python-gnupg uses "gpg --with-fingerprint --with-colons FILENAME" -- is this supported?

Daniel Kahn Gillmor dkg at
Tue Oct 4 20:41:41 CEST 2016

Hi GnuPG folks,

in the python-gnupg module maintained by Vinay Sajip (cc'ed here), it
tries to scan a file containing keys by using the following command

   gpg --with-fingerprint --with-colons FILENAME

        List details of an ascii armored or binary key file
        without first importing it to the local keyring.

        The function achieves this by running:
        $ gpg --with-fingerprint --with-colons filename

Is this a supported use case?  This appears to be using no explicit
command, which means it's taking advantage of the following section in

       gpg  may  be run with no commands, in which case it will perform a rea‐
       sonable action depending on the type of file it is given as  input  (an
       encrypted  message  is  decrypted, a signature is verified, a file con‐
       taining keys is listed).

If the desired action is "a file containing keys is listed", maybe it
would make more sense to explicitly provide a command that does this?  I
don't see a way to make an explicit command for it -- it seems to be
handled inside the aListPackets: clause of switch(cmd) in main() in
g10/gpg.c, but it is distinct from --list-packets because
packet_list_mode is not set.

Making matters worse, the output of this non-command actually differs
between gpg 1.4 and 2.1, even when 1.4 is using --fixed-list-mode:

0 dkg at alice:/tmp/cdtemp.uaInIQ$ diff -u <(gpg1 --homedir $(pwd) --fixed-list-mode --with-colons dkg-test.asc ) <(gpg --homedir $(pwd) --with-colons dkg-test.asc )
--- /dev/fd/63	2016-10-04 14:27:05.473568896 -0400
+++ /dev/fd/62	2016-10-04 14:27:05.473568896 -0400
@@ -1,2 +1,3 @@
-pub:-:4096:1:CCD2ED94D21739E9:1180812858:1483512006::-:Daniel Kahn Gillmor <dkg at>:
+uid:::::::::Daniel Kahn Gillmor <dkg at>:
 uid:::::::::Daniel Kahn Gillmor <dkg at>:
1 dkg at alice:/tmp/cdtemp.uaInIQ$

(the test file i used is attached if you want to try to replicate this)

I'm not sure of the proper way to approach this situation. is it:

 * a bug in --fixed-list-mode in 1.4?
 * a bug in the output of 2.1, since it is effectively an API break from
   previous versions?
 * an unsupported mode for programmatic use, since the behavior will
   vary depending on the contents of FILENAME (thus making it a bug that
   python-gnupg even tries to use this)?

 * something else?

Any thoughts or pointers welcome,


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: dkg-test.asc
URL: </pipermail/attachments/20161004/e0408292/attachment-0001.asc>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 930 bytes
Desc: not available
URL: </pipermail/attachments/20161004/e0408292/attachment-0001.sig>

More information about the Gnupg-devel mailing list