Using --output with --verify

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Sep 8 12:36:30 CEST 2016


On Thu 2016-09-08 00:52:31 +0200, Werner Koch wrote:

> it has been reported that --output has no effect if --verify is used to
> verify signed data.  This is also what the man page says.  However, in
> particular for binary signatures and clearsigs it is useful to get hold
> of the actual signed data.
>
> Thus I slightly changed the semantics of --verify to allow the use of
> --output.  For example by using "--verify --output -" the signed text
> can be printed to stdout.  This change (commit bbe940c) should not
> introduce problems but if it does, please tell us soon.

thanks!  this change looks good to me.  (though i assume that "--output
-" is an option, and "--verify" is a command, and gpg docs usually
suggest that options should precede the command, so i'd write it as
"gpg --output - --verify")

This makes a lot more sense than what people have traditionally done
(which is using "gpg --decrypt" to verify).

In testing this, i noticed that --enable-special-filenames doesn't work
right with --output, but that appears to be independent of this patch --
it's present in 2.1.15 as well, so i opened:
https://bugs.gnupg.org/gnupg/issue2677

> The next step will be to add an --output option to gpgv.

I see you've done this already -- thanks!  One issue with the current
implementation is how confused it gets if a file already exists, the
error message appears to be wrong:

0 dkg at alice:~/tmp/trial$ rm -rf output
0 dkg at alice:~/tmp/trial$ ./g10/gpgv --output output --keyring foo.gpg test.txt.asc 
gpgv: Signature made Tue 06 Sep 2016 09:53:02 AM CEST
gpgv:                using RSA key 24ECFF5AFF68370A
gpgv: Good signature from "Daniel Kahn Gillmor <dkg at debian.org>"
0 dkg at alice:~/tmp/trial$ ./g10/gpgv --output output --keyring foo.gpg test.txt.asc 
gpgv: handle plaintext failed: General error
gpgv: no signature found
gpgv: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.
2 dkg at alice:~/tmp/trial$

i think the error message should be something about the output file
already existing.

it would be nice (but not super important) to add
--enable-special-filenames to gpgv as well.

             --dkg
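
Added example (not part of the original message, and not GnuPG project code): a shell wrapper around the "gpgv --output" usage discussed above. It has gpgv write the signed data to a fresh path, so the existing-file failure cannot occur, and hands the data over only after gpgv reports success. The names verify_extract and GPGV are hypothetical, and it assumes a gpgv build that accepts --output.

```shell
#!/bin/sh
# Added example: verify a signed file with gpgv and release the signed
# payload only if verification succeeded.
# Assumptions: gpgv accepts --output (the change discussed in this thread).
# verify_extract and the GPGV override variable are hypothetical names.

verify_extract() {
    # usage: verify_extract KEYRING SIGNED_FILE DEST
    keyring=$1 signed=$2 dest=$3
    gpgv_bin=${GPGV:-gpgv}

    # Fresh private directory: the output path is guaranteed not to exist,
    # so gpgv never hits the "handle plaintext failed" case shown above,
    # and no other user can pre-create the file.
    tmpdir=$(mktemp -d) || return 3
    out=$tmpdir/payload

    if "$gpgv_bin" --output "$out" --keyring "$keyring" "$signed"; then
        # Only data gpgv wrote during a successful verification reaches DEST.
        rc=0
        mv -f "$out" "$dest" || rc=$?
    else
        rc=$?
        # Anything gpgv may have written before failing is discarded
        # together with the temporary directory.
        echo "verify_extract: verification failed, nothing written to $dest" >&2
    fi
    rm -rf "$tmpdir"
    return "$rc"
}
```

Consumers then read DEST, which is exactly the data gpgv checked, instead of re-reading the signed input file.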