gpg --decrypt AND --verify ?

Michael Tokarev mjt@tls.msk.ru
Sat May 25 17:47:01 2002


Hello all, this is my first post here.

Gnupg has two commands (in fact more than two) that may be used together,
and this is clearly noted in the manpage and FAQs.  It's --sign and --encrypt
(together with the -files variants, thus more than 2).  Now I wonder why there
is no similar --decrypt --verify command available (given the two together,
gpg complains about conflicting options).  The question is, of course, why.

If an input is signed and encrypted, one cannot use --verify alone: gpg
complains about an unexpected block format and aborts.  So the only way to ensure
that encrypted data is signed is to check the signature at decryption time.

I think it is worth an effort to allow using both --decrypt and --verify,
to mean *require* a valid signature (just like --verify alone does) AND
decrypt, and to return 0 (success) ONLY when both decryption and verification
were ok.  Currently, with --decrypt, the verification stage is optional and
works only if there is a signature in the data AND it is valid (i.e. --decrypt
will tell you if there is a valid (good) signature if there is one, but decrypts
regardless of that, and exits with 0 in case *decryption* was ok).

This will be very useful for many applications, especially automatic
processors.  For example, one may use signed+encrypted data packets for
transaction exchange (e.g. from a remote business app).  Before processing,
the data should be verified as belonging to its real owner etc, and decrypted.
There is no need to do anything if either stage fails.  For this, it
is very convenient to call `gpg --decrypt --verify' and check the exit status.

Currently, one needs to parse gpg's output (maybe using --status-fd) in
order to find out if the signature was correct and the like.  But this is
only half a solution.  For example, the GOODSIGN message may be followed
by e.g. TRUST UNKNOWN (I don't remember the exact message), or may be
not.  It's not a *very* trivial task to parse gpg's output in a proper
way - since there may in fact be numerous possibilities.

Currently, such a task was "solved" here for my needs this way:

 o read output from `gpg --batch -q --decrypt' and check the exit code
 o check that the LAST LINE (there should be exactly 2 lines of output) is
   of the form:
     gpg: Good signature from "(.+)"

(first line is "gpg: signature made <date>...")

I don't know if this is a guarantee that the message was signed by a
known signature (ok, ok, I explicitly reset LC_* before calling gpg! ;),
and I don't know how to deal with --status-fd messages either.

Comments, anyone?

Thanks.

/mjt
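The --status-fd check the post asks about, as an added example that is not part of the original message or of GnuPG itself: it accepts a run only when the status lines show DECRYPTION_OKAY, a VALIDSIG from the expected fingerprint and a TRUST_FULLY/TRUST_ULTIMATE level, so a "Good signature" from an untrusted key is rejected. The sample status lines are constructed (fake key id and fingerprint); the last function assumes gpg is on PATH.

```python
import re
import subprocess

# Status lines are "[GNUPG:] KEYWORD args"; the human "gpg: ..." lines are ignored.
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")
ACCEPTED_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}  # MARGINAL/UNDEFINED/NEVER rejected
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG",
                    "NO_PUBKEY", "DECRYPTION_FAILED", "NODATA"}

# Constructed sample output (not from a real gpg run); key id and fingerprint are fake.
SENDER_FPR = "FEDCBA9876543210FEDCBA980123456789ABCDEF"
SAMPLE_OK = """\
[GNUPG:] BEGIN_DECRYPTION
gpg: Signature made Sat May 25 17:47:01 2002 using DSA key ID 89ABCDEF
[GNUPG:] GOODSIG 0123456789ABCDEF Example Sender <sender@example.org>
gpg: Good signature from "Example Sender <sender@example.org>"
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA980123456789ABCDEF 2002-05-25 1022341621 0 3 0 17 2 00
[GNUPG:] TRUST_ULTIMATE
[GNUPG:] DECRYPTION_OKAY
"""
# Same run with the signing key known but untrusted: "Good signature" still appears.
SAMPLE_UNTRUSTED = SAMPLE_OK.replace("TRUST_ULTIMATE", "TRUST_UNDEFINED")

def parse_status(text):
    """Return [(keyword, args)] for every status line in text, in order."""
    found = [STATUS_RE.match(line) for line in text.splitlines()]
    return [(m.group(1), m.group(2) or "") for m in found if m]

def verdict(status_text, expected_fpr):
    """(ok, reason): ok only if decryption AND verification both succeeded."""
    seen = parse_status(status_text)
    kws = {k for k, _ in seen}
    bad = sorted(kws & FAILURE_KEYWORDS)
    if bad:
        return False, "failure status: " + ",".join(bad)
    if "DECRYPTION_OKAY" not in kws:
        return False, "no DECRYPTION_OKAY"
    # VALIDSIG carries the full fingerprint; GOODSIG only the (spoofable) key id.
    fprs = [a.split()[0] for k, a in seen if k == "VALIDSIG"]
    if "GOODSIG" not in kws or expected_fpr not in fprs:
        return False, "no valid signature from expected key"
    if not kws & ACCEPTED_TRUST:
        return False, "signing key not fully/ultimately trusted"
    return True, "decrypted and verified"

def decrypt_and_verify(path, expected_fpr):  # gpg assumed on PATH; status to stderr
    p = subprocess.run(["gpg", "--batch", "--status-fd", "2", "--decrypt", path],
                       capture_output=True, text=True)
    return p.stdout if verdict(p.stderr, expected_fpr)[0] else None
```

decrypt_and_verify returns the plaintext only when both stages passed, which is the "exit 0 only if both were ok" behaviour the post wants; the caller should treat None as a hard failure.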