catching output from gpg --verify

David Shaw dshaw at jabberwocky.com
Wed Jul 20 15:10:56 CEST 2005


On Tue, Jul 19, 2005 at 01:21:00PM -0400, Brad Tilley wrote:
> Hello Gnupg users,
> 
> I am writing a script to automate the downloading and building of Linux
> kernels. As a part of the script, I use gpg to check and make sure that
> the kernel key is installed:
> 
>     check = os.popen('gpg --list-keys')
>     data = check.read()
>     check.close()
> 
> This works well. I can read the data from gpg --list-keys and check it
> and then proceed. If the key is not installed, I download and install
> it, if it is installed, I move on.
> 
> However, the next case in which I need to use gpg fails because I cannot
> capture the output of gpg --verify:
> 
>     cmd = os.popen('gpg --verify kernel_name_sig kernel_name')
>     data = cmd.read()
>     cmd.close()
> 
> I've tried re-directing the output to a file (doesn't work) from the
> command line and from my script. Any tips on how to capture this output
> would be greatly appreciated.

The problem here is not really that you can't capture the output, but
that you shouldn't capture the output.  The output of GPG is very
subject to change, and every time we change GPG, we'll break your
script.

There are two good ways to do this safely:

1) Use something like:

   gpg --status-fd 1 --verify kernel_name_sig kernel_name 2>/dev/null

That will cause a machine readable series of messages to appear on
stdout.  If you see a VALIDSIG tag, you know the signature is good.

2) Use gpgv, which is just a signature verification tool and exits 0
   if the signature is good, and non-0 otherwise.

David
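Both approaches from the reply above, as an added Python example that is not part of the original thread (the poster's script used os.popen; this uses subprocess). The status-fd parser is fed constructed sample output here so it runs without gpg installed; the fingerprint and key id in it are made up. Checking VALIDSIG alone says "a key in the keyring signed this", so the example also lets you pin the expected signer fingerprint, which is what a kernel-download script actually wants.

```python
import subprocess

STATUS_PREFIX = "[GNUPG:] "

# Constructed sample of what `gpg --status-fd 1 --verify` writes on stdout for a
# good signature (fingerprint and key id are invented, not real kernel.org keys).
GOOD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2005-07-19 1121792460 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed sample for a signature that does not match the data.
BAD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>
"""

# Constructed sample for the case the poster hit first: key not in the keyring.
NOKEY_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 1121792460 9 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""


def parse_status(status_text):
    """Turn status-fd output into {KEYWORD: [argument lists]}.

    Lines without the [GNUPG:] prefix are ignored, so any human-readable text
    that lands on the same descriptor cannot confuse the parser."""
    result = {}
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if fields:
            result.setdefault(fields[0], []).append(fields[1:])
    return result


def signature_is_valid(status_text, expected_fingerprint=None):
    """True only if a VALIDSIG line is present, and (when given) its
    fingerprint is the one we expect, so a good signature from some other
    key in the keyring is not accepted."""
    status = parse_status(status_text)
    if "BADSIG" in status or "ERRSIG" in status:
        return False
    want = None
    if expected_fingerprint is not None:
        want = expected_fingerprint.replace(" ", "").upper()
    for args in status.get("VALIDSIG", []):
        # First VALIDSIG field is the fingerprint of the signing key.
        if args and (want is None or args[0].upper() == want):
            return True
    return False


def verify_with_status_fd(sig_path, data_path, expected_fingerprint=None):
    """Approach 1 from the reply: machine-readable status on stdout, stderr dropped."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--batch", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    return signature_is_valid(proc.stdout, expected_fingerprint)


def verify_with_gpgv(sig_path, data_path, keyring=None):
    """Approach 2 from the reply: gpgv exits 0 only for a good signature.
    Passing a dedicated --keyring limits which keys can satisfy the check."""
    cmd = ["gpgv"]
    if keyring:
        cmd += ["--keyring", keyring]
    cmd += [sig_path, data_path]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


if __name__ == "__main__":
    print("good sample:", signature_is_valid(GOOD_STATUS))
    print("bad sample:", signature_is_valid(BAD_STATUS))
    print("missing key sample:", signature_is_valid(NOKEY_STATUS))
```

Call `verify_with_status_fd("linux.tar.sign", "linux.tar", expected_fingerprint="...")` or `verify_with_gpgv(...)` in place of the popen/read code; the status text is parsed by keyword, not by matching the wording of gpg's messages, which is the point of the reply.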



More information about the Gnupg-users mailing list