catching output from gpg --verify
Brad Tilley
rtilley at vt.edu
Wed Jul 20 19:39:29 CEST 2005
On Wed, 2005-07-20 at 09:10 -0400, David Shaw wrote:
> On Tue, Jul 19, 2005 at 01:21:00PM -0400, Brad Tilley wrote:
> > Hello Gnupg users,
> >
> > I am writing a script to automate the downloading and building of Linux
> > kernels. As a part of the script, I use gpg to check and make sure that
> > the kernel key is installed:
> >
> > check = os.popen('gpg --list-keys')
> > data = check.read()
> > check.close()
> >
> > This works well. I can read the data from gpg --list-keys and check it
> > and then proceed. If the key is not installed, I download and install
> > it, if it is installed, I move on.
> >
> > However, the next case in which I need to use gpg fails because I cannot
> > capture the output of gpg --verify:
> >
> > cmd = os.popen('gpg --verify kernel_name_sig kernel_name')
> > data = cmd.read()
> > cmd.close()
> >
> > I've tried re-directing the output to a file (doesn't work) from the
> > command line and from my script. Any tips on how to capture this output
> > would be greatly appreciated.
>
> The problem here is not really that you can't capture the output, but
> that you shouldn't capture the output. The output of GPG is very
> subject to change, and every time we change GPG, we'll break your
> script.
>
> There are two good ways to do this safely:
>
> 1) Use something like:
>
> gpg --status-fd 1 --verify kernel_name_sig kernel_name 2>/dev/null

Thank you. I found this solution to work better for my situation. I
appreciate your advice. Have a nice day.

>
> That will cause a machine readable series of messages to appear on
> stdout. If you see a VALIDSIG tag, you know the signature is good.
>
> 2) Use gpgv, which is just a signature verification tool and exits 0
> if the signature is good, and non-0 otherwise.
>
> David
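
Added example (not part of the original messages): one way a Python script could consume the --status-fd output from option 1 instead of scraping gpg's human-readable text. It goes one step beyond the thread by also comparing the VALIDSIG fingerprint with the key the script expects; the function names, the fingerprint and the sample status lines are constructed for illustration.

```python
import subprocess

PREFIX = "[GNUPG:] "
# Status keywords that mean a signature did not verify cleanly.
FAILURE_TAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def parse_status(text):
    """Turn --status-fd output into a list of (keyword, [args]) tuples."""
    records = []
    for line in text.splitlines():
        if line.startswith(PREFIX):
            fields = line[len(PREFIX):].split()
            if fields:
                records.append((fields[0], fields[1:]))
    return records


def signature_ok(text, expected_fpr):
    """True only if no failure status appears and a VALIDSIG names expected_fpr."""
    records = parse_status(text)
    if any(tag in FAILURE_TAGS for tag, _ in records):
        return False
    # The first VALIDSIG argument is the fingerprint of the signing key.
    valid = [args[0].upper() for tag, args in records if tag == "VALIDSIG" and args]
    return expected_fpr.upper() in valid


def verify_file(sig_path, data_path, expected_fpr):
    """Run the command from the thread; arguments are a list, so no shell parses them."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True,
    )
    return signature_ok(proc.stdout, expected_fpr)


# Constructed sample status output (fingerprint and key ID are made up).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD = (
    "[GNUPG:] SIG_ID abcdefg 2005-07-20 1121880000\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
    "[GNUPG:] VALIDSIG " + FPR + " 2005-07-20 1121880000 0 3 0 17 2 00 " + FPR + "\n"
)
BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
```

Without the fingerprint comparison, a VALIDSIG from any key in the keyring would be accepted, which matters when the script also imports keys automatically.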