Best way to catch INSECURE unverified sig status when shelling out to gpg?

David Shaw dshaw at
Sun Feb 10 06:09:01 CET 2013

On Feb 9, 2013, at 6:09 PM, Grant Olson <kgo at> wrote:

> I'm currently writing a plugin that allows you to OpenPGP sign/verify
> ruby software packages:
> Right now I'm just shelling out to gpg and checking the status code to
> determine success or failure.  When I have an unverified but good
> signature I don't get an error code.
> What is the best way to check for this?  I presume something like
> stdout.include?("INSECURE") is not localization friendly.

The option you're looking for is "--status-fd".  Using that, you can get a stream of localization-safe string tags that can tell you the exact status of a signature.  See the DETAILS file from the GnuPG distribution for the specific tags.


More information about the Gnupg-users mailing list