gpg-bash-lib - gpg file verification bash library - first public release announcement - 0.5-1
patrick-mailinglists at whonix.org
Thu Apr 2 15:29:39 CEST 2015
gpg-bash-lib is a gpg file verification bash library, addresses
comprehensive threat model, that covers file name tampering, indefinite
freeze, rollback, endless data attacks, etc.
Writing bash scripts that do file verification using gpg that really is
secure and passes a comprehensive threat model, that covers indefinite
freeze, rollback, endless data attacks, etc. is hard.
gpg-bash-lib's goal is to provide a bash library that we can
collaboratively develop, audit and abstract the hard work into reuseable
Checking gpg exit codes only is insufficient. Quote Werner Koch 
(gnupg lead developer):
"there is no clear distinction between the codes and for proper
error reporting you are advised to use the --status-fd messages."
(For a definition of these attacks, see TUF  (The Update Framework)'s
 threat model  .)
After installation, if you would run the following command.
You would see the following output.
gpg_bash_lib_output_signed_on_date: March 01 13:56:27 UTC 2015
gpg_bash_lib_output_notation[$file at name]: test-file
- Freshness: Signature is current.
- valid-max: Signatures are valid up to 30 days.
- Signature Creation Date: March 01 13:56:27 UTC 2015
- Current System Date : March 02 16:0:55 UTC 2015
- Local System Clock: Your clock seems okay.
- Relative Signature Creation Time: According to your system clock,
signature was created 2 days 26 minutes 3 seconds ago.
All information (Signature Creation Date, etc.) are easily accessible
through separate variables, which are all documented.
Main code file:
Specifically, does the status-fd parsing code look sane?
Could you leave some feedback please?
Anyone else interested to contribute?
More information about the Gnupg-users