gpg-bash-lib - gpg file verification bash library - first public release announcement - 0.5-1

Patrick Schleizer patrick-mailinglists at
Thu Apr 2 15:29:39 CEST 2015

gpg-bash-lib is a gpg file verification bash library that addresses a
comprehensive threat model covering file name tampering, indefinite
freeze, rollback, endless data attacks, etc.


Writing bash scripts that do file verification using gpg that really is
secure and passes a comprehensive threat model, that covers indefinite
freeze, rollback, endless data attacks, etc. is hard.

gpg-bash-lib's goal is to provide a bash library that we can
collaboratively develop, audit and abstract the hard work into reusable

Checking gpg exit codes only is insufficient. Quote Werner Koch [1]
(gnupg lead developer):

    "there is no clear distinction between the codes and for proper
error reporting you are advised to use the --status-fd messages."

(For a definition of these attacks, see TUF [2] (The Update Framework)'s
[3] threat model [4] [5].)

Mini Demo:
After installation, if you ran the following command:


You would see the following output.

your_script_begin: ...
verification: BEGIN
verification: END
your_script_output: BEGIN
gpg_bash_lib_output_failure_status: false
gpg_bash_lib_output_gpg_verify_exit_code: 0
gpg_bash_lib_output_goodsig_status: true
gpg_bash_lib_output_validsig_status: true
gpg_bash_lib_output_signed_on_unixtime: 1422049448
gpg_bash_lib_output_signed_on_date: March 01 13:56:27 UTC 2015
gpg_bash_lib_output_notation[$file@name]: test-file
gpg_bash_lib_output_file_name_tampering: false
gpg_bash_lib_output_freshness_status: true
gpg_bash_lib_output_freshness_detail: current
- Freshness: Signature is current.
- valid-max: Signatures are valid up to 30 days.
- Signature Creation Date: March 01 13:56:27 UTC 2015
- Current System Date    : March 02 16:0:55 UTC 2015
- Local System Clock: Your clock seems okay.
- Relative Signature Creation Time: According to your system clock,
signature was created 2 days 26 minutes 3 seconds ago.
gpg_bash_lib_output_alright_status: true
your_script_output: END

All information (Signature Creation Date, etc.) is easily accessible
through separate variables, which are all documented.
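To illustrate the point above about exit codes versus --status-fd messages, here is an added bash example (not gpg-bash-lib's own code) that parses constructed status lines for GOODSIG/VALIDSIG, the file@name notation (file name tampering) and signature age against a valid-max window (freshness); the key id, fingerprint and timestamps are made up.

```bash
#!/usr/bin/env bash
# Added example, not gpg-bash-lib's own code: act on gpg's --status-fd lines
# instead of trusting the exit code alone, checking GOODSIG/VALIDSIG, the
# file@name notation (file name tampering) and signature age (freshness).
# Constructed sample of what `gpg --status-fd 1 --verify` prints; the key id,
# fingerprint and timestamp (2015-03-01 13:56:27 UTC) are made up.
sample_status='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Test Key <test@example.com>
[GNUPG:] NOTATION_NAME file@name
[GNUPG:] NOTATION_DATA test-file
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-03-01 1425218187 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE'

# verify_status STATUS_TEXT EXPECTED_FILE_NAME NOW_UNIXTIME VALID_MAX_SECONDS
# Prints "ok" and returns 0 only when every check passes; otherwise prints
# the first failing check and returns 1.
verify_status() {
  local status="$1" expected_name="$2" now="$3" valid_max="$4"
  local goodsig=false validsig=false notation_name="" file_name="" signed_on=""
  local line
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] GOODSIG "*) goodsig=true ;;
      "[GNUPG:] VALIDSIG "*)
        validsig=true
        set -- $line               # field 5 is the signature creation unixtime
        signed_on="$5" ;;
      "[GNUPG:] NOTATION_NAME "*) notation_name="${line#*NOTATION_NAME }" ;;
      "[GNUPG:] NOTATION_DATA "*)
        # only the data line that follows a file@name NOTATION_NAME counts
        if [ "$notation_name" = "file@name" ]; then file_name="${line#*NOTATION_DATA }"; fi
        notation_name="" ;;
    esac
  done <<< "$status"
  if ! $goodsig || ! $validsig; then echo "bad signature"; return 1; fi
  if [ -z "$file_name" ]; then echo "missing file@name notation"; return 1; fi
  if [ "$file_name" != "$expected_name" ]; then echo "file name tampering"; return 1; fi
  local age=$(( now - signed_on ))
  # negative age: the local clock is wrong or the signature claims a future date
  if [ "$age" -lt 0 ]; then echo "signature timestamp in the future"; return 1; fi
  # older than valid-max: indefinite freeze or rollback to an old signed file
  if [ "$age" -gt "$valid_max" ]; then echo "stale"; return 1; fi
  echo "ok"
}

# Usage: 30-day valid-max, system clock 2 days 26 min 3 s after signing.
verify_status "$sample_status" test-file 1425392550 $(( 30 * 86400 ))
```

In a real run the status text would come from gpg itself (e.g. `gpg --status-fd 1 --verify file.sig file`) rather than from an embedded sample.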


Usage examples:

Main code file:

Specifically, does the status-fd parsing code look sane?

Could you leave some feedback please?

Anyone else interested in contributing?
