Verification of a detached signature fails, what am I missing?
Vinay Sajip
vinay_sajip at yahoo.co.uk
Sun May 8 01:33:28 CEST 2022
The following script fails at the verification step. It needs to be run with Bash in a scratch directory.
# Print a coloured Result line for the exit code passed in $1.
command_status() {
    if [ "$1" = '0' ]; then
        echo $'\e[1;32m'Result: Success$'\e[0m'
    else
        echo $'\e[1;31m'Result: Failure \(exit code = $1\)$'\e[0m'
    fi
}

GPG=gpg2

# Fresh, private GnuPG home directory for this run.
rm -rf keys
mkdir -p keys
chmod 0700 keys
killall gpg-agent > /dev/null 2>&1

# Unattended key generation parameters (see "Unattended GPG key generation" in the GnuPG manual).
cat << EOF > key_data.txt
Key-Type: DSA
Key-Length: 1024
Subkey-Type: ELG-E
Subkey-Length: 2048
Name-Comment: A test user
Name-Real: Andrew Able
Name-Email: andrew.able at example.com
Passphrase: aable
Expire-Date: 0
%commit
EOF

# Machine-readable status lines go to stderr (fd 2); everything is batch/non-interactive.
COMMON_ARGS="--status-fd 2 --no-tty --no-verbose --fixed-list-mode --batch --with-colons --homedir keys"

echo $'\e[1;33m'GPG version ...$'\e[0m'
${GPG} ${COMMON_ARGS} --version | head -1

echo $'\e[1;33m'Generating a key ...$'\e[0m'
${GPG} ${COMMON_ARGS} --gen-key < key_data.txt 2>&1 | tee key_info.txt
# $? after a pipeline is tee's status; PIPESTATUS[0] is gpg's.
command_status "${PIPESTATUS[0]}"
# The last status line is "KEY_CREATED B <fingerprint>"; take its last field.
KEYID=$(tail -1 key_info.txt | awk '{ print $(NF)}')
# echo $'\e[1;33m'Key ID: ${KEYID}$'\e[0m'
rm key_data.txt key_info.txt

echo $'\e[1;33m'Creating random data to sign ...$'\e[0m'
dd if=/dev/urandom of=data-to-sign bs=1 count=1024 > /dev/null 2>&1

echo $'\e[1;33m'Signing data, asking for a detached signature ...$'\e[0m'
# Passphrase is read from stdin (fd 0); signature is detached and ASCII-armoured.
echo aable | ${GPG} --pinentry-mode loopback ${COMMON_ARGS} --passphrase-fd 0 -sa --detach-sign --default-key ${KEYID} | tee sig.asc
command_status "${PIPESTATUS[1]}"

echo $'\e[1;33m'Trying to verify data ...$'\e[0m'
${GPG} ${COMMON_ARGS} --verify sig.asc data-to-sign
command_status $?
If I run the above, I get
GPG version ...
gpg (GnuPG) 2.3.6
Generating a key ...
gpg: keybox '/disk2/vinay/projects/scratch/gnupg/keys/pubring.kbx' created
gpg: /disk2/vinay/projects/scratch/gnupg/keys/trustdb.gpg: trustdb created
gpg: directory '/disk2/vinay/projects/scratch/gnupg/keys/openpgp-revocs.d' created
[GNUPG:] KEY_CONSIDERED 1ADA97672FD8E615012C75C295CEF1267475C187 0
gpg: revocation certificate stored as '/disk2/vinay/projects/scratch/gnupg/keys/openpgp-revocs.d/1ADA97672FD8E615012C75C295CEF1267475C187.rev'
[GNUPG:] KEY_CREATED B 1ADA97672FD8E615012C75C295CEF1267475C187
Result: Success
Creating random data to sign ...
Signing data, asking for a detached signature ...
gpg: using "1ADA97672FD8E615012C75C295CEF1267475C187" as default secret key for signing
[GNUPG:] KEY_CONSIDERED 1ADA97672FD8E615012C75C295CEF1267475C187 2
[GNUPG:] BEGIN_SIGNING H2
[GNUPG:] SIG_CREATED D 17 2 00 1651965765 1ADA97672FD8E615012C75C295CEF1267475C187
-----BEGIN PGP SIGNATURE-----
iF0EABECAB0WIQQa2pdnL9jmFQEsdcKVzvEmdHXBhwUCYnb/RQAKCRCVzvEmdHXB
h3FGAJ9zUzSbkYbven89dQZekXn4FaogcwCfXJEoGE0Gar40OKJlNfAJrj4AYE8=
=Gye9
-----END PGP SIGNATURE-----
Result: Success
Trying to verify data ...
[GNUPG:] NEWSIG
gpg: Signature made Sun 08 May 2022 00:22:45 BST
gpg: using DSA key 1ADA97672FD8E615012C75C295CEF1267475C187
[GNUPG:] KEY_CONSIDERED 1ADA97672FD8E615012C75C295CEF1267475C187 0
[GNUPG:] KEY_CONSIDERED 1ADA97672FD8E615012C75C295CEF1267475C187 0
gpg: checking the trustdb
[GNUPG:] KEY_CONSIDERED 1ADA97672FD8E615012C75C295CEF1267475C187 0
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
[GNUPG:] BADSIG 95CEF1267475C187 Andrew Able (A test user) <andrew.able at example.com>
gpg: BAD signature from "Andrew Able (A test user) <andrew.able at example.com>" [ultimate]
[GNUPG:] FAILURE gpg-exit 33554433
Result: Failure (exit code = 1)
What have I missed in terms of arguments passed to GnuPG, or anything else? All help gratefully received.
The script is also available (in case the above gets mangled by email software) at https://gist.github.com/vsajip/3f6b092d8d72e3b68b3ce21ec3e013b7
Regards,
Vinay Sajip
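An added example, not part of the post above: when scripting GnuPG the way the script does, the decision should come from the "[GNUPG:]" status lines it already prints rather than from the exit code alone, and a detached signature should be accepted only when VALIDSIG names the fingerprint you expect. The function names verify_status and verify_detached and the variable EXPECTED_FPR are my own; the fingerprint is the one from the post, and the status lines in the comments are constructed from the post's output.

```shell
# Pinned fingerprint of the key whose signatures we accept (from the post).
EXPECTED_FPR=1ADA97672FD8E615012C75C295CEF1267475C187

# verify_status <expected-fingerprint>
# Reads GnuPG --status-fd lines from stdin and prints one word:
#   GOOD      GOODSIG and VALIDSIG seen, VALIDSIG fingerprint matches
#   BAD       BADSIG or ERRSIG seen (the post's run ends this way)
#   WRONGKEY  signature is good but made by some other key
#   NOSIG     no usable signature status at all
# Returns 0 only for GOOD, so it can be used directly in an if/&& chain.
verify_status() {
    local expected="$1" line good=0 bad=0 fpr=""
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)                       good=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*)    bad=1 ;;
            "[GNUPG:] VALIDSIG "*)
                # VALIDSIG <fingerprint> <date> <timestamp> ... : field 3
                set -- $line
                fpr="$3" ;;
        esac
    done
    if [ "$bad" = 1 ]; then
        echo BAD; return 1
    elif [ "$good" = 1 ] && [ -n "$fpr" ]; then
        if [ "$fpr" = "$expected" ]; then
            echo GOOD; return 0
        fi
        echo WRONGKEY; return 1
    fi
    echo NOSIG; return 1
}

# verify_detached <sig.asc> <data-file> [homedir]
# Sends the status lines to stdout (fd 1) and discards gpg's human-readable
# messages on stderr, so only machine-readable lines reach verify_status.
# Assumes gpg2 is installed; not exercised offline.
verify_detached() {
    gpg2 --batch --no-tty --status-fd 1 --homedir "${3:-keys}" \
         --verify "$1" "$2" 2>/dev/null | verify_status "$EXPECTED_FPR"
}
```

Replacing the script's last two lines with `verify_detached sig.asc data-to-sign` turns the BADSIG seen in the post into an explicit BAD result, and a signature from any key other than the pinned one is refused even though gpg itself would report it as good.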