[Feature request] Please make it easier to check success/failure from scripts

Jakob Bohm jb-gnumlists at wisemo.com
Tue Aug 27 17:37:03 CEST 2024


Dear GnuPG team,

According to the documentation for the version I have received from 
Debian, scripts that wish to check for success/failure of decryption 
and/or signature validation done by invocation of gpg/gpgv/gpgsm are 
currently required to set up a "status-fd", then check the status-fd 
output for a multitude of situation-specific strings.  Sometimes it is 
even necessary to check if the expected signing key is mentioned in 
specific ways.

This is highly impractical compared to other scripting of POSIX 
commands.  It would be really nice if a future version of the gnupg 
suite would provide the result via the process exit code directly, 
perhaps with some intermediary values indicating various warning 
conditions such as "valid signature from someone not listed in the command 
line option that indicates the expected signer".

I know this because I have a script that uses gpgsm to do pipelined 
check of a large CMS signed system log, which is signed by the server to 
prevent later malicious changes.  gpgsm is used because of its specific 
support for streamed processing.

Your response to the latest fluff paper about supposed "Downgrade 
attacks" emphasizes the importance of doing these checks.

Another, related, feature would be the ability to run the gnupg tools in 
a mode that doesn't talk to any part of the environment, neither the 
gnupg config dir, nor the various helper programs (directory, password 
prompt etc.), but instead acts predictably based only on the command 
line options.


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
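The status-fd parsing the post describes, written out as an added example (this is not code from the post, from WiseMo or from the GnuPG project). It reads `[GNUPG:]` status lines on stdin and folds them into one exit code so that a calling script only has to test `$?`: the keywords (`GOODSIG`, `VALIDSIG`, `BADSIG`, `ERRSIG`, `EXPKEYSIG`, `REVKEYSIG`, `NO_PUBKEY`, `NODATA`) and the field layout of `VALIDSIG` follow GnuPG's `doc/DETAILS`; the exit-code mapping (0 expected signer, 2 valid but unexpected signer, 1 failure), the function name `check_status`, and the sample status streams and fingerprints are assumptions constructed for this example. Checking the full fingerprint from `VALIDSIG` rather than the short key id printed in `GOODSIG` is the point of the "is the expected signing key mentioned" check, and any single bad or unverifiable signature in the stream fails the whole result.

```shell
#!/bin/sh
# Added example: fold gpg/gpgv/gpgsm --status-fd output into a single exit code.
# Exit codes are this example's own convention, not GnuPG's:
#   0  a GOODSIG+VALIDSIG pair from the expected key, and no bad signatures
#   2  good, valid signature(s) seen, but none from the expected key
#   1  any BADSIG/ERRSIG/EXPSIG/EXPKEYSIG/REVKEYSIG/NO_PUBKEY/NODATA, or no valid signature
#
# Real-tool usage (gpgv has no data output, so the status fd can be stdout):
#   gpgv --status-fd 1 --keyring ./trusted.kbx syslog.sig syslog | check_status "$SERVER_FPR"
# For gpg --decrypt, keep data and status apart:
#   gpg --batch --status-fd 3 --decrypt log.gpg 3>&1 >log.txt | check_status "$SERVER_FPR"
check_status() {
    expected=$1
    good=0 bad=0 valid=0 matched=0
    while IFS=' ' read -r prefix keyword rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case $keyword in
            GOODSIG)
                good=1
                ;;
            VALIDSIG)
                # Per doc/DETAILS: field 1 is the signing (sub)key fingerprint,
                # field 10 is the primary key fingerprint. Accept either.
                set -- $rest
                valid=1
                if [ "$1" = "$expected" ] || [ "${10}" = "$expected" ]; then
                    matched=1
                fi
                ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY|NODATA)
                # One bad or unverifiable signature poisons the whole input
                bad=1
                ;;
        esac
    done
    if [ "$bad" -eq 1 ] || [ "$good" -eq 0 ] || [ "$valid" -eq 0 ]; then
        echo "FAIL: no usable signature or a bad signature present"
        return 1
    fi
    if [ "$matched" -eq 0 ]; then
        echo "WARN: valid signature, but not from the expected key"
        return 2
    fi
    echo "OK: valid signature from expected key"
    return 0
}

# Constructed fingerprints for the samples below (not real keys).
SERVER_FPR=0123456789ABCDEF0123456789ABCDEF01234567
OTHER_FPR=FEDCBA9876543210FEDCBA9876543210FEDCBA98

# Constructed status streams in the shape gpgv emits; not captured from a real run.
sample_good() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Log Signer (constructed) <logs@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-08-27 1724773023 0 4 0 22 8 00 0123456789ABCDEF0123456789ABCDEF01234567
EOF
}
sample_other_key() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else (constructed) <other@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-08-27 1724773023 0 4 0 22 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
EOF
}
sample_bad() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Log Signer (constructed) <logs@example.invalid>
EOF
}

# Demo run over the constructed samples; rc is captured so the script never aborts here.
for s in sample_good sample_other_key sample_bad; do
    rc=0
    $s | check_status "$SERVER_FPR" || rc=$?
    echo "$s -> exit $rc"
done
```

The `set -- $rest` inside the loop deliberately relies on word splitting to index the `VALIDSIG` fields; because the expected fingerprint is saved in `$expected` first, clobbering the positional parameters is harmless. An empty status stream (tool never ran, or the fd was wired wrongly) yields exit 1 rather than 0, which is the safe default for a log-integrity check.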