sopv-gpgpv: an implementation of the verification-only subset of the Stateless OpenPGP CLI using gpgv as a backend

Simon Josefsson simon at josefsson.org
Wed Jul 24 11:48:54 CEST 2024


Werner Koch via Gnupg-users <gnupg-users at gnupg.org> writes:

> Hi!
>
> while talking about gpgv, let me remind you about the new
> --assert-signer option which can be used as a replacement for gpgv.
>
>   --assert-signer fpr_or_file
>   
>      This option checks whether at least one valid signature on file has
>      been made with the specified key.  The key is either specified as a
>      fingerprint or a file listing fingerprints.  The fingerprint must be
>      given or listed in compact format (no colons or spaces in between).
>      This option can be given multiple times and each fingerprint is
>      checked against the signing key as well as the corresponding
>      primary key.  If fpr_or_file specifies a file, empty lines are
>      ignored as well as all lines starting with a hash sign.  With this
>      option gpg is guaranteed to return with an exit code of 0 if and
>      only if a signature has been encountered, is valid, and the key
>      matches one of the fingerprints given by this option.
>
> This option is available since 2.4.1.

I've been wanting a parameter like that!  Does it check key expiration
times by default?  Is it possible to disable/enable that behaviour?

Sometimes (and a safe default behaviour) you want to reject signatures
signed by an expired key, although sometimes you want to permit that to
confirm that some old signature was created by some expired key.

/Simon
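As an added example (not code from this thread or from GnuPG), a POSIX shell wrapper around the option Werner describes: it turns an operator-written allow-list into the compact fingerprint file `--assert-signer fpr_or_file` expects and then lets gpg's exit code decide. It assumes gpg 2.4.1 or later on PATH and that the signer's public key is already in the keyring (gpg cannot validate the signature otherwise); the fingerprints are constructed placeholders and the 40/64 hex-digit length check is this script's own sanity check, not a gpg requirement.

```sh
#!/bin/sh
# Added example (not from the thread): wrap gpg --assert-signer so that a
# detached signature only passes when the signer is on an allow-list file.
# Assumes gpg >= 2.4.1 on PATH; the fingerprints below are constructed.

# Normalize a fingerprint list file into the form --assert-signer expects:
# blank lines and lines starting with '#' are dropped, and colons/spaces are
# removed so each fingerprint is compact. The 40/64 hex-digit length check
# (v4/v6 fingerprints) is this script's own policy, not a gpg requirement.
normalize_fpr_list() {
    awk '
        /^[ \t]*#/ { next }                  # comment line
        /^[ \t]*$/ { next }                  # empty line
        {
            fpr = toupper($0)
            gsub(/[: \t\r]/, "", fpr)
            if (fpr !~ /^[0-9A-F]+$/ || (length(fpr) != 40 && length(fpr) != 64)) {
                print "bad fingerprint entry: " $0 | "cat 1>&2"; bad = 1; next
            }
            print fpr
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Verify DATA against detached SIG. gpg exits 0 if and only if a signature was
# found, is valid, and its signing or primary key is listed; anything else
# (no signature, bad signature, unlisted key) is non-zero, so the exit code
# alone is safe to gate a build or install step on.
assert_signed_by() {
    sig=$1; data=$2; fpr_file=$3
    tmp=$(mktemp) || return 2
    if ! normalize_fpr_list "$fpr_file" > "$tmp"; then
        rm -f "$tmp"; return 2               # refuse to run with a malformed list
    fi
    gpg --batch --assert-signer "$tmp" --verify "$sig" "$data"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed allow-list as an operator might write it (placeholder values).
write_sample_list() {
    cat > "$1" <<'EOF'
# release signing keys (constructed placeholders, not real keys)

0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
fedc:ba98:7654:3210:fedc:ba98:7654:3210:fedc:ba98
EOF
}
```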