sopv-gpgpv: an implementation of the verification-only subset of the Stateless OpenPGP CLI using gpgv as a backend

Todd Zullinger tmz at pobox.com
Mon Jul 29 21:47:09 CEST 2024


Hi,

Daniel Kahn Gillmor via Gnupg-users wrote:
> Hi Todd--
> 
> On Fri 2024-07-26 09:54:32 -0400, Todd Zullinger via Gnupg-users wrote:
>> A reasonably common use case for gpgv is to verify
>> signatures on release artifacts by distribution packaging
>> tools.  Being able to use the upstream provided key
>> material, which is typically armored, would make things a
>> bit simpler and easier to verify for people interested in
>> ensuring those packages are using the proper key material
>> and are not introducing any issues.
> 
> I recommend using any sopv implementation for that use case, since sopv
> is specified to explicitly accept both armored and unarmored
> certificates as verification targets.

That's a fine goal for down the road, but it's not going to
be a solid option until those implementations are all
included in the distributions.

Particularly, using sopv-gpgv would introduce more
dependencies to the buildroot (the python stack,
specifically) which is unlikely to be something folks like
Fedora want, after spending time to minimize the default
buildroot.  (I don't care too much about Fedora anymore, as
I'm migrating away from anything Red Hat based, but it's
still what I'm most familiar with.)

Fedora does have the Sequoia SOP command available, but it
doesn't work out of the box (nor does it provide an option
to be more verbose, AFAICT).

Not that I want to turn this into a support chat for an
unrelated command, but here's what the experience looks like
in a minimal Fedora 40 container when attempting to verify
the git source:

    [root at 6e3fc2ac22a3 tmp]# /usr/lib/rpm/redhat/gpgverify \
        --keyring=gpgkey-junio.asc --signature=git-2.46.0.tar.sign \
        --data=git-2.46.0.tar
    gpgv: Signature made Mon Jul 29 14:27:21 2024 UTC
    gpgv:                using RSA key E1F036B1FEE7221FC778ECEFB0B5E88696AFE6CB
    gpgv: Good signature from "Junio C Hamano <gitster at pobox.com>"
    gpgv:                 aka "Junio C Hamano <junio at pobox.com>"
    gpgv:                 aka "Junio C Hamano <jch at google.com>"

    [root at 6e3fc2ac22a3 tmp]# /tmp/sopv-gpgv verify git-2.46.0.tar.sign \
        gpgkey-junio.asc <git-2.46.0.tar
    2024-07-29T14:07:21Z E1F036B1FEE7221FC778ECEFB0B5E88696AFE6CB 96E07AF25771955980DAD10020D04E5A713660A7 mode:binary

    [root at 6e3fc2ac22a3 tmp]# sqop verify git-2.46.0.tar.sign \
        gpgkey-junio.asc <git-2.46.0.tar
    No acceptable signatures found

The version installed was 0.34.0, while there is a newer tag
upstream 0.35.0.  I tested that as well, with the same
result.

Using /usr/lib/rpm/redhat/gpgverify -- which is a small
shell script wrapper for gpgv -- avoids new dependencies and
produces quite readable output which is handy in build logs.

Using an SOP command would still require some wrapper to
provide useful error output.  That's all fixable, but it's
going to take some time before that's in place and
acceptable by many distributions.

Personally, I'd prefer to continue using gpgv for now.  But
I'll keep an eye on the SOP clients.

Thanks,

-- 
Todd
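As an added illustration of the wrapper approach discussed above (this is not Fedora's /usr/lib/rpm/redhat/gpgverify nor any code from the thread), here is a minimal POSIX sh wrapper around gpgv that accepts either an armored or a binary keyring, so upstream-provided .asc key files can be used directly while keeping gpgv's readable output in build logs. It assumes gpgv and gpg are on PATH; the file names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not Fedora's gpgverify: a gpgv wrapper that accepts an
# ASCII-armored or binary keyring.  Assumes gpgv and gpg are on PATH.

# Return 0 if the file starts with an ASCII-armored OpenPGP public key block.
is_armored_key() {
    head -n 1 "$1" 2>/dev/null | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----$'
}

# Print the path of a keyring gpgv can read: dearmor into a temporary
# file when the input is armored, otherwise reuse the input file as-is.
prepare_keyring() {
    keyfile=$1
    if is_armored_key "$keyfile"; then
        tmpring=$(mktemp "${TMPDIR:-/tmp}/keyring.XXXXXX") || return 1
        # gpg --dearmor turns the armored block into binary OpenPGP packets
        if ! gpg --batch --quiet --dearmor < "$keyfile" > "$tmpring"; then
            rm -f "$tmpring"
            return 1
        fi
        echo "$tmpring"
    else
        echo "$keyfile"
    fi
}

# verify_release KEYFILE SIGNATURE DATA
# Runs gpgv against a keyring derived from KEYFILE and reports which step
# failed, so the reason is visible in a build log.
verify_release() {
    keyfile=$1; sig=$2; data=$3
    ring=$(prepare_keyring "$keyfile") || {
        echo "error: cannot prepare keyring from $keyfile" >&2; return 2; }
    # gpgv looks up keyring names without a slash in its home directory,
    # so anchor relative paths to the current directory.
    case $ring in */*) ;; *) ring=./$ring ;; esac
    gpgv --keyring "$ring" "$sig" "$data"
    status=$?
    if [ "$ring" != "$keyfile" ] && [ "$ring" != "./$keyfile" ]; then
        rm -f "$ring"
    fi
    if [ "$status" -ne 0 ]; then
        echo "error: signature verification failed for $data (gpgv exit $status)" >&2
    fi
    return "$status"
}

# Usage (placeholder file names):
#   verify_release gpgkey-junio.asc git-2.46.0.tar.sign git-2.46.0.tar
```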