[Feature request] Please make it easier to check success/failure from scripts

Werner Koch wk at gnupg.org
Fri Sep 6 11:26:30 CEST 2024


Hi!

On Tue, 27 Aug 2024 17:37, Jakob Bohm said:

> status-fd output for a multitude of situation specific strings.
> Sometimes it is even necessary to check if the expected signing key is
> mentioned in specific ways.

Right.  That is because there are a lot of use cases for signatures
which require different handling depending on the signature (e.g. time
created) and meta data from the key.

For OpenPGP we wrote gpgv to handle one common task; which was
originally Debian package signing.

Only recently we added --assert-signer to gpg which actually can replace
gpgv.  The plan is to add a few other --assert options for example to
check the time the signature was made.

> I know this because I have a script that uses gpgsm to do pipelined
> check of a large CMS signed system log, which is signed by the server
> to prevent later malicious changes.  gpgsm is used because of its
> specific support for streamed processing.

Cool.  I didn't expect that someone really has this use case.  But it
makes sense.  See T7286: Add --assert-signer also to gpgsm.

> Another, related, feature would be the ability to run the gnupg tools
> in a mode that doesn't talk to any part of the environment, neither
> the gnupg config dir, nor the various helper programs (directory,
> password prompt etc.), but instead acts predictably based only on the
> command line options.

That is too hard to implement.  We have keys, trust models, ownertrust,
and compliance modes which is quite some data.  For this it is better to
use a separate GNUPGHOME.  The --assert-signer requires a fingerprint or
the list of fingerprints and thus the import of the to-be-tested keys
prior to running a verification.  It might be possible to combine the
import and the verification and even make the imported keys ephemeral
so that they don't clutter the keyring.  However, some file system write
access will be required unless we can find a way to keep the keys in a
memory only database.  A RAM based file system and ephemeral storage of
keys would be an easier solution.


Shalom-Salam,

   Werner


-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
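As an added illustration of the two approaches the mail contrasts (letting --assert-signer fold the "signed by the expected key?" test into gpg's exit status, versus checking status-fd output for the expected key), here is example shell code that is not from the mail or from GnuPG itself. It follows the mail's advice of running gpg against a separate, throw-away GNUPGHOME. The fingerprint, key file names and status lines are constructed placeholders, and the --assert-signer wrapper assumes a gpg release that supports that option.

```shell
#!/bin/sh
# Added example, not code from the mail or from GnuPG: verify a detached
# OpenPGP signature from a script and make sure it came from the expected key.
# The fingerprint and the status lines below are constructed placeholders.

# Primary-key fingerprint of the signer we accept (constructed placeholder).
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Approach 1: let gpg do the "signed by this key?" check (--assert-signer).
# A throw-away GNUPGHOME holds only the key we import, so nothing from the
# caller's real keyring, ownertrust or config affects the outcome.  Exit
# status 0 means: signature valid AND made by the listed fingerprint.
#   $1 fingerprint (or file of fingerprints), $2 public key file,
#   $3 detached signature, $4 signed data
verify_with_assert_signer() {
  home=$(mktemp -d) || return 1
  chmod 700 "$home"
  gpg --homedir "$home" --batch --quiet --import "$2" >/dev/null 2>&1 ||
    { rm -rf "$home"; return 1; }
  gpg --homedir "$home" --batch --no-tty --assert-signer "$1" \
      --verify "$3" "$4" >/dev/null 2>&1
  rc=$?
  rm -rf "$home"
  return "$rc"
}

# Approach 2 (works with older releases): parse the machine-readable status
# lines that "gpg --status-fd 1 --verify ..." prints, e.g.
#   gpg --homedir "$home" --batch --status-fd 1 --verify sig data 2>/dev/null |
#     status_ok "$EXPECTED_FPR"
# Succeeds only if a VALIDSIG line names the expected fingerprint (as the
# signing key in field 3 or as the primary key in the last field) and no
# BADSIG, ERRSIG or NODATA was reported.  GOODSIG is deliberately not used:
# it only carries a 64-bit key ID plus a user ID, not the full fingerprint.
status_ok() {
  awk -v want="$1" '
    $1 != "[GNUPG:]" { next }
    $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NODATA" { bad = 1 }
    $2 == "VALIDSIG" && ($3 == want || $NF == want) { good = 1 }
    END { exit (good && !bad) ? 0 : 1 }
  '
}

# Constructed status output, in the shape gpg emits on --status-fd.
SAMPLE_GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-09-06 1725614790 0 4 0 22 10 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

SAMPLE_BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>'

# Stand-alone demo on the constructed samples (no gpg binary needed).
if printf '%s\n' "$SAMPLE_GOOD_STATUS" | status_ok "$EXPECTED_FPR"; then
  echo "sample 1: valid signature from the expected key"
else
  echo "sample 1: rejected"
fi
if printf '%s\n' "$SAMPLE_BAD_STATUS" | status_ok "$EXPECTED_FPR"; then
  echo "sample 2: accepted (must not happen)"
else
  echo "sample 2: rejected"
fi
```

The status-fd parser is what a script has to carry on releases without --assert-signer; it is also the place where the "is the expected signing key mentioned in specific ways" check from the quoted text lives, and matching the full fingerprint on VALIDSIG rather than the key ID on GOODSIG is what makes that check meaningful.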