[Feature request] Please make it easier to check success/failure from scripts

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Sep 9 05:47:38 CEST 2024


On Tue 2024-08-27 17:37:03 +0200, Jakob Bohm via Gnupg-users wrote:
> Another, related, feature would be the ability to run the gnupg tools in 
> a mode that doesn't talk to any part of the environment, neither the 
> gnupg config dir, nor the various helper programs (directory, password 
> prompt etc.), but instead acts predictably based only on the command 
> line options.

Given this request for statelessness, you might be interested in the
"stateless openpgp command line interface", or "sop", which is designed
in many ways for the types of operations you're talking about:

    https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/

(disclaimer: I've been shepherding the specification, but there are a
half-dozen high quality implementations in the wild and several more in
incubation)

For signature verification specifically, the "sopv" verification-only
subset is intended specifically to integrate well with other POSIX
commands.  A sopv implementation that wraps gpgv and handles all the
status-fd checking as documented is also available at:

    https://gitlab.com/dkg/sopv-gpgv

I see that you're using S/MIME and/or CMS (i.e. gpgsm) instead of the
OpenPGP equivalents, and i don't know that anyone has produced something
comparable for S/MIME or CMS, unfortunately.  But the rough shape of the
problem space is the same.  I'd be very surprised if you couldn't move
your administrative tooling over to using OpenPGP and making it work
successfully with any of the available sop implementations.

Regards,

        --dkg
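The status-fd checking the message mentions, sketched as an added example in POSIX sh (not code from the thread and not sopv-gpgv's own): `verify_status` reduces gpgv's `--status-fd` stream to a single exit code, accepting only when a VALIDSIG line is present and nothing bad, expired, revoked or unknown appears; `verify_file` is a hypothetical wrapper around gpgv, and the sample status lines and fingerprint are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from sopv-gpgv: collapse gpgv's
# --status-fd stream into one yes/no exit status, the check the email says
# sopv-gpgv performs. Status keywords are gpg's documented tokens; the
# sample lines below are constructed, with a placeholder fingerprint.

# verify_status: read "[GNUPG:] ..." lines on stdin. Exit 0 only if a
# VALIDSIG line was seen and no failing or weakening status appeared.
# An empty stream (no signature at all) also fails.
verify_status() {
    valid=0 bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*) valid=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPSIG "*) bad=1 ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*|"[GNUPG:] NO_PUBKEY "*) bad=1 ;;
        esac
    done
    [ "$valid" -eq 1 ] && [ "$bad" -eq 0 ]
}

# verify_file KEYRING SIG DATA: hypothetical wrapper that runs gpgv with
# status lines on fd 3, feeds only fd 3 to verify_status and discards the
# human-readable output. Needs gpgv and a keyring; not exercised below.
verify_file() {
    { gpgv --status-fd 3 --keyring "$1" "$2" "$3" 3>&1 >/dev/null 2>&1; } \
        | verify_status
}

FPR=0123456789ABCDEF0123456789ABCDEF01234567   # constructed placeholder

GOOD_RUN="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG $FPR 2024-08-27 1724773023 0 4 0 1 10 01 $FPR"

# Two signatures, one good and one bad: reject; never stop at the first hit.
MIXED_RUN="$GOOD_RUN
[GNUPG:] NEWSIG
[GNUPG:] BADSIG FEDCBA9876543210 Someone Else <other@example.org>"

NOKEY_RUN="[GNUPG:] NEWSIG
[GNUPG:] ERRSIG FEDCBA9876543210 1 10 01 1724773023 9 $FPR
[GNUPG:] NO_PUBKEY FEDCBA9876543210"

for name in GOOD_RUN MIXED_RUN NOKEY_RUN; do
    eval "run=\$$name"
    if printf '%s\n' "$run" | verify_status; then echo "$name: ok"; else echo "$name: FAIL"; fi
done
```

Only GOOD_RUN passes; a real wrapper should also treat a non-zero gpgv exit code as failure rather than trusting the status lines alone.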