[Feature request] Please make it easier to check success/failure from scripts

Jakob Bohm jb-gnumlists at wisemo.com
Mon Sep 16 12:47:35 CEST 2024


On 2024-09-13 16:42, Werner Koch wrote:
> Hi!
> 
> GnuPG 2.5.1 has the option --assert-signer and 2.4.6 will have this
> option as well:
> 
>     --assert-signer fpr_or_file
>     
>       This option checks whether at least one valid signature on a file
>       has been made with the specified key.  The key is either specified
>       as a fingerprint or a file listing fingerprints.  The fingerprint
>       must be given or listed in compact format (no colons or spaces in
>       between).  As of now only SHA-1 fingerprints are allowed.  This
>       option can be given multiple times and each fingerprint is checked
>       against the signing key as well as the corresponding primary key.
>       If fpr_or_file specifies a file, empty lines are ignored as well as
>       all lines starting with a hash sign.  With this option gpgsm is
>       guaranteed to return with an exit code of 0 if and only if a
>       signature has been encountered, is valid, and the key matches one
>       of the fingerprints given by this option.
> 
> 
> Tracked as https://dev.gnupg.org/T7286
> 
> Hope that helps a bit.
> 
> 

This is a very partial solution, and only for bleeding edge GnuPG.  It
might be usable when combined with scripting that identifies the hash of
the DER certificate expected, but still at the (security, stability and
performance) cost of invoking the Ægyptian bureaucracy of GPG-specific
versions of the overall X.509 infrastructure in the OS (typically based
on derivatives of old SSLeay code or Microsoft CryptoAPI 1.x).


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
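The following is an added illustration of how a script would use the --assert-signer option described in the quoted reply; it is not code from the thread or from the GnuPG project. It parses a fingerprint file by the rules the option text gives (blank lines and lines starting with a hash sign ignored, compact SHA-1 fingerprints only), normalises colon- or space-separated fingerprints into compact form, builds the gpgsm command line, and reduces the result to a single yes/no from the exit code. The fingerprint values, file names and function names are placeholders chosen for the example; it assumes a gpgsm new enough to accept --assert-signer (2.4.6 or 2.5.1 per the quoted message) and the documented `gpgsm --verify sigfile signed-file` form for detached signatures.

```python
import re
import shutil
import subprocess
from typing import Optional

# Compact-format SHA-1 fingerprint: exactly 40 hex digits, no colons or spaces,
# which is the only form --assert-signer accepts according to the option text.
_COMPACT_SHA1 = re.compile(r"^[0-9A-Fa-f]{40}$")

# Constructed sample fingerprint file (placeholder values, not real keys).
SAMPLE_FINGERPRINT_FILE = """\
# Release signing keys (constructed example values, not real keys)
0123456789ABCDEF0123456789ABCDEF01234567

fedcba9876543210fedcba9876543210fedcba98
"""


def to_compact(fpr: str) -> str:
    """Turn a fingerprint as gpg/gpgsm print it ("AB:CD:..." or "ABCD EFGH ...")
    into the compact upper-case form the option requires."""
    return fpr.replace(":", "").replace(" ", "").upper()


def load_fingerprint_file(text: str) -> list:
    """Parse a fingerprint list the way the option description says it is read:
    empty lines and lines beginning with '#' are skipped; every remaining line
    must be one compact SHA-1 fingerprint, otherwise the file is rejected
    (better to fail closed than to silently accept fewer signers)."""
    fprs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not _COMPACT_SHA1.match(line):
            raise ValueError(f"line {lineno}: not a compact SHA-1 fingerprint: {raw!r}")
        fprs.append(line.upper())
    if not fprs:
        raise ValueError("fingerprint file contains no fingerprints")
    return fprs


def build_verify_command(signature: str, fingerprints: list,
                         signed_data: Optional[str] = None) -> list:
    """Build the gpgsm argv: one --assert-signer per accepted fingerprint, then
    --verify with the signature file and (for detached signatures) the data file."""
    cmd = ["gpgsm", "--batch"]
    for fpr in fingerprints:
        cmd += ["--assert-signer", fpr]
    cmd += ["--verify", signature]
    if signed_data is not None:
        cmd.append(signed_data)
    return cmd


def signer_asserted(signature: str, fingerprints: list,
                    signed_data: Optional[str] = None) -> Optional[bool]:
    """Run gpgsm and collapse the outcome to True (exit code 0: a valid signature
    by one of the listed keys was found), False (any other exit code), or None
    when gpgsm is not installed so the caller can distinguish "not checked" from
    "check failed"."""
    if shutil.which("gpgsm") is None:
        return None
    result = subprocess.run(build_verify_command(signature, fingerprints, signed_data),
                            capture_output=True)
    return result.returncode == 0


if __name__ == "__main__":
    accepted = load_fingerprint_file(SAMPLE_FINGERPRINT_FILE)
    # Placeholder file names; with a real signature and gpgsm installed this
    # prints True/False, otherwise None.
    print(signer_asserted("release.tar.p7s", accepted, "release.tar"))
```

The parser rejects colon-separated or otherwise malformed lines instead of trying to repair them, because a fingerprint file that quietly loses an entry changes which signers a script accepts; normalisation is kept explicit in `to_compact` for callers that copy fingerprints out of gpgsm's own output.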