<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<div class="moz-cite-prefix">On 30/10/2025 06:38, Robert J. Hansen
via Gnupg-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:21598c5a-7d7d-41d1-9c32-3f2268d51fc6@sixdemonbag.org">
<blockquote type="cite">And none of this is documented or
exemplified in the obvious gnupg
<br>
man pages.
<br>
</blockquote>
<br>
From the first page of the man:
<br>
<br>
"Note that signature verification requires exact
<br>
knowledge of what has been signed and by whom it
<br>
has been signed. Using only the return code is
<br>
thus not an appropriate way to verify a signature
<br>
by a script. Either make proper use or the status
<br>
codes or use the gpgv tool which has been designed
<br>
to make signature verification easy for scripts."
<br>
<br>
You weren't using status codes sent on --status-fd, you were
parsing
<br>
human-readable output exactly like you were explicitly advised not
to
<br>
do. From the "WARNINGS" section of the manpage:
<br>
</blockquote>
<tt>Wrong assumption, I heeded that warning and wrote a bunch of <br>
bash scripting to look in --status-fd output for relevant <br>
computer-readable messages, some including the hash of the <br>
expected signer identity (this was written years before gpg <br>
2.4 added the new option). My complaint is how much work that <br>
was.<br>
</tt>
<blockquote type="cite"
cite="mid:21598c5a-7d7d-41d1-9c32-3f2268d51fc6@sixdemonbag.org"><tt>
</tt><br>
"For scripted or other unattended use of gpg make
<br>
sure to use the machine-parseable interface and not
<br>
the default interface which is intended for direct
<br>
use by humans. The machine-parseable interface
<br>
provides a stable and well documented API
<br>
independent of the locale or future changes of gpg.
<br>
To enable this interface use the options
<br>
--with-colons and --status-fd. For certain
<br>
operations the option --command-fd may come handy
<br>
too.
<br>
<br>
…
<br>
<br>
As an alternative the library GPGME can be used as
<br>
a high-level abstraction on top of that interface."
<br>
<br>
Everything you needed was at the top of the man page. This one's
on you.
<br>
<br>
<blockquote type="cite">GpgMe has been presented to the public
(including me) exclusively as
<br>
a library for integrating gnupg in existing interactive MUA
programs
<br>
like Outlook and TBird, not for much less user-oriented tasks
such
<br>
as verifying that internal file delivery ABCD1234.xyz was signed
by
<br>
the time-appropriate key for system ABCD.
<br>
</blockquote>
<br>
From <a class="moz-txt-link-freetext" href="https://www.gnupg.org/software/gpgme/index.html">https://www.gnupg.org/software/gpgme/index.html</a>:
<br>
<br>
"Because the direct use of GnuPG from an
<br>
application can be a complicated programming task,
<br>
it is suggested that all software should try to
<br>
use GPGME instead."
<br>
<br>
</blockquote>
<tt>That statement says nothing to dispel the notion that gpgme is
a <br>
library for the most primitive end user scenarios, not serious <br>
automation, a notion very much encouraged by
the use of the word <br>
"me" in its name.</tt><tt><br>
</tt><tt><br>
</tt><tt>In fact it looks very much like the advertisement blurbs
added by <br>
other software vendors to advertise seriously
crippled wrapper <br>
libraries.</tt><tt><br>
</tt><br>
<blockquote type="cite"
cite="mid:21598c5a-7d7d-41d1-9c32-3f2268d51fc6@sixdemonbag.org">I
don't know who presented GPGME to you, but whoever it was hadn't
read
<br>
the web page about it.<br>
</blockquote>
<br>
<br>
<div class="moz-signature">-- <br>
Jakob Bohm, CIO, partner, WiseMo A/S. <a
href="https://www.wisemo.com">https://www.wisemo.com</a><br>
Transformervej 29, 2860 Soborg, Denmark. direct: <a
href="tel:+4531131610">+45 31 13 16 10</a><br>
This message is only for its intended recipient, delete if
misaddressed.<br>
WiseMo - Remote Service Management for PCs, Phones and Embedded
</div>
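<p>The approach both sides of this exchange describe, a script that reads gpg's machine-readable <tt>--status-fd</tt> output and checks the signer's fingerprint instead of the exit code or the human-readable text, as an added POSIX sh example (not code from the thread, from GnuPG, or from either poster). It assumes gpg is on PATH, that the expected signer's full fingerprint is known in advance, and the function and variable names are the example's own; the status lines used to exercise it are constructed samples in the documented <tt>[GNUPG:]</tt> format, not real output.</p>

```shell
#!/bin/sh
# Added example, not code from the thread: verify a signature through gpg's
# machine-readable --status-fd interface rather than grepping human-readable text.
# Assumes gpg is on PATH and the expected signer's fingerprint is known in advance.

# check_gpg_status EXPECTED_FPR
#   Reads "[GNUPG:] ..." status lines on stdin (as written by --status-fd).
#   Returns 0 only if a VALIDSIG line names EXPECTED_FPR, either as the
#   signing (sub)key fingerprint (field 3) or as the primary key fingerprint
#   (last field), and no line reports a bad, errored, expired or revoked
#   signature or a missing key. Anything else is a failure: the gpg exit
#   code and GOODSIG alone are never treated as sufficient.
check_gpg_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    valid=0
    bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                sigfpr=$(printf '%s\n' "$line" | awk '{print $3}')
                primfpr=$(printf '%s\n' "$line" | awk '{print $NF}')
                if [ "$sigfpr" = "$expected" ] || [ "$primfpr" = "$expected" ]; then
                    valid=1
                fi
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPSIG "*| \
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*|"[GNUPG:] NO_PUBKEY "*)
                bad=1
                ;;
        esac
    done
    [ "$valid" -eq 1 ] && [ "$bad" -eq 0 ]
}

# verify_file SIGNATURE DATA EXPECTED_FPR
#   Runs gpg unattended with the status lines on stdout (fd 1) and the
#   human-readable chatter discarded on stderr, then applies the check above.
#   The pipeline's result is check_gpg_status's verdict, not gpg's exit code.
verify_file() {
    gpg --batch --no-tty --status-fd 1 --verify "$1" "$2" 2>/dev/null \
        | check_gpg_status "$3"
}

# Usage: sh verify.sh file.sig file EXPECTED_FINGERPRINT
if [ "$#" -eq 3 ]; then
    if verify_file "$1" "$2" "$3"; then
        echo "signature accepted: made by the expected signer"
    else
        echo "signature NOT accepted" >&2
        exit 1
    fi
fi
```

<p>The fingerprint comparison is the part that the plain exit code cannot give you: a GOODSIG from some other key in the keyring still exits 0, while VALIDSIG carries the fingerprint and is the only line worth matching against a pinned signer. Newer gpg 2.4 releases also offer <tt>--assert-signer</tt>, which moves the same pinning inside gpg; for older versions this status-line check is what a script has to do itself.</p>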
</body>
</html>