Werner Koch <[email protected]> writes: > On Thu, 13 Dec 2012 16:35, [email protected] said: >> it would be very nice if gpg had a --verify command that would also output >> the >> signed data. (Maybe "gpg --output - --verify"?) Otherwise you know the data >> is >> signed, but still have to extract it somehow. > > Verification of a signature is quite complicated. The math is easy but > how to properly setup a scheme for automated signature checking is hard. > You need to figure out what has been signed, who signed, whether the key > is valid, and what to do if the key meanwhile expired. Return just a > simple status code would need to hardwire a certain policy which needs > to be strictly followed. I doubt that this is easier than to use > detached signatures, which instantly solve many of the problems.
I agree that detached signatures are easier, but that should only change the "what has been signed" part. Having gpg output the signed data would answer that. For the rest, I'm mostly thinking of places where gpgv is used and one has a keyring where all keys are trusted. I don't think more complicated policies should be implemented using just the return code. Ansgar -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
