On Wed, 21 May 2025 21:18, Björn Persson said:
>> for i in $@ ; do
>> gpg -d -- ${i}.signedhash | sha256sum -c || fail "Failed to verify"
>> done
>
> That script ignores the result of the signature verification. It will
> return success if sha256sum finds that the hash matches the file, even
> if the signature is invalid.
Further, the verification is not robust. Either use --assert-signer or
replace gpg with gpgv. Then the OP should either use a clear text signature
and use "--output -" to get the actual signed data or - better - use a
detached signature scheme with a data file and a separate signature
file. Something like this:
if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst 2>/dev/null; then
    echo "list of software versions is not valid!" >&2
    exit 1
fi
Salam-Shalom,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
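As an added illustration of the two points raised in this thread (not code from the original messages or from GnuPG itself), the script below puts the original `gpg -d | sha256sum -c` one-liner next to a detached-signature check in the style of Werner's snippet, so the exit-status problem can be seen directly. The names GPG, GPGV, KEYRING and the files swdb.lst, swdb.lst.sig and swdb.lst.signedhash are assumed placeholders.

```sh
#!/bin/sh
# Added example, not code from the thread. GPG, GPGV, KEYRING and the
# swdb.lst* file names are assumed placeholders in the style of the thread.

GPG=${GPG:-gpg}                     # decrypts/verifies an inline-signed file
GPGV=${GPGV:-gpgv}                  # verify-only tool, fails on any bad signature
KEYRING=${KEYRING:-distsigkey.gpg}  # keyring holding ONLY the trusted release key

# naive_verify LIST: the original one-liner. Without pipefail the pipeline's
# exit status is that of sha256sum alone, so a failed signature check is lost.
naive_verify() {
    "$GPG" -d -- "$1.signedhash" 2>/dev/null | sha256sum -c --quiet
}

# verify_hashes LIST SIGFILE: detached-signature scheme, each step checked on
# its own. LIST is a sha256sum-format file ("<hex>  <filename>" per line),
# SIGFILE its detached signature. Returns 0 only if signature AND hashes are good.
verify_hashes() {
    list=$1 sig=$2
    # Step 1: authenticity. Nothing in LIST is used before this succeeds.
    if ! "$GPGV" --keyring "$KEYRING" -- "$sig" "$list" 2>/dev/null; then
        echo "signature on $list is not valid!" >&2
        return 1
    fi
    # Step 2: integrity of the listed files. --strict also rejects malformed lines.
    if ! sha256sum -c --strict --quiet -- "$list" 2>/dev/null; then
        echo "hash mismatch for a file listed in $list" >&2
        return 2
    fi
    return 0
}
```

In bash, `set -o pipefail` would also surface the gpg failure in the one-liner, but separating the two steps works in plain POSIX sh and keeps the decision about authenticity before any use of the data.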
