On 24/10/2025 18:53, Werner Koch wrote:
> On Fri, 24 Oct 2025 15:03, Jakob Bohm said:
>> Note that the above user visible output (not the exit code) pretends
>> to report success,
>
> Which is technically correct because the signature is valid.  The
> assertion simply fails and thus the exit code is guaranteed to be failure
> and you will also see an ASSERT_SIGNER status line if the assertion is true.

"Technically correct" is a bad excuse for misleading humans.

>> --status-fd is a particularly horrible interface for shell scripting use,
>> as it requires setting up an additional temporary file and overly complex
>
> awk is the tool of choice ;-)
>
> I would suggest to use libgpgme, gpgme-tools, or gpgme-json for all
> applications.  No need for --assert-signer in this case because this can
> be easily checked without.


And none of this is documented or exemplified in the obvious gnupg man pages. Thus, when I needed to verify that some files were signed by specific automated systems, I had to do a highly complex combination of bash scripting, grep, etc. GPGME has been presented to the public (including me) exclusively as a library for integrating gnupg in existing interactive MUA programs like Outlook and TBird, not for much less user-oriented tasks such as verifying that internal file delivery ABCD1234.xyz was signed by the time-appropriate key for system ABCD.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
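An added example, not from either poster, of the shell approach the thread discusses: run gpg with --status-fd, let awk pick the signer fingerprints out of the VALIDSIG status lines (as Werner suggests), and accept the file only when at least one valid signature comes from a fingerprint on an allow-list and no BADSIG/ERRSIG line is present. The parser is kept separate from the gpg invocation so it can be exercised on captured status output; the status text and fingerprints in SAMPLE_STATUS are constructed for the demonstration and are not real keys.

```shell
#!/bin/sh
# Added example: accept a detached signature only if a VALIDSIG status line
# names a fingerprint from an allow-list. Not part of the thread's own tooling.

# Print the primary-key fingerprint of every VALIDSIG line on stdin.
# VALIDSIG fields: <fpr> <date> <ts> <expire-ts> <ver> <reserved> <pk-algo>
#                  <hash-algo> <class> <primary-key-fpr>; the last field is
#                  the primary key even when a subkey made the signature.
valid_signer_fprs() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF }'
}

# Exit 0 if any BADSIG or ERRSIG status line is present on stdin.
has_bad_sig() {
    awk '$1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG") { found = 1 }
         END { exit !found }'
}

# signed_by_allowed STATUS_TEXT ALLOWED_FPRS
# Returns 0 iff STATUS_TEXT contains no bad/erroneous signature and at
# least one VALIDSIG whose primary fingerprint is in the space-separated
# ALLOWED_FPRS list.
signed_by_allowed() {
    status_text=$1
    allowed=$2
    if printf '%s\n' "$status_text" | has_bad_sig; then
        return 1
    fi
    for fpr in $(printf '%s\n' "$status_text" | valid_signer_fprs); do
        for ok in $allowed; do
            [ "$fpr" = "$ok" ] && return 0
        done
    done
    return 1
}

# verify_file SIGFILE DATAFILE ALLOWED_FPRS
# Real invocation: --status-fd 1 sends the machine-readable lines to stdout
# (gpg's human-readable report goes to stderr), so no temporary file is needed.
verify_file() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null)
    signed_by_allowed "$status" "$3"
}

# Constructed sample output (fingerprints are placeholders, not real keys).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Signer
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2025-10-24 1761318000 0 4 0 1 10 00 AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed sample where the signature did not verify.
SAMPLE_BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Constructed Signer'

ALLOWED="AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"

if signed_by_allowed "$SAMPLE_STATUS" "$ALLOWED"; then
    echo "sample: accepted (valid signature from an allowed key)"
else
    echo "sample: rejected"
fi
```

Note that TRUST_UNDEFINED is deliberately ignored here: the allow-list of fingerprints is the trust decision, which is exactly the case where web-of-trust validity is irrelevant. Two signatures on one file, one good and one bad, are rejected outright by the BADSIG check.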

_______________________________________________
Gnupg-users mailing list
[email protected]
https://lists.gnupg.org/mailman/listinfo/gnupg-users