Re: decryption outputs to stdout before verification

Wed, 29 Oct 2025 22:40:08 -0700 

And none of this is documented or exemplified in the obvious gnupg
man pages.


From the first page of the man:

        "Note that signature verification requires exact
        knowledge of what has been signed and by whom it
        has been signed.  Using only the return code is
        thus not an appropriate way to verify a signature
        by a script. Either make proper use or the status
        codes or use the gpgv tool which has been designed
        to make signature verification easy for scripts."

You weren't using status codes sent on --status-fd, you were parsing
human-readable output exactly like you were explicitly advised not to
do. From the "WARNINGS" section of the manpage:

        "For scripted or other unattended use of gpg make
        sure to use the machine-parseable interface and not
        the default interface which is intended for direct
        use by humans.  The machine-parseable interface
        provides a stable and well documented API
        independent of the locale or future changes of gpg.
        To enable this interface use the options
        --with-colons and --status-fd.  For certain
        operations the option --command-fd may come handy
        too.

        …

        As an alternative the library GPGME can be used as
        a high-level abstraction on top of that interface."

Everything you needed was at the top of the man page. This one's on you.


GpgMe has been presented to the public (including me) exclusively as
a library for integrating gnupg in existing interactive MUA programs
like Outlook and TBird, not for much less user-oriented tasks such
as verifying that internal file delivery ABCD1234.xyz was signed by
the time-appropriate key for system ABCD.


From https://www.gnupg.org/software/gpgme/index.html:

        "Because the direct use of GnuPG from an
        application can be a complicated programming task,
        it is suggested that all software should try to
        use GPGME instead."

I don't know who presented GPGME to you, but whoever it was hadn't read
the web page about it.




Attachment:
OpenPGP_signature.asc

Description: OpenPGP digital signature


_______________________________________________
Gnupg-users mailing list
[email protected]
https://lists.gnupg.org/mailman/listinfo/gnupg-users






















					Reply via email to