On 30/10/2025 06:38, Robert J. Hansen via Gnupg-users wrote:
And none of this is documented or exemplified in the obvious gnupg
man pages.
From the first page of the man:
"Note that signature verification requires exact
knowledge of what has been signed and by whom it
has been signed. Using only the return code is
thus not an appropriate way to verify a signature
by a script. Either make proper use or the status
codes or use the gpgv tool which has been designed
to make signature verification easy for scripts."
You weren't using status codes sent on --status-fd, you were parsing
human-readable output exactly like you were explicitly advised not to
do. From the "WARNINGS" section of the manpage:
Wrong assumption, I headed that warning and wrote a bunch of
bash scripting to look in --status-fd output for relevant
computer-readable messages, some including the hash of the
expected signer identity (this was written years before gpg
2.4 added the new option). My complain is how much work that
was .
"For scripted or other unattended use of gpg make
sure to use the machine-parseable interface and not
the default interface which is intended for direct
use by humans. The machine-parseable interface
provides a stable and well documented API
independent of the locale or future changes of gpg.
To enable this interface use the options
--with-colons and --status-fd. For certain
operations the option --command-fd may come handy
too.
…
As an alternative the library GPGME can be used as
a high-level abstraction on top of that interface."
Everything you needed was at the top of the man page. This one's on you.
GpgMe has been presented to the public (including me) exclusively as
a library for integrating gnupg in existing interactive MUA programs
like Outlook and TBird, not for much less user-oriented tasks such
as verifying that internal file delivery ABCD1234.xyz was signed by
the time-appropriate key for system ABCD.
From https://www.gnupg.org/software/gpgme/index.html:
"Because the direct use of GnuPG from an
application can be a complicated programming task,
it is suggested that all software should try to
use GPGME instead."
That statement says nothing to dispell the notion that gpgme is a
library for the most primitive end user scenarios, not serious
automation,a notion very much encouraged by the use of the word
"me" in its name.
In fact it looks very much like the advertisement blurbs added by
other software vendors to advertise seriously crippled wrapper
libraries.
I don't know who presented GPGME to you, but whoever it was hadn't read
the web page about it.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
Gnupg-users mailing list
[email protected]
https://lists.gnupg.org/mailman/listinfo/gnupg-users
