When I have a set of OpenPGP signatures bundled together which have different validities, it looks like gpg behaves differently depending on whether --batch is set or not.

In particular, an invalid signature seems to terminate the entire --verify process (skipping later valid signatures) when --batch is set, but it does not terminate the verification process otherwise.

Attached are two files: one is a simple shell script to demonstrate the problem (with embedded data and signature material), and a fake key used in the demonstrations. When I run it, I get the following output (AB means the good sig from the fake key occurs first, BA means the bad sig from my own key (D21739E9) happens first):

> 0 d...@pip:~/src/gmimetest/gmimetest$ ./demonstrate-flip
> Testing without --batch:
>  ==AB== 
> [GNUPG:] SIG_ID 8Dv9B4/7/rdjgFrLYlRGhj31b3o 2010-11-21 1290318596
> [GNUPG:] GOODSIG FAF286F977F50B3B fake user <f...@example.org>
> [GNUPG:] VALIDSIG FCD3E0AFA74EE527C61E0D34FAF286F977F50B3B 2010-11-21 1290318596 0 4 0 1 10 01 FCD3E0AFA74EE527C61E0D34FAF286F977F50B3B
> [GNUPG:] TRUST_UNDEFINED
> [GNUPG:] BADSIG CCD2ED94D21739E9 Daniel Kahn Gillmor <d...@fifthhorseman.net>
>  ==BA== 
> [GNUPG:] BADSIG CCD2ED94D21739E9 Daniel Kahn Gillmor <d...@fifthhorseman.net>
> [GNUPG:] SIG_ID 8Dv9B4/7/rdjgFrLYlRGhj31b3o 2010-11-21 1290318596
> [GNUPG:] GOODSIG FAF286F977F50B3B fake user <f...@example.org>
> [GNUPG:] VALIDSIG FCD3E0AFA74EE527C61E0D34FAF286F977F50B3B 2010-11-21 1290318596 0 4 0 1 10 01 FCD3E0AFA74EE527C61E0D34FAF286F977F50B3B
> [GNUPG:] TRUST_UNDEFINED
> Testing with --batch:
>  ==AB== 
> [GNUPG:] SIG_ID 8Dv9B4/7/rdjgFrLYlRGhj31b3o 2010-11-21 1290318596
> [GNUPG:] GOODSIG FAF286F977F50B3B fake user <f...@example.org>
> [GNUPG:] VALIDSIG FCD3E0AFA74EE527C61E0D34FAF286F977F50B3B 2010-11-21 1290318596 0 4 0 1 10 01 FCD3E0AFA74EE527C61E0D34FAF286F977F50B3B
> [GNUPG:] TRUST_UNDEFINED
> [GNUPG:] BADSIG CCD2ED94D21739E9 Daniel Kahn Gillmor <d...@fifthhorseman.net>
>  ==BA== 
> [GNUPG:] BADSIG CCD2ED94D21739E9 Daniel Kahn Gillmor <d...@fifthhorseman.net>
> 0 d...@pip:~/src/gmimetest/gmimetest$

And if I use a test user that doesn't actually have a copy of D21739E9 in its keyring, then I get feedback from both signatures even in order BA with --batch (I suppose because the keyring can't tell that the signature for D21739E9 is bad).

I see no good reason for --batch to cause gpg to terminate on the first BADSIG it sees, and no documentation justifying this behavior, so it seems like a bug to me.

I tested this with gpg 1.4.11 and 2.0.14 on i386 GNU/Linux systems running the current debian testing (gpg itself from debian's experimental archive).

Regards,

--dkg
#!/bin/bash
# demonstrate-flip: verify the same data against two detached-signature files
# that carry the same two signature packets in opposite order (AB: fake key's
# good sig first; BA: the bad sig first), with and without --batch.

# Temporary files for the two signature bundles and the signed data.
ab=$(mktemp signature.ab.XXXXXXX) || exit 1
ba=$(mktemp signature.ba.XXXXXXX) || exit 1
data=$(mktemp data.XXXXXXX) || exit 1

# The signed data: a minimal MIME part (header, blank line, body).
cat >>"$data" <<EOF
Content-Type: text/plain

this is a test
EOF

# AB: good signature from the fake key, followed by the bad signature.
cat >>"$ab" <<EOF
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iJwEAQEKAAYFAkzoswQACgkQ+vKG+Xf1CzsYYwP8CkBYHc3lX4HUAPdSa4Zkrg8KbZkaLxabNbfW
X7HSx530T6/ItiJLS9kjVcF/gD9U01BsiSSuVGq0ye7a4K4BNpxN2fmbmC1SfABDNaZxh9cW/FDu
B+X8VXCXYwpcGgnxDQKxvRtEEOS6jeyXySaVEKhxpia/hL7VMAOJE7OVzteJAhwEAQEKAAYFAkzo
swQACgkQzNLtlNIXOekYYw/7BqdF1Re5r/XIEuLtI6M2CHX65Pkf6qomkfq/sfX3gCMCwCWnTBxQ
Tv0ywFgeCOI+zNBLgL1VNh/rUcgKFQxAwFh26c28mqMr48eLBAmYbatCPjfwT4Er/yizwPGRKXQ+
903c9wTowNCS0Bk/95LDsMx4c0JuyTUZDXTT0Qf/qcsfhL9OPD0CdPBmA9czDivNPXevCr4RGYoT
xGQVmrlZI2wzCzNYW/SraDtvTVjRUwzCFDNHzZ8u1duO7Qm+08SrNmODHaTjAmzkMJ4S7gDlC151
fKWLUZ3vjWoAlvahPlQbnyzqiah4AY45BjS+GcdAj6GL8dpisWSrwrS943LbNFCnQRncwMDzky9p
h2Jsd9ziurfC0z9YBRKELXx21DGNSP6W5x1DqXSpzcTcM/gL+yvPc0dkkx4DVKg0++Y0/cDo/2/g
Gn4s4AM5iS5gYkj0LFFbCvV44OPEcjfdzgzk5jRQ91yCt9uDDQk2v9pHCvWQG7Dsa0o4k8QLjqb1
G7UBBoFdLIH0ouFgmxOfoynveoO83bVtF3kzFP9VMpzneA021/myT9bva3SMD5UWQLm8bSBHOqen
VSt6ra7IcSdA+5KCOSNHJdkSq+1S2ctr7hsPxciTasMvA6GpMmgSKwUF+exsEMkhonuYU0nBBiey
D1gByBUg+kvSCkxoBlXGi8s=
-----END PGP SIGNATURE-----
EOF

# BA: the same two signature packets, bad signature first.
cat >>"$ba" <<EOF
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCgAGBQJM6LMEAAoJEMzS7ZTSFznpGGMP+wanRdUXua/1yBLi7SOjNgh1+uT5H+qqJpH6
v7H194AjAsAlp0wcUE79MsBYHgjiPszQS4C9VTYf61HIChUMQMBYdunNvJqjK+PHiwQJmG2rQj43
8E+BK/8os8DxkSl0PvdN3PcE6MDQktAZP/eSw7DMeHNCbsk1GQ1009EH/6nLH4S/Tjw9AnTwZgPX
Mw4rzT13rwq+ERmKE8RkFZq5WSNsMwszWFv0q2g7b01Y0VMMwhQzR82fLtXbju0JvtPEqzZjgx2k
4wJs5DCeEu4A5QtedXyli1Gd741qAJb2oT5UG58s6omoeAGOOQY0vhnHQI+hi/HaYrFkq8K0veNy
2zRQp0EZ3MDA85MvaYdibHfc4rq3wtM/WAUShC18dtQxjUj+lucdQ6l0qc3E3DP4C/srz3NHZJMe
A1SoNPvmNP3A6P9v4Bp+LOADOYkuYGJI9CxRWwr1eODjxHI33c4M5OY0UPdcgrfbgw0JNr/aRwr1
kBuw7GtKOJPEC46m9Ru1AQaBXSyB9KLhYJsTn6Mp73qDvN21bRd5MxT/VTKc53gNNtf5sk/W72t0
jA+VFkC5vG0gRzqnp1Ureq2uyHEnQPuSgjkjRyXZEqvtUtnLa+4bD8XIk2rDLwOhqTJoEisFBfns
bBDJIaJ7mFNJwQYnsg9YAcgVIPpL0gpMaAZVxovLiJwEAQEKAAYFAkzoswQACgkQ+vKG+Xf1CzsY
YwP8CkBYHc3lX4HUAPdSa4Zkrg8KbZkaLxabNbfWX7HSx530T6/ItiJLS9kjVcF/gD9U01BsiSSu
VGq0ye7a4K4BNpxN2fmbmC1SfABDNaZxh9cW/FDuB+X8VXCXYwpcGgnxDQKxvRtEEOS6jeyXySaV
EKhxpia/hL7VMAOJE7OVztc=
-----END PGP SIGNATURE-----
EOF

# Machine-readable status lines go to stdout (--status-fd 1); stderr is dropped.
echo "Testing without --batch:"
echo " ==AB== "
gpg --status-fd 1 --quiet --no-tty --verify "$ab" "$data" 2>/dev/null
echo " ==BA== "
gpg --status-fd 1 --quiet --no-tty --verify "$ba" "$data" 2>/dev/null

echo "Testing with --batch:"
echo " ==AB== "
gpg --batch --status-fd 1 --quiet --no-tty --verify "$ab" "$data" 2>/dev/null
echo " ==BA== "
gpg --batch --status-fd 1 --quiet --no-tty --verify "$ba" "$data" 2>/dev/null

rm -f "$data" "$ab" "$ba"
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)

mI0ETOiY+QEEAKSVytin0iJzcrUH99CBhUGfp0OHaYhLADFGRrEtIwxLkicjnuOf
co/cU3NVEdH/w7iZWzHL79dupbBvvOzvG+/h1xXsiBm0wjq5pdS3tH3zn8eRyjHt
8FprjvIAdHjz0kM49FCe3LHB1uktCW9UgwE1/29A5qyLBmcO+ARW74PfABEBAAG0
HGZha2UgdXNlciA8ZmFrZUBleGFtcGxlLm9yZz6IvQQTAQoAJwUCTOiY+QIbAwUJ
AAk6gAULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRD68ob5d/ULOz9BBACdYgGu
76x0BU1njWipxuZnIPIN8SlJbNo6p9YZnK0Y2bEa84DF5zSH1IV7D1vwWYuJWJvB
pQBvoyXK0Xdn8g1EKhLYojr6JHcODmMGbB0QOBB8W2ofyYkix33ZeqCWLC+tvzot
KGGPZahTusrAw4hnvcZjh34DCYIgQLXuDeeCCw==
=Uy4v
-----END PGP PUBLIC KEY BLOCK-----
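A consumer of gpg's --status-fd output, added here as an example (not dkg's code and not part of GnuPG), showing why the behaviour reported above matters to anything that scripts gpg --verify: it groups the status lines into one record per signature and refuses the data when fewer signatures were reported than the caller expected, which is exactly what the truncated BA --batch output looks like. The function names and the expected-signature count are assumptions; the sample lines are constructed from the output quoted in the post.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed from the status lines in the post: the AB run (GOODSIG from the
# fake key, then the BADSIG) and the BA run with --batch, which stopped early.
SAMPLE_AB = [
    "[GNUPG:] SIG_ID 8Dv9B4/7/rdjgFrLYlRGhj31b3o 2010-11-21 1290318596",
    "[GNUPG:] GOODSIG FAF286F977F50B3B fake user <f...@example.org>",
    "[GNUPG:] VALIDSIG FCD3E0AFA74EE527C61E0D34FAF286F977F50B3B 2010-11-21 1290318596 0 4 0 1 10 01 FCD3E0AFA74EE527C61E0D34FAF286F977F50B3B",
    "[GNUPG:] TRUST_UNDEFINED",
    "[GNUPG:] BADSIG CCD2ED94D21739E9 Daniel Kahn Gillmor <d...@fifthhorseman.net>",
]
SAMPLE_BA_BATCH = [
    "[GNUPG:] BADSIG CCD2ED94D21739E9 Daniel Kahn Gillmor <d...@fifthhorseman.net>",
]

@dataclass
class SigResult:
    keyid: str
    status: str                        # GOODSIG, BADSIG or ERRSIG
    fingerprint: Optional[str] = None  # from VALIDSIG (good signatures only)
    trust: Optional[str] = None        # from TRUST_* (good signatures only)

def parse_status(lines: List[str]) -> List[SigResult]:
    """One SigResult per signature gpg reported on: a GOODSIG/BADSIG/ERRSIG line
    opens a record, and the VALIDSIG and TRUST_* lines after it belong to it."""
    results: List[SigResult] = []
    for raw in lines:
        if not raw.startswith("[GNUPG:] "):
            continue
        fields = raw[len("[GNUPG:] "):].split()
        kw, args = fields[0], fields[1:]
        if kw in ("GOODSIG", "BADSIG", "ERRSIG"):
            results.append(SigResult(keyid=args[0], status=kw))
        elif kw == "VALIDSIG" and results:
            results[-1].fingerprint = args[0]
        elif kw.startswith("TRUST_") and results:
            results[-1].trust = kw[len("TRUST_"):]
    return results

def verdict(lines: List[str], expected_sigs: int) -> Tuple[bool, str]:
    """Accept only if every expected signature was reported and all are good;
    fewer records than expected means gpg stopped early (the --batch case)."""
    results = parse_status(lines)
    if len(results) < expected_sigs:
        return False, "only %d of %d signatures reported" % (len(results), expected_sigs)
    bad = [r.keyid for r in results if r.status != "GOODSIG"]
    if bad:
        return False, "bad or unverifiable signature from " + ", ".join(bad)
    return True, "all %d signatures good" % len(results)
```

The expected count has to come from somewhere other than the status stream itself (for example from listing the packets in the signature file beforehand), since a stream that ends after the first BADSIG gives no hint that a second signature was never examined.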
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users