Today's Topics:
1. Re: Are there cases where gpg --verify will exit 0, even if
verification failed? (Sandeep Murthy)
2. Re: Are there cases where gpg --verify will exit 0, even if
verification failed? (Daniel Kahn Gillmor)
3. Re: Are there cases where gpg --verify will exit 0, even if
verification failed? (Kristian Fiskerstrand)
4. Re: Are there cases where gpg --verify will exit 0, even if
verification failed? (Sandeep Murthy)
5. Re: Are there cases where gpg --verify will exit 0, even if
verification failed? (Werner Koch)
6. Re: Are there cases where gpg --verify will exit 0, even if
verification failed? (Patrick Schleizer)
7. Is there a shell script or bash library for parsing gpg's
--status-fd output? (Patrick Schleizer)
8. Re: Vanity Keys (Johan Wevers)
9. Re: Are there cases where gpg --verify will exit 0, even if
verification failed? (Werner Koch)
10. Specifying passphrase for batch key generation (Joey Castillo)
----------------------------------------------------------------------
Message: 1
Date: Wed, 14 Jan 2015 13:22:45 +0000
From: Sandeep Murthy <s.mur...@mykolab.com>
To: gnupg-users@gnupg.org
Subject: Re: Are there cases where gpg --verify will exit 0, even if
verification failed?
Message-ID: <3b2d48c6-89bd-452e-b7c5-fed144e13...@mykolab.com>
Content-Type: text/plain; charset="utf-8"
Are there cases where gpg --verify will exit 0, even if verification
failed?
Verification could fail internally within the gpg program, or externally
because the signature file does not exist or is incorrectly named or maybe
corrupt, e.g.
[srm@~]$ gpg --verify asig.sig; echo $?
gpg: can't open `asig.sig': No such file or directory
gpg: verify signatures failed: No such file or directory
2
Exit codes in shells indicate problems relating to completion or disruption
of the child process invoked by a parent process.
They will not record unsuccessful events inside the child process
related to program functions, i.e. if you are inside gpg editing a key
and enter an incorrect subcommand or use it incorrectly then this will
not affect the exit code, I don't think.
Sandeep Murthy
s.mur...@mykolab.com
On 14 Jan 2015, at 07:51, Dave Pawson <dave.paw...@gmail.com> wrote:
> In Unix terms, a program that has run successfully to completion
> exits with status zero, no 'extra' semantic attached?
> Dave
> On 13 January 2015 at 19:03, Patrick Schleizer
> <patrick-mailingli...@whonix.org> wrote:
>> In another thread...
>> Werner Koch
>>> On Mon, 12 Jan 2015 19:52, patrick-
>>>> When it exits 0, then this approach is sound, sane and fine?
>>> You better check the status lines; in particular watch out for
>>> [GNUPG:] VALIDSIG E4B868C8F90C.....
>>> or use gpgv.
>> Are there cases where gpg --verify will exit 0, even if verification
>> failed?
>> (Suppose one uses a separate --homedir where only legitimate signing
>> keys are imported.)
> --
> Dave Pawson
> XSLT XSL-FO FAQ.
> Docbook FAQ.
> http://www.dpawson.co.uk
------------------------------
Message: 2
Date: Wed, 14 Jan 2015 08:40:23 -0500
From: Daniel Kahn Gillmor <d...@fifthhorseman.net>
To: Sandeep Murthy <s.mur...@mykolab.com>, gnupg-users@gnupg.org
Subject: Re: Are there cases where gpg --verify will exit 0, even if
verification failed?
Message-ID: <878uh55vlk....@alice.fifthhorseman.net>
Content-Type: text/plain; charset=utf-8
On Wed 2015-01-14 08:22:45 -0500, Sandeep Murthy wrote:
> Exit codes in shells indicate problems relating to completion or
> disruption of the child process invoked by a parent process.
> They will not record unsuccessful events inside the child process
> related to program functions, i.e. if you are inside gpg editing a key
> and enter an incorrect subcommand or use it incorrectly then this will
> not affect the exit code, I don't think.
This is not the case. All processes have a return code, whether they
are invoked by a shell or by other processes. The return code is a
critical part of the output of a program.
gpg does use the return code to indicate failure of signature
verification.
Consider the results of:
    echo test1 > test1.txt
    echo test2 > test2.txt
    gpg --detach-sign --armor test1.txt
    gpg --verify test1.txt.asc test1.txt
    gpg --verify test1.txt.asc test2.txt
The return value of the first --verify should be 0, but the second
--verify invocation should return 1, indicating that the signature
cannot be verified over the (different) contents of test2.txt.
--dkg
------------------------------
Message: 3
Date: Wed, 14 Jan 2015 15:06:53 +0100
From: Kristian Fiskerstrand
<kristian.fiskerstr...@sumptuouscapital.com>
To: Daniel Kahn Gillmor <d...@fifthhorseman.net>, Sandeep Murthy
<s.mur...@mykolab.com>, gnupg-users@gnupg.org
Subject: Re: Are there cases where gpg --verify will exit 0, even if
verification failed?
Message-ID: <54b677fd.8090...@sumptuouscapital.com>
Content-Type: text/plain; charset=utf-8
On 01/14/2015 02:40 PM, Daniel Kahn Gillmor wrote:
> On Wed 2015-01-14 08:22:45 -0500, Sandeep Murthy wrote:
>> Exit codes in shells indicate problems relating to completion or
>> disruption of the child process invoked by a parent process.
> ...
> the return value of the first --verify should be 0, but the second
> --verify invocation should return 1, indicating that the signature
> cannot be verified over the (different) contents of test2.txt
But iirc you will anyways have to check the status-fd for the validity
of the issuing key.
--
----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"A government that robs Peter to pay Paul can always depend on the
support of Paul."
(George Bernard Shaw)
------------------------------
Message: 4
Date: Wed, 14 Jan 2015 15:31:43 +0000
From: Sandeep Murthy <s.mur...@mykolab.com>
To: gnupg-users@gnupg.org
Subject: Re: Are there cases where gpg --verify will exit 0, even if
verification failed?
Message-ID: <d214c3e8-f22e-416b-9c86-50aab7be7...@mykolab.com>
Content-Type: text/plain; charset=utf-8
I know that all processes have an exit code; what I meant was that
if you invoke gpg interactively like gpg --edit-key <key ID / email>
and then execute a wrong subcommand or specify something incorrectly,
then the gpg exit code will not reflect this unless the subcommand
launches another process.
Sandeep Murthy
s.mur...@mykolab.com
On 14 Jan 2015, at 13:40, Daniel Kahn Gillmor <d...@fifthhorseman.net>
wrote:
> On Wed 2015-01-14 08:22:45 -0500, Sandeep Murthy wrote:
>> Exit codes in shells indicate problems relating to completion or
>> disruption of the child process invoked by a parent process.
>> They will not record unsuccessful events inside the child process
>> related to program functions, i.e. if you are inside gpg editing a key
>> and enter an incorrect subcommand or use it incorrectly then this
>> will not affect the exit code, I don't think.
> This is not the case. All processes have a return code, whether they
> are invoked by a shell or by other processes. The return code is a
> critical part of the output of a program.
> gpg does use the return code to indicate failure of signature
> verification.
> Consider the results of:
>     echo test1 > test1.txt
>     echo test2 > test2.txt
>     gpg --detach-sign --armor test1.txt
>     gpg --verify test1.txt.asc test1.txt
>     gpg --verify test1.txt.asc test2.txt
> The return value of the first --verify should be 0, but the second
> --verify invocation should return 1, indicating that the signature
> cannot be verified over the (different) contents of test2.txt.
> --dkg
------------------------------
Message: 5
Date: Wed, 14 Jan 2015 17:18:19 +0100
From: Werner Koch <w...@gnupg.org>
To: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Cc: gnupg-users@gnupg.org
Subject: Re: Are there cases where gpg --verify will exit 0, even if
verification failed?
Message-ID: <87wq4p2v5g....@vigenere.g10code.de>
Content-Type: text/plain; charset=us-ascii
On Wed, 14 Jan 2015 14:40, d...@fifthhorseman.net said:
> gpg does use the return code to indicate failure of signature
> verification.
But recall that success does not mean that the signature is good.
Check the status output or use gpgv.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
------------------------------
Message: 6
Date: Wed, 14 Jan 2015 16:40:34 +0000
From: Patrick Schleizer <patrick-mailingli...@whonix.org>
To: gnupg-users@gnupg.org
Subject: Re: Are there cases where gpg --verify will exit 0, even if
verification failed?
Message-ID: <54b69c02.5050...@whonix.org>
Content-Type: text/plain; charset=windows-1252
Werner Koch:
> On Wed, 14 Jan 2015 14:40, d...@fifthhorseman.net said:
>> gpg does use the return code to indicate failure of signature
>> verification.
> But recall that success does not mean that the signature is good.
> Check the status output or use gpgv.
Do you mean, for example, the signature could be valid, but the key that
signed it could be revoked and gpg would still exit 0?
Or can you tell another example please where gpg would exit 0, but
where the signature is bad?
------------------------------
Message: 7
Date: Wed, 14 Jan 2015 16:44:47 +0000
From: Patrick Schleizer <patrick-mailingli...@whonix.org>
To: gnupg-users@gnupg.org
Subject: Is there a shell script or bash library for parsing gpg's
--status-fd output?
Message-ID: <54b69cff.5080...@whonix.org>
Content-Type: text/plain; charset=utf-8
Hi!
Is there a shell script or bash library for parsing gpg's --status-fd
output?
I mean, I could code it myself. But why duplicate effort and risk
messing up. Maybe there is some existing or even recommended or even
official library to do this?
(What I mean by parsing is: to get from lines such as "[GNUPG:] GOODSIG
416..." to variables such as goodsig=true, fingerprint=416... and so
forth.)
Cheers,
Patrick
------------------------------
Message: 8
Date: Wed, 14 Jan 2015 19:23:48 +0100
From: Johan Wevers <joh...@vulcan.xs4all.nl>
To: gnupg-users@gnupg.org
Subject: Re: Vanity Keys
Message-ID: <54b6b434.6050...@vulcan.xs4all.nl>
Content-Type: text/plain; charset=ISO-8859-1
On 13-01-2015 21:38, Werner Koch wrote:
> Well, we could also change the code
> to trial verify with all key ids but that takes longer than needed and
> may by itself be used as a DoS.
You don't need to test all key IDs - just those with the same key ID.
Assuming this is a rare occasion and someone's keyring is not flooded
with keys with the same ID (in that case you are probably under some
kind of attack and might investigate), you can even detect and store
this condition somewhere when importing the key and check this
probably very short list of key IDs that appear multiple times.
I wonder what this would do with the keyserver network. They probably
need adapting too.
--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
------------------------------
Message: 9
Date: Wed, 14 Jan 2015 21:15:54 +0100
From: Werner Koch <w...@gnupg.org>
To: Patrick Schleizer <patrick-mailingli...@whonix.org>
Cc: gnupg-users@gnupg.org
Subject: Re: Are there cases where gpg --verify will exit 0, even if
verification failed?
Message-ID: <87a91l2k5h....@vigenere.g10code.de>
Content-Type: text/plain; charset=us-ascii
On Wed, 14 Jan 2015 17:40, patrick-mailingli...@whonix.org said:
> Do you mean, for example, the signature could be valid, but the key
> that signed it could be revoked and gpg would still exit 0?
Sure. It is just too complex to put it into one number. Consider the
case of multiple signatures - who is going to decide whether the
signature is valid? This has all been discussed about 15 years ago
with the result of writing the gpgv binary, which is suitable for most
automated signature verification use cases.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
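The status-fd parsing Patrick asks for in message 7, applied to the case Werner confirms here (a revoked signing key still giving exit 0): an added POSIX sh example that is not from the thread or from GnuPG itself. The status lines, key ID, fingerprint and timestamp are constructed placeholders, and the `--status-fd` keywords follow GnuPG's documented `[GNUPG:]` format; the VALIDSIG fingerprint is compared against an allowlist so that GOODSIG alone is never enough.

```shell
#!/bin/sh
# Constructed sample --status-fd output (not captured from a real gpg run);
# the key ID and fingerprint are placeholders.
TRUSTED_FPR=AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF
GOOD_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG $TRUSTED_FPR 2015-01-14 1421241765 0 4 0 1 10 00 $TRUSTED_FPR
[GNUPG:] TRUST_FULLY 0 pgp"
# Revoked signing key: gpg emits REVKEYSIG instead of GOODSIG but still a
# VALIDSIG, and the exit code alone does not flag it.
REVOKED_STATUS="[GNUPG:] NEWSIG
[GNUPG:] REVKEYSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG $TRUSTED_FPR 2015-01-14 1421241765 0 4 0 1 10 00 $TRUSTED_FPR"
BAD_STATUS="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>"

# check_status TRUSTED_FPR   (status lines on stdin)
# Succeeds only if exactly one signature verdict was seen, it is GOODSIG
# (not BADSIG/ERRSIG/REVKEYSIG/EXPKEYSIG/EXPSIG), and VALIDSIG names the
# trusted primary-key fingerprint.
check_status() {
    trusted=$1
    verdicts=0 good=0 valid=0
    while IFS=' ' read -r prefix keyword rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue   # skip non-status output
        case $keyword in
            GOODSIG) verdicts=$((verdicts + 1)); good=1 ;;
            BADSIG|ERRSIG|REVKEYSIG|EXPKEYSIG|EXPSIG) verdicts=$((verdicts + 1)) ;;
            VALIDSIG)
                # fields: fpr date ts expire ver reserved pkalgo hashalgo class primary-fpr
                set -- $rest
                if [ "${10:-$1}" = "$trusted" ]; then valid=1; fi ;;
        esac
    done
    [ "$verdicts" -eq 1 ] && [ "$good" -eq 1 ] && [ "$valid" -eq 1 ]
}

report() {   # report LABEL STATUS_TEXT
    if printf '%s\n' "$2" | check_status "$TRUSTED_FPR"; then
        echo "$1: accept"
    else
        echo "$1: reject"
    fi
}
report good    "$GOOD_STATUS"     # accept
report revoked "$REVOKED_STATUS"  # reject
report bad     "$BAD_STATUS"      # reject
```

In a real pipeline the stdin of `check_status` would be the file written by `gpg --verify --status-fd 3 ... 3>status.txt` (or gpgv's equivalent), and the exit code of gpg is checked in addition to, not instead of, this verdict.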
------------------------------
Message: 10
Date: Wed, 14 Jan 2015 15:59:51 -0500
From: Joey Castillo <jose.casti...@gmail.com>
To: gnupg-users@gnupg.org
Subject: Specifying passphrase for batch key generation
Message-ID:
<CAAocvpu_1oe9Rpu-kNmpdDskg9VgOi-sY=2yvphvujuu_my...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Reading the manual for batch GPG key generation in GnuPG 2.1, I see
the following note:
> Since GnuPG version 2.1 it is not anymore possible to specify a
> passphrase for unattended key generation. The passphrase command is
> simply ignored and "%ask-passphrase" is thus implicitly enabled.
I'm running into an issue now with a module I was using to generate
keys in a Python script (python-gnupg). Its method was to generate a
set of parameters, including the passphrase parameter, and pass that
via stdin to gpg --batch --gen-key.
Now that we cannot specify a passphrase in the batch parameters, what
is the preferred method for batch key generation with a specified
passphrase?
------------------------------
Subject: Digest Footer
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
------------------------------
End of Gnupg-users Digest, Vol 136, Issue 23
********************************************