Dear GnuPG team,
According to the documentation for the version I have received from
Debian, scripts that wish to check for success failure of decryption
and/or signature validation done by invocation of gpg/gpgv/gpgsm, the
script is currently required to set up a "status-fd", then check the
status-fd output for a multitude of situation specific strings.
Sometimes it is even necessary to check if the expected signing key is
mentioned in specific ways.
This is highly impractical compared to other scripting of POSIX
commands. It would be really nice if a future version of the gnupg
suite would provide the result via the process exit code directly,
perhaps with some intermediary values indicating various warning
conditions such as "valid signature from someone not listed in command
line option to indicate expected signer" .
I know this because I have a script that uses gpgsm to do pipelined
check of a large CMS signed system log, which is signed by the server to
prevent later malicious changes. gpgsm is used because of its specific
support for streamed processing.
Your response to the latest fluff paper about supposed "Downgrade
attacks" emphasizes the importance of doing these checks.
Another, related, feature would be the ability to run the gnupg tools in
a mode that doesn't talk to any part of the environment, neither the
gnupg config dir, nor the various helper programs (directory, password
prompt etc.), but instead acts predicatably based only on the command
line options.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
