Dear GnuPG team,

According to the documentation for the version I have received from Debian, a script that wishes to check for the success or failure of decryption and/or signature validation done by invoking gpg/gpgv/gpgsm is currently required to set up a "status-fd" and then check the status-fd output for a multitude of situation-specific strings.  Sometimes it is even necessary to check whether the expected signing key is mentioned in specific ways.

This is highly impractical compared to other scripting of POSIX commands.  It would be really nice if a future version of the gnupg suite would provide the result via the process exit code directly, perhaps with some intermediary values indicating various warning conditions such as "valid signature from someone not listed in the command line option that indicates the expected signer".

I know this because I have a script that uses gpgsm to do a pipelined check of a large CMS-signed system log, which is signed by the server to prevent later malicious changes.  gpgsm is used because of its specific support for streamed processing.

Your response to the latest fluff paper about supposed "Downgrade attacks" emphasizes the importance of doing these checks.

Another, related, feature would be the ability to run the gnupg tools in a mode that doesn't talk to any part of the environment, neither the gnupg config dir nor the various helper programs (directory, password prompt etc.), but instead acts predictably based only on the command line options.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
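The status-fd checking described in the message above, worked through as an added example (this is not GnuPG's code and not the poster's script). It reads the status keywords GnuPG documents in doc/DETAILS (GOODSIG, BADSIG, ERRSIG, VALIDSIG, TRUST_*, NO_PUBKEY, DECRYPTION_FAILED, NODATA) and collapses them into the kind of single exit code the message asks for, including the "valid signature, but not from the expected signer" warning value. The exit-code numbering, the trust ranking, the key fingerprints and the sample status streams are this example's own assumptions; the streams are constructed, not captured from a real run.

```python
"""Collapse gpg / gpgv / gpgsm --status-fd output into one script-friendly
exit code.  Added example; not GnuPG's code and not the poster's script.
Status keywords are GnuPG's documented ones; exit codes, trust ranking and
sample streams are assumptions.  A real stream comes from e.g.
    gpgv --status-fd 1 --keyring trusted.kbx logfile.sig logfile >status.txt
"""
from dataclasses import dataclass, field

STATUS_PREFIX = "[GNUPG:] "

# Hypothetical exit codes for the calling script (not codes GnuPG returns).
OK = 0                 # valid signature from an expected key, trust sufficient
FAIL = 1               # bad/unverifiable signature, no signature, decryption failed
UNEXPECTED_SIGNER = 2  # valid signature, but not from any expected key
WEAK = 3               # expected key, but expired/revoked or trust below threshold

TRUST_RANK = {"TRUST_UNDEFINED": 1, "TRUST_MARGINAL": 2,
              "TRUST_FULLY": 3, "TRUST_ULTIMATE": 4}
# Exactly one of these is emitted per signature; VALIDSIG and TRUST_* follow it.
SIG_RESULTS = {"GOODSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "BADSIG", "ERRSIG"}


@dataclass
class Signature:
    result: str                                     # keyword from SIG_RESULTS
    fingerprints: set = field(default_factory=set)  # from VALIDSIG: signing key (+ primary)
    trust: str = ""                                 # TRUST_* keyword, if any


def parse_status(text):
    """Yield (keyword, args) for every '[GNUPG:] ...' line, ignoring the rest."""
    for line in text.splitlines():
        if line.startswith(STATUS_PREFIX):
            parts = line[len(STATUS_PREFIX):].split()
            if parts:
                yield parts[0], parts[1:]


def norm(fpr):
    return fpr.replace(" ", "").upper()


def evaluate(status_text, expected_fprs, min_trust="TRUST_FULLY"):
    """Return (exit_code, reasons).  expected_fprs: fingerprints (primary key or
    signing subkey) the caller accepts.  min_trust=None skips the TRUST_* check,
    for setups where the keyring itself is the trust anchor and no TRUST_* line
    is emitted."""
    expected = {norm(f) for f in expected_fprs}
    sigs, reasons = [], []
    for kw, args in parse_status(status_text):
        if kw in SIG_RESULTS:
            sigs.append(Signature(result=kw))
        elif kw == "VALIDSIG" and sigs:
            # args[0]: signing-key fingerprint; args[9], if present: primary-key fingerprint.
            sigs[-1].fingerprints.add(norm(args[0]))
            if len(args) > 9:
                sigs[-1].fingerprints.add(norm(args[9]))
        elif kw.startswith("TRUST_") and sigs:
            sigs[-1].trust = kw
        elif kw in ("DECRYPTION_FAILED", "NODATA"):
            return FAIL, [kw]
    if not sigs:
        return FAIL, ["no signature status seen"]

    best = None
    for s in sigs:
        if s.result in ("BADSIG", "ERRSIG") or s.trust == "TRUST_NEVER":
            # One bad, unverifiable or explicitly distrusted signature fails the
            # whole input, whatever the other signatures say (conservative policy).
            return FAIL, [f"{s.result} {s.trust}".strip()]
        # Match on VALIDSIG fingerprints only: GOODSIG's user id is attacker-chosen text.
        if not (s.fingerprints & expected):
            code = UNEXPECTED_SIGNER
            reasons.append(f"valid signature from unexpected key {sorted(s.fingerprints)}")
        elif s.result != "GOODSIG":
            code = WEAK                     # EXPSIG / EXPKEYSIG / REVKEYSIG
            reasons.append(s.result)
        elif min_trust and TRUST_RANK.get(s.trust, 0) < TRUST_RANK[min_trust]:
            code = WEAK
            reasons.append(f"{s.trust or 'no TRUST_ line'} below {min_trust}")
        else:
            code = OK
        best = code if best is None else min(best, code)  # one acceptable signature suffices
    return best, reasons


# Constructed sample status streams (assumed fingerprints, not from a real run).
EXPECTED_FPR = "ABCDEF0123456789ABCDEF0123456789ABCDEF01"
OTHER_FPR = "1111111111111111111111111111111111111111"
_VALIDSIG = "[GNUPG:] VALIDSIG {fpr} 2024-01-01 1704067200 0 4 0 1 8 00 {fpr}"
_UID = "Server Log Signer <logs@example.invalid>"
GOOD = "\n".join(["[GNUPG:] NEWSIG", f"[GNUPG:] GOODSIG ABCDEF0123456789 {_UID}",
                  _VALIDSIG.format(fpr=EXPECTED_FPR), "[GNUPG:] TRUST_FULLY 0 pgp"])
BAD = f"[GNUPG:] NEWSIG\n[GNUPG:] BADSIG ABCDEF0123456789 {_UID}"
# Same user-id text as GOOD but a different key: only the fingerprint tells them apart.
IMPOSTOR = "\n".join(["[GNUPG:] NEWSIG", f"[GNUPG:] GOODSIG 1111111111111111 {_UID}",
                      _VALIDSIG.format(fpr=OTHER_FPR), "[GNUPG:] TRUST_ULTIMATE 0 pgp"])
UNKNOWN_KEY = "\n".join(["[GNUPG:] NEWSIG",
                         f"[GNUPG:] ERRSIG 1111111111111111 1 8 00 1704067200 9 {OTHER_FPR}",
                         "[GNUPG:] NO_PUBKEY 1111111111111111"])
LOW_TRUST = GOOD.replace("TRUST_FULLY", "TRUST_UNDEFINED")
UNSIGNED = "[GNUPG:] NODATA 3"

if __name__ == "__main__":
    for name in ("GOOD", "BAD", "IMPOSTOR", "UNKNOWN_KEY", "LOW_TRUST", "UNSIGNED"):
        code, why = evaluate(globals()[name], [EXPECTED_FPR])
        print(f"{name:12s} exit={code} {why}")
```

The IMPOSTOR stream is the case the message's "expected signer" option would have to cover: GOODSIG and the user id look identical to the genuine stream, and only the VALIDSIG fingerprint separates them, which is why the script compares fingerprints and never the user-id text.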