Hi!

On Tue, 27 Aug 2024 17:37, Jakob Bohm said:

> status-fd output for a multitude of situation specific strings.
> Sometimes it is even necessary to check if the expected signing key is
> mentioned in specific ways.

Right. That is because there are a lot of use cases for signatures which require different handling depending on the signature (e.g. time created) and meta data from the key. For OpenPGP we wrote gpgv to handle one common task, which was originally Debian package signing. Only recently we added --assert-signer to gpg, which actually can replace gpgv. The plan is to add a few other --assert options, for example to check the time the signature was made.

> I know this because I have a script that uses gpgsm to do pipelined
> check of a large CMS signed system log, which is signed by the server
> to prevent later malicious changes. gpgsm is used because of its
> specific support for streamed processing.

Cool. I didn't expect that someone really has this use case. But it makes sense. See T7286: Add --assert-signer also to gpgsm.

> Another, related, feature would be the ability to run the gnupg tools
> in a mode that doesn't talk to any part of the environment, neither
> the gnupg config dir, nor the various helper programs (directory,
> password prompt etc.), but instead acts predictably based only on the
> command line options.

That is too hard to implement. We have keys, trust models, ownertrust, and compliance modes, which is quite some data. For this it is better to use a separate GNUPGHOME.

The --assert-signer requires a fingerprint or the list of fingerprints and thus the import of the to-be-tested keys prior to running a verification. It might be possible to combine the import and the verification and even make the imported keys ephemeral so that they don't clutter the keyring. However, some file system write access will be required unless we can find a way to keep the keys in a memory only database. A RAM based file system and ephemeral storage of keys would be an easier solution.
Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
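The two techniques the exchange above turns on, checking the expected signer in --status-fd output and verifying inside a separate, throw-away GNUPGHOME, as an added example that is not code from the thread or from GnuPG. The status lines and the 40-digit fingerprints are constructed placeholders; `check_status` runs offline, `verify_with_gpg` assumes a gpg binary on PATH.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Status lines follow the
# documented "[GNUPG:] KEYWORD ..." format; keys and fingerprints are fake.

# Fingerprint of the key we insist on (placeholder, 40 hex digits).
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed --status-fd output: one good signature from the expected key.
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Log Server <log@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-08-27 1724773020 0 4 0 22 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# Constructed output: cryptographically good, but signed by a different key.
OTHER_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <else@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-08-27 1724773020 0 4 0 22 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# check_status STATUS_TEXT EXPECTED_FPR
# Succeeds only if at least one VALIDSIG names the expected key and no
# signature was bad, erroneous, expired, revoked or from another key.
check_status() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" ||
        $2 == "REVKEYSIG" || $2 == "EXPSIG" { bad++ }
        $2 == "VALIDSIG" {
            # Field 12 is the primary-key fingerprint (field 3 may be a
            # subkey); older gpg versions omit it, so fall back to field 3.
            fpr = ($12 != "") ? $12 : $3
            if (toupper(fpr) == toupper(want)) ok++; else wrong++
        }
        END { exit !(ok >= 1 && wrong == 0 && bad == 0) }'
}

# verify_with_gpg SIGFILE DATAFILE KEYFILE
# The separate-GNUPGHOME approach from the reply: import the expected key
# into a fresh temporary home, verify there, then discard the whole home so
# nothing clutters the real keyring. Requires gpg to be installed.
verify_with_gpg() {
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    gpg --homedir "$home" --batch --quiet --import "$3" 2>/dev/null
    status=$(gpg --homedir "$home" --batch --status-fd 1 \
                 --verify "$1" "$2" 2>/dev/null)
    rm -rf "$home"
    check_status "$status" "$EXPECTED_FPR"
}
```

`check_status` pins the signer by fingerprint, so it does not depend on the trust database of the temporary home, which is exactly why the key can be ephemeral.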
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users