On 2024-09-13 16:42, Werner Koch wrote:
Hi!

GnuPG 2.5.1 has the option --assert-signer and 2.4.6 will have this
option as well:

    --assert-signer fpr_or_file
      This option checks whether at least one valid signature on a file
      has been made with the specified key.  The key is either specified
      as a fingerprint or a file listing fingerprints.  The fingerprint
      must be given or listed in compact format (no colons or spaces in
      between).  As of now only SHA-1 fingerprints are allowed.  This
      option can be given multiple times and each fingerprint is checked
      against the signing key as well as the corresponding primary key.
      If fpr_or_file specifies a file, empty lines are ignored as well as
      all lines starting with a hash sign.  With this option gpgsm is
      guaranteed to return with an exit code of 0 if and only if a
      signature has been encountered, is valid, and the key matches one
      of the fingerprints given by this option.


Tracked as https://dev.gnupg.org/T7286

Hope that helps a bit.



This is a very partial solution, and only for bleeding edge Gnupg.  It
might be usable when combined with scripting that identifies the hash of
the DER certificate expected, but still at the (security, stability and
performance) cost of still invoking Ægyptian bureaucracy of GPG specific
versions of the overall X.509 infrastructure in the OS (typically based
on derivatives of old SSLeay code or Microsoft CryptoAPI 1.x).


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
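The option quoted above, exercised end to end as an added example; this is not code from the thread or from the GnuPG project. Werner's excerpt is from the gpgsm manual; gpg, the OpenPGP front end, has an --assert-signer option with the same fingerprint semantics (2.4 series), and the script uses gpg because a throwaway OpenPGP key is one command to make, whereas gpgsm needs an X.509 certificate. It assumes such a gpg is on PATH (it checks and prints a notice otherwise), and the user ID, signed file, fingerprint file and the "wrong" fingerprint are all constructed for the demo inside a temporary GNUPGHOME.

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuPG: exercise
# --assert-signer end to end inside a throwaway keyring.
# Assumptions: a gpg that knows --assert-signer (2.4 series or later) is on
# PATH; the user ID and file contents below are constructed for the demo.
set -eu

# Scratch GNUPGHOME so nothing touches the caller's real keyring or agent.
ASSERT_HOME="$(mktemp -d)"
export GNUPGHOME="$ASSERT_HOME"
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill all >/dev/null 2>&1 || true; rm -rf "$ASSERT_HOME"' EXIT

DOC="$GNUPGHOME/artifact.txt"
SIG="$DOC.sig"
SIGNERS_FILE="$GNUPGHOME/signers.txt"
# A syntactically valid but unrelated 40-hex SHA-1 fingerprint (constructed).
WRONG_FPR="0123456789ABCDEF0123456789ABCDEF01234567"
PRIMARY_FPR=""
SUB_FPR=""

# 0 if this gpg build lists --assert-signer among its options, 1 otherwise.
has_assert_signer() {
    gpg --dump-options 2>/dev/null | grep -qx -- '--assert-signer'
}

# Create an unprotected primary key plus a separate signing subkey, sign a
# file with the subkey only, and record both fingerprints in compact form.
setup_signer() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Release Signer <release@example.invalid>' ed25519 sign never
    PRIMARY_FPR="$(gpg --batch --with-colons --list-keys release@example.invalid \
        | awk -F: '$1 == "fpr" { print $10; exit }')"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$PRIMARY_FPR" ed25519 sign never
    # In colon output the subkey's fpr record is the second fpr record.
    SUB_FPR="$(gpg --batch --with-colons --list-keys release@example.invalid \
        | awk -F: '$1 == "fpr" { n++; if (n == 2) { print $10; exit } }')"
    printf 'release artifact v1\n' > "$DOC"
    # The trailing "!" forces gpg to sign with exactly that subkey.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --local-user "${SUB_FPR}!" --detach-sign --output "$SIG" "$DOC"
    # Fingerprint file: blank lines and "#" comment lines are ignored by gpg.
    printf '# allowed release signers\n\n%s\n' "$PRIMARY_FPR" > "$SIGNERS_FILE"
}

# Exit status of gpg --assert-signer for one fingerprint or fingerprint file:
# 0 only when the signature is valid AND the signing key or its primary key
# matches; any other outcome is non-zero.
verify_with() {
    gpg --batch --quiet --assert-signer "$1" --verify "$SIG" "$DOC" >/dev/null 2>&1
}

if has_assert_signer; then
    setup_signer
    printf 'primary %s\nsubkey  %s\n' "$PRIMARY_FPR" "$SUB_FPR"
    for candidate in "$PRIMARY_FPR" "$SUB_FPR" "$SIGNERS_FILE" "$WRONG_FPR"; do
        if verify_with "$candidate"; then
            echo "accepted: $candidate"
        else
            echo "rejected: $candidate"
        fi
    done
else
    echo "this gpg does not know --assert-signer; nothing to demonstrate" >&2
fi
```

The signature is made with the subkey, yet asserting on the primary fingerprint also succeeds, which is the "signing key as well as the corresponding primary key" rule from the manual text. The last candidate is the point of the option: without --assert-signer the same --verify returns 0 for a valid signature from any key in the keyring, so a script must test gpg's exit status with the option set rather than parse its output.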