Hi! On Thu, 14 Dec 2023 16:19, Jakob Bohm said:
> zcat ${infl} |
> faketime "${DSTAMP}" gpgsm --verify --validation-model shell
> --assume-binary --status-fd 3 --output - - 3>${wrkdir}/sigdec.status
> || :
> gpgsm: ksba_cms_parse failed: Broken pipe

gpgsm expects more data but zcat already sent its EOF.  This might be
due to a broken ASN.1 structure which announced N bytes but gpgsm was
not able to read these N bytes.  CMS chunks up the data so that you can
have a very long stream of data.  (I have sometimes seen chunks of just
one byte.)  Is that the error message you meant, or did you see more?
Adding --verbose is often very helpful.

> Message on status-fd (copied to stderr by cat command)
>
> [GNUPG:] ERROR verify.leave 32877

This is the machine interface, which you rightfully parse.

$ gpg-error 32877
32877 = (0, 32877) = (GPG_ERR_SOURCE_UNKNOWN, GPG_ERR_EPIPE) = (Unspecified source, Broken pipe)

verify.leave helps us to locate the place where the error was emitted:
here it is at the end of the gpgsm_verify function, but unfortunately we
can't get the offset of the input data where it stopped parsing.  You
may use "--debug hashing" to write a file with the data hashed (i.e.
what is verified).  That gives an indication where in the stream the
error occurred.  Another useful tool is the venerable dumpasn1 tool,
which you could use instead of gpgsm to find errors in the input data
structure.

> Which of the inputs was being truncated on the way to that
> parsing function?

The decompressed $infl .

> It would be much easier if the gpgsm code could be used standalone
> like the old gpg1 could, with no entanglement to pinentry, dirmgr

Yeah.  But for security reasons we have separated tasks in a way similar
to what postfix does.

> status-fd protocol etc. etc. scripted signing and verification of
> computer generated data is not suited to a human-centric user

Right, it is a machine interface.  For gpg we have the extra tool gpgv
to make verification against a known set of keys easy.  And recently we
added --assert-signer, which basically does the same.  There has never
been a demand to have a dedicated verification tool for CMS, but I can
imagine adding a --assert-signer to gpgsm as well.

Your use of faketime is interesting ;-)

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
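As an added example (not code from this thread, from GnuPG or from libgpg-error), here is a small Python helper that does in a script what Werner does by hand above: it picks the ERROR records out of a status-fd capture such as ${wrkdir}/sigdec.status, splits the gpg-error number into its source and code parts and prints it in the same shape as the gpg-error tool, and applies a conservative acceptance rule for scripted verification. Assumptions: the gpg_error_t bit layout (error code in the low 16 bits, source in bits 24..30, errno-derived codes at 32768 and above) follows the libgpg-error header; the two lookup tables contain only the values that appear in the thread (32877 = GPG_ERR_EPIPE, source 0 = GPG_ERR_SOURCE_UNKNOWN) and would be extended from gpg-error.h; the status keywords checked in verification_ok() are the ones documented in GnuPG's doc/DETAILS; both status transcripts at the bottom are constructed, with made-up fingerprints and timestamps.

```python
"""Parse GnuPG/gpgsm status-fd output and decode gpg-error numbers.

Added example, not GnuPG or libgpg-error code.  Bit layout of gpg_error_t
and the keyword names are assumptions taken from gpg-error.h and
doc/DETAILS; the lookup tables only hold the values seen in the thread.
"""

GPG_ERR_CODE_MASK = (1 << 16) - 1      # low 16 bits: error code
GPG_ERR_SOURCE_SHIFT = 24              # bits 24..30: error source
GPG_ERR_SOURCE_MASK = (1 << 7) - 1
GPG_ERR_SYSTEM_ERROR = 1 << 15         # 32768: codes >= this are mapped errno values

# (symbol, description); only the values quoted in the thread, extend as needed
ERROR_CODES = {
    0: ("GPG_ERR_NO_ERROR", "Success"),
    32877: ("GPG_ERR_EPIPE", "Broken pipe"),
}
ERROR_SOURCES = {
    0: ("GPG_ERR_SOURCE_UNKNOWN", "Unspecified source"),
}


def decode_gpg_error(err):
    """Split a gpg_error_t value into its source and code parts."""
    code = err & GPG_ERR_CODE_MASK
    source = (err >> GPG_ERR_SOURCE_SHIFT) & GPG_ERR_SOURCE_MASK
    code_sym, code_desc = ERROR_CODES.get(
        code, ("GPG_ERR_CODE_%d" % code, "Unknown error code %d" % code))
    src_sym, src_desc = ERROR_SOURCES.get(
        source, ("GPG_ERR_SOURCE_%d" % source, "Unknown source %d" % source))
    return {
        "source": source, "source_symbol": src_sym, "source_desc": src_desc,
        "code": code, "code_symbol": code_sym, "code_desc": code_desc,
        "system_error": code >= GPG_ERR_SYSTEM_ERROR,  # errno-derived, e.g. EPIPE
    }


def format_gpg_error(err):
    """Render like the gpg-error command-line tool does."""
    d = decode_gpg_error(err)
    return "%d = (%d, %d) = (%s, %s) = (%s, %s)" % (
        err, d["source"], d["code"], d["source_symbol"], d["code_symbol"],
        d["source_desc"], d["code_desc"])


def parse_status_fd(text):
    """Return [(keyword, [args]), ...] for every '[GNUPG:] ...' line.

    Anything else (stderr noise copied into the same stream) is ignored."""
    records = []
    for line in text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line[len("[GNUPG:] "):].split()
        if fields:
            records.append((fields[0], fields[1:]))
    return records


def status_errors(text):
    """Return [(error_location, gpg_error_number), ...] from ERROR lines."""
    found = []
    for keyword, args in parse_status_fd(text):
        if keyword == "ERROR" and len(args) >= 2 and args[1].isdigit():
            found.append((args[0], int(args[1])))
    return found


def verification_ok(text):
    """Conservative rule for scripts: a VALIDSIG from a fully or ultimately
    trusted signer, and no BADSIG, ERRSIG or ERROR anywhere in the run."""
    keywords = [kw for kw, _ in parse_status_fd(text)]
    if any(kw in ("BADSIG", "ERRSIG", "ERROR") for kw in keywords):
        return False
    if "VALIDSIG" not in keywords:
        return False
    return any(kw in ("TRUST_FULLY", "TRUST_ULTIMATE") for kw in keywords)


# Constructed transcript, modelled on the lines quoted in the thread.
FAILED_RUN = """\
gpgsm: ksba_cms_parse failed: Broken pipe
[GNUPG:] ERROR verify.leave 32877
"""

# Constructed transcript of a good run; fingerprint and timestamps are made up.
GOOD_RUN = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF /CN=example signer
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2023-12-14 1702567140
[GNUPG:] TRUST_FULLY
"""

if __name__ == "__main__":
    for location, errnum in status_errors(FAILED_RUN):
        print("%s: %s" % (location, format_gpg_error(errnum)))
    print("failed run accepted:", verification_ok(FAILED_RUN))
    print("good run accepted:", verification_ok(GOOD_RUN))
```

The important design choice is that any ERROR record rejects the run outright: a stream that ends in EPIPE before the CMS structure was fully parsed must never be treated as verified just because no BADSIG was printed.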