Hi Peter,

On Thursday 17 June 2010, Peter Palfrader wrote:
> | wea...@intrepid:~/tmp$ wget -nv http://snapshot.debian.org/archive/debian-volatile/20090903T013716Z/dists/etch/volatile/Release{.gpg,}
> | 2010-06-17 20:09:56 URL:http://snapshot.debian.org/archive/debian-volatile/20090903T013716Z/dists/etch/volatile/Release.gpg [189/189] -> "Release.gpg" [1]
> | 2010-06-17 20:09:57 URL:http://snapshot.debian.org/archive/debian-volatile/20090903T013716Z/dists/etch/volatile/Release [40688/40688] -> "Release" [1]
> | FINISHED --2010-06-17 20:09:57--
> | Downloaded: 2 files, 40K in 0s (76139 GB/s)
> | wea...@intrepid:~/tmp$ mkdir gnupghome
> | wea...@intrepid:~/tmp$ export GNUPGHOME=gnupghome
> | wea...@intrepid:~/tmp$ chmod go-rwx gnupghome
> | wea...@intrepid:~/tmp$ gpg
> | gpg: keyring `gnupghome/secring.gpg' created
> | gpg: keyring `gnupghome/pubring.gpg' created
> | gpg: Go ahead and type your message ...
> | ^C
> | gpg: Interrupt caught ... exiting
> |
> | wea...@intrepid:~/tmp$ gpg --keyserver keys.gnupg.net --recv BBE55AB3
> | gpg: requesting key BBE55AB3 from hkp server keys.gnupg.net
> | gpg: gnupghome/trustdb.gpg: trustdb created
> | gpg: key BBE55AB3: public key "Debian-Volatile Archive Automatic Signing Key (4.0/etch)" imported
> | gpg: no ultimately trusted keys found
> | gpg: Total number processed: 1
> | gpg:               imported: 1
> | wea...@intrepid:~/tmp$
> | wea...@intrepid:~/tmp$ gpg --list-key BBE55AB3
> | pub   1024D/BBE55AB3 2007-03-31 [expired: 2010-03-30]
> | uid                  Debian-Volatile Archive Automatic Signing Key (4.0/etch)
> |
> | wea...@intrepid:~/tmp$ cp gnupghome/pubring.gpg gnupghome/trustedkeys.gpg
> | wea...@intrepid:~/tmp$
> | wea...@intrepid:~/tmp$
> | wea...@intrepid:~/tmp$ gpg --status-fd 2 --verify Release.gpg Release
> | gpg: Signature made Thu Sep  3 03:35:17 2009 CEST using DSA key ID BBE55AB3
> | [GNUPG:] KEYEXPIRED 1269969909
> | [GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
> | [GNUPG:] KEYEXPIRED 1269969909
> | [GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
> | [GNUPG:] SIG_ID PloukF3ViGb7cZ/IkkSl6SbbY1g 2009-09-03 1251941717
> | [GNUPG:] KEYEXPIRED 1269969909
> | [GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
> | [GNUPG:] EXPKEYSIG EC61E0B0BBE55AB3 Debian-Volatile Archive Automatic Signing Key (4.0/etch)
> | gpg: Good signature from "Debian-Volatile Archive Automatic Signing Key (4.0/etch)"
> | [GNUPG:] VALIDSIG 6039406A4EDCE124CF087B0AEC61E0B0BBE55AB3 2009-09-03 1251941717 0 3 0 17 2 00 6039406A4EDCE124CF087B0AEC61E0B0BBE55AB3
> | gpg: Note: This key has expired!
> | Primary key fingerprint: 6039 406A 4EDC E124 CF08 7B0A EC61 E0B0 BBE5 5AB3
>
> no GOODSIG -> signature is not valid.
>
> | wea...@intrepid:~/tmp$ gpgv Release.gpg Release
> | gpgv: Signature made Thu Sep  3 03:35:17 2009 CEST using DSA key ID BBE55AB3
> | gpgv: Good signature from "Debian-Volatile Archive Automatic Signing Key (4.0/etch)"
> | wea...@intrepid:~/tmp$ echo $?
> | 0
>
> exit code 0 -> signature is valid.
>
>
> At the risk of repeating myself, this means that gpg and gpgv disagree on
> what is a valid signature.
>
> This is gnupg and gpgv both at version 1.4.10-2~bpo50+1.
Thanks for clarifying again what exactly you're observing. I can indeed reproduce that situation.

However, aren't you comparing apples with oranges? What I mean is that you compare checking the status-fd output of GnuPG with the exit code of gpgv. If I repeat your example, but compare gpg's status-fd output with gpgv's status-fd output, or compare gpg's exit code with gpgv's exit code, the results are consistent. Look at the following.

[th...@morgana]/tmp$ wget -nv http://snapshot.debian.org/archive/debian-volatile/20090903T013716Z/dists/etch/volatile/Release{.gpg,}
2010-08-18 15:28:29 URL:http://snapshot.debian.org/archive/debian-volatile/20090903T013716Z/dists/etch/volatile/Release.gpg [189/189] -> "Release.gpg" [1]
2010-08-18 15:28:32 URL:http://snapshot.debian.org/archive/debian-volatile/20090903T013716Z/dists/etch/volatile/Release [40688/40688] -> "Release" [1]
FINISHED --2010-08-18 15:28:32--
Downloaded: 2 files, 40K in 0s (76139 GB/s)
[th...@morgana]/tmp$ mkdir gnupghome
[th...@morgana]/tmp$ export GNUPGHOME=gnupghome
[th...@morgana]/tmp$ chmod go-rwx gnupghome
[th...@morgana]/tmp$ gpg
gpg: keyring `gnupghome/secring.gpg' created
gpg: keyring `gnupghome/pubring.gpg' created
gpg: Go ahead and type your message ...
gpg: processing message failed: eof
[th...@morgana]/tmp$ gpg --keyserver keys.gnupg.net --recv BBE55AB3
gpg: requesting key BBE55AB3 from hkp server keys.gnupg.net
gpg: gnupghome/trustdb.gpg: trustdb created
gpg: key BBE55AB3: public key "Debian-Volatile Archive Automatic Signing Key (4.0/etch)" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
[th...@morgana]/tmp$ cp gnupghome/pubring.gpg gnupghome/trustedkeys.gpg
[th...@morgana]/tmp$ gpg --status-fd 2 --verify Release.gpg Release
gpg: Signature made Thu 03 Sep 2009 03:35:17 CEST using DSA key ID BBE55AB3
[GNUPG:] KEYEXPIRED 1269969909
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] KEYEXPIRED 1269969909
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] SIG_ID PloukF3ViGb7cZ/IkkSl6SbbY1g 2009-09-03 1251941717
[GNUPG:] KEYEXPIRED 1269969909
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] EXPKEYSIG EC61E0B0BBE55AB3 Debian-Volatile Archive Automatic Signing Key (4.0/etch)
gpg: Good signature from "Debian-Volatile Archive Automatic Signing Key (4.0/etch)"
[GNUPG:] VALIDSIG 6039406A4EDCE124CF087B0AEC61E0B0BBE55AB3 2009-09-03 1251941717 0 3 0 17 2 00 6039406A4EDCE124CF087B0AEC61E0B0BBE55AB3
gpg: Note: This key has expired!
Primary key fingerprint: 6039 406A 4EDC E124 CF08 7B0A EC61 E0B0 BBE5 5AB3
[th...@morgana]/tmp$ echo $?
0
[th...@morgana]/tmp$ gpgv Release.gpg Release
gpgv: Signature made Thu 03 Sep 2009 03:35:17 CEST using DSA key ID BBE55AB3
gpgv: Good signature from "Debian-Volatile Archive Automatic Signing Key (4.0/etch)"
[th...@morgana]/tmp$ echo $?
0

--> Note: both return exit code 0.

Now run gpgv also with status-fd=2, just like we do when invoking gpg:

[th...@morgana]/tmp$ gpgv --status-fd=2 Release.gpg Release
gpgv: Signature made Thu 03 Sep 2009 03:35:17 CEST using DSA key ID BBE55AB3
[GNUPG:] KEYEXPIRED 1269969909
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] KEYEXPIRED 1269969909
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] SIG_ID PloukF3ViGb7cZ/IkkSl6SbbY1g 2009-09-03 1251941717
[GNUPG:] KEYEXPIRED 1269969909
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] EXPKEYSIG EC61E0B0BBE55AB3 Debian-Volatile Archive Automatic Signing Key (4.0/etch)
gpgv: Good signature from "Debian-Volatile Archive Automatic Signing Key (4.0/etch)"
[GNUPG:] VALIDSIG 6039406A4EDCE124CF087B0AEC61E0B0BBE55AB3 2009-09-03 1251941717 0 3 0 17 2 00 6039406A4EDCE124CF087B0AEC61E0B0BBE55AB3

No GOODSIG also for gpgv.

In your example both gpg and gpgv report exit code 0. Also 'gpg --status-fd=2' and 'gpgv --status-fd=2' both do not output GOODSIG in case of an expired key.

Cheers,
Thijs
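Both transcripts in this thread make the same point: neither the exit code nor the human-readable "Good signature" line tells a caller that the signing key has expired; only the `[GNUPG:]` status lines do, where EXPKEYSIG appears instead of GOODSIG. The Python below is an added example, not code from the thread or from GnuPG. It parses the status stream that `gpg --status-fd` and `gpgv --status-fd` both emit and derives a verdict that accepts only GOODSIG, optionally also requiring the VALIDSIG fingerprint to be on an allow-list (the way a trusted-keyring check would). The status keywords are GnuPG's own (documented in its doc/DETAILS file); the verdict names, the allow-list and the `verify_with_gpgv` wrapper are this example's design. The first sample input is the status output quoted in the thread; the GOODSIG and BADSIG samples are constructed, with a placeholder key ID and fingerprint.

```python
"""Derive a signature verdict from GnuPG --status-fd output, not from the exit code."""
import re
import subprocess
from dataclasses import dataclass, field

STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")

# Per-signature result keywords from GnuPG's doc/DETAILS, mapped to this example's verdict names.
SIG_KEYWORDS = {
    "GOODSIG": "good",
    "EXPKEYSIG": "expired-key",   # signature itself checks out, but the signing key has expired
    "EXPSIG": "expired-sig",      # the signature carried its own expiry and it has passed
    "REVKEYSIG": "revoked-key",
    "BADSIG": "bad",
    "ERRSIG": "error",            # verification could not be performed at all
    "NO_PUBKEY": "no-key",
}
# Ordered from most to least acceptable; when several keywords appear, the worst one wins.
SEVERITY = ["none", "good", "untrusted-key", "expired-sig", "expired-key",
            "revoked-key", "no-key", "error", "bad"]


@dataclass
class Verdict:
    status: str                 # one of SEVERITY
    keyid: str = ""             # long key ID from the *SIG line
    fingerprint: str = ""       # primary-key fingerprint from VALIDSIG, if present
    uid: str = ""               # user ID from the *SIG line, if present
    statuses: list = field(default_factory=list)   # every [GNUPG:] keyword seen, in order


def _worse(a, b):
    return a if SEVERITY.index(a) >= SEVERITY.index(b) else b


def parse_status(text):
    """Yield (keyword, args) for each [GNUPG:] line; human-readable lines are ignored."""
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            yield m.group(1), (m.group(2) or "")


def classify(text, allowed_fingerprints=None):
    """Turn a status stream into a Verdict. Only GOODSIG can yield 'good'."""
    v = Verdict(status="none")
    for kw, args in parse_status(text):
        v.statuses.append(kw)
        if kw in SIG_KEYWORDS:
            parts = args.split(" ", 1)
            v.keyid = parts[0]
            if kw not in ("ERRSIG", "NO_PUBKEY") and len(parts) > 1:
                v.uid = parts[1]
            v.status = _worse(v.status, SIG_KEYWORDS[kw])
        elif kw == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <version> <reserved> <pk-algo>
            #          <hash-algo> <class> [<primary-key-fpr>]
            fields = args.split()
            v.fingerprint = fields[9] if len(fields) >= 10 else fields[0]
    if allowed_fingerprints is not None and v.status == "good":
        allowed = {f.upper() for f in allowed_fingerprints}
        if v.fingerprint.upper() not in allowed:
            v.status = "untrusted-key"
    return v


def is_acceptable(verdict):
    return verdict.status == "good"


def verify_with_gpgv(sigfile, datafile, keyring, allowed_fingerprints=None):
    """Run gpgv with the status stream on stdout and classify it (needs gpgv; not run offline)."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring, sigfile, datafile],
        capture_output=True, text=True, check=False,   # the exit code is deliberately not trusted
    )
    return classify(proc.stdout, allowed_fingerprints)


# Sample 1: the status output quoted in the thread (expired Debian-Volatile etch key).
EXPIRED_KEY_STATUS = """\
gpgv: Signature made Thu 03 Sep 2009 03:35:17 CEST using DSA key ID BBE55AB3
[GNUPG:] KEYEXPIRED 1269969909
[GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead
[GNUPG:] SIG_ID PloukF3ViGb7cZ/IkkSl6SbbY1g 2009-09-03 1251941717
[GNUPG:] EXPKEYSIG EC61E0B0BBE55AB3 Debian-Volatile Archive Automatic Signing Key (4.0/etch)
gpgv: Good signature from "Debian-Volatile Archive Automatic Signing Key (4.0/etch)"
[GNUPG:] VALIDSIG 6039406A4EDCE124CF087B0AEC61E0B0BBE55AB3 2009-09-03 1251941717 0 3 0 17 2 00 6039406A4EDCE124CF087B0AEC61E0B0BBE55AB3
"""
# Samples 2 and 3: constructed, with a placeholder key ID and fingerprint (not a real key).
GOOD_FPR = "0000000000000000000000000123456789ABCDEF"
GOOD_STATUS = f"""\
[GNUPG:] SIG_ID constructedSigIdXXXXXXXX 2010-08-18 1282137600
[GNUPG:] GOODSIG 0123456789ABCDEF Example Archive Key <archive@example.org>
[GNUPG:] VALIDSIG {GOOD_FPR} 2010-08-18 1282137600 0 3 0 17 2 00 {GOOD_FPR}
"""
BAD_STATUS = "[GNUPG:] BADSIG 0123456789ABCDEF Example Archive Key <archive@example.org>\n"

if __name__ == "__main__":
    for name, sample in [("thread", EXPIRED_KEY_STATUS), ("good", GOOD_STATUS), ("bad", BAD_STATUS)]:
        v = classify(sample, allowed_fingerprints={GOOD_FPR})
        print(f"{name}: status={v.status} keyid={v.keyid} acceptable={is_acceptable(v)}")
```

On the thread's own output the verdict is `expired-key` and `is_acceptable` is false, even though gpg, gpgv and the human-readable line all say "Good signature" and the exit code is 0. That is the check apt-style consumers need: decide on the `[GNUPG:]` keyword, and treat anything other than GOODSIG (plus, if you keep a trusted keyring, a VALIDSIG fingerprint you expect) as a failed verification.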