Re: --verify --status-fd separator for multiple signatures?

2015-03-21 Thread Werner Koch
On Fri, 20 Mar 2015 19:41, patrick-mailingli...@whonix.org said:

> Well, I don't speak C, so I can't make head or tail of what we do in
> gpgme/src/verify.c.

You should still be able to follow the control flow.  That is not
different from any pseudo code.

> Is there a complete list of all possible start/end keyword combinations?

As I said, check out gpgme:

  switch (code)
    {
    case GPGME_STATUS_NEWSIG:
      if (sig)
        calc_sig_summary (sig);

NEWSIG has been seen: Finalize the output for the current signature if any.

      err = prepare_new_sig (opd);

      opd->only_newsig_seen = 1;

Get ready for a new signature.  That is the helpful feature of NEWSIG.
Note that there is no guarantee that a signature will follow: it may be
garbled or removed and gpg won't get to the actual verification.

    case GPGME_STATUS_GOODSIG:
    case GPGME_STATUS_EXPSIG:
    case GPGME_STATUS_EXPKEYSIG:
    case GPGME_STATUS_BADSIG:
    case GPGME_STATUS_ERRSIG:
    case GPGME_STATUS_REVKEYSIG:
      if (sig && !opd->did_prepare_new_sig)
        calc_sig_summary (sig);

If we have a signature and we are not yet preparing for a new signature
(i.e. have not called prepare_new_sig): Finalize the output for the
current signature.

      opd->only_newsig_seen = 0;

Clear flag for NEWSIG seen.

      return parse_new_sig (opd, code, args, ctx->protocol);

Do something with the signature.  This function calls prepare_new_sig if
not yet done.

    case GPGME_STATUS_VALIDSIG:
      opd->only_newsig_seen = 0;
      return sig ? parse_valid_sig (sig, args, ctx->protocol)
                 : trace_gpg_error (GPG_ERR_INV_ENGINE);

VALIDSIG is the modern version of GOODSIG.  Take care of it.


    case GPGME_STATUS_NODATA:
      opd->only_newsig_seen = 0;

Forget about NEWSIG.  The code in GPGME requires this here and for
several other status messages.

    case GPGME_STATUS_EOF:
      if (sig && !opd->did_prepare_new_sig)
        calc_sig_summary (sig);
      if (opd->only_newsig_seen && sig)
        {
          gpgme_signature_t sig2;
          /* The last signature has no valid information - remove it
             from the list. */

On EOF finalize the last signature.  If a NEWSIG has been seen, remove
the prepared information.

Proper verification is a bit complicated if you need to do this in the
most general way.  You can get away much easier in many cases.  For
example, VALIDSIG gives you all the information about correctly verified
signatures.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
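As an added example (not code from this thread or from gpgme itself), here is a small Python parser that splits --status-fd output into per-signature records by following the NEWSIG / GOODSIG-family / VALIDSIG / NODATA / EOF handling Werner walks through above, so it works both with a gpg that emits NEWSIG and with an older one that does not. The sample status lines are constructed with made-up key ids and fingerprints; the field positions assumed for ERRSIG and VALIDSIG follow gpg's doc/DETAILS.

```python
import re

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")
# Keywords that open a per-signature result in gpgme's verify.c switch.
SIG_START = {"GOODSIG", "EXPSIG", "EXPKEYSIG", "BADSIG", "ERRSIG", "REVKEYSIG"}
# Constructed samples (made-up key ids/fingerprints): a gpg that emits NEWSIG, ending
# with a NEWSIG nothing follows (Werner's case), and an older-style run without NEWSIG.
SAMPLE_NEW = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Test User <test@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-03-19 1426790000 0 4 0 1 10 00
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG FEDCBA9876543210 1 10 00 1426790000 9
[GNUPG:] NO_PUBKEY FEDCBA9876543210
[GNUPG:] NEWSIG
"""
SAMPLE_OLD = """[GNUPG:] GOODSIG 0123456789ABCDEF Test User <test@example.org>
[GNUPG:] BADSIG FEDCBA9876543210 Other User <other@example.org>
"""

def parse_status(text):
    """One dict per signature, delimited the way gpgme's verify.c does it.
    'finalized' stands in for calc_sig_summary(); errsig_rc is the sixth
    ERRSIG field (assumed layout from doc/DETAILS; 9 = no public key)."""
    sigs, sig, only_newsig_seen, did_prepare_new_sig = [], None, False, False

    def prepare_new_sig():
        nonlocal sig, did_prepare_new_sig
        sig = {"status": None, "keyid": None, "fingerprint": None,
               "errsig_rc": None, "finalized": False}
        sigs.append(sig); did_prepare_new_sig = True

    for line in text.splitlines() + ["[GNUPG:] EOF"]:  # EOF is synthetic, as in gpgme
        m = STATUS_RE.match(line)
        if not m: continue
        code, args = m.group(1), (m.group(2) or "").split()
        if code == "NEWSIG":            # finalize current sig, get ready for a new one
            if sig: sig["finalized"] = True
            prepare_new_sig(); only_newsig_seen = True
        elif code in SIG_START:         # a signature result starts, NEWSIG or not
            if sig and not did_prepare_new_sig: sig["finalized"] = True
            if not did_prepare_new_sig: prepare_new_sig()
            did_prepare_new_sig = only_newsig_seen = False
            sig["status"], sig["keyid"] = code, (args[0] if args else None)
            if code == "ERRSIG" and len(args) > 5: sig["errsig_rc"] = args[5]
        elif code == "VALIDSIG":        # details of a correctly verified signature
            only_newsig_seen = False
            if sig and args: sig["fingerprint"] = args[0]
        elif code == "NODATA":          # forget about NEWSIG
            only_newsig_seen = False
        elif code == "EOF":             # finalize the last one; drop a bare NEWSIG
            if sig and not did_prepare_new_sig: sig["finalized"] = True
            if only_newsig_seen and sig: sigs.pop()
    return sigs
```

Run parse_status over the output of `gpg --verify --status-fd 1 ...` and act on each record's status; the trailing NEWSIG in SAMPLE_NEW yields no record, just as gpgme discards it at EOF.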


Re: --verify --status-fd separator for multiple signatures?

2015-03-20 Thread Patrick Schleizer
Werner Koch:
> On Thu, 19 Mar 2015 18:39, patrick-mailingli...@whonix.org said:
>
>> when using --verify combined with --status-fd [or --status-file], how
>> can one notice in scripts, that processing the one signature is done and
>> that further status-fd messages belong to the next message?
>
> That is unfortunately a bit complicated due to different behaviour in
> gpgsm and gpg.  I suggest to do what we do in gpgme/src/verify.c .  Of
> course it would be useful to make sure that NEWSIG is also emitted by
> gpg but you also need to take care of older gpg versions.
>
> I assume adding NEWSIG to gpg has simply been forgotten.

Well, I don't speak C, so I can't make head or tail of what we do in
gpgme/src/verify.c.

Maybe let's put it this way. If there is no guarantee to get a NEWSIG or
other separator... Is there a limited combination of start and end keywords?

What I mean... Here is an example...

start: [GNUPG:] ERRSIG [...]
end__: [GNUPG:] NODATA [...]

start: [GNUPG:] SIG_ID [...]
end__: [GNUPG:] TRUST_[...]

start: [GNUPG:] ERRSIG [...]
end__: [GNUPG:] NO_PUBKEY [...]

Is there a complete list of all possible start/end keyword combinations?

Cheers,
Patrick




Re: --verify --status-fd separator for multiple signatures?

2015-03-20 Thread Patrick Schleizer
Doug Barton:
> On 3/19/15 10:39 AM, Patrick Schleizer wrote:
>> Hi,
>>
>> when using --verify combined with --status-fd [or --status-file], how
>> can one notice in scripts, that processing the one signature is done and
>> that further status-fd messages belong to the next message?
>
> You are using --with-colons, right?

No. Using --status-file. --with-colons does not seem to affect that.

Cheers,
Patrick




Re: --verify --status-fd separator for multiple signatures?

2015-03-19 Thread Werner Koch
On Thu, 19 Mar 2015 18:39, patrick-mailingli...@whonix.org said:

> when using --verify combined with --status-fd [or --status-file], how
> can one notice in scripts, that processing the one signature is done and
> that further status-fd messages belong to the next message?

That is unfortunately a bit complicated due to different behaviour in
gpgsm and gpg.  I suggest to do what we do in gpgme/src/verify.c .  Of
course it would be useful to make sure that NEWSIG is also emitted by
gpg but you also need to take care of older gpg versions.

I assume adding NEWSIG to gpg has simply been forgotten.


Shalom-Salam,

   Werner


-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: --verify --status-fd separator for multiple signatures?

2015-03-19 Thread Doug Barton

On 3/19/15 10:39 AM, Patrick Schleizer wrote:

> Hi,
>
> when using --verify combined with --status-fd [or --status-file], how
> can one notice in scripts, that processing the one signature is done and
> that further status-fd messages belong to the next message?


You are using --with-colons, right?


--
I am conducting an experiment in the efficacy of PGP/MIME signatures. 
This message should be signed. If it is not, or the signature does not 
validate, please let me know how you received this message (direct, or 
to a list) and the mail software you use. Thanks!



