Re: Are there cases where gpg --verify will exit 0, even if verification failed?
On Wed, 14 Jan 2015 17:40, patrick-mailingli...@whonix.org said: Do you mean, for example, the signature could be valid, but the key that signed it could be revoked and gpg would still exit 0? Sure. It is just to complex to put it into one number. Consider the case for multiple signatures - who is going to decide whether the signature is valid. This has all been discussed about 15 years ago with the result of writing the gpgv binary which is suitable for most automated signature verification use cases. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Are there cases where gpg --verify will exit 0, even if verification failed?
I know that all processes have an exit code, what I meant was if you invoke gpg interactively like gpg —edit-key key ID /email and then execute a wrong subcommand or specify something incorrectly then the gpg exit code will not reflect this unless the subcommand launches another process. Sandeep Murthy s.mur...@mykolab.com On 14 Jan 2015, at 13:40, Daniel Kahn Gillmor d...@fifthhorseman.net wrote: On Wed 2015-01-14 08:22:45 -0500, Sandeep Murthy wrote: Exit codes in shells indicate problems relating to completion or disruption of the child process invoked by a parent process. They will not record unsuccessful events inside the child process related to program functions, i.e. if you inside gpg editing a key and enter an incorrect subcommand or use it incorrectly then this will not affect the exit code, I don’t think. This is not the case. all processes have a return code, whether they are invoked by a shell or by other processes. The return code is a critical part of the output of a program. gpg does use the return code to indicate failure of signature verification. consider the results of: echo test1 test1.txt echo test2 test2.txt gpg --detach-sign --armor test1.txt gpg --verify test1.txt.asc test1.txt gpg --verify test1.txt.asc test2.txt the return value of the first --verify should be 0, but the second --verify invocation should return 1, indicating that the signature cannot be verified over the (different) contents of test2.txt --dkg ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Are there cases where gpg --verify will exit 0, even if verification failed?
On Wed, 14 Jan 2015 14:40, d...@fifthhorseman.net said: gpg does use the return code to indicate failure of signature verification. But recall that success does not mean that the signature is good. Check the status output or use gpgv. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Are there cases where gpg --verify will exit 0, even if verification failed?
Werner Koch: On Wed, 14 Jan 2015 14:40, d...@fifthhorseman.net said: gpg does use the return code to indicate failure of signature verification. But recall that success does not mean that the signature is good. Check the status output or use gpgv. Do you mean, for example, the signature could be valid, but the key that signed it could be revoked and gpg would still exit 0? Or can you tell another example please where gpg would exit 0, but where where the signature is bad? ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Are there cases where gpg --verify will exit 0, even if verification failed?
Are there cases where gpg --verify will exit 0, even if verification failed? Verification could fail internally within the gpg program, or externally because the signature fie does not exist or is incorrectly named or maybe corrupt e.g. [srm@~]$ gpg --verify asig.sig; echo $? gpg: can't open `asig.sig': No such file or directory gpg: verify signatures failed: No such file or directory 2 Exit codes in shells indicate problems relating to completion or disruption of the child process invoked by a parent process. They will not record unsuccessful events inside the child process related to program functions, i.e. if you inside gpg editing a key and enter an incorrect subcommand or use it incorrectly then this will not affect the exit code, I don’t think. Sandeep Murthy s.mur...@mykolab.com On 14 Jan 2015, at 07:51, Dave Pawson dave.paw...@gmail.com wrote: In Unix terms, a program that has run successfully to completion exits with status zero, no 'extra' semantic attached? Dave On 13 January 2015 at 19:03, Patrick Schleizer patrick-mailingli...@whonix.org wrote: In another thread... Werner Koch On Mon, 12 Jan 2015 19:52, patrick- When it exits 0, then this approach is sound, sane and fine? You better check the status lines; in particular watch out for [GNUPG:] VALIDSIG E4B868C8F90C. or use gpgv. Are there cases where gpg --verify will exit 0, even if verification failed? (Suppose one uses a separate --homedir where only legitimate signing keys are imported.) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users -- Dave Pawson XSLT XSL-FO FAQ. Docbook FAQ. http://www.dpawson.co.uk ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users signature.asc Description: Message signed with OpenPGP using GPGMail ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Are there cases where gpg --verify will exit 0, even if verification failed?
In Unix terms, a program that has run successfully to completion exits with status zero, no 'extra' semantic attached? Dave On 13 January 2015 at 19:03, Patrick Schleizer patrick-mailingli...@whonix.org wrote: In another thread... Werner Koch On Mon, 12 Jan 2015 19:52, patrick- When it exits 0, then this approach is sound, sane and fine? You better check the status lines; in particular watch out for [GNUPG:] VALIDSIG E4B868C8F90C. or use gpgv. Are there cases where gpg --verify will exit 0, even if verification failed? (Suppose one uses a separate --homedir where only legitimate signing keys are imported.) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users -- Dave Pawson XSLT XSL-FO FAQ. Docbook FAQ. http://www.dpawson.co.uk ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Are there cases where gpg --verify will exit 0, even if verification failed?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 01/14/2015 02:40 PM, Daniel Kahn Gillmor wrote: On Wed 2015-01-14 08:22:45 -0500, Sandeep Murthy wrote: Exit codes in shells indicate problems relating to completion or disruption of the child process invoked by a parent process. .. the return value of the first --verify should be 0, but the second --verify invocation should return 1, indicating that the signature cannot be verified over the (different) contents of test2.txt But iirc you will anyways have to check the status-fd for the validity of the issuing key. - -- - Kristian Fiskerstrand Blog: http://blog.sumptuouscapital.com Twitter: @krifisk - Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - A government that robs Peter to pay Paul can always depend on the support of Paul. (George Bernard Shaw) -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJUtnf3AAoJEPw7F94F4Tag93cP/3sI+nnS0HK68JEeE3dfCO/5 pFweOpBSeSOeh5gA2e0UuO0Nm7l1hD2syjFNn18L/fMybVfqodYKnIWkh3v9O8oi sNNxDJ8emhWPaE0oV9VpPocEcq5MbZwerF5iIB+rm9d+R2CuqMKpIkEYv2abIxWJ tJsMlp9bXWC66QbQBDc9D+okn9yKzJgYdfAilprk7kKPmnSgIVIagwdcQyg9iUks dX1q6rsGonYzPOwWk2sZdXyAB2TleYSPq8ySaShtSt4dZ/DFK38l4hYOcOX/OrG1 bROwTg3fnjISvFHYAJPx1CCrsdN/fIOPATrCITPQLV0IdTUIhrbi6bgTjDvfr8eQ NSuggpdjvif1EtDnCQYv6gSoI2egbFFs92bqzLsfm/gVtJJi25d4JRammHNOzjWt 0SBxFBAI64cAuReDkLcqnhSu0dccQRQYUjF88a4dP9ldE6eK4HNo8h6vQxbVJ6Y+ xPQxBCMwHUoLLKWQt+PLBQXqqZFnFOdPRF6Ns+OHsIC3Go/oH7ynY+yKSQHziTRc 6TnLMfg4by2bh1RIsBF1nb1wkXcyV9tZXrriaM4H6wwPoR6IDnZnHU2dTcUn8LLT c4FBn743TT0OZbVnMhd7e3PdUe6EVE0ZTKXilKqRk36+yEdBcrRj+ihwS9Vy/gt3 /u59aDPZpS8gTPWFSzjN =KsGq -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users