[Pkg-gnupg-maint] Bug#695855: please provide a --verify command that outputs the signed data
Ansgar Burchardt
ansgar at debian.org
Thu Dec 13 15:35:25 UTC 2012
Package: gnupg
Version: 1.4.12-6
Severity: wishlist
Tags: upstream
Hi,
it would be very nice if gpg had a --verify command that would also output the
signed data. (Maybe "gpg --output - --verify"?) Otherwise you know the data is
signed, but still have to extract it somehow.
I have seen software using just

    gpg < $file

to try to do this. However this doesn't make sure that the input is actually
signed; it would also accept data created with `gpg --store'.
I have also seen software (trying to) extract the data using the markers in a
clearsigned message (`gpg --clearsign') that could be tricked into processing
the wrong data (it did not look for the correct markers).
This would be prevented if there was an option to make gpg --verify also output
the data that was actually signed. Currently the only way to get something
similar seems to be `gpg --status-{fd,file}=... --decrypt < $file' and parsing
the status output, but that is significantly more work (esp. when processing
files in shell).
Ansgar
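
The status-output approach mentioned in the last paragraph, sketched as an added example (not part of the original message, and not code from GnuPG or Debian): sig_status_ok decides from a --status-file log whether the emitted data was covered by a valid signature, and verified_cat buffers gpg's output until that check passes. The function names, the rule of exactly one PLAINTEXT line, and the sample status lines are assumptions made here.

```sh
#!/bin/sh
# Added example, not from the original message.

# sig_status_ok STATUS_FILE [FINGERPRINT]
# Succeed only if the status log shows exactly one PLAINTEXT packet, at least
# one VALIDSIG (made by FINGERPRINT, when given) and no failed signature.
sig_status_ok() {
    awk -v want="${2:-}" '
        $1 != "[GNUPG:]" { next }
        $2 == "PLAINTEXT" { plain++ }
        $2 == "VALIDSIG" && (want == "" || $3 == want) { valid++ }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad++ }
        END { exit !(plain == 1 && valid >= 1 && bad == 0) }
    ' "$1"
}

# verified_cat FILE [FINGERPRINT]   (hypothetical helper name)
# Buffer gpg's output and release it only after the status check passes.
verified_cat() {
    tmp=$(mktemp -d) || return 1
    if gpg --batch --status-file "$tmp/status" --output "$tmp/data" \
           --decrypt "$1" 2>/dev/null &&
       sig_status_ok "$tmp/status" "${2:-}"; then
        cat "$tmp/data"; rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Constructed status logs (fingerprint, key ID and user ID are made up).
FPR=0123456789ABCDEF0123456789ABCDEF01234567
sample_signed() {
    printf '%s\n' \
        "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>" \
        "[GNUPG:] VALIDSIG $FPR 2012-12-13 1355412925 0 4 0 1 2 00 $FPR" \
        "[GNUPG:] PLAINTEXT 62 1355412925 data.txt"
}
sample_stored() {   # input made with `gpg --store': data, but no signature
    printf '%s\n' "[GNUPG:] PLAINTEXT 62 1355412925 data.txt"
}
sample_badsig() {
    printf '%s\n' \
        "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>" \
        "[GNUPG:] PLAINTEXT 62 1355412925 data.txt"
}
```

VALIDSIG only says the signature checks out against a key in the keyring, so passing the expected fingerprint is what ties the data to a particular signer.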