[Pkg-gnupg-maint] Bug#695855: please provide a --verify command that outputs the signed data

Werner Koch wk at gnupg.org
Fri Dec 14 18:03:36 UTC 2012


On Thu, 13 Dec 2012 16:35, ansgar at debian.org said:

> it would be very nice if gpg had a --verify command that would also output the
> signed data. (Maybe "gpg --output - --verify"?) Otherwise you know the data is
> signed, but still have to extract it somehow.

Verification of a signature is quite complicated.  The math is easy but
how to properly set up a scheme for automated signature checking is hard.
You need to figure out what has been signed, who signed, whether the key
is valid, and what to do if the key meanwhile expired.  Returning just a
simple status code would need to hardwire a certain policy which needs
to be strictly followed.  I doubt that this is easier than using
detached signatures, which instantly solve many of the problems.

> similar seems to be `gpg --status-{fd,file}=... --decrypt < $file' and parsing
> the status output, but that is significantly more work (esp. when processing
> files in shell).

That is actually pretty easy with a few lines of awk.  Remember, it is a
Unix tool; the Unix philosophy is that of a toolbox and not of highly
specialized tools.



Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
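
The "few lines of awk" approach from the reply above, as an added example that is not part of this thread or of GnuPG itself: a POSIX sh script in which gpg writes the signed data via --output while its --status-fd lines are piped through an awk policy check, so the data is only kept when the signature policy passes. The allowlisted fingerprint in ALLOWED_FPRS and the status lines in the demo are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Verify a GnuPG-signed file, extract the signed data, and enforce a fixed
# policy over the machine-readable --status-fd output, using only sh and awk.
# ALLOWED_FPRS: space-separated fingerprints of the keys allowed to sign this
# data. The default is a constructed placeholder, not a real key.
ALLOWED_FPRS="${ALLOWED_FPRS:-0000000000000000000000000000000000000001}"

# check_status: read status lines ("[GNUPG:] KEYWORD args...") on stdin.
# Prints "ok" and returns 0 only if there is a GOODSIG, the VALIDSIG line names
# an allowed key (field 3 = signing-key fpr, field 11 = primary-key fpr when
# present), and no fatal keyword appeared. Anything else prints "fail"/returns 1.
check_status() {
    awk -v allowed="$ALLOWED_FPRS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 != "[GNUPG:]" { next }
    $2 == "GOODSIG"  { good = 1 }
    $2 == "VALIDSIG" { if (($3 in ok) || (NF >= 11 && ($11 in ok))) trusted = 1 }
    # Policy: bad or missing signatures and expired or revoked keys are failures
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NODATA|NO_PUBKEY)$/ { bad = 1 }
    END {
        if (good && trusted && !bad) { print "ok"; exit 0 }
        print "fail"; exit 1
    }'
}

# verify_and_extract SIGNED_FILE OUT_FILE: gpg writes the signed data to
# OUT_FILE (the --output behaviour the bug report asks about) and its status
# lines to fd 3, which is piped into check_status. On failure the extracted
# data is removed so callers cannot consume unverified content.
verify_and_extract() {
    if gpg --batch --status-fd 3 --output "$2" --decrypt "$1" 3>&1 >/dev/null 2>&1 \
        | check_status >/dev/null; then
        return 0
    fi
    rm -f "$2"
    return 1
}

# Demo on a constructed status transcript (no gpg needed): a good signature
# from the allowed placeholder key prints "ok".
printf '%s\n' \
  '[GNUPG:] GOODSIG 0000000000000001 Example <example@example.invalid>' \
  '[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2012-12-14 1355508216 0 4 0 1 10 00 0000000000000000000000000000000000000001' \
  | check_status
```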


