[Pkg-gnupg-maint] Bug#695855: please provide a --verify command that outputs the signed data

Ansgar Burchardt ansgar at debian.org
Fri Dec 14 18:44:26 UTC 2012


Werner Koch <wk at gnupg.org> writes:
> On Thu, 13 Dec 2012 16:35, ansgar at debian.org said:
>> it would be very nice if gpg had a --verify command that would also output the
>> signed data. (Maybe "gpg --output - --verify"?) Otherwise you know the data is
>> signed, but still have to extract it somehow.
>
> Verification of a signature is quite complicated.  The math is easy but
> how to properly set up a scheme for automated signature checking is hard.
> You need to figure out what has been signed, who signed, whether the key
> is valid, and what to do if the key meanwhile expired.  Returning just a
> simple status code would need to hardwire a certain policy which needs
> to be strictly followed.  I doubt that this is easier than to use
> detached signatures, which instantly solve many of the problems.

I agree that detached signatures are easier, but that should only change
the "what has been signed" part.  Having gpg output the signed data
would answer that.

For the rest, I'm mostly thinking of places where gpgv is used and one
has a keyring where all keys are trusted. I don't think more complicated
policies should be implemented using just the return code.

Ansgar
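As an added illustration (example code written for this thread, not code from gpg or from either poster): the checks Werner lists can be applied by parsing the machine-readable `--status-fd` lines that gpg and gpgv emit, rather than relying on the exit code alone. The trusted fingerprint below is a constructed placeholder; a deployment would pipe in the output of something like `gpgv --status-fd 1 --keyring trusted.gpg file.sig file`.

```python
import sys

# Constructed placeholder; a real deployment lists the fingerprints of the
# keys in the gpgv keyring that it actually accepts as signers.
TRUSTED_FPRS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

STATUS_PREFIX = "[GNUPG:] "


def parse_status(lines):
    """Yield (keyword, args) for each status line; ordinary log text is ignored."""
    for line in lines:
        if line.startswith(STATUS_PREFIX):
            parts = line[len(STATUS_PREFIX):].split()
            if parts:
                yield parts[0], parts[1:]


def check_signature(lines, trusted=TRUSTED_FPRS, allow_expired_key=False):
    """Apply one fixed policy to gpg/gpgv --status-fd output; returns (accepted, reason).

    Policy: every signature must verify (no BADSIG/ERRSIG/NO_PUBKEY), at least one
    must come from a key in `trusted`, and a signature made by a key that has since
    expired (EXPKEYSIG) is accepted only when the caller explicitly opts in.
    """
    good = bad = 0
    expired = False
    signer_fprs = set()
    for kw, args in parse_status(lines):
        if kw == "GOODSIG":
            good += 1
        elif kw == "EXPKEYSIG":           # signature is valid, but the key has expired
            good += 1
            expired = True
        elif kw in ("BADSIG", "ERRSIG", "NO_PUBKEY"):
            bad += 1
        elif kw == "VALIDSIG":            # args[0]: signing key fpr, args[9]: primary fpr
            signer_fprs.add(args[0])
            if len(args) >= 10:
                signer_fprs.add(args[9])
    if bad:
        return False, "at least one signature did not verify"
    if good == 0:
        return False, "no signature found"
    if expired and not allow_expired_key:
        return False, "signing key has expired"
    if not signer_fprs & trusted:
        return False, "signature is not from a trusted key"
    return True, "accepted"


if __name__ == "__main__":
    # Usage: gpgv --status-fd 1 --keyring trusted.gpg file.sig file | python check.py
    accepted, reason = check_signature(sys.stdin.read().splitlines())
    print(reason)
    sys.exit(0 if accepted else 1)
```

Each rejection reason corresponds to one of the questions in the quoted mail (did it verify, who signed, is the key still valid), which is exactly the information a bare return code cannot carry.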
