Hi,

While your tool would certainly be a valuable addition to signing-party, a blocker is that it gets the digest algorithm on certificate signatures by parsing the output of ‘--list-packets’, which as far as I can tell isn't documented.

IMHO a better (and faster) approach would be, as you hinted at, to extract the OpenPGP signature packets from public key packets, cf. RFC 4880 sections. It's non-trivial though :-(

Note that if the key of which to check the signatures is in your keyring, a workaround is to use gpg2, as the digest algorithm is available on the (documented & parsable) ‘--with-colons’ output. For instance, to list signatures with weak digest algorithms (MD5 and SHA1 [1]):

    gpg2 --with-colons --list-sigs $keyID | grep -E '^(pub|uid|sig(:[^:]*){14}:[12]):'

(But as of 1.1.6-1 gnupg2 is not a dependency of signing-party, and I'm unsure if doing it before the whole Debian project migrates away from gnupg to gnupg2 is the right move :-/)

Cheers,
-- 
Guilhem.

[1] https://tools.ietf.org/html/rfc4880#section-9.4
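The ‘--with-colons’ approach described in the mail above, written out as an added example (this is not code from the mail, from signing-party or from GnuPG). It parses the colon-separated records using the field positions documented in GnuPG's doc/DETAILS (field 5 = key ID, field 10 = user ID, field 16 = hash algorithm of a sig record), flags sig records whose hash algorithm is MD5 (1) or SHA1 (2) per RFC 4880 section 9.4, and cross-checks the result against the grep regex from the mail. The sample output is constructed, with made-up key IDs and user IDs; the `list_sigs` helper that runs gpg2 against a real keyring is an assumption about the caller's environment and is not executed by the demo:

```python
"""Find certificate signatures made with weak digest algorithms by parsing
the documented, machine-readable '--with-colons' output of gpg2."""
import re
import subprocess

# Hash algorithm ids from RFC 4880 section 9.4.
HASH_ALGO_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
                   9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASH_ALGOS = {1, 2}   # MD5 and SHA1, as in the mail

# The grep from the mail as a Python regex: pub/uid context records plus
# sig records whose 16th field (hash algorithm) is exactly 1 or 2.
MAIL_FILTER = re.compile(r'^(pub|uid|sig(:[^:]*){14}:[12]):')

# Constructed sample of 'gpg2 --with-colons --list-sigs' output (fake keys).
# The last sig record mimics gnupg 1.x, which emits no hash-algorithm field.
SAMPLE_OUTPUT = """\
tru::1:1600000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1500000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sig:::1:0123456789ABCDEF:1500000000::::Example User <user@example.org>:13x:::::8:
sig:::1:FEDCBA9876543210:1510000000::::Careful Signer <careful@example.org>:10x:::::10:
sig:::17:1111111111111111:1200000000::::Old Signer <old@example.org>:10x:::::2:
sig:::1:2222222222222222:1100000000::::Ancient Signer <ancient@example.org>:10x:::::1:
sig:::1:3333333333333333:1300000000::::Legacy gpg1 Signer <legacy@example.org>:10x:
"""


def parse_records(text):
    """Split '--with-colons' output into records: one line, colon-separated fields."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def weak_signatures(text, weak=WEAK_HASH_ALGOS):
    """Return one dict per sig record whose hash algorithm is in `weak`,
    together with the key and user ID the signature belongs to."""
    found = []
    key_id = uid = None
    for f in parse_records(text):
        kind = f[0]
        if kind == "pub":
            key_id, uid = f[4], None          # field 5: key ID
        elif kind == "uid":
            uid = f[9]                        # field 10: user ID
        elif kind == "sig":
            if len(f) < 16 or not f[15].isdigit():
                continue                      # no field 16: gnupg 1.x output
            algo = int(f[15])                 # field 16: hash algorithm id
            if algo in weak:
                found.append({"key": key_id, "uid": uid, "signer": f[4],
                              "hash": HASH_ALGO_NAMES.get(algo, str(algo))})
    return found


def grep_like(text):
    """Apply the mail's grep regex line by line; returns the matching lines."""
    return [line for line in text.splitlines() if MAIL_FILTER.match(line)]


def list_sigs(key_id):
    """Fetch the real output for a key in the local keyring (assumes gpg2 on PATH)."""
    return subprocess.run(["gpg2", "--with-colons", "--list-sigs", key_id],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for s in weak_signatures(SAMPLE_OUTPUT):
        print(f"key {s['key']} uid {s['uid']!r}: sig by {s['signer']} uses {s['hash']}")
```

Parsing fields rather than grepping makes it easy to report which user ID each weak signature is attached to, and to widen the weak set (e.g. to RIPEMD160) without rewriting a regex; a sig record without a 16th field is skipped, which is the gnupg 1.x case the mail mentions where only packet parsing would help.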