Hi!

On Mon, 2021-12-13 at 22:58:22 +0100, Werner Koch wrote:
> > I cannot stop using as I do not know of a publicly supported interface
> > to inspect a (detached) signature to get its issuer fingerprint or
> > keyid.
>
> You can do this:
>
>   gpg --verify --status-fd 1 x.asc /dev/null 2>/dev/null \
>    | awk '$1=="[GNUPG:]" && $2=="BADSIG" { print $3}'
>
> which greps for
>
>   [GNUPG:] BADSIG 19CC1C9E085B107A w...@gnupg.org
>
> This shows the keyid but not the newer fingerprint. Adding something
> for the fingerprint would be easy, but it takes some time before it will
> be widely enough deployed.

Hmm, this feels like a hack though, as I don't really want to verify it
at that point, only fetch metadata from it, it would be nice to have
the equivalent of --show-keys for signatures. But I guess it fulfills
the "officially supported interface" part. For debsig-verify at least I
would not mind at all requiring a recent enough GnuPG, as long as I'd be
able to use a nicer interface. :)

But, thanks, for now I think I could instead switch to do something
like:

  gpg --no-options --no-default-keyring --keyring /dev/null \
      --status-fd 1 --verify x.asc /dev/null 2>/dev/null \
    | awk '$1=="[GNUPG:]" && $2=="ERRSIG" \
           { if ($9 == "-") { print $3 } else { print $9 } }'

As that should be guaranteed regardless of keyring contents.

Thanks,
Guillem
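
The ERRSIG extraction from the message above, written as a reusable filter and run over sample status lines; this is an added example, not part of the original post and not debsig-verify's code. The function names `sig_issuers` and `sample_status` are hypothetical, the sample lines and the fingerprint in them are constructed, and treating a line without a ninth field as "no fingerprint" is an assumption about older GnuPG output.

```sh
#!/bin/sh
# Read `gpg --status-fd 1 --verify ...` output on stdin and print one issuer
# identifier per ERRSIG line: the fingerprint when the line carries one,
# otherwise the key ID. Exits non-zero if no issuer was found.
sig_issuers() {
    awk '
        # Skip everything that is not an ERRSIG status line.
        $1 != "[GNUPG:]" || $2 != "ERRSIG" { next }
        {
            # Field 3 is the key ID, field 9 the fingerprint ("-" if unknown).
            # Assumption: older GnuPG may omit field 9 entirely.
            id = (NF >= 9 && $9 != "-") ? $9 : $3
            # Only emit plain hex, so callers never receive stray tokens.
            if (id ~ /^[0-9A-Fa-f]+$/) { print id; n++ }
        }
        END { exit (n == 0) }
    '
}

# Constructed sample status output (not captured from a real gpg run).
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 19CC1C9E085B107A 22 10 00 1639432702 9 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] NO_PUBKEY 19CC1C9E085B107A
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG AAAABBBBCCCCDDDD 1 8 00 1639432702 9 -
[GNUPG:] ERRSIG 1111222233334444 1 8 00 1639432702 9
EOF
}

sample_status | sig_issuers
```

In real use, the gpg command from the message above would be piped into `sig_issuers` in place of `sample_status`.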