* Ansgar Burchardt <ans...@debian.org> [121214 16:18]:
> 2, Not asking gpg to verify signatures:
>
> I also found packages that call gpg in the form "gpg $file" and expect
> gpg to verify the signature on $file and output the signed data. Indeed
> it does so for *signed* files, but if you just give it unsigned data
> packed into an OpenPGP message, it will happily just extract that
> without caring about signatures. (One can generate those messages with
> 'gpg --store'.)
>
> Sadly gpg doesn't seem to provide a painless way to check for a valid
> signature and extracting the signed data[2]. Or did I miss something?
Instead of inventing new ways for this, I'd suggest instead asking the more
important question: what is checking for a signature worth if you are not
checking who is signing it?

Better either use --status-fd or use some wrapper like libgpgme to retrieve
what key actually signed it and check that information instead. (While "just
dump your own keyring somewhere and assume everything in there might sign
anything and be trusted" might look like an easy hack, it hardly scales and
might be quite brittle, assuming quite some default options to things like
--auto-key-locate (and with any new options in that direction that might still
be added to gpg).)

Bernhard R. Link

Archive: http://lists.debian.org/20121214222149.ga19...@client.brlink.eu
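The approach suggested above (let gpg report, via --status-fd, which key actually signed the data, and check that rather than merely "a signature was present"), written out as an added example. This is not code from the thread or from any Debian package; it assumes gpg is on PATH with the expected key in the keyring, and the fingerprint below is a placeholder. It relies only on the documented VALIDSIG status line (doc/DETAILS in GnuPG: field 3 is the signing key's fingerprint, field 12, when present, the primary key's); GOODSIG carries just a long key ID, so VALIDSIG is the line to compare. An unsigned literal packet produced with 'gpg --store' yields no VALIDSIG line at all, so it is rejected for the same reason as a signature from the wrong key. Because gpg writes the payload whether or not the signature is good, the output goes to a temporary file that is promoted only after the check.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Placeholder fingerprint (assumption): replace with the key you actually trust.
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# signer_fpr: read 'gpg --status-fd' lines on stdin and print the primary-key
# fingerprint from the VALIDSIG line (field 12; field 3, the signing-key
# fingerprint, if the primary one is absent).  Prints nothing when no
# VALIDSIG line exists, which is the case for unsigned '--store' data.
signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             fpr = (NF >= 12) ? $12 : $3
             print fpr
             exit
         }'
}

# check_status: succeed only if the status lines on stdin name "$1" as signer.
check_status() {
    [ -n "$1" ] && [ "$(signer_fpr)" = "$1" ]
}

# verify_and_extract IN OUT: run gpg on IN and keep OUT only if the data was
# signed by EXPECTED_FPR.  The gpg exit code is deliberately not used: it is 0
# for an unsigned literal packet, so only the status lines are trusted.
verify_and_extract() {
    in="$1"; out="$2"
    tmp=$(mktemp "$out.XXXXXX") || return 1
    status=$(mktemp) || { rm -f "$tmp"; return 1; }
    # fd 3 receives the machine-readable status; stderr noise is dropped.
    gpg --batch --quiet --yes --status-fd 3 --output "$tmp" --decrypt "$in" \
        3>"$status" 2>/dev/null || :
    if check_status "$EXPECTED_FPR" <"$status"; then
        rm -f "$status"
        mv "$tmp" "$out"
    else
        rm -f "$status" "$tmp"
        echo "$in: no valid signature from $EXPECTED_FPR" >&2
        return 1
    fi
}

# Usage: sh verify.sh signed.gpg payload.out
if [ "$#" -eq 2 ]; then
    verify_and_extract "$1" "$2"
fi
```

The same check can be done with a 'gpg --verify' of a detached signature; the only difference is that no payload file is produced, so the temp-file dance is unnecessary and the VALIDSIG comparison alone suffices.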