Re: [Bug 122721] New: app-crypt/gnupg: improper signature verification

To: bugzilla-daemon@gentoo.org
Cc: debian-dpkg@lists.debian.org
Cc: David Shaw <dshaw@jabberwocky.com>
Subject: Re: [Bug 122721] New: app-crypt/gnupg: improper signature verification
From: Werner Koch <wk@gnupg.org>
Date: Tue, 14 Feb 2006 10:41:47 +0100
Message-id: <[🔎] 87wtfy8eg4.fsf@wheatstone.g10code.de>
In-reply-to: <bug-122721-36936@http.bugs.gentoo.org/> (bugzilla-daemon@gentoo.org's message of "Mon, 13 Feb 2006 20:09:19 +0000")
References: <bug-122721-36936@http.bugs.gentoo.org/>

On Mon, 13 Feb 2006 20:09:19 +0000, bugzilla-daemon  said:

> The gpg man page states "RETURN VALUE, The program returns 0 if everything was
> fine, 1 if at least a signature was bad, and other error codes for fatal
> errors.", as gpg is often used as a backend the return value is often used to
> determine whether a signature verified correctly.

In general it is not sufficient to check just the return code.
Checking the trust values is also important unless you compate the
fingerprint of the key that verifies with a known list.  In any case
you need to cope with the --status-fd output.

To make things easier gpgv provides signature verification based on a
keyring with trusted list.  AFAIK, Debian uses just this.  In this
case it is a real error not to return failure form gpg.

I have looked at this, fixed the problem and added s simple regression
test.  The fix is in the SVN (svn://cvs.gnupg.org/gnupg/trunk).

I wonder why this problem has not been found earlier.  We definitely
need more regression tests.


Salam-Shalom,

   Werner

Reply to:

Prev by Date: dpkg_1.13.14_sparc.changes ACCEPTED
Next by Date: dpkg_1.13.14_alpha.changes ACCEPTED
Previous by thread: dpkg_1.13.14_sparc.changes ACCEPTED
Next by thread: Re: [Bug 122721] New: app-crypt/gnupg: improper signature verification
Index(es):
- Date
- Thread