
Enforce signer identity when verify signature
Closed, Wontfix (Public)

Description

Hi,

It could be interesting to have an option to enforce signer identity when
verifying a signature. Currently, a GPG signature is valid regardless of the signer.

My recent use-case is the Tor Browser Bundle, GPG-signed by 3 devs. I want to be
sure the released software is signed by 3 different devs, and not by the same
dev multiple times (compromised guy).
With current GnuPG, it's impossible to do this automatically; I have to parse
« gpg --verify » output to fetch the signature fingerprint and compare it to the
expected one.

It would be better if there were an option like « --verify-signer » or equivalent, to
verify both the signature and the fingerprint directly in the gpg client, and fail if
the signature or the signer is wrong.

Regards,

Event Timeline

You may want to look at the gpgv tool instead.

Not enough for my case.
You can see here the script where I met the need:
https://gist.github.com/aeris/8483548

I have to verify 3 or more signatures, and need to ensure each is from a different
signer.
Using gpgv to do this would be a huge hack, with multiple trustedkeys.gpg creations
each with a single key inside.
A worse and more complicated solution than my current one (with only one sed).

A « --ensure-signer » option with « gpg --verify » would definitely be simpler,
more secure and more robust.
Or I am missing something in gpgv.

Write a script to do that. It is fairly simple; remember to use --status-fd. I
commonly use awk for such tasks.
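The script-based approach the last comment recommends, as an added example written for this page (it is not GnuPG's own code, nor the reporter's gist): a POSIX shell function that parses `gpg --status-fd` output with awk, counts the distinct allow-listed primary keys that produced a GOODSIG, and a wrapper around `gpg --verify` that fails unless at least N such signers are present. The fingerprints and status lines in SAMPLE_STATUS are constructed for the demonstration; the function names and the space-separated allow-list format are assumptions, not a GnuPG interface.

```shell
#!/bin/sh
# Count distinct, allow-listed signers in "gpg --status-fd" output read on stdin.
# $1 = space-separated list of allowed primary-key fingerprints (40 hex chars).
# Prints the number of distinct allowed primary keys that produced a GOODSIG.
count_trusted_signers() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[toupper(a[i])] = 1 }
        # Every signature result starts with one of these lines. Only GOODSIG is
        # acceptable: EXPKEYSIG and REVKEYSIG are still followed by a VALIDSIG
        # line, so a VALIDSIG-only check would accept expired or revoked keys.
        $1 == "[GNUPG:]" && ($2 == "GOODSIG" || $2 == "EXPSIG" || $2 == "EXPKEYSIG" ||
                             $2 == "REVKEYSIG" || $2 == "BADSIG" || $2 == "ERRSIG") {
            good = ($2 == "GOODSIG"); next
        }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # Field 3 may be a signing subkey; field 12 is the primary key
            # fingerprint, which is what identifies the developer. Old gpg
            # versions omit field 12, so fall back to field 3.
            fpr = (NF >= 12) ? toupper($12) : toupper($3)
            if (good && (fpr in ok)) seen[fpr] = 1
            good = 0
        }
        END { c = 0; for (f in seen) c++; print c }
    '
}

# Verify a detached signature file and require at least $3 distinct allowed signers.
# Usage: verify_signers FILE SIGFILE MIN_SIGNERS "FPR1 FPR2 FPR3"
verify_signers() {
    file=$1; sig=$2; min=$3; allowed=$4
    # Status lines go to stdout; gpg's human-readable messages stay on stderr.
    # The exit code is ignored on purpose: the decision is made from the status lines.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || true
    n=$(printf '%s\n' "$status" | count_trusted_signers "$allowed")
    if [ "$n" -ge "$min" ]; then
        echo "OK: $n distinct trusted signers"
        return 0
    fi
    echo "FAIL: only $n distinct trusted signers (need $min)" >&2
    return 1
}

# Constructed allow-list: three hypothetical developer primary-key fingerprints.
ALLOWED="0000000000000000000000001111111111111111 \
0000000000000000000000002222222222222222 \
0000000000000000000000003333333333333333"

# Constructed status output, as gpg --status-fd would emit for a file carrying
# five signatures: Dev One twice (once via a subkey), Dev Two with an expired key,
# Dev Three, and a key that is not on the allow-list.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Dev One <one@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000001111111111111111 2014-01-17 1389980000 0 4 0 1 10 01 0000000000000000000000001111111111111111
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Dev One <one@example.org>
[GNUPG:] VALIDSIG 000000000000000000000000AAAAAAAAAAAAAAAA 2014-01-17 1389980000 0 4 0 1 10 01 0000000000000000000000001111111111111111
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 2222222222222222 Dev Two <two@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000002222222222222222 2014-01-17 1389980000 0 4 0 1 10 01 0000000000000000000000002222222222222222
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 3333333333333333 Dev Three <three@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000003333333333333333 2014-01-17 1389980000 0 4 0 1 10 01 0000000000000000000000003333333333333333
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 4444444444444444 Somebody Else <four@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000004444444444444444 2014-01-17 1389980000 0 4 0 1 10 01 0000000000000000000000004444444444444444'

# Demo on the constructed data: Dev One counts once, Dev Two is expired,
# the unknown key is ignored, so only 2 trusted signers remain (< 3 required).
demo_count=$(printf '%s\n' "$SAMPLE_STATUS" | count_trusted_signers "$ALLOWED")
echo "distinct trusted signers in sample: $demo_count"
```

Two details matter for the "same dev multiple times" concern from the report: signatures are de-duplicated on the primary key fingerprint (field 12 of VALIDSIG), so a developer signing with two subkeys still counts as one signer, and only signatures announced by GOODSIG count, because gpg also prints VALIDSIG after EXPKEYSIG and REVKEYSIG. For a release the call would be `verify_signers bundle.tar.xz bundle.tar.xz.asc 3 "$ALLOWED"`, with the real fingerprints obtained out of band.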

marcus claimed this task.