
Add option to output the signed text with --verify
Closed, Resolved (Public)

Description

--output with --verify does not seem to create the signed data as documented in
the gpg man page (under --verify).

example:

sh -xc 'mkdir test_ver_out; cd test_ver_out ; echo test > test.txt ; gpg --clearsign test.txt ; ls; gpg --output test.out --verify test.txt.asc; ls; [ -f test.out ] && echo "YAY, it worked" || echo " error: no output"'
+ mkdir test_ver_out
+ cd test_ver_out
+ echo test
+ gpg --clearsign test.txt
+ ls
test.txt test.txt.asc
+ gpg --output test.out --verify test.txt.asc
gpg: Signature made Mon Jan 12 17:32:01 2015 MST using DSA key ID XXXXXXXX
gpg: Good signature from "Example <example@example.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
gpg: WARNING: not a detached signature; file 'test.txt' was NOT verified!
+ ls
test.txt test.txt.asc
+ [ -f test.out ]
+ echo '
error: no output'

  • error: no output

Shouldn't there be a test.out with the same contents as test.txt?

Details

Version
2.1.1 (at least)

Event Timeline

headsup added a project: Bug Report.
headsup added a subscriber: headsup.

This has never been the case and for backward compatibility we can't simply
change it.

We can add a new command or option to allow that. I changed the title and
category to reflect this.

werner renamed this task from --output with --verify doesn't emit signed data file to Add option to output the signed text with --verify. Jan 21 2015, 3:31 PM
werner removed a project: Bug Report.
werner added a project: Feature Request.
werner added a project: gnupg.

That's fine... or just make the wording in the man page more clear. Under
--verify, it talks about using --output with cleartext signed data. That seemed
to imply (to me) that --output is used _with_ --verify. I think it should be
clearer that --output is to be used _without_ --verify or that --output has no
effect when using --verify.

So this could be treated as just a documentation bug rather than create yet
another new option.

For what it's worth, I don't think backward compatibility is an important
concern here. If someone was using --output with --verify before, they likely
were under the impression that the combination worked when in reality the two
options together just weren't a valid combination. It seems unlikely that
anyone would depend on --output being ignored when used with --verify, and so
making the combination work now should not cause legitimate compatibility problems.

If the combination of --output with --verify is not made to work, there should
probably be a warning emitted (in addition to fixing the documentation).

In summary, it seems to me that viable options are at least the following:

  • make --output work with --verify (possibly bad for compatibility reasons in
    the rare use case of someone depending on current behavior of the currently
    invalid combination)
  • fix man page in the --verify section - specifically, clarify the text
    discussing using --output
  • add some new option
  • warn if an invalid combination of options exists (e.g., --verify with
    --current in the current implementation <= 2.1.1)

These are not necessarily exclusive choices.

I guess I would prefer to allow the combination to work or warn and fix the
docs. Not as keen to add yet another new option - there's already a lot.

I can work up a patch if we can settle on a direction.

This has been implemented in the repo to be released with 2.1.16.

werner claimed this task.
werner added a project: Unreleased.
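
The following wrapper is an added example, not code from this thread or from the GnuPG project. It assumes gpg 2.1.16 or later, where --output is honoured together with --verify as stated above, and hands the caller only the text gpg verified, and only when the signature comes from a pinned key. The function name verified_text and its argument order are made up for this example.

```shell
#!/bin/sh
# Added example, not GnuPG project code. Assumes gpg >= 2.1.16, where
# --output is honoured together with --verify (per the task above).

# usage: verified_text SIGNED.asc OUT FINGERPRINT
# Writes the signed text to OUT only if gpg reports a valid signature made
# by FINGERPRINT (full fingerprint of the signing key or its primary key).
verified_text() (
    signed=$1 dest=$2 want=$3
    dir=$(mktemp -d) || exit 2
    rc=0

    # Machine-readable status goes to fd 3; the human-readable text on
    # stderr is localized and not meant to be parsed.
    gpg --batch --status-fd 3 --output "$dir/text" --verify "$signed" \
        3>"$dir/status" 2>/dev/null || rc=$?

    # VALIDSIG carries the signing key's fingerprint in its first field and
    # the primary key's fingerprint in its last field.
    if [ "$rc" -eq 0 ] && [ -f "$dir/text" ] &&
       awk -v w="$want" '$1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
                         ($3 == w || $NF == w) { ok = 1 }
                         END { exit !ok }' "$dir/status"
    then
        # Publish only the bytes gpg verified, never the original input.
        mv -f "$dir/text" "$dest" || rc=2
    else
        # Bad signature, unexpected key, or a gpg that ignored --output.
        rc=1
    fi
    rm -rf "$dir"
    exit "$rc"
)
```

Pinning the fingerprint is what replaces the "not certified with a trusted signature" warning seen in the transcript above: the caller decides which key is acceptable instead of relying on the local trust database.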