"keyid-format none" ignored for --verify and other commands
Closed, Resolved; Public

Description

From gnupg/issue2820:

I wondered about how to use --verify and check that the
file was signed by the authority key (--verify only prints the keyid,
"--keyid-format none" does not allow --verify to print fingerprints in 2.1.15).

$ /opt/gnupg/bin/gpg --version
gpg (GnuPG) 2.1.15
...
$ echo foo > foo
$ /opt/gnupg/bin/gpg --detach-sign foo
...
$ /opt/gnupg/bin/gpg --keyid-format none --verify foo.sig
gpg: assuming signed data in 'foo'
gpg: Signature made Mon Nov 14 15:29:14 2016 CET
gpg: using RSA key FE78101DA517316D
gpg: Good signature from "user@example.com" [ultimate]

With --list-sigs and --search-keys only the long keyid is printed, too.
But with --list-sigs you can use --with-colons and with --search-keys you'd want
to check the imported keys anyway.
I haven't checked what other commands do.

Use case was https://github.com/firstlookmedia/gpgsync (or a non-gui equivalent)
where a signed file should only be accepted when it has been signed by a certain
authority key.

Details

Version
2.1.15

Event Timeline

When using a script you should not parse the human readable output.

gpg2 --status-fd 2 --verify /tmp/msg

[GNUPG:] VALIDSIG 94A5C9A03C2FE5CA3B095D8E1FDF723CF462B6B1 2016-11-14 1479138285 0 4 0 1 8 00 94A5C9A03C2FE5CA3B095D8E1FDF723CF462B6B1

See https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/DETAILS
for the meaning of these fields.

In gpg 2.1.16 the fingerprint is also used instead of the keyid if you do:

/opt/gnupg/bin/gpg --keyid-format none --verify foo.sig

Where do you take it from that keyid-format none should result in the full
fingerprint being shown?
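
The scripted check recommended above, as an added example that is not part of the original thread or of GnuPG's code: it reads the --status-fd lines instead of the human-readable output and accepts a file only when every VALIDSIG names the authority key's fingerprint. The function names, the strict reject policy and the use of --batch are choices of this example; SAMPLE is the status line quoted in the thread.

```python
import subprocess

PREFIX = "[GNUPG:] "
# Keywords for a bad, unverifiable or expired signature, or an expired or
# revoked key. Rejecting on any of them is this example's (strict) policy.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Status line quoted in the thread, used as offline sample input.
SAMPLE = ("[GNUPG:] VALIDSIG 94A5C9A03C2FE5CA3B095D8E1FDF723CF462B6B1 "
          "2016-11-14 1479138285 0 4 0 1 8 00 "
          "94A5C9A03C2FE5CA3B095D8E1FDF723CF462B6B1\n")


def valid_signers(status_text):
    """Return (signing_fpr, primary_fpr) per VALIDSIG; ValueError on REJECT."""
    signers = []
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue  # human-readable output is never parsed
        fields = line[len(PREFIX):].split()
        if fields and fields[0] in REJECT:
            raise ValueError("rejected: " + fields[0])
        if len(fields) >= 2 and fields[0] == "VALIDSIG":
            signing = fields[1].upper()
            # Field 10 is the primary key fingerprint when present; it
            # differs from field 1 when a signing subkey made the signature.
            primary = fields[10].upper() if len(fields) > 10 else signing
            signers.append((signing, primary))
    return signers


def signed_by(status_text, authority_fpr):
    """True only if all valid signatures come from the authority key."""
    want = authority_fpr.replace(" ", "").upper()
    try:
        signers = valid_signers(status_text)
    except ValueError:
        return False
    return bool(signers) and all(p == want for _, p in signers)


def verify_file(sig_path, data_path, authority_fpr, gpg="gpg"):
    """Run gpg with status lines on stdout (fd 1) and check the signer."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return proc.returncode == 0 and signed_by(proc.stdout, authority_fpr)
```

The authority fingerprint passed to verify_file should be pinned in the script's own configuration, not taken from the keyring or from the signed file.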

aheinecke removed werner as the assignee of this task.
aheinecke claimed this task.

OK, then this is just an issue for interactive usage, but still an issue.

thomas closed this task as Resolved.

ah, misread the 2.1.16 part, so yes, it seems to be fixed.

Where do you take it from that keyid-format none should result in the full
fingerprint being shown?

The man page:
"none" does not show the key ID at all but shows the fingerprint in a separate
line.