--verify-files does not provide sufficient information
Closed, Resolved (Public)

Description

GnuPG provides an option "--verify-files" to iterate the "--verify" result over multiple files. The "--verify" command does not include the filename itself in the result, which does not present problems for a single invocation. The problem is that with "--verify-files" no additional information is provided, making the option useless in practice.

Steps to reproduce:

  1. Generate two files with signatures, file-1.txt.gpg and file-2.txt.gpg
  2. Randomly change one of the bits of one of the files.
  3. gpg --verify-files file-1.txt.gpg file-2.txt.gpg

gpg: Signature made Wed Jun 6 02:55:50 2018 CEST
gpg: using RSA key 0x<redacted>
gpg: Good signature from <redacted>
gpg: Signature made Wed Jun 6 02:56:16 2018 CEST
gpg: using RSA key 0x<redacted>
gpg: BAD signature from <redacted>

Current outcome:
As a user I do not know which of the files has a good and which has a bad signature. This is feasible to check by hand with 2 files, but infeasible with multiple.

Expected result:
Include the filename in the result so that I can tell which result belongs to which file.

Details

Version
gpg (GnuPG/MacGPG2) 2.2.8

Event Timeline

werner claimed this task.
werner added a subscriber: werner.

--verify-files is mostly useful for scripting and not for manual checking. With scripting etc. you always need to use --status-fd and with that you get:

$ gpg --verify-files --status-fd  2 x1.sig x2.sig
[GNUPG:] FILE_START 1 x1.sig
[GNUPG:] NEWSIG
gpg: Signature made Wed Aug 29 12:57:06 2018 CEST
gpg:                using RSA key 4E94E616EB4899CE5152EAF3DF0E412E43F69C85
[GNUPG:] KEY_CONSIDERED 4E94E616EB4899CE5152EAF3DF0E412E43F69C85 0
[GNUPG:] SIG_ID sn7RYmDe74LBNnoyPMODIlaj7M0 2018-08-29 1535540226
[GNUPG:] KEY_CONSIDERED 4E94E616EB4899CE5152EAF3DF0E412E43F69C85 0
[GNUPG:] GOODSIG DF0E412E43F69C85 foo@example.org
gpg: Good signature from "foo@example.org" [ultimate]
[GNUPG:] VALIDSIG 4E94E616EB4899CE5152EAF3DF0E412E43F69C85 2018-08-29 1535540226 0 4 0 1 8   00 4E94E616EB4899CE5152EAF3DF0E412E43F69C85
[GNUPG:] KEY_CONSIDERED 4E94E616EB4899CE5152EAF3DF0E412E43F69C85 0
[GNUPG:] TRUST_ULTIMATE 0 pgp
[GNUPG:] VERIFICATION_COMPLIANCE_MODE 23
[GNUPG:] FILE_DONE
[GNUPG:] FILE_START 1 x2.sig
[...]

Note the FILE_START tags. Adding information about the file in the human output may only lead to wrong usage attempts.
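
The scripted use described in the comment above, as an added example that is not part of the original thread or of GnuPG itself: it groups --status-fd lines between FILE_START and FILE_DONE and returns one verdict per file. The function name, the verdict labels and the x2.sig/x3.sig sample records are assumptions constructed for illustration.

```python
PREFIX = "[GNUPG:] "
# Status keywords after which a signature must not be accepted.
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed sample: the x1.sig lines follow the output quoted above; the
# x2.sig and x3.sig records are made up for illustration.
SAMPLE = """\
[GNUPG:] FILE_START 1 x1.sig
[GNUPG:] NEWSIG
gpg: Signature made Wed Aug 29 12:57:06 2018 CEST
[GNUPG:] GOODSIG DF0E412E43F69C85 foo@example.org
[GNUPG:] VALIDSIG 4E94E616EB4899CE5152EAF3DF0E412E43F69C85 2018-08-29 1535540226 0 4 0 1 8 00 4E94E616EB4899CE5152EAF3DF0E412E43F69C85
[GNUPG:] FILE_DONE
[GNUPG:] FILE_START 1 x2.sig
[GNUPG:] NEWSIG
[GNUPG:] BADSIG DF0E412E43F69C85 foo@example.org
[GNUPG:] FILE_DONE
[GNUPG:] FILE_START 1 x3.sig
[GNUPG:] FILE_DONE
"""

def verify_results(status_text):
    """Return {filename: (verdict, [fingerprints])} from --status-fd output."""
    files, current = {}, None
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue  # human-readable "gpg: ..." lines are never parsed
        keyword, _, rest = line[len(PREFIX):].partition(" ")
        if keyword == "FILE_START":
            # Arguments are "<what> <filename>"; keep the remainder as the name.
            name = rest.partition(" ")[2]
            current = files.setdefault(name, {"valid": [], "failed": False, "done": False})
        elif current is None:
            continue  # status line outside a FILE_START/FILE_DONE pair
        elif keyword == "VALIDSIG" and rest:
            current["valid"].append(rest.split()[0])  # first field: fingerprint
        elif keyword in FAILURES:
            current["failed"] = True
        elif keyword == "FILE_DONE":
            current["done"] = True
            current = None

    def verdict(f):
        if f["failed"]:
            return "bad"
        # "good" needs a VALIDSIG and a completed record; anything else is unverified.
        return "good" if f["done"] and f["valid"] else "unverified"
    return {n: (verdict(f), f["valid"]) for n, f in files.items()}
```

A "good" verdict only means a VALIDSIG line was seen for that file; the caller still has to compare the returned fingerprint against the key it expects.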