
gpgsm --import --quiet is not quiet
Closed, Resolved (Public)

Description

I'm trying to quietly import a PKCS#12 object with an empty passphrase with gpgsm, but it produces quite a bit of noise on stderr, despite my providing the --quiet option:

$ gpgsm --pinentry-mode=loopback --passphrase-fd 4 4<<<'' --homedir=$(mktemp -d) --batch --quiet --import <test.p12
gpgsm: 992 bytes of 3DES encrypted text
gpgsm: processing certBag
gpgsm: issuer certificate (#/CN=Sample LAMPS Certificate Authority) not found
gpgsm: 872 bytes of 3DES encrypted text
gpgsm: processing certBag
gpgsm: 1224 bytes of 3DES encrypted text
gpgsm: DBG: keygrip= D3 E5 44 6E 1D 01 22 86 F3 97 4B F4 BB CD 56 19 4A 2B E5 FC
$ 

--quiet is apparently not doing the job it is supposed to do here.

I've attached the test.p12 file I'm working with if anyone wants to try to replicate.

Details

Version
2.2.17

Event Timeline

Other ways that gpgsm --quiet is not quiet:

$ gpgsm --homedir /home/dkg/tmp/tmp.9N2MLnakUz --disable-dirmngr --quiet --disable-crl-checks --disable-policy-checks --disable-ocsp --import bob.encrypt.crt
gpgsm: issuer certificate (#/CN=Sample LAMPS Certificate Authority) not found
$ 
$ echo test | gpgsm --homedir /home/dkg/tmp/tmp.9N2MLnakUz --disable-dirmngr --quiet --disable-crl-checks --disable-policy-checks --disable-ocsp --recipient '&3B9045B756394324AB9F2AFC73F72972A5E5E134' --encrypt > test.p7
gpgsm: encrypted data created
$ 
werner claimed this task.
werner added a subscriber: werner.

Done in 2.2 and 2.3. The issuer certificate thing is a real error message and thus it should be printed.

Thanks for the fixes, @werner!

If "issuer certificate (…) not found" is a real error message, it is pretty opaque to me. The only thing I asked for was an --import, not any sort of verification or validation of the certificate. What is the error? From my testing, it looks like gpgsm does actually import the certificate, and it returns 0 (typically meaning "success").

By comparison, importing an OpenPGP certificate (or "keyblock" if you prefer) into gpg with --quiet doesn't give me any warning messages, even if I import a certificate which is expired or otherwise unusable.

I'm re-opening this because I think the remaining message is a warning at worst, maybe even just informational, and I generally expect --quiet to suppress any informational or warning message, as long as the stated intent (--import) succeeds.

Okay, okay, I had in mind that we print them because we used to put such certificates into the ephemeral certificate storage because it is not possible to check the signature. But I realized that this changed quite some time ago and we can view these error messages as informative only. They are now no longer printed in quiet mode. Well, for 2.3 - not sure whether I should backport this to 2.2.