Page MenuHome GnuPG
Create Task
Maniphest T6907

gpgme: Explicitly tell gpg that we want to verify signed data
Testing, NormalPublic
Actions

Description

Long ago gpg didn't output the signed data when it was told to verify signed data (with --verify). Therefore gpgme didn't pass the --verify command when verifying (clear) signed data, so that gpg had to guess what gpgme wants and, as a side-effect, gpg output the signed data.

Since 7+ years (GnuPG 2.1.16) the --verify command respects the --output option. Because gpgme passes the --output option to gpg when verifying (clear) signed data we can (for gpg 2.1.16+) explicitly ask gpg to --verify. This will also avoid the warning "no command supplied. Trying to guess what you mean ..." issued by gpg which ends up in the diagnostic/audit log.

There is a minor risk that this change breaks code that relies on the undocumented behavior of gpgme_op_verify to let gpg guess what to do with the "signed" data. I think breaking this undocumented behavior is acceptable.

Revisions and Commits

rM GPGME
rM1dc44b7c5b92 core: Tell gpg that we want to verify signed data

Event Timeline

ikloecker created this task.Dec 22 2023, 10:28 AM
ikloecker updated the task description. (Show Details)Dec 22 2023, 10:32 AM
werner added a subscriber: werner.Dec 22 2023, 1:59 PM

I fully agree.

ikloecker claimed this task.Dec 22 2023, 2:25 PM
ikloecker triaged this task as Normal priority.
ikloecker added projects: Restricted Project, gpgme.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker moved this task from Backlog to WiP on the gpgme board.
ikloecker added a commit: rM1dc44b7c5b92: core: Tell gpg that we want to verify signed data.Dec 22 2023, 2:26 PM
ikloecker changed the task status from Open to Testing.Dec 22 2023, 2:31 PM

Done. I have verified with the test runner run-verifyopaquejob that verification still works and that the warning is gone.

This could be tested with Kleopatra by checking that the audit log/diagnostics don't contain the above warning when a signed file is verified.