Page MenuHome GnuPG

gpgme: Explicitly tell gpg that we want to verify signed data
Testing, NormalPublic


Long ago gpg didn't output the signed data when it was told to verify signed data (with --verify). Therefore gpgme didn't pass the --verify command when verifying (clear) signed data, so that gpg had to guess what gpgme wants and, as a side-effect, gpg output the signed data.

Since 7+ years (GnuPG 2.1.16) the --verify command respects the --output option. Because gpgme passes the --output option to gpg when verifying (clear) signed data we can (for gpg 2.1.16+) explicitly ask gpg to --verify. This will also avoid the warning "no command supplied. Trying to guess what you mean ..." issued by gpg which ends up in the diagnostic/audit log.

There is a minor risk that this change breaks code that relies on the undocumented behavior of gpgme_op_verify to let gpg guess what to do with the "signed" data. I think breaking this undocumented behavior is acceptable.

Event Timeline

ikloecker triaged this task as Normal priority.
ikloecker added projects: Restricted Project, gpgme.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker moved this task from Backlog to WiP on the gpgme board.
ikloecker changed the task status from Open to Testing.Dec 22 2023, 2:31 PM

Done. I have verified with the test runner run-verifyopaquejob that verification still works and that the warning is gone.

This could be tested with Kleopatra by checking that the audit log/diagnostics don't contain the above warning when a signed file is verified.