Mailing List Archive: GnuPG: users

how to properly verify a signature from a program?

roundyd at physics

Nov 24, 2009, 9:16 AM

Post #1 of 3 (620 views)
how to properly verify a signature from a program?

Hi all,

I've been searching and searching, and have failed to find any
documentation or tutorial that indicates the proper way to verify a
signature from a program. The problem is that I want not to verify
that *anyone* signed a message, but rather to verify that *someone in
particular* signed it. And that doesn't seem to be in the gpg
interface, so far as I can find. If a human is doing the
verification, it's not so hard to first run verify, then read the
output that indicates *who* signed it, but I'd really prefer to avoid
trying to parse the output of gpg, as that seems to be a quick road to
insecurity and fragility.

So far as I can tell, the process for a detached signature is something like:

gpg --verify sigfile txtfile && echo signature passed

then look at the output (or stderr?) to find out who signed the file,
and compare with who was supposed to sign the file. It is this last
step that sounds problematic. Am I missing something?

I guess there is one other approach that I can see, which is to use a
process such as

gpg --export "User Name" > user-keyring
gpg --no-default-keyring --keyring user-keyring --verify sigfile txtfile

Is this what I should be doing?
--
David Roundy

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users


roam at ringlet

Nov 25, 2009, 3:44 AM

Post #2 of 3 (568 views)
Re: how to properly verify a signature from a program? [In reply to]

On Tue, Nov 24, 2009 at 12:16:29PM -0500, David Roundy wrote:
> Hi all,
>
> I've been searching and searching, and have failed to find any
> documentation or tutorial that indicates the proper way to verify a
> signature from a program. The problem is that I want not to verify
> that *anyone* signed a message, but rather to verify that *someone in
> particular* signed it.
[snip]
> So far as I can tell, the process for a detached signature is something like:
>
> gpg --verify sigfile txtfile && echo signature passed
>
> then look at the output (or stderr?) to find out who signed the file,
> and compare with who was supposed to sign the file. It is this last
> step that sounds problematic. Am I missing something?

That's pretty much what you should do, with just one addition:
add --status-fd=1 to the GnuPG command line. When you do that, gpg
will output something like the following to file descriptor 1 (stdout):

[GNUPG:] SIG_ID eLbkcOT0G/i0ugaTvtB5kkRMJc0 2009-11-25 1259148663
[GNUPG:] GOODSIG 651EEFB02527DF13 Peter Pentchev <roam [at] ringlet>
[GNUPG:] VALIDSIG 2EE7A7A517FC124CF115C354651EEFB02527DF13 2009-11-25 1259148663 0 4 0 1 10 01 2EE7A7A517FC124CF115C354651EEFB02527DF13
[GNUPG:] TRUST_ULTIMATE

Of course, the output *will* be different in your case, what with dates,
key IDs and such :) Also, of course you can use a different value for
the file descriptor (like 2 for stderr, but then this output will be
mixed with the rest of GnuPG's freeform messages), just make sure your
program can read what GnuPG writes to that fd :)

Hope that helps.

G'luck,
Peter

--
Peter Pentchev roam [at] ringlet roam [at] space roam [at] FreeBSD
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
I had to translate this sentence into English because I could not read the original Sanskrit.
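The check Peter describes, worked through as an added example (not code from the thread): run gpg with --status-fd pointed at stdout, parse only the machine-readable [GNUPG:] lines, and accept the file only when a GOODSIG/VALIDSIG pair names the fingerprint you expected. The sample status output below is constructed from the lines quoted above, the gpg invocation assumes the gpg binary is on PATH, and the multi-signature handling is simplified to "any failure line rejects".

```python
import re
import subprocess
from typing import List, Tuple

# Constructed sample of a --status-fd stream, modelled on the lines quoted
# in the post above; values are illustrative, not a real verification run.
SAMPLE_STATUS = """\
[GNUPG:] SIG_ID eLbkcOT0G/i0ugaTvtB5kkRMJc0 2009-11-25 1259148663
[GNUPG:] GOODSIG 651EEFB02527DF13 Peter Pentchev <roam [at] ringlet>
[GNUPG:] VALIDSIG 2EE7A7A517FC124CF115C354651EEFB02527DF13 2009-11-25 1259148663 0 4 0 1 10 01 2EE7A7A517FC124CF115C354651EEFB02527DF13
[GNUPG:] TRUST_ULTIMATE
"""

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

# Any of these means the data must not be accepted, whatever else was printed.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG",
                    "NODATA", "NO_PUBKEY"}


def gpg_status_for(sigfile: str, datafile: str) -> str:
    """Run gpg as in the post and return only the status stream (fd 1)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sigfile, datafile],
        capture_output=True, text=True)
    return proc.stdout  # freeform messages went to stderr and are ignored


def parse_status(text: str) -> List[Tuple[str, List[str]]]:
    """Return (keyword, args) for each [GNUPG:] line; other lines are dropped."""
    records = []
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            records.append((m.group(1), (m.group(2) or "").split()))
    return records


def signed_by(status_text: str, expected_fpr: str) -> bool:
    """True only if a good, valid signature was made by the expected key.

    The expected fingerprint may be the signing (sub)key's fingerprint or,
    when gpg reports it as the tenth VALIDSIG field, the primary key's.
    Spaces and case in expected_fpr are ignored so the 'Key fingerprint'
    line of a .sig block can be pasted in as-is.
    """
    want = expected_fpr.replace(" ", "").upper()
    records = parse_status(status_text)
    keywords = {kw for kw, _ in records}
    if keywords & FAILURE_KEYWORDS or "GOODSIG" not in keywords:
        return False
    for kw, args in records:
        if kw == "VALIDSIG" and args:
            fprs = {args[0].upper()}
            if len(args) >= 10:
                fprs.add(args[9].upper())  # primary key fingerprint
            if want in fprs:
                return True
    return False
```

Comparing the full fingerprint from VALIDSIG, rather than the user ID or 64-bit key ID from GOODSIG, is what ties the result to one particular key.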


roam at ringlet

Nov 25, 2009, 3:49 AM

Post #3 of 3 (565 views)
Re: how to properly verify a signature from a program? [In reply to]

On Wed, Nov 25, 2009 at 01:44:35PM +0200, Peter Pentchev wrote:
> On Tue, Nov 24, 2009 at 12:16:29PM -0500, David Roundy wrote:
> > Hi all,
> >
> > I've been searching and searching, and have failed to find any
> > documentation or tutorial that indicates the proper way to verify a
> > signature from a program. The problem is that I want not to verify
> > that *anyone* signed a message, but rather to verify that *someone in
> > particular* signed it.
> [snip]
> > So far as I can tell, the process for a detached signature is something like:
> >
> > gpg --verify sigfile txtfile && echo signature passed
> >
> > then look at the output (or stderr?) to find out who signed the file,
> > and compare with who was supposed to sign the file. It is this last
> > step that sounds problematic. Am I missing something?
>
> That's pretty much what you should do, with just one addition:
> add --status-fd=1 to the GnuPG command line.
[snip]

And then again, if you're writing in C, C++, or any language that can
invoke routines in a shared library described in a C header file, there
is also another way to do it - use the GPGME (GnuPG Made Easy) library.
It provides functions that will verify a signature and return a list of
signature structures, each of which will contain the fingerprint of
the signing key.

G'luck,
Peter

--
Peter Pentchev roam [at] ringlet roam [at] space roam [at] FreeBSD
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
"yields falsehood, when appended to its quotation." yields falsehood, when appended to its quotation.
