#1001331 gpg: Provide interface to inspect (detached) signatures

Package:
gpg
Source:
gnupg2
Description:
GNU Privacy Guard -- minimalist public key operations
Submitter:
Guillem Jover
Date:
2025-03-07 19:51:01 UTC
Severity:
wishlist
#1001331#5
Date:
2021-12-08 19:45:46 UTC
Hi!

With the latest debsig-verify I switched one of its gpg uses away from
«--list-packets» to «--with-colons --show-keys». But the remaining one
I cannot stop using as I do not know of a publicly supported interface
to inspect a (detached) signature to get its issuer fingerprint or
keyid.

Given that using «--list-packets» is very strongly discouraged from
other tools, it would be nice if there was a replacement for that use,
so that I can move away from it.

Thanks,
Guillem

#1001331#10
Date:
2021-12-13 21:58:22 UTC
Hi!

You can do this:

  gpg --verify --status-fd 1 x.asc /dev/null 2>/dev/null \
    | awk '$1=="[GNUPG:]" && $2=="BADSIG" { print $3}'

which greps for

[GNUPG:] BADSIG 19CC1C9E085B107A wk@gnupg.org

This shows the keyid but not the newer fingerprint.  Adding something
for the fingerprint would be easy, but it takes some time before it will
be widely enough deployed.


Salam-Shalom,

   Werner

#1001331#15
Date:
2021-12-15 03:27:02 UTC
Hi!

Hmm, this feels like a hack though, as I don't really want to verify
it at that point, only fetch metadata from it; it would be nice to have
the equivalent of --show-keys for signatures. But I guess it fulfills
the "officially supported interface" part. For debsig-verify at least
I would not mind at all requiring a recent enough GnuPG, as long as
I'd be able to use a nicer interface. :)

But, thanks, for now I think I could instead switch to do something
like:

  gpg --no-options --no-default-keyring --keyring /dev/null \
      --status-fd 1 --verify x.asc /dev/null 2>/dev/null \
    | awk '$1=="[GNUPG:]" && $2=="ERRSIG" \
           { if ($9 == "-") { print $3 } else { print $9 } }'

As that should be guaranteed regardless of keyring contents.

Thanks,
Guillem
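
The status-line approach from the message above, written out as an added example; it is not part of the thread and not debsig-verify's code. The function names `issuer_from_status` and `sig_issuer` and the sample status lines are constructed for illustration, and treating a missing ninth ERRSIG field like "-" is an assumption about gpg versions that emit no fingerprint field.

```shell
#!/bin/sh
# issuer_from_status: read "gpg --status-fd" output on stdin and print the
# issuer of every signature (fingerprint if present, else long keyid).
# Exits non-zero if no ERRSIG line was seen or an identifier is malformed,
# so a caller never acts on an empty or non-hex value.
issuer_from_status() {
    awk '
    # Accept only hex of keyid (16) or fingerprint (40 or 64) length.
    function ishex(s) {
        if (s !~ /^[0-9A-Fa-f]+$/) return 0
        return length(s) == 16 || length(s) == 40 || length(s) == 64
    }
    $1 != "[GNUPG:]" { next }          # ignore anything that is not a status line
    $2 == "ERRSIG" {
        # $3 = keyid, $9 = fingerprint or "-"; assumption: a line with fewer
        # than nine fields carries no fingerprint and is handled like "-".
        id = (NF >= 9 && $9 != "-") ? $9 : $3
        if (!ishex(id)) { bad = 1; next }
        print toupper(id)
        found = 1
    }
    END { exit ((bad || !found) ? 1 : 0) }
    '
}

# sig_issuer FILE: run the command from the message above against an empty
# keyring, so the result is always ERRSIG regardless of local keys.
sig_issuer() {
    gpg --no-options --no-default-keyring --keyring /dev/null \
        --status-fd 1 --verify -- "$1" /dev/null 2>/dev/null \
      | issuer_from_status
}

# Constructed sample status output (not from a real key or signature).
issuer_from_status <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1639000000 9 AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
EOF
```

A file carrying several signatures produces one ERRSIG line each, so the function prints one issuer per line; the caller decides whether more than one is acceptable.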

#1001331#20
Date:
2025-03-05 20:53:52 UTC
You might also be interested in the following Debian packages, which
offer different subcommands with generalized OpenPGP inspection:

  rpacket:   rpacket dump
  pgpdump:   pgpdump
  sq:        sq packet dump

hope this is useful,