Key ID in pgpverify

Julien ÉLIE julien at trigofacile.com
Sat Jan 16 22:12:11 UTC 2010


Hi all,

I'm trying to work on "Support a PGP key ID in control.ctl"
    http://inn.eyrie.org/trac/ticket/75

and I thought about adding the -keyid flag to pgpverify, so as to modify
its output, returning a key ID instead of a user ID.
Then controlchan would either use "pgpverify" or "pgpverify -keyid",
depending on what follows "verify-" (an hex string).

22:55 news at trigo ~% pgpverify < sample.control
news.announce.newgroups

22:55 news at trigo ~% pgpverify -keyid < sample.control
C25D3AD3B88DA9C1



However, what do we do for PGP implementations that do not return
the key ID?  I for instance see:

  # MIT PGP 2.6.2 and PGP 6.5.2:
  #   Good signature from user "Russ Allbery <rra at stanford.edu>".
  # ViaCrypt PGP 4.0:
  #   Good signature from user:  Russ Allbery <rra at stanford.edu>
  # PGP 5.0:
  #   Good signature made 1999-02-10 03:29 GMT by key:
  #     1024 bits, Key ID 0AFC7476, Created 1999-02-10
  #      "Russ Allbery <rra at stanford.edu>"

Can't MIT PGP 2.6.2 return the key ID?
Can't PGP 5.0 return 8 bytes instead of 4 bytes for the key ID?
(F985E3400AFC7476 is normally the complete key ID in the sample)



Anyway, here is a beginning for a patch:

--- pgpverify.in        (révision 8880)
+++ pgpverify.in        (copie de travail)
@@ -196,16 +196,21 @@

 use strict;
 use vars qw($gpgv $pgp $keyring $tmp $tmpdir $lockdir $syslog_method
-            $syslog_facility $syslog_level $log_date $test $messageid);
+            $syslog_facility $syslog_level $log_date $keyid $test $messageid);

 use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
 use FileHandle;
 use IPC::Open3 qw(open3);
 use POSIX qw(strftime);

-# Turn on test mode if the first argument is '-test'.
-if (@ARGV && $ARGV[0] eq '-test') {
+# Check the first argument passed to pgpverify.  If it is '-keyid', the
+# output will be the hexadecimal key ID of the key that signed the message,
+# instead of the user ID.  If it is '-test', turn on test mode.
+if (@ARGV && $ARGV[0] eq '-keyid') {
   shift @ARGV;
+  $keyid = 1;
+} elsif (@ARGV && $ARGV[0] eq '-test') {
+  shift @ARGV;
   $test = 1;
 }

@@ -488,13 +493,15 @@
   local $_;
   local $/ = '';
   my $signer;
+  my $signerkeyid;
   my $ok = 255;
   while (<$output>) {
     print if $test;
     if ($pgpstyle eq 'GPG') {
-      if (/\[GNUPG:\]\s+GOODSIG\s+\S+\s+(\S+)/) {
+      if (/\[GNUPG:\]\s+GOODSIG\s+(\S+)\s+(\S+)/) {
         $ok = 0;
-        $signer = $1;
+        $signerkeyid = $1;
+        $signer = $2;
       } elsif (/\[GNUPG:\]\s+NODATA/ || /\[GNUPG:\]\s+UNEXPECTED/) {
         $ok = 1;
       } elsif (/\[GNUPG:\]\s+NO_PUBKEY/) {
@@ -507,8 +514,9 @@
         $signer = $+;
         $ok = 0;
         last;
-      } elsif (/^Good signature made .* by key:\n.+\n\s+\"(.*)\"/m) {
-        $signer = $1;
+      } elsif (/^Good signature made .* by key:\n.*Key ID ([A-F0-9]+).*\n\s+\"(.*)\"/m) {
+        $signerkeyid = $1;
+        $signer = $2;
         $ok = 0;
         last;
       } elsif (/^\S+: Good signature from \"(.*)\"/m) {
@@ -525,7 +533,7 @@
   waitpid ($pid, 0);
   unlink ($filename, "$filename.asc");
   umask $umask;
-  return ($ok, $signer || '');
+  return ($ok, ($keyid ? $signerkeyid : $signer) || '');
 }

 # Log an error message, attempting syslog first based on $syslog_method
@@ -687,7 +695,7 @@

 =head1 SYNOPSIS

-B<pgpverify> [B<-test>] < I<message>
+B<pgpverify> [B<-keyid>|B<-test>] < I<message>

 =head1 DESCRIPTION

@@ -696,8 +704,9 @@
 program (or some other program that produces a compatible format).
 B<pgpverify> then uses a PGP implementation to determine who signed the
 control message.  If the control message has a valid signature,
-B<pgpverify> prints (to stdout) the user ID of the key that signed the
-message.  Otherwise, it exits with a non-zero exit status.
+B<pgpverify> prints to stdout the user ID (or the hexadecimal key ID,
+if the B<-keyid> flag is used) of the key that signed the message.
+Otherwise, it exits with a non-zero exit status.

 If B<pgpverify> is installed as part of INN, it uses INN's configuration
 to determine what signature verification program to use, how to log
@@ -723,11 +732,17 @@

 =head1 OPTIONS

+The B<-keyid> flag causes B<pgpverify> to print out the hexadecimal key
+ID of the key that signed the message, instead of the user ID.
+
 The B<-test> flag causes B<pgpverify> to print out the input that it is
 passing to PGP (which is a reconstructed version of the input that
 supposedly created the control message) as well as the output from PGP's
 analysis of the message.

+Note that only one of the B<-keyid> and B<-test> flags can be used at the
+same time.
+
 =head1 EXIT STATUS

 B<pgpverify> may exit with the following statuses:




I hope that sounds OK.

-- 
Julien ÉLIE

« La perfection est atteinte non pas lorsqu'il n'y a plus rien à ajouter,
  mais lorsqu'il n'y a plus rien à retirer. » (Saint-Exupéry) 




More information about the inn-workers mailing list