Key ID in pgpverify
Julien ÉLIE
julien at trigofacile.com
Sat Jan 16 22:12:11 UTC 2010
Hi all,
I'm trying to work on "Support a PGP key ID in control.ctl"
http://inn.eyrie.org/trac/ticket/75
and I thought about adding the -keyid flag to pgpverify, so as to modify
its output, returning a key ID instead of a user ID.
Then controlchan would either use "pgpverify" or "pgpverify -keyid",
depending on what follows "verify-" (an hex string).
22:55 news at trigo ~% pgpverify < sample.control
news.announce.newgroups
22:55 news at trigo ~% pgpverify -keyid < sample.control
C25D3AD3B88DA9C1
However, what do we do for PGP implementations that do not return
the key ID? I for instance see:
# MIT PGP 2.6.2 and PGP 6.5.2:
# Good signature from user "Russ Allbery <rra at stanford.edu>".
# ViaCrypt PGP 4.0:
# Good signature from user: Russ Allbery <rra at stanford.edu>
# PGP 5.0:
# Good signature made 1999-02-10 03:29 GMT by key:
# 1024 bits, Key ID 0AFC7476, Created 1999-02-10
# "Russ Allbery <rra at stanford.edu>"
Can't MIT PGP 2.6.2 return the key ID?
Can't PGP 5.0 return 8 bytes instead of 4 bytes for the key ID?
(F985E3400AFC7476 is normally the complete key ID in the sample)
Anyway, here is a beginning for a patch:
--- pgpverify.in (révision 8880)
+++ pgpverify.in (copie de travail)
@@ -196,16 +196,21 @@
use strict;
use vars qw($gpgv $pgp $keyring $tmp $tmpdir $lockdir $syslog_method
- $syslog_facility $syslog_level $log_date $test $messageid);
+ $syslog_facility $syslog_level $log_date $keyid $test $messageid);
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use FileHandle;
use IPC::Open3 qw(open3);
use POSIX qw(strftime);
-# Turn on test mode if the first argument is '-test'.
-if (@ARGV && $ARGV[0] eq '-test') {
+# Check the first argument passed to pgpverify. If it is '-keyid', the
+# output will be the hexadecimal key ID of the key that signed the message,
+# instead of the user ID. If it is '-test', turn on test mode.
+if (@ARGV && $ARGV[0] eq '-keyid') {
shift @ARGV;
+ $keyid = 1;
+} elsif (@ARGV && $ARGV[0] eq '-test') {
+ shift @ARGV;
$test = 1;
}
@@ -488,13 +493,15 @@
local $_;
local $/ = '';
my $signer;
+ my $signerkeyid;
my $ok = 255;
while (<$output>) {
print if $test;
if ($pgpstyle eq 'GPG') {
- if (/\[GNUPG:\]\s+GOODSIG\s+\S+\s+(\S+)/) {
+ if (/\[GNUPG:\]\s+GOODSIG\s+(\S+)\s+(\S+)/) {
$ok = 0;
- $signer = $1;
+ $signerkeyid = $1;
+ $signer = $2;
} elsif (/\[GNUPG:\]\s+NODATA/ || /\[GNUPG:\]\s+UNEXPECTED/) {
$ok = 1;
} elsif (/\[GNUPG:\]\s+NO_PUBKEY/) {
@@ -507,8 +514,9 @@
$signer = $+;
$ok = 0;
last;
- } elsif (/^Good signature made .* by key:\n.+\n\s+\"(.*)\"/m) {
- $signer = $1;
+ } elsif (/^Good signature made .* by key:\n.*Key ID ([A-F0-9]+).*\n\s+\"(.*)\"/m) {
+ $signerkeyid = $1;
+ $signer = $2;
$ok = 0;
last;
} elsif (/^\S+: Good signature from \"(.*)\"/m) {
@@ -525,7 +533,7 @@
waitpid ($pid, 0);
unlink ($filename, "$filename.asc");
umask $umask;
- return ($ok, $signer || '');
+ return ($ok, ($keyid ? $signerkeyid : $signer) || '');
}
# Log an error message, attempting syslog first based on $syslog_method
@@ -687,7 +695,7 @@
=head1 SYNOPSIS
-B<pgpverify> [B<-test>] < I<message>
+B<pgpverify> [B<-keyid>|B<-test>] < I<message>
=head1 DESCRIPTION
@@ -696,8 +704,9 @@
program (or some other program that produces a compatible format).
B<pgpverify> then uses a PGP implementation to determine who signed the
control message. If the control message has a valid signature,
-B<pgpverify> prints (to stdout) the user ID of the key that signed the
-message. Otherwise, it exits with a non-zero exit status.
+B<pgpverify> prints to stdout the user ID (or the hexadecimal key ID,
+if the B<-keyid> flag is used) of the key that signed the message.
+Otherwise, it exits with a non-zero exit status.
If B<pgpverify> is installed as part of INN, it uses INN's configuration
to determine what signature verification program to use, how to log
@@ -723,11 +732,17 @@
=head1 OPTIONS
+The B<-keyid> flag causes B<pgpverify> to print out the hexadecimal key
+ID of the key that signed the message, instead of the user ID.
+
The B<-test> flag causes B<pgpverify> to print out the input that it is
passing to PGP (which is a reconstructed version of the input that
supposedly created the control message) as well as the output from PGP's
analysis of the message.
+Note that only one of the B<-keyid> and B<-test> flags can be used at the
+same time.
+
=head1 EXIT STATUS
B<pgpverify> may exit with the following statuses:
I hope that sounds OK.
--
Julien ÉLIE
« La perfection est atteinte non pas lorsqu'il n'y a plus rien à ajouter,
mais lorsqu'il n'y a plus rien à retirer. » (Saint-Exupéry)
More information about the inn-workers
mailing list