verify signature in GPG
SB
2010-07-28 20:16:44 UTC
Hi all,

I am working on a project to move encryption functionality from using
PGP 6.5.8 to GPG 1.4.10.

There is a requirement in our system that we check if there was a
signature on an encrypted message.
I need to give the user capability to accept or reject the message
depending on whether
1. there was no sign
2. there was a sign, but it cannot be validated due to its corresponding
public key not being present
3. there was a sign, it was verified and it was bad.

In my case if the message is going to be signed, it is always going to
be signed+encrypted. So there is not going to be a detached signature
file for me to verify.

So I tried using --verify option on a signed+encrypted message, but it
does not work.
(gpg.exe --verify EncryptedData.gpg)
it gives the exception
gpg: verify signatures failed: unexpected data.

But I am able to correctly decrypt the message. I need to know if
there is a valid sign on the message before decrypting, since the
messages are very big and that would save a lot of processing time.

Thanks for your help
TomT
2010-07-29 20:00:36 UTC
Post by SB
But I am able to correctly decrypt the message. I need to know if
there is a valid sign on the message before decrypting, since the
messages are very big and that would save a lot of processing time.
I may be missing something here, but since the correct procedure is to
sign and then encrypt, I don't see a way out of your problem.

TomT
Steve Crook
2010-07-30 08:26:36 UTC
On Wed, 28 Jul 2010 13:16:44 -0700 (PDT), SB wrote in
Post by SB
In my case if the message is going to be signed, it is always going to
be signed+encrypted. So there is not going to be a detached signature
file for me to verify.
Can you get the sender to encrypt the message and then sign it, either
inline or detached? If the encrypt + sign operations are done in a
single step, you can't verify until you decrypt.
SB
2010-07-30 13:07:13 UTC
Post by Steve Crook
On Wed, 28 Jul 2010 13:16:44 -0700 (PDT), SB wrote in
Post by SB
In my case if the message is going to be signed, it is always going to
be signed+encrypted. So there is not going to be a detached signature
file for me to verify.
Can you get the sender to encrypt the message and then sign it, either
inline or detached?  If the encrypt + sign operations are done in a
single step, you can't verify until you decrypt.
Thanks for the idea Steve. I am going to try that next. Also,
detached signatures are not an option, since it will require changes to
the UI to specify a separate sign file.

I am calling the gpg encrypt/decrypt commands from a batch file and am
using the --batch --yes option for a non user interactive mode.
Therefore it is necessary for me to get the error code that gpg
returns and bubble it up to my application. Based on the error code I
can log an appropriate failure message into the logfile.

I actually don't mind if gpg verifies the signature after decrypting,
but the problem is that it only gives an output error code of 2 for any
kind of failure.

I am still testing different cases and checking to see if it can
return other values of error codes for different errors but till now
no success.
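Added example, not code from any poster in this thread: the decrypt-then-verify route Steve and SB discuss can still yield the three outcomes SB wants if the wrapper reads GnuPG's machine-readable status lines (--status-fd) instead of the bare exit code and maps them to its own return values. The gpg command line in the comment and the sample status lines are assumed/constructed, not captured from a real run.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread. A batch wrapper can
# tell the cases apart after decryption by reading GnuPG's machine-readable
# status lines (--status-fd) rather than relying on the exit code.
# Assumed real invocation (not run here; status lines go to fd 3):
#   gpg --batch --yes --status-fd 3 --output msg.txt --decrypt msg.gpg 3>status.txt
# Then:  classify_status < status.txt

status_has() {  # true if the captured status output contains the token
    printf '%s\n' "$status_lines" | grep -q "^\[GNUPG:\] $1"
}

# Reads status lines on stdin, prints a label and returns a distinct code:
#   0 good_signature  1 no_signature  2 unverifiable_signature
#   3 bad_signature   4 decrypt_failed
classify_status() {
    status_lines=$(cat)
    if ! status_has 'DECRYPTION_OKAY'; then echo decrypt_failed; return 4; fi
    # A bad signature anywhere on the message wins over a good one.
    if status_has 'BADSIG '; then echo bad_signature; return 3; fi
    # ERRSIG: a signature is present but could not be checked; NO_PUBKEY
    # names the usual reason (signer's public key not in the keyring).
    if status_has 'ERRSIG ' || status_has 'NO_PUBKEY '; then
        echo unverifiable_signature; return 2
    fi
    # GOODSIG only means cryptographically correct; key trust is reported
    # separately in TRUST_* lines and is deliberately not folded in here.
    if status_has 'GOODSIG '; then echo good_signature; return 0; fi
    echo no_signature; return 1
}

# Constructed sample status output (key ID and user ID are made up).
sample_status() {
    case $1 in
    good)  printf '%s\n' '[GNUPG:] GOODSIG 0123456789ABCDEF Test User <test@example.invalid>' \
                         '[GNUPG:] DECRYPTION_OKAY' '[GNUPG:] END_DECRYPTION' ;;
    bad)   printf '%s\n' '[GNUPG:] BADSIG 0123456789ABCDEF Test User <test@example.invalid>' \
                         '[GNUPG:] DECRYPTION_OKAY' '[GNUPG:] END_DECRYPTION' ;;
    nokey) printf '%s\n' '[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1280347004 9' \
                         '[GNUPG:] NO_PUBKEY 0123456789ABCDEF' \
                         '[GNUPG:] DECRYPTION_OKAY' '[GNUPG:] END_DECRYPTION' ;;
    unsigned) printf '%s\n' '[GNUPG:] BEGIN_DECRYPTION' '[GNUPG:] DECRYPTION_OKAY' \
                            '[GNUPG:] END_DECRYPTION' ;;
    *)     printf '%s\n' '[GNUPG:] BEGIN_DECRYPTION' '[GNUPG:] DECRYPTION_FAILED' ;;
    esac
}

# Demo: run every constructed sample through the classifier.
for c in good bad nokey unsigned failed; do
    printf '%-9s -> %s\n' "$c" "$(sample_status "$c" | classify_status)"
done
```

The wrapper's own return value (0 to 4) is what the calling batch file would log, so the single exit code 2 from gpg itself no longer matters.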
