+ recognise signatures made by subkeys as well as by primary keys
+ print out the relevant key which signed the file, even if it's
a subkey and not the primary key itself.
+ keep the same API as before
with many thanks to Jonathan Perkin
+ dump the huge output to /dev/null so that we can see what's
happening with the other tests in testit.sh
+ fix from jperkin@, don't try to be clever when selecting the only
key id in a keyring
+ add a test for single key (non-ssh) pubring
+ dump the huge output in testing script to /dev/null so that we can
see what's happening with the other tests in testit.sh
+ fix from jperkin@, don't try to be clever when selecting the only
key id in a keyring
+ add a test for single key (non-ssh) pubring
This version includes support for the '-c dump' command, which dumps
the contents of all PGP packets to stdout. Note that since we're
verifying, no private keys are involved.
Changes since 20141129:
+ bring over lint changes from src/crypto version of this utility
+ add a helper function to get an element from a cursor
+ added a small compile and test script, which uses BSD makefiles
+ change WARNS level in BSD Makefile from 6 to 5 - changes to make
WARNS=6 compile are way too intrusive and distracting to be useful
+ bump version to 20141204
+ Check the correct field in the struct is not NULL in sig_verify_dsa()
+ Move to using our own byte-swapping routines - portability
+ Check for errors in bzlib
+ Bump version number to 20140304
Switch over to using the zero-pre-requisite netpgpverify sources by
using reachover infrastructure to make sure we have one set of
sources.
This also brings with it the benefit of being able to use SSH
public keys, as well as PGP pub keys, when verifying signatures.
Extend the package building mechanism so that it can be built using
libtool (the default), or without libtool, depending on whether
"BOOTSTRAP" is defined at package build time.
Changes from previous version:
Add the ability for netpgpverify to verify ssh-pub-key-based signatures.
It is much more likely for ssh (rather than pgp) keys to be available,
and used, as a source of authentication data. These changes add the
ability for netpgpverify(1) -- the standalone, zero-prereq utility -
to verify signatures made by netpgp when using ssh keys.
Running the regression tests in WRKDIR gives the following output:
% mk -f *.bsd tst
./netpgpverify -k pubring.gpg NetBSD-6.0_RC1_hashes.asc
Good signature for NetBSD-6.0_RC1_hashes.asc made Thu Aug 23 11:47:50 2012
signature 4096/RSA (Encrypt or Sign) 064973ac4c4a706e 2009-06-23
fingerprint ddee 2bdb 9c98 a0d1 d4fb dbf7 0649 73ac 4c4a 706e
uid NetBSD Security Officer <security-officer@NetBSD.org>
./netpgpverify -k pubring.gpg NetBSD-6.0_RC1_hashes.gpg
Good signature for NetBSD-6.0_RC1_hashes.gpg made Thu Mar 14 13:32:59 2013
signature 4096/RSA (Encrypt or Sign) 064973ac4c4a706e 2009-06-23
fingerprint ddee 2bdb 9c98 a0d1 d4fb dbf7 0649 73ac 4c4a 706e
uid NetBSD Security Officer <security-officer@NetBSD.org>
./netpgpverify -v
netpgpverify portable 20140202
./netpgpverify -S sshtest-20140202.pub data.gpg
Good signature for data.gpg made Mon Feb 3 17:54:21 2014
signature 4096/RSA (Encrypt or Sign) 4d129225945bbb8f 1970-01-01
fingerprint 874b 75de d6a3 341f 2d5a 2219 4d12 9225 945b bb8f
uid netbsd-001.cupertino.alistaircrooks.com (sshtest-20140202.pub) <agc@netbsd-001.cupertino.alistaircrooks.com>
./netpgpverify -S sshtest-20140202.pub data.sig
Good signature for data.sig made Sun Feb 2 21:45:05 2014
signature 4096/RSA (Encrypt or Sign) 4d129225945bbb8f 1970-01-01
fingerprint 874b 75de d6a3 341f 2d5a 2219 4d12 9225 945b bb8f
uid netbsd-001.cupertino.alistaircrooks.com (sshtest-20140202.pub) <agc@netbsd-001.cupertino.alistaircrooks.com>
expected failure, to check bad signatures fail to verify
sed -e 's|A|B|' data.gpg | ./netpgpverify -S sshtest-20140202.pub
Signature did not match contents -- Signature on data did not match
*** Error code 1 (ignored)
%
A new HOWTO file is provided in the sources (files/HOWTO) to show how
to sign data using ssh keys and netpgp(1).
Fix a call to mp_radix_size to use a pointer to the BIGNUM, not the
address of the pointer, when accessing. Fixes a problem observed in
other software when using the same code. The problem was obscured
from the compiler because of the use of __UNCONST(). This makes the
BN_dec2bn() and BN_hex2bn() functions (in libnetpgpverify) work
properly.
OK: wiz
Change from previous version:
+ don't assume that output of a "cat" command (where output is sent to
stdout if the signature is verified) is able to be written with stdio.
latest 20130316 sources.
Changes since previous version:
+ this version is completely standalone, and relies on no external
libraries (other than libc)
+ updated man page to reflect reality
+ minor configure script added
netpgpverify is a standalone program to verify a PGP signature
on a file or document. Both RSA and DSA signatures are supported,
as are binary and document signatures.
netpgpverify is compliant with RFC 4880.
netpgpverify is a small frontend for libnetpgpverify, to allow PGP digital
signatures to be verified from the command line.
