Skip to content

Update gpg.txt to correct gpg --verify syntax #285

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

Update gpg.txt to correct gpg --verify syntax #285

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion Documentation/config/gpg.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ gpg.program::
Use this custom program instead of "`gpg`" found on `$PATH` when
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On the Git mailing list, Junio C Hamano wrote (reply to this):

"Robert Morgan via GitGitGadget" <[email protected]> writes:

> diff --git a/Documentation/config/gpg.txt b/Documentation/config/gpg.txt
> index f999f8ea49..cce2c89245 100644
> --- a/Documentation/config/gpg.txt
> +++ b/Documentation/config/gpg.txt
> @@ -2,7 +2,7 @@ gpg.program::
>  	Use this custom program instead of "`gpg`" found on `$PATH` when
>  	making or verifying a PGP signature. The program must support the
>  	same command-line interface as GPG, namely, to verify a detached
> -	signature, "`gpg --verify $file - <$signature`" is run, and the
> +	signature, "`gpg --verify $signature - <$file`" is run, and the
>  	program is expected to signal a good signature by exiting with
>  	code 0, and to generate an ASCII-armored detached signature, the
>  	standard input of "`gpg -bsau $key`" is fed with the contents to be

Wow.  Good find.

gpg-interface.c::verify_signed_buffer() takes a detached signature
in core, writes it to a temporary file and runs 

    gpg --status-fd=1 --verify $the_temporary_file

and the payload that is supposed to match the given signature is fed
via the standard input, so the above documentation is the only thing
that needs fixing, which is good ;-)

Thanks.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On the Git mailing list, Robert Morgan wrote (reply to this):

Thanks Junio.

I was looking at 'smimesign' and working to understand how, when set
within 'gpg.program', it conformed with gpg's usage within git
sign,verify etc.  I happened to look at the docs for the 'gpg.program'
config variable and noticed the discrepancy.

Thanks again,
Robert

On Fri, Jul 12, 2019 at 11:47 AM Junio C Hamano <[email protected]> wrote:
>
> "Robert Morgan via GitGitGadget" <[email protected]> writes:
>
> > diff --git a/Documentation/config/gpg.txt b/Documentation/config/gpg.txt
> > index f999f8ea49..cce2c89245 100644
> > --- a/Documentation/config/gpg.txt
> > +++ b/Documentation/config/gpg.txt
> > @@ -2,7 +2,7 @@ gpg.program::
> >       Use this custom program instead of "`gpg`" found on `$PATH` when
> >       making or verifying a PGP signature. The program must support the
> >       same command-line interface as GPG, namely, to verify a detached
> > -     signature, "`gpg --verify $file - <$signature`" is run, and the
> > +     signature, "`gpg --verify $signature - <$file`" is run, and the
> >       program is expected to signal a good signature by exiting with
> >       code 0, and to generate an ASCII-armored detached signature, the
> >       standard input of "`gpg -bsau $key`" is fed with the contents to be
>
> Wow.  Good find.
>
> gpg-interface.c::verify_signed_buffer() takes a detached signature
> in core, writes it to a temporary file and runs
>
>     gpg --status-fd=1 --verify $the_temporary_file
>
> and the payload that is supposed to match the given signature is fed
> via the standard input, so the above documentation is the only thing
> that needs fixing, which is good ;-)
>
> Thanks.
>
>
>

making or verifying a PGP signature. The program must support the
same command-line interface as GPG, namely, to verify a detached
signature, "`gpg --verify $file - <$signature`" is run, and the
signature, "`gpg --verify $signature - <$file`" is run, and the
program is expected to signal a good signature by exiting with
code 0, and to generate an ASCII-armored detached signature, the
standard input of "`gpg -bsau $key`" is fed with the contents to be
Expand Down