
pgp --verify verifies an encrypted file (which is not signed).

Created: 14 May 2013 • Updated: 28 May 2013 | 7 comments
This issue has been solved.

Hi,

For an encrypted file, if I run the verify command, it returns the success. Please note, the file is not signed.

Scenario -

Creating the encrypted file.

pgp --encrypt abc.txt --recipient <The owner of public key in your key ring/ to whom you want to send the encrypted file>

(here recipient's pub ring is already imported and signed by private key).

Verification of the file

on the other side, once the file is received by the recipient, this file can be verified, with below command.

pgp --verify abc.txt.pgp --passphrase <passphrase>

This verifies successfully although this file is not signed.

Please advise on the below:

1. Is anything missing here to avoid the encrypted file getting verified successfully?

2. The basic requirement is: if the file is not signed, verification should fail.

3. Is it that, while encrypting, pgp is also adding a signature (of a kind) on the encrypted file which is then checked during verification? If yes, how to avoid the files getting a signature on them.


Thanks & Regards

Abhijit


abhijit pande:

Just to add to it, the command line returns exitcode=0, which is then caught in the Java code and treated as success.

Expectation was: it would give a non-zero exit code if the file was not signed and verification is run.


dfinkelstein:

I understand your expectation.  This is the current behavior, and we may change it in a future release.

For now, the best solution I can offer is to parse the output of "pgp --verify" and look for output indicating that the message was signed.  In the output you will find

3038:signing key <information about the key>

if the key is available in your keyring, or

3039:signing key <KeyID>

if the key is not available.

Regards,


--------

David Finkelstein

Symantec R&D

abhijit pande:

Thanks David for the prompt reply; this will help us in the case when we try to verify and the key is not present.

Imagine the public key (of the sender) is present in the key ring and the sender sends an encrypted file which is not signed, with the expectation that it is signed. We verify it, and it gives us exitCode=0, i.e. success, which we catch in the Java code (the output/err stream of the ProcessBuilder class).

Is there any way to identify if the file is signed only, encrypted only, or both?


Thanks in advance for your help.


dfinkelstein:

Yes, if you have the signer's key in your keyring and run "pgp --verify [file name] --passphrase [your passphrase]" you'll see the following information printed for a file that was signed:


[file name]:verify (3177:message signed by key ID [Key ID of Signer])
[file name]:verify (3038:signing key [Key ID of Signer] [User ID of Signer])
[file name]:verify (3040:signature created 2013-05-17T12:41:10-07:00)
[file name]:verify (3170:signature hash SHA-256)
[file name]:verify (3035:good signature)

None of this information about the signature will be present if the file is not signed.  The numerical identifiers (3177, 3038, 3040, 3170, 3035) effectively identify the "status code" of parsing the file information.

If you don't have the signing key available, you won't see code 3038; instead you will see 3039.

Regards,


--------

David Finkelstein

Symantec R&D

abhijit pande:

Thanks David, this helped us.

=================

1 more question.

If a file (signed by someone else) needs to be verified at our end and my key ring has multiple public keys (say 10-15 public keys or even more):

Can I mention which specific public key is to be used while verifying? (Although it is not required, and PGP understands on its own, still, to be specific, I want to understand.)

Generally the command is:

pgp --verify <FileName>.txt.pgp --passphrase <passphrase>

Here, can we not have something like the below?

pgp --verify <FileName>.txt.pgp --passphrase <passphrase> --<key_to_used> <KEY_NAME>

Thanks in advance

Abhijit

dfinkelstein:

There isn't a way to do that exactly.  What you can do is look for status code 3177 and get the key ID used to do the signature and make sure that is the key you expect.


--------

David Finkelstein

Symantec R&D
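Putting David's two answers together (parse the status codes instead of trusting the exit code, then compare the key ID in code 3177 against the key you expect), here is an added example that is not from the thread or from Symantec. It is written in Python rather than the Java/ProcessBuilder setup mentioned above; the logic carries over unchanged. The sample outputs are constructed from the line format David showed, and the key IDs and user ID are placeholders.

```python
import re

# Constructed sample outputs (not from the thread), following the line format
# shown above: "<file>:verify (<code>:<message>)". Key IDs and the user ID are
# placeholders, not real keys.
SIGNED_KEY_KNOWN = """\
abc.txt.pgp:verify (3177:message signed by key ID 0xDEADBEEF)
abc.txt.pgp:verify (3038:signing key 0xDEADBEEF Example Sender <sender@example.com>)
abc.txt.pgp:verify (3040:signature created 2013-05-17T12:41:10-07:00)
abc.txt.pgp:verify (3170:signature hash SHA-256)
abc.txt.pgp:verify (3035:good signature)
"""
SIGNED_KEY_UNKNOWN = """\
abc.txt.pgp:verify (3177:message signed by key ID 0xDEADBEEF)
abc.txt.pgp:verify (3039:signing key 0xDEADBEEF)
"""
# Encrypted-only file: none of the signature status lines appear, although
# the command still exits 0 (the problem described in the question).
ENCRYPTED_ONLY = ""

STATUS_RE = re.compile(r"^(?P<file>[^:]+):verify \((?P<code>\d+):(?P<msg>.*)\)$")


def parse_verify_output(text):
    """Return {status_code: message} for every '<file>:verify (code:msg)' line."""
    codes = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            codes[int(m.group("code"))] = m.group("msg")
    return codes


def check_signature(text, expected_key_id):
    """Return (ok, reason); the exit code is 0 even for encrypted-only files."""
    codes = parse_verify_output(text)
    if 3177 not in codes:              # no "message signed by key ID" line
        return False, "not signed"
    m = re.search(r"key ID (\S+)", codes[3177])
    if not m:
        return False, "could not parse signer key ID"
    signer = m.group(1)
    if 3039 in codes or 3038 not in codes:   # signer's key not in our keyring
        return False, f"signing key {signer} not in keyring"
    if signer.lower() != expected_key_id.lower():
        return False, f"signed by unexpected key {signer}"
    if 3035 not in codes:              # signature present but not reported good
        return False, "signature not good"
    return True, f"good signature from {signer}"
```

Run `check_signature` on the captured stdout of `pgp --verify` and treat anything other than `ok == True` as a failure, regardless of the process exit code.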