EFForg / cryptobot-email

GNU Affero General Public License v3.0

For a decrypted message, gpg prints whether it is signed to the terminal (not stdout/stderr), hence this info is not in gnupg Python module #15

dtauerbach closed 10 years ago

dtauerbach commented 11 years ago

gpg sucks. If you decrypt a signed message, it looks like the test message below, where all the lines prefixed with "gpg:" are printed directly to the terminal instead of to stdout or stderr. It seems the gnupg Python module doesn't handle this well, as the string representation omits those "gpg:" lines and importantly for us the lines at the bottom that indicate that the message was signed. So we'll need to file a bug against Isis or the version of the gnupg that we use to also include this information when decrypting.

dan@dan-T430:~/git/OpenPGPBot$ gpg --decrypt tmptest
gpg: encrypted with 4096-bit RSA key, ID 9B8814B4, created 2013-09-26
      "OpenPGP Bot bot@openpgpbot.eff.org"
gpg: encrypted with 4096-bit RSA key, ID 10FE2C2C, created 2013-09-10
      "OpenPGPBot Test Suite (insecure) invalid_and_insecure@openpgpbot.eff.org"
Content-Type: multipart/mixed; boundary="6TTIUvgnFDQhlwS6Ds9qqlEvGLQq83iRh"

--6TTIUvgnFDQhlwS6Ds9qqlEvGLQq83iRh
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

this message is encrypted and signed and uses pgp/mime

--=20
Dan Auerbach
Staff Technologist
Electronic Frontier Foundation
dan@eff.org
415 436 9333 x134

--6TTIUvgnFDQhlwS6Ds9qqlEvGLQq83iRh--
gpg: Signature made Wed 02 Oct 2013 02:45:49 PM PDT using RSA key ID 0D3E5387
gpg: Good signature from "OpenPGPBot Test Suite (insecure) invalid_and_insecure@openpgpbot.eff.org"

mfb commented 11 years ago

Have you looked at --logger-fd and --status-fd?

dtauerbach commented 11 years ago

Thanks! I hadn't seen those, though --status-fd looks useful in this case. Also --no-tty, --no-batch force the status data to get dumped to stderr. Annoyingly, we'll need to patch the gnupg module we're using... again. (This same issue came up before for --list-keys)
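
Added example, not part of the original thread or the cryptobot-email code: one way to take the signature result from the `--status-fd` output discussed above instead of the human-readable "gpg:" lines. The function names, the result dictionary and the sample status text (abbreviated, with made-up key IDs) are constructed for illustration.

```python
import subprocess

STATUS_PREFIX = "[GNUPG:] "
# Status keywords reporting the outcome of checking one signature.
SIG_KEYWORDS = {"GOODSIG", "BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed sample of stderr with --status-fd 2 (key IDs and names are made up).
SAMPLE_STATUS = """\
gpg: encrypted with 4096-bit RSA key, ID AAAAAAAA, created 2013-01-01
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] GOODSIG AAAABBBBCCCCDDDD Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2013-10-02 1380750349
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION
"""


def parse_status(status_text):
    """Summarise gpg status lines: decryption result and signature state."""
    result = {"decrypted": False, "sig_states": [], "signer": None, "fingerprint": None}
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # human-readable "gpg:" log line, not machine status
        keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
        if keyword == "DECRYPTION_OKAY":
            result["decrypted"] = True
        elif keyword in SIG_KEYWORDS:
            result["sig_states"].append(keyword)
            if keyword == "GOODSIG":  # args: "<key id> <user id>"
                result["signer"] = args.partition(" ")[2]
        elif keyword == "VALIDSIG":  # args start with the signing key fingerprint
            result["fingerprint"] = args.split(" ")[0]
    states = result["sig_states"]
    # Signed only if at least one signature was seen and every one verified.
    result["signed"] = (bool(states) and all(s == "GOODSIG" for s in states)
                        and result["fingerprint"] is not None)
    return result


def decrypt(ciphertext, gpg="gpg"):
    """Decrypt bytes with gpg; status goes to stderr, apart from the plaintext."""
    proc = subprocess.run(
        [gpg, "--batch", "--no-tty", "--status-fd", "2", "--decrypt"],
        input=ciphertext, capture_output=True)
    # Plaintext goes to stdout only, so message body text cannot appear
    # among the status lines parsed here.
    return proc.stdout, parse_status(proc.stderr.decode("utf-8", "replace"))
```

A message that decrypts but carries no signature yields `decrypted` true and `signed` false, which is the distinction the thread needs.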

micahflee commented 10 years ago

I'm also running into problems with the gnupg module trying to implement #3. The GPG.import_keys function doesn't work on my really long key. I've done some debugging and discovered it's because it ends up piping the key data in, and the pipe gets broken before it's done, so it fails.

I think that both this issue and the issue I'm having with #3 can't be solved without fixing bugs in the upstream gnupg module. So I'm going to attempt to remove the gnupg module altogether and instead write our own really simple one that only does what we need.

micahflee commented 10 years ago

@dtauerbach ok I have refactored everything to no longer rely on an external gnupg module. And the quick and dirty internal one I wrote is tested, and the tests all pass. Want to see if you can get this working again?

dtauerbach commented 10 years ago

I have to deal with Privacy Badger before leaving. The earliest I can get to this would be next week, probably Tuesday. I will put it on my todo list for then.

micahflee commented 10 years ago

Sounds good. Cryptobot is my top priority so I might get to it before you, but I'm going to focus on #3 for now.