Open kentonv opened 9 years ago
You can have a PGP MESSAGE block that includes the plaintext. In this shell transcript to demonstrate the issue, I've signed the text "I am the coolest". (This isn't a GPG key that's on keybase, but that's orthogonal to the issue.)

gpg decrypt successfully verifies it & prints the plaintext. keybase decrypt aborts because on this machine I don't have my private key in the shell account that I run keybase from.

$ cat <<EOF > /tmp/wowee.txt
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1

[...]
=vv5u
-----END PGP MESSAGE-----
EOF
$ gpg --decrypt < wowee.txt
I am the coolest
gpg: Signature made Wed 23 Sep 2015 06:29:27 PM PDT using RSA key ID 60AF6785
gpg: Good signature from "Asheesh Laroia (passwords) <asheesh@asheesh.org>"
$ keybase decrypt /tmp/wowee.txt
error: can't perform secret-key action without a secret key

If I pass a non-detached, non-clearsign signature to keybase verify, it checks the signature for me but does not tell me the content.

It appears that Keybase inherits GPG's tradition of calling this operation "decrypt", even though the content is not actually encrypted. The keybase decrypt command does what I want. Unfortunately, though, this command refuses to operate if my private key is not present, even though my private key should not be needed to verify a signature. It's also unintuitive to use "decrypt" for this -- every time I tell someone to use it for signature verification, they get confused and ask me if I meant "verify". Therefore it seems best for keybase verify to print the content, or provide a switch to print it.
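
The thread's point that a signed-only PGP MESSAGE holds no encrypted packets can be checked from the packet framing alone. The following is an added example, not code from this issue, Keybase or GnuPG: it walks the top-level OpenPGP packet headers of de-armored input and reports whether any encryption packet is present. The function names and the sample byte strings are constructed for illustration.

```python
# Added example: classify a de-armored OpenPGP message by its top-level packet tags (RFC 4880, 4.2).
ENCRYPTED_TAGS = {1, 3, 9, 18}  # PKESK, SKESK, encrypted data, encrypted+MDC data

def packet_tags(data):
    """Return the tags of the top-level packets in binary OpenPGP data."""
    tags, i = [], 0
    while i < len(data):
        first = data[i]
        i += 1
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:                       # new-format header
            tag, o1 = first & 0x3F, data[i]
            i += 1
            if o1 < 192:
                length = o1
            elif o1 < 224:
                length = ((o1 - 192) << 8) + data[i] + 192
                i += 1
            elif o1 == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths are not supported here")
        else:                                  # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:                     # indeterminate: runs to end of input
                length = len(data) - i
            else:
                width = 1 << ltype             # 1, 2 or 4 length octets
                length = int.from_bytes(data[i:i + width], "big")
                i += width
        if i + length > len(data):
            raise ValueError("truncated packet")
        tags.append(tag)
        i += length
    return tags

def is_encrypted(data):
    """True if any top-level packet carries or wraps encrypted data."""
    return any(tag in ENCRYPTED_TAGS for tag in packet_tags(data))

# Constructed samples: the framing is real, the packet bodies are dummy bytes.
LITERAL = b"b\x00" + bytes(4) + b"I am the coolest\n"
SIGNED = (b"\x90\x0d" + bytes([3, 0, 8, 1]) + bytes(8) + b"\x01"   # one-pass sig
          + b"\xcb" + bytes([len(LITERAL)]) + LITERAL               # literal data
          + b"\x89\x01\x2c" + bytes(300))                           # signature
SIGNED_COMPRESSED = b"\xa3\x01" + b"constructed-deflate-body"       # compressed wrapper
ENCRYPTED = b"\x85\x01\x0c" + bytes(268) + b"\xd2\xc1\x34" + bytes(500)
```

A message whose top-level tags are only 8 (compressed) or 4, 11, 2 (one-pass signature, literal data, signature) can be verified and its content read with the signer's public key alone.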