[1/1] gpg(docs): use correct --verify syntax
diff mbox series

Message ID e2daf21f1f2574a79f83d4e66591f67b1c937efe.1562945635.git.gitgitgadget@gmail.com
State New
Headers show
Series
  • Update gpg.txt to correct gpg --verify syntax
Related show

Commit Message

Adam Roben via GitGitGadget July 12, 2019, 3:33 p.m. UTC
From: Robert Morgan <robert.thomas.morgan@gmail.com>

The gpg --verify usage example within the 'gpg.program' variable
reference provides an incorrect example of the gpg --verify command
arguments.

The command argument order, when providing both a detached signature
and data, should be signature first and data second:
https://gnupg.org/documentation/manuals/gnupg/Operational-GPG-Commands.html

Signed-off-by: Robert Morgan <robert.thomas.morgan@gmail.com>
---
 Documentation/config/gpg.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Junio C Hamano July 12, 2019, 4:47 p.m. UTC | #1
"Robert Morgan via GitGitGadget" <gitgitgadget@gmail.com> writes:

> diff --git a/Documentation/config/gpg.txt b/Documentation/config/gpg.txt
> index f999f8ea49..cce2c89245 100644
> --- a/Documentation/config/gpg.txt
> +++ b/Documentation/config/gpg.txt
> @@ -2,7 +2,7 @@ gpg.program::
>  	Use this custom program instead of "`gpg`" found on `$PATH` when
>  	making or verifying a PGP signature. The program must support the
>  	same command-line interface as GPG, namely, to verify a detached
> -	signature, "`gpg --verify $file - <$signature`" is run, and the
> +	signature, "`gpg --verify $signature - <$file`" is run, and the
>  	program is expected to signal a good signature by exiting with
>  	code 0, and to generate an ASCII-armored detached signature, the
>  	standard input of "`gpg -bsau $key`" is fed with the contents to be

Wow.  Good find.

gpg-interface.c::verify_signed_buffer() takes a detached signature
in core, writes it to a temporary file and runs 

    gpg --status-fd=1 --verify $the_temporary_file

and the payload that is supposed to match the given signature is fed
via the standard input, so the above documentation is the only thing
that needs fixing, which is good ;-)

Thanks.
Robert Morgan July 12, 2019, 7:11 p.m. UTC | #2
Thanks Junio.

I was looking at 'smimesign' and working to understand how, when set
within 'gpg.program', it conformed with gpg's usage within git
sign,verify etc.  I happened to look at the docs for the 'gpg.program'
config variable and noticed the discrepancy.

Thanks again,
Robert

On Fri, Jul 12, 2019 at 11:47 AM Junio C Hamano <gitster@pobox.com> wrote:
>
> "Robert Morgan via GitGitGadget" <gitgitgadget@gmail.com> writes:
>
> > diff --git a/Documentation/config/gpg.txt b/Documentation/config/gpg.txt
> > index f999f8ea49..cce2c89245 100644
> > --- a/Documentation/config/gpg.txt
> > +++ b/Documentation/config/gpg.txt
> > @@ -2,7 +2,7 @@ gpg.program::
> >       Use this custom program instead of "`gpg`" found on `$PATH` when
> >       making or verifying a PGP signature. The program must support the
> >       same command-line interface as GPG, namely, to verify a detached
> > -     signature, "`gpg --verify $file - <$signature`" is run, and the
> > +     signature, "`gpg --verify $signature - <$file`" is run, and the
> >       program is expected to signal a good signature by exiting with
> >       code 0, and to generate an ASCII-armored detached signature, the
> >       standard input of "`gpg -bsau $key`" is fed with the contents to be
>
> Wow.  Good find.
>
> gpg-interface.c::verify_signed_buffer() takes a detached signature
> in core, writes it to a temporary file and runs
>
>     gpg --status-fd=1 --verify $the_temporary_file
>
> and the payload that is supposed to match the given signature is fed
> via the standard input, so the above documentation is the only thing
> that needs fixing, which is good ;-)
>
> Thanks.
>
>
>

Patch
diff mbox series

diff --git a/Documentation/config/gpg.txt b/Documentation/config/gpg.txt
index f999f8ea49..cce2c89245 100644
--- a/Documentation/config/gpg.txt
+++ b/Documentation/config/gpg.txt
@@ -2,7 +2,7 @@  gpg.program::
 	Use this custom program instead of "`gpg`" found on `$PATH` when
 	making or verifying a PGP signature. The program must support the
 	same command-line interface as GPG, namely, to verify a detached
-	signature, "`gpg --verify $file - <$signature`" is run, and the
+	signature, "`gpg --verify $signature - <$file`" is run, and the
 	program is expected to signal a good signature by exiting with
 	code 0, and to generate an ASCII-armored detached signature, the
 	standard input of "`gpg -bsau $key`" is fed with the contents to be