
When I execute the following command, I get output like this:

$ gpg --verify awscliv2.deb

gpg: Signature made Mon Nov 4 19:00:01 2019 PST
gpg: using RSA key FB5D B77F D5C1 18B8 0511 ADA8 A631 0ACC 4672 475C
gpg: Good signature from "AWS CLI Team <aws-cli@amazon.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: FB5D B77F D5C1 18B8 0511 ADA8 A631 0ACC 4672 475C

How can I verify using the shell that the above output contains the string `Good signature` or `Primary key fingerprint`?

I have used the grep command like this, but it's not returning the expected result.

$ gpg --verify awscliv2.deb | grep -iq 'Good signature'
$ echo $?
1

For a validly signed file with output as above, `echo $?` should return 0, and otherwise 1. But it's always returning 1.

  • Does this answer your question? [Checking if output of a command contains a certain string in a shell script](https://stackoverflow.com/questions/16931244/checking-if-output-of-a-command-contains-a-certain-string-in-a-shell-script) – wjandrea Mar 20 '21 at 18:05
  • No, it doesn't work. $? always returns 1. – Sourav Bhattacharjee Mar 20 '21 at 18:14
  • What do you mean? Did you use `grep`? – wjandrea Mar 20 '21 at 18:15
  • Yes, after the above command in question I have piped grep 'signature' &> /dev/null – Sourav Bhattacharjee Mar 20 '21 at 18:17
  • 1
    OK, is the `1` not what you expected? Please provide a [mre]. – wjandrea Mar 20 '21 at 18:22
  • Added more information. – Sourav Bhattacharjee Mar 20 '21 at 18:30
  • If I do `grep -iq 'Good signature' <<'EOF'` and feed it the output from your first example, it returns `0`. Please provide a [mre] including input. – wjandrea Mar 20 '21 at 18:39
  • Now I actually understood the problem why the command I mentioned above is not working. The output that I see is not stdout; it's stderr, and that is why just piping to grep is not working, as it is expecting stdout. Is there a way to ask grep to use stdout as well, other than storing stderr in a file and then passing it to grep? – Sourav Bhattacharjee Mar 20 '21 at 18:49
  • 1
    Yeah, you could [pipe both](/a/37085215/4518341), if that'd work – wjandrea Mar 20 '21 at 19:02
  • 1
    I tried something like this: 2>&1 >/dev/null and it worked. But from the above link it is more optimized with |& – Sourav Bhattacharjee Mar 20 '21 at 19:05
  • Why can't you use `$ gpg --verify awscliv2.deb` directly and check the exit code? It's 0 if the signature is good, 1 if it is not, and 2 if there's a problem (I/O error, etc.) and the signature can't be checked. Did you really need to check the output string? If that is the case, you have to redirect the gpg stderr output with `2>&1`, or else `grep` will have nothing to grep and will always return 1. And **only** `2>&1`! Like: `gpg --verify awscliv2.deb 2>&1 | grep -iq 'Good signature'` – Zilog80 Mar 27 '21 at 22:42
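Added example (not code from the question or the comments above). It shows the two points the comments arrive at in runnable form: gpg writes its report to stderr, so `gpg ... | grep` hands grep an empty stdin and grep always exits 1; and gpg's own exit status (0 good, 1 bad signature, 2 could not check) is a better thing to branch on than a grep for text. `fake_gpg` is a constructed stand-in that reproduces the question's report on stderr so the script runs without a keyring; in practice it is replaced by `gpg --verify "$file"`.

```shell
#!/bin/sh
# Constructed stand-in for gpg: prints the report from the question on
# stderr and exits 0 like a successful verification. Replace calls to
# fake_gpg with: gpg --verify "$file"
fake_gpg() {
    cat >&2 <<'EOF'
gpg: Signature made Mon Nov 4 19:00:01 2019 PST
gpg: using RSA key FB5D B77F D5C1 18B8 0511 ADA8 A631 0ACC 4672 475C
gpg: Good signature from "AWS CLI Team <aws-cli@amazon.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: FB5D B77F D5C1 18B8 0511 ADA8 A631 0ACC 4672 475C
EOF
    return 0
}

# The question's pipeline: only stdout enters the pipe, and gpg's stdout is
# empty, so grep never sees the report. (stderr is discarded here only to
# keep the demonstration quiet; in the question it went to the terminal.)
grep_stdout_only() {
    fake_gpg 2>/dev/null | grep -iq 'Good signature'    # exits 1
}

# Fix 1: merge stderr into stdout before piping. In bash, `set -o pipefail`
# additionally makes a failing gpg fail the pipeline instead of being
# masked by grep's status.
grep_with_stderr() {
    fake_gpg 2>&1 | grep -iq 'Good signature'           # exits 0
}

# Fix 2: do not grep at all. Capture the report (for logging) and gpg's
# exit status separately, then branch on the status. The `&& ... ||` form
# keeps the status even when the caller runs under `set -e`.
# Usage: verify_by_exit_status gpg --verify awscliv2.deb
verify_by_exit_status() {
    report=$("$@" 2>&1) && status=0 || status=$?
    case $status in
        0) echo "good signature"; return 0 ;;
        1) echo "BAD signature:"; printf '%s\n' "$report"; return 1 ;;
        *) echo "verification could not be performed (status $status):"
           printf '%s\n' "$report"; return 2 ;;
    esac
}
```

Branching on the exit status still leaves the `[unknown]` trust warning in the report unanswered: a status of 0 means the signature matches a key in the keyring, not that the key is the expected publisher's, so a script that installs the file should also compare the printed fingerprint against a pinned value.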

2 Answers


I also struggled with this a bit. This worked for me.

set -o pipefail                     # a failing gpg fails the pipeline too (bash)
# gpg writes its report to stderr; `2>&1 >/dev/null` sends only stderr to grep.
# gpg prints "Good signature" with a lowercase s.
gpg --verify someascfile.asc 2>&1 >/dev/null | grep 'Good signature'
if [ $? != 0 ]; then                # grep found no match (or gpg failed)
    echo "The signature for the tar file is not a good signature. Exiting now."
    exit 1
fi

Even though the verification passed with a valid RSA key, the first case failed for me because echo $? returned 2, which was unexpected.

In this case, I needed to import the public key to get a match on Good Signature by first checking for the RSA key output, then running:

gpg --receive-keys <RSA KEY>
# Take the key id from gpg's "using RSA key ..." line (on stderr, hence 2>&1).
# awk's 5th field is the whole key only when gpg prints it as one unbroken token.
rsa_key=$(gpg "$ASC_FILE" 2>&1 | grep RSA | awk '{print $5}')
gpg --receive-keys "$rsa_key"
VERIFIED=$(gpg --verify "$driver_asc" "$driver_filename" 2>&1 | grep 'Good signature')
if [[ $VERIFIED ]]; then
    echo "gpg keys verified. Installing..."
else
    echo "gpg key cannot be verified. Aborting installation."
    exit 1
fi
lacostenycoder
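Added example, not code from the answer above. The answer fetches whichever key the signature names and then accepts on "Good signature"; that line only says the file matches *some* key, and if the key id is taken from the file's own signature, any key would pass. The script below keeps the answer's import-then-verify flow but checks the key id against an allowlist before `--receive-keys` runs, and the final acceptance also requires the "Primary key fingerprint" line to match an allowlisted value. `ALLOWED_SIGNING_KEYS` is a deployment-specific value (the entry used here is the fingerprint shown in the question); `SAMPLE_REPORT` is the question's output, embedded so the parsing can be exercised offline.

```shell
#!/bin/sh
# Pinned publisher fingerprints, spaces removed (deployment-specific; the
# entry below is the fingerprint shown in the question's output).
ALLOWED_SIGNING_KEYS='FB5DB77FD5C118B80511ADA8A6310ACC4672475C'

# The question's gpg report, embedded as sample input for offline runs.
SAMPLE_REPORT='gpg: Signature made Mon Nov 4 19:00:01 2019 PST
gpg: using RSA key FB5D B77F D5C1 18B8 0511 ADA8 A631 0ACC 4672 475C
gpg: Good signature from "AWS CLI Team <aws-cli@amazon.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: FB5D B77F D5C1 18B8 0511 ADA8 A631 0ACC 4672 475C'

# Key id from the "using RSA key" line (stdin), with gpg's spacing removed.
# Older gpg prints "using RSA key ID <short id>"; that form is accepted too
# (a short id will simply not match a full-fingerprint allowlist).
signing_key_from_report() {
    sed -n 's/^gpg: .*using [A-Z0-9]* key \(ID \)*//p' | tr -d ' ' | head -n 1
}

# Fingerprint from the "Primary key fingerprint:" line (stdin), normalised.
fingerprint_from_report() {
    sed -n 's/^[[:space:]]*Primary key fingerprint: *//p' | tr -d ' ' | head -n 1
}

# 0 when $1 exactly equals an allowlisted key, 1 otherwise.
key_is_allowed() {
    for k in $ALLOWED_SIGNING_KEYS; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# Accept a report ($1) only if it says "Good signature" AND the primary key
# fingerprint is allowlisted. grep alone would accept any key's signature.
report_is_trusted() {
    printf '%s\n' "$1" | grep -q 'Good signature' || return 1
    fpr=$(printf '%s\n' "$1" | fingerprint_from_report)
    [ -n "$fpr" ] && key_is_allowed "$fpr"
}

# The answer's flow with the allowlist check inserted before the import.
# $1 = detached signature (.asc), $2 = signed file. Needs a configured keyserver.
import_and_verify() {
    first=$(gpg --verify "$1" "$2" 2>&1) || true    # fails while the key is absent
    keyid=$(printf '%s\n' "$first" | signing_key_from_report)
    [ -n "$keyid" ] || { echo "no signing key in gpg output" >&2; return 1; }
    key_is_allowed "$keyid" || { echo "refusing to import unknown key $keyid" >&2; return 1; }
    gpg --receive-keys "$keyid" >/dev/null 2>&1 || { echo "key fetch failed" >&2; return 1; }
    report=$(gpg --verify "$1" "$2" 2>&1) || { printf '%s\n' "$report" >&2; return 1; }
    report_is_trusted "$report"
}
```

Run as `import_and_verify driver.asc driver.run`. Both the import and the final acceptance now fail closed on a key the script does not already know, which is the property the `[unknown]` warning in the question's output is pointing at.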