sqop decrypt --verify-with changes the return code based on whether a valid signature was found or not
The SOP documentation says:
The return code of sop decrypt is not affected by the results of signature verification. The caller MUST check the returned VERIFICATIONS to confirm signature status. An empty VERIFICATIONS output indicates that no valid signatures were found.
But sqop appears to change the return code based on whether a signature was present or not:
0 dkg@alice:/tmp/cdtemp.8R6jAM$ sqop generate-key foo > foo.key
0 dkg@alice:/tmp/cdtemp.8R6jAM$ sqop extract-cert < foo.key > foo.cert
0 dkg@alice:/tmp/cdtemp.8R6jAM$ echo test | sqop encrypt foo.cert > test.msg
0 dkg@alice:/tmp/cdtemp.8R6jAM$ sqop decrypt foo.key < test.msg
test
0 dkg@alice:/tmp/cdtemp.8R6jAM$ sqop decrypt --verify-out test.verifs --verify-with=foo.cert foo.key < test.msg
No acceptable signatures found
3 dkg@alice:/tmp/cdtemp.8R6jAM$ sqop version --extended
sqop 0.27.3
sop-rs 0.4.2
Nettle 3.9 (Cv448: true)
Sequoia 1.16.0
0 dkg@alice:/tmp/cdtemp.8R6jAM$
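
A caller-side check that follows the quoted SOP rule and also tolerates the exit code 3 seen in the session above. This is an added example, not part of the original report or of sqop; the function names and the status words `signed`, `unsigned` and `failed` are hypothetical, and the only options used are the ones that appear in the session.

```shell
#!/bin/sh
# Added example: decide signature status from the VERIFICATIONS output,
# never from the exit code of "decrypt" alone.

# classify_decrypt RC VERIFS_FILE -> prints signed | unsigned | failed
classify_decrypt() {
    c_rc=$1
    c_verifs=$2
    case "$c_rc" in
        0)
            # Behaviour in the quoted documentation: exit 0 says nothing
            # about signatures. A missing, empty or blank-only file means
            # no valid signature was found.
            if [ -f "$c_verifs" ] &&
               [ "$(grep -c '[^[:space:]]' "$c_verifs")" -gt 0 ]; then
                echo signed
            else
                echo unsigned
            fi ;;
        3)
            # Behaviour in the session above ("No acceptable signatures
            # found"). Do not assume any plaintext was written.
            echo unsigned ;;
        *)
            echo failed ;;
    esac
}

# decrypt_checked SOP KEY CERT MSG OUT -> runs the decrypt, prints the status
decrypt_checked() {
    d_dir=$(mktemp -d) || return 1
    d_rc=0
    # The verifications file lives in a fresh directory, so it does not
    # exist before the SOP implementation creates it.
    "$1" decrypt --verify-out "$d_dir/verifs" --verify-with="$3" "$2" \
        < "$4" > "$5" || d_rc=$?
    classify_decrypt "$d_rc" "$d_dir/verifs"
    rm -rf "$d_dir"
}

# Constructed demo: exit code 0 with an empty VERIFICATIONS file.
demo_file=$(mktemp)
classify_decrypt 0 "$demo_file"
rm -f "$demo_file"
```

With the files from the session, `decrypt_checked sqop foo.key foo.cert test.msg test.out` would be the call; a caller should release the plaintext only when the status is `signed`.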