libgcrypt Validation
Port build from safelibs/port-libgcrypt at commit 48f625fcb193 (release build-48f625fcb193)
Tests
libgcrypt AES CTR round trip Original / libgcrypt / aes-ctr-roundtrip Passed
libgcrypt SHA-256 digest Original / libgcrypt / digest-sha256-smoke Passed
libgcrypt HMAC digest Original / libgcrypt / hmac-sha256-smoke Passed
libgcrypt MPI arithmetic Original / libgcrypt / mpi-arithmetic Passed
libgcrypt nonce generation Original / libgcrypt / nonce-generation Passed
gpg always-trust unblocks untrusted recipient Original / libgcrypt / usage-gpg-always-trust-untrusted-recipient Passed
Imports a foreign public key into a fresh keyring, confirms encryption fails with the default trust model, then succeeds once --always-trust (--trust-model always) is supplied.
gpg armored detached signature Original / libgcrypt / usage-gpg-armor-detached-sign Passed
gpg armored recipient encryption Original / libgcrypt / usage-gpg-armor-recipient-encrypt Passed
gpg armor vs binary output magic Original / libgcrypt / usage-gpg-armor-vs-binary-magic Passed
Symmetrically encrypts the same payload as armored ASCII and as binary, then checks the file magic distinguishes them.
gpg armored message header only Original / libgcrypt / usage-gpg-armored-message-header-only Passed
gpg --auto-key-locate clear stays offline Original / libgcrypt / usage-gpg-auto-key-locate-clear-offline Passed
Verifies that gpg --auto-key-locate clear disables every locate mechanism so verifying a signature from an unknown signer fails with NO_PUBKEY rather than performing any network lookup.
gpg --batch --gen-key from parameter file Original / libgcrypt / usage-gpg-batch-gen-key-paramfile Passed
Generates an ed25519 signing key non-interactively via gpg --batch --gen-key fed a parameter control file on stdin, then asserts the public key listing reflects the requested UID.
gpg check-trustdb offline Original / libgcrypt / usage-gpg-check-trustdb-offline Passed
Generates a key in an isolated GNUPGHOME and runs gpg --check-trustdb to confirm the trust database walks cleanly without any network activity.
gpg clearsign output Original / libgcrypt / usage-gpg-clearsign-roundtrip-output Passed
Generates a clearsigned ASCII document with gpg --clearsign and verifies the message header and body line are preserved.
gpg clear-sign with explicit SHA256 digest header Original / libgcrypt / usage-gpg-clearsign-sha256-digest Passed
Clear-signs a payload with --digest-algo SHA256, confirms gpg --verify reports a good signature, and checks that the armored block declares a Hash: SHA256 header.
gpg clearsign verify Original / libgcrypt / usage-gpg-clearsign-verify-batch11 Passed
gpg clearsign verify status Original / libgcrypt / usage-gpg-clearsign-verify-status Passed
GnuPG clear-signed message Original / libgcrypt / usage-gpg-clearsign-verify Passed
gpg --comment writes Comment header in armor Original / libgcrypt / usage-gpg-comment-marker-in-armor Passed
Exports a public key in ASCII armor with a custom --comment marker and asserts the marker appears as a Comment: header inside the armor while the armor remains parseable by gpg --list-packets.
gpg dearmors public key Original / libgcrypt / usage-gpg-dearmor-public-key Passed
gpg decrypt clearsigned message Original / libgcrypt / usage-gpg-decrypt-clearsigned-message Passed
gpg --decrypt reads ciphertext via stdin redirection Original / libgcrypt / usage-gpg-decrypt-stdin-redirect Passed
Encrypts a payload symmetrically, then decrypts it by feeding the OpenPGP message to gpg over stdin (no file argument) and verifies the recovered plaintext.
gpg decrypts to stdout Original / libgcrypt / usage-gpg-decrypt-stdout Passed
Decrypts a symmetric gpg message directly to stdout and verifies the recovered plaintext stream.
gpg --default-key selects between two keys Original / libgcrypt / usage-gpg-default-key-selects-second-key Passed
Generates two distinct signing keys in the same keyring and asserts gpg --default-key picks the explicitly named key for a detached signature (verified via the issuer fingerprint reported by gpg --list-packets).
gpg detach sign with SHA512 digest Original / libgcrypt / usage-gpg-detach-sign-sha512-digest Passed
Generates an ed25519 key, creates an armored detached signature with --digest-algo SHA512, and confirms gpg --verify reports a good signature.
gpg binary detached signature Original / libgcrypt / usage-gpg-detached-binary-sign Passed
gpg detached sign status-fd Original / libgcrypt / usage-gpg-detached-sign-status-fd Passed
Verifies a detached signature with gpg --status-fd and checks the machine-readable GOODSIG status output.
GnuPG detached signature Original / libgcrypt / usage-gpg-detached-sign-verify Passed
gpg enarmor dearmor Original / libgcrypt / usage-gpg-enarmor-dearmor Passed
Encodes a payload with gpg --enarmor, decodes it again, and verifies the original bytes round trip.
gpg enarmor dearmor sha256 roundtrip Original / libgcrypt / usage-gpg-enarmor-roundtrip-sha256 Passed
Encodes random binary content with gpg --enarmor, decodes it with --dearmor, and confirms the sha256 digest matches the original.
gpg enarmor round trip Original / libgcrypt / usage-gpg-enarmor-roundtrip Passed
Converts binary data to ASCII armor with gpg enarmor, dearmors it again, and verifies the bytes match.
gpg encrypt decrypt stdout pipe Original / libgcrypt / usage-gpg-encrypt-decrypt-stdout-pipe Passed
gpg --output - writes encrypted message to stdout Original / libgcrypt / usage-gpg-encrypt-output-dash-stdout Passed
Encrypts a payload symmetrically with --output - so the OpenPGP message is delivered on stdout, then decrypts the captured stream and verifies the recovered plaintext.
gpg encrypt for two recipients then decrypt Original / libgcrypt / usage-gpg-encrypt-two-recipients Passed
Generates two distinct keypairs, encrypts a payload addressed to both, asserts the ciphertext contains two pubkey-enc packets via --list-packets, and decrypts the message in a fresh keyring that holds only the second recipient.
gpg export armor block Original / libgcrypt / usage-gpg-export-armor-block Passed
Exports a generated public key in ASCII armor through gpg --armor --export and verifies the begin and end markers.
GnuPG exports and imports key Original / libgcrypt / usage-gpg-export-import-key Passed
gpg exports ownertrust Original / libgcrypt / usage-gpg-export-ownertrust Passed
Imports ownertrust for a generated key and verifies gpg export-ownertrust writes the fingerprint record.
gpg exports public key Original / libgcrypt / usage-gpg-export-public-key Passed
gpg export minimal public key Original / libgcrypt / usage-gpg-export-public-minimal Passed
Exports a minimal armored public key with gpg export options and verifies the ASCII armor header.
gpg exports secret key Original / libgcrypt / usage-gpg-export-secret-key Passed
gpg fingerprint listing Original / libgcrypt / usage-gpg-fingerprint-list Passed
gpg fingerprint stable across export and import Original / libgcrypt / usage-gpg-fingerprint-stable-export-import Passed
Generates an ed25519 key, exports it armored, imports into a fresh GNUPGHOME, and confirms the fingerprint is byte-identical across both keyrings.
gpg gen-random base64 output length Original / libgcrypt / usage-gpg-gen-random-base64-length Passed
Generates 48 random bytes with gpg --gen-random level 1 mode 1 (base64 armor) and verifies the decoded payload length is exactly 48 bytes.
gpg generate random bytes Original / libgcrypt / usage-gpg-gen-random-bytes Passed
gpg random length Original / libgcrypt / usage-gpg-gen-random-length-batch11 Passed
gpg gen-random quality 1 armored Original / libgcrypt / usage-gpg-gen-random-quality1-armored Passed
Requests 16 random bytes from gpg --gen-random with quality level 1 and --armor, decoding the base64 payload back to exactly 16 bytes.
gpg gen-random 32 bytes Original / libgcrypt / usage-gpg-gen-random-zero-bytes Passed
Requests 32 bytes from gpg --gen-random and verifies the output stream length matches the requested byte count.
gpg auto-generated revocation certificate Original / libgcrypt / usage-gpg-gen-revoke-armor Passed
Generates an unattended ed25519 key, locates the armored revocation certificate gpg auto-stores under openpgp-revocs.d, and confirms gpg --list-packets reports a class 0x20 signature.
gpg --gen-revoke produces armored revocation cert with reason 0 Original / libgcrypt / usage-gpg-gen-revoke-detached-reason-zero Passed
Drives gpg --gen-revoke with --command-fd to produce a detached armored revocation certificate using reason code 0 (no reason given), then asserts the resulting block is a class 0x20 signature packet whose hashed subpacket 29 (reason for revocation) carries 0x00.
gpg --digest-algo SHA384 detached signature roundtrip Original / libgcrypt / usage-gpg-hash-algo-sha384-detached Passed
Generates an ed25519 signing key, produces a detached signature with --digest-algo SHA384, verifies it, and asserts the signature packet metadata reports SHA384 (digest 9).
gpg --hidden-recipient masks recipient key id in PKESK packet Original / libgcrypt / usage-gpg-hidden-recipient-anonymous-keyid Passed
Encrypts to a generated key with --hidden-recipient (no plain -r), confirms gpg --list-packets reports keyid 0000000000000000 in the public-key-encrypted-session-key packet, and round-trips the plaintext through decryption.
gpg hidden recipient encrypt Original / libgcrypt / usage-gpg-hidden-recipient-encrypt-batch11 Passed
gpg imports binary and armored exports of the same key Original / libgcrypt / usage-gpg-import-binary-vs-armor Passed
Exports a generated public key in both binary and ASCII-armored form, imports each into separate fresh keyrings, and verifies the resulting fingerprints (and uids) match exactly between the two import paths.
gpg import-options keep-ownertrust round-trip Original / libgcrypt / usage-gpg-import-options-keep-ownertrust-roundtrip Passed
Generates a key, exports its ownertrust and public key, re-imports both into a fresh GNUPGHOME with --import-options keep-ownertrust, and verifies the original ownertrust value is preserved across the round-trip.
gpg imports ownertrust Original / libgcrypt / usage-gpg-import-ownertrust Passed
gpg import public key listing Original / libgcrypt / usage-gpg-import-public-key-listing Passed
gpg imports public key Original / libgcrypt / usage-gpg-import-public-key Passed
gpg imports secret key Original / libgcrypt / usage-gpg-import-secret-key Passed
Exports a generated secret key and imports it into a second keyring, then verifies the secret key is listed.
gpg import show-only Original / libgcrypt / usage-gpg-import-show-only Passed
Inspects an exported public key with gpg import show-only mode and verifies public key metadata is displayed.
gpg keyid-format long vs short Original / libgcrypt / usage-gpg-keyid-format-long-vs-short Passed
Generates a key and confirms that gpg --keyid-format long renders the trailing 16 hex digits of the fingerprint and --keyid-format short renders only the trailing 8 hex digits.
gpg --keyserver-options no-honor-keyserver-url Original / libgcrypt / usage-gpg-keyserver-options-no-honor Passed
Generates a key and verifies that --keyserver-options no-honor-keyserver-url is accepted as a no-op for offline --list-keys: the listing still includes the uid and the command exits 0 without any keyserver traffic.
gpg list config cipher names Original / libgcrypt / usage-gpg-list-config-ciphername-batch11 Passed
gpg list-config cipher names include BLOWFISH Original / libgcrypt / usage-gpg-list-config-ciphername-blowfish Passed
Runs gpg --with-colons --list-config ciphername and asserts BLOWFISH appears in the reported cipher algorithms list.
gpg list config compression names Original / libgcrypt / usage-gpg-list-config-compressname-batch11 Passed
gpg list-config curve includes ed25519 Original / libgcrypt / usage-gpg-list-config-curve-ed25519 Passed
Inspects the list-config curve record with colon output and asserts that ed25519 is among the configured ECC curves.
gpg list config digest names Original / libgcrypt / usage-gpg-list-config-digestname-batch11 Passed
gpg list-config public key algorithms include RSA Original / libgcrypt / usage-gpg-list-config-pubkeyname-rsa Passed
Lists configured public key algorithm names with --with-colons --list-config pubkeyname and asserts RSA is present.
gpg --list-config reports version line Original / libgcrypt / usage-gpg-list-config-version Passed
Runs gpg --with-colons --list-config and asserts a cfg:version: record is emitted with a non-empty version string.
gpg list keys uid Original / libgcrypt / usage-gpg-list-keys-uid Passed
Lists keys for a generated identity with gpg --list-keys and verifies the user id string appears in the listing.
gpg --list-keys --with-colons pub record parsing Original / libgcrypt / usage-gpg-list-keys-with-colons-pub-record Passed
Generates a key and parses the machine-readable colon-listing output, verifying the pub record carries the documented field layout (validity, length, public-key algorithm, 16-hex keyid) and a matching fpr record with a 40-hex fingerprint.
gpg --list-keys --with-fingerprint shows subkey fingerprint Original / libgcrypt / usage-gpg-list-keys-with-fingerprint-subkey Passed
Generates a primary+subkey pair (default ed25519/cv25519) and asserts that gpg --list-keys --with-fingerprint --with-fingerprint emits the spaced fingerprint for both the primary key and the encryption subkey.
GnuPG lists generated key Original / libgcrypt / usage-gpg-list-keys Passed
gpg --list-options show-keyserver-urls Original / libgcrypt / usage-gpg-list-options-show-keyserver-urls Passed
Generates a key and verifies that --list-options show-keyserver-urls is accepted and produces a normal --list-keys listing including the new uid.
gpg list packets armor Original / libgcrypt / usage-gpg-list-packets-armor Passed
gpg list packets armored Original / libgcrypt / usage-gpg-list-packets-armored Passed
Lists packets from an armored encrypted message with gpg and verifies the symmetric packet summary appears.
gpg list packets binary detached Original / libgcrypt / usage-gpg-list-packets-binary-detached Passed
gpg list packets clearsign Original / libgcrypt / usage-gpg-list-packets-clearsign Passed
Inspects a clearsigned message with gpg --list-packets and verifies a signature packet is reported.
gpg AES256 packet listing Original / libgcrypt / usage-gpg-list-packets-symmetric-aes256 Passed
Lists AES256 symmetric packet metadata with gpg --list-packets and verifies the encrypted packet description.
gpg list-packets on TWOFISH symmetric ciphertext Original / libgcrypt / usage-gpg-list-packets-symmetric-twofish Passed
Symmetrically encrypts with TWOFISH and verifies gpg --list-packets reports the expected encrypted packet description.
gpg --list-packets shows ZIP compression algo Original / libgcrypt / usage-gpg-list-packets-zip-compress Passed
Symmetrically encrypts a payload with --compress-algo ZIP and uses --list-packets (with the symmetric passphrase) to decode the inner packets, asserting the compressed packet uses algo=1 (ZIP).
GnuPG lists encrypted packets Original / libgcrypt / usage-gpg-list-packets Passed
gpg list secret colons Original / libgcrypt / usage-gpg-list-secret-colons Passed
Lists generated secret keys in colon format with gpg and verifies the secret key record marker appears.
gpg list secret keys with colons Original / libgcrypt / usage-gpg-list-secret-keys-colons Passed
Lists secret keys in machine-readable format with gpg and verifies secret-key and fingerprint records are present.
gpg secret key keygrip listing Original / libgcrypt / usage-gpg-list-secret-keys-keygrip Passed
gpg --list-secret-keys --keyid-format 0xlong Original / libgcrypt / usage-gpg-list-secret-keys-keyid-format-0xlong Passed
Confirms that gpg --list-secret-keys --keyid-format 0xlong renders the trailing 16 hex digits of the primary fingerprint with the explicit "0x" prefix on the sec line.
gpg lists secret keys Original / libgcrypt / usage-gpg-list-secret-keys Passed
gpg --max-cert-depth accepted on verify Original / libgcrypt / usage-gpg-max-cert-depth-verify Passed
Confirms gpg accepts an explicit --max-cert-depth value (a numeric trust-model knob) on the command line during signature verification and still produces a Good signature for an ed25519 detached signature.
gpg --multifile --decrypt of multiple armored files Original / libgcrypt / usage-gpg-multifile-decrypt Passed
Generates a recipient key, encrypts two payloads to separate armored files, and decrypts both in a single gpg --multifile --decrypt invocation, verifying each plaintext output file.
gpg --no-armor explicit binary export Original / libgcrypt / usage-gpg-no-armor-explicit-binary Passed
Forces a binary OpenPGP public-key export with an explicit --no-armor and confirms the output starts with the OpenPGP packet magic byte rather than ASCII armor headers.
gpg --no-default-keyring + --keyring isolates from default ring Original / libgcrypt / usage-gpg-no-default-keyring-isolation Passed
Generates one key into the default GNUPGHOME pubring and another into a separate keyring file via --no-default-keyring + --keyring, then asserts each subsequent listing only sees the keyblock that lives in the keyring it was directed to.
gpg --no-emit-version omits Version header in armor Original / libgcrypt / usage-gpg-no-emit-version-armor Passed
Exports a public key in ASCII armor with --no-emit-version and asserts the resulting block contains the BEGIN/END armor markers but no "Version:" header line.
gpg --no-greeting --version still prints version Original / libgcrypt / usage-gpg-no-greeting-version Passed
Runs gpg with --no-greeting before --version and asserts the version banner including the linked libgcrypt version is still printed.
gpg no-tty in batch mode Original / libgcrypt / usage-gpg-no-tty-batch-list Passed
Runs gpg --no-tty --batch --list-keys against a freshly generated keyring and confirms it emits a normal listing with no terminal-tied prompts even when stdin is closed.
gpg ownertrust export check Original / libgcrypt / usage-gpg-ownertrust-export-check Passed
gpg --passwd --dry-run validates current passphrase Original / libgcrypt / usage-gpg-passwd-dry-run Passed
Generates a key with a known passphrase, runs --passwd --dry-run with the correct passphrase (must succeed), then runs --passwd --dry-run with the wrong passphrase (must fail with Bad passphrase), confirming libgcrypt-backed S2K verification is wired through.
gpg --personal-cipher-preferences AES256 selects symmetric cipher Original / libgcrypt / usage-gpg-personal-cipher-prefs-aes256 Passed
Generates a recipient key and encrypts a payload with --personal-cipher-preferences AES256 set, then inspects the resulting OpenPGP packet stream after decryption and asserts the symmetric cipher recorded was AES256 (cipher 9).
gpg --personal-digest-preferences SHA512 selects digest for signing Original / libgcrypt / usage-gpg-personal-digest-prefs-sha512 Passed
Generates an ed25519 signing key and signs a payload with --personal-digest-preferences SHA512 set, then inspects the resulting signature packet and asserts the chosen digest algorithm is SHA512 (10).
gpg --primary-keyring redirects new public key writes Original / libgcrypt / usage-gpg-primary-keyring-redirect-write Passed
Generates a key with --primary-keyring pointing to a redirected keyring file inside GNUPGHOME and confirms the new public key is materialized in the redirected keyring while the default pubring.kbx stays empty of public keyblocks.
gpg print-md MD5 fixed-string KAT Original / libgcrypt / usage-gpg-print-md-md5-kat-fixed-string Passed
Verifies gpg --print-md MD5 emits the canonical 5d41402abc4b2a76b9719d9110175c592 known-answer digest for the literal input "hello".
gpg MD5 digest Original / libgcrypt / usage-gpg-print-md-md5 Passed
gpg --print-md multi-algorithm digest lengths Original / libgcrypt / usage-gpg-print-md-multi-sha-family Passed
Computes SHA1, SHA224, SHA256, SHA384, and SHA512 digests of the same input via gpg --with-colons --print-md and asserts each output line contains a hex digest of the expected length for its algorithm.
gpg print-md RIPEMD160 Original / libgcrypt / usage-gpg-print-md-ripemd160-hex Passed
Computes a RIPEMD160 digest with gpg --print-md and verifies the grouped hexadecimal digest output is emitted.
gpg print-md RIPEMD160 KAT for "abc" Original / libgcrypt / usage-gpg-print-md-ripemd160-kat-abc Passed
Computes the RIPEMD160 digest of the literal byte string "abc" through gpg --print-md and asserts the published Dobbertin/Bosselaers/Preneel known-answer value.
gpg RIPEMD160 digest Original / libgcrypt / usage-gpg-print-md-ripemd160 Passed
gpg print-md SHA1 empty input KAT Original / libgcrypt / usage-gpg-print-md-sha1-empty-kat Passed
Verifies gpg --print-md SHA1 emits the canonical da39a3ee... known-answer digest for an empty input file.
gpg print-md SHA1 Original / libgcrypt / usage-gpg-print-md-sha1-hex Passed
gpg SHA1 digest Original / libgcrypt / usage-gpg-print-md-sha1 Passed
gpg --print-md SHA224 and SHA384 KAT vectors Original / libgcrypt / usage-gpg-print-md-sha224-sha384-kat Passed
Computes SHA224 and SHA384 digests of the FIPS 180-4 vector "abc" with gpg --print-md and asserts byte-exact match against the published known-answer values.
gpg SHA224 digest Original / libgcrypt / usage-gpg-print-md-sha224 Passed
gpg print-md SHA256 empty input KAT Original / libgcrypt / usage-gpg-print-md-sha256-empty-kat Passed
Verifies gpg --print-md SHA256 emits the canonical e3b0c442... known-answer digest for an empty input file.
gpg print-md SHA256 hex Original / libgcrypt / usage-gpg-print-md-sha256-hex Passed
Computes a SHA256 digest with gpg --print-md and verifies enough hex groups appear for a 256 bit output.
gpg print-md SHA3-256 KAT for "abc" Original / libgcrypt / usage-gpg-print-md-sha3-256-kat-abc Passed
Computes the SHA3-256 digest of the literal byte string "abc" through gpg --print-md and asserts the canonical FIPS 202 known-answer value.
gpg print-md SHA3-256 hex Original / libgcrypt / usage-gpg-print-md-sha3-256 Passed
Computes a SHA3-256 digest with gpg --print-md and confirms the output contains enough hex groups for a 256 bit digest.
gpg print-md SHA3-512 with hex output Original / libgcrypt / usage-gpg-print-md-sha3-512-hex Passed
Computes a SHA3-512 digest with gpg --print-md --with-colons and confirms the output is a continuous 128 hex character digest line.
gpg --print-md SHA3-512 KAT vector Original / libgcrypt / usage-gpg-print-md-sha3-512-kat Passed
Computes the SHA3-512 digest of the FIPS 202 message "abc" via gpg --print-md and asserts a byte-exact match against the published known-answer value.
gpg print-md SHA384 hex Original / libgcrypt / usage-gpg-print-md-sha384-hex Passed
Computes a SHA384 digest with gpg --print-md and verifies enough hex groups appear for a 384 bit output.
gpg SHA384 digest Original / libgcrypt / usage-gpg-print-md-sha384 Passed
gpg print-md SHA512 empty input KAT Original / libgcrypt / usage-gpg-print-md-sha512-empty-kat Passed
Verifies gpg --print-md SHA512 emits the canonical cf83e135... known-answer digest for an empty input file.
gpg SHA512 digest Original / libgcrypt / usage-gpg-print-md-sha512 Passed
GnuPG prints SHA-256 digest Original / libgcrypt / usage-gpg-print-md Passed
gpg --print-mds shows multiple digest algorithms Original / libgcrypt / usage-gpg-print-mds-multi Passed
Runs gpg --print-mds on a fixed payload and asserts that several digest algorithm labels (MD5, SHA1, RMD160, SHA256, SHA512) appear in the output.
gpg public key packet Original / libgcrypt / usage-gpg-public-key-packet-batch11 Passed
gpg --quick-add-uid attaches a new user id Original / libgcrypt / usage-gpg-quick-add-uid Passed
Generates a key, attaches a second user id with --quick-add-uid, and verifies that --list-keys reports both user ids on the same primary key.
gpg --quick-revuid surfaces validity 'r' in colon listing Original / libgcrypt / usage-gpg-quick-revuid-with-colons-validity Passed
Adds a second user id to a generated key, revokes it with --quick-revuid, and confirms the machine-readable colon listing reports the revoked uid with validity field 'r' while the primary uid retains 'u'.
gpg --quick-revuid revokes a user id Original / libgcrypt / usage-gpg-quick-revuid Passed
Generates a key, attaches a second user id, revokes that uid with --quick-revuid, and verifies a fresh export+import shows the revoked uid is no longer presented as a live binding.
gpg --quick-set-expire updates key expiration Original / libgcrypt / usage-gpg-quick-set-expire Passed
Generates a primary key with a 1d expiration, calls --quick-set-expire to extend it to 2y, and verifies --list-keys reflects the new expiration date and not the original.
gpg --cert-digest-algo SHA512 stamps key self-signature Original / libgcrypt / usage-gpg-r10-cert-digest-algo-sha512 Passed
Generates an Ed25519 key with --cert-digest-algo SHA512, exports the public key, and verifies gpg --list-packets reports digest algo 10 (SHA512) on the user-id self-signature packet.
gpg --export with --export-options export-clean exports a public key Original / libgcrypt / usage-gpg-r10-export-options-export-clean Passed
Generates an Ed25519 key, exports it with --export-options export-clean, and verifies the resulting bytes are a non-empty OpenPGP public key block (public-key packet at the start).
gpg --list-sigs reports self-signature on freshly generated key Original / libgcrypt / usage-gpg-r10-list-sigs-self-signature Passed
Generates an Ed25519 key in a fresh GNUPGHOME and verifies gpg --with-colons --list-sigs emits a sig: record (the self-signature on the user id).
gpg --print-md SHA256 over multiple file arguments Original / libgcrypt / usage-gpg-r10-print-md-multifile-args Passed
Invokes gpg --print-md SHA256 with two distinct file arguments in one call and verifies each file's name appears with a 64-character hex digest in the output.
gpg --quick-generate-key NIST P-384 produces 40-char fingerprint Original / libgcrypt / usage-gpg-r10-quick-generate-nistp384 Passed
Generates a NIST P-384 ECC signing key in a fresh GNUPGHOME and verifies the resulting fingerprint is 40 uppercase hex characters.
gpg --show-session-key emits session key on symmetric decrypt Original / libgcrypt / usage-gpg-r10-show-session-key-symmetric Passed
Symmetrically encrypts a payload then decrypts with --show-session-key and verifies the session key debug line is printed alongside the recovered plaintext.
gpg --no-comments suppresses Comment line in armored output Original / libgcrypt / usage-gpg-r10-symmetric-no-comments-armor Passed
Encrypts a file symmetrically with --armor and --no-comments and verifies the resulting ASCII-armor block contains the BEGIN PGP MESSAGE banner but no Comment: header line.
gpg --symmetric records --set-filename in literal data packet Original / libgcrypt / usage-gpg-r10-symmetric-set-filename-packet Passed
Symmetrically encrypts a payload using --set-filename original.bin and verifies gpg --list-packets reports that filename in the literal data packet header.
gpg --throw-keyids zeroes the recipient key id in PKESK Original / libgcrypt / usage-gpg-r10-throw-keyids-anonymous Passed
Encrypts to an Ed25519/Cv25519 key with --throw-keyids and verifies the resulting public-key encrypted session key packet reports an anonymous (all-zero) keyid via gpg --list-packets.
gpg --with-colons --list-keys uid record exposes the user id Original / libgcrypt / usage-gpg-r10-with-colons-uid-record Passed
Generates an Ed25519 key with a distinctive user id and verifies the with-colons listing emits a uid: record whose user-id field 10 contains the configured email tag.
gpg --enarmor + --dearmor round-trip raw bytes byte-equal Original / libgcrypt / usage-gpg-r11-enarmor-dearmor-roundtrip Passed
Pipes 64 random bytes through --enarmor (which produces a "BEGIN PGP ARMORED FILE" block) and back through --dearmor, then verifies the recovered bytes match the original via sha256 equality.
gpg --export-filter keep-uid restricts exported user-ids to a regex match Original / libgcrypt / usage-gpg-r11-export-filter-keep-uid Passed
Adds a second user-id to a key, runs --export with --export-filter keep-uid="uid =~ secondary", and verifies the exported packet stream contains only the secondary uid (the primary uid is filtered out).
gpg --export-secret-subkeys produces a gnu-dummy stub primary Original / libgcrypt / usage-gpg-r11-export-secret-subkeys-stub-master Passed
Generates a default key (ed25519 SC + cv25519 E) and verifies that --export-secret-subkeys yields a packet stream whose first secret key packet carries the gnu-dummy marker, indicating the master secret has been redacted to a stub.
gpg --export-ssh-key emits ssh-rsa public key from auth-capable RSA key Original / libgcrypt / usage-gpg-r11-export-ssh-key-rsa-auth Passed
Generates a 2048-bit RSA key with the auth usage flag and verifies --export-ssh-key produces a single line beginning with "ssh-rsa " followed by base64 material.
gpg --list-only --decrypt of symmetric stream prints AES diagnostic without writing plaintext Original / libgcrypt / usage-gpg-r11-list-only-decrypt-symmetric Passed
Symmetrically encrypts a payload, then runs --list-only --decrypt and verifies stderr contains the "AES256.CFB encrypted data" diagnostic line while stdout stays empty (no plaintext is materialised).
gpg --quick-add-uid attaches a second user-id reported by --list-keys Original / libgcrypt / usage-gpg-r11-quick-add-uid-second-uid Passed
Generates a primary key, runs --quick-add-uid to attach a second user-id, and verifies --with-colons --list-keys reports two uid records with the expected mailbox addresses.
gpg --quick-revoke-uid marks the targeted user-id revoked in colons output Original / libgcrypt / usage-gpg-r11-quick-revoke-uid-removes-second Passed
Adds a second user-id with --quick-add-uid, revokes it with --quick-revoke-uid, and verifies the colons-mode --list-keys output keeps both uid records but reports the revoked address with field-2 validity 'r' while the primary stays at non-r validity.
gpg --quick-set-expire shifts the primary key expiration timestamp Original / libgcrypt / usage-gpg-r11-quick-set-expire-shifts-expiration Passed
Generates a 2-day key, runs --quick-set-expire on its fingerprint to push the expiration to 30 days, and verifies the colons-mode pub record's expire field grew by at least 24 days worth of seconds.
gpg --s2k-cipher-algo AES256 selects cipher 9 in the symkey-enc packet Original / libgcrypt / usage-gpg-r11-s2k-cipher-algo-aes256-symenc Passed
Symmetrically encrypts a payload with --s2k-cipher-algo AES256 and verifies --list-packets reports cipher 9 in the symkey-enc packet (OpenPGP RFC 4880 sym alg 9 is AES-256).
gpg --with-keygrip --with-colons --list-keys emits grp records on the public keyring Original / libgcrypt / usage-gpg-r11-with-keygrip-colons-grp Passed
Generates a default key and verifies that --with-keygrip on the public --list-keys output (no --with-secret) emits at least two grp records of 40 uppercase hex chars (one per primary and subkey).
gpg --clearsign output decrypts back to the original payload via --decrypt Original / libgcrypt / usage-gpg-r12-clearsign-roundtrip-recovers-payload Passed
Generates an Ed25519 signing key, runs --clearsign over a known payload, then runs gpg --decrypt against the clearsigned message and verifies the recovered plaintext matches the original byte-for-byte.
gpg --detach-sign verifies original payload but rejects mutated payload Original / libgcrypt / usage-gpg-r12-detach-sign-verify-tampered-fails Passed
Generates an Ed25519 key, produces a detached signature with --detach-sign, verifies it succeeds against the unmodified payload, then mutates the payload and asserts gpg --verify exits non-zero against the tampered file.
gpg --armor --export emits a PUBLIC KEY BLOCK ASCII-armor banner Original / libgcrypt / usage-gpg-r12-export-armor-public-key-banner Passed
Generates an Ed25519 key in an ephemeral GNUPGHOME, exports it with --armor --export, and verifies the output starts and ends with the canonical "BEGIN PGP PUBLIC KEY BLOCK" / "END PGP PUBLIC KEY BLOCK" markers.
gpg armored export imports cleanly into a separate GNUPGHOME Original / libgcrypt / usage-gpg-r12-export-then-import-into-fresh-home Passed
Generates a key in a source GNUPGHOME, exports it with --armor --export, imports it into a brand-new GNUPGHOME, and verifies the imported key shows up as a pub: record in --with-colons --list-keys with the same fingerprint.
gpg --list-config reports RSA in pubkeyname configuration record Original / libgcrypt / usage-gpg-r12-list-config-pubkeyname-rsa Passed
Invokes gpg --with-colons --list-config in an ephemeral GNUPGHOME and verifies the cfg:pubkeyname record exists and includes RSA among the supported public-key algorithms reported by libgcrypt.
gpg --print-md SHA256 of an empty file matches the known SHA-256 digest Original / libgcrypt / usage-gpg-r12-print-md-sha256-empty-input Passed
Creates an empty file and runs gpg --print-md SHA256 against it, then strips spaces and verifies the digest equals the canonical SHA-256 of the empty string (e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855).
gpg --print-md SHA512 of "abc" matches the known canonical digest Original / libgcrypt / usage-gpg-r12-print-md-sha512-known-digest Passed
Writes the bytes "abc" to a file and runs gpg --print-md SHA512, then strips formatting and verifies the digest equals the canonical SHA-512 of "abc" published in FIPS 180-4.
gpg --quick-generate-key registers an ed25519 key visible in --list-secret-keys Original / libgcrypt / usage-gpg-r12-quick-gen-list-secret-keys Passed
Generates an Ed25519 sign-only key in a fresh GNUPGHOME with --quick-generate-key and asserts gpg --with-colons --list-secret-keys emits exactly one sec: record whose fingerprint is 40 uppercase hex characters.
gpg --symmetric --cipher-algo AES256 round-trips a payload Original / libgcrypt / usage-gpg-r12-symmetric-aes256-roundtrip Passed
Symmetrically encrypts a fixed payload with --cipher-algo AES256 and a passphrase under an ephemeral GNUPGHOME, decrypts it back with the same passphrase, and asserts the recovered plaintext is byte-identical to the input.
gpg --version banner advertises libgcrypt linkage Original / libgcrypt / usage-gpg-r12-version-banner-includes-libgcrypt Passed
Runs gpg --version against an ephemeral GNUPGHOME and verifies the banner includes both "gpg (GnuPG)" and "libgcrypt" markers, confirming gpg dynamically links and reports the libgcrypt runtime.
gpg --clearsign output begins with PGP SIGNED MESSAGE banner and embeds the payload Original / libgcrypt / usage-gpg-r13-clearsign-banner-and-payload Passed
Generates an Ed25519 signing key, produces a --clearsign output over a fixed payload, asserts the first line is exactly "-----BEGIN PGP SIGNED MESSAGE-----", and asserts the cleartext payload appears verbatim before the signature block.
gpg --detach-sign followed by --verify succeeds on the original payload Original / libgcrypt / usage-gpg-r13-detached-verify-own-payload Passed
Generates an Ed25519 signing key, produces a detached signature with --detach-sign over a fixed payload, runs gpg --verify against the unmodified payload, and asserts both the verify exit status is zero and the status output reports a Good signature.
gpg --enarmor / --dearmor round-trip recovers a binary blob byte-for-byte Original / libgcrypt / usage-gpg-r13-enarmor-dearmor-binary-blob-cmp Passed
Generates 256 random binary bytes, pipes them through gpg --enarmor to produce an ASCII PGP ARMORED FILE block, asserts the begin and end armor headers are present, then runs gpg --dearmor and asserts the recovered bytes are byte-identical to the original via cmp.
gpg --gen-random 0 emits the requested byte count and produces distinct outputs across runs Original / libgcrypt / usage-gpg-r13-gen-random-byte-count-distinct Passed
Runs gpg --gen-random 0 16 twice into separate files under an ephemeral GNUPGHOME, asserts each file is exactly 16 bytes (the requested length), and asserts the two outputs differ byte-for-byte (random level 0 must vary between calls).
gpg --list-config compressname includes ZIP, ZLIB, and BZIP2 algorithms Original / libgcrypt / usage-gpg-r13-list-config-compressname-zip Passed
Captures cfg:compressname: via --with-colons --list-config compressname and asserts the configured compression algorithm list contains ZIP, ZLIB, and BZIP2, confirming libgcrypt's compressor wiring is intact.
gpg --list-config curve advertises ed25519, cv25519, and a NIST curve Original / libgcrypt / usage-gpg-r13-list-config-curve-includes-multiple Passed
Captures cfg:curve: via --with-colons --list-config curve and asserts the configured ECC curve list includes ed25519, cv25519, and at least one NIST P-curve (nistp256/nistp384/nistp521), confirming libgcrypt's ECC curve table is exposed.
gpg --print-mds emits SHA224 alongside SHA256 and SHA512 labels Original / libgcrypt / usage-gpg-r13-print-mds-includes-sha224 Passed
Runs gpg --batch --print-mds on a fixed payload under an ephemeral GNUPGHOME, redirects stdout to a file, and asserts the listing includes the SHA224, SHA256, and SHA512 algorithm labels (libgcrypt digest table coverage).
gpg --symmetric with AES256 and --digest-algo SHA512 round-trips and uses S2K hash 10 Original / libgcrypt / usage-gpg-r13-symmetric-aes256-digest-sha512 Passed
Symmetrically encrypts a payload with --cipher-algo AES256 and --digest-algo SHA512, asserts the resulting symkey-enc packet records cipher 9 (AES-256) and hash 10 (SHA-512), then decrypts the ciphertext and asserts the recovered plaintext matches the original via cmp.
gpg --textmode --sign followed by --decrypt recovers the original payload byte-for-byte Original / libgcrypt / usage-gpg-r13-textmode-sign-decrypt-roundtrip Passed
Generates an Ed25519 signing key, signs a multi-line text payload with --textmode (canonical-text mode), runs gpg --decrypt on the resulting OpenPGP message, and asserts the recovered plaintext matches the original via cmp.
gpg --version banner starts with "gpg (GnuPG)" Original / libgcrypt / usage-gpg-r13-version-banner-gnupg-marker Passed
Captures gpg --version output under an ephemeral GNUPGHOME and asserts the very first line begins with the canonical "gpg (GnuPG)" identifier so downstream parsers can recognise the implementation.
gpg --dearmor recovers a fixed binary payload from an enarmored block Original / libgcrypt / usage-gpg-r14-enarmor-dearmor-fixed-payload-cmp Passed
Writes a fixed 128-byte payload, runs gpg --enarmor and then gpg --dearmor under an ephemeral GNUPGHOME, and asserts the recovered bytes are byte-identical to the original via cmp — a deterministic round-trip distinct from the random-blob enarmor variant.
gpg --enarmor wraps a fixed binary blob in PGP ARMORED FILE headers Original / libgcrypt / usage-gpg-r14-enarmor-headers-fixed-blob Passed
Pipes a fixed 64-byte payload through gpg --enarmor under an ephemeral GNUPGHOME, asserts the output begins with "-----BEGIN PGP ARMORED FILE-----" and ends with "-----END PGP ARMORED FILE-----", and asserts the body contains a 4-character base64 CRC checksum line beginning with '='.
gpg --encrypt to a self-generated recipient round-trips through --decrypt Original / libgcrypt / usage-gpg-r14-encrypt-to-self-decrypt-roundtrip Passed
Generates an Ed25519/Curve25519 default-future key pair under an ephemeral GNUPGHOME, encrypts a fixed payload to that uid with --trust-model always, decrypts the resulting OpenPGP message, and asserts the recovered plaintext is byte-identical to the original via cmp.
gpg --gen-random level 2 emits exactly the requested byte count Original / libgcrypt / usage-gpg-r14-gen-random-level2-eight-bytes Passed
Runs gpg --gen-random 2 8 (quality level 2 — strong RNG) under an ephemeral GNUPGHOME, redirects 8 raw bytes to a file, and asserts the output is exactly 8 bytes and that two independent calls produce different byte sequences.
gpg --list-config compressname reports ZIP among the supported compression algorithms Original / libgcrypt / usage-gpg-r14-list-config-compressname-includes-zip Passed
Runs gpg --with-colons --list-config compressname under an ephemeral GNUPGHOME and asserts the colon-format record contains both Uncompressed and ZIP among the supported compression algorithms (libgcrypt-backed compression registration).
gpg -K on a fresh GNUPGHOME emits no sec records Original / libgcrypt / usage-gpg-r14-list-secret-keys-empty-home Passed
Creates a brand-new ephemeral GNUPGHOME, runs gpg --batch --with-colons -K (the short form of --list-secret-keys), and asserts the colon output contains zero sec: records (no secret keys present).
gpg --print-mds emits RMD160 alongside MD5 and SHA1 labels Original / libgcrypt / usage-gpg-r14-print-mds-includes-rmd160 Passed
Runs gpg --batch --print-mds on a fixed payload under an ephemeral GNUPGHOME and asserts the multi-digest listing contains the MD5, SHA1, and RMD160 algorithm labels — a libgcrypt digest-table coverage check distinct from the SHA224/256/512 r13 variant.
gpg --symmetric --cipher-algo AES128 round-trips and records cipher 7 in the symkey-enc packet Original / libgcrypt / usage-gpg-r14-symmetric-aes128-cipher-7-roundtrip Passed
Symmetrically encrypts a fixed payload with --cipher-algo AES128 and a passphrase under an ephemeral GNUPGHOME, asserts the resulting symkey-enc packet declares cipher 7 (AES-128 per RFC 4880), then decrypts and asserts the recovered plaintext matches the input via cmp.
gpg --version banner advertises the active Home directory path Original / libgcrypt / usage-gpg-r14-version-shows-home-line Passed
Runs gpg --version against an ephemeral GNUPGHOME and asserts the output banner contains a "Home:" entry pointing at the configured GNUPGHOME path, confirming gpg honors GNUPGHOME and reports it back through the --version banner.
gpg --with-fingerprint --list-keys emits a 40-hex grouped fingerprint line Original / libgcrypt / usage-gpg-r14-with-fingerprint-list-keys-hex Passed
Generates an Ed25519 sign-only key in a fresh GNUPGHOME, runs gpg --with-fingerprint --list-keys, and asserts the human-readable output contains an indented fingerprint line of ten 4-hex groups (40 hex digits total) separated by single spaces with a double-space midline gap, plus the uid being listed.
gpg --detach-sign produces a binary signature that --verify accepts Original / libgcrypt / usage-gpg-r15-detached-binary-sign-verify-roundtrip Passed
Generates an Ed25519 sign-only key in an ephemeral GNUPGHOME, produces a binary detached signature with --detach-sign (no --armor), asserts the resulting .sig file is a non-empty binary blob whose first byte is NOT '-' (i.e., not an ASCII-armor header), then asserts gpg --verify accepts the detached signature against the original payload.
gpg binary --export imports cleanly into a fresh GNUPGHOME with a stable fingerprint Original / libgcrypt / usage-gpg-r15-export-import-fingerprint-stable-binary Passed
Generates an Ed25519 sign-only key in a source GNUPGHOME, exports it as a binary OpenPGP packet stream (no --armor) into a file, asserts the export file is non-empty and that its first byte is NOT '-' (i.e., not ASCII-armored), imports the binary export into a brand-new GNUPGHOME, and asserts the destination fingerprint matches the source fingerprint byte-for-byte — distinct from the r12 armored export/import variant.
gpg --list-config pubkeyname reports ELG among the supported public-key algorithms Original / libgcrypt / usage-gpg-r15-list-config-pubkeyname-includes-elg Passed
Runs gpg --batch --with-colons --list-config pubkeyname under an ephemeral GNUPGHOME and asserts the colon record begins with the expected cfg:pubkeyname: prefix and contains both RSA and ELG (ElGamal) algorithm tokens — exercising libgcrypt's public-key registration table.
gpg --list-keys on a fresh GNUPGHOME emits zero pub: records Original / libgcrypt / usage-gpg-r15-list-keys-empty-pub-count-zero Passed
Creates a brand-new ephemeral GNUPGHOME, runs gpg --batch --with-colons --list-keys, counts pub: records via awk, and asserts the count is exactly zero — confirming the public keyring is empty when GNUPGHOME is freshly minted.
gpg --no-options --version still emits the libgcrypt-aware version banner Original / libgcrypt / usage-gpg-r15-no-options-flag-version-banner Passed
Runs gpg --no-options --version against an ephemeral GNUPGHOME, asserting that even with options-file processing disabled the banner is still produced and contains the literal "gpg (GnuPG)" prefix and a "libgcrypt" line — confirming gpg honors --no-options without dropping its libgcrypt runtime banner.
gpg --print-mds emits a SHA384 line alongside MD5 and SHA1 labels Original / libgcrypt / usage-gpg-r15-print-mds-includes-sha384 Passed
Runs gpg --batch --print-mds on a fixed payload under an ephemeral GNUPGHOME and asserts the multi-digest listing contains the MD5, SHA1, and SHA384 algorithm labels — a libgcrypt digest-table coverage check distinct from the SHA224/SHA512 r13 variants.
gpg --quick-generate-key rsa3072 produces a 40-uppercase-hex fingerprint Original / libgcrypt / usage-gpg-r15-quick-gen-rsa3072-fpr-uppercase-hex Passed
Generates an RSA-3072 signing key in a fresh ephemeral GNUPGHOME, runs gpg --batch --with-colons --list-keys, extracts the fpr record's field 10 with awk, and asserts the value is exactly 40 characters and matches the uppercase hex pattern [A-F0-9]{40} — exercising libgcrypt's RSA keygen at a 3072-bit modulus distinct from r9's rsa2048 case.
gpg --symmetric --armor emits a radix-64 CRC line plus PGP MESSAGE banners Original / libgcrypt / usage-gpg-r15-symmetric-armor-radix64-checksum-line Passed
Symmetrically encrypts a fixed payload with --armor under an ephemeral GNUPGHOME, asserts the output begins with "-----BEGIN PGP MESSAGE-----" and ends with "-----END PGP MESSAGE-----", asserts a radix-64 CRC line of the form '=' followed by exactly four base64 characters appears on its own line, and decrypts back to the original payload via cmp.
gpg --symmetric --passphrase-fd reads the passphrase from a file descriptor and round-trips Original / libgcrypt / usage-gpg-r15-symmetric-passphrase-fd-roundtrip Passed
Symmetrically encrypts a fixed payload by feeding the passphrase via --passphrase-fd 0 (stdin) under an ephemeral GNUPGHOME, decrypts back the same way, and asserts the recovered plaintext matches the original via cmp — exercising libgcrypt's S2K + symmetric crypto path under fd-based passphrase entry rather than literal --passphrase.
gpg --symmetric --cipher-algo TWOFISH round-trips and records cipher 10 in the symkey-enc packet Original / libgcrypt / usage-gpg-r15-symmetric-twofish-cipher-10-roundtrip Passed
Symmetrically encrypts a fixed payload with --cipher-algo TWOFISH and a passphrase under an ephemeral GNUPGHOME, asserts the resulting symkey-enc packet declares cipher 10 (Twofish per RFC 4880), then decrypts and asserts the recovered plaintext matches the input via cmp.
gpg --list-keys on a fresh GNUPGHOME exits zero with empty stdout Original / libgcrypt / usage-gpg-r16-empty-home-list-keys-rc-zero Passed
Creates a brand-new GNUPGHOME, runs gpg --batch --list-keys, asserts the exit status is zero and the captured stdout is empty (no key records appear when the public keyring is freshly created), a smoke check distinct from the r15 colons-count variant.
gpg --enarmor then --dearmor recovers a 256-byte perl-built ramp Original / libgcrypt / usage-gpg-r16-enarmor-dearmor-perl-bytes-roundtrip Passed
Builds a deterministic 256-byte ramp (0..255) via perl, runs gpg --enarmor and gpg --dearmor under an ephemeral GNUPGHOME, and asserts the recovered bytes are byte-identical to the original via cmp — a longer payload than the r14 128-byte variant.
gpg --gen-random 0 16 emits exactly 16 bytes from the weak-quality RNG Original / libgcrypt / usage-gpg-r16-gen-random-quality0-sixteen-bytes Passed
Runs gpg --gen-random 0 16 (libgcrypt quality level 0 — weak) under an ephemeral GNUPGHOME and asserts the output is exactly 16 raw bytes and two independent calls produce different sequences, exercising the libgcrypt RNG at the low-quality level.
gpg --gen-random 1 32 emits 32 non-all-zero bytes from the medium-quality RNG Original / libgcrypt / usage-gpg-r16-gen-random-quality1-thirty-two-bytes Passed
Runs gpg --gen-random 1 32 under an ephemeral GNUPGHOME and asserts the output is exactly 32 raw bytes and not the all-zero buffer, exercising libgcrypt's medium-quality (level 1) RNG path through gpg.
gpg --list-config ciphername line lists AES256 Original / libgcrypt / usage-gpg-r16-list-config-ciphername-includes-aes256 Passed
Runs gpg --list-config under an ephemeral GNUPGHOME and asserts the "ciphername:" row mentions AES256 (libgcrypt provides AES with a 256-bit key as a registered cipher), exercising gpg's --list-config reflection of libgcrypt's compiled-in ciphers.
gpg --print-md SHA1 of "abc" matches the FIPS-180 known-answer Original / libgcrypt / usage-gpg-r16-print-md-sha1-abc-vector Passed
Hashes the three-byte payload "abc" with gpg --print-md SHA1 and asserts the lowercase hex digest equals the canonical FIPS-180 SHA-1 known-answer a9993e364706816aba3e25717850c26c9cd0d89d, exercising libgcrypt's SHA-1 implementation on a fixed-input KAT.
gpg --print-md SHA256 of "abc" matches the FIPS-180 known-answer Original / libgcrypt / usage-gpg-r16-print-md-sha256-fips-abc-vector Passed
Hashes the three-byte payload "abc" with gpg --print-md SHA256 and asserts the lowercase hex digest equals the canonical FIPS-180 SHA-256 known-answer ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad, exercising libgcrypt's SHA-256 implementation on a fixed-input KAT. Extracts only the file-prefixed digest line via awk to skip any keybox-creation notice.
gpg --print-md SHA512 of an empty input matches the published KAT Original / libgcrypt / usage-gpg-r16-print-md-sha512-empty-vector Passed
Hashes a zero-byte input with gpg --print-md SHA512 and asserts the lowercase hex digest equals the canonical SHA-512 known-answer for the empty string cf83e1357eefb8bd...3e85a6b3b1fa3 (truncated in description, full value is enforced), exercising libgcrypt's SHA-512 implementation on a fixed-input KAT. Extracts only the file-prefixed digest line via awk.
gpg --print-mds on empty input emits MD5 = d41d8cd98f00b204e9800998ecf8427e Original / libgcrypt / usage-gpg-r16-print-mds-empty-md5-known-answer Passed
Runs gpg --print-mds on a zero-byte file and asserts the MD5 line of the multi-digest listing equals the canonical empty-string MD5 d41d8cd98f00b204e9800998ecf8427e (case-insensitive hex match), exercising libgcrypt's MD5 implementation on the empty input KAT.
gpg --version banner mentions libgcrypt Original / libgcrypt / usage-gpg-r16-version-mentions-libgcrypt Passed
Runs gpg --version under an ephemeral GNUPGHOME and asserts the banner contains the substring "libgcrypt" (case-insensitive — gpg 2.4 prints the library line as "libgcrypt X.Y.Z"), confirming the gpg binary is linked against libgcrypt and reports its name in the version block.
gpg --check-trustdb on a fresh GNUPGHOME exits zero and creates trustdb.gpg Original / libgcrypt / usage-gpg-r17-check-trustdb-empty-home-creates-trustdb Passed
Creates a brand-new GNUPGHOME with no keys, runs gpg --batch --check-trustdb, and asserts the exit status is zero and a trustdb.gpg file exists afterwards, exercising libgcrypt-backed gpg's trustdb walk on a key-less keyring (distinct from the existing test that requires a generated key first).
gpg --gen-random 0 1 emits exactly 1 byte Original / libgcrypt / usage-gpg-r17-gen-random-quality0-one-byte Passed
Runs gpg --gen-random 0 1 (libgcrypt quality level 0 — weak) under an ephemeral GNUPGHOME and asserts the captured output is exactly 1 byte long, exercising the smallest non-zero RNG request.
gpg --import on a non-key file exits non-zero Original / libgcrypt / usage-gpg-r17-import-non-key-file-fails Passed
Attempts to import a plain text file (definitely not an OpenPGP keyring) via gpg --batch --import under an ephemeral GNUPGHOME and asserts the exit status is non-zero, exercising libgcrypt-backed gpg's keyring parser refusing to ingest random data.
gpg --list-config --with-colons emits a pubkeyname row Original / libgcrypt / usage-gpg-r17-list-config-emits-pubkeyname-row Passed
Runs gpg --list-config --with-colons under an ephemeral GNUPGHOME and asserts the output contains at least one line matching the "cfg:pubkeyname:" prefix, exercising gpg's --list-config reflection of libgcrypt's registered public-key algorithm list (without requiring a specific algorithm name).
gpg --print-md MD5 of "abc" matches the RFC 1321 known-answer Original / libgcrypt / usage-gpg-r17-print-md-md5-abc-vector Passed
Hashes the three-byte payload "abc" with gpg --print-md MD5 and asserts the lowercase hex digest equals the canonical RFC 1321 MD5 known-answer 900150983cd24fb0d6963f7d28e17f72, exercising libgcrypt's MD5 implementation on a fixed-input KAT (distinct from the older "hello" KAT test).
gpg --print-md SHA224 of "abc" matches the FIPS-180 known-answer Original / libgcrypt / usage-gpg-r17-print-md-sha224-abc-vector Passed
Hashes the three-byte payload "abc" with gpg --print-md SHA224 and asserts the lowercase hex digest equals the canonical FIPS-180 SHA-224 known-answer 23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7, exercising libgcrypt's SHA-224 implementation on a fixed-input KAT.
gpg --print-md SHA384 of an empty input matches the published KAT Original / libgcrypt / usage-gpg-r17-print-md-sha384-empty-vector Passed
Hashes a zero-byte input with gpg --print-md SHA384 and asserts the lowercase hex digest equals the canonical SHA-384 known-answer 38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b, exercising libgcrypt's SHA-384 implementation on a fixed-input KAT.
gpg --version banner Pubkey algorithm list mentions RSA Original / libgcrypt / usage-gpg-r17-version-pubkey-rsa-present Passed
Runs gpg --version under an ephemeral GNUPGHOME and asserts the banner contains the substring "RSA" in its compiled-in Pubkey algorithm list (gpg 2.4 emits "Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA" on noble), exercising libgcrypt's compiled-in public-key algorithm reflection through gpg --version.
gpg --gen-random --armor 0 24 emits base64-shaped output of expected length Original / libgcrypt / usage-gpg-r18-gen-random-armored-base64-shape Passed
Runs gpg --gen-random --armor 0 24 under an ephemeral GNUPGHOME and asserts the output is a single base64 line consisting only of A-Z, a-z, 0-9, +, /, = and is exactly 32 chars long (24 bytes encodes to 32 base64 chars, no padding needed since 24%3==0), exercising the armor-encoded random output path.
gpg --gen-random 2 64 emits exactly 64 bytes and is not all-zeros Original / libgcrypt / usage-gpg-r18-gen-random-quality2-sixty-four-bytes Passed
Runs gpg --gen-random 2 64 (libgcrypt quality level 2 — long-term) under an ephemeral GNUPGHOME and asserts the output is exactly 64 raw bytes and contains at least one non-zero byte (rejecting the degenerate all-zero output), exercising the long-term-quality RNG at a 64-byte payload distinct from existing 8/16/32-byte coverage.
gpg --list-config --with-colons emits a cfg:curve: row mentioning secp256k1 Original / libgcrypt / usage-gpg-r18-list-config-curve-mentions-secp256k1 Passed
Runs gpg --list-config --with-colons under an ephemeral GNUPGHOME, extracts the cfg:curve: row, and asserts the field contains the literal token "secp256k1" (libgcrypt 1.10 on noble ships secp256k1 as part of the gpg curve registry), exercising gpg's --list-config reflection of libgcrypt's curve list.
gpg --list-config --with-colons emits a digestname row mentioning SHA256 Original / libgcrypt / usage-gpg-r18-list-config-digestname-row Passed
Runs gpg --list-config --with-colons under an ephemeral GNUPGHOME, extracts the cfg:digestname: row, and asserts the field contains the literal token "SHA256" (libgcrypt always exposes SHA-256 in the gpg 2.4 digest registry), exercising gpg's --list-config reflection of libgcrypt's digest algorithm list.
gpg --print-md SHA1 of the quick-brown-fox pangram matches the canonical KAT Original / libgcrypt / usage-gpg-r18-print-md-sha1-pangram-vector Passed
Hashes the canonical 43-byte pangram "The quick brown fox jumps over the lazy dog" with gpg --print-md SHA1 and asserts the lowercase hex digest equals 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12, exercising libgcrypt's SHA-1 implementation on a known KAT distinct from abc and empty-string vectors.
gpg --print-md SHA256 of FIPS-180 56-byte abcdbcde test vector matches KAT Original / libgcrypt / usage-gpg-r18-print-md-sha256-abcdbcde-vector Passed
Hashes the 56-byte FIPS-180 SHA-256 test message "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" via gpg --print-md SHA256 and asserts the lowercase hex digest equals the published KAT 248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1, exercising libgcrypt's SHA-256 on a multi-block input distinct from the abc vector.
gpg --print-md SHA512 of the quick-brown-fox pangram matches the canonical KAT Original / libgcrypt / usage-gpg-r18-print-md-sha512-pangram-vector Passed
Hashes the canonical 43-byte pangram "The quick brown fox jumps over the lazy dog" with gpg --print-md SHA512 and asserts the lowercase hex digest equals 07e547d9586f6a73f73fbac0435ed76951218fb7d0c8d788a309d785436bbb642e93a252a954f23912547d1e8a3b5ed6e1bfd7097821233fa0538f3db854fee6, exercising libgcrypt's SHA-512 on a known KAT distinct from the empty and abc vectors.
gpg --symmetric then --decrypt roundtrip yields the original plaintext Original / libgcrypt / usage-gpg-r18-symmetric-encrypt-decrypt-roundtrip Passed
Encrypts a fixed plaintext "round18 symmetric payload" with gpg --symmetric using a known passphrase via --pinentry-mode loopback and AES256, decrypts the resulting ciphertext, and asserts the decrypted bytes match the original byte-for-byte, exercising libgcrypt's symmetric encrypt/decrypt path end-to-end.
gpg --decrypt with the wrong passphrase on a --symmetric ciphertext fails Original / libgcrypt / usage-gpg-r18-symmetric-wrong-passphrase-fails Passed
Symmetrically encrypts a fixed plaintext with passphrase A, then attempts to decrypt with passphrase B via --pinentry-mode loopback and asserts the decrypt exit code is non-zero, exercising libgcrypt's S2K integrity-check / MDC failure path on a wrong-passphrase attempt.
gpg --version banner Cipher algorithm list mentions AES256 Original / libgcrypt / usage-gpg-r18-version-banner-cipher-aes-present Passed
Runs gpg --version under an ephemeral GNUPGHOME and asserts the banner contains the substring "AES256" in its compiled-in Cipher algorithm list (gpg 2.4 on noble exposes AES, AES192, AES256, and others via libgcrypt), exercising libgcrypt's cipher algorithm reflection through gpg --version.
gpg --gen-random 1 32 produces 32 raw bytes that differ between two invocations Original / libgcrypt / usage-gpg-r19-gen-random-32-bytes-distinct Passed
Invokes gpg --gen-random 1 32 twice (quality level 1, 32 bytes each), asserts each output is exactly 32 bytes, and asserts the two outputs are not byte-identical (libgcrypt's quality-1 generator must not return a fixed payload), exercising the random-number generator output sizing and non-degeneracy through gpg.
gpg --list-config --with-colons compressname row mentions ZLIB Original / libgcrypt / usage-gpg-r19-list-config-compressname-zlib Passed
Runs gpg --list-config --with-colons under an ephemeral GNUPGHOME, extracts the cfg:compressname: row, and asserts the field contains the literal token "ZLIB" (libgcrypt always exposes ZLIB in the gpg 2.4 compression algorithm registry), exercising gpg's --list-config reflection of the compiled-in compression list.
gpg --print-md MD5 of the empty input matches the RFC 1321 KAT Original / libgcrypt / usage-gpg-r19-print-md-md5-empty-vector Passed
Hashes a zero-byte input with gpg --print-md MD5 and asserts the lowercase hex digest equals the canonical RFC 1321 MD5 empty-string KAT d41d8cd98f00b204e9800998ecf8427e, exercising libgcrypt's MD5 path on the empty message.
gpg --print-md SHA1 of the empty input matches the RFC 3174 KAT Original / libgcrypt / usage-gpg-r19-print-md-sha1-empty-vector Passed
Hashes a zero-byte input with gpg --print-md SHA1 and asserts the lowercase hex digest equals the canonical SHA-1 empty-string KAT da39a3ee5e6b4b0d3255bfef95601890afd80709, exercising libgcrypt's SHA-1 path on the empty message.
gpg --print-md SHA224 of the empty input matches the FIPS-180 KAT Original / libgcrypt / usage-gpg-r19-print-md-sha224-empty-vector Passed
Hashes a zero-byte input with gpg --print-md SHA224 and asserts the lowercase hex digest equals the published FIPS-180 KAT d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f, exercising libgcrypt's SHA-224 implementation on the empty message.
gpg --print-md SHA256 of the empty input matches the FIPS-180 KAT Original / libgcrypt / usage-gpg-r19-print-md-sha256-empty-vector Passed
Hashes a zero-byte input with gpg --print-md SHA256 and asserts the lowercase hex digest equals the published FIPS-180 SHA-256 KAT e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, exercising libgcrypt's SHA-256 path on the canonical empty-message vector.
gpg --print-md SHA512 of the empty input matches the FIPS-180 KAT Original / libgcrypt / usage-gpg-r19-print-md-sha512-empty-vector Passed
Hashes a zero-byte input with gpg --print-md SHA512 and asserts the lowercase hex digest equals the published FIPS-180 SHA-512 KAT cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e, exercising libgcrypt's SHA-512 path on the empty message.
gpg --symmetric --cipher-algo AES128 roundtrips a binary plaintext byte-for-byte Original / libgcrypt / usage-gpg-r19-symmetric-aes128-roundtrip Passed
Encrypts a 1 KiB pseudo-random plaintext (built from /dev/urandom) via gpg --symmetric with AES128 and a fixed passphrase via --pinentry-mode loopback, decrypts the resulting ciphertext, and asserts the recovered bytes match the original byte-for-byte, exercising libgcrypt's AES-128 symmetric encrypt/decrypt path (distinct from the r18 AES-256 coverage).
gpg --symmetric --armor output opens and closes with PGP MESSAGE delimiters Original / libgcrypt / usage-gpg-r19-symmetric-armor-line-shape Passed
Encrypts a short fixed plaintext via gpg --symmetric --armor with AES256 and a fixed passphrase, then asserts the resulting ASCII-armored output starts with the literal "-----BEGIN PGP MESSAGE-----" header line and ends with the matching "-----END PGP MESSAGE-----" trailer, exercising libgcrypt's armored output framing through gpg.
gpg --version banner Cipher row mentions 3DES Original / libgcrypt / usage-gpg-r19-version-banner-cipher-3des-present Passed
Runs gpg --version under an ephemeral GNUPGHOME and asserts the banner's "Cipher:" row contains the substring "3DES" (libgcrypt always compiles in the legacy 3DES cipher on the noble baseline), exercising libgcrypt's compiled-in cipher algorithm reflection through gpg --version.
gpg --gen-random 1 128 emits exactly 128 raw bytes Original / libgcrypt / usage-gpg-r20-gen-random-quality1-128-bytes Passed
Calls gpg --gen-random 1 128 and asserts the captured output is exactly 128 bytes in length - locking in libgcrypt's random byte generator at quality level 1 for a length distinct from earlier rounds.
gpg --list-config --with-colons digestname row mentions SHA256 Original / libgcrypt / usage-gpg-r20-list-config-digestname-sha256 Passed
Runs gpg --list-config --with-colons under an ephemeral GNUPGHOME, extracts the cfg:digestname: row, and asserts it contains the literal token "SHA256" - locking in libgcrypt's SHA256 entry in gpg's compiled-in digest algorithm registry.
gpg --list-config --with-colons pubkeyname row mentions DSA Original / libgcrypt / usage-gpg-r20-list-config-pubkeyname-mentions-dsa Passed
Runs gpg --list-config --with-colons under an ephemeral GNUPGHOME, extracts the cfg:pubkeyname: row, and asserts it contains the literal token "DSA" - locking in libgcrypt's DSA entry in gpg's compiled-in public-key algorithm registry (distinct from prior RSA and ELG coverage).
gpg --print-md MD5 of "abcdefghijklmnopqrstuvwxyz" matches RFC 1321 KAT Original / libgcrypt / usage-gpg-r20-print-md-md5-alphabet-vector Passed
Pipes the 26-byte ASCII lowercase alphabet to gpg --print-md MD5 and asserts the captured lowercase hex digest equals c3fcd3d76192e4007dfb496cca67e13b (RFC 1321 known-answer) - locking in libgcrypt's MD5 path on the alphabet KAT, distinct from earlier rounds' "abc" and empty-input MD5 coverage.
gpg --print-md RIPEMD160 of empty input matches the canonical KAT Original / libgcrypt / usage-gpg-r20-print-md-ripemd160-empty-vector Passed
Pipes a zero-byte file to gpg --print-md RIPEMD160 and asserts the captured lowercase hex digest equals 9c1185a5c5e9fc54612808977ee8f548b2258d31 - locking in libgcrypt's RIPEMD160 path on the empty-input boundary (distinct from prior rounds' abc and "hello" RIPEMD160 KAT coverage).
gpg --print-md SHA224 of the FIPS pangram matches the canonical KAT Original / libgcrypt / usage-gpg-r20-print-md-sha224-pangram-vector Passed
Pipes the 43-byte pangram "The quick brown fox jumps over the lazy dog" to gpg --print-md SHA224 and asserts the captured lowercase digest equals 730e109bd7a8a32b1cb9d9a09aa2325d2430587ddbc0c38bad911525 - locking in libgcrypt's SHA224 path on the canonical pangram vector (distinct from r17 SHA224 abc and existing SHA1 pangram coverage).
gpg --print-md SHA3-384 on empty input matches the published KAT Original / libgcrypt / usage-gpg-r20-print-md-sha3-384-empty-vector Passed
Pipes a zero-byte file to gpg --print-md SHA3-384 and asserts the captured digest equals the published SHA3-384("") known answer (0c63a75b...51e7f3d52e7afc62), exercising libgcrypt's SHA3-384 digest path on the empty-input boundary (a digest variant not covered by prior rounds).
gpg --symmetric --cipher-algo AES192 roundtrips a 512-byte plaintext Original / libgcrypt / usage-gpg-r20-symmetric-aes192-roundtrip Passed
Encrypts 512 bytes of random data via gpg --symmetric --cipher-algo AES192 with a fixed passphrase under --pinentry-mode loopback, decrypts the resulting ciphertext, and asserts the recovered bytes match the original byte-for-byte - locking in libgcrypt's AES-192 symmetric encrypt/decrypt path (distinct from the existing AES128 and AES256 r19/r18 coverage).
gpg --symmetric --cipher-algo TWOFISH roundtrips a 768-byte plaintext Original / libgcrypt / usage-gpg-r20-symmetric-twofish-roundtrip Passed
Encrypts 768 bytes of random data via gpg --symmetric --cipher-algo TWOFISH with a fixed passphrase under --pinentry-mode loopback, decrypts the resulting ciphertext, and asserts the recovered bytes match the original byte-for-byte - locking in libgcrypt's Twofish symmetric encrypt/decrypt path at a size distinct from prior rounds.
gpg --version banner advertises a Compression algorithm group Original / libgcrypt / usage-gpg-r20-version-banner-compression-section Passed
Runs gpg --version under an ephemeral GNUPGHOME and asserts the captured banner contains a "Compression:" or "Compress:" section label (libgcrypt-backed gpg always advertises its compiled-in compression algorithms in the version banner) - locking in the compression-section advertisement of the version banner.
gpg --enarmor emits the PGP ARMORED FILE banner and the dearmor-comment line Original / libgcrypt / usage-gpg-r21-enarmor-banner-comment-line Passed
Pipes a fixed 8-byte payload through gpg --enarmor and asserts the captured output contains the exact "-----BEGIN PGP ARMORED FILE-----" banner, the literal Comment line advising "gpg --dearmor" for unpacking, and the closing "-----END PGP ARMORED FILE-----" trailer - locking in libgcrypt's enarmor banner shape that wraps a non-OpenPGP-message radix-64 block.
gpg --enarmor then --dearmor roundtrips 256 random bytes exactly Original / libgcrypt / usage-gpg-r21-enarmor-dearmor-binary-roundtrip-256 Passed
Generates 256 bytes of /dev/urandom into a binary file, pipes them through gpg --enarmor to produce a radix-64 armored block, pipes the armored block back through gpg --dearmor, and asserts the recovered bytes match the original via cmp -s - locking in libgcrypt's radix-64 encode/decode roundtrip path at a 256-byte payload distinct from earlier fixed-blob and perl-bytes roundtrip cases.
gpg --gen-random 2 128 emits exactly 128 bytes of strong-quality randomness Original / libgcrypt / usage-gpg-r21-gen-random-quality2-128-bytes Passed
Runs gpg --gen-random 2 128 to request 128 bytes from libgcrypt's strong-quality RNG (level 2) under an ephemeral GNUPGHOME, asserts the output is exactly 128 bytes, and that the bytes are not all identical (a trivial RNG sanity check) - locking in libgcrypt's GCRY_VERY_STRONG_RANDOM byte count at a 128-byte request distinct from prior 4/8/64-byte quality-2 tests.
gpg --list-config --with-colons cfg:curve row includes cv25519 Original / libgcrypt / usage-gpg-r21-list-config-curve-includes-cv25519 Passed
Runs gpg --list-config --with-colons under an ephemeral GNUPGHOME, extracts the cfg:curve: row, and asserts that splitting it on semicolons yields a token equal to exactly "cv25519" - locking in libgcrypt's cv25519 ECDH curve registration as a distinct semicolon token in gpg's compiled-in curve list (existing rounds checked ed25519, nistp256, secp256k1 but not cv25519 token-wise).
gpg --print-md RIPEMD160 of the lazy-dog pangram matches the RFC vector Original / libgcrypt / usage-gpg-r21-print-md-ripemd160-pangram-vector Passed
Computes the RIPEMD-160 digest of the canonical "The quick brown fox jumps over the lazy dog" pangram via gpg --print-md and asserts the captured uppercase-hex digest equals the published vector 37F332F68DB77BD9D7EDD4969571AD671CF9DD3B, locking in libgcrypt's RIPEMD-160 implementation on a 43-byte input distinct from prior abc and empty-input vectors.
gpg --print-md SHA3-256 of "abcdefghijklmnopqrstuvwxyz" matches NIST vector Original / libgcrypt / usage-gpg-r21-print-md-sha3-256-alphabet-vector Passed
Computes the SHA3-256 digest of the 26-character lowercase alphabet via gpg --print-md and asserts the captured uppercase-hex digest (whitespace stripped) equals the published NIST CAVS vector 7CAB2DC765E21B241DBC1C255CE620B29F527C6D5E7F5F843E56288F0D707521, locking in libgcrypt's SHA3-256 implementation on a 26-byte input distinct from prior abc and empty-input vectors.
gpg --print-md SHA3-384 of "abc" matches the NIST abc vector Original / libgcrypt / usage-gpg-r21-print-md-sha3-384-abc-vector Passed
Computes the SHA3-384 digest of the three-byte literal "abc" via gpg --print-md and asserts the captured uppercase-hex digest equals the NIST CAVS vector EC01498288516FC926459F58E2C6AD8DF9B473CB0FC08C2596DA7CF0E49BE4B298D88CEA927AC7F539F1EDF228376D25, locking in libgcrypt's SHA3-384 implementation on the canonical abc input (the existing r20 case covered only the empty-input vector).
gpg --print-md SHA3-512 of "abcdefghijklmnopqrstuvwxyz" matches NIST vector Original / libgcrypt / usage-gpg-r21-print-md-sha3-512-alphabet-vector Passed
Computes the SHA3-512 digest of the 26-character lowercase alphabet via gpg --print-md and asserts the captured uppercase-hex digest equals the published NIST CAVS vector AF328D17FA28753A3C9F5CB72E376B90440B96F0289E5703B729324A975AB384EDA565FC92AADED143669900D761861687ACDC0A5FFA358BD0571AAAD80ACA68, locking in libgcrypt's SHA3-512 implementation on a non-trivial input distinct from the existing abc and empty vectors.
gpg --quick-generate-key ed25519 produces a pub record with algorithm 22 (EdDSA) Original / libgcrypt / usage-gpg-r21-quick-gen-ed25519-pubalgo-22 Passed
Generates an ed25519 signing key in a fresh ephemeral GNUPGHOME using gpg --quick-generate-key, parses the resulting --with-colons --list-keys output for the pub record, and asserts field 4 (public-key algorithm id) is exactly 22 and field 17 (curve name) is exactly "ed25519" - locking in libgcrypt's ed25519 keygen registering with gpg's pubkey algorithm 22 (EdDSA) and reporting the curve via colons output (previous rounds covered RSA-3072 fingerprint uppercasing and nistp384 quick-gen but no algorithm-id assertion).
gpg --symmetric --cipher-algo CAMELLIA128 roundtrips a 384-byte payload Original / libgcrypt / usage-gpg-r21-symmetric-camellia128-roundtrip Passed
Encrypts 384 bytes of /dev/urandom output with gpg --symmetric --cipher-algo CAMELLIA128 under --pinentry-mode loopback with a fixed passphrase, decrypts the ciphertext, and asserts the recovered bytes match the original byte-for-byte - locking in libgcrypt's CAMELLIA-128 symmetric encrypt/decrypt path (existing rounds covered CAMELLIA192 and CAMELLIA256 roundtrips but not the 128-bit variant via a roundtrip).
gpg clearsign armor includes Hash header Original / libgcrypt / usage-gpg-r9-clearsign-armor-header-version Passed
Generates a clearsigned message and verifies the ASCII-armored output contains the Hash header documenting the digest algorithm.
gpg detached sign and verify Original / libgcrypt / usage-gpg-r9-detached-sign-verify-roundtrip Passed
Creates a detached binary signature for a payload and verifies it with --verify, asserting the verification status reports the signing key.
gpg --list-config curve includes nistp256 Original / libgcrypt / usage-gpg-r9-list-config-curve-nistp256 Passed
Calls gpg --list-config curve and verifies the supported-curves line includes nistp256 alongside other standard curves.
gpg --list-keys on empty keyring Original / libgcrypt / usage-gpg-r9-list-keys-empty-keyring Passed
Initializes a fresh GNUPGHOME and confirms gpg --list-keys returns successfully and produces no key entries.
gpg --print-md SHA224 KAT for empty input Original / libgcrypt / usage-gpg-r9-print-md-sha224-kat Passed
Computes the SHA224 digest of an empty input via gpg --print-md and verifies the output matches the canonical NIST KAT prefix.
gpg --print-md SHA512 from stdin Original / libgcrypt / usage-gpg-r9-print-md-sha512-stdin Passed
Pipes a known string into gpg --print-md SHA512 and verifies the digest matches the canonical SHA-512 hex for that input.
gpg --quick-generate-key RSA emits fingerprint Original / libgcrypt / usage-gpg-r9-quick-generate-rsa-fingerprint Passed
Generates an RSA-2048 signing key in a fresh GNUPGHOME and verifies a 40-character hex fingerprint can be extracted via --with-colons.
gpg symmetric binary file lacks ASCII armor header Original / libgcrypt / usage-gpg-r9-symmetric-binary-magic Passed
Encrypts a file symmetrically without --armor and verifies the resulting bytes do not contain the BEGIN PGP MESSAGE armor banner.
gpg symmetric with --compress-algo zip Original / libgcrypt / usage-gpg-r9-symmetric-compress-algo-zip Passed
Symmetrically encrypts a file with --compress-algo zip and decrypts the result, verifying the plaintext roundtrip succeeds.
gpg --version reports banner Original / libgcrypt / usage-gpg-r9-version-banner Passed
gpg binary recipient encryption Original / libgcrypt / usage-gpg-recipient-binary-encrypt Passed
gpg recipient encrypt armor Original / libgcrypt / usage-gpg-recipient-encrypt-armor Passed
Encrypts an armored message to a generated recipient key and verifies the decrypted plaintext round trip.
gpg recipient encrypt+decrypt with --cipher-algo AES128 Original / libgcrypt / usage-gpg-recipient-encrypt-cipher-aes128 Passed
Generates an RSA encryption key and round-trips a public-key encrypted message while pinning the session cipher to AES128 via --cipher-algo, asserting the recovered plaintext matches.
gpg recipient encrypt with --compress-algo BZIP2 Original / libgcrypt / usage-gpg-recipient-encrypt-compress-bzip2 Passed
Encrypts a compressible payload to a generated recipient using --compress-algo BZIP2, verifies the OpenPGP packet stream contains a compressed packet with algo=3 (BZip2), and round-trips the plaintext through decryption.
gpg recipient encrypt with --compress-algo none Original / libgcrypt / usage-gpg-recipient-encrypt-compress-none Passed
Encrypts a payload to a generated recipient with --compress-algo none and asserts that the inner OpenPGP stream contains a literal data packet with no preceding compressed packet, then round-trips the plaintext.
gpg recipient encrypt decrypt output Original / libgcrypt / usage-gpg-recipient-encrypt-decrypt-output Passed
GnuPG recipient encryption Original / libgcrypt / usage-gpg-recipient-encrypt Passed
gpg sign file round trip Original / libgcrypt / usage-gpg-sign-file-roundtrip Passed
gpg stored compressed packet Original / libgcrypt / usage-gpg-store-compressed-packet-batch11 Passed
gpg 3DES symmetric round trip Original / libgcrypt / usage-gpg-symmetric-3des Passed
gpg symmetric AES128 Original / libgcrypt / usage-gpg-symmetric-aes128-roundtrip Passed
Encrypts and decrypts a payload symmetrically with AES128 through gpg and verifies the restored plaintext.
gpg AES128 symmetric round trip Original / libgcrypt / usage-gpg-symmetric-aes128 Passed
gpg symmetric AES192 Original / libgcrypt / usage-gpg-symmetric-aes192-roundtrip Passed
Encrypts and decrypts a payload symmetrically with AES192 through gpg and verifies the restored plaintext.
gpg AES192 symmetric round trip Original / libgcrypt / usage-gpg-symmetric-aes192 Passed
gpg AES256 symmetric --no-armor binary output Original / libgcrypt / usage-gpg-symmetric-aes256-no-armor-binary Passed
Symmetrically encrypts a payload with --no-armor and asserts the ciphertext begins with an OpenPGP binary packet tag (high bit set), not an armored ASCII header.
gpg symmetric AES256 roundtrip Original / libgcrypt / usage-gpg-symmetric-aes256-roundtrip Passed
Encrypts and decrypts a payload with AES256 symmetric mode through gpg and verifies the recovered plaintext.
gpg AES256 symmetric round trip Original / libgcrypt / usage-gpg-symmetric-aes256 Passed
gpg symmetric armor output Original / libgcrypt / usage-gpg-symmetric-armor-output Passed
Produces an ASCII-armored symmetric message through gpg --armor and verifies decryption restores the original body.
GnuPG armored symmetric data Original / libgcrypt / usage-gpg-symmetric-armor Passed
gpg symmetric armored message Original / libgcrypt / usage-gpg-symmetric-armored-message Passed
gpg BLOWFISH symmetric round trip Original / libgcrypt / usage-gpg-symmetric-blowfish Passed
Symmetrically encrypts and decrypts a payload with --cipher-algo BLOWFISH (allowed via --allow-old-cipher-algos) and verifies the plaintext is restored byte-for-byte.
gpg symmetric bzip2 compression Original / libgcrypt / usage-gpg-symmetric-bzip2-compress Passed
gpg CAMELLIA192 symmetric round trip Original / libgcrypt / usage-gpg-symmetric-camellia192-roundtrip Passed
Encrypts a payload with gpg --cipher-algo CAMELLIA192 and verifies the decrypted bytes match the original sha256 digest.
gpg CAMELLIA256 symmetric Original / libgcrypt / usage-gpg-symmetric-camellia256-batch11 Passed
gpg CAST5 symmetric round trip Original / libgcrypt / usage-gpg-symmetric-cast5-roundtrip Passed
Symmetrically encrypts and decrypts with --cipher-algo CAST5 (allowed via --allow-old-cipher-algos) and confirms list-packets reports a symkey enc packet for the round-tripped ciphertext.
gpg CAST5 symmetric round trip Original / libgcrypt / usage-gpg-symmetric-cast5 Passed
gpg symmetric encryption with camellia128 Original / libgcrypt / usage-gpg-symmetric-cipher-camellia128 Passed
Encrypts and decrypts a payload with --cipher-algo CAMELLIA128 and confirms --list-packets reports symkey cipher 11 (camellia128) on the encrypted blob.
gpg symmetric encryption with compression level 9 Original / libgcrypt / usage-gpg-symmetric-compress-z9-decrypt Passed
Encrypts a highly compressible payload with --compress-level 9 and ZLIB, confirms ciphertext is materially smaller than plaintext, and verifies the decrypt sha256 matches.
gpg symmetric s2k with --digest-algo SHA512 Original / libgcrypt / usage-gpg-symmetric-digest-algo-sha512 Passed
Symmetrically encrypts a payload with explicit --digest-algo SHA512 (S2K hash) and round-trips the plaintext, confirming the s2k symkey packet header is present.
gpg symmetric encrypts zero-byte input Original / libgcrypt / usage-gpg-symmetric-empty-input Passed
Encrypts a zero-byte plaintext with AES256 symmetric mode and decrypts it, asserting the round-tripped output is also zero bytes.
gpg symmetric encryption advertises sha256 s2k digest Original / libgcrypt / usage-gpg-symmetric-list-packets-s2k-sha256 Passed
Encrypts symmetrically using --s2k-digest-algo SHA256 and confirms --list-packets reports a sha256 string-to-key specification on the encrypted blob.
gpg symmetric encryption with passphrase-fd 0 Original / libgcrypt / usage-gpg-symmetric-passphrase-fd-stdin Passed
Encrypts symmetrically while supplying the passphrase on file descriptor 0 via --passphrase-fd 0 and confirms the decrypt roundtrip succeeds.
gpg symmetric passphrase file Original / libgcrypt / usage-gpg-symmetric-passphrase-file Passed
Encrypts and decrypts with gpg symmetric mode using a passphrase file and verifies the plaintext round-trips.
GnuPG symmetric round trip Original / libgcrypt / usage-gpg-symmetric-roundtrip Passed
gpg symmetric s2k mode 1 salted only Original / libgcrypt / usage-gpg-symmetric-s2k-mode1-salted Passed
Encrypts symmetrically with --s2k-mode 1 (salted, no iteration) and confirms --list-packets shows mode 1 and a successful roundtrip decrypt.
gpg symmetric s2k mode 3 with explicit count Original / libgcrypt / usage-gpg-symmetric-s2k-mode3-count Passed
Encrypts symmetrically with explicit --s2k-mode 3 and --s2k-count, then decrypts and verifies the roundtrip sha256 matches.
gpg symmetric stdin armor Original / libgcrypt / usage-gpg-symmetric-stdin-armor Passed
Encrypts payload from stdin with gpg armored symmetric output and verifies decryption restores the streamed body.
gpg symmetric stdin Original / libgcrypt / usage-gpg-symmetric-stdin Passed
Encrypts stdin through gpg symmetric mode and verifies decrypted output matches the original streamed payload.
gpg TWOFISH symmetric Original / libgcrypt / usage-gpg-symmetric-twofish-batch11 Passed
gpg symmetric zlib compression Original / libgcrypt / usage-gpg-symmetric-zlib-compress Passed
gpg rejects tampered signature Original / libgcrypt / usage-gpg-tampered-signature-reject Passed
gpg --textmode symmetric roundtrip Original / libgcrypt / usage-gpg-textmode-encrypt-decrypt Passed
Symmetrically encrypts a multiline text payload with --textmode and decrypts it with --textmode, verifying the plaintext is preserved byte-for-byte.
gpg use-agent and no-use-agent both accepted Original / libgcrypt / usage-gpg-use-agent-flag-accepted Passed
Confirms gpg accepts both --use-agent and --no-use-agent without error, and that --no-use-agent is reported as obsolete-but-effectively-no-op while listing still succeeds.
gpg detached verify status-fd Original / libgcrypt / usage-gpg-verify-detached-status-fd Passed
gpg verify status stream Original / libgcrypt / usage-gpg-verify-status-stream Passed
GnuPG reports libgcrypt Original / libgcrypt / usage-gpg-version-libgcrypt Passed
gpg --weak-digest SHA1 rejects SHA1 signatures on verify Original / libgcrypt / usage-gpg-weak-digest-sha1-rejects-verify Passed
Demonstrates the --weak-digest contract: a SHA256 detached signature still verifies under --weak-digest SHA1, while a SHA1-digest detached signature is rejected with an "Invalid digest algorithm" error.
gpg with-colons fingerprint Original / libgcrypt / usage-gpg-with-colons-fingerprint Passed
Lists a generated key with with-colons mode and verifies the machine-readable fingerprint format.
CVE-2018-6829 libgcrypt regression Original / libgcrypt / cve-2018-6829 Passed
Asserts that gcry_pk_encrypt over ElGamal with (flags raw) still lacks semantic security — encrypting plaintext 0 produces a ciphertext whose b component equals 0 regardless of the freshly chosen k, which is the deterministic structural disclosure CVE-2018-6829 was filed against. The bug class survives in libgcrypt 1.10.x because the legacy direct-encryption path was never redesigned with a padding mode.
CVE-2024-2236 libgcrypt regression Original / libgcrypt / cve-2024-2236 Passed
Asserts that gcry_pk_decrypt of an RSA PKCS#1 v1.5 ciphertext still leaks a Bleichenbacher-style padding oracle — decrypting a valid PKCS#1 block returns ok while decrypting a block whose plaintext starts with 0x00 0x03 ... (deliberately wrong PKCS#1 header) returns a distinguishable error code. The CVE-2024-2236 fix in upstream libgcrypt would make both calls return the same outcome (synthetic random plaintext on failure); libgcrypt 1.10.x still distinguishes them.
libgcrypt AES CTR round trip Port / libgcrypt / aes-ctr-roundtrip Passed
libgcrypt SHA-256 digest Port / libgcrypt / digest-sha256-smoke Passed
libgcrypt HMAC digest Port / libgcrypt / hmac-sha256-smoke Passed
libgcrypt MPI arithmetic Port / libgcrypt / mpi-arithmetic Passed
libgcrypt nonce generation Port / libgcrypt / nonce-generation Passed
gpg always-trust unblocks untrusted recipient Port / libgcrypt / usage-gpg-always-trust-untrusted-recipient Passed
Imports a foreign public key into a fresh keyring, confirms encryption fails with the default trust model, then succeeds once --always-trust (--trust-model always) is supplied.
gpg armored detached signature Port / libgcrypt / usage-gpg-armor-detached-sign Passed
gpg armored recipient encryption Port / libgcrypt / usage-gpg-armor-recipient-encrypt Passed
gpg armor vs binary output magic Port / libgcrypt / usage-gpg-armor-vs-binary-magic Passed
Symmetrically encrypts the same payload as armored ASCII and as binary, then checks the file magic distinguishes them.
gpg armored message header only Port / libgcrypt / usage-gpg-armored-message-header-only Passed
gpg --auto-key-locate clear stays offline Port / libgcrypt / usage-gpg-auto-key-locate-clear-offline Passed
Verifies that gpg --auto-key-locate clear disables every locate mechanism so verifying a signature from an unknown signer fails with NO_PUBKEY rather than performing any network lookup.
gpg --batch --gen-key from parameter file Port / libgcrypt / usage-gpg-batch-gen-key-paramfile Passed
Generates an ed25519 signing key non-interactively via gpg --batch --gen-key fed a parameter control file on stdin, then asserts the public key listing reflects the requested UID.
gpg check-trustdb offline Port / libgcrypt / usage-gpg-check-trustdb-offline Passed
Generates a key in an isolated GNUPGHOME and runs gpg --check-trustdb to confirm the trust database walks cleanly without any network activity.
gpg clearsign output Port / libgcrypt / usage-gpg-clearsign-roundtrip-output Passed
Generates a clearsigned ASCII document with gpg --clearsign and verifies the message header and body line are preserved.
gpg clear-sign with explicit SHA256 digest header Port / libgcrypt / usage-gpg-clearsign-sha256-digest Passed
Clear-signs a payload with --digest-algo SHA256, confirms gpg --verify reports a good signature, and checks that the armored block declares a Hash: SHA256 header.
gpg clearsign verify Port / libgcrypt / usage-gpg-clearsign-verify-batch11 Passed
gpg clearsign verify status Port / libgcrypt / usage-gpg-clearsign-verify-status Passed
GnuPG clear-signed message Port / libgcrypt / usage-gpg-clearsign-verify Passed
gpg --comment writes Comment header in armor Port / libgcrypt / usage-gpg-comment-marker-in-armor Passed
Exports a public key in ASCII armor with a custom --comment marker and asserts the marker appears as a Comment: header inside the armor while the armor remains parseable by gpg --list-packets.
gpg dearmors public key Port / libgcrypt / usage-gpg-dearmor-public-key Passed
gpg decrypt clearsigned message Port / libgcrypt / usage-gpg-decrypt-clearsigned-message Passed
gpg --decrypt reads ciphertext via stdin redirection Port / libgcrypt / usage-gpg-decrypt-stdin-redirect Passed
Encrypts a payload symmetrically, then decrypts it by feeding the OpenPGP message to gpg over stdin (no file argument) and verifies the recovered plaintext.
gpg decrypts to stdout Port / libgcrypt / usage-gpg-decrypt-stdout Passed
Decrypts a symmetric gpg message directly to stdout and verifies the recovered plaintext stream.
gpg --default-key selects between two keys Port / libgcrypt / usage-gpg-default-key-selects-second-key Passed
Generates two distinct signing keys in the same keyring and asserts gpg --default-key picks the explicitly named key for a detached signature (verified via the issuer fingerprint reported by gpg --list-packets).
gpg detach sign with SHA512 digest Port / libgcrypt / usage-gpg-detach-sign-sha512-digest Passed
Generates an ed25519 key, creates an armored detached signature with --digest-algo SHA512, and confirms gpg --verify reports a good signature.
gpg binary detached signature Port / libgcrypt / usage-gpg-detached-binary-sign Passed
gpg detached sign status-fd Port / libgcrypt / usage-gpg-detached-sign-status-fd Passed
Verifies a detached signature with gpg --status-fd and checks the machine-readable GOODSIG status output.
GnuPG detached signature Port / libgcrypt / usage-gpg-detached-sign-verify Passed
gpg enarmor dearmor Port / libgcrypt / usage-gpg-enarmor-dearmor Passed
Encodes a payload with gpg --enarmor, decodes it again, and verifies the original bytes round trip.
gpg enarmor dearmor sha256 roundtrip Port / libgcrypt / usage-gpg-enarmor-roundtrip-sha256 Passed
Encodes random binary content with gpg --enarmor, decodes it with --dearmor, and confirms the sha256 digest matches the original.
gpg enarmor round trip Port / libgcrypt / usage-gpg-enarmor-roundtrip Passed
Converts binary data to ASCII armor with gpg enarmor, dearmors it again, and verifies the bytes match.
gpg encrypt decrypt stdout pipe Port / libgcrypt / usage-gpg-encrypt-decrypt-stdout-pipe Passed
gpg --output - writes encrypted message to stdout Port / libgcrypt / usage-gpg-encrypt-output-dash-stdout Passed
Encrypts a payload symmetrically with --output - so the OpenPGP message is delivered on stdout, then decrypts the captured stream and verifies the recovered plaintext.
gpg encrypt for two recipients then decrypt Port / libgcrypt / usage-gpg-encrypt-two-recipients Passed
Generates two distinct keypairs, encrypts a payload addressed to both, asserts the ciphertext contains two pubkey-enc packets via --list-packets, and decrypts the message in a fresh keyring that holds only the second recipient.
gpg export armor block Port / libgcrypt / usage-gpg-export-armor-block Passed
Exports a generated public key in ASCII armor through gpg --armor --export and verifies the begin and end markers.
GnuPG exports and imports key Port / libgcrypt / usage-gpg-export-import-key Passed
gpg exports ownertrust Port / libgcrypt / usage-gpg-export-ownertrust Passed
Imports ownertrust for a generated key and verifies gpg export-ownertrust writes the fingerprint record.
gpg exports public key Port / libgcrypt / usage-gpg-export-public-key Passed
gpg export minimal public key Port / libgcrypt / usage-gpg-export-public-minimal Passed
Exports a minimal armored public key with gpg export options and verifies the ASCII armor header.
gpg exports secret key Port / libgcrypt / usage-gpg-export-secret-key Passed
gpg fingerprint listing Port / libgcrypt / usage-gpg-fingerprint-list Passed
gpg fingerprint stable across export and import Port / libgcrypt / usage-gpg-fingerprint-stable-export-import Passed
Generates an ed25519 key, exports it armored, imports into a fresh GNUPGHOME, and confirms the fingerprint is byte-identical across both keyrings.
gpg gen-random base64 output length Port / libgcrypt / usage-gpg-gen-random-base64-length Passed
Generates 48 random bytes with gpg --gen-random level 1 mode 1 (base64 armor) and verifies the decoded payload length is exactly 48 bytes.
gpg generate random bytes Port / libgcrypt / usage-gpg-gen-random-bytes Passed
gpg random length Port / libgcrypt / usage-gpg-gen-random-length-batch11 Passed
gpg gen-random quality 1 armored Port / libgcrypt / usage-gpg-gen-random-quality1-armored Passed
Requests 16 random bytes from gpg --gen-random with quality level 1 and --armor, decoding the base64 payload back to exactly 16 bytes.
gpg gen-random 32 bytes Port / libgcrypt / usage-gpg-gen-random-zero-bytes Passed
Requests 32 bytes from gpg --gen-random and verifies the output stream length matches the requested byte count.
gpg auto-generated revocation certificate Port / libgcrypt / usage-gpg-gen-revoke-armor Passed
Generates an unattended ed25519 key, locates the armored revocation certificate gpg auto-stores under openpgp-revocs.d, and confirms gpg --list-packets reports a class 0x20 signature.
gpg --gen-revoke produces armored revocation cert with reason 0 Port / libgcrypt / usage-gpg-gen-revoke-detached-reason-zero Passed
Drives gpg --gen-revoke with --command-fd to produce a detached armored revocation certificate using reason code 0 (no reason given), then asserts the resulting block is a class 0x20 signature packet whose hashed subpacket 29 (reason for revocation) carries 0x00.
gpg --digest-algo SHA384 detached signature roundtrip Port / libgcrypt / usage-gpg-hash-algo-sha384-detached Passed
Generates an ed25519 signing key, produces a detached signature with --digest-algo SHA384, verifies it, and asserts the signature packet metadata reports SHA384 (digest 9).
gpg --hidden-recipient masks recipient key id in PKESK packet Port / libgcrypt / usage-gpg-hidden-recipient-anonymous-keyid Passed
Encrypts to a generated key with --hidden-recipient (no plain -r), confirms gpg --list-packets reports keyid 0000000000000000 in the public-key-encrypted-session-key packet, and round-trips the plaintext through decryption.
gpg hidden recipient encrypt Port / libgcrypt / usage-gpg-hidden-recipient-encrypt-batch11 Passed
gpg imports binary and armored exports of the same key Port / libgcrypt / usage-gpg-import-binary-vs-armor Passed
Exports a generated public key in both binary and ASCII-armored form, imports each into separate fresh keyrings, and verifies the resulting fingerprints (and uids) match exactly between the two import paths.
gpg import-options keep-ownertrust round-trip Port / libgcrypt / usage-gpg-import-options-keep-ownertrust-roundtrip Passed
Generates a key, exports its ownertrust and public key, re-imports both into a fresh GNUPGHOME with --import-options keep-ownertrust, and verifies the original ownertrust value is preserved across the round-trip.
gpg imports ownertrust Port / libgcrypt / usage-gpg-import-ownertrust Passed
gpg import public key listing Port / libgcrypt / usage-gpg-import-public-key-listing Passed
gpg imports public key Port / libgcrypt / usage-gpg-import-public-key Passed
gpg imports secret key Port / libgcrypt / usage-gpg-import-secret-key Passed
Exports a generated secret key and imports it into a second keyring, then verifies the secret key is listed.
gpg import show-only Port / libgcrypt / usage-gpg-import-show-only Passed
Inspects an exported public key with gpg import show-only mode and verifies public key metadata is displayed.
gpg keyid-format long vs short Port / libgcrypt / usage-gpg-keyid-format-long-vs-short Passed
Generates a key and confirms that gpg --keyid-format long renders the trailing 16 hex digits of the fingerprint and --keyid-format short renders only the trailing 8 hex digits.
gpg --keyserver-options no-honor-keyserver-url Port / libgcrypt / usage-gpg-keyserver-options-no-honor Passed
Generates a key and verifies that --keyserver-options no-honor-keyserver-url is accepted as a no-op for offline --list-keys: the listing still includes the uid and the command exits 0 without any keyserver traffic.
gpg list config cipher names Port / libgcrypt / usage-gpg-list-config-ciphername-batch11 Passed
gpg list-config cipher names include BLOWFISH Port / libgcrypt / usage-gpg-list-config-ciphername-blowfish Passed
Runs gpg --with-colons --list-config ciphername and asserts BLOWFISH appears in the reported cipher algorithms list.
gpg list config compression names Port / libgcrypt / usage-gpg-list-config-compressname-batch11 Passed
gpg list-config curve includes ed25519 Port / libgcrypt / usage-gpg-list-config-curve-ed25519 Passed
Inspects the list-config curve record with colon output and asserts that ed25519 is among the configured ECC curves.
gpg list config digest names Port / libgcrypt / usage-gpg-list-config-digestname-batch11 Passed
gpg list-config public key algorithms include RSA Port / libgcrypt / usage-gpg-list-config-pubkeyname-rsa Passed
Lists configured public key algorithm names with --with-colons --list-config pubkeyname and asserts RSA is present.
gpg --list-config reports version line Port / libgcrypt / usage-gpg-list-config-version Passed
Runs gpg --with-colons --list-config and asserts a cfg:version: record is emitted with a non-empty version string.
gpg list keys uid Port / libgcrypt / usage-gpg-list-keys-uid Passed
Lists keys for a generated identity with gpg --list-keys and verifies the user id string appears in the listing.
gpg --list-keys --with-colons pub record parsing Port / libgcrypt / usage-gpg-list-keys-with-colons-pub-record Passed
Generates a key and parses the machine-readable colon-listing output, verifying the pub record carries the documented field layout (validity, length, public-key algorithm, 16-hex keyid) and a matching fpr record with a 40-hex fingerprint.
gpg --list-keys --with-fingerprint shows subkey fingerprint Port / libgcrypt / usage-gpg-list-keys-with-fingerprint-subkey Passed
Generates a primary+subkey pair (default ed25519/cv25519) and asserts that gpg --list-keys --with-fingerprint --with-fingerprint emits the spaced fingerprint for both the primary key and the encryption subkey.
GnuPG lists generated key Port / libgcrypt / usage-gpg-list-keys Passed
gpg --list-options show-keyserver-urls Port / libgcrypt / usage-gpg-list-options-show-keyserver-urls Passed
Generates a key and verifies that --list-options show-keyserver-urls is accepted and produces a normal --list-keys listing including the new uid.
gpg list packets armor Port / libgcrypt / usage-gpg-list-packets-armor Passed
gpg list packets armored Port / libgcrypt / usage-gpg-list-packets-armored Passed
Lists packets from an armored encrypted message with gpg and verifies the symmetric packet summary appears.
gpg list packets binary detached Port / libgcrypt / usage-gpg-list-packets-binary-detached Passed
gpg list packets clearsign Port / libgcrypt / usage-gpg-list-packets-clearsign Passed
Inspects a clearsigned message with gpg --list-packets and verifies a signature packet is reported.
gpg AES256 packet listing Port / libgcrypt / usage-gpg-list-packets-symmetric-aes256 Passed
Lists AES256 symmetric packet metadata with gpg --list-packets and verifies the encrypted packet description.
gpg list-packets on TWOFISH symmetric ciphertext Port / libgcrypt / usage-gpg-list-packets-symmetric-twofish Passed
Symmetrically encrypts with TWOFISH and verifies gpg --list-packets reports the expected encrypted packet description.
gpg --list-packets shows ZIP compression algo Port / libgcrypt / usage-gpg-list-packets-zip-compress Passed
Symmetrically encrypts a payload with --compress-algo ZIP and uses --list-packets (with the symmetric passphrase) to decode the inner packets, asserting the compressed packet uses algo=1 (ZIP).
GnuPG lists encrypted packets Port / libgcrypt / usage-gpg-list-packets Passed
gpg list secret colons Port / libgcrypt / usage-gpg-list-secret-colons Passed
Lists generated secret keys in colon format with gpg and verifies the secret key record marker appears.
gpg list secret keys with colons Port / libgcrypt / usage-gpg-list-secret-keys-colons Passed
Lists secret keys in machine-readable format with gpg and verifies secret-key and fingerprint records are present.
gpg secret key keygrip listing Port / libgcrypt / usage-gpg-list-secret-keys-keygrip Passed
gpg --list-secret-keys --keyid-format 0xlong Port / libgcrypt / usage-gpg-list-secret-keys-keyid-format-0xlong Passed
Confirms that gpg --list-secret-keys --keyid-format 0xlong renders the trailing 16 hex digits of the primary fingerprint with the explicit "0x" prefix on the sec line.
gpg lists secret keys Port / libgcrypt / usage-gpg-list-secret-keys Passed
gpg --max-cert-depth accepted on verify Port / libgcrypt / usage-gpg-max-cert-depth-verify Passed
Confirms gpg accepts an explicit --max-cert-depth value (a numeric trust-model knob) on the command line during signature verification and still produces a Good signature for an ed25519 detached signature.
gpg --multifile --decrypt of multiple armored files Port / libgcrypt / usage-gpg-multifile-decrypt Passed
Generates a recipient key, encrypts two payloads to separate armored files, and decrypts both in a single gpg --multifile --decrypt invocation, verifying each plaintext output file.
gpg --no-armor explicit binary export Port / libgcrypt / usage-gpg-no-armor-explicit-binary Passed
Forces a binary OpenPGP public-key export with an explicit --no-armor and confirms the output starts with the OpenPGP packet magic byte rather than ASCII armor headers.
gpg --no-default-keyring + --keyring isolates from default ring Port / libgcrypt / usage-gpg-no-default-keyring-isolation Passed
Generates one key into the default GNUPGHOME pubring and another into a separate keyring file via --no-default-keyring + --keyring, then asserts each subsequent listing only sees the keyblock that lives in the keyring it was directed to.
gpg --no-emit-version omits Version header in armor Port / libgcrypt / usage-gpg-no-emit-version-armor Passed
Exports a public key in ASCII armor with --no-emit-version and asserts the resulting block contains the BEGIN/END armor markers but no "Version:" header line.
gpg --no-greeting --version still prints version Port / libgcrypt / usage-gpg-no-greeting-version Passed
Runs gpg with --no-greeting before --version and asserts the version banner including the linked libgcrypt version is still printed.
gpg no-tty in batch mode Port / libgcrypt / usage-gpg-no-tty-batch-list Passed
Runs gpg --no-tty --batch --list-keys against a freshly generated keyring and confirms it emits a normal listing with no terminal-tied prompts even when stdin is closed.
gpg ownertrust export check Port / libgcrypt / usage-gpg-ownertrust-export-check Passed
gpg --passwd --dry-run validates current passphrase Port / libgcrypt / usage-gpg-passwd-dry-run Passed
Generates a key with a known passphrase, runs --passwd --dry-run with the correct passphrase (must succeed), then runs --passwd --dry-run with the wrong passphrase (must fail with Bad passphrase), confirming libgcrypt-backed S2K verification is wired through.
gpg --personal-cipher-preferences AES256 selects symmetric cipher Port / libgcrypt / usage-gpg-personal-cipher-prefs-aes256 Passed
Generates a recipient key and encrypts a payload with --personal-cipher-preferences AES256 set, then inspects the resulting OpenPGP packet stream after decryption and asserts the symmetric cipher recorded was AES256 (cipher 9).
gpg --personal-digest-preferences SHA512 selects digest for signing Port / libgcrypt / usage-gpg-personal-digest-prefs-sha512 Passed
Generates an ed25519 signing key and signs a payload with --personal-digest-preferences SHA512 set, then inspects the resulting signature packet and asserts the chosen digest algorithm is SHA512 (10).
gpg --primary-keyring redirects new public key writes Port / libgcrypt / usage-gpg-primary-keyring-redirect-write Passed
Generates a key with --primary-keyring pointing to a redirected keyring file inside GNUPGHOME and confirms the new public key is materialized in the redirected keyring while the default pubring.kbx stays empty of public keyblocks.
gpg print-md MD5 fixed-string KAT Port / libgcrypt / usage-gpg-print-md-md5-kat-fixed-string Passed
Verifies gpg --print-md MD5 emits the canonical 5d41402abc4b2a76b9719d9110175c592 known-answer digest for the literal input "hello".
gpg MD5 digest Port / libgcrypt / usage-gpg-print-md-md5 Passed
gpg --print-md multi-algorithm digest lengths Port / libgcrypt / usage-gpg-print-md-multi-sha-family Passed
Computes SHA1, SHA224, SHA256, SHA384, and SHA512 digests of the same input via gpg --with-colons --print-md and asserts each output line contains a hex digest of the expected length for its algorithm.
gpg print-md RIPEMD160 Port / libgcrypt / usage-gpg-print-md-ripemd160-hex Passed
Computes a RIPEMD160 digest with gpg --print-md and verifies the grouped hexadecimal digest output is emitted.
gpg print-md RIPEMD160 KAT for "abc" Port / libgcrypt / usage-gpg-print-md-ripemd160-kat-abc Passed
Computes the RIPEMD160 digest of the literal byte string "abc" through gpg --print-md and asserts the published Dobbertin/Bosselaers/Preneel known-answer value.
gpg RIPEMD160 digest Port / libgcrypt / usage-gpg-print-md-ripemd160 Passed
gpg print-md SHA1 empty input KAT Port / libgcrypt / usage-gpg-print-md-sha1-empty-kat Passed
Verifies gpg --print-md SHA1 emits the canonical da39a3ee... known-answer digest for an empty input file.
gpg print-md SHA1 Port / libgcrypt / usage-gpg-print-md-sha1-hex Passed
gpg SHA1 digest Port / libgcrypt / usage-gpg-print-md-sha1 Passed
gpg --print-md SHA224 and SHA384 KAT vectors Port / libgcrypt / usage-gpg-print-md-sha224-sha384-kat Passed
Computes SHA224 and SHA384 digests of the FIPS 180-4 vector "abc" with gpg --print-md and asserts byte-exact match against the published known-answer values.
gpg SHA224 digest Port / libgcrypt / usage-gpg-print-md-sha224 Passed
gpg print-md SHA256 empty input KAT Port / libgcrypt / usage-gpg-print-md-sha256-empty-kat Passed
Verifies gpg --print-md SHA256 emits the canonical e3b0c442... known-answer digest for an empty input file.
gpg print-md SHA256 hex Port / libgcrypt / usage-gpg-print-md-sha256-hex Passed
Computes a SHA256 digest with gpg --print-md and verifies enough hex groups appear for a 256 bit output.
gpg print-md SHA3-256 KAT for "abc" Port / libgcrypt / usage-gpg-print-md-sha3-256-kat-abc Passed
Computes the SHA3-256 digest of the literal byte string "abc" through gpg --print-md and asserts the canonical FIPS 202 known-answer value.
gpg print-md SHA3-256 hex Port / libgcrypt / usage-gpg-print-md-sha3-256 Passed
Computes a SHA3-256 digest with gpg --print-md and confirms the output contains enough hex groups for a 256 bit digest.
gpg print-md SHA3-512 with hex output Port / libgcrypt / usage-gpg-print-md-sha3-512-hex Passed
Computes a SHA3-512 digest with gpg --print-md --with-colons and confirms the output is a continuous 128 hex character digest line.
gpg --print-md SHA3-512 KAT vector Port / libgcrypt / usage-gpg-print-md-sha3-512-kat Passed
Computes the SHA3-512 digest of the FIPS 202 message "abc" via gpg --print-md and asserts a byte-exact match against the published known-answer value.
gpg print-md SHA384 hex Port / libgcrypt / usage-gpg-print-md-sha384-hex Passed
Computes a SHA384 digest with gpg --print-md and verifies enough hex groups appear for a 384 bit output.
gpg SHA384 digest Port / libgcrypt / usage-gpg-print-md-sha384 Passed
gpg print-md SHA512 empty input KAT Port / libgcrypt / usage-gpg-print-md-sha512-empty-kat Passed
Verifies gpg --print-md SHA512 emits the canonical cf83e135... known-answer digest for an empty input file.
gpg SHA512 digest Port / libgcrypt / usage-gpg-print-md-sha512 Passed
GnuPG prints SHA-256 digest Port / libgcrypt / usage-gpg-print-md Passed
gpg --print-mds shows multiple digest algorithms Port / libgcrypt / usage-gpg-print-mds-multi Passed
Runs gpg --print-mds on a fixed payload and asserts that several digest algorithm labels (MD5, SHA1, RMD160, SHA256, SHA512) appear in the output.
gpg public key packet Port / libgcrypt / usage-gpg-public-key-packet-batch11 Passed
gpg --quick-add-uid attaches a new user id Port / libgcrypt / usage-gpg-quick-add-uid Passed
Generates a key, attaches a second user id with --quick-add-uid, and verifies that --list-keys reports both user ids on the same primary key.
gpg --quick-revuid surfaces validity 'r' in colon listing Port / libgcrypt / usage-gpg-quick-revuid-with-colons-validity Passed
Adds a second user id to a generated key, revokes it with --quick-revuid, and confirms the machine-readable colon listing reports the revoked uid with validity field 'r' while the primary uid retains 'u'.
gpg --quick-revuid revokes a user id Port / libgcrypt / usage-gpg-quick-revuid Passed
Generates a key, attaches a second user id, revokes that uid with --quick-revuid, and verifies a fresh export+import shows the revoked uid is no longer presented as a live binding.
gpg --quick-set-expire updates key expiration Port / libgcrypt / usage-gpg-quick-set-expire Passed
Generates a primary key with a 1d expiration, calls --quick-set-expire to extend it to 2y, and verifies --list-keys reflects the new expiration date and not the original.
gpg --cert-digest-algo SHA512 stamps key self-signature Port / libgcrypt / usage-gpg-r10-cert-digest-algo-sha512 Passed
Generates an Ed25519 key with --cert-digest-algo SHA512, exports the public key, and verifies gpg --list-packets reports digest algo 10 (SHA512) on the user-id self-signature packet.
gpg --export with --export-options export-clean exports a public key Port / libgcrypt / usage-gpg-r10-export-options-export-clean Passed
Generates an Ed25519 key, exports it with --export-options export-clean, and verifies the resulting bytes are a non-empty OpenPGP public key block (public-key packet at the start).
gpg --list-sigs reports self-signature on freshly generated key Port / libgcrypt / usage-gpg-r10-list-sigs-self-signature Passed
Generates an Ed25519 key in a fresh GNUPGHOME and verifies gpg --with-colons --list-sigs emits a sig: record (the self-signature on the user id).
gpg --print-md SHA256 over multiple file arguments Port / libgcrypt / usage-gpg-r10-print-md-multifile-args Passed
Invokes gpg --print-md SHA256 with two distinct file arguments in one call and verifies each file's name appears with a 64-character hex digest in the output.
gpg --quick-generate-key NIST P-384 produces 40-char fingerprint Port / libgcrypt / usage-gpg-r10-quick-generate-nistp384 Passed
Generates a NIST P-384 ECC signing key in a fresh GNUPGHOME and verifies the resulting fingerprint is 40 uppercase hex characters.
gpg --show-session-key emits session key on symmetric decrypt Port / libgcrypt / usage-gpg-r10-show-session-key-symmetric Passed
Symmetrically encrypts a payload then decrypts with --show-session-key and verifies the session key debug line is printed alongside the recovered plaintext.
gpg --no-comments suppresses Comment line in armored output Port / libgcrypt / usage-gpg-r10-symmetric-no-comments-armor Passed
Encrypts a file symmetrically with --armor and --no-comments and verifies the resulting ASCII-armor block contains the BEGIN PGP MESSAGE banner but no Comment: header line.
gpg --symmetric records --set-filename in literal data packet Port / libgcrypt / usage-gpg-r10-symmetric-set-filename-packet Passed
Symmetrically encrypts a payload using --set-filename original.bin and verifies gpg --list-packets reports that filename in the literal data packet header.
gpg --throw-keyids zeroes the recipient key id in PKESK Port / libgcrypt / usage-gpg-r10-throw-keyids-anonymous Passed
Encrypts to an Ed25519/Cv25519 key with --throw-keyids and verifies the resulting public-key encrypted session key packet reports an anonymous (all-zero) keyid via gpg --list-packets.
gpg --with-colons --list-keys uid record exposes the user id Port / libgcrypt / usage-gpg-r10-with-colons-uid-record Passed
Generates an Ed25519 key with a distinctive user id and verifies the with-colons listing emits a uid: record whose user-id field 10 contains the configured email tag.
gpg --enarmor + --dearmor round-trip raw bytes byte-equal Port / libgcrypt / usage-gpg-r11-enarmor-dearmor-roundtrip Passed
Pipes 64 random bytes through --enarmor (which produces a "BEGIN PGP ARMORED FILE" block) and back through --dearmor, then verifies the recovered bytes match the original via sha256 equality.
gpg --export-filter keep-uid restricts exported user-ids to a regex match Port / libgcrypt / usage-gpg-r11-export-filter-keep-uid Passed
Adds a second user-id to a key, runs --export with --export-filter keep-uid="uid =~ secondary", and verifies the exported packet stream contains only the secondary uid (the primary uid is filtered out).
gpg --export-secret-subkeys produces a gnu-dummy stub primary Port / libgcrypt / usage-gpg-r11-export-secret-subkeys-stub-master Passed
Generates a default key (ed25519 SC + cv25519 E) and verifies that --export-secret-subkeys yields a packet stream whose first secret key packet carries the gnu-dummy marker, indicating the master secret has been redacted to a stub.
gpg --export-ssh-key emits ssh-rsa public key from auth-capable RSA key Port / libgcrypt / usage-gpg-r11-export-ssh-key-rsa-auth Passed
Generates a 2048-bit RSA key with the auth usage flag and verifies --export-ssh-key produces a single line beginning with "ssh-rsa " followed by base64 material.
gpg --list-only --decrypt of symmetric stream prints AES diagnostic without writing plaintext Port / libgcrypt / usage-gpg-r11-list-only-decrypt-symmetric Passed
Symmetrically encrypts a payload, then runs --list-only --decrypt and verifies stderr contains the "AES256.CFB encrypted data" diagnostic line while stdout stays empty (no plaintext is materialised).
gpg --quick-add-uid attaches a second user-id reported by --list-keys Port / libgcrypt / usage-gpg-r11-quick-add-uid-second-uid Passed
Generates a primary key, runs --quick-add-uid to attach a second user-id, and verifies --with-colons --list-keys reports two uid records with the expected mailbox addresses.
gpg --quick-revoke-uid marks the targeted user-id revoked in colons output Port / libgcrypt / usage-gpg-r11-quick-revoke-uid-removes-second Passed
Adds a second user-id with --quick-add-uid, revokes it with --quick-revoke-uid, and verifies the colons-mode --list-keys output keeps both uid records but reports the revoked address with field-2 validity 'r' while the primary stays at non-r validity.
gpg --quick-set-expire shifts the primary key expiration timestamp Port / libgcrypt / usage-gpg-r11-quick-set-expire-shifts-expiration Passed
Generates a 2-day key, runs --quick-set-expire on its fingerprint to push the expiration to 30 days, and verifies the colons-mode pub record's expire field grew by at least 24 days worth of seconds.
gpg --s2k-cipher-algo AES256 selects cipher 9 in the symkey-enc packet Port / libgcrypt / usage-gpg-r11-s2k-cipher-algo-aes256-symenc Passed
Symmetrically encrypts a payload with --s2k-cipher-algo AES256 and verifies --list-packets reports cipher 9 in the symkey-enc packet (OpenPGP RFC 4880 sym alg 9 is AES-256).
gpg --with-keygrip --with-colons --list-keys emits grp records on the public keyring Port / libgcrypt / usage-gpg-r11-with-keygrip-colons-grp Passed
Generates a default key and verifies that --with-keygrip on the public --list-keys output (no --with-secret) emits at least two grp records of 40 uppercase hex chars (one per primary and subkey).
gpg --clearsign output decrypts back to the original payload via --decrypt Port / libgcrypt / usage-gpg-r12-clearsign-roundtrip-recovers-payload Passed
Generates an Ed25519 signing key, runs --clearsign over a known payload, then runs gpg --decrypt against the clearsigned message and verifies the recovered plaintext matches the original byte-for-byte.
gpg --detach-sign verifies original payload but rejects mutated payload Port / libgcrypt / usage-gpg-r12-detach-sign-verify-tampered-fails Passed
Generates an Ed25519 key, produces a detached signature with --detach-sign, verifies it succeeds against the unmodified payload, then mutates the payload and asserts gpg --verify exits non-zero against the tampered file.
gpg --armor --export emits a PUBLIC KEY BLOCK ASCII-armor banner Port / libgcrypt / usage-gpg-r12-export-armor-public-key-banner Passed
Generates an Ed25519 key in an ephemeral GNUPGHOME, exports it with --armor --export, and verifies the output starts and ends with the canonical "BEGIN PGP PUBLIC KEY BLOCK" / "END PGP PUBLIC KEY BLOCK" markers.
gpg armored export imports cleanly into a separate GNUPGHOME Port / libgcrypt / usage-gpg-r12-export-then-import-into-fresh-home Passed
Generates a key in a source GNUPGHOME, exports it with --armor --export, imports it into a brand-new GNUPGHOME, and verifies the imported key shows up as a pub: record in --with-colons --list-keys with the same fingerprint.
gpg --list-config reports RSA in pubkeyname configuration record Port / libgcrypt / usage-gpg-r12-list-config-pubkeyname-rsa Passed
Invokes gpg --with-colons --list-config in an ephemeral GNUPGHOME and verifies the cfg:pubkeyname record exists and includes RSA among the supported public-key algorithms reported by libgcrypt.
gpg --print-md SHA256 of an empty file matches the known SHA-256 digest Port / libgcrypt / usage-gpg-r12-print-md-sha256-empty-input Passed
Creates an empty file and runs gpg --print-md SHA256 against it, then strips spaces and verifies the digest equals the canonical SHA-256 of the empty string (e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855).
gpg --print-md SHA512 of "abc" matches the known canonical digest Port / libgcrypt / usage-gpg-r12-print-md-sha512-known-digest Passed
Writes the bytes "abc" to a file and runs gpg --print-md SHA512, then strips formatting and verifies the digest equals the canonical SHA-512 of "abc" published in FIPS 180-4.
gpg --quick-generate-key registers an ed25519 key visible in --list-secret-keys Port / libgcrypt / usage-gpg-r12-quick-gen-list-secret-keys Passed
Generates an Ed25519 sign-only key in a fresh GNUPGHOME with --quick-generate-key and asserts gpg --with-colons --list-secret-keys emits exactly one sec: record whose fingerprint is 40 uppercase hex characters.
gpg --symmetric --cipher-algo AES256 round-trips a payload Port / libgcrypt / usage-gpg-r12-symmetric-aes256-roundtrip Passed
Symmetrically encrypts a fixed payload with --cipher-algo AES256 and a passphrase under an ephemeral GNUPGHOME, decrypts it back with the same passphrase, and asserts the recovered plaintext is byte-identical to the input.
gpg --version banner advertises libgcrypt linkage Port / libgcrypt / usage-gpg-r12-version-banner-includes-libgcrypt Passed
Runs gpg --version against an ephemeral GNUPGHOME and verifies the banner includes both "gpg (GnuPG)" and "libgcrypt" markers, confirming gpg dynamically links and reports the libgcrypt runtime.
gpg --clearsign output begins with PGP SIGNED MESSAGE banner and embeds the payload Port / libgcrypt / usage-gpg-r13-clearsign-banner-and-payload Passed
Generates an Ed25519 signing key, produces a --clearsign output over a fixed payload, asserts the first line is exactly "-----BEGIN PGP SIGNED MESSAGE-----", and asserts the cleartext payload appears verbatim before the signature block.
gpg --detach-sign followed by --verify succeeds on the original payload Port / libgcrypt / usage-gpg-r13-detached-verify-own-payload Passed
Generates an Ed25519 signing key, produces a detached signature with --detach-sign over a fixed payload, runs gpg --verify against the unmodified payload, and asserts both the verify exit status is zero and the status output reports a Good signature.
gpg --enarmor / --dearmor round-trip recovers a binary blob byte-for-byte Port / libgcrypt / usage-gpg-r13-enarmor-dearmor-binary-blob-cmp Passed
Generates 256 random binary bytes, pipes them through gpg --enarmor to produce an ASCII PGP ARMORED FILE block, asserts the begin and end armor headers are present, then runs gpg --dearmor and asserts the recovered bytes are byte-identical to the original via cmp.
gpg --gen-random 0 emits the requested byte count and produces distinct outputs across runs Port / libgcrypt / usage-gpg-r13-gen-random-byte-count-distinct Passed
Runs gpg --gen-random 0 16 twice into separate files under an ephemeral GNUPGHOME, asserts each file is exactly 16 bytes (the requested length), and asserts the two outputs differ byte-for-byte (random level 0 must vary between calls).
gpg --list-config compressname includes ZIP, ZLIB, and BZIP2 algorithms Port / libgcrypt / usage-gpg-r13-list-config-compressname-zip Passed
Captures cfg:compressname: via --with-colons --list-config compressname and asserts the configured compression algorithm list contains ZIP, ZLIB, and BZIP2, confirming libgcrypt's compressor wiring is intact.
gpg --list-config curve advertises ed25519, cv25519, and a NIST curve Port / libgcrypt / usage-gpg-r13-list-config-curve-includes-multiple Passed
Captures cfg:curve: via --with-colons --list-config curve and asserts the configured ECC curve list includes ed25519, cv25519, and at least one NIST P-curve (nistp256/nistp384/nistp521), confirming libgcrypt's ECC curve table is exposed.
gpg --print-mds emits SHA224 alongside SHA256 and SHA512 labels Port / libgcrypt / usage-gpg-r13-print-mds-includes-sha224 Passed
Runs gpg --batch --print-mds on a fixed payload under an ephemeral GNUPGHOME, redirects stdout to a file, and asserts the listing includes the SHA224, SHA256, and SHA512 algorithm labels (libgcrypt digest table coverage).
gpg --symmetric with AES256 and --digest-algo SHA512 round-trips and uses S2K hash 10 Port / libgcrypt / usage-gpg-r13-symmetric-aes256-digest-sha512 Passed
Symmetrically encrypts a payload with --cipher-algo AES256 and --digest-algo SHA512, asserts the resulting symkey-enc packet records cipher 9 (AES-256) and hash 10 (SHA-512), then decrypts the ciphertext and asserts the recovered plaintext matches the original via cmp.
gpg --textmode --sign followed by --decrypt recovers the original payload byte-for-byte Port / libgcrypt / usage-gpg-r13-textmode-sign-decrypt-roundtrip Passed
Generates an Ed25519 signing key, signs a multi-line text payload with --textmode (canonical-text mode), runs gpg --decrypt on the resulting OpenPGP message, and asserts the recovered plaintext matches the original via cmp.
gpg --version banner starts with "gpg (GnuPG)" Port / libgcrypt / usage-gpg-r13-version-banner-gnupg-marker Passed
Captures gpg --version output under an ephemeral GNUPGHOME and asserts the very first line begins with the canonical "gpg (GnuPG)" identifier so downstream parsers can recognise the implementation.
gpg --dearmor recovers a fixed binary payload from an enarmored block Port / libgcrypt / usage-gpg-r14-enarmor-dearmor-fixed-payload-cmp Passed
Writes a fixed 128-byte payload, runs gpg --enarmor and then gpg --dearmor under an ephemeral GNUPGHOME, and asserts the recovered bytes are byte-identical to the original via cmp — a deterministic round-trip distinct from the random-blob enarmor variant.
gpg --enarmor wraps a fixed binary blob in PGP ARMORED FILE headers Port / libgcrypt / usage-gpg-r14-enarmor-headers-fixed-blob Passed
Pipes a fixed 64-byte payload through gpg --enarmor under an ephemeral GNUPGHOME, asserts the output begins with "-----BEGIN PGP ARMORED FILE-----" and ends with "-----END PGP ARMORED FILE-----", and asserts the body contains a 4-character base64 CRC checksum line beginning with '='.
gpg --encrypt to a self-generated recipient round-trips through --decrypt Port / libgcrypt / usage-gpg-r14-encrypt-to-self-decrypt-roundtrip Passed
Generates an Ed25519/Curve25519 default-future key pair under an ephemeral GNUPGHOME, encrypts a fixed payload to that uid with --trust-model always, decrypts the resulting OpenPGP message, and asserts the recovered plaintext is byte-identical to the original via cmp.
gpg --gen-random level 2 emits exactly the requested byte count Port / libgcrypt / usage-gpg-r14-gen-random-level2-eight-bytes Passed
Runs gpg --gen-random 2 8 (quality level 2 — strong RNG) under an ephemeral GNUPGHOME, redirects 8 raw bytes to a file, and asserts the output is exactly 8 bytes and that two independent calls produce different byte sequences.
gpg --list-config compressname reports ZIP among the supported compression algorithms Port / libgcrypt / usage-gpg-r14-list-config-compressname-includes-zip Passed
Runs gpg --with-colons --list-config compressname under an ephemeral GNUPGHOME and asserts the colon-format record contains both Uncompressed and ZIP among the supported compression algorithms (libgcrypt-backed compression registration).
gpg -K on a fresh GNUPGHOME emits no sec records Port / libgcrypt / usage-gpg-r14-list-secret-keys-empty-home Passed
Creates a brand-new ephemeral GNUPGHOME, runs gpg --batch --with-colons -K (the short form of --list-secret-keys), and asserts the colon output contains zero sec: records (no secret keys present).
gpg --print-mds emits RMD160 alongside MD5 and SHA1 labels Port / libgcrypt / usage-gpg-r14-print-mds-includes-rmd160 Passed
Runs gpg --batch --print-mds on a fixed payload under an ephemeral GNUPGHOME and asserts the multi-digest listing contains the MD5, SHA1, and RMD160 algorithm labels — a libgcrypt digest-table coverage check distinct from the SHA224/256/512 r13 variant.
gpg --symmetric --cipher-algo AES128 round-trips and records cipher 7 in the symkey-enc packet Port / libgcrypt / usage-gpg-r14-symmetric-aes128-cipher-7-roundtrip Passed
Symmetrically encrypts a fixed payload with --cipher-algo AES128 and a passphrase under an ephemeral GNUPGHOME, asserts the resulting symkey-enc packet declares cipher 7 (AES-128 per RFC 4880), then decrypts and asserts the recovered plaintext matches the input via cmp.
gpg --version banner advertises the active Home directory path Port / libgcrypt / usage-gpg-r14-version-shows-home-line Passed
Runs gpg --version against an ephemeral GNUPGHOME and asserts the output banner contains a "Home:" entry pointing at the configured GNUPGHOME path, confirming gpg honors GNUPGHOME and reports it back through the --version banner.
gpg --with-fingerprint --list-keys emits a 40-hex grouped fingerprint line Port / libgcrypt / usage-gpg-r14-with-fingerprint-list-keys-hex Passed
Generates an Ed25519 sign-only key in a fresh GNUPGHOME, runs gpg --with-fingerprint --list-keys, and asserts the human-readable output contains an indented fingerprint line of ten 4-hex groups (40 hex digits total) separated by single spaces with a double-space midline gap, plus the uid being listed.
gpg --detach-sign produces a binary signature that --verify accepts Port / libgcrypt / usage-gpg-r15-detached-binary-sign-verify-roundtrip Passed
Generates an Ed25519 sign-only key in an ephemeral GNUPGHOME, produces a binary detached signature with --detach-sign (no --armor), asserts the resulting .sig file is a non-empty binary blob whose first byte is NOT '-' (i.e., not an ASCII-armor header), then asserts gpg --verify accepts the detached signature against the original payload.
gpg binary --export imports cleanly into a fresh GNUPGHOME with a stable fingerprint Port / libgcrypt / usage-gpg-r15-export-import-fingerprint-stable-binary Passed
Generates an Ed25519 sign-only key in a source GNUPGHOME, exports it as a binary OpenPGP packet stream (no --armor) into a file, asserts the export file is non-empty and that its first byte is NOT '-' (i.e., not ASCII-armored), imports the binary export into a brand-new GNUPGHOME, and asserts the destination fingerprint matches the source fingerprint byte-for-byte — distinct from the r12 armored export/import variant.
gpg --list-config pubkeyname reports ELG among the supported public-key algorithms Port / libgcrypt / usage-gpg-r15-list-config-pubkeyname-includes-elg Passed
Runs gpg --batch --with-colons --list-config pubkeyname under an ephemeral GNUPGHOME and asserts the colon record begins with the expected cfg:pubkeyname: prefix and contains both RSA and ELG (ElGamal) algorithm tokens — exercising libgcrypt's public-key registration table.
gpg --list-keys on a fresh GNUPGHOME emits zero pub: records Port / libgcrypt / usage-gpg-r15-list-keys-empty-pub-count-zero Passed
Creates a brand-new ephemeral GNUPGHOME, runs gpg --batch --with-colons --list-keys, counts pub: records via awk, and asserts the count is exactly zero — confirming the public keyring is empty when GNUPGHOME is freshly minted.
gpg --no-options --version still emits the libgcrypt-aware version banner Port / libgcrypt / usage-gpg-r15-no-options-flag-version-banner Passed
Runs gpg --no-options --version against an ephemeral GNUPGHOME, asserting that even with options-file processing disabled the banner is still produced and contains the literal "gpg (GnuPG)" prefix and a "libgcrypt" line — confirming gpg honors --no-options without dropping its libgcrypt runtime banner.
gpg --print-mds emits a SHA384 line alongside MD5 and SHA1 labels Port / libgcrypt / usage-gpg-r15-print-mds-includes-sha384 Passed
Runs gpg --batch --print-mds on a fixed payload under an ephemeral GNUPGHOME and asserts the multi-digest listing contains the MD5, SHA1, and SHA384 algorithm labels — a libgcrypt digest-table coverage check distinct from the SHA224/SHA512 r13 variants.
gpg --quick-generate-key rsa3072 produces a 40-uppercase-hex fingerprint Port / libgcrypt / usage-gpg-r15-quick-gen-rsa3072-fpr-uppercase-hex Passed
Generates an RSA-3072 signing key in a fresh ephemeral GNUPGHOME, runs gpg --batch --with-colons --list-keys, extracts the fpr record's field 10 with awk, and asserts the value is exactly 40 characters and matches the uppercase hex pattern [A-F0-9]{40} — exercising libgcrypt's RSA keygen at a 3072-bit modulus distinct from r9's rsa2048 case.
gpg --symmetric --armor emits a radix-64 CRC line plus PGP MESSAGE banners Port / libgcrypt / usage-gpg-r15-symmetric-armor-radix64-checksum-line Passed
Symmetrically encrypts a fixed payload with --armor under an ephemeral GNUPGHOME, asserts the output begins with "-----BEGIN PGP MESSAGE-----" and ends with "-----END PGP MESSAGE-----", asserts a radix-64 CRC line of the form '=' followed by exactly four base64 characters appears on its own line, and decrypts back to the original payload via cmp.
gpg --symmetric --passphrase-fd reads the passphrase from a file descriptor and round-trips Port / libgcrypt / usage-gpg-r15-symmetric-passphrase-fd-roundtrip Passed
Symmetrically encrypts a fixed payload by feeding the passphrase via --passphrase-fd 0 (stdin) under an ephemeral GNUPGHOME, decrypts back the same way, and asserts the recovered plaintext matches the original via cmp — exercising libgcrypt's S2K + symmetric crypto path under fd-based passphrase entry rather than literal --passphrase.
gpg --symmetric --cipher-algo TWOFISH round-trips and records cipher 10 in the symkey-enc packet Port / libgcrypt / usage-gpg-r15-symmetric-twofish-cipher-10-roundtrip Passed
Symmetrically encrypts a fixed payload with --cipher-algo TWOFISH and a passphrase under an ephemeral GNUPGHOME, asserts the resulting symkey-enc packet declares cipher 10 (Twofish per RFC 4880), then decrypts and asserts the recovered plaintext matches the input via cmp.
gpg --list-keys on a fresh GNUPGHOME exits zero with empty stdout Port / libgcrypt / usage-gpg-r16-empty-home-list-keys-rc-zero Passed
Creates a brand-new GNUPGHOME, runs gpg --batch --list-keys, asserts the exit status is zero and the captured stdout is empty (no key records appear when the public keyring is freshly created), a smoke check distinct from the r15 colons-count variant.
gpg --enarmor then --dearmor recovers a 256-byte perl-built ramp Port / libgcrypt / usage-gpg-r16-enarmor-dearmor-perl-bytes-roundtrip Passed
Builds a deterministic 256-byte ramp (0..255) via perl, runs gpg --enarmor and gpg --dearmor under an ephemeral GNUPGHOME, and asserts the recovered bytes are byte-identical to the original via cmp — a longer payload than the r14 128-byte variant.
gpg --gen-random 0 16 emits exactly 16 bytes from the weak-quality RNG Port / libgcrypt / usage-gpg-r16-gen-random-quality0-sixteen-bytes Passed
Runs gpg --gen-random 0 16 (libgcrypt quality level 0 — weak) under an ephemeral GNUPGHOME and asserts the output is exactly 16 raw bytes and two independent calls produce different sequences, exercising the libgcrypt RNG at the low-quality level.
gpg --gen-random 1 32 emits 32 non-all-zero bytes from the medium-quality RNG Port / libgcrypt / usage-gpg-r16-gen-random-quality1-thirty-two-bytes Passed
Runs gpg --gen-random 1 32 under an ephemeral GNUPGHOME and asserts the output is exactly 32 raw bytes and not the all-zero buffer, exercising libgcrypt's medium-quality (level 1) RNG path through gpg.
gpg --list-config ciphername line lists AES256 Port / libgcrypt / usage-gpg-r16-list-config-ciphername-includes-aes256 Passed
Runs gpg --list-config under an ephemeral GNUPGHOME and asserts the "ciphername:" row mentions AES256 (libgcrypt provides AES with a 256-bit key as a registered cipher), exercising gpg's --list-config reflection of libgcrypt's compiled-in ciphers.
gpg --print-md SHA1 of "abc" matches the FIPS-180 known-answer Port / libgcrypt / usage-gpg-r16-print-md-sha1-abc-vector Passed
Hashes the three-byte payload "abc" with gpg --print-md SHA1 and asserts the lowercase hex digest equals the canonical FIPS-180 SHA-1 known-answer a9993e364706816aba3e25717850c26c9cd0d89d, exercising libgcrypt's SHA-1 implementation on a fixed-input KAT.
gpg --print-md SHA256 of "abc" matches the FIPS-180 known-answer Port / libgcrypt / usage-gpg-r16-print-md-sha256-fips-abc-vector Passed
Hashes the three-byte payload "abc" with gpg --print-md SHA256 and asserts the lowercase hex digest equals the canonical FIPS-180 SHA-256 known-answer ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad, exercising libgcrypt's SHA-256 implementation on a fixed-input KAT. Extracts only the file-prefixed digest line via awk to skip any keybox-creation notice.
gpg --print-md SHA512 of an empty input matches the published KAT Port / libgcrypt / usage-gpg-r16-print-md-sha512-empty-vector Passed
Hashes a zero-byte input with gpg --print-md SHA512 and asserts the lowercase hex digest equals the canonical SHA-512 known-answer for the empty string cf83e1357eefb8bd...3e85a6b3b1fa3 (truncated in description, full value is enforced), exercising libgcrypt's SHA-512 implementation on a fixed-input KAT. Extracts only the file-prefixed digest line via awk.
gpg --print-mds on empty input emits MD5 = d41d8cd98f00b204e9800998ecf8427e Port / libgcrypt / usage-gpg-r16-print-mds-empty-md5-known-answer Passed
Runs gpg --print-mds on a zero-byte file and asserts the MD5 line of the multi-digest listing equals the canonical empty-string MD5 d41d8cd98f00b204e9800998ecf8427e (case-insensitive hex match), exercising libgcrypt's MD5 implementation on the empty input KAT.
gpg --version banner mentions libgcrypt Port / libgcrypt / usage-gpg-r16-version-mentions-libgcrypt Passed
Runs gpg --version under an ephemeral GNUPGHOME and asserts the banner contains the substring "libgcrypt" (case-insensitive — gpg 2.4 prints the library line as "libgcrypt X.Y.Z"), confirming the gpg binary is linked against libgcrypt and reports its name in the version block.
gpg --check-trustdb on a fresh GNUPGHOME exits zero and creates trustdb.gpg Port / libgcrypt / usage-gpg-r17-check-trustdb-empty-home-creates-trustdb Passed
Creates a brand-new GNUPGHOME with no keys, runs gpg --batch --check-trustdb, and asserts the exit status is zero and a trustdb.gpg file exists afterwards, exercising libgcrypt-backed gpg's trustdb walk on a key-less keyring (distinct from the existing test that requires a generated key first).
gpg --gen-random 0 1 emits exactly 1 byte Port / libgcrypt / usage-gpg-r17-gen-random-quality0-one-byte Passed
Runs gpg --gen-random 0 1 (libgcrypt quality level 0 — weak) under an ephemeral GNUPGHOME and asserts the captured output is exactly 1 byte long, exercising the smallest non-zero RNG request.
gpg --import on a non-key file exits non-zero Port / libgcrypt / usage-gpg-r17-import-non-key-file-fails Passed
Attempts to import a plain text file (definitely not an OpenPGP keyring) via gpg --batch --import under an ephemeral GNUPGHOME and asserts the exit status is non-zero, exercising libgcrypt-backed gpg's keyring parser refusing to ingest random data.
gpg --list-config --with-colons emits a pubkeyname row Port / libgcrypt / usage-gpg-r17-list-config-emits-pubkeyname-row Passed
Runs gpg --list-config --with-colons under an ephemeral GNUPGHOME and asserts the output contains at least one line matching the "cfg:pubkeyname:" prefix, exercising gpg's --list-config reflection of libgcrypt's registered public-key algorithm list (without requiring a specific algorithm name).
gpg --print-md MD5 of "abc" matches the RFC 1321 known-answer Port / libgcrypt / usage-gpg-r17-print-md-md5-abc-vector Passed
Hashes the three-byte payload "abc" with gpg --print-md MD5 and asserts the lowercase hex digest equals the canonical RFC 1321 MD5 known-answer 900150983cd24fb0d6963f7d28e17f72, exercising libgcrypt's MD5 implementation on a fixed-input KAT (distinct from the older "hello" KAT test).
gpg --print-md SHA224 of "abc" matches the FIPS-180 known-answer Port / libgcrypt / usage-gpg-r17-print-md-sha224-abc-vector Passed
Hashes the three-byte payload "abc" with gpg --print-md SHA224 and asserts the lowercase hex digest equals the canonical FIPS-180 SHA-224 known-answer 23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7, exercising libgcrypt's SHA-224 implementation on a fixed-input KAT.
gpg --print-md SHA384 of an empty input matches the published KAT Port / libgcrypt / usage-gpg-r17-print-md-sha384-empty-vector Passed
Hashes a zero-byte input with gpg --print-md SHA384 and asserts the lowercase hex digest equals the canonical SHA-384 known-answer 38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b, exercising libgcrypt's SHA-384 implementation on a fixed-input KAT.
gpg --version banner Pubkey algorithm list mentions RSA Port / libgcrypt / usage-gpg-r17-version-pubkey-rsa-present Passed
Runs gpg --version under an ephemeral GNUPGHOME and asserts the banner contains the substring "RSA" in its compiled-in Pubkey algorithm list (gpg 2.4 emits "Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA" on noble), exercising libgcrypt's compiled-in public-key algorithm reflection through gpg --version.
gpg --gen-random --armor 0 24 emits base64-shaped output of expected length Port / libgcrypt / usage-gpg-r18-gen-random-armored-base64-shape Passed
Runs gpg --gen-random --armor 0 24 under an ephemeral GNUPGHOME and asserts the output is a single base64 line consisting only of A-Z, a-z, 0-9, +, /, = and is exactly 32 chars long (24 bytes encodes to 32 base64 chars, no padding needed since 24%3==0), exercising the armor-encoded random output path.
gpg --gen-random 2 64 emits exactly 64 bytes and is not all-zeros Port / libgcrypt / usage-gpg-r18-gen-random-quality2-sixty-four-bytes Passed
Runs gpg --gen-random 2 64 (libgcrypt quality level 2 — long-term) under an ephemeral GNUPGHOME and asserts the output is exactly 64 raw bytes and contains at least one non-zero byte (rejecting the degenerate all-zero output), exercising the long-term-quality RNG at a 64-byte payload distinct from existing 8/16/32-byte coverage.
gpg --list-config --with-colons emits a cfg:curve: row mentioning secp256k1 Port / libgcrypt / usage-gpg-r18-list-config-curve-mentions-secp256k1 Passed
Runs gpg --list-config --with-colons under an ephemeral GNUPGHOME, extracts the cfg:curve: row, and asserts the field contains the literal token "secp256k1" (libgcrypt 1.10 on noble ships secp256k1 as part of the gpg curve registry), exercising gpg's --list-config reflection of libgcrypt's curve list.
gpg --list-config --with-colons emits a digestname row mentioning SHA256 Port / libgcrypt / usage-gpg-r18-list-config-digestname-row Passed
Runs gpg --list-config --with-colons under an ephemeral GNUPGHOME, extracts the cfg:digestname: row, and asserts the field contains the literal token "SHA256" (libgcrypt always exposes SHA-256 in the gpg 2.4 digest registry), exercising gpg's --list-config reflection of libgcrypt's digest algorithm list.
gpg --print-md SHA1 of the quick-brown-fox pangram matches the canonical KAT Port / libgcrypt / usage-gpg-r18-print-md-sha1-pangram-vector Passed
Hashes the canonical 43-byte pangram "The quick brown fox jumps over the lazy dog" with gpg --print-md SHA1 and asserts the lowercase hex digest equals 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12, exercising libgcrypt's SHA-1 implementation on a known KAT distinct from abc and empty-string vectors.
gpg --print-md SHA256 of FIPS-180 56-byte abcdbcde test vector matches KAT Port / libgcrypt / usage-gpg-r18-print-md-sha256-abcdbcde-vector Passed
Hashes the 56-byte FIPS-180 SHA-256 test message "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" via gpg --print-md SHA256 and asserts the lowercase hex digest equals the published KAT 248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1, exercising libgcrypt's SHA-256 on a multi-block input distinct from the abc vector.
gpg --print-md SHA512 of the quick-brown-fox pangram matches the canonical KAT Port / libgcrypt / usage-gpg-r18-print-md-sha512-pangram-vector Passed
Hashes the canonical 43-byte pangram "The quick brown fox jumps over the lazy dog" with gpg --print-md SHA512 and asserts the lowercase hex digest equals 07e547d9586f6a73f73fbac0435ed76951218fb7d0c8d788a309d785436bbb642e93a252a954f23912547d1e8a3b5ed6e1bfd7097821233fa0538f3db854fee6, exercising libgcrypt's SHA-512 on a known KAT distinct from the empty and abc vectors.
gpg --symmetric then --decrypt roundtrip yields the original plaintext Port / libgcrypt / usage-gpg-r18-symmetric-encrypt-decrypt-roundtrip Passed
Encrypts a fixed plaintext "round18 symmetric payload" with gpg --symmetric using a known passphrase via --pinentry-mode loopback and AES256, decrypts the resulting ciphertext, and asserts the decrypted bytes match the original byte-for-byte, exercising libgcrypt's symmetric encrypt/decrypt path end-to-end.
gpg --decrypt with the wrong passphrase on a --symmetric ciphertext fails Port / libgcrypt / usage-gpg-r18-symmetric-wrong-passphrase-fails Passed
Symmetrically encrypts a fixed plaintext with passphrase A, then attempts to decrypt with passphrase B via --pinentry-mode loopback and asserts the decrypt exit code is non-zero, exercising libgcrypt's S2K integrity-check / MDC failure path on a wrong-passphrase attempt.
gpg --version banner Cipher algorithm list mentions AES256 Port / libgcrypt / usage-gpg-r18-version-banner-cipher-aes-present Passed
Runs gpg --version under an ephemeral GNUPGHOME and asserts the banner contains the substring "AES256" in its compiled-in Cipher algorithm list (gpg 2.4 on noble exposes AES, AES192, AES256, and others via libgcrypt), exercising libgcrypt's cipher algorithm reflection through gpg --version.
gpg --gen-random 1 32 produces 32 raw bytes that differ between two invocations Port / libgcrypt / usage-gpg-r19-gen-random-32-bytes-distinct Passed
Invokes gpg --gen-random 1 32 twice (quality level 1, 32 bytes each), asserts each output is exactly 32 bytes, and asserts the two outputs are not byte-identical (libgcrypt's quality-1 generator must not return a fixed payload), exercising the random-number generator output sizing and non-degeneracy through gpg.
gpg --list-config --with-colons compressname row mentions ZLIB Port / libgcrypt / usage-gpg-r19-list-config-compressname-zlib Passed
Runs gpg --list-config --with-colons under an ephemeral GNUPGHOME, extracts the cfg:compressname: row, and asserts the field contains the literal token "ZLIB" (libgcrypt always exposes ZLIB in the gpg 2.4 compression algorithm registry), exercising gpg's --list-config reflection of the compiled-in compression list.
gpg --print-md MD5 of the empty input matches the RFC 1321 KAT Port / libgcrypt / usage-gpg-r19-print-md-md5-empty-vector Passed
Hashes a zero-byte input with gpg --print-md MD5 and asserts the lowercase hex digest equals the canonical RFC 1321 MD5 empty-string KAT d41d8cd98f00b204e9800998ecf8427e, exercising libgcrypt's MD5 path on the empty message.
gpg --print-md SHA1 of the empty input matches the RFC 3174 KAT Port / libgcrypt / usage-gpg-r19-print-md-sha1-empty-vector Passed
Hashes a zero-byte input with gpg --print-md SHA1 and asserts the lowercase hex digest equals the canonical SHA-1 empty-string KAT da39a3ee5e6b4b0d3255bfef95601890afd80709, exercising libgcrypt's SHA-1 path on the empty message.
gpg --print-md SHA224 of the empty input matches the FIPS-180 KAT Port / libgcrypt / usage-gpg-r19-print-md-sha224-empty-vector Passed
Hashes a zero-byte input with gpg --print-md SHA224 and asserts the lowercase hex digest equals the published FIPS-180 KAT d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f, exercising libgcrypt's SHA-224 implementation on the empty message.
gpg --print-md SHA256 of the empty input matches the FIPS-180 KAT Port / libgcrypt / usage-gpg-r19-print-md-sha256-empty-vector Passed
Hashes a zero-byte input with gpg --print-md SHA256 and asserts the lowercase hex digest equals the published FIPS-180 SHA-256 KAT e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, exercising libgcrypt's SHA-256 path on the canonical empty-message vector.
gpg --print-md SHA512 of the empty input matches the FIPS-180 KAT Port / libgcrypt / usage-gpg-r19-print-md-sha512-empty-vector Passed
Hashes a zero-byte input with gpg --print-md SHA512 and asserts the lowercase hex digest equals the published FIPS-180 SHA-512 KAT cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e, exercising libgcrypt's SHA-512 path on the empty message.
gpg --symmetric --cipher-algo AES128 roundtrips a binary plaintext byte-for-byte Port / libgcrypt / usage-gpg-r19-symmetric-aes128-roundtrip Passed
Encrypts a 1 KiB pseudo-random plaintext (built from /dev/urandom) via gpg --symmetric with AES128 and a fixed passphrase via --pinentry-mode loopback, decrypts the resulting ciphertext, and asserts the recovered bytes match the original byte-for-byte, exercising libgcrypt's AES-128 symmetric encrypt/decrypt path (distinct from the r18 AES-256 coverage).
gpg --symmetric --armor output opens and closes with PGP MESSAGE delimiters Port / libgcrypt / usage-gpg-r19-symmetric-armor-line-shape Passed
Encrypts a short fixed plaintext via gpg --symmetric --armor with AES256 and a fixed passphrase, then asserts the resulting ASCII-armored output starts with the literal "-----BEGIN PGP MESSAGE-----" header line and ends with the matching "-----END PGP MESSAGE-----" trailer, exercising libgcrypt's armored output framing through gpg.
gpg --version banner Cipher row mentions 3DES Port / libgcrypt / usage-gpg-r19-version-banner-cipher-3des-present Passed
Runs gpg --version under an ephemeral GNUPGHOME and asserts the banner's "Cipher:" row contains the substring "3DES" (libgcrypt always compiles in the legacy 3DES cipher on the noble baseline), exercising libgcrypt's compiled-in cipher algorithm reflection through gpg --version.
gpg --gen-random 1 128 emits exactly 128 raw bytes Port / libgcrypt / usage-gpg-r20-gen-random-quality1-128-bytes Passed
Calls gpg --gen-random 1 128 and asserts the captured output is exactly 128 bytes in length - locking in libgcrypt's random byte generator at quality level 1 for a length distinct from earlier rounds.
gpg --list-config --with-colons digestname row mentions SHA256 Port / libgcrypt / usage-gpg-r20-list-config-digestname-sha256 Passed
Runs gpg --list-config --with-colons under an ephemeral GNUPGHOME, extracts the cfg:digestname: row, and asserts it contains the literal token "SHA256" - locking in libgcrypt's SHA256 entry in gpg's compiled-in digest algorithm registry.
gpg --list-config --with-colons pubkeyname row mentions DSA Port / libgcrypt / usage-gpg-r20-list-config-pubkeyname-mentions-dsa Passed
Runs gpg --list-config --with-colons under an ephemeral GNUPGHOME, extracts the cfg:pubkeyname: row, and asserts it contains the literal token "DSA" - locking in libgcrypt's DSA entry in gpg's compiled-in public-key algorithm registry (distinct from prior RSA and ELG coverage).
gpg --print-md MD5 of "abcdefghijklmnopqrstuvwxyz" matches RFC 1321 KAT Port / libgcrypt / usage-gpg-r20-print-md-md5-alphabet-vector Passed
Pipes the 26-byte ASCII lowercase alphabet to gpg --print-md MD5 and asserts the captured lowercase hex digest equals c3fcd3d76192e4007dfb496cca67e13b (RFC 1321 known-answer) - locking in libgcrypt's MD5 path on the alphabet KAT, distinct from earlier rounds' "abc" and empty-input MD5 coverage.
gpg --print-md RIPEMD160 of empty input matches the canonical KAT Port / libgcrypt / usage-gpg-r20-print-md-ripemd160-empty-vector Passed
Pipes a zero-byte file to gpg --print-md RIPEMD160 and asserts the captured lowercase hex digest equals 9c1185a5c5e9fc54612808977ee8f548b2258d31 - locking in libgcrypt's RIPEMD160 path on the empty-input boundary (distinct from prior rounds' abc and "hello" RIPEMD160 KAT coverage).
gpg --print-md SHA224 of the FIPS pangram matches the canonical KAT Port / libgcrypt / usage-gpg-r20-print-md-sha224-pangram-vector Passed
Pipes the 43-byte pangram "The quick brown fox jumps over the lazy dog" to gpg --print-md SHA224 and asserts the captured lowercase digest equals 730e109bd7a8a32b1cb9d9a09aa2325d2430587ddbc0c38bad911525 - locking in libgcrypt's SHA224 path on the canonical pangram vector (distinct from r17 SHA224 abc and existing SHA1 pangram coverage).
gpg --print-md SHA3-384 on empty input matches the published KAT Port / libgcrypt / usage-gpg-r20-print-md-sha3-384-empty-vector Passed
Pipes a zero-byte file to gpg --print-md SHA3-384 and asserts the captured digest equals the published SHA3-384("") known answer (0c63a75b...51e7f3d52e7afc62), exercising libgcrypt's SHA3-384 digest path on the empty-input boundary (a digest variant not covered by prior rounds).
gpg --symmetric --cipher-algo AES192 roundtrips a 512-byte plaintext Port / libgcrypt / usage-gpg-r20-symmetric-aes192-roundtrip Passed
Encrypts 512 bytes of random data via gpg --symmetric --cipher-algo AES192 with a fixed passphrase under --pinentry-mode loopback, decrypts the resulting ciphertext, and asserts the recovered bytes match the original byte-for-byte - locking in libgcrypt's AES-192 symmetric encrypt/decrypt path (distinct from the existing AES128 and AES256 r19/r18 coverage).
gpg --symmetric --cipher-algo TWOFISH roundtrips a 768-byte plaintext Port / libgcrypt / usage-gpg-r20-symmetric-twofish-roundtrip Passed
Encrypts 768 bytes of random data via gpg --symmetric --cipher-algo TWOFISH with a fixed passphrase under --pinentry-mode loopback, decrypts the resulting ciphertext, and asserts the recovered bytes match the original byte-for-byte - locking in libgcrypt's Twofish symmetric encrypt/decrypt path at a size distinct from prior rounds.
gpg --version banner advertises a Compression algorithm group Port / libgcrypt / usage-gpg-r20-version-banner-compression-section Passed
Runs gpg --version under an ephemeral GNUPGHOME and asserts the captured banner contains a "Compression:" or "Compress:" section label (libgcrypt-backed gpg always advertises its compiled-in compression algorithms in the version banner) - locking in the compression-section advertisement of the version banner.
gpg --enarmor emits the PGP ARMORED FILE banner and the dearmor-comment line Port / libgcrypt / usage-gpg-r21-enarmor-banner-comment-line Passed
Pipes a fixed 8-byte payload through gpg --enarmor and asserts the captured output contains the exact "-----BEGIN PGP ARMORED FILE-----" banner, the literal Comment line advising "gpg --dearmor" for unpacking, and the closing "-----END PGP ARMORED FILE-----" trailer - locking in libgcrypt's enarmor banner shape that wraps a non-OpenPGP-message radix-64 block.
gpg --enarmor then --dearmor roundtrips 256 random bytes exactly Port / libgcrypt / usage-gpg-r21-enarmor-dearmor-binary-roundtrip-256 Passed
Generates 256 bytes of /dev/urandom into a binary file, pipes them through gpg --enarmor to produce a radix-64 armored block, pipes the armored block back through gpg --dearmor, and asserts the recovered bytes match the original via cmp -s - locking in libgcrypt's radix-64 encode/decode roundtrip path at a 256-byte payload distinct from earlier fixed-blob and perl-bytes roundtrip cases.
gpg --gen-random 2 128 emits exactly 128 bytes of strong-quality randomness Port / libgcrypt / usage-gpg-r21-gen-random-quality2-128-bytes Passed
Runs gpg --gen-random 2 128 to request 128 bytes from libgcrypt's strong-quality RNG (level 2) under an ephemeral GNUPGHOME, asserts the output is exactly 128 bytes, and that the bytes are not all identical (a trivial RNG sanity check) - locking in libgcrypt's GCRY_VERY_STRONG_RANDOM byte count at a 128-byte request distinct from prior 4/8/64-byte quality-2 tests.
gpg --list-config --with-colons cfg:curve row includes cv25519 Port / libgcrypt / usage-gpg-r21-list-config-curve-includes-cv25519 Passed
Runs gpg --list-config --with-colons under an ephemeral GNUPGHOME, extracts the cfg:curve: row, and asserts that splitting it on semicolons yields a token equal to exactly "cv25519" - locking in libgcrypt's cv25519 ECDH curve registration as a distinct semicolon token in gpg's compiled-in curve list (existing rounds checked ed25519, nistp256, secp256k1 but not cv25519 token-wise).
gpg --print-md RIPEMD160 of the lazy-dog pangram matches the RFC vector Port / libgcrypt / usage-gpg-r21-print-md-ripemd160-pangram-vector Passed
Computes the RIPEMD-160 digest of the canonical "The quick brown fox jumps over the lazy dog" pangram via gpg --print-md and asserts the captured uppercase-hex digest equals the published vector 37F332F68DB77BD9D7EDD4969571AD671CF9DD3B, locking in libgcrypt's RIPEMD-160 implementation on a 43-byte input distinct from prior abc and empty-input vectors.
gpg --print-md SHA3-256 of "abcdefghijklmnopqrstuvwxyz" matches NIST vector Port / libgcrypt / usage-gpg-r21-print-md-sha3-256-alphabet-vector Passed
Computes the SHA3-256 digest of the 26-character lowercase alphabet via gpg --print-md and asserts the captured uppercase-hex digest (whitespace stripped) equals the published NIST CAVS vector 7CAB2DC765E21B241DBC1C255CE620B29F527C6D5E7F5F843E56288F0D707521, locking in libgcrypt's SHA3-256 implementation on a 26-byte input distinct from prior abc and empty-input vectors.
gpg --print-md SHA3-384 of "abc" matches the NIST abc vector Port / libgcrypt / usage-gpg-r21-print-md-sha3-384-abc-vector Passed
Computes the SHA3-384 digest of the three-byte literal "abc" via gpg --print-md and asserts the captured uppercase-hex digest equals the NIST CAVS vector EC01498288516FC926459F58E2C6AD8DF9B473CB0FC08C2596DA7CF0E49BE4B298D88CEA927AC7F539F1EDF228376D25, locking in libgcrypt's SHA3-384 implementation on the canonical abc input (the existing r20 case covered only the empty-input vector).
gpg --print-md SHA3-512 of "abcdefghijklmnopqrstuvwxyz" matches NIST vector Port / libgcrypt / usage-gpg-r21-print-md-sha3-512-alphabet-vector Passed
Computes the SHA3-512 digest of the 26-character lowercase alphabet via gpg --print-md and asserts the captured uppercase-hex digest equals the published NIST CAVS vector AF328D17FA28753A3C9F5CB72E376B90440B96F0289E5703B729324A975AB384EDA565FC92AADED143669900D761861687ACDC0A5FFA358BD0571AAAD80ACA68, locking in libgcrypt's SHA3-512 implementation on a non-trivial input distinct from the existing abc and empty vectors.
gpg --quick-generate-key ed25519 produces a pub record with algorithm 22 (EdDSA) Port / libgcrypt / usage-gpg-r21-quick-gen-ed25519-pubalgo-22 Passed
Generates an ed25519 signing key in a fresh ephemeral GNUPGHOME using gpg --quick-generate-key, parses the resulting --with-colons --list-keys output for the pub record, and asserts field 4 (public-key algorithm id) is exactly 22 and field 17 (curve name) is exactly "ed25519" - locking in libgcrypt's ed25519 keygen registering with gpg's pubkey algorithm 22 (EdDSA) and reporting the curve via colons output (previous rounds covered RSA-3072 fingerprint uppercasing and nistp384 quick-gen but no algorithm-id assertion).
gpg --symmetric --cipher-algo CAMELLIA128 roundtrips a 384-byte payload Port / libgcrypt / usage-gpg-r21-symmetric-camellia128-roundtrip Passed
Encrypts 384 bytes of /dev/urandom output with gpg --symmetric --cipher-algo CAMELLIA128 under --pinentry-mode loopback with a fixed passphrase, decrypts the ciphertext, and asserts the recovered bytes match the original byte-for-byte - locking in libgcrypt's CAMELLIA-128 symmetric encrypt/decrypt path (existing rounds covered CAMELLIA192 and CAMELLIA256 roundtrips but not the 128-bit variant via a roundtrip).
gpg clearsign armor includes Hash header Port / libgcrypt / usage-gpg-r9-clearsign-armor-header-version Passed
Generates a clearsigned message and verifies the ASCII-armored output contains the Hash header documenting the digest algorithm.
gpg detached sign and verify Port / libgcrypt / usage-gpg-r9-detached-sign-verify-roundtrip Passed
Creates a detached binary signature for a payload and verifies it with --verify, asserting the verification status reports the signing key.
gpg --list-config curve includes nistp256 Port / libgcrypt / usage-gpg-r9-list-config-curve-nistp256 Passed
Calls gpg --list-config curve and verifies the supported-curves line includes nistp256 alongside other standard curves.
gpg --list-keys on empty keyring Port / libgcrypt / usage-gpg-r9-list-keys-empty-keyring Passed
Initializes a fresh GNUPGHOME and confirms gpg --list-keys returns successfully and produces no key entries.
gpg --print-md SHA224 KAT for empty input Port / libgcrypt / usage-gpg-r9-print-md-sha224-kat Passed
Computes the SHA224 digest of an empty input via gpg --print-md and verifies the output matches the canonical NIST KAT prefix.
gpg --print-md SHA512 from stdin Port / libgcrypt / usage-gpg-r9-print-md-sha512-stdin Passed
Pipes a known string into gpg --print-md SHA512 and verifies the digest matches the canonical SHA-512 hex for that input.
gpg --quick-generate-key RSA emits fingerprint Port / libgcrypt / usage-gpg-r9-quick-generate-rsa-fingerprint Passed
Generates an RSA-2048 signing key in a fresh GNUPGHOME and verifies a 40-character hex fingerprint can be extracted via --with-colons.
gpg symmetric binary file lacks ASCII armor header Port / libgcrypt / usage-gpg-r9-symmetric-binary-magic Passed
Encrypts a file symmetrically without --armor and verifies the resulting bytes do not contain the BEGIN PGP MESSAGE armor banner.
gpg symmetric with --compress-algo zip Port / libgcrypt / usage-gpg-r9-symmetric-compress-algo-zip Passed
Symmetrically encrypts a file with --compress-algo zip and decrypts the result, verifying the plaintext roundtrip succeeds.
gpg --version reports banner Port / libgcrypt / usage-gpg-r9-version-banner Passed
gpg binary recipient encryption Port / libgcrypt / usage-gpg-recipient-binary-encrypt Passed
gpg recipient encrypt armor Port / libgcrypt / usage-gpg-recipient-encrypt-armor Passed
Encrypts an armored message to a generated recipient key and verifies the decrypted plaintext round trip.
gpg recipient encrypt+decrypt with --cipher-algo AES128 Port / libgcrypt / usage-gpg-recipient-encrypt-cipher-aes128 Passed
Generates an RSA encryption key and round-trips a public-key encrypted message while pinning the session cipher to AES128 via --cipher-algo, asserting the recovered plaintext matches.
gpg recipient encrypt with --compress-algo BZIP2 Port / libgcrypt / usage-gpg-recipient-encrypt-compress-bzip2 Passed
Encrypts a compressible payload to a generated recipient using --compress-algo BZIP2, verifies the OpenPGP packet stream contains a compressed packet with algo=3 (BZip2), and round-trips the plaintext through decryption.
gpg recipient encrypt with --compress-algo none Port / libgcrypt / usage-gpg-recipient-encrypt-compress-none Passed
Encrypts a payload to a generated recipient with --compress-algo none and asserts that the inner OpenPGP stream contains a literal data packet with no preceding compressed packet, then round-trips the plaintext.
gpg recipient encrypt decrypt output Port / libgcrypt / usage-gpg-recipient-encrypt-decrypt-output Passed
GnuPG recipient encryption Port / libgcrypt / usage-gpg-recipient-encrypt Passed
gpg sign file round trip Port / libgcrypt / usage-gpg-sign-file-roundtrip Passed
gpg stored compressed packet Port / libgcrypt / usage-gpg-store-compressed-packet-batch11 Passed
gpg 3DES symmetric round trip Port / libgcrypt / usage-gpg-symmetric-3des Passed
gpg symmetric AES128 Port / libgcrypt / usage-gpg-symmetric-aes128-roundtrip Passed
Encrypts and decrypts a payload symmetrically with AES128 through gpg and verifies the restored plaintext.
gpg AES128 symmetric round trip Port / libgcrypt / usage-gpg-symmetric-aes128 Passed
gpg symmetric AES192 Port / libgcrypt / usage-gpg-symmetric-aes192-roundtrip Passed
Encrypts and decrypts a payload symmetrically with AES192 through gpg and verifies the restored plaintext.
gpg AES192 symmetric round trip Port / libgcrypt / usage-gpg-symmetric-aes192 Passed
gpg AES256 symmetric --no-armor binary output Port / libgcrypt / usage-gpg-symmetric-aes256-no-armor-binary Passed
Symmetrically encrypts a payload with --no-armor and asserts the ciphertext begins with an OpenPGP binary packet tag (high bit set), not an armored ASCII header.
gpg symmetric AES256 roundtrip Port / libgcrypt / usage-gpg-symmetric-aes256-roundtrip Passed
Encrypts and decrypts a payload with AES256 symmetric mode through gpg and verifies the recovered plaintext.
gpg AES256 symmetric round trip Port / libgcrypt / usage-gpg-symmetric-aes256 Passed
gpg symmetric armor output Port / libgcrypt / usage-gpg-symmetric-armor-output Passed
Produces an ASCII-armored symmetric message through gpg --armor and verifies decryption restores the original body.
GnuPG armored symmetric data Port / libgcrypt / usage-gpg-symmetric-armor Passed
gpg symmetric armored message Port / libgcrypt / usage-gpg-symmetric-armored-message Passed
gpg BLOWFISH symmetric round trip Port / libgcrypt / usage-gpg-symmetric-blowfish Passed
Symmetrically encrypts and decrypts a payload with --cipher-algo BLOWFISH (allowed via --allow-old-cipher-algos) and verifies the plaintext is restored byte-for-byte.
gpg symmetric bzip2 compression Port / libgcrypt / usage-gpg-symmetric-bzip2-compress Passed
gpg CAMELLIA192 symmetric round trip Port / libgcrypt / usage-gpg-symmetric-camellia192-roundtrip Passed
Encrypts a payload with gpg --cipher-algo CAMELLIA192 and verifies the decrypted bytes match the original sha256 digest.
gpg CAMELLIA256 symmetric Port / libgcrypt / usage-gpg-symmetric-camellia256-batch11 Passed
gpg CAST5 symmetric round trip Port / libgcrypt / usage-gpg-symmetric-cast5-roundtrip Passed
Symmetrically encrypts and decrypts with --cipher-algo CAST5 (allowed via --allow-old-cipher-algos) and confirms list-packets reports a symkey enc packet for the round-tripped ciphertext.
gpg CAST5 symmetric round trip Port / libgcrypt / usage-gpg-symmetric-cast5 Passed
gpg symmetric encryption with camellia128 Port / libgcrypt / usage-gpg-symmetric-cipher-camellia128 Passed
Encrypts and decrypts a payload with --cipher-algo CAMELLIA128 and confirms --list-packets reports symkey cipher 11 (camellia128) on the encrypted blob.
gpg symmetric encryption with compression level 9 Port / libgcrypt / usage-gpg-symmetric-compress-z9-decrypt Passed
Encrypts a highly compressible payload with --compress-level 9 and ZLIB, confirms ciphertext is materially smaller than plaintext, and verifies the decrypt sha256 matches.
gpg symmetric s2k with --digest-algo SHA512 Port / libgcrypt / usage-gpg-symmetric-digest-algo-sha512 Passed
Symmetrically encrypts a payload with explicit --digest-algo SHA512 (S2K hash) and round-trips the plaintext, confirming the s2k symkey packet header is present.
gpg symmetric encrypts zero-byte input Port / libgcrypt / usage-gpg-symmetric-empty-input Passed
Encrypts a zero-byte plaintext with AES256 symmetric mode and decrypts it, asserting the round-tripped output is also zero bytes.
gpg symmetric encryption advertises sha256 s2k digest Port / libgcrypt / usage-gpg-symmetric-list-packets-s2k-sha256 Passed
Encrypts symmetrically using --s2k-digest-algo SHA256 and confirms --list-packets reports a sha256 string-to-key specification on the encrypted blob.
gpg symmetric encryption with passphrase-fd 0 Port / libgcrypt / usage-gpg-symmetric-passphrase-fd-stdin Passed
Encrypts symmetrically while supplying the passphrase on file descriptor 0 via --passphrase-fd 0 and confirms the decrypt roundtrip succeeds.
gpg symmetric passphrase file Port / libgcrypt / usage-gpg-symmetric-passphrase-file Passed
Encrypts and decrypts with gpg symmetric mode using a passphrase file and verifies the plaintext round-trips.
GnuPG symmetric round trip Port / libgcrypt / usage-gpg-symmetric-roundtrip Passed
gpg symmetric s2k mode 1 salted only Port / libgcrypt / usage-gpg-symmetric-s2k-mode1-salted Passed
Encrypts symmetrically with --s2k-mode 1 (salted, no iteration) and confirms --list-packets shows mode 1 and a successful roundtrip decrypt.
gpg symmetric s2k mode 3 with explicit count Port / libgcrypt / usage-gpg-symmetric-s2k-mode3-count Passed
Encrypts symmetrically with explicit --s2k-mode 3 and --s2k-count, then decrypts and verifies the roundtrip sha256 matches.
gpg symmetric stdin armor Port / libgcrypt / usage-gpg-symmetric-stdin-armor Passed
Encrypts payload from stdin with gpg armored symmetric output and verifies decryption restores the streamed body.
gpg symmetric stdin Port / libgcrypt / usage-gpg-symmetric-stdin Passed
Encrypts stdin through gpg symmetric mode and verifies decrypted output matches the original streamed payload.
gpg TWOFISH symmetric Port / libgcrypt / usage-gpg-symmetric-twofish-batch11 Passed
gpg symmetric zlib compression Port / libgcrypt / usage-gpg-symmetric-zlib-compress Passed
gpg rejects tampered signature Port / libgcrypt / usage-gpg-tampered-signature-reject Passed
gpg --textmode symmetric roundtrip Port / libgcrypt / usage-gpg-textmode-encrypt-decrypt Passed
Symmetrically encrypts a multiline text payload with --textmode and decrypts it with --textmode, verifying the plaintext is preserved byte-for-byte.
gpg use-agent and no-use-agent both accepted Port / libgcrypt / usage-gpg-use-agent-flag-accepted Passed
Confirms gpg accepts both --use-agent and --no-use-agent without error, and that --no-use-agent is reported as obsolete-but-effectively-no-op while listing still succeeds.
gpg detached verify status-fd Port / libgcrypt / usage-gpg-verify-detached-status-fd Passed
gpg verify status stream Port / libgcrypt / usage-gpg-verify-status-stream Passed
GnuPG reports libgcrypt Port / libgcrypt / usage-gpg-version-libgcrypt Passed
gpg --weak-digest SHA1 rejects SHA1 signatures on verify Port / libgcrypt / usage-gpg-weak-digest-sha1-rejects-verify Passed
Demonstrates the --weak-digest contract: a SHA256 detached signature still verifies under --weak-digest SHA1, while a SHA1-digest detached signature is rejected with an "Invalid digest algorithm" error.
gpg with-colons fingerprint Port / libgcrypt / usage-gpg-with-colons-fingerprint Passed
Lists a generated key with with-colons mode and verifies the machine-readable fingerprint format.
CVE-2018-6829 libgcrypt regression Port / libgcrypt / cve-2018-6829 Passed
Asserts that gcry_pk_encrypt over ElGamal with (flags raw) still lacks semantic security — encrypting plaintext 0 produces a ciphertext whose b component equals 0 regardless of the freshly chosen k, which is the deterministic structural disclosure CVE-2018-6829 was filed against. The bug class survives in libgcrypt 1.10.x because the legacy direct-encryption path was never redesigned with a padding mode.
CVE-2024-2236 libgcrypt regression Port / libgcrypt / cve-2024-2236 Passed
Asserts that gcry_pk_decrypt of an RSA PKCS#1 v1.5 ciphertext still leaks a Bleichenbacher-style padding oracle — decrypting a valid PKCS#1 block returns ok while decrypting a block whose plaintext starts with 0x00 0x03 ... (deliberately wrong PKCS#1 header) returns a distinguishable error code. The CVE-2024-2236 fix in upstream libgcrypt would make both calls return the same outcome (synthetic random plaintext on failure); libgcrypt 1.10.x still distinguishes them.