Sunday, January 6, 2008

OS X: Integrate GPG Into Finder Using Automator

As a developer, I often find myself downloading open source software packages and libraries for my projects. Best practices dictate that you should always verify signed packages if a signature is present. Normally I do this from the command line but I recently created an Automator workflow that lets me check signatures right in the OS X Finder application. The rest of this article is a tutorial on how I implemented this workflow.

Getting started, you will need to have GNU Privacy Guard installed on your system. You can easily install gpg via Darwinports. I will be using gpg version 1.4.6 on Mac OS 10.4.11 (Tiger) for this tutorial.

The first thing to do is to get a signature that needs to be verified. For this example I will download the Jakarta commons-codec package. When downloading, be sure you also get the PGP KEYS file and the commons-codec-1.3.tar.gz.asc signature file.

Once you have downloaded the three files you will need to import the data in the KEYS file into your gpg keyring. Note that this will only need to be done once:

gpg --import KEYS

After the import, right click on the commons-codec-1.3.tar.gz.asc file and select Automator -> Create Workflow. Once the workflow editor opens, add the following three steps:

  1. Get Selected Finder Items - Finder Application
  2. Run Shell Script - Automator Application
  3. Run AppleScript - Automator Appliction

Step 2 will actually run the gpg signature verification command. Note that /opt/local/bin is the default location where Darwinports installs the gpg application:

/opt/local/bin/gpg --no-tty --verify $1 2>&1 || exit 0

Now in step 3, a short AppleScript will be used to display the signature verification results:

on run {input, parameters}

display dialog item 2 of input buttons {"OK"} default button 1

return input
end run

Finally, save your new workflow as a plugin for the Finder application. Go to File -> Save As Plugin and choose Finder. Save the workflow as "Verify Signature". Now you will be able to choose the Verify Signature workflow from the Automator menu in Finder.

No comments: