Q: how to verify signature

[Ph. Marek]

Hi everybody,

I'm having a problem.

What I want:
I have a big absolute tar-archive (several to 500 MB) that should go to
several people, who should get that into their machine without much
interaction. So they get a shell script, which verifies the signing, and if
it's from me, untar it.

Should be verifyable from me, and readable only by them. 
Distributed per CD or network, should be fast to be unpacked, MUST go without
temporary files of the archive. (space in /tmp <32MB).

So signed by me, crypted for them.

So:
> gpg -o Outputfile -se -r One -r Two -r Three Inputfile
makes the outputfile.


The problem:

I want to write a shellscript to unpack that.
If it does
  gpg -d -o - Outputfile | tar -xvf -
it gets the information "Good signature from xxx" AFTER it has been unpacked!

But if I do
  gpg -o - -e -r One -r Two -r Three Inputfile | gpg -s > Outputfile
and then
  gpg --verify Outputfile | grep 'Good signature from "xxx"' || exit
  gpg -o - d Outputfile | tar -xvf -
it doesn't work.
(BTW, if I want to do that via ssh-piping the datafile I'd have to send it
twice).

How can I test the signature of a file without having to read it twice??


Regards,

Phil

-- 
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of  "unsubscribe"  to gnupg-users-request@gnupg.org