Q: how to verify signature

Ph. Marek marek@mail.bmlv.gv.at
Thu, 30 Nov 2000 17:16:18 +0100


Hi everybody,

I'm having a problem.

What I want:
I have a big absolute tar-archive (several to 500 MB) that should go to
several people, who should get that into their machine without much
interaction. So they get a shell script, which verifies the signing, and if
it's from me, untar it.

Should be verifyable from me, and readable only by them. 
Distributed per CD or network, should be fast to be unpacked, MUST go without
temporary files of the archive. (space in /tmp <32MB).

So signed by me, crypted for them.

So:

> gpg -o Outputfile -se -r One -r Two -r Three Inputfile
makes the outputfile. The problem: I want to write a shellscript to unpack that. If it does gpg -d -o - Outputfile | tar -xvf - it gets the information "Good signature from xxx" AFTER it has been unpacked! But if I do gpg -o - -e -r One -r Two -r Three Inputfile | gpg -s > Outputfile and then gpg --verify Outputfile | grep 'Good signature from "xxx"' || exit gpg -o - d Outputfile | tar -xvf - it doesn't work. (BTW, if I want to do that via ssh-piping the datafile I'd have to send it twice). How can I test the signature of a file without having to read it twice?? Regards, Phil -- Archive is at http://lists.gnupg.org - Unsubscribe by sending mail with a subject of "unsubscribe" to gnupg-users-request@gnupg.org