Verifying a signature
Wed Oct 23 14:11:02 2002

If I'm running gpg in an automated environment, what is the best way to 
make sure that a good signature came from the sender I expected?

For instance: I run gpg decrypt with --status-fd and analyze the output 
to see that a GOODSIG was included.  Now how do I make sure it was 
ACME's signature and not somebody else on my keyring?  Do I check the 
output for ACME's name or email or whatever identifying information 
they have with their public key?