Verifying a signature
Wed Oct 23 14:11:02 2002
If I'm running gpg in an automated environment, what is the best way to
make sure that a good signature came from the sender I expected?
For instance: I run gpg decrypt with --status-fd and analyze the output
to see that a GOODSIG was included. Now how do I make sure it was
ACME's signature and not somebody else on my keyring? Do I check the
output for ACME's name or email or whatever identifying information
they have with their public key?
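
Added example, not part of the original post: one way to make this check is to compare the fingerprint from the VALIDSIG status line against a fingerprint pinned in advance for the expected sender, because the name and email shown on the GOODSIG line are free text chosen by whoever created the key. The fingerprints, user ID and status lines below are constructed placeholders, and parse_status, signed_by and sample are hypothetical helper names.

```python
PREFIX = "[GNUPG:] "
# Status keywords that mean the signature must not be relied on.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def parse_status(status_text):
    """Yield (keyword, args) for each GnuPG status line; skip other output."""
    for line in status_text.splitlines():
        if line.startswith(PREFIX):
            parts = line[len(PREFIX):].split()
            if parts:
                yield parts[0], parts[1:]

def signed_by(status_text, expected_fpr):
    """True only if the sole good signature is from the key expected_fpr."""
    expected = expected_fpr.replace(" ", "").upper()
    good = False
    signers = set()
    for keyword, args in parse_status(status_text):
        if keyword in REJECT:
            return False
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # The last field is the primary key fingerprint when gpg reports
            # it; otherwise fall back to the signing key fingerprint.
            primary = args[9] if len(args) >= 10 else args[0]
            signers.add(primary.upper())
    # Require a good signature and no signer other than the pinned key.
    return good and signers == {expected}

def sample(fpr, uid="ACME Corp <sign@acme.example>"):
    """Constructed status output for a good signature made by key fpr."""
    return (f"{PREFIX}GOODSIG {fpr[-16:]} {uid}\n"
            f"{PREFIX}VALIDSIG {fpr} 2002-10-23 1035382262 0 3 0 17 2 00 {fpr}\n")

ACME_FPR = "A" * 40   # placeholder, not a real fingerprint
OTHER_FPR = "B" * 40  # placeholder for another key on the keyring

if __name__ == "__main__":
    print(signed_by(sample(ACME_FPR), ACME_FPR))   # signed by the pinned key
    print(signed_by(sample(OTHER_FPR), ACME_FPR))  # same user ID, other key
```

The pinned fingerprint should come from a channel you trust and be stored with the automation's configuration, not looked up from the keyring by name at verification time.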