Verifying a signature

Gill, John
Wed Oct 23 15:50:02 2002

I had to do this too.  To solve it, I created a master key database and
created a custom keyring only when I needed to decrypt a single item.  Into
that custom keyring I placed my public key and the public key of the sender.
The b2b network I was working with required all participants to put a set of
identifying information in the subject/filename so that the receiving party
knew who should have signed the file.

John Gill
***  These comments are my own and do not represent my employer in any way.

-----Original Message-----
From: [] 
Sent: Wednesday, October 23, 2002 7:11 AM
Subject: Verifying a signature

If I'm running gpg in an automated environment, what is the best way to 
make sure that a good signature came from the sender I expected?

For instance: I run gpg decrypt with --status-fd and analyze the output 
to see that a GOODSIG was included.  Now how do I make sure it was 
ACME's signature and not somebody else on my keyring?  Do I check the 
output for ACME's name or email or whatever identifying information 
they have with their public key?



Gnupg-users mailing list