Verifying a signature
Wed Oct 23 15:50:02 2002
I had to do this too. To solve it, I created a master key database and
created a custom keyring only when I needed to decrypt a single item. Into
that custom keyring I placed my public key and the public key of the sender.
The b2b network I was working with required all participants to put a set of
identifying information in the subject/filename so that the receiving party
knew who should have signed the file.
*** These comments are my own and do not represent my employer in any way.
From: Scott_Carpenter@cargill.com [mailto:Scott_Carpenter@cargill.com]
Sent: Wednesday, October 23, 2002 7:11 AM
Subject: Verifying a signature
If I'm running gpg in an automated environment, what is the best way to
make sure that a good signature came from the sender I expected?
For instance: I run gpg decrypt with --status-fd and analyze the output
to see that a GOODSIG was included. Now how do I make sure it was
ACME's signature and not somebody else's on my keyring? Do I check the
output for ACME's name or email or whatever identifying information
they have with their public key?
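The question above asks how an automated job should decide, from `--status-fd` output, that a GOODSIG really came from the expected partner. The following is an added example, not code from either message in this thread or from GnuPG itself. It parses a status transcript and accepts only when a `VALIDSIG` line carries the expected key's fingerprint (signing subkey or primary key), rather than matching the name or e-mail text in the `GOODSIG` line, since anyone can generate a key with the same user id. The fingerprints and status transcripts are constructed placeholders, and `gpg_decrypt_argv` is an assumed helper that builds the command for the custom-keyring approach from the reply (it is not executed here).

```python
"""Decide whether gpg --status-fd output shows a valid signature from an expected key."""
import re
from dataclasses import dataclass, field

STATUS_PREFIX = "[GNUPG:] "


def normalize_fpr(fpr):
    """Canonical fingerprint: hex digits only, upper case, no spaces."""
    return re.sub(r"[^0-9A-Fa-f]", "", fpr).upper()


@dataclass
class VerifyResult:
    good_sigs: list = field(default_factory=list)   # (long key id, user id) from GOODSIG lines
    valid_fprs: set = field(default_factory=set)    # fingerprints from VALIDSIG lines
    bad_sig: bool = False                           # a BADSIG line was seen
    unverifiable: bool = False                      # ERRSIG / NO_PUBKEY: could not check


def parse_status(status_text):
    """Extract the signature-related keywords from a --status-fd transcript."""
    res = VerifyResult()
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue                                  # ordinary diagnostic output
        body = line[len(STATUS_PREFIX):]
        keyword = body.split(" ", 1)[0]
        if keyword == "GOODSIG":
            fields = body.split(" ", 2)               # GOODSIG <keyid> <user id text>
            res.good_sigs.append((fields[1], fields[2] if len(fields) > 2 else ""))
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <sig-ts> <expire-ts> <ver> <res> <pk-algo>
            #          <hash-algo> <class> [<primary-key-fpr>]
            parts = body.split()
            res.valid_fprs.add(normalize_fpr(parts[1]))
            if len(parts) > 10:
                res.valid_fprs.add(normalize_fpr(parts[10]))
        elif keyword == "BADSIG":
            res.bad_sig = True
        elif keyword in ("ERRSIG", "NO_PUBKEY"):
            res.unverifiable = True
    return res


def signed_by_expected(status_text, expected_fpr):
    """True only when gpg reported VALIDSIG for the expected fingerprint.

    The user id in GOODSIG is deliberately ignored for this decision: a key
    whose user id reads 'ACME Corp' proves nothing about who holds it.
    """
    res = parse_status(status_text)
    if res.bad_sig or res.unverifiable:
        return False
    return normalize_fpr(expected_fpr) in res.valid_fprs


def gpg_decrypt_argv(ciphertext_path, plaintext_path, keyring_path):
    """Assumed helper: argv for the reply's custom-keyring approach.

    keyring_path holds only our own key and the sender's public key. Status
    lines go to stdout and the plaintext to plaintext_path, so the two do not mix.
    """
    return ["gpg", "--batch", "--no-tty", "--no-default-keyring", "--keyring", keyring_path,
            "--status-fd", "1", "--output", plaintext_path, "--decrypt", ciphertext_path]


# Constructed placeholder fingerprint for the expected partner key.
ACME_FPR = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"

# Constructed transcript: a genuine signature from the key above.
STATUS_FROM_ACME = """\
[GNUPG:] ENC_TO 89ABCDEF01234567 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODSIG 89ABCDEF01234567 ACME Corp <edi@acme.example>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2002-10-23 1035380000 0 4 0 17 2 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY
[GNUPG:] END_DECRYPTION
"""

# Constructed transcript: same user id text, but signed by a different key.
STATUS_FROM_LOOKALIKE = """\
[GNUPG:] GOODSIG 76543210FEDCBA98 ACME Corp <edi@acme.example>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2002-10-23 1035380000 0 4 0 17 2 01 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED
"""

if __name__ == "__main__":
    print("from ACME:", signed_by_expected(STATUS_FROM_ACME, ACME_FPR))          # True
    print("lookalike:", signed_by_expected(STATUS_FROM_LOOKALIKE, ACME_FPR))     # False
```

In a job, run the argv from `gpg_decrypt_argv` with `subprocess.run(..., capture_output=True, text=True)` and pass its `stdout` to `signed_by_expected`; the expected fingerprint should come from your own partner configuration, not from anything in the received file or its subject line.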
Gnupg-users mailing list