Verifying a signature

David Shaw dshaw@jabberwocky.com
Wed Oct 23 16:52:01 2002


On Wed, Oct 23, 2002 at 07:11:20AM -0500, Scott_Carpenter@cargill.com wrote:
> If I'm running gpg in an automated environment, what is the best way to 
> make sure that a good signature came from the sender I expected?
> 
> For instance: I run gpg decrypt with --status-fd and analyze the output 
> to see that a GOODSIG was included.  Now how do I make sure it was 
> ACME's signature and not somebody else on my keyring?  Do I check the 
> output for ACME's name or email or whatever identifying information 
> they have with their public key?

The most secure way to do this is to look for GOODSIG *and* VALIDSIG.
The first argument to VALIDSIG is the fingerprint of the key that made
the signature.  You can do this with just GOODSIG, but since GOODSIG
has only the keyid and not a full fingerprint, it is spoofable.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
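A worked version of the check David describes, added here as an example and not part of the original thread: it parses the `[GNUPG:]` lines that gpg writes to `--status-fd`, and accepts a signature only when a GOODSIG line is present and a VALIDSIG line names the expected full fingerprint. The status lines, fingerprints and user IDs below are constructed for illustration; the two fingerprints are deliberately built to share the same 16-hex-digit key ID so the GOODSIG-only check can be seen passing for the wrong key. The `gpg_status` helper assumes a `gpg` binary on PATH.

```python
"""Accept a gpg signature only from an expected key, using --status-fd.

Added example (not code from the original post).  The status lines,
fingerprints and user IDs are constructed for illustration.
"""
import re
import subprocess
from typing import List

STATUS_PREFIX = "[GNUPG:] "

# Constructed fingerprints: both end in the same 16 hex digits, so both
# keys have the same long key ID and GOODSIG alone cannot tell them apart.
ACME_FPR = "8A4F1C2B9D3E6F7A5B0C1D2E0123456789ABCDEF"
ROGUE_FPR = "DEADBEEF00001111222233330123456789ABCDEF"

# Constructed status-fd output for a genuine ACME signature.
GENUINE_STATUS = """\
[GNUPG:] SIG_ID AbCdEfGh1234567890 2002-10-23 1035366720
[GNUPG:] GOODSIG 0123456789ABCDEF ACME Corp (automated) <ops@acme.example>
[GNUPG:] VALIDSIG 8A4F1C2B9D3E6F7A5B0C1D2E0123456789ABCDEF 2002-10-23 1035366720
[GNUPG:] TRUST_FULLY
"""

# Constructed status-fd output for a signature by another key on the
# keyring whose key ID happens to match ACME's.
SPOOF_STATUS = """\
[GNUPG:] SIG_ID ZyXwVuTs0987654321 2002-10-23 1035366800
[GNUPG:] GOODSIG 0123456789ABCDEF Some Other Sender <other@example.org>
[GNUPG:] VALIDSIG DEADBEEF00001111222233330123456789ABCDEF 2002-10-23 1035366800
[GNUPG:] TRUST_UNDEFINED
"""


def parse_status(status_text: str) -> List[List[str]]:
    """Split status-fd text into [KEYWORD, arg1, arg2, ...] records.

    Lines without the [GNUPG:] prefix (ordinary stderr chatter when the
    status fd is shared with stderr) are ignored.
    """
    records = []
    for line in status_text.splitlines():
        if line.startswith(STATUS_PREFIX):
            records.append(line[len(STATUS_PREFIX):].split())
    return records


def normalize_fpr(fpr: str) -> str:
    """Drop whitespace and upper-case so '8a4f 1c2b ...' compares equal."""
    return re.sub(r"\s+", "", fpr).upper()


def signed_by_fingerprint(status_text: str, expected_fpr: str) -> bool:
    """The check the post recommends: GOODSIG *and* VALIDSIG with our fpr.

    VALIDSIG's first argument is the full fingerprint of the key that
    made the signature, so this ties acceptance to one specific key.
    """
    want = normalize_fpr(expected_fpr)
    saw_goodsig = False
    valid_fprs = set()
    for rec in parse_status(status_text):
        if not rec:
            continue
        if rec[0] == "GOODSIG":
            saw_goodsig = True
        elif rec[0] == "VALIDSIG" and len(rec) >= 2:
            valid_fprs.add(normalize_fpr(rec[1]))
    return saw_goodsig and want in valid_fprs


def signed_by_keyid(status_text: str, expected_keyid: str) -> bool:
    """The weaker check the post warns about: match GOODSIG's key ID only.

    Accepts a short (8 hex) or long (16 hex) key ID; either is just the
    tail of the fingerprint and is not unique across a keyring.
    """
    want = expected_keyid.upper()
    for rec in parse_status(status_text):
        if rec and rec[0] == "GOODSIG" and len(rec) >= 2:
            if rec[1].upper().endswith(want):
                return True
    return False


def gpg_status(*gpg_args: str) -> str:
    """Run gpg with status lines on stderr and return that text.

    Assumes a gpg binary on PATH.  --batch prevents interactive prompts;
    plaintext goes to stdout or wherever --output points, so it never
    mixes with the status lines that parse_status() reads.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "2", *gpg_args],
        capture_output=True, text=True,
    )
    return proc.stderr


if __name__ == "__main__":
    for name, text in (("genuine", GENUINE_STATUS), ("spoof", SPOOF_STATUS)):
        print(name, "keyid-only:", signed_by_keyid(text, "0123456789ABCDEF"),
              "fingerprint:", signed_by_fingerprint(text, ACME_FPR))
```

In an automated pipeline the call would be `signed_by_fingerprint(gpg_status("--decrypt", "--output", "plain.txt", "in.gpg"), ACME_FPR)`, with the expected fingerprint pinned in configuration rather than read from the keyring at run time.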