gpg --verify exit status

Werner Koch wk at
Thu Aug 19 09:44:44 CEST 2004

On Wed, 18 Aug 2004 19:01:08 +0200, Jos Vos said:

> In my experience, both gpg --verify and --verify-files exit 0 for
> files that are not signed.  The only difference is that they
> then do not print the success message.  Is this correct?

Yes.  It is usually not sufficient to look at the exit code because in
an unattended setting you won't make use of the Web of Trust (or, well,
only in rare cases).  Thus to make sure the signature has been done by
a trusted key you also need to compare the fingerprint of the key.

Something like "gpg --verify --status-fd 1" and then grepping for 

[GNUPG:] VALIDSIG 6BD9050FD8FC941B43412DCC68B7AB8957548DCD

and compare the 3rd field against a list of trusted keys.

> In general: how do I enforce a signature check on a given file
> (without having to parse the output messages -- if possible)?

Because this is a common problem, gpgv exists.  gpgv returns a proper
exit code and you know that the signature is good and the key
trusted.  The trick here is that gpgv uses only keys from a different
keyring (default is ~/.gnupg/trustedkeys.gpg, change using --keyring
option) and this keyring is your list of trusted keys.
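
The status-line check described in the message above, as an added example that is not part of the original post or of GnuPG. The function names and the reject policy for BADSIG/ERRSIG lines are assumptions of this example, and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example. Fingerprints of trusted signing keys, whitespace-separated.
# The single entry is the fingerprint quoted in the message above.
TRUSTED_FPRS='6BD9050FD8FC941B43412DCC68B7AB8957548DCD'

# check_status: read "--status-fd" lines on stdin. Return 0 only if at least
# one VALIDSIG names an allowlisted fingerprint (3rd field) and nothing
# contradicts it. Policy chosen for this example: any BADSIG/ERRSIG line or
# any VALIDSIG from a key outside the list rejects the file. An unsigned
# file produces no VALIDSIG line at all and is therefore rejected too.
check_status() {
    TRUSTED_FPRS="$TRUSTED_FPRS" awk '
        BEGIN {
            n = split(ENVIRON["TRUSTED_FPRS"], t, /[ \t\n]+/)
            for (i = 1; i <= n; i++) if (t[i] != "") ok[toupper(t[i])] = 1
        }
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "VALIDSIG" { if (toupper($3) in ok) good = 1; else bad = 1 }
        END { exit ((good && !bad) ? 0 : 1) }
    '
}

# verify_file SIGFILE [DATAFILE]: gpg's own exit status is deliberately
# ignored; only the parsed status lines decide.
verify_file() {
    gpg --verify --status-fd 1 "$@" 2>/dev/null | check_status
}

# Constructed status output for offline testing (not captured from a real run).
sample_good() {
    printf '%s\n' \
      '[GNUPG:] GOODSIG 68B7AB8957548DCD Constructed Signer <signer@example.org>' \
      '[GNUPG:] VALIDSIG 6BD9050FD8FC941B43412DCC68B7AB8957548DCD 2004-08-19 1092901484'
}
sample_unsigned() { printf '%s\n' '[GNUPG:] NODATA 1'; }
sample_other_key() {
    printf '%s\n' '[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2004-08-19 1092901484'
}
sample_bad() {
    printf '%s\n' '[GNUPG:] BADSIG 68B7AB8957548DCD Constructed Signer <signer@example.org>'
}
```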


