Verifying Signatures in a Script

Keith Hellman khellman at
Mon Jun 11 18:56:38 CEST 2007

On Sun, Jun 10, 2007 at 10:33:47AM -0700, Dan T. wrote:
> Look into the --status-fd output, I think the VALIDSIG
> value is what you want.
> I hope this helps.
> Dan

Just as a follow-up, I pursued Sven's idea and simply created a
specialized directory:
  $ mkdir .my_signature
Exported my public key to its location
  $ gpg --home ~/.my_signature --import <(gpg --export <my_key_identifier>)
(or something like that...)

And now I simply invoke gpg (or gpgv) from within my script as
  if gpg --home ~/.my_signature --verify ${FILE} ; then ...

Works like a charm, it also has a benefit of easily managing the
signatures I want my script to accept, without cluttering up my
script with silly whose-signed-this-thing logic.  I just import or
remove the appropriate public keys from ./my_signature's database.

Keith Hellman                             #include <disclaimer.h>
khellman at                from disclaimer import standard
khellman at
                    public key @ B5354B76                     
    Y!M: mcprogramming                           AIM/ICQ: 485403897       
                     gtalk: jabber at                      

Experience is a harsh teacher.  She gives the test before you learn the
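
The two suggestions in this thread (the VALIDSIG line from --status-fd and a dedicated key directory) can be combined. The script below is an added example, not part of the original message: `check_status`, `verify_file`, `sample_status` and the fingerprint are constructed for illustration, and the field layout assumed for VALIDSIG is the one documented in GnuPG's doc/DETAILS.

```shell
#!/bin/sh
# Added example: accept a file only if gpg reports a VALIDSIG from an
# allowed key and reports no bad, expired or revoked signature.

# Fingerprints the script accepts (constructed placeholder value).
ALLOWED_FPRS="0123456789ABCDEF0123456789ABCDEF01234567"

# check_status: read --status-fd lines on stdin and return 0 only if a
# VALIDSIG line names an allowed fingerprint and nothing disqualifies it.
check_status() {
    ok=1
    while read -r tag keyword fpr rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                return 1 ;;
            VALIDSIG)
                # Assumption: when present, the last field is the primary
                # key fingerprint (differs from $fpr for subkey signatures).
                primary=${rest##* }
                for allowed in $ALLOWED_FPRS; do
                    if [ "$fpr" = "$allowed" ] || [ "$primary" = "$allowed" ]; then
                        ok=0
                    fi
                done ;;
        esac
    done
    return $ok
}

# verify_file: run gpg against the dedicated key directory from the post and
# feed its machine-readable status (stdout) to check_status.
verify_file() {
    gpg --homedir "$HOME/.my_signature" --status-fd 1 --verify "$1" 2>/dev/null |
        check_status
}

# Constructed status output, shaped like what gpg emits for a good signature.
sample_status() {
    printf '%s\n' \
        "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>" \
        "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2007-06-11 1181580998 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567"
}

sample_status | check_status && echo "sample status: signature accepted"
```

In a script this would be used as `if verify_file "$FILE"; then ...`, with the fingerprint list replacing or supplementing the import-or-remove step on the key directory.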