Verify signature by specific key

David Shaw dshaw at jabberwocky.com
Wed Jun 17 15:20:02 CEST 2009


On Jun 17, 2009, at 8:58 AM, Brian Mearns wrote:

> I'm looking for an automated way to verify that a signature was made
> by a specific key. It's not sufficient to just verify that the
> signature is valid and known to my keyring, I want to confirm who it
> belongs to. I was hoping the -u option would work, but it doesn't seem
> to. The only work-arounds I've come up with are parsing the message
> sent to stderr ("Signature made ... using ... key ..."), or creating a
> separate key ring containing only desired key. But both of these
> options kind of suck. Any other ideas?

There is no way to do this directly, but a better answer than parsing the stderr message would be:

gpg --status-fd 1 --verify (thefile)

Look for a line like:

[GNUPG:] VALIDSIG DDBA02CC9AE4EFC2A51F2DEA4B721440F246FA67 2009-06-17 1245244298 0 4 0 17 2 00 DDBA02CC9AE4EFC2A51F2DEA4B721440F246FA67

In order, the fields are:

  - the fingerprint of the key that made the signature (might be a subkey)
  - the date of signing (according to the system that made the signature)
  - same as above in seconds-since-1970 form
  - the expiration time of the signature in seconds-since-1970 form, or 0 if it never expires
  - signature version
  - reserved field (ignore it)
  - the algorithm used in making the signature (1==RSA, 17==DSA)
  - hash algorithm (2==SHA-1, etc.)
  - signature class (00==binary signature, 01==text signature)
  - primary key fingerprint of the key that made the signature

Most of those fields are not relevant to your use.  Just compare the last field (the primary key fingerprint) to the fingerprint of the key that you want to confirm made the signature, and you should get what you want.

David
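The check David describes, written out as an added example that is not part of the original thread: it parses the `[GNUPG:] VALIDSIG` lines from `gpg --status-fd 1 --verify` output and compares the last field (the primary key fingerprint) against the fingerprint you expect, so a signature made by a subkey of that key still matches. The sample status text is constructed for the example (the first VALIDSIG line is the one quoted in the message; the second, with a different signing-key fingerprint, is made up to show the subkey case), and `verify_file` assumes a `gpg` binary on `PATH`.

```python
"""Confirm that a GnuPG signature was made by a specific primary key.

Parses VALIDSIG status lines (as printed by `gpg --status-fd 1 --verify`)
instead of the human-readable stderr text, which is not stable.
"""
import subprocess
from typing import Dict, List

# Constructed sample output. The first VALIDSIG line is the one quoted in
# the mailing-list message; the second is invented to show a signature made
# by a subkey (first field) whose primary key (last field) is the same key.
SAMPLE_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG DDBA02CC9AE4EFC2A51F2DEA4B721440F246FA67 2009-06-17 1245244298 0 4 0 17 2 00 DDBA02CC9AE4EFC2A51F2DEA4B721440F246FA67
[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2009-06-17 1245244298 0 4 0 1 8 00 DDBA02CC9AE4EFC2A51F2DEA4B721440F246FA67
"""

VALIDSIG_PREFIX = "[GNUPG:] VALIDSIG "


def parse_validsig(status_output: str) -> List[Dict[str, object]]:
    """Return one dict per VALIDSIG line, with the fields named as in the message."""
    sigs = []
    for line in status_output.splitlines():
        if not line.startswith(VALIDSIG_PREFIX):
            continue
        fields = line.split()[2:]
        if len(fields) < 10:
            # Older gpg versions may omit the trailing primary fingerprint;
            # without it we cannot do the comparison, so refuse to guess.
            raise ValueError("VALIDSIG line lacks primary key fingerprint: %r" % line)
        sigs.append({
            "fingerprint": fields[0].upper(),   # key that made the signature (may be a subkey)
            "date": fields[1],
            "timestamp": int(fields[2]),
            "expires": int(fields[3]),          # 0 == never expires
            "version": int(fields[4]),
            "pubkey_algo": int(fields[6]),      # 1 == RSA, 17 == DSA
            "hash_algo": int(fields[7]),        # 2 == SHA-1
            "sig_class": fields[8],             # 00 binary, 01 text
            "primary_fpr": fields[9].upper(),   # compare against this one
        })
    return sigs


def normalize_fpr(fpr: str) -> str:
    """Accept fingerprints with or without the usual spacing, any case."""
    return fpr.replace(" ", "").upper()


def signed_by(status_output: str, expected_primary_fpr: str) -> bool:
    """True if any valid signature in the output came from the expected primary key."""
    want = normalize_fpr(expected_primary_fpr)
    return any(sig["primary_fpr"] == want for sig in parse_validsig(status_output))


def verify_file(path: str, expected_primary_fpr: str) -> bool:
    """Run gpg on a real file and apply the same check (assumes gpg on PATH).

    --status-fd 1 sends the machine-readable status lines to stdout; --batch
    keeps gpg from prompting. A non-zero exit means no valid signature at all.
    """
    result = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", path],
        capture_output=True, text=True,
    )
    if result.returncode != 0:
        return False
    return signed_by(result.stdout, expected_primary_fpr)


if __name__ == "__main__":
    key = "DDBA 02CC 9AE4 EFC2 A51F  2DEA 4B72 1440 F246 FA67"
    print("signed by expected key:", signed_by(SAMPLE_STATUS, key))
```

Checking the last field rather than the first is what makes the subkey case work: in the constructed second line the signing fingerprint is not the expected key, but the primary fingerprint is, and that is the identity you care about.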