Verify signature by specific key
David Shaw
dshaw at jabberwocky.com
Wed Jun 17 15:20:02 CEST 2009
On Jun 17, 2009, at 8:58 AM, Brian Mearns wrote:
> I'm looking for an automated way to verify that a signature was made
> by a specific key. It's not sufficient to just verify that the
> signature is valid and known to my keyring, I want to confirm who it
> belongs to. I was hoping the -u option would work, but it doesn't seem
> to. The only work-arounds I've come up with are parsing the message
> sent to stderr ("Signature made ... using ... key ..."), or creating a
> separate key ring containing only the desired key. But both of these
> options kind of suck. Any other ideas?
There is no way to do this directly, but a better answer than parsing
the stderr message would be:
gpg --status-fd 1 --verify (thefile)
Look for a line like:
[GNUPG:] VALIDSIG DDBA02CC9AE4EFC2A51F2DEA4B721440F246FA67 2009-06-17 1245244298 0 4 0 17 2 00 DDBA02CC9AE4EFC2A51F2DEA4B721440F246FA67
In order, the fields are:
- the fingerprint of the key that made the signature (might be a subkey)
- the date of signing (according to the system that made the signature)
- same as above in seconds-since-1970 form
- the expiration time of the signature in seconds-since-1970 form, or 0 if it never expires
- signature version
- reserved field (ignore it)
- the algorithm used in making the signature (1==RSA, 17==DSA)
- hash algorithm (2==SHA-1, etc.)
- signature class (00==binary signature, 01==text signature)
- primary key fingerprint of the key that made the signature
Most of those fields are not relevant to your use. Just compare the
last field (the primary key fingerprint) to the fingerprint of the key
that you want to confirm made the signature, and you should get what
you want.
David
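A small checker that follows the approach David describes, added here as an example (it is not from the thread and not GnuPG's own code). It reads the `--status-fd 1` output, keeps only VALIDSIG records, and compares the last field (the primary key fingerprint) with the expected one; the first sample status text reuses the VALIDSIG line quoted above, the second sample and its subkey fingerprint are constructed.

```python
import subprocess

# Status output as gpg --status-fd 1 --verify prints it. The first sample is the
# VALIDSIG line from the post; the second is constructed to show a signature made
# by a subkey (placeholder fingerprint) of a different primary key.
SAMPLE_STATUS_OK = (
    "[GNUPG:] VALIDSIG DDBA02CC9AE4EFC2A51F2DEA4B721440F246FA67 2009-06-17 "
    "1245244298 0 4 0 17 2 00 DDBA02CC9AE4EFC2A51F2DEA4B721440F246FA67\n"
)
SAMPLE_STATUS_SUBKEY = (
    "[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2009-06-17 "
    "1245244298 0 4 0 1 2 00 2222222222222222222222222222222222222222\n"
)
# A bad or missing signature never produces VALIDSIG, so a verifier that keys on
# VALIDSIG alone fails closed on output like this (constructed, keyword only).
SAMPLE_STATUS_BAD = "[GNUPG:] BADSIG 0000000000000000 nobody\n"

PRIMARY_FPR_INDEX = 9  # 0-based position of the primary key fingerprint in VALIDSIG


def status_records(status_text):
    """Split [GNUPG:] status lines into {keyword: [argument lists]}."""
    records = {}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ordinary gpg chatter goes to stderr; ignore anything else
        parts = line.split()
        records.setdefault(parts[1], []).append(parts[2:])
    return records


def signed_by(status_text, expected_primary_fpr):
    """True only if gpg reported a VALIDSIG whose primary fingerprint matches."""
    expected = expected_primary_fpr.replace(" ", "").upper()
    for args in status_records(status_text).get("VALIDSIG", []):
        # Compare the primary key fingerprint, not the first field, which may be a subkey.
        if len(args) > PRIMARY_FPR_INDEX and args[PRIMARY_FPR_INDEX].upper() == expected:
            return True
    return False


def verify_file_signed_by(path, expected_primary_fpr):
    """Run gpg as in the post and decide purely from the status lines on stdout."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True)
    return signed_by(proc.stdout, expected_primary_fpr)
```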