how to properly verify a signature from a program?

David Roundy roundyd at physics.oregonstate.edu
Tue Nov 24 18:16:29 CET 2009


Hi all,

I've been searching and searching, and have failed to find any
documentation or tutorial that indicates the proper way to verify a
signature from a program.  The problem is that I want not to verify
that *anyone* signed a message, but rather to verify that *someone in
particular* signed it.  And that doesn't seem to be in the gpg
interface, so far as I can find.  If a human is doing the
verification, it's not so hard to first run verify, then read the
output that indicates *who* signed it, but I'd really prefer to avoid
trying to parse the output of gpg, as that seems to be a quick road to
insecurity and fragility.

So far as I can tell, the process for a detached signature is something like:

gpg --verify sigfile txtfile && echo signature passed

then look at the output (or stderr?) to find out who signed the file,
and compare with who was supposed to sign the file.  It is this last
step that sounds problematic.  Am I missing something?

I guess there is one other approach that I can see, which is to use a
process such as

gpg --export "User Name" > user-keyring
gpg --no-default-keyring --keyring user-keyring --verify sigfile txtfile

Is this what I should be doing?
-- 
David Roundy
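An added example (not part of the original message, and not GnuPG's own code) of the approach the post is asking about: let gpg emit its machine-readable status lines with `--status-fd` and accept the file only when a `VALIDSIG` line names the expected fingerprint. The status keywords (`VALIDSIG`, `GOODSIG`, `BADSIG`, `ERRSIG`, `NO_PUBKEY`, ...) are GnuPG's documented status-fd vocabulary; the fingerprints and the sample status output embedded below are constructed for illustration, and `verify_detached` assumes a `gpg` binary on the PATH.

```python
"""Verify a detached GnuPG signature from a program and check WHO signed it.

Rather than parsing gpg's human-readable stderr, ask gpg for its
machine-readable status lines (--status-fd) and accept the data only if a
VALIDSIG line carries the fingerprint we expect. The sample status lines at
the bottom are constructed for this example; the keyword format is GnuPG's.
"""
import subprocess
from typing import Dict, List, Set

# Status keywords that mean "do not accept", whatever else gpg reported.
_FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG",
                     "REVKEYSIG", "NO_PUBKEY"}


def _norm_fpr(fpr: str) -> str:
    """Normalise a fingerprint: drop spaces and colons, uppercase hex."""
    return fpr.replace(" ", "").replace(":", "").upper()


def parse_status(status_text: str) -> Dict[str, object]:
    """Reduce gpg --status-fd output to the facts a verifier needs.

    Returns {"valid": [set_of_fingerprints, ...], "failures": [keyword, ...]}.
    Each set in "valid" holds the signing (sub)key's fingerprint and, when gpg
    reports it as the 10th VALIDSIG argument, the primary key's fingerprint.
    """
    valid: List[Set[str]] = []
    failures: List[str] = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # not a status line (gpg may also print other text)
        fields = line.split()
        keyword = fields[1] if len(fields) > 1 else ""
        if keyword == "VALIDSIG" and len(fields) >= 3:
            fprs = {_norm_fpr(fields[2])}
            if len(fields) >= 12:
                fprs.add(_norm_fpr(fields[11]))
            valid.append(fprs)
        elif keyword in _FAILURE_KEYWORDS:
            failures.append(keyword)
    return {"valid": valid, "failures": failures}


def signed_by(status_text: str, expected_fpr: str) -> bool:
    """True only if gpg reported a valid signature by expected_fpr and no failure.

    A good signature made by some *other* key is rejected, which is exactly
    the distinction the exit status of `gpg --verify` cannot make for you.
    """
    parsed = parse_status(status_text)
    if parsed["failures"]:
        return False
    want = _norm_fpr(expected_fpr)
    return any(want in fprs for fprs in parsed["valid"])


def verify_detached(sigfile: str, datafile: str, expected_fpr: str,
                    gpg: str = "gpg") -> bool:
    """Run gpg on a detached signature and decide from the status lines only."""
    proc = subprocess.run(
        [gpg, "--batch", "--no-tty", "--status-fd", "1",
         "--verify", sigfile, datafile],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, check=False,
    )
    # gpg's exit code is deliberately not consulted: it says "some signature
    # was good", while the VALIDSIG line says *whose* signature was good.
    return signed_by(proc.stdout.decode("utf-8", "replace"), expected_fpr)


# --- Constructed sample status output (fingerprints are made up) ---------
EXPECTED_FPR = "1111 2222 3333 4444 5555  6666 7777 8888 9999 0000"
PRIMARY_FPR = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"
OTHER_FPR = "FFFF" * 10
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 7777888899990000 Example Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2009-11-24 "
    "1259081789 0 4 0 1 2 00 " + PRIMARY_FPR + "\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
WRONG_KEY_STATUS = (
    "[GNUPG:] GOODSIG 0000FFFFFFFFFFFF Someone Else <else@example.invalid>\n"
    "[GNUPG:] VALIDSIG " + OTHER_FPR + " 2009-11-24 1259081789 0 4 0 1 2 00\n"
)
BAD_STATUS = "[GNUPG:] BADSIG 7777888899990000 Example Signer <signer@example.invalid>\n"
MISSING_KEY_STATUS = (
    "[GNUPG:] ERRSIG 7777888899990000 1 2 00 1259081789 9\n"
    "[GNUPG:] NO_PUBKEY 7777888899990000\n"
)

if __name__ == "__main__":
    for name, status in [("good", GOOD_STATUS), ("wrong key", WRONG_KEY_STATUS),
                         ("bad", BAD_STATUS), ("missing key", MISSING_KEY_STATUS)]:
        print(f"{name:12s} accepted={signed_by(status, EXPECTED_FPR)}")
```

The dedicated-keyring approach from the post (`--no-default-keyring --keyring user-keyring`) can be combined with this, but the fingerprint check is what actually binds the decision to a particular signer: a keyring can accumulate keys, and gpg's exit status does not say which one signed.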
