how to properly verify a signature from a program?

Peter Pentchev roam at
Wed Nov 25 12:44:35 CET 2009

On Tue, Nov 24, 2009 at 12:16:29PM -0500, David Roundy wrote:
> Hi all,
> I've been searching and searching, and have failed to find any
> documentation or tutorial that indicates the proper way to verify a
> signature from a program.  The problem is that I want not to verify
> that *anyone* signed a message, but rather to verify that *someone in
> particular* signed it.
> So far as I can tell, the process for a detached signature is something like:
> gpg --verify sigfile txtfile && echo signature passed
> then look at the output (or stderr?) to find out who signed the file,
> and compare with who was supposed to sign the file.  It is this last
> step that sounds problematic.  Am I missing something?

That's pretty much what you should do, with just one addition:
add --status-fd=1 to the GnuPG command line.  When you do that, gpg
will output something like the following to file descriptor 1 (stdout):

[GNUPG:] SIG_ID eLbkcOT0G/i0ugaTvtB5kkRMJc0 2009-11-25 1259148663
[GNUPG:] GOODSIG 651EEFB02527DF13 Peter Pentchev <roam at>
[GNUPG:] VALIDSIG 2EE7A7A517FC124CF115C354651EEFB02527DF13 2009-11-25 1259148663 0 4 0 1 10 01 2EE7A7A517FC124CF115C354651EEFB02527DF13

Of course, the output *will* be different in your case, what with dates,
key ID's and such :)  Also, of course you can use a different value for
the file descriptor (like 2 for stderr, but then this output will be
mixed with the rest of GnuPG's freeform messages), just make sure your
program can read what GnuPG writes to that fd :)

Hope that helps.


Peter Pentchev	roam at    roam at    roam at
PGP key:
Key fingerprint	2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
I had to translate this sentence into English because I could not read the original Sanskrit.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 834 bytes
Desc: not available
URL: </pipermail/attachments/20091125/a883f53f/attachment.pgp>

More information about the Gnupg-users mailing list