how to properly verify a signature from a program?

Peter Pentchev roam at
Wed Nov 25 12:49:47 CET 2009

On Wed, Nov 25, 2009 at 01:44:35PM +0200, Peter Pentchev wrote:
> On Tue, Nov 24, 2009 at 12:16:29PM -0500, David Roundy wrote:
> > Hi all,
> > 
> > I've been searching and searching, and have failed to find any
> > documentation or tutorial that indicates the proper way to verify a
> > signature from a program.  The problem is that I want not to verify
> > that *anyone* signed a message, but rather to verify that *someone in
> > particular* signed it.
> [snip]
> > So far as I can tell, the process for a detached signature is something like:
> > 
> > gpg --verify sigfile txtfile && echo signature passed
> > 
> > then look at the output (or stderr?) to find out who signed the file,
> > and compare with who was supposed to sign the file.  It is this last
> > step that sounds problematic.  Am I missing something?
> That's pretty much what you should do, with just one addition:
> add --status-fd=1 to the GnuPG command line.

And then again, if you're writing in C, C++, or any language that can
invoke routines in a shared library described in a C header file, there
is also another way to do it - use the GPGME (GnuPG Made Easy) library.
It provides functions that will verify a signature and return a list of
signature structures, each of which will contain the fingerprint of
the signing key.


Peter Pentchev	roam at    roam at    roam at
PGP key:
Key fingerprint	2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
"yields falsehood, when appended to its quotation." yields falsehood, when appended to its quotation.
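The `--status-fd=1` approach from the reply above, worked through as an added example (this is not code from the thread, from GnuPG, or from GPGME). It runs `gpg --verify` with the machine-readable status lines sent to stdout, and then decides purely on the `VALIDSIG` line, which carries the full fingerprint of the signing key (and, in newer GnuPG versions, the primary key's fingerprint as an eleventh field), rather than on `GOODSIG`, which only names a short key ID, or on the human-readable text. Any `BADSIG`, `ERRSIG`, expired or revoked indicator rejects the file outright; that strictness is a policy choice of this example. The sample status lines and the fingerprint in them are constructed for the test and belong to no real key.

```python
import subprocess
import sys

STATUS_PREFIX = "[GNUPG:] "

# Status keywords that mean "do not accept this file", whatever else gpg printed.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}


def signer_fingerprints(status_lines):
    """Parse --status-fd output.

    Returns (fingerprints, failed): the set of fingerprints named by VALIDSIG
    lines (signing key, plus the primary key when gpg reports it) and a flag
    that is True if any failure keyword was seen.  Lines that do not start
    with the [GNUPG:] prefix are ordinary diagnostics and are ignored.
    """
    fingerprints = set()
    failed = False
    for raw in status_lines:
        line = raw.strip()
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword = fields[0]
        if keyword == "VALIDSIG" and len(fields) >= 2:
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <reserved>
            #          <pk-algo> <hash-algo> <sig-class> [<primary-fpr>]
            fingerprints.add(fields[1].upper())
            if len(fields) >= 11:
                fingerprints.add(fields[10].upper())
        elif keyword in FAILURE_KEYWORDS:
            failed = True
    return fingerprints, failed


def is_signed_by(status_lines, expected_fingerprint):
    """True only if a VALIDSIG names the expected key and nothing failed."""
    expected = expected_fingerprint.replace(" ", "").upper()
    fingerprints, failed = signer_fingerprints(status_lines)
    return (not failed) and expected in fingerprints


def verify_detached(sigfile, txtfile, expected_fingerprint, gpg="gpg"):
    """Run gpg on a detached signature and check who made it.

    Both the exit status and the status-fd lines must agree; the key must
    already be in the keyring, since gpg cannot verify against an unknown key.
    """
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd=1", "--verify", sigfile, txtfile],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True,
    )
    return proc.returncode == 0 and is_signed_by(
        proc.stdout.splitlines(), expected_fingerprint)


# Constructed sample output (not captured from a real gpg run; fake key).
FAKE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer at example.invalid>",
    "gpg: Good signature from \"Example Signer <signer at example.invalid>\"",
    "[GNUPG:] VALIDSIG %s 2009-11-25 1259149787 0 4 0 1 2 00 %s" % (FAKE_FPR, FAKE_FPR),
    "[GNUPG:] TRUST_ULTIMATE",
]
SAMPLE_BAD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer at example.invalid>",
]

if __name__ == "__main__":
    # usage: verify.py sigfile txtfile expected-fingerprint
    if len(sys.argv) != 4:
        sys.exit("usage: %s sigfile txtfile expected-fingerprint" % sys.argv[0])
    ok = verify_detached(sys.argv[1], sys.argv[2], sys.argv[3])
    print("signature passed" if ok else "signature REJECTED")
    sys.exit(0 if ok else 1)
```

Comparing against the full fingerprint rather than the 64-bit key ID in `GOODSIG` matters because key IDs are short enough that a second key with the same ID can be generated; the fingerprint is what `VALIDSIG` exists to give you.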
