how to properly verify a signature from a program?

Peter Pentchev roam at ringlet.net
Wed Nov 25 12:49:47 CET 2009


On Wed, Nov 25, 2009 at 01:44:35PM +0200, Peter Pentchev wrote:
> On Tue, Nov 24, 2009 at 12:16:29PM -0500, David Roundy wrote:
> > Hi all,
> > 
> > I've been searching and searching, and have failed to find any
> > documentation or tutorial that indicates the proper way to verify a
> > signature from a program.  The problem is that I want not to verify
> > that *anyone* signed a message, but rather to verify that *someone in
> > particular* signed it.
> [snip]
> > So far as I can tell, the process for a detached signature is something like:
> > 
> > gpg --verify sigfile txtfile && echo signature passed
> > 
> > then look at the output (or stderr?) to find out who signed the file,
> > and compare with who was supposed to sign the file.  It is this last
> > step that sounds problematic.  Am I missing something?
> 
> That's pretty much what you should do, with just one addition:
> add --status-fd=1 to the GnuPG command line.
[snip]

And then again, if you're writing in C, C++, or any language that can
invoke routines in a shared library described in a C header file, there
is also another way to do it - use the GPGME (GnuPG Made Easy) library.
It provides functions that will verify a signature and return a list of
signature structures, each of which will contain the fingerprint of
the signing key.

G'luck,
Peter

-- 
Peter Pentchev	roam at ringlet.net    roam at space.bg    roam at FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
"yields falsehood, when appended to its quotation." yields falsehood, when appended to its quotation.
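The pattern the thread settles on (run `gpg --verify` with `--status-fd`, then check the machine-readable status lines rather than the human-readable text) worked through as an added example; this is not code from the original post or from GnuPG. It parses the `[GNUPG:]` status output, requires a `VALIDSIG` line (the only line carrying a full fingerprint, since the short key ID in `GOODSIG` is not a reliable identity) and compares that fingerprint against an allow list. The fingerprint, file names and the sample status output are constructed placeholders.

```python
"""Verify a detached OpenPGP signature and require a specific signer.

Added example, not from the mailing-list post. It follows the thread's
advice: run ``gpg --verify`` with ``--status-fd 1`` and decide from the
status lines, never from stderr text. The fingerprint below and the sample
status output are constructed placeholders, not real keys or sessions.
"""
import re
import subprocess
from typing import Iterable, List, NamedTuple, Tuple

STATUS_PREFIX = "[GNUPG:] "

# Status keywords meaning "a signature was checked and failed" or "the
# signing key is unusable". Any of them fails the whole verification.
FATAL_KEYWORDS = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG", "NO_PUBKEY"}


class Verdict(NamedTuple):
    ok: bool
    fingerprint: str  # fingerprint of the matched signing key, or ""
    reason: str


def normalize_fpr(fpr: str) -> str:
    """Strip whitespace and upper-case so 'AB CD' and 'abcd' compare equal."""
    return re.sub(r"\s+", "", fpr).upper()


def evaluate_status(lines: Iterable[str], allowed_fprs: Iterable[str]) -> Verdict:
    """Decide whether gpg's status output proves a signature by an allowed key.

    VALIDSIG fields: fingerprint, creation date, timestamp, expiry, version,
    reserved, pubkey algo, hash algo, sig class, and (if present) the primary
    key fingerprint. Matching on the primary fingerprint lets a signature made
    with a subkey pass when the primary key is on the allow list.
    """
    allowed = {normalize_fpr(f) for f in allowed_fprs}
    valid: List[Tuple[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line.startswith(STATUS_PREFIX):
            continue  # not a status line (defensive; stdout should hold only status)
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword = fields[0]
        if keyword in FATAL_KEYWORDS:
            return Verdict(False, "", f"gpg reported {keyword}")
        if keyword == "VALIDSIG" and len(fields) >= 2:
            signing = normalize_fpr(fields[1])
            primary = normalize_fpr(fields[10]) if len(fields) >= 11 else signing
            valid.append((signing, primary))
    for signing, primary in valid:
        if signing in allowed or primary in allowed:
            return Verdict(True, signing, "VALIDSIG by an allowed key")
    if valid:
        return Verdict(False, "", "valid signature, but not by an allowed key")
    return Verdict(False, "", "no VALIDSIG line in gpg status output")


def verify_detached(sig_path: str, data_path: str, allowed_fprs: Iterable[str]) -> Verdict:
    """Run gpg on a detached signature and apply the policy above (needs gpg on PATH)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    # Status lines go to fd 1; gpg's human-readable messages go to stderr.
    return evaluate_status(proc.stdout.splitlines(), allowed_fprs)


# Constructed sample status output (placeholder fingerprint, not a real key).
TRUSTED_FPR = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
SAMPLE_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer at example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2009-11-25 1259149787 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY
"""
SAMPLE_BAD = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer at example.invalid>
"""

if __name__ == "__main__":
    print(evaluate_status(SAMPLE_GOOD.splitlines(), [TRUSTED_FPR]))
    print(evaluate_status(SAMPLE_BAD.splitlines(), [TRUSTED_FPR]))
```

The parser fails closed: a signature by an unlisted key, a `BADSIG`, or status output with no `VALIDSIG` at all are all rejected, and the verdict carries the reason so a caller can log why.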