How to determine who signed what
Paul R. Ramer
free10pro at gmail.com
Tue Jun 3 14:33:03 CEST 2014
On June 1, 2014 10:45:45 AM PDT, frank ernest <doark at mail.com> wrote:
>Hi again, I have been browsing and downloading gpg signed files and I've
>actually been downloading the sigs! However, I'm having trouble
>figuring out who signed what. Is there some way to determine this using
>the sig? Perhaps it has the key's fingerprint in it or something. For
>obvious things like the Linux kernel source Linus himself signs it, but
>on an old FTP server, serving old now dead projects, who signed what is
>not quite so clear.
Use gpg --verify followed by the sig file. Even if you do not have the public key for the person who signed it, you can fetch it with gpg --recv-keys by using the key ID that gpg --verify gave you (e.g. gpg --recv-keys DEADBEEF) or look up the key on a keyserver.
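
Added example, not part of the original post: a detached signature does carry an identifier for the signing key, and this Python sketch reads it straight out of a binary (non-armored) version 4 signature packet without needing the public key. The function names and the sample packet are constructed for illustration (the sample key ID is made up around the DEADBEEF placeholder above); the value found is only a hint for locating the key, and gpg --verify is still what checks the signature.

```python
def subpackets(area):
    """Yield (type, data) for each subpacket in a v4 signature subpacket area."""
    i = 0
    while i < len(area):
        n, i = area[i], i + 1
        if 192 <= n < 255:                       # two-octet length
            n, i = ((n - 192) << 8) + area[i] + 192, i + 1
        elif n == 255:                           # five-octet length
            n, i = int.from_bytes(area[i:i + 4], "big"), i + 4
        yield area[i] & 0x7F, area[i + 1:i + n]  # mask off the "critical" bit
        i += n

def signer_hints(sig):
    """Return the issuer key ID / fingerprint named in a binary v4 signature."""
    tag = sig[0]
    if not tag & 0x80:
        raise ValueError("not a binary OpenPGP packet (ASCII-armored input?)")
    if tag & 0x40:                               # new-format packet header
        ptype, first = tag & 0x3F, sig[1]
        if 224 <= first < 255:
            raise ValueError("partial body lengths not supported")
        hdr = 2 if first < 192 else 3 if first < 224 else 6
    else:                                        # old-format packet header
        ptype, lentype = (tag >> 2) & 0x0F, tag & 3
        if lentype == 3:
            raise ValueError("indeterminate length not supported")
        hdr = 1 + (1, 2, 4)[lentype]
    body = sig[hdr:]
    if ptype != 2 or body[0] != 4:
        raise ValueError("expected a version 4 signature packet")
    off = 6 + int.from_bytes(body[4:6], "big")   # end of the hashed area
    unhashed_len = int.from_bytes(body[off:off + 2], "big")
    hints = {}
    for area in (body[6:off], body[off + 2:off + 2 + unhashed_len]):
        for stype, data in subpackets(area):
            if stype == 16:                      # Issuer: 8-byte key ID
                hints["key_id"] = data.hex().upper()
            elif stype == 33:                    # Issuer Fingerprint: version + fpr
                hints["fingerprint"] = data[1:].hex().upper()
    return hints

# Constructed sample: minimal v4 signature packet with dummy hash and MPI bytes.
SAMPLE = bytes.fromhex(
    "881d" "04000108"              # old-format header (29 bytes); v4, binary, RSA, SHA-256
    "0006" "0502538dcaaf"          # hashed area: creation-time subpacket (dummy value)
    "000a" "0910a1b2c3d4deadbeef"  # unhashed area: issuer key ID subpacket
    "abcd" "0008ff")               # hash prefix and a dummy MPI
if __name__ == "__main__":
    print(signer_hints(SAMPLE))    # the key_id is what gpg --recv-keys takes
```

For a real file, pass the bytes of the binary .sig; the last eight hex digits of key_id are the short form used in the reply above.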