How to detect extraneous content in clearsigned (--clearsign) files?

Werner Koch wk at
Tue Jan 13 09:14:41 CET 2015

On Mon, 12 Jan 2015 19:52, patrick-mailinglists at said:

> However, what works for me is this:
> gpg --output ./out --verify ./sha512sums.asc

We are both wrong.  --verify does only a verify and nothing else.
Running without --verify writes the actual signed data to the file.

> When it exits 0, then this approach is sound, sane and fine?

You better check the status lines; in particular watch out for

  [GNUPG:] VALIDSIG E4B868C8F90C.....

or use gpgv.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list