Verify that the file is from who I expect it to be from

Antony Prince antony at blazrsoft.com
Fri Oct 27 04:08:15 CEST 2017


You need to verify the key that signed it. A valid signature means nothing. A malicious actor could sign any message or data with a valid, verifiable key and send it to you. The heart of the matter is the key that signed it. Gnupg tells you which key signed the data, usually by long key ID IIRC. You have to make sure the key that signed the data is the key that you expect, basically. If you need something more in-depth, there are many more qualified individuals to assist on the list.

On October 26, 2017 7:52:33 PM EDT, Dan Horne <dan.horne at redbone.co.nz> wrote:
>Hi all
>
>Maybe I'm missing something, but how do I verify not only that an
>encrypted file is signed, but that it is signed by the party I expect
>to have signed it? In other words, if two parties can supply a file
>with the same name I want to make sure that when I think I'm dealing
>with a file from party A, it is actually signed by party A. At the
>moment, when I decrypt the file, it seems to simply be checking that
>the signature is valid.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
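The check Antony describes, as an added example that is not part of the original thread or of GnuPG itself: parse the machine-readable lines GnuPG prints with `--status-fd` (`GOODSIG`, `VALIDSIG`, `BADSIG`, documented in `doc/DETAILS` of the GnuPG source) and accept the file only when the signature is good and the signing key's fingerprint matches the one you obtained from party A out of band. The fingerprints, key IDs and status lines below are constructed samples, and `EXPECTED_FPR` is a placeholder you must replace with the real fingerprint.

```python
"""Accept a GnuPG-signed file only if the signer is the key we expect.

Added example, not from the original post. It reads the status lines GnuPG
emits with --status-fd and compares the signing key's fingerprint against a
fingerprint obtained and checked out of band.
"""
import subprocess

# Constructed placeholder: replace with party A's real fingerprint, obtained
# out of band (in person, phone, a trusted web page) and not from the file.
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed sample of what `gpg --status-fd 1 --decrypt` prints when the
# expected key signed the data (key ID = last 16 hex digits of the fingerprint).
STATUS_FROM_PARTY_A = """\
[GNUPG:] ENC_TO 1122334455667788 1 0
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Party A <a at example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2017-10-26 1509061953 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""

# Constructed sample: a perfectly valid signature, but made by a different key.
STATUS_FROM_PARTY_B = """\
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Party B <b at example.org>
[GNUPG:] VALIDSIG 76543210FEDCBA9876543210FEDCBA9876543210 2017-10-26 1509061953 0 4 0 1 8 00 76543210FEDCBA9876543210FEDCBA9876543210
[GNUPG:] TRUST_FULLY 0 pgp
"""


def parse_status(status_text):
    """Summarise the signature GnuPG reported in its status output.

    GOODSIG <long key id> <user id>   signature verified with a usable key
    VALIDSIG <fpr> ... [<primary fpr>] fingerprint of the key that signed
    BADSIG / ERRSIG / EXPKEYSIG / REVKEYSIG  not acceptable
    """
    info = {"good": False, "keyid": None, "fingerprint": None, "primary_fingerprint": None}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # plaintext or noise, not a status line
        fields = line.split()
        tag = fields[1]
        if tag == "GOODSIG":
            info["good"] = True
            info["keyid"] = fields[2]
        elif tag == "VALIDSIG":
            info["fingerprint"] = fields[2]
            # When a subkey signed, GnuPG appends the primary key fingerprint
            # as the last field; for a primary-key signature it repeats fields[2].
            info["primary_fingerprint"] = fields[-1]
        elif tag in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            info["good"] = False
    return info


def signed_by_expected_key(status_text, expected_fpr=EXPECTED_FPR):
    """True only if the signature is good AND was made by the expected key.

    A good signature from any other key returns False: validity alone says
    nothing about who signed.
    """
    info = parse_status(status_text)
    if not info["good"] or info["fingerprint"] is None:
        return False
    expected = expected_fpr.replace(" ", "").upper()
    candidates = {info["fingerprint"].upper(), (info["primary_fingerprint"] or "").upper()}
    return expected in candidates


def verify_file(path, expected_fpr=EXPECTED_FPR):
    """Decrypt `path` with the real gpg binary and apply the signer check.

    Status goes to stdout (--status-fd 1); the plaintext is discarded here
    (--output /dev/null, assumes a POSIX system) so stdout holds only status.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--output", "/dev/null", "--decrypt", path],
        capture_output=True, text=True)
    return signed_by_expected_key(proc.stdout, expected_fpr)


if __name__ == "__main__":
    print("party A sample accepted:", signed_by_expected_key(STATUS_FROM_PARTY_A))
    print("party B sample accepted:", signed_by_expected_key(STATUS_FROM_PARTY_B))
```

The point of comparing the full fingerprint rather than the short key ID is that short IDs are trivially collidable; the long key ID in `GOODSIG` is better, and the 40-hex-digit fingerprint from `VALIDSIG` is what you should pin. Checking `TRUST_*` lines is a separate question (how much you trust the key), which this example deliberately leaves out.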

