Verify that the file is from who I expect it to be from

Dan Horne dan.horne at redbone.co.nz
Fri Oct 27 06:01:44 CEST 2017


Yes - that's what my OP meant - Verifying the key. But I'm hoping to avoid
grepping the output. What I'd love to do is provide the key I want verified
and for GnuPG to confirm e.g. something like the following would be fab:

gpg2 --verify-sign <key-id> <filename>



On 27 October 2017 at 15:08, Antony Prince <antony at blazrsoft.com> wrote:

> You need to verify the key that signed it. A valid signature means
> nothing. A malicious actor could sign any message or data with a valid,
> verifiable key and send it to you. The heart of the matter is the key that
> signed it. Gnupg tells you which key signed the data, usually by long key
> ID IIRC. You have to make sure the key that signed the data is the key that
> you expect, basically. If you need something more in-depth, there are many
> more qualified individuals to assist on the list.
>
> On October 26, 2017 7:52:33 PM EDT, Dan Horne <dan.horne at redbone.co.nz>
> wrote:
>>
>> Hi all
>>
>> maybe I'm missing something, but how do I verify not only that an
>> encrypted file is signed, but that it is signed by the party I expect to
>> have signed it? In other words, if two parties can supply a file with the
>> same name I want to make sure that when I think I'm dealing with a file
>> from party A, it is actually signed by party A. At the moment, when I
>> decrypt the file, it seems to simply be checking that the signature is
>> valid.
>>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
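GnuPG has no `--verify-sign <key-id>` option, but it does offer a stable alternative to grepping the human-readable output: `--status-fd`, which prints machine-parsable `[GNUPG:] ...` lines, including `VALIDSIG` with the signing key's fingerprint. The following is an added example (not code from the thread or from GnuPG itself) that parses those lines and answers "was this validly signed by the key I expect?"; it assumes `gpg2` is on PATH, and the status sample and fingerprints are constructed values.

```python
import subprocess

# Constructed sample of GnuPG's machine-readable status output, i.e. what
# `gpg2 --status-fd 1 --verify <file>` writes. Key IDs, fingerprints and
# timestamps are made up for this example, not a real key.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Party A <party-a@example.org>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2017-10-27 1509062504 0 4 0 1 10 00 0000111122223333444455556666777788889999
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""


def normalize_fpr(fpr: str) -> str:
    """Drop the spaces `gpg --fingerprint` prints and upper-case the hex."""
    return fpr.replace(" ", "").upper()


def valid_signature_keys(status_text: str) -> set:
    """Return the primary-key fingerprint of every signature GnuPG reported
    as VALIDSIG. VALIDSIG lists the signing (sub)key fingerprint first and
    the primary-key fingerprint as the optional tenth field; the primary
    key is what identifies the party, so that is what we collect."""
    keys = set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]" or parts[1] != "VALIDSIG":
            continue
        fields = parts[2:]
        primary = fields[9] if len(fields) > 9 else fields[0]
        keys.add(normalize_fpr(primary))
    return keys


def signed_by(status_text: str, expected_fpr: str) -> bool:
    """True only if the expected key made a signature GnuPG found valid.
    A GOODSIG/VALIDSIG from some other key, or a BADSIG, is not enough."""
    return normalize_fpr(expected_fpr) in valid_signature_keys(status_text)


def verify_signed_by(path: str, expected_fpr: str, gpg: str = "gpg2") -> bool:
    """Run GnuPG on `path` and check both that a signature verified (exit
    status 0) and that it came from the expected key. For an encrypted and
    signed file, `--decrypt --output <out>` emits the same VALIDSIG line
    and can replace `--verify` here."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", path],
        capture_output=True, text=True,
    )
    return proc.returncode == 0 and signed_by(proc.stdout, expected_fpr)
```

Pin the expected fingerprint (not a short or long key ID, which can collide) in your script's configuration and treat a mismatch as a hard failure, exactly as you would a bad signature.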