Verify that the file is from who I expect it to be from

Dan Horne dan.horne at
Fri Oct 27 06:01:44 CEST 2017

Yes - that's what my OP meant - Verifying the key. But I'm hoping to avoid
greping the output. What I'd love to do is provide the key I want verified
and for GnuPG to confirm e.g. something like the following would be fab:

gpg2 --verify-sign <key-id> <filename>

On 27 October 2017 at 15:08, Antony Prince <antony at> wrote:

> You need to verify the key that signed it. A valid signature means
> nothing. A malicious actor could sign any message or days with a valid,
> verifiable key and send it to you. The heart of the matter is the key that
> signed it. Gnupg tells you which key signed the data, usually by long key
> ID IIRC. You have to make sure the key that signed the data is the key that
> you expect, basically. If you need something more in-depth, there are many
> more qualified individuals to assist on the list.
> On October 26, 2017 7:52:33 PM EDT, Dan Horne <dan.horne at>
> wrote:
>> Hi all
>> maybe I'm missing something, but how do I verify not only that an
>> encrypted file is signed, but that it is signed by the party I expect to
>> have signed it? In other words, if two parties can supply a file with the
>> same name I want to make sure that when I think I'm dealing with a file
>> from party A, it is actually signed by party A. At the the moment, when I
>> decrypt the file, it seems to simply be checking that the signature is
>> valid.
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Gnupg-users mailing list