Verify that the file is from who I expect it to be from

Werner Koch wk at
Fri Oct 27 13:20:14 CEST 2017

On Fri, 27 Oct 2017 06:01, dan.horne at said:

> gpg2 --verify-sign <key-id> <filename>

Verification against a set of known keys is done using gpgv

  gpgv FILE

which uses ~/.gnupg/trustedkeys.gpg.  To specify another file with keys
you use

  gpgv --keyring KEYRING FILE

Here is how we do this when building GnuPG using the Speedo scripts:

  if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst; then
    echo "list of software versions is not valid!" >&2
    exit 1
  fi

This is from gnupg/build-aux/  To create the file with the
keys you can do this:

  gpg --export --export-options export-minimal FPR1 FPR2 FPR2 >trustedkeys.gpg

Do _not_ use --armor.  --export-options is not really required but
strips down the size of the key.

@Rob: Shouldn't we mention gpgv in the FAQ?



Thoughts are free.  Exceptions are regulated by a federal law.
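The gpgv check described in the message above, wrapped so that it fails closed and reports which key signed the file. This is an added example, not part of the original mail or of the Speedo scripts; the helper name `verify_pinned` and its return codes are assumptions, and it relies on gpgv's `--status-fd` option and the `VALIDSIG` status line.

```shell
#!/bin/sh
# Added example: fail-closed gpgv check against a pinned, binary keyring.
GPGV=${GPGV:-gpgv}    # overridable, like $GPGV in the snippet from the mail

# verify_pinned KEYRING SIGFILE DATAFILE [EXPECTED_PRIMARY_FPR]
# (hypothetical helper) Prints the primary key fingerprint and returns 0
# only when gpgv accepts the signature; 1 = rejected, 2 = unusable input.
verify_pinned() {
    keyring=$1 sig=$2 data=$3 want=${4:-}
    for f in "$keyring" "$sig" "$data"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 2; }
    done
    # gpgv wants a binary keyring; refuse one exported with --armor.
    if LC_ALL=C grep -q '^-----BEGIN PGP' "$keyring"; then
        echo "keyring is ASCII-armored, re-export without --armor" >&2
        return 2
    fi
    # A keyring name without a slash is looked up in the GnuPG home
    # directory, so anchor relative names to the current directory.
    case $keyring in */*) ;; *) keyring=./$keyring ;; esac

    # Status lines go to stdout (fd 1); a non-zero exit means rejection.
    status=$("$GPGV" --status-fd 1 --keyring "$keyring" "$sig" "$data" \
        2>/dev/null) || { echo "signature not valid" >&2; return 1; }

    # VALIDSIG carries the signing key fingerprint first and the primary
    # key fingerprint as its last field.
    fpr=$(printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$fpr" ] || { echo "no VALIDSIG status line" >&2; return 1; }
    if [ -n "$want" ] && [ "$fpr" != "$want" ]; then
        echo "signed by $fpr, expected $want" >&2
        return 1
    fi
    printf '%s\n' "$fpr"
}

# Stand-alone use: sh verify.sh trustedkeys.gpg swdb.lst.sig swdb.lst [FPR]
[ "$#" -eq 0 ] || verify_pinned "$@"
```

Passing the expected primary fingerprint as the fourth argument narrows the check from "any key in the keyring" to one specific key.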