Verify that the file is from who I expect it to be from
Werner Koch
wk at gnupg.org
Fri Oct 27 13:20:14 CEST 2017
On Fri, 27 Oct 2017 06:01, dan.horne at redbone.co.nz said:
> gpg2 --verify-sign <key-id> <filename>
Verification against a set of known keys is done using gpgv

    gpgv FILE

which uses ~/.gnupg/trustedkeys.gpg. To specify another file with keys
you use

    gpgv --keyring KEYRING FILE

Here is how we do this when building GnuPG using the Speedo scripts:

    if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst; then
      echo "list of software versions is not valid!" >&2
      exit 1
    fi

This is from gnupg/build-aux/getswdb.sh. To create the file with the
keys you can do this:

    gpg --export --export-options export-minimal FPR1 FPR2 FPR2 >trustedkeys.gpg

Do _not_ use --armor. --export-options is not really required but
strips down the size of the key.
@Rob: Shouldn't we mention gpgv in the FAQ?
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
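
Added example, not part of the original mail and not code from the GnuPG project: a shell wrapper around the gpgv call described above that goes one step further and also checks which key in the keyring made the signature, using gpgv's --status-fd output. The function name verify_pinned, its argument order and its return codes are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: verify FILE against a dedicated keyring and one expected signer.
# GPGV may be overridden, as in the Speedo snippet; defaults to gpgv on PATH.
GPGV="${GPGV:-gpgv}"

# verify_pinned KEYRING SIG FILE EXPECTED_FPR   (hypothetical helper)
# Returns 0 only if gpgv accepts the signature AND the primary key
# fingerprint reported in the VALIDSIG status line equals EXPECTED_FPR.
# e.g. verify_pinned trustedkeys.gpg swdb.lst.sig swdb.lst "$FPR1"
verify_pinned() {
    keyring=$1 sig=$2 file=$3
    # Normalise the expected fingerprint: drop spaces, upper-case the hex.
    want=$(printf '%s' "$4" | tr -d ' ' | tr 'a-f' 'A-F')

    # gpgv looks up a keyring name without a slash in the GnuPG home
    # directory, so force a path for a file in the current directory.
    case $keyring in */*) ;; *) keyring=./$keyring ;; esac

    # The keyring must be the binary export; reject an --armor export early.
    if head -c 10 "$keyring" 2>/dev/null | grep -q '^-----BEGIN'; then
        echo "keyring $keyring is ASCII-armored; export without --armor" >&2
        return 2
    fi

    # --status-fd 1 prints machine-readable "[GNUPG:] ..." lines on stdout.
    # A bad signature or a signer missing from the keyring gives exit != 0.
    status=$("$GPGV" --keyring "$keyring" --status-fd 1 "$sig" "$file" 2>/dev/null) ||
        { echo "signature on $file is not valid" >&2; return 1; }

    # The last field of VALIDSIG is the fingerprint of the primary key.
    got=$(printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')
    if [ -z "$got" ] || [ "$got" != "$want" ]; then
        echo "signed by ${got:-unknown}, expected $want" >&2
        return 1
    fi
}
```
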