Verify that the file is from who I expect it to be from

Dan Horne dan.horne at redbone.co.nz
Mon Oct 30 03:00:35 CET 2017


Thanks. I exported my keys to ~/.gnupg/trustedkeys.gpg. I tried gpgv2 but
got the following

bash-3.2$ gpgv2 declaration.pgp
gpgv: verify signatures failed: Unexpected error

Adding --verbose did not affect this. (Note: this is an OpenCSW install.)

However, if I simply decrypt the file I get confirmation of the signature

bash-3.2$ gpg2  --output declaration.txt  --decrypt declaration.pgp

gpg: encrypted with 2048-bit RSA key, ID C0F7C32A, created 2017-10-26
      "<my dummy key>"
gpg: Signature made Mon Oct 30 13:04:26 2017 NZDT using RSA key ID 0A5F3B0F
gpg: Good signature from "<third party dummy key>" [ultimate]



On 28 October 2017 at 00:20, Werner Koch <wk at gnupg.org> wrote:

> On Fri, 27 Oct 2017 06:01, dan.horne at redbone.co.nz said:
>
> > gpg2 --verify-sign <key-id> <filename>
>
> Verification against a set of known keys is done using gpgv
>
>   gpgv FILE
>
> which uses ~/.gnupg/trustedkeys.gpg.  To specify another file with keys
> you use
>
>   gpgv --keyring KEYRING FILE
>
> Here is how we do this when building GnuPG using the Speedo scripts:
>
>   if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst; then
>     echo "list of software versions is not valid!" >&2
>     exit 1
>   fi
>
> This is from gnupg/build-aux/getswdb.sh.  To create the file with the
> keys you can do this:
>
>   gpg --export --export-options export-minimal FPR1 FPR2 FPR2 >trustedkeys.gpg
>
> Do _not_ use --armor.  --export-options is not really required but
> strips down the size of the key.
>
>
> @Rob: Shouldn't we mention gpgv in the FAQ?
>
>
> Shalom-Salam,
>
>    Werner
>
> --
> Thoughts are free.  Exceptions are regulated by a federal law.
>
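
To turn either check from this message into a scripted yes/no answer for "signed by the key I expect", the sketch below (an added example, not code from the thread or from GnuPG) reads the machine-readable `--status-fd` output of `gpgv` for a detached signature, as in the quoted reply, or of `gpg --decrypt` for a signed-and-encrypted file such as declaration.pgp. The function names and the strict policy (any bad, expired or unlisted signature fails, and so does a file with no signature at all) are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread). Fingerprints are passed as 40 uppercase
# hex digits without spaces, the form GnuPG prints on its status-fd.

# check_signer FPR...: read status lines on stdin; succeed only if every
# signature is valid and made by a key whose primary fingerprint is listed.
check_signer() {
    allowed=" $* "
    ok=1
    while read -r tag kw f1 d1 d2 d3 d4 d5 d6 d7 d8 primary; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
            VALIDSIG)
                # Last field is the primary key fingerprint; fall back to the
                # signing key's fingerprint if that field is absent.
                fpr=${primary:-$f1}
                case "$allowed" in
                    *" $fpr "*) ok=0 ;;
                    *) return 1 ;;
                esac ;;
        esac
    done
    return "$ok"
}

# verify_detached KEYRING SIG FILE FPR...: gpgv against KEYRING, then pin signer.
verify_detached() {
    keyring=$1 sig=$2 file=$3
    shift 3
    status=$(gpgv --keyring "$keyring" --status-fd 1 "$sig" "$file" 2>/dev/null) || return 1
    printf '%s\n' "$status" | check_signer "$@"
}

# verify_encrypted SRC DST FPR...: decrypt a signed-and-encrypted file and keep
# the plaintext only if the signer is one of the expected keys.
verify_encrypted() {
    src=$1 dst=$2
    shift 2
    status=$(gpg --batch --status-fd 1 --output "$dst" --decrypt "$src" 2>/dev/null) || return 1
    printf '%s\n' "$status" | check_signer "$@" || { rm -f "$dst"; return 1; }
}
```

A keyring name given to `gpgv --keyring` without a slash is looked up in the GnuPG home directory, so pass a path such as `./trustedkeys.gpg` for a file in the current directory.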