verifying gpg signature under opendkim-lua script

Werner Koch wk at gnupg.org
Thu Jan 8 11:20:55 CET 2026


On Thu,  8 Jan 2026 02:01, Robert J. Hansen said:

> The first, KEY_CONSIDERED, gives you the full fingerprint. If you then

but you may see several of these status lines.

> see GOODSIG the message has passed its signature verification and then

That is okay, but if you need the fingerprint, parsing the also emitted

  [GNUPG:] VALIDSIG 6DAA6E64A76D2840571B4902528897B826403ADA 2025-12-30 1767102089 0 4 0 22 10 00 6DAA6E64A76D2840571B4902528897B826403ADA

is the better option:

    The args are:

    - <fingerprint_in_hex>
    - <sig_creation_date>
    - <sig-timestamp>
    - <expire-timestamp>
    - <sig-version>
    - <reserved>
    - <pubkey-algo>
    - <hash-algo>
    - <sig-class>
    - [ <primary-key-fpr> ]

    This status indicates that the signature is cryptographically
    valid. This is similar to GOODSIG, EXPSIG, EXPKEYSIG, or REVKEYSIG
    (depending on the date and the state of the signature and signing
    key) but has the fingerprint as the argument. Multiple status
    lines (VALIDSIG and the other appropriate *SIG status) are emitted
    for a valid signature.  All arguments here are on one long line.
    sig-timestamp is the signature creation time in seconds after the
    epoch. expire-timestamp is the signature expiration time in
    seconds after the epoch (zero means "does not
    expire"). sig-version, pubkey-algo, hash-algo, and sig-class (a
    2-byte hex value) are all straight from the signature packet.
    PRIMARY-KEY-FPR is the fingerprint of the primary key or identical
    to the first argument.  This is useful to get back to the primary
    key without running gpg again for this purpose.

    The primary-key-fpr parameter is used for OpenPGP and not
    available for CMS signatures.  The sig-version as well as the sig
    class is not defined for CMS and currently set to 0 and 00.

    Note, that *-TIMESTAMP may either be a number of seconds since
    Epoch or an ISO 8601 string which can be detected by the presence
    of the letter 'T'.




Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
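
An added example, not part of the original message or of GnuPG: one way a Lua script could evaluate the status lines discussed above, assuming the output of gpg's `--status-fd` has been captured into a string. The names `parse_time`, `parse_validsig`, `check_status` and the `trusted` table are hypothetical, and the sample status text is constructed except for the VALIDSIG line quoted in the message.

```lua
-- Added example (not from the thread). SAMPLE is constructed, except the
-- VALIDSIG line, which is the one quoted in the message.
local SAMPLE = [[
[GNUPG:] KEY_CONSIDERED 0000000000000000000000000000000000000001 0
[GNUPG:] KEY_CONSIDERED 6DAA6E64A76D2840571B4902528897B826403ADA 0
[GNUPG:] GOODSIG 528897B826403ADA constructed-user
[GNUPG:] VALIDSIG 6DAA6E64A76D2840571B4902528897B826403ADA 2025-12-30 1767102089 0 4 0 22 10 00 6DAA6E64A76D2840571B4902528897B826403ADA
]]

-- *-TIMESTAMP is seconds since Epoch, or ISO 8601 if it contains 'T'.
local function parse_time(s)
  if s:find("T", 1, true) then return { iso = s } end
  return { epoch = tonumber(s) }
end

local function parse_validsig(args)
  local a = {}
  for tok in args:gmatch("%S+") do a[#a + 1] = tok end
  if #a < 9 then return nil end               -- malformed line
  return {
    fingerprint = a[1]:upper(),
    sig_time    = parse_time(a[3]),
    expires     = a[4] ~= "0" and parse_time(a[4]) or nil, -- 0: never
    hash_algo   = a[8],
    primary_fpr = (a[10] or a[1]):upper(),    -- 10th arg is optional
  }
end

-- Hypothetical policy: exactly one VALIDSIG, accompanied by GOODSIG and by
-- none of EXPSIG/EXPKEYSIG/REVKEYSIG, from a primary key in `trusted`.
local function check_status(text, trusted)
  local count, sig = {}, nil
  for line in text:gmatch("[^\r\n]+") do
    local kw, args = line:match("^%[GNUPG:%] (%S+)%s*(.*)$")
    if kw then
      count[kw] = (count[kw] or 0) + 1        -- KEY_CONSIDERED may repeat
      if kw == "VALIDSIG" then sig = parse_validsig(args) end
    end
  end
  if count.VALIDSIG ~= 1 or count.GOODSIG ~= 1 or not sig then
    return false, "need exactly one GOODSIG/VALIDSIG pair"
  end
  if count.EXPSIG or count.EXPKEYSIG or count.REVKEYSIG then
    return false, "signature or key expired/revoked"
  end
  if not trusted[sig.primary_fpr] then return false, "untrusted key" end
  return true, sig
end

local ok, res = check_status(SAMPLE, { ["6DAA6E64A76D2840571B4902528897B826403ADA"] = true })
print(ok, ok and res.primary_fpr or res, ok and res.sig_time.epoch)
```

The check keys on the primary-key fingerprint from VALIDSIG rather than on KEY_CONSIDERED, since the latter can appear several times and does not by itself say which key made the signature.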