On Jun 17, 2009, at 8:58 AM, Brian Mearns wrote:

I'm looking for an automated way to verify that a signature was made
by a specific key. It's not sufficient to just verify that the
signature is valid and known to my keyring, I want to confirm who it
belongs to. I was hoping the -u option would work, but it doesn't seem
to. The only work-arounds I've come up with are parsing the message
sent to stderr ("Signature made ... using ... key ..."), or creating a
separate key ring containing only desired key. But both of these
options kind of suck. Any other ideas?

There is no way to do this directly, but a better answer than parsing the stderr message would be:

gpg --status-fd 1 --verify (thefile)

Look for a line like:

[GNUPG:] VALIDSIG DDBA02CC9AE4EFC2A51F2DEA4B721440F246FA67 2009-06-17 1245244298 0 4 0 17 2 00 DDBA02CC9AE4EFC2A51F2DEA4B721440F246FA67

In order, the fields are:

- the fingerprint of the key that made the signature (might be a subkey)
- the date of signing (according to the system that made the signature)
- same as above in seconds-since-1970 form
- the expiration time of the signature in seconds-since-1970 form, or 0 if it never expires
- signature version
- reserved field (ignore it)
- the algorithm used in making the signature (1==RSA, 17==DSA)
- hash algorithm (2==SHA-1, etc.)
- signature class (00==binary signature, 01==text signature)
- primary key fingerprint of the key that made the signature

Most of those fields are not relevant to your use. Just compare the last field (the primary key fingerprint) to the fingerprint of the key that you want to confirm made the signature, and you should get what you want.

David
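As an added example (not David's code and not part of GnuPG), a small Python check that applies the reply's advice: parse the VALIDSIG status line and compare its last field, the primary-key fingerprint, against the fingerprint you expect. The status output in the block is constructed around the line quoted above, and the wrapper that runs gpg assumes `gpg` is on PATH.

```python
import subprocess
from dataclasses import dataclass
from typing import Optional

@dataclass
class ValidSig:
    sig_fpr: str           # fingerprint of the signing key (may be a subkey)
    sig_date: str          # signing date as the signer's system reported it
    sig_timestamp: int     # the same, in seconds since 1970
    expire_timestamp: int  # 0 if the signature never expires
    sig_version: int
    pubkey_algo: int       # 1 == RSA, 17 == DSA
    hash_algo: int         # 2 == SHA-1
    sig_class: str         # "00" binary signature, "01" text signature
    primary_fpr: str       # primary key fingerprint: the field to compare

def parse_validsig(status_output: str) -> Optional[ValidSig]:
    """Return the VALIDSIG fields, or None if gpg emitted no VALIDSIG line."""
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 12 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            f = parts[2:12]   # f[5] is the reserved field and is skipped
            return ValidSig(f[0], f[1], int(f[2]), int(f[3]), int(f[4]),
                            int(f[6]), int(f[7]), f[8], f[9])
    return None

def signed_by(status_output: str, expected_primary_fpr: str) -> bool:
    """True only if gpg reported VALIDSIG and the primary-key fingerprint
    equals the expected one (case-insensitive, spaces ignored)."""
    sig = parse_validsig(status_output)
    if sig is None:
        return False
    def norm(s: str) -> str:
        return s.replace(" ", "").upper()
    return norm(sig.primary_fpr) == norm(expected_primary_fpr)

def verify_file_signed_by(path: str, expected_primary_fpr: str) -> bool:
    """Run gpg as the reply suggests (status lines on fd 1, i.e. stdout)
    and apply the fingerprint check to what it printed."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True)
    return signed_by(proc.stdout, expected_primary_fpr)

# Constructed sample status output: the VALIDSIG line from the reply plus
# neighbouring status lines of the kind gpg prints around it.
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG 4B721440F246FA67 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG DDBA02CC9AE4EFC2A51F2DEA4B721440F246FA67 2009-06-17 1245244298 0 4 0 17 2 00 DDBA02CC9AE4EFC2A51F2DEA4B721440F246FA67
[GNUPG:] TRUST_ULTIMATE
"""
```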


_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
