You need to verify the key that signed it. A valid signature means nothing. A 
malicious actor could sign any message or data with a valid, verifiable key and 
send it to you. The heart of the matter is the key that signed it. Gnupg tells 
you which key signed the data, usually by long key ID IIRC. You have to make 
sure the key that signed the data is the key that you expect, basically. If you 
need something more in-depth, there are many more qualified individuals to 
assist on the list.

On October 26, 2017 7:52:33 PM EDT, Dan Horne <dan.ho...@redbone.co.nz> wrote:
>Hi all
>
>maybe I'm missing something, but how do I verify not only that an encrypted
>file is signed, but that it is signed by the party I expect to have signed
>it? In other words, if two parties can supply a file with the same name I
>want to make sure that when I think I'm dealing with a file from party A,
>it is actually signed by party A. At the moment, when I decrypt the
>file, it seems to simply be checking that the signature is valid.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
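The check the reply describes, as an added example that is not from either poster: a small POSIX sh helper that reads gpg's machine-readable status lines (what `--status-fd` or `--status-file` produces) and succeeds only when the VALIDSIG line names the fingerprint you expect, so a merely valid signature from some other key is rejected. The helper name, the fingerprints and the sample status lines are constructed for this example.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread): decide from gpg's status output
# whether a GOOD signature was made by the key we expect.
# For a good signature gpg prints (see gpg's doc/DETAILS):
#   [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <expiry> <ver> <res> <pk> <hash> <class> <primary-fpr>
# GOODSIG only carries the long key ID, so VALIDSIG is the line to compare.
#
# Usage: check_signer EXPECTED_FINGERPRINT < status-output
# Returns 0 when a VALIDSIG line names the expected key, either as the
# signing (sub)key fingerprint or as the primary key fingerprint; 1 otherwise.
# BADSIG/ERRSIG lines never produce VALIDSIG, so they fail automatically.
check_signer() {
  expected=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
  status=1
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] VALIDSIG "*)
        set -- $line                  # split on whitespace; $3 = signing key fpr
        sig_fpr=$3
        primary_fpr=${line##* }       # last field = primary key fingerprint
        if [ "$sig_fpr" = "$expected" ] || [ "$primary_fpr" = "$expected" ]; then
          status=0
        fi
        ;;
    esac
  done
  return "$status"
}

# Constructed sample (not real gpg output): the key of "party A" we expect,
# its primary key, and the status lines gpg would print for a good signature.
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"
PRIMARY_FPR="FEDCBA9876543210FEDCBA9876543210FEDCBA98"
sample_status() {
  printf '%s\n' \
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Party A <a@example.invalid>" \
    "[GNUPG:] VALIDSIG $EXPECTED_FPR 2017-10-26 1509061953 0 4 0 22 8 00 $PRIMARY_FPR" \
    "[GNUPG:] TRUST_FULLY 0 pgp"
}

# Real use: gpg --status-file status.txt --output plain.txt --decrypt file.gpg
#           check_signer "$EXPECTED_FPR" < status.txt || echo "wrong signer" >&2
if sample_status | check_signer "$EXPECTED_FPR"; then
  echo "signature is from the expected key"
else
  echo "signature is NOT from the expected key" >&2
fi
```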
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users