Hi all, I've been searching and searching, and have failed to find any documentation or tutorial that indicates the proper way to verify a signature from a program. The problem is that I want not to verify that *anyone* signed a message, but rather to verify that *someone in particular* signed it. And that doesn't seem to be in the gpg interface, so far as I can find. If a human is doing the verification, it's not so hard to first run verify, then read the output that indicates *who* signed it, but I'd really prefer to avoid trying to parse the output of gpg, as that seems to be a quick road to insecurity and fragility.
So far as I can tell, the process for a detached signature is something like:

    gpg --verify sigfile txtfile && echo signature passed

then look at the output (or stderr?) to find out who signed the file, and compare with who was supposed to sign the file. It is this last step that sounds problematic. Am I missing something?

I guess there is one other approach that I can see, which is to use a process such as

    gpg --export "User Name" > user-keyring
    gpg --no-default-keyring --keyring user-keyring --verify sigfile txtfile

Is this what I should be doing?
--
David Roundy
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
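One way to do the check asked about above without parsing gpg's human-readable messages, as an added example that is not part of the original thread: GnuPG's --status-fd option emits machine-readable "[GNUPG:] ..." lines (documented in GnuPG's doc/DETAILS), and the VALIDSIG line carries the signing key's fingerprint with the primary key's fingerprint as its last field. The POSIX sh script below compares that last field against an expected fingerprint. It assumes gpg is on PATH; the fingerprints, user ID and status lines in the SAMPLE_* strings are constructed placeholders used only to exercise the parsing offline, not real keys.

```shell
#!/bin/sh
# Added example, not from the original post: verify a detached signature and
# require that it was made by one specific key, using gpg's --status-fd output
# instead of its human-readable messages.
# Assumptions: gpg (GnuPG) is on PATH; VALIDSIG's last field is the primary
# key fingerprint (as documented in doc/DETAILS); fingerprints below are
# constructed placeholders.

# Read status lines on stdin and print the primary key fingerprint from the
# VALIDSIG line. Returns 0 if a VALIDSIG line was present, 1 otherwise.
validsig_fingerprint() {
    # VALIDSIG fields: fpr sig-date sig-timestamp expire-ts version reserved
    #                  pubkey-algo hash-algo sig-class primary-key-fpr
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; found = 1 }
         END { exit found ? 0 : 1 }'
}

# Read status lines on stdin; succeed only when the signature is valid AND was
# made by (a subkey of) the expected primary key given as $1.
# Spaces and lower-case hex in the expected fingerprint are normalised first.
signed_by() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    actual=$(validsig_fingerprint) || return 1
    [ "$actual" = "$expected" ]
}

# Run gpg with status lines on stdout and feed them to the check.
# Usage: verify_signed_by <primary-key-fingerprint> <sigfile> <datafile>
verify_signed_by() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | signed_by "$1"
}

# Constructed sample status output (placeholder keys) for an offline self-test:
# a good signature made by subkey 0123... whose primary key is ABCD...
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2020-01-01 1577836800 0 4 0 1 10 00 ABCDEF0123456789ABCDEF0123456789ABCDEF01
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# Constructed sample for a signature that does not verify (no VALIDSIG line)
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example User <user@example.org>'

# When run as a script with three arguments, perform a real verification.
if [ "$#" -eq 3 ]; then
    verify_signed_by "$1" "$2" "$3" && echo "signature passed"
fi
```

verify_signed_by is the call a program would actually make; the SAMPLE_* strings only let the parsing functions be exercised without any keys. Comparing the primary-key fingerprint from VALIDSIG rather than the user ID on the GOODSIG line avoids matching on a free-form name, and treating the absence of a VALIDSIG line as failure means a BADSIG, an unknown key, or a gpg error all fail closed.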