On Wed, Nov 25, 2009 at 01:44:35PM +0200, Peter Pentchev wrote: > On Tue, Nov 24, 2009 at 12:16:29PM -0500, David Roundy wrote: > > Hi all, > > > > I've been searching and searching, and have failed to find any > > documentation or tutorial that indicates the proper way to verify a > > signature from a program. The problem is that I want not to verify > > that *anyone* signed a message, but rather to verify that *someone in > > particular* signed it. > [snip] > > So far as I can tell, the process for a detached signature is something > > like: > > > > gpg --verify sigfile txtfile && echo signature passed > > > > then look at the output (or stderr?) to find out who signed the file, > > and compare with who was supposed to sign the file. It is this last > > step that sounds problematic. Am I missing something? > > That's pretty much what you should do, with just one addition: > add --status-fd=1 to the GnuPG command line. [snip]
And then again, if you're writing in C, C++, or any language that can invoke routines in a shared library described in a C header file, there is also another way to do it - use the GPGME (GnuPG Made Easy) library. It provides functions that will verify a signature and return a list of signature structures, each of which will contain the fingerprint of the signing key. G'luck, Peter -- Peter Pentchev r...@ringlet.net r...@space.bg r...@freebsd.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13 "yields falsehood, when appended to its quotation." yields falsehood, when appended to its quotation.
pgppRiglJHJNF.pgp
Description: PGP signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
