Yes - that's what my OP meant - Verifying the key. But I'm hoping to avoid grepping the output. What I'd love to do is provide the key I want verified and for GnuPG to confirm e.g. something like the following would be fab:

gpg2 --verify-sign <key-id> <filename>

On 27 October 2017 at 15:08, Antony Prince <ant...@blazrsoft.com> wrote:

> You need to verify the key that signed it. A valid signature means
> nothing. A malicious actor could sign any message or days with a valid,
> verifiable key and send it to you. The heart of the matter is the key that
> signed it. Gnupg tells you which key signed the data, usually by long key
> ID IIRC. You have to make sure the key that signed the data is the key that
> you expect, basically. If you need something more in-depth, there are many
> more qualified individuals to assist on the list.
>
> On October 26, 2017 7:52:33 PM EDT, Dan Horne <dan.ho...@redbone.co.nz>
> wrote:
>>
>> Hi all
>>
>> maybe I'm missing something, but how do I verify not only that an
>> encrypted file is signed, but that it is signed by the party I expect to
>> have signed it? In other words, if two parties can supply a file with the
>> same name I want to make sure that when I think I'm dealing with a file
>> from party A, it is actually signed by party A. At the moment, when I
>> decrypt the file, it seems to simply be checking that the signature is
>> valid.
>>
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
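
Added example, not part of the thread and not GnuPG's own code: one way to check the signer without grepping human-readable output is to parse the machine-readable `--status-fd` lines and compare the `VALIDSIG` fingerprint with the one you expect. The helper names `signer_matches` and `decrypt_if_signed_by` and the `GPG` variable are assumptions made for this sketch, which also assumes 40-hex-digit (v4) fingerprints.

```shell
#!/bin/sh
# Added example (not from the thread): pin the expected signer by fingerprint
# using GnuPG's machine-readable --status-fd output.
GPG=${GPG:-gpg}   # assumption: set GPG=gpg2 where that is the binary name

# signer_matches EXPECTED_FPR  (hypothetical helper name)
# Reads "[GNUPG:] ..." status lines on stdin. Returns 0 only if a valid
# signature by EXPECTED_FPR is present and no other signature result appears;
# 1 on mismatch or bad signature; 2 if EXPECTED_FPR is not a full fingerprint.
signer_matches() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$expected" in
        ""|*[!0-9A-F]*) return 2 ;;
    esac
    # Require all 40 hex digits: short key IDs can collide.
    [ "${#expected}" -eq 40 ] || return 2

    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        # Bad, unverifiable, expired or revoked results fail the whole check.
        $2 ~ /^(BADSIG|ERRSIG|NO_PUBKEY|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 3: fingerprint of the signing (sub)key.
            # Last field: fingerprint of its primary key.
            if ($3 == want || $NF == want) ok = 1; else bad = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# decrypt_if_signed_by EXPECTED_FPR INFILE OUTFILE  (hypothetical helper name)
# Decrypts INFILE and keeps OUTFILE only if the embedded signature was made
# by EXPECTED_FPR. Plaintext goes to OUTFILE so stdout carries status only.
decrypt_if_signed_by() {
    if "$GPG" --batch --yes --status-fd 1 --output "$3" --decrypt "$2" \
            2>/dev/null | signer_matches "$1"; then
        return 0
    fi
    rm -f -- "$3"
    return 1
}
```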