Mailing List Archive

gpg --verify in batch mode / how to require a trust level?
Hi,

for a backup integrity protection, I want to add a signature check to
the restore script to reject the backup files that are not properly
signed. So far, so good.

#$ gpg --verify backup.tar.sig

#$ if [ $? -ne 0 ]; then echo "backup is not properly signed!"; exit 1; fi

#$ tar xzvf backup.tar

Now, I find that `gpg --verify` produces a return code rc=0 when there
is a public key in my keyring that I once added, even though I never
declared that I trust this key.

How can I require `gpg --verify` to only accept keys from my keyring
with a certain trust level and fail otherwise (rc!=0)?

Alternatively, how can I check that a signature was done with a specific
key?

Many thanks

Bernd


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg --verify in batch mode / how to require a trust level? [ In reply to ]
On Tuesday, 18 January 2022 15:59:11 CET Bernd Graf via Gnupg-users wrote:
> How can I require `gpg --verify` to only accept keys from my keyring
> with a certain trust level and fail otherwise (rc!=0)?
>
> Alternatively, how can I check that a signature was done with a specific
> key?

Use gpgv instead of gpg. It's much more lightweight and specifically meant for
signature verification. In particular, you can pass it a keyring that only
contains the keys you want:

$ gpgv --keyring FILE backup.tar.sig backup.tar

For details
$ man gpgv

Regards,
Ingo
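An added example, not code from this thread or from GnuPG itself, that covers both of Bernd's questions in a restore script: it accepts a signature only if it was made by one specific key (by fingerprint) and gpg reports that key as fully or ultimately trusted, and it shows the gpgv variant Ingo recommends. The check reads gpg's machine-readable `--status-fd` lines (VALIDSIG, TRUST_*) instead of relying on the exit code; the fingerprint and keyring path are constructed placeholders.

```shell
#!/bin/sh
# Accept a detached signature only if (a) it was made by the expected key and
# (b) gpg assigns that key full or ultimate trust. gpg's exit code alone does
# not express (b), so we parse the status lines it emits on --status-fd.

# Placeholder (constructed): fingerprint of the only key allowed to sign backups.
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"
# Placeholder: keyring containing only that key, for the gpgv variant.
BACKUP_KEYRING="/etc/backup/backup-signers.kbx"

# check_status EXPECTED_FPR  (status lines on stdin)
# Status line layout: "[GNUPG:] VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsvd>
# <pkalgo> <hashalgo> <class> [<primary-fpr>]", so the signing-key fingerprint
# is awk field 3 and the primary key's fingerprint is field 12 (set when the
# signature was made by a subkey). Returns 0 only on match plus sufficient trust.
check_status() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if ($3 == want || $12 == want) fpr_ok = 1
        }
        $1 == "[GNUPG:]" && ($2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE") {
            trust_ok = 1
        }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG") { bad = 1 }
        END { exit (fpr_ok && trust_ok && !bad) ? 0 : 1 }
    '
}

# verify_backup SIGFILE DATAFILE: status lines go to fd 1 for the pipe, the
# human-readable report stays on stderr. The pipeline's exit status is that of
# check_status, so a missing key or a gpg error also yields non-zero.
verify_backup() {
    gpg --batch --status-fd 1 --verify "$1" "$2" | check_status "$EXPECTED_FPR"
}

# gpgv variant: every key in the given keyring is treated as trusted, so the
# keyring must contain nothing but the backup signing key(s).
verify_backup_gpgv() {
    gpgv --keyring "$BACKUP_KEYRING" "$1" "$2"
}

# Usage in the restore script:
#   verify_backup backup.tar.sig backup.tar || { echo "backup is not properly signed!" >&2; exit 1; }
```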
Re: gpg --verify in batch mode / how to require a trust level? [ In reply to ]
On Tue, 18 Jan 2022 15:59, Bernd Graf said:

> How can I require `gpg --verify` to only accept keys from my keyring
> with a certain trust level and fail otherwise (rc!=0)?

Use gpgv instead of gpg.


Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.