Mailing List Archive

Is there a built-in way to validate a signature against a specific key?
I have multiple public keys in my GPG keyring. When validating
signatures, I sometimes want to validate them against a specific key so
if the file is signed by someone other than the individual or
organization I expect, it will fail. Currently, I do this by creating a
keyring that consists of only one key and using that, and some cursory
searching didn't uncover any alternatives. If there still isn't a GPG
option for validating a signature against a specific key, is there a
particular reason it doesn't exist?

Eric

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Is there a built-in way to validate a signature against a specific key?
On Tue, 23 Apr 2024 21:39, Eric Pruitt said:
> I have multiple public keys in my GPG keyring. When validating
> signatures, I sometimes want to validate them against a specific key so

The classic tool for this is gpgv with its --keyring option. This is
what for example Debian uses to validate signatures.

A newer way is the --assert-signer option we introduced with version
2.4.1:

--assert-signer fpr_or_file

This option checks whether at least one valid signature on
a file has been made with the specified key. The key is
either specified as a fingerprint or a file listing
fingerprints. The fingerprint must be given or listed in
compact format (no colons or spaces in between). This
option can be given multiple times and each fingerprint is
checked against the signing key as well as the
corresponding primary key. If fpr_or_file specifies a
file, empty lines are ignored as well as all lines
starting with a hash sign. With this option gpg is
guaranteed to return with an exit code of 0 if and only if
a signature has been encountered, is valid, and the key
matches one of the fingerprints given by this option.


Shalom-Salam,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
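The following script is an added example from the editor, not code posted by Werner or Eric or shipped with GnuPG. It puts the two approaches named in the reply side by side (gpg --assert-signer from 2.4.1 onward, and gpgv with a dedicated keyring) and adds a third that the thread does not mention: on older gpg, the same policy can be enforced by reading --status-fd output and accepting only a VALIDSIG line whose signing-key or primary-key fingerprint is on an allowlist, which is the check --assert-signer performs for you. All file paths and fingerprints are placeholders, and the status lines in sample_status are constructed by hand rather than captured from a real run; gpg and gpgv are assumed to be on PATH only for the verify_* functions.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): three ways to refuse a
# signature unless it was made by one of a fixed set of keys.
#
# Assumptions: gpg and gpgv are on PATH for the verify_* functions; every
# file path and fingerprint here is a placeholder, and the status output in
# sample_status is constructed by hand, not captured from a real key.

# --- 1. GnuPG >= 2.4.1: --assert-signer, as described in the thread --------
# Exit status 0 iff some signature on the file is valid AND was made by a
# key listed in ALLOWLIST_FILE (the signing subkey or its primary key).
verify_with_assert_signer() {   # usage: verify_with_assert_signer ALLOWLIST_FILE SIGFILE [DATAFILE]
    allow=$1; shift
    gpg --batch --quiet --assert-signer "$allow" --verify "$@"
}

# Allowlist file in the format --assert-signer accepts: one compact
# fingerprint per line; blank lines and lines starting with '#' are ignored.
write_allowlist() {   # usage: write_allowlist OUTFILE FPR...
    out=$1; shift
    {
        echo "# fingerprints permitted to sign (compact: no spaces or colons)"
        for f in "$@"; do echo "$f"; done
    } > "$out"
}

# --- 2. Classic: gpgv with a dedicated keyring -----------------------------
# gpgv consults only the keyring(s) given with --keyring, so a keyring that
# holds exactly the trusted key pins the signer without a fingerprint list.
verify_with_gpgv() {   # usage: verify_with_gpgv KEYRING SIGFILE [DATAFILE]
    ring=$1; shift
    gpgv --keyring "$ring" "$@"
}

# --- 3. Older gpg: --status-fd plus a VALIDSIG check -----------------------
# Read machine-readable status lines on stdin and succeed iff a VALIDSIG line
# names an allowlisted fingerprint, either as the signing key (field 3) or
# as the primary key (last field).
validsig_matches() {   # usage: ... | validsig_matches FPR...
    awk -v allow="$*" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[toupper(a[i])] = 1
        }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) in ok || toupper($NF) in ok) found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# gpg's own exit status is deliberately ignored: only the presence of a
# VALIDSIG line for an allowlisted key decides the result.
verify_with_status() {   # usage: verify_with_status SIGNEDFILE FPR...
    sig=$1; shift
    gpg --batch --quiet --status-fd 1 --verify "$sig" 2>/dev/null | validsig_matches "$@"
}

# Constructed status-fd output for a signature made by a signing subkey
# (0123...4567) whose primary key is FEDC...BA98. Placeholder fingerprints.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-04-23 1713900000 0 4 0 22 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
EOF
}

# Demo on the constructed status: subkey and primary fingerprints are both
# accepted, an unrelated fingerprint is rejected.
demo() {
    sample_status | validsig_matches 0123456789ABCDEF0123456789ABCDEF01234567 && echo "subkey fpr: accepted"
    sample_status | validsig_matches FEDCBA9876543210FEDCBA9876543210FEDCBA98 && echo "primary fpr: accepted"
    sample_status | validsig_matches 1111111111111111111111111111111111111111 || echo "unrelated fpr: rejected"
}

demo
```

Two caveats for the third approach: VALIDSIG is emitted for any cryptographically good signature, including one from an expired or revoked key (those cases are reported by separate EXPKEYSIG and REVKEYSIG lines instead of GOODSIG), so a stricter policy would also require a GOODSIG line for the same key; and the pipeline's exit status is that of validsig_matches on purpose, so a missing or bad signature simply produces no VALIDSIG line and fails the check.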
Re: Is there a built-in way to validate a signature against a specific key?
On Wed, Apr 24, 2024 at 11:14:06AM +0200, Werner Koch via Gnupg-users wrote:
> On Tue, 23 Apr 2024 21:39, Eric Pruitt said:
> > I have multiple public keys in my GPG keyring. When validating
> > signatures, I sometimes want to validate them against a specific key so
>
> The classic tool for this is gpgv with its --keyring option. This is
> what for example Debian uses to validate signatures.

I think this is what I'm already doing and what I meant when I wrote "I
do this by creating a keyring that consists of only one key and using
that [...]" or have I misunderstood what you suggested?

> A newer way is the --assert-signer option we introduced with version
> 2.4.1:

Thanks, this does what I want.

Eric
