Background information: I have a directory full of files and detached .asc signatures. I also have my default keyring which includes many public keys of people (some of whom I trust and others I don't).

If I verify all files in the directory, gpg outputs something similar to the following for each file:

Signature made XXX using RSA key ID XXXX
Good signature from SIGNER

My issue stems from needing to check these lines for each file to make sure that the signer is who I expect it to be. What I would like to do is limit which public key gpg can use to verify files.

Question: Is it possible to configure gpg to only use one public key to verify files?

One solution is to use a new temporary keyring (with only one key) every time I need to verify files. But this solution quickly becomes tedious if I need to do it more than a few times.

Use the information provided via "status-fd":

$ cat message.txt | gpg --verify --status-fd=1
[GNUPG:] NEWSIG
gpg: Signature made 2019-12-18T15:06:03 EET
gpg:                using RSA key 2357E10CEF...
[GNUPG:] KEY_CONSIDERED 2357Exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx2632 0
[GNUPG:] SIG_ID XZf34rp0ZuF0AqxbAkJhqrEV/Og 2019-12-18 1576674363
[GNUPG:] KEY_CONSIDERED 2357Exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx2632 0
[GNUPG:] GOODSIG xxxxxxxxxxxx2632 Fred Foobar <[email protected]>
gpg: Good signature from "Fred Foobar <[email protected]>" [ultimate]
[GNUPG:] VALIDSIG 2357Exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx2632 2019-12-18 1576674363 0 4 0 1 10 00 2357Exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx2632
[GNUPG:] KEY_CONSIDERED 2357Exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx2632 0
[GNUPG:] TRUST_ULTIMATE 0 pgp
[GNUPG:] VERIFICATION_COMPLIANCE_MODE 23

So if you wanted to ensure that it's signed by a specific key, you would use:

verify_with() {
    local fingerprint=$1
    local file=$2
    local status

    # Normalise the expected fingerprint: upper-case hex with spaces/colons removed
    # (the character class must keep the digits, or no real fingerprint can match)
    fingerprint=$(echo "$fingerprint" | tr a-z A-Z | tr -dc 0-9A-F)

    # Status lines go to fd 4 and are captured; the human-readable output is discarded
    status=$(gpg --status-fd=4 --trust-model=always --verify "$file" 4>&1 >/dev/null 2>&1)

    # The first VALIDSIG field is the fingerprint of the key that made the signature
    if grep -qs "^\\[GNUPG:\\] VALIDSIG $fingerprint " <<< "$status"; then
        return 0
    else
        return 1
    fi
}
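As an added example (not code from the answer above, and not GnuPG's own), the same VALIDSIG check applied to a whole directory of detached signatures, which is the situation the question describes. It decides only on the machine-readable status lines, refuses short key IDs, and treats a signature from an expired or revoked key as a failure. The directory layout (`foo` next to `foo.asc`), the fingerprint value and the signer name in the sample are assumptions; `verify_dir` needs gpg on PATH, while the parsing functions run offline on the constructed status block.

```shell
# Added example, not part of the original answer: verify every detached
# .asc signature in a directory ("foo" beside "foo.asc", as in the
# question) against ONE expected signing key, deciding only on gpg's
# machine-readable status lines. verify_dir needs gpg installed; the
# parsing functions are plain shell/awk and run offline.

# Normalise a fingerprint as typed by a human: upper-case hex only,
# spaces and colons dropped. Fails unless the result is a full fingerprint
# (40 hex digits for v4 keys, 64 for v5); a short key ID is refused on
# purpose, since key IDs are not collision resistant.
normalize_fpr() {
    local fpr
    fpr=$(printf '%s' "$1" | tr 'a-f' 'A-F' | tr -dc '0-9A-F')
    case ${#fpr} in
        40|64) printf '%s' "$fpr" ;;
        *) return 1 ;;
    esac
}

# Read gpg --status-fd lines on stdin. Succeeds only if a VALIDSIG line
# names the expected key and no line reports a bad, expired, revoked or
# unverifiable signature. VALIDSIG fields after "[GNUPG:] VALIDSIG":
#   1    fingerprint of the key that made the signature (may be a subkey)
#   2-9  date, timestamp, expiry, version, reserved, pk algo, hash algo, class
#   10   fingerprint of the primary key
# Either fingerprint may match, so giving the primary key's fingerprint
# also accepts signatures made by that key's signing subkeys.
status_accepts_key() {
    local want
    want=$(normalize_fpr "$1") || return 1
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && ($3 == want || $12 == want) { found = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
        END { exit (found && !bad) ? 0 : 1 }
    '
}

# Verify every *.asc in a directory against one fingerprint. fd 4 carries
# the status lines into $status; gpg's human-readable output is discarded
# because only the status lines are stable enough to parse.
verify_dir() {
    local fpr=$1 dir=$2 sig data status rc=0
    for sig in "$dir"/*.asc; do
        [ -e "$sig" ] || continue
        data=${sig%.asc}
        status=$(gpg --status-fd=4 --verify "$sig" "$data" 4>&1 >/dev/null 2>&1)
        if printf '%s\n' "$status" | status_accepts_key "$fpr"; then
            echo "OK    $data"
        else
            echo "FAIL  $data" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed status output for offline testing (the fingerprint and the
# signer are made up; this is not a real key).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 0123456789ABCDEF0123456789ABCDEF01234567 0
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2019-12-18 1576674363 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed variant reporting the same signature from an expired key:
# it must be rejected even though a VALIDSIG line is present.
SAMPLE_EXPIRED=$(printf '%s\n' "$SAMPLE_STATUS" | sed 's/GOODSIG/EXPKEYSIG/')

# Feed one of the constructed samples to the parser.
check_sample() {
    printf '%s\n' "$1" | status_accepts_key "$2"
}
```

Because the check is on the fingerprint rather than on ownertrust, the result does not depend on which keys in the default keyring are trusted; `--trust-model=always` is therefore not needed, and gpg's trust warnings on stderr are simply discarded.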
