I've got a script to fetch Gcrypt's five source packages from GnuPG Download. I also fetch the signature for each package. For example:
FILE=libassuan-2.2.0
wget -q "ftp://ftp.gnupg.org/gcrypt/libassuan/$FILE.tar.bz2.sig" -O "$FILE.tar.bz2.sig"
wget -q "ftp://ftp.gnupg.org/gcrypt/libassuan/$FILE.tar.bz2" -O "$FILE.tar.bz2"
gpg --verify "$FILE.tar.bz2.sig" "$FILE.tar.bz2"
While trying to verify the download, I get an error "Can't check signature: public key not found". This is expected since the VM is fairly clean and it does not have a GPG keychain (I think that's what it's called).
I have the public key block from the Signature Key page, and it's in a file called gpg-signers.pem. But I don't know how to use it with GPG.
I've searched the man pages, but I don't see how to pass the public key block (gpg-signers.pem) to the command (gpg --verify). There is a --sign-key, but it's used to "sign a public key with your secret key", and not to specify the signer's key to verify a signature.
How do I pass gpg-signers.pem to gpg --verify to verify the signature on the package?
Best Answer
We have to import the keys before checking the signature.
If we don't want the keys to be stored in the local database permanently, use a disposable keyring.
By design, we receive keys out-of-band.
Though not as convenient as HTTPS, we can download Werner Koch's public key by gpg --recv-key 4F25E3B6. This command works out of the box on many distros with a preconfigured keyserver. It is easy to write a script that looks into a signature file and automatically downloads the key the person who issued this signature used. But the decision is still left to us, to determine whether or not to trust the person.
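The disposable-keyring approach from the answer, applied to the question's files, as an added example (not code from the question or answer above). It assumes the key block is in gpg-signers.pem and the package and signature are named as in the question; the throwaway keyring lives in a temporary --homedir and is deleted afterwards, and the result is read from gpg's machine-readable status lines rather than its human-readable text.

```shell
#!/bin/sh
# verify_with_keyring KEYFILE SIGFILE DATAFILE
# Imports KEYFILE into a throwaway keyring (a temporary GnuPG home directory)
# and verifies the detached signature SIGFILE over DATAFILE with it.
# Returns 0 only when gpg reports GOODSIG from one of the imported keys.
# Note: GOODSIG says the signature is cryptographically valid for that key;
# whether the key really belongs to the GnuPG release signer is still our call.
verify_with_keyring() {
    keyfile=$1; sigfile=$2; datafile=$3
    tmp=$(mktemp -d) || return 2
    chmod 700 "$tmp"                      # gpg insists on a private home directory
    status=1
    if gpg --homedir "$tmp" --batch --quiet --import "$keyfile" >/dev/null 2>&1; then
        # --status-fd 1 prints "[GNUPG:] GOODSIG <keyid> <uid>" on success;
        # BADSIG / ERRSIG / NO_PUBKEY appear instead on failure
        if gpg --homedir "$tmp" --batch --status-fd 1 --verify "$sigfile" "$datafile" 2>/dev/null \
            | grep -q '^\[GNUPG:\] GOODSIG '; then
            status=0
        fi
    fi
    # Stop any agent/keyboxd that gpg started for this home before removing it
    gpgconf --homedir "$tmp" --kill all >/dev/null 2>&1 || true
    rm -rf "$tmp"
    return $status
}

# Usage with the file names from the question:
#   verify_with_keyring gpg-signers.pem libassuan-2.2.0.tar.bz2.sig libassuan-2.2.0.tar.bz2
if [ "$#" -eq 3 ]; then
    if verify_with_keyring "$1" "$2" "$3"; then
        echo "Good signature from a key in $1"
    else
        echo "Verification FAILED for $3" >&2
        exit 1
    fi
fi
```

Because the key is imported only into the temporary home, the VM's default keyring stays empty, which is what the answer means by not storing the keys permanently.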