Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

verify gpg signature without installing key

Tags:

command-line

gnupg

signature

How do i verify a gpg signature (cli or w/ node js) without installing the public key? i do have the public key but don't want to add it to the keyring. Any hints?

Thanks, Florian

like image 386
Florian Avatar asked Feb 02 '12 21:02

Florian

1 Answers

Here's a shell script I use for just that purpose. It creates a temporary keyring, installed the specified public key in it, runs the specified command, then deletes the temporary keyring.

Note that this installs the key from a keyserver. It shouldn't be hard to tweak it to use a key you already have on disk (and I should add an option to do just that).

Update: See https://github.com/Keith-S-Thompson/gpg-tmp

#!/bin/sh

keyid=$1
shift
case "$keyid" in
    ????????)
        ;;
    *)
        echo "Usage: $0 key args..." 1>&2
        exit 1
esac

tmp_keyring=$HOME/$keyid-keyring.gpg

gpg --no-default-keyring --keyring $tmp_keyring --recv-keys $keyid
gpg --no-default-keyring --keyring $tmp_keyring "$@"
rm -f $tmp_keyring

It acts like the gpg command, but takes an extra initial argument specifying the 8-digit key id.

Sample usage:

$ gpg coreutils-8.9.tar.gz.sig
gpg: Signature made Tue 04 Jan 2011 07:04:25 AM PST using RSA key ID 000BEEEE
gpg: Can't check signature: public key not found
$ gpg-tmp 000BEEEE coreutils-8.9.tar.gz.sig
gpg: keyring `/home/kst/000BEEEE-keyring.gpg' created
gpg: requesting key 000BEEEE from hkp server subkeys.pgp.net
gpg: key 000BEEEE: public key "Jim Meyering <[email protected]>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: Signature made Tue 04 Jan 2011 07:04:25 AM PST using RSA key ID 000BEEEE
gpg: Good signature from "Jim Meyering <[email protected]>"
gpg:                 aka "Jim Meyering <[email protected]>"
gpg:                 aka "Jim Meyering <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 155D 3FC5 00C8 3448 6D1E  EA67 7FD9 FCCB 000B EEEE

Keep in mind that this tells you absolutely nothing about the trustworthiness of the key, but it's useful as an integrity check.

(I wonder how many keys Jim Meyering generated before he got that one.)

like image 162
Keith Thompson Avatar answered Oct 05 '22 12:10

Keith Thompson
Sign in to Comment

Related questions

Specify Python source file encoding from the command line
Curses for PHP on Windows
Selective test execution in Karma Jasmine using pattern matching
How can I reencode a video to match another's codec exactly?
Passing parameter from Client CMD through ICA file to launch published Citrix App
Write to tmp folder
Convert raw RGB32 file to JPEG or PNG using FFmpeg
Can Python's argparse permute argument order like gnu getopt?
How to run Go(lang) code directly from terminal/command line?
MS Paint command line switches
PHP Warning: Module 'ldap' & 'mysql' already loaded when running PHP at command line
extract matches of a regex capturing group from a file
Command-line fulltext indexing?
Bash Command-Line Tab Completion Colon Character
How do you do a `git blame` from the command line on one line of code that I am interested in?
How do I open a file from a prompt with VS Code and go to a specific line number?
How do you configure Github Desktop to run from the command line in OSX?
Bash error using the column command: 'column: line too long'
How to set environment variable within GDB using shell command?
Open URL in already-opened Firefox profile

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!