9
votes

How do I verify a GPG signature (CLI or with Node.js) without installing the public key? I do have the public key but don't want to add it to the keyring. Any hints?

Thanks, Florian


2 Answers

8
votes

Here's a shell script I use for just that purpose. It creates a temporary keyring, installs the specified public key in it, runs the specified command, then deletes the temporary keyring.

Note that this installs the key from a keyserver. It shouldn't be hard to tweak it to use a key you already have on disk (and I should add an option to do just that).

Update: See https://github.com/Keith-S-Thompson/gpg-tmp

#!/bin/sh
# gpg-tmp: run gpg with a throwaway keyring that holds only the given key.
# First argument is the 8-hex-digit key ID; the rest is passed through to gpg.

keyid=$1
shift
case "$keyid" in
    ????????)
        ;;
    *)
        echo "Usage: $0 key args..." 1>&2
        exit 1
esac

# Per-key keyring file, created fresh and removed again below.
tmp_keyring=$HOME/$keyid-keyring.gpg

# Fetch the key from the configured keyserver into the temporary keyring only.
gpg --no-default-keyring --keyring "$tmp_keyring" --recv-keys "$keyid"
# Run the requested gpg command (e.g. verify a .sig) against that keyring.
gpg --no-default-keyring --keyring "$tmp_keyring" "$@"
rm -f "$tmp_keyring"

It acts like the gpg command, but takes an extra initial argument specifying the 8-digit key id.

Sample usage:

$ gpg coreutils-8.9.tar.gz.sig
gpg: Signature made Tue 04 Jan 2011 07:04:25 AM PST using RSA key ID 000BEEEE
gpg: Can't check signature: public key not found
$ gpg-tmp 000BEEEE coreutils-8.9.tar.gz.sig
gpg: keyring `/home/kst/000BEEEE-keyring.gpg' created
gpg: requesting key 000BEEEE from hkp server subkeys.pgp.net
gpg: key 000BEEEE: public key "Jim Meyering <[email protected]>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: Signature made Tue 04 Jan 2011 07:04:25 AM PST using RSA key ID 000BEEEE
gpg: Good signature from "Jim Meyering <[email protected]>"
gpg:                 aka "Jim Meyering <[email protected]>"
gpg:                 aka "Jim Meyering <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 155D 3FC5 00C8 3448 6D1E  EA67 7FD9 FCCB 000B EEEE

Keep in mind that this tells you absolutely nothing about the trustworthiness of the key, but it's useful as an integrity check.

(I wonder how many keys Jim Meyering generated before he got that one.)
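The "use a key you already have on disk" variant of the above, as an added example that is not from the answer's script or the gpg-tmp repository: it imports a public-key file into a throwaway GNUPGHOME (so the default keyring is never touched), verifies a detached signature from gpg's machine-readable status lines, and optionally pins the expected primary-key fingerprint, which is the check the answer's "tells you nothing about trustworthiness" warning is pointing at. The function name and arguments are hypothetical; it assumes gpg 2.1 or later (for gpgconf).

```shell
#!/bin/sh
# gpg_verify_isolated PUBKEY_FILE SIG_FILE DATA_FILE [PRIMARY_FPR]
# Hypothetical helper (added example). Exit status 0 means gpg reported a good
# signature from a key in PUBKEY_FILE and, if PRIMARY_FPR (40 hex chars, no
# spaces) is given, that the signing key's primary fingerprint matches it.
gpg_verify_isolated() {
    pubkey=$1; sig=$2; data=$3; want_fpr=$4
    # Private home directory just for this check; the real keyring is untouched.
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    # --batch/--no-tty: never prompt; import only into the temporary home.
    if ! GNUPGHOME=$home gpg --batch --no-tty --quiet --import "$pubkey" 2>/dev/null; then
        rm -rf "$home"; return 1
    fi
    # --status-fd 1 puts the parseable [GNUPG:] lines on stdout; the human
    # text stays on stderr. A bad signature makes gpg exit non-zero, hence "|| true".
    status=$(GNUPGHOME=$home gpg --batch --no-tty --status-fd 1 \
                 --verify "$sig" "$data" 2>/dev/null) || true
    # gpg may have auto-started an agent for this home; stop it, then wipe the home.
    GNUPGHOME=$home gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$home"
    # GOODSIG: the signature verifies under an imported key (integrity only,
    # says nothing about whether that key belongs to whom it claims).
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    # VALIDSIG's last field is the primary-key fingerprint; pin it when asked.
    if [ -n "$want_fpr" ]; then
        printf '%s\n' "$status" \
            | grep -q "^\[GNUPG:\] VALIDSIG .* $want_fpr\$" || return 1
    fi
    return 0
}
```

Pass the fingerprint you obtained out of band (project web page, previous release) as the fourth argument; without it the function only proves the file matches whatever key is in the supplied key file.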

1
votes

I didn't need much, gpg --dry-run (or gpg -n) worked for me. I was running gpg 1.4.12 on Mac via Homebrew, but it seems to be a standard option. No idea how it compares to other methods mentioned here.