1.4.0: Howto verify a signed file quickly - without any --homedir...

David Shaw dshaw at jabberwocky.com
Tue Feb 8 15:10:57 CET 2005


On Tue, Feb 08, 2005 at 10:58:08AM +0100, Peter Valdemar Mørch wrote:
> Hi there,
> 
> My task: I have a public keyring and a signed file. I need to test
> whether they verify from a script.
> 
> I don't want to use the current user's trust, keyrings or anything. In
> fact, the user's home directory may not even be writable by the user.
> 
> In gnupg 1.2.5, this worked:
> 
> # gpg --always-trust --secret-keyring /dev/null --no-default-keyring --keyring /my/key.ring --verify /some/file
> gpg: Signature made Mon 19 Apr 2004 13:29:53 CEST using DSA key ID 53776FD8
> gpg: Good signature from "Somebody <some at where.dk>"
> gpg: WARNING: Using untrusted key!
> 
> 
> However, in 1.4.0, this gives the following error:
> 
> gpg: fatal: can't create directory `/home/user/.gnupg': Permission denied
> 
> OK, so I can always do e.g.:
> # mkdir /tmp/bogus
> # gpg --homedir /tmp/bogus ...
> # rm -rf /tmp/bogus
> 
> But then I'm spending time creating the bogus directory, initializing a
> trust database, only to just delete it afterward. And now I have to take
> care not to have two scripts running simultaneously or to use distinct
> temporary directory names with all the pitfalls *that* has.
> 
> Isn't there a simpler way avoiding the homedir altogether? (--homedir 
> /dev/null doesn't work! :-D)

It sounds like you are looking for gpgv, which comes with GnuPG.  It
does just what you want - verifies files and nothing else.

David
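
One way to call gpgv from a script, as an added example that is not part of the original message: the decision is taken from the machine-readable `--status-fd` lines instead of the human-readable output. The function names and the optional fingerprint pin are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the original thread): verify a signed file with gpgv
# against one explicit keyring and decide on the [GNUPG:] status lines.

# sig_status_ok STATUS_TEXT [EXPECTED_FPR]
# Succeeds only if the status text carries a VALIDSIG line (for the expected
# fingerprint, when one is given) and no line reporting a failed check.
sig_status_ok() {
    status=$1
    want_fpr=${2:-}
    # Any of these status keywords means the signature must be rejected.
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)( |$)'
    then
        return 1
    fi
    # VALIDSIG's first argument is the fingerprint of the signing key.
    fpr=$(printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }')
    [ -n "$fpr" ] || return 1
    # Optional pin: compared as-is, so pass the fingerprint in upper-case hex
    # without spaces.
    if [ -n "$want_fpr" ] && [ "$fpr" != "$want_fpr" ]; then
        return 1
    fi
    return 0
}

# verify_file KEYRING FILE [EXPECTED_FPR]
# A keyring path containing a slash is used as given, so gpgv does not look
# in a home directory for it. gpgv treats every key in that keyring as trusted.
verify_file() {
    keyring=$1
    file=$2
    out=$(gpgv --keyring "$keyring" --status-fd 1 "$file" 2>/dev/null) || return 1
    sig_status_ok "$out" "${3:-}"
}

# Command-line use: script KEYRING FILE [EXPECTED_FPR]
if [ "$#" -ge 2 ]; then
    verify_file "$@" || { echo "verification FAILED" >&2; exit 1; }
    echo "verification OK"
fi
```

Because gpgv accepts any key present in the keyring, the keyring file itself has to be protected from modification; the fingerprint pin narrows acceptance to a single key.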


