Please help verify signature within Dockerfile
Werner Koch
wk at gnupg.org
Mon Feb 3 09:05:18 CET 2025
On Sun, 2 Feb 2025 09:22, Josef Wolf said:
>> Does it really need to be that hard to verify signature with a given pubkey?
That is what gpgv was created for. Use it.
Or use the newer gpg option

  --assert-signer fpr_or_file

      This option checks whether at least one valid signature on a file
      has been made with the specified key. The key is either specified
      as a fingerprint or a file listing fingerprints. The fingerprint
      must be given or listed in compact format (no colons or spaces in
      between). This option can be given multiple times and each
      fingerprint is checked against the signing key as well as the
      corresponding primary key. If fpr_or_file specifies a file, empty
      lines are ignored as well as all lines starting with a hash sign.
      With this option gpg is guaranteed to return with an exit code of 0
      if and only if a signature has been encountered, is valid, and the
      key matches one of the fingerprints given by this option.

But here you need to import the keys first. But you need to
store them anyway and have a way to update them.
Salam-Shalom,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
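
A sketch of how the --assert-signer approach from the message above could be wrapped for a Dockerfile RUN step. This is an added example, not part of the original post or of GnuPG; the function names `compact_fpr` and `verify_pinned` are hypothetical, and it assumes a gpg new enough to support --assert-signer.

```sh
#!/bin/sh
# Added example: pin a detached signature to one key fingerprint.

# Turn a fingerprint as humans copy it (spaces or colons, any case) into
# the compact form --assert-signer requires. Fails unless exactly 40 or
# 64 hex digits remain, so a truncated key ID is never accepted as a pin.
compact_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' :\t' | tr 'a-f' 'A-F')
    case "$fpr" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    case "${#fpr}" in
        40|64) printf '%s\n' "$fpr" ;;
        *) return 1 ;;
    esac
}

# verify_pinned KEYFILE FINGERPRINT SIGFILE DATAFILE
# Imports KEYFILE into a throwaway GNUPGHOME, then lets gpg decide:
# exit code 0 only if a valid signature by the pinned key was seen.
verify_pinned() {
    pin=$(compact_fpr "$2") || { echo "bad fingerprint: $2" >&2; return 2; }
    home=$(mktemp -d) || return 2
    chmod 700 "$home"
    rc=0
    {
        GNUPGHOME=$home gpg --batch --quiet --import "$1" &&
        GNUPGHOME=$home gpg --batch --assert-signer "$pin" --verify "$3" "$4"
    } || rc=$?
    # Stop any helper daemons gpg started for the temporary home directory.
    GNUPGHOME=$home gpgconf --kill all >/dev/null 2>&1 || true
    rm -rf "$home"
    return "$rc"
}
```

In a Dockerfile this would be called as `verify_pinned release-key.asc "<fingerprint>" pkg.tar.gz.sig pkg.tar.gz` (placeholder file names), with the fingerprint obtained out of band rather than read from the downloaded key file.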