如何在不安装公钥的情况下验证gpg签名(使用cli或node js)?我有公钥,但不想将其添加到密钥环中。有什么提示吗?
谢谢, Florian
如何在不安装公钥的情况下验证gpg签名(使用cli或node js)?我有公钥,但不想将其添加到密钥环中。有什么提示吗?
谢谢, Florian
#!/bin/sh
keyid=$1
shift
case "$keyid" in
????????)
;;
*)
echo "Usage: $0 key args..." 1>&2
exit 1
esac
tmp_keyring=$HOME/$keyid-keyring.gpg
gpg --no-default-keyring --keyring $tmp_keyring --recv-keys $keyid
gpg --no-default-keyring --keyring $tmp_keyring "$@"
rm -f $tmp_keyring
gpg
命令,但需要一个额外的初始参数来指定8位数字密钥ID。$ gpg coreutils-8.9.tar.gz.sig
gpg: Signature made Tue 04 Jan 2011 07:04:25 AM PST using RSA key ID 000BEEEE
gpg: Can't check signature: public key not found
$ gpg-tmp 000BEEEE coreutils-8.9.tar.gz.sig
gpg: keyring `/home/kst/000BEEEE-keyring.gpg' created
gpg: requesting key 000BEEEE from hkp server subkeys.pgp.net
gpg: key 000BEEEE: public key "Jim Meyering <jim@meyering.net>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: Signature made Tue 04 Jan 2011 07:04:25 AM PST using RSA key ID 000BEEEE
gpg: Good signature from "Jim Meyering <jim@meyering.net>"
gpg: aka "Jim Meyering <meyering@gnu.org>"
gpg: aka "Jim Meyering <meyering@redhat.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 155D 3FC5 00C8 3448 6D1E EA67 7FD9 FCCB 000B EEEE
我不需要太多,gpg --dry-run
(或gpg -n
)对我来说已经足够了。我在Mac上通过Homebrew运行gpg 1.4.12,但它似乎是一个标准选项。不知道它与这里提到的其他方法相比如何。
gpg --dry-run coreutils-8.9.tar.gz.sig
给出了 "gpg: 无法检查签名:未找到公钥
"。 (我的密钥环中没有Jim Meyering的密钥。) - Keith Thompsongpg --dry-run --trust-model direct --keyserver-options auto-key-retrieve --auto-key-locate keyserver --keyserver keys.gnupg.net --verify-options pka-lookups --verify coreutils-8.9.tar.gz.sig coreutils-8.9.tar.gz
但它仍然显示gpg: Can't check signature: public key not found
。好吧,我想如果你真的想避免脚本,你可以编写命令来使用临时 home/keyring,并在之后删除它。但 GPG 的目的是建立信任:这就是为什么他们让这个过程变得困难的原因。 - Louis St-Amourverify-options pka-lookups
只是添加了额外的检查,不会自动下载……) - Louis St-Amour