Verify that a GPG-encrypted file is signed by particular user(s)
Mia Lopez
I've got a file encrypted and signed by GPG.
In the man page for gpg, for the --decrypt option, it says:
If the decrypted file is signed, the signature is also verified.
I'd like to do more than just verify that a signature is valid "if the file is signed"—I'd like to:
- Check that the file is signed
- Check that the signature is from a particular user or subset of users in my keyring
What gpg command can be used to do this?
2 Answers
The --decrypt option already does most of that.
$ gpg --decrypt < test.gpg
gpg: encrypted with 4096-bit RSA key, ID CE7B5510340F19EF, created 2009-10-31
      "grawity <>"
The WELL (or Whole Earth 'Lectronic Link) is an example of the latest thing in frontier villages, the computer bulletin board. In this kind of small town, Main Street is a central minicomputer to which (in the case of the WELL) as many as 64 microcomputers may be connected at one time by phone lines and little blinking boxes called modems.
gpg: Signature made 2015-05-15T07:52:55 EEST
gpg:                using RSA key D24F6CB2C1B52632
gpg: Good signature from "grawity <>" [ultimate]
gpg:                 aka "grawity <>" [ultimate]
For machine-readable information, you can use --status-fd.
[GNUPG:] ENC_TO CE7B5510340F19EF 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] PLAINTEXT 62 1431665575
[GNUPG:] NEWSIG
[GNUPG:] SIG_ID 8AaWsnfpINFLIVjEqk665x7fuKA 2015-05-15 1431665575
[GNUPG:] GOODSIG D24F6CB2C1B52632 grawity <>
[GNUPG:] NOTATION_NAME 
[GNUPG:] NOTATION_DATA 2357E10CEF4F7ED27E233AD5D24F6CB2C1B52632
[GNUPG:] VALIDSIG 2357E10CEF4F7ED27E233AD5D24F6CB2C1B52632 2015-05-15 1431665575 0 4 0 1 10 00 2357E10CEF4F7ED27E233AD5D24F6CB2C1B52632
[GNUPG:] TRUST_ULTIMATE
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
Both GOODSIG and VALIDSIG here mean that the signature was checked, and TRUST_* correspond to the certification levels of that key. For example, keys you have signed (or lsigned) directly will have TRUST_FULL.
You can wrap this in a script that would check the fingerprint in VALIDSIG against a key whitelist, or just rely on the key trust model.
Note that you cannot check if a file is signed without decrypting it first, as PGP uses sign-before-encrypt.
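One way to script the fingerprint whitelist this answer mentions, as an added example that is not from the answer or from GnuPG itself: it parses --status-fd output, accepts only a VALIDSIG fingerprint on the whitelist, and keeps the decrypted file only when that check passes. The names ALLOWED_FPRS, parse_status, signed_by_allowed and decrypt_if_allowed and the temp-file handling are assumptions; the whitelisted value is the fingerprint from the VALIDSIG line above.

```python
import os
import subprocess
import tempfile

# Hypothetical whitelist of accepted signers as full key fingerprints; the
# value is the one from the VALIDSIG line above, replace it with your own.
ALLOWED_FPRS = {"2357E10CEF4F7ED27E233AD5D24F6CB2C1B52632"}
FAILURES = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "DECRYPTION_FAILED", "BADMDC"}

def parse_status(status_text):
    """Reduce --status-fd output to: decryption ok, any failure, signer fprs."""
    facts = {"decrypted": False, "failed": False, "fprs": set()}
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] == "DECRYPTION_OKAY":
            facts["decrypted"] = True
        elif fields[1] in FAILURES:
            facts["failed"] = True
        elif fields[1] == "VALIDSIG" and len(fields) >= 3:
            # Field 2 is the signing (sub)key fingerprint, field 11 (if present) the
            # primary key's; keep both. GOODSIG is ignored: a 64-bit key ID is too short.
            facts["fprs"].add(fields[2].upper())
            if len(fields) >= 12:
                facts["fprs"].add(fields[11].upper())
    return facts

def signed_by_allowed(status_text, allowed=ALLOWED_FPRS):
    """True only if decryption succeeded, nothing failed, and a whitelisted key signed."""
    facts = parse_status(status_text)
    return (facts["decrypted"] and not facts["failed"]
            and bool(facts["fprs"] & {f.upper() for f in allowed}))

def decrypt_if_allowed(encrypted_path, output_path, allowed=ALLOWED_FPRS):
    """Run gpg with status on fd 1; plaintext goes to a temp file kept only on success."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(output_path)))
    os.close(fd)
    try:
        proc = subprocess.run(["gpg", "--batch", "--yes", "--status-fd", "1",
                               "--output", tmp, "--decrypt", encrypted_path],
                              capture_output=True, text=True)
        if proc.returncode == 0 and signed_by_allowed(proc.stdout, allowed):
            os.replace(tmp, output_path)
            return True
        return False
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)
```

Because the signature sits inside the encryption, the plaintext is always produced; the temp file is what prevents an unverified plaintext from landing at the final path.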
gpg --decrypt < data.pgp > /dev/null
This will result in the following output:
gpg: encrypted with 4096-bit RSA key, ID B91FFCCDDEE362261A, created 2015-05-21 "Shubham Chaudhary <>"
gpg: Signature made Mon Aug 21 23:13:03 2017 IST
gpg: using RSA key 71B6BEEFEED2DCA
gpg: issuer "Shubham Chaudhary <>"
gpg: Good signature from "Shubham Chaudhary <>" [ultimate]