LinuxCommandLibrary

gpgv

Verify digital signatures

TLDR

Verify a signed file

$ gpgv [path/to/file]

Verify a signed file using a detached signature

$ gpgv [path/to/signature] [path/to/file]

Add a file to the list of keyrings (a single exported key also counts as a keyring)

$ gpgv --keyring [./alice.keyring] [path/to/signature] [path/to/file]

SYNOPSIS

gpgv [options] [files]

Examples:
gpgv --keyring ./trustedkeys.gpg signature.sig file.txt
gpgv package.deb.sig
gpgv --status-fd 1 my_signed_document.pdf.sig my_signed_document.pdf

PARAMETERS

--homedir DIR
    Specifies an alternative GnuPG home directory for configurations and keyrings.

--keyring FILE
    Uses FILE as the public keyring for verification. Essential when keys are not in the default location.

--keyid-format FORMAT
    Controls the display format of key IDs (e.g., long, 0xlong).

--status-fd FD
    Directs status output to a specified file descriptor, useful for script parsing.

--output FILE
    Writes the verified data to FILE. Applies when the signature is embedded in the file (a normal or clearsigned message) rather than detached.

--verbose
    Increases the verbosity of output, showing more details about the verification process.

--quiet
    Suppresses most informational output, only showing errors.

--batch
    Disables interactive prompts, making it suitable for scripting and automated environments.

--no-default-keyring
    Explicitly prevents gpgv from using the default GnuPG keyring, enforcing isolated verification.

--ignore-time-conflict
    Disregards conflicts in creation and verification times of signatures.

--ignore-valid-until
    Ignores the 'valid until' timestamp of keys, allowing verification with expired keys.
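As an added example that is not part of this page or of GnuPG itself: a POSIX sh function that turns the --status-fd protocol described above into a pass/fail decision, pinning the signer's fingerprint taken from the VALIDSIG line rather than accepting any key the keyring happens to contain, plus a wrapper that calls gpgv with --keyring and --status-fd 1. The fingerprint, key ID, user ID and status lines in the demo are constructed, and verify_with_gpgv is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not code from the page or the GnuPG project.
# Turns `gpgv --status-fd 1` output into a verdict that also pins the
# signing key's fingerprint, so "some key in the keyring" is not enough.
# All fingerprints, key IDs and status lines below are constructed.

# classify_gpgv_status ALLOWED_FPRS
#   Reads "[GNUPG:] ..." status lines from stdin. ALLOWED_FPRS is a
#   space-separated list of full 40-hex-digit key fingerprints.
#   Prints VERIFIED and returns 0 only if a GOODSIG line was seen, a
#   VALIDSIG line carries an allow-listed fingerprint, and no failure
#   keyword (BADSIG, ERRSIG, EXPKEYSIG, REVKEYSIG, NO_PUBKEY) appeared.
classify_gpgv_status() {
  allowed=$1
  good=0 pinned=0 bad=0 fpr=""
  while IFS= read -r line; do
    case $line in
      "[GNUPG:] GOODSIG "*) good=1 ;;
      "[GNUPG:] VALIDSIG "*)
        # Field 3 is the fingerprint of the key that made the signature.
        set -- $line
        fpr=$3
        case " $allowed " in
          *" $fpr "*) pinned=1 ;;
        esac ;;
      "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*) bad=1 ;;
      "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*|"[GNUPG:] NO_PUBKEY "*) bad=1 ;;
    esac
  done
  if [ "$bad" -eq 0 ] && [ "$good" -eq 1 ] && [ "$pinned" -eq 1 ]; then
    echo "VERIFIED signed by $fpr"
    return 0
  fi
  echo "REJECTED good=$good pinned=$pinned failure=$bad fpr=${fpr:-none}"
  return 1
}

# verify_with_gpgv KEYRING SIGNATURE FILE ALLOWED_FPRS  (hypothetical helper)
#   Runs gpgv with an explicit keyring as the only trust anchor and the
#   machine-readable status on stdout, then classifies it. gpgv's
#   human-readable messages stay on stderr and are not parsed.
verify_with_gpgv() {
  gpgv --keyring "$1" --status-fd 1 "$2" "$3" | classify_gpgv_status "$4"
}

# Demo on constructed status output of the kind gpgv emits for a good
# signature (VALIDSIG fields: fpr, date, timestamp, expiry, sig version,
# reserved, pubkey algo, hash algo, sig class, primary-key fpr).
DEMO_FPR="0123456789ABCDEF0123456789ABCDEF01234567"   # constructed, not a real key
printf '%s\n' \
  "[GNUPG:] NEWSIG" \
  "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>" \
  "[GNUPG:] VALIDSIG $DEMO_FPR 2024-01-01 1704067200 0 4 0 1 8 00 $DEMO_FPR" \
  | classify_gpgv_status "$DEMO_FPR" || true
```

Run the script as-is to see the verdict on the constructed good signature; for a real check call verify_with_gpgv ./trustedkeys.gpg signature.sig file.txt followed by the expected fingerprint. The status keywords are the stable, documented interface for scripts, unlike the human-readable messages on stderr, which is why --status-fd exists; rejecting on EXPKEYSIG and REVKEYSIG keeps a signature from an expired or revoked key from passing even though its VALIDSIG line is present.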

DESCRIPTION

gpgv is a command-line utility designed specifically for verifying cryptographic signatures generated by GnuPG. It acts as a lightweight wrapper around gpg --verify, but with a crucial distinction: it generally does not access or require the user's GnuPG keyring for signature validation. This makes gpgv ideal for scenarios where a quick, isolated signature check is needed, often without local access to trusted public keys.

It's commonly used by package managers and automated scripts to verify the integrity and authenticity of downloaded files or software packages against a known public key provided out-of-band. While gpg is a comprehensive tool for encryption, decryption, and key management, gpgv focuses solely on the verification aspect, offering a simpler and often more secure execution environment by minimizing external dependencies.

CAVEATS

gpgv runs in a more restricted environment than the full gpg command. It generally does not consult the user's default GnuPG keyring for trust evaluation, so the signer's public key must be supplied explicitly (for example with the --keyring option, or, for detached signatures, by being present in the same directory). This isolation improves security, but it also means gpgv performs no comprehensive trust-chain validation unless configured to do so. It is designed solely for signature verification, not for encryption, decryption, or key management.

USE CASES

gpgv is widely used in Linux package management systems (e.g., APT, RPM, Pacman) to verify the authenticity and integrity of downloaded packages before installation. It ensures that packages originate from trusted sources and haven't been tampered with. It's also suitable for verifying software releases, ISO images, or any digitally signed file in automated scripts or restricted environments where a full GnuPG installation is not necessary or desirable.

KEYRING INTERACTION

Unlike gpg, gpgv's default behavior often involves not using the user's default keyring. For successful verification, the public key of the signer must typically be provided explicitly (e.g., via --keyring FILE or by being present in the working directory alongside the signed file) or implicitly known to the environment. This design choice contributes to its security by preventing unintended key lookups and ensuring that verification relies only on specified trust anchors.

HISTORY

gpgv emerged as part of the GnuPG (GNU Privacy Guard) project, which began development in the late 1990s as a free replacement for Symantec's PGP (Pretty Good Privacy) software. While the core gpg command handles a wide range of cryptographic operations, the need for a simplified, verification-only tool became apparent, especially for automated scripts and package management systems.

gpgv essentially acts as a streamlined wrapper around gpg --verify, offering a more minimal and often more secure footprint by intentionally limiting its interaction with keyrings and complex trust models by default. Its development reflects a focus on secure, auditable verification for public software distribution.

SEE ALSO

gpg(1), dirmngr(8), gpgconf(1)
