LinuxCommandLibrary

gpgv

Verify digital signatures

TLDR

Verify a clearsigned or inline-signed file (the signature is embedded in the file itself)

$ gpgv [path/to/file.asc]

Verify a detached signature (.asc or .sig) against its corresponding data file
$ gpgv [path/to/signature.asc] [path/to/data_file]

Verify a detached signature using a specific public keyring or exported public key file (.gpg or .kbx)
$ gpgv --keyring [path/to/pubkey_or_keyring.gpg] [path/to/signature.asc] [path/to/data_file]

Verify a detached signature using a specific public key file in plain text format (.txt)
$ gpg --dearmor --output [path/to/pubkey.gpg] [path/to/pubkey.txt] && gpgv --keyring [path/to/pubkey.gpg] [path/to/signature.asc] [path/to/data_file]

SYNOPSIS

gpgv [options] [--] signed_files

PARAMETERS

--keyring file
    Use file as keyring (default: pubring.gpg or trustedkeys.gpg)

--output file
    Write verified data to file (stdout by default)

-q, --quiet
    Suppress all status messages

-v, --verbose
    Enable verbose output

-vv
    More detailed verbose output

--strict
    Fail on any time inconsistencies or non-RFC2440 signatures

--ignore-time-conflict
    Ignore timestamps in future/past

--ignore-valid-from
    Ignore "valid-from" time conflicts

--ignore-crc-error
    Ignore CRC errors in data

--print-sigs
    Print signature details even for bad signatures

--list-only
    List signatures without verifying data

--status-fd n
    Write status info to file descriptor n

--homedir dir
    Use dir as GnuPG home directory

--help
    Display help

--version
    Show version info

DESCRIPTION

gpgv (GnuPG Verify) is a minimal tool from the GnuPG suite for verifying OpenPGP signatures without public key management, signing, or encryption features. It checks the authenticity and integrity of signed files using detached signatures (e.g., data.txt.sig for data.txt) or inline-signed data. Designed for efficiency, it's ideal for scripts, embedded systems, or batch verification where full gpg is unnecessary.

gpgv uses a keyring containing public keys to validate signatures. It reports good signatures, bad signatures, missing keys, and errors such as expiration or revocation. It supports status output (--status-fd) for programmatic use. By default, it reads from ~/.gnupg/pubring.gpg or trustedkeys.gpg. Time conflicts or CRC errors can be ignored with options. It is not suitable for interactive key handling.
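
An added example (not part of this page's source or of GnuPG itself) of using the --status-fd output in a script: it accepts a detached signature only when a VALIDSIG status line carries a pinned fingerprint, rather than accepting any key that happens to be in the keyring. The function names, sample status lines and fingerprint are constructed for illustration; the status keywords are the ones GnuPG documents.

```sh
#!/bin/sh
# Added example: pin the signer's fingerprint from gpgv --status-fd output.
# Usage: verify_detached ./trusted.gpg file.sig file EXPECTED_FPR

# check_status EXPECTED_FPR  (status lines on stdin)
# Succeeds only if a VALIDSIG line names EXPECTED_FPR, as signing-key or
# primary-key fingerprint, and no line reports a bad or unverifiable signature
# or an expired/revoked key. Those lines fail the check whether or not a
# VALIDSIG line is also present.
check_status() {
    [ -n "$1" ] || return 2
    awk -v want="$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|NO_PUBKEY|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_detached KEYRING SIGNATURE DATA EXPECTED_FPR
# Status lines go to stdout (fd 1); gpgv's human-readable log on stderr is dropped.
# A KEYRING name without a slash is looked up in the GnuPG home directory.
verify_detached() {
    gpgv --status-fd 1 --keyring "$1" "$2" "$3" 2>/dev/null | check_status "$4"
}

# Constructed sample status output (fingerprint and key ID are made up).
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer
[GNUPG:] VALIDSIG $SAMPLE_FPR 2024-01-01 1704067200 0 4 0 1 10 00 $SAMPLE_FPR"
SAMPLE_EXPIRED_KEY="[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Example Signer
[GNUPG:] VALIDSIG $SAMPLE_FPR 2024-01-01 1704067200 0 4 0 1 10 00 $SAMPLE_FPR"
SAMPLE_BAD="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer"
```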

CAVEATS

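gpgv does not import or manage keys; load the required public keys into the keyring beforehand. Detached signatures are the primary use case; inline signatures are supported but limited. It performs no decryption or signing. Verification fails if the key is missing, expired, or revoked.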

EXIT CODES

0: Good signature
1: Bad signature
2: Processing error
112: No public key
113: Key revoked
114: Key expired

DEFAULT KEYRINGS

~/.gnupg/pubring.gpg, ~/.gnupg/trustedkeys.gpg, or system-wide

HISTORY

Introduced in GnuPG 1.0 (1998) by Werner Koch as a stripped-down gpg for verification-only use. Evolved with OpenPGP standards (RFC 4880/9580); now in GnuPG 2.x for minimal deployments.

SEE ALSO

gpg(1), gpg2(1), gpg-agent(1)
