gpgv

Verify digital signatures

TLDR

Verify a signed file

$ gpgv [path/to/file]

Verify a signed file using a detached signature
$ gpgv [path/to/signature] [path/to/file]

Add a file to the list of keyrings (a single exported key also counts as a keyring)
$ gpgv --keyring [./alice.keyring] [path/to/signature] [path/to/file]

SYNOPSIS

gpgv [options] [signature_file] [data_file]

PARAMETERS

--keyring file
    Specify the keyring file to use for verifying signatures. This keyring should contain the public keys of the signers you trust.

--status-fd n
    Write status information to file descriptor n. This is useful for scripting and automation.

--dry-run
    Perform a dry run; that is, don't actually verify the signature, just check if the command would succeed.

--verbose
    Enable verbose output, providing more details about the verification process.

--quiet
    Suppress most output.

--version
    Display version information.

--help
    Display help information.

DESCRIPTION

gpgv is a standalone signature verification tool.
It is designed to verify signatures created by GnuPG, ensuring the integrity and authenticity of files. gpgv doesn't require a keyring and typically uses a trust model based on pre-distributed public keys. This makes it suitable for automated verification tasks in scripts and systems where a full GPG environment is not necessary or desired.

Unlike GPG, gpgv focuses on signature verification and doesn't handle key management or encryption. This specialization makes it a lightweight and efficient tool for verifying digitally signed files. gpgv can verify detached signatures, clearsigned files, and data with embedded signatures. It's commonly used in software distribution, package management systems, and other scenarios where verifying the integrity of downloaded or received files is crucial.

CAVEATS

gpgv relies on the user to manage and distribute public keys.
It doesn't offer built-in mechanisms for key retrieval or revocation, unlike full GPG implementations.
Therefore, ensuring the validity and authenticity of the public keys used for verification is paramount.

TRUST MODEL

gpgv's trust model is based on pre-distributed public keys. The user or system administrator is responsible for ensuring that the public keys used for verification are trustworthy and have not been compromised. This is in contrast to GPG's web of trust, where trust relationships are established through key signing.

EXIT CODES

gpgv returns different exit codes to indicate the outcome of the verification process. An exit code of 0 indicates successful verification, while non-zero exit codes indicate errors such as invalid signatures, missing keys, or other issues.
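
Exit code 0 only says that some key in the keyring made a valid signature, so a script that expects one particular signer should also read the --status-fd output. The shell functions below are an added example, not part of the gpgv documentation: the function names, fingerprints and sample status lines are constructed, and the VALIDSIG field positions are taken from GnuPG's status-line format.

```shell
#!/bin/sh
# Added example. All fingerprints and status samples are constructed placeholders.

# status_is_trusted EXPECTED_FPR
# Reads gpgv --status-fd output on stdin. Succeeds only if at least one
# VALIDSIG is present, every VALIDSIG names EXPECTED_FPR as the signing key
# (field 3) or the primary key (field 12), and no failure status appears.
status_is_trusted() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        # Appending "" forces string comparison; an all-digit fingerprint
        # would otherwise be compared as a (lossy) floating-point number.
        $2 == "VALIDSIG" { n++; if (($3 "") == (want "") || ($12 "") == (want "")) ok++ }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad++ }
        END { exit !(want != "" && n >= 1 && ok == n && bad == 0) }
    '
}

# verify_pinned KEYRING SIGNATURE DATA EXPECTED_FPR
# KEYRING should contain a slash (e.g. ./release.keyring); gpgv resolves a
# bare file name relative to its home directory.
verify_pinned() {
    # fd 3 carries the status lines into $status; normal output is discarded.
    status=$(gpgv --keyring "$1" --status-fd 3 "$2" "$3" 3>&1 >/dev/null 2>&1) || return 1
    printf '%s\n' "$status" | status_is_trusted "$4"
}

# Constructed samples of status output.
PINNED_FPR=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SUBKEY_FPR=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
OTHER_FPR=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

# Signed by a subkey of the pinned primary key: accepted.
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $SUBKEY_FPR 2024-01-01 1704067200 0 4 0 1 10 00 $PINNED_FPR"

# Valid signature (gpgv would exit 0) but from another key in the keyring: rejected.
SAMPLE_OTHER="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CCCCCCCCCCCCCCCC Other Signer <other@example.invalid>
[GNUPG:] VALIDSIG $OTHER_FPR 2024-01-01 1704067200 0 4 0 1 10 00 $OTHER_FPR"

# Data does not match the signature: rejected.
SAMPLE_BAD="[GNUPG:] NEWSIG
[GNUPG:] BADSIG BBBBBBBBBBBBBBBB Constructed Signer <signer@example.invalid>"
```

A caller would run `verify_pinned ./release.keyring file.sig file "$PINNED_FPR"` and treat any non-zero return as a failed verification.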

HISTORY

gpgv evolved as a lightweight alternative to the full GPG suite for signature verification.
It arose from the need for a simpler and more efficient tool specifically designed for verifying signatures without the overhead of key management and encryption functionalities.
Its usage has become widespread in scenarios where automated verification is essential, such as package management systems and software distribution channels.

SEE ALSO

gpg(1), gpgsm(1)
