gpgv

Verify a signed file

$ gpgv [path/to/file]

$ gpgv [path/to/signature] [path/to/file]

$ gpgv --keyring [./alice.keyring] [path/to/signature] [path/to/file]

gpgv [options] [signature_file] [data_file]

--keyring file
    Specify the keyring file to use for verifying signatures. This keyring should contain the public keys of the signers you trust.

--status-fd n
    Write status information to file descriptor n. This is useful for scripting and automation.

--dry-run
    Perform a dry run; that is, don't actually verify the signature, just check if the command would succeed.

--verbose
    Enable verbose output, providing more details about the verification process.

--quiet
    Suppress most output.

--version
    Display version information.

--help
    Display help information.

gpgv is a standalone signature verification tool.
It is designed to verify signatures created by GnuPG, ensuring the integrity and authenticity of files. gpgv doesn't require a keyring and typically uses a trust model based on pre-distributed public keys. This makes it suitable for automated verification tasks in scripts and systems where a full GPG environment is not necessary or desired.

Unlike GPG, gpgv primarily focuses on signature verification and doesn't handle key management or encryption. This specialization makes it a lightweight and efficient tool for verifying digitally signed files. gpgv can verify detached signatures, clearsign signatures, and also data with embedded signatures. It's commonly used in software distribution, package management systems, and other scenarios where verifying the integrity of downloaded or received files is crucial.

gpgv relies on the user to manage and distribute public keys.
It doesn't offer built-in mechanisms for key retrieval or revocation, unlike full GPG implementations.
Therefore, ensuring the validity and authenticity of the public keys used for verification is paramount.

gpgv's trust model is based on pre-distributed public keys. The user or system administrator is responsible for ensuring that the public keys used for verification are trustworthy and have not been compromised. This is in contrast to GPG's web of trust, where trust relationships are established through key signing.

gpgv returns different exit codes to indicate the outcome of the verification process. An exit code of 0 indicates successful verification, while non-zero exit codes indicate errors such as invalid signatures, missing keys, or other issues.

gpgv evolved as a lightweight alternative to the full GPG suite for signature verification.
It arose from the need for a simpler and more efficient tool specifically designed for verifying signatures without the overhead of key management and encryption functionalities.
Its usage has become widespread in scenarios where automated verification is essential, such as package management systems and software distribution channels.

gpg(1), gpgsm(1)