Verify a gpg signature without installing the key

Time: 2012-02-02 21:48:52

Tags: command-line signature gnupg

How can I verify a gpg signature without installing the public key (CLI or with Node.js)? I have the public key but do not want to add it to my keyring. Any hints?

Thanks, Florian

2 answers:

Answer 0 (score: 6)

Here is the shell script I use for this purpose. It creates a temporary keyring, installs the specified public key into it, runs the specified command, and then deletes the temporary keyring.

Note that this installs the key from a keyserver. Adapting it to use a key you already have on disk should not be hard (I should add an option to do that).

Update: See https://github.com/Keith-S-Thompson/gpg-tmp

#!/bin/sh
# Usage: gpg-tmp KEYID gpg-args...
# Fetches KEYID into a temporary keyring, runs gpg against that keyring, then deletes it.

keyid=$1
shift
case "$keyid" in
    ????????)          # exactly eight characters: a short key ID
        ;;
    *)
        echo "Usage: $0 key args..." 1>&2
        exit 1
        ;;
esac

tmp_keyring=$HOME/$keyid-keyring.gpg

# Fetch the key from the keyserver into the temporary keyring only;
# the default keyring is never touched.
gpg --no-default-keyring --keyring "$tmp_keyring" --recv-keys "$keyid"
# Run the requested gpg command (e.g. verify a .sig file) with that keyring.
gpg --no-default-keyring --keyring "$tmp_keyring" "$@"
rm -f "$tmp_keyring"

It works like the gpg command, but takes an extra initial argument specifying an 8-digit key ID.

Sample usage:

$ gpg coreutils-8.9.tar.gz.sig
gpg: Signature made Tue 04 Jan 2011 07:04:25 AM PST using RSA key ID 000BEEEE
gpg: Can't check signature: public key not found
$ gpg-tmp 000BEEEE coreutils-8.9.tar.gz.sig
gpg: keyring `/home/kst/000BEEEE-keyring.gpg' created
gpg: requesting key 000BEEEE from hkp server subkeys.pgp.net
gpg: key 000BEEEE: public key "Jim Meyering <jim@meyering.net>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: Signature made Tue 04 Jan 2011 07:04:25 AM PST using RSA key ID 000BEEEE
gpg: Good signature from "Jim Meyering <jim@meyering.net>"
gpg:                 aka "Jim Meyering <meyering@gnu.org>"
gpg:                 aka "Jim Meyering <meyering@redhat.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 155D 3FC5 00C8 3448 6D1E  EA67 7FD9 FCCB 000B EEEE

Keep in mind that this tells you absolutely nothing about the trustworthiness of the key, but it can serve as an integrity check.

(I wonder how many keys Jim Meyering generated before he got that one.)
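As an added example (not part of the answer above or of the gpg-tmp project), here is the same idea adapted to a public key file already on disk: it uses a throwaway GNUPGHOME so the default keyring and trustdb are never touched, and, since a "Good signature" alone says nothing about trust, it only reports success when the signer's full fingerprint matches a value you pin. It assumes gpg is installed; the file names and the expected fingerprint are supplied by the caller, and the status line in the comments is constructed.

```shell
#!/bin/sh
# Added example: verify a detached signature with a key file and a pinned fingerprint.
set -u

# Return 0 if $1 is a full 40-hex-digit fingerprint (spaces allowed, as gpg prints it).
valid_fpr() {
    f=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$f" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#f}" -eq 40 ]
}

# Read gpg --status-fd output on stdin and print the fingerprint from the VALIDSIG
# line: the primary-key fingerprint (field 12) when present, else the signing key's
# (field 3). Constructed example of such a line:
#   [GNUPG:] VALIDSIG <fpr> 2011-01-04 1294153465 0 4 0 1 2 00 <primary-fpr>
fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print ($12 != "") ? $12 : $3; exit }'
}

# verify_detached KEYFILE SIGFILE DATAFILE EXPECTED_FPR
# Returns 0 only for a valid signature made by the pinned key.
verify_detached() {
    keyfile=$1; sigfile=$2; datafile=$3
    expected=$(printf '%s' "$4" | tr -d ' ' | tr 'a-f' 'A-F')
    valid_fpr "$expected" || { echo "expected fingerprint must be 40 hex digits" >&2; return 2; }

    # A fresh GNUPGHOME isolates keyring, trustdb and agent state; removed on exit.
    tmp=$(mktemp -d) || return 2
    trap 'rm -rf "$tmp"' EXIT

    GNUPGHOME=$tmp gpg --batch --quiet --import "$keyfile" 2>/dev/null \
        || { echo "key import failed" >&2; return 2; }
    # Machine-readable status lines go to stdout; human messages are discarded.
    status=$(GNUPGHOME=$tmp gpg --batch --status-fd 1 --verify "$sigfile" "$datafile" 2>/dev/null) || true
    got=$(printf '%s\n' "$status" | fpr_from_status)

    if [ "$got" = "$expected" ]; then
        echo "good signature from pinned key $got"
        return 0
    fi
    echo "verification failed (signer '${got:-none}', expected $expected)" >&2
    return 1
}

# Stand-alone use: ./verify.sh key.asc file.sig file EXPECTED_FINGERPRINT
if [ $# -eq 4 ]; then verify_detached "$@"; fi
```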

Answer 1 (score: 2)

I didn't need much; gpg --dry-run (or gpg -n) worked for me. I'm running gpg 1.4.12 on a Mac via Homebrew, but it seems to be a standard option. Not sure how it compares to the other methods mentioned here.