[Catalog-sig] [Announce] Catalog Server Prototype Updated
Martin v. Loewis
Thu, 3 May 2001 23:57:00 +0200
> Can you tell me how to determine the uploader given a signature and a
> list of public keys?
I think you first need to install all public keys in a
keyring. Assuming you use gpg, this should be done with gpg --import.
Then, given the signature and the file, you do
  gpg --verify AFoo-1.0.tar.gz.asc AFoo-1.0.tar.gz
It then prints a message like
  gpg: Signature made Thu May 3 23:04:07 2001 CEST using DSA key ID DC3E5D42
  gpg: Good signature from "Martin v. Loewis <firstname.lastname@example.org>"
There is also a GPG module at http://www.amk.ca/python/code/gpg.html,
which already processes the GPG output. Using the --status-fd option,
you get output that is much better parsable; in my case
  [GNUPG:] SIG_ID VptwaSnFDdwDevjjAwD4bbUeWGI 2001-05-03 988923847
  [GNUPG:] GOODSIG 10459BC5DC3E5D42 Martin v. Loewis <email@example.com>
  [GNUPG:] VALIDSIG E6ACD89306E0F05FA7653FCA10459BC5DC3E5D42 2001-05-03 988923847
All this can probably be made to work with pgp as well, but you'd have
to figure it out yourself.
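
Added example, not part of the original message and not the code of the GPG module it mentions: one way to turn the --status-fd lines into an uploader name. The UPLOADERS table, the account name "loewis" and the function names are assumptions; the status lines are the ones quoted in the message.

```python
# Added example: identify the uploader from `gpg --status-fd` output.
# Status lines below are copied from the message above.
SAMPLE_STATUS = """\
[GNUPG:] SIG_ID VptwaSnFDdwDevjjAwD4bbUeWGI 2001-05-03 988923847
[GNUPG:] GOODSIG 10459BC5DC3E5D42 Martin v. Loewis <email@example.com>
[GNUPG:] VALIDSIG E6ACD89306E0F05FA7653FCA10459BC5DC3E5D42 2001-05-03 988923847
"""

# Hypothetical catalog table (constructed): key fingerprint -> uploader account.
UPLOADERS = {"E6ACD89306E0F05FA7653FCA10459BC5DC3E5D42": "loewis"}

# Status keywords that mean the signature must not be accepted.
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}


def parse_status(text):
    """Return (keyword, args) pairs for each [GNUPG:] line; skip other output."""
    records = []
    for line in text.splitlines():
        if line.startswith("[GNUPG:] "):
            fields = line.split()[1:]
            if fields:
                records.append((fields[0], fields[1:]))
    return records


def find_uploader(status_text, uploaders=UPLOADERS):
    """Return the uploader for a verified signature, or None if not trusted."""
    saw_goodsig = False
    fingerprints = []
    for keyword, args in parse_status(status_text):
        if keyword in FAILURES:
            return None  # any failure keyword rejects the whole upload
        if keyword == "GOODSIG" and args:
            saw_goodsig = True
        elif keyword == "VALIDSIG" and args:
            fingerprints.append(args[0].upper())
    # Require a good signature and exactly one fingerprint to attribute it to.
    if not saw_goodsig or len(fingerprints) != 1:
        return None
    # Match on the fingerprint, never on the user ID text, which anyone can
    # put on a key of their own.
    return uploaders.get(fingerprints[0])
```

A key that is in the keyring but not in the table yields None, so importing a key alone does not make its owner an accepted uploader.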