[Catalog-sig] [Announce] Catalog Server Prototype Updated

Martin v. Loewis martin@loewis.home.cs.tu-berlin.de
Thu, 3 May 2001 23:57:00 +0200

> Can you tell me how to determine the uploader given a signature and a
> list of public keys?

I think you first need to install all public keys in a
keyring. Assuming you use gpg, this should be done with gpg --import.
Then, given the signature and the file, you do

gpg --verify AFoo-1.0.tar.gz.asc AFoo-1.0.tar.gz

It then prints a message like

gpg: Signature made Thu May  3 23:04:07 2001 CEST using DSA key ID DC3E5D42
gpg: Good signature from "Martin v. Loewis <martin@loewis.home.cs.tu-berlin.de>"

There is also a GPG module at http://www.amk.ca/python/code/gpg.html,
which already processes the GPG output. Using the --status-fd option,
you get output that is much better parsable; in my case

[GNUPG:] SIG_ID VptwaSnFDdwDevjjAwD4bbUeWGI 2001-05-03 988923847
[GNUPG:] GOODSIG 10459BC5DC3E5D42 Martin v. Loewis <martin@loewis.home.cs.tu-berlin.de>
[GNUPG:] VALIDSIG E6ACD89306E0F05FA7653FCA10459BC5DC3E5D42 2001-05-03 988923847
[GNUPG:] TRUST_ULTIMATE                                                        

All this can be probably made to work with pgp as well, but you'd have
to figure it out yourself.