/gpg-verify

Trying to figure out how to parse gpg keys.


GPG Verify

Testing code to verify GPG without needing GPG, in Python. The start of this script is derived from this gist with an Apache license. The original license is included here along with the LICENSE. Other interesting libraries include:

  • gpgme using gpgme, which is C or C++ wrappers

Test Environment

First, let's set up a dummy case: create a key, sign something, and then try to verify it. GitHub actually has nice documentation for this. If you already have a key, you can just list your keys:

$ gpg --list-secret-keys --keyid-format LONG

Let's make a file to sign.

$ echo "TACOS?" > tacos.txt

And sign it!

$ gpg --sign tacos.txt

That generates a file with extension gpg. You can try verifying it, just as a sanity check:

$ gpg --verify tacos.txt.gpg 
gpg: Signature made Mon 29 Mar 2021 01:03:01 PM MDT
gpg:                using RSA key 9C48AA932DE7FC1056E6F4768C9BC1XXXXXXXXXX
gpg: Good signature from "dinosaur <dinosaur@dinosaurthings.com>" [ultimate]

Python Verify

Now let's write a script that will read in the binary of the file, and try to verify it. I was at first looking at RedHat's rpm verify and the gpg source code, but I found the best documentation to be the ref standard for it instead.

$ python verify.py tacos.txt.gpg

I've been able to load the packets, but I'm not sure what to do next.
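
As an added example (not the repository's verify.py), here is a minimal packet walker that follows the RFC 4880 header rules: old and new format headers, partial and indeterminate lengths, and descent into ZIP/ZLIB compressed data packets. The names parse_packets and SAMPLE are hypothetical, and SAMPLE is constructed inline rather than taken from real gpg output.

```python
import zlib

def _take(buf, pos, n):
    """Slice n octets at pos, refusing to read past the end of the input."""
    if pos + n > len(buf):
        raise ValueError(f"truncated packet at offset {pos}")
    return buf[pos:pos + n], pos + n

def _new_length(buf, pos):
    """RFC 4880 section 4.2.2 length: returns (length, next_pos, is_partial)."""
    (first,), pos = _take(buf, pos, 1)
    if first < 192:                              # one-octet length
        return first, pos, False
    if 224 <= first < 255:                       # partial body chunk, more follow
        return 1 << (first & 0x1F), pos, True
    raw, pos = _take(buf, pos, 4 if first == 255 else 1)
    extra = ((first - 192) << 8) + 192 if first < 224 else 0
    return int.from_bytes(raw, "big") + extra, pos, False

def parse_packets(buf):
    """Return [(tag, body)] for an OpenPGP stream, descending into compressed data."""
    packets, pos = [], 0
    while pos < len(buf):
        header, pos = buf[pos], pos + 1
        if not header & 0x80:
            raise ValueError(f"offset {pos - 1}: bit 7 clear, not a packet header")
        if header & 0x40:                        # new format, tag in bits 5-0
            tag, body, partial = header & 0x3F, b"", True
            while partial:                       # join partial-length chunks
                length, pos, partial = _new_length(buf, pos)
                chunk, pos = _take(buf, pos, length)
                body += chunk
        else:                                    # old format, tag in bits 5-2
            tag, ltype = (header >> 2) & 0x0F, header & 0x03
            raw, pos = _take(buf, pos, (1, 2, 4, 0)[ltype])   # type 3 has no length field
            length = int.from_bytes(raw, "big") if ltype < 3 else len(buf) - pos
            body, pos = _take(buf, pos, length)
        if tag == 8 and body[:1] in (b"\x01", b"\x02"):       # compressed data: ZIP or ZLIB
            wbits = -15 if body[0] == 1 else 15  # ZIP is raw DEFLATE, ZLIB has a header
            packets += parse_packets(zlib.decompress(body[1:], wbits=wbits))
        else:                                    # other tags and algorithms are kept as-is
            packets.append((tag, body))
    return packets

# Constructed sample (not real gpg output): a literal data packet (tag 11) inside a
# ZIP compressed packet; [2:-4] strips the zlib header and checksum to get raw DEFLATE.
_literal = bytes([0xCB, 13]) + b"b\x00" + bytes(4) + b"TACOS?\n"
SAMPLE = b"\xa3\x01" + zlib.compress(_literal)[2:-4]
```

The literal data body (tag 11) and the signature packet (tag 2) are the inputs to the signature hash computation described in RFC 4880 section 5.2.4.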