@c Copyright (C) 2004 Free Software Foundation, Inc.
@c This is part of the GnuPG manual.
@c For copying conditions, see the file GnuPG.texi.

@c This is included by tools.texi.

@c Begin standard stuff
@section Verify OpenPGP signatures
@code{@gpgvname} is an OpenPGP signature verification tool.

This program is actually a stripped-down version of @code{gpg} which is
only able to check signatures. It is somewhat smaller than the full-blown
@code{gpg} and uses a different (and simpler) way to check that
the public keys used to make the signature are valid. There are
no configuration files and only a few options are implemented.

@code{@gpgvname} assumes that all keys in the keyring are trustworthy.
This also means that it does not check for expired or revoked

If no @code{--keyring} option is given, @code{gpgv} looks for a
``default'' keyring named @file{trustedkeys.kbx} (preferred) or
@file{trustedkeys.gpg} in the home directory of GnuPG, either the
default home directory or the one set by the @code{--homedir} option
or the @code{GNUPGHOME} environment variable. If any @code{--keyring}
option is used, @code{gpgv} will not look for the default keyring. The
@code{--keyring} option may be used multiple times and all specified
keyrings will be used together.
@code{@gpgvname} recognizes these options:

Gives more information during processing. If used
twice, the input data is listed in detail.

Try to be as quiet as possible.

@item --keyring @var{file}
Add @var{file} to the list of keyrings.
If @var{file} begins with a tilde and a slash, these
are replaced by the HOME directory. If the filename
does not contain a slash, it is assumed to be in the
home directory ("~/.gnupg" if --homedir is not used).

@item --output @var{file}
Write output to @var{file}; to write to stdout use @code{-}. This
option can be used to get the signed text from a cleartext or binary
signature; it also works for detached signatures, but in that case
this option is in general not useful. Note that an existing file will

@item --status-fd @var{n}
Write special status strings to the file descriptor @var{n}. See the
file DETAILS in the documentation for a listing of them.

@item --logger-fd @code{n}
Write log output to file descriptor @code{n} and not to stderr.

@item --log-file @code{file}
Same as @option{--logger-fd}, except the logger data is written to
file @code{file}. Use @file{socket://} to log to a socket.

@item --ignore-time-conflict
@opindex ignore-time-conflict
GnuPG normally checks that the timestamps associated with keys and
signatures have plausible values. However, sometimes a signature seems to
be older than the key due to clock problems. This option turns these
checks into warnings.

@include opt-homedir.texi

@item --weak-digest @code{name}
Treat the specified digest algorithm as weak. Signatures made over
weak digest algorithms are normally rejected. This option can be
supplied multiple times if multiple algorithms should be considered
weak. MD5 is always considered weak, and does not need to be listed

@item --enable-special-filenames
@opindex enable-special-filenames
This option enables a mode in which filenames of the form
@file{-&n}, where n is a non-negative decimal number,
refer to the file descriptor n and not to a file with that name.

@mansect return value

The program returns 0 if everything is fine, 1 if at least
one signature was bad, and other error codes for fatal errors.
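
The following wrapper is an added example, not part of the GnuPG manual or
its sources. It combines the exit code described above with the
@option{--status-fd} output and additionally pins the signer's fingerprint,
since @code{@gpgvname} treats every key in the keyring as trustworthy. The
function names, the keyring argument, the fingerprint and the sample status
lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the GnuPG manual. Function names, the keyring
# path and the fingerprints below are constructed for illustration.

# check_status PINNED_FPR: read --status-fd lines on stdin; succeed only if
# a VALIDSIG line names the pinned key and no failure keyword was seen.
check_status() {
    want=$1
    ok=1
    while read -r tag kw fpr rest || [ -n "$tag" ]; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
            VALIDSIG)
                primary=${rest##* }   # last field: primary key fingerprint
                if [ "$fpr" = "$want" ] || [ "$primary" = "$want" ]; then
                    ok=0
                fi ;;
            BADSIG|ERRSIG|NO_PUBKEY|EXPSIG|EXPKEYSIG|REVKEYSIG)
                return 1 ;;
        esac
    done
    return "$ok"
}

# verify_detached KEYRING PINNED_FPR SIGFILE DATAFILE
# KEYRING should contain a slash so it is not looked up in the home directory;
# DATAFILE is always passed so its name is never derived from SIGFILE.
verify_detached() {
    # Any non-zero exit (1 = bad signature, other = fatal error) is a reject.
    status=$(gpgv --keyring "$1" --status-fd 1 "$3" "$4") || return 1
    printf '%s\n' "$status" | check_status "$2"
}

# Constructed status output for an offline demonstration (not a real capture).
PINNED_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_GOOD="[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer
[GNUPG:] VALIDSIG $PINNED_FPR 2024-01-01 1704067200 0 4 0 1 10 00 $PINNED_FPR"
SAMPLE_BAD="[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer"

for sample in "$SAMPLE_GOOD" "$SAMPLE_BAD"; do
    if printf '%s\n' "$sample" | check_status "$PINNED_FPR"; then
        echo "accept"
    else
        echo "reject"
    fi
done
```
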

@item @gpgvname @code{pgpfile}
@itemx @gpgvname @code{sigfile} [@code{datafile}]
Verify the signature of the file. The second form is used for detached
signatures, where @code{sigfile} is the detached signature (either
ASCII-armored or binary) and @code{datafile} contains the signed data;
if @code{datafile} is "-" the signed data is expected on
@code{stdin}; if @code{datafile} is not given the name of the file
holding the signed data is constructed by cutting off the extension
(".asc", ".sig" or ".sign") from @code{sigfile}.

@subsection Environment

Used to locate the default home directory.

If set, this directory is used instead of "~/.gnupg".

@item ~/.gnupg/trustedkeys.gpg
The default keyring with the allowed keys.

@include see-also-note.texi