
I'd like to create a script that downloads and GPG-verifies files for my docker image. From the Apache docs I see that for verification I need to do:

gpg --import KEYS
gpg --verify downloaded_file.tgz.asc downloaded_file.tgz

I'd like to omit the first step as it changes "some files somewhere". The reason here is I'd like to keep the docker image as untouched as possible. I'd prefer simply calling something like: gpg --using-keys KEYS --verify file.tgz.asc file.tgz. Is it possible?


I've tried using --no-default-keyring --keyring KEYS as mentioned here, but I can't interpret the output correctly (it prints Can't check signature: public key not found. When I remove the --no-default-keyring the output seems fine, but I've previously imported the KEYS file and don't know how to unimport it to see the clear result).

The KEYS, .tgz and .tgz.asc files are from Apache Kafka.

kub1x
    Keys must be imported into a keychain in order to be used (post mentions private key but this also applies to public key) https://lists.gnupg.org/pipermail/gnupg-users/2016-February/055351.html - storing keys in a database or in variables is an inconceivable use case according to the GnuPG team. – Ashley Sep 06 '17 at 19:49
  • What's the output of `gpg --no-default-keyring --keyring KEYS --list-keys`? – Jens Erat Sep 07 '17 at 20:02

1 Answer

I am a newbie to gpg so take this with a grain of salt, but something like this works for me well enough. Tested on Debian and with gpg (GnuPG) 2.1.18:

test.asc is a public key which we do not want to import, test.tar.bz2.asc is a file signature signed with the above public key, test.tar.bz2 is the file for signature verification. First I dearmor the keys, then use them to verify the file signature:

gpg --dearmor ./test.asc
gpg --dearmor ./test.tar.bz2.asc
gpg --dry-run --no-default-keyring --keyring ./test.asc.gpg --homedir ./ --verify ./test.tar.bz2.asc.gpg ./test.tar.bz2

Of course gpg complains that the signature is not trusted and creates a trustdb in the current folder:

gpg: WARNING: unsafe permissions on homedir '/tmp/./'
gpg: Signature made Mi 24 Apr 2019 21:52:46 CEST
gpg:                using RSA key xxxxxxxxxxxxxxxx
gpg: /tmp/.//trustdb.gpg: trustdb created
gpg: Good signature from "example security <security@example.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: xxxx xxxx xxxx xxxx xxxx  xxxx xxxx xxxx xxxx xxxx

but this fails afterwards:

gpg --dry-run  --homedir ./ --verify ./test.tar.bz2.asc.gpg ./test.tar.bz2
gpg --dry-run  --verify ./test.tar.bz2.asc.gpg ./test.tar.bz2
gpg --verify ./test.tar.bz2.asc.gpg ./test.tar.bz2

So I assume that the key was not imported into the usual key db.

pawelw
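As an added example (not code from the question or the answer), a POSIX shell function that takes the answer's idea one step further: every file gpg wants to write (the imported KEYS, the trustdb) goes into a throwaway --homedir that is deleted before the function returns, so the image's own ~/.gnupg is never read or modified, and the caller can optionally pin the expected primary-key fingerprint instead of accepting any key that happens to be in KEYS. It uses --import into the disposable home rather than the answer's --dearmor/--keyring pair (either works there); the file names and the fingerprint argument are assumptions.

```shell
#!/bin/sh
# verify_download KEYS FILE.asc FILE [EXPECTED_FINGERPRINT]
# Checks a detached, ASCII-armored signature against the keys in KEYS without
# touching the default keyring: the imported keys and the trustdb that gpg
# insists on creating go into a throwaway --homedir that is removed before the
# function returns. Exit status: 0 = good signature from a key in KEYS (and
# from EXPECTED_FINGERPRINT when given), 1 = bad or unverifiable signature,
# 2 = usage or setup error.
verify_download() {
    keys=$1 sig=$2 file=$3 want=${4:-}
    for f in "$keys" "$sig" "$file"; do
        [ -f "$f" ] || { echo "verify_download: missing $f" >&2; return 2; }
    done
    home=$(mktemp -d) || return 2
    chmod 700 "$home"   # avoids gpg's "unsafe permissions on homedir" warning
    # Import only into the throwaway home; the image's own ~/.gnupg is never
    # read or written. (The answer's --dearmor/--keyring pair works here too.)
    if ! gpg --homedir "$home" --batch --quiet --import "$keys" 2>/dev/null; then
        rm -rf "$home"; return 2
    fi
    # --status-fd 1 gives machine-readable lines; parse those rather than the
    # human-readable (and locale-dependent) "Good signature" text.
    status=$(gpg --homedir "$home" --batch --status-fd 1 \
                 --verify "$sig" "$file" 2>/dev/null)
    rc=$?
    gpgconf --homedir "$home" --kill all >/dev/null 2>&1 || true  # stop helper daemons
    rm -rf "$home"
    [ "$rc" -eq 0 ] || return 1
    # The last field of VALIDSIG is the primary-key fingerprint of the signer.
    fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{f=$NF} END{print f}')
    [ -n "$fpr" ] || return 1
    # Pinning the fingerprint turns "some key in KEYS signed it" into "the
    # expected release key signed it"; KEYS alone is only as trustworthy as
    # the path it was downloaded over.
    if [ -n "$want" ]; then
        [ "$fpr" = "$(printf '%s' "$want" | tr -d ' ' | tr a-f A-F)" ] || return 1
    fi
    return 0
}
```

Call it as `verify_download KEYS kafka.tgz.asc kafka.tgz "<fingerprint published by the project>"` in the Dockerfile build step and let a non-zero status fail the build.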