Verify GPG file signature with Perl

Published 2019-08-09 07:44

Question:

I want to verify a GPG signed file (Verify archive.tar.gz with archive.tar.gz.sign).

ATM I simply call gpg directly and parse the exit code and output. While this is a works-for-me solution, I figure there must be a nicer way to do this in a more perlish way.

But as a programming novice I fail to understand how I can use the GPG CPAN modules.

Any hints are much appreciated!

Answer 1:

The GnuPG module on CPAN contains this in the synopsis:

use GnuPG qw( :algo );
my $gpg = new GnuPG();
$gpg->verify( signature => "file.txt.asc", file => "file.txt" );

It seems very clean.



Answer 2:

The Crypt::OpenPGP module may be of help. It's a pure Perl implementation of the OpenPGP spec.

DESCRIPTION

Crypt::OpenPGP is a pure-Perl implementation of the OpenPGP standard. In addition to support for the standard itself, Crypt::OpenPGP claims compatibility with many other PGP implementations, both those that support the standard and those that preceded it.

Crypt::OpenPGP provides signing/verification, encryption/decryption, keyring management, and key-pair generation; in short it should provide you with everything you need to PGP-enable yourself.

Here's an example of using it to verify a file:

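use Crypt::OpenPGP;

my $pgp = Crypt::OpenPGP->new;

# Verify the detached signature $signature, which should be of the
# source file $file.
# verify returns undef on error (see $pgp->errstr), 0 for an invalid
# signature, and a true value when the signature is valid.
my $is_valid = $pgp->verify(
    Signature  => $signature,
    Files      => [ $file ],
);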
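
The approach the question describes (calling gpg and checking its result), as an added example that is not part of the original question or answers: it reads gpg's machine-readable `--status-fd` lines instead of the human-readable output and accepts only a VALIDSIG for a pinned fingerprint. It assumes gpg is on the PATH, the signer's public key is already in the keyring, and the expected fingerprint was obtained out of band; the function names and the `verify.pl` script name are hypothetical.

```perl
use strict;
use warnings;

# Accept only when gpg reported VALIDSIG for the pinned fingerprint and no
# failure status. Exit code 0 alone means "good signature from some key in
# the keyring", not "signed by the key I expect".
sub signature_ok {
    my ($pinned_fpr, @status) = @_;
    my $valid = 0;
    for my $line (@status) {
        next unless $line =~ /^\[GNUPG:\] (\S+)(?: (.*))?$/;
        my ($keyword, @args) = ($1, split ' ', $2 // '');
        return 0 if $keyword =~ /^(?:BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/;
        # VALIDSIG: first field is the signing key's fingerprint, the last
        # field is the primary key's fingerprint.
        $valid = 1 if $keyword eq 'VALIDSIG' && @args
            && grep { uc($_) eq uc($pinned_fpr) } @args[0, -1];
    }
    return $valid;
}

sub verify_detached {
    my ($sig, $file, $pinned_fpr) = @_;
    # List-form pipe open: no shell is involved, so file names are passed verbatim.
    open(my $gpg, '-|', 'gpg', '--batch', '--status-fd', '1', '--verify', '--', $sig, $file)
        or die "cannot run gpg: $!";
    chomp(my @status = <$gpg>);
    close $gpg;    # sets $? to gpg's exit status
    return ($? == 0 && signature_ok($pinned_fpr, @status)) ? 1 : 0;
}

# Constructed sample status lines; the fingerprints are placeholders, not real keys.
my ($fpr, $other) = ('A' x 40, 'B' x 40);
my $tail = '2019-08-09 1565336640 0 4 0 1 8 00';
my %samples = (
    'pinned key' => ["[GNUPG:] NEWSIG", "[GNUPG:] VALIDSIG $fpr $tail $fpr"],
    'other key'  => ["[GNUPG:] NEWSIG", "[GNUPG:] VALIDSIG $other $tail $other"],
    'tampered'   => ["[GNUPG:] NEWSIG", "[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Example Signer"],
);
for my $name (sort keys %samples) {
    printf "%-11s %s\n", $name, signature_ok($fpr, @{ $samples{$name} }) ? 'accept' : 'reject';
}

# Real use: perl verify.pl archive.tar.gz.sign archive.tar.gz <40-hex fingerprint>
if (@ARGV == 3) {
    exit(verify_detached(@ARGV) ? 0 : 1);
}
```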


Tags: perl gnupg