Verify GPG tarballs from command line with signer's public key block?

Solution 1:

We have to import the keys before checking the signature.

$ gpg --import gpg-signers.pem
gpg: key 4F25E3B6: public key "Werner Koch (dist sig)" imported
$ gpg --verify libassuan-2.2.0.tar.bz2.sig libassuan-2.2.0.tar.bz2
gpg: Signature made Thu 11 Dec 2014 21:13:07 JST using RSA key ID 4F25E3B6
gpg: Good signature from "Werner Koch (dist sig)"

If we don't want the keys to be stored in the local database permanently, use a disposable keyring.

$ gpg --no-default-keyring --keyring 1.keyring --import gpg-signers.pem
gpg: keyring 1.keyring created
...
$ gpg --no-default-keyring --keyring 1.keyring --verify ...
...
$ trash 1.keyring

By design, we receive keys out-of-band.

Though not as convenient as HTTPS, we can download Werner Koch's public key by gpg --recv-key 4F25E3B6. This command works out of the box on many distros with a preconfigured keyserver. It is easy to write a script that looks into a signature file and automatically downloads the key the person who issued this signature used. But the decision is still left to us, to determine whether or not to trust the person.
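As an added example that is not part of the original answer (and not GnuPG project code), here is a POSIX sh script that automates the disposable-keyring workflow described above. It differs in two places from the interactive commands shown: the import goes into a throwaway `--homedir` (which also isolates the trustdb) instead of a `--keyring` file, and it reads GnuPG's `--status-fd` output instead of a human reading "Good signature", so the script itself decides the outcome. It also pins the signer's fingerprint, which is the trust decision the answer says is left to us. The throwaway key, the user ID `demo@example.invalid`, the sample "tarball" bytes and file names are all constructed for the demo; `verify_tarball`, `make_demo_fixture` and `demo_main` are names chosen here.

```shell
#!/bin/sh
# Added example: verify a detached GPG signature on a tarball with a disposable
# GnuPG home directory, then check that the signing key is the one we chose to
# trust out-of-band. Not part of the original answer.
#
# verify_tarball KEYFILE SIGFILE TARBALL EXPECTED_FINGERPRINT returns:
#   0  signature valid and made by the expected key
#   1  signature invalid (or no VALIDSIG reported at all)
#   2  setup problem (temp dir or key import failed)
#   3  signature valid, but made by a key other than the expected one
verify_tarball() {
    keyfile=$1 sigfile=$2 tarball=$3 expected_fpr=$4
    tmphome=$(mktemp -d) || return 2          # throwaway keyring + trustdb
    gpg --homedir "$tmphome" --batch --quiet --import "$keyfile" >/dev/null 2>&1 \
        || { rm -rf "$tmphome"; return 2; }
    # Machine-readable status lines go to stdout; human-readable text stays on stderr.
    status=$(gpg --homedir "$tmphome" --batch --status-fd 1 \
                 --verify "$sigfile" "$tarball" 2>/dev/null) || :
    rm -rf "$tmphome"
    # VALIDSIG is only emitted for a cryptographically good signature. Field 3 is the
    # fingerprint of the key that actually signed (possibly a subkey); field 12 is the
    # primary key's fingerprint, so either may be the one published by the project.
    got=$(printf '%s\n' "$status" \
          | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3, $12; exit }')
    [ -n "$got" ] || return 1
    want=$(printf '%s' "$expected_fpr" | tr '[:lower:]' '[:upper:]' | tr -d ' ')
    for f in $got; do
        [ "$f" = "$want" ] && return 0
    done
    return 3
}

# Builds a constructed fixture: a fake "tarball", a detached signature made by a
# throwaway key, the exported public key block, and the key's fingerprint.
# Prints the fixture directory on success.
make_demo_fixture() {
    dir=$(mktemp -d) || return 1
    home="$dir/signer-home"
    mkdir -m 700 "$home" || return 1
    printf 'constructed sample bytes standing in for a release tarball\n' \
        > "$dir/demo-1.0.tar.bz2"
    gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer (throwaway) <demo@example.invalid>' \
        default default 0 >/dev/null 2>&1 || return 1
    gpg --homedir "$home" --batch --quiet --yes --detach-sign \
        --output "$dir/demo-1.0.tar.bz2.sig" "$dir/demo-1.0.tar.bz2" >/dev/null 2>&1 || return 1
    gpg --homedir "$home" --batch --quiet --armor --export demo@example.invalid \
        > "$dir/demo-signers.asc" 2>/dev/null || return 1
    gpg --homedir "$home" --batch --with-colons --list-keys demo@example.invalid 2>/dev/null \
        | awk -F: '/^fpr:/ { print $10; exit }' > "$dir/fingerprint"
    gpgconf --homedir "$home" --kill gpg-agent >/dev/null 2>&1 || :
    printf '%s\n' "$dir"
}

demo_main() {
    d=$(make_demo_fixture) || { echo "fixture generation failed (gpg >= 2.1 needed)"; return 1; }
    fpr=$(cat "$d/fingerprint")
    verify_tarball "$d/demo-signers.asc" "$d/demo-1.0.tar.bz2.sig" "$d/demo-1.0.tar.bz2" "$fpr"
    echo "untouched tarball, expected signer:   rc=$?"
    verify_tarball "$d/demo-signers.asc" "$d/demo-1.0.tar.bz2.sig" "$d/demo-1.0.tar.bz2" \
        0000000000000000000000000000000000000000
    echo "untouched tarball, unexpected signer: rc=$?"
    printf 'x' >> "$d/demo-1.0.tar.bz2"            # simulate a modified download
    verify_tarball "$d/demo-signers.asc" "$d/demo-1.0.tar.bz2.sig" "$d/demo-1.0.tar.bz2" "$fpr"
    echo "tampered tarball:                     rc=$?"
    rm -rf "$d"
}

if command -v gpg >/dev/null 2>&1; then demo_main; fi
```

The exit status of a bare `gpg --verify` is 0 whenever the signature is good, even when the key is completely untrusted (gpg only prints a WARNING about that), so a script that stops at the exit code has verified integrity but not origin. Comparing the `VALIDSIG` fingerprint against one obtained out-of-band is what turns "good signature" into "signed by whom we expected"; checking both the signing-key and primary-key fields covers projects whose release key is a signing subkey.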