Verify that a GPG-encrypted file is signed by particular user(s)
I've got a file encrypted and signed by GPG.
In the man page for gpg, for the --decrypt option, it says:

> If the decrypted file is signed, the signature is also verified.
I'd like to do more than just verify that a signature is valid "if the file is signed"—I'd like to:
- Check that the file is signed
- Check that the signature is from a particular user or subset of users in my keyring
What gpg command can be used to do this?
The --decrypt option already does most of that.

```
$ gpg --decrypt < test.gpg
gpg: encrypted with 4096-bit RSA key, ID CE7B5510340F19EF, created 2009-10-31
      "grawity <[email protected]>"
The WELL (or Whole Earth 'Lectronic Link) is an example of the latest thing in frontier villages, the computer bulletin board. In this kind of small town, Main Street is a central minicomputer to which (in the case of the WELL) as many as 64 microcomputers may be connected at one time by phone lines and little blinking boxes called modems.
gpg: Signature made 2015-05-15T07:52:55 EEST
gpg:                using RSA key D24F6CB2C1B52632
gpg: Good signature from "grawity <[email protected]>" [ultimate]
gpg:                 aka "grawity <[email protected]>" [ultimate]
```
For machine-readable information, you can use --status-fd.

```
[GNUPG:] ENC_TO CE7B5510340F19EF 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] PLAINTEXT 62 1431665575
[GNUPG:] NEWSIG
[GNUPG:] SIG_ID 8AaWsnfpINFLIVjEqk665x7fuKA 2015-05-15 1431665575
[GNUPG:] GOODSIG D24F6CB2C1B52632 grawity <[email protected]>
[GNUPG:] NOTATION_NAME [email protected]
[GNUPG:] NOTATION_DATA 2357E10CEF4F7ED27E233AD5D24F6CB2C1B52632
[GNUPG:] VALIDSIG 2357E10CEF4F7ED27E233AD5D24F6CB2C1B52632 2015-05-15 1431665575 0 4 0 1 10 00 2357E10CEF4F7ED27E233AD5D24F6CB2C1B52632
[GNUPG:] TRUST_ULTIMATE
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
```
Both GOODSIG and VALIDSIG here mean that the signature was checked, and TRUST_* correspond to the certification levels of that key. For example, keys you have signed (or lsigned) directly will have TRUST_FULL.
You can wrap this in a script that would check the fingerprint in VALIDSIG against a key whitelist, or just rely on the key trust model.
Note that you cannot check if a file is signed without decrypting it first, as PGP uses sign-before-encrypt.
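The answer suggests wrapping --status-fd output in a script that compares the VALIDSIG fingerprint against a key whitelist. The following is an added example of such a wrapper; it is not code from the answer above or from GnuPG. It parses the status-line format shown in the answer (the sample lines embedded below are constructed from that output), refuses anything gpg reports as BADSIG/ERRSIG/EXPSIG/EXPKEYSIG/REVKEYSIG, and then matches the full fingerprints from VALIDSIG (signing subkey and, when present, primary key) against an allowlist. It deliberately ignores the short key id in GOODSIG, since only the full fingerprint identifies a key unambiguously. The `decrypt_and_verify` helper, which actually invokes gpg, is an assumption about how you would wire this up with `--status-fd 1` and `--output`; because gpg decrypts before it can verify (sign-before-encrypt, as the answer notes), the plaintext is already on disk and the caller must discard it when the check fails.

```python
"""Accept a gpg --decrypt result only if it carries a good signature from an allow-listed key."""
import subprocess
from typing import Iterable, List, Set, Tuple

STATUS_PREFIX = "[GNUPG:] "

# Status keywords that mean a signature was present but must not be accepted.
BAD_SIG_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed sample: the status lines quoted in the answer, one per line
# (the user id is shown as it appears on the page).
SAMPLE_STATUS = """\
[GNUPG:] ENC_TO CE7B5510340F19EF 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9
[GNUPG:] PLAINTEXT 62 1431665575
[GNUPG:] NEWSIG
[GNUPG:] SIG_ID 8AaWsnfpINFLIVjEqk665x7fuKA 2015-05-15 1431665575
[GNUPG:] GOODSIG D24F6CB2C1B52632 grawity <[email protected]>
[GNUPG:] VALIDSIG 2357E10CEF4F7ED27E233AD5D24F6CB2C1B52632 2015-05-15 1431665575 0 4 0 1 10 00 2357E10CEF4F7ED27E233AD5D24F6CB2C1B52632
[GNUPG:] TRUST_ULTIMATE
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
"""

# Allowlist of full fingerprints (constructed: the one from the sample above).
ALLOWED_FINGERPRINTS = {"2357E10CEF4F7ED27E233AD5D24F6CB2C1B52632"}


def parse_status(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Split '[GNUPG:] KEYWORD args...' lines into (keyword, args); ignore anything else."""
    records = []
    for line in lines:
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if fields:
            records.append((fields[0], fields[1:]))
    return records


def check_signature(status_lines: Iterable[str], allowed_fingerprints: Set[str]) -> Tuple[bool, str]:
    """Return (accepted, reason) for one gpg --decrypt run.

    Accepted only if decryption completed, gpg reported GOODSIG plus VALIDSIG, no
    bad-signature keyword appeared, and a VALIDSIG fingerprint is on the allowlist.
    """
    allowed = {fpr.upper() for fpr in allowed_fingerprints}
    decryption_ok = False
    seen_goodsig = False
    valid_fingerprints: Set[str] = set()
    for keyword, args in parse_status(status_lines):
        if keyword in BAD_SIG_KEYWORDS:
            return False, f"signature rejected by gpg: {keyword}"
        if keyword == "DECRYPTION_OKAY":
            decryption_ok = True
        elif keyword == "GOODSIG":
            seen_goodsig = True
        elif keyword == "VALIDSIG" and args:
            # args[0] is the signing (sub)key fingerprint; args[9], when present,
            # is the primary key fingerprint. Both are acceptable allowlist matches.
            valid_fingerprints.add(args[0].upper())
            if len(args) > 9:
                valid_fingerprints.add(args[9].upper())
    if not decryption_ok:
        return False, "decryption did not complete"
    if not (seen_goodsig and valid_fingerprints):
        return False, "file is not signed (no GOODSIG/VALIDSIG)"
    matched = valid_fingerprints & allowed
    if not matched:
        return False, "signed, but not by an allow-listed key"
    return True, "signed by " + ", ".join(sorted(matched))


def decrypt_and_verify(encrypted_path: str, output_path: str,
                       allowed_fingerprints: Set[str]) -> Tuple[bool, str]:
    """Run gpg with status lines on stdout and plaintext written to output_path (assumed wiring).

    gpg writes the plaintext before the signature result is known, so remove
    output_path yourself whenever the returned flag is False.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--output", output_path,
         "--decrypt", encrypted_path],
        capture_output=True, text=True, check=False,
    )
    return check_signature(proc.stdout.splitlines(), allowed_fingerprints)


if __name__ == "__main__":
    print(check_signature(SAMPLE_STATUS.splitlines(), ALLOWED_FINGERPRINTS))
```

Relying on an explicit fingerprint allowlist rather than the TRUST_* level keeps the decision independent of whatever trust database happens to be on the machine doing the decryption, which is usually what a "signed by one of these users" check really wants.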