1

I want to verify a GPG signed file (Verify archive.tar.gz with archive.tar.gz.sign).

ATM I simply call gpg directly and parse the exit code and output. While this is a works-for-me solution, I figure there must be a nicer way to do this in a more perlish way.

But as a programming novice I fail to understand how I can use the GPG CPAN modules.

Any hints are much appreciated!

scrumpy
  • What don't you understand? How to download the CPAN module itself, or how to use it once it has been installed? What have you tried? – Sdaz MacSkibbons Mar 06 '11 at 16:17
  • I tried it with three different modules. With [GnuPG](http://search.cpan.org/~frajulac/GnuPG-0.09/) and the following code: `use strict; use warnings; use GnuPG qw( :algo ); my $gpg = new GnuPG(); my $sig = $gpg->verify( signature => "linux-2.6.32.31.tar.bz2.sign", file => "linux-2.6.32.31.tar.bz" );` – scrumpy Mar 06 '11 at 17:36
  • ... and what does it do, and what do you expect it to do? You keep basically saying "it doesn't work", which is not helpful. It works lovely here. It `croak`s if the signature verification fails; otherwise, you should print out the contents of your `$sig` hashref variable there. (You should note, though, that in trying to find the identical kernel version, I noticed that kernel 2.6.32 only appeared to go up to 2.6.32.27...) – Sdaz MacSkibbons Mar 07 '11 at 02:12

2 Answers

4

The GnuPG module on CPAN contains this in the synopsis:

```perl
use GnuPG qw( :algo );

my $gpg = new GnuPG();
# verify() croaks if the signature check fails
$gpg->verify( signature => "file.txt.asc", file => "file.txt" );
```

It seems very clean.

Tim
0

The Crypt::OpenPGP module may be of help. It's a pure Perl implementation of the OpenPGP spec.

DESCRIPTION

Crypt::OpenPGP is a pure-Perl implementation of the OpenPGP standard. In addition to support for the standard itself, Crypt::OpenPGP claims compatibility with many other PGP implementations, both those that support the standard and those that preceded it.

Crypt::OpenPGP provides signing/verification, encryption/decryption, keyring management, and key-pair generation; in short it should provide you with everything you need to PGP-enable yourself.

Here's an example of using it to verify a file:

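```perl
use Crypt::OpenPGP;

my $pgp = Crypt::OpenPGP->new;

# Verify the detached signature $signature, which should be of the
# source file $file.
# The result is true for a valid signature, 0 for an invalid one, undef on error.
my $is_valid = $pgp->verify(
    Signature  => $signature,
    Files      => [ $file ],
);
```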
HoldOffHunger
Brian Minton
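
The question describes calling gpg directly and parsing its exit code and output. As an added example (not code from the question or from either answer), the sketch below does that against gpg's machine-readable `--status-fd` lines rather than its human-readable text, and checks which key signed instead of only that some key in the keyring did. It assumes `gpg` is on the PATH; the script name `verify.pl`, the pinned fingerprint argument and the sample status lines are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Status keywords that must never be accepted as a successful verification.
my %FATAL = map { $_ => 1 } qw(BADSIG ERRSIG EXPSIG EXPKEYSIG REVKEYSIG NO_PUBKEY);

# Return the signer's primary-key fingerprint, or undef unless the status lines
# show exactly one good, valid signature and no failure keyword.
sub signer_from_status {
    my ($good, @fprs) = (0);
    for my $line (@_) {
        next unless $line =~ /^\[GNUPG:\] (\S+)(?: (.*))?$/;
        my ($keyword, @args) = ($1, split ' ', $2 // '');
        return undef if $FATAL{$keyword};
        $good++ if $keyword eq 'GOODSIG';
        # VALIDSIG: field 1 is the signing key's fingerprint; field 10, when
        # present, is the primary key's fingerprint.
        push @fprs, uc($args[9] // $args[0]) if $keyword eq 'VALIDSIG' && @args;
    }
    return ($good == 1 && @fprs == 1) ? $fprs[0] : undef;
}

# Run gpg without a shell and compare the signer with a pinned fingerprint.
sub verify_detached {
    my ($sig_path, $file_path, $pinned_fpr) = @_;
    open(my $gpg, '-|', 'gpg', '--batch', '--status-fd', '1',
         '--verify', '--', $sig_path, $file_path) or die "cannot run gpg: $!";
    my @status = <$gpg>;
    close $gpg;                # sets $? to gpg's exit status
    my $exit = $?;
    my $fpr  = signer_from_status(@status);
    return $exit == 0 && defined $fpr && $fpr eq uc $pinned_fpr;
}

if (@ARGV == 3) {
    # perl verify.pl archive.tar.gz.sign archive.tar.gz <pinned fingerprint>
    exit(verify_detached(@ARGV) ? 0 : 1);
}

# No arguments: run the parser over constructed status lines (made-up key).
my $FPR  = 'AAAABBBBCCCCDDDDEEEEFFFF0000111122223333';
my @good = ('[GNUPG:] NEWSIG',
            '[GNUPG:] GOODSIG 0000111122223333 Example Signer <signer@example.org>',
            "[GNUPG:] VALIDSIG $FPR 2011-03-06 1299369600 0 4 0 1 8 00 $FPR");
my @bad  = ('[GNUPG:] NEWSIG',
            '[GNUPG:] BADSIG 0000111122223333 Example Signer <signer@example.org>');
printf "good sample: %s\n", signer_from_status(@good) // 'rejected';
printf "bad sample:  %s\n", signer_from_status(@bad)  // 'rejected';
```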