5

I am trying to write a bash script that checks if a given signature is valid or not. I have two possible outputs from:

$ gpg --no-default-keyring --keyring /etc/pubring.gpg  --verify file.tgz.sig file.tgz

WRONG

gpg: Signature made Tue 05 Apr 2011 11:01:19 CEST using RSA key ID E32804F0
gpg: Can't check signature: public key not found

RIGHT

gpg: Signature made Tue 05 Apr 2011 11:01:19 CEST using RSA key ID E32804F0
gpg: Good signature from "Test key <test@localhost>"

How can I detect if the checking was right without having to parse the result?

This question is similar to Verify GPG file signature with Perl, but I would like to do that in bash (or, if really needed, Python).

Eric

2 Answers

8

I don't know the gpg command but does it return a different exit value for the "wrong" and "right" results? The easiest way to check this after running the command would be:

echo $?

I would expect it to return 0 if everything is OK and something else if not. So your bash script would look like:

gpg --no-default-keyring --keyring /etc/pubring.gpg --verify file.tgz.sig file.tgz

if [ $? -eq 0 ]
then
    echo All is well.
else
    echo Problem with signature.
fi
David Webb
  • isn't that just the same as `gpg --no-default-keyring --keyring /etc/pubring.gpg --verify file.tgz.sig file.tgz && echo All is well || echo Problem with signature`? or w/ if: `if gpg --no-default-keyring --keyring /etc/pubring.gpg --verify file.tgz.sig file.tgz; then echo All is well ; else echo Problem with signature ; fi` – nonchip Aug 07 '12 at 11:01
  • But who would expect a return value of `2`?? I ran `gpg --verify geckodriver-v0.32.2-linux64.tar.gz.asc ` for example which shows a valid RSA key. This seems to happen if you have not imported the public key. To do so, see https://stackoverflow.com/a/55088831/3625433 – lacostenycoder Mar 02 '23 at 21:57
1

From the GnuPG man page:

The program returns 0 if everything was fine, 1 if at least a signature was bad, and other error codes for fatal errors.

So you can use http://docs.python.org/library/subprocess.html to get the return code of gpg.
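
As an added example (not code from either answer), here is a POSIX shell function that decides on gpg's exit status as the answers suggest, and goes one step further by optionally pinning the signer through gpg's machine-readable `--status-fd` lines. `verify_sig`, `GPG_BIN`, `KEYRING` and `EXPECTED_FPR` are names assumed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. GPG_BIN, KEYRING and EXPECTED_FPR are
# assumed names; GPG_BIN is overridable so the logic can be run against a stub.
GPG_BIN=${GPG_BIN:-gpg}
KEYRING=${KEYRING:-/etc/pubring.gpg}
EXPECTED_FPR=${EXPECTED_FPR:-}   # optional: full fingerprint (uppercase hex, no spaces)

# verify_sig SIGFILE DATAFILE
# Prints good | wrong-signer | bad | error; returns 0 only for "good".
verify_sig() {
    # --status-fd 1 sends the "[GNUPG:] ..." status lines to stdout; the
    # human-readable text stays on stderr and is discarded.
    # "|| vs_rc=$?" keeps the capture safe when the caller runs under set -e.
    vs_rc=0
    vs_status=$("$GPG_BIN" --no-default-keyring --keyring "$KEYRING" \
        --status-fd 1 --verify "$1" "$2" 2>/dev/null) || vs_rc=$?
    case $vs_rc in
        0) ;;                               # everything was fine
        1) echo bad;   return 1 ;;          # at least one signature was bad
        *) echo error; return "$vs_rc" ;;   # e.g. 2: public key not found
    esac
    # Exit 0 only says "signed by some key in this keyring". If a signer is
    # pinned, require a VALIDSIG line whose signing-key fingerprint (field 3)
    # or primary-key fingerprint (last field) matches it.
    if [ -n "$EXPECTED_FPR" ] && ! printf '%s\n' "$vs_status" |
        awk -v f="$EXPECTED_FPR" '
            # appending "" forces a string comparison
            $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
                ($3 "" == f "" || $NF "" == f "") { ok = 1 }
            END { exit !ok }'
    then
        echo wrong-signer; return 3
    fi
    echo good
}
```

Typical use in a script: `if verify_sig file.tgz.sig file.tgz >/dev/null; then ...; fi`.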