Signature Verification

Essentially there are two principal methods of verification of a signature. The first of these is for use with the normal or default signing method and for clear-signed messages. The second is for use with files and data with detached signatures.

The following example is intended for use with the default signing method where the file was not ASCII armoured:

import gpg
import time

filename = "statement.txt"
gpg_file = "statement.txt.gpg"

c = gpg.Context()

try:
    data, result = c.verify(open(gpg_file))
    verified = True
except gpg.errors.BadSignatures as e:
    verified = False
    print(e)

if verified is True:
    for i in range(len(result.signatures)):
        sign = result.signatures[i]
        print("""Good signature from:
{0}
with key {1}
made at {2}
""".format(c.get_key(sign.fpr).uids[0].uid,
           sign.fpr, time.ctime(sign.timestamp)))
else:
    pass

Whereas this next example, which is almost identical would work with normal ASCII armoured files and with clear-signed files:

import gpg
import time

filename = "statement.txt"
asc_file = "statement.txt.asc"

c = gpg.Context()

try:
    data, result = c.verify(open(asc_file))
    verified = True
except gpg.errors.BadSignatures as e:
    verified = False
    print(e)

if verified is True:
    for i in range(len(result.signatures)):
        sign = result.signatures[i]
        print("""Good signature from:
{0}
with key {1}
made at {2}
""".format(c.get_key(sign.fpr).uids[0].uid,
           sign.fpr, time.ctime(sign.timestamp)))
else:
    pass

In both of the previous examples it is also possible to compare the original data that was signed against the signed data in data to see if it matches with something like this:

with open(filename, "rb") as afile:
    text = afile.read()

if text == data:
    print("Good signature.")
else:
    pass

The following two examples, however, deal with detached signatures. With his method of verification the data that was signed does not get returned since it is already being explicitly referenced in the first argument of c.verify. So data is None and only the information in result is available.

import gpg
import time

filename = "statement.txt"
sig_file = "statement.txt.sig"

c = gpg.Context()

try:
    data, result = c.verify(open(filename), open(sig_file))
    verified = True
except gpg.errors.BadSignatures as e:
    verified = False
    print(e)

if verified is True:
    for i in range(len(result.signatures)):
        sign = result.signatures[i]
        print("""Good signature from:
{0}
with key {1}
made at {2}
""".format(c.get_key(sign.fpr).uids[0].uid,
           sign.fpr, time.ctime(sign.timestamp)))
else:
    pass

import gpg
import time

filename = "statement.txt"
asc_file = "statement.txt.asc"

c = gpg.Context()

try:
    data, result = c.verify(open(filename), open(asc_file))
    verified = True
except gpg.errors.BadSignatures as e:
    verified = False
    print(e)

if verified is not None:
    for i in range(len(result.signatures)):
        sign = result.signatures[i]
        print("""Good signature from:
{0}
with key {1}
made at {2}
""".format(c.get_key(sign.fpr).uids[0].uid,
           sign.fpr, time.ctime(sign.timestamp)))
else:
    pass