Verifying a GPG signature using a specific public key with GPGME in C / C++


I have a C++ program that needs to verify the signature of a file that has been signed with GPG using a specific private key. Using GPGME I have successfully written a program that verifies that the given file has been properly signed with a private key corresponding to one of the public keys in the GPG keyring.

Now I would like my program to verify the file using a public key that is hard coded inside my program instead of just verifying the signature using one of the public keys available in the GPG keyring.

I want my program (that will be installed on someone else's computer) to be able to verify that the file really comes from me. If it does the verify operation by using the list of public keys in the GPG keyring of the user's computer, it seems like that user could just re-sign my file with his own private key and my program would validate the file's signature even though I didn't sign it.

Is there any way of achieving this with GPGME? Any help is greatly appreciated.


1 answer

Answered by Kevin Salvesen:

While not exactly the solution to my problem, I solved this by checking the fingerprint of the public key that has been used to verify the signed file. I can hard code the fingerprint of my public key in my program and can use GPGME to import my public key into GPG if it isn't already there.

In GPGME the fingerprint can be gotten from a gpgme_signature_t gotten by a gpgme_op_verify_result(...) call (see documentation).

GPG can display the fingerprint of your public key with the following command: gpg --fingerprint
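The check the answer describes, written out as an added example in C (this is not Kevin Salvesen's code, nor part of GPGME). It verifies a detached signature with gpgme_op_verify, reads the signing key's fingerprint from the gpgme_op_verify_result signature list, and compares it with a fingerprint compiled into the program. The PINNED_FPR value, the file names, and the -DHAVE_GPGME build switch are assumptions of this example; the GPGME calls themselves (gpgme_check_version, gpgme_new, gpgme_data_new_from_file, gpgme_op_verify, gpgme_op_verify_result, gpgme_get_key) are the library's real API.

```c
/* Added example, not code from the question or the answer: verify a
 * detached OpenPGP signature with GPGME and accept it only when the
 * signing key's primary fingerprint equals one pinned in the binary.
 * Build: cc -DHAVE_GPGME $(gpgme-config --cflags) pinned_verify.c $(gpgme-config --libs)
 * Without -DHAVE_GPGME only the fingerprint helpers are compiled, so the
 * pinning logic can be tested on a machine that has no libgpgme. */
#include <ctype.h>
#include <stdio.h>

/* Placeholder, not a real key: replace with the 40 hex digits that
 * `gpg --fingerprint` prints for the key you sign the file with. */
#define PINNED_FPR "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"

/* Copy fingerprint `in` to `out` without spaces and in upper case.
 * Returns the number of hex digits, or -1 on a non-hex char or overflow. */
int normalize_fpr(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in; in++) {
        if (*in == ' ')
            continue;
        if (!isxdigit((unsigned char)*in) || n + 1 >= outlen)
            return -1;
        out[n++] = (char)toupper((unsigned char)*in);
    }
    out[n] = '\0';
    return (int)n;
}

/* 1 if `got` and `pinned` are the same full fingerprint, else 0. Both must
 * be at least 40 hex digits, so an 8- or 16-digit key ID (which an attacker
 * can generate a colliding key for) can never satisfy the check. */
int fingerprint_matches(const char *got, const char *pinned)
{
    char a[80], b[80];
    unsigned char diff = 0;
    int la = normalize_fpr(got, a, sizeof a);
    int lb = normalize_fpr(pinned, b, sizeof b);
    if (la < 40 || la != lb)
        return 0;
    for (int i = 0; i < la; i++)          /* constant time: no early exit */
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

#ifdef HAVE_GPGME
#include <gpgme.h>

/* Verify detached signature `sig_path` over `file_path`. Returns 0 only if
 * some signature is cryptographically good and was made by the pinned key. */
int verify_with_pinned_key(const char *sig_path, const char *file_path,
                           const char *pinned_fpr)
{
    gpgme_ctx_t ctx = NULL;
    gpgme_data_t sig = NULL, text = NULL;
    gpgme_verify_result_t res;
    gpgme_signature_t s;
    gpgme_key_t key = NULL;
    gpgme_error_t err;
    int rc = -1;

    gpgme_check_version(NULL);                 /* mandatory library init */
    if ((err = gpgme_new(&ctx))) {
        fprintf(stderr, "gpgme_new: %s\n", gpgme_strerror(err));
        return -1;
    }
    if ((err = gpgme_data_new_from_file(&sig, sig_path, 1)) ||
        (err = gpgme_data_new_from_file(&text, file_path, 1)) ||
        (err = gpgme_op_verify(ctx, sig, text, NULL))) {
        fprintf(stderr, "verify: %s\n", gpgme_strerror(err));
        goto out;
    }
    res = gpgme_op_verify_result(ctx);
    for (s = res ? res->signatures : NULL; s; s = s->next) {
        /* Do not rely on GPGME_SIGSUM_VALID: it also demands that the key be
         * trusted in the local web of trust, which the user controls. A good
         * signature has status GPG_ERR_NO_ERROR and no RED/revoked/expired flag. */
        if (gpg_err_code(s->status) != GPG_ERR_NO_ERROR ||
            (s->summary & (GPGME_SIGSUM_RED | GPGME_SIGSUM_KEY_REVOKED |
                           GPGME_SIGSUM_KEY_EXPIRED | GPGME_SIGSUM_SIG_EXPIRED)))
            continue;
        /* s->fpr names the key that made the signature, which is a signing
         * subkey when one exists. Look it up and compare the primary key's
         * fingerprint (first entry of key->subkeys) with the pinned value. */
        if (gpgme_get_key(ctx, s->fpr, &key, 0))
            continue;
        if (key->subkeys && fingerprint_matches(key->subkeys->fpr, pinned_fpr))
            rc = 0;
        gpgme_key_unref(key);
        key = NULL;
        if (rc == 0)
            break;
    }
    if (rc != 0)
        fprintf(stderr, "no good signature from the pinned key\n");
out:
    gpgme_data_release(sig);
    gpgme_data_release(text);
    gpgme_release(ctx);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s file.sig file\n", argv[0]); return 2; }
    return verify_with_pinned_key(argv[1], argv[2], PINNED_FPR) == 0 ? 0 : 1;
}
#endif
```

Two points the answer's approach depends on: the fingerprint must be compared in full (a key ID from `--keyid-format short` is not enough), and the comparison should be against the primary key, because `gpgme_signature_t.fpr` reports the subkey that actually signed when the key has a signing subkey. If the user's keyring does not yet contain the public key, gpgme_op_verify reports GPG_ERR_NO_PUBKEY; the answer's import step can be done before verifying by wrapping the embedded armored key with gpgme_data_new_from_mem and passing it to gpgme_op_import. Because acceptance is decided by the pinned fingerprint and not by GPGME_SIGSUM_VALID, the user re-signing the file with their own key, or marking their own key as trusted, does not change the outcome.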