To determine how trustworthy a digital signature of a file is, you need the file, the digital signature, and the user’s public key imported into your keyring. This Wikipedia fragment describes what is meant by a “trustworthy signature” in terms of the Web of Trust.

This is the command I run to determine the level of trust of my signed foaf file.

gpg --verify --no-tty --status-fd 2 --command-fd 0 foaf.rdf.asc foaf.rdf

Which results in the following output:

gpg: Signature made Wed 3 Jun 23:19:52 2009 BST using RSA key ID 51F2F7EF
[GNUPG:] SIG_ID foL1PiWCT+546VnE17UG2QvWJeE 2009-06-03 1244067592
[GNUPG:] GOODSIG 9ED0B04E51F2F7EF Mischa Tuffield (Mischa@Garlik) <mischa.tuffield@garlik.com>
gpg: Good signature from "Mischa Tuffield (Mischa@Garlik) <mischa.tuffield@garlik.com>"
gpg: aka "Mischa Tuffield (http://id.ecs.soton.ac.uk/person/6914) <mmt04r@ecs.soton.ac.uk>"
[GNUPG:] VALIDSIG 18A2AF280CA59E77AE512BB39ED0B04E51F2F7EF 2009-06-03 1244067592 0 4 0 1 2 00 18A2AF280CA59E77AE512BB39ED0B04E51F2F7EF
[GNUPG:] TRUST_ULTIMATE

This is an automatic way of evaluating how trustworthy the statements at the end of a URI are.
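To automate the decision, a script should act only on the `[GNUPG:]` status lines and check both the key fingerprint and the trust level, since GOODSIG alone says nothing about trust. The following is an added example, not code from the original post; the function name, the accepted trust levels and the single-signature assumption are choices made for this sketch.

```python
# Added example (not the author's code): decide from gpg's status lines.
STATUS_PREFIX = "[GNUPG:] "
ACCEPTED_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}  # assumed policy
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Fingerprint and output as shown on this page.
EXPECTED_FPR = "18A2AF280CA59E77AE512BB39ED0B04E51F2F7EF"
SAMPLE = '''gpg: Signature made Wed 3 Jun 23:19:52 2009 BST using RSA key ID 51F2F7EF
[GNUPG:] SIG_ID foL1PiWCT+546VnE17UG2QvWJeE 2009-06-03 1244067592
[GNUPG:] GOODSIG 9ED0B04E51F2F7EF Mischa Tuffield (Mischa@Garlik) <mischa.tuffield@garlik.com>
gpg: Good signature from "Mischa Tuffield (Mischa@Garlik) <mischa.tuffield@garlik.com>"
[GNUPG:] VALIDSIG 18A2AF280CA59E77AE512BB39ED0B04E51F2F7EF 2009-06-03 1244067592 0 4 0 1 2 00 18A2AF280CA59E77AE512BB39ED0B04E51F2F7EF
[GNUPG:] TRUST_ULTIMATE
'''
# Constructed variant: same signature, but gpg could not establish key validity.
UNTRUSTED = SAMPLE.replace("TRUST_ULTIMATE", "TRUST_UNDEFINED")


def evaluate_status(output, expected_fpr):
    """Return (accepted, reason) for the status output of one signature."""
    primary_fpr = None
    trust = None
    for line in output.splitlines():
        # Human-readable "gpg: ..." lines are ignored; only status lines count.
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in FAILURES:
            return False, keyword
        if keyword == "VALIDSIG" and args:
            # Field 1 is the signing key; field 10 (if present) the primary key.
            primary_fpr = args[9] if len(args) >= 10 else args[0]
        elif keyword.startswith("TRUST_"):
            trust = keyword  # newer gpg appends extra fields; keyword suffices
    if primary_fpr is None:
        return False, "no VALIDSIG"
    if primary_fpr.upper() != expected_fpr.replace(" ", "").upper():
        return False, "unexpected key " + primary_fpr
    if trust not in ACCEPTED_TRUST:
        return False, trust or "no trust status"
    return True, trust


if __name__ == "__main__":
    print(evaluate_status(SAMPLE, EXPECTED_FPR))
    print(evaluate_status(UNTRUSTED, EXPECTED_FPR))
```

Pointing `--status-fd` at a dedicated descriptor rather than 2 keeps the status lines separate from gpg's human-readable messages on stderr.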
