Before I try parsing the key id from stdout I thought I'd ask if anyone has a better suggestion. The python-gnupg does verification, but only if the public key is already imported into a keyring.
My goal is to automate source integrity verification. Given a download URL, I can probably guess the signature file (if one exists). Given a signature file, I should be able to get the key ID and obtain the public key of the signer, then complete the verification process. Better ideas are welcome, or a polite "you're crazy" works too.
The example below shows how it already works well on the command line. I'd like to do this in Python.
Code:
user@boxen:~/$ gpg --verify ./rsync-3.1.1.tar.gz.asc
gpg: Signature made Sun 22 Jun 2014 01:13:20 PM EDT using DSA key ID 4B96A8C5
gpg: Can't check signature: public key not found
user@boxen:~/$ gpg --recv-keys 4B96A8C5
gpg: requesting key 4B96A8C5 from hkp server keys.gnupg.net
gpg: key 4B96A8C5: public key "Wayne Davison <wayned@example.com>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg: imported: 1
user@boxen:~/$ gpg --verify ./rsync-3.1.1.tar.gz.asc
gpg: Signature made Sun 22 Jun 2014 01:13:20 PM EDT using DSA key ID 4B96A8C5
gpg: Good signature from "Wayne Davison <wayned@example.com>"
gpg: aka "Wayne Davison <wayned@example.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0048 C8B0 26D4 C96F 0E58 9C2F 6C85 9FB1 4B96 A8C5
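Added example (not from the original post): one way to do the three steps above in Python without scraping the chatty stderr. GnuPG's `--status-fd` option emits machine-readable lines such as `NO_PUBKEY`, `GOODSIG` and `VALIDSIG`, which are stable across locales, unlike the "using DSA key ID ..." text. The status samples below are constructed to match the session in the post (timestamps and numeric fields are made up); the fingerprint constant is the one printed at the end of the session. The `verify_download` function shells out to `gpg` and so only works where it is installed; the parsers run offline. The key security point is that the key ID read off an unverified signature cannot be what you trust: fetch and compare against a fingerprint pinned from the project's own documentation, and treat a "Good signature" from any other key as a failure.

```python
import re
import subprocess

# Primary key fingerprint from the post's terminal session. In a real deployment
# this pin comes from the project's documentation and is stored with the code,
# never taken from the key ID printed by a signature you have not yet verified.
PINNED_FINGERPRINT = "0048 C8B0 26D4 C96F 0E58 9C2F 6C85 9FB1 4B96 A8C5"

# Constructed sample of the human-readable stderr the poster planned to parse.
SAMPLE_STDERR_MISSING = """\
gpg: Signature made Sun 22 Jun 2014 01:13:20 PM EDT using DSA key ID 4B96A8C5
gpg: Can't check signature: public key not found
"""

# Constructed --status-fd output for the same two runs, following the keyword
# layout in GnuPG's doc/DETAILS. Numeric fields and timestamps are made up.
SAMPLE_STATUS_MISSING = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 6C859FB14B96A8C5 17 2 00 1403457200 9 0048C8B026D4C96F0E589C2F6C859FB14B96A8C5
[GNUPG:] NO_PUBKEY 6C859FB14B96A8C5
"""

SAMPLE_STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6C859FB14B96A8C5 Wayne Davison <wayned@example.com>
[GNUPG:] VALIDSIG 0048C8B026D4C96F0E589C2F6C859FB14B96A8C5 2014-06-22 1403457200 0 4 0 17 2 00 0048C8B026D4C96F0E589C2F6C859FB14B96A8C5
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def key_id_from_stderr(text):
    """Fallback the poster describes: scrape the key ID from gpg's stderr.
    Locale-dependent and only a short ID, so prefer the status lines below."""
    m = re.search(r"key ID ([0-9A-Fa-f]{8,40})", text)
    return m.group(1).upper() if m else None


def parse_status(text):
    """Reduce --status-fd lines to what a verifier needs to decide."""
    result = {"good": False, "problems": [], "missing_key": None,
              "fingerprint": None, "signer": None}
    for line in text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split(" ", 2)          # "[GNUPG:]", keyword, rest
        keyword = parts[1]
        rest = parts[2] if len(parts) > 2 else ""
        if keyword == "NO_PUBKEY":
            result["missing_key"] = rest.split()[0]   # long key ID of the signer
        elif keyword == "GOODSIG":
            _keyid, _, uid = rest.partition(" ")
            result["signer"] = uid
        elif keyword == "VALIDSIG":
            fields = rest.split()
            # Field 10 is the primary key fingerprint when gpg emits it; field 1
            # is the fingerprint of the (sub)key that actually made the signature.
            result["fingerprint"] = fields[9] if len(fields) > 9 else fields[0]
            result["good"] = True
        elif keyword in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            result["problems"].append(keyword)
    return result


def normalize_fpr(fpr):
    return fpr.replace(" ", "").upper()


def signature_trusted(status, pinned_fpr):
    """True only when gpg reported a valid signature AND the primary key
    fingerprint equals the pin. A good signature from some other key that a
    keyserver returned for the same key ID must not pass."""
    return (status["good"] and not status["problems"]
            and status["fingerprint"] is not None
            and normalize_fpr(status["fingerprint"]) == normalize_fpr(pinned_fpr))


def gpg_status(args):
    """Run gpg with machine-readable status on stdout. Needs gpg in PATH."""
    proc = subprocess.run(["gpg", "--batch", "--no-tty", "--status-fd", "1", *args],
                          capture_output=True, text=True)
    return proc.stdout


def verify_download(sig_path, data_path, pinned_fpr=PINNED_FINGERPRINT):
    """Verify data_path against sig_path. If the key is missing, fetch it by the
    pinned fingerprint (not by the key ID in the signature) and retry once."""
    status = parse_status(gpg_status(["--verify", sig_path, data_path]))
    if status["missing_key"] is not None:
        gpg_status(["--recv-keys", normalize_fpr(pinned_fpr)])
        status = parse_status(gpg_status(["--verify", sig_path, data_path]))
    return signature_trusted(status, pinned_fpr), status


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(key_id_from_stderr(SAMPLE_STDERR_MISSING))
    print(parse_status(SAMPLE_STATUS_MISSING)["missing_key"])
    print(signature_trusted(parse_status(SAMPLE_STATUS_GOOD), PINNED_FINGERPRINT))
```

Passing the data file explicitly (`gpg --verify file.asc file.tar.gz`) avoids gpg guessing the target from the signature's name; the trust warning in the session above is exactly why the fingerprint comparison is done in code rather than relying on gpg's trust model for an automated pipeline.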