Discuss this help topic in SecureBlackbox Forum
Validate a detached signature
This article is a follow-up for the Unprotect an OpenPGP File article.
A signature is called detached if it is stored separately from the signed data. In the detached scenario, you distribute the data and the signature independently. To validate a detached signature, the processing party needs both the original data and the signature - in contrast to generic or cleartext signatures, where both the signature and the data are included in the same OpenPGP blob.
Detached signatures, just like generic ones, are processed with TElPGPReader component. While any preparations for detached signature validation - such as key setup and event handling - are performed in exactly same way as you do with generic signatures, the actual method that you call to process the data differs.
Instead of calling DecryptAndVerify() or DecryptAndVerifyFile(), you call VerifyDetached() or VerifyDetachedFile(), passing your data and the signature(s) as individual streams/files.
The rest of processing goes in virtually the same way. The component fires OnSigned and OnSignatures event, letting you know about any signatures and their verification results.
Note. As detached signatures do not contain encrypted or compressed data, and as there is no data to extract, such events as OnEncrypted, OnCompressed, OnTemporaryStream, OnCreateOutputStream or OnRequestOutputFile events will not be fired.
How To articles about file encryption and signing with OpenPGP
