Digital Signature Verification using GPG and GnuPG in Java

Is it possible that a file signed by GPG https://gpgtools.org/ can be verified using some other tool say BouncyCastle or GnuPG https://www.gnupg.org/ ? In my opinion it should not be because key providers are different. Am I right? I need some knowledge in this context. Please help.

Is it possible that a file signed by GPG https://gpgtools.org/ can be verified using some other tool say BouncyCastle or GnuPG https://www.gnupg.org/ ?

Yes, of course! Both GnuPG and BouncyCastle implement the common standard OpenPGP. GPGTools just ships GnuPG as binary distribution and adds some tools.

In my opinion it should not be because key providers are different. Am I right?

There is no central trust entity like a certificate authority in OpenPGP; in other words, no trusted keys are preconfigured.

To verify signatures, you need to fetch the matching public key. This will tell you whether the signature was issued by the matching private key and whether the file was tampered with or not. It does not say anything about the validity of the key and signature; you have to verify the key in some other way. This might be by comparing the fingerprints manually, or using the OpenPGP web of trust to find a trust path from a trust anchor like your own key.

I need some knowledge in this context.

It looks like you're still very new to those technologies. Covering them in depth is far beyond an answer on Stack Exchange. I'd strongly recommend reading up on the following topics, to get a feeling for them:
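
Added example (not part of the original answer, and not GnuPG's or BouncyCastle's own code): a detached signature created with GnuPG is checked in Java with BouncyCastle, keeping the cryptographic check separate from the fingerprint comparison the answer describes. The class name, the four command-line arguments and the output strings are assumptions; the expected fingerprint must come from a channel other than the key file itself.

```java
// Assumed usage: java VerifyDetached <file> <file.sig> <signer-pubkey.asc> <expected-fingerprint-hex>
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.Security;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureList;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.jcajce.JcaPGPObjectFactory;
import org.bouncycastle.openpgp.jcajce.JcaPGPPublicKeyRingCollection;
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentVerifierBuilderProvider;
import org.bouncycastle.util.encoders.Hex;

public class VerifyDetached {
    public static void main(String[] args) throws Exception {
        if (args.length != 4) throw new IllegalArgumentException("expected 4 arguments");
        Security.addProvider(new BouncyCastleProvider());
        // Fingerprint obtained out of band; spaces as printed by gpg are tolerated.
        String expected = args[3].replace(" ", "").toLowerCase();
        // getDecoderStream accepts both ASCII-armored and binary OpenPGP data.
        try (InputStream keyIn = PGPUtil.getDecoderStream(new FileInputStream(args[2]));
             InputStream sigIn = PGPUtil.getDecoderStream(new FileInputStream(args[1]))) {
            PGPPublicKeyRingCollection keys = new JcaPGPPublicKeyRingCollection(keyIn);
            Object obj = new JcaPGPObjectFactory(sigIn).nextObject();
            if (!(obj instanceof PGPSignatureList) || ((PGPSignatureList) obj).isEmpty())
                throw new IllegalArgumentException("not a detached OpenPGP signature");
            PGPSignature sig = ((PGPSignatureList) obj).get(0);
            // The signature names its issuer by key ID; that (sub)key must be in the key file.
            PGPPublicKeyRing ring = keys.getPublicKeyRing(sig.getKeyID());
            if (ring == null) {
                System.out.println("NO PUBLIC KEY for " + Long.toHexString(sig.getKeyID()));
                return;
            }
            PGPPublicKey signer = ring.getPublicKey(sig.getKeyID());
            sig.init(new JcaPGPContentVerifierBuilderProvider().setProvider("BC"), signer);
            sig.update(Files.readAllBytes(Paths.get(args[0])));
            // Step 1: was the file signed by the private key matching this public key?
            boolean intact = sig.verify();
            // Step 2: is this the key we meant to trust? Compare the primary key fingerprint.
            String actual = Hex.toHexString(ring.getPublicKey().getFingerprint());
            System.out.println("signature: " + (intact ? "GOOD" : "BAD"));
            System.out.println("key fingerprint " + actual + ": "
                    + (actual.equals(expected) ? "matches expected" : "NOT the expected key"));
        }
    }
}
```

A "GOOD" signature with a non-matching fingerprint only shows that whoever holds that key signed the file, which is the distinction the answer draws between verifying a signature and validating a key.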
