DigitalTrustCenter / sectxt

security.txt parser and validator
European Union Public License 1.2
17 stars 6 forks

If signed, pass data to gpg validate #58

Closed bwbroersma closed 1 year ago

bwbroersma commented 1 year ago

To prevent an invalid PGP signature from being passed, like:

The data could be passed to gpg to validate the form of the signature data. E.g. an invalid escape like the one listed in #54 would produce:

$ gpg --verify security-with-escaped-begin-signature.txt
gpg: unexpected armor: -----END PGP SIGNATURE-----\r\n
gpg: no valid OpenPGP data found.
gpg: no signature found
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

While a parsable message results in:

$ gpg --verify valid-pgp-security.txt
gpg: Signature made Sun 01 Jan 2023 12:34:46 PM CEST
gpg:                using RSA key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
gpg: Can't check signature: No public key

Even the signature date could be checked for:

DigitalTrustCenter commented 1 year ago

We attempted to use the GNUPG function mentioned in your issue. For this we tested python-gnupg, a wrapper for GnuPG. However for this the binary would need to be installed if you use this package. We did find a replacement module, PGPy Python library for implementing Pretty Good Privacy into Python programs, conforming to the OpenPGP specification per RFC 4880. This package will detect any issue with the pgp message or the data within without decrypting the message.