Verifies a GPG-style detached signature, where the signed file is
file, and the signature itself is in file signature_file.
Optionally, a specific public key to use can be specified using
pubkey_file. When environment variable
is set to
enforce, then pubkey_file must itself be
properly signed by an already-trusted key. An unsigned
pubkey_file can be loaded by specifying --skip-sig.
If pubkey_file is omitted, then public keys from GRUB’s trusted keys
(see list_trusted, see trust, and see distrust) are
$? is set to 0 if the signature validates
successfully. If validation fails, it is set to a non-zero value.
See Using digital signatures, for more information.