How to verify whether I am really chatting with my friend using GPG and his public key?

Question

I am chatting with my friend via Skype chat and I want to know whether it is really my friend Bob on the other side. I have Bob's public key and I am 100% sure that this is real Bob's public key. How can I verify that this is really Bob who is chatting with me?

a] I will ask the guy to send me a file signed by him. Then I will verify the signature.

b] I will send the guy a file signed by real Bob's public key and ask him to verify the file.

c] I will send the guy a file and ask him to sign it. Then I will verify his signature.

I think option A] makes sense. Am I correct? This is just a hypothetical situation.

Answer 1

I would suggest the following:

Your "friends" can encrypt messages using GPG:

gpg --encrypt --sign --armor -r your-user-id some-message.txt

This will encrypt some-message.txt using your public key (your-user-id) and signs it with their own private key to guarantee that it is coming from them.

Provided you have already added their public key, when you receive the message, simply call GPG on the message file:

gpg some-message.txt