how to identify a good signature by an untrusted key with gpgme 1.1.7

Werner Koch wk at gnupg.org
Tue Nov 11 11:38:22 CET 2008


On Wed, 22 Oct 2008 14:33, ivo.alxneit at psi.ch said:

> summary=3       (GPGME_SIGSUM_VALID + GPGME_SIGSUM_GREEN)
> fpr=D0E3ADE78E893E9CAEC1E2F401DEC213515E30C7
> status=0
> timestamp=1222936366
> wrong_key_usage=0
> pka_trust=0
> chain_model=0
> validity=4      (GPGME_VALIDITY_FULL)
> validity_reason=0
> key=17
> hash=2
>
> why not validity=5 (GPGME_VALIDITY_ULTIMATE) as my key has validity and
> trust set to ultimate.

The validity is the validity of the signature as computed by gpg.  It is
not the validity of the key.  FULL is full validity.  ULTIMATE is used
as a kludge to mark one's own key.

> summary=0       (??)
> fpr=4B12BCD5788511063B543190E09DF306
> status=0
> timestamp=1222182300
> wrong_key_usage=0
> pka_trust=0
> chain_model=0
> validity=0      (GPGME_VALIDITY_UNKNOWN)
> validity_reason=0
> key=1
> hash=1
>
> why not summary=2 (GPGME_SIGSUM_GREEN)

As you can see from the command line output, the key is not trusted;
i.e. not certified (signed) by a trusted key.  The fingerprint is shown
so that you can employ other, external, ways to check whether you want
to trust the key (e.g. using a list of fingerprints of trusted keys).

BTW, this is a v3 key with an MD5-based fingerprint.  It is easy to
generate two keys with the same fingerprint; thus I would not trust this
timestamping service at all.



Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
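
Added example, not part of the original message and not gpgme code: one way to apply the external fingerprint check suggested above to the summary, status and fpr fields shown in the thread. The `classify` function, the verdict names, the allowlist and the policy of refusing 32-hex-digit (v3, MD5) fingerprints are assumptions of this example; the bit values 1 and 2 follow from the thread's summary=3 and summary=2 annotations.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Bit values as annotated in the thread: summary=3 is VALID + GREEN, 2 is GREEN. */
#define SIGSUM_VALID 1u
#define SIGSUM_GREEN 2u
enum verdict { SIG_BAD, SIG_TRUSTED_BY_GPG, SIG_PINNED, SIG_UNTRUSTED, SIG_WEAK_FPR };

/* Allowlist of fingerprints checked out of band. First entry is constructed sample
   data; second is the v3 fingerprint from the thread, to show the length check wins. */
static const char *const pinned[] = {
    "0123456789ABCDEF0123456789ABCDEF01234567",
    "4B12BCD5788511063B543190E09DF306",
};

/* Returns 1 if s consists of exactly n hex digits. */
static int is_hex(const char *s, size_t n)
{
    size_t i;
    for (i = 0; s[i]; i++)
        if (!isxdigit((unsigned char)s[i])) return 0;
    return i == n;
}

/* Case-insensitive fingerprint comparison. */
static int same_fpr(const char *a, const char *b)
{
    while (*a && toupper((unsigned char)*a) == toupper((unsigned char)*b)) { a++; b++; }
    return *a == '\0' && *b == '\0';
}

/* Hypothetical policy over one signature's summary, status and fpr fields. */
enum verdict classify(unsigned summary, unsigned status, const char *fpr)
{
    if (status != 0 || fpr == NULL) return SIG_BAD;  /* not a good signature */
    if ((summary & SIGSUM_VALID) && (summary & SIGSUM_GREEN))
        return SIG_TRUSTED_BY_GPG;                   /* gpg computed the validity */
    if (is_hex(fpr, 32)) return SIG_WEAK_FPR;        /* v3 key, MD5 fingerprint */
    if (!is_hex(fpr, 40)) return SIG_UNTRUSTED;      /* not a 160-bit fingerprint */
    for (size_t i = 0; i < sizeof pinned / sizeof pinned[0]; i++)
        if (same_fpr(fpr, pinned[i])) return SIG_PINNED;
    return SIG_UNTRUSTED;
}

int main(void)
{
    printf("verdict=%d\n", classify(0, 0, "4B12BCD5788511063B543190E09DF306"));
    return 0;
}
```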



