GPGME: Signature summary

Werner Koch wk at
Fri Oct 16 14:26:38 CEST 2009

On Fri, 16 Oct 2009 11:22, mat69 at said:

>> This sets another bit and thus the VALID flag is not anymore correct.
> This would imo apply to the current code as well.

Nope.  The code sets the valid bit at the end of the function _only_ if
no other bits but GREEN is set.  That is what VALID is about.

> The problem I have still remains though and is unadressed, namely summary 
> returning 0, a value that is not defined for gpgme_sigsum_t and imo that is 
> not a good practice as it leaves the user in the cold of what is the case. So 

I already mentioned that this indicates: Not enough information to tell
anything about the validity of the signature.

> And as I have pointed out this happens when GPGME_VALIDITY_UNKNOWN is set. 
> Even if the signature is correct. So what is one supposed to do when summary 
> returns 0?

You can't tell anything without further digging into the subject.  The
mathematical correctness of the signature does not tell you anything.
It is not more than a checksum to spot errors on the transport channel.

What some programs do is to check the key used to create the signature
against a database of known keys and from that deduce that this is a
valid signature.  This is what I mean with YELLOW state: Use other means
to see whether you driver trough the crossing / take the signature as



Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

More information about the Gnupg-devel mailing list