gpg-verify c api

[Jeroen Ooms]

I've been working on a package with gpgme bindings for the R
programming language to make gpg encryption and signature
functionality available to R users. The ultimate goal is to implement
native support in the R for verifying gpg signatures in the package
manager.

However because R itself has to work out of the box on Linux, Mac and
Windows, it cannot have a runtime dependency on gpg executables. Hence
I was wondering if there pure C API for verifying gpg signatures,
which depends only on libgcrypt (or other c libraries) but does not
require a full gpg installation. That way we can statically link
libgcrypt into the R binary on mac and windows, and have a portable
solution.

The client would not need any of gpg's advanced features, it only
needs to verify if a given signature is valid for a given message and
pubkey, similar to the openssl EVP_Verify api [1]. Perhaps I
underestimate the complexity of the gpg system, but I think a simple
portable gpg-verify C library would be very useful for many other
software as well. BSD has something called netpgpverify, but
unfortunately it does not work on other platforms.

I was unable to figure out how to implement signature verification
with libgcrypt alone. Has somebody worked on something similar?

[1] https://wiki.openssl.org/index.php/EVP_Signing_and_Verifying