gpg-verify c api

Neal H. Walfield neal at walfield.org
Fri Dec 4 13:41:46 CET 2015


At Fri, 4 Dec 2015 13:23:06 +0100,
Jeroen Ooms wrote:
> I've been working on a package with gpgme bindings for the R
> programming language to make gpg encryption and signature
> functionality available to R users. The ultimate goal is to implement
> native support in R for verifying gpg signatures in the package
> manager.

Meik Michalke was working on creating an R package for working with
GnuPG a while ago.  I don't know what the status is.  (I've added him to
the cc.)

> However because R itself has to work out of the box on Linux, Mac and
> Windows, it cannot have a runtime dependency on gpg executables. Hence
> I was wondering if there is a pure C API for verifying gpg signatures,
> which depends only on libgcrypt (or other c libraries) but does not
> require a full gpg installation. That way we can statically link
> libgcrypt into the R binary on mac and windows, and have a portable
> solution.

There is no such library as far as I know.  The closest that I'm aware
of is gpgv, which just verifies signatures (it is part of GnuPG).

> The client would not need any of gpg's advanced features, it only
> needs to verify if a given signature is valid for a given message and
> pubkey, similar to the openssl EVP_Verify api [1].

A signature is not much more use than a checksum if you don't also
check the key's validity.  How were you planning on doing this?  Were
you just going to hard code a few keys?

> I was unable to figure out how to implement signature verification
> with libgcrypt alone. Has somebody worked on something similar?

At the very least, you need to parse the OpenPGP message, which is
what gpg does.

Neal
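
Added example, not part of the original message and not GnuPG code: the first step of the parsing work the reply refers to, reading an OpenPGP packet header (RFC 4880, section 4.2) and the fixed fields of a version 4 signature packet that a verifier needs before any libgcrypt call. The function names and the sample bytes are constructed for illustration; subpacket parsing, hashing and the signature check itself are outside this block.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: old-format Signature packet (tag 2), body cut to the
   fixed v4 fields: version 4, type 0x00, RSA (1), SHA256 (8), 0 subpackets. */
const uint8_t SAMPLE_SIG[] = {0x88, 0x06, 0x04, 0x00, 0x01, 0x08, 0x00, 0x00};

struct pgp_hdr { int tag; size_t hdr_len, body_len; };

/* Parse one packet header. Returns 0 on success, -1 on malformed, truncated
   or unsupported input (partial and indeterminate lengths are rejected). */
int pgp_parse_header(const uint8_t *p, size_t n, struct pgp_hdr *h)
{
    size_t need, i, len = 0;
    if (n < 2 || !(p[0] & 0x80)) return -1;       /* bit 7 must be set */
    if (p[0] & 0x40) {                            /* new format: tag in bits 5-0 */
        h->tag = p[0] & 0x3f;
        if (p[1] < 192) { h->hdr_len = 2; len = p[1]; }
        else if (p[1] < 224) {                    /* two-octet length */
            if (n < 3) return -1;
            h->hdr_len = 3;
            len = ((size_t)(p[1] - 192) << 8) + p[2] + 192;
        } else if (p[1] == 255) {                 /* five-octet length */
            if (n < 6) return -1;
            h->hdr_len = 6;
            for (i = 2; i < 6; i++) len = (len << 8) | p[i];
        } else return -1;                         /* partial body length */
    } else {                                      /* old format: tag in bits 5-2 */
        h->tag = (p[0] >> 2) & 0x0f;
        if ((p[0] & 3) == 3) return -1;           /* indeterminate length */
        need = (size_t)1 << (p[0] & 3);           /* 1, 2 or 4 length octets */
        if (n < 1 + need) return -1;
        h->hdr_len = 1 + need;
        for (i = 1; i <= need; i++) len = (len << 8) | p[i];
    }
    if (len > n - h->hdr_len) return -1;          /* body runs past the buffer */
    h->body_len = len;
    return 0;
}

/* Read the public-key and hash algorithm IDs of a v4 Signature packet. */
int pgp_sig_algos(const uint8_t *p, size_t n, int *pubkey_algo, int *hash_algo)
{
    struct pgp_hdr h;
    if (pgp_parse_header(p, n, &h) != 0 || h.tag != 2) return -1;
    if (h.body_len < 4 || p[h.hdr_len] != 4) return -1;  /* only v4 handled */
    *pubkey_algo = p[h.hdr_len + 2];
    *hash_algo = p[h.hdr_len + 3];
    return 0;
}
```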
