gpg-verify c api

Neal H. Walfield neal at
Fri Dec 4 13:41:46 CET 2015

At Fri, 4 Dec 2015 13:23:06 +0100,
Jeroen Ooms wrote:
> I've been working on a package with gpgme bindings for the R
> programming language to make gpg encryption and signature
> functionality available to R users. The ultimate goal is to implement
> native support in R for verifying gpg signatures in the package
> manager.

Meik Michalke was working on creating an R package for working with
GnuPG a while ago.  I don't know what the status is.  (I've added him to
the cc.)

> However because R itself has to work out of the box on Linux, Mac and
> Windows, it cannot have a runtime dependency on gpg executables. Hence
> I was wondering if there is a pure C API for verifying gpg signatures,
> which depends only on libgcrypt (or other c libraries) but does not
> require a full gpg installation. That way we can statically link
> libgcrypt into the R binary on mac and windows, and have a portable
> solution.

There is no such library as far as I know.  The closest that I'm aware
of is gpgv, which just verifies signatures (it is part of GnuPG).

> The client would not need any of gpg's advanced features, it only
> needs to verify if a given signature is valid for a given message and
> pubkey, similar to the openssl EVP_Verify api [1].

A signature is not much more use than a checksum if you don't also
check the key's validity.  How were you planning on doing this?  Were
you just going to hard code a few keys?

> I was unable to figure out how to implement signature verification
> with libgcrypt alone. Has somebody worked on something similar?

At the very least, you need to parse the OpenPGP message, which is
what gpg does.
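
Added example, not part of the original message and not GnuPG or libgcrypt code: a minimal C parser for the OpenPGP packet header (RFC 4880, section 4.2), showing the first piece of message parsing that has to happen before libgcrypt can be given anything to verify. The helper name pgp_parse_header and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One parsed OpenPGP packet header (RFC 4880, section 4.2). tag 2 = signature. */
struct pgp_hdr { int ok, tag; size_t hdr_len, body_len; };

/* Constructed sample bytes, not taken from a real signature. */
const uint8_t SAMPLE_OLD[] = {0x89, 0x00, 0x03, 0x04, 0x00, 0x01};
const uint8_t SAMPLE_NEW[] = {0xC2, 0x03, 0x04, 0x00, 0x01};
const uint8_t SAMPLE_BAD[] = {0xC2, 0x7f, 0x04}; /* claims 127 octets */

/* Hypothetical helper, not a GnuPG or libgcrypt function. */
struct pgp_hdr pgp_parse_header(const uint8_t *p, size_t n)
{
    struct pgp_hdr h = {0, -1, 0, 0};
    if (n < 2 || !(p[0] & 0x80)) return h;   /* bit 7 is always set */
    if (p[0] & 0x40) {                       /* new-format header */
        h.tag = p[0] & 0x3f;
        if (p[1] < 192) {                    /* one-octet length */
            h.hdr_len = 2; h.body_len = p[1];
        } else if (p[1] < 224) {             /* two-octet length */
            if (n < 3) return h;
            h.hdr_len = 3; h.body_len = ((size_t)(p[1] - 192) << 8) + p[2] + 192;
        } else if (p[1] == 255) {            /* five-octet length */
            if (n < 6) return h;
            h.hdr_len = 6;
            h.body_len = ((size_t)p[2] << 24) | ((size_t)p[3] << 16)
                       | ((size_t)p[4] << 8) | p[5];
        } else return h;                     /* partial body length: rejected here */
    } else {                                 /* old-format header */
        size_t lo = (size_t)1 << (p[0] & 3); /* 1, 2 or 4 length octets */
        h.tag = (p[0] >> 2) & 0x0f;
        if ((p[0] & 3) == 3 || n < 1 + lo) return h; /* indeterminate: rejected */
        for (size_t i = 0; i < lo; i++) h.body_len = (h.body_len << 8) | p[1 + i];
        h.hdr_len = 1 + lo;
    }
    h.ok = h.body_len <= n - h.hdr_len;      /* declared length must fit the input */
    return h;
}

int main(void)
{
    struct pgp_hdr h = pgp_parse_header(SAMPLE_OLD, sizeof SAMPLE_OLD);
    printf("ok=%d tag=%d hdr=%zu body=%zu\n", h.ok, h.tag, h.hdr_len, h.body_len);
    return 0;
}
```

Locating the signature packet is only the first step: its body (version, hash and public-key algorithm identifiers, subpackets, MPIs) still has to be decoded before any cryptographic check can run.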


More information about the Gnupg-devel mailing list