gpg-verify c api

[Jeroen Ooms]

On Fri, Dec 4, 2015 at 1:41 PM, Neal H. Walfield <neal at walfield.org> wrote:
> There is no such library as far as I know.  The closest that I'm aware
> of is gpgv, which just verifies signatures (it part of the GnuPG).

But gpgv only has a command line interface, correct? Or does it also
provide a C API?

> A signature is not much more use than a checksum if you don't also
> check the key's validity.  How were you planning on doing this?  Were
> you just going to hard code a few keys?

Yes, I was thinking of shipping trusted keys with the R installation,
possibly with the option to update them via https. The R archive
network already has SSL certs for it's root servers so that should be
fine I think.

> At the very least, you need to parse the OpenPGP message, which is
> what gpg does.

Is this available at the C level, similar to <openssl/pem.h> ?
https://www.openssl.org/docs/manmaster/crypto/pem.html