gpg-verify c api
Neal H. Walfield
neal at walfield.org
Fri Dec 4 14:11:14 CET 2015
Hi,
At Fri, 4 Dec 2015 14:06:33 +0100,
Jeroen Ooms wrote:
> On Fri, Dec 4, 2015 at 1:41 PM, Neal H. Walfield <neal at walfield.org> wrote:
> > There is no such library as far as I know. The closest that I'm aware
> > of is gpgv, which just verifies signatures (it part of the GnuPG).
>
> But gpgv only has a command line interface, correct? Or does it also
> provide a C API?
Correct. It is a program. But if you are willing to depend on a
library, I don't see why you can't depend on an executable.
> > A signature is not much more use than a checksum if you don't also
> > check the key's validity. How were you planning on doing this? Were
> > you just going to hard code a few keys?
>
> Yes, I was thinking of shipping trusted keys with the R installation,
> possibly with the option to update them via https. The R archive
> network already has SSL certs for it's root servers so that should be
> fine I think.
Sounds like a disaster waiting to happen.
> > At the very least, you need to parse the OpenPGP message, which is
> > what gpg does.
>
> Is this available at the C level, similar to <openssl/pem.h> ?
> https://www.openssl.org/docs/manmaster/crypto/pem.html
No.
Neal
More information about the Gnupg-devel
mailing list