gpg-verify c api

Neal H. Walfield neal at
Fri Dec 4 14:11:14 CET 2015


At Fri, 4 Dec 2015 14:06:33 +0100,
Jeroen Ooms wrote:
> On Fri, Dec 4, 2015 at 1:41 PM, Neal H. Walfield <neal at> wrote:
> > There is no such library as far as I know.  The closest that I'm aware
> > of is gpgv, which just verifies signatures (it part of the GnuPG).
> But gpgv only has a command line interface, correct? Or does it also
> provide a C API?

Correct.  It is a program.  But if you are willing to depend on a
library, I don't see why you can't depend on an executable.

> > A signature is not much more use than a checksum if you don't also
> > check the key's validity.  How were you planning on doing this?  Were
> > you just going to hard code a few keys?
> Yes, I was thinking of shipping trusted keys with the R installation,
> possibly with the option to update them via https. The R archive
> network already has SSL certs for it's root servers so that should be
> fine I think.

Sounds like a disaster waiting to happen.

> > At the very least, you need to parse the OpenPGP message, which is
> > what gpg does.
> Is this available at the C level, similar to <openssl/pem.h> ?



More information about the Gnupg-devel mailing list