Possible error or ambiguity in "Automated signature checking" doc

Thibault Polge thibault at thb.lt
Sat May 19 14:58:48 CEST 2018


I'm working on a parser for the output of gpg --verify --status-fd and
the documentation at [1] doesn't match the output I get from GnuPG.
According to this page, if "signature [is] valid but at least one
certificate has expired", I should expect to see EXPKEYSIG, VALIDSIG,
TRUST_FULLY; but actual logs don't include any TRUST_*.  Eg, with an
expired subkey of a still valid key, I get:

[GNUPG:] NEWSIG expired-subkey at badsig.example.com
[GNUPG:] KEYEXPIRED 1262392402
[GNUPG:] KEY_CONSIDERED 98CEF64929BD15E2E615814E56FB8134143D7A68 0
[GNUPG:] KEYEXPIRED 1262392402
[GNUPG:] SIG_ID PcUpJdyvZiBI1mGBT7YS1p+710E 2010-01-01 1262306010
[GNUPG:] KEYEXPIRED 1262392402
[GNUPG:] KEY_CONSIDERED 98CEF64929BD15E2E615814E56FB8134143D7A68 0
[GNUPG:] EXPKEYSIG 83BAA10B93D9A003 Expired-Subkey Badsig <expired-subkey at badsig.example.com>
[GNUPG:] VALIDSIG 57FABA5D48DB0C6239D504FC83BAA10B93D9A003 2010-01-01 1262306010 0 4 0 1 8 01 98CEF64929BD15E2E615814E56FB8134143D7A68
[GNUPG:] KEYEXPIRED 1262392402
[GNUPG:] KEY_CONSIDERED 98CEF64929BD15E2E615814E56FB8134143D7A68 0

The output with an expired key is similar.

There are a few more ambiguities in this page:

 - The word "certificate" in the same sentence is unclear.  Is it a
   (sub)key or something else?

 - Also, the case where the signature *and* the key have expired should
   be documented.  The current documentation seems to make them mutually
   exclusive, which they're not.

 - I'm not sure I understand why the only value for TRUST_* is
   TRUST_FULLY.  At the very least TRUST_ULTIMATE should be accepted
   too, but really everything but NEVER may be good depending on the
   context.  It should at least be clarified that TRUST_FULLY and
   TRUST_NEVER are not the only possible values.

If someone could clarify this, I'd be happy to sent a PR to improve the


[1] <https://www.gnupg.org/documentation/manuals/gnupg/Automated-signature-checking.html>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20180519/fba4fec9/attachment.sig>

More information about the Gnupg-devel mailing list