verifying signatures with gpgme 1.1.6

Ivo Alxneit-Kamber ivo.alxneit at psi.ch
Fri Oct 3 16:57:53 CEST 2008


hi all

I do not quite understand how I should interpret the result of
`gpgme_op_verify_result(ctx)`.
Using gpg for my two files `foo` and `bar` I obtain what I expected.

$ gpg --verify foo
gpg: Signature made Thu 02 Oct 2008 10:32:46 AM CEST using DSA key ID 515E30C7
gpg: Good signature from "Ivo Alxneit (work) <ivo.alxneit at psi.ch>"
gpg:                 aka "Ivo Alxneit (privat, old) <ialx at datacomm.ch>"
gpg:                 aka "Ivo Alxneit (privat) <ialx at tiscalinet.ch>"

-> good signature from "trusted" key

$ gpg --verify bar
gpg: Signature made Tue 23 Sep 2008 05:05:00 PM CEST using RSA key ID 70B61F81
gpg: Good signature from "Timestamp Service <stamper at itconsult.co.uk>" [uncertain]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4B 12 BC D5 78 85 11 06  3B 54 31 90 E0 9D F3 06

-> good signature from "untrusted" key


I then use the following code to verify the signatures using gpgme
(version 1.1.6):

#include <stdio.h>
#include <gpgme.h>

/* ctx is an initialised gpgme_ctx_t; sig and text are gpgme_data_t objects
   holding the detached signature and the signed data. */
gpgme_error_t err;
gpgme_verify_result_t result;
gpgme_signature_t s;

err = gpgme_op_verify(ctx, sig, NULL, text);
if (err) {
    /* the result is only meaningful if the operation itself succeeded */
    fprintf(stderr, "gpgme_op_verify: %s\n", gpgme_strerror(err));
    return;
}
result = gpgme_op_verify_result(ctx);
s = result->signatures;
while (s) {
    fprintf(stdout, "\nsummary=%d\n", s->summary);
    fprintf(stdout, "fpr=%s\n", s->fpr);
    fprintf(stdout, "status=%u\n", s->status);
    fprintf(stdout, "timestamp=%lu\n", s->timestamp);
    fprintf(stdout, "wrong_key_usage=%u\n", s->wrong_key_usage);
    fprintf(stdout, "pka_trust=%u\n", s->pka_trust);
    fprintf(stdout, "chain_model=%u\n", s->chain_model);
    fprintf(stdout, "validity=%d\n", s->validity);
    fprintf(stdout, "validity_reason=%u\n", s->validity_reason);
    fprintf(stdout, "key=%d\n", s->pubkey_algo);
    fprintf(stdout, "hash=%d\n", s->hash_algo);
    s = s->next;
}

This seems to work fine, but I do not understand all of the result
structure.

For `foo` I obtain

summary=3       (GPGME_SIGSUM_VALID + GPGME_SIGSUM_GREEN)
fpr=D0E3ADE78E893E9CAEC1E2F401DEC213515E30C7
status=0
timestamp=1222936366
wrong_key_usage=0
pka_trust=0
chain_model=0
validity=4      (GPGME_VALIDITY_FULL)
validity_reason=0
key=17
hash=2

Why not validity=5 (GPGME_VALIDITY_ULTIMATE), as my key has validity and
trust set to ultimate?

$ gpg --edit-key 0x515e30c7
Secret key is available.

pub  1024D/515E30C7  created: 2002-02-11  expires: never       usage: SCA
                     trust: ultimate      validity: ultimate
sub  2048g/0503D66E  created: 2002-02-11  expires: never       usage: E

For `bar` I obtain

summary=0       (??)
fpr=4B12BCD5788511063B543190E09DF306
status=0
timestamp=1222182300
wrong_key_usage=0
pka_trust=0
chain_model=0
validity=0      (GPGME_VALIDITY_UNKNOWN)
validity_reason=0
key=1
hash=1

Why not summary=2 (GPGME_SIGSUM_GREEN)?

So how is the correct / intended way to detect a good signature made by
an untrusted key?


Thanks for the help.
--
Dr. Ivo Alxneit
Laboratory for Solar Technology   phone: +41 56 310 4092
Paul Scherrer Institute             fax: +41 56 310 2688
CH-5232 Villigen                   http://solar.web.psi.ch
Switzerland                   gnupg key: 0x515E30C7

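As an added example (not from the original post or from gpgme itself), a verdict function for the question asked above: gpgme derives `summary` from `status` and `validity`, setting GREEN only when the key's validity is FULL/ULTIMATE and VALID only when GREEN is the sole flag, so a good signature from a key without trust comes back as summary 0 with status GPG_ERR_NO_ERROR. The code mirrors the gpgme 1.1.x constant values locally so it builds without libgpgme; the names `classify_signature`, `sig_verdict` and the "tampered"/"nokey" inputs are constructed for the example.

```c
#include <stdio.h>

/* Local mirrors of the gpgme 1.1.x values this policy needs, so the file builds
 * without libgpgme; with <gpgme.h> use GPGME_SIGSUM_*, GPGME_VALIDITY_* and
 * gpg_err_code(sig->status) directly. */
enum { SIGSUM_VALID = 0x0001, SIGSUM_GREEN = 0x0002, SIGSUM_RED = 0x0004,
       SIGSUM_KEY_MISSING = 0x0080 };
enum { VALIDITY_UNKNOWN = 0, VALIDITY_FULL = 4 };
enum { ERR_NO_ERROR = 0 };                      /* GPG_ERR_NO_ERROR */

typedef enum { SIG_BAD, SIG_UNVERIFIABLE, SIG_GOOD_UNTRUSTED, SIG_GOOD_TRUSTED } sig_verdict;

/* Classify one gpgme_signature_t entry from the three fields the post prints.
 * gpgme builds summary from status and validity: GREEN needs validity
 * FULL/ULTIMATE, VALID needs GREEN to be the only flag, so summary == 0 with
 * status == 0 is a good signature whose key simply has no trust (the `bar` case). */
sig_verdict classify_signature(unsigned summary, unsigned status, int validity)
{
    if (summary & SIGSUM_RED)
        return SIG_BAD;                 /* bad signature, or signing key marked "never" */
    if (summary & SIGSUM_KEY_MISSING)
        return SIG_UNVERIFIABLE;        /* public key not in the keyring: nothing was checked */
    if (status != ERR_NO_ERROR)
        return SIG_BAD;                 /* expired key/sig or system error: fail closed */
    if (summary & ~(unsigned)(SIGSUM_VALID | SIGSUM_GREEN))
        return SIG_BAD;                 /* any other flag (bad policy, CRL, ...): fail closed */
    if ((summary & SIGSUM_VALID) && validity >= VALIDITY_FULL)
        return SIG_GOOD_TRUSTED;        /* the `foo` case: summary 3, validity FULL */
    return SIG_GOOD_UNTRUSTED;          /* good signature, but trust is still an open question */
}

static const char *verdict_name(sig_verdict v)
{
    static const char *names[] = { "BAD", "UNVERIFIABLE", "GOOD_UNTRUSTED", "GOOD_TRUSTED" };
    return names[v];
}

int main(void)
{
    /* Constructed inputs: the two results quoted in the post plus two synthetic failures. */
    struct { const char *name; unsigned summary, status; int validity; } cases[] = {
        { "foo",      3,                  0, VALIDITY_FULL },
        { "bar",      0,                  0, VALIDITY_UNKNOWN },
        { "tampered", SIGSUM_RED,         8, VALIDITY_UNKNOWN },  /* 8 = GPG_ERR_BAD_SIGNATURE */
        { "nokey",    SIGSUM_KEY_MISSING, 9, VALIDITY_UNKNOWN },  /* 9 = GPG_ERR_NO_PUBKEY */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-8s -> %s\n", cases[i].name, verdict_name(
               classify_signature(cases[i].summary, cases[i].status, cases[i].validity)));
    return 0;
}
```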


