Details of signature verification status-fd lines

Werner Koch wk at
Wed Sep 23 10:20:07 CEST 2009

On Tue, 22 Sep 2009 17:50, bmearns at said:

> Thanks for the response. So EXPKEYSIG doesn't mean the key was expired
> when the signature was made, right? If that shows up along with

It means that the key has expired by now.

> VALIDSIG, it's ok to trust the signature, correct? What about

That is up to you.  Usually you would show a message stating that the
key used to create the message meanwhile expired.  Whether you take the
signature creation date into account and show a different message is up
to you.  If a signer wants to use an expired key for signing he may as
well change the signature creation time.

> REVKEYSIG? If a key is revoked, is there an easy way to know if the
> signature was made prior to revocation, or would it be necessary to
> just compare the stamps on the signature and the revocation?

There is no way becuase you don't know why the key was revoked.  Sure
the revocation signature allows to give a reason of revocation and you
can take that in account, but if the key was compromised an attacker may
also create a revocation with a different reasons (e.g. key superseded).
You can't tell who did the revocation.



Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

More information about the Gnupg-users mailing list