trust level for validating signature with gpgme

Allan McRae allan at archlinux.org
Wed Nov 24 02:31:51 CET 2010


On 24/11/10 05:14, Werner Koch wrote:
> On Tue, 23 Nov 2010 14:53, allan at archlinux.org said:
>
>> validity of the key.  I am currently testing:
>> (gpgme_verify_result_t->summary&  GPGME_SIGSUM_VALID)
>> Is that the correct approach?
>
> That's fine.  However if a key expired you won't get VALID.  An expired
> key does not mean that the signature is not valid.  A more relaxed
> check is to check for the GPGME_SIGSUM_GREEN.
>
> To check what's wrong you should manually verify the signature:
>
>    gpg --verify --status-fd 2 -v foo.gpg
>
> Gpgme watches the [GNUPG:] lines to get its idea of the signature
> status.
>

Looking at this, I think gpgme is validating the signature, just not 
at the trust level I (incorrectly?) expected.

To clarify, /etc/pacman.d/gnupg/ is the keyring directory for my 
software and currently only has one key imported.  If I set the trust 
level of that key to "ultimate" I get:

 > gpg --homedir=/etc/pacman.d/gnupg/ --status-fd 2 -v pacman.db.sig | grep GNUPG:
[GNUPG:] SIG_ID MOkIXv87D7Hsngf6x2YP1R2/x3w 2010-11-23 1290492335
[GNUPG:] GOODSIG E9241FABC8A82D92 Allan McRae (Arch Linux) <allan at archlinux.org>
[GNUPG:] VALIDSIG 1A03113E773AA2652D2FA5DCE9241FABC8A82D92 2010-11-23 1290492335 0 4 0 1 2 00 1A03113E773AA2652D2FA5DCE9241FABC8A82D92
[GNUPG:] TRUST_ULTIMATE

which succeeds in giving me GPGME_SIGSUM_VALID.   If I change the level 
in trust to "full" (or anything else...), I get:

 > gpg --homedir=/etc/pacman.d/gnupg/ --status-fd 2 -v pacman.db.sig
[GNUPG:] SIG_ID MOkIXv87D7Hsngf6x2YP1R2/x3w 2010-11-23 1290492335
[GNUPG:] GOODSIG E9241FABC8A82D92 Allan McRae (Arch Linux) <allan at archlinux.org>
[GNUPG:] VALIDSIG 1A03113E773AA2652D2FA5DCE9241FABC8A82D92 2010-11-23 1290492335 0 4 0 1 2 00 1A03113E773AA2652D2FA5DCE9241FABC8A82D92
[GNUPG:] TRUST_UNDEFINED

with the additional warning:
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

So if I understand the output correctly, this is a good signature, just 
without a defined trust level.  So that leads me to two queries:

1) I would have expected the trust level to be something like TRUST_FULL 
rather than TRUST_UNDEFINED.  Is this because I have no signatures on 
that key or more specifically because I have no ultimately trusted key 
in the keyring signing that key?

2) It appears that getting GPGME_SIGSUM_VALID value requires the trust 
level to be defined.  How can I just check whether the signature is 
valid regardless of the trust in the key used to sign it?

Thanks,
Allan
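The two outputs quoted above illustrate the distinction the message is asking about: VALIDSIG reports that the signature verified against a key in the keyring, while the TRUST_* line reports the validity gpg derived for that key through the web of trust (with a single key and no ultimate owner trust there is nothing to derive it from, hence TRUST_UNDEFINED; the token gpg emits for full validity is spelled TRUST_FULLY). As Werner notes, gpgme reads these same status lines. The following is an added example, not code from this thread or from GnuPG/gpgme: a small Python parser for `--status-fd` output that keeps the two questions separate and answers query 2 in both a strict and a relaxed form. Its sample inputs are the two status outputs quoted in the message (e-mail line wrapping undone) plus one constructed BADSIG line; the class and function names are the example's own.

```python
"""Interpret gpg --status-fd output: is the signature good, and is the key trusted?

Added example, not code from the thread. Parses the [GNUPG:] status lines gpg
prints with --status-fd and separates "signature verified" (VALIDSIG) from
"key is trusted" (TRUST_*).  Sample inputs: the two outputs quoted in the
message, plus one constructed BADSIG line.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# gpg's key-validity tokens, weakest to strongest (gpg emits TRUST_FULLY, not TRUST_FULL).
TRUST_RANK = {
    "TRUST_UNDEFINED": 0,
    "TRUST_NEVER": 1,
    "TRUST_MARGINAL": 2,
    "TRUST_FULLY": 3,
    "TRUST_ULTIMATE": 4,
}


@dataclass
class SigStatus:
    signature_valid: bool = False        # VALIDSIG seen: the cryptographic check passed
    fingerprint: Optional[str] = None    # fingerprint of the signing (sub)key
    primary_fingerprint: Optional[str] = None
    sig_timestamp: Optional[int] = None  # signature creation time, epoch seconds
    trust: str = "TRUST_UNDEFINED"       # last TRUST_* line seen
    key_expired: bool = False            # EXPKEYSIG
    key_revoked: bool = False            # REVKEYSIG
    sig_expired: bool = False            # EXPSIG
    errors: List[str] = field(default_factory=list)  # BADSIG / ERRSIG

    @property
    def key_trusted(self) -> bool:
        """Key validity is full or ultimate; TRUST_UNDEFINED is untrusted."""
        return TRUST_RANK[self.trust] >= TRUST_RANK["TRUST_FULLY"]

    def strict_ok(self) -> bool:
        """Good signature AND a trusted, unexpired, unrevoked key."""
        return (self.signature_valid and self.key_trusted and not self.errors
                and not (self.key_expired or self.key_revoked or self.sig_expired))

    def relaxed_ok(self) -> bool:
        """Good signature, key trust ignored; revocation and bad signatures still fail."""
        return self.signature_valid and not self.errors and not self.key_revoked


def parse_status_lines(text: str) -> SigStatus:
    """Build a SigStatus from gpg --status-fd output; non-status stderr lines are skipped."""
    st = SigStatus()
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable warnings are not authoritative
        parts = line.split()
        keyword, args = parts[1], parts[2:]
        if keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <timestamp> <expire> <ver> <rsvd> <pkalgo> <hashalgo> <class> <primary-fpr>
            st.signature_valid = True
            st.fingerprint = args[0]
            st.sig_timestamp = int(args[2])
            st.primary_fingerprint = args[9] if len(args) > 9 else args[0]
        elif keyword == "EXPKEYSIG":
            st.key_expired = True
        elif keyword == "REVKEYSIG":
            st.key_revoked = True
        elif keyword == "EXPSIG":
            st.sig_expired = True
        elif keyword in ("BADSIG", "ERRSIG"):
            st.errors.append(keyword)
        elif keyword in TRUST_RANK:
            st.trust = keyword
    return st


# Output quoted in the message with the key's trust set to "ultimate".
STATUS_ULTIMATE = """\
[GNUPG:] SIG_ID MOkIXv87D7Hsngf6x2YP1R2/x3w 2010-11-23 1290492335
[GNUPG:] GOODSIG E9241FABC8A82D92 Allan McRae (Arch Linux) <allan at archlinux.org>
[GNUPG:] VALIDSIG 1A03113E773AA2652D2FA5DCE9241FABC8A82D92 2010-11-23 1290492335 0 4 0 1 2 00 1A03113E773AA2652D2FA5DCE9241FABC8A82D92
[GNUPG:] TRUST_ULTIMATE
"""

# Same signature, key's trust set to "full" but no trust path to it (also quoted in the message).
STATUS_UNDEFINED = """\
[GNUPG:] SIG_ID MOkIXv87D7Hsngf6x2YP1R2/x3w 2010-11-23 1290492335
[GNUPG:] GOODSIG E9241FABC8A82D92 Allan McRae (Arch Linux) <allan at archlinux.org>
[GNUPG:] VALIDSIG 1A03113E773AA2652D2FA5DCE9241FABC8A82D92 2010-11-23 1290492335 0 4 0 1 2 00 1A03113E773AA2652D2FA5DCE9241FABC8A82D92
[GNUPG:] TRUST_UNDEFINED
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
"""

# Constructed sample: a modified file, so gpg reports BADSIG and no VALIDSIG.
STATUS_BAD = "[GNUPG:] BADSIG E9241FABC8A82D92 Allan McRae (Arch Linux) <allan at archlinux.org>\n"


def summarize(text: str) -> Dict[str, object]:
    st = parse_status_lines(text)
    return {"signature_valid": st.signature_valid, "trust": st.trust,
            "strict_ok": st.strict_ok(), "relaxed_ok": st.relaxed_ok()}


if __name__ == "__main__":
    for name, text in (("ultimate", STATUS_ULTIMATE), ("undefined", STATUS_UNDEFINED), ("bad", STATUS_BAD)):
        print(name, summarize(text))
```

Run it and the second sample comes out `signature_valid=True, strict_ok=False, relaxed_ok=True`: exactly the "good signature, undefined trust" case the message describes. A real consumer should read the status lines from the descriptor given to `--status-fd` rather than scraping stderr, and should pin the expected fingerprint (`primary_fingerprint`) rather than accept any key in the keyring.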
