trust level for validating signature with gpgme

Werner Koch wk at gnupg.org
Wed Nov 24 09:49:58 CET 2010


On Wed, 24 Nov 2010 02:31, allan at archlinux.org said:

> 1) I would have expected the trust level to be something like
> TRUST_FULL rather than TRUST_UNDEFINED.  Is this because I have no
> signatures on that key or more specifically because I have no
> ultimately trusted key in the keyring signing that key?

Signing the key is required to tell gpg that you trust the key.  You may
use the "lsign" command to do this only locally and not to announce it
to the world.

You also need to have a trust anchor; i.e. a key that is ultimately
trusted.  Check also the option --trusted-key.

> 2) It appears that getting GPGME_SIGSUM_VALID value requires the trust
> level to be defined.  How can I just check whether the signature is
> valid regardless of the trust in the key used to sign it?

You mean to compare the signature against a known valid key, right?  I
suggest comparing the fingerprint of the signing key (member FPR in the
result struct) against a list of valid fingerprints you keep in your
application.


Salam-Shalom,

   Werner


-- 
Thoughts are free.  Exceptions are regulated by a federal law.
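
The fingerprint comparison suggested in the reply above, as an added example that is not part of the original message and not GnuPG project code. The names `sig_info`, `normalize_fpr`, `fpr_is_pinned` and `signed_by_pinned_key` are hypothetical, and the struct is a stand-in for the `next`, `fpr` and `status` members of `gpgme_signature_t` so the block builds without libgpgme.

```c
#include <ctype.h>
#include <string.h>

/* Stand-in for the gpgme_signature_t members used here. With gpgme, walk
   gpgme_op_verify_result(ctx)->signatures and use gpgme_err_code(sig->status). */
struct sig_info {
    struct sig_info *next;
    const char *fpr;      /* fingerprint, or only a key ID if the key is missing */
    unsigned int status;  /* 0 (GPG_ERR_NO_ERROR) means the signature verified */
};

/* Copy the hex digits of `in` to `out` in upper case, skipping spaces.
   Returns the digit count, or 0 if the input is malformed or too long. */
static size_t normalize_fpr(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (; in && *in; in++) {
        if (*in == ' ') continue;
        if (!isxdigit((unsigned char)*in) || n + 1 >= outsz)
            return 0;
        out[n++] = (char)toupper((unsigned char)*in);
    }
    out[n] = '\0';
    return n;
}

/* Returns 1 if `fpr` is a full fingerprint (>= 40 hex digits) on the pinned list. */
static int fpr_is_pinned(const char *fpr, const char *const *pinned, size_t count)
{
    char a[80], b[80];
    size_t len = normalize_fpr(fpr, a, sizeof a);
    if (len < 40)   /* short or long key IDs are never accepted */
        return 0;
    for (size_t i = 0; i < count; i++)
        if (normalize_fpr(pinned[i], b, sizeof b) == len && strcmp(a, b) == 0)
            return 1;
    return 0;
}

/* Accept only if at least one signature verified AND was made by a pinned key.
   The fingerprint alone is not enough: it is also reported for bad signatures. */
int signed_by_pinned_key(const struct sig_info *sigs, const char *const *pinned, size_t count)
{
    for (; sigs; sigs = sigs->next)
        if (sigs->status == 0 && fpr_is_pinned(sigs->fpr, pinned, count))
            return 1;
    return 0;
}
```

The fingerprint reported for a signature is that of the key that made it, which can be a signing subkey, so the pinned list has to contain that fingerprint.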



