Understanding --status-fd output

Ben Harris bjh21 at cam.ac.uk
Wed Aug 24 19:58:48 CEST 2011


I'm trying to write a program that (among other things) validates GPG 
signatures on Git tags.  Git runs "gpg" internally, and I can manipulate 
its environment to point GNUPGHOME at somewhere with an options file 
containing a "status-fd" option so I can get machine-readable output. 
This is good, but I'm having some trouble working out what that output 
means.

As I understand it, the process of verifying a signature conceptually 
goes:

1: Is the signature cryptographically valid (i.e. does it match the signed 
data and the purported key)?

2: What UIDs are associated with that key?

3: Can we form a chain of trust from an ultimately-trusted key to that 
UID/key relation?

4: Does that UID name the person whom we expected to be signing this 
message?

As far as I can tell, GOODSIG corresponds to steps 1 and 2 above -- it 
indicates that we've found a key in the keyring and the signature matches 
it.  TRUST_* corresponds to step 3, and obviously it's my job to deal 
with step 4.  The problem I've got is to understand how the UID in GOODSIG 
relates to the trust in TRUST_*.  As far as I can tell from my testing, 
GOODSIG always includes the primary UID of the key, but TRUST_* reflects 
the trust in the most trusted UID.

In consequence, I can't from parsing the --status-fd output work out 
what valid UID is associated with a signature.  I can only tell that the 
key in question has _a_ valid UID.  Is this correct?  So if I want to know 
which of the UIDs on the key are trusted, I have to resort to --list-keys 
--with-colons or similar?

-- 
Ben Harris, University of Cambridge Computing Service.



More information about the Gnupg-users mailing list
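As an added illustration of the parsing question raised above (not code from the original post or from GnuPG), this Python snippet reads constructed `--status-fd` and `--list-keys --with-colons` samples and shows why the UID printed in GOODSIG cannot by itself say which UID earned the TRUST_* verdict: it combines both outputs to list the UIDs that individually reach the required validity. The key ID, fingerprint hashes and user IDs are constructed, and the status format assumed is `[GNUPG:] KEYWORD args`.

```python
# Constructed sample status-fd lines for one good signature, not output from a real run.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example User <primary@example.org>
[GNUPG:] TRUST_FULLY
"""
# Constructed --with-colons listing for the same key: field 2 is validity, field 10 the user ID.
SAMPLE_COLONS = """\
pub:f:2048:1:0123456789ABCDEF:2010-01-01:::::::::
uid:-::::2010-01-01::HASHA::Example User <primary@example.org>::::::::::0:
uid:f::::2010-01-01::HASHB::Example User <work@example.com>::::::::::0:
"""
TRUST_LEVELS = ("TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL", "TRUST_FULLY", "TRUST_ULTIMATE")
VALIDITY_RANK = {"u": 5, "f": 4, "m": 3, "n": 2, "q": 1, "-": 0}  # r/e/i (revoked/expired/invalid) rank below all

def parse_status(text):
    """Collect the verdict from status lines: GOODSIG key ID and primary UID plus the TRUST_* level."""
    result = {"good": False, "keyid": None, "primary_uid": None, "trust": None}
    for line in text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                      # only the status channel is machine-readable
        fields = line[len("[GNUPG:] "):].split(" ", 2)
        if fields[0] == "GOODSIG":
            result["good"] = True
            result["keyid"] = fields[1]
            result["primary_uid"] = fields[2]   # GOODSIG names the primary UID only
        elif fields[0] in ("BADSIG", "ERRSIG"):
            result["good"] = False
        elif fields[0] in TRUST_LEVELS:
            result["trust"] = fields[0]         # trust of the best UID, not necessarily primary_uid
    return result

def uid_validity(colon_text):
    """Map each user ID on the key to its own validity letter from --with-colons output."""
    validity = {}
    for line in colon_text.splitlines():
        f = line.split(":")
        if f[0] == "uid" and len(f) > 9:
            validity[f[9]] = f[1]
    return validity

def trusted_uids(status_text, colon_text, min_validity="f"):
    """UIDs of the signing key that individually reach min_validity; [] if the signature is not good."""
    status = parse_status(status_text)
    if not status["good"]:
        return []
    floor = VALIDITY_RANK[min_validity]
    return [uid for uid, v in uid_validity(colon_text).items()
            if VALIDITY_RANK.get(v, -1) >= floor]
```

With the samples above, the status channel reports TRUST_FULLY while the primary UID shown in GOODSIG has validity `-`; only the colon listing reveals that the fully valid UID is the other one, which is the check to run before matching a UID against the expected signer in step 4.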