Understanding --status-fd output
Ben Harris
bjh21 at cam.ac.uk
Wed Aug 24 19:58:48 CEST 2011
I'm trying to write a program that (among other things) validates GPG
signatures on Git tags. Git runs "gpg" internally, and I can manipulate
its environment to point GNUPGHOME at somewhere with an options file
containing a "status-fd" option so I can get machine-readable output.
This is good, but I'm having some trouble working out what that output
means.
As I understand it, the process of verifying a signature conceptually
goes:
1: Is the signature cryptographically valid (i.e. does it match the signed
data and the purported key)?
2: What UIDs are associated with that key?
3: Can we form a chain of trust from an ultimately-trusted key to that
UID/key relation?
4: Does that UID name the person whom we expected to be signing this
message?
As far as I can tell, GOODSIG corresponds to steps 1 and 2 above -- it
indicates that we've found a key in the keyring and the signature matches
it. TRUST_* corresponds to step 3, and obviously it's my job to deal
with step 4. The problem I've got is to understand how the UID in GOODSIG
relates to the trust in TRUST_*. As far as I can tell from my testing,
GOODSIG always includes the primary UID of the key, but TRUST_* reflects
the trust in the most trusted UID.
In consequence, I can't from parsing the --status-fd output work out
what valid UID is associated with a signature. I can only tell that the
key in question has _a_ valid UID. Is this correct? So if I want to know
which of the UIDs on the key are trusted, I have to resort to --list-keys
--with-colons or similar?
--
Ben Harris, University of Cambridge Computing Service.
More information about the Gnupg-users mailing list
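A worked parser for the situation described in the post, added here as an illustration and not part of Ben Harris's message or of Git or GnuPG themselves. It assumes the caller has already captured the status-fd stream as text (and, for the last question, the output of "gpg --list-keys --with-colons"); every fingerprint, key ID, UID and status line below is constructed sample data. It shows how GOODSIG, VALIDSIG and TRUST_* map onto steps 1 to 3, and does step 4 on the primary-key fingerprint from VALIDSIG rather than on the UID text, precisely because GOODSIG only carries the primary UID while TRUST_* reflects the best-trusted UID. The validity letter in field 2 of each "uid" record of --with-colons output is what tells you which individual UIDs are trusted.

```python
"""Parse gpg --status-fd output and decide whether a Git tag signature is acceptable.

Added example, not from the original post. Assumes the status-fd stream (and
optionally `gpg --list-keys --with-colons` output) has been captured as text.
All sample data below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

STATUS_PREFIX = "[GNUPG:] "

# Ordering of the TRUST_* keywords gpg emits after a good signature (step 3).
TRUST_LEVELS = {"TRUST_UNDEFINED": 0, "TRUST_NEVER": 0, "TRUST_MARGINAL": 1,
                "TRUST_FULLY": 2, "TRUST_ULTIMATE": 3}

# Status keywords after which the signature must not be accepted.
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class SigStatus:
    good: bool = False                                  # GOODSIG seen (steps 1 and 2)
    rejected: List[str] = field(default_factory=list)   # rejecting keywords seen
    keyid: Optional[str] = None                         # long key ID from GOODSIG
    primary_uid: Optional[str] = None                   # GOODSIG's UID: the primary UID only
    sig_fpr: Optional[str] = None                       # signing (sub)key fpr from VALIDSIG
    primary_fpr: Optional[str] = None                   # primary key fpr from VALIDSIG
    trust: Optional[str] = None                         # TRUST_* keyword (step 3)


def parse_status(text: str) -> SigStatus:
    """Reduce a status-fd stream to the fields needed for a verification decision."""
    st = SigStatus()
    for line in text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue                            # not a status line
        body = line[len(STATUS_PREFIX):]
        parts = body.split(" ", 2)              # keyword, first argument, rest of line
        kw = parts[0]
        if kw == "GOODSIG":
            st.good = True
            st.keyid = parts[1]
            st.primary_uid = parts[2] if len(parts) > 2 else ""
        elif kw in REJECT_KEYWORDS:
            st.rejected.append(kw)
        elif kw == "VALIDSIG":
            fields = body.split()
            st.sig_fpr = fields[1]
            # Field 11 (primary key fingerprint) is emitted by newer gpg versions;
            # fall back to the signing key fingerprint when it is absent.
            st.primary_fpr = fields[10] if len(fields) > 10 else fields[1]
        elif kw in TRUST_LEVELS:
            st.trust = kw
    return st


def acceptable(st: SigStatus, expected_fprs: Set[str], min_trust: str = "TRUST_FULLY") -> bool:
    """Steps 1-3 come from gpg; step 4 is done on the key fingerprint, because the
    UID in GOODSIG is only the primary UID and TRUST_* reflects the best UID."""
    if st.rejected or not st.good or st.sig_fpr is None:
        return False
    if st.trust is None or TRUST_LEVELS[st.trust] < TRUST_LEVELS[min_trust]:
        return False
    norm = lambda f: f.replace(" ", "").upper()
    return norm(st.primary_fpr) in {norm(f) for f in expected_fprs}


def trusted_uids(colons: str, keyid: str) -> List[str]:
    """From `gpg --list-keys --with-colons`, return the UIDs on `keyid` whose validity
    (field 2 of a uid record) is 'f' (full) or 'u' (ultimate); field 10 is the UID."""
    out, in_key = [], False
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            in_key = f[4].upper().endswith(keyid.upper())
        elif f[0] == "uid" and in_key and f[1] in ("f", "u"):
            out.append(f[9])
    return out


# Constructed status-fd output for a good, fully trusted signature by a subkey.
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>
[GNUPG:] VALIDSIG 111122223333444455556666FEDCBA9876543210 2011-08-24 1314208728 0 4 0 1 8 01 1234567890ABCDEF123456780123456789ABCDEF
[GNUPG:] TRUST_FULLY 0 pgp
"""
# Constructed: same key, but the signature does not verify.
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Alice Example <alice@example.org>
"""
# Constructed --with-colons listing: three UIDs, only two with full/ultimate validity.
SAMPLE_COLONS = """\
pub:f:2048:1:0123456789ABCDEF:1300000000:::f:::scESC:
fpr:::::::::1234567890ABCDEF123456780123456789ABCDEF:
uid:f::::1300000000::AABB::Alice Example <alice@example.org>:
uid:-::::1300000000::CCDD::Alice at Work <alice@work.example>:
uid:u::::1300000000::EEFF::Alice Example (Uni) <alice@cam.example>:
sub:f:2048:1:FEDCBA9876543210:1300000000::::::s:
"""
ALICE_FPR = "1234 5678 90AB CDEF 1234 5678 0123 4567 89AB CDEF"  # constructed

if __name__ == "__main__":
    st = parse_status(SAMPLE_GOOD)
    print(st.primary_uid, st.trust, acceptable(st, {ALICE_FPR}))
    print(trusted_uids(SAMPLE_COLONS, st.keyid))
```

Note that a stream with GOODSIG but no TRUST_* line is rejected, as is one where any rejecting keyword appears even alongside a later GOODSIG (which can happen when a tag carries several signatures). Pinning the expected signer by fingerprint also sidesteps the UID ambiguity the post describes: the program never has to decide which of the key's UIDs gpg trusted in order to answer step 4.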