--verify --status-fd separator for multiple signatures?

Werner Koch wk at gnupg.org
Sat Mar 21 14:18:17 CET 2015 

On Fri, 20 Mar 2015 19:41, patrick-mailinglists at whonix.org said:

> Well, I don't speak C, so I can't make head or tail of "what we do in
> gpgme/src/verify.c".

You should still be able to follow the control flow.  That is not
different from any pseudo code.

> Is there a complete list of all possible start/end keyword combinations?

As, I said, checkout gpgme: 

  switch (code)
    {
    case GPGME_STATUS_NEWSIG:
      if (sig)
        calc_sig_summary (sig);

NEWSIG has been seen: Finalize the output for the current signature if any.

      err = prepare_new_sig (opd);

      opd->only_newsig_seen = 1;

Get ready for a new signature.  That is the helpful feature of NEWSIG.
Note that there is no guarantee that a signature will follow: I maybe
garbled or remove and gpg won't get to the actual verification.

    case GPGME_STATUS_GOODSIG:
    case GPGME_STATUS_EXPSIG:
    case GPGME_STATUS_EXPKEYSIG:
    case GPGME_STATUS_BADSIG:
    case GPGME_STATUS_ERRSIG:
    case GPGME_STATUS_REVKEYSIG:
      if (sig && !opd->did_prepare_new_sig)
	calc_sig_summary (sig);

If we have a signature and we are not yet preparing for a new signature
(i.e. have not called prepare_new-sig): Finalize the output for the
current signature

      opd->only_newsig_seen = 0;

Clear flag for NEWSIG seen.

      return parse_new_sig (opd, code, args, ctx->protocol);

Do something with the signature.  This fucntion calls prepare_new_sig if
not yet done.

    case GPGME_STATUS_VALIDSIG:
      opd->only_newsig_seen = 0;
      return sig ? parse_valid_sig (sig, args, ctx->protocol)
	: trace_gpg_error (GPG_ERR_INV_ENGINE);

VALIDSIG is the modern version of GOODSIG.  Take care of it.


    case GPGME_STATUS_NODATA:
      opd->only_newsig_seen = 0;

Forget about NEWSIG.  The code in GPGME requires this here and for
several other status messages.

    case GPGME_STATUS_EOF:
      if (sig && !opd->did_prepare_new_sig)
	calc_sig_summary (sig);
      if (opd->only_newsig_seen && sig)
        {
          gpgme_signature_t sig2;
          /* The last signature has no valid information - remove it
             from the list. */

On EOF finalize the last signature.  If a NEWSIG has neen seen remove
the prepared information.

Proper verification is a bit complicate if you need to do this in the
most general way.  You can get away much easier in many cases.  For
example VALIDSIG gives you all the information about correctly verified
signatures.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list