Extract signature key ID with gpgme

Allan McRae allan at archlinux.org
Sun Jan 14 02:24:43 CET 2018


On 12/01/18 05:51, Werner Koch wrote:
> On Thu, 11 Jan 2018 07:19, allan at archlinux.org said:
> 
>> I am looking for a way to extract the issuer key ID from a signature
>> file using gpgme without firstly having verified the signature.
> 
> There is no API for this and I am not sure how to do this best.  The
> straightforward method would be to let gpgme run something gpg --dry-run
> --verify but that might even need changes to gpg.
> 
> In case you want to do that for a lot of files it might be too slow
> without changing gpg to be used as a co-process.  A dedicated API for
> and a simple parser in GPGME might really be better.  Note that we
> already have a limited OpenPGP parser in gpgme to implement
> gpgme_data_identify. 

I had a look at src/data_identify.c.  The current parser already detects
a signature subpacket, so it would "just" need to extract the issuer key
ID from that packet, which is fairly straightforward.  There would also
be some refactoring needed to the parser to allow it to be used more
generally than it is currently able.  If someone tells me what the
preferred API would look like, I can make a start on implementing this.

>> My software currently has a homemade sig file parser that extracts the key
>> ID from a number of signature files, then it confirms all needed keys
>> are in the keyring before going onto verify the files.  I'd like to
> 
> What is your assumptions on the number of files to test in one go?

This is the "pacman" package manager, so usual would be anywhere from
one to hundreds of files needing to be verified.  The way Arch Linux is set up
to use it, every packager uses their own signing key, which is signed by
3+ fully trusted distribution master keys.  So it is useful to verify
all signing keys are present in the keyring before processing the
verification.

Thanks,
Allan
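The extraction Allan describes (reading the issuer key ID out of a detached signature's subpackets before any verification, so the needed keys can be checked against the keyring first) as an added, stand-alone illustration. This is not gpgme's data_identify.c and not pacman's parser; it is a small RFC 4880 packet/subpacket walker written for this thread. It handles v3 and v4 signature packets, old- and new-format packet headers, the Issuer (type 16) and Issuer Fingerprint (type 33) subpackets, and the `build_sample_signature` helper and its key IDs, timestamps and dummy MPI are constructed test data, not real signatures. Nothing it returns is trustworthy until the signature is actually verified; the key ID is only a hint for which key to look up.

```python
"""Added example (not gpgme or pacman code): read the issuer key ID out of a binary
OpenPGP signature file (RFC 4880 packet format) without verifying the signature."""
import struct

TAG_SIGNATURE = 2               # packet tag of a signature packet
SUBPKT_ISSUER = 16              # 8-byte issuer key ID subpacket
SUBPKT_ISSUER_FINGERPRINT = 33  # version octet + fingerprint (RFC 4880bis)


def read_packet_header(buf, off=0):
    """Parse a packet header (RFC 4880 4.2); returns (tag, body_offset, body_length)."""
    ctb = buf[off]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                                        # new-format header
        tag, first = ctb & 0x3F, buf[off + 1]
        if first < 192:
            return tag, off + 2, first
        if first < 224:
            return tag, off + 3, ((first - 192) << 8) + buf[off + 2] + 192
        if first == 255:
            return tag, off + 6, struct.unpack(">I", buf[off + 2:off + 6])[0]
        raise ValueError("partial body lengths are not supported")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03            # old-format header
    if ltype == 3:
        raise ValueError("indeterminate packet length is not supported")
    width = 1 << ltype                                    # 1, 2 or 4 length octets
    return tag, off + 1 + width, int.from_bytes(buf[off + 1:off + 1 + width], "big")


def iter_subpackets(data):
    """Yield (type, payload) for each signature subpacket (RFC 4880 5.2.3.1)."""
    off = 0
    while off < len(data):
        first = data[off]
        if first < 192:
            length, off = first, off + 1
        elif first < 255:
            length, off = ((first - 192) << 8) + data[off + 1] + 192, off + 2
        else:
            length, off = struct.unpack(">I", data[off + 1:off + 5])[0], off + 5
        if length == 0 or off + length > len(data):
            raise ValueError("malformed subpacket")
        yield data[off] & 0x7F, data[off + 1:off + length]   # bit 7 is the critical flag
        off += length


def issuer_key_id(sig):
    """Return the issuer key ID (16 uppercase hex chars) of the first signature packet."""
    tag, off, length = read_packet_header(sig)
    if tag != TAG_SIGNATURE:
        raise ValueError("first packet is not a signature (tag %d)" % tag)
    body = sig[off:off + length]
    if len(body) != length:
        raise ValueError("truncated signature packet")
    if body[0] == 3:                                      # v3: 03 05 sigtype time(4) keyid(8) ...
        if body[1] != 5:
            raise ValueError("malformed v3 signature")
        return body[7:15].hex().upper()
    if body[0] != 4:
        raise ValueError("unsupported signature version %d" % body[0])
    hashed_len = struct.unpack(">H", body[4:6])[0]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    subpackets = (list(iter_subpackets(body[6:pos]))
                  + list(iter_subpackets(body[pos + 2:pos + 2 + unhashed_len])))
    from_fpr = from_issuer = None
    for typ, payload in subpackets:
        if typ == SUBPKT_ISSUER_FINGERPRINT and len(payload) == 21 and payload[0] == 4:
            from_fpr = from_fpr or payload[-8:].hex().upper()    # v4 key ID = low 64 bits
        elif typ == SUBPKT_ISSUER and len(payload) == 8:
            from_issuer = from_issuer or payload.hex().upper()
    if from_fpr and from_issuer and from_fpr != from_issuer:
        raise ValueError("issuer fingerprint and issuer key ID subpackets disagree")
    key_id = from_fpr or from_issuer
    if key_id is None:
        raise ValueError("signature carries no issuer information")
    return key_id


def _subpacket(typ, payload):
    body = bytes([typ]) + payload
    return bytes([len(body)]) + body                      # one-octet length, fine below 192


def build_sample_signature(key_id_hex, fingerprint_hex=None, old_format=False):
    """Constructed v4 detached signature carrying the given issuer (not a valid signature)."""
    hashed = _subpacket(2, struct.pack(">I", 1515897600))              # creation time
    if fingerprint_hex:
        hashed += _subpacket(SUBPKT_ISSUER_FINGERPRINT, b"\x04" + bytes.fromhex(fingerprint_hex))
    unhashed = _subpacket(SUBPKT_ISSUER, bytes.fromhex(key_id_hex))
    body = (bytes([4, 0x00, 1, 8])                                      # v4, binary doc, RSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xAB\xCD" + struct.pack(">H", 8) + b"\x42")            # hash prefix + dummy MPI
    return bytes([0x88 if old_format else 0xC2, len(body)]) + body     # tag 2, one-octet length


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 \
        else build_sample_signature("0123456789ABCDEF")
    print(issuer_key_id(data))
```

Run it with a path to a binary `.sig` file, or with no argument to parse the constructed sample. The parser deliberately refuses a signature whose Issuer Fingerprint and Issuer subpackets disagree, since before verification both fields are attacker-controlled and an inconsistent pair is best treated as malformed rather than silently picking one; ASCII-armored input is not handled here and would need to be dearmored first.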


