Bug? Vulnerability? gpgme_op_verify_result() can be made to return a list of zero signatures

Werner Koch wk at gnupg.org
Mon Jun 15 12:24:15 CEST 2020


On Mon, 15 Jun 2020 12:36, Justin Steven said:

> GPG_ERR_NO_ERROR but for gpgme_op_verify_result() to return a list of zero
> signatures. This feels like an erroneous condition to me, and with libgpgme

We already explained that this is a requirement for OpenPGP because
OpenPGP allows to embed a signature in encrypted data (combined method
in contrast to the rarely used MIME containers).  Thus when calling the
decrypt function you can't know in advance whether there will be a
signature - not returning an error if there is no signature is proper

More important: Checking the signature is one thing; its result is
basically whether the data is corrupted.  The more important step is to
check whether you can trust the key used to generate a signature; this
is basic crypto knowledge which can't be ignored even if you use "GnuPG
Made Easy".  GPGME has mechanisms to do this in a not too complicated
way and of course it requires to loop over all signatures.

20 years ago when Debian started to sign packages it was figured that
this is not a trivial task and together we developed gpgv which is a
simple command line tool dedicated to check signatures against a fixed
set of keys.  There is no gpgme support for gpgv because calling gpgv is
pretty straightforward.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20200615/df97cd97/attachment.sig>

More information about the Gnupg-users mailing list