Clarification on getting a validity reason in GPGME
Ingo Klöcker
kloecker at kde.org
Sun Nov 8 16:50:33 CET 2020
On Sonntag, 8. November 2020 02:27:57 CET John Scott via Gnupg-users wrote:
> Hi
>
> I'm writing a tool using GPGSM and want to print signature validation
> information without reinventing the wheel with case statements, also for the
> sake of localization. These members in gpgme_signature_t [1] seem to be
> what I'm looking for:
>
> gpgme_validity_t validity
> The validity of the signature.
> gpgme_error_t validity_reason
> If a signature is not valid, this provides a reason why.
>
> so I can get a string from the gpgme_error_t, although it appears to be
> conditional on the signature being invalid. That's not clear since
> gpgme_validity_t is an enumeration of
> GPGME_VALIDITY_{UNKNOWN, UNDEFINED, NEVER, MARGINAL,FULL, ULTIMATE}
In the C++ bindings the equivalent for validity_reason is, more appropriately,
called nonValidityReason. Also, validity refers to the (local) validity of the
certificate that was used to make the signature. As far as I can see, in case
of gpgsm validitity can take only three of the above mentioned 6 values:
* FULL (if the signature is good; the signature cannot be good if there is a
problem or an untrusted key in the certificate chain; in this case
validity_reason is 0)
* NEVER (if the certificate chain is invalid; in this case validity_reason
gives more details)
* UNDEFINED (if there was some other problem while validating the certificate
chain).
> I wonder if this is the case already and it's just a documentation quirk,
> but it'd be helpful if validity_reason were set to some value for good
> signatures, although this isn't technically an error.
As mentioned above the variable is just named badly. It would better have been
called non_validity_reason (as in the C++ binding).
I'm wondering what kind of reason do you expect for a good signature? I mean
there's exactly one reason for a good signature: The signature is
"cryptographically correct" and the certificate that was used to make the
signature is valid. In all other cases the signature is not good and then it
makes sense to ask for the reason why it's not good.
Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20201108/2f520043/attachment.sig>
More information about the Gnupg-users
mailing list