okay, final mail on this issue today:
On Tue, 6 Sep 2016, Johannes Schindelin wrote:
> Your original issue seemed to be that the gpg command could succeed, but
> still no signature be seen. There *must* be a way to test whether the
> called program added a signature, simply by testing whether *any*
> characters were written.
> And if characters were written that were not actually a GPG signature,
> maybe the enterprisey user who configured the gpg command to be her magic
> script actually meant something else than a GPG signature to be added?
I actually just saw that this is *precisely* what the code does already:
if (ret || signature->len == bottom)
return error(_("gpg failed to sign the data"));
Why is this not good enough?