On 12/01/18 05:51, Werner Koch wrote:
> On Thu, 11 Jan 2018 07:19, [email protected] said:
>
>> I am looking for a way to extract the issuer key ID from a signature
>> file using gpgme without firstly having verified the signature.
>
> There is no API for this and I am not sure how to do this best. The
> straightforward method would be to let gpgme run something gpg --dry-run
> --verify but that might even need changes to gpg.
>
> In case you want to do that for a lot of files it might be too slow
> without changing gpg to be used as a co-process. A dedicated API for
> and a simple parser in GPGME might really be better. Note that we
> already have a limited OpenPGP parser in gpgme to implement
> gpgme_data_identify.

I had a look at src/data_identify.c. The current parser already detects
a signature subpacket, so it would "just" need to extract the issuer key
ID from that packet, which is fairly straightforward. There would also
be some refactoring needed to the parser to allow it to be used more
generally than it is currently able. If someone tells me what the
preferred API would look like, I can make a start on implementing this.

>> My software currently has a homemade sig file parser that extracts the key
>> ID from a number of signature files, then it confirms all needed keys
>> are in the keyring before going on to verify the files. I'd like to
>
> What are your assumptions on the number of files to test in one go?

This is the "pacman" package manager, so usual would be anywhere from
one to hundreds of files needing verified. The way Arch Linux is set up
to use it, every packager uses their own signing key, which is signed by
3+ fully trusted distribution master keys. So it is useful to verify all
signing keys are present in the keyring before processing the
verification.

Thanks,
Allan
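The kind of parser discussed in this message, as an added example (not code from GPGME's src/data_identify.c or from pacman): it reads the first packet of a binary, unarmored signature and returns the issuer key ID from a v3 signature's fixed field or a v4 Issuer subpacket (type 16, RFC 4880). The names `sig_issuer_keyid`, `find_issuer` and `sample_sig` are hypothetical, the sample bytes are constructed, and 4-octet packet lengths and partial lengths are assumed not to occur.

```c
#include <string.h>   /* memcpy, size_t */
static const unsigned char sample_sig[] = {   /* constructed bytes, not a valid signature */
    0xC2, 0x1D, 0x04, 0x00, 0x01, 0x08, 0x00, 0x06, 0x05, 0x02, 0x5A, 0x58, 0x3C, 0x00, 0x00, 0x0A,
    0x09, 0x10, 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x12, 0x34, 0x00, 0x08, 0xFF };

/* Find an Issuer subpacket (type 16) in one subpacket area; 0 on success. */
static int find_issuer(const unsigned char *a, size_t n, unsigned char out[8])
{
    size_t i = 0;
    while (i < n) {
        size_t len = a[i++];
        if (len == 255) {                       /* 5-octet subpacket length */
            if (n - i < 4) return -1;
            len = ((size_t)a[i] << 24) | (a[i+1] << 16) | (a[i+2] << 8) | a[i+3]; i += 4;
        } else if (len >= 192) {                /* 2-octet subpacket length */
            if (i >= n) return -1;
            len = ((len - 192) << 8) + a[i++] + 192;
        }
        if (len == 0 || len > n - i) return -1; /* length includes the type octet */
        if ((a[i] & 0x7f) == 16 && len == 9) { memcpy(out, a + i + 1, 8); return 0; }
        i += len;
    }
    return -1;
}

/* Issuer key ID of the first packet of a binary signature; 0 on success, -1 otherwise. */
int sig_issuer_keyid(const unsigned char *p, size_t n, unsigned char out[8])
{
    size_t i = 1, len, h, u;
    if (n < 2 || !(p[0] & 0x80)) return -1;
    if (p[0] & 0x40) {                          /* new-format header, tag must be 2 */
        if ((p[0] & 0x3f) != 2 || p[1] >= 224) return -1;
        len = p[i++];
        if (len >= 192) { if (i >= n) return -1; len = ((len - 192) << 8) + p[i++] + 192; }
    } else {                                    /* old-format header, 1- or 2-octet length */
        if (((p[0] >> 2) & 0x0f) != 2 || (p[0] & 3) > 1) return -1;
        len = p[i++];
        if (p[0] & 3) { if (i >= n) return -1; len = (len << 8) | p[i++]; }
    }
    if (len > n - i) return -1;                 /* truncated packet */
    p += i; n = len;                            /* p now points at the signature body */
    if (n >= 15 && p[0] == 3) { memcpy(out, p + 7, 8); return 0; }  /* v3: fixed offset */
    if (n < 8 || p[0] != 4) return -1;
    h = ((size_t)p[4] << 8) | p[5];             /* hashed subpacket area length */
    if (h > n - 8) return -1;
    u = ((size_t)p[6 + h] << 8) | p[7 + h];     /* unhashed subpacket area length */
    if (u > n - 8 - h) return -1;
    return find_issuer(p + 6, h, out) == 0 ? 0 : find_issuer(p + 8 + h, u, out);
}
```

An Issuer subpacket found in the unhashed area is not covered by the signature, so the returned key ID is only a lookup hint for checking the keyring; the signature still has to be verified afterwards.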
