Hi! On Mon, 15 Jun 2020 12:36, Justin Steven said:
> GPG_ERR_NO_ERROR but for gpgme_op_verify_result() to return a list of zero
> signatures. This feels like an erroneous condition to me, and with libgpgme

We already explained that this is a requirement for OpenPGP because OpenPGP allows embedding a signature in encrypted data (combined method in contrast to the rarely used MIME containers). Thus when calling the decrypt function you can't know in advance whether there will be a signature - not returning an error if there is no signature is proper behaviour.

More important: Checking the signature is one thing; its result is basically whether the data is corrupted. The more important step is to check whether you can trust the key used to generate a signature; this is basic crypto knowledge which can't be ignored even if you use "GnuPG Made Easy". GPGME has mechanisms to do this in a not too complicated way and of course it requires looping over all signatures.

20 years ago when Debian started to sign packages it was figured that this is not a trivial task and together we developed gpgv which is a simple command line tool dedicated to check signatures against a fixed set of keys. There is no gpgme support for gpgv because calling gpgv is pretty straightforward.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
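The two checks discussed in this message (an empty signature list arriving without an error, and looping over every signature to check its key against a fixed set) are sketched below as an added example; it is not part of the original message and not GPGME code. `struct sig`, `check_signatures`, the verdict names and the fingerprints are hypothetical stand-ins constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for one entry of a verify result's signature list;
   these are not GPGME's own types. */
struct sig {
    const struct sig *next;
    int status_ok;   /* 1 = signature verified, i.e. data is not corrupted */
    const char *fpr; /* fingerprint of the signing key */
};

enum verdict { ACCEPT, REJECT_UNSIGNED, REJECT_BAD_SIG, REJECT_UNTRUSTED_KEY };

/* Constructed fingerprint standing in for the fixed set of accepted keys. */
static const char *const PINNED[] = { "0000000000000000000000000000000000000001" };

static int is_pinned(const char *fpr)
{
    for (size_t i = 0; fpr && i < sizeof PINNED / sizeof PINNED[0]; i++)
        if (strcmp(fpr, PINNED[i]) == 0)
            return 1;
    return 0;
}

/* Fail closed: an empty list is a rejection even though the operation itself
   reported no error, and every signature must be good AND from a pinned key. */
enum verdict check_signatures(const struct sig *list)
{
    if (list == NULL)
        return REJECT_UNSIGNED;
    for (const struct sig *s = list; s != NULL; s = s->next) {
        if (!s->status_ok)
            return REJECT_BAD_SIG;      /* data corrupted or wrong signature */
        if (!is_pinned(s->fpr))
            return REJECT_UNTRUSTED_KEY; /* valid signature, unknown signer */
    }
    return ACCEPT;
}

/* Constructed sample lists. */
static const struct sig STRANGER = { NULL, 1, "0000000000000000000000000000000000000002" };
static const struct sig GOOD = { NULL, 1, "0000000000000000000000000000000000000001" };
static const struct sig MIXED = { &STRANGER, 1, "0000000000000000000000000000000000000001" };
static const struct sig CORRUPT = { NULL, 0, "0000000000000000000000000000000000000001" };

int main(void)
{
    printf("%d %d %d %d\n", check_signatures(NULL), check_signatures(&GOOD),
           check_signatures(&MIXED), check_signatures(&CORRUPT));
    return 0;
}
```

The `MIXED` case shows why the loop has to cover the whole list: the first signature is from a pinned key, the second is not, and the strict policy chosen here rejects the data.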