hi all

i do not quite understand how i should interpret the result of `gpgme_op_verify_result(ctx)`. using gpg for my two files `foo` and `bar` i obtain what i expected.

```
$ gpg --verify foo
gpg: Signature made Thu 02 Oct 2008 10:32:46 AM CEST using DSA key ID 515E30C7
gpg: Good signature from "Ivo Alxneit (work) <[EMAIL PROTECTED]>"
gpg: aka "Ivo Alxneit (privat, old) <[EMAIL PROTECTED]>"
gpg: aka "Ivo Alxneit (privat) <[EMAIL PROTECTED]>"
```

-> good signature from "trusted" key

```
$ gpg --verify bar
gpg: Signature made Tue 23 Sep 2008 05:05:00 PM CEST using RSA key ID 70B61F81
gpg: Good signature from "Timestamp Service <[EMAIL PROTECTED]>" [uncertain]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4B 12 BC D5 78 85 11 06 3B 54 31 90 E0 9D F3 06
```

-> good signature from "untrusted" key

i then use the following code to verify the signatures using gpgme (version 1.1.6)

```
gpgme_op_verify(ctx, sig, NULL, text);
result = gpgme_op_verify_result(ctx);
s = result->signatures;
while (s) {
    fprintf(stdout, "\nsummary=%d\n", s->summary);
    fprintf(stdout, "fpr=%s\n", s->fpr);
    fprintf(stdout, "status=%d\n", s->status);
    fprintf(stdout, "timestamp=%lu\n", s->timestamp);
    fprintf(stdout, "wrong_key_usage=%u\n", s->wrong_key_usage);
    fprintf(stdout, "pka_trust=%u\n", s->pka_trust);
    fprintf(stdout, "chain_model=%u\n", s->chain_model);
    fprintf(stdout, "validity=%d\n", s->validity);
    fprintf(stdout, "validity_reason=%d\n", s->validity_reason);
    fprintf(stdout, "key=%d\n", s->pubkey_algo);
    fprintf(stdout, "hash=%d\n", s->hash_algo);
    s = s->next;
}
```

this seems to work fine. but i do not understand all of the result structure.

for `foo` i obtain

```
summary=3 (GPGME_SIGSUM_VALID + GPGME_SIGSUM_GREEN)
fpr=D0E3ADE78E893E9CAEC1E2F401DEC213515E30C7
status=0
timestamp=1222936366
wrong_key_usage=0
pka_trust=0
chain_model=0
validity=4 (GPGME_VALIDITY_FULL)
validity_reason=0
key=17
hash=2
```

why not validity=5 (GPGME_VALIDITY_ULTIMATE) as my key has validity and trust set to ultimate?

```
$ gpg --edit-key 0x515e30c7
Secret key is available.

pub  1024D/515E30C7  created: 2002-02-11  expires: never  usage: SCA
                     trust: ultimate      validity: ultimate
sub  2048g/0503D66E  created: 2002-02-11  expires: never  usage: E
```

for `bar` i obtain

```
summary=0 (??)
fpr=4B12BCD5788511063B543190E09DF306
status=0
timestamp=1222182300
wrong_key_usage=0
pka_trust=0
chain_model=0
validity=0 (GPGME_VALIDITY_UNKNOWN)
validity_reason=0
key=1
hash=1
```

why not summary=2 (GPGME_SIGSUM_GREEN)?

so how is the correct / intended way to detect a good signature made by an untrusted key?

thanks for the help

--
Dr. Ivo Alxneit
Laboratory for Solar Technology    phone: +41 56 310 4092
Paul Scherrer Institute            fax: +41 56 310 2688
CH-5232 Villigen                   http://solar.web.psi.ch
Switzerland                        gnupg key: 0x515E30C7
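
Added example, not part of the original post and not gpgme's own code: one way to turn the fields printed above into a three-way verdict, including the case where the signature list is empty. The struct `sig_view`, the verdict names and the chained samples are hypothetical stand-ins so the block compiles without gpgme; with the real library you would pass `gpg_err_code(s->status)`, `s->summary` and `s->validity`.

```c
#include <stddef.h>

/* Values mirror gpgme.h; 1, 2, 0, 4 and 5 are the ones quoted in the post. */
enum { SIGSUM_VALID = 0x0001, SIGSUM_GREEN = 0x0002, SIGSUM_RED = 0x0004 };
enum { VALIDITY_UNKNOWN = 0, VALIDITY_FULL = 4, VALIDITY_ULTIMATE = 5 };

/* Hypothetical stand-in for the gpgme_signature_t fields the post prints. */
struct sig_view {
    unsigned summary;
    unsigned status_code;            /* 0 == GPG_ERR_NO_ERROR */
    int validity;
    const struct sig_view *next;
};

enum verdict { SIG_BAD = 0, SIG_GOOD_UNTRUSTED = 1, SIG_GOOD_TRUSTED = 2 };

enum verdict classify_one(const struct sig_view *s)
{
    /* Any status error or the RED bit: treat as not verified. */
    if (s->status_code != 0 || (s->summary & SIGSUM_RED))
        return SIG_BAD;
    /* Policy of this example: require the VALID bit and validity >= FULL. */
    if ((s->summary & SIGSUM_VALID) && s->validity >= VALIDITY_FULL)
        return SIG_GOOD_TRUSTED;
    /* Signature checks out (status 0) but the key is not trusted: the `bar` case. */
    return SIG_GOOD_UNTRUSTED;
}

/* Weakest verdict over all signatures; an empty list verifies nothing. */
enum verdict classify_all(const struct sig_view *s)
{
    enum verdict worst = SIG_GOOD_TRUSTED;
    if (s == NULL)
        return SIG_BAD;
    for (; s != NULL; s = s->next) {
        enum verdict v = classify_one(s);
        if (v < worst)
            worst = v;
    }
    return worst;
}

/* Constructed samples using the values reported for `bar` and `foo`;
 * chaining them into one list is only to exercise classify_all. */
const struct sig_view sample_bar = { 0, 0, VALIDITY_UNKNOWN, NULL };
const struct sig_view sample_foo = { 3, 0, VALIDITY_FULL, &sample_bar };
```

Treating a NULL signature list as a failure matters because a verify call that returns without error does not by itself mean any signature was present.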