GPGME: Signature summary
Werner Koch
wk at gnupg.org
Fri Oct 16 14:26:38 CEST 2009
On Fri, 16 Oct 2009 11:22, mat69 at gmx.net said:
>> This sets another bit and thus the VALID flag is not anymore correct.
> This would imo apply to the current code as well.
Nope. The code sets the valid bit at the end of the function _only_ if
no other bits but GREEN are set. That is what VALID is about.
> The problem I have still remains though and is unaddressed, namely summary
> returning 0, a value that is not defined for gpgme_sigsum_t and imo that is
> not a good practice as it leaves the user in the cold of what is the case. So
I already mentioned that this indicates: Not enough information to tell
anything about the validity of the signature.
> And as I have pointed out this happens when GPGME_VALIDITY_UNKNOWN is set.
> Even if the signature is correct. So what is one supposed to do when summary
> returns 0?
You can't tell anything without further digging into the subject. The
mathematical correctness of the signature does not tell you anything.
It is not more than a checksum to spot errors on the transport channel.
What some programs do is to check the key used to create the signature
against a database of known keys and from that deduce that this is a
valid signature. This is what I mean with YELLOW state: Use other means
to see whether you drive through the crossing / take the signature as
valid.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
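
The decision logic discussed in this message, as an added example that is not part of the original post and not GPGME's own code: VALID is accepted, RED is rejected, and a summary of 0 stays undetermined unless the signing key is found in a local database of known keys. The bit values mirror gpgme_sigsum_t from gpgme.h; classify_signature, key_is_pinned and the fingerprint are hypothetical, and accepting a pinned key is a policy assumption of this example.

```c
#include <stddef.h>
#include <string.h>

/* Bit values mirror gpgme_sigsum_t in gpgme.h; redefined locally so the
   example builds without the library. */
enum { SUM_VALID = 0x0001, SUM_GREEN = 0x0002, SUM_RED = 0x0004 };

typedef enum { SIG_ACCEPT, SIG_REJECT, SIG_UNDETERMINED } sig_decision;

/* Hypothetical local database of known keys (constructed fingerprint). */
static const char *const known_keys[] = {
    "0123456789ABCDEF0123456789ABCDEF01234567",
};

static int key_is_pinned(const char *fpr)
{
    size_t i;

    if (fpr == NULL)
        return 0;
    for (i = 0; i < sizeof known_keys / sizeof known_keys[0]; i++)
        if (strcmp(fpr, known_keys[i]) == 0)
            return 1;
    return 0;
}

/* summary:   the summary field of a gpgme_signature_t
   status_ok: nonzero when gpg_err_code(sig->status) == GPG_ERR_NO_ERROR
   fpr:       the fpr field of the same signature */
sig_decision classify_signature(unsigned summary, int status_ok,
                                const char *fpr)
{
    if (summary & SUM_RED)
        return SIG_REJECT;        /* the signature is bad */
    if (summary & SUM_VALID)
        return SIG_ACCEPT;        /* set only when nothing but GREEN is set */

    /* summary == 0: not enough information. A mathematically correct
       signature alone proves nothing, so use other means: here, the
       key must be in the local database (assumed policy). */
    if (summary == 0 && status_ok && key_is_pinned(fpr))
        return SIG_ACCEPT;

    /* Everything else stays unresolved and must not be treated as valid. */
    return SIG_UNDETERMINED;
}
```
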