GPGME: What does ‘0’ (zero) ‘signature.summary’ value mean?

[Ingo Klöcker]

On Mittwoch, 17. April 2024 04:08:12 CEST Ben Finney wrote:
> Ingo Klöcker <kloecker at kde.org> writes:
> > It would be helpful if you also gave us the public key.
> 
> Oh, I had expected a GnuPG client would fetch the key? It's part of the
> signed message metadata, so it should be automatically fetched from the
> key servers, I'd expect.

Only if auto‐key‐retrieve is enabled.

> Regardless, here is the URL to download that public key:
> 
>     <URL:
> https://keys.openpgp.org/search?q=517C+F14B+B2F3+98B0+CB35++4855+B8B2+4C06+
> AC12+8405>

$ curl https://keys.openpgp.org/vks/v1/by-fingerprint/
517CF14BB2F398B0CB354855B8B24C06AC128405 | gpg --import
gpg: key B8B24C06AC128405: no user ID
gpg: Total number processed: 1

gpg doesn't import keys without user ID. I found the key on another keyserver, 
but when I try to verify the test message Kleopatra tells me:

Signature created on Montag, 15. April 2024 01:32:13 CEST
With unavailable certificate:
ID: 0x6159E0F29E2FA412E0795C73F9B46AAC84420C82
You can search the certificate on a keyserver or import it from a file.

I guess the required subkey is missing on the certificate I could import. 
Searching the certificate 0x6159E0F29E2FA412E0795C73F9B46AAC84420C82 didn't 
yield any results.

> $ gpg --status-fd 2 foo.txt.asc
[...]
> [GNUPG:] TRUST_UNDEFINED 0 pgp
> gpg: WARNING: This key is not certified with a trusted signature!

I think this is the important bit. If you look at the code snippet that Werner 
pasted then you'll see why `sum` isn't changed in this snippet. So, in this 
case 0 means good signature by an uncertified key. It's up to you to decide 
what to make of this.

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20240502/4fd9b087/attachment.sig>