GPGME: What does ‘0’ (zero) ‘signature.summary’ value mean?

Ben Finney ben+freesoftware at benfinney.id.au
Sun May 5 08:47:03 CEST 2024


Ingo Klöcker <kloecker at kde.org> writes:

> On Wednesday, 17 April 2024 04:08:12 CEST Ben Finney wrote:
> > $ gpg --status-fd 2 foo.txt.asc
> [...]
> > [GNUPG:] TRUST_UNDEFINED 0 pgp
> > gpg: WARNING: This key is not certified with a trusted signature!
>
> I think this is the important bit. If you look at the code snippet
> that Werner pasted then you'll see why `sum` isn't changed in this
> snippet. So, in this case 0 means good signature by an uncertified
> key.

If that's the meaning, surely this should be unambiguously encoded with
the Signature result attributes? Rather than "everything is zero", which
(as you point out) just seems to be some default when the conditions
were not as expected.

> It's up to you to decide what to make of this.

I make of this, that GPGME has a bug: It does not handle this normal
condition well. The message emitted shows GnuPG understands what
happened; but the result object from the GPGME API does not communicate
that information unambiguously.

So, please consider this thread a bug report to that effect. How do I
formalise this so it can be addressed as such?

-- 
 \        “Most people, I think, don't even know what a rootkit is, so |
  `\     why should they care about it?” —Thomas Hesse, Sony BMG, 2006 |
_o__)                                                                  |
Ben Finney
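
A caller-side reading of the case discussed in this thread, as an added example that is not part of the original message or of GPGME's own code. The flag and validity values are those defined in `gpgme.h`; the function names, the verdict strings, the pinned-fingerprint policy and the sample fingerprint are assumptions made for illustration.

```python
# Added example: interpret a GPGME signature result without treating
# summary == 0 as either "valid" or "bad". Fields are passed as plain ints.
SIGSUM = {  # GPGME_SIGSUM_* bit values from gpgme.h
    0x0001: "VALID", 0x0002: "GREEN", 0x0004: "RED",
    0x0010: "KEY_REVOKED", 0x0020: "KEY_EXPIRED", 0x0040: "SIG_EXPIRED",
    0x0080: "KEY_MISSING", 0x0100: "CRL_MISSING", 0x0200: "CRL_TOO_OLD",
    0x0400: "BAD_POLICY", 0x0800: "SYS_ERROR", 0x1000: "TOFU_CONFLICT",
}
# GPGME_VALIDITY_* in numeric order, 0 through 5
VALIDITY = ["UNKNOWN", "UNDEFINED", "NEVER", "MARGINAL", "FULL", "ULTIMATE"]


def decode_summary(summary):
    """Return the names of the bits set in signature.summary."""
    return [name for bit, name in SIGSUM.items() if summary & bit]


def classify(summary, status, validity, fpr, pinned_fprs):
    """Hypothetical policy helper: fail closed unless the result is explicit.

    status is a gpg_error_t; its low 16 bits are the error code
    (0 means no error), the upper bits name the error source.
    """
    code = status & 0xFFFF
    flags = decode_summary(summary)
    if code != 0 or "RED" in flags:
        return "reject"
    if "VALID" in flags and "GREEN" in flags:
        return "accept-trusted"
    if summary == 0 and VALIDITY[validity] in ("UNKNOWN", "UNDEFINED", "MARGINAL"):
        # The thread's case: the signature checks out cryptographically,
        # but the key is not certified. Accept only a key the application
        # has pinned itself; otherwise leave the decision to the user.
        return "accept-pinned" if fpr in pinned_fprs else "good-but-uncertified"
    return "reject"


# Constructed sample fingerprint, not a real key
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

if __name__ == "__main__":
    # TRUST_UNDEFINED from the quoted gpg output maps to validity 1
    print(classify(0, 0, 1, SAMPLE_FPR, set()))
    print(classify(0, 0, 1, SAMPLE_FPR, {SAMPLE_FPR}))
```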



