Problem with verifying signatures in GPGME
Ingo Klöcker
kloecker at kde.org
Fri Apr 3 21:24:48 CEST 2026
On Freitag, 3. April 2026 16:14:49 Mitteleuropäische Sommerzeit Fabio
d'ORTOLI-GALERNEAU via Gnupg-devel wrote:
> I'm having a problem with a C++ code using GPGME and I was advised to
> ask about my problem here.
>
> The program is supposed to verify some signatures inputed in it.
> Basically it works for keys generated with my computer but not for some
> reason on ones that are not (it returns a 0 summary),
A 0 summary is a perfectly valid summary value. It indicates that none of the
conditions for a specific bit apply, i.e. the signature is neither "green"
(which mean it's good and the signer is at least fully trusted) nor "red"
(signature is bad) nor is the signature or the signing key expired or revoked
or ...
In other words, a 0 summary means: The signature is good (otherwise the RED
bit would be set), but the signer('s key) is not fully trusted.
> even if I tell it
> to ignore the trust database or to use tofu or whatever trust model.
Did you try with trust model "always"?
> I provided attached a toy version of the code that breaks, can you see
> anything wrong in it or is the problem somewhere else ?
I haven't looked at the code, but if you get a 0 summary for good signatures
with not fully trusted keys then your code probably works. The only problem
seems to be that you didn't expect 0 to be a valid summary value. (You are not
the first person being confused about a 0 summary.)
Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 265 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20260403/b7340bca/attachment.sig>
More information about the Gnupg-devel
mailing list