Problem with verifying signatures in GPGME

Fabio d'ORTOLI-GALERNEAU fabio.d.ortoli-galerneau at ens.fr
Sat Apr 4 14:58:16 CEST 2026 

Hello,

Thank you for the clarification, the documentation was not fully clear 
to me to that matter, as I assumed the summary should display something 
when the signature is valid.

If I understand correctly the example code given as the documentation
# if ((sig.summary & GPGME_SIGSUM_VALID))
# {
# ..do stuff if valid..
# }
# else
# {
# ..do stuff if not fully valid..
# }
should be modified as
# if (!(sig.summary & GPGME_SIGSUM_RED))
for my purpose ? (which is just checking that a signed message is 
authentic, I will handle trust matters regarding the author separately).

> Did you try with trust model "always"?
I did, I checked all the options available as well as the special 
"no-auto-check-trustdb" flag, which is why I was confused it didn't work 
for foreign keys.

I would also note it would be good to signify on the mailing list page 
whether there are active moderators for mail coming from non-subscribed 
authors. I spent a lot of time waiting for previous mails to be sent to 
the list when I was not yet subscribed.

Best regards,
Fabio



Le 2026-04-03 21:24, Ingo Klöcker a écrit :
> On Freitag, 3. April 2026 16:14:49 Mitteleuropäische Sommerzeit Fabio
> d'ORTOLI-GALERNEAU via Gnupg-devel wrote:
>> I'm having a problem with a C++ code using GPGME and I was advised to
>> ask about my problem here.
>> 
>> The program is supposed to verify some signatures inputed in it.
>> Basically it works for keys generated with my computer but not for 
>> some
>> reason on ones that are not (it returns a 0 summary),
> 
> A 0 summary is a perfectly valid summary value. It indicates that none 
> of the
> conditions for a specific bit apply, i.e. the signature is neither 
> "green"
> (which mean it's good and the signer is at least fully trusted) nor 
> "red"
> (signature is bad) nor is the signature or the signing key expired or 
> revoked
> or ...
> 
> In other words, a 0 summary means: The signature is good (otherwise the 
> RED
> bit would be set), but the signer('s key) is not fully trusted.
> 
>> even if I tell it
>> to ignore the trust database or to use tofu or whatever trust model.
> 
> Did you try with trust model "always"?
> 
>> I provided attached a toy version of the code that breaks, can you see
>> anything wrong in it or is the problem somewhere else ?
> 
> I haven't looked at the code, but if you get a 0 summary for good 
> signatures
> with not fully trusted keys then your code probably works. The only 
> problem
> seems to be that you didn't expect 0 to be a valid summary value. (You 
> are not
> the first person being confused about a 0 summary.)
> 
> Regards,
> Ingo
> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel at gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnupg-devel

More information about the Gnupg-devel mailing list