Bug? Vulnerability? gpgme_op_verify_result() can be made to return a list of zero signatures
Werner Koch
wk at gnupg.org
Mon Jun 15 12:24:15 CEST 2020
Hi!
On Mon, 15 Jun 2020 12:36, Justin Steven said:
> GPG_ERR_NO_ERROR but for gpgme_op_verify_result() to return a list of zero
> signatures. This feels like an erroneous condition to me, and with libgpgme
We already explained that this is a requirement for OpenPGP because
OpenPGP allows to embed a signature in encrypted data (combined method
in contrast to the rarely used MIME containers). Thus when calling the
decrypt function you can't know in advance whether there will be a
signature - not returning an error if there is no signature is proper
behaviour.
More important: Checking the signature is one thing; its result is
basically whether the data is corrupted. The more important step is to
check whether you can trust the key used to generate a signature; this
is basic crypto knowledge which can't be ignored even if you use "GnuPG
Made Easy". GPGME has mechanisms to do this in a not too complicated
way and of course it requires to loop over all signatures.
20 years ago when Debian started to sign packages it was figured that
this is not a trivial task and together we developed gpgv which is a
simple command line tool dedicated to check signatures against a fixed
set of keys. There is no gpgme support for gpgv because calling gpgv is
pretty straightforward.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20200615/df97cd97/attachment.sig>
More information about the Gnupg-users
mailing list