ivo.alxneit at psi
Oct 22, 2008, 4:33 AM
Post #1 of 2
(555 views)
Permalink
|
|
how to identify a good signature by an untrusted key with gpgme 1.1.7
|
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
hi all
i do not quite understand how i should interpret the result of
`gpgme_op_verify_result(ctx)`.
using gpg for my two files `foo` and `bar` i obtain what i expected.
$ gpg --verify foo
gpg: Signature made Thu 02 Oct 2008 10:32:46 AM CEST using DSA key ID
515E30C7
gpg: Good signature from "Ivo Alxneit (work) <ivo.alxneit [at] psi>"
gpg: aka "Ivo Alxneit (privat, old) <ialx [at] datacomm>"
gpg: aka "Ivo Alxneit (privat) <ialx [at] tiscalinet>"
- -> good signature from "trusted" key
$ gpg --verify bar
gpg: Signature made Tue 23 Sep 2008 05:05:00 PM CEST using RSA key ID
70B61F81
gpg: Good signature from "Timestamp Service <stamper [at] itconsult>"
[uncertain]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the
owner.
Primary key fingerprint: 4B 12 BC D5 78 85 11 06 3B 54 31 90 E0 9D F3 06
- -> good signature from "untrusted" key
i then use the following code to verify the signatures using gpgme
(version 1.1.7, gpg-1.4.5)
gpgme_op_verify(ctx, sig, NULL, text);
result = gpgme_op_verify_result(ctx);
s = result->signatures;
while (s) {
fprintf(stdout, "\nsummary=%d\n", s->summary);
fprintf(stdout, "fpr=%s\n", s->fpr);
fprintf(stdout, "status=%d\n", s->status);
fprintf(stdout, "timestamp=%lu\n", s->timestamp);
fprintf(stdout, "wrong_key_usage=%u\n", s->wrong_key_usage);
fprintf(stdout, "pka_trust=%u\n", s->pka_trust);
fprintf(stdout, "chain_model=%u\n", s->chain_model);
fprintf(stdout, "validity=%d\n", s->validity);
fprintf(stdout, "validity_reason=%d\n", s->validity_reason);
fprintf(stdout, "key=%d\n", s->pubkey_algo);
fprintf(stdout, "hash=%d\n", s->hash_algo);
s = s->next;
}
this seems to work fine but i do not understand all of the result
structure.
for `foo` i obtain
summary=3 (GPGME_SIGSUM_VALID + GPGME_SIGSUM_GREEN)
fpr=D0E3ADE78E893E9CAEC1E2F401DEC213515E30C7
status=0
timestamp=1222936366
wrong_key_usage=0
pka_trust=0
chain_model=0
validity=4 (GPGME_VALIDITY_FULL)
validity_reason=0
key=17
hash=2
why not validity=5 (GPGME_VALIDITY_ULTIMTE) as my key hast validity and
trust set to ultimate.
$ gpg --edit-key 0x515e30c7
Secret key is available.
pub 1024D/515E30C7 created: 2002-02-11 expires: never usage: SCA
trust: ultimate validity: ultimate
sub 2048g/0503D66E created: 2002-02-11 expires: never usage: E
for `bar` i obtain
summary=0 (??)
fpr=4B12BCD5788511063B543190E09DF306
status=0
timestamp=1222182300
wrong_key_usage=0
pka_trust=0
chain_model=0
validity=0 (GPGME_VALIDITY_UNKNOWN)
validity_reason=0
key=1
hash=1
why not summary=2 (GPGME_SIGSUM_GREEN)
so how ist the correct / intended way to detect a good signature made by
an untrusted key?
thanks for the help
please cc me, i have not subscribed to the list
- --
Dr. Ivo Alxneit
Laboratory for Solar Technology phone: +41 56 310 4092
Paul Scherrer Institute fax: +41 56 310 2688
CH-5232 Villigen http://solar.web.psi.ch
Switzerland gnupg key: 0x515E30C7
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Red Hat - http://enigmail.mozdev.org
iD8DBQFI/x2WAd7CE1FeMMcRAhoCAKCOom07JVFqgR3GrMcR/pBNqNcQgQCglQKl
mBPJCVr/Q2kDc/KRsSkCKko=
=3Fn3
-----END PGP SIGNATURE-----
_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
|
