Mailing List Archive: GnuPG: users

Details of signature verification status-fd lines



bmearns at ieee

Sep 22, 2009, 7:26 AM

Post #1 of 7 (1011 views)
Details of signature verification status-fd lines

Just a quick question on the --status-fd output from a --verify
operation: if EXPSIG, EXPKEYSIG, or REVKEYSIG are given, could
VALIDSIG or GOODSIG also show up? In other words, are these just for
more information on why a signature failed, or can they qualify the
"GOOD" and "VALID" outputs?

Thanks
-Brian

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users


wk at gnupg

Sep 22, 2009, 8:19 AM

Post #2 of 7 (941 views)
Re: Details of signature verification status-fd lines [In reply to]

On Tue, 22 Sep 2009 16:26, bmearns [at] ieee said:
> Just a quick question on the --status-fd output from a --verify
> operation: if EXPSIG, EXPKEYSIG, or REVKEYSIG are given, could
> VALIDSIG or GOODSIG also show up? In other words, are these just for

It depends. EXPKEYSIG for example may come in addition to VALIDSIG.
VALIDSIG is the modern version of GOODSIG. Except for the description
in doc/DETAILS we don't have a more specific description (it is on our
task list, though).

The best way to see what you can expect is to look at the gpgme code.
gpgme/src/verify.c computes the validity of signatures. Processing the
NEWSIG status line is in general a good idea so that you don't mix the
status lines given for different signatures.


Salam-Shalom,

Werner


--
Thoughts are free. Exceptions are regulated by a federal law.




bmearns at ieee

Sep 22, 2009, 8:50 AM

Post #3 of 7 (932 views)
Re: Details of signature verification status-fd lines [In reply to]

On Tue, Sep 22, 2009 at 11:19 AM, Werner Koch <wk [at] gnupg> wrote:
> On Tue, 22 Sep 2009 16:26, bmearns [at] ieee said:
>> Just a quick question on the --status-fd output from a --verify
>> operation: if EXPSIG, EXPKEYSIG, or REVKEYSIG are given, could
>> VALIDSIG or GOODSIG also show up? In other words, are these just for
>
> It depends.  EXPKEYSIG for example may come in addition to VALIDSIG.
> VALIDSIG is the modern version of GOODSIG.  Except for the description
> in doc/DETAILS we don't have a more specific description (it is on our
> task list, though).
>
> The best way to see what you can expect is to look at the gpgme code.
> gpgme/src/verify.c computes the validity of signatures.  Processing the
> NEWSIG status line is in general a good idea so that you don't mix the
> status lines given for different signatures.
>
>
> Salam-Shalom,
>
>   Werner
>
>
> --
> Thoughts are free.  Exceptions are regulated by a federal law.
>
>

Thanks for the response. So EXPKEYSIG doesn't mean the key was expired
when the signature was made, right? If that shows up along with
VALIDSIG, it's ok to trust the signature, correct? What about
REVKEYSIG? If a key is revoked, is there an easy way to know if the
signature was made prior to revocation, or would it be necessary to
just compare the stamps on the signature and the revocation?

Thanks,
-Brian

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net



wk at gnupg

Sep 23, 2009, 1:20 AM

Post #4 of 7 (930 views)
Re: Details of signature verification status-fd lines [In reply to]

On Tue, 22 Sep 2009 17:50, bmearns [at] ieee said:

> Thanks for the response. So EXPKEYSIG doesn't mean the key was expired
> when the signature was made, right? If that shows up along with

It means that the key has expired by now.

> VALIDSIG, it's ok to trust the signature, correct? What about

That is up to you. Usually you would show a message stating that the
key used to create the message meanwhile expired. Whether you take the
signature creation date into account and show a different message is up
to you. If a signer wants to use an expired key for signing he may as
well change the signature creation time.

> REVKEYSIG? If a key is revoked, is there an easy way to know if the
> signature was made prior to revocation, or would it be necessary to
> just compare the stamps on the signature and the revocation?

There is no way because you don't know why the key was revoked. Sure,
the revocation signature allows giving a reason for revocation and you
can take that into account, but if the key was compromised an attacker may
also create a revocation with a different reason (e.g. key superseded).
You can't tell who did the revocation.


Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.


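The two replies from Werner above describe how a consumer of `--status-fd` output should read it: group the status lines per signature starting at each NEWSIG, treat VALIDSIG as the modern GOODSIG, and read EXPKEYSIG and REVKEYSIG as qualifiers (the key has expired or been revoked by now) rather than as plain failures, with the trust decision left to the application. The following parser is an added example illustrating that reading; it is not code from the thread, from GnuPG, or from GPGME. The status lines it consumes are constructed sample input, the key IDs, fingerprints, user IDs and timestamps in it are made-up placeholders, and the verdict names are this example's own.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Every status line written to --status-fd starts with this prefix.
STATUS_PREFIX = "[GNUPG:] "


@dataclass
class SigResult:
    """Accumulated status for one signature (one NEWSIG block)."""
    keyid: Optional[str] = None          # long key ID from GOODSIG/EXPKEYSIG/REVKEYSIG/BADSIG
    fingerprint: Optional[str] = None    # from VALIDSIG
    sig_timestamp: Optional[str] = None  # signature creation time (epoch) from VALIDSIG
    checks_out: bool = False             # the signature itself verified cryptographically
    bad: bool = False                    # BADSIG or ERRSIG was seen
    key_expired: bool = False            # EXPKEYSIG: the key has expired by now
    key_revoked: bool = False            # REVKEYSIG: the key has been revoked
    sig_expired: bool = False            # EXPSIG: the signature itself has expired
    keywords: List[str] = field(default_factory=list)

    def verdict(self) -> str:
        """Collapse the qualifiers into one label for the caller's policy."""
        if self.bad or not self.checks_out:
            return "BAD"
        if self.key_revoked:
            # Per the thread: no way to know whether the signature predates a
            # revocation, since the revocation may have been made by an attacker.
            return "GOOD_KEY_REVOKED"
        if self.key_expired:
            return "GOOD_KEY_EXPIRED"
        if self.sig_expired:
            return "GOOD_SIG_EXPIRED"
        return "GOOD"


def parse_status(text: str) -> List[SigResult]:
    """Split --status-fd output into per-signature records at each NEWSIG."""
    sigs: List[SigResult] = []
    current: Optional[SigResult] = None
    for line in text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # not a status line (e.g. diagnostics mixed in)
        parts = line[len(STATUS_PREFIX):].split()
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw == "NEWSIG":
            current = SigResult()
            sigs.append(current)
            continue
        if current is None:
            # Tolerate output without NEWSIG by opening a record implicitly.
            current = SigResult()
            sigs.append(current)
        current.keywords.append(kw)
        if kw in ("GOODSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"):
            current.checks_out = True
            if args:
                current.keyid = args[0]
            current.key_expired |= kw == "EXPKEYSIG"
            current.key_revoked |= kw == "REVKEYSIG"
            current.sig_expired |= kw == "EXPSIG"
        elif kw == "VALIDSIG":
            current.checks_out = True
            if len(args) >= 3:
                current.fingerprint = args[0]
                current.sig_timestamp = args[2]
        elif kw in ("BADSIG", "ERRSIG"):
            current.bad = True
            if args:
                current.keyid = args[0]
    return sigs


def verdicts(text: str) -> List[str]:
    return [s.verdict() for s in parse_status(text)]


# Constructed sample: three signatures on one message. Key IDs, fingerprints,
# user IDs and timestamps are placeholders, not real keys.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Sample User <sample@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2009-09-22 1253618400 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG FEDCBA9876543210 Old Key <old@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2009-09-22 1253618400 0 4 0 1 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 1111222233334444 Tampered <tampered@example.org>
"""

if __name__ == "__main__":
    for sig in parse_status(SAMPLE_STATUS):
        print(sig.keyid, sig.verdict(), sig.keywords)
```

The record for the second signature shows the case asked about in the thread: EXPKEYSIG and VALIDSIG arrive together, so the signature verified but the key has since expired; whether to accept it, and whether to compare `sig_timestamp` against the key's expiry, is the caller's policy. A revoked key yields `GOOD_KEY_REVOKED`, which a cautious application should treat as untrusted regardless of timestamps for the reason Werner gives.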


bmearns at ieee

Sep 23, 2009, 7:16 AM

Post #5 of 7 (922 views)
Re: Details of signature verification status-fd lines [In reply to]

On Wed, Sep 23, 2009 at 4:20 AM, Werner Koch <wk [at] gnupg> wrote:
> On Tue, 22 Sep 2009 17:50, bmearns [at] ieee said:
>
>> Thanks for the response. So EXPKEYSIG doesn't mean the key was expired
>> when the signature was made, right? If that shows up along with
>
> It means that the key has expired by now.
>
>> VALIDSIG, it's ok to trust the signature, correct? What about
>
> That is up to you.  Usually you would show a message stating that the
> key used to create the message meanwhile expired.  Whether you take the
> signature creation date into account and show a different message is up
> to you.  If a signer wants to use an expired key for signing he may as
> well change the signature creation time.
>
>> REVKEYSIG? If a key is revoked, is there an easy way to know if the
>> signature was made prior to revocation, or would it be necessary to
>> just compare the stamps on the signature and the revocation?
>
> There is no way because you don't know why the key was revoked.  Sure,
> the revocation signature allows giving a reason for revocation and you
> can take that into account, but if the key was compromised an attacker may
> also create a revocation with a different reason (e.g. key superseded).
> You can't tell who did the revocation.
>
>
> Salam-Shalom,
>
>   Werner
>
> --
> Thoughts are free.  Exceptions are regulated by a federal law.
>
>

Great, thanks for the help, Werner.

By the way, are there any python or PHP bindings for GPGME?

-Brian

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net



wk at gnupg

Sep 23, 2009, 9:22 AM

Post #6 of 7 (924 views)
Re: Details of signature verification status-fd lines [In reply to]

On Wed, 23 Sep 2009 16:16, bmearns [at] ieee said:

> By the way, are there any python or PHP bindings for GPGME?

Yes, there are several of them and we should really compile a list of
them or actually add them to the distribution.


Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.




John at Mozilla-Enigmail

Sep 23, 2009, 9:53 AM

Post #7 of 7 (930 views)
Re: Details of signature verification status-fd lines [In reply to]

Werner Koch wrote:
> On Wed, 23 Sep 2009 16:16, bmearns [at] ieee said:
>
>> By the way, are there any python or PHP bindings for GPGME?
>
> Yes, there are several of them and we should really compile a list of
> them or actually add them to the distribution.

It would be a huge help if added to the distro, Werner. Compiling a list would
be a nice bonus for those who already have GPGME downloaded or installed.

I was working on updating an application in Pascal that used the old GPGME api
and knocked it to the backburner when I couldn't find updated Pascal bindings.
(It was free work)

--
John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
mailto:pgp-public-keys [at] gingerbear?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
Attachments: signature.asc (0.66 KB)
