Re: [Bug 122721] New: app-crypt/gnupg: improper signature verification
On Mon, 13 Feb 2006 20:09:19 +0000, bugzilla-daemon said:
> The gpg man page states "RETURN VALUE, The program returns 0 if everything was
> fine, 1 if at least a signature was bad, and other error codes for fatal
> errors.", as gpg is often used as a backend the return value is often used to
> determine whether a signature verified correctly.
In general it is not sufficient to check just the return code.
Checking the trust values is also important unless you compate the
fingerprint of the key that verifies with a known list. In any case
you need to cope with the --status-fd output.
To make things easier gpgv provides signature verification based on a
keyring with trusted list. AFAIK, Debian uses just this. In this
case it is a real error not to return failure form gpg.
I have looked at this, fixed the problem and added s simple regression
test. The fix is in the SVN (svn://cvs.gnupg.org/gnupg/trunk).
I wonder why this problem has not been found earlier. We definitely
need more regression tests.