GPGME: What does ‘0’ (zero) ‘signature.summary’ value mean?
Howdy,

What is the meaning of a GPGME `signature` result with `summary` value 0
(zero)?

The `verify` operation returns (among other things) a collection of
`signature` results derived from the input data. Each `signature` is of
type `gpgme_signature_t`; that object has a `summary` attribute, of type
`gpgme_sigsum_t`.

The value of `gpgme_sigsum_t` is a bitmap structure; the
`gpgme_signature_t` documentation describes all the meanings of those
flags.
<URL: https://www.gnupg.org/documentation/manuals/gpgme/Verify.html#index-gpgme_005fsignature_005ft>


From my reading of that documentation, zero is not a meaningful
`gpgme_sigsum_t` value; the value should either have the
`GPGME_SIGSUM_VALID` bit set (if the signature is valid), or some other
combination of bits should be set. A zero `summary` (with no bits set)
does not seem a possible result from that library.

When I use the `verify` operation [0] (passing an inline signed data
stream, read from a text file), the result is meaningful: no error, the
`signature` results have the expected keys and timestamp etc, but each
has a `summary` value of 0.

What does this value mean; what user-level meaning does it represent?

How is the meaning of `summary` value 0 different from `GPGME_SIGSUM_VALID`?
How is its meaning different from any other possible `summary` value?


[0]: If it matters, I am using the Python PyGPGME wrapper.
<URL: https://pygpgme.readthedocs.io/en/latest/api.html>
From what I can tell the wrapper is simply exposing the GPGME
interface with Python objects, so I believe the questions above are
all about the underlying GPGME library API.

--
\ “A thing moderately good is not so good as it ought to be.
`\ Moderation in temper is always a virtue; but moderation in
_o__) principle is always a vice.” —Thomas Paine
Ben Finney


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-devel
Re: GPGME: What does ‘0’ (zero) ‘signature.summary’ value mean?
On Fri, 12 Apr 2024 17:30, Ben Finney said:

> What is the meaning of a GPGME `signature` result with `summary` value 0
> (zero)?

There might be a bug in the code. We have not touched it in the last 20
years, though.

First the flags are computed.

/* Calculate the red/green flag. */
if (sig->validity == GPGME_VALIDITY_FULL
    || sig->validity == GPGME_VALIDITY_ULTIMATE)
  {
    if (gpg_err_code (sig->status) == GPG_ERR_NO_ERROR
        || gpg_err_code (sig->status) == GPG_ERR_SIG_EXPIRED
        || gpg_err_code (sig->status) == GPG_ERR_KEY_EXPIRED)
      sum |= GPGME_SIGSUM_GREEN;
  }
else if (sig->validity == GPGME_VALIDITY_NEVER)
  {
    if (gpg_err_code (sig->status) == GPG_ERR_NO_ERROR
        || gpg_err_code (sig->status) == GPG_ERR_SIG_EXPIRED
        || gpg_err_code (sig->status) == GPG_ERR_KEY_EXPIRED)
      sum |= GPGME_SIGSUM_RED;
  }
else if (gpg_err_code (sig->status) == GPG_ERR_BAD_SIGNATURE)
  sum |= GPGME_SIGSUM_RED;

Further on, the SUM is not modified if we see no error or bad signature.
Thus there are cases - depending on the signature validity and the error
code - when SUM might still be zero. A new error code emitted by gpg could
result in this behaviour.

Do you have an example?


Salam-Shalom,

Werner


--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
Re: GPGME: What does ‘0’ (zero) ‘signature.summary’ value mean?
Werner Koch via Gnupg-devel <gnupg-devel@gnupg.org> writes:

> There might be a bug in the code. We have not touched it in the last
> 20 years, though.

Thank you, I hope it's as simple as a bug.

> […] there are cases - depending on the signature validity and the
> error code when SUM might still be zero. A new error code emitted by
> gpg could result in this behaviour.
>
> Do you have an example?

Included in this message is a Python program ‘verify_test.py’. That
program makes use of the ‘python-gpg’ library, the Python wrapper of
GPGME.

The program includes inline a clear-signed message, and when run it will
use ‘gpg.Context.verify’ to verify the message. It then reports the
result of that call.

Here is the session where I run the program:

=====
$ python3 verify_test.py
GnuPG verify message from file ‘<inline literal text>’:
‘gpg.Context.verify’ returned result: VerifyResult(file_name=None,
is_mime=0, signatures=[Signature(chain_model=False, exp_timestamp=0,
fpr='6159E0F29E2FA412E0795C73F9B46AAC84420C82', hash_algo=8,
is_de_vs=False, key=None, notations=[], pka_address=None, pka_trust=0,
pubkey_algo=1, status=0, summary=0, timestamp=1713137533, validity=0,
validity_reason=0, wrong_key_usage=False)])
Signature at index 0: Signature(chain_model=False, exp_timestamp=0,
fpr='6159E0F29E2FA412E0795C73F9B46AAC84420C82', hash_algo=8,
is_de_vs=False, key=None, notations=[], pka_address=None, pka_trust=0,
pubkey_algo=1, status=0, summary=0, timestamp=1713137533, validity=0,
validity_reason=0, wrong_key_usage=False)
=====

You can see that the ‘verify’ call succeeds (no error is raised), and
there is a single attached Signature.

That Signature, though it has a valid timestamp and fingerprint, has ‘0’
for all of ‘pka_trust’, ‘status’, ‘summary’, ‘validity’, and
‘validity_reason’.
Re: GPGME: What does ‘0’ (zero) ‘signature.summary’ value mean?
On Montag, 15. April 2024 06:01:21 CEST Ben Finney wrote:
> Werner Koch via Gnupg-devel <gnupg-devel@gnupg.org> writes:
> > Do you have an example?
>
> Included in this message is a Python program ‘verify_test.py’. That
> program makes use of the ‘python-gpg’ library, the Python wrapper of
> GPGME.
>
> The program includes inline a clear-signed message, and when run it will
> use ‘gpg.Context.verify’ to verify the message. It then reports the
> result of that call.

It would be helpful if you also gave us the public key. Because now I get
```
$ gpg --status-fd 2
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: Go ahead and type your message ...
...
[GNUPG:] NEWSIG
gpg: Signature made Mo 15 Apr 2024 01:32:13 CEST
gpg: using RSA key 6159E0F29E2FA412E0795C73F9B46AAC84420C82
[GNUPG:] ERRSIG F9B46AAC84420C82 1 8 01 1713137533 9 6159E0F29E2FA412E0795C73F9B46AAC84420C82
[GNUPG:] NO_PUBKEY F9B46AAC84420C82
gpg: Can't check signature: No public key
```

Please also provide the output you get when you run `gpg --status-fd 2` on the
message.

Regards,
Ingo
Re: GPGME: What does ‘0’ (zero) ‘signature.summary’ value mean?
Ingo Klöcker <kloecker@kde.org> writes:

> It would be helpful if you also gave us the public key.

Oh, I had expected a GnuPG client would fetch the key? It's part of the
signed message metadata, so it should be automatically fetched from the
key servers, I'd expect.

Regardless, here is the URL to download that public key:

<URL: https://keys.openpgp.org/search?q=517C+F14B+B2F3+98B0+CB35++4855+B8B2+4C06+AC12+8405>

> Please also provide the output you get when you run `gpg --status-fd
> 2` on the message.

Here is the session:

=====
$ gpg --status-fd 2 foo.txt.asc
gpg: WARNING: no command supplied. Trying to guess what you mean ...
[GNUPG:] PLAINTEXT 74 0
[GNUPG:] NEWSIG
gpg: Signature made Mon 15 Apr 2024 09:32:13 AEST
gpg: using RSA key 6159E0F29E2FA412E0795C73F9B46AAC84420C82
[GNUPG:] KEYEXPIRED 1446855895
[GNUPG:] KEYEXPIRED 1541729896
[GNUPG:] KEYEXPIRED 1650968464
[GNUPG:] KEY_CONSIDERED 517CF14BB2F398B0CB354855B8B24C06AC128405 0
[GNUPG:] SIG_ID R7hUtvOTHhmxxN8Fpqx8OxQtJ2w 2024-04-14 1713137533
[GNUPG:] KEYEXPIRED 1446855895
[GNUPG:] KEYEXPIRED 1541729896
[GNUPG:] KEYEXPIRED 1650968464
[GNUPG:] KEY_CONSIDERED 517CF14BB2F398B0CB354855B8B24C06AC128405 0
[GNUPG:] GOODSIG F9B46AAC84420C82 Ben Finney <ben@benfinney.id.au>
gpg: Good signature from "Ben Finney <ben@benfinney.id.au>" [unknown]
gpg: aka "Ben Finney (White Tree) <bignose@whitetree.org>" [unknown]
gpg: aka "Ben Finney (Free Software Foundation) <bignose@member.fsf.org>" [unknown]
gpg: aka "Ben Finney (Debian) <ben+debian@benfinney.id.au>" [unknown]
gpg: aka "[jpeg image of size 8917]" [unknown]
gpg: aka "[jpeg image of size 6222]" [unknown]
gpg: aka "Ben Finney <bignose@whitetree.org>" [unknown]
gpg: aka "Ben Finney <bignose@member.fsf.org>" [unknown]
gpg: aka "Ben Finney <ben+debian@benfinney.id.au>" [unknown]
gpg: aka "Ben Finney (Debian Project) <bignose@debian.org>" [unknown]
[GNUPG:] VALIDSIG 6159E0F29E2FA412E0795C73F9B46AAC84420C82 2024-04-14 1713137533 0 4 0 1 8 01 517CF14BB2F398B0CB354855B8B24C06AC128405
[GNUPG:] KEYEXPIRED 1446855895
[GNUPG:] KEYEXPIRED 1541729896
[GNUPG:] KEYEXPIRED 1650968464
[GNUPG:] KEY_CONSIDERED 517CF14BB2F398B0CB354855B8B24C06AC128405 0
[GNUPG:] KEYEXPIRED 1446855895
[GNUPG:] KEYEXPIRED 1541729896
[GNUPG:] KEYEXPIRED 1650968464
[GNUPG:] KEY_CONSIDERED 517CF14BB2F398B0CB354855B8B24C06AC128405 0
[GNUPG:] TRUST_UNDEFINED 0 pgp
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 517C F14B B2F3 98B0 CB35 4855 B8B2 4C06 AC12 8405
Subkey fingerprint: 6159 E0F2 9E2F A412 E079 5C73 F9B4 6AAC 8442 0C82
=====

So, the key is expired; but this (correctly) does not cause the
signature verification to fail.

--
\ “Some subjects are so serious that one can only joke about |
`\ them.” —Niels Bohr |
_o__) |
Ben Finney

Re: GPGME: What does ‘0’ (zero) ‘signature.summary’ value mean?
Ben Finney <ben+freesoftware@benfinney.id.au> writes:

> Werner Koch via Gnupg-devel <gnupg-devel@gnupg.org> writes:
>
> > Do you have an example?
>
> Included in this message is a Python program ‘verify_test.py’. […]
>
> You can see that the ‘verify’ call succeeds (no error is raised), and
> there is a single attached Signature.
>
> That Signature, though it has a valid timestamp and fingerprint, has ‘0’
> for all of ‘pka_trust’, ‘status’, ‘summary’, ‘validity’, and
> ‘validity_reason’.

Has this helped understand the problem? What more diagnostic information
can I provide?

I am trying to make use of GPGME (via the Python wrapper) to verify
signatures and interpret the result using the documented API.

--
\ “If you always want the latest and greatest, then you have to |
`\ buy a new iPod at least once a year.” —Steve Jobs, MSNBC |
_o__) interview 2006-05-25 |
Ben Finney

Re: GPGME: What does ‘0’ (zero) ‘signature.summary’ value mean?
On Mittwoch, 17. April 2024 04:08:12 CEST Ben Finney wrote:
> Ingo Klöcker <kloecker@kde.org> writes:
> > It would be helpful if you also gave us the public key.
>
> Oh, I had expected a GnuPG client would fetch the key? It's part of the
> signed message metadata, so it should be automatically fetched from the
> key servers, I'd expect.

Only if auto-key-retrieve is enabled.

> Regardless, here is the URL to download that public key:
>
> <URL: https://keys.openpgp.org/search?q=517C+F14B+B2F3+98B0+CB35++4855+B8B2+4C06+AC12+8405>

$ curl https://keys.openpgp.org/vks/v1/by-fingerprint/517CF14BB2F398B0CB354855B8B24C06AC128405 | gpg --import
gpg: key B8B24C06AC128405: no user ID
gpg: Total number processed: 1

gpg doesn't import keys without user ID. I found the key on another keyserver,
but when I try to verify the test message Kleopatra tells me:

Signature created on Montag, 15. April 2024 01:32:13 CEST
With unavailable certificate:
ID: 0x6159E0F29E2FA412E0795C73F9B46AAC84420C82
You can search the certificate on a keyserver or import it from a file.

I guess the required subkey is missing on the certificate I could import.
Searching the certificate 0x6159E0F29E2FA412E0795C73F9B46AAC84420C82 didn't
yield any results.

> $ gpg --status-fd 2 foo.txt.asc
[...]
> [GNUPG:] TRUST_UNDEFINED 0 pgp
> gpg: WARNING: This key is not certified with a trusted signature!

I think this is the important bit. If you look at the code snippet that Werner
pasted then you'll see why `sum` isn't changed in this snippet. So, in this
case 0 means good signature by an uncertified key. It's up to you to decide
what to make of this.

Regards,
Ingo
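Added example, not code from this thread or from GPGME itself: a Python transcription of the red/green flag computation Werner quoted, plus a helper that applies Ingo's reading (status 0 with summary 0 is a good signature by an uncertified key) to the field values Ben's verify_test.py session printed. The constant names follow gpgme.h and gpg-error.h, but their numeric values are assumptions made for this example.

```python
from enum import IntEnum, IntFlag

# Names are those of gpgme.h / gpg-error.h; the numeric values are assumed
# for this example and were not taken from the thread.
GPG_ERR_CODE_MASK = 0xFFFF                       # gpg_err_code(): low 16 bits
GPG_ERR_NO_ERROR, GPG_ERR_BAD_SIGNATURE = 0, 8
GPG_ERR_KEY_EXPIRED, GPG_ERR_SIG_EXPIRED = 153, 154

class Validity(IntEnum):                         # gpgme_validity_t
    UNKNOWN, UNDEFINED, NEVER, MARGINAL, FULL, ULTIMATE = range(6)

class SigSum(IntFlag):                           # gpgme_sigsum_t bits
    VALID = 0x0001
    GREEN = 0x0002
    RED = 0x0004

def red_green_flags(validity: int, status: int) -> SigSum:
    """Python transcription of the red/green computation Werner quoted."""
    code = status & GPG_ERR_CODE_MASK
    good_or_expired = code in (GPG_ERR_NO_ERROR, GPG_ERR_SIG_EXPIRED, GPG_ERR_KEY_EXPIRED)
    total = SigSum(0)
    if validity in (Validity.FULL, Validity.ULTIMATE):
        if good_or_expired:
            total |= SigSum.GREEN
    elif validity == Validity.NEVER:
        if good_or_expired:
            total |= SigSum.RED
    elif code == GPG_ERR_BAD_SIGNATURE:
        total |= SigSum.RED
    return total          # unknown/undefined/marginal validity with no error: still 0

def interpret(summary: int, status: int, validity: int) -> str:
    """Decide from all three fields; a zero summary alone says nothing."""
    if (status & GPG_ERR_CODE_MASK) != GPG_ERR_NO_ERROR:
        return "reject: verification reported an error"
    if summary & SigSum.RED:
        return "reject: signing key is marked never-trusted"
    if summary & (SigSum.VALID | SigSum.GREEN):
        return "accept: valid signature under a certified key"
    if summary == 0:
        return f"good signature by an uncertified key (validity={Validity(validity).name})"
    return "inspect: other summary flags set"

# Field values printed by Ben's verify_test.py session in the thread.
BEN_RESULT = {"summary": 0, "status": 0, "validity": 0}

def classify_thread_result() -> str:
    return interpret(**BEN_RESULT)
```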