4.6 Automated signature checking

It is very important to understand the semantics used with signature verification. Checking a signature is not as simple as it may sound, and so the operation is a bit complicated. In most cases it is required to look at several status lines. Here is a table of all cases a signed message may have:

The signature is valid
This means that the signature has been successfully verified and the certificates are all sane. However, there are two subcases with important information: one of the certificates may have expired, or the signature of the message itself has expired. It is a sound practice to still consider such a signature valid, but additional information should be displayed. Depending on the subcase gpgsm will issue these status codes:
signature valid and nothing did expire
GOODSIG, VALIDSIG, TRUST_FULLY
signature valid but at least one certificate has expired
EXPKEYSIG, VALIDSIG, TRUST_FULLY
signature valid but expired
EXPSIG, VALIDSIG, TRUST_FULLY
Note that this case is currently not implemented.

The signature is invalid
This means that the signature verification failed (this is an indication of a transfer error, a program error or tampering with the message). gpgsm issues one of these status code sequences:
BADSIG
GOODSIG, VALIDSIG, TRUST_NEVER

Error verifying a signature
For some reason the signature could not be verified, i.e. it can't be decided whether the signature is valid or invalid. A common reason for this is a missing certificate.
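As an added illustration (not part of the gpgsm manual or its code), the following parser applies the table above to a captured status-fd stream and maps it to the three outcomes. The status lines use the `[GNUPG:] KEYWORD args` format; the fingerprints and user IDs in the sample streams are constructed placeholders, and the parser assumes only the status keywords named in this section.

```python
"""Classify gpgsm --status-fd output into the outcomes described in 4.6."""

STATUS_PREFIX = "[GNUPG:] "


def parse_status_lines(text):
    """Return (keyword, args) pairs for every status line in the stream."""
    result = []
    for line in text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # ignore anything that is not a status line
        parts = line[len(STATUS_PREFIX):].split(None, 1)
        if parts:
            result.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return result


def classify_signature(text):
    """Map a status-fd stream to valid / invalid / error per the table above."""
    keywords = {kw for kw, _ in parse_status_lines(text)}
    # Invalid: an explicit BADSIG, or a good signature whose certificate is
    # never trusted (GOODSIG, VALIDSIG, TRUST_NEVER).
    if "BADSIG" in keywords:
        return "invalid"
    if {"GOODSIG", "VALIDSIG", "TRUST_NEVER"} <= keywords:
        return "invalid"
    # Valid: VALIDSIG plus TRUST_FULLY, with the subcase given by the
    # GOODSIG / EXPKEYSIG / EXPSIG line. Only TRUST_FULLY is handled here,
    # as that is the trust code this section names.
    if {"VALIDSIG", "TRUST_FULLY"} <= keywords:
        if "GOODSIG" in keywords:
            return "valid"
        if "EXPKEYSIG" in keywords:
            return "valid-expired-cert"
        if "EXPSIG" in keywords:
            return "valid-expired-sig"
    # Anything else cannot be decided (e.g. a missing certificate, or an
    # incomplete stream); callers must treat this as an error, not as valid.
    return "error"


# Constructed sample streams; fingerprint and name are placeholders.
SAMPLE_GOOD = ("[GNUPG:] GOODSIG 0123456789ABCDEF Example User\n"
               "[GNUPG:] VALIDSIG 0123456789ABCDEF\n"
               "[GNUPG:] TRUST_FULLY\n")
SAMPLE_EXPKEY = SAMPLE_GOOD.replace("GOODSIG", "EXPKEYSIG")
SAMPLE_NEVER = SAMPLE_GOOD.replace("TRUST_FULLY", "TRUST_NEVER")
SAMPLE_BAD = "[GNUPG:] BADSIG 0123456789ABCDEF Example User\n"
```

Note that a lone GOODSIG line without VALIDSIG and a trust line is classified as an error, which is the conservative reading of the requirement to examine several status lines.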