4.6 Automated signature checking
It is very important to understand the semantics used with signature
verification. Checking a signature is not as simple as it may sound and
so the ooperation si a bit complicated. In mosted cases it is required
to look at several status lines. Here is a table of all cases a signed
message may have:
- The signature is valid
- This does mean that the signature has been successfully verified, the
certificates are all sane. However there are two subcases with
important information: One of the certificates may have expired or a
signature of a message itself as expired. It is a sound practise to
consider such a signature still as valid but additional information
should be displayed. Depending on the subcase gpgsm will issue
these status codes:
- signature valid and nothing did expire
-
GOODSIG
, VALIDSIG
, TRUST_FULLY
- signature valid but at least one certificate has expired
-
EXPKEYSIG
, VALIDSIG
, TRUST_FULLY
- signature valid but expired
-
EXPSIG
, VALIDSIG
, TRUST_FULLY
Note, that this case is currently not implemented.
- The signature is invalid
- This means that the signature verification failed (this is an indication
of af a transfer error, a programm error or tampering with the message).
gpgsm issues one of these status codes sequences:
BADSIG
GOODSIG, VALIDSIG TRUST_NEVER
-
- Error verifying a signature
- For some reason the signature could not be verified, i.e. it can't be
decided whether the signature is valid or invalid. A common reason for
this is a missing certificate.