gnupg: Automated signature checking
5.5.1 Automated signature checking
----------------------------------
It is very important to understand the semantics used with signature
verification. Checking a signature is not as simple as it may sound and
so the operation is a bit complicated. In most cases it is required to
look at several status lines. Here is a table of all cases a signed
message may have:
The signature is valid
     This means that the signature has been successfully verified and
     the certificates are all sane.  However, there are two subcases
     with important information: one of the certificates may have
     expired, or the signature of the message itself has expired.  It
     is a sound practice to still consider such a signature as valid,
     but the additional information should be displayed.  Depending on
     the subcase 'gpgsm' will issue these status codes:

     signature valid and nothing did expire
          'GOODSIG', 'VALIDSIG', 'TRUST_FULLY'

     signature valid but at least one certificate has expired
          'EXPKEYSIG', 'VALIDSIG', 'TRUST_FULLY'

     signature valid but expired
          'EXPSIG', 'VALIDSIG', 'TRUST_FULLY'
          Note that this case is currently not implemented.
The signature is invalid
     This means that the signature verification failed (this is an
     indication of a transfer error, a program error or tampering with
     the message).  'gpgsm' issues one of these status code sequences:

          'BADSIG'

          'GOODSIG', 'VALIDSIG', 'TRUST_NEVER'

Error verifying a signature
     For some reason the signature could not be verified, i.e. it
     cannot be decided whether the signature is valid or invalid.  A
     common reason for this is a missing certificate.
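The following Python script is an added example, not part of the GnuPG manual or of gpgsm itself. It reads a '--status-fd' transcript and maps it onto the three outcomes of the table above: a signature is reported valid only when a 'GOODSIG'/'EXPKEYSIG'/'EXPSIG' line is accompanied by 'VALIDSIG' and a positive trust line, 'BADSIG' or 'TRUST_NEVER' makes it invalid, and anything else is treated as an undecided error, never as valid. Accepting 'TRUST_ULTIMATE' next to 'TRUST_FULLY', and the final check that the 'VALIDSIG' fingerprint is one the caller expects, go beyond the table and are this example's own additions. The transcripts, key ids, fingerprints and user ids are constructed sample data; 'NO_PUBKEY' in the last one is a GnuPG status keyword not listed in this section.

```python
import re

# One status line as written by gpg/gpgsm to --status-fd.
STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")

# Keywords from the table that report a cryptographically good signature,
# with the extra information the caller should display for each.
SIG_OK = {"GOODSIG": None,
          "EXPKEYSIG": "certificate expired",
          "EXPSIG": "signature expired"}
# The table lists TRUST_FULLY; accepting TRUST_ULTIMATE as well is an addition.
TRUST_OK = {"TRUST_FULLY", "TRUST_ULTIMATE"}


def parse_status(text):
    """Return [(keyword, arguments)] for every status line; other output is ignored."""
    lines = []
    for raw in text.splitlines():
        m = STATUS_RE.match(raw.strip())
        if m:
            lines.append((m.group(1), (m.group(2) or "").strip()))
    return lines


def classify(text):
    """Map a --status-fd transcript to the table's three outcomes.

    Returns {"verdict": "valid" | "invalid" | "error",
             "notes": [extra information to display],
             "fingerprint": first VALIDSIG argument or None}.
    """
    status = parse_status(text)
    kws = {k for k, _ in status}
    args = dict(status)  # last occurrence per keyword; enough for one signature
    result = {"verdict": "error", "notes": [], "fingerprint": None}

    if "BADSIG" in kws:
        result["verdict"] = "invalid"
        return result

    matched = [k for k in SIG_OK if k in kws]
    if not matched or "VALIDSIG" not in kws:
        # Nothing decidable (e.g. missing certificate): stay at "error".
        return result

    validsig_args = args["VALIDSIG"]
    result["fingerprint"] = validsig_args.split()[0] if validsig_args else None

    if "TRUST_NEVER" in kws:
        # GOODSIG + VALIDSIG + TRUST_NEVER is listed as an invalid signature.
        result["verdict"] = "invalid"
        return result
    if not (kws & TRUST_OK):
        # Good signature but no usable trust line: cannot decide, so "error".
        return result

    result["verdict"] = "valid"
    result["notes"] = [SIG_OK[k] for k in matched if SIG_OK[k]]
    return result


def accept(text, expected_fingerprints):
    """True only for a valid signature made by one of the expected keys.

    A valid signature from an unexpected key is still useless to the
    application, so the fingerprint check is applied after the table logic.
    """
    r = classify(text)
    return r["verdict"] == "valid" and r["fingerprint"] in expected_fingerprints


# Constructed sample transcripts (not real gpgsm output).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD_TRANSCRIPT = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG {FPR} 2024-01-15 1705312800 0 4 0 1 10 01 {FPR}
[GNUPG:] TRUST_FULLY 0 pgp
"""
EXPIRED_KEY_TRANSCRIPT = GOOD_TRANSCRIPT.replace("GOODSIG", "EXPKEYSIG")
BAD_TRANSCRIPT = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
NEVER_TRANSCRIPT = GOOD_TRANSCRIPT.replace("TRUST_FULLY 0 pgp", "TRUST_NEVER")
MISSING_CERT_TRANSCRIPT = "[GNUPG:] NEWSIG\n[GNUPG:] NO_PUBKEY 89ABCDEF01234567\n"

if __name__ == "__main__":
    for name, t in [("good", GOOD_TRANSCRIPT), ("expired key", EXPIRED_KEY_TRANSCRIPT),
                    ("bad", BAD_TRANSCRIPT), ("trust never", NEVER_TRANSCRIPT),
                    ("missing cert", MISSING_CERT_TRANSCRIPT)]:
        print(f"{name:12s} -> {classify(t)}")
```

The design point is the default: the result starts as "error" and is only promoted to "valid" once every required status line has been seen, so a truncated transcript or an unknown keyword sequence can never be mistaken for a good signature.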