File: gnupg.info,  Node: Automated signature checking,  Next: CSR and certificate creation,  Up: Unattended Usage

5.5.1 Automated signature checking
----------------------------------

It is very important to understand the semantics used with signature
verification.  Checking a signature is not as simple as it may sound and
so the operation is a bit complicated.  In most cases it is required to
look at several status lines.  Here is a table of all cases a signed
message may have:

The signature is valid
     This means that the signature has been successfully verified and
     the certificates are all sane.  However there are two subcases with
     important information: one of the certificates may have expired or
     the signature of the message itself has expired.  It is a sound
     practise to consider such a signature still as valid but additional
     information should be displayed.  Depending on the subcase 'gpgsm'
     will issue these status codes:

     signature valid and nothing did expire
          'GOODSIG', 'VALIDSIG', 'TRUST_FULLY'
     signature valid but at least one certificate has expired
          'EXPKEYSIG', 'VALIDSIG', 'TRUST_FULLY'
     signature valid but expired
          'EXPSIG', 'VALIDSIG', 'TRUST_FULLY'.  Note that this case is
          currently not implemented.

The signature is invalid
     This means that the signature verification failed (this is an
     indication of a transfer error, a program error or tampering with
     the message).  'gpgsm' issues one of these status code sequences:

     'BADSIG'
     'GOODSIG', 'VALIDSIG', 'TRUST_NEVER'

Error verifying a signature
     For some reason the signature could not be verified, i.e. it
     cannot be decided whether the signature is valid or invalid.  A
     common reason for this is a missing certificate.
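
The table above turned into a fail-closed checker, as an added example that is not part of the GnuPG manual or of 'gpgsm' itself. It assumes the status lines were captured from the status output (each line carrying the `[GNUPG:] ` prefix), that the message carries a single signature, and that any combination the table does not list counts as "could not be verified"; the names `classify`, `status_keywords` and `Verdict` and the sample lines are constructed for illustration.

```python
import enum

PREFIX = "[GNUPG:] "  # prefix on machine-readable status lines

class Verdict(enum.Enum):
    VALID = "valid, nothing expired"
    VALID_CERT_EXPIRED = "valid, at least one certificate has expired"
    VALID_SIG_EXPIRED = "valid, but the signature has expired"
    INVALID = "invalid"
    ERROR = "could not be verified"

# Signature keyword -> verdict when VALIDSIG and TRUST_FULLY accompany it.
VALID_CASES = {
    "GOODSIG": Verdict.VALID,
    "EXPKEYSIG": Verdict.VALID_CERT_EXPIRED,
    "EXPSIG": Verdict.VALID_SIG_EXPIRED,
}

def status_keywords(output):
    """Return the status keywords in order, skipping non-status lines."""
    fields = (line[len(PREFIX):].split()
              for line in output.splitlines() if line.startswith(PREFIX))
    return [f[0] for f in fields if f]

def classify(output):
    """Map the status output for ONE signature to a Verdict, failing closed."""
    words = status_keywords(output)
    sig = [w for w in words if w in VALID_CASES or w == "BADSIG"]
    trust = [w for w in words if w.startswith("TRUST_")]
    if "BADSIG" in sig:
        return Verdict.INVALID
    # Anything but exactly one result, VALIDSIG and one trust line is undecided.
    if len(sig) != 1 or len(trust) != 1 or "VALIDSIG" not in words:
        return Verdict.ERROR
    if sig[0] == "GOODSIG" and trust[0] == "TRUST_NEVER":
        return Verdict.INVALID
    if trust[0] != "TRUST_FULLY":
        return Verdict.ERROR
    return VALID_CASES[sig[0]]

# Constructed sample output; the arguments after each keyword are placeholders.
SAMPLE_EXPIRED_CERT = """\
gpgsm: informational text that is not a status line
[GNUPG:] EXPKEYSIG PLACEHOLDER-KEYID PLACEHOLDER-NAME
[GNUPG:] VALIDSIG PLACEHOLDER-FINGERPRINT
[GNUPG:] TRUST_FULLY
"""
```

A caller should accept the message only for the three `VALID*` verdicts and show the expiry information for the two expired subcases.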