info gnutls

5.2.2 Verifying an OpenPGP Key

The OpenPGP key verification functions included in GnuTLS are simple and do not use the features of the “web of trust”. For that reason, if the verification needs are complex, the assistance of external tools such as GnuPG and GPGME (http://www.gnupg.org/related_software/gpgme/) is recommended.

There is one verification function in GnuTLS, gnutls_openpgp_crt_verify_ring. It checks an OpenPGP key against a given set of public keys (keyring) and returns the key status. The key verification status is the same as in X.509 certificates, although the meaning and interpretation are different. For example, an OpenPGP key may be valid if the self-signature is OK, even if no signers were found. The meaning of each verification status is listed below.

CERT_INVALID:

A signature on the key is invalid. That means that the key was modified by somebody, or corrupted during transport.

CERT_REVOKED:

The key has been revoked by its owner.

CERT_SIGNER_NOT_FOUND:

The key was not signed by a known signer.

GNUTLS_CERT_INSECURE_ALGORITHM:

The certificate was signed using an insecure algorithm such as MD2 or MD5. These algorithms have been broken and should not be trusted.
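The following is an added example, not code from the GnuTLS manual, showing one way a caller could turn the status bitmask from gnutls_openpgp_crt_verify_ring into an accept/reject decision that treats a self-signed key with no known signer as a separate case. The names key_verdict, classify_openpgp_status and accept_key are hypothetical, and the fallback enum assumes the flag values from <gnutls/gnutls.h> so the block builds without the library.

```c
#include <stdio.h>

#ifndef GNUTLS_VERSION /* stand-alone build; values assumed to mirror <gnutls/gnutls.h> */
enum {
    GNUTLS_CERT_INVALID            = 1 << 1,
    GNUTLS_CERT_REVOKED            = 1 << 5,
    GNUTLS_CERT_SIGNER_NOT_FOUND   = 1 << 6,
    GNUTLS_CERT_INSECURE_ALGORITHM = 1 << 8
};
#endif

/* Hypothetical verdict type for this example. */
typedef enum { KEY_REJECT, KEY_SELF_SIGNED_ONLY, KEY_SIGNED_BY_RING } key_verdict;

/* Classify the bitmask that gnutls_openpgp_crt_verify_ring() stores in *verify. */
key_verdict classify_openpgp_status(unsigned int status)
{
    const unsigned int fatal = GNUTLS_CERT_INVALID | GNUTLS_CERT_REVOKED |
                               GNUTLS_CERT_INSECURE_ALGORITHM;
    if (status & fatal)
        return KEY_REJECT;
    /* Fail closed on any bit this policy does not understand. */
    if (status & ~(fatal | GNUTLS_CERT_SIGNER_NOT_FOUND))
        return KEY_REJECT;
    /* Self-signature is fine, but nobody in the keyring vouches for the key. */
    if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
        return KEY_SELF_SIGNED_ONLY;
    return KEY_SIGNED_BY_RING;
}

/* Final decision: an unvouched key passes only if the caller opted in. */
int accept_key(unsigned int status, int allow_unsigned)
{
    key_verdict v = classify_openpgp_status(status);
    return v == KEY_SIGNED_BY_RING || (v == KEY_SELF_SIGNED_ONLY && allow_unsigned);
}

int main(void)
{
    /* Constructed status values, not output captured from a real run. */
    unsigned int samples[] = { 0, GNUTLS_CERT_SIGNER_NOT_FOUND,
        GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND, GNUTLS_CERT_REVOKED };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("status=0x%03x verdict=%d strict=%d\n", samples[i],
               (int)classify_openpgp_status(samples[i]), accept_key(samples[i], 0));
    return 0;
}
```

In a program that links GnuTLS, include <gnutls/gnutls.h> before this code so the library's own constants are used instead of the fallback enum.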

