GnuPG don't show bad signatures
Closed, ResolvedPublic

Description

Release: 1.4.1

Environment

Linux

Description

gpg --list-sigs D0123E63 shows 20 signatures but 14 of them are bad as can be only verifieed by gpg --edit D0123E63 followed by a check.

Such signatures points to a manipulated key so this issue should be showed very obvious on the key listing!

How To Repeat

gpg --list-sigs D0123E63

gpg --edit D0123E63
check

gpg --search benoit panizzon

Fix

Unknown

werner added a subscriber: werner.

From: Klaus Ethgen <Klaus@Ethgen.de>
To: bug-any@bugs.gnupg.org
Cc: gnupg-hackers@gnupg.org, gnats-admin@trithemius.gnupg.org, wk@gnupg.org
Subject: Re: gnupg/527
Date: Mon, 12 Sep 2005 14:10:59 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Werner,

Am Mo den 12. Sep 2005 um 12:48 schrieb wk@gnupg.org:

This is on purpose. It is easy to add faulty signatures,
displaying them would lead to a bunch of messages without
any meaning. GnupG does not use bad signatures. See also
the new clean options

Yes, this is true, but in the list the bad signatures get's shown as if
they are normal and correct signatures.

A Flag like "<bad>" or "<wrong>" in the signature listing whould be very
helpfull. Also it might be good to remove them completely by the import
(Maybe an import option).

Regards

Klaus

Klaus Ethgen http://www.ethgen.de/
pub 2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE EA 40 30 57 3C 88 26 2B
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iQEVAwUBQyVwU5+OKpjRpO3lAQI5/QgAnm4IHaiLLco+CrvJhSXESdU9d6p7bCPP
8GjNYlFpRmExtUfjih/fEKSUu7406iWwOtEnkEf8E64ZSwnlqDmVClxGHNbJhZ16
CyqWIej4HEDP8hS74IqJQqUgGszCwcpGzaIrZZ94ATomIklADfkDTRc+vx8t+dcd
+mPuW+zCWmOGYCuw4EYYUH9ma4nTKqJQhYN7nJ1qaS+n9jv1cvQjX90OnlEE9RjK
qKutA1cf0jCL+1bjyTnMUDE4rkgYhEAkOmf6cA0zUuQCrlIjNjdicPb/91C15xLX
NWUoiKeK5tcyRTa4cN+5hSYpvUcgZFJs80U0OazmHNT7V7HLV5iGKA==

T5n4

-----END PGP SIGNATURE-----

This is on purpose. It is easy to add faulty signatures,
displaying them would lead to a bunch of messages without
any meaning. GnupG does not use bad signatures. See also
the new clean options

werner closed this task as Resolved.