From 88f3202521d422d94bfd79e61bde00707d6f28c9 Mon Sep 17 00:00:00 2001 From: Andre Heinecke Date: Tue, 9 Jun 2020 10:21:54 +0200 Subject: [PATCH] doc: Explain verify_result_t.status == 0 more * doc/gpgme.texi (gpgme_verify_result_t): Explain GPGME_STATUS_NO_ERROR more clearly. -- This might help to avoid misunderstandings how the status can be interpreted and explains why a verify of unsigned PGP Data returns no error. As a reaction to CVE-2020-10759 discovered by Justin Steven. --- doc/gpgme.texi | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/doc/gpgme.texi b/doc/gpgme.texi index 3e1f30a7..3c9594f5 100644 --- a/doc/gpgme.texi +++ b/doc/gpgme.texi @@ -5773,8 +5773,15 @@ status codes are of interest: @table @code @item GPG_ERR_NO_ERROR - This status indicates that the signature is valid. For the combined - result this status means that all signatures are valid. + This status indicates that the signature could be verified or that + there is no signature. For the combined result this status + means that all signatures could be verified. + + Note: This does not mean that a valid signature could be found. Check + the @code{summary} field for that. + + For example a @code{gpgme_op_decrypt_verify} returns a verification + result with GPG_ERR_NO_ERROR for encrypted but unsigned data. @item GPG_ERR_SIG_EXPIRED This status indicates that the signature is valid but expired. For
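Review bot: the new first sentence of the GPG_ERR_NO_ERROR entry is still easy to misread: "the signature could be verified or that there is no signature" lets a caller keep treating status == 0 as a success indicator, which is the exact misunderstanding the commit message says it wants to prevent. Suggest leading with the caveat, e.g. "This status only means that no error occurred during verification; it is also returned when the data carries no signature at all", and making the Note concrete: say that the caller must first establish that a signature entry is present (the encrypted-but-unsigned example shows why) and then name the summary flag that indicates a valid signature rather than just "the @code{summary} field". Minor: "For example a @code{gpgme_op_decrypt_verify} returns" needs a comma after "For example".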