Hi Tomasz,
> what would be the most "canonical" way to store arbitrary, signed data along the gpg key?
> And then: what is the programmatic way of extracting said data?
> (...)
>     sig!3        N KEYID 2019-08-17  User Example <u...@example.com>
>     Signature notation: pub@signify=SIGNIFYKEY
> Does it make sense? Is it a good idea? What would be a better way?
Yep, that definitely makes sense and notations are a good way to store additional data. The only problem here is how to get the notation values programmatically in a way that you know the self-signature is valid.
Sadly "gpg --list-options show-notations --with-colons --list-keys $KEY" does not print the notation output.
I did use OpenPGP.js to verify the signature and extract notations for a small project of mine (https://metacode.biz/openpgp/proofs, example here: https://metacode.biz/@wiktor ), but I understand you want to keep the dependencies to a minimum.
Maybe you could use GpgME, the docs look promising:

> The signature notations on a key signature are only available if the key was retrieved via a listing operation with the GPGME_KEYLIST_MODE_SIG_NOTATIONS mode enabled, because it can be expensive to retrieve all signature notations.

Source: https://www.gnupg.org/(es)/documentation/manuals/gpgme/Key-objects.html#Key-objects
One minor thing: you may want to adjust the notation name (key). RFC 4880 advises an e-mail-like key where the domain is a name you control, so for example "pub-sign...@debian.org" if you control "debian.org". Additionally, it would be nice to have that e-mail address redirect to a human in case someone sends a message there.
Kind regards, Wiktor
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
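Added example (my own code, not from the thread, GnuPG or GPGME): the reply above points out that the hard part is reading notation values only from a self-signature you know is valid, and that gpg's colon listing does not print them. GPGME with GPGME_KEYLIST_MODE_SIG_NOTATIONS hands you name and value directly; this block shows what it is decoding underneath, i.e. the Notation Data subpacket (type 20) inside the hashed subpacket area of a key signature packet, and applies the tag@domain naming rule from RFC 4880 that the reply recommends. It assumes you already hold the subpacket area bytes of a signature that gpg or GPGME has verified; it does no signature checking itself. SAMPLE_AREA, the name signify-key@example.org and both notation values are constructed for the example, and the name check is a simplified form of the RFC rule.

```python
# Extract OpenPGP notation data (RFC 4880 5.2.3.16) from a signature's subpacket
# area and sanity-check notation names. SAMPLE_AREA below is constructed.
import re
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

NOTATION_DATA = 20  # subpacket type "Notation Data"

@dataclass
class Notation:
    name: str
    value: bytes
    human_readable: bool  # 0x80 in the first flags octet
    critical: bool        # bit 7 of the subpacket type octet

def read_subpacket_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """RFC 4880 5.2.3.1 length (covers type octet + body); returns (length, next pos)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5

def encode_subpacket_length(n: int) -> bytes:
    """Inverse of read_subpacket_length; only used to build the sample."""
    if n < 192:
        return bytes([n])
    if n < 16320:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + struct.pack(">I", n)

def iter_subpackets(area: bytes) -> Iterator[Tuple[int, bool, bytes]]:
    """Yield (type, critical, body) for each subpacket; refuse truncated input."""
    pos = 0
    while pos < len(area):
        length, pos = read_subpacket_length(area, pos)
        if length == 0 or pos + length > len(area):
            raise ValueError("truncated or malformed subpacket at offset %d" % pos)
        type_octet = area[pos]
        yield type_octet & 0x7F, bool(type_octet & 0x80), area[pos + 1:pos + length]
        pos += length

def build_subpacket(typ: int, body: bytes, critical: bool = False) -> bytes:
    return encode_subpacket_length(1 + len(body)) + bytes([typ | (0x80 if critical else 0)]) + body

def parse_notation(body: bytes, critical: bool) -> Notation:
    """Body: 4 flag octets, 2-octet name length, 2-octet value length, name, value."""
    if len(body) < 8:
        raise ValueError("notation subpacket too short")
    name_len, value_len = struct.unpack(">HH", body[4:8])
    if 8 + name_len + value_len != len(body):
        raise ValueError("notation length fields disagree with subpacket length")
    name = body[8:8 + name_len].decode("utf-8")
    return Notation(name, body[8 + name_len:], bool(body[0] & 0x80), critical)

def build_notation(name: str, value: bytes, human_readable: bool = True) -> bytes:
    flags = b"\x80\x00\x00\x00" if human_readable else b"\x00\x00\x00\x00"
    raw = name.encode("utf-8")
    return flags + struct.pack(">HH", len(raw), len(value)) + raw + value

def extract_notations(area: bytes) -> List[Notation]:
    return [parse_notation(body, crit)
            for typ, crit, body in iter_subpackets(area) if typ == NOTATION_DATA]

# Simplified RFC 4880 rule for user-namespace names: "tag@domain", tag without
# "@", domain a DNS name. IETF-namespace names contain no "@" at all.
USER_NAME_RE = re.compile(r"^[^@\s]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")

def is_user_namespace_name(name: str) -> bool:
    return USER_NAME_RE.match(name) is not None

# Constructed sample area: creation time (type 2), two notations, key flags
# (type 27). "pub@signify" is the name from the thread; the second name and
# both values are made up here.
SAMPLE_AREA = (
    build_subpacket(2, struct.pack(">I", 1566000000))
    + build_subpacket(NOTATION_DATA, build_notation("pub@signify", b"SIGNIFYKEY"))
    + build_subpacket(NOTATION_DATA,
                      build_notation("signify-key@example.org", b"constructed-signify-pubkey"),
                      critical=True)
    + build_subpacket(27, b"\x03")
)

if __name__ == "__main__":
    for n in extract_notations(SAMPLE_AREA):
        verdict = "ok" if is_user_namespace_name(n.name) else "not tag@domain"
        print("%s=%s human_readable=%s critical=%s name: %s" % (
            n.name, n.value.decode("utf-8", "replace"), n.human_readable, n.critical, verdict))
```

Run as a script it prints both notations; "pub@signify" fails the name check for exactly the reason given in the reply, since "signify" is not a domain the key owner controls. The critical bit matters for consumers: a verifier that does not understand a critical notation is supposed to treat the signature as invalid, so only set it on notations every consumer of the key must honour.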