This week I improved the authentication library I began writing the previous week: more precisely, I’ve implemented the method responsible for verifying the signature against the ID of the key passed as a parameter, and moved the key IDs from five QStringList objects to a single QMap< TrustLevel, QList< QCA::SecureArray > > object, which slightly reduces the lines of code and, more importantly, increases its storage security.
However, I had an unhappy surprise when testing the library during this week: it seems that the PGPKey class, which is widely used to load/save the keys from the local keystore, as well as to verify the signature, lacks a method call to retrieve all the IDs that signed the current key O.o
Is this method that essential for my library? Absolutely. Since I have to split the keys by their level of trust, first I save the KDE IDs, then I have to iterate over all the remaining PGPKeys and check whether they are signed by a KDE key: these keys will build the second level of trust. Then, the library will load the user’s private key, and whose keys will create the user trusted keys; since we want to provide a certain degree of freedom on trust level, the user can also sign the keys he personally trusts, so here there is another relationship check on the keys not processed yet. As you can see, I need to know which keys signed another, so I spent some time exploring the source code of the GnuPG plugin to find out what went wrong, and I discovered that, first, the API doesn’t expose that kind of call, and second, that the plugin doesn’t call the gpg command switches --list-sigs or --check-sigs at all! So I wrote to the QCA maintainer about my problem, and now we’re discussing the implementation details on their mailing list. My only hope is that they won’t take that long to implement this feature, I’ve got my first deadline in about one month, after all!
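The trust-level split described above depends on knowing who signed each key. The following is an added example, not code from the post or from QCA: it reads signer IDs from gpg's colon-delimited listing and sorts keys in the order the post gives. The `TrustLevel` value names, function names, and sample key IDs are assumptions made for illustration.

```cpp
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical level names; the post does not list its TrustLevel values.
enum class TrustLevel { Kde, SignedByKde, User, SignedByUser, Untrusted };
using SignerMap = std::map<std::string, std::set<std::string>>;  // key ID -> signer IDs
// Constructed sample shaped like `gpg --check-sigs --with-colons` output.
const std::string SAMPLE =
    "pub:u:4096:1:AAAAAAAAAAAAAAA1:1300000000:::u:::scESC:\n"
    "sig:!::1:AAAAAAAAAAAAAAA1:1300000000::::KDE key:13x:\n"   // self-signature
    "pub:f:4096:1:BBBBBBBBBBBBBBB2:1300000000:::-:::scESC:\n"
    "sig:!::1:AAAAAAAAAAAAAAA1:1300000000::::KDE key:10x:\n"   // good, by KDE key
    "pub:u:4096:1:CCCCCCCCCCCCCCC3:1300000000:::u:::scESC:\n"  // the user's key
    "pub:f:4096:1:DDDDDDDDDDDDDDD4:1300000000:::-:::scESC:\n"
    "sig:!::1:CCCCCCCCCCCCCCC3:1300000000::::User key:10x:\n"  // good, by user
    "pub:-:4096:1:EEEEEEEEEEEEEEE5:1300000000:::-:::scESC:\n"
    "sig:-::1:AAAAAAAAAAAAAAA1:1300000000::::KDE key:10x:\n";  // bad signature
// Field 5 is the key ID ("pub") or signer ID ("sig"); only "sig" rows gpg marked "!" count.
SignerMap parseSigners(const std::string& listing) {
    SignerMap signers;
    std::istringstream in(listing);
    std::string line, current;
    while (std::getline(in, line)) {
        std::vector<std::string> f;
        std::istringstream ls(line);
        for (std::string x; std::getline(ls, x, ':');) f.push_back(x);
        if (f.size() < 5 || (f[0] != "pub" && current.empty())) continue;
        if (f[0] == "pub") { current = f[4]; signers[current]; }
        else if (f[0] == "sig" && f[1] == "!" && f[4] != current) signers[current].insert(f[4]);
    }
    return signers;
}
std::map<TrustLevel, std::vector<std::string>> classify(const SignerMap& signers,
        const std::set<std::string>& kdeIds, const std::string& userId) {
    std::map<TrustLevel, std::vector<std::string>> levels;
    for (const auto& kv : signers) {  // checks run in the order the post describes
        bool byKde = false;
        for (const auto& s : kv.second) byKde = byKde || kdeIds.count(s) > 0;
        TrustLevel lvl = TrustLevel::Untrusted;
        if (kdeIds.count(kv.first)) lvl = TrustLevel::Kde;
        else if (byKde) lvl = TrustLevel::SignedByKde;
        else if (kv.first == userId) lvl = TrustLevel::User;
        else if (kv.second.count(userId)) lvl = TrustLevel::SignedByUser;
        levels[lvl].push_back(kv.first);
    }
    return levels;
}
```

Counting only signatures that gpg itself verified keeps a forged or unverifiable signature from promoting a key into a trusted level, as the last key in the sample shows.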
Well, this is a brief summary of what I did in this second week of GSoC, stay tuned!