OpenPGP for Java version 3.1 was released

DidiSoft OpenPGP Library for Java version 3.1 was released today.

New way to check digital signatures

The major change in this release is a new way to check the outcome of OpenPGP digital signature verification and the introduction of a new enum, com.didisoft.pgp.SignatureCheckResult:

/** Represents the result of an OpenPGP signature check */
public enum SignatureCheckResult {
    /** Signature verified with the provided public key(s) */
    SignatureVerified,
    /** Signature broken or forged */
    SignatureBroken,
    /** The signature wasn't made with the provided public key */
    PublicKeyNotMatching,
    /** No signature was found in the input data */
    NoSignatureFound
}

Until now, the outcome of checking a signature was a boolean. When it was true, it was clear that the signature was correct. The problem was when the result was false: it was unclear whether the signature had been tampered with, whether the wrong public key had been used to check it, or whether there was no signature in the .pgp message at all.

In order to solve this weakness a new set of methods was introduced:

PGPLib.verifyAndExtract verifies an OpenPGP signed or clear text signed message and extracts the data
PGPLib.verifyWithoutExtracting verifies an OpenPGP signed or clear text signed message without extracting the data
PGPLib.decryptAndVerify verifies an OpenPGP signed and encrypted message and extracts the data
PGPLib.detachedVerify verifies an OpenPGP detached signature

All of the above methods return com.didisoft.pgp.SignatureCheckResult, which distinguishes four cases: the signature is OK; the signature has been tampered with; the check was made with the wrong key (or, when a KeyStore is used, it contains no matching key); and the specified .pgp message has no digital signature at all.

The benefit of this new API is that the outcome is more accurate and there is no need for additional checks with PGPInspectLib to investigate the failure cases.
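
The four outcomes handled fail-closed, as an added example that is not DidiSoft's code. The enum below is a local stand-in using the constant names listed above; Action, decide, mayProcess and legacyBoolean are hypothetical names, and the library call that would produce the result is left out because its parameters are not shown on this page.

```java
// Added example: routing each SignatureCheckResult to a distinct, fail-closed action.
class SignatureGate {
    // Local stand-in mirroring com.didisoft.pgp.SignatureCheckResult as listed on this page,
    // so the example compiles without the library on the classpath.
    enum SignatureCheckResult { SignatureVerified, SignatureBroken, PublicKeyNotMatching, NoSignatureFound }

    // Hypothetical follow-up actions for the receiving application.
    enum Action {
        ACCEPT,                // process the extracted data
        QUARANTINE_AND_ALERT,  // content or signature was altered: keep the file, raise an alert
        REJECT_CHECK_KEYS,     // signed by a key we do not hold: likely a key provisioning problem
        REJECT_UNSIGNED        // no signature at all: never treat as "nothing to verify"
    }

    // Only SignatureVerified leads to ACCEPT; null or an unknown future value fails closed.
    static Action decide(SignatureCheckResult result) {
        if (result == null) {
            return Action.QUARANTINE_AND_ALERT;
        }
        switch (result) {
            case SignatureVerified:    return Action.ACCEPT;
            case SignatureBroken:      return Action.QUARANTINE_AND_ALERT;
            case PublicKeyNotMatching: return Action.REJECT_CHECK_KEYS;
            case NoSignatureFound:     return Action.REJECT_UNSIGNED;
            default:                   return Action.QUARANTINE_AND_ALERT;
        }
    }

    static boolean mayProcess(SignatureCheckResult result) {
        return decide(result) == Action.ACCEPT;
    }

    // What a boolean result carries for the same outcome: three different failures all become false.
    static boolean legacyBoolean(SignatureCheckResult result) {
        return result == SignatureCheckResult.SignatureVerified;
    }

    public static void main(String[] args) {
        for (SignatureCheckResult r : SignatureCheckResult.values()) {
            System.out.printf("%-22s boolean=%-5b action=%-22s process=%b%n",
                    r, legacyBoolean(r), decide(r), mayProcess(r));
        }
    }
}
```
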

Backward compatibility

Upgrading is safe and will not harm your application. All the existing methods will stay although marked as obsolete. The reason for marking them obsolete is to encourage new application development to use the more accurate new set of methods.