Gajim should indicate when a signature is bad.
In src/common/GnuPG.py, the signature validation always gets BADSIG.
Replacing TemporaryFile with os.tmpfile() makes validation work, but I am unsure of security/portability.
Second, Gajim treats good and bad signatures the same:

    if resp.has_key('GOODSIG'):
        keyid = resp['GOODSIG'].split()[0]
    elif resp.has_key('BADSIG'):
        keyid = resp['BADSIG'].split()[0]

It should at least ignore bad signatures, possibly give some indicator that they're bad (red keyid text in tool tip?) and refuse to encrypt to that key.
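
One way to keep the two outcomes apart, as an added example that is not Gajim's code: it parses GnuPG `--status-fd` lines and returns a usable key ID only for a good signature, keeping the ID from a BADSIG line separately for display. The names `parse_status`, `check_signature` and `SigResult` are hypothetical, and the sample status lines are constructed.

```python
from collections import namedtuple

GNUPG_PREFIX = "[GNUPG:] "

# keyid: safe to use for encryption; claimed: display only (e.g. red tooltip text)
SigResult = namedtuple("SigResult", "verdict keyid claimed")


def parse_status(output):
    """Collect GnuPG status lines into {keyword: [argument string, ...]}."""
    resp = {}
    for line in output.splitlines():
        if not line.startswith(GNUPG_PREFIX):
            continue  # human-readable gpg output, not a status line
        keyword, _, args = line[len(GNUPG_PREFIX):].partition(" ")
        resp.setdefault(keyword, []).append(args)
    return resp


def _first_id(args):
    parts = args.split()
    return parts[0] if parts else None


def check_signature(output):
    """Classify a verification run; never return a usable keyid unless good."""
    resp = parse_status(output)
    # A failure keyword wins even if a GOODSIG line is also present.
    if "BADSIG" in resp:
        return SigResult("bad", None, _first_id(resp["BADSIG"][0]))
    if "ERRSIG" in resp:
        # Signature could not be checked (for example, missing public key).
        return SigResult("unverifiable", None, _first_id(resp["ERRSIG"][0]))
    good = resp.get("GOODSIG", [])
    if len(good) == 1 and _first_id(good[0]):
        return SigResult("good", _first_id(good[0]), None)
    if len(good) > 1:
        return SigResult("ambiguous", None, None)
    return SigResult("unsigned", None, None)


# Constructed sample status output, not captured from a real session.
SAMPLE_GOOD = ("gpg: Good signature (constructed)\n"
               "[GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.org>\n")
SAMPLE_BAD = "[GNUPG:] BADSIG 0123456789ABCDEF Alice <alice@example.org>\n"
SAMPLE_MIXED = SAMPLE_GOOD + SAMPLE_BAD

if __name__ == "__main__":
    for name in ("SAMPLE_GOOD", "SAMPLE_BAD", "SAMPLE_MIXED"):
        print(name, check_signature(globals()[name]))
```

A caller would encrypt only when `keyid` is not `None`, and use `claimed` solely to label the contact's signature as bad.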