So it seems like the check for VALIDSIG is incorrect (also the doc/DETAILS says:
VALIDSIG <fingerprint in hex> <sig_creation_date> <sig-timestamp> <expire-timestamp> <sig-version> <reserved> <pubkey-algo> <hash-algo> <sig-class> <primary-key-fpr>
The signature with the keyid is good. This is the same as
GOODSIG but has the fingerprint as the argument.
)
The doc for GOODSIG says:
GOODSIG <long keyid> <username>
The signature with the keyid is good. For each signature only
one of the three codes GOODSIG, BADSIG or ERRSIG will be
emitted and they may be used as a marker for a new signature.
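
Added example, not part of the original comment or of GnuPG: one way a caller could consume these status lines, grouping them per signature by marker and accepting only when every signature is GOODSIG with one VALIDSIG whose primary-key fingerprint is on an allow-list. The function names, the all-signatures-must-pass policy, the assumption that VALIDSIG follows its marker, and the sample lines are constructed for illustration.

```python
PREFIX = "[GNUPG:] "
# Per-signature markers. The quoted text lists the first three; later
# versions of GnuPG's doc/DETAILS also list the EXP*/REV* codes.
MARKERS = {"GOODSIG", "BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def split_signatures(status_text):
    """Group status lines into one record per signature marker."""
    sigs = []
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue
        keyword, *args = line[len(PREFIX):].split() or [""]
        if keyword in MARKERS:
            sigs.append({"marker": keyword, "validsig": []})
        elif keyword == "VALIDSIG":
            if not sigs:
                # VALIDSIG with no preceding marker: keep it, but it can never pass.
                sigs.append({"marker": None, "validsig": []})
            sigs[-1]["validsig"].append(args)
    return sigs

def all_signatures_trusted(status_text, trusted_fprs):
    """True only if every signature is GOODSIG + exactly one VALIDSIG from a trusted key."""
    sigs = split_signatures(status_text)
    if not sigs:
        return False  # no signature reported at all
    for sig in sigs:
        if sig["marker"] != "GOODSIG" or len(sig["validsig"]) != 1:
            return False
        fields = sig["validsig"][0]
        # Field 10 of VALIDSIG (index 9) is <primary-key-fpr>.
        if len(fields) < 10 or fields[9] not in trusted_fprs:
            return False
    return True

TRUSTED = "A" * 40  # constructed fingerprint
OTHER = "B" * 40    # constructed fingerprint

def sample(marker, fpr):
    """Constructed status output for one signature (not captured from gpg)."""
    out = f"{PREFIX}{marker} {fpr[-16:]} Example Signer <signer@example.org>\n"
    if marker == "GOODSIG":
        out += f"{PREFIX}VALIDSIG {fpr} 2020-01-01 1577836800 0 4 0 1 8 00 {fpr}\n"
    return out

if __name__ == "__main__":
    print(all_signatures_trusted(sample("GOODSIG", TRUSTED), {TRUSTED}))
    print(all_signatures_trusted(
        sample("GOODSIG", TRUSTED) + sample("BADSIG", OTHER), {TRUSTED}))
```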