comotion / cpm

Console Password Manager

Home Page: http://www.harry-b.de/dokuwiki/doku.php?id=harry:cpm

GpgMe verify error: Unexpected signature summary: 0x0

comotion opened this issue · comments

gpgme_op_decrypt_result returned success and gpgme_op_verify_result found signatures on your
password database, but you haven't signed the keys so the signature is not valid.

The signature summary should never be null according to the GpgMe docs, so this is an undocumented "feature",
which results in this cryptic error message.

Quick fix: trust sign the keys that your database is encrypted with so that key validity is not "none" or "unknown".

Next release will include, at the very least, a better error message.
Ideally a proper fix for this issue would be:

  • show the signatures and your validity for them
  • allow you to trust or skip the warning

On third thought, skipping the warning would be a patently Bad Idea™...

The trust interface feature is on the wishlist in issue #42, and that really depends on switching the interface lib, which means we've done all we can on this issue until we pass that bridge.

Why would skipping the warning be a bad idea?

https://bugs.debian.org/806404 is a bug report in Debian which seems to be related to this issue, and the problem I reported there was being unable to read passwords unless trusting the key used to sign the passwords. It seems strange to me that I have to trust the people giving me passwords. I can understand such a trust relationship for those I plan to give a password, but I do not really expect to trust everyone giving me a password.

These two issues are different, @petterreinholdtsen. This ticket is about making the reason for the error more clear; you are arguing whether the warning is a bug.

Please continue this discussion at the newly created issue #53.
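An added example, not cpm's own code and not part of the thread above: one way to turn the signature summary, status and key validity into the clearer message the issue asks for, including the 0x0 case. The helper name `explain_signature` and its messages are hypothetical; the constants are copied from `gpgme.h` so the block builds without GpgME.

```c
#include <stdio.h>
#include <string.h>

/* Bit values copied from gpgme_sigsum_t in gpgme.h. */
enum { SUM_VALID = 0x0001, SUM_GREEN = 0x0002, SUM_RED = 0x0004,
       SUM_KEY_REVOKED = 0x0010, SUM_KEY_EXPIRED = 0x0020,
       SUM_SIG_EXPIRED = 0x0040, SUM_KEY_MISSING = 0x0080 };
/* Same order as gpgme_validity_t. */
enum { VAL_UNKNOWN, VAL_UNDEFINED, VAL_NEVER, VAL_MARGINAL, VAL_FULL, VAL_ULTIMATE };
enum verdict { SIG_TRUSTED, SIG_GOOD_KEY_NOT_VALID, SIG_REJECTED };

/* Hypothetical helper: status is the signature's error code (0 = no error). */
enum verdict explain_signature(unsigned summary, unsigned status, int validity,
                               char *msg, size_t len)
{
    static const struct { unsigned bit; const char *why; } bad[] = {
        { SUM_RED,         "signature is bad" },
        { SUM_KEY_REVOKED, "signing key is revoked" },
        { SUM_KEY_EXPIRED, "signing key has expired" },
        { SUM_SIG_EXPIRED, "signature has expired" },
        { SUM_KEY_MISSING, "signing key is not in the keyring" },
    };
    /* Problem bits win over everything else, even if GREEN is also set. */
    for (size_t i = 0; i < sizeof bad / sizeof bad[0]; i++)
        if (summary & bad[i].bit) {
            snprintf(msg, len, "rejected: %s (summary 0x%x)", bad[i].why, summary);
            return SIG_REJECTED;
        }
    if (status != 0) {
        snprintf(msg, len, "rejected: verify error %u (summary 0x%x)", status, summary);
        return SIG_REJECTED;
    }
    if (summary & (SUM_VALID | SUM_GREEN)) {
        snprintf(msg, len, "signature is valid");
        return SIG_TRUSTED;
    }
    /* The case from this issue: good signature, yet no summary bits set. */
    snprintf(msg, len, "signature is good, but the signing key is %s "
             "(summary 0x%x); sign the key to accept it",
             validity <= VAL_UNDEFINED ? "of unknown validity" : "not valid", summary);
    return SIG_GOOD_KEY_NOT_VALID;
}

int main(void)
{
    char msg[160];
    explain_signature(0x0, 0, VAL_UNKNOWN, msg, sizeof msg);
    return puts(msg) == EOF;
}
```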