author | David Shaw <[email protected]> | 2001-12-07 01:14:15 +0000 |
---|---|---|
committer | David Shaw <[email protected]> | 2001-12-07 01:14:15 +0000 |
commit | 1ccd578910dbf973cf0b2f06db274f22beeea5ac (patch) | |
tree | d3fca7224c0dfea851c3456d964b0073afa1ce79 | |
parent | Allow a regular key signature to promote a local signature to full (diff) | |
download | gnupg-1ccd578910dbf973cf0b2f06db274f22beeea5ac.tar.gz gnupg-1ccd578910dbf973cf0b2f06db274f22beeea5ac.zip |
Sig expiration code
Offer to expire a key signature when the key the user is signing expires
Expired sigs cause an error return
If --expert is set, prompt for sig duration
-rw-r--r-- | g10/ChangeLog | 33 | ||||
-rw-r--r-- | g10/build-packet.c | 12 | ||||
-rw-r--r-- | g10/keydb.h | 2 | ||||
-rw-r--r-- | g10/keyedit.c | 81 | ||||
-rw-r--r-- | g10/keygen.c | 57 | ||||
-rw-r--r-- | g10/keyid.c | 25 | ||||
-rw-r--r-- | g10/keylist.c | 6 | ||||
-rw-r--r-- | g10/main.h | 1 | ||||
-rw-r--r-- | g10/mainproc.c | 10 | ||||
-rw-r--r-- | g10/packet.h | 4 | ||||
-rw-r--r-- | g10/revoke.c | 2 | ||||
-rw-r--r-- | g10/sign.c | 55 |
12 files changed, 244 insertions, 44 deletions
diff --git a/g10/ChangeLog b/g10/ChangeLog index 5f602b639..1e044a535 100644 --- a/g10/ChangeLog +++ b/g10/ChangeLog @@ -1,3 +1,36 @@ +2001-12-05 David Shaw <[email protected]> + + * sign.c (sign_file, clearsign_file, sign_symencrypt_file): Prompt + for sig expiration if --expert is set and --force-v3-sigs is not + set (v3 sigs cannot expire). + + * mainproc.c (check_sig_and_print): After checking a sig, print + expiration status. This causes a error return if the sig is + expired. + + * build-packet.c (build_sig_subpkt_from_sig): Include a critical + sig expiration subpacket if the sig is to expire. + + * keyedit.c (sign_uids): Do not sign an expired key unless + --expert is set, in which case prompt. Also, offer to expire a + signature when the key the user is signing expires. + + * keygen.c (ask_expire_interval): Add a value to determine whether + to prompt for a key or sig expiration and change all callers. + + * keyid.c: New functions: expirestr_from_sig and + colon_expirestr_from_sig. + + * keylist.c (list_keyblock_colon): Show sig expiration date in the + --with-colons listing. + + * sign.c (make_keysig_packet, write_signature_packets): Pass in an + optional timestamp for the signature packet, and change all + callers. + + * keyedit.c (sign_mk_attrib): Include a critical expiration + subpacket in the signature if an expiration date is given. + 2001-12-04 David Shaw <[email protected]> * keyedit.c (sign_uids): If the user tries to sign a diff --git a/g10/build-packet.c b/g10/build-packet.c index 610968bc8..2025c4091 100644 --- a/g10/build-packet.c +++ b/g10/build-packet.c @@ -777,6 +777,7 @@ build_sig_subpkt (PKT_signature *sig, sigsubpkttype_t type, case SIGSUBPKT_PREF_HASH: case SIGSUBPKT_PREF_COMPR: case SIGSUBPKT_FEATURES: + case SIGSUBPKT_SIG_EXPIRE: delete_sig_subpkt (sig->hashed, type); break; default: 
@@ -891,6 +892,17 @@ build_sig_subpkt_from_sig( PKT_signature *sig ) buf[2] = (u >> 8) & 0xff; buf[3] = u & 0xff; build_sig_subpkt( sig, SIGSUBPKT_SIG_CREATED, buf, 4 ); + + if(sig->expiredate) + { + u = sig->expiredate-sig->timestamp; + buf[0] = (u >> 24) & 0xff; + buf[1] = (u >> 16) & 0xff; + buf[2] = (u >> 8) & 0xff; + buf[3] = u & 0xff; + build_sig_subpkt( sig, SIGSUBPKT_SIG_EXPIRE | SIGSUBPKT_FLAG_CRITICAL, + buf, 4 ); + } } diff --git a/g10/keydb.h b/g10/keydb.h index ba7d58528..bd3974541 100644 --- a/g10/keydb.h +++ b/g10/keydb.h @@ -224,11 +224,13 @@ const char *datestr_from_sk( PKT_secret_key *sk ); const char *datestr_from_sig( PKT_signature *sig ); const char *expirestr_from_pk( PKT_public_key *pk ); const char *expirestr_from_sk( PKT_secret_key *sk ); +const char *expirestr_from_sig( PKT_signature *sig ); const char *colon_strtime (u32 t); const char *colon_datestr_from_pk (PKT_public_key *pk); const char *colon_datestr_from_sk (PKT_secret_key *sk); const char *colon_datestr_from_sig (PKT_signature *sig); +const char *colon_expirestr_from_sig (PKT_signature *sig); byte *fingerprint_from_sk( PKT_secret_key *sk, byte *buf, size_t *ret_len ); byte *fingerprint_from_pk( PKT_public_key *pk, byte *buf, size_t *ret_len ); diff --git a/g10/keyedit.c b/g10/keyedit.c index f9521193b..c30cd1d7b 100644 --- a/g10/keyedit.c +++ b/g10/keyedit.c @@ -78,6 +78,7 @@ static int enable_disable_key( KBNODE keyblock, int disable ); struct sign_attrib { int non_exportable; + u32 duration; struct revocation_reason_info *reason; }; 
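Review bot: `u = sig->expiredate-sig->timestamp;` in build_sig_subpkt_from_sig is guarded only by `if(sig->expiredate)`, so an expiration date earlier than the signature timestamp wraps the unsigned value into a multi-year validity period that is then emitted as a critical SIG_EXPIRE subpacket instead of being rejected. Since the function has no error path visible here, treating `sig->expiredate <= sig->timestamp` as a caller bug (`BUG()`, as keygen.c does for an invalid selector) is safer than either emitting the wrapped value or silently dropping the expiration, which would produce a signature that never expires. The same four-byte big-endian encoding now appears here and in keyedit.c's sign_mk_attrib; a small shared helper would keep the two in step. build_sig_subpkt_from_sig starts outside the hunk.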
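Review bot: the new `u32 duration;` field in `struct sign_attrib` carries no comment, and its meaning is only recoverable from sign_mk_attrib and sign_uids in later hunks. Document the unit and the sentinel on the declaration, e.g. `u32 duration; /* seconds after the sig timestamp; 0 = signature does not expire */`.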
@@ -243,6 +244,19 @@ sign_mk_attrib( PKT_signature *sig, void *opaque ) buf[0] = 0; /* not exportable */ build_sig_subpkt( sig, SIGSUBPKT_EXPORTABLE, buf, 1 ); } + + if(attrib->duration>0) { + buf[0]=(attrib->duration >> 24) & 0xff; + buf[1]=(attrib->duration >> 16) & 0xff; + buf[2]=(attrib->duration >> 8) & 0xff; + buf[3]=attrib->duration & 0xff; + /* Mark this CRITICAL, so if any implementation doesn't + understand sigs that can expire, it'll just disregard this + sig altogether. */ + build_sig_subpkt( sig, SIGSUBPKT_SIG_EXPIRE | SIGSUBPKT_FLAG_CRITICAL, + buf, 4 ); + } + if( attrib->reason ) revocation_reason_build_cb( sig, attrib->reason ); @@ -288,6 +302,7 @@ sign_uids( KBNODE keyblock, STRLIST locusr, int *ret_modified, int local ) u32 sk_keyid[2]; size_t n; char *p; + u32 duration=0,timestamp=0; /* we have to use a copy of the sk, because make_keysig_packet * may remove the protection from sk and if we did other @@ -307,7 +322,10 @@ sign_uids( KBNODE keyblock, STRLIST locusr, int *ret_modified, int local ) /* reset mark for uids which are already signed */ uidnode = NULL; for( node=keyblock; node; node = node->next ) { - if( node->pkt->pkttype == PKT_USER_ID ) { + if( node->pkt->pkttype == PKT_PUBLIC_KEY ) { + primary_pk=node->pkt->pkt.public_key; + } + else if( node->pkt->pkttype == PKT_USER_ID ) { uidnode = (node->flag & NODFLG_MARK_A)? node : NULL; if(uidnode && uidnode->pkt->pkt.user_id->is_revoked) { 
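Review bot: sign_mk_attrib now writes `buf[0]` through `buf[3]`, while the only use visible in the hunk context writes `buf[0]` alone; the declaration of `buf` is outside the hunk, so please confirm it holds at least four bytes. The callback also emits the SIG_EXPIRE subpacket without setting `sig->expiredate`, so the in-memory packet says "never" while the serialized one expires; adding `sig->expiredate = sig->timestamp + attrib->duration;` next to the subpacket build would keep them consistent, and because the hunk at @@ -777 makes build_sig_subpkt replace an existing SIG_EXPIRE, this appears safe whichever order build_sig_subpkt_from_sig and the callback run in — worth confirming against make_keysig_packet. sign_mk_attrib starts outside the hunk.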
@@ -382,6 +400,54 @@ sign_uids( KBNODE keyblock, STRLIST locusr, int *ret_modified, int local ) show_key_with_all_names( keyblock, 1, 1, 0, 0 ); tty_printf("\n"); + if(primary_pk->expiredate) + { + u32 now=make_timestamp(); + + if(primary_pk->expiredate<=now) + { + tty_printf(_("This key has expired!")); + + if(opt.expert) + { + tty_printf(_(" Are you sure you still " + "want to sign it?\n")); + if(!cpr_get_answer_is_yes("sign_uid.okay", + _("Really sign? "))) + continue; + } + else + { + tty_printf("\n"); + continue; + } + } + else + { + tty_printf(_("This key is due to expire on %s.\n"), + expirestr_from_pk(primary_pk)); + if(cpr_get_answer_is_yes("sign_uid.expire",_("Do you want your signature to expire at the same time? (y/n) "))) + { + /* This fixes the signature timestamp we're going + to make as now. This is so the expiration date + is exactly correct, and not a few seconds off + (due to the time it takes to answer the + questions, enter the passphrase, etc). */ + timestamp=now; + duration=primary_pk->expiredate-now; + force_v4=1; + } + } + } + + /* Only ask for duration if we haven't already set it to match + the expiration of the pk */ + if(opt.expert && !duration) + duration=ask_expire_interval(1); + + if(duration) + force_v4=1; + if(opt.batch) class=0x10+opt.def_check_level; else @@ -471,6 +537,7 @@ sign_uids( KBNODE keyblock, STRLIST locusr, int *ret_modified, int local ) assert( primary_pk ); memset( &attrib, 0, sizeof attrib ); attrib.non_exportable = local; + attrib.duration = duration; node->flag &= ~NODFLG_MARK_A; /* we force createion of a v4 signature for local @@ -482,7 +549,7 @@ sign_uids( KBNODE keyblock, STRLIST locusr, int *ret_modified, int local ) NULL, sk, class, 0, force_v4?4:0, - sign_mk_attrib, + timestamp, sign_mk_attrib, &attrib ); if( rc ) { log_error(_("signing failed: %s\n"), g10_errstr(rc)); 
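Review bot: `duration` and `timestamp` are declared once at the top of sign_uids (hunk at @@ -288, `u32 duration=0,timestamp=0;`) and the `if(opt.expert && !duration)` guard here means a value chosen in one pass is reused silently by every later pass; if this block runs inside a loop over the signing keys, as the `continue` statements suggest, reset both at the top of each iteration (`duration=0; timestamp=0;`) so each key gets its own prompt. The expiry prompt also lacks a `!opt.batch` guard, unlike the three equivalent calls in sign.c (`if(opt.expert && !opt.batch && !opt.force_v3_sigs && !old_style)`), so batch behaviour with --expert depends on what cpr_get does without a terminal, which is outside this diff. `primary_pk` is dereferenced here before the `assert( primary_pk )` in the hunk at @@ -471, which is only fine if every keyblock begins with a PKT_PUBLIC_KEY node. The enclosing function starts and ends outside the hunk.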
@@ -1459,7 +1526,7 @@ menu_adduid( KBNODE pub_keyblock, KBNODE sec_keyblock ) sec_where = NULL; assert(pk && sk ); - rc = make_keysig_packet( &sig, pk, uid, NULL, sk, 0x13, 0, 0, + rc = make_keysig_packet( &sig, pk, uid, NULL, sk, 0x13, 0, 0, 0, keygen_add_std_prefs, pk ); free_secret_key( sk ); if( rc ) { @@ -1754,11 +1821,11 @@ menu_expire( KBNODE pub_keyblock, KBNODE sec_keyblock ) /* create new self signature */ if( mainkey ) rc = make_keysig_packet( &newsig, main_pk, uid, NULL, - sk, 0x13, 0, 0, + sk, 0x13, 0, 0, 0, keygen_add_std_prefs, main_pk ); else rc = make_keysig_packet( &newsig, main_pk, NULL, sub_pk, - sk, 0x18, 0, 0, + sk, 0x18, 0, 0, 0, keygen_add_key_expire, sub_pk ); if( rc ) { log_error("make_keysig_packet failed: %s\n", @@ -2275,7 +2342,7 @@ menu_revsig( KBNODE keyblock ) unode->pkt->pkt.user_id, NULL, sk, - 0x30, 0, 0, + 0x30, 0, 0, 0, sign_mk_attrib, &attrib ); free_secret_key(sk); @@ -2338,7 +2405,7 @@ menu_revkey( KBNODE pub_keyblock, KBNODE sec_keyblock ) node->flag &= ~NODFLG_SELKEY; sk = copy_secret_key( NULL, sec_keyblock->pkt->pkt.secret_key ); rc = make_keysig_packet( &sig, mainpk, NULL, subpk, sk, - 0x28, 0, 0, + 0x28, 0, 0, 0, sign_mk_attrib, &attrib ); free_secret_key(sk); if( rc ) { diff --git a/g10/keygen.c b/g10/keygen.c index b9e486886..0c145f1a5 100644 --- a/g10/keygen.c +++ b/g10/keygen.c @@ -387,7 +387,7 @@ write_selfsig( KBNODE root, KBNODE pub_root, PKT_secret_key *sk, cache_public_key (pk); /* and make the signature */ - rc = make_keysig_packet( &sig, pk, uid, NULL, sk, 0x13, 0, 0, + rc = make_keysig_packet( &sig, pk, uid, NULL, sk, 0x13, 0, 0, 0, keygen_add_std_prefs, pk ); if( rc ) { log_error("make_keysig_packet failed: %s\n", g10_errstr(rc) ); 
@@ -436,7 +436,7 @@ write_keybinding( KBNODE root, KBNODE pub_root, PKT_secret_key *sk, /* and make the signature */ oduap.usage = use; oduap.pk = subpk; - rc = make_keysig_packet( &sig, pk, NULL, subpk, sk, 0x18, 0, 0, + rc = make_keysig_packet( &sig, pk, NULL, subpk, sk, 0x18, 0, 0, 0, keygen_add_key_flags_and_expire, &oduap ); if( rc ) { log_error("make_keysig_packet failed: %s\n", g10_errstr(rc) ); @@ -905,20 +905,38 @@ parse_expire_string( const char *string ) return valid_days; } - -static u32 -ask_expire_interval(void) +/* object == 0 for a key, and 1 for a sig */ +u32 +ask_expire_interval(int object) { char *answer; int valid_days=0; u32 interval = 0; - tty_printf(_("Please specify how long the key should be valid.\n" - " 0 = key does not expire\n" - " <n> = key expires in n days\n" - " <n>w = key expires in n weeks\n" - " <n>m = key expires in n months\n" - " <n>y = key expires in n years\n")); + switch(object) + { + case 0: + tty_printf(_("Please specify how long the key should be valid.\n" + " 0 = key does not expire\n" + " <n> = key expires in n days\n" + " <n>w = key expires in n weeks\n" + " <n>m = key expires in n months\n" + " <n>y = key expires in n years\n")); + break; + + case 1: + tty_printf(_("Please specify how long the signature should be valid.\n" + " 0 = signature does not expire\n" + " <n> = signature expires in n days\n" + " <n>w = signature expires in n weeks\n" + " <n>m = signature expires in n months\n" + " <n>y = signature expires in n years\n")); + break; + + default: + BUG(); + } + /* Note: The elgamal subkey for DSA has no expiration date because * it must be signed with the DSA key and this one has the expiration * date */ 
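Review bot: `ask_expire_interval(int object)` takes a bare 0/1 selector documented only by `/* object == 0 for a key, and 1 for a sig */`, and every call site in this commit passes a literal (`ask_expire_interval(0)` in keygen.c, `ask_expire_interval(1)` in keyedit.c and sign.c). Named constants for the two selectors would make those calls readable on their own. Since the function is now exported through main.h, the header comment should also state the contract: it returns the validity interval in seconds from now, 0 meaning "does not expire", and hits `BUG()` for any other selector. The function body continues past the hunk.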
@@ -928,7 +946,10 @@ ask_expire_interval(void) u32 curtime=make_timestamp(); m_free(answer); - answer = cpr_get("keygen.valid",_("Key is valid for? (0) ")); + if(object==0) + answer = cpr_get("keygen.valid",_("Key is valid for? (0) ")); + else + answer = cpr_get("siggen.valid",_("Signature is valid for? (0) ")); cpr_kill_prompt(); trim_spaces(answer); valid_days = parse_expire_string( answer ); @@ -938,13 +959,15 @@ ask_expire_interval(void) } if( !valid_days ) { - tty_printf(_("Key does not expire at all\n")); + tty_printf(_("%s does not expire at all\n"), + object==0?"Key":"Signature"); interval = 0; } else { interval = valid_days * 86400L; /* print the date when the key expires */ - tty_printf(_("Key expires at %s\n"), + tty_printf(_("%s expires at %s\n"), + object==0?"Key":"Signature", asctimestamp((ulong)(curtime + interval) ) ); /* FIXME: This check yields warning on alhas: write a configure check and to this check here only for 32 bit machines */ @@ -964,7 +987,7 @@ ask_expire_interval(void) u32 ask_expiredate() { - u32 x = ask_expire_interval(); + u32 x = ask_expire_interval(0); return x? make_timestamp() + x : 0; } @@ -1725,7 +1748,7 @@ generate_keypair( const char *fname ) r->next = para; para = r; - expire = ask_expire_interval(); + expire = ask_expire_interval(0); r = m_alloc_clear( sizeof *r + 20 ); r->key = pKEYEXPIRE; r->u.expire = expire; @@ -2045,7 +2068,7 @@ generate_subkeypair( KBNODE pub_keyblock, KBNODE sec_keyblock ) algo = ask_algo( 1, &use ); assert(algo); nbits = ask_keysize( algo ); - expire = ask_expire_interval(); + expire = ask_expire_interval(0); if( !cpr_enabled() && !cpr_get_answer_is_yes("keygen.sub.okay", _("Really create? ") ) ) goto leave; diff --git a/g10/keyid.c b/g10/keyid.c index 1e81545e6..624625d5a 100644 --- a/g10/keyid.c +++ b/g10/keyid.c @@ -318,7 +318,6 @@ datestr_from_sig( PKT_signature *sig ) return mk_datestr (buffer, atime); } - const char * expirestr_from_pk( PKT_public_key *pk ) { 
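Review bot: `object==0?"Key":"Signature"` in the hunk at @@ -938 splices untranslated English into the translated format strings `_("%s does not expire at all\n")` and `_("%s expires at %s\n")`, so translators can neither translate the noun nor reorder the sentence. Use two complete translatable strings instead, e.g. `tty_printf(object==0 ? _("Key does not expire at all\n") : _("Signature does not expire at all\n"));` and likewise for the "expires at" line; the hunk at @@ -928 already does it that way for the `siggen.valid` prompt.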
@@ -344,6 +343,18 @@ expirestr_from_sk( PKT_secret_key *sk ) } const char * +expirestr_from_sig( PKT_signature *sig ) +{ + static char buffer[11+5]; + time_t atime; + + if(!sig->expiredate) + return "never "; + atime=sig->expiredate; + return mk_datestr (buffer, atime); +} + +const char * colon_strtime (u32 t) { if (!t) @@ -389,6 +400,18 @@ colon_datestr_from_sig (PKT_signature *sig) return datestr_from_sig (sig); } +const char * +colon_expirestr_from_sig (PKT_signature *sig) +{ + if(!sig->expiredate) + return ""; + if (opt.fixed_list_mode) { + static char buf[15]; + sprintf (buf, "%lu", (ulong)sig->expiredate); + return buf; + } + return expirestr_from_sig (sig); +} /**************** . diff --git a/g10/keylist.c b/g10/keylist.c index 1cb6a46be..9994aa6e8 100644 --- a/g10/keylist.c +++ b/g10/keylist.c @@ -425,6 +425,7 @@ list_keyblock_print ( KBNODE keyblock, int secret ) rc = 0; sigrc = ' '; } + fputs( sigstr, stdout ); printf("%c%c %c%c%c%c%c %08lX %s ", sigrc,(sig->sig_class-0x10>0 && @@ -716,9 +717,10 @@ list_keyblock_colon( KBNODE keyblock, int secret ) putchar(':'); if( sigrc != ' ' ) putchar(sigrc); - printf("::%d:%08lX%08lX:%s::::", sig->pubkey_algo, + printf("::%d:%08lX%08lX:%s:%s:::", sig->pubkey_algo, (ulong)sig->keyid[0], - (ulong)sig->keyid[1], colon_datestr_from_sig(sig)); + (ulong)sig->keyid[1], colon_datestr_from_sig(sig), + colon_expirestr_from_sig(sig)); if( sigrc == '%' ) printf("[%s] ", g10_errstr(rc) ); else if( sigrc == '?' ) diff --git a/g10/main.h b/g10/main.h index d254aa452..2e4b373f2 100644 --- a/g10/main.h +++ b/g10/main.h @@ -98,6 +98,7 @@ void keyedit_menu( const char *username, STRLIST locusr, STRLIST cmds, int sign_mode ); /*-- keygen.c --*/ +u32 ask_expire_interval(int object); u32 ask_expiredate(void); void generate_keypair( const char *fname ); int keygen_set_std_prefs (const char *string); diff --git a/g10/mainproc.c b/g10/mainproc.c index 57cf22139..b9fab04c2 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c 
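Review bot: `expirestr_from_sig` returns the literal `"never "` with a trailing space when the signature has no expiration, while `colon_expirestr_from_sig` returns `""` for the same case, and neither says why; a short comment on each would help, e.g. `/* NOTE(review): trailing space presumably matches the padding of expirestr_from_pk — confirm; static buffer, not reentrant */`. The `%lu` formatting of `(ulong)sig->expiredate` into `static char buf[15]` fits as long as expiredate is a u32 like the other timestamps here (at most ten digits), which the arithmetic in build-packet.c suggests. A blank line is also missing between the closing brace of `colon_expirestr_from_sig` and the `/****************` comment that follows it.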
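Review bot: `fputs( sigstr, stdout );` added to list_keyblock_print in the hunk at @@ -425 changes the human-readable signature lines and is not mentioned in the commit message or the ChangeLog hunk, which records only the --with-colons change in list_keyblock_colon. If this restores a prefix that had gone missing, say so in the ChangeLog; if it is a deliberate format change, the entry should name it so anything scraping the plain listing is not surprised. list_keyblock_print starts and ends outside the hunk.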
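Review bot: the new `%s` for `colon_expirestr_from_sig(sig)` in the hunk at @@ -716 fills a field that was previously always empty, so the field count of the `sig` records in --with-colons output is unchanged and positional parsers keep working; that is worth a comment on the printf since the format is an interface, e.g. `/* sig expiration date goes into the previously empty field after the creation date; empty when the sig does not expire */`. No file describing the colon-separated listing format is part of this commit's diffstat, so that description needs a follow-up update.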
@@ -1336,6 +1336,7 @@ check_sig_and_print( CTX c, KBNODE node ) } } release_kbnode( keyblock ); + if( !rc ) print_notation_data( sig ); @@ -1362,6 +1363,15 @@ check_sig_and_print( CTX c, KBNODE node ) if( !rc ) rc = check_signatures_trust( sig ); + + if(sig->flags.expired) + { + log_info("Signature expired %s\n",asctimestamp(sig->expiredate)); + rc=G10ERR_GENERAL; /* need a better error here? */ + } + else if(sig->expiredate) + log_info("Signature expires %s\n",asctimestamp(sig->expiredate)); + if( rc ) g10_errors_seen = 1; if( opt.batch && rc ) diff --git a/g10/packet.h b/g10/packet.h index 871a9986e..0bddfe41b 100644 --- a/g10/packet.h +++ b/g10/packet.h @@ -436,8 +436,8 @@ int write_comment( IOBUF out, const char *s ); /*-- sign.c --*/ int make_keysig_packet( PKT_signature **ret_sig, PKT_public_key *pk, PKT_user_id *uid, PKT_public_key *subpk, - PKT_secret_key *sk, - int sigclass, int digest_algo, int sigversion, + PKT_secret_key *sk, int sigclass, int digest_algo, + int sigversion, u32 timestamp, int (*mksubpkt)(PKT_signature *, void *), void *opaque ); int update_keysig_packet( PKT_signature **ret_sig, diff --git a/g10/revoke.c b/g10/revoke.c index 453620c7c..45ce6b3e0 100644 --- a/g10/revoke.c +++ b/g10/revoke.c @@ -193,7 +193,7 @@ gen_revoke( const char *uname ) iobuf_push_filter( out, armor_filter, &afx ); /* create it */ - rc = make_keysig_packet( &sig, pk, NULL, NULL, sk, 0x20, 0, 0, + rc = make_keysig_packet( &sig, pk, NULL, NULL, sk, 0x20, 0, 0, 0, revocation_reason_build_cb, reason ); if( rc ) { diff --git a/g10/sign.c b/g10/sign.c index ce8f82a41..61380d016 100644 --- a/g10/sign.c +++ b/g10/sign.c @@ -433,7 +433,8 @@ write_plaintext_packet (IOBUF out, IOBUF inp, const char *fname, int ptmode) */ static int write_signature_packets (SK_LIST sk_list, IOBUF out, MD_HANDLE hash, - int sigclass, int old_style, int status_letter) + int sigclass, u32 timestamp, u32 duration, + int old_style, int status_letter) { SK_LIST sk_rover; 
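Review bot: in the hunk at @@ -1362 the `if(sig->flags.expired)` block runs regardless of the earlier result, so a signature that already failed verification (rc set by the checks above) is re-reported as `G10ERR_GENERAL` and the "Signature expired"/"Signature expires" lines are printed for a signature that did not verify; assuming `sig->flags.expired` is set by the signature check, which is outside the hunk, wrapping the block in `if( !rc )` as the new print_notation_data guard at @@ -1336 does keeps the specific error. Inside it the expired case still needs a distinct error code and a status-fd line, because with `rc=G10ERR_GENERAL` and a log_info message a --status-fd consumer cannot tell an expired signature from any other failure — the "need a better error here?" comment already hints at this. The two new log_info strings are also not wrapped in `_()` unlike the surrounding messages. check_sig_and_print starts and ends outside the hunk.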
@@ -448,11 +449,21 @@ write_signature_packets (SK_LIST sk_list, IOBUF out, MD_HANDLE hash, /* build the signature packet */ sig = m_alloc_clear (sizeof *sig); - sig->version = (old_style || opt.force_v3_sigs)? 3 : sk->version; + if(old_style || opt.force_v3_sigs) + sig->version=3; + else if(duration) + sig->version=4; + else + sig->version=sk->version; keyid_from_sk (sk, sig->keyid); sig->digest_algo = hash_for (sk->pubkey_algo, sk->version); sig->pubkey_algo = sk->pubkey_algo; - sig->timestamp = make_timestamp(); + if(timestamp) + sig->timestamp = timestamp; + else + sig->timestamp = make_timestamp(); + if(duration) + sig->expiredate = sig->timestamp+duration; sig->sig_class = sigclass; md = md_copy (hash); @@ -520,7 +531,7 @@ sign_file( STRLIST filenames, int detached, STRLIST locusr, int multifile = 0; int old_style = opt.rfc1991; int compr_algo = -1; /* unknown */ - + u32 timestamp=0,duration=0; memset( &afx, 0, sizeof afx); memset( &zfx, 0, sizeof zfx); @@ -539,9 +550,12 @@ sign_file( STRLIST filenames, int detached, STRLIST locusr, if( fname && filenames->next && (!detached || encryptflag) ) log_bug("multiple files can only be detached signed"); + if(opt.expert && !opt.batch && !opt.force_v3_sigs && !old_style) + duration=ask_expire_interval(1); + if( (rc=build_sk_list( locusr, &sk_list, 1, PUBKEY_USAGE_SIG )) ) goto leave; - if( !old_style ) + if( !old_style && !duration ) old_style = only_old_style( sk_list ); if( encryptflag ) { @@ -662,6 +676,7 @@ sign_file( STRLIST filenames, int detached, STRLIST locusr, /* write the signatures */ rc = write_signature_packets (sk_list, out, mfx.md, opt.textmode && !outfile? 0x01 : 0x00, + timestamp, duration, old_style, detached ? 'D':'S'); if( rc ) goto leave; 
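Review bot: `sig->expiredate = sig->timestamp+duration;` in write_signature_packets can wrap the u32 without any check; ask_expire_interval's existing FIXME already describes the 32-bit limit, so at least a comment pointing there belongs on this line, or a check that the sum did not wrap before the packet is built. The `timestamp` locals introduced in the hunks at @@ -520, @@ -699 and @@ -826 are initialised to 0 and never assigned, so this parameter is always 0 from those three paths; either drop the locals and pass `0` literally or comment that they are reserved for a future caller. As a style point, `sig->timestamp = timestamp ? timestamp : make_timestamp();` says the same as the new four-line if/else here and in make_keysig_packet. write_signature_packets starts outside the hunk.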
@@ -699,13 +714,17 @@ clearsign_file( const char *fname, STRLIST locusr, const char *outfile ) SK_LIST sk_rover = NULL; int old_style = opt.rfc1991; int only_md5 = 0; + u32 timestamp=0,duration=0; memset( &afx, 0, sizeof afx); init_packet( &pkt ); + if(opt.expert && !opt.batch && !opt.force_v3_sigs && !old_style) + duration=ask_expire_interval(1); + if( (rc=build_sk_list( locusr, &sk_list, 1, PUBKEY_USAGE_SIG )) ) goto leave; - if( !old_style ) + if( !old_style && !duration ) old_style = only_old_style( sk_list ); /* prepare iobufs */ @@ -789,8 +808,8 @@ clearsign_file( const char *fname, STRLIST locusr, const char *outfile ) iobuf_push_filter( out, armor_filter, &afx ); /* write the signatures */ - rc = write_signature_packets (sk_list, out, textmd, - 0x01, old_style, 'C'); + rc = write_signature_packets (sk_list, out, textmd, 0x01, + timestamp, duration, old_style, 'C'); if( rc ) goto leave; @@ -826,6 +845,7 @@ sign_symencrypt_file (const char *fname, STRLIST locusr) int old_style = opt.rfc1991; int compr_algo = -1; /* unknown */ int algo; + u32 timestamp=0,duration=0; memset( &afx, 0, sizeof afx); memset( &zfx, 0, sizeof zfx); @@ -834,10 +854,13 @@ sign_symencrypt_file (const char *fname, STRLIST locusr) memset( &cfx, 0, sizeof cfx); init_packet( &pkt ); + if(opt.expert && !opt.batch && !opt.force_v3_sigs && !old_style) + duration=ask_expire_interval(1); + rc = build_sk_list (locusr, &sk_list, 1, PUBKEY_USAGE_SIG); if (rc) goto leave; - if( !old_style ) + if( !old_style && !duration ) old_style = only_old_style( sk_list ); /* prepare iobufs */ @@ -934,7 +957,8 @@ sign_symencrypt_file (const char *fname, STRLIST locusr) /* Write the signatures */ /*(current filters: zip - encrypt - armor)*/ rc = write_signature_packets (sk_list, out, mfx.md, - opt.textmode? 0x01 : 0x00, + opt.textmode? 0x01 : 0x00, + timestamp, duration, old_style, 'S'); if( rc ) goto leave; 
@@ -963,14 +987,14 @@ sign_symencrypt_file (const char *fname, STRLIST locusr) * DIGEST_ALGO is 0 the function selects an appropriate one. * SIGVERSION gives the minimal required signature packet version; * this is needed so that special properties like local sign are not - * applied (actually: dropped) when a v3 key is used. - */ + * applied (actually: dropped) when a v3 key is used. TIMESTAMP is + * the timestamp to use for the signature. 0 means "now" */ int make_keysig_packet( PKT_signature **ret_sig, PKT_public_key *pk, PKT_user_id *uid, PKT_public_key *subpk, PKT_secret_key *sk, int sigclass, int digest_algo, - int sigversion, + int sigversion, u32 timestamp, int (*mksubpkt)(PKT_signature *, void *), void *opaque ) { @@ -1030,7 +1054,10 @@ make_keysig_packet( PKT_signature **ret_sig, PKT_public_key *pk, keyid_from_sk( sk, sig->keyid ); sig->pubkey_algo = sk->pubkey_algo; sig->digest_algo = digest_algo; - sig->timestamp = make_timestamp(); + if(timestamp) + sig->timestamp=timestamp; + else + sig->timestamp = make_timestamp(); sig->sig_class = sigclass; if( sig->version >= 4 ) build_sig_subpkt_from_sig( sig ); |
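Review bot: the updated comment on make_keysig_packet says TIMESTAMP "0 means now" but not that a caller adding an expiration through MKSUBPKT must compute its duration against that same value, which is exactly why sign_uids in keyedit.c passes `timestamp=now` together with `duration=primary_pk->expiredate-now`. Appending a sentence such as `Callers that add a SIG_EXPIRE subpacket via MKSUBPKT should derive its duration from this same timestamp so the expiration date is exact.` would make that dependency explicit; the value itself is taken as given and not range-checked, which the comment could also state. make_keysig_packet continues past the hunk.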