authorWerner Koch <[email protected]>2024-01-10 16:18:34 +0000
committerWerner Koch <[email protected]>2024-01-10 16:18:58 +0000
commit89c7eccba5155462a3435301b05b33c2ba832e03 (patch)
treeb59a3fe80f08ed8c697a84d09df44b2061b0113c
parentgpgconf: Adjust -X command for the new VERSION file format (diff)
gpg: Allow to create revocations even with non-compliant algos.
* g10/sign.c (do_sign): Skip compliance check for revocation certs. -- It just does not make sense to inhibit the creation of revocations depending on the compliance mode. We do this only for key revocation but not for another kind of revocation because the rationale for uid or subkey revocation is more complicated to explain.
-rw-r--r--g10/sign.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/g10/sign.c b/g10/sign.c
index 6fa6f46da..def43c7ab 100644
--- a/g10/sign.c
+++ b/g10/sign.c
@@ -385,8 +385,9 @@ do_sign (ctrl_t ctrl, PKT_public_key *pksk, PKT_signature *sig,
goto leave;
}
- /* Check compliance. */
- if (! gnupg_digest_is_allowed (opt.compliance, 1, mdalgo))
+ /* Check compliance but always allow for key revocations. */
+ if (!IS_KEY_REV (sig)
+ && ! gnupg_digest_is_allowed (opt.compliance, 1, mdalgo))
{
log_error (_("digest algorithm '%s' may not be used in %s mode\n"),
gcry_md_algo_name (mdalgo),
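Review bot: With the added `!IS_KEY_REV (sig)` guard, a key revocation made with a digest that the active compliance mode forbids now passes without any diagnostic, and the same holds for the public-key check in the second hunk. Anyone auditing a system that runs in a compliance mode would benefit from a trace, for example `if (IS_KEY_REV (sig) && !gnupg_digest_is_allowed (opt.compliance, 1, mdalgo)) log_info (_("Note: compliance check skipped for key revocation\n"));` placed before the guarded test. The exemption depends only on the signature class held in `sig`, so it presumably relies on callers having set that class before do_sign runs; this cannot be confirmed here because do_sign begins and ends outside the hunk.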
@@ -395,9 +396,10 @@ do_sign (ctrl_t ctrl, PKT_public_key *pksk, PKT_signature *sig,
goto leave;
}
- if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING,
- pksk->pubkey_algo, 0,
- pksk->pkey, nbits_from_pk (pksk), NULL))
+ if (!IS_KEY_REV (sig)
+ && ! gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING,
+ pksk->pubkey_algo, 0,
+ pksk->pkey, nbits_from_pk (pksk), NULL))
{
log_error (_("key %s may not be used for signing in %s mode\n"),
keystr_from_pk (pksk),
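Review bot: The second guarded test has no comment, although it carries the same exemption as the digest check in the first hunk. A line such as `/* Key revocations are exempt here as well so that a key can always be revoked. */` above `if (!IS_KEY_REV (sig)` would let this check be read on its own. Since `!IS_KEY_REV (sig)` is now written twice, evaluating it once into a local before the two compliance tests would keep them from drifting apart in a later change. The body of this `if` continues past the end of the hunk.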