aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorWerner Koch <[email protected]>2025-08-27 14:04:01 +0000
committerWerner Koch <[email protected]>2025-08-27 14:04:01 +0000
commit1123be6ad659b24318ec3981c501a3ed2fc1960b (patch)
treeea2aab92e9b3c9525e867fd00a70b656c4724631
parentgpg: Avoid second Pinentry pop-up for a configured ADSK during keygen. (diff)
downloadgnupg-master.tar.gz
gnupg-master.zip
gpg: Change the ADSK key binding time to the current time.HEADmaster
* g10/keyedit.c (append_adsk_to_key): Add arg sigtimestamp and pass that as signing time to make_keysig_packet. * g10/keygen.c (append_all_default_adsks): Likewise. (do_generate_keypair): Likewise. -- For not anymore known reasons or maybe because I mixed up creation and binding time the creation date of the ADSK was also used as the time for the key binding signature. This works but is a bit surprising. Now we use either the current time or, on key creation, the time creation time of the primary key as we also do with the other self-signatures. GnuPG-bug-id: 6882
-rw-r--r--g10/keyedit.c13
-rw-r--r--g10/keyedit.h3
-rw-r--r--g10/keygen.c9
3 files changed, 17 insertions, 8 deletions
diff --git a/g10/keyedit.c b/g10/keyedit.c
index 0a5064a25..12e127452 100644
--- a/g10/keyedit.c
+++ b/g10/keyedit.c
@@ -5053,11 +5053,13 @@ fail:
/* Core function to add an ADSK to the KEYBLOCK. Returns 0 on success
- * or an error code. CACHE_NONCE can be used to avoid a second
- * Pinetry pop-up for appending the ADSK. */
+ * or an error code. If SIGTIMESTAMP is not 0 it is used for the key
+ * binding signature creation time; if not given the current time is
+ * used. CACHE_NONCE can be used to avoid a second Pinetry pop-up for
+ * appending the ADSK. */
gpg_error_t
append_adsk_to_key (ctrl_t ctrl, kbnode_t keyblock, PKT_public_key *adsk,
- const char *cache_nonce)
+ u32 sigtimestamp, const char *cache_nonce)
{
gpg_error_t err;
PKT_public_key *main_pk; /* The primary key. */
@@ -5102,7 +5104,7 @@ append_adsk_to_key (ctrl_t ctrl, kbnode_t keyblock, PKT_public_key *adsk,
/* Make the signature. */
err = make_keysig_packet (ctrl, &sig, main_pk, NULL, adsk, main_pk, 0x18,
- adsk->timestamp, 0,
+ sigtimestamp, 0,
keygen_add_key_flags_and_expire, adsk, cache_nonce);
adsk = NULL; /* (owned by adsknode - avoid double free.) */
if (err)
@@ -5150,6 +5152,7 @@ menu_addadsk (ctrl_t ctrl, kbnode_t pub_keyblock, const char *adskfpr)
byte fpr[MAX_FINGERPRINT_LEN];
size_t fprlen;
kbnode_t node;
+ u32 sigtimestamp = make_timestamp ();
log_assert (pub_keyblock->pkt->pkttype == PKT_PUBLIC_KEY);
@@ -5251,7 +5254,7 @@ menu_addadsk (ctrl_t ctrl, kbnode_t pub_keyblock, const char *adskfpr)
log_assert (node->pkt->pkttype == PKT_PUBLIC_KEY
|| node->pkt->pkttype == PKT_PUBLIC_SUBKEY);
err = append_adsk_to_key (ctrl, pub_keyblock, node->pkt->pkt.public_key,
- NULL);
+ sigtimestamp, NULL);
leave:
diff --git a/g10/keyedit.h b/g10/keyedit.h
index 5d8be078e..d37bcb23b 100644
--- a/g10/keyedit.h
+++ b/g10/keyedit.h
@@ -61,7 +61,8 @@ void keyedit_quick_update_pref (ctrl_t ctrl, const char *username);
void keyedit_quick_set_ownertrust (ctrl_t ctrl, const char *username,
const char *value);
gpg_error_t append_adsk_to_key (ctrl_t ctrl, kbnode_t keyblock,
- PKT_public_key *adsk, const char *cache_nonce);
+ PKT_public_key *adsk,
+ u32 sigtimestamp, const char *cache_nonce);
void show_basic_key_info (ctrl_t ctrl, kbnode_t keyblock, int print_sec);
int keyedit_print_one_sig (ctrl_t ctrl, estream_t fp,
int rc, kbnode_t keyblock,
diff --git a/g10/keygen.c b/g10/keygen.c
index 349149b8a..79f4e503b 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -1263,6 +1263,7 @@ append_all_default_adsks (ctrl_t ctrl, kbnode_t keyblock)
struct para_data_s *para;
byte adskfpr[MAX_FINGERPRINT_LEN];
size_t adskfprlen;
+ u32 sigtimestamp = make_timestamp ();
keygen_prepare_new_key_adsks ();
for (sl = opt.def_new_key_adsks; sl && !err; sl = sl->next)
@@ -1275,7 +1276,10 @@ append_all_default_adsks (ctrl_t ctrl, kbnode_t keyblock)
fingerprint_from_pk (para->u.adsk, adskfpr, &adskfprlen);
if (!has_key_with_fingerprint (keyblock, adskfpr, adskfprlen))
{
- err = append_adsk_to_key (ctrl, keyblock, para->u.adsk, NULL);
+ /* Fixme: We should use a cache nonce so that only one
+ * pinentry pops up. */
+ err = append_adsk_to_key (ctrl, keyblock, para->u.adsk,
+ sigtimestamp, NULL);
if (!err)
any_done = 1;
}
@@ -6629,7 +6633,8 @@ do_generate_keypair (ctrl_t ctrl, struct para_data_s *para,
for (idx=0; (adsk = get_parameter_adsk (para, idx)); idx++)
{
- err = append_adsk_to_key (ctrl, pub_root, adsk, cache_nonce);
+ err = append_adsk_to_key (ctrl, pub_root, adsk,
+ signtimestamp, cache_nonce);
if (err)
break;
any_adsk++;