gpg: Change the ADSK key binding time to the current time.HEAD master

* g10/keyedit.c (append_adsk_to_key): Add arg sigtimestamp and pass that as signing time to make_keysig_packet. * g10/keygen.c (append_all_default_adsks): Likewise. (do_generate_keypair): Likewise. -- For not anymore known reasons or maybe because I mixed up creation and binding time the creation date of the ADSK was also used as the time for the key binding signature. This works but is a bit surprising. Now we use either the current time or, on key creation, the time creation time of the primary key as we also do with the other self-signatures. GnuPG-bug-id: 6882
author: Werner Koch <[email protected]> 2025-08-27 14:04:01 +0000
committer: Werner Koch <[email protected]> 2025-08-27 14:04:01 +0000
commit: 1123be6ad659b24318ec3981c501a3ed2fc1960b (patch)
tree: ea2aab92e9b3c9525e867fd00a70b656c4724631
parent: gpg: Avoid second Pinentry pop-up for a configured ADSK during keygen. (diff)
download: gnupg-master.tar.gz
gnupg-master.zip
3 files changed, 17 insertions, 8 deletions
diff --git a/g10/keyedit.c b/g10/keyedit.c
index 0a5064a25..12e127452 100644
--- a/g10/keyedit.c
+++ b/g10/keyedit.c
@@ -5053,11 +5053,13 @@ fail:
 
 
 /* Core function to add an ADSK to the KEYBLOCK.  Returns 0 on success
- * or an error code.  CACHE_NONCE can be used to avoid a second
- * Pinetry pop-up for appending the ADSK. */
+ * or an error code.  If SIGTIMESTAMP is not 0 it is used for the key
+ * binding signature creation time; if not given the current time is
+ * used.  CACHE_NONCE can be used to avoid a second Pinetry pop-up for
+ * appending the ADSK. */
 gpg_error_t
 append_adsk_to_key (ctrl_t ctrl, kbnode_t keyblock, PKT_public_key *adsk,
-                    const char *cache_nonce)
+                    u32 sigtimestamp, const char *cache_nonce)
 {
   gpg_error_t err;
   PKT_public_key *main_pk;  /* The primary key.  */
@@ -5102,7 +5104,7 @@ append_adsk_to_key (ctrl_t ctrl, kbnode_t keyblock, PKT_public_key *adsk,
 
   /* Make the signature.  */
   err = make_keysig_packet (ctrl, &sig, main_pk, NULL, adsk, main_pk, 0x18,
-                            adsk->timestamp, 0,
+                            sigtimestamp, 0,
                             keygen_add_key_flags_and_expire, adsk, cache_nonce);
   adsk = NULL; /* (owned by adsknode - avoid double free.)  */
   if (err)
@@ -5150,6 +5152,7 @@ menu_addadsk (ctrl_t ctrl, kbnode_t pub_keyblock, const char *adskfpr)
   byte fpr[MAX_FINGERPRINT_LEN];
   size_t fprlen;
   kbnode_t node;
+  u32 sigtimestamp = make_timestamp ();
 
   log_assert (pub_keyblock->pkt->pkttype == PKT_PUBLIC_KEY);
 
@@ -5251,7 +5254,7 @@ menu_addadsk (ctrl_t ctrl, kbnode_t pub_keyblock, const char *adskfpr)
   log_assert (node->pkt->pkttype == PKT_PUBLIC_KEY
               || node->pkt->pkttype == PKT_PUBLIC_SUBKEY);
   err = append_adsk_to_key (ctrl, pub_keyblock, node->pkt->pkt.public_key,
-                            NULL);
+                            sigtimestamp, NULL);
 
 
  leave:
diff --git a/g10/keyedit.h b/g10/keyedit.h
index 5d8be078e..d37bcb23b 100644
--- a/g10/keyedit.h
+++ b/g10/keyedit.h
@@ -61,7 +61,8 @@ void keyedit_quick_update_pref (ctrl_t ctrl, const char *username);
 void keyedit_quick_set_ownertrust (ctrl_t ctrl, const char *username,
                                    const char *value);
 gpg_error_t append_adsk_to_key (ctrl_t ctrl, kbnode_t keyblock,
-                                PKT_public_key *adsk, const char *cache_nonce);
+                                PKT_public_key *adsk,
+                                u32 sigtimestamp, const char *cache_nonce);
 void show_basic_key_info (ctrl_t ctrl, kbnode_t keyblock, int print_sec);
 int keyedit_print_one_sig (ctrl_t ctrl, estream_t fp,
                            int rc, kbnode_t keyblock,
diff --git a/g10/keygen.c b/g10/keygen.c
index 349149b8a..79f4e503b 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -1263,6 +1263,7 @@ append_all_default_adsks (ctrl_t ctrl, kbnode_t keyblock)
   struct para_data_s *para;
   byte adskfpr[MAX_FINGERPRINT_LEN];
   size_t adskfprlen;
+  u32 sigtimestamp = make_timestamp ();
 
   keygen_prepare_new_key_adsks ();
   for (sl = opt.def_new_key_adsks; sl && !err; sl = sl->next)
@@ -1275,7 +1276,10 @@ append_all_default_adsks (ctrl_t ctrl, kbnode_t keyblock)
           fingerprint_from_pk (para->u.adsk, adskfpr, &adskfprlen);
           if (!has_key_with_fingerprint (keyblock, adskfpr, adskfprlen))
             {
-              err = append_adsk_to_key (ctrl, keyblock, para->u.adsk, NULL);
+              /* Fixme: We should use a cache nonce so that only one
+               * pinentry pops up.  */
+              err = append_adsk_to_key (ctrl, keyblock, para->u.adsk,
+                                        sigtimestamp, NULL);
               if (!err)
                 any_done = 1;
             }
@@ -6629,7 +6633,8 @@ do_generate_keypair (ctrl_t ctrl, struct para_data_s *para,
 
       for (idx=0; (adsk = get_parameter_adsk (para, idx)); idx++)
         {
-          err = append_adsk_to_key (ctrl, pub_root, adsk, cache_nonce);
+          err = append_adsk_to_key (ctrl, pub_root, adsk,
+                                    signtimestamp, cache_nonce);
           if (err)
             break;
           any_adsk++;
author	Werner Koch <[email protected]>	2025-08-27 14:04:01 +0000
committer	Werner Koch <[email protected]>	2025-08-27 14:04:01 +0000
commit	1123be6ad659b24318ec3981c501a3ed2fc1960b (patch)
tree	ea2aab92e9b3c9525e867fd00a70b656c4724631
parent	gpg: Avoid second Pinentry pop-up for a configured ADSK during keygen. (diff)
download	gnupg-master.tar.gz gnupg-master.zip