authorWerner Koch <[email protected]>2025-05-28 08:39:17 +0000
committerWerner Koch <[email protected]>2025-05-28 08:41:32 +0000
commit15a71f108d9eb25b2cfd8c190b9514c1a21e1c48 (patch)
tree538086c80d73e417a788c41c6732f93d9ae89e6d
parentdoc: Minor speedo build clarification (diff)
gpg: Allow updating a SHA-1 key certification w/o --force-sign-key.
* g10/keyedit.c (sign_uids): Add a case for this. -- GnuPG-bug-id: 7663
-rw-r--r--NEWS3
-rw-r--r--g10/keyedit.c11
2 files changed, 13 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index e562f5fc5..f5d2a7969 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,9 @@
Noteworthy changes in version 2.5.7 (unreleased)
------------------------------------------------
+ * gpg: Allow updating a SHA-1 key certification w/o using
+ the --force-sign-key option. [T7663]
+
Noteworthy changes in version 2.5.6 (2025-05-08)
------------------------------------------------
diff --git a/g10/keyedit.c b/g10/keyedit.c
index 1f3f8f3b3..eebeecfcd 100644
--- a/g10/keyedit.c
+++ b/g10/keyedit.c
@@ -855,7 +855,16 @@ sign_uids (ctrl_t ctrl, estream_t fp,
_("\"%s\" was already signed by key %s\n"),
user, keystr_from_pk (pk));
- if (opt.flags.force_sign_key
+ if (node->pkt->pkt.signature->digest_algo
+ == DIGEST_ALGO_SHA1
+ && !opt.flags.allow_weak_key_signatures)
+ {
+ /* Allow updating a signature to a stronger
+ * digest algorithm without an extra option. */
+ xfree (user);
+ continue;
+ }
+ else if (opt.flags.force_sign_key
|| (opt.expert && !(flags & SIGN_UIDS_QUICK)
&& cpr_get_answer_is_yes ("sign_uid.dupe_okay",
_("Do you want to sign it "