1 files changed, 16 insertions, 9 deletions

diff --git a/g10/sign.c b/g10/sign.c
index def43c7ab..c978effb7 100644
--- a/g10/sign.c
+++ b/g10/sign.c
@@ -49,10 +49,6 @@
 #define LF "\n"
 #endif
 
-/* Bitflags to convey hints on what kind of signayire is created.  */
-#define SIGNHINT_KEYSIG  1
-#define SIGNHINT_SELFSIG 2
-
 
 /* Hack */
 static int recipient_digest_algo=0;
@@ -355,7 +351,10 @@ do_sign (ctrl_t ctrl, PKT_public_key *pksk, PKT_signature *sig,
   byte *dp;
   char *hexgrip;
 
-  if (pksk->timestamp > sig->timestamp )
+  /* An ADSK key commonly has a creation date older than the primary
+   * key.  For example because the ADSK is used as an archive key for
+   * a group of users.  */
+  if (pksk->timestamp > sig->timestamp && !(signhints & SIGNHINT_ADSK))
     {
       ulong d = pksk->timestamp - sig->timestamp;
       log_info (ngettext("key %s was created %lu second"
@@ -864,7 +863,7 @@ write_signature_packets (ctrl_t ctrl,
 
       if (sig->version >= 4)
         {
-          build_sig_subpkt_from_sig (sig, pk);
+          build_sig_subpkt_from_sig (sig, pk, 0);
           mk_notation_policy_etc (sig, NULL, pk);
           if (opt.flags.include_key_block && IS_SIG (sig))
             err = mk_sig_subpkt_key_block (ctrl, sig, pk);
@@ -1687,6 +1686,8 @@ make_keysig_packet (ctrl_t ctrl,
       {
 	/* hash the subkey binding/backsig/revocation */
 	hash_public_key( md, subpk );
+        if ((subpk->pubkey_usage & PUBKEY_USAGE_RENC))
+          signhints |= SIGNHINT_ADSK;
       }
     else if( sigclass != 0x1F && sigclass != 0x20 )
       {
@@ -1709,7 +1710,7 @@ make_keysig_packet (ctrl_t ctrl,
       sig->expiredate=sig->timestamp+duration;
     sig->sig_class = sigclass;
 
-    build_sig_subpkt_from_sig (sig, pksk);
+    build_sig_subpkt_from_sig (sig, pksk, signhints);
     mk_notation_policy_etc (sig, pk, pksk);
 
     /* Crucial that the call to mksubpkt comes LAST before the calls
@@ -1759,7 +1760,7 @@ update_keysig_packet (ctrl_t ctrl,
     int digest_algo;
     gcry_md_hd_t md;
     u32 pk_keyid[2], pksk_keyid[2];
-    unsigned int signhints;
+    unsigned int signhints = 0;
 
     if ((!orig_sig || !pk || !pksk)
 	|| (orig_sig->sig_class >= 0x10 && orig_sig->sig_class <= 0x13 && !uid)
@@ -1820,6 +1821,12 @@ update_keysig_packet (ctrl_t ctrl,
         }
     }
 
+    /* Detect an ADSK key binding signature.  */
+    if ((sig->sig_class == 0x18
+         || sig->sig_class == 0x19 || sig->sig_class == 0x28)
+        && (pk->pubkey_usage & PUBKEY_USAGE_RENC))
+      signhints |= SIGNHINT_ADSK;
+
     /* Note that already expired sigs will remain expired (with a
        duration of 1) since build-packet.c:build_sig_subpkt_from_sig
        detects this case. */
@@ -1828,7 +1835,7 @@ update_keysig_packet (ctrl_t ctrl,
        automagically lower any sig expiration dates to correctly
        correspond to the differences in the timestamps (i.e. the
        duration will shrink).  */
-    build_sig_subpkt_from_sig (sig, pksk);
+    build_sig_subpkt_from_sig (sig, pksk, signhints);
 
     if (mksubpkt)
       rc = (*mksubpkt)(sig, opaque);