Diffstat (limited to 'sm/keylist.c')
-rw-r--r--sm/keylist.c26
1 files changed, 22 insertions, 4 deletions
diff --git a/sm/keylist.c b/sm/keylist.c
index 4e2d99920..c2f201c8e 100644
--- a/sm/keylist.c
+++ b/sm/keylist.c
@@ -371,20 +371,38 @@ email_kludge (const char *name)
}
+/* Check whether the certificate has the de_vs flag set. */
+static int
+cert_has_de_vs_flag (ksba_cert_t cert)
+{
+ gpg_error_t err;
+ size_t buflen;
+ char buffer[1];
+
+ if ((opt.compat_flags & COMPAT_DE_VS_TRUSTLIST))
+ return 1;
+
+ err = ksba_cert_get_user_data (cert, "is_de_vs",
+ &buffer, sizeof (buffer), &buflen);
+ if (!err && buflen && *buffer)
+ return 1;
+
+ return 0;
+}
+
/* Print the compliance flags to field 18. ALGO is the gcrypt algo
* number. NBITS is the length of the key in bits. */
static void
print_compliance_flags (ksba_cert_t cert, int algo, unsigned int nbits,
const char *curvename, estream_t fp)
{
- int hashalgo;
-
/* Note that we do not need to test for PK_ALGO_FLAG_RSAPSS because
* that is not a property of the key but one of the created
* signature. */
- if (gnupg_pk_is_compliant (CO_DE_VS, algo, 0, NULL, nbits, curvename))
+ if (cert_has_de_vs_flag (cert)
+ && gnupg_pk_is_compliant (CO_DE_VS, algo, 0, NULL, nbits, curvename))
{
- hashalgo = gcry_md_map_name (ksba_cert_get_digest_algo (cert));
+ int hashalgo = gcry_md_map_name (ksba_cert_get_digest_algo (cert));
if (gnupg_digest_is_compliant (CO_DE_VS, hashalgo))
{
es_fputs (gnupg_status_compliance_flag (CO_DE_VS), fp);
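Review bot: The one-line comment above `cert_has_de_vs_flag` understates what the function decides. It returns 1 for every certificate when `COMPAT_DE_VS_TRUSTLIST` is set, and it treats any error from `ksba_cert_get_user_data` (not only a missing entry) as "flag not set". Both matter to a reader auditing when field 18 can claim de-vs compliance, so I would spell them out: `/* Return 1 if CERT carries the "is_de_vs" user data flag, or unconditionally if the COMPAT_DE_VS_TRUSTLIST compat flag is set; any lookup error counts as not flagged. */`. Where "is_de_vs" gets attached is not visible in this hunk; presumably it happens during chain validation, and if so the comment should also say that a certificate listed without prior validation will not show the flag. As a small style point, pass `buffer` rather than `&buffer` to the call, since the parameter takes a plain data pointer. The body of `print_compliance_flags` continues past the end of the hunk.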