| Commit message (Collapse) | Author | Files | Lines |
|---|
|
* g10/gpg.c (oWithV5Fingerprint): New.
(opts): Add new option.
(main): Set option.
* g10/options.h (opt): Add with_v5_fingerprint.
* g10/keyid.c (hash_public_key): Factor out to ...
(do_hash_public_key): this. Add new arg to foce v5 style hashing.
(v5_fingerprint_from_pk): New.
(v5hexfingerprint): New.
* g10/keylist.c (print_fingerprint): Print v5 fingerprint for v4 keys
if the option is set.
--
GnuPG-bug-id: 6705
|
|
* dirmngr/dirmngr.c (gpgrt_opt_t): Use string for oFakedSystemTime.
(oFakedSystemTime): Use similar conversion as gpgsm has.
* dirmngr/dirmngr.texi (faked-system-time): Document it.
--
For testing X509 certificates this is usually required and
then confusing that the example from the gpgsm man page
does not work for dirmngr.
|
|
* tools/gpg-wks-client.c (opt): New option --no-add-revocs.
(main): Make --add-revocs the default.
(command_send): Rename to ...
(command_create): to match the command name.
|
|
* dirmngr/dirmngr.c (oIgnoreCRLExtension): New.
(opts): Add --ignore-crl-extension.
(parse_rereadable_options): Add to list/
* dirmngr/dirmngr.h (opt): Add ignored_crl_extensions.
* dirmngr/crlcache.c (crl_cache_insert): Implement option.
--
This option is is useful for debugging problems with new CRL
extensions. It is similar to --ignore-cert-extension.
GnuPG-bug-id: 6545
|
|
* dirmngr/dirmngr.c (oCompatibilityFlags): NEw.
(opts): Add option --compatibility-flags.
(compatibility_flags): New.
(parse_rereadable_options): Parse them.
|
|
* tools/gpgtar.c: Add option --no-compress.
* tools/gpgtar.h (opt): Add field no_compress.
* tools/gpgtar-create.c (gpgtar_create): Pass -z0 to gpg.
--
This option is probably easier to remember than --gpg-args '-z0'.
|
|
|
|
* sm/gpgsm.c (oInputSizeHint): New.
(opts): Add "--input-size-hint".
(main): Set option.
* sm/server.c (option_handler): Add option "input-size-hint".
* sm/gpgsm.h (struct server_control_s): Add field input_size_hint.
* sm/encrypt.c (gpgsm_encrypt): Set the toatl file size.
* sm/decrypt.c (gpgsm_decrypt): Ditto.
* sm/sign.c (gpgsm_sign): Ditto.
* sm/verify.c (gpgsm_verify): Ditto.
--
This option allows to set a value for the progress output line. Note
that as of now there is no other way to set the file size.
GnuPG-bug-id: 6534
|
|
* g10/import.c (impex_filter_getval): Support new filter properties.
--
Here is how to list all subkeys expiring in the year 2061:
gpg --list-keys --list-filter
'select= sub/key_expires_d -gt 2061-01-01 \
&& sub/key_expires_d -lt 2061-12-31'
To list all primary key expirations, use the "pub/" prefix and to list
all expiration dates use no prefix.
GnuPG-bug-id: 6509
|
|
--
|
|
--
|
|
* g10/gpg.c (oDebugIgnoreExpiration): New.
(opts): Add option.
(main): Set flag.
* g10/options.h (opt): Add field ignore_expiration.
* g10/pkclist.c (do_we_trust): Handle the option.
* g10/getkey.c (skip_unusable): Ditto.
(finish_lookup): Ditto.
--
GnuPG-bug-id: 2703
|
|
* g10/card-util.c (current_card_status): Print a hint for fishy
outputs.
(enum cmdids): Add cmdOPENPGP.
(cmds): Add "openpgp".
(card_edit): Implement that command.
--
If a Yubikey has been used in PIV mode the initial listing does not
look correct. Although we explicitly switch to the OpenPGP app when
needed, we don't want to do this in listing mode. Instead we offer a
new command "openpgp" to force the openpgp mode. The ultimate goal
will be to enhance the gpg-card tool to completely take over the
--card-edit features. But we are not yet there.
GnuPG-bug-id: 6462
|
|
* agent/command-ssh.c (ssh_send_available_keys): Redefine the order of
keys.
--
GnuPG-bug-id: 6212
|
|
* g10/gpg.c (enum cmd_and_opt_values): Add oAssertSigner.
(opts): Add "assert-signer".
(main): Set option.
(assert_signer_true): New var.
(g10_exit): Evaluate new var.
* g10/main.h (assert_signer_true): Declare new var.
* common/status.h (STATUS_ASSERT_SIGNER): New.
* g10/options.h (opt): Add field assert_signer_list.
* g10/verify.c (is_fingerprint): New.
(check_assert_signer_list): New.
* g10/mainproc.c (check_sig_and_print): Call that function. Clear
assert_signer_true on a warning.
* g10/gpgv.c: Add dummy function and vars.
* g10/t-keydb-get-keyblock.c: Ditto.
* g10/t-keydb.c: Ditto.
* g10/t-stutter.c: Ditto.
--
|
|
* common/homedir.c (gnupg_maybe_make_homedir): Also create a
common.conf.
* g10/keydb.c: Include comopt.h.
(maybe_create_keyring_or_box): Detect the creation of a common.conf.
* g10/gpg.c (main): Avoid adding more resources in this case.
* sm/keydb.c: Include comopt.h.
(maybe_create_keybox): Detect the creation of a common.conf.
* common/comopt.h (comopt): Remove the conditional "extern".
|
|
* agent/trustlist.c (struct trustitem_s): Add field de_vs.
(read_one_trustfile): Parse it.
(istrusted_internal): Emit TRUSTLISTFLAG status line.
* sm/gpgsm.h (struct rootca_flags_s): Add field de_vs.
* sm/call-agent.c (istrusted_status_cb): Detect the flags.
* sm/sign.c (write_detached_signature): Remove unused vars.
--
Right now this flag has no effect; we first need to specify the exact
behaviour.
GnuPG-bug-id: 5079
|
|
* sm/sign.c (add_signed_attribute): Return an error because the option
--attribute is not yet working.
--
We require libskba 1.6 anyway.
|
|
* g10/gpg.c (enum cmd_and_opt_values): Add aQuickAddADSK.
(opts): Add --quick-add-adsk.
(main): Call the actual function.
* g10/keyedit.c (keyedit_quick_addadsk): New.
(menu_addadsk): Add arg adskfpr and change caller.
--
GnuPG-bug-id: 6395
|
|
* sm/gpgsm.c (oNoPrettyDN): New.
(opts): Add --no-pretty-dn.
(main): Implement.
* sm/gpgsm.h (opt): Add no_pretty_dn.
* sm/certdump.c (gpgsm_es_print_name): Act upon.
|
|
* tools/gpgtar.h (struct tarinfo_s): Add new fields.
* tools/gpgtar-extract.c (check_suspicious_name): Add arg info.
(extract_regular): Count files.
(gpgtar_extract): Print stats.
|
|
* agent/agent.h (opt): Remove enable_extended_key_format.
* agent/gpg-agent.c (enum cmd_and_opt_values): Turn
oDisableExtendedKeyFormat and oEnableExtendedKeyFormat into dummy
options.
* agent/protect.c (do_encryption): Remove arg use_ocb and
corresponding code.
(agent_protect): Ditto. Change all callers.
* agent/findkey.c (agent_write_private_key): Simplify due to the
removal of disable-extended-key-format.
(write_extended_private_key): Fold into agent_write_private_key.
--
This change is related to
GnuPG-bug-id: 6386
but should have no visible effect except for the removal of
option --disable-extended-key-format.
|
|
* g10/gpg.c (oLogTime): New.
(opts): Add "log-time".
(opt_log_time): New var.
(main): Implement.
* sm/gpgsm.c (oLogTime): New.
(opts): Add "log-time".
(opt_log_time): New var.
(main): Implement.
|
|
* common/ksba-io-support.c: Include tlv.h
(struct reader_cb_parm_s): Add new fields.
(starts_with_sequence): New.
(simple_reader_cb): Handle stripping.
* common/ksba-io-support.h (GNUPG_KSBA_IO_STRIP): New.
(gnupg_ksba_create_reader): Handle the new flag.
* sm/verify.c (gpgsm_verify): Use the new flag for detached
signatures.
--
Note that this works only if --assume-binary is given. The use case
for the feature is PDF signature checking where the PDF specs require
that the detached signature is padded with zeroes.
|
|
--
|
|
* g10/free-packet.c (copy_public_key): Factor some code out to ...
(copy_public_key_basics): new.
* g10/build-packet.c (build_sig_subpkt_from_sig): New arg signhints.
* g10/packet.h (PUBKEY_USAGE_RENC): Fix value.
(SIGNHINT_KEYSIG, SIGNHINT_SELFSIG): Moved from sign.c.
(SIGNHINT_ADSK): New.
(PKT_public_key): Change pubkey_usage from byte to u16.
(PKT_user_id): Cosmetic fix: change help_key_usage from int to u16.
* g10/getkey.c (parse_key_usage): Make public.
* g10/misc.c (openpgp_pk_algo_usage): Take PUBKEY_USAGE_RENC in
account.
* g10/sign.c (update_keysig_packet): Set SIGNHINT_ADSK.
(make_keysig_packet): Ditto.
(do_sign): No time warp check in ADSK mode.
* g10/sig-check.c (check_signature_metadata_validity): Ditto.
* g10/keygen.c (struct opaque_data_usage_and_pk): Remove.
(write_keybinding): Do not use the removed struct.
(do_add_key_flags): Support PUBKEY_USAGE_RENC and others.
(keygen_add_key_flags_and_expire): Rewrite and make public.
* g10/keyedit.c (enum cmdids): Add cmdADDADSK.
(keyedit_menu): Add command "addadsk".
(menu_addadsk): New.
--
This makes use of a new encryption flag:
The "restricted encryption key" (2nd,0x04) does not take part in any
automatic selection of encryption keys. It is only found on a
subkey signature (type 0x18), one that refers to the key the flag
applies to.
Followup patches will add encryption support and a --quick command.
GnuPG-bug-id: 6395
|
|
* g10/gpg.c (oAddDesigRevoker): New.
(opts): Add new option.
* g10/options.h (opt): Add field desig_revokers.
* g10/keygen.c (get_parameter_idx): New.
(get_parameter): Make use of get_parameter_idx.
(prepare_desig_revoker): New.
(get_parameter_revkey): Add arg idx.
(proc_parameter_file): Add designated revokers.
(do_generate_keypair): Write all designated revokers.
|
|
--
|
|
* g10/options.h (LIST_SHOW_UNUSABLE_SIGS): New.
* g10/gpg.c (parse_list_options): Add "show-unusable-sigs".
* g10/keydb.h (keyid_eq): New.
(pk_is_primary): New.
* g10/keylist.c (list_signature_print): Early return for weak key
signatures. Print "self-signature" instead of user-id.
(list_keyblock_print): Simplify and always set self-sig node flag.
--
This patch avoid the printing of often hundreds of "Invalid digest
algorithm" notices during key signature listings if those key
signatures were done with SHA1. The new option can be used to revert
the behaviour.
We now also print "[self-signature]" with --check-sigs or --list-sigs
instead of the primary user id. This makes such listing easier to read.
|
|
* tools/gpgtar.h (opt): Add field status_stream.
* tools/gpgtar.c (main): Set status_stream.
* tools/gpgtar-create.c (global_header_count): Rename to
global_total_files.
(global_written_files): New.
(global_total_data, global_written_data): New.
(struct scanctrl_s): Add field file_count.
(write_progress): New.
(write_file): Add arg skipped_open. Don't bail out immediatly on open
error. Write progress lines.
(gpgtar_create): Write progress lines. Print info aout skipped files.
--
GnuPG-bug-id: 6363
|
|
* tools/gpgtar.c (main): Revamp switch and fix usage test for aDecrypt
and aList.
--
GnuPG-bug-id: 6355
|
|
--
The profiles are not any longer useful because global options are way
more powerful (/etc/gnupg/gpg.conf et al.). The use of systemd is
deprecated because of additional complexity and the race between
systemd based autolaunching and the explicit gnupg based and lockfile
protected autolaunching.
GnuPG-bug-id: 6336
|
|
* common/compliance.c (gnupg_pk_is_allowed): Handle EdDSA.
* g10/gpg.c (oOverrideComplianceCheck): Remove.
(opts): Turn --override-compliance-check into a dummy option.
* g10/options.h (opt): Remove override_compliance_check.
* g10/sig-check.c (check_key_verify_compliance): Remove use of that
option.
--
The introduction of --override-compliance-check actually hid the real
cause for the signature verification problem in de-vs mode for the
Ed25519 key. The real fix is to handle the EdDSA algorithm in
gnupg_pk_is_allowed.
Fixes-commit: fb26e144adfd93051501d58f5d0d4f8826ddf436
GnuPG-bug-id: 5655
|
|
--
Note that we now print Copyright g10 Code instead of FSF.
|
|
* tools/wks-util.c (write_to_file): Rename to ...
(wks_write_to_file): this, make global, and support NULL for fname.
* tools/gpg-wks-client.c (command_check): Write to key.
|
|
--
Note that --unwrap is an option and not a command. Thus it modifies
the behaviour of the default operation or of -d.
|
|
* common/iobuf.c (file_filter_ctx_t): Add fields for the peek feature.
(file_filter): Implement peeking.
(iobuf_ioctl): Add new IOBUF_IOCTL_PEEK.
* common/iobuf.h (IOBUF_IOCTL_PEEK, IOBUFCTRL_PEEK): New.
* common/miscellaneous.c (is_file_compressed): Rewrite. Detect PDF.
* g10/encrypt.c (encrypt_simple): Peek before detecting compression.
(encrypt_crypt): Ditto.
* g10/sign.c (sign_file): Also detect already compressed data.
* g10/options.h (opt): Add explicit_compress_option.
* g10/gpg.c (main): Set opt.explicit_compress_option for -z.
--
Note that this patch also introduces a compression check for signing
which was never done in the past.
GnuPG-bug-id: 6332
|
|
--
Unfortunately the a reflow took place.
|
|
|
|
--
Reported-by: Andreas Metzler
GnuPG-bug-id: 6309
|
|
* sm/call-dirmngr.c (gpgsm_dirmngr_isvalid): Do not use
option --force-default-responder.
* sm/certchain.c (is_cert_still_valid): Rename arg for clarity.
(gpgsm_validate_chain): Always switch to chain model.
--
The trustlist.txt may indicate that a root CA issues certificates
which shall be validated using the chain model. This is for example
the case for qualified signatures. Before this change we did this
only if the default shell model indicated that a certificate has
expired. This optimization is technically okay but has one problem:
The chain model requires the use of OCSP but we switch to this only
when running the chain model validation. To catch revoked
certificates using OCSP we need to always switch to the chain model
unless OCSP has been enabled anyway.
Note that the old --force-default-responder option is not anymore
used.
Test cases are certificates issued by
# CN=TeleSec qualified Root CA 1
# O=Deutsche Telekom AG
# C=DE
# 2.5.4.97=USt-IdNr. DE 123475223
90:C6:13:6C:7D:EF:EF:E9:7C:C7:64:F9:D2:67:8E:AD:03:E5:52:96 \
S cm qual relax
A sample revoked certificate is
-----BEGIN CERTIFICATE-----
MIIDTzCCAvSgAwIBAgIQIXfquQjq32B03CdaflIbiDAMBggqhkjOPQQDAgUAMHEx
CzAJBgNVBAYTAkRFMRwwGgYDVQQKDBNEZXV0c2NoZSBUZWxla29tIEFHMSMwIQYD
VQQDDBpUZWxlU2VjIFBLUyBlSURBUyBRRVMgQ0EgMTEfMB0GA1UEYQwWVVN0LUlk
TnIuIERFIDEyMzQ3NTIyMzAeFw0yMDA2MjIxMDQ1NDJaFw0yMzA2MjUyMzU5MDBa
MDAxCzAJBgNVBAYTAkRFMRUwEwYDVQQDDAxLb2NoLCBXZXJuZXIxCjAIBgNVBAUT
ATMwWjAUBgcqhkjOPQIBBgkrJAMDAggBAQcDQgAEbkEXUuXTriWOwqQhjlh11oCc
6Z8lQdQDz3zY/OEh8fMJS7AKBNo8zkpPKDJ2olPph18b1goEbLiqHQsPRPahDaOC
AaowggGmMB8GA1UdIwQYMBaAFP/0iep1rMXT0iQ0+WUqBvLM6bqBMB0GA1UdDgQW
BBQEI3xsIUDnoOx+gLYbG63v5/f9kjAOBgNVHQ8BAf8EBAMCBkAwDAYDVR0TAQH/
BAIwADAgBgNVHREEGTAXgRV3ZXJuZXIua29jaEBnbnVwZy5jb20wPQYDVR0gBDYw
NDAyBgcEAIvsQAECMCcwJQYIKwYBBQUHAgEWGWh0dHA6Ly9wa3MudGVsZXNlYy5k
ZS9jcHMwgYQGCCsGAQUFBwEBBHgwdjBLBggrBgEFBQcwAoY/aHR0cDovL3RxcmNh
MS5wa2kudGVsZXNlYy5kZS9jcnQvVGVsZVNlY19QS1NfZUlEQVNfUUVTX0NBXzEu
Y3J0MCcGCCsGAQUFBzABhhtodHRwOi8vcGtzLnRlbGVzZWMuZGUvb2NzcHIwXgYI
KwYBBQUHAQMEUjBQMAgGBgQAjkYBATAIBgYEAI5GAQQwOgYGBACORgEFMDAwLhYo
aHR0cHM6Ly93d3cudGVsZXNlYy5kZS9zaWduYXR1cmthcnRlL2FnYhMCZW4wDAYI
KoZIzj0EAwIFAANHADBEAiAqgB8gyZyj05CRdHD5KJcpG68DzQECYnYP6ZPasUYK
AQIgI1GtRMJWvFTIKsZpgY+ty0pRb5/K09fbmvaSAKFpv/I=
-----END CERTIFICATE-----
|
|
* agent/command.c (cmd_export_key): Add option --mode1003.
(command_has_option): Ditto.
* g10/build-packet.c (do_key): Implement mode 1003.
* g10/parse-packet.c (parse_key): Ditto.
* g10/options.h (EXPORT_MODE1003): New.o
* g10/call-agent.c (agent_export_key): Add arg mode1003.
* g10/export.c (parse_export_options): Add "mode1003"
(secret_key_to_mode1003): New.
(receive_seckey_from_agent): Add arg mode1003.
(do_export_one_keyblock): Pass option down.
--
This option allows to export a secret key in GnuPG's native format.
Thus no re-encryption is required and further the public key parameters
are also authenticated if a protection passphrase has been used.
Note that --import is not yet able to handle this new mode. Although
old version of GnuPG will bail out with "invalid packet" if a mode1003
exported secret key is seen.
|
|
--
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* tools/gpg-wks.h (opt): Add add_revocs.
* tools/wks-util.c (wks_get_key): Add arg 'binary'.
(wks_armor_key): New.
(wks_find_add_revocs): New.
(wks_cmd_install_key): Get key in binary mode and add revocations if
enabled.
* tools/gpg-wks-client.c (oAddRevocs): New.
(opts): Add --add-revocs.
(parse_arguments): Set option,
(command_send): Get key in binary mode, add revocations if enabled,
and explictly armor key. Remove kludge to skip the Content-type line
in no_encrypt mode.
(mirror_one_keys_userid): Always filter the key to get rid of the
armor as received from dirmngr. Add revocations from the local
keyring.
--
Note that this also fixes an oddity of the new mirror command which
used to store the keys armored as received from dirmngr.
|
|
* g10/options.h (EXPORT_REVOCS): New.
* g10/export.c (export_select_filter): New.
(struct export_filter_attic_s): Add field.
(cleanup_export_globals): Cleanup.
(parse_export_options): Add option "export-revocs".
(parse_and_set_export_filter): Parse the select type.
(do_export_revocs): New.
(do_export_stream): Add a way to select things for export.
|
|
* g10/gpg.c (oListFilter): New.
(opts): Add --list-filter.
(main): Parse oListFilter.
* g10/keylist.c: Include init.h and recsel.h.
(struct list_filter_s, list_filter): New.
(release_list_filter): New.
(cleanup_keylist_globals): New.
(parse_and_set_list_filter): New.
(list_keyblock): Implement --list-filter type "select".
* g10/import.c (impex_filter_getval): Add scope support and new
property names "key-size", "algostr", "origin", "lastupd", and "url".
--
This option is pretty useful to select keys based on their properties.
The scope thing can be sued to limit a selection to just the primary
key or to subkeys. For example:
gpg -k --list-filter 'select=revoked-f && sub/algostr=ed25519'
Lists all non-revoked keys with an ed25519 (signing)-subkey.
|
|
* dirmngr/ocsp.c (check_signature_core): No debug output
--
Also typo and doc fixes.
|
|
* agent/trustlist.c (agent_marktrusted): Use gnupg_access.
|
|
* g10/gpg.c (aQuickUpdatePref): New.
(opts): Add --quick-update-pref.
(main): Implement.
* g10/keyedit.c (keyedit_quick_update_pref): New.
(menu_set_preferences): Add arg 'unattended' and adjust caller.
--
This new quick command is in particular useful to update existing keys
so that they can be used with OCB mode.
|
|
* g10/gpg.c (opts): New option--force-ocb as alias for force-aead.
Turn --aead-algo and --personal-aead-preferences into dummy options.
(build_list_md_test_algo, build_list_aead_algo_name): Remove.
(my_strusage): Remove output of AEAD algos.
(main): Remove code from the --aead options.
* g10/encrypt.c (encrypt_seskey): Make file local.
(use_aead): Remove requirement for rfc4880bis. Always return
AEAD_ALGO_OCB.
* g10/main.h (DEFAULT_AEAD_ALGO): Removed unused macro.
* g10/misc.c (default_aead_algo): Remove.
* g10/pkclist.c (select_aead_from_pklist): Return AEAD_ALGO_OCB or 0.
(select_algo_from_prefs): Remove personal AEAD algo setting.
* g10/keygen.c (keygen_set_std_prefs): Remove AEAD preference option
parsing.
* g10/options.h (opt): Remove def_aead_algo and personal_aead_prefs.
--
Due to the meanwhile expired patent on OCB there is no more reason for
using EAX. Thus we forcefully use OCB if the AEAD feature flag is set
on a key.
|
