From 15a71f108d9eb25b2cfd8c190b9514c1a21e1c48 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Wed, 28 May 2025 10:39:17 +0200
Subject: gpg: Allow updating a SHA-1 key certification w/o --force-sign-key.

* g10/keyedit.c (sign_uids): Add a case for this.
--
GnuPG-bug-id: 7663
---
 NEWS          |  3 +++
 g10/keyedit.c | 11 ++++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index e562f5fc5..f5d2a7969 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,9 @@
 Noteworthy changes in version 2.5.7 (unreleased)
 ------------------------------------------------
 
+ * gpg: Allow updating a SHA-1 key certification w/o using
+   the --force-sign-key option. [T7663]
+
 Noteworthy changes in version 2.5.6 (2025-05-08)
 ------------------------------------------------
 
diff --git a/g10/keyedit.c b/g10/keyedit.c
index 1f3f8f3b3..eebeecfcd 100644
--- a/g10/keyedit.c
+++ b/g10/keyedit.c
@@ -855,7 +855,16 @@ sign_uids (ctrl_t ctrl, estream_t fp,
                            _("\"%s\" was already signed by key %s\n"),
                            user, keystr_from_pk (pk));
 
-              if (opt.flags.force_sign_key
+              if (node->pkt->pkt.signature->digest_algo
+                  == DIGEST_ALGO_SHA1
+                  && !opt.flags.allow_weak_key_signatures)
+                {
+                  /* Allow updating a signature to a stronger
+                   * digest algorithm without an extra option. */
+                  xfree (user);
+                  continue;
+                }
+              else if (opt.flags.force_sign_key
                   || (opt.expert && !(flags & SIGN_UIDS_QUICK)
                       && cpr_get_answer_is_yes ("sign_uid.dupe_okay",
                                                 _("Do you want to sign it "
-- 
cgit v1.2.3
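Review bot: The new branch in the keyedit.c hunk decides to re-sign from the existing signature's digest alone, so the comment's claim that the update is "to a stronger digest algorithm" rests on `!opt.flags.allow_weak_key_signatures` making the fresh certification use something other than SHA-1 somewhere else in sign_uids; that dependency is worth stating in the comment, e.g. `/* The old certification uses SHA-1 and weak key signatures are disabled, so the new one cannot be SHA-1: let it supersede the old one without --force-sign-key. */`. The user only sees "was already signed by key" and the tool then proceeds silently; a short `tty_fprintf (fp, ...)` line saying the SHA-1 certification is being refreshed would make the behaviour visible and auditable. Whether the old SHA-1 signature is later removed or merely left beside the new one, and how a second pre-existing non-SHA-1 signature by the same key on the same user ID interacts with this branch, depends on code outside the hunk and should be checked there. sign_uids begins and continues outside the hunk.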