From 1530d04725d475bf29328eab40b42f72ff8aa06b Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Tue, 14 Jun 2022 14:25:21 +0200 Subject: agent: New option --no-user-trustlist and --sys-trustlist-name. * agent/gpg-agent.c (oNoUserTrustlist,oSysTrustlistName): New. (opts): Add new option names. (parse_rereadable_options): Parse options. (finalize_rereadable_options): Reset allow-mark-trusted for the new option. * agent/agent.h (opt): Add fields no_user_trustlist and sys_trustlist_name. * agent/trustlist.c (make_sys_trustlist_name): New. (read_one_trustfile): Use here. (read_trustfiles): Use here. Implement --no-user-trustlist. -- With the global options we can now avoid that a user changes the Root-CA trust by editing the trustlist.txt. However, to implement this we need a new option so that we don't need to rely on some magic like --no-allow-mark-trusted has been put into a force section. The second option makes system administration easier as it allows to keep the trustlist in a non-distributed file. GnuPG-bug-id: 5990 --- agent/agent.h | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'agent/agent.h') diff --git a/agent/agent.h b/agent/agent.h index 9eccdeacf..d33b8cd34 100644 --- a/agent/agent.h +++ b/agent/agent.h @@ -157,6 +157,13 @@ struct interactively mark certificate in trustlist.txt as trusted. */ int allow_mark_trusted; + /* Only use the system trustlist. */ + int no_user_trustlist; + + /* The standard system trustlist is SYSCONFDIR/trustlist.txt. This + * option can be used to change the name. */ + const char *sys_trustlist_name; + /* If this global option is true, the Assuan command PRESET_PASSPHRASE is allowed. */ int allow_preset_passphrase; -- cgit v1.2.3