From 4b3e9a44b58e74b3eb4a59f88ee017fe7483a17d Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Wed, 6 Oct 2021 10:31:41 +0200
Subject: dirmngr: New option --ignore-cert

* dirmngr/dirmngr.h (struct fingerprint_list_s): Add field binlen.
(opt): Add field ignored_certs.
* dirmngr/dirmngr.c: Add option --ignore-cert
(parse_rereadable_options): Handle that option.
(parse_ocsp_signer): Rename to ...
(parse_fingerprint_item): this and add two args.
* dirmngr/certcache.c (put_cert): Ignore all to be igored certs.
Change callers to handle the new error return.
--

This option is useful as a workaround in case we ill run into other
chain validation errors like what we fixed in
GnuPG-bug-id: 5639
---
 doc/dirmngr.texi | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

(limited to 'doc/dirmngr.texi')

diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
index 1638d7d84..bc6f0ba39 100644
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@@ -588,6 +588,25 @@ won't be rejected due to an unknown critical extension.  Use this
 option with care because extensions are usually flagged as critical
 for a reason.
 
+@item --ignore-cert @var{fpr}|@var{file}
+@opindex ignore-cert
+Entirely ignore certificates with the fingerprint @var{fpr}.  As an
+alternative to the fingerprint a filename can be given in which case
+all certificates described in that file are ignored.  Any argument
+which contains a slash, dot or tilde is considered a filename.  Usual
+filename expansion takes place: A tilde at the start followed by a
+slash is replaced by the content of @env{HOME}, no slash at start
+describes a relative filename which will be searched at the home
+directory.  To make sure that the @var{file} is searched in the home
+directory, either prepend the name with "./" or use a name which
+contains a dot.  The format of such a file is a list of SHA-1
+fingerprint, one per line with optional colons between the bytes.
+Empty lines and lines prefixed with a hash mark are ignored.
+
+This option is useful as a quick workaround to exclude certain
+certificates from the system store.
+
+
 @item --hkp-cacert @var{file}
 Use the root certificates in @var{file} for verification of the TLS
 certificates used with @code{hkps} (keyserver access over TLS).  If
-- 
cgit v1.2.3