From 6502bb0d2af5784918ebb74242fff6f0a72844bf Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Thu, 27 Jul 2017 16:22:36 +0200
Subject: gpg: Tweak compliance checking for verification

* common/compliance.c (gnupg_pk_is_allowed): Rework to always allow
verification.
* g10/mainproc.c (check_sig_and_print): Print a con-compliant warning.
* g10/sig-check.c (check_signature2): Use log_error instead of
log_info.
--

We should be able to verify all signatures.  So we only print a
warning.  That is the same beheavour as for untrusted keys etc.

GnuPG-bug-id: 3311
Signed-off-by: Werner Koch <wk@gnupg.org>
---
 g10/mainproc.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'g10/mainproc.c')

diff --git a/g10/mainproc.c b/g10/mainproc.c
index d0584d39a..b712e6048 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -2168,6 +2168,16 @@ check_sig_and_print (CTX c, kbnode_t node)
                                mainpkhex);
 	}
 
+      /* Print compliance warning for Good signatures.  */
+      if (!rc && pk && !opt.quiet
+          && !gnupg_pk_is_compliant (opt.compliance, pk->pubkey_algo,
+                                     pk->pkey, nbits_from_pk (pk), NULL))
+        {
+          log_info (_("WARNING: This key is not suitable for signing"
+                      " in %s mode\n"),
+                    gnupg_compliance_option_string (opt.compliance));
+        }
+
       /* For good signatures compute and print the trust information.
          Note that in the Tofu trust model this may ask the user on
          how to resolve a conflict.  */
-- 
cgit v1.2.3