From f8075257afad4c7a41cd4409e334670a0097b5b8 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Tue, 8 Mar 2022 19:06:30 +0100
Subject: gpgsm: New option --require-compliance

* sm/gpgsm.c (oRequireCompliance): New.
(opts): Add --require-compliance.
(main): Set option.
* sm/gpgsm.h (opt): Add field require_compliance.
(gpgsm_errors_seen): Declare.
* sm/verify.c (gpgsm_verify): Emit error if non de-vs compliant.
* sm/encrypt.c (gpgsm_encrypt): Ditto.
* sm/decrypt.c (gpgsm_decrypt): Ditto.
--
---
 sm/verify.c | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'sm/verify.c')

diff --git a/sm/verify.c b/sm/verify.c
index fe111c32a..c9a435895 100644
--- a/sm/verify.c
+++ b/sm/verify.c
@@ -520,6 +520,13 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
           && gnupg_digest_is_compliant (CO_DE_VS, sigval_hash_algo))
         gpgsm_status (ctrl, STATUS_VERIFICATION_COMPLIANCE_MODE,
                       gnupg_status_compliance_flag (CO_DE_VS));
+      else if (opt.require_compliance
+               && opt.compliance == CO_DE_VS)
+        {
+          log_error (_("operation forced to fail due to"
+                       " unfulfilled compliance rules\n"));
+          gpgsm_errors_seen = 1;
+        }
 
 
       /* Now we can check the signature.  */
-- 
cgit v1.2.3