authorDavid Shaw <[email protected]>2004-01-19 22:46:55 +0000
committerDavid Shaw <[email protected]>2004-01-19 22:46:55 +0000
commit9915f6ed78296b9532eb1128a52d802b69869200 (patch)
treefc3fc1d5f25a7c0da695e275cb9e166bde726684
parent* misc.c (print_cipher_algo_note): May as well call Rijndael AES (diff)
* sig-check.c (check_key_signature2): Comments.
* keyring.c (keyring_rebuild_cache): Clear sig cache for any signatures that we can no longer process (say, if the user removed support for a necessary pubkey or digest algorithm).
Diffstat (limited to '')
-rw-r--r--g10/ChangeLog8
-rw-r--r--g10/keyring.c26
-rw-r--r--g10/sig-check.c5
3 files changed, 29 insertions, 10 deletions
diff --git a/g10/ChangeLog b/g10/ChangeLog
index 8b42d8ab0..f6a5c0779 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,3 +1,11 @@
+2004-01-19 David Shaw <[email protected]>
+
+ * sig-check.c (check_key_signature2): Comments.
+
+ * keyring.c (keyring_rebuild_cache): Clear sig cache for any
+ signatures that we can no longer process (say, if the user removed
+ support for a necessary pubkey or digest algorithm).
+
2004-01-16 David Shaw <[email protected]>
* misc.c (print_cipher_algo_note): May as well call Rijndael AES
diff --git a/g10/keyring.c b/g10/keyring.c
index 8004e3752..bf879df32 100644
--- a/g10/keyring.c
+++ b/g10/keyring.c
@@ -1,5 +1,5 @@
/* keyring.c - keyring file handling
- * Copyright (C) 2001 Free Software Foundation, Inc.
+ * Copyright (C) 2001, 2004 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
@@ -1375,16 +1375,24 @@ keyring_rebuild_cache (void *token)
/* check all signature to set the signature's cache flags */
for (node=keyblock; node; node=node->next)
{
+ /* Note that this doesn't cache the result of a revocation
+ issued by a designated revoker. This is because the pk
+ in question does not carry the revkeys as we haven't
+ merged the key and selfsigs. It is questionable whether
+ this matters very much since there are very very few
+ designated revoker revocation packets out there. */
+
if (node->pkt->pkttype == PKT_SIGNATURE)
{
- /* Note that this doesn't cache the result of a
- revocation issued by a designated revoker. This is
- because the pk in question does not carry the revkeys
- as we haven't merged the key and selfsigs. It is
- questionable whether this matters very much since
- there are very very few designated revoker revocation
- packets out there. */
- check_key_signature (keyblock, node, NULL);
+ PKT_signature *sig=node->pkt->pkt.signature;
+
+ if(!opt.no_sig_cache && sig->flags.checked && sig->flags.valid
+ && (check_digest_algo(sig->digest_algo)
+ || check_pubkey_algo(sig->pubkey_algo)))
+ sig->flags.checked=sig->flags.valid=0;
+ else
+ check_key_signature (keyblock, node, NULL);
+
sigcount++;
}
}
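Review bot: The new cache-clearing branch in the loop has no comment, and the designated-revoker note that used to sit on the `check_key_signature` call now floats above the `PKT_SIGNATURE` test, so it is no longer clear which statement either remark describes. I would keep that note beside the `else` call and put above the new `if` something like `/* A nonzero check_*_algo result means we can no longer verify this sig: drop the cached "valid" verdict instead of carrying it forward. */`. The comment should also say that only cached `valid` results are reset and that the branch is skipped when `opt.no_sig_cache` is set, where the signature is simply re-checked; whether that re-check clears stale flags is not visible here. Braces around the `if`/`else` arms would make the multi-line condition safer to edit later. keyring_rebuild_cache starts and ends outside the hunk.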
diff --git a/g10/sig-check.c b/g10/sig-check.c
index 4aeaaee38..606035d29 100644
--- a/g10/sig-check.c
+++ b/g10/sig-check.c
@@ -428,7 +428,10 @@ check_key_signature2( KBNODE root, KBNODE node, PKT_public_key *check_pk,
sig = node->pkt->pkt.signature;
algo = sig->digest_algo;
- /* check whether we have cached the result of a previous signature check.*/
+ /* Check whether we have cached the result of a previous signature
+ check. Note that we may no longer have the pubkey or hash
+ needed to verify a sig, but can still use the cached value. A
+ cache refresh detects and clears these cases. */
if ( !opt.no_sig_cache ) {
if (sig->flags.checked) { /*cached status available*/
if( is_selfsig ) {
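Review bot: The reworded comment says a cached verdict is used even when the pubkey or hash algorithm needed to verify the signature is gone, so a stored "valid" stays trusted until a cache refresh runs; nothing in the visible lines tests algorithm availability before `sig->flags.checked` is consulted. If an algorithm was removed because it is no longer considered safe, that window matters, so the comment should name what performs the refresh (in this commit, `keyring_rebuild_cache`) and state whether it runs automatically, which is not shown here. A stricter alternative would be to gate the cached path, for example `if (sig->flags.checked && !check_digest_algo(algo) && !check_pubkey_algo(sig->pubkey_algo)) {`, assuming those helpers are usable in this file and cheap enough for this path. check_key_signature2 begins and ends outside the hunk.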