* sig-check.c (signature_check2): Print the backsig warning when there

is no backsig present.  Give a URL for more information.

* keyedit.c (menu_backsign): Small tweak to work properly with keys
originally generated with older GnuPGs that included comments in the
secret keys.

1 files changed, 8 insertions, 6 deletions

diff --git a/g10/sig-check.c b/g10/sig-check.c
index a444bbfe7..f09711e12 100644
--- a/g10/sig-check.c
+++ b/g10/sig-check.c
@@ -96,15 +96,17 @@ signature_check2( PKT_signature *sig, MD_HANDLE digest, u32 *r_expiredate,
 	   signaures issued by it. */
 	if(rc==0 && !pk->is_primary && pk->backsig<2)
 	  {
-	    /* TODO: In a future version, once enough signing subkeys
-	       have backsigs, change this to always give the warning,
-	       and have --require-backsigs enable or disable the
-	       G10ERR_GENERAL. */
-	    if(pk->backsig==0 && opt.flags.require_cross_cert)
+	    if(pk->backsig==0)
 	      {
 		log_info(_("WARNING: signing subkey %s is not"
 			   " cross-certified\n"),keystr_from_pk(pk));
-		rc=G10ERR_GENERAL;
+		log_info(_("please see %s for more information\n"),
+			 "http://www.gnupg.org/subkey-cross-certify.html");
+		/* --require-cross-certification makes this warning an
+                     error.  TODO: change the default to require this
+                     after more keys have backsigs. */
+		if(opt.flags.require_cross_cert)
+		  rc=G10ERR_GENERAL;
 	      }
 	    else if(pk->backsig==1)
 	      {