From 33e571a74a7d6153ba65aeecc72539a10f1f0ae4 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Wed, 11 Sep 2024 14:24:58 +0200
Subject: gpgsm: New option --assert-signer

* sm/gpgsm.c (oAssertSigner, oNoop): New.
(opts): Add option --assert-signer.
(assert_signer_true): New var.
(main): Set new option.
(gpgsm_exit): Handle assert_signer_true.
* sm/gpgsm.h (opt): Add field assert_signer_list.
* sm/verify.c (is_x509_fingerprint): New.
(check_assert_signer_list): New.
(gpgsm_verify): Handle option.
--
GnuPG-bug-id: 7286
---
 doc/gpgsm.texi | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
(limited to 'doc')

diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi
index 1316318a6..2cb50539a 100644
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@@ -732,6 +732,21 @@ instead to make sure that the gpgsm process exits with a failure if the compliance rules are not fulfilled. Note that this option has currently an effect only in "de-vs" mode. +@item --assert-signer @var{fpr_or_file} +@opindex assert-signer +This option checks whether at least one valid signature on a file has +been made with the specified key. The key is either specified as a +fingerprint or a file listing fingerprints. The fingerprint must be +given or listed in compact format (no colons or spaces in between). +As of now only SHA-1 fingerprints are allowed. This option can be +given multiple times and each fingerprint is checked against the +signing key as well as the corresponding primary key. If +@var{fpr_or_file} specifies a file, empty lines are ignored as well as +all lines starting with a hash sign. With this option gpgsm is +guaranteed to return with an exit code of 0 if and only if a signature +has been encountered, is valid, and the key matches one of the +fingerprints given by this option. + @item --always-trust @opindex always-trust Force encryption to the specified certificates without any validation
-- cgit v1.2.3
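Review bot: the sentence "each fingerprint is checked against the signing key as well as the corresponding primary key" in the new @item needs to say what a "primary key" is for gpgsm: an X.509 certificate has no primary/subkey structure, so either name the certificate fingerprint(s) that are actually compared (the signing certificate alone, or also its issuer) or drop the clause if it was carried over from the gpg wording. Two smaller points on the same hunk: the "exit code of 0 if and only if" sentence should also state what gpgsm returns when the option is given but no verification takes place at all (the commit message says gpgsm_exit handles assert_signer_true, which suggests a forced non-zero exit in that case); and since the text only forbids colons and spaces in the compact format, it should say whether the hex digits are compared case-insensitively.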
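The matching rules the manual text above lays out (compact SHA-1 fingerprints, a list file with blank and hash-prefixed lines skipped, the option repeated, and an exit status of 0 only when a valid signature matched) are easier to reason about as a small model. The script below is an added example and is not GnuPG's own code: the function names, the "status:fpr,..." record format standing in for the signatures gpgsm verified, the case-insensitive hex comparison, the return code 2 for a malformed entry and the gpgsm_verify_asserting wrapper are all assumptions made here, not documented gpgsm behaviour.

```shell
#!/bin/sh
# Added example, not GnuPG's own code: a POSIX-sh model of the matching
# rules the gpgsm manual describes for --assert-signer, plus the gpgsm
# invocation it is meant for. Function names, the "status:fpr,..." record
# format standing in for verified signatures, case-insensitive hex
# comparison and the return code 2 for malformed input are assumptions
# made here, not documented gpgsm behaviour.

# Accept only the compact format the manual requires: exactly 40 hex
# digits (a SHA-1 fingerprint) with no colons or spaces.
is_compact_sha1_fpr() {
  case "$1" in
    ""|*[!0-9A-Fa-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# Expand one --assert-signer argument to fingerprints, one per line.
# A readable file is a fingerprint list; blank lines and lines starting
# with '#' are dropped, as documented. Anything else is one fingerprint.
expand_assert_signer_arg() {
  if [ -f "$1" ]; then
    grep -v -e '^[[:space:]]*$' -e '^#' "$1"
  else
    printf '%s\n' "$1"
  fi
}

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# Check the fingerprints a verified signature exposes ($1, space separated:
# the signing certificate's and, per the manual, the "corresponding primary
# key"'s) against every fingerprint named by the --assert-signer arguments
# ($2...). Returns 0 on a match, 1 on no match, 2 on a malformed entry.
assert_signer_matches() {
  signer_fprs=$1; shift
  for arg in "$@"; do
    expanded=$(expand_assert_signer_arg "$arg") || expanded=
    while IFS= read -r fpr; do
      [ -n "$fpr" ] || continue
      if ! is_compact_sha1_fpr "$fpr"; then
        echo "assert-signer: '$fpr' is not a compact SHA-1 fingerprint" >&2
        return 2
      fi
      for s in $signer_fprs; do
        [ "$(upper "$fpr")" = "$(upper "$s")" ] && return 0
      done
    done <<EOF
$expanded
EOF
  done
  return 1
}

# Model the exit code the manual promises: 0 if and only if at least one
# signature was encountered, is valid and matches. $1 is a constructed
# list of "status:fpr[,fpr]" records, one per signature gpgsm saw (status
# "valid" or "bad"); $2... are the --assert-signer arguments.
assert_signer_exit_status() {
  records=$1; shift
  for rec in $records; do
    [ "${rec%%:*}" = valid ] || continue
    rc=0
    assert_signer_matches "$(printf '%s' "${rec#*:}" | tr ',' ' ')" "$@" || rc=$?
    [ "$rc" -eq 1 ] || return "$rc"   # 0: matched; 2: malformed entry
  done
  return 1   # nothing found, nothing valid, or nothing matched
}

# The real command this models (not run by the demo below): with the
# option set, gpgsm exits 0 only when the check passes for the
# signatures on $1. $2... become one --assert-signer option each.
gpgsm_verify_asserting() {
  signed=$1; shift
  # The for list is expanded once, so rewriting "$@" inside is safe.
  for a in "$@"; do shift; set -- "$@" --assert-signer "$a"; done
  gpgsm "$@" --verify "$signed"
}

# Constructed sample data (not real certificates): an allow-list file and
# the fingerprints two hypothetical signatures expose.
ALLOWED_FPR=A1B2C3D4E5F60718293A4B5C6D7E8F9000112233
OTHER_FPR=FFEEDDCCBBAA99887766554433221100FFEEDDCC
write_sample_list() {
  printf '# signers allowed for releases\n\n%s\n' "$ALLOWED_FPR" > "$1"
}

list=$(mktemp) && write_sample_list "$list"
for sigs in "valid:$ALLOWED_FPR" "valid:$OTHER_FPR,$ALLOWED_FPR" \
            "valid:$OTHER_FPR" "bad:$ALLOWED_FPR" ""; do
  if assert_signer_exit_status "$sigs" "$list"; then rc=0; else rc=$?; fi
  echo "signatures='$sigs' -> gpgsm would exit $rc"
done
rm -f "$list"
```

The demo loop walks the cases the manual distinguishes: a matching valid signature, a match only through the second fingerprint a signature exposes, a valid signature from an unlisted key, a bad signature from a listed key, and no signature at all; only the first two end in status 0. A colon-separated fingerprint in the list is rejected rather than silently never matching, which is the failure mode a release pipeline would otherwise discover only when every verification starts failing.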