| author | Werner Koch <[email protected]> | 2021-10-13 15:25:28 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2021-10-13 15:25:28 +0000 |
| commit | fb26e144adfd93051501d58f5d0d4f8826ddf436 (patch) | |
| tree | a6e220130df72e7dbe0bda45aa384f8475cd815e /g10/options.h | |
| parent | Post release updates (diff) | |
| download | gnupg-fb26e144adfd93051501d58f5d0d4f8826ddf436.tar.gz gnupg-fb26e144adfd93051501d58f5d0d4f8826ddf436.zip | |
gpg: New option --override-compliance-check
* g10/gpg.c (oOverrideComplianceCheck): New.
(opts): Add new option.
(main): Set option and add check for batch mode.
* g10/options.h (opt): Add flags.override_compliance_check.
* g10/sig-check.c (check_signature2): Factor compliance checking out
to ...
(check_key_verify_compliance): this. Turn error into a warning in
override mode.
--
There is one important use case for this: For systems configured
globally to use de-vs mode, Ed25519 and other key types are not
allowed because they are not listed in the BSI algorithm catalog.
Now, our release signing keys happen to be Ed25519 and thus we need to
offer a way for users to check new versions even if the system is in
de-vs mode. This does on purpose not work in --batch mode so that
scripted solutions won't accidentally pass a signature check.
GnuPG-bug-id: 5655
Diffstat (limited to 'g10/options.h')
| -rw-r--r-- | g10/options.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/g10/options.h b/g10/options.h index 761d95830..2ad86ae42 100644 --- a/g10/options.h +++ b/g10/options.h @@ -245,6 +245,7 @@ struct unsigned int allow_old_cipher_algos:1; unsigned int allow_weak_digest_algos:1; unsigned int allow_weak_key_signatures:1; + unsigned int override_compliance_check:1; unsigned int large_rsa:1; unsigned int disable_signer_uid:1; unsigned int include_key_block:1; |
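Review bot: the new `override_compliance_check:1` bitfield in `struct opt` carries no comment, although the commit message describes two properties a reader of options.h will not otherwise see: that setting it downgrades the compliance failure in `check_key_verify_compliance` from an error to a warning, and that it is refused in --batch mode. Consider a one-line comment on the field, e.g. `/* Only a warning on compliance failure; rejected in batch mode. */`, so that future code consulting `opt.flags.override_compliance_check` does not assume it fully disables the de-vs check. Placement between `allow_weak_key_signatures` and `large_rsa` otherwise matches the surrounding flags.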
