From 103acfe9ca6e314049671f5b5a760a620046788f Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Tue, 7 Feb 2023 14:25:58 +0100 Subject: [PATCH] gpg: New list-option --show-unusable-sigs. * g10/options.h (LIST_SHOW_UNUSABLE_SIGS): New. * g10/gpg.c (parse_list_options): Add "show-unusable-sigs". * g10/keydb.h (keyid_eq): New. (pk_is_primary): New. * g10/keylist.c (list_signature_print): Early return for weak key signatures. Print "self-signature" instead of user-id. (list_keyblock_print): Simplify and always set self-sig node flag. -- This patch avoid the printing of often hundreds of "Invalid digest algorithm" notices during key signature listings if those key signatures were done with SHA1. The new option can be used to revert the behaviour. We now also print "[self-signature]" with --check-sigs or --list-sigs instead of the primary user id. This makes such listing easier to read. --- NEWS | 8 +++++- doc/gpg.texi | 4 +++ g10/getkey.c | 2 +- g10/gpg.c | 2 ++ g10/keydb.h | 9 ++++++- g10/keylist.c | 73 ++++++++++++++++++++++++++++++--------------------- g10/options.h | 1 + 7 files changed, 66 insertions(+), 33 deletions(-) diff --git a/NEWS b/NEWS index d2bb1c65e..176f92740 100644 --- a/NEWS +++ b/NEWS @@ -1,10 +1,16 @@ Noteworthy changes in version 2.4.1 (unreleased) ------------------------------------------------ - * gpg: Make "--list-options show-sig-subpackets" work again. + * gpg: New list-option "show-unusable-sigs". + + * gpg: Show "[self-signature]" instead of the user-id in key + signature listings. + + * gpg: Make list-options "show-sig-subpackets" work again. Fixes regression in 2.4.0. + Noteworthy changes in version 2.4.0 (2022-12-16) ------------------------------------------------ diff --git a/doc/gpg.texi b/doc/gpg.texi index 47aa0a4d0..55b45e6bf 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -1405,6 +1405,10 @@ give the opposite meaning. The options are: @opindex list-options:show-unusable-subkeys Show revoked and expired subkeys in key listings. Defaults to no. + @item show-unusable-sigs + @opindex list-options:show-unusable-sigs + Show key signature made using weak or unsupported algorithms. + @item show-keyring @opindex list-options:show-keyring Display the keyring name at the head of key listings to show which diff --git a/g10/getkey.c b/g10/getkey.c index 6363fea9f..f0843d154 100644 --- a/g10/getkey.c +++ b/g10/getkey.c @@ -3247,7 +3247,7 @@ buf_to_sig (const byte * buf, size_t len) * has_expired * expired_date * - * On this subkey's most revent valid self-signed packet, the + * On this subkey's most recent valid self-signed packet, the * following field is set: * * flags.chosen_selfsig diff --git a/g10/gpg.c b/g10/gpg.c index b9a81510f..c490ff72b 100644 --- a/g10/gpg.c +++ b/g10/gpg.c @@ -2071,6 +2071,8 @@ parse_list_options(char *str) N_("show revoked and expired user IDs in key listings")}, {"show-unusable-subkeys",LIST_SHOW_UNUSABLE_SUBKEYS,NULL, N_("show revoked and expired subkeys in key listings")}, + {"show-unusable-sigs",LIST_SHOW_UNUSABLE_SIGS,NULL, + N_("show signatures with invalid algorithms during signature listings")}, {"show-keyring",LIST_SHOW_KEYRING,NULL, N_("show the keyring name in key listings")}, {"show-sig-expire",LIST_SHOW_SIG_EXPIRE,NULL, diff --git a/g10/keydb.h b/g10/keydb.h index 771bc8e16..28b61d4a1 100644 --- a/g10/keydb.h +++ b/g10/keydb.h @@ -511,11 +511,18 @@ keyid_cmp (const u32 *a, const u32 *b) return 0; } +/* Return true if both keyids are equal. */ +static int GPGRT_ATTR_UNUSED +keyid_eq (const u32 *a, const u32 *b) +{ + return a[0] == b[0] && a[1] == b[1]; +} + /* Return whether PK is a primary key. */ static int GPGRT_ATTR_UNUSED pk_is_primary (PKT_public_key *pk) { - return keyid_cmp (pk_keyid (pk), pk_main_keyid (pk)) == 0; + return keyid_eq (pk_keyid (pk), pk_main_keyid (pk)); } /* Copy the keyid in SRC to DEST and return DEST. */ diff --git a/g10/keylist.c b/g10/keylist.c index 1ced732a4..8b7c597cb 100644 --- a/g10/keylist.c +++ b/g10/keylist.c @@ -1216,7 +1216,8 @@ cmp_signodes (const void *av, const void *bv) } -/* Helper for list_keyblock_print. */ +/* Helper for list_keyblock_print. The caller must have set + * NODFLG_MARK_B to indicate self-signatures. */ static void list_signature_print (ctrl_t ctrl, kbnode_t keyblock, kbnode_t node, struct keylist_context *listctx) @@ -1247,6 +1248,11 @@ list_signature_print (ctrl_t ctrl, kbnode_t keyblock, kbnode_t node, case GPG_ERR_UNUSABLE_PUBKEY: listctx->no_key++; return; + case GPG_ERR_DIGEST_ALGO: + case GPG_ERR_PUBKEY_ALGO: + if (!(opt.list_options & LIST_SHOW_UNUSABLE_SIGS)) + return; + /* fallthru. */ default: listctx->oth_err++; sigrc = '%'; @@ -1259,6 +1265,15 @@ list_signature_print (ctrl_t ctrl, kbnode_t keyblock, kbnode_t node, } else { + if (!(opt.list_options & LIST_SHOW_UNUSABLE_SIGS) + && (gpg_err_code (openpgp_pk_test_algo (sig->pubkey_algo) + == GPG_ERR_PUBKEY_ALGO) + || gpg_err_code (openpgp_md_test_algo (sig->digest_algo) + == GPG_ERR_DIGEST_ALGO) + || (sig->digest_algo == DIGEST_ALGO_SHA1 + && !(node->flag & NODFLG_MARK_B) /*no selfsig*/ + && !opt.flags.allow_weak_key_signatures))) + return; rc = 0; sigrc = ' '; } @@ -1306,7 +1321,9 @@ list_signature_print (ctrl_t ctrl, kbnode_t keyblock, kbnode_t node, es_fprintf (es_stdout, "[%s] ", gpg_strerror (rc)); else if (sigrc == '?') ; - else if (!opt.fast_list_mode) + else if ((node->flag & NODFLG_MARK_B)) + es_fputs (_("[self-signature]"), es_stdout); + else if (!opt.fast_list_mode ) { size_t n; char *p = get_user_id (ctrl, sig->keyid, &n, NULL); @@ -1585,37 +1602,33 @@ list_keyblock_print (ctrl_t ctrl, kbnode_t keyblock, int secret, int fpr, else if (opt.list_sigs && node->pkt->pkttype == PKT_SIGNATURE && !skip_sigs) { - if ((opt.list_options & LIST_SORT_SIGS)) + kbnode_t n; + unsigned int sigcount = 0; + kbnode_t *sigarray; + unsigned int idx; + + for (n=node; n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next) + sigcount++; + sigarray = xcalloc (sigcount, sizeof *sigarray); + + sigcount = 0; + for (n=node; n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next) { - kbnode_t n; - unsigned int sigcount = 0; - kbnode_t *sigarray; - unsigned int idx; + if (keyid_eq (mainkid, n->pkt->pkt.signature->keyid)) + n->flag |= NODFLG_MARK_B; /* Is a self-sig. */ + else + n->flag &= ~NODFLG_MARK_B; - for (n=node; n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next) - sigcount++; - sigarray = xcalloc (sigcount, sizeof *sigarray); - - sigcount = 0; - for (n=node; n && n->pkt->pkttype == PKT_SIGNATURE; n = n->next) - { - if (!keyid_cmp (mainkid, n->pkt->pkt.signature->keyid)) - n->flag |= NODFLG_MARK_B; /* Is a self-sig. */ - else - n->flag &= ~NODFLG_MARK_B; - - sigarray[sigcount++] = node = n; - } - /* Note that NODE is now at the last signature. */ - - qsort (sigarray, sigcount, sizeof *sigarray, cmp_signodes); - - for (idx=0; idx < sigcount; idx++) - list_signature_print (ctrl, keyblock, sigarray[idx], listctx); - xfree (sigarray); + sigarray[sigcount++] = node = n; } - else - list_signature_print (ctrl, keyblock, node, listctx); + /* Note that NODE is now at the last signature. */ + + if ((opt.list_options & LIST_SORT_SIGS)) + qsort (sigarray, sigcount, sizeof *sigarray, cmp_signodes); + + for (idx=0; idx < sigcount; idx++) + list_signature_print (ctrl, keyblock, sigarray[idx], listctx); + xfree (sigarray); } } es_putc ('\n', es_stdout); diff --git a/g10/options.h b/g10/options.h index 74a6cdb16..499544cdf 100644 --- a/g10/options.h +++ b/g10/options.h @@ -426,6 +426,7 @@ EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode; #define LIST_SORT_SIGS (1<<13) #define LIST_SHOW_PREF (1<<14) #define LIST_SHOW_PREF_VERBOSE (1<<15) +#define LIST_SHOW_UNUSABLE_SIGS (1<<16) #define VERIFY_SHOW_PHOTOS (1<<0) #define VERIFY_SHOW_POLICY_URLS (1<<1)