gpg: New option --no-auto-trust-new-key.

* g10/gpg.c (oNoAutoTrustNewKey): New.
(opts): Add --no-auto-trust-new-key.
(main): Set it.
* g10/options.h (opt): Add flags.no_auto_trust_new_key.

Signed-off-by: Werner Koch <wk@gnupg.org>

NEWS

@@ -14,6 +14,8 @@ Noteworthy changes in version 2.3.0 (unreleased)
   * The gpg-wks-client tool is now installed under bin; a wrapper for
     its old location at libexec is also installed.
 
+  * tpm2d: New daemon to physically bind keys to the local machine.
+
   * gpg: Switch to ed25519/cv25519 as default public key algorithms.
 
   * gpg: Verification results now depend on the --sender option and
@@ -33,6 +35,10 @@ Noteworthy changes in version 2.3.0 (unreleased)
 
   * gpg: New option --full-timestrings to print date and time.
 
+  * gpg: New option --force-sign-key.  [#4584]
+
+  * gpg: New option --no-auto-trust-new-key.
+
   * gpg: The legacy key discovery method PKA is no longer supported.
     The command --print-pka-records and the PKA related import and
     export options have been removed.
@@ -58,6 +64,8 @@ Noteworthy changes in version 2.3.0 (unreleased)
 
   * scd: New option --application-priority.
 
+  * scd: New option --pcsc-shared; see man page for important notes.
+
   * dirmngr: Support a gpgNtds parameter in LDAP keyserver URLs.
 
   * The symcryptrun tool, a wrapper for the now obsolete external

agent/command-ssh.c

@@ -158,7 +158,7 @@ typedef gpg_error_t (*ssh_signature_encoder_t) (ssh_key_type_spec_t *spec,
                                                 estream_t signature_blob,
 						gcry_sexp_t sig);
 
-/* Type, which is used for boundling all the algorithm specific
+/* Type, which is used for bundling all the algorithm specific
    information together in a single object.  */
 struct ssh_key_type_spec
 {

doc/gpg.texi

@@ -3587,6 +3587,12 @@ You need to consult the source code to learn the details.  Note that
 the advanced key generation commands can always be used to specify a
 key algorithm directly.
 
+@item --no-auto-trust-new-key
+@opindex no-auto-trust-new-key
+When creating a new key the ownertrust of the new key is set to
+ultimate.  This option disables this and the user needs to manually
+assign an ownertrust value.
+
 @item --force-sign-key
 @opindex force-sign-key
 This option modifies the behaviour of the commands

g10/gpg.c

@@ -285,6 +285,7 @@ enum cmd_and_opt_values
     oAlwaysTrust,
     oTrustModel,
     oForceOwnertrust,
+    oNoAutoTrustNewKey,
     oSetFilename,
     oForYourEyesOnly,
     oNoForYourEyesOnly,
@@ -692,6 +693,7 @@ static gpgrt_opt_t opts[] = {
   ARGPARSE_s_n (oAutoCheckTrustDB, "auto-check-trustdb", "@"),
   ARGPARSE_s_n (oNoAutoCheckTrustDB, "no-auto-check-trustdb", "@"),
   ARGPARSE_s_s (oForceOwnertrust, "force-ownertrust", "@"),
+  ARGPARSE_s_n (oNoAutoTrustNewKey, "no-auto-trust-new-key", "@"),
 #endif
 
 
@@ -2969,6 +2971,8 @@ main (int argc, char **argv)
 	      }
 	    break;
 
+          case oNoAutoTrustNewKey: opt.flags.no_auto_trust_new_key = 1; break;
+
           case oCompliance:
 	    {
 	      int compliance = gnupg_parse_compliance_option

g10/keygen.c

@@ -5568,9 +5568,10 @@ do_generate_keypair (ctrl_t ctrl, struct para_data_s *para,
           keyid_from_pk (pk, pk->main_keyid);
           register_trusted_keyid (pk->main_keyid);
 
-	  update_ownertrust (ctrl, pk,
-                             ((get_ownertrust (ctrl, pk) & ~TRUST_MASK)
-                              | TRUST_ULTIMATE ));
+          if (!opt.flags.no_auto_trust_new_key)
+            update_ownertrust (ctrl, pk,
+                               ((get_ownertrust (ctrl, pk) & ~TRUST_MASK)
+                                | TRUST_ULTIMATE ));
 
           gen_standard_revoke (ctrl, pk, cache_nonce);
 

g10/options.h

@@ -254,6 +254,8 @@ struct
     unsigned int full_timestrings:1;
     /* Force signing keys even if a key signature already exists.  */
     unsigned int force_sign_key:1;
+    /* On key generation do not set the ownertrust.  */
+    unsigned int no_auto_trust_new_key:1;
   } flags;
 
   /* Linked list of ways to find a key if the key isn't on the local