diff --git a/agent/agent.h b/agent/agent.h index 9eccdeacf..d33b8cd34 100644 --- a/agent/agent.h +++ b/agent/agent.h @@ -157,6 +157,13 @@ struct interactively mark certificate in trustlist.txt as trusted. */ int allow_mark_trusted; + /* Only use the system trustlist. */ + int no_user_trustlist; + + /* The standard system trustlist is SYSCONFDIR/trustlist.txt. This + * option can be used to change the name. */ + const char *sys_trustlist_name; + /* If this global option is true, the Assuan command PRESET_PASSPHRASE is allowed. */ int allow_preset_passphrase; diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c index 468427933..7194e020a 100644 --- a/agent/gpg-agent.c +++ b/agent/gpg-agent.c @@ -128,6 +128,8 @@ enum cmd_and_opt_values oIgnoreCacheForSigning, oAllowMarkTrusted, oNoAllowMarkTrusted, + oNoUserTrustlist, + oSysTrustlistName, oAllowPresetPassphrase, oAllowLoopbackPinentry, oNoAllowLoopbackPinentry, @@ -251,6 +253,8 @@ static gpgrt_opt_t opts[] = { ARGPARSE_s_n (oNoAllowMarkTrusted, "no-allow-mark-trusted", /* */ N_("disallow clients to mark keys as \"trusted\"")), ARGPARSE_s_n (oAllowMarkTrusted, "allow-mark-trusted", "@"), + ARGPARSE_s_n (oNoUserTrustlist, "no-user-trustlist", "@"), + ARGPARSE_s_s (oSysTrustlistName, "sys-trustlist-name", "@"), ARGPARSE_s_n (oAllowPresetPassphrase, "allow-preset-passphrase", /* */ N_("allow presetting passphrase")), ARGPARSE_s_u (oS2KCount, "s2k-count", "@"), @@ -871,6 +875,7 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread) opt.enable_extended_key_format = 1; opt.ignore_cache_for_signing = 0; opt.allow_mark_trusted = 1; + opt.sys_trustlist_name = NULL; opt.allow_external_cache = 1; opt.allow_loopback_pinentry = 1; opt.allow_emacs_pinentry = 0; @@ -968,6 +973,8 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread) case oAllowMarkTrusted: opt.allow_mark_trusted = 1; break; case oNoAllowMarkTrusted: opt.allow_mark_trusted = 0; break; + case oNoUserTrustlist: opt.no_user_trustlist = 1; break; + case oSysTrustlistName: opt.sys_trustlist_name = pargs->r.ret_str; break; case oAllowPresetPassphrase: opt.allow_preset_passphrase = 1; break; @@ -1013,6 +1020,11 @@ finalize_rereadable_options (void) /* Hack to allow --grab to override --no-grab. */ if ((opt.no_grab & 2)) opt.no_grab = 0; + + /* With --no-user-trustlist it does not make sense to allow the mark + * trusted feature. */ + if (opt.no_user_trustlist) + opt.allow_mark_trusted = 0; } diff --git a/agent/trustlist.c b/agent/trustlist.c index 53d759fcd..250fcf27c 100644 --- a/agent/trustlist.c +++ b/agent/trustlist.c @@ -128,6 +128,24 @@ clear_trusttable (void) } +/* Return the name of the system trustlist. Caller must free. */ +static char * +make_sys_trustlist_name (void) +{ + if (opt.sys_trustlist_name + && (strchr (opt.sys_trustlist_name, '/') + || strchr (opt.sys_trustlist_name, '\\') + || (*opt.sys_trustlist_name == '~' + && opt.sys_trustlist_name[1] == '/'))) + return make_absfilename (opt.sys_trustlist_name, NULL); + else + return make_filename (gnupg_sysconfdir (), + (opt.sys_trustlist_name ? + opt.sys_trustlist_name : "trustlist.txt"), + NULL); +} + + static gpg_error_t read_one_trustfile (const char *fname, int systrust, trustitem_t **addr_of_table, @@ -196,7 +214,7 @@ read_one_trustfile (const char *fname, int systrust, } /* fixme: Should check for trailing garbage. */ - etcname = make_filename (gnupg_sysconfdir (), "trustlist.txt", NULL); + etcname = make_sys_trustlist_name (); if ( !strcmp (etcname, fname) ) /* Same file. */ log_info (_("statement \"%s\" ignored in '%s', line %d\n"), "include-default", fname, lnr); @@ -348,17 +366,24 @@ read_trustfiles (void) return gpg_error_from_syserror (); tableidx = 0; - fname = make_filename_try (gnupg_homedir (), "trustlist.txt", NULL); - if (!fname) + if (opt.no_user_trustlist) + fname = NULL; + else { - err = gpg_error_from_syserror (); - xfree (table); - return err; + fname = make_filename_try (gnupg_homedir (), "trustlist.txt", NULL); + if (!fname) + { + err = gpg_error_from_syserror (); + xfree (table); + return err; + } } - if ((ec = gnupg_access (fname, F_OK))) + if (!fname || (ec = gnupg_access (fname, F_OK))) { - if ( ec == GPG_ERR_ENOENT ) + if (!fname) + ; /* --no-user-trustlist active. */ + else if ( ec == GPG_ERR_ENOENT ) ; /* Silently ignore a non-existing trustfile. */ else { @@ -366,7 +391,7 @@ read_trustfiles (void) log_error (_("error opening '%s': %s\n"), fname, gpg_strerror (err)); } xfree (fname); - fname = make_filename (gnupg_sysconfdir (), "trustlist.txt", NULL); + fname = make_sys_trustlist_name (); systrust = 1; } err = read_one_trustfile (fname, systrust, &table, &tablesize, &tableidx); diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi index 98d024265..1655847bf 100644 --- a/doc/gpg-agent.texi +++ b/doc/gpg-agent.texi @@ -346,6 +346,21 @@ Do not allow clients to mark keys as trusted, i.e. put them into the @file{trustlist.txt} file. This makes it harder for users to inadvertently accept Root-CA keys. + +@anchor{option --no-user-trustlist} +@item --no-user-trustlist +@opindex no-user-trustlist +Entirely ignore the user trust list and consider only the global +trustlist (@file{@value{SYSCONFDIR}/trustlist.txt}). This +implies the @ref{option --no-allow-mark-trusted}. + +@item --sys-trustlist-name @var{file} +@opindex sys-trustlist-name +Changes the default name for the global trustlist from "trustlist.txt" +to @var{file}. If @var{file} does not contain any slashes and does +not start with "~/" it is searched in the system configuration +directory (@file{@value{SYSCONFDIR}}). + @anchor{option --allow-preset-passphrase} @item --allow-preset-passphrase @opindex allow-preset-passphrase @@ -773,7 +788,9 @@ that this file can't be changed inadvertently. As a special feature a line @code{include-default} will include a global list of trusted certificates (e.g. @file{@value{SYSCONFDIR}/trustlist.txt}). -This global list is also used if the local list is not available. +This global list is also used if the local list is not available; +the @ref{option --no-user-trustlist} enforces the use of only +this global list. It is possible to add further flags after the @code{S} for use by the caller: