gpg: Allow updating a SHA-1 key certification w/o --force-sign-key.

* g10/keyedit.c (sign_uids): Add a case for this. -- GnuPG-bug-id: 7663
2025-06-12 18:11:03 +02:00 · 2025-05-28 10:39:17 +02:00 · 2025-05-28 10:39:17 +02:00 · 15a71f108d
commit 15a71f108d
parent e8eb92019f
2 changed files with 13 additions and 1 deletions
--- a/3
+++ b/3
@ -1,6 +1,9 @@
 Noteworthy changes in version 2.5.7 (unreleased)
 ------------------------------------------------

+  * gpg: Allow updating a SHA-1 key certification w/o using
+    the --force-sign-key option.  [T7663]
+

 Noteworthy changes in version 2.5.6 (2025-05-08)
 ------------------------------------------------
--- a/g10/keyedit.c
+++ b/g10/keyedit.c
@ -855,7 +855,16 @@ sign_uids (ctrl_t ctrl, estream_t fp,
                                _("\"%s\" was already signed by key %s\n"),
 				user, keystr_from_pk (pk));

-		  if (opt.flags.force_sign_key
+                  if (node->pkt->pkt.signature->digest_algo
+                      == DIGEST_ALGO_SHA1
+                      && !opt.flags.allow_weak_key_signatures)
+                    {
+                      /* Allow updating a signature to a stronger
+                       * digest algorithm without an extra option.  */
+		      xfree (user);
+		      continue;
+                    }
+		  else if (opt.flags.force_sign_key
                      || (opt.expert && !(flags & SIGN_UIDS_QUICK)
                          && cpr_get_answer_is_yes ("sign_uid.dupe_okay",
                                                    _("Do you want to sign it "