diff --git a/NEWS b/NEWS index 61e33ff05..5180f2ba6 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,8 @@ Noteworthy changes in version 2.5.1 (unreleased) ------------------------------------------------ + * gpg: New option --proc-all-sigs. [T7261] + Release-info: https://dev.gnupg.org/T7191 diff --git a/doc/gpg.texi b/doc/gpg.texi index ae1603924..75bef4053 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -264,6 +264,11 @@ out the actual signed data, but there are other pitfalls with this format as well. It is suggested to avoid cleartext signatures in favor of detached signatures. +Note: With option @option{--batch} he verification of signatures stops +at the first bad signature. This is a safe default for unattended +processing but sometimes a status for all signatures is needed. To +override this early bailout use the option @option{--proc-all-sigs}. + Note: To check whether a file was signed by a certain key the option @option{--assert-signer} can be used. As an alternative the @command{gpgv} tool can be used. @command{gpgv} is designed to @@ -1373,6 +1378,12 @@ Assume "yes" on most questions. Should not be used in an option file. Assume "no" on most questions. Should not be used in an option file. +@item --proc-all-sigs +@opindex proc-all-sigs +This option overrides the behaviour of the @option{--batch} option to +stop signature verification at the first bad signatures. + + @item --list-filter @{select=@var{expr}@} @opindex list-filter A list filter can be used to output only certain keys during key diff --git a/g10/gpg.c b/g10/gpg.c index 8e38ec0af..e61b6879a 100644 --- a/g10/gpg.c +++ b/g10/gpg.c @@ -459,6 +459,7 @@ enum cmd_and_opt_values oAssertPubkeyAlgo, oKbxBufferSize, oRequirePQCEncryption, + oProcAllSigs, oNoop }; @@ -907,6 +908,7 @@ static gpgrt_opt_t opts[] = { ARGPARSE_s_n (oBatch, "batch", "@"), ARGPARSE_s_n (oNoBatch, "no-batch", "@"), + ARGPARSE_s_n (oProcAllSigs, "proc-all-sigs", "@"), ARGPARSE_s_n (oAnswerYes, "yes", "@"), ARGPARSE_s_n (oAnswerNo, "no", "@"), ARGPARSE_s_i (oStatusFD, "status-fd", "@"), @@ -2811,6 +2813,10 @@ main (int argc, char **argv) nogreeting = 1; break; + case oProcAllSigs: + opt.flags.proc_all_sigs = 1; + break; + case oUseAgent: /* Dummy. */ break; diff --git a/g10/mainproc.c b/g10/mainproc.c index 29e5188f5..42d341d0c 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c @@ -2681,7 +2681,8 @@ proc_tree (CTX c, kbnode_t node) } for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));) - if (check_sig_and_print (c, n1) && opt.batch) + if (check_sig_and_print (c, n1) && opt.batch + && !opt.flags.proc_all_sigs) break; } @@ -2701,7 +2702,8 @@ proc_tree (CTX c, kbnode_t node) } for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));) - if (check_sig_and_print (c, n1) && opt.batch) + if (check_sig_and_print (c, n1) && opt.batch + && !opt.flags.proc_all_sigs) break; } else if (node->pkt->pkttype == PKT_SIGNATURE) @@ -2830,7 +2832,8 @@ proc_tree (CTX c, kbnode_t node) if (multiple_ok) { for (n1 = node; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE))) - if (check_sig_and_print (c, n1) && opt.batch) + if (check_sig_and_print (c, n1) && opt.batch + && !opt.flags.proc_all_sigs) break; } else diff --git a/g10/options.h b/g10/options.h index 8fde3523a..6f5017196 100644 --- a/g10/options.h +++ b/g10/options.h @@ -306,7 +306,10 @@ struct /* Fail if an operation can't be done in the requested compliance * mode. */ unsigned int require_compliance:1; + /* Fail encryption unless a PQC algorithm is used. */ unsigned int require_pqc_encryption:1; + /* Process all signatures even in batch mode. */ + unsigned int proc_all_sigs:1; } flags; /* Linked list of ways to find a key if the key isn't on the local