gpg: New option --proc-all-sigs

* g10/options.h (flags): Add proc_all_sigs.
* g10/mainproc.c (proc_tree): Do not stop signature checking if this
new option is used.
* g10/gpg.c (oProcAllSigs): New.
(opts): Add "proc-all-sigs".
(main): Set it.
--

GnuPG-bug-id: 7261

NEWS

@@ -1,6 +1,8 @@
 Noteworthy changes in version 2.5.1 (unreleased)
 ------------------------------------------------
 
+ * gpg: New option --proc-all-sigs.  [T7261]
+
 
   Release-info: https://dev.gnupg.org/T7191
 

doc/gpg.texi

@@ -264,6 +264,11 @@ out the actual signed data, but there are other pitfalls with this
 format as well.  It is suggested to avoid cleartext signatures in
 favor of detached signatures.
 
+Note: With option @option{--batch} he verification of signatures stops
+at the first bad signature.  This is a safe default for unattended
+processing but sometimes a status for all signatures is needed.  To
+override this early bailout use the option @option{--proc-all-sigs}.
+
 Note: To check whether a file was signed by a certain key the option
 @option{--assert-signer} can be used.  As an alternative the
 @command{gpgv} tool can be used.  @command{gpgv} is designed to
@@ -1373,6 +1378,12 @@ Assume "yes" on most questions.  Should not be used in an option file.
 Assume "no" on most questions.  Should not be used in an option file.
 
 
+@item --proc-all-sigs
+@opindex proc-all-sigs
+This option overrides the behaviour of the @option{--batch} option to
+stop signature verification at the first bad signatures.
+
+
 @item --list-filter @{select=@var{expr}@}
 @opindex list-filter
 A list filter can be used to output only certain keys during key

g10/gpg.c

@@ -459,6 +459,7 @@ enum cmd_and_opt_values
     oAssertPubkeyAlgo,
     oKbxBufferSize,
     oRequirePQCEncryption,
+    oProcAllSigs,
 
     oNoop
   };
@@ -907,6 +908,7 @@ static gpgrt_opt_t opts[] = {
 
   ARGPARSE_s_n (oBatch, "batch", "@"),
   ARGPARSE_s_n (oNoBatch, "no-batch", "@"),
+  ARGPARSE_s_n (oProcAllSigs, "proc-all-sigs", "@"),
   ARGPARSE_s_n (oAnswerYes, "yes", "@"),
   ARGPARSE_s_n (oAnswerNo, "no", "@"),
   ARGPARSE_s_i (oStatusFD, "status-fd", "@"),
@@ -2811,6 +2813,10 @@ main (int argc, char **argv)
             nogreeting = 1;
             break;
 
+          case oProcAllSigs:
+            opt.flags.proc_all_sigs = 1;
+            break;
+
           case oUseAgent: /* Dummy. */
             break;
 

g10/mainproc.c

@@ -2681,7 +2681,8 @@ proc_tree (CTX c, kbnode_t node)
         }
 
       for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
-        if (check_sig_and_print (c, n1) && opt.batch)
+        if (check_sig_and_print (c, n1) && opt.batch
+            && !opt.flags.proc_all_sigs)
           break;
 
     }
@@ -2701,7 +2702,8 @@ proc_tree (CTX c, kbnode_t node)
         }
 
       for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE));)
-        if (check_sig_and_print (c, n1) && opt.batch)
+        if (check_sig_and_print (c, n1) && opt.batch
+            && !opt.flags.proc_all_sigs)
           break;
     }
   else if (node->pkt->pkttype == PKT_SIGNATURE)
@@ -2830,7 +2832,8 @@ proc_tree (CTX c, kbnode_t node)
       if (multiple_ok)
         {
           for (n1 = node; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
-	    if (check_sig_and_print (c, n1) && opt.batch)
+	    if (check_sig_and_print (c, n1) && opt.batch
+                && !opt.flags.proc_all_sigs)
               break;
         }
       else

g10/options.h

@@ -306,7 +306,10 @@ struct
     /* Fail if an operation can't be done in the requested compliance
      * mode.  */
     unsigned int require_compliance:1;
+    /* Fail encryption unless a PQC algorithm is used.  */
     unsigned int require_pqc_encryption:1;
+    /* Process all signatures even in batch mode.  */
+    unsigned int proc_all_sigs:1;
   } flags;
 
   /* Linked list of ways to find a key if the key isn't on the local