gpg: Fix a potential loss of key sigs during import with self-sigs-only.

* g10/import.c (import_one_real): Don't do the final clean in the
merge case.
--

This fixes a regression introduced with self-sigs-only.

GnuPG-bug-id: 4628
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 6701a38f8e)

doc/gpg.texi

@@ -2363,12 +2363,14 @@ opposite meaning. The options are:
   command "clean" after import. Defaults to no.
 
   @item self-sigs-only
-  Accept only self-signatures while importing a key.  All other
+  Accept only self-signatures while importing a key.  All other key
-  key-signatures are skipped at an early import stage.  This option
+  signatures are skipped at an early import stage.  This option can be
-  can be used with @code{keyserver-options} to mitigate attempts to
+  used with @code{keyserver-options} to mitigate attempts to flood a
-  flood a key with bogus signatures from a keyserver.  The drawback is
+  key with bogus signatures from a keyserver.  The drawback is that
-  that all other valid key-signatures, as required by the Web of Trust
+  all other valid key signatures, as required by the Web of Trust are
-  are also not imported.
+  also not imported.  Note that when using this option along with
+  import-clean it suppresses the final clean step after merging the
+  imported key into the existing key.
 
   @item repair-keys
   After import, fix various problems with the

g10/import.c

@@ -2115,7 +2115,10 @@ import_one_real (ctrl_t ctrl,
       if (err)
         goto leave;
 
-      if ((options & IMPORT_CLEAN))
+      /* Clean the final keyblock again if requested.  we can't do
+       * this if only self-signatures are imported; see bug #4628.  */
+      if ((options & IMPORT_CLEAN)
+          && !(options & IMPORT_SELF_SIGS_ONLY))
         {
           merge_keys_and_selfsig (ctrl, keyblock_orig);
           clean_all_uids (ctrl, keyblock_orig, opt.verbose,