gpgsm: New option --assert-signer

* sm/gpgsm.c (oAssertSigner, oNoop): New. (opts): Add option --assert-signer. (assert_signer_true): New var. (main): Set new option. (gpgsm_exit): Handle assert_signer_true. * sm/gpgsm.h (opt): Add field assert_signer_list. * sm/verify.c (is_x509_fingerprint): New. (check_assert_signer_list): New. (gpgsm_verify): Handle option. -- GnuPG-bug-id: 7286
2025-07-03 22:56:33 +02:00 · 2024-09-11 14:24:58 +02:00 · 2024-09-11 14:24:58 +02:00 · 33e571a74a
commit 33e571a74a
parent 2125f228d3
6 changed files with 184 additions and 4 deletions
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@ -732,6 +732,21 @@ instead to make sure that the gpgsm process exits with a failure if
 the compliance rules are not fulfilled.  Note that this option has
 currently an effect only in "de-vs" mode.

+@item --assert-signer @var{fpr_or_file}
+@opindex assert-signer
+This option checks whether at least one valid signature on a file has
+been made with the specified key.  The key is either specified as a
+fingerprint or a file listing fingerprints.  The fingerprint must be
+given or listed in compact format (no colons or spaces in between).
+As of now only SHA-1 fingerprints are allowed.  This option can be
+given multiple times and each fingerprint is checked against the
+signing key as well as the corresponding primary key.  If
+@var{fpr_or_file} specifies a file, empty lines are ignored as well as
+all lines starting with a hash sign.  With this option gpgsm is
+guaranteed to return with an exit code of 0 if and only if a signature
+has been encountered, is valid, and the key matches one of the
+fingerprints given by this option.
+
@item --always-trust
@opindex always-trust
 Force encryption to the specified certificates without any validation