gpg: Allow adding of Additional Decryption Subkeys.

* g10/free-packet.c (copy_public_key): Factor some code out to ... (copy_public_key_basics): new. * g10/build-packet.c (build_sig_subpkt_from_sig): New arg signhints. * g10/packet.h (PUBKEY_USAGE_RENC): Fix value. (SIGNHINT_KEYSIG, SIGNHINT_SELFSIG): Moved from sign.c. (SIGNHINT_ADSK): New. (PKT_public_key): Change pubkey_usage from byte to u16. (PKT_user_id): Cosmetic fix: change help_key_usage from int to u16. * g10/getkey.c (parse_key_usage): Make public. * g10/misc.c (openpgp_pk_algo_usage): Take PUBKEY_USAGE_RENC in account. * g10/sign.c (update_keysig_packet): Set SIGNHINT_ADSK. (make_keysig_packet): Ditto. (do_sign): No time warp check in ADSK mode. * g10/sig-check.c (check_signature_metadata_validity): Ditto. * g10/keygen.c (struct opaque_data_usage_and_pk): Remove. (write_keybinding): Do not use the removed struct. (do_add_key_flags): Support PUBKEY_USAGE_RENC and others. (keygen_add_key_flags_and_expire): Rewrite and make public. * g10/keyedit.c (enum cmdids): Add cmdADDADSK. (keyedit_menu): Add command "addadsk". (menu_addadsk): New. -- This makes use of a new encryption flag: The "restricted encryption key" (2nd,0x04) does not take part in any automatic selection of encryption keys. It is only found on a subkey signature (type 0x18), one that refers to the key the flag applies to. Followup patches will add encryption support and a --quick command. GnuPG-bug-id: 6395
2025-07-02 22:46:30 +02:00 · 2023-03-01 17:22:20 +01:00 · 2023-03-01 17:22:20 +01:00 · 3a18378a92
commit 3a18378a92
parent 1aaadede76
13 changed files with 278 additions and 76 deletions
--- a/doc/DETAILS
+++ b/doc/DETAILS
@ -1724,17 +1724,10 @@ Description of some debug flags:

 ** gnupg.org notations

-  - adsk@gnupg.org :: Additional decryption subkey.  This notation
-                      gives a list of keys an implementation SHOULD
-                      also encrypt to.  The data consists of an array
-                      of eight-octet numbers holding the Key ID of an
-                      encryption subkey.  This notation is only valid
-                      on an encryption subkey (i.e. with first octet
-                      of the key flags 0x04 or 0x08).  Subkeys not on
-                      the same keyblock MUST NOT be considered.  For
-                      interoperability this notation SHOULD NOT be
-                      marked as criticial.  Due to its nature it MUST
-                      NOT be marked as human readable.
+  - rem@gnupg.org :: Used by Kleopatra to implement the tag feature.
+                     These tags are used to mark keys for easier
+                     searching and grouping.
+

 ** Simplified revocation certificates
  Revocation certificates consist only of the signature packet;
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@ -1067,6 +1067,15 @@ signing.
  "sensitive". If a designated revoker is marked as sensitive, it will
  not be exported by default (see export-options).

+  @item addadsk
+  @opindex keyedit:addadsk
+  Add an Additional Decryption Subkey.  The user is asked to enter the
+  fingerprint of another encryption subkey.  Note that the exact
+  fingerprint of another key's encryption subkey needs to be entered.
+  This is because commonly the primary key has no encryption
+  capability.  Use the option @option{--with-subkey-fingerprint} with
+  a list command to display the subkey fingerprints.
+
  @item passwd
  @opindex keyedit:passwd
  Change the passphrase of the secret key.