gpg: Add option --allow-weak-key-signatures.

* g10/gpg.c (oAllowWeakKeySignatures): New.
(opts): Add --allow-weak-key-signatures.
(main): Set it.
* g10/options.h (struct opt): Add flags.allow_weak_key_signatures.
* g10/misc.c (print_sha1_keysig_rejected_note): New.
* g10/sig-check.c (check_signature_over_key_or_uid): Print note and
act on new option.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit e624c41dbafd33af82c1153188d14de72fcc7cd8)

doc/gpg.texi

@@ -113,9 +113,12 @@ only one command is allowed.  Generally speaking, irrelevant options
 are silently ignored, and may not be checked for correctness.
 
 @command{@gpgname} may be run with no commands. In this case it will
-perform a reasonable action depending on the type of file it is given
+print a warning perform a reasonable action depending on the type of
-as input (an encrypted message is decrypted, a signature is verified,
+file it is given as input (an encrypted message is decrypted, a
-a file containing keys is listed, etc.).
+signature is verified, a file containing keys is listed, etc.).
+
+If you run into any problems, please add the option @option{--verbose}
+to the invocation to see more diagnostics.
 
 
 @menu
@@ -3273,6 +3276,12 @@ weak.  See also @option{--allow-weak-digest-algos} to disable
 rejection of weak digests.  MD5 is always considered weak, and does
 not need to be listed explicitly.
 
+@item --allow-weak-key-signatures
+@opindex allow-weak-key-signatures
+To avoid a minor risk of collision attacks on third-party key
+signatures made using SHA-1, those key signatures are considered
+invalid.  This options allows to override this restriction.
+
 @item --no-default-keyring
 @opindex no-default-keyring
 Do not add the default keyrings to the list of keyrings. Note that

g10/gpg.c

@@ -407,6 +407,7 @@ enum cmd_and_opt_values
     oAllowMultipleMessages,
     oNoAllowMultipleMessages,
     oAllowWeakDigestAlgos,
+    oAllowWeakKeySignatures,
     oFakedSystemTime,
     oNoAutostart,
     oPrintPKARecords,
@@ -888,6 +889,9 @@ static ARGPARSE_OPTS opts[] = {
   ARGPARSE_s_n (oNoAutostart, "no-autostart", "@"),
   ARGPARSE_s_n (oNoSymkeyCache, "no-symkey-cache", "@"),
 
+  /* Options to override new security defaults.  */
+  ARGPARSE_s_n (oAllowWeakKeySignatures, "allow-weak-key-signatures", "@"),
+
   /* Options which can be used in special circumstances. They are not
    * published and we hope they are never required.  */
   ARGPARSE_s_n (oUseOnlyOpenPGPCard, "use-only-openpgp-card", "@"),
@@ -3558,6 +3562,10 @@ main (int argc, char **argv)
             opt.flags.allow_weak_digest_algos = 1;
             break;
 
+          case oAllowWeakKeySignatures:
+            opt.flags.allow_weak_key_signatures = 1;
+            break;
+
           case oFakedSystemTime:
             {
               size_t len = strlen (pargs.r.ret_str);

g10/main.h

@@ -91,6 +91,7 @@ void print_pubkey_algo_note (pubkey_algo_t algo);
 void print_cipher_algo_note (cipher_algo_t algo);
 void print_digest_algo_note (digest_algo_t algo);
 void print_digest_rejected_note (enum gcry_md_algos algo);
+void print_sha1_keysig_rejected_note (void);
 void print_reported_error (gpg_error_t err, gpg_err_code_t skip_if_ec);
 void print_further_info (const char *format, ...) GPGRT_ATTR_PRINTF(1,2);
 void additional_weak_digest (const char* digestname);

g10/misc.c

@@ -357,6 +357,24 @@ print_digest_rejected_note (enum gcry_md_algos algo)
 }
 
 
+void
+print_sha1_keysig_rejected_note (void)
+{
+  static int shown;
+
+  if (shown)
+    return;
+
+  shown = 1;
+  es_fflush (es_stdout);
+  log_info (_("Note: third-party key signatures using"
+              " the %s algorithm are rejected\n"),
+            gcry_md_algo_name (GCRY_MD_SHA1));
+  print_further_info ("use option \"%s\" to override",
+                      "--allow-weak-key-signatures");
+}
+
+
 /* Print a message
  *  "(reported error: %s)\n
  * in verbose mode to further explain an error.  If the error code has

g10/options.h

@@ -237,6 +237,7 @@ struct
     unsigned int dsa2:1;
     unsigned int allow_multiple_messages:1;
     unsigned int allow_weak_digest_algos:1;
+    unsigned int allow_weak_key_signatures:1;
     unsigned int large_rsa:1;
     unsigned int disable_signer_uid:1;
     /* Flag to enable experimental features from RFC4880bis.  */

g10/sig-check.c

@@ -966,13 +966,15 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer,
     {
       log_assert (packet->pkttype == PKT_USER_ID);
       if (sig->digest_algo == DIGEST_ALGO_SHA1 && !*is_selfsig
-          && sig->timestamp > 1547856000)
+          && sig->timestamp > 1547856000
+          && !opt.flags.allow_weak_key_signatures)
         {
           /* If the signature was created using SHA-1 we consider this
            * signature invalid because it makes it possible to mount a
            * chosen-prefix collision.  We don't do this for
            * self-signatures or for signatures created before the
            * somewhat arbitrary cut-off date 2019-01-19.  */
+          print_sha1_keysig_rejected_note ();
           rc = gpg_error (GPG_ERR_DIGEST_ALGO);
         }
       else