diff --git a/g10/ChangeLog b/g10/ChangeLog index 2ecd3ed7c..cddda13c7 100644 --- a/g10/ChangeLog +++ b/g10/ChangeLog @@ -1,3 +1,10 @@ +2006-03-07 David Shaw + + * options.h, gpg.c (main, parse_trust_model), pkclist.c + (check_signatures_trust), mainproc.c (check_sig_and_print, + pka_uri_from_sig), trustdb.c (init_trustdb): Some tweaks to PKA so + that it is a verify-option now. + 2006-03-07 Werner Koch * mainproc.c (proc_signature_packets): Return any_sig_seen to caller. diff --git a/g10/gpg.c b/g10/gpg.c index 074eb4e4a..9485001d7 100644 --- a/g10/gpg.c +++ b/g10/gpg.c @@ -243,7 +243,6 @@ enum cmd_and_opt_values oAlwaysTrust, oTrustModel, oForceOwnertrust, - oAllowPkaLookup, oRunAsShmCP, oSetFilename, oForYourEyesOnly, @@ -601,7 +600,6 @@ static ARGPARSE_OPTS opts[] = { { oAlwaysTrust, "always-trust", 0, "@"}, { oTrustModel, "trust-model", 2, "@"}, { oForceOwnertrust, "force-ownertrust", 2, "@"}, - { oAllowPkaLookup, "allow-pka-lookup", 0, "@" }, { oRunAsShmCP, "run-as-shm-coprocess", 4, "@" }, { oSetFilename, "set-filename", 2, "@" }, { oForYourEyesOnly, "for-your-eyes-only", 0, "@" }, @@ -1452,7 +1450,6 @@ gpgconf_list (const char *configfile) printf ("quiet:%lu:\n", GC_OPT_FLAG_NONE); printf ("keyserver:%lu:\n", GC_OPT_FLAG_NONE); printf ("reader-port:%lu:\n", GC_OPT_FLAG_NONE); - printf ("allow-pka-lookup:%lu:\n", GC_OPT_FLAG_NONE); } @@ -1608,47 +1605,20 @@ collapse_args(int argc,char *argv[]) static void parse_trust_model(const char *model) { - opt.pka_trust_increase = 0; if(ascii_strcasecmp(model,"pgp")==0) - { - opt.trust_model=TM_PGP; - } - else if(ascii_strcasecmp(model,"pgp+pka")==0) - { - opt.trust_model=TM_PGP; - opt.pka_trust_increase = 1; - } + opt.trust_model=TM_PGP; else if(ascii_strcasecmp(model,"classic")==0) - { - opt.trust_model=TM_CLASSIC; - } + opt.trust_model=TM_CLASSIC; else if(ascii_strcasecmp(model,"always")==0) - { - opt.trust_model=TM_ALWAYS; - } + opt.trust_model=TM_ALWAYS; else if(ascii_strcasecmp(model,"direct")==0) - { - opt.trust_model=TM_DIRECT; - } - else if(ascii_strcasecmp(model,"direct+pka")==0) - { - opt.trust_model=TM_DIRECT; - opt.pka_trust_increase = 1; - } + opt.trust_model=TM_DIRECT; else if(ascii_strcasecmp(model,"auto")==0) - { - opt.trust_model=TM_AUTO; - } - else if(ascii_strcasecmp(model,"auto+pka")==0) - { - opt.trust_model=TM_AUTO; - opt.pka_trust_increase = 1; - } + opt.trust_model=TM_AUTO; else log_error("unknown trust model `%s'\n",model); } - int main (int argc, char **argv ) { @@ -1740,7 +1710,6 @@ main (int argc, char **argv ) opt.verify_options= VERIFY_SHOW_POLICY_URLS|VERIFY_SHOW_STD_NOTATIONS|VERIFY_SHOW_KEYSERVER_URLS; opt.trust_model=TM_AUTO; - opt.pka_trust_increase=0; opt.mangle_dos_filenames=0; opt.min_cert_level=2; set_screen_dimensions(); @@ -2153,9 +2122,6 @@ main (int argc, char **argv ) opt.force_ownertrust=0; } break; - case oAllowPkaLookup: - opt.allow_pka_lookup = 1; - break; case oLoadExtension: #ifndef __riscos__ #if defined(USE_DYNAMIC_LINKING) || defined(_WIN32) @@ -2496,6 +2462,10 @@ main (int argc, char **argv ) N_("show user ID validity during signature verification")}, {"show-unusable-uids",VERIFY_SHOW_UNUSABLE_UIDS,NULL, N_("show revoked and expired user IDs in signature verification")}, + {"pka-lookup",VERIFY_PKA_LOOKUP,NULL, + N_("validate signatures with PKA data")}, + {"pka-trust-increase",VERIFY_PKA_TRUST_INCREASE,NULL, + N_("elevate the trust of signatures with valid PKA data")}, {NULL,0,NULL,NULL} }; diff --git a/g10/mainproc.c b/g10/mainproc.c index cc865a833..8c8262f58 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c @@ -1390,7 +1390,7 @@ pka_uri_from_sig (PKT_signature *sig) assert (!sig->pka_info); sig->flags.pka_tried = 1; sig->pka_info = get_pka_address (sig); - if (sig->pka_info && opt.allow_pka_lookup) + if (sig->pka_info) { char *uri; @@ -1866,7 +1866,8 @@ check_sig_and_print( CTX c, KBNODE node ) if (!rc) { - pka_uri_from_sig (sig); /* Make sure PKA info is available. */ + if(opt.verify_options&VERIFY_PKA_LOOKUP) + pka_uri_from_sig (sig); /* Make sure PKA info is available. */ rc = check_signatures_trust( sig ); } diff --git a/g10/options.h b/g10/options.h index 422d36b85..65e7cded5 100644 --- a/g10/options.h +++ b/g10/options.h @@ -103,8 +103,6 @@ struct TM_CLASSIC=0, TM_PGP=1, TM_EXTERNAL=2, TM_ALWAYS, TM_DIRECT, TM_AUTO } trust_model; int force_ownertrust; - int pka_trust_increase; /* Valid PKA information increases the trust. */ - int allow_pka_lookup; /* PKA lookups are only done if this is set. */ enum { CO_GNUPG=0, CO_RFC2440, CO_RFC1991, CO_PGP2, CO_PGP6, CO_PGP7, CO_PGP8 @@ -316,6 +314,8 @@ struct { #define VERIFY_SHOW_KEYSERVER_URLS (1<<4) #define VERIFY_SHOW_UID_VALIDITY (1<<5) #define VERIFY_SHOW_UNUSABLE_UIDS (1<<6) +#define VERIFY_PKA_LOOKUP (1<<7) +#define VERIFY_PKA_TRUST_INCREASE (1<<8) #define KEYSERVER_USE_TEMP_FILES (1<<0) #define KEYSERVER_KEEP_TEMP_FILES (1<<1) diff --git a/g10/pkclist.c b/g10/pkclist.c index 11a5f522e..5cce7f209 100644 --- a/g10/pkclist.c +++ b/g10/pkclist.c @@ -566,7 +566,7 @@ check_signatures_trust( PKT_signature *sig ) case TRUST_UNKNOWN: case TRUST_UNDEFINED: case TRUST_MARGINAL: - if (okay && opt.pka_trust_increase) + if (okay && opt.verify_options&VERIFY_PKA_TRUST_INCREASE) { trustlevel = ((trustlevel & ~TRUST_MASK) | TRUST_FULLY); log_info (_("trustlevel adjusted to FULL" diff --git a/g10/trustdb.c b/g10/trustdb.c index cff55ec21..e372bf8fb 100644 --- a/g10/trustdb.c +++ b/g10/trustdb.c @@ -450,12 +450,7 @@ init_trustdb() } if(opt.verbose) - { - log_info(_("using %s trust model\n"),trust_model_string()); - if (opt.pka_trust_increase) - log_info(_("PKA verification is allowed to" - " leverage trust to full\n")); - } + log_info(_("using %s trust model\n"),trust_model_string()); } if(opt.trust_model==TM_PGP || opt.trust_model==TM_CLASSIC)