diff --git a/NEWS b/NEWS
index 3548b4226..86e99d074 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,8 @@
 Noteworthy changes in version 2.2.45 (unreleased)
 -------------------------------------------------
+ * gpg: New option --proc-all-sigs. [T7261]
+
 Release-info: https://dev.gnupg.org/T7255
diff --git a/doc/gpg.texi b/doc/gpg.texi
index 5c3bcf7ec..ee4378b13 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -270,6 +270,12 @@ is designed to compare signed data against a list of trusted keys and returns with success only for a good signature. It has its own manual page.
+Note: With option @option{--batch} the verification of signatures
+stops at the first bad signature. This is a safe default for
+unattended processing but sometimes a status for all signatures is
+needed. To override this early bailout use the option
+@option{--proc-all-sigs}.
+
 @item --multifile
 @opindex multifile
@@ -1307,6 +1313,10 @@ Assume "yes" on most questions. Should not be used in an option file.
 @opindex no
 Assume "no" on most questions. Should not be used in an option file.
+@item --proc-all-sigs
+@opindex proc-all-sigs
+This option overrides the behaviour of the @option{--batch} option to
+stop signature verification at the first bad signatures.
 @item --list-options @var{parameters}
 @opindex list-options
diff --git a/g10/gpg.c b/g10/gpg.c
index f431a2676..38ed41da1 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -438,6 +438,7 @@ enum cmd_and_opt_values
 oRequireCompliance,
 oCompatibilityFlags,
 oAddDesigRevoker,
+ oProcAllSigs,
 oNoop
 };
@@ -877,6 +878,7 @@ static ARGPARSE_OPTS opts[] = {
 ARGPARSE_s_n (oBatch, "batch", "@"),
 ARGPARSE_s_n (oNoBatch, "no-batch", "@"),
+ ARGPARSE_s_n (oProcAllSigs, "proc-all-sigs", "@"),
 ARGPARSE_s_n (oAnswerYes, "yes", "@"),
 ARGPARSE_s_n (oAnswerNo, "no", "@"),
 ARGPARSE_s_i (oStatusFD, "status-fd", "@"),
@@ -2713,6 +2715,10 @@ main (int argc, char **argv)
 nogreeting = 1;
 break;
+ case oProcAllSigs:
+ opt.flags.proc_all_sigs = 1;
+ break;
+
 case oUseAgent: /* Dummy. */
 break;
diff --git a/g10/mainproc.c b/g10/mainproc.c
index 0d98e0f67..eb114f639 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -2638,7 +2638,7 @@ check_sig_and_print (CTX c, kbnode_t node)
 release_kbnode( keyblock );
 if (rc)
 g10_errors_seen = 1;
- if (opt.batch && rc)
+ if (opt.batch && rc && !opt.flags.proc_all_sigs)
 g10_exit (1);
 }
 else
diff --git a/g10/options.h b/g10/options.h
index 9cdd251b5..c250e3ced 100644
--- a/g10/options.h
+++ b/g10/options.h
@@ -260,6 +260,8 @@ struct
 /* Fail if an operation can't be done in the requested compliance
 * mode. */
 unsigned int require_compliance:1;
+ /* Process all signatures even in batch mode. */
+ unsigned int proc_all_sigs:1;
 } flags;
 /* Linked list of ways to find a key if the key isn't on the local
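Review bot: The relaxed bail-out in check_sig_and_print (g10/mainproc.c, `if (opt.batch && rc && !opt.flags.proc_all_sigs)`) carries no comment on what an unattended caller can still rely on once processing continues past a bad signature. The line above still sets `g10_errors_seen = 1`, which presumably keeps the final exit status non-zero, although the exit path is not visible in this hunk. Status lines for later signatures will now follow the bad one, so a --status-fd consumer that accepts the data on the first good-signature line could reach the wrong verdict. I would add a comment such as `/* With --proc-all-sigs keep going; g10_errors_seen stays set and callers must evaluate the status of every signature. */` and repeat that caveat in the doc/gpg.texi entry. The function body starts and ends outside the hunk.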
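Review bot: The comment on the new `proc_all_sigs` bit in g10/options.h is broader than what the flag does in this commit. The only visible use is to suppress the `g10_exit (1)` after a failed signature check in batch mode, so the comment should name that and the option that sets it, for example `/* Set by --proc-all-sigs: do not exit at the first bad signature in batch mode. */`. The enclosing struct starts and ends outside the hunk.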