gpg: Tweak compliance checking for verification

* common/compliance.c (gnupg_pk_is_allowed): Rework to always allow
verification.
* g10/mainproc.c (check_sig_and_print): Print a con-compliant warning.
* g10/sig-check.c (check_signature2): Use log_error instead of
log_info.
--

We should be able to verify all signatures.  So we only print a
warning.  That is the same beheavour as for untrusted keys etc.

GnuPG-bug-id: 3311
Signed-off-by: Werner Koch <wk@gnupg.org>

g10/mainproc.c

@@ -2168,6 +2168,16 @@ check_sig_and_print (CTX c, kbnode_t node)
                                mainpkhex);
 	}
 
+      /* Print compliance warning for Good signatures.  */
+      if (!rc && pk && !opt.quiet
+          && !gnupg_pk_is_compliant (opt.compliance, pk->pubkey_algo,
+                                     pk->pkey, nbits_from_pk (pk), NULL))
+        {
+          log_info (_("WARNING: This key is not suitable for signing"
+                      " in %s mode\n"),
+                    gnupg_compliance_option_string (opt.compliance));
+        }
+
       /* For good signatures compute and print the trust information.
          Note that in the Tofu trust model this may ask the user on
          how to resolve a conflict.  */

g10/sig-check.c

@@ -162,10 +162,10 @@ check_signature2 (ctrl_t ctrl,
 				    NULL))
       {
 	/* Compliance failure.  */
-	log_info (_("key %s not suitable for signature verification"
-                    " while in %s mode\n"),
-		  keystr_from_pk (pk),
-                  gnupg_compliance_option_string (opt.compliance));
+	log_error (_("key %s is not suitable for signature verification"
+                     " in %s mode\n"),
+                   keystr_from_pk (pk),
+                   gnupg_compliance_option_string (opt.compliance));
 	rc = gpg_error (GPG_ERR_PUBKEY_ALGO);
       }
     else if(!pk->flags.valid)
@@ -207,6 +207,7 @@ check_signature2 (ctrl_t ctrl,
 		rc = gpg_error (GPG_ERR_GENERAL);
 	      }
 	  }
+
       }
 
     if( !rc && sig->sig_class < 2 && is_status_enabled() ) {