mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
gpg: New option --auto-key-import
* g10/gpg.c (opts): New options --auto-key-import, --no-auto-key-import, and --no-include-key-block. (gpgconf_list): Add them. * g10/options.h (opt): Add field flags.auto_key_import. * g10/mainproc.c (check_sig_and_print): Use flag to enable that feature. * tools/gpgconf-comp.c: Give the new options a Basic config level. -- Note that the --no variants of the options are intended for easy disabling at the command line. GnuPG-bug-id: 4856 Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
parent
6a4443c842
commit
6b306f45f4
39
doc/gpg.texi
39
doc/gpg.texi
@ -1766,6 +1766,19 @@ Set what trust model GnuPG should follow. The models are:
|
|||||||
must be enabled explicitly.
|
must be enabled explicitly.
|
||||||
@end table
|
@end table
|
||||||
|
|
||||||
|
@item --include-key-block
|
||||||
|
@itemx --no-include-key-block
|
||||||
|
@opindex include-key-block
|
||||||
|
@opindex no-include-key-block
|
||||||
|
Include a minimized version of the public parts of the signing key as
|
||||||
|
a “Key Block subpacket” into data signatures. The Key Block contains
|
||||||
|
the signing key or subkey as well as an encryption subkey. This
|
||||||
|
allows the recipient of a signed message to reply encrypted to the
|
||||||
|
sender without using any online directories to lookup the key. The
|
||||||
|
default is @option{--no-innclude-key-block}. See also the option
|
||||||
|
@option{--auto-key-import}.
|
||||||
|
|
||||||
|
|
||||||
@item --auto-key-locate @var{mechanisms}
|
@item --auto-key-locate @var{mechanisms}
|
||||||
@itemx --no-auto-key-locate
|
@itemx --no-auto-key-locate
|
||||||
@opindex auto-key-locate
|
@opindex auto-key-locate
|
||||||
@ -1827,6 +1840,20 @@ list. The default is "local,wkd".
|
|||||||
@end table
|
@end table
|
||||||
|
|
||||||
|
|
||||||
|
@item --auto-key-import
|
||||||
|
@itemx --no-auto-key-import
|
||||||
|
@opindex auto-key-import
|
||||||
|
@opindex no-auto-key-import
|
||||||
|
This is an offline mechanism to get a missing key for signature
|
||||||
|
verification and for later encryption to this key. If this option is
|
||||||
|
enabled and a signature includes a “Key Block subpacket”, that key is
|
||||||
|
used to verify the signature and on verification success that key is
|
||||||
|
imported. The default is @option{--no-auto-key-import}.
|
||||||
|
|
||||||
|
On the sender (signing) site the option @option{--include-key-block}
|
||||||
|
needs to be used to put the public part of the signing key as “Key
|
||||||
|
Block subpacket” into the signature.
|
||||||
|
|
||||||
@item --auto-key-retrieve
|
@item --auto-key-retrieve
|
||||||
@itemx --no-auto-key-retrieve
|
@itemx --no-auto-key-retrieve
|
||||||
@opindex auto-key-retrieve
|
@opindex auto-key-retrieve
|
||||||
@ -1837,22 +1864,26 @@ local keyring. The default is @option{--no-auto-key-retrieve}.
|
|||||||
|
|
||||||
The order of methods tried to lookup the key is:
|
The order of methods tried to lookup the key is:
|
||||||
|
|
||||||
1. If a preferred keyserver is specified in the signature and the
|
1. If the option @option{--auto-key-import} is set and the signatures
|
||||||
|
includes a “Key Block subpacket”, that key is used to verify the
|
||||||
|
signature and on verification success that key is imported.
|
||||||
|
|
||||||
|
2. If a preferred keyserver is specified in the signature and the
|
||||||
option @option{honor-keyserver-url} is active (which is not the
|
option @option{honor-keyserver-url} is active (which is not the
|
||||||
default), that keyserver is tried. Note that the creator of the
|
default), that keyserver is tried. Note that the creator of the
|
||||||
signature uses the option @option{--sig-keyserver-url} to specify the
|
signature uses the option @option{--sig-keyserver-url} to specify the
|
||||||
preferred keyserver for data signatures.
|
preferred keyserver for data signatures.
|
||||||
|
|
||||||
2. If the signature has the Signer's UID set (e.g. using
|
3. If the signature has the Signer's UID set (e.g. using
|
||||||
@option{--sender} while creating the signature) a Web Key Directory
|
@option{--sender} while creating the signature) a Web Key Directory
|
||||||
(WKD) lookup is done. This is the default configuration but can be
|
(WKD) lookup is done. This is the default configuration but can be
|
||||||
disabled by removing WKD from the auto-key-locate list or by using the
|
disabled by removing WKD from the auto-key-locate list or by using the
|
||||||
option @option{--disable-signer-uid}.
|
option @option{--disable-signer-uid}.
|
||||||
|
|
||||||
3. If the option @option{honor-pka-record} is active, the legacy PKA
|
4. If the option @option{honor-pka-record} is active, the legacy PKA
|
||||||
method is used.
|
method is used.
|
||||||
|
|
||||||
4. If any keyserver is configured and the Issuer Fingerprint is part
|
5. If any keyserver is configured and the Issuer Fingerprint is part
|
||||||
of the signature (since GnuPG 2.1.16), the configured keyservers are
|
of the signature (since GnuPG 2.1.16), the configured keyservers are
|
||||||
tried.
|
tried.
|
||||||
|
|
||||||
|
17
g10/gpg.c
17
g10/gpg.c
@ -360,6 +360,8 @@ enum cmd_and_opt_values
|
|||||||
oNoRandomSeedFile,
|
oNoRandomSeedFile,
|
||||||
oAutoKeyRetrieve,
|
oAutoKeyRetrieve,
|
||||||
oNoAutoKeyRetrieve,
|
oNoAutoKeyRetrieve,
|
||||||
|
oAutoKeyImport,
|
||||||
|
oNoAutoKeyImport,
|
||||||
oUseAgent,
|
oUseAgent,
|
||||||
oNoUseAgent,
|
oNoUseAgent,
|
||||||
oGpgAgentInfo,
|
oGpgAgentInfo,
|
||||||
@ -434,6 +436,7 @@ enum cmd_and_opt_values
|
|||||||
oUseOnlyOpenPGPCard,
|
oUseOnlyOpenPGPCard,
|
||||||
oFullTimestrings,
|
oFullTimestrings,
|
||||||
oIncludeKeyBlock,
|
oIncludeKeyBlock,
|
||||||
|
oNoIncludeKeyBlock,
|
||||||
|
|
||||||
oNoop
|
oNoop
|
||||||
};
|
};
|
||||||
@ -750,8 +753,6 @@ static gpgrt_opt_t opts[] = {
|
|||||||
ARGPARSE_s_i (oCompressLevel, "compress-level", "@"),
|
ARGPARSE_s_i (oCompressLevel, "compress-level", "@"),
|
||||||
ARGPARSE_s_i (oBZ2CompressLevel, "bzip2-compress-level", "@"),
|
ARGPARSE_s_i (oBZ2CompressLevel, "bzip2-compress-level", "@"),
|
||||||
ARGPARSE_s_n (oDisableSignerUID, "disable-signer-uid", "@"),
|
ARGPARSE_s_n (oDisableSignerUID, "disable-signer-uid", "@"),
|
||||||
ARGPARSE_s_n (oIncludeKeyBlock, "include-key-block",
|
|
||||||
N_("include the public key in the signature")),
|
|
||||||
|
|
||||||
ARGPARSE_header ("ImportExport",
|
ARGPARSE_header ("ImportExport",
|
||||||
N_("Options controlling key import and export")),
|
N_("Options controlling key import and export")),
|
||||||
@ -759,8 +760,14 @@ static gpgrt_opt_t opts[] = {
|
|||||||
ARGPARSE_s_s (oAutoKeyLocate, "auto-key-locate",
|
ARGPARSE_s_s (oAutoKeyLocate, "auto-key-locate",
|
||||||
N_("|MECHANISMS|use MECHANISMS to locate keys by mail address")),
|
N_("|MECHANISMS|use MECHANISMS to locate keys by mail address")),
|
||||||
ARGPARSE_s_n (oNoAutoKeyLocate, "no-auto-key-locate", "@"),
|
ARGPARSE_s_n (oNoAutoKeyLocate, "no-auto-key-locate", "@"),
|
||||||
|
ARGPARSE_s_n (oAutoKeyImport, "auto-key-import",
|
||||||
|
N_("import missing key from a signature")),
|
||||||
|
ARGPARSE_s_n (oNoAutoKeyImport, "no-auto-key-import", "@"),
|
||||||
ARGPARSE_s_n (oAutoKeyRetrieve, "auto-key-retrieve", "@"),
|
ARGPARSE_s_n (oAutoKeyRetrieve, "auto-key-retrieve", "@"),
|
||||||
ARGPARSE_s_n (oNoAutoKeyRetrieve, "no-auto-key-retrieve", "@"),
|
ARGPARSE_s_n (oNoAutoKeyRetrieve, "no-auto-key-retrieve", "@"),
|
||||||
|
ARGPARSE_s_n (oIncludeKeyBlock, "include-key-block",
|
||||||
|
N_("include the public key in signatures")),
|
||||||
|
ARGPARSE_s_n (oNoIncludeKeyBlock, "no-include-key-block", "@"),
|
||||||
ARGPARSE_s_n (oDisableDirmngr, "disable-dirmngr",
|
ARGPARSE_s_n (oDisableDirmngr, "disable-dirmngr",
|
||||||
N_("disable all access to the dirmngr")),
|
N_("disable all access to the dirmngr")),
|
||||||
ARGPARSE_s_s (oKeyServer, "keyserver", "@"), /* Deprecated. */
|
ARGPARSE_s_s (oKeyServer, "keyserver", "@"), /* Deprecated. */
|
||||||
@ -1943,6 +1950,8 @@ gpgconf_list (const char *configfile)
|
|||||||
es_printf ("encrypt-to:%lu:\n", GC_OPT_FLAG_NONE);
|
es_printf ("encrypt-to:%lu:\n", GC_OPT_FLAG_NONE);
|
||||||
es_printf ("try-secret-key:%lu:\n", GC_OPT_FLAG_NONE);
|
es_printf ("try-secret-key:%lu:\n", GC_OPT_FLAG_NONE);
|
||||||
es_printf ("auto-key-locate:%lu:\n", GC_OPT_FLAG_NONE);
|
es_printf ("auto-key-locate:%lu:\n", GC_OPT_FLAG_NONE);
|
||||||
|
es_printf ("auto-key-import:%lu:\n", GC_OPT_FLAG_NONE);
|
||||||
|
es_printf ("include-key-block:%lu:\n", GC_OPT_FLAG_NONE);
|
||||||
es_printf ("auto-key-retrieve:%lu:\n", GC_OPT_FLAG_NONE);
|
es_printf ("auto-key-retrieve:%lu:\n", GC_OPT_FLAG_NONE);
|
||||||
es_printf ("log-file:%lu:\n", GC_OPT_FLAG_NONE);
|
es_printf ("log-file:%lu:\n", GC_OPT_FLAG_NONE);
|
||||||
es_printf ("debug-level:%lu:\"none:\n", GC_OPT_FLAG_DEFAULT);
|
es_printf ("debug-level:%lu:\"none:\n", GC_OPT_FLAG_DEFAULT);
|
||||||
@ -3035,6 +3044,7 @@ main (int argc, char **argv)
|
|||||||
|
|
||||||
case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break;
|
case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break;
|
||||||
case oIncludeKeyBlock: opt.flags.include_key_block = 1; break;
|
case oIncludeKeyBlock: opt.flags.include_key_block = 1; break;
|
||||||
|
case oNoIncludeKeyBlock: opt.flags.include_key_block = 0; break;
|
||||||
|
|
||||||
case oS2KMode: opt.s2k_mode = pargs.r.ret_int; break;
|
case oS2KMode: opt.s2k_mode = pargs.r.ret_int; break;
|
||||||
case oS2KDigest: s2k_digest_string = xstrdup(pargs.r.ret_str); break;
|
case oS2KDigest: s2k_digest_string = xstrdup(pargs.r.ret_str); break;
|
||||||
@ -3420,6 +3430,9 @@ main (int argc, char **argv)
|
|||||||
case oIgnoreMDCError: opt.ignore_mdc_error = 1; break;
|
case oIgnoreMDCError: opt.ignore_mdc_error = 1; break;
|
||||||
case oNoRandomSeedFile: use_random_seed = 0; break;
|
case oNoRandomSeedFile: use_random_seed = 0; break;
|
||||||
|
|
||||||
|
case oAutoKeyImport: opt.flags.auto_key_import = 1; break;
|
||||||
|
case oNoAutoKeyImport: opt.flags.auto_key_import = 0; break;
|
||||||
|
|
||||||
case oAutoKeyRetrieve:
|
case oAutoKeyRetrieve:
|
||||||
opt.keyserver_options.options |= KEYSERVER_AUTO_KEY_RETRIEVE;
|
opt.keyserver_options.options |= KEYSERVER_AUTO_KEY_RETRIEVE;
|
||||||
break;
|
break;
|
||||||
|
@ -2012,14 +2012,11 @@ check_sig_and_print (CTX c, kbnode_t node)
|
|||||||
rc = do_check_sig (c, node, extrahash, extrahashlen, NULL,
|
rc = do_check_sig (c, node, extrahash, extrahashlen, NULL,
|
||||||
NULL, &is_expkey, &is_revkey, &pk);
|
NULL, &is_expkey, &is_revkey, &pk);
|
||||||
|
|
||||||
/* If the key is not found but the signaure includes a key bnlock we
|
/* If the key is not found but the signature includes a key block we
|
||||||
* import that key block and trry again. We keep this key block
|
* use that key block for verification and on success import it. */
|
||||||
* only if the signature verifies. */
|
|
||||||
/* FIXME: Shall we add an option to disable it or use it only if
|
|
||||||
* --auto-key-retriueve is set? */
|
|
||||||
if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
|
if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
|
||||||
&& sig->flags.key_block)
|
&& sig->flags.key_block
|
||||||
/* && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)) */
|
&& opt.flags.auto_key_import)
|
||||||
{
|
{
|
||||||
PKT_public_key *included_pk;
|
PKT_public_key *included_pk;
|
||||||
const byte *kblock;
|
const byte *kblock;
|
||||||
|
@ -242,6 +242,7 @@ struct
|
|||||||
unsigned int large_rsa:1;
|
unsigned int large_rsa:1;
|
||||||
unsigned int disable_signer_uid:1;
|
unsigned int disable_signer_uid:1;
|
||||||
unsigned int include_key_block:1;
|
unsigned int include_key_block:1;
|
||||||
|
unsigned int auto_key_import:1;
|
||||||
/* Flag to enable experimental features from RFC4880bis. */
|
/* Flag to enable experimental features from RFC4880bis. */
|
||||||
unsigned int rfc4880bis:1;
|
unsigned int rfc4880bis:1;
|
||||||
/* Hack: --output is not given but OUTFILE was temporary set to "-". */
|
/* Hack: --output is not given but OUTFILE was temporary set to "-". */
|
||||||
|
@ -404,8 +404,9 @@ static known_option_t known_options_gpg[] =
|
|||||||
{ "log-file", GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED,
|
{ "log-file", GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED,
|
||||||
GC_ARG_TYPE_FILENAME },
|
GC_ARG_TYPE_FILENAME },
|
||||||
{ "auto-key-locate", GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED },
|
{ "auto-key-locate", GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED },
|
||||||
|
{ "auto-key-import", GC_OPT_FLAG_NONE, GC_LEVEL_BASIC },
|
||||||
{ "auto-key-retrieve", GC_OPT_FLAG_NONE, GC_LEVEL_EXPERT },
|
{ "auto-key-retrieve", GC_OPT_FLAG_NONE, GC_LEVEL_EXPERT },
|
||||||
{ "no-auto-key-retrieve", GC_OPT_FLAG_NONE, GC_LEVEL_INVISIBLE },
|
{ "include-key-block", GC_OPT_FLAG_NONE, GC_LEVEL_BASIC },
|
||||||
{ "disable-dirmngr", GC_OPT_FLAG_NONE, GC_LEVEL_EXPERT },
|
{ "disable-dirmngr", GC_OPT_FLAG_NONE, GC_LEVEL_EXPERT },
|
||||||
{ "max-cert-depth", GC_OPT_FLAG_NONE, GC_LEVEL_INVISIBLE },
|
{ "max-cert-depth", GC_OPT_FLAG_NONE, GC_LEVEL_INVISIBLE },
|
||||||
{ "completes-needed", GC_OPT_FLAG_NONE, GC_LEVEL_INVISIBLE },
|
{ "completes-needed", GC_OPT_FLAG_NONE, GC_LEVEL_INVISIBLE },
|
||||||
|
Loading…
x
Reference in New Issue
Block a user