gpgsm: Strip trailing zeroes from detached signatures.

* common/ksba-io-support.c: Include tlv.h (struct reader_cb_parm_s): Add new fields. (starts_with_sequence): New. (simple_reader_cb): Handle stripping. * common/ksba-io-support.h (GNUPG_KSBA_IO_STRIP): New. (gnupg_ksba_create_reader): Handle the new flag. * sm/verify.c (gpgsm_verify): Use the new flag for detached signatures. -- Note that this works only if --assume-binary is given. The use case for the feature is PDF signature checking where the PDF specs require that the detached signature is padded with zeroes. (cherry picked from commit 2a13f7f9dc)
2025-07-02 22:46:30 +02:00 · 2023-03-08 10:57:25 +01:00 · 2023-03-08 10:57:25 +01:00 · 6bdf11f671
commit 6bdf11f671
parent a6e47400c7
4 changed files with 119 additions and 5 deletions
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@ -480,8 +480,10 @@ This usually means that Dirmngr is employed to search for the
 certificate.  Note that this option makes a "web bug" like behavior
 possible.  LDAP server operators can see which keys you request, so by
 sending you a message signed by a brand new key (which you naturally
-will not have on your local keybox), the operator can tell both your IP
-address and the time when you verified the signature.
+will not have on your local keybox), the operator can tell both your
+IP address and the time when you verified the signature.  Note that if
+CRL checking is not disabled issuer certificates are retrieved in any
+case using the caIssuers authorityInfoAccess method.


@anchor{gpgsm-option --validation-model}