gpg: New option --add-desig-revoker

* g10/gpg.c (oAddDesigRevoker): New. (opts): Add new option. * g10/options.h (opt): Add field desig_revokers. * g10/keygen.c (get_parameter_idx): New. (get_parameter): Make use of get_parameter_idx. (prepare_desig_revoker): New. (get_parameter_revkey): Add arg idx. (proc_parameter_file): Add designated revokers. (do_generate_keypair): Write all designated revokers. -- (cherry picked from commit 3d094e2bcf) Support for v5 desig revokers has been removed. However, we should check whether we can add a longer v4 desig revoker fingerprint in addition to the regular v4 desig revoker.
2025-07-02 22:46:30 +02:00 · 2023-02-16 18:09:22 +01:00 · 2023-02-16 18:09:22 +01:00 · 6c9db01101
commit 6c9db01101
parent 8c8608425a
6 changed files with 130 additions and 16 deletions
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@ -1713,6 +1713,19 @@ recipient's or signator's key.  If the given key is not locally
 available but an LDAP keyserver is configured the missing key is
 imported from that server.

+@item --add-desig-revoker [sensitive:]@var{fingerprint}
+@opindex add-desig-revoker
+Add the key specified by @var{fingerprint} as a designated revoker to
+newly created keys.  If the fingerprint is prefixed with the keyword
+``sensitive:'' that info is normally not exported wit the key.  This
+option may be given several time to add more than one designated
+revoker.  If the keyword ``clear'' is used instead of a fingerprint,
+all designated options previously encountered are discarded.
+Designated revokers are marked on the key as non-revocable.  Note that
+a designated revoker specified using a parameter file will also be
+added to the key.
+
+
@item --trust-model @{pgp|classic|tofu|tofu+pgp|direct|always|auto@}
@opindex trust-model
 Set what trust model GnuPG should follow. The models are: