From 87d7b7e07565bdba9e9e8b8698f7094046d4f762 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 11 Mar 2021 11:27:07 +0100 Subject: [PATCH] gpg: New option --force-sign-key * g10/gpg.c (oForceSignKey,opts): New option "--force-sign-key". (main): Set it. * g10/options.h (opt): New flag flags.force_sign_key. * g10/keyedit.c (sign_uids): Use new flag. -- GnuPG-bug-id: 4584 --- doc/gpg.texi | 29 ++++++++++++++++++++--------- g10/gpg.c | 5 +++++ g10/keyedit.c | 9 +++++---- g10/options.h | 2 ++ 4 files changed, 32 insertions(+), 13 deletions(-) diff --git a/doc/gpg.texi b/doc/gpg.texi index cd8ded982..b22568b63 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -1114,7 +1114,9 @@ If a name is prefixed with a '=' a case sensitive exact match is done. The command @option{--quick-lsign-key} marks the signatures as non-exportable. If such a non-exportable signature already exists the -@option{--quick-sign-key} turns it into a exportable signature. +@option{--quick-sign-key} turns it into a exportable signature. If +you need to update an existing signature, for example to add or change +notation data, you need to use the option @option{--force-sign-key}. This command uses reasonable defaults and thus does not provide the full flexibility of the "sign" subcommand from @option{--edit-key}. @@ -1212,8 +1214,8 @@ encountered, you can explicitly stop parsing by using the special option @node GPG Configuration Options @subsection How to change the configuration -These options are used to change the configuration and are usually found -in the option file. +These options are used to change the configuration and most of them +are usually found in the option file. @table @gnupgtabopt @@ -1242,6 +1244,7 @@ one from the secret keyring or the one set with @option{--default-key}. @item --no-default-recipient @opindex no-default-recipient Reset @option{--default-recipient} and @option{--default-recipient-self}. +Should not be used in an option file. @item -v, --verbose @opindex verbose 
@@ -1250,11 +1253,11 @@ twice, the input data is listed in detail. @item --no-verbose @opindex no-verbose -Reset verbose level to 0. +Reset verbose level to 0. Should not be used in an option file. @item -q, --quiet @opindex quiet -Try to be as quiet as possible. +Try to be as quiet as possible. Should not be used in an option file. @item --batch @itemx --no-batch @@ -1266,11 +1269,11 @@ filename given on the command line, gpg might still need to read from STDIN (in particular if gpg figures that the input is a detached signature and no data file has been specified). Thus if you do not want to feed data via STDIN, you should connect STDIN to -g@file{/dev/null}. +@file{/dev/null}. It is highly recommended to use this option along with the options @option{--status-fd} and @option{--with-colons} for any unattended use of -@command{gpg}. +@command{gpg}. Should not be used in an option file. @item --no-tty @opindex no-tty @@ -1280,11 +1283,11 @@ warnings to the TTY even if @option{--batch} is used. @item --yes @opindex yes -Assume "yes" on most questions. +Assume "yes" on most questions. Should not be used in an option file. @item --no @opindex no -Assume "no" on most questions. +Assume "no" on most questions. Should not be used in an option file. @item --list-options @var{parameters} @@ -1565,6 +1568,7 @@ default (@option{--no-utf8-strings}) is to assume that arguments are encoded in the character set as specified by @option{--display-charset}. These options affect all following arguments. Both options may be used multiple times. +This option should not be used in an option file. @anchor{gpg-option --options} @item --options @var{file} 
@@ -3469,6 +3473,13 @@ You need to consult the source code to learn the details. Note that the advanced key generation commands can always be used to specify a key algorithm directly. +@item --force-sign-key +@opindex force-sign-key +This option modifies the behaviour of the commands +@option{--quick-sign-key}, @option{--quick-lsign-key}, and the "sign" +sub-commands of @option{--edit-key} by forcing the creation of a key +signature, even if one already exists. + @item --allow-secret-key-import @opindex allow-secret-key-import This is an obsolete option and is not used anywhere. diff --git a/g10/gpg.c b/g10/gpg.c index 6b44cfb0a..a0b395e91 100644 --- a/g10/gpg.c +++ b/g10/gpg.c @@ -430,6 +430,7 @@ enum cmd_and_opt_values oUseOnlyOpenPGPCard, oIncludeKeyBlock, oNoIncludeKeyBlock, + oForceSignKey, oNoop }; @@ -838,6 +839,7 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_s_s (oWeakDigest, "weak-digest","@"), ARGPARSE_s_n (oUnwrap, "unwrap", "@"), ARGPARSE_s_n (oOnlySignTextIDs, "only-sign-text-ids", "@"), + ARGPARSE_s_n (oForceSignKey, "force-sign-key", "@"), /* Aliases. I constantly mistype these, and assume other people do as well. */ @@ -2674,6 +2676,9 @@ main (int argc, char **argv) case oAnswerYes: opt.answer_yes = 1; break; case oAnswerNo: opt.answer_no = 1; break; + + case oForceSignKey: opt.flags.force_sign_key = 1; break; + case oKeyring: append_to_strlist( &nrings, pargs.r.ret_str); break; case oPrimaryKeyring: sl = append_to_strlist (&nrings, pargs.r.ret_str); diff --git a/g10/keyedit.c b/g10/keyedit.c index ed81c4a03..ea3bcf2b8 100644 --- a/g10/keyedit.c +++ b/g10/keyedit.c 
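Review bot: In the main() switch hunk the new `case oForceSignKey: opt.flags.force_sign_key = 1; break;` only ever sets the flag, and as far as the three gpg.c hunks show there is no negating option, so a `force-sign-key` line in gpg.conf cannot be overridden from the command line and every later sign operation would silently add duplicate key signatures. Most flags in this switch come in pairs (the adjacent `oAnswerYes`/`oAnswerNo` cases, and the `oIncludeKeyBlock`/`oNoIncludeKeyBlock` pair in the enum hunk), so the same pattern would fit here: add `oNoForceSignKey,` to the enum, `ARGPARSE_s_n (oNoForceSignKey, "no-force-sign-key", "@"),` to opts[], and `case oNoForceSignKey: opt.flags.force_sign_key = 0; break;` next to the new case. If a clearing option is intentionally left out, the manual entry added in the gpg.texi hunk should say the option is meant for the command line rather than the option file, as this patch already does for --yes, --no and --batch. The main() function starts and ends outside the hunk.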
@@ -751,10 +751,11 @@ sign_uids (ctrl_t ctrl, estream_t fp, _("\"%s\" was already signed by key %s\n"), user, keystr_from_pk (pk)); - if (opt.expert && !quick - && cpr_get_answer_is_yes ("sign_uid.dupe_okay", - _("Do you want to sign it " - "again anyway? (y/N) "))) + if (opt.flags.force_sign_key + || (opt.expert && !quick + && cpr_get_answer_is_yes ("sign_uid.dupe_okay", + _("Do you want to sign it " + "again anyway? (y/N) ")))) { /* Don't delete the old sig here since this is an --expert thing. */ diff --git a/g10/options.h b/g10/options.h index 3514a60dd..f5910f33d 100644 --- a/g10/options.h +++ b/g10/options.h @@ -241,6 +241,8 @@ struct /* Force the use of the OpenPGP card and do not allow the use of * another card. */ unsigned int use_only_openpgp_card:1; + /* Force signing keys even if a key signature already exists. */ + unsigned int force_sign_key:1; } flags; /* Linked list of ways to find a key if the key isn't on the local
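Review bot: The context comment `/* Don't delete the old sig here since this is an --expert thing. */` just below the rewritten condition is now stale: with `opt.flags.force_sign_key` set the block is entered without `opt.expert` and even when `quick` is true, and the interactive "sign it again anyway?" confirmation is skipped entirely. A reader of the body will otherwise assume the old signature is kept only because a user confirmed the duplicate; suggest `/* Don't delete the old sig here: we get here either because an --expert user confirmed the duplicate or because --force-sign-key was given, and both only add a new signature. */`. It is also worth a sentence in the same comment that the preceding "was already signed by key" message is the only notice the --force-sign-key path gives, so callers in --batch mode rely on it. The enclosing sign_uids() starts and ends outside the hunk.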