gpg: New option --force-sign-key

* g10/gpg.c (oForceSignKey,opts): New option "--force-sign-key".
(main): Set it.
* g10/options.h (opt): New flag flags.force_sign_key.
* g10/keyedit.c (sign_uids): Use new flag.
--

GnuPG-bug-id: 4584

doc/gpg.texi

@@ -1114,7 +1114,9 @@ If a name is prefixed with a '=' a case sensitive exact match is done.
 
 The command @option{--quick-lsign-key} marks the signatures as
 non-exportable.  If such a non-exportable signature already exists the
-@option{--quick-sign-key} turns it into a exportable signature.
+@option{--quick-sign-key} turns it into a exportable signature.  If
+you need to update an existing signature, for example to add or change
+notation data, you need to use the option @option{--force-sign-key}.
 
 This command uses reasonable defaults and thus does not provide the
 full flexibility of the "sign" subcommand from @option{--edit-key}.
@@ -1212,8 +1214,8 @@ encountered, you can explicitly stop parsing by using the special option
 @node GPG Configuration Options
 @subsection How to change the configuration
 
-These options are used to change the configuration and are usually found
+These options are used to change the configuration and most of them
-in the option file.
+are usually found in the option file.
 
 @table @gnupgtabopt
 
@@ -1242,6 +1244,7 @@ one from the secret keyring or the one set with @option{--default-key}.
 @item --no-default-recipient
 @opindex no-default-recipient
 Reset @option{--default-recipient} and @option{--default-recipient-self}.
+Should not be used in an option file.
 
 @item -v, --verbose
 @opindex verbose
@@ -1250,11 +1253,11 @@ twice, the input data is listed in detail.
 
 @item --no-verbose
 @opindex no-verbose
-Reset verbose level to 0.
+Reset verbose level to 0.  Should not be used in an option file.
 
 @item -q, --quiet
 @opindex quiet
-Try to be as quiet as possible.
+Try to be as quiet as possible.  Should not be used in an option file.
 
 @item --batch
 @itemx --no-batch
@@ -1266,11 +1269,11 @@ filename given on the command line, gpg might still need to read from
 STDIN (in particular if gpg figures that the input is a
 detached signature and no data file has been specified).  Thus if you
 do not want to feed data via STDIN, you should connect STDIN to
-g@file{/dev/null}.
+@file{/dev/null}.
 
 It is highly recommended to use this option along with the options
 @option{--status-fd} and @option{--with-colons} for any unattended use of
-@command{gpg}.
+@command{gpg}.  Should not be used in an option file.
 
 @item --no-tty
 @opindex no-tty
@@ -1280,11 +1283,11 @@ warnings to the TTY even if @option{--batch} is used.
 
 @item --yes
 @opindex yes
-Assume "yes" on most questions.
+Assume "yes" on most questions.  Should not be used in an option file.
 
 @item --no
 @opindex no
-Assume "no" on most questions.
+Assume "no" on most questions.  Should not be used in an option file.
 
 
 @item --list-options @var{parameters}
@@ -1565,6 +1568,7 @@ default (@option{--no-utf8-strings}) is to assume that arguments are
 encoded in the character set as specified by
 @option{--display-charset}. These options affect all following
 arguments. Both options may be used multiple times.
+This option should not be used in an option file.
 
 @anchor{gpg-option --options}
 @item --options @var{file}
@@ -3469,6 +3473,13 @@ You need to consult the source code to learn the details.  Note that
 the advanced key generation commands can always be used to specify a
 key algorithm directly.
 
+@item --force-sign-key
+@opindex force-sign-key
+This option modifies the behaviour of the commands
+@option{--quick-sign-key}, @option{--quick-lsign-key}, and the "sign"
+sub-commands of @option{--edit-key} by forcing the creation of a key
+signature, even if one already exists.
+
 @item --allow-secret-key-import
 @opindex allow-secret-key-import
 This is an obsolete option and is not used anywhere.

g10/gpg.c

@@ -430,6 +430,7 @@ enum cmd_and_opt_values
     oUseOnlyOpenPGPCard,
     oIncludeKeyBlock,
     oNoIncludeKeyBlock,
+    oForceSignKey,
 
     oNoop
   };
@@ -838,6 +839,7 @@ static ARGPARSE_OPTS opts[] = {
   ARGPARSE_s_s (oWeakDigest, "weak-digest","@"),
   ARGPARSE_s_n (oUnwrap, "unwrap", "@"),
   ARGPARSE_s_n (oOnlySignTextIDs, "only-sign-text-ids", "@"),
+  ARGPARSE_s_n (oForceSignKey,    "force-sign-key", "@"),
 
   /* Aliases.  I constantly mistype these, and assume other people do
      as well. */
@@ -2674,6 +2676,9 @@ main (int argc, char **argv)
 
 	  case oAnswerYes: opt.answer_yes = 1; break;
 	  case oAnswerNo: opt.answer_no = 1; break;
+
+          case oForceSignKey: opt.flags.force_sign_key = 1; break;
+
 	  case oKeyring: append_to_strlist( &nrings, pargs.r.ret_str); break;
 	  case oPrimaryKeyring:
 	    sl = append_to_strlist (&nrings, pargs.r.ret_str);

g10/keyedit.c

@@ -751,10 +751,11 @@ sign_uids (ctrl_t ctrl, estream_t fp,
                                 _("\"%s\" was already signed by key %s\n"),
 				user, keystr_from_pk (pk));
 
-		  if (opt.expert && !quick
+		  if (opt.flags.force_sign_key
-		      && cpr_get_answer_is_yes ("sign_uid.dupe_okay",
+                      || (opt.expert && !quick
-						_("Do you want to sign it "
+                          && cpr_get_answer_is_yes ("sign_uid.dupe_okay",
-						  "again anyway? (y/N) ")))
+                                                    _("Do you want to sign it "
+                                                      "again anyway? (y/N) "))))
 		    {
 		      /* Don't delete the old sig here since this is
 		         an --expert thing. */

g10/options.h

@@ -241,6 +241,8 @@ struct
     /* Force the use of the OpenPGP card and do not allow the use of
      * another card.  */
     unsigned int use_only_openpgp_card:1;
+    /* Force signing keys even if a key signature already exists.  */
+    unsigned int force_sign_key:1;
   } flags;
 
   /* Linked list of ways to find a key if the key isn't on the local