From 89c7eccba5155462a3435301b05b33c2ba832e03 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 10 Jan 2024 17:18:34 +0100 Subject: [PATCH] gpg: Allow to create revocations even with non-compliant algos. * g10/sign.c (do_sign): Skip compliance check for revocation certs. -- It just does not make sense to inhibit the creation of revocations depending on the compliance mode. We do this only for key revocation but not for another kind of revocation because the rationale for uid or subkey revocation is more complicated to explain. --- g10/sign.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/g10/sign.c b/g10/sign.c index 6fa6f46da..def43c7ab 100644 --- a/g10/sign.c +++ b/g10/sign.c @@ -385,8 +385,9 @@ do_sign (ctrl_t ctrl, PKT_public_key *pksk, PKT_signature *sig, goto leave; } - /* Check compliance. */ - if (! gnupg_digest_is_allowed (opt.compliance, 1, mdalgo)) + /* Check compliance but always allow for key revocations. */ + if (!IS_KEY_REV (sig) + && ! gnupg_digest_is_allowed (opt.compliance, 1, mdalgo)) { log_error (_("digest algorithm '%s' may not be used in %s mode\n"), gcry_md_algo_name (mdalgo), @@ -395,9 +396,10 @@ do_sign (ctrl_t ctrl, PKT_public_key *pksk, PKT_signature *sig, goto leave; } - if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, - pksk->pubkey_algo, 0, - pksk->pkey, nbits_from_pk (pksk), NULL)) + if (!IS_KEY_REV (sig) + && ! gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, + pksk->pubkey_algo, 0, + pksk->pkey, nbits_from_pk (pksk), NULL)) { log_error (_("key %s may not be used for signing in %s mode\n"), keystr_from_pk (pksk),