* options.h, g10.c (main): Add --trust-model option. Current models are

"openpgp" which is classic+trustsigs, "classic" which is classic only, and
"always" which is the same as the current option --always-trust (which
still works).  Default is "openpgp".

* trustdb.c (validate_one_keyblock): Use "openpgp" trust model to enable
trust sigs.

* gpgv.c (main), mainproc.c (check_sig_and_print), pkclist.c (do_we_trust,
do_we_trust_pre, check_signatures_trust): Use new --trust-model option in
place of --always-trust.

g10/ChangeLog

@@ -1,5 +1,17 @@
 2002-11-03  David Shaw  <dshaw@jabberwocky.com>
 
+	* options.h, g10.c (main): Add --trust-model option.  Current
+	models are "openpgp" which is classic+trustsigs, "classic" which
+	is classic only, and "always" which is the same as the current
+	option --always-trust (which still works).  Default is "openpgp".
+
+	* trustdb.c (validate_one_keyblock): Use "openpgp" trust model to
+	enable trust sigs.
+
+	* gpgv.c (main), mainproc.c (check_sig_and_print), pkclist.c
+	(do_we_trust, do_we_trust_pre, check_signatures_trust): Use new
+	--trust-model option in place of --always-trust.
+
 	* keyedit.c (sign_mk_attrib, trustsig_prompt, sign_uids,
 	keyedit_menu): Prompt for and create a trust signature with
 	"tsign".  This is functional, but needs better UI text.

g10/g10.c

@@ -205,6 +205,7 @@ enum cmd_and_opt_values { aNull = 0,
     oCompressKeys,
     oCompressSigs,
     oAlwaysTrust,
+    oTrustModel,
     oEmuChecksumBug,
     oRunAsShmCP,
     oSetFilename,
@@ -522,6 +523,7 @@ static ARGPARSE_OPTS opts[] = {
     { oCompressSigs, "compress-sigs",0, "@"},
     { oDefCertCheckLevel, "default-cert-check-level", 1, "@"},
     { oAlwaysTrust, "always-trust", 0, "@"},
+    { oTrustModel, "trust-model", 2, "@"},
     { oEmuChecksumBug, "emulate-checksum-bug", 0, "@"},
     { oRunAsShmCP, "run-as-shm-coprocess", 4, "@" },
     { oSetFilename, "set-filename", 2, "@" },
@@ -1142,6 +1144,7 @@ main( int argc, char **argv )
       EXPORT_INCLUDE_NON_RFC|EXPORT_INCLUDE_ATTRIBUTES;
     opt.keyserver_options.include_subkeys=1;
     opt.keyserver_options.include_revoked=1;
+    opt.trust_model=TM_OPENPGP;
 #if defined (__MINGW32__) || defined (__CYGWIN32__)
     set_homedir ( read_w32_registry_string( NULL,
                                     "Software\\GNU\\GnuPG", "HomeDir" ));
@@ -1443,7 +1446,20 @@ main( int argc, char **argv )
 	  case oCompressAlgo: opt.def_compress_algo = pargs.r.ret_int; break;
 	  case oCompressKeys: opt.compress_keys = 1; break;
 	  case aListSecretKeys: set_cmd( &cmd, aListSecretKeys); break;
-	  case oAlwaysTrust: opt.always_trust = 1; break;
+	    /* There are many programs (like mutt) that call gpg with
+	       --always-trust so keep this option around for a long
+	       time. */
+	  case oAlwaysTrust: opt.trust_model=TM_ALWAYS; break;
+	  case oTrustModel:
+	    if(ascii_strcasecmp(pargs.r.ret_str,"openpgp")==0)
+	      opt.trust_model=TM_OPENPGP;
+	    else if(ascii_strcasecmp(pargs.r.ret_str,"classic")==0)
+	      opt.trust_model=TM_CLASSIC;
+	    else if(ascii_strcasecmp(pargs.r.ret_str,"always")==0)
+	      opt.trust_model=TM_ALWAYS;
+	    else
+	      log_error("unknown trust model \"%s\"\n",pargs.r.ret_str);
+	    break;
 	  case oLoadExtension:
 #ifndef __riscos__
 #if defined(USE_DYNAMIC_LINKING) || defined(__MINGW32__)

g10/gpgv.c

@@ -150,7 +150,7 @@ main( int argc, char **argv )
     opt.command_fd = -1; /* no command fd */
     opt.pgp2_workarounds = 1;
     opt.keyserver_options.auto_key_retrieve = 1;
-    opt.always_trust = 1;
+    opt.trust_model = TM_ALWAYS;
     opt.batch = 1;
 
   #if defined (__MINGW32__) || defined (__CYGWIN32__)

g10/mainproc.c

@@ -1382,7 +1382,7 @@ check_sig_and_print( CTX c, KBNODE node )
 		}
 	    }
 
-            if (opt.always_trust || !un)
+            if (opt.trust_model==TM_ALWAYS || !un)
                 keyid_str[17] = 0; /* cut off the "[uncertain]" part */
 
             write_status_text_and_buffer (statno, keyid_str,
@@ -1393,7 +1393,7 @@ check_sig_and_print( CTX c, KBNODE node )
             log_info(rc? _("BAD signature from \"")
                        : sig->flags.expired ? _("Expired signature from \"")
 		       : _("Good signature from \""));
-            if (!opt.always_trust && un) {
+            if (opt.trust_model!=TM_ALWAYS && un) {
                 fputs(_("[uncertain]"), log_stream() );
                 putc(' ', log_stream() );
             }

g10/options.h

@@ -88,7 +88,7 @@ struct {
     int skip_verify;
     int compress_keys;
     int compress_sigs;
-    int always_trust;
+    enum {TM_OPENPGP, TM_CLASSIC, TM_ALWAYS} trust_model;
     int pgp2;
     int pgp6;
     int pgp7; /* if we get any more of these, it's time to look at a

g10/pkclist.c

@@ -475,9 +475,9 @@ do_we_trust( PKT_public_key *pk, unsigned int *trustlevel )
     }
     *trustlevel &= ~trustmask;
 
-    if( opt.always_trust) {
+    if( opt.trust_model==TM_ALWAYS ) {
 	if( opt.verbose )
-	    log_info("No trust check due to --always-trust option\n");
+	    log_info("No trust check due to --trust-model always option\n");
 	return 1;
     }
 
@@ -570,7 +570,7 @@ do_we_trust_pre( PKT_public_key *pk, unsigned int trustlevel )
 	 *	 his decision the next time he encrypts for this recipient?
 	 */
     }
-    else if( opt.always_trust && !rc ) {
+    else if( opt.trust_model==TM_ALWAYS && !rc ) {
 	if( !opt.quiet )
 	    log_info(_("WARNING: Using untrusted key!\n"));
 	rc = 1;
@@ -591,7 +591,7 @@ check_signatures_trust( PKT_signature *sig )
   unsigned int trustlevel;
   int rc=0;
 
-  if ( opt.always_trust)
+  if ( opt.trust_model==TM_ALWAYS )
     {
       if( !opt.quiet )
         log_info(_("WARNING: Using untrusted key!\n"));

g10/trustdb.c

@@ -1405,11 +1405,11 @@ validate_one_keyblock (KBNODE kb, struct key_item *klist,
              did not exist.  This is safe for non-trust sigs as well
              since we don't accept a regexp on the sig unless it's a
              trust sig. */
-          if (kr && (kr->trust_regexp==NULL ||
+          if (kr && (kr->trust_regexp==NULL || opt.trust_model==TM_CLASSIC ||
 		     (uidnode && check_regexp(kr->trust_regexp,
 					    uidnode->pkt->pkt.user_id->name))))
             {
-	      if(DBG_TRUST && sig->trust_depth)
+	      if(DBG_TRUST && opt.trust_model!=TM_CLASSIC && sig->trust_depth)
 		log_debug("trust sig on %s, sig depth is %d, kr depth is %d\n",
 			  uidnode->pkt->pkt.user_id->name,sig->trust_depth,
 			  kr->trust_depth);
@@ -1419,10 +1419,10 @@ validate_one_keyblock (KBNODE kb, struct key_item *klist,
                  lesser trust sig or value.  I could make a decent
                  argument for any of these cases, but this seems to be
                  what PGP does, and I'd like to be compatible. -dms */
-	      if(sig->trust_depth &&
-		 pk->trust_timestamp<=sig->timestamp &&
-		 (sig->trust_depth<=kr->trust_depth ||
-		  kr->ownertrust==TRUST_ULTIMATE))
+	      if(opt.trust_model!=TM_CLASSIC && sig->trust_depth
+		 && pk->trust_timestamp<=sig->timestamp
+		 && (sig->trust_depth<=kr->trust_depth
+		     || kr->ownertrust==TRUST_ULTIMATE))
 		{
 		  /* If we got here, we know that:
 
@@ -1773,7 +1773,8 @@ validate_keys (int interactive)
 
 	  /* This can happen during transition from an old trustdb
 	     before trust sigs.  It can also happen if a user uses two
-	     different versions of GnuPG. */
+	     different versions of GnuPG or changes the --trust-model
+	     setting. */
 	  if(k->ownertrust<min)
 	    {
 	      if(DBG_TRUST)