From a5381060d206ba86227dd42f5edbd4c59aa61a46 Mon Sep 17 00:00:00 2001 From: David Shaw Date: Wed, 18 Jun 2003 03:25:45 +0000 Subject: [PATCH] * hkp.c (hkp_search): Return proper error code on failure. * keyedit.c (sign_uids): Do not allow signing a user ID without a self-signature. --expert overrides. * options.skel: Use subkeys.pgp.net as the default keyserver. * trustdb.c (validate_one_keyblock): Certifications on revoked or expired uids do not count in the web of trust. --- g10/ChangeLog | 12 ++++++++++++ g10/hkp.c | 7 +++++-- g10/keyedit.c | 22 +++++++++++++++++++--- g10/options.skel | 6 +++--- g10/trustdb.c | 17 ++++++++++------- 5 files changed, 49 insertions(+), 15 deletions(-) diff --git a/g10/ChangeLog b/g10/ChangeLog index f41ff4752..358e90360 100644 --- a/g10/ChangeLog +++ b/g10/ChangeLog @@ -1,3 +1,15 @@ +2003-06-17 David Shaw + + * hkp.c (hkp_search): Return proper error code on failure. + + * keyedit.c (sign_uids): Do not allow signing a user ID without a + self-signature. --expert overrides. + + * options.skel: Use subkeys.pgp.net as the default keyserver. + + * trustdb.c (validate_one_keyblock): Certifications on revoked or + expired uids do not count in the web of trust. + 2003-06-14 David Shaw * keylist.c (list_keyblock_colon): Don't include validity values diff --git a/g10/hkp.c b/g10/hkp.c index 56c942166..287638371 100644 --- a/g10/hkp.c +++ b/g10/hkp.c @@ -366,7 +366,7 @@ parse_hkp_index(IOBUF buffer,char *line) { m_free(key); m_free(uid); - log_error(_("this keyserver is not fully HKP compatible\n")); + log_error(_("this keyserver does not support --search-keys\n")); return -1; } @@ -598,7 +598,10 @@ int hkp_search(STRLIST tokens) ret=parse_hkp_index(buffer,line); if(ret==-1) - break; + { + rc=G10ERR_KEYSERVER; + break; + } if(rc!=0) count+=ret; diff --git a/g10/keyedit.c b/g10/keyedit.c index 8ac7c1125..062fb992d 100644 --- a/g10/keyedit.c +++ b/g10/keyedit.c @@ -397,10 +397,26 @@ sign_uids( KBNODE keyblock, STRLIST locusr, int *ret_modified, tty_printf(_(" Unable to sign.\n")); } } - else if(!uidnode->pkt->pkt.user_id->created) + else if(!uidnode->pkt->pkt.user_id->created && !selfsig) { - tty_printf(_("WARNING: user ID \"%s\" is not " - "self-signed.\n"),user); + tty_printf(_("User ID \"%s\" is not self-signed."), + user); + + if(opt.expert) + { + tty_printf("\n"); + /* No, so remove the mark and continue */ + if(!cpr_get_answer_is_yes("sign_uid.nosig_okay", + _("Are you sure you " + "still want to sign " + "it? (y/N) "))) + uidnode->flag &= ~NODFLG_MARK_A; + } + else + { + uidnode->flag &= ~NODFLG_MARK_A; + tty_printf(_(" Unable to sign.\n")); + } } m_free(user); diff --git a/g10/options.skel b/g10/options.skel index 5c8afced2..c03221ff3 100644 --- a/g10/options.skel +++ b/g10/options.skel @@ -90,7 +90,7 @@ # support). # # Example HKP keyserver: -# x-hkp://subkeys.pgp.net +# hkp://subkeys.pgp.net # # Example email keyserver: # mailto:pgp-public-keys@keys.pgp.net @@ -101,7 +101,7 @@ # # Regular URL syntax applies, and you can set an alternate port # through the usual method: -# x-hkp://keyserver.example.net:22742 +# hkp://keyserver.example.net:22742 # # If you have problems connecting to a HKP server through a buggy http # proxy, you can use keyserver option broken-http-proxy (see below), @@ -112,7 +112,7 @@ # Most servers do synchronize with each other and DNS round-robin may # give you a quasi-random server each time. -#keyserver x-hkp://subkeys.pgp.net +keyserver hkp://subkeys.pgp.net #keyserver mailto:pgp-public-keys@keys.nl.pgp.net #keyserver ldap://pgp.surfnet.nl:11370 #keyserver ldap://keyserver.pgp.com diff --git a/g10/trustdb.c b/g10/trustdb.c index 3b972e339..55cc8d80e 100644 --- a/g10/trustdb.c +++ b/g10/trustdb.c @@ -1329,10 +1329,14 @@ validate_one_keyblock (KBNODE kb, struct key_item *klist, signed (but not self-signed) uid does carry trust, of a sort, even if it is a statement being made by people other than the key owner "through" the uids on the key owner's key. I'm - going with the latter. -dshaw */ + going with the latter. However, if the user ID was + explicitly revoked, or passively allowed to expire, that + should stop validity through the user ID until it is + resigned. -dshaw */ - /* && node->pkt->pkt.user_id->created) */ - if (node->pkt->pkttype == PKT_USER_ID) + if (node->pkt->pkttype == PKT_USER_ID + && !node->pkt->pkt.user_id->is_revoked + && !node->pkt->pkt.user_id->is_expired) { if (uidnode && issigned) { @@ -1346,12 +1350,11 @@ validate_one_keyblock (KBNODE kb, struct key_item *klist, } uidnode = node; uid=uidnode->pkt->pkt.user_id; -#if 0 - /* If the selfsig is going to expire... This is disabled as - we do count un-self-signed uids in the web of trust. */ + + /* If the selfsig is going to expire... */ if(uid->expiredate && uid->expiredate<*next_expire) *next_expire = uid->expiredate; -#endif + issigned = 0; get_validity_counts(pk,uid); mark_usable_uid_certs (kb, uidnode, main_kid, klist,