diff --git a/common/compliance.c b/common/compliance.c
index c552f0275..992c1d3e3 100644
--- a/common/compliance.c
+++ b/common/compliance.c
@@ -358,6 +358,10 @@ gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance,
 case PUBKEY_ALGO_EDDSA:
+ if (use == PK_USE_VERIFICATION)
+ result = 1;
+ else /* We may not create such signatures in de-vs mode. */
+ result = 0;
 break;
 default:
diff --git a/doc/gpg.texi b/doc/gpg.texi
index d6320f576..4f09d4e2c 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -3424,13 +3424,7 @@ signatures made using SHA-1, those key signatures are considered
 invalid. This options allows to override this restriction.
 @item --override-compliance-check
-@opindex --override-compliance-check
-The signature verification only allows the use of keys suitable in the
-current compliance mode. If the compliance mode has been forced by a
-global option, there might be no way to check certain signature. This
-option allows to override this and prints an extra warning in such a
-case. This option is ignored in --batch mode so that no accidental
-unattended verification may happen.
+This was a temporary introduced option and has no more effect.
 @item --no-default-keyring
 @opindex no-default-keyring
diff --git a/g10/gpg.c b/g10/gpg.c
index d7b75a1d8..d4ba3d867 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -350,7 +350,6 @@ enum cmd_and_opt_values
 oShowSessionKey,
 oOverrideSessionKey,
 oOverrideSessionKeyFD,
- oOverrideComplianceCheck,
 oNoRandomSeedFile,
 oAutoKeyRetrieve,
 oNoAutoKeyRetrieve,
@@ -856,7 +855,6 @@ static ARGPARSE_OPTS opts[] = {
 ARGPARSE_s_s (oCipherAlgo, "cipher-algo", "@"),
 ARGPARSE_s_s (oDigestAlgo, "digest-algo", "@"),
 ARGPARSE_s_s (oCertDigestAlgo, "cert-digest-algo", "@"),
- ARGPARSE_s_n (oOverrideComplianceCheck, "override-compliance-check", "@"),
 /* Options to override new security defaults. */
 ARGPARSE_s_n (oAllowWeakKeySignatures, "allow-weak-key-signatures", "@"),
 ARGPARSE_s_n (oAllowWeakDigestAlgos, "allow-weak-digest-algos", "@"),
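Review bot: In the `common/compliance.c` hunk, the new `if (use == PK_USE_VERIFICATION)` branch under `case PUBKEY_ALGO_EDDSA:` accepts every EdDSA key for verification, but only the `else` branch carries an explanation. Because the same commit removes `--override-compliance-check`, this return value appears to be the only thing deciding whether an EdDSA signature can be checked in this mode. If that is the intent, state it at the branch, for example `/* Verifying is always permitted; only creating EdDSA signatures is refused here. */`. The enclosing switch and the compliance-mode test are outside the hunk, so which modes actually reach this case cannot be confirmed from the lines shown.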
@@ -953,6 +951,7 @@ static ARGPARSE_OPTS opts[] = {
 ARGPARSE_s_n (oNoop, "no-force-mdc", "@"),
 ARGPARSE_s_n (oNoop, "disable-mdc", "@"),
 ARGPARSE_s_n (oNoop, "no-disable-mdc", "@"),
+ ARGPARSE_s_n (oNoop, "override-compliance-check", "@"),
 ARGPARSE_group (302, N_(
@@ -3593,10 +3592,6 @@ main (int argc, char **argv)
 opt.flags.allow_weak_key_signatures = 1;
 break;
- case oOverrideComplianceCheck:
- opt.flags.override_compliance_check = 1;
- break;
-
 case oFakedSystemTime:
 {
 size_t len = strlen (pargs.r.ret_str);
@@ -3793,15 +3788,6 @@ main (int argc, char **argv)
 g10_exit(2);
 }
- /* We allow overriding the compliance check only in non-batch mode
- * so that the user has a chance to see the message. */
- if (opt.flags.override_compliance_check && opt.batch)
- {
- opt.flags.override_compliance_check = 0;
- log_info ("Note: '%s' ignored due to batch mode\n",
- "--override-compliance-check");
- }
-
 set_debug (debug_level);
 if (opt.verbose) /* Print the compatibility flags. */
 parse_compatibility_flags (NULL, &opt.compat_flags, compatibility_flags);
diff --git a/g10/options.h b/g10/options.h
index 020b558aa..2333c6973 100644
--- a/g10/options.h
+++ b/g10/options.h
@@ -238,7 +238,6 @@ struct
 unsigned int allow_multiple_messages:1;
 unsigned int allow_weak_digest_algos:1;
 unsigned int allow_weak_key_signatures:1;
- unsigned int override_compliance_check:1;
 unsigned int large_rsa:1;
 unsigned int disable_signer_uid:1;
 unsigned int include_key_block:1;
diff --git a/g10/sig-check.c b/g10/sig-check.c
index eeaf6f0df..ec136024b 100644
--- a/g10/sig-check.c
+++ b/g10/sig-check.c
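Review bot: Mapping `"override-compliance-check"` to `oNoop` in the first `opts[]` hunk means an existing gpg.conf or script that still passes the option is accepted without any diagnostic, assuming the `oNoop` handler (outside the hunk) is silent as its name suggests. A user who relied on the option will then get a hard failure from `check_key_verify_compliance` with no hint that the option stopped having an effect. The entry should at least say why it is kept, for example `/* Obsolete: the verification compliance check can no longer be overridden; kept so old configs still parse. */`. If the project has a convention for warning about obsolete options, applying it here would make the change visible to operators.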
@@ -75,17 +75,10 @@ check_key_verify_compliance (PKT_public_key *pk)
 NULL))
 {
 /* Compliance failure. */
- log_info (_("key %s may not be used for signing in %s mode\n"),
+ log_error (_("key %s may not be used for signing in %s mode\n"),
 keystr_from_pk (pk),
 gnupg_compliance_option_string (opt.compliance));
- if (opt.flags.override_compliance_check)
- log_info (_("continuing verification anyway due to option %s\n"),
- "--override-compliance-failure");
- else
- {
- log_inc_errorcount (); /* We used log info above. */
- err = gpg_error (GPG_ERR_PUBKEY_ALGO);
- }
+ err = gpg_error (GPG_ERR_PUBKEY_ALGO);
 }
 return err;
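Review bot: The surviving comment `/* Compliance failure. */` no longer tells the reader that this path is now unconditionally fatal; something like `/* Compliance failure: always an error, there is no override. */` would record the policy where it is enforced. The switch from `log_info` to `log_error` also replaces the removed explicit `log_inc_errorcount ()`, so the error count now depends on `log_error` bumping it itself. That is consistent with the removed remark "We used log info above", but is worth confirming since the process exit status presumably depends on it. The function begins above the hunk, so any header comment that still mentions the override cannot be checked from here.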