gpg: Allow to create revocations even with non-compliant algos.

* g10/sign.c (do_sign): Skip compliance check for revocation certs. -- It just does not make sense to inhibit the creation of revocations depending on the compliance mode. We do this only for key revocation but not for another kind of revocation because the rationale for uid or subkey revocation is more complicated to explain.
2024-01-10 17:18:34 +01:00 · 2024-01-10 17:18:34 +01:00 · b7f45ee6ad
parent 275ced5067
commit b7f45ee6ad
1 changed files with 7 additions and 5 deletions
--- a/g10/sign.c
+++ b/g10/sign.c
@ -444,8 +444,9 @@ do_sign (ctrl_t ctrl, PKT_public_key *pksk, PKT_signature *sig,
      goto leave;
    }

-  /* Check compliance.  */
-  if (! gnupg_digest_is_allowed (opt.compliance, 1, mdalgo))
+  /* Check compliance but always allow for key revocations. */
+  if (!IS_KEY_REV (sig)
+      && ! gnupg_digest_is_allowed (opt.compliance, 1, mdalgo))
    {
      log_error (_("digest algorithm '%s' may not be used in %s mode\n"),
 		 gcry_md_algo_name (mdalgo),
@ -454,9 +455,10 @@ do_sign (ctrl_t ctrl, PKT_public_key *pksk, PKT_signature *sig,
      goto leave;
    }

-  if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING,
-                             pksk->pubkey_algo, 0,
-                             pksk->pkey, nbits_from_pk (pksk), NULL))
+  if (!IS_KEY_REV (sig)
+      && ! gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING,
+                                pksk->pubkey_algo, 0,
+                                pksk->pkey, nbits_from_pk (pksk), NULL))
    {
      log_error (_("key %s may not be used for signing in %s mode\n"),
                 keystr_from_pk (pksk),