agent: New option --no-user-trustlist and --sys-trustlist-name.

* agent/gpg-agent.c (oNoUserTrustlist,oSysTrustlistName): New. (opts): Add new option names. (parse_rereadable_options): Parse options. (finalize_rereadable_options): Reset allow-mark-trusted for the new option. * agent/agent.h (opt): Add fields no_user_trustlist and sys_trustlist_name. * agent/trustlist.c (make_sys_trustlist_name): New. (read_one_trustfile): Use here. (read_trustfiles): Use here. Implement --no-user-trustlist. Also repalce "allow_include" by "systrust" and adjust callers. -- With the global options we can now avoid that a user changes the Root-CA trust by editing the trustlist.txt. However, to implement this we need a new option so that we don't need to rely on some magic like --no-allow-mark-trusted has been put into a force section. The second option makes system administration easier as it allows to keep the trustlist in a non-distributed file. GnuPG-bug-id: 5990 Backported-from-master: 1530d04725
2025-07-02 22:46:30 +02:00 · 2022-06-14 14:25:21 +02:00 · 2022-06-14 14:25:21 +02:00 · d0bd91ba73
commit d0bd91ba73
parent abe69b2094
4 changed files with 77 additions and 17 deletions
--- a/agent/trustlist.c
+++ b/agent/trustlist.c
@ -128,8 +128,26 @@ clear_trusttable (void)
 }


+/* Return the name of the system trustlist.  Caller must free.  */
+static char *
+make_sys_trustlist_name (void)
+{
+  if (opt.sys_trustlist_name
+      && (strchr (opt.sys_trustlist_name, '/')
+          || strchr (opt.sys_trustlist_name, '\\')
+          || (*opt.sys_trustlist_name == '~'
+              && opt.sys_trustlist_name[1] == '/')))
+    return make_absfilename (opt.sys_trustlist_name, NULL);
+  else
+    return make_filename (gnupg_sysconfdir (),
+                          (opt.sys_trustlist_name ?
+                           opt.sys_trustlist_name : "trustlist.txt"),
+                          NULL);
+}
+
+
 static gpg_error_t
-read_one_trustfile (const char *fname, int allow_include,
+read_one_trustfile (const char *fname, int systrust,
                    trustitem_t **addr_of_table,
                    size_t *addr_of_tablesize,
                    int *addr_of_tableidx)
@ -188,7 +206,7 @@ read_one_trustfile (const char *fname, int allow_include,
          gpg_error_t err2;
          gpg_err_code_t ec;

-          if (!allow_include)
+          if (systrust)
            {
              log_error (_("statement \"%s\" ignored in '%s', line %d\n"),
                         "include-default", fname, lnr);
@ -196,7 +214,7 @@ read_one_trustfile (const char *fname, int allow_include,
            }
          /* fixme: Should check for trailing garbage.  */

-          etcname = make_filename (gnupg_sysconfdir (), "trustlist.txt", NULL);
+          etcname = make_sys_trustlist_name ();
          if ( !strcmp (etcname, fname) ) /* Same file. */
            log_info (_("statement \"%s\" ignored in '%s', line %d\n"),
                      "include-default", fname, lnr);
@ -208,7 +226,7 @@ read_one_trustfile (const char *fname, int allow_include,
            }
          else
            {
-              err2 = read_one_trustfile (etcname, 0,
+              err2 = read_one_trustfile (etcname, 1,
                                         &table, &tablesize, &tableidx);
              if (err2)
                err = err2;
@ -337,7 +355,7 @@ read_trustfiles (void)
  int tableidx;
  size_t tablesize;
  char *fname;
-  int allow_include = 1;
+  int systrust = 0;
  gpg_err_code_t ec;

  tablesize = 20;
@ -346,17 +364,24 @@ read_trustfiles (void)
    return gpg_error_from_syserror ();
  tableidx = 0;

-  fname = make_filename_try (gnupg_homedir (), "trustlist.txt", NULL);
-  if (!fname)
+  if (opt.no_user_trustlist)
+    fname = NULL;
+  else
    {
-      err = gpg_error_from_syserror ();
-      xfree (table);
-      return err;
+      fname = make_filename_try (gnupg_homedir (), "trustlist.txt", NULL);
+      if (!fname)
+        {
+          err = gpg_error_from_syserror ();
+          xfree (table);
+          return err;
+        }
    }

-  if ((ec = gnupg_access (fname, F_OK)))
+  if (!fname || (ec = gnupg_access (fname, F_OK)))
    {
-      if ( ec == GPG_ERR_ENOENT )
+      if (!fname)
+        ; /* --no-user-trustlist active.  */
+      else if ( ec == GPG_ERR_ENOENT )
        ; /* Silently ignore a non-existing trustfile.  */
      else
        {
@ -364,11 +389,10 @@ read_trustfiles (void)
          log_error (_("error opening '%s': %s\n"), fname, gpg_strerror (err));
        }
      xfree (fname);
-      fname = make_filename (gnupg_sysconfdir (), "trustlist.txt", NULL);
-      allow_include = 0;
+      fname = make_sys_trustlist_name ();
+      systrust = 1;
    }
-  err = read_one_trustfile (fname, allow_include,
-                            &table, &tablesize, &tableidx);
+  err = read_one_trustfile (fname, systrust, &table, &tablesize, &tableidx);
  xfree (fname);

  if (err)