diff --git a/g10/ChangeLog b/g10/ChangeLog index f9958dd6a..4075bb77a 100644 --- a/g10/ChangeLog +++ b/g10/ChangeLog @@ -1,3 +1,24 @@ +2003-08-21 David Shaw + + * gpgv.c: Remove extra semicolon (typo). + + * options.skel: Note that keyserver.pgp.com isn't synchronized, + and explain the roundrobin a bit better. + + * sig-check.c (check_key_signature2), import.c (import_one, + import_revoke_cert, chk_self_sigs, delete_inv_parts, + collapse_uids, merge_blocks): Make much quieter during import of + slightly munged, but recoverable, keys. Use log_error for + unrecoverable import failures. + + * keyring.c (keyring_rebuild_cache): Comment. + + * sign.c (mk_notation_and_policy): Making a v3 signature with + notations or policy urls is an error, not an info (i.e. increment + the errorcount). Don't print the notation or policy url to stdout + since it can be mixed into the output stream when piping and munge + the stream. + 2003-08-12 David Shaw * packet.h, sig-check.c (signature_check2, do_check, diff --git a/g10/gpgv.c b/g10/gpgv.c index f06b92a6a..5116f33ef 100644 --- a/g10/gpgv.c +++ b/g10/gpgv.c @@ -229,7 +229,7 @@ check_signatures_trust( PKT_signature *sig ) void read_trust_options(byte *trust_model,ulong *created,ulong *nextcheck, - byte *marginals,byte *completes,byte *cert_depth) {}; + byte *marginals,byte *completes,byte *cert_depth) {} /* Stub: * We don't have the trustdb , so we have to provide some stub functions diff --git a/g10/import.c b/g10/import.c index ac4ab7291..8d94c3967 100644 --- a/g10/import.c +++ b/g10/import.c @@ -592,7 +592,8 @@ import_one( const char *fname, KBNODE keyblock, clear_kbnode_flags( keyblock ); - if((options&IMPORT_REPAIR_PKS_SUBKEY_BUG) && fix_pks_corruption(keyblock)) + if((options&IMPORT_REPAIR_PKS_SUBKEY_BUG) && fix_pks_corruption(keyblock) + && opt.verbose) log_info(_("key %08lX: PKS subkey corruption repaired\n"), (ulong)keyid[1]); @@ -614,11 +615,9 @@ import_one( const char *fname, KBNODE keyblock, } if( !delete_inv_parts( fname, keyblock, keyid, options ) ) { - if( !opt.quiet ) { - log_info( _("key %08lX: no valid user IDs\n"), - (ulong)keyid[1]); - log_info(_("this may be caused by a missing self-signature\n")); - } + log_error( _("key %08lX: no valid user IDs\n"), (ulong)keyid[1]); + if( !opt.quiet ) + log_info(_("this may be caused by a missing self-signature\n")); stats->no_user_id++; return 0; } @@ -980,8 +979,8 @@ import_revoke_cert( const char *fname, KBNODE node, struct stats_s *stats ) pk = m_alloc_clear( sizeof *pk ); rc = get_pubkey( pk, keyid ); if( rc == G10ERR_NO_PUBKEY ) { - log_info( _("key %08lX: no public key - " - "can't apply revocation certificate\n"), (ulong)keyid[1]); + log_error( _("key %08lX: no public key - " + "can't apply revocation certificate\n"), (ulong)keyid[1]); rc = 0; goto leave; } @@ -1126,15 +1125,18 @@ chk_self_sigs( const char *fname, KBNODE keyblock, rc = check_key_signature( keyblock, n, NULL); if( rc ) { - char *p=utf8_to_native(unode->pkt->pkt.user_id->name, + if( opt.verbose ) + { + char *p=utf8_to_native(unode->pkt->pkt.user_id->name, strlen(unode->pkt->pkt.user_id->name),0); - log_info( rc == G10ERR_PUBKEY_ALGO ? - _("key %08lX: unsupported public key " - "algorithm on user id \"%s\"\n"): - _("key %08lX: invalid self-signature " - "on user id \"%s\"\n"), - (ulong)keyid[1],p); - m_free(p); + log_info( rc == G10ERR_PUBKEY_ALGO ? + _("key %08lX: unsupported public key " + "algorithm on user id \"%s\"\n"): + _("key %08lX: invalid self-signature " + "on user id \"%s\"\n"), + (ulong)keyid[1],p); + m_free(p); + } } else unode->flag |= 1; /* mark that signature checked */ @@ -1146,17 +1148,19 @@ chk_self_sigs( const char *fname, KBNODE keyblock, revocation targets, this may need to be revised. */ if( !knode ) { - log_info( _("key %08lX: no subkey for subkey " - "binding signature\n"),(ulong)keyid[1]); + if(opt.verbose) + log_info( _("key %08lX: no subkey for key binding\n"), + (ulong)keyid[1]); n->flag |= 4; /* delete this */ } else { rc = check_key_signature( keyblock, n, NULL); if( rc ) { - log_info( rc == G10ERR_PUBKEY_ALGO ? + if(opt.verbose) + log_info(rc == G10ERR_PUBKEY_ALGO ? _("key %08lX: unsupported public key algorithm\n"): - _("key %08lX: invalid subkey binding\n"), - (ulong)keyid[1]); + _("key %08lX: invalid subkey binding\n"), + (ulong)keyid[1]); n->flag|=4; } else { @@ -1167,8 +1171,9 @@ chk_self_sigs( const char *fname, KBNODE keyblock, bsnode->flag|=4; /* Delete the last binding sig since this one is newer */ - log_info(_("key %08lX: removed multiple subkey " - "binding\n"),(ulong)keyid[1]); + if(opt.verbose) + log_info(_("key %08lX: removed multiple subkey " + "binding\n"),(ulong)keyid[1]); } bsnode=n; @@ -1187,18 +1192,21 @@ chk_self_sigs( const char *fname, KBNODE keyblock, See the comment in getkey.c:merge_selfsigs_subkey for more */ if( !knode ) { - log_info( _("key %08lX: no subkey for subkey " - "revocation signature\n"),(ulong)keyid[1]); + if(opt.verbose) + log_info( _("key %08lX: no subkey for key revocation\n"), + (ulong)keyid[1]); n->flag |= 4; /* delete this */ } else { rc = check_key_signature( keyblock, n, NULL); if( rc ) { - log_info( rc == G10ERR_PUBKEY_ALGO ? + if(opt.verbose) + log_info(rc == G10ERR_PUBKEY_ALGO ? _("key %08lX: unsupported public key algorithm\n"): - _("key %08lX: invalid subkey revocation\n"), - (ulong)keyid[1]); - n->flag|=4; + _("key %08lX: invalid subkey revocation\n"), + (ulong)keyid[1]); + + n->flag|=4; } else { /* It's valid, so is it newer? */ @@ -1207,8 +1215,9 @@ chk_self_sigs( const char *fname, KBNODE keyblock, rsnode->flag|=4; /* Delete the last revocation sig since this one is newer */ - log_info(_("key %08lX: removed multiple subkey " - "revocation signatures\n"),(ulong)keyid[1]); + if(opt.verbose) + log_info(_("key %08lX: removed multiple subkey " + "revocation\n"),(ulong)keyid[1]); } rsnode=n; @@ -1295,18 +1304,18 @@ delete_inv_parts( const char *fname, KBNODE keyblock, * to import non-exportable signature when we have the * the secret key used to create this signature - it * seems that this makes sense */ - log_info( _("key %08lX: non exportable signature " - "(class %02x) - skipped\n"), - (ulong)keyid[1], - node->pkt->pkt.signature->sig_class ); + if(opt.verbose) + log_info( _("key %08lX: non exportable signature " + "(class %02x) - skipped\n"), + (ulong)keyid[1], node->pkt->pkt.signature->sig_class ); delete_kbnode( node ); } else if( node->pkt->pkttype == PKT_SIGNATURE && node->pkt->pkt.signature->sig_class == 0x20 ) { if( uid_seen ) { - log_error( _("key %08lX: revocation certificate " - "at wrong place - skipped\n"), - (ulong)keyid[1]); + if(opt.verbose) + log_info( _("key %08lX: revocation certificate " + "at wrong place - skipped\n"), (ulong)keyid[1]); delete_kbnode( node ); } else { @@ -1321,9 +1330,10 @@ delete_inv_parts( const char *fname, KBNODE keyblock, int rc = check_key_signature( keyblock, node, NULL); if( rc ) { - log_error( _("key %08lX: invalid revocation " - "certificate: %s - skipped\n"), - (ulong)keyid[1], g10_errstr(rc)); + if(opt.verbose) + log_info( _("key %08lX: invalid revocation " + "certificate: %s - skipped\n"), + (ulong)keyid[1], g10_errstr(rc)); delete_kbnode( node ); } } @@ -1333,17 +1343,18 @@ delete_inv_parts( const char *fname, KBNODE keyblock, (node->pkt->pkt.signature->sig_class == 0x18 || node->pkt->pkt.signature->sig_class == 0x28) && !subkey_seen ) { - log_error( _("key %08lX: subkey signature " - "in wrong place - skipped\n"), - (ulong)keyid[1]); + if(opt.verbose) + log_info( _("key %08lX: subkey signature " + "in wrong place - skipped\n"), (ulong)keyid[1]); delete_kbnode( node ); } else if( node->pkt->pkttype == PKT_SIGNATURE && !IS_CERT(node->pkt->pkt.signature)) { - log_error(_("key %08lX: unexpected signature class (0x%02X) -" - " skipped\n"),(ulong)keyid[1], - node->pkt->pkt.signature->sig_class); + if(opt.verbose) + log_info(_("key %08lX: unexpected signature class (0x%02X) -" + " skipped\n"),(ulong)keyid[1], + node->pkt->pkt.signature->sig_class); delete_kbnode(node); } else if( (node->flag & 4) ) /* marked for deletion */ @@ -1439,8 +1450,9 @@ collapse_uids( KBNODE *keyblock ) kid1 = keyid_from_sk( n->pkt->pkt.secret_key, NULL ); else kid1 = 0; - log_info(_("key %08lX: duplicated user ID detected - merged\n"), - (ulong)kid1); + if(!opt.quiet) + log_info(_("key %08lX: duplicated user ID detected - merged\n"), + (ulong)kid1); return 1; } @@ -1563,14 +1575,17 @@ merge_blocks( const char *fname, KBNODE keyblock_orig, KBNODE keyblock, } } if( !found ) { - char *p=get_user_id_printable (keyid); KBNODE n2 = clone_kbnode(node); insert_kbnode( keyblock_orig, n2, 0 ); n2->flag |= 1; ++*n_sigs; - log_info(_("key %08lX: \"%s\" revocation certificate added\n"), - (ulong)keyid[1],p); - m_free(p); + if(!opt.quiet) + { + char *p=get_user_id_printable (keyid); + log_info(_("key %08lX: \"%s\" revocation " + "certificate added\n"), (ulong)keyid[1],p); + m_free(p); + } } } } @@ -1599,8 +1614,9 @@ merge_blocks( const char *fname, KBNODE keyblock_orig, KBNODE keyblock, insert_kbnode( keyblock_orig, n2, 0 ); n2->flag |= 1; ++*n_sigs; - log_info( _("key %08lX: direct key signature added\n"), - (ulong)keyid[1]); + if(!opt.quiet) + log_info( _("key %08lX: direct key signature added\n"), + (ulong)keyid[1]); } } } diff --git a/g10/keyring.c b/g10/keyring.c index f8b6e1520..a18cbbad2 100644 --- a/g10/keyring.c +++ b/g10/keyring.c @@ -1377,6 +1377,13 @@ keyring_rebuild_cache (void *token) { if (node->pkt->pkttype == PKT_SIGNATURE) { + /* Note that this doesn't cache the result of a + revocation issued by a designated revoker. This is + because the pk in question does not carry the revkeys + as we haven't merged the key and selfsigs. It is + questionable whether this matters very much since + there are very very few designated revoker revocation + packets out there. */ check_key_signature (keyblock, node, NULL); sigcount++; } diff --git a/g10/options.skel b/g10/options.skel index c03221ff3..3d15f811c 100644 --- a/g10/options.skel +++ b/g10/options.skel @@ -109,8 +109,12 @@ # regarding proxies (keyserver option honor-http-proxy) # # Most users just set the name and type of their preferred keyserver. -# Most servers do synchronize with each other and DNS round-robin may -# give you a quasi-random server each time. +# Note that most servers (with the notable exception of +# ldap://keyserver.pgp.com) synchronize changes with each other. Note +# also that a single server name may actually point to multiple +# servers via DNS round-robin. hkp://subkeys.pgp.net is an example of +# such a "server", which spreads the load over a number of physical +# servers. keyserver hkp://subkeys.pgp.net #keyserver mailto:pgp-public-keys@keys.nl.pgp.net diff --git a/g10/sig-check.c b/g10/sig-check.c index c3b6f041a..699153959 100644 --- a/g10/sig-check.c +++ b/g10/sig-check.c @@ -564,7 +564,7 @@ check_key_signature2( KBNODE root, KBNODE node, PKT_public_key *check_pk, md_close(md); } else { - if (!opt.quiet) + if (opt.verbose) log_info (_("key %08lX: no subkey for subkey " "revocation signature\n"), (ulong)keyid_from_pk (pk, NULL)); diff --git a/g10/sign.c b/g10/sign.c index c55035798..d90f2bdbc 100644 --- a/g10/sign.c +++ b/g10/sign.c @@ -72,18 +72,25 @@ mk_notation_policy_etc( PKT_signature *sig, args.pk=pk; args.sk=sk; + /* It is actually impossible to get here when making a v3 key + signature since keyedit.c:sign_uids will automatically bump a + signature with a notation or policy url up to v4, but it is + good to do these checks anyway. */ + /* notation data */ if(IS_SIG(sig) && opt.sig_notation_data) { if(sig->version<4) - log_info("can't put notation data into v3 signatures\n"); + log_error(_("can't put notation data into v3 (PGP 2.x style) " + "signatures\n")); else nd=opt.sig_notation_data; } else if( IS_CERT(sig) && opt.cert_notation_data ) { if(sig->version<4) - log_info("can't put notation data into v3 key signatures\n"); + log_error(_("can't put notation data into v3 (PGP 2.x style) " + "key signatures\n")); else nd=opt.cert_notation_data; } @@ -123,21 +130,20 @@ mk_notation_policy_etc( PKT_signature *sig, m_free(buf); } - if(opt.list_options&LIST_SHOW_NOTATION) - show_notation(sig,0,0); - /* set policy URL */ if( IS_SIG(sig) && opt.sig_policy_url ) { if(sig->version<4) - log_info("can't put a policy URL into v3 signatures\n"); + log_error(_("can't put a policy URL into v3 (PGP 2.x style) " + "signatures\n")); else pu=opt.sig_policy_url; } else if( IS_CERT(sig) && opt.cert_policy_url ) { if(sig->version<4) - log_info("can't put a policy URL into v3 key signatures\n"); + log_error(_("can't put a policy URL into v3 key (PGP 2.x style) " + "signatures\n")); else pu=opt.cert_policy_url; } @@ -161,9 +167,6 @@ mk_notation_policy_etc( PKT_signature *sig, m_free(s); } - if(opt.list_options&LIST_SHOW_POLICY) - show_policy_url(sig,0,0); - /* preferred keyserver URL */ if( IS_SIG(sig) && opt.sig_keyserver_url ) {