gpg: Auto import keys specified with --trusted-keys.

* g10/getkey.c (get_pubkey_with_ldap_fallback): New. * g10/trustdb.c (verify_own_keys): Use it. (cherry picked from commit 100037ac0f)
2025-07-02 22:46:30 +02:00 · 2021-04-25 20:03:07 +02:00 · 2021-04-25 20:03:07 +02:00 · e7251be84c
commit e7251be84c
parent e53f603728
4 changed files with 47 additions and 6 deletions
--- a/g10/getkey.c
+++ b/g10/getkey.c
@ -558,6 +558,42 @@ leave:
 }


+/* Same as get_pubkey but if the key was not found the function tries
+ * to import it from LDAP.  FIXME: We should not need this but swicth
+ * to a fingerprint lookup.  */
+gpg_error_t
+get_pubkey_with_ldap_fallback (ctrl_t ctrl, PKT_public_key *pk, u32 *keyid)
+{
+  gpg_error_t err;
+
+  err = get_pubkey (ctrl, pk, keyid);
+  if (!err)
+    return 0;
+
+  if (gpg_err_code (err) != GPG_ERR_NO_PUBKEY)
+    return err;
+
+  /* Note that this code does not handle the case for two readers
+   * having both openpgp encryption keys.  Only one will be tried.  */
+  if (opt.debug)
+    log_debug ("using LDAP to find a public key\n");
+  err = keyserver_import_keyid (ctrl, keyid,
+                                opt.keyserver, KEYSERVER_IMPORT_FLAG_LDAP);
+  if (gpg_err_code (err) == GPG_ERR_NO_DATA
+      || gpg_err_code (err) == GPG_ERR_NO_KEYSERVER)
+    {
+      /* Dirmngr returns NO DATA is the selected keyserver
+       * does not have the requested key.  It returns NO
+       * KEYSERVER if no LDAP keyservers are configured.  */
+      err = gpg_error (GPG_ERR_NO_PUBKEY);
+    }
+  if (err)
+    return err;
+
+  return get_pubkey (ctrl, pk, keyid);
+}
+
+
 /* Similar to get_pubkey, but it does not take PK->REQ_USAGE into
 * account nor does it merge in the self-signed data.  This function
 * also only considers primary keys.  It is intended to be used as a
--- a/g10/keydb.h
+++ b/g10/keydb.h
@ -322,6 +322,10 @@ gpg_error_t get_pubkey_for_sig (ctrl_t ctrl,
 /* Return the public key with the key id KEYID and store it at PK.  */
 int get_pubkey (ctrl_t ctrl, PKT_public_key *pk, u32 *keyid);

+/* Same as get_pubkey but with auto LDAP fetch.  */
+gpg_error_t get_pubkey_with_ldap_fallback (ctrl_t ctrl,
+                                           PKT_public_key *pk, u32 * keyid);
+
 /* Similar to get_pubkey, but it does not take PK->REQ_USAGE into
   account nor does it merge in the self-signed data.  This function
   also only considers primary keys.  */
--- a/g10/trustdb.c
+++ b/g10/trustdb.c
@ -300,7 +300,7 @@ verify_own_keys (ctrl_t ctrl)
          PKT_public_key pk;

          memset (&pk, 0, sizeof pk);
-          rc = get_pubkey (ctrl, &pk, k->kid);
+          rc = get_pubkey_with_ldap_fallback (ctrl, &pk, k->kid);
          if (rc)
 	    log_info(_("key %s: no public key for trusted key - skipped\n"),
 		     keystr(k->kid));