gpg: New option --override-compliance-check

* g10/gpg.c (oOverrideComplianceCheck): New. (opts): Add new option. (main): Set option and add check for batch mode. * g10/options.h (opt): Add flags.override_compliance_check. * g10/sig-check.c (check_signature2): Factor complaince checking out to ... (check_key_verify_compliance): this. Turn error into a warning in override mode. -- There is one important use case for this: For systems configured globally to use de-vs mode, Ed25519 and other key types are not allowed because they are not listred in the BSI algorithm catalog. Now, our release signing keys happen to be Ed25519 and thus we need to offer a way for users to check new versions even if the system is in de-vs mode. This does on purpose not work in --batch mode so that scripted solutions won't accidently pass a signature check. GnuPG-bug-id: 5655
2025-07-03 22:56:33 +02:00 · 2021-10-13 17:25:28 +02:00 · 2021-10-13 17:25:28 +02:00 · fb26e144ad
commit fb26e144ad
parent d7d26eff85
4 changed files with 56 additions and 12 deletions
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@ -3471,6 +3471,15 @@ To avoid a minor risk of collision attacks on third-party key
 signatures made using SHA-1, those key signatures are considered
 invalid.  This options allows to override this restriction.

+@item --override-compliance-check
+@opindex --override-compliance-check
+The signature verification only allows the use of keys suitable in the
+current compliance mode.  If the compliance mode has been forced by a
+global option, there might be no way to check certain signature.  This
+option allows to override this and prints an extra warning in such a
+case.  This option is ignored in --batch mode so that no accidental
+unattended verification may happen.
+
@item --no-default-keyring
@opindex no-default-keyring
 Do not add the default keyring to the list of keyrings. Note that