* sm/call-dirmngr.c (run_command_inq_cb): Support ISTRUSTED.
(inq_certificate): Distinguish unsupported inquiry error.
--
When loading a CRL through "gpgsm --call-dirmngr loadcrl foo"
dirmngr can ask gpgsm back if a certificate used ISTRUSTED, which
previously resulted in an error.
(cherry picked from commit 6b36c16f77722d17f4f317c788701cbc1e9552b2)
That commit was from the 2.2 branch and we forgot to forward port it.
* dirmngr/dirmngr.c (debug_flags): Add "keeptmp".
(set_debug): Don't set in with "guru".
* dirmngr/dirmngr.h (DBG_KEEPTMP_VALUE): New.
--
Note that flag is not yet used.
* common/openpgp-oid.c (oidtable): Add them.
(oid_ed25519_v5, oid_cv25519_v5): New.
(openpgp_oidbuf_is_ed25519): Take new OID in account.
(openpgp_oidbuf_is_cv25519): Ditto.
--
ed25519 is used in GnuPG and other implementations since 2015 and thus
we can't simply switch to the shorter OIDs. However, we have not
widely used them with v5 keys (only ed448 forced the use of v5) and
thus it might be possible to use the new OIDs with v5 keys.
Note that Libgcrypt supports the new OIDs even in 1.8.
* g10/gpg.c (main): Replace setmode by es_set_binary and use only when
needed.
--
It is better to use our es_set_binary than to use a Windows specific
method which still worked but is fragile because estream might be
changed. We now set binary only when needed. Note that it does not
harm to call es_set_binary more often than needed.
* g10/options.h (LIST_SHOW_UNUSABLE_SIGS): New.
* g10/gpg.c (parse_list_options): Add "show-unusable-sigs".
* g10/keydb.h (keyid_eq): New.
(pk_is_primary): New.
* g10/keylist.c (list_signature_print): Early return for weak key
signatures. Print "self-signature" instead of user-id.
(list_keyblock_print): Simplify and always set self-sig node flag.
--
This patch avoid the printing of often hundreds of "Invalid digest
algorithm" notices during key signature listings if those key
signatures were done with SHA1. The new option can be used to revert
the behaviour.
We now also print "[self-signature]" with --check-sigs or --list-sigs
instead of the primary user id. This makes such listing easier to read.
* agent/findkey.c (public_key_from_file): Add arg r_sshorder.
(agent_ssh_key_from_file): Ditto.
* agent/command-ssh.c (struct key_collection_item_s): New.
(struct key_collection_s): New.
(search_control_file): Add art r_lnr.
(add_to_key_array): New.
(free_key_array): New.
(compare_key_collection_items): New.
(ssh_send_available_keys): Rewrite to return the keys in the user
given order.
--
GnuPG-bug-id: 6212
We now first return the keys from active cards, followed by keys
listed in sshcontrol, finally from those with the "Use-for-ssh" key
attribute. Keys from active cards are returned sorted by their S/N.
Keys from sshcontrol are returned in the order they are given in that
file. Use-for-ssh keys are ordered by the value assigned to that key
attribute. The values for the latter are clamped at 99999.
* g10/gpg.c (parse_list_options): Set value for show-sig-subpackets.
--
Fixes-commit: 811cfa34cb3e7166f0cf1f94565504dee21cd9f5
and thus a regression in 2.4.0
* common/name-value.c (nvc_get_boolean): Rewrite.
--
The function may now return a positive or negative number instead of
just 1 for true. All callers were already prepared for this.
GnuPG-bug-id: 6212
--
The profiles are not any longer useful because global options are way
more powerful (/etc/gnupg/gpg.conf et al.). The use of systemd is
deprecated because of additional complexity and the race between
systemd based autolaunching and the explicit gnupg based and lockfile
protected autolaunching.
GnuPG-bug-id: 6336
* common/compliance.c (gnupg_pk_is_allowed): Handle EdDSA.
* g10/gpg.c (oOverrideComplianceCheck): Remove.
(opts): Turn --override-compliance-check into a dummy option.
* g10/options.h (opt): Remove override_compliance_check.
* g10/sig-check.c (check_key_verify_compliance): Remove use of that
option.
--
The introduction of --override-compliance-check actually hid the real
cause for the signature verification problem in de-vs mode for the
Ed25519 key. The real fix is to handle the EdDSA algorithm in
gnupg_pk_is_allowed.
Fixes-commit: fb26e144adfd93051501d58f5d0d4f8826ddf436
GnuPG-bug-id: 5655
* tools/wks-util.c (write_to_file): Rename to ...
(wks_write_to_file): this, make global, and support NULL for fname.
* tools/gpg-wks-client.c (command_check): Write to key.
* tools/call-dirmngr.c (wkd_get_status_cb): Deetect and output warning
and note stati from dirmngr.
--
This is in particular helpful to check for non-proper TLS
certificates.
* common/iobuf.c (file_filter_ctx_t): Add fields for the peek feature.
(file_filter): Implement peeking.
(iobuf_ioctl): Add new IOBUF_IOCTL_PEEK.
* common/iobuf.h (IOBUF_IOCTL_PEEK, IOBUFCTRL_PEEK): New.
* common/miscellaneous.c (is_file_compressed): Rewrite. Detect PDF.
* g10/encrypt.c (encrypt_simple): Peek before detecting compression.
(encrypt_crypt): Ditto.
* g10/sign.c (sign_file): Also detect already compressed data.
* g10/options.h (opt): Add explicit_compress_option.
* g10/gpg.c (main): Set opt.explicit_compress_option for -z.
--
Note that this patch also introduces a compression check for signing
which was never done in the past.
GnuPG-bug-id: 6332
* tools/gpgtar-create.c (gpgtar_create): Do not close the status_fd in
spawn.
* tools/gpgtar-extract.c (gpgtar_extract): Ditto.
* tools/gpgtar-list.c (gpgtar_list): Ditto.
--
Note that this fix does not handle file descripotors passed via the
--gpg-args options.
GnuPG-bug-id: 6348
* common/compliance.c (gnupg_pk_is_compliant): Also consider the
gcrypt vids for ECDSA et al.
(gnupg_pk_is_allowed): Ditto.
* sm/verify.c (gpgsm_verify): Consider the curve. Print a compliance
notice for a non-compliant key.
* sm/certchain.c (gpgsm_validate_chain): Silence the "switching to
chain model".
* tests/gpgme/Makefile.am: Don't use setup.scm/ dir.
* tests/gpgme/all-tests.scm: Fix the name of the environment.
--
GnuPG-bug-id: 6313
Fixes-commit: c19ea75f10d6278569619f90977ce7c820e9319d
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* g10/cipher-aead.c (do_flush): Use %llu and a cast.
* g10/decrypt-data.c (aead_underflow): Ditto.
--
Fixes-commit: b2cedc108d5cabb07f496c31c11c9cba6f328f76
We don't use the system's printf but the one implemented by
us (gpgrt's estream-printf) thus the PRIu64 may or may not be correct.
We can't do much about the -Wformat errors due to our different
implementation.
