Add ability to mark critical notations as "recognized" during signature verification
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	wiktor-k
	Jul 7 2018, 10:43 PM

Description

It is possible to add a critical notation during signature creation:

echo x | gpg --sign --sig-notation !target@metacode.biz=node-1 > f.sig

But there is currently no way to mark the critical signature notation as "recognized" during signature verification.

That could be used to create signatures that will not be broadly found as valid but could be validated with software that understands these notations.

gpgme_op_verify will return summary GPGME_SIGSUM_RED and status GPG_ERR_BAD_SIGNATURE (with source GPGME) when a signature with critical notation is encountered.

The change would probably be additional argument to verify function that would mark the notation as recognized (either using the notation key and value or just the key).

An open question is what would happen if I mark a notation as recognized but the signature does not contain it.

Details

Version: 2.2.8

Revisions and Commits

rG GnuPG
	rGa59a9962f48f gpg: New option --known-notation.
	rG3da835713fb6 gpg: New option --known-notation.

Related Objects

Mentioned In: T4112: GnuPG 2.2.10 release

Event Timeline

wiktor-k created this task.Jul 7 2018, 10:43 PM

re: last question: Marking a notation as recognized does not mean gpg does do anything with it or that it demands this notation. The latter can be handled by the caller. For example, gpg knows about "preferred-email-encoding@pgp.com" but does not apply any semantic to it.

Agreed, after the verification succeeds the caller can (and probably will) check the signature notations.

BenM added a subscriber: BenM.Jul 13 2018, 5:57 AM

• werner added a commit: rG3da835713fb6: gpg: New option --known-notation..Aug 29 2018, 9:46 AM

• werner added a commit: rGa59a9962f48f: gpg: New option --known-notation..

Will be in 2.2.10

Thank you!

• werner mentioned this in T4112: GnuPG 2.2.10 release.Aug 30 2018, 3:58 PM