Page MenuHome GnuPG

Add ability to mark critical notations as "recognized" during signature verification
Closed, ResolvedPublic


It is possible to add a critical notation during signature creation:

echo x | gpg --sign --sig-notation ! > f.sig

But there is currently no way to mark the critical signature notation as "recognized" during signature verification.

That could be used to create signatures that will not be broadly found as valid but could be validated with software that understands these notations.

gpgme_op_verify will return summary GPGME_SIGSUM_RED and status GPG_ERR_BAD_SIGNATURE (with source GPGME) when a signature with critical notation is encountered.

The change would probably be additional argument to verify function that would mark the notation as recognized (either using the notation key and value or just the key).

An open question is what would happen if I mark a notation as recognized but the signature does not contain it.



Revisions and Commits

Related Objects

Event Timeline

werner triaged this task as Normal priority.Jul 8 2018, 7:49 AM
werner added a project: gnupg (gpg22).
werner added a subscriber: werner.

re: last question: Marking a notation as recognized does not mean gpg does do anything with it or that it demands this notation. The latter can be handled by the caller. For example, gpg knows about "" but does not apply any semantic to it.

Agreed, after the verification succeeds the caller can (and probably will) check the signature notations.

werner claimed this task.

Will be in 2.2.10