Please provide an option to make --verify accept only signatures from specific trusted UID
Open, Needs Triage, Public

Description

FWIU, currently --verify considers a signature trusted if it is made using a key that has at least one trusted UID. This is suboptimal for batch checking since it means that a person whose identity I've verified in the past can add a forged UID and while it will be untrusted, a lot of programs will happily assume that the signature is trusted.

Of course, this can currently be solved at program level. However, it's quite inconvenient (a lot of plumbing work in the end), and upstreams actively refuse to do it. For example, Evolution maintainers closed a report of this problem, claiming that changes on GnuPG must happen first.

I believe it would be helpful if GnuPG had an additional option to specify the apparent UID (e-mail address) that the signature is expected to originate from. If this option is used, GnuPG should consider a signature trusted only if the signing key has a matching UID and that UID is trusted. Otherwise, it should consider the signature untrusted even if the key is normally considered trusted.

For example:

$ gpg --verify test.gpg 
gpg: Signature made Wed Oct 30 17:44:59 2019 CET
gpg:                using RSA key C76A845094098D28CC8B26C5639ADAE2329E240E
gpg: Good signature from "Michał Górny (Gentoo) <mgorny@gentoo.org>" [ultimate]
gpg:                 aka "keybase.io/mgorny <mgorny@keybase.io>" [ultimate]
gpg:                 aka "Michał Górny (XMPP) <mgorny@jabber.ru>" [ultimate]
gpg:                 aka "Michał Górny (NetBSD) <mgorny@NetBSD.org>" [ultimate]

BUT if I did:

$ gpg --new-fancy-uid-option alice@example.com --verify test.gpg 

it would report the signature as untrusted because alice@example.com is not a trusted UID on that key.

mgorny created this task. Wed, Oct 30, 5:55 PM
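Pending such an option, the "program level" check the report describes can be done by a wrapper around gpg's machine-readable output. The following Python is an added example, not code from the task or from GnuPG; it assumes the caller has captured the `--status-fd` output of `--verify` and a `--with-colons --list-keys` listing of the signing key, and it uses constructed sample lines in place of both.

```python
import re

# Constructed sample of `gpg --status-fd 1 --verify test.gpg` output. The
# fingerprint is the one from the report; the other values are illustrative.
STATUS_LINES = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 639ADAE2329E240E Michał Górny (Gentoo) <mgorny@gentoo.org>
[GNUPG:] VALIDSIG C76A845094098D28CC8B26C5639ADAE2329E240E 2019-10-30 1572453899 0 4 0 1 8 00 C76A845094098D28CC8B26C5639ADAE2329E240E
[GNUPG:] TRUST_ULTIMATE 0 pgp
""".splitlines()

# Constructed sample of `gpg --with-colons --list-keys <fpr>`. Field 2 of a
# uid record is its validity (u = ultimate, f = full, m = marginal, - = unknown);
# the forged alice@example.com UID is present but not validated.
COLON_LINES = """\
pub:u:4096:1:639ADAE2329E240E:1400000000:::u:::scESC::::::23::0:
fpr:::::::::C76A845094098D28CC8B26C5639ADAE2329E240E:
uid:u::::1400000000::HASH1::Michał Górny (Gentoo) <mgorny@gentoo.org>::::::::::0:
uid:u::::1400000000::HASH2::keybase.io/mgorny <mgorny@keybase.io>::::::::::0:
uid:-::::1572000000::HASH3::Alice Forged <alice@example.com>::::::::::0:
""".splitlines()


def parse_verify_status(lines):
    """Return (primary key fingerprint, TRUST_* level) or (None, None)."""
    fpr, trust = None, None
    for line in lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if fields[1] == "VALIDSIG":
            fpr = fields[-1]  # last field is the primary key fingerprint
        elif fields[1].startswith("TRUST_"):
            trust = fields[1][len("TRUST_"):]
    return fpr, trust


def uid_validities(colon_lines):
    """Map lower-cased e-mail -> validity letter; also return the key's fingerprint."""
    uids, fpr = {}, None
    for line in colon_lines:
        f = line.split(":")
        if f[0] == "fpr" and fpr is None:
            fpr = f[9]
        elif f[0] == "uid":
            m = re.search(r"<([^>]+)>", f[9])
            if m:
                uids[m.group(1).lower()] = f[1]
    return fpr, uids


def signature_trusted_for(expected_email, status_lines, colon_lines):
    """Accept only if the signature is valid on a fully/ultimately trusted key
    AND expected_email is a fully/ultimately valid UID on that same key."""
    sig_fpr, trust = parse_verify_status(status_lines)
    if sig_fpr is None or trust not in ("FULLY", "ULTIMATE"):
        return False
    key_fpr, uids = uid_validities(colon_lines)
    if key_fpr != sig_fpr:  # listing must describe the key that signed
        return False
    return uids.get(expected_email.lower()) in ("f", "u")
```

With the constructed inputs, `mgorny@gentoo.org` is accepted while `alice@example.com` is rejected even though the key itself is ultimately trusted, which is the behaviour the report asks for.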
werner added a subscriber: werner. Thu, Oct 31, 9:58 AM

So you mean we should take the signer's UID (which can be part of the signature) into account when displaying the user id? Right now we display the primary UID followed by _all_ other user IDs so that the verifier has an overview of the associated user ids.

No. I mean to have an option for the caller to provide apparent UID in context to the --verify option, and have that influence the result. This is important for automated software that can't rely on user rechecking the result.