Diffusion GnuPG 773b8fbbe915

gpg: New option --override-compliance-check

Description

gpg: New option --override-compliance-check

* g10/gpg.c (oOverrideComplianceCheck): New.
(opts): Add new option.
(main): Set option and add check for batch mode.
* g10/options.h (opt): Add flags.override_compliance_check.
* g10/sig-check.c (check_signature2): Factor compliance checking out
to ...
(check_key_verify_compliance): New.  Turn error into a warning in
override mode.

There is one important use case for this: For systems configured
globally to use de-vs mode, Ed25519 and other key types are not
allowed because they are not listed in the BSI algorithm catalog.
Now, our release signing keys happen to be Ed25519 and thus we need to
offer a way for users to check new versions even if the system is in
de-vs mode. This does on purpose not work in --batch mode so that
scripted solutions won't accidentally pass a signature check.

Backported-from-master: fb26e144adfd93051501d58f5d0d4f8826ddf436

Details

Provenance: werner, authored on Wed, Oct 13, 5:25 PM
Parents: rGbb750cf4bae3: Post release updates
References: STABLE-BRANCH-2-2
Tasks: T5655: In de-vs mode it is not possible to verify sigs with Ed25519 release keys.