Diffusion GnuPG d9fd52afaceb

g10: Skip signing keys where no secret key is available.

Authored by sa on Feb 5 2017, 10:31 PM.

Description

g10: Skip signing keys where no secret key is available.

* g10/getkey.c (finish_lookup): When requiring PUBKEY_USAGE_SIG, skip
over keys where no signing key is available.

This should only be relevant when gpg is required to choose which key
to sign with -- if verifying signatures, we already know which subkey
to look at, and indeed gpg doesn't seem to have a problem with this.

This patch comes from
https://bugs.gnupg.org/gnupg/file793/sign-fix.patch

I (dkg) have reviewed and tested it with missing local keys, and it
makes sense to me as the default behavior. If the user has the secret
key for a signing-capable subkey available and the command is --sign,
it should be used.

If the user has explicitly specified a subkey that happens to be
missing (e.g. with the trailing ! for --default-key 0x${FPR}!) then
this does not override that behavior (the signature will still fail).

  • GnuPG-bug-id: T1967
  • Debian-bug-id: #834922
  • Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>