gpgv: Tweak default options for extra security.
Not On Permanent Ref: This commit is not an ancestor of any permanent ref.

Description

gpgv: Tweak default options for extra security.

* g10/gpgv.c (main): Set opt.no_sig_cache, so that it doesn't depend on
cached status.  Similarly, set opt.flags.require_cross_cert for backsig
validation for subkey signature.

It is common that an organization distributes binary keyrings with
signature cache (Tag 12, Trust Packet) and people use gpgv to validate
signature with such keyrings. In such a use case, it is possible that
the key validation itself is skipped.

For the purpose of gpgv validation of signatures, we should not depend
on signature cache in keyrings (if any), but we should validate the key
by its self signature for primary key, and back signature for subkey.

  • Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
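
The commit message above refers to binary keyrings that carry a signature cache in Trust Packets (Tag 12). As an added example (not part of the commit or of GnuPG's code), this Python scanner walks the packet headers of a keyring blob per RFC 4880 and reports where Trust Packets occur, so a distributor can check whether a keyring ships such data. The function names and the sample bytes are constructed for illustration; the packet bodies are placeholders, not real key material.

```python
# Added example: walks OpenPGP packet headers (RFC 4880, section 4.2) and
# reports Trust Packets (tag 12). Packet bodies are never interpreted.
TRUST_TAG = 12

def iter_packets(data):
    """Yield (tag, offset, body_length) for each packet in a keyring blob."""
    pos = 0
    while pos < len(data):
        start, first = pos, data[pos]
        if not first & 0x80:
            raise ValueError(f"offset {start}: not an OpenPGP packet header")
        pos += 1
        if first & 0x40:                        # new-format header
            tag = first & 0x3F
            if pos >= len(data):
                raise ValueError(f"offset {start}: truncated header")
            o1 = data[pos]
            pos += 1
            if o1 < 192:                        # one-octet length
                length = o1
            elif o1 < 224:                      # two-octet length
                length = ((o1 - 192) << 8) + int.from_bytes(data[pos:pos + 1], "big") + 192
                pos += 1
            elif o1 == 255:                     # five-octet length
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError(f"offset {start}: partial body length unsupported")
        else:                                   # old-format header
            tag = (first >> 2) & 0x0F
            nbytes = {0: 1, 1: 2, 2: 4}.get(first & 0x03)
            if nbytes is None:
                raise ValueError(f"offset {start}: indeterminate length unsupported")
            length = int.from_bytes(data[pos:pos + nbytes], "big")
            pos += nbytes
        if pos + length > len(data):
            raise ValueError(f"offset {start}: truncated packet")
        yield tag, start, length
        pos += length

def trust_packet_offsets(data):
    """Offsets of every Trust Packet; an empty list means none are present."""
    return [off for tag, off, _ in iter_packets(data) if tag == TRUST_TAG]

def old_packet(tag, body):
    """Build an old-format packet with a one-octet length (sample-data helper)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body

# Constructed samples: public key (6), user ID (13), signature (2), trust (12).
SAMPLE_CLEAN = old_packet(6, b"\x04" * 10) + old_packet(13, b"test@example")
SAMPLE_KEYRING = SAMPLE_CLEAN + old_packet(2, b"\x04" * 12) + old_packet(12, b"\x00\x03")
```
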

Details

Provenance
gniibe authored on Jul 9 2016, 3:20 AM
Parents
rGcbe467e794f3: gpg: Add export options "export-pka" and "export-dane".
Branches
Unknown
Tags
Unknown

Event Timeline

NIIBE Yutaka <gniibe@fsij.org> committed rGe32c575e0f37: gpgv: Tweak default options for extra security. (authored by NIIBE Yutaka <gniibe@fsij.org>). Jul 9 2016, 3:20 AM