[Pkg-gnupg-commit] [gnupg2] 03/09: skip missing signing keys (Closes: #834922)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu May 11 02:43:35 UTC 2017


This is an automated email from the git hooks/post-receive script.

dkg pushed a commit to branch experimental
in repository gnupg2.

commit 38c06ba3ec4414f3ec9f476c4fc5b881037c6ede
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date:   Tue Apr 25 22:48:02 2017 -0400

    skip missing signing keys (Closes: #834922)
---
 debian/patches/0046-g10-Minor-fixes.patch          |  2 +-
 debian/patches/series                              |  1 +
 ...gning-keys-where-no-secret-key-is-availab.patch | 51 ++++++++++++++++++++++
 3 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/debian/patches/0046-g10-Minor-fixes.patch b/debian/patches/0046-g10-Minor-fixes.patch
index a33580c..f739460 100644
--- a/debian/patches/0046-g10-Minor-fixes.patch
+++ b/debian/patches/0046-g10-Minor-fixes.patch
@@ -38,7 +38,7 @@ index 9b203e3..ce79a2f 100644
    subkey_list_t subkey_list = NULL;  /* Track already processed subkeys. */
    int skip_until_subkey = 0;
 diff --git a/g10/getkey.c b/g10/getkey.c
-index dab63fa..75b8564 100644
+index 99bb98e..6ee9fe5 100644
 --- a/g10/getkey.c
 +++ b/g10/getkey.c
 @@ -1654,7 +1654,8 @@ get_best_pubkey_byname (ctrl_t ctrl, GETKEY_CTX *retctx, PKT_public_key *pk,
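Review bot: the refreshed `index 99bb98e..6ee9fe5` pre-image matches the post-image of the new patch (`index dab63fa..99bb98e` in 0013-g10-Skip-signing-keys...), so the chain is consistent and this is a header refresh only; the hunk body for get_best_pubkey_byname is untouched, so the one thing to confirm is that 0046 still applies cleanly in the new order.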
diff --git a/debian/patches/series b/debian/patches/series
index 5b4e16c..a99ffe1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,6 +10,7 @@ gpg-agent-idling/0009-agent-Allow-threads-to-interrupt-main-select-loop-wi.patch
 gpg-agent-idling/0010-agent-Avoid-tight-timer-tick-when-possible.patch
 gpg-agent-idling/0011-agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch
 skel-file-removal/0012-g10-remove-skeleton-options-files.patch
+skip-missing-signing-keys/0013-g10-Skip-signing-keys-where-no-secret-key-is-availab.patch
 0013-agent-Minor-fix-for-get_client_pid.patch
 0014-gpgscm-Simplify-substring-operation.patch
 0015-gpgscm-Simplify-get-output-string-operation.patch
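Review bot: the added patch is numbered 0013 but the very next entry in the series is already 0013-agent-Minor-fix-for-get_client_pid.patch, so two patches in the stack now share the 0013 prefix. The skip-missing-signing-keys/ subdirectory keeps the paths distinct, so nothing breaks, but giving the new patch its own number (or dropping the numeric prefix for the subdirectory patches) would keep the ordering readable.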
diff --git a/debian/patches/skip-missing-signing-keys/0013-g10-Skip-signing-keys-where-no-secret-key-is-availab.patch b/debian/patches/skip-missing-signing-keys/0013-g10-Skip-signing-keys-where-no-secret-key-is-availab.patch
new file mode 100644
index 0000000..1b455fc
--- /dev/null
+++ b/debian/patches/skip-missing-signing-keys/0013-g10-Skip-signing-keys-where-no-secret-key-is-availab.patch
@@ -0,0 +1,51 @@
+From: Simon Arlott <simon at arlott.org>
+Date: Sun, 5 Feb 2017 16:31:35 -0500
+Subject: g10: Skip signing keys where no secret key is available.
+
+* g10/getkey.c (finish_lookup): When requiring PUBKEY_USAGE_SIG, skip
+over keys where no signing key is available.
+
+--
+
+This should only be relevant when gpg is required to choose which key
+to sign with -- if verifying signatures, we already know which subkey
+to look at, and indeed gpg doesn't seem to have a problem with this.
+
+This patch comes from
+https://bugs.gnupg.org/gnupg/file793/sign-fix.patch
+
+I (dkg) have reviewed and tested it with missing local keys, and it
+makes sense to me as the default behavior.  If the user has the secret
+key for a signing-capable subkey available and the command is --sign,
+it should be used.
+
+If the user has explicitly specified a subkey that happens to be
+missing (e.g. with the trailing ! for --default-key 0x${FPR}!) then
+this does not override that behavior (the signature will still fail).
+
+GnuPG-bug-id: 1967
+Debian-bug-id: 834922
+
+Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+---
+ g10/getkey.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/g10/getkey.c b/g10/getkey.c
+index dab63fa..99bb98e 100644
+--- a/g10/getkey.c
++++ b/g10/getkey.c
+@@ -3548,6 +3548,13 @@ finish_lookup (kbnode_t keyblock, unsigned int req_usage, int want_exact,
+ 	      continue;
+ 	    }
+ 
++	  if ((req_usage & PUBKEY_USAGE_SIG) && agent_probe_secret_key (NULL, pk))
++	    {
++	      if (DBG_LOOKUP)
++		log_debug ("\tno secret key for signing\n");
++	      continue;
++	    }
++
+ 	  if (DBG_LOOKUP)
+ 	    log_debug ("\tsubkey might be fine\n");
+ 	  /* In case a key has a timestamp of 0 set, we make sure
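Review bot: the new check `if ((req_usage & PUBKEY_USAGE_SIG) && agent_probe_secret_key (NULL, pk))` treats every non-zero return from agent_probe_secret_key as "no secret key", so a transient agent problem (agent not running, IPC failure) would silently drop otherwise usable signing subkeys during lookup instead of surfacing an error; consider skipping only on the no-secret-key result and propagating other errors, or at least including the error code in the DBG_LOOKUP message so the cause is visible. Two smaller points: this adds an agent round-trip per candidate subkey whenever PUBKEY_USAGE_SIG is requested, which the commit message's "only relevant when gpg is required to choose which key to sign with" should be checked against, and the hunk only touches the subkey loop (the `subkey might be fine` path), so whether the primary-key path in finish_lookup gets the same treatment is not visible here.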

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git