* sig-check.c (signature_check2): Print the backsig warning when there
authorDavid Shaw <dshaw@jabberwocky.com>
Sun, 12 Mar 2006 15:33:57 +0000 (15:33 +0000)
committerDavid Shaw <dshaw@jabberwocky.com>
Sun, 12 Mar 2006 15:33:57 +0000 (15:33 +0000)
is no backsig present.  Give a URL for more information.

* keyedit.c (menu_backsign): Small tweak to work properly with keys
originally generated with older GnuPGs that included comments in the
secret keys.

g10/ChangeLog
g10/keyedit.c
g10/sig-check.c

index 85da8f2..c320ed7 100644 (file)
@@ -1,3 +1,12 @@
+2006-03-12  David Shaw  <dshaw@jabberwocky.com>
+
+       * sig-check.c (signature_check2): Print the backsig warning when
+       there is no backsig present.  Give a URL for more information.
+
+       * keyedit.c (menu_backsign): Small tweak to work properly with
+       keys originally generated with older GnuPGs that included comments
+       in the secret keys.
+
 2006-03-09  David Shaw  <dshaw@jabberwocky.com>
 
        * build-packet.c (string_to_notation): Add ability to indicate a
index fcee1b7..ce31bdc 100644 (file)
@@ -3699,9 +3699,10 @@ menu_backsign(KBNODE pub_keyblock,KBNODE sec_keyblock)
         keys), so we just pick the selfsig with the right class.
         This is what menu_expire does as well. */
       for(node2=node2->next;
-         node2 && node2->pkt->pkttype==PKT_SIGNATURE;
+         node2 && node2->pkt->pkttype!=PKT_SECRET_SUBKEY;
          node2=node2->next)
-       if(node2->pkt->pkt.signature->version>=4
+       if(node2->pkt->pkttype==PKT_SIGNATURE
+          && node2->pkt->pkt.signature->version>=4
           && node2->pkt->pkt.signature->keyid[0]==sig_pk->pkt->pkt.signature->keyid[0]
           && node2->pkt->pkt.signature->keyid[1]==sig_pk->pkt->pkt.signature->keyid[1]
           && node2->pkt->pkt.signature->sig_class==sig_pk->pkt->pkt.signature->sig_class)
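Review bot: The `for(node2=node2->next; ...)` loop now ends at the next `PKT_SECRET_SUBKEY` and relies on the new `node2->pkt->pkttype==PKT_SIGNATURE` test inside the `if` to skip everything else, but the comment above it still only explains picking the selfsig by class. Only the ChangeLog records why the loop no longer stops at the first non-signature packet, so a later cleanup could fold the type test back into the loop condition and reintroduce the failure on old keys. I would add a line to the existing comment such as `/* Walk up to the next subkey instead of stopping at the first non-signature packet: secret keys from older GnuPGs can have comment packets in between. */`. The type check must stay ahead of the `pkt.signature->` dereferences, as it does here. The body of menu_backsign starts and ends outside this hunk.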
index a444bbf..f09711e 100644 (file)
@@ -96,15 +96,17 @@ signature_check2( PKT_signature *sig, MD_HANDLE digest, u32 *r_expiredate,
           signaures issued by it. */
        if(rc==0 && !pk->is_primary && pk->backsig<2)
          {
-           /* TODO: In a future version, once enough signing subkeys
-              have backsigs, change this to always give the warning,
-              and have --require-backsigs enable or disable the
-              G10ERR_GENERAL. */
-           if(pk->backsig==0 && opt.flags.require_cross_cert)
+           if(pk->backsig==0)
              {
                log_info(_("WARNING: signing subkey %s is not"
                           " cross-certified\n"),keystr_from_pk(pk));
-               rc=G10ERR_GENERAL;
+               log_info(_("please see %s for more information\n"),
+                        "http://www.gnupg.org/subkey-cross-certify.html");
+               /* --require-cross-certification makes this warning an
+                     error.  TODO: change the default to require this
+                     after more keys have backsigs. */
+               if(opt.flags.require_cross_cert)
+                 rc=G10ERR_GENERAL;
              }
            else if(pk->backsig==1)
              {
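Review bot: In the `pk->backsig==0` branch, `rc` is left at 0 unless `opt.flags.require_cross_cert` is set, so by default a signature from a signing subkey with no backsig is still returned as good and the only signal is two `log_info` lines. The new comment records the TODO but not what the default leaves unverified, which is the information a maintainer needs when deciding to flip it. I would extend it along the lines of `/* Without a backsig the subkey has not itself certified that it belongs to this primary key; the signature is accepted on the primary's binding signature alone. */`. It may also be worth checking that callers running non-interactively can see this condition, since nothing in the hunk reports it other than the log text (whether a status line is emitted elsewhere is not visible here). The body of signature_check2 continues outside this hunk.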