[git] GnuPG - branch, STABLE-BRANCH-2-0, updated. gnupg-2.0.28-15-g60b0403

by Werner Koch cvs at cvs.gnupg.org
Tue Sep 1 07:47:04 CEST 2015 

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".

The branch, STABLE-BRANCH-2-0 has been updated
       via  60b0403f3ce50ee6f67fa94bf0342fb5b3988e2b (commit)
      from  80521c3ff900a09a1b382869783187c463144c77 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 60b0403f3ce50ee6f67fa94bf0342fb5b3988e2b
Author: Werner Koch <wk at gnupg.org>
Date:   Mon Aug 31 23:35:32 2015 +0200

    gpg: Obsolete --no-sig-create-check.
    
    * g10/gpg.c (opts): Make --no-sig-create-check a NOP.
    * g10/options.h (struct opt): Remove field "no_sig_create_check".
    * g10/sign.c (do_sign): Do not run the create check for Libgcrypt 1.7.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/doc/gpg.texi b/doc/gpg.texi
index 2808562..ee31d75 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -1719,12 +1719,7 @@ can be done if someone else has write access to your public keyring.
 
 @item --no-sig-create-check
 @opindex no-sig-create-check
-GnuPG normally verifies each signature right after creation to protect
-against bugs and hardware malfunctions which could leak out bits from
-the secret key. This extra verification needs some time (about 115%
-for DSA keys), and so this option can be used to disable it.
-However, due to the fact that the signature creation needs manual
-interaction, this performance penalty does not matter in most settings.
+This option is obsolete.  It has no function.
 
 @item --auto-check-trustdb
 @itemx --no-auto-check-trustdb
diff --git a/g10/gpg.c b/g10/gpg.c
index 060495e..3fb598c 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -331,7 +331,6 @@ enum cmd_and_opt_values
     oNoExpensiveTrustChecks,
     oFixedListMode,
     oNoSigCache,
-    oNoSigCreateCheck,
     oAutoCheckTrustDB,
     oNoAutoCheckTrustDB,
     oPreservePermissions,
@@ -697,7 +696,6 @@ static ARGPARSE_OPTS opts[] = {
   ARGPARSE_s_n (oAutoKeyRetrieve, "auto-key-retrieve", "@"),
   ARGPARSE_s_n (oNoAutoKeyRetrieve, "no-auto-key-retrieve", "@"),
   ARGPARSE_s_n (oNoSigCache,         "no-sig-cache", "@"),
-  ARGPARSE_s_n (oNoSigCreateCheck,   "no-sig-create-check", "@"),
   ARGPARSE_s_n (oAutoCheckTrustDB, "auto-check-trustdb", "@"),
   ARGPARSE_s_n (oNoAutoCheckTrustDB, "no-auto-check-trustdb", "@"),
   ARGPARSE_s_n (oMergeOnly,	  "merge-only", "@" ),
@@ -776,6 +774,7 @@ static ARGPARSE_OPTS opts[] = {
   /* Dummy options.  */
   ARGPARSE_s_n (oNoop, "sk-comments", "@"),
   ARGPARSE_s_n (oNoop, "no-sk-comments", "@"),
+  ARGPARSE_s_n (oNoop, "no-sig-create-check", "@"),
 
   ARGPARSE_end ()
 };
@@ -2816,7 +2815,6 @@ main (int argc, char **argv)
             }
             break;
           case oNoSigCache: opt.no_sig_cache = 1; break;
-          case oNoSigCreateCheck: opt.no_sig_create_check = 1; break;
 	  case oAllowNonSelfsignedUID: opt.allow_non_selfsigned_uid = 1; break;
 	  case oNoAllowNonSelfsignedUID: opt.allow_non_selfsigned_uid=0; break;
 	  case oAllowFreeformUID: opt.allow_freeform_uid = 1; break;
diff --git a/g10/options.h b/g10/options.h
index 9b12b77..cc8718e 100644
--- a/g10/options.h
+++ b/g10/options.h
@@ -194,7 +194,6 @@ struct
   int try_all_secrets;
   int no_expensive_trust_checks;
   int no_sig_cache;
-  int no_sig_create_check;
   int no_auto_check_trustdb;
   int preserve_permissions;
   int no_homedir_creation;
diff --git a/g10/sign.c b/g10/sign.c
index e7e79cc..58bc981 100644
--- a/g10/sign.c
+++ b/g10/sign.c
@@ -291,10 +291,16 @@ do_sign( PKT_secret_key *sk, PKT_signature *sig,
         gcry_mpi_release (frame);
       }
 
-    if (!rc && !opt.no_sig_create_check) {
+    if (!rc
+#if GCRYPT_VERSION_NUMBER >= 0x010700 /* Libgcrypt >= 1.7 */
+        && is_DSA (sk->pubkey_algo)
+#endif /* Libgcrypt >= 1.7 */
+        )
+      {
         /* Check that the signature verification worked and nothing is
-         * fooling us e.g. by a bug in the signature create
-         * code or by deliberately introduced faults. */
+         * fooling us e.g. by a bug in the signature creation code or by
+         * deliberately introduced faults.  Libgcrypt 1.7 includes
+         * this check for RSA and thus we don't need it in that case.  */
         PKT_public_key *pk = xmalloc_clear (sizeof *pk);
 
         if( get_pubkey( pk, sig->keyid ) )
@@ -312,6 +318,7 @@ do_sign( PKT_secret_key *sk, PKT_signature *sig,
                          g10_errstr (rc));
         free_public_key (pk);
     }
+
     if( rc )
 	log_error(_("signing failed: %s\n"), g10_errstr(rc) );
     else {

-----------------------------------------------------------------------

Summary of changes:
 doc/gpg.texi  |  7 +------
 g10/gpg.c     |  4 +---
 g10/options.h |  1 -
 g10/sign.c    | 13 ++++++++++---
 4 files changed, 12 insertions(+), 13 deletions(-)


hooks/post-receive
-- 
The GNU Privacy Guard
http://git.gnupg.org

More information about the Gnupg-commits mailing list