[git] GnuPG - branch, STABLE-BRANCH-2-2, updated. gnupg-2.2.6-10-g23a7145

by Werner Koch cvs at cvs.gnupg.org
Thu Apr 12 16:48:24 CEST 2018



The branch, STABLE-BRANCH-2-2 has been updated
       via  23a714598c247d78cfda46a6dc338b17e17cc194 (commit)
      from  e2bd152a928d79ddfb95fd2f7911c80a1a8d5a21 (commit)


- Log -----------------------------------------------------------------
commit 23a714598c247d78cfda46a6dc338b17e17cc194
Author: Werner Koch <wk at gnupg.org>
Date:   Thu Apr 12 16:41:05 2018 +0200

    gpg: Extend the ERRSIG status line with a fingerprint.
    
    * g10/mainproc.c (issuer_fpr_raw): New.
    (issuer_fpr_string): Re-implement using issuer_fpr_rtaw.
    (check_sig_and_print): Don't free ISSUER_FPR.  Use ISSUER_FPR_RAW.
    Use write_status_printf.  Extend ERRSIG status.
    --
    
    Modern OpenPGP implementations put the ISSUER_FPR into the signature
    to make it easier to discover the public key needed to check the
    signature.  This is also useful in error messages and thus we add it.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/NEWS b/NEWS
index 403c2a0..cd547a1 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,9 @@ Noteworthy changes in version 2.2.7 (unreleased)
   * gpg: New option --no-symkey-cache to disable the passphrase cache
     for symmetrical en- and decryption.
 
+  * gpg: The ERRSIG status now prints the fingerprint if that is part
+    of the signature.
+
 
 Noteworthy changes in version 2.2.6 (2018-04-09)
 ------------------------------------------------
diff --git a/doc/DETAILS b/doc/DETAILS
index e54e8a0..2d78fec 100644
--- a/doc/DETAILS
+++ b/doc/DETAILS
@@ -435,14 +435,17 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB:
     available.  This is the case with CMS and might eventually also be
     available for OpenPGP.
 
-*** ERRSIG  <keyid>  <pkalgo> <hashalgo> <sig_class> <time> <rc>
+*** ERRSIG  <keyid>  <pkalgo> <hashalgo> <sig_class> <time> <rc> <fpr>
     It was not possible to check the signature.  This may be caused by
     a missing public key or an unsupported algorithm.  A RC of 4
     indicates unknown algorithm, a 9 indicates a missing public
     key. The other fields give more information about this signature.
     sig_class is a 2 byte hex-value.  The fingerprint may be used
-    instead of the keyid if it is available.  This is the case with
-    gpgsm and might eventually also be available for OpenPGP.
+    instead of the long_keyid_or_fpr if it is available.  This is the
+    case with gpgsm and might eventually also be available for
+    OpenPGP.  The ERRSIG line has FPR filed which is only available
+    since 2.2.7; that FPR may either be missing or - if the signature
+    has no fingerprint as meta data.
 
     Note, that TIME may either be the number of seconds since Epoch or
     an ISO 8601 string.  The latter can be detected by the presence of
@@ -717,7 +720,9 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB:
     The used key has been revoked by its owner.  No arguments yet.
 
 *** NO_PUBKEY  <long keyid>
-    The public key is not available
+    The public key is not available.  Note the arg should in general
+    not be used because it is better to take it from the ERRSIG
+    status line which is printed right before this one.
 
 *** NO_SECKEY  <long keyid>
     The secret key is not available
diff --git a/g10/mainproc.c b/g10/mainproc.c
index 512d33c..8582827 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -1608,6 +1608,26 @@ akl_has_wkd_method (void)
 }
 
 
+/* Return the ISSUER fingerprint buffer and its lenbgth at R_LEN.
+ * Returns NULL if not available.  The returned buffer is valid as
+ * long as SIG is not modified.  */
+static const byte *
+issuer_fpr_raw (PKT_signature *sig, size_t *r_len)
+{
+  const byte *p;
+  size_t n;
+
+  p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_ISSUER_FPR, &n);
+  if (p && n == 21 && p[0] == 4)
+    {
+      *r_len = n - 1;
+      return p+1;
+    }
+  *r_len = 0;
+  return NULL;
+}
+
+
 /* Return the ISSUER fingerprint string in human readbale format if
  * available.  Caller must release the string.  */
 static char *
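Review bot: issuer_fpr_raw only recognises a 21-byte subpacket whose first byte is 4 (the `n == 21 && p[0] == 4` test) and silently returns NULL for any other fingerprint version or length, but the header comment does not say so, and it also has a typo (`lenbgth`). The comment should further make explicit that the bytes come from the signature's own hashed ISSUER_FPR subpacket, which has not been verified at this point, so the value is only a hint for locating the key rather than an authenticated identity of the signer. I would rewrite the header to state: that only a v4 (20-byte SHA-1) fingerprint is returned, that `*R_LEN` is set to 0 and NULL returned otherwise, that the value is an unverified hint from the signature, and that the buffer stays valid as long as SIG is not modified, e.g. starting with `/* Return the v4 (20 byte SHA-1) ISSUER fingerprint from SIG's hashed subpackets and its length at R_LEN. */`.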
@@ -1616,10 +1636,8 @@ issuer_fpr_string (PKT_signature *sig)
   const byte *p;
   size_t n;
 
-  p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_ISSUER_FPR, &n);
-  if (p && n == 21 && p[0] == 4)
-    return bin2hex (p+1, n-1, NULL);
-  return NULL;
+  p = issuer_fpr_raw (sig, &n);
+  return p? bin2hex (p, n, NULL) : NULL;
 }
 
 
@@ -1659,7 +1677,7 @@ check_sig_and_print (CTX c, kbnode_t node)
   int rc;
   int is_expkey = 0;
   int is_revkey = 0;
-  char *issuer_fpr;
+  char *issuer_fpr = NULL;
   PKT_public_key *pk = NULL;  /* The public key for the signature or NULL. */
   int tried_ks_by_fpr;
 
@@ -1786,13 +1804,14 @@ check_sig_and_print (CTX c, kbnode_t node)
     write_status_text (STATUS_NEWSIG, NULL);
 
   astr = openpgp_pk_algo_name ( sig->pubkey_algo );
-  if ((issuer_fpr = issuer_fpr_string (sig)))
+  issuer_fpr = issuer_fpr_string (sig);
+
+  if (issuer_fpr)
     {
       log_info (_("Signature made %s\n"), asctimestamp(sig->timestamp));
       log_info (_("               using %s key %s\n"),
                 astr? astr: "?", issuer_fpr);
 
-      xfree (issuer_fpr);
     }
   else if (!keystrlen () || keystrlen () > 8)
     {
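Review bot: The `xfree (issuer_fpr)` removed from this branch is replaced by a single `xfree` at the very end of check_sig_and_print, so the string now lives across the whole remainder of the function, whose body is outside this hunk; if any path between this assignment and that final free leaves the function with a direct `return` (early-exit on a processing error, for instance) the string leaks on that path. I cannot see the intervening code here, so this is a question rather than a confirmed leak, but the safe shape is to route every exit through a label, `leave:` / `xfree (issuer_fpr);` / `return rc;`, and replace any intermediate `return rc;` with `goto leave;`. A one-line comment at the assignment, `/* Owned here; released at the end of the function.  */`, would also make the changed ownership visible to the next reader.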
@@ -1899,14 +1918,14 @@ check_sig_and_print (CTX c, kbnode_t node)
       const byte *p;
       size_t n;
 
-      p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_ISSUER_FPR, &n);
-      if (p && n == 21 && p[0] == 4)
+      p = issuer_fpr_raw (sig, &n);
+      if (p)
         {
           /* v4 packet with a SHA-1 fingerprint.  */
           free_public_key (pk);
           pk = NULL;
           glo_ctrl.in_auto_key_retrieve++;
-          res = keyserver_import_fprint (c->ctrl, p+1, n-1, opt.keyserver, 1);
+          res = keyserver_import_fprint (c->ctrl, p, n, opt.keyserver, 1);
           tried_ks_by_fpr = 1;
           glo_ctrl.in_auto_key_retrieve--;
           if (!res)
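Review bot: The comment `/* v4 packet with a SHA-1 fingerprint.  */` now describes a check that no longer happens here, since the version and length test moved into issuer_fpr_raw; a reader of this hunk only sees `if (p)`. I would reword it to `/* issuer_fpr_raw only yields a v4 (SHA-1, 20 byte) fingerprint, so N is a full fingerprint length.  */` so the precondition that keyserver_import_fprint relies on is stated where it is used. It is also worth noting in that comment that the fingerprint is taken from the not-yet-verified signature and merely steers the lookup, which is the pre-existing behaviour but is easier to miss now that the parsing is hidden in the helper. The enclosing function continues outside this hunk.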
@@ -2273,22 +2292,22 @@ check_sig_and_print (CTX c, kbnode_t node)
     }
   else
     {
-      char buf[50];
-
-      snprintf (buf, sizeof buf, "%08lX%08lX %d %d %02x %lu %d",
-                (ulong)sig->keyid[0], (ulong)sig->keyid[1],
-                sig->pubkey_algo, sig->digest_algo,
-                sig->sig_class, (ulong)sig->timestamp, gpg_err_code (rc));
-      write_status_text (STATUS_ERRSIG, buf);
+      write_status_printf (STATUS_ERRSIG, "%08lX%08lX %d %d %02x %lu %d %s",
+                           (ulong)sig->keyid[0], (ulong)sig->keyid[1],
+                           sig->pubkey_algo, sig->digest_algo,
+                           sig->sig_class, (ulong)sig->timestamp,
+                           gpg_err_code (rc),
+                           issuer_fpr? issuer_fpr:"-");
       if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY)
         {
-          buf[16] = 0;
-          write_status_text (STATUS_NO_PUBKEY, buf);
+          write_status_printf (STATUS_NO_PUBKEY, "%08lX%08lX",
+                               (ulong)sig->keyid[0], (ulong)sig->keyid[1]);
 	}
       if (gpg_err_code (rc) != GPG_ERR_NOT_PROCESSED)
         log_error (_("Can't check signature: %s\n"), gpg_strerror (rc));
     }
 
+  xfree (issuer_fpr);
   return rc;
 }
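Review bot: The new trailing field of the ERRSIG status line is the fingerprint from the signature's own ISSUER_FPR subpacket, which at this point has not been verified, so a consumer of ERRSIG that uses it to decide which key to fetch or display must treat it as a lookup hint and not as an authenticated signer identity; nothing at the call site records that. I would add above the `write_status_printf (STATUS_ERRSIG, ...)` call: `/* The trailing FPR is the unverified ISSUER_FPR from the signature (a lookup hint only); "-" if the signature carries none.  */`. The NO_PUBKEY line deliberately still reports only the 64-bit key id, which matches the DETAILS text telling consumers to prefer the ERRSIG fields; a short comment saying so next to it would stop someone "fixing" it later. The earlier part of check_sig_and_print is outside this hunk.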
 

-----------------------------------------------------------------------

Summary of changes:
 NEWS           |  3 +++
 doc/DETAILS    | 13 +++++++++----
 g10/mainproc.c | 57 ++++++++++++++++++++++++++++++++++++++-------------------
 3 files changed, 50 insertions(+), 23 deletions(-)

