min-cert-level and lsigs

David Shaw dshaw at jabberwocky.com
Mon Feb 7 17:22:06 CET 2005


On Mon, Feb 07, 2005 at 07:28:14AM +0100, Peter Palfrader wrote:
> Hi,
> 
> I have signed several keys locally with lsigs, usually at cert level 1
> if I couldn't be bothered to do any checks other than having
> successfully used this key to communicate in the past.
> 
> Is there a way to accept local signatures regardless of certlevel, while
> still ignoring 0x11 signatures by other people?

It's certainly easy to do.  Something like this should do it
(untested):

Index: trustdb.c
===================================================================
RCS file: /cvs/gnupg/gnupg/g10/trustdb.c,v
retrieving revision 1.137
diff -u -r1.137 trustdb.c
--- trustdb.c   6 Feb 2005 17:38:43 -0000       1.137
+++ trustdb.c   7 Feb 2005 16:06:59 -0000
@@ -1435,7 +1435,8 @@
         continue; /* ignore self-signatures */
       if (!IS_UID_SIG(sig) && !IS_UID_REV(sig))
         continue; /* we only look at these signature classes */
-      if(sig->sig_class>=0x11 && sig->sig_class<=0x13 &&
+      if(sig->flags.exportable
+        && sig->sig_class>=0x11 && sig->sig_class<=0x13 &&
         sig->sig_class-0x10<opt.min_cert_level)
        continue;
       if (!is_in_klist (klist, sig))
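Review bot: the new condition in this hunk exempts every non-exportable (local) signature from the min-cert-level check, because when `sig->flags.exportable` is false the whole `&&` chain is false and the `continue` is skipped regardless of `sig_class`; that is the behaviour the reply asks for, but the intent is not obvious from reading the condition alone, so a short comment on the `if`, e.g. `/* local (non-exportable) sigs are not subject to min-cert-level */`, would help the next reader. Since the patch is marked untested, it is worth confirming that `flags.exportable` is already populated for the signature node at this point in the loop before relying on it. Minor style point: the surrounding lines use `if (` with a space while the changed lines use `if(`.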

> Should there be?

That's a harder question.  On the one hand, this change would make
local sigs different trust-wise than exportable sigs, which is
messier.  On the other hand, the whole point of local sigs is that
they are like a note from yourself, so they should be accepted
regardless of their class.  Then you get into questions about whether
it violates expectations and so on.

I'm rather sour on this whole 0x11 situation, and regret opening the
door by adding the ability to make them in the first place.

What do you think?

David



More information about the Gnupg-devel mailing list