authorWerner Koch <wk@gnupg.org>2004-05-03 15:37:38 +0200
committerWerner Koch <wk@gnupg.org>2004-05-03 15:37:38 +0200
commit30bbef1a285929422bd99d648592e146cd5418ae (patch)
treecc826fb8208072461b4c1f884b979204872e0f50
parent(main) <gpgconf>: Use gpg.conf and not /dev/null as (diff)
* gpg-agent.c: Remove help texts for options like --lc-ctype.
(main): New option --allow-mark-trusted. * trustlist.c (agent_marktrusted): Use it here. * gpg-agent.texi (Agent Options): Add --allow-mark-trusted. * gpgconf-comp.c: Add --allow-mark-trusted for the gpg-agent.
-rw-r--r--agent/ChangeLog6
-rw-r--r--agent/agent.h1
-rw-r--r--agent/gpg-agent.c33
-rw-r--r--agent/trustlist.c6
-rw-r--r--doc/ChangeLog4
-rw-r--r--doc/gpg-agent.texi6
-rw-r--r--tools/ChangeLog4
-rw-r--r--tools/gpgconf-comp.c3
8 files changed, 51 insertions, 12 deletions
diff --git a/agent/ChangeLog b/agent/ChangeLog
index 2f2b1e410..cf4ae79bf 100644
--- a/agent/ChangeLog
+++ b/agent/ChangeLog
@@ -1,3 +1,9 @@
+2004-05-03 Werner Koch <wk@gnupg.org>
+
+ * gpg-agent.c: Remove help texts for options lile --lc-ctype.
+ (main): New option --allow-mark-trusted.
+ * trustlist.c (agent_marktrusted): Use it here.
+
2004-04-30 Werner Koch <wk@gnupg.org>
* protect-tool.c: New option --enable-status-msg.
diff --git a/agent/agent.h b/agent/agent.h
index a4312e081..99fdc0547 100644
--- a/agent/agent.h
+++ b/agent/agent.h
@@ -58,6 +58,7 @@ struct {
int running_detached; /* we are running detached from the tty. */
int ignore_cache_for_signing;
+ int allow_mark_trusted;
int keep_tty; /* don't switch the TTY (for pinentry) on request */
int keep_display; /* don't switch the DISPLAY (for pinentry) on request */
} opt;
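Review bot: The new field `allow_mark_trusted` has no comment, although it is the only switch in this struct that gates writes to the trust list. A short trailing comment in the style of its neighbours would do, for example `int allow_mark_trusted; /* allow clients to add keys to trustlist.txt */`. The struct definition starts outside this hunk, so only the visible members were compared.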
diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
index 3bf62c26f..ad6ef33ea 100644
--- a/agent/gpg-agent.c
+++ b/agent/gpg-agent.c
@@ -80,6 +80,7 @@ enum cmd_and_opt_values
oDisablePth,
oIgnoreCacheForSigning,
+ oAllowMarkTrusted,
oKeepTTY,
oKeepDISPLAY,
@@ -109,21 +110,26 @@ static ARGPARSE_OPTS opts[] = {
{ oLogFile, "log-file" ,2, N_("use a log file for the server")},
{ oDisablePth, "disable-pth", 0, N_("do not allow multiple connections")},
- { oPinentryProgram, "pinentry-program", 2 , "path to PIN Entry program" },
- { oDisplay, "display", 2, "set the display" },
- { oTTYname, "ttyname", 2, "set the tty terminal node name" },
- { oTTYtype, "ttytype", 2, "set the tty terminal type" },
- { oLCctype, "lc-ctype", 2, "set the tty LC_CTYPE value" },
- { oLCmessages, "lc-messages", 2, "set the tty LC_MESSAGES value" },
+ { oPinentryProgram, "pinentry-program", 2 ,
+ N_("|PGM|use PGM as the PIN-Entry program") },
+ { oScdaemonProgram, "scdaemon-program", 2 ,
+ N_("|PGM|use PGM as the SCdaemon program") },
- { oScdaemonProgram, "scdaemon-program", 2 , "path to SCdaemon program" },
- { oDefCacheTTL, "default-cache-ttl", 4,
- "|N|expire cached PINs after N seconds"},
- { oIgnoreCacheForSigning, "ignore-cache-for-signing", 0,
- "do not use the PIN cache when signing"},
+ { oDisplay, "display", 2, "@" },
+ { oTTYname, "ttyname", 2, "@" },
+ { oTTYtype, "ttytype", 2, "@" },
+ { oLCctype, "lc-ctype", 2, "@" },
+ { oLCmessages, "lc-messages", 2, "@" },
{ oKeepTTY, "keep-tty", 0, N_("ignore requests to change the TTY")},
{ oKeepDISPLAY, "keep-display",
0, N_("ignore requests to change the X display")},
+
+ { oDefCacheTTL, "default-cache-ttl", 4,
+ N_("|N|expire cached PINs after N seconds")},
+ { oIgnoreCacheForSigning, "ignore-cache-for-signing", 0,
+ N_("do not use the PIN cache when signing")},
+ { oAllowMarkTrusted, "allow-mark-trusted", 0,
+ N_("allow clients to mark keys as \"trusted\"")},
{0}
};
@@ -336,6 +342,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
opt.scdaemon_program = NULL;
opt.def_cache_ttl = DEFAULT_CACHE_TTL;
opt.ignore_cache_for_signing = 0;
+ opt.allow_mark_trusted = 0;
return 1;
}
@@ -367,6 +374,8 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
case oIgnoreCacheForSigning: opt.ignore_cache_for_signing = 1; break;
+ case oAllowMarkTrusted: opt.allow_mark_trusted = 1; break;
+
default:
return 0; /* not handled */
}
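Review bot: Handling `oAllowMarkTrusted` inside parse_rereadable_options means the trust-list gate can be switched on in an already running agent by a configuration re-read, and nothing at the `case` line says so. The GC_OPT_FLAG_RUNTIME entry printed in main confirms that this is intended. The earlier hunk in this function resets the flag to 0 on reread, which keeps the default closed, so the gap is only in documentation. I would add a comment above the case such as `/* Security relevant: lets clients add entries to trustlist.txt; may change on reread. */`. The function body begins and ends outside both hunks.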
@@ -648,6 +657,8 @@ main (int argc, char **argv )
GC_OPT_FLAG_NONE|GC_OPT_FLAG_RUNTIME);
printf ("ignore-cache-for-signing:%lu:\n",
GC_OPT_FLAG_NONE|GC_OPT_FLAG_RUNTIME);
+ printf ("allow-mark-trusted:%lu:\n",
+ GC_OPT_FLAG_NONE|GC_OPT_FLAG_RUNTIME);
agent_exit (0);
}
diff --git a/agent/trustlist.c b/agent/trustlist.c
index 5c3271ac0..19de0708d 100644
--- a/agent/trustlist.c
+++ b/agent/trustlist.c
@@ -224,7 +224,7 @@ agent_listtrusted (void *assuan_context)
/* Insert the given fpr into our trustdb. We expect FPR to be an all
uppercase hexstring of 40 characters. FLAG is either 'P' or 'C'.
- This function does first check whether that key has alreay ben put
+ This function does first check whether that key has alreay been put
into the trustdb and returns success in this case. Before a FPR
actually gets inserted, the user is asked by means of the pin-entry
whether this is actual wants he want to do.
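Review bot: The header comment of agent_marktrusted still describes the old contract and does not mention the gate this commit adds further down. It should state that a fingerprint not yet in the trustdb is only inserted when --allow-mark-trusted is set, and that GPG_ERR_NOT_SUPPORTED is returned otherwise. While the line is being touched, `alreay` is still misspelled and the last visible sentence could read `whether this is actually what he wants to do`. The comment continues past the end of this hunk.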
@@ -265,6 +265,10 @@ agent_marktrusted (CTRL ctrl, const char *name, const char *fpr, int flag)
if (rc != -1)
return rc; /* error in the trustdb */
+ /* This feature must explicitly been enabled. */
+ if (!opt.allow_mark_trusted)
+ return gpg_error (GPG_ERR_NOT_SUPPORTED);
+
/* insert a new one */
if (asprintf (&desc,
"Please verify that the certificate identified as:%%0A"
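Review bot: The refusal at `if (!opt.allow_mark_trusted)` is silent: it returns GPG_ERR_NOT_SUPPORTED without writing anything to the agent log. A client request to add a trust anchor therefore leaves no trace for the operator, and the user gets no hint which option is missing. Assuming the agent's usual logging helper is available in this file, a line such as `log_info ("marking keys as trusted is disabled; see --allow-mark-trusted\n");` before the return would cover both. The check sits after the trustdb lookup, so a fingerprint that is already listed still returns success with the option off. That matches the function comment but deserves a word in the new comment, which should also read `/* This feature must explicitly be enabled. */`. agent_marktrusted starts and ends outside this hunk.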
diff --git a/doc/ChangeLog b/doc/ChangeLog
index 39d98b963..a920022d0 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,7 @@
+2004-05-03 Werner Koch <wk@gnupg.org>
+
+ * gpg-agent.texi (Agent Options): Add --allow-mark-trusted.
+
2004-02-03 Werner Koch <wk@gnupg.org>
* contrib.texi (Contributors): Updated from the gpg 1.2.3 thanks
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
index e199109a4..aad0fbb68 100644
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
@@ -238,6 +238,12 @@ seeing what the agent actually does.
Don't allow multiple connections. This option is in general not very
useful.
+@item --allow-mark-trusted
+@opindex allow-mark-trusted
+Allow clients to mark keys as trusted, i.e. put them into the
+@code{trustlist.txt} file. This is by default not allowed to make it
+harder for users to inadvertly accept Root-CA keys.
+
@item --ignore-cache-for-signing
@opindex ignore-cache-for-signing
This option will let gpg-agent bypass the passphrase cache for all
diff --git a/tools/ChangeLog b/tools/ChangeLog
index 529892643..fa41aff0a 100644
--- a/tools/ChangeLog
+++ b/tools/ChangeLog
@@ -1,3 +1,7 @@
+2004-05-03 Werner Koch <wk@gnupg.org>
+
+ * gpgconf-comp.c: Add --allow-mark-trusted for the gpg-agent.
+
2004-04-30 Werner Koch <wk@gnupg.org>
* gpgconf-comp.c: Added more runtime flags for the gpg-agent
diff --git a/tools/gpgconf-comp.c b/tools/gpgconf-comp.c
index ce16ce7f4..735e87c86 100644
--- a/tools/gpgconf-comp.c
+++ b/tools/gpgconf-comp.c
@@ -469,6 +469,9 @@ static gc_option_t gc_options_gpg_agent[] =
{ "ignore-cache-for-signing", GC_OPT_FLAG_RUNTIME, GC_LEVEL_BASIC,
"gnupg", "do not use the PIN cache when signing",
GC_ARG_TYPE_NONE, GC_BACKEND_GPG_AGENT },
+ { "allow-mark-trusted", GC_OPT_FLAG_RUNTIME, GC_LEVEL_ADVANCED,
+ "gnupg", "allow clients to mark keys as \"trusted\"",
+ GC_ARG_TYPE_NONE, GC_BACKEND_GPG_AGENT },
{ "no-grab", GC_OPT_FLAG_RUNTIME, GC_LEVEL_EXPERT,
"gnupg", "do not grab keyboard and mouse",
GC_ARG_TYPE_NONE, GC_BACKEND_GPG_AGENT },