authorWerner Koch <wk@gnupg.org>2024-01-10 17:18:34 +0100
committerWerner Koch <wk@gnupg.org>2024-01-10 17:18:34 +0100
commitb7f45ee6adbc1a2d22b596aada2e8ca8b1e1c82b (patch)
treebb547c46ebb1bce629144be3ed1abf1da518fea3
parentscd:p15: Allow signing for CVISION cards (diff)
gpg: Allow to create revocations even with non-compliant algos.
* g10/sign.c (do_sign): Skip compliance check for revocation certs. -- It just does not make sense to inhibit the creation of revocations depending on the compliance mode. We do this only for key revocation but not for another kind of revocation because the rationale for uid or subkey revocation is more complicated to explain.
-rw-r--r--g10/sign.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/g10/sign.c b/g10/sign.c
index d6ab396af..b00bdfefd 100644
--- a/g10/sign.c
+++ b/g10/sign.c
@@ -444,8 +444,9 @@ do_sign (ctrl_t ctrl, PKT_public_key *pksk, PKT_signature *sig,
goto leave;
}
- /* Check compliance. */
- if (! gnupg_digest_is_allowed (opt.compliance, 1, mdalgo))
+ /* Check compliance but always allow for key revocations. */
+ if (!IS_KEY_REV (sig)
+ && ! gnupg_digest_is_allowed (opt.compliance, 1, mdalgo))
{
log_error (_("digest algorithm '%s' may not be used in %s mode\n"),
gcry_md_algo_name (mdalgo),
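Review bot: The new `!IS_KEY_REV (sig)` guard on the digest check lets a key revocation be signed with a digest that the active compliance mode rejects, and nothing records that the check was bypassed. The same guard on `gnupg_pk_is_allowed` in the next hunk follows from the commit rationale, since the algorithm of the key being revoked cannot be changed. `mdalgo`, however, is selected before this point (outside the hunk; `do_sign` starts and ends outside it too), so the digest exemption may be wider than needed and is worth confirming. If it stays, make the exception visible with something like `if (IS_KEY_REV (sig) && !gnupg_digest_is_allowed (opt.compliance, 1, mdalgo)) log_info ("Note: creating key revocation with non-compliant digest '%s'\n", gcry_md_algo_name (mdalgo));` (message text is a suggestion). The second guarded check also has no comment; `/* Likewise always allow the key algorithm for key revocations. */` would match the one added here.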
@@ -454,9 +455,10 @@ do_sign (ctrl_t ctrl, PKT_public_key *pksk, PKT_signature *sig,
goto leave;
}
- if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING,
- pksk->pubkey_algo, 0,
- pksk->pkey, nbits_from_pk (pksk), NULL))
+ if (!IS_KEY_REV (sig)
+ && ! gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING,
+ pksk->pubkey_algo, 0,
+ pksk->pkey, nbits_from_pk (pksk), NULL))
{
log_error (_("key %s may not be used for signing in %s mode\n"),
keystr_from_pk (pksk),