gpg: New option --force-sign-key

* g10/gpg.c (oForceSignKey,opts): New option "--force-sign-key".
(main): Set it.
* g10/options.h (opt): New flag flags.force_sign_key.
* g10/keyedit.c (sign_uids): Use new flag.
--

GnuPG-bug-id: 4584

4 files changed, 32 insertions, 14 deletions

diff --git a/doc/gpg.texi b/doc/gpg.texi
index b93b52cd7..f6107b815 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -1123,7 +1123,9 @@ If a name is prefixed with a '=' a case sensitive exact match is done.
 
 The command @option{--quick-lsign-key} marks the signatures as
 non-exportable.  If such a non-exportable signature already exists the
-@option{--quick-sign-key} turns it into a exportable signature.
+@option{--quick-sign-key} turns it into a exportable signature.  If
+you need to update an existing signature, for example to add or change
+notation data, you need to use the option @option{--force-sign-key}.
 
 This command uses reasonable defaults and thus does not provide the
 full flexibility of the "sign" subcommand from @option{--edit-key}.
@@ -1221,8 +1223,8 @@ encountered, you can explicitly stop parsing by using the special option
 @node GPG Configuration Options
 @subsection How to change the configuration
 
-These options are used to change the configuration and are usually found
-in the option file.
+These options are used to change the configuration and most of them
+are usually found in the option file.
 
 @table @gnupgtabopt
 
@@ -1251,6 +1253,7 @@ one from the secret keyring or the one set with @option{--default-key}.
 @item --no-default-recipient
 @opindex no-default-recipient
 Reset @option{--default-recipient} and @option{--default-recipient-self}.
+Should not be used in an option file.
 
 @item -v, --verbose
 @opindex verbose
@@ -1259,11 +1262,11 @@ twice, the input data is listed in detail.
 
 @item --no-verbose
 @opindex no-verbose
-Reset verbose level to 0.
+Reset verbose level to 0.  Should not be used in an option file.
 
 @item -q, --quiet
 @opindex quiet
-Try to be as quiet as possible.
+Try to be as quiet as possible.  Should not be used in an option file.
 
 @item --batch
 @itemx --no-batch
@@ -1275,11 +1278,11 @@ filename given on the command line, gpg might still need to read from
 STDIN (in particular if gpg figures that the input is a
 detached signature and no data file has been specified).  Thus if you
 do not want to feed data via STDIN, you should connect STDIN to
-g@file{/dev/null}.
+@file{/dev/null}.
 
 It is highly recommended to use this option along with the options
 @option{--status-fd} and @option{--with-colons} for any unattended use of
-@command{gpg}.
+@command{gpg}.  Should not be used in an option file.
 
 @item --no-tty
 @opindex no-tty
@@ -1289,11 +1292,11 @@ warnings to the TTY even if @option{--batch} is used.
 
 @item --yes
 @opindex yes
-Assume "yes" on most questions.
+Assume "yes" on most questions.  Should not be used in an option file.
 
 @item --no
 @opindex no
-Assume "no" on most questions.
+Assume "no" on most questions.  Should not be used in an option file.
 
 
 @item --list-options @var{parameters}
@@ -1571,6 +1574,7 @@ default (@option{--no-utf8-strings}) is to assume that arguments are
 encoded in the character set as specified by
 @option{--display-charset}. These options affect all following
 arguments. Both options may be used multiple times.
+This option should not be used in an option file.
 
 This option has no effect on Windows.  There the internal used UTF-8
 encoding is translated for console input and output.  The command line
@@ -3563,6 +3567,13 @@ You need to consult the source code to learn the details.  Note that
 the advanced key generation commands can always be used to specify a
 key algorithm directly.
 
+@item --force-sign-key
+@opindex force-sign-key
+This option modifies the behaviour of the commands
+@option{--quick-sign-key}, @option{--quick-lsign-key}, and the "sign"
+sub-commands of @option{--edit-key} by forcing the creation of a key
+signature, even if one already exists.
+
 @item --allow-secret-key-import
 @opindex allow-secret-key-import
 This is an obsolete option and is not used anywhere.
diff --git a/g10/gpg.c b/g10/gpg.c
index c61f17188..a11ea12f9 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -435,6 +435,7 @@ enum cmd_and_opt_values
     oIncludeKeyBlock,
     oNoIncludeKeyBlock,
     oChUid,
+    oForceSignKey,
 
     oNoop
   };
@@ -886,7 +887,7 @@ static gpgrt_opt_t opts[] = {
   ARGPARSE_s_s (oPassphraseFile,  "passphrase-file", "@"),
   ARGPARSE_s_i (oPassphraseRepeat,"passphrase-repeat", "@"),
   ARGPARSE_s_s (oPinentryMode,    "pinentry-mode", "@"),
-
+  ARGPARSE_s_n (oForceSignKey,    "force-sign-key", "@"),
 
   ARGPARSE_header (NULL, N_("Other options")),
 
@@ -2778,6 +2779,9 @@ main (int argc, char **argv)
 
 	  case oAnswerYes: opt.answer_yes = 1; break;
 	  case oAnswerNo: opt.answer_no = 1; break;
+
+          case oForceSignKey: opt.flags.force_sign_key = 1; break;
+
 	  case oKeyring: append_to_strlist( &nrings, pargs.r.ret_str); break;
 	  case oPrimaryKeyring:
 	    sl = append_to_strlist (&nrings, pargs.r.ret_str);
diff --git a/g10/keyedit.c b/g10/keyedit.c
index c8a127551..d07ec6526 100644
--- a/g10/keyedit.c
+++ b/g10/keyedit.c
@@ -751,10 +751,11 @@ sign_uids (ctrl_t ctrl, estream_t fp,
                                 _("\"%s\" was already signed by key %s\n"),
 				user, keystr_from_pk (pk));
 
-		  if (opt.expert && !quick
-		      && cpr_get_answer_is_yes ("sign_uid.dupe_okay",
-						_("Do you want to sign it "
-						  "again anyway? (y/N) ")))
+		  if (opt.flags.force_sign_key
+                      || (opt.expert && !quick
+                          && cpr_get_answer_is_yes ("sign_uid.dupe_okay",
+                                                    _("Do you want to sign it "
+                                                      "again anyway? (y/N) "))))
 		    {
 		      /* Don't delete the old sig here since this is
 		         an --expert thing. */
diff --git a/g10/options.h b/g10/options.h
index 61118314e..f502ace61 100644
--- a/g10/options.h
+++ b/g10/options.h
@@ -252,6 +252,8 @@ struct
      * another card.  */
     unsigned int use_only_openpgp_card:1;
     unsigned int full_timestrings:1;
+    /* Force signing keys even if a key signature already exists.  */
+    unsigned int force_sign_key:1;
   } flags;
 
   /* Linked list of ways to find a key if the key isn't on the local