author | Werner Koch <wk@gnupg.org> | 2020-06-08 20:13:25 +0200
---|---|---
committer | Werner Koch <wk@gnupg.org> | 2020-06-08 20:13:25 +0200
commit | 5c2080f4670a768787f5cb4ed5c32e0946837883 (patch) |
tree | a633de37837b03fc1169bf51ba7abeb93266c335 /doc |
parent | build: Fix recent commit for SOURCE_DATE_EPOCH. (diff) |
download | gnupg2-5c2080f4670a768787f5cb4ed5c32e0946837883.tar.xz, gnupg2-5c2080f4670a768787f5cb4ed5c32e0946837883.zip |
gpg: If possible TRUST values now depend on signer's UID or --sender.
* g10/mainproc.c (check_sig_and_print): Add failsafe check for PK.
Pass KEYBLOCK down to check_signatures_trust. Protect existing error
code in case the signature expired.
* g10/pkclist.c (is_in_sender_list): New.
(check_signatures_trust): Add args keyblock and pk. Add new uid based
checking code.
* g10/test-stubs.c, g10/gpgv.c: Adjust stubs.
--
GnuPG-bug-id: 4735
Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/gpg.texi | 31 |
1 files changed, 26 insertions, 5 deletions
diff --git a/doc/gpg.texi b/doc/gpg.texi index d05699c55..970cbabb5 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi 
@@ -2243,11 +2243,32 @@ Use @var{name} as the key to sign with. Note that this option overrides @item --sender @var{mbox} @opindex sender This option has two purposes. @var{mbox} must either be a complete -user id with a proper mail address or just a mail address. When -creating a signature this option tells gpg the user id of a key used -to make a signature if the key was not directly specified by a user -id. When verifying a signature the @var{mbox} is used to restrict the -information printed by the TOFU code to matching user ids. +user ID containing a proper mail address or just a plain mail address. +The option can be given multiple times. + +When creating a signature this option tells gpg the signing key's user +id used to make the signature and embeds that user ID into the created +signature (using OpenPGP's ``Signer's User ID'' subpacket). If the +option is given multiple times a suitable user ID is picked. However, +if the signing key was specified directly by using a mail address +(i.e. not by using a fingerprint or key ID) this option is used and +the mail address is embedded in the created signature. + +When verifying a signature @var{mbox} is used to restrict the +information printed by the TOFU code to matching user IDs. If the +option is used and the signature contains a ``Signer's User ID'' +subpacket that information is is also used to restrict the printed +information. Note that GnuPG considers only the mail address part of +a User ID. + +If this option or the said subpacket is available the TRUST lines as +printed by option @option{status-fd} correspond to the corresponding +User ID; if no User ID is known the TRUST lines are computed directly +on the key and do not give any information about the User ID. In the +latter case it his highly recommended to scripts and other frontends +to evaluate the VALIDSIG line, retrieve the key and print all User IDs +along with their validity (trust) information. 
+ @item --try-secret-key @var{name} @opindex try-secret-key |
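Review bot: the new --sender text in this hunk carries wording defects that will ship verbatim in the manual. "that information is is also used" has a doubled "is", "it his highly recommended" should read "it is highly recommended", and "recommended to scripts and other frontends" should be "recommended for scripts and other frontends". More importantly, the sentence "However, if the signing key was specified directly by using a mail address (i.e. not by using a fingerprint or key ID) this option is used and the mail address is embedded in the created signature" is ambiguous after the preceding "If the option is given multiple times a suitable user ID is picked": it is unclear whether --sender is still consulted in that case or whether the mail address from the key specification itself is what gets embedded. Please state which address wins, since the rest of the paragraph tells frontends that the TRUST lines are now computed per User ID from exactly this subpacket, so a reader needs to know precisely which User ID ends up in the signature. Consider also spelling out that when no User ID is known the TRUST line reflects key validity only, with the VALIDSIG advice following as the consequence, so that the three cases (option given, subpacket present, neither) are each covered in one sentence.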