Commit 7a8ba3e1 authored by Daniel Kahn Gillmor's avatar Daniel Kahn Gillmor

New upstream version 2.2.17

parents 6a6219a9 591523ec
2019-07-09 Werner Koch <wk@gnupg.org>
Release 2.2.17.
+ commit 591523ec94b6279b8b39a01501d78cf980de8722
2019-07-09 Ineiev <ineiev@gnu.org>
po: Update Russian translation.
+ commit ad0c61972a413987d2cc8ac8deb6a646b954ae05
2019-07-09 Werner Koch <wk@gnupg.org>
gpg: Do not try the import fallback if the options are already used.
+ commit 3c2cf5ea952015a441ee5701c41dadc63be60d87
* g10/import.c (import_one): Check options.
gpg: Fix regression in option "self-sigs-only".
+ commit b6effaf4669b2c3707932e3c5f2f57df886d759e
* g10/import.c (read_block): Make sure KEYID is availabale also on a
pending packet.
2019-07-05 Werner Koch <wk@gnupg.org>
gpg: With --auto-key-retrieve prefer WKD over keyservers.
+ commit 3242837d203a7b90b92952e63ee160a5a41764c0
* g10/mainproc.c (check_sig_and_print): Print a hint on how to make
use of the preferred keyserver. Remove keyserver lookup just by the
keyid. Try a WKD lookup before a keyserver lookup.
wkd: Change client/server limit back to 64 KiB.
+ commit 6396f8d115f21ae15571b683e9ac9d1d7e3f44f4
* tools/wks-receive.c (decrypt_data): Change limit.
2019-07-04 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
dirmngr: fix handling of HTTPS redirections during HKP.
+ commit efb6e08ea2ca1cf2d39135d94195802cd69b9ea6
* dirmngr/ks-engine-hkp.c (send_request): Reinitialize HTTP session when
following a HTTP redirection.
2019-07-04 Werner Koch <wk@gnupg.org>
gpg: Add "self-sigs-only" and "import-clean" to the keyserver options.
+ commit 2b7151b0a57f5fe7d67fd76dfa1ba7a8731642c6
* g10/gpg.c (main): Change default.
gpg: Avoid printing false AKL error message.
+ commit 4cbd058a3da9aae74aadab7f260952b9ebb5becf
* g10/getkey.c (get_pubkey_byname): Add special traeatment for default
and skipped-local.
gpg: New command --locate-external-key.
+ commit 46f3283b345e1cabca4b0320cf98274ade8ec162
* g10/gpg.c (aLocateExtKeys): New.
(opts): Add --locate-external-keys.
(main): Implement that.
* g10/getkey.c (get_pubkey_byname): Implement GET_PUBKEY_NO_LOCAL.
(get_best_pubkey_byname): Add arg 'mode' and pass on to
get_pubkey_byname. Change callers.
* g10/keylist.c (public_key_list): Add arg 'no_local'.
(locate_one): Ditto. Pass on to get_best_pubkey_byname.
gpg: Make the get_pubkey_byname interface easier to understand.
+ commit 11871433436b5b9b9aca46579dd185a9a77674cd
* g10/keydb.h (enum get_pubkey_modes): New.
* g10/getkey.c (get_pubkey_byname): Repalce no_akl by a mode arg and
change all callers.
2019-07-03 Werner Koch <wk@gnupg.org>
dirmngr: Avoid endless loop in case of HTTP error 503.
+ commit d2e8d71251813e61b15a07637497fabe823b822c
* dirmngr/ks-engine-hkp.c (SEND_REQUEST_EXTRA_RETRIES): New.
(handle_send_request_error): Use it for 503 and 504.
(ks_hkp_search, ks_hkp_get, ks_hkp_put): Pass a new var for
extra_tries.
dirmngr: Do not rewrite the redirection for the "openpgpkey" subdomain.
+ commit c9b133a54e93b7f2365b5d6b1c39ec2cc6dac8f9
* dirmngr/http.c (same_host_p): Consider certain subdomains to be the
same.
2019-07-03 Peter Lebbing <peter@digitalbrains.com>
Mention --sender in documentation.
+ commit 37b549dfe0acd362399debd7c93794eb75937402
2019-07-03 Werner Koch <wk@gnupg.org>
dirmngr: Support the new WKD draft with the openpgpkey subdomain.
+ commit 458973f502b9a43ecf29e804a2c0c86e78f5927a
* dirmngr/server.c (proc_wkd_get): Implement new openpgpkey subdomain
method.
2019-07-02 Werner Koch <wk@gnupg.org>
gpg: Fallback to import with self-sigs-only on too large keyblocks.
+ commit a1f2f38dfb2ba5ed66d3aef66fc3be9b67f9b800
* g10/import.c (import_one): Rename to ...
(import_one_real): this. Do not print and update stats on keyring
write errors.
(import_one): New. Add fallback code.
2019-07-01 Werner Koch <wk@gnupg.org>
gpg: New import and keyserver option "self-sigs-only"
+ commit adb120e663fc5e78f714976c6e42ae233c1990b0
* g10/options.h (IMPORT_SELF_SIGS_ONLY): New.
* g10/import.c (parse_import_options): Add option "self-sigs-only".
(read_block): Handle that option.
gpg: Make read_block in import.c more flexible.
+ commit 15a425a1dfe60bd976b17671aa8e3d9aed12e1c0
* g10/import.c: Change arg 'with_meta' to 'options'. Change callers.
2019-07-01 NIIBE Yutaka <gniibe@fsij.org>
tools: gpgconf: Killing order is children-first.
+ commit 526714806da4e50c8e683b25d76460916d58ff41
* tools/gpgconf-comp.c (gc_component_kill): Reverse the order.
2019-06-24 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
spelling: Fix "synchronize"
+ commit 520f5d70e4128b61c30da2a463f6c34ca24b628e
2019-06-03 Werner Koch <wk@gnupg.org>
Return better error code for some getinfo IPC commands.
+ commit f3251023750d6bd9023dbb8373c804d7d4540a56
* agent/command.c (cmd_getinfo): Return GPG_ERR_FALSE as boolean False.
* g13/server.c (cmd_getinfo): Ditto.
* sm/server.c (cmd_getinfo): Ditto.
2019-05-29 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
doc/wks.texi: fix typo.
+ commit 175d194b5d6063895ecfcfed6ed2154e4a0d1421
2019-05-28 Werner Koch <wk@gnupg.org>
Release GnuPG 2.2.16.
Noteworthy changes in version 2.2.17 (2019-07-09)
-------------------------------------------------
* gpg: Ignore all key-signatures received from keyservers. This
change is required to mitigate a DoS due to keys flooded with
faked key-signatures. The old behaviour can be achieved by adding
keyserver-options no-self-sigs-only,no-import-clean
to your gpg.conf. [#4607]
* gpg: If an imported keyblocks is too large to be stored in the
keybox (pubring.kbx) do not error out but fallback to an import
using the options "self-sigs-only,import-clean". [#4591]
* gpg: New command --locate-external-key which can be used to
refresh keys from the Web Key Directory or via other methods
configured with --auto-key-locate.
* gpg: New import option "self-sigs-only".
* gpg: In --auto-key-retrieve prefer WKD over keyservers. [#4595]
* dirmngr: Support the "openpgpkey" subdomain feature from
draft-koch-openpgp-webkey-service-07. [#4590].
* dirmngr: Add an exception for the "openpgpkey" subdomain to the
CSRF protection. [#4603]
* dirmngr: Fix endless loop due to http errors 503 and 504. [#4600]
* dirmngr: Fix TLS bug during redirection of HKP requests. [#4566]
* gpgconf: Fix a race condition when killing components. [#4577]
Release-info: https://dev.gnupg.org/T4606
See-also: gnupg-announce/2019q3/000439.html
Noteworthy changes in version 2.2.16 (2019-05-28)
-------------------------------------------------
......@@ -164,7 +201,7 @@ Noteworthy changes in version 2.2.12 (2018-12-14)
* gpg: Fix a bug where a LF was accidentally written to the console.
* gpg: --card-status now shwos whether a card has the new KDF
* gpg: --card-status now shows whether a card has the new KDF
feature enabled.
* agent: New runtime option --s2k-calibration=MSEC. New configure
......@@ -2639,7 +2676,7 @@ Noteworthy changes in version 1.9.2 (2003-11-17)
command but from the menu provided by the new --card-edit command.
* PINs are now properly cached and there are only 2 PINs visible.
The 3rd PIN (CHV2) is internally syncronized with the regular PIN.
The 3rd PIN (CHV2) is internally synchronized with the regular PIN.
* All kind of other internal stuff.
......
......@@ -2887,7 +2887,7 @@ cmd_getinfo (assuan_context_t ctx, char *line)
{
cmdopt = line;
if (!command_has_option (cmd, cmdopt))
rc = gpg_error (GPG_ERR_GENERAL);
rc = gpg_error (GPG_ERR_FALSE);
}
}
}
......@@ -2901,7 +2901,7 @@ cmd_getinfo (assuan_context_t ctx, char *line)
}
else if (!strcmp (line, "restricted"))
{
rc = ctrl->restricted? 0 : gpg_error (GPG_ERR_GENERAL);
rc = ctrl->restricted? 0 : gpg_error (GPG_ERR_FALSE);
}
else if (ctrl->restricted)
{
......@@ -2935,7 +2935,7 @@ cmd_getinfo (assuan_context_t ctx, char *line)
}
else if (!strcmp (line, "scd_running"))
{
rc = agent_scd_check_running ()? 0 : gpg_error (GPG_ERR_GENERAL);
rc = agent_scd_check_running ()? 0 : gpg_error (GPG_ERR_FALSE);
}
else if (!strcmp (line, "std_env_names"))
{
......
......@@ -2115,7 +2115,7 @@ get_agent_scd_notify_event (void)
GetCurrentProcess(), &h2,
EVENT_MODIFY_STATE|SYNCHRONIZE, TRUE, 0))
{
log_error ("setting syncronize for scd notify event failed: %s\n",
log_error ("setting synchronize for scd notify event failed: %s\n",
w32_strerror (-1) );
CloseHandle (h);
}
......
......@@ -28,7 +28,7 @@ min_automake_version="1.14"
m4_define([mym4_package],[gnupg])
m4_define([mym4_major], [2])
m4_define([mym4_minor], [2])
m4_define([mym4_micro], [16])
m4_define([mym4_micro], [17])
# To start a new development series, i.e a new major or minor number
# you need to mark an arbitrary commit before the first beta release
......
......@@ -3533,6 +3533,10 @@ same_host_p (parsed_uri_t a, parsed_uri_t b)
{ NULL, "api.protonmail.ch" },
{ "pm.me", "api.protonmail.ch" }
};
static const char *subdomains[] =
{
"openpgpkey."
};
int i;
const char *from;
......@@ -3554,6 +3558,22 @@ same_host_p (parsed_uri_t a, parsed_uri_t b)
return 1;
}
/* Also consider hosts the same if they differ only in a subdomain;
* in both direction. This allows to have redirection between the
* WKD advanced and direct lookup methods. */
for (i=0; i < DIM (subdomains); i++)
{
const char *subdom = subdomains[i];
size_t subdomlen = strlen (subdom);
if (!ascii_strncasecmp (a->host, subdom, subdomlen)
&& !ascii_strcasecmp (a->host + subdomlen, b->host))
return 1;
if (!ascii_strncasecmp (b->host, subdom, subdomlen)
&& !ascii_strcasecmp (b->host + subdomlen, a->host))
return 1;
}
return 0;
}
......
......@@ -67,6 +67,10 @@
/* Number of retries done for a dead host etc. */
#define SEND_REQUEST_RETRIES 3
/* Number of retries done in case of transient errors. */
#define SEND_REQUEST_EXTRA_RETRIES 5
enum ks_protocol { KS_PROTOCOL_HKP, KS_PROTOCOL_HKPS, KS_PROTOCOL_MAX };
/* Objects used to maintain information about hosts. */
......@@ -1175,6 +1179,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
/* FIXME: I am not sure whey we allow a downgrade for hkp requests.
* Needs at least an explanation here.. */
once_more:
err = http_session_new (&session, httphost,
((ctrl->http_no_crl? HTTP_FLAG_NO_CRL : 0)
| HTTP_FLAG_TRUST_DEF),
......@@ -1184,7 +1189,6 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
http_session_set_log_cb (session, cert_log_cb);
http_session_set_timeout (session, ctrl->timeout);
once_more:
err = http_open (&http,
post_cb? HTTP_REQ_POST : HTTP_REQ_GET,
request,
......@@ -1264,6 +1268,8 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
request = request_buffer;
http_close (http, 0);
http = NULL;
http_session_release (session);
session = NULL;
}
goto once_more;
......@@ -1311,10 +1317,12 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
with REQUEST. The function returns true if the caller shall try
again. TRIES_LEFT points to a variable to track the number of
retries; this function decrements it and won't return true if it is
down to zero. */
down to zero. EXTRA_TRIES_LEFT does the same but only for
transient http status codes. */
static int
handle_send_request_error (ctrl_t ctrl, gpg_error_t err, const char *request,
unsigned int http_status, unsigned int *tries_left)
unsigned int http_status, unsigned int *tries_left,
unsigned int *extra_tries_left)
{
int retry = 0;
......@@ -1370,9 +1378,12 @@ handle_send_request_error (ctrl_t ctrl, gpg_error_t err, const char *request,
case 503: /* Service Unavailable */
case 504: /* Gateway Timeout */
log_info ("selecting a different host due to a %u (%s)",
http_status, http_status2string (http_status));
retry = 1;
if (*extra_tries_left)
{
log_info ("selecting a different host due to a %u (%s)",
http_status, http_status2string (http_status));
retry = 2;
}
break;
}
}
......@@ -1382,8 +1393,16 @@ handle_send_request_error (ctrl_t ctrl, gpg_error_t err, const char *request,
break;
}
if (*tries_left)
--*tries_left;
if (retry == 2)
{
if (*extra_tries_left)
--*extra_tries_left;
}
else
{
if (*tries_left)
--*tries_left;
}
return retry;
}
......@@ -1408,6 +1427,7 @@ ks_hkp_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern,
char *httphost = NULL;
unsigned int http_status;
unsigned int tries = SEND_REQUEST_RETRIES;
unsigned int extra_tries = SEND_REQUEST_EXTRA_RETRIES;
*r_fp = NULL;
......@@ -1489,7 +1509,8 @@ ks_hkp_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern,
/* Send the request. */
err = send_request (ctrl, request, hostport, httphost, httpflags,
NULL, NULL, &fp, &http_status);
if (handle_send_request_error (ctrl, err, request, http_status, &tries))
if (handle_send_request_error (ctrl, err, request, http_status,
&tries, &extra_tries))
{
reselect = 1;
goto again;
......@@ -1559,6 +1580,7 @@ ks_hkp_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec, estream_t *r_fp)
unsigned int httpflags;
unsigned int http_status;
unsigned int tries = SEND_REQUEST_RETRIES;
unsigned int extra_tries = SEND_REQUEST_EXTRA_RETRIES;
*r_fp = NULL;
......@@ -1631,7 +1653,8 @@ ks_hkp_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec, estream_t *r_fp)
/* Send the request. */
err = send_request (ctrl, request, hostport, httphost, httpflags,
NULL, NULL, &fp, &http_status);
if (handle_send_request_error (ctrl, err, request, http_status, &tries))
if (handle_send_request_error (ctrl, err, request, http_status,
&tries, &extra_tries))
{
reselect = 1;
goto again;
......@@ -1707,6 +1730,7 @@ ks_hkp_put (ctrl_t ctrl, parsed_uri_t uri, const void *data, size_t datalen)
unsigned int httpflags;
unsigned int http_status;
unsigned int tries = SEND_REQUEST_RETRIES;
unsigned int extra_tries = SEND_REQUEST_EXTRA_RETRIES;
parm.datastring = NULL;
......@@ -1745,7 +1769,8 @@ ks_hkp_put (ctrl_t ctrl, parsed_uri_t uri, const void *data, size_t datalen)
/* Send the request. */
err = send_request (ctrl, request, hostport, httphost, 0,
put_post_cb, &parm, &fp, &http_status);
if (handle_send_request_error (ctrl, err, request, http_status, &tries))
if (handle_send_request_error (ctrl, err, request, http_status,
&tries, &extra_tries))
{
reselect = 1;
goto again;
......
......@@ -837,8 +837,11 @@ proc_wkd_get (ctrl_t ctrl, assuan_context_t ctx, char *line)
gpg_error_t err = 0;
char *mbox = NULL;
char *domainbuf = NULL;
char *domain; /* Points to mbox or domainbuf. */
char *domain_orig;/* Points to mbox. */
char *domain; /* Points to mbox or domainbuf. This is used to
* connect to the host. */
char *domain_orig;/* Points to mbox. This is the used for the
* query; i.e. the domain part of the
* addrspec. */
char sha1buf[20];
char *uri = NULL;
char *encodedhash = NULL;
......@@ -847,6 +850,7 @@ proc_wkd_get (ctrl_t ctrl, assuan_context_t ctx, char *line)
int is_wkd_query; /* True if this is a real WKD query. */
int no_log = 0;
char portstr[20] = { 0 };
int subdomain_mode = 0;
opt_submission_addr = has_option (line, "--submission-address");
opt_policy_flags = has_option (line, "--policy-flags");
......@@ -864,7 +868,8 @@ proc_wkd_get (ctrl_t ctrl, assuan_context_t ctx, char *line)
*domain++ = 0;
domain_orig = domain;
/* First check whether we already know that the domain does not
/* Let's check whether we already know that the domain does not
* support WKD. */
if (is_wkd_query)
{
......@@ -875,8 +880,41 @@ proc_wkd_get (ctrl_t ctrl, assuan_context_t ctx, char *line)
}
}
/* Check for SRV records. */
if (1)
/* First try the new "openpgp" subdomain. We check that the domain
* is valid because it is later used as an unescaped filename part
* of the URI. */
if (is_valid_domain_name (domain_orig))
{
dns_addrinfo_t aibuf;
domainbuf = strconcat ( "openpgpkey.", domain_orig, NULL);
if (!domainbuf)
{
err = gpg_error_from_syserror ();
goto leave;
}
/* FIXME: We should put a cache into dns-stuff because the same
* query (with a different port and socket type, though) will be
* done later by http function. */
err = resolve_dns_name (domainbuf, 0, 0, 0, &aibuf, NULL);
if (err)
{
err = 0;
xfree (domainbuf);
domainbuf = NULL;
}
else /* Got a subdomain. */
{
free_dns_addrinfo (aibuf);
subdomain_mode = 1;
domain = domainbuf;
}
}
/* Check for SRV records unless we have a subdomain. */
if (!subdomain_mode)
{
struct srventry *srvs;
unsigned int srvscount;
......@@ -931,6 +969,7 @@ proc_wkd_get (ctrl_t ctrl, assuan_context_t ctx, char *line)
xfree (srvs);
}
/* Prepare the hash of the local part. */
gcry_md_hash_buffer (GCRY_MD_SHA1, sha1buf, mbox, strlen (mbox));
encodedhash = zb32_encode (sha1buf, 8*20);
if (!encodedhash)
......@@ -944,7 +983,10 @@ proc_wkd_get (ctrl_t ctrl, assuan_context_t ctx, char *line)
uri = strconcat ("https://",
domain,
portstr,
"/.well-known/openpgpkey/submission-address",
"/.well-known/openpgpkey/",
subdomain_mode? domain_orig : "",
subdomain_mode? "/" : "",
"submission-address",
NULL);
}
else if (opt_policy_flags)
......@@ -952,7 +994,10 @@ proc_wkd_get (ctrl_t ctrl, assuan_context_t ctx, char *line)
uri = strconcat ("https://",
domain,
portstr,
"/.well-known/openpgpkey/policy",
"/.well-known/openpgpkey/",
subdomain_mode? domain_orig : "",
subdomain_mode? "/" : "",
"policy",
NULL);
}
else
......@@ -965,7 +1010,10 @@ proc_wkd_get (ctrl_t ctrl, assuan_context_t ctx, char *line)
uri = strconcat ("https://",
domain,
portstr,
"/.well-known/openpgpkey/hu/",
"/.well-known/openpgpkey/",
subdomain_mode? domain_orig : "",
subdomain_mode? "/" : "",
"hu/",
encodedhash,
"?l=",
escapedmbox,
......
doc/gnupg-module-overview.png

60.1 KB | W: | H:

doc/gnupg-module-overview.png

60.1 KB | W: | H:

doc/gnupg-module-overview.png
doc/gnupg-module-overview.png
doc/gnupg-module-overview.png
doc/gnupg-module-overview.png
  • 2-up
  • Swipe
  • Onion skin
......@@ -346,12 +346,17 @@ numbers 1-9 or "T" for 10 and above to indicate trust signature levels
@item --locate-keys
@itemx --locate-external-keys
@opindex locate-keys
@opindex locate-external-keys
Locate the keys given as arguments. This command basically uses the
same algorithm as used when locating keys for encryption or signing and
may thus be used to see what keys @command{@gpgname} might use. In
particular external methods as defined by @option{--auto-key-locate} may
be used to locate a key. Only public keys are listed.
same algorithm as used when locating keys for encryption or signing
and may thus be used to see what keys @command{@gpgname} might use.
In particular external methods as defined by
@option{--auto-key-locate} may be used to locate a key. Only public
keys are listed. The variant @option{--locate-external-keys} does not
consider a locally existing key and can thus be used to force the
refresh of a key via the defined external methods.
@item --show-keys
@opindex show-keys
......@@ -1809,10 +1814,26 @@ These options enable or disable the automatic retrieving of keys from
a keyserver when verifying signatures made by keys that are not on the
local keyring. The default is @option{--no-auto-key-retrieve}.
If the method "wkd" is included in the list of methods given to
@option{auto-key-locate}, the signer's user ID is part of the
signature, and the option @option{--disable-signer-uid} is not used,
the "wkd" method may also be used to retrieve a key.
The order of methods tried to lookup the key is:
1. If a preferred keyserver is specified in the signature and the
option @option{honor-keyserver-url} is active (which is not the
default), that keyserver is tried. Note that the creator of the
signature uses the option @option{--sig-keyserver-url} to specify the
preferred keyserver for data signatures.
2. If the signature has the Signer's UID set (e.g. using
@option{--sender} while creating the signature) a Web Key Directory
(WKD) lookup is done. This is the default configuration but can be
disabled by removing WKD from the auto-key-locate list or by using the
option @option{--disable-signer-uid}.
3. If the option @option{honor-pka-record} is active, the legacy PKA
method is used.
4. If any keyserver is configured and the Issuer Fingerprint is part
of the signature (since GnuPG 2.1.16), the configured keyservers are
tried.
Note that this option makes a "web bug" like behavior possible.
Keyserver or Web Key Directory operators can see which keys you
......@@ -1912,6 +1933,11 @@ are available for all keyserver types, some common options are:
@end table
The default list of options is: "self-sigs-only, import-clean,
repair-keys, repair-pks-subkey-bug, export-attributes,
honor-pka-record".
@item --completes-needed @var{n}
@opindex compliant-needed
Number of completely trusted users to introduce a new
......@@ -2327,6 +2353,14 @@ opposite meaning. The options are:
on the keyring. This option is the same as running the @option{--edit-key}
command "clean" after import. Defaults to no.
@item self-sigs-only
Accept only self-signatures while importing a key. All other
key-signatures are skipped at an early import stage. This option
can be used with @code{keyserver-options} to mitigate attempts to
flood a key with bogus signatures from a keyserver. The drawback is
that all other valid key-signatures, as required by the Web of Trust
are also not imported.
@item repair-keys
After import, fix various problems with the
keys. For example, this reorders signatures, and strips duplicate
......@@ -2606,11 +2640,11 @@ allows for this.
@item --disable-signer-uid
@opindex disable-signer-uid
By default the user ID of the signing key is embedded in the data
signature. As of now this is only done if the signing key has been
specified with @option{local-user} using a mail address. This
information can be helpful for verifier to locate the key; see
option @option{--auto-key-retrieve}.
By default the user ID of the signing key is embedded in the data signature.
As of now this is only done if the signing key has been specified with
@option{local-user} using a mail address, or with @option{sender}. This
information can be helpful for verifier to locate the key; see option
@option{--auto-key-retrieve}.
@item --personal-cipher-preferences @var{string}
@opindex personal-cipher-preferences
......
......@@ -61,7 +61,7 @@ Service provider. This is usuallay done to upload a key into a Web
Key Directory.
With the @option{--supported} command the caller can test whether a
site supports the Web Key Service. The argument is an arbitray
site supports the Web Key Service. The argument is an arbitrary
address in the to be tested domain. For example
@file{foo@@example.net}. The command returns success if the Web Key
Service is supported. The operation is silent; to get diagnostic
......
......@@ -62,7 +62,7 @@ progress_cb (void *ctx, const char *what, int printchar,
/* Return true if the status message NO may currently be issued. We
need this to avoid syncronisation problem while auto retrieving a
need this to avoid synchronization problem while auto retrieving a
key. There it may happen that a status NODATA is issued for a non
available key and the user may falsely interpret this has a missing
signature. */
......
......@@ -2161,10 +2161,10 @@ export_ssh_key (ctrl_t ctrl, const char *userid)
{
getkey_ctx_t getkeyctx;
err = get_pubkey_byname (ctrl, &getkeyctx, NULL, userid, &keyblock,
err = get_pubkey_byname (ctrl, GET_PUBKEY_NO_AKL,
&getkeyctx, NULL, userid, &keyblock,
NULL,
0 /* Only usable keys or given exact. */,
1 /* No AKL lookup. */);
0 /* Only usable keys or given exact. */);
if (!err)
{
err = getkey_next (ctrl, getkeyctx, NULL, NULL);
......
......@@ -950,11 +950,21 @@ key_byname (ctrl_t ctrl, GETKEY_CTX *retctx, strlist_t namelist,
/* Find a public key identified by NAME.
*
* If name appears to be a valid RFC822 mailbox (i.e., email
* address) and auto key lookup is enabled (no_akl == 0), then the
* specified auto key lookup methods (--auto-key-lookup) are used to
* import the key into the local keyring. Otherwise, just the local
* keyring is consulted.
* If name appears to be a valid RFC822 mailbox (i.e., email address)
* and auto key lookup is enabled (mode != GET_PUBKEY_NO_AKL), then
* the specified auto key lookup methods (--auto-key-lookup) are used
* to import the key into the local keyring. Otherwise, just the
* local keyring is consulted.
*
* MODE can be one of:
* GET_PUBKEY_NORMAL - The standard mode
* GET_PUBKEY_NO_AKL - The auto key locate functionality is
* disabled and only the local key ring is
* considered. Note: the local key ring is
* consulted even if local is not in the
* auto-key-locate option list!
* GET_PUBKEY_NO_LOCAL - Only the auto key locate functionaly is
* used and no local search is done.
*
* If RETCTX is not NULL, then the constructed context is returned in
* *RETCTX so that getpubkey_next can be used to get subsequent
......@@ -990,18 +1000,14 @@ key_byname (ctrl_t ctrl, GETKEY_CTX *retctx, strlist_t namelist,
* documentation for skip_unusable for an exact definition) are
* skipped unless they are looked up by key id or by fingerprint.
*
* If NO_AKL is set, then the auto key locate functionality is
* disabled and only the local key ring is considered. Note: the
* local key ring is consulted even if local is not in the
* --auto-key-locate option list!
*
* This function returns 0 on success. Otherwise, an error code is
* returned. In particular, GPG_ERR_NO_PUBKEY or GPG_ERR_NO_SECKEY
* (if want_secret is set) is returned if the key is not found. */
int
get_pubkey_byname (ctrl_t ctrl, GETKEY_CTX * retctx, PKT_public_key * pk,
get_pubkey_byname (ctrl_t ctrl, enum get_pubkey_modes mode,
GETKEY_CTX * retctx, PKT_public_key * pk,
const char *name, KBNODE * ret_keyblock,
KEYDB_HANDLE * ret_kdbhd, int include_unusable, int no_akl)
KEYDB_HANDLE * ret_kdbhd, int include_unusable)
{
int rc;
strlist_t namelist = NULL;
......@@ -1037,7 +1043,9 @@ get_pubkey_byname (ctrl_t ctrl, GETKEY_CTX * retctx, PKT_public_key * pk,
* Note: we only save the search context in RETCTX if the local
* method is the first method tried (either explicitly or
* implicitly). */
if (!no_akl)
if (mode == GET_PUBKEY_NO_LOCAL)
nodefault = 1; /* Auto-key-locate but ignore "local". */
else if (mode != GET_PUBKEY_NO_AKL)
{
/* auto-key-locate is enabled. */
......@@ -1066,7 +1074,13 @@ get_pubkey_byname (ctrl_t ctrl, GETKEY_CTX * retctx, PKT_public_key * pk,
anylocalfirst = 1;
}