+Noteworthy changes in version 2.2.17 (2019-07-09)
+-------------------------------------------------
+
+ * gpg: Ignore all key-signatures received from keyservers. This
+ change is required to mitigate a DoS due to keys flooded with
+ faked key-signatures. The old behaviour can be achieved by adding
+ keyserver-options no-self-sigs-only,no-import-clean
+ to your gpg.conf. [#4607]
+
+ * gpg: If an imported keyblocks is too large to be stored in the
+ keybox (pubring.kbx) do not error out but fallback to an import
+ using the options "self-sigs-only,import-clean". [#4591]
+
+ * gpg: New command --locate-external-key which can be used to
+ refresh keys from the Web Key Directory or via other methods
+ configured with --auto-key-locate.
+
+ * gpg: New import option "self-sigs-only".
+
+ * gpg: In --auto-key-retrieve prefer WKD over keyservers. [#4595]
+
+ * dirmngr: Support the "openpgpkey" subdomain feature from
+ draft-koch-openpgp-webkey-service-07. [#4590].
+
+ * dirmngr: Add an exception for the "openpgpkey" subdomain to the
+ CSRF protection. [#4603]
+
+ * dirmngr: Fix endless loop due to http errors 503 and 504. [#4600]
+
+ * dirmngr: Fix TLS bug during redirection of HKP requests. [#4566]
+
+ * gpgconf: Fix a race condition when killing components. [#4577]
+
+ Release-info: https://dev.gnupg.org/T4606
+ See-also: gnupg-announce/2019q3/000439.html
+
+
Noteworthy changes in version 2.2.16 (2019-05-28)
-------------------------------------------------
* gpg: Fix a bug where a LF was accidentally written to the console.
- * gpg: --card-status now shwos whether a card has the new KDF
+ * gpg: --card-status now shows whether a card has the new KDF
feature enabled.
* agent: New runtime option --s2k-calibration=MSEC. New configure
command but from the menu provided by the new --card-edit command.
* PINs are now properly cached and there are only 2 PINs visible.
- The 3rd PIN (CHV2) is internally syncronized with the regular PIN.
+ The 3rd PIN (CHV2) is internally synchronized with the regular PIN.
* All kind of other internal stuff.
{
cmdopt = line;
if (!command_has_option (cmd, cmdopt))
- rc = gpg_error (GPG_ERR_GENERAL);
+ rc = gpg_error (GPG_ERR_FALSE);
}
}
}
}
else if (!strcmp (line, "restricted"))
{
- rc = ctrl->restricted? 0 : gpg_error (GPG_ERR_GENERAL);
+ rc = ctrl->restricted? 0 : gpg_error (GPG_ERR_FALSE);
}
else if (ctrl->restricted)
{
}
else if (!strcmp (line, "scd_running"))
{
- rc = agent_scd_check_running ()? 0 : gpg_error (GPG_ERR_GENERAL);
+ rc = agent_scd_check_running ()? 0 : gpg_error (GPG_ERR_FALSE);
}
else if (!strcmp (line, "std_env_names"))
{
GetCurrentProcess(), &h2,
EVENT_MODIFY_STATE|SYNCHRONIZE, TRUE, 0))
{
- log_error ("setting syncronize for scd notify event failed: %s\n",
+ log_error ("setting synchronize for scd notify event failed: %s\n",
w32_strerror (-1) );
CloseHandle (h);
}
m4_define([mym4_package],[gnupg])
m4_define([mym4_major], [2])
m4_define([mym4_minor], [2])
-m4_define([mym4_micro], [16])
+m4_define([mym4_micro], [17])
# To start a new development series, i.e a new major or minor number
# you need to mark an arbitrary commit before the first beta release
{ NULL, "api.protonmail.ch" },
{ "pm.me", "api.protonmail.ch" }
};
+ static const char *subdomains[] =
+ {
+ "openpgpkey."
+ };
int i;
const char *from;
return 1;
}
+ /* Also consider hosts the same if they differ only in a subdomain;
+ * in both direction. This allows to have redirection between the
+ * WKD advanced and direct lookup methods. */
+ for (i=0; i < DIM (subdomains); i++)
+ {
+ const char *subdom = subdomains[i];
+ size_t subdomlen = strlen (subdom);
+
+ if (!ascii_strncasecmp (a->host, subdom, subdomlen)
+ && !ascii_strcasecmp (a->host + subdomlen, b->host))
+ return 1;
+ if (!ascii_strncasecmp (b->host, subdom, subdomlen)
+ && !ascii_strcasecmp (b->host + subdomlen, a->host))
+ return 1;
+ }
+
return 0;
}
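Review bot: The new `subdomains` loop widens the same-host redirect check for whatever request reaches this function, but its comment only gives the WKD motivation and does not mark the block as a deliberate relaxation of the CSRF protection. I would add a line such as `/* Security: this relaxes the redirect check; only add fixed labels that are controlled by the operator of the parent domain. */` so the list is not extended casually. The loop also compares `int i` with `DIM (subdomains)`, which is presumably an unsigned `sizeof`-based count, so a cast or an unsigned index would avoid a sign-compare warning. The function starts outside the hunk, so whether scheme and port are compared before this point cannot be confirmed from here.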
/* Number of retries done for a dead host etc. */
#define SEND_REQUEST_RETRIES 3
+/* Number of retries done in case of transient errors. */
+#define SEND_REQUEST_EXTRA_RETRIES 5
+
+
enum ks_protocol { KS_PROTOCOL_HKP, KS_PROTOCOL_HKPS, KS_PROTOCOL_MAX };
/* Objects used to maintain information about hosts. */
/* FIXME: I am not sure whey we allow a downgrade for hkp requests.
* Needs at least an explanation here.. */
+ once_more:
err = http_session_new (&session, httphost,
((ctrl->http_no_crl? HTTP_FLAG_NO_CRL : 0)
| HTTP_FLAG_TRUST_DEF),
http_session_set_log_cb (session, cert_log_cb);
http_session_set_timeout (session, ctrl->timeout);
- once_more:
err = http_open (&http,
post_cb? HTTP_REQ_POST : HTTP_REQ_GET,
request,
request = request_buffer;
http_close (http, 0);
http = NULL;
+ http_session_release (session);
+ session = NULL;
}
goto once_more;
with REQUEST. The function returns true if the caller shall try
again. TRIES_LEFT points to a variable to track the number of
retries; this function decrements it and won't return true if it is
- down to zero. */
+ down to zero. EXTRA_TRIES_LEFT does the same but only for
+ transient http status codes. */
static int
handle_send_request_error (ctrl_t ctrl, gpg_error_t err, const char *request,
- unsigned int http_status, unsigned int *tries_left)
+ unsigned int http_status, unsigned int *tries_left,
+ unsigned int *extra_tries_left)
{
int retry = 0;
case 503: /* Service Unavailable */
case 504: /* Gateway Timeout */
- log_info ("selecting a different host due to a %u (%s)",
- http_status, http_status2string (http_status));
- retry = 1;
+ if (*extra_tries_left)
+ {
+ log_info ("selecting a different host due to a %u (%s)",
+ http_status, http_status2string (http_status));
+ retry = 2;
+ }
break;
}
}
break;
}
- if (*tries_left)
- --*tries_left;
+ if (retry == 2)
+ {
+ if (*extra_tries_left)
+ --*extra_tries_left;
+ }
+ else
+ {
+ if (*tries_left)
+ --*tries_left;
+ }
return retry;
}
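Review bot: `handle_send_request_error` now returns three values, with `retry = 2` set in the `case 503`/`case 504` branch and tested again at `if (retry == 2)`, but the header comment still speaks of returning true and the `2` is an unexplained literal. The callers visible on this page only test for non-zero, so behaviour is unaffected, yet I would add `Returns 2 instead of 1 if the retry was charged to EXTRA_TRIES_LEFT.` to the comment or name the constant. The re-added `log_info ("selecting a different host due to a %u (%s)", ...)` also lacks a trailing `\n`, unlike the other log calls in this commit. Parts of the function body lie outside the visible hunks.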
char *httphost = NULL;
unsigned int http_status;
unsigned int tries = SEND_REQUEST_RETRIES;
+ unsigned int extra_tries = SEND_REQUEST_EXTRA_RETRIES;
*r_fp = NULL;
/* Send the request. */
err = send_request (ctrl, request, hostport, httphost, httpflags,
NULL, NULL, &fp, &http_status);
- if (handle_send_request_error (ctrl, err, request, http_status, &tries))
+ if (handle_send_request_error (ctrl, err, request, http_status,
+ &tries, &extra_tries))
{
reselect = 1;
goto again;
unsigned int httpflags;
unsigned int http_status;
unsigned int tries = SEND_REQUEST_RETRIES;
+ unsigned int extra_tries = SEND_REQUEST_EXTRA_RETRIES;
*r_fp = NULL;
/* Send the request. */
err = send_request (ctrl, request, hostport, httphost, httpflags,
NULL, NULL, &fp, &http_status);
- if (handle_send_request_error (ctrl, err, request, http_status, &tries))
+ if (handle_send_request_error (ctrl, err, request, http_status,
+ &tries, &extra_tries))
{
reselect = 1;
goto again;
unsigned int httpflags;
unsigned int http_status;
unsigned int tries = SEND_REQUEST_RETRIES;
+ unsigned int extra_tries = SEND_REQUEST_EXTRA_RETRIES;
parm.datastring = NULL;
/* Send the request. */
err = send_request (ctrl, request, hostport, httphost, 0,
put_post_cb, &parm, &fp, &http_status);
- if (handle_send_request_error (ctrl, err, request, http_status, &tries))
+ if (handle_send_request_error (ctrl, err, request, http_status,
+ &tries, &extra_tries))
{
reselect = 1;
goto again;
gpg_error_t err = 0;
char *mbox = NULL;
char *domainbuf = NULL;
- char *domain; /* Points to mbox or domainbuf. */
- char *domain_orig;/* Points to mbox. */
+ char *domain; /* Points to mbox or domainbuf. This is used to
+ * connect to the host. */
+ char *domain_orig;/* Points to mbox. This is the used for the
+ * query; i.e. the domain part of the
+ * addrspec. */
char sha1buf[20];
char *uri = NULL;
char *encodedhash = NULL;
int is_wkd_query; /* True if this is a real WKD query. */
int no_log = 0;
char portstr[20] = { 0 };
+ int subdomain_mode = 0;
opt_submission_addr = has_option (line, "--submission-address");
opt_policy_flags = has_option (line, "--policy-flags");
*domain++ = 0;
domain_orig = domain;
- /* First check whether we already know that the domain does not
+
+ /* Let's check whether we already know that the domain does not
* support WKD. */
if (is_wkd_query)
{
}
}
- /* Check for SRV records. */
- if (1)
+
+ /* First try the new "openpgp" subdomain. We check that the domain
+ * is valid because it is later used as an unescaped filename part
+ * of the URI. */
+ if (is_valid_domain_name (domain_orig))
+ {
+ dns_addrinfo_t aibuf;
+
+ domainbuf = strconcat ( "openpgpkey.", domain_orig, NULL);
+ if (!domainbuf)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
+ }
+
+ /* FIXME: We should put a cache into dns-stuff because the same
+ * query (with a different port and socket type, though) will be
+ * done later by http function. */
+ err = resolve_dns_name (domainbuf, 0, 0, 0, &aibuf, NULL);
+ if (err)
+ {
+ err = 0;
+ xfree (domainbuf);
+ domainbuf = NULL;
+ }
+ else /* Got a subdomain. */
+ {
+ free_dns_addrinfo (aibuf);
+ subdomain_mode = 1;
+ domain = domainbuf;
+ }
+ }
+
+ /* Check for SRV records unless we have a subdomain. */
+ if (!subdomain_mode)
{
struct srventry *srvs;
unsigned int srvscount;
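Review bot: The comment opening the new block says `"openpgp" subdomain`, while the code and the NEWS entry use `openpgpkey.`; it should read `/* First try the new "openpgpkey" subdomain. ...`. In the same block every `resolve_dns_name` failure is reset with `err = 0`, so a transient resolver error and a non-existent subdomain both fall back silently to the SRV/direct method; a short comment that this is intended, or a `log_debug` of the discarded error, would help anyone auditing which host a WKD lookup actually contacted. `is_valid_domain_name (domain_orig)` guards only the subdomain path, and when it fails `domain` is still used unvalidated as the host part of the URI built further down, which this hunk does not change. The enclosing function starts and ends outside the hunk.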
xfree (srvs);
}
+ /* Prepare the hash of the local part. */
gcry_md_hash_buffer (GCRY_MD_SHA1, sha1buf, mbox, strlen (mbox));
encodedhash = zb32_encode (sha1buf, 8*20);
if (!encodedhash)
uri = strconcat ("https://",
domain,
portstr,
- "/.well-known/openpgpkey/submission-address",
+ "/.well-known/openpgpkey/",
+ subdomain_mode? domain_orig : "",
+ subdomain_mode? "/" : "",
+ "submission-address",
NULL);
}
else if (opt_policy_flags)
uri = strconcat ("https://",
domain,
portstr,
- "/.well-known/openpgpkey/policy",
+ "/.well-known/openpgpkey/",
+ subdomain_mode? domain_orig : "",
+ subdomain_mode? "/" : "",
+ "policy",
NULL);
}
else
uri = strconcat ("https://",
domain,
portstr,
- "/.well-known/openpgpkey/hu/",
+ "/.well-known/openpgpkey/",
+ subdomain_mode? domain_orig : "",
+ subdomain_mode? "/" : "",
+ "hu/",
encodedhash,
"?l=",
escapedmbox,
@item --locate-keys
+@itemx --locate-external-keys
@opindex locate-keys
+@opindex locate-external-keys
Locate the keys given as arguments. This command basically uses the
-same algorithm as used when locating keys for encryption or signing and
-may thus be used to see what keys @command{@gpgname} might use. In
-particular external methods as defined by @option{--auto-key-locate} may
-be used to locate a key. Only public keys are listed.
+same algorithm as used when locating keys for encryption or signing
+and may thus be used to see what keys @command{@gpgname} might use.
+In particular external methods as defined by
+@option{--auto-key-locate} may be used to locate a key. Only public
+keys are listed. The variant @option{--locate-external-keys} does not
+consider a locally existing key and can thus be used to force the
+refresh of a key via the defined external methods.
@item --show-keys
@opindex show-keys
a keyserver when verifying signatures made by keys that are not on the
local keyring. The default is @option{--no-auto-key-retrieve}.
-If the method "wkd" is included in the list of methods given to
-@option{auto-key-locate}, the signer's user ID is part of the
-signature, and the option @option{--disable-signer-uid} is not used,
-the "wkd" method may also be used to retrieve a key.
+The order of methods tried to lookup the key is:
+
+1. If a preferred keyserver is specified in the signature and the
+option @option{honor-keyserver-url} is active (which is not the
+default), that keyserver is tried. Note that the creator of the
+signature uses the option @option{--sig-keyserver-url} to specify the
+preferred keyserver for data signatures.
+
+2. If the signature has the Signer's UID set (e.g. using
+@option{--sender} while creating the signature) a Web Key Directory
+(WKD) lookup is done. This is the default configuration but can be
+disabled by removing WKD from the auto-key-locate list or by using the
+option @option{--disable-signer-uid}.
+
+3. If the option @option{honor-pka-record} is active, the legacy PKA
+method is used.
+
+4. If any keyserver is configured and the Issuer Fingerprint is part
+of the signature (since GnuPG 2.1.16), the configured keyservers are
+tried.
Note that this option makes a "web bug" like behavior possible.
Keyserver or Web Key Directory operators can see which keys you
@end table
+The default list of options is: "self-sigs-only, import-clean,
+repair-keys, repair-pks-subkey-bug, export-attributes,
+honor-pka-record".
+
+
@item --completes-needed @var{n}
@opindex compliant-needed
Number of completely trusted users to introduce a new
on the keyring. This option is the same as running the @option{--edit-key}
command "clean" after import. Defaults to no.
+ @item self-sigs-only
+ Accept only self-signatures while importing a key. All other
+ key-signatures are skipped at an early import stage. This option
+ can be used with @code{keyserver-options} to mitigate attempts to
+ flood a key with bogus signatures from a keyserver. The drawback is
+ that all other valid key-signatures, as required by the Web of Trust
+ are also not imported.
+
@item repair-keys
After import, fix various problems with the
keys. For example, this reorders signatures, and strips duplicate
@item --disable-signer-uid
@opindex disable-signer-uid
-By default the user ID of the signing key is embedded in the data
-signature. As of now this is only done if the signing key has been
-specified with @option{local-user} using a mail address. This
-information can be helpful for verifier to locate the key; see
-option @option{--auto-key-retrieve}.
+By default the user ID of the signing key is embedded in the data signature.
+As of now this is only done if the signing key has been specified with
+@option{local-user} using a mail address, or with @option{sender}. This
+information can be helpful for verifier to locate the key; see option
+@option{--auto-key-retrieve}.
@item --personal-cipher-preferences @var{string}
@opindex personal-cipher-preferences
Key Directory.
With the @option{--supported} command the caller can test whether a
-site supports the Web Key Service. The argument is an arbitray
+site supports the Web Key Service. The argument is an arbitrary
address in the to be tested domain. For example
@file{foo@@example.net}. The command returns success if the Web Key
Service is supported. The operation is silent; to get diagnostic
/* Return true if the status message NO may currently be issued. We
- need this to avoid syncronisation problem while auto retrieving a
+ need this to avoid synchronization problem while auto retrieving a
key. There it may happen that a status NODATA is issued for a non
available key and the user may falsely interpret this has a missing
signature. */
{
getkey_ctx_t getkeyctx;
- err = get_pubkey_byname (ctrl, &getkeyctx, NULL, userid, &keyblock,
+ err = get_pubkey_byname (ctrl, GET_PUBKEY_NO_AKL,
+ &getkeyctx, NULL, userid, &keyblock,
NULL,
- 0 /* Only usable keys or given exact. */,
- 1 /* No AKL lookup. */);
+ 0 /* Only usable keys or given exact. */);
if (!err)
{
err = getkey_next (ctrl, getkeyctx, NULL, NULL);
/* Find a public key identified by NAME.
*
- * If name appears to be a valid RFC822 mailbox (i.e., email
- * address) and auto key lookup is enabled (no_akl == 0), then the
- * specified auto key lookup methods (--auto-key-lookup) are used to
- * import the key into the local keyring. Otherwise, just the local
- * keyring is consulted.
+ * If name appears to be a valid RFC822 mailbox (i.e., email address)
+ * and auto key lookup is enabled (mode != GET_PUBKEY_NO_AKL), then
+ * the specified auto key lookup methods (--auto-key-lookup) are used
+ * to import the key into the local keyring. Otherwise, just the
+ * local keyring is consulted.
+ *
+ * MODE can be one of:
+ * GET_PUBKEY_NORMAL - The standard mode
+ * GET_PUBKEY_NO_AKL - The auto key locate functionality is
+ * disabled and only the local key ring is
+ * considered. Note: the local key ring is
+ * consulted even if local is not in the
+ * auto-key-locate option list!
+ * GET_PUBKEY_NO_LOCAL - Only the auto key locate functionaly is
+ * used and no local search is done.
*
* If RETCTX is not NULL, then the constructed context is returned in
* *RETCTX so that getpubkey_next can be used to get subsequent
* documentation for skip_unusable for an exact definition) are
* skipped unless they are looked up by key id or by fingerprint.
*
- * If NO_AKL is set, then the auto key locate functionality is
- * disabled and only the local key ring is considered. Note: the
- * local key ring is consulted even if local is not in the
- * --auto-key-locate option list!
- *
* This function returns 0 on success. Otherwise, an error code is
* returned. In particular, GPG_ERR_NO_PUBKEY or GPG_ERR_NO_SECKEY
* (if want_secret is set) is returned if the key is not found. */
int
-get_pubkey_byname (ctrl_t ctrl, GETKEY_CTX * retctx, PKT_public_key * pk,
+get_pubkey_byname (ctrl_t ctrl, enum get_pubkey_modes mode,
+ GETKEY_CTX * retctx, PKT_public_key * pk,
const char *name, KBNODE * ret_keyblock,
- KEYDB_HANDLE * ret_kdbhd, int include_unusable, int no_akl)
+ KEYDB_HANDLE * ret_kdbhd, int include_unusable)
{
int rc;
strlist_t namelist = NULL;
* Note: we only save the search context in RETCTX if the local
* method is the first method tried (either explicitly or
* implicitly). */
- if (!no_akl)
+ if (mode == GET_PUBKEY_NO_LOCAL)
+ nodefault = 1; /* Auto-key-locate but ignore "local". */
+ else if (mode != GET_PUBKEY_NO_AKL)
{
/* auto-key-locate is enabled. */
anylocalfirst = 1;
}
- if (nodefault && is_mbox)
+ if (mode == GET_PUBKEY_NO_LOCAL)
+ {
+ /* Force using the AKL. If IS_MBOX is not set this is the final
+ * error code. */
+ rc = GPG_ERR_NO_PUBKEY;
+ }
+ else if (nodefault && is_mbox)
{
/* Either "nodefault" or "local" (explicitly) appeared in the
* auto key locate list and NAME appears to be an email address.
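Review bot: In `GET_PUBKEY_NO_LOCAL` mode a NAME that is not a mailbox ends with `GPG_ERR_NO_PUBKEY` without any lookup having been tried, and this is stated only in the inline comment above `rc = GPG_ERR_NO_PUBKEY;`, not in the MODE list of the function header. Callers, presumably including the new `--locate-external-keys` path, need to know that, so I would add to the `GET_PUBKEY_NO_LOCAL` entry something like `For a NAME which is not a mail address this mode always returns GPG_ERR_NO_PUBKEY.` The header entry also contains the typo `functionaly`. The function body continues outside the hunk.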
/* If the requested name resembles a valid mailbox and automatic
retrieval has been enabled, we try to import the key. */
- if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY && !no_akl && is_mbox)
+ if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
+ && mode != GET_PUBKEY_NO_AKL
+ && is_mbox)
{
/* NAME wasn't present in the local keyring (or we didn't try
* the local keyring). Since the auto key locate feature is
{
case AKL_NODEFAULT:
/* This is a dummy mechanism. */
- mechanism_string = "None";
+ mechanism_string = "";
rc = GPG_ERR_NO_PUBKEY;
break;
case AKL_LOCAL:
- mechanism_string = "Local";
- did_akl_local = 1;
- if (retctx)
- {
- getkey_end (ctrl, *retctx);
- *retctx = NULL;
- }
- add_to_strlist (&namelist, name);
- rc = key_byname (ctrl, anylocalfirst ? retctx : NULL,
- namelist, pk, 0,
- include_unusable, ret_keyblock, ret_kdbhd);
+ if (mode == GET_PUBKEY_NO_LOCAL)
+ {
+ mechanism_string = "";
+ rc = GPG_ERR_NO_PUBKEY;
+ }
+ else
+ {
+ mechanism_string = "Local";
+ did_akl_local = 1;
+ if (retctx)
+ {
+ getkey_end (ctrl, *retctx);
+ *retctx = NULL;
+ }
+ add_to_strlist (&namelist, name);
+ rc = key_byname (ctrl, anylocalfirst ? retctx : NULL,
+ namelist, pk, 0,
+ include_unusable, ret_keyblock, ret_kdbhd);
+ }
break;
case AKL_CERT:
name, mechanism_string);
break;
}
- if (gpg_err_code (rc) != GPG_ERR_NO_PUBKEY
- || opt.verbose || no_fingerprint)
+ if ((gpg_err_code (rc) != GPG_ERR_NO_PUBKEY
+ || opt.verbose || no_fingerprint) && *mechanism_string)
log_info (_("error retrieving '%s' via %s: %s\n"),
name, mechanism_string,
no_fingerprint ? _("No fingerprint") : gpg_strerror (rc));
}
}
-
if (rc && retctx)
{
getkey_end (ctrl, *retctx);
* resembles a mail address, the results are ranked and only the best
* result is returned. */
gpg_error_t
-get_best_pubkey_byname (ctrl_t ctrl, GETKEY_CTX *retctx, PKT_public_key *pk,
+get_best_pubkey_byname (ctrl_t ctrl, enum get_pubkey_modes mode,
+ GETKEY_CTX *retctx, PKT_public_key *pk,
const char *name, KBNODE *ret_keyblock,
int include_unusable)
{
getkey_end (ctrl, ctx);
ctx = NULL;
}
- err = get_pubkey_byname (ctrl, &ctx, pk, name, ret_keyblock,
- NULL, include_unusable, 0);
+ err = get_pubkey_byname (ctrl, mode,
+ &ctx, pk, name, ret_keyblock,
+ NULL, include_unusable);
if (err)
{
getkey_end (ctrl, ctx);
aSendKeys,
aRecvKeys,
aLocateKeys,
+ aLocateExtKeys,
aSearchKeys,
aRefreshKeys,
aFetchKeys,
ARGPARSE_c (aRefreshKeys, "refresh-keys",
N_("update all keys from a keyserver")),
ARGPARSE_c (aLocateKeys, "locate-keys", "@"),
+ ARGPARSE_c (aLocateExtKeys, "locate-external-keys", "@"),
ARGPARSE_c (aFetchKeys, "fetch-keys" , "@" ),
ARGPARSE_c (aShowKeys, "show-keys" , "@" ),
ARGPARSE_c (aExportSecret, "export-secret-keys" , "@" ),
opt.import_options = IMPORT_REPAIR_KEYS;
opt.export_options = EXPORT_ATTRIBUTES;
opt.keyserver_options.import_options = (IMPORT_REPAIR_KEYS
- | IMPORT_REPAIR_PKS_SUBKEY_BUG);
+ | IMPORT_REPAIR_PKS_SUBKEY_BUG
+ | IMPORT_SELF_SIGS_ONLY
+ | IMPORT_CLEAN);
opt.keyserver_options.export_options = EXPORT_ATTRIBUTES;
opt.keyserver_options.options = KEYSERVER_HONOR_PKA_RECORD;
opt.verify_options = (LIST_SHOW_UID_VALIDITY
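Review bot: The new defaults `IMPORT_SELF_SIGS_ONLY | IMPORT_CLEAN` change what every keyserver import retains, yet the assignment carries no comment giving the reason. A note at the assignment, for example `/* Ignore third-party key-signatures from keyservers by default to mitigate signature flooding [#4607]; valid Web of Trust signatures are dropped as well. */`, would keep a later cleanup from removing the flags as redundant. The enclosing function is not visible in the hunk.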
#endif /* ENABLE_CARD_SUPPORT*/
case aListKeys:
case aLocateKeys:
+ case aLocateExtKeys:
case aListSigs:
case aExportSecret:
case aExportSecretSub:
sl = NULL;
for( ; argc; argc--, argv++ )
add_to_strlist2( &sl, *argv, utf8_strings );
- public_key_list (ctrl, sl, 0);
+ public_key_list (ctrl, sl, 0, 0);
free_strlist(sl);
break;
case aListSecretKeys:
free_strlist(sl);
break;
case aLocateKeys:
+ case aLocateExtKeys:
sl = NULL;
for (; argc; argc--, argv++)
add_to_strlist2( &sl, *argv, utf8_strings );
- public_key_list (ctrl, sl, 1);
+ public_key_list (ctrl, sl, 1, cmd == aLocateExtKeys);
free_strlist (sl);
break;
option, argv[0]);
pk.req_usage = PUBKEY_USAGE_SIG;
- err = get_pubkey_byname (NULL, NULL, &pk, argv[1], NULL, NULL, 1, 1);
+ err = get_pubkey_byname (NULL, GET_PUBKEY_NO_AKL,
+ NULL, &pk, argv[1], NULL, NULL, 1);
if (err)
log_fatal ("looking up key %s: %s\n", argv[1], gpg_strerror (err));
memset (&pk, 0, sizeof (pk));
pk.req_usage = PUBKEY_USAGE_ENC;
- err = get_pubkey_byname (NULL, NULL, &pk, pi.keyid, NULL, NULL, 1, 1);
+ err = get_pubkey_byname (NULL, GET_PUBKEY_NO_AKL,
+ NULL, &pk, pi.keyid, NULL, NULL, 1);
if (err)
log_fatal ("%s: looking up key %s: %s\n",
option, pi.keyid, gpg_strerror (err));
unsigned char **fpr, size_t *fpr_len, unsigned int options,
import_screener_t screener, void *screener_arg,
int origin, const char *url);
-static int read_block (IOBUF a, int with_meta,
+static int read_block (IOBUF a, unsigned int options,
PACKET **pending_pkt, kbnode_t *ret_root, int *r_v3keys);
static void revocation_present (ctrl_t ctrl, kbnode_t keyblock);
static gpg_error_t import_one (ctrl_t ctrl,
static int delete_inv_parts (ctrl_t ctrl, kbnode_t keyblock,
u32 *keyid, unsigned int options);
static int any_uid_left (kbnode_t keyblock);
+static void remove_all_non_self_sigs (kbnode_t *keyblock, u32 *keyid);
static int merge_blocks (ctrl_t ctrl, unsigned int options,
kbnode_t keyblock_orig,
kbnode_t keyblock, u32 *keyid,
{"import-minimal",IMPORT_MINIMAL|IMPORT_CLEAN,NULL,
N_("remove as much as possible from key after import")},
+ {"self-sigs-only", IMPORT_SELF_SIGS_ONLY, NULL,
+ N_("ignore key-signatures which are not self-signatures")},
+
{"import-export", IMPORT_EXPORT, NULL,
N_("run import filters and export key immediately")},
release_armor_context (afx);
}
- while (!(rc = read_block (inp, !!(options & IMPORT_RESTORE),
- &pending_pkt, &keyblock, &v3keys)))
+ while (!(rc = read_block (inp, options, &pending_pkt, &keyblock, &v3keys)))
{
stats->v3keys += v3keys;
if (keyblock->pkt->pkttype == PKT_PUBLIC_KEY)
}
-/****************
- * Read the next keyblock from stream A.
- * Meta data (ring trust packets) are only considered of WITH_META is set.
- * PENDING_PKT should be initialized to NULL and not changed by the caller.
- * Return: 0 = okay, -1 no more blocks or another errorcode.
- * The int at R_V3KEY counts the number of unsupported v3
- * keyblocks.
+/* Read the next keyblock from stream A. Meta data (ring trust
+ * packets) are only considered if OPTIONS has the IMPORT_RESTORE flag
+ * set. PENDING_PKT should be initialized to NULL and not changed by
+ * the caller.
+ *
+ * Returns 0 for okay, -1 no more blocks, or any other errorcode. The
+ * integer at R_V3KEY counts the number of unsupported v3 keyblocks.
*/
static int
-read_block( IOBUF a, int with_meta,
+read_block( IOBUF a, unsigned int options,
PACKET **pending_pkt, kbnode_t *ret_root, int *r_v3keys)
{
int rc;
PACKET *pkt;
kbnode_t root = NULL;
int in_cert, in_v3key, skip_sigs;
+ u32 keyid[2];
+ int got_keyid = 0;
+ unsigned int dropped_nonselfsigs = 0;
*r_v3keys = 0;
{
root = new_kbnode( *pending_pkt );
*pending_pkt = NULL;
+ log_assert (root->pkt->pkttype == PKT_PUBLIC_KEY
+ || root->pkt->pkttype == PKT_SECRET_KEY);
in_cert = 1;
+ keyid_from_pk (root->pkt->pkt.public_key, keyid);
+ got_keyid = 1;
}
else
in_cert = 0;
pkt = xmalloc (sizeof *pkt);
init_packet (pkt);
init_parse_packet (&parsectx, a);
- if (!with_meta)
+ if (!(options & IMPORT_RESTORE))
parsectx.skip_meta = 1;
in_v3key = 0;
skip_sigs = 0;
init_packet(pkt);
break;
+ case PKT_SIGNATURE:
+ if (!in_cert)
+ goto x_default;
+ if (!(options & IMPORT_SELF_SIGS_ONLY))
+ goto x_default;
+ log_assert (got_keyid);
+ if (pkt->pkt.signature->keyid[0] == keyid[0]
+ && pkt->pkt.signature->keyid[1] == keyid[1])
+ { /* This is likely a self-signature. We import this one.
+ * Eventually we should use the ISSUER_FPR to compare
+ * self-signatures, but that will work only for v5 keys
+ * which are currently not even deployed.
+ * Note that we do not do any crypto verify here because
+ * that would defeat this very mitigation of DoS by
+ * importing a key with a huge amount of faked
+ * key-signatures. A verification will be done later in
+ * the processing anyway. Here we want a cheap an early
+ * way to drop non-self-signatures. */
+ goto x_default;
+ }
+ /* Skip this signature. */
+ dropped_nonselfsigs++;
+ free_packet (pkt, &parsectx);
+ init_packet(pkt);
+ break;
+
case PKT_PUBLIC_KEY:
case PKT_SECRET_KEY:
- if (in_cert ) /* Store this packet. */
+ if (!got_keyid)
+ {
+ keyid_from_pk (pkt->pkt.public_key, keyid);
+ got_keyid = 1;
+ }
+ if (in_cert) /* Store this packet. */
{
*pending_pkt = pkt;
pkt = NULL;
goto ready;
}
in_cert = 1;
- /* fall through */
+ goto x_default;
+
default:
x_default:
if (in_cert && valid_keyblock_packet (pkt->pkttype))
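Review bot: The test in the new `case PKT_SIGNATURE:` compares only the issuer key ID read from the not yet verified packet, so it filters by claimed issuer and places no bound on how many signatures are kept; the comment says "likely a self-signature" but does not spell out that limitation. I would state it, e.g. `/* The key ID is unauthenticated; this is a cheap pre-filter and not a limit on the number of retained signatures. */`, and mention that the later verification and the keybox size limit handled in `import_one` remain the backstop. The same key-ID-only comparison is repeated in `remove_all_non_self_sigs`. The comment also has the typo `a cheap an early way`, and `read_block` starts and ends outside this hunk.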
free_packet (pkt, &parsectx);
deinit_parse_packet (&parsectx);
xfree( pkt );
+ if (!rc && dropped_nonselfsigs && opt.verbose)
+ log_info ("key %s: number of dropped non-self-signatures: %u\n",
+ keystr (keyid), dropped_nonselfsigs);
+
return rc;
}
* has valid parts.
*/
static gpg_error_t
-import_one (ctrl_t ctrl,
- kbnode_t keyblock, struct import_stats_s *stats,
- unsigned char **fpr, size_t *fpr_len, unsigned int options,
- int from_sk, int silent,
- import_screener_t screener, void *screener_arg,
- int origin, const char *url, int *r_valid)
+import_one_real (ctrl_t ctrl,
+ kbnode_t keyblock, struct import_stats_s *stats,
+ unsigned char **fpr, size_t *fpr_len, unsigned int options,
+ int from_sk, int silent,
+ import_screener_t screener, void *screener_arg,
+ int origin, const char *url, int *r_valid)
{
gpg_error_t err = 0;
PKT_public_key *pk;
return 0;
}
+ /* Remove all non-self-sigs if requested. Noe that this is a NOP if
+ * that option has been globally set but we may also be called
+ * latter with the already parsed keyblock and a locally changed
+ * option. This is why we need to remove them here as well. */
+ if ((options & IMPORT_SELF_SIGS_ONLY))
+ remove_all_non_self_sigs (&keyblock, keyid);
+
collapse_uids(&keyblock);
/* Clean the key that we're about to import, to cut down on things
hd = NULL;
/* We are ready. */
- if (!opt.quiet && !silent)
+ if (!err && !opt.quiet && !silent)
{
char *p = get_user_id_byfpr_native (ctrl, fpr2);
log_info (_("key %s: public key \"%s\" imported\n"),
keystr(keyid), p);
xfree(p);
}
- if (is_status_enabled())
+ if (!err && is_status_enabled())
{
char *us = get_long_user_id_string (ctrl, keyid);
write_status_text( STATUS_IMPORTED, us );
xfree(us);
print_import_ok (pk, 1);
}
- stats->imported++;
- new_key = 1;
+ if (!err)
+ {
+ stats->imported++;
+ new_key = 1;
+ }
}
else /* Key already exists - merge. */
{
keydb_release (hd);
hd = NULL;
- /* We are ready. */
- if (!opt.quiet && !silent)
+ /* We are ready. Print and update stats if we got no error.
+ * An error here comes from writing the keyblock and thus
+ * very likely means that no update happened. */
+ if (!err && !opt.quiet && !silent)
{
char *p = get_user_id_byfpr_native (ctrl, fpr2);
if (n_uids == 1 )
xfree(p);
}
- stats->n_uids +=n_uids;
- stats->n_sigs +=n_sigs;
- stats->n_subk +=n_subk;
- stats->n_sigs_cleaned +=n_sigs_cleaned;
- stats->n_uids_cleaned +=n_uids_cleaned;
-
- if (is_status_enabled () && !silent)
- print_import_ok (pk, ((n_uids?2:0)|(n_sigs?4:0)|(n_subk?8:0)));
+ if (!err)
+ {
+ stats->n_uids +=n_uids;
+ stats->n_sigs +=n_sigs;
+ stats->n_subk +=n_subk;
+ stats->n_sigs_cleaned +=n_sigs_cleaned;
+ stats->n_uids_cleaned +=n_uids_cleaned;
+
+ if (is_status_enabled () && !silent)
+ print_import_ok (pk, ((n_uids?2:0)|(n_sigs?4:0)|(n_subk?8:0)));
+ }
}
else
{
}
+/* Wrapper around import_one_real to retry the import in some cases. */
+static gpg_error_t
+import_one (ctrl_t ctrl,
+ kbnode_t keyblock, struct import_stats_s *stats,
+ unsigned char **fpr, size_t *fpr_len, unsigned int options,
+ int from_sk, int silent,
+ import_screener_t screener, void *screener_arg,
+ int origin, const char *url, int *r_valid)
+{
+ gpg_error_t err;
+
+ err = import_one_real (ctrl, keyblock, stats, fpr, fpr_len, options,
+ from_sk, silent, screener, screener_arg,
+ origin, url, r_valid);
+ if (gpg_err_code (err) == GPG_ERR_TOO_LARGE
+ && gpg_err_source (err) == GPG_ERR_SOURCE_KEYBOX
+ && ((options & (IMPORT_SELF_SIGS_ONLY | IMPORT_CLEAN))
+ != (IMPORT_SELF_SIGS_ONLY | IMPORT_CLEAN)))
+ {
+ /* We hit the maximum image length. Ask the wrapper to do
+ * everything again but this time with some extra options. */
+ u32 keyid[2];
+
+ keyid_from_pk (keyblock->pkt->pkt.public_key, keyid);
+ log_info ("key %s: keyblock too large, retrying with self-sigs-only\n",
+ keystr (keyid));
+ options |= IMPORT_SELF_SIGS_ONLY | IMPORT_CLEAN;
+ err = import_one_real (ctrl, keyblock, stats, fpr, fpr_len, options,
+ from_sk, silent, screener, screener_arg,
+ origin, url, r_valid);
+ }
+ return err;
+}
+
+
/* Transfer all the secret keys in SEC_KEYBLOCK to the gpg-agent. The
* function prints diagnostics and returns an error code. If BATCH is
* true the secret keys are stored by gpg-agent in the transfer format
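Review bot: The retry in the new `import_one` wrapper runs `import_one_real` a second time on the same `keyblock` and `stats`, so anything the first pass did before the keybox write failed (counters, status lines, error messages, in-place changes to the keyblock) is repeated or seen by the second pass. The `!err` guards added in this commit cover only the places visible here, and whether earlier parts of `import_one_real` are equally safe to run twice cannot be checked from this page. I would record the contract at the wrapper, e.g. `/* import_one_real must not update STATS or emit status lines before the keyblock has been stored because it may be called twice. */`.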
/* The secret keyblock may not have nodes which are deleted in
* the public keyblock. Otherwise we would import just the
* secret key without having the public key. That would be
- * surprising and clutters out private-keys-v1.d. */
+ * surprising and clutters our private-keys-v1.d. */
err = resync_sec_with_pub_keyblock (&keyblock, pub_keyblock, &attic);
if (err)
goto leave;
}
+/* Delete all non-self-sigs from KEYBLOCK.
+ * Returns: True if the keyblock has changed. */
+static void
+remove_all_non_self_sigs (kbnode_t *keyblock, u32 *keyid)
+{
+ kbnode_t node;
+ unsigned int dropped = 0;
+
+ for (node = *keyblock; node; node = node->next)
+ {
+ if (is_deleted_kbnode (node))
+ continue;
+
+ if (node->pkt->pkttype != PKT_SIGNATURE)
+ continue;
-/****************
+ if (node->pkt->pkt.signature->keyid[0] == keyid[0]
+ && node->pkt->pkt.signature->keyid[1] == keyid[1])
+ continue;
+ delete_kbnode (node);
+ dropped++;
+ }
+
+ if (dropped)
+ commit_kbnode (keyblock);
+
+ if (dropped && opt.verbose)
+ log_info ("key %s: number of dropped non-self-signatures: %u\n",
+ keystr (keyid), dropped);
+}
+
+
+/*
* It may happen that the imported keyblock has duplicated user IDs.
* We check this here and collapse those user IDs together with their
* sigs into one.
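Review bot: The comment on `remove_all_non_self_sigs` says `Returns: True if the keyblock has changed.`, but the function is declared `static void` and returns nothing. Either drop that line and describe what it does, `/* Delete all non-self-sigs from KEYBLOCK; in verbose mode the number of dropped signatures is logged. */`, or return `dropped != 0` if a caller is meant to use it. The only call visible on this page ignores a result, so the comment fix looks like the smaller change.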
/* Free a list of public keys. */
void pubkeys_free (pubkey_t keys);
+
+/* Mode flags for get_pubkey_byname. */
+enum get_pubkey_modes
+ {
+ GET_PUBKEY_NORMAL = 0,
+ GET_PUBKEY_NO_AKL = 1,
+ GET_PUBKEY_NO_LOCAL = 2
+ };
+
/* Find a public key identified by NAME. */
-int get_pubkey_byname (ctrl_t ctrl,
+int get_pubkey_byname (ctrl_t ctrl, enum get_pubkey_modes mode,
GETKEY_CTX *retctx, PKT_public_key *pk,
const char *name,
KBNODE *ret_keyblock, KEYDB_HANDLE *ret_kdbhd,
- int include_unusable, int no_akl );
+ int include_unusable);
/* Likewise, but only return the best match if NAME resembles a mail
* address. */
-gpg_error_t get_best_pubkey_byname (ctrl_t ctrl,
+gpg_error_t get_best_pubkey_byname (ctrl_t ctrl, enum get_pubkey_modes mode,
GETKEY_CTX *retctx, PKT_public_key *pk,
const char *name, KBNODE *ret_keyblock,
int include_unusable);
#endif
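Review bot: The members of `enum get_pubkey_modes` carry no description, and "Mode flags" with the values 0, 1 and 2 reads like a bit mask, although the visible callers pass exactly one value. A short comment per member would settle that, e.g. `GET_PUBKEY_NO_AKL = 1, /* Do not use the auto-key-locate methods. */` and `GET_PUBKEY_NO_LOCAL = 2 /* Do not look into the local keyring. */`, with the wording to be confirmed against the implementation, which is not shown here. Note also that get_pubkey_byname still takes eight parameters after the change, so a call site that was missed would probably compile with conversion warnings only. Building once with warnings treated as errors would catch that.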
/* Get the public key */
- err = get_pubkey_byname (ctrl, NULL, NULL, username, &keyblock, &kdbhd, 1, 1);
+ err = get_pubkey_byname (ctrl, GET_PUBKEY_NO_AKL,
+ NULL, NULL, username, &keyblock, &kdbhd, 1);
if (err)
{
log_error (_("key \"%s\" not found: %s\n"), username, gpg_strerror (err));
err = gpg_error (GPG_ERR_INV_NAME);
goto leave;
}
- err = get_pubkey_byname (ctrl, NULL, NULL, fpr, &keyblock, &kdbhd, 1, 1);
+ err = get_pubkey_byname (ctrl, GET_PUBKEY_NO_AKL,
+ NULL, NULL, fpr, &keyblock, &kdbhd, 1);
if (err)
{
log_error (_("key \"%s\" not found: %s\n"), fpr, gpg_strerror (err));
primary keys only, but some casual testing shows that PGP and
GnuPG both can handle a designated revocation from a subkey. */
revoker_pk->req_usage = PUBKEY_USAGE_CERT;
- rc = get_pubkey_byname (ctrl, NULL, revoker_pk, answer, NULL, NULL, 1, 1);
+ rc = get_pubkey_byname (ctrl, GET_PUBKEY_NO_AKL,
+ NULL, revoker_pk, answer, NULL, NULL, 1);
if (rc)
{
log_error (_("key \"%s\" not found: %s\n"), answer,
static void list_all (ctrl_t, int, int);
static void list_one (ctrl_t ctrl,
strlist_t names, int secret, int mark_secret);
-static void locate_one (ctrl_t ctrl, strlist_t names);
+static void locate_one (ctrl_t ctrl, strlist_t names, int no_local);
static void print_card_serialno (const char *serialno);
struct keylist_context
/* List the keys. If list is NULL, all available keys are listed.
- With LOCATE_MODE set the locate algorithm is used to find a
- key. */
+ * With LOCATE_MODE set the locate algorithm is used to find a key; if
+ * in addition NO_LOCAL is set the locate does not look into the local
+ * keyring. */
void
-public_key_list (ctrl_t ctrl, strlist_t list, int locate_mode)
+public_key_list (ctrl_t ctrl, strlist_t list, int locate_mode, int no_local)
{
#ifndef NO_TRUST_MODELS
if (opt.with_colons)
#endif
if (locate_mode)
- locate_one (ctrl, list);
+ locate_one (ctrl, list, no_local);
else if (!list)
list_all (ctrl, 0, opt.with_secret);
else
static void
-locate_one (ctrl_t ctrl, strlist_t names)
+locate_one (ctrl_t ctrl, strlist_t names, int no_local)
{
int rc = 0;
strlist_t sl;
for (sl = names; sl; sl = sl->next)
{
- rc = get_best_pubkey_byname (ctrl, &ctx, NULL, sl->d, &keyblock, 1);
+ rc = get_best_pubkey_byname (ctrl,
+ no_local? GET_PUBKEY_NO_LOCAL
+ /* */: GET_PUBKEY_NORMAL,
+ &ctx, NULL, sl->d, &keyblock, 1);
if (rc)
{
if (gpg_err_code (rc) != GPG_ERR_NO_PUBKEY)
{
/* Three slashes means network path with a default host name.
This is a hack because it does not crok all possible
- combiantions. We should better repalce all code bythe parser
+ combinations. We should better replace all code by the parser
from http.c. */
keyserver->path = xstrdup (uri+2);
}
void release_revocation_reason_info( struct revocation_reason_info *reason );
/*-- keylist.c --*/
-void public_key_list (ctrl_t ctrl, strlist_t list, int locate_mode );
+void public_key_list (ctrl_t ctrl, strlist_t list,
+ int locate_mode, int no_local);
void secret_key_list (ctrl_t ctrl, strlist_t list );
void print_subpackets_colon(PKT_signature *sig);
void reorder_keyblock (KBNODE keyblock);
int is_revkey = 0;
char *issuer_fpr = NULL;
PKT_public_key *pk = NULL; /* The public key for the signature or NULL. */
- int tried_ks_by_fpr;
if (opt.skip_verify)
{
rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
- /* If the key isn't found, check for a preferred keyserver. */
- if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY && sig->flags.pref_ks)
+ /* If the key isn't found, check for a preferred keyserver. Note
+ * that this is only done if honor-keyserver-url has been set. We
+ * test for this in the loop so that we can show info about the
+ * preferred keyservers. */
+ if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
+ && sig->flags.pref_ks)
{
const byte *p;
int seq = 0;
size_t n;
+ int any_pref_ks = 0;
while ((p=enum_sig_subpkt (sig->hashed,SIGSUBPKT_PREF_KS,&n,&seq,NULL)))
{
log_info(_("Key available at: ") );
print_utf8_buffer (log_get_stream(), p, n);
log_printf ("\n");
+ any_pref_ks = 1;
- if (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE
- && opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL)
+ if ((opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
+ && (opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL))
{
struct keyserver_spec *spec;
{
int res;
+ if (DBG_LOOKUP)
+ log_debug ("trying auto-key-retrieve method %s\n",
+ "Pref-KS");
+
free_public_key (pk);
pk = NULL;
glo_ctrl.in_auto_key_retrieve++;
if (!res)
rc = do_check_sig (c, node, NULL,
&is_expkey, &is_revkey, &pk);
+ else if (DBG_LOOKUP)
+ log_debug ("lookup via %s failed: %s\n", "Pref-KS",
+ gpg_strerror (res));
free_keyserver_spec (spec);
if (!rc)
}
}
}
+
+ if (any_pref_ks
+ && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
+ && !(opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL))
+ log_info (_("Note: Use '%s' to make use of this info\n"),
+ "--keyserver-option honor-keyserver-url");
+ }
+
+ /* If the above methods didn't work, our next try is to retrieve the
+ * key from the WKD. This requires that WKD is in the AKL and the
+ * Signer's UID is in the signature. */
+ if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
+ && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
+ && !opt.flags.disable_signer_uid
+ && akl_has_wkd_method ()
+ && sig->signers_uid)
+ {
+ int res;
+
+ if (DBG_LOOKUP)
+ log_debug ("trying auto-key-retrieve method %s\n", "WKD");
+ free_public_key (pk);
+ pk = NULL;
+ glo_ctrl.in_auto_key_retrieve++;
+ res = keyserver_import_wkd (c->ctrl, sig->signers_uid, 1, NULL, NULL);
+ glo_ctrl.in_auto_key_retrieve--;
+ /* Fixme: If the fingerprint is embedded in the signature,
+ * compare it to the fingerprint of the returned key. */
+ if (!res)
+ rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
+ else if (DBG_LOOKUP)
+ log_debug ("lookup via %s failed: %s\n", "WKD", gpg_strerror (res));
}
/* If the avove methods didn't work, our next try is to use the URI
- * from a DNS PKA record. */
+ * from a DNS PKA record. This is a legacy method which will
+ * eventually be removed. */
if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
&& (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
&& (opt.keyserver_options.options & KEYSERVER_HONOR_PKA_RECORD))
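Review bot: The WKD lookup added here now runs before the keyserver lookup, yet the block still carries the Fixme that the fetched key is not compared with the fingerprint embedded in the signature. The address passed to keyserver_import_wkd is the signature's Signer's UID, so verifying a message with auto-key-retrieve enabled can make gpg contact a host named by whoever produced the signature. The comment removed further down in this function gave exactly that monitoring concern as the reason for trying keyservers first. I would resolve the Fixme as part of this reordering, so that a WKD result is used only if it matches the issuer fingerprint when the signature carries one. At minimum the new comment should record the trade-off, e.g. `* Note that the WKD host is derived from the Signer's UID and thus from unverified signature data.`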
spec = parse_keyserver_uri (uri, 1);
if (spec)
{
+ if (DBG_LOOKUP)
+ log_debug ("trying auto-key-retrieve method %s\n", "PKA");
+
free_public_key (pk);
pk = NULL;
glo_ctrl.in_auto_key_retrieve++;
free_keyserver_spec (spec);
if (!res)
rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
+ else if (DBG_LOOKUP)
+ log_debug ("lookup via %s failed: %s\n", "PKA",
+ gpg_strerror (res));
}
}
}
/* If the above methods didn't work, our next try is to locate
* the key via its fingerprint from a keyserver. This requires
- * that the signers fingerprint is encoded in the signature. We
- * favor this over the WKD method (to be tried next), because an
- * arbitrary keyserver is less subject to web bug like monitoring. */
- tried_ks_by_fpr = 0;
+ * that the signers fingerprint is encoded in the signature. */
if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
&& (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
&& keyserver_any_configured (c->ctrl))
if (p)
{
/* v4 packet with a SHA-1 fingerprint. */
+ if (DBG_LOOKUP)
+ log_debug ("trying auto-key-retrieve method %s\n", "KS");
+
free_public_key (pk);
pk = NULL;
glo_ctrl.in_auto_key_retrieve++;
res = keyserver_import_fprint (c->ctrl, p, n, opt.keyserver, 1);
- tried_ks_by_fpr = 1;
glo_ctrl.in_auto_key_retrieve--;
if (!res)
rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
+ else if (DBG_LOOKUP)
+ log_debug ("lookup via %s failed: %s\n", "KS", gpg_strerror (res));
}
}
- /* If the above methods didn't work, our next try is to retrieve the
- * key from the WKD. */
- if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
- && (opt.keyserver_options.options & KEYSERVER_AUTO_KEY_RETRIEVE)
- && !opt.flags.disable_signer_uid
- && akl_has_wkd_method ()
- && sig->signers_uid)
- {
- int res;
-
- free_public_key (pk);
- pk = NULL;
- glo_ctrl.in_auto_key_retrieve++;
- res = keyserver_import_wkd (c->ctrl, sig->signers_uid, 1, NULL, NULL);
- glo_ctrl.in_auto_key_retrieve--;
- /* Fixme: If the fingerprint is embedded in the signature,
- * compare it to the fingerprint of the returned key. */
- if (!res)
- rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
- }
-
- /* If the above methods did't work, our next try is to use a
- * keyserver. */
- if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY
- && (opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE)
- && !tried_ks_by_fpr
- && keyserver_any_configured (c->ctrl))
- {
- int res;
-
- free_public_key (pk);
- pk = NULL;
- glo_ctrl.in_auto_key_retrieve++;
- res = keyserver_import_keyid (c->ctrl, sig->keyid, opt.keyserver, 1);
- glo_ctrl.in_auto_key_retrieve--;
- if (!res)
- rc = do_check_sig (c, node, NULL, &is_expkey, &is_revkey, &pk);
- }
-
if (!rc || gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE)
{
kbnode_t un, keyblock;
#define IMPORT_RESTORE (1<<10)
#define IMPORT_REPAIR_KEYS (1<<11)
#define IMPORT_DRY_RUN (1<<12)
+#define IMPORT_SELF_SIGS_ONLY (1<<14)
#define EXPORT_LOCAL_SIGS (1<<0)
#define EXPORT_ATTRIBUTES (1<<1)
if (from_file)
rc = get_pubkey_fromfile (ctrl, pk, name);
else
- rc = get_best_pubkey_byname (ctrl, NULL, pk, name, &keyblock, 0);
+ rc = get_best_pubkey_byname (ctrl, GET_PUBKEY_NORMAL,
+ NULL, pk, name, &keyblock, 0);
if (rc)
{
int code;
r->pk = xmalloc_clear (sizeof *r->pk);
r->pk->req_usage = PUBKEY_USAGE_ENC;
- rc = get_pubkey_byname (ctrl, NULL, r->pk, default_key,
- NULL, NULL, 0, 1);
+ rc = get_pubkey_byname (ctrl, GET_PUBKEY_NO_AKL,
+ NULL, r->pk, default_key, NULL, NULL, 0);
if (rc)
{
xfree (r->pk);
/* We explicitly allow encrypt-to to an disabled key; thus
we pass 1 for the second last argument and 1 as the last
argument to disable AKL. */
- if ( (rc = get_pubkey_byname (ctrl,
- NULL, pk, rov->d, NULL, NULL, 1, 1)) )
+ if ((rc = get_pubkey_byname (ctrl, GET_PUBKEY_NO_AKL,
+ NULL, pk, rov->d, NULL, NULL, 1)))
{
free_public_key ( pk ); pk = NULL;
log_error (_("%s: skipped: %s\n"), rov->d, gpg_strerror (rc) );
free_public_key (pk);
pk = xmalloc_clear( sizeof *pk );
pk->req_usage = PUBKEY_USAGE_ENC;
- rc = get_pubkey_byname (ctrl, NULL, pk, answer, NULL, NULL, 0, 0 );
+ rc = get_pubkey_byname (ctrl, GET_PUBKEY_NORMAL,
+ NULL, pk, answer, NULL, NULL, 0);
if (rc)
tty_printf(_("No such user ID.\n"));
else if ( !(rc=openpgp_pk_test_algo2 (pk->pubkey_algo,
/* The default recipient is allowed to be disabled; thus pass 1
as second last argument. We also don't want an AKL. */
- rc = get_pubkey_byname (ctrl, NULL, pk, def_rec, NULL, NULL, 1, 1);
+ rc = get_pubkey_byname (ctrl, GET_PUBKEY_NO_AKL,
+ NULL, pk, def_rec, NULL, NULL, 1);
if (rc)
log_error(_("unknown default recipient \"%s\"\n"), def_rec );
else if ( !(rc=openpgp_pk_test_algo2(pk->pubkey_algo,
{
cmdopt = line;
if (!command_has_option (cmd, cmdopt))
- err = gpg_error (GPG_ERR_GENERAL);
+ err = gpg_error (GPG_ERR_FALSE);
}
}
}
Note that this value matches TRUST_FLAG_REVOKED
- u16 RFU
- u32 Recheck_after
- - u32 Latest timestamp in the keyblock (useful for KS syncronsiation?)
+ - u32 Latest timestamp in the keyblock (useful for KS synchronization?)
- u32 Blob created at
- u32 [NRES] Size of reserved space (not including this field)
- bN Reserved space of size NRES for future use.
- bN Space for the keyblock or certificate.
- bN RFU. This is the remaining space after keyblock and before
the checksum. It is not covered by the checksum.
- - b20 SHA-1 checksum (useful for KS syncronisation?)
+ - b20 SHA-1 checksum (useful for KS synchronization?)
Note, that KBX versions before GnuPG 2.1 used an MD5
checksum. However it was only created but never checked.
Thus we do not expect problems if we switch to SHA-1. If
msgid "remove as much as possible from key after import"
msgstr ""
+msgid "ignore key-signatures which are not self-signatures"
+msgstr ""
+
msgid "run import filters and export key immediately"
msgstr ""
msgid "Key available at: "
msgstr "La clau és disponible en: "
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr ""
+
msgid "[uncertain]"
msgstr "[incert]"
#
msgid ""
msgstr ""
-"Project-Id-Version: gnupg2 2.2.15\n"
+"Project-Id-Version: gnupg2 2.2.16\n"
"Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"PO-Revision-Date: 2019-04-21 06:20+02:00\n"
+"PO-Revision-Date: 2019-07-05 20:26+02:00\n"
"Last-Translator: Petr Pisar <petr.pisar@atlas.cz>\n"
"Language-Team: Czech <gnupg-i18n@gnupg.org>\n"
"Language: cs\n"
msgid "Note: The public primary key and all its subkeys will be deleted.\n"
msgstr ""
+"Poznámka: Veřejný primární klíč a všechny jeho podklíče budou smazány.\n"
msgid "Note: Only the shown public subkey will be deleted.\n"
-msgstr ""
+msgstr "Poznámka: Smazán bude pouze zobrazený podklíč.\n"
msgid "Note: Only the secret part of the shown primary key will be deleted.\n"
msgstr ""
+"Poznámka: Smazána bude pouze tajná část zobrazeného primárního klíče.\n"
msgid "Note: Only the secret part of the shown subkey will be deleted.\n"
-msgstr ""
+msgstr "Poznámka: Smazána bude pouze tajná část zobrazeného podklíče.\n"
msgid "Delete this key from the keyring? (y/N) "
msgstr "Smazat tento klíč ze souboru klíčů? (a/N) "
msgid "remove as much as possible from key after import"
msgstr "odstranit po importu z klíče vše, co lze"
+msgid "ignore key-signatures which are not self-signatures"
+msgstr ""
+
msgid "run import filters and export key immediately"
msgstr "spustit importní filtry a exportovat klíč okamžitě"
#, c-format
msgid " new user IDs: %lu\n"
-msgstr " nové ID uživatelů: %lu\n"
+msgstr " nová ID uživatelů: %lu\n"
#, c-format
msgid " new subkeys: %lu\n"
msgid "Key available at: "
msgstr "Klíč k dispozici na: "
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr ""
+
msgid "[uncertain]"
msgstr "[nejistý]"
msgid "Component not suitable for launching"
msgstr "Komponenta není vhodná pro spuštění"
-#, fuzzy, c-format
-#| msgid "External verification of component %s failed"
+#, c-format
msgid "Configuration file of component %s is broken\n"
-msgstr "Selhalo externí ověření komponenty %s"
+msgstr "Konfigurační soubor komponenty %s je rozbitý\n"
-#, fuzzy, c-format
-#| msgid "Note: Use the command \"%s\" to restart them.\n"
+#, c-format
msgid "Note: Use the command \"%s%s\" to get details.\n"
-msgstr "Poznámka: Restartovat je můžete příkazem „%s“.\n"
+msgstr "Poznámka: Podrobnosti získáte příkazem „%s%s“.\n"
#, c-format
msgid "External verification of component %s failed"
msgid "remove as much as possible from key after import"
msgstr "fjern så meget som muligt fra nøgle efter import"
+msgid "ignore key-signatures which are not self-signatures"
+msgstr ""
+
msgid "run import filters and export key immediately"
msgstr ""
msgid "Key available at: "
msgstr "Nøgle tilgængelig på: "
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr ""
+
msgid "[uncertain]"
msgstr "[usikker]"
msgstr ""
"Project-Id-Version: gnupg-2.1.0\n"
"Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"PO-Revision-Date: 2019-05-27 12:47+0200\n"
+"PO-Revision-Date: 2019-07-09 13:31+0200\n"
"Last-Translator: Werner Koch <wk@gnupg.org>\n"
"Language-Team: German <de@li.org>\n"
"Language: de\n"
msgid "remove as much as possible from key after import"
msgstr "nach dem Import soviel wie möglich aus dem Schlüssel entfernen"
+msgid "ignore key-signatures which are not self-signatures"
+msgstr "Ignoriere Signaturen die keine Eigenbeglaubigungen sind"
+
msgid "run import filters and export key immediately"
msgstr "Import-Filter anwenden und Schlüssel direkt exportieren"
msgid "Key available at: "
msgstr "Schlüssel erhältlich bei: "
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr "Hinweis: Benutze '%s' um diese Information zu verwenden\n"
+
msgid "[uncertain]"
msgstr "[ungewiß] "
msgid "remove as much as possible from key after import"
msgstr ""
+msgid "ignore key-signatures which are not self-signatures"
+msgstr ""
+
msgid "run import filters and export key immediately"
msgstr ""
msgid "Key available at: "
msgstr "Κλειδί διαθέσιμο στο: "
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr ""
+
msgid "[uncertain]"
msgstr "[αβέβαιο]"
msgid "remove as much as possible from key after import"
msgstr ""
+msgid "ignore key-signatures which are not self-signatures"
+msgstr ""
+
msgid "run import filters and export key immediately"
msgstr ""
msgid "Key available at: "
msgstr "Nenia helpo disponata"
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr ""
+
msgid "[uncertain]"
msgstr "[malcerta]"
msgid "remove as much as possible from key after import"
msgstr "borrar tanto como sea posible de la clave tras importar"
+msgid "ignore key-signatures which are not self-signatures"
+msgstr ""
+
msgid "run import filters and export key immediately"
msgstr "ejecutar filtros de importación y exportar clave inmediatamente"
msgid "Key available at: "
msgstr "Clave disponible en: "
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr ""
+
msgid "[uncertain]"
msgstr "[incierto]"
msgid "remove as much as possible from key after import"
msgstr ""
+msgid "ignore key-signatures which are not self-signatures"
+msgstr ""
+
msgid "run import filters and export key immediately"
msgstr ""
msgid "Key available at: "
msgstr "Võtme leiate: "
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr ""
+
msgid "[uncertain]"
msgstr "[ebakindel]"
msgid "remove as much as possible from key after import"
msgstr ""
+msgid "ignore key-signatures which are not self-signatures"
+msgstr ""
+
msgid "run import filters and export key immediately"
msgstr ""
msgid "Key available at: "
msgstr "Avain saatavilla kohteessa: "
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr ""
+
msgid "[uncertain]"
msgstr "[ei tiedossa]"
msgid "remove as much as possible from key after import"
msgstr "supprimer autant que possible de la clef après l'importation"
+msgid "ignore key-signatures which are not self-signatures"
+msgstr ""
+
msgid "run import filters and export key immediately"
msgstr ""
msgid "Key available at: "
msgstr "Clef disponible sur : "
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr ""
+
msgid "[uncertain]"
msgstr "[doute]"
msgid "remove as much as possible from key after import"
msgstr ""
+msgid "ignore key-signatures which are not self-signatures"
+msgstr ""
+
msgid "run import filters and export key immediately"
msgstr ""
msgid "Key available at: "
msgstr "Chave dispoñible en: "
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr ""
+
msgid "[uncertain]"
msgstr "[incerto]"
msgid "remove as much as possible from key after import"
msgstr ""
+msgid "ignore key-signatures which are not self-signatures"
+msgstr ""
+
msgid "run import filters and export key immediately"
msgstr ""
msgid "Key available at: "
msgstr "Kulcs található: "
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr ""
+
msgid "[uncertain]"
msgstr "[bizonytalan]"
msgid "remove as much as possible from key after import"
msgstr ""
+msgid "ignore key-signatures which are not self-signatures"
+msgstr ""
+
msgid "run import filters and export key immediately"
msgstr ""
msgid "Key available at: "
msgstr "Kunci tersedia di:"
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr ""
+
msgid "[uncertain]"
msgstr "[uncertain]"
msgid "remove as much as possible from key after import"
msgstr ""
+msgid "ignore key-signatures which are not self-signatures"
+msgstr ""
+
msgid "run import filters and export key immediately"
msgstr ""
msgid "Key available at: "
msgstr "Chiave disponibile presso: "
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr ""
+
msgid "[uncertain]"
msgstr "[incerta]"
msgid "remove as much as possible from key after import"
msgstr "インポート後、できるだけ除去します"
+msgid "ignore key-signatures which are not self-signatures"
+msgstr ""
+
msgid "run import filters and export key immediately"
msgstr "インポート・フィルタを実行し鍵をすぐにエクスポートします"
msgid "Key available at: "
msgstr "以下に鍵があります: "
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr ""
+
msgid "[uncertain]"
msgstr "[不確定]"
msgid "remove as much as possible from key after import"
msgstr "fjern så mye som mulig fra nøkkel etter importering"
+msgid "ignore key-signatures which are not self-signatures"
+msgstr ""
+
msgid "run import filters and export key immediately"
msgstr "kjør importeringsfiltre og eksporter nøkkel umiddelbart"
msgid "Key available at: "
msgstr "Nøkkel tilgjengelig ved: "
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr ""
+
msgid "[uncertain]"
msgstr "[usikker]"
#
msgid ""
msgstr ""
-"Project-Id-Version: gnupg-2.2.14\n"
+"Project-Id-Version: gnupg-2.2.16\n"
"Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"PO-Revision-Date: 2019-03-24 10:29+0100\n"
+"PO-Revision-Date: 2019-05-29 17:45+0200\n"
"Last-Translator: Jakub Bogusz <qboosh@pld-linux.org>\n"
"Language-Team: Polish <translation-team-pl@lists.sourceforge.net>\n"
"Language: pl\n"
msgid "Note: The public primary key and all its subkeys will be deleted.\n"
msgstr ""
+"Uwaga: główny klucz publiczny i wszystkie jego podklucze zostaną usunięte.\n"
msgid "Note: Only the shown public subkey will be deleted.\n"
-msgstr ""
+msgstr "Uwaga: usunięty zostanie tylko pokazany podklucz publiczny.\n"
msgid "Note: Only the secret part of the shown primary key will be deleted.\n"
msgstr ""
+"Uwaga: usunięta zostanie tylko tajna część pokazanego klucza głównego.\n"
msgid "Note: Only the secret part of the shown subkey will be deleted.\n"
-msgstr ""
+msgstr "Uwaga: usunięta zostanie tylko tajna część pokazanego podklucza.\n"
msgid "Delete this key from the keyring? (y/N) "
msgstr "Usunąć ten klucz ze zbioru? (t/N) "
msgid "remove as much as possible from key after import"
msgstr "usuwanie jak największej części kluczy po imporcie"
+msgid "ignore key-signatures which are not self-signatures"
+msgstr ""
+
msgid "run import filters and export key immediately"
msgstr "natychmiastowe uruchomienie filtrów importu i eksport klucza"
msgid "Key available at: "
msgstr "Klucz dostępny w: "
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr ""
+
msgid "[uncertain]"
msgstr "[niepewne]"
msgid "Component not suitable for launching"
msgstr "Komponent nie nadaje się do uruchomienia"
-#, fuzzy, c-format
-#| msgid "External verification of component %s failed"
+#, c-format
msgid "Configuration file of component %s is broken\n"
-msgstr "Zewnętrzna weryfikacja komponentu %s nie powiodła się"
+msgstr "Plik konfiguracyjny komponentu %s jest uszkodzony\n"
-#, fuzzy, c-format
-#| msgid "Note: Use the command \"%s\" to restart them.\n"
+#, c-format
msgid "Note: Use the command \"%s%s\" to get details.\n"
-msgstr "Uwaga: do restartu ich należy użyć polecenia ,,%s''.\n"
+msgstr "Podpowiedź: można użyć polecenia ,,%s%s'', aby uzyskać szczegóły.\n"
#, c-format
msgid "External verification of component %s failed"
msgstr ""
"Składnia: gpg-check-pattern [opcje] plik-wzorców\n"
"Sprawdzanie hasła ze standardowego wejścia względem pliku wzorców\n"
-
-#~ msgid "no keyserver known (use option --keyserver)\n"
-#~ msgstr "brak znanyk serwerów kluczy (użyj opcji --keyserver)\n"
-
-#~ msgid "error creating 'ultimately_trusted_keys' TOFU table: %s\n"
-#~ msgstr "błąd tworzenia tabeli TOFU ,,ultimately_trusted_keys'': %s\n"
-
-#~ msgid "error creating 'encryptions' TOFU table: %s\n"
-#~ msgstr "błąd tworzenia tabeli TOFU ,,encryptions'': %s\n"
-
-#~ msgid "adding column effective_policy to bindings DB: %s\n"
-#~ msgstr "dodawanie kolumny effective_policy do bazy danych powiązań: %s\n"
-
-#~ msgid "resetting keydb: %s\n"
-#~ msgstr "resetowanie bazy danych kluczy: %s\n"
-
-#~ msgid "error setting TOFU binding's policy to %s\n"
-#~ msgstr "błąd ustawiania polityki powiądań TOFU na %s\n"
-
-#~ msgid "%s: Verified %ld~signature in the past %s."
-#~ msgid_plural "%s: Verified %ld~signatures in the past %s."
-#~ msgstr[0] "%s: Sprawdzono %ld~podpis przez %s."
-#~ msgstr[1] "%s: Sprawdzono %ld~podpisy przez %s."
-#~ msgstr[2] "%s: Sprawdzono %ld~podpisów przez %s."
-
-#~ msgid "Encrypted %ld~message in the past %s."
-#~ msgid_plural "Encrypted %ld~messages in the past %s."
-#~ msgstr[0] "Zaszyfrowano %ld~wiadomość przez %s."
-#~ msgstr[1] "Zaszyfrowano %ld~wiadomości przez %s."
-#~ msgstr[2] "Zaszyfrowano %ld~wiadomości przez %s."
-
-#~ msgid "error setting policy for key %s, user id \"%s\": %s"
-#~ msgstr ""
-#~ "błąd ustawiania polityki dla klucza %s, identyfikator użytkownika ,,%s'': "
-#~ "%s"
-
-#~ msgid "only SHA-1 is supported for OCSP responses\n"
-#~ msgstr "dla odpowiedzi OCSP obsługiwane jest tylko SHA-1\n"
msgid "remove as much as possible from key after import"
msgstr ""
+msgid "ignore key-signatures which are not self-signatures"
+msgstr ""
+
msgid "run import filters and export key immediately"
msgstr ""
msgid "Key available at: "
msgstr "Nenhuma ajuda disponível"
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr ""
+
msgid "[uncertain]"
msgstr "[incerto]"
msgid "remove as much as possible from key after import"
msgstr ""
+msgid "ignore key-signatures which are not self-signatures"
+msgstr ""
+
msgid "run import filters and export key immediately"
msgstr ""
msgid "Key available at: "
msgstr "Cheie disponibilă la: "
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr ""
+
msgid "[uncertain]"
msgstr "[nesigur]"
msgstr ""
"Project-Id-Version: GnuPG 2.2.0\n"
"Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"PO-Revision-Date: 2019-02-14 17:41+0100\n"
+"PO-Revision-Date: 2019-05-29 17:41+0100\n"
"Last-Translator: Ineiev <ineiev@gnu.org>\n"
"Language-Team: Russian <gnupg-ru@gnupg.org>\n"
"Language: ru\n"
msgstr "не могу выполнить в пакетном режиме без \"--yes\"\n"
msgid "Note: The public primary key and all its subkeys will be deleted.\n"
-msgstr ""
+msgstr "Замечание: Будут удалены открытый первичный ключ и все его подключи.\n"
msgid "Note: Only the shown public subkey will be deleted.\n"
-msgstr ""
+msgstr "Замечание: Будет удален только показанный открытый подключ.\n"
msgid "Note: Only the secret part of the shown primary key will be deleted.\n"
msgstr ""
+"Замечание: Будет удалена только секретная часть показанного первичного "
+"ключа.\n"
msgid "Note: Only the secret part of the shown subkey will be deleted.\n"
msgstr ""
+"Замечание: Будет удалена только секретная часть показанного подключа.\n"
msgid "Delete this key from the keyring? (y/N) "
msgstr "Удалить данный ключ из таблицы? (y/N) "
msgid "remove as much as possible from key after import"
msgstr "удалить после импорта из ключа как можно больше"
+msgid "ignore key-signatures which are not self-signatures"
+msgstr ""
+
msgid "run import filters and export key immediately"
msgstr "применить фильтры импорта и немедленно экспортировать ключ"
msgid "Key available at: "
msgstr "Ключ доступен на: "
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr ""
+
msgid "[uncertain]"
msgstr "[сомнительно]"
msgid "Component not suitable for launching"
msgstr "Компонент не подходит для запуска"
-#, fuzzy, c-format
-#| msgid "External verification of component %s failed"
+#, c-format
msgid "Configuration file of component %s is broken\n"
-msgstr "Ð\92неÑ\88нÑ\8fÑ\8f пÑ\80овеÑ\80ка компоненÑ\82а %s не пÑ\80оÑ\88ла"
+msgstr "Файл конÑ\84игÑ\83Ñ\80аÑ\86ии компоненÑ\82а %s неиÑ\81пÑ\80авен\n"
-#, fuzzy, c-format
-#| msgid "Note: Use the command \"%s\" to restart them.\n"
+#, c-format
msgid "Note: Use the command \"%s%s\" to get details.\n"
-msgstr "Ð\97амеÑ\87ание: Ð\94лÑ\8f иÑ\85 пеÑ\80езагÑ\80Ñ\83зки воÑ\81полÑ\8cзÑ\83йÑ\82еÑ\81Ñ\8c командой \"%s\".\n"
+msgstr "Ð\97амеÑ\87ание: Ð\9fодÑ\80обноÑ\81Ñ\82и можно вÑ\8bвеÑ\81Ñ\82и командой \"%s%s\".\n"
#, c-format
msgid "External verification of component %s failed"
msgid "remove as much as possible from key after import"
msgstr ""
+msgid "ignore key-signatures which are not self-signatures"
+msgstr ""
+
msgid "run import filters and export key immediately"
msgstr ""
msgid "Key available at: "
msgstr "Kľúč k dispozícii na: "
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr ""
+
msgid "[uncertain]"
msgstr "[neistý] "
msgid "remove as much as possible from key after import"
msgstr "ta bort så mycket som möjligt från nyckeln efter importering"
+msgid "ignore key-signatures which are not self-signatures"
+msgstr ""
+
msgid "run import filters and export key immediately"
msgstr ""
msgid "Key available at: "
msgstr "Nyckeln tillgänglig hos: "
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr ""
+
# Visas vid ogiltig signatur:
# Eftersom signaturen är ogiltig kan man inte vara säker på att angivet namn och nyckel-id är riktigt.
msgid "[uncertain]"
msgid "remove as much as possible from key after import"
msgstr "ithalat sonrası anahtardan mümkün olduğunca çok şey kaldırır"
+msgid "ignore key-signatures which are not self-signatures"
+msgstr ""
+
msgid "run import filters and export key immediately"
msgstr ""
msgid "Key available at: "
msgstr "Anahtar burada:"
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr ""
+
msgid "[uncertain]"
msgstr "[şüpheli]"
msgid "remove as much as possible from key after import"
msgstr "вилучити максимум частин з ключа після імпортування"
+msgid "ignore key-signatures which are not self-signatures"
+msgstr ""
+
msgid "run import filters and export key immediately"
msgstr "запустити фільтри імпортування та експортувати ключ негайно"
msgid "Key available at: "
msgstr "Ключ доступний на: "
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr ""
+
msgid "[uncertain]"
msgstr "[непевний]"
msgid "remove as much as possible from key after import"
msgstr "导入后尽可能多地移除密钥中的可选部分"
+msgid "ignore key-signatures which are not self-signatures"
+msgstr ""
+
msgid "run import filters and export key immediately"
msgstr "运行导入过滤器并立即导出密钥"
msgid "Key available at: "
msgstr "密钥在以下地方可用: "
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr ""
+
msgid "[uncertain]"
msgstr "[不确定]"
msgid "remove as much as possible from key after import"
msgstr "匯入後盡可能地從金鑰中移除"
+msgid "ignore key-signatures which are not self-signatures"
+msgstr ""
+
msgid "run import filters and export key immediately"
msgstr ""
msgid "Key available at: "
msgstr "可用的金鑰於: "
+#, c-format
+msgid "Note: Use '%s' to make use of this info\n"
+msgstr ""
+
msgid "[uncertain]"
msgstr "[ 不確定 ]"
Where FLAGS is a plain hexadecimal number representing flag values.
The lsb is here the rightmost bit. Defined flags bits are:
- Bit 0 = CHV1 and CHV2 are not syncronized
+ Bit 0 = CHV1 and CHV2 are not synchronized
Bit 1 = CHV2 has been set to the default PIN of "123456"
(this implies that bit 0 is also set).
bit 7 1
bit 6 1
bit 5 clear=request,set=response
- bit 4..0 0 = resyncronisation request
+ bit 4..0 0 = resynchronization request
1 = information field size request
2 = abort request
3 = extension of BWT request
{
cmdopt = line;
if (!command_has_option (cmd, cmdopt))
- rc = gpg_error (GPG_ERR_GENERAL);
+ rc = gpg_error (GPG_ERR_FALSE);
}
}
}
}
else if (!strcmp (line, "offline"))
{
- rc = ctrl->offline? 0 : gpg_error (GPG_ERR_GENERAL);
+ rc = ctrl->offline? 0 : gpg_error (GPG_ERR_FALSE);
}
else
rc = set_error (GPG_ERR_ASS_PARAMETER, "unknown value for WHAT");
}
/* Do the restart for the selected backends. */
- for (backend = 0; backend < GC_BACKEND_NR; backend++)
+ for (backend = GC_BACKEND_NR-1; backend; backend--)
{
if (runtime[backend] && gc_backend[backend].runtime_change)
(*gc_backend[backend].runtime_change) (1);
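Review bot: The reversed loop ends on the condition `backend`, so index 0 is no longer visited, whereas the old loop started at 0. If slot 0 is only a placeholder that never has a runtime_change handler this is harmless, but that cannot be seen from the hunk and should be stated. I would write the bound explicitly as `for (backend = GC_BACKEND_NR-1; backend > 0; backend--)`, preceded by a comment such as `/* Walk the backends in reverse order; slot 0 is not a real backend. */`. The author should add the reason the order matters. The enclosing function starts and ends outside the hunk.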
/* We limit the output to 64 KiB to avoid DoS using compression
* tricks. A regular client will anyway only send a minimal key;
* that is one w/o key signatures and attribute packets. */
- ccparray_put (&ccp, "--max-output=0xf0000"); /*FIXME: Change s/F/1/ */
+ ccparray_put (&ccp, "--max-output=0x10000");
ccparray_put (&ccp, "--batch");
if (opt.verbose)
ccparray_put (&ccp, "--verbose");