Package: gnupg2 / 2.2.12-1+deb10u1

from-2.2.15/sm-Allow-decryption-even-if-expired-other-keys-are-config.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
From: Werner Koch <wk@gnupg.org>
Date: Tue, 26 Mar 2019 13:31:06 +0100
Subject: sm: Allow decryption even if expired other keys are configured.

* sm/gpgsm.c (main): Add special handling for bad keys in decrypt
mode.
--

The problem can easily be tested by adding --encrypt-to EXPIRED_KEY to
a decryption command.  With that patch the errors are printed but
decryption continues and the process returns success unless other
errors occur.

GnuPG-bug-id: 4431
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 30972d21824264aef2088d30b4f2e5ce3aca889e)
---
 sm/gpgsm.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/sm/gpgsm.c b/sm/gpgsm.c
index 52f26e2..598caa2 100644
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -1732,6 +1732,8 @@ main ( int argc, char **argv)
 
   if (!do_not_setup_keys)
     {
+      int errcount = log_get_errorcount (0);
+
       for (sl = locusr; sl ; sl = sl->next)
         {
           int rc = gpgsm_add_to_certlist (&ctrl, sl->d, 1, &signerlist, 0);
@@ -1760,6 +1762,15 @@ main ( int argc, char **argv)
             if ((sl->flags & 1))
               do_add_recipient (&ctrl, sl->d, &recplist, 1, recp_required);
         }
+
+      /* We do not require a recipient for decryption but because
+       * recipients and signers are always checked and log_error is
+       * sometimes used (for failed signing keys or due to a failed
+       * CRL checking) that would have bumbed up the error counter.
+       * We clear the counter in the decryption case because there is
+       * no reason to force decryption to fail. */
+      if (cmd == aDecrypt && !errcount)
+        log_get_errorcount (1); /* clear counter */
     }
 
   if (log_get_errorcount(0))