author Werner Koch <wk@gnupg.org> 2024-09-11 14:24:58 +0200
committer Werner Koch <wk@gnupg.org> 2024-09-11 14:30:40 +0200
commit 33e571a74a7d6153ba65aeecc72539a10f1f0ae4
tree b3ddc5b1932d90e29017a05fbb9318664b8a0eec /doc
parent build: Remove configure option --enable-gpg-is-gpg2
gpgsm: New option --assert-signer
* sm/gpgsm.c (oAssertSigner, oNoop): New.
(opts): Add option --assert-signer.
(assert_signer_true): New var.
(main): Set new option.
(gpgsm_exit): Handle assert_signer_true.
* sm/gpgsm.h (opt): Add field assert_signer_list.
* sm/verify.c (is_x509_fingerprint): New.
(check_assert_signer_list): New.
(gpgsm_verify): Handle option.
--

GnuPG-bug-id: 7286
Diffstat (limited to 'doc')
-rw-r--r-- doc/gpgsm.texi 15
1 files changed, 15 insertions, 0 deletions
diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi
index 1316318a6..2cb50539a 100644
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@@ -732,6 +732,21 @@ instead to make sure that the gpgsm process exits with a failure if
the compliance rules are not fulfilled. Note that this option has
currently an effect only in "de-vs" mode.
+@item --assert-signer @var{fpr_or_file}
+@opindex assert-signer
+This option checks whether at least one valid signature on a file has
+been made with the specified key. The key is either specified as a
+fingerprint or a file listing fingerprints. The fingerprint must be
+given or listed in compact format (no colons or spaces in between).
+As of now only SHA-1 fingerprints are allowed. This option can be
+given multiple times and each fingerprint is checked against the
+signing key as well as the corresponding primary key. If
+@var{fpr_or_file} specifies a file, empty lines are ignored as well as
+all lines starting with a hash sign. With this option gpgsm is
+guaranteed to return with an exit code of 0 if and only if a signature
+has been encountered, is valid, and the key matches one of the
+fingerprints given by this option.
+
@item --always-trust
@opindex always-trust
Force encryption to the specified certificates without any validation
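
Review bot: The sentence "each fingerprint is checked against the signing key as well as the corresponding primary key" in the new @item describes a primary key/subkey relation that X.509 certificates do not have, so for gpgsm it is unclear what the second comparison refers to. Suggest dropping the "primary key" clause and writing "certificate" rather than "key" throughout the entry, matching the wording of the neighbouring --always-trust item. The entry should also say how @var{fpr_or_file} is told apart (fingerprint versus file name) and what happens when a value is not a compact SHA-1 fingerprint, for example a colon-separated or longer fingerprint: whether it is rejected with an error or simply never matches. That matters because the closing "exit code of 0 if and only if" guarantee is what scripts will rely on, and only the success case is stated; naming the non-zero exit behaviour when no listed fingerprint matches would complete it.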