diff options
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/DETAILS | 6 | ||||
| -rw-r--r-- | doc/gpg.texi | 23 | ||||
| -rw-r--r-- | doc/gpgv.texi | 5 |
3 files changed, 33 insertions, 1 deletions
diff --git a/doc/DETAILS b/doc/DETAILS index fd95e511c..29e39708b 100644 --- a/doc/DETAILS +++ b/doc/DETAILS @@ -527,6 +527,12 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB: --assert-signer is used. The fingerprint is printed with uppercase hex digits. +*** ASSERT_PUBKEY_ALGO <fingerprint> <state> <algostr> + This is emitted when option --assert-pubkey-algo is used and the + signing algorithms is accepted according to that list if state is + 1 or denied if state is 0. The fingerprint is printed with + uppercase hex digits. + *** SIG_ID <radix64_string> <sig_creation_date> <sig-timestamp> This is emitted only for signatures of class 0 or 1 which have been verified okay. The string is a signature id and may be used diff --git a/doc/gpg.texi b/doc/gpg.texi index 2f5b613d8..26e0ebdcd 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -1917,6 +1917,29 @@ is guaranteed to return with an exit code of 0 if and only if a signature has been encountered, is valid, and the key matches one of the fingerprints given by this option. +@item --assert-pubkey-algo @var{algolist} +@opindex assert-pubkey-algo +During data signature verification this options checks whether the +used public key algorithm matches the algorithms given by +@var{algolist}. This option can be given multiple times to +concatenate more algorithms to the list; the delimiter of the list are +either commas or spaces. + +The algorithm names given in the list may either be verbatim names +like "ed25519" with an optional leading single equal sign, or being +prefixed with ">", ">=", "<=", or "<". That prefix operator is +applied to the number part of the algorithm name; for example 2048 in +"rsa2048" or 384 in "brainpoolP384r1". If the the leading non-digits +in the name matches, the prefix operator is used to compare the number +part, a trailing suffix is ignored in this case. For example an +algorithm list ">rsa3000, >=brainpool384r1, =ed25519" allows RSA +signatures with more that 3000 bits, Brainpool curves 384 and 512, +and the ed25519 algorithm. + +With this option gpg (and also gpgv) is guaranteed to return with an +exit code of 0 if and only if all valid signatures on data are made +using a matching algorithm from the given list. + @item --auto-key-locate @var{mechanisms} @itemx --no-auto-key-locate diff --git a/doc/gpgv.texi b/doc/gpgv.texi index 2dd9576b6..54ab23383 100644 --- a/doc/gpgv.texi +++ b/doc/gpgv.texi @@ -140,6 +140,10 @@ This option enables a mode in which filenames of the form @file{-&n}, where n is a non-negative decimal number, refer to the file descriptor n and not to a file with that name. +@item --assert-pubkey-algo @var{algolist} +@opindex assert-pubkey-algo +This option works in the same way as described for @command{gpg}. + @end table @mansect return value @@ -190,4 +194,3 @@ The default keyring with the allowed keys. @mansect see also @command{gpg}(1) @include see-also-note.texi - |