Allow certifying a key as trusted introducer for a domain

GnuPG-bug-id: 5245

CMakeLists.txt

@@ -86,6 +86,9 @@ set(HAVE_QDBUS ${Qt5DBus_FOUND})
 
 find_package(Gpgmepp ${GPGME_REQUIRED_VERSION} CONFIG REQUIRED)
 find_package(QGpgme ${GPGME_REQUIRED_VERSION} CONFIG REQUIRED)
+if (QGpgme_VERSION VERSION_GREATER_EQUAL "1.15.2")
+    set(QGPGME_SUPPORTS_TRUST_SIGNATURES 1)
+endif()
 
 # Kdepimlibs packages
 find_package(KF5Libkleo ${LIBKLEO_VERSION} CONFIG REQUIRED)

config-kleopatra.h.cmake

@@ -26,3 +26,6 @@
 
 /* DBus available */
 #cmakedefine01 HAVE_QDBUS
+
+/* Defined if QGpgME supports trust signatures */
+#cmakedefine QGPGME_SUPPORTS_TRUST_SIGNATURES 1

src/commands/certifycertificatecommand.cpp

@@ -88,7 +88,6 @@ CertifyCertificateCommand::Private::Private(CertifyCertificateCommand *qq, KeyLi
       dialog(),
       job()
 {
-
 }
 
 CertifyCertificateCommand::Private::~Private()
@@ -265,6 +264,12 @@ void CertifyCertificateCommand::Private::slotCertificationPrepared()
     // This also came with 1.14.0
     job->setDupeOk(true);
 #endif
+#ifdef QGPGME_SUPPORTS_TRUST_SIGNATURES
+    if (dialog->trustSignatureSelected() && !dialog->trustSignatureDomain().isEmpty()) {
+        // always create level 1 trust signatures with complete trust
+        job->setTrustSignature(TrustSignatureTrust::Complete, 1, dialog->trustSignatureDomain());
+    }
+#endif
 
     if (const Error err = job->start(key())) {
         slotResult(err);

src/dialogs/certifycertificatedialog.cpp

@@ -89,9 +89,14 @@ bool CertifyCertificateDialog::exportableCertificationSelected() const
     return mCertWidget->exportableSelected();
 }
 
-bool CertifyCertificateDialog::trustCertificationSelected() const
+bool CertifyCertificateDialog::trustSignatureSelected() const
 {
-    return false;
+    return mCertWidget->trustSignatureSelected();
+}
+
+QString CertifyCertificateDialog::trustSignatureDomain() const
+{
+    return mCertWidget->trustSignatureDomain();
 }
 
 bool CertifyCertificateDialog::nonRevocableCertificationSelected() const

src/dialogs/certifycertificatedialog.h

@@ -31,7 +31,8 @@ public:
 
     bool exportableCertificationSelected() const;
 
-    bool trustCertificationSelected() const;
+    bool trustSignatureSelected() const;
+    QString trustSignatureDomain() const;
 
     bool nonRevocableCertificationSelected() const;
 

src/dialogs/certifywidget.cpp

@@ -6,6 +6,8 @@
     SPDX-License-Identifier: GPL-2.0-or-later
 */
 
+#include <config-kleopatra.h>
+
 #include "certifywidget.h"
 
 #include "kleopatra_debug.h"
@@ -215,6 +217,8 @@ public:
     Private(CertifyWidget *qq)
         : q{qq}
         , mFprLabel{new QLabel{q}}
+        , mTrustSignatureCB{new QCheckBox{q}}
+        , mTrustSignatureDomainLE{new QLineEdit{q}}
     {
         auto mainLay = new QVBoxLayout(q);
         mainLay->addWidget(mFprLabel);
@@ -281,6 +285,17 @@ public:
         infoBtn->setVisible(false);
 #endif
 
+#ifndef QGPGME_SUPPORTS_TRUST_SIGNATURES
+        mTrustSignatureCB->setVisible(false);
+        mTrustSignatureDomainLE->setVisible(false);
+#endif
+        mTrustSignatureCB->setText(i18n("Certify as trusted introducer"));
+        mTrustSignatureDomainLE->setPlaceholderText(i18n("Domain"));
+        mTrustSignatureDomainLE->setEnabled(mTrustSignatureCB->isChecked());
+
+        advLay->addWidget(mTrustSignatureCB);
+        advLay->addWidget(mTrustSignatureDomainLE);
+
         expander->setContentLayout(advLay);
 
         mPublishCB->setEnabled(false);
@@ -298,6 +313,12 @@ public:
             Q_EMIT q->changed();
         });
 
+        connect(mTrustSignatureCB, &QCheckBox::toggled, q, [this] (bool on) {
+            mTrustSignatureDomainLE->setEnabled(on);
+            Q_EMIT q->changed();
+        });
+        connect(mTrustSignatureDomainLE, &QLineEdit::textChanged, q, &CertifyWidget::changed);
+
         loadConfig();
     }
 
@@ -406,6 +427,9 @@ public:
 
     bool isValid() const
     {
+        static const QRegularExpression domainNameRegExp{QStringLiteral(R"(^\s*((xn--)?[a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}\s*$)"),
+                                                         QRegularExpression::CaseInsensitiveOption};
+
         // do not accept null keys
         if (mTarget.isNull() || mSecKeySelect->currentKey().isNull()) {
             return false;
@@ -418,16 +442,21 @@ public:
         if (_detail::ByFingerprint<std::equal_to>()(mTarget, mSecKeySelect->currentKey())) {
             return false;
         }
+        if (mTrustSignatureCB->isChecked() && !domainNameRegExp.match(mTrustSignatureDomainLE->text()).hasMatch()) {
+            return false;
+        }
         return true;
     }
 
-private:
+public:
     CertifyWidget *const q;
     QLabel *mFprLabel = nullptr;
     KeySelectionCombo *mSecKeySelect = nullptr;
     QCheckBox *mExportCB = nullptr;
     QCheckBox *mPublishCB = nullptr;
     QLineEdit *mTagsLE = nullptr;
+    QCheckBox *mTrustSignatureCB = nullptr;
+    QLineEdit *mTrustSignatureDomainLE = nullptr;
 
     UserIDModel mUserIDModel;
     GpgME::Key mTarget;
@@ -481,6 +510,16 @@ bool CertifyWidget::publishSelected() const
     return d->publishSelected();
 }
 
+bool CertifyWidget::trustSignatureSelected() const
+{
+    return d->mTrustSignatureCB->isChecked();
+}
+
+QString CertifyWidget::trustSignatureDomain() const
+{
+    return d->mTrustSignatureDomainLE->text().trimmed();
+}
+
 bool CertifyWidget::isValid() const
 {
     return d->isValid();

src/dialogs/certifywidget.h

@@ -53,6 +53,12 @@ public:
     /* Should the signed key be be published */
     bool publishSelected() const;
 
+    /* Whether a trust signature should be created */
+    bool trustSignatureSelected() const;
+
+    /* The domain to use to limit the scope of the trust signature */
+    QString trustSignatureDomain() const;
+
     bool isValid() const;
 
 Q_SIGNALS: