Optionally turn off checking of keys.

diff --git a/catcrypt.1 b/catcrypt.1
index 56fe297..6803067 100644 (file)
--- a/catcrypt.1
+++ b/catcrypt.1
@@ -44,7 +44,7 @@ is one of:
 .RI [ item ...]
 .br
 .B encrypt
 .RI [ item ...]
 .br
 .B encrypt

-.RB [ \-a ]
+.RB [ \-aC ]

 .RB [ \-k
 .IR tag ]
 .RB [ \-f
 .RB [ \-k
 .IR tag ]
 .RB [ \-f


@@ -54,7 +54,7 @@ is one of:
 .RI [ file ]
 .br
 .B decrypt
 .RI [ file ]
 .br
 .B decrypt

-.RB [ \-aqv ]
+.RB [ \-aqvC ]

 .RB [ \-f
 .IR format ]
 .RB [ \-o
 .RB [ \-f
 .IR format ]
 .RB [ \-o


@@ -470,6 +470,10 @@ in the current keyring; the default is not to sign the ciphertext.
 Write output to
 .I file
 rather than to standard output.
 Write output to
 .I file
 rather than to standard output.

+.TP
+.B "\-C, \-\-nocheck"
+Don't check the public key for validity.  This makes encryption go much
+faster, but at the risk of using a duff key.

 .SS decrypt
 The
 .B decrypt
 .SS decrypt
 The
 .B decrypt


@@ -508,6 +512,11 @@ Write output to
 instead of to standard output.  The file is written in binary mode.
 Fixing line-end conventions is your problem; there are lots of good
 tools for dealing with it.
 instead of to standard output.  The file is written in binary mode.
 Fixing line-end conventions is your problem; there are lots of good
 tools for dealing with it.

+.TP
+.B "\-C, \-\-nocheck"
+Don't check the private key for validity.  This makes decryption go much
+faster, but at the risk of using a duff key, and possibly leaking
+information about the private key.

 .PP
 Output is written to standard output in a machine-readable format.
 Major problems cause the program to write a diagnostic to standard error
 .PP
 Output is written to standard output in a machine-readable format.
 Major problems cause the program to write a diagnostic to standard error

diff --git a/catcrypt.c b/catcrypt.c
index bbe4660..fdb8473 100644 (file)
--- a/catcrypt.c
+++ b/catcrypt.c
@@ -153,6 +153,7 @@ static int encrypt(int argc, char *argv[])
   enc *e;
 
 #define f_bogus 1u
   enc *e;
 
 #define f_bogus 1u

+#define f_nocheck 2u

 
   for (;;) {
     static const struct option opt[] = {
 
   for (;;) {
     static const struct option opt[] = {


@@ -162,9 +163,10 @@ static int encrypt(int argc, char *argv[])
       { "armor",       0,              0,      'a' },
       { "format",      OPTF_ARGREQ,    0,      'f' },
       { "output",      OPTF_ARGREQ,    0,      'o' },
       { "armor",       0,              0,      'a' },
       { "format",      OPTF_ARGREQ,    0,      'f' },
       { "output",      OPTF_ARGREQ,    0,      'o' },

+      { "nocheck",     0,              0,      'C' },

       { 0,             0,              0,      0 }
     };
       { 0,             0,              0,      0 }
     };

-    i = mdwopt(argc, argv, "k:s:af:o:", opt, 0, 0, 0);
+    i = mdwopt(argc, argv, "k:s:af:o:C", opt, 0, 0, 0);

     if (i < 0) break;
     switch (i) {
       case 'k': kn = optarg; break;
     if (i < 0) break;
     switch (i) {
       case 'k': kn = optarg; break;


@@ -172,6 +174,7 @@ static int encrypt(int argc, char *argv[])
       case 'a': ef = "pem"; break;
       case 'f': ef = optarg; break;
       case 'o': of = optarg; break;
       case 'a': ef = "pem"; break;
       case 'f': ef = optarg; break;
       case 'o': of = optarg; break;

+      case 'C': f |= f_nocheck; break;

       default: f |= f_bogus; break;
     }
   }
       default: f |= f_bogus; break;
     }
   }


@@ -210,7 +213,7 @@ static int encrypt(int argc, char *argv[])
   key_fulltag(k, &d);
   e = initenc(eo, ofp, "CATCRYPT ENCRYPTED MESSAGE");
   km = getkem(k, "cckem", 0);
   key_fulltag(k, &d);
   e = initenc(eo, ofp, "CATCRYPT ENCRYPTED MESSAGE");
   km = getkem(k, "cckem", 0);

-  if ((err = km->ops->check(km)) != 0)
+  if (!(f & f_nocheck) && (err = km->ops->check(km)) != 0)

     moan("key %s fails check: %s", d.buf, err);
   if (sk) {
     dstr_reset(&d);
     moan("key %s fails check: %s", d.buf, err);
   if (sk) {
     dstr_reset(&d);


@@ -303,6 +306,7 @@ static int encrypt(int argc, char *argv[])
   return (0);
 
 #undef f_bogus
   return (0);
 
 #undef f_bogus

+#undef f_nocheck

 }
 
 /*---- Decryption ---------------------------------------------------------*/
 }
 
 /*---- Decryption ---------------------------------------------------------*/


@@ -337,6 +341,7 @@ static int decrypt(int argc, char *argv[])
 
 #define f_bogus 1u
 #define f_buffer 2u
 
 #define f_bogus 1u
 #define f_buffer 2u

+#define f_nocheck 4u

 
   for (;;) {
     static const struct option opt[] = {
 
   for (;;) {
     static const struct option opt[] = {


@@ -345,17 +350,19 @@ static int decrypt(int argc, char *argv[])
       { "buffer",      0,              0,      'b' },
       { "verbose",     0,              0,      'v' },
       { "quiet",       0,              0,      'q' },
       { "buffer",      0,              0,      'b' },
       { "verbose",     0,              0,      'v' },
       { "quiet",       0,              0,      'q' },

+      { "nocheck",     0,              0,      'C' },

       { "format",      OPTF_ARGREQ,    0,      'f' },
       { "output",      OPTF_ARGREQ,    0,      'o' },
       { 0,             0,              0,      0 }
     };
       { "format",      OPTF_ARGREQ,    0,      'f' },
       { "output",      OPTF_ARGREQ,    0,      'o' },
       { 0,             0,              0,      0 }
     };

-    i = mdwopt(argc, argv, "abf:o:qv", opt, 0, 0, 0);
+    i = mdwopt(argc, argv, "abf:o:qvC", opt, 0, 0, 0);

     if (i < 0) break;
     switch (i) {
       case 'a': ef = "pem"; break;
       case 'b': f |= f_buffer; break;
       case 'v': verb++; break;
       case 'q': if (verb) verb--; break;
     if (i < 0) break;
     switch (i) {
       case 'a': ef = "pem"; break;
       case 'b': f |= f_buffer; break;
       case 'v': verb++; break;
       case 'q': if (verb) verb--; break;

+      case 'C': f |= f_nocheck; break;

       case 'f': ef = optarg; break;
       case 'o': of = optarg; break;
       default: f |= f_bogus; break;
       case 'f': ef = optarg; break;
       case 'o': of = optarg; break;
       default: f |= f_bogus; break;


@@ -427,7 +434,7 @@ static int decrypt(int argc, char *argv[])
     s = getsig(sk, "ccsig", 0);
     dstr_reset(&d);
     key_fulltag(sk, &d);
     s = getsig(sk, "ccsig", 0);
     dstr_reset(&d);
     key_fulltag(sk, &d);

-    if (verb && (err = s->ops->check(s)) != 0)
+    if (!(f & f_nocheck) && verb && (err = s->ops->check(s)) != 0)

       printf("WARN verification key %s fails check: %s\n", d.buf, err);
     dstr_reset(&d);
     dstr_ensure(&d, 1024);
       printf("WARN verification key %s fails check: %s\n", d.buf, err);
     dstr_reset(&d);
     dstr_ensure(&d, 1024);


@@ -535,6 +542,7 @@ static int decrypt(int argc, char *argv[])
 
 #undef f_bogus
 #undef f_buffer
 
 #undef f_bogus
 #undef f_buffer

+#undef f_nocheck

 }
 
 /*----- Main code ---------------------------------------------------------*/
 }
 
 /*----- Main code ---------------------------------------------------------*/


@@ -570,7 +578,7 @@ static cmd cmdtab[] = {
   CMD_ENCODE,
   CMD_DECODE,
   { "encrypt", encrypt,
   CMD_ENCODE,
   CMD_DECODE,
   { "encrypt", encrypt,

-    "encrypt [-a] [-k TAG] [-s TAG] [-f FORMAT]\n\t\
+    "encrypt [-aC] [-k TAG] [-s TAG] [-f FORMAT]\n\t\

 [-o OUTPUT] [FILE]", "\
 Options:\n\
 \n\
 [-o OUTPUT] [FILE]", "\
 Options:\n\
 \n\


@@ -579,9 +587,10 @@ Options:\n\
 -k, --key=TAG          Use public encryption key named by TAG.\n\
 -s, --sign-key=TAG     Use private signature key named by TAG.\n\
 -o, --output=FILE      Write output to FILE.\n\
 -k, --key=TAG          Use public encryption key named by TAG.\n\
 -s, --sign-key=TAG     Use private signature key named by TAG.\n\
 -o, --output=FILE      Write output to FILE.\n\

+-C, --nocheck          Don't check the public key.\n\

 " },
   { "decrypt", decrypt,
 " },
   { "decrypt", decrypt,

-    "decrypt [-abqv] [-f FORMAT] [-o OUTPUT] [FILE]", "\
+    "decrypt [-abqvC] [-f FORMAT] [-o OUTPUT] [FILE]", "\

 Options:\n\
 \n\
 -a, --armour           Same as `-f pem'.\n\
 Options:\n\
 \n\
 -a, --armour           Same as `-f pem'.\n\


@@ -590,6 +599,7 @@ Options:\n\
 -o, --output=FILE      Write output to FILE.\n\
 -q, --quiet            Produce fewer messages.\n\
 -v, --verbose          Produce more verbose messages.\n\
 -o, --output=FILE      Write output to FILE.\n\
 -q, --quiet            Produce fewer messages.\n\
 -v, --verbose          Produce more verbose messages.\n\

+-C, --nocheck          Don't check the private key.\n\

 " }, /* ' emacs is confused */
   { 0, 0, 0 }
 };
 " }, /* ' emacs is confused */
   { 0, 0, 0 }
 };

diff --git a/catsign.1 b/catsign.1
index 596b76f..e762712 100644 (file)
--- a/catsign.1
+++ b/catsign.1
@@ -44,7 +44,7 @@ is one of:
 .RI [ item ...]
 .br
 .B sign
 .RI [ item ...]
 .br
 .B sign

-.RB [ \-adt ]
+.RB [ \-adtC ]

 .RB [ \-k
 .IR tag ]
 .RB [ \-f
 .RB [ \-k
 .IR tag ]
 .RB [ \-f


@@ -54,7 +54,7 @@ is one of:
 .RI [ file ]
 .br
 .B verify
 .RI [ file ]
 .br
 .B verify

-.RB [ \-aquv ]
+.RB [ \-aquvC ]

 .RB [ \-k
 .IR tag ]
 .RB [ \-f
 .RB [ \-k
 .IR tag ]
 .RB [ \-f


@@ -403,6 +403,11 @@ rather than to standard output.
 .TP
 .B "\-t, \-\-text"
 Read and sign the input as text.  This is the default.
 .TP
 .B "\-t, \-\-text"
 Read and sign the input as text.  This is the default.

+.TP
+.B "\-C, \-\-nocheck"
+Don't check the private key for validity.  This makes signing go much
+faster, but at the risk of using a duff key, and potentially leaking
+information about the private key.

 .SS verify
 The
 .B verify
 .SS verify
 The
 .B verify


@@ -472,6 +477,11 @@ The file is written in text or binary
 mode as appropriate.  The default is to write the message to standard
 output unless verifying a detached signature, in which case nothing is
 written.
 mode as appropriate.  The default is to write the message to standard
 output unless verifying a detached signature, in which case nothing is
 written.

+.TP
+.B "\-C, \-\-nocheck"
+Don't check the public key for validity.  This makes verification go
+much faster, but at the risk of using a duff key, and potentially
+accepting false signatures.

 .PP
 Output is written to standard output in a machine-readable format.
 Major problems cause the program to write a diagnostic to standard error
 .PP
 Output is written to standard output in a machine-readable format.
 Major problems cause the program to write a diagnostic to standard error

diff --git a/catsign.c b/catsign.c
index ce05618..46b7b87 100644 (file)
--- a/catsign.c
+++ b/catsign.c
@@ -91,6 +91,7 @@ typedef struct sigmsg {
 #define F_BOGUS 128u
 #define F_BUFFER 256u
 #define F_UTC 512u
 #define F_BOGUS 128u
 #define F_BUFFER 256u
 #define F_UTC 512u

+#define F_NOCHECK 1024u

 
 /*----- Chunk I/O ---------------------------------------------------------*/
 
 
 /*----- Chunk I/O ---------------------------------------------------------*/
 


@@ -453,9 +454,10 @@ static int sign(int argc, char *argv[])
       { "format",      OPTF_ARGREQ,    0,      'f' },
       { "output",      OPTF_ARGREQ,    0,      'o' },
       { "text",                0,              0,      't' },
       { "format",      OPTF_ARGREQ,    0,      'f' },
       { "output",      OPTF_ARGREQ,    0,      'o' },
       { "text",                0,              0,      't' },

+      { "nocheck",     0,              0,      'C' },

       { 0,             0,              0,      0 }
     };
       { 0,             0,              0,      0 }
     };

-    i = mdwopt(argc, argv, "k:f:o:abdt", opt, 0, 0, 0);
+    i = mdwopt(argc, argv, "k:f:o:abdtC", opt, 0, 0, 0);

     if (i < 0) break;
     switch (i) {
       case 'k': kn = optarg; break;
     if (i < 0) break;
     switch (i) {
       case 'k': kn = optarg; break;


@@ -465,6 +467,7 @@ static int sign(int argc, char *argv[])
       case 't': f &= ~F_BINARY; break;
       case 'b': f |= F_BINARY; break;
       case 'd': f |= F_DETACH; break;
       case 't': f &= ~F_BINARY; break;
       case 'b': f |= F_BINARY; break;
       case 'd': f |= F_DETACH; break;

+      case 'C': f |= F_NOCHECK; break;

       default: f |= F_BOGUS; break;
     }
   }
       default: f |= F_BOGUS; break;
     }
   }


@@ -494,7 +497,7 @@ static int sign(int argc, char *argv[])
   dstr_reset(&d);
   key_fulltag(k, &d);
   s.s = getsig(k, "ccsig", 1);
   dstr_reset(&d);
   key_fulltag(k, &d);
   s.s = getsig(k, "ccsig", 1);

-  if ((err = s.s->ops->check(s.s)) != 0)
+  if (!(f & F_NOCHECK) && (err = s.s->ops->check(s.s)) != 0)

     moan("key %s fails check: %s", d.buf, err);
   keyhash(k, s.s, &s.kh);
   e = initenc(eo, ofp,
     moan("key %s fails check: %s", d.buf, err);
   keyhash(k, s.s, &s.kh);
   e = initenc(eo, ofp,


@@ -600,6 +603,7 @@ static int verify(int argc, char *argv[])
       { "fresh-time",  0,              0,      't' },
       { "gmt",         0,              0,      'u' },
       { "verbose",     0,              0,      'v' },
       { "fresh-time",  0,              0,      't' },
       { "gmt",         0,              0,      'u' },
       { "verbose",     0,              0,      'v' },

+      { "nocheck",     0,              0,      'C' },

       { 0,             0,              0,      0 }
     };
     i = mdwopt(argc, argv, "k:f:o:abqt:uv", opt, 0, 0, 0);
       { 0,             0,              0,      0 }
     };
     i = mdwopt(argc, argv, "k:f:o:abqt:uv", opt, 0, 0, 0);


@@ -611,6 +615,7 @@ static int verify(int argc, char *argv[])
       case 'f': ef = optarg; break;
       case 'o': of = optarg; break;
       case 'u': v.f |= F_UTC; break;
       case 'f': ef = optarg; break;
       case 'o': of = optarg; break;
       case 'u': v.f |= F_UTC; break;

+      case 'C': v.f |= F_NOCHECK; break;

       case 't':
        if (strcmp(optarg, "always") == 0) t_fresh = 0;
         else if ((t_fresh = get_date(optarg, 0)) < 0)
       case 't':
        if (strcmp(optarg, "always") == 0) t_fresh = 0;
         else if ((t_fresh = get_date(optarg, 0)) < 0)


@@ -672,7 +677,7 @@ static int verify(int argc, char *argv[])
 
   s.s = getsig(k, "ccsig", 0);
   dstr_reset(&d); key_fulltag(k, &d);
 
   s.s = getsig(k, "ccsig", 0);
   dstr_reset(&d); key_fulltag(k, &d);

-  if (v.verb && (err = s.s->ops->check(s.s)) != 0)
+  if (!(v.f & F_NOCHECK) && v.verb && (err = s.s->ops->check(s.s)) != 0)

     printf("WARN verification key %s fails check: %s\n", d.buf, err);
 
   dstr_reset(&dd); keyhash(k, s.s, &dd);
     printf("WARN verification key %s fails check: %s\n", d.buf, err);
 
   dstr_reset(&dd); keyhash(k, s.s, &dd);


@@ -1053,7 +1058,7 @@ static cmd cmdtab[] = {
   CMD_ENCODE,
   CMD_DECODE,
   { "sign", sign,
   CMD_ENCODE,
   CMD_DECODE,
   { "sign", sign,

-    "sign [-adt] [-k TAG] [-f FORMAT] [-o OUTPUT] [FILE]", "\
+    "sign [-adtC] [-k TAG] [-f FORMAT] [-o OUTPUT] [FILE]", "\

 Options:\n\
 \n\
 -a, --armour           Same as `-f pem'.\n\
 Options:\n\
 \n\
 -a, --armour           Same as `-f pem'.\n\


@@ -1063,9 +1068,10 @@ Options:\n\
 -k, --key=TAG          Use public encryption key named by TAG.\n\
 -o, --output=FILE      Write output to FILE.\n\
 -t, --text             Canonify input message as a text file.\n\
 -k, --key=TAG          Use public encryption key named by TAG.\n\
 -o, --output=FILE      Write output to FILE.\n\
 -t, --text             Canonify input message as a text file.\n\

+-C, --nocheck          Don't check the private key.\n\

 " },
   { "verify", verify,
 " },
   { "verify", verify,

-    "verify [-abquv] [-f FORMAT] [-k TAG] [-o OUTPUT]\n\t\
+    "verify [-abquvC] [-f FORMAT] [-k TAG] [-o OUTPUT]\n\t\

 [FILE [MESSAGE]]", "\
 Options:\n\
 \n\
 [FILE [MESSAGE]]", "\
 Options:\n\
 \n\


@@ -1078,6 +1084,7 @@ Options:\n\
 -t, --freshtime=TIME   Only accept signatures made after this time.\n\
 -u, --utc              Show dates in UTC rather than local time.\n\
 -v, --verbose          Produce more verbose messages.\n\
 -t, --freshtime=TIME   Only accept signatures made after this time.\n\
 -u, --utc              Show dates in UTC rather than local time.\n\
 -v, --verbose          Produce more verbose messages.\n\

+-C, --nocheck          Don't check the public key.\n\

 " },
   { "info", info,
     "info [-au] [-f FORMAT] [FILE]", "\
 " },
   { "info", info,
     "info [-au] [-f FORMAT] [FILE]", "\

diff --git a/dsig.1 b/dsig.1
index 70a4ea8..10fe6c6 100644 (file)
--- a/dsig.1
+++ b/dsig.1
@@ -44,7 +44,7 @@ is one of:
 .RI [ item ...]
 .br
 .B sign
 .RI [ item ...]
 .br
 .B sign

-.RB [ \-0bqv ]
+.RB [ \-0bqvC ]

 .RB [ \-c
 .IR comment ]
 .RB [ \-k
 .RB [ \-c
 .IR comment ]
 .RB [ \-k


@@ -59,7 +59,7 @@ is one of:
 .IR output ]
 .br
 .B verify
 .IR output ]
 .br
 .B verify

-.RB [ \-qv ]
+.RB [ \-qvC ]

 .RI [ file ]
 .SH DESCRIPTION
 The
 .RI [ file ]
 .SH DESCRIPTION
 The


@@ -323,6 +323,11 @@ Set the signature to expire at
 The default is to expire 28 days from creation.  Use
 .B forever
 to make the signature not expire.
 The default is to expire 28 days from creation.  Use
 .B forever
 to make the signature not expire.

+.TP
+.B "\-C, \-\-nocheck"
+Don't check the private key for validity.  This makes signing go much
+faster, but at the risk of using a duff key, and potentially leaking
+information about the private key.

 .PP
 The whitespace-separated format for filenames allows quoting and
 escaping of strange characters.  The backslash
 .PP
 The whitespace-separated format for filenames allows quoting and
 escaping of strange characters.  The backslash


@@ -360,6 +365,11 @@ Produce more informational output.  The default verbosity level is 1.
 .TP
 .B "\-q, \-\-quiet"
 Produce less information output.
 .TP
 .B "\-q, \-\-quiet"
 Produce less information output.

+.TP
+.B "\-C, \-\-nocheck"
+Don't check the public key for validity.  This makes verification go
+much faster, but at the risk of using a duff key, and potentially
+accepting false signatures.

 .PP
 Output is written to standard output in a machine-readable format.
 Formatting errors cause the program to write a diagnostic to standard
 .PP
 Output is written to standard output in a machine-readable format.
 Formatting errors cause the program to write a diagnostic to standard

diff --git a/dsig.c b/dsig.c
index a8fc2f9..bcfe51d 100644 (file)
--- a/dsig.c
+++ b/dsig.c
@@ -654,6 +654,7 @@ static int sign(int argc, char *argv[])
 #define f_raw 1u
 #define f_bin 2u
 #define f_bogus 4u
 #define f_raw 1u
 #define f_bin 2u
 #define f_bogus 4u

+#define f_nocheck 8u

 
   unsigned f = 0;
   const char *ki = "dsig";
 
   unsigned f = 0;
   const char *ki = "dsig";


@@ -682,9 +683,10 @@ static int sign(int argc, char *argv[])
       { "output",      OPTF_ARGREQ,    0,      'o' },
       { "key",         OPTF_ARGREQ,    0,      'k' },
       { "expire",      OPTF_ARGREQ,    0,      'e' },
       { "output",      OPTF_ARGREQ,    0,      'o' },
       { "key",         OPTF_ARGREQ,    0,      'k' },
       { "expire",      OPTF_ARGREQ,    0,      'e' },

+      { "nocheck",     OPTF_ARGREQ,    0,      'C' },

       { 0,             0,              0,      0 }
     };
       { 0,             0,              0,      0 }
     };

-    int i = mdwopt(argc, argv, "+0vqb" "c:" "f:o:" "k:e:", opts, 0, 0, 0);
+    int i = mdwopt(argc, argv, "+0vqbC" "c:" "f:o:" "k:e:", opts, 0, 0, 0);

     if (i < 0)
       break;
     switch (i) {
     if (i < 0)
       break;
     switch (i) {


@@ -701,6 +703,9 @@ static int sign(int argc, char *argv[])
        if (verb > 0)
          verb--;
        break;
        if (verb > 0)
          verb--;
        break;

+      case 'C':
+       f |= f_nocheck;
+       break;

       case 'c':
        c = optarg;
        break;
       case 'c':
        c = optarg;
        break;


@@ -742,7 +747,7 @@ static int sign(int argc, char *argv[])
 
   /* --- Check the key --- */
 
 
   /* --- Check the key --- */
 

-  if ((err = s->ops->check(s)) != 0)
+  if (!(f & f_nocheck) && (err = s->ops->check(s)) != 0)

     moan("key `%s' fails check: %s", d.buf, err);
 
   /* --- Open files --- */
     moan("key `%s' fails check: %s", d.buf, err);
 
   /* --- Open files --- */


@@ -864,6 +869,7 @@ static int sign(int argc, char *argv[])
 #undef f_raw
 #undef f_bin
 #undef f_bogus
 #undef f_raw
 #undef f_bin
 #undef f_bogus

+#undef f_nocheck

 }
 
 /*----- Signature verification --------------------------------------------*/
 }
 
 /*----- Signature verification --------------------------------------------*/


@@ -873,6 +879,7 @@ static int verify(int argc, char *argv[])
 #define f_bogus 1u
 #define f_bin 2u
 #define f_ok 4u
 #define f_bogus 1u
 #define f_bin 2u
 #define f_ok 4u

+#define f_nocheck 8u

 
   unsigned f = 0;
   unsigned verb = 1;
 
   unsigned f = 0;
   unsigned verb = 1;


@@ -891,9 +898,10 @@ static int verify(int argc, char *argv[])
     static struct option opts[] = {
       { "verbose",     0,              0,      'v' },
       { "quiet",       0,              0,      'q' },
     static struct option opts[] = {
       { "verbose",     0,              0,      'v' },
       { "quiet",       0,              0,      'q' },

+      { "nocheck",     0,              0,      'C' },

       { 0,             0,              0,      0 }
     };
       { 0,             0,              0,      0 }
     };

-    int i = mdwopt(argc, argv, "+vq", opts, 0, 0, 0);
+    int i = mdwopt(argc, argv, "+vqC", opts, 0, 0, 0);

     if (i < 0)
       break;
     switch (i) {
     if (i < 0)
       break;
     switch (i) {


@@ -904,6 +912,9 @@ static int verify(int argc, char *argv[])
        if (verb)
          verb--;
        break;
        if (verb)
          verb--;
        break;

+      case 'C':
+       f |= f_nocheck;
+       break;

       default:
        f |= f_bogus;
        break;
       default:
        f |= f_bogus;
        break;


@@ -912,7 +923,7 @@ static int verify(int argc, char *argv[])
   argc -= optind;
   argv += optind;
   if ((f & f_bogus) || argc > 1)
   argc -= optind;
   argv += optind;
   if ((f & f_bogus) || argc > 1)

-    die(EXIT_FAILURE, "Usage: verify [-qv] [FILE]");
+    die(EXIT_FAILURE, "Usage: verify [-qvC] [FILE]");

 
   /* --- Open the key file, and start reading the input file --- */
 
 
   /* --- Open the key file, and start reading the input file --- */
 


@@ -979,7 +990,7 @@ static int verify(int argc, char *argv[])
   }
 
   s = getsig(k, "dsig", 0);
   }
 
   s = getsig(k, "dsig", 0);

-  if (verb && (err = s->ops->check(s)) != 0)
+  if (!(f & f_nocheck) && verb && (err = s->ops->check(s)) != 0)

     printf("WARN public key fails check: %s", err);
 
   for (;;) {
     printf("WARN public key fails check: %s", err);
 
   for (;;) {


@@ -1072,6 +1083,7 @@ done:
 #undef f_bogus
 #undef f_bin
 #undef f_ok
 #undef f_bogus
 #undef f_bin
 #undef f_ok

+#undef f_nocheck

 }
 
 /*----- Main code ---------------------------------------------------------*/
 }
 
 /*----- Main code ---------------------------------------------------------*/


@@ -1097,7 +1109,7 @@ static cmd cmdtab[] = {
   { "help", cmd_help, "help [COMMAND...]" },
   { "show", cmd_show, "show [ITEM...]" },
   { "sign", sign,
   { "help", cmd_help, "help [COMMAND...]" },
   { "show", cmd_show, "show [ITEM...]" },
   { "sign", sign,

-    "sign [-0bqv] [-c COMMENT] [-k TAG] [-e EXPIRE]\n\t\
+    "sign [-0bqvC] [-c COMMENT] [-k TAG] [-e EXPIRE]\n\t\

 [-f FILE] [-o OUTPUT]",
     "\
 Options:\n\
 [-f FILE] [-o OUTPUT]",
     "\
 Options:\n\


@@ -1106,6 +1118,7 @@ Options:\n\
 -b, --binary           Produce a binary output file.\n\
 -q, --quiet            Produce fewer messages while working.\n\
 -v, --verbose          Produce more messages while working.\n\
 -b, --binary           Produce a binary output file.\n\
 -q, --quiet            Produce fewer messages while working.\n\
 -v, --verbose          Produce more messages while working.\n\

+-C, --nocheck          Don't check the private key.\n\

 -c, --comment=COMMENT  Include COMMENT in the output file.\n\
 -f, --file=FILE                Read filenames to hash from FILE.\n\
 -o, --output=FILE      Write the signed result to FILE.\n\
 -c, --comment=COMMENT  Include COMMENT in the output file.\n\
 -f, --file=FILE                Read filenames to hash from FILE.\n\
 -o, --output=FILE      Write the signed result to FILE.\n\


@@ -1113,11 +1126,12 @@ Options:\n\
 -e, --expire=TIME      The signature should expire after TIME.\n\
 " },
   { "verify", verify,
 -e, --expire=TIME      The signature should expire after TIME.\n\
 " },
   { "verify", verify,

-    "verify [-qv] [FILE]", "\
+    "verify [-qvC] [FILE]", "\

 Options:\n\
 \n\
 -q, --quiet            Produce fewer messages while working.\n\
 -v, --verbose          Produce more messages while working.\n\
 Options:\n\
 \n\
 -q, --quiet            Produce fewer messages while working.\n\
 -v, --verbose          Produce more messages while working.\n\

+-C, --nocheck          Don't check the public key.\n\

 " },
   { 0, 0, 0 }
 };
 " },
   { 0, 0, 0 }
 };