From 483f2ba02e70968e6c9f57afa0fc88f7566a76c4 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Fri, 2 May 2025 11:11:05 +0200
Subject: [PATCH 0938/1000] gpg: Fix another regression due to the T7547 fix.

* g10/getkey.c (get_pubkey_for_sig): Keep a requested
PUBKEY_USAGE_CERT.
(finish_lookup): For correctness in future use cases allow
PUBKEY_USAGE_CERT to also trigger verify mode.
--

The case here was that a cert-only primary key was removed with
export-clean.

GnuPG-bug-id: 7583

Index: gnupg-2.4.4/g10/getkey.c
===================================================================
--- gnupg-2.4.4.orig/g10/getkey.c
+++ gnupg-2.4.4/g10/getkey.c
@@ -336,8 +336,10 @@ get_pubkey_for_sig (ctrl_t ctrl, PKT_pub
   /* Make sure to request only keys cabable of signing.  This makes
    * sure that a subkey w/o a valid backsig or with bad usage flags
    * will be skipped.  We also request the verification mode so that
-   * expired and revoked keys are returned.  */
-  pk->req_usage = (PUBKEY_USAGE_SIG | PUBKEY_USAGE_VERIFY);
+   * expired and revoked keys are returned. We keep only a requested
+   * CERT usage in PK for the sake of key signatures. */
+  pk->req_usage = (PUBKEY_USAGE_SIG | PUBKEY_USAGE_VERIFY
+                   | (pk->req_usage & PUBKEY_USAGE_CERT));
 
   /* First try the ISSUER_FPR info.  */
   fpr = issuer_fpr_raw (sig, &fprlen);
@@ -3675,7 +3677,7 @@ finish_lookup (kbnode_t keyblock, unsign
   /* The verify mode is used to change the behaviour so that we can
    * return an expired or revoked key for signature verification.  */
   verify_mode = ((req_usage & PUBKEY_USAGE_VERIFY)
-                 && (req_usage & PUBKEY_USAGE_SIG));
+                 && (req_usage & (PUBKEY_USAGE_CERT|PUBKEY_USAGE_SIG)));
 
 #define USAGE_MASK  (PUBKEY_USAGE_SIG|PUBKEY_USAGE_ENC|PUBKEY_USAGE_CERT)
   req_usage &= USAGE_MASK;