commit 0473b7492f9c2950d6fb1396baabc405f717fa3182f4cb3f1a116af4738dab62 Author: Adrian Schröter Date: Fri May 3 13:15:33 2024 +0200 Sync from SUSE:SLFO:Main gpg2 revision 9c3801b96630127eb85114532b8c21b3 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/gnupg-2.0.9-langinfo.patch b/gnupg-2.0.9-langinfo.patch new file mode 100644 index 0000000..e7c22d8 --- /dev/null +++ b/gnupg-2.0.9-langinfo.patch @@ -0,0 +1,17 @@ +# fix [bnc#305725] - non latin characters displayed incorrectly by pinentry +--- +# jnlib/utf8conv.c | 1 + +# 1 file changed, 1 insertion(+) +# +Index: gnupg-2.1.0/common/utf8conv.c +=================================================================== +--- gnupg-2.1.0.orig/common/utf8conv.c 2014-10-11 19:45:14.000000000 +0200 ++++ gnupg-2.1.0/common/utf8conv.c 2014-11-07 11:35:05.491413258 +0100 +@@ -198,6 +198,7 @@ set_native_charset (const char *newset) + #else /*!HAVE_W32_SYSTEM && !HAVE_ANDROID_SYSTEM*/ + + #ifdef HAVE_LANGINFO_CODESET ++ setlocale(LC_ALL, ""); + newset = nl_langinfo (CODESET); + #else /*!HAVE_LANGINFO_CODESET*/ + /* Try to get the used charset from environment variables. */ diff --git a/gnupg-2.2.16-secmem.patch b/gnupg-2.2.16-secmem.patch new file mode 100644 index 0000000..22ac5c2 --- /dev/null +++ b/gnupg-2.2.16-secmem.patch @@ -0,0 +1,35 @@ +Index: gnupg-2.2.16/g10/gpg.c +=================================================================== +--- gnupg-2.2.16.orig/g10/gpg.c ++++ gnupg-2.2.16/g10/gpg.c +@@ -973,7 +973,7 @@ make_libversion (const char *libname, co + + if (maybe_setuid) + { +- gcry_control (GCRYCTL_INIT_SECMEM, 0, 0); /* Drop setuid. */ ++ gcry_control (GCRYCTL_INIT_SECMEM, 4096, 0); /* Drop setuid. */ + maybe_setuid = 0; + } + s = getfnc (NULL); +@@ -1125,7 +1125,7 @@ build_list (const char *text, char lette + char *string; + + if (maybe_setuid) +- gcry_control (GCRYCTL_INIT_SECMEM, 0, 0); /* Drop setuid. */ ++ gcry_control (GCRYCTL_INIT_SECMEM, 4096, 0); /* Drop setuid. */ + + indent = utf8_charcount (text, -1); + len = 0; +Index: gnupg-2.2.16/sm/gpgsm.c +=================================================================== +--- gnupg-2.2.16.orig/sm/gpgsm.c ++++ gnupg-2.2.16/sm/gpgsm.c +@@ -533,7 +533,7 @@ make_libversion (const char *libname, co + + if (maybe_setuid) + { +- gcry_control (GCRYCTL_INIT_SECMEM, 0, 0); /* Drop setuid. */ ++ gcry_control (GCRYCTL_INIT_SECMEM, 4096, 0); /* Drop setuid. */ + maybe_setuid = 0; + } + s = getfnc (NULL); diff --git a/gnupg-2.4.4.tar.bz2 b/gnupg-2.4.4.tar.bz2 new file mode 100644 index 0000000..35b0320 --- /dev/null +++ b/gnupg-2.4.4.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:67ebe016ca90fa7688ce67a387ebd82c6261e95897db7b23df24ff335be85bc6 +size 7886036 diff --git a/gnupg-2.4.4.tar.bz2.sig b/gnupg-2.4.4.tar.bz2.sig new file mode 100644 index 0000000..791d14d Binary files /dev/null and b/gnupg-2.4.4.tar.bz2.sig differ diff --git a/gnupg-accept_subkeys_with_a_good_revocation_but_no_self-sig_during_import.patch b/gnupg-accept_subkeys_with_a_good_revocation_but_no_self-sig_during_import.patch new file mode 100644 index 0000000..539e39d --- /dev/null +++ b/gnupg-accept_subkeys_with_a_good_revocation_but_no_self-sig_during_import.patch @@ -0,0 +1,33 @@ +From f361141a44365ff7db2d2cfbf118d5b54b52c3d5 Mon Sep 17 00:00:00 2001 +From: Vincent Breitmoser +Date: Thu, 13 Jun 2019 21:27:43 +0200 +Subject: [PATCH] gpg: accept subkeys with a good revocation but no self-sig + during import + +* g10/import.c (chk_self_sigs): Set the NODE_GOOD_SELFSIG flag when we +encounter a valid revocation signature. This allows import of subkey +revocation signatures, even in the absence of a corresponding subkey +binding signature. + +-- + +This fixes the remaining test in import-incomplete.scm. + +GnuPG-Bug-id: 4393 +Signed-off-by: Daniel Kahn Gillmor +--- + g10/import.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/g10/import.c b/g10/import.c +index 2be214e63..ae2453803 100644 +--- a/g10/import.c ++++ b/g10/import.c +@@ -3536,6 +3536,7 @@ chk_self_sigs (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, int *non_self) + /* It's valid, so is it newer? */ + if (sig->timestamp >= rsdate) + { ++ knode->flag |= NODE_GOOD_SELFSIG; /* Subkey is valid. */ + if (rsnode) + { + /* Delete the last revocation sig since diff --git a/gnupg-add-test-cases-for-import-without-uid.patch b/gnupg-add-test-cases-for-import-without-uid.patch new file mode 100644 index 0000000..78983e5 --- /dev/null +++ b/gnupg-add-test-cases-for-import-without-uid.patch @@ -0,0 +1,202 @@ +From 4c40bfa90bda748e5dada0bb1cc8fae14d744f07 Mon Sep 17 00:00:00 2001 +From: Vincent Breitmoser +Date: Thu, 13 Jun 2019 21:27:41 +0200 +Subject: [PATCH] tests: add test cases for import without uid + +This commit adds a test case that does the following, in order: +- Import of a primary key plus user id +- Check that import of a subkey works, without a user id present in the +imported key +- Check that import of a subkey revocation works, without a user id or +subkey binding signature present in the imported key +- Check that import of a primary key revocation works, without a user id +present in the imported key + +-- + +Note that this test currently fails. The following changesets will +fix gpg so that the tests pass. + +GnuPG-Bug-id: 4393 +Signed-Off-By: Daniel Kahn Gillmor +--- + tests/openpgp/Makefile.am | 1 + + tests/openpgp/import-incomplete.scm | 68 +++++++++++++++++++ + .../import-incomplete/primary+revocation.asc | 9 +++ + .../primary+subkey+sub-revocation.asc | 10 +++ + .../primary+subkey+sub-sig.asc | 10 +++ + .../import-incomplete/primary+uid-sig.asc | 10 +++ + .../openpgp/import-incomplete/primary+uid.asc | 10 +++ + 7 files changed, 118 insertions(+) + create mode 100755 tests/openpgp/import-incomplete.scm + create mode 100644 tests/openpgp/import-incomplete/primary+revocation.asc + create mode 100644 tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc + create mode 100644 tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc + create mode 100644 tests/openpgp/import-incomplete/primary+uid-sig.asc + create mode 100644 tests/openpgp/import-incomplete/primary+uid.asc + +diff --git a/tests/openpgp/Makefile.am b/tests/openpgp/Makefile.am +index e5be42b41..d886bc8f7 100644 +--- a/tests/openpgp/Makefile.am ++++ b/tests/openpgp/Makefile.am +@@ -78,6 +78,7 @@ XTESTS = \ + gpgv-forged-keyring.scm \ + armor.scm \ + import.scm \ ++ import-incomplete.scm \ + import-revocation-certificate.scm \ + ecc.scm \ + 4gb-packet.scm \ +diff --git a/tests/openpgp/import-incomplete.scm b/tests/openpgp/import-incomplete.scm +new file mode 100755 +index 000000000..727a027c6 +--- /dev/null ++++ b/tests/openpgp/import-incomplete.scm +@@ -0,0 +1,68 @@ ++#!/usr/bin/env gpgscm ++ ++;; Copyright (C) 2016 g10 Code GmbH ++;; ++;; This file is part of GnuPG. ++;; ++;; GnuPG is free software; you can redistribute it and/or modify ++;; it under the terms of the GNU General Public License as published by ++;; the Free Software Foundation; either version 3 of the License, or ++;; (at your option) any later version. ++;; ++;; GnuPG is distributed in the hope that it will be useful, ++;; but WITHOUT ANY WARRANTY; without even the implied warranty of ++;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++;; GNU General Public License for more details. ++;; ++;; You should have received a copy of the GNU General Public License ++;; along with this program; if not, see . ++ ++(load (in-srcdir "tests" "openpgp" "defs.scm")) ++(setup-environment) ++ ++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+uid.asc"))) ++ ++(info "Test import of new subkey, from a certificate without uid") ++(define keyid "573EA710367356BB") ++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+subkey+sub-sig.asc"))) ++(tr:do ++ (tr:pipe-do ++ (pipe:gpg `(--list-keys --with-colons ,keyid))) ++ (tr:call-with-content ++ (lambda (c) ++ ;; XXX we do not have a regexp library ++ (unless (any (lambda (line) ++ (and (string-prefix? line "sub:") ++ (string-contains? line "573EA710367356BB"))) ++ (string-split-newlines c)) ++ (exit 1))))) ++ ++(info "Test import of a subkey revocation, from a certificate without uid") ++(define keyid "573EA710367356BB") ++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+subkey+sub-revocation.asc"))) ++(tr:do ++ (tr:pipe-do ++ (pipe:gpg `(--list-keys --with-colons ,keyid))) ++ (tr:call-with-content ++ (lambda (c) ++ ;; XXX we do not have a regexp library ++ (unless (any (lambda (line) ++ (and (string-prefix? line "sub:r:") ++ (string-contains? line "573EA710367356BB"))) ++ (string-split-newlines c)) ++ (exit 1))))) ++ ++(info "Test import of revocation, from a certificate without uid") ++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+revocation.asc"))) ++(tr:do ++ (tr:pipe-do ++ (pipe:gpg `(--list-keys --with-colons ,keyid))) ++ (tr:call-with-content ++ (lambda (c) ++ ;; XXX we do not have a regexp library ++ (unless (any (lambda (line) ++ (and (string-prefix? line "pub:r:") ++ (string-contains? line "0843DA969AA8DAFB"))) ++ (string-split-newlines c)) ++ (exit 1))))) ++ +diff --git a/tests/openpgp/import-incomplete/primary+revocation.asc b/tests/openpgp/import-incomplete/primary+revocation.asc +new file mode 100644 +index 000000000..6b7b60802 +--- /dev/null ++++ b/tests/openpgp/import-incomplete/primary+revocation.asc +@@ -0,0 +1,9 @@ ++-----BEGIN PGP PUBLIC KEY BLOCK----- ++Comment: [E] primary key, revocation signature over primary (no user ID) ++ ++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ ++631VAN2IeAQgFggAIBYhBLRpj5W82H/gSMzKKQhD2paaqNr7BQJc2ZQZAh0AAAoJ ++EAhD2paaqNr7qAwA/2jBUpnN0BxwRO/4CrxvrLIsL+C9aSXJUOTv8XkP4lvtAQD3 ++XsDFfFNgEueiTfF7HtOGt5LPmRqVvUpQSMVgJJW6CQ== ++=tM90 ++-----END PGP PUBLIC KEY BLOCK----- +diff --git a/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc b/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc +new file mode 100644 +index 000000000..83a51a549 +--- /dev/null ++++ b/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc +@@ -0,0 +1,10 @@ ++-----BEGIN PGP PUBLIC KEY BLOCK----- ++Comment: [D] primary key, subkey, subkey revocation (no user ID) ++ ++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ ++631VAN24OARc2ZQhEgorBgEEAZdVAQUBAQdABsd5ha0AWXdXcSmfeiWIfrNcGqQK ++j++lwwWDAOlkVicDAQgHiHgEKBYIACAWIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC ++XNmnkAIdAgAKCRAIQ9qWmqja+ylaAQDmIKf86BJEq4OpDqU+V9D+wn2cyuxbyWVQ ++3r9LiL9qNwD/QAjyrhSN8L3Mfq+wdTHo5i0yB9ZCCpHLXSbhCqfWZwQ= ++=dwx2 ++-----END PGP PUBLIC KEY BLOCK----- +diff --git a/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc b/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc +new file mode 100644 +index 000000000..dc47a02d8 +--- /dev/null ++++ b/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc +@@ -0,0 +1,10 @@ ++-----BEGIN PGP PUBLIC KEY BLOCK----- ++Comment: [B] primary key, subkey, subkey binding sig (no user ID) ++ ++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ ++631VAN24OARc2ZQhEgorBgEEAZdVAQUBAQdABsd5ha0AWXdXcSmfeiWIfrNcGqQK ++j++lwwWDAOlkVicDAQgHiHgEGBYIACAWIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC ++XNmUIQIbDAAKCRAIQ9qWmqja++vFAP98G1L+1/rWTGbsnxOAV2RocBYIroAvsbkR ++Ly6FdP8YNwEA7jOgT05CoKIe37MstpOz23mM80AK369Ca3JMmKKCQgg= ++=xuDu ++-----END PGP PUBLIC KEY BLOCK----- +diff --git a/tests/openpgp/import-incomplete/primary+uid-sig.asc b/tests/openpgp/import-incomplete/primary+uid-sig.asc +new file mode 100644 +index 000000000..134607d0e +--- /dev/null ++++ b/tests/openpgp/import-incomplete/primary+uid-sig.asc +@@ -0,0 +1,10 @@ ++-----BEGIN PGP PUBLIC KEY BLOCK----- ++Comment: [C] primary key and self-sig expiring in 2024 (no user ID) ++ ++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ ++631VAN2IlgQTFggAPgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBLRpj5W8 ++2H/gSMzKKQhD2paaqNr7BQJc2ZR1BQkJZgHcAAoJEAhD2paaqNr79soA/0lWkUsu ++3NLwgbni6EzJxnTzgeNMpljqNpipHAwfix9hAP93AVtFdC8g7hdUZxawobl9lnSN ++9ohXOEBWvdJgVv2YAg== ++=KWIK ++-----END PGP PUBLIC KEY BLOCK----- +diff --git a/tests/openpgp/import-incomplete/primary+uid.asc b/tests/openpgp/import-incomplete/primary+uid.asc +new file mode 100644 +index 000000000..055f30086 +--- /dev/null ++++ b/tests/openpgp/import-incomplete/primary+uid.asc +@@ -0,0 +1,10 @@ ++-----BEGIN PGP PUBLIC KEY BLOCK----- ++Comment: [A] primary key, user ID, and self-sig expiring in 2021 ++ ++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ ++631VAN20CHRlc3Qga2V5iJYEExYIAD4WIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC ++XNmUGQIbAwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAIQ9qWmqja +++0G1AQDdQiwhXxjXLMqoth+D4SigVHTJK8ORwifzsy3UE7mPGwD/aZ67XbAF/lgI ++kv2O1Jo0u9BL9RNNF+L0DM7rAFbfMAs= ++=1eII ++-----END PGP PUBLIC KEY BLOCK----- diff --git a/gnupg-add_legacy_FIPS_mode_option.patch b/gnupg-add_legacy_FIPS_mode_option.patch new file mode 100644 index 0000000..83c5139 --- /dev/null +++ b/gnupg-add_legacy_FIPS_mode_option.patch @@ -0,0 +1,69 @@ +--- + doc/gpg.texi | 18 ++++++++++++++++++ + g10/gpg.c | 9 +++++++++ + 2 files changed, 27 insertions(+) + +Index: gnupg-2.4.2/doc/gpg.texi +=================================================================== +--- gnupg-2.4.2.orig/doc/gpg.texi ++++ gnupg-2.4.2/doc/gpg.texi +@@ -2285,6 +2285,24 @@ implies, this option is for experts only + understand the implications of what it allows you to do, leave this + off. @option{--no-expert} disables this option. + ++@item --set-legacy-fips ++@itemx --set-legacy-fips ++@opindex set-legacy-fips ++Enable legacy support even when the libgcrypt library is in FIPS 140-2 ++mode. The legacy mode of libgcrypt allows the use of all ciphers, ++including non-approved ciphers. This mode is needed when for legacy ++reasons a message must be encrypted or decrypted. Legacy reasons for ++decryptions include the decryption of old messages created with a ++public key that use cipher settings which do not meet FIPS 140-2 ++requirements. Legacy reasons for encryption include the encryption ++of messages with a recipients public key where the recipient is not ++bound to FIPS 140-2 regulation and therefore provided a key using ++non-approved ciphers. Although the legacy mode is a violation of strict ++FIPS 140-2 rule interpretations, it is wise to use this mode or ++either not being able to access old messages or not being able ++to create encrypted messages to a recipient that is not adhering ++to FIPS 140-2 rules. ++ + @end table + + +Index: gnupg-2.4.2/g10/gpg.c +=================================================================== +--- gnupg-2.4.2.orig/g10/gpg.c ++++ gnupg-2.4.2/g10/gpg.c +@@ -446,6 +446,7 @@ enum cmd_and_opt_values + oForceSignKey, + oForbidGenKey, + oRequireCompliance, ++ oSetLegacyFips, + oCompatibilityFlags, + oAddDesigRevoker, + oAssertSigner, +@@ -886,6 +887,7 @@ static gpgrt_opt_t opts[] = { + ARGPARSE_s_s (oCipherAlgo, "cipher-algo", "@"), + ARGPARSE_s_s (oDigestAlgo, "digest-algo", "@"), + ARGPARSE_s_s (oCertDigestAlgo, "cert-digest-algo", "@"), ++ ARGPARSE_s_n (oSetLegacyFips, "set-legacy-fips", "@"), + + + ARGPARSE_header (NULL, N_("Options for unattended use")), +@@ -3756,6 +3758,14 @@ main (int argc, char **argv) + keybox_set_buffersize (pargs.r.ret_ulong, 0); + break; + ++ case oSetLegacyFips: ++ if(gcry_fips_mode_active()) ++ gcry_control (GCRYCTL_INACTIVATE_FIPS_FLAG, ++ "Enable legacy support in FIPS 140-2 mode"); ++ else ++ log_info ("Command set-legacy-fips ignored as libgcrypt is not in FIPS mode\n"); ++ break; ++ + case oNoop: break; + + default: diff --git a/gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch b/gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch new file mode 100644 index 0000000..649e0d8 --- /dev/null +++ b/gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch @@ -0,0 +1,108 @@ +From a1db83d8a3308277f01b96833c13693bd7e13ff9 Mon Sep 17 00:00:00 2001 +From: Vincent Breitmoser +Date: Thu, 13 Jun 2019 21:27:42 +0200 +Subject: [PATCH] gpg: allow import of previously known keys, even without UIDs + +* g10/import.c (import_one): Accept an incoming OpenPGP certificate that +has no user id, as long as we already have a local variant of the cert +that matches the primary key. + +-- + +This fixes two of the three broken tests in import-incomplete.scm. + +GnuPG-Bug-id: 4393 +Signed-off-by: Daniel Kahn Gillmor +--- + g10/import.c | 49 +++++++++++-------------------------------------- + 1 file changed, 11 insertions(+), 38 deletions(-) + +Index: gnupg-2.4.0/g10/import.c +=================================================================== +--- gnupg-2.4.0.orig/g10/import.c ++++ gnupg-2.4.0/g10/import.c +@@ -1954,7 +1954,6 @@ import_one_real (ctrl_t ctrl, + size_t an; + char pkstrbuf[PUBKEY_STRING_SIZE]; + int merge_keys_done = 0; +- int any_filter = 0; + KEYDB_HANDLE hd = NULL; + + if (r_valid) +@@ -1991,14 +1990,6 @@ import_one_real (ctrl_t ctrl, + log_printf ("\n"); + } + +- +- if (!uidnode) +- { +- if (!silent) +- log_error( _("key %s: no user ID\n"), keystr_from_pk(pk)); +- return 0; +- } +- + if (screener && screener (keyblock, screener_arg)) + { + log_error (_("key %s: %s\n"), keystr_from_pk (pk), +@@ -2078,18 +2069,10 @@ import_one_real (ctrl_t ctrl, + } + } + +- /* Delete invalid parts and bail out if there are no user ids left. */ +- if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs)) +- { +- if (!silent) +- { +- log_error ( _("key %s: no valid user IDs\n"), keystr_from_pk(pk)); +- if (!opt.quiet) +- log_info(_("this may be caused by a missing self-signature\n")); +- } +- stats->no_user_id++; +- return 0; +- } ++ /* Delete invalid parts, and note if we have any valid ones left. ++ * We will later abort import if this key is new but contains ++ * no valid uids. */ ++ delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs); + + /* Get rid of deleted nodes. */ + commit_kbnode (&keyblock); +@@ -2099,24 +2082,11 @@ import_one_real (ctrl_t ctrl, + { + apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid); + commit_kbnode (&keyblock); +- any_filter = 1; + } + if (import_filter.drop_sig) + { + apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig); + commit_kbnode (&keyblock); +- any_filter = 1; +- } +- +- /* If we ran any filter we need to check that at least one user id +- * is left in the keyring. Note that we do not use log_error in +- * this case. */ +- if (any_filter && !any_uid_left (keyblock)) +- { +- if (!opt.quiet ) +- log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk)); +- stats->no_user_id++; +- return 0; + } + + /* The keyblock is valid and ready for real import. */ +@@ -2174,6 +2144,13 @@ import_one_real (ctrl_t ctrl, + err = 0; + stats->skipped_new_keys++; + } ++ else if (err && !any_uid_left (keyblock)) ++ { ++ if (!silent) ++ log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid)); ++ err = 0; ++ stats->no_user_id++; ++ } + else if (err) /* Insert this key. */ + { + /* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY. */ diff --git a/gnupg-allow-large-rsa.patch b/gnupg-allow-large-rsa.patch new file mode 100644 index 0000000..b2ebc1e --- /dev/null +++ b/gnupg-allow-large-rsa.patch @@ -0,0 +1,13 @@ +Index: gnupg-2.4.0/g10/keygen.c +=================================================================== +--- gnupg-2.4.0.orig/g10/keygen.c ++++ gnupg-2.4.0/g10/keygen.c +@@ -2461,7 +2461,7 @@ get_keysize_range (int algo, unsigned in + + default: + *min = opt.compliance == CO_DE_VS ? 2048: 1024; +- *max = 4096; ++ *max = opt.flags.large_rsa == 1 ? 8192 : 4096; + def = 3072; + break; + } diff --git a/gnupg-detect_FIPS_mode.patch b/gnupg-detect_FIPS_mode.patch new file mode 100644 index 0000000..025a611 --- /dev/null +++ b/gnupg-detect_FIPS_mode.patch @@ -0,0 +1,18 @@ +Index: gnupg-2.3.8/g10/mainproc.c +=================================================================== +--- gnupg-2.3.8.orig/g10/mainproc.c ++++ gnupg-2.3.8/g10/mainproc.c +@@ -1011,7 +1011,12 @@ proc_plaintext( CTX c, PACKET *pkt ) + according to 2440, so hopefully it won't come up that often. + There is no good way to specify what algorithms to use in + that case, so these there are the historical answer. */ +- gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160); ++ ++ /* Libgcrypt manual says that gcry_version_check must be called ++ * before calling gcry_fips_mode_active. */ ++ gcry_check_version (NULL); ++ if(!gcry_fips_mode_active()) ++ gcry_md_enable(c->mfx.md, DIGEST_ALGO_RMD160); + gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1); + } + if (DBG_HASHING) diff --git a/gnupg-dont-fail-with-seahorse-agent.patch b/gnupg-dont-fail-with-seahorse-agent.patch new file mode 100644 index 0000000..e4bbb06 --- /dev/null +++ b/gnupg-dont-fail-with-seahorse-agent.patch @@ -0,0 +1,17 @@ +--- + g10/passphrase.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: gnupg-2.3.0/g10/passphrase.c +=================================================================== +--- gnupg-2.3.0.orig/g10/passphrase.c ++++ gnupg-2.3.0/g10/passphrase.c +@@ -222,7 +222,7 @@ passphrase_get (int newsymkey, int nocac + } + else + { +- log_error (_("problem with the agent: %s\n"), gpg_strerror (rc)); ++ log_info (_("problem with the agent: %s\n"), gpg_strerror (rc)); + /* Due to limitations in the API of the upper layers they + consider an error as no passphrase entered. This works in + most cases but not during key creation where this should diff --git a/gnupg-gpg-agent-ulimit.patch b/gnupg-gpg-agent-ulimit.patch new file mode 100644 index 0000000..735bbdb --- /dev/null +++ b/gnupg-gpg-agent-ulimit.patch @@ -0,0 +1,35 @@ +gpg-agent is in the chain of commands in xinitrc. +It receives a list of commands via argv[] which it is supposed to launch via exec. +In this mode all what matters is a bunch of setenv() of gpg related variables. +At no point it must fiddle with ulimit that was provided by its callers. +In case of xinitrc it was most likely pam_limits which, for example, configured the coredump settings for this session. + +Every code path before the fork() call does no sensitive things, so coredumps do not matter. + +gpg-agent does fork a child in this mode. +That child has the liberty to tweak ulimit in every way it wants. +This is what this patch does. + +Without this patch, all applications launched after gpg-agent are unable to coredump, because systemd-coredump check the ulimit of the crashed process. +As a result, crashes of desktop applications can not be debugged. + +References: bsc#1124847 + +--- a/agent/gpg-agent.c ++++ b/agent/gpg-agent.c +@@ -1049,7 +1049,6 @@ main (int argc, char **argv ) + gcry_control (GCRYCTL_USE_SECURE_RNDPOOL); + gcry_set_progress_handler (agent_libgcrypt_progress_cb, NULL); + +- disable_core_dumps (); + + /* Set default options. */ + parse_rereadable_options (NULL, 0); /* Reset them to default values. */ +@@ -1738,6 +1737,7 @@ main (int argc, char **argv ) + /* + This is the child + */ ++ disable_core_dumps (); + + initialize_modules (); + diff --git a/gnupg-nobetasuffix.patch b/gnupg-nobetasuffix.patch new file mode 100644 index 0000000..42bbb66 --- /dev/null +++ b/gnupg-nobetasuffix.patch @@ -0,0 +1,24 @@ +Index: gnupg-2.4.3/autogen.sh +=================================================================== +--- gnupg-2.4.3.orig/autogen.sh ++++ gnupg-2.4.3/autogen.sh +@@ -221,7 +221,7 @@ if [ "$myhost" = "find-version" ]; then + esac + + beta=no +- if [ -e .git ]; then ++ if false; then + ingit=yes + tmp=$(git describe --match "${matchstr1}" --long 2>/dev/null) + tmp=$(echo "$tmp" | sed s/^"$package"//) +@@ -237,8 +237,8 @@ if [ "$myhost" = "find-version" ]; then + rvd=$((0x$(echo ${rev} | dd bs=1 count=4 2>/dev/null))) + else + ingit=no +- beta=yes +- tmp="-unknown" ++ beta=no ++ tmp="" + rev="0000000" + rvd="0" + fi diff --git a/gnupg-revert-rfc4880bis.patch b/gnupg-revert-rfc4880bis.patch new file mode 100644 index 0000000..6693bbd --- /dev/null +++ b/gnupg-revert-rfc4880bis.patch @@ -0,0 +1,202 @@ +From 4583f4fe2e11b3dd070066628c3f16776cc74f72 Mon Sep 17 00:00:00 2001 +From: Werner Koch +Date: Mon, 31 Oct 2022 16:14:18 +0100 +Subject: [PATCH GnuPG] gpg: Merge --rfc4880bis features into --gnupg + +* g10/gpg.c (oRFC4880bis): Remove. +(opts): Make --rfc4880bis a Noop. +(compliance_options): Make rfc4880bis to gnupg. +(set_compliance_option): Remove rfc4880bis stuff. +(main): Ditto. Note that this now activates the --mimemode option. +* g10/keygen.c (keygen_set_std_prefs): Remove rfc4880bis protection. +(keygen_upd_std_prefs): Always announce support for v5 keys. +(read_parameter_file): Activate the v4 and v5 keywords. +-- + +Index: gnupg-2.4.1/g10/gpg.c +=================================================================== +--- gnupg-2.4.1.orig/g10/gpg.c ++++ gnupg-2.4.1/g10/gpg.c +@@ -247,6 +247,7 @@ enum cmd_and_opt_values + oGnuPG, + oRFC2440, + oRFC4880, ++ oRFC4880bis, + oOpenPGP, + oPGP7, + oPGP8, +@@ -636,6 +637,7 @@ static gpgrt_opt_t opts[] = { + ARGPARSE_s_n (oGnuPG, "no-pgp8", "@"), + ARGPARSE_s_n (oRFC2440, "rfc2440", "@"), + ARGPARSE_s_n (oRFC4880, "rfc4880", "@"), ++ ARGPARSE_s_n (oRFC4880bis, "rfc4880bis", "@"), + ARGPARSE_s_n (oOpenPGP, "openpgp", N_("use strict OpenPGP behavior")), + ARGPARSE_s_n (oPGP7, "pgp6", "@"), + ARGPARSE_s_n (oPGP7, "pgp7", "@"), +@@ -978,7 +980,6 @@ static gpgrt_opt_t opts[] = { + ARGPARSE_s_n (oNoop, "no-allow-multiple-messages", "@"), + ARGPARSE_s_s (oNoop, "aead-algo", "@"), + ARGPARSE_s_s (oNoop, "personal-aead-preferences","@"), +- ARGPARSE_s_n (oNoop, "rfc4880bis", "@"), + ARGPARSE_s_n (oNoop, "override-compliance-check", "@"), + + +@@ -2227,7 +2228,7 @@ static struct gnupg_compliance_option co + { + { "gnupg", oGnuPG }, + { "openpgp", oOpenPGP }, +- { "rfc4880bis", oGnuPG }, ++ { "rfc4880bis", oRFC4880bis }, + { "rfc4880", oRFC4880 }, + { "rfc2440", oRFC2440 }, + { "pgp6", oPGP7 }, +@@ -2243,8 +2244,28 @@ static struct gnupg_compliance_option co + static void + set_compliance_option (enum cmd_and_opt_values option) + { ++ opt.flags.rfc4880bis = 0; /* Clear because it is initially set. */ ++ + switch (option) + { ++ case oRFC4880bis: ++ opt.flags.rfc4880bis = 1; ++ opt.compliance = CO_RFC4880; ++ opt.flags.dsa2 = 1; ++ opt.flags.require_cross_cert = 1; ++ opt.rfc2440_text = 0; ++ opt.allow_non_selfsigned_uid = 1; ++ opt.allow_freeform_uid = 1; ++ opt.escape_from = 1; ++ opt.not_dash_escaped = 0; ++ opt.def_cipher_algo = 0; ++ opt.def_digest_algo = 0; ++ opt.cert_digest_algo = 0; ++ opt.compress_algo = -1; ++ opt.s2k_mode = 3; /* iterated+salted */ ++ opt.s2k_digest_algo = DIGEST_ALGO_SHA256; ++ opt.s2k_cipher_algo = CIPHER_ALGO_AES256; ++ break; + case oOpenPGP: + case oRFC4880: + /* This is effectively the same as RFC2440, but with +@@ -2288,6 +2309,7 @@ set_compliance_option (enum cmd_and_opt_ + case oPGP8: opt.compliance = CO_PGP8; break; + case oGnuPG: + opt.compliance = CO_GNUPG; ++ opt.flags.rfc4880bis = 1; + break; + + case oDE_VS: +@@ -2490,6 +2512,7 @@ main (int argc, char **argv) + opt.emit_version = 0; + opt.weak_digests = NULL; + opt.compliance = CO_GNUPG; ++ opt.flags.rfc4880bis = 1; + + /* Check special options given on the command line. */ + orig_argc = argc; +@@ -3032,6 +3055,7 @@ main (int argc, char **argv) + case oOpenPGP: + case oRFC2440: + case oRFC4880: ++ case oRFC4880bis: + case oPGP7: + case oPGP8: + case oGnuPG: +@@ -3868,6 +3892,11 @@ main (int argc, char **argv) + if( may_coredump && !opt.quiet ) + log_info(_("WARNING: program may create a core file!\n")); + ++ if (!opt.flags.rfc4880bis) ++ { ++ opt.mimemode = 0; /* This will use text mode instead. */ ++ } ++ + if (eyes_only) { + if (opt.set_filename) + log_info(_("WARNING: %s overrides %s\n"), +@@ -4084,7 +4113,7 @@ main (int argc, char **argv) + /* Check our chosen algorithms against the list of legal + algorithms. */ + +- if(!GNUPG) ++ if(!GNUPG && !opt.flags.rfc4880bis) + { + const char *badalg=NULL; + preftype_t badtype=PREFTYPE_NONE; +Index: gnupg-2.4.1/g10/keygen.c +=================================================================== +--- gnupg-2.4.1.orig/g10/keygen.c ++++ gnupg-2.4.1/g10/keygen.c +@@ -404,7 +404,7 @@ keygen_set_std_prefs (const char *string + strcat(dummy_string,"S7 "); + strcat(dummy_string,"S2 "); /* 3DES */ + +- if (!openpgp_aead_test_algo (AEAD_ALGO_OCB)) ++ if (opt.flags.rfc4880bis && !openpgp_aead_test_algo (AEAD_ALGO_OCB)) + strcat(dummy_string,"A2 "); + + if (personal) +@@ -889,7 +889,7 @@ keygen_upd_std_prefs (PKT_signature *sig + /* Make sure that the MDC feature flag is set if needed. */ + add_feature_mdc (sig,mdc_available); + add_feature_aead (sig, aead_available); +- add_feature_v5 (sig, 1); ++ add_feature_v5 (sig, opt.flags.rfc4880bis); + add_keyserver_modify (sig,ks_modify); + keygen_add_keyserver_url(sig,NULL); + +@@ -3382,7 +3382,10 @@ parse_key_parameter_part (ctrl_t ctrl, + } + } + else if (!ascii_strcasecmp (s, "v5")) +- keyversion = 5; ++ { ++ if (opt.flags.rfc4880bis) ++ keyversion = 5; ++ } + else if (!ascii_strcasecmp (s, "v4")) + keyversion = 4; + else +@@ -3641,7 +3644,7 @@ parse_key_parameter_part (ctrl_t ctrl, + * ecdsa := Use algorithm ECDSA. + * eddsa := Use algorithm EdDSA. + * ecdh := Use algorithm ECDH. +- * v5 := Create version 5 key ++ * v5 := Create version 5 key (requires option --rfc4880bis) + * + * There are several defaults and fallbacks depending on the + * algorithm. PART can be used to select which part of STRING is +@@ -4513,9 +4516,9 @@ read_parameter_file (ctrl_t ctrl, const + } + } + +- if ((keywords[i].key == pVERSION +- || keywords[i].key == pSUBVERSION)) +- ; /* Ignore version. */ ++ if (!opt.flags.rfc4880bis && (keywords[i].key == pVERSION ++ || keywords[i].key == pSUBVERSION)) ++ ; /* Ignore version unless --rfc4880bis is active. */ + else + { + r = xmalloc_clear( sizeof *r + strlen( value ) ); +@@ -4610,11 +4613,14 @@ quickgen_set_para (struct para_data_s *p + para = r; + } + +- r = xmalloc_clear (sizeof *r + 20); +- r->key = for_subkey? pSUBVERSION : pVERSION; +- snprintf (r->u.value, 20, "%d", version); +- r->next = para; +- para = r; ++ if (opt.flags.rfc4880bis) ++ { ++ r = xmalloc_clear (sizeof *r + 20); ++ r->key = for_subkey? pSUBVERSION : pVERSION; ++ snprintf (r->u.value, 20, "%d", version); ++ r->next = para; ++ para = r; ++ } + + if (keytime) + { diff --git a/gnupg-set_umask_before_open_outfile.patch b/gnupg-set_umask_before_open_outfile.patch new file mode 100644 index 0000000..7e78d69 --- /dev/null +++ b/gnupg-set_umask_before_open_outfile.patch @@ -0,0 +1,43 @@ +Index: gnupg-2.3.0/g10/plaintext.c +=================================================================== +--- gnupg-2.3.0.orig/g10/plaintext.c ++++ gnupg-2.3.0/g10/plaintext.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + #ifdef HAVE_DOSISH_SYSTEM + # include /* for setmode() */ + #endif +@@ -38,6 +39,9 @@ + #include "../common/status.h" + #include "../common/i18n.h" + ++/* define safe permissions for creating plaintext files */ ++#define GPG_SAFE_PERMS (S_IRUSR | S_IWUSR) ++#define GPG_SAFE_UMASK (0777 & ~GPG_SAFE_PERMS) + + /* Get the output filename. On success, the actual filename that is + used is set in *FNAMEP and a filepointer is returned in *FP. +@@ -161,11 +165,15 @@ get_output_file (const byte *embedded_na + log_error (_("error creating '%s': %s\n"), fname, gpg_strerror (err)); + goto leave; + } +- else if (!(fp = es_fopen (fname, "wb"))) +- { +- err = gpg_error_from_syserror (); +- log_error (_("error creating '%s': %s\n"), fname, gpg_strerror (err)); +- goto leave; ++ else { ++ mode_t saved_umask = umask(GPG_SAFE_UMASK); ++ if( !(fp = es_fopen(fname,"wb")) ) { ++ err = gpg_error_from_syserror (); ++ log_error(_("error creating `%s': %s\n"), fname, strerror(errno) ); ++ umask(saved_umask); ++ goto leave; ++ } ++ umask(saved_umask); + } + + leave: diff --git a/gpg2-systemd-user.tar.xz b/gpg2-systemd-user.tar.xz new file mode 100644 index 0000000..c2fe16f --- /dev/null +++ b/gpg2-systemd-user.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3f9243d1bb781cd5da3c4c41dccfecd62e0a78aa3fd0e2edd18d766bd4b1cfc3 +size 1812 diff --git a/gpg2.changes b/gpg2.changes new file mode 100644 index 0000000..2d1d39e --- /dev/null +++ b/gpg2.changes @@ -0,0 +1,2880 @@ +------------------------------------------------------------------- +Thu Jan 25 18:51:03 UTC 2024 - Pedro Monreal + +- Update to 2.4.4: [bsc#1219191] + * gpg: Do not keep an unprotected smartcard backup key on disk. + See https://gnupg.org/blog/20240125-smartcard-backup-key.html + for a security advisory. [T6944] + * gpg: Allow to specify seconds since Epoch beyond 2038 on 32-bit + platforms. [T6736] + * gpg: Fix expiration time when Creation-Date is specified. [T5252] + * gpg: Add support for Subkey-Expire-Date. [rG96b69c1866] + * gpg: Add option --with-v5-fingerprint. [T6705] + * gpg: Add sub-option ignore-attributes to --import-options. + * gpg: Add --list-filter properties sig_expires/sig_expires_d. + * gpg: Fix validity of re-imported keys. [T6399] + * gpg: Report BEGIN_ status before examining the input. [T6481] + * gpg: Don't try to compress a read-only keybox. [T6811] + * gpg: Choose key from inserted card over a non-inserted card. [T6831] + * gpg: Allow to create revocations even with non-compliant algos. [T6929] + * gpg: Fix regression in the Revoker keyword of the parameter file. [T6923] + * gpg: Improve error message for expired default keys. [T4704] + * gpgsm: Add --always-trust feature. [T6559] + * gpgsm: Support ECC certificates in de-vs mode. [T6802] + * gpgsm: Major rewrite of the PKCS#12 parser. [T6536] + * gpgsm: No not show the pkcs#12 passphrase in debug output. [T6654] + * keyboxd: Timeout on failure to get the database lock. [T6838] + * agent: Update the key stubs only if really modified. [T6829] + * scd: Add support for certain Starcos 3.2 cards. [rG5304c9b080] + * scd: Add support for CardOS 5.4 cards. [rG812f988059] + * scd: Add support for D-Trust 4.1/4.4 cards. [rG0b85a9ac09] + * scd: Add support for Smartcafe Expert 7.0 cards. [T6919] + * scd: Add a length check for a new PIN. [T6843] + * tpm: Fix keytotpm handling in the agent. [rG9909f622f6] + * tpm: Fixes for the TPM test suite. [T6052] + * dirmngr: New option --ignore-crl-extensions. [T6545] + * dirmngr: Support config value "none" to disable the default + keyserver. [T6708] + * dirmngr: Fix handling of the HTTP Content-Length. [rGa5e33618f4] + * gpgconf: Add commands --lock and --unlock. [rG93b5ba38dc] + * gpgconf: Add keyword socketdir to gpgconf.ctl. [rG239c1fdc28] + * gpgconf: Adjust the -X command for the new VERSION file format. [T6918] + * wkd: Use export-clean for gpg-wks-client's --mirror and --create + commands. [rG2c7f7a5a278c] + * wkd: Make --add-revocs the default in gpg-wks-client. New option + --no-add-revocs. [rG10c937ee68] + * Remove duplicated backslashes when setting the homedir. [T6833] + * Ignore attempts to remove the /dev/null device. [T6556] + * Improve advisory file lock retry strategy. [T3380] + * Release-info: https://dev.gnupg.org/T6578 + * Remove patch upstream: + - gnupg-Report-BEGIN_-status-before-examining-the-input.patch + +------------------------------------------------------------------- +Mon Oct 30 15:01:05 UTC 2023 - Pedro Monreal + +- Fix the build in SLE and Leap by adding an exclude in the files + section for the dirmngr's systemd user units. [jsc#PED-7093] + +------------------------------------------------------------------- +Tue Oct 17 10:27:15 UTC 2023 - Pedro Monreal + +- Do not pull revision info from GIT when autoconf is run. This + removes the -unknown suffix after the version number. + * Add gnupg-nobetasuffix.patch [bsc#1216334] + +------------------------------------------------------------------- +Mon Oct 16 19:54:40 UTC 2023 - Pedro Monreal + +- Fix Emacs EasyPG behavior when parsing output: + * gpg: Report BEGIN_* status before examining the input. + * Upstream task: https://dev.gnupg.org/T6481 + * Add gnupg-Report-BEGIN_-status-before-examining-the-input.patch + +------------------------------------------------------------------- +Tue Oct 10 06:46:08 UTC 2023 - Pedro Monreal + +- Install the internal executables in the /usr/libexec dir instead + of /usr/lib64. These files are keyboxd, scdaemon, gpg-auth + gpg-check-pattern, gpg-pair-tool, gpg-preset-passphrase, + gpg-protect-tool, gpg-wks-client, dirmngr_ldap and tpm2daemon. + +------------------------------------------------------------------- +Mon Oct 9 12:33:12 UTC 2023 - Pedro Monreal + +- Provide the systemd-user files since they have been removed + upstream since version 2.4.1. [bsc#1201564] + * Add gpg2-systemd-user.tar.xz + +------------------------------------------------------------------- +Thu Sep 21 07:36:32 UTC 2023 - Pedro Monreal + +- Install the systemd user units in the _userunitdir [bsc#1201564] + * Note that, there is no activation by default. + * Rework excludes in the spec's files section. + +------------------------------------------------------------------- +Thu Aug 3 16:24:19 UTC 2023 - Pedro Monreal + +- Revert back to use the IBM TPM Software stack. + +------------------------------------------------------------------- +Wed Jul 5 09:10:55 UTC 2023 - Pedro Monreal + +- Update to 2.4.3: + * gpg: Set default expiration date to 3 years. [T2701] + * gpg: Add --list-filter properties "key_expires" and + "key_expires_d". [T6529] + * gpg: Emit status line and proper diagnostics for write errors. [T6528] + * gpg: Make progress work for large files on Windows. [T6534] + * gpg: New option --no-compress as alias for -z0. + * gpgsm: Print PROGRESS status lines. Add new --input-size-hint. [T6534] + * gpgsm: Support SENDCERT_SKI for --call-dirmngr. [rG701a8b30f0] + * gpgsm: Major rewrite of the PKCS#12 parser. [T6536] + * gpgtar: New option --no-compress. + * dirmngr: Extend the AD_QUERY command. [rG207c99567c] + * dirmngr: Disable the HTTP redirect rewriting. [T6477] + * dirmngr: New option --compatibility-flags. [rGbf04b07327] + * dirmngr: New option --ignore-crl-extensions. [T6545] + * wkd: Use export-clean for gpg-wks-client's --mirror and --create + commands. [rG2c7f7a5a27] + * wkd: Make --add-revocs the default in gpg-wks-client. New option + --no-add-revocs. [rG10c937ee68] + * scd: Make signing work for Nexus cards. [rGb83d86b988] + * scd: Fix authentication with Administration Key for PIV. [rG25b59cf6ce] + +------------------------------------------------------------------- +Tue May 30 19:37:39 UTC 2023 - Pedro Monreal + +- Update to 2.4.2: + * gpg: Print a warning if no more encryption subkeys are left over + after changing the expiration date. [rGef2c3d50fa] + * gpg: Fix searching for the ADSK key when adding an ADSK. [T6504] + * gpgsm: Speed up key listings on Windows. [rG08ff55bd44] + * gpgsm: Reduce the number of "failed to open policy file" + diagnostics. [rG68613a6a9d] + * agent: Make updating of private key files more robust and track + display S/N. [T6135] + * keyboxd: Avoid longish delays on Windows when listing keys. + [rG6944aefa3c] + * gpgtar: Emit extra status lines to help GPGME. [T6497] + * w32: Avoid using the VirtualStore. [T6403] + * Rebase gnupg-add_legacy_FIPS_mode_option.patch + +------------------------------------------------------------------- +Fri Apr 28 11:58:06 UTC 2023 - Pedro Monreal + +- Update to 2.4.1: + * If the ~/.gnupg directory does not exist, the keyboxd is now + automagically enabled. [rGd9e7488b17] + * gpg: New option --add-desig-revoker. [rG3d094e2bcf] + * gpg: New option --assert-signer. [rGc9e95b8dee] + * gpg: New command --quick-add-adsk and other ADSK features. + [T6395, https://gnupg.org/blog/20230321-adsk.html] + * gpg: New list-option "show-unusable-sigs". Also show "[self-signature]" + instead of the user-id in key signature listings. [rG103acfe9ca] + * gpg: For symmetric encryption the default S2K hash is now SHA256. [T6367] + * gpg: Detect already compressed data also when using a pipe. Also + detect JPEG and PNG file formats. [T6332] + * gpg: New subcommand "openpgp" for --card-edit. [T6462] + * gpgsm: Verification of detached signatures does now strip trailing + zeroes from the input if --assume-binary is used. [rG2a13f7f9dc] + * gpgsm: Non-armored detached signature are now created without + using indefinite form length octets. This improves compatibility + with some PDF signature verification software. [rG8996b0b655] + * gpgtar: Emit progress status lines in create mode. [T6363] + * dirmngr: The LDAP modifyTimestamp is now returned by some + keyserver commands. [rG56d309133f] + * ssh: Allow specification of the order keys are presented to ssh. + See the man page entry for --enable-ssh-support. [T5996, T6212] + * gpg: Make list-options "show-sig-subpackets" work again. + Fixes regression in 2.4.0. [rG5a223303d7] + * gpg: Fix the keytocard command for Yubikeys. [T6378] + * gpg: Do not continue an export after a cancel for the primary key. [T6093] + * gpg: Replace the --override-compliance-check hack by a real fix. [T5655] + * gpgtar: Fix decryption with input taken from stdin. [T6355] + * Rebase patches: + - gnupg-revert-rfc4880bis.patch + - gnupg-add_legacy_FIPS_mode_option.patch + * Remove patch fixed upstream: + - gnupg-tests-Fix-tests-gpgme-for-in-source-tree-builds.patch + +------------------------------------------------------------------- +Fri Mar 10 09:03:00 UTC 2023 - Pedro Monreal + +- Temporarily revert back to the pre-2.4 default for key generation. + The new rfc4880bis has been set as the default in 2.4 version and + might create incompatible keys. Note that, rfc4880bis can still + be used with the option flag --rfc4880bis as in previous versions. + * More info in the gnupg-devel ML: + https://lists.gnupg.org/pipermail/gnupg-devel/2022-December/035183.html + * Reverted commit https://dev.gnupg.org/rGcaf4b3fc16e9 + * Add gnupg-revert-rfc4880bis.patch + +------------------------------------------------------------------- +Fri Mar 10 08:42:02 UTC 2023 - Pedro Monreal + +- Allow 8192 bit RSA keys in keygen UI when large_rsa is set + * Add gnupg-allow-large-rsa.patch + +------------------------------------------------------------------- +Tue Feb 7 08:58:03 UTC 2023 - Pedro Monreal + +- Fix the regression test suite fails with the IBM TPM Software + stack. Builds fine using the Intel TPM; use the swtpm and + tpm2-0-tss-devel packages instead of ibmswtpm2 and ibmtss-devel. + +------------------------------------------------------------------- +Wed Jan 11 11:15:54 UTC 2023 - Pedro Monreal + +- Fix broken GPGME QT tests: Upstram dev task dev.gnupg.org/T6313 + * The original patch has been modified to expand the changes + also to the tests/gpgme/Makefile.in file. + * Add gnupg-tests-Fix-tests-gpgme-for-in-source-tree-builds.patch + +------------------------------------------------------------------- +Tue Dec 20 16:01:05 UTC 2022 - David Anes + +- Updated to require libgpg-error-devel >= 1.46 + +- Rebased patches: + * gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch + * gnupg-add_legacy_FIPS_mode_option.patch + +- GnuPG 2.4.0: + * common: Fix translations in --help for gpgrt < 1.47. + * gpg: Do not continue the export after a cancel for the primary key. + * gpg: Replace use of PRIu64 in log_debug. + * Update NEWS for 2.4.0. + * tests: Fix make check with GPGME. + * agent: Allow arguments to "scd serialno" in restricted mode. + * scd:p15: Skip deleted records. + * build: Remove Windows CE support. + * wkd: Do not send/install/mirror expired user ids. + * gpgsm: Print the revocation time also with --verify. + * gpgsm: Fix "problem re-searching certificate" case. + * gpgsm: Print revocation date and reason in cert listings. + * gpgsm: Silence the "non-critical certificate policy not allowed". + * gpgsm: Always use the chain model if the root-CA requests this. + * gpg: New export option "mode1003". + * gpg: Remove a mostly duplicated function. + * tests: Simplify fake-pinentry to use the option only. + * tests: Fix fake-pinentry for Windows. + * tests: Fix make check-all. + * agent: Fix import of protected v5 keys. + * gpgsm: Change default algo to AES-256. + * tests: Put a workaround for semihosted environment. + * tests: More fix for semihosted environment. + * tests: Support semihosted environment. + * tests: Fix tests under cms. + * tests,w32: Fix for semihosted environment. + * w32: Fix for tests on semihosted environment. + * w32: Fix gnupg_unsetenv. + * wkd: New option --add-revocs and some fixes. + * wkd: Make use of --debug extprog. + * gpg: New export-filter export-revocs. + * gpg: Fix double-free in gpg --card-edit. + * gpg: Make --require-compliance work with out --status-fd. + * gpg: New option --list-filter. + * dirmngr: Silence ocsp debug output. + * tests: Fix to support --enable-all-tests and variants. + * tests:w32: Fix for non-dot file name for Windows. + * tests:gpgscm:w32: Fix for GetTempPath. + * tests: Keep .log files in objdir. + * tests: Use 233 for invalid value of FD. + * w32: Fix gnupg_tmpfile for possible failure. + * scd: Redact --debug cardio output of a VERIFY APDU. + * common: Remove Windows CE support in common. + * gpgsm: Fix colon outout of ECC encryption certificates. + * scd:nks: Fix ECC signing if key not given by keygrip. + * dirmngr: Fix verification of ECDSA signed CRLs. + * agent: Allow trustlist on Windows in Unicode homedirs. + * gpg: Fix verification of cleartext signatures with overlong lines. + * gpg: Move w32_system function. + * gpg: New option --quick-update-pref. + * gpg: New list-options show-pref and show-pref-verbose. + * tests: Add tests to check that OCB is only used for capable keys. + * gpg: Make --list-packets work w/o --no-armor for plain OCB packets. + * tests: Add symmetric decryption tests. + * tests: Add tr:assert-same function. + * agent: Avoid blanks in the ssh key's comment. + * build: Update m4 files. + * gpg: Merge --rfc4880bis features into --gnupg. + * gpg: Allow only OCB for AEAD encryption. + * gpg: New option --compatibility-flags. + * gpgsm: Also announce AES256-CBC in signatures. + * gpg: Fix trusted introducer for user-ids with only the mbox. + * gpg: Import stray revocation certificates. + * agent: Automatically convert to extended key format by KEYATTR. + * card: New commands "gpg" and "gpgsm". + * card: Also show fingerprints of known X.509 certificates. + * scd:nks: Support non-ESIGN signing with the Signature Card v2. + * gpgsm: Allow ECC encryption keys with just keyAgreement specified. + * gpgsm: Use macro constants for cert_usage_p. + * build: Update gpg-error.m4. + * agent,common,dirmngr,tests,tools: Remove spawn PREEXEC argument. + * gpg: Move NETLIBS after GPG_ERROR_LIBS. + * gpg: Use GCRY_KDF_ONESTEP_KDF with newer libgcrypt in future. + * common,w32: Fix struct stat on Windows. + * agent,w32: Support Win32-OpenSSH emulation by gpg-agent. + * common: Don't use FD2INT for POSIX-only code. + * dirmngr: Fix build with no LDAP support. + +------------------------------------------------------------------- +Mon Oct 17 11:35:11 UTC 2022 - Pedro Monreal + +- GnuPG 2.3.8: + * gpg: Do not consider unknown public keys as non-compliant while + decrypting. + * gpg: Avoid to emit a compliance mode line if Libgcrypt is + non-compliant. + * gpg: Improve --edit-key setpref command to ease c+p. + * gpg: Emit an ERROR status if --quick-set-primary-uid fails and + allow to pass the user ID by hash. + * gpg: Actually show symmetric+pubkey encrypted data as de-vs + compliant. Add extra compliance checks for symkey_enc packets. + * gpg: In de-vs mode use SHA-256 instead of SHA-1 as implicit + preference. + * gpgsm: Fix reporting of bad passphrase error during PKCS#11 + import. + * agent: Fix a regression in "READKEY --format=ssh". + * agent: New option --need-attr for KEYINFO. + * agent: New attribute "Remote-list" for use by KEYINFO. + * scd: Fix problem with Yubikey 5.4 firmware. + * dirmngr: Fix CRL Distribution Point fallback to other schemes. + * dirmngr: New LDAP server flag "areconly" (A-record-only). + * dirmngr: Fix upload of multiple keys for an LDAP server specified + using the colon format. + * dirmngr: Use LDAP schema v2 when a Base DN is specified. + * dirmngr: Avoid caching expired certificates. + * wkd: Fix path traversal attack in gpg-wks-server. Add the mail + address to the pending request data. + * wkd: New command --mirror for gpg-wks-client. + * gpg-auth: New tool for authentication. + * New common.conf option no-autostart. + * Silence warnings from AllowSetForegroundWindow unless + GNUPG_EXEC_DEBUG_FLAGS is used. + * Rebase gnupg-detect_FIPS_mode.patch + * Remove patch upstream: + - gnupg-2.3.7-scd-openpgp-Fix-workaround-for-Yubikey-heuristics.patch + +------------------------------------------------------------------- +Mon Aug 8 18:00:44 UTC 2022 - Andreas Stieger + +- Fix YubiKey 5 Nano support (boo#1202201), add + gnupg-2.3.7-scd-openpgp-Fix-workaround-for-Yubikey-heuristics.patch + +------------------------------------------------------------------- +Tue Jul 12 22:06:02 UTC 2022 - Andreas Stieger + +- GnuPG 2.3.7: + * CVE-2022-34903: garbled status messages could trick gpgme and + other parsers to accept faked status lines [boo#1201225] + * A number of bug fixes to the gpg command line interface + * gpgsm gained a number of new options and got some rework on + the PKCS#12 parser to support DFN issues keys + * The gpg agent got some added options and UI tweaks + * smart card support got a number of bug fixes, and improved + support for Technology Nexus cards and Yubikey + * The Telesec ESIGN application is now supported + +------------------------------------------------------------------- +Mon May 16 09:12:06 UTC 2022 - Marcus Meissner + +- added tpm support, added a new subpackage gpg2-tpm + +------------------------------------------------------------------- +Mon Apr 25 19:09:32 UTC 2022 - Andreas Stieger + +- GnuPG 2.3.6: + * Up to five times faster verification of detached signatures, + doubled detached signing speed, threefold decryption speedup + for large files, nearly double the AES256.OCB encryption speed + * Add support for GeNUA cards + * Added and improved options for crypto options, and all-around + bug fixes + +------------------------------------------------------------------- +Wed Dec 22 16:08:08 UTC 2021 - Andreas Stieger + +- GnuPG 2.3.4: + * gpg: New option --min-rsa-length + * gpg: New option --forbid-gen-key + * gpg: New option --override-compliance-check + * gpgconf: New command --show-configs + * agent,dirmngr,keyboxd: New option --steal-socket + * gpg: Fix printing of binary notations + * gpg: Remove stale ultimately trusted keys from the trustdb + * gpg: Fix indentation of --print-mds and --print-md sha512 + * gpg: Emit gpg 2.2 compatible Ed25519 signature + * gpgsm: Detect circular chains in --list-chain + * dirmngr: Make reading resolv.conf more robust + * dirmngr: Ask keyservers to provide the key fingerprints + * gpgconf: Allow changing gpg's deprecated keyserver option + * gpg-wks-server: Fix created file permissions + * scd: Support longer data for ssh-agent authentication with + openpgp cards + * scd: Modify DEVINFO behavior to support looping forever + * Silence warning about the rootdir under Unices w/o a mounted + /proc file system + * Fix possible build problems about missing include files + +------------------------------------------------------------------- +Tue Oct 12 19:20:50 UTC 2021 - Andreas Stieger + +- GnuPG 2.3.3: + * agent: Fix segv in GET_PASSPHRASE (regression) + * dirmngr: Fix Let's Encrypt certificate chain validation + * gpg: Change default and maximum AEAD chunk size to 4 MiB + * gpg: Print a warning when importing a bad cv25519 secret key + * gpg: Fix --list-packets for undecryptable AEAD packets + * gpg: Verify backsigs for v5 keys correctly + * keyboxd: Fix checksum computation for no UBID entry on disk + * keyboxd: Fix "invalid object" error with cv448 keys + * dirmngr: New option --ignore-cert + * agent: Fix calibrate_get_time use of clock_gettime + * Support a gpgconf.ctl file under Unix and use this for the + regression tests + +------------------------------------------------------------------- +Wed Aug 25 10:01:38 UTC 2021 - Pedro Monreal + +- GnuPG 2.3.2: + * gpg: Allow fingerprint based lookup with --locate-external-key. + * gpg: Allow decryption w/o public key but with correct card inserted. + * gpg: Auto import keys specified with --trusted-keys. + * gpg: Do not use import-clean for LDAP keyserver imports. + * gpg: Fix mailbox based search via AKL keyserver method. + * gpg: Fix memory corruption with --clearsign introduced with 2.3.1. + * gpg: Use a more descriptive prompt for symmetric decryption. + * gpg: Improve speed of secret key listing. + * gpg: Support keygrip search with traditional keyring. + * gpg: Let --fetch-key return an exit code on failure. + * gpg: Emit the NO_SECKEY status again for decryption. + * gpgsm: Support decryption of password based encryption (pwri). + * gpgsm: Support AES-GCM decryption. + * gpgsm: Let --dump-cert --show-cert also print an OpenPGP fingerprint. + * gpgsm: Fix finding of issuer in use-keyboxd mode. + * gpgsm: New option --ldapserver as an alias for --keyserver. + * agent: Use SHA-256 for SSH fingerprint by default. + * agent: Fix calling handle_pincache_put. + * agent: Fix importing protected secret key. + * agent: Fix a regression in agent_get_shadow_info_type. + * agent: Add translatable text for Caps Lock hint. + * agent: New option --pinentry-formatted-passphrase. + * agent: Add checkpin inquiry for pinentry. + * agent: New option --check-sym-passphrase-pattern. + * agent: Use the sysconfdir for a pattern file. + * agent: Make QT_QPA_PLATFORMTHEME=qt5ct work for the pinentry. + * dirmngr: LDAP search by a mailbox now ignores revoked keys. + * dirmngr: For KS_SEARCH return the fingerprint also with LDAP. + * dirmngr: Allow for non-URL specified ldap keyservers. + * dirmngr: New option --ldapserver. + * dirmngr: Fix regression in KS_GET for mail address pattern. + * card: New option --shadow for the list command. + * tests: Make sure the built keyboxd is used. + * scd: Fix computing shared secrets for 512 bit curves. + * scd: Fix unblock PIN by a Reset Code with KDF. + * scd: Fix PC/SC removed card problem. + * scd: Recover the partial match for PORTSTR for PC/SC. + * scd: Make sure to release the PC/SC context. + * scd: Fix zero-byte handling in ECC. + * scd: Fix serial number detection for Yubikey 5. + * scd: Add basic support for AET JCOP cards. + * scd: Detect external interference when --pcsc-shared is in use. + * scd: Fix access to the list of cards. + * gpgconf: Do not list a disabled tpm2d. + * gpgconf: Make runtime changes with different homedir work. + * keyboxd: Fix searching for exact mail adddress. + * keyboxd: Fix searching with multiple patterns. + * tools: Extend gpg-check-pattern. + * wkd: Fix client issue with leading or trailing spaces in user-ids. + * Pass XDG_SESSION_TYPE and QT_QPA_PLATFORM envvars to Pinentry. + * Change the default keyserver to keyserver.ubuntu.com. This is a + temporary change due to the shutdown of the SKS keyserver pools. + +------------------------------------------------------------------- +Fri Jun 11 12:19:16 UTC 2021 - Pedro Monreal + +- GnuPG 2.3.1: + * The new configuration file common.conf is now used to enable + the use of the key database daemon with "use-keyboxd". Using + this option in gpg.conf and gpgsm.conf is supported for a + transitional period. See doc/example/common.conf for more. + * gpg: Force version 5 key creation for ed448 and cv448 algorithms. + * gpg: By default do not use the self-sigs-only option when + importing from an LDAP keyserver. + * gpg: Lookup a missing public key of the active card via LDAP. + * gpgsm: New command --show-certs. + * scd: Fix CCID driver for SCM SPR332/SPR532. + * scd: Further improvements for PKCS#15 cards. + * New configure option --with-tss to allow the selection of the + TSS library. +- Rebase patches: + * gnupg-add_legacy_FIPS_mode_option.patch + * gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch + * gnupg-dont-fail-with-seahorse-agent.patch + * gnupg-set_umask_before_open_outfile.patch + +------------------------------------------------------------------- +Fri Jun 11 12:15:37 UTC 2021 - Andreas Stieger + +- GnuPG 2.3.0: + * A new experimental key database daemon is provided. To enable + it put "use-keyboxd" into gpg.conf and gpgsm.conf. Keys are stored + in a SQLite database and make key lookup much faster. + * New tool gpg-card as a flexible frontend for all types of + supported smartcards. + * New option --chuid for gpg, gpgsm, gpgconf, gpg-card, and + gpg-connect-agent. + * The gpg-wks-client tool is now installed under bin; a wrapper for + its old location at libexec is also installed. + * tpm2d: New daemon to physically bind keys to the local machine. + * gpg: Switch to ed25519/cv25519 as default public key algorithms. + * gpg: Verification results now depend on the --sender option and + the signer's UID subpacket. + * gpg: Do not use any 64-bit block size cipher algorithm for + encryption. Use AES as last resort cipher preference instead of + 3DES. This can be reverted using --allow-old-cipher-algos. + * gpg: Support AEAD encryption mode using OCB or EAX. + * gpg: Support v5 keys and signatures. + * gpg: Support curve X448 (ed448, cv448). + * gpg: Allow use of group names in key listings. + * gpg: New option --full-timestrings to print date and time. + * gpg: New option --force-sign-key. + * gpg: New option --no-auto-trust-new-key. + * gpg: The legacy key discovery method PKA is no longer supported. + The command --print-pka-records and the PKA related import and + export options have been removed. + * gpg: Support export of Ed448 Secure Shell keys. + * gpgsm: Add basic ECC support. + * gpgsm: Support creation of EdDSA certificates. [#4888] + * agent: Allow the use of "Label:" in a key file to customize the + pinentry prompt. + * agent: Support ssh-agent extensions for environment variables. + With a patched version of OpenSSH this avoids the need for the + "updatestartuptty" kludge. + * scd: Improve support for multiple card readers and tokens. + * scd: Support PIV cards. + * scd: Support for Rohde&Schwarz Cybersecurity cards. + * scd: Support Telesec Signature Cards v2.0 + * scd: Support multiple application on certain smartcard. + * scd: New option --application-priority. + * scd: New option --pcsc-shared; see man page for important notes. + * dirmngr: Support a gpgNtds parameter in LDAP keyserver URLs. + * The symcryptrun tool, a wrapper for the now obsolete external + Chiasmus tool, has been removed. + * Full Unicode support for the command line. +- dropped legacy commands: gpg-zip + +------------------------------------------------------------------- +Wed Apr 7 20:56:23 UTC 2021 - Andreas Stieger + +- Remove the "files-are-digests" option from the openSUSE package. + This feature was not upstream and only used in the OBS signing + daemon. The recommended upstream feature for separating the data + to be signed from the private keys is gpg agent forwarding, + available from 2.1. Drop gnupg-2.2.8-files-are-digests.patch + +------------------------------------------------------------------- +Tue Jan 12 22:45:11 UTC 2021 - Andreas Stieger + +- GnuPG 2.2.27: + * gpgconf: Fix case with neither local nor global gpg.conf + * gpgconf: Fix description of two new options +- includes changes from 2.2.26: + * gpg: New AKL method "ntds" + * gpg: Fix --trusted-key with fingerprint arg + * scd: Fix writing of ECC keys to an OpenPGP card + * scd: Make an USB error fix specific to SPR532 readers + * dirmngr: With new LDAP keyservers store the new attributes. + Never store the useless pgpSignerID. Fix a long standing + bug storing some keys on an ldap server. + * dirmngr: Support the new Active Direcory LDAP schema for + keyservers + * dirmngr: Allow LDAP OpenPGP searches via fingerprint + * dirmngr: Do not block other threads during keyserver LDAP calls + * Support global configuration files + * Fix the iconv fallback handling to UTF-8 + +------------------------------------------------------------------- +Mon Nov 23 22:36:17 UTC 2020 - Andreas Stieger + +- GnuPG 2.2.25: + * scd: Fix regression in 2.2.24 requiring gpg --card-status + before signing or decrypting + * gpgsm: Using Libksba 1.5.0 signatures with a rarely used + combination of attributes can now be verified + +------------------------------------------------------------------- +Tue Nov 17 21:52:38 UTC 2020 - Andreas Stieger + +- GnuPG 2.2.24: + * gpg: New command --quick-revoke-sig + * gpg: Do not use weak digest algos if selected by recipient + preference during sign+encrypt + * gpg: Switch to AES256 for symmetric encryption in de-vs mode + * gpg: Silence weak digest warnings with --quiet + * gpg: Print new status line CANCELED_BY_USER for a cancel during + symmetric encryption + * gpg: Fix the encrypt+sign hash algo preference selection for + ECDSA. This is in particular needed for keys created from + existing smartcard based keys + * agent: Fix secret key import of GnuPG 2.3 generated Ed25519 + keys + * agent: Keep some permissions of private-keys-v1.d + * dirmngr: Align sks-keyservers.netCA.pem use between ntbtls and + gnutls builds + * dirmngr: Fix the pool keyserver case for a single host in the + pool + * scd: Fix the use case of verify_chv2 by CHECKPIN + * scd: Various improvements to the ccid-driver + * scd: Minor fixes for Yubikey + * gpgconf: New option --show-versions + * i18n: Complete overhaul and completion of the Italian + translation + +------------------------------------------------------------------- +Thu Sep 3 17:16:41 UTC 2020 - Andreas Stieger + +- GnuPG 2.2.23: + * gpg: fix AHEAD preference list overflow boo#1176034 / CVE-2020-25125 + * gpg: fix possible segv in the key cleaning code + * gpgsm: fix a minor RFC2253 parser gub + * scdaemon: Fix a PIN verify failure on certain OpenPGP card + implementations + +------------------------------------------------------------------- +Tue Sep 1 21:09:57 UTC 2020 - Andreas Stieger + +- GnuPG 2.2.22: + * gpg: Change the default key algorithm to rsa3072 + * gpg: Add regular expression support for Trust Signatures on + all platforms + * gpg: Ignore --personal-digest-prefs for ECDSA keys + * gpgsm: Make rsaPSS a de-vs compliant scheme + * gpgsm: Show also the SHA256 fingerprint in key listings + * gpgsm: Do not require a default keyring for --gpgconf-list + * gpg-agent: Default to extended key format and record the + creation time of keys + Add new option --disable-extended-key-format + * gpg-agent: Support the WAYLAND_DISPLAY envvar + * gpg-agent: Allow using --gpgconf-list even if HOME does not + exist + * gpg-agent: Make the Pinentry work even if the envvar TERM is + set to the empty string + * scdaemon: Add a workaround for Gnuk tokens <= 2.15 which + wrongly incremented the error counter when using the + "verify" command of "gpg --edit-key" with only the signature + key being present + * dirmngr: Better handle systems with disabled IPv6 + * gpgpslit: Install tool. It was not installed in the past to + avoid conflicts with the version installed by GnuPG 1.4 + * gpgtar: Make --files-from and --null work as documented +- drop gnupg-gpgme-t-encrypt-sym.patch, upstream + +------------------------------------------------------------------- +Tue Jul 14 10:22:22 UTC 2020 - Pedro Monreal Gonzalez + +- Fix regression in latest gpg2 that makes gpgme fail to build [bsc#1174007] +- Add gnupg-gpgme-t-encrypt-sym.patch + +------------------------------------------------------------------- +Thu Jul 9 11:36:57 UTC 2020 - Andreas Stieger + +- GnuPG 2.2.21: + * gpg: Improve symmetric decryption speed by about 25% + * gpg: Support decryption of AEAD encrypted data packets + * gpg: Add option --no-include-key-block + * gpg: Allow for extra padding in ECDH + * gpg: Only a single pinentry is shown for symmetric encryption if + the pinentry supports this + * gpg: Print a note if no keys are given to --delete-key + * gpg,gpgsm: The ridiculous passphrase quality bar is not anymore + shown + * gpgsm: Certificates without a CRL distribution point are now + considered valid without looking up a CRL. The new option + --enable-issuer-based-crl-check can be used to revert to the + former behaviour + * gpgsm: Support rsaPSS signature verification + * gpgsm: Unless CRL checking is disabled lookup a missing issuer + certificate using the certificate's authorityInfoAccess + * gpgsm: Print the certificate's serial number also in decimal + notation + * gpgsm: Fix possible NULL-deref in messages of --gen-key + * scd: Support the CardOS 5 based D-Trust Card 3.1 + * dirmngr: Allow http URLs with "LOOKUP --url" + * wkd: Take name of sendmail from configure. Fixes an OpenBSD + specific bug + +------------------------------------------------------------------- +Thu Apr 30 13:59:33 UTC 2020 - Pedro Monreal Gonzalez + +- Fix gpgme and gpgme-qt builds on gpg2 2.2.20 update [bsc#1170811] +- Refresh patches: + * gnupg-2.2.8-files-are-digests.patch + * gnupg-add_legacy_FIPS_mode_option.patch + +------------------------------------------------------------------- +Fri Mar 20 20:17:44 UTC 2020 - Andreas Stieger + +- GnuPG 2.2.20: + * Protect the error counter against overflow to guarantee that the + tools can't be tricked into returning success after an error + * gpg: Make really sure that --verify-files always returns an error + * gpg: Fix key listing --with-secret if a pattern is given + * gpg: Fix detection of certain keys used as default-key + * gpg: Fix default-key selection when a card is available + * gpg: Fix key expiration and key usage for keys created with a + creation date of zero + * gpgsm: Fix import of some CR,LF terminated certificates + * gpg: New options --include-key-block and --auto-key-import to + allow encrypted replies after an initial signed message + * gpg: Allow the use of a fingerprint with --trusted-key + * gpg: New property "fpr" for use by --export-filter + * scdaemon: Disable the pinpad if a KDF DO is used + * dirmngr: Improve finding OCSP certificates +- drop gpg2-gcc10-build-fno-common.patch, upstream + +------------------------------------------------------------------- +Fri Mar 13 10:39:09 UTC 2020 - Fabian Vogt + +- Split dirmngr into a subpackage to avoid a hard dependency of + gpg2 on libgnutls + +------------------------------------------------------------------- +Wed Feb 19 08:48:34 UTC 2020 - Pedro Monreal Gonzalez + +- Fix build with GCC-10: [bsc#1160394] + * Always use EXTERN_UNLESS_MAIN_MODULE pattern + * In GCC-10, the default option -fcommon will change to -fno-common +- Add gpg2-gcc10-build-fno-common.patch + +------------------------------------------------------------------- +Fri Jan 10 17:47:24 UTC 2020 - Pedro Monreal Gonzalez + +- Accept key updates even without UIDs [bsc#1143158] +- Add patches: + * gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch + * gnupg-accept_subkeys_with_a_good_revocation_but_no_self-sig_during_import.patch + * gnupg-add-test-cases-for-import-without-uid.patch + +------------------------------------------------------------------- +Sat Dec 7 15:20:41 UTC 2019 - Andreas Stieger + +- update to 2.2.19: + * gpg: Fix double free when decrypting for hidden recipients + * gpg: Use auto-key-locate for encryption even for mail addressed + given with angle brackets + * gpgsm: Add special case for certain expired intermediate + certificates + +------------------------------------------------------------------- +Wed Nov 27 15:42:22 UTC 2019 - Pedro Monreal Gonzalez + +- Update to 2.2.18 [bsc#1157900, CVE-2019-14855] + * gpg: Changed the way keys are detected on a smartcards; this + allows the use of non-OpenPGP cards. In the case of a not very + likely regression the new option --use-only-openpgp-card is + available. [#4681] + * gpg: The commands --full-gen-key and --quick-gen-key now allow + direct key generation from supported cards. [#4681] + * gpg: Prepare against chosen-prefix SHA-1 collisions in key + signatures. This change removes all SHA-1 based key signature + newer than 2019-01-19 from the web-of-trust. Note that this + includes all key signature created with dsa1024 keys. The new + option --allow-weak-key-signatues can be used to override the new + and safer behaviour. [#4755,CVE-2019-14855] + * gpg: Improve performance for import of large keyblocks. [#4592] + * gpg: Implement a keybox compression run. [#4644] + * gpg: Show warnings from dirmngr about redirect and certificate + problems (details require --verbose as usual). + * gpg: Allow to pass the empty string for the passphrase if the + '--passphase=' syntax is used. [#4633] + * gpg: Fix printing of the KDF object attributes. + * gpg: Avoid surprises with --locate-external-key and certain + --auto-key-locate settings. [#4662] + * gpg: Improve selection of best matching key. [#4713] + * gpg: Delete key binding signature when deletring a subkey. + [#4665,#4457] + * gpg: Fix a potential loss of key sigantures during import with + self-sigs-only active. [#4628] + * gpg: Silence "marked as ultimately trusted" diagnostics if + option --quiet is used. [#4634] + * gpg: Silence some diagnostics during in key listsing even with + option --verbose. [#4627] + * gpg, gpgsm: Change parsing of agent's pkdecrypt results. [#4652] + * gpgsm: Support AES-256 keys. + * gpgsm: Fix a bug in triggering a keybox compression run if + --faked-system-time is used. + * dirmngr: System CA certificates are no longer used for the SKS + pool if GNUTLS instead of NTBTLS is used as TLS library. [#4594] + * dirmngr: On Windows detect usability of IPv4 and IPv6 interfaces + to avoid long timeouts. [#4165] + * scd: Fix BWI value for APDU level transfers to make Gemalto Ezio + Shield and Trustica Cryptoucan work. [#4654,#4566] + * wkd: gpg-wks-client --install-key now installs the required policy + file. +- Rebase patches: + * gnupg-2.2.8-files-are-digests.patch + * gnupg-add_legacy_FIPS_mode_option.patch + +------------------------------------------------------------------- +Thu Sep 19 12:05:13 UTC 2019 - Ludwig Nussel + +- Do not recommend lang package. The lang package already has a + supplements. + +------------------------------------------------------------------- +Thu Jul 11 09:51:49 UTC 2019 - Pedro Monreal Gonzalez + +- Update to 2.2.17 [bsc#1141093] + * gpg: Do not try the import fallback if the options are already used. + * gpg: Fix regression in option "self-sigs-only". + * gpg: With --auto-key-retrieve prefer WKD over keyservers. + * gpg: Add "self-sigs-only" and "import-clean" to the keyserver options. + * gpg: Avoid printing false AKL error message. + * gpg: New command --locate-external-key. + * gpg: Make the get_pubkey_byname interface easier to understand. + * gpg: Fallback to import with self-sigs-only on too large keyblocks. + * gpg: New import and keyserver option "self-sigs-only" + * gpg: Make read_block in import.c more flexible. + * dirmngr: fix handling of HTTPS redirections during HKP. + * dirmngr: Avoid endless loop in case of HTTP error 503. + * dirmngr: Do not rewrite the redirection for the "openpgpkey" subdomain. + * dirmngr: Support the new WKD draft with the openpgpkey subdomain. + * wkd: Change client/server limit back to 64 KiB. + * tools: gpgconf: Killing order is children-first. + * Return better error code for some getinfo IPC commands. + * po: Update Russian translation. + +------------------------------------------------------------------- +Wed Jun 19 21:02:05 UTC 2019 - Jason Sikes + +- Fix secure memory being disabled before fips checks in libgcrypt [boo#1137307] + * Added gnupg-2.2.16-secmem.patch + +------------------------------------------------------------------- +Thu May 30 08:00:37 UTC 2019 - Pedro Monreal Gonzalez + +- Update to 2.2.16 + * gpg: Fixed i18n markup of some strings. + * gpg: Allow deletion of subkeys with --delete-[secret-]key. + * gpg: Do not bail on an invalid packet in the local keyring. + * gpg: Do not allow creation of user ids larger than our parser allows. + * gpg: Do not delete any keys if --dry-run is passed. + * gpg: Fix using --decrypt along with --use-embedded-filename. + * gpg: Improve the photo image viewer selection. + * gpg: enable OpenPGP export of cleartext keys with comments. + * gpg: Do not print a hint to use the deprecated --keyserver option. + * gpg: Change update_keysig_packet to replace SHA-1 by SHA-256. + * gpg: Use just the addrspec from the Signer's UID. + * gpg: Accept also armored data from the WKD. + * gpg: Set a limit of 5 to the number of keys imported from the WKD. + * gpg: Don't use EdDSA algo ID for ECDSA curves. + * agent: Stop scdaemon after reload when disable_scdaemon. + * agent: For SSH key, don't put NUL-byte at the end. + * agent: correct length for uri and comment on 64-bit big-endian platforms + * dirmngr: Allow for other hash algorithms than SHA-1 in OCSP. + * dirmngr: Improve domaininfo cache update algorithm. + * dirmngr: Better error code for http status 413. + * g10: Fix possible null dereference. + * g10: Fix double free when locating by mbox. + * g10: Fix symmetric cipher algo constant for ECDH. + * sm: Avoid confusing diagnostic for the default key. + * sm: Fix a warning in an es_fopencooie function. + * gpgconf: Before --launch check that the config file is fine. + * gpgconf: Support --homedir for --launch. + * build: Update m4/iconv.m4. + * doc: correct documentation for gpgconf --kill. + * scd: Add dummy option --application-priority. + * common: Fix AWK portability. + +------------------------------------------------------------------- +Thu Mar 28 08:48:36 UTC 2019 - Karol Babioch + +- Update to 2.2.15 + * sm: Allow decryption even if expired keys are configured. + * agent: Change command KEYINFO to print ssh fingerprints with other + hash algos. + * dirmngr: Fix build problems on Solaris due to the use of reserved + symbol names. + * wkd: New commands --print-wkd-hash and --print-wkd-url for + gpg-wks-client. + +------------------------------------------------------------------- +Tue Mar 19 12:11:23 UTC 2019 - Karol Babioch + +- Update to 2.2.14: + * gpg: Allow import of PGP desktop exported secret keys. Also avoid + importing secret keys if the secret keyblock is not valid. + * gpg: Do not error out on version 5 keys in the local keyring. + * gpg: Make invalid primary key algo obvious in key listings. + * sm: Do not mark a certificate in a key listing as de-vs compliant + if its use for a signature will not be possible. + * sm: Fix certificate creation with key on card. + * sm: Create rsa3072 bit certificates by default. + * sm: Print Yubikey attestation extensions with --dump-cert. + * agent: Fix cancellation handling for scdaemon. + * agent: Support --mode=ssh option for CLEAR_PASSPHRASE. + * scd: Fix flushing of the CA-FPR DOs in app-openpgp. + * scd: Avoid a conflict error with the "undefined" app. + * dirmngr: Add CSRF protection exception for protonmail. + * dirmngr: Fix build problems with gcc 9 in libdns. + * gpgconf: New option --show-socket for use wity --launch. + * gpgtar: Make option -C work for archive creation. +- Removed patches that are included upstream by now: + - 0001-libdns-Avoid-using-compound-literals.patch + - 0002-libdns-Avoid-using-compound-literals-2.patch + - 0003-libdns-Avoid-using-compound-literals-3.patch + - 0004-libdns-Avoid-using-compound-literals-4.patch + - 0005-libdns-Avoid-using-compound-literals-5.patch + - 0006-libdns-Avoid-using-compound-literals-6.patch + - 0007-libdns-Avoid-using-compound-literals-7.patch + - 0008-libdns-Avoid-using-compound-literals-8.patch + +------------------------------------------------------------------- +Tue Feb 26 11:35:29 UTC 2019 - Pedro Monreal Gonzalez + +- Fix build with gcc9 [bsc#1121223] + * Avoid using compound literals + - Upstream bug: https://dev.gnupg.org/T4367 + * Added upstream patches: + - 0001-libdns-Avoid-using-compound-literals.patch + - 0002-libdns-Avoid-using-compound-literals-2.patch + - 0003-libdns-Avoid-using-compound-literals-3.patch + - 0004-libdns-Avoid-using-compound-literals-4.patch + - 0005-libdns-Avoid-using-compound-literals-5.patch + - 0006-libdns-Avoid-using-compound-literals-6.patch + - 0007-libdns-Avoid-using-compound-literals-7.patch + - 0008-libdns-Avoid-using-compound-literals-8.patch + +------------------------------------------------------------------- +Fri Feb 22 19:30:29 UTC 2019 - olaf@aepfle.de + +- Allow coredumps in X11 desktop sessions (bsc#1124847) + gpg-agent unconditionally disables coredumps, which is not + supposed to happen in the code path that does just exec(argv[]) + gnupg-gpg-agent-ulimit.patch + +------------------------------------------------------------------- +Wed Feb 13 06:12:32 UTC 2019 - Karol Babioch + +- Update to 2.2.13: + * gpg: Implement key lookup via keygrip (using the & prefix). + * gpg: Allow generating Ed25519 key from existing key. + * gpg: Emit an ERROR status line if no key was found with -k. + * gpg: Stop early when trying to create a primary Elgamal key. + * gpgsm: Print the card's key algorithms along with their keygrips + in interactive key generation. + * agent: Clear bogus pinentry cache in the error case. + * scd: Support "acknowledge button" feature. + * scd: Fix for USB INTERRUPT transfer. + * wks: Do no use compression for the the encrypted challenge and response. + +Release-info: https://dev.gnupg.org/T4290 +See-also: gnupg-announce/2019q1/000434.html + +------------------------------------------------------------------- +Fri Dec 14 16:11:56 UTC 2018 - atoptsoglou@suse.com + +- Update to 2.2.12: + * tools: New commands --install-key and --remove-key for + gpg-wks-client. This allows to prepare a Web Key Directory on a + local file system for later upload to a web server. + * gpg: New --list-option "show-only-fpr-mbox". This makes the use + of the new gpg-wks-client --install-key command easier on Windows. + * gpg: Improve processing speed when --skip-verify is used. + * gpg: Fix a bug where a LF was accidentally written to the console. + * gpg: --card-status now shwos whether a card has the new KDF + feature enabled. + * agent: New runtime option --s2k-calibration=MSEC. New configure + option --with-agent-s2k-calibration=MSEC. [#3399] + * dirmngr: Try another keyserver from the pool on receiving a 502, + 503, or 504 error. [#4175] + * dirmngr: Avoid possible CSRF attacks via http redirects. A HTTP + query will not anymore follow a 3xx redirect unless the Location + header gives the same host. If the host is different only the + host and port is taken from the Location header and the original + path and query parts are kept. + * dirmngr: New command FLUSHCRL to flush all CRLS from disk and + memory. [#3967] + +------------------------------------------------------------------- +Thu Nov 8 15:35:27 UTC 2018 - Cristian Rodríguez + +- Code no longer uses libcurl, remove from buildrequires. + +------------------------------------------------------------------- +Tue Nov 6 12:05:35 UTC 2018 - Karol Babioch + +- Update to 2.2.11: + * gpgsm: Fix CRL loading when intermediate certicates are not yet trusted. + * gpgsm: Fix an error message about the digest algo. + * gpg: Fix a wrong warning due to new sign usage check introduced with 2.2.9. + * gpg: Print the "data source" even for an unsuccessful keyserver query. + * gpg: Do not store the TOFU trust model in the trustdb. + * scd: Fix cases of "Bad PIN" after using "forcesig". + * agent: Fix possible hang in the ssh handler. + * dirmngr: Tack the unmodified mail address to a WKD request. + * dirmngr: Tweak diagnostic about missing LDAP server file. + * dirmngr: In verbose mode print the OCSP responder id. + * dirmngr: Fix parsing of the LDAP port. + * wks: Add option --directory/-C to the server. + * wks: Add option --with-colons to the client. + * Fix EBADF when gpg et al. are called by broken CGI scripts. + * Fix some minor memory leaks and bugs. + +------------------------------------------------------------------- +Thu Oct 4 04:09:12 UTC 2018 - Bernhard Wiedemann + +- Make package build reproducible (boo#1047218) + +------------------------------------------------------------------- +Thu Aug 30 14:14:08 UTC 2018 - kbabioch@suse.com + +- Update to 2.2.10: + * Refresh expired keys originating from the WKD + * Use a 256 KiB limit for a WKD imported key + * New option --known-notation + * dirmngr: Validate SRV records in WKD queries + +------------------------------------------------------------------- +Wed Jul 25 05:50:42 UTC 2018 - tchvatal@suse.com + +- Add basic udev rules for smartcards to be used with + scdaemon, taken from debian: + * scdaemon.udev + +------------------------------------------------------------------- +Fri Jul 13 07:13:12 UTC 2018 - astieger@suse.com + +- GnuPG 2.2.9: + * dirmngr: Fix recursive resolver mode and other bugs in the + libdns code + * dirmngr: When using libgpg-error 1.32 or later a GnuPG build + with NTBTLS support does not anymore block for dozens of + seconds before returning data. + * gpg: Fix bug in --show-keys which actually imported revocation + certificates + * gpg: Ignore too long user-ID and comment packets + * gpg: Fix crash due to bad German translation. Improved printf + format compile time check. + * gpg: Handle missing ISSUER sub packet gracefully in the presence of + the new ISSUER_FPR + * gpg: Allow decryption using several passphrases in most cases. + * gpg: Command --show-keys now enables the list options + show-unusable-uids, show-unusable-subkeys, show-notations and + show-policy-urls by default. + * gpg: Command --show-keys now prints revocation certificates. + * gpg: Add revocation reason to the "rev" and "rvs" records of the + option --with-colons. [#1173] + * gpg: Export option export-clean does now remove certain expired + subkeys; export-minimal removes all expired subkeys. + * gpg: New "usage" property for the drop-subkey filters. + +------------------------------------------------------------------- +Fri Jun 8 14:37:06 UTC 2018 - kbabioch@suse.com + +- Update to version 2.2.8: + * gpg: Decryption of messages not using the MDC mode will now lead to a + hard failure even if a legacy cipher algorithm was used. The option + --ignore-mdc-error can be used to turn this failure into a warning. Take + care: Never use that option unconditionally or without a prior warning. + * gpg: The MDC encryption mode is now always used regardless of the + cipher algorithm or any preferences. For testing --rfc2440 can be + used to create a message without an MDC. + * gpg: Sanitize the diagnostic output of the original file name in + verbose mode (bsc#1096745, CVE-2018-12020) + * gpg: Detect suspicious multiple plaintext packets in a more reliable way. + * gpg: Fix the duplicate key signature detection code. + * gpg: The options --no-mdc-warn, --force-mdc, --no-force-mdc, + --disable-mdc and --no-disable-mdc have no more effect. + * agent: Add DBUS_SESSION_BUS_ADDRESS and a few other envvars to the + list of startup environment variables. +- Refresh gnupg-2.0.18-files-are-digests.patch + to gnupg-2.2.8-files-are-digests.patch + +------------------------------------------------------------------- +Fri May 4 14:15:27 UTC 2018 - astieger@suse.com + +- GnuPG 2.2.7: + * gpg: New option --no-symkey-cache to disable the passphrase + cache for symmetrical en- and decryption. + * gpg: The ERRSIG status now prints the fingerprint if that is + part of the signature + * gpg: Relax emitting of FAILURE status lines + * gpg: Add a status flag to "sig" lines printed with --list-sigs + * gpg: Fix "Too many open files" when using --multifile + * ssh: Return an error for unknown ssh-agent flags + * dirmngr: Fix a CNAME problem with pools and TLS. Also use a + fixed mapping of keys.gnupg.net to sks-keyservers.net + * dirmngr: Try resurrecting dead hosts earlier (from 3h to 1.5h) + * dirmngr: Fallback to CRL if no default OCSP responder is + configured + * dirmngr: Implement CRL fetching via https. Here a redirection + to http is explictly allowed + * agent,dirmngr: New sub-command "getenv" for "getinfo" to ease + debugging + +------------------------------------------------------------------- +Tue Apr 10 06:32:22 UTC 2018 - kbabioch@suse.com + +- GnuPG 2.2.6: + * gpg,gpgsm: New option --request-origin to pretend requests coming + from a browser or a remote site. + * gpg: Fix race condition on trustdb.gpg updates due to too early + released lock. + * gpg: Emit FAILURE status lines in almost all cases. + * gpg: Implement --dry-run for --passwd to make checking a key's + passphrase straightforward. + * gpg: Make sure to only accept a certification capable key for key + signatures. + * gpg: Better user interaction in --card-edit for the factory-reset + sub-command. + * gpg: Improve changing key attributes in --card-edit by adding an + explicit "key-attr" sub-command. + * gpg: Print the keygrips in the --card-status. + * scd: Support KDF DO setup. + * scd: Fix suspend/resume handling in the CCID driver. + * agent: Evict cached passphrases also via a timer. + * agent: Use separate passphrase caches depending on the request + origin. + * ssh: Support signature flags. + * dirmngr: Handle failures related to missing IPv6 support + gracefully. + * Allow the use of UNC directory names as homedir. [#3818] +- Dropped gnupg-CVE-2018-9234.patch since it is included upstream + +------------------------------------------------------------------- +Thu Apr 5 08:38:58 UTC 2018 - kbabioch@suse.com + +- Added gnupg-CVE-2018-9234.patch: Enforce that key certification + can only be done with the master key, and not a signing subkey. + (bnc#1088255 CVE-2018-9234) + +------------------------------------------------------------------- +Sun Feb 25 12:14:54 UTC 2018 - astieger@suse.com + +- GnuPG 2.2.5: + * gpg: Allow the use of the "cv25519" and "ed25519" short names + in addition to the canonical curve names in --batch --gen-key + * gpg: Make sure to print all secret keys with option --list-only + and --decrypt + * gpg: Fix the use of future-default with --quick-add-key for + signing keys + * gpg: Select a secret key by checking availability under + gpg-agent + * gpg: Fix reversed prompt texts for --only-sign-text-ids + * gpg,gpgsm: Fix detection of bogus keybox blobs on 32 bit + systems + * gpgsm: Fix regression since 2.1 in --export-secret-key-raw + which got $d mod (q-1)$ wrong + * scd: Support the KDF Data Object of the OpenPGP card 3.3 + * scd: Fix a regression in the internal CCID driver for certain + card readers + * dirmngr: Improve returned error description on failure of DNS + resolving + * wks: Implement command --install-key for gpg-wks-server. + +------------------------------------------------------------------- +Thu Feb 22 15:10:33 UTC 2018 - fvogt@suse.com + +- Use %license (boo#1082318) + +------------------------------------------------------------------- +Thu Dec 21 09:44:03 UTC 2017 - astieger@suse.com + +- GnuPG 2.2.4: + * gpg: Change default preferences to prefer SHA512. + * gpg: Print a warning when more than 150 MiB are encrypted using + a cipher with 64 bit block size. + * gpg: Print a warning if the MDC feature has not been used for a + message. + * gpg: Fix regular expression of domain addresses in trust + signatures + * agent: New option --auto-expand-secmem to help with high + numbers of concurrent connections. Requires libgcrypt 1.8.2 + for having an effect. + * dirmngr: Cache responses of WKD queries. + * gpgconf: Add option --status-fd. + * wks: Add commands --check and --remove-key to gpg-wks-server + * Increase the backlog parameter of the daemons to 64 and add + option --listen-backlog. +- Not enabled features: + * New configure option --enable-run-gnupg-user-socket to first + try a socket directory which is not removed by systemd at + session end. + +------------------------------------------------------------------- +Tue Nov 21 08:25:48 UTC 2017 - astieger@suse.com + +- GnuPG 2.2.3: + * dirmngr: Fix crash in case of a CRL loading error + * gpgtar: Fix wrong behaviour of --set-filename + * gpg: Silence AKL retrieval messages + * agent: Use clock or clock_gettime for calibration + * agent: Improve robustness of the shutdown pending state + +------------------------------------------------------------------- +Tue Nov 7 20:08:04 UTC 2017 - astieger@suse.com + +- GnuPG 2.2.2: + * gpg: Avoid duplicate key imports by concurrently running gpg + processes + * gpg: Fix creating on-disk subkey with on-card primary key + * gpg: Fix validity retrieval for multiple keyrings + * gpg: Fix --dry-run and import option show-only for secret keys + * gpg: Print "sec" or "sbb" for secret keys with import option + import-show + * gpg: Make import less verbose + * gpg: Add alias "Key-Grip" for parameter "Keygrip" and new + parameter "Subkey-Grip" to unattended key generation + * gpg: Improve "factory-reset" command for OpenPGP cards + * gpg: Ease switching Gnuk tokens into ECC mode by using the magic + keysize value 25519 + * gpgsm: Fix --with-colon listing in crt records for fields > 12. + * gpgsm: Do not expect X.509 keyids to be unique + * agent: Fix stucked Pinentry when using --max-passphrase-days + * agent: New option --s2k-count + * dirmngr: Do not follow https-to-http redirects + * dirmngr: Reduce default LDAP timeout from 100 to 15 seconds + * gpgconf: Ignore non-installed components for commands + --apply-profile and --apply-defaults + * Add configure option --enable-werror + +------------------------------------------------------------------- +Tue Sep 19 19:12:53 UTC 2017 - astieger@suse.com + +- GnuPG 2.2.1: + * gpg: Fix formatting of the user id in batch mode key generation + if only "name-email" is given. + * gpgv: Fix annoying "not suitable for" warnings. + * wks: Convey only the newest user id to the provider. This is + the case if different names are used with the same addr-spec. + * wks: Create a complying user id for provider policy mailbox-only. + * wks: Add workaround for posteo.de. + * scd: Fix the use of large ECC keys with an OpenPGP card. + * dirmngr: Use system provided root certificates if no specific + HKP certificates are configured. If bu + +------------------------------------------------------------------- +Mon Aug 28 17:21:30 UTC 2017 - astieger@suse.com + +- GnuPG 2.2.0: + * New long term stable branch, replacing the 2.0.x series + * gpg: Reverted change in 2.1.23 so that --no-auto-key-retrieve + is again the default boo#1054088 + * Fixed a few minor bugs + +------------------------------------------------------------------- +Sat Aug 12 16:56:26 UTC 2017 - astieger@suse.com + +- GnuPG 2.1.23: + * gpg: Options --auto-key-retrieve and --auto-key-locate "local,wkd" + are now used by default. Note: this enables keyserver and Web Key + Directory operators to notice when a signature from a locally + non-available key is being verified for the first time or when + you intend to encrypt to a mail address without having the key + locally. This new behaviour will eventually make key discovery + much easier and mostly automatic. Disable this by adding + no-auto-key-retrieve + auto-key-locate local + to your gpg.conf. + * agent: Option --no-grab is now the default. The new option --grab + allows to revert this. + * gpg: New import option "show-only". + * gpg: New option --disable-dirmngr to entirely disable network + access for gpg. + * gpg,gpgsm: Tweaked DE-VS compliance behaviour. + * New configure flag --enable-all-tests to run more extensive tests + during "make check". + * gpgsm: The keygrip is now always printed in colon mode as + documented in the man page. + +------------------------------------------------------------------- +Fri Jul 28 19:29:52 UTC 2017 - astieger@suse.com + +- GnuPG 2.1.22: + * gpg: Extend command --quick-set-expire to allow for setting the + expiration time of subkeys. + * gpg: By default try to repair keys during import. New sub-option + no-repair-keys for --import-options. + * gpg,gpgsm: Improved checking and reporting of DE-VS compliance. + * gpg: New options --key-origin and --with-key-origin. Store the + time of the last key update from keyservers, WKD, or DANE. + * agent: New option --ssh-fingerprint-digest. + * dimngr: Lower timeouts on keyserver connection attempts and made + it configurable. + * dirmngr: Tor will now automatically be detected and used. The + option --no-use-tor disables Tor detection. + * dirmngr: Now detects a changed /etc/resolv.conf. + * agent,dirmngr: Initiate shutdown on removal of the GnuPG home + directory. + * gpg: Avoid caching passphrase for failed symmetric encryption. + * agent: Support for unprotected ssh keys. + * dirmngr: Fixed name resolving on systems using only v6 + nameservers. + * dirmngr: Allow the use of TLS over http proxies. + * wks: New man pages for client and server. + +------------------------------------------------------------------- +Fri May 19 11:59:24 UTC 2017 - marco.strigl@suse.com + +- GnuPG 2.1.21: + * modified gnupg-2.0.18-files-are-digests.patch to work with + obs-sign again bsc#1039899 + +------------------------------------------------------------------- +Mon May 15 20:49:25 UTC 2017 - astieger@suse.com + +- GnuPG 2.1.21: + * gpg,gpgsm: Fix corruption of old style keyring.gpg files, + regression in 2.1.20 + * gpg,dirmngr: Removed the skeleton config file support + New installations no longer generate a configuration file. + In the absence of a file, SHA-2 family hashes are used. + Existing configurations are not touched. + drop gnupg-2.1.19-stronger-defaults.patch FATE#323084 + * gpg: Fixed import filter property match bug. + * scd: Removed Linux support for Cardman 4040 PCMCIA reader. + * scd: Fixed some corner case bugs in resume/suspend handling. + * Many minor bug fixes and code cleanup. + +------------------------------------------------------------------- +Tue Apr 4 14:00:36 UTC 2017 - astieger@suse.com + +- GnuPG 2.1.20: + * gpg: New properties 'expired', 'revoked', and 'disabled' for the + import and export filters. + * gpg: New command --quick-set-primary-uid. + * gpg: New compliance field for the --with-colon key listing. + * gpg: Changed the key parser to generalize the processing of local + meta data packets. + * gpg: Fixed assertion failure in the TOFU trust model. + * gpg: Fixed exporting of zero length user ID packets. + * scd: Improved support for multiple readers. + * scd: Fixed timeout handling for key generation. + * agent: New option --enable-extended-key-format. + * dirmngr: Do not add a keyserver to a new dirmngr.conf. Dirmngr + uses a default keyserver. + * dimngr: Do not treat TLS warning alerts as severe error when + building with GNUTLS. + * dirmngr: Actually take /etc/hosts in account. + * wks: Fixed client problems on Windows. Published keys are now set + to world-readable. + * tests: Fixed creation of temporary directories. + * A socket directory for a non standard GNUGHOME is now created on + the fly under /run/user. Thus "gpgconf --create-socketdir" is now + optional. The use of "gpgconf --remove-socketdir" to clean up + obsolete socket directories is however recommended to avoid + cluttering /run/user with useless directories. + * Fixed build problems on some platforms. + +------------------------------------------------------------------- +Tue Mar 14 20:41:55 UTC 2017 - astieger@suse.com + +- Use stronger defaults for new users, using SHA-2 digest family + for certificates and message signatures - FATE#323084 + adding gnupg-2.1.19-stronger-defaults.patch + +------------------------------------------------------------------- +Tue Mar 7 12:55:14 UTC 2017 - astieger@suse.com + +- GnuPG 2.1.19: + * gpg: Print a warning if Tor mode is requested but the Tor + daemon is not running. + * gpg: New status code DECRYPTION_KEY to print the actual private + key used for decryption. + * gpgv: New options --log-file and --debug. + * gpg-agent: Revamp the prompts to ask for card PINs. + * scd: Support for multiple card readers. + * scd: Removed option --debug-disable-ticker. Ticker is used + only when it is required to watch removal of device/card. + * scd: Improved detection of card inserting and removal. + * dirmngr: New option --disable-ipv4. + * dirmngr: New option --no-use-tor to explicitly disable the use + of Tor. + * dirmngr: The option --allow-version-check is now required even + if the option --use-tor is also used. + * dirmngr: Handle a missing nsswitch.conf gracefully. + * dirmngr: Avoid PTR lookups for keyserver pools. The are only + done for the debug command "keyserver --hosttable". + * dirmngr: Rework the internal certificate cache to support + classes of certificates. Load system provided certificates on + startup. + * Add options --tls, --no-crl, and --systrust to the "VALIDATE" + command. + * dirmngr: Add support for the ntbtls library. + * wks: Create mails with a "WKS-Phase" header. Fix detection of + Draft-2 mode. + * Many other bug fixes and new regression tests. +- dirmngr: use system certificate store + +------------------------------------------------------------------- +Thu Mar 2 10:12:09 UTC 2017 - jengelh@inai.de + +- Rewrite descriptions + +------------------------------------------------------------------- +Tue Jan 24 16:32:04 UTC 2017 - astieger@suse.com + +- GnuPG 2.1.18: + * gpg: Remove bogus subkey signature while cleaning a key (with + export-clean, import-clean, or --edit-key's sub-command clean) + * gpg: Allow freezing the clock with --faked-system-time. + * gpg: New --export-option flag "backup", new --import-option flag + "restore". + * gpg-agent: Fixed long delay due to a regression in the progress + callback code. + * scd: Lots of code cleanup and internal changes. + * scd: Improved the internal CCID driver. + * dirmngr: Fixed problem with the DNS glue code (removal of the + trailing dot in domain names). + * dirmngr: Make sure that Tor is actually enabled after changing the + conf file and sending SIGHUP or "gpgconf --reload dirmngr". + * dirmngr: Fixed Tor access to IPv6 addresses. Note that current + versions of Tor may require that the flag "IPv6Traffic" is used + with the option "SocksPort" in torrc to actually allow IPv6 + traffic. + * dirmngr: Fixed HKP for literally given IPv6 addresses. + * dirmngr: Enabled reverse DNS lookups via Tor. + * dirmngr: Added experimental SRV record lookup for WKD. + See commit 88dc3af3d4ae1afe1d5e136bc4c38bc4e7d4cd10 for details. + * dirmngr: For HKP use "pgpkey-hkps" and "pgpkey-hkp" in SRV record + lookups. Avoid SRV record lookup when a port is explicitly + specified. This fixes a regression from the 1.4 and 2.0 behavior. + * dirmngr: Gracefully handle a missing /etc/nsswitch.conf. Ignore + negation terms (e.g. "[!UNAVAIL=return]" instead of bailing out. + * dirmngr: Better debug output for flags "dns" and "network". + * dirmngr: On reload mark all known HKP servers alive. + * gpgconf: Allow keyword "all" for --launch, --kill, and --reload. + * tools: gpg-wks-client now ignores a missing policy file on the + server. + * Avoid unnecessary ambiguity error message in the option parsing. + * Further improvements of the regression test suite. + * Fixed building with --disable-libdns configure option. + * Fixed a crash running the tests on 32 bit architectures. + * Fixed spurious failures on BSD system in the spawn functions. + This affected for example gpg-wks-client and gpgconf. + +------------------------------------------------------------------- +Mon Jan 9 09:18:48 UTC 2017 - tchvatal@suse.com + +- Remove the fixme, condition around fdupes + +------------------------------------------------------------------- +Sun Dec 25 15:12:44 UTC 2016 - astieger@suse.com + +- add runtime dependency to match runtime version check for libksba + +------------------------------------------------------------------- +Tue Dec 20 18:58:55 UTC 2016 - astieger@suse.com + +- GnuPG 2.1.17: + * gpg: By default new keys expire after 2 years. + * gpg: New command --quick-set-expire to conveniently change the + expiration date of keys. + * gpg: Option and command names have been changed for easier + comprehension. The old names are still available as aliases. + * gpg: Improved the TOFU trust model. + * gpg: New option --default-new-key-algo. + * scd: Support OpenPGP card V3 for RSA. + * dirmngr: Support for the ADNS library has been removed. Now using + bundled libdns, enabling Tor support on all platforms. + New option --standard-resolver can be used to disable this code + at runtime. + * dirmngr: Lazily launch ldap reaper thread. + * tools: New options --check and --status-fd for gpg-wks-client. + * The UTF-8 byte order mark is now skipped when reading conf files. + * Fixed many bugs and regressions. + * Major improvements to the test suite. For example it is possible + to run the external test suite of GPGME. + +------------------------------------------------------------------- +Sat Nov 19 22:07:13 UTC 2016 - astieger@suse.com + +- GnuPG 2.1.16: + * gpg: New algorithm for selecting the best ranked public key when + using a mail address with -r, -R, or --locate-key. + * gpg: New option --with-tofu-info to print a new "tfs" record in + colon formatted key listings. + * gpg: New option --compliance as an alternative way to specify + options like --rfc2440, --rfc4880, et al. + * gpg: Many changes to the TOFU implementation. + * gpg: Improve usability of --quick-gen-key. + * gpg: In --verbose mode print a diagnostic when a pinentry is + launched. + * gpg: Remove code which warns for old versions of gnome-keyring. + * gpg: New option --override-session-key-fd. + * gpg: Option --output does now work with --verify. + * gpgv: New option --output to allow saving the verified data. + * gpgv: New option --enable-special-filenames. + * agent, dirmngr: New --supervised mode for use by systemd and alike. + * agent: By default listen on all available sockets using standard + names. + * agent: Invoke scdaemon with --homedir. + * dirmngr: On Linux now detects the removal of its own socket and + terminates. + * scd: Support ECC key generation. + * scd: Support more card readers. + * dirmngr: New option --allow-version-check to download a software + version database in the background. + * dirmngr: Use system provided CAs if no --hkp-cacert is given. + * dirmngr: Use a default keyserver if none is explicitly set + * gpgconf: New command --query-swdb to check software versions + against an copy of an online database. + * gpgconf: Print the socket directory with --list-dirs. + * tools: The WKS tools now support draft version -02. + * tools: Always build gpg-wks-client and install under libexec. + * tools: New option --supported for gpg-wks-client. + * The log-file option now accepts a value "socket://" to log to the + socket named "S.log" in the standard socket directory. + * Provide fake pinentries for use by tests cases of downstream + developers. + * Fixed many bugs and regressions. + * Many changes and improvements for the test suite. +- drop upstreamed patches: + * 0001-common-Follow-up-to-14479e2-fix-void-return-in-non-v.patch + * gnupg-2.1.15-bsc993324-status-output.patch + +------------------------------------------------------------------- +Tue Sep 13 13:50:52 UTC 2016 - astieger@suse.com + +- avoid mixing up status and colon line output - bsc#993324 + add gnupg-2.1.15-bsc993324-status-output.patch + +------------------------------------------------------------------- +Thu Sep 1 08:23:28 UTC 2016 - astieger@suse.com + +- enable web key discovery tools + +------------------------------------------------------------------- +Wed Aug 31 13:06:28 UTC 2016 - astieger@suse.com + +- Add an explicit runtime dependency on libgcrypt >= 1.7.0 to + match runtime version check + +------------------------------------------------------------------- +Fri Aug 19 21:22:22 UTC 2016 - astieger@suse.com + +- GnuPG 2.1.15: + * gpg: Remove the --tofu-db-format option and support for the + split TOFU database. + * gpg: Add option --sender to prepare for coming features. + * gpg: Add option --input-size-hint to help progress indicators. + * gpg: Extend the PROGRESS status line with the counted unit. + * gpg: Avoid publishing the GnuPG version by default with --armor. + * gpg: Properly ignore legacy keys in the keyring cache. + * gpg: Always print fingerprint records in --with-colons mode. + * gpg: Make sure that keygrips are printed for each subkey in + --with-colons mode. + * gpg: New import filter "drop-sig". + * gpgsm: Fix a bug in the machine-readable key listing. + * gpg,gpgsm: Block signals during keyring updates to limits the + effects of a Ctrl-C at the wrong time. + * g13: Add command --umount and other fixes for dm-crypt. + * agent: Fix regression in SIGTERM handling. + * agent: Cleanup of the ssh-agent code. + * agent: Allow import of overly long keys. + * scd: Fix problems with card removal. + * dirmngr: Remove all code for running as a system service. + * tools: Make gpg-wks-client conforming to the specs. + * tests: Improve the output of the new regression test tool. + * tests: Distribute the standalone test runner. + * tests: Run each test in a clean environment. + * Spelling and grammar fixes. +- fix build error, adding + 0001-common-Follow-up-to-14479e2-fix-void-return-in-non-v.patch + +------------------------------------------------------------------- +Sun Aug 14 14:12:40 UTC 2016 - astieger@suse.com + +- GnuPG 2.1.14: + * gpg: Removed options --print-dane-records and --print-pka-records. + The new export options "export-pka" and "export-dane" can instead + be used with the export command. + * gpg: New options --import-filter and --export-filter. + * gpg: New import options "import-show" and "import-export". + * gpg: New option --no-keyring. + * gpg: New command --quick-revuid. + * gpg: New options -f/--recipient-file and -F/--hidden-recipient-file + to directly specify encryption keys. + * gpg: New option --mimemode to indicate that the content is a MIME + part. Does only enable --textmode right now. + * gpg: New option --rfc4880bis to allow experiments with proposed + changes to the current OpenPGP specs. + * gpg: Fix regression in the "fetch" sub-command of --card-edit. + * gpg: Fix regression since 2.1 in option --try-all-secrets. + * gpgv: Change default options for extra security. + * gpgsm: No more root certificates are installed by default. + * agent: "updatestartuptty" does now affect more environment + variables. + * scd: The option --homedir does now work with scdaemon. + * scd: Support some more GEMPlus card readers. + * gpgtar: Fix handling of '-' as file name. + * gpgtar: New commands --create and --extract. + * gpgconf: Tweak for --list-dirs to better support shell scripts. + * tools: Add programs gpg-wks-client and gpg-wks-server to implement + a Web Key Service. The configure option --enable-wks-tools is + required to build them; they should be considered Beta software. + * tests: Complete rework of the openpgp part of the test suite. The + test scripts have been changed from Bourne shell scripts to Scheme + programs. A customized scheme interpreter (gpgscm) is included. + This change was triggered by the need to run the test suite on + non-Unix platforms. + * The rendering of the man pages has been improved. +- drop upstream gnupg-make_--try-all-secrets_work.patch + +------------------------------------------------------------------- +Thu Aug 4 12:17:14 UTC 2016 - tchvatal@suse.com + +- Fix date call as the curlified parameter for sure are not parsed + correctly by escaping it with % + +------------------------------------------------------------------- +Wed Aug 3 11:56:58 UTC 2016 - astieger@suse.com + +- Fix upstream bug 1985: --try-all-secrets doesn't work when + decrypting messages encrypted with --hidden-recipient, fixes unit + tests of the duplicity package. + Adding gnupg-make_--try-all-secrets_work.patch +- record the fact that gpg-error 1.21 is required + +------------------------------------------------------------------- +Thu Jun 16 20:21:39 UTC 2016 - astieger@suse.com + +- GnuPG 2.1.13: + * gpg: New command --quick-addkey. Extend the --quick-gen-key + command. + * gpg: New --keyid-format "none" which is now also the default. + * gpg: New option --with-subkey-fingerprint. + * gpg: Include Signer's UID subpacket in signatures if the secret key + has been specified using a mail address and the new option + --disable-signer-uid is not used. + * gpg: Allow unattended deletion of a secret key. + * gpg: Allow export of non-passphrase protected secret keys. + * gpg: New status lines KEY_CONSIDERED and NOTATION_FLAGS. + * gpg: Change status line TOFU_STATS_LONG to use '~' as + a non-breaking-space character. + * gpg: Speedup key listings in Tofu mode. + * gpg: Make sure that the current and total values of a PROGRESS + status line are small enough. + * gpgsm: Allow the use of AES192 and SERPENT ciphers. + * dirmngr: Adjust WKD lookup to current specs. + * dirmngr: Fallback to LDAP v3 if v2 is is not supported. + * gpgconf: New commands --create-socketdir and --remove-socketdir, + new option --homedir. + * If a /run/user/$UID directory exists, that directory is now used + for IPC sockets instead of the GNUPGHOME directory. This fixes + problems with NFS and too long socket names and thus avoids the + need for redirection files. + * Speedup fd closing after a fork. +- drop upstreamed gnupg-fix-signature-checking.patch + +------------------------------------------------------------------- +Thu Jun 2 16:01:40 UTC 2016 - pjanouch@suse.de + +- add gnupg-fix-signature-checking.patch (bsc#981020) + https://bugs.gnupg.org/gnupg/issue2351 + +------------------------------------------------------------------- +Wed May 4 15:37:12 UTC 2016 - astieger@suse.com + +- GnuPG 2.1.12: + * gpg: New --edit-key sub-command "change-usage" for testing + purposes. + * gpg: Out of order key-signatures are now systematically detected + and fixed by --edit-key. + * gpg: Improved detection of non-armored messages. + * gpg: Removed the extra prompt needed to create Curve25519 keys. + * gpg: Improved user ID selection for --quick-sign-key. + * gpg: Use the root CAs provided by the system with --fetch-key. + * gpg: Add support for the experimental Web Key Directory key + location service. + * gpg: Improve formatting of Tofu messages and emit new Tofu specific + status lines. + * gpgsm: Add option --pinentry-mode to support a loopback pinentry. + * gpgsm: A new pubring.kbx is now created with the header blob so + that gpg can detect that the keybox format needs to be used. + * agent: Add read support for the new private key protection format + openpgp-s2k-ocb-aes. + * agent: Add read support for the new extended private key format. + * agent: Default to --allow-loopback-pinentry and add option + --no-allow-loopback-pinentry. + * scd: Changed to use the new libusb 1.0 API for the internal CCID + driver. + * dirmngr: The dirmngr-client does now auto-detect the PEM format. + * g13: Add experimental support for dm-crypt. + * The man pages for gpg and gpgv are now installed under the correct + name (gpg2 or gpg - depending on a configure option). + +------------------------------------------------------------------- +Sun Mar 6 08:17:00 UTC 2016 - astieger@suse.com + +- GnuPG 2.1.11: + * gpg: New command --export-ssh-key to replace the gpgkey2ssh tool. + * gpg: Allow to generate mail address only keys with --gen-key. + * gpg: "--list-options show-usage" is now the default. + * gpg: Make lookup of DNS CERT records holding an URL work. + * gpg: Emit PROGRESS status lines during key generation. + * gpg: Don't check for ambigious or non-matching key specification in + the config file or given to --encrypt-to. This feature will return + in 2.3.x. + * gpg: Lock keybox files while updating them. + * gpg: Fix possible keyring corruption. (bug#2193) + * gpg: Fix regression of "bkuptocard" sub-command in --edit-key and + remove "checkbkupkey" sub-command introduced with 2.1. (bug#2169) + * gpg: Fix internal error in gpgv when using default keyid-format. + * gpg: Fix --auto-key-retrieve to work with dirmngr.conf configured + keyservers. (bug#2147). + * agent: New option --pinentry-timeout. + * scd: Fix regression for generating RSA keys on card. + * dirmmgr: All configured keyservers are now searched. + * dirmngr: Install CA certificate for hkps.pool.sks-keyservers.net. + Use this certiticate even if --hkp-cacert is not used. + * gpgtar: Add actual encryption code. gpgtar does now fully replace + gpg-zip. + * gpgtar: Fix filename encoding problem on Windows. + * Print a warning if a GnuPG component is using an older version of + gpg-agent, dirmngr, or scdaemon. +- disable running test which no longer work +- remove 0001-gpg-Improve-the-keyblock-cache-s-transparency.patch + is now upstream +- the PIE options are implemented in the upstream build, and spec + code broke the build. The only remaining broken executable was + gpgsplit, which was removed from the package + +------------------------------------------------------------------- +Tue Jan 26 20:23:18 UTC 2016 - astieger@suse.com + +- add g13, an experimental tool for accessing encrypted storage + with with GnuPG (cards) + +------------------------------------------------------------------- +Tue Jan 19 13:56:58 UTC 2016 - vcizek@suse.com + +- fix fingerprint ambiguity (bsc#958891) + * https://bugs.gnupg.org/gnupg/issue2198 + * add 0001-gpg-Improve-the-keyblock-cache-s-transparency.patch + +------------------------------------------------------------------- +Sun Dec 6 14:14:45 UTC 2015 - p.drouand@gmail.com + +- Move to pkgconfig() packaging style + +------------------------------------------------------------------- +Fri Dec 4 13:35:40 UTC 2015 - astieger@suse.com + +- GnuPG 2.1.10 adds TOFU (Trust-On-First-USe) and anonymous key + retrival via Tor. + * gpg: New trust models "tofu" and "tofu+pgp". + * gpg: New command --tofu-policy. New options --tofu-default-policy + and --tofu-db-format. + * gpg: New option --weak-digest to specify hash algorithms which + should be considered weak. + * gpg: Allow the use of multiple --default-key options; take the last + available key. + * gpg: New option --encrypt-to-default-key. + * gpg: New option --unwrap to only strip the encryption layer. + * gpg: New option --only-sign-text-ids to exclude photo IDs from key + signing. + * gpg: Check for ambigious or non-matching key specification in the + config file or given to --encrypt-to. + * gpg: Show the used card reader with --card-status. + * gpg: Print export statistics and an EXPORTED status line. + * gpg: Allow selecting subkeys by keyid in --edit-key. + * gpg: Allow updating the expiration time of multiple subkeys at + once. + * dirmngr: New option --use-tor. For full support this requires + libassuan version 2.4.2 and a patched version of libadns + (e.g. adns-1.4-g10-7 as used by the standard Windows installer). + * dirmngr: New option --nameserver to specify the nameserver used in + Tor mode. + * dirmngr: Keyservers may again be specified by IP address. + * dirmngr: Fixed problems in resolving keyserver pools. + * dirmngr: Fixed handling of premature termination of TLS streams so + that large numbers of keys can be refreshed via hkps. + * gpg: Fixed a regression in --locate-key [since 2.1.9]. + * gpg: Fixed another bug for keyrings with legacy keys. + * gpgsm: Allow combinations of usage flags in --gen-key. + * Make tilde expansion work with most options. + * Many other cleanups and bug fixes. + +------------------------------------------------------------------- +Tue Nov 24 10:27:58 UTC 2015 - vcizek@suse.com + +- enable tests for PPC64 again, + the problem from bsc#935887 went away + +------------------------------------------------------------------- +Fri Nov 20 16:03:03 UTC 2015 - astieger@suse.com + +- Improve upgrade to gpg2 from security:privacy w.r.t. libassuan + run-time dependencies (boo#955982) + +------------------------------------------------------------------- +Sat Oct 10 11:39:55 UTC 2015 - astieger@suse.com + +- GnuPG 2.1.9: + * gpg: Allow fetching keys via OpenPGP DANE (--auto-key-locate).\ + New option --print-dane-records. + * gpg: Fix for a problem with PGP-2 keys in a keyring. + * gpg: Fail with an error instead of a warning if a modern cipher + algorithm is used without a MDC. + * agent: New option --pinentry-invisible-char. + * agent: Always do a RSA signature verification after creation. + * agent: Fix a regression in ssh-add-ing Ed25519 keys. + * agent: Fix ssh fingerprint computation for nistp384 and EdDSA. + * agent: Fix crash during passprase entry on some platforms. + * scd: Change timeout to fix problems with some 2.1 cards. + * dirmngr: Displayed name is now Key Acquirer. + * dirmngr: Add option --keyserver. Deprecate that option for gpg. + Install a dirmngr.conf file from a skeleton for new installations. +- update gnupg-add_legacy_FIPS_mode_option.patch for context change + +------------------------------------------------------------------- +Fri Sep 11 06:02:23 UTC 2015 - astieger@suse.com + +- GnuPG 2.1.8: + * gpg: Sending very large keys to the keyservers works again. + * gpg: Validity strings in key listings are now again translatable. + * gpg: Emit FAILURE status lines to help GPGME. + * gpg: Does not anymore link to Libksba to reduce dependencies. + * gpgsm: Export of secret keys via Assuan is now possible. + * agent: Raise the maximum passphrase length from 100 to 255 bytes. + * agent: Fix regression using EdDSA keys with ssh. + * Does not anymore use a build timestamp by default. + * The fallback encoding for broken locale settings changed + from Latin-1 to UTF-8. + * Many code cleanups and improved internal documentation. + * Various minor bug fixes. + +------------------------------------------------------------------- +Wed Aug 12 10:58:48 UTC 2015 - astieger@suse.com + +- GnuPG 2.1.7: + * gpg: Support encryption with Curve25519 if Libgcrypt 1.7 is used. + * gpg: In the --edit-key menu: Removed the need for "toggle", changed + how secret keys are indicated, new commands "fpr *" and "grip". + * gpg: More fixes related to legacy keys in a keyring. + * gpgv: Does now also work with a "trustedkeys.kbx" file. + * scd: Support some feature from the OpenPGP card 3.0 specs. + * scd: Improved ECC support + * agent: New option --force for the DELETE_KEY command. + * Dropped deprecated gpgsm-gencert.sh + * Various other bug fixes. + +------------------------------------------------------------------- +Thu Jul 2 14:26:21 UTC 2015 - astieger@suse.com + +- do not run checks on ppc64 for now + +------------------------------------------------------------------- +Wed Jul 1 14:15:28 UTC 2015 - astieger@suse.com + +- GnuPG 2.1.6: + * agent: New option --verify for the PASSWD command. + * gpgsm: Add command option "offline" as an alternative to + --disable-dirmngr. + * gpg: Do not prompt multiple times for a password in pinentry + loopback mode. + * Allow the use of debug category names with --debug. + * Using gpg-agent and gpg/gpgsm with different locales will now show + the correct translations in Pinentry. + * gpg: Improve speed of --list-sigs and --check-sigs. + * gpg: Make --list-options show-sig-subpackets work again. + * gpg: Fix an export problem for old keyrings with PGP-2 keys. + * scd: Support PIN-pads on more readers. + * dirmngr: Properly cleanup zombie LDAP helper processes and avoid + hangs on dirmngr shutdown. + * Various other bug fixes. +- remove documentation make workaround, fixed upstream + +------------------------------------------------------------------- +Sun Jun 28 13:14:03 UTC 2015 - schwab@linux-m68k.org + +- Enable workaround for missing dependencies everywhere + +------------------------------------------------------------------- +Mon Jun 15 13:20:33 UTC 2015 - astieger@suse.com + +- fix build with openSUSE 13.2 and earlier, call make to + compensate for incorrect documentation dependencies. + +------------------------------------------------------------------- +Thu Jun 11 14:32:09 UTC 2015 - astieger@suse.com + +- GnuPG 2.1.5: + * Support for an external passphrase cache. + * Support for the forthcoming version 3 OpenPGP smartcard. + * Manuals now show the actual used file names. + * Prepared for improved integration with Emacs. + * Code cleanups and minor bug fixes. + +------------------------------------------------------------------- +Sun May 17 08:24:15 UTC 2015 - meissner@suse.com + +- info deinstall needs to be in %preun + +------------------------------------------------------------------- +Tue May 12 18:04:36 UTC 2015 - astieger@suse.com + +- update to 2.1.4: + * gpg: Add command --quick-adduid to non-interacitivly add a new + user id to an existing key. + * gpg: Do no enable honor-keyserver-url by default. Make it work + if enabled. + * gpg: Display the serial number in the --card-staus output again. + * agent: Support for external password managers. + Add option --no-allow-external-cache. + * scdaemon: Improved handling of extended APDUs. + * Make HTTP proxies work again. + * All network access including DNS as been moved to Dirmngr. + * Allow building without LDAP support. + * Fixed lots of smaller bugs. + +------------------------------------------------------------------- +Sat Apr 11 18:59:42 UTC 2015 - astieger@suse.com + +- update to 2.1.3: + * gpg: LDAP keyservers are now supported by 2.1. + * gpg: New option --with-icao-spelling. + * gpg: New option --print-pka-records. Changed the PKA method to + use CERT records and hashed names. + * gpg: New command --list-gcrypt-config. New parameter "curve" + for --list-config. + * gpg: Print a NEWSIG status line like gpgsm always did. + * gpg: Print MPI values with --list-packets and --verbose. + * gpg: Write correct MPI lengths with ECC keys. + * gpg: Skip legacy PGP-2 keys while searching. + (drop 0001-gpg-Skip-legacy-keys-while-searching-keyrings.patch + now upstream) + * gpg: Improved searching for mail addresses when using a keybox. + * gpgsm: Changed default algos to AES-128 and SHA-256. + * gpgtar: Fixed extracting files with sizes of a multiple of 512. + * dirmngr: Fixed SNI handling for hkps pools. + (drop hkps-fix-host-name-verification-when-using-pools.patch + now upstream) + * dirmngr: extra-certs and trusted-certs are now always loaded + from the sysconfig dir instead of the homedir. + * Fixed possible problems due to compiler optimization, two minor + regressions, and other bugs. +- refreshed for context changes: + * gnupg-2.0.18-files-are-digests.patch + * gnupg-add_legacy_FIPS_mode_option.patch + +------------------------------------------------------------------- +Mon Mar 23 11:48:24 UTC 2015 - idonmez@suse.com + +- Add hkps-fix-host-name-verification-when-using-pools.patch to + fix hkps support w/ pools. Upstream commit dc10d46. + +------------------------------------------------------------------- +Thu Mar 19 15:56:12 UTC 2015 - astieger@suse.com + +- Ensure secure memory can be used with default 64k memlock limit + Fixes [boo#915931], removes gnupg-large_keys.patch +- Removed gnupg-remove_development_version_warning.patch, obsolete +- Removed gnupg-2.0.4-install_tools.diff, replaced by spec install +- Removed autoconf requirement and autoreconf calls thus obsoleted + +------------------------------------------------------------------- +Tue Feb 24 08:10:22 UTC 2015 - astieger@suse.com + +- Fix invalid packet read error when reading keyrings [boo#914625] + add 0001-gpg-Skip-legacy-keys-while-searching-keyrings.patch + +------------------------------------------------------------------- +Wed Feb 11 21:48:13 UTC 2015 - astieger@suse.com + +- update to 2.1.2: + * gpg: The parameter 'Passphrase' for batch key generation works + again. + * gpg: Using a passphrase option in batch mode now has the + expected effect on --quick-gen-key. + * gpg: Improved reporting of unsupported PGP-2 keys. + * gpg: Added support for algo names when generating keys using + --command-fd. + * gpg: Fixed DoS based on bogus and overlong key packets. + * agent: When setting --default-cache-ttl the value + for --max-cache-ttl is adjusted to be not lower than the former. + * agent: Fixed problems with the new --extra-socket. + * agent: Made --allow-loopback-pinentry changeable with gpgconf. + * agent: Fixed importing of unprotected openpgp keys. + * agent: Now tries to use a fallback pinentry if the standard + pinentry is not installed. + * scd: Added support for ECDH. + * Fixed several bugs related to bogus keyrings and improved some + other code. +- in gnupg-2.0.18-files-are-digests.patch, change buffer_to_u32 to + buf32_to_u32 from host2net.h to match upstream changes +- now requires automake 1.14 + +------------------------------------------------------------------- +Fri Dec 26 21:15:55 UTC 2014 - andreas.stieger@gmx.de + +- update to 2.1.1: + * gpg: Detect faulty use of --verify on detached signatures. + * gpg: New import option "keep-ownertrust". + * gpg: New sub-command "factory-reset" for --card-edit. + * gpg: A stub key for smartcards is now created by --card-status. + * gpg: Fixed regression in --refresh-keys. + * gpg: Fixed regresion in %g and %p codes for --sig-notation. + * gpg: Fixed best matching hash algo detection for ECDSA and EdDSA. + * gpg: Improved perceived speed of secret key listisngs. + * gpg: Print number of skipped PGP-2 keys on import. + * gpg: Removed the option aliases --throw-keyid and --notation-data; + use --throw-keyids and --set-notation instead. + * gpg: New import option "keep-ownertrust". + * gpg: Skip too large keys during import. + * gpg,gpgsm: New option --no-autostart to avoid starting gpg-agent or + dirmngr. + * gpg-agent: New option --extra-socket to provide a restricted + command set for use with remote clients. + * gpgconf --kill does not anymore start a service only to kill it. + * gpg-pconnect-agent: Add convenience option --uiserver. + * More translations (but most of them are not complete). + * To support remotely mounted home directories, the IPC sockets may + now be redirected. This feature requires Libassuan 2.2.0. + * Improved portability and the usual bunch of bug fixes. +- removed patch not part of upstream release: + gnupg-2.1.0-boo-907198-openpgp_oid_to_str-buffer-overflow.patch +- refresh for context changes: + gnupg-2.0.18-files-are-digests.patch + gnupg-2.0.4-install_tools.diff +- refresh for upstream code changes: + gnupg-add_legacy_FIPS_mode_option.patch + gnupg-detect_FIPS_mode.patch (MD5 removed) + +------------------------------------------------------------------- +Thu Dec 25 18:09:11 UTC 2014 - dev@stellardeath.org + +- Support for large RSA keys + This involves compiling with --enable-large-rsa and + --enable-large-secmem, as well as patching the number + of secmem bytes and IPC bytes to slightly larger values. + See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739424 + * added gnupg-large_keys.patch + +------------------------------------------------------------------- +Wed Dec 3 22:37:59 UTC 2014 - andreas.stieger@gmx.de + +- update build requirement versions that changed with 2.1.0 + +------------------------------------------------------------------- +Wed Nov 26 19:21:15 UTC 2014 - andreas.stieger@gmx.de + +- fix buffer overflow in OID to string conversion function + [boo#907198], adding + gnupg-2.1.0-boo-907198-openpgp_oid_to_str-buffer-overflow.patch + +------------------------------------------------------------------- +Tue Nov 11 16:10:04 UTC 2014 - vcizek@suse.com + +- obsolete dirmngr (shipped with gpg since 2.1.0) +- spec cleanup after previous update +- get rid of "THIS IS A DEVELOPMENT VERSION" warning + http://lists.gnupg.org/pipermail/gnupg-devel/2014-November/029065.html + * added gnupg-remove_development_version_warning.patch + +------------------------------------------------------------------- +Thu Nov 6 17:32:39 UTC 2014 - vcizek@suse.com + +- upgrade to 2.1.0 (modern) + - The file "secring.gpg" is not anymore used to store the secret + keys. Merging of secret keys is now supported. + - All support for PGP-2 keys has been removed for security reasons. + - The standard key generation interface is now much leaner. This + will help a new user to quickly generate a suitable key. + - Support for Elliptic Curve Cryptography (ECC) is now available. + - Commands to create and sign keys from the command line without any + extra prompts are now available. + - The Pinentry may now show the new passphrase entry and the + passphrase confirmation entry in one dialog. + - There is no more need to manually start the gpg-agent. It is now + started by any part of GnuPG as needed. + - Problems with importing keys with the same long key id have been + addressed. + - The Dirmngr is now part of GnuPG proper and also takes care of + accessing keyserver. + - Keyserver pools are now handled in a smarter way. + - A new format for locally storing the public keys is now used. + This considerable speeds up operations on large keyrings. + - Revocation certificates are now created by default. + - Card support has been updated, new readers and token types are + supported. + - The format of the key listing has been changed to better identify + the properties of a key. + - The gpg-agent may now be used on Windows as a Pageant replacement + for Putty in the same way it is used for years on Unix as + ssh-agent replacement. + - Creation of X.509 certificates has been improved. It is now also + possible to export them directly in PKCS#8 and PEM format for use + on TLS servers. +- dropped patches: + * gnupg-2.0.20-automake113.diff + * gnupg-2.0.18-tmpdir.diff (socket is created in homedir now) +- refresh most of the remaining patches +- added new BuildRequires: gnutls-devel, pkg-config, npth-devel + +------------------------------------------------------------------- +Tue Aug 12 20:19:45 UTC 2014 - andreas.stieger@gmx.de + +- update to 2.0.26: + * gpg: Fix a regression in 2.0.24 if a subkey id is given + to --recv-keys et al. + * gpg: Cap attribute packets at 16MB. + * gpgsm: Auto-create the ".gnupg" home directory in the same + way gpg does. + * scdaemon: Allow for certificates > 1024 when using PC/SC. +- remove URL from package keyring, upstream file metadata changes + +------------------------------------------------------------------- +Tue Jul 1 21:05:55 UTC 2014 - andreas.stieger@gmx.de + +- gnupg-add_legacy_FIPS_mode_option.patch (part of [bnc#856312]) + mentions GCRYCTL_INACTIVATE_FIPS_FLAG, raising the requirement + for gcrypt from 1.4.0 (from configure) to 1.6.1 where said flag + was introduced. Require this version to build. + +------------------------------------------------------------------- +Mon Jun 30 18:52:36 UTC 2014 - andreas.stieger@gmx.de + +- update to 2.0.25: + * gpg: Fix a regression in 2.0.24 if more than one keyid is given + to --recv-keys et al. + * gpg: Cap RSA and Elgamal keysize at 4096 bit also for unattended + key generation. + * gpgsm: Fix a DISPLAY related problem with + --export-secret-key-p12. + * scdaemon: Support reader Gemalto IDBridge CT30. + +------------------------------------------------------------------- +Tue Jun 24 22:25:12 UTC 2014 - andreas.stieger@gmx.de + +- update to 2.0.24 + Contains a security fix to stop a possible DoS using garbled + compressed data packets which can be used to put gpg into an + infinite loop. [bnc#884130] [CVE-2014-4617] + * gpg: Avoid DoS due to garbled compressed data packets. +- further: + * gpg: Screen keyserver responses to avoid importing unwanted + keys from rogue servers. + * gpg: The validity of user ids is now shown by default. To + revert this add "list-options no-show-uid-validity" to gpg.conf + * gpg: Print more specific reason codes with the INV_RECP status. + * gpg: Allow loading of a cert only key to an OpenPGP card. + * gpg-agent: Make ssh support for ECDSA keys work with Libgcrypt + 1.6. + +------------------------------------------------------------------- +Tue Jun 3 21:55:34 UTC 2014 - andreas.stieger@gmx.de + +- update to 2.0.23: + * gpg: Reject signatures made using the MD5 hash algorithm unless the + new option --allow-weak-digest-algos or --pgp2 are given. + * gpg: Do not create a trustdb file if --trust-model=always is used. + * gpg: Only the major version number is by default included in the + armored output. + * gpg: Print a warning if the Gnome-Keyring-Daemon intercepts the + communication with the gpg-agent. + * gpg: The format of the fallback key listing ("gpg KEYFILE") is now more + aligned to the regular key listing ("gpg -k"). + * gpg: The option--show-session-key prints its output now before the + decryption of the bulk message starts. + * gpg: New %U expando for the photo viewer. + * gpgsm: Improved handling of re-issued CA certificates. + * scdaemon: Various fixes for pinpad equipped card readers. + * Minor bug fixes. +- Packaging changes: + * add gpgtar utility + * update and use use source URL for tarball signing key + * removed gnupg-2.0.9-RSA_ES.patch, applied upstream + * updated for context changes: + gnupg-add_legacy_FIPS_mode_option.patch + gnupg-2.0.18-files-are-digests.patch + gnupg-dont-fail-with-seahorse-agent.patch + +------------------------------------------------------------------- +Tue Apr 29 12:06:03 UTC 2014 - vcizek@suse.com + +- add patch by Stephan Mueller which adds an option to enable + legacy ciphers in FIPS mode + * added gnupg-add_legacy_FIPS_mode_option.patch + (part of bnc#856312) +- added BuildRequires: makeinfo (to build info pages from the + patched gnupg.texi) + +------------------------------------------------------------------- +Fri Feb 14 16:14:14 UTC 2014 - vcizek@suse.com + +- install scdaemon to /usr/bin (bnc#863645) + +------------------------------------------------------------------- +Sat Oct 5 11:44:42 UTC 2013 - andreas.stieger@gmx.de + +- update to 2.0.22 [bnc#844175] + * Fixed possible infinite recursion in the compressed packet + parser. [CVE-2013-4402] + * Improved support for some card readers. + * Prepared building with the forthcoming Libgcrypt 1.6. + * Protect against rogue keyservers sending secret keys. +- remove gpg2-CVE-2013-4351.patch, committed upstream + +------------------------------------------------------------------- +Mon Sep 16 11:08:55 UTC 2013 - vcizek@suse.com + +- fix CVE-2013-4351 (bnc#840510) + +------------------------------------------------------------------- +Mon Aug 19 17:59:48 UTC 2013 - andreas.stieger@gmx.de + +- update to 2.0.21 + * gpg-agent: By default the users are now asked via the Pinentry + whether they trust an X.509 root key. To prohibit interactive + marking of such keys, the new option --no-allow-mark-trusted may + be used. + * gpg-agent: The command KEYINFO has options to add info from + sshcontrol. + * The included ssh agent does now support ECDSA keys. +- now requires libgpg-error 1.11 +- update gnupg-2.0.9-langinfo.patch for upstream whitespace changes +- drop gnupg-broken-curl-test.patch, no longer required + +------------------------------------------------------------------- +Mon Jun 17 12:48:24 UTC 2013 - coolo@suse.com + +- revert usage of gpg-offline to avoid cycles + +------------------------------------------------------------------- +Mon Jun 17 12:40:10 UTC 2013 - coolo@suse.com + +- add gnupg-2.0.20-automake113.diff to fix build with automake 1.13 + +------------------------------------------------------------------- +Tue May 14 14:00:45 UTC 2013 - vcizek@suse.com + +- set safe umask before creating a plaintext file (bnc#780943) + added gpg2-set_umask_before_open_outfile.patch +- select proper ciphers when running in FIPS mode (bnc#808958) + added gnupg-detect_FIPS_mode.patch + +------------------------------------------------------------------- +Fri May 10 19:33:24 UTC 2013 - andreas.stieger@gmx.de + +- update to 2.0.20 + * Decryption using smartcards keys > 3072 bit does now work. + * New meta option ignore-invalid-option to allow using the same + option file by other GnuPG versions. + * gpg: The hash algorithm is now printed for sig records in key listings. + * gpg: Skip invalid keyblock packets during import to avoid a DoS. + * gpg: Correctly handle ports from DNS SRV records. + * keyserver: Improve use of SRV records + * gpg-agent: Avoid tty corruption when killing pinentry. + * scdaemon: Improve detection of card insertion and removal. + * scdaemon: Rename option --disable-keypad to --disable-pinpad. + * scdaemon: Better support for CCID readers. Now, the internal CCID + driver supports readers without the auto configuration feature. + * scdaemon: Add pinpad input for PC/SC, if your reader has pinpad and + it supports variable length PIN input, and you specify + --enable-pinpad-varlen option. + * scdaemon: New option --enable-pinpad-varlen. + * scdaemon: Install into libexecdir to avoid accidental execution + from the command line. + * Assorted bug fixes. +- refresh gnupg-2.0.9-RSA_ES.patch +- verify gpg signature of source tarball + +------------------------------------------------------------------- +Wed Mar 27 12:16:19 UTC 2013 - mmeister@suse.com + +- Added url as source. + Please see http://en.opensuse.org/SourceUrls + +------------------------------------------------------------------- +Fri Jan 11 20:26:50 UTC 2013 - lazy.kent@opensuse.org + +- BuildRequires: libbz2-devel (support BZIP2 compression + algorithm) (bnc#798175). + +------------------------------------------------------------------- +Wed Apr 18 10:55:34 UTC 2012 - vcizek@suse.com + +- Mention some of the changes in Greg's version update + +------------------------------------------------------------------- +Tue Mar 27 20:38:27 UTC 2012 - gregkh@opensuse.org + +- update to upstream 2.0.19 + * GPG now accepts a space separated fingerprint as a user ID. This + allows to copy and paste the fingerprint from the key listing. + * GPG now uses the longest key ID available. Removed support for the + original HKP keyserver which is not anymore used by any site. + * Rebuild the trustdb after changing the option --min-cert-level. + * Ukrainian translation. + * Honor option --cert-digest-algo when creating a cert. + * Emit a DECRYPTION_INFO status line. + * Improved detection of JPEG files. + +------------------------------------------------------------------- +Tue Dec 6 10:58:36 UTC 2011 - vcizek@suse.com + +- fixed licence to GPL-3.0+ (bnc#734878) + +------------------------------------------------------------------- +Wed Nov 30 09:55:47 UTC 2011 - coolo@suse.com + +- add automake as buildrequire to avoid implicit dependency + +------------------------------------------------------------------- +Sat Oct 1 15:53:04 UTC 2011 - crrodriguez@opensuse.org + +- Test suite hangs in qemu-arm, workaround. + +------------------------------------------------------------------- +Wed Aug 31 10:00:35 UTC 2011 - puzel@suse.com + +- link with -pie + +------------------------------------------------------------------- +Fri Aug 19 01:11:42 UTC 2011 - crrodriguez@opensuse.org + +- libcurl.m4 tests were broken, resulting in the usage + of a "fake" internal libcurl. + +------------------------------------------------------------------- +Sat Aug 6 20:19:09 UTC 2011 - andreas.stieger@gmx.de + +- update to upstream 2.0.18 + * Bug fix for newer versions of Libgcrypt. + * Support the SSH confirm flag and show SSH fingerprints in ssh + related pinentries. + * Improved dirmngr/gpgsm interaction for OCSP. + * Allow generation of card keys up to 4096 bit. +- refresh patch gnupg-2.0.10-tmpdir.diff -> gnupg-2.0.18-tmpdir.diff +- refresh patch gnupg-files-are-digests.patch -> gnupg-2.0.18-files-are-digests.patch + +------------------------------------------------------------------- +Tue Mar 15 09:29:42 UTC 2011 - puzel@novell.com + +- update to gnupg-2.0.17 + * Allow more hash algorithms with the OpenPGP v2 card. + * The gpg-agent now tests for a new gpg-agent.conf on a HUP. + * Fixed output of "gpgconf --check-options". + * Fixed a bug where Scdaemon sends a signal to Gpg-agent running + in non-daemon mode. + * Fixed TTY management for pinentries and session variable update + problem. +- drop gnupg-CVE-2010-2547.patch (in upstream) + +------------------------------------------------------------------- +Fri Jan 7 13:24:17 CET 2011 - sbrabec@suse.cz + +- Removed obsolete BuildRequires of opensc-devel. + +------------------------------------------------------------------- +Sun Oct 31 12:37:02 UTC 2010 - jengelh@medozas.de + +- Use %_smp_mflags + +------------------------------------------------------------------- +Wed Jul 28 09:39:00 UTC 2010 - puzel@novell.com + +- gnupg-CVE-2010-2547.patch (bnc#625947) +- renumber patches + +------------------------------------------------------------------- +Mon Jul 19 21:49:40 UTC 2010 - puzel@novell.com + +- update to gnupg-2.0.16 + * If the agent's --use-standard-socket option is active, all tools + try to start and daemonize the agent on the fly. In the past this + was only supported on W32; on non-W32 systems the new configure + option --use-standard-socket may now be used to use this feature by + default. + * The gpg-agent commands KILLAGENT and RELOADAGENT are now available + on all platforms. + * Minor bug fixes. +- drop gnupg-2.0.14-s2kcount.patch (builds fine without it now) + +------------------------------------------------------------------- +Mon Jun 7 09:40:32 UTC 2010 - adrian@suse.de + +- add special provides to make sure that obs signd gets correct gpg version + +------------------------------------------------------------------- +Fri Apr 9 12:47:11 UTC 2010 - chris@computersalat.de + +- fix deps + o libassuan-devel >= 2.0.0 + o pth / libpth-devel >= 1.3.7 +- added BuildReq libcurl-devel >= 7.10 +- removed BuildReq openldap2 + is already solved by openldap2-devel +- removed unrecognized configure options + --enable-external-hkp, --enable-shared, --enable-static-rnd + +------------------------------------------------------------------- +Wed Apr 7 14:19:11 UTC 2010 - puzel@novell.com + +- add gnupg-dont-fail-with-seahorse-agent.patch (bnc#589994) + +------------------------------------------------------------------- +Wed Mar 31 13:47:00 UTC 2010 - puzel@novell.com + +- update to gnupg-2.0.15 + * New command --passwd for GPG. + * Fixes a regression in 2.0.14 which prevented unprotection of new + or changed gpg-agent passphrases. + * Make use of libassuan 2.0 which is available as a DSO. + +------------------------------------------------------------------- +Mon Mar 22 15:09:24 UTC 2010 - puzel@novell.com + +- fix files-are-digests patch (bnc#469229) + +------------------------------------------------------------------- +Wed Feb 17 13:29:18 CET 2010 - dimstar@opensuse.org + +- Update to version 2.0.14: + + The default for --include-cert is now to include all + certificates in the chain except for the root certificate. + + Numerical values may now be used as an alternative to the + debug-level keywords. + + The GPGSM --audit-log feature is now more complete. + + GPG now supports DNS lookups for SRV, PKA and CERT on W32. + + New GPGSM option --ignore-cert-extension. + + New and changed passphrases are now created with an iteration + count requiring about 100ms of CPU work. +- Add gnupg-2.0.14-s2kcount.patch: use fixed s2k-count number + otherwise the gpg2 would want to consult gpg-agent which is not + yet installed in the mock chroot (Patch shamelessly stolen from + Fedora). + +------------------------------------------------------------------- +Thu Jan 28 14:15:24 UTC 2010 - puzel@novell.com + +- fix build for older distributions + +------------------------------------------------------------------- +Wed Jan 27 16:30:41 UTC 2010 - puzel@novell.com + +- port files-are-digests patch from gpg1 (bnc#469229) + +------------------------------------------------------------------- +Tue Dec 15 20:56:35 CET 2009 - jengelh@medozas.de + +- enable parallel building +- SPARC needs large PIE model + +------------------------------------------------------------------- +Sun Dec 6 08:52:32 UTC 2009 - coolo@novell.com + +- change -lang require to recommended + +------------------------------------------------------------------- +Fri Nov 13 14:37:58 UTC 2009 - puzel@novell.com + +- update to gnupg-2.0.13 + * GPG now generates 2048 bit RSA keys by default. The default hash + algorithm preferences has changed to prefer SHA-256 over SHA-1. + 2048 bit DSA keys are now generated to use a 256 bit hash algorithm + * The envvars XMODIFIERS, GTK_IM_MODULE and QT_IM_MODULE are now + passed to the Pinentry to make SCIM work. + * The GPGSM command --gen-key features a --batch mode and implements + all features of gpgsm-gencert.sh in standard mode. + * New option --re-import for GPGSM's IMPORT server command. + * Enhanced writing of existing keys to OpenPGP v2 cards. + * Add hack to the internal CCID driver to allow the use of some + Omnikey based card readers with 2048 bit keys. + * GPG now repeatly asks the user to insert the requested OpenPGP + card. This can be disabled with --limit-card-insert-tries=1. + * Minor bug fixes. +- drop gnupg-2.0.4-default-tty.diff + +------------------------------------------------------------------- +Thu Jun 18 13:22:00 CEST 2009 - puzel@novell.com + +- update to gnupg-2.0.12 + * GPGSM now always lists ephemeral certificates if specified by + fingerprint or keygrip. + * New command "KEYINFO" for GPG_AGENT. GPGSM now also returns + information about smartcards. + * Made sure not to leak file descriptors if running gpg-agent with a + command. Restore the signal mask to solve a problem in Mono. + * Changed order of the confirmation questions for root certificates + and store negative answers in trustlist.txt. + * Better synchronization of concurrent smartcard sessions. + * Support 2048 bit OpenPGP cards. + * Support Telesec Netkey 3 cards. + * The gpg-protect-tool now uses gpg-agent via libassuan. + * Changed code to avoid a possible Mac OS X system freeze. +- drop gpg2-fix-rtsignals.patch (fixed upstream) +- drop gnupg-1.9.22-ccid-driver-fix.diff (unused) + +------------------------------------------------------------------- +Thu Jun 11 11:19:58 CEST 2009 - puzel@suse.cz + +- change BuildRequires: (pth-devel -> libpth-devel) + +------------------------------------------------------------------- +Mon Jun 1 11:26:12 CEST 2009 - puzel@suse.cz + +- BuildRequires: pth-devel + +------------------------------------------------------------------- +Wed Mar 18 13:51:30 CET 2009 - puzel@suse.cz + +- add gpg2-fix-rtsignals.patch (bnc#481463) + +------------------------------------------------------------------- +Thu Mar 5 13:39:42 CET 2009 - puzel@suse.cz + +- update to 2.0.11 + * Fixed a problem in SCDAEMON which caused unexpected card resets. + * SCDAEMON is now aware of the Geldkarte. + * The SCDAEMON option --allow-admin is now used by default. + * GPGCONF now restarts SCdaemon if necessary. + * The default cipher algorithm in GPGSM is now again 3DES. This is + due to interoperability problems with Outlook 2003 which still + can't cope with AES. +- dropped gnupg-2.0.10-fix-convert.patch (upstream) +- dropped gnupg-2.0.10-fix-missing-option.patch (upstream) +- disabled gnupg-1.9.22-ccid-driver-fix.diff (does not apply and it is + not clear what it is good for) + +------------------------------------------------------------------- +Mon Mar 2 15:53:22 CET 2009 - puzel@suse.cz + +- gnupg-2.0.10-fix-missing-option.patch (bnc#477362) + +------------------------------------------------------------------- +Mon Jan 19 16:16:11 CET 2009 - puzel@suse.cz + +- add gnupg-2.0.10-fix-convert.patch + - fix broken 'make check' on ppc, s390 and s390x + +------------------------------------------------------------------- +Tue Jan 13 10:38:38 CET 2009 - puzel@suse.cz + +- update to 2.0.10 + * New keyserver helper gpg2keys_kdns as generic DNS CERT + lookup. + * New mechanisms "local" and "nodefault" for --auto-key-locate. + Fixed a few problems with this option. + * New command --locate-keys. + * New options --with-sig-list and --with-sig-check. + * The option "-sat" is no longer an alias for --clearsign. + * The option --fixed-list-mode is now implicitly used and obsolete. + * New control statement %ask-passphrase for the unattended key + generation. + * The algorithm to compute the SIG_ID status has been changed. + * [gpgsm] Now uses AES by default. + * [gpgsm] Made --output option work with --export-secret-key-p12. + * [gpg-agent] Terminate process if the own listening socket is not + anymore served by ourself. + * [gpg-connect-agent] Accept commands given as command line arguments. + * The gpg-preset-passphrase mechanism works again. An arbitrary + string may now be used for a custom cache ID. + * Admin PINs are cached again (bug in 2.0.9). + * Support for version 2 OpenPGP cards. + +- specfile changes: + * require libadns + * explicit versions for some BuildRequires + * BuildRequires libgpg-error + * changed license to GPL v3 + * /etc/gnupg/gnupg.conf is now (noreplace) + * documentation is installed with install + +------------------------------------------------------------------- +Wed Jun 11 11:06:09 CEST 2008 - puzel@suse.cz + +- fix [bnc#305725] - UTF-8 problems + * non latin characters displayed incorrectly by pinentry-* + +------------------------------------------------------------------- +Wed May 21 14:01:14 CEST 2008 - puzel@suse.cz + +- added missing gpgconf.conf (bnc#391347) + +------------------------------------------------------------------- +Fri Mar 28 16:14:33 CET 2008 - pcerny@suse.cz + +- update to 2.0.9 + * fixes CVE-2008-1530 (bnc#374254) + * removing gnupg-2.0.8-from-upstream.diff (included in release) + * removing gnupg-2.0.4-oldkey.diff (accepted by upstream) + * removing gnupg-2.0.8-warningfixes.diff + (also appears in upstream) +- patch gnupg-2.0.9-RSA_ES.patch + * adding back support for deprecated RSA_E, RSA_S algorithms + (bnc#342979) + +------------------------------------------------------------------- +Wed Mar 26 22:07:29 CET 2008 - coolo@suse.de + +- require the split out lang package + +------------------------------------------------------------------- +Sun Mar 23 12:10:56 CET 2008 - coolo@suse.de + +- splitting out a third of the package by using a lang subpack + +------------------------------------------------------------------- +Tue Feb 12 19:24:37 CET 2008 - bk@suse.de + +- install gpg-zip and gpgsplit again and use -pie for randomisation + +------------------------------------------------------------------- +Wed Feb 6 18:16:34 CET 2008 - bk@suse.de + +- add selected upstream fixes and fix gcc and rpmlint warnings + +------------------------------------------------------------------- +Tue Jan 8 10:48:30 CET 2008 - sassmann@suse.de + +- update to GnuPG-2.0.8 +- adapted patches to apply properly + * gnupg-1.9.18-tmpdir.diff + * gnupg-2.0.4-install_tools.diff +- gnupg-2.0.5.fixes-from-svn-20070812.diff commented out, + included in upstream 2.0.8 +- use optflags during build + +------------------------------------------------------------------- +Wed Sep 12 22:40:46 CEST 2007 - ltinkl@suse.cz + +- fix #304749 - gpg2 unable to use old secret key + +------------------------------------------------------------------- +Mon Sep 10 20:13:07 CEST 2007 - ltinkl@suse.cz + +- fix gpg2 crash on accessing key (#307666) +- fix gpg doesn't work on the console (#302323) + +------------------------------------------------------------------- +Fri Aug 10 11:50:20 CEST 2007 - bk@suse.de + +- update to GnuPG-2.0.5 - requries libassuan-1.0.2! + * Switched license to GPLv3. + * Fixed bug when using the --p12-charset without --armor. + * The command --gen-key may now be used instead of the + gpgsm-gencert.sh script. + * Changed key generation to reveal less information about the + machine. Bug fixes for gpg2's card key generation. +- enable make check to test against build issues in the crypto engine +- cleanup disabled nld patch for linking with -lgpg-error-nld +- use %find_lang to label the locale files properly with %lang +- add opensc-devel to BuildRequrires to enanble smartcard support +- del Makefile.in patches where we patch Makefile.am and run automake +- cleanup the standrd GNU INSTALL and the empty VERSION from %doc + +------------------------------------------------------------------- +Thu Jul 26 13:16:22 CEST 2007 - sbrabec@suse.cz + +- Build with libassuan-devel. + +------------------------------------------------------------------- +Thu Jun 21 20:31:44 CEST 2007 - ro@suse.de + +- install compat symlinks for gpg2 and gpgv2 +- install gpg-zip and gpgsplit +- added openldap2 to buildrequires (for gpgkeys_ldap) +- added fPIE/pie to CFLAGS/LDFLAGS for gpgsplit + +------------------------------------------------------------------- +Wed May 23 19:02:45 CEST 2007 - dmueller@suse.de + +- add libusb-devel build requires + +------------------------------------------------------------------- +Wed May 16 14:27:28 CEST 2007 - ltinkl@suse.cz + +- remove gpg from Require's (#273491) + +------------------------------------------------------------------- +Fri May 11 13:20:19 CEST 2007 - ltinkl@suse.cz + +- updated to 2.0.4 stable snapshot + +------------------------------------------------------------------- +Wed Apr 4 12:42:06 CEST 2007 - ltinkl@suse.cz + +- update to 2.0.3 +- fixed #251605 - VUL-0: signing issues within GNUPG +- removed outdated patches + +------------------------------------------------------------------- +Fri Mar 30 01:58:56 CEST 2007 - ro@suse.de + +- added zlib-devel to buildreq + +------------------------------------------------------------------- +Wed Feb 14 15:14:44 CET 2007 - ltinkl@suse.cz + +- fix file conflicts with gpg (#242133) + +------------------------------------------------------------------- +Tue Jan 30 00:34:50 CET 2007 - ro@suse.de + +- fix build (exclude possible debuginfo directory) + +------------------------------------------------------------------- +Mon Jan 29 16:22:15 CET 2007 - ltinkl@suse.cz + +- fix #221212 - gpg2 is not updated and do not contain documentation +- fix #233525 - gpg1/2: bug in vasprintf() implementation + +------------------------------------------------------------------- +Thu Nov 30 16:59:25 CET 2006 - anicka@suse.cz + +- fix overflow in openfile.c (CVE-2006-6169, #224108) + +------------------------------------------------------------------- +Mon Sep 11 13:44:21 CEST 2006 - pnemec@suse.cz + +- updated gnupg to new version 1.9.22 + Enhanced pkcs#12 support + Support for the CardMan 4040 PCMCIA + Collected bug fixes +- updated pth library to 2.0.7 +- changed using pinetry-qt to pinentry +- removed -cfb.diff -signature.patch -cap_large_uid.patch patches + they are no longer needed +- change patch -warnings-fix.diff -ccid-driver-fix.diff + +------------------------------------------------------------------- +Thu Aug 17 11:55:09 CEST 2006 - pnemec@suse.de + +- remove unused package in build requires + +------------------------------------------------------------------- +Wed Aug 9 09:32:56 CEST 2006 - pnemec@suse.cz + +- fix spec file to build with new gettext 0.15 + +------------------------------------------------------------------- +Mon Aug 7 11:06:19 CEST 2006 - pnemec@suse.cz + +- fixed security fix with large uid CVE-2006-3746 [#195569] + +------------------------------------------------------------------- +Thu Feb 23 17:07:18 CET 2006 - pnemec@suse.cz + +- fixed signature security problem CVE-2006-0455 (bugzilla#150742) + +------------------------------------------------------------------- +Thu Feb 2 15:37:22 CET 2006 - pnemec@suse.cz + +- fixed install info in spec file + +------------------------------------------------------------------- +Thu Jan 26 15:52:26 CET 2006 - sbrabec@suse.cz + +- Added missing %install_info. + +------------------------------------------------------------------- +Wed Jan 25 21:36:18 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Fri Aug 5 12:52:44 CEST 2005 - postadal@suse.cz + +- updated to version to 1.9.18 +- removed obsoleted gcc patch +- added patch tmpdir.diff for using $TMPDIR by gpg-agent [#bug95732] + +------------------------------------------------------------------- +Tue Jul 12 14:17:11 CEST 2005 - postadal@suse.cz + +- updated to version to 1.9.17 +- updated pth to version 2.0.4 +- removed obsoleted patch agent-cache-fix.diff +- fixed ccid-driver.c +- fixed gcc4 +- explicitly enabled gpg building in configure + +------------------------------------------------------------------- +Thu Mar 24 13:55:34 CET 2005 - postadal@suse.cz + +- fixed caching passphrase in gpg-agent [#71975] + +------------------------------------------------------------------- +Tue Mar 22 18:11:12 CET 2005 - postadal@suse.cz + +- fixed on 64bit archs [#72440] + +------------------------------------------------------------------- +Wed Feb 23 15:16:55 CET 2005 - postadal@suse.cz + +- security fix for cfb-cipher issue [#65862] + +------------------------------------------------------------------- +Wed Jan 12 16:02:00 CET 2005 - postadal@suse.cz + +- update to version 1.9.14 +- removed obsoleted patch automake-fixes.diff + +------------------------------------------------------------------- +Tue Sep 28 08:52:32 CEST 2004 - adrian@suse.de + +- link against libpth staticaly to make S/MIME support in kmail + usable. Hopefully we can convert this to a native thread implementation + later. (#46260) + +------------------------------------------------------------------- +Sat Jul 31 15:07:26 CEST 2004 - adrian@suse.de + +- update to version 1.9.10 + +------------------------------------------------------------------- +Tue Jul 20 09:01:50 CEST 2004 - adrian@suse.de + +- remove openct and opensc packages from nfb + (we will need thread support, when enabling card reader support, + but it isn't anyway implemented yet in gpg2) + +------------------------------------------------------------------- +Mon Jul 12 17:55:32 CEST 2004 - adrian@suse.de + +- use GnuPG 2 sources version 1.9.9 +- opensc support misses some functions atm, support disabled for now +- threading is disabled, since we do not have a pth package for now +- prepare for nld + +------------------------------------------------------------------- +Thu Feb 26 13:27:08 CET 2004 - postadal@suse.cz + +- adapted some functions to the libgcrypt version 1.1.91 [#34987] +- added libgpg-error to needforbuild flag + +------------------------------------------------------------------- +Wed Feb 18 14:02:47 CET 2004 - kukuk@suse.de + +- Don't build against libpth. + +------------------------------------------------------------------- +Tue Feb 10 16:00:08 CET 2004 - postadal@suse.cz + +- fixed code that broke strict aliasing + +------------------------------------------------------------------- +Fri Dec 5 14:35:32 CET 2003 - garloff@suse.de + +- disable core dumpe in child after forking. [#33499] + +------------------------------------------------------------------- +Mon Aug 11 14:48:50 CEST 2003 - adrian@suse.de + +- cleanup #neededforbuild and requires + +------------------------------------------------------------------- +Mon Aug 4 15:28:41 CEST 2003 - ro@suse.de + +- added openct to neededforbuild + +------------------------------------------------------------------- +Fri Jul 18 14:23:15 CEST 2003 - mc@suse.de + +- build against opensc + +------------------------------------------------------------------- +Thu Jun 19 19:04:45 CEST 2003 - schwab@suse.de + +- Add %install_info. + +------------------------------------------------------------------- +Mon Mar 17 15:25:30 CET 2003 - adrian@suse.de + +- add signal handler to check if the parent is still alive and + exit if not +- use pinentry-qt by default (/usr/bin/pinentry do not exist) + +------------------------------------------------------------------- +Tue Feb 11 15:38:30 CET 2003 - mc@suse.de + +- initial release + diff --git a/gpg2.keyring b/gpg2.keyring new file mode 100644 index 0000000..dd3bb0b --- /dev/null +++ b/gpg2.keyring @@ -0,0 +1,86 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGNBFjLuq4BDACnM7zNSIaVMAacTwjXa5TGYe13i6ilHe4VL0NShzrgzjcQg531 +3cRgiiiNA7OSOypMqVs73Jez6ZUctn2GVsHBrS/io9NcuC9pVwf8a61WlcEa+EtB +a3G7HlBmEWnwaUdAtWKNuAi9Xn+Ir7H2xEdksmmd5a0/QnL+sX705boVPF/tpYtb +LGpPxa78tNrtxDkSwy8Wmi0IADYLI5yI7/yUGeJd8RSCU/fLRKC9fG7YOZRq0tsO +MhVNWmtUjbG6e73Lu8LKnCZgs1/fC8hvPyARieSV5mdN8s1oWd7oYctfgL4uBleD +ItAA8GhjKejutzHN8Ei/APw6AiiSyEjnPg+cTX8OgvLGJWjks0H6mPZeB1v/kGyZ +hBS9vm540h2/MmlVN2ntiCK5TZGeSWpqddiqusfVXotMRpN4HeLKoZh4RAncaCbZ +F/S+YLeN+kMXY4k3Fqt1fjTX6veFCbthI9pDdHzU9LfUVNp9D/5ktC/tYMORMegV ++wSMxi9G2YWKJkMAEQEAAYkBzgQfAQgAOBYhBFuAxXVCmPDLVdjtarzvfilLCS4o +BQJYy8DdFwyAAZSlyaA8L+XKOwldjh/fcjz0YraxAgcAAAoJELzvfilLCS4oNgoL +/0+K1xIx8JW7Lk5M6bYCvNA4fdlEcwQIT4UidJFM9m+suxYFWIGfebvHpRlEuJTg +dBjkEit8uLAoJXU0BRkKTLrzTF+qDUE79Wfx/R+0nOgJ7aMykQOi0AvuwzMYz4dg +xIVS2Daou4DF7bh/KF8+fqrmq8P8W1ZrkuFDanMWpHeAPx1uj2skYbo7uPqFdvlJ +hlNHrcxlcCkjf1InAt0Xt5lMvEsCRUPf9xAH4mNEhs0lh9c+200YPRmtnLWAzc1K +ckLIC8Q+mUR3DjZDqBlDBEPegXkrI0+MlvRA+9AnAm4YPqTMUfpZ6ZOAWeFjC/6Z +QYxG/AdWGkb4WFindzklQfybEuiekP8vU07ACQwSwH8PYe0UCom1YrlRUjX7QLkn +ZLWoeZg8BZy9GTM1Ut7Q1Q2uTw6mxxISuef+RFgYOHjWwLpFWZpqC88xERl7o/iz +iERJRt/593IctbjO9wenWt2peIAwzR4nz7LqM6ZFTdRAETmcdSvYRhg2Qt8hUE47 +CbQkQW5kcmUgSGVpbmVja2UgKFJlbGVhc2UgU2lnbmluZyBLZXkpiQHUBBMBCAA+ +FiEEW4DFdUKY8MtV2O1qvO9+KUsJLigFAljLuq4CGwMFCRLMAwAFCwkIBwIGFQgJ +CgsCBBYCAwECHgECF4AACgkQvO9+KUsJLihC/QwAhCC+SEvcFLcutgZ8HfcCtoZs +IoVzZEy7DjqIvGgnTssD8HCLnIAHCDvnP7dJW3uMuLCdSqym3cjlEIiQMsaGywkl +fzJISAwJrGQdWSKRd535jXpEXQlXDKal/IwMKAUt0PZtlCc9S3gwixQryxdJ28lJ +6h2T9fVDr8ZswMmTAFG91uctfhjKOMgPt8UhSPGW484WsIsQgkbOvf+Kfswl0eHu +ywX+pKAB5ZQ/9GVC6Ug4xfrdiJL0azJTPnvjMY5JYp6/L9RURs5hP5AnHR2j/PPo +sAtsFCjmbRbOMiASzklnUJPbSz5kfLloDWZmrUScjbzmsXehGyt433JGyRhZJl4x +/jPbzKhaaAHsGd+fRao6vlLOwFywDDVMp6JuyK7UeUb7I8ekTbSkGFA+l2Oa3O6/ +Y7PYhq7hwwAFuZckYI98IpHNCG1fS9W07FyKdvQbK1PbF1JFRKfsUCWYMKqDnbqE +o5jivPEHZImw6iYhhXcyEYl8fjcb9T6/S+wOP7aviQGzBBABCAAdFiEElKXJoDwv +5co7CV2OH99yPPRitrEFAljLv5sACgkQH99yPPRitrFw4gv/XFMFN+/LHsn9hJOP +4rCwl1yUuxXuYmZgc0sRoY3EpeQkJVyKurQuqqKoy2VuoMiF0O1kAQmGoFtVPUk7 +b8hCoutqB5GyeyKcoLP+WINgVhB2gXg7TSp3MPLBKkgqvSDvPitgRxBqFb4LW8LJ +bDbfwGrzIvXfDV3WvsrHVPbc2fhlWdL8d+3AE6mFiXF3eTpgmV3ApSBQV12MkkCk +icLIPmp+ZxZON+OP52ZXkRtfMgOy4Oa/41agrViDAZdMOGeGkhPertQheQZgXzmo +GF5Wz498HPM80Kv35X91l3iGzL+icEtO+tWea2YscsZ6qpRe2lfVPHk3B+anlmCj +m4kM4cBd39xa4HHSVh/bRHbZNtgVr7slQCKxlHgQOGVI5vCxPCwEsgJ2KBk03Nk/ +IA9EKO+czfh3/bHW6uMbEqrYDCnt+hmzZrpKDSGcwS/KOhvMUIMlb7/8vDKum6mp +/8xAtVZ6IAxYZNt3qg7Y7aLRtzCTyqm8rJQrZPtRaQcgLoEimDMEX0PliRYJKwYB +BAHaRw8BAQdAz75Hlekc16JhhfI0MKdEVxLdkxhcMCO0ZG6WMBAmNpe0H1dlcm5l +ciBLb2NoIChkaXN0IHNpZ25pbmcgMjAyMCmImgQTFgoAQhYhBG2qbmSnbShAVxtJ +AlKIl7gmQDraBQJfQ+w1AhsDBQkShccRBQsJCAcCAyICAQYVCgkICwIEFgIDAQIe +BwIXgAAKCRBSiJe4JkA62nmuAP9uL/HOdB0gvwWrH+FpURJLs4bnaZaPIk9ARrU0 +EXRgJgD/YCGfHQXpIPT0ZaXuwJexK04Z+qMFR/bM1q1Leo5CjgaIbQQQEQsAHRYh +BIBhWHD1utaQMzaG0PKthaweQrNnBQJfQ/HmAAoJEPKthaweQrNnIZkA3jG6LcZv +V/URn8Y8OJqsyYa4C3NI4nN+OhEvYhgA4PHzMnALeXIpA2gblvjFIPJPAhDBAU37 +c5PA6+6IdQQQFggAHRYhBK6oTtzwGthsRwHIXGMROuhmWH0KBQJfQ/IlAAoJEGMR +OuhmWH0K1+MA/0uJ5AHcnSfIBEWHNJwwVVLGyrxAWtS2U+zeymp/UvlPAQDErCLZ +l0dBiPG3vlowFx5TNep7tanBs6ZJn8F1ao1tAIkBMwQQAQgAHRYhBNhpISPEBl3q +Xg86tSSbOdJPJeO2BQJfQ/OuAAoJECSbOdJPJeO2DVoH/0o9if66ph6FJrgr+A/W +HNVeHxmM5tUQhpL1wpRS70SKcsJgolf5CxO5iTQf3HlZe544xGbIU/aCTJsWw9zi +UE8KmhAtKV4eL/7oQ7xx4nxPnABLpudtM8A44nsM1x/XiYrJnnDm29QjYEGd2Hi8 +7npc7VWKzLoj+I/WcXquynJi5O9TUxW9Bknd1pjpxFkf8v+msjBzCD5VKJgr0CR8 +wA6peQBWeGZX2HacosMIZH4TfL0r0TFla6LJIkNBz9DyIm1yL4L8oRH0950hQljP +C7TM3L7aRpX+4Kph6llFz6g7MALGFP95kyJ6o+XED9ORuuQVZMBMIkNC0tXOu10V +bdqIdQQQFgoAHRYhBMHTS2khnkruwLocIeP9/yGORbcrBQJfQ/P8AAoJEOP9/yGO +Rbcr3lQBAMas8Vl3Hdl3g2I283lz1uHiGvlwcnk2TLeB+U4zIwC9AQCy0nnazVNt +VQPID1ZCMoaOX7AzOjaqQDLf4j+dVTxgBJgzBGCkgocWCSsGAQQB2kcPAQEHQJmd +fwp8jEN5P3eEjhQiWk6zQi8utvgOvYD57XmE+H8+tCBOaWliZSBZdXRha2EgKEdu +dVBHIFJlbGVhc2UgS2V5KYiaBBMWCgBCFiEErI4RW/c+LY1H+pkI6Y6bLRnGyL0F +AmCkgocCGwMFCQsNBpkFCwkIBwIDIgIBBhUKCQgLAgQWAgMBAh4HAheAAAoJEOmO +my0Zxsi9/4IA/1rvSr3MU+Sv4jhNDzD+CeC3gmHkPew6pi9VHEsEwdgmAQD2BtiX +7w1sJL/CBylGWv5jxj4345mP9YfZm0RsgzPjDIh1BBAWCAAdFiEEJJyzdxdQdF1c +3TI84mewUjZPAo0FAmFAQ54ACgkQ4mewUjZPAo1CiAD+KTT1UVdQTGHMyvHwZocS +QjU8xhcZrTet+dvvjrE5+4MA/RBdJPZgFevUKu68NEy0Lo+RbkeCtmQJ/c8v5ieF +vW0AiQEzBBABCAAdFiEEEkEkvTtIYq96CkLxALRevUynur4FAmFAQ7cACgkQALRe +vUynur4kaAgAolPR8TNWVS0vXMKrr0k0l2M/8QkZTaLZx1GT9Nx1yb4WJKY7ElPM +YkhGDxetvFBETx0pH/6R3jtj6Crmur+NKHVSRY+rCYpFPDn6ciIOryssRx2G4kCZ +t+nFB9JyDbBOZAR8DK4pN1mAxG/yLDt4oKcUQsP2xlEFum+phxyR8KyYCpkwKRxY +eK+6lfilQuveoUwp/Xx5wXPNUy6q4eOOovCW7gS7I7288NGHCa2ul8sD6vA9C4mM +4Zxaole9P9wwJe1zZFtCIy88zHM9vqv+YM9DxMCaW24+rUztr7eD4bCRdG+QlSh+ +7R/TaqSxY1eAAd1J5tma9CNJO73pTKU+/JhTBGFpSqMTCSskAwMCCAEBBwIDBF6X +D9NmUQDgiyYNbhs1DMJ14mIw812wY1HVx/4QWYWiBunhrvSFxVbzsjD7/Wv+v3bm +MPrL+M2DLyFiSewNmcS0JEdudVBHLmNvbSAoUmVsZWFzZSBTaWduaW5nIEtleSAy +MDIxKYiaBBMTCABCFiEEAvON/3Mf+XywOaHaVJ5pXpBboggFAmFpSqMCGwMFCQ9x +14oFCwkIBwIDIgIBBhUKCQgLAgQWAgMBAh4HAheAAAoJEFSeaV6QW6IITkoA/RYa +jaTl1eEBU/Gdm12o3jrI55N5xZK2XTqSx25clVyjAP0XwMW/Og5+ND1ri3bAqADV +WlBDUswz8wYxsb0C4kYBkoh1BBAWCgAdFiEEbapuZKdtKEBXG0kCUoiXuCZAOtoF +AmFpTvEACgkQUoiXuCZAOtrJQAEAh7YyykjAy/Qs1yC3ji8iBfIVnPXvblrIx3SR +RyDwRC8BAKtZbEuKTtPlgkLUgMleTcZJ/vEhJE+GvfQ9o5gWCqEFiHUEEBYKAB0W +IQTB00tpIZ5K7sC6HCHj/f8hjkW3KwUCYWlPWgAKCRDj/f8hjkW3Kx4eAQDp6aGS +N/fU4xLl8RSvQUVjVA+aCTrMQR3hRwqw8liF2wEA3O3ECxz6e1+DoItYoJBBLKLw +eiInsGZ/+h5XYrpXTgA= +=4+Sn +-----END PGP PUBLIC KEY BLOCK----- diff --git a/gpg2.spec b/gpg2.spec new file mode 100644 index 0000000..5d7132c --- /dev/null +++ b/gpg2.spec @@ -0,0 +1,199 @@ +# +# spec file for package gpg2 +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +Name: gpg2 +Version: 2.4.4 +Release: 0 +Summary: File encryption, decryption, signature creation and verification utility +License: GPL-3.0-or-later +Group: Productivity/Networking/Security +URL: https://www.gnupg.org +Source: https://gnupg.org/ftp/gcrypt/gnupg/gnupg-%{version}.tar.bz2 +Source2: https://gnupg.org/ftp/gcrypt/gnupg/gnupg-%{version}.tar.bz2.sig +# https://www.gnupg.org/signature_key.html +Source3: https://gnupg.org/signature_key.asc#/%{name}.keyring +Source4: scdaemon.udev +Source5: gpg2-systemd-user.tar.xz +Source99: %{name}.changes +Patch1: gnupg-gpg-agent-ulimit.patch +Patch2: gnupg-2.0.9-langinfo.patch +Patch3: gnupg-dont-fail-with-seahorse-agent.patch +Patch4: gnupg-set_umask_before_open_outfile.patch +Patch5: gnupg-detect_FIPS_mode.patch +Patch6: gnupg-add_legacy_FIPS_mode_option.patch +Patch7: gnupg-2.2.16-secmem.patch +Patch8: gnupg-accept_subkeys_with_a_good_revocation_but_no_self-sig_during_import.patch +Patch9: gnupg-add-test-cases-for-import-without-uid.patch +Patch10: gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch +#PATCH-FIX-SUSE Allow 8192 bit RSA keys in keygen UI when large_rsa is set +Patch11: gnupg-allow-large-rsa.patch +#PATCH-FIX-SUSE Revert the rfc4880bis features default of key generation +Patch12: gnupg-revert-rfc4880bis.patch +#PATCH-FIX-OPENSUSE Do not pull revision info from GIT when autoconf is run +Patch13: gnupg-nobetasuffix.patch +BuildRequires: expect +BuildRequires: fdupes +BuildRequires: ibmswtpm2 +BuildRequires: ibmtss-devel +BuildRequires: libassuan-devel >= 2.5.0 +BuildRequires: libgcrypt-devel >= 1.9.1 +BuildRequires: libgpg-error-devel >= 1.46 +BuildRequires: libksba-devel >= 1.6.3 +BuildRequires: makeinfo +BuildRequires: npth-devel >= 1.2 +BuildRequires: openldap2-devel +BuildRequires: pkgconfig +BuildRequires: readline-devel +BuildRequires: pkgconfig(bzip2) +BuildRequires: pkgconfig(gnutls) >= 3.0 +BuildRequires: pkgconfig(libusb-1.0) +BuildRequires: pkgconfig(sqlite3) >= 3.27 +BuildRequires: pkgconfig(zlib) +# runtime dependency to support devel repository users - boo#955982 +Requires: libassuan0 >= 2.5.0 +Requires: libgcrypt20 >= 1.9.1 +Requires: libgpg-error >= 1.46 +Requires: libksba >= 1.3.4 +Requires: pinentry +Recommends: dirmngr = %{version} +Provides: gnupg = %{version} +Provides: gpg = 1.4.9 +Provides: newpg +Obsoletes: gpg < 1.4.9 + +%description +GnuPG is a hybrid-encryption software program; it uses a combination +of symmetric-key and public-key cryptography to encrypt/decrypt +messages and/or to sign and verify them. + +gpg2 provides GPGSM, gpg-agent, and a keybox library. + +%package -n dirmngr +Summary: Keyserver, CRL, and OCSP access for GnuPG +Group: Productivity/Networking/Security + +%description -n dirmngr +Since version 2.1 of GnuPG, dirmngr takes care of accessing the OpenPGP +keyservers. As with previous versions it is also used as a server for managing +and downloading certificate +revocation lists (CRLs) for X.509 certificates, downloading X.509 certificates, +and providing access to OCSP providers. Dirmngr is invoked internally by gpg, +gpgsm, or via the gpg-connect-agent tool. + +%package tpm +Summary: TPM2 support for GnuPG +Group: Productivity/Networking/Security + +%description tpm +Version 2.3 of GnuPG introduced support for converting GPG private +keys to TPM2 wrapped form. This package enables that support. The +keytotpm command will not function unless this package is installed. + +%lang_package + +%prep +%autosetup -p1 -a5 -n gnupg-%{version} + +# In order to compensate for gnupg-add_legacy_FIPS_mode_option.patch +# to not have man pages and info files have the build date (boo#1047218) +touch -d 2018-05-04 doc/gpg.texi + +%build +date=$(date -u +%%Y-%%m-%%dT%%H:%%M+0000 -r %{SOURCE99}) +%configure \ + --docdir=%{_docdir}/%{name} \ + --disable-rpath \ + --enable-g13 \ + --enable-large-secmem \ + --with-gnu-ld \ + --with-default-trust-store-file=%{_sysconfdir}/ssl/ca-bundle.pem \ + --enable-build-timestamp=$date \ + --enable-gpg-is-gpg2 + +%make_build + +%install +%make_install +mkdir -p %{buildroot}%{_sysconfdir}/gnupg/ + +# install gpgconf.conf bnc#391347 +install -m 644 doc/examples/gpgconf.conf %{buildroot}%{_sysconfdir}/gnupg +# delete to prevent fdupes from creating cross-partition hardlink +rm -rf %{buildroot}%{_docdir}/gpg2/examples/gpgconf.conf + +# remove info dir +rm %{buildroot}%{_infodir}/dir + +# compat symlinks +ln -sf gpg2 %{buildroot}%{_bindir}/gpg +ln -sf gpgv2 %{buildroot}%{_bindir}/gpgv +ln -sf gpg2.1 %{buildroot}%{_mandir}/man1/gpg.1 +ln -sf gpgv2.1 %{buildroot}%{_mandir}/man1/gpgv.1 + +# install udev rules for scdaemon +install -Dm 0644 %{SOURCE4} %{buildroot}%{_udevrulesdir}/60-scdaemon.rules + +# Move the systemd user units to the appropriate directory +install -d -m 755 %{buildroot}%{_userunitdir} +cp systemd-user/gpg-agent*.s* %{buildroot}%{_userunitdir} +cp systemd-user/dirmngr.s* %{buildroot}%{_userunitdir} +cp systemd-user/README.systemd %{buildroot}%{_docdir}/gpg2/ + +%find_lang gnupg2 +%fdupes -s %{buildroot} + +%check +%make_build check || : + +%post +%udev_rules_update + +%files lang -f gnupg2.lang + +%files +%license COPYING* +%doc AUTHORS NEWS THANKS TODO ChangeLog +%{_infodir}/gnupg* +%{_mandir}/*/[agsw]*%{ext_man} +%doc %{_docdir}/%{name} +%{_bindir}/[gkw]* +%{_libexecdir}/[gks]* +%{_sbindir}/addgnupghome +%{_sbindir}/applygnupgdefaults +%{_sbindir}/g13-syshelp +%{_udevrulesdir}/60-scdaemon.rules +%{_datadir}/gnupg +%dir %{_sysconfdir}/gnupg +%config(noreplace) %{_sysconfdir}/gnupg/gpgconf.conf +%{_userunitdir}/gpg-agent* +%if 0%{?sle_version} >= 150500 +%exclude %{_userunitdir}/dirmngr.* +%endif + +%files -n dirmngr +%license COPYING* +%{_mandir}/*/dirmngr*%{ext_man} +%{_bindir}/dirmngr* +%{_libexecdir}/dirmngr_ldap +%{_userunitdir}/dirmngr.* + +%files tpm +%license COPYING* +%{_libexecdir}/tpm2daemon* + +%changelog diff --git a/scdaemon.udev b/scdaemon.udev new file mode 100644 index 0000000..1c9e1e2 --- /dev/null +++ b/scdaemon.udev @@ -0,0 +1,65 @@ +# do not edit this file, it will be overwritten on update + +SUBSYSTEM!="usb", GOTO="gnupg_rules_end" +ACTION!="add", GOTO="gnupg_rules_end" + +# USB SmartCard Readers +## Cherry GmbH (XX33, ST2000) +SUBSYSTEM=="usb", ATTR{idVendor}=="046a", ATTR{idProduct}=="0005", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="046a", ATTR{idProduct}=="0010", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="046a", ATTR{idProduct}=="003e", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## SCM Microsystems, Inc (SCR331-DI, SCR335, SCR3320, SCR331, SCR3310 and SPR532) +SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5111", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5115", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5116", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5117", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="e001", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="e003", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Omnikey AG (CardMan 3821, CardMan 6121) +SUBSYSTEM=="usb", ATTR{idVendor}=="076b", ATTR{idProduct}=="3821", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="076b", ATTR{idProduct}=="6622", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Gemalto +SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="3437", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="3438", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="3478", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="34c2", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="34ec", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Reiner (SCT cyberJack) +SUBSYSTEM=="usb", ATTR{idVendor}=="0c4b", ATTR{idProduct}=="0500", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Kobil (KAAN) +SUBSYSTEM=="usb", ATTR{idVendor}=="0d46", ATTR{idProduct}=="2012", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## VASCO (DIGIPASS 920) +SUBSYSTEM=="usb", ATTR{idVendor}=="1a44", ATTR{idProduct}=="0920", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Crypto Stick +SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4107", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Nitrokey +SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4108", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4109", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4211", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Gnuk Token +SUBSYSTEM=="usb", ATTR{idVendor}=="234b", ATTR{idProduct}=="0000", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Alcor Micro Corp cardreader (in ThinkPad X250) +SUBSYSTEM=="usb", ATTR{idVendor}=="058f", ATTR{idProduct}=="9540", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Fujitsu Siemens +SUBSYSTEM=="usb", ATTR{idVendor}=="0bf8", ATTR{idProduct}=="1006", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Yubico +# Yubikey NEO OTP+CCID +SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0111", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey NEO CCID +SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0112", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey NEO U2F+CCID +SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0115", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey NEO OTP+U2F+CCID +SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0116", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey 4 CCID +SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0404", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey 4 OTP+CCID +SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0405", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey 4 U2F+CCID +SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0406", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey 4 OTP+U2F+CCID +SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Trustica Cryptoucan +SUBSYSTEM=="usb", ATTR{idVendor}=="1fc9", ATTR{idProduct}=="81e6", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" + +LABEL="gnupg_rules_end"