Accepting request 512955 from security:privacy

GnuPG 2.1.22

OBS-URL: https://build.opensuse.org/request/show/512955
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=175

gnupg-2.0.18-files-are-digests.patch

@@ -4,11 +4,11 @@
  g10/sign.c    |   68 ++++++++++++++++++++++++++++++++++++++++++++++++++++------
  3 files changed, 67 insertions(+), 6 deletions(-)
 
-Index: gnupg-2.1.21/g10/gpg.c
+Index: gnupg-2.1.22/g10/gpg.c
 ===================================================================
---- gnupg-2.1.21.orig/g10/gpg.c	2017-04-03 17:13:56.000000000 +0200
+--- gnupg-2.1.22.orig/g10/gpg.c
-+++ gnupg-2.1.21/g10/gpg.c	2017-04-04 15:59:20.823799866 +0200
++++ gnupg-2.1.22/g10/gpg.c
-@@ -374,6 +374,7 @@ enum cmd_and_opt_values
+@@ -379,6 +379,7 @@ enum cmd_and_opt_values
      oTTYtype,
      oLCctype,
      oLCmessages,
@@ -16,7 +16,7 @@ Index: gnupg-2.1.21/g10/gpg.c
      oXauthority,
      oGroup,
      oUnGroup,
-@@ -820,6 +821,7 @@ static ARGPARSE_OPTS opts[] = {
+@@ -828,6 +829,7 @@ static ARGPARSE_OPTS opts[] = {
    ARGPARSE_s_s (oWeakDigest, "weak-digest","@"),
    ARGPARSE_s_n (oUnwrap, "unwrap", "@"),
    ARGPARSE_s_n (oOnlySignTextIDs, "only-sign-text-ids", "@"),
@@ -24,7 +24,7 @@ Index: gnupg-2.1.21/g10/gpg.c
  
    /* Aliases.  I constantly mistype these, and assume other people do
       as well. */
-@@ -2393,6 +2395,7 @@ main (int argc, char **argv)
+@@ -2383,6 +2385,7 @@ main (int argc, char **argv)
      opt.def_cert_expire = "0";
      gnupg_set_homedir (NULL);
      opt.passphrase_repeat = 1;
@@ -32,7 +32,7 @@ Index: gnupg-2.1.21/g10/gpg.c
      opt.emit_version = 0;
      opt.weak_digests = NULL;
      additional_weak_digest("MD5");
-@@ -2942,6 +2945,7 @@ main (int argc, char **argv)
+@@ -2944,6 +2947,7 @@ main (int argc, char **argv)
  	    opt.verify_options&=~VERIFY_SHOW_PHOTOS;
  	    break;
  	  case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break;
@@ -40,11 +40,11 @@ Index: gnupg-2.1.21/g10/gpg.c
  
  	  case oForceMDC: opt.force_mdc = 1; break;
  	  case oNoForceMDC: opt.force_mdc = 0; break;
-Index: gnupg-2.1.21/g10/options.h
+Index: gnupg-2.1.22/g10/options.h
 ===================================================================
---- gnupg-2.1.21.orig/g10/options.h	2017-04-03 17:13:56.000000000 +0200
+--- gnupg-2.1.22.orig/g10/options.h
-+++ gnupg-2.1.21/g10/options.h	2017-04-04 15:59:20.827799905 +0200
++++ gnupg-2.1.22/g10/options.h
-@@ -214,6 +214,7 @@ struct
+@@ -212,6 +212,7 @@ struct
    int no_auto_check_trustdb;
    int preserve_permissions;
    int no_homedir_creation;
@@ -52,20 +52,20 @@ Index: gnupg-2.1.21/g10/options.h
    struct groupitem *grouplist;
    int mangle_dos_filenames;
    int enable_progress_filter;
-Index: gnupg-2.1.21/g10/sign.c
+Index: gnupg-2.1.22/g10/sign.c
 ===================================================================
---- gnupg-2.1.21.orig/g10/sign.c	2017-04-03 17:13:56.000000000 +0200
+--- gnupg-2.1.22.orig/g10/sign.c
-+++ gnupg-2.1.21/g10/sign.c	2017-04-04 15:59:27.515864763 +0200
++++ gnupg-2.1.22/g10/sign.c
-@@ -42,6 +42,8 @@
+@@ -43,6 +43,8 @@
- #include "call-agent.h"
  #include "../common/mbox-util.h"
+ #include "../common/compliance.h"
  
 +#include "../common/host2net.h"
 +
  #ifdef HAVE_DOSISH_SYSTEM
  #define LF "\r\n"
  #else
-@@ -695,6 +697,8 @@ write_signature_packets(ctrl_t ctrl,
+@@ -727,6 +729,8 @@ write_signature_packets (ctrl_t ctrl,
        if (duration || opt.sig_policy_url
            || opt.sig_notations || opt.sig_keyserver_url)
          sig->version = 4;
@@ -73,8 +73,8 @@ Index: gnupg-2.1.21/g10/sign.c
 +        sig->version = 3;
        else
          sig->version = pk->version;
-
+ 
-@@ -718,8 +720,12 @@ write_signature_packets (ctrl_t ctrl,
+@@ -750,8 +754,12 @@ write_signature_packets (ctrl_t ctrl,
            mk_notation_policy_etc (sig, NULL, pk);
          }
  
@@ -87,7 +87,7 @@ Index: gnupg-2.1.21/g10/sign.c
  
        rc = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce);
        gcry_md_close (md);
-@@ -781,6 +787,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -813,6 +821,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
      SK_LIST sk_rover = NULL;
      int multifile = 0;
      u32 duration=0;
@@ -96,7 +96,7 @@ Index: gnupg-2.1.21/g10/sign.c
  
      pfx = new_progress_context ();
      afx = new_armor_context ();
-@@ -798,7 +806,16 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -830,7 +840,16 @@ sign_file (ctrl_t ctrl, strlist_t filena
  	fname = NULL;
  
      if( fname && filenames->next && (!detached || encryptflag) )
@@ -114,7 +114,7 @@ Index: gnupg-2.1.21/g10/sign.c
  
      if(encryptflag==2
         && (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek)))
-@@ -819,7 +836,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -851,7 +870,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
        goto leave;
  
      /* prepare iobufs */
@@ -123,7 +123,7 @@ Index: gnupg-2.1.21/g10/sign.c
  	inp = NULL; /* we do it later */
      else {
        inp = iobuf_open(fname);
-@@ -957,7 +974,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -989,7 +1008,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
      for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next)
        gcry_md_enable (mfx.md, hash_for (sk_rover->pk));
  
@@ -132,7 +132,7 @@ Index: gnupg-2.1.21/g10/sign.c
  	iobuf_push_filter( inp, md_filter, &mfx );
  
      if( detached && !encryptflag)
-@@ -1012,6 +1029,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -1044,6 +1063,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
  
      write_status_begin_signing (mfx.md);
  
@@ -141,7 +141,7 @@ Index: gnupg-2.1.21/g10/sign.c
      /* Setup the inner packet. */
      if( detached ) {
  	if( multifile ) {
-@@ -1052,6 +1071,45 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -1084,6 +1105,45 @@ sign_file (ctrl_t ctrl, strlist_t filena
  	    if( opt.verbose )
                log_printf ("\n");
  	}
@@ -187,7 +187,7 @@ Index: gnupg-2.1.21/g10/sign.c
  	else {
  	    /* read, so that the filter can calculate the digest */
  	    while( iobuf_get(inp) != -1 )
-@@ -1070,8 +1128,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -1102,8 +1162,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
  
      /* write the signatures */
      rc = write_signature_packets (ctrl, sk_list, out, mfx.md,

gnupg-2.1.21.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7aead8a8ba75b69866f583b6c747d91414d523bfdfbe9a8e0fe026b16ba427dd
-size 6472887

gnupg-2.1.22.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:46716faf9e1b92cfca86609f3bfffbf5bb4b6804df90dc853ff7061cfcfb4ad7
+size 6530433

gnupg-add_legacy_FIPS_mode_option.patch

@@ -3,11 +3,11 @@
  g10/gpg.c    |    9 +++++++++
  2 files changed, 27 insertions(+)
 
-Index: gnupg-2.1.17/doc/gpg.texi
+Index: gnupg-2.1.22/doc/gpg.texi
 ===================================================================
---- gnupg-2.1.17.orig/doc/gpg.texi
+--- gnupg-2.1.22.orig/doc/gpg.texi
-+++ gnupg-2.1.17/doc/gpg.texi
++++ gnupg-2.1.22/doc/gpg.texi
-@@ -2034,6 +2034,24 @@ implies, this option is for experts only
+@@ -2079,6 +2079,24 @@ implies, this option is for experts only
  understand the implications of what it allows you to do, leave this
  off. @option{--no-expert} disables this option.
  
@@ -32,19 +32,19 @@ Index: gnupg-2.1.17/doc/gpg.texi
  @end table
  
  
-Index: gnupg-2.1.17/g10/gpg.c
+Index: gnupg-2.1.22/g10/gpg.c
 ===================================================================
---- gnupg-2.1.17.orig/g10/gpg.c
+--- gnupg-2.1.22.orig/g10/gpg.c
-+++ gnupg-2.1.17/g10/gpg.c
++++ gnupg-2.1.22/g10/gpg.c
-@@ -415,6 +415,7 @@ enum cmd_and_opt_values
+@@ -422,6 +422,7 @@ enum cmd_and_opt_values
-     oOnlySignTextIDs,
      oDisableSignerUID,
      oSender,
+     oKeyOrigin,
 +    oSetLegacyFips,
  
      oNoop
    };
-@@ -857,6 +858,7 @@ static ARGPARSE_OPTS opts[] = {
+@@ -867,6 +868,7 @@ static ARGPARSE_OPTS opts[] = {
    ARGPARSE_s_n (oAllowMultipleMessages,      "allow-multiple-messages", "@"),
    ARGPARSE_s_n (oNoAllowMultipleMessages, "no-allow-multiple-messages", "@"),
    ARGPARSE_s_n (oAllowWeakDigestAlgos, "allow-weak-digest-algos", "@"),
@@ -52,7 +52,7 @@ Index: gnupg-2.1.17/g10/gpg.c
  
    ARGPARSE_s_s (oDefaultNewKeyAlgo, "default-new-key-algo", "@"),
  
-@@ -3510,6 +3512,13 @@ main (int argc, char **argv)
+@@ -3537,6 +3539,13 @@ main (int argc, char **argv)
              opt.def_new_key_algo = pargs.r.ret_str;
              break;
  

gpg2.changes

@@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Fri Jul 28 19:29:52 UTC 2017 - astieger@suse.com
+
+- GnuPG 2.1.22:
+  * gpg: Extend command --quick-set-expire to allow for setting the
+    expiration time of subkeys.
+  * gpg: By default try to repair keys during import. New sub-option
+    no-repair-keys for --import-options.
+  * gpg,gpgsm: Improved checking and reporting of DE-VS compliance.
+  * gpg: New options --key-origin and --with-key-origin. Store the
+    time of the last key update from keyservers, WKD, or DANE.
+  * agent: New option --ssh-fingerprint-digest.
+  * dimngr: Lower timeouts on keyserver connection attempts and made
+    it configurable.
+  * dirmngr: Tor will now automatically be detected and used. The
+    option --no-use-tor disables Tor detection.
+  * dirmngr: Now detects a changed /etc/resolv.conf.
+  * agent,dirmngr: Initiate shutdown on removal of the GnuPG home
+    directory.
+  * gpg: Avoid caching passphrase for failed symmetric encryption.
+  * agent: Support for unprotected ssh keys.
+  * dirmngr: Fixed name resolving on systems using only v6
+    nameservers.
+  * dirmngr: Allow the use of TLS over http proxies.
+  * wks: New man pages for client and server.
+
 -------------------------------------------------------------------
 Fri May 19 11:59:24 UTC 2017 - marco.strigl@suse.com
 

gpg2.spec

@@ -17,7 +17,7 @@
 
 
 Name:           gpg2
-Version:        2.1.21
+Version:        2.1.22
 Release:        0
 Summary:        File encryption, decryption, signature creation and verification utility
 License:        GPL-3.0+
@@ -67,7 +67,6 @@ Provides:       newpg
 # special feature needed for OBS signd
 Provides:       gpg2_signd_support
 Obsoletes:      gpg < 1.4.9
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
 GnuPG is a hybrid-encryption software program; it uses a combination
@@ -104,13 +103,13 @@ date=$(date -u +%%Y-%%m-%%dT%%H:%%M+0000 -r %{SOURCE99})
     --enable-large-secmem \
     --enable-wks-tools \
     --with-gnu-ld \
-    --with-default-trust-store=/etc/ssl/ca-bundle.pem \
+    --with-default-trust-store=%{_sysconfdir}/ssl/ca-bundle.pem \
     --enable-build-timestamp=$date \
 
 make %{?_smp_mflags}
 
 %install
-make %{?_smp_mflags} DESTDIR=%{buildroot} install
+%make_install
 mkdir -p %{buildroot}%{_sysconfdir}/gnupg/
 # bnc#391347
 install -m 644 doc/examples/gpgconf.conf %{buildroot}%{_sysconfdir}/gnupg
@@ -125,7 +124,7 @@ ln -sf gpgv2.1 %{buildroot}%{_mandir}/man1/gpgv.1
 # fix rpmlint invalid-lc-messages-dir:
 rm -rf %{buildroot}/%{_datadir}/locale/en@{bold,}quot
 # additional files to documentation directory
-install -m 644 AUTHORS COPYING ChangeLog NEWS THANKS TODO doc/FAQ %{buildroot}/%{_docdir}/%{name}
+install -m 644 AUTHORS COPYING* ChangeLog NEWS THANKS TODO doc/FAQ %{buildroot}/%{_docdir}/%{name}
 # install scdaemon to %{_bindir} (bnc#863645)
 mv %{buildroot}%{_libdir}/scdaemon %{buildroot}%{_bindir}
 mv %{buildroot}%{_libdir}/dirmngr_ldap %{buildroot}%{_bindir}
@@ -149,10 +148,8 @@ install -m 755 tools/gpg-zip %{buildroot}/%{_bindir}
 %install_info_delete --info-dir=%{_infodir} %{_infodir}/gnupg.info.gz
 
 %files lang -f gnupg2.lang
-%defattr(-,root,root)
 
 %files
-%defattr(-,root,root)
 %{_infodir}/gnupg*
 %{_mandir}/*/*%{ext_man}
 %doc %{_docdir}/%{name}