Accepting request 1012076 from home:pmonrealgonzalez:branches:Base:System

- GnuPG 2.3.8: * gpg: Do not consider unknown public keys as non-compliant while decrypting. * gpg: Avoid to emit a compliance mode line if Libgcrypt is non-compliant. * gpg: Improve --edit-key setpref command to ease c+p. * gpg: Emit an ERROR status if --quick-set-primary-uid fails and allow to pass the user ID by hash. * gpg: Actually show symmetric+pubkey encrypted data as de-vs compliant. Add extra compliance checks for symkey_enc packets. * gpg: In de-vs mode use SHA-256 instead of SHA-1 as implicit preference. * gpgsm: Fix reporting of bad passphrase error during PKCS#11 import. * agent: Fix a regression in "READKEY --format=ssh". * agent: New option --need-attr for KEYINFO. * agent: New attribute "Remote-list" for use by KEYINFO. * scd: Fix problem with Yubikey 5.4 firmware. * dirmngr: Fix CRL Distribution Point fallback to other schemes. * dirmngr: New LDAP server flag "areconly" (A-record-only). * dirmngr: Fix upload of multiple keys for an LDAP server specified using the colon format. * dirmngr: Use LDAP schema v2 when a Base DN is specified. * dirmngr: Avoid caching expired certificates. * wkd: Fix path traversal attack in gpg-wks-server. Add the mail address to the pending request data. * wkd: New command --mirror for gpg-wks-client. * gpg-auth: New tool for authentication. * New common.conf option no-autostart. * Silence warnings from AllowSetForegroundWindow unless OBS-URL: https://build.opensuse.org/request/show/1012076 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=280
2022-10-17 18:43:45 +00:00 · 2022-10-17 18:43:45 +00:00 · 1567d49408
commit 1567d49408
parent a47f80ec30
8 changed files with 49 additions and 89 deletions
--- a/gnupg-2.3.7-scd-openpgp-Fix-workaround-for-Yubikey-heuristics.patch
+++ b/gnupg-2.3.7-scd-openpgp-Fix-workaround-for-Yubikey-heuristics.patch
@ -1,61 +0,0 @@
-From f34b9147eb3070bce80d53febaa564164cd6c977 Mon Sep 17 00:00:00 2001
-From: NIIBE Yutaka <gniibe@fsij.org>
-Date: Wed, 13 Jul 2022 10:40:55 +0900
-Subject: [PATCH] scd:openpgp: Fix workaround for Yubikey heuristics.
-References: https://bugzilla.opensuse.org/show_bug.cgi?id=1202201
-
-* scd/app-openpgp.c (parse_algorithm_attribute): Handle the case
-of firmware 5.4, too.
-
--
-
-GnuPG-bug-id: 6070
-Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
- scd/app-openpgp.c | 29 +++++++++++++++++++++--------
- 1 file changed, 21 insertions(+), 8 deletions(-)
-
-diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c
-index 8bb346a86..4667416df 100644
--- a/scd/app-openpgp.c
-+++ b/scd/app-openpgp.c
-@@ -6259,15 +6259,28 @@ parse_algorithm_attribute (app_t app, int keyno)
-       app->app_local->keyattr[keyno].ecc.algo = *buffer;
-       app->app_local->keyattr[keyno].ecc.flags = 0;
- 
-      if (APP_CARD(app)->cardtype == CARDTYPE_YUBIKEY
-	  || buffer[buflen-1] == 0x00 || buffer[buflen-1] == 0xff)
-        { /* Found "pubkey required"-byte for private key template.  */
-          oidlen--;
-          if (buffer[buflen-1] == 0xff)
-            app->app_local->keyattr[keyno].ecc.flags |= ECC_FLAG_PUBKEY;
-+      if (APP_CARD(app)->cardtype == CARDTYPE_YUBIKEY)
-+        {
-+          /* Yubikey implementations vary.
-+           * Firmware version 5.2 returns "pubkey required"-byte with
-+           * 0x00, but after removal and second time insertion, it
-+           * returns bogus value there.
-+           * Firmware version 5.4 returns none.
-+           */
-+          curve = ecc_curve (buffer + 1, oidlen);
-+          if (!curve)
-+            curve = ecc_curve (buffer + 1, oidlen - 1);
-+        }
-+      else
-+        {
-+          if (buffer[buflen-1] == 0x00 || buffer[buflen-1] == 0xff)
-+            { /* Found "pubkey required"-byte for private key template.  */
-+              oidlen--;
-+              if (buffer[buflen-1] == 0xff)
-+                app->app_local->keyattr[keyno].ecc.flags |= ECC_FLAG_PUBKEY;
-+            }
-+          curve = ecc_curve (buffer + 1, oidlen);
-         }
-
-      curve = ecc_curve (buffer + 1, oidlen);
- 
-       if (!curve)
-         {
-- 
-2.37.1
-
--- a/gnupg-2.3.7.tar.bz2
+++ b/gnupg-2.3.7.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ee163a5fb9ec99ffc1b18e65faef8d086800c5713d15a672ab57d3799da83669
-size 7599853
--- a/gnupg-2.3.7.tar.bz2.sig
+++ b/gnupg-2.3.7.tar.bz2.sig
--- a/gnupg-2.3.8.tar.bz2
+++ b/gnupg-2.3.8.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:540b7a40e57da261fb10ef521a282e0021532a80fd023e75fb71757e8a4969ed
+size 7644926
--- a/gnupg-2.3.8.tar.bz2.sig
+++ b/gnupg-2.3.8.tar.bz2.sig
--- a/gnupg-detect_FIPS_mode.patch
+++ b/gnupg-detect_FIPS_mode.patch
@ -1,34 +1,18 @@
-Index: gnupg-2.1.1/g10/encrypt.c
+Index: gnupg-2.3.8/g10/mainproc.c
 ===================================================================
--- gnupg-2.1.1.orig/g10/encrypt.c
-+++ gnupg-2.1.1/g10/encrypt.c
-@@ -783,7 +783,10 @@ encrypt_filter (void *opaque, int contro
-                   /* Because 3DES is implicitly in the prefs, this can
-                      only happen if we do not have any public keys in
-                      the list.  */
-                  efx->cfx.dek->algo = DEFAULT_CIPHER_ALGO;
-+		   /* Libgcrypt manual says that gcry_version_check must be called
-+		      before calling gcry_fips_mode_active. */
-+		    gcry_check_version (NULL);
-+		    efx->cfx.dek->algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : DEFAULT_CIPHER_ALGO;
-                 }
- 
-               /* In case 3DES has been selected, print a warning if
-Index: gnupg-2.1.1/g10/mainproc.c
-===================================================================
--- gnupg-2.1.1.orig/g10/mainproc.c
-+++ gnupg-2.1.1/g10/mainproc.c
-@@ -719,7 +719,12 @@ proc_plaintext( CTX c, PACKET *pkt )
+--- gnupg-2.3.8.orig/g10/mainproc.c
+++ gnupg-2.3.8/g10/mainproc.c
+@@ -1011,7 +1011,12 @@ proc_plaintext( CTX c, PACKET *pkt )
          according to 2440, so hopefully it won't come up that often.
          There is no good way to specify what algorithms to use in
          that case, so these there are the historical answer. */
 -	gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
 +
 +	/* Libgcrypt manual says that gcry_version_check must be called
-+	   before calling gcry_fips_mode_active. */
+	 * before calling gcry_fips_mode_active. */
 +	gcry_check_version (NULL);
-+	if( !gcry_fips_mode_active() )
-+	  gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
+	if(!gcry_fips_mode_active())
+	  gcry_md_enable(c->mfx.md, DIGEST_ALGO_RMD160);
 	gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
     }
   if (DBG_HASHING)
--- a/gpg2.changes
+++ b/gpg2.changes
@ -1,3 +1,41 @@
+-------------------------------------------------------------------
+Mon Oct 17 11:35:11 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
+
+- GnuPG 2.3.8:
+  * gpg: Do not consider unknown public keys as non-compliant while
+    decrypting.
+  * gpg: Avoid to emit a compliance mode line if Libgcrypt is
+    non-compliant.
+  * gpg: Improve --edit-key setpref command to ease c+p.
+  * gpg: Emit an ERROR status if --quick-set-primary-uid fails and
+    allow to pass the user ID by hash.
+  * gpg: Actually show symmetric+pubkey encrypted data as de-vs
+    compliant.  Add extra compliance checks for symkey_enc packets.
+  * gpg: In de-vs mode use SHA-256 instead of SHA-1 as implicit
+    preference.
+  * gpgsm: Fix reporting of bad passphrase error during PKCS#11
+    import.
+  * agent: Fix a regression in "READKEY --format=ssh".
+  * agent: New option --need-attr for KEYINFO.
+  * agent: New attribute "Remote-list" for use by KEYINFO.
+  * scd: Fix problem with Yubikey 5.4 firmware.
+  * dirmngr: Fix CRL Distribution Point fallback to other schemes.
+  * dirmngr: New LDAP server flag "areconly" (A-record-only).
+  * dirmngr: Fix upload of multiple keys for an LDAP server specified
+    using the colon format.
+  * dirmngr: Use LDAP schema v2 when a Base DN is specified.
+  * dirmngr: Avoid caching expired certificates.
+  * wkd: Fix path traversal attack in gpg-wks-server. Add the mail
+    address to the pending request data.
+  * wkd: New command --mirror for gpg-wks-client.
+  * gpg-auth: New tool for authentication.
+  * New common.conf option no-autostart.
+  * Silence warnings from AllowSetForegroundWindow unless
+    GNUPG_EXEC_DEBUG_FLAGS is used.
+  * Rebase gnupg-detect_FIPS_mode.patch
+  * Remove patch upstream:
+    - gnupg-2.3.7-scd-openpgp-Fix-workaround-for-Yubikey-heuristics.patch
+
 -------------------------------------------------------------------
 Mon Aug  8 18:00:44 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

--- a/gpg2.spec
+++ b/gpg2.spec
@ -17,7 +17,7 @@


 Name:           gpg2
-Version:        2.3.7
+Version:        2.3.8
 Release:        0
 Summary:        File encryption, decryption, signature creation and verification utility
 License:        GPL-3.0-or-later
@ -39,7 +39,6 @@ Patch7:         gnupg-2.2.16-secmem.patch
 Patch8:         gnupg-accept_subkeys_with_a_good_revocation_but_no_self-sig_during_import.patch
 Patch9:         gnupg-add-test-cases-for-import-without-uid.patch
 Patch10:        gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
-Patch11:        gnupg-2.3.7-scd-openpgp-Fix-workaround-for-Yubikey-heuristics.patch
 BuildRequires:  expect
 BuildRequires:  fdupes
 BuildRequires:  ibmswtpm2