Accepting request 883690 from home:AndreasStieger:branches:Base:System

GnuPG 2.3.0

OBS-URL: https://build.opensuse.org/request/show/883690
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=263
Dirk Mueller 2021-04-17 14:15:27 +00:00 committed by Git OBS Bridge
parent c9e0dcf362
commit 58d8332fde
11 changed files with 117 additions and 266 deletions


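--- a/gnupg-2.2.27.tar.bz2
+++ b/gnupg-2.2.27.tar.bz2
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:34e60009014ea16402069136e0a5f63d9b65f90096244975db5cea74b3d02399
-size 7191555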



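--- a/gnupg-2.2.8-files-are-digests.patch
+++ b/gnupg-2.2.8-files-are-digests.patch
@@ -1,200 +0,0 @@
----
-g10/gpg.c | 4 +++
-g10/options.h | 1
-g10/sign.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++------
-3 files changed, 67 insertions(+), 6 deletions(-)
-Index: gnupg-2.2.27/g10/gpg.c
-===================================================================
---- gnupg-2.2.27.orig/g10/gpg.c
-+++ gnupg-2.2.27/g10/gpg.c
-@@ -382,6 +382,7 @@ enum cmd_and_opt_values
-oTTYtype,
-oLCctype,
-oLCmessages,
-+ oFilesAreDigests,
-oXauthority,
-oGroup,
-oUnGroup,
-@@ -838,6 +839,7 @@ static ARGPARSE_OPTS opts[] = {
-ARGPARSE_s_s (oWeakDigest, "weak-digest","@"),
-ARGPARSE_s_n (oUnwrap, "unwrap", "@"),
-ARGPARSE_s_n (oOnlySignTextIDs, "only-sign-text-ids", "@"),
-+ ARGPARSE_s_n (oFilesAreDigests, "files-are-digests", "@"),
-/* Aliases. I constantly mistype these, and assume other people do
-as well. */
-@@ -2372,6 +2374,7 @@ main (int argc, char **argv)
-opt.def_cert_expire = "0";
-gnupg_set_homedir (NULL);
-opt.passphrase_repeat = 1;
-+ opt.files_are_digests=0;
-opt.emit_version = 0;
-opt.weak_digests = NULL;
-@@ -2944,6 +2947,7 @@ main (int argc, char **argv)
-opt.verify_options&=~VERIFY_SHOW_PHOTOS;
-break;
-case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break;
-+ case oFilesAreDigests: opt.files_are_digests = 1; break;
-case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break;
-case oIncludeKeyBlock: opt.flags.include_key_block = 1; break;
-Index: gnupg-2.2.27/g10/options.h
-===================================================================
---- gnupg-2.2.27.orig/g10/options.h
-+++ gnupg-2.2.27/g10/options.h
-@@ -202,6 +202,7 @@ struct
-int no_auto_check_trustdb;
-int preserve_permissions;
-int no_homedir_creation;
-+ int files_are_digests;
-struct groupitem *grouplist;
-int mangle_dos_filenames;
-int enable_progress_filter;
-Index: gnupg-2.2.27/g10/sign.c
-===================================================================
---- gnupg-2.2.27.orig/g10/sign.c
-+++ gnupg-2.2.27/g10/sign.c
-@@ -43,6 +43,8 @@
-#include "../common/mbox-util.h"
-#include "../common/compliance.h"
-+#include "../common/host2net.h"
-+
-#ifdef HAVE_DOSISH_SYSTEM
-#define LF "\r\n"
-#else
-@@ -844,6 +846,8 @@ write_signature_packets (ctrl_t ctrl,
-if (duration || opt.sig_policy_url
-|| opt.sig_notations || opt.sig_keyserver_url)
-sig->version = 4;
-+ else if (opt.files_are_digests)
-+ sig->version = 3;
-else
-sig->version = pk->version;
-@@ -872,8 +876,12 @@ write_signature_packets (ctrl_t ctrl,
-}
-else
-err = 0; /* Actually never reached. */
-+ if (!opt.files_are_digests) {
-hash_sigversion_to_magic (md, sig);
-gcry_md_final (md);
-+ } else if (sig->version >= 4) {
-+ log_bug("files-are-digests doesn't work with v4 sigs\n");
-+ }
-if (!err)
-err = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce, 0);
-@@ -937,6 +945,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
-SK_LIST sk_rover = NULL;
-int multifile = 0;
-u32 duration=0;
-+ int sigclass = 0x00;
-+ u32 timestamp = 0;
-pfx = new_progress_context ();
-afx = new_armor_context ();
-@@ -954,7 +964,16 @@ sign_file (ctrl_t ctrl, strlist_t filena
-fname = NULL;
-if( fname && filenames->next && (!detached || encryptflag) )
-- log_bug("multiple files can only be detached signed");
-+ log_bug("multiple files can only be detached signed\n");
-+
-+ if (opt.files_are_digests && (multifile || !fname))
-+ log_bug("files-are-digests only works with one file\n");
-+ if (opt.files_are_digests && !detached)
-+ log_bug("files-are-digests can only write detached signatures\n");
-+ if (opt.files_are_digests && !opt.def_digest_algo)
-+ log_bug("files-are-digests needs --digest-algo\n");
-+ if (opt.files_are_digests && opt.textmode)
-+ log_bug("files-are-digests doesn't work with --textmode\n");
-if(encryptflag==2
-&& (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek)))
-@@ -975,7 +994,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
-goto leave;
-/* prepare iobufs */
-- if( multifile ) /* have list of filenames */
-+ if( multifile || opt.files_are_digests) /* have list of filenames */
-inp = NULL; /* we do it later */
-else {
-inp = iobuf_open(fname);
-@@ -1124,7 +1143,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
-for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next)
-gcry_md_enable (mfx.md, hash_for (sk_rover->pk));
-- if( !multifile )
-+ if( !multifile && !opt.files_are_digests )
-iobuf_push_filter( inp, md_filter, &mfx );
-if( detached && !encryptflag)
-@@ -1179,6 +1198,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
-write_status_begin_signing (mfx.md);
-+ sigclass = opt.textmode && !outfile? 0x01 : 0x00;
-+
-/* Setup the inner packet. */
-if( detached ) {
-if( multifile ) {
-@@ -1219,6 +1240,45 @@ sign_file (ctrl_t ctrl, strlist_t filena
-if( opt.verbose )
-log_printf ("\n");
-}
-+ else if (opt.files_are_digests) {
-+ byte *mdb, ts[5];
-+ size_t mdlen;
-+ const char *fp;
-+ int c, d;
-+
-+ gcry_md_final(mfx.md);
-+ /* this assumes gcry_md_read returns the same buffer */
-+ mdb = gcry_md_read(mfx.md, opt.def_digest_algo);
-+ mdlen = gcry_md_get_algo_dlen(opt.def_digest_algo);
-+ if (strlen(fname) != mdlen * 2 + 11)
-+ log_bug("digests must be %d + @ + 5 bytes\n", mdlen);
-+ d = -1;
-+ for (fp = fname ; *fp; ) {
-+ c = *fp++;
-+ if (c >= '0' && c <= '9')
-+ c -= '0';
-+ else if (c >= 'a' && c <= 'f')
-+ c -= 'a' - 10;
-+ else if (c >= 'A' && c <= 'F')
-+ c -= 'A' - 10;
-+ else
-+ log_bug("filename is not hex\n");
-+ if (d >= 0) {
-+ *mdb++ = d << 4 | c;
-+ c = -1;
-+ if (--mdlen == 0) {
-+ mdb = ts;
-+ if (*fp++ != '@')
-+ log_bug("missing time separator\n");
-+ }
-+ }
-+ d = c;
-+ }
-+ sigclass = ts[0];
-+ if (sigclass != 0x00 && sigclass != 0x01)
-+ log_bug("bad cipher class\n");
-+ timestamp = buf32_to_u32(ts + 1);
-+ }
-else {
-/* read, so that the filter can calculate the digest */
-while( iobuf_get(inp) != -1 )
-@@ -1237,8 +1297,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
-/* write the signatures */
-rc = write_signature_packets (ctrl, sk_list, out, mfx.md,
-- opt.textmode && !outfile? 0x01 : 0x00,
-- 0, duration, detached ? 'D':'S', NULL);
-+ sigclass,
-+ timestamp, duration, detached ? 'D':'S', NULL);
-if( rc )
-goto leave;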

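--- a/gnupg-2.3.0.tar.bz2
+++ b/gnupg-2.3.0.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:84c1ef39e8621cfb70f31463a5d1d8edeab44332bc1e0e1af9b78b6f9ed05bb4
+size 7557228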

gnupg-2.3.0.tar.bz2.sig Normal file



@ -3,11 +3,11 @@
g10/gpg.c | 9 +++++++++
2 files changed, 27 insertions(+)
Index: gnupg-2.2.20/doc/gpg.texi
Index: gnupg-2.3.0/doc/gpg.texi
===================================================================
--- gnupg-2.2.20.orig/doc/gpg.texi
+++ gnupg-2.2.20/doc/gpg.texi
@@ -2133,6 +2133,24 @@ implies, this option is for experts only
--- gnupg-2.3.0.orig/doc/gpg.texi
+++ gnupg-2.3.0/doc/gpg.texi
@@ -2178,6 +2178,24 @@ implies, this option is for experts only
understand the implications of what it allows you to do, leave this
off. @option{--no-expert} disables this option.
@ -32,28 +32,28 @@ Index: gnupg-2.2.20/doc/gpg.texi
@end table
Index: gnupg-2.2.20/g10/gpg.c
Index: gnupg-2.3.0/g10/gpg.c
===================================================================
--- gnupg-2.2.20.orig/g10/gpg.c
+++ gnupg-2.2.20/g10/gpg.c
@@ -429,6 +429,7 @@ enum cmd_and_opt_values
oUseOnlyOpenPGPCard,
oIncludeKeyBlock,
--- gnupg-2.3.0.orig/g10/gpg.c
+++ gnupg-2.3.0/g10/gpg.c
@@ -437,6 +437,7 @@ enum cmd_and_opt_values
oNoIncludeKeyBlock,
oChUid,
oForceSignKey,
+ oSetLegacyFips,
oNoop
};
@@ -874,6 +875,7 @@ static ARGPARSE_OPTS opts[] = {
ARGPARSE_s_n (oAllowMultipleMessages, "allow-multiple-messages", "@"),
ARGPARSE_s_n (oNoAllowMultipleMessages, "no-allow-multiple-messages", "@"),
ARGPARSE_s_n (oAllowWeakDigestAlgos, "allow-weak-digest-algos", "@"),
@@ -870,6 +871,7 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_s (oAEADAlgo, "aead-algo", "@"),
ARGPARSE_s_s (oDigestAlgo, "digest-algo", "@"),
ARGPARSE_s_s (oCertDigestAlgo, "cert-digest-algo", "@"),
+ ARGPARSE_s_n (oSetLegacyFips, "set-legacy-fips", "@"),
ARGPARSE_s_s (oDefaultNewKeyAlgo, "default-new-key-algo", "@"),
@@ -3614,6 +3616,13 @@ main (int argc, char **argv)
opt.flags.use_only_openpgp_card = 1;
ARGPARSE_header (NULL, N_("Options for unattended use")),
@@ -3688,6 +3690,13 @@ main (int argc, char **argv)
opt.flags.full_timestrings = 1;
break;
+ case oSetLegacyFips:


@ -17,11 +17,11 @@ Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
g10/import.c | 49 +++++++++++--------------------------------------
1 file changed, 11 insertions(+), 38 deletions(-)
Index: gnupg-2.2.19/g10/import.c
Index: gnupg-2.3.0/g10/import.c
===================================================================
--- gnupg-2.2.19.orig/g10/import.c
+++ gnupg-2.2.19/g10/import.c
@@ -1792,7 +1792,6 @@ import_one_real (ctrl_t ctrl,
--- gnupg-2.3.0.orig/g10/import.c
+++ gnupg-2.3.0/g10/import.c
@@ -1876,7 +1876,6 @@ import_one_real (ctrl_t ctrl,
size_t an;
char pkstrbuf[PUBKEY_STRING_SIZE];
int merge_keys_done = 0;
@ -29,12 +29,12 @@ Index: gnupg-2.2.19/g10/import.c
KEYDB_HANDLE hd = NULL;
if (r_valid)
@@ -1829,14 +1828,6 @@ import_one_real (ctrl_t ctrl,
@@ -1913,14 +1912,6 @@ import_one_real (ctrl_t ctrl,
log_printf ("\n");
}
-
- if (!uidnode )
- if (!uidnode)
- {
- if (!silent)
- log_error( _("key %s: no user ID\n"), keystr_from_pk(pk));
@ -44,16 +44,18 @@ Index: gnupg-2.2.19/g10/import.c
if (screener && screener (keyblock, screener_arg))
{
log_error (_("key %s: %s\n"), keystr_from_pk (pk),
@@ -1911,17 +1902,10 @@ import_one_real (ctrl_t ctrl,
@@ -1999,19 +1990,10 @@ import_one_real (ctrl_t ctrl,
xfree(user);
}
}
- if (!delete_inv_parts (ctrl, keyblock, keyid, options ) )
-
- /* Delete invalid parts and bail out if there are no user ids left. */
- if (!delete_inv_parts (ctrl, keyblock, keyid, options))
- {
- if (!silent)
- {
- log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
- if (!opt.quiet )
- log_error ( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
- if (!opt.quiet)
- log_info(_("this may be caused by a missing self-signature\n"));
- }
- stats->no_user_id++;
@ -66,7 +68,7 @@ Index: gnupg-2.2.19/g10/import.c
/* Get rid of deleted nodes. */
commit_kbnode (&keyblock);
@@ -1931,24 +1915,11 @@ import_one_real (ctrl_t ctrl,
@@ -2021,24 +2003,11 @@ import_one_real (ctrl_t ctrl,
{
apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid);
commit_kbnode (&keyblock);
@ -91,7 +93,7 @@ Index: gnupg-2.2.19/g10/import.c
}
/* The keyblock is valid and ready for real import. */
@@ -2006,6 +1977,13 @@ import_one_real (ctrl_t ctrl,
@@ -2096,6 +2065,13 @@ import_one_real (ctrl_t ctrl,
err = 0;
stats->skipped_new_keys++;
}


@ -2,16 +2,16 @@
g10/passphrase.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: gnupg-2.1.0/g10/passphrase.c
Index: gnupg-2.3.0/g10/passphrase.c
===================================================================
--- gnupg-2.1.0.orig/g10/passphrase.c 2014-11-07 16:52:11.080483153 +0100
+++ gnupg-2.1.0/g10/passphrase.c 2014-11-07 16:52:11.996494299 +0100
@@ -71,7 +71,7 @@ encode_s2k_iterations (int iterations)
{
/* Don't print an error if an older agent is used. */
if (err && gpg_err_code (err) != GPG_ERR_ASS_PARAMETER)
- log_error (_("problem with the agent: %s\n"), gpg_strerror (err));
+ log_info (_("problem with the agent: %s\n"), gpg_strerror (err));
/* Default to 65536 which we used up to 2.0.13. */
return 96;
}
--- gnupg-2.3.0.orig/g10/passphrase.c
+++ gnupg-2.3.0/g10/passphrase.c
@@ -222,7 +222,7 @@ passphrase_get (int newsymkey, int nocac
}
else
{
- log_error (_("problem with the agent: %s\n"), gpg_strerror (rc));
+ log_info (_("problem with the agent: %s\n"), gpg_strerror (rc));
/* Due to limitations in the API of the upper layers they
consider an error as no passphrase entered. This works in
most cases but not during key creation where this should


@ -1,7 +1,7 @@
Index: gnupg-2.1.20/g10/plaintext.c
Index: gnupg-2.3.0/g10/plaintext.c
===================================================================
--- gnupg-2.1.20.orig/g10/plaintext.c 2017-04-03 17:13:56.000000000 +0200
+++ gnupg-2.1.20/g10/plaintext.c 2017-04-04 09:53:31.541145727 +0200
--- gnupg-2.3.0.orig/g10/plaintext.c
+++ gnupg-2.3.0/g10/plaintext.c
@@ -24,6 +24,7 @@
#include <string.h>
#include <errno.h>
@ -39,5 +39,5 @@ Index: gnupg-2.1.20/g10/plaintext.c
+ }
+ umask(saved_umask);
}
#else /* __riscos__ */
/* If no output filename was given, i.e. we constructed it, convert
leave:


@ -1,3 +1,59 @@
-------------------------------------------------------------------
Wed Apr 7 20:56:23 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
- GnuPG 2.3.0:
* A new experimental key database daemon is provided. To enable
it put "use-keyboxd" into gpg.conf and gpgsm.conf. Keys are stored
in a SQLite database and make key lookup much faster.
* New tool gpg-card as a flexible frontend for all types of
supported smartcards.
* New option --chuid for gpg, gpgsm, gpgconf, gpg-card, and
gpg-connect-agent.
* The gpg-wks-client tool is now installed under bin; a wrapper for
its old location at libexec is also installed.
* tpm2d: New daemon to physically bind keys to the local machine.
* gpg: Switch to ed25519/cv25519 as default public key algorithms.
* gpg: Verification results now depend on the --sender option and
the signer's UID subpacket.
* gpg: Do not use any 64-bit block size cipher algorithm for
encryption. Use AES as last resort cipher preference instead of
3DES. This can be reverted using --allow-old-cipher-algos.
* gpg: Support AEAD encryption mode using OCB or EAX.
* gpg: Support v5 keys and signatures.
* gpg: Support curve X448 (ed448, cv448).
* gpg: Allow use of group names in key listings.
* gpg: New option --full-timestrings to print date and time.
* gpg: New option --force-sign-key.
* gpg: New option --no-auto-trust-new-key.
* gpg: The legacy key discovery method PKA is no longer supported.
The command --print-pka-records and the PKA related import and
export options have been removed.
* gpg: Support export of Ed448 Secure Shell keys.
* gpgsm: Add basic ECC support.
* gpgsm: Support creation of EdDSA certificates. [#4888]
* agent: Allow the use of "Label:" in a key file to customize the
pinentry prompt.
* agent: Support ssh-agent extensions for environment variables.
With a patched version of OpenSSH this avoids the need for the
"updatestartuptty" kludge.
* scd: Improve support for multiple card readers and tokens.
* scd: Support PIV cards.
* scd: Support for Rohde&Schwarz Cybersecurity cards.
* scd: Support Telesec Signature Cards v2.0
* scd: Support multiple application on certain smartcard.
* scd: New option --application-priority.
* scd: New option --pcsc-shared; see man page for important notes.
* dirmngr: Support a gpgNtds parameter in LDAP keyserver URLs.
* The symcryptrun tool, a wrapper for the now obsolete external
Chiasmus tool, has been removed.
* Full Unicode support for the command line.
- Remove the "files-are-digests" option from the openSUSE package.
This feature was not upstream and only used in the OBS signing
daemon. The recommended upstream feature for separating the data
to be signed from the private keys is gpg agent forwarding,
available from 2.1. Drop gnupg-2.2.8-files-are-digests.patch
- dropped legacy commands: gpg-zip
-------------------------------------------------------------------
Tue Jan 12 22:45:11 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>


@ -17,7 +17,7 @@
Name: gpg2
Version: 2.2.27
Version: 2.3.0
Release: 0
Summary: File encryption, decryption, signature creation and verification utility
License: GPL-3.0-or-later
@ -30,7 +30,6 @@ Source3: %{name}.keyring
Source4: scdaemon.udev
Source99: %{name}.changes
Patch4: gnupg-2.0.9-langinfo.patch
Patch5: gnupg-2.2.8-files-are-digests.patch
Patch6: gnupg-dont-fail-with-seahorse-agent.patch
Patch8: gnupg-set_umask_before_open_outfile.patch
Patch9: gnupg-detect_FIPS_mode.patch
@ -42,10 +41,12 @@ Patch15: gnupg-allow-import-of-previously-known-keys-even-without-UIDs.pa
Patch1124847: gnupg-gpg-agent-ulimit.patch
BuildRequires: expect
BuildRequires: fdupes
BuildRequires: ibmswtpm2
BuildRequires: ibmtss-devel
BuildRequires: libassuan-devel >= 2.5.0
BuildRequires: libgcrypt-devel >= 1.8.0
BuildRequires: libgpg-error-devel >= 1.27
BuildRequires: libksba-devel >= 1.3.5
BuildRequires: libgcrypt-devel >= 1.9.1
BuildRequires: libgpg-error-devel >= 1.41
BuildRequires: libksba-devel >= 1.3.4
BuildRequires: makeinfo
BuildRequires: npth-devel >= 1.2
BuildRequires: openldap2-devel
@ -54,19 +55,17 @@ BuildRequires: readline-devel
BuildRequires: pkgconfig(bzip2)
BuildRequires: pkgconfig(gnutls) >= 3.0
BuildRequires: pkgconfig(libusb-1.0)
BuildRequires: pkgconfig(sqlite3) >= 3.7
BuildRequires: pkgconfig(sqlite3) >= 3.27
BuildRequires: pkgconfig(zlib)
# runtime dependency to support devel repository users - boo#955982
Requires: libassuan0 >= 2.5.0
Requires: libgcrypt20 >= 1.8.0
Requires: libksba >= 1.3.5
Requires: libgcrypt20 >= 1.9.1
Requires: libksba >= 1.3.4
Requires: pinentry
Recommends: dirmngr = %{version}
Provides: gnupg = %{version}
Provides: gpg = 1.4.9
Provides: newpg
# special feature needed for OBS signd
Provides: gpg2_signd_support
Obsoletes: gpg < 1.4.9
%description
@ -94,7 +93,6 @@ gpgsm, or via the gpg-connect-agent tool.
%setup -q -n gnupg-%{version}
%patch1124847 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch8 -p1
%patch9 -p1
@ -116,7 +114,6 @@ date=$(date -u +%%Y-%%m-%%dT%%H:%%M+0000 -r %{SOURCE99})
--with-scdaemon-pgm=%{_bindir}/scdaemon \
--enable-ldap \
--enable-gpgsm=yes \
--enable-gpg \
--enable-gpgtar \
--enable-g13 \
--enable-large-secmem \
@ -125,7 +122,6 @@ date=$(date -u +%%Y-%%m-%%dT%%H:%%M+0000 -r %{SOURCE99})
--with-default-trust-store-file=%{_sysconfdir}/ssl/ca-bundle.pem \
--enable-build-timestamp=$date \
--enable-gpg-is-gpg2 \
--enable-Werror
%make_build
@ -149,9 +145,6 @@ mv %{buildroot}%{_libdir}/scdaemon %{buildroot}%{_bindir}
mv %{buildroot}%{_libdir}/dirmngr_ldap %{buildroot}%{_bindir}
# install udev rules for scdaemon
install -Dm 0644 %{SOURCE4} %{buildroot}%{_udevrulesdir}/60-scdaemon.rules
# install legacy tools
install -m 755 tools/gpg-zip %{buildroot}/%{_bindir}
# install -m 755 tools/gpgsplit %%{buildroot}/%%{_bindir}
%find_lang gnupg2
%fdupes -s %{buildroot}
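Review bot: The libksba floor goes down rather than up in the BuildRequires and Requires hunks — `libksba-devel >= 1.3.4` and `libksba >= 1.3.4` take the place of the 1.3.5 lines (the +/- markers are lost in this view, but the hunk counts only fit with the 1.3.4 lines on the new side) — while libgcrypt, libgpg-error and sqlite3 all move upward, and the changelog entry says nothing about it. Lowering a runtime minimum on a major version bump is the unusual direction: the `boo#955982` comment shows these Requires were set deliberately for devel-repository users, and an installed libksba 1.3.4 would now satisfy a package that previously demanded 1.3.5. Unless 2.3.0's configure genuinely needs only 1.3.4 (not visible here), keep `BuildRequires: libksba-devel >= 1.3.5` and `Requires: libksba >= 1.3.5`, or record the reason for the lower floor in the changelog.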