From 6391641db2f07d9bd1b4f3eb2ec53fe73698a436278e0ad0079392a327f2de61 Mon Sep 17 00:00:00 2001
From: OBS User buildservice-autocommit
Date: Wed, 17 May 2023 08:52:48 +0000
Subject: [PATCH 1/2] Updating link to change in openSUSE:Factory/gpg2 revision 165
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=470148cd26498127ebe3c310690037d6
---
 gnupg-2.3.8.tar.bz2 | 3 +
 gnupg-2.3.8.tar.bz2.sig | Bin 0 -> 119 bytes
 gnupg-2.4.1.tar.bz2 | 3 -
 gnupg-2.4.1.tar.bz2.sig | Bin 119 -> 0 bytes
 gnupg-add_legacy_FIPS_mode_option.patch | 55 ++---
 ...viously-known-keys-even-without-UIDs.patch | 23 +-
 gnupg-allow-large-rsa.patch | 13 --
 gnupg-revert-rfc4880bis.patch | 202 ------------------
 gpg2.changes | 164 --------------
 gpg2.spec | 36 ++--
 10 files changed, 59 insertions(+), 440 deletions(-)
 create mode 100644 gnupg-2.3.8.tar.bz2
 create mode 100644 gnupg-2.3.8.tar.bz2.sig
 delete mode 100644 gnupg-2.4.1.tar.bz2
 delete mode 100644 gnupg-2.4.1.tar.bz2.sig
 delete mode 100644 gnupg-allow-large-rsa.patch
 delete mode 100644 gnupg-revert-rfc4880bis.patch
diff --git a/gnupg-2.3.8.tar.bz2 b/gnupg-2.3.8.tar.bz2
new file mode 100644
index 0000000..ab87c26
--- /dev/null
+++ b/gnupg-2.3.8.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:540b7a40e57da261fb10ef521a282e0021532a80fd023e75fb71757e8a4969ed
+size 7644926
diff --git a/gnupg-2.3.8.tar.bz2.sig b/gnupg-2.3.8.tar.bz2.sig
new file mode 100644
index 0000000000000000000000000000000000000000000000000000000000000000..cf362c596cfba1af7147ffbb690b7138f5abc05793f0f1820b62731a3dd04f61
GIT binary patch literal 119 zcmeAuWnmEGV2~A4WXWBXm$E!p!y#PSlPRcU`VKV*t6Qv0$sX398MrtFU?TsXGcw$g zHrzS){lqH|j=sC^{zz)=GUgxqE<9fODU`Fi`QR(vH4OjL+3kNhsW=q1xCSl0)sZW8 VL0x~5P~&++&U?QfUNkLa0RYLSGll>F literal 0 HcmV?d00001
diff --git a/gnupg-2.4.1.tar.bz2 b/gnupg-2.4.1.tar.bz2
deleted file mode 100644
index f61626e..0000000
--- a/gnupg-2.4.1.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:76b71e5aeb443bfd910ce9cbc8281b617c8341687afb67bae455877972b59de8 -size 7341338 diff --git a/gnupg-2.4.1.tar.bz2.sig b/gnupg-2.4.1.tar.bz2.sig deleted file mode 100644 index c12b732bc36d7aba22f95b7fcedaf6ee6e00cc7431c12f265e0842ee382a7f27..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 119 zcmeAuWnmEGVvrS6WXWBXm$E!p!y#PSlPRcU`VKV*t6Qv0Dc&3X8MrtFU?S_P8GbR@ zrC3C7op-Y!DmJAfE=?itaou)fzok7Kwl4jRt(zkl88)Oa+8bIN%Gchw^+MW{C0?Ef Td8e@VNa=5zD4}4poRJ# g10/import.c | 49 +++++++++++-------------------------------------- 1 file changed, 11 insertions(+), 38 deletions(-) -Index: gnupg-2.4.0/g10/import.c +Index: gnupg-2.3.0/g10/import.c =================================================================== ---- gnupg-2.4.0.orig/g10/import.c -+++ gnupg-2.4.0/g10/import.c -@@ -1954,7 +1954,6 @@ import_one_real (ctrl_t ctrl, +--- gnupg-2.3.0.orig/g10/import.c ++++ gnupg-2.3.0/g10/import.c +@@ -1876,7 +1876,6 @@ import_one_real (ctrl_t ctrl, size_t an; char pkstrbuf[PUBKEY_STRING_SIZE]; int merge_keys_done = 0; @@ -29,7 +29,7 @@ Index: gnupg-2.4.0/g10/import.c KEYDB_HANDLE hd = NULL; if (r_valid) -@@ -1991,14 +1990,6 @@ import_one_real (ctrl_t ctrl, +@@ -1913,14 +1912,6 @@ import_one_real (ctrl_t ctrl, log_printf ("\n"); } @@ -44,12 +44,13 @@ Index: gnupg-2.4.0/g10/import.c if (screener && screener (keyblock, screener_arg)) { log_error (_("key %s: %s\n"), keystr_from_pk (pk), -@@ -2078,18 +2069,10 @@ import_one_real (ctrl_t ctrl, +@@ -1999,19 +1990,10 @@ import_one_real (ctrl_t ctrl, + xfree(user); } } - +- - /* Delete invalid parts and bail out if there are no user ids left. */ -- if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs)) +- if (!delete_inv_parts (ctrl, keyblock, keyid, options)) - { - if (!silent) - { 
@@ -63,11 +64,11 @@ Index: gnupg-2.4.0/g10/import.c + /* Delete invalid parts, and note if we have any valid ones left. + * We will later abort import if this key is new but contains + * no valid uids. */ -+ delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs); ++ delete_inv_parts (ctrl, keyblock, keyid, options); /* Get rid of deleted nodes. */ commit_kbnode (&keyblock); -@@ -2099,24 +2082,11 @@ import_one_real (ctrl_t ctrl, +@@ -2021,24 +2003,11 @@ import_one_real (ctrl_t ctrl, { apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid); commit_kbnode (&keyblock); @@ -92,7 +93,7 @@ Index: gnupg-2.4.0/g10/import.c } /* The keyblock is valid and ready for real import. */ -@@ -2174,6 +2144,13 @@ import_one_real (ctrl_t ctrl, +@@ -2096,6 +2065,13 @@ import_one_real (ctrl_t ctrl, err = 0; stats->skipped_new_keys++; } diff --git a/gnupg-allow-large-rsa.patch b/gnupg-allow-large-rsa.patch deleted file mode 100644 index 81e726a..0000000 --- a/gnupg-allow-large-rsa.patch +++ /dev/null @@ -1,13 +0,0 @@ -Index: gnupg-2.4.1/g10/keygen.c -=================================================================== ---- gnupg-2.4.1.orig/g10/keygen.c -+++ gnupg-2.4.1/g10/keygen.c -@@ -2456,7 +2456,7 @@ get_keysize_range (int algo, unsigned in - - default: - *min = opt.compliance == CO_DE_VS ? 2048: 1024; -- *max = 4096; -+ *max = opt.flags.large_rsa == 1 ? 8192 : 4096; - def = 3072; - break; - } diff --git a/gnupg-revert-rfc4880bis.patch b/gnupg-revert-rfc4880bis.patch deleted file mode 100644 index f981206..0000000 --- a/gnupg-revert-rfc4880bis.patch +++ /dev/null 
@@ -1,202 +0,0 @@ -From 4583f4fe2e11b3dd070066628c3f16776cc74f72 Mon Sep 17 00:00:00 2001 -From: Werner Koch -Date: Mon, 31 Oct 2022 16:14:18 +0100 -Subject: [PATCH GnuPG] gpg: Merge --rfc4880bis features into --gnupg - -* g10/gpg.c (oRFC4880bis): Remove. -(opts): Make --rfc4880bis a Noop. -(compliance_options): Make rfc4880bis to gnupg. -(set_compliance_option): Remove rfc4880bis stuff. -(main): Ditto. Note that this now activates the --mimemode option. -* g10/keygen.c (keygen_set_std_prefs): Remove rfc4880bis protection. -(keygen_upd_std_prefs): Always announce support for v5 keys. -(read_parameter_file): Activate the v4 and v5 keywords. --- - -Index: gnupg-2.4.1/g10/gpg.c -=================================================================== ---- gnupg-2.4.1.orig/g10/gpg.c -+++ gnupg-2.4.1/g10/gpg.c -@@ -247,6 +247,7 @@ enum cmd_and_opt_values - oGnuPG, - oRFC2440, - oRFC4880, -+ oRFC4880bis, - oOpenPGP, - oPGP7, - oPGP8, -@@ -636,6 +637,7 @@ static gpgrt_opt_t opts[] = { - ARGPARSE_s_n (oGnuPG, "no-pgp8", "@"), - ARGPARSE_s_n (oRFC2440, "rfc2440", "@"), - ARGPARSE_s_n (oRFC4880, "rfc4880", "@"), -+ ARGPARSE_s_n (oRFC4880bis, "rfc4880bis", "@"), - ARGPARSE_s_n (oOpenPGP, "openpgp", N_("use strict OpenPGP behavior")), - ARGPARSE_s_n (oPGP7, "pgp6", "@"), - ARGPARSE_s_n (oPGP7, "pgp7", "@"), -@@ -977,7 +979,6 @@ static gpgrt_opt_t opts[] = { - ARGPARSE_s_n (oNoop, "no-allow-multiple-messages", "@"), - ARGPARSE_s_s (oNoop, "aead-algo", "@"), - ARGPARSE_s_s (oNoop, "personal-aead-preferences","@"), -- ARGPARSE_s_n (oNoop, "rfc4880bis", "@"), - ARGPARSE_s_n (oNoop, "override-compliance-check", "@"), - ARGPARSE_s_n (oSetLegacyFips, "set-legacy-fips", "@"), - -@@ -2227,7 +2228,7 @@ static struct gnupg_compliance_option co - { - { "gnupg", oGnuPG }, - { "openpgp", oOpenPGP }, -- { "rfc4880bis", oGnuPG }, -+ { "rfc4880bis", oRFC4880bis }, - { "rfc4880", oRFC4880 }, - { "rfc2440", oRFC2440 }, - { "pgp6", oPGP7 }, -@@ -2243,8 +2244,28 @@ static struct gnupg_compliance_option 
co - static void - set_compliance_option (enum cmd_and_opt_values option) - { -+ opt.flags.rfc4880bis = 0; /* Clear because it is initially set. */ -+ - switch (option) - { -+ case oRFC4880bis: -+ opt.flags.rfc4880bis = 1; -+ opt.compliance = CO_RFC4880; -+ opt.flags.dsa2 = 1; -+ opt.flags.require_cross_cert = 1; -+ opt.rfc2440_text = 0; -+ opt.allow_non_selfsigned_uid = 1; -+ opt.allow_freeform_uid = 1; -+ opt.escape_from = 1; -+ opt.not_dash_escaped = 0; -+ opt.def_cipher_algo = 0; -+ opt.def_digest_algo = 0; -+ opt.cert_digest_algo = 0; -+ opt.compress_algo = -1; -+ opt.s2k_mode = 3; /* iterated+salted */ -+ opt.s2k_digest_algo = DIGEST_ALGO_SHA256; -+ opt.s2k_cipher_algo = CIPHER_ALGO_AES256; -+ break; - case oOpenPGP: - case oRFC4880: - /* This is effectively the same as RFC2440, but with -@@ -2288,6 +2309,7 @@ set_compliance_option (enum cmd_and_opt_ - case oPGP8: opt.compliance = CO_PGP8; break; - case oGnuPG: - opt.compliance = CO_GNUPG; -+ opt.flags.rfc4880bis = 1; - break; - - case oDE_VS: -@@ -2490,6 +2512,7 @@ main (int argc, char **argv) - opt.emit_version = 0; - opt.weak_digests = NULL; - opt.compliance = CO_GNUPG; -+ opt.flags.rfc4880bis = 1; - - /* Check special options given on the command line. */ - orig_argc = argc; -@@ -3032,6 +3055,7 @@ main (int argc, char **argv) - case oOpenPGP: - case oRFC2440: - case oRFC4880: -+ case oRFC4880bis: - case oPGP7: - case oPGP8: - case oGnuPG: -@@ -3867,6 +3891,11 @@ main (int argc, char **argv) - if( may_coredump && !opt.quiet ) - log_info(_("WARNING: program may create a core file!\n")); - -+ if (!opt.flags.rfc4880bis) -+ { -+ opt.mimemode = 0; /* This will use text mode instead. */ -+ } -+ - if (eyes_only) { - if (opt.set_filename) - log_info(_("WARNING: %s overrides %s\n"), -@@ -4083,7 +4112,7 @@ main (int argc, char **argv) - /* Check our chosen algorithms against the list of legal - algorithms. 
*/ - -- if(!GNUPG) -+ if(!GNUPG && !opt.flags.rfc4880bis) - { - const char *badalg=NULL; - preftype_t badtype=PREFTYPE_NONE; -Index: gnupg-2.4.1/g10/keygen.c -=================================================================== ---- gnupg-2.4.1.orig/g10/keygen.c -+++ gnupg-2.4.1/g10/keygen.c -@@ -404,7 +404,7 @@ keygen_set_std_prefs (const char *string - strcat(dummy_string,"S7 "); - strcat(dummy_string,"S2 "); /* 3DES */ - -- if (!openpgp_aead_test_algo (AEAD_ALGO_OCB)) -+ if (opt.flags.rfc4880bis && !openpgp_aead_test_algo (AEAD_ALGO_OCB)) - strcat(dummy_string,"A2 "); - - if (personal) -@@ -889,7 +889,7 @@ keygen_upd_std_prefs (PKT_signature *sig - /* Make sure that the MDC feature flag is set if needed. */ - add_feature_mdc (sig,mdc_available); - add_feature_aead (sig, aead_available); -- add_feature_v5 (sig, 1); -+ add_feature_v5 (sig, opt.flags.rfc4880bis); - add_keyserver_modify (sig,ks_modify); - keygen_add_keyserver_url(sig,NULL); - -@@ -3382,7 +3382,10 @@ parse_key_parameter_part (ctrl_t ctrl, - } - } - else if (!ascii_strcasecmp (s, "v5")) -- keyversion = 5; -+ { -+ if (opt.flags.rfc4880bis) -+ keyversion = 5; -+ } - else if (!ascii_strcasecmp (s, "v4")) - keyversion = 4; - else -@@ -3641,7 +3644,7 @@ parse_key_parameter_part (ctrl_t ctrl, - * ecdsa := Use algorithm ECDSA. - * eddsa := Use algorithm EdDSA. - * ecdh := Use algorithm ECDH. -- * v5 := Create version 5 key -+ * v5 := Create version 5 key (requires option --rfc4880bis) - * - * There are several defaults and fallbacks depending on the - * algorithm. PART can be used to select which part of STRING is -@@ -4513,9 +4516,9 @@ read_parameter_file (ctrl_t ctrl, const - } - } - -- if ((keywords[i].key == pVERSION -- || keywords[i].key == pSUBVERSION)) -- ; /* Ignore version. */ -+ if (!opt.flags.rfc4880bis && (keywords[i].key == pVERSION -+ || keywords[i].key == pSUBVERSION)) -+ ; /* Ignore version unless --rfc4880bis is active. 
*/ - else - { - r = xmalloc_clear( sizeof *r + strlen( value ) ); -@@ -4610,11 +4613,14 @@ quickgen_set_para (struct para_data_s *p - para = r; - } - -- r = xmalloc_clear (sizeof *r + 20); -- r->key = for_subkey? pSUBVERSION : pVERSION; -- snprintf (r->u.value, 20, "%d", version); -- r->next = para; -- para = r; -+ if (opt.flags.rfc4880bis) -+ { -+ r = xmalloc_clear (sizeof *r + 20); -+ r->key = for_subkey? pSUBVERSION : pVERSION; -+ snprintf (r->u.value, 20, "%d", version); -+ r->next = para; -+ para = r; -+ } - - if (keytime) - { diff --git a/gpg2.changes b/gpg2.changes index 5da703c..da1913e 100644 --- a/gpg2.changes +++ b/gpg2.changes 
@@ -1,167 +1,3 @@ -------------------------------------------------------------------- -Sat Apr 29 08:25:46 UTC 2023 - Pedro Monreal - -- Temporarily revert back to the pre-2.4 default for key generation. - The new rfc4880bis has been set as the default in 2.4 version and - might create incompatible keys. Note that, rfc4880bis can still - be used with the option flag --rfc4880bis as in previous versions. - * More info in the gnupg-devel ML: - https://lists.gnupg.org/pipermail/gnupg-devel/2022-December/035183.html - * Reverted commit https://dev.gnupg.org/rGcaf4b3fc16e9 - * Add gnupg-revert-rfc4880bis.patch - -------------------------------------------------------------------- -Sat Apr 29 08:12:32 UTC 2023 - Pedro Monreal - -- Allow 8192 bit RSA keys in keygen UI when large_rsa is set - * Add gnupg-allow-large-rsa.patch - -------------------------------------------------------------------- -Sat Apr 29 08:01:16 UTC 2023 - Pedro Monreal - -- Enable the regression tests: Fix the regression test suite that - fails with the IBM TPM Software stack. Builds fine using the Intel - TPM; use the swtpm and tpm2-0-tss-devel packages instead of - ibmswtpm2 and ibmtss-devel. - -------------------------------------------------------------------- -Fri Apr 28 17:32:11 UTC 2023 - David Anes - -- Rebased patches: - * gnupg-add_legacy_FIPS_mode_option.patch - -- Removed patches (already upstream): - * gnupg-tests-Fix-tests-gpgme-for-in-source-tree-builds.patch - -- Don't ship systemd examples, as they are removed from upstream - release tarball. - -- Update to 2.4.1: - * If the ~/.gnupg directory does not exist, the keyboxd is now - automagically enabled. - * gpg: New option --add-desig-revoker. - * gpg: New option --assert-signer. - * gpg: New command --quick-add-adsk and other ADSK features. - * gpg: New list-option "show-unusable-sigs". Also show - "[self-signature]" instead of the user-id in key signature - listings. 
- * gpg: For symmetric encryption the default S2K hash is now SHA256. - * gpg: Detect already compressed data also when using a pipe. Also - detect JPEG and PNG file formats. - * gpg: New subcommand "openpgp" for --card-edit. - * gpgsm: Verification of detached signatures does now strip trailing - zeroes from the input if --assume-binary is used. - * gpgsm: Non-armored detached signature are now created without - using indefinite form length octets. This improves compatibility - with some PDF signature verification software. - * gpgtar: Emit progress status lines in create mode. - * dirmngr: The LDAP modifyTimestamp is now returned by some - keyserver commands. - * ssh: Allow specification of the order keys are presented to ssh. - See the man page entry for --enable-ssh-support. - * gpg: Make list-options "show-sig-subpackets" work again. - Fixes regression in 2.4.0. - * gpg: Fix the keytocard command for Yubikeys. - * gpg: Do not continue an export after a cancel for the primary key. - * gpg: Replace the --override-compliance-check hack by a real fix. - * gpgtar: Fix decryption with input taken from stdin. - -------------------------------------------------------------------- -Wed Jan 11 11:15:54 UTC 2023 - Pedro Monreal - -- Fix broken GPGME QT tests: Upstram dev task dev.gnupg.org/T6313 - * The original patch has been modified to expand the changes - also to the tests/gpgme/Makefile.in file. - * Add gnupg-tests-Fix-tests-gpgme-for-in-source-tree-builds.patch - -------------------------------------------------------------------- -Tue Dec 20 16:01:05 UTC 2022 - David Anes - -- Updated to require libgpg-error-devel >= 1.46 - -- Rebased patches: - * gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch - * gnupg-add_legacy_FIPS_mode_option.patch - -- GnuPG 2.4.0: - * common: Fix translations in --help for gpgrt < 1.47. - * gpg: Do not continue the export after a cancel for the primary key. - * gpg: Replace use of PRIu64 in log_debug. 
- * Update NEWS for 2.4.0. - * tests: Fix make check with GPGME. - * agent: Allow arguments to "scd serialno" in restricted mode. - * scd:p15: Skip deleted records. - * build: Remove Windows CE support. - * wkd: Do not send/install/mirror expired user ids. - * gpgsm: Print the revocation time also with --verify. - * gpgsm: Fix "problem re-searching certificate" case. - * gpgsm: Print revocation date and reason in cert listings. - * gpgsm: Silence the "non-critical certificate policy not allowed". - * gpgsm: Always use the chain model if the root-CA requests this. - * gpg: New export option "mode1003". - * gpg: Remove a mostly duplicated function. - * tests: Simplify fake-pinentry to use the option only. - * tests: Fix fake-pinentry for Windows. - * tests: Fix make check-all. - * agent: Fix import of protected v5 keys. - * gpgsm: Change default algo to AES-256. - * tests: Put a workaround for semihosted environment. - * tests: More fix for semihosted environment. - * tests: Support semihosted environment. - * tests: Fix tests under cms. - * tests,w32: Fix for semihosted environment. - * w32: Fix for tests on semihosted environment. - * w32: Fix gnupg_unsetenv. - * wkd: New option --add-revocs and some fixes. - * wkd: Make use of --debug extprog. - * gpg: New export-filter export-revocs. - * gpg: Fix double-free in gpg --card-edit. - * gpg: Make --require-compliance work with out --status-fd. - * gpg: New option --list-filter. - * dirmngr: Silence ocsp debug output. - * tests: Fix to support --enable-all-tests and variants. - * tests:w32: Fix for non-dot file name for Windows. - * tests:gpgscm:w32: Fix for GetTempPath. - * tests: Keep .log files in objdir. - * tests: Use 233 for invalid value of FD. - * w32: Fix gnupg_tmpfile for possible failure. - * scd: Redact --debug cardio output of a VERIFY APDU. - * common: Remove Windows CE support in common. - * gpgsm: Fix colon outout of ECC encryption certificates. - * scd:nks: Fix ECC signing if key not given by keygrip. 
- * dirmngr: Fix verification of ECDSA signed CRLs. - * agent: Allow trustlist on Windows in Unicode homedirs. - * gpg: Fix verification of cleartext signatures with overlong lines. - * gpg: Move w32_system function. - * gpg: New option --quick-update-pref. - * gpg: New list-options show-pref and show-pref-verbose. - * tests: Add tests to check that OCB is only used for capable keys. - * gpg: Make --list-packets work w/o --no-armor for plain OCB packets. - * tests: Add symmetric decryption tests. - * tests: Add tr:assert-same function. - * agent: Avoid blanks in the ssh key's comment. - * build: Update m4 files. - * gpg: Merge --rfc4880bis features into --gnupg. - * gpg: Allow only OCB for AEAD encryption. - * gpg: New option --compatibility-flags. - * gpgsm: Also announce AES256-CBC in signatures. - * gpg: Fix trusted introducer for user-ids with only the mbox. - * gpg: Import stray revocation certificates. - * agent: Automatically convert to extended key format by KEYATTR. - * card: New commands "gpg" and "gpgsm". - * card: Also show fingerprints of known X.509 certificates. - * scd:nks: Support non-ESIGN signing with the Signature Card v2. - * gpgsm: Allow ECC encryption keys with just keyAgreement specified. - * gpgsm: Use macro constants for cert_usage_p. - * build: Update gpg-error.m4. - * agent,common,dirmngr,tests,tools: Remove spawn PREEXEC argument. - * gpg: Move NETLIBS after GPG_ERROR_LIBS. - * gpg: Use GCRY_KDF_ONESTEP_KDF with newer libgcrypt in future. - * common,w32: Fix struct stat on Windows. - * agent,w32: Support Win32-OpenSSH emulation by gpg-agent. - * common: Don't use FD2INT for POSIX-only code. - * dirmngr: Fix build with no LDAP support. - ------------------------------------------------------------------- Mon Oct 17 11:35:11 UTC 2022 - Pedro Monreal diff --git a/gpg2.spec b/gpg2.spec index 7ffb33c..87c0390 100644 --- a/gpg2.spec +++ b/gpg2.spec 
@@ -1,7 +1,7 @@
 #
 # spec file for package gpg2
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 Name: gpg2
-Version: 2.4.1
+Version: 2.3.8
 Release: 0
 Summary: File encryption, decryption, signature creation and verification utility
 License: GPL-3.0-or-later
@@ -39,23 +39,19 @@ Patch7: gnupg-2.2.16-secmem.patch
 Patch8: gnupg-accept_subkeys_with_a_good_revocation_but_no_self-sig_during_import.patch
 Patch9: gnupg-add-test-cases-for-import-without-uid.patch
 Patch10: gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
-#PATCH-FIX-SUSE Allow 8192 bit RSA keys in keygen UI when large_rsa is set
-Patch11: gnupg-allow-large-rsa.patch
-#PATCH-FIX-SUSE Revert the rfc4880bis features default of key generation
-Patch12: gnupg-revert-rfc4880bis.patch
 BuildRequires: expect
 BuildRequires: fdupes
+BuildRequires: ibmswtpm2
+BuildRequires: ibmtss-devel
 BuildRequires: libassuan-devel >= 2.5.0
 BuildRequires: libgcrypt-devel >= 1.9.1
-BuildRequires: libgpg-error-devel >= 1.46
-BuildRequires: libksba-devel >= 1.6.3
+BuildRequires: libgpg-error-devel >= 1.41
+BuildRequires: libksba-devel >= 1.3.4
 BuildRequires: makeinfo
 BuildRequires: npth-devel >= 1.2
 BuildRequires: openldap2-devel
 BuildRequires: pkgconfig
 BuildRequires: readline-devel
-BuildRequires: swtpm
-BuildRequires: tpm2-0-tss-devel
 BuildRequires: pkgconfig(bzip2)
 BuildRequires: pkgconfig(gnutls) >= 3.0
 BuildRequires: pkgconfig(libusb-1.0)
@@ -64,7 +60,6 @@ BuildRequires: pkgconfig(zlib)
 # runtime dependency to support devel repository users - boo#955982
 Requires: libassuan0 >= 2.5.0
 Requires: libgcrypt20 >= 1.9.1
-Requires: libgpg-error >= 1.46
 Requires: libksba >= 1.3.4
 Requires: pinentry
 Recommends: dirmngr = %{version}
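Review bot: In the `@@ -39,23 +39,19 @@` hunk the floor for `libksba-devel` drops from 1.6.3 to 1.3.4 and the floor for `libgpg-error-devel` from 1.46 to 1.41, so the package may now be built against much older releases of the library that parses X.509 and CMS input for gpgsm and dirmngr. If 1.3.4 is only the minimum that the 2.3.8 configure script accepts, that is a compile-time minimum and not necessarily the version the distribution wants to build and run against. Consider keeping `BuildRequires: libksba-devel >= 1.6.3`, and raising the runtime line `Requires: libksba >= 1.3.4` shown as context in the `@@ -64,7 +60,6 @@` hunk to the same floor.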
@@ -120,7 +115,6 @@ date=$(date -u +%%Y-%%m-%%dT%%H:%%M+0000 -r %{SOURCE99})
 --with-dirmngr-pgm=%{_bindir}/dirmngr \
 --with-scdaemon-pgm=%{_bindir}/scdaemon \
 --with-tpm2daemon-pgm=%{_bindir}/tpm2daemon \
- --disable-rpath \
 --enable-ldap \
 --enable-gpgsm=yes \
 --enable-gpgtar \
@@ -129,9 +123,7 @@ date=$(date -u +%%Y-%%m-%%dT%%H:%%M+0000 -r %{SOURCE99})
 --enable-wks-tools \
 --with-gnu-ld \
 --with-default-trust-store-file=%{_sysconfdir}/ssl/ca-bundle.pem \
- --with-tss=intel \
- --enable-all-tests \
- --enable-build-timestamp=${date} \
+ --enable-build-timestamp=$date \
 --enable-gpg-is-gpg2
 %make_build
@@ -139,11 +131,10 @@ date=$(date -u +%%Y-%%m-%%dT%%H:%%M+0000 -r %{SOURCE99})
 %install
 %make_install
 mkdir -p %{buildroot}%{_sysconfdir}/gnupg/
-# install gpgconf.conf bnc#391347
+# bnc#391347
 install -m 644 doc/examples/gpgconf.conf %{buildroot}%{_sysconfdir}/gnupg
 # delete to prevent fdupes from creating cross-partition hardlink
 rm -rf %{buildroot}%{_docdir}/gpg2/examples/gpgconf.conf
-# remove info dir
 rm %{buildroot}%{_infodir}/dir
 # compat symlinks
 ln -sf gpg2 %{buildroot}%{_bindir}/gpg
@@ -164,7 +155,10 @@ install -Dm 0644 %{SOURCE4} %{buildroot}%{_udevrulesdir}/60-scdaemon.rules
 %fdupes -s %{buildroot}
 %check
-%make_build check || :
+# Run only localy, fails in OBS
+#%%if ! 0%%{?qemu_user_space_build}
+#make %%{?_smp_mflags} check
+#%%endif
 %post
 %udev_rules_update
@@ -172,11 +166,12 @@ install -Dm 0644 %{SOURCE4} %{buildroot}%{_udevrulesdir}/60-scdaemon.rules
 %files lang -f gnupg2.lang
 %files
-%license COPYING*
-%doc AUTHORS ChangeLog NEWS THANKS TODO doc/FAQ
 %{_infodir}/gnupg*
 %exclude %{_mandir}/*/dirmngr*%{ext_man}
 %{_mandir}/*/*%{ext_man}
+%license COPYING*
+%doc AUTHORS ChangeLog NEWS THANKS TODO doc/FAQ
+%exclude %{_docdir}/%{name}/examples/systemd-user/dirmngr.*
 %doc %{_docdir}/%{name}
 %exclude %{_bindir}/dirmngr*
 %exclude %{_bindir}/tpm2daemon*
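Review bot: The `%check` section in the `@@ -164,7 +155,10 @@` hunk now executes nothing, because all four added lines are comments, so the package is built and published without the upstream regression suite ever running. The line it replaces, `%make_build check || :`, at least ran the tests, although it discarded their result. If the suite only fails in emulated builds, as the commented-out condition suggests, keep the guard live and let a failure stop the build: `%if ! 0%{?qemu_user_space_build}`, `%make_build check`, `%endif`. The comment should also name which test fails in OBS, so the skip can be narrowed or removed later.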
@@ -193,6 +188,7 @@ install -Dm 0644 %{SOURCE4} %{buildroot}%{_udevrulesdir}/60-scdaemon.rules
 %files -n dirmngr
 %license COPYING*
 %{_mandir}/*/dirmngr*%{ext_man}
+%{_docdir}/%{name}/examples/systemd-user/dirmngr.*
 %{_bindir}/dirmngr*
 %files tpm
From 8386d6f0f3ba4a92c59055b2bc184003c742764ff141b38a524b2f9dd96f2db3 Mon Sep 17 00:00:00 2001
From: Pedro Monreal Gonzalez Date: Mon, 5 Jun 2023 06:26:02 +0000 Subject: [PATCH 2/2] Accepting request 1089861 from home:pmonrealgonzalez:branches:Base:System - Update to 2.4.2: * gpg: Print a warning if no more encryption subkeys are left over after changing the expiration date. [rGef2c3d50fa] * gpg: Fix searching for the ADSK key when adding an ADSK. [T6504] * gpgsm: Speed up key listings on Windows. [rG08ff55bd44] * gpgsm: Reduce the number of "failed to open policy file" diagnostics. [rG68613a6a9d] * agent: Make updating of private key files more robust and track display S/N. [T6135] * keyboxd: Avoid longish delays on Windows when listing keys. [rG6944aefa3c] * gpgtar: Emit extra status lines to help GPGME. [T6497] * w32: Avoid using the VirtualStore. [T6403] * Rebase gnupg-add_legacy_FIPS_mode_option.patch - Update to 2.4.1: * If the ~/.gnupg directory does not exist, the keyboxd is now automagically enabled. [rGd9e7488b17] * gpg: New option --add-desig-revoker. [rG3d094e2bcf] * gpg: New option --assert-signer. [rGc9e95b8dee] * gpg: New command --quick-add-adsk and other ADSK features. [T6395, https://gnupg.org/blog/20230321-adsk.html] * gpg: New list-option "show-unusable-sigs". Also show "[self-signature]" instead of the user-id in key signature listings. [rG103acfe9ca] * gpg: For symmetric encryption the default S2K hash is now SHA256. [T6367] * gpg: Detect already compressed data also when using a pipe. Also detect JPEG and PNG file formats. [T6332] * gpg: New subcommand "openpgp" for --card-edit. [T6462] * gpgsm: Verification of detached signatures does now strip trailing zeroes from the input if --assume-binary is used. 
[rG2a13f7f9dc]
OBS-URL: https://build.opensuse.org/request/show/1089861
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=287
---
 gnupg-2.3.8.tar.bz2 | 3 -
 gnupg-2.3.8.tar.bz2.sig | Bin 119 -> 0 bytes
 gnupg-2.4.2.tar.bz2 | 3 +
 gnupg-2.4.2.tar.bz2.sig | Bin 0 -> 119 bytes
 gnupg-add_legacy_FIPS_mode_option.patch | 30 +--
 ...viously-known-keys-even-without-UIDs.patch | 23 +-
 gnupg-allow-large-rsa.patch | 13 ++
 gnupg-revert-rfc4880bis.patch | 202 ++++++++++++++++++
 gpg2.changes | 177 +++++++++++++++
 gpg2.spec | 45 ++--
 10 files changed, 449 insertions(+), 47 deletions(-)
 delete mode 100644 gnupg-2.3.8.tar.bz2
 delete mode 100644 gnupg-2.3.8.tar.bz2.sig
 create mode 100644 gnupg-2.4.2.tar.bz2
 create mode 100644 gnupg-2.4.2.tar.bz2.sig
 create mode 100644 gnupg-allow-large-rsa.patch
 create mode 100644 gnupg-revert-rfc4880bis.patch
diff --git a/gnupg-2.3.8.tar.bz2 b/gnupg-2.3.8.tar.bz2
deleted file mode 100644
index ab87c26..0000000
--- a/gnupg-2.3.8.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:540b7a40e57da261fb10ef521a282e0021532a80fd023e75fb71757e8a4969ed
-size 7644926
diff --git a/gnupg-2.3.8.tar.bz2.sig b/gnupg-2.3.8.tar.bz2.sig
deleted file mode 100644
index cf362c596cfba1af7147ffbb690b7138f5abc05793f0f1820b62731a3dd04f61..0000000000000000000000000000000000000000000000000000000000000000
GIT binary patch literal 0 HcmV?d00001 literal 119 zcmeAuWnmEGV2~A4WXWBXm$E!p!y#PSlPRcU`VKV*t6Qv0$sX398MrtFU?TsXGcw$g zHrzS){lqH|j=sC^{zz)=GUgxqE<9fODU`Fi`QR(vH4OjL+3kNhsW=q1xCSl0)sZW8 VL0x~5P~&++&U?QfUNkLa0RYLSGll>F
diff --git a/gnupg-2.4.2.tar.bz2 b/gnupg-2.4.2.tar.bz2
new file mode 100644
index 0000000..53d7424
--- /dev/null
+++ b/gnupg-2.4.2.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:97eb47df8ae5a3ff744f868005a090da5ab45cb48ee9836dbf5ee739a4e5cf49
+size 7346587
diff --git a/gnupg-2.4.2.tar.bz2.sig b/gnupg-2.4.2.tar.bz2.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..8cd420cad7943ec6017927487884b9180a0158a9692fd0b6e56fe6be04e6d2b3 GIT binary patch literal 119 zcmeAuWnmEGVvrS6WXWBXm$E!p!y#PSlPRcU`VKV*t6Qv0DW$IuFmQ1Sz(kauG5n8Z zR!k|LYyINeB2@+Bvd9g`Uvu7y+wl8luvoO2@XD<}85!p9HJCi-i(QAqVU?N|dmi5O U)>lkUf}5-A g10/import.c | 49 +++++++++++-------------------------------------- 1 file changed, 11 insertions(+), 38 deletions(-) -Index: gnupg-2.3.0/g10/import.c +Index: gnupg-2.4.0/g10/import.c =================================================================== ---- gnupg-2.3.0.orig/g10/import.c -+++ gnupg-2.3.0/g10/import.c -@@ -1876,7 +1876,6 @@ import_one_real (ctrl_t ctrl, +--- gnupg-2.4.0.orig/g10/import.c ++++ gnupg-2.4.0/g10/import.c +@@ -1954,7 +1954,6 @@ import_one_real (ctrl_t ctrl, size_t an; char pkstrbuf[PUBKEY_STRING_SIZE]; int merge_keys_done = 0; @@ -29,7 +29,7 @@ Index: gnupg-2.3.0/g10/import.c KEYDB_HANDLE hd = NULL; if (r_valid) -@@ -1913,14 +1912,6 @@ import_one_real (ctrl_t ctrl, +@@ -1991,14 +1990,6 @@ import_one_real (ctrl_t ctrl, log_printf ("\n"); } @@ -44,13 +44,12 @@ Index: gnupg-2.3.0/g10/import.c if (screener && screener (keyblock, screener_arg)) { log_error (_("key %s: %s\n"), keystr_from_pk (pk), -@@ -1999,19 +1990,10 @@ import_one_real (ctrl_t ctrl, - xfree(user); +@@ -2078,18 +2069,10 @@ import_one_real (ctrl_t ctrl, } } -- + - /* Delete invalid parts and bail out if there are no user ids left. */ -- if (!delete_inv_parts (ctrl, keyblock, keyid, options)) +- if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs)) - { - if (!silent) - { 
@@ -64,11 +63,11 @@ Index: gnupg-2.3.0/g10/import.c + /* Delete invalid parts, and note if we have any valid ones left. + * We will later abort import if this key is new but contains + * no valid uids. */ -+ delete_inv_parts (ctrl, keyblock, keyid, options); ++ delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs); /* Get rid of deleted nodes. */ commit_kbnode (&keyblock); -@@ -2021,24 +2003,11 @@ import_one_real (ctrl_t ctrl, +@@ -2099,24 +2082,11 @@ import_one_real (ctrl_t ctrl, { apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid); commit_kbnode (&keyblock); @@ -93,7 +92,7 @@ Index: gnupg-2.3.0/g10/import.c } /* The keyblock is valid and ready for real import. */ -@@ -2096,6 +2065,13 @@ import_one_real (ctrl_t ctrl, +@@ -2174,6 +2144,13 @@ import_one_real (ctrl_t ctrl, err = 0; stats->skipped_new_keys++; } diff --git a/gnupg-allow-large-rsa.patch b/gnupg-allow-large-rsa.patch new file mode 100644 index 0000000..b2ebc1e --- /dev/null +++ b/gnupg-allow-large-rsa.patch @@ -0,0 +1,13 @@ +Index: gnupg-2.4.0/g10/keygen.c +=================================================================== +--- gnupg-2.4.0.orig/g10/keygen.c ++++ gnupg-2.4.0/g10/keygen.c +@@ -2461,7 +2461,7 @@ get_keysize_range (int algo, unsigned in + + default: + *min = opt.compliance == CO_DE_VS ? 2048: 1024; +- *max = 4096; ++ *max = opt.flags.large_rsa == 1 ? 8192 : 4096; + def = 3072; + break; + } diff --git a/gnupg-revert-rfc4880bis.patch b/gnupg-revert-rfc4880bis.patch new file mode 100644 index 0000000..6693bbd --- /dev/null +++ b/gnupg-revert-rfc4880bis.patch 
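Review bot: The added `gnupg-allow-large-rsa.patch` starts directly at its `Index:` line with no header, so the file itself records neither why the keygen size limit is raised nor whether the change was offered upstream. A few header lines before `Index:` would carry that, for example the wording already used for this patch in the spec file, `PATCH-FIX-SUSE Allow 8192 bit RSA keys in keygen UI when large_rsa is set`, plus an upstream-status line. In the changed line itself, `opt.flags.large_rsa == 1 ? 8192 : 4096` reads more plainly as `opt.flags.large_rsa ? 8192 : 4096`, assuming large_rsa is a boolean flag, which the hunk does not show. get_keysize_range starts and ends outside the hunk.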
@@ -0,0 +1,202 @@ +From 4583f4fe2e11b3dd070066628c3f16776cc74f72 Mon Sep 17 00:00:00 2001 +From: Werner Koch +Date: Mon, 31 Oct 2022 16:14:18 +0100 +Subject: [PATCH GnuPG] gpg: Merge --rfc4880bis features into --gnupg + +* g10/gpg.c (oRFC4880bis): Remove. +(opts): Make --rfc4880bis a Noop. +(compliance_options): Make rfc4880bis to gnupg. +(set_compliance_option): Remove rfc4880bis stuff. +(main): Ditto. Note that this now activates the --mimemode option. +* g10/keygen.c (keygen_set_std_prefs): Remove rfc4880bis protection. +(keygen_upd_std_prefs): Always announce support for v5 keys. +(read_parameter_file): Activate the v4 and v5 keywords. +-- + +Index: gnupg-2.4.1/g10/gpg.c +=================================================================== +--- gnupg-2.4.1.orig/g10/gpg.c ++++ gnupg-2.4.1/g10/gpg.c +@@ -247,6 +247,7 @@ enum cmd_and_opt_values + oGnuPG, + oRFC2440, + oRFC4880, ++ oRFC4880bis, + oOpenPGP, + oPGP7, + oPGP8, +@@ -636,6 +637,7 @@ static gpgrt_opt_t opts[] = { + ARGPARSE_s_n (oGnuPG, "no-pgp8", "@"), + ARGPARSE_s_n (oRFC2440, "rfc2440", "@"), + ARGPARSE_s_n (oRFC4880, "rfc4880", "@"), ++ ARGPARSE_s_n (oRFC4880bis, "rfc4880bis", "@"), + ARGPARSE_s_n (oOpenPGP, "openpgp", N_("use strict OpenPGP behavior")), + ARGPARSE_s_n (oPGP7, "pgp6", "@"), + ARGPARSE_s_n (oPGP7, "pgp7", "@"), +@@ -978,7 +980,6 @@ static gpgrt_opt_t opts[] = { + ARGPARSE_s_n (oNoop, "no-allow-multiple-messages", "@"), + ARGPARSE_s_s (oNoop, "aead-algo", "@"), + ARGPARSE_s_s (oNoop, "personal-aead-preferences","@"), +- ARGPARSE_s_n (oNoop, "rfc4880bis", "@"), + ARGPARSE_s_n (oNoop, "override-compliance-check", "@"), + + +@@ -2227,7 +2228,7 @@ static struct gnupg_compliance_option co + { + { "gnupg", oGnuPG }, + { "openpgp", oOpenPGP }, +- { "rfc4880bis", oGnuPG }, ++ { "rfc4880bis", oRFC4880bis }, + { "rfc4880", oRFC4880 }, + { "rfc2440", oRFC2440 }, + { "pgp6", oPGP7 }, +@@ -2243,8 +2244,28 @@ static struct gnupg_compliance_option co + static void + set_compliance_option (enum 
cmd_and_opt_values option) + { ++ opt.flags.rfc4880bis = 0; /* Clear because it is initially set. */ ++ + switch (option) + { ++ case oRFC4880bis: ++ opt.flags.rfc4880bis = 1; ++ opt.compliance = CO_RFC4880; ++ opt.flags.dsa2 = 1; ++ opt.flags.require_cross_cert = 1; ++ opt.rfc2440_text = 0; ++ opt.allow_non_selfsigned_uid = 1; ++ opt.allow_freeform_uid = 1; ++ opt.escape_from = 1; ++ opt.not_dash_escaped = 0; ++ opt.def_cipher_algo = 0; ++ opt.def_digest_algo = 0; ++ opt.cert_digest_algo = 0; ++ opt.compress_algo = -1; ++ opt.s2k_mode = 3; /* iterated+salted */ ++ opt.s2k_digest_algo = DIGEST_ALGO_SHA256; ++ opt.s2k_cipher_algo = CIPHER_ALGO_AES256; ++ break; + case oOpenPGP: + case oRFC4880: + /* This is effectively the same as RFC2440, but with +@@ -2288,6 +2309,7 @@ set_compliance_option (enum cmd_and_opt_ + case oPGP8: opt.compliance = CO_PGP8; break; + case oGnuPG: + opt.compliance = CO_GNUPG; ++ opt.flags.rfc4880bis = 1; + break; + + case oDE_VS: +@@ -2490,6 +2512,7 @@ main (int argc, char **argv) + opt.emit_version = 0; + opt.weak_digests = NULL; + opt.compliance = CO_GNUPG; ++ opt.flags.rfc4880bis = 1; + + /* Check special options given on the command line. */ + orig_argc = argc; +@@ -3032,6 +3055,7 @@ main (int argc, char **argv) + case oOpenPGP: + case oRFC2440: + case oRFC4880: ++ case oRFC4880bis: + case oPGP7: + case oPGP8: + case oGnuPG: +@@ -3868,6 +3892,11 @@ main (int argc, char **argv) + if( may_coredump && !opt.quiet ) + log_info(_("WARNING: program may create a core file!\n")); + ++ if (!opt.flags.rfc4880bis) ++ { ++ opt.mimemode = 0; /* This will use text mode instead. */ ++ } ++ + if (eyes_only) { + if (opt.set_filename) + log_info(_("WARNING: %s overrides %s\n"), +@@ -4084,7 +4113,7 @@ main (int argc, char **argv) + /* Check our chosen algorithms against the list of legal + algorithms. 
*/ + +- if(!GNUPG) ++ if(!GNUPG && !opt.flags.rfc4880bis) + { + const char *badalg=NULL; + preftype_t badtype=PREFTYPE_NONE; +Index: gnupg-2.4.1/g10/keygen.c +=================================================================== +--- gnupg-2.4.1.orig/g10/keygen.c ++++ gnupg-2.4.1/g10/keygen.c +@@ -404,7 +404,7 @@ keygen_set_std_prefs (const char *string + strcat(dummy_string,"S7 "); + strcat(dummy_string,"S2 "); /* 3DES */ + +- if (!openpgp_aead_test_algo (AEAD_ALGO_OCB)) ++ if (opt.flags.rfc4880bis && !openpgp_aead_test_algo (AEAD_ALGO_OCB)) + strcat(dummy_string,"A2 "); + + if (personal) +@@ -889,7 +889,7 @@ keygen_upd_std_prefs (PKT_signature *sig + /* Make sure that the MDC feature flag is set if needed. */ + add_feature_mdc (sig,mdc_available); + add_feature_aead (sig, aead_available); +- add_feature_v5 (sig, 1); ++ add_feature_v5 (sig, opt.flags.rfc4880bis); + add_keyserver_modify (sig,ks_modify); + keygen_add_keyserver_url(sig,NULL); + +@@ -3382,7 +3382,10 @@ parse_key_parameter_part (ctrl_t ctrl, + } + } + else if (!ascii_strcasecmp (s, "v5")) +- keyversion = 5; ++ { ++ if (opt.flags.rfc4880bis) ++ keyversion = 5; ++ } + else if (!ascii_strcasecmp (s, "v4")) + keyversion = 4; + else +@@ -3641,7 +3644,7 @@ parse_key_parameter_part (ctrl_t ctrl, + * ecdsa := Use algorithm ECDSA. + * eddsa := Use algorithm EdDSA. + * ecdh := Use algorithm ECDH. +- * v5 := Create version 5 key ++ * v5 := Create version 5 key (requires option --rfc4880bis) + * + * There are several defaults and fallbacks depending on the + * algorithm. PART can be used to select which part of STRING is +@@ -4513,9 +4516,9 @@ read_parameter_file (ctrl_t ctrl, const + } + } + +- if ((keywords[i].key == pVERSION +- || keywords[i].key == pSUBVERSION)) +- ; /* Ignore version. */ ++ if (!opt.flags.rfc4880bis && (keywords[i].key == pVERSION ++ || keywords[i].key == pSUBVERSION)) ++ ; /* Ignore version unless --rfc4880bis is active. 
*/ + else + { + r = xmalloc_clear( sizeof *r + strlen( value ) ); +@@ -4610,11 +4613,14 @@ quickgen_set_para (struct para_data_s *p + para = r; + } + +- r = xmalloc_clear (sizeof *r + 20); +- r->key = for_subkey? pSUBVERSION : pVERSION; +- snprintf (r->u.value, 20, "%d", version); +- r->next = para; +- para = r; ++ if (opt.flags.rfc4880bis) ++ { ++ r = xmalloc_clear (sizeof *r + 20); ++ r->key = for_subkey? pSUBVERSION : pVERSION; ++ snprintf (r->u.value, 20, "%d", version); ++ r->next = para; ++ para = r; ++ } + + if (keytime) + { diff --git a/gpg2.changes b/gpg2.changes index da1913e..87782d9 100644 --- a/gpg2.changes +++ b/gpg2.changes 
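Review bot: The patch header still carries the upstream commit message for "gpg: Merge --rfc4880bis features into --gnupg" (`(oRFC4880bis): Remove.`, "Always announce support for v5 keys"), but the hunks apply that commit in reverse: they add `oRFC4880bis` back and gate the OCB preference, the v5 feature flag and the version keywords on `opt.flags.rfc4880bis`. The header should say so, for example `Subject: [PATCH] Revert "gpg: Merge --rfc4880bis features into --gnupg"`, followed by a line naming the reverted upstream commit. Note also that main() initialises `opt.flags.rfc4880bis = 1` and the `oGnuPG` case in set_compliance_option sets it again, so in the default compliance mode the gated features appear to stay enabled, and only a compliance option other than `--gnupg` or `--rfc4880bis` clears the flag. If the intent recorded in gpg2.changes is that key generation avoids these features unless `--rfc4880bis` is given, that default needs a second look.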
@@ -1,3 +1,180 @@ +------------------------------------------------------------------- +Tue May 30 19:37:39 UTC 2023 - Pedro Monreal + +- Update to 2.4.2: + * gpg: Print a warning if no more encryption subkeys are left over + after changing the expiration date. [rGef2c3d50fa] + * gpg: Fix searching for the ADSK key when adding an ADSK. [T6504] + * gpgsm: Speed up key listings on Windows. [rG08ff55bd44] + * gpgsm: Reduce the number of "failed to open policy file" + diagnostics. [rG68613a6a9d] + * agent: Make updating of private key files more robust and track + display S/N. [T6135] + * keyboxd: Avoid longish delays on Windows when listing keys. + [rG6944aefa3c] + * gpgtar: Emit extra status lines to help GPGME. [T6497] + * w32: Avoid using the VirtualStore. [T6403] + * Rebase gnupg-add_legacy_FIPS_mode_option.patch + +------------------------------------------------------------------- +Fri Apr 28 11:58:06 UTC 2023 - Pedro Monreal + +- Update to 2.4.1: + * If the ~/.gnupg directory does not exist, the keyboxd is now + automagically enabled. [rGd9e7488b17] + * gpg: New option --add-desig-revoker. [rG3d094e2bcf] + * gpg: New option --assert-signer. [rGc9e95b8dee] + * gpg: New command --quick-add-adsk and other ADSK features. + [T6395, https://gnupg.org/blog/20230321-adsk.html] + * gpg: New list-option "show-unusable-sigs". Also show "[self-signature]" + instead of the user-id in key signature listings. [rG103acfe9ca] + * gpg: For symmetric encryption the default S2K hash is now SHA256. [T6367] + * gpg: Detect already compressed data also when using a pipe. Also + detect JPEG and PNG file formats. [T6332] + * gpg: New subcommand "openpgp" for --card-edit. [T6462] + * gpgsm: Verification of detached signatures does now strip trailing + zeroes from the input if --assume-binary is used. [rG2a13f7f9dc] + * gpgsm: Non-armored detached signature are now created without + using indefinite form length octets. 
This improves compatibility + with some PDF signature verification software. [rG8996b0b655] + * gpgtar: Emit progress status lines in create mode. [T6363] + * dirmngr: The LDAP modifyTimestamp is now returned by some + keyserver commands. [rG56d309133f] + * ssh: Allow specification of the order keys are presented to ssh. + See the man page entry for --enable-ssh-support. [T5996, T6212] + * gpg: Make list-options "show-sig-subpackets" work again. + Fixes regression in 2.4.0. [rG5a223303d7] + * gpg: Fix the keytocard command for Yubikeys. [T6378] + * gpg: Do not continue an export after a cancel for the primary key. [T6093] + * gpg: Replace the --override-compliance-check hack by a real fix. [T5655] + * gpgtar: Fix decryption with input taken from stdin. [T6355] + * Rebase patches: + - gnupg-revert-rfc4880bis.patch + - gnupg-add_legacy_FIPS_mode_option.patch + * Remove patch fixed upstream: + - gnupg-tests-Fix-tests-gpgme-for-in-source-tree-builds.patch + +------------------------------------------------------------------- +Fri Mar 10 09:03:00 UTC 2023 - Pedro Monreal + +- Temporarily revert back to the pre-2.4 default for key generation. + The new rfc4880bis has been set as the default in 2.4 version and + might create incompatible keys. Note that, rfc4880bis can still + be used with the option flag --rfc4880bis as in previous versions. + * More info in the gnupg-devel ML: + https://lists.gnupg.org/pipermail/gnupg-devel/2022-December/035183.html + * Reverted commit https://dev.gnupg.org/rGcaf4b3fc16e9 + * Add gnupg-revert-rfc4880bis.patch + +------------------------------------------------------------------- +Fri Mar 10 08:42:02 UTC 2023 - Pedro Monreal + +- Allow 8192 bit RSA keys in keygen UI when large_rsa is set + * Add gnupg-allow-large-rsa.patch + +------------------------------------------------------------------- +Tue Feb 7 08:58:03 UTC 2023 - Pedro Monreal + +- Fix the regression test suite fails with the IBM TPM Software + stack. 
Builds fine using the Intel TPM; use the swtpm and + tpm2-0-tss-devel packages instead of ibmswtpm2 and ibmtss-devel. + +------------------------------------------------------------------- +Wed Jan 11 11:15:54 UTC 2023 - Pedro Monreal + +- Fix broken GPGME QT tests: Upstram dev task dev.gnupg.org/T6313 + * The original patch has been modified to expand the changes + also to the tests/gpgme/Makefile.in file. + * Add gnupg-tests-Fix-tests-gpgme-for-in-source-tree-builds.patch + +------------------------------------------------------------------- +Tue Dec 20 16:01:05 UTC 2022 - David Anes + +- Updated to require libgpg-error-devel >= 1.46 + +- Rebased patches: + * gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch + * gnupg-add_legacy_FIPS_mode_option.patch + +- GnuPG 2.4.0: + * common: Fix translations in --help for gpgrt < 1.47. + * gpg: Do not continue the export after a cancel for the primary key. + * gpg: Replace use of PRIu64 in log_debug. + * Update NEWS for 2.4.0. + * tests: Fix make check with GPGME. + * agent: Allow arguments to "scd serialno" in restricted mode. + * scd:p15: Skip deleted records. + * build: Remove Windows CE support. + * wkd: Do not send/install/mirror expired user ids. + * gpgsm: Print the revocation time also with --verify. + * gpgsm: Fix "problem re-searching certificate" case. + * gpgsm: Print revocation date and reason in cert listings. + * gpgsm: Silence the "non-critical certificate policy not allowed". + * gpgsm: Always use the chain model if the root-CA requests this. + * gpg: New export option "mode1003". + * gpg: Remove a mostly duplicated function. + * tests: Simplify fake-pinentry to use the option only. + * tests: Fix fake-pinentry for Windows. + * tests: Fix make check-all. + * agent: Fix import of protected v5 keys. + * gpgsm: Change default algo to AES-256. + * tests: Put a workaround for semihosted environment. + * tests: More fix for semihosted environment. + * tests: Support semihosted environment. 
+ * tests: Fix tests under cms. + * tests,w32: Fix for semihosted environment. + * w32: Fix for tests on semihosted environment. + * w32: Fix gnupg_unsetenv. + * wkd: New option --add-revocs and some fixes. + * wkd: Make use of --debug extprog. + * gpg: New export-filter export-revocs. + * gpg: Fix double-free in gpg --card-edit. + * gpg: Make --require-compliance work with out --status-fd. + * gpg: New option --list-filter. + * dirmngr: Silence ocsp debug output. + * tests: Fix to support --enable-all-tests and variants. + * tests:w32: Fix for non-dot file name for Windows. + * tests:gpgscm:w32: Fix for GetTempPath. + * tests: Keep .log files in objdir. + * tests: Use 233 for invalid value of FD. + * w32: Fix gnupg_tmpfile for possible failure. + * scd: Redact --debug cardio output of a VERIFY APDU. + * common: Remove Windows CE support in common. + * gpgsm: Fix colon outout of ECC encryption certificates. + * scd:nks: Fix ECC signing if key not given by keygrip. + * dirmngr: Fix verification of ECDSA signed CRLs. + * agent: Allow trustlist on Windows in Unicode homedirs. + * gpg: Fix verification of cleartext signatures with overlong lines. + * gpg: Move w32_system function. + * gpg: New option --quick-update-pref. + * gpg: New list-options show-pref and show-pref-verbose. + * tests: Add tests to check that OCB is only used for capable keys. + * gpg: Make --list-packets work w/o --no-armor for plain OCB packets. + * tests: Add symmetric decryption tests. + * tests: Add tr:assert-same function. + * agent: Avoid blanks in the ssh key's comment. + * build: Update m4 files. + * gpg: Merge --rfc4880bis features into --gnupg. + * gpg: Allow only OCB for AEAD encryption. + * gpg: New option --compatibility-flags. + * gpgsm: Also announce AES256-CBC in signatures. + * gpg: Fix trusted introducer for user-ids with only the mbox. + * gpg: Import stray revocation certificates. + * agent: Automatically convert to extended key format by KEYATTR. 
+ * card: New commands "gpg" and "gpgsm". + * card: Also show fingerprints of known X.509 certificates. + * scd:nks: Support non-ESIGN signing with the Signature Card v2. + * gpgsm: Allow ECC encryption keys with just keyAgreement specified. + * gpgsm: Use macro constants for cert_usage_p. + * build: Update gpg-error.m4. + * agent,common,dirmngr,tests,tools: Remove spawn PREEXEC argument. + * gpg: Move NETLIBS after GPG_ERROR_LIBS. + * gpg: Use GCRY_KDF_ONESTEP_KDF with newer libgcrypt in future. + * common,w32: Fix struct stat on Windows. + * agent,w32: Support Win32-OpenSSH emulation by gpg-agent. + * common: Don't use FD2INT for POSIX-only code. + * dirmngr: Fix build with no LDAP support. + ------------------------------------------------------------------- Mon Oct 17 11:35:11 UTC 2022 - Pedro Monreal diff --git a/gpg2.spec b/gpg2.spec index 87c0390..2b82986 100644 --- a/gpg2.spec +++ b/gpg2.spec @@ -1,7 +1,7 @@ # # spec file for package gpg2 # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: gpg2 -Version: 2.3.8 +Version: 2.4.2 Release: 0 Summary: File encryption, decryption, signature creation and verification utility License: GPL-3.0-or-later 
@@ -39,19 +39,23 @@ Patch7: gnupg-2.2.16-secmem.patch Patch8: gnupg-accept_subkeys_with_a_good_revocation_but_no_self-sig_during_import.patch Patch9: gnupg-add-test-cases-for-import-without-uid.patch Patch10: gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch +#PATCH-FIX-SUSE Allow 8192 bit RSA keys in keygen UI when large_rsa is set +Patch11: gnupg-allow-large-rsa.patch +#PATCH-FIX-SUSE Revert the rfc4880bis features default of key generation +Patch12: gnupg-revert-rfc4880bis.patch BuildRequires: expect BuildRequires: fdupes -BuildRequires: ibmswtpm2 -BuildRequires: ibmtss-devel BuildRequires: libassuan-devel >= 2.5.0 BuildRequires: libgcrypt-devel >= 1.9.1 -BuildRequires: libgpg-error-devel >= 1.41 -BuildRequires: libksba-devel >= 1.3.4 +BuildRequires: libgpg-error-devel >= 1.46 +BuildRequires: libksba-devel >= 1.6.3 BuildRequires: makeinfo BuildRequires: npth-devel >= 1.2 BuildRequires: openldap2-devel BuildRequires: pkgconfig BuildRequires: readline-devel +BuildRequires: swtpm +BuildRequires: tpm2-0-tss-devel BuildRequires: pkgconfig(bzip2) BuildRequires: pkgconfig(gnutls) >= 3.0 BuildRequires: pkgconfig(libusb-1.0) @@ -60,6 +64,7 @@ BuildRequires: pkgconfig(zlib) # runtime dependency to support devel repository users - boo#955982 Requires: libassuan0 >= 2.5.0 Requires: libgcrypt20 >= 1.9.1 +Requires: libgpg-error >= 1.46 Requires: libksba >= 1.3.4 Requires: pinentry Recommends: dirmngr = %{version} @@ -115,6 +120,7 @@ date=$(date -u +%%Y-%%m-%%dT%%H:%%M+0000 -r %{SOURCE99}) --with-dirmngr-pgm=%{_bindir}/dirmngr \ --with-scdaemon-pgm=%{_bindir}/scdaemon \ --with-tpm2daemon-pgm=%{_bindir}/tpm2daemon \ + --disable-rpath \ --enable-ldap \ --enable-gpgsm=yes \ --enable-gpgtar \ 
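Review bot: The runtime requirement `Requires: libksba >= 1.3.4` in the `@@ -60,6 +64,7 @@` hunk is left behind while the build requirement in the `@@ -39,19 +39,23 @@` hunk moves to `libksba-devel >= 1.6.3`. The same hunk adds `Requires: libgpg-error >= 1.46` to match its build-time counterpart, so libksba is the one pair that no longer agrees. An installation could therefore pair this gpg2 with a libksba older than the one it was built and tested against. Since libksba parses certificates and CRLs for gpgsm and dirmngr, I would raise the line to `Requires: libksba >= 1.6.3`.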
@@ -123,6 +129,8 @@ date=$(date -u +%%Y-%%m-%%dT%%H:%%M+0000 -r %{SOURCE99}) --enable-wks-tools \ --with-gnu-ld \ --with-default-trust-store-file=%{_sysconfdir}/ssl/ca-bundle.pem \ + --with-tss=intel \ + --enable-all-tests \ --enable-build-timestamp=$date \ --enable-gpg-is-gpg2 
@@ -131,47 +139,51 @@ date=$(date -u +%%Y-%%m-%%dT%%H:%%M+0000 -r %{SOURCE99}) %install %make_install mkdir -p %{buildroot}%{_sysconfdir}/gnupg/ -# bnc#391347 +# install gpgconf.conf bnc#391347 install -m 644 doc/examples/gpgconf.conf %{buildroot}%{_sysconfdir}/gnupg + # delete to prevent fdupes from creating cross-partition hardlink rm -rf %{buildroot}%{_docdir}/gpg2/examples/gpgconf.conf + +# remove info dir rm %{buildroot}%{_infodir}/dir + # compat symlinks ln -sf gpg2 %{buildroot}%{_bindir}/gpg ln -sf gpgv2 %{buildroot}%{_bindir}/gpgv ln -sf gpg2.1 %{buildroot}%{_mandir}/man1/gpg.1 ln -sf gpgv2.1 %{buildroot}%{_mandir}/man1/gpgv.1 + # fix rpmlint invalid-lc-messages-dir: rm -rf %{buildroot}/%{_datadir}/locale/en@{bold,}quot + # install scdaemon to %%{_bindir} (bnc#863645) mv %{buildroot}%{_libdir}/scdaemon %{buildroot}%{_bindir} mv %{buildroot}%{_libdir}/dirmngr_ldap %{buildroot}%{_bindir} + # install tpm2daemon mv %{buildroot}%{_libdir}/tpm2daemon %{buildroot}%{_bindir} + # install udev rules for scdaemon install -Dm 0644 %{SOURCE4} %{buildroot}%{_udevrulesdir}/60-scdaemon.rules +%check +%make_build check || : + %find_lang gnupg2 %fdupes -s %{buildroot} -%check -# Run only localy, fails in OBS -#%%if ! 0%%{?qemu_user_space_build} -#make %%{?_smp_mflags} check -#%%endif - %post %udev_rules_update %files lang -f gnupg2.lang %files +%license COPYING* +%doc AUTHORS ChangeLog NEWS THANKS TODO doc/FAQ %{_infodir}/gnupg* %exclude %{_mandir}/*/dirmngr*%{ext_man} %{_mandir}/*/*%{ext_man} -%license COPYING* -%doc AUTHORS ChangeLog NEWS THANKS TODO doc/FAQ -%exclude %{_docdir}/%{name}/examples/systemd-user/dirmngr.* %doc %{_docdir}/%{name} %exclude %{_bindir}/dirmngr* %exclude %{_bindir}/tpm2daemon* @@ -188,7 +200,6 @@ install -Dm 0644 %{SOURCE4} %{buildroot}%{_udevrulesdir}/60-scdaemon.rules %files -n dirmngr %license COPYING* %{_mandir}/*/dirmngr*%{ext_man} -%{_docdir}/%{name}/examples/systemd-user/dirmngr.* %{_bindir}/dirmngr* %files tpm
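Review bot: `%make_build check || :` in the new `%check` section throws away the test suite's exit status, so a failing regression test can never fail the build, even though this same change turns on `--enable-all-tests`. For a package that ships signature verification and key handling, I would let failures stop the build with `%make_build check`, or skip only the tests known to fail in OBS and name them in a comment. As the hunk reads, `%find_lang gnupg2` and `%fdupes -s %{buildroot}` now follow the `%check` header and so seem to run as part of that section; if that is not intended, `%check` should move below them.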