From 8c6498bf40e19276e13b00da2d2a8608214012a0b32a1c0341d9ccb330aed013 Mon Sep 17 00:00:00 2001
From: Pedro Monreal Gonzalez
Date: Fri, 11 Jun 2021 09:17:32 +0000
Subject: [PATCH] Accepting request 899100 from home:AndreasStieger:branches:Base:System
- Remove the "files-are-digests" option from the openSUSE package. This feature was not upstream and only used in the OBS signing daemon. The recommended upstream feature for separating the data to be signed from the private keys is gpg agent forwarding, available from 2.1. Drop gnupg-2.2.8-files-are-digests.patch
OBS-URL: https://build.opensuse.org/request/show/899100
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=265
---
 gnupg-2.2.8-files-are-digests.patch | 200 ----------------------------
 gpg2.changes | 9 ++
 gpg2.spec | 4 -
 3 files changed, 9 insertions(+), 204 deletions(-)
 delete mode 100644 gnupg-2.2.8-files-are-digests.patch
diff --git a/gnupg-2.2.8-files-are-digests.patch b/gnupg-2.2.8-files-are-digests.patch
deleted file mode 100644
index 92992b2..0000000
--- a/gnupg-2.2.8-files-are-digests.patch
+++ /dev/null
@@ -1,200 +0,0 @@ ---- - g10/gpg.c | 4 +++ - g10/options.h | 1 - g10/sign.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++------ - 3 files changed, 67 insertions(+), 6 deletions(-) - -Index: gnupg-2.2.27/g10/gpg.c -=================================================================== ---- gnupg-2.2.27.orig/g10/gpg.c -+++ gnupg-2.2.27/g10/gpg.c -@@ -382,6 +382,7 @@ enum cmd_and_opt_values - oTTYtype, - oLCctype, - oLCmessages, -+ oFilesAreDigests, - oXauthority, - oGroup, - oUnGroup, -@@ -838,6 +839,7 @@ static ARGPARSE_OPTS opts[] = { - ARGPARSE_s_s (oWeakDigest, "weak-digest","@"), - ARGPARSE_s_n (oUnwrap, "unwrap", "@"), - ARGPARSE_s_n (oOnlySignTextIDs, "only-sign-text-ids", "@"), -+ ARGPARSE_s_n (oFilesAreDigests, "files-are-digests", "@"), - - /* Aliases. I constantly mistype these, and assume other people do - as well. */ -@@ -2372,6 +2374,7 @@ main (int argc, char **argv) - opt.def_cert_expire = "0"; - gnupg_set_homedir (NULL); - opt.passphrase_repeat = 1; -+ opt.files_are_digests=0; - opt.emit_version = 0; - opt.weak_digests = NULL; - -@@ -2944,6 +2947,7 @@ main (int argc, char **argv) - opt.verify_options&=~VERIFY_SHOW_PHOTOS; - break; - case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break; -+ case oFilesAreDigests: opt.files_are_digests = 1; break; - - case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break; - case oIncludeKeyBlock: opt.flags.include_key_block = 1; break; -Index: gnupg-2.2.27/g10/options.h -=================================================================== ---- gnupg-2.2.27.orig/g10/options.h -+++ gnupg-2.2.27/g10/options.h -@@ -202,6 +202,7 @@ struct - int no_auto_check_trustdb; - int preserve_permissions; - int no_homedir_creation; -+ int files_are_digests; - struct groupitem *grouplist; - int mangle_dos_filenames; - int enable_progress_filter; -Index: gnupg-2.2.27/g10/sign.c -=================================================================== ---- gnupg-2.2.27.orig/g10/sign.c -+++ gnupg-2.2.27/g10/sign.c -@@ 
-43,6 +43,8 @@ - #include "../common/mbox-util.h" - #include "../common/compliance.h" - -+#include "../common/host2net.h" -+ - #ifdef HAVE_DOSISH_SYSTEM - #define LF "\r\n" - #else -@@ -844,6 +846,8 @@ write_signature_packets (ctrl_t ctrl, - if (duration || opt.sig_policy_url - || opt.sig_notations || opt.sig_keyserver_url) - sig->version = 4; -+ else if (opt.files_are_digests) -+ sig->version = 3; - else - sig->version = pk->version; - -@@ -872,8 +876,12 @@ write_signature_packets (ctrl_t ctrl, - } - else - err = 0; /* Actually never reached. */ -+ if (!opt.files_are_digests) { - hash_sigversion_to_magic (md, sig); - gcry_md_final (md); -+ } else if (sig->version >= 4) { -+ log_bug("files-are-digests doesn't work with v4 sigs\n"); -+ } - - if (!err) - err = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce, 0); -@@ -937,6 +945,8 @@ sign_file (ctrl_t ctrl, strlist_t filena - SK_LIST sk_rover = NULL; - int multifile = 0; - u32 duration=0; -+ int sigclass = 0x00; -+ u32 timestamp = 0; - - pfx = new_progress_context (); - afx = new_armor_context (); -@@ -954,7 +964,16 @@ sign_file (ctrl_t ctrl, strlist_t filena - fname = NULL; - - if( fname && filenames->next && (!detached || encryptflag) ) -- log_bug("multiple files can only be detached signed"); -+ log_bug("multiple files can only be detached signed\n"); -+ -+ if (opt.files_are_digests && (multifile || !fname)) -+ log_bug("files-are-digests only works with one file\n"); -+ if (opt.files_are_digests && !detached) -+ log_bug("files-are-digests can only write detached signatures\n"); -+ if (opt.files_are_digests && !opt.def_digest_algo) -+ log_bug("files-are-digests needs --digest-algo\n"); -+ if (opt.files_are_digests && opt.textmode) -+ log_bug("files-are-digests doesn't work with --textmode\n"); - - if(encryptflag==2 - && (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek))) -@@ -975,7 +994,7 @@ sign_file (ctrl_t ctrl, strlist_t filena - goto leave; - - /* prepare iobufs */ -- if( multifile ) /* have list of 
filenames */ -+ if( multifile || opt.files_are_digests) /* have list of filenames */ - inp = NULL; /* we do it later */ - else { - inp = iobuf_open(fname); -@@ -1124,7 +1143,7 @@ sign_file (ctrl_t ctrl, strlist_t filena - for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next) - gcry_md_enable (mfx.md, hash_for (sk_rover->pk)); - -- if( !multifile ) -+ if( !multifile && !opt.files_are_digests ) - iobuf_push_filter( inp, md_filter, &mfx ); - - if( detached && !encryptflag) -@@ -1179,6 +1198,8 @@ sign_file (ctrl_t ctrl, strlist_t filena - - write_status_begin_signing (mfx.md); - -+ sigclass = opt.textmode && !outfile? 0x01 : 0x00; -+ - /* Setup the inner packet. */ - if( detached ) { - if( multifile ) { -@@ -1219,6 +1240,45 @@ sign_file (ctrl_t ctrl, strlist_t filena - if( opt.verbose ) - log_printf ("\n"); - } -+ else if (opt.files_are_digests) { -+ byte *mdb, ts[5]; -+ size_t mdlen; -+ const char *fp; -+ int c, d; -+ -+ gcry_md_final(mfx.md); -+ /* this assumes gcry_md_read returns the same buffer */ -+ mdb = gcry_md_read(mfx.md, opt.def_digest_algo); -+ mdlen = gcry_md_get_algo_dlen(opt.def_digest_algo); -+ if (strlen(fname) != mdlen * 2 + 11) -+ log_bug("digests must be %d + @ + 5 bytes\n", mdlen); -+ d = -1; -+ for (fp = fname ; *fp; ) { -+ c = *fp++; -+ if (c >= '0' && c <= '9') -+ c -= '0'; -+ else if (c >= 'a' && c <= 'f') -+ c -= 'a' - 10; -+ else if (c >= 'A' && c <= 'F') -+ c -= 'A' - 10; -+ else -+ log_bug("filename is not hex\n"); -+ if (d >= 0) { -+ *mdb++ = d << 4 | c; -+ c = -1; -+ if (--mdlen == 0) { -+ mdb = ts; -+ if (*fp++ != '@') -+ log_bug("missing time separator\n"); -+ } -+ } -+ d = c; -+ } -+ sigclass = ts[0]; -+ if (sigclass != 0x00 && sigclass != 0x01) -+ log_bug("bad cipher class\n"); -+ timestamp = buf32_to_u32(ts + 1); -+ } - else { - /* read, so that the filter can calculate the digest */ - while( iobuf_get(inp) != -1 ) -@@ -1237,8 +1297,8 @@ sign_file (ctrl_t ctrl, strlist_t filena - - /* write the signatures */ - rc = 
write_signature_packets (ctrl, sk_list, out, mfx.md,
-- opt.textmode && !outfile? 0x01 : 0x00,
-+ sigclass,
-+ timestamp, duration, detached ? 'D':'S', NULL);
- if( rc )
- goto leave;
-
diff --git a/gpg2.changes b/gpg2.changes
index 83c03a1..8cd6050 100644
--- a/gpg2.changes
+++ b/gpg2.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Apr 7 20:56:23 UTC 2021 - Andreas Stieger
+
+- Remove the "files-are-digests" option from the openSUSE package.
+ This feature was not upstream and only used in the OBS signing
+ daemon. The recommended upstream feature for separating the data
+ to be signed from the private keys is gpg agent forwarding,
+ available from 2.1. Drop gnupg-2.2.8-files-are-digests.patch
+
 -------------------------------------------------------------------
 Tue Jan 12 22:45:11 UTC 2021 - Andreas Stieger
diff --git a/gpg2.spec b/gpg2.spec
index 3c8c658..53739ec 100644
--- a/gpg2.spec
+++ b/gpg2.spec
@@ -30,7 +30,6 @@ Source3: %{name}.keyring
 Source4: scdaemon.udev
 Source99: %{name}.changes
 Patch4: gnupg-2.0.9-langinfo.patch
-Patch5: gnupg-2.2.8-files-are-digests.patch
 Patch6: gnupg-dont-fail-with-seahorse-agent.patch
 Patch8: gnupg-set_umask_before_open_outfile.patch
 Patch9: gnupg-detect_FIPS_mode.patch
@@ -65,8 +64,6 @@ Recommends: dirmngr = %{version}
 Provides: gnupg = %{version}
 Provides: gpg = 1.4.9
 Provides: newpg
-# special feature needed for OBS signd
-Provides: gpg2_signd_support
 Obsoletes: gpg < 1.4.9
 %description
@@ -94,7 +91,6 @@ gpgsm, or via the gpg-connect-agent tool.
 %setup -q -n gnupg-%{version}
 %patch1124847 -p1
 %patch4 -p1
-%patch5 -p1
 %patch6 -p1
 %patch8 -p1
 %patch9 -p1