diff --git a/gnupg-2.3.7-scd-openpgp-Fix-workaround-for-Yubikey-heuristics.patch b/gnupg-2.3.7-scd-openpgp-Fix-workaround-for-Yubikey-heuristics.patch
deleted file mode 100644
index 50b048e..0000000
--- a/gnupg-2.3.7-scd-openpgp-Fix-workaround-for-Yubikey-heuristics.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From f34b9147eb3070bce80d53febaa564164cd6c977 Mon Sep 17 00:00:00 2001
-From: NIIBE Yutaka
-Date: Wed, 13 Jul 2022 10:40:55 +0900
-Subject: [PATCH] scd:openpgp: Fix workaround for Yubikey heuristics.
-References: https://bugzilla.opensuse.org/show_bug.cgi?id=1202201
-
-* scd/app-openpgp.c (parse_algorithm_attribute): Handle the case
-of firmware 5.4, too.
-
---
-
-GnuPG-bug-id: 6070
-Signed-off-by: NIIBE Yutaka
----
- scd/app-openpgp.c | 29 +++++++++++++++++++++--------
- 1 file changed, 21 insertions(+), 8 deletions(-)
-
-diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c
-index 8bb346a86..4667416df 100644
---- a/scd/app-openpgp.c
-+++ b/scd/app-openpgp.c
-@@ -6259,15 +6259,28 @@ parse_algorithm_attribute (app_t app, int keyno)
- app->app_local->keyattr[keyno].ecc.algo = *buffer;
- app->app_local->keyattr[keyno].ecc.flags = 0;
-
-- if (APP_CARD(app)->cardtype == CARDTYPE_YUBIKEY
-- || buffer[buflen-1] == 0x00 || buffer[buflen-1] == 0xff)
-- { /* Found "pubkey required"-byte for private key template. */
-- oidlen--;
-- if (buffer[buflen-1] == 0xff)
-- app->app_local->keyattr[keyno].ecc.flags |= ECC_FLAG_PUBKEY;
-+ if (APP_CARD(app)->cardtype == CARDTYPE_YUBIKEY)
-+ {
-+ /* Yubikey implementations vary.
-+ * Firmware version 5.2 returns "pubkey required"-byte with
-+ * 0x00, but after removal and second time insertion, it
-+ * returns bogus value there.
-+ * Firmware version 5.4 returns none.
-+ */
-+ curve = ecc_curve (buffer + 1, oidlen);
-+ if (!curve)
-+ curve = ecc_curve (buffer + 1, oidlen - 1);
-+ }
-+ else
-+ {
-+ if (buffer[buflen-1] == 0x00 || buffer[buflen-1] == 0xff)
-+ { /* Found "pubkey required"-byte for private key template. */
-+ oidlen--;
-+ if (buffer[buflen-1] == 0xff)
-+ app->app_local->keyattr[keyno].ecc.flags |= ECC_FLAG_PUBKEY;
-+ }
-+ curve = ecc_curve (buffer + 1, oidlen);
- }
---
--- curve = ecc_curve (buffer + 1, oidlen);
-
- if (!curve)
- {
---
-2.37.1
-
diff --git a/gnupg-2.3.7.tar.bz2 b/gnupg-2.3.7.tar.bz2
deleted file mode 100644
index f5ee5ef..0000000
--- a/gnupg-2.3.7.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ee163a5fb9ec99ffc1b18e65faef8d086800c5713d15a672ab57d3799da83669
-size 7599853
diff --git a/gnupg-2.3.7.tar.bz2.sig b/gnupg-2.3.7.tar.bz2.sig
deleted file mode 100644
index bdfdc3f..0000000
Binary files a/gnupg-2.3.7.tar.bz2.sig and /dev/null differ
diff --git a/gnupg-2.3.8.tar.bz2 b/gnupg-2.3.8.tar.bz2
new file mode 100644
index 0000000..ab87c26
--- /dev/null
+++ b/gnupg-2.3.8.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:540b7a40e57da261fb10ef521a282e0021532a80fd023e75fb71757e8a4969ed
+size 7644926
diff --git a/gnupg-2.3.8.tar.bz2.sig b/gnupg-2.3.8.tar.bz2.sig
new file mode 100644
index 0000000..cf362c5
Binary files /dev/null and b/gnupg-2.3.8.tar.bz2.sig differ
diff --git a/gnupg-detect_FIPS_mode.patch b/gnupg-detect_FIPS_mode.patch
index 81aa96b..025a611 100644
--- a/gnupg-detect_FIPS_mode.patch
+++ b/gnupg-detect_FIPS_mode.patch
@@ -1,34 +1,18 @@
-Index: gnupg-2.1.1/g10/encrypt.c
+Index: gnupg-2.3.8/g10/mainproc.c
 ===================================================================
---- gnupg-2.1.1.orig/g10/encrypt.c
-+++ gnupg-2.1.1/g10/encrypt.c
-@@ -783,7 +783,10 @@ encrypt_filter (void *opaque, int contro
- /* Because 3DES is implicitly in the prefs, this can
- only happen if we do not have any public keys in
- the list. */
-- efx->cfx.dek->algo = DEFAULT_CIPHER_ALGO;
-+ /* Libgcrypt manual says that gcry_version_check must be called
-+ before calling gcry_fips_mode_active. */
-+ gcry_check_version (NULL);
-+ efx->cfx.dek->algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : DEFAULT_CIPHER_ALGO;
- }
-
- /* In case 3DES has been selected, print a warning if
-Index: gnupg-2.1.1/g10/mainproc.c
-===================================================================
---- gnupg-2.1.1.orig/g10/mainproc.c
-+++ gnupg-2.1.1/g10/mainproc.c
-@@ -719,7 +719,12 @@ proc_plaintext( CTX c, PACKET *pkt )
+--- gnupg-2.3.8.orig/g10/mainproc.c
++++ gnupg-2.3.8/g10/mainproc.c
+@@ -1011,7 +1011,12 @@ proc_plaintext( CTX c, PACKET *pkt )
 according to 2440, so hopefully it won't come up that often.
 There is no good way to specify what algorithms to use in
 that case, so these there are the historical answer. */
 - gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
 +
 + /* Libgcrypt manual says that gcry_version_check must be called
-+ before calling gcry_fips_mode_active. */
++ * before calling gcry_fips_mode_active. */
 + gcry_check_version (NULL);
-+ if( !gcry_fips_mode_active() )
-+ gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
++ if(!gcry_fips_mode_active())
++ gcry_md_enable(c->mfx.md, DIGEST_ALGO_RMD160);
 gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
 }
 if (DBG_HASHING)
diff --git a/gpg2.changes b/gpg2.changes
index 3039bd1..da1913e 100644
--- a/gpg2.changes
+++ b/gpg2.changes
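Review bot: The comment carried onto the new side of the mainproc.c hunk still names `gcry_version_check`, while the call two lines below is `gcry_check_version (NULL)`; since the rebase already rewrites the comment's continuation line, the first line should be corrected as well, to `/* Libgcrypt manual says that gcry_check_version must be called`. The rewritten lines `if(!gcry_fips_mode_active())` and `gcry_md_enable(c->mfx.md, DIGEST_ALGO_RMD160);` drop the space before the parenthesis that the surrounding GnuPG code uses (compare the context line `gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);`), so `if (!gcry_fips_mode_active ())` and `gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);` would read consistently. The rebase also silently drops the former encrypt.c hunk that forced CIPHER_ALGO_AES whenever FIPS mode was active; presumably 2.3.8 no longer needs it, but that reasoning belongs in the gpg2.changes entry rather than the bare word "Rebase", since a reviewer otherwise cannot tell a deliberate drop from a lost hunk. proc_plaintext begins and ends outside the hunk.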
@@ -1,3 +1,41 @@
+-------------------------------------------------------------------
+Mon Oct 17 11:35:11 UTC 2022 - Pedro Monreal
+
+- GnuPG 2.3.8:
+ * gpg: Do not consider unknown public keys as non-compliant while
+ decrypting.
+ * gpg: Avoid to emit a compliance mode line if Libgcrypt is
+ non-compliant.
+ * gpg: Improve --edit-key setpref command to ease c+p.
+ * gpg: Emit an ERROR status if --quick-set-primary-uid fails and
+ allow to pass the user ID by hash.
+ * gpg: Actually show symmetric+pubkey encrypted data as de-vs
+ compliant. Add extra compliance checks for symkey_enc packets.
+ * gpg: In de-vs mode use SHA-256 instead of SHA-1 as implicit
+ preference.
+ * gpgsm: Fix reporting of bad passphrase error during PKCS#11
+ import.
+ * agent: Fix a regression in "READKEY --format=ssh".
+ * agent: New option --need-attr for KEYINFO.
+ * agent: New attribute "Remote-list" for use by KEYINFO.
+ * scd: Fix problem with Yubikey 5.4 firmware.
+ * dirmngr: Fix CRL Distribution Point fallback to other schemes.
+ * dirmngr: New LDAP server flag "areconly" (A-record-only).
+ * dirmngr: Fix upload of multiple keys for an LDAP server specified
+ using the colon format.
+ * dirmngr: Use LDAP schema v2 when a Base DN is specified.
+ * dirmngr: Avoid caching expired certificates.
+ * wkd: Fix path traversal attack in gpg-wks-server. Add the mail
+ address to the pending request data.
+ * wkd: New command --mirror for gpg-wks-client.
+ * gpg-auth: New tool for authentication.
+ * New common.conf option no-autostart.
+ * Silence warnings from AllowSetForegroundWindow unless
+ GNUPG_EXEC_DEBUG_FLAGS is used.
+ * Rebase gnupg-detect_FIPS_mode.patch
+ * Remove patch upstream:
+ - gnupg-2.3.7-scd-openpgp-Fix-workaround-for-Yubikey-heuristics.patch
+
 -------------------------------------------------------------------
 Mon Aug 8 18:00:44 UTC 2022 - Andreas Stieger
diff --git a/gpg2.spec b/gpg2.spec
index 5b9eedc..87c0390 100644
--- a/gpg2.spec
+++ b/gpg2.spec
@@ -17,7 +17,7 @@ Name: gpg2
-Version: 2.3.7
+Version: 2.3.8
 Release: 0
 Summary: File encryption, decryption, signature creation and verification utility
 License: GPL-3.0-or-later
@@ -39,7 +39,6 @@ Patch7: gnupg-2.2.16-secmem.patch
 Patch8: gnupg-accept_subkeys_with_a_good_revocation_but_no_self-sig_during_import.patch
 Patch9: gnupg-add-test-cases-for-import-without-uid.patch
 Patch10: gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
-Patch11: gnupg-2.3.7-scd-openpgp-Fix-workaround-for-Yubikey-heuristics.patch
 BuildRequires: expect
 BuildRequires: fdupes
 BuildRequires: ibmswtpm2