pool/gpg2
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 899427 from Base:System

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/899427
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gpg2?expand=0&rev=154
This commit is contained in:
Dominique Leuenberger 2021-06-15 14:36:49 +00:00 committed by Git OBS Bridge
parent 701c59566b
commit e6cd570008
3 changed files with 9 additions and 204 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

200
gnupg-2.2.8-files-are-digests.patch
View File

@ -1,200 +0,0 @@
---
g10/gpg.c | 4 +++
g10/options.h | 1
g10/sign.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++------
3 files changed, 67 insertions(+), 6 deletions(-)
Index: gnupg-2.2.27/g10/gpg.c
===================================================================
--- gnupg-2.2.27.orig/g10/gpg.c
+++ gnupg-2.2.27/g10/gpg.c
@@ -382,6 +382,7 @@ enum cmd_and_opt_values
oTTYtype,
oLCctype,
oLCmessages,
+ oFilesAreDigests,
oXauthority,
oGroup,
oUnGroup,
@@ -838,6 +839,7 @@ static ARGPARSE_OPTS opts[] = {
ARGPARSE_s_s (oWeakDigest, "weak-digest","@"),
ARGPARSE_s_n (oUnwrap, "unwrap", "@"),
ARGPARSE_s_n (oOnlySignTextIDs, "only-sign-text-ids", "@"),
+ ARGPARSE_s_n (oFilesAreDigests, "files-are-digests", "@"),
/* Aliases. I constantly mistype these, and assume other people do
as well. */
@@ -2372,6 +2374,7 @@ main (int argc, char **argv)
opt.def_cert_expire = "0";
gnupg_set_homedir (NULL);
opt.passphrase_repeat = 1;
+ opt.files_are_digests=0;
opt.emit_version = 0;
opt.weak_digests = NULL;
@@ -2944,6 +2947,7 @@ main (int argc, char **argv)
opt.verify_options&=~VERIFY_SHOW_PHOTOS;
break;
case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break;
+ case oFilesAreDigests: opt.files_are_digests = 1; break;
case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break;
case oIncludeKeyBlock: opt.flags.include_key_block = 1; break;
Index: gnupg-2.2.27/g10/options.h
===================================================================
--- gnupg-2.2.27.orig/g10/options.h
+++ gnupg-2.2.27/g10/options.h
@@ -202,6 +202,7 @@ struct
int no_auto_check_trustdb;
int preserve_permissions;
int no_homedir_creation;
+ int files_are_digests;
struct groupitem *grouplist;
int mangle_dos_filenames;
int enable_progress_filter;
Index: gnupg-2.2.27/g10/sign.c
===================================================================
--- gnupg-2.2.27.orig/g10/sign.c
+++ gnupg-2.2.27/g10/sign.c
@@ -43,6 +43,8 @@
#include "../common/mbox-util.h"
#include "../common/compliance.h"
+#include "../common/host2net.h"
+
#ifdef HAVE_DOSISH_SYSTEM
#define LF "\r\n"
#else
@@ -844,6 +846,8 @@ write_signature_packets (ctrl_t ctrl,
if (duration || opt.sig_policy_url
|| opt.sig_notations || opt.sig_keyserver_url)
sig->version = 4;
+ else if (opt.files_are_digests)
+ sig->version = 3;
else
sig->version = pk->version;
@@ -872,8 +876,12 @@ write_signature_packets (ctrl_t ctrl,
}
else
err = 0; /* Actually never reached. */
+ if (!opt.files_are_digests) {
hash_sigversion_to_magic (md, sig);
gcry_md_final (md);
+ } else if (sig->version >= 4) {
+ log_bug("files-are-digests doesn't work with v4 sigs\n");
+ }
if (!err)
err = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce, 0);
@@ -937,6 +945,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
SK_LIST sk_rover = NULL;
int multifile = 0;
u32 duration=0;
+ int sigclass = 0x00;
+ u32 timestamp = 0;
pfx = new_progress_context ();
afx = new_armor_context ();
@@ -954,7 +964,16 @@ sign_file (ctrl_t ctrl, strlist_t filena
fname = NULL;
if( fname && filenames->next && (!detached || encryptflag) )
- log_bug("multiple files can only be detached signed");
+ log_bug("multiple files can only be detached signed\n");
+
+ if (opt.files_are_digests && (multifile || !fname))
+ log_bug("files-are-digests only works with one file\n");
+ if (opt.files_are_digests && !detached)
+ log_bug("files-are-digests can only write detached signatures\n");
+ if (opt.files_are_digests && !opt.def_digest_algo)
+ log_bug("files-are-digests needs --digest-algo\n");
+ if (opt.files_are_digests && opt.textmode)
+ log_bug("files-are-digests doesn't work with --textmode\n");
if(encryptflag==2
&& (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek)))
@@ -975,7 +994,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
goto leave;
/* prepare iobufs */
- if( multifile ) /* have list of filenames */
+ if( multifile || opt.files_are_digests) /* have list of filenames */
inp = NULL; /* we do it later */
else {
inp = iobuf_open(fname);
@@ -1124,7 +1143,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next)
gcry_md_enable (mfx.md, hash_for (sk_rover->pk));
- if( !multifile )
+ if( !multifile && !opt.files_are_digests )
iobuf_push_filter( inp, md_filter, &mfx );
if( detached && !encryptflag)
@@ -1179,6 +1198,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
write_status_begin_signing (mfx.md);
+ sigclass = opt.textmode && !outfile? 0x01 : 0x00;
+
/* Setup the inner packet. */
if( detached ) {
if( multifile ) {
@@ -1219,6 +1240,45 @@ sign_file (ctrl_t ctrl, strlist_t filena
if( opt.verbose )
log_printf ("\n");
}
+ else if (opt.files_are_digests) {
+ byte *mdb, ts[5];
+ size_t mdlen;
+ const char *fp;
+ int c, d;
+
+ gcry_md_final(mfx.md);
+ /* this assumes gcry_md_read returns the same buffer */
+ mdb = gcry_md_read(mfx.md, opt.def_digest_algo);
+ mdlen = gcry_md_get_algo_dlen(opt.def_digest_algo);
+ if (strlen(fname) != mdlen * 2 + 11)
+ log_bug("digests must be %d + @ + 5 bytes\n", mdlen);
+ d = -1;
+ for (fp = fname ; *fp; ) {
+ c = *fp++;
+ if (c >= '0' && c <= '9')
+ c -= '0';
+ else if (c >= 'a' && c <= 'f')
+ c -= 'a' - 10;
+ else if (c >= 'A' && c <= 'F')
+ c -= 'A' - 10;
+ else
+ log_bug("filename is not hex\n");
+ if (d >= 0) {
+ *mdb++ = d << 4 | c;
+ c = -1;
+ if (--mdlen == 0) {
+ mdb = ts;
+ if (*fp++ != '@')
+ log_bug("missing time separator\n");
+ }
+ }
+ d = c;
+ }
+ sigclass = ts[0];
+ if (sigclass != 0x00 && sigclass != 0x01)
+ log_bug("bad cipher class\n");
+ timestamp = buf32_to_u32(ts + 1);
+ }
else {
/* read, so that the filter can calculate the digest */
while( iobuf_get(inp) != -1 )
@@ -1237,8 +1297,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
/* write the signatures */
rc = write_signature_packets (ctrl, sk_list, out, mfx.md,
- opt.textmode && !outfile? 0x01 : 0x00,
- 0, duration, detached ? 'D':'S', NULL);
+ sigclass,
+ timestamp, duration, detached ? 'D':'S', NULL);
if( rc )
goto leave;

9
gpg2.changes
View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Wed Apr 7 20:56:23 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
- Remove the "files-are-digests" option from the openSUSE package.
This feature was not upstream and only used in the OBS signing
daemon. The recommended upstream feature for separating the data
to be signed from the private keys is gpg agent forwarding,
available from 2.1. Drop gnupg-2.2.8-files-are-digests.patch
-------------------------------------------------------------------
Tue Jan 12 22:45:11 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>

4
gpg2.spec
View File

@ -30,7 +30,6 @@ Source3: %{name}.keyring
Source4: scdaemon.udev
Source99: %{name}.changes
Patch4: gnupg-2.0.9-langinfo.patch
Patch5: gnupg-2.2.8-files-are-digests.patch
Patch6: gnupg-dont-fail-with-seahorse-agent.patch
Patch8: gnupg-set_umask_before_open_outfile.patch
Patch9: gnupg-detect_FIPS_mode.patch
@ -65,8 +64,6 @@ Recommends: dirmngr = %{version}
Provides: gnupg = %{version}
Provides: gpg = 1.4.9
Provides: newpg
# special feature needed for OBS signd
Provides: gpg2_signd_support
Obsoletes: gpg < 1.4.9
%description
@ -94,7 +91,6 @@ gpgsm, or via the gpg-connect-agent tool.
%setup -q -n gnupg-%{version}
%patch1124847 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch8 -p1
%patch9 -p1