From e6cd570008ee5cb67a47f9eeb55f356548b5cf3ea268091ab6f1844fce4f711a Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger
Date: Tue, 15 Jun 2021 14:36:49 +0000
Subject: [PATCH] Accepting request 899427 from Base:System
OBS-URL: https://build.opensuse.org/request/show/899427
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gpg2?expand=0&rev=154
---
 gnupg-2.2.8-files-are-digests.patch | 200 ----------------------------
 gpg2.changes | 9 ++
 gpg2.spec | 4 -
 3 files changed, 9 insertions(+), 204 deletions(-)
 delete mode 100644 gnupg-2.2.8-files-are-digests.patch
diff --git a/gnupg-2.2.8-files-are-digests.patch b/gnupg-2.2.8-files-are-digests.patch
deleted file mode 100644
index 92992b2..0000000
--- a/gnupg-2.2.8-files-are-digests.patch
+++ /dev/null
@@ -1,200 +0,0 @@ ---- - g10/gpg.c | 4 +++ - g10/options.h | 1 - g10/sign.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++------ - 3 files changed, 67 insertions(+), 6 deletions(-) - -Index: gnupg-2.2.27/g10/gpg.c -=================================================================== ---- gnupg-2.2.27.orig/g10/gpg.c -+++ gnupg-2.2.27/g10/gpg.c -@@ -382,6 +382,7 @@ enum cmd_and_opt_values - oTTYtype, - oLCctype, - oLCmessages, -+ oFilesAreDigests, - oXauthority, - oGroup, - oUnGroup, -@@ -838,6 +839,7 @@ static ARGPARSE_OPTS opts[] = { - ARGPARSE_s_s (oWeakDigest, "weak-digest","@"), - ARGPARSE_s_n (oUnwrap, "unwrap", "@"), - ARGPARSE_s_n (oOnlySignTextIDs, "only-sign-text-ids", "@"), -+ ARGPARSE_s_n (oFilesAreDigests, "files-are-digests", "@"), - - /* Aliases. I constantly mistype these, and assume other people do - as well. */ -@@ -2372,6 +2374,7 @@ main (int argc, char **argv) - opt.def_cert_expire = "0"; - gnupg_set_homedir (NULL); - opt.passphrase_repeat = 1; -+ opt.files_are_digests=0; - opt.emit_version = 0; - opt.weak_digests = NULL; - -@@ -2944,6 +2947,7 @@ main (int argc, char **argv) - opt.verify_options&=~VERIFY_SHOW_PHOTOS; - break; - case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break; -+ case oFilesAreDigests: opt.files_are_digests = 1; break; - - case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break; - case oIncludeKeyBlock: opt.flags.include_key_block = 1; break; -Index: gnupg-2.2.27/g10/options.h -=================================================================== ---- gnupg-2.2.27.orig/g10/options.h -+++ gnupg-2.2.27/g10/options.h -@@ -202,6 +202,7 @@ struct - int no_auto_check_trustdb; - int preserve_permissions; - int no_homedir_creation; -+ int files_are_digests; - struct groupitem *grouplist; - int mangle_dos_filenames; - int enable_progress_filter; -Index: gnupg-2.2.27/g10/sign.c -=================================================================== ---- gnupg-2.2.27.orig/g10/sign.c -+++ gnupg-2.2.27/g10/sign.c -@@ 
-43,6 +43,8 @@ - #include "../common/mbox-util.h" - #include "../common/compliance.h" - -+#include "../common/host2net.h" -+ - #ifdef HAVE_DOSISH_SYSTEM - #define LF "\r\n" - #else -@@ -844,6 +846,8 @@ write_signature_packets (ctrl_t ctrl, - if (duration || opt.sig_policy_url - || opt.sig_notations || opt.sig_keyserver_url) - sig->version = 4; -+ else if (opt.files_are_digests) -+ sig->version = 3; - else - sig->version = pk->version; - -@@ -872,8 +876,12 @@ write_signature_packets (ctrl_t ctrl, - } - else - err = 0; /* Actually never reached. */ -+ if (!opt.files_are_digests) { - hash_sigversion_to_magic (md, sig); - gcry_md_final (md); -+ } else if (sig->version >= 4) { -+ log_bug("files-are-digests doesn't work with v4 sigs\n"); -+ } - - if (!err) - err = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce, 0); -@@ -937,6 +945,8 @@ sign_file (ctrl_t ctrl, strlist_t filena - SK_LIST sk_rover = NULL; - int multifile = 0; - u32 duration=0; -+ int sigclass = 0x00; -+ u32 timestamp = 0; - - pfx = new_progress_context (); - afx = new_armor_context (); -@@ -954,7 +964,16 @@ sign_file (ctrl_t ctrl, strlist_t filena - fname = NULL; - - if( fname && filenames->next && (!detached || encryptflag) ) -- log_bug("multiple files can only be detached signed"); -+ log_bug("multiple files can only be detached signed\n"); -+ -+ if (opt.files_are_digests && (multifile || !fname)) -+ log_bug("files-are-digests only works with one file\n"); -+ if (opt.files_are_digests && !detached) -+ log_bug("files-are-digests can only write detached signatures\n"); -+ if (opt.files_are_digests && !opt.def_digest_algo) -+ log_bug("files-are-digests needs --digest-algo\n"); -+ if (opt.files_are_digests && opt.textmode) -+ log_bug("files-are-digests doesn't work with --textmode\n"); - - if(encryptflag==2 - && (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek))) -@@ -975,7 +994,7 @@ sign_file (ctrl_t ctrl, strlist_t filena - goto leave; - - /* prepare iobufs */ -- if( multifile ) /* have list of 
filenames */ -+ if( multifile || opt.files_are_digests) /* have list of filenames */ - inp = NULL; /* we do it later */ - else { - inp = iobuf_open(fname); -@@ -1124,7 +1143,7 @@ sign_file (ctrl_t ctrl, strlist_t filena - for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next) - gcry_md_enable (mfx.md, hash_for (sk_rover->pk)); - -- if( !multifile ) -+ if( !multifile && !opt.files_are_digests ) - iobuf_push_filter( inp, md_filter, &mfx ); - - if( detached && !encryptflag) -@@ -1179,6 +1198,8 @@ sign_file (ctrl_t ctrl, strlist_t filena - - write_status_begin_signing (mfx.md); - -+ sigclass = opt.textmode && !outfile? 0x01 : 0x00; -+ - /* Setup the inner packet. */ - if( detached ) { - if( multifile ) { -@@ -1219,6 +1240,45 @@ sign_file (ctrl_t ctrl, strlist_t filena - if( opt.verbose ) - log_printf ("\n"); - } -+ else if (opt.files_are_digests) { -+ byte *mdb, ts[5]; -+ size_t mdlen; -+ const char *fp; -+ int c, d; -+ -+ gcry_md_final(mfx.md); -+ /* this assumes gcry_md_read returns the same buffer */ -+ mdb = gcry_md_read(mfx.md, opt.def_digest_algo); -+ mdlen = gcry_md_get_algo_dlen(opt.def_digest_algo); -+ if (strlen(fname) != mdlen * 2 + 11) -+ log_bug("digests must be %d + @ + 5 bytes\n", mdlen); -+ d = -1; -+ for (fp = fname ; *fp; ) { -+ c = *fp++; -+ if (c >= '0' && c <= '9') -+ c -= '0'; -+ else if (c >= 'a' && c <= 'f') -+ c -= 'a' - 10; -+ else if (c >= 'A' && c <= 'F') -+ c -= 'A' - 10; -+ else -+ log_bug("filename is not hex\n"); -+ if (d >= 0) { -+ *mdb++ = d << 4 | c; -+ c = -1; -+ if (--mdlen == 0) { -+ mdb = ts; -+ if (*fp++ != '@') -+ log_bug("missing time separator\n"); -+ } -+ } -+ d = c; -+ } -+ sigclass = ts[0]; -+ if (sigclass != 0x00 && sigclass != 0x01) -+ log_bug("bad cipher class\n"); -+ timestamp = buf32_to_u32(ts + 1); -+ } - else { - /* read, so that the filter can calculate the digest */ - while( iobuf_get(inp) != -1 ) -@@ -1237,8 +1297,8 @@ sign_file (ctrl_t ctrl, strlist_t filena - - /* write the signatures */ - rc = 
write_signature_packets (ctrl, sk_list, out, mfx.md, -- opt.textmode && !outfile? 0x01 : 0x00, -- 0, duration, detached ? 'D':'S', NULL); -+ sigclass, -+ timestamp, duration, detached ? 'D':'S', NULL); - if( rc ) - goto leave; - diff --git a/gpg2.changes b/gpg2.changes index 83c03a1..8cd6050 100644 --- a/gpg2.changes +++ b/gpg2.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Wed Apr 7 20:56:23 UTC 2021 - Andreas Stieger + +- Remove the "files-are-digests" option from the openSUSE package. + This feature was not upstream and only used in the OBS signing + daemon. The recommended upstream feature for separating the data + to be signed from the private keys is gpg agent forwarding, + available from 2.1. Drop gnupg-2.2.8-files-are-digests.patch + ------------------------------------------------------------------- Tue Jan 12 22:45:11 UTC 2021 - Andreas Stieger diff --git a/gpg2.spec b/gpg2.spec index 3c8c658..53739ec 100644 --- a/gpg2.spec +++ b/gpg2.spec @@ -30,7 +30,6 @@ Source3: %{name}.keyring Source4: scdaemon.udev Source99: %{name}.changes Patch4: gnupg-2.0.9-langinfo.patch -Patch5: gnupg-2.2.8-files-are-digests.patch Patch6: gnupg-dont-fail-with-seahorse-agent.patch Patch8: gnupg-set_umask_before_open_outfile.patch Patch9: gnupg-detect_FIPS_mode.patch @@ -65,8 +64,6 @@ Recommends: dirmngr = %{version} Provides: gnupg = %{version} Provides: gpg = 1.4.9 Provides: newpg -# special feature needed for OBS signd -Provides: gpg2_signd_support Obsoletes: gpg < 1.4.9 %description @@ -94,7 +91,6 @@ gpgsm, or via the gpg-connect-agent tool. %setup -q -n gnupg-%{version} %patch1124847 -p1 %patch4 -p1 -%patch5 -p1 %patch6 -p1 %patch8 -p1 %patch9 -p1
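Review bot: Dropping `Provides: gpg2_signd_support` in the `@@ -65,8 +64,6 @@` hunk of gpg2.spec is the part of this change that other packages can observe: anything that still requires that capability stops installing, which is the right outcome once the signing-daemon feature is gone, but the gpg2.changes entry only names the removed patch and the upstream alternative. I would extend the changelog entry with a sentence such as `The gpg2_signd_support Provides is dropped as well; consumers of it need to move to gpg-agent forwarding.` so that the dependency break is discoverable from the package history. The other two hunks in this section (the `Patch5:` declaration and the `%patch5 -p1` application line) are consistent with the removal and need no further change.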