Pedro Monreal Gonzalez
4eafdb296b
- Install the internal executables in the /usr/libexec dir instead
of /usr/lib64. These files are keyboxd, scdaemon, gpg-auth
gpg-check-pattern, gpg-pair-tool, gpg-preset-passphrase,
gpg-protect-tool, gpg-wks-client, dirmngr_ldap and tpm2daemon.
- Provide the systemd-user files since they have been removed
upstream since version 2.4.1. [bsc#1201564]
* Add gpg2-systemd-user.tar.xz
- Revert back to use the IBM TPM Software stack.
- Update to 2.4.3:
* gpg: Set default expiration date to 3 years. [T2701]
* gpg: Add --list-filter properties "key_expires" and
"key_expires_d". [T6529]
* gpg: Emit status line and proper diagnostics for write errors. [T6528]
* gpg: Make progress work for large files on Windows. [T6534]
* gpg: New option --no-compress as alias for -z0.
* gpgsm: Print PROGRESS status lines. Add new --input-size-hint. [T6534]
* gpgsm: Support SENDCERT_SKI for --call-dirmngr. [rG701a8b30f0]
* gpgsm: Major rewrite of the PKCS#12 parser. [T6536]
* gpgtar: New option --no-compress.
* dirmngr: Extend the AD_QUERY command. [rG207c99567c]
* dirmngr: Disable the HTTP redirect rewriting. [T6477]
* dirmngr: New option --compatibility-flags. [rGbf04b07327]
* dirmngr: New option --ignore-crl-extensions. [T6545]
* wkd: Use export-clean for gpg-wks-client's --mirror and --create
commands. [rG2c7f7a5a27]
* wkd: Make --add-revocs the default in gpg-wks-client. New option
--no-add-revocs. [rG10c937ee68]
OBS-URL: https://build.opensuse.org/request/show/1116649
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=292
70 lines
2.6 KiB
Diff
70 lines
2.6 KiB
Diff
---
|
|
doc/gpg.texi | 18 ++++++++++++++++++
|
|
g10/gpg.c | 9 +++++++++
|
|
2 files changed, 27 insertions(+)
|
|
|
|
Index: gnupg-2.4.2/doc/gpg.texi
|
|
===================================================================
|
|
--- gnupg-2.4.2.orig/doc/gpg.texi
|
|
+++ gnupg-2.4.2/doc/gpg.texi
|
|
@@ -2285,6 +2285,24 @@ implies, this option is for experts only
|
|
understand the implications of what it allows you to do, leave this
|
|
off. @option{--no-expert} disables this option.
|
|
|
|
+@item --set-legacy-fips
|
|
+@itemx --set-legacy-fips
|
|
+@opindex set-legacy-fips
|
|
+Enable legacy support even when the libgcrypt library is in FIPS 140-2
|
|
+mode. The legacy mode of libgcrypt allows the use of all ciphers,
|
|
+including non-approved ciphers. This mode is needed when for legacy
|
|
+reasons a message must be encrypted or decrypted. Legacy reasons for
|
|
+decryptions include the decryption of old messages created with a
|
|
+public key that use cipher settings which do not meet FIPS 140-2
|
|
+requirements. Legacy reasons for encryption include the encryption
|
|
+of messages with a recipients public key where the recipient is not
|
|
+bound to FIPS 140-2 regulation and therefore provided a key using
|
|
+non-approved ciphers. Although the legacy mode is a violation of strict
|
|
+FIPS 140-2 rule interpretations, it is wise to use this mode or
|
|
+either not being able to access old messages or not being able
|
|
+to create encrypted messages to a recipient that is not adhering
|
|
+to FIPS 140-2 rules.
|
|
+
|
|
@end table
|
|
|
|
|
|
Index: gnupg-2.4.2/g10/gpg.c
|
|
===================================================================
|
|
--- gnupg-2.4.2.orig/g10/gpg.c
|
|
+++ gnupg-2.4.2/g10/gpg.c
|
|
@@ -446,6 +446,7 @@ enum cmd_and_opt_values
|
|
oForceSignKey,
|
|
oForbidGenKey,
|
|
oRequireCompliance,
|
|
+ oSetLegacyFips,
|
|
oCompatibilityFlags,
|
|
oAddDesigRevoker,
|
|
oAssertSigner,
|
|
@@ -886,6 +887,7 @@ static gpgrt_opt_t opts[] = {
|
|
ARGPARSE_s_s (oCipherAlgo, "cipher-algo", "@"),
|
|
ARGPARSE_s_s (oDigestAlgo, "digest-algo", "@"),
|
|
ARGPARSE_s_s (oCertDigestAlgo, "cert-digest-algo", "@"),
|
|
+ ARGPARSE_s_n (oSetLegacyFips, "set-legacy-fips", "@"),
|
|
|
|
|
|
ARGPARSE_header (NULL, N_("Options for unattended use")),
|
|
@@ -3756,6 +3758,14 @@ main (int argc, char **argv)
|
|
keybox_set_buffersize (pargs.r.ret_ulong, 0);
|
|
break;
|
|
|
|
+ case oSetLegacyFips:
|
|
+ if(gcry_fips_mode_active())
|
|
+ gcry_control (GCRYCTL_INACTIVATE_FIPS_FLAG,
|
|
+ "Enable legacy support in FIPS 140-2 mode");
|
|
+ else
|
|
+ log_info ("Command set-legacy-fips ignored as libgcrypt is not in FIPS mode\n");
|
|
+ break;
|
|
+
|
|
case oNoop: break;
|
|
|
|
default:
|