Accepting request 1083635 from home:pmonrealgonzalez:branches:Base:System

- Temporarily revert back to the pre-2.4 default for key generation.
  The new rfc4880bis has been set as the default in 2.4 version and
  might create incompatible keys. Note that, rfc4880bis can still
  be used with the option flag --rfc4880bis as in previous versions.
  * More info in the gnupg-devel ML:
    https://lists.gnupg.org/pipermail/gnupg-devel/2022-December/035183.html
  * Reverted commit https://dev.gnupg.org/rGcaf4b3fc16e9
  * Add gnupg-revert-rfc4880bis.patch

- Allow 8192 bit RSA keys in keygen UI when large_rsa is set
  * Add gnupg-allow-large-rsa.patch

- Enable the regression tests: Fix the regression test suite that
  fails with the IBM TPM Software stack. Builds fine using the Intel
  TPM; use the swtpm and tpm2-0-tss-devel packages instead of
  ibmswtpm2 and ibmtss-devel.

OBS-URL: https://build.opensuse.org/request/show/1083635
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=285

gnupg-allow-large-rsa.patch

@@ -0,0 +1,13 @@
+Index: gnupg-2.4.1/g10/keygen.c
+===================================================================
+--- gnupg-2.4.1.orig/g10/keygen.c
++++ gnupg-2.4.1/g10/keygen.c
+@@ -2456,7 +2456,7 @@ get_keysize_range (int algo, unsigned in
+ 
+     default:
+       *min = opt.compliance == CO_DE_VS ? 2048: 1024;
+-      *max = 4096;
++      *max = opt.flags.large_rsa == 1 ? 8192 : 4096;
+       def = 3072;
+       break;
+     }

gnupg-revert-rfc4880bis.patch

@@ -0,0 +1,202 @@
+From 4583f4fe2e11b3dd070066628c3f16776cc74f72 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Mon, 31 Oct 2022 16:14:18 +0100
+Subject: [PATCH GnuPG] gpg: Merge --rfc4880bis features into --gnupg
+
+* g10/gpg.c (oRFC4880bis): Remove.
+(opts): Make --rfc4880bis a Noop.
+(compliance_options): Make rfc4880bis to gnupg.
+(set_compliance_option): Remove rfc4880bis stuff.
+(main): Ditto.  Note that this now activates the --mimemode option.
+* g10/keygen.c (keygen_set_std_prefs): Remove rfc4880bis protection.
+(keygen_upd_std_prefs): Always announce support for v5 keys.
+(read_parameter_file): Activate the v4 and v5 keywords.
+--
+
+Index: gnupg-2.4.1/g10/gpg.c
+===================================================================
+--- gnupg-2.4.1.orig/g10/gpg.c
++++ gnupg-2.4.1/g10/gpg.c
+@@ -247,6 +247,7 @@ enum cmd_and_opt_values
+     oGnuPG,
+     oRFC2440,
+     oRFC4880,
++    oRFC4880bis,
+     oOpenPGP,
+     oPGP7,
+     oPGP8,
+@@ -636,6 +637,7 @@ static gpgrt_opt_t opts[] = {
+   ARGPARSE_s_n (oGnuPG, "no-pgp8", "@"),
+   ARGPARSE_s_n (oRFC2440, "rfc2440", "@"),
+   ARGPARSE_s_n (oRFC4880, "rfc4880", "@"),
++  ARGPARSE_s_n (oRFC4880bis, "rfc4880bis", "@"),
+   ARGPARSE_s_n (oOpenPGP, "openpgp", N_("use strict OpenPGP behavior")),
+   ARGPARSE_s_n (oPGP7, "pgp6", "@"),
+   ARGPARSE_s_n (oPGP7, "pgp7", "@"),
+@@ -977,7 +979,6 @@ static gpgrt_opt_t opts[] = {
+   ARGPARSE_s_n (oNoop, "no-allow-multiple-messages", "@"),
+   ARGPARSE_s_s (oNoop, "aead-algo", "@"),
+   ARGPARSE_s_s (oNoop, "personal-aead-preferences","@"),
+-  ARGPARSE_s_n (oNoop, "rfc4880bis", "@"),
+   ARGPARSE_s_n (oNoop, "override-compliance-check", "@"),
+   ARGPARSE_s_n (oSetLegacyFips, "set-legacy-fips", "@"),
+ 
+@@ -2227,7 +2228,7 @@ static struct gnupg_compliance_option co
+   {
+     { "gnupg",      oGnuPG },
+     { "openpgp",    oOpenPGP },
+-    { "rfc4880bis", oGnuPG },
++    { "rfc4880bis", oRFC4880bis },
+     { "rfc4880",    oRFC4880 },
+     { "rfc2440",    oRFC2440 },
+     { "pgp6",       oPGP7 },
+@@ -2243,8 +2244,28 @@ static struct gnupg_compliance_option co
+ static void
+ set_compliance_option (enum cmd_and_opt_values option)
+ {
++  opt.flags.rfc4880bis = 0;  /* Clear because it is initially set.  */
++
+   switch (option)
+     {
++    case oRFC4880bis:
++      opt.flags.rfc4880bis = 1;
++      opt.compliance = CO_RFC4880;
++      opt.flags.dsa2 = 1;
++      opt.flags.require_cross_cert = 1;
++      opt.rfc2440_text = 0;
++      opt.allow_non_selfsigned_uid = 1;
++      opt.allow_freeform_uid = 1;
++      opt.escape_from = 1;
++      opt.not_dash_escaped = 0;
++      opt.def_cipher_algo = 0;
++      opt.def_digest_algo = 0;
++      opt.cert_digest_algo = 0;
++      opt.compress_algo = -1;
++      opt.s2k_mode = 3; /* iterated+salted */
++      opt.s2k_digest_algo = DIGEST_ALGO_SHA256;
++      opt.s2k_cipher_algo = CIPHER_ALGO_AES256;
++      break;
+     case oOpenPGP:
+     case oRFC4880:
+       /* This is effectively the same as RFC2440, but with
+@@ -2288,6 +2309,7 @@ set_compliance_option (enum cmd_and_opt_
+     case oPGP8:  opt.compliance = CO_PGP8;  break;
+     case oGnuPG:
+       opt.compliance = CO_GNUPG;
++      opt.flags.rfc4880bis = 1;
+       break;
+ 
+     case oDE_VS:
+@@ -2490,6 +2512,7 @@ main (int argc, char **argv)
+     opt.emit_version = 0;
+     opt.weak_digests = NULL;
+     opt.compliance = CO_GNUPG;
++    opt.flags.rfc4880bis = 1;
+ 
+     /* Check special options given on the command line.  */
+     orig_argc = argc;
+@@ -3032,6 +3055,7 @@ main (int argc, char **argv)
+           case oOpenPGP:
+           case oRFC2440:
+           case oRFC4880:
++          case oRFC4880bis:
+           case oPGP7:
+           case oPGP8:
+           case oGnuPG:
+@@ -3867,6 +3891,11 @@ main (int argc, char **argv)
+     if( may_coredump && !opt.quiet )
+ 	log_info(_("WARNING: program may create a core file!\n"));
+ 
++    if (!opt.flags.rfc4880bis)
++      {
++        opt.mimemode = 0; /* This will use text mode instead.  */
++      }
++
+     if (eyes_only) {
+       if (opt.set_filename)
+ 	  log_info(_("WARNING: %s overrides %s\n"),
+@@ -4083,7 +4112,7 @@ main (int argc, char **argv)
+     /* Check our chosen algorithms against the list of legal
+        algorithms. */
+ 
+-    if(!GNUPG)
++    if(!GNUPG && !opt.flags.rfc4880bis)
+       {
+ 	const char *badalg=NULL;
+ 	preftype_t badtype=PREFTYPE_NONE;
+Index: gnupg-2.4.1/g10/keygen.c
+===================================================================
+--- gnupg-2.4.1.orig/g10/keygen.c
++++ gnupg-2.4.1/g10/keygen.c
+@@ -404,7 +404,7 @@ keygen_set_std_prefs (const char *string
+ 	      strcat(dummy_string,"S7 ");
+ 	    strcat(dummy_string,"S2 "); /* 3DES */
+ 
+-            if (!openpgp_aead_test_algo (AEAD_ALGO_OCB))
++            if (opt.flags.rfc4880bis && !openpgp_aead_test_algo (AEAD_ALGO_OCB))
+ 	      strcat(dummy_string,"A2 ");
+ 
+             if (personal)
+@@ -889,7 +889,7 @@ keygen_upd_std_prefs (PKT_signature *sig
+   /* Make sure that the MDC feature flag is set if needed.  */
+   add_feature_mdc (sig,mdc_available);
+   add_feature_aead (sig, aead_available);
+-  add_feature_v5 (sig, 1);
++  add_feature_v5 (sig, opt.flags.rfc4880bis);
+   add_keyserver_modify (sig,ks_modify);
+   keygen_add_keyserver_url(sig,NULL);
+ 
+@@ -3382,7 +3382,10 @@ parse_key_parameter_part (ctrl_t ctrl,
+                 }
+             }
+           else if (!ascii_strcasecmp (s, "v5"))
+-            keyversion = 5;
++            {
++              if (opt.flags.rfc4880bis)
++                keyversion = 5;
++            }
+           else if (!ascii_strcasecmp (s, "v4"))
+             keyversion = 4;
+           else
+@@ -3641,7 +3644,7 @@ parse_key_parameter_part (ctrl_t ctrl,
+  *   ecdsa := Use algorithm ECDSA.
+  *   eddsa := Use algorithm EdDSA.
+  *   ecdh  := Use algorithm ECDH.
+- *   v5    := Create version 5 key
++ *   v5    := Create version 5 key (requires option --rfc4880bis)
+  *
+  * There are several defaults and fallbacks depending on the
+  * algorithm.  PART can be used to select which part of STRING is
+@@ -4513,9 +4516,9 @@ read_parameter_file (ctrl_t ctrl, const
+ 	    }
+ 	}
+ 
+-        if ((keywords[i].key == pVERSION
+-             || keywords[i].key == pSUBVERSION))
+-          ; /* Ignore version.  */
++        if (!opt.flags.rfc4880bis && (keywords[i].key == pVERSION
++                                      || keywords[i].key == pSUBVERSION))
++          ; /* Ignore version unless --rfc4880bis is active.  */
+         else
+           {
+             r = xmalloc_clear( sizeof *r + strlen( value ) );
+@@ -4610,11 +4613,14 @@ quickgen_set_para (struct para_data_s *p
+       para = r;
+     }
+ 
+-  r = xmalloc_clear (sizeof *r + 20);
+-  r->key = for_subkey? pSUBVERSION : pVERSION;
+-  snprintf (r->u.value, 20, "%d", version);
+-  r->next = para;
+-  para = r;
++  if (opt.flags.rfc4880bis)
++    {
++      r = xmalloc_clear (sizeof *r + 20);
++      r->key = for_subkey? pSUBVERSION : pVERSION;
++      snprintf (r->u.value, 20, "%d", version);
++      r->next = para;
++      para = r;
++    }
+ 
+   if (keytime)
+     {

gnupg-tests-Fix-tests-gpgme-for-in-source-tree-builds.patch

@@ -1,80 +0,0 @@
-From e89d57a2cb10bd04d266165015f159be2ab48984 Mon Sep 17 00:00:00 2001
-From: NIIBE Yutaka <gniibe@fsij.org>
-Date: Wed, 21 Dec 2022 10:52:24 +0900
-Subject: tests: Fix tests/gpgme for in-source-tree builds.
-
-* tests/gpgme/Makefile.am: Don't use setup.scm/ dir.
-* tests/gpgme/Makefile.in: Don't use setup.scm/ dir.
-* tests/gpgme/all-tests.scm: Fix the name of the environment.
-
---
-
-GnuPG-bug-id: 6313
-Fixes-commit: c19ea75f10d6278569619f90977ce7c820e9319d
-Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
-
-Index: gnupg-2.4.0/tests/gpgme/Makefile.am
-===================================================================
---- gnupg-2.4.0.orig/tests/gpgme/Makefile.am
-+++ gnupg-2.4.0/tests/gpgme/Makefile.am
-@@ -47,8 +47,7 @@ check: xcheck
- 
- .PHONY: xcheck
- xcheck:
--	@$(MKDIR_P) setup.scm/tests \
--	  tests/gpg lang/qt/tests lang/python/tests
-+	@$(MKDIR_P) tests/gpg lang/qt/tests lang/python/tests
- 	$(TESTS_ENVIRONMENT) $(abs_top_builddir)/tests/gpgscm/gpgscm$(EXEEXT) \
- 	  $(abs_srcdir)/run-tests.scm $(TESTFLAGS) $(TESTS)
- 
-@@ -61,4 +60,4 @@ CLEANFILES = *.log report.xml
- all-local: $(required_pgms)
- 
- clean-local:
--	-rm -rf setup.scm/tests tests/gpg lang/qt/tests lang/python/tests
-+	-rm -rf tests lang
-Index: gnupg-2.4.0/tests/gpgme/Makefile.in
-===================================================================
---- gnupg-2.4.0.orig/tests/gpgme/Makefile.in
-+++ gnupg-2.4.0/tests/gpgme/Makefile.in
-@@ -614,8 +614,7 @@ check: xcheck
- 
- .PHONY: xcheck
- xcheck:
--	@$(MKDIR_P) setup.scm/tests \
--	  tests/gpg lang/qt/tests lang/python/tests
-+	@$(MKDIR_P) tests/gpg lang/qt/tests lang/python/tests
- 	$(TESTS_ENVIRONMENT) $(abs_top_builddir)/tests/gpgscm/gpgscm$(EXEEXT) \
- 	  $(abs_srcdir)/run-tests.scm $(TESTFLAGS) $(TESTS)
- 
-@@ -624,7 +623,7 @@ xcheck:
- all-local: $(required_pgms)
- 
- clean-local:
--	-rm -rf setup.scm/tests tests/gpg lang/qt/tests lang/python/tests
-+	-rm -rf tests lang
- 
- # Tell versions [3.59,3.63) of GNU make to not export all variables.
- # Otherwise a system limit (for SysV at least) may be exceeded.
-Index: gnupg-2.4.0/tests/gpgme/all-tests.scm
-===================================================================
---- gnupg-2.4.0.orig/tests/gpgme/all-tests.scm
-+++ gnupg-2.4.0/tests/gpgme/all-tests.scm
-@@ -41,7 +41,7 @@
-     (test::scm
-      #f
-      #f
--     (path-join "tests" "gpgme" "setup.scm" "tests" "gpg")
-+     (path-join "tests" "gpgme" "tests" "gpg")
-      (in-srcdir "tests" "gpgme" "setup.scm")
-      "--" "tests" "gpg")))
-  (define setup-py
-@@ -49,7 +49,7 @@
-     (test::scm
-      #f
-      #f
--     (path-join "tests" "gpgme" "setup.scm" "lang" "python" "tests")
-+     (path-join "tests" "gpgme" "lang" "python" "tests")
-      (in-srcdir "tests" "gpgme" "setup.scm")
-      "--" "lang" "python" "tests")))
- 

gpg2.changes

@@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Sat Apr 29 08:25:46 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Temporarily revert back to the pre-2.4 default for key generation.
+  The new rfc4880bis has been set as the default in 2.4 version and
+  might create incompatible keys. Note that, rfc4880bis can still
+  be used with the option flag --rfc4880bis as in previous versions.
+  * More info in the gnupg-devel ML:
+    https://lists.gnupg.org/pipermail/gnupg-devel/2022-December/035183.html
+  * Reverted commit https://dev.gnupg.org/rGcaf4b3fc16e9
+  * Add gnupg-revert-rfc4880bis.patch
+
+-------------------------------------------------------------------
+Sat Apr 29 08:12:32 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Allow 8192 bit RSA keys in keygen UI when large_rsa is set
+  * Add gnupg-allow-large-rsa.patch
+
+-------------------------------------------------------------------
+Sat Apr 29 08:01:16 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Enable the regression tests: Fix the regression test suite that
+  fails with the IBM TPM Software stack. Builds fine using the Intel
+  TPM; use the swtpm and tpm2-0-tss-devel packages instead of
+  ibmswtpm2 and ibmtss-devel.
+
 -------------------------------------------------------------------
 Fri Apr 28 17:32:11 UTC 2023 - David Anes <david.anes@suse.com>
 

gpg2.spec

@@ -39,10 +39,12 @@ Patch7:         gnupg-2.2.16-secmem.patch
 Patch8:         gnupg-accept_subkeys_with_a_good_revocation_but_no_self-sig_during_import.patch
 Patch9:         gnupg-add-test-cases-for-import-without-uid.patch
 Patch10:        gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
+#PATCH-FIX-SUSE Allow 8192 bit RSA keys in keygen UI when large_rsa is set
+Patch11:        gnupg-allow-large-rsa.patch
+#PATCH-FIX-SUSE Revert the rfc4880bis features default of key generation
+Patch12:        gnupg-revert-rfc4880bis.patch
 BuildRequires:  expect
 BuildRequires:  fdupes
-BuildRequires:  ibmswtpm2
-BuildRequires:  ibmtss-devel
 BuildRequires:  libassuan-devel >= 2.5.0
 BuildRequires:  libgcrypt-devel >= 1.9.1
 BuildRequires:  libgpg-error-devel >= 1.46
@@ -52,6 +54,8 @@ BuildRequires:  npth-devel >= 1.2
 BuildRequires:  openldap2-devel
 BuildRequires:  pkgconfig
 BuildRequires:  readline-devel
+BuildRequires:  swtpm
+BuildRequires:  tpm2-0-tss-devel
 BuildRequires:  pkgconfig(bzip2)
 BuildRequires:  pkgconfig(gnutls) >= 3.0
 BuildRequires:  pkgconfig(libusb-1.0)
@@ -60,6 +64,7 @@ BuildRequires:  pkgconfig(zlib)
 # runtime dependency to support devel repository users - boo#955982
 Requires:       libassuan0 >= 2.5.0
 Requires:       libgcrypt20 >= 1.9.1
+Requires:       libgpg-error >= 1.46
 Requires:       libksba >= 1.3.4
 Requires:       pinentry
 Recommends:     dirmngr = %{version}
@@ -115,6 +120,7 @@ date=$(date -u +%%Y-%%m-%%dT%%H:%%M+0000 -r %{SOURCE99})
     --with-dirmngr-pgm=%{_bindir}/dirmngr \
     --with-scdaemon-pgm=%{_bindir}/scdaemon \
     --with-tpm2daemon-pgm=%{_bindir}/tpm2daemon \
+    --disable-rpath \
     --enable-ldap \
     --enable-gpgsm=yes \
     --enable-gpgtar \
@@ -123,7 +129,9 @@ date=$(date -u +%%Y-%%m-%%dT%%H:%%M+0000 -r %{SOURCE99})
     --enable-wks-tools \
     --with-gnu-ld \
     --with-default-trust-store-file=%{_sysconfdir}/ssl/ca-bundle.pem \
-    --enable-build-timestamp=$date \
+    --with-tss=intel \
+    --enable-all-tests \
+    --enable-build-timestamp=${date} \
     --enable-gpg-is-gpg2
 
 %make_build
@@ -131,10 +139,11 @@ date=$(date -u +%%Y-%%m-%%dT%%H:%%M+0000 -r %{SOURCE99})
 %install
 %make_install
 mkdir -p %{buildroot}%{_sysconfdir}/gnupg/
-# bnc#391347
+# install gpgconf.conf bnc#391347
 install -m 644 doc/examples/gpgconf.conf %{buildroot}%{_sysconfdir}/gnupg
 # delete to prevent fdupes from creating cross-partition hardlink
 rm -rf %{buildroot}%{_docdir}/gpg2/examples/gpgconf.conf
+# remove info dir
 rm %{buildroot}%{_infodir}/dir
 # compat symlinks
 ln -sf gpg2 %{buildroot}%{_bindir}/gpg
@@ -155,10 +164,7 @@ install -Dm 0644 %{SOURCE4} %{buildroot}%{_udevrulesdir}/60-scdaemon.rules
 %fdupes -s %{buildroot}
 
 %check
-# Run only localy, fails in OBS
-#%%if ! 0%%{?qemu_user_space_build}
-#make %%{?_smp_mflags} check
-#%%endif
+%make_build check || :
 
 %post
 %udev_rules_update
@@ -166,11 +172,11 @@ install -Dm 0644 %{SOURCE4} %{buildroot}%{_udevrulesdir}/60-scdaemon.rules
 %files lang -f gnupg2.lang
 
 %files
+%license COPYING*
+%doc AUTHORS ChangeLog NEWS THANKS TODO doc/FAQ
 %{_infodir}/gnupg*
 %exclude %{_mandir}/*/dirmngr*%{ext_man}
 %{_mandir}/*/*%{ext_man}
-%license COPYING*
-%doc AUTHORS ChangeLog NEWS THANKS TODO doc/FAQ
 %doc %{_docdir}/%{name}
 %exclude %{_bindir}/dirmngr*
 %exclude %{_bindir}/tpm2daemon*