diff --git a/gnupg-allow-large-rsa.patch b/gnupg-allow-large-rsa.patch new file mode 100644 index 0000000..81e726a --- /dev/null +++ b/gnupg-allow-large-rsa.patch @@ -0,0 +1,13 @@ +Index: gnupg-2.4.1/g10/keygen.c +=================================================================== +--- gnupg-2.4.1.orig/g10/keygen.c ++++ gnupg-2.4.1/g10/keygen.c +@@ -2456,7 +2456,7 @@ get_keysize_range (int algo, unsigned in + + default: + *min = opt.compliance == CO_DE_VS ? 2048: 1024; +- *max = 4096; ++ *max = opt.flags.large_rsa == 1 ? 8192 : 4096; + def = 3072; + break; + } diff --git a/gnupg-revert-rfc4880bis.patch b/gnupg-revert-rfc4880bis.patch new file mode 100644 index 0000000..f981206 --- /dev/null +++ b/gnupg-revert-rfc4880bis.patch @@ -0,0 +1,202 @@ +From 4583f4fe2e11b3dd070066628c3f16776cc74f72 Mon Sep 17 00:00:00 2001 +From: Werner Koch +Date: Mon, 31 Oct 2022 16:14:18 +0100 +Subject: [PATCH GnuPG] gpg: Merge --rfc4880bis features into --gnupg + +* g10/gpg.c (oRFC4880bis): Remove. +(opts): Make --rfc4880bis a Noop. +(compliance_options): Make rfc4880bis to gnupg. +(set_compliance_option): Remove rfc4880bis stuff. +(main): Ditto. Note that this now activates the --mimemode option. +* g10/keygen.c (keygen_set_std_prefs): Remove rfc4880bis protection. +(keygen_upd_std_prefs): Always announce support for v5 keys. +(read_parameter_file): Activate the v4 and v5 keywords. +-- + +Index: gnupg-2.4.1/g10/gpg.c +=================================================================== +--- gnupg-2.4.1.orig/g10/gpg.c ++++ gnupg-2.4.1/g10/gpg.c +@@ -247,6 +247,7 @@ enum cmd_and_opt_values + oGnuPG, + oRFC2440, + oRFC4880, ++ oRFC4880bis, + oOpenPGP, + oPGP7, + oPGP8, +@@ -636,6 +637,7 @@ static gpgrt_opt_t opts[] = { + ARGPARSE_s_n (oGnuPG, "no-pgp8", "@"), + ARGPARSE_s_n (oRFC2440, "rfc2440", "@"), + ARGPARSE_s_n (oRFC4880, "rfc4880", "@"), ++ ARGPARSE_s_n (oRFC4880bis, "rfc4880bis", "@"), + ARGPARSE_s_n (oOpenPGP, "openpgp", N_("use strict OpenPGP behavior")), + ARGPARSE_s_n (oPGP7, "pgp6", "@"), + ARGPARSE_s_n (oPGP7, "pgp7", "@"), +@@ -977,7 +979,6 @@ static gpgrt_opt_t opts[] = { + ARGPARSE_s_n (oNoop, "no-allow-multiple-messages", "@"), + ARGPARSE_s_s (oNoop, "aead-algo", "@"), + ARGPARSE_s_s (oNoop, "personal-aead-preferences","@"), +- ARGPARSE_s_n (oNoop, "rfc4880bis", "@"), + ARGPARSE_s_n (oNoop, "override-compliance-check", "@"), + ARGPARSE_s_n (oSetLegacyFips, "set-legacy-fips", "@"), + +@@ -2227,7 +2228,7 @@ static struct gnupg_compliance_option co + { + { "gnupg", oGnuPG }, + { "openpgp", oOpenPGP }, +- { "rfc4880bis", oGnuPG }, ++ { "rfc4880bis", oRFC4880bis }, + { "rfc4880", oRFC4880 }, + { "rfc2440", oRFC2440 }, + { "pgp6", oPGP7 }, +@@ -2243,8 +2244,28 @@ static struct gnupg_compliance_option co + static void + set_compliance_option (enum cmd_and_opt_values option) + { ++ opt.flags.rfc4880bis = 0; /* Clear because it is initially set. */ ++ + switch (option) + { ++ case oRFC4880bis: ++ opt.flags.rfc4880bis = 1; ++ opt.compliance = CO_RFC4880; ++ opt.flags.dsa2 = 1; ++ opt.flags.require_cross_cert = 1; ++ opt.rfc2440_text = 0; ++ opt.allow_non_selfsigned_uid = 1; ++ opt.allow_freeform_uid = 1; ++ opt.escape_from = 1; ++ opt.not_dash_escaped = 0; ++ opt.def_cipher_algo = 0; ++ opt.def_digest_algo = 0; ++ opt.cert_digest_algo = 0; ++ opt.compress_algo = -1; ++ opt.s2k_mode = 3; /* iterated+salted */ ++ opt.s2k_digest_algo = DIGEST_ALGO_SHA256; ++ opt.s2k_cipher_algo = CIPHER_ALGO_AES256; ++ break; + case oOpenPGP: + case oRFC4880: + /* This is effectively the same as RFC2440, but with +@@ -2288,6 +2309,7 @@ set_compliance_option (enum cmd_and_opt_ + case oPGP8: opt.compliance = CO_PGP8; break; + case oGnuPG: + opt.compliance = CO_GNUPG; ++ opt.flags.rfc4880bis = 1; + break; + + case oDE_VS: +@@ -2490,6 +2512,7 @@ main (int argc, char **argv) + opt.emit_version = 0; + opt.weak_digests = NULL; + opt.compliance = CO_GNUPG; ++ opt.flags.rfc4880bis = 1; + + /* Check special options given on the command line. */ + orig_argc = argc; +@@ -3032,6 +3055,7 @@ main (int argc, char **argv) + case oOpenPGP: + case oRFC2440: + case oRFC4880: ++ case oRFC4880bis: + case oPGP7: + case oPGP8: + case oGnuPG: +@@ -3867,6 +3891,11 @@ main (int argc, char **argv) + if( may_coredump && !opt.quiet ) + log_info(_("WARNING: program may create a core file!\n")); + ++ if (!opt.flags.rfc4880bis) ++ { ++ opt.mimemode = 0; /* This will use text mode instead. */ ++ } ++ + if (eyes_only) { + if (opt.set_filename) + log_info(_("WARNING: %s overrides %s\n"), +@@ -4083,7 +4112,7 @@ main (int argc, char **argv) + /* Check our chosen algorithms against the list of legal + algorithms. */ + +- if(!GNUPG) ++ if(!GNUPG && !opt.flags.rfc4880bis) + { + const char *badalg=NULL; + preftype_t badtype=PREFTYPE_NONE; +Index: gnupg-2.4.1/g10/keygen.c +=================================================================== +--- gnupg-2.4.1.orig/g10/keygen.c ++++ gnupg-2.4.1/g10/keygen.c +@@ -404,7 +404,7 @@ keygen_set_std_prefs (const char *string + strcat(dummy_string,"S7 "); + strcat(dummy_string,"S2 "); /* 3DES */ + +- if (!openpgp_aead_test_algo (AEAD_ALGO_OCB)) ++ if (opt.flags.rfc4880bis && !openpgp_aead_test_algo (AEAD_ALGO_OCB)) + strcat(dummy_string,"A2 "); + + if (personal) +@@ -889,7 +889,7 @@ keygen_upd_std_prefs (PKT_signature *sig + /* Make sure that the MDC feature flag is set if needed. */ + add_feature_mdc (sig,mdc_available); + add_feature_aead (sig, aead_available); +- add_feature_v5 (sig, 1); ++ add_feature_v5 (sig, opt.flags.rfc4880bis); + add_keyserver_modify (sig,ks_modify); + keygen_add_keyserver_url(sig,NULL); + +@@ -3382,7 +3382,10 @@ parse_key_parameter_part (ctrl_t ctrl, + } + } + else if (!ascii_strcasecmp (s, "v5")) +- keyversion = 5; ++ { ++ if (opt.flags.rfc4880bis) ++ keyversion = 5; ++ } + else if (!ascii_strcasecmp (s, "v4")) + keyversion = 4; + else +@@ -3641,7 +3644,7 @@ parse_key_parameter_part (ctrl_t ctrl, + * ecdsa := Use algorithm ECDSA. + * eddsa := Use algorithm EdDSA. + * ecdh := Use algorithm ECDH. +- * v5 := Create version 5 key ++ * v5 := Create version 5 key (requires option --rfc4880bis) + * + * There are several defaults and fallbacks depending on the + * algorithm. PART can be used to select which part of STRING is +@@ -4513,9 +4516,9 @@ read_parameter_file (ctrl_t ctrl, const + } + } + +- if ((keywords[i].key == pVERSION +- || keywords[i].key == pSUBVERSION)) +- ; /* Ignore version. */ ++ if (!opt.flags.rfc4880bis && (keywords[i].key == pVERSION ++ || keywords[i].key == pSUBVERSION)) ++ ; /* Ignore version unless --rfc4880bis is active. */ + else + { + r = xmalloc_clear( sizeof *r + strlen( value ) ); +@@ -4610,11 +4613,14 @@ quickgen_set_para (struct para_data_s *p + para = r; + } + +- r = xmalloc_clear (sizeof *r + 20); +- r->key = for_subkey? pSUBVERSION : pVERSION; +- snprintf (r->u.value, 20, "%d", version); +- r->next = para; +- para = r; ++ if (opt.flags.rfc4880bis) ++ { ++ r = xmalloc_clear (sizeof *r + 20); ++ r->key = for_subkey? pSUBVERSION : pVERSION; ++ snprintf (r->u.value, 20, "%d", version); ++ r->next = para; ++ para = r; ++ } + + if (keytime) + { diff --git a/gnupg-tests-Fix-tests-gpgme-for-in-source-tree-builds.patch b/gnupg-tests-Fix-tests-gpgme-for-in-source-tree-builds.patch deleted file mode 100644 index 008697d..0000000 --- a/gnupg-tests-Fix-tests-gpgme-for-in-source-tree-builds.patch +++ /dev/null @@ -1,80 +0,0 @@ -From e89d57a2cb10bd04d266165015f159be2ab48984 Mon Sep 17 00:00:00 2001 -From: NIIBE Yutaka -Date: Wed, 21 Dec 2022 10:52:24 +0900 -Subject: tests: Fix tests/gpgme for in-source-tree builds. - -* tests/gpgme/Makefile.am: Don't use setup.scm/ dir. -* tests/gpgme/Makefile.in: Don't use setup.scm/ dir. -* tests/gpgme/all-tests.scm: Fix the name of the environment. - --- - -GnuPG-bug-id: 6313 -Fixes-commit: c19ea75f10d6278569619f90977ce7c820e9319d -Signed-off-by: NIIBE Yutaka - -Index: gnupg-2.4.0/tests/gpgme/Makefile.am -=================================================================== ---- gnupg-2.4.0.orig/tests/gpgme/Makefile.am -+++ gnupg-2.4.0/tests/gpgme/Makefile.am -@@ -47,8 +47,7 @@ check: xcheck - - .PHONY: xcheck - xcheck: -- @$(MKDIR_P) setup.scm/tests \ -- tests/gpg lang/qt/tests lang/python/tests -+ @$(MKDIR_P) tests/gpg lang/qt/tests lang/python/tests - $(TESTS_ENVIRONMENT) $(abs_top_builddir)/tests/gpgscm/gpgscm$(EXEEXT) \ - $(abs_srcdir)/run-tests.scm $(TESTFLAGS) $(TESTS) - -@@ -61,4 +60,4 @@ CLEANFILES = *.log report.xml - all-local: $(required_pgms) - - clean-local: -- -rm -rf setup.scm/tests tests/gpg lang/qt/tests lang/python/tests -+ -rm -rf tests lang -Index: gnupg-2.4.0/tests/gpgme/Makefile.in -=================================================================== ---- gnupg-2.4.0.orig/tests/gpgme/Makefile.in -+++ gnupg-2.4.0/tests/gpgme/Makefile.in -@@ -614,8 +614,7 @@ check: xcheck - - .PHONY: xcheck - xcheck: -- @$(MKDIR_P) setup.scm/tests \ -- tests/gpg lang/qt/tests lang/python/tests -+ @$(MKDIR_P) tests/gpg lang/qt/tests lang/python/tests - $(TESTS_ENVIRONMENT) $(abs_top_builddir)/tests/gpgscm/gpgscm$(EXEEXT) \ - $(abs_srcdir)/run-tests.scm $(TESTFLAGS) $(TESTS) - -@@ -624,7 +623,7 @@ xcheck: - all-local: $(required_pgms) - - clean-local: -- -rm -rf setup.scm/tests tests/gpg lang/qt/tests lang/python/tests -+ -rm -rf tests lang - - # Tell versions [3.59,3.63) of GNU make to not export all variables. - # Otherwise a system limit (for SysV at least) may be exceeded. -Index: gnupg-2.4.0/tests/gpgme/all-tests.scm -=================================================================== ---- gnupg-2.4.0.orig/tests/gpgme/all-tests.scm -+++ gnupg-2.4.0/tests/gpgme/all-tests.scm -@@ -41,7 +41,7 @@ - (test::scm - #f - #f -- (path-join "tests" "gpgme" "setup.scm" "tests" "gpg") -+ (path-join "tests" "gpgme" "tests" "gpg") - (in-srcdir "tests" "gpgme" "setup.scm") - "--" "tests" "gpg"))) - (define setup-py -@@ -49,7 +49,7 @@ - (test::scm - #f - #f -- (path-join "tests" "gpgme" "setup.scm" "lang" "python" "tests") -+ (path-join "tests" "gpgme" "lang" "python" "tests") - (in-srcdir "tests" "gpgme" "setup.scm") - "--" "lang" "python" "tests"))) - diff --git a/gpg2.changes b/gpg2.changes index fa848b7..5da703c 100644 --- a/gpg2.changes +++ b/gpg2.changes @@ -1,3 +1,29 @@ +------------------------------------------------------------------- +Sat Apr 29 08:25:46 UTC 2023 - Pedro Monreal + +- Temporarily revert back to the pre-2.4 default for key generation. + The new rfc4880bis has been set as the default in 2.4 version and + might create incompatible keys. Note that, rfc4880bis can still + be used with the option flag --rfc4880bis as in previous versions. + * More info in the gnupg-devel ML: + https://lists.gnupg.org/pipermail/gnupg-devel/2022-December/035183.html + * Reverted commit https://dev.gnupg.org/rGcaf4b3fc16e9 + * Add gnupg-revert-rfc4880bis.patch + +------------------------------------------------------------------- +Sat Apr 29 08:12:32 UTC 2023 - Pedro Monreal + +- Allow 8192 bit RSA keys in keygen UI when large_rsa is set + * Add gnupg-allow-large-rsa.patch + +------------------------------------------------------------------- +Sat Apr 29 08:01:16 UTC 2023 - Pedro Monreal + +- Enable the regression tests: Fix the regression test suite that + fails with the IBM TPM Software stack. Builds fine using the Intel + TPM; use the swtpm and tpm2-0-tss-devel packages instead of + ibmswtpm2 and ibmtss-devel. + ------------------------------------------------------------------- Fri Apr 28 17:32:11 UTC 2023 - David Anes diff --git a/gpg2.spec b/gpg2.spec index 9d25be4..7ffb33c 100644 --- a/gpg2.spec +++ b/gpg2.spec @@ -39,10 +39,12 @@ Patch7: gnupg-2.2.16-secmem.patch Patch8: gnupg-accept_subkeys_with_a_good_revocation_but_no_self-sig_during_import.patch Patch9: gnupg-add-test-cases-for-import-without-uid.patch Patch10: gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch +#PATCH-FIX-SUSE Allow 8192 bit RSA keys in keygen UI when large_rsa is set +Patch11: gnupg-allow-large-rsa.patch +#PATCH-FIX-SUSE Revert the rfc4880bis features default of key generation +Patch12: gnupg-revert-rfc4880bis.patch BuildRequires: expect BuildRequires: fdupes -BuildRequires: ibmswtpm2 -BuildRequires: ibmtss-devel BuildRequires: libassuan-devel >= 2.5.0 BuildRequires: libgcrypt-devel >= 1.9.1 BuildRequires: libgpg-error-devel >= 1.46 @@ -52,6 +54,8 @@ BuildRequires: npth-devel >= 1.2 BuildRequires: openldap2-devel BuildRequires: pkgconfig BuildRequires: readline-devel +BuildRequires: swtpm +BuildRequires: tpm2-0-tss-devel BuildRequires: pkgconfig(bzip2) BuildRequires: pkgconfig(gnutls) >= 3.0 BuildRequires: pkgconfig(libusb-1.0) @@ -60,6 +64,7 @@ BuildRequires: pkgconfig(zlib) # runtime dependency to support devel repository users - boo#955982 Requires: libassuan0 >= 2.5.0 Requires: libgcrypt20 >= 1.9.1 +Requires: libgpg-error >= 1.46 Requires: libksba >= 1.3.4 Requires: pinentry Recommends: dirmngr = %{version} @@ -115,6 +120,7 @@ date=$(date -u +%%Y-%%m-%%dT%%H:%%M+0000 -r %{SOURCE99}) --with-dirmngr-pgm=%{_bindir}/dirmngr \ --with-scdaemon-pgm=%{_bindir}/scdaemon \ --with-tpm2daemon-pgm=%{_bindir}/tpm2daemon \ + --disable-rpath \ --enable-ldap \ --enable-gpgsm=yes \ --enable-gpgtar \ @@ -123,7 +129,9 @@ date=$(date -u +%%Y-%%m-%%dT%%H:%%M+0000 -r %{SOURCE99}) --enable-wks-tools \ --with-gnu-ld \ --with-default-trust-store-file=%{_sysconfdir}/ssl/ca-bundle.pem \ - --enable-build-timestamp=$date \ + --with-tss=intel \ + --enable-all-tests \ + --enable-build-timestamp=${date} \ --enable-gpg-is-gpg2 %make_build @@ -131,10 +139,11 @@ date=$(date -u +%%Y-%%m-%%dT%%H:%%M+0000 -r %{SOURCE99}) %install %make_install mkdir -p %{buildroot}%{_sysconfdir}/gnupg/ -# bnc#391347 +# install gpgconf.conf bnc#391347 install -m 644 doc/examples/gpgconf.conf %{buildroot}%{_sysconfdir}/gnupg # delete to prevent fdupes from creating cross-partition hardlink rm -rf %{buildroot}%{_docdir}/gpg2/examples/gpgconf.conf +# remove info dir rm %{buildroot}%{_infodir}/dir # compat symlinks ln -sf gpg2 %{buildroot}%{_bindir}/gpg @@ -155,10 +164,7 @@ install -Dm 0644 %{SOURCE4} %{buildroot}%{_udevrulesdir}/60-scdaemon.rules %fdupes -s %{buildroot} %check -# Run only localy, fails in OBS -#%%if ! 0%%{?qemu_user_space_build} -#make %%{?_smp_mflags} check -#%%endif +%make_build check || : %post %udev_rules_update @@ -166,11 +172,11 @@ install -Dm 0644 %{SOURCE4} %{buildroot}%{_udevrulesdir}/60-scdaemon.rules %files lang -f gnupg2.lang %files +%license COPYING* +%doc AUTHORS ChangeLog NEWS THANKS TODO doc/FAQ %{_infodir}/gnupg* %exclude %{_mandir}/*/dirmngr*%{ext_man} %{_mandir}/*/*%{ext_man} -%license COPYING* -%doc AUTHORS ChangeLog NEWS THANKS TODO doc/FAQ %doc %{_docdir}/%{name} %exclude %{_bindir}/dirmngr* %exclude %{_bindir}/tpm2daemon*