From 616bfde3a1432371de61637d4ec4d30b8cda15414a2fa837e296f3f35122dbe5 Mon Sep 17 00:00:00 2001
From: Andreas Stieger
Date: Sat, 17 Aug 2024 17:00:41 +0000
Subject: [PATCH] - Build with Botan 3 on Leap 15.7
OBS-URL: https://build.opensuse.org/package/show/security:privacy/rnp?expand=0&rev=38
---
.gitattributes | 23 ++++
.gitignore | 1 +
rnp-v0.17.0-cpp14-googletest.patch | 20 ++++
rnp-v0.17.0-disable-static.patch | 154 +++++++++++++++++++++++++
rnp-v0.17.0-system-sexp.patch | 131 ++++++++++++++++++++++
rnp-v0.17.0-test-SHA1-cutoff.patch | 103 +++++++++++++++++
rnp-v0.17.0-tests.patch | 34 ++++++
rnp-v0.17.0.tar.gz | 3 +
rnp-v0.17.0.tar.gz.asc | 7 ++
rnp-v0.17.1.tar.gz | 3 +
rnp-v0.17.1.tar.gz.asc | 7 ++
rnp.changes | 174 +++++++++++++++++++++++++++++
rnp.keyring | 16 +++
rnp.spec | 109 ++++++++++++++++++
14 files changed, 785 insertions(+)
create mode 100644 .gitattributes
create mode 100644 .gitignore
create mode 100644 rnp-v0.17.0-cpp14-googletest.patch
create mode 100644 rnp-v0.17.0-disable-static.patch
create mode 100644 rnp-v0.17.0-system-sexp.patch
create mode 100644 rnp-v0.17.0-test-SHA1-cutoff.patch
create mode 100644 rnp-v0.17.0-tests.patch
create mode 100644 rnp-v0.17.0.tar.gz
create mode 100644 rnp-v0.17.0.tar.gz.asc
create mode 100644 rnp-v0.17.1.tar.gz
create mode 100644 rnp-v0.17.1.tar.gz.asc
create mode 100644 rnp.changes
create mode 100644 rnp.keyring
create mode 100644 rnp.spec
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/rnp-v0.17.0-cpp14-googletest.patch b/rnp-v0.17.0-cpp14-googletest.patch
new file mode 100644
index 0000000..2496011
--- /dev/null
+++ b/rnp-v0.17.0-cpp14-googletest.patch
@@ -0,0 +1,20 @@
+https://github.com/rnpgp/rnp/pull/2209
+GoogleTest 1.14.0 requires C++ 14:
+
+[ 26s] /usr/include/gtest/internal/gtest-port.h:279:2: error: #error C++ versions less than C++14 are not supported.
+[ 26s] 279 | #error C++ versions less than C++14 are not supported.
+[ 26s] | ^~~~~
+
+Index: rnp-v0.17.0/CMakeLists.txt
+===================================================================
+--- rnp-v0.17.0.orig/CMakeLists.txt
++++ rnp-v0.17.0/CMakeLists.txt
+@@ -137,7 +137,7 @@ endif(WIN32)
+
+ # set a few other things at the top level to prevent incompatibilities
+ set(CMAKE_C_STANDARD 99)
+-set(CMAKE_CXX_STANDARD 11)
++set(CMAKE_CXX_STANDARD 14)
+ set(CMAKE_CXX_STANDARD_REQUIRED ON)
+ set(CMAKE_CXX_EXTENSIONS OFF)
+ add_definitions(-D_GNU_SOURCE)
diff --git a/rnp-v0.17.0-disable-static.patch b/rnp-v0.17.0-disable-static.patch
new file mode 100644
index 0000000..d6c25e2
--- /dev/null
+++ b/rnp-v0.17.0-disable-static.patch
@@ -0,0 +1,154 @@
+From 8f7b2f27af277b0577ada7ecc54bb2db190eac85 Mon Sep 17 00:00:00 2001
+From: "Maxim [maxirmx] Samsonov"
+Date: Wed, 3 May 2023 20:26:49 +0300
+Subject: [PATCH] Not installing static libraries when BUILD_SHARED_LIBS=ON
+
+---
+ ci/tests/deb-tests.sh | 2 --
+ ci/tests/pk-tests.sh | 27 ---------------------------
+ ci/tests/pkg-tests.sh | 2 --
+ ci/tests/rpm-tests.sh | 2 --
+ src/lib/CMakeLists.txt | 33 +++++++++++++--------------------
+ 5 files changed, 13 insertions(+), 53 deletions(-)
+
+diff --git a/ci/tests/deb-tests.sh b/ci/tests/deb-tests.sh
+index 78057026..35630223 100755
+--- a/ci/tests/deb-tests.sh
++++ b/ci/tests/deb-tests.sh
+@@ -43,8 +43,6 @@ declare expected_libraries=(
+
+ declare expected_devlibraries=(
+ "$DIR_LIB/librnp.so"
+- "$DIR_LIB/librnp.a"
+- "$DIR_LIB/libsexp.a"
+ "$DIR_LIB/pkgconfig/librnp.pc"
+ )
+
+diff --git a/ci/tests/pk-tests.sh b/ci/tests/pk-tests.sh
+index 2b22df99..34f9b17c 100755
+--- a/ci/tests/pk-tests.sh
++++ b/ci/tests/pk-tests.sh
+@@ -101,33 +101,6 @@ test_shared_library() {
+ sudo yum -y erase $(rpm -qa | grep rnp)
+ }
+
+-test_static_library() {
+- sudo yum -y localinstall librnp0-0*.*.rpm librnp0-devel-0*.*.rpm
+- pushd "$(mktemp -d)"
+- create_source_file
+- create_cmake_file 'rnp::librnp-static'
+-
+-# shellcheck disable=SC2251
+-! cmake . -DCMAKE_MODULE_PATH="$DIR_CMAKE"/*
+- assertEquals "cmake failed at static library test" 0 "${PIPESTATUS[0]}"
+-
+-# shellcheck disable=SC2251
+-! make
+- assertEquals "make failed at static library test" 0 "${PIPESTATUS[0]}"
+-
+-# shellcheck disable=SC2251
+-! ./find_package_test
+- assertEquals "test program failed at static library test" 0 "${PIPESTATUS[0]}"
+-
+-# shellcheck disable=SC2251
+-! ldd find_package_test | grep librnp
+- assertNotEquals "unexpected reference to shared rnp library at static library test" 0 "${PIPESTATUS[1]}"
+-
+- popd
+-# shellcheck disable=SC2046
+- sudo yum -y erase $(rpm -qa | grep rnp)
+-}
+-
+ test_no_library() {
+ pushd "$(mktemp -d)"
+ create_source_file
+diff --git a/ci/tests/pkg-tests.sh b/ci/tests/pkg-tests.sh
+index dbeaac6d..dcc4d014 100755
+--- a/ci/tests/pkg-tests.sh
++++ b/ci/tests/pkg-tests.sh
+@@ -43,8 +43,6 @@ declare expected_libraries=(
+
+ declare expected_devlibraries=(
+ "$DIR_LIB/librnp.so"
+- "$DIR_LIB/librnp.a"
+- "$DIR_LIB/libsexp.a"
+ "$DIR_LIB/pkgconfig/librnp.pc"
+ )
+
+diff --git a/ci/tests/rpm-tests.sh b/ci/tests/rpm-tests.sh
+index 39f8dd03..75b676e9 100755
+--- a/ci/tests/rpm-tests.sh
++++ b/ci/tests/rpm-tests.sh
+@@ -50,8 +50,6 @@ declare expected_libraries=(
+
+ declare expected_devlibraries=(
+ "$DIR_LIB/librnp.so"
+- "$DIR_LIB/librnp.a"
+- "$DIR_LIB/libsexp.a"
+ "$DIR_LIB/pkgconfig/librnp.pc"
+ )
+
+diff --git a/src/lib/CMakeLists.txt b/src/lib/CMakeLists.txt
+index 086ac57d..f6987967 100755
+--- a/src/lib/CMakeLists.txt
++++ b/src/lib/CMakeLists.txt
+@@ -414,11 +414,11 @@ else()
+ endif()
+
+ # add these to the rnp-targets export
+-# On Unix like systems we will build/install/pack shared and static libraries librnp.so and librnp.a
+-# On Windows we will build/install/pack dynamic, import and static libraries rnp.dll, rnp.lib and rnp-static.lib
++# On Unix like systems we will build/install/pack either shared library librnp.so or static librnp.a
++# On Windows we will build/install/pack either dynamic and import libraries rnp.dll, rnp.lib or static library rnp-static.lib
+
+-# If a client application uses shared rnp library, sexp is statically linked to librnp.so
+-# If a client application uses static rnp library, it still needs libsexp.a
++# If a client application uses shared rnp library, sexp is statically linked to librnp.so and libsexp.a is not installed
++# If a client application uses static rnp library, it still needs libsexp.a and it is installed
+
+ if (BUILD_SHARED_LIBS)
+ # both static and shared libraries
+@@ -433,15 +433,17 @@ install(TARGETS librnp
+ COMPONENT development
+ )
+
+- install(TARGETS librnp-static sexp
+- EXPORT rnp-targets
+- ARCHIVE
+- DESTINATION "${CMAKE_INSTALL_LIBDIR}"
+- COMPONENT development
+- )
++# install dll only for windows
++ if (WIN32)
++ install(TARGETS librnp
++ RUNTIME
++ DESTINATION "${CMAKE_INSTALL_BINDIR}"
++ COMPONENT runtime
++ )
++ endif(WIN32)
+ else(BUILD_SHARED_LIBS)
+ # static libraries only
+-install(TARGETS librnp sexp
++ install(TARGETS librnp sexp
+ EXPORT rnp-targets
+ ARCHIVE
+ DESTINATION "${CMAKE_INSTALL_LIBDIR}"
+@@ -449,15 +451,6 @@ install(TARGETS librnp sexp
+ )
+ endif(BUILD_SHARED_LIBS)
+
+-# install dll only for windows
+-if (WIN32)
+- install(TARGETS librnp
+- RUNTIME
+- DESTINATION "${CMAKE_INSTALL_BINDIR}"
+- COMPONENT runtime
+- )
+-endif(WIN32)
+-
+ # install headers
+ install(
+ FILES
+--
+2.41.0
+
diff --git a/rnp-v0.17.0-system-sexp.patch b/rnp-v0.17.0-system-sexp.patch
new file mode 100644
index 0000000..e88095d
--- /dev/null
+++ b/rnp-v0.17.0-system-sexp.patch
@@ -0,0 +1,131 @@
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 0fa5aa14c..d64927540 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -58,6 +58,8 @@ option(ENABLE_COVERAGE "Enable code coverage testing.")
+ option(ENABLE_SANITIZERS "Enable ASan and other sanitizers.")
+ option(ENABLE_FUZZERS "Enable fuzz targets.")
+ option(DOWNLOAD_GTEST "Download Googletest" On)
++option(SYSTEM_LIBSEXPP "Use system sexpp library" OFF)
++
+ # crypto components
+ function(tristate_feature_auto NAME DESCRIPTION)
+ set(${NAME} Auto CACHE STRING ${DESCRIPTION})
+@@ -182,10 +184,22 @@ if (ENABLE_FUZZERS)
+ endif()
+ add_subdirectory(src/common)
+
+-set(WITH_SEXP_CLI OFF)
+-set(WITH_SEXP_TESTS OFF)
+-set(CMAKE_INSTALL_DEFAULT_COMPONENT_NAME development)
+-add_subdirectory(src/libsexp EXCLUDE_FROM_ALL)
++if (SYSTEM_LIBSEXPP)
++ find_package(PkgConfig)
++ pkg_check_modules(REQUIRED sexpp>=0.8.7)
++else (SYSTEM_LIBSEXPP)
++# If we use system libsexpp is not used we build sexpp static library
++# If librnp is shared, libsexpp.a is a transient artifact which is hidden from
++# the end user.
++# If librnp is static we install libsexpp.a aside
++ set(SAVED_BUILD_SHARED_LIBS ${BUILD_SHARED_LIBS})
++ set(BUILD_SHARED_LIBS OFF)
++ set(WITH_SEXP_CLI OFF)
++ set(WITH_SEXP_TESTS OFF)
++ set(CMAKE_INSTALL_DEFAULT_COMPONENT_NAME development)
++ add_subdirectory(src/libsexpp EXCLUDE_FROM_ALL)
++ set(BUILD_SHARED_LIBS ${SAVED_BUILD_SHARED_LIBS})
++endif (SYSTEM_LIBSEXPP)
+
+ add_subdirectory(src/lib)
+ add_subdirectory(src/rnp)
+diff --git a/src/lib/CMakeLists.txt b/src/lib/CMakeLists.txt
+index d931701a5..19059c2fa 100755
+--- a/src/lib/CMakeLists.txt
++++ b/src/lib/CMakeLists.txt
+@@ -342,7 +342,7 @@ elseif (CRYPTO_BACKEND_OPENSSL)
+ target_link_libraries(librnp-obj PRIVATE OpenSSL::Crypto)
+ endif()
+
+-target_link_libraries(librnp-obj PRIVATE sexp)
++target_link_libraries(librnp-obj PRIVATE sexpp)
+
+ set_target_properties(librnp-obj PROPERTIES CXX_VISIBILITY_PRESET hidden)
+ if (TARGET BZip2::BZip2)
+@@ -398,7 +398,7 @@ foreach (prop LINK_LIBRARIES INTERFACE_LINK_LIBRARIES INCLUDE_DIRECTORIES INTERF
+ get_target_property(val librnp-obj ${prop})
+ if (BUILD_SHARED_LIBS)
+ set_property(TARGET librnp-static PROPERTY ${prop} ${val})
+- list(REMOVE_ITEM val "$")
++ list(REMOVE_ITEM val "$")
+ set_property(TARGET librnp PROPERTY ${prop} ${val})
+ else()
+ set_property(TARGET librnp PROPERTY ${prop} ${val})
+@@ -431,12 +431,11 @@ endif()
+ # On Unix like systems we will build/install/pack either shared library librnp.so or static librnp.a
+ # On Windows we will build/install/pack either dynamic and import libraries rnp.dll, rnp.lib or static library rnp-static.lib
+
+-# If a client application uses shared rnp library, sexp is statically linked to librnp.so and libsexp.a is not installed
+-# If a client application uses static rnp library, it still needs libsexp.a and it is installed
++# If a client application uses shared rnp library, sexpp is statically linked to librnp.so and libsexpp.a is not installed
++# If a client application uses static rnp library, it still needs libsexpp.a and it is installed
+
+ if (BUILD_SHARED_LIBS)
+-# both static and shared libraries
+-install(TARGETS librnp
++ install(TARGETS librnp
+ EXPORT rnp-targets
+ LIBRARY
+ DESTINATION "${CMAKE_INSTALL_LIBDIR}"
+@@ -456,13 +455,23 @@ install(TARGETS librnp
+ )
+ endif(WIN32)
+ else(BUILD_SHARED_LIBS)
+-# static libraries only
+- install(TARGETS librnp sexp
++# static libraries
++# install libsexpp unless system-installed libsexpp is used
++ if (SYSTEM_LIBSEXPP)
++ install(TARGETS librnp
++ EXPORT rnp-targets
++ ARCHIVE
++ DESTINATION "${CMAKE_INSTALL_LIBDIR}"
++ COMPONENT development
++ )
++ else (SYSTEM_LIBSEXPP)
++ install(TARGETS librnp sexpp
+ EXPORT rnp-targets
+ ARCHIVE
+ DESTINATION "${CMAKE_INSTALL_LIBDIR}"
+ COMPONENT development
+-)
++ )
++ endif (SYSTEM_LIBSEXPP)
+ endif(BUILD_SHARED_LIBS)
+
+ # install headers
+diff --git a/src/librekey/g23_sexp.hpp b/src/librekey/g23_sexp.hpp
+index b888680f5..b062c52f1 100644
+--- a/src/librekey/g23_sexp.hpp
++++ b/src/librekey/g23_sexp.hpp
+@@ -27,8 +27,8 @@
+ #ifndef RNP_G23_SEXP_HPP
+ #define RNP_G23_SEXP_HPP
+
+-#include "sexp/sexp.h"
+-#include "sexp/ext-key-format.h"
++#include "sexpp/sexp.h"
++#include "sexpp/ext-key-format.h"
+
+ #define SXP_MAX_DEPTH 30
+
+--- a/src/tests/CMakeLists.txt
++++ b/src/tests/CMakeLists.txt
+@@ -186,7 +186,7 @@ target_link_libraries(rnp_tests
+ PRIVATE
+ librnp-static
+ JSON-C::JSON-C
+- sexp
++ sexpp
+ ${GTestMain}
+ )
+ if (CRYPTO_BACKEND_LOWERCASE STREQUAL "openssl")
diff --git a/rnp-v0.17.0-test-SHA1-cutoff.patch b/rnp-v0.17.0-test-SHA1-cutoff.patch
new file mode 100644
index 0000000..f47bd4b
--- /dev/null
+++ b/rnp-v0.17.0-test-SHA1-cutoff.patch
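Review bot: In rnp-v0.17.0-system-sexp.patch, the `if (SYSTEM_LIBSEXPP)` branch added to the top-level CMakeLists.txt calls `pkg_check_modules(REQUIRED sexpp>=0.8.7)`, which puts `REQUIRED` in the prefix position, so CMake uses it as the result-variable prefix and the lookup is not mandatory; the preceding `find_package(PkgConfig)` is optional as well. A missing or too-old system sexpp would therefore not stop configuration, and the `>=0.8.7` floor is not enforced at the point where the packaging expects it. I would change the two lines to `find_package(PkgConfig REQUIRED)` and `pkg_check_modules(SEXPP REQUIRED sexpp>=0.8.7)`. The comment `# If we use system libsexpp is not used we build sexpp static library` in the else branch is garbled and could read `# If system libsexpp is not used we build sexpp as a static library`.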
@@ -0,0 +1,103 @@
+From eb1f10b003c2addf8098a764b823696d48b62c01 Mon Sep 17 00:00:00 2001
+From: Nickolay Olshevsky
+Date: Fri, 19 Jan 2024 16:05:32 +0200
+Subject: [PATCH] Update tests to match SHA1 cutoff date for key signatures.
+
+---
+ src/tests/cli_tests.py | 10 +++++-----
+ src/tests/ffi.cpp | 26 +++++++++++++++++---------
+ src/tests/key-add-userid.cpp | 2 ++
+ 3 files changed, 24 insertions(+), 14 deletions(-)
+
+diff --git a/src/tests/cli_tests.py b/src/tests/cli_tests.py
+index bde7faf9d..634c88504 100755
+--- a/src/tests/cli_tests.py
++++ b/src/tests/cli_tests.py
+@@ -4862,12 +4862,16 @@ def do_test_encrypt(self, sign_key_size, enc_key_size):
+ self.operation_key_location = tuple((key_path(pfx, False), key_path(pfx, True)))
+ self.rnp.userid = self.gpg.userid = pfx + AT_EXAMPLE
+ # DSA 1024 key uses SHA-1 as hash but verification would succeed till 2024
++ if sign_key_size == 1024:
++ return
+ self._encrypt_decrypt(self.gpg, self.rnp)
+
+ def do_test_decrypt(self, sign_key_size, enc_key_size):
+ pfx = EncryptElgamal.key_pfx(sign_key_size, enc_key_size)
+ self.operation_key_location = tuple((key_path(pfx, False), key_path(pfx, True)))
+ self.rnp.userid = self.gpg.userid = pfx + AT_EXAMPLE
++ if sign_key_size == 1024:
++ return
+ self._encrypt_decrypt(self.rnp, self.gpg)
+
+ def test_encrypt_P1024_1024(self): self.do_test_encrypt(1024, 1024)
+@@ -4878,11 +4882,7 @@ def test_decrypt_P1024_1024(self): self.do_test_decrypt(1024, 1024)
+ def test_decrypt_P2048_2048(self): self.do_test_decrypt(2048, 2048)
+ def test_decrypt_P1234_1234(self): self.do_test_decrypt(1234, 1234)
+
+- def test_generate_elgamal_key1024_in_gpg_and_encrypt(self):
+- cmd = EncryptElgamal.GPG_GENERATE_DSA_ELGAMAL_PATTERN.format(1024, 1024, self.gpg.userid)
+- self.operation_key_gencmd = cmd
+- # Will not fail till 2024 since 1024-bit DSA key uses SHA-1 as hash.
+- self._encrypt_decrypt(self.gpg, self.rnp)
++ # 1024-bit key generation test was removed since it uses SHA1, which is not allowed for key signatures since Jan 19, 2024.
+
+ def test_generate_elgamal_key1536_in_gpg_and_encrypt(self):
+ cmd = EncryptElgamal.GPG_GENERATE_DSA_ELGAMAL_PATTERN.format(1536, 1536, self.gpg.userid)
+diff --git a/src/tests/ffi.cpp b/src/tests/ffi.cpp
+index 8f1694d9f..07b778f00 100644
+--- a/src/tests/ffi.cpp
++++ b/src/tests/ffi.cpp
+@@ -5976,11 +5976,16 @@ TEST_F(rnp_tests, test_ffi_security_profile)
+ assert_int_equal(flags, 0);
+ /* SHA1 - now, data verify disabled, key sig verify is enabled */
+ flags = 0;
+- assert_rnp_success(rnp_get_security_rule(
+- ffi, RNP_FEATURE_HASH_ALG, "SHA1", time(NULL), &flags, &from, &level));
+- assert_int_equal(from, SHA1_DATA_FROM);
++ auto now = time(NULL);
++ bool sha1_cutoff = now > SHA1_KEY_FROM;
++ /* This would pick default rule closer to the date independent on usage */
++ assert_rnp_success(
++ rnp_get_security_rule(ffi, RNP_FEATURE_HASH_ALG, "SHA1", now, &flags, &from, &level));
++ auto expect_from = sha1_cutoff ? SHA1_KEY_FROM : SHA1_DATA_FROM;
++ auto expect_usage = sha1_cutoff ? RNP_SECURITY_VERIFY_KEY : RNP_SECURITY_VERIFY_DATA;
++ assert_int_equal(from, expect_from);
+ assert_int_equal(level, RNP_SECURITY_INSECURE);
+- assert_int_equal(flags, RNP_SECURITY_VERIFY_DATA);
++ assert_int_equal(flags, expect_usage);
+ flags = 0;
+ assert_rnp_success(rnp_get_security_rule(
+ ffi, RNP_FEATURE_HASH_ALG, "SHA1", SHA1_DATA_FROM - 1, &flags, &from, &level));
+@@ -5993,11 +5998,14 @@ TEST_F(rnp_tests, test_ffi_security_profile)
+ assert_int_equal(level, RNP_SECURITY_INSECURE);
+ assert_int_equal(flags, RNP_SECURITY_VERIFY_DATA);
+ flags = RNP_SECURITY_VERIFY_KEY;
+- assert_rnp_success(rnp_get_security_rule(
+- ffi, RNP_FEATURE_HASH_ALG, "SHA1", time(NULL), &flags, &from, &level));
+- assert_int_equal(from, 0);
+- assert_int_equal(level, RNP_SECURITY_DEFAULT);
+- assert_int_equal(flags, 0);
++ assert_rnp_success(
++ rnp_get_security_rule(ffi, RNP_FEATURE_HASH_ALG, "SHA1", now, &flags, &from, &level));
++ expect_from = sha1_cutoff ? SHA1_KEY_FROM : 0;
++ auto expect_level = sha1_cutoff ? RNP_SECURITY_INSECURE : RNP_SECURITY_DEFAULT;
++ expect_usage = sha1_cutoff ? RNP_SECURITY_VERIFY_KEY : 0;
++ assert_int_equal(from, expect_from);
++ assert_int_equal(level, expect_level);
++ assert_int_equal(flags, expect_usage);
+ flags = RNP_SECURITY_VERIFY_KEY;
+ assert_rnp_success(rnp_get_security_rule(
+ ffi, RNP_FEATURE_HASH_ALG, "SHA1", SHA1_KEY_FROM + 5, &flags, &from, &level));
+diff --git a/src/tests/key-add-userid.cpp b/src/tests/key-add-userid.cpp
+index 5c2a4f71d..edd420573 100644
+--- a/src/tests/key-add-userid.cpp
++++ b/src/tests/key-add-userid.cpp
+@@ -68,6 +68,8 @@ TEST_F(rnp_tests, test_key_add_userid)
+ selfsig0.key_flags = 0x2;
+ selfsig0.key_expiration = base_expiry;
+ selfsig0.primary = false;
++ auto curtime = global_ctx.time();
++ global_ctx.set_time(curtime > SHA1_KEY_FROM ? SHA1_KEY_FROM - 100 : 0);
+ key->add_uid_cert(selfsig0, PGP_HASH_SHA1, global_ctx);
+ // attempt to add sha1-signed uid and make sure it succeeds now and fails after the cutoff
+ // date in 2024
diff --git a/rnp-v0.17.0-tests.patch b/rnp-v0.17.0-tests.patch
new file mode 100644
index 0000000..c689540
--- /dev/null
+++ b/rnp-v0.17.0-tests.patch
@@ -0,0 +1,34 @@
+From e69da980c1bc3d6096db6446a5e14cac924146fa Mon Sep 17 00:00:00 2001
+From: Andreas Stieger
+Date: Mon, 19 Jun 2023 23:05:27 +0200
+Subject: [PATCH] Increase key expiry seconds in tests from 10s to 60s
+
+---
+ src/tests/cli_tests.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/tests/cli_tests.py b/src/tests/cli_tests.py
+index e6f5ed76..f0bcc757 100755
+--- a/src/tests/cli_tests.py
++++ b/src/tests/cli_tests.py
+@@ -1997,14 +1997,14 @@ class Keystore(unittest.TestCase):
+ matches = re.findall(r'(key expiration time: 63072000 seconds \(730 days\))', out)
+ self.assertEqual(len(matches), 1)
+
+- # Expires in 10 seconds
+- ret, out, _ = run_proc(RNPK, ['--homedir', RNPDIR, '--edit-key', '--set-expire', '10', 'primary_with_empty_password@rnp'])
++ # Expires in 60 seconds
++ ret, out, _ = run_proc(RNPK, ['--homedir', RNPDIR, '--edit-key', '--set-expire', '60', 'primary_with_empty_password@rnp'])
+ self.assertEqual(ret, 0)
+ self.assertRegex(out, r'(?s)^.*\[EXPIRES .*')
+
+ ret, out, _ = run_proc(RNP, ['--list-packets', kpath])
+ self.assertEqual(ret, 0)
+- self.assertRegex(out, r'(?s)^.*key expiration time: 10 seconds \(0 days\).*')
++ self.assertRegex(out, r'(?s)^.*key expiration time: 60 seconds \(0 days\).*')
+
+ # Expires in 10 hours
+ ret, out, _ = run_proc(RNPK, ['--homedir', RNPDIR, '--edit-key', '--set-expire', '10h', 'primary_with_empty_password@rnp'])
+--
+2.41.0
+
diff --git a/rnp-v0.17.0.tar.gz b/rnp-v0.17.0.tar.gz
new file mode 100644
index 0000000..bfd9ae7
--- /dev/null
+++ b/rnp-v0.17.0.tar.gz
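Review bot: In rnp-v0.17.0-test-SHA1-cutoff.patch, the `if sign_key_size == 1024: return` added to `do_test_encrypt` and `do_test_decrypt` makes `test_encrypt_P1024_1024` and `test_decrypt_P1024_1024` report a pass without exercising anything, so the test report no longer shows that the SHA-1 signed 1024-bit case is being left out. `self.skipTest('1024-bit DSA key is SHA-1 signed; not accepted after the cutoff date')` would keep the omission visible, and the retained comment `# DSA 1024 key uses SHA-1 as hash but verification would succeed till 2024` should be updated to say why the case is skipped. In the key-add-userid.cpp hunk, `global_ctx.set_time(...)` moves the context clock back before `add_uid_cert`; whether the saved `curtime` is restored afterwards lies outside the hunk and is worth confirming so that later checks do not run against a pre-cutoff clock.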
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:04d29fe9a20c56bb7ff4d77bc761b91f1f96462efd3b29d4d1d40262ce4eb782
+size 3083098
diff --git a/rnp-v0.17.0.tar.gz.asc b/rnp-v0.17.0.tar.gz.asc
new file mode 100644
index 0000000..8f39bae
--- /dev/null
+++ b/rnp-v0.17.0.tar.gz.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYIAB0WIQRQ2lnVuRNPotsesgz7gpq10P4BfwUCZFI5oQAKCRD7gpq10P4B
+f54nAP9diWXjNJWAAP/RT3pvz5vWD/bIsjfBtqKHkIp2zJin0gEAleb9Pd4Fxq5O
+EtYr/e2qwH8B7rzma6vm4tjVOmSKywk=
+=vwtT
+-----END PGP SIGNATURE-----
diff --git a/rnp-v0.17.1.tar.gz b/rnp-v0.17.1.tar.gz
new file mode 100644
index 0000000..2923ea7
--- /dev/null
+++ b/rnp-v0.17.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3095e2439ecb7b65f0ab72b7bbfafeb39bb1dda3c24c2ae110719a41bbfbf37d
+size 3563881
diff --git a/rnp-v0.17.1.tar.gz.asc b/rnp-v0.17.1.tar.gz.asc
new file mode 100644
index 0000000..6e3964d
--- /dev/null
+++ b/rnp-v0.17.1.tar.gz.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+wnsEABYIACMWIQRQ2lnVuRNPotsesgz7gpq10P4BfwUCZkMJgwUDAAAAAAAKCRD7gpq10P4Bf2jG
+AQDO4DGfnXrnQ7fJhVGcUwM46hygc2mP/VX2G5qXazEyDQEAjGR5we4cD23zq5fHM4ITE040H4YG
+bLwQuzo8RciwOQQ=
+=oCnb
+-----END PGP SIGNATURE-----
diff --git a/rnp.changes b/rnp.changes
new file mode 100644
index 0000000..c0b7462
--- /dev/null
+++ b/rnp.changes
@@ -0,0 +1,174 @@
+-------------------------------------------------------------------
+Sat Aug 17 16:49:52 UTC 2024 - Andreas Stieger
+
+- Build with Botan 3 on Leap 15.7
+
+-------------------------------------------------------------------
+Tue Jul 30 20:17:53 UTC 2024 - Andreas Stieger
+
+- Build with Botan 3 on Tumbleweed
+
+-------------------------------------------------------------------
+Sun Jul 28 18:20:34 UTC 2024 - Andreas Stieger
+
+- rnp 0.17.1:
+ * Added support for Botan 3
+ * Updated support for OpenSSL 3
+ * Added support for mimemode in literal data packet
+ * Relaxed Base64 decoding to allow spaces after the checksum
+ * Added functions rnp_key_set_features() and
+ rnp_signature_get_features()
+- drop patches no longer needed:
+ * rnp-v0.17.0-cpp14-googletest.patch
+ * rnp-v0.17.0-disable-static.patch
+ * rnp-v0.17.0-system-sexp.patch
+ * rnp-v0.17.0-test-SHA1-cutoff.patch
+ * rnp-v0.17.0-tests.patch
+
+-------------------------------------------------------------------
+Wed Apr 3 11:14:34 UTC 2024 - Andreas Stieger
+
+- switch to C++14 to fix build with new GoogleTest 1.14.0
+ add rnp-v0.17.0-cpp14-googletest.patch
+
+-------------------------------------------------------------------
+Sat Jan 20 09:52:21 UTC 2024 - Andreas Stieger
+
+- fix build after SHA-1 cutoff date
+ add rnp-v0.17.0-test-SHA1-cutoff.patch
+
+-------------------------------------------------------------------
+Mon Jun 26 20:21:55 UTC 2023 - Andreas Stieger
+
+- build with system sexpp library (renamed)
+
+-------------------------------------------------------------------
+Mon Jun 19 21:10:24 UTC 2023 - Andreas Stieger
+
+- fix s390x tests - add rnp-v0.17.0-tests.patch
+
+-------------------------------------------------------------------
+Wed Jun 14 21:01:38 UTC 2023 - Andreas Stieger
+
+- build with system sexp library
+ (add rnp-v0.17.0-system-sexp.patch)
+- drop rnp-v0.17.0-gcc13.patch no longer needed
+
+-------------------------------------------------------------------
+Wed Jun 14 20:57:32 UTC 2023 - Andreas Stieger
+
+- fix build on Leap (json-c)
+
+-------------------------------------------------------------------
+Mon Jun 12 20:32:19 UTC 2023 - Andreas Stieger
+
+- rnp 0.17.0:
+ * Add support for hidden recipient during decryption
+ * Improve support for offline secret keys during default key
+ selection
+ * Support for GnuPG 2
+ * SExp parsing code is moved to separate library
+ * Mark subkeys as expired instead of invalid if primary key is
+ expired
+ * AEAD: use OCB by default instead of EAX
+ * Do not attempt to validate signatures of unexpected types
+ * Use thread-safe time and date handling functions
+ * Added ENABLE_BLOWFISH, ENABLE_CAST5 and ENABLE_RIPEMD160 build
+ time options
+ * Corrected usage of CEK/KEK algorithms if those differs
+ * Add default armor message type for --enarmor command
+ * Add command --set-filename to specify which file name should be stored in message
+ * Add --add-subkey subcommand to the --edit-key
+ * Add set-expire subcommand to the --edit-key
+ * Add --s2k-iterations and --s2k-msec options to the rnp
+ * dd --allow-weak-hash command to allow usage of weak hash algorithms
+ * Report number of new/updated keys during the key import
+- add rnp-v0.17.0-disable-static.patch
+- add rnp-v0.17.0-gcc13.patch
+- uses bundled libsexp
+
+-------------------------------------------------------------------
+Mon Jun 12 17:16:52 UTC 2023 - Andreas Stieger
+
+- rnp 0.16.3:
+ * CVE-2023-29479: Fix issue with possible hang on malformed
+ inputs (boo#1212253)
+ * CVE-2023-29480: Fix issue where in some cases, secret keys
+ remain unlocked after use (boo#1212254)
+
+-------------------------------------------------------------------
+Mon Sep 26 04:36:06 UTC 2022 - Andreas Stieger
+
+- rnp 0.16.2:
+ * Support a number of additional key and encryption operations
+ * Now uses separate security rules for the data and key signatures,
+ extending SHA1 key signature support till the Jan, 19 2024.
+ * The default key expiration time was set to 2 years.
+ * The library got a number of developer visible updates,
+ and the command-line interface gained a number of additional
+ knobs, switches, and output improvements
+
+-------------------------------------------------------------------
+Sun May 22 08:14:29 UTC 2022 - Andreas Stieger
+
+- add upstream signing key and verify source signature
+
+-------------------------------------------------------------------
+Sun Feb 13 18:12:53 UTC 2022 - Andreas Stieger
+
+- rnp 0.16.0:
+ * Ability to disable certain features via compile-time switches
+ (ENABLE_AEAD, ENABLE_SM2, etc.)
+ * Mark signatures with SHA1/MD5 hash, produced after the specific
+ date (2019-01-19 and 2012-01-01) as invalid
+ * Fixed possible incompatibility with GnuPG on x25519 secret key
+ export
+ * Fixed export of non-FFI symbols from rnp.so/rnp.dylib
+ * Fixed key expiration time calculation in some edge cases
+ * Added security profile manipulation functions to the FFI
+ * Improved CLI tools help messages
+ * Improved CLI: stdin/stdout/env input/output specifiers, --notty
+ for batch processing, etc.
+
+-------------------------------------------------------------------
+Sat Jan 15 08:14:17 UTC 2022 - Andreas Stieger
+
+- disable tests
+
+-------------------------------------------------------------------
+Mon Aug 9 20:44:23 UTC 2021 - Andreas Stieger
+
+- rnp 0.15.2:
+ * Be less strict in userid validation: allow to use userids with
+ self-signature, which has key expiration in the past
+ * Do not mark signature as invalid if key which produced it is
+ expired now, but was valid during signing
+ * Fix incorrect key expiration calculation in some cases
+ * rnp: Show error message if encryption failed
+ * rnpkeys: Add --expiration option to specify expiration time
+ during key generation
+- run tests
+
+-------------------------------------------------------------------
+Mon Jun 28 20:17:02 UTC 2021 - Andreas Stieger
+
+- rnp 0.15.1:
+ * Fix updating of expiration time for a key with multiple user
+ IDs
+ * Fixed key expiry check for keys valid after the year 2038
+ * Pick up key expiration time from direct-key signature or primary
+ userid certification if available
+ * CVE-2021-33589: issue with cleartext key data after the
+ rnp_key_unprotect()/rnp_key_protect() calls (boo#1187759)
+- includes changes from 0.15.0:
+ * Improve handling of cleartext signatures, when empty line
+ between headers and contents contains some whitespace
+ * Relax requirements for the armored messages CRC (allow absence
+ of the CRC, and issue warning instead of complete failure)
+ * documentation updates
+ * rnpkeys: add --remove-key command
+
+-------------------------------------------------------------------
+Sun Feb 21 21:44:24 UTC 2021 - Andreas Stieger
+
+- initial package, 0.14.0
diff --git a/rnp.keyring b/rnp.keyring
new file mode 100644
index 0000000..a4acb2b
--- /dev/null
+++ b/rnp.keyring
@@ -0,0 +1,16 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEYOUN0RYJKwYBBAHaRw8BAQdA3FRB/1WGnBDheAOEENZ1jnwOlzWyCGTmZi7u
+d824hiW0LFJOUEdQIFJlbGVhc2UgU2lnbmluZyBLZXkgPHJucGdwQHJpYm9zZS5j
+b20+iJYEExYIAD4WIQQxr1ok2GHvy3y3mhkkkAzgrvtUFwUCYOUN0QIbAQUJbeHV
+gAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAkkAzgrvtUF42MAQDXfgjYWWqR
+PkCvVhDQEjJVETNmwSgfhG/q3pMmGSlJFQD/ZJI9KhowbzGU0/qDXDERPoR2FYB5
+xx4BwotTOwketw64MwRjGxr6FgkrBgEEAdpHDwEBB0B5WpvGuJLXoMdAAIyNfOjd
+Z7ittaBksxh/mfCPKcXrPoj1BBgWCAAmFiEEMa9aJNhh78t8t5oZJJAM4K77VBcF
+AmMbGvoCGwIFCQPCZwAAgQkQJJAM4K77VBd2IAQZFggAHRYhBFDaWdW5E0+i2x6y
+DPuCmrXQ/gF/BQJjGxr6AAoJEPuCmrXQ/gF/Zi4A/RwEZ17ZrXyn0kiY/DP6BSIt
+p/6Sk9hG7KpkRqC3aaWsAQD2P6eZV6pWbhQp1C/kQYtgBbLOMUqmAg+5fMduhmaw
+BDfrAP9PXS/3/h4R2UWvQ8yDv4BXztrnf61rX6re4iGpfixBZAD9FalZDJmCrdQm
+toOkvaIWylfh5HgTM3lxXcO3Dz6W6QQ=
+=Towq
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/rnp.spec b/rnp.spec
new file mode 100644
index 0000000..fc45dbb
--- /dev/null
+++ b/rnp.spec
@@ -0,0 +1,109 @@
+#
+# spec file for package rnp
+#
+# Copyright (c) 2024 Andreas Stieger
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define soname 0
+Name: rnp
+Version: 0.17.1
+Release: 0
+Summary: OpenPGP implementation fully compliant with RFC 4880
+License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause
+URL: https://www.rnpgp.com/
+Source: https://github.com/rnpgp/rnp/releases/download/v%{version}/%{name}-v%{version}.tar.gz
+Source2: https://github.com/rnpgp/rnp/releases/download/v%{version}/%{name}-v%{version}.tar.gz.asc
+Source3: https://www.rnpgp.org/openpgp_keys/31AF5A24D861EFCB7CB79A1924900CE0AEFB5417-50DA59D5B9134FA2DB1EB20CFB829AB5D0FE017F.asc#/%{name}.keyring
+BuildRequires: c++_compiler
+BuildRequires: cmake >= 3.18
+BuildRequires: gpg2 >= 2.2
+BuildRequires: gtest
+BuildRequires: pkgconfig
+BuildRequires: pkgconfig(bzip2)
+BuildRequires: pkgconfig(json-c) >= 0.11
+BuildRequires: pkgconfig(sexpp) >= 0.8.7
+BuildRequires: pkgconfig(zlib)
+BuildRequires: rubygem(asciidoctor)
+%if (0%{?suse_version} > 1600) || (0%{?sle_version} >= 150700 && 0%{?is_opensuse})
+BuildRequires: pkgconfig(botan-3) >= 3.0.0
+%else
+BuildRequires: pkgconfig(botan-2) >= 2.14.0
+%endif
+%if 0%{?sle_version} >= 150700 && 0%{?is_opensuse}
+BuildRequires: gcc12-c++
+%endif
+
+%description
+RNP is a set of OpenPGP (RFC4880) tools, an alternative to GnuPG.
+
+%package -n librnp%{soname}
+Summary: OpenPGP implementation as a C++ library fully compliant with RFC 4880
+
+%description -n librnp%{soname}
+RNP is a set of OpenPGP (RFC4880) tools, an alternative to GnuPG.
+librnp is the library used by RNP for all OpenPGP functions, useful for
+developers to build against, different from GPGME.
+
+%package devel
+Summary: Development files for RNP
+Requires: librnp%{soname} = %{version}
+
+%description devel
+RNP is a set of OpenPGP (RFC4880) tools, an alternative to GnuPG.
+This package contains the files needed to build against librnp.
+
+%prep
+%autosetup -p1 -n %{name}-v%{version}
+rm -rf src/libsexp
+
+%build
+%if 0%{?sle_version} >= 150700 && 0%{?is_opensuse}
+export CC=gcc-12
+export CXX=g++-12
+%endif
+%cmake \
+ -DDOWNLOAD_GTEST:BOOL=OFF \
+ -DBUILD_TESTING:BOOL=ON \
+ -DSYSTEM_LIBSEXPP:BOOL=ON \
+ %{nil}
+%cmake_build
+
+%install
+%cmake_install
+
+%check
+%ctest
+
+%ldconfig_scriptlets -n librnp%{soname}
+
+%files
+%license LICENSE*
+%{_bindir}/*
+%{_mandir}/man1/*.1%{?ext_man}
+
+%files -n librnp%{soname}
+%license LICENSE*
+%{_libdir}/*.so.0*
+
+%files devel
+%license LICENSE*
+%doc CHANGELOG.md README.adoc
+%{_includedir}/*
+%{_libdir}/cmake/rnp
+%{_libdir}/*.so
+%{_libdir}/pkgconfig/*.pc
+%{_mandir}/man3/*.3%{?ext_man}
+
+%changelog
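Review bot: `%prep` runs `rm -rf src/libsexp`, but the system-sexp patch added in this same commit names the bundled directory `src/libsexpp` after the rename, so on the 0.17.1 tarball this line may be a silent no-op that leaves the bundled copy in the build tree. With `-DSYSTEM_LIBSEXPP:BOOL=ON` that copy should not be built, but the unbundling guard would then not be doing its job. If the 0.17.1 layout is indeed `src/libsexpp`, `rm -r src/libsexpp` without `-f` would make a future rename fail the build instead of passing quietly. Separately, rnp.changes records the five rnp-v0.17.0-*.patch files as dropped and the spec carries no `Patch:` tags, yet this commit adds them together with rnp-v0.17.0.tar.gz and its signature; sources the spec does not reference are best left out so that only the signed 0.17.1 tarball ships with the package.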