import gnupg2-2.3.3-1.el9

.gitignore

@@ -1 +1 @@
-SOURCES/gnupg-2.3.1.tar.bz2
+SOURCES/gnupg-2.3.3.tar.bz2

.gnupg2.metadata

@@ -1 +1 @@
-a8f66ba4f7dcb2e7322aef786f942ce5ccca6f14 SOURCES/gnupg-2.3.1.tar.bz2
+b19a407076424704f1b00e8265254de1b3061659 SOURCES/gnupg-2.3.3.tar.bz2

SOURCES/gnupg-2.2.16-ocsp-keyusage.patch

@@ -1,17 +0,0 @@
-diff -up gnupg-2.2.16/sm/certlist.c.keyusage gnupg-2.2.16/sm/certlist.c
---- gnupg-2.2.16/sm/certlist.c.keyusage	2019-07-01 17:17:06.925254065 +0200
-+++ gnupg-2.2.16/sm/certlist.c	2019-07-01 17:24:15.665759322 +0200
-@@ -147,10 +147,9 @@ cert_usage_p (ksba_cert_t cert, int mode
- 
-   if (mode == 5)
-     {
--      if (use != ~0
--          && (have_ocsp_signing
--              || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
--                         |KSBA_KEYUSAGE_CRL_SIGN))))
-+      if (have_ocsp_signing
-+          || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
-+                     |KSBA_KEYUSAGE_CRL_SIGN)))
-         return 0;
-       if (!silent)
-         log_info (_("certificate should not have "

SOURCES/gnupg-2.2.20-file-is-digest.patch

@@ -64,17 +64,34 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
        else
          sig->version = 4;  /* Required.  */
  
-@@ -860,8 +863,11 @@ write_signature_packets (ctrl_t ctrl,
-         err = mk_sig_subpkt_key_block (ctrl, sig, pk);
-       else
-         err = 0;
+@@ -860,14 +863,22 @@ write_signature_packets (ctrl_t ctrl,
+       if (gcry_md_copy (&md, hash))
+         BUG ();
+ 
+-      build_sig_subpkt_from_sig (sig, pk);
+-      mk_notation_policy_etc (ctrl, sig, NULL, pk);
+-      if (opt.flags.include_key_block && IS_SIG (sig))
+-        err = mk_sig_subpkt_key_block (ctrl, sig, pk);
+-      else
+-        err = 0;
 -      hash_sigversion_to_magic (md, sig, extrahash);
 -      gcry_md_final (md);
++      if (!opt.file_is_digest)
++        {
++          build_sig_subpkt_from_sig (sig, pk);
++          mk_notation_policy_etc (ctrl, sig, NULL, pk);
++          if (opt.flags.include_key_block && IS_SIG (sig))
++            err = mk_sig_subpkt_key_block (ctrl, sig, pk);
++          else
++            err = 0;
 +
-+      if (!opt.file_is_digest) {
-+        hash_sigversion_to_magic (md, sig, extrahash);
-+        gcry_md_final (md);
-+      }
++          hash_sigversion_to_magic (md, sig, extrahash);
++          gcry_md_final (md);
++        }
++      else if (sig->version >= 4)
++        {
++          log_bug("file-is-digest doesn't work with v4 sigs\n");
++        }
  
        if (!err)
          err = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce, 0);
@@ -152,27 +169,27 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
 +          d = -1;
 +          for (fp = fname ; *fp; )
 +            {
-+      	     c = *fp++;
-+      	     if (c >= '0' && c <= '9')
++      	       c = *fp++;
++      	       if (c >= '0' && c <= '9')
 +      	         c -= '0';
-+      	     else if (c >= 'a' && c <= 'f')
++      	       else if (c >= 'a' && c <= 'f')
 +      	         c -= 'a' - 10;
-+      	     else if (c >= 'A' && c <= 'F')
++      	       else if (c >= 'A' && c <= 'F')
 +      	         c -= 'A' - 10;
-+      	     else
++      	       else
 +      	         log_bug("filename is not hex\n");
-+      	     if (d >= 0)
++      	       if (d >= 0)
 +                {
-+      	         *mdb++ = d << 4 | c;
-+      	         c = -1;
-+      	         if (--mdlen == 0)
++      	           *mdb++ = d << 4 | c;
++      	           c = -1;
++      	           if (--mdlen == 0)
 +                    {
-+      	             mdb = ts;
-+      	             if (*fp++ != '@')
-+      	               log_bug("missing time separator\n");
-+      	           }
-+      	       }
-+      	     d = c;
++      	               mdb = ts;
++      	               if (*fp++ != '@')
++      	                 log_bug("missing time separator\n");
++      	             }
++      	         }
++      	       d = c;
 +            }
 +          sigclass = ts[0];
 +          if (sigclass != 0x00 && sigclass != 0x01)

SPECS/gnupg2.spec

@@ -6,8 +6,8 @@
 
 Summary: Utility for secure communication and data storage
 Name:    gnupg2
-Version: 2.3.1
-Release: 3%{?dist}
+Version: 2.3.3
+Release: 1%{?dist}
 
 License: GPLv3+
 Source0: https://gnupg.org/ftp/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2
@@ -17,8 +17,6 @@ Patch3:  gnupg-2.1.10-secmem.patch
 # non-upstreamable patch adding file-is-digest option needed for Copr
 # https://dev.gnupg.org/T1646
 Patch4:  gnupg-2.2.20-file-is-digest.patch
-# fix handling of missing key usage on ocsp replies - upstream T1333
-Patch5:  gnupg-2.2.16-ocsp-keyusage.patch
 Patch6:  gnupg-2.1.1-fips-algo.patch
 # allow 8192 bit RSA keys in keygen UI with large RSA
 Patch9:  gnupg-2.2.23-large-rsa.patch
@@ -63,6 +61,9 @@ Suggests: pinentry
 
 Suggests: gnupg2-smime
 
+# for USB smart card support
+Suggests: pcsc-lite-ccid
+
 %if %{with unversioned_gpg}
 # pgp-tools, perl-GnuPG-Interface requires 'gpg' (not sure why) -- Rex
 Provides: gpg = %{version}-%{release}
@@ -103,7 +104,6 @@ to the base GnuPG package
 
 %patch3 -p1 -b .secmem
 %patch4 -p1 -b .file-is-digest
-%patch5 -p1 -b .keyusage
 %patch6 -p1 -b .fips
 %patch9 -p1 -b .large-rsa
 
@@ -131,6 +131,7 @@ sed -i -e 's/"libpcsclite\.so"/"%{pcsclib}"/' scd/scdaemon.c
 %endif
   --disable-rpath \
   --enable-g13 \
+  --disable-ccid-driver \
   --enable-large-secmem
 
 # need scratch gpg database for tests
@@ -225,6 +226,12 @@ make -k check
 
 
 %changelog
+* Fri Nov 19 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.3-1
+- Rebase to 2.3.1 to address random tests failures (#1984842)
+
+* Thu Nov 18 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.1-4
+- Fix --file-is-digest patch (#2024710)
+
 * Wed Sep 08 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.1-3
 - Revernt default key type back to RSA for FIPS compatibility (#2001937)