From e3dba8becfbbc7a891cd4590337d9eb56d684900 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Thu, 4 Jul 2024 11:42:54 +0200 Subject: [PATCH] 2.4.5-1 Sync from fedora + backport of RHEL9 patches Resolves: RHEL-44673 --- gnupg-2.4.5-revert-default-eddsa.patch | 162 +++++++++++++++++++++++++ gnupg2.spec | 20 ++- sources | 4 +- 3 files changed, 181 insertions(+), 5 deletions(-) create mode 100644 gnupg-2.4.5-revert-default-eddsa.patch diff --git a/gnupg-2.4.5-revert-default-eddsa.patch b/gnupg-2.4.5-revert-default-eddsa.patch new file mode 100644 index 0000000..8a7776d --- /dev/null +++ b/gnupg-2.4.5-revert-default-eddsa.patch @@ -0,0 +1,162 @@ +From ff31dde456f32950f0df6c974b4c41f1d650d68f Mon Sep 17 00:00:00 2001 +From: Werner Koch +Date: Mon, 5 Oct 2020 14:21:31 +0200 +Subject: [PATCH GnuPG] gpg: Switch to ed25519+cv25519 as default algo. + +* g10/keygen.c (DEFAULT_STD_KEY_PARAM): Change to former future +default ago. +(ask_algo): Change default and also the way we indicate the default +algo in the list of algos. +(ask_curve): Indicate the default curve. + +Signed-off-by: Werner Koch +--- + g10/keygen.c | 57 ++++++++++++++++++++++++++-------------------------- + 1 file changed, 29 insertions(+), 28 deletions(-) + +diff --git a/g10/keygen.c b/g10/keygen.c +index 16e4e58ea..b510525e3 100644 +--- a/g10/keygen.c ++++ b/g10/keygen.c +@@ -47,10 +47,11 @@ + #include "../common/mbox-util.h" + + +-/* The default algorithms. If you change them, you should ensure the value +- is inside the bounds enforced by ask_keysize and gen_xxx. See also +- get_keysize_range which encodes the allowed ranges. */ +-#define DEFAULT_STD_KEY_PARAM "rsa3072/cert,sign+rsa3072/encr" ++/* The default algorithms. If you change them, you should ensure the ++ value is inside the bounds enforced by ask_keysize and gen_xxx. ++ See also get_keysize_range which encodes the allowed ranges. The ++ default answer in ask_algo also needs to be adjusted. */ ++#define DEFAULT_STD_KEY_PARAM "ed25519/cert,sign+cv25519/encr" + #define FUTURE_STD_KEY_PARAM "ed25519/cert,sign+cv25519/encr" + + /* When generating keys using the streamlined key generation dialog, +@@ -2112,50 +2113,49 @@ ask_algo (ctrl_t ctrl, int addmode, int *r_subkey_algo, unsigned int *r_usage, + + #if GPG_USE_RSA + if (!addmode) +- tty_printf (_(" (%d) RSA and RSA (default)\n"), 1 ); ++ tty_printf (_(" (%d) RSA and RSA%s\n"), 1, ""); + #endif + + if (!addmode && opt.compliance != CO_DE_VS) +- tty_printf (_(" (%d) DSA and Elgamal\n"), 2 ); ++ tty_printf (_(" (%d) DSA and Elgamal%s\n"), 2, ""); + + if (opt.compliance != CO_DE_VS) +- tty_printf (_(" (%d) DSA (sign only)\n"), 3 ); ++ tty_printf (_(" (%d) DSA (sign only)%s\n"), 3, ""); + #if GPG_USE_RSA +- tty_printf (_(" (%d) RSA (sign only)\n"), 4 ); ++ tty_printf (_(" (%d) RSA (sign only)%s\n"), 4, ""); + #endif + + if (addmode) + { + if (opt.compliance != CO_DE_VS) +- tty_printf (_(" (%d) Elgamal (encrypt only)\n"), 5 ); ++ tty_printf (_(" (%d) Elgamal (encrypt only)%s\n"), 5, ""); + #if GPG_USE_RSA +- tty_printf (_(" (%d) RSA (encrypt only)\n"), 6 ); ++ tty_printf (_(" (%d) RSA (encrypt only)%s\n"), 6, ""); + #endif + } + if (opt.expert) + { + if (opt.compliance != CO_DE_VS) +- tty_printf (_(" (%d) DSA (set your own capabilities)\n"), 7 ); ++ tty_printf (_(" (%d) DSA (set your own capabilities)%s\n"), 7, ""); + #if GPG_USE_RSA +- tty_printf (_(" (%d) RSA (set your own capabilities)\n"), 8 ); ++ tty_printf (_(" (%d) RSA (set your own capabilities)%s\n"), 8, ""); + #endif + } + + #if GPG_USE_ECDSA || GPG_USE_ECDH || GPG_USE_EDDSA +- if (opt.expert && !addmode) +- tty_printf (_(" (%d) ECC and ECC\n"), 9 ); +- if (opt.expert) +- tty_printf (_(" (%d) ECC (sign only)\n"), 10 ); ++ if (!addmode) ++ tty_printf (_(" (%d) ECC (sign and encrypt)%s\n"), 9, _(" *default*") ); ++ tty_printf (_(" (%d) ECC (sign only)\n"), 10 ); + if (opt.expert) +- tty_printf (_(" (%d) ECC (set your own capabilities)\n"), 11 ); +- if (opt.expert && addmode) +- tty_printf (_(" (%d) ECC (encrypt only)\n"), 12 ); ++ tty_printf (_(" (%d) ECC (set your own capabilities)%s\n"), 11, ""); ++ if (addmode) ++ tty_printf (_(" (%d) ECC (encrypt only)%s\n"), 12, ""); + #endif + + if (opt.expert && r_keygrip) +- tty_printf (_(" (%d) Existing key\n"), 13 ); ++ tty_printf (_(" (%d) Existing key%s\n"), 13, ""); + if (r_keygrip) +- tty_printf (_(" (%d) Existing key from card\n"), 14 ); ++ tty_printf (_(" (%d) Existing key from card%s\n"), 14, ""); + + for (;;) + { +@@ -2164,7 +2164,7 @@ ask_algo (ctrl_t ctrl, int addmode, int *r_subkey_algo, unsigned int *r_usage, + xfree (answer); + answer = cpr_get ("keygen.algo", _("Your selection? ")); + cpr_kill_prompt (); +- algo = *answer? atoi (answer) : 1; ++ algo = *answer? atoi (answer) : 9; /* Default algo is 9 */ + + if (opt.compliance == CO_DE_VS + && (algo == 2 || algo == 3 || algo == 5 || algo == 7)) +@@ -2220,13 +2220,13 @@ ask_algo (ctrl_t ctrl, int addmode, int *r_subkey_algo, unsigned int *r_usage, + break; + } + else if ((algo == 9 || !strcmp (answer, "ecc+ecc")) +- && opt.expert && !addmode) ++ && !addmode) + { + algo = PUBKEY_ALGO_ECDSA; + *r_subkey_algo = PUBKEY_ALGO_ECDH; + break; + } +- else if ((algo == 10 || !strcmp (answer, "ecc/s")) && opt.expert) ++ else if ((algo == 10 || !strcmp (answer, "ecc/s"))) + { + algo = PUBKEY_ALGO_ECDSA; + *r_usage = PUBKEY_USAGE_SIG; +@@ -2239,7 +2239,7 @@ ask_algo (ctrl_t ctrl, int addmode, int *r_subkey_algo, unsigned int *r_usage, + break; + } + else if ((algo == 12 || !strcmp (answer, "ecc/e")) +- && opt.expert && addmode) ++ && addmode) + { + algo = PUBKEY_ALGO_ECDH; + *r_usage = PUBKEY_USAGE_ENC; +@@ -2616,7 +2616,7 @@ ask_curve (int *algo, int *subkey_algo, const char *current) + { "NIST P-256", NULL, NULL, MY_USE_ECDSADH, 0, 1, 0 }, + { "NIST P-384", NULL, NULL, MY_USE_ECDSADH, 0, 0, 0 }, + { "NIST P-521", NULL, NULL, MY_USE_ECDSADH, 0, 1, 0 }, +- { "brainpoolP256r1", NULL, "Brainpool P-256", MY_USE_ECDSADH, 1, 1, 0 }, ++ { "brainpoolP256r1", NULL, "Brainpool P-256", MY_USE_ECDSADH, 1, 0, 0 }, + { "brainpoolP384r1", NULL, "Brainpool P-384", MY_USE_ECDSADH, 1, 1, 0 }, + { "brainpoolP512r1", NULL, "Brainpool P-512", MY_USE_ECDSADH, 1, 1, 0 }, + { "secp256k1", NULL, NULL, MY_USE_ECDSADH, 0, 1, 0 }, +@@ -2672,9 +2672,10 @@ ask_curve (int *algo, int *subkey_algo, const char *current) + } + + curves[idx].available = 1; +- tty_printf (" (%d) %s\n", idx + 1, ++ tty_printf (" (%d) %s%s\n", idx + 1, + curves[idx].pretty_name? +- curves[idx].pretty_name:curves[idx].name); ++ curves[idx].pretty_name:curves[idx].name, ++ idx == 0? _(" *default*"):""); + } + gcry_sexp_release (keyparms); + +-- +2.31.1 + diff --git a/gnupg2.spec b/gnupg2.spec index e0095e6..fce847b 100644 --- a/gnupg2.spec +++ b/gnupg2.spec @@ -2,8 +2,8 @@ Summary: Utility for secure communication and data storage Name: gnupg2 -Version: 2.4.4 -Release: 2%{?dist} +Version: 2.4.5 +Release: 1%{?dist} License: CC0-1.0 AND GPL-2.0-or-later AND GPL-3.0-or-later AND LGPL-2.1-or-later AND LGPL-3.0-or-later AND (BSD-3-Clause OR LGPL-3.0-or-later OR GPL-2.0-or-later) AND CC-BY-4.0 AND MIT Source0: https://gnupg.org/ftp/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2 @@ -28,6 +28,8 @@ Patch30: gnupg-2.2.21-coverity.patch Patch31: gnupg2-revert-rfc4880bis.patch # Mostly reverts https://dev.gnupg.org/rGeae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed Patch33: gnupg-2.4.3-restore-systemd-sockets.patch +# Revert default EdDSA key types -- they do not work in FIPS Mode +Patch34: gnupg-2.4.5-revert-default-eddsa.patch URL: https://www.gnupg.org/ @@ -121,6 +123,7 @@ to the base GnuPG package %patch 30 -p1 -b .coverity %patch 31 -p1 -b .revert-rfc4880bis %patch 33 -p1 -b .restore-systemd-sockets +%patch 34 -p1 -R -b .eddsa # pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper) # Note: this is just the name of the default shared lib to load in scdaemon, @@ -153,6 +156,9 @@ mkdir -p $HOME/.gnupg # gpgconf.conf mkdir -p %{buildroot}%{_sysconfdir}/gnupg touch %{buildroot}%{_sysconfdir}/gnupg/gpgconf.conf +mkdir -p %{buildroot}%{_sysconfdir}/profile.d +echo "export GPG_TTY=\$(tty)" > %{buildroot}%{_sysconfdir}/profile.d/gnupg2.sh +echo "setenv GPG_TTY \`tty\`" > %{buildroot}%{_sysconfdir}/profile.d/gnupg2.csh # more docs install -m644 -p AUTHORS NEWS THANKS TODO \ @@ -188,6 +194,8 @@ make -k check %{_pkgdocdir} %dir %{_sysconfdir}/gnupg %ghost %config(noreplace) %{_sysconfdir}/gnupg/gpgconf.conf +%{_sysconfdir}/profile.d/gnupg2.sh +%{_sysconfdir}/profile.d/gnupg2.csh ## docs say to install suid root, but fedora/rh security folk say not to %{_bindir}/gpg2 %{_bindir}/gpgv2 @@ -206,7 +214,9 @@ make -k check %{_bindir}/gpgsplit %{_bindir}/watchgnupg %{_bindir}/gpg-wks-server -%{_sbindir}/* +%{_sbindir}/addgnupghome +%{_sbindir}/applygnupgdefaults +%{_sbindir}/g13-syshelp %{_datadir}/gnupg/ %{_libexecdir}/* %{_infodir}/*.info* @@ -221,6 +231,10 @@ make -k check %changelog +* Thu Jul 04 2024 Jakub Jelen - 2.4.5-1 +- New upstream release (#2268461) +- Set GPG_TTY in profile.d (#2264985) + * Mon Jun 24 2024 Troy Dawson - 2.4.4-2 - Bump release for June 2024 mass rebuild diff --git a/sources b/sources index d295518..bb3177b 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (gnupg-2.4.4.tar.bz2) = 3d1a3b08d1ce2319d238d8be96591e418ede1dc0b4ede33a4cc2fe40e9c56d5bbc27b1984736d8a786e7f292ddbc836846a8bdb4bf89f064e953c37cb54b94ef -SHA512 (gnupg-2.4.4.tar.bz2.sig) = 3ae7b6833576df851901a7619459b514bb82faeed350c864a57a782719d21f694d9ced5a3445c81dfa584a0302f87fedc660b08ea97bb8b861e76d7c5b46d07f +SHA512 (gnupg-2.4.5.tar.bz2) = 4d54744f09399c5899144d0cb5fdc2756e45b058db41b9ea9df3be03e80b914509e16ef35aa0248e7561185b80f7a5f9fd6afcab8ccff75ff82ed555448a38ff +SHA512 (gnupg-2.4.5.tar.bz2.sig) = 53be0db371a98c930cbef9c844adcd06a8049d84dd71508f6f7427fc1736b374912c85ebf3a415748651260f65cf26f633697f4bdae2cc4a8d2c4b522db0bc71