Restore systemd units and sockets (#2158627)

2023-11-06 22:28:13 +01:00 · 2023-11-06 22:28:13 +01:00 · fd39da6d18
commit fd39da6d18
parent 9cb2d1dbba
2 changed files with 267 additions and 2 deletions
--- a/gnupg-2.4.3-restore-systemd-sockets.patch
+++ b/gnupg-2.4.3-restore-systemd-sockets.patch
@ -0,0 +1,256 @@
+From eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Mon, 23 Jan 2023 16:34:19 +0100
+Subject: [PATCH] doc: Remove profile and systemd example files.
+
+--
+
+The profiles are not any longer useful because global options are way
+more powerful (/etc/gnupg/gpg.conf et al.).  The use of systemd is
+deprecated because of additional complexity and the race between
+systemd based autolaunching and the explicit gnupg based and lockfile
+protected autolaunching.
+
+GnuPG-bug-id: 6336
+---
+diff --git b/doc/Makefile.am a/doc/Makefile.am
+index 390153c76..0093c43a8 100644
+--- b/doc/Makefile.am
+++ a/doc/Makefile.am
+@@ -22,6 +22,14 @@ AM_CPPFLAGS =
+            examples/qualified.txt                                       \
+ 	   examples/common.conf                                         \
+            examples/gpgconf.rnames examples/gpgconf.conf                \
+	   examples/systemd-user/README 				\
+	   examples/systemd-user/dirmngr.service 			\
+	   examples/systemd-user/dirmngr.socket				\
+	   examples/systemd-user/gpg-agent.service 			\
+	   examples/systemd-user/gpg-agent.socket 			\
+	   examples/systemd-user/gpg-agent-ssh.socket 			\
+	   examples/systemd-user/gpg-agent-browser.socket		\
+	   examples/systemd-user/gpg-agent-extra.socket 		\
+ 	   examples/pwpattern.list
+ 
+ helpfiles = help.txt help.be.txt help.ca.txt help.cs.txt		\
+diff --git b/doc/examples/README a/doc/examples/README
+index cd341ab57..67508c471 100644
+--- b/doc/examples/README
+++ a/doc/examples/README
+@@ -8,6 +8,8 @@ trustlist.txt   A list of trustworthy root certificates
+ 
+ gpgconf.conf    A sample configuration file for gpgconf.
+ 
+systemd-user    Sample files for a Linux-only init system.
+
+ qualified.txt   Sample file for qualified.txt.
+ 
+ common.conf     Sample file for common options.
+diff --git b/doc/examples/gpgconf.conf a/doc/examples/gpgconf.conf
+index 314b955b9..a61d4d453 100644
+--- b/doc/examples/gpgconf.conf
+++ a/doc/examples/gpgconf.conf
+@@ -1,9 +1,5 @@
+ # gpgconf.conf - configuration for gpgconf
+ #----------------------------------------------------------------------
+-#
+-# === The use of this feature is deprecated ===
+-# == Please use the more powerful global options. ==
+-#
+ # This file is read by gpgconf(1) to setup defaults for all or
+ # specified users and groups.  It may be used to change the hardwired
+ # defaults in gpgconf and to enforce certain values for the various
+diff --git b/doc/examples/systemd-user/README a/doc/examples/systemd-user/README
+new file mode 100644
+index 000000000..43122f568
+--- /dev/null
+++ a/doc/examples/systemd-user/README
+@@ -0,0 +1,66 @@
+Socket-activated dirmngr and gpg-agent with systemd
+===================================================
+
+When used on a GNU/Linux system supervised by systemd, you can ensure
+that the GnuPG daemons dirmngr and gpg-agent are launched
+automatically the first time they're needed, and shut down cleanly at
+session logout.  This is done by enabling user services via
+socket-activation.
+
+System distributors
+-------------------
+
+The *.service and *.socket files (from this directory) should be
+placed in /usr/lib/systemd/user/ alongside other user-session services
+and sockets.
+
+To enable socket-activated dirmngr for all accounts on the system,
+use:
+
+    systemctl --user --global enable dirmngr.socket
+
+To enable socket-activated gpg-agent for all accounts on the system,
+use:
+
+    systemctl --user --global enable gpg-agent.socket
+
+Additionally, you can enable socket-activated gpg-agent ssh-agent
+emulation for all accounts on the system with:
+
+    systemctl --user --global enable gpg-agent-ssh.socket
+
+You can also enable restricted ("--extra-socket"-style) gpg-agent
+sockets for all accounts on the system with:
+
+    systemctl --user --global enable gpg-agent-extra.socket
+
+Individual users
+----------------
+
+A user on a system with systemd where this has not been installed
+system-wide can place these files in ~/.config/systemd/user/ to make
+them available.
+
+If a given service isn't installed system-wide, or if it's installed
+system-wide but not globally enabled, individual users will still need
+to enable them.  For example, to enable socket-activated dirmngr for
+all future sessions:
+
+    systemctl --user enable dirmngr.socket
+
+To enable socket-activated gpg-agent with ssh support, do:
+
+    systemctl --user enable gpg-agent.socket gpg-agent-ssh.socket
+
+These changes won't take effect until your next login after you've
+fully logged out (be sure to terminate any running daemons before
+logging out).
+
+If you'd rather try a socket-activated GnuPG daemon in an
+already-running session without logging out (with or without enabling
+it for all future sessions), kill any existing daemon and start the
+user socket directly.  For example, to set up socket-activated dirmgnr
+in the current session:
+
+    gpgconf --kill dirmngr
+    systemctl --user start dirmngr.socket
+diff --git b/doc/examples/systemd-user/dirmngr.service a/doc/examples/systemd-user/dirmngr.service
+new file mode 100644
+index 000000000..3c060cde5
+--- /dev/null
+++ a/doc/examples/systemd-user/dirmngr.service
+@@ -0,0 +1,8 @@
+[Unit]
+Description=GnuPG network certificate management daemon
+Documentation=man:dirmngr(8)
+Requires=dirmngr.socket
+
+[Service]
+ExecStart=/usr/bin/dirmngr --supervised
+ExecReload=/usr/bin/gpgconf --reload dirmngr
+diff --git b/doc/examples/systemd-user/dirmngr.socket a/doc/examples/systemd-user/dirmngr.socket
+new file mode 100644
+index 000000000..ebabf896a
+--- /dev/null
+++ a/doc/examples/systemd-user/dirmngr.socket
+@@ -0,0 +1,11 @@
+[Unit]
+Description=GnuPG network certificate management daemon
+Documentation=man:dirmngr(8)
+
+[Socket]
+ListenStream=%t/gnupg/S.dirmngr
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
+diff --git b/doc/examples/systemd-user/gpg-agent-browser.socket a/doc/examples/systemd-user/gpg-agent-browser.socket
+new file mode 100644
+index 000000000..bc8d344e1
+--- /dev/null
+++ a/doc/examples/systemd-user/gpg-agent-browser.socket
+@@ -0,0 +1,13 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache (access for web browsers)
+Documentation=man:gpg-agent(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent.browser
+FileDescriptorName=browser
+Service=gpg-agent.service
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
+diff --git b/doc/examples/systemd-user/gpg-agent-extra.socket a/doc/examples/systemd-user/gpg-agent-extra.socket
+new file mode 100644
+index 000000000..5b87d09df
+--- /dev/null
+++ a/doc/examples/systemd-user/gpg-agent-extra.socket
+@@ -0,0 +1,13 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache (restricted)
+Documentation=man:gpg-agent(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent.extra
+FileDescriptorName=extra
+Service=gpg-agent.service
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
+diff --git b/doc/examples/systemd-user/gpg-agent-ssh.socket a/doc/examples/systemd-user/gpg-agent-ssh.socket
+new file mode 100644
+index 000000000..798c1d967
+--- /dev/null
+++ a/doc/examples/systemd-user/gpg-agent-ssh.socket
+@@ -0,0 +1,13 @@
+[Unit]
+Description=GnuPG cryptographic agent (ssh-agent emulation)
+Documentation=man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent.ssh
+FileDescriptorName=ssh
+Service=gpg-agent.service
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
+diff --git b/doc/examples/systemd-user/gpg-agent.service a/doc/examples/systemd-user/gpg-agent.service
+new file mode 100644
+index 000000000..a050fccdc
+--- /dev/null
+++ a/doc/examples/systemd-user/gpg-agent.service
+@@ -0,0 +1,8 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache
+Documentation=man:gpg-agent(1)
+Requires=gpg-agent.socket
+
+[Service]
+ExecStart=/usr/bin/gpg-agent --supervised
+ExecReload=/usr/bin/gpgconf --reload gpg-agent
+diff --git b/doc/examples/systemd-user/gpg-agent.socket a/doc/examples/systemd-user/gpg-agent.socket
+new file mode 100644
+index 000000000..4257c2c80
+--- /dev/null
+++ a/doc/examples/systemd-user/gpg-agent.socket
+@@ -0,0 +1,12 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache
+Documentation=man:gpg-agent(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent
+FileDescriptorName=std
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
+-- 
+2.41.0
+
--- a/gnupg2.spec
+++ b/gnupg2.spec
@ -30,6 +30,8 @@ Patch31: gnupg2-revert-rfc4880bis.patch
 # https://dev.gnupg.org/rG2f872fa68c6576724b9dabee9fb0844266f55d0d
 # cherry-picked on top of gnupg 2.4.2 + gnupg-2.4.1-file-is-digest.patch
 Patch32: gnupg-2.4.2-gpg-Report-BEGIN_-status-before-examining-the-input.patch
+# Mostly reverts https://dev.gnupg.org/rGeae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed
+Patch33: gnupg-2.4.3-restore-systemd-sockets.patch

 URL:     https://www.gnupg.org/

@ -57,6 +59,7 @@ BuildRequires: gnutls-devel
 BuildRequires: sqlite-devel
 BuildRequires: fuse
 BuildRequires: make
+BuildRequires: systemd-rpm-macros
 BuildRequires: tpm2-tss-devel
 # for tests
 BuildRequires: openssh-clients
@ -122,6 +125,7 @@ to the base GnuPG package
 %patch 30 -p1 -b .coverity
 %patch 31 -p1 -b .revert-rfc4880bis
 %patch 32 -p1 -b .report-begin
+%patch 33 -p1 -b .restore-systemd-sockets

 # pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
 # Note: this is just the name of the default shared lib to load in scdaemon,
@ -132,8 +136,7 @@ sed -i -e 's/"libpcsclite\.so"/"%{pcsclib}"/' scd/scdaemon.c


 %build
-# can not regenerate makefiles because of automake-1.16.3 requirement
-# ./autogen.sh
+./autogen.sh
 %configure \
  --disable-rpath \
  --enable-g13 \
@ -174,6 +177,11 @@ rm -f %{buildroot}%{_infodir}/dir
 # drop the gpg scheme interpreter
 rm -f %{buildroot}%{_bindir}/gpgscm

+# Move the systemd user units to appropriate directory
+install -d -m755 %{buildroot}%{_userunitdir}
+mv %{buildroot}%{_pkgdocdir}/examples/systemd-user/*.socket %{buildroot}%{_userunitdir}
+mv %{buildroot}%{_pkgdocdir}/examples/systemd-user/*.service %{buildroot}%{_userunitdir}
+
 %check
 # need scratch gpg database for tests
 mkdir -p $HOME/.gnupg
@ -209,6 +217,7 @@ make -k check
 %{_libexecdir}/*
 %{_infodir}/*.info*
 %{_mandir}/man?/*
+%{_userunitdir}/*
 %exclude %{_mandir}/man?/gpgsm*

 %files smime