Compare commits

...

No commits in common. "c8" and "c10s" have entirely different histories.
c8 ... c10s

29 changed files with 2608 additions and 750 deletions

1
.fmf/version Normal file
View File

@ -0,0 +1 @@
1

5
.gitignore vendored
View File

@ -1 +1,4 @@
SOURCES/gnupg-2.2.20.tar.bz2
/*.rpm
/gnupg-*.tar.bz*
/gnupg-*/
/results_gnupg2/

View File

@ -1 +0,0 @@
d5290f0781df5dc83302127d6065fb59b35e53d7 SOURCES/gnupg-2.2.20.tar.bz2

View File

@ -1,13 +0,0 @@
diff -up gnupg-2.1.1/g10/mainproc.c.fips gnupg-2.1.1/g10/mainproc.c
--- gnupg-2.1.1/g10/mainproc.c.fips 2015-01-29 17:19:49.266031504 +0100
+++ gnupg-2.1.1/g10/mainproc.c 2015-01-29 17:27:13.938088122 +0100
@@ -719,7 +719,8 @@ proc_plaintext( CTX c, PACKET *pkt )
according to 2440, so hopefully it won't come up that often.
There is no good way to specify what algorithms to use in
that case, so these there are the historical answer. */
- gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
+ if (!gcry_fips_mode_active())
+ gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
}
if (DBG_HASHING)

View File

@ -1,62 +0,0 @@
diff -up gnupg-2.1.21/tools/Makefile.am.insttools gnupg-2.1.21/tools/Makefile.am
--- gnupg-2.1.21/tools/Makefile.am.insttools 2017-04-03 17:13:56.000000000 +0200
+++ gnupg-2.1.21/tools/Makefile.am 2017-07-18 12:10:59.431729640 +0200
@@ -35,8 +35,8 @@ AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ER
sbin_SCRIPTS = addgnupghome applygnupgdefaults
if HAVE_USTAR
-# bin_SCRIPTS += gpg-zip
-noinst_SCRIPTS = gpg-zip
+bin_PROGRAMS += gpg-zip
+#noinst_SCRIPTS = gpg-zip
endif
if BUILD_SYMCRYPTRUN
@@ -53,7 +53,7 @@ endif
libexec_PROGRAMS = gpg-wks-client
-bin_PROGRAMS = gpgconf gpg-connect-agent ${symcryptrun}
+bin_PROGRAMS = gpgconf gpg-connect-agent ${symcryptrun} gpgsplit
if !HAVE_W32_SYSTEM
bin_PROGRAMS += watchgnupg gpgparsemail ${gpg_wks_server}
endif
@@ -63,7 +63,7 @@ libexec_PROGRAMS += gpg-check-pattern
endif
if !HAVE_W32CE_SYSTEM
-noinst_PROGRAMS = clean-sat make-dns-cert gpgsplit
+noinst_PROGRAMS = clean-sat make-dns-cert
endif
if !HAVE_W32CE_SYSTEM
diff -up gnupg-2.1.21/tools/Makefile.in.insttools gnupg-2.1.21/tools/Makefile.in
--- gnupg-2.1.21/tools/Makefile.in.insttools 2017-05-15 16:15:04.000000000 +0200
+++ gnupg-2.1.21/tools/Makefile.in 2017-07-18 12:12:17.907734745 +0200
@@ -137,13 +137,13 @@ DIST_COMMON = $(top_srcdir)/am/cmacros.a
@GNUPG_DIRMNGR_LDAP_PGM_TRUE@am__append_7 = -DGNUPG_DEFAULT_DIRMNGR_LDAP="\"@GNUPG_DIRMNGR_LDAP_PGM@\""
@HAVE_W32_SYSTEM_TRUE@am__append_8 = gpg-connect-agent-w32info.o
libexec_PROGRAMS = gpg-wks-client$(EXEEXT) $(am__EXEEXT_5)
-bin_PROGRAMS = gpgconf$(EXEEXT) gpg-connect-agent$(EXEEXT) \
+bin_PROGRAMS = gpgconf$(EXEEXT) gpg-connect-agent$(EXEEXT) gpgsplit$(EXEEXT) \
$(am__EXEEXT_1) $(am__EXEEXT_3) $(am__EXEEXT_4)
@HAVE_W32_SYSTEM_FALSE@am__append_9 = watchgnupg gpgparsemail ${gpg_wks_server}
@DISABLE_REGEX_FALSE@am__append_10 = gpg-check-pattern
@HAVE_W32CE_SYSTEM_FALSE@noinst_PROGRAMS = clean-sat$(EXEEXT) \
@HAVE_W32CE_SYSTEM_FALSE@ make-dns-cert$(EXEEXT) \
-@HAVE_W32CE_SYSTEM_FALSE@ gpgsplit$(EXEEXT) $(am__EXEEXT_6)
+@HAVE_W32CE_SYSTEM_FALSE@ $(am__EXEEXT_6)
@BUILD_GPGTAR_TRUE@@HAVE_W32CE_SYSTEM_FALSE@am__append_11 = gpgtar
@BUILD_GPGTAR_FALSE@@HAVE_W32CE_SYSTEM_FALSE@am__append_12 = gpgtar
subdir = tools
@@ -582,8 +582,8 @@ libcommontlsnpth = ../common/libcommontl
AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ERROR_CFLAGS) $(LIBASSUAN_CFLAGS)
sbin_SCRIPTS = addgnupghome applygnupgdefaults
-# bin_SCRIPTS += gpg-zip
-@HAVE_USTAR_TRUE@noinst_SCRIPTS = gpg-zip
+@HAVE_USTAR_TRUE@bin_PROGRAMS += gpg-zip
+#@HAVE_USTAR_TRUE@noinst_SCRIPTS = gpg-zip
@BUILD_SYMCRYPTRUN_FALSE@symcryptrun =
@BUILD_SYMCRYPTRUN_TRUE@symcryptrun = symcryptrun
@BUILD_WKS_TOOLS_FALSE@gpg_wks_server =

View File

@ -1,12 +0,0 @@
diff -up gnupg-2.1.21/g10/keygen.c.large-rsa gnupg-2.1.21/g10/keygen.c
--- gnupg-2.1.21/g10/keygen.c.large-rsa 2017-05-15 14:13:22.000000000 +0200
+++ gnupg-2.1.21/g10/keygen.c 2017-07-18 16:12:37.738895016 +0200
@@ -2091,7 +2091,7 @@ get_keysize_range (int algo, unsigned in
default:
*min = opt.compliance == CO_DE_VS ? 2048: 1024;
- *max = 4096;
+ *max = opt.flags.large_rsa == 1 ? 8192 : 4096;
def = 2048;
break;
}

View File

@ -1,17 +0,0 @@
diff -up gnupg-2.2.16/sm/certlist.c.keyusage gnupg-2.2.16/sm/certlist.c
--- gnupg-2.2.16/sm/certlist.c.keyusage 2019-07-01 17:17:06.925254065 +0200
+++ gnupg-2.2.16/sm/certlist.c 2019-07-01 17:24:15.665759322 +0200
@@ -147,10 +147,9 @@ cert_usage_p (ksba_cert_t cert, int mode
if (mode == 5)
{
- if (use != ~0
- && (have_ocsp_signing
- || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
- |KSBA_KEYUSAGE_CRL_SIGN))))
+ if (have_ocsp_signing
+ || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
+ |KSBA_KEYUSAGE_CRL_SIGN)))
return 0;
if (!silent)
log_info (_("certificate should not have "

View File

@ -1,50 +0,0 @@
From 34c649b3601383cd11dbc76221747ec16fd68e1b Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Tue, 14 Jun 2022 11:33:27 +0200
Subject: [PATCH GnuPG] g10: Fix garbled status messages in NOTATION_DATA
* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
--
Depending on the escaping and line wrapping the computed remaining
buffer length could be wrong. Fixed by always using a break to
terminate the escape detection loop. Might have happened for all
status lines which may wrap.
GnuPG-bug-id: T6027
---
g10/cpr.c | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/g10/cpr.c b/g10/cpr.c
index 9bfdd3c34..fa8005d6f 100644
--- a/g10/cpr.c
+++ b/g10/cpr.c
@@ -372,20 +372,15 @@ write_status_text_and_buffer (int no, const char *string,
}
first = 0;
}
- for (esc=0, s=buffer, n=len; n && !esc; s++, n--)
+ for (esc=0, s=buffer, n=len; n; s++, n--)
{
if (*s == '%' || *(const byte*)s <= lower_limit
|| *(const byte*)s == 127 )
esc = 1;
if (wrap && ++count > wrap)
- {
- dowrap=1;
- break;
- }
- }
- if (esc)
- {
- s--; n++;
+ dowrap=1;
+ if (esc || dowrap)
+ break;
}
if (s != buffer)
es_fwrite (buffer, s-buffer, 1, statusfp);
--
2.37.1

View File

@ -1,319 +0,0 @@
diff -up gnupg-2.2.20/common/server-help.c.coverity gnupg-2.2.20/common/server-help.c
--- gnupg-2.2.20/common/server-help.c.coverity 2019-02-11 10:59:34.000000000 +0100
+++ gnupg-2.2.20/common/server-help.c 2020-05-04 12:00:01.085945639 +0200
@@ -156,7 +156,7 @@ get_option_value (char *line, const char
*pend = 0;
*r_value = xtrystrdup (p);
*pend = c;
- if (!p)
+ if (!*r_value)
return my_error_from_syserror ();
return 0;
}
diff -up gnupg-2.2.20/dirmngr/dns.c.coverity gnupg-2.2.20/dirmngr/dns.c
--- gnupg-2.2.20/dirmngr/dns.c.coverity 2019-07-09 11:08:45.000000000 +0200
+++ gnupg-2.2.20/dirmngr/dns.c 2020-05-04 18:04:12.285521661 +0200
@@ -10106,9 +10106,8 @@ static const struct {
{ "AR", DNS_S_ADDITIONAL },
};
-const char *(dns_strsection)(enum dns_section section) {
- char _dst[DNS_STRMAXLEN + 1] = { 0 };
- struct dns_buf dst = DNS_B_INTO(_dst, sizeof _dst);
+const char *(dns_strsection)(enum dns_section section, void *_dst, size_t lim) {
+ struct dns_buf dst = DNS_B_INTO(_dst, lim);
unsigned i;
for (i = 0; i < lengthof(dns_sections); i++) {
@@ -10156,9 +10155,8 @@ static const struct {
{ "IN", DNS_C_IN },
};
-const char *(dns_strclass)(enum dns_class type) {
- char _dst[DNS_STRMAXLEN + 1] = { 0 };
- struct dns_buf dst = DNS_B_INTO(_dst, sizeof _dst);
+const char *(dns_strclass)(enum dns_class type, void *_dst, size_t lim) {
+ struct dns_buf dst = DNS_B_INTO(_dst, lim);
unsigned i;
for (i = 0; i < lengthof(dns_classes); i++) {
@@ -10193,9 +10191,8 @@ enum dns_class dns_iclass(const char *na
} /* dns_iclass() */
-const char *(dns_strtype)(enum dns_type type) {
- char _dst[DNS_STRMAXLEN + 1] = { 0 };
- struct dns_buf dst = DNS_B_INTO(_dst, sizeof _dst);
+const char *(dns_strtype)(enum dns_type type, void *_dst, size_t lim) {
+ struct dns_buf dst = DNS_B_INTO(_dst, lim);
unsigned i;
for (i = 0; i < lengthof(dns_rrtypes); i++) {
diff -up gnupg-2.2.20/dirmngr/dns.h.coverity gnupg-2.2.20/dirmngr/dns.h
--- gnupg-2.2.20/dirmngr/dns.h.coverity 2019-03-07 13:03:26.000000000 +0100
+++ gnupg-2.2.20/dirmngr/dns.h 2020-05-04 18:04:12.287521625 +0200
@@ -272,15 +272,25 @@ enum dns_rcode {
*/
#define DNS_STRMAXLEN 47 /* "QUESTION|ANSWER|AUTHORITY|ADDITIONAL" */
-DNS_PUBLIC const char *dns_strsection(enum dns_section);
+DNS_PUBLIC const char *dns_strsection(enum dns_section, void *, size_t);
+#define dns_strsection3(a, b, c) \
+ dns_strsection((a), (b), (c))
+#define dns_strsection1(a) dns_strsection((a), (char [DNS_STRMAXLEN + 1]){ 0 }, DNS_STRMAXLEN + 1)
+#define dns_strsection(...) DNS_PP_CALL(DNS_PP_XPASTE(dns_strsection, DNS_PP_NARG(__VA_ARGS__)), __VA_ARGS__)
DNS_PUBLIC enum dns_section dns_isection(const char *);
-DNS_PUBLIC const char *dns_strclass(enum dns_class);
+DNS_PUBLIC const char *dns_strclass(enum dns_class, void *, size_t);
+#define dns_strclass3(a, b, c) dns_strclass((a), (b), (c))
+#define dns_strclass1(a) dns_strclass((a), (char [DNS_STRMAXLEN + 1]){ 0 }, DNS_STRMAXLEN + 1)
+#define dns_strclass(...) DNS_PP_CALL(DNS_PP_XPASTE(dns_strclass, DNS_PP_NARG(__VA_ARGS__)), __VA_ARGS__)
DNS_PUBLIC enum dns_class dns_iclass(const char *);
-DNS_PUBLIC const char *dns_strtype(enum dns_type);
+DNS_PUBLIC const char *dns_strtype(enum dns_type, void *, size_t);
+#define dns_strtype3(a, b, c) dns_strtype((a), (b), (c))
+#define dns_strtype1(a) dns_strtype((a), (char [DNS_STRMAXLEN + 1]){ 0 }, DNS_STRMAXLEN + 1)
+#define dns_strtype(...) DNS_PP_CALL(DNS_PP_XPASTE(dns_strtype, DNS_PP_NARG(__VA_ARGS__)), __VA_ARGS__)
DNS_PUBLIC enum dns_type dns_itype(const char *);
diff -up gnupg-2.2.20/dirmngr/domaininfo.c.coverity gnupg-2.2.20/dirmngr/domaininfo.c
--- gnupg-2.2.20/dirmngr/domaininfo.c.coverity 2019-07-09 11:08:45.000000000 +0200
+++ gnupg-2.2.20/dirmngr/domaininfo.c 2020-05-04 17:54:30.800899152 +0200
@@ -193,6 +193,7 @@ insert_or_update (const char *domain,
log_error ("domaininfo: error allocating helper array: %s\n",
gpg_strerror (gpg_err_code_from_syserror ()));
drop_extra = bucket;
+ xfree (di_new);
goto leave;
}
narray = 0;
@@ -258,6 +259,8 @@ insert_or_update (const char *domain,
* sensible strategy. */
drop_extra = domainbuckets[hash];
domainbuckets[hash] = keep;
+
+ xfree (array);
}
/* Insert */
diff -up gnupg-2.2.20/dirmngr/http.c.coverity gnupg-2.2.20/dirmngr/http.c
--- gnupg-2.2.20/dirmngr/http.c.coverity 2019-11-18 18:44:33.000000000 +0100
+++ gnupg-2.2.20/dirmngr/http.c 2020-05-04 17:00:47.826878715 +0200
@@ -3656,7 +3656,6 @@ http_prepare_redirect (http_redir_info_t
if (!newurl)
{
err = gpg_error_from_syserror ();
- http_release_parsed_uri (locuri);
return err;
}
}
@@ -3675,7 +3674,6 @@ http_prepare_redirect (http_redir_info_t
if (!newurl)
{
err = gpg_error_from_syserror ();
- http_release_parsed_uri (locuri);
return err;
}
}
diff -up gnupg-2.2.20/dirmngr/ks-engine-hkp.c.coverity gnupg-2.2.20/dirmngr/ks-engine-hkp.c
--- gnupg-2.2.20/dirmngr/ks-engine-hkp.c.coverity 2019-11-18 18:44:33.000000000 +0100
+++ gnupg-2.2.20/dirmngr/ks-engine-hkp.c 2020-05-04 12:39:49.970920664 +0200
@@ -1426,7 +1426,7 @@ ks_hkp_search (ctrl_t ctrl, parsed_uri_t
int reselect;
unsigned int httpflags;
char *httphost = NULL;
- unsigned int http_status;
+ unsigned int http_status = 0;
unsigned int tries = SEND_REQUEST_RETRIES;
unsigned int extra_tries = SEND_REQUEST_EXTRA_RETRIES;
diff -up gnupg-2.2.20/g10/card-util.c.coverity gnupg-2.2.20/g10/card-util.c
--- gnupg-2.2.20/g10/card-util.c.coverity 2020-03-03 13:33:22.000000000 +0100
+++ gnupg-2.2.20/g10/card-util.c 2020-05-04 16:56:47.788157786 +0200
@@ -704,7 +704,7 @@ card_status (ctrl_t ctrl, estream_t fp,
{
int err;
strlist_t card_list, sl;
- char *serialno0, *serialno1;
+ char *serialno0, *serialno1 = NULL;
int all_cards = 0;
int any_card = 0;
@@ -749,6 +749,7 @@ card_status (ctrl_t ctrl, estream_t fp,
current_card_status (ctrl, fp, NULL, 0);
xfree (serialno1);
+ serialno1 = NULL;
if (!all_cards)
goto leave;
diff -up gnupg-2.2.20/g10/import.c.coverity gnupg-2.2.20/g10/import.c
--- gnupg-2.2.20/g10/import.c.coverity 2020-05-04 12:34:39.820379830 +0200
+++ gnupg-2.2.20/g10/import.c 2020-05-04 12:34:55.366106195 +0200
@@ -1888,7 +1888,7 @@ import_one_real (ctrl_t ctrl,
if (opt.interactive && !silent)
{
- if (is_status_enabled())
+ if (uidnode && is_status_enabled())
print_import_check (pk, uidnode->pkt->pkt.user_id);
merge_keys_and_selfsig (ctrl, keyblock);
tty_printf ("\n");
diff -up gnupg-2.2.20/g10/keygen.c.coverity gnupg-2.2.20/g10/keygen.c
--- gnupg-2.2.20/g10/keygen.c.coverity 2020-05-04 12:23:04.852613017 +0200
+++ gnupg-2.2.20/g10/keygen.c 2020-05-04 17:33:18.923891110 +0200
@@ -3075,7 +3075,7 @@ parse_key_parameter_part (ctrl_t ctrl,
char *endp;
const char *curve = NULL;
int ecdh_or_ecdsa = 0;
- unsigned int size;
+ unsigned int size = 0;
int keyuse;
int i;
const char *s;
@@ -5719,12 +5719,20 @@ gen_card_key (int keyno, int algo, int i
the self-signatures. */
err = agent_readkey (NULL, 1, keyid, &public);
if (err)
- return err;
+ {
+ xfree (pkt);
+ xfree (pk);
+ return err;
+ }
err = gcry_sexp_sscan (&s_key, NULL, public,
gcry_sexp_canon_len (public, 0, NULL, NULL));
xfree (public);
if (err)
- return err;
+ {
+ xfree (pkt);
+ xfree (pk);
+ return err;
+ }
if (algo == PUBKEY_ALGO_RSA)
err = key_from_sexp (pk->pkey, s_key, "public-key", "ne");
@@ -5739,6 +5747,7 @@ gen_card_key (int keyno, int algo, int i
if (err)
{
log_error ("key_from_sexp failed: %s\n", gpg_strerror (err) );
+ xfree (pkt);
free_public_key (pk);
return err;
}
diff -up gnupg-2.2.20/g10/sig-check.c.coverity gnupg-2.2.20/g10/sig-check.c
--- gnupg-2.2.20/g10/sig-check.c.coverity 2020-05-04 12:18:18.515653963 +0200
+++ gnupg-2.2.20/g10/sig-check.c 2020-05-04 12:18:33.599388425 +0200
@@ -902,6 +902,7 @@ check_signature_over_key_or_uid (ctrl_t
{
/* Issued by a subkey. */
signer = subk;
+ *is_selfsig = 1;
break;
}
}
diff -up gnupg-2.2.20/g10/sign.c.coverity gnupg-2.2.20/g10/sign.c
--- gnupg-2.2.20/g10/sign.c.coverity 2020-04-30 11:56:43.909360043 +0200
+++ gnupg-2.2.20/g10/sign.c 2020-05-04 12:08:56.651544958 +0200
@@ -823,7 +823,7 @@ write_signature_packets (ctrl_t ctrl,
PKT_public_key *pk;
PKT_signature *sig;
gcry_md_hd_t md;
- gpg_error_t err;
+ gpg_error_t err = 0;
pk = sk_rover->pk;
diff -up gnupg-2.2.20/kbx/keybox-dump.c.coverity gnupg-2.2.20/kbx/keybox-dump.c
--- gnupg-2.2.20/kbx/keybox-dump.c.coverity 2019-08-23 15:59:06.000000000 +0200
+++ gnupg-2.2.20/kbx/keybox-dump.c 2020-05-04 17:25:53.365946213 +0200
@@ -786,11 +786,15 @@ _keybox_dump_cut_records (const char *fi
while ( !(rc = _keybox_read_blob (&blob, fp, NULL)) )
{
if (recno > to)
- break; /* Ready. */
+ {
+ _keybox_release_blob (blob);
+ break; /* Ready. */
+ }
if (recno >= from)
{
if ((rc = _keybox_write_blob (blob, outfp)))
{
+ _keybox_release_blob (blob);
fprintf (stderr, "error writing output: %s\n",
gpg_strerror (rc));
goto leave;
diff -up gnupg-2.2.20/tools/gpg-wks-server.c.coverity gnupg-2.2.20/tools/gpg-wks-server.c
--- gnupg-2.2.20/tools/gpg-wks-server.c.coverity 2020-02-10 16:12:13.000000000 +0100
+++ gnupg-2.2.20/tools/gpg-wks-server.c 2020-05-04 11:52:42.547643198 +0200
@@ -890,15 +890,18 @@ store_key_as_pending (const char *dir, e
}
leave:
- if (err)
+ if (fname)
{
- es_fclose (outfp);
- gnupg_remove (fname);
- }
- else if (es_fclose (outfp))
- {
- err = gpg_error_from_syserror ();
- log_error ("error closing '%s': %s\n", fname, gpg_strerror (err));
+ if (err)
+ {
+ es_fclose (outfp);
+ gnupg_remove (fname);
+ }
+ else if (es_fclose (outfp))
+ {
+ err = gpg_error_from_syserror ();
+ log_error ("error closing '%s': %s\n", fname, gpg_strerror (err));
+ }
}
if (!err)
diff -up gnupg-2.2.20/tools/wks-util.c.coverity gnupg-2.2.20/tools/wks-util.c
--- gnupg-2.2.20/tools/wks-util.c.coverity 2020-05-04 12:02:21.839475031 +0200
+++ gnupg-2.2.20/tools/wks-util.c 2020-05-04 17:23:19.552726949 +0200
@@ -948,7 +948,7 @@ ensure_policy_file (const char *addrspec
static gpg_error_t
install_key_from_spec_file (const char *fname)
{
- gpg_error_t err;
+ gpg_error_t err = 0;
estream_t fp;
char *line = NULL;
size_t linelen = 0;
@@ -1195,10 +1195,8 @@ wks_cmd_print_wkd_hash (const char *user
char *addrspec, *fname;
err = wks_fname_from_userid (userid, 1, &fname, &addrspec);
- if (err)
- return err;
-
- es_printf ("%s %s\n", fname, addrspec);
+ if (!err)
+ es_printf ("%s %s\n", fname, addrspec);
xfree (fname);
xfree (addrspec);
@@ -1216,7 +1214,10 @@ wks_cmd_print_wkd_url (const char *useri
err = wks_fname_from_userid (userid, 1, &fname, &addrspec);
if (err)
- return err;
+ {
+ xfree (addrspec);
+ return err;
+ }
domain = strchr (addrspec, '@');
if (domain)

View File

@ -1,191 +0,0 @@
diff -up gnupg-2.2.20/g10/gpg.c.file-is-digest gnupg-2.2.20/g10/gpg.c
--- gnupg-2.2.20/g10/gpg.c.file-is-digest 2020-04-14 16:33:42.630269318 +0200
+++ gnupg-2.2.20/g10/gpg.c 2020-04-14 16:34:46.455100086 +0200
@@ -380,6 +380,7 @@ enum cmd_and_opt_values
oTTYtype,
oLCctype,
oLCmessages,
+ oFileIsDigest,
oXauthority,
oGroup,
oUnGroup,
@@ -831,6 +832,7 @@ static ARGPARSE_OPTS opts[] = {
ARGPARSE_s_s (oPersonalCompressPreferences,
"personal-compress-preferences", "@"),
ARGPARSE_s_s (oFakedSystemTime, "faked-system-time", "@"),
+ ARGPARSE_s_n (oFileIsDigest, "file-is-digest", "@"),
ARGPARSE_s_s (oWeakDigest, "weak-digest","@"),
ARGPARSE_s_n (oUnwrap, "unwrap", "@"),
ARGPARSE_s_n (oOnlySignTextIDs, "only-sign-text-ids", "@"),
@@ -2419,6 +2421,7 @@ main (int argc, char **argv)
opt.keyid_format = KF_NONE;
opt.def_sig_expire = "0";
opt.def_cert_expire = "0";
+ opt.file_is_digest = 0;
gnupg_set_homedir (NULL);
opt.passphrase_repeat = 1;
opt.emit_version = 0;
@@ -2997,6 +3000,7 @@ main (int argc, char **argv)
opt.verify_options&=~VERIFY_SHOW_PHOTOS;
break;
case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break;
+ case oFileIsDigest: opt.file_is_digest = 1; break;
case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break;
case oIncludeKeyBlock: opt.flags.include_key_block = 1; break;
diff -up gnupg-2.2.20/g10/options.h.file-is-digest gnupg-2.2.20/g10/options.h
--- gnupg-2.2.20/g10/options.h.file-is-digest 2020-03-14 19:54:05.000000000 +0100
+++ gnupg-2.2.20/g10/options.h 2020-04-14 16:33:42.634269245 +0200
@@ -202,6 +202,7 @@ struct
int no_auto_check_trustdb;
int preserve_permissions;
int no_homedir_creation;
+ int file_is_digest;
struct groupitem *grouplist;
int mangle_dos_filenames;
int enable_progress_filter;
diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
--- gnupg-2.2.20/g10/sign.c.file-is-digest 2020-03-14 19:35:46.000000000 +0100
+++ gnupg-2.2.20/g10/sign.c 2020-04-14 16:36:54.661751422 +0200
@@ -40,6 +40,7 @@
#include "pkglue.h"
#include "../common/sysutils.h"
#include "call-agent.h"
+#include "../common/host2net.h"
#include "../common/mbox-util.h"
#include "../common/compliance.h"
@@ -834,6 +835,8 @@ write_signature_packets (ctrl_t ctrl,
if (duration || opt.sig_policy_url
|| opt.sig_notations || opt.sig_keyserver_url)
sig->version = 4;
+ else if (opt.file_is_digest)
+ sig->version = 3;
else
sig->version = pk->version;
@@ -860,8 +863,11 @@ write_signature_packets (ctrl_t ctrl,
else
err = 0;
}
- hash_sigversion_to_magic (md, sig);
- gcry_md_final (md);
+
+ if (!opt.file_is_digest) {
+ hash_sigversion_to_magic (md, sig);
+ gcry_md_final (md);
+ }
if (!err)
err = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce, 0);
@@ -924,6 +930,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
SK_LIST sk_rover = NULL;
int multifile = 0;
u32 duration=0;
+ int sigclass = 0x00;
+ u32 timestamp = 0;
pfx = new_progress_context ();
afx = new_armor_context ();
@@ -941,7 +949,16 @@ sign_file (ctrl_t ctrl, strlist_t filena
fname = NULL;
if( fname && filenames->next && (!detached || encryptflag) )
- log_bug("multiple files can only be detached signed");
+ log_bug("multiple files can only be detached signed\n");
+
+ if (opt.file_is_digest && (multifile || !fname))
+ log_bug("file-is-digest only works with one file\n");
+ if (opt.file_is_digest && !detached)
+ log_bug("file-is-digest can only write detached signatures\n");
+ if (opt.file_is_digest && !opt.def_digest_algo)
+ log_bug("file-is-digest needs --digest-algo\n");
+ if (opt.file_is_digest && opt.textmode)
+ log_bug("file-is-digest doesn't work with --textmode\n");
if(encryptflag==2
&& (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek)))
@@ -962,7 +979,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
goto leave;
/* prepare iobufs */
- if( multifile ) /* have list of filenames */
+ if( multifile || opt.file_is_digest) /* have list of filenames */
inp = NULL; /* we do it later */
else {
inp = iobuf_open(fname);
@@ -1100,7 +1117,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next)
gcry_md_enable (mfx.md, hash_for (sk_rover->pk));
- if( !multifile )
+ if( !multifile && !opt.file_is_digest )
iobuf_push_filter( inp, md_filter, &mfx );
if( detached && !encryptflag)
@@ -1155,6 +1172,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
write_status_begin_signing (mfx.md);
+ sigclass = opt.textmode && !outfile? 0x01 : 0x00;
+
/* Setup the inner packet. */
if( detached ) {
if( multifile ) {
@@ -1195,6 +1214,45 @@ sign_file (ctrl_t ctrl, strlist_t filena
if( opt.verbose )
log_printf ("\n");
}
+ else if (opt.file_is_digest) {
+ byte *mdb, ts[5];
+ size_t mdlen;
+ const char *fp;
+ int c, d;
+
+ gcry_md_final(mfx.md);
+ /* this assumes gcry_md_read returns the same buffer */
+ mdb = gcry_md_read(mfx.md, opt.def_digest_algo);
+ mdlen = gcry_md_get_algo_dlen(opt.def_digest_algo);
+ if (strlen(fname) != mdlen * 2 + 11)
+ log_bug("digests must be %zu + @ + 5 bytes\n", mdlen);
+ d = -1;
+ for (fp = fname ; *fp; ) {
+ c = *fp++;
+ if (c >= '0' && c <= '9')
+ c -= '0';
+ else if (c >= 'a' && c <= 'f')
+ c -= 'a' - 10;
+ else if (c >= 'A' && c <= 'F')
+ c -= 'A' - 10;
+ else
+ log_bug("filename is not hex\n");
+ if (d >= 0) {
+ *mdb++ = d << 4 | c;
+ c = -1;
+ if (--mdlen == 0) {
+ mdb = ts;
+ if (*fp++ != '@')
+ log_bug("missing time separator\n");
+ }
+ }
+ d = c;
+ }
+ sigclass = ts[0];
+ if (sigclass != 0x00 && sigclass != 0x01)
+ log_bug("bad cipher class\n");
+ timestamp = buf32_to_u32(ts + 1);
+ }
else {
/* read, so that the filter can calculate the digest */
while( iobuf_get(inp) != -1 )
@@ -1213,8 +1271,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
/* write the signatures */
rc = write_signature_packets (ctrl, sk_list, out, mfx.md,
- opt.textmode && !outfile? 0x01 : 0x00,
- 0, duration, detached ? 'D':'S', NULL);
+ sigclass,
+ timestamp, duration, detached ? 'D':'S', NULL);
if( rc )
goto leave;

Binary file not shown.

1
ci.fmf Normal file
View File

@ -0,0 +1 @@
resultsdb-testcase: separate

7
gating.yaml Normal file
View File

@ -0,0 +1,7 @@
--- !Policy
product_versions:
- rhel-10
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-enabled.functional}
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-disabled.functional}

View File

@ -0,0 +1,54 @@
diff -up gnupg-2.1.1/g10/mainproc.c.fips gnupg-2.1.1/g10/mainproc.c
--- gnupg-2.1.1/g10/mainproc.c.fips 2015-01-29 17:19:49.266031504 +0100
+++ gnupg-2.1.1/g10/mainproc.c 2015-01-29 17:27:13.938088122 +0100
@@ -719,7 +719,8 @@ proc_plaintext( CTX c, PACKET *pkt )
according to 2440, so hopefully it won't come up that often.
There is no good way to specify what algorithms to use in
that case, so these there are the historical answer. */
- gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
+ if (!gcry_fips_mode_active())
+ gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
}
if (DBG_HASHING)
diff --git a/common/t-sexputil.c b/common/t-sexputil.c
index d75090c5b..be5eb2122 100644
--- a/common/t-sexputil.c
+++ b/common/t-sexputil.c
@@ -291,36 +291,6 @@ test_ecc_uncompress (void)
const char *b; /* Compressed. */
}
tests[] = {
- {
- "(public-key"
- " (ecc"
- " (curve brainpoolP256r1)"
- " (q #042ECD8679930BE2DB4AD42B8600BA3F80"
- /* */"2D4D539BFF2F69B83EC9B7BBAA7F3406"
- /* */"436DD11A1756AFE56CD93408410FCDA9"
- /* */"BA95024EB613BD481A14FCFEC27A448A#)))",
- /* The same in compressed form. */
- "(public-key"
- " (ecc"
- " (curve brainpoolP256r1)"
- " (q #022ECD8679930BE2DB4AD42B8600BA3F80"
- /* */"2D4D539BFF2F69B83EC9B7BBAA7F3406#)))"
- },
- {
- "(public-key"
- " (ecc"
- " (curve brainpoolP256r1)"
- " (q #045B784CA008EE64AB3D85017EE0D2BE87"
- /* */"558762C7300E0C8E06B1F9AF7C031458"
- /* */"9EBBA41915313417BA54218EB0569C59"
- /* */"0B156C76DBCAB6E84575E6EF68CE7B87#)))",
- /* The same in compressed form. */
- "(public-key"
- " (ecc"
- " (curve brainpoolP256r1)"
- " (q #035B784CA008EE64AB3D85017EE0D2BE87"
- /* */"558762C7300E0C8E06B1F9AF7C031458#)))"
- },
{ /* A key which does not require a conversion. */
"(public-key"
" (ecdsa"

240
gnupg-2.2.21-coverity.patch Normal file
View File

@ -0,0 +1,240 @@
diff -up gnupg-2.2.21/common/server-help.c.coverity gnupg-2.2.21/common/server-help.c
--- gnupg-2.2.21/common/server-help.c.coverity 2019-02-11 10:59:34.000000000 +0100
+++ gnupg-2.2.21/common/server-help.c 2020-07-20 17:09:57.416148768 +0200
@@ -156,7 +156,7 @@ get_option_value (char *line, const char
*pend = 0;
*r_value = xtrystrdup (p);
*pend = c;
- if (!p)
+ if (!*r_value)
return my_error_from_syserror ();
return 0;
}
From 7a707a3eff1c3fbe17a74337776871f408377cee Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 9 Apr 2021 16:13:07 +0200
Subject: [PATCH GnuPG 03/19] g10: Fix memory leaks
* g10/card-util.c (change_pin): free answer on errors
(ask_card_keyattr): free answer on error
* g10/cpr.c (do_get_from_fd): free string
* g10/gpg.c (check_permissions): free dir on weird error
* g10/import.c (append_new_uid): release knode
* g10/keyedit.c (menu_set_keyserver_url): free answer
(menu_set_keyserver_url): free user
* g10/keygen.c (print_status_key_not_created): move allocation after
sanity check
(ask_expire_interval): free answer
(card_store_key_with_backup): goto leave instaed of return
* g10/keyserver.c (parse_keyserver_uri): goto fail instead of return
* g10/revoke.c (gen_desig_revoke): release kdbhd
(gen_desig_revoke): free answer
* g10/tofu.c (ask_about_binding): free sqerr and response
* g10/trustdb.c (ask_ownertrust): free pk
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
g10/card-util.c | 14 +++++++++++---
g10/cpr.c | 6 +++++-
g10/gpg.c | 1 +
g10/import.c | 5 ++++-
g10/keyedit.c | 8 +++++++-
g10/keygen.c | 15 +++++++++++----
g10/keyserver.c | 2 +-
g10/revoke.c | 6 +++++-
g10/tofu.c | 4 ++++
g10/trustdb.c | 1 +
10 files changed, 50 insertions(+), 12 deletions(-)
diff --git a/g10/card-util.c b/g10/card-util.c
index 36f096f06..c7df8380d 100644
--- a/g10/card-util.c
+++ b/g10/card-util.c
@@ -127,7 +127,7 @@ change_pin (int unblock_v2, int allow_admin)
else
for (;;)
{
- char *answer;
+ char *answer = NULL;
tty_printf ("\n");
tty_printf ("1 - change PIN\n"
diff --git a/g10/tofu.c b/g10/tofu.c
index f49083844..83786a08d 100644
--- a/g10/tofu.c
+++ b/g10/tofu.c
@@ -1687,6 +1687,8 @@ ask_about_binding (ctrl_t ctrl,
GPGSQL_ARG_END);
if (rc)
{
+ sqlite3_free (sqerr);
+ sqerr = NULL;
rc = gpg_error (GPG_ERR_GENERAL);
break;
}
--
2.30.2
From 7c8048b686a6e811d0b24febf3c5e2528e7881f1 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 13 Apr 2021 16:23:31 +0200
Subject: [PATCH GnuPG 14/19] dirmgr: Avoid memory leaks
* dirmngr/domaininfo.c (insert_or_update): free di_new
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
dirmngr/domaininfo.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/dirmngr/domaininfo.c b/dirmngr/domaininfo.c
index b41aef366..87782b4b1 100644
--- a/dirmngr/domaininfo.c
+++ b/dirmngr/domaininfo.c
@@ -193,6 +193,7 @@ insert_or_update (const char *domain,
log_error ("domaininfo: error allocating helper array: %s\n",
gpg_strerror (gpg_err_code_from_syserror ()));
drop_extra = bucket;
+ xfree (di_new);
goto leave;
}
narray = 0;
--
2.30.2
From ab3b8c53993b3305088efde756a44bac6e6492d4 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 13 Apr 2021 16:34:40 +0200
Subject: [PATCH GnuPG 15/19] scd: Avoid memory leaks and uninitialized memory
* scd/app-piv.c (do_decipher): goto leave, initialize outdatalen
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
scd/app-piv.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scd/app-piv.c b/scd/app-piv.c
index 143cc047a..94257f0ee 100644
--- a/scd/app-piv.c
+++ b/scd/app-piv.c
@@ -2483,7 +2483,7 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr,
gpg_error_t err;
data_object_t dobj;
unsigned char *outdata = NULL;
- size_t outdatalen;
+ size_t outdatalen = 0;
const unsigned char *s;
size_t n;
int keyref, mechanism;
@@ -2582,7 +2582,7 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr,
/* Now verify the Application PIN. */
err = verify_chv (app, ctrl, 0x80, 0, pincb, pincb_arg);
if (err)
- return err;
+ goto leave;
/* Build the Dynamic Authentication Template. */
err = concat_tlv_list (0, &apdudata, &apdudatalen,
--
2.30.2
From f182bf91443618323e34261039045a6bde269be5 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 13 Apr 2021 16:44:48 +0200
Subject: [PATCH GnuPG 16/19] tools: Avoid memory leaks
* tools/wks-util.c (wks_cmd_print_wkd_url): Free addrspec on error
(wks_cmd_print_wkd_hash): Free addrspec on error
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
tools/wks-util.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/tools/wks-util.c b/tools/wks-util.c
index 516c7fe00..38dd194ff 100644
--- a/tools/wks-util.c
+++ b/tools/wks-util.c
@@ -1192,11 +1192,14 @@ gpg_error_t
wks_cmd_print_wkd_hash (const char *userid)
{
gpg_error_t err;
- char *addrspec, *fname;
+ char *addrspec = NULL, *fname;
err = wks_fname_from_userid (userid, 1, &fname, &addrspec);
if (err)
- return err;
+ {
+ xfree (addrspec);
+ return err;
+ }
es_printf ("%s %s\n", fname, addrspec);
@@ -1211,12 +1214,15 @@ gpg_error_t
wks_cmd_print_wkd_url (const char *userid)
{
gpg_error_t err;
- char *addrspec, *fname;
+ char *addrspec = NULL, *fname;
char *domain;
err = wks_fname_from_userid (userid, 1, &fname, &addrspec);
if (err)
- return err;
+ {
+ xfree (addrspec);
+ return err;
+ }
domain = strchr (addrspec, '@');
if (domain)
--
2.30.2
From 600fabd8268c765d45d48873e7a8610e6dae0966 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 14 Apr 2021 15:59:12 +0200
Subject: [PATCH GnuPG 17/19] scd: Use the same allocator to free memory
* scd/command.c (cmd_getinfo): Use free instead of gcry_free to match
the original allocator
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
scd/command.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/scd/command.c b/scd/command.c
index cb0dd379a..9d85c5a41 100644
--- a/scd/command.c
+++ b/scd/command.c
@@ -1832,7 +1832,8 @@ cmd_getinfo (assuan_context_t ctx, char *line)
rc = assuan_send_data (ctx, p, strlen (p));
else
rc = gpg_error (GPG_ERR_NO_DATA);
- xfree (p);
+ /* allocated by scd/ccid-driver.c which is not using x*alloc/gcry_* */
+ free (p);
}
else if (!strcmp (line, "deny_admin"))
rc = opt.allow_admin? gpg_error (GPG_ERR_GENERAL) : 0;
--
2.30.2

View File

@ -0,0 +1,12 @@
diff -up gnupg-2.2.23/g10/keygen.c.large-rsa gnupg-2.2.23/g10/keygen.c
--- gnupg-2.2.23/g10/keygen.c.large-rsa 2020-09-04 13:53:42.030486671 +0200
+++ gnupg-2.2.23/g10/keygen.c 2020-09-04 13:55:52.896669542 +0200
@@ -2262,7 +2262,7 @@ get_keysize_range (int algo, unsigned in
default:
*min = opt.compliance == CO_DE_VS ? 2048: 1024;
- *max = 4096;
+ *max = opt.flags.large_rsa == 1 ? 8192 : 4096;
def = 3072;
break;
}

View File

@ -1,3 +1,4 @@
From c9485d59f735dbf7509a0136a896fe76f9cc915a Mon Sep 17 00:00:00 2001
From: Vincent Breitmoser <look@my.amazin.horse>
Date: Thu, 13 Jun 2019 21:27:42 +0200
Subject: gpg: allow import of previously known keys, even without UIDs
@ -13,14 +14,14 @@ This fixes two of the three broken tests in import-incomplete.scm.
GnuPG-Bug-id: 4393
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
g10/import.c | 44 +++++++++++---------------------------------
1 file changed, 11 insertions(+), 33 deletions(-)
g10/import.c | 45 +++++++++++----------------------------------
1 file changed, 11 insertions(+), 34 deletions(-)
diff --git a/g10/import.c b/g10/import.c
index 5d3162c..f9acf95 100644
index 9fab46ca6..c70a6221c 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -1788,7 +1788,6 @@ import_one_real (ctrl_t ctrl,
@@ -1954,7 +1954,6 @@ import_one_real (ctrl_t ctrl,
size_t an;
char pkstrbuf[PUBKEY_STRING_SIZE];
int merge_keys_done = 0;
@ -28,12 +29,12 @@ index 5d3162c..f9acf95 100644
KEYDB_HANDLE hd = NULL;
if (r_valid)
@@ -1825,14 +1824,6 @@ import_one_real (ctrl_t ctrl,
@@ -1991,14 +1990,6 @@ import_one_real (ctrl_t ctrl,
log_printf ("\n");
}
-
- if (!uidnode )
- if (!uidnode)
- {
- if (!silent)
- log_error( _("key %s: no user ID\n"), keystr_from_pk(pk));
@ -43,16 +44,17 @@ index 5d3162c..f9acf95 100644
if (screener && screener (keyblock, screener_arg))
{
log_error (_("key %s: %s\n"), keystr_from_pk (pk),
@@ -1907,17 +1898,10 @@ import_one_real (ctrl_t ctrl,
@@ -2078,18 +2069,10 @@ import_one_real (ctrl_t ctrl,
}
}
- if (!delete_inv_parts (ctrl, keyblock, keyid, options ) )
- /* Delete invalid parts and bail out if there are no user ids left. */
- if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs))
- {
- if (!silent)
- {
- log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
- if (!opt.quiet )
- log_error ( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
- if (!opt.quiet)
- log_info(_("this may be caused by a missing self-signature\n"));
- }
- stats->no_user_id++;
@ -61,11 +63,11 @@ index 5d3162c..f9acf95 100644
+ /* Delete invalid parts, and note if we have any valid ones left.
+ * We will later abort import if this key is new but contains
+ * no valid uids. */
+ delete_inv_parts (ctrl, keyblock, keyid, options);
+ delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs);
/* Get rid of deleted nodes. */
commit_kbnode (&keyblock);
@@ -1927,24 +1911,11 @@ import_one_real (ctrl_t ctrl,
@@ -2099,24 +2082,11 @@ import_one_real (ctrl_t ctrl,
{
apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid);
commit_kbnode (&keyblock);
@ -90,7 +92,7 @@ index 5d3162c..f9acf95 100644
}
/* The keyblock is valid and ready for real import. */
@@ -2002,6 +1973,13 @@ import_one_real (ctrl_t ctrl,
@@ -2174,6 +2144,13 @@ import_one_real (ctrl_t ctrl,
err = 0;
stats->skipped_new_keys++;
}

View File

@ -0,0 +1,226 @@
From cdd5082a9e3bdfc8de4aee4835dbdd607b4510be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?= <tmraz@fedoraproject.org>
Date: Tue, 5 Aug 2014 17:04:08 +0200
Subject: [PATCH gnupg] add --file-is-digest option needed for copr
---
g10/gpg.c | 4 +++
g10/options.h | 1 +
g10/sign.c | 93 ++++++++++++++++++++++++++++++++++++++++++++-------
3 files changed, 85 insertions(+), 13 deletions(-)
diff --git a/g10/gpg.c b/g10/gpg.c
index f9bc8395f..dcab0a11a 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -395,6 +395,7 @@ enum cmd_and_opt_values
oTTYtype,
oLCctype,
oLCmessages,
+ oFileIsDigest,
oXauthority,
oGroup,
oUnGroup,
@@ -656,6 +657,7 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_s (oTempDir, "temp-directory", "@"),
ARGPARSE_s_s (oExecPath, "exec-path", "@"),
ARGPARSE_s_n (oExpert, "expert", "@"),
+ ARGPARSE_s_n (oFileIsDigest, "file-is-digest", "@"),
ARGPARSE_s_n (oNoExpert, "no-expert", "@"),
ARGPARSE_s_n (oNoSecmemWarn, "no-secmem-warning", "@"),
ARGPARSE_s_n (oRequireSecmem, "require-secmem", "@"),
@@ -2484,6 +2486,7 @@ main (int argc, char **argv)
opt.keyid_format = KF_NONE;
opt.def_sig_expire = "0";
opt.def_cert_expire = "0";
+ opt.file_is_digest = 0;
opt.passphrase_repeat = 1;
opt.emit_version = 0;
opt.weak_digests = NULL;
@@ -3111,6 +3114,7 @@ main (int argc, char **argv)
case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break;
case oForceAEAD: opt.force_aead = 1; break;
+ case oFileIsDigest: opt.file_is_digest = 1; break;
case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break;
case oIncludeKeyBlock: opt.flags.include_key_block = 1; break;
diff --git a/g10/options.h b/g10/options.h
index 9015e321f..10852046c 100644
--- a/g10/options.h
+++ b/g10/options.h
@@ -219,6 +219,7 @@ struct
int no_auto_check_trustdb;
int preserve_permissions;
int no_homedir_creation;
+ int file_is_digest;
struct groupitem *grouplist;
int mangle_dos_filenames;
int enable_progress_filter;
diff --git a/g10/sign.c b/g10/sign.c
index b5e9d422d..7ad143649 100644
--- a/g10/sign.c
+++ b/g10/sign.c
@@ -40,6 +40,7 @@
#include "pkglue.h"
#include "../common/sysutils.h"
#include "call-agent.h"
+#include "../common/host2net.h"
#include "../common/mbox-util.h"
#include "../common/compliance.h"
@@ -945,6 +946,8 @@ write_signature_packets (ctrl_t ctrl,
if (pk->version >= 5)
sig->version = 5; /* Required for v5 keys. */
+ else if (opt.file_is_digest)
+ sig->version = 3;
else
sig->version = 4; /* Required. */
@@ -962,14 +965,22 @@ write_signature_packets (ctrl_t ctrl,
if (gcry_md_copy (&md, hash))
BUG ();
- build_sig_subpkt_from_sig (sig, pk, 0);
- mk_notation_policy_etc (ctrl, sig, NULL, pk);
- if (opt.flags.include_key_block && IS_SIG (sig))
- err = mk_sig_subpkt_key_block (ctrl, sig, pk);
- else
- err = 0;
- hash_sigversion_to_magic (md, sig, extrahash);
- gcry_md_final (md);
+ if (!opt.file_is_digest)
+ {
+ build_sig_subpkt_from_sig (sig, pk, 0);
+ mk_notation_policy_etc (ctrl, sig, NULL, pk);
+ if (opt.flags.include_key_block && IS_SIG (sig))
+ err = mk_sig_subpkt_key_block (ctrl, sig, pk);
+ else
+ err = 0;
+
+ hash_sigversion_to_magic (md, sig, extrahash);
+ gcry_md_final (md);
+ }
+ else if (sig->version >= 4)
+ {
+ log_bug("file-is-digest doesn't work with v4 sigs\n");
+ }
if (!err)
err = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce, 0);
@@ -1034,6 +1045,8 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
SK_LIST sk_rover = NULL;
int multifile = 0;
u32 duration=0;
+ int sigclass = 0x00;
+ u32 timestamp = 0;
pt_extra_hash_data_t extrahash = NULL;
pfx = new_progress_context ();
@@ -1056,7 +1069,16 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
fname = NULL;
if (fname && filenames->next && (!detached || encryptflag))
- log_bug ("multiple files can only be detached signed");
+ log_bug ("multiple files can only be detached signed\n");
+
+ if (opt.file_is_digest && (multifile || !fname))
+ log_bug ("file-is-digest only works with one file\n");
+ if (opt.file_is_digest && !detached)
+ log_bug ("file-is-digest can only write detached signatures\n");
+ if (opt.file_is_digest && !opt.def_digest_algo)
+ log_bug ("file-is-digest needs --digest-algo\n");
+ if (opt.file_is_digest && opt.textmode)
+ log_bug ("file-is-digest doesn't work with --textmode\n");
if (encryptflag == 2
&& (rc = setup_symkey (&efx.symkey_s2k, &efx.symkey_dek)))
@@ -1077,7 +1099,7 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
goto leave;
/* Prepare iobufs. */
- if (multifile) /* have list of filenames */
+ if (multifile || opt.file_is_digest) /* have list of filenames */
inp = NULL; /* we do it later */
else
{
@@ -1240,7 +1262,7 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next)
gcry_md_enable (mfx.md, hash_for (sk_rover->pk));
- if (!multifile)
+ if (!multifile && !opt.file_is_digest)
iobuf_push_filter (inp, md_filter, &mfx);
if (detached && !encryptflag)
@@ -1306,6 +1328,8 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
write_status_begin_signing (mfx.md);
+ sigclass = opt.textmode && !outfile? 0x01 : 0x00;
+
/* Setup the inner packet. */
if (detached)
{
@@ -1353,6 +1377,49 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
if (opt.verbose)
log_printf ("\n");
}
+ else if (opt.file_is_digest)
+ {
+ byte *mdb, ts[5] = {0};
+ size_t mdlen;
+ const char *fp;
+ int c, d;
+
+ gcry_md_final(mfx.md);
+ /* this assumes gcry_md_read returns the same buffer */
+ mdb = gcry_md_read(mfx.md, opt.def_digest_algo);
+ mdlen = gcry_md_get_algo_dlen(opt.def_digest_algo);
+ if (strlen(fname) != mdlen * 2 + 11)
+ log_bug("digests must be %zu + '@' + 5 bytes\n", mdlen);
+ d = -1;
+ for (fp = fname ; *fp; )
+ {
+ c = *fp++;
+ if (c >= '0' && c <= '9')
+ c -= '0';
+ else if (c >= 'a' && c <= 'f')
+ c -= 'a' - 10;
+ else if (c >= 'A' && c <= 'F')
+ c -= 'A' - 10;
+ else
+ log_bug("filename is not hex\n");
+ if (d >= 0)
+ {
+ *mdb++ = d << 4 | c;
+ c = -1;
+ if (--mdlen == 0)
+ {
+ mdb = ts;
+ if (*fp++ != '@')
+ log_bug("missing time separator\n");
+ }
+ }
+ d = c;
+ }
+ sigclass = ts[0];
+ if (sigclass != 0x00 && sigclass != 0x01)
+ log_bug("bad cipher class\n");
+ timestamp = buf32_to_u32(ts + 1);
+ }
else
{
/* Read, so that the filter can calculate the digest. */
@@ -1374,8 +1441,8 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
/* Write the signatures. */
rc = write_signature_packets (ctrl, sk_list, out, mfx.md, extrahash,
- opt.textmode && !outfile? 0x01 : 0x00,
- 0, duration, detached ? 'D':'S', NULL);
+ sigclass,
+ timestamp, duration, detached ? 'D':'S', NULL);
if (rc)
goto leave;

View File

@ -0,0 +1,275 @@
From eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Mon, 23 Jan 2023 16:34:19 +0100
Subject: [PATCH] doc: Remove profile and systemd example files.
--
The profiles are not any longer useful because global options are way
more powerful (/etc/gnupg/gpg.conf et al.). The use of systemd is
deprecated because of additional complexity and the race between
systemd based autolaunching and the explicit gnupg based and lockfile
protected autolaunching.
GnuPG-bug-id: 6336
---
diff --git b/doc/Makefile.am a/doc/Makefile.am
index 390153c76..0093c43a8 100644
--- b/doc/Makefile.am
+++ a/doc/Makefile.am
@@ -22,6 +22,14 @@ AM_CPPFLAGS =
examples/qualified.txt \
examples/common.conf \
examples/gpgconf.rnames examples/gpgconf.conf \
+ examples/systemd-user/README \
+ examples/systemd-user/dirmngr.service \
+ examples/systemd-user/dirmngr.socket \
+ examples/systemd-user/gpg-agent.service \
+ examples/systemd-user/gpg-agent.socket \
+ examples/systemd-user/gpg-agent-ssh.socket \
+ examples/systemd-user/gpg-agent-browser.socket \
+ examples/systemd-user/gpg-agent-extra.socket \
examples/pwpattern.list
helpfiles = help.txt help.be.txt help.ca.txt help.cs.txt \
diff --git b/doc/Makefile.in a/doc/Makefile.in
index 390153c76..0093c43a8 100644
--- b/doc/Makefile.in
+++ a/doc/Makefile.in
@@ -475,6 +475,14 @@ AM_CPPFLAGS =
examples/qualified.txt \
examples/common.conf \
examples/gpgconf.rnames examples/gpgconf.conf \
+ examples/systemd-user/README \
+ examples/systemd-user/dirmngr.service \
+ examples/systemd-user/dirmngr.socket \
+ examples/systemd-user/gpg-agent.service \
+ examples/systemd-user/gpg-agent.socket \
+ examples/systemd-user/gpg-agent-ssh.socket \
+ examples/systemd-user/gpg-agent-browser.socket \
+ examples/systemd-user/gpg-agent-extra.socket \
examples/pwpattern.list
helpfiles = help.txt help.be.txt help.ca.txt help.cs.txt \
diff --git b/doc/examples/README a/doc/examples/README
index cd341ab57..67508c471 100644
--- b/doc/examples/README
+++ a/doc/examples/README
@@ -8,6 +8,8 @@ trustlist.txt A list of trustworthy root certificates
gpgconf.conf A sample configuration file for gpgconf.
+systemd-user Sample files for a Linux-only init system.
+
qualified.txt Sample file for qualified.txt.
common.conf Sample file for common options.
diff --git b/doc/examples/gpgconf.conf a/doc/examples/gpgconf.conf
index 314b955b9..a61d4d453 100644
--- b/doc/examples/gpgconf.conf
+++ a/doc/examples/gpgconf.conf
@@ -1,9 +1,5 @@
# gpgconf.conf - configuration for gpgconf
#----------------------------------------------------------------------
-#
-# === The use of this feature is deprecated ===
-# == Please use the more powerful global options. ==
-#
# This file is read by gpgconf(1) to setup defaults for all or
# specified users and groups. It may be used to change the hardwired
# defaults in gpgconf and to enforce certain values for the various
diff --git b/doc/examples/systemd-user/README a/doc/examples/systemd-user/README
new file mode 100644
index 000000000..43122f568
--- /dev/null
+++ a/doc/examples/systemd-user/README
@@ -0,0 +1,66 @@
+Socket-activated dirmngr and gpg-agent with systemd
+===================================================
+
+When used on a GNU/Linux system supervised by systemd, you can ensure
+that the GnuPG daemons dirmngr and gpg-agent are launched
+automatically the first time they're needed, and shut down cleanly at
+session logout. This is done by enabling user services via
+socket-activation.
+
+System distributors
+-------------------
+
+The *.service and *.socket files (from this directory) should be
+placed in /usr/lib/systemd/user/ alongside other user-session services
+and sockets.
+
+To enable socket-activated dirmngr for all accounts on the system,
+use:
+
+ systemctl --user --global enable dirmngr.socket
+
+To enable socket-activated gpg-agent for all accounts on the system,
+use:
+
+ systemctl --user --global enable gpg-agent.socket
+
+Additionally, you can enable socket-activated gpg-agent ssh-agent
+emulation for all accounts on the system with:
+
+ systemctl --user --global enable gpg-agent-ssh.socket
+
+You can also enable restricted ("--extra-socket"-style) gpg-agent
+sockets for all accounts on the system with:
+
+ systemctl --user --global enable gpg-agent-extra.socket
+
+Individual users
+----------------
+
+A user on a system with systemd where this has not been installed
+system-wide can place these files in ~/.config/systemd/user/ to make
+them available.
+
+If a given service isn't installed system-wide, or if it's installed
+system-wide but not globally enabled, individual users will still need
+to enable them. For example, to enable socket-activated dirmngr for
+all future sessions:
+
+ systemctl --user enable dirmngr.socket
+
+To enable socket-activated gpg-agent with ssh support, do:
+
+ systemctl --user enable gpg-agent.socket gpg-agent-ssh.socket
+
+These changes won't take effect until your next login after you've
+fully logged out (be sure to terminate any running daemons before
+logging out).
+
+If you'd rather try a socket-activated GnuPG daemon in an
+already-running session without logging out (with or without enabling
+it for all future sessions), kill any existing daemon and start the
+user socket directly. For example, to set up socket-activated dirmgnr
+in the current session:
+
+ gpgconf --kill dirmngr
+ systemctl --user start dirmngr.socket
diff --git b/doc/examples/systemd-user/dirmngr.service a/doc/examples/systemd-user/dirmngr.service
new file mode 100644
index 000000000..3c060cde5
--- /dev/null
+++ a/doc/examples/systemd-user/dirmngr.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=GnuPG network certificate management daemon
+Documentation=man:dirmngr(8)
+Requires=dirmngr.socket
+
+[Service]
+ExecStart=/usr/bin/dirmngr --supervised
+ExecReload=/usr/bin/gpgconf --reload dirmngr
diff --git b/doc/examples/systemd-user/dirmngr.socket a/doc/examples/systemd-user/dirmngr.socket
new file mode 100644
index 000000000..ebabf896a
--- /dev/null
+++ a/doc/examples/systemd-user/dirmngr.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=GnuPG network certificate management daemon
+Documentation=man:dirmngr(8)
+
+[Socket]
+ListenStream=%t/gnupg/S.dirmngr
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
diff --git b/doc/examples/systemd-user/gpg-agent-browser.socket a/doc/examples/systemd-user/gpg-agent-browser.socket
new file mode 100644
index 000000000..bc8d344e1
--- /dev/null
+++ a/doc/examples/systemd-user/gpg-agent-browser.socket
@@ -0,0 +1,13 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache (access for web browsers)
+Documentation=man:gpg-agent(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent.browser
+FileDescriptorName=browser
+Service=gpg-agent.service
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
diff --git b/doc/examples/systemd-user/gpg-agent-extra.socket a/doc/examples/systemd-user/gpg-agent-extra.socket
new file mode 100644
index 000000000..5b87d09df
--- /dev/null
+++ a/doc/examples/systemd-user/gpg-agent-extra.socket
@@ -0,0 +1,13 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache (restricted)
+Documentation=man:gpg-agent(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent.extra
+FileDescriptorName=extra
+Service=gpg-agent.service
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
diff --git b/doc/examples/systemd-user/gpg-agent-ssh.socket a/doc/examples/systemd-user/gpg-agent-ssh.socket
new file mode 100644
index 000000000..798c1d967
--- /dev/null
+++ a/doc/examples/systemd-user/gpg-agent-ssh.socket
@@ -0,0 +1,13 @@
+[Unit]
+Description=GnuPG cryptographic agent (ssh-agent emulation)
+Documentation=man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent.ssh
+FileDescriptorName=ssh
+Service=gpg-agent.service
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
diff --git b/doc/examples/systemd-user/gpg-agent.service a/doc/examples/systemd-user/gpg-agent.service
new file mode 100644
index 000000000..a050fccdc
--- /dev/null
+++ a/doc/examples/systemd-user/gpg-agent.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache
+Documentation=man:gpg-agent(1)
+Requires=gpg-agent.socket
+
+[Service]
+ExecStart=/usr/bin/gpg-agent --supervised
+ExecReload=/usr/bin/gpgconf --reload gpg-agent
diff --git b/doc/examples/systemd-user/gpg-agent.socket a/doc/examples/systemd-user/gpg-agent.socket
new file mode 100644
index 000000000..4257c2c80
--- /dev/null
+++ a/doc/examples/systemd-user/gpg-agent.socket
@@ -0,0 +1,12 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache
+Documentation=man:gpg-agent(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent
+FileDescriptorName=std
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
--
2.41.0

View File

@ -0,0 +1,162 @@
From ff31dde456f32950f0df6c974b4c41f1d650d68f Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Mon, 5 Oct 2020 14:21:31 +0200
Subject: [PATCH GnuPG] gpg: Switch to ed25519+cv25519 as default algo.
* g10/keygen.c (DEFAULT_STD_KEY_PARAM): Change to former future
default ago.
(ask_algo): Change default and also the way we indicate the default
algo in the list of algos.
(ask_curve): Indicate the default curve.
Signed-off-by: Werner Koch <wk@gnupg.org>
---
g10/keygen.c | 57 ++++++++++++++++++++++++++--------------------------
1 file changed, 29 insertions(+), 28 deletions(-)
diff --git a/g10/keygen.c b/g10/keygen.c
index 16e4e58ea..b510525e3 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -47,10 +47,11 @@
#include "../common/mbox-util.h"
-/* The default algorithms. If you change them, you should ensure the value
- is inside the bounds enforced by ask_keysize and gen_xxx. See also
- get_keysize_range which encodes the allowed ranges. */
-#define DEFAULT_STD_KEY_PARAM "rsa3072/cert,sign+rsa3072/encr"
+/* The default algorithms. If you change them, you should ensure the
+ value is inside the bounds enforced by ask_keysize and gen_xxx.
+ See also get_keysize_range which encodes the allowed ranges. The
+ default answer in ask_algo also needs to be adjusted. */
+#define DEFAULT_STD_KEY_PARAM "ed25519/cert,sign+cv25519/encr"
#define FUTURE_STD_KEY_PARAM "ed25519/cert,sign+cv25519/encr"
/* When generating keys using the streamlined key generation dialog,
@@ -2112,50 +2113,49 @@ ask_algo (ctrl_t ctrl, int addmode, int *r_subkey_algo, unsigned int *r_usage,
#if GPG_USE_RSA
if (!addmode)
- tty_printf (_(" (%d) RSA and RSA (default)\n"), 1 );
+ tty_printf (_(" (%d) RSA and RSA%s\n"), 1, "");
#endif
if (!addmode && opt.compliance != CO_DE_VS)
- tty_printf (_(" (%d) DSA and Elgamal\n"), 2 );
+ tty_printf (_(" (%d) DSA and Elgamal%s\n"), 2, "");
if (opt.compliance != CO_DE_VS)
- tty_printf (_(" (%d) DSA (sign only)\n"), 3 );
+ tty_printf (_(" (%d) DSA (sign only)%s\n"), 3, "");
#if GPG_USE_RSA
- tty_printf (_(" (%d) RSA (sign only)\n"), 4 );
+ tty_printf (_(" (%d) RSA (sign only)%s\n"), 4, "");
#endif
if (addmode)
{
if (opt.compliance != CO_DE_VS)
- tty_printf (_(" (%d) Elgamal (encrypt only)\n"), 5 );
+ tty_printf (_(" (%d) Elgamal (encrypt only)%s\n"), 5, "");
#if GPG_USE_RSA
- tty_printf (_(" (%d) RSA (encrypt only)\n"), 6 );
+ tty_printf (_(" (%d) RSA (encrypt only)%s\n"), 6, "");
#endif
}
if (opt.expert)
{
if (opt.compliance != CO_DE_VS)
- tty_printf (_(" (%d) DSA (set your own capabilities)\n"), 7 );
+ tty_printf (_(" (%d) DSA (set your own capabilities)%s\n"), 7, "");
#if GPG_USE_RSA
- tty_printf (_(" (%d) RSA (set your own capabilities)\n"), 8 );
+ tty_printf (_(" (%d) RSA (set your own capabilities)%s\n"), 8, "");
#endif
}
#if GPG_USE_ECDSA || GPG_USE_ECDH || GPG_USE_EDDSA
- if (opt.expert && !addmode)
- tty_printf (_(" (%d) ECC and ECC\n"), 9 );
- if (opt.expert)
- tty_printf (_(" (%d) ECC (sign only)\n"), 10 );
+ if (!addmode)
+ tty_printf (_(" (%d) ECC (sign and encrypt)%s\n"), 9, _(" *default*") );
+ tty_printf (_(" (%d) ECC (sign only)\n"), 10 );
if (opt.expert)
- tty_printf (_(" (%d) ECC (set your own capabilities)\n"), 11 );
- if (opt.expert && addmode)
- tty_printf (_(" (%d) ECC (encrypt only)\n"), 12 );
+ tty_printf (_(" (%d) ECC (set your own capabilities)%s\n"), 11, "");
+ if (addmode)
+ tty_printf (_(" (%d) ECC (encrypt only)%s\n"), 12, "");
#endif
if (opt.expert && r_keygrip)
- tty_printf (_(" (%d) Existing key\n"), 13 );
+ tty_printf (_(" (%d) Existing key%s\n"), 13, "");
if (r_keygrip)
- tty_printf (_(" (%d) Existing key from card\n"), 14 );
+ tty_printf (_(" (%d) Existing key from card%s\n"), 14, "");
for (;;)
{
@@ -2164,7 +2164,7 @@ ask_algo (ctrl_t ctrl, int addmode, int *r_subkey_algo, unsigned int *r_usage,
xfree (answer);
answer = cpr_get ("keygen.algo", _("Your selection? "));
cpr_kill_prompt ();
- algo = *answer? atoi (answer) : 1;
+ algo = *answer? atoi (answer) : 9; /* Default algo is 9 */
if (opt.compliance == CO_DE_VS
&& (algo == 2 || algo == 3 || algo == 5 || algo == 7))
@@ -2220,13 +2220,13 @@ ask_algo (ctrl_t ctrl, int addmode, int *r_subkey_algo, unsigned int *r_usage,
break;
}
else if ((algo == 9 || !strcmp (answer, "ecc+ecc"))
- && opt.expert && !addmode)
+ && !addmode)
{
algo = PUBKEY_ALGO_ECDSA;
*r_subkey_algo = PUBKEY_ALGO_ECDH;
break;
}
- else if ((algo == 10 || !strcmp (answer, "ecc/s")) && opt.expert)
+ else if ((algo == 10 || !strcmp (answer, "ecc/s")))
{
algo = PUBKEY_ALGO_ECDSA;
*r_usage = PUBKEY_USAGE_SIG;
@@ -2239,7 +2239,7 @@ ask_algo (ctrl_t ctrl, int addmode, int *r_subkey_algo, unsigned int *r_usage,
break;
}
else if ((algo == 12 || !strcmp (answer, "ecc/e"))
- && opt.expert && addmode)
+ && addmode)
{
algo = PUBKEY_ALGO_ECDH;
*r_usage = PUBKEY_USAGE_ENC;
@@ -2616,7 +2616,7 @@ ask_curve (int *algo, int *subkey_algo, const char *current)
{ "NIST P-256", NULL, NULL, MY_USE_ECDSADH, 0, 1, 0 },
{ "NIST P-384", NULL, NULL, MY_USE_ECDSADH, 0, 0, 0 },
{ "NIST P-521", NULL, NULL, MY_USE_ECDSADH, 0, 1, 0 },
- { "brainpoolP256r1", NULL, "Brainpool P-256", MY_USE_ECDSADH, 1, 1, 0 },
+ { "brainpoolP256r1", NULL, "Brainpool P-256", MY_USE_ECDSADH, 1, 0, 0 },
{ "brainpoolP384r1", NULL, "Brainpool P-384", MY_USE_ECDSADH, 1, 1, 0 },
{ "brainpoolP512r1", NULL, "Brainpool P-512", MY_USE_ECDSADH, 1, 1, 0 },
{ "secp256k1", NULL, NULL, MY_USE_ECDSADH, 0, 1, 0 },
@@ -2672,9 +2672,10 @@ ask_curve (int *algo, int *subkey_algo, const char *current)
}
curves[idx].available = 1;
- tty_printf (" (%d) %s\n", idx + 1,
+ tty_printf (" (%d) %s%s\n", idx + 1,
curves[idx].pretty_name?
- curves[idx].pretty_name:curves[idx].name);
+ curves[idx].pretty_name:curves[idx].name,
+ idx == 0? _(" *default*"):"");
}
gcry_sexp_release (keyparms);
--
2.31.1

1016
gnupg-2.4.5-sast.patch Normal file

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,200 @@
From 1e4f1550996334d2a631a5d769e937d29ace47bb Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 9 Feb 2023 16:38:58 +0100
Subject: [PATCH gnupg] Revert the introduction of the RFC4880bis draft into
defaults
This reverts commit 4583f4fe2 (gpg: Merge --rfc4880bis features into
--gnupg, 2022-10-31).
---
g10/gpg.c | 35 ++++++++++++++++++++++++++++++++---
g10/keygen.c | 30 ++++++++++++++++++------------
2 files changed, 50 insertions(+), 15 deletions(-)
diff --git a/g10/gpg.c b/g10/gpg.c
index dcab0a11a..796888013 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -247,6 +247,7 @@ enum cmd_and_opt_values
oGnuPG,
oRFC2440,
oRFC4880,
+ oRFC4880bis,
oOpenPGP,
oPGP7,
oPGP8,
@@ -636,6 +637,7 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_n (oGnuPG, "no-pgp8", "@"),
ARGPARSE_s_n (oRFC2440, "rfc2440", "@"),
ARGPARSE_s_n (oRFC4880, "rfc4880", "@"),
+ ARGPARSE_s_n (oRFC4880bis, "rfc4880bis", "@"),
ARGPARSE_s_n (oOpenPGP, "openpgp", N_("use strict OpenPGP behavior")),
ARGPARSE_s_n (oPGP7, "pgp6", "@"),
ARGPARSE_s_n (oPGP7, "pgp7", "@"),
@@ -978,7 +980,6 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_n (oNoop, "no-allow-multiple-messages", "@"),
ARGPARSE_s_s (oNoop, "aead-algo", "@"),
ARGPARSE_s_s (oNoop, "personal-aead-preferences","@"),
- ARGPARSE_s_n (oNoop, "rfc4880bis", "@"),
ARGPARSE_s_n (oNoop, "override-compliance-check", "@"),
@@ -2227,7 +2228,7 @@ static struct gnupg_compliance_option compliance_options[] =
{
{ "gnupg", oGnuPG },
{ "openpgp", oOpenPGP },
- { "rfc4880bis", oGnuPG },
+ { "rfc4880bis", oRFC4880bis },
{ "rfc4880", oRFC4880 },
{ "rfc2440", oRFC2440 },
{ "pgp6", oPGP7 },
@@ -2243,8 +2244,28 @@ static struct gnupg_compliance_option compliance_options[] =
static void
set_compliance_option (enum cmd_and_opt_values option)
{
+ opt.flags.rfc4880bis = 0; /* Clear because it is initially set. */
+
switch (option)
{
+ case oRFC4880bis:
+ opt.flags.rfc4880bis = 1;
+ opt.compliance = CO_RFC4880;
+ opt.flags.dsa2 = 1;
+ opt.flags.require_cross_cert = 1;
+ opt.rfc2440_text = 0;
+ opt.allow_non_selfsigned_uid = 1;
+ opt.allow_freeform_uid = 1;
+ opt.escape_from = 1;
+ opt.not_dash_escaped = 0;
+ opt.def_cipher_algo = 0;
+ opt.def_digest_algo = 0;
+ opt.cert_digest_algo = 0;
+ opt.compress_algo = -1;
+ opt.s2k_mode = 3; /* iterated+salted */
+ opt.s2k_digest_algo = DIGEST_ALGO_SHA256;
+ opt.s2k_cipher_algo = CIPHER_ALGO_AES256;
+ break;
case oOpenPGP:
case oRFC4880:
/* This is effectively the same as RFC2440, but with
@@ -2288,6 +2309,7 @@ set_compliance_option (enum cmd_and_opt_values option)
case oPGP8: opt.compliance = CO_PGP8; break;
case oGnuPG:
opt.compliance = CO_GNUPG;
+ opt.flags.rfc4880bis = 1;
break;
case oDE_VS:
@@ -2491,6 +2513,7 @@ main (int argc, char **argv)
opt.emit_version = 0;
opt.weak_digests = NULL;
opt.compliance = CO_GNUPG;
+ opt.flags.rfc4880bis = 1;
/* Check special options given on the command line. */
orig_argc = argc;
@@ -3033,6 +3056,7 @@ main (int argc, char **argv)
case oOpenPGP:
case oRFC2440:
case oRFC4880:
+ case oRFC4880bis:
case oPGP7:
case oPGP8:
case oGnuPG:
@@ -3862,6 +3886,11 @@ main (int argc, char **argv)
if( may_coredump && !opt.quiet )
log_info(_("WARNING: program may create a core file!\n"));
+ if (!opt.flags.rfc4880bis)
+ {
+ opt.mimemode = 0; /* This will use text mode instead. */
+ }
+
if (eyes_only) {
if (opt.set_filename)
log_info(_("WARNING: %s overrides %s\n"),
@@ -4078,7 +4107,7 @@ main (int argc, char **argv)
/* Check our chosen algorithms against the list of legal
algorithms. */
- if(!GNUPG)
+ if(!GNUPG && !opt.flags.rfc4880bis)
{
const char *badalg=NULL;
preftype_t badtype=PREFTYPE_NONE;
diff --git a/g10/keygen.c b/g10/keygen.c
index a2cfe3ccf..2a1dd1f81 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -404,7 +404,7 @@ keygen_set_std_prefs (const char *string,int personal)
strcat(dummy_string,"S7 ");
strcat(dummy_string,"S2 "); /* 3DES */
- if (!openpgp_aead_test_algo (AEAD_ALGO_OCB))
+ if (opt.flags.rfc4880bis && !openpgp_aead_test_algo (AEAD_ALGO_OCB))
strcat(dummy_string,"A2 ");
if (personal)
@@ -889,7 +889,7 @@ keygen_upd_std_prefs (PKT_signature *sig, void *opaque)
/* Make sure that the MDC feature flag is set if needed. */
add_feature_mdc (sig,mdc_available);
add_feature_aead (sig, aead_available);
- add_feature_v5 (sig, 1);
+ add_feature_v5 (sig, opt.flags.rfc4880bis);
add_keyserver_modify (sig,ks_modify);
keygen_add_keyserver_url(sig,NULL);
@@ -3382,7 +3382,10 @@ parse_key_parameter_part (ctrl_t ctrl,
}
}
else if (!ascii_strcasecmp (s, "v5"))
- keyversion = 5;
+ {
+ if (opt.flags.rfc4880bis)
+ keyversion = 5;
+ }
else if (!ascii_strcasecmp (s, "v4"))
keyversion = 4;
else
@@ -3641,7 +3644,7 @@ parse_key_parameter_part (ctrl_t ctrl,
* ecdsa := Use algorithm ECDSA.
* eddsa := Use algorithm EdDSA.
* ecdh := Use algorithm ECDH.
- * v5 := Create version 5 key
+ * v5 := Create version 5 key (requires option --rfc4880bis)
*
* There are several defaults and fallbacks depending on the
* algorithm. PART can be used to select which part of STRING is
@@ -4513,9 +4516,9 @@ read_parameter_file (ctrl_t ctrl, const char *fname )
}
}
- if ((keywords[i].key == pVERSION
- || keywords[i].key == pSUBVERSION))
- ; /* Ignore version. */
+ if (!opt.flags.rfc4880bis && (keywords[i].key == pVERSION
+ || keywords[i].key == pSUBVERSION))
+ ; /* Ignore version unless --rfc4880bis is active. */
else
{
r = xmalloc_clear( sizeof *r + strlen( value ) );
@@ -4610,11 +4613,14 @@ quickgen_set_para (struct para_data_s *para, int for_subkey,
para = r;
}
- r = xmalloc_clear (sizeof *r + 20);
- r->key = for_subkey? pSUBVERSION : pVERSION;
- snprintf (r->u.value, 20, "%d", version);
- r->next = para;
- para = r;
+ if (opt.flags.rfc4880bis)
+ {
+ r = xmalloc_clear (sizeof *r + 20);
+ r->key = for_subkey? pSUBVERSION : pVERSION;
+ snprintf (r->u.value, 20, "%d", version);
+ r->next = para;
+ para = r;
+ }
if (keytime)
{

View File

@ -1,69 +1,84 @@
%bcond_without unversioned_gpg
%bcond_with bootstrap
Summary: Utility for secure communication and data storage
Name: gnupg2
Version: 2.2.20
Release: 3%{?dist}
Version: 2.4.5
Release: 2%{?dist}
License: GPLv3+
Source0: ftp://ftp.gnupg.org/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2
Source1: ftp://ftp.gnupg.org/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2.sig
Patch1: gnupg-2.1.21-insttools.patch
License: CC0-1.0 AND GPL-2.0-or-later AND GPL-3.0-or-later AND LGPL-2.1-or-later AND LGPL-3.0-or-later AND (BSD-3-Clause OR LGPL-3.0-or-later OR GPL-2.0-or-later) AND CC-BY-4.0 AND MIT
Source0: https://gnupg.org/ftp/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2
Source1: https://gnupg.org/ftp/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2.sig
Source2: https://gnupg.org/signature_key.asc
# needed for compatibility with system FIPS mode
Patch3: gnupg-2.1.10-secmem.patch
# non-upstreamable patch adding file-is-digest option needed for Copr
Patch4: gnupg-2.2.20-file-is-digest.patch
# fix handling of missing key usage on ocsp replies - upstream T1333
Patch5: gnupg-2.2.16-ocsp-keyusage.patch
# https://dev.gnupg.org/T1646
Patch4: gnupg-2.4.1-file-is-digest.patch
Patch6: gnupg-2.1.1-fips-algo.patch
# allow 8192 bit RSA keys in keygen UI with large RSA
Patch9: gnupg-2.1.21-large-rsa.patch
Patch9: gnupg-2.2.23-large-rsa.patch
# fix missing uid on refresh from keys.openpgp.org
# https://salsa.debian.org/debian/gnupg2/commit/f292beac1171c6c77faf41d1f88c2e0942ed4437
Patch20: gnupg-2.2.18-tests-add-test-cases-for-import-without-uid.patch
Patch21: gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch
Patch21: gnupg-2.4.0-gpg-allow-import-of-previously-known-keys-even-without-UI.patch
Patch22: gnupg-2.2.18-gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
Patch23: gnupg-2.2.20-CVE-2022-34903.patch
# Fixes for issues found in Coverity scan - reported upstream
Patch30: gnupg-2.2.20-coverity.patch
Patch30: gnupg-2.2.21-coverity.patch
# Revert the introduction of the RFC4880bis draft into defaults
Patch31: gnupg2-revert-rfc4880bis.patch
# Mostly reverts https://dev.gnupg.org/rGeae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed
Patch33: gnupg-2.4.3-restore-systemd-sockets.patch
# Revert default EdDSA key types -- they do not work in FIPS Mode
Patch34: gnupg-2.4.5-revert-default-eddsa.patch
# https://dev.gnupg.org/T7129
Patch35: gnupg-2.4.5-sast.patch
URL: https://www.gnupg.org/
URL: http://www.gnupg.org/
#BuildRequires: automake libtool texinfo transfig
BuildRequires: gcc
BuildRequires: bzip2-devel
BuildRequires: curl-devel
BuildRequires: docbook-utils
BuildRequires: gettext
BuildRequires: libassuan-devel >= 2.1.0
BuildRequires: libgcrypt-devel >= 1.7.0
BuildRequires: libgpg-error-devel >= 1.31
BuildRequires: libksba-devel >= 1.3.0
%if %{without bootstrap}
# Require gnupg2 to verify sources, unless bootstrapping
BuildRequires: gnupg2
%endif
BuildRequires: libassuan-devel >= 2.5.0
BuildRequires: libgcrypt-devel >= 1.9.1
BuildRequires: libgpg-error-devel >= 1.46
BuildRequires: libksba-devel >= 1.6.3
BuildRequires: openldap-devel
BuildRequires: libusb-devel
BuildRequires: pcsc-lite-libs
BuildRequires: ncurses-devel
BuildRequires: npth-devel
BuildRequires: readline-devel ncurses-devel
BuildRequires: readline-devel
BuildRequires: zlib-devel
BuildRequires: gnutls-devel
BuildRequires: sqlite-devel
BuildRequires: fuse
BuildRequires: make
BuildRequires: systemd-rpm-macros
BuildRequires: tpm2-tss-devel
# for tests
BuildRequires: openssh-clients
BuildRequires: swtpm
Requires: libgcrypt >= 1.7.0
Requires: libgpg-error >= 1.31
Requires: libgcrypt >= 1.9.1
Requires: libgpg-error >= 1.46
Recommends: pinentry
Recommends: gnupg2-smime
%if %{with unversioned_gpg}
# for USB smart card support
Recommends: pcsc-lite-ccid
# pgp-tools, perl-GnuPG-Interface requires 'gpg' (not sure why) -- Rex
Provides: gpg = %{version}-%{release}
# Obsolete GnuPG-1 package
Provides: gnupg = %{version}-%{release}
Obsoletes: gnupg <= 1.4.10
%endif
Obsoletes: gnupg < 1.4.24
Provides: dirmngr = %{version}-%{release}
Obsoletes: dirmngr < 1.2.0-1
@ -72,7 +87,7 @@ Obsoletes: dirmngr < 1.2.0-1
%package smime
Summary: CMS encryption and signing tool and smart card support for GnuPG
Requires: gnupg2 = %{version}-%{release}
Requires: gnupg2%{?_isa} = %{version}-%{release}
%description
@ -93,23 +108,25 @@ package adds support for smart cards and S/MIME encryption and signing
to the base GnuPG package
%prep
%if ! %{with bootstrap}
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%endif
%setup -q -n gnupg-%{version}
%if %{with unversioned_gpg}
%patch1 -p1 -b .insttools
%endif
%patch3 -p1 -b .secmem
%patch4 -p1 -b .file-is-digest
%patch5 -p1 -b .keyusage
%patch6 -p1 -b .fips
%patch9 -p1 -b .large-rsa
%patch 3 -p1 -b .secmem
%patch 4 -p1 -b .file-is-digest
%patch 6 -p1 -b .fips
%patch 9 -p1 -b .large-rsa
%patch20 -p1 -b .test_missing_uid
%patch21 -p1 -b .prev_known_key
%patch22 -p1 -b .good_revoc
%patch23 -p1 -b .CVE-2022-34903
%patch 20 -p1 -b .test_missing_uid
%patch 21 -p1 -b .prev_known_key
%patch 22 -p1 -b .good_revoc
%patch30 -p1 -b .coverity
%patch 30 -p1 -b .coverity
%patch 31 -p1 -b .revert-rfc4880bis
%patch 33 -p1 -b .restore-systemd-sockets
%patch 34 -p1 -R -b .eddsa
%patch 35 -p1 -b .sast
# pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
# Note: this is just the name of the default shared lib to load in scdaemon,
@ -120,50 +137,42 @@ sed -i -e 's/"libpcsclite\.so"/"%{pcsclib}"/' scd/scdaemon.c
%build
%configure \
%if %{without unversioned_gpg}
--enable-gpg-is-gpg2 \
%endif
--disable-gpgtar \
--disable-rpath \
--enable-g13 \
--disable-ccid-driver \
--with-tss=intel \
--enable-large-secmem
# need scratch gpg database for tests
mkdir -p $HOME/.gnupg
make %{?_smp_mflags}
%make_build
%install
make install DESTDIR=%{buildroot} \
INSTALL="install -p" \
%make_install \
docdir=%{_pkgdocdir}
%if %{without unversioned_gpg}
# rename file conflicting with gnupg-1.x
rename gnupg.7 gnupg2.7 %{buildroot}%{_mandir}/man7/gnupg.7*
%endif
%find_lang %{name}
# gpgconf.conf
mkdir -p %{buildroot}%{_sysconfdir}/gnupg
touch %{buildroot}%{_sysconfdir}/gnupg/gpgconf.conf
mkdir -p %{buildroot}%{_sysconfdir}/profile.d
echo "export GPG_TTY=\$(tty)" > %{buildroot}%{_sysconfdir}/profile.d/gnupg2.sh
echo "setenv GPG_TTY \`tty\`" > %{buildroot}%{_sysconfdir}/profile.d/gnupg2.csh
# more docs
install -m644 -p AUTHORS NEWS THANKS TODO \
%{buildroot}%{_pkgdocdir}
%if %{with unversioned_gpg}
# compat symlinks
ln -sf gpg %{buildroot}%{_bindir}/gpg2
ln -sf gpgv %{buildroot}%{_bindir}/gpgv2
ln -sf gpg.1 %{buildroot}%{_mandir}/man1/gpg2.1
ln -sf gpgv.1 %{buildroot}%{_mandir}/man1/gpgv2.1
ln -sf gnupg.7 %{buildroot}%{_mandir}/man7/gnupg2.7
%endif
# info dir
rm -f %{buildroot}%{_infodir}/dir
@ -183,31 +192,34 @@ make -k check
%files -f %{name}.lang
%{!?_licensedir:%global license %%doc}
%license COPYING
#doc AUTHORS NEWS README THANKS TODO
%{_pkgdocdir}
%dir %{_sysconfdir}/gnupg
%ghost %config(noreplace) %{_sysconfdir}/gnupg/gpgconf.conf
%{_sysconfdir}/profile.d/gnupg2.sh
%{_sysconfdir}/profile.d/gnupg2.csh
## docs say to install suid root, but fedora/rh security folk say not to
%{_bindir}/gpg2
%{_bindir}/gpgv2
%{_bindir}/gpg-card
%{_bindir}/gpg-connect-agent
%{_bindir}/gpg-agent
%{_bindir}/gpg-wks-client
%{_bindir}/gpgconf
%{_bindir}/gpgparsemail
%{_bindir}/gpgtar
%{_bindir}/g13
%{_bindir}/dirmngr
%{_bindir}/dirmngr-client
%if %{with unversioned_gpg}
%{_bindir}/gpg
%{_bindir}/gpgv
%{_bindir}/gpgsplit
%{_bindir}/gpg-zip
%endif
%{_bindir}/watchgnupg
%{_bindir}/gpg-wks-server
%{_sbindir}/*
%{_sbindir}/addgnupghome
%{_sbindir}/applygnupgdefaults
%{_sbindir}/g13-syshelp
%{_datadir}/gnupg/
%{_libexecdir}/*
%{_infodir}/*.info*
@ -222,18 +234,219 @@ make -k check
%changelog
* Wed Aug 03 2022 Jakub Jelen <jjelen@redhat.com> - 2.2.20-3
- Fix CVE-2022-34903 (#2108447)
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2.4.5-2
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Mon May 4 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.20-2
* Thu Jul 04 2024 Jakub Jelen <jjelen@redhat.com> - 2.4.5-1
- New upstream release (#2268461)
- Set GPG_TTY in profile.d (#2264985)
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2.4.4-2
- Bump release for June 2024 mass rebuild
* Fri Jan 26 2024 Jakub Jelen <jjelen@redhat.com> - 2.4.4-1
- New upstream release (#2260333)
* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Nov 10 2023 Jakub Jelen <jjelen@redhat.com> - 2.4.3-4
- Avoid creation of development versions (#2249037)
* Mon Nov 06 2023 Jakub Jelen <jjelen@redhat.com> - 2.4.3-3
- Restore systemd units and sockets (#2158627)
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Mon Jul 10 2023 Jakub Jelen <jjelen@redhat.com> - 2.4.3-1
- New upstream release (#2193503)
* Thu Jun 01 2023 Michael J Gruber <mjg@fedoraproject.org> - 2.4.2-2
- fix emacs usage (rhbz#2212090)
* Wed May 31 2023 Jakub Jelen <jjelen@redhat.com> - 2.4.2-1
- New upstream release
- Build with TPM2 support
* Fri Apr 28 2023 Todd Zullinger <tmz@pobox.com> - 2.4.1-1
- update to 2.4.1 (#2193503)
* Fri Apr 28 2023 Todd Zullinger <tmz@pobox.com> - 2.4.0-4
- remove %%skip_verify, brainpool signatures are supported now
* Fri Mar 03 2023 Jakub Jelen <jjelen@redhat.com> - 2.4.0-3
- Revert introduction of the RFC4880bis draft into defaults
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Tue Dec 20 2022 Todd Zullinger <tmz@pobox.com> - 2.4.0-1
- update to 2.4.0 (#2155170)
* Mon Oct 17 2022 Todd Zullinger <tmz@pobox.com> - 2.3.8-1
- update to 2.3.8
- BR systemd-rpm-macros for %%{_userunitdir}
* Mon Oct 17 2022 Todd Zullinger <tmz@pobox.com> - 2.3.7-5
- verify upstream signatures in %%prep, unless bootstrapping
* Wed Oct 05 2022 Todd Zullinger <tmz@pobox.com> - 2.3.7-4
- update BR/R versions for libassuan, libgpg-error, and libksba
- drop with/without unversioned_gpg, last used with fedora-29
* Mon Aug 01 2022 Jakub Jelen <jjelen@redhat.com> - 2.3.7-3
- Fix yubikey 5 detection (#2107766)
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Tue Jul 12 2022 Jakub Jelen <jjelen@redhat.com> - 2.3.7-1
- New upstream release (#2106045)
* Mon Jul 04 2022 Jakub Jelen <jjelen@redhat.com> - 2.3.6-2
- Fix for CVE-2022-34903 (#2103242)
- Fix focing AEAD through configuration files (#2093760)
* Mon Apr 25 2022 Jakub Jelen <jjelen@redhat.com> - 2.3.6-1
- New upstream release (#2078550)
* Mon Apr 25 2022 Jakub Jelen <jjelen@redhat.com> - 2.3.5-1
- New upstream release (#2077616)
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Tue Dec 21 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.4-1
- New upstream release (#2034437)
* Mon Nov 15 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.3-2
- Fix file-is-digest patch (#2022904)
* Wed Oct 13 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.3-1
- New upstream release (2013388)
* Wed Oct 06 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.2-3
- Fix crash in agent when deciphering (#2009978)
- Recommend pcsc-lite-ccid to support USB smart cards (#2007923)
* Mon Sep 20 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.2-2
- Disable ccid driver to avoid clash with pcscd (#2005714)
* Wed Aug 25 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.2-1
- New upstream relase (#1997276)
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Wed Apr 21 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.1-1
- New upstream release (#1947159)
* Mon Mar 29 2021 Jakub Jelen <jjelen@redhat.com> - 2.2.27-4
- Add a configuration to not require exclusive access to PCSC
* Thu Feb 18 2021 Jakub Jelen <jjelen@redhat.com> - 2.2.27-3
- Bump required libgpg-error version (#1930110)
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.27-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Jan 12 2021 Jakub Jelen <jjelen@redhat.com> - 2.2.27-1
- New upstream release (#1909825)
* Mon Jan 04 2021 Jakub Jelen <jjelen@redhat.com> - 2.2.26-1
- New upstream release (#1909825)
* Tue Nov 24 2020 Jakub Jelen <jjelen@redhat.com> - 2.2.25-2
- Enable gpgtar (#1901103)
* Tue Nov 24 2020 Jakub Jelen <jjelen@redhat.com> - 2.2.25-1
- Update to 2.2.25 (#1900815)
* Thu Nov 19 2020 Jakub Jelen <jjelen@redhat.com> - 2.2.24-1
- Update to 2.2.24 (#1898504)
* Fri Sep 4 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.23-1
- upgrade to 2.2.23
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.21-4
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.21-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 21 2020 Tom Stellard <tstellar@redhat.com> - 2.2.21-2
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Mon Jul 20 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.21-1
- upgrade to 2.2.21
* Mon May 4 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.20-3
- fixes for issues found in Coverity scan
* Thu Apr 30 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.20-1
* Thu Apr 30 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.20-2
- move systemd user units to _userunitdir (no activation by default)
* Tue Apr 14 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.20-1
- upgrade to 2.2.20
* Wed Jan 29 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.19-1
- upgrade to 2.2.19
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.18-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Sat Jan 4 2020 Marcel Härry <mh+fedora@scrit.ch> - 2.2.18-3
- Add patches to be able to deal with keys without uids (#1787708)
* Fri Dec 6 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.18-2
- fix abort when decrypting data with anonymous recipient (#1780057)
* Tue Dec 3 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.18-1
- upgrade to 2.2.18
* Wed Nov 6 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.17-3
- fix the gnupg(7) manual page (#1769072)
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.17-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon Jul 15 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.17-1
- upgrade to 2.2.17
* Mon Jul 1 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.16-1
- upgrade to 2.2.16
* Tue Feb 26 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.13-1
- upgrade to 2.2.13
* Sun Feb 17 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.2.12-3
- Rebuild for readline 8.0
* Mon Feb 4 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.12-2
- make it build with gcc-9
* Tue Jan 8 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.12-1
- upgrade to 2.2.12
* Sat Dec 08 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.2.11-2
- Provide unversioned GPG on F30+
* Fri Nov 30 2018 Tomáš Mráz <tmraz@redhat.com> - 2.2.11-1
- upgrade to 2.2.11
* Wed Aug 1 2018 Tomáš Mráz <tmraz@redhat.com> - 2.2.9-1
- upgrade to 2.2.9
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Mon Jun 11 2018 Tomáš Mráz <tmraz@redhat.com> - 2.2.8-1
- upgrade to 2.2.8 fixing CVE 2018-12020

23
plans/ci.fmf Normal file
View File

@ -0,0 +1,23 @@
/fips-disabled-buildroot-disabled:
plan:
import:
url: https://pkgs.devel.redhat.com/git/tests/gnupg2
name: /plans/ci/fips-disabled-buildroot-disabled
/fips-disabled-buildroot-enabled:
plan:
import:
url: https://pkgs.devel.redhat.com/git/tests/gnupg2
name: /plans/ci/fips-disabled-buildroot-enabled
/fips-enabled-buildroot-disabled:
plan:
import:
url: https://pkgs.devel.redhat.com/git/tests/gnupg2
name: /plans/ci/fips-enabled-buildroot-disabled
/fips-enabled-buildroot-enabled:
plan:
import:
url: https://pkgs.devel.redhat.com/git/tests/gnupg2
name: /plans/ci/fips-enabled-buildroot-enabled

86
signature_key.asc Normal file
View File

@ -0,0 +1,86 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQGNBFjLuq4BDACnM7zNSIaVMAacTwjXa5TGYe13i6ilHe4VL0NShzrgzjcQg531
3cRgiiiNA7OSOypMqVs73Jez6ZUctn2GVsHBrS/io9NcuC9pVwf8a61WlcEa+EtB
a3G7HlBmEWnwaUdAtWKNuAi9Xn+Ir7H2xEdksmmd5a0/QnL+sX705boVPF/tpYtb
LGpPxa78tNrtxDkSwy8Wmi0IADYLI5yI7/yUGeJd8RSCU/fLRKC9fG7YOZRq0tsO
MhVNWmtUjbG6e73Lu8LKnCZgs1/fC8hvPyARieSV5mdN8s1oWd7oYctfgL4uBleD
ItAA8GhjKejutzHN8Ei/APw6AiiSyEjnPg+cTX8OgvLGJWjks0H6mPZeB1v/kGyZ
hBS9vm540h2/MmlVN2ntiCK5TZGeSWpqddiqusfVXotMRpN4HeLKoZh4RAncaCbZ
F/S+YLeN+kMXY4k3Fqt1fjTX6veFCbthI9pDdHzU9LfUVNp9D/5ktC/tYMORMegV
+wSMxi9G2YWKJkMAEQEAAYkBzgQfAQgAOBYhBFuAxXVCmPDLVdjtarzvfilLCS4o
BQJYy8DdFwyAAZSlyaA8L+XKOwldjh/fcjz0YraxAgcAAAoJELzvfilLCS4oNgoL
/0+K1xIx8JW7Lk5M6bYCvNA4fdlEcwQIT4UidJFM9m+suxYFWIGfebvHpRlEuJTg
dBjkEit8uLAoJXU0BRkKTLrzTF+qDUE79Wfx/R+0nOgJ7aMykQOi0AvuwzMYz4dg
xIVS2Daou4DF7bh/KF8+fqrmq8P8W1ZrkuFDanMWpHeAPx1uj2skYbo7uPqFdvlJ
hlNHrcxlcCkjf1InAt0Xt5lMvEsCRUPf9xAH4mNEhs0lh9c+200YPRmtnLWAzc1K
ckLIC8Q+mUR3DjZDqBlDBEPegXkrI0+MlvRA+9AnAm4YPqTMUfpZ6ZOAWeFjC/6Z
QYxG/AdWGkb4WFindzklQfybEuiekP8vU07ACQwSwH8PYe0UCom1YrlRUjX7QLkn
ZLWoeZg8BZy9GTM1Ut7Q1Q2uTw6mxxISuef+RFgYOHjWwLpFWZpqC88xERl7o/iz
iERJRt/593IctbjO9wenWt2peIAwzR4nz7LqM6ZFTdRAETmcdSvYRhg2Qt8hUE47
CbQkQW5kcmUgSGVpbmVja2UgKFJlbGVhc2UgU2lnbmluZyBLZXkpiQHUBBMBCAA+
FiEEW4DFdUKY8MtV2O1qvO9+KUsJLigFAljLuq4CGwMFCRLMAwAFCwkIBwIGFQgJ
CgsCBBYCAwECHgECF4AACgkQvO9+KUsJLihC/QwAhCC+SEvcFLcutgZ8HfcCtoZs
IoVzZEy7DjqIvGgnTssD8HCLnIAHCDvnP7dJW3uMuLCdSqym3cjlEIiQMsaGywkl
fzJISAwJrGQdWSKRd535jXpEXQlXDKal/IwMKAUt0PZtlCc9S3gwixQryxdJ28lJ
6h2T9fVDr8ZswMmTAFG91uctfhjKOMgPt8UhSPGW484WsIsQgkbOvf+Kfswl0eHu
ywX+pKAB5ZQ/9GVC6Ug4xfrdiJL0azJTPnvjMY5JYp6/L9RURs5hP5AnHR2j/PPo
sAtsFCjmbRbOMiASzklnUJPbSz5kfLloDWZmrUScjbzmsXehGyt433JGyRhZJl4x
/jPbzKhaaAHsGd+fRao6vlLOwFywDDVMp6JuyK7UeUb7I8ekTbSkGFA+l2Oa3O6/
Y7PYhq7hwwAFuZckYI98IpHNCG1fS9W07FyKdvQbK1PbF1JFRKfsUCWYMKqDnbqE
o5jivPEHZImw6iYhhXcyEYl8fjcb9T6/S+wOP7aviQGzBBABCAAdFiEElKXJoDwv
5co7CV2OH99yPPRitrEFAljLv5sACgkQH99yPPRitrFw4gv/XFMFN+/LHsn9hJOP
4rCwl1yUuxXuYmZgc0sRoY3EpeQkJVyKurQuqqKoy2VuoMiF0O1kAQmGoFtVPUk7
b8hCoutqB5GyeyKcoLP+WINgVhB2gXg7TSp3MPLBKkgqvSDvPitgRxBqFb4LW8LJ
bDbfwGrzIvXfDV3WvsrHVPbc2fhlWdL8d+3AE6mFiXF3eTpgmV3ApSBQV12MkkCk
icLIPmp+ZxZON+OP52ZXkRtfMgOy4Oa/41agrViDAZdMOGeGkhPertQheQZgXzmo
GF5Wz498HPM80Kv35X91l3iGzL+icEtO+tWea2YscsZ6qpRe2lfVPHk3B+anlmCj
m4kM4cBd39xa4HHSVh/bRHbZNtgVr7slQCKxlHgQOGVI5vCxPCwEsgJ2KBk03Nk/
IA9EKO+czfh3/bHW6uMbEqrYDCnt+hmzZrpKDSGcwS/KOhvMUIMlb7/8vDKum6mp
/8xAtVZ6IAxYZNt3qg7Y7aLRtzCTyqm8rJQrZPtRaQcgLoEimDMEX0PliRYJKwYB
BAHaRw8BAQdAz75Hlekc16JhhfI0MKdEVxLdkxhcMCO0ZG6WMBAmNpe0H1dlcm5l
ciBLb2NoIChkaXN0IHNpZ25pbmcgMjAyMCmImgQTFgoAQhYhBG2qbmSnbShAVxtJ
AlKIl7gmQDraBQJfQ+w1AhsDBQkShccRBQsJCAcCAyICAQYVCgkICwIEFgIDAQIe
BwIXgAAKCRBSiJe4JkA62nmuAP9uL/HOdB0gvwWrH+FpURJLs4bnaZaPIk9ARrU0
EXRgJgD/YCGfHQXpIPT0ZaXuwJexK04Z+qMFR/bM1q1Leo5CjgaIbQQQEQsAHRYh
BIBhWHD1utaQMzaG0PKthaweQrNnBQJfQ/HmAAoJEPKthaweQrNnIZkA3jG6LcZv
V/URn8Y8OJqsyYa4C3NI4nN+OhEvYhgA4PHzMnALeXIpA2gblvjFIPJPAhDBAU37
c5PA6+6IdQQQFggAHRYhBK6oTtzwGthsRwHIXGMROuhmWH0KBQJfQ/IlAAoJEGMR
OuhmWH0K1+MA/0uJ5AHcnSfIBEWHNJwwVVLGyrxAWtS2U+zeymp/UvlPAQDErCLZ
l0dBiPG3vlowFx5TNep7tanBs6ZJn8F1ao1tAIkBMwQQAQgAHRYhBNhpISPEBl3q
Xg86tSSbOdJPJeO2BQJfQ/OuAAoJECSbOdJPJeO2DVoH/0o9if66ph6FJrgr+A/W
HNVeHxmM5tUQhpL1wpRS70SKcsJgolf5CxO5iTQf3HlZe544xGbIU/aCTJsWw9zi
UE8KmhAtKV4eL/7oQ7xx4nxPnABLpudtM8A44nsM1x/XiYrJnnDm29QjYEGd2Hi8
7npc7VWKzLoj+I/WcXquynJi5O9TUxW9Bknd1pjpxFkf8v+msjBzCD5VKJgr0CR8
wA6peQBWeGZX2HacosMIZH4TfL0r0TFla6LJIkNBz9DyIm1yL4L8oRH0950hQljP
C7TM3L7aRpX+4Kph6llFz6g7MALGFP95kyJ6o+XED9ORuuQVZMBMIkNC0tXOu10V
bdqIdQQQFgoAHRYhBMHTS2khnkruwLocIeP9/yGORbcrBQJfQ/P8AAoJEOP9/yGO
Rbcr3lQBAMas8Vl3Hdl3g2I283lz1uHiGvlwcnk2TLeB+U4zIwC9AQCy0nnazVNt
VQPID1ZCMoaOX7AzOjaqQDLf4j+dVTxgBJgzBGCkgocWCSsGAQQB2kcPAQEHQJmd
fwp8jEN5P3eEjhQiWk6zQi8utvgOvYD57XmE+H8+tCBOaWliZSBZdXRha2EgKEdu
dVBHIFJlbGVhc2UgS2V5KYiaBBMWCgBCFiEErI4RW/c+LY1H+pkI6Y6bLRnGyL0F
AmCkgocCGwMFCQsNBpkFCwkIBwIDIgIBBhUKCQgLAgQWAgMBAh4HAheAAAoJEOmO
my0Zxsi9/4IA/1rvSr3MU+Sv4jhNDzD+CeC3gmHkPew6pi9VHEsEwdgmAQD2BtiX
7w1sJL/CBylGWv5jxj4345mP9YfZm0RsgzPjDIh1BBAWCAAdFiEEJJyzdxdQdF1c
3TI84mewUjZPAo0FAmFAQ54ACgkQ4mewUjZPAo1CiAD+KTT1UVdQTGHMyvHwZocS
QjU8xhcZrTet+dvvjrE5+4MA/RBdJPZgFevUKu68NEy0Lo+RbkeCtmQJ/c8v5ieF
vW0AiQEzBBABCAAdFiEEEkEkvTtIYq96CkLxALRevUynur4FAmFAQ7cACgkQALRe
vUynur4kaAgAolPR8TNWVS0vXMKrr0k0l2M/8QkZTaLZx1GT9Nx1yb4WJKY7ElPM
YkhGDxetvFBETx0pH/6R3jtj6Crmur+NKHVSRY+rCYpFPDn6ciIOryssRx2G4kCZ
t+nFB9JyDbBOZAR8DK4pN1mAxG/yLDt4oKcUQsP2xlEFum+phxyR8KyYCpkwKRxY
eK+6lfilQuveoUwp/Xx5wXPNUy6q4eOOovCW7gS7I7288NGHCa2ul8sD6vA9C4mM
4Zxaole9P9wwJe1zZFtCIy88zHM9vqv+YM9DxMCaW24+rUztr7eD4bCRdG+QlSh+
7R/TaqSxY1eAAd1J5tma9CNJO73pTKU+/JhTBGFpSqMTCSskAwMCCAEBBwIDBF6X
D9NmUQDgiyYNbhs1DMJ14mIw812wY1HVx/4QWYWiBunhrvSFxVbzsjD7/Wv+v3bm
MPrL+M2DLyFiSewNmcS0JEdudVBHLmNvbSAoUmVsZWFzZSBTaWduaW5nIEtleSAy
MDIxKYiaBBMTCABCFiEEAvON/3Mf+XywOaHaVJ5pXpBboggFAmFpSqMCGwMFCQ9x
14oFCwkIBwIDIgIBBhUKCQgLAgQWAgMBAh4HAheAAAoJEFSeaV6QW6IITkoA/RYa
jaTl1eEBU/Gdm12o3jrI55N5xZK2XTqSx25clVyjAP0XwMW/Og5+ND1ri3bAqADV
WlBDUswz8wYxsb0C4kYBkoh1BBAWCgAdFiEEbapuZKdtKEBXG0kCUoiXuCZAOtoF
AmFpTvEACgkQUoiXuCZAOtrJQAEAh7YyykjAy/Qs1yC3ji8iBfIVnPXvblrIx3SR
RyDwRC8BAKtZbEuKTtPlgkLUgMleTcZJ/vEhJE+GvfQ9o5gWCqEFiHUEEBYKAB0W
IQTB00tpIZ5K7sC6HCHj/f8hjkW3KwUCYWlPWgAKCRDj/f8hjkW3Kx4eAQDp6aGS
N/fU4xLl8RSvQUVjVA+aCTrMQR3hRwqw8liF2wEA3O3ECxz6e1+DoItYoJBBLKLw
eiInsGZ/+h5XYrpXTgA=
=4+Sn
-----END PGP PUBLIC KEY BLOCK-----

2
sources Normal file
View File

@ -0,0 +1,2 @@
SHA512 (gnupg-2.4.5.tar.bz2) = 4d54744f09399c5899144d0cb5fdc2756e45b058db41b9ea9df3be03e80b914509e16ef35aa0248e7561185b80f7a5f9fd6afcab8ccff75ff82ed555448a38ff
SHA512 (gnupg-2.4.5.tar.bz2.sig) = 53be0db371a98c930cbef9c844adcd06a8049d84dd71508f6f7427fc1736b374912c85ebf3a415748651260f65cf26f633697f4bdae2cc4a8d2c4b522db0bc71