From 873665024ebfaa761ee49b508a79db7178aeb778 Mon Sep 17 00:00:00 2001 
From: davidovski Date: Sat, 4 Jun 2022 15:08:04 +0100 Subject: added gnupg --- .../0001-Include-sys-select.h-for-FD_SETSIZE.patch | 31 +++ repo/gnupg/0010-avoid-beta-warning.patch | 46 ++++ ...regenerating-defsincdate-use-shipped-file.patch | 41 ++++ ...0110-avoid-simple-memory-dumps-via-ptrace.patch | 91 ++++++++ ...tential-race-condition-when-some-host-die.patch | 83 ++++++++ ...0-dirmngr-avoid-need-for-hkp-housekeeping.patch | 232 +++++++++++++++++++++ ...void-automatically-checking-upstream-swdb.patch | 51 +++++ repo/gnupg/0310-gpg-default-to-3072-bit-keys.patch | 93 +++++++++ repo/gnupg/0320-gpg-default-to-aes256.patch | 37 ++++ ...ha512-for-all-signature-types-on-rsa-keys.patch | 66 ++++++ ...efer-sha512-and-sha384-in-personal-digest.patch | 48 +++++ .../0410-make-gpg-zip-use-tar-from-path.patch | 29 +++ ...ean-from-default-keyserver-import-options.patch | 51 +++++ repo/gnupg/60-scdaemon.rules | 63 ++++++ repo/gnupg/fix-i18n.patch | 12 ++ repo/gnupg/gnupg-scdaemon.pre-install | 4 + repo/gnupg/gnupg.xibuild | 73 +++++++ 17 files changed, 1051 insertions(+) create mode 100644 repo/gnupg/0001-Include-sys-select.h-for-FD_SETSIZE.patch create mode 100644 repo/gnupg/0010-avoid-beta-warning.patch create mode 100644 repo/gnupg/0020-avoid-regenerating-defsincdate-use-shipped-file.patch create mode 100644 repo/gnupg/0110-avoid-simple-memory-dumps-via-ptrace.patch create mode 100644 repo/gnupg/0210-dirmngr-hkp-avoid-potential-race-condition-when-some-host-die.patch create mode 100644 repo/gnupg/0220-dirmngr-avoid-need-for-hkp-housekeeping.patch create mode 100644 repo/gnupg/0230-dirmngr-avoid-automatically-checking-upstream-swdb.patch create mode 100644 repo/gnupg/0310-gpg-default-to-3072-bit-keys.patch create mode 100644 repo/gnupg/0320-gpg-default-to-aes256.patch create mode 100644 repo/gnupg/0330-gpg-default-to-sha512-for-all-signature-types-on-rsa-keys.patch create mode 100644 repo/gnupg/0340-gpg-prefer-sha512-and-sha384-in-personal-digest.patch create mode 100644 
repo/gnupg/0410-make-gpg-zip-use-tar-from-path.patch create mode 100644 repo/gnupg/0420-gpg-drop-import-clean-from-default-keyserver-import-options.patch create mode 100644 repo/gnupg/60-scdaemon.rules create mode 100644 repo/gnupg/fix-i18n.patch create mode 100644 repo/gnupg/gnupg-scdaemon.pre-install create mode 100644 repo/gnupg/gnupg.xibuild (limited to 'repo/gnupg') diff --git a/repo/gnupg/0001-Include-sys-select.h-for-FD_SETSIZE.patch b/repo/gnupg/0001-Include-sys-select.h-for-FD_SETSIZE.patch new file mode 100644 index 0000000..a835f39 --- /dev/null +++ b/repo/gnupg/0001-Include-sys-select.h-for-FD_SETSIZE.patch @@ -0,0 +1,31 @@ +From d2f3053e156a8dfc3e2e7f8fa814f671d851b26f Mon Sep 17 00:00:00 2001 +From: Natanael Copa +Date: Fri, 4 Jul 2014 08:15:21 +0000 +Subject: [PATCH] Include sys/select.h for FD_SETSIZE + +This fixes the following compile error with musl libc: +watchgnupg.c:225:18: error: 'FD_SETSIZE' undeclared (first use in this +function) + else if (fd >= FD_SETSIZE) + ^ + +Signed-off-by: Natanael Copa +--- + tools/watchgnupg.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/watchgnupg.c b/tools/watchgnupg.c +index 4f4d54d..7aede22 100644 +--- a/tools/watchgnupg.c ++++ b/tools/watchgnupg.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + #include + #include + #include +-- +2.0.1 + diff --git a/repo/gnupg/0010-avoid-beta-warning.patch b/repo/gnupg/0010-avoid-beta-warning.patch new file mode 100644 index 0000000..2c3c873 --- /dev/null +++ b/repo/gnupg/0010-avoid-beta-warning.patch 
@@ -0,0 +1,46 @@ +From: Debian GnuPG Maintainers +Date: Tue, 14 Apr 2015 10:02:31 -0400 +Subject: avoid-beta-warning + +avoid self-describing as a beta + +Using autoreconf against the source as distributed in tarball form +invariably results in a package that thinks it's a "beta" package, +which produces the "THIS IS A DEVELOPMENT VERSION" warning string. + +since we use dh_autoreconf, i need this patch to avoid producing +builds that announce themselves as DEVELOPMENT VERSIONs. + +See discussion at: + + http://lists.gnupg.org/pipermail/gnupg-devel/2014-November/029065.html +--- + autogen.sh | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/debian-packaging/avoid-beta-warning.patch + +diff --git a/autogen.sh b/autogen.sh +index b238550..9b86d3f 100755 +--- a/autogen.sh ++++ b/autogen.sh +@@ -229,7 +229,7 @@ if [ "$myhost" = "find-version" ]; then + esac + + beta=no +- if [ -e .git ]; then ++ if false; then + ingit=yes + tmp=$(git describe --match "${matchstr1}" --long 2>/dev/null) + tmp=$(echo "$tmp" | sed s/^"$package"//) +@@ -245,8 +245,8 @@ if [ "$myhost" = "find-version" ]; then + rvd=$((0x$(echo ${rev} | dd bs=1 count=4 2>/dev/null))) + else + ingit=no +- beta=yes +- tmp="-unknown" ++ beta=no ++ tmp="" + rev="0000000" + rvd="0" + fi diff --git a/repo/gnupg/0020-avoid-regenerating-defsincdate-use-shipped-file.patch b/repo/gnupg/0020-avoid-regenerating-defsincdate-use-shipped-file.patch new file mode 100644 index 0000000..2ce171a --- /dev/null +++ b/repo/gnupg/0020-avoid-regenerating-defsincdate-use-shipped-file.patch 
@@ -0,0 +1,41 @@ +From: Daniel Kahn Gillmor +Date: Mon, 29 Aug 2016 12:34:42 -0400 +Subject: avoid regenerating defsincdate (use shipped file) + +upstream ships doc/defsincdate in its tarballs. but doc/Makefile.am +tries to rewrite doc/defsincdate if it notices that any of the files +have been modified more recently, and it does so assuming that we're +running from a git repo. + +However, we'd rather ship the documents cleanly without regenerating +defsincdate -- we don't have a git repo available (debian builds from +upstream tarballs) and any changes to the texinfo files (e.g. from +debian/patches/) might result in different dates on the files than we +expect after they're applied by dpkg or quilt or whatever, which makes +the datestamp unreproducible. +--- + doc/Makefile.am | 9 --------- + 1 file changed, 9 deletions(-) + +Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/debian-packaging/avoid-regenerating-defsincdate-use-shipped-file.patch + +diff --git a/doc/Makefile.am b/doc/Makefile.am +index 2b882c3..6be571b 100644 +--- a/doc/Makefile.am ++++ b/doc/Makefile.am +@@ -178,15 +178,6 @@ $(myman_pages) gnupg.7 : yat2m-stamp defs.inc + + dist-hook: defsincdate + +-defsincdate: $(gnupg_TEXINFOS) +- : >defsincdate ; \ +- if test -e $(top_srcdir)/.git; then \ +- (cd $(srcdir) && git log -1 --format='%ct' \ +- -- $(gnupg_TEXINFOS) 2>/dev/null) >>defsincdate; \ +- elif test x"$$SOURCE_DATE_EPOCH" != x; then \ +- echo "$$SOURCE_DATE_EPOCH" >>defsincdate ; \ +- fi +- + defs.inc : defsincdate Makefile mkdefsinc + incd="`test -f defsincdate || echo '$(srcdir)/'`defsincdate"; \ + ./mkdefsinc -C $(srcdir) --date "`cat $$incd 2>/dev/null`" \ diff --git a/repo/gnupg/0110-avoid-simple-memory-dumps-via-ptrace.patch b/repo/gnupg/0110-avoid-simple-memory-dumps-via-ptrace.patch new file mode 100644 index 0000000..644b8a5 --- /dev/null +++ b/repo/gnupg/0110-avoid-simple-memory-dumps-via-ptrace.patch 
@@ -0,0 +1,91 @@ +From: Daniel Kahn Gillmor +Date: Tue, 11 Aug 2015 20:28:26 -0400 +Subject: Avoid simple memory dumps via ptrace + +This avoids needing to setgid gpg-agent. It probably doesn't defend +against all possible attacks, but it defends against one specific (and +easy) one. If there are other protections we should do them too. + +This will make it slightly harder to debug the agent because the +normal user won't be able to attach gdb to it directly while it runs. + +The remaining options for debugging are: + + * launch the agent from gdb directly + * connect gdb to a running agent as the superuser + +Upstream bug: https://dev.gnupg.org/T1211 +--- + agent/gpg-agent.c | 8 ++++++++ + configure.ac | 2 +- + scd/scdaemon.c | 9 +++++++++ + 3 files changed, 18 insertions(+), 1 deletion(-) + +Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch + +diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c +index b167c34..5afcf11 100644 +--- a/agent/gpg-agent.c ++++ b/agent/gpg-agent.c +@@ -50,6 +50,9 @@ + # include + #endif + #include ++#ifdef HAVE_PRCTL ++# include ++#endif + + #define INCLUDED_BY_MAIN_MODULE 1 + #define GNUPG_COMMON_NEED_AFLOCAL +@@ -1030,6 +1033,11 @@ main (int argc, char **argv ) + + early_system_init (); + ++#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) ++ /* Disable ptrace on Linux without sgid bit */ ++ prctl(PR_SET_DUMPABLE, 0); ++#endif ++ + /* Before we do anything else we save the list of currently open + file descriptors and the signal mask. This info is required to + do the exec call properly. We don't need it on Windows. 
*/ +diff --git a/configure.ac b/configure.ac +index 7a2d410..2d8b050 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1426,7 +1426,7 @@ AC_CHECK_FUNCS([atexit canonicalize_file_name clock_gettime ctermid \ + ftruncate funlockfile getaddrinfo getenv getpagesize \ + getpwnam getpwuid getrlimit getrusage gettimeofday \ + gmtime_r inet_ntop inet_pton isascii lstat memicmp \ +- memmove memrchr mmap nl_langinfo pipe raise rand \ ++ memmove memrchr mmap nl_langinfo pipe prctl raise rand \ + setenv setlocale setrlimit sigaction sigprocmask \ + stat stpcpy strcasecmp strerror strftime stricmp \ + strlwr strncasecmp strpbrk strsep strtol strtoul \ +diff --git a/scd/scdaemon.c b/scd/scdaemon.c +index 5c519f8..cab66a0 100644 +--- a/scd/scdaemon.c ++++ b/scd/scdaemon.c +@@ -37,6 +37,9 @@ + #include + #include + #include ++#ifdef HAVE_PRCTL ++# include ++#endif + + #define INCLUDED_BY_MAIN_MODULE 1 + #define GNUPG_COMMON_NEED_AFLOCAL +@@ -446,6 +449,12 @@ main (int argc, char **argv ) + npth_t pipecon_handler; + + early_system_init (); ++ ++#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) ++ /* Disable ptrace on Linux without sgid bit */ ++ prctl(PR_SET_DUMPABLE, 0); ++#endif ++ + set_strusage (my_strusage); + gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN); + /* Please note that we may running SUID(ROOT), so be very CAREFUL diff --git a/repo/gnupg/0210-dirmngr-hkp-avoid-potential-race-condition-when-some-host-die.patch b/repo/gnupg/0210-dirmngr-hkp-avoid-potential-race-condition-when-some-host-die.patch new file mode 100644 index 0000000..1aa79c6 --- /dev/null +++ b/repo/gnupg/0210-dirmngr-hkp-avoid-potential-race-condition-when-some-host-die.patch 
@@ -0,0 +1,83 @@ +From: Daniel Kahn Gillmor +Date: Sat, 29 Oct 2016 01:25:05 -0400 +Subject: dirmngr: hkp: Avoid potential race condition when some hosts die. + +* dirmngr/ks-engine-hkp.c (select_random_host): Use atomic pass +through the host table instead of risking out-of-bounds write. + +-- + +Multiple threads may write to hosttable[x]->dead while +select_random_host() is running. For example, a housekeeping thread +might clear the ->dead bit on some entries, or another connection to +dirmngr might manually mark a host as alive. + +If one or more hosts are resurrected between the two loops over a +given table in select_random_host(), then the allocation of tbl might +not be large enough, resulting in a write past the end of tbl on the +second loop. + +This change collapses the two loops into a single loop to avoid this +discrepancy: each host's "dead" bit is now only checked once. + +As Werner points out, this isn't currently strictly necessary, since +npth will not switch threads unless a blocking system call is made, +and no blocking system call is made in these two loops. + +However, in a subsequent change in this series, we will call a +function in this loop, and that function may sometimes write(2), or +call other functions, which may themselves block. Keeping this as a +single-pass loop avoids the need to keep track of what might block and +what might not. 
+ +Signed-off-by: Daniel Kahn Gillmor +--- + dirmngr/ks-engine-hkp.c | 23 ++++++++++------------- + 1 file changed, 10 insertions(+), 13 deletions(-) + +Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/dirmngr-idling/dirmngr-hkp-Avoid-potential-race-condition-when-some.patch + +diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c +index 14859c7..d425363 100644 +--- a/dirmngr/ks-engine-hkp.c ++++ b/dirmngr/ks-engine-hkp.c +@@ -225,29 +225,26 @@ host_in_pool_p (hostinfo_t hi, int tblidx) + static int + select_random_host (hostinfo_t hi) + { +- int *tbl; +- size_t tblsize; ++ int *tbl = NULL; ++ size_t tblsize = 0; + int pidx, idx; + + /* We create a new table so that we randomly select only from + currently alive hosts. */ +- for (idx = 0, tblsize = 0; ++ for (idx = 0; + idx < hi->pool_len && (pidx = hi->pool[idx]) != -1; + idx++) + if (hosttable[pidx] && !hosttable[pidx]->dead) +- tblsize++; ++ { ++ tblsize++; ++ tbl = xtryrealloc(tbl, tblsize * sizeof *tbl); ++ if (!tbl) ++ return -1; /* memory allocation failed! */ ++ tbl[tblsize-1] = pidx; ++ } + if (!tblsize) + return -1; /* No hosts. */ + +- tbl = xtrymalloc (tblsize * sizeof *tbl); +- if (!tbl) +- return -1; +- for (idx = 0, tblsize = 0; +- idx < hi->pool_len && (pidx = hi->pool[idx]) != -1; +- idx++) +- if (hosttable[pidx] && !hosttable[pidx]->dead) +- tbl[tblsize++] = pidx; +- + if (tblsize == 1) /* Save a get_uint_nonce. */ + pidx = tbl[0]; + else diff --git a/repo/gnupg/0220-dirmngr-avoid-need-for-hkp-housekeeping.patch b/repo/gnupg/0220-dirmngr-avoid-need-for-hkp-housekeeping.patch new file mode 100644 index 0000000..0e125fd --- /dev/null +++ b/repo/gnupg/0220-dirmngr-avoid-need-for-hkp-housekeeping.patch 
@@ -0,0 +1,232 @@ +From: Daniel Kahn Gillmor +Date: Sat, 29 Oct 2016 02:00:50 -0400 +Subject: dirmngr: Avoid need for hkp housekeeping. + +* dirmngr/ks-engine-hkp.c (host_is_alive): New function. Test whether +host is alive and resurrects it if it has been dead long enough. +(select_random_host, map_host, ks_hkp_mark_host): Use host_is_alive +instead of testing hostinfo_t->dead directly. +(ks_hkp_housekeeping): Remove function, no longer needed. +* dirmngr/dirmngr.c (housekeeping_thread): Remove call to +ks_hkp_housekeeping. + +-- + +Rather than resurrecting hosts upon scheduled resurrection times, test +whether hosts should be resurrected as they're inspected for being +dead. This removes the need for explicit housekeeping, and makes host +resurrections happen "just in time", rather than being clustered on +HOUSEKEEPING_INTERVAL seconds. + +According to 392e068e9f143d41f6350345619543cbcd47380f, +dns_stuff_housekeeping only works on Windows, so it also isn't +necessary in debian, but it remains in place for now. 
+ +Signed-off-by: Daniel Kahn Gillmor +--- + dirmngr/dirmngr.c | 3 --- + dirmngr/dirmngr.h | 1 - + dirmngr/ks-engine-hkp.c | 72 ++++++++++++++++++++++++------------------------- + 3 files changed, 35 insertions(+), 41 deletions(-) + +Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/dirmngr-idling/dirmngr-Avoid-need-for-hkp-housekeeping.patch + +diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c +index ae967dd..89eea4e 100644 +--- a/dirmngr/dirmngr.c ++++ b/dirmngr/dirmngr.c +@@ -1935,12 +1935,10 @@ static void * + housekeeping_thread (void *arg) + { + static int sentinel; +- time_t curtime; + struct server_control_s ctrlbuf; + + (void)arg; + +- curtime = gnupg_get_time (); + if (sentinel) + { + log_info ("housekeeping is already going on\n"); +@@ -1954,7 +1952,6 @@ housekeeping_thread (void *arg) + dirmngr_init_default_ctrl (&ctrlbuf); + + dns_stuff_housekeeping (); +- ks_hkp_housekeeping (curtime); + if (network_activity_seen) + { + network_activity_seen = 0; +diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h +index 1b52a1d..4afc19b 100644 +--- a/dirmngr/dirmngr.h ++++ b/dirmngr/dirmngr.h +@@ -217,7 +217,6 @@ const char* dirmngr_get_current_socket_name (void); + int dirmngr_use_tor (void); + + /*-- Various housekeeping functions. 
--*/ +-void ks_hkp_housekeeping (time_t curtime); + void ks_hkp_reload (void); + + +diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c +index d425363..c50681d 100644 +--- a/dirmngr/ks-engine-hkp.c ++++ b/dirmngr/ks-engine-hkp.c +@@ -218,6 +218,24 @@ host_in_pool_p (hostinfo_t hi, int tblidx) + return 0; + } + ++static int ++host_is_alive (hostinfo_t hi, time_t curtime) ++{ ++ if (!hi) ++ return 0; ++ if (!hi->dead) ++ return 1; ++ if (!hi->died_at) ++ return 0; /* manually marked dead */ ++ if (hi->died_at + RESURRECT_INTERVAL <= curtime ++ || hi->died_at > curtime) ++ { ++ hi->dead = 0; ++ log_info ("resurrected host '%s'", hi->name); ++ return 1; ++ } ++ return 0; ++} + + /* Select a random host. Consult HI->pool which indices into the global + hosttable. Returns index into HI->pool or -1 if no host could be +@@ -228,13 +246,15 @@ select_random_host (hostinfo_t hi) + int *tbl = NULL; + size_t tblsize = 0; + int pidx, idx; ++ time_t curtime; + ++ curtime = gnupg_get_time (); + /* We create a new table so that we randomly select only from + currently alive hosts. 
*/ + for (idx = 0; + idx < hi->pool_len && (pidx = hi->pool[idx]) != -1; + idx++) +- if (hosttable[pidx] && !hosttable[pidx]->dead) ++ if (hosttable[pidx] && host_is_alive (hosttable[pidx], curtime)) + { + tblsize++; + tbl = xtryrealloc(tbl, tblsize * sizeof *tbl); +@@ -462,6 +482,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect, + int is_pool; + int new_hosts = 0; + char *cname; ++ time_t curtime; + + *r_host = NULL; + if (r_httpflags) +@@ -501,6 +522,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect, + } + else + hi = hosttable[idx]; ++ curtime = gnupg_get_time (); + + is_pool = hi->pool != NULL; + +@@ -607,7 +629,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect, + if (force_reselect) + hi->poolidx = -1; + else if (hi->poolidx >= 0 && hi->poolidx < hosttable_size +- && hosttable[hi->poolidx] && hosttable[hi->poolidx]->dead) ++ && hosttable[hi->poolidx] && !host_is_alive (hosttable[hi->poolidx], curtime)) + hi->poolidx = -1; + + /* Select a host if needed. 
*/ +@@ -665,7 +687,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect, + return gpg_error_from_syserror (); + } + +- if (hi->dead) ++ if (!host_is_alive (hi, curtime)) + { + log_error ("host '%s' marked as dead\n", hi->name); + if (r_httphost) +@@ -770,7 +792,8 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive) + { + gpg_error_t err = 0; + hostinfo_t hi, hi2; +- int idx, idx2, idx3, n; ++ int idx, idx2, idx3, n, is_alive; ++ time_t curtime; + + if (!name || !*name || !strcmp (name, "localhost")) + return 0; +@@ -779,13 +802,15 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive) + if (idx == -1) + return gpg_error (GPG_ERR_NOT_FOUND); + ++ curtime = gnupg_get_time (); + hi = hosttable[idx]; +- if (alive && hi->dead) ++ is_alive = host_is_alive (hi, curtime); ++ if (alive && !is_alive) + { + hi->dead = 0; + err = ks_printf_help (ctrl, "marking '%s' as alive", name); + } +- else if (!alive && !hi->dead) ++ else if (!alive && is_alive) + { + hi->dead = 1; + hi->died_at = 0; /* Manually set dead. */ +@@ -819,14 +844,15 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive) + + hi2 = hosttable[n]; + if (!hi2) +- ; +- else if (alive && hi2->dead) ++ continue; ++ is_alive = host_is_alive (hi2, curtime); ++ if (alive && !is_alive) + { + hi2->dead = 0; + err = ks_printf_help (ctrl, "marking '%s' as alive", + hi2->name); + } +- else if (!alive && !hi2->dead) ++ else if (!alive && is_alive) + { + hi2->dead = 1; + hi2->died_at = 0; /* Manually set dead. */ +@@ -1112,34 +1138,6 @@ ks_hkp_resolve (ctrl_t ctrl, parsed_uri_t uri) + } + + +-/* Housekeeping function called from the housekeeping thread. It is +- used to mark dead hosts alive so that they may be tried again after +- some time. 
*/ +-void +-ks_hkp_housekeeping (time_t curtime) +-{ +- int idx; +- hostinfo_t hi; +- +- for (idx=0; idx < hosttable_size; idx++) +- { +- hi = hosttable[idx]; +- if (!hi) +- continue; +- if (!hi->dead) +- continue; +- if (!hi->died_at) +- continue; /* Do not resurrect manually shot hosts. */ +- if (hi->died_at + RESURRECT_INTERVAL <= curtime +- || hi->died_at > curtime) +- { +- hi->dead = 0; +- log_info ("resurrected host '%s'", hi->name); +- } +- } +-} +- +- + /* Reload (SIGHUP) action for this module. We mark all host alive + * even those which have been manually shot. */ + void diff --git a/repo/gnupg/0230-dirmngr-avoid-automatically-checking-upstream-swdb.patch b/repo/gnupg/0230-dirmngr-avoid-automatically-checking-upstream-swdb.patch new file mode 100644 index 0000000..8ffd897 --- /dev/null +++ b/repo/gnupg/0230-dirmngr-avoid-automatically-checking-upstream-swdb.patch 
@@ -0,0 +1,51 @@ +From: Daniel Kahn Gillmor +From: Jakub Jirutka +Date: Sun, 20 Nov 2016 23:09:24 -0500 +Date: Wed, 18 Aug 2021 21:08:20 +0200 +Subject: dirmngr: Avoid automatically checking upstream swdb. + +* dirmngr/dirmngr.c (housekeeping_thread): Avoid automatically +checking upstream's software database. In Debian, software updates +should be handled by the distro mechanism, and additional upstream +checks only confuse the user. +* doc/dirmngr.texi: document that --allow-version-check does nothing. + +Signed-off-by: Daniel Kahn Gillmor +--- + dirmngr/dirmngr.c | 2 -- + doc/dirmngr.texi | 7 ++++--- + 2 files changed, 4 insertions(+), 5 deletions(-) + +Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/dirmngr-idling/dirmngr-Avoid-automatically-checking-upstream-swdb.patch + +diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c +index 89eea4e..f26ed63 100644 +--- a/dirmngr/dirmngr.c ++++ b/dirmngr/dirmngr.c +@@ -1955,8 +1955,6 @@ housekeeping_thread (void *arg) + if (network_activity_seen) + { + network_activity_seen = 0; +- if (opt.allow_version_check) +- dirmngr_load_swdb (&ctrlbuf, 0); + workqueue_run_global_tasks (&ctrlbuf, 1); + } + else +diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi +index 843fdbf..84a8d28 100644 +--- a/doc/dirmngr.texi ++++ b/doc/dirmngr.texi +@@ -291,9 +291,10 @@ Set the size of the queue for pending connections. The default is 64. + @item --allow-version-check + @opindex allow-version-check + Allow Dirmngr to connect to @code{https://versions.gnupg.org} to get +-the list of current software versions. If this option is enabled +-the list is retrieved in case the local +-copy does not exist or is older than 5 to 7 days. See the option ++the list of current software versions. ++On Alpine-packaged versions, this option does nothing since software ++updates should be handled by the distribution. ++See the option + @option{--query-swdb} of the command @command{gpgconf} for more + details. 
Note, that regardless of this option a version check can + always be triggered using this command: diff --git a/repo/gnupg/0310-gpg-default-to-3072-bit-keys.patch b/repo/gnupg/0310-gpg-default-to-3072-bit-keys.patch new file mode 100644 index 0000000..e04f480 --- /dev/null +++ b/repo/gnupg/0310-gpg-default-to-3072-bit-keys.patch 
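Review bot: The replacement text in the doc/dirmngr.texi hunk of 0230-dirmngr-avoid-automatically-checking-upstream-swdb.patch reads `On Alpine-packaged versions, this option does nothing`, but this patch is being added under repo/gnupg of what appears to be a different distribution's build tree (the package is described by gnupg.xibuild, not an APKBUILD), so the installed manual would name the wrong distribution. The patch was taken from Debian (see its Patch-Source line) and then adapted for Alpine; the wording should be adapted once more, e.g. `On versions packaged by this distribution, this option does nothing since software` followed by `updates should be handled by the distribution.` The two `From:` and two `Date:` headers at the top of the same patch file are harmless to patch application, but keeping a single author/date pair for the adapting author would make the provenance clearer.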
@@ -0,0 +1,93 @@ +From: Daniel Kahn Gillmor +Date: Thu, 7 Sep 2017 18:41:10 -0400 +Subject: gpg: default to 3072-bit keys. + +* agent/command.c (hlp_genkey): update help text to suggest the use of +3072 bits. +* doc/wks.texi: Make example match default generation. +* g10/keygen.c (gen_elg): update default from 2048 to 3072. +* g10/keyid.c (pubkey_string): update comment so that first example +is the default 3072-bit RSA. + +-- + +3072-bit RSA is widely considered to be 128-bit-equivalent security. +This is a sensible default in 2017. + +Signed-off-by: Daniel Kahn Gillmor + +(cherry picked from commit 909fbca19678e6e36968607e8a2348381da39d8c) +--- + agent/command.c | 2 +- + doc/wks.texi | 4 ++-- + g10/keygen.c | 2 +- + g10/keyid.c | 4 ++-- + 4 files changed, 6 insertions(+), 6 deletions(-) + +Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/from-master/gpg-default-to-3072-bit-keys.patch + +diff --git a/agent/command.c b/agent/command.c +index 8642498..f94e770 100644 +--- a/agent/command.c ++++ b/agent/command.c +@@ -843,7 +843,7 @@ static const char hlp_genkey[] = + "\n" + " C: GENKEY\n" + " S: INQUIRE KEYPARAM\n" +- " C: D (genkey (rsa (nbits 2048)))\n" ++ " C: D (genkey (rsa (nbits 3072)))\n" + " C: END\n" + " S: D (public-key\n" + " S: D (rsa (n 326487324683264) (e 10001)))\n" +diff --git a/doc/wks.texi b/doc/wks.texi +index 119e31c..ae6c310 100644 +--- a/doc/wks.texi ++++ b/doc/wks.texi +@@ -412,10 +412,10 @@ the submission address: + The output of the last command looks similar to this: + + @example +- sec rsa2048 2016-08-30 [SC] ++ sec rsa3072 2016-08-30 [SC] + C0FCF8642D830C53246211400346653590B3795B + uid [ultimate] key-submission@@example.net +- ssb rsa2048 2016-08-30 [E] ++ ssb rsa3072 2016-08-30 [E] + @end example + + Take the fingerprint from that output and manually publish the key: +diff --git a/g10/keygen.c b/g10/keygen.c +index d50acf8..79d4579 100644 +--- a/g10/keygen.c ++++ b/g10/keygen.c +@@ -1436,7 +1436,7 @@ 
gen_elg (int algo, unsigned int nbits, KBNODE pub_root, + + if (nbits < 1024) + { +- nbits = 2048; ++ nbits = 3072; + log_info (_("keysize invalid; using %u bits\n"), nbits ); + } + else if (nbits > 4096) +diff --git a/g10/keyid.c b/g10/keyid.c +index 69d85da..2987287 100644 +--- a/g10/keyid.c ++++ b/g10/keyid.c +@@ -73,7 +73,7 @@ pubkey_letter( int algo ) + is copied to the supplied buffer up a length of BUFSIZE-1. + Examples for the output are: + +- "rsa2048" - RSA with 2048 bit ++ "rsa3072" - RSA with 3072 bit + "elg1024" - Elgamal with 1024 bit + "ed25519" - ECC using the curve Ed25519. + "E_1.2.3.4" - ECC using the unsupported curve with OID "1.2.3.4". +@@ -83,7 +83,7 @@ pubkey_letter( int algo ) + If the option --legacy-list-mode is active, the output use the + legacy format: + +- "2048R" - RSA with 2048 bit ++ "3072R" - RSA with 3072 bit + "1024g" - Elgamal with 1024 bit + "256E" - ECDSA using a curve with 256 bit + diff --git a/repo/gnupg/0320-gpg-default-to-aes256.patch b/repo/gnupg/0320-gpg-default-to-aes256.patch new file mode 100644 index 0000000..2d9a90f --- /dev/null +++ b/repo/gnupg/0320-gpg-default-to-aes256.patch 
@@ -0,0 +1,37 @@ +From: Daniel Kahn Gillmor +Date: Thu, 7 Sep 2017 19:04:00 -0400 +Subject: gpg: default to AES-256. + +* g10/main.h (DEFAULT_CIPHER_ALGO): Prefer AES256 by default. + +-- + +It's 2017, and pretty much everyone has AES-256 available. Symmetric +crypto is also rarely the bottleneck (asymmetric crypto is much more +expensive). AES-256 provides some level of protection against +large-scale decryption efforts, and longer key lengths provide a hedge +against unforseen cryptanalysis. + +Signed-off-by: Daniel Kahn Gillmor +(cherry picked from commit 73ff075204df09db5248170a049f06498cdbb7aa) +--- + g10/main.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/from-master/gpg-default-to-AES-256.patch + +diff --git a/g10/main.h b/g10/main.h +index 68360e2..1983e42 100644 +--- a/g10/main.h ++++ b/g10/main.h +@@ -31,7 +31,9 @@ + (i.e. uncompressed) rather than 1 (zip). However, the real world + issues of speed and size come into play here. */ + +-#if GPG_USE_AES128 ++#if GPG_USE_AES256 ++# define DEFAULT_CIPHER_ALGO CIPHER_ALGO_AES256 ++#elif GPG_USE_AES128 + # define DEFAULT_CIPHER_ALGO CIPHER_ALGO_AES + #elif GPG_USE_CAST5 + # define DEFAULT_CIPHER_ALGO CIPHER_ALGO_CAST5 diff --git a/repo/gnupg/0330-gpg-default-to-sha512-for-all-signature-types-on-rsa-keys.patch b/repo/gnupg/0330-gpg-default-to-sha512-for-all-signature-types-on-rsa-keys.patch new file mode 100644 index 0000000..75c5b73 --- /dev/null +++ b/repo/gnupg/0330-gpg-default-to-sha512-for-all-signature-types-on-rsa-keys.patch 
@@ -0,0 +1,66 @@ +From: Daniel Kahn Gillmor +Date: Thu, 7 Sep 2017 18:49:35 -0400 +Subject: gpg: Default to SHA-512 for all signature types on RSA keys. + +* g10/main.h (DEFAULT_DIGEST_ALGO): Use SHA512 instead of SHA256 in +--gnupg mode (leave strict RFC and PGP modes alone). +* configure.ac: Do not allow disabling sha512. +* g10/misc.c (map_md_openpgp_to_gcry): Always support SHA512. + +-- + +SHA512 is more performant on most 64-bit platforms than SHA256, and +offers a better security margin. It is also widely implemented. + +Signed-off-by: Daniel Kahn Gillmor +--- + configure.ac | 2 +- + g10/main.h | 2 +- + g10/misc.c | 5 +---- + 3 files changed, 3 insertions(+), 6 deletions(-) + +Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch + +diff --git a/configure.ac b/configure.ac +index 2d8b050..4b9d908 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -317,7 +317,7 @@ GNUPG_GPG_DISABLE_ALGO([rmd160],[RIPE-MD160 hash]) + GNUPG_GPG_DISABLE_ALGO([sha224],[SHA-224 hash]) + # SHA256 is a MUST algorithm for GnuPG. + GNUPG_GPG_DISABLE_ALGO([sha384],[SHA-384 hash]) +-GNUPG_GPG_DISABLE_ALGO([sha512],[SHA-512 hash]) ++# SHA512 is a MUST algorithm for GnuPG. + + + # Allow disabling of zip support. +diff --git a/g10/main.h b/g10/main.h +index 1983e42..388eae3 100644 +--- a/g10/main.h ++++ b/g10/main.h +@@ -41,7 +41,7 @@ + # define DEFAULT_CIPHER_ALGO CIPHER_ALGO_3DES + #endif + +-#define DEFAULT_DIGEST_ALGO ((GNUPG)? DIGEST_ALGO_SHA256:DIGEST_ALGO_SHA1) ++#define DEFAULT_DIGEST_ALGO ((GNUPG)? 
DIGEST_ALGO_SHA512:DIGEST_ALGO_SHA1) + #define DEFAULT_S2K_DIGEST_ALGO DIGEST_ALGO_SHA1 + #ifdef HAVE_ZIP + # define DEFAULT_COMPRESS_ALGO COMPRESS_ALGO_ZIP +diff --git a/g10/misc.c b/g10/misc.c +index 634d303..6fc2d58 100644 +--- a/g10/misc.c ++++ b/g10/misc.c +@@ -849,11 +849,8 @@ map_md_openpgp_to_gcry (digest_algo_t algo) + case DIGEST_ALGO_SHA384: return 0; + #endif + +-#ifdef GPG_USE_SHA512 + case DIGEST_ALGO_SHA512: return GCRY_MD_SHA512; +-#else +- case DIGEST_ALGO_SHA512: return 0; +-#endif ++ + default: return 0; + } + } diff --git a/repo/gnupg/0340-gpg-prefer-sha512-and-sha384-in-personal-digest.patch b/repo/gnupg/0340-gpg-prefer-sha512-and-sha384-in-personal-digest.patch new file mode 100644 index 0000000..bac31b3 --- /dev/null +++ b/repo/gnupg/0340-gpg-prefer-sha512-and-sha384-in-personal-digest.patch 
@@ -0,0 +1,48 @@ +From: Daniel Kahn Gillmor +Date: Wed, 3 Jan 2018 12:34:26 -0500 +Subject: gpg: Prefer SHA-512 and SHA-384 in personal-digest-preferences. + +* g10/keygen.c (keygen_set_std_prefs): prefer SHA-512 +and SHA-384 by default. + +-- + +In 8ede3ae29a39641a2f98ad9a4cf61ea99085a892, upstream changed the +defaults for --default-preference-list to advertise a preference for +SHA-512, without touching --personal-digest-preferences. This makes +the same change for --personal-digest-preferences, since every modern +OpenPGP library supports them all. + +Signed-off-by: Daniel Kahn Gillmor +--- + g10/keygen.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch + +diff --git a/g10/keygen.c b/g10/keygen.c +index 79d4579..cb92468 100644 +--- a/g10/keygen.c ++++ b/g10/keygen.c +@@ -391,16 +391,16 @@ keygen_set_std_prefs (const char *string,int personal) + if (personal) + { + /* The default internal hash algo order is: +- * SHA-256, SHA-384, SHA-512, SHA-224, SHA-1. ++ * SHA-512, SHA-384, SHA-256, SHA-224, SHA-1. + */ +- if (!openpgp_md_test_algo (DIGEST_ALGO_SHA256)) +- strcat (dummy_string, "H8 "); ++ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512)) ++ strcat (dummy_string, "H10 "); + + if (!openpgp_md_test_algo (DIGEST_ALGO_SHA384)) + strcat (dummy_string, "H9 "); + +- if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512)) +- strcat (dummy_string, "H10 "); ++ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA256)) ++ strcat (dummy_string, "H8 "); + } + else + { diff --git a/repo/gnupg/0410-make-gpg-zip-use-tar-from-path.patch b/repo/gnupg/0410-make-gpg-zip-use-tar-from-path.patch new file mode 100644 index 0000000..b0d619e --- /dev/null +++ b/repo/gnupg/0410-make-gpg-zip-use-tar-from-path.patch 
@@ -0,0 +1,29 @@
+From: Daniel Kahn Gillmor
+Date: Sun, 18 Nov 2018 17:29:52 -0500
+Subject: Make gpg-zip use tar from $PATH
+
+Apparently there is no clean way to configure this from ./configure,
+and upstream is deprecating gpg-zip anyway. So just force-set tar to
+be manually "tar" (meaning, that we should look in the $PATH at
+runtime).
+
+See also https://dev.gnupg.org/T4251 and https://bugs.debian.org/913582
+---
+ tools/gpg-zip.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/Make-gpg-zip-use-tar-from-PATH.patch
+
+diff --git a/tools/gpg-zip.in b/tools/gpg-zip.in
+index 9047e36..3821f3a 100644
+--- a/tools/gpg-zip.in
++++ b/tools/gpg-zip.in
+@@ -23,7 +23,7 @@
+ # the GNU or POSIX variant of USTAR.
+
+ VERSION=@VERSION@
+-TAR=@TAR@
++TAR=tar
+ GPG=gpg
+
+ usage="\
diff --git a/repo/gnupg/0420-gpg-drop-import-clean-from-default-keyserver-import-options.patch b/repo/gnupg/0420-gpg-drop-import-clean-from-default-keyserver-import-options.patch
new file mode 100644
index 0000000..46f2316
--- /dev/null
+++ b/repo/gnupg/0420-gpg-drop-import-clean-from-default-keyserver-import-options.patch
@@ -0,0 +1,51 @@
+From: Daniel Kahn Gillmor
+Date: Mon, 15 Jul 2019 16:24:35 -0400
+Subject: gpg: drop import-clean from default keyserver import options
+
+* g10/gpg.c (main): drop IMPORT_CLEAN from the
+default opt.keyserver_options.import_options
+* doc/gpg.texi: reflect this change in the documentation
+
+Given that SELF_SIGS_ONLY is already set, it's not clear what
+additional benefit IMPORT_CLEAN provides. Furthermore, IMPORT_CLEAN
+means that receiving an OpenPGP certificate from a keyserver will
+potentially delete data that is otherwise held in the local keyring,
+which is surprising to users who expect retrieval from the keyservers
+to be purely additive.
+
+GnuPG-Bug-Id: 4628
+Signed-off-by: Daniel Kahn Gillmor
+---
+ doc/gpg.texi | 2 +-
+ g10/gpg.c | 3 +--
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/gpg-drop-import-clean-from-default-keyserver-import-optio.patch
+
+diff --git a/doc/gpg.texi b/doc/gpg.texi
+index 7b603d7..104318a 100644
+--- a/doc/gpg.texi
++++ b/doc/gpg.texi
+@@ -1982,7 +1982,7 @@ are available for all keyserver types, some common options are:
+
+ @end table
+
+-The default list of options is: "self-sigs-only, import-clean,
++The default list of options is: "self-sigs-only,
+ repair-keys, repair-pks-subkey-bug, export-attributes,
+ honor-pka-record".
+
+diff --git a/g10/gpg.c b/g10/gpg.c
+index 6b44cfb..caa0487 100644
+--- a/g10/gpg.c
++++ b/g10/gpg.c
+@@ -2348,8 +2348,7 @@ main (int argc, char **argv)
+ opt.export_options = EXPORT_ATTRIBUTES;
+ opt.keyserver_options.import_options = (IMPORT_REPAIR_KEYS
+ | IMPORT_REPAIR_PKS_SUBKEY_BUG
+- | IMPORT_SELF_SIGS_ONLY
+- | IMPORT_CLEAN);
++ | IMPORT_SELF_SIGS_ONLY);
+ opt.keyserver_options.export_options = EXPORT_ATTRIBUTES;
+ opt.keyserver_options.options = KEYSERVER_HONOR_PKA_RECORD;
+ opt.verify_options = (LIST_SHOW_UID_VALIDITY
diff --git a/repo/gnupg/60-scdaemon.rules b/repo/gnupg/60-scdaemon.rules
new file mode 100644
index 0000000..55ca5c1
--- /dev/null
+++ b/repo/gnupg/60-scdaemon.rules
@@ -0,0 +1,63 @@
+# do not edit this file, it will be overwritten on update
+
+SUBSYSTEM!="usb", GOTO="gnupg_rules_end"
+ACTION!="add", GOTO="gnupg_rules_end"
+
+# USB SmartCard Readers
+## Cherry GmbH (XX33, ST2000)
+ATTR{idVendor}=="046a", ATTR{idProduct}=="0005", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="046a", ATTR{idProduct}=="0010", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="046a", ATTR{idProduct}=="003e", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+## SCM Microsystems, Inc (SCR331-DI, SCR335, SCR3320, SCR331, SCR3310 and SPR532)
+ATTR{idVendor}=="04e6", ATTR{idProduct}=="5111", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="04e6", ATTR{idProduct}=="5115", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="04e6", ATTR{idProduct}=="5116", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="04e6", ATTR{idProduct}=="5117", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="04e6", ATTR{idProduct}=="e001", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="04e6", ATTR{idProduct}=="e003", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+## Omnikey AG (CardMan 3821, CardMan 6121)
+ATTR{idVendor}=="076b", ATTR{idProduct}=="3821", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="076b", ATTR{idProduct}=="6622", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+## Gemalto
+ATTR{idVendor}=="08e6", ATTR{idProduct}=="3437", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="08e6", ATTR{idProduct}=="3438", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="08e6", ATTR{idProduct}=="3478", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="08e6", ATTR{idProduct}=="34c2", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="08e6", ATTR{idProduct}=="34ec", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+## Reiner (SCT cyberJack)
+ATTR{idVendor}=="0c4b", ATTR{idProduct}=="0500", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+## Kobil (KAAN)
+ATTR{idVendor}=="0d46", ATTR{idProduct}=="2012", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+## VASCO (DIGIPASS 920)
+ATTR{idVendor}=="1a44", ATTR{idProduct}=="0920", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+## Crypto Stick
+ATTR{idVendor}=="20a0", ATTR{idProduct}=="4107", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+## Nitrokey
+ATTR{idVendor}=="20a0", ATTR{idProduct}=="4108", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="20a0", ATTR{idProduct}=="4109", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="20a0", ATTR{idProduct}=="4211", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+## Gnuk Token
+ATTR{idVendor}=="234b", ATTR{idProduct}=="0000", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+## Alcor Micro Corp cardreader (in ThinkPad X250)
+ATTR{idVendor}=="058f", ATTR{idProduct}=="9540", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+## Fujitsu Siemens
+ATTR{idVendor}=="0bf8",
ATTR{idProduct}=="1006", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+## Yubico
+# Yubikey NEO OTP+CCID
+ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0111", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+# Yubikey NEO CCID
+ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0112", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+# Yubikey NEO U2F+CCID
+ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0115", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+# Yubikey NEO OTP+U2F+CCID
+ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0116", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+# Yubikey 4 CCID
+ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0404", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+# Yubikey 4 OTP+CCID
+ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0405", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+# Yubikey 4 U2F+CCID
+ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0406", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+# Yubikey 4 OTP+U2F+CCID
+ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+
+LABEL="gnupg_rules_end"
diff --git a/repo/gnupg/fix-i18n.patch b/repo/gnupg/fix-i18n.patch
new file mode 100644
index 0000000..90fc033
--- /dev/null
+++ b/repo/gnupg/fix-i18n.patch
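Review bot: The Yubico block at the end of the hunk switches from `ATTR{idVendor}`/`ATTR{idProduct}` to `ATTRS{...}` while every other vendor entry uses `ATTR`; as far as I can tell `ATTRS` also matches child devices whose parent carries those attributes, so the Yubico rules are evaluated differently from the rest of the file for no stated reason, and using `ATTR` uniformly (or a comment explaining why Yubico needs `ATTRS`) would make the file consistent. The `GROUP+="gnupg"` assignment on every rule is also worth checking against the target's udev implementation: in current systemd-udev the `GROUP` key takes only `=` or `:=`, and `+=` is accepted with a warning and treated as `=`, so `GROUP="gnupg"` is the form to use. The rules grant device access to the `gnupg` group, which this commit creates in gnupg-scdaemon.pre-install; keeping that coupling in mind matters if the rules file is ever shipped without that script.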
@@ -0,0 +1,12 @@
+--- gnupg-2.1.7/common/i18n.c.orig 2015-08-31 20:40:18.752742866 +0300
++++ gnupg-2.1.7/common/i18n.c 2015-08-31 20:40:41.806336224 +0300
+@@ -85,8 +85,8 @@
+ bindtextdomain (PACKAGE_GT, gnupg_localedir ());
+ textdomain (PACKAGE_GT);
+ #else
+-# ifdef ENABLE_NLS
+ setlocale (LC_ALL, "" );
++# ifdef ENABLE_NLS
+ bindtextdomain (PACKAGE_GT, gnupg_localedir ());
+ textdomain (PACKAGE_GT);
+ # endif
diff --git a/repo/gnupg/gnupg-scdaemon.pre-install b/repo/gnupg/gnupg-scdaemon.pre-install
new file mode 100644
index 0000000..b0cac4c
--- /dev/null
+++ b/repo/gnupg/gnupg-scdaemon.pre-install
@@ -0,0 +1,4 @@
+#!/bin/sh
+addgroup -S gnupg 2> /dev/null
+
+exit 0
diff --git a/repo/gnupg/gnupg.xibuild b/repo/gnupg/gnupg.xibuild
new file mode 100644
index 0000000..95ffa44
--- /dev/null
+++ b/repo/gnupg/gnupg.xibuild
@@ -0,0 +1,73 @@
+#!/bin/sh
+
+NAME="gnupg"
+DESC="GNU Privacy Guard 2 - meta package for full GnuPG suite"
+
+MAKEDEPS=" autoconf automake bzip2 gettext gnutls libassuan libgcrypt libgpg-error libksba libtool libusb npth openldap pinentry sqlite texinfo zlib"
+
+PKG_VER=2.2.34
+SOURCE="https://gnupg.org/ftp/gcrypt/gnupg/gnupg-$PKG_VER.tar.bz2"
+
+ADDITIONAL="
+0001-Include-sys-select.h-for-FD_SETSIZE.patch
+0010-avoid-beta-warning.patch
+0020-avoid-regenerating-defsincdate-use-shipped-file.patch
+0110-avoid-simple-memory-dumps-via-ptrace.patch
+0210-dirmngr-hkp-avoid-potential-race-condition-when-some-host-die.patch
+0220-dirmngr-avoid-need-for-hkp-housekeeping.patch
+0230-dirmngr-avoid-automatically-checking-upstream-swdb.patch
+0310-gpg-default-to-3072-bit-keys.patch
+0320-gpg-default-to-aes256.patch
+0330-gpg-default-to-sha512-for-all-signature-types-on-rsa-keys.patch
+0340-gpg-prefer-sha512-and-sha384-in-personal-digest.patch
+0410-make-gpg-zip-use-tar-from-path.patch
+0420-gpg-drop-import-clean-from-default-keyserver-import-options.patch
+60-scdaemon.rules
+fix-i18n.patch
+gnupg-scdaemon.pre-install
+"
+
+prepare() {
+ apply_patches
+
+ autoreconf -vif
+}
+
+build() {
+ ./configure \
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --mandir=/usr/share/man \
+ --infodir=/usr/share/info \
+ --localstatedir=/var \
+ --disable-nls \
+ --enable-bzip2 \
+ --enable-tofu \
+ --enable-scdaemon \
+ --enable-ccid-driver
+ make
+}
+
+check() {
+ make check
+}
+
+package() {
+ make DESTDIR="$PKG_DEST" install
+
+ install -m755 tools/gpg-zip "$PKG_DEST"/usr/bin/gpg-zip
+ install -Dm644 -t "$PKG_DEST"/lib/udev/rules.d/ "$BUILD_ROOT"/60-scdaemon.rules
+
+ cd "$PKG_DEST"
+
+ # install compat symlink
+ ln -s gpg usr/bin/gpg2
+ ln -s gpgv usr/bin/gpgv2
+
+ # Remove docs for systemd-user
+ rm -rf usr/share/doc/gnupg/examples/systemd-user
+
+ # Remove gpg scheme interpreter - an internal tool used in gpg tests
+ rm -rf usr/bin/gpgscm
+}
+
-- cgit v1.2.1
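Review bot: `SOURCE` pins the release URL but nothing in this hunk verifies what is downloaded — there is no checksum for `gnupg-2.2.34.tar.bz2` and no check of the detached signature upstream publishes next to each release — so unless the xibuild tooling verifies sources elsewhere, a tampered tarball from the server or a mirror would go straight into the build; a recorded checksum (or a signature verification step in `prepare()`) would close that gap for a package this security-critical. In `package()`, `cd "$PKG_DEST"` is unchecked, and if it fails the `ln -s` and `rm -rf` calls that follow operate on the build directory instead, so `cd "$PKG_DEST" || return 1` unless the framework runs recipes under `set -e`. The explicit `install -m755 tools/gpg-zip` ships a script that the 0410 patch in this same commit describes as deprecated upstream and which now resolves `tar` from `$PATH` at run time; a one-line comment such as `# gpg-zip is deprecated upstream (see 0410 patch); kept for compatibility` would record why it is still installed.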