diff --git a/gnupg/0001-gpg-accept-subkeys-with-a-good-revocation-but-no-sel.patch b/gnupg/0002-gpg-accept-subkeys-with-a-good-revocation-but-no-sel.patch similarity index 78% rename from gnupg/0001-gpg-accept-subkeys-with-a-good-revocation-but-no-sel.patch rename to gnupg/0002-gpg-accept-subkeys-with-a-good-revocation-but-no-sel.patch index 814c48547ec..b87c2e857fa 100644 --- a/gnupg/0001-gpg-accept-subkeys-with-a-good-revocation-but-no-sel.patch +++ b/gnupg/0002-gpg-accept-subkeys-with-a-good-revocation-but-no-sel.patch @@ -1,8 +1,8 @@ -From b57d410c6d8fbfb5e9c87646d9c8fd44e4ce11d8 Mon Sep 17 00:00:00 2001 +From aadb053a5465d66ae881639c46aecc581a1fe1aa Mon Sep 17 00:00:00 2001 From: Vincent Breitmoser Date: Thu, 13 Jun 2019 21:27:43 +0200 -Subject: [PATCH] gpg: accept subkeys with a good revocation but no self-sig - during import +Subject: gpg: accept subkeys with a good revocation but no self-sig during + import * g10/import.c (chk_self_sigs): Set the NODE_GOOD_SELFSIG flag when we encounter a valid revocation signature. This allows import of subkey @@ -20,10 +20,10 @@ Signed-off-by: Daniel Kahn Gillmor 1 file changed, 1 insertion(+) diff --git a/g10/import.c b/g10/import.c -index ba62d2322..fa4d417ad 100644 +index ea3ba2991..5d27d8b66 100644 --- a/g10/import.c +++ b/g10/import.c -@@ -3905,6 +3905,7 @@ chk_self_sigs (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, int *non_self) +@@ -3890,6 +3890,7 @@ chk_self_sigs (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, int *non_self) /* It's valid, so is it newer? */ if (sig->timestamp >= rsdate) { @@ -31,3 +31,6 @@ index ba62d2322..fa4d417ad 100644 if (rsnode) { /* Delete the last revocation sig since +-- +2.43.0 + 
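Review bot: This rebased patch and the 0003 allow-import-without-UIDs patch that follows are kept, while the test patch that exercised them (gnupg/0003-tests-add-test-cases-for-import-without-uid.patch, deleted further down) is dropped outright; its own description says these are the changesets that make its import-incomplete.scm cases pass, so the series now carries a change to self-signature and revocation acceptance in chk_self_sigs with no regression coverage behind it. If the tests were dropped because upstream merged them, record that in the patch header (one line such as `Tests for this change are upstream as tests/openpgp/import-incomplete.scm`); otherwise the test patch should be rebased alongside these two rather than removed. Separately, 0003 was exported by a different git (trailer `2.39.5` versus `2.43.0` everywhere else) and its import.c pre-image `c83f87360` no longer matches this patch's post-image `5d27d8b66`, whereas the old pair chained (`fa4d417ad`), which suggests the two were not regenerated from one branch in a single `git format-patch` run. The header style is also mixed: this patch and 0003/0005/0008/0009 keep the `From <sha> Mon Sep 17 00:00:00 2001` pseudo-header while 0010 onwards drop it, so pick one form for the whole series.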
diff --git a/gnupg/0002-gpg-allow-import-of-previously-known-keys-even-witho.patch b/gnupg/0003-gpg-allow-import-of-previously-known-keys-even-witho.patch similarity index 86% rename from gnupg/0002-gpg-allow-import-of-previously-known-keys-even-witho.patch rename to gnupg/0003-gpg-allow-import-of-previously-known-keys-even-witho.patch index b3e3b71dbda..2fa722c05b4 100644 --- a/gnupg/0002-gpg-allow-import-of-previously-known-keys-even-witho.patch +++ b/gnupg/0003-gpg-allow-import-of-previously-known-keys-even-witho.patch @@ -1,7 +1,7 @@ -From d74a2faf0db5d4db8dc23fe3813f707e5fa8bbb2 Mon Sep 17 00:00:00 2001 +From b987d2750496f481baa7c2e557427af05e27eded Mon Sep 17 00:00:00 2001 From: Vincent Breitmoser Date: Thu, 13 Jun 2019 21:27:42 +0200 -Subject: [PATCH] gpg: allow import of previously known keys, even without UIDs +Subject: gpg: allow import of previously known keys, even without UIDs * g10/import.c (import_one): Accept an incoming OpenPGP certificate that has no user id, as long as we already have a local variant of the cert @@ -18,10 +18,10 @@ Signed-off-by: Daniel Kahn Gillmor 1 file changed, 11 insertions(+), 34 deletions(-) diff --git a/g10/import.c b/g10/import.c -index fa4d417ad..0eacdda7b 100644 +index c83f87360..df482d4a1 100644 --- a/g10/import.c +++ b/g10/import.c -@@ -2000,7 +2000,6 @@ import_one_real (ctrl_t ctrl, +@@ -1996,7 +1996,6 @@ import_one_real (ctrl_t ctrl, int non_self_or_utk = 0; char pkstrbuf[PUBKEY_STRING_SIZE]; int merge_keys_done = 0; @@ -29,7 +29,7 @@ index fa4d417ad..0eacdda7b 100644 KEYDB_HANDLE hd = NULL; if (r_valid) -@@ -2037,14 +2036,6 @@ import_one_real (ctrl_t ctrl, +@@ -2033,14 +2032,6 @@ import_one_real (ctrl_t ctrl, log_printf ("\n"); } @@ -44,7 +44,7 @@ index fa4d417ad..0eacdda7b 100644 if (screener && screener (keyblock, screener_arg)) { log_error (_("key %s: %s\n"), keystr_from_pk (pk), -@@ -2138,18 +2129,10 @@ import_one_real (ctrl_t ctrl, +@@ -2134,18 +2125,10 @@ import_one_real (ctrl_t ctrl, } } 
@@ -67,7 +67,7 @@ index fa4d417ad..0eacdda7b 100644 /* Get rid of deleted nodes. */ commit_kbnode (&keyblock); -@@ -2159,24 +2142,11 @@ import_one_real (ctrl_t ctrl, +@@ -2155,24 +2138,11 @@ import_one_real (ctrl_t ctrl, { apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid); commit_kbnode (&keyblock); @@ -92,7 +92,7 @@ index fa4d417ad..0eacdda7b 100644 } /* The keyblock is valid and ready for real import. */ -@@ -2236,6 +2206,13 @@ import_one_real (ctrl_t ctrl, +@@ -2234,6 +2204,13 @@ import_one_real (ctrl_t ctrl, err = 0; stats->skipped_new_keys++; } @@ -106,3 +106,6 @@ index fa4d417ad..0eacdda7b 100644 else if (err) /* Insert this key. */ { /* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY. */ +-- +2.39.5 + diff --git a/gnupg/0003-tests-add-test-cases-for-import-without-uid.patch b/gnupg/0003-tests-add-test-cases-for-import-without-uid.patch deleted file mode 100644 index 346b0fc7c75..00000000000 --- a/gnupg/0003-tests-add-test-cases-for-import-without-uid.patch +++ /dev/null 
@@ -1,201 +0,0 @@ -From 203f84fd55c3a783e8e17dcdca11206944ec42a6 Mon Sep 17 00:00:00 2001 -From: Vincent Breitmoser -Date: Thu, 13 Jun 2019 21:27:41 +0200 -Subject: [PATCH] tests: add test cases for import without uid - -This commit adds a test case that does the following, in order: -- Import of a primary key plus user id -- Check that import of a subkey works, without a user id present in the -imported key -- Check that import of a subkey revocation works, without a user id or -subkey binding signature present in the imported key -- Check that import of a primary key revocation works, without a user id -present in the imported key - --- - -Note that this test currently fails. The following changesets will -fix gpg so that the tests pass. - -GnuPG-Bug-id: 4393 -Signed-Off-By: Daniel Kahn Gillmor ---- - tests/openpgp/Makefile.am | 1 + - tests/openpgp/import-incomplete.scm | 67 +++++++++++++++++++ - .../import-incomplete/primary+revocation.asc | 9 +++ - .../primary+subkey+sub-revocation.asc | 10 +++ - .../primary+subkey+sub-sig.asc | 10 +++ - .../import-incomplete/primary+uid-sig.asc | 10 +++ - .../openpgp/import-incomplete/primary+uid.asc | 10 +++ - 7 files changed, 117 insertions(+) - create mode 100755 tests/openpgp/import-incomplete.scm - create mode 100644 tests/openpgp/import-incomplete/primary+revocation.asc - create mode 100644 tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc - create mode 100644 tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc - create mode 100644 tests/openpgp/import-incomplete/primary+uid-sig.asc - create mode 100644 tests/openpgp/import-incomplete/primary+uid.asc - -diff --git a/tests/openpgp/Makefile.am b/tests/openpgp/Makefile.am -index 7998d2ab9..ea8207e28 100644 ---- a/tests/openpgp/Makefile.am -+++ b/tests/openpgp/Makefile.am -@@ -81,6 +81,7 @@ XTESTS = \ - gpgv-forged-keyring.scm \ - armor.scm \ - import.scm \ -+ import-incomplete.scm \ - import-revocation-certificate.scm \ - ecc.scm \ - 4gb-packet.scm \ 
-diff --git a/tests/openpgp/import-incomplete.scm b/tests/openpgp/import-incomplete.scm -new file mode 100755 -index 000000000..331e10153 ---- /dev/null -+++ b/tests/openpgp/import-incomplete.scm -@@ -0,0 +1,67 @@ -+#!/usr/bin/env gpgscm -+ -+;; Copyright (C) 2016 g10 Code GmbH -+;; -+;; This file is part of GnuPG. -+;; -+;; GnuPG is free software; you can redistribute it and/or modify -+;; it under the terms of the GNU General Public License as published by -+;; the Free Software Foundation; either version 3 of the License, or -+;; (at your option) any later version. -+;; -+;; GnuPG is distributed in the hope that it will be useful, -+;; but WITHOUT ANY WARRANTY; without even the implied warranty of -+;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+;; GNU General Public License for more details. -+;; -+;; You should have received a copy of the GNU General Public License -+;; along with this program; if not, see . -+ -+(load (in-srcdir "tests" "openpgp" "defs.scm")) -+(setup-environment) -+ -+(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+uid.asc"))) -+ -+(info "Test import of new subkey, from a certificate without uid") -+(define keyid "573EA710367356BB") -+(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+subkey+sub-sig.asc"))) -+(tr:do -+ (tr:pipe-do -+ (pipe:gpg `(--list-keys --with-colons ,keyid))) -+ (tr:call-with-content -+ (lambda (c) -+ ;; XXX we do not have a regexp library -+ (unless (any (lambda (line) -+ (and (string-prefix? line "sub:") -+ (string-contains? 
line "573EA710367356BB"))) -+ (string-split-newlines c)) -+ (exit 1))))) -+ -+(info "Test import of a subkey revocation, from a certificate without uid") -+(define keyid "573EA710367356BB") -+(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+subkey+sub-revocation.asc"))) -+(tr:do -+ (tr:pipe-do -+ (pipe:gpg `(--list-keys --with-colons ,keyid))) -+ (tr:call-with-content -+ (lambda (c) -+ ;; XXX we do not have a regexp library -+ (unless (any (lambda (line) -+ (and (string-prefix? line "sub:r:") -+ (string-contains? line "573EA710367356BB"))) -+ (string-split-newlines c)) -+ (exit 1))))) -+ -+(info "Test import of revocation, from a certificate without uid") -+(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+revocation.asc"))) -+(tr:do -+ (tr:pipe-do -+ (pipe:gpg `(--list-keys --with-colons ,keyid))) -+ (tr:call-with-content -+ (lambda (c) -+ ;; XXX we do not have a regexp library -+ (unless (any (lambda (line) -+ (and (string-prefix? line "pub:r:") -+ (string-contains? 
line "0843DA969AA8DAFB"))) -+ (string-split-newlines c)) -+ (exit 1))))) -diff --git a/tests/openpgp/import-incomplete/primary+revocation.asc b/tests/openpgp/import-incomplete/primary+revocation.asc -new file mode 100644 -index 000000000..6b7b60802 ---- /dev/null -+++ b/tests/openpgp/import-incomplete/primary+revocation.asc -@@ -0,0 +1,9 @@ -+-----BEGIN PGP PUBLIC KEY BLOCK----- -+Comment: [E] primary key, revocation signature over primary (no user ID) -+ -+mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ -+631VAN2IeAQgFggAIBYhBLRpj5W82H/gSMzKKQhD2paaqNr7BQJc2ZQZAh0AAAoJ -+EAhD2paaqNr7qAwA/2jBUpnN0BxwRO/4CrxvrLIsL+C9aSXJUOTv8XkP4lvtAQD3 -+XsDFfFNgEueiTfF7HtOGt5LPmRqVvUpQSMVgJJW6CQ== -+=tM90 -+-----END PGP PUBLIC KEY BLOCK----- -diff --git a/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc b/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc -new file mode 100644 -index 000000000..83a51a549 ---- /dev/null -+++ b/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc -@@ -0,0 +1,10 @@ -+-----BEGIN PGP PUBLIC KEY BLOCK----- -+Comment: [D] primary key, subkey, subkey revocation (no user ID) -+ -+mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ -+631VAN24OARc2ZQhEgorBgEEAZdVAQUBAQdABsd5ha0AWXdXcSmfeiWIfrNcGqQK -+j++lwwWDAOlkVicDAQgHiHgEKBYIACAWIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC -+XNmnkAIdAgAKCRAIQ9qWmqja+ylaAQDmIKf86BJEq4OpDqU+V9D+wn2cyuxbyWVQ -+3r9LiL9qNwD/QAjyrhSN8L3Mfq+wdTHo5i0yB9ZCCpHLXSbhCqfWZwQ= -+=dwx2 -+-----END PGP PUBLIC KEY BLOCK----- -diff --git a/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc b/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc -new file mode 100644 -index 000000000..dc47a02d8 ---- /dev/null -+++ b/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc -@@ -0,0 +1,10 @@ -+-----BEGIN PGP PUBLIC KEY BLOCK----- -+Comment: [B] primary key, subkey, subkey binding sig (no user ID) -+ -+mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ 
-+631VAN24OARc2ZQhEgorBgEEAZdVAQUBAQdABsd5ha0AWXdXcSmfeiWIfrNcGqQK -+j++lwwWDAOlkVicDAQgHiHgEGBYIACAWIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC -+XNmUIQIbDAAKCRAIQ9qWmqja++vFAP98G1L+1/rWTGbsnxOAV2RocBYIroAvsbkR -+Ly6FdP8YNwEA7jOgT05CoKIe37MstpOz23mM80AK369Ca3JMmKKCQgg= -+=xuDu -+-----END PGP PUBLIC KEY BLOCK----- -diff --git a/tests/openpgp/import-incomplete/primary+uid-sig.asc b/tests/openpgp/import-incomplete/primary+uid-sig.asc -new file mode 100644 -index 000000000..134607d0e ---- /dev/null -+++ b/tests/openpgp/import-incomplete/primary+uid-sig.asc -@@ -0,0 +1,10 @@ -+-----BEGIN PGP PUBLIC KEY BLOCK----- -+Comment: [C] primary key and self-sig expiring in 2024 (no user ID) -+ -+mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ -+631VAN2IlgQTFggAPgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBLRpj5W8 -+2H/gSMzKKQhD2paaqNr7BQJc2ZR1BQkJZgHcAAoJEAhD2paaqNr79soA/0lWkUsu -+3NLwgbni6EzJxnTzgeNMpljqNpipHAwfix9hAP93AVtFdC8g7hdUZxawobl9lnSN -+9ohXOEBWvdJgVv2YAg== -+=KWIK -+-----END PGP PUBLIC KEY BLOCK----- -diff --git a/tests/openpgp/import-incomplete/primary+uid.asc b/tests/openpgp/import-incomplete/primary+uid.asc -new file mode 100644 -index 000000000..055f30086 ---- /dev/null -+++ b/tests/openpgp/import-incomplete/primary+uid.asc -@@ -0,0 +1,10 @@ -+-----BEGIN PGP PUBLIC KEY BLOCK----- -+Comment: [A] primary key, user ID, and self-sig expiring in 2021 -+ -+mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ -+631VAN20CHRlc3Qga2V5iJYEExYIAD4WIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC -+XNmUGQIbAwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAIQ9qWmqja -++0G1AQDdQiwhXxjXLMqoth+D4SigVHTJK8ORwifzsy3UE7mPGwD/aZ67XbAF/lgI -+kv2O1Jo0u9BL9RNNF+L0DM7rAFbfMAs= -+=1eII -+-----END PGP PUBLIC KEY BLOCK----- diff --git a/gnupg/0005-avoid-systemd-deprecation-warning.patch b/gnupg/0005-avoid-systemd-deprecation-warning.patch deleted file mode 100644 index f165ef9d9e5..00000000000 --- a/gnupg/0005-avoid-systemd-deprecation-warning.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From c436c3cf6b289de93aa082f9c9c3724b276d9b98 Mon Sep 17 00:00:00 2001 -From: NIIBE Yutaka -Date: Mon, 21 Aug 2023 14:22:50 +0900 -Subject: [PATCH] avoid-systemd-deprecation-warning - ---- - agent/gpg-agent.c | 3 --- - dirmngr/dirmngr.c | 3 --- - 2 files changed, 6 deletions(-) - -diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c -index c4b281d63..8bcd496bf 100644 ---- a/agent/gpg-agent.c -+++ b/agent/gpg-agent.c -@@ -1399,9 +1399,6 @@ main (int argc, char **argv) - agent_exit (0); - } - -- if (is_supervised && !opt.quiet) -- log_info(_("WARNING: \"%s\" is a deprecated option\n"), "--supervised"); -- - if (is_supervised) - ; - else if (!opt.extra_socket) -diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c -index 5a9db1491..a8c3d2281 100644 ---- a/dirmngr/dirmngr.c -+++ b/dirmngr/dirmngr.c -@@ -1332,9 +1332,6 @@ main (int argc, char **argv) - { - struct stat statbuf; - -- if (!opt.quiet) -- log_info(_("WARNING: \"%s\" is a deprecated option\n"), "--supervised"); -- - /* In supervised mode, we expect file descriptor 3 to be an - already opened, listening socket. - diff --git a/gnupg/0004-gpg-drop-import-clean-from-default-keyserver-import-.patch b/gnupg/0005-gpg-drop-import-clean-from-default-keyserver-import-.patch similarity index 72% rename from gnupg/0004-gpg-drop-import-clean-from-default-keyserver-import-.patch rename to gnupg/0005-gpg-drop-import-clean-from-default-keyserver-import-.patch index a099ec28050..5595538810d 100644 --- a/gnupg/0004-gpg-drop-import-clean-from-default-keyserver-import-.patch +++ b/gnupg/0005-gpg-drop-import-clean-from-default-keyserver-import-.patch @@ -1,7 +1,7 @@ -From df393819b9a040b183e1c7e8b9e42a97cb711f55 Mon Sep 17 00:00:00 2001 +From ef5f0200718533d7a1881cce09877d37402e7279 Mon Sep 17 00:00:00 2001 
From: Daniel Kahn Gillmor Date: Mon, 15 Jul 2019 16:24:35 -0400 -Subject: [PATCH] gpg: drop import-clean from default keyserver import options +Subject: gpg: drop import-clean from default keyserver import options * g10/gpg.c (main): drop IMPORT_CLEAN from the default opt.keyserver_options.import_options @@ -22,23 +22,23 @@ Signed-off-by: Daniel Kahn Gillmor 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/doc/gpg.texi b/doc/gpg.texi -index 7e80a293a..652003c27 100644 +index 501e075d2..b15f6110e 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi -@@ -2188,7 +2188,7 @@ are available for all keyserver types, some common options are: +@@ -2191,7 +2191,7 @@ are available for all keyserver types, some common options are: @end table -The default list of options is: "self-sigs-only, import-clean, +The default list of options is: "self-sigs-only, - repair-keys, repair-pks-subkey-bug, export-attributes". However, if - the actual used source is an LDAP server "no-self-sigs-only" is - assumed unless "self-sigs-only" has been explicitly configured. + repair-keys, repair-pks-subkey-bug, export-attributes, + update-before-send". However, if the actual used source is an LDAP + server "no-self-sigs-only" is assumed unless "self-sigs-only" has been diff --git a/g10/gpg.c b/g10/gpg.c -index 28f47f80b..03298a295 100644 +index aab884d02..437afda03 100644 --- a/g10/gpg.c +++ b/g10/gpg.c -@@ -2485,8 +2485,7 @@ main (int argc, char **argv) +@@ -2490,8 +2490,7 @@ main (int argc, char **argv) | IMPORT_REPAIR_PKS_SUBKEY_BUG | IMPORT_SELF_SIGS_ONLY | IMPORT_COLLAPSE_UIDS @@ -46,5 +46,8 @@ index 28f47f80b..03298a295 100644 - | IMPORT_CLEAN); + | IMPORT_COLLAPSE_SUBKEYS); opt.keyserver_options.export_options = EXPORT_ATTRIBUTES; - opt.keyserver_options.options = 0; + opt.keyserver_options.options = KEYSERVER_UPDATE_BEFORE_SEND; opt.verify_options = (LIST_SHOW_UID_VALIDITY +-- +2.43.0 + 
diff --git a/gnupg/0008-avoid-systemd-deprecation-warning.patch b/gnupg/0008-avoid-systemd-deprecation-warning.patch new file mode 100644 index 00000000000..9672a635d85 --- /dev/null +++ b/gnupg/0008-avoid-systemd-deprecation-warning.patch @@ -0,0 +1,26 @@ +From 39fb2c89cf77b55ed72f5501c0503ad65c20d85e Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka +Date: Mon, 21 Aug 2023 14:22:50 +0900 +Subject: avoid-systemd-deprecation-warning + +--- + dirmngr/dirmngr.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c +index 5a2a45bc1..2e077356b 100644 +--- a/dirmngr/dirmngr.c ++++ b/dirmngr/dirmngr.c +@@ -1331,9 +1331,6 @@ main (int argc, char **argv) + { + struct stat statbuf; + +- if (!opt.quiet) +- log_info(_("WARNING: \"%s\" is a deprecated option\n"), "--supervised"); +- + is_supervised = 1; + + /* In supervised mode, we expect file descriptor 3 to be an +-- +2.43.0 + diff --git a/gnupg/0006-Add-systemd-support-for-keyboxd.patch b/gnupg/0009-Add-systemd-support-for-keyboxd.patch similarity index 77% rename from gnupg/0006-Add-systemd-support-for-keyboxd.patch rename to gnupg/0009-Add-systemd-support-for-keyboxd.patch index ce589831cca..2ac6f34358d 100644 --- a/gnupg/0006-Add-systemd-support-for-keyboxd.patch +++ b/gnupg/0009-Add-systemd-support-for-keyboxd.patch @@ -1,17 +1,17 @@ -From a7c109493de54162ad1e1f80cdcc6e313103b800 Mon Sep 17 00:00:00 2001 +From a8b47ca0ca6ccdc21f9a127fd8b959b808f89ae7 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Wed, 23 Aug 2023 09:26:51 +0900 -Subject: [PATCH] Add systemd support for keyboxd +Subject: Add systemd support for keyboxd --- - kbx/keyboxd.c | 79 +++++++++++++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 77 insertions(+), 2 deletions(-) + kbx/keyboxd.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 87 insertions(+), 2 deletions(-) diff --git a/kbx/keyboxd.c b/kbx/keyboxd.c -index f875e115d..55e42bcdf 100644 +index 042ed20b5..9afdd3240 100644 
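Review bot: The new 0008 patch removes the `--supervised` deprecation warning only from dirmngr/dirmngr.c, whereas the 0005 patch it replaces (deleted above) also removed the same `log_info` from agent/gpg-agent.c's main(), and nothing in this commit says why the agent half was dropped. If the rebased gpg-agent.c still carries that warning, every socket-activated start through the gpg-agent.service and gpg-agent.socket units shipped by 0010 will log it, which is precisely what this patch exists to prevent. If upstream has since removed the agent warning, a one-line remark in the patch description (`Only dirmngr still emits the warning as of this base`) would keep the next rebase from re-raising the question. The new context line `is_supervised = 1;` directly after the removed block did not exist in the old version, so the surrounding dirmngr code moved under the patch; the three removed lines still look self-contained, but the enclosing main() body is outside the hunk.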
--- a/kbx/keyboxd.c +++ b/kbx/keyboxd.c -@@ -88,6 +88,7 @@ enum cmd_and_opt_values +@@ -87,6 +87,7 @@ enum cmd_and_opt_values oLogFile, oServer, oDaemon, @@ -19,7 +19,7 @@ index f875e115d..55e42bcdf 100644 oFakedSystemTime, oListenBacklog, oDisableCheckOwnSocket, -@@ -104,6 +105,9 @@ static gpgrt_opt_t opts[] = { +@@ -103,6 +104,9 @@ static gpgrt_opt_t opts[] = { ARGPARSE_s_n (oDaemon, "daemon", N_("run in daemon mode (background)")), ARGPARSE_s_n (oServer, "server", N_("run in server mode (foreground)")), @@ -29,17 +29,27 @@ index f875e115d..55e42bcdf 100644 ARGPARSE_s_n (oNoDetach, "no-detach", N_("do not detach from the console")), ARGPARSE_s_n (oStealSocket, "steal-socket", "@"), ARGPARSE_s_s (oHomedir, "homedir", "@"), -@@ -209,6 +213,9 @@ static int have_homedir_inotify; - * reliable. */ - static int reliable_homedir_inotify; +@@ -210,6 +214,19 @@ static char *config_filename; + * the log file after a SIGHUP if it didn't changed. Malloced. */ + static char *current_logfile; ++/* This flag is true if the inotify mechanism for detecting the ++ * removal of the homedir is active. This flag is used to disable the ++ * alternative but portable stat based check. */ ++static int have_homedir_inotify; ++ ++/* Depending on how keyboxd was started, the homedir inotify watch may ++ * not be reliable. This flag is set if we assume that inotify works ++ * reliable. */ ++static int reliable_homedir_inotify; ++ +/* Flag indicating that we are in supervised mode. */ +static int is_supervised; + /* Number of active connections. */ static int active_connections; -@@ -575,6 +582,7 @@ main (int argc, char **argv ) +@@ -574,6 +591,7 @@ main (int argc, char **argv ) case oLogFile: logfile = pargs.r.ret_str; break; case oServer: pipe_server = 1; break; case oDaemon: is_daemon = 1; break; 
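Review bot: In the rebased hunk at `@@ -210,6 +214,19 @@` the patch now adds `static int have_homedir_inotify;` and `static int reliable_homedir_inotify;` itself (inner `+` lines), whereas the old version only had them as context, i.e. the new upstream keyboxd.c no longer declares them. Re-introducing those declarations is only right if the supervised-mode block at `@@ -715,6 +733,73 @@` (not visible here) is still their only reader and writer; if upstream also removed the inotify-versus-stat homedir-removal check these flags used to gate, they become dead state and the comment `This flag is used to disable the alternative but portable stat based check` describes a check that no longer exists. Either confirm the readers survive in the new base, or drop the two flags together with whatever in the supervised block sets them; the diffstat growth from 77 to 87 insertions is consistent with exactly these ten lines. If they are kept, the comment should say the flags are maintained by the supervised-mode code in this patch rather than reading as upstream state.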
@@ -47,7 +57,7 @@ index f875e115d..55e42bcdf 100644 case oFakedSystemTime: { time_t faked_time = isotime2epoch (pargs.r.ret_str); -@@ -643,7 +651,7 @@ main (int argc, char **argv ) +@@ -642,7 +660,7 @@ main (int argc, char **argv ) bind_textdomain_codeset (PACKAGE_GT, "UTF-8"); #endif @@ -56,7 +66,7 @@ index f875e115d..55e42bcdf 100644 { /* We have been called without any command and thus we merely * check whether an instance of us is already running. We do -@@ -716,6 +724,73 @@ main (int argc, char **argv ) +@@ -715,6 +733,73 @@ main (int argc, char **argv ) kbxd_deinit_default_ctrl (ctrl); xfree (ctrl); } @@ -130,7 +140,7 @@ index f875e115d..55e42bcdf 100644 else if (!is_daemon) ; /* NOTREACHED */ else -@@ -1546,7 +1621,7 @@ handle_connections (gnupg_fd_t listen_fd) +@@ -1603,7 +1688,7 @@ handle_connections (gnupg_fd_t listen_fd) /* Shutdown test. */ if (shutdown_pending) { @@ -139,3 +149,6 @@ index f875e115d..55e42bcdf 100644 break; /* ready */ /* Do not accept new connections but keep on running the +-- +2.43.0 + diff --git a/gnupg/0007-Ship-sample-systemd-unit-files.patch b/gnupg/0010-Ship-sample-systemd-unit-files.patch similarity index 97% rename from gnupg/0007-Ship-sample-systemd-unit-files.patch rename to gnupg/0010-Ship-sample-systemd-unit-files.patch index ad6efc2fd21..3079400ca13 100644 --- a/gnupg/0007-Ship-sample-systemd-unit-files.patch +++ b/gnupg/0010-Ship-sample-systemd-unit-files.patch @@ -1,7 +1,6 @@ -From 8a2e11a4f2d232d698245722e43263d0c788ef1c Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Mon, 23 Jan 2023 16:34:19 +0100 -Subject: [PATCH] Ship sample systemd unit files +Subject: Ship sample systemd unit files This reverts the systemd-relevant parts of upstream's eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed 
@@ -29,7 +28,7 @@ GnuPG-bug-id: 6336 .../systemd-user/gpg-agent-ssh.socket | 13 ++++ doc/examples/systemd-user/gpg-agent.service | 8 +++ doc/examples/systemd-user/gpg-agent.socket | 12 ++++ - 10 files changed, 154 insertions(+) + 10 files changed, 154 insertions(+), 0 deletions(-) create mode 100644 doc/examples/systemd-user/README create mode 100644 doc/examples/systemd-user/dirmngr.service create mode 100644 doc/examples/systemd-user/dirmngr.socket @@ -40,7 +39,7 @@ GnuPG-bug-id: 6336 create mode 100644 doc/examples/systemd-user/gpg-agent.socket diff --git a/doc/Makefile.am b/doc/Makefile.am -index 6889bda1e..03d9ebc7f 100644 +index fad425db7..7031848e7 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -25,6 +25,14 @@ examples = examples/README examples/scd-event examples/trustlist.txt \ @@ -263,3 +262,6 @@ index 000000000..4257c2c80 + +[Install] +WantedBy=sockets.target +-- +2.43.0 + diff --git a/gnupg/0008-gpg-default-El-Gamal-to-3072-bit-keys.patch b/gnupg/0011-el-gamal-default-to-3072-bits.patch similarity index 78% rename from gnupg/0008-gpg-default-El-Gamal-to-3072-bit-keys.patch rename to gnupg/0011-el-gamal-default-to-3072-bits.patch index d781e08c2b6..3e95abf93a6 100644 --- a/gnupg/0008-gpg-default-El-Gamal-to-3072-bit-keys.patch +++ b/gnupg/0011-el-gamal-default-to-3072-bits.patch @@ -1,7 +1,6 @@ -From 2a109f83fc81c4ccb75cf875d11d7af62b778653 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 7 Sep 2017 18:41:10 -0400 -Subject: [PATCH] gpg: default El Gamal to 3072-bit keys. +Subject: gpg: default El Gamal to 3072-bit keys. * g10/keygen.c (gen_elg): update default from 2048 to 3072. @@ -20,10 +19,10 @@ Signed-off-by: Daniel Kahn Gillmor 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/g10/keygen.c b/g10/keygen.c -index b7e2bf8df..745441c48 100644 +index b263a47..03d55be 100644 --- a/g10/keygen.c 
+++ b/g10/keygen.c -@@ -1752,7 +1752,7 @@ gen_elg (int algo, unsigned int nbits, KBNODE pub_root, +@@ -1646,7 +1646,7 @@ gen_elg (int algo, unsigned int nbits, KBNODE pub_root, if (nbits < 1024) { diff --git a/gnupg/0009-gpg-Always-support-and-default-to-using-SHA-512.patch b/gnupg/0012-gpg-default-digest-algorithm-SHA512.patch similarity index 88% rename from gnupg/0009-gpg-Always-support-and-default-to-using-SHA-512.patch rename to gnupg/0012-gpg-default-digest-algorithm-SHA512.patch index c0bdb4f2368..79990848d4d 100644 --- a/gnupg/0009-gpg-Always-support-and-default-to-using-SHA-512.patch +++ b/gnupg/0012-gpg-default-digest-algorithm-SHA512.patch @@ -1,7 +1,6 @@ -From b15eba73a45a8261a7f6992154b9f8429d34c616 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor -Date: Wed, 5 Feb 2025 18:03:42 -0500 -Subject: [PATCH] gpg: Always support and default to using SHA-512. +Date: Wed, 05 Feb 2025 18:03:42 -0500 +Subject: gpg: Always support and default to using SHA-512. * g10/main.h (DEFAULT_DIGEST_ALGO): Use SHA512 instead of SHA256 in standard modes. Use SHA256 for PGP8, and SHA1 for archaic modes. @@ -28,7 +27,7 @@ Signed-off-by: Daniel Kahn Gillmor 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/configure.ac b/configure.ac -index 94bc80583..b0b1cfc5e 100644 +index c80bce1..42ef43b 100644 --- a/configure.ac +++ b/configure.ac @@ -339,7 +339,7 @@ GNUPG_GPG_DISABLE_ALGO([rmd160],[RIPE-MD160 hash]) @@ -41,7 +40,7 @@ index 94bc80583..b0b1cfc5e 100644 # Allow disabling of zip support. diff --git a/g10/main.h b/g10/main.h -index 6d47287c7..4b9aa28a0 100644 +index 2482fbd..f15d90f 100644 --- a/g10/main.h +++ b/g10/main.h @@ -41,7 +41,7 @@ @@ -54,7 +53,7 @@ index 6d47287c7..4b9aa28a0 100644 #ifdef HAVE_ZIP # define DEFAULT_COMPRESS_ALGO COMPRESS_ALGO_ZIP diff --git a/g10/misc.c b/g10/misc.c -index 2f4b452dd..0e6d9d56c 100644 +index 2f4b452..0e6d9d5 100644 --- a/g10/misc.c +++ b/g10/misc.c @@ -862,11 +862,8 @@ map_md_openpgp_to_gcry (digest_algo_t algo) 
diff --git a/gnupg/0010-gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest-pr.patch b/gnupg/0013-gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch similarity index 63% rename from gnupg/0010-gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest-pr.patch rename to gnupg/0013-gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch index 50fdbfb9c2b..8c4ea4b1b89 100644 --- a/gnupg/0010-gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest-pr.patch +++ b/gnupg/0013-gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch @@ -1,8 +1,6 @@ -From d826c27e241fe96cae7a4834ca3dad9e95bd9e38 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Wed, 3 Jan 2018 12:34:26 -0500 -Subject: [PATCH] gpg: Prefer SHA-512 and SHA-384 in - personal-digest-preferences. +Subject: gpg: Prefer SHA-512 and SHA-384 in personal-digest-preferences. * g10/keygen.c (keygen_set_std_prefs): prefer SHA-512 and SHA-384 by default. @@ -17,14 +15,14 @@ OpenPGP library supports them all. Signed-off-by: Daniel Kahn Gillmor --- - g10/keygen.c | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) + g10/keygen.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/g10/keygen.c b/g10/keygen.c -index 745441c48..9b547ad23 100644 +index 03d55be..d4fe7aa 100644 --- a/g10/keygen.c +++ b/g10/keygen.c -@@ -461,16 +461,16 @@ keygen_set_std_prefs (const char *string,int personal) +@@ -423,16 +423,16 @@ keygen_set_std_prefs (const char *string,int personal) if (personal) { /* The default internal hash algo order is: 
@@ -33,16 +31,14 @@ index 745441c48..9b547ad23 100644 */ - if (!openpgp_md_test_algo (DIGEST_ALGO_SHA256)) - strcat (dummy_string, "H8 "); -- -- if (!openpgp_md_test_algo (DIGEST_ALGO_SHA384)) -- strcat (dummy_string, "H9 "); -- - if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512)) - strcat (dummy_string, "H10 "); -+ -+ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA384)) -+ strcat (dummy_string, "H9 "); -+ ++ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512)) ++ strcat (dummy_string, "H10 "); + + if (!openpgp_md_test_algo (DIGEST_ALGO_SHA384)) + strcat (dummy_string, "H9 "); + +- if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512)) +- strcat (dummy_string, "H10 "); + if (!openpgp_md_test_algo (DIGEST_ALGO_SHA256)) + strcat (dummy_string, "H8 "); } diff --git a/gnupg/0014-gpg-Sync-compliance-mode-cleanup-with-master.patch b/gnupg/0014-gpg-Sync-compliance-mode-cleanup-with-master.patch deleted file mode 100644 index cae715addd1..00000000000 --- a/gnupg/0014-gpg-Sync-compliance-mode-cleanup-with-master.patch +++ /dev/null 
@@ -1,170 +0,0 @@ -From 02865ddda0ead7d1ec402ae67649714f5add385d Mon Sep 17 00:00:00 2001 -From: Daniel Kahn Gillmor -Date: Mon, 3 Feb 2025 23:39:08 -0500 -Subject: [PATCH] gpg: Sync compliance mode cleanup with master - -* g10/gpg.c (set_compliance_option): Clean up option settings for -compliance modes. -* doc/gpg.texi: note that --allow-old-cipher-algos must come after any -compliance setting. - --- - -This makes it possible to reset all options affected by any non-gnupg -compliance mode to their default values by using --compliance=gnupg. - -This synchronizes the compliance mode behaviors with the master -branch, including commits: - -- 54a8770aeb20eb9e18b5e95e51c376ec7820f8f6 -- 0bdf5859935e3db15baaf5d0d96b723ddbd2acd5 -- 04d58ff8475575f22a5ee1fb8c4f2c2dca0b5522 -- aa46ba28ba75fc479b407c572c723b51b22d4a73 -- 4b2729b983bf3c6c1186ebdf1962f64d8cb1b3a1 - -GnuPG-Bug-id: 7501 -Signed-off-by: Daniel Kahn Gillmor ---- - doc/gpg.texi | 7 ++++-- - g10/gpg.c | 61 ++++++++++++++++++++++++++-------------------------- - 2 files changed, 35 insertions(+), 33 deletions(-) - -diff --git a/doc/gpg.texi b/doc/gpg.texi -index 652003c27..4f44e4530 100644 ---- a/doc/gpg.texi -+++ b/doc/gpg.texi -@@ -3084,7 +3084,8 @@ to the default of 3. - @subsection Compliance options - - These options control what GnuPG is compliant to. Only one of these --options may be active at a time. Note that the default setting of -+options may be active at a time. If multiple options are given, the -+last one supersedes all the others. Note that the default setting of - this is nearly always the correct one. See the INTEROPERABILITY WITH - OTHER OPENPGP PROGRAMS section below before using one of these - options. -@@ -3691,7 +3692,9 @@ blocks of 64 bits; modern algorithms use blocks of 128 bit instead. - To avoid certain attack on these old algorithms it is suggested not to - encrypt more than 150 MiByte using the same key. 
For this reason gpg - does not allow the use of 64 bit block size algorithms for encryption --unless this option is specified. -+unless this option is specified. Some compliance modes already set or -+clear this flag and thus this flag should be used after a compliance -+mode setting. - - @item --allow-weak-digest-algos - @opindex allow-weak-digest-algos -diff --git a/g10/gpg.c b/g10/gpg.c -index 03298a295..b5928963f 100644 ---- a/g10/gpg.c -+++ b/g10/gpg.c -@@ -2266,51 +2266,59 @@ set_compliance_option (enum cmd_and_opt_values option) - { - switch (option) - { -+ case oGnuPG: -+ /* set up default options affected by policy compliance: */ -+ opt.compliance = CO_GNUPG; -+ opt.flags.dsa2 = 0; -+ opt.flags.require_cross_cert = 1; -+ opt.rfc2440_text = 0; -+ opt.allow_non_selfsigned_uid = 0; -+ opt.allow_freeform_uid = 0; -+ opt.escape_from = 1; -+ opt.not_dash_escaped = 0; -+ opt.def_cipher_algo = 0; -+ opt.def_digest_algo = 0; -+ opt.cert_digest_algo = 0; -+ opt.compress_algo = -1; -+ opt.s2k_mode = 3; /* iterated+salted */ -+ opt.s2k_digest_algo = 0; -+ opt.s2k_cipher_algo = DEFAULT_CIPHER_ALGO; -+ opt.flags.allow_old_cipher_algos = 0; -+ break; - case oOpenPGP: - case oRFC4880: -+ set_compliance_option (oGnuPG); - /* This is effectively the same as RFC2440, but with - "--enable-dsa2 --no-rfc2440-text --escape-from-lines - --require-cross-certification". 
*/ - opt.compliance = CO_RFC4880; - opt.flags.dsa2 = 1; -- opt.flags.require_cross_cert = 1; -- opt.rfc2440_text = 0; - opt.allow_non_selfsigned_uid = 1; - opt.allow_freeform_uid = 1; -- opt.escape_from = 1; -- opt.not_dash_escaped = 0; -- opt.def_cipher_algo = 0; -- opt.def_digest_algo = 0; -- opt.cert_digest_algo = 0; -- opt.compress_algo = -1; -- opt.s2k_mode = 3; /* iterated+salted */ - opt.s2k_digest_algo = DIGEST_ALGO_SHA1; - opt.s2k_cipher_algo = CIPHER_ALGO_3DES; - opt.flags.allow_old_cipher_algos = 1; - break; - case oRFC2440: -+ set_compliance_option (oGnuPG); - opt.compliance = CO_RFC2440; -- opt.flags.dsa2 = 0; -+ opt.flags.require_cross_cert = 0; - opt.rfc2440_text = 1; - opt.allow_non_selfsigned_uid = 1; - opt.allow_freeform_uid = 1; - opt.escape_from = 0; -- opt.not_dash_escaped = 0; -- opt.def_cipher_algo = 0; -- opt.def_digest_algo = 0; -- opt.cert_digest_algo = 0; -- opt.compress_algo = -1; -- opt.s2k_mode = 3; /* iterated+salted */ - opt.s2k_digest_algo = DIGEST_ALGO_SHA1; - opt.s2k_cipher_algo = CIPHER_ALGO_3DES; - opt.flags.allow_old_cipher_algos = 1; - break; -- case oPGP7: opt.compliance = CO_PGP7; break; -- case oPGP8: opt.compliance = CO_PGP8; break; -- case oGnuPG: -- opt.compliance = CO_GNUPG; -+ case oPGP7: -+ set_compliance_option (oGnuPG); -+ opt.compliance = CO_PGP7; -+ break; -+ case oPGP8: -+ set_compliance_option (oGnuPG); -+ opt.compliance = CO_PGP8; - break; -- - case oDE_VS: - set_compliance_option (oOpenPGP); - opt.compliance = CO_DE_VS; -@@ -2464,19 +2472,10 @@ main (int argc, char **argv) - opt.command_fd = -1; /* no command fd */ - opt.compress_level = -1; /* defaults to standard compress level */ - opt.bz2_compress_level = -1; /* defaults to standard compress level */ -- /* note: if you change these lines, look at oOpenPGP */ -- opt.def_cipher_algo = 0; -- opt.def_digest_algo = 0; -- opt.cert_digest_algo = 0; -- opt.compress_algo = -1; /* defaults to DEFAULT_COMPRESS_ALGO */ -- opt.s2k_mode = 3; /* iterated+salted */ - 
opt.s2k_count = 0; /* Auto-calibrate when needed. */ -- opt.s2k_cipher_algo = DEFAULT_CIPHER_ALGO; - opt.completes_needed = 1; - opt.marginals_needed = 3; - opt.max_cert_depth = 5; -- opt.escape_from = 1; -- opt.flags.require_cross_cert = 1; - opt.import_options = (IMPORT_REPAIR_KEYS - | IMPORT_COLLAPSE_UIDS - | IMPORT_COLLAPSE_SUBKEYS); -@@ -2510,7 +2509,7 @@ main (int argc, char **argv) - opt.passphrase_repeat = 1; - opt.emit_version = 0; - opt.weak_digests = NULL; -- opt.compliance = CO_GNUPG; -+ set_compliance_option (oGnuPG); - - /* Check special options given on the command line. */ - orig_argc = argc; diff --git a/gnupg/0011-Avoid-simple-memory-dumps-via-ptrace.patch b/gnupg/0018-Avoid-simple-memory-dumps-via-ptrace.patch similarity index 91% rename from gnupg/0011-Avoid-simple-memory-dumps-via-ptrace.patch rename to gnupg/0018-Avoid-simple-memory-dumps-via-ptrace.patch index ea55df4d34e..f6026e0aeb9 100644 --- a/gnupg/0011-Avoid-simple-memory-dumps-via-ptrace.patch +++ b/gnupg/0018-Avoid-simple-memory-dumps-via-ptrace.patch @@ -1,7 +1,6 @@ -From 4ac2227f8a715b1ac5057b87f4550c87aabd047e Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 11 Aug 2015 20:28:26 -0400 -Subject: [PATCH] Avoid simple memory dumps via ptrace +Subject: Avoid simple memory dumps via ptrace This avoids needing to setgid gpg-agent. It probably doesn't defend against all possible attacks, but it defends against one specific (and @@ -23,7 +22,7 @@ Upstream bug: https://dev.gnupg.org/T1211 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c -index 8bcd496bf..937af3262 100644 +index c57fafb..cbe45f0 100644 --- a/agent/gpg-agent.c +++ b/agent/gpg-agent.c @@ -48,6 +48,9 @@ @@ -49,7 +48,7 @@ index 8bcd496bf..937af3262 100644 file descriptors and the signal mask. This info is required to do the exec call properly. We don't need it on Windows. */ 
diff --git a/configure.ac b/configure.ac -index b0b1cfc5e..44f0237b3 100644 +index ac4f08c..c80bce1 100644 --- a/configure.ac +++ b/configure.ac @@ -1406,7 +1406,7 @@ AC_CHECK_FUNCS([atexit canonicalize_file_name clock_gettime ctermid \ @@ -62,7 +61,7 @@ index b0b1cfc5e..44f0237b3 100644 stat stpcpy strcasecmp strerror strftime stricmp \ strlwr strncasecmp strpbrk strsep strtol strtoul \ diff --git a/scd/scdaemon.c b/scd/scdaemon.c -index 96179202a..cace63822 100644 +index 1a8705b..a3af4bd 100644 --- a/scd/scdaemon.c +++ b/scd/scdaemon.c @@ -37,6 +37,9 @@ @@ -75,7 +74,7 @@ index 96179202a..cace63822 100644 #define INCLUDED_BY_MAIN_MODULE 1 #define GNUPG_COMMON_NEED_AFLOCAL -@@ -471,6 +474,12 @@ main (int argc, char **argv ) +@@ -474,6 +477,12 @@ main (int argc, char **argv ) const char *application_priority = NULL; early_system_init (); diff --git a/gnupg/0012-Disallow-compressed-signatures-and-certificates.patch b/gnupg/0019-Disallow-compressed-signatures-and-certificates.patch similarity index 85% rename from gnupg/0012-Disallow-compressed-signatures-and-certificates.patch rename to gnupg/0019-Disallow-compressed-signatures-and-certificates.patch index ea972ae9ad4..69830e75425 100644 --- a/gnupg/0012-Disallow-compressed-signatures-and-certificates.patch +++ b/gnupg/0019-Disallow-compressed-signatures-and-certificates.patch @@ -1,7 +1,6 @@ -From 3566abba5948741467c853adbbf5b23b0b8fe676 Mon Sep 17 00:00:00 2001 From: Demi Marie Obenour Date: Wed, 29 Jun 2022 11:07:28 -0400 -Subject: [PATCH] Disallow compressed signatures and certificates +Subject: Disallow compressed signatures and certificates Compressed packets have significant attack surface, both due to the potential for denial of service (zip bombs and the like) and for code @@ -27,10 +26,10 @@ Signed-off-by: Demi Marie Obenour 3 files changed, 60 insertions(+), 3 deletions(-) 
diff --git a/g10/mainproc.c b/g10/mainproc.c -index 82ea79d46..dfd6403dd 100644 +index af11877aa257e46662c42b6ff573ee01c3ad1547..d85124abd7bb0067423835186f61a7f94b734aeb 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c -@@ -170,6 +170,7 @@ add_onepass_sig (CTX c, PACKET *pkt) +@@ -152,6 +152,7 @@ add_onepass_sig (CTX c, PACKET *pkt) { kbnode_t node; @@ -38,7 +37,7 @@ index 82ea79d46..dfd6403dd 100644 if (c->list) /* Add another packet. */ add_kbnode (c->list, new_kbnode (pkt)); else /* Insert the first one. */ -@@ -1119,7 +1120,10 @@ proc_compressed (CTX c, PACKET *pkt) +@@ -1077,7 +1078,10 @@ proc_compressed (CTX c, PACKET *pkt) /*printf("zip: compressed data packet\n");*/ if (c->sigs_only) @@ -50,7 +49,7 @@ index 82ea79d46..dfd6403dd 100644 else if( c->encrypt_only ) rc = handle_compressed (c->ctrl, c, zd, proc_encrypt_cb, c); else -@@ -1644,6 +1648,7 @@ do_proc_packets (CTX c, iobuf_t a) +@@ -1596,6 +1600,7 @@ do_proc_packets (CTX c, iobuf_t a) c->iobuf = a; init_packet(pkt); init_parse_packet (&parsectx, a); @@ -58,7 +57,7 @@ index 82ea79d46..dfd6403dd 100644 while ((rc=parse_packet (&parsectx, pkt)) != -1) { any_data = 1; -@@ -1655,6 +1660,12 @@ do_proc_packets (CTX c, iobuf_t a) +@@ -1607,6 +1612,12 @@ do_proc_packets (CTX c, iobuf_t a) if (gpg_err_code (rc) == GPG_ERR_INV_PACKET && opt.list_packets == 0) break; @@ -71,7 +70,7 @@ index 82ea79d46..dfd6403dd 100644 continue; } newpkt = -1; -@@ -1692,7 +1703,9 @@ do_proc_packets (CTX c, iobuf_t a) +@@ -1644,7 +1655,9 @@ do_proc_packets (CTX c, iobuf_t a) case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break; case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break; case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break; @@ -83,27 +82,27 @@ index 82ea79d46..dfd6403dd 100644 } else if (c->encrypt_only) diff --git a/g10/packet.h b/g10/packet.h -index 9a1198d4a..d3f0dfe4a 100644 +index 5a14015a16c872fe7b0b15468598daf7a05ffc02..82dfe786b46051491e7015e64441678140defa9e 100644 --- a/g10/packet.h 
+++ b/g10/packet.h -@@ -674,6 +674,7 @@ struct parse_packet_ctx_s - int free_last_pkt; /* Indicates that LAST_PKT must be freed. */ - int skip_meta; /* Skip ring trust packets. */ +@@ -657,6 +657,7 @@ struct parse_packet_ctx_s + int only_fookey_enc; /* Stop if the packet is not {sym,pub}key_enc. */ unsigned int n_parsed_packets; /* Number of parsed packets. */ + int last_ctb; /* The last CTB read. */ + int sigs_only; /* Only accept detached signature packets */ }; typedef struct parse_packet_ctx_s *parse_packet_ctx_t; -@@ -684,6 +685,7 @@ typedef struct parse_packet_ctx_s *parse_packet_ctx_t; - (a)->free_last_pkt = 0; \ - (a)->skip_meta = 0; \ +@@ -667,6 +668,7 @@ typedef struct parse_packet_ctx_s *parse_packet_ctx_t; + (a)->only_fookey_enc = 0; \ (a)->n_parsed_packets = 0; \ + (a)->last_ctb = 1; \ + (a)->sigs_only = 0; \ } while (0) #define deinit_parse_packet(a) do { \ diff --git a/g10/parse-packet.c b/g10/parse-packet.c -index aa6bac9da..da3c4cee4 100644 +index cea1f7ebc5daec3863ae963c1ab25500f86796fe..dca66ff427ea6778e536782ec6bda83584877342 100644 --- a/g10/parse-packet.c +++ b/g10/parse-packet.c @@ -738,6 +738,20 @@ parse (parse_packet_ctx_t ctx, PACKET *pkt, int onlykeypkts, off_t * retpos, diff --git a/gnupg/0013-ssh-agent-emulation-under-systemd-inject-SSH_AUTH_SO.patch b/gnupg/0020-ssh-agent-emulation-under-systemd-inject-SSH_AUTH_SO.patch similarity index 96% rename from gnupg/0013-ssh-agent-emulation-under-systemd-inject-SSH_AUTH_SO.patch rename to gnupg/0020-ssh-agent-emulation-under-systemd-inject-SSH_AUTH_SO.patch index 01e8d15ab4f..6c5d1ea47e3 100644 --- a/gnupg/0013-ssh-agent-emulation-under-systemd-inject-SSH_AUTH_SO.patch +++ b/gnupg/0020-ssh-agent-emulation-under-systemd-inject-SSH_AUTH_SO.patch @@ -1,4 +1,4 @@ -From 593b580164185fe8f2eb8f09294a38fe24bbfe1b Mon Sep 17 00:00:00 2001 +From d69e381e348e47b779462b86240ecdf997614f64 Mon Sep 17 00:00:00 2001 
From: Daniel Kahn Gillmor Date: Thu, 30 Jan 2025 11:22:12 -0500 Subject: [PATCH] ssh-agent emulation under systemd: inject SSH_AUTH_SOCK at @@ -49,3 +49,6 @@ index 798c1d967..425682dfb 100644 FileDescriptorName=ssh Service=gpg-agent.service SocketMode=0600 +-- +2.47.2 + diff --git a/gnupg/0015-gpg-emit-RSA-pubkey-algorithm-when-in-compatibility-.patch b/gnupg/0022-gpg-emit-RSA-pubkey-algorithm-when-in-compatibility-.patch similarity index 89% rename from gnupg/0015-gpg-emit-RSA-pubkey-algorithm-when-in-compatibility-.patch rename to gnupg/0022-gpg-emit-RSA-pubkey-algorithm-when-in-compatibility-.patch index 925c074121c..844c9aff83a 100644 --- a/gnupg/0015-gpg-emit-RSA-pubkey-algorithm-when-in-compatibility-.patch +++ b/gnupg/0022-gpg-emit-RSA-pubkey-algorithm-when-in-compatibility-.patch @@ -1,7 +1,8 @@ -From 85619355cd487e392032ac324b8bf17d876792b1 Mon Sep 17 00:00:00 2001 +From 9efb8bba8e478c89bba99031b81d1437028db4c4 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 4 Feb 2025 01:22:41 -0500 -Subject: [PATCH] gpg: emit RSA pubkey algorithm when in compatibility modes +Subject: [PATCH GnuPG 13/17] gpg: emit RSA pubkey algorithm when in + compatibility modes * doc/gpg.texi (Compliance Options): --gnupg offers LibrePGP behavior, and prefers LibrePGP where it diverges from OpenPGP; --rfc4880bis is @@ -45,10 +46,10 @@ Signed-off-by: Daniel Kahn Gillmor 5 files changed, 39 insertions(+), 22 deletions(-) diff --git a/common/compliance.c b/common/compliance.c -index 84449af25..5e468a11c 100644 +index 6c271c199..9707f3a20 100644 --- a/common/compliance.c +++ b/common/compliance.c -@@ -696,6 +696,13 @@ gnupg_parse_compliance_option (const char *string, +@@ -782,6 +782,13 @@ gnupg_parse_compliance_option (const char *string, return -1; } @@ -76,10 +77,10 @@ index 111fdc74b..2ddf38f83 100644 void gnupg_set_compliance_extra_info (unsigned int min_rsa); diff --git a/doc/gpg.texi b/doc/gpg.texi -index 4f44e4530..834c5dda5 100644 +index 24fbcb9c9..11b3f398b 100644 
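Review bot: The refreshed header `Subject: [PATCH GnuPG 13/17] gpg: emit RSA pubkey algorithm when in compatibility modes` carries a series position (13/17) that does not match this file's position in the directory (0022), and the same mismatch appears in 0024 (15/17), 0025 (16/17) and 0026 (17/17). The series now also mixes three header styles: a bracketed numbered prefix in those four files, a bare `Subject: gpg: ...` with the `From <sha>` line kept in 0020 and 0023, and a bare Subject with the `From <sha>` line dropped in 0013, 0018 and 0019. `git am` strips the bracketed prefix, so nothing breaks, but the stale numbering is misleading when reading the directory; re-exporting every file with the same `git format-patch` options (for example `--no-numbered`) would make the set uniform. The refreshed hashes and index lines suggest the files were regenerated from a rebased branch rather than edited by hand, so this is presumably just different export invocations rather than a content change.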
--- a/doc/gpg.texi +++ b/doc/gpg.texi -@@ -3094,12 +3094,11 @@ options. +@@ -3078,12 +3078,11 @@ options. @item --gnupg @opindex gnupg @@ -97,7 +98,7 @@ index 4f44e4530..834c5dda5 100644 @item --openpgp @opindex openpgp -@@ -3118,21 +3117,20 @@ Note that this is currently the same thing as @option{--openpgp}. +@@ -3102,21 +3101,20 @@ Note that this is currently the same thing as @option{--openpgp}. @item --rfc4880bis @opindex rfc4880bis @@ -127,7 +128,7 @@ index 4f44e4530..834c5dda5 100644 @item --pgp7 @opindex pgp7 -@@ -3848,13 +3846,11 @@ absolute date in the form YYYY-MM-DD. Defaults to "0". +@@ -3847,13 +3845,11 @@ absolute date in the form YYYY-MM-DD. Defaults to "0". @opindex default-new-key-algo @var{string} This option can be used to change the default algorithms for key generation. The @var{string} is similar to the arguments required for @@ -147,38 +148,38 @@ index 4f44e4530..834c5dda5 100644 @item --no-auto-trust-new-key @opindex no-auto-trust-new-key diff --git a/g10/gpg.c b/g10/gpg.c -index b5928963f..b64a65b5a 100644 +index 73961bd24..0b3f1a39c 100644 --- a/g10/gpg.c 
+++ b/g10/gpg.c -@@ -2284,6 +2284,7 @@ set_compliance_option (enum cmd_and_opt_values option) +@@ -2295,6 +2295,7 @@ set_compliance_option (enum cmd_and_opt_values option) opt.s2k_digest_algo = 0; opt.s2k_cipher_algo = DEFAULT_CIPHER_ALGO; opt.flags.allow_old_cipher_algos = 0; + opt.def_new_key_algo = NULL; break; + case oOpenPGP: - case oRFC4880: -@@ -2298,6 +2299,7 @@ set_compliance_option (enum cmd_and_opt_values option) +@@ -2310,6 +2311,7 @@ set_compliance_option (enum cmd_and_opt_values option) opt.s2k_digest_algo = DIGEST_ALGO_SHA1; opt.s2k_cipher_algo = CIPHER_ALGO_3DES; opt.flags.allow_old_cipher_algos = 1; + opt.def_new_key_algo = "rsa3072/cert,sign+rsa3072/encr"; break; + case oRFC2440: - set_compliance_option (oGnuPG); -@@ -2310,6 +2312,7 @@ set_compliance_option (enum cmd_and_opt_values option) +@@ -2323,6 +2325,7 @@ set_compliance_option (enum cmd_and_opt_values option) opt.s2k_digest_algo = DIGEST_ALGO_SHA1; opt.s2k_cipher_algo = CIPHER_ALGO_3DES; opt.flags.allow_old_cipher_algos = 1; + opt.def_new_key_algo = "rsa3072/cert,sign+rsa3072/encr"; break; + case oPGP7: - set_compliance_option (oGnuPG); diff --git a/g10/keygen.c b/g10/keygen.c -index 9b547ad23..0eacd610d 100644 +index 3c9a433da..fb78df701 100644 --- a/g10/keygen.c +++ b/g10/keygen.c -@@ -3577,6 +3577,15 @@ parse_key_parameter_part (ctrl_t ctrl, +@@ -4032,6 +4032,15 @@ parse_key_parameter_part (ctrl_t ctrl, else return gpg_error (GPG_ERR_UNKNOWN_CURVE); @@ -194,3 +195,6 @@ index 9b547ad23..0eacd610d 100644 /* Parse the flags. */ keyuse = 0; if (flags) +-- +2.47.2 + diff --git a/gnupg/0016-gpg-Reintroduce-openpgp-as-distinct-from-rfc4880.patch b/gnupg/0023-gpg-Reintroduce-openpgp-as-distinct-from-rfc4880.patch similarity index 84% rename from gnupg/0016-gpg-Reintroduce-openpgp-as-distinct-from-rfc4880.patch rename to gnupg/0023-gpg-Reintroduce-openpgp-as-distinct-from-rfc4880.patch index 604dd9c4f67..ee9d24636ec 100644 --- a/gnupg/0016-gpg-Reintroduce-openpgp-as-distinct-from-rfc4880.patch 
+++ b/gnupg/0023-gpg-Reintroduce-openpgp-as-distinct-from-rfc4880.patch @@ -1,7 +1,7 @@ -From d20f4638b2951114e53871be0b673a81aca5ae21 Mon Sep 17 00:00:00 2001 +From f149ead6f32662d75039570b2b80e94991e62fdd Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 4 Feb 2025 01:11:08 -0500 -Subject: [PATCH] gpg: Reintroduce --openpgp as distinct from --rfc4880 +Subject: gpg: Reintroduce --openpgp as distinct from --rfc4880 * common/compliance.{c,h}: add CO_OPENPGP * options.h: #define OPENPGP by analogy with RFC4880 @@ -26,10 +26,10 @@ Signed-off-by: Daniel Kahn Gillmor 6 files changed, 25 insertions(+), 13 deletions(-) diff --git a/common/compliance.c b/common/compliance.c -index 5e468a11c..9f395e69b 100644 +index 43a7892e5..b80cfcf1e 100644 --- a/common/compliance.c +++ b/common/compliance.c -@@ -52,6 +52,7 @@ static int * +@@ -85,6 +85,7 @@ static int * get_compliance_cache (enum gnupg_compliance_mode compliance, int for_rng) { static int r_gnupg = -1, s_gnupg = -1; @@ -37,7 +37,7 @@ index 5e468a11c..9f395e69b 100644 static int r_rfc4880 = -1, s_rfc4880 = -1; static int r_rfc2440 = -1, s_rfc2440 = -1; static int r_pgp7 = -1, s_pgp7 = -1; -@@ -63,6 +64,7 @@ get_compliance_cache (enum gnupg_compliance_mode compliance, int for_rng) +@@ -96,6 +97,7 @@ get_compliance_cache (enum gnupg_compliance_mode compliance, int for_rng) switch (compliance) { case CO_GNUPG: ptr = for_rng? &r_gnupg : &s_gnupg ; break; @@ -45,7 +45,7 @@ index 5e468a11c..9f395e69b 100644 case CO_RFC4880: ptr = for_rng? &r_rfc4880 : &s_rfc4880; break; case CO_RFC2440: ptr = for_rng? &r_rfc2440 : &s_rfc2440; break; case CO_PGP7: ptr = for_rng? &r_pgp7 : &s_pgp7 ; break; -@@ -653,6 +655,7 @@ gnupg_status_compliance_flag (enum gnupg_compliance_mode compliance) +@@ -742,6 +744,7 @@ gnupg_status_compliance_flag (enum gnupg_compliance_mode compliance) { case CO_GNUPG: return "8"; 
@@ -53,7 +53,7 @@ index 5e468a11c..9f395e69b 100644 case CO_RFC4880: case CO_RFC2440: case CO_PGP7: -@@ -711,7 +714,8 @@ gnupg_compliance_option_string (enum gnupg_compliance_mode compliance) +@@ -871,7 +874,8 @@ gnupg_compliance_option_string (enum gnupg_compliance_mode compliance) switch (compliance) { case CO_GNUPG: return "--compliance=gnupg"; @@ -64,7 +64,7 @@ index 5e468a11c..9f395e69b 100644 case CO_PGP7: return "--compliance=pgp7"; case CO_PGP8: return "--compliance=pgp8"; diff --git a/common/compliance.h b/common/compliance.h -index 2ddf38f83..47d81f0f8 100644 +index 994869fc7..0b3d76ac8 100644 --- a/common/compliance.h +++ b/common/compliance.h @@ -38,7 +38,7 @@ void gnupg_initialize_compliance (int gnupg_module_name); @@ -77,10 +77,10 @@ index 2ddf38f83..47d81f0f8 100644 }; diff --git a/doc/gpg.texi b/doc/gpg.texi -index 834c5dda5..5a03ce592 100644 +index acca0c82a..018ec8659 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi -@@ -3102,18 +3102,15 @@ gpg.conf file. +@@ -3150,18 +3150,15 @@ gpg.conf file. @item --openpgp @opindex openpgp @@ -106,12 +106,12 @@ index 834c5dda5..5a03ce592 100644 @item --rfc4880bis @opindex rfc4880bis diff --git a/g10/gpg.c b/g10/gpg.c -index b64a65b5a..dce171efb 100644 +index d9db8e457..ac638dd9f 100644 --- a/g10/gpg.c +++ b/g10/gpg.c -@@ -2287,6 +2287,12 @@ set_compliance_option (enum cmd_and_opt_values option) - opt.def_new_key_algo = NULL; +@@ -2319,6 +2319,12 @@ set_compliance_option (enum cmd_and_opt_values option) break; + case oOpenPGP: + /* use MTIs from RFC 9580 at least: */ + set_compliance_option (oGnuPG); @@ -120,13 +120,13 @@ index b64a65b5a..dce171efb 100644 + opt.allow_freeform_uid = 1; + break; case oRFC4880: - set_compliance_option (oGnuPG); /* This is effectively the same as RFC2440, but with + "--enable-dsa2 --no-rfc2440-text --escape-from-lines diff --git a/g10/misc.c b/g10/misc.c -index 0e6d9d56c..b54f15250 100644 +index 468b1a4a5..f1348ff15 100644 --- a/g10/misc.c 
+++ b/g10/misc.c -@@ -1410,12 +1410,16 @@ compliance_failure(void) +@@ -1425,12 +1425,16 @@ compliance_failure(void) ver="GnuPG"; break; @@ -146,14 +146,17 @@ index 0e6d9d56c..b54f15250 100644 case CO_PGP7: diff --git a/g10/options.h b/g10/options.h -index 62d667277..db52701b3 100644 +index 5512ecb11..94ce556f9 100644 --- a/g10/options.h +++ b/g10/options.h -@@ -392,6 +392,7 @@ EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode; +@@ -407,6 +407,7 @@ EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode; - /* Compliance test macors. */ + /* Compliance test macros. */ #define GNUPG (opt.compliance==CO_GNUPG || opt.compliance==CO_DE_VS) +#define OPENPGP (opt.compliance==CO_OPENPGP) #define RFC2440 (opt.compliance==CO_RFC2440) #define RFC4880 (opt.compliance==CO_RFC4880) #define PGP7 (opt.compliance==CO_PGP7) +-- +2.39.5 + diff --git a/gnupg/0024-gpg-Do-not-use-a-default-when-asking-for-another-out.patch b/gnupg/0024-gpg-Do-not-use-a-default-when-asking-for-another-out.patch deleted file mode 100644 index bb019ff0f53..00000000000 --- a/gnupg/0024-gpg-Do-not-use-a-default-when-asking-for-another-out.patch +++ /dev/null 
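Review bot: In the refreshed `set_compliance_option` hunk of 0023-gpg-Reintroduce-openpgp-as-distinct-from-rfc4880.patch, the context line `set_compliance_option (oGnuPG);` that used to open the `case oRFC4880:` arm is removed (`- set_compliance_option (oGnuPG);`), and a matching context removal appears in the refreshed 0022 hunk, while the new `case oOpenPGP:` body still calls it. That reset of the option defaults was introduced by 0014-gpg-Sync-compliance-mode-cleanup-with-master.patch, which this change deletes; if the rebased base tree does not already reset the defaults at the top of the `oRFC4880`/`oRFC2440` arms, `--openpgp` would clear the LibrePGP-specific settings but `--rfc4880` and `--rfc2440` would inherit whatever an earlier option set, which is the ordering hazard 0014 was written to close. Please confirm against the base tree, and if the reset is present upstream, say in the series notes that 0014 was dropped because upstream now carries it. The enclosing switch extends beyond the hunk on both sides, so the arms' full bodies cannot be checked here.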
@@ -1,74 +0,0 @@ -From 9d89572219b1bd5d5e85ac227b3d8db63d99d37c Mon Sep 17 00:00:00 2001 -From: Werner Koch -Date: Mon, 27 Oct 2025 12:43:27 +0100 -Subject: [PATCH] gpg: Do not use a default when asking for another output - filename. - -* g10/options.h (COMPAT_SUGGEST_EMBEDDED_NAME): New. -* g10/gpg.c (compatibility_flags): New flags "suggest-embedded-name". -* g10/openfile.c (ask_outfile_name): Do not show a default unless the -compatibiliy flag is used. ---- - g10/gpg.c | 1 + - g10/openfile.c | 12 +++++++++--- - g10/options.h | 5 +++++ - 3 files changed, 15 insertions(+), 3 deletions(-) - -diff --git a/g10/gpg.c b/g10/gpg.c -index e3ec86c2a..f7d192c1a 100644 ---- a/g10/gpg.c -+++ b/g10/gpg.c -@@ -1038,6 +1038,7 @@ static struct debug_flags_s debug_flags [] = - static struct compatibility_flags_s compatibility_flags [] = - { - { COMPAT_COMPR_KEYS, "compr-keys" }, -+ { COMPAT_SUGGEST_EMBEDDED_NAME, "suggest-embedded-name" }, - { 0, NULL } - }; - -diff --git a/g10/openfile.c b/g10/openfile.c -index 5ca168a13..0c728db76 100644 ---- a/g10/openfile.c -+++ b/g10/openfile.c -@@ -125,7 +125,7 @@ make_outfile_name (const char *iname) - NAMELEN is its actual length. - */ - char * --ask_outfile_name( const char *name, size_t namelen ) -+ask_outfile_name (const char *name, size_t namelen) - { - size_t n; - const char *s; -@@ -136,8 +136,14 @@ ask_outfile_name( const char *name, size_t namelen ) - if ( opt.batch ) - return NULL; - -- defname = name && namelen? make_printable_string (name, namelen, 0) : NULL; -- -+ /* To avoid tricking the user into using the embedded filename we do -+ * not anymore include that name in the prompt as default. For -+ * modern v5 signature this might make sense as they are now covered -+ * by the signature but we better leave such a decision to a GUI. 
*/ -+ if (name && namelen && (opt.compat_flags & COMPAT_SUGGEST_EMBEDDED_NAME)) -+ defname = make_printable_string (name, namelen, 0); -+ else -+ defname = NULL; - s = _("Enter new filename"); - n = strlen(s) + (defname?strlen (defname):0) + 10; - prompt = xmalloc (n); -diff --git a/g10/options.h b/g10/options.h -index db52701b3..e7935ecee 100644 ---- a/g10/options.h -+++ b/g10/options.h -@@ -388,6 +388,11 @@ EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode; - - /* Compatibility flags */ - #define COMPAT_COMPR_KEYS 4 /* Allow import of compressed keys. (T7014) */ -+#define COMPAT_SUGGEST_EMBEDDED_NAME 16 /* Show the non-signed -+ * embedded filename as -+ * suggestion. */ -+ -+ - - - /* Compliance test macors. */ diff --git a/gnupg/0017-gpg-Emit-LibrePGP-material-only-in-compliance-gnupg.patch b/gnupg/0024-gpg-Emit-LibrePGP-material-only-in-compliance-gnupg.patch similarity index 80% rename from gnupg/0017-gpg-Emit-LibrePGP-material-only-in-compliance-gnupg.patch rename to gnupg/0024-gpg-Emit-LibrePGP-material-only-in-compliance-gnupg.patch index 8a0b3af3928..5de51bfa3bb 100644 --- a/gnupg/0017-gpg-Emit-LibrePGP-material-only-in-compliance-gnupg.patch +++ b/gnupg/0024-gpg-Emit-LibrePGP-material-only-in-compliance-gnupg.patch @@ -1,7 +1,8 @@ -From 08b9a243d573ee1d06daeb4f3a5f598712651bc0 Mon Sep 17 00:00:00 2001 +From fff7db37a1cb72a6ba9b07bf37073de089bec631 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 4 Feb 2025 02:56:36 -0500 -Subject: [PATCH] gpg: Emit LibrePGP material only in --compliance=gnupg +Subject: [PATCH GnuPG 15/17] gpg: Emit LibrePGP material only in + --compliance=gnupg * g10/encrypt.c (use_aead): only emit LibrePGP AEAD/OCB if in --compliance=gnupg or --force-ocb @@ -45,10 +46,10 @@ Signed-off-by: Daniel Kahn Gillmor 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/g10/encrypt.c b/g10/encrypt.c -index 5593f694c..de4811fe8 100644 +index 9b27b595b..35120de61 100644 --- a/g10/encrypt.c 
+++ b/g10/encrypt.c -@@ -358,6 +358,11 @@ use_aead (pk_list_t pk_list, int algo) +@@ -401,6 +401,11 @@ use_aead (pk_list_t pk_list, int algo) } return AEAD_ALGO_OCB; } @@ -61,19 +62,20 @@ index 5593f694c..de4811fe8 100644 /* AEAD does only work with 128 bit cipher blocklength. */ if (!can_use) diff --git a/g10/keygen.c b/g10/keygen.c -index 0eacd610d..c7af82c64 100644 +index fb78df701..8ad87cc5a 100644 --- a/g10/keygen.c +++ b/g10/keygen.c -@@ -455,7 +455,7 @@ keygen_set_std_prefs (const char *string,int personal) - strcat(dummy_string,"S7 "); - strcat(dummy_string,"S2 "); /* 3DES */ +@@ -489,8 +489,8 @@ keygen_set_std_prefs (const char *string,int personal) + strcat(dummy_string,"S7 "); /* AES-128 - LibrePGP default. */ + if ( !openpgp_cipher_test_algo (CIPHER_ALGO_3DES) ) + strcat(dummy_string,"S2 "); /* 3DES - RFC4880 default. */ - if (!openpgp_aead_test_algo (AEAD_ALGO_OCB)) + if ((opt.compliance == CO_GNUPG) && (!openpgp_aead_test_algo (AEAD_ALGO_OCB))) strcat(dummy_string,"A2 "); if (personal) -@@ -939,8 +939,10 @@ keygen_upd_std_prefs (PKT_signature *sig, void *opaque) +@@ -973,8 +973,10 @@ keygen_upd_std_prefs (PKT_signature *sig, void *opaque) /* Make sure that the MDC feature flag is set if needed. */ add_feature_mdc (sig,mdc_available); @@ -86,7 +88,7 @@ index 0eacd610d..c7af82c64 100644 add_keyserver_modify (sig,ks_modify); keygen_add_keyserver_url(sig,NULL); -@@ -3643,7 +3645,13 @@ parse_key_parameter_part (ctrl_t ctrl, +@@ -4098,7 +4100,13 @@ parse_key_parameter_part (ctrl_t ctrl, } } else if (!ascii_strcasecmp (s, "v5")) @@ -100,9 +102,9 @@ index 0eacd610d..c7af82c64 100644 else if (!ascii_strcasecmp (s, "v4")) keyversion = 4; else -@@ -3824,6 +3832,11 @@ parse_key_parameter_part (ctrl_t ctrl, - /* Ed448 and X448 must only be used as v5 keys. */ - if (is_448) +@@ -4279,6 +4287,11 @@ parse_key_parameter_part (ctrl_t ctrl, + /* Ed448, X448 and the PQC algos must only be used as v5 keys. */ + if (is_448 || is_pqc) { + if (opt.compliance != CO_GNUPG) + { 
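Review bot: The keygen.c preference line `if ((opt.compliance == CO_GNUPG) && (!openpgp_aead_test_algo (AEAD_ALGO_OCB)))` tests `CO_GNUPG` directly, whereas the `GNUPG` macro in g10/options.h (visible in the 0023 hunk) is defined as `CO_GNUPG || CO_DE_VS`, so after this patch keys generated under `--compliance=de-vs` will no longer advertise the A2 (OCB) preference. That may well be intended, since the patch's stated goal is to confine LibrePGP material to --compliance=gnupg, but it diverges from the macro's notion of GnuPG behaviour and deserves a one-line comment such as `/* Deliberately CO_GNUPG only (not the GNUPG macro): de-vs must not advertise LibrePGP AEAD. */`. The same direct `CO_GNUPG` comparison is used by the later parse_key_parameter_part hunks of this patch.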
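Review bot: The rebased context of the last parse_key_parameter_part hunk now reads `/* Ed448, X448 and the PQC algos must only be used as v5 keys. */` and `if (is_448 || is_pqc)`, so the `if (opt.compliance != CO_GNUPG)` guard this patch inserts inside that block now also covers the PQC algorithms, which it did not when the patch was written against a base with only `is_448`. Combined with 0026-gpg-Default-to-compliance-openpgp.patch, that appears to make PQC key generation fail unless the user explicitly selects `--compliance=gnupg`; the rest of the guarded block is outside the hunk, so what exactly is rejected cannot be confirmed here. If that is the intended policy, the patch description should state it explicitly; if not, the guard should be narrowed to `is_448` alone.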
@@ -112,3 +114,6 @@ index 0eacd610d..c7af82c64 100644 if (keyversion == 4) log_info (_("WARNING: v4 is specified, but overridden by v5.\n")); +-- +2.47.2 + diff --git a/gnupg/0018-gpg-gpgconf-list-report-actual-compliance-mode.patch b/gnupg/0025-gpg-gpgconf-list-report-actual-compliance-mode.patch similarity index 77% rename from gnupg/0018-gpg-gpgconf-list-report-actual-compliance-mode.patch rename to gnupg/0025-gpg-gpgconf-list-report-actual-compliance-mode.patch index b37ba7865f9..414b83e436f 100644 --- a/gnupg/0018-gpg-gpgconf-list-report-actual-compliance-mode.patch +++ b/gnupg/0025-gpg-gpgconf-list-report-actual-compliance-mode.patch @@ -1,7 +1,8 @@ -From d28ae3d4d943ec78626444ac96a7b59b53d94556 Mon Sep 17 00:00:00 2001 +From 8ce81ec493d07f408780451d7ce080217b5d1685 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 6 Feb 2025 12:58:31 -0500 -Subject: [PATCH] gpg: --gpgconf-list: report actual compliance mode +Subject: [PATCH GnuPG 16/17] gpg: --gpgconf-list: report actual compliance + mode * g10/gpg.c (gpgconf_list): report actual compliance mode @@ -14,10 +15,10 @@ Signed-off-by: Daniel Kahn Gillmor 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/g10/gpg.c b/g10/gpg.c -index dce171efb..32cef0a8d 100644 +index 86cc1d187..cba6f7366 100644 --- a/g10/gpg.c +++ b/g10/gpg.c -@@ -1995,7 +1995,8 @@ static void +@@ -2004,7 +2004,8 @@ static void gpgconf_list (void) { es_printf ("debug-level:%lu:\"none:\n", GC_OPT_FLAG_DEFAULT); @@ -27,3 +28,6 @@ index dce171efb..32cef0a8d 100644 /* The next one is an info only item and should match the macros at the top of keygen.c */ +-- +2.47.2 + diff --git a/gnupg/0019-gpg-Default-to-compliance-openpgp.patch b/gnupg/0026-gpg-Default-to-compliance-openpgp.patch similarity index 86% rename from gnupg/0019-gpg-Default-to-compliance-openpgp.patch rename to gnupg/0026-gpg-Default-to-compliance-openpgp.patch index 6aa1b46e974..8bddbdd7e39 100644 --- a/gnupg/0019-gpg-Default-to-compliance-openpgp.patch 
+++ b/gnupg/0026-gpg-Default-to-compliance-openpgp.patch @@ -1,7 +1,7 @@ -From 2b544356081d85a66f632d62243d958b698c1540 Mon Sep 17 00:00:00 2001 +From b602719515d741f807305a159c4d9ea58f747ce9 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 4 Feb 2025 02:06:53 -0500 -Subject: [PATCH] gpg: Default to --compliance=openpgp +Subject: [PATCH GnuPG 17/17] gpg: Default to --compliance=openpgp * g10/gpg.c (main): default set_compliance_option(oOpenPGP). @@ -23,10 +23,10 @@ Signed-off-by: Daniel Kahn Gillmor 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/gpg.texi b/doc/gpg.texi -index 5a03ce592..5f648e583 100644 +index 4abbb7906..a719603e2 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi -@@ -3096,15 +3096,15 @@ options. +@@ -3080,15 +3080,15 @@ options. @opindex gnupg Use standard GnuPG behavior. This is now LibrePGP behavior, which is a different draft protocol that overlaps in some cases with @@ -47,13 +47,13 @@ index 5a03ce592..5f648e583 100644 @item --rfc4880 @opindex rfc4880 diff --git a/g10/gpg.c b/g10/gpg.c -index 32cef0a8d..e3ec86c2a 100644 +index cba6f7366..70513d28b 100644 --- a/g10/gpg.c +++ b/g10/gpg.c -@@ -2519,7 +2519,7 @@ main (int argc, char **argv) - opt.passphrase_repeat = 1; +@@ -2536,7 +2536,7 @@ main (int argc, char **argv) opt.emit_version = 0; opt.weak_digests = NULL; + opt.with_subkey_fingerprint = 1; - set_compliance_option (oGnuPG); + set_compliance_option (oOpenPGP); @@ -72,3 +72,6 @@ index ef2f7b0bc..ed903ce5b 100755 -r ,"patrice.lumumba" -r ,"mahsa.amini")) (tr:call-with-content +-- +2.47.2 + diff --git a/gnupg/0020-gpg-Fix-newlines-in-Cleartext-Signature-Framework-CS.patch b/gnupg/0027-gpg-Fix-newlines-in-Cleartext-Signature-Framework-CS.patch similarity index 93% rename from gnupg/0020-gpg-Fix-newlines-in-Cleartext-Signature-Framework-CS.patch rename to gnupg/0027-gpg-Fix-newlines-in-Cleartext-Signature-Framework-CS.patch index 031741706f3..ac1762c028c 100644 
--- a/gnupg/0020-gpg-Fix-newlines-in-Cleartext-Signature-Framework-CS.patch +++ b/gnupg/0027-gpg-Fix-newlines-in-Cleartext-Signature-Framework-CS.patch @@ -1,8 +1,7 @@ -From 69bed7ff1a66be0379816494603e73790cfca922 Mon Sep 17 00:00:00 2001 +From d285d8d3c09fc7951179798c2747805e7a9e3109 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Thu, 20 Feb 2025 20:03:48 -0500 -Subject: [PATCH] gpg: Fix newlines in Cleartext Signature Framework (CSF) - messages +Subject: gpg: Fix newlines in Cleartext Signature Framework (CSF) messages * g10/armor.c (fake_packet): trim the final newline (and any trailing whitespace) from synthetic literal data packet when parsing CSF. @@ -45,10 +44,10 @@ Signed-off-by: Daniel Kahn Gillmor 4 files changed, 28 insertions(+), 53 deletions(-) diff --git a/g10/armor.c b/g10/armor.c -index f8cfa86db..16a8da020 100644 +index cd1c5fcad..dae6b99d4 100644 --- a/g10/armor.c +++ b/g10/armor.c -@@ -777,6 +777,16 @@ fake_packet( armor_filter_context_t *afx, IOBUF a, +@@ -787,6 +787,16 @@ fake_packet( armor_filter_context_t *afx, IOBUF a, } if( lastline ) { /* write last (ending) length header */ @@ -66,10 +65,10 @@ index f8cfa86db..16a8da020 100644 buf[len++]=tempbuf_len; else diff --git a/g10/plaintext.c b/g10/plaintext.c -index 5c21dd7f6..c906d05b6 100644 +index a96214994..ff001e971 100644 --- a/g10/plaintext.c +++ b/g10/plaintext.c -@@ -439,9 +439,9 @@ handle_plaintext (PKT_plaintext * pt, md_filter_context_t * mfx, +@@ -432,9 +432,9 @@ handle_plaintext (PKT_plaintext * pt, md_filter_context_t * mfx, } pt->buf = NULL; } @@ -81,7 +80,7 @@ index 5c21dd7f6..c906d05b6 100644 while ((c = iobuf_get (pt->buf)) != -1) { -@@ -464,37 +464,10 @@ handle_plaintext (PKT_plaintext * pt, md_filter_context_t * mfx, +@@ -457,37 +457,10 @@ handle_plaintext (PKT_plaintext * pt, md_filter_context_t * mfx, } if (!mfx->md) continue; @@ -171,7 +170,7 @@ index 3e68900bb..d8837b30e 100644 if( truncated ) log_info(_("input line longer than %d characters\n"), MAX_LINELEN ); 
diff --git a/tests/openpgp/clearsig.scm b/tests/openpgp/clearsig.scm -index b1c72c2ec..e99659641 100755 +index a627d53a7..39c8055ec 100755 --- a/tests/openpgp/clearsig.scm +++ b/tests/openpgp/clearsig.scm @@ -30,12 +30,7 @@ @@ -208,5 +207,8 @@ index b1c72c2ec..e99659641 100755 + ;; section 7.1), so verification will succeed, but the type- + ;; specific data passed to the digest will not be identical. ("this is a sig test - " #f ()) + " #f ()))) +-- +2.39.5 + diff --git a/gnupg/0028-Revert-Remove-the-default-keyserver.patch b/gnupg/0028-Revert-Remove-the-default-keyserver.patch new file mode 100644 index 00000000000..e986ff654ae --- /dev/null +++ b/gnupg/0028-Revert-Remove-the-default-keyserver.patch 
@@ -0,0 +1,73 @@ +From 864271933114dbde609480aba0df21ca817bc134 Mon Sep 17 00:00:00 2001 +From: Hooty McOwlface <21995603-hooty@users.noreply.gitlab.com> +Date: Mon, 24 Feb 2025 00:16:45 +0000 +Subject: Revert "Remove the default keyserver." + +This reverts commit a2f2523b99ff0ce27bd83558db40496b0528ecf6. +--- + NEWS | 1 - + configure.ac | 2 +- + dirmngr/server.c | 6 ++---- + doc/dirmngr.texi | 4 +++- + 4 files changed, 6 insertions(+), 7 deletions(-) + +diff --git a/NEWS b/NEWS +index b08fa7899..a9b349a43 100644 +--- a/NEWS ++++ b/NEWS +@@ -53,7 +53,6 @@ Noteworthy changes in version 2.5.3 (2025-01-09) + renamed to --deprecated-supervised as preparation for their + removal. [rGa019a0fcd8] + +- * There is no more default for a keyserver. + + See-also: gnupg-announce/2025q1/000489.html + Release-info: https://dev.gnupg.org/T7442 +diff --git a/configure.ac b/configure.ac +index 07a085115..a04c1d5bc 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1927,7 +1927,7 @@ AC_DEFINE_UNQUOTED(TPM2DAEMON_SOCK_NAME, "S.tpm2daemon", + AC_DEFINE_UNQUOTED(DIRMNGR_SOCK_NAME, "S.dirmngr", + [The name of the dirmngr socket]) + AC_DEFINE_UNQUOTED(DIRMNGR_DEFAULT_KEYSERVER, +- "hkps://none", ++ "hkps://keyserver.ubuntu.com", + [The default keyserver for dirmngr to use, if none is explicitly given]) + + AC_DEFINE_UNQUOTED(GPGEXT_GPG, "gpg", [The standard binary file suffix]) +diff --git a/dirmngr/server.c b/dirmngr/server.c +index ed8e3caf6..710317e5e 100644 +--- a/dirmngr/server.c ++++ b/dirmngr/server.c +@@ -2209,10 +2209,8 @@ ensure_keyserver (ctrl_t ctrl) + if (!opt.keyserver) + { + /* No global option set. Fall back to default: */ +- /* return make_keyserver_item (DIRMNGR_DEFAULT_KEYSERVER, */ +- /* &ctrl->server_local->keyservers); */ +- err = gpg_error (GPG_ERR_NO_KEYSERVER); /* No more default. 
*/ +- goto leave; ++ return make_keyserver_item (DIRMNGR_DEFAULT_KEYSERVER, ++ &ctrl->server_local->keyservers); + } + + for (sl = opt.keyserver; sl; sl = sl->next) +diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi +index 9683ea5ab..d986eaafa 100644 +--- a/doc/dirmngr.texi ++++ b/doc/dirmngr.texi +@@ -349,7 +349,9 @@ service (.onion), Dirmngr selects the keyserver to use depending on + configured values are removed. This can be used to override a value + specified in the global config file. + +-There is no default keyserver since version 2.5.3. ++If no keyserver is explicitly configured, dirmngr will use the ++built-in default of @code{https://keyserver.ubuntu.com}. To avoid the ++use of a default keyserver the value @code{none} can be used. + + Windows users with a keyserver running on their Active Directory + may use the short form @code{ldap:///} for @var{name} to access this directory. +-- +2.39.5 + diff --git a/gnupg/0021-Add-keyboxd-systemd-support.patch b/gnupg/0029-Add-keyboxd-systemd-support.patch similarity index 92% rename from gnupg/0021-Add-keyboxd-systemd-support.patch rename to gnupg/0029-Add-keyboxd-systemd-support.patch index c5275e6d970..a60de832805 100644 --- a/gnupg/0021-Add-keyboxd-systemd-support.patch +++ b/gnupg/0029-Add-keyboxd-systemd-support.patch @@ -1,7 +1,7 @@ -From f725b1a4aeb5d4157d2d5478ebda678b4b586519 Mon Sep 17 00:00:00 2001 +From 001f9553eb455f4462b63a1a2cb823a2a8e26608 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Tue, 22 Aug 2023 15:20:54 +0900 -Subject: [PATCH] Add keyboxd systemd support +Subject: Add keyboxd systemd support Forwarded: not-needed Last-Update: 2023-08-22 @@ -14,7 +14,7 @@ Last-Update: 2023-08-22 create mode 100644 doc/examples/systemd-user/keyboxd.socket diff --git a/doc/Makefile.am b/doc/Makefile.am -index 03d9ebc7f..0c9c83955 100644 +index c0b5184ed..240aa05ac 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -33,6 +33,8 @@ examples = examples/README examples/scd-event examples/trustlist.txt \ 
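Review bot: The doc/dirmngr.texi hunk of the new 0028 patch tells users the built-in default is `@code{https://keyserver.ubuntu.com}` while the configure.ac hunk in the same patch sets DIRMNGR_DEFAULT_KEYSERVER to `"hkps://keyserver.ubuntu.com"`; the documentation should say `hkps://` so nobody expects plain HTTPS there. The dirmngr/server.c replacement returns `make_keyserver_item (...)` directly where the reverted code set `err` and jumped to `leave`; if that was the only use of `err` on the path the build may now warn — the rest of ensure_keyserver is outside the hunk, so this is worth a compile check. This revert also reverses the upstream 2.5.3 decision recorded in the NEWS hunk and makes dirmngr contact a third-party keyserver whenever none is configured, and the patch carries only a pseudonymous From: line and no Signed-off-by unlike the other patches in this series, so a short comment in the PKGBUILD explaining why this package wants that default and where the patch was taken from would help future maintainers.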
@@ -57,3 +57,6 @@ index 000000000..d4572f1b6 + +[Install] +WantedBy=sockets.target +-- +2.47.2 + diff --git a/gnupg/0022-Support-large-RSA-keygen-in-non-batch-mode.patch b/gnupg/0033-Support-large-RSA-keygen-in-non-batch-mode.patch similarity index 76% rename from gnupg/0022-Support-large-RSA-keygen-in-non-batch-mode.patch rename to gnupg/0033-Support-large-RSA-keygen-in-non-batch-mode.patch index ae348db863d..c6c5fef7d8d 100644 --- a/gnupg/0022-Support-large-RSA-keygen-in-non-batch-mode.patch +++ b/gnupg/0033-Support-large-RSA-keygen-in-non-batch-mode.patch @@ -1,7 +1,7 @@ -From 5c196d7fb655f0195edc5080cb707a294f86ce4d Mon Sep 17 00:00:00 2001 +From 5976b75cfd29018fa189375041ebe7d30a7a8432 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Tue, 11 Feb 2025 14:44:23 +0100 -Subject: [PATCH] Support large RSA keygen in non-batch mode +Subject: Support large RSA keygen in non-batch mode --- doc/gpg.texi | 11 +++++------ @@ -10,19 +10,19 @@ Subject: [PATCH] Support large RSA keygen in non-batch mode 3 files changed, 19 insertions(+), 7 deletions(-) diff --git a/doc/gpg.texi b/doc/gpg.texi -index 5f648e583..56ef02b91 100644 +index 9ccb74996..a11857235 100644 --- a/doc/gpg.texi 
+++ b/doc/gpg.texi -@@ -1543,12 +1543,11 @@ the opposite meaning. The options are: +@@ -1524,12 +1524,11 @@ the opposite meaning. The options are: @itemx --disable-large-rsa @opindex enable-large-rsa @opindex disable-large-rsa --With --generate-key and --batch, enable the creation of RSA secret keys as --large as 8192 bit. Note: 8192 bit is more than is generally --recommended. These large keys don't significantly improve security, --but they are more expensive to use, and their signatures and --certifications are larger. This option is only available if the --binary was build with large-secmem support. +-With @option{--generate-key} and @option{--batch}, enable the creation +-of RSA secret keys as large as 8192 bit. Note: 8192 bit is more than +-is generally recommended. These large keys don't significantly +-improve security, but they are more expensive to use, and their +-signatures and certifications are larger. This option is only +-available if the binary was build with large-secmem support. +Enable the creation of RSA secret keys as large as 8192 bit. +Note: 8192 bit is more than is generally recommended. These large +keys don't significantly improve security, but they are more expensive @@ -32,10 +32,10 @@ index 5f648e583..56ef02b91 100644 @item --enable-dsa2 @itemx --disable-dsa2 diff --git a/g10/keygen.c b/g10/keygen.c -index c7af82c64..23ffe101b 100644 +index 5d936feab..dec517121 100644 --- a/g10/keygen.c +++ b/g10/keygen.c -@@ -2673,7 +2673,7 @@ get_keysize_range (int algo, unsigned int *min, unsigned int *max) +@@ -3022,7 +3022,7 @@ get_keysize_range (int algo, unsigned int *min, unsigned int *max) default: *min = opt.compliance == CO_DE_VS ? 2048: 1024; @@ -75,3 +75,6 @@ index 71d222a22..37ac708fc 100755 (info "Checking that we can add a user ID...") ;; Make sure the key capabilities don't change when we add a user id. +-- +2.39.5 + 
diff --git a/gnupg/0023-gpg-Verify-Text-mode-Signatures-over-binary-Literal-.patch b/gnupg/0034-gpg-Verify-Text-mode-Signatures-over-binary-Literal-.patch similarity index 87% rename from gnupg/0023-gpg-Verify-Text-mode-Signatures-over-binary-Literal-.patch rename to gnupg/0034-gpg-Verify-Text-mode-Signatures-over-binary-Literal-.patch index fb2eee91f84..652e93dedd6 100644 --- a/gnupg/0023-gpg-Verify-Text-mode-Signatures-over-binary-Literal-.patch +++ b/gnupg/0034-gpg-Verify-Text-mode-Signatures-over-binary-Literal-.patch @@ -1,8 +1,7 @@ -From f27f9f0d589556918e4b5a931c79c871671548ab Mon Sep 17 00:00:00 2001 +From 76e4d45d4ecbee09eaecbdfa5a868eaa8372e351 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 4 Mar 2025 23:56:30 -0500 -Subject: [PATCH] gpg: Verify Text mode Signatures over binary Literal Data - Packets +Subject: gpg: Verify Text mode Signatures over binary Literal Data Packets * tests/openpgp/issue7539{.scm,-signer.asc,message.asc}: Add test with text-mode Signature over binary Literal Data Packet. @@ -53,7 +52,7 @@ Signed-off-by: Daniel Kahn Gillmor create mode 100644 tests/openpgp/issue7539.scm diff --git a/g10/filter.h b/g10/filter.h -index 4b4fc55ff..8e1662b4e 100644 +index b15ce6aa5..c066898b2 100644 --- a/g10/filter.h +++ b/g10/filter.h @@ -27,6 +27,8 @@ typedef struct { @@ -64,12 +63,12 @@ index 4b4fc55ff..8e1662b4e 100644 + int seen_cr; /* 1 if last octet hashed was '\r' */ } md_filter_context_t; - typedef struct { + typedef struct md_thd_filter_context *md_thd_filter_context_t; diff --git a/g10/mainproc.c b/g10/mainproc.c -index dfd6403dd..fc585ee04 100644 +index 7f63e3b16..ef4a61a39 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c -@@ -971,9 +971,12 @@ proc_plaintext( CTX c, PACKET *pkt ) +@@ -994,9 +994,12 @@ proc_plaintext( CTX c, PACKET *pkt ) if (n->pkt->pkt.onepass_sig->digest_algo) { if (!opt.skip_verify) 
@@ -85,7 +84,7 @@ index dfd6403dd..fc585ee04 100644 any = 1; } } -@@ -992,7 +995,10 @@ proc_plaintext( CTX c, PACKET *pkt ) +@@ -1015,7 +1018,10 @@ proc_plaintext( CTX c, PACKET *pkt ) clearsig = (*data == 0x01); for (data++, datalen--; datalen; datalen--, data++) if (!opt.skip_verify) @@ -97,7 +96,7 @@ index dfd6403dd..fc585ee04 100644 any = 1; break; /* Stop here as one-pass signature packets are not expected. */ -@@ -1001,7 +1007,11 @@ proc_plaintext( CTX c, PACKET *pkt ) +@@ -1024,7 +1030,11 @@ proc_plaintext( CTX c, PACKET *pkt ) { /* The SIG+LITERAL case that PGP used to use. */ if (!opt.skip_verify) @@ -111,10 +110,10 @@ index dfd6403dd..fc585ee04 100644 } } diff --git a/g10/mdfilter.c b/g10/mdfilter.c -index f3318f15c..4872d9cb4 100644 +index a655d6d72..656661e49 100644 --- a/g10/mdfilter.c +++ b/g10/mdfilter.c -@@ -40,7 +40,7 @@ md_filter( void *opaque, int control, +@@ -41,7 +41,7 @@ md_filter( void *opaque, int control, { size_t size = *ret_len; md_filter_context_t *mfx = opaque; @@ -123,7 +122,7 @@ index f3318f15c..4872d9cb4 100644 if( control == IOBUFCTRL_UNDERFLOW ) { if( mfx->maxbuf_size && size > mfx->maxbuf_size ) -@@ -48,7 +48,16 @@ md_filter( void *opaque, int control, +@@ -49,7 +49,16 @@ md_filter( void *opaque, int control, i = iobuf_read( a, buf, size ); if( i == -1 ) i = 0; if( i ) { @@ -141,18 +140,20 @@ index f3318f15c..4872d9cb4 100644 if( mfx->md2 ) gcry_md_write(mfx->md2, buf, i ); } -@@ -70,4 +79,6 @@ free_md_filter_context( md_filter_context_t *mfx ) +@@ -71,6 +80,8 @@ free_md_filter_context( md_filter_context_t *mfx ) mfx->md = NULL; mfx->md2 = NULL; mfx->maxbuf_size = 0; + mfx->textmode = 0; + mfx->seen_cr = 0; } + + diff --git a/g10/plaintext.c b/g10/plaintext.c -index c906d05b6..25da64a78 100644 +index ff001e971..848849337 100644 --- a/g10/plaintext.c 
+++ b/g10/plaintext.c -@@ -311,6 +311,7 @@ handle_plaintext (PKT_plaintext * pt, md_filter_context_t * mfx, +@@ -304,6 +304,7 @@ handle_plaintext (PKT_plaintext * pt, md_filter_context_t * mfx, while (pt->len) { int len = pt->len > temp_size ? temp_size : pt->len; @@ -160,7 +161,7 @@ index c906d05b6..25da64a78 100644 len = iobuf_read (pt->buf, buffer, len); if (len == -1) { -@@ -321,7 +322,18 @@ handle_plaintext (PKT_plaintext * pt, md_filter_context_t * mfx, +@@ -314,7 +315,18 @@ handle_plaintext (PKT_plaintext * pt, md_filter_context_t * mfx, goto leave; } if (mfx->md) @@ -180,7 +181,7 @@ index c906d05b6..25da64a78 100644 if (fp) { if (opt.max_output && (count += len) > opt.max_output) -@@ -409,12 +421,24 @@ handle_plaintext (PKT_plaintext * pt, md_filter_context_t * mfx, +@@ -402,12 +414,24 @@ handle_plaintext (PKT_plaintext * pt, md_filter_context_t * mfx, * So, always assume EOF if iobuf_read returns less bytes * then requested */ int len = iobuf_read (pt->buf, buffer, temp_size); @@ -207,30 +208,26 @@ index c906d05b6..25da64a78 100644 { if (opt.max_output && (count += len) > opt.max_output) diff --git a/tests/openpgp/Makefile.am b/tests/openpgp/Makefile.am -index ea8207e28..bf2f11a08 100644 +index a446836d3..31eedb153 100644 --- a/tests/openpgp/Makefile.am 
+++ b/tests/openpgp/Makefile.am -@@ -105,7 +105,8 @@ XTESTS = \ +@@ -99,6 +99,7 @@ XTESTS = \ + delete-keys.scm \ + gpgconf.scm \ + add-recipient.scm \ ++ issue7539.scm \ + issue2015.scm \ + issue2346.scm \ issue2417.scm \ - issue2419.scm \ - issue2929.scm \ -- issue2941.scm -+ issue2941.scm \ -+ issue7539.scm - - - # XXX: Currently, one cannot override automake's 'check' target. As a -@@ -178,7 +179,9 @@ TEST_FILES = pubring.asc secring.asc plain-1o.asc plain-2o.asc plain-3o.asc \ - trust-pgp/david.sec.asc \ - trust-pgp/frank.sec.asc \ - trust-pgp/grace.sec.asc \ -- trust-pgp/heidi.sec.asc -+ trust-pgp/heidi.sec.asc \ +@@ -167,6 +168,8 @@ TEST_FILES = pubring.asc secring.asc plain-1o.asc plain-2o.asc plain-3o.asc \ + key-selection/2.asc \ + key-selection/3.asc \ + key-selection/4.asc \ + issue7539-signer.asc \ -+ issue7539-message.asc - - data_files = data-500 data-9000 data-32000 data-80000 plain-large - ++ issue7539-message.asc \ + trust-pgp/scenario1.asc \ + trust-pgp/scenario2.asc \ + trust-pgp/scenario3.asc \ diff --git a/tests/openpgp/issue7539-message.asc b/tests/openpgp/issue7539-message.asc new file mode 100644 index 000000000..d9627e9de @@ -295,3 +292,6 @@ index 000000000..c84c40feb + +(call-check `(,@gpg --import ,keyfile)) +(call-check `(,@gpg --verify ,msg)) +-- +2.47.2 + diff --git a/gnupg/0040-Add-missing-test-files-to-EXTRA_DIST.patch b/gnupg/0040-Add-missing-test-files-to-EXTRA_DIST.patch new file mode 100644 index 00000000000..57b6643caca --- /dev/null +++ b/gnupg/0040-Add-missing-test-files-to-EXTRA_DIST.patch 
@@ -0,0 +1,33 @@ +From 2b5c04bfae6daf416c182d16f2a7e30a4d062cf1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= +Date: Sat, 17 Jan 2026 16:01:52 +0100 +Subject: [PATCH GnuPG] Add missing test files to EXTRA_DIST +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Add EXTRA_DIST entries for the tests introduced in the "tests: add test +cases for import without uid" patch. + +Signed-off-by: Michał Górny +--- + tests/openpgp/Makefile.am | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/tests/openpgp/Makefile.am b/tests/openpgp/Makefile.am +index 41f23bf76..6d95736bf 100644 +--- a/tests/openpgp/Makefile.am ++++ b/tests/openpgp/Makefile.am +@@ -164,7 +164,12 @@ TEST_FILES = pubring.asc secring.asc plain-1o.asc plain-2o.asc plain-3o.asc \ + tofu/cross-sigs/871C2247-3.gpg \ + tofu/cross-sigs/871C2247-3.txt \ + tofu/cross-sigs/871C2247-4.gpg \ + tofu/cross-sigs/README \ ++ import-incomplete/primary+revocation.asc \ ++ import-incomplete/primary+subkey+sub-revocation.asc \ ++ import-incomplete/primary+subkey+sub-sig.asc \ ++ import-incomplete/primary+uid.asc \ ++ import-incomplete/primary+uid-sig.asc \ + key-selection/0.asc \ + key-selection/1.asc \ + key-selection/2.asc \ diff --git a/gnupg/0041-skip-trust-packets-during-import-restore.patch b/gnupg/0041-skip-trust-packets-during-import-restore.patch new file mode 100644 index 00000000000..f77ff5abf37 --- /dev/null +++ b/gnupg/0041-skip-trust-packets-during-import-restore.patch 
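Review bot: The new 0040 patch adds five `import-incomplete/*.asc` entries to TEST_FILES, but the patch list in this PKGBUILD no longer applies a "tests: add test cases for import without uid" patch (the old 0003-tests-add-test-cases-for-import-without-uid.patch was removed from source=()), so unless the 2.5.19 tarball already ships those files, `make dist`/`distcheck` will fail on the missing entries and the test they were meant to accompany never runs. Either re-add the tests patch ahead of 0040 or drop 0040. The commit message also says EXTRA_DIST while the hunk edits TEST_FILES; if TEST_FILES is folded into EXTRA_DIST further down in Makefile.am (outside the hunk) that is fine, otherwise the message should name the variable actually changed.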
@@ -0,0 +1,27 @@ +From 8ee9269a8e616485e7261d6cc6357bbdecad111e Mon Sep 17 00:00:00 2001 +From: Andrew Gallagher +Date: Tue, 6 Jan 2026 17:54:26 +0000 +Subject: skip trust packets during import-restore + +--- + g10/import.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/g10/import.c b/g10/import.c +index 882b3c453..29bcacbf5 100644 +--- a/g10/import.c ++++ b/g10/import.c +@@ -1084,9 +1084,7 @@ read_block( IOBUF a, unsigned int options, + break; + + case PKT_RING_TRUST: +- /* Skip those packets unless we are in restore mode. */ +- if ((opt.import_options & IMPORT_RESTORE)) +- goto x_default; ++ /* Skip trust packets. */ + free_packet (pkt, &parsectx); + init_packet(pkt); + break; +-- +2.39.3 (Apple Git-145) + diff --git a/gnupg/0042-compat-ignore-truncated-line.patch b/gnupg/0042-compat-ignore-truncated-line.patch new file mode 100644 index 00000000000..11581991650 --- /dev/null +++ b/gnupg/0042-compat-ignore-truncated-line.patch 
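Review bot: The new 0041 patch makes read_block drop PKT_RING_TRUST packets unconditionally, so `--import-options restore` silently stops restoring ring-trust data, yet the patch body carries no rationale and its diffstat shows only g10/import.c changed — the documentation of the restore import option is not updated to say these packets are now ignored. A sentence in the commit body explaining why restore must not honour them, plus a matching doc change, would make this reviewable. The removed `goto x_default` may also have been the only reference to that label; if so the compiler will warn about an unused label — the rest of read_block is outside the hunk.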
@@ -0,0 +1,58 @@ +From 586700dd0563bfed1863c282e0fab7d300098fa8 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka +Date: Tue, 6 Jan 2026 18:56:40 +0000 +Subject: compat ignore truncated line + +--- + +diff --git a/g10/armor.c b/g10/armor.c +index 9ea412ae3..b03b3cdff 100644 +--- a/g10/armor.c ++++ b/g10/armor.c +@@ -1566,11 +1566,16 @@ armor_filter( void *opaque, int control, + /* Note that in a cleartext signature truncated lines in the + * plaintext are detected and propagated to the signature + * checking code by inserting a \f into the plaintext. We do +- * not use log_info here because some of the truncated lines +- * are harmless. */ +- if( afx->truncated ) +- log_info(_("invalid armor: line longer than %d characters\n"), +- MAX_LINELEN ); ++ * not use log_error here because some of the truncated lines ++ * are harmless, in compatibility mode. */ ++ if( afx->truncated ) { ++ if((opt.compat_flags & COMPAT_IGNORE_TRUNCATED_LINE)) ++ log_info(_("invalid armor: line longer than %d characters\n"), ++ MAX_LINELEN ); ++ else ++ log_error(_("invalid armor: line longer than %d characters\n"), ++ MAX_LINELEN ); ++ } + /* issue an error to enforce dissemination of correct software */ + if( afx->qp_detected ) + log_error(_("quoted printable character in armor - " +diff --git a/g10/gpg.c b/g10/gpg.c +index 99fe5b844..7ef911bbc 100644 +--- a/g10/gpg.c ++++ b/g10/gpg.c +@@ -1065,7 +1065,8 @@ static struct compatibility_flags_s compatibility_flags [] = + { COMPAT_COMPR_KEYS, "compr-keys" }, + { COMPAT_NO_MANU, "no-manu" }, + { COMPAT_SUGGEST_EMBEDDED_NAME, "suggest-embedded-name" }, + { COMPAT_ALLOW_NOT_DASH_ESCAPED, "allow-not-dash-escaped" }, ++ { COMPAT_IGNORE_TRUNCATED_LINE, "ignore-truncated-line" }, + { 0, NULL } + }; + +diff --git a/g10/options.h b/g10/options.h +index 962f45f16..80d1fe239 100644 +--- a/g10/options.h ++++ b/g10/options.h +@@ -407,6 +407,7 @@ EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode; + #define COMPAT_SUGGEST_EMBEDDED_NAME 16 /* Show the 
non-signed + * embedded filename as + * suggestion. */ + #define COMPAT_ALLOW_NOT_DASH_ESCAPED 32 /* Handle NotDashEscaped header. */ ++#define COMPAT_IGNORE_TRUNCATED_LINE 64 /* Ignore truncated line. */ + + diff --git a/gnupg/0043-fail-on-unprintable-armor-headers.patch b/gnupg/0043-fail-on-unprintable-armor-headers.patch new file mode 100644 index 00000000000..dcb99de3599 --- /dev/null +++ b/gnupg/0043-fail-on-unprintable-armor-headers.patch @@ -0,0 +1,47 @@ +From 586700dd0563bfed1863c282e0fab7d300098fa8 Mon Sep 17 00:00:00 2001 +From: Andrew Gallagher +Date: Tue, 6 Jan 2026 18:56:40 +0000 +Subject: fail on unprintable armor headers + +--- + g10/armor.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/g10/armor.c b/g10/armor.c +index dae6b99d4..7de6d0438 100644 +--- a/g10/armor.c ++++ b/g10/armor.c +@@ -466,6 +466,13 @@ parse_header_line( armor_filter_context_t *afx, byte *line, unsigned int len ) + int hashes=0; + unsigned int len2; + ++ if (strlen(line) != len) ++ { ++ /* There must be an embedded null byte in the armor header */ ++ log_error(_("invalid clearsig header\n")); ++ return -1; ++ } ++ + len2 = length_sans_trailing_ws ( line, len ); + if( !len2 ) { + afx->buffer_pos = len2; /* (it is not the fine way to do it here) */ +@@ -513,7 +520,15 @@ parse_header_line( armor_filter_context_t *afx, byte *line, unsigned int len ) + else if ((opt.compat_flags & COMPAT_ALLOW_NOT_DASH_ESCAPED) + && strlen (line) > 15 + && !memcmp( line, "NotDashEscaped:", 15 ) ) +- afx->not_dash_escaped = 1; ++ { ++ for (unsigned int i=15; inot_dash_escaped = 1; ++ } + else + { + log_error(_("invalid clearsig header\n")); +-- +2.39.3 (Apple Git-145) + diff --git a/gnupg/PKGBUILD b/gnupg/PKGBUILD index eb150abd107..66a18956825 100644 --- a/gnupg/PKGBUILD +++ b/gnupg/PKGBUILD 
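Review bot: The new 0042 and 0043 patches carry the same `From 586700dd0563bfed1863c282e0fab7d300098fa8` commit id and the same date while naming different authors (NIIBE Yutaka vs Andrew Gallagher), and 0042 has an empty diffstat between its `---` and the first `diff --git`; these headers look hand-assembled, so the provenance of both should be checked against the branch the PKGBUILD comment points to and the ids corrected. On the change itself, armor.c now calls log_error for an over-long armor line unless `ignore-truncated-line` is set, which gpg treats as an error in its exit status, but nothing in the patch documents the new compatibility flag (compatibility_flags[] gains it, doc/gpg.texi is not touched), so a user hit by the stricter default cannot discover the opt-out. Patches 0041-0043 also have no Signed-off-by, unlike the rest of the series.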
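Review bot: The NotDashEscaped hunk of the new 0043 patch is garbled in this file: `++ for (unsigned int i=15; inot_dash_escaped = 1;` has lost everything between `i` and `not_dash_escaped` (the loop bound, the loop body and the `afx->` before the assignment), most likely stripped at a `<` when the patch was pasted, and the hunk header promises 8 new lines where only a few survive, so `patch` will reject the hunk or the diffstat's 16 insertions will not match; regenerate it with `git format-patch` and re-verify its sha256sum in the PKGBUILD. The added `strlen(line) != len` guard is a sound embedded-NUL check, but it presupposes that `line` is NUL-terminated at `len` (the existing `strlen (line) > 15` test below already relies on that), so a comment stating the invariant at the guard would help: `/* line is NUL-terminated by the caller; a shorter strlen means an embedded NUL */`.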
@@ -1,7 +1,7 @@ # Maintainer: Alexey Pavlov pkgname=gnupg -pkgver=2.4.9 +pkgver=2.5.19 pkgrel=1 pkgdesc='Complete and free implementation of the OpenPGP standard' provides=('dirmngr' "gnupg2=${pkgver}") 
@@ -58,60 +58,64 @@ depends=('bzip2' ) source=("https://gnupg.org/ftp/gcrypt/${pkgname}/${pkgname}-${pkgver}.tar.bz2"{,.sig} '0001-gnupg-2.2.8-msys2.patch' - gnupg-2.4-avoid_beta_warning.patch - # patches maintained by freepg project: https://gitlab.com/freepg/gnupg/-/commits/gnupg-2.4.8-freepg - 0001-gpg-accept-subkeys-with-a-good-revocation-but-no-sel.patch - 0002-gpg-allow-import-of-previously-known-keys-even-witho.patch - 0003-tests-add-test-cases-for-import-without-uid.patch - 0004-gpg-drop-import-clean-from-default-keyserver-import-.patch - 0005-avoid-systemd-deprecation-warning.patch - 0006-Add-systemd-support-for-keyboxd.patch - 0007-Ship-sample-systemd-unit-files.patch - 0008-gpg-default-El-Gamal-to-3072-bit-keys.patch - 0009-gpg-Always-support-and-default-to-using-SHA-512.patch - 0010-gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest-pr.patch - 0012-Disallow-compressed-signatures-and-certificates.patch - 0011-Avoid-simple-memory-dumps-via-ptrace.patch - 0013-ssh-agent-emulation-under-systemd-inject-SSH_AUTH_SO.patch - 0014-gpg-Sync-compliance-mode-cleanup-with-master.patch - 0015-gpg-emit-RSA-pubkey-algorithm-when-in-compatibility-.patch - 0016-gpg-Reintroduce-openpgp-as-distinct-from-rfc4880.patch - 0017-gpg-Emit-LibrePGP-material-only-in-compliance-gnupg.patch - 0018-gpg-gpgconf-list-report-actual-compliance-mode.patch - 0019-gpg-Default-to-compliance-openpgp.patch - 0020-gpg-Fix-newlines-in-Cleartext-Signature-Framework-CS.patch - 0021-Add-keyboxd-systemd-support.patch - 0022-Support-large-RSA-keygen-in-non-batch-mode.patch - 0023-gpg-Verify-Text-mode-Signatures-over-binary-Literal-.patch - 0024-gpg-Do-not-use-a-default-when-asking-for-another-out.patch) -sha256sums=('dd17ab2e9a04fd79d39d853f599cbc852062ddb9ab52a4ddeb4176fd8b302964' + gnupg-2.5-avoid_beta_warning.patch + # patches maintained by freepg project: https://gitlab.com/freepg/gnupg/-/tree/main/master-freepg + 0002-gpg-accept-subkeys-with-a-good-revocation-but-no-sel.patch + 
0003-gpg-allow-import-of-previously-known-keys-even-witho.patch + 0005-gpg-drop-import-clean-from-default-keyserver-import-.patch + 0008-avoid-systemd-deprecation-warning.patch + 0009-Add-systemd-support-for-keyboxd.patch + 0010-Ship-sample-systemd-unit-files.patch + 0011-el-gamal-default-to-3072-bits.patch + 0012-gpg-default-digest-algorithm-SHA512.patch + 0013-gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch + 0018-Avoid-simple-memory-dumps-via-ptrace.patch + 0019-Disallow-compressed-signatures-and-certificates.patch + 0020-ssh-agent-emulation-under-systemd-inject-SSH_AUTH_SO.patch + 0022-gpg-emit-RSA-pubkey-algorithm-when-in-compatibility-.patch + 0023-gpg-Reintroduce-openpgp-as-distinct-from-rfc4880.patch + 0024-gpg-Emit-LibrePGP-material-only-in-compliance-gnupg.patch + 0025-gpg-gpgconf-list-report-actual-compliance-mode.patch + 0026-gpg-Default-to-compliance-openpgp.patch + 0027-gpg-Fix-newlines-in-Cleartext-Signature-Framework-CS.patch + 0028-Revert-Remove-the-default-keyserver.patch + 0029-Add-keyboxd-systemd-support.patch + 0033-Support-large-RSA-keygen-in-non-batch-mode.patch + 0034-gpg-Verify-Text-mode-Signatures-over-binary-Literal-.patch + 0040-Add-missing-test-files-to-EXTRA_DIST.patch + 0041-skip-trust-packets-during-import-restore.patch + 0042-compat-ignore-truncated-line.patch + 0043-fail-on-unprintable-armor-headers.patch) +sha256sums=('722aa8a426dd9b44e0d194b73bfee3a3e617d65674cd4d1d062e6df29f1788c6' 'SKIP' '902563c91c72ed9222343de3482f4ca7b141775235625af5ad790f3d86419370' - '243c3a79295519b3931f9d846cf2af5caa064a78de812ee336dc786c1567b4d0' - '28ab30a6d4318db5fd43e0023dff4c1e14b52dc0d1a61e0f2fc2de580a5c2ed4' - 'af0dc5a99b692f702c1394939aced1b395074cfb77e85abc1d43427189c18d0b' - '1ec1f49b7a268e632025ef8e19ba2ad9eddec8422e82fdff6c538166729b5383' - 'c7c2f274843ef4d2fedf8e2e11b3d48c12068763f382ee109f8f891bb77882e3' - '1dafb121d03722b20ab11890c6fc21f3e17130ca7671ae1832e6c08fa79bfdd7' - 
'66aeae7536a9ac665b4ffd4a5a8139c9f5d0937c0a36bdc2be1a78618d6778a8' - 'a6666def2d2d097466b06588c11f8284356427fc97a221a931c1660d6bfdd995' - '6d394da4bed0775e4be2b491afefa12a6fd0c1aa728ffbab84478d81c82413db' - 'ee26d07ccbc3de76f864e0a1b2abc08a099a870325608a3f3d6bf27c48ee5e52' - 'c49eab41a56f51d95c874eaaf84fe8a813960063eee1b5d306ea3bc79bc3376e' - '0bba286b75af29767a399ac42de7063d188a1c6ee1e7bb98156618b58561c8d0' - '8bac80ddcfbd3462b308c8fcab285f38e321612723f63d176a8c7cba4c094400' - 'e661cbe070cc532fb4f030b3f7212b837b600202b8e87d5e8e6e07719f762438' - '05650d9b8821f24ab24d6bf0e8b548015c8682dd3426a664e62b7d257fb1a1ca' - '0ab309c49275b1752d8a9357e3aa99d0ce390cea719352459ba15f0ba7ad36cd' - 'd6e18412d04bb7a3c5c67ee0b58dec10d99ad7bed088d79a90087207bd42f918' - '6933f46233134c20a9b2b157228075bd1e1dd7ff5dc4827fe69b6b1950f0e9f8' - '1cede22601b8889a9c03b074a3672119ffd22584c7ad41fa770680bcfbf8f6f8' - '94ca8efe9772985114bcffe3ca9518b414db5ee9e3336d61167f4f0481192a72' - '843f5d2f0de250a594dd1be50aecd5dd0e86aae87bb0a12b043251beb7b0fcfd' - '8a7737be5bc092b5034ca91a213946b1a3af0ff2c083b829eba751f0e4d1ad1f' - 'b81fd496950e26908cf6c2c2d91c80a486866180aef1432efdd244dfa3c76fc2' - '741bb77575765aac6728f12b2ba83ded281ae5a591cc531054fe29a0b691e7f2' - 'a4fe401b274d22bbbea8c48caf40cee8e0a361b1bdb94019803120b4a9feeecd') + 'a6a685d507d948efb8babc9d74f36b647b9099bce9a7de2cf66064bdb971361e' + '85e4fee794f8f90d8a226b2d1db69ac43414da1c4278b8bf932bd1da73555188' + '6403b8c369d82dcb2e7796df1baa2b357060d5cd2b1245fa8a0548b021494580' + 'd064002cee6e31301060d64000b6ae478ea61b665b066ab19bbb53cd7743b188' + '780abef124c498363f715dd7155008c7b299e4721db5eecead84b8c3b6817f64' + 'c93972fe7ab3d24e8b6e1aeafb68caebf52c6ed1934827b1517abffe0dab6d0e' + '441b5630ad76216a2f234eed7cea646bc2cbc7ede1b0b2308b88b3248ae4e2b1' + '7bad1c49374db7d1a1984190750282f50d1bf4e735b62280ee6701c66108c05f' + 'd0046eb7ef9588647e3a0d9a2e27692b6758f6268c0162c5a5ccf539b3bdc580' + 'e4a1e91f75c818aba3adb48bb033e99d041062f39db84984fde08b05b86a530d' 
+ '46650b1ffd4b8e024243a340ec5528c87dd3bd1a7b7428533cd16177f4d59b83' + '00a0f3ea92fbfc1f7522576eb4f493167d4b59ac6462fed8c91c41056ed83326' + '46444fbfc205d1cf1c213eb2fd17d1227cce09d20934f8aec89e993388042a13' + '81ecbc6e6f1eaf85702b3df16671a477ec9edabec1d421fc82df661a542a9d21' + 'fa753bf45f087180bcc317c583e03fb77ae475161c1d23cf1d06973169a74504' + 'da5337fabe1f109349148d5d81f7a6cdad584fecface57e2fe59710eda5ee617' + '7965aaec377dcdc9810a4ff52cc84f21c987a241d3c33dc7083fa105561d4d38' + 'ea718300829bf2ef4e07b1739310438d8f4aa20c45647a290de1c03cfc47811d' + '54220dc51e13f90fbdae0ed1e0da8a9a6f2731034b3c970ef10d9fc1c5dedd35' + '021782a4afe187e99490f53c91a5bde320daa44175ae24bf3055f3de88820365' + 'b4b71b5e8ee9b86985cb067fc749ff7446b45c8cd7293a14fecac8ef2e718bf7' + '23773ed7ad1c06ba8583d5e079fc3acd66094f982d7e6600ce86080d823dbd8a' + 'fa6f29ffacaf37fac10db62f029d08809c8890271f25a009c3fd80251e822a4a' + '9ed3f7b25eed96aa6884636e1307db23dee8b5d6b5868ea2bb8da0f9674b27aa' + '5f45fa2d816e0e5a1aa6d71620f29c810441579b219696089a07972d1052691d' + '30dde2837e432824bf2253c5b502dd92f6b759408cfa317e92d78f409654869e' + '720aa9a801e707af3ef66943ded1f0655c936becb5ca7fd8e2a980282f88130d') validpgpkeys=( '5B80C5754298F0CB55D8ED6ABCEF7E294B092E28' # Andre Heinecke (Release Signing Key) '6DAA6E64A76D2840571B4902528897B826403ADA' # Werner Koch (dist signing 2020) 
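Review bot: The source comment now points at `https://gitlab.com/freepg/gnupg/-/tree/main/master-freepg`, a moving branch, whereas the old comment pinned a release branch (`gnupg-2.4.8-freepg`); since the numbering gaps (0004, 0006-0007, 0014-0017, 0021, 0030-0032, 0035-0039) show patches were deliberately skipped, naming the branch commit the patches were taken from would let a later maintainer reproduce the selection. The comment also does not say whether 0040-0043, which are new files in this commit, come from that branch or are local additions; if local, say so above them. The sha256sums do pin every patch (30 entries for 30 sources) and the tarball signature is still checked against validpgpkeys, so integrity of the inputs is covered.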
@@ -127,31 +131,33 @@ prepare() {
 patch -p1 -i ${srcdir}/0001-gnupg-2.2.8-msys2.patch
 # Arch Linux/freepg patches
- patch -p1 -i ${srcdir}/gnupg-2.4-avoid_beta_warning.patch
- patch -p1 -i ${srcdir}/0001-gpg-accept-subkeys-with-a-good-revocation-but-no-sel.patch
- patch -p1 -i ${srcdir}/0002-gpg-allow-import-of-previously-known-keys-even-witho.patch
- patch -p1 -i ${srcdir}/0003-tests-add-test-cases-for-import-without-uid.patch
- patch -p1 -i ${srcdir}/0004-gpg-drop-import-clean-from-default-keyserver-import-.patch
- patch -p1 -i ${srcdir}/0005-avoid-systemd-deprecation-warning.patch
- patch -p1 -i ${srcdir}/0006-Add-systemd-support-for-keyboxd.patch
- patch -p1 -i ${srcdir}/0007-Ship-sample-systemd-unit-files.patch
- patch -p1 -i ${srcdir}/0008-gpg-default-El-Gamal-to-3072-bit-keys.patch
- patch -p1 -i ${srcdir}/0009-gpg-Always-support-and-default-to-using-SHA-512.patch
- patch -p1 -i ${srcdir}/0010-gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest-pr.patch
- patch -p1 -i ${srcdir}/0012-Disallow-compressed-signatures-and-certificates.patch
- patch -p1 -i ${srcdir}/0011-Avoid-simple-memory-dumps-via-ptrace.patch
- patch -p1 -i ${srcdir}/0013-ssh-agent-emulation-under-systemd-inject-SSH_AUTH_SO.patch
- patch -p1 -i ${srcdir}/0014-gpg-Sync-compliance-mode-cleanup-with-master.patch
- patch -p1 -i ${srcdir}/0015-gpg-emit-RSA-pubkey-algorithm-when-in-compatibility-.patch
- patch -p1 -i ${srcdir}/0016-gpg-Reintroduce-openpgp-as-distinct-from-rfc4880.patch
- patch -p1 -i ${srcdir}/0017-gpg-Emit-LibrePGP-material-only-in-compliance-gnupg.patch
- patch -p1 -i ${srcdir}/0018-gpg-gpgconf-list-report-actual-compliance-mode.patch
- patch -p1 -i ${srcdir}/0019-gpg-Default-to-compliance-openpgp.patch
- patch -p1 -i ${srcdir}/0020-gpg-Fix-newlines-in-Cleartext-Signature-Framework-CS.patch
- patch -p1 -i ${srcdir}/0021-Add-keyboxd-systemd-support.patch
- patch -p1 -i ${srcdir}/0022-Support-large-RSA-keygen-in-non-batch-mode.patch
- patch -p1 -i 
${srcdir}/0023-gpg-Verify-Text-mode-Signatures-over-binary-Literal-.patch
- patch -p1 -i ${srcdir}/0024-gpg-Do-not-use-a-default-when-asking-for-another-out.patch
+ patch -p1 -i ${srcdir}/gnupg-2.5-avoid_beta_warning.patch
+ patch -p1 -i ${srcdir}/0002-gpg-accept-subkeys-with-a-good-revocation-but-no-sel.patch
+ patch -p1 -i ${srcdir}/0003-gpg-allow-import-of-previously-known-keys-even-witho.patch
+ patch -p1 -i ${srcdir}/0005-gpg-drop-import-clean-from-default-keyserver-import-.patch
+ patch -p1 -i ${srcdir}/0008-avoid-systemd-deprecation-warning.patch
+ patch -p1 -i ${srcdir}/0009-Add-systemd-support-for-keyboxd.patch
+ patch -p1 -i ${srcdir}/0010-Ship-sample-systemd-unit-files.patch
+ patch -p1 -i ${srcdir}/0011-el-gamal-default-to-3072-bits.patch
+ patch -p1 -i ${srcdir}/0012-gpg-default-digest-algorithm-SHA512.patch
+ patch -p1 -i ${srcdir}/0013-gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch
+ patch -p1 -i ${srcdir}/0018-Avoid-simple-memory-dumps-via-ptrace.patch
+ patch -p1 -i ${srcdir}/0019-Disallow-compressed-signatures-and-certificates.patch
+ patch -p1 -i ${srcdir}/0020-ssh-agent-emulation-under-systemd-inject-SSH_AUTH_SO.patch
+ patch -p1 -i ${srcdir}/0022-gpg-emit-RSA-pubkey-algorithm-when-in-compatibility-.patch
+ patch -p1 -i ${srcdir}/0023-gpg-Reintroduce-openpgp-as-distinct-from-rfc4880.patch
+ patch -p1 -i ${srcdir}/0024-gpg-Emit-LibrePGP-material-only-in-compliance-gnupg.patch
+ patch -p1 -i ${srcdir}/0025-gpg-gpgconf-list-report-actual-compliance-mode.patch
+ patch -p1 -i ${srcdir}/0026-gpg-Default-to-compliance-openpgp.patch
+ patch -p1 -i ${srcdir}/0027-gpg-Fix-newlines-in-Cleartext-Signature-Framework-CS.patch
+ patch -p1 -i ${srcdir}/0028-Revert-Remove-the-default-keyserver.patch
+ patch -p1 -i ${srcdir}/0029-Add-keyboxd-systemd-support.patch
+ patch -p1 -i ${srcdir}/0033-Support-large-RSA-keygen-in-non-batch-mode.patch
+ patch -p1 -i ${srcdir}/0034-gpg-Verify-Text-mode-Signatures-over-binary-Literal-.patch
+ patch -p1 -i 
${srcdir}/0040-Add-missing-test-files-to-EXTRA_DIST.patch
+ patch -p1 -i ${srcdir}/0041-skip-trust-packets-during-import-restore.patch
+ patch -p1 -i ${srcdir}/0042-compat-ignore-truncated-line.patch
+ patch -p1 -i ${srcdir}/0043-fail-on-unprintable-armor-headers.patch
 ./autogen.sh --force
 }
@@ -167,8 +173,7 @@ build() {
 --sbindir=/usr/bin \
 --libexecdir=/usr/lib/gnupg \
 --disable-libdns \
- --enable-large-secmem \
- --enable-maintainer-mode
+ --enable-large-secmem
 make
 }
diff --git a/gnupg/gnupg-2.4-avoid_beta_warning.patch b/gnupg/gnupg-2.5-avoid_beta_warning.patch
similarity index 78%
rename from gnupg/gnupg-2.4-avoid_beta_warning.patch
rename to gnupg/gnupg-2.5-avoid_beta_warning.patch
index 2c3c873fe60..a5a0958603c 100644
--- a/gnupg/gnupg-2.4-avoid_beta_warning.patch
+++ b/gnupg/gnupg-2.5-avoid_beta_warning.patch
@@ -24,16 +24,16 @@ diff --git a/autogen.sh b/autogen.sh
 index b238550..9b86d3f 100755
 --- a/autogen.sh
 +++ b/autogen.sh
-@@ -229,7 +229,7 @@ if [ "$myhost" = "find-version" ]; then
- esac
+@@ -261,7 +261,7 @@ if [ "$myhost" = "find-version" ]; then
+ matchexcl="--exclude $package-*beta*"
 beta=no
 - if [ -e .git ]; then
 + if false; then
 ingit=yes
- tmp=$(git describe --match "${matchstr1}" --long 2>/dev/null)
- tmp=$(echo "$tmp" | sed s/^"$package"//)
-@@ -245,8 +245,8 @@ if [ "$myhost" = "find-version" ]; then
+ tmp=$(git describe --match "${matchstr1}" $matchexcl --long 2>/dev/null)
+ tmp=$(echo "$tmp" | sed s/^"$package"// \
+@@ -286,8 +286,8 @@ if [ "$myhost" = "find-version" ]; then
 rvd=$((0x$(echo ${rev} | dd bs=1 count=4 2>/dev/null)))
 else
 ingit=no
@@ -41,6 +41,6 @@ index b238550..9b86d3f 100755
 - tmp="-unknown"
 + beta=no
 + tmp=""
+ cid="0000000"
 rev="0000000"
 rvd="0"
- fi
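Review bot: The two import-relaxing patches are kept on the new side (0002 accepts subkeys carrying a good revocation but no self-signature, 0003 imports previously known keys that have no user ID), but the old side's `0003-tests-add-test-cases-for-import-without-uid.patch` is dropped with no replacement visible in this hunk, so unless those test cases now ride in one of the renumbered patches this build no longer carries a regression test for the loosened import checks — worth a comment or a follow-up either way. `0028-Revert-Remove-the-default-keyserver.patch` is new and, going by its name, re-enables a default keyserver; because that is a network-facing default, the comment above the list should name which keyserver gpg will contact when none is configured and why it is restored here. The numbering gaps (0004, 0006–0007, 0014–0017, 0021, 0030–0032, 0035–0039) are also unexplained, so I would extend the header to something like `# Arch Linux/freepg patch series; numbers missing below are intentionally not applied to the MSYS2 build (see <reason>)` with the actual reason filled in. A smaller point of style: `${srcdir}` is unquoted on every `patch -p1 -i` line, and `"${srcdir}"` is the safer form should the build path ever contain whitespace. prepare() starts before this hunk.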