Source: gpgme1.0
Version: 1.14.0-1
Severity: normal
Tags: patch upstream bullseye
X-Debbugs-Cc: gni...@fsij.org

Hi,

Please consider uploading this to bullseye-proposed-updates. This fix
makes the keylisting operations behave as documented. The regression
risk is extremely small, and I wrote an autopkgtest that fails with the
old version and passes with the new one.

I am CC'ing Gniibe since he authored the upstream change and he just so
happens to be a Debian Developer too; I'd be delighted if he would
sponsor this.

A patch is attached or you can pull in the OpenPGP-signed commit from
the debian-stable-fix branch of
https://salsa.debian.org/jscott/gpgme.git

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (2, 'unstable-
debug'), (2, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, arm64

Kernel: Linux 6.0.0-5-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER, TAINT_WARN, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE
not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

From 611fab84c0b6b0156d4e5d0a72da2c420c5bdddc Mon Sep 17 00:00:00 2001
From: John Scott <jsc...@posteo.net>
Date: Fri, 31 Mar 2023 12:19:03 -0400
Subject: [PATCH] Backport a fix to the keylisting operations and prepare for
 release to Bullseye

---
 debian/changelog                              |  9 ++
 debian/copyright                              |  4 +
 ...GPGME-keylist-from-data-ignores-sigs.patch | 88 +++++++++++++++++
 debian/patches/series                         |  1 +
 debian/tests/control                          |  4 +
 debian/tests/find-signature-from-data.c       | 99 +++++++++++++++++++
 6 files changed, 205 insertions(+)
 create mode 100644 debian/patches/GPGME-keylist-from-data-ignores-sigs.patch
 create mode 100644 debian/tests/find-signature-from-data.c

diff --git a/debian/changelog b/debian/changelog
index c7bedbb9..9ab80b04 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+gpgme1.0 (1.14.0-1+deb11u1) bullseye; urgency=medium
+
+  [ John Scott ]
+  * Backport an upstream fix so that the functions for listing keys from data
+    can return signature information if the application so requests.
+  * Add DEP-8 test ensuring that the fix works.
+
+ -- Debian GnuPG Maintainers <pkg-gnupg-ma...@lists.alioth.debian.org>  Fri, 31 Mar 2023 11:35:22 -0400
+
 gpgme1.0 (1.14.0-1) unstable; urgency=medium
 
   * new upstream release
diff --git a/debian/copyright b/debian/copyright
index d5b34af4..f2bdfdd4 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -10,6 +10,10 @@ Copyright:
   Werner Koch
 License: LGPL-2.1+
 
+Files: debian/tests/find-signature-from-data.c
+Copyright: 2023 John Scott <jsc...@posteo.net>
+License: GPL-3+
+
 Files: src/argparse.*
 Copyright:
  1998-2001, 2006-2008, 2012 Free Software Foundation, Inc.,
diff --git a/debian/patches/GPGME-keylist-from-data-ignores-sigs.patch b/debian/patches/GPGME-keylist-from-data-ignores-sigs.patch
new file mode 100644
index 00000000..f94b2035
--- /dev/null
+++ b/debian/patches/GPGME-keylist-from-data-ignores-sigs.patch
@@ -0,0 +1,88 @@
+Description: fix GPGME's keylisting from data functions ignoring request for signatures
+ When requesting signature information, the functions to iterate over keys in specified
+ data does not return it. This is an oversight corrected in this change. Note that
+ the majority of applications don't request signature information (the default); this
+ change only serves to benefit those that do request it and hadn't been getting it.
+Origin: upstream, https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=patch;h=b2a2158384a9f048ff61ee0cebef8346055f0454
+Author: NIIBE Yutaka <gni...@fsij.org>
+Bug: https://dev.gnupg.org/T5438
+Applied-Upstream: 1.18.0, commit:b2a2158384a9f048ff61ee0cebef8346055f0454
+Reviewed-By: John Scott <jsc...@posteo.net>
+Last-Update: 2023-03-31
+---
+
+--- gpgme1.0-1.14.0.orig/src/engine-backend.h
++++ gpgme1.0-1.14.0/src/engine-backend.h
+@@ -103,7 +103,8 @@ struct engine_ops
+ 				int secret_only, int reserved,
+ 				gpgme_keylist_mode_t mode,
+ 				int engine_flags);
+-  gpgme_error_t (*keylist_data) (void *engine, gpgme_data_t data);
++  gpgme_error_t (*keylist_data) (void *engine, gpgme_keylist_mode_t mode,
++				 gpgme_data_t data);
+   gpgme_error_t (*keysign) (void *engine,
+                             gpgme_key_t key, const char *userid,
+                             unsigned long expires, unsigned int flags,
+--- gpgme1.0-1.14.0.orig/src/engine-gpg.c
++++ gpgme1.0-1.14.0/src/engine-gpg.c
+@@ -3115,7 +3115,7 @@ gpg_keylist_ext (void *engine, const cha
+
+
+ static gpgme_error_t
+-gpg_keylist_data (void *engine, gpgme_data_t data)
++gpg_keylist_data (void *engine, gpgme_keylist_mode_t mode, gpgme_data_t data)
+ {
+   engine_gpg_t gpg = engine;
+   gpgme_error_t err;
+@@ -3134,6 +3134,9 @@ gpg_keylist_data (void *engine, gpgme_da
+     err = add_arg (gpg, "--dry-run");
+   if (!err)
+     err = add_arg (gpg, "--import");
++  if (!err && (mode & GPGME_KEYLIST_MODE_SIGS)
++      && have_gpg_version (gpg, "2.0.10"))
++    err = add_arg (gpg, "--with-sig-check");
+   if (!err)
+     err = add_arg (gpg, "--");
+   if (!err)
+--- gpgme1.0-1.14.0.orig/src/engine.c
++++ gpgme1.0-1.14.0/src/engine.c
+@@ -885,7 +885,8 @@ _gpgme_engine_op_keylist_ext (engine_t e
+
+
+ gpgme_error_t
+-_gpgme_engine_op_keylist_data (engine_t engine, gpgme_data_t data)
++_gpgme_engine_op_keylist_data (engine_t engine, gpgme_keylist_mode_t mode,
++			       gpgme_data_t data)
+ {
+   if (!engine)
+     return gpg_error (GPG_ERR_INV_VALUE);
+@@ -893,7 +894,7 @@ _gpgme_engine_op_keylist_data (engine_t
+   if (!engine->ops->keylist_data)
+     return gpg_error (GPG_ERR_NOT_IMPLEMENTED);
+
+-  return (*engine->ops->keylist_data) (engine->engine, data);
++  return (*engine->ops->keylist_data) (engine->engine, mode, data);
+ }
+
+
+--- gpgme1.0-1.14.0.orig/src/engine.h
++++ gpgme1.0-1.14.0/src/engine.h
+@@ -149,6 +149,7 @@ gpgme_error_t _gpgme_engine_op_keylist_e
+ 					    gpgme_keylist_mode_t mode,
+ 					    int engine_flags);
+ gpgme_error_t _gpgme_engine_op_keylist_data (engine_t engine,
++					     gpgme_keylist_mode_t mode,
+ 					     gpgme_data_t data);
+ gpgme_error_t _gpgme_engine_op_sign (engine_t engine, gpgme_data_t in,
+ 				     gpgme_data_t out, gpgme_sig_mode_t mode,
+--- gpgme1.0-1.14.0.orig/src/keylist.c
++++ gpgme1.0-1.14.0/src/keylist.c
+@@ -1192,7 +1192,7 @@ gpgme_op_keylist_from_data_start (gpgme_
+   if (err)
+     return TRACE_ERR (err);
+
+-  err = _gpgme_engine_op_keylist_data (ctx->engine, data);
++  err = _gpgme_engine_op_keylist_data (ctx->engine, ctx->keylist_mode, data);
+   return TRACE_ERR (err);
+ }
+
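Review bot: In the `gpg_keylist_data` change, a caller that sets `GPGME_KEYLIST_MODE_SIGS` while running a gpg older than 2.0.10 gets neither an error nor signatures, because a failed `have_gpg_version (gpg, "2.0.10")` test just skips the argument. That silent downgrade deserves a comment above the condition, for example `/* With gpg < 2.0.10 the SIGS request is dropped silently; the caller sees no signatures. */`. Only the SIGS bit of `mode` is consulted, so any other keylist mode bits passed down are ignored on this path, which is worth stating in the same comment. Since `--with-sig-check` asks gpg to verify the listed signatures, consumers should presumably inspect each returned signature's status rather than treat the presence of an entry as a valid certification. The body of `gpg_keylist_data` starts and ends outside the inner hunks shown here.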
diff --git a/debian/patches/series b/debian/patches/series
index 7ab96aa1..a9eec687 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 0004-drop-python2-support.patch
 0006-gpg-Send-with-keygrip-when-listing-keys.patch
 0007-use-FULL_PATH_NAMES-NO-for-reproducible-doxygen-docu.patch
+GPGME-keylist-from-data-ignores-sigs.patch
diff --git a/debian/tests/control b/debian/tests/control
index 383d9860..73c641e1 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -9,3 +9,7 @@ Restrictions:
 Depends:
  gcc,
  libc6-dev,
+
+Test-Command: gpg -k && gcc debian/tests/find-signature-from-data.c $(pkg-config --cflags --libs gpgme) -o "$AUTOPKGTEST_TMP"/testprog && "$AUTOPKGTEST_TMP"/testprog
+Restrictions: allow-stderr
+Depends: debian-archive-keyring, gcc, libc6-dev, libgpgme-dev, pkg-config
diff --git a/debian/tests/find-signature-from-data.c b/debian/tests/find-signature-from-data.c
new file mode 100644
index 00000000..25fe351d
--- /dev/null
+++ b/debian/tests/find-signature-from-data.c
@@ -0,0 +1,99 @@
+/* SPDX-FileCopyrightText: 2023 John Scott <jsc...@posteo.net>
+ * SPDX-License-Identifier: GPL-3.0-or-later */
+#include <gpgme.h>
+#include <locale.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int main(void) {
+	const char *const localestr = setlocale(LC_ALL, "");
+	if(!localestr) {
+		fputs("Failed to enable default locale\n", stderr);
+		exit(EXIT_FAILURE);
+	}
+
+	if(!gpgme_check_version(NULL)) {
+		fputs("Failed to initialize GPGME\n", stderr);
+		exit(EXIT_FAILURE);
+	}
+
+	gpgme_error_t w = gpgme_set_locale(NULL, LC_ALL, localestr);
+	if(w) {
+		fprintf(stderr, "Failed to set default locale in GPGME: %s\n", gpgme_strerror(w));
+		exit(EXIT_FAILURE);
+	}
+
+	gpgme_ctx_t ctx;
+	w = gpgme_new(&ctx);
+	if(w) {
+		fprintf(stderr, "Failed to get GPGME context object: %s\n", gpgme_strerror(w));
+		exit(EXIT_FAILURE);
+	}
+	w = gpgme_set_protocol(ctx, GPGME_PROTOCOL_OPENPGP);
+	if(w) {
+		fprintf(stderr, "Failed to set protocol to OpenPGP: %s\n", gpgme_strerror(w));
+		gpgme_release(ctx);
+		exit(EXIT_FAILURE);
+	}
+
+	gpgme_keylist_mode_t mode = gpgme_get_keylist_mode(ctx);
+	mode |= GPGME_KEYLIST_MODE_SIGS;
+	w = gpgme_set_keylist_mode(ctx, mode);
+	if(w) {
+		fprintf(stderr, "Failed to enable the listing of keys: %s\n", gpgme_strerror(w));
+		gpgme_release(ctx);
+		exit(EXIT_FAILURE);
+	}
+
+	gpgme_data_t data;
+	w = gpgme_data_new_from_file(&data, "/usr/share/keyrings/debian-archive-bullseye-automatic.gpg", true);
+	if(w) {
+		fprintf(stderr, "Failed to read Debian Bullseye archive keyring: %s\n", gpgme_strerror(w));
+		gpgme_release(ctx);
+		exit(EXIT_FAILURE);
+	}
+
+	w = gpgme_op_keylist_from_data_start(ctx, data, false);
+	if(w) {
+		fprintf(stderr, "Failed to start reading keys: %s\n", gpgme_strerror(w));
+		gpgme_data_release(data);
+		gpgme_release(ctx);
+		exit(EXIT_FAILURE);
+	}
+
+	gpgme_key_t key;
+	w = gpgme_op_keylist_next(ctx, &key);
+	if(w) {
+		fprintf(stderr, "Failed to get first key: %s\n", gpgme_strerror(w));
+		gpgme_data_release(data);
+		gpgme_release(ctx);
+		exit(EXIT_FAILURE);
+	}
+
+	if(key->uids->signatures) {
+		puts("We got signatures!");
+		gpgme_key_unref(key);
+		w = gpgme_op_keylist_end(ctx);
+		if(w) {
+			fprintf(stderr, "Failed to list keys: %s\n", strerror(w));
+			gpgme_data_release(data);
+			gpgme_release(ctx);
+			exit(EXIT_FAILURE);
+		}
+		gpgme_data_release(data);
+		gpgme_release(ctx);
+		exit(EXIT_SUCCESS);
+	}
+
+	fputs("We found no signatures.\n", stderr);
+	gpgme_key_unref(key);
+	w = gpgme_op_keylist_end(ctx);
+	if(w) {
+		fprintf(stderr, "Failed to list keys: %s\n", strerror(w));
+	}
+	gpgme_data_release(data);
+	gpgme_release(ctx);
+	exit(EXIT_FAILURE);
+}
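Review bot: Both `gpgme_op_keylist_end` failure paths format the error with `strerror(w)`, but `w` is a `gpgme_error_t` rather than an errno value, so the printed text will not describe the real failure. Every other path in this file uses `gpgme_strerror(w)`, and these two should as well: `fprintf(stderr, "Failed to list keys: %s\n", gpgme_strerror(w));`. Separately, `key->uids->signatures` is read without checking `key->uids`, so a first key with no user ID would crash the test instead of failing it cleanly; `if(key->uids && key->uids->signatures)` avoids that. The message `"Failed to enable the listing of keys"` after `gpgme_set_keylist_mode` would also be more accurate if it mentioned signatures, since that is the mode bit being set.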
-- 
2.35.1

Attachment: signature.asc
Description: This is a digitally signed message part
