Source: gpgme1.0 Version: 1.14.0-1 Severity: normal Tags: patch upstream bullseye X-Debbugs-Cc: gni...@fsij.org
Hi, Please consider uploading this to bullseye-proposed-updates. This is a fix that makes the keylisting operations work as documented. The regression risk is extremely small and I wrote an autopkgtest that fails with the old version and passes with the new. I am CC'ing Gniibe since he authored the upstream change and he just so happens to be a Debian Developer too; I'd be delighted if he would sponsor this. A patch is attached or you can pull in the OpenPGP-signed commit from the debian-stable-fix branch of https://salsa.debian.org/jscott/gpgme.git -- System Information: Debian Release: bookworm/sid APT prefers testing-debug APT policy: (500, 'testing-debug'), (500, 'testing'), (2, 'unstable- debug'), (2, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386, arm64 Kernel: Linux 6.0.0-5-amd64 (SMP w/2 CPU threads; PREEMPT) Kernel taint flags: TAINT_USER, TAINT_WARN, TAINT_FIRMWARE_WORKAROUND Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
From 611fab84c0b6b0156d4e5d0a72da2c420c5bdddc Mon Sep 17 00:00:00 2001 From: John Scott <jsc...@posteo.net> Date: Fri, 31 Mar 2023 12:19:03 -0400 Subject: [PATCH] Backport a fix to the keylisting operations and prepare for release to Bullseye --- debian/changelog | 9 ++ debian/copyright | 4 + ...GPGME-keylist-from-data-ignores-sigs.patch | 88 +++++++++++++++++ debian/patches/series | 1 + debian/tests/control | 4 + debian/tests/find-signature-from-data.c | 99 +++++++++++++++++++ 6 files changed, 205 insertions(+) create mode 100644 debian/patches/GPGME-keylist-from-data-ignores-sigs.patch create mode 100644 debian/tests/find-signature-from-data.c diff --git a/debian/changelog b/debian/changelog index c7bedbb9..9ab80b04 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +gpgme1.0 (1.14.0-1+deb11u1) bullseye; urgency=medium + + [ John Scott ] + * Backport an upstream fix so that the functions for listing keys from data + can return signature information if the application so requests. + * Add DEP-8 test ensuring that the fix works. + + -- Debian GnuPG Maintainers <pkg-gnupg-ma...@lists.alioth.debian.org> Fri, 31 Mar 2023 11:35:22 -0400 + gpgme1.0 (1.14.0-1) unstable; urgency=medium * new upstream release diff --git a/debian/copyright b/debian/copyright index d5b34af4..f2bdfdd4 100644 --- a/debian/copyright +++ b/debian/copyright @@ -10,6 +10,10 @@ Copyright: Werner Koch License: LGPL-2.1+ +Files: debian/tests/find-signature-from-data.c +Copyright: 2023 John Scott <jsc...@posteo.net> +License: GPL-3+ + Files: src/argparse.* Copyright: 1998-2001, 2006-2008, 2012 Free Software Foundation, Inc., diff --git a/debian/patches/GPGME-keylist-from-data-ignores-sigs.patch b/debian/patches/GPGME-keylist-from-data-ignores-sigs.patch new file mode 100644 index 00000000..f94b2035 --- /dev/null +++ b/debian/patches/GPGME-keylist-from-data-ignores-sigs.patch 
@@ -0,0 +1,88 @@
+Description: fix GPGME's keylisting from data functions ignoring request for signatures
+ When requesting signature information, the functions to iterate over keys in specified
+ data does not return it. This is an oversight corrected in this change. Note that
+ the majority of applications don't request signature information (the default); this
+ change only serves to benefit those that do request it and hadn't been getting it.
+Origin: upstream, https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=patch;h=b2a2158384a9f048ff61ee0cebef8346055f0454
+Author: NIIBE Yutaka <gni...@fsij.org>
+Bug: https://dev.gnupg.org/T5438
+Applied-Upstream: 1.18.0, commit:b2a2158384a9f048ff61ee0cebef8346055f0454
+Reviewed-By: John Scott <jsc...@posteo.net>
+Last-Update: 2023-03-31
+---
+
+--- gpgme1.0-1.14.0.orig/src/engine-backend.h
++++ gpgme1.0-1.14.0/src/engine-backend.h
+@@ -103,7 +103,8 @@ struct engine_ops
+ int secret_only, int reserved,
+ gpgme_keylist_mode_t mode,
+ int engine_flags);
+- gpgme_error_t (*keylist_data) (void *engine, gpgme_data_t data);
++ gpgme_error_t (*keylist_data) (void *engine, gpgme_keylist_mode_t mode,
++ gpgme_data_t data);
+ gpgme_error_t (*keysign) (void *engine,
+ gpgme_key_t key, const char *userid,
+ unsigned long expires, unsigned int flags,
+--- gpgme1.0-1.14.0.orig/src/engine-gpg.c
++++ gpgme1.0-1.14.0/src/engine-gpg.c
+@@ -3115,7 +3115,7 @@ gpg_keylist_ext (void *engine, const cha
+ 
+ 
+ static gpgme_error_t
+-gpg_keylist_data (void *engine, gpgme_data_t data)
++gpg_keylist_data (void *engine, gpgme_keylist_mode_t mode, gpgme_data_t data)
+ {
+ engine_gpg_t gpg = engine;
+ gpgme_error_t err;
+@@ -3134,6 +3134,9 @@ gpg_keylist_data (void *engine, gpgme_da
+ err = add_arg (gpg, "--dry-run");
+ if (!err)
+ err = add_arg (gpg, "--import");
++ if (!err && (mode & GPGME_KEYLIST_MODE_SIGS)
++ && have_gpg_version (gpg, "2.0.10"))
++ err = add_arg (gpg, "--with-sig-check");
+ if (!err)
+ err = add_arg (gpg, "--");
+ if (!err)
+--- gpgme1.0-1.14.0.orig/src/engine.c
++++ gpgme1.0-1.14.0/src/engine.c
+@@ -885,7 +885,8 @@ _gpgme_engine_op_keylist_ext (engine_t e
+ 
+ 
+ gpgme_error_t
+-_gpgme_engine_op_keylist_data (engine_t engine, gpgme_data_t data)
++_gpgme_engine_op_keylist_data (engine_t engine, gpgme_keylist_mode_t mode,
++ gpgme_data_t data)
+ {
+ if (!engine)
+ return gpg_error (GPG_ERR_INV_VALUE);
+@@ -893,7 +894,7 @@ _gpgme_engine_op_keylist_data (engine_t
+ if (!engine->ops->keylist_data)
+ return gpg_error (GPG_ERR_NOT_IMPLEMENTED);
+ 
+- return (*engine->ops->keylist_data) (engine->engine, data);
++ return (*engine->ops->keylist_data) (engine->engine, mode, data);
+ }
+ 
+ 
+--- gpgme1.0-1.14.0.orig/src/engine.h
++++ gpgme1.0-1.14.0/src/engine.h
+@@ -149,6 +149,7 @@ gpgme_error_t _gpgme_engine_op_keylist_e
+ gpgme_keylist_mode_t mode,
+ int engine_flags);
+ gpgme_error_t _gpgme_engine_op_keylist_data (engine_t engine,
++ gpgme_keylist_mode_t mode,
+ gpgme_data_t data);
+ gpgme_error_t _gpgme_engine_op_sign (engine_t engine, gpgme_data_t in,
+ gpgme_data_t out, gpgme_sig_mode_t mode,
+--- gpgme1.0-1.14.0.orig/src/keylist.c
++++ gpgme1.0-1.14.0/src/keylist.c
+@@ -1192,7 +1192,7 @@ gpgme_op_keylist_from_data_start (gpgme_
+ if (err)
+ return TRACE_ERR (err);
+ 
+- err = _gpgme_engine_op_keylist_data (ctx->engine, data);
++ err = _gpgme_engine_op_keylist_data (ctx->engine, ctx->keylist_mode, data);
+ return TRACE_ERR (err);
+ }
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 7ab96aa1..a9eec687 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 0004-drop-python2-support.patch
 0006-gpg-Send-with-keygrip-when-listing-keys.patch
 0007-use-FULL_PATH_NAMES-NO-for-reproducible-doxygen-docu.patch
+GPGME-keylist-from-data-ignores-sigs.patch
diff --git a/debian/tests/control b/debian/tests/control
index 383d9860..73c641e1 100644
--- a/debian/tests/control
+++ b/debian/tests/control
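Review bot: In the engine-gpg.c hunk of the quoted patch, a SIGS request is dropped without any error when `have_gpg_version (gpg, "2.0.10")` is false: `--with-sig-check` is simply not added, so a caller that set GPGME_KEYLIST_MODE_SIGS receives keys with empty signature lists and cannot tell a too-old gpg from keys that carry no signatures. That is upstream's choice and moot with bullseye's gpg, but the DEP-3 Description should record it; suggest appending ` Note that --with-sig-check is only passed to gpg >= 2.0.10; with an older gpg the signature request is silently ignored.` to the Description paragraph. Only the SIGS bit is translated on this path; if gpg_keylist_ext honours further mode bits (e.g. GPGME_KEYLIST_MODE_SIG_NOTATIONS), whether the from-data path should too cannot be judged from these hunks and is worth confirming. The bodies of gpg_keylist_data and _gpgme_engine_op_keylist_data continue outside the quoted hunks.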
@@ -9,3 +9,7 @@ Restrictions: Depends: gcc, libc6-dev,
+
+Test-Command: gpg -k && gcc debian/tests/find-signature-from-data.c $(pkg-config --cflags --libs gpgme) -o "$AUTOPKGTEST_TMP"/testprog && "$AUTOPKGTEST_TMP"/testprog
+Restrictions: allow-stderr
+Depends: debian-archive-keyring, gcc, libc6-dev, libgpgme-dev, pkg-config
diff --git a/debian/tests/find-signature-from-data.c b/debian/tests/find-signature-from-data.c
new file mode 100644
index 00000000..25fe351d
--- /dev/null
+++ b/debian/tests/find-signature-from-data.c
@@ -0,0 +1,99 @@
+/* SPDX-FileCopyrightText: 2023 John Scott <jsc...@posteo.net>
+ * SPDX-License-Identifier: GPL-3.0-or-later */
+#include <gpgme.h>
+#include <locale.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int main(void) {
+ const char *const localestr = setlocale(LC_ALL, "");
+ if(!localestr) {
+ fputs("Failed to enable default locale\n", stderr);
+ exit(EXIT_FAILURE);
+ }
+
+ if(!gpgme_check_version(NULL)) {
+ fputs("Failed to initialize GPGME\n", stderr);
+ exit(EXIT_FAILURE);
+ }
+
+ gpgme_error_t w = gpgme_set_locale(NULL, LC_ALL, localestr);
+ if(w) {
+ fprintf(stderr, "Failed to set default locale in GPGME: %s\n", gpgme_strerror(w));
+ exit(EXIT_FAILURE);
+ }
+
+ gpgme_ctx_t ctx;
+ w = gpgme_new(&ctx);
+ if(w) {
+ fprintf(stderr, "Failed to get GPGME context object: %s\n", gpgme_strerror(w));
+ exit(EXIT_FAILURE);
+ }
+ w = gpgme_set_protocol(ctx, GPGME_PROTOCOL_OPENPGP);
+ if(w) {
+ fprintf(stderr, "Failed to set protocol to OpenPGP: %s\n", gpgme_strerror(w));
+ gpgme_release(ctx);
+ exit(EXIT_FAILURE);
+ }
+
+ gpgme_keylist_mode_t mode = gpgme_get_keylist_mode(ctx);
+ mode |= GPGME_KEYLIST_MODE_SIGS;
+ w = gpgme_set_keylist_mode(ctx, mode);
+ if(w) {
+ fprintf(stderr, "Failed to enable the listing of keys: %s\n", gpgme_strerror(w));
+ gpgme_release(ctx);
+ exit(EXIT_FAILURE);
+ }
+
+ gpgme_data_t data;
+ w = gpgme_data_new_from_file(&data, "/usr/share/keyrings/debian-archive-bullseye-automatic.gpg", true);
+ if(w) {
+ fprintf(stderr, "Failed to read Debian Bullseye archive keyring: %s\n", gpgme_strerror(w));
+ gpgme_release(ctx);
+ exit(EXIT_FAILURE);
+ }
+
+ w = gpgme_op_keylist_from_data_start(ctx, data, false);
+ if(w) {
+ fprintf(stderr, "Failed to start reading keys: %s\n", gpgme_strerror(w));
+ gpgme_data_release(data);
+ gpgme_release(ctx);
+ exit(EXIT_FAILURE);
+ }
+
+ gpgme_key_t key;
+ w = gpgme_op_keylist_next(ctx, &key);
+ if(w) {
+ fprintf(stderr, "Failed to get first key: %s\n", gpgme_strerror(w));
+ gpgme_data_release(data);
+ gpgme_release(ctx);
+ exit(EXIT_FAILURE);
+ }
+
+ if(key->uids->signatures) {
+ puts("We got signatures!");
+ gpgme_key_unref(key);
+ w = gpgme_op_keylist_end(ctx);
+ if(w) {
+ fprintf(stderr, "Failed to list keys: %s\n", strerror(w));
+ gpgme_data_release(data);
+ gpgme_release(ctx);
+ exit(EXIT_FAILURE);
+ }
+ gpgme_data_release(data);
+ gpgme_release(ctx);
+ exit(EXIT_SUCCESS);
+ }
+
+ fputs("We found no signatures.\n", stderr);
+ gpgme_key_unref(key);
+ w = gpgme_op_keylist_end(ctx);
+ if(w) {
+ fprintf(stderr, "Failed to list keys: %s\n", strerror(w));
+ }
+ gpgme_data_release(data);
+ gpgme_release(ctx);
+ exit(EXIT_FAILURE);
+}
-- 
2.35.1
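Review bot: Both "Failed to list keys" messages pass a gpgme_error_t to `strerror(w)`, which treats the packed gpg-error value (error source plus code) as an errno and prints an unrelated or "Unknown error" string; every other message in this file correctly uses gpgme_strerror, so change both lines to `fprintf(stderr, "Failed to list keys: %s\n", gpgme_strerror(w));`, after which the `<string.h>` include is no longer needed. The check `if(key->uids->signatures)` dereferences `key->uids` without a NULL test, so a key record carrying no user ID (unlikely for the Debian keyring, but possible for other input) would crash the test rather than fail it; prefer `if(key->uids && key->uids->signatures)`. The test only inspects the first user ID of the first key, which is sufficient for this regression check but deserves a one-line comment stating that intent.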