commit: 1aaab826cb4ec987b3540d39df9a23dfa176421a Author: Sam James <sam <AT> gentoo <DOT> org> AuthorDate: Sat Jan 25 17:19:07 2025 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Sat Jan 25 17:24:01 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1aaab826
app-crypt/gnupg: drop 2.2.42-r4, 2.2.43-r1 Signed-off-by: Sam James <sam <AT> gentoo.org> app-crypt/gnupg/Manifest | 4 - .../gnupg-2.2.42-bug923248-insecure-backup.patch | 292 --------------------- .../gnupg/files/gnupg-2.2.42-dirmngr-proxy.patch | 156 ----------- .../gnupg/files/gnupg-2.2.42-gpgme-tests.patch | 39 --- app-crypt/gnupg/gnupg-2.2.42-r4.ebuild | 184 ------------- app-crypt/gnupg/gnupg-2.2.43-r1.ebuild | 181 ------------- 6 files changed, 856 deletions(-) diff --git a/app-crypt/gnupg/Manifest b/app-crypt/gnupg/Manifest index 9d9c53325678..204635d88ed1 100644 --- a/app-crypt/gnupg/Manifest +++ b/app-crypt/gnupg/Manifest @@ -1,7 +1,3 @@ -DIST gnupg-2.2.42.tar.bz2 7434291 BLAKE2B 5f7f01f31949e5258d638fbff81fa641e5c167e6eaf32c55eb187d4a31b31cd4fe6e51c622e74d8544c4f95c75484e15117f26a8cf26055ff6813d75e54f2b8a SHA512 9c59d034f428d42323b5520e1a8984acc1505ba1d96d90f00e17b24aa91660b2dc64e1a3ceb044c56f39b4c402a77c7e0b226c65218c23c094781b4ef51e2eb5 -DIST gnupg-2.2.42.tar.bz2.sig 238 BLAKE2B 251ad0a832042ceb93b0edfda8652104bfb463e291322f22f0ab0d9b35606c3589be7a6f3e9e2aac8f6ac368a7d11840ab83b29997587dc65685de9f2dec3fee SHA512 7073bfc920c571680a1de57b4e6cd83cde24ccb3b5f592602b0c32fd762eef497027b08745044c9f41130ca99bb7ec77222568c2d0a1099d3c1c15137e0221d7 -DIST gnupg-2.2.43.tar.bz2 7435426 BLAKE2B ddf5c89d317e6ce8d1a5348f0ef81ffa1c61c995ddb312b28410f04502b01eae307cd943bee7182d28d4efccac394c91053f8e33756b00166bf66b2bf4a791a7 SHA512 0d2e733b6659c116c043db5252de4de33d6a70c16172d1fe9b779ba413ba9fcb64bbfdcc4686d0e87904561fc62d1aa765144e0586957a500287c175ee37bd49 -DIST gnupg-2.2.43.tar.bz2.sig 119 BLAKE2B 38fd3790f5065d67d6b5323ef7abbb79facf00e5b9daba98e5078302fc3887423173ba434c7eff1e64faecef88d87aab9c057c570d6e96e8d0808f07f32d8fa1 SHA512 47c5354869b1825e56fa4276826fcde1ee41c70aab9b411686cf2733f4d1df9c006049e49e066b22e475bd37b337f9ffc97f8bbca0c62c0f32296909464a0643 DIST gnupg-2.2.45.tar.bz2 7447141 BLAKE2B 8fe2036325e31332166c0477ce9514152c8417a9f61b3edc43487340d5b52e6a4d4c2b104ca9fe7ce6893e6d2977e2cd9c9ccfb52c0b1ea18dae3304ec6ec7f3 SHA512 086bb2a96ff4a681451b357495c8b435229e6526e1121d8faee3cb2ecc9c14965c92c9b1ccbbf3a03f6c59c215cca85a5c4f740f2df7c008a9fa672b370bf33c DIST gnupg-2.2.45.tar.bz2.sig 119 BLAKE2B 6656747b2d640a95c4172a221952fa75f7d03c231b7c6d40ea57b43a5bcfbceb800023ca2f352ca09325aaf186a7bf31fcfe7104129c5d6628f0e1256994df76 SHA512 181195a76eede8113bd8f2a7f5bc20674226f6327cf8263389e3d178c205ed2d817b28f2d3b504dd9f852f22fc283d2c14e809ba1c05cfe88b66103845ff114c DIST gnupg-2.4.5.tar.bz2 7889060 BLAKE2B a8b80cd4dfbb377066efb5c9f1b6cdc6d0cd1b18358c962781b5c06de1545117b13038a4655ae627c36bfd2e5fee127692df8729d6b23e1b31051ab6d897b733 SHA512 4d54744f09399c5899144d0cb5fdc2756e45b058db41b9ea9df3be03e80b914509e16ef35aa0248e7561185b80f7a5f9fd6afcab8ccff75ff82ed555448a38ff diff --git a/app-crypt/gnupg/files/gnupg-2.2.42-bug923248-insecure-backup.patch b/app-crypt/gnupg/files/gnupg-2.2.42-bug923248-insecure-backup.patch deleted file mode 100644 index 76d6d94c40b1..000000000000 --- a/app-crypt/gnupg/files/gnupg-2.2.42-bug923248-insecure-backup.patch +++ /dev/null @@ -1,292 +0,0 @@ -https://bugs.gentoo.org/923248 -https://dev.gnupg.org/T6944 -https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=3b69d8bf7146b8d10737d0cfea9c97affc60ad73 - -From 3b69d8bf7146b8d10737d0cfea9c97affc60ad73 Mon Sep 17 00:00:00 2001 -From: Werner Koch <[email protected]> -Date: Wed, 24 Jan 2024 11:29:24 +0100 -Subject: [PATCH] gpg: Fix leftover unprotected card backup key. - -* agent/command.c (cmd_learn): Add option --reallyforce. -* agent/findkey.c (agent_write_private_key): Implement reallyforce. -Also add arg reallyforce and pass it along the call chain. - -* g10/call-agent.c (agent_scd_learn): Pass --reallyforce with a -special force value. -* g10/keygen.c (card_store_key_with_backup): Use that force value. --- - -This was a regression in 2.2.42. We took the easy path to fix it by -getting the behaviour back to what we did prior to 2.2.42. With GnuPG -2.4.4 we use an entire different and safer approach by introducing an -ephemeral private key store. - -GnuPG-bug-id: 6944 ---- a/agent/agent.h -+++ b/agent/agent.h -@@ -422,7 +422,8 @@ void start_command_handler_ssh (ctrl_t, gnupg_fd_t); - gpg_error_t agent_modify_description (const char *in, const char *comment, - const gcry_sexp_t key, char **result); - int agent_write_private_key (const unsigned char *grip, -- const void *buffer, size_t length, int force, -+ const void *buffer, size_t length, -+ int force, int reallyforce, - const char *serialno, const char *keyref, - const char *dispserialno, time_t timestamp); - gpg_error_t agent_key_from_file (ctrl_t ctrl, -@@ -548,6 +549,7 @@ gpg_error_t s2k_hash_passphrase (const char *passphrase, int hashalgo, - gpg_error_t agent_write_shadow_key (const unsigned char *grip, - const char *serialno, const char *keyid, - const unsigned char *pkbuf, int force, -+ int reallyforce, - const char *dispserialno); - - -@@ -628,7 +630,8 @@ void agent_card_killscd (void); - - - /*-- learncard.c --*/ --int agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, int force); -+int agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, -+ int force, int reallyforce); - - - /*-- cvt-openpgp.c --*/ ---- a/agent/command-ssh.c -+++ b/agent/command-ssh.c -@@ -2499,7 +2499,7 @@ card_key_available (ctrl_t ctrl, gcry_sexp_t *r_pk, char **cardsn) - - /* (Shadow)-key is not available in our key storage. */ - agent_card_getattr (ctrl, "$DISPSERIALNO", &dispserialno); -- err = agent_write_shadow_key (grip, serialno, authkeyid, pkbuf, 0, -+ err = agent_write_shadow_key (grip, serialno, authkeyid, pkbuf, 0, 0, - dispserialno); - xfree (dispserialno); - if (err) -@@ -3159,7 +3159,7 @@ ssh_identity_register (ctrl_t ctrl, ssh_key_type_spec_t *spec, - - /* Store this key to our key storage. We do not store a creation - * timestamp because we simply do not know. */ -- err = agent_write_private_key (key_grip_raw, buffer, buffer_n, 0, -+ err = agent_write_private_key (key_grip_raw, buffer, buffer_n, 0, 0, - NULL, NULL, NULL, 0); - if (err) - goto out; ---- a/agent/command.c -+++ b/agent/command.c -@@ -1042,7 +1042,7 @@ cmd_readkey (assuan_context_t ctx, char *line) - /* Shadow-key is or is not available in our key storage. In - * any case we need to check whether we need to update with - * a new display-s/n or whatever. */ -- rc = agent_write_shadow_key (grip, serialno, keyid, pkbuf, 0, -+ rc = agent_write_shadow_key (grip, serialno, keyid, pkbuf, 0, 0, - dispserialno); - if (rc) - goto leave; -@@ -1855,16 +1855,18 @@ cmd_learn (assuan_context_t ctx, char *line) - { - ctrl_t ctrl = assuan_get_pointer (ctx); - gpg_error_t err; -- int send, sendinfo, force; -+ int send, sendinfo, force, reallyforce; - - send = has_option (line, "--send"); - sendinfo = send? 1 : has_option (line, "--sendinfo"); - force = has_option (line, "--force"); -+ reallyforce = has_option (line, "--reallyforce"); - - if (ctrl->restricted) - return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN)); - -- err = agent_handle_learn (ctrl, send, sendinfo? ctx : NULL, force); -+ err = agent_handle_learn (ctrl, send, sendinfo? ctx : NULL, -+ force, reallyforce); - return leave_cmd (ctx, err); - } - -@@ -2427,11 +2429,11 @@ cmd_import_key (assuan_context_t ctx, char *line) - err = agent_protect (key, passphrase, &finalkey, &finalkeylen, - ctrl->s2k_count); - if (!err) -- err = agent_write_private_key (grip, finalkey, finalkeylen, force, -+ err = agent_write_private_key (grip, finalkey, finalkeylen, force, 0, - NULL, NULL, NULL, opt_timestamp); - } - else -- err = agent_write_private_key (grip, key, realkeylen, force, -+ err = agent_write_private_key (grip, key, realkeylen, force, 0, - NULL, NULL, NULL, opt_timestamp); - - leave: ---- a/agent/cvt-openpgp.c -+++ b/agent/cvt-openpgp.c -@@ -1070,7 +1070,7 @@ convert_from_openpgp_native (ctrl_t ctrl, - &protectedkey, &protectedkeylen, - ctrl->s2k_count)) - agent_write_private_key (grip, protectedkey, protectedkeylen, -- 1/*force*/, NULL, NULL, NULL, 0); -+ 1/*force*/, 0, NULL, NULL, NULL, 0); - xfree (protectedkey); - } - else -@@ -1079,7 +1079,7 @@ convert_from_openpgp_native (ctrl_t ctrl, - agent_write_private_key (grip, - *r_key, - gcry_sexp_canon_len (*r_key, 0, NULL,NULL), -- 1/*force*/, NULL, NULL, NULL, 0); -+ 1/*force*/, 0, NULL, NULL, NULL, 0); - } - } - ---- a/agent/findkey.c -+++ b/agent/findkey.c -@@ -82,7 +82,8 @@ fname_from_keygrip (const unsigned char *grip, int for_new) - * recorded as creation date. */ - int - agent_write_private_key (const unsigned char *grip, -- const void *buffer, size_t length, int force, -+ const void *buffer, size_t length, -+ int force, int reallyforce, - const char *serialno, const char *keyref, - const char *dispserialno, - time_t timestamp) -@@ -165,10 +166,13 @@ agent_write_private_key (const unsigned char *grip, - /* Check that we do not update a regular key with a shadow key. */ - if (is_regular && gpg_err_code (is_shadowed_key (key)) == GPG_ERR_TRUE) - { -- log_info ("updating regular key file '%s'" -- " by a shadow key inhibited\n", oldfname); -- err = 0; /* Simply ignore the error. */ -- goto leave; -+ if (!reallyforce) -+ { -+ log_info ("updating regular key file '%s'" -+ " by a shadow key inhibited\n", oldfname); -+ err = 0; /* Simply ignore the error. */ -+ goto leave; -+ } - } - /* Check that we update a regular key only in force mode. */ - if (is_regular && !force) -@@ -1704,12 +1708,13 @@ agent_delete_key (ctrl_t ctrl, const char *desc_text, - * Shadow key is created by an S-expression public key in PKBUF and - * card's SERIALNO and the IDSTRING. With FORCE passed as true an - * existing key with the given GRIP will get overwritten. If -- * DISPSERIALNO is not NULL the human readable s/n will also be -- * recorded in the key file. */ -+ * REALLYFORCE is also true, even a private key will be overwritten by -+ * a shadown key. If DISPSERIALNO is not NULL the human readable s/n -+ * will also be recorded in the key file. */ - gpg_error_t - agent_write_shadow_key (const unsigned char *grip, - const char *serialno, const char *keyid, -- const unsigned char *pkbuf, int force, -+ const unsigned char *pkbuf, int force, int reallyforce, - const char *dispserialno) - { - gpg_error_t err; -@@ -1737,7 +1742,7 @@ agent_write_shadow_key (const unsigned char *grip, - } - - len = gcry_sexp_canon_len (shdkey, 0, NULL, NULL); -- err = agent_write_private_key (grip, shdkey, len, force, -+ err = agent_write_private_key (grip, shdkey, len, force, reallyforce, - serialno, keyid, dispserialno, 0); - xfree (shdkey); - if (err) ---- a/agent/genkey.c -+++ b/agent/genkey.c -@@ -69,7 +69,7 @@ store_key (gcry_sexp_t private, const char *passphrase, int force, - buf = p; - } - -- rc = agent_write_private_key (grip, buf, len, force, -+ rc = agent_write_private_key (grip, buf, len, force, 0, - NULL, NULL, NULL, timestamp); - xfree (buf); - return rc; ---- a/agent/learncard.c -+++ b/agent/learncard.c -@@ -297,9 +297,12 @@ send_cert_back (ctrl_t ctrl, const char *id, void *assuan_context) - } - - /* Perform the learn operation. If ASSUAN_CONTEXT is not NULL and -- SEND is true all new certificates are send back via Assuan. */ -+ SEND is true all new certificates are send back via Assuan. If -+ REALLYFORCE is true a private key will be overwritten by a stub -+ key. */ - int --agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, int force) -+agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, -+ int force, int reallyforce) - { - int rc; - struct kpinfo_cb_parm_s parm; -@@ -414,7 +417,7 @@ agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, int force) - - agent_card_getattr (ctrl, "$DISPSERIALNO", &dispserialno); - rc = agent_write_shadow_key (grip, serialno, item->id, pubkey, -- force, dispserialno); -+ force, reallyforce, dispserialno); - xfree (dispserialno); - } - xfree (pubkey); ---- a/agent/protect-tool.c -+++ b/agent/protect-tool.c -@@ -807,13 +807,15 @@ agent_askpin (ctrl_t ctrl, - * to stdout. */ - int - agent_write_private_key (const unsigned char *grip, -- const void *buffer, size_t length, int force, -+ const void *buffer, size_t length, -+ int force, int reallyforce, - const char *serialno, const char *keyref, - const char *dispserialno, time_t timestamp) - { - char hexgrip[40+4+1]; - char *p; - -+ (void)reallyforce; - (void)force; - (void)timestamp; - (void)serialno; ---- a/g10/call-agent.c -+++ b/g10/call-agent.c -@@ -745,6 +745,11 @@ learn_status_cb (void *opaque, const char *line) - * card-util.c - * keyedit_menu - * card_store_key_with_backup (Woth force to remove secret key data) -+ * -+ * If force has the value 2 the --reallyforce option is also used. -+ * This is to make sure the sshadow key overwrites the private key. -+ * Note that this option is gnupg 2.2 specific because since 2.4.4 an -+ * ephemeral private key store is used instead. - */ - int - agent_scd_learn (struct agent_card_info_s *info, int force) -@@ -764,6 +769,7 @@ agent_scd_learn (struct agent_card_info_s *info, int force) - - parm.ctx = agent_ctx; - rc = assuan_transact (agent_ctx, -+ force == 2? "LEARN --sendinfo --force --reallyforce" : - force ? "LEARN --sendinfo --force" : "LEARN --sendinfo", - dummy_data_cb, NULL, default_inq_cb, &parm, - learn_status_cb, info); ---- a/g10/keygen.c -+++ b/g10/keygen.c -@@ -5201,8 +5201,11 @@ card_store_key_with_backup (ctrl_t ctrl, PKT_public_key *sub_psk, - if (err) - log_error ("writing card key to backup file: %s\n", gpg_strerror (err)); - else -- /* Remove secret key data in agent side. */ -- agent_scd_learn (NULL, 1); -+ { -+ /* Remove secret key data in agent side. We use force 2 here to -+ * allow overwriting of the temporary private key. */ -+ agent_scd_learn (NULL, 2); -+ } - - leave: - xfree (ecdh_param_str); --- -2.30.2 diff --git a/app-crypt/gnupg/files/gnupg-2.2.42-dirmngr-proxy.patch b/app-crypt/gnupg/files/gnupg-2.2.42-dirmngr-proxy.patch deleted file mode 100644 index 21be675adef4..000000000000 --- a/app-crypt/gnupg/files/gnupg-2.2.42-dirmngr-proxy.patch +++ /dev/null @@ -1,156 +0,0 @@ -https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=d6c428699db7aa20f8b6ca9fe83197a0314b7e91 -https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=c33c4fdf10b7ed9e03f2afe988d93f3085b727aa -https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=41c022072599bc3f12f659e962653548cd86fa3a - -From d6c428699db7aa20f8b6ca9fe83197a0314b7e91 Mon Sep 17 00:00:00 2001 -From: NIIBE Yutaka <[email protected]> -Date: Thu, 15 Feb 2024 15:38:34 +0900 -Subject: [PATCH] dirmngr: Fix proxy with TLS. - -* dirmngr/http.c (proxy_get_token, run_proxy_connect): Always -available regardless of USE_TLS. -(send_request): Remove USE_TLS. - --- - -Since quite some time building w/o TLS won't work. - -GnuPG-bug-id: 6997 ---- a/dirmngr/http.c -+++ b/dirmngr/http.c -@@ -2498,9 +2498,7 @@ proxy_get_token (proxy_info_t proxy, const char *inputstring) - } - - -- - /* Use the CONNECT method to proxy our TLS stream. */ --#ifdef USE_TLS - static gpg_error_t - run_proxy_connect (http_t hd, proxy_info_t proxy, - const char *httphost, const char *server, -@@ -2709,7 +2707,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, - xfree (tmpstr); - return err; - } --#endif /*USE_TLS*/ - - - /* Make a request string using a standard proxy. On success the -@@ -2866,7 +2863,6 @@ send_request (http_t hd, const char *httphost, const char *auth, - goto leave; - } - --#if USE_TLS - if (use_http_proxy && hd->uri->use_tls) - { - err = run_proxy_connect (hd, proxy, httphost, server, port); -@@ -2878,7 +2874,6 @@ send_request (http_t hd, const char *httphost, const char *auth, - * clear the flag to indicate this. */ - use_http_proxy = 0; - } --#endif /* USE_TLS */ - - #if HTTP_USE_NTBTLS - err = run_ntbtls_handshake (hd); --- -2.30.2 - -From c33c4fdf10b7ed9e03f2afe988d93f3085b727aa Mon Sep 17 00:00:00 2001 -From: NIIBE Yutaka <[email protected]> -Date: Fri, 16 Feb 2024 11:31:37 +0900 -Subject: [PATCH] dirmngr: Fix the regression of use of proxy for TLS - connection. - -* dirmngr/http.c (run_proxy_connect): Don't set keep_alive, since it -causes resource leak of FP_WRITE. -Don't try to read response body to fix the hang. - --- - -GnuPG-bug-id: 6997 -Signed-off-by: NIIBE Yutaka <[email protected]> ---- a/dirmngr/http.c -+++ b/dirmngr/http.c -@@ -2520,6 +2520,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, - * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication - */ - auth_basic = !!proxy->uri->auth; -+ hd->keep_alive = 0; - - /* For basic authentication we need to send just one request. */ - if (auth_basic -@@ -2541,13 +2542,12 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, - httphost ? httphost : server, - port, - authhdr ? authhdr : "", -- auth_basic? "" : "Connection: keep-alive\r\n"); -+ hd->keep_alive? "Connection: keep-alive\r\n" : ""); - if (!request) - { - err = gpg_error_from_syserror (); - goto leave; - } -- hd->keep_alive = !auth_basic; /* We may need to send more requests. */ - - if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP)) - log_debug_with_string (request, "http.c:proxy:request:"); -@@ -2574,16 +2574,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, - if (err) - goto leave; - -- { -- unsigned long count = 0; -- -- while (es_getc (hd->fp_read) != EOF) -- count++; -- if (opt_debug) -- log_debug ("http.c:proxy_connect: skipped %lu bytes of response-body\n", -- count); -- } -- - /* Reset state. */ - es_clearerr (hd->fp_read); - ((cookie_t)(hd->read_cookie))->up_to_empty_line = 1; --- -2.30.2 - -From 41c022072599bc3f12f659e962653548cd86fa3a Mon Sep 17 00:00:00 2001 -From: NIIBE Yutaka <[email protected]> -Date: Fri, 16 Feb 2024 16:24:26 +0900 -Subject: [PATCH] dirmngr: Fix keep-alive flag handling. - -* dirmngr/http.c (run_proxy_connect): Set KEEP_ALIVE if not Basic -Authentication. Fix resource leak of FP_WRITE. - --- - -GnuPG-bug-id: 6997 -Signed-off-by: NIIBE Yutaka <[email protected]> ---- a/dirmngr/http.c -+++ b/dirmngr/http.c -@@ -2520,7 +2520,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, - * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication - */ - auth_basic = !!proxy->uri->auth; -- hd->keep_alive = 0; -+ hd->keep_alive = !auth_basic; /* We may need to send more requests. */ - - /* For basic authentication we need to send just one request. */ - if (auth_basic -@@ -2684,6 +2684,14 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, - } - - leave: -+ if (hd->keep_alive) -+ { -+ es_fclose (hd->fp_write); -+ hd->fp_write = NULL; -+ /* The close has released the cookie and thus we better set it -+ * to NULL. */ -+ hd->write_cookie = NULL; -+ } - /* Restore flags, destroy stream, reset state. */ - hd->flags = saved_flags; - es_fclose (hd->fp_read); --- -2.30.2 diff --git a/app-crypt/gnupg/files/gnupg-2.2.42-gpgme-tests.patch b/app-crypt/gnupg/files/gnupg-2.2.42-gpgme-tests.patch deleted file mode 100644 index f10154b303e5..000000000000 --- a/app-crypt/gnupg/files/gnupg-2.2.42-gpgme-tests.patch +++ /dev/null @@ -1,39 +0,0 @@ -https://bugs.gentoo.org/924386 -https://dev.gnupg.org/T7003 -https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=f50c543326c2eea6b40f548d61cf3a66a077bf54 - -From f50c543326c2eea6b40f548d61cf3a66a077bf54 Mon Sep 17 00:00:00 2001 -From: NIIBE Yutaka <[email protected]> -Date: Fri, 1 Mar 2024 13:59:43 +0900 -Subject: [PATCH] agent: Allow simple KEYINFO command when restricted. - -* agent/command.c (cmd_keyinfo): Only forbid list command. - --- - -GnuPG-bug-id: 7003 -Signed-off-by: NIIBE Yutaka <[email protected]> ---- a/agent/command.c -+++ b/agent/command.c -@@ -1282,9 +1282,6 @@ cmd_keyinfo (assuan_context_t ctx, char *line) - char hexgrip[41]; - int disabled, ttl, confirm, is_ssh; - -- if (ctrl->restricted) -- return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN)); -- - if (has_option (line, "--ssh-list")) - list_mode = 2; - else -@@ -1333,6 +1330,9 @@ cmd_keyinfo (assuan_context_t ctx, char *line) - char *dirname; - gnupg_dirent_t dir_entry; - -+ if (ctrl->restricted) -+ return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN)); -+ - dirname = make_filename_try (gnupg_homedir (), - GNUPG_PRIVATE_KEYS_DIR, NULL); - if (!dirname) --- -2.30.2 diff --git a/app-crypt/gnupg/gnupg-2.2.42-r4.ebuild b/app-crypt/gnupg/gnupg-2.2.42-r4.ebuild deleted file mode 100644 index 06f010973e05..000000000000 --- a/app-crypt/gnupg/gnupg-2.2.42-r4.ebuild +++ /dev/null @@ -1,184 +0,0 @@ -# Copyright 1999-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -# Maintainers should: -# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/ -# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159 -# (find the one for the current release then subscribe to it + -# any subsequent ones linked within so you're covered for a while.) - -VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc -# in-source builds are not supported: https://dev.gnupg.org/T6313#166339 -inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig - -MY_P="${P/_/-}" - -DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation" -HOMEPAGE="https://gnupg.org/"; -SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2" -SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )" -S="${WORKDIR}/${MY_P}" - -LICENSE="GPL-3+" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" -IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server" -RESTRICT="!test? ( test )" - -# Existence of executables is checked during configuration. -# Note: On each bump, update dep bounds on each version from configure.ac! -DEPEND=" - >=dev-libs/libassuan-2.5.0:= - >=dev-libs/libgcrypt-1.8.0:= - >=dev-libs/libgpg-error-1.38 - >=dev-libs/libksba-1.3.5 - >=dev-libs/npth-1.2 - >=net-misc/curl-7.10 - sys-libs/zlib - bzip2? ( app-arch/bzip2 ) - ldap? ( net-nds/openldap:= ) - readline? ( sys-libs/readline:= ) - smartcard? ( usb? ( virtual/libusb:1 ) ) - ssl? ( >=net-libs/gnutls-3.0:= ) - tofu? ( >=dev-db/sqlite-3.7 ) -" -RDEPEND=" - ${DEPEND} - nls? ( virtual/libintl ) - selinux? ( sec-policy/selinux-gpg ) - wks-server? ( virtual/mta ) -" -PDEPEND=" - app-crypt/pinentry -" -BDEPEND=" - virtual/pkgconfig - doc? ( sys-apps/texinfo ) - nls? ( sys-devel/gettext ) - verify-sig? ( sec-keys/openpgp-keys-gnupg ) -" - -DOCS=( - ChangeLog NEWS README THANKS TODO VERSION - doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER -) - -PATCHES=( - "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch - "${FILESDIR}"/${P}-bug923248-insecure-backup.patch - "${FILESDIR}"/${P}-dirmngr-proxy.patch - "${FILESDIR}"/${P}-gpgme-tests.patch -) - -src_prepare() { - default - - # Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode, - # idea borrowed from libdbus, see - # https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6 - # - # This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl', - # which in turn requires discovery in Autoconf, something that upstream deeply resents. - sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \ - -i doc/examples/systemd-user/gpg-agent-ssh.socket || die -} - -my_src_configure() { - # Upstream don't support LTO, bug #854222. - filter-lto - - local myconf=( - $(use_enable bzip2) - $(use_enable nls) - $(use_enable smartcard scdaemon) - $(use_enable ssl gnutls) - $(use_enable test all-tests) - $(use_enable test tests) - $(use_enable tofu) - $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver') - $(use_enable wks-server wks-tools) - $(use_with ldap) - $(use_with readline) - - # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist. - # As of GnuPG 2.3, the mailprog substitution is used for the binary called - # by wks-client & wks-server; and if it's autodetected but not not exist at - # build time, then then 'gpg-wks-client --send' functionality will not - # work. This has an unwanted side-effect in stage3 builds: there was a - # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating - # the build where the install guide previously make the user chose the - # logger & mta early in the install. - --with-mailprog=/usr/libexec/sendmail - - --disable-ntbtls - --enable-gpg - --enable-gpgsm - --enable-large-secmem - - CC_FOR_BUILD="$(tc-getBUILD_CC)" - GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config" - KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config" - LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config" - LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config" - NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config" - - $("${S}/configure" --help | grep -o -- '--without-.*-prefix') - ) - - if use prefix && use usb; then - # bug #649598 - append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0" - fi - - # bug #663142 - if use user-socket; then - myconf+=( --enable-run-gnupg-user-socket ) - fi - - # glib fails and picks up clang's internal stdint.h causing weird errors - tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h - - econf "${myconf[@]}" -} - -my_src_compile() { - default - - use doc && emake -C doc html -} - -my_src_test() { - export TESTFLAGS="--parallel=$(makeopts_jobs)" - - default -} - -my_src_install() { - emake DESTDIR="${D}" install - - use tools && dobin \ - tools/{gpg-zip,gpgconf,gpgsplit,gpg-check-pattern} \ - tools/make-dns-cert - - dosym gpg /usr/bin/gpg2 - dosym gpgv /usr/bin/gpgv2 - echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die - echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die - - dodir /etc/env.d - echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die - - use doc && dodoc doc/gnupg.html/* -} - -my_src_install_all() { - einstalldocs - - use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot} - - use doc && dodoc doc/*.png - - systemd_douserunit doc/examples/systemd-user/*.{service,socket} -} diff --git a/app-crypt/gnupg/gnupg-2.2.43-r1.ebuild b/app-crypt/gnupg/gnupg-2.2.43-r1.ebuild deleted file mode 100644 index 9ccaeb24401c..000000000000 --- a/app-crypt/gnupg/gnupg-2.2.43-r1.ebuild +++ /dev/null @@ -1,181 +0,0 @@ -# Copyright 1999-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -# Maintainers should: -# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/ -# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159 -# (find the one for the current release then subscribe to it + -# any subsequent ones linked within so you're covered for a while.) - -VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc -# in-source builds are not supported: https://dev.gnupg.org/T6313#166339 -inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig - -MY_P="${P/_/-}" - -DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation" -HOMEPAGE="https://gnupg.org/"; -SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2" -SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )" -S="${WORKDIR}/${MY_P}" - -LICENSE="GPL-3+" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" -IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server" -RESTRICT="!test? ( test )" - -# Existence of executables is checked during configuration. -# Note: On each bump, update dep bounds on each version from configure.ac! -DEPEND=" - >=dev-libs/libassuan-2.5.0:= - >=dev-libs/libgcrypt-1.8.0:= - >=dev-libs/libgpg-error-1.38 - >=dev-libs/libksba-1.4.0 - >=dev-libs/npth-1.2 - >=net-misc/curl-7.10 - sys-libs/zlib - bzip2? ( app-arch/bzip2 ) - ldap? ( net-nds/openldap:= ) - readline? ( sys-libs/readline:= ) - smartcard? ( usb? ( virtual/libusb:1 ) ) - ssl? ( >=net-libs/gnutls-3.0:= ) - tofu? ( >=dev-db/sqlite-3.7 ) -" -RDEPEND=" - ${DEPEND} - nls? ( virtual/libintl ) - selinux? ( sec-policy/selinux-gpg ) - wks-server? ( virtual/mta ) -" -PDEPEND=" - app-crypt/pinentry -" -BDEPEND=" - virtual/pkgconfig - doc? ( sys-apps/texinfo ) - nls? ( sys-devel/gettext ) - verify-sig? ( sec-keys/openpgp-keys-gnupg ) -" - -DOCS=( - ChangeLog NEWS README THANKS TODO VERSION - doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER -) - -PATCHES=( - "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch -) - -src_prepare() { - default - - # Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode, - # idea borrowed from libdbus, see - # https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6 - # - # This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl', - # which in turn requires discovery in Autoconf, something that upstream deeply resents. - sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \ - -i doc/examples/systemd-user/gpg-agent-ssh.socket || die -} - -my_src_configure() { - # Upstream don't support LTO, bug #854222. - filter-lto - - local myconf=( - $(use_enable bzip2) - $(use_enable nls) - $(use_enable smartcard scdaemon) - $(use_enable ssl gnutls) - $(use_enable test all-tests) - $(use_enable test tests) - $(use_enable tofu) - $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver') - $(use_enable wks-server wks-tools) - $(use_with ldap) - $(use_with readline) - - # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist. - # As of GnuPG 2.3, the mailprog substitution is used for the binary called - # by wks-client & wks-server; and if it's autodetected but not not exist at - # build time, then then 'gpg-wks-client --send' functionality will not - # work. This has an unwanted side-effect in stage3 builds: there was a - # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating - # the build where the install guide previously make the user chose the - # logger & mta early in the install. - --with-mailprog=/usr/libexec/sendmail - - --disable-ntbtls - --enable-gpg - --enable-gpgsm - --enable-large-secmem - - CC_FOR_BUILD="$(tc-getBUILD_CC)" - GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config" - KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config" - LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config" - LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config" - NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config" - - $("${S}/configure" --help | grep -o -- '--without-.*-prefix') - ) - - if use prefix && use usb; then - # bug #649598 - append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0" - fi - - # bug #663142 - if use user-socket; then - myconf+=( --enable-run-gnupg-user-socket ) - fi - - # glib fails and picks up clang's internal stdint.h causing weird errors - tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h - - econf "${myconf[@]}" -} - -my_src_compile() { - default - - use doc && emake -C doc html -} - -my_src_test() { - export TESTFLAGS="--parallel=$(makeopts_jobs)" - - default -} - -my_src_install() { - emake DESTDIR="${D}" install - - use tools && dobin \ - tools/{gpg-zip,gpgconf,gpgsplit,gpg-check-pattern} \ - tools/make-dns-cert - - dosym gpg /usr/bin/gpg2 - dosym gpgv /usr/bin/gpgv2 - echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die - echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die - - dodir /etc/env.d - echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die - - use doc && dodoc doc/gnupg.html/* -} - -my_src_install_all() { - einstalldocs - - use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot} - - use doc && dodoc doc/*.png - - systemd_douserunit doc/examples/systemd-user/*.{service,socket} -}
