commit:     fc2b8743fef9c5bd8cd79a0a0f92f083e246cd00
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Mon Jun 24 03:56:52 2024 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Mon Jun 24 03:58:04 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fc2b8743

app-crypt/gnupg: revert rfc4880bis default for now

Revert a new default which creates keys incompatible with other OpenPGP
implementations. This is what other distros such as Fedora and Arch do.

See https://lwn.net/Articles/953797/.

Closes: https://bugs.gentoo.org/926186
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../files/gnupg-2.4.5-revert-rfc4880bis.patch      | 196 +++++++++++++++++++++
 app-crypt/gnupg/gnupg-2.4.5-r2.ebuild              | 193 ++++++++++++++++++++
 2 files changed, 389 insertions(+)

diff --git a/app-crypt/gnupg/files/gnupg-2.4.5-revert-rfc4880bis.patch 
b/app-crypt/gnupg/files/gnupg-2.4.5-revert-rfc4880bis.patch
new file mode 100644
index 000000000000..57c00966d542
--- /dev/null
+++ b/app-crypt/gnupg/files/gnupg-2.4.5-revert-rfc4880bis.patch
@@ -0,0 +1,196 @@
+https://lwn.net/Articles/953797/
+https://security.stackexchange.com/questions/275883/should-one-really-disable-aead-for-recent-gnupg-created-pgp-keys
+https://lists.gnupg.org/pipermail/librepgp-discuss/2023/000001.html
+https://bugs.gentoo.org/926186
+
+From 1e4f1550996334d2a631a5d769e937d29ace47bb Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <[email protected]>
+Date: Thu, 9 Feb 2023 16:38:58 +0100
+Subject: [PATCH gnupg] Revert the introduction of the RFC4880bis draft into
+ defaults
+
+This reverts commit 4583f4fe2 (gpg: Merge --rfc4880bis features into
+--gnupg, 2022-10-31).
+--- a/g10/gpg.c
++++ b/g10/gpg.c
+@@ -247,6 +247,7 @@ enum cmd_and_opt_values
+     oGnuPG,
+     oRFC2440,
+     oRFC4880,
++    oRFC4880bis,
+     oOpenPGP,
+     oPGP7,
+     oPGP8,
+@@ -636,6 +637,7 @@ static gpgrt_opt_t opts[] = {
+   ARGPARSE_s_n (oGnuPG, "no-pgp8", "@"),
+   ARGPARSE_s_n (oRFC2440, "rfc2440", "@"),
+   ARGPARSE_s_n (oRFC4880, "rfc4880", "@"),
++  ARGPARSE_s_n (oRFC4880bis, "rfc4880bis", "@"),
+   ARGPARSE_s_n (oOpenPGP, "openpgp", N_("use strict OpenPGP behavior")),
+   ARGPARSE_s_n (oPGP7, "pgp6", "@"),
+   ARGPARSE_s_n (oPGP7, "pgp7", "@"),
+@@ -978,7 +980,6 @@ static gpgrt_opt_t opts[] = {
+   ARGPARSE_s_n (oNoop, "no-allow-multiple-messages", "@"),
+   ARGPARSE_s_s (oNoop, "aead-algo", "@"),
+   ARGPARSE_s_s (oNoop, "personal-aead-preferences","@"),
+-  ARGPARSE_s_n (oNoop, "rfc4880bis", "@"),
+   ARGPARSE_s_n (oNoop, "override-compliance-check", "@"),
+ 
+ 
+@@ -2227,7 +2228,7 @@ static struct gnupg_compliance_option 
compliance_options[] =
+   {
+     { "gnupg",      oGnuPG },
+     { "openpgp",    oOpenPGP },
+-    { "rfc4880bis", oGnuPG },
++    { "rfc4880bis", oRFC4880bis },
+     { "rfc4880",    oRFC4880 },
+     { "rfc2440",    oRFC2440 },
+     { "pgp6",       oPGP7 },
+@@ -2243,8 +2244,28 @@ static struct gnupg_compliance_option 
compliance_options[] =
+ static void
+ set_compliance_option (enum cmd_and_opt_values option)
+ {
++  opt.flags.rfc4880bis = 0;  /* Clear because it is initially set.  */
++
+   switch (option)
+     {
++    case oRFC4880bis:
++      opt.flags.rfc4880bis = 1;
++      opt.compliance = CO_RFC4880;
++      opt.flags.dsa2 = 1;
++      opt.flags.require_cross_cert = 1;
++      opt.rfc2440_text = 0;
++      opt.allow_non_selfsigned_uid = 1;
++      opt.allow_freeform_uid = 1;
++      opt.escape_from = 1;
++      opt.not_dash_escaped = 0;
++      opt.def_cipher_algo = 0;
++      opt.def_digest_algo = 0;
++      opt.cert_digest_algo = 0;
++      opt.compress_algo = -1;
++      opt.s2k_mode = 3; /* iterated+salted */
++      opt.s2k_digest_algo = DIGEST_ALGO_SHA256;
++      opt.s2k_cipher_algo = CIPHER_ALGO_AES256;
++      break;
+     case oOpenPGP:
+     case oRFC4880:
+       /* This is effectively the same as RFC2440, but with
+@@ -2288,6 +2309,7 @@ set_compliance_option (enum cmd_and_opt_values option)
+     case oPGP8:  opt.compliance = CO_PGP8;  break;
+     case oGnuPG:
+       opt.compliance = CO_GNUPG;
++      opt.flags.rfc4880bis = 1;
+       break;
+ 
+     case oDE_VS:
+@@ -2491,6 +2513,7 @@ main (int argc, char **argv)
+     opt.emit_version = 0;
+     opt.weak_digests = NULL;
+     opt.compliance = CO_GNUPG;
++    opt.flags.rfc4880bis = 1;
+ 
+     /* Check special options given on the command line.  */
+     orig_argc = argc;
+@@ -3033,6 +3056,7 @@ main (int argc, char **argv)
+           case oOpenPGP:
+           case oRFC2440:
+           case oRFC4880:
++          case oRFC4880bis:
+           case oPGP7:
+           case oPGP8:
+           case oGnuPG:
+@@ -3862,6 +3886,11 @@ main (int argc, char **argv)
+     if( may_coredump && !opt.quiet )
+       log_info(_("WARNING: program may create a core file!\n"));
+ 
++    if (!opt.flags.rfc4880bis)
++      {
++        opt.mimemode = 0; /* This will use text mode instead.  */
++      }
++
+     if (eyes_only) {
+       if (opt.set_filename)
+         log_info(_("WARNING: %s overrides %s\n"),
+@@ -4078,7 +4107,7 @@ main (int argc, char **argv)
+     /* Check our chosen algorithms against the list of legal
+        algorithms. */
+ 
+-    if(!GNUPG)
++    if(!GNUPG && !opt.flags.rfc4880bis)
+       {
+       const char *badalg=NULL;
+       preftype_t badtype=PREFTYPE_NONE;
+--- a/g10/keygen.c
++++ b/g10/keygen.c
+@@ -404,7 +404,7 @@ keygen_set_std_prefs (const char *string,int personal)
+             strcat(dummy_string,"S7 ");
+           strcat(dummy_string,"S2 "); /* 3DES */
+ 
+-            if (!openpgp_aead_test_algo (AEAD_ALGO_OCB))
++            if (opt.flags.rfc4880bis && !openpgp_aead_test_algo 
(AEAD_ALGO_OCB))
+             strcat(dummy_string,"A2 ");
+ 
+             if (personal)
+@@ -889,7 +889,7 @@ keygen_upd_std_prefs (PKT_signature *sig, void *opaque)
+   /* Make sure that the MDC feature flag is set if needed.  */
+   add_feature_mdc (sig,mdc_available);
+   add_feature_aead (sig, aead_available);
+-  add_feature_v5 (sig, 1);
++  add_feature_v5 (sig, opt.flags.rfc4880bis);
+   add_keyserver_modify (sig,ks_modify);
+   keygen_add_keyserver_url(sig,NULL);
+ 
+@@ -3382,7 +3382,10 @@ parse_key_parameter_part (ctrl_t ctrl,
+                 }
+             }
+           else if (!ascii_strcasecmp (s, "v5"))
+-            keyversion = 5;
++            {
++              if (opt.flags.rfc4880bis)
++                keyversion = 5;
++            }
+           else if (!ascii_strcasecmp (s, "v4"))
+             keyversion = 4;
+           else
+@@ -3641,7 +3644,7 @@ parse_key_parameter_part (ctrl_t ctrl,
+  *   ecdsa := Use algorithm ECDSA.
+  *   eddsa := Use algorithm EdDSA.
+  *   ecdh  := Use algorithm ECDH.
+- *   v5    := Create version 5 key
++ *   v5    := Create version 5 key (requires option --rfc4880bis)
+  *
+  * There are several defaults and fallbacks depending on the
+  * algorithm.  PART can be used to select which part of STRING is
+@@ -4513,9 +4516,9 @@ read_parameter_file (ctrl_t ctrl, const char *fname )
+           }
+       }
+ 
+-        if ((keywords[i].key == pVERSION
+-             || keywords[i].key == pSUBVERSION))
+-          ; /* Ignore version.  */
++        if (!opt.flags.rfc4880bis && (keywords[i].key == pVERSION
++                                      || keywords[i].key == pSUBVERSION))
++          ; /* Ignore version unless --rfc4880bis is active.  */
+         else
+           {
+             r = xmalloc_clear( sizeof *r + strlen( value ) );
+@@ -4610,11 +4613,14 @@ quickgen_set_para (struct para_data_s *para, int 
for_subkey,
+       para = r;
+     }
+ 
+-  r = xmalloc_clear (sizeof *r + 20);
+-  r->key = for_subkey? pSUBVERSION : pVERSION;
+-  snprintf (r->u.value, 20, "%d", version);
+-  r->next = para;
+-  para = r;
++  if (opt.flags.rfc4880bis)
++    {
++      r = xmalloc_clear (sizeof *r + 20);
++      r->key = for_subkey? pSUBVERSION : pVERSION;
++      snprintf (r->u.value, 20, "%d", version);
++      r->next = para;
++      para = r;
++    }
+ 
+   if (keytime)
+     {
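Review bot: The restored initialisation `opt.flags.rfc4880bis = 1;` in main() and the same assignment in the `oGnuPG` case of set_compliance_option() leave the flag on in the default compliance mode, so the keygen.c conditions this patch adds (`if (opt.flags.rfc4880bis && !openpgp_aead_test_algo (AEAD_ALGO_OCB))` and `add_feature_v5 (sig, opt.flags.rfc4880bis);`) still advertise the AEAD preference and the v5 feature flag on keys generated with default options; only `--openpgp`, `--rfc4880` and the other non-gnupg compliance modes clear it via the `opt.flags.rfc4880bis = 0;` at the top of set_compliance_option(). If the intent stated in the commit message is to change the default rather than merely re-add the `--rfc4880bis` option, those two assignments would need to become `opt.flags.rfc4880bis = 0;` (or be dropped) and the `/* Clear because it is initially set.  */` comment updated to match; this is inferred from the visible hunks only, so confirm by inspecting the preferences of a key generated with the patched build before relying on the revert. The patch header still describes itself as a plain revert of upstream 4583f4fe2 against a February 2023 tree; a one-line note at the top of the file recording that it was rebased onto 2.4.5 and which default behaviour Gentoo expects from it would help whoever does the next version bump.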

diff --git a/app-crypt/gnupg/gnupg-2.4.5-r2.ebuild 
b/app-crypt/gnupg/gnupg-2.4.5-r2.ebuild
new file mode 100644
index 000000000000..5b2191cfb0b7
--- /dev/null
+++ b/app-crypt/gnupg/gnupg-2.4.5-r2.ebuild
@@ -0,0 +1,193 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Maintainers should:
+# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
+# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
+# (find the one for the current release then subscribe to it +
+# any subsequent ones linked within so you're covered for a while.)
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
+# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
+inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs 
verify-sig
+
+MY_P="${P/_/-}"
+
+DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
+HOMEPAGE="https://gnupg.org/";
+SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
+SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="GPL-3+"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 
~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos 
~x64-macos ~x64-solaris"
+IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools 
usb user-socket wks-server"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="test? ( tofu )"
+
+# Existence of executables is checked during configuration.
+# Note: On each bump, update dep bounds on each version from configure.ac!
+DEPEND="
+       >=dev-libs/libassuan-2.5.0:=
+       >=dev-libs/libgcrypt-1.9.1:=
+       >=dev-libs/libgpg-error-1.46
+       >=dev-libs/libksba-1.6.3
+       >=dev-libs/npth-1.2
+       >=net-misc/curl-7.10
+       sys-libs/zlib
+       bzip2? ( app-arch/bzip2 )
+       ldap? ( net-nds/openldap:= )
+       readline? ( sys-libs/readline:0= )
+       smartcard? ( usb? ( virtual/libusb:1 ) )
+       tofu? ( >=dev-db/sqlite-3.27 )
+       tpm? ( >=app-crypt/tpm2-tss-2.4.0:= )
+       ssl? ( >=net-libs/gnutls-3.2:0= )
+"
+RDEPEND="
+       ${DEPEND}
+       nls? ( virtual/libintl )
+       selinux? ( sec-policy/selinux-gpg )
+       wks-server? ( virtual/mta )
+"
+PDEPEND="
+       app-crypt/pinentry
+"
+BDEPEND="
+       virtual/pkgconfig
+       doc? ( sys-apps/texinfo )
+       nls? ( sys-devel/gettext )
+       verify-sig? ( sec-keys/openpgp-keys-gnupg )
+"
+
+DOCS=(
+       ChangeLog NEWS README THANKS TODO VERSION
+       doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
+)
+
+PATCHES=(
+       
"${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
+       "${FILESDIR}"/${PN}-2.4.5-revert-rfc4880bis.patch # bug #926186
+)
+
+src_prepare() {
+       default
+
+       GNUPG_SYSTEMD_UNITS=(
+               dirmngr.service
+               dirmngr.socket
+               gpg-agent-browser.socket
+               gpg-agent-extra.socket
+               gpg-agent.service
+               gpg-agent.socket
+               gpg-agent-ssh.socket
+       )
+
+       cp "${GNUPG_SYSTEMD_UNITS[@]/#/${FILESDIR}/}" "${T}" || die
+
+       # Inject SSH_AUTH_SOCK into user's sessions after enabling 
gpg-agent-ssh.socket in systemctl --user mode,
+       # idea borrowed from libdbus, see
+       #   
https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
+       #
+       # This cannot be upstreamed, as it requires determining the exact 
prefix of 'systemctl',
+       # which in turn requires discovery in Autoconf, something that upstream 
deeply resents.
+       sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl 
--user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
+               -i "${T}"/gpg-agent-ssh.socket || die
+}
+
+my_src_configure() {
+       # Upstream don't support LTO, bug #854222.
+       filter-lto
+
+       local myconf=(
+               $(use_enable bzip2)
+               $(use_enable nls)
+               $(use_enable smartcard scdaemon)
+               $(use_enable ssl gnutls)
+               $(use_enable test all-tests)
+               $(use_enable test tests)
+               $(use_enable tofu)
+               $(use_enable tofu keyboxd)
+               $(use_enable tofu sqlite)
+               $(usex tpm '--with-tss=intel' '--disable-tpm2d')
+               $(use smartcard && use_enable usb ccid-driver || echo 
'--disable-ccid-driver')
+               $(use_enable wks-server wks-tools)
+               $(use_with ldap)
+               $(use_with readline)
+
+               # Hardcode mailprog to /usr/libexec/sendmail even if it does 
not exist.
+               # As of GnuPG 2.3, the mailprog substitution is used for the 
binary called
+               # by wks-client & wks-server; and if it's autodetected but not 
not exist at
+               # build time, then then 'gpg-wks-client --send' functionality 
will not
+               # work. This has an unwanted side-effect in stage3 builds: 
there was a
+               # [R]DEPEND on virtual/mta, which also brought in 
virtual/logger, bloating
+               # the build where the install guide previously make the user 
chose the
+               # logger & mta early in the install.
+               --with-mailprog=/usr/libexec/sendmail
+
+               --disable-ntbtls
+               --enable-gpgsm
+               --enable-large-secmem
+
+               CC_FOR_BUILD="$(tc-getBUILD_CC)"
+               
ac_cv_path_GPGRT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpgrt-config"
+
+               $("${S}/configure" --help | grep -o -- '--without-.*-prefix')
+       )
+
+       if use prefix && use usb; then
+               # bug #649598
+               append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
+       fi
+
+       # bug #663142
+       if use user-socket; then
+               myconf+=( --enable-run-gnupg-user-socket )
+       fi
+
+       # glib fails and picks up clang's internal stdint.h causing weird errors
+       tc-is-clang && export 
gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
+
+       econf "${myconf[@]}"
+}
+
+my_src_compile() {
+       default
+
+       use doc && emake -C doc html
+}
+
+my_src_test() {
+       export TESTFLAGS="--parallel=$(makeopts_jobs)"
+
+       default
+}
+
+my_src_install() {
+       emake DESTDIR="${D}" install
+
+       use tools && dobin tools/{gpgconf,gpgsplit,gpg-check-pattern} 
tools/make-dns-cert
+
+       dosym gpg /usr/bin/gpg2
+       dosym gpgv /usr/bin/gpgv2
+       echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
+       echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
+
+       dodir /etc/env.d
+       echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> 
"${ED}"/etc/env.d/30gnupg || die
+
+       use doc && dodoc doc/gnupg.html/*
+}
+
+my_src_install_all() {
+       einstalldocs
+
+       use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
+       use doc && dodoc doc/*.png
+
+       # Dropped upstream in 
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed.
+       dodoc "${FILESDIR}"/README-systemd
+       systemd_douserunit "${GNUPG_SYSTEMD_UNITS[@]/#/${T}/}"
+}
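Review bot: The PATCHES entry for `${FILESDIR}/${PN}-2.4.5-revert-rfc4880bis.patch` carries only `# bug #926186`, yet the patch changes which preferences and feature flags freshly generated keys advertise, a user-visible behaviour that a future maintainer bumping the version needs to consciously keep or drop. Suggest a comment above the entry such as `# Keep generated keys interoperable with other OpenPGP implementations: do not advertise AEAD/v5 draft features by default, bug #926186`. The rest of the file appears to be carried over from the previous revision unchanged, as far as this hunk shows.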
