author | Alyssa Ross <hi@alyssa.is> | 2020-08-15 07:54:52 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2020-08-15 07:58:19 +0000 |
commit | 3fccb06a849783f75493592fd8a4206529362e59 (patch) | |
tree | f70d7116aa81148a7e944bf8621fccaa05bcd5f5 /overlays | |
parent | a4cec65468271e55cb603f37118b428d68aca9fd (diff) | |
patches/gnupg: allow signing with expired keys
I can't get to my certification key because of the pandemic. GnuPG doesn't have a facility for key transition. So here we are.
Diffstat (limited to 'overlays')
-rw-r--r-- | overlays/patches/default.nix | 2 | ||||
-rw-r--r-- | overlays/patches/gnupg/VERY-BAD-allow-signing-with-expired-keys.patch | 60 | ||||
-rw-r--r-- | overlays/patches/gnupg/default.nix | 8 |
3 files changed, 70 insertions, 0 deletions
diff --git a/overlays/patches/default.nix b/overlays/patches/default.nix index 4c664ba3ab11..9635f42f169f 100644 --- a/overlays/patches/default.nix +++ b/overlays/patches/default.nix @@ -7,6 +7,8 @@ self: super: { inherit (super) firefoxPackages; }; + gnupg = self.callPackage ./gnupg { inherit (super) gnupg; }; + public-inbox = self.callPackage ./public-inbox { inherit (super) public-inbox; }; diff --git a/overlays/patches/gnupg/VERY-BAD-allow-signing-with-expired-keys.patch b/overlays/patches/gnupg/VERY-BAD-allow-signing-with-expired-keys.patch new file mode 100644 index 000000000000..688c6cb6f074 --- /dev/null +++ b/overlays/patches/gnupg/VERY-BAD-allow-signing-with-expired-keys.patch 
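Review bot: Assigning the patched build to the `gnupg` attribute replaces it for everything that resolves `gnupg` through this overlay, so any package or service that uses it to check keys presumably inherits the relaxed expiry handling too, not only interactive signing. Exposing the patched derivation under a separate attribute, and using it only where signing with the expired key is needed, would leave the stock `gnupg` in place for everything else. The attribute set continues outside the hunk, so other consumers are not visible here.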
@@ -0,0 +1,60 @@
+From f6cd902764ea8d13523e98f10bb05ce32234f60d Mon Sep 17 00:00:00 2001
+From: Alyssa Ross <hi@alyssa.is>
+Date: Fri, 31 Jul 2020 06:10:00 +0000
+Subject: [PATCH] VERY BAD: allow signing with expired keys
+
+This probably has very bad side effects. Will expiration dates still
+be checked when verifying signatures, for example? Who knows‽
+---
+ g10/getkey.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/g10/getkey.c b/g10/getkey.c
+index cfcf9c96a..26f41656d 100644
+--- a/g10/getkey.c
++++ b/g10/getkey.c
+@@ -1930,9 +1930,9 @@ parse_def_secret_key (ctrl_t ctrl)
+ if (pk->has_expired)
+ {
+ if (DBG_LOOKUP)
+- log_debug ("not using %s as default key, %s",
+- keystr_from_pk (pk), "expired");
+- continue;
++ log_debug ("%s has expired, but let's ignore that",
++ keystr_from_pk (pk));
++ /* continue; */
+ }
+ if (pk_is_disabled (pk))
+ {
+@@ -3579,9 +3579,9 @@ finish_lookup (kbnode_t keyblock, unsigned int req_usage, int want_exact,
+ if (pk->has_expired)
+ {
+ if (DBG_LOOKUP)
+- log_debug ("\tsubkey has expired\n");
++ log_debug ("\tsubkey has expired but let's ignored that\n");
+ n_revoked_or_expired++;
+- continue;
++ /* continue; */
+ }
+ if (pk->timestamp > curtime && !opt.ignore_valid_from)
+ {
+@@ -3656,13 +3656,11 @@ finish_lookup (kbnode_t keyblock, unsigned int req_usage, int want_exact,
+ if (DBG_LOOKUP)
+ log_debug ("\tprimary key has been revoked\n");
+ }
+- else if (pk->has_expired)
+- {
+- if (DBG_LOOKUP)
+- log_debug ("\tprimary key has expired\n");
+- }
+ else /* Okay. */
+ {
++ if (pk->has_expired && DBG_LOOKUP)
++ log_debug ("\tprimary key has expired but let's ignore that\n");
++
+ if (DBG_LOOKUP)
+ log_debug ("\tprimary key may be used\n");
+ latest_key = keyblock;
+--
+2.27.0
+
diff --git a/overlays/patches/gnupg/default.nix b/overlays/patches/gnupg/default.nix
new file mode 100644
index 000000000000..35000019c0b0
--- /dev/null
+++ b/overlays/patches/gnupg/default.nix
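Review bot: The expiry bypass in the two `finish_lookup` hunks is unconditional, so it applies to every lookup that passes through that function, not only to the signing case in the commit title. The `parse_def_secret_key` hunk, by contrast, is confined to choosing the default secret key. `finish_lookup` already receives `req_usage`, so the skip could be kept for non-signing requests, e.g. `if (pk->has_expired && !(req_usage & PUBKEY_USAGE_SIG))` guarding the original `continue;`. Whether verification or encryption lookups reach these lines is not visible here, since both function bodies continue outside the hunks, and that should be confirmed before this build is trusted to judge other people's keys. In the subkey hunk, `n_revoked_or_expired++` still runs although the subkey is no longer skipped, and the debug string reads `let's ignored that`; both want correcting.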
@@ -0,0 +1,8 @@
+{ gnupg, ... } @ args:
+
+(gnupg.override (builtins.removeAttrs args [ "gnupg" ])).overrideAttrs (
+ { patches ? [], ... }:
+ {
+ patches = patches ++ [ ./VERY-BAD-allow-signing-with-expired-keys.patch ];
+ }
+) |
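Review bot: Nothing in this file records why the patch is applied or when it can be dropped; the reason lives only in the commit message. A comment above the `patches` line, such as `# Temporary workaround: disables key-expiry checks during key lookup. Remove once the key's expiry can be updated.`, would help keep the override from outliving its purpose.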