authorAlyssa Ross <hi@alyssa.is>2020-08-15 07:54:52 +0000
committerAlyssa Ross <hi@alyssa.is>2020-08-15 07:58:19 +0000
commit3fccb06a849783f75493592fd8a4206529362e59 (patch)
treef70d7116aa81148a7e944bf8621fccaa05bcd5f5 /overlays
parenta4cec65468271e55cb603f37118b428d68aca9fd (diff)
patches/gnupg: allow signing with expired keys
I can't get to my certification key because of the pandemic.  GnuPG
doesn't have a facility for key transition.  So here we are.
Diffstat (limited to 'overlays')
-rw-r--r--overlays/patches/default.nix2
-rw-r--r--overlays/patches/gnupg/VERY-BAD-allow-signing-with-expired-keys.patch60
-rw-r--r--overlays/patches/gnupg/default.nix8
3 files changed, 70 insertions, 0 deletions
diff --git a/overlays/patches/default.nix b/overlays/patches/default.nix
index 4c664ba3ab11..9635f42f169f 100644
--- a/overlays/patches/default.nix
+++ b/overlays/patches/default.nix
@@ -7,6 +7,8 @@ self: super: {
     inherit (super) firefoxPackages;
   };
 
+  gnupg = self.callPackage ./gnupg { inherit (super) gnupg; };
+
   public-inbox = self.callPackage ./public-inbox {
     inherit (super) public-inbox;
   };
diff --git a/overlays/patches/gnupg/VERY-BAD-allow-signing-with-expired-keys.patch b/overlays/patches/gnupg/VERY-BAD-allow-signing-with-expired-keys.patch
new file mode 100644
index 000000000000..688c6cb6f074
--- /dev/null
+++ b/overlays/patches/gnupg/VERY-BAD-allow-signing-with-expired-keys.patch
@@ -0,0 +1,60 @@
+From f6cd902764ea8d13523e98f10bb05ce32234f60d Mon Sep 17 00:00:00 2001
+From: Alyssa Ross <hi@alyssa.is>
+Date: Fri, 31 Jul 2020 06:10:00 +0000
+Subject: [PATCH] VERY BAD: allow signing with expired keys
+
+This probably has very bad side effects.  Will expiration dates still
+be checked when verifying signatures, for example?  Who knows‽
+---
+ g10/getkey.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/g10/getkey.c b/g10/getkey.c
+index cfcf9c96a..26f41656d 100644
+--- a/g10/getkey.c
++++ b/g10/getkey.c
+@@ -1930,9 +1930,9 @@ parse_def_secret_key (ctrl_t ctrl)
+           if (pk->has_expired)
+             {
+               if (DBG_LOOKUP)
+-                log_debug ("not using %s as default key, %s",
+-                           keystr_from_pk (pk), "expired");
+-              continue;
++                log_debug ("%s has expired, but let's ignore that",
++                           keystr_from_pk (pk));
++              /* continue; */
+             }
+           if (pk_is_disabled (pk))
+             {
+@@ -3579,9 +3579,9 @@ finish_lookup (kbnode_t keyblock, unsigned int req_usage, int want_exact,
+ 	  if (pk->has_expired)
+ 	    {
+ 	      if (DBG_LOOKUP)
+-		log_debug ("\tsubkey has expired\n");
++	  	log_debug ("\tsubkey has expired but let's ignored that\n");
+               n_revoked_or_expired++;
+-	      continue;
++	      /* continue; */
+ 	    }
+ 	  if (pk->timestamp > curtime && !opt.ignore_valid_from)
+ 	    {
+@@ -3656,13 +3656,11 @@ finish_lookup (kbnode_t keyblock, unsigned int req_usage, int want_exact,
+ 	  if (DBG_LOOKUP)
+ 	    log_debug ("\tprimary key has been revoked\n");
+ 	}
+-      else if (pk->has_expired)
+-	{
+-	  if (DBG_LOOKUP)
+-	    log_debug ("\tprimary key has expired\n");
+-	}
+       else /* Okay.  */
+ 	{
++	  if (pk->has_expired && DBG_LOOKUP)
++	    log_debug ("\tprimary key has expired but let's ignore that\n");
++
+ 	  if (DBG_LOOKUP)
+ 	    log_debug ("\tprimary key may be used\n");
+ 	  latest_key = keyblock;
+-- 
+2.27.0
+
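Review bot: The commented-out `continue` in the first finish_lookup hunk makes expired subkeys eligible for every lookup that reaches finish_lookup, not only for signing with the author's own secret key; the `req_usage` parameter visible in the hunk header suggests public-key selection for correspondents shares this path, so the patch presumably also lets gpg encrypt to a recipient's expired subkey, which is a wider relaxation than the commit title states. On that same path `n_revoked_or_expired++` is still executed even though the key is now used, so the counter no longer reflects keys that were actually skipped; either drop the increment or restore the skip. A narrower change that meets the stated goal would keep only the parse_def_secret_key hunk (the default secret key choice) and leave both finish_lookup hunks out, so recipient keys keep their expiry handling. The new debug string also has a typo: `"\tsubkey has expired but let's ignored that\n"` should read `"\tsubkey has expired but let's ignore that\n"`. All three modified functions start and end outside the quoted hunks.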
diff --git a/overlays/patches/gnupg/default.nix b/overlays/patches/gnupg/default.nix
new file mode 100644
index 000000000000..35000019c0b0
--- /dev/null
+++ b/overlays/patches/gnupg/default.nix
@@ -0,0 +1,8 @@
+{ gnupg, ... } @ args:
+
+(gnupg.override (builtins.removeAttrs args [ "gnupg" ])).overrideAttrs (
+  { patches ? [], ... }:
+  {
+    patches = patches ++ [ ./VERY-BAD-allow-signing-with-expired-keys.patch ];
+  }
+)