Merge branch 'master' into staging-next

Comments on conflicts:
- llvm: d6f401e1 vs. 469ecc70 - docs for 6 and 7 say the default is
  to build all targets, so we should be fine
- some pypi hashes: they were equivalent, just base16 vs. base32

11 files changed, 104 insertions, 41 deletions

diff --git a/pkgs/tools/security/ccid/default.nix b/pkgs/tools/security/ccid/default.nix
index 67252453743b..c5a0de0c75f6 100644
--- a/pkgs/tools/security/ccid/default.nix
+++ b/pkgs/tools/security/ccid/default.nix
@@ -25,7 +25,6 @@ stdenv.mkDerivation rec {
     description = "ccid drivers for pcsclite";
     homepage = https://ccid.apdu.fr/;
     license = licenses.gpl2Plus;
-    maintainers = with maintainers; [ wkennington ];
     platforms = platforms.linux;
   };
 }
diff --git a/pkgs/tools/security/certmgr/default.nix b/pkgs/tools/security/certmgr/default.nix
index fa3076e8b593..4a9cd4867da6 100644
--- a/pkgs/tools/security/certmgr/default.nix
+++ b/pkgs/tools/security/certmgr/default.nix
@@ -1,23 +1,43 @@
-{ stdenv, buildGoPackage, fetchFromGitHub }:
+{ stdenv, buildGoPackage, fetchFromGitHub, fetchpatch }:
 
-buildGoPackage rec {
-  version = "1.6.1";
-  name = "certmgr-${version}";
+let
+  generic = { patches ? [] }:
+    buildGoPackage rec {
+      version = "1.6.1";
+      name = "certmgr-${version}";
 
-  goPackagePath = "github.com/cloudflare/certmgr/";
+      goPackagePath = "github.com/cloudflare/certmgr/";
 
-  src = fetchFromGitHub {
-    owner = "cloudflare";
-    repo = "certmgr";
-    rev = "v${version}";
-    sha256 = "1ky2pw1wxrb2fxfygg50h0mid5l023x6xz9zj5754a023d01qqr2";
-  };
+      src = fetchFromGitHub {
+        owner = "cloudflare";
+        repo = "certmgr";
+        rev = "v${version}";
+        sha256 = "1ky2pw1wxrb2fxfygg50h0mid5l023x6xz9zj5754a023d01qqr2";
+      };
+
+      inherit patches;
+
+      meta = with stdenv.lib; {
+        homepage = https://cfssl.org/;
+        description = "Cloudflare's certificate manager";
+        platforms = platforms.linux;
+        license = licenses.bsd2;
+        maintainers = with maintainers; [ johanot srhb ];
+      };
+    };
+in
+{
+  certmgr = generic {};
 
-  meta = with stdenv.lib; {
-    homepage = https://cfssl.org/;
-    description = "Cloudflare's certificate manager";
-    platforms = platforms.linux;
-    license = licenses.bsd2;
-    maintainers = with maintainers; [ johanot srhb ];
+  certmgr-selfsigned = generic {
+    # The following patch makes it possible to use a self-signed x509 cert
+    # for the cfssl apiserver.
+    # TODO: remove patch when PR is merged.
+    patches = [
+      (fetchpatch {
+        url    = "https://github.com/cloudflare/certmgr/pull/51.patch";
+        sha256 = "0jhsw159d2mgybvbbn6pmvj4yqr5cwcal5fjwkcn9m4f4zlb6qrs";
+      })
+    ];
   };
 }
diff --git a/pkgs/tools/security/efitools/default.nix b/pkgs/tools/security/efitools/default.nix
new file mode 100644
index 000000000000..1d983cb8599a
--- /dev/null
+++ b/pkgs/tools/security/efitools/default.nix
@@ -0,0 +1,39 @@
+{ stdenv, gnu-efi, openssl, sbsigntool, perl, perlPackages,
+help2man, fetchgit }:
+stdenv.mkDerivation rec {
+  name = "efitools-${version}";
+  version = "1.9.2";
+
+  buildInputs = [
+    gnu-efi
+    openssl
+    sbsigntool
+  ];
+
+  nativeBuildInputs = [
+    perl
+    perlPackages.FileSlurp
+    help2man
+  ];
+
+  src = fetchgit {
+    url = "git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git";
+    rev = "v${version}";
+    sha256 = "0jabgl2pxvfl780yvghq131ylpf82k7banjz0ksjhlm66ik8gb1i";
+  };
+
+  postPatch = ''
+    sed -i -e 's#/usr/include/efi#${gnu-efi}/include/efi/#g' Make.rules
+    sed -i -e 's#/usr/lib64/gnuefi#${gnu-efi}/lib/#g' Make.rules
+    sed -i -e 's#$(DESTDIR)/usr#$(out)#g' Make.rules
+    patchShebangs .
+  '';
+
+  meta = with stdenv.lib; {
+    description = "Tools for manipulating UEFI secure boot platforms";
+    homepage = "https://git.kernel.org/cgit/linux/kernel/git/jejb/efitools.git";
+    license = licenses.gpl2;
+    maintainers = [ maintainers.grahamc ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/tools/security/gnupg/22.nix b/pkgs/tools/security/gnupg/22.nix
index b6de575edb90..ad4eae9578cb 100644
--- a/pkgs/tools/security/gnupg/22.nix
+++ b/pkgs/tools/security/gnupg/22.nix
@@ -64,7 +64,7 @@ stdenv.mkDerivation rec {
       frontend applications and libraries are available.  Version 2 of GnuPG
       also provides support for S/MIME.
     '';
-    maintainers = with maintainers; [ wkennington peti fpletz vrthra ];
+    maintainers = with maintainers; [ peti fpletz vrthra ];
     platforms = platforms.all;
   };
 }
diff --git a/pkgs/tools/security/keybase/default.nix b/pkgs/tools/security/keybase/default.nix
index b27b4ac24c0a..ae726544453a 100644
--- a/pkgs/tools/security/keybase/default.nix
+++ b/pkgs/tools/security/keybase/default.nix
@@ -1,22 +1,20 @@
-{ stdenv, lib, buildGoPackage, fetchFromGitHub, cf-private
+{ stdenv, lib, buildGoPackage, fetchurl, cf-private
 , AVFoundation, AudioToolbox, ImageIO, CoreMedia
 , Foundation, CoreGraphics, MediaToolbox
 }:
 
 buildGoPackage rec {
   name = "keybase-${version}";
-  version = "2.11.0";
+  version = "2.13.1";
 
   goPackagePath = "github.com/keybase/client";
   subPackages = [ "go/keybase" ];
 
   dontRenameImports = true;
 
-  src = fetchFromGitHub {
-    owner  = "keybase";
-    repo   = "client";
-    rev    = "v${version}";
-    sha256 = "1mj78cs6j0f1f86c71j4gdphas75j3rfaqygpy87dc40kc2yj0gd";
+  src = fetchurl {
+    url = "https://github.com/keybase/client/archive/v${version}.tar.gz";
+    sha256 = "0avq87y7cs3jipl444ssz1zd5jygpks20hls0fkqxxaikkpdsy4v";
   };
 
   buildInputs = lib.optionals stdenv.isDarwin [
diff --git a/pkgs/tools/security/keybase/gui.nix b/pkgs/tools/security/keybase/gui.nix
index a8c2d5ea4837..bd8166b214dc 100644
--- a/pkgs/tools/security/keybase/gui.nix
+++ b/pkgs/tools/security/keybase/gui.nix
@@ -3,16 +3,16 @@
 , libnotify, nspr, nss, pango, systemd, xorg, autoPatchelfHook, wrapGAppsHook }:
 
 let
-  versionSuffix = "20190104191034.69b3ee25b7";
+  versionSuffix = "20190115203650.eec94506e4";
 in
 
 stdenv.mkDerivation rec {
   name = "keybase-gui-${version}";
-  version = "2.13.0"; # Find latest version from https://prerelease.keybase.io/deb/dists/stable/main/binary-amd64/Packages
+  version = "2.13.1"; # Find latest version from https://prerelease.keybase.io/deb/dists/stable/main/binary-amd64/Packages
 
   src = fetchurl {
     url = "https://s3.amazonaws.com/prerelease.keybase.io/linux_binaries/deb/keybase_${version + "-" + versionSuffix}_amd64.deb";
-    sha256 = "5b188185dc6d594cd18876a2c955bb6481598c206f048cfd80ac2e7e8022241e";
+    sha256 = "01663jknr8s4sp51mclw9llhx07ww6yh22apawxikvpwmw9yg2qr";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/tools/security/monkeysphere/default.nix b/pkgs/tools/security/monkeysphere/default.nix
index 114ba57e1700..af507dbf993b 100644
--- a/pkgs/tools/security/monkeysphere/default.nix
+++ b/pkgs/tools/security/monkeysphere/default.nix
@@ -14,14 +14,14 @@ let
   });
 in stdenv.mkDerivation rec {
   name = "monkeysphere-${version}";
-  version = "0.42";
+  version = "0.43";
 
   # The patched OpenSSH binary MUST NOT be used (except in the check phase):
   disallowedRequisites = [ opensshUnsafe ];
 
   src = fetchurl {
     url = "http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_${version}.orig.tar.gz";
-    sha256 = "1haqgjxm8v2xnhc652lx79p2cqggb9gxgaf19w9l9akar2qmdjf1";
+    sha256 = "18i7qpvp5qb7mmd0z5rqai550rya9l3nbsq2hamwkl3smqsjdqc0";
   };
 
   patches = [ ./monkeysphere.patch ];
diff --git a/pkgs/tools/security/monkeysphere/monkeysphere.patch b/pkgs/tools/security/monkeysphere/monkeysphere.patch
index fdf4b9335b19..0a05635d6a80 100644
--- a/pkgs/tools/security/monkeysphere/monkeysphere.patch
+++ b/pkgs/tools/security/monkeysphere/monkeysphere.patch
@@ -28,5 +28,17 @@ diff --git a/src/share/keytrans b/src/share/keytrans
  
  # keytrans: this is an RSA key translation utility; it is capable of
  # transforming RSA keys (both public keys and secret keys) between
+diff --git a/tests/basic b/tests/basic
+--- a/tests/basic
++++ b/tests/basic
+@@ -343,7 +340,7 @@ if [ "$MONKEYSPHERE_TEST_USE_ED25519" = true ]; then
+     echo "### generating ed25519 key for testuser..."
+     # from the imported secret key
+     USER_FPR=8A4B353B4CBA6F30625498BAE00B5EEEBA79B482
+-    gpg --quick-add-key "$USER_FPR" ed25519 auth 2d
++    gpg --no-tty --quick-add-key "$USER_FPR" ed25519 auth 2d
+ else
+     echo "### generating standard monkeysphere key for testuser..."
+     monkeysphere gen-subkey
 -- 
 2.16.3
diff --git a/pkgs/tools/security/opensc/default.nix b/pkgs/tools/security/opensc/default.nix
index c23827842f23..7d709712fc80 100644
--- a/pkgs/tools/security/opensc/default.nix
+++ b/pkgs/tools/security/opensc/default.nix
@@ -44,7 +44,6 @@ stdenv.mkDerivation rec {
     description = "Set of libraries and utilities to access smart cards";
     homepage = https://github.com/OpenSC/OpenSC/wiki;
     license = licenses.lgpl21Plus;
-    maintainers = with maintainers; [ wkennington ];
     platforms = platforms.all;
   };
 }
diff --git a/pkgs/tools/security/pcsclite/default.nix b/pkgs/tools/security/pcsclite/default.nix
index 95f9bf16ebac..66a5615ee135 100644
--- a/pkgs/tools/security/pcsclite/default.nix
+++ b/pkgs/tools/security/pcsclite/default.nix
@@ -43,7 +43,6 @@ stdenv.mkDerivation rec {
     description = "Middleware to access a smart card using SCard API (PC/SC)";
     homepage = https://pcsclite.apdu.fr/;
     license = licenses.bsd3;
-    maintainers = with maintainers; [ wkennington ];
     platforms = with platforms; unix;
   };
 }
diff --git a/pkgs/tools/security/signing-party/default.nix b/pkgs/tools/security/signing-party/default.nix
index 996b6fa6d2c2..287ed1edcdae 100644
--- a/pkgs/tools/security/signing-party/default.nix
+++ b/pkgs/tools/security/signing-party/default.nix
@@ -1,12 +1,11 @@
 { stdenv, fetchurl, autoconf, automake, makeWrapper
-, python, perl, perlPackages
+, python3, perl, perlPackages
 , libmd, gnupg1, which, getopt, libpaper, nettools, qprint
 , sendmailPath ? "/run/wrappers/bin/sendmail" }:
 
 let
   # All runtime dependencies from the CPAN graph:
   # https://widgets.stratopan.com/wheel?q=GnuPG-Interface-0.52&runtime=1&fs=1
-  # TODO: XSLoader seems optional
   GnuPGInterfaceRuntimeDependencies = with perlPackages; [
     strictures ClassMethodModifiers DataPerl DevelGlobalDestruction ExporterTiny
     GnuPGInterface ListMoreUtils ModuleRuntime Moo MooXHandlesVia MooXlate
@@ -14,16 +13,14 @@ let
   ];
 in stdenv.mkDerivation rec {
   pname = "signing-party";
-  version = "2.7";
+  version = "2.8";
   name = "${pname}-${version}";
 
   src = fetchurl {
     url = "mirror://debian/pool/main/s/${pname}/${pname}_${version}.orig.tar.gz";
-    sha256 = "0znklgvxn7k7p6q7r8chcj86zmzildjamr3qlqfxkj5m7yziqr21";
+    sha256 = "1dfry04gsa8kv7a2kr4p7a4b616sql41hsyff4pmfvrhiv2fz39z";
   };
 
-  sourceRoot = ".";
-
   # TODO: Get this patch upstream...
   patches = [ ./gpgwrap_makefile.patch ];
 
@@ -45,7 +42,7 @@ in stdenv.mkDerivation rec {
   # Perl is required for it's pod2man.
   # Python and Perl are required for patching the script interpreter paths.
   nativeBuildInputs = [ autoconf automake makeWrapper ];
-  buildInputs = [ python perl perlPackages.GnuPGInterface libmd gnupg1 ];
+  buildInputs = [ python3 perl perlPackages.GnuPGInterface libmd gnupg1 ];
 
   postInstall = ''
     # Install all tools which aren't handled by 'make install'.
@@ -193,7 +190,7 @@ in stdenv.mkDerivation rec {
   '';
 
   meta = with stdenv.lib; {
-    homepage = https://pgp-tools.alioth.debian.org/;
+    homepage = https://salsa.debian.org/debian/signing-party;
     description = "A collection of several projects relating to OpenPGP";
     longDescription = ''
       This is a collection of several projects relating to OpenPGP.