diff options
Diffstat (limited to 'nixpkgs/pkgs/tools/security/gnupg')
-rw-r--r-- | nixpkgs/pkgs/tools/security/gnupg/0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch | 34 | ||||
-rw-r--r-- | nixpkgs/pkgs/tools/security/gnupg/1.nix | 2 | ||||
-rw-r--r-- | nixpkgs/pkgs/tools/security/gnupg/22-allow-import-of-previously-known-keys-even-without-UI.patch (renamed from nixpkgs/pkgs/tools/security/gnupg/allow-import-of-previously-known-keys-even-without-UI.patch) | 26 | ||||
-rw-r--r-- | nixpkgs/pkgs/tools/security/gnupg/22.nix | 105 | ||||
-rw-r--r-- | nixpkgs/pkgs/tools/security/gnupg/24-allow-import-of-previously-known-keys-even-without-UI.patch | 107 | ||||
-rw-r--r-- | nixpkgs/pkgs/tools/security/gnupg/24.nix (renamed from nixpkgs/pkgs/tools/security/gnupg/23.nix) | 52 |
6 files changed, 259 insertions, 67 deletions
diff --git a/nixpkgs/pkgs/tools/security/gnupg/0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch b/nixpkgs/pkgs/tools/security/gnupg/0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch deleted file mode 100644 index 061fb0e8de9c..000000000000 --- a/nixpkgs/pkgs/tools/security/gnupg/0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 1c9cc97e9d47d73763810dcb4a36b6cdf31a2254 Mon Sep 17 00:00:00 2001 -From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> -Date: Sun, 30 Jun 2019 11:54:35 -0400 -Subject: [PATCH] dirmngr: Only use SKS pool CA for SKS pool - -* dirmngr/http.c (http_session_new): when checking whether the -keyserver is the HKPS pool, check specifically against the pool name, -as ./configure might have been used to select a different default -keyserver. It makes no sense to apply Kristian's certificate -authority to anything other than the literal host -hkps.pool.sks-keyservers.net. - -Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> -GnuPG-Bug-Id: 4593 ---- - dirmngr/http.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/dirmngr/http.c b/dirmngr/http.c -index 384f2569d..8e5d53939 100644 ---- a/dirmngr/http.c -+++ b/dirmngr/http.c -@@ -767,7 +767,7 @@ http_session_new (http_session_t *r_session, - - is_hkps_pool = (intended_hostname - && !ascii_strcasecmp (intended_hostname, -- get_default_keyserver (1))); -+ "hkps.pool.sks-keyservers.net")); - - /* If the user has not specified a CA list, and they are looking - * for the hkps pool from sks-keyservers.net, then default to --- -2.22.0 - diff --git a/nixpkgs/pkgs/tools/security/gnupg/1.nix b/nixpkgs/pkgs/tools/security/gnupg/1.nix index 5fa9bc0beddb..390665fe44fd 100644 --- a/nixpkgs/pkgs/tools/security/gnupg/1.nix +++ b/nixpkgs/pkgs/tools/security/gnupg/1.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { # gcc-10. Otherwise build fails as: # ld: ../util/libutil.a(estream-printf.o):/build/gnupg-1.4.23/util/../include/memory.h:100: multiple definition of # `memory_debug_mode'; gpgsplit.o:/build/gnupg-1.4.23/tools/../include/memory.h:100: first defined here - NIX_CFLAGS_COMPILE = "-fcommon"; + env.NIX_CFLAGS_COMPILE = "-fcommon"; doCheck = true; diff --git a/nixpkgs/pkgs/tools/security/gnupg/allow-import-of-previously-known-keys-even-without-UI.patch b/nixpkgs/pkgs/tools/security/gnupg/22-allow-import-of-previously-known-keys-even-without-UI.patch index 98dda54fc7fa..e8fbe1688402 100644 --- a/nixpkgs/pkgs/tools/security/gnupg/allow-import-of-previously-known-keys-even-without-UI.patch +++ b/nixpkgs/pkgs/tools/security/gnupg/22-allow-import-of-previously-known-keys-even-without-UI.patch @@ -16,11 +16,12 @@ Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> g10/import.c | 44 +++++++++++--------------------------------- 1 file changed, 11 insertions(+), 33 deletions(-) + diff --git a/g10/import.c b/g10/import.c -index 5d3162c..f9acf95 100644 +index cd3363fc7..8f10771db 100644 --- a/g10/import.c +++ b/g10/import.c -@@ -1788,7 +1788,6 @@ import_one_real (ctrl_t ctrl, +@@ -1858,7 +1858,6 @@ import_one_real (ctrl_t ctrl, size_t an; char pkstrbuf[PUBKEY_STRING_SIZE]; int merge_keys_done = 0; @@ -28,12 +29,11 @@ index 5d3162c..f9acf95 100644 KEYDB_HANDLE hd = NULL; if (r_valid) -@@ -1825,14 +1824,6 @@ import_one_real (ctrl_t ctrl, - log_printf ("\n"); +@@ -1896,13 +1895,6 @@ import_one_real (ctrl_t ctrl, } -- -- if (!uidnode) + +- if (!uidnode ) - { - if (!silent) - log_error( _("key %s: no user ID\n"), keystr_from_pk(pk)); @@ -43,17 +43,17 @@ index 5d3162c..f9acf95 100644 if (screener && screener (keyblock, screener_arg)) { log_error (_("key %s: %s\n"), keystr_from_pk (pk), -@@ -1907,18 +1898,10 @@ import_one_real (ctrl_t ctrl, +@@ -1977,18 +1969,10 @@ import_one_real (ctrl_t ctrl, } } - /* Delete invalid parts and bail out if there are no user ids left. */ -- if (!delete_inv_parts (ctrl, keyblock, keyid, options)) +- if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs)) - { - if (!silent) - { -- log_error ( _("key %s: no valid user IDs\n"), keystr_from_pk(pk)); -- if (!opt.quiet) +- log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk)); +- if (!opt.quiet ) - log_info(_("this may be caused by a missing self-signature\n")); - } - stats->no_user_id++; @@ -62,11 +62,11 @@ index 5d3162c..f9acf95 100644 + /* Delete invalid parts, and note if we have any valid ones left. + * We will later abort import if this key is new but contains + * no valid uids. */ -+ delete_inv_parts (ctrl, keyblock, keyid, options); ++ delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs); /* Get rid of deleted nodes. */ commit_kbnode (&keyblock); -@@ -1927,24 +1911,11 @@ import_one_real (ctrl_t ctrl, +@@ -1998,24 +1982,11 @@ import_one_real (ctrl_t ctrl, { apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid); commit_kbnode (&keyblock); @@ -91,7 +91,7 @@ index 5d3162c..f9acf95 100644 } /* The keyblock is valid and ready for real import. */ -@@ -2002,6 +1973,13 @@ import_one_real (ctrl_t ctrl, +@@ -2073,6 +2044,13 @@ import_one_real (ctrl_t ctrl, err = 0; stats->skipped_new_keys++; } diff --git a/nixpkgs/pkgs/tools/security/gnupg/22.nix b/nixpkgs/pkgs/tools/security/gnupg/22.nix new file mode 100644 index 000000000000..6c2ffe123548 --- /dev/null +++ b/nixpkgs/pkgs/tools/security/gnupg/22.nix @@ -0,0 +1,105 @@ +{ lib, stdenv, fetchurl, buildPackages +, pkg-config, texinfo +, gettext, libassuan, libgcrypt, libgpg-error, libiconv, libksba, npth +, adns, bzip2, gnutls, libusb1, openldap, readline, sqlite, zlib +, enableMinimal ? false +, withPcsc ? !enableMinimal, pcsclite +, guiSupport ? stdenv.isDarwin, pinentry +}: + +assert guiSupport -> enableMinimal == false; + +stdenv.mkDerivation rec { + pname = "gnupg"; + version = "2.2.41"; + + src = fetchurl { + url = "mirror://gnupg/gnupg/${pname}-${version}.tar.bz2"; + hash = "sha256-E/MpEAel6FRvy3vAxmEM5EqqmzmVBZ1PgUW6Cf1b4+E="; + }; + + depsBuildBuild = [ buildPackages.stdenv.cc ]; + nativeBuildInputs = [ pkg-config texinfo ]; + buildInputs = [ + gettext libassuan libgcrypt libgpg-error libiconv libksba npth + ] ++ lib.optionals (!enableMinimal) [ + adns bzip2 gnutls libusb1 openldap readline sqlite zlib + ]; + + patches = [ + ./fix-libusb-include-path.patch + ./tests-add-test-cases-for-import-without-uid.patch + ./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch + ./22-allow-import-of-previously-known-keys-even-without-UI.patch + ]; + + postPatch = '' + sed -i 's,hkps://hkps.pool.sks-keyservers.net,hkps://keys.openpgp.org,g' configure doc/dirmngr.texi doc/gnupg.info-1 + # Fix broken SOURCE_DATE_EPOCH usage - remove on the next upstream update + sed -i 's/$SOURCE_DATE_EPOCH/''${SOURCE_DATE_EPOCH}/' doc/Makefile.am + sed -i 's/$SOURCE_DATE_EPOCH/''${SOURCE_DATE_EPOCH}/' doc/Makefile.in + '' + lib.optionalString (stdenv.isLinux && withPcsc) '' + sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c + ''; + + configureFlags = [ + "--with-libgpg-error-prefix=${libgpg-error.dev}" + "--with-libgcrypt-prefix=${libgcrypt.dev}" + "--with-libassuan-prefix=${libassuan.dev}" + "--with-ksba-prefix=${libksba.dev}" + "--with-npth-prefix=${npth}" + ] + ++ lib.optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentry.binaryPath or "bin/pinentry"}" + ++ lib.optional stdenv.isDarwin "--disable-ccid-driver"; + + postInstall = if enableMinimal + then '' + rm -r $out/{libexec,sbin,share} + for f in $(find $out/bin -type f -not -name gpg) + do + rm $f + done + '' else '' + mkdir -p $out/lib/systemd/user + for f in doc/examples/systemd-user/*.{service,socket} ; do + substitute $f $out/lib/systemd/user/$(basename $f) \ + --replace /usr/bin $out/bin + done + + # add gpg2 symlink to make sure git does not break when signing commits + ln -s $out/bin/gpg $out/bin/gpg2 + + # Make libexec tools available in PATH + for f in $out/libexec/; do + if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi + ln -s $f $out/bin/$(basename $f) + done + + ln -s -t $out/bin $out/libexec/* + ''; + + enableParallelBuilding = true; + + passthru.tests.connman = lib.nixosTests.gnupg; + + meta = with lib; { + homepage = "https://gnupg.org"; + changelog = "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=${pname}.git;a=blob;f=NEWS;hb=refs/tags/${pname}-${version}"; + description = "LTS release of the GNU Privacy Guard, a GPL OpenPGP implementation"; + license = licenses.gpl3Plus; + longDescription = '' + The GNU Privacy Guard is the GNU project's complete and free + implementation of the OpenPGP standard as defined by RFC4880. GnuPG + "modern" (2.1) is the latest development with a lot of new features. + GnuPG allows to encrypt and sign your data and communication, features a + versatile key management system as well as access modules for all kind of + public key directories. GnuPG, also known as GPG, is a command line tool + with features for easy integration with other applications. A wealth of + frontend applications and libraries are available. Version 2 of GnuPG + also provides support for S/MIME. + ''; + maintainers = with maintainers; [ fpletz vrthra ]; + platforms = platforms.all; + mainProgram = "gpg"; + }; +} diff --git a/nixpkgs/pkgs/tools/security/gnupg/24-allow-import-of-previously-known-keys-even-without-UI.patch b/nixpkgs/pkgs/tools/security/gnupg/24-allow-import-of-previously-known-keys-even-without-UI.patch new file mode 100644 index 000000000000..8d4f703a3dd1 --- /dev/null +++ b/nixpkgs/pkgs/tools/security/gnupg/24-allow-import-of-previously-known-keys-even-without-UI.patch @@ -0,0 +1,107 @@ +From: Vincent Breitmoser <look@my.amazin.horse> +Date: Thu, 13 Jun 2019 21:27:42 +0200 +Subject: gpg: allow import of previously known keys, even without UIDs + +* g10/import.c (import_one): Accept an incoming OpenPGP certificate that +has no user id, as long as we already have a local variant of the cert +that matches the primary key. + +-- + +This fixes two of the three broken tests in import-incomplete.scm. + +GnuPG-Bug-id: 4393 +Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +--- + g10/import.c | 44 +++++++++++--------------------------------- + 1 file changed, 11 insertions(+), 33 deletions(-) + + +diff --git a/g10/import.c b/g10/import.c +index 9fab46ca6..61896a6bf 100644 +--- a/g10/import.c ++++ b/g10/import.c +@@ -1954,7 +1954,6 @@ import_one_real (ctrl_t ctrl, + size_t an; + char pkstrbuf[PUBKEY_STRING_SIZE]; + int merge_keys_done = 0; +- int any_filter = 0; + KEYDB_HANDLE hd = NULL; + + if (r_valid) +@@ -1992,13 +1991,6 @@ import_one_real (ctrl_t ctrl, + } + + +- if (!uidnode) +- { +- if (!silent) +- log_error( _("key %s: no user ID\n"), keystr_from_pk(pk)); +- return 0; +- } +- + if (screener && screener (keyblock, screener_arg)) + { + log_error (_("key %s: %s\n"), keystr_from_pk (pk), +@@ -2078,18 +2070,10 @@ import_one_real (ctrl_t ctrl, + } + } + +- /* Delete invalid parts and bail out if there are no user ids left. */ +- if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs)) +- { +- if (!silent) +- { +- log_error ( _("key %s: no valid user IDs\n"), keystr_from_pk(pk)); +- if (!opt.quiet) +- log_info(_("this may be caused by a missing self-signature\n")); +- } +- stats->no_user_id++; +- return 0; +- } ++ /* Delete invalid parts, and note if we have any valid ones left. ++ * We will later abort import if this key is new but contains ++ * no valid uids. */ ++ delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs); + + /* Get rid of deleted nodes. */ + commit_kbnode (&keyblock); +@@ -2099,24 +2083,11 @@ import_one_real (ctrl_t ctrl, + { + apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid); + commit_kbnode (&keyblock); +- any_filter = 1; + } + if (import_filter.drop_sig) + { + apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig); + commit_kbnode (&keyblock); +- any_filter = 1; +- } +- +- /* If we ran any filter we need to check that at least one user id +- * is left in the keyring. Note that we do not use log_error in +- * this case. */ +- if (any_filter && !any_uid_left (keyblock)) +- { +- if (!opt.quiet ) +- log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk)); +- stats->no_user_id++; +- return 0; + } + + /* The keyblock is valid and ready for real import. */ +@@ -2174,6 +2145,13 @@ import_one_real (ctrl_t ctrl, + err = 0; + stats->skipped_new_keys++; + } ++ else if (err && !any_uid_left (keyblock)) ++ { ++ if (!silent) ++ log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid)); ++ err = 0; ++ stats->no_user_id++; ++ } + else if (err) /* Insert this key. */ + { + /* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY. */ diff --git a/nixpkgs/pkgs/tools/security/gnupg/23.nix b/nixpkgs/pkgs/tools/security/gnupg/24.nix index b93e533e6fd8..c8e313cd9cf5 100644 --- a/nixpkgs/pkgs/tools/security/gnupg/23.nix +++ b/nixpkgs/pkgs/tools/security/gnupg/24.nix @@ -1,53 +1,59 @@ -{ fetchurl, fetchpatch, lib, stdenv, pkg-config, libgcrypt, libassuan, libksba -, libgpg-error, libiconv, npth, gettext, texinfo, buildPackages -, guiSupport ? stdenv.isDarwin, enableMinimal ? false -, adns, bzip2, gnutls, libusb1, openldap -, tpm2-tss, pcsclite, pinentry, readline, sqlite, zlib +{ lib, stdenv, fetchurl, buildPackages +, pkg-config, texinfo +, gettext, libassuan, libgcrypt, libgpg-error, libiconv, libksba, npth +, adns, bzip2, gnutls, libusb1, openldap, readline, sqlite, zlib +, enableMinimal ? false +, withPcsc ? !enableMinimal, pcsclite +, guiSupport ? stdenv.isDarwin, pinentry +, withTpm2Tss ? !stdenv.isDarwin && !enableMinimal, tpm2-tss }: assert guiSupport -> enableMinimal == false; stdenv.mkDerivation rec { pname = "gnupg"; - version = "2.3.7"; + version = "2.4.0"; src = fetchurl { url = "mirror://gnupg/gnupg/${pname}-${version}.tar.bz2"; - sha256 = "sha256-7hY6X7nsmf/BsY5l+u+NCGgAxXE9FaZyq1fTeZ2oNmk="; + hash = "sha256-HXkVjdAdmSQx3S4/rLif2slxJ/iXhOosthDGAPsMFIM="; }; depsBuildBuild = [ buildPackages.stdenv.cc ]; nativeBuildInputs = [ pkg-config texinfo ]; buildInputs = [ - libgcrypt libassuan libksba libiconv npth gettext - ] ++ lib.optionals (!enableMinimal) ([ - readline libusb1 gnutls adns openldap zlib bzip2 sqlite - ] ++ lib.optional (!stdenv.isDarwin) tpm2-tss); + gettext libassuan libgcrypt libgpg-error libiconv libksba npth + ] ++ lib.optionals (!enableMinimal) [ + adns bzip2 gnutls libusb1 openldap readline sqlite zlib + ] ++ lib.optionals withTpm2Tss [ tpm2-tss ]; patches = [ ./fix-libusb-include-path.patch ./tests-add-test-cases-for-import-without-uid.patch - ./allow-import-of-previously-known-keys-even-without-UI.patch ./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch - + ./24-allow-import-of-previously-known-keys-even-without-UI.patch # Patch for DoS vuln from https://seclists.org/oss-sec/2022/q3/27 ./v3-0001-Disallow-compressed-signatures-and-certificates.patch ]; + postPatch = '' sed -i 's,\(hkps\|https\)://keyserver.ubuntu.com,hkps://keys.openpgp.org,g' configure configure.ac doc/dirmngr.texi doc/gnupg.info-1 - '' + lib.optionalString (stdenv.isLinux && (!enableMinimal)) '' - sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c - ''; + '' + lib.optionalString (stdenv.isLinux && withPcsc) '' + sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c + ''; - pinentryBinaryPath = pinentry.binaryPath or "bin/pinentry"; configureFlags = [ + "--sysconfdir=/etc" "--with-libgpg-error-prefix=${libgpg-error.dev}" "--with-libgcrypt-prefix=${libgcrypt.dev}" "--with-libassuan-prefix=${libassuan.dev}" "--with-ksba-prefix=${libksba.dev}" "--with-npth-prefix=${npth}" - ] ++ lib.optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentryBinaryPath}" - ++ lib.optional ((!stdenv.isDarwin) && (!enableMinimal)) "--with-tss=intel"; + ] + ++ lib.optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentry.binaryPath or "bin/pinentry"}" + ++ lib.optional withTpm2Tss "--with-tss=intel" + ++ lib.optional stdenv.isDarwin "--disable-ccid-driver"; + postInstall = if enableMinimal then '' rm -r $out/{libexec,sbin,share} @@ -70,12 +76,20 @@ stdenv.mkDerivation rec { if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi ln -s $f $out/bin/$(basename $f) done + + for f in $out/libexec/; do + if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi + ln -s $f $out/bin/$(basename $f) + done ''; enableParallelBuilding = true; + passthru.tests.connman = lib.nixosTests.gnupg; + meta = with lib; { homepage = "https://gnupg.org"; + changelog = "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=${pname}.git;a=blob;f=NEWS;hb=refs/tags/${pname}-${version}"; description = "Modern release of the GNU Privacy Guard, a GPL OpenPGP implementation"; license = licenses.gpl3Plus; longDescription = '' |