From b084c6a0fab7f32c904c5c8e8db8dddcefbe507f Mon Sep 17 00:00:00 2001 From: Alyssa Ross Date: Thu, 22 Feb 2024 19:42:24 +0100 Subject: gnupg: remove ignore expiry patch There's now a flag to do this. --- overlays/patches/default.nix | 2 - .../VERY-BAD-allow-signing-with-expired-keys.patch | 78 ---------------------- overlays/patches/gnupg/default.nix | 8 --- 3 files changed, 88 deletions(-) delete mode 100644 overlays/patches/gnupg/VERY-BAD-allow-signing-with-expired-keys.patch delete mode 100644 overlays/patches/gnupg/default.nix (limited to 'overlays') diff --git a/overlays/patches/default.nix b/overlays/patches/default.nix index 8770349330e1..b57a87683f87 100644 --- a/overlays/patches/default.nix +++ b/overlays/patches/default.nix @@ -8,8 +8,6 @@ self: super: { llvmPackages = self.llvmPackages_latest; }; - gnupg = self.callPackage ./gnupg { inherit (super) gnupg; }; - mailmanPackages = super.mailmanPackages.extend (self: super: { web = self.callPackage mailman/web.nix { inherit (super) web; }; }); diff --git a/overlays/patches/gnupg/VERY-BAD-allow-signing-with-expired-keys.patch b/overlays/patches/gnupg/VERY-BAD-allow-signing-with-expired-keys.patch deleted file mode 100644 index 6c4187d8620e..000000000000 --- a/overlays/patches/gnupg/VERY-BAD-allow-signing-with-expired-keys.patch +++ /dev/null 
@@ -1,78 +0,0 @@
-From 76d4bdc4a906ac54013fae1bddaae10a13b059cc Mon Sep 17 00:00:00 2001
-From: Alyssa Ross
-Date: Fri, 31 Jul 2020 06:10:00 +0000
-Subject: [PATCH] VERY BAD: allow signing with expired keys
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This probably has very bad side effects. Will expiration dates still
-be checked when verifying signatures, for example? Who knows‽
----
- g10/getkey.c | 18 ++++++++----------
- g10/pkclist.c | 3 +--
- 2 files changed, 9 insertions(+), 12 deletions(-)
-
-diff --git a/g10/getkey.c b/g10/getkey.c
-index cafed3a9a..95783bee4 100644
---- a/g10/getkey.c
-+++ b/g10/getkey.c
-@@ -1986,9 +1986,9 @@ parse_def_secret_key (ctrl_t ctrl)
- if (pk->has_expired)
- {
- if (DBG_LOOKUP)
-- log_debug ("not using %s as default key, %s",
-- keystr_from_pk (pk), "expired");
-- continue;
-+ log_debug ("%s has expired, but let's ignore that",
-+ keystr_from_pk (pk));
-+ /* continue; */
- }
- if (pk_is_disabled (pk))
- {
-@@ -3600,9 +3600,9 @@ finish_lookup (kbnode_t keyblock, unsigned int req_usage, int want_exact,
- if (pk->has_expired)
- {
- if (DBG_LOOKUP)
-- log_debug ("\tsubkey has expired\n");
-+ log_debug ("\tsubkey has expired but let's ignored that\n");
- n_revoked_or_expired++;
-- continue;
-+ /* continue; */
- }
- if (pk->timestamp > curtime && !opt.ignore_valid_from)
- {
-@@ -3665,13 +3665,11 @@ finish_lookup (kbnode_t keyblock, unsigned int req_usage, int want_exact,
- if (DBG_LOOKUP)
- log_debug ("\tprimary key has been revoked\n");
- }
-- else if (pk->has_expired)
-- {
-- if (DBG_LOOKUP)
-- log_debug ("\tprimary key has expired\n");
-- }
- else /* Okay. */
- {
-+ if (pk->has_expired && DBG_LOOKUP)
-+ log_debug ("\tprimary key has expired but let's ignore that\n");
-+
- if (DBG_LOOKUP)
- log_debug ("\tprimary key may be used\n");
- latest_key = keyblock;
-diff --git a/g10/pkclist.c b/g10/pkclist.c
-index 542164949..6cdd8a35c 100644
---- a/g10/pkclist.c
-+++ b/g10/pkclist.c
-@@ -412,8 +412,7 @@ do_we_trust( PKT_public_key *pk, unsigned int trustlevel )
- /* We should not be able to get here with a revoked or expired
- key */
- if(trustlevel & TRUST_FLAG_REVOKED
-- || trustlevel & TRUST_FLAG_SUB_REVOKED
-- || (trustlevel & TRUST_MASK) == TRUST_EXPIRED)
-+ || trustlevel & TRUST_FLAG_SUB_REVOKED)
- BUG();
-
- if( opt.trust_model==TM_ALWAYS )
---
-2.27.0
-
diff --git a/overlays/patches/gnupg/default.nix b/overlays/patches/gnupg/default.nix
deleted file mode 100644
index 35000019c0b0..000000000000
--- a/overlays/patches/gnupg/default.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ gnupg, ... } @ args:
-
-(gnupg.override (builtins.removeAttrs args [ "gnupg" ])).overrideAttrs (
- { patches ? [], ... }:
- {
- patches = patches ++ [ ./VERY-BAD-allow-signing-with-expired-keys.patch ];
- }
-)
-- cgit 1.4.1