diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list
index 06ff7499e1..42389b919c 100644
--- a/.github/workflows/portage-stable-packages-list
+++ b/.github/workflows/portage-stable-packages-list
@@ -107,6 +107,7 @@ app-crypt/adcli
 app-crypt/argon2
 app-crypt/ccid
 app-crypt/efitools
+app-crypt/gnupg
 app-crypt/libb2
 app-crypt/libmd
 app-crypt/mhash
diff --git a/changelog/security/2024-02-20-gnupg-2.2.42.md b/changelog/security/2024-02-20-gnupg-2.2.42.md
new file mode 100644
index 0000000000..796e1c71fb
--- /dev/null
+++ b/changelog/security/2024-02-20-gnupg-2.2.42.md
@@ -0,0 +1 @@
+- gnupg ([gnupg-2024-01-25](https://gnupg.org/blog/20240125-smartcard-backup-key.html))
diff --git a/changelog/updates/2024-02-20-gnupg-2.2.42.md b/changelog/updates/2024-02-20-gnupg-2.2.42.md
new file mode 100644
index 0000000000..c0f36030b0
--- /dev/null
+++ b/changelog/updates/2024-02-20-gnupg-2.2.42.md
@@ -0,0 +1 @@
+- gnupg ([2.2.42](https://dev.gnupg.org/T6307))
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/Manifest b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/Manifest
deleted file mode 100644
index 5e6b9023e6..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/Manifest
+++ /dev/null
@@ -1,2 +0,0 @@
-DIST gnupg-2.2.35.tar.bz2 7262687 BLAKE2B 18b5965151ded3b3f28d139824e14d7a6f1673c5192ec5f5a80366a6d5f2e04ed7fa035e2bff105e1752753584f992626ccc9ea8840c2bfa39ffe7ca39b81f7f SHA512 ad9f8d10890b7fafb15a7422e2cebaf0f85ce7cf5f880f4edd8d1dec46aa73c01f9096e601f6edd665f8684d1f5892634991a400e00b3185e6b201f549004d3e
-DIST gnupg-2.2.35.tar.bz2.sig 119 BLAKE2B d95323703c12c9474b21fa91ddb70d4d4d464c794223e21f6ae5d4de955f07a5cabde50612e977168ea6071c4b12be3262cbafe9bcaa8e9a0b009318c0ff6718 SHA512 9043894730520e974e7bc17e0f95419c319fbcd514f102faf644e2f5580e238719cecb8b5e778ecf20f9212ee2554206eb0686e8b5fce7f8c556146657660fe2
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.2.35-status-messages-garbled.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.2.35-status-messages-garbled.patch deleted file mode 100644 index 23dbf00b18..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.2.35-status-messages-garbled.patch +++ /dev/null @@ -1,45 +0,0 @@ -https://bugs.gentoo.org/855395 -https://marc.info/?l=oss-security&m=165657063921408&w=2 -https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=7b1db7192e6e4d0cfc439b23b13831837c85bc21 - -From 7b1db7192e6e4d0cfc439b23b13831837c85bc21 Mon Sep 17 00:00:00 2001 -From: Werner Koch -Date: Tue, 14 Jun 2022 11:33:27 +0200 -Subject: [PATCH] g10: Fix garbled status messages in NOTATION_DATA - -* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one --- - -Depending on the escaping and line wrapping the computed remaining -buffer length could be wrong. Fixed by always using a break to -terminate the escape detection loop. Might have happened for all -status lines which may wrap. - -GnuPG-bug-id: T6027 ---- a/g10/cpr.c -+++ b/g10/cpr.c -@@ -328,20 +328,15 @@ write_status_text_and_buffer (int no, const char *string, - } - first = 0; - } -- for (esc=0, s=buffer, n=len; n && !esc; s++, n--) -+ for (esc=0, s=buffer, n=len; n; s++, n--) - { - if (*s == '%' || *(const byte*)s <= lower_limit - || *(const byte*)s == 127 ) - esc = 1; - if (wrap && ++count > wrap) -- { -- dowrap=1; -- break; -- } -- } -- if (esc) -- { -- s--; n++; -+ dowrap=1; -+ if (esc || dowrap) -+ break; - } - if (s != buffer) - es_fwrite (buffer, s-buffer, 1, statusfp); 
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch deleted file mode 100644 index a6173968f5..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch +++ /dev/null @@ -1,32 +0,0 @@ -From: Vincent Breitmoser -Date: Thu, 13 Jun 2019 21:27:43 +0200 -Subject: gpg: accept subkeys with a good revocation but no self-sig during - import - -* g10/import.c (chk_self_sigs): Set the NODE_GOOD_SELFSIG flag when we -encounter a valid revocation signature. This allows import of subkey -revocation signatures, even in the absence of a corresponding subkey -binding signature. - --- - -This fixes the remaining test in import-incomplete.scm. - -GnuPG-Bug-id: 4393 -Signed-off-by: Daniel Kahn Gillmor ---- - g10/import.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/g10/import.c b/g10/import.c -index f9acf95..9217911 100644 ---- a/g10/import.c -+++ b/g10/import.c -@@ -3602,6 +3602,7 @@ chk_self_sigs (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, int *non_self) - /* It's valid, so is it newer? */ - if (sig->timestamp >= rsdate) - { -+ knode->flag |= NODE_GOOD_SELFSIG; /* Subkey is valid. */ - if (rsnode) - { - /* Delete the last revocation sig since diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-allow-import-of-previously-known-keys-even-without-UI.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-allow-import-of-previously-known-keys-even-without-UI.patch deleted file mode 100644 index 4b5690f955..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-allow-import-of-previously-known-keys-even-without-UI.patch +++ /dev/null 
@@ -1,106 +0,0 @@ -From: Vincent Breitmoser -Date: Thu, 13 Jun 2019 21:27:42 +0200 -Subject: gpg: allow import of previously known keys, even without UIDs - -* g10/import.c (import_one): Accept an incoming OpenPGP certificate that -has no user id, as long as we already have a local variant of the cert -that matches the primary key. - --- - -This fixes two of the three broken tests in import-incomplete.scm. - -GnuPG-Bug-id: 4393 -Signed-off-by: Daniel Kahn Gillmor ---- - g10/import.c | 44 +++++++++++--------------------------------- - 1 file changed, 11 insertions(+), 33 deletions(-) - -diff --git a/g10/import.c b/g10/import.c -index 5d3162c..f9acf95 100644 ---- a/g10/import.c -+++ b/g10/import.c -@@ -1788,7 +1788,6 @@ import_one_real (ctrl_t ctrl, - size_t an; - char pkstrbuf[PUBKEY_STRING_SIZE]; - int merge_keys_done = 0; -- int any_filter = 0; - KEYDB_HANDLE hd = NULL; - - if (r_valid) -@@ -1825,14 +1824,6 @@ import_one_real (ctrl_t ctrl, - log_printf ("\n"); - } - -- -- if (!uidnode ) -- { -- if (!silent) -- log_error( _("key %s: no user ID\n"), keystr_from_pk(pk)); -- return 0; -- } -- - if (screener && screener (keyblock, screener_arg)) - { - log_error (_("key %s: %s\n"), keystr_from_pk (pk), -@@ -1907,17 +1898,10 @@ import_one_real (ctrl_t ctrl, - } - } - -- if (!delete_inv_parts (ctrl, keyblock, keyid, options ) ) -- { -- if (!silent) -- { -- log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk)); -- if (!opt.quiet ) -- log_info(_("this may be caused by a missing self-signature\n")); -- } -- stats->no_user_id++; -- return 0; -- } -+ /* Delete invalid parts, and note if we have any valid ones left. -+ * We will later abort import if this key is new but contains -+ * no valid uids. */ -+ delete_inv_parts (ctrl, keyblock, keyid, options); - - /* Get rid of deleted nodes. 
*/ - commit_kbnode (&keyblock); -@@ -1927,24 +1911,11 @@ import_one_real (ctrl_t ctrl, - { - apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid); - commit_kbnode (&keyblock); -- any_filter = 1; - } - if (import_filter.drop_sig) - { - apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig); - commit_kbnode (&keyblock); -- any_filter = 1; -- } -- -- /* If we ran any filter we need to check that at least one user id -- * is left in the keyring. Note that we do not use log_error in -- * this case. */ -- if (any_filter && !any_uid_left (keyblock)) -- { -- if (!opt.quiet ) -- log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk)); -- stats->no_user_id++; -- return 0; - } - - /* The keyblock is valid and ready for real import. */ -@@ -2002,6 +1973,13 @@ import_one_real (ctrl_t ctrl, - err = 0; - stats->skipped_new_keys++; - } -+ else if (err && !any_uid_left (keyblock)) -+ { -+ if (!silent) -+ log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid)); -+ err = 0; -+ stats->no_user_id++; -+ } - else if (err) /* Insert this key. */ - { - /* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY. */ diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index a82a060d23..471ef13116 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -17,6 +17,9 @@ # Needed by arm64-native SDK. =app-crypt/efitools-1.9.2-r1 ~arm64 +# Needed for addressing security issues related to smartcard keys. +=app-crypt/gnupg-2.2.42-r2 ~arm64 + # Needed to fix CVE-2023-36054. =app-crypt/mit-krb5-1.21.2 ~amd64 ~arm64 
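Review bot: The new package.accept_keywords entry `# Needed for addressing security issues related to smartcard keys.` names no identifier, unlike the neighbouring `# Needed to fix CVE-2023-36054.` line, so a later reader cannot tell which fix the `=app-crypt/gnupg-2.2.42-r2 ~arm64` pin is carrying or when it can be dropped once the ebuild is stabilised for arm64. I would write it as `# Needed to fix the unprotected card backup key left behind by 2.2.42 (https://dev.gnupg.org/T6944, https://bugs.gentoo.org/923248).`, which are the same references the bundled gnupg-2.2.42-bug923248-insecure-backup.patch header carries. The exact `-r2` pin also means the next revision bump of the ebuild silently loses the arm64 keyword, which is presumably intended but worth stating in the comment.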
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/Manifest b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/Manifest
new file mode 100644
index 0000000000..8f3cf322eb
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/Manifest
@@ -0,0 +1,8 @@ +DIST gnupg-2.2.41.tar.bz2 7313746 BLAKE2B 0be2965a646a8636a127f89329030860908b0bbc447381782527459aed85f5276c29e7a2c89f87cb715407d9f1aabbf3ae1765073764d05e422035e8d5962569 SHA512 f472e5058ea9881355f0c754a47acd0b5360c36e8976b8563dbc763a7cef792bf88227cc15fe5172d3e9bb9fc34d8448dd5c183949031e91a1997cc7f0f83b55 +DIST gnupg-2.2.41.tar.bz2.sig 238 BLAKE2B 7a4dc8dd4b3da77f6684325f46e3e3b1aeac6fcd8382e3148da1a01a5c5a9e14c1352fb28b61e500388d647e1103b8f78ad49e467e01b732c4a13eb849859b98 SHA512 ac6edd35c6b02a02d6c8a4468332213f20159f972aa2f7fd25c6841c662b3d84db5230330d540e0785ddaff080daf8dd250292104ff47560ad59c11803aabefa +DIST gnupg-2.2.42.tar.bz2 7434291 BLAKE2B 5f7f01f31949e5258d638fbff81fa641e5c167e6eaf32c55eb187d4a31b31cd4fe6e51c622e74d8544c4f95c75484e15117f26a8cf26055ff6813d75e54f2b8a SHA512 9c59d034f428d42323b5520e1a8984acc1505ba1d96d90f00e17b24aa91660b2dc64e1a3ceb044c56f39b4c402a77c7e0b226c65218c23c094781b4ef51e2eb5 +DIST gnupg-2.2.42.tar.bz2.sig 238 BLAKE2B 251ad0a832042ceb93b0edfda8652104bfb463e291322f22f0ab0d9b35606c3589be7a6f3e9e2aac8f6ac368a7d11840ab83b29997587dc65685de9f2dec3fee SHA512 7073bfc920c571680a1de57b4e6cd83cde24ccb3b5f592602b0c32fd762eef497027b08745044c9f41130ca99bb7ec77222568c2d0a1099d3c1c15137e0221d7 +DIST gnupg-2.4.3.tar.bz2 7351327 BLAKE2B b7f4f5e548ec6dfc89cf8792f507ee8642e8500692998cf8d2edc9f5d8002904d24a714b9caffabee6094707c4595e0f54197535135622a7a32aa772f5818f28 SHA512 193a9398445272ec3eb5b79e802efb7414f74bcfffc3db0bf72c0056e04228120c419ed91db168e5733a16a33e548bab5368dd9cf11ecd483825bce189341a1e +DIST gnupg-2.4.3.tar.bz2.sig 119 BLAKE2B 763c0569e5378e132de39e1583c19bae8912455bf7cd5a65bcfc88fa43be99fb6bbf8397192b3086db2f6f0f63fc25789f5e6ce98b2fe63cda3bf673b1c60a20 SHA512 7affff694d194c3befdfc865a7872c0883304ea704e3691eac328d802f12f4f82c2a93eaa1257d3e09b38494b38185f5b8cf35c964f0c3846bbb29b93727ffee +DIST gnupg-2.4.4.tar.bz2 7886036 BLAKE2B 
02661e89f0358be09fa3e71e7235b764a7dbda62a48a0c8c7a4e6c9919c3b37d54ead50b930af58f8f2fdb87861b849d3f3751e95cbedf46bdfd76caa90c4db4 SHA512 3d1a3b08d1ce2319d238d8be96591e418ede1dc0b4ede33a4cc2fe40e9c56d5bbc27b1984736d8a786e7f292ddbc836846a8bdb4bf89f064e953c37cb54b94ef +DIST gnupg-2.4.4.tar.bz2.sig 237 BLAKE2B 6ee5878c36fbec747a6d84a268903749d862aab50dd7f9a389aabbf7b94dec1c424615f520b5f4a6d44e02093e8d9ad0b08d0c6cf6fd8886d8c174ce9faac99c SHA512 3ae7b6833576df851901a7619459b514bb82faeed350c864a57a782719d21f694d9ced5a3445c81dfa584a0302f87fedc660b08ea97bb8b861e76d7c5b46d07f diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/README-systemd b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/README-systemd new file mode 100644 index 0000000000..cc38fd66ab --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/README-systemd 
@@ -0,0 +1,67 @@
+Socket-activated dirmngr and gpg-agent with systemd
+===================================================
+
+When used on a GNU/Linux system supervised by systemd, you can ensure
+that the GnuPG daemons dirmngr and gpg-agent are launched
+automatically the first time they're needed, and shut down cleanly at
+session logout. This is done by enabling user services via
+socket-activation.
+
+System distributors
+-------------------
+
+The *.service and *.socket files (from this directory) should be
+placed in /usr/lib/systemd/user/ alongside other user-session services
+and sockets.
+
+To enable socket-activated dirmngr for all accounts on the system,
+use:
+
+ systemctl --user --global enable dirmngr.socket
+
+To enable socket-activated gpg-agent for all accounts on the system,
+use:
+
+ systemctl --user --global enable gpg-agent.socket
+
+Additionally, you can enable socket-activated gpg-agent ssh-agent
+emulation for all accounts on the system with:
+
+ systemctl --user --global enable gpg-agent-ssh.socket
+
+You can also enable restricted ("--extra-socket"-style) gpg-agent
+sockets for all accounts on the system with:
+
+ systemctl --user --global enable gpg-agent-extra.socket
+
+Individual users
+----------------
+
+A user on a system with systemd where this has not been installed
+system-wide can place these files in ~/.config/systemd/user/ to make
+them available.
+
+If a given service isn't installed system-wide, or if it's installed
+system-wide but not globally enabled, individual users will still need
+to enable them. For example, to enable socket-activated dirmngr for
+all future sessions:
+
+ systemctl --user enable dirmngr.socket
+
+To enable socket-activated gpg-agent with ssh support, do:
+
+ systemctl --user enable gpg-agent.socket gpg-agent-ssh.socket
+
+These changes won't take effect until your next login after you've
+fully logged out (be sure to terminate any running daemons before
+logging out).
+
+If you'd rather try a socket-activated GnuPG daemon in an
+already-running session without logging out (with or without enabling
+it for all future sessions), kill any existing daemon and start the
+user socket directly. For example, to set up socket-activated dirmgnr
+in the current session:
+
+ gpgconf --kill dirmngr
+ systemctl --user start dirmngr.socket
+
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/dirmngr.service b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/dirmngr.service
new file mode 100644
index 0000000000..3c060cde5d
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/dirmngr.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=GnuPG network certificate management daemon
+Documentation=man:dirmngr(8)
+Requires=dirmngr.socket
+
+[Service]
+ExecStart=/usr/bin/dirmngr --supervised
+ExecReload=/usr/bin/gpgconf --reload dirmngr
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/dirmngr.socket b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/dirmngr.socket
new file mode 100644
index 0000000000..ebabf896ab
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/dirmngr.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=GnuPG network certificate management daemon
+Documentation=man:dirmngr(8)
+
+[Socket]
+ListenStream=%t/gnupg/S.dirmngr
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gnupg-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
rename to sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gnupg-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gnupg-2.2.42-bug923248-insecure-backup.patch b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gnupg-2.2.42-bug923248-insecure-backup.patch
new file mode 100644
index 0000000000..76d6d94c40
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gnupg-2.2.42-bug923248-insecure-backup.patch
@@ -0,0 +1,292 @@ +https://bugs.gentoo.org/923248 +https://dev.gnupg.org/T6944 +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=3b69d8bf7146b8d10737d0cfea9c97affc60ad73 + +From 3b69d8bf7146b8d10737d0cfea9c97affc60ad73 Mon Sep 17 00:00:00 2001 +From: Werner Koch +Date: Wed, 24 Jan 2024 11:29:24 +0100 +Subject: [PATCH] gpg: Fix leftover unprotected card backup key. + +* agent/command.c (cmd_learn): Add option --reallyforce. +* agent/findkey.c (agent_write_private_key): Implement reallyforce. +Also add arg reallyforce and pass it along the call chain. + +* g10/call-agent.c (agent_scd_learn): Pass --reallyforce with a +special force value. +* g10/keygen.c (card_store_key_with_backup): Use that force value. +-- + +This was a regression in 2.2.42. We took the easy path to fix it by +getting the behaviour back to what we did prior to 2.2.42. With GnuPG +2.4.4 we use an entire different and safer approach by introducing an +ephemeral private key store. + +GnuPG-bug-id: 6944 +--- a/agent/agent.h ++++ b/agent/agent.h +@@ -422,7 +422,8 @@ void start_command_handler_ssh (ctrl_t, gnupg_fd_t); + gpg_error_t agent_modify_description (const char *in, const char *comment, + const gcry_sexp_t key, char **result); + int agent_write_private_key (const unsigned char *grip, +- const void *buffer, size_t length, int force, ++ const void *buffer, size_t length, ++ int force, int reallyforce, + const char *serialno, const char *keyref, + const char *dispserialno, time_t timestamp); + gpg_error_t agent_key_from_file (ctrl_t ctrl, +@@ -548,6 +549,7 @@ gpg_error_t s2k_hash_passphrase (const char *passphrase, int hashalgo, + gpg_error_t agent_write_shadow_key (const unsigned char *grip, + const char *serialno, const char *keyid, + const unsigned char *pkbuf, int force, ++ int reallyforce, + const char *dispserialno); + + +@@ -628,7 +630,8 @@ void agent_card_killscd (void); + + + /*-- learncard.c --*/ +-int agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, int 
force); ++int agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, ++ int force, int reallyforce); + + + /*-- cvt-openpgp.c --*/ +--- a/agent/command-ssh.c ++++ b/agent/command-ssh.c +@@ -2499,7 +2499,7 @@ card_key_available (ctrl_t ctrl, gcry_sexp_t *r_pk, char **cardsn) + + /* (Shadow)-key is not available in our key storage. */ + agent_card_getattr (ctrl, "$DISPSERIALNO", &dispserialno); +- err = agent_write_shadow_key (grip, serialno, authkeyid, pkbuf, 0, ++ err = agent_write_shadow_key (grip, serialno, authkeyid, pkbuf, 0, 0, + dispserialno); + xfree (dispserialno); + if (err) +@@ -3159,7 +3159,7 @@ ssh_identity_register (ctrl_t ctrl, ssh_key_type_spec_t *spec, + + /* Store this key to our key storage. We do not store a creation + * timestamp because we simply do not know. */ +- err = agent_write_private_key (key_grip_raw, buffer, buffer_n, 0, ++ err = agent_write_private_key (key_grip_raw, buffer, buffer_n, 0, 0, + NULL, NULL, NULL, 0); + if (err) + goto out; +--- a/agent/command.c ++++ b/agent/command.c +@@ -1042,7 +1042,7 @@ cmd_readkey (assuan_context_t ctx, char *line) + /* Shadow-key is or is not available in our key storage. In + * any case we need to check whether we need to update with + * a new display-s/n or whatever. */ +- rc = agent_write_shadow_key (grip, serialno, keyid, pkbuf, 0, ++ rc = agent_write_shadow_key (grip, serialno, keyid, pkbuf, 0, 0, + dispserialno); + if (rc) + goto leave; +@@ -1855,16 +1855,18 @@ cmd_learn (assuan_context_t ctx, char *line) + { + ctrl_t ctrl = assuan_get_pointer (ctx); + gpg_error_t err; +- int send, sendinfo, force; ++ int send, sendinfo, force, reallyforce; + + send = has_option (line, "--send"); + sendinfo = send? 1 : has_option (line, "--sendinfo"); + force = has_option (line, "--force"); ++ reallyforce = has_option (line, "--reallyforce"); + + if (ctrl->restricted) + return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN)); + +- err = agent_handle_learn (ctrl, send, sendinfo? 
ctx : NULL, force); ++ err = agent_handle_learn (ctrl, send, sendinfo? ctx : NULL, ++ force, reallyforce); + return leave_cmd (ctx, err); + } + +@@ -2427,11 +2429,11 @@ cmd_import_key (assuan_context_t ctx, char *line) + err = agent_protect (key, passphrase, &finalkey, &finalkeylen, + ctrl->s2k_count); + if (!err) +- err = agent_write_private_key (grip, finalkey, finalkeylen, force, ++ err = agent_write_private_key (grip, finalkey, finalkeylen, force, 0, + NULL, NULL, NULL, opt_timestamp); + } + else +- err = agent_write_private_key (grip, key, realkeylen, force, ++ err = agent_write_private_key (grip, key, realkeylen, force, 0, + NULL, NULL, NULL, opt_timestamp); + + leave: +--- a/agent/cvt-openpgp.c ++++ b/agent/cvt-openpgp.c +@@ -1070,7 +1070,7 @@ convert_from_openpgp_native (ctrl_t ctrl, + &protectedkey, &protectedkeylen, + ctrl->s2k_count)) + agent_write_private_key (grip, protectedkey, protectedkeylen, +- 1/*force*/, NULL, NULL, NULL, 0); ++ 1/*force*/, 0, NULL, NULL, NULL, 0); + xfree (protectedkey); + } + else +@@ -1079,7 +1079,7 @@ convert_from_openpgp_native (ctrl_t ctrl, + agent_write_private_key (grip, + *r_key, + gcry_sexp_canon_len (*r_key, 0, NULL,NULL), +- 1/*force*/, NULL, NULL, NULL, 0); ++ 1/*force*/, 0, NULL, NULL, NULL, 0); + } + } + +--- a/agent/findkey.c ++++ b/agent/findkey.c +@@ -82,7 +82,8 @@ fname_from_keygrip (const unsigned char *grip, int for_new) + * recorded as creation date. */ + int + agent_write_private_key (const unsigned char *grip, +- const void *buffer, size_t length, int force, ++ const void *buffer, size_t length, ++ int force, int reallyforce, + const char *serialno, const char *keyref, + const char *dispserialno, + time_t timestamp) +@@ -165,10 +166,13 @@ agent_write_private_key (const unsigned char *grip, + /* Check that we do not update a regular key with a shadow key. 
*/ + if (is_regular && gpg_err_code (is_shadowed_key (key)) == GPG_ERR_TRUE) + { +- log_info ("updating regular key file '%s'" +- " by a shadow key inhibited\n", oldfname); +- err = 0; /* Simply ignore the error. */ +- goto leave; ++ if (!reallyforce) ++ { ++ log_info ("updating regular key file '%s'" ++ " by a shadow key inhibited\n", oldfname); ++ err = 0; /* Simply ignore the error. */ ++ goto leave; ++ } + } + /* Check that we update a regular key only in force mode. */ + if (is_regular && !force) +@@ -1704,12 +1708,13 @@ agent_delete_key (ctrl_t ctrl, const char *desc_text, + * Shadow key is created by an S-expression public key in PKBUF and + * card's SERIALNO and the IDSTRING. With FORCE passed as true an + * existing key with the given GRIP will get overwritten. If +- * DISPSERIALNO is not NULL the human readable s/n will also be +- * recorded in the key file. */ ++ * REALLYFORCE is also true, even a private key will be overwritten by ++ * a shadown key. If DISPSERIALNO is not NULL the human readable s/n ++ * will also be recorded in the key file. 
*/ + gpg_error_t + agent_write_shadow_key (const unsigned char *grip, + const char *serialno, const char *keyid, +- const unsigned char *pkbuf, int force, ++ const unsigned char *pkbuf, int force, int reallyforce, + const char *dispserialno) + { + gpg_error_t err; +@@ -1737,7 +1742,7 @@ agent_write_shadow_key (const unsigned char *grip, + } + + len = gcry_sexp_canon_len (shdkey, 0, NULL, NULL); +- err = agent_write_private_key (grip, shdkey, len, force, ++ err = agent_write_private_key (grip, shdkey, len, force, reallyforce, + serialno, keyid, dispserialno, 0); + xfree (shdkey); + if (err) +--- a/agent/genkey.c ++++ b/agent/genkey.c +@@ -69,7 +69,7 @@ store_key (gcry_sexp_t private, const char *passphrase, int force, + buf = p; + } + +- rc = agent_write_private_key (grip, buf, len, force, ++ rc = agent_write_private_key (grip, buf, len, force, 0, + NULL, NULL, NULL, timestamp); + xfree (buf); + return rc; +--- a/agent/learncard.c ++++ b/agent/learncard.c +@@ -297,9 +297,12 @@ send_cert_back (ctrl_t ctrl, const char *id, void *assuan_context) + } + + /* Perform the learn operation. If ASSUAN_CONTEXT is not NULL and +- SEND is true all new certificates are send back via Assuan. */ ++ SEND is true all new certificates are send back via Assuan. If ++ REALLYFORCE is true a private key will be overwritten by a stub ++ key. 
*/ + int +-agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, int force) ++agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, ++ int force, int reallyforce) + { + int rc; + struct kpinfo_cb_parm_s parm; +@@ -414,7 +417,7 @@ agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, int force) + + agent_card_getattr (ctrl, "$DISPSERIALNO", &dispserialno); + rc = agent_write_shadow_key (grip, serialno, item->id, pubkey, +- force, dispserialno); ++ force, reallyforce, dispserialno); + xfree (dispserialno); + } + xfree (pubkey); +--- a/agent/protect-tool.c ++++ b/agent/protect-tool.c +@@ -807,13 +807,15 @@ agent_askpin (ctrl_t ctrl, + * to stdout. */ + int + agent_write_private_key (const unsigned char *grip, +- const void *buffer, size_t length, int force, ++ const void *buffer, size_t length, ++ int force, int reallyforce, + const char *serialno, const char *keyref, + const char *dispserialno, time_t timestamp) + { + char hexgrip[40+4+1]; + char *p; + ++ (void)reallyforce; + (void)force; + (void)timestamp; + (void)serialno; +--- a/g10/call-agent.c ++++ b/g10/call-agent.c +@@ -745,6 +745,11 @@ learn_status_cb (void *opaque, const char *line) + * card-util.c + * keyedit_menu + * card_store_key_with_backup (Woth force to remove secret key data) ++ * ++ * If force has the value 2 the --reallyforce option is also used. ++ * This is to make sure the sshadow key overwrites the private key. ++ * Note that this option is gnupg 2.2 specific because since 2.4.4 an ++ * ephemeral private key store is used instead. + */ + int + agent_scd_learn (struct agent_card_info_s *info, int force) +@@ -764,6 +769,7 @@ agent_scd_learn (struct agent_card_info_s *info, int force) + + parm.ctx = agent_ctx; + rc = assuan_transact (agent_ctx, ++ force == 2? "LEARN --sendinfo --force --reallyforce" : + force ? 
"LEARN --sendinfo --force" : "LEARN --sendinfo", + dummy_data_cb, NULL, default_inq_cb, &parm, + learn_status_cb, info); +--- a/g10/keygen.c ++++ b/g10/keygen.c +@@ -5201,8 +5201,11 @@ card_store_key_with_backup (ctrl_t ctrl, PKT_public_key *sub_psk, + if (err) + log_error ("writing card key to backup file: %s\n", gpg_strerror (err)); + else +- /* Remove secret key data in agent side. */ +- agent_scd_learn (NULL, 1); ++ { ++ /* Remove secret key data in agent side. We use force 2 here to ++ * allow overwriting of the temporary private key. */ ++ agent_scd_learn (NULL, 2); ++ } + + leave: + xfree (ecdh_param_str); +-- +2.30.2 diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gnupg-2.4.2-fix-emacs.patch b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gnupg-2.4.2-fix-emacs.patch new file mode 100644 index 0000000000..2e9141ab57 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gnupg-2.4.2-fix-emacs.patch 
@@ -0,0 +1,564 @@ +https://bugs.gentoo.org/907839 +https://dev.gnupg.org/T6481 +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2f872fa68c6576724b9dabee9fb0844266f55d0d + +From 2f872fa68c6576724b9dabee9fb0844266f55d0d Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka +Date: Wed, 24 May 2023 10:36:04 +0900 +Subject: [PATCH] gpg: Report BEGIN_* status before examining the input. + +* common/miscellaneous.c (is_openpgp_compressed_packet) +(is_file_compressed): Moved to ... +* common/iobuf.c: ... in this file. +(is_file_compressed): Change the argument to INP, the iobuf. +* common/util.h (is_file_compressed): Remove. +* common/iobuf.h (is_file_compressed): Add. +* g10/cipher-aead.c (write_header): Don't call write_status_printf +here. +(cipher_filter_aead): Call write_status_printf when called with +IOBUFCTRL_INIT. +* g10/cipher-cfb.c (write_header): Don't call write_status_printf +here. +(cipher_filter_cfb): Call write_status_printf when called with +IOBUFCTRL_INIT. +* g10/encrypt.c (encrypt_simple): Use new is_file_compressed function, +after call of iobuf_push_filter. +(encrypt_crypt): Likewise. +* g10/sign.c (sign_file): Likewise. + +-- + +GnuPG-bug-id: 6481 +Signed-off-by: NIIBE Yutaka +--- a/common/iobuf.c ++++ b/common/iobuf.c +@@ -3057,3 +3057,123 @@ iobuf_skip_rest (iobuf_t a, unsigned long n, int partial) + } + } + } ++ ++ ++/* Check whether (BUF,LEN) is valid header for an OpenPGP compressed ++ * packet. LEN should be at least 6. */ ++static int ++is_openpgp_compressed_packet (const unsigned char *buf, size_t len) ++{ ++ int c, ctb, pkttype; ++ int lenbytes; ++ ++ ctb = *buf++; len--; ++ if (!(ctb & 0x80)) ++ return 0; /* Invalid packet. */ ++ ++ if ((ctb & 0x40)) /* New style (OpenPGP) CTB. */ ++ { ++ pkttype = (ctb & 0x3f); ++ if (!len) ++ return 0; /* Expected first length octet missing. */ ++ c = *buf++; len--; ++ if (c < 192) ++ ; ++ else if (c < 224) ++ { ++ if (!len) ++ return 0; /* Expected second length octet missing. 
*/ ++ } ++ else if (c == 255) ++ { ++ if (len < 4) ++ return 0; /* Expected length octets missing */ ++ } ++ } ++ else /* Old style CTB. */ ++ { ++ pkttype = (ctb>>2)&0xf; ++ lenbytes = ((ctb&3)==3)? 0 : (1<<(ctb & 3)); ++ if (len < lenbytes) ++ return 0; /* Not enough length bytes. */ ++ } ++ ++ return (pkttype == 8); ++} ++ ++ ++/* ++ * Check if the file is compressed, by peeking the iobuf. You need to ++ * pass the iobuf with INP. Returns true if the buffer seems to be ++ * compressed. ++ */ ++int ++is_file_compressed (iobuf_t inp) ++{ ++ int i; ++ char buf[32]; ++ int buflen; ++ ++ struct magic_compress_s ++ { ++ byte len; ++ byte extchk; ++ byte magic[5]; ++ } magic[] = ++ { ++ { 3, 0, { 0x42, 0x5a, 0x68, 0x00 } }, /* bzip2 */ ++ { 3, 0, { 0x1f, 0x8b, 0x08, 0x00 } }, /* gzip */ ++ { 4, 0, { 0x50, 0x4b, 0x03, 0x04 } }, /* (pk)zip */ ++ { 5, 0, { '%', 'P', 'D', 'F', '-'} }, /* PDF */ ++ { 4, 1, { 0xff, 0xd8, 0xff, 0xe0 } }, /* Maybe JFIF */ ++ { 5, 2, { 0x89, 'P','N','G', 0x0d} } /* Likely PNG */ ++ }; ++ ++ if (!inp) ++ return 0; ++ ++ for ( ; inp->chain; inp = inp->chain ) ++ ; ++ ++ buflen = iobuf_ioctl (inp, IOBUF_IOCTL_PEEK, sizeof buf, buf); ++ if (buflen < 0) ++ { ++ buflen = 0; ++ log_debug ("peeking at input failed\n"); ++ } ++ ++ if ( buflen < 6 ) ++ { ++ return 0; /* Too short to check - assume uncompressed. */ ++ } ++ ++ for ( i = 0; i < DIM (magic); i++ ) ++ { ++ if (!memcmp( buf, magic[i].magic, magic[i].len)) ++ { ++ switch (magic[i].extchk) ++ { ++ case 0: ++ return 1; /* Is compressed. */ ++ case 1: ++ if (buflen > 11 && !memcmp (buf + 6, "JFIF", 5)) ++ return 1; /* JFIF: this likely a compressed JPEG. */ ++ break; ++ case 2: ++ if (buflen > 8 ++ && buf[5] == 0x0a && buf[6] == 0x1a && buf[7] == 0x0a) ++ return 1; /* This is a PNG. */ ++ break; ++ default: ++ break; ++ } ++ } ++ } ++ ++ if (buflen >= 6 && is_openpgp_compressed_packet (buf, buflen)) ++ { ++ return 1; /* Already compressed. */ ++ } ++ ++ return 0; /* Not detected as compressed. 
*/ ++} +--- a/common/iobuf.h ++++ b/common/iobuf.h +@@ -629,6 +629,9 @@ void iobuf_set_partial_body_length_mode (iobuf_t a, size_t len); + from the following filter (which may or may not return EOF). */ + void iobuf_skip_rest (iobuf_t a, unsigned long n, int partial); + ++/* Check if the file is compressed, by peeking the iobuf. */ ++int is_file_compressed (iobuf_t inp); ++ + #define iobuf_where(a) "[don't know]" + + /* Each time a filter is allocated (via iobuf_alloc()), a +--- a/common/miscellaneous.c ++++ b/common/miscellaneous.c +@@ -415,112 +415,6 @@ decode_c_string (const char *src) + } + + +-/* Check whether (BUF,LEN) is valid header for an OpenPGP compressed +- * packet. LEN should be at least 6. */ +-static int +-is_openpgp_compressed_packet (const unsigned char *buf, size_t len) +-{ +- int c, ctb, pkttype; +- int lenbytes; +- +- ctb = *buf++; len--; +- if (!(ctb & 0x80)) +- return 0; /* Invalid packet. */ +- +- if ((ctb & 0x40)) /* New style (OpenPGP) CTB. */ +- { +- pkttype = (ctb & 0x3f); +- if (!len) +- return 0; /* Expected first length octet missing. */ +- c = *buf++; len--; +- if (c < 192) +- ; +- else if (c < 224) +- { +- if (!len) +- return 0; /* Expected second length octet missing. */ +- } +- else if (c == 255) +- { +- if (len < 4) +- return 0; /* Expected length octets missing */ +- } +- } +- else /* Old style CTB. */ +- { +- pkttype = (ctb>>2)&0xf; +- lenbytes = ((ctb&3)==3)? 0 : (1<<(ctb & 3)); +- if (len < lenbytes) +- return 0; /* Not enough length bytes. */ +- } +- +- return (pkttype == 8); +-} +- +- +- +-/* +- * Check if the file is compressed. You need to pass the first bytes +- * of the file as (BUF,BUFLEN). Returns true if the buffer seems to +- * be compressed. 
+- */ +-int +-is_file_compressed (const byte *buf, unsigned int buflen) +-{ +- int i; +- +- struct magic_compress_s +- { +- byte len; +- byte extchk; +- byte magic[5]; +- } magic[] = +- { +- { 3, 0, { 0x42, 0x5a, 0x68, 0x00 } }, /* bzip2 */ +- { 3, 0, { 0x1f, 0x8b, 0x08, 0x00 } }, /* gzip */ +- { 4, 0, { 0x50, 0x4b, 0x03, 0x04 } }, /* (pk)zip */ +- { 5, 0, { '%', 'P', 'D', 'F', '-'} }, /* PDF */ +- { 4, 1, { 0xff, 0xd8, 0xff, 0xe0 } }, /* Maybe JFIF */ +- { 5, 2, { 0x89, 'P','N','G', 0x0d} } /* Likely PNG */ +- }; +- +- if ( buflen < 6 ) +- { +- return 0; /* Too short to check - assume uncompressed. */ +- } +- +- for ( i = 0; i < DIM (magic); i++ ) +- { +- if (!memcmp( buf, magic[i].magic, magic[i].len)) +- { +- switch (magic[i].extchk) +- { +- case 0: +- return 1; /* Is compressed. */ +- case 1: +- if (buflen > 11 && !memcmp (buf + 6, "JFIF", 5)) +- return 1; /* JFIF: this likely a compressed JPEG. */ +- break; +- case 2: +- if (buflen > 8 +- && buf[5] == 0x0a && buf[6] == 0x1a && buf[7] == 0x0a) +- return 1; /* This is a PNG. */ +- break; +- default: +- break; +- } +- } +- } +- +- if (buflen >= 6 && is_openpgp_compressed_packet (buf, buflen)) +- { +- return 1; /* Already compressed. */ +- } +- +- return 0; /* Not detected as compressed. 
*/ +-} +- +- + /* Try match against each substring of multistr, delimited by | */ + int + match_multistr (const char *multistr,const char *match) +--- a/common/util.h ++++ b/common/util.h +@@ -360,8 +360,6 @@ char *try_make_printable_string (const void *p, size_t n, int delim); + char *make_printable_string (const void *p, size_t n, int delim); + char *decode_c_string (const char *src); + +-int is_file_compressed (const byte *buf, unsigned int buflen); +- + int match_multistr (const char *multistr,const char *match); + + int gnupg_compare_version (const char *a, const char *b); +--- a/g10/cipher-aead.c ++++ b/g10/cipher-aead.c +@@ -174,8 +174,6 @@ write_header (cipher_filter_context_t *cfx, iobuf_t a) + log_debug ("aead packet: len=%lu extralen=%d\n", + (unsigned long)ed.len, ed.extralen); + +- write_status_printf (STATUS_BEGIN_ENCRYPTION, "0 %d %d", +- cfx->dek->algo, ed.aead_algo); + print_cipher_algo_note (cfx->dek->algo); + + if (build_packet( a, &pkt)) +@@ -488,6 +486,11 @@ cipher_filter_aead (void *opaque, int control, + { + mem2str (buf, "cipher_filter_aead", *ret_len); + } ++ else if (control == IOBUFCTRL_INIT) ++ { ++ write_status_printf (STATUS_BEGIN_ENCRYPTION, "0 %d %d", ++ cfx->dek->algo, cfx->dek->use_aead); ++ } + + return rc; + } +--- a/g10/cipher-cfb.c ++++ b/g10/cipher-cfb.c +@@ -72,9 +72,6 @@ write_header (cipher_filter_context_t *cfx, iobuf_t a) + log_info (_("Hint: Do not use option %s\n"), "--rfc2440"); + } + +- write_status_printf (STATUS_BEGIN_ENCRYPTION, "%d %d", +- ed.mdc_method, cfx->dek->algo); +- + init_packet (&pkt); + pkt.pkttype = cfx->dek->use_mdc? PKT_ENCRYPTED_MDC : PKT_ENCRYPTED; + pkt.pkt.encrypted = &ed; +@@ -182,6 +179,12 @@ cipher_filter_cfb (void *opaque, int control, + { + mem2str (buf, "cipher_filter_cfb", *ret_len); + } ++ else if (control == IOBUFCTRL_INIT) ++ { ++ write_status_printf (STATUS_BEGIN_ENCRYPTION, "%d %d", ++ cfx->dek->use_mdc ? 
DIGEST_ALGO_SHA1 : 0, ++ cfx->dek->algo); ++ } + + return rc; + } +--- a/g10/encrypt.c ++++ b/g10/encrypt.c +@@ -410,8 +410,6 @@ encrypt_simple (const char *filename, int mode, int use_seskey) + text_filter_context_t tfx; + progress_filter_context_t *pfx; + int do_compress = !!default_compress_algo(); +- char peekbuf[32]; +- int peekbuflen; + + if (!gnupg_rng_is_compliant (opt.compliance)) + { +@@ -448,14 +446,6 @@ encrypt_simple (const char *filename, int mode, int use_seskey) + return rc; + } + +- peekbuflen = iobuf_ioctl (inp, IOBUF_IOCTL_PEEK, sizeof peekbuf, peekbuf); +- if (peekbuflen < 0) +- { +- peekbuflen = 0; +- if (DBG_FILTER) +- log_debug ("peeking at input failed\n"); +- } +- + handle_progress (pfx, inp, filename); + + if (opt.textmode) +@@ -517,17 +507,6 @@ encrypt_simple (const char *filename, int mode, int use_seskey) + /**/ : "CFB"); + } + +- if (do_compress +- && cfx.dek +- && (cfx.dek->use_mdc || cfx.dek->use_aead) +- && !opt.explicit_compress_option +- && is_file_compressed (peekbuf, peekbuflen)) +- { +- if (opt.verbose) +- log_info(_("'%s' already compressed\n"), filename? filename: "[stdin]"); +- do_compress = 0; +- } +- + if ( rc || (rc = open_outfile (-1, filename, opt.armor? 1:0, 0, &out ))) + { + iobuf_cancel (inp); +@@ -598,6 +577,24 @@ encrypt_simple (const char *filename, int mode, int use_seskey) + else + filesize = opt.set_filesize ? opt.set_filesize : 0; /* stdin */ + ++ /* Register the cipher filter. */ ++ if (mode) ++ iobuf_push_filter (out, ++ cfx.dek->use_aead? cipher_filter_aead ++ /**/ : cipher_filter_cfb, ++ &cfx ); ++ ++ if (do_compress ++ && cfx.dek ++ && (cfx.dek->use_mdc || cfx.dek->use_aead) ++ && !opt.explicit_compress_option ++ && is_file_compressed (inp)) ++ { ++ if (opt.verbose) ++ log_info(_("'%s' already compressed\n"), filename? filename: "[stdin]"); ++ do_compress = 0; ++ } ++ + if (!opt.no_literal) + { + /* Note that PT has been initialized above in !no_literal mode. 
*/ +@@ -617,13 +614,6 @@ encrypt_simple (const char *filename, int mode, int use_seskey) + pkt.pkt.generic = NULL; + } + +- /* Register the cipher filter. */ +- if (mode) +- iobuf_push_filter (out, +- cfx.dek->use_aead? cipher_filter_aead +- /**/ : cipher_filter_cfb, +- &cfx ); +- + /* Register the compress filter. */ + if ( do_compress ) + { +@@ -783,7 +773,7 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename, + PKT_plaintext *pt = NULL; + DEK *symkey_dek = NULL; + STRING2KEY *symkey_s2k = NULL; +- int rc = 0, rc2 = 0; ++ int rc = 0; + u32 filesize; + cipher_filter_context_t cfx; + armor_filter_context_t *afx = NULL; +@@ -792,8 +782,6 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename, + progress_filter_context_t *pfx; + PK_LIST pk_list; + int do_compress; +- char peekbuf[32]; +- int peekbuflen; + + if (filefd != -1 && filename) + return gpg_error (GPG_ERR_INV_ARG); /* Both given. */ +@@ -866,14 +854,6 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename, + if (opt.verbose) + log_info (_("reading from '%s'\n"), iobuf_get_fname_nonnull (inp)); + +- peekbuflen = iobuf_ioctl (inp, IOBUF_IOCTL_PEEK, sizeof peekbuf, peekbuf); +- if (peekbuflen < 0) +- { +- peekbuflen = 0; +- if (DBG_FILTER) +- log_debug ("peeking at input failed\n"); +- } +- + handle_progress (pfx, inp, filename); + + if (opt.textmode) +@@ -900,25 +880,6 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename, + if (!cfx.dek->use_aead) + cfx.dek->use_mdc = !!use_mdc (pk_list, cfx.dek->algo); + +- /* Only do the is-file-already-compressed check if we are using a +- * MDC or AEAD. This forces compressed files to be re-compressed if +- * we do not have a MDC to give some protection against chosen +- * ciphertext attacks. */ +- if (do_compress +- && (cfx.dek->use_mdc || cfx.dek->use_aead) +- && !opt.explicit_compress_option +- && is_file_compressed (peekbuf, peekbuflen)) +- { +- if (opt.verbose) +- log_info(_("'%s' already compressed\n"), filename? 
filename: "[stdin]"); +- do_compress = 0; +- } +- if (rc2) +- { +- rc = rc2; +- goto leave; +- } +- + make_session_key (cfx.dek); + if (DBG_CRYPTO) + log_printhex (cfx.dek->key, cfx.dek->keylen, "DEK is: "); +@@ -960,6 +921,26 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename, + else + filesize = opt.set_filesize ? opt.set_filesize : 0; /* stdin */ + ++ /* Register the cipher filter. */ ++ iobuf_push_filter (out, ++ cfx.dek->use_aead? cipher_filter_aead ++ /**/ : cipher_filter_cfb, ++ &cfx); ++ ++ /* Only do the is-file-already-compressed check if we are using a ++ * MDC or AEAD. This forces compressed files to be re-compressed if ++ * we do not have a MDC to give some protection against chosen ++ * ciphertext attacks. */ ++ if (do_compress ++ && (cfx.dek->use_mdc || cfx.dek->use_aead) ++ && !opt.explicit_compress_option ++ && is_file_compressed (inp)) ++ { ++ if (opt.verbose) ++ log_info(_("'%s' already compressed\n"), filename? filename: "[stdin]"); ++ do_compress = 0; ++ } ++ + if (!opt.no_literal) + { + pt->timestamp = make_timestamp(); +@@ -974,12 +955,6 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename, + else + cfx.datalen = filesize && !do_compress ? filesize : 0; + +- /* Register the cipher filter. */ +- iobuf_push_filter (out, +- cfx.dek->use_aead? cipher_filter_aead +- /**/ : cipher_filter_cfb, +- &cfx); +- + /* Register the compress filter. 
*/ + if (do_compress) + { +--- a/g10/sign.c ++++ b/g10/sign.c +@@ -1035,9 +1035,6 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr, + int multifile = 0; + u32 duration=0; + pt_extra_hash_data_t extrahash = NULL; +- char peekbuf[32]; +- int peekbuflen = 0; +- + + pfx = new_progress_context (); + afx = new_armor_context (); +@@ -1096,14 +1093,6 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr, + goto leave; + } + +- peekbuflen = iobuf_ioctl (inp, IOBUF_IOCTL_PEEK, sizeof peekbuf, peekbuf); +- if (peekbuflen < 0) +- { +- peekbuflen = 0; +- if (DBG_FILTER) +- log_debug ("peeking at input failed\n"); +- } +- + handle_progress (pfx, inp, fname); + } + +@@ -1261,7 +1250,7 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr, + int compr_algo = opt.compress_algo; + + if (!opt.explicit_compress_option +- && is_file_compressed (peekbuf, peekbuflen)) ++ && is_file_compressed (inp)) + { + if (opt.verbose) + log_info(_("'%s' already compressed\n"), fname? fname: "[stdin]"); +-- +2.11.0 diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gnupg-2.4.3-no-ldap.patch b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gnupg-2.4.3-no-ldap.patch new file mode 100644 index 0000000000..06d4221488 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gnupg-2.4.3-no-ldap.patch 
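Review bot: The new `is_file_compressed` in common/iobuf.c declares its peek buffer as `char buf[32]` but hands it to `is_openpgp_compressed_packet (const unsigned char *buf, size_t len)`, a pointer-signedness mismatch that -Wpointer-sign flags and that the removed `is_file_compressed (const byte *buf, unsigned int buflen)` signature did not have; `byte buf[32];` (matching the old prototype) keeps the call clean, and `buflen` is an `int` being passed as `size_t` in the same call. The relocated helper also calls `log_debug ("peeking at input failed\n")` unconditionally, whereas the three call sites removed from encrypt_simple, encrypt_crypt and sign_file only logged it under `if (DBG_FILTER)`; that is presumably because `DBG_FILTER` is a g10 flag not visible from common/, but it changes debug-log noise for every unpeekable stream. The BEGIN_ENCRYPTION status in cipher-cfb.c is now built from `cfx->dek->use_mdc ? DIGEST_ALGO_SHA1 : 0` instead of `ed.mdc_method`, and in cipher-aead.c from `cfx->dek->use_aead` instead of `ed.aead_algo`; if write_header derives those fields from anything other than these expressions the status line would diverge from the packet actually written, which is worth a quick check since the rest of write_header is outside the hunk.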
@@ -0,0 +1,28 @@
+https://dev.gnupg.org/T6579
+https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=dc13361524c1477b2106c7385f2059f9ea111b84
+
+From dc13361524c1477b2106c7385f2059f9ea111b84 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka
+Date: Wed, 5 Jul 2023 09:29:54 +0900
+Subject: [PATCH] dirmngr: Enable the call of ks_ldap_help_variables when
+ USE_LDAP.
+
+* dirmngr/server.c [USE_LDAP] (cmd_ad_query): Conditionalize.
+
+--
+
+Signed-off-by: NIIBE Yutaka
+--- a/dirmngr/server.c
++++ b/dirmngr/server.c
+@@ -2776,7 +2776,9 @@ cmd_ad_query (assuan_context_t ctx, char *line)
+ 
+ if (opt_help)
+ {
++#if USE_LDAP
+ ks_ldap_help_variables (ctrl);
++#endif
+ err = 0;
+ goto leave;
+ }
+--
+2.11.0
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gnupg-2.4.4-dirmngr-proxy.patch b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gnupg-2.4.4-dirmngr-proxy.patch
new file mode 100644
index 0000000000..686a3aadc8
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gnupg-2.4.4-dirmngr-proxy.patch
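Review bot: With `USE_LDAP` unset, `cmd_ad_query --help` in dirmngr/server.c now falls straight through to `err = 0; goto leave;` and prints nothing, so the client gets a silent success rather than being told that LDAP/AD support is compiled out. An `#else` branch that returns a not-supported error through `gpg_error ()`, or at minimum a `log_info` stating that dirmngr was built without LDAP, would make the missing feature visible instead of looking like an empty variable list. The guard is also written `#if USE_LDAP` rather than `#ifdef USE_LDAP`; that works when the macro is simply absent, but trips `-Wundef` builds. The enclosing `cmd_ad_query` starts and ends outside the hunk.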
@@ -0,0 +1,202 @@ +https://bugs.gentoo.org/924606 +https://dev.gnupg.org/T6997 +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=04cbc3074aa98660b513a80f623a7e9f0702c7c9 +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=848546b05ab0ff6abd47724ecfab73bf32dd4c01 +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2810b934647edd483996bee1f5f9256a162b2705 + +From 6236978d78886cbb476ed9fbc49ff99c7582b2d7 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka +Date: Thu, 15 Feb 2024 15:38:34 +0900 +Subject: [PATCH 1/3] dirmngr: Fix proxy with TLS. + +* dirmngr/http.c (proxy_get_token, run_proxy_connect): Always +available regardless of USE_TLS. +(run_proxy_connect): Use log_debug_string. +(send_request): Remove USE_TLS. + +-- + +Since the commit of + + 1009e4e5f71347a1fe194e59a9d88c8034a67016 + +Building with TLS library is mandatory. + +GnuPG-bug-id: 6997 +Signed-off-by: NIIBE Yutaka +--- + dirmngr/http.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/dirmngr/http.c b/dirmngr/http.c +index 4899a5d55..10eecfdb0 100644 +--- a/dirmngr/http.c ++++ b/dirmngr/http.c +@@ -2362,7 +2362,6 @@ run_gnutls_handshake (http_t hd, const char *server) + * NULL, decode the string and use this as input from teh server. On + * success the final output token is stored at PROXY->OUTTOKEN and + * OUTTOKLEN. IF the authentication succeeded OUTTOKLEN is zero. */ +-#ifdef USE_TLS + static gpg_error_t + proxy_get_token (proxy_info_t proxy, const char *inputstring) + { +@@ -2530,11 +2529,9 @@ proxy_get_token (proxy_info_t proxy, const char *inputstring) + + #endif /*!HAVE_W32_SYSTEM*/ + } +-#endif /*USE_TLS*/ + + + /* Use the CONNECT method to proxy our TLS stream. 
*/ +-#ifdef USE_TLS + static gpg_error_t + run_proxy_connect (http_t hd, proxy_info_t proxy, + const char *httphost, const char *server, +@@ -2586,7 +2583,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + hd->keep_alive = !auth_basic; /* We may need to send more requests. */ + + if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP)) +- log_debug_with_string (request, "http.c:proxy:request:"); ++ log_debug_string (request, "http.c:proxy:request:"); + + if (!hd->fp_write) + { +@@ -2743,7 +2740,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + xfree (tmpstr); + return err; + } +-#endif /*USE_TLS*/ + + + /* Make a request string using a standard proxy. On success the +@@ -2903,7 +2899,6 @@ send_request (ctrl_t ctrl, + goto leave; + } + +-#if USE_TLS + if (use_http_proxy && hd->uri->use_tls) + { + err = run_proxy_connect (hd, proxy, httphost, server, port); +@@ -2915,7 +2910,6 @@ send_request (ctrl_t ctrl, + * clear the flag to indicate this. */ + use_http_proxy = 0; + } +-#endif /* USE_TLS */ + + #if HTTP_USE_NTBTLS + err = run_ntbtls_handshake (hd); +-- +2.43.2 + +From 68650eb6999e674fd2f1c78f47b68d3cd1d37ff0 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka +Date: Fri, 16 Feb 2024 11:31:37 +0900 +Subject: [PATCH 2/3] dirmngr: Fix the regression of use of proxy for TLS + connection. + +* dirmngr/http.c (run_proxy_connect): Don't set keep_alive, since it +causes resource leak of FP_WRITE. +Don't try to read response body to fix the hang. 
+ +-- + +GnuPG-bug-id: 6997 +Signed-off-by: NIIBE Yutaka +--- + dirmngr/http.c | 14 ++------------ + 1 file changed, 2 insertions(+), 12 deletions(-) + +diff --git a/dirmngr/http.c b/dirmngr/http.c +index 10eecfdb0..7ce01bacd 100644 +--- a/dirmngr/http.c ++++ b/dirmngr/http.c +@@ -2553,6 +2553,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication + */ + auth_basic = !!proxy->uri->auth; ++ hd->keep_alive = 0; + + /* For basic authentication we need to send just one request. */ + if (auth_basic +@@ -2574,13 +2575,12 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + httphost ? httphost : server, + port, + authhdr ? authhdr : "", +- auth_basic? "" : "Connection: keep-alive\r\n"); ++ hd->keep_alive? "Connection: keep-alive\r\n" : ""); + if (!request) + { + err = gpg_error_from_syserror (); + goto leave; + } +- hd->keep_alive = !auth_basic; /* We may need to send more requests. */ + + if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP)) + log_debug_string (request, "http.c:proxy:request:"); +@@ -2607,16 +2607,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + if (err) + goto leave; + +- { +- unsigned long count = 0; +- +- while (es_getc (hd->fp_read) != EOF) +- count++; +- if (opt_debug) +- log_debug ("http.c:proxy_connect: skipped %lu bytes of response-body\n", +- count); +- } +- + /* Reset state. */ + es_clearerr (hd->fp_read); + ((cookie_t)(hd->read_cookie))->up_to_empty_line = 1; +-- +2.43.2 + +From 7c7cbd94549d08780fc3767d6de8336b3f44e7d7 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka +Date: Fri, 16 Feb 2024 16:24:26 +0900 +Subject: [PATCH 3/3] dirmngr: Fix keep-alive flag handling. + +* dirmngr/http.c (run_proxy_connect): Set KEEP_ALIVE if not Basic +Authentication. Fix resource leak of FP_WRITE. 
+ +-- + +GnuPG-bug-id: 6997 +Signed-off-by: NIIBE Yutaka +--- + dirmngr/http.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/dirmngr/http.c b/dirmngr/http.c +index 7ce01bacd..da0c89ae5 100644 +--- a/dirmngr/http.c ++++ b/dirmngr/http.c +@@ -2553,7 +2553,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication + */ + auth_basic = !!proxy->uri->auth; +- hd->keep_alive = 0; ++ hd->keep_alive = !auth_basic; /* We may need to send more requests. */ + + /* For basic authentication we need to send just one request. */ + if (auth_basic +@@ -2717,6 +2717,14 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + } + + leave: ++ if (hd->keep_alive) ++ { ++ es_fclose (hd->fp_write); ++ hd->fp_write = NULL; ++ /* The close has released the cookie and thus we better set it ++ * to NULL. */ ++ hd->write_cookie = NULL; ++ } + /* Restore flags, destroy stream, reset state. */ + hd->flags = saved_flags; + es_fclose (hd->fp_read); +-- +2.43.2 + diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gpg-agent-browser.socket b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gpg-agent-browser.socket new file mode 100644 index 0000000000..bc8d344e1f --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gpg-agent-browser.socket @@ -0,0 +1,13 @@ +[Unit] +Description=GnuPG cryptographic agent and passphrase cache (access for web browsers) +Documentation=man:gpg-agent(1) + +[Socket] +ListenStream=%t/gnupg/S.gpg-agent.browser +FileDescriptorName=browser +Service=gpg-agent.service +SocketMode=0600 +DirectoryMode=0700 + +[Install] +WantedBy=sockets.target diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gpg-agent-extra.socket b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gpg-agent-extra.socket new file mode 100644 index 0000000000..5b87d09dfa --- /dev/null 
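Review bot: The `leave:` cleanup added in patch 3/3 closes `hd->fp_write` only when `hd->keep_alive` is set, so on the Basic-auth path (`hd->keep_alive = !auth_basic` is 0) the write stream this function may have opened in its `if (!hd->fp_write)` block is left for someone else to release; that release is not visible in this hunk, so it is worth confirming the Basic-auth CONNECT does not keep the leak that patch 2/3 was chasing. Tracking ownership with a local set where the stream is created, e.g. `int opened_write = 0;` and then `if (opened_write) { es_fclose (hd->fp_write); hd->fp_write = NULL; hd->write_cookie = NULL; }` at `leave:`, would make the cleanup independent of the keep-alive flag. Patch 2/3 also drops the loop that drained the CONNECT response body; that is right for a 2xx reply, which carries no body, but if a non-2xx reply can reach the `up_to_empty_line = 1` reset without taking the `goto leave` error path, leftover bytes on `fp_read` would be fed to the TLS handshake, and the status-code check that would prevent this lies outside the hunk.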
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gpg-agent-extra.socket
@@ -0,0 +1,13 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache (restricted)
+Documentation=man:gpg-agent(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent.extra
+FileDescriptorName=extra
+Service=gpg-agent.service
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gpg-agent-ssh.socket b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gpg-agent-ssh.socket
new file mode 100644
index 0000000000..798c1d9675
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gpg-agent-ssh.socket
@@ -0,0 +1,13 @@
+[Unit]
+Description=GnuPG cryptographic agent (ssh-agent emulation)
+Documentation=man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent.ssh
+FileDescriptorName=ssh
+Service=gpg-agent.service
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gpg-agent.service b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gpg-agent.service
new file mode 100644
index 0000000000..a050fccdc5
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gpg-agent.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache
+Documentation=man:gpg-agent(1)
+Requires=gpg-agent.socket
+
+[Service]
+ExecStart=/usr/bin/gpg-agent --supervised
+ExecReload=/usr/bin/gpgconf --reload gpg-agent
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gpg-agent.socket b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gpg-agent.socket
new file mode 100644
index 0000000000..4257c2c80f
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gpg-agent.socket @@ -0,0 +1,12 @@ +[Unit] +Description=GnuPG cryptographic agent and passphrase cache +Documentation=man:gpg-agent(1) + +[Socket] +ListenStream=%t/gnupg/S.gpg-agent +FileDescriptorName=std +SocketMode=0600 +DirectoryMode=0700 + +[Install] +WantedBy=sockets.target diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.35-r1.ebuild b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.2.41.ebuild similarity index 62% rename from sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.35-r1.ebuild rename to sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.2.41.ebuild index 7f49ba7cf7..423a1aa2bb 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.35-r1.ebuild +++ b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.2.41.ebuild @@ -1,11 +1,17 @@ -# Copyright 1999-2022 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -# Flatcar: use EAPI=7, until EAPI 8 could be fully supported -EAPI=7 +EAPI=8 -VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnupg.asc -inherit flag-o-matic systemd toolchain-funcs verify-sig +# Maintainers should: +# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/ +# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159 +# (find the one for the current release then subscribe to it + +# any subsequent ones linked within so you're covered for a while.) + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc +# in-source builds are not supported: https://dev.gnupg.org/T6313#166339 +inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig MY_P="${P/_/-}" 
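Review bot: The `@@ -1,11 +1,17 @@` hunk replaces `VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnupg.asc` with the bare `VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc`, so the tarball signature is now verified against a key read from `/` rather than the build root. For a non-prefix native build `BROOT` is empty and nothing changes, but in a prefix or SDK-container build the key would come from the host filesystem unless the verify-sig eclass in use prepends `BROOT` itself, which cannot be confirmed from this diff; a short comment next to the assignment stating which it is would settle that for the next bump. The new `inherit` line also pulls in `out-of-source` and `multiprocessing`, which the Flatcar overlay's EAPI=7 ebuild did not use, so the SDK's eclass set should have both.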
@@ -15,38 +21,42 @@ SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2" SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )" S="${WORKDIR}/${MY_P}" -LICENSE="GPL-3" +LICENSE="GPL-3+" SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server" RESTRICT="!test? ( test )" # Existence of executables is checked during configuration. # Note: On each bump, update dep bounds on each version from configure.ac! -DEPEND=">=dev-libs/libassuan-2.5.0 +DEPEND=" + >=dev-libs/libassuan-2.5.0 >=dev-libs/libgcrypt-1.8.0:= - >=dev-libs/libgpg-error-1.29 + >=dev-libs/libgpg-error-1.38 >=dev-libs/libksba-1.3.5 >=dev-libs/npth-1.2 >=net-misc/curl-7.10 sys-libs/zlib bzip2? ( app-arch/bzip2 ) ldap? ( net-nds/openldap:= ) - readline? ( sys-libs/readline:0= ) + readline? ( sys-libs/readline:= ) smartcard? ( usb? ( virtual/libusb:1 ) ) - ssl? ( >=net-libs/gnutls-3.0:0= ) - tofu? ( >=dev-db/sqlite-3.7 )" - -RDEPEND="${DEPEND} + ssl? ( >=net-libs/gnutls-3.0:= ) + tofu? ( >=dev-db/sqlite-3.7 ) +" +RDEPEND=" + ${DEPEND} app-crypt/pinentry nls? ( virtual/libintl ) selinux? ( sec-policy/selinux-gpg ) - wks-server? ( virtual/mta )" - -BDEPEND="virtual/pkgconfig + wks-server? ( virtual/mta ) +" +BDEPEND=" + virtual/pkgconfig doc? ( sys-apps/texinfo ) nls? ( sys-devel/gettext ) - verify-sig? ( sec-keys/openpgp-keys-gnupg )" + verify-sig? ( sec-keys/openpgp-keys-gnupg ) +" DOCS=( ChangeLog NEWS README THANKS TODO VERSION 
@@ -55,11 +65,6 @@ DOCS=( PATCHES=( "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch - "${FILESDIR}"/${P}-status-messages-garbled.patch - # Flatcar: the patches below are added only for Flatcar, to address the - # upstream gnupg issue https://dev.gnupg.org/T4393. - "${FILESDIR}/${PN}-allow-import-of-previously-known-keys-even-without-UI.patch" - "${FILESDIR}/${PN}-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch" ) src_prepare() { @@ -75,7 +80,10 @@ src_prepare() { -i doc/examples/systemd-user/gpg-agent-ssh.socket || die } -src_configure() { +my_src_configure() { + # Upstream don't support LTO, bug #854222. + filter-lto + local myconf=( $(use_enable bzip2) $(use_enable nls) @@ -88,7 +96,17 @@ src_configure() { $(use_enable wks-server wks-tools) $(use_with ldap) $(use_with readline) + + # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist. + # As of GnuPG 2.3, the mailprog substitution is used for the binary called + # by wks-client & wks-server; and if it's autodetected but not not exist at + # build time, then then 'gpg-wks-client --send' functionality will not + # work. This has an unwanted side-effect in stage3 builds: there was a + # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating + # the build where the install guide previously make the user chose the + # logger & mta early in the install. --with-mailprog=/usr/libexec/sendmail + --disable-ntbtls --enable-gpg --enable-gpgsm @@ -106,7 +124,7 @@ src_configure() { if use prefix && use usb; then # bug #649598 - append-cppflags -I"${EPREFIX}/usr/include/libusb-1.0" + append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0" fi # bug #663142 
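Review bot: The `@@ -55,11 +65,6 @@` hunk drops the two Flatcar-only patches `${PN}-allow-import-of-previously-known-keys-even-without-UI.patch` and `${PN}-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch`, which the removed comment ties to upstream T4393, but nothing in the diff records whether 2.2.41 carries that fix upstream or whether the key-import behaviour change is accepted; keys and subkeys that imported before may now be rejected. A one-line note in `PATCHES=( ... )` such as `# T4393 patches dropped: confirm upstream behaviour in 2.2.41` (or the equivalent in the changelog entry) would spare the next bump a regression hunt. Separately, the `@@ -88,7 +96,17 @@` hunk adds `--disable-ntbtls` while `ssl? ( >=net-libs/gnutls-3.0:= )` stays optional, so a USE=-ssl build presumably leaves dirmngr with no TLS backend at all, which deserves a comment beside the flag.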
@@ -117,39 +135,27 @@ src_configure() {
 # glib fails and picks up clang's internal stdint.h causing weird errors
 tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
- # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
- # As of GnuPG 2.3, the mailprog substitution is used for the binary called
- # by wks-client & wks-server; and if it's autodetected but not not exist at
- # build time, then then 'gpg-wks-client --send' functionality will not
- # work. This has an unwanted side-effect in stage3 builds: there was a
- # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
- # the build where the install guide previously make the user chose the
- # logger & mta early in the install.
-
 econf "${myconf[@]}"
 }
-src_compile() {
+my_src_compile() {
 default
 use doc && emake -C doc html
 }
-src_test() {
- # bug #638574
- use tofu && export TESTFLAGS=--parallel
+my_src_test() {
+ export TESTFLAGS="--parallel=$(makeopts_jobs)"
 default
 }
-src_install() {
- default
+my_src_install() {
+ emake DESTDIR="${D}" install
- use tools &&
- dobin \
- tools/{convert-from-106,gpg-check-pattern} \
- tools/{gpg-zip,gpgconf,gpgsplit,lspgpot,mail-signed-keys} \
- tools/make-dns-cert
+ use tools && dobin \
+ tools/{gpg-zip,gpgconf,gpgsplit,gpg-check-pattern} \
+ tools/make-dns-cert
 dosym gpg /usr/bin/gpg2
 dosym gpgv /usr/bin/gpgv2
@@ -159,7 +165,15 @@ src_install() {
 dodir /etc/env.d
 echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
- use doc && dodoc doc/gnupg.html/* doc/*.png
+ use doc && dodoc doc/gnupg.html/*
+}
+
+my_src_install_all() {
+ einstalldocs
+
+ use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
+
+ use doc && dodoc doc/*.png
 systemd_douserunit doc/examples/systemd-user/*.{service,socket}
 }
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.2.42-r1.ebuild b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.2.42-r1.ebuild
new file mode 100644
index 0000000000..2038d73aa7
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.2.42-r1.ebuild
@@ -0,0 +1,181 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Maintainers should:
+# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
+# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
+# (find the one for the current release then subscribe to it +
+# any subsequent ones linked within so you're covered for a while.)
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
+# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
+inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig
+
+MY_P="${P/_/-}"
+
+DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
+HOMEPAGE="https://gnupg.org/"
+SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
+SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="GPL-3+"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server"
+RESTRICT="!test? ( test )"
+
+# Existence of executables is checked during configuration.
+# Note: On each bump, update dep bounds on each version from configure.ac!
+DEPEND="
+ >=dev-libs/libassuan-2.5.0
+ >=dev-libs/libgcrypt-1.8.0:=
+ >=dev-libs/libgpg-error-1.38
+ >=dev-libs/libksba-1.3.5
+ >=dev-libs/npth-1.2
+ >=net-misc/curl-7.10
+ sys-libs/zlib
+ bzip2? ( app-arch/bzip2 )
+ ldap? ( net-nds/openldap:= )
+ readline? ( sys-libs/readline:= )
+ smartcard? ( usb? ( virtual/libusb:1 ) )
+ ssl? ( >=net-libs/gnutls-3.0:= )
+ tofu? ( >=dev-db/sqlite-3.7 )
+"
+RDEPEND="
+ ${DEPEND}
+ nls? ( virtual/libintl )
+ selinux? ( sec-policy/selinux-gpg )
+ wks-server? ( virtual/mta )
+"
+PDEPEND="
+ app-crypt/pinentry
+"
+BDEPEND="
+ virtual/pkgconfig
+ doc? ( sys-apps/texinfo )
+ nls? ( sys-devel/gettext )
+ verify-sig? ( sec-keys/openpgp-keys-gnupg )
+"
+
+DOCS=(
+ ChangeLog NEWS README THANKS TODO VERSION
+ doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
+)
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
+)
+
+src_prepare() {
+ default
+
+ # Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
+ # idea borrowed from libdbus, see
+ # https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
+ #
+ # This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
+ # which in turn requires discovery in Autoconf, something that upstream deeply resents.
+ sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
+ -i doc/examples/systemd-user/gpg-agent-ssh.socket || die
+}
+
+my_src_configure() {
+ # Upstream don't support LTO, bug #854222.
+ filter-lto
+
+ local myconf=(
+ $(use_enable bzip2)
+ $(use_enable nls)
+ $(use_enable smartcard scdaemon)
+ $(use_enable ssl gnutls)
+ $(use_enable test all-tests)
+ $(use_enable test tests)
+ $(use_enable tofu)
+ $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
+ $(use_enable wks-server wks-tools)
+ $(use_with ldap)
+ $(use_with readline)
+
+ # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
+ # As of GnuPG 2.3, the mailprog substitution is used for the binary called
+ # by wks-client & wks-server; and if it's autodetected but not not exist at
+ # build time, then then 'gpg-wks-client --send' functionality will not
+ # work. This has an unwanted side-effect in stage3 builds: there was a
+ # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
+ # the build where the install guide previously make the user chose the
+ # logger & mta early in the install.
+ --with-mailprog=/usr/libexec/sendmail
+
+ --disable-ntbtls
+ --enable-gpg
+ --enable-gpgsm
+ --enable-large-secmem
+
+ CC_FOR_BUILD="$(tc-getBUILD_CC)"
+ GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
+ KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
+ LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
+ LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
+ NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
+
+ $("${S}/configure" --help | grep -o -- '--without-.*-prefix')
+ )
+
+ if use prefix && use usb; then
+ # bug #649598
+ append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
+ fi
+
+ # bug #663142
+ if use user-socket; then
+ myconf+=( --enable-run-gnupg-user-socket )
+ fi
+
+ # glib fails and picks up clang's internal stdint.h causing weird errors
+ tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
+
+ econf "${myconf[@]}"
+}
+
+my_src_compile() {
+ default
+
+ use doc && emake -C doc html
+}
+
+my_src_test() {
+ export TESTFLAGS="--parallel=$(makeopts_jobs)"
+
+ default
+}
+
+my_src_install() {
+ emake DESTDIR="${D}" install
+
+ use tools && dobin \
+ tools/{gpg-zip,gpgconf,gpgsplit,gpg-check-pattern} \
+ tools/make-dns-cert
+
+ dosym gpg /usr/bin/gpg2
+ dosym gpgv /usr/bin/gpgv2
+ echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
+ echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
+
+ dodir /etc/env.d
+ echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
+
+ use doc && dodoc doc/gnupg.html/*
+}
+
+my_src_install_all() {
+ einstalldocs
+
+ use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
+
+ use doc && dodoc doc/*.png
+
+ systemd_douserunit doc/examples/systemd-user/*.{service,socket}
+}
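Review bot: The `sed -e "/DirectoryMode=/a ExecStartPost=…"` in src_prepare only dies if sed itself fails; if upstream ever renames or drops the `DirectoryMode=` anchor, the append silently becomes a no-op and the shipped unit loses the SSH_AUTH_SOCK export without any build failure. A one-line post-check makes the intent explicit, e.g. `grep -q 'SSH_AUTH_SOCK=' doc/examples/systemd-user/gpg-agent-ssh.socket || die "SSH_AUTH_SOCK injection failed"`. The same construct is in the -r2, 2.4.3-r1, 2.4.4-r1 and 2.4.4 ebuilds (hunks ending at L46, L50 and L55, plus the one cut off after L57), where the 2.4 series edits `"${T}"/gpg-agent-ssh.socket` instead.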
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.2.42-r2.ebuild b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.2.42-r2.ebuild
new file mode 100644
index 0000000000..b852bed96c
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.2.42-r2.ebuild
@@ -0,0 +1,182 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Maintainers should:
+# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
+# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
+# (find the one for the current release then subscribe to it +
+# any subsequent ones linked within so you're covered for a while.)
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
+# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
+inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig
+
+MY_P="${P/_/-}"
+
+DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
+HOMEPAGE="https://gnupg.org/"
+SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
+SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="GPL-3+"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm ~arm64 ~hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server"
+RESTRICT="!test? ( test )"
+
+# Existence of executables is checked during configuration.
+# Note: On each bump, update dep bounds on each version from configure.ac!
+DEPEND="
+ >=dev-libs/libassuan-2.5.0
+ >=dev-libs/libgcrypt-1.8.0:=
+ >=dev-libs/libgpg-error-1.38
+ >=dev-libs/libksba-1.3.5
+ >=dev-libs/npth-1.2
+ >=net-misc/curl-7.10
+ sys-libs/zlib
+ bzip2? ( app-arch/bzip2 )
+ ldap? ( net-nds/openldap:= )
+ readline? ( sys-libs/readline:= )
+ smartcard? ( usb? ( virtual/libusb:1 ) )
+ ssl? ( >=net-libs/gnutls-3.0:= )
+ tofu? ( >=dev-db/sqlite-3.7 )
+"
+RDEPEND="
+ ${DEPEND}
+ nls? ( virtual/libintl )
+ selinux? ( sec-policy/selinux-gpg )
+ wks-server? ( virtual/mta )
+"
+PDEPEND="
+ app-crypt/pinentry
+"
+BDEPEND="
+ virtual/pkgconfig
+ doc? ( sys-apps/texinfo )
+ nls? ( sys-devel/gettext )
+ verify-sig? ( sec-keys/openpgp-keys-gnupg )
+"
+
+DOCS=(
+ ChangeLog NEWS README THANKS TODO VERSION
+ doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
+)
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
+ "${FILESDIR}"/${PN}-2.2.42-bug923248-insecure-backup.patch
+)
+
+src_prepare() {
+ default
+
+ # Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
+ # idea borrowed from libdbus, see
+ # https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
+ #
+ # This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
+ # which in turn requires discovery in Autoconf, something that upstream deeply resents.
+ sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
+ -i doc/examples/systemd-user/gpg-agent-ssh.socket || die
+}
+
+my_src_configure() {
+ # Upstream don't support LTO, bug #854222.
+ filter-lto
+
+ local myconf=(
+ $(use_enable bzip2)
+ $(use_enable nls)
+ $(use_enable smartcard scdaemon)
+ $(use_enable ssl gnutls)
+ $(use_enable test all-tests)
+ $(use_enable test tests)
+ $(use_enable tofu)
+ $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
+ $(use_enable wks-server wks-tools)
+ $(use_with ldap)
+ $(use_with readline)
+
+ # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
+ # As of GnuPG 2.3, the mailprog substitution is used for the binary called
+ # by wks-client & wks-server; and if it's autodetected but not not exist at
+ # build time, then then 'gpg-wks-client --send' functionality will not
+ # work. This has an unwanted side-effect in stage3 builds: there was a
+ # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
+ # the build where the install guide previously make the user chose the
+ # logger & mta early in the install.
+ --with-mailprog=/usr/libexec/sendmail
+
+ --disable-ntbtls
+ --enable-gpg
+ --enable-gpgsm
+ --enable-large-secmem
+
+ CC_FOR_BUILD="$(tc-getBUILD_CC)"
+ GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
+ KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
+ LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
+ LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
+ NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
+
+ $("${S}/configure" --help | grep -o -- '--without-.*-prefix')
+ )
+
+ if use prefix && use usb; then
+ # bug #649598
+ append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
+ fi
+
+ # bug #663142
+ if use user-socket; then
+ myconf+=( --enable-run-gnupg-user-socket )
+ fi
+
+ # glib fails and picks up clang's internal stdint.h causing weird errors
+ tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
+
+ econf "${myconf[@]}"
+}
+
+my_src_compile() {
+ default
+
+ use doc && emake -C doc html
+}
+
+my_src_test() {
+ export TESTFLAGS="--parallel=$(makeopts_jobs)"
+
+ default
+}
+
+my_src_install() {
+ emake DESTDIR="${D}" install
+
+ use tools && dobin \
+ tools/{gpg-zip,gpgconf,gpgsplit,gpg-check-pattern} \
+ tools/make-dns-cert
+
+ dosym gpg /usr/bin/gpg2
+ dosym gpgv /usr/bin/gpgv2
+ echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
+ echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
+
+ dodir /etc/env.d
+ echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
+
+ use doc && dodoc doc/gnupg.html/*
+}
+
+my_src_install_all() {
+ einstalldocs
+
+ use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
+
+ use doc && dodoc doc/*.png
+
+ systemd_douserunit doc/examples/systemd-user/*.{service,socket}
+}
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.4.3-r1.ebuild b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.4.3-r1.ebuild
new file mode 100644
index 0000000000..48e3b7e762
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.4.3-r1.ebuild
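Review bot: The -r2 revision, the one that carries `${PN}-2.2.42-bug923248-insecure-backup.patch`, is keyworded `~arm64` in its KEYWORDS line while the renamed 2.2.x ebuild in the hunk at L35 keeps stable `arm64`, so unless the arm64 profile accepts ~arm64 for this package the arm64 image would resolve to the un-patched 2.2.42 even though -r2 exists precisely to carry that fix. Consider a `package.accept_keywords` entry for `=app-crypt/gnupg-2.2.42-r2` (or dropping the un-patched 2.2.42 and -r1 ebuilds) so both architectures build the same revision. The patch file itself is referenced from PATCHES but does not appear in this part of the diff; it presumably lands under files/ elsewhere in the commit, and it is worth confirming it is there and matches the upstream fix for that bug.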
@@ -0,0 +1,198 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Maintainers should:
+# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
+# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
+# (find the one for the current release then subscribe to it +
+# any subsequent ones linked within so you're covered for a while.)
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
+# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
+inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig
+
+MY_P="${P/_/-}"
+
+DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
+HOMEPAGE="https://gnupg.org/"
+SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
+SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="GPL-3+"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="test? ( tofu )"
+
+# Existence of executables is checked during configuration.
+# Note: On each bump, update dep bounds on each version from configure.ac!
+DEPEND="
+ >=dev-libs/libassuan-2.5.0
+ >=dev-libs/libgcrypt-1.9.1:=
+ >=dev-libs/libgpg-error-1.46
+ >=dev-libs/libksba-1.6.3
+ >=dev-libs/npth-1.2
+ >=net-misc/curl-7.10
+ sys-libs/zlib
+ bzip2? ( app-arch/bzip2 )
+ ldap? ( net-nds/openldap:= )
+ readline? ( sys-libs/readline:0= )
+ smartcard? ( usb? ( virtual/libusb:1 ) )
+ tofu? ( >=dev-db/sqlite-3.27 )
+ tpm? ( >=app-crypt/tpm2-tss-2.4.0:= )
+ ssl? ( >=net-libs/gnutls-3.0:0= )
+"
+RDEPEND="
+ ${DEPEND}
+ nls? ( virtual/libintl )
+ selinux? ( sec-policy/selinux-gpg )
+ wks-server? ( virtual/mta )
+"
+PDEPEND="
+ app-crypt/pinentry
+"
+BDEPEND="
+ virtual/pkgconfig
+ doc? ( sys-apps/texinfo )
+ nls? ( sys-devel/gettext )
+ verify-sig? ( sec-keys/openpgp-keys-gnupg )
+"
+
+DOCS=(
+ ChangeLog NEWS README THANKS TODO VERSION
+ doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
+)
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
+ "${FILESDIR}"/${PN}-2.4.2-fix-emacs.patch
+ "${FILESDIR}"/${P}-no-ldap.patch
+)
+
+src_prepare() {
+ default
+
+ GNUPG_SYSTEMD_UNITS=(
+ dirmngr.service
+ dirmngr.socket
+ gpg-agent-browser.socket
+ gpg-agent-extra.socket
+ gpg-agent.service
+ gpg-agent.socket
+ gpg-agent-ssh.socket
+ )
+
+ cp "${GNUPG_SYSTEMD_UNITS[@]/#/${FILESDIR}/}" "${T}" || die
+
+ # Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
+ # idea borrowed from libdbus, see
+ # https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
+ #
+ # This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
+ # which in turn requires discovery in Autoconf, something that upstream deeply resents.
+ sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
+ -i "${T}"/gpg-agent-ssh.socket || die
+}
+
+my_src_configure() {
+ # Upstream don't support LTO, bug #854222.
+ filter-lto
+
+ local myconf=(
+ $(use_enable bzip2)
+ $(use_enable nls)
+ $(use_enable smartcard scdaemon)
+ $(use_enable ssl gnutls)
+ $(use_enable test all-tests)
+ $(use_enable test tests)
+ $(use_enable tofu)
+ $(use_enable tofu keyboxd)
+ $(use_enable tofu sqlite)
+ $(usex tpm '--with-tss=intel' '--disable-tpm2d')
+ $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
+ $(use_enable wks-server wks-tools)
+ $(use_with ldap)
+ $(use_with readline)
+
+ # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
+ # As of GnuPG 2.3, the mailprog substitution is used for the binary called
+ # by wks-client & wks-server; and if it's autodetected but not not exist at
+ # build time, then then 'gpg-wks-client --send' functionality will not
+ # work. This has an unwanted side-effect in stage3 builds: there was a
+ # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
+ # the build where the install guide previously make the user chose the
+ # logger & mta early in the install.
+ --with-mailprog=/usr/libexec/sendmail
+
+ --disable-ntbtls
+ --enable-gpgsm
+ --enable-large-secmem
+
+ CC_FOR_BUILD="$(tc-getBUILD_CC)"
+ GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
+ KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
+ LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
+ LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
+ NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
+
+ $("${S}/configure" --help | grep -o -- '--without-.*-prefix')
+ )
+
+ if use prefix && use usb; then
+ # bug #649598
+ append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
+ fi
+
+ # bug #663142
+ if use user-socket; then
+ myconf+=( --enable-run-gnupg-user-socket )
+ fi
+
+ # glib fails and picks up clang's internal stdint.h causing weird errors
+ tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
+
+ econf "${myconf[@]}"
+}
+
+my_src_compile() {
+ default
+
+ use doc && emake -C doc html
+}
+
+my_src_test() {
+ export TESTFLAGS="--parallel=$(makeopts_jobs)"
+
+ default
+}
+
+my_src_install() {
+ emake DESTDIR="${D}" install
+
+ use tools && dobin tools/{gpgconf,gpgsplit,gpg-check-pattern} tools/make-dns-cert
+
+ dosym gpg /usr/bin/gpg2
+ dosym gpgv /usr/bin/gpgv2
+ echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
+ echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
+
+ dodir /etc/env.d
+ echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
+
+ use doc && dodoc doc/gnupg.html/*
+}
+
+my_src_install_all() {
+ einstalldocs
+
+ use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
+ use doc && dodoc doc/*.png
+
+ # Dropped upstream in https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed.
+ dodoc "${FILESDIR}"/README-systemd
+ systemd_douserunit "${GNUPG_SYSTEMD_UNITS[@]/#/${T}/}"
+}
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.4.4-r1.ebuild b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.4.4-r1.ebuild
new file mode 100644
index 0000000000..768489c6bf
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.4.4-r1.ebuild
@@ -0,0 +1,197 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Maintainers should:
+# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
+# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
+# (find the one for the current release then subscribe to it +
+# any subsequent ones linked within so you're covered for a while.)
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
+# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
+inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig
+
+MY_P="${P/_/-}"
+
+DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
+HOMEPAGE="https://gnupg.org/"
+SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
+SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="GPL-3+"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="test? ( tofu )"
+
+# Existence of executables is checked during configuration.
+# Note: On each bump, update dep bounds on each version from configure.ac!
+DEPEND="
+ >=dev-libs/libassuan-2.5.0
+ >=dev-libs/libgcrypt-1.9.1:=
+ >=dev-libs/libgpg-error-1.46
+ >=dev-libs/libksba-1.6.3
+ >=dev-libs/npth-1.2
+ >=net-misc/curl-7.10
+ sys-libs/zlib
+ bzip2? ( app-arch/bzip2 )
+ ldap? ( net-nds/openldap:= )
+ readline? ( sys-libs/readline:0= )
+ smartcard? ( usb? ( virtual/libusb:1 ) )
+ tofu? ( >=dev-db/sqlite-3.27 )
+ tpm? ( >=app-crypt/tpm2-tss-2.4.0:= )
+ ssl? ( >=net-libs/gnutls-3.2:0= )
+"
+RDEPEND="
+ ${DEPEND}
+ nls? ( virtual/libintl )
+ selinux? ( sec-policy/selinux-gpg )
+ wks-server? ( virtual/mta )
+"
+PDEPEND="
+ app-crypt/pinentry
+"
+BDEPEND="
+ virtual/pkgconfig
+ doc? ( sys-apps/texinfo )
+ nls? ( sys-devel/gettext )
+ verify-sig? ( sec-keys/openpgp-keys-gnupg )
+"
+
+DOCS=(
+ ChangeLog NEWS README THANKS TODO VERSION
+ doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
+)
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
+ "${FILESDIR}"/${P}-dirmngr-proxy.patch #924606
+)
+
+src_prepare() {
+ default
+
+ GNUPG_SYSTEMD_UNITS=(
+ dirmngr.service
+ dirmngr.socket
+ gpg-agent-browser.socket
+ gpg-agent-extra.socket
+ gpg-agent.service
+ gpg-agent.socket
+ gpg-agent-ssh.socket
+ )
+
+ cp "${GNUPG_SYSTEMD_UNITS[@]/#/${FILESDIR}/}" "${T}" || die
+
+ # Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
+ # idea borrowed from libdbus, see
+ # https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
+ #
+ # This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
+ # which in turn requires discovery in Autoconf, something that upstream deeply resents.
+ sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
+ -i "${T}"/gpg-agent-ssh.socket || die
+}
+
+my_src_configure() {
+ # Upstream don't support LTO, bug #854222.
+ filter-lto
+
+ local myconf=(
+ $(use_enable bzip2)
+ $(use_enable nls)
+ $(use_enable smartcard scdaemon)
+ $(use_enable ssl gnutls)
+ $(use_enable test all-tests)
+ $(use_enable test tests)
+ $(use_enable tofu)
+ $(use_enable tofu keyboxd)
+ $(use_enable tofu sqlite)
+ $(usex tpm '--with-tss=intel' '--disable-tpm2d')
+ $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
+ $(use_enable wks-server wks-tools)
+ $(use_with ldap)
+ $(use_with readline)
+
+ # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
+ # As of GnuPG 2.3, the mailprog substitution is used for the binary called
+ # by wks-client & wks-server; and if it's autodetected but not not exist at
+ # build time, then then 'gpg-wks-client --send' functionality will not
+ # work. This has an unwanted side-effect in stage3 builds: there was a
+ # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
+ # the build where the install guide previously make the user chose the
+ # logger & mta early in the install.
+ --with-mailprog=/usr/libexec/sendmail
+
+ --disable-ntbtls
+ --enable-gpgsm
+ --enable-large-secmem
+
+ CC_FOR_BUILD="$(tc-getBUILD_CC)"
+ GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
+ KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
+ LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
+ LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
+ NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
+
+ $("${S}/configure" --help | grep -o -- '--without-.*-prefix')
+ )
+
+ if use prefix && use usb; then
+ # bug #649598
+ append-cppflags -I"${ESYSROOT}/us/include/libusb-1.0"
+ fi
+
+ # bug #663142
+ if use user-socket; then
+ myconf+=( --enable-run-gnupg-user-socket )
+ fi
+
+ # glib fails and picks up clang's internal stdint.h causing weird errors
+ tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
+
+ econf "${myconf[@]}"
+}
+
+my_src_compile() {
+ default
+
+ use doc && emake -C doc html
+}
+
+my_src_test() {
+ export TESTFLAGS="--parallel=$(makeopts_jobs)"
+
+ default
+}
+
+my_src_install() {
+ emake DESTDIR="${D}" install
+
+ use tools && dobin tools/{gpgconf,gpgsplit,gpg-check-pattern} tools/make-dns-cert
+
+ dosym gpg /usr/bin/gpg2
+ dosym gpgv /usr/bin/gpgv2
+ echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
+ echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
+
+ dodir /etc/env.d
+ echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
+
+ use doc && dodoc doc/gnupg.html/*
+}
+
+my_src_install_all() {
+ einstalldocs
+
+ use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
+ use doc && dodoc doc/*.png
+
+ # Dropped upstream in https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed.
+ dodoc "${FILESDIR}"/README-systemd
+ systemd_douserunit "${GNUPG_SYSTEMD_UNITS[@]/#/${T}/}"
+}
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.4.4.ebuild b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.4.4.ebuild
new file mode 100644
index 0000000000..f01cb0b881
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.4.4.ebuild
@@ -0,0 +1,198 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +# Maintainers should: +# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/ +# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159 +# (find the one for the current release then subscribe to it + +# any subsequent ones linked within so you're covered for a while.) + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc +# in-source builds are not supported: https://dev.gnupg.org/T6313#166339 +inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig + +MY_P="${P/_/-}" + +DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation" +HOMEPAGE="https://gnupg.org/" +SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2" +SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )" +S="${WORKDIR}/${MY_P}" + +LICENSE="GPL-3+" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server" +RESTRICT="!test? ( test )" +REQUIRED_USE="test? ( tofu )" + +# Existence of executables is checked during configuration. +# Note: On each bump, update dep bounds on each version from configure.ac! +DEPEND=" + >=dev-libs/libassuan-2.5.0 + >=dev-libs/libgcrypt-1.9.1:= + >=dev-libs/libgpg-error-1.46 + >=dev-libs/libksba-1.6.3 + >=dev-libs/npth-1.2 + >=net-misc/curl-7.10 + sys-libs/zlib + bzip2? ( app-arch/bzip2 ) + ldap? ( net-nds/openldap:= ) + readline? ( sys-libs/readline:0= ) + smartcard? ( usb? ( virtual/libusb:1 ) ) + tofu? ( >=dev-db/sqlite-3.27 ) + tpm? ( >=app-crypt/tpm2-tss-2.4.0:= ) + ssl? ( >=net-libs/gnutls-3.2:0= ) +" +RDEPEND=" + ${DEPEND} + nls? ( virtual/libintl ) + selinux? ( sec-policy/selinux-gpg ) + wks-server? 
( virtual/mta )
+"
+PDEPEND="
+ app-crypt/pinentry
+"
+BDEPEND="
+ virtual/pkgconfig
+ doc? ( sys-apps/texinfo )
+ nls? ( sys-devel/gettext )
+ verify-sig? ( sec-keys/openpgp-keys-gnupg )
+"
+
+DOCS=(
+ ChangeLog NEWS README THANKS TODO VERSION
+ doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
+)
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
+ #"${FILESDIR}"/${PN}-2.4.2-fix-emacs.patch
+ #"${FILESDIR}"/${PN}-2.4.3-no-ldap.patch
+)
+
+src_prepare() {
+ default
+
+ GNUPG_SYSTEMD_UNITS=(
+ dirmngr.service
+ dirmngr.socket
+ gpg-agent-browser.socket
+ gpg-agent-extra.socket
+ gpg-agent.service
+ gpg-agent.socket
+ gpg-agent-ssh.socket
+ )
+
+ cp "${GNUPG_SYSTEMD_UNITS[@]/#/${FILESDIR}/}" "${T}" || die
+
+ # Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
+ # idea borrowed from libdbus, see
+ # https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
+ #
+ # This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
+ # which in turn requires discovery in Autoconf, something that upstream deeply resents.
+ sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
+ -i "${T}"/gpg-agent-ssh.socket || die
+}
+
+my_src_configure() {
+ # Upstream don't support LTO, bug #854222.
+ filter-lto
+
+ local myconf=(
+ $(use_enable bzip2)
+ $(use_enable nls)
+ $(use_enable smartcard scdaemon)
+ $(use_enable ssl gnutls)
+ $(use_enable test all-tests)
+ $(use_enable test tests)
+ $(use_enable tofu)
+ $(use_enable tofu keyboxd)
+ $(use_enable tofu sqlite)
+ $(usex tpm '--with-tss=intel' '--disable-tpm2d')
+ $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
+ $(use_enable wks-server wks-tools)
+ $(use_with ldap)
+ $(use_with readline)
+
+ # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
+ # As of GnuPG 2.3, the mailprog substitution is used for the binary called
+ # by wks-client & wks-server; and if it's autodetected but not not exist at
+ # build time, then then 'gpg-wks-client --send' functionality will not
+ # work. This has an unwanted side-effect in stage3 builds: there was a
+ # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
+ # the build where the install guide previously make the user chose the
+ # logger & mta early in the install.
+ --with-mailprog=/usr/libexec/sendmail
+
+ --disable-ntbtls
+ --enable-gpgsm
+ --enable-large-secmem
+
+ CC_FOR_BUILD="$(tc-getBUILD_CC)"
+ GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
+ KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
+ LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
+ LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
+ NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
+
+ $("${S}/configure" --help | grep -o -- '--without-.*-prefix')
+ )
+
+ if use prefix && use usb; then
+ # bug #649598
+ append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
+ fi
+
+ # bug #663142
+ if use user-socket; then
+ myconf+=( --enable-run-gnupg-user-socket )
+ fi
+
+ # glib fails and picks up clang's internal stdint.h causing weird errors
+ tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
+
+ econf "${myconf[@]}"
+}
+
+my_src_compile() {
+ default
+
+ use doc && emake -C doc html
+}
+
+my_src_test() {
+ export TESTFLAGS="--parallel=$(makeopts_jobs)"
+
+ default
+}
+
+my_src_install() {
+ emake DESTDIR="${D}" install
+
+ use tools && dobin tools/{gpgconf,gpgsplit,gpg-check-pattern} tools/make-dns-cert
+
+ dosym gpg /usr/bin/gpg2
+ dosym gpgv /usr/bin/gpgv2
+ echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
+ echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
+
+ dodir /etc/env.d
+ echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
+
+ use doc && dodoc doc/gnupg.html/*
+}
+
+my_src_install_all() {
+ einstalldocs
+
+ use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
+ use doc && dodoc doc/*.png
+
+ # Dropped upstream in https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed.
+ dodoc "${FILESDIR}"/README-systemd
+ systemd_douserunit "${GNUPG_SYSTEMD_UNITS[@]/#/${T}/}"
+}
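Review bot: The tarball and its detached signature are fetched under different base names in the new gnupg-2.4.4.ebuild — `SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"` versus `SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"` — so on any bump where `MY_P="${P/_/-}"` actually rewrites the name (an `_rc`/`_beta` version) the distfile and the `.sig` would no longer pair up and, as far as I can tell from the verify-sig eclass contract, the signature check would not cover the tarball; for 2.4.4 itself `P` and `MY_P` are identical, so this is latent rather than live. Since `verify-sig` is the only integrity check on a cryptographic package pulled from a mirror, keep both URIs on the same variable: `SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${MY_P}.tar.bz2.sig )"`, and consider a one-line comment beside `MY_P` noting that the `.sig` name must track it. Separately, the two commented-out entries in `PATCHES` (`#"${FILESDIR}"/${PN}-2.4.2-fix-emacs.patch` and `#"${FILESDIR}"/${PN}-2.4.3-no-ldap.patch`) are dead lines in a freshly added file; either drop them or state in a comment why they are being retained.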
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/metadata.xml b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/metadata.xml
similarity index 91%
rename from sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/metadata.xml
rename to sdk_container/src/third_party/portage-stable/app-crypt/gnupg/metadata.xml
index 9704490d3e..9cfaddc1cd 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/gnupg/metadata.xml
@@ -1,10 +1,6 @@
- - zlogene@gentoo.org - Mikle Kolyada - base-system@gentoo.org Gentoo Base System