mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-07 21:16:57 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1681 from flatcar/dongsu/gnupg-2.2.42

Browse Source 
app-crypt/gnupg: update to 2.2.42-r2
This commit is contained in:
Dongsu Park 2024-02-21 16:04:41 +01:00 committed by GitHub
commit 051232e560
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
29 changed files with 2261 additions and 235 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.github/workflows/portage-stable-packages-list vendored
View File

@ -107,6 +107,7 @@ app-crypt/adcli
app-crypt/argon2
app-crypt/ccid
app-crypt/efitools
app-crypt/gnupg
app-crypt/libb2
app-crypt/libmd
app-crypt/mhash

1
changelog/security/2024-02-20-gnupg-2.2.42.md Normal file
View File

@ -0,0 +1 @@
- gnupg ([gnupg-2024-01-25](https://gnupg.org/blog/20240125-smartcard-backup-key.html))

1
changelog/updates/2024-02-20-gnupg-2.2.42.md Normal file
View File

@ -0,0 +1 @@
- gnupg ([2.2.42](https://dev.gnupg.org/T6307))

2
sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/Manifest vendored
View File

@ -1,2 +0,0 @@
DIST gnupg-2.2.35.tar.bz2 7262687 BLAKE2B 18b5965151ded3b3f28d139824e14d7a6f1673c5192ec5f5a80366a6d5f2e04ed7fa035e2bff105e1752753584f992626ccc9ea8840c2bfa39ffe7ca39b81f7f SHA512 ad9f8d10890b7fafb15a7422e2cebaf0f85ce7cf5f880f4edd8d1dec46aa73c01f9096e601f6edd665f8684d1f5892634991a400e00b3185e6b201f549004d3e
DIST gnupg-2.2.35.tar.bz2.sig 119 BLAKE2B d95323703c12c9474b21fa91ddb70d4d4d464c794223e21f6ae5d4de955f07a5cabde50612e977168ea6071c4b12be3262cbafe9bcaa8e9a0b009318c0ff6718 SHA512 9043894730520e974e7bc17e0f95419c319fbcd514f102faf644e2f5580e238719cecb8b5e778ecf20f9212ee2554206eb0686e8b5fce7f8c556146657660fe2

45
sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.2.35-status-messages-garbled.patch vendored
View File

@ -1,45 +0,0 @@
https://bugs.gentoo.org/855395
https://marc.info/?l=oss-security&m=165657063921408&w=2
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=7b1db7192e6e4d0cfc439b23b13831837c85bc21
From 7b1db7192e6e4d0cfc439b23b13831837c85bc21 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Tue, 14 Jun 2022 11:33:27 +0200
Subject: [PATCH] g10: Fix garbled status messages in NOTATION_DATA
* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
--
Depending on the escaping and line wrapping the computed remaining
buffer length could be wrong. Fixed by always using a break to
terminate the escape detection loop. Might have happened for all
status lines which may wrap.
GnuPG-bug-id: T6027
--- a/g10/cpr.c
+++ b/g10/cpr.c
@@ -328,20 +328,15 @@ write_status_text_and_buffer (int no, const char *string,
}
first = 0;
}
- for (esc=0, s=buffer, n=len; n && !esc; s++, n--)
+ for (esc=0, s=buffer, n=len; n; s++, n--)
{
if (*s == '%' || *(const byte*)s <= lower_limit
|| *(const byte*)s == 127 )
esc = 1;
if (wrap && ++count > wrap)
- {
- dowrap=1;
- break;
- }
- }
- if (esc)
- {
- s--; n++;
+ dowrap=1;
+ if (esc || dowrap)
+ break;
}
if (s != buffer)
es_fwrite (buffer, s-buffer, 1, statusfp);

32
sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch vendored
View File

@ -1,32 +0,0 @@
From: Vincent Breitmoser <look@my.amazin.horse>
Date: Thu, 13 Jun 2019 21:27:43 +0200
Subject: gpg: accept subkeys with a good revocation but no self-sig during
import
* g10/import.c (chk_self_sigs): Set the NODE_GOOD_SELFSIG flag when we
encounter a valid revocation signature. This allows import of subkey
revocation signatures, even in the absence of a corresponding subkey
binding signature.
--
This fixes the remaining test in import-incomplete.scm.
GnuPG-Bug-id: 4393
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
g10/import.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/g10/import.c b/g10/import.c
index f9acf95..9217911 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -3602,6 +3602,7 @@ chk_self_sigs (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, int *non_self)
/* It's valid, so is it newer? */
if (sig->timestamp >= rsdate)
{
+ knode->flag |= NODE_GOOD_SELFSIG; /* Subkey is valid. */
if (rsnode)
{
/* Delete the last revocation sig since

106
sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-allow-import-of-previously-known-keys-even-without-UI.patch vendored
View File

@ -1,106 +0,0 @@
From: Vincent Breitmoser <look@my.amazin.horse>
Date: Thu, 13 Jun 2019 21:27:42 +0200
Subject: gpg: allow import of previously known keys, even without UIDs
* g10/import.c (import_one): Accept an incoming OpenPGP certificate that
has no user id, as long as we already have a local variant of the cert
that matches the primary key.
--
This fixes two of the three broken tests in import-incomplete.scm.
GnuPG-Bug-id: 4393
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
g10/import.c | 44 +++++++++++---------------------------------
1 file changed, 11 insertions(+), 33 deletions(-)
diff --git a/g10/import.c b/g10/import.c
index 5d3162c..f9acf95 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -1788,7 +1788,6 @@ import_one_real (ctrl_t ctrl,
size_t an;
char pkstrbuf[PUBKEY_STRING_SIZE];
int merge_keys_done = 0;
- int any_filter = 0;
KEYDB_HANDLE hd = NULL;
if (r_valid)
@@ -1825,14 +1824,6 @@ import_one_real (ctrl_t ctrl,
log_printf ("\n");
}
-
- if (!uidnode )
- {
- if (!silent)
- log_error( _("key %s: no user ID\n"), keystr_from_pk(pk));
- return 0;
- }
-
if (screener && screener (keyblock, screener_arg))
{
log_error (_("key %s: %s\n"), keystr_from_pk (pk),
@@ -1907,17 +1898,10 @@ import_one_real (ctrl_t ctrl,
}
}
- if (!delete_inv_parts (ctrl, keyblock, keyid, options ) )
- {
- if (!silent)
- {
- log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
- if (!opt.quiet )
- log_info(_("this may be caused by a missing self-signature\n"));
- }
- stats->no_user_id++;
- return 0;
- }
+ /* Delete invalid parts, and note if we have any valid ones left.
+ * We will later abort import if this key is new but contains
+ * no valid uids. */
+ delete_inv_parts (ctrl, keyblock, keyid, options);
/* Get rid of deleted nodes. */
commit_kbnode (&keyblock);
@@ -1927,24 +1911,11 @@ import_one_real (ctrl_t ctrl,
{
apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid);
commit_kbnode (&keyblock);
- any_filter = 1;
}
if (import_filter.drop_sig)
{
apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig);
commit_kbnode (&keyblock);
- any_filter = 1;
- }
-
- /* If we ran any filter we need to check that at least one user id
- * is left in the keyring. Note that we do not use log_error in
- * this case. */
- if (any_filter && !any_uid_left (keyblock))
- {
- if (!opt.quiet )
- log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk));
- stats->no_user_id++;
- return 0;
}
/* The keyblock is valid and ready for real import. */
@@ -2002,6 +1973,13 @@ import_one_real (ctrl_t ctrl,
err = 0;
stats->skipped_new_keys++;
}
+ else if (err && !any_uid_left (keyblock))
+ {
+ if (!silent)
+ log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid));
+ err = 0;
+ stats->no_user_id++;
+ }
else if (err) /* Insert this key. */
{
/* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY. */

3
sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords vendored
View File

@ -17,6 +17,9 @@
# Needed by arm64-native SDK.
=app-crypt/efitools-1.9.2-r1 ~arm64
# Needed for addressing security issues related to smartcard keys.
=app-crypt/gnupg-2.2.42-r2 ~arm64
# Needed to fix CVE-2023-36054.
=app-crypt/mit-krb5-1.21.2 ~amd64 ~arm64

8
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/Manifest vendored Normal file
View File

@ -0,0 +1,8 @@
DIST gnupg-2.2.41.tar.bz2 7313746 BLAKE2B 0be2965a646a8636a127f89329030860908b0bbc447381782527459aed85f5276c29e7a2c89f87cb715407d9f1aabbf3ae1765073764d05e422035e8d5962569 SHA512 f472e5058ea9881355f0c754a47acd0b5360c36e8976b8563dbc763a7cef792bf88227cc15fe5172d3e9bb9fc34d8448dd5c183949031e91a1997cc7f0f83b55
DIST gnupg-2.2.41.tar.bz2.sig 238 BLAKE2B 7a4dc8dd4b3da77f6684325f46e3e3b1aeac6fcd8382e3148da1a01a5c5a9e14c1352fb28b61e500388d647e1103b8f78ad49e467e01b732c4a13eb849859b98 SHA512 ac6edd35c6b02a02d6c8a4468332213f20159f972aa2f7fd25c6841c662b3d84db5230330d540e0785ddaff080daf8dd250292104ff47560ad59c11803aabefa
DIST gnupg-2.2.42.tar.bz2 7434291 BLAKE2B 5f7f01f31949e5258d638fbff81fa641e5c167e6eaf32c55eb187d4a31b31cd4fe6e51c622e74d8544c4f95c75484e15117f26a8cf26055ff6813d75e54f2b8a SHA512 9c59d034f428d42323b5520e1a8984acc1505ba1d96d90f00e17b24aa91660b2dc64e1a3ceb044c56f39b4c402a77c7e0b226c65218c23c094781b4ef51e2eb5
DIST gnupg-2.2.42.tar.bz2.sig 238 BLAKE2B 251ad0a832042ceb93b0edfda8652104bfb463e291322f22f0ab0d9b35606c3589be7a6f3e9e2aac8f6ac368a7d11840ab83b29997587dc65685de9f2dec3fee SHA512 7073bfc920c571680a1de57b4e6cd83cde24ccb3b5f592602b0c32fd762eef497027b08745044c9f41130ca99bb7ec77222568c2d0a1099d3c1c15137e0221d7
DIST gnupg-2.4.3.tar.bz2 7351327 BLAKE2B b7f4f5e548ec6dfc89cf8792f507ee8642e8500692998cf8d2edc9f5d8002904d24a714b9caffabee6094707c4595e0f54197535135622a7a32aa772f5818f28 SHA512 193a9398445272ec3eb5b79e802efb7414f74bcfffc3db0bf72c0056e04228120c419ed91db168e5733a16a33e548bab5368dd9cf11ecd483825bce189341a1e
DIST gnupg-2.4.3.tar.bz2.sig 119 BLAKE2B 763c0569e5378e132de39e1583c19bae8912455bf7cd5a65bcfc88fa43be99fb6bbf8397192b3086db2f6f0f63fc25789f5e6ce98b2fe63cda3bf673b1c60a20 SHA512 7affff694d194c3befdfc865a7872c0883304ea704e3691eac328d802f12f4f82c2a93eaa1257d3e09b38494b38185f5b8cf35c964f0c3846bbb29b93727ffee
DIST gnupg-2.4.4.tar.bz2 7886036 BLAKE2B 02661e89f0358be09fa3e71e7235b764a7dbda62a48a0c8c7a4e6c9919c3b37d54ead50b930af58f8f2fdb87861b849d3f3751e95cbedf46bdfd76caa90c4db4 SHA512 3d1a3b08d1ce2319d238d8be96591e418ede1dc0b4ede33a4cc2fe40e9c56d5bbc27b1984736d8a786e7f292ddbc836846a8bdb4bf89f064e953c37cb54b94ef
DIST gnupg-2.4.4.tar.bz2.sig 237 BLAKE2B 6ee5878c36fbec747a6d84a268903749d862aab50dd7f9a389aabbf7b94dec1c424615f520b5f4a6d44e02093e8d9ad0b08d0c6cf6fd8886d8c174ce9faac99c SHA512 3ae7b6833576df851901a7619459b514bb82faeed350c864a57a782719d21f694d9ced5a3445c81dfa584a0302f87fedc660b08ea97bb8b861e76d7c5b46d07f

67
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/README-systemd vendored Normal file
View File

@ -0,0 +1,67 @@
Socket-activated dirmngr and gpg-agent with systemd
===================================================
When used on a GNU/Linux system supervised by systemd, you can ensure
that the GnuPG daemons dirmngr and gpg-agent are launched
automatically the first time they're needed, and shut down cleanly at
session logout. This is done by enabling user services via
socket-activation.
System distributors
-------------------
The *.service and *.socket files (from this directory) should be
placed in /usr/lib/systemd/user/ alongside other user-session services
and sockets.
To enable socket-activated dirmngr for all accounts on the system,
use:
systemctl --user --global enable dirmngr.socket
To enable socket-activated gpg-agent for all accounts on the system,
use:
systemctl --user --global enable gpg-agent.socket
Additionally, you can enable socket-activated gpg-agent ssh-agent
emulation for all accounts on the system with:
systemctl --user --global enable gpg-agent-ssh.socket
You can also enable restricted ("--extra-socket"-style) gpg-agent
sockets for all accounts on the system with:
systemctl --user --global enable gpg-agent-extra.socket
Individual users
----------------
A user on a system with systemd where this has not been installed
system-wide can place these files in ~/.config/systemd/user/ to make
them available.
If a given service isn't installed system-wide, or if it's installed
system-wide but not globally enabled, individual users will still need
to enable them. For example, to enable socket-activated dirmngr for
all future sessions:
systemctl --user enable dirmngr.socket
To enable socket-activated gpg-agent with ssh support, do:
systemctl --user enable gpg-agent.socket gpg-agent-ssh.socket
These changes won't take effect until your next login after you've
fully logged out (be sure to terminate any running daemons before
logging out).
If you'd rather try a socket-activated GnuPG daemon in an
already-running session without logging out (with or without enabling
it for all future sessions), kill any existing daemon and start the
user socket directly. For example, to set up socket-activated dirmgnr
in the current session:
gpgconf --kill dirmngr
systemctl --user start dirmngr.socket

8
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/dirmngr.service vendored Normal file
View File

@ -0,0 +1,8 @@
[Unit]
Description=GnuPG network certificate management daemon
Documentation=man:dirmngr(8)
Requires=dirmngr.socket
[Service]
ExecStart=/usr/bin/dirmngr --supervised
ExecReload=/usr/bin/gpgconf --reload dirmngr

11
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/dirmngr.socket vendored Normal file
View File

@ -0,0 +1,11 @@
[Unit]
Description=GnuPG network certificate management daemon
Documentation=man:dirmngr(8)
[Socket]
ListenStream=%t/gnupg/S.dirmngr
SocketMode=0600
DirectoryMode=0700
[Install]
WantedBy=sockets.target

0
sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch → sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gnupg-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch vendored
View File

292
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gnupg-2.2.42-bug923248-insecure-backup.patch vendored Normal file
View File

@ -0,0 +1,292 @@
https://bugs.gentoo.org/923248
https://dev.gnupg.org/T6944
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=3b69d8bf7146b8d10737d0cfea9c97affc60ad73
From 3b69d8bf7146b8d10737d0cfea9c97affc60ad73 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Wed, 24 Jan 2024 11:29:24 +0100
Subject: [PATCH] gpg: Fix leftover unprotected card backup key.
* agent/command.c (cmd_learn): Add option --reallyforce.
* agent/findkey.c (agent_write_private_key): Implement reallyforce.
Also add arg reallyforce and pass it along the call chain.
* g10/call-agent.c (agent_scd_learn): Pass --reallyforce with a
special force value.
* g10/keygen.c (card_store_key_with_backup): Use that force value.
--
This was a regression in 2.2.42. We took the easy path to fix it by
getting the behaviour back to what we did prior to 2.2.42. With GnuPG
2.4.4 we use an entire different and safer approach by introducing an
ephemeral private key store.
GnuPG-bug-id: 6944
--- a/agent/agent.h
+++ b/agent/agent.h
@@ -422,7 +422,8 @@ void start_command_handler_ssh (ctrl_t, gnupg_fd_t);
gpg_error_t agent_modify_description (const char *in, const char *comment,
const gcry_sexp_t key, char **result);
int agent_write_private_key (const unsigned char *grip,
- const void *buffer, size_t length, int force,
+ const void *buffer, size_t length,
+ int force, int reallyforce,
const char *serialno, const char *keyref,
const char *dispserialno, time_t timestamp);
gpg_error_t agent_key_from_file (ctrl_t ctrl,
@@ -548,6 +549,7 @@ gpg_error_t s2k_hash_passphrase (const char *passphrase, int hashalgo,
gpg_error_t agent_write_shadow_key (const unsigned char *grip,
const char *serialno, const char *keyid,
const unsigned char *pkbuf, int force,
+ int reallyforce,
const char *dispserialno);
@@ -628,7 +630,8 @@ void agent_card_killscd (void);
/*-- learncard.c --*/
-int agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, int force);
+int agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context,
+ int force, int reallyforce);
/*-- cvt-openpgp.c --*/
--- a/agent/command-ssh.c
+++ b/agent/command-ssh.c
@@ -2499,7 +2499,7 @@ card_key_available (ctrl_t ctrl, gcry_sexp_t *r_pk, char **cardsn)
/* (Shadow)-key is not available in our key storage. */
agent_card_getattr (ctrl, "$DISPSERIALNO", &dispserialno);
- err = agent_write_shadow_key (grip, serialno, authkeyid, pkbuf, 0,
+ err = agent_write_shadow_key (grip, serialno, authkeyid, pkbuf, 0, 0,
dispserialno);
xfree (dispserialno);
if (err)
@@ -3159,7 +3159,7 @@ ssh_identity_register (ctrl_t ctrl, ssh_key_type_spec_t *spec,
/* Store this key to our key storage. We do not store a creation
* timestamp because we simply do not know. */
- err = agent_write_private_key (key_grip_raw, buffer, buffer_n, 0,
+ err = agent_write_private_key (key_grip_raw, buffer, buffer_n, 0, 0,
NULL, NULL, NULL, 0);
if (err)
goto out;
--- a/agent/command.c
+++ b/agent/command.c
@@ -1042,7 +1042,7 @@ cmd_readkey (assuan_context_t ctx, char *line)
/* Shadow-key is or is not available in our key storage. In
* any case we need to check whether we need to update with
* a new display-s/n or whatever. */
- rc = agent_write_shadow_key (grip, serialno, keyid, pkbuf, 0,
+ rc = agent_write_shadow_key (grip, serialno, keyid, pkbuf, 0, 0,
dispserialno);
if (rc)
goto leave;
@@ -1855,16 +1855,18 @@ cmd_learn (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
gpg_error_t err;
- int send, sendinfo, force;
+ int send, sendinfo, force, reallyforce;
send = has_option (line, "--send");
sendinfo = send? 1 : has_option (line, "--sendinfo");
force = has_option (line, "--force");
+ reallyforce = has_option (line, "--reallyforce");
if (ctrl->restricted)
return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));
- err = agent_handle_learn (ctrl, send, sendinfo? ctx : NULL, force);
+ err = agent_handle_learn (ctrl, send, sendinfo? ctx : NULL,
+ force, reallyforce);
return leave_cmd (ctx, err);
}
@@ -2427,11 +2429,11 @@ cmd_import_key (assuan_context_t ctx, char *line)
err = agent_protect (key, passphrase, &finalkey, &finalkeylen,
ctrl->s2k_count);
if (!err)
- err = agent_write_private_key (grip, finalkey, finalkeylen, force,
+ err = agent_write_private_key (grip, finalkey, finalkeylen, force, 0,
NULL, NULL, NULL, opt_timestamp);
}
else
- err = agent_write_private_key (grip, key, realkeylen, force,
+ err = agent_write_private_key (grip, key, realkeylen, force, 0,
NULL, NULL, NULL, opt_timestamp);
leave:
--- a/agent/cvt-openpgp.c
+++ b/agent/cvt-openpgp.c
@@ -1070,7 +1070,7 @@ convert_from_openpgp_native (ctrl_t ctrl,
&protectedkey, &protectedkeylen,
ctrl->s2k_count))
agent_write_private_key (grip, protectedkey, protectedkeylen,
- 1/*force*/, NULL, NULL, NULL, 0);
+ 1/*force*/, 0, NULL, NULL, NULL, 0);
xfree (protectedkey);
}
else
@@ -1079,7 +1079,7 @@ convert_from_openpgp_native (ctrl_t ctrl,
agent_write_private_key (grip,
*r_key,
gcry_sexp_canon_len (*r_key, 0, NULL,NULL),
- 1/*force*/, NULL, NULL, NULL, 0);
+ 1/*force*/, 0, NULL, NULL, NULL, 0);
}
}
--- a/agent/findkey.c
+++ b/agent/findkey.c
@@ -82,7 +82,8 @@ fname_from_keygrip (const unsigned char *grip, int for_new)
* recorded as creation date. */
int
agent_write_private_key (const unsigned char *grip,
- const void *buffer, size_t length, int force,
+ const void *buffer, size_t length,
+ int force, int reallyforce,
const char *serialno, const char *keyref,
const char *dispserialno,
time_t timestamp)
@@ -165,10 +166,13 @@ agent_write_private_key (const unsigned char *grip,
/* Check that we do not update a regular key with a shadow key. */
if (is_regular && gpg_err_code (is_shadowed_key (key)) == GPG_ERR_TRUE)
{
- log_info ("updating regular key file '%s'"
- " by a shadow key inhibited\n", oldfname);
- err = 0; /* Simply ignore the error. */
- goto leave;
+ if (!reallyforce)
+ {
+ log_info ("updating regular key file '%s'"
+ " by a shadow key inhibited\n", oldfname);
+ err = 0; /* Simply ignore the error. */
+ goto leave;
+ }
}
/* Check that we update a regular key only in force mode. */
if (is_regular && !force)
@@ -1704,12 +1708,13 @@ agent_delete_key (ctrl_t ctrl, const char *desc_text,
* Shadow key is created by an S-expression public key in PKBUF and
* card's SERIALNO and the IDSTRING. With FORCE passed as true an
* existing key with the given GRIP will get overwritten. If
- * DISPSERIALNO is not NULL the human readable s/n will also be
- * recorded in the key file. */
+ * REALLYFORCE is also true, even a private key will be overwritten by
+ * a shadown key. If DISPSERIALNO is not NULL the human readable s/n
+ * will also be recorded in the key file. */
gpg_error_t
agent_write_shadow_key (const unsigned char *grip,
const char *serialno, const char *keyid,
- const unsigned char *pkbuf, int force,
+ const unsigned char *pkbuf, int force, int reallyforce,
const char *dispserialno)
{
gpg_error_t err;
@@ -1737,7 +1742,7 @@ agent_write_shadow_key (const unsigned char *grip,
}
len = gcry_sexp_canon_len (shdkey, 0, NULL, NULL);
- err = agent_write_private_key (grip, shdkey, len, force,
+ err = agent_write_private_key (grip, shdkey, len, force, reallyforce,
serialno, keyid, dispserialno, 0);
xfree (shdkey);
if (err)
--- a/agent/genkey.c
+++ b/agent/genkey.c
@@ -69,7 +69,7 @@ store_key (gcry_sexp_t private, const char *passphrase, int force,
buf = p;
}
- rc = agent_write_private_key (grip, buf, len, force,
+ rc = agent_write_private_key (grip, buf, len, force, 0,
NULL, NULL, NULL, timestamp);
xfree (buf);
return rc;
--- a/agent/learncard.c
+++ b/agent/learncard.c
@@ -297,9 +297,12 @@ send_cert_back (ctrl_t ctrl, const char *id, void *assuan_context)
}
/* Perform the learn operation. If ASSUAN_CONTEXT is not NULL and
- SEND is true all new certificates are send back via Assuan. */
+ SEND is true all new certificates are send back via Assuan. If
+ REALLYFORCE is true a private key will be overwritten by a stub
+ key. */
int
-agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, int force)
+agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context,
+ int force, int reallyforce)
{
int rc;
struct kpinfo_cb_parm_s parm;
@@ -414,7 +417,7 @@ agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, int force)
agent_card_getattr (ctrl, "$DISPSERIALNO", &dispserialno);
rc = agent_write_shadow_key (grip, serialno, item->id, pubkey,
- force, dispserialno);
+ force, reallyforce, dispserialno);
xfree (dispserialno);
}
xfree (pubkey);
--- a/agent/protect-tool.c
+++ b/agent/protect-tool.c
@@ -807,13 +807,15 @@ agent_askpin (ctrl_t ctrl,
* to stdout. */
int
agent_write_private_key (const unsigned char *grip,
- const void *buffer, size_t length, int force,
+ const void *buffer, size_t length,
+ int force, int reallyforce,
const char *serialno, const char *keyref,
const char *dispserialno, time_t timestamp)
{
char hexgrip[40+4+1];
char *p;
+ (void)reallyforce;
(void)force;
(void)timestamp;
(void)serialno;
--- a/g10/call-agent.c
+++ b/g10/call-agent.c
@@ -745,6 +745,11 @@ learn_status_cb (void *opaque, const char *line)
* card-util.c
* keyedit_menu
* card_store_key_with_backup (Woth force to remove secret key data)
+ *
+ * If force has the value 2 the --reallyforce option is also used.
+ * This is to make sure the sshadow key overwrites the private key.
+ * Note that this option is gnupg 2.2 specific because since 2.4.4 an
+ * ephemeral private key store is used instead.
*/
int
agent_scd_learn (struct agent_card_info_s *info, int force)
@@ -764,6 +769,7 @@ agent_scd_learn (struct agent_card_info_s *info, int force)
parm.ctx = agent_ctx;
rc = assuan_transact (agent_ctx,
+ force == 2? "LEARN --sendinfo --force --reallyforce" :
force ? "LEARN --sendinfo --force" : "LEARN --sendinfo",
dummy_data_cb, NULL, default_inq_cb, &parm,
learn_status_cb, info);
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -5201,8 +5201,11 @@ card_store_key_with_backup (ctrl_t ctrl, PKT_public_key *sub_psk,
if (err)
log_error ("writing card key to backup file: %s\n", gpg_strerror (err));
else
- /* Remove secret key data in agent side. */
- agent_scd_learn (NULL, 1);
+ {
+ /* Remove secret key data in agent side. We use force 2 here to
+ * allow overwriting of the temporary private key. */
+ agent_scd_learn (NULL, 2);
+ }
leave:
xfree (ecdh_param_str);
--
2.30.2

564
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gnupg-2.4.2-fix-emacs.patch vendored Normal file
View File

@ -0,0 +1,564 @@
https://bugs.gentoo.org/907839
https://dev.gnupg.org/T6481
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2f872fa68c6576724b9dabee9fb0844266f55d0d
From 2f872fa68c6576724b9dabee9fb0844266f55d0d Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Wed, 24 May 2023 10:36:04 +0900
Subject: [PATCH] gpg: Report BEGIN_* status before examining the input.
* common/miscellaneous.c (is_openpgp_compressed_packet)
(is_file_compressed): Moved to ...
* common/iobuf.c: ... in this file.
(is_file_compressed): Change the argument to INP, the iobuf.
* common/util.h (is_file_compressed): Remove.
* common/iobuf.h (is_file_compressed): Add.
* g10/cipher-aead.c (write_header): Don't call write_status_printf
here.
(cipher_filter_aead): Call write_status_printf when called with
IOBUFCTRL_INIT.
* g10/cipher-cfb.c (write_header): Don't call write_status_printf
here.
(cipher_filter_cfb): Call write_status_printf when called with
IOBUFCTRL_INIT.
* g10/encrypt.c (encrypt_simple): Use new is_file_compressed function,
after call of iobuf_push_filter.
(encrypt_crypt): Likewise.
* g10/sign.c (sign_file): Likewise.
--
GnuPG-bug-id: 6481
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
--- a/common/iobuf.c
+++ b/common/iobuf.c
@@ -3057,3 +3057,123 @@ iobuf_skip_rest (iobuf_t a, unsigned long n, int partial)
}
}
}
+
+
+/* Check whether (BUF,LEN) is valid header for an OpenPGP compressed
+ * packet. LEN should be at least 6. */
+static int
+is_openpgp_compressed_packet (const unsigned char *buf, size_t len)
+{
+ int c, ctb, pkttype;
+ int lenbytes;
+
+ ctb = *buf++; len--;
+ if (!(ctb & 0x80))
+ return 0; /* Invalid packet. */
+
+ if ((ctb & 0x40)) /* New style (OpenPGP) CTB. */
+ {
+ pkttype = (ctb & 0x3f);
+ if (!len)
+ return 0; /* Expected first length octet missing. */
+ c = *buf++; len--;
+ if (c < 192)
+ ;
+ else if (c < 224)
+ {
+ if (!len)
+ return 0; /* Expected second length octet missing. */
+ }
+ else if (c == 255)
+ {
+ if (len < 4)
+ return 0; /* Expected length octets missing */
+ }
+ }
+ else /* Old style CTB. */
+ {
+ pkttype = (ctb>>2)&0xf;
+ lenbytes = ((ctb&3)==3)? 0 : (1<<(ctb & 3));
+ if (len < lenbytes)
+ return 0; /* Not enough length bytes. */
+ }
+
+ return (pkttype == 8);
+}
+
+
+/*
+ * Check if the file is compressed, by peeking the iobuf. You need to
+ * pass the iobuf with INP. Returns true if the buffer seems to be
+ * compressed.
+ */
+int
+is_file_compressed (iobuf_t inp)
+{
+ int i;
+ char buf[32];
+ int buflen;
+
+ struct magic_compress_s
+ {
+ byte len;
+ byte extchk;
+ byte magic[5];
+ } magic[] =
+ {
+ { 3, 0, { 0x42, 0x5a, 0x68, 0x00 } }, /* bzip2 */
+ { 3, 0, { 0x1f, 0x8b, 0x08, 0x00 } }, /* gzip */
+ { 4, 0, { 0x50, 0x4b, 0x03, 0x04 } }, /* (pk)zip */
+ { 5, 0, { '%', 'P', 'D', 'F', '-'} }, /* PDF */
+ { 4, 1, { 0xff, 0xd8, 0xff, 0xe0 } }, /* Maybe JFIF */
+ { 5, 2, { 0x89, 'P','N','G', 0x0d} } /* Likely PNG */
+ };
+
+ if (!inp)
+ return 0;
+
+ for ( ; inp->chain; inp = inp->chain )
+ ;
+
+ buflen = iobuf_ioctl (inp, IOBUF_IOCTL_PEEK, sizeof buf, buf);
+ if (buflen < 0)
+ {
+ buflen = 0;
+ log_debug ("peeking at input failed\n");
+ }
+
+ if ( buflen < 6 )
+ {
+ return 0; /* Too short to check - assume uncompressed. */
+ }
+
+ for ( i = 0; i < DIM (magic); i++ )
+ {
+ if (!memcmp( buf, magic[i].magic, magic[i].len))
+ {
+ switch (magic[i].extchk)
+ {
+ case 0:
+ return 1; /* Is compressed. */
+ case 1:
+ if (buflen > 11 && !memcmp (buf + 6, "JFIF", 5))
+ return 1; /* JFIF: this likely a compressed JPEG. */
+ break;
+ case 2:
+ if (buflen > 8
+ && buf[5] == 0x0a && buf[6] == 0x1a && buf[7] == 0x0a)
+ return 1; /* This is a PNG. */
+ break;
+ default:
+ break;
+ }
+ }
+ }
+
+ if (buflen >= 6 && is_openpgp_compressed_packet (buf, buflen))
+ {
+ return 1; /* Already compressed. */
+ }
+
+ return 0; /* Not detected as compressed. */
+}
--- a/common/iobuf.h
+++ b/common/iobuf.h
@@ -629,6 +629,9 @@ void iobuf_set_partial_body_length_mode (iobuf_t a, size_t len);
from the following filter (which may or may not return EOF). */
void iobuf_skip_rest (iobuf_t a, unsigned long n, int partial);
+/* Check if the file is compressed, by peeking the iobuf. */
+int is_file_compressed (iobuf_t inp);
+
#define iobuf_where(a) "[don't know]"
/* Each time a filter is allocated (via iobuf_alloc()), a
--- a/common/miscellaneous.c
+++ b/common/miscellaneous.c
@@ -415,112 +415,6 @@ decode_c_string (const char *src)
}
-/* Check whether (BUF,LEN) is valid header for an OpenPGP compressed
- * packet. LEN should be at least 6. */
-static int
-is_openpgp_compressed_packet (const unsigned char *buf, size_t len)
-{
- int c, ctb, pkttype;
- int lenbytes;
-
- ctb = *buf++; len--;
- if (!(ctb & 0x80))
- return 0; /* Invalid packet. */
-
- if ((ctb & 0x40)) /* New style (OpenPGP) CTB. */
- {
- pkttype = (ctb & 0x3f);
- if (!len)
- return 0; /* Expected first length octet missing. */
- c = *buf++; len--;
- if (c < 192)
- ;
- else if (c < 224)
- {
- if (!len)
- return 0; /* Expected second length octet missing. */
- }
- else if (c == 255)
- {
- if (len < 4)
- return 0; /* Expected length octets missing */
- }
- }
- else /* Old style CTB. */
- {
- pkttype = (ctb>>2)&0xf;
- lenbytes = ((ctb&3)==3)? 0 : (1<<(ctb & 3));
- if (len < lenbytes)
- return 0; /* Not enough length bytes. */
- }
-
- return (pkttype == 8);
-}
-
-
-
-/*
- * Check if the file is compressed. You need to pass the first bytes
- * of the file as (BUF,BUFLEN). Returns true if the buffer seems to
- * be compressed.
- */
-int
-is_file_compressed (const byte *buf, unsigned int buflen)
-{
- int i;
-
- struct magic_compress_s
- {
- byte len;
- byte extchk;
- byte magic[5];
- } magic[] =
- {
- { 3, 0, { 0x42, 0x5a, 0x68, 0x00 } }, /* bzip2 */
- { 3, 0, { 0x1f, 0x8b, 0x08, 0x00 } }, /* gzip */
- { 4, 0, { 0x50, 0x4b, 0x03, 0x04 } }, /* (pk)zip */
- { 5, 0, { '%', 'P', 'D', 'F', '-'} }, /* PDF */
- { 4, 1, { 0xff, 0xd8, 0xff, 0xe0 } }, /* Maybe JFIF */
- { 5, 2, { 0x89, 'P','N','G', 0x0d} } /* Likely PNG */
- };
-
- if ( buflen < 6 )
- {
- return 0; /* Too short to check - assume uncompressed. */
- }
-
- for ( i = 0; i < DIM (magic); i++ )
- {
- if (!memcmp( buf, magic[i].magic, magic[i].len))
- {
- switch (magic[i].extchk)
- {
- case 0:
- return 1; /* Is compressed. */
- case 1:
- if (buflen > 11 && !memcmp (buf + 6, "JFIF", 5))
- return 1; /* JFIF: this likely a compressed JPEG. */
- break;
- case 2:
- if (buflen > 8
- && buf[5] == 0x0a && buf[6] == 0x1a && buf[7] == 0x0a)
- return 1; /* This is a PNG. */
- break;
- default:
- break;
- }
- }
- }
-
- if (buflen >= 6 && is_openpgp_compressed_packet (buf, buflen))
- {
- return 1; /* Already compressed. */
- }
-
- return 0; /* Not detected as compressed. */
-}
-
-
/* Try match against each substring of multistr, delimited by | */
int
match_multistr (const char *multistr,const char *match)
--- a/common/util.h
+++ b/common/util.h
@@ -360,8 +360,6 @@ char *try_make_printable_string (const void *p, size_t n, int delim);
char *make_printable_string (const void *p, size_t n, int delim);
char *decode_c_string (const char *src);
-int is_file_compressed (const byte *buf, unsigned int buflen);
-
int match_multistr (const char *multistr,const char *match);
int gnupg_compare_version (const char *a, const char *b);
--- a/g10/cipher-aead.c
+++ b/g10/cipher-aead.c
@@ -174,8 +174,6 @@ write_header (cipher_filter_context_t *cfx, iobuf_t a)
log_debug ("aead packet: len=%lu extralen=%d\n",
(unsigned long)ed.len, ed.extralen);
- write_status_printf (STATUS_BEGIN_ENCRYPTION, "0 %d %d",
- cfx->dek->algo, ed.aead_algo);
print_cipher_algo_note (cfx->dek->algo);
if (build_packet( a, &pkt))
@@ -488,6 +486,11 @@ cipher_filter_aead (void *opaque, int control,
{
mem2str (buf, "cipher_filter_aead", *ret_len);
}
+ else if (control == IOBUFCTRL_INIT)
+ {
+ write_status_printf (STATUS_BEGIN_ENCRYPTION, "0 %d %d",
+ cfx->dek->algo, cfx->dek->use_aead);
+ }
return rc;
}
--- a/g10/cipher-cfb.c
+++ b/g10/cipher-cfb.c
@@ -72,9 +72,6 @@ write_header (cipher_filter_context_t *cfx, iobuf_t a)
log_info (_("Hint: Do not use option %s\n"), "--rfc2440");
}
- write_status_printf (STATUS_BEGIN_ENCRYPTION, "%d %d",
- ed.mdc_method, cfx->dek->algo);
-
init_packet (&pkt);
pkt.pkttype = cfx->dek->use_mdc? PKT_ENCRYPTED_MDC : PKT_ENCRYPTED;
pkt.pkt.encrypted = &ed;
@@ -182,6 +179,12 @@ cipher_filter_cfb (void *opaque, int control,
{
mem2str (buf, "cipher_filter_cfb", *ret_len);
}
+ else if (control == IOBUFCTRL_INIT)
+ {
+ write_status_printf (STATUS_BEGIN_ENCRYPTION, "%d %d",
+ cfx->dek->use_mdc ? DIGEST_ALGO_SHA1 : 0,
+ cfx->dek->algo);
+ }
return rc;
}
--- a/g10/encrypt.c
+++ b/g10/encrypt.c
@@ -410,8 +410,6 @@ encrypt_simple (const char *filename, int mode, int use_seskey)
text_filter_context_t tfx;
progress_filter_context_t *pfx;
int do_compress = !!default_compress_algo();
- char peekbuf[32];
- int peekbuflen;
if (!gnupg_rng_is_compliant (opt.compliance))
{
@@ -448,14 +446,6 @@ encrypt_simple (const char *filename, int mode, int use_seskey)
return rc;
}
- peekbuflen = iobuf_ioctl (inp, IOBUF_IOCTL_PEEK, sizeof peekbuf, peekbuf);
- if (peekbuflen < 0)
- {
- peekbuflen = 0;
- if (DBG_FILTER)
- log_debug ("peeking at input failed\n");
- }
-
handle_progress (pfx, inp, filename);
if (opt.textmode)
@@ -517,17 +507,6 @@ encrypt_simple (const char *filename, int mode, int use_seskey)
/**/ : "CFB");
}
- if (do_compress
- && cfx.dek
- && (cfx.dek->use_mdc || cfx.dek->use_aead)
- && !opt.explicit_compress_option
- && is_file_compressed (peekbuf, peekbuflen))
- {
- if (opt.verbose)
- log_info(_("'%s' already compressed\n"), filename? filename: "[stdin]");
- do_compress = 0;
- }
-
if ( rc || (rc = open_outfile (-1, filename, opt.armor? 1:0, 0, &out )))
{
iobuf_cancel (inp);
@@ -598,6 +577,24 @@ encrypt_simple (const char *filename, int mode, int use_seskey)
else
filesize = opt.set_filesize ? opt.set_filesize : 0; /* stdin */
+ /* Register the cipher filter. */
+ if (mode)
+ iobuf_push_filter (out,
+ cfx.dek->use_aead? cipher_filter_aead
+ /**/ : cipher_filter_cfb,
+ &cfx );
+
+ if (do_compress
+ && cfx.dek
+ && (cfx.dek->use_mdc || cfx.dek->use_aead)
+ && !opt.explicit_compress_option
+ && is_file_compressed (inp))
+ {
+ if (opt.verbose)
+ log_info(_("'%s' already compressed\n"), filename? filename: "[stdin]");
+ do_compress = 0;
+ }
+
if (!opt.no_literal)
{
/* Note that PT has been initialized above in !no_literal mode. */
@@ -617,13 +614,6 @@ encrypt_simple (const char *filename, int mode, int use_seskey)
pkt.pkt.generic = NULL;
}
- /* Register the cipher filter. */
- if (mode)
- iobuf_push_filter (out,
- cfx.dek->use_aead? cipher_filter_aead
- /**/ : cipher_filter_cfb,
- &cfx );
-
/* Register the compress filter. */
if ( do_compress )
{
@@ -783,7 +773,7 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
PKT_plaintext *pt = NULL;
DEK *symkey_dek = NULL;
STRING2KEY *symkey_s2k = NULL;
- int rc = 0, rc2 = 0;
+ int rc = 0;
u32 filesize;
cipher_filter_context_t cfx;
armor_filter_context_t *afx = NULL;
@@ -792,8 +782,6 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
progress_filter_context_t *pfx;
PK_LIST pk_list;
int do_compress;
- char peekbuf[32];
- int peekbuflen;
if (filefd != -1 && filename)
return gpg_error (GPG_ERR_INV_ARG); /* Both given. */
@@ -866,14 +854,6 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
if (opt.verbose)
log_info (_("reading from '%s'\n"), iobuf_get_fname_nonnull (inp));
- peekbuflen = iobuf_ioctl (inp, IOBUF_IOCTL_PEEK, sizeof peekbuf, peekbuf);
- if (peekbuflen < 0)
- {
- peekbuflen = 0;
- if (DBG_FILTER)
- log_debug ("peeking at input failed\n");
- }
-
handle_progress (pfx, inp, filename);
if (opt.textmode)
@@ -900,25 +880,6 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
if (!cfx.dek->use_aead)
cfx.dek->use_mdc = !!use_mdc (pk_list, cfx.dek->algo);
- /* Only do the is-file-already-compressed check if we are using a
- * MDC or AEAD. This forces compressed files to be re-compressed if
- * we do not have a MDC to give some protection against chosen
- * ciphertext attacks. */
- if (do_compress
- && (cfx.dek->use_mdc || cfx.dek->use_aead)
- && !opt.explicit_compress_option
- && is_file_compressed (peekbuf, peekbuflen))
- {
- if (opt.verbose)
- log_info(_("'%s' already compressed\n"), filename? filename: "[stdin]");
- do_compress = 0;
- }
- if (rc2)
- {
- rc = rc2;
- goto leave;
- }
-
make_session_key (cfx.dek);
if (DBG_CRYPTO)
log_printhex (cfx.dek->key, cfx.dek->keylen, "DEK is: ");
@@ -960,6 +921,26 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
else
filesize = opt.set_filesize ? opt.set_filesize : 0; /* stdin */
+ /* Register the cipher filter. */
+ iobuf_push_filter (out,
+ cfx.dek->use_aead? cipher_filter_aead
+ /**/ : cipher_filter_cfb,
+ &cfx);
+
+ /* Only do the is-file-already-compressed check if we are using a
+ * MDC or AEAD. This forces compressed files to be re-compressed if
+ * we do not have a MDC to give some protection against chosen
+ * ciphertext attacks. */
+ if (do_compress
+ && (cfx.dek->use_mdc || cfx.dek->use_aead)
+ && !opt.explicit_compress_option
+ && is_file_compressed (inp))
+ {
+ if (opt.verbose)
+ log_info(_("'%s' already compressed\n"), filename? filename: "[stdin]");
+ do_compress = 0;
+ }
+
if (!opt.no_literal)
{
pt->timestamp = make_timestamp();
@@ -974,12 +955,6 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
else
cfx.datalen = filesize && !do_compress ? filesize : 0;
- /* Register the cipher filter. */
- iobuf_push_filter (out,
- cfx.dek->use_aead? cipher_filter_aead
- /**/ : cipher_filter_cfb,
- &cfx);
-
/* Register the compress filter. */
if (do_compress)
{
--- a/g10/sign.c
+++ b/g10/sign.c
@@ -1035,9 +1035,6 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
int multifile = 0;
u32 duration=0;
pt_extra_hash_data_t extrahash = NULL;
- char peekbuf[32];
- int peekbuflen = 0;
-
pfx = new_progress_context ();
afx = new_armor_context ();
@@ -1096,14 +1093,6 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
goto leave;
}
- peekbuflen = iobuf_ioctl (inp, IOBUF_IOCTL_PEEK, sizeof peekbuf, peekbuf);
- if (peekbuflen < 0)
- {
- peekbuflen = 0;
- if (DBG_FILTER)
- log_debug ("peeking at input failed\n");
- }
-
handle_progress (pfx, inp, fname);
}
@@ -1261,7 +1250,7 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
int compr_algo = opt.compress_algo;
if (!opt.explicit_compress_option
- && is_file_compressed (peekbuf, peekbuflen))
+ && is_file_compressed (inp))
{
if (opt.verbose)
log_info(_("'%s' already compressed\n"), fname? fname: "[stdin]");
--
2.11.0

28
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gnupg-2.4.3-no-ldap.patch vendored Normal file
View File

@ -0,0 +1,28 @@
https://dev.gnupg.org/T6579
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=dc13361524c1477b2106c7385f2059f9ea111b84
From dc13361524c1477b2106c7385f2059f9ea111b84 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Wed, 5 Jul 2023 09:29:54 +0900
Subject: [PATCH] dirmngr: Enable the call of ks_ldap_help_variables when
USE_LDAP.
* dirmngr/server.c [USE_LDAP] (cmd_ad_query): Conditionalize.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@@ -2776,7 +2776,9 @@ cmd_ad_query (assuan_context_t ctx, char *line)
if (opt_help)
{
+#if USE_LDAP
ks_ldap_help_variables (ctrl);
+#endif
err = 0;
goto leave;
}
--
2.11.0

202
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gnupg-2.4.4-dirmngr-proxy.patch vendored Normal file
View File

@ -0,0 +1,202 @@
https://bugs.gentoo.org/924606
https://dev.gnupg.org/T6997
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=04cbc3074aa98660b513a80f623a7e9f0702c7c9
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=848546b05ab0ff6abd47724ecfab73bf32dd4c01
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2810b934647edd483996bee1f5f9256a162b2705
From 6236978d78886cbb476ed9fbc49ff99c7582b2d7 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Thu, 15 Feb 2024 15:38:34 +0900
Subject: [PATCH 1/3] dirmngr: Fix proxy with TLS.
* dirmngr/http.c (proxy_get_token, run_proxy_connect): Always
available regardless of USE_TLS.
(run_proxy_connect): Use log_debug_string.
(send_request): Remove USE_TLS.
--
Since the commit of
1009e4e5f71347a1fe194e59a9d88c8034a67016
Building with TLS library is mandatory.
GnuPG-bug-id: 6997
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
dirmngr/http.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/dirmngr/http.c b/dirmngr/http.c
index 4899a5d55..10eecfdb0 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -2362,7 +2362,6 @@ run_gnutls_handshake (http_t hd, const char *server)
* NULL, decode the string and use this as input from teh server. On
* success the final output token is stored at PROXY->OUTTOKEN and
* OUTTOKLEN. IF the authentication succeeded OUTTOKLEN is zero. */
-#ifdef USE_TLS
static gpg_error_t
proxy_get_token (proxy_info_t proxy, const char *inputstring)
{
@@ -2530,11 +2529,9 @@ proxy_get_token (proxy_info_t proxy, const char *inputstring)
#endif /*!HAVE_W32_SYSTEM*/
}
-#endif /*USE_TLS*/
/* Use the CONNECT method to proxy our TLS stream. */
-#ifdef USE_TLS
static gpg_error_t
run_proxy_connect (http_t hd, proxy_info_t proxy,
const char *httphost, const char *server,
@@ -2586,7 +2583,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
hd->keep_alive = !auth_basic; /* We may need to send more requests. */
if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP))
- log_debug_with_string (request, "http.c:proxy:request:");
+ log_debug_string (request, "http.c:proxy:request:");
if (!hd->fp_write)
{
@@ -2743,7 +2740,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
xfree (tmpstr);
return err;
}
-#endif /*USE_TLS*/
/* Make a request string using a standard proxy. On success the
@@ -2903,7 +2899,6 @@ send_request (ctrl_t ctrl,
goto leave;
}
-#if USE_TLS
if (use_http_proxy && hd->uri->use_tls)
{
err = run_proxy_connect (hd, proxy, httphost, server, port);
@@ -2915,7 +2910,6 @@ send_request (ctrl_t ctrl,
* clear the flag to indicate this. */
use_http_proxy = 0;
}
-#endif /* USE_TLS */
#if HTTP_USE_NTBTLS
err = run_ntbtls_handshake (hd);
--
2.43.2
From 68650eb6999e674fd2f1c78f47b68d3cd1d37ff0 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Fri, 16 Feb 2024 11:31:37 +0900
Subject: [PATCH 2/3] dirmngr: Fix the regression of use of proxy for TLS
connection.
* dirmngr/http.c (run_proxy_connect): Don't set keep_alive, since it
causes resource leak of FP_WRITE.
Don't try to read response body to fix the hang.
--
GnuPG-bug-id: 6997
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
dirmngr/http.c | 14 ++------------
1 file changed, 2 insertions(+), 12 deletions(-)
diff --git a/dirmngr/http.c b/dirmngr/http.c
index 10eecfdb0..7ce01bacd 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -2553,6 +2553,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
* RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication
*/
auth_basic = !!proxy->uri->auth;
+ hd->keep_alive = 0;
/* For basic authentication we need to send just one request. */
if (auth_basic
@@ -2574,13 +2575,12 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
httphost ? httphost : server,
port,
authhdr ? authhdr : "",
- auth_basic? "" : "Connection: keep-alive\r\n");
+ hd->keep_alive? "Connection: keep-alive\r\n" : "");
if (!request)
{
err = gpg_error_from_syserror ();
goto leave;
}
- hd->keep_alive = !auth_basic; /* We may need to send more requests. */
if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP))
log_debug_string (request, "http.c:proxy:request:");
@@ -2607,16 +2607,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
if (err)
goto leave;
- {
- unsigned long count = 0;
-
- while (es_getc (hd->fp_read) != EOF)
- count++;
- if (opt_debug)
- log_debug ("http.c:proxy_connect: skipped %lu bytes of response-body\n",
- count);
- }
-
/* Reset state. */
es_clearerr (hd->fp_read);
((cookie_t)(hd->read_cookie))->up_to_empty_line = 1;
--
2.43.2
From 7c7cbd94549d08780fc3767d6de8336b3f44e7d7 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Fri, 16 Feb 2024 16:24:26 +0900
Subject: [PATCH 3/3] dirmngr: Fix keep-alive flag handling.
* dirmngr/http.c (run_proxy_connect): Set KEEP_ALIVE if not Basic
Authentication. Fix resource leak of FP_WRITE.
--
GnuPG-bug-id: 6997
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
dirmngr/http.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/dirmngr/http.c b/dirmngr/http.c
index 7ce01bacd..da0c89ae5 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -2553,7 +2553,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
* RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication
*/
auth_basic = !!proxy->uri->auth;
- hd->keep_alive = 0;
+ hd->keep_alive = !auth_basic; /* We may need to send more requests. */
/* For basic authentication we need to send just one request. */
if (auth_basic
@@ -2717,6 +2717,14 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
}
leave:
+ if (hd->keep_alive)
+ {
+ es_fclose (hd->fp_write);
+ hd->fp_write = NULL;
+ /* The close has released the cookie and thus we better set it
+ * to NULL. */
+ hd->write_cookie = NULL;
+ }
/* Restore flags, destroy stream, reset state. */
hd->flags = saved_flags;
es_fclose (hd->fp_read);
--
2.43.2

13
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gpg-agent-browser.socket vendored Normal file
View File

@ -0,0 +1,13 @@
[Unit]
Description=GnuPG cryptographic agent and passphrase cache (access for web browsers)
Documentation=man:gpg-agent(1)
[Socket]
ListenStream=%t/gnupg/S.gpg-agent.browser
FileDescriptorName=browser
Service=gpg-agent.service
SocketMode=0600
DirectoryMode=0700
[Install]
WantedBy=sockets.target

13
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gpg-agent-extra.socket vendored Normal file
View File

@ -0,0 +1,13 @@
[Unit]
Description=GnuPG cryptographic agent and passphrase cache (restricted)
Documentation=man:gpg-agent(1)
[Socket]
ListenStream=%t/gnupg/S.gpg-agent.extra
FileDescriptorName=extra
Service=gpg-agent.service
SocketMode=0600
DirectoryMode=0700
[Install]
WantedBy=sockets.target

13
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gpg-agent-ssh.socket vendored Normal file
View File

@ -0,0 +1,13 @@
[Unit]
Description=GnuPG cryptographic agent (ssh-agent emulation)
Documentation=man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1)
[Socket]
ListenStream=%t/gnupg/S.gpg-agent.ssh
FileDescriptorName=ssh
Service=gpg-agent.service
SocketMode=0600
DirectoryMode=0700
[Install]
WantedBy=sockets.target

8
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gpg-agent.service vendored Normal file
View File

@ -0,0 +1,8 @@
[Unit]
Description=GnuPG cryptographic agent and passphrase cache
Documentation=man:gpg-agent(1)
Requires=gpg-agent.socket
[Service]
ExecStart=/usr/bin/gpg-agent --supervised
ExecReload=/usr/bin/gpgconf --reload gpg-agent

12
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gpg-agent.socket vendored Normal file
View File

@ -0,0 +1,12 @@
[Unit]
Description=GnuPG cryptographic agent and passphrase cache
Documentation=man:gpg-agent(1)
[Socket]
ListenStream=%t/gnupg/S.gpg-agent
FileDescriptorName=std
SocketMode=0600
DirectoryMode=0700
[Install]
WantedBy=sockets.target

106
sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.35-r1.ebuild → sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.2.41.ebuild vendored
View File

@ -1,11 +1,17 @@
# Copyright 1999-2022 Gentoo Authors
# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
# Flatcar: use EAPI=7, until EAPI 8 could be fully supported
EAPI=7
EAPI=8
VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnupg.asc
inherit flag-o-matic systemd toolchain-funcs verify-sig
# Maintainers should:
# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
# (find the one for the current release then subscribe to it +
# any subsequent ones linked within so you're covered for a while.)
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig
MY_P="${P/_/-}"
@ -15,38 +21,42 @@ SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
S="${WORKDIR}/${MY_P}"
LICENSE="GPL-3"
LICENSE="GPL-3+"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server"
RESTRICT="!test? ( test )"
# Existence of executables is checked during configuration.
# Note: On each bump, update dep bounds on each version from configure.ac!
DEPEND=">=dev-libs/libassuan-2.5.0
DEPEND="
>=dev-libs/libassuan-2.5.0
>=dev-libs/libgcrypt-1.8.0:=
>=dev-libs/libgpg-error-1.29
>=dev-libs/libgpg-error-1.38
>=dev-libs/libksba-1.3.5
>=dev-libs/npth-1.2
>=net-misc/curl-7.10
sys-libs/zlib
bzip2? ( app-arch/bzip2 )
ldap? ( net-nds/openldap:= )
readline? ( sys-libs/readline:0= )
readline? ( sys-libs/readline:= )
smartcard? ( usb? ( virtual/libusb:1 ) )
ssl? ( >=net-libs/gnutls-3.0:0= )
tofu? ( >=dev-db/sqlite-3.7 )"
RDEPEND="${DEPEND}
ssl? ( >=net-libs/gnutls-3.0:= )
tofu? ( >=dev-db/sqlite-3.7 )
"
RDEPEND="
${DEPEND}
app-crypt/pinentry
nls? ( virtual/libintl )
selinux? ( sec-policy/selinux-gpg )
wks-server? ( virtual/mta )"
BDEPEND="virtual/pkgconfig
wks-server? ( virtual/mta )
"
BDEPEND="
virtual/pkgconfig
doc? ( sys-apps/texinfo )
nls? ( sys-devel/gettext )
verify-sig? ( sec-keys/openpgp-keys-gnupg )"
verify-sig? ( sec-keys/openpgp-keys-gnupg )
"
DOCS=(
ChangeLog NEWS README THANKS TODO VERSION
@ -55,11 +65,6 @@ DOCS=(
PATCHES=(
"${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
"${FILESDIR}"/${P}-status-messages-garbled.patch
# Flatcar: the patches below are added only for Flatcar, to address the
# upstream gnupg issue https://dev.gnupg.org/T4393.
"${FILESDIR}/${PN}-allow-import-of-previously-known-keys-even-without-UI.patch"
"${FILESDIR}/${PN}-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch"
)
src_prepare() {
@ -75,7 +80,10 @@ src_prepare() {
-i doc/examples/systemd-user/gpg-agent-ssh.socket || die
}
src_configure() {
my_src_configure() {
# Upstream don't support LTO, bug #854222.
filter-lto
local myconf=(
$(use_enable bzip2)
$(use_enable nls)
@ -88,7 +96,17 @@ src_configure() {
$(use_enable wks-server wks-tools)
$(use_with ldap)
$(use_with readline)
# Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
# As of GnuPG 2.3, the mailprog substitution is used for the binary called
# by wks-client & wks-server; and if it's autodetected but not not exist at
# build time, then then 'gpg-wks-client --send' functionality will not
# work. This has an unwanted side-effect in stage3 builds: there was a
# [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
# the build where the install guide previously make the user chose the
# logger & mta early in the install.
--with-mailprog=/usr/libexec/sendmail
--disable-ntbtls
--enable-gpg
--enable-gpgsm
@ -106,7 +124,7 @@ src_configure() {
if use prefix && use usb; then
# bug #649598
append-cppflags -I"${EPREFIX}/usr/include/libusb-1.0"
append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
fi
# bug #663142
@ -117,39 +135,27 @@ src_configure() {
# glib fails and picks up clang's internal stdint.h causing weird errors
tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
# Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
# As of GnuPG 2.3, the mailprog substitution is used for the binary called
# by wks-client & wks-server; and if it's autodetected but not not exist at
# build time, then then 'gpg-wks-client --send' functionality will not
# work. This has an unwanted side-effect in stage3 builds: there was a
# [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
# the build where the install guide previously make the user chose the
# logger & mta early in the install.
econf "${myconf[@]}"
}
src_compile() {
my_src_compile() {
default
use doc && emake -C doc html
}
src_test() {
# bug #638574
use tofu && export TESTFLAGS=--parallel
my_src_test() {
export TESTFLAGS="--parallel=$(makeopts_jobs)"
default
}
src_install() {
default
my_src_install() {
emake DESTDIR="${D}" install
use tools &&
dobin \
tools/{convert-from-106,gpg-check-pattern} \
tools/{gpg-zip,gpgconf,gpgsplit,lspgpot,mail-signed-keys} \
tools/make-dns-cert
use tools && dobin \
tools/{gpg-zip,gpgconf,gpgsplit,gpg-check-pattern} \
tools/make-dns-cert
dosym gpg /usr/bin/gpg2
dosym gpgv /usr/bin/gpgv2
@ -159,7 +165,15 @@ src_install() {
dodir /etc/env.d
echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
use doc && dodoc doc/gnupg.html/* doc/*.png
use doc && dodoc doc/gnupg.html/*
}
my_src_install_all() {
einstalldocs
use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
use doc && dodoc doc/*.png
systemd_douserunit doc/examples/systemd-user/*.{service,socket}
}

181
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.2.42-r1.ebuild vendored Normal file
View File

@ -0,0 +1,181 @@
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
# Maintainers should:
# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
# (find the one for the current release then subscribe to it +
# any subsequent ones linked within so you're covered for a while.)
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig
MY_P="${P/_/-}"
DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
HOMEPAGE="https://gnupg.org/"
SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
S="${WORKDIR}/${MY_P}"
LICENSE="GPL-3+"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server"
RESTRICT="!test? ( test )"
# Existence of executables is checked during configuration.
# Note: On each bump, update dep bounds on each version from configure.ac!
DEPEND="
>=dev-libs/libassuan-2.5.0
>=dev-libs/libgcrypt-1.8.0:=
>=dev-libs/libgpg-error-1.38
>=dev-libs/libksba-1.3.5
>=dev-libs/npth-1.2
>=net-misc/curl-7.10
sys-libs/zlib
bzip2? ( app-arch/bzip2 )
ldap? ( net-nds/openldap:= )
readline? ( sys-libs/readline:= )
smartcard? ( usb? ( virtual/libusb:1 ) )
ssl? ( >=net-libs/gnutls-3.0:= )
tofu? ( >=dev-db/sqlite-3.7 )
"
RDEPEND="
${DEPEND}
nls? ( virtual/libintl )
selinux? ( sec-policy/selinux-gpg )
wks-server? ( virtual/mta )
"
PDEPEND="
app-crypt/pinentry
"
BDEPEND="
virtual/pkgconfig
doc? ( sys-apps/texinfo )
nls? ( sys-devel/gettext )
verify-sig? ( sec-keys/openpgp-keys-gnupg )
"
DOCS=(
ChangeLog NEWS README THANKS TODO VERSION
doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
)
PATCHES=(
"${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
)
src_prepare() {
default
# Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
# idea borrowed from libdbus, see
# https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
#
# This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
# which in turn requires discovery in Autoconf, something that upstream deeply resents.
sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
-i doc/examples/systemd-user/gpg-agent-ssh.socket || die
}
my_src_configure() {
# Upstream don't support LTO, bug #854222.
filter-lto
local myconf=(
$(use_enable bzip2)
$(use_enable nls)
$(use_enable smartcard scdaemon)
$(use_enable ssl gnutls)
$(use_enable test all-tests)
$(use_enable test tests)
$(use_enable tofu)
$(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
$(use_enable wks-server wks-tools)
$(use_with ldap)
$(use_with readline)
# Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
# As of GnuPG 2.3, the mailprog substitution is used for the binary called
# by wks-client & wks-server; and if it's autodetected but not not exist at
# build time, then then 'gpg-wks-client --send' functionality will not
# work. This has an unwanted side-effect in stage3 builds: there was a
# [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
# the build where the install guide previously make the user chose the
# logger & mta early in the install.
--with-mailprog=/usr/libexec/sendmail
--disable-ntbtls
--enable-gpg
--enable-gpgsm
--enable-large-secmem
CC_FOR_BUILD="$(tc-getBUILD_CC)"
GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
$("${S}/configure" --help | grep -o -- '--without-.*-prefix')
)
if use prefix && use usb; then
# bug #649598
append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
fi
# bug #663142
if use user-socket; then
myconf+=( --enable-run-gnupg-user-socket )
fi
# glib fails and picks up clang's internal stdint.h causing weird errors
tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
econf "${myconf[@]}"
}
my_src_compile() {
default
use doc && emake -C doc html
}
my_src_test() {
export TESTFLAGS="--parallel=$(makeopts_jobs)"
default
}
my_src_install() {
emake DESTDIR="${D}" install
use tools && dobin \
tools/{gpg-zip,gpgconf,gpgsplit,gpg-check-pattern} \
tools/make-dns-cert
dosym gpg /usr/bin/gpg2
dosym gpgv /usr/bin/gpgv2
echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
dodir /etc/env.d
echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
use doc && dodoc doc/gnupg.html/*
}
my_src_install_all() {
einstalldocs
use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
use doc && dodoc doc/*.png
systemd_douserunit doc/examples/systemd-user/*.{service,socket}
}

182
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.2.42-r2.ebuild vendored Normal file
View File

@ -0,0 +1,182 @@
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
# Maintainers should:
# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
# (find the one for the current release then subscribe to it +
# any subsequent ones linked within so you're covered for a while.)
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig
MY_P="${P/_/-}"
DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
HOMEPAGE="https://gnupg.org/"
SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
S="${WORKDIR}/${MY_P}"
LICENSE="GPL-3+"
SLOT="0"
KEYWORDS="~alpha amd64 arm ~arm64 ~hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server"
RESTRICT="!test? ( test )"
# Existence of executables is checked during configuration.
# Note: On each bump, update dep bounds on each version from configure.ac!
DEPEND="
>=dev-libs/libassuan-2.5.0
>=dev-libs/libgcrypt-1.8.0:=
>=dev-libs/libgpg-error-1.38
>=dev-libs/libksba-1.3.5
>=dev-libs/npth-1.2
>=net-misc/curl-7.10
sys-libs/zlib
bzip2? ( app-arch/bzip2 )
ldap? ( net-nds/openldap:= )
readline? ( sys-libs/readline:= )
smartcard? ( usb? ( virtual/libusb:1 ) )
ssl? ( >=net-libs/gnutls-3.0:= )
tofu? ( >=dev-db/sqlite-3.7 )
"
RDEPEND="
${DEPEND}
nls? ( virtual/libintl )
selinux? ( sec-policy/selinux-gpg )
wks-server? ( virtual/mta )
"
PDEPEND="
app-crypt/pinentry
"
BDEPEND="
virtual/pkgconfig
doc? ( sys-apps/texinfo )
nls? ( sys-devel/gettext )
verify-sig? ( sec-keys/openpgp-keys-gnupg )
"
DOCS=(
ChangeLog NEWS README THANKS TODO VERSION
doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
)
PATCHES=(
"${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
"${FILESDIR}"/${PN}-2.2.42-bug923248-insecure-backup.patch
)
src_prepare() {
default
# Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
# idea borrowed from libdbus, see
# https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
#
# This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
# which in turn requires discovery in Autoconf, something that upstream deeply resents.
sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
-i doc/examples/systemd-user/gpg-agent-ssh.socket || die
}
my_src_configure() {
# Upstream don't support LTO, bug #854222.
filter-lto
local myconf=(
$(use_enable bzip2)
$(use_enable nls)
$(use_enable smartcard scdaemon)
$(use_enable ssl gnutls)
$(use_enable test all-tests)
$(use_enable test tests)
$(use_enable tofu)
$(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
$(use_enable wks-server wks-tools)
$(use_with ldap)
$(use_with readline)
# Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
# As of GnuPG 2.3, the mailprog substitution is used for the binary called
# by wks-client & wks-server; and if it's autodetected but not not exist at
# build time, then then 'gpg-wks-client --send' functionality will not
# work. This has an unwanted side-effect in stage3 builds: there was a
# [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
# the build where the install guide previously make the user chose the
# logger & mta early in the install.
--with-mailprog=/usr/libexec/sendmail
--disable-ntbtls
--enable-gpg
--enable-gpgsm
--enable-large-secmem
CC_FOR_BUILD="$(tc-getBUILD_CC)"
GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
$("${S}/configure" --help | grep -o -- '--without-.*-prefix')
)
if use prefix && use usb; then
# bug #649598
append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
fi
# bug #663142
if use user-socket; then
myconf+=( --enable-run-gnupg-user-socket )
fi
# glib fails and picks up clang's internal stdint.h causing weird errors
tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
econf "${myconf[@]}"
}
my_src_compile() {
default
use doc && emake -C doc html
}
my_src_test() {
export TESTFLAGS="--parallel=$(makeopts_jobs)"
default
}
my_src_install() {
emake DESTDIR="${D}" install
use tools && dobin \
tools/{gpg-zip,gpgconf,gpgsplit,gpg-check-pattern} \
tools/make-dns-cert
dosym gpg /usr/bin/gpg2
dosym gpgv /usr/bin/gpgv2
echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
dodir /etc/env.d
echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
use doc && dodoc doc/gnupg.html/*
}
my_src_install_all() {
einstalldocs
use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
use doc && dodoc doc/*.png
systemd_douserunit doc/examples/systemd-user/*.{service,socket}
}

198
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.4.3-r1.ebuild vendored Normal file
View File

@ -0,0 +1,198 @@
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
# Maintainers should:
# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
# (find the one for the current release then subscribe to it +
# any subsequent ones linked within so you're covered for a while.)
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig
MY_P="${P/_/-}"
DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
HOMEPAGE="https://gnupg.org/"
SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
S="${WORKDIR}/${MY_P}"
LICENSE="GPL-3+"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server"
RESTRICT="!test? ( test )"
REQUIRED_USE="test? ( tofu )"
# Existence of executables is checked during configuration.
# Note: On each bump, update dep bounds on each version from configure.ac!
DEPEND="
>=dev-libs/libassuan-2.5.0
>=dev-libs/libgcrypt-1.9.1:=
>=dev-libs/libgpg-error-1.46
>=dev-libs/libksba-1.6.3
>=dev-libs/npth-1.2
>=net-misc/curl-7.10
sys-libs/zlib
bzip2? ( app-arch/bzip2 )
ldap? ( net-nds/openldap:= )
readline? ( sys-libs/readline:0= )
smartcard? ( usb? ( virtual/libusb:1 ) )
tofu? ( >=dev-db/sqlite-3.27 )
tpm? ( >=app-crypt/tpm2-tss-2.4.0:= )
ssl? ( >=net-libs/gnutls-3.0:0= )
"
RDEPEND="
${DEPEND}
nls? ( virtual/libintl )
selinux? ( sec-policy/selinux-gpg )
wks-server? ( virtual/mta )
"
PDEPEND="
app-crypt/pinentry
"
BDEPEND="
virtual/pkgconfig
doc? ( sys-apps/texinfo )
nls? ( sys-devel/gettext )
verify-sig? ( sec-keys/openpgp-keys-gnupg )
"
DOCS=(
ChangeLog NEWS README THANKS TODO VERSION
doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
)
PATCHES=(
"${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
"${FILESDIR}"/${PN}-2.4.2-fix-emacs.patch
"${FILESDIR}"/${P}-no-ldap.patch
)
src_prepare() {
default
GNUPG_SYSTEMD_UNITS=(
dirmngr.service
dirmngr.socket
gpg-agent-browser.socket
gpg-agent-extra.socket
gpg-agent.service
gpg-agent.socket
gpg-agent-ssh.socket
)
cp "${GNUPG_SYSTEMD_UNITS[@]/#/${FILESDIR}/}" "${T}" || die
# Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
# idea borrowed from libdbus, see
# https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
#
# This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
# which in turn requires discovery in Autoconf, something that upstream deeply resents.
sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
-i "${T}"/gpg-agent-ssh.socket || die
}
my_src_configure() {
# Upstream don't support LTO, bug #854222.
filter-lto
local myconf=(
$(use_enable bzip2)
$(use_enable nls)
$(use_enable smartcard scdaemon)
$(use_enable ssl gnutls)
$(use_enable test all-tests)
$(use_enable test tests)
$(use_enable tofu)
$(use_enable tofu keyboxd)
$(use_enable tofu sqlite)
$(usex tpm '--with-tss=intel' '--disable-tpm2d')
$(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
$(use_enable wks-server wks-tools)
$(use_with ldap)
$(use_with readline)
# Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
# As of GnuPG 2.3, the mailprog substitution is used for the binary called
# by wks-client & wks-server; and if it's autodetected but not not exist at
# build time, then then 'gpg-wks-client --send' functionality will not
# work. This has an unwanted side-effect in stage3 builds: there was a
# [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
# the build where the install guide previously make the user chose the
# logger & mta early in the install.
--with-mailprog=/usr/libexec/sendmail
--disable-ntbtls
--enable-gpgsm
--enable-large-secmem
CC_FOR_BUILD="$(tc-getBUILD_CC)"
GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
$("${S}/configure" --help | grep -o -- '--without-.*-prefix')
)
if use prefix && use usb; then
# bug #649598
append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
fi
# bug #663142
if use user-socket; then
myconf+=( --enable-run-gnupg-user-socket )
fi
# glib fails and picks up clang's internal stdint.h causing weird errors
tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
econf "${myconf[@]}"
}
my_src_compile() {
default
use doc && emake -C doc html
}
my_src_test() {
export TESTFLAGS="--parallel=$(makeopts_jobs)"
default
}
my_src_install() {
emake DESTDIR="${D}" install
use tools && dobin tools/{gpgconf,gpgsplit,gpg-check-pattern} tools/make-dns-cert
dosym gpg /usr/bin/gpg2
dosym gpgv /usr/bin/gpgv2
echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
dodir /etc/env.d
echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
use doc && dodoc doc/gnupg.html/*
}
my_src_install_all() {
einstalldocs
use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
use doc && dodoc doc/*.png
# Dropped upstream in https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed.
dodoc "${FILESDIR}"/README-systemd
systemd_douserunit "${GNUPG_SYSTEMD_UNITS[@]/#/${T}/}"
}

197
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.4.4-r1.ebuild vendored Normal file
View File

@ -0,0 +1,197 @@
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
# Maintainers should:
# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
# (find the one for the current release then subscribe to it +
# any subsequent ones linked within so you're covered for a while.)
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig
MY_P="${P/_/-}"
DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
HOMEPAGE="https://gnupg.org/"
SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
S="${WORKDIR}/${MY_P}"
LICENSE="GPL-3+"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server"
RESTRICT="!test? ( test )"
REQUIRED_USE="test? ( tofu )"
# Existence of executables is checked during configuration.
# Note: On each bump, update dep bounds on each version from configure.ac!
DEPEND="
>=dev-libs/libassuan-2.5.0
>=dev-libs/libgcrypt-1.9.1:=
>=dev-libs/libgpg-error-1.46
>=dev-libs/libksba-1.6.3
>=dev-libs/npth-1.2
>=net-misc/curl-7.10
sys-libs/zlib
bzip2? ( app-arch/bzip2 )
ldap? ( net-nds/openldap:= )
readline? ( sys-libs/readline:0= )
smartcard? ( usb? ( virtual/libusb:1 ) )
tofu? ( >=dev-db/sqlite-3.27 )
tpm? ( >=app-crypt/tpm2-tss-2.4.0:= )
ssl? ( >=net-libs/gnutls-3.2:0= )
"
RDEPEND="
${DEPEND}
nls? ( virtual/libintl )
selinux? ( sec-policy/selinux-gpg )
wks-server? ( virtual/mta )
"
PDEPEND="
app-crypt/pinentry
"
BDEPEND="
virtual/pkgconfig
doc? ( sys-apps/texinfo )
nls? ( sys-devel/gettext )
verify-sig? ( sec-keys/openpgp-keys-gnupg )
"
DOCS=(
ChangeLog NEWS README THANKS TODO VERSION
doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
)
PATCHES=(
"${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
"${FILESDIR}"/${P}-dirmngr-proxy.patch #924606
)
src_prepare() {
default
GNUPG_SYSTEMD_UNITS=(
dirmngr.service
dirmngr.socket
gpg-agent-browser.socket
gpg-agent-extra.socket
gpg-agent.service
gpg-agent.socket
gpg-agent-ssh.socket
)
cp "${GNUPG_SYSTEMD_UNITS[@]/#/${FILESDIR}/}" "${T}" || die
# Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
# idea borrowed from libdbus, see
# https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
#
# This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
# which in turn requires discovery in Autoconf, something that upstream deeply resents.
sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
-i "${T}"/gpg-agent-ssh.socket || die
}
my_src_configure() {
# Upstream don't support LTO, bug #854222.
filter-lto
local myconf=(
$(use_enable bzip2)
$(use_enable nls)
$(use_enable smartcard scdaemon)
$(use_enable ssl gnutls)
$(use_enable test all-tests)
$(use_enable test tests)
$(use_enable tofu)
$(use_enable tofu keyboxd)
$(use_enable tofu sqlite)
$(usex tpm '--with-tss=intel' '--disable-tpm2d')
$(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
$(use_enable wks-server wks-tools)
$(use_with ldap)
$(use_with readline)
# Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
# As of GnuPG 2.3, the mailprog substitution is used for the binary called
# by wks-client & wks-server; and if it's autodetected but not not exist at
# build time, then then 'gpg-wks-client --send' functionality will not
# work. This has an unwanted side-effect in stage3 builds: there was a
# [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
# the build where the install guide previously make the user chose the
# logger & mta early in the install.
--with-mailprog=/usr/libexec/sendmail
--disable-ntbtls
--enable-gpgsm
--enable-large-secmem
CC_FOR_BUILD="$(tc-getBUILD_CC)"
GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
$("${S}/configure" --help | grep -o -- '--without-.*-prefix')
)
if use prefix && use usb; then
# bug #649598
append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
fi
# bug #663142
if use user-socket; then
myconf+=( --enable-run-gnupg-user-socket )
fi
# glib fails and picks up clang's internal stdint.h causing weird errors
tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
econf "${myconf[@]}"
}
my_src_compile() {
default
use doc && emake -C doc html
}
my_src_test() {
export TESTFLAGS="--parallel=$(makeopts_jobs)"
default
}
my_src_install() {
emake DESTDIR="${D}" install
use tools && dobin tools/{gpgconf,gpgsplit,gpg-check-pattern} tools/make-dns-cert
dosym gpg /usr/bin/gpg2
dosym gpgv /usr/bin/gpgv2
echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
dodir /etc/env.d
echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
use doc && dodoc doc/gnupg.html/*
}
my_src_install_all() {
einstalldocs
use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
use doc && dodoc doc/*.png
# Dropped upstream in https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed.
dodoc "${FILESDIR}"/README-systemd
systemd_douserunit "${GNUPG_SYSTEMD_UNITS[@]/#/${T}/}"
}

198
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.4.4.ebuild vendored Normal file
View File

@ -0,0 +1,198 @@
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
# Maintainers should:
# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
# (find the one for the current release then subscribe to it +
# any subsequent ones linked within so you're covered for a while.)
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig
MY_P="${P/_/-}"
DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
HOMEPAGE="https://gnupg.org/"
SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
S="${WORKDIR}/${MY_P}"
LICENSE="GPL-3+"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server"
RESTRICT="!test? ( test )"
REQUIRED_USE="test? ( tofu )"
# Existence of executables is checked during configuration.
# Note: On each bump, update dep bounds on each version from configure.ac!
DEPEND="
>=dev-libs/libassuan-2.5.0
>=dev-libs/libgcrypt-1.9.1:=
>=dev-libs/libgpg-error-1.46
>=dev-libs/libksba-1.6.3
>=dev-libs/npth-1.2
>=net-misc/curl-7.10
sys-libs/zlib
bzip2? ( app-arch/bzip2 )
ldap? ( net-nds/openldap:= )
readline? ( sys-libs/readline:0= )
smartcard? ( usb? ( virtual/libusb:1 ) )
tofu? ( >=dev-db/sqlite-3.27 )
tpm? ( >=app-crypt/tpm2-tss-2.4.0:= )
ssl? ( >=net-libs/gnutls-3.2:0= )
"
RDEPEND="
${DEPEND}
nls? ( virtual/libintl )
selinux? ( sec-policy/selinux-gpg )
wks-server? ( virtual/mta )
"
PDEPEND="
app-crypt/pinentry
"
BDEPEND="
virtual/pkgconfig
doc? ( sys-apps/texinfo )
nls? ( sys-devel/gettext )
verify-sig? ( sec-keys/openpgp-keys-gnupg )
"
DOCS=(
ChangeLog NEWS README THANKS TODO VERSION
doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
)
PATCHES=(
"${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
#"${FILESDIR}"/${PN}-2.4.2-fix-emacs.patch
#"${FILESDIR}"/${PN}-2.4.3-no-ldap.patch
)
src_prepare() {
default
GNUPG_SYSTEMD_UNITS=(
dirmngr.service
dirmngr.socket
gpg-agent-browser.socket
gpg-agent-extra.socket
gpg-agent.service
gpg-agent.socket
gpg-agent-ssh.socket
)
cp "${GNUPG_SYSTEMD_UNITS[@]/#/${FILESDIR}/}" "${T}" || die
# Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
# idea borrowed from libdbus, see
# https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
#
# This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
# which in turn requires discovery in Autoconf, something that upstream deeply resents.
sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
-i "${T}"/gpg-agent-ssh.socket || die
}
my_src_configure() {
# Upstream don't support LTO, bug #854222.
filter-lto
local myconf=(
$(use_enable bzip2)
$(use_enable nls)
$(use_enable smartcard scdaemon)
$(use_enable ssl gnutls)
$(use_enable test all-tests)
$(use_enable test tests)
$(use_enable tofu)
$(use_enable tofu keyboxd)
$(use_enable tofu sqlite)
$(usex tpm '--with-tss=intel' '--disable-tpm2d')
$(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
$(use_enable wks-server wks-tools)
$(use_with ldap)
$(use_with readline)
# Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
# As of GnuPG 2.3, the mailprog substitution is used for the binary called
# by wks-client & wks-server; and if it's autodetected but not not exist at
# build time, then then 'gpg-wks-client --send' functionality will not
# work. This has an unwanted side-effect in stage3 builds: there was a
# [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
# the build where the install guide previously make the user chose the
# logger & mta early in the install.
--with-mailprog=/usr/libexec/sendmail
--disable-ntbtls
--enable-gpgsm
--enable-large-secmem
CC_FOR_BUILD="$(tc-getBUILD_CC)"
GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
$("${S}/configure" --help | grep -o -- '--without-.*-prefix')
)
if use prefix && use usb; then
# bug #649598
append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
fi
# bug #663142
if use user-socket; then
myconf+=( --enable-run-gnupg-user-socket )
fi
# glib fails and picks up clang's internal stdint.h causing weird errors
tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
econf "${myconf[@]}"
}
my_src_compile() {
default
use doc && emake -C doc html
}
my_src_test() {
export TESTFLAGS="--parallel=$(makeopts_jobs)"
default
}
my_src_install() {
emake DESTDIR="${D}" install
use tools && dobin tools/{gpgconf,gpgsplit,gpg-check-pattern} tools/make-dns-cert
dosym gpg /usr/bin/gpg2
dosym gpgv /usr/bin/gpgv2
echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
dodir /etc/env.d
echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
use doc && dodoc doc/gnupg.html/*
}
my_src_install_all() {
einstalldocs
use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
use doc && dodoc doc/*.png
# Dropped upstream in https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed.
dodoc "${FILESDIR}"/README-systemd
systemd_douserunit "${GNUPG_SYSTEMD_UNITS[@]/#/${T}/}"
}

4
sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/metadata.xml → sdk_container/src/third_party/portage-stable/app-crypt/gnupg/metadata.xml vendored
View File

@ -1,10 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="person">
<email>zlogene@gentoo.org</email>
<name>Mikle Kolyada</name>
</maintainer>
<maintainer type="project">
<email>base-system@gentoo.org</email>
<name>Gentoo Base System</name>