From 0c0f91e48d4f0f92f0bc15caf6703732f4978e59 Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Mon, 27 Sep 2021 15:18:18 +0200 Subject: [PATCH 1/4] app-crypt/gnupg: update to 2.2.29 Update app-crypt/gnupg to 2.2.29. One of the key purposes for the update is to be able to use the new default keyserver `keyserver.ubuntu.com`, which is provided by default since 2.2.29. It is due to the shutdown of the SKS keyserver pools. See also https://bugs.gentoo.org/811828 . --- .../coreos-overlay/app-crypt/gnupg/Manifest | 6 +- ...th-a-good-revocation-but-no-self-sig.patch | 32 ------ ...reviously-known-keys-even-without-UI.patch | 106 ------------------ ...nupg-2.2.20.ebuild => gnupg-2.2.29.ebuild} | 79 +++++-------- .../app-crypt/gnupg/metadata.xml | 23 ++-- 5 files changed, 52 insertions(+), 194 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-allow-import-of-previously-known-keys-even-without-UI.patch rename sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/{gnupg-2.2.20.ebuild => gnupg-2.2.29.ebuild} (66%) diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/Manifest b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/Manifest index c7e6dd6cb8..e2a729dfe8 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/Manifest @@ -1 +1,5 @@ -DIST gnupg-2.2.20.tar.bz2 6786913 BLAKE2B 43cf9402a26e67d6c7c2444eb2faaee3f06ea0bf6c07708a50834c5d7424db2f9c38e1f0046dd3a35082abc08d401b2951655e7e068f0873db297560b87d2667 SHA512 3e69f102366ec3415f439ab81aae2458182fa1a18dfb86565b1d9dc638f3fc4c179a5947f0042b7c5a813345676285a662793664a1803ea9ad8328f0548e0edc +DIST gnupg-2.2.16-scdaemon_shared-access.patch 2586 BLAKE2B 42fd5482c4e86751ce62836125997c2295c44bc5db0671a06460fd306b2ed93f290fb898fc1b1e463a863eddf9ab5f99ea3c90a55499ef45ca1ed6edf2854663 SHA512 38abaa4200114ae6b6f220fabc0a84a056761949c97bd0564557f4411a299b9a1939893555c27e26da2d8e8da4bc97a298fa7e68f1e80fe99c3f88cc329eaa84 +DIST gnupg-2.2.27.tar.bz2 7191555 BLAKE2B d652aad382cf07cc458b29ff82718edd47457d8236dcbeee51f22d88503be141f009e9ea45b6dafe614115d9558fe371509579e58ce17a5f04540a31aa406ea3 SHA512 cf336962116c9c08ac80b1299654b94948033ef51d6d5e7f54c2f07bbf7d92c7b0bddb606ceee2cdd837063f519b8d59af5a82816b840a0fc47d90c07b0e95ab +DIST gnupg-2.2.29.tar.bz2 7215986 BLAKE2B 04b777730b8fcbe8d93dfc8985aadd6bc7385ac2ac9684e6248cb3ae6d008daae5aa976ffa3bae27fe9e89bc2c4c1d4ae81dcaa259fb08d13f894f00f12072e9 SHA512 12645e230fc6aa4811420ef33def6baa590e847ecdf7e5f8b96eb49122e6406cbdba4595d0b52fa26700d5d5def67acb4ed7dfe7f778e496d4d21ccbef3c476b +DIST gnupg-2.2.31.tar.bz2 7212188 BLAKE2B 57a2b6c6ea491137a708e18a0119502621b7bdf0591818d19beb8b08a521a7dbf60472243e1723f53acbfb9a5de612b8e5040c45dc847bdda26012244edb11be SHA512 2f6fa200e08d6b8993b482e5825bea6083afc8686c4e1ae80386b36ae49e1c2d73066c508edaa359a7794cb26ba7a00f81555a906fa422d1117e41415cfa2fea +DIST gnupg-2.3.2.tar.bz2 7589445 BLAKE2B f7e35ed553ea89cdb073abb1432f67fa00bb625f6e686e534f96bca11d88f09ea272b3cb0d6706e4bce2c023f8c5b8d628742aa2f60752a2e605132cd32f62ed SHA512 2747cbe38546f500d165f024ebb2dc5be70fa68d20702af3f61e97db685eba94caf65307293137c76ea6cfcc189ed24aaee025c80cd33f26609e5fe512bdda73 diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch deleted file mode 100644 index a6173968f5..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch +++ /dev/null @@ -1,32 +0,0 @@ -From: Vincent Breitmoser -Date: Thu, 13 Jun 2019 21:27:43 +0200 -Subject: gpg: accept subkeys with a good revocation but no self-sig during - import - -* g10/import.c (chk_self_sigs): Set the NODE_GOOD_SELFSIG flag when we -encounter a valid revocation signature. This allows import of subkey -revocation signatures, even in the absence of a corresponding subkey -binding signature. - --- - -This fixes the remaining test in import-incomplete.scm. - -GnuPG-Bug-id: 4393 -Signed-off-by: Daniel Kahn Gillmor ---- - g10/import.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/g10/import.c b/g10/import.c -index f9acf95..9217911 100644 ---- a/g10/import.c -+++ b/g10/import.c -@@ -3602,6 +3602,7 @@ chk_self_sigs (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, int *non_self) - /* It's valid, so is it newer? */ - if (sig->timestamp >= rsdate) - { -+ knode->flag |= NODE_GOOD_SELFSIG; /* Subkey is valid. */ - if (rsnode) - { - /* Delete the last revocation sig since diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-allow-import-of-previously-known-keys-even-without-UI.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-allow-import-of-previously-known-keys-even-without-UI.patch deleted file mode 100644 index 4b5690f955..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-allow-import-of-previously-known-keys-even-without-UI.patch +++ /dev/null @@ -1,106 +0,0 @@ -From: Vincent Breitmoser -Date: Thu, 13 Jun 2019 21:27:42 +0200 -Subject: gpg: allow import of previously known keys, even without UIDs - -* g10/import.c (import_one): Accept an incoming OpenPGP certificate that -has no user id, as long as we already have a local variant of the cert -that matches the primary key. - --- - -This fixes two of the three broken tests in import-incomplete.scm. - -GnuPG-Bug-id: 4393 -Signed-off-by: Daniel Kahn Gillmor ---- - g10/import.c | 44 +++++++++++--------------------------------- - 1 file changed, 11 insertions(+), 33 deletions(-) - -diff --git a/g10/import.c b/g10/import.c -index 5d3162c..f9acf95 100644 ---- a/g10/import.c -+++ b/g10/import.c -@@ -1788,7 +1788,6 @@ import_one_real (ctrl_t ctrl, - size_t an; - char pkstrbuf[PUBKEY_STRING_SIZE]; - int merge_keys_done = 0; -- int any_filter = 0; - KEYDB_HANDLE hd = NULL; - - if (r_valid) -@@ -1825,14 +1824,6 @@ import_one_real (ctrl_t ctrl, - log_printf ("\n"); - } - -- -- if (!uidnode ) -- { -- if (!silent) -- log_error( _("key %s: no user ID\n"), keystr_from_pk(pk)); -- return 0; -- } -- - if (screener && screener (keyblock, screener_arg)) - { - log_error (_("key %s: %s\n"), keystr_from_pk (pk), -@@ -1907,17 +1898,10 @@ import_one_real (ctrl_t ctrl, - } - } - -- if (!delete_inv_parts (ctrl, keyblock, keyid, options ) ) -- { -- if (!silent) -- { -- log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk)); -- if (!opt.quiet ) -- log_info(_("this may be caused by a missing self-signature\n")); -- } -- stats->no_user_id++; -- return 0; -- } -+ /* Delete invalid parts, and note if we have any valid ones left. -+ * We will later abort import if this key is new but contains -+ * no valid uids. */ -+ delete_inv_parts (ctrl, keyblock, keyid, options); - - /* Get rid of deleted nodes. */ - commit_kbnode (&keyblock); -@@ -1927,24 +1911,11 @@ import_one_real (ctrl_t ctrl, - { - apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid); - commit_kbnode (&keyblock); -- any_filter = 1; - } - if (import_filter.drop_sig) - { - apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig); - commit_kbnode (&keyblock); -- any_filter = 1; -- } -- -- /* If we ran any filter we need to check that at least one user id -- * is left in the keyring. Note that we do not use log_error in -- * this case. */ -- if (any_filter && !any_uid_left (keyblock)) -- { -- if (!opt.quiet ) -- log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk)); -- stats->no_user_id++; -- return 0; - } - - /* The keyblock is valid and ready for real import. */ -@@ -2002,6 +1973,13 @@ import_one_real (ctrl_t ctrl, - err = 0; - stats->skipped_new_keys++; - } -+ else if (err && !any_uid_left (keyblock)) -+ { -+ if (!silent) -+ log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid)); -+ err = 0; -+ stats->no_user_id++; -+ } - else if (err) /* Insert this key. */ - { - /* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY. */ diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.20.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.29.ebuild similarity index 66% rename from sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.20.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.29.ebuild index d13716c7de..5a864898ea 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.20.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.29.ebuild @@ -1,7 +1,7 @@ -# Copyright 1999-2020 Gentoo Authors +# Copyright 1999-2021 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=7 +EAPI=8 inherit flag-o-matic systemd toolchain-funcs @@ -13,14 +13,13 @@ SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2" LICENSE="GPL-3" SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl tofu tools usb user-socket wks-server" # Existence of executables is checked during configuration. -DEPEND="!app-crypt/dirmngr - >=dev-libs/libassuan-2.5.0 - >=dev-libs/libgcrypt-1.7.3 - >=dev-libs/libgpg-error-1.28 +DEPEND=">=dev-libs/libassuan-2.5.0 + >=dev-libs/libgcrypt-1.8.0 + >=dev-libs/libgpg-error-1.29 >=dev-libs/libksba-1.3.4 >=dev-libs/npth-1.2 >=net-misc/curl-7.10 @@ -51,10 +50,6 @@ DOCS=( PATCHES=( "${FILESDIR}/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch" - # Flatcar: the patches below are added only for Flatcar, to address the - # upstream gnupg issue https://dev.gnupg.org/T4393. - "${FILESDIR}/${PN}-allow-import-of-previously-known-keys-even-without-UI.patch" - "${FILESDIR}/${PN}-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch" ) src_prepare() { @@ -71,19 +66,36 @@ src_prepare() { } src_configure() { - local myconf=() + local myconf=( + $(use_enable bzip2) + $(use_enable nls) + $(use_enable smartcard scdaemon) + $(use_enable ssl gnutls) + $(use_enable tofu) + $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver') + $(use_enable wks-server wks-tools) + $(use_with ldap) + $(use_with readline) + --with-mailprog=/usr/libexec/sendmail + --disable-ntbtls + --enable-all-tests + --enable-gpg + --enable-gpgsm + --enable-large-secmem + CC_FOR_BUILD="$(tc-getBUILD_CC)" + GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config" + KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config" + LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config" + LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config" + NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config" + $("${S}/configure" --help | grep -o -- '--without-.*-prefix') + ) if use prefix && use usb; then # bug #649598 append-cppflags -I"${EPREFIX}/usr/include/libusb-1.0" fi - if use elibc_SunOS || use elibc_AIX; then - myconf+=( --disable-symcryptrun ) - else - myconf+=( --enable-symcryptrun ) - fi - #bug 663142 if use user-socket; then myconf+=( --enable-run-gnupg-user-socket ) @@ -102,30 +114,7 @@ src_configure() { # the build where the install guide previously make the user chose the # logger & mta early in the install. - econf \ - "${myconf[@]}" \ - $(use_enable bzip2) \ - $(use_enable nls) \ - $(use_enable smartcard scdaemon) \ - $(use_enable ssl gnutls) \ - $(use_enable tofu) \ - $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver') \ - $(use_enable wks-server wks-tools) \ - $(use_with ldap) \ - $(use_with readline) \ - --with-mailprog=/usr/libexec/sendmail \ - --disable-ntbtls \ - --enable-all-tests \ - --enable-gpg \ - --enable-gpgsm \ - --enable-large-secmem \ - CC_FOR_BUILD="$(tc-getBUILD_CC)" \ - GPG_ERROR_CONFIG="${EROOT}/usr/bin/${CHOST}-gpg-error-config" \ - KSBA_CONFIG="${EROOT}/usr/bin/ksba-config" \ - LIBASSUAN_CONFIG="${EROOT}/usr/bin/libassuan-config" \ - LIBGCRYPT_CONFIG="${EROOT}/usr/bin/${CHOST}-libgcrypt-config" \ - NPTH_CONFIG="${EROOT}/usr/bin/npth-config" \ - $("${S}/configure" --help | grep -- '--without-.*-prefix' | sed -e 's/^ *\([^ ]*\) .*/\1/g') + econf "${myconf[@]}" } src_compile() { @@ -161,9 +150,3 @@ src_install() { systemd_douserunit doc/examples/systemd-user/*.{service,socket} } - -pkg_postinst() { - elog "See https://wiki.gentoo.org/wiki/GnuPG for documentation on gnupg" - elog - elog "If you wish to use 'gpg-wks-client --send', you must install an MTA!" -} diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/metadata.xml index eac23b93cc..f6fc64ff0b 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/metadata.xml @@ -1,15 +1,24 @@ - + - k_f@gentoo.org - Kristian Fiskerstrand + zlogene@gentoo.org + Mikle Kolyada + + + polynomial-c@gentoo.org + Lars Wendler + + + base-system@gentoo.org + Gentoo Base System - - GnuPG is a complete and free implementation of the OpenPGP standard as - defined by RFC4880. - + + Allow concurrent access to scdaemon by multiple apps from same + user. Useful if you want to use scdaemon with gnupg and for + example NitroKey. + Build scdaemon software. Enables usage of OpenPGP cards. For other type of smartcards, try app-crypt/gnupg-pkcs11-scd. From 8617b30cb63a31d3a923d5416ddab2381461a236 Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Tue, 26 May 2020 10:04:30 +0200 Subject: [PATCH 2/4] app-crypt/gnupg: add patches for accepting without UIDs When the GnuPG keyserver is set to `keys.openpgp.org`, `gpg --recv-keys` occasionally fails with the following error: ``` gpg: key E52F0DB391453C45: no user ID ``` We need to make GnuPG accept keys even without UIDs. Original patches come from https://salsa.debian.org/debian/gnupg2/tree/f292beac1171c6c77faf41d1f88c2e0942ed4437/debian/patches/import-merge-without-userid . See also https://dev.gnupg.org/T4393 . Based on commit 3d9a9c9c3654c6b8c073e306636bf8dc64cfb657 . --- ...th-a-good-revocation-but-no-self-sig.patch | 32 ++++++ ...reviously-known-keys-even-without-UI.patch | 106 ++++++++++++++++++ .../app-crypt/gnupg/gnupg-2.2.29.ebuild | 4 + 3 files changed, 142 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-allow-import-of-previously-known-keys-even-without-UI.patch diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch new file mode 100644 index 0000000000..a6173968f5 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch @@ -0,0 +1,32 @@ +From: Vincent Breitmoser +Date: Thu, 13 Jun 2019 21:27:43 +0200 +Subject: gpg: accept subkeys with a good revocation but no self-sig during + import + +* g10/import.c (chk_self_sigs): Set the NODE_GOOD_SELFSIG flag when we +encounter a valid revocation signature. This allows import of subkey +revocation signatures, even in the absence of a corresponding subkey +binding signature. + +-- + +This fixes the remaining test in import-incomplete.scm. + +GnuPG-Bug-id: 4393 +Signed-off-by: Daniel Kahn Gillmor +--- + g10/import.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/g10/import.c b/g10/import.c +index f9acf95..9217911 100644 +--- a/g10/import.c ++++ b/g10/import.c +@@ -3602,6 +3602,7 @@ chk_self_sigs (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, int *non_self) + /* It's valid, so is it newer? */ + if (sig->timestamp >= rsdate) + { ++ knode->flag |= NODE_GOOD_SELFSIG; /* Subkey is valid. */ + if (rsnode) + { + /* Delete the last revocation sig since diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-allow-import-of-previously-known-keys-even-without-UI.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-allow-import-of-previously-known-keys-even-without-UI.patch new file mode 100644 index 0000000000..4b5690f955 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-allow-import-of-previously-known-keys-even-without-UI.patch @@ -0,0 +1,106 @@ +From: Vincent Breitmoser +Date: Thu, 13 Jun 2019 21:27:42 +0200 +Subject: gpg: allow import of previously known keys, even without UIDs + +* g10/import.c (import_one): Accept an incoming OpenPGP certificate that +has no user id, as long as we already have a local variant of the cert +that matches the primary key. + +-- + +This fixes two of the three broken tests in import-incomplete.scm. + +GnuPG-Bug-id: 4393 +Signed-off-by: Daniel Kahn Gillmor +--- + g10/import.c | 44 +++++++++++--------------------------------- + 1 file changed, 11 insertions(+), 33 deletions(-) + +diff --git a/g10/import.c b/g10/import.c +index 5d3162c..f9acf95 100644 +--- a/g10/import.c ++++ b/g10/import.c +@@ -1788,7 +1788,6 @@ import_one_real (ctrl_t ctrl, + size_t an; + char pkstrbuf[PUBKEY_STRING_SIZE]; + int merge_keys_done = 0; +- int any_filter = 0; + KEYDB_HANDLE hd = NULL; + + if (r_valid) +@@ -1825,14 +1824,6 @@ import_one_real (ctrl_t ctrl, + log_printf ("\n"); + } + +- +- if (!uidnode ) +- { +- if (!silent) +- log_error( _("key %s: no user ID\n"), keystr_from_pk(pk)); +- return 0; +- } +- + if (screener && screener (keyblock, screener_arg)) + { + log_error (_("key %s: %s\n"), keystr_from_pk (pk), +@@ -1907,17 +1898,10 @@ import_one_real (ctrl_t ctrl, + } + } + +- if (!delete_inv_parts (ctrl, keyblock, keyid, options ) ) +- { +- if (!silent) +- { +- log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk)); +- if (!opt.quiet ) +- log_info(_("this may be caused by a missing self-signature\n")); +- } +- stats->no_user_id++; +- return 0; +- } ++ /* Delete invalid parts, and note if we have any valid ones left. ++ * We will later abort import if this key is new but contains ++ * no valid uids. */ ++ delete_inv_parts (ctrl, keyblock, keyid, options); + + /* Get rid of deleted nodes. */ + commit_kbnode (&keyblock); +@@ -1927,24 +1911,11 @@ import_one_real (ctrl_t ctrl, + { + apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid); + commit_kbnode (&keyblock); +- any_filter = 1; + } + if (import_filter.drop_sig) + { + apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig); + commit_kbnode (&keyblock); +- any_filter = 1; +- } +- +- /* If we ran any filter we need to check that at least one user id +- * is left in the keyring. Note that we do not use log_error in +- * this case. */ +- if (any_filter && !any_uid_left (keyblock)) +- { +- if (!opt.quiet ) +- log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk)); +- stats->no_user_id++; +- return 0; + } + + /* The keyblock is valid and ready for real import. */ +@@ -2002,6 +1973,13 @@ import_one_real (ctrl_t ctrl, + err = 0; + stats->skipped_new_keys++; + } ++ else if (err && !any_uid_left (keyblock)) ++ { ++ if (!silent) ++ log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid)); ++ err = 0; ++ stats->no_user_id++; ++ } + else if (err) /* Insert this key. */ + { + /* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY. */ diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.29.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.29.ebuild index 5a864898ea..adb00c17c7 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.29.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.29.ebuild @@ -50,6 +50,10 @@ DOCS=( PATCHES=( "${FILESDIR}/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch" + # Flatcar: the patches below are added only for Flatcar, to address the + # upstream gnupg issue https://dev.gnupg.org/T4393. + "${FILESDIR}/${PN}-allow-import-of-previously-known-keys-even-without-UI.patch" + "${FILESDIR}/${PN}-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch" ) src_prepare() { From 4ab9a38e021489078820f6aa9ec849ff7476c707 Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Mon, 27 Sep 2021 15:26:36 +0200 Subject: [PATCH 3/4] app-crypt/gnupg: use EAPI=7 We should stay with EAPI=7, until EAPI 8 could be fully supported by the Flatcar code base. --- .../coreos-overlay/app-crypt/gnupg/gnupg-2.2.29.ebuild | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.29.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.29.ebuild index adb00c17c7..c7231c63b2 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.29.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.29.ebuild @@ -1,7 +1,8 @@ # Copyright 1999-2021 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=8 +# Flatcar: use EAPI=7, until EAPI 8 could be fully supported +EAPI=7 inherit flag-o-matic systemd toolchain-funcs From 20449e0f4de5112fec38062a57be44c4537ba5c7 Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Mon, 27 Sep 2021 15:23:57 +0200 Subject: [PATCH 4/4] profiles: delete app-crypt/gnupg from accept_keywords Since app-crypt/gnupg is already stablilized for both amd64 and arm64, we do not need gnupg in accept_keywords. --- .../coreos-overlay/profiles/coreos/base/package.accept_keywords | 1 - 1 file changed, 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index 4245eaec68..1b9cd96419 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -52,7 +52,6 @@ dev-util/checkbashisms =cross-x86_64-cros-linux-gnu/gcc-9.3.0-r1 ~amd64 # Force upgrades to work around catalyst problems while upgrading ncurses. -=app-crypt/gnupg-2.2.20 ~amd64 ~arm64 =sys-apps/gptfdisk-1.0.3 ~amd64 ~arm64 =sys-apps/util-linux-2.32 ~amd64 ~arm64