mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-12 15:36:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

app-crypt/gnupg: Sync with Gentoo

Browse Source 
It's from Gentoo commit 4edce3e2fe55d1f54143fc2596ffb589caab377d.
This commit is contained in:
Flatcar Buildbot 2025-01-27 07:04:42 +00:00 committed by Krzesimir Nowak
parent 153dbd9348
commit 8f36916805
10 changed files with 4 additions and 1251 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/Manifest vendored
View File

@ -1,11 +1,5 @@
DIST gnupg-2.2.42.tar.bz2 7434291 BLAKE2B 5f7f01f31949e5258d638fbff81fa641e5c167e6eaf32c55eb187d4a31b31cd4fe6e51c622e74d8544c4f95c75484e15117f26a8cf26055ff6813d75e54f2b8a SHA512 9c59d034f428d42323b5520e1a8984acc1505ba1d96d90f00e17b24aa91660b2dc64e1a3ceb044c56f39b4c402a77c7e0b226c65218c23c094781b4ef51e2eb5
DIST gnupg-2.2.42.tar.bz2.sig 238 BLAKE2B 251ad0a832042ceb93b0edfda8652104bfb463e291322f22f0ab0d9b35606c3589be7a6f3e9e2aac8f6ac368a7d11840ab83b29997587dc65685de9f2dec3fee SHA512 7073bfc920c571680a1de57b4e6cd83cde24ccb3b5f592602b0c32fd762eef497027b08745044c9f41130ca99bb7ec77222568c2d0a1099d3c1c15137e0221d7
DIST gnupg-2.2.43.tar.bz2 7435426 BLAKE2B ddf5c89d317e6ce8d1a5348f0ef81ffa1c61c995ddb312b28410f04502b01eae307cd943bee7182d28d4efccac394c91053f8e33756b00166bf66b2bf4a791a7 SHA512 0d2e733b6659c116c043db5252de4de33d6a70c16172d1fe9b779ba413ba9fcb64bbfdcc4686d0e87904561fc62d1aa765144e0586957a500287c175ee37bd49
DIST gnupg-2.2.43.tar.bz2.sig 119 BLAKE2B 38fd3790f5065d67d6b5323ef7abbb79facf00e5b9daba98e5078302fc3887423173ba434c7eff1e64faecef88d87aab9c057c570d6e96e8d0808f07f32d8fa1 SHA512 47c5354869b1825e56fa4276826fcde1ee41c70aab9b411686cf2733f4d1df9c006049e49e066b22e475bd37b337f9ffc97f8bbca0c62c0f32296909464a0643
DIST gnupg-2.2.45.tar.bz2 7447141 BLAKE2B 8fe2036325e31332166c0477ce9514152c8417a9f61b3edc43487340d5b52e6a4d4c2b104ca9fe7ce6893e6d2977e2cd9c9ccfb52c0b1ea18dae3304ec6ec7f3 SHA512 086bb2a96ff4a681451b357495c8b435229e6526e1121d8faee3cb2ecc9c14965c92c9b1ccbbf3a03f6c59c215cca85a5c4f740f2df7c008a9fa672b370bf33c
DIST gnupg-2.2.45.tar.bz2.sig 119 BLAKE2B 6656747b2d640a95c4172a221952fa75f7d03c231b7c6d40ea57b43a5bcfbceb800023ca2f352ca09325aaf186a7bf31fcfe7104129c5d6628f0e1256994df76 SHA512 181195a76eede8113bd8f2a7f5bc20674226f6327cf8263389e3d178c205ed2d817b28f2d3b504dd9f852f22fc283d2c14e809ba1c05cfe88b66103845ff114c
DIST gnupg-2.4.5.tar.bz2 7889060 BLAKE2B a8b80cd4dfbb377066efb5c9f1b6cdc6d0cd1b18358c962781b5c06de1545117b13038a4655ae627c36bfd2e5fee127692df8729d6b23e1b31051ab6d897b733 SHA512 4d54744f09399c5899144d0cb5fdc2756e45b058db41b9ea9df3be03e80b914509e16ef35aa0248e7561185b80f7a5f9fd6afcab8ccff75ff82ed555448a38ff
DIST gnupg-2.4.5.tar.bz2.sig 238 BLAKE2B b236e7d62f49c8385f4fb81389bf10715d9c0a0cb5c0b4c20fb6ff1465d05a3c3657061284db23af988a1ca16c9fa393af3ce5cbd27934501eb41a4f448fff0a SHA512 5a06970e499d1eb5213b142a8a182e46f5f21b7cb32785a9e5069378797c124e151ce74727382003820042d60fd7a2f909143f44aa9ef282605875e1cab04aef
DIST gnupg-2.4.6.tar.bz2 8011304 BLAKE2B 3b0deb3da1ec404e8f0aa50c424c7072727f933228de732d661a17ca15785b7430700e7b88afba69538f9794863cb218c90ae3d43469541fb9152fbabd3bc909 SHA512 192ae6cb18547e9c5fc4263dc968b548c1ce563ceb8cc2e651b264d4e5afa1cd99a2c1cdd80906faf5e0b0ca99cef76e003b1f7e73238f311a74a1de6c35b5cb
DIST gnupg-2.4.6.tar.bz2.sig 119 BLAKE2B f22b9488a46e585eaa4ed6434c37603756de2a0136a6e8a44d974304d31299f64dee5065a0c1f8ed6aff24555e369ffa213558027698a7e7b2244cef7c9eff76 SHA512 699f99d5aedbb1adef0fc46fbfb4184996ebaeb08e3c5a4d64195cd14e628a17a234ff9d990ad63c32119cbab24bcba802590eaf69f030a0a0addf9928172221
DIST gnupg-2.4.7.tar.bz2 8010244 BLAKE2B 4cdc6be4330b0c8f150d9d1a9ce9c7d34232ecf9b980b15fbd20e96ff6fcd8665688456d66f1c862b816472034eaa0796444357b1f36e75e8520a603a0e6b298 SHA512 3e84f1679904bf0efb789df6466e468bd2be9149d52561f35e2380038133479bebf1c61ee7adf6d3564b370915f32111098c052be6e6acaf3083a807f9f36019

292
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gnupg-2.2.42-bug923248-insecure-backup.patch vendored
View File

@ -1,292 +0,0 @@
https://bugs.gentoo.org/923248
https://dev.gnupg.org/T6944
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=3b69d8bf7146b8d10737d0cfea9c97affc60ad73
From 3b69d8bf7146b8d10737d0cfea9c97affc60ad73 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Wed, 24 Jan 2024 11:29:24 +0100
Subject: [PATCH] gpg: Fix leftover unprotected card backup key.
* agent/command.c (cmd_learn): Add option --reallyforce.
* agent/findkey.c (agent_write_private_key): Implement reallyforce.
Also add arg reallyforce and pass it along the call chain.
* g10/call-agent.c (agent_scd_learn): Pass --reallyforce with a
special force value.
* g10/keygen.c (card_store_key_with_backup): Use that force value.
--
This was a regression in 2.2.42. We took the easy path to fix it by
getting the behaviour back to what we did prior to 2.2.42. With GnuPG
2.4.4 we use an entire different and safer approach by introducing an
ephemeral private key store.
GnuPG-bug-id: 6944
--- a/agent/agent.h
+++ b/agent/agent.h
@@ -422,7 +422,8 @@ void start_command_handler_ssh (ctrl_t, gnupg_fd_t);
gpg_error_t agent_modify_description (const char *in, const char *comment,
const gcry_sexp_t key, char **result);
int agent_write_private_key (const unsigned char *grip,
- const void *buffer, size_t length, int force,
+ const void *buffer, size_t length,
+ int force, int reallyforce,
const char *serialno, const char *keyref,
const char *dispserialno, time_t timestamp);
gpg_error_t agent_key_from_file (ctrl_t ctrl,
@@ -548,6 +549,7 @@ gpg_error_t s2k_hash_passphrase (const char *passphrase, int hashalgo,
gpg_error_t agent_write_shadow_key (const unsigned char *grip,
const char *serialno, const char *keyid,
const unsigned char *pkbuf, int force,
+ int reallyforce,
const char *dispserialno);
@@ -628,7 +630,8 @@ void agent_card_killscd (void);
/*-- learncard.c --*/
-int agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, int force);
+int agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context,
+ int force, int reallyforce);
/*-- cvt-openpgp.c --*/
--- a/agent/command-ssh.c
+++ b/agent/command-ssh.c
@@ -2499,7 +2499,7 @@ card_key_available (ctrl_t ctrl, gcry_sexp_t *r_pk, char **cardsn)
/* (Shadow)-key is not available in our key storage. */
agent_card_getattr (ctrl, "$DISPSERIALNO", &dispserialno);
- err = agent_write_shadow_key (grip, serialno, authkeyid, pkbuf, 0,
+ err = agent_write_shadow_key (grip, serialno, authkeyid, pkbuf, 0, 0,
dispserialno);
xfree (dispserialno);
if (err)
@@ -3159,7 +3159,7 @@ ssh_identity_register (ctrl_t ctrl, ssh_key_type_spec_t *spec,
/* Store this key to our key storage. We do not store a creation
* timestamp because we simply do not know. */
- err = agent_write_private_key (key_grip_raw, buffer, buffer_n, 0,
+ err = agent_write_private_key (key_grip_raw, buffer, buffer_n, 0, 0,
NULL, NULL, NULL, 0);
if (err)
goto out;
--- a/agent/command.c
+++ b/agent/command.c
@@ -1042,7 +1042,7 @@ cmd_readkey (assuan_context_t ctx, char *line)
/* Shadow-key is or is not available in our key storage. In
* any case we need to check whether we need to update with
* a new display-s/n or whatever. */
- rc = agent_write_shadow_key (grip, serialno, keyid, pkbuf, 0,
+ rc = agent_write_shadow_key (grip, serialno, keyid, pkbuf, 0, 0,
dispserialno);
if (rc)
goto leave;
@@ -1855,16 +1855,18 @@ cmd_learn (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
gpg_error_t err;
- int send, sendinfo, force;
+ int send, sendinfo, force, reallyforce;
send = has_option (line, "--send");
sendinfo = send? 1 : has_option (line, "--sendinfo");
force = has_option (line, "--force");
+ reallyforce = has_option (line, "--reallyforce");
if (ctrl->restricted)
return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));
- err = agent_handle_learn (ctrl, send, sendinfo? ctx : NULL, force);
+ err = agent_handle_learn (ctrl, send, sendinfo? ctx : NULL,
+ force, reallyforce);
return leave_cmd (ctx, err);
}
@@ -2427,11 +2429,11 @@ cmd_import_key (assuan_context_t ctx, char *line)
err = agent_protect (key, passphrase, &finalkey, &finalkeylen,
ctrl->s2k_count);
if (!err)
- err = agent_write_private_key (grip, finalkey, finalkeylen, force,
+ err = agent_write_private_key (grip, finalkey, finalkeylen, force, 0,
NULL, NULL, NULL, opt_timestamp);
}
else
- err = agent_write_private_key (grip, key, realkeylen, force,
+ err = agent_write_private_key (grip, key, realkeylen, force, 0,
NULL, NULL, NULL, opt_timestamp);
leave:
--- a/agent/cvt-openpgp.c
+++ b/agent/cvt-openpgp.c
@@ -1070,7 +1070,7 @@ convert_from_openpgp_native (ctrl_t ctrl,
&protectedkey, &protectedkeylen,
ctrl->s2k_count))
agent_write_private_key (grip, protectedkey, protectedkeylen,
- 1/*force*/, NULL, NULL, NULL, 0);
+ 1/*force*/, 0, NULL, NULL, NULL, 0);
xfree (protectedkey);
}
else
@@ -1079,7 +1079,7 @@ convert_from_openpgp_native (ctrl_t ctrl,
agent_write_private_key (grip,
*r_key,
gcry_sexp_canon_len (*r_key, 0, NULL,NULL),
- 1/*force*/, NULL, NULL, NULL, 0);
+ 1/*force*/, 0, NULL, NULL, NULL, 0);
}
}
--- a/agent/findkey.c
+++ b/agent/findkey.c
@@ -82,7 +82,8 @@ fname_from_keygrip (const unsigned char *grip, int for_new)
* recorded as creation date. */
int
agent_write_private_key (const unsigned char *grip,
- const void *buffer, size_t length, int force,
+ const void *buffer, size_t length,
+ int force, int reallyforce,
const char *serialno, const char *keyref,
const char *dispserialno,
time_t timestamp)
@@ -165,10 +166,13 @@ agent_write_private_key (const unsigned char *grip,
/* Check that we do not update a regular key with a shadow key. */
if (is_regular && gpg_err_code (is_shadowed_key (key)) == GPG_ERR_TRUE)
{
- log_info ("updating regular key file '%s'"
- " by a shadow key inhibited\n", oldfname);
- err = 0; /* Simply ignore the error. */
- goto leave;
+ if (!reallyforce)
+ {
+ log_info ("updating regular key file '%s'"
+ " by a shadow key inhibited\n", oldfname);
+ err = 0; /* Simply ignore the error. */
+ goto leave;
+ }
}
/* Check that we update a regular key only in force mode. */
if (is_regular && !force)
@@ -1704,12 +1708,13 @@ agent_delete_key (ctrl_t ctrl, const char *desc_text,
* Shadow key is created by an S-expression public key in PKBUF and
* card's SERIALNO and the IDSTRING. With FORCE passed as true an
* existing key with the given GRIP will get overwritten. If
- * DISPSERIALNO is not NULL the human readable s/n will also be
- * recorded in the key file. */
+ * REALLYFORCE is also true, even a private key will be overwritten by
+ * a shadown key. If DISPSERIALNO is not NULL the human readable s/n
+ * will also be recorded in the key file. */
gpg_error_t
agent_write_shadow_key (const unsigned char *grip,
const char *serialno, const char *keyid,
- const unsigned char *pkbuf, int force,
+ const unsigned char *pkbuf, int force, int reallyforce,
const char *dispserialno)
{
gpg_error_t err;
@@ -1737,7 +1742,7 @@ agent_write_shadow_key (const unsigned char *grip,
}
len = gcry_sexp_canon_len (shdkey, 0, NULL, NULL);
- err = agent_write_private_key (grip, shdkey, len, force,
+ err = agent_write_private_key (grip, shdkey, len, force, reallyforce,
serialno, keyid, dispserialno, 0);
xfree (shdkey);
if (err)
--- a/agent/genkey.c
+++ b/agent/genkey.c
@@ -69,7 +69,7 @@ store_key (gcry_sexp_t private, const char *passphrase, int force,
buf = p;
}
- rc = agent_write_private_key (grip, buf, len, force,
+ rc = agent_write_private_key (grip, buf, len, force, 0,
NULL, NULL, NULL, timestamp);
xfree (buf);
return rc;
--- a/agent/learncard.c
+++ b/agent/learncard.c
@@ -297,9 +297,12 @@ send_cert_back (ctrl_t ctrl, const char *id, void *assuan_context)
}
/* Perform the learn operation. If ASSUAN_CONTEXT is not NULL and
- SEND is true all new certificates are send back via Assuan. */
+ SEND is true all new certificates are send back via Assuan. If
+ REALLYFORCE is true a private key will be overwritten by a stub
+ key. */
int
-agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, int force)
+agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context,
+ int force, int reallyforce)
{
int rc;
struct kpinfo_cb_parm_s parm;
@@ -414,7 +417,7 @@ agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, int force)
agent_card_getattr (ctrl, "$DISPSERIALNO", &dispserialno);
rc = agent_write_shadow_key (grip, serialno, item->id, pubkey,
- force, dispserialno);
+ force, reallyforce, dispserialno);
xfree (dispserialno);
}
xfree (pubkey);
--- a/agent/protect-tool.c
+++ b/agent/protect-tool.c
@@ -807,13 +807,15 @@ agent_askpin (ctrl_t ctrl,
* to stdout. */
int
agent_write_private_key (const unsigned char *grip,
- const void *buffer, size_t length, int force,
+ const void *buffer, size_t length,
+ int force, int reallyforce,
const char *serialno, const char *keyref,
const char *dispserialno, time_t timestamp)
{
char hexgrip[40+4+1];
char *p;
+ (void)reallyforce;
(void)force;
(void)timestamp;
(void)serialno;
--- a/g10/call-agent.c
+++ b/g10/call-agent.c
@@ -745,6 +745,11 @@ learn_status_cb (void *opaque, const char *line)
* card-util.c
* keyedit_menu
* card_store_key_with_backup (Woth force to remove secret key data)
+ *
+ * If force has the value 2 the --reallyforce option is also used.
+ * This is to make sure the sshadow key overwrites the private key.
+ * Note that this option is gnupg 2.2 specific because since 2.4.4 an
+ * ephemeral private key store is used instead.
*/
int
agent_scd_learn (struct agent_card_info_s *info, int force)
@@ -764,6 +769,7 @@ agent_scd_learn (struct agent_card_info_s *info, int force)
parm.ctx = agent_ctx;
rc = assuan_transact (agent_ctx,
+ force == 2? "LEARN --sendinfo --force --reallyforce" :
force ? "LEARN --sendinfo --force" : "LEARN --sendinfo",
dummy_data_cb, NULL, default_inq_cb, &parm,
learn_status_cb, info);
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -5201,8 +5201,11 @@ card_store_key_with_backup (ctrl_t ctrl, PKT_public_key *sub_psk,
if (err)
log_error ("writing card key to backup file: %s\n", gpg_strerror (err));
else
- /* Remove secret key data in agent side. */
- agent_scd_learn (NULL, 1);
+ {
+ /* Remove secret key data in agent side. We use force 2 here to
+ * allow overwriting of the temporary private key. */
+ agent_scd_learn (NULL, 2);
+ }
leave:
xfree (ecdh_param_str);
--
2.30.2

156
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gnupg-2.2.42-dirmngr-proxy.patch vendored
View File

@ -1,156 +0,0 @@
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=d6c428699db7aa20f8b6ca9fe83197a0314b7e91
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=c33c4fdf10b7ed9e03f2afe988d93f3085b727aa
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=41c022072599bc3f12f659e962653548cd86fa3a
From d6c428699db7aa20f8b6ca9fe83197a0314b7e91 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Thu, 15 Feb 2024 15:38:34 +0900
Subject: [PATCH] dirmngr: Fix proxy with TLS.
* dirmngr/http.c (proxy_get_token, run_proxy_connect): Always
available regardless of USE_TLS.
(send_request): Remove USE_TLS.
--
Since quite some time building w/o TLS won't work.
GnuPG-bug-id: 6997
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -2498,9 +2498,7 @@ proxy_get_token (proxy_info_t proxy, const char *inputstring)
}
-
/* Use the CONNECT method to proxy our TLS stream. */
-#ifdef USE_TLS
static gpg_error_t
run_proxy_connect (http_t hd, proxy_info_t proxy,
const char *httphost, const char *server,
@@ -2709,7 +2707,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
xfree (tmpstr);
return err;
}
-#endif /*USE_TLS*/
/* Make a request string using a standard proxy. On success the
@@ -2866,7 +2863,6 @@ send_request (http_t hd, const char *httphost, const char *auth,
goto leave;
}
-#if USE_TLS
if (use_http_proxy && hd->uri->use_tls)
{
err = run_proxy_connect (hd, proxy, httphost, server, port);
@@ -2878,7 +2874,6 @@ send_request (http_t hd, const char *httphost, const char *auth,
* clear the flag to indicate this. */
use_http_proxy = 0;
}
-#endif /* USE_TLS */
#if HTTP_USE_NTBTLS
err = run_ntbtls_handshake (hd);
--
2.30.2
From c33c4fdf10b7ed9e03f2afe988d93f3085b727aa Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Fri, 16 Feb 2024 11:31:37 +0900
Subject: [PATCH] dirmngr: Fix the regression of use of proxy for TLS
connection.
* dirmngr/http.c (run_proxy_connect): Don't set keep_alive, since it
causes resource leak of FP_WRITE.
Don't try to read response body to fix the hang.
--
GnuPG-bug-id: 6997
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -2520,6 +2520,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
* RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication
*/
auth_basic = !!proxy->uri->auth;
+ hd->keep_alive = 0;
/* For basic authentication we need to send just one request. */
if (auth_basic
@@ -2541,13 +2542,12 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
httphost ? httphost : server,
port,
authhdr ? authhdr : "",
- auth_basic? "" : "Connection: keep-alive\r\n");
+ hd->keep_alive? "Connection: keep-alive\r\n" : "");
if (!request)
{
err = gpg_error_from_syserror ();
goto leave;
}
- hd->keep_alive = !auth_basic; /* We may need to send more requests. */
if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP))
log_debug_with_string (request, "http.c:proxy:request:");
@@ -2574,16 +2574,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
if (err)
goto leave;
- {
- unsigned long count = 0;
-
- while (es_getc (hd->fp_read) != EOF)
- count++;
- if (opt_debug)
- log_debug ("http.c:proxy_connect: skipped %lu bytes of response-body\n",
- count);
- }
-
/* Reset state. */
es_clearerr (hd->fp_read);
((cookie_t)(hd->read_cookie))->up_to_empty_line = 1;
--
2.30.2
From 41c022072599bc3f12f659e962653548cd86fa3a Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Fri, 16 Feb 2024 16:24:26 +0900
Subject: [PATCH] dirmngr: Fix keep-alive flag handling.
* dirmngr/http.c (run_proxy_connect): Set KEEP_ALIVE if not Basic
Authentication. Fix resource leak of FP_WRITE.
--
GnuPG-bug-id: 6997
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -2520,7 +2520,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
* RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication
*/
auth_basic = !!proxy->uri->auth;
- hd->keep_alive = 0;
+ hd->keep_alive = !auth_basic; /* We may need to send more requests. */
/* For basic authentication we need to send just one request. */
if (auth_basic
@@ -2684,6 +2684,14 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
}
leave:
+ if (hd->keep_alive)
+ {
+ es_fclose (hd->fp_write);
+ hd->fp_write = NULL;
+ /* The close has released the cookie and thus we better set it
+ * to NULL. */
+ hd->write_cookie = NULL;
+ }
/* Restore flags, destroy stream, reset state. */
hd->flags = saved_flags;
es_fclose (hd->fp_read);
--
2.30.2

39
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/gnupg-2.2.42-gpgme-tests.patch vendored
View File

@ -1,39 +0,0 @@
https://bugs.gentoo.org/924386
https://dev.gnupg.org/T7003
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=f50c543326c2eea6b40f548d61cf3a66a077bf54
From f50c543326c2eea6b40f548d61cf3a66a077bf54 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Fri, 1 Mar 2024 13:59:43 +0900
Subject: [PATCH] agent: Allow simple KEYINFO command when restricted.
* agent/command.c (cmd_keyinfo): Only forbid list command.
--
GnuPG-bug-id: 7003
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
--- a/agent/command.c
+++ b/agent/command.c
@@ -1282,9 +1282,6 @@ cmd_keyinfo (assuan_context_t ctx, char *line)
char hexgrip[41];
int disabled, ttl, confirm, is_ssh;
- if (ctrl->restricted)
- return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));
-
if (has_option (line, "--ssh-list"))
list_mode = 2;
else
@@ -1333,6 +1330,9 @@ cmd_keyinfo (assuan_context_t ctx, char *line)
char *dirname;
gnupg_dirent_t dir_entry;
+ if (ctrl->restricted)
+ return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));
+
dirname = make_filename_try (gnupg_homedir (),
GNUPG_PRIVATE_KEYS_DIR, NULL);
if (!dirname)
--
2.30.2

184
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.2.42-r4.ebuild vendored
View File

@ -1,184 +0,0 @@
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
# Maintainers should:
# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
# (find the one for the current release then subscribe to it +
# any subsequent ones linked within so you're covered for a while.)
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig
MY_P="${P/_/-}"
DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
HOMEPAGE="https://gnupg.org/"
SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
S="${WORKDIR}/${MY_P}"
LICENSE="GPL-3+"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 hppa ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server"
RESTRICT="!test? ( test )"
# Existence of executables is checked during configuration.
# Note: On each bump, update dep bounds on each version from configure.ac!
DEPEND="
>=dev-libs/libassuan-2.5.0:=
>=dev-libs/libgcrypt-1.8.0:=
>=dev-libs/libgpg-error-1.38
>=dev-libs/libksba-1.3.5
>=dev-libs/npth-1.2
>=net-misc/curl-7.10
sys-libs/zlib
bzip2? ( app-arch/bzip2 )
ldap? ( net-nds/openldap:= )
readline? ( sys-libs/readline:= )
smartcard? ( usb? ( virtual/libusb:1 ) )
ssl? ( >=net-libs/gnutls-3.0:= )
tofu? ( >=dev-db/sqlite-3.7 )
"
RDEPEND="
${DEPEND}
nls? ( virtual/libintl )
selinux? ( sec-policy/selinux-gpg )
wks-server? ( virtual/mta )
"
PDEPEND="
app-crypt/pinentry
"
BDEPEND="
virtual/pkgconfig
doc? ( sys-apps/texinfo )
nls? ( sys-devel/gettext )
verify-sig? ( sec-keys/openpgp-keys-gnupg )
"
DOCS=(
ChangeLog NEWS README THANKS TODO VERSION
doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
)
PATCHES=(
"${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
"${FILESDIR}"/${P}-bug923248-insecure-backup.patch
"${FILESDIR}"/${P}-dirmngr-proxy.patch
"${FILESDIR}"/${P}-gpgme-tests.patch
)
src_prepare() {
default
# Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
# idea borrowed from libdbus, see
# https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
#
# This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
# which in turn requires discovery in Autoconf, something that upstream deeply resents.
sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
-i doc/examples/systemd-user/gpg-agent-ssh.socket || die
}
my_src_configure() {
# Upstream don't support LTO, bug #854222.
filter-lto
local myconf=(
$(use_enable bzip2)
$(use_enable nls)
$(use_enable smartcard scdaemon)
$(use_enable ssl gnutls)
$(use_enable test all-tests)
$(use_enable test tests)
$(use_enable tofu)
$(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
$(use_enable wks-server wks-tools)
$(use_with ldap)
$(use_with readline)
# Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
# As of GnuPG 2.3, the mailprog substitution is used for the binary called
# by wks-client & wks-server; and if it's autodetected but not not exist at
# build time, then then 'gpg-wks-client --send' functionality will not
# work. This has an unwanted side-effect in stage3 builds: there was a
# [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
# the build where the install guide previously make the user chose the
# logger & mta early in the install.
--with-mailprog=/usr/libexec/sendmail
--disable-ntbtls
--enable-gpg
--enable-gpgsm
--enable-large-secmem
CC_FOR_BUILD="$(tc-getBUILD_CC)"
GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
$("${S}/configure" --help | grep -o -- '--without-.*-prefix')
)
if use prefix && use usb; then
# bug #649598
append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
fi
# bug #663142
if use user-socket; then
myconf+=( --enable-run-gnupg-user-socket )
fi
# glib fails and picks up clang's internal stdint.h causing weird errors
tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
econf "${myconf[@]}"
}
my_src_compile() {
default
use doc && emake -C doc html
}
my_src_test() {
export TESTFLAGS="--parallel=$(makeopts_jobs)"
default
}
my_src_install() {
emake DESTDIR="${D}" install
use tools && dobin \
tools/{gpg-zip,gpgconf,gpgsplit,gpg-check-pattern} \
tools/make-dns-cert
dosym gpg /usr/bin/gpg2
dosym gpgv /usr/bin/gpgv2
echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
dodir /etc/env.d
echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
use doc && dodoc doc/gnupg.html/*
}
my_src_install_all() {
einstalldocs
use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
use doc && dodoc doc/*.png
systemd_douserunit doc/examples/systemd-user/*.{service,socket}
}

181
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.2.43-r1.ebuild vendored
View File

@ -1,181 +0,0 @@
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
# Maintainers should:
# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
# (find the one for the current release then subscribe to it +
# any subsequent ones linked within so you're covered for a while.)
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig
MY_P="${P/_/-}"
DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
HOMEPAGE="https://gnupg.org/"
SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
S="${WORKDIR}/${MY_P}"
LICENSE="GPL-3+"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 hppa ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server"
RESTRICT="!test? ( test )"
# Existence of executables is checked during configuration.
# Note: On each bump, update dep bounds on each version from configure.ac!
DEPEND="
>=dev-libs/libassuan-2.5.0:=
>=dev-libs/libgcrypt-1.8.0:=
>=dev-libs/libgpg-error-1.38
>=dev-libs/libksba-1.4.0
>=dev-libs/npth-1.2
>=net-misc/curl-7.10
sys-libs/zlib
bzip2? ( app-arch/bzip2 )
ldap? ( net-nds/openldap:= )
readline? ( sys-libs/readline:= )
smartcard? ( usb? ( virtual/libusb:1 ) )
ssl? ( >=net-libs/gnutls-3.0:= )
tofu? ( >=dev-db/sqlite-3.7 )
"
RDEPEND="
${DEPEND}
nls? ( virtual/libintl )
selinux? ( sec-policy/selinux-gpg )
wks-server? ( virtual/mta )
"
PDEPEND="
app-crypt/pinentry
"
BDEPEND="
virtual/pkgconfig
doc? ( sys-apps/texinfo )
nls? ( sys-devel/gettext )
verify-sig? ( sec-keys/openpgp-keys-gnupg )
"
DOCS=(
ChangeLog NEWS README THANKS TODO VERSION
doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
)
PATCHES=(
"${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
)
src_prepare() {
default
# Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
# idea borrowed from libdbus, see
# https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
#
# This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
# which in turn requires discovery in Autoconf, something that upstream deeply resents.
sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
-i doc/examples/systemd-user/gpg-agent-ssh.socket || die
}
my_src_configure() {
# Upstream don't support LTO, bug #854222.
filter-lto
local myconf=(
$(use_enable bzip2)
$(use_enable nls)
$(use_enable smartcard scdaemon)
$(use_enable ssl gnutls)
$(use_enable test all-tests)
$(use_enable test tests)
$(use_enable tofu)
$(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
$(use_enable wks-server wks-tools)
$(use_with ldap)
$(use_with readline)
# Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
# As of GnuPG 2.3, the mailprog substitution is used for the binary called
# by wks-client & wks-server; and if it's autodetected but not not exist at
# build time, then then 'gpg-wks-client --send' functionality will not
# work. This has an unwanted side-effect in stage3 builds: there was a
# [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
# the build where the install guide previously make the user chose the
# logger & mta early in the install.
--with-mailprog=/usr/libexec/sendmail
--disable-ntbtls
--enable-gpg
--enable-gpgsm
--enable-large-secmem
CC_FOR_BUILD="$(tc-getBUILD_CC)"
GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
$("${S}/configure" --help | grep -o -- '--without-.*-prefix')
)
if use prefix && use usb; then
# bug #649598
append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
fi
# bug #663142
if use user-socket; then
myconf+=( --enable-run-gnupg-user-socket )
fi
# glib fails and picks up clang's internal stdint.h causing weird errors
tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
econf "${myconf[@]}"
}
my_src_compile() {
default
use doc && emake -C doc html
}
my_src_test() {
export TESTFLAGS="--parallel=$(makeopts_jobs)"
default
}
my_src_install() {
emake DESTDIR="${D}" install
use tools && dobin \
tools/{gpg-zip,gpgconf,gpgsplit,gpg-check-pattern} \
tools/make-dns-cert
dosym gpg /usr/bin/gpg2
dosym gpgv /usr/bin/gpgv2
echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
dodir /etc/env.d
echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
use doc && dodoc doc/gnupg.html/*
}
my_src_install_all() {
einstalldocs
use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
use doc && dodoc doc/*.png
systemd_douserunit doc/examples/systemd-user/*.{service,socket}
}

192
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.4.5-r1.ebuild vendored
View File

@ -1,192 +0,0 @@
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
# Maintainers should:
# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
# (find the one for the current release then subscribe to it +
# any subsequent ones linked within so you're covered for a while.)
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig
MY_P="${P/_/-}"
DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
HOMEPAGE="https://gnupg.org/"
SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
S="${WORKDIR}/${MY_P}"
LICENSE="GPL-3+"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server"
RESTRICT="!test? ( test )"
REQUIRED_USE="test? ( tofu )"
# Existence of executables is checked during configuration.
# Note: On each bump, update dep bounds on each version from configure.ac!
DEPEND="
>=dev-libs/libassuan-2.5.0:=
>=dev-libs/libgcrypt-1.9.1:=
>=dev-libs/libgpg-error-1.46
>=dev-libs/libksba-1.6.3
>=dev-libs/npth-1.2
>=net-misc/curl-7.10
sys-libs/zlib
bzip2? ( app-arch/bzip2 )
ldap? ( net-nds/openldap:= )
readline? ( sys-libs/readline:0= )
smartcard? ( usb? ( virtual/libusb:1 ) )
tofu? ( >=dev-db/sqlite-3.27 )
tpm? ( >=app-crypt/tpm2-tss-2.4.0:= )
ssl? ( >=net-libs/gnutls-3.2:0= )
"
RDEPEND="
${DEPEND}
nls? ( virtual/libintl )
selinux? ( sec-policy/selinux-gpg )
wks-server? ( virtual/mta )
"
PDEPEND="
app-crypt/pinentry
"
BDEPEND="
virtual/pkgconfig
doc? ( sys-apps/texinfo )
nls? ( sys-devel/gettext )
verify-sig? ( sec-keys/openpgp-keys-gnupg )
"
DOCS=(
ChangeLog NEWS README THANKS TODO VERSION
doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
)
PATCHES=(
"${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
)
src_prepare() {
default
GNUPG_SYSTEMD_UNITS=(
dirmngr.service
dirmngr.socket
gpg-agent-browser.socket
gpg-agent-extra.socket
gpg-agent.service
gpg-agent.socket
gpg-agent-ssh.socket
)
cp "${GNUPG_SYSTEMD_UNITS[@]/#/${FILESDIR}/}" "${T}" || die
# Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
# idea borrowed from libdbus, see
# https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
#
# This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
# which in turn requires discovery in Autoconf, something that upstream deeply resents.
sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
-i "${T}"/gpg-agent-ssh.socket || die
}
my_src_configure() {
# Upstream don't support LTO, bug #854222.
filter-lto
local myconf=(
$(use_enable bzip2)
$(use_enable nls)
$(use_enable smartcard scdaemon)
$(use_enable ssl gnutls)
$(use_enable test all-tests)
$(use_enable test tests)
$(use_enable tofu)
$(use_enable tofu keyboxd)
$(use_enable tofu sqlite)
$(usex tpm '--with-tss=intel' '--disable-tpm2d')
$(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
$(use_enable wks-server wks-tools)
$(use_with ldap)
$(use_with readline)
# Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
# As of GnuPG 2.3, the mailprog substitution is used for the binary called
# by wks-client & wks-server; and if it's autodetected but not not exist at
# build time, then then 'gpg-wks-client --send' functionality will not
# work. This has an unwanted side-effect in stage3 builds: there was a
# [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
# the build where the install guide previously make the user chose the
# logger & mta early in the install.
--with-mailprog=/usr/libexec/sendmail
--disable-ntbtls
--enable-gpgsm
--enable-large-secmem
CC_FOR_BUILD="$(tc-getBUILD_CC)"
ac_cv_path_GPGRT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpgrt-config"
$("${S}/configure" --help | grep -o -- '--without-.*-prefix')
)
if use prefix && use usb; then
# bug #649598
append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
fi
# bug #663142
if use user-socket; then
myconf+=( --enable-run-gnupg-user-socket )
fi
# glib fails and picks up clang's internal stdint.h causing weird errors
tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
econf "${myconf[@]}"
}
my_src_compile() {
default
use doc && emake -C doc html
}
my_src_test() {
export TESTFLAGS="--parallel=$(makeopts_jobs)"
default
}
my_src_install() {
emake DESTDIR="${D}" install
use tools && dobin tools/{gpgconf,gpgsplit,gpg-check-pattern} tools/make-dns-cert
dosym gpg /usr/bin/gpg2
dosym gpgv /usr/bin/gpgv2
echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
dodir /etc/env.d
echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
use doc && dodoc doc/gnupg.html/*
}
my_src_install_all() {
einstalldocs
use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
use doc && dodoc doc/*.png
# Dropped upstream in https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed.
dodoc "${FILESDIR}"/README-systemd
systemd_douserunit "${GNUPG_SYSTEMD_UNITS[@]/#/${T}/}"
}

197
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.4.5-r2.ebuild vendored
View File

@ -1,197 +0,0 @@
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
# Maintainers should:
# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
# (find the one for the current release then subscribe to it +
# any subsequent ones linked within so you're covered for a while.)
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig
MY_P="${P/_/-}"
DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
HOMEPAGE="https://gnupg.org/"
SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
S="${WORKDIR}/${MY_P}"
LICENSE="GPL-3+"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server"
RESTRICT="!test? ( test )"
REQUIRED_USE="test? ( tofu )"
# Existence of executables is checked during configuration.
# Note: On each bump, update dep bounds on each version from configure.ac!
DEPEND="
>=dev-libs/libassuan-2.5.0:=
>=dev-libs/libgcrypt-1.9.1:=
>=dev-libs/libgpg-error-1.46
>=dev-libs/libksba-1.6.3
>=dev-libs/npth-1.2
>=net-misc/curl-7.10
sys-libs/zlib
bzip2? ( app-arch/bzip2 )
ldap? ( net-nds/openldap:= )
readline? ( sys-libs/readline:0= )
smartcard? ( usb? ( virtual/libusb:1 ) )
tofu? ( >=dev-db/sqlite-3.27 )
tpm? ( >=app-crypt/tpm2-tss-2.4.0:= )
ssl? ( >=net-libs/gnutls-3.2:0= )
"
RDEPEND="
${DEPEND}
nls? ( virtual/libintl )
selinux? ( sec-policy/selinux-gpg )
wks-server? ( virtual/mta )
"
PDEPEND="
app-crypt/pinentry
"
BDEPEND="
virtual/pkgconfig
doc? ( sys-apps/texinfo )
nls? ( sys-devel/gettext )
verify-sig? ( sec-keys/openpgp-keys-gnupg )
"
DOCS=(
ChangeLog NEWS README THANKS TODO VERSION
doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
)
PATCHES=(
"${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
"${FILESDIR}"/${PN}-2.4.5-revert-rfc4880bis.patch # bug #926186
)
src_prepare() {
default
GNUPG_SYSTEMD_UNITS=(
dirmngr.service
dirmngr.socket
gpg-agent-browser.socket
gpg-agent-extra.socket
gpg-agent.service
gpg-agent.socket
gpg-agent-ssh.socket
)
cp "${GNUPG_SYSTEMD_UNITS[@]/#/${FILESDIR}/}" "${T}" || die
# Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
# idea borrowed from libdbus, see
# https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
#
# This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
# which in turn requires discovery in Autoconf, something that upstream deeply resents.
sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
-i "${T}"/gpg-agent-ssh.socket || die
# definition of getpeername etc uses different things like socket_fd_t
[[ ${CHOST} == *-solaris* ]] &&
append-cflags $(test-flags-CC -Wno-incompatible-pointer-types)
}
my_src_configure() {
# Upstream don't support LTO, bug #854222.
filter-lto
local myconf=(
$(use_enable bzip2)
$(use_enable nls)
$(use_enable smartcard scdaemon)
$(use_enable ssl gnutls)
$(use_enable test all-tests)
$(use_enable test tests)
$(use_enable tofu)
$(use_enable tofu keyboxd)
$(use_enable tofu sqlite)
$(usex tpm '--with-tss=intel' '--disable-tpm2d')
$(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
$(use_enable wks-server wks-tools)
$(use_with ldap)
$(use_with readline)
# Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
# As of GnuPG 2.3, the mailprog substitution is used for the binary called
# by wks-client & wks-server; and if it's autodetected but not not exist at
# build time, then then 'gpg-wks-client --send' functionality will not
# work. This has an unwanted side-effect in stage3 builds: there was a
# [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
# the build where the install guide previously make the user chose the
# logger & mta early in the install.
--with-mailprog=/usr/libexec/sendmail
--disable-ntbtls
--enable-gpgsm
--enable-large-secmem
CC_FOR_BUILD="$(tc-getBUILD_CC)"
GPGRT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpgrt-config"
$("${S}/configure" --help | grep -o -- '--without-.*-prefix')
)
if use prefix && use usb; then
# bug #649598
append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
fi
# bug #663142
if use user-socket; then
myconf+=( --enable-run-gnupg-user-socket )
fi
# glib fails and picks up clang's internal stdint.h causing weird errors
tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
econf "${myconf[@]}"
}
my_src_compile() {
default
use doc && emake -C doc html
}
my_src_test() {
export TESTFLAGS="--parallel=$(makeopts_jobs)"
default
}
my_src_install() {
emake DESTDIR="${D}" install
use tools && dobin tools/{gpgconf,gpgsplit,gpg-check-pattern} tools/make-dns-cert
dosym gpg /usr/bin/gpg2
dosym gpgv /usr/bin/gpgv2
echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
dodir /etc/env.d
echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
use doc && dodoc doc/gnupg.html/*
}
my_src_install_all() {
einstalldocs
use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
use doc && dodoc doc/*.png
# Dropped upstream in https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed.
dodoc "${FILESDIR}"/README-systemd
systemd_douserunit "${GNUPG_SYSTEMD_UNITS[@]/#/${T}/}"
}

4
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.4.6-r1.ebuild vendored
View File

@ -1,4 +1,4 @@
# Copyright 1999-2024 Gentoo Authors
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -23,7 +23,7 @@ S="${WORKDIR}/${MY_P}"
LICENSE="GPL-3+"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server"
RESTRICT="!test? ( test )"
REQUIRED_USE="test? ( tofu )"

4
sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.4.7.ebuild vendored
View File

@ -1,4 +1,4 @@
# Copyright 1999-2024 Gentoo Authors
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -23,7 +23,7 @@ S="${WORKDIR}/${MY_P}"
LICENSE="GPL-3+"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server"
RESTRICT="!test? ( test )"
REQUIRED_USE="test? ( tofu )"