From 6b6a6e559ac9e44a36b5c1e87715992f206a1bba Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Tue, 26 May 2020 09:48:05 +0200 Subject: [PATCH 1/3] app-crypt/gnupg: import upstream gnupg 2.2.20 --- .../coreos-overlay/app-crypt/gnupg/Manifest | 1 + ...er-socket-path-lengts-to-improve-tes.patch | 33 ++++ .../app-crypt/gnupg/gnupg-2.2.20.ebuild | 165 ++++++++++++++++++ .../app-crypt/gnupg/metadata.xml | 37 ++++ 4 files changed, 236 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/Manifest create mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.20.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/metadata.xml diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/Manifest b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/Manifest new file mode 100644 index 0000000000..c7e6dd6cb8 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/Manifest @@ -0,0 +1 @@ +DIST gnupg-2.2.20.tar.bz2 6786913 BLAKE2B 43cf9402a26e67d6c7c2444eb2faaee3f06ea0bf6c07708a50834c5d7424db2f9c38e1f0046dd3a35082abc08d401b2951655e7e068f0873db297560b87d2667 SHA512 3e69f102366ec3415f439ab81aae2458182fa1a18dfb86565b1d9dc638f3fc4c179a5947f0042b7c5a813345676285a662793664a1803ea9ad8328f0548e0edc diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch new file mode 100644 index 0000000000..dd75e3a5e9 --- /dev/null 
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch @@ -0,0 +1,33 @@ +From e3bdb7d17264b8d5bd9abab97c96d9c4a50e4f61 Mon Sep 17 00:00:00 2001 +From: Kristian Fiskerstrand +Date: Mon, 3 Apr 2017 23:44:56 +0300 +Subject: [PATCH] gpgscm: Use shorter socket path lengts to improve test + reliability + +-- +As socket lengths are normally restricted to 108 characters +(UNIX_PATH_MAX variable in /usr/include/linux/un.h), using 42 characters +by default easily results in errors. +--- + tests/gpgscm/tests.scm | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tests/gpgscm/tests.scm b/tests/gpgscm/tests.scm +index 592b36f..f54a387 100644 +--- a/tests/gpgscm/tests.scm ++++ b/tests/gpgscm/tests.scm +@@ -273,9 +273,9 @@ + (canonical-path (_mkdtemp (if (null? components) + (path-join + (get-temp-path) +- (string-append "gpgscm-" (get-isotime) "-" ++ (string-append "gscm" + (basename-suffix *scriptname* ".scm") +- "-XXXXXX")) ++ "XXXXXX")) + (apply path-join components))))) + + ;; Make a temporary directory and remove it at interpreter shutdown. +-- +2.10.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.20.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.20.ebuild new file mode 100644 index 0000000000..35dc9274af --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.20.ebuild 
@@ -0,0 +1,165 @@ +# Copyright 1999-2020 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit flag-o-matic systemd toolchain-funcs + +MY_P="${P/_/-}" + +DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation" +HOMEPAGE="https://gnupg.org/" +SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2" + +LICENSE="GPL-3" +SLOT="0" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl tofu tools usb user-socket wks-server" + +# Existence of executables is checked during configuration. +DEPEND="!app-crypt/dirmngr + >=dev-libs/libassuan-2.5.0 + >=dev-libs/libgcrypt-1.7.3 + >=dev-libs/libgpg-error-1.28 + >=dev-libs/libksba-1.3.4 + >=dev-libs/npth-1.2 + >=net-misc/curl-7.10 + bzip2? ( app-arch/bzip2 ) + ldap? ( net-nds/openldap ) + readline? ( sys-libs/readline:0= ) + smartcard? ( usb? ( virtual/libusb:1 ) ) + ssl? ( >=net-libs/gnutls-3.0:0= ) + sys-libs/zlib + tofu? ( >=dev-db/sqlite-3.7 )" + +RDEPEND="${DEPEND} + app-crypt/pinentry + nls? ( virtual/libintl ) + selinux? ( sec-policy/selinux-gpg ) + wks-server? ( virtual/mta )" + +BDEPEND="virtual/pkgconfig + doc? ( sys-apps/texinfo ) + nls? 
( sys-devel/gettext )" + +S="${WORKDIR}/${MY_P}" + +DOCS=( + ChangeLog NEWS README THANKS TODO VERSION + doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER +) + +PATCHES=( + "${FILESDIR}/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch" +) + +src_prepare() { + default + + # Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode, + # idea borrowed from libdbus, see + # https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6 + # + # This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl', + # which in turn requires discovery in Autoconf, something that upstream deeply resents. + sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \ + -i doc/examples/systemd-user/gpg-agent-ssh.socket || die +} + +src_configure() { + local myconf=() + + if use prefix && use usb; then + # bug #649598 + append-cppflags -I"${EPREFIX}/usr/include/libusb-1.0" + fi + + if use elibc_SunOS || use elibc_AIX; then + myconf+=( --disable-symcryptrun ) + else + myconf+=( --enable-symcryptrun ) + fi + + #bug 663142 + if use user-socket; then + myconf+=( --enable-run-gnupg-user-socket ) + fi + + # glib fails and picks up clang's internal stdint.h causing weird errors + [[ ${CC} == *clang ]] && \ + export gl_cv_absolute_stdint_h=/usr/include/stdint.h + + # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist. + # As of GnuPG 2.3, the mailprog substitution is used for the binary called + # by wks-client & wks-server; and if it's autodetected but not not exist at + # build time, then then 'gpg-wks-client --send' functionality will not + # work. 
This has an unwanted side-effect in stage3 builds: there was a + # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating + # the build where the install guide previously make the user chose the + # logger & mta early in the install. + + econf \ + "${myconf[@]}" \ + $(use_enable bzip2) \ + $(use_enable nls) \ + $(use_enable smartcard scdaemon) \ + $(use_enable ssl gnutls) \ + $(use_enable tofu) \ + $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver') \ + $(use_enable wks-server wks-tools) \ + $(use_with ldap) \ + $(use_with readline) \ + --with-mailprog=/usr/libexec/sendmail \ + --disable-ntbtls \ + --enable-all-tests \ + --enable-gpg \ + --enable-gpgsm \ + --enable-large-secmem \ + CC_FOR_BUILD="$(tc-getBUILD_CC)" \ + GPG_ERROR_CONFIG="${EROOT}/usr/bin/${CHOST}-gpg-error-config" \ + KSBA_CONFIG="${EROOT}/usr/bin/ksba-config" \ + LIBASSUAN_CONFIG="${EROOT}/usr/bin/libassuan-config" \ + LIBGCRYPT_CONFIG="${EROOT}/usr/bin/${CHOST}-libgcrypt-config" \ + NPTH_CONFIG="${EROOT}/usr/bin/npth-config" \ + $("${S}/configure" --help | grep -- '--without-.*-prefix' | sed -e 's/^ *\([^ ]*\) .*/\1/g') +} + +src_compile() { + default + + use doc && emake -C doc html +} + +src_test() { + #Bug: 638574 + use tofu && export TESTFLAGS=--parallel + default +} + +src_install() { + default + + use tools && + dobin \ + tools/{convert-from-106,gpg-check-pattern} \ + tools/{gpg-zip,gpgconf,gpgsplit,lspgpot,mail-signed-keys} \ + tools/make-dns-cert + + dosym gpg /usr/bin/gpg2 + dosym gpgv /usr/bin/gpgv2 + echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die + echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die + + dodir /etc/env.d + echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die + + use doc && dodoc doc/gnupg.html/* doc/*.png + + systemd_douserunit doc/examples/systemd-user/*.{service,socket} +} + +pkg_postinst() { + elog "See https://wiki.gentoo.org/wiki/GnuPG for documentation 
on gnupg" + elog + elog "If you wish to use 'gpg-wks-client --send', you must install an MTA!" +} diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/metadata.xml new file mode 100644 index 0000000000..eac23b93cc --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/metadata.xml @@ -0,0 +1,37 @@ + + + + + k_f@gentoo.org + Kristian Fiskerstrand + + + GnuPG is a complete and free implementation of the OpenPGP standard as + defined by RFC4880. + + + + Build scdaemon software. Enables usage of OpenPGP cards. For + other type of smartcards, try app-crypt/gnupg-pkcs11-scd. + Bring in dev-libs/libusb as a dependency; enable scdaemon. + + + Build direct CCID access for scdaemon; requires dev-libs/libusb. + + + try a socket directory which is not removed by init manager at session end + + + Enable support for Trust on First use trust model; requires dev-db/sqlite. + + + Install extra tools (including gpgsplit and gpg-zip). + + + Install the wks-server + + + + cpe:/a:gnupg:gnupg + + From bff1e680ef1d2dc5e44e28b8fb47bfd6fdf24ad1 Mon Sep 17 00:00:00 2001 
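Review bot: The `sed` in `src_prepare` appends `ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh` to `gpg-agent-ssh.socket`, and `src_install` ships every example unit through `systemd_douserunit`, yet nothing in the ebuild tells the operator that enabling that socket redirects `SSH_AUTH_SOCK` for the user's systemd session. The leading `-` on the command also means a failing `systemctl` call is ignored, so a failure would leave the variable unset without any error. I would add a line to `pkg_postinst`, for example `elog "Enabling gpg-agent-ssh.socket sets SSH_AUTH_SOCK for the systemd user session"`, so the change of SSH agent is visible at install time. Separately, the comment above `econf` about `--with-mailprog` has doubled words (`not not exist`, `then then`) and refers to GnuPG 2.3 in a 2.2.20 ebuild; it should be reworded to say plainly why the path is hardcoded.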
From: Dongsu Park Date: Tue, 26 May 2020 10:04:30 +0200 Subject: [PATCH 2/3] app-crypt/gnupg: add patches for accepting without UIDs When the GnuPG keyserver is set to `keys.openpgp.org`, `gpg --recv-keys` occasionally fails with the following error: ``` gpg: key E52F0DB391453C45: no user ID ``` We need to make GnuPG accept keys even without UIDs. Original patches come from https://salsa.debian.org/debian/gnupg2/tree/f292beac1171c6c77faf41d1f88c2e0942ed4437/debian/patches/import-merge-without-userid . See also https://dev.gnupg.org/T4393 . --- ...th-a-good-revocation-but-no-self-sig.patch | 32 ++++++ ...reviously-known-keys-even-without-UI.patch | 106 ++++++++++++++++++ .../app-crypt/gnupg/gnupg-2.2.20.ebuild | 4 + 3 files changed, 142 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-allow-import-of-previously-known-keys-even-without-UI.patch diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch new file mode 100644 index 0000000000..a6173968f5 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch 
@@ -0,0 +1,32 @@ +From: Vincent Breitmoser +Date: Thu, 13 Jun 2019 21:27:43 +0200 +Subject: gpg: accept subkeys with a good revocation but no self-sig during + import + +* g10/import.c (chk_self_sigs): Set the NODE_GOOD_SELFSIG flag when we +encounter a valid revocation signature. This allows import of subkey +revocation signatures, even in the absence of a corresponding subkey +binding signature. + +-- + +This fixes the remaining test in import-incomplete.scm. + +GnuPG-Bug-id: 4393 +Signed-off-by: Daniel Kahn Gillmor +--- + g10/import.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/g10/import.c b/g10/import.c +index f9acf95..9217911 100644 +--- a/g10/import.c ++++ b/g10/import.c +@@ -3602,6 +3602,7 @@ chk_self_sigs (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, int *non_self) + /* It's valid, so is it newer? */ + if (sig->timestamp >= rsdate) + { ++ knode->flag |= NODE_GOOD_SELFSIG; /* Subkey is valid. */ + if (rsnode) + { + /* Delete the last revocation sig since diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-allow-import-of-previously-known-keys-even-without-UI.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-allow-import-of-previously-known-keys-even-without-UI.patch new file mode 100644 index 0000000000..4b5690f955 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-allow-import-of-previously-known-keys-even-without-UI.patch 
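Review bot: The single added line in `chk_self_sigs`, `knode->flag |= NODE_GOOD_SELFSIG; /* Subkey is valid. */`, marks the subkey node as carrying a good self-signature on the strength of a verified revocation signature alone, and the comment does not say that. The patch description states this is intended, so that a subkey revocation can be imported without a binding signature, but the flag is presumably the same one later code uses to decide which subkeys are kept, and a reader of import.c can no longer tell the two cases apart. I would reword the comment to something like `/* Valid revocation: keep the subkey node even without a binding sig. */` and confirm in review that nothing downstream reads NODE_GOOD_SELFSIG as proof of a binding signature. The body of `chk_self_sigs` continues outside the hunk, so that cannot be checked from here.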
@@ -0,0 +1,106 @@ +From: Vincent Breitmoser +Date: Thu, 13 Jun 2019 21:27:42 +0200 +Subject: gpg: allow import of previously known keys, even without UIDs + +* g10/import.c (import_one): Accept an incoming OpenPGP certificate that +has no user id, as long as we already have a local variant of the cert +that matches the primary key. + +-- + +This fixes two of the three broken tests in import-incomplete.scm. + +GnuPG-Bug-id: 4393 +Signed-off-by: Daniel Kahn Gillmor +--- + g10/import.c | 44 +++++++++++--------------------------------- + 1 file changed, 11 insertions(+), 33 deletions(-) + +diff --git a/g10/import.c b/g10/import.c +index 5d3162c..f9acf95 100644 +--- a/g10/import.c ++++ b/g10/import.c +@@ -1788,7 +1788,6 @@ import_one_real (ctrl_t ctrl, + size_t an; + char pkstrbuf[PUBKEY_STRING_SIZE]; + int merge_keys_done = 0; +- int any_filter = 0; + KEYDB_HANDLE hd = NULL; + + if (r_valid) +@@ -1825,14 +1824,6 @@ import_one_real (ctrl_t ctrl, + log_printf ("\n"); + } + +- +- if (!uidnode ) +- { +- if (!silent) +- log_error( _("key %s: no user ID\n"), keystr_from_pk(pk)); +- return 0; +- } +- + if (screener && screener (keyblock, screener_arg)) + { + log_error (_("key %s: %s\n"), keystr_from_pk (pk), +@@ -1907,17 +1898,10 @@ import_one_real (ctrl_t ctrl, + } + } + +- if (!delete_inv_parts (ctrl, keyblock, keyid, options ) ) +- { +- if (!silent) +- { +- log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk)); +- if (!opt.quiet ) +- log_info(_("this may be caused by a missing self-signature\n")); +- } +- stats->no_user_id++; +- return 0; +- } ++ /* Delete invalid parts, and note if we have any valid ones left. ++ * We will later abort import if this key is new but contains ++ * no valid uids. */ ++ delete_inv_parts (ctrl, keyblock, keyid, options); + + /* Get rid of deleted nodes. 
*/ + commit_kbnode (&keyblock); +@@ -1927,24 +1911,11 @@ import_one_real (ctrl_t ctrl, + { + apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid); + commit_kbnode (&keyblock); +- any_filter = 1; + } + if (import_filter.drop_sig) + { + apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig); + commit_kbnode (&keyblock); +- any_filter = 1; +- } +- +- /* If we ran any filter we need to check that at least one user id +- * is left in the keyring. Note that we do not use log_error in +- * this case. */ +- if (any_filter && !any_uid_left (keyblock)) +- { +- if (!opt.quiet ) +- log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk)); +- stats->no_user_id++; +- return 0; + } + + /* The keyblock is valid and ready for real import. */ +@@ -2002,6 +1973,13 @@ import_one_real (ctrl_t ctrl, + err = 0; + stats->skipped_new_keys++; + } ++ else if (err && !any_uid_left (keyblock)) ++ { ++ if (!silent) ++ log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid)); ++ err = 0; ++ stats->no_user_id++; ++ } + else if (err) /* Insert this key. */ + { + /* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY. */ diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.20.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.20.ebuild index 35dc9274af..d13716c7de 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.20.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.20.ebuild @@ -51,6 +51,10 @@ DOCS=( PATCHES=( "${FILESDIR}/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch" + # Flatcar: the patches below are added only for Flatcar, to address the + # upstream gnupg issue https://dev.gnupg.org/T4393. + "${FILESDIR}/${PN}-allow-import-of-previously-known-keys-even-without-UI.patch" + "${FILESDIR}/${PN}-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch" ) src_prepare() { 
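Review bot: The new comment above `delete_inv_parts (ctrl, keyblock, keyid, options);` says the call will "note if we have any valid ones left", but its return value is now discarded, so nothing is noted. The only remaining user-ID check is the added `else if (err && !any_uid_left (keyblock))` branch, which by its log message and the following "Insert this key" branch appears to cover only keys not yet in the keyring. For an already known key the removed `!uidnode`, `delete_inv_parts` and `any_filter` checks no longer stop a block without a valid user ID from reaching the merge path; that is the stated intent, so what is accepted then rests on the signature checks outside this hunk. I would make the comment match the code, e.g. `/* Delete invalid parts; the no-user-ID check is deferred until we know whether the key is new. */`, and write the call as `(void) delete_inv_parts (...)` to show the result is ignored on purpose. `import_one_real` starts and ends outside the hunk, so the merge path itself is not visible here.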
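Review bot: The comment added inside `PATCHES` cites only https://dev.gnupg.org/T4393 and records neither where the two patches come from nor that they relax key-import validation. The commit message names the Debian gnupg2 packaging tree as the origin; I would carry that into the ebuild, e.g. `# Origin: Debian gnupg2 debian/patches/import-merge-without-userid; re-check on every gnupg bump.`, so a later version bump neither drops them unnoticed nor re-applies them without review. The `PATCHES` array opens before the hunk and `src_prepare` continues after it.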
From 86217c645db8101eaad9dd82d5804e33f1b75e35 Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Tue, 26 May 2020 10:40:23 +0200 Subject: [PATCH 3/3] profiles: bump GnuPG versions to 2.2.20 for both arches --- .../coreos-overlay/profiles/coreos/base/package.accept_keywords | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index 2603fcc854..fc454bf797 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -52,7 +52,7 @@ dev-util/checkbashisms =cross-x86_64-cros-linux-gnu/gcc-7.3.0 ~amd64 # Force upgrades to work around catalyst problems while upgrading ncurses. -=app-crypt/gnupg-2.2.7 ~amd64 ~arm64 +=app-crypt/gnupg-2.2.20 ~amd64 ~arm64 =sys-apps/gptfdisk-1.0.3 ~amd64 ~arm64 =sys-apps/util-linux-2.32 ~amd64 ~arm64