commit cc855f54edca1f3603e2de4f51c8180134de0272 Author: zyppe <210hcl@gmail.com> Date: Tue Feb 6 20:40:34 2024 +0800 Initialize for gpg2 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..59e43c4 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +gnupg-2.2.27.tar.bz2 diff --git a/.gpg2.metadata b/.gpg2.metadata new file mode 100644 index 0000000..c7e3346 --- /dev/null +++ b/.gpg2.metadata @@ -0,0 +1 @@ +3a103b9e956aaf4608894488fe5435180a60e9d8cf7bae74233d08b33eabd163 gnupg-2.2.27.tar.bz2 diff --git a/gnupg-2.0.9-langinfo.patch b/gnupg-2.0.9-langinfo.patch new file mode 100644 index 0000000..44debc8 --- /dev/null +++ b/gnupg-2.0.9-langinfo.patch @@ -0,0 +1,17 @@ +# fix [bnc#305725] - non latin characters displayed incorrectly by pinentry +--- +# jnlib/utf8conv.c | 1 + +# 1 file changed, 1 insertion(+) +# +Index: gnupg-2.1.0/common/utf8conv.c +=================================================================== +--- gnupg-2.1.0.orig/common/utf8conv.c 2014-10-11 19:45:14.000000000 +0200 ++++ gnupg-2.1.0/common/utf8conv.c 2014-11-07 11:35:05.491413258 +0100 +@@ -198,6 +198,7 @@ set_native_charset (const char *newset) + #else /*!HAVE_W32_SYSTEM && !HAVE_ANDROID_SYSTEM*/ + + #ifdef HAVE_LANGINFO_CODESET ++ setlocale(LC_ALL, ""); + newset = nl_langinfo (CODESET); + #else /*!HAVE_LANGINFO_CODESET*/ + /* Try to get the used charset from environment variables. */ diff --git a/gnupg-2.2.16-secmem.patch b/gnupg-2.2.16-secmem.patch new file mode 100644 index 0000000..48570da --- /dev/null +++ b/gnupg-2.2.16-secmem.patch 
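Review bot: `setlocale(LC_ALL, "")` inside `set_native_charset` changes the locale of the entire process as a side effect of what is otherwise a charset query, and `setlocale` is not thread-safe, so any caller that deliberately configured a narrower locale (for example only `LC_CTYPE`) now has every category overridden from the environment. If the goal is only that `nl_langinfo(CODESET)` reflects the user's environment, `setlocale(LC_CTYPE, "")` is the narrower call, and a line such as `/* nl_langinfo reports "ANSI_X3.4-1968" until the locale is applied; apply LC_CTYPE from the environment here. */` would document why a library helper touches process state at all. The patch is still written against gnupg-2.1.0 paths while the packaged tarball is 2.2.27, so it is presumably applied with fuzz; rebasing it like the other patches in this commit would avoid a silent misapply. `set_native_charset` begins and ends outside the hunk.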
@@ -0,0 +1,35 @@ +Index: gnupg-2.2.16/g10/gpg.c +=================================================================== +--- gnupg-2.2.16.orig/g10/gpg.c ++++ gnupg-2.2.16/g10/gpg.c +@@ -973,7 +973,7 @@ make_libversion (const char *libname, co + + if (maybe_setuid) + { +- gcry_control (GCRYCTL_INIT_SECMEM, 0, 0); /* Drop setuid. */ ++ gcry_control (GCRYCTL_INIT_SECMEM, 4096, 0); /* Drop setuid. */ + maybe_setuid = 0; + } + s = getfnc (NULL); +@@ -1125,7 +1125,7 @@ build_list (const char *text, char lette + char *string; + + if (maybe_setuid) +- gcry_control (GCRYCTL_INIT_SECMEM, 0, 0); /* Drop setuid. */ ++ gcry_control (GCRYCTL_INIT_SECMEM, 4096, 0); /* Drop setuid. */ + + indent = utf8_charcount (text, -1); + len = 0; +Index: gnupg-2.2.16/sm/gpgsm.c +=================================================================== +--- gnupg-2.2.16.orig/sm/gpgsm.c ++++ gnupg-2.2.16/sm/gpgsm.c +@@ -533,7 +533,7 @@ make_libversion (const char *libname, co + + if (maybe_setuid) + { +- gcry_control (GCRYCTL_INIT_SECMEM, 0, 0); /* Drop setuid. */ ++ gcry_control (GCRYCTL_INIT_SECMEM, 4096, 0); /* Drop setuid. */ + maybe_setuid = 0; + } + s = getfnc (NULL); diff --git a/gnupg-2.2.27.tar.bz2.sig b/gnupg-2.2.27.tar.bz2.sig new file mode 100644 index 0000000..c993854 Binary files /dev/null and b/gnupg-2.2.27.tar.bz2.sig differ diff --git a/gnupg-2.2.8-files-are-digests.patch b/gnupg-2.2.8-files-are-digests.patch new file mode 100644 index 0000000..3292c08 --- /dev/null +++ b/gnupg-2.2.8-files-are-digests.patch 
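Review bot: The three unchanged `/* Drop setuid. */` comments no longer describe the call: per libgcrypt's API a non-zero size passed to `GCRYCTL_INIT_SECMEM` also creates a secure-memory pool rather than merely dropping privileges, so each site needs a comment saying why a pool is wanted at this point, e.g. `/* Drop setuid; a small secmem pool is initialized here so libgcrypt is usable before main() sets the real pool. */` — with the actual reason filled in, since the patch file carries no header explaining it. The literal `4096` is repeated in three places across `g10/gpg.c` and `sm/gpgsm.c` and should be a single named constant. If `main()` later initializes secmem with gpg's full pool size, libgcrypt may refuse to re-initialize an already-created pool, so it is worth confirming that the pool gpg ends up with is not reduced to this early 4096 bytes. `make_libversion` and `build_list` begin and end outside the hunk.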
@@ -0,0 +1,200 @@ +--- + g10/gpg.c | 4 +++ + g10/options.h | 1 + g10/sign.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++------ + 3 files changed, 67 insertions(+), 6 deletions(-) + +Index: gnupg-2.2.27/g10/gpg.c +=================================================================== +--- gnupg-2.2.27.orig/g10/gpg.c ++++ gnupg-2.2.27/g10/gpg.c +@@ -382,6 +382,7 @@ enum cmd_and_opt_values + oTTYtype, + oLCctype, + oLCmessages, ++ oFilesAreDigests, + oXauthority, + oGroup, + oUnGroup, +@@ -838,6 +839,7 @@ static ARGPARSE_OPTS opts[] = { + ARGPARSE_s_s (oWeakDigest, "weak-digest","@"), + ARGPARSE_s_n (oUnwrap, "unwrap", "@"), + ARGPARSE_s_n (oOnlySignTextIDs, "only-sign-text-ids", "@"), ++ ARGPARSE_s_n (oFilesAreDigests, "files-are-digests", "@"), + + /* Aliases. I constantly mistype these, and assume other people do + as well. */ +@@ -2372,6 +2374,7 @@ main (int argc, char **argv) + opt.def_cert_expire = "0"; + gnupg_set_homedir (NULL); + opt.passphrase_repeat = 1; ++ opt.files_are_digests=0; + opt.emit_version = 0; + opt.weak_digests = NULL; + +@@ -2944,6 +2947,7 @@ main (int argc, char **argv) + opt.verify_options&=~VERIFY_SHOW_PHOTOS; + break; + case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break; ++ case oFilesAreDigests: opt.files_are_digests = 1; break; + + case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break; + case oIncludeKeyBlock: opt.flags.include_key_block = 1; break; +Index: gnupg-2.2.27/g10/options.h +=================================================================== +--- gnupg-2.2.27.orig/g10/options.h ++++ gnupg-2.2.27/g10/options.h +@@ -202,6 +202,7 @@ struct + int no_auto_check_trustdb; + int preserve_permissions; + int no_homedir_creation; ++ int files_are_digests; + struct groupitem *grouplist; + int mangle_dos_filenames; + int enable_progress_filter; +Index: gnupg-2.2.27/g10/sign.c +=================================================================== +--- gnupg-2.2.27.orig/g10/sign.c ++++ gnupg-2.2.27/g10/sign.c +@@ 
-43,6 +43,8 @@ + #include "../common/mbox-util.h" + #include "../common/compliance.h" + ++#include "../common/host2net.h" ++ + #ifdef HAVE_DOSISH_SYSTEM + #define LF "\r\n" + #else +@@ -844,6 +846,8 @@ write_signature_packets (ctrl_t ctrl, + if (duration || opt.sig_policy_url + || opt.sig_notations || opt.sig_keyserver_url) + sig->version = 4; ++ else if (opt.files_are_digests) ++ sig->version = 3; + else + sig->version = pk->version; + +@@ -872,8 +876,12 @@ write_signature_packets (ctrl_t ctrl, + } + else + err = 0; /* Actually never reached. */ ++ if (!opt.files_are_digests) { + hash_sigversion_to_magic (md, sig); + gcry_md_final (md); ++ } else if (sig->version >= 4) { ++ log_bug("files-are-digests doesn't work with v4 sigs\n"); ++ } + + if (!err) + err = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce, 0); +@@ -937,6 +945,8 @@ sign_file (ctrl_t ctrl, strlist_t filena + SK_LIST sk_rover = NULL; + int multifile = 0; + u32 duration=0; ++ int sigclass = 0x00; ++ u32 timestamp = 0; + + pfx = new_progress_context (); + afx = new_armor_context (); +@@ -954,7 +964,16 @@ sign_file (ctrl_t ctrl, strlist_t filena + fname = NULL; + + if( fname && filenames->next && (!detached || encryptflag) ) +- log_bug("multiple files can only be detached signed"); ++ log_bug("multiple files can only be detached signed\n"); ++ ++ if (opt.files_are_digests && (multifile || !fname)) ++ log_bug("files-are-digests only works with one file\n"); ++ if (opt.files_are_digests && !detached) ++ log_bug("files-are-digests can only write detached signatures\n"); ++ if (opt.files_are_digests && !opt.def_digest_algo) ++ log_bug("files-are-digests needs --digest-algo\n"); ++ if (opt.files_are_digests && opt.textmode) ++ log_bug("files-are-digests doesn't work with --textmode\n"); + + if(encryptflag==2 + && (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek))) +@@ -975,7 +994,7 @@ sign_file (ctrl_t ctrl, strlist_t filena + goto leave; + + /* prepare iobufs */ +- if( multifile ) /* have list of 
filenames */ ++ if( multifile || opt.files_are_digests) /* have list of filenames */ + inp = NULL; /* we do it later */ + else { + inp = iobuf_open(fname); +@@ -1124,7 +1143,7 @@ sign_file (ctrl_t ctrl, strlist_t filena + for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next) + gcry_md_enable (mfx.md, hash_for (sk_rover->pk)); + +- if( !multifile ) ++ if( !multifile && !opt.files_are_digests ) + iobuf_push_filter( inp, md_filter, &mfx ); + + if( detached && !encryptflag) +@@ -1179,6 +1198,8 @@ sign_file (ctrl_t ctrl, strlist_t filena + + write_status_begin_signing (mfx.md); + ++ sigclass = opt.textmode && !outfile? 0x01 : 0x00; ++ + /* Setup the inner packet. */ + if( detached ) { + if( multifile ) { +@@ -1219,6 +1240,45 @@ sign_file (ctrl_t ctrl, strlist_t filena + if( opt.verbose ) + log_printf ("\n"); + } ++ else if (opt.files_are_digests) { ++ byte *mdb, ts[5]; ++ size_t mdlen; ++ const char *fp; ++ int c, d; ++ ++ gcry_md_final(mfx.md); ++ /* this assumes gcry_md_read returns the same buffer */ ++ mdb = gcry_md_read(mfx.md, opt.def_digest_algo); ++ mdlen = gcry_md_get_algo_dlen(opt.def_digest_algo); ++ if (strlen(fname) != mdlen * 2 + 11) ++ log_bug("digests must be %d + @ + 5 bytes\n", mdlen); ++ d = -1; ++ for (fp = fname ; *fp; ) { ++ c = *fp++; ++ if (c >= '0' && c <= '9') ++ c -= '0'; ++ else if (c >= 'a' && c <= 'f') ++ c -= 'a' - 10; ++ else if (c >= 'A' && c <= 'F') ++ c -= 'A' - 10; ++ else ++ log_bug("filename is not hex\n"); ++ if (d >= 0) { ++ *mdb++ = d << 4 | c; ++ c = -1; ++ if (--mdlen == 0) { ++ mdb = ts; ++ if (*fp++ != '@') ++ log_bug("missing time separator\n"); ++ } ++ } ++ d = c; ++ } ++ sigclass = ts[0]; ++ if (sigclass != 0x00 && sigclass != 0x01) ++ log_bug("bad cipher class\n"); ++ timestamp = buf32_to_u32(ts + 1); ++ } + else { + /* read, so that the filter can calculate the digest */ + while( iobuf_get(inp) != -1 ) +@@ -1237,8 +1297,8 @@ sign_file (ctrl_t ctrl, strlist_t filena + + /* write the signatures */ + rc = 
write_signature_packets (ctrl, sk_list, out, mfx.md, +- opt.textmode && !outfile? 0x01 : 0x00, +- 0, duration, detached ? 'D':'S', NULL); ++ sigclass, ++ timestamp, duration, detached ? 'D':'S', NULL); + if( rc ) + goto leave; + diff --git a/gnupg-CVE-2022-34903.patch b/gnupg-CVE-2022-34903.patch new file mode 100644 index 0000000..d66b346 --- /dev/null +++ b/gnupg-CVE-2022-34903.patch @@ -0,0 +1,47 @@ +From: Werner Koch +Date: Tue, 14 Jun 2022 11:33:27 +0200 +Subject: g10: Fix garbled status messages in NOTATION_DATA + +* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one +-- + +Depending on the escaping and line wrapping the computed remaining +buffer length could be wrong. Fixed by always using a break to +terminate the escape detection loop. Might have happened for all +status lines which may wrap. + +GnuPG-bug-id: T6027 +(cherry picked from commit 34c649b3601383cd11dbc76221747ec16fd68e1b) +--- + g10/cpr.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +diff --git a/g10/cpr.c b/g10/cpr.c +index d502e8b..bc4b715 100644 +--- a/g10/cpr.c ++++ b/g10/cpr.c +@@ -328,20 +328,15 @@ write_status_text_and_buffer (int no, const char *string, + } + first = 0; + } +- for (esc=0, s=buffer, n=len; n && !esc; s++, n--) ++ for (esc=0, s=buffer, n=len; n; s++, n--) + { + if (*s == '%' || *(const byte*)s <= lower_limit + || *(const byte*)s == 127 ) + esc = 1; + if (wrap && ++count > wrap) +- { +- dowrap=1; +- break; +- } +- } +- if (esc) +- { +- s--; n++; ++ dowrap=1; ++ if (esc || dowrap) ++ break; + } + if (s != buffer) + es_fwrite (buffer, s-buffer, 1, statusfp); diff --git a/gnupg-accept_subkeys_with_a_good_revocation_but_no_self-sig_during_import.patch b/gnupg-accept_subkeys_with_a_good_revocation_but_no_self-sig_during_import.patch new file mode 100644 index 0000000..826acec --- /dev/null +++ b/gnupg-accept_subkeys_with_a_good_revocation_but_no_self-sig_during_import.patch 
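Review bot: `log_bug` is used to reject malformed user input — a filename of the wrong length, a non-hex character, a missing `@` separator or an unknown class byte aborts the process instead of returning an error — and the `%d` in `"digests must be %d + @ + 5 bytes\n"` does not match its `size_t` argument `mdlen`. These checks should use `log_error` and the function's existing error path, e.g. `log_error ("digests must be %zu hex digits, '@', and 10 hex digits\n", mdlen * 2); rc = gpg_error (GPG_ERR_INV_ARG); goto leave;` (the `rc`/`leave` pair is already used by this function). Writing the decoded digest straight into the buffer returned by `gcry_md_read` relies on libgcrypt behaviour that the patch's own comment calls an assumption, and only the `opt.def_digest_algo` digest is overwritten while `mfx.md` had one algorithm enabled per signing key, so a key whose `hash_for()` differs would presumably be signed over an unrelated, empty digest — confirm that `--digest-algo` forces them to agree, or reject the mismatch explicitly. `sign_file` and `write_signature_packets` both begin and end outside the hunk.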
@@ -0,0 +1,33 @@ +From f361141a44365ff7db2d2cfbf118d5b54b52c3d5 Mon Sep 17 00:00:00 2001 +From: Vincent Breitmoser +Date: Thu, 13 Jun 2019 21:27:43 +0200 +Subject: [PATCH] gpg: accept subkeys with a good revocation but no self-sig + during import + +* g10/import.c (chk_self_sigs): Set the NODE_GOOD_SELFSIG flag when we +encounter a valid revocation signature. This allows import of subkey +revocation signatures, even in the absence of a corresponding subkey +binding signature. + +-- + +This fixes the remaining test in import-incomplete.scm. + +GnuPG-Bug-id: 4393 +Signed-off-by: Daniel Kahn Gillmor +--- + g10/import.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/g10/import.c b/g10/import.c +index 2be214e63..ae2453803 100644 +--- a/g10/import.c ++++ b/g10/import.c +@@ -3536,6 +3536,7 @@ chk_self_sigs (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, int *non_self) + /* It's valid, so is it newer? */ + if (sig->timestamp >= rsdate) + { ++ knode->flag |= NODE_GOOD_SELFSIG; /* Subkey is valid. */ + if (rsnode) + { + /* Delete the last revocation sig since diff --git a/gnupg-add-test-cases-for-import-without-uid.patch b/gnupg-add-test-cases-for-import-without-uid.patch new file mode 100644 index 0000000..43142a4 --- /dev/null +++ b/gnupg-add-test-cases-for-import-without-uid.patch 
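Review bot: The comment `/* Subkey is valid. */` on the added line is misleading: the flag is set on the subkey node because a good revocation signature was found, not because a binding signature proved the subkey valid, and from here on `NODE_GOOD_SELFSIG` means either. Suggest `/* A good revocation counts as a self-sig so the revoked subkey is kept on import. */`. Because the flag now also covers a subkey that has no binding signature at all, any later reader of `NODE_GOOD_SELFSIG` that treats it as "this subkey is usable" needs checking; `chk_self_sigs` continues outside the hunk, so that cannot be confirmed here.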
@@ -0,0 +1,202 @@ +From 4c40bfa90bda748e5dada0bb1cc8fae14d744f07 Mon Sep 17 00:00:00 2001 +From: Vincent Breitmoser +Date: Thu, 13 Jun 2019 21:27:41 +0200 +Subject: [PATCH] tests: add test cases for import without uid + +This commit adds a test case that does the following, in order: +- Import of a primary key plus user id +- Check that import of a subkey works, without a user id present in the +imported key +- Check that import of a subkey revocation works, without a user id or +subkey binding signature present in the imported key +- Check that import of a primary key revocation works, without a user id +present in the imported key + +-- + +Note that this test currently fails. The following changesets will +fix gpg so that the tests pass. + +GnuPG-Bug-id: 4393 +Signed-Off-By: Daniel Kahn Gillmor +--- + tests/openpgp/Makefile.am | 1 + + tests/openpgp/import-incomplete.scm | 68 +++++++++++++++++++ + .../import-incomplete/primary+revocation.asc | 9 +++ + .../primary+subkey+sub-revocation.asc | 10 +++ + .../primary+subkey+sub-sig.asc | 10 +++ + .../import-incomplete/primary+uid-sig.asc | 10 +++ + .../openpgp/import-incomplete/primary+uid.asc | 10 +++ + 7 files changed, 118 insertions(+) + create mode 100755 tests/openpgp/import-incomplete.scm + create mode 100644 tests/openpgp/import-incomplete/primary+revocation.asc + create mode 100644 tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc + create mode 100644 tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc + create mode 100644 tests/openpgp/import-incomplete/primary+uid-sig.asc + create mode 100644 tests/openpgp/import-incomplete/primary+uid.asc + +diff --git a/tests/openpgp/Makefile.am b/tests/openpgp/Makefile.am +index e5be42b41..d886bc8f7 100644 +--- a/tests/openpgp/Makefile.am ++++ b/tests/openpgp/Makefile.am +@@ -78,6 +78,7 @@ XTESTS = \ + gpgv-forged-keyring.scm \ + armor.scm \ + import.scm \ ++ import-incomplete.scm \ + import-revocation-certificate.scm \ + ecc.scm \ + 4gb-packet.scm \ 
+diff --git a/tests/openpgp/import-incomplete.scm b/tests/openpgp/import-incomplete.scm +new file mode 100755 +index 000000000..727a027c6 +--- /dev/null ++++ b/tests/openpgp/import-incomplete.scm +@@ -0,0 +1,68 @@ ++#!/usr/bin/env gpgscm ++ ++;; Copyright (C) 2016 g10 Code GmbH ++;; ++;; This file is part of GnuPG. ++;; ++;; GnuPG is free software; you can redistribute it and/or modify ++;; it under the terms of the GNU General Public License as published by ++;; the Free Software Foundation; either version 3 of the License, or ++;; (at your option) any later version. ++;; ++;; GnuPG is distributed in the hope that it will be useful, ++;; but WITHOUT ANY WARRANTY; without even the implied warranty of ++;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++;; GNU General Public License for more details. ++;; ++;; You should have received a copy of the GNU General Public License ++;; along with this program; if not, see . ++ ++(load (in-srcdir "tests" "openpgp" "defs.scm")) ++(setup-environment) ++ ++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+uid.asc"))) ++ ++(info "Test import of new subkey, from a certificate without uid") ++(define keyid "573EA710367356BB") ++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+subkey+sub-sig.asc"))) ++(tr:do ++ (tr:pipe-do ++ (pipe:gpg `(--list-keys --with-colons ,keyid))) ++ (tr:call-with-content ++ (lambda (c) ++ ;; XXX we do not have a regexp library ++ (unless (any (lambda (line) ++ (and (string-prefix? line "sub:") ++ (string-contains? 
line "573EA710367356BB"))) ++ (string-split-newlines c)) ++ (exit 1))))) ++ ++(info "Test import of a subkey revocation, from a certificate without uid") ++(define keyid "573EA710367356BB") ++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+subkey+sub-revocation.asc"))) ++(tr:do ++ (tr:pipe-do ++ (pipe:gpg `(--list-keys --with-colons ,keyid))) ++ (tr:call-with-content ++ (lambda (c) ++ ;; XXX we do not have a regexp library ++ (unless (any (lambda (line) ++ (and (string-prefix? line "sub:r:") ++ (string-contains? line "573EA710367356BB"))) ++ (string-split-newlines c)) ++ (exit 1))))) ++ ++(info "Test import of revocation, from a certificate without uid") ++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+revocation.asc"))) ++(tr:do ++ (tr:pipe-do ++ (pipe:gpg `(--list-keys --with-colons ,keyid))) ++ (tr:call-with-content ++ (lambda (c) ++ ;; XXX we do not have a regexp library ++ (unless (any (lambda (line) ++ (and (string-prefix? line "pub:r:") ++ (string-contains? 
line "0843DA969AA8DAFB"))) ++ (string-split-newlines c)) ++ (exit 1))))) ++ +diff --git a/tests/openpgp/import-incomplete/primary+revocation.asc b/tests/openpgp/import-incomplete/primary+revocation.asc +new file mode 100644 +index 000000000..6b7b60802 +--- /dev/null ++++ b/tests/openpgp/import-incomplete/primary+revocation.asc +@@ -0,0 +1,9 @@ ++-----BEGIN PGP PUBLIC KEY BLOCK----- ++Comment: [E] primary key, revocation signature over primary (no user ID) ++ ++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ ++631VAN2IeAQgFggAIBYhBLRpj5W82H/gSMzKKQhD2paaqNr7BQJc2ZQZAh0AAAoJ ++EAhD2paaqNr7qAwA/2jBUpnN0BxwRO/4CrxvrLIsL+C9aSXJUOTv8XkP4lvtAQD3 ++XsDFfFNgEueiTfF7HtOGt5LPmRqVvUpQSMVgJJW6CQ== ++=tM90 ++-----END PGP PUBLIC KEY BLOCK----- +diff --git a/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc b/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc +new file mode 100644 +index 000000000..83a51a549 +--- /dev/null ++++ b/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc +@@ -0,0 +1,10 @@ ++-----BEGIN PGP PUBLIC KEY BLOCK----- ++Comment: [D] primary key, subkey, subkey revocation (no user ID) ++ ++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ ++631VAN24OARc2ZQhEgorBgEEAZdVAQUBAQdABsd5ha0AWXdXcSmfeiWIfrNcGqQK ++j++lwwWDAOlkVicDAQgHiHgEKBYIACAWIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC ++XNmnkAIdAgAKCRAIQ9qWmqja+ylaAQDmIKf86BJEq4OpDqU+V9D+wn2cyuxbyWVQ ++3r9LiL9qNwD/QAjyrhSN8L3Mfq+wdTHo5i0yB9ZCCpHLXSbhCqfWZwQ= ++=dwx2 ++-----END PGP PUBLIC KEY BLOCK----- +diff --git a/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc b/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc +new file mode 100644 +index 000000000..dc47a02d8 +--- /dev/null ++++ b/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc +@@ -0,0 +1,10 @@ ++-----BEGIN PGP PUBLIC KEY BLOCK----- ++Comment: [B] primary key, subkey, subkey binding sig (no user ID) ++ 
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ ++631VAN24OARc2ZQhEgorBgEEAZdVAQUBAQdABsd5ha0AWXdXcSmfeiWIfrNcGqQK ++j++lwwWDAOlkVicDAQgHiHgEGBYIACAWIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC ++XNmUIQIbDAAKCRAIQ9qWmqja++vFAP98G1L+1/rWTGbsnxOAV2RocBYIroAvsbkR ++Ly6FdP8YNwEA7jOgT05CoKIe37MstpOz23mM80AK369Ca3JMmKKCQgg= ++=xuDu ++-----END PGP PUBLIC KEY BLOCK----- +diff --git a/tests/openpgp/import-incomplete/primary+uid-sig.asc b/tests/openpgp/import-incomplete/primary+uid-sig.asc +new file mode 100644 +index 000000000..134607d0e +--- /dev/null ++++ b/tests/openpgp/import-incomplete/primary+uid-sig.asc +@@ -0,0 +1,10 @@ ++-----BEGIN PGP PUBLIC KEY BLOCK----- ++Comment: [C] primary key and self-sig expiring in 2024 (no user ID) ++ ++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ ++631VAN2IlgQTFggAPgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBLRpj5W8 ++2H/gSMzKKQhD2paaqNr7BQJc2ZR1BQkJZgHcAAoJEAhD2paaqNr79soA/0lWkUsu ++3NLwgbni6EzJxnTzgeNMpljqNpipHAwfix9hAP93AVtFdC8g7hdUZxawobl9lnSN ++9ohXOEBWvdJgVv2YAg== ++=KWIK ++-----END PGP PUBLIC KEY BLOCK----- +diff --git a/tests/openpgp/import-incomplete/primary+uid.asc b/tests/openpgp/import-incomplete/primary+uid.asc +new file mode 100644 +index 000000000..055f30086 +--- /dev/null ++++ b/tests/openpgp/import-incomplete/primary+uid.asc +@@ -0,0 +1,10 @@ ++-----BEGIN PGP PUBLIC KEY BLOCK----- ++Comment: [A] primary key, user ID, and self-sig expiring in 2021 ++ ++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ ++631VAN20CHRlc3Qga2V5iJYEExYIAD4WIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC ++XNmUGQIbAwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAIQ9qWmqja +++0G1AQDdQiwhXxjXLMqoth+D4SigVHTJK8ORwifzsy3UE7mPGwD/aZ67XbAF/lgI ++kv2O1Jo0u9BL9RNNF+L0DM7rAFbfMAs= ++=1eII ++-----END PGP PUBLIC KEY BLOCK----- diff --git a/gnupg-add_legacy_FIPS_mode_option.patch b/gnupg-add_legacy_FIPS_mode_option.patch new file mode 100644 index 0000000..4593b2b --- /dev/null +++ b/gnupg-add_legacy_FIPS_mode_option.patch 
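Review bot: `(define keyid "573EA710367356BB")` is defined twice with the same value, once before the subkey test and again before the subkey-revocation test; the second definition can be dropped. The fixtures bake in self-signature expiry dates (the armor comments say 2021 and 2024), so the `sub:`/`pub:r:` prefix checks presumably keep passing after expiry only because the validity field is either ignored or revoked takes precedence; a one-line comment in the script such as `;; Note: the self-sigs in these fixtures expire in 2021/2024; the checks below do not depend on validity.` would save the next maintainer a puzzle when the test is run years later. The `;; XXX we do not have a regexp library` comment is repeated three times and could be stated once.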
@@ -0,0 +1,68 @@ +--- + doc/gpg.texi | 18 ++++++++++++++++++ + g10/gpg.c | 9 +++++++++ + 2 files changed, 27 insertions(+) + +Index: gnupg-2.2.20/doc/gpg.texi +=================================================================== +--- gnupg-2.2.20.orig/doc/gpg.texi ++++ gnupg-2.2.20/doc/gpg.texi +@@ -2133,6 +2133,24 @@ implies, this option is for experts only + understand the implications of what it allows you to do, leave this + off. @option{--no-expert} disables this option. + ++@item --set-legacy-fips ++@itemx --set-legacy-fips ++@opindex set-legacy-fips ++Enable legacy support even when the libgcrypt library is in FIPS 140-2 ++mode. The legacy mode of libgcrypt allows the use of all ciphers, ++including non-approved ciphers. This mode is needed when for legacy ++reasons a message must be encrypted or decrypted. Legacy reasons for ++decryptions include the decryption of old messages created with a ++public key that use cipher settings which do not meet FIPS 140-2 ++requirements. Legacy reasons for encryption include the encryption ++of messages with a recipients public key where the recipient is not ++bound to FIPS 140-2 regulation and therefore provided a key using ++non-approved ciphers. Although the legacy mode is a violation of strict ++FIPS 140-2 rule interpretations, it is wise to use this mode or ++either not being able to access old messages or not being able ++to create encrypted messages to a recipient that is not adhering ++to FIPS 140-2 rules. 
++ + @end table + + +Index: gnupg-2.2.20/g10/gpg.c +=================================================================== +--- gnupg-2.2.20.orig/g10/gpg.c ++++ gnupg-2.2.20/g10/gpg.c +@@ -429,6 +429,7 @@ enum cmd_and_opt_values + oUseOnlyOpenPGPCard, + oIncludeKeyBlock, + oNoIncludeKeyBlock, ++ oSetLegacyFips, + + oNoop + }; +@@ -874,6 +875,7 @@ static ARGPARSE_OPTS opts[] = { + ARGPARSE_s_n (oAllowMultipleMessages, "allow-multiple-messages", "@"), + ARGPARSE_s_n (oNoAllowMultipleMessages, "no-allow-multiple-messages", "@"), + ARGPARSE_s_n (oAllowWeakDigestAlgos, "allow-weak-digest-algos", "@"), ++ ARGPARSE_s_n (oSetLegacyFips, "set-legacy-fips", "@"), + + ARGPARSE_s_s (oDefaultNewKeyAlgo, "default-new-key-algo", "@"), + +@@ -3614,6 +3616,13 @@ main (int argc, char **argv) + opt.flags.use_only_openpgp_card = 1; + break; + ++ case oSetLegacyFips: ++ if(gcry_fips_mode_active()) ++ gcry_control (GCRYCTL_INACTIVATE_FIPS_FLAG, "Enable legacy support in FIPS 140-2 mode"); ++ else ++ log_info ("Command set-legacy-fips ignored as libgcrypt is not in FIPS mode\n"); ++ break; ++ + case oNoop: break; + + default: diff --git a/gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch b/gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch new file mode 100644 index 0000000..51802d7 --- /dev/null +++ b/gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch 
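Review bot: The `oSetLegacyFips` handler calls `gcry_fips_mode_active()` without a preceding `gcry_check_version(NULL)`, which the companion `gnupg-detect_FIPS_mode.patch` in this same commit explicitly says libgcrypt requires; since this runs inside option parsing, whether libgcrypt has already been initialized at this point is not visible here, so either add the call or confirm the init order. Deactivating FIPS mode is a compliance-relevant downgrade for the whole process and is done silently; it should at least be logged, e.g. `log_info ("legacy mode: libgcrypt FIPS mode deactivated for this run\n");`, and the option is registered hidden (`"@"`) so it never appears in `--help` despite having a texinfo entry. In the texinfo hunk `@item --set-legacy-fips` is immediately followed by an identical `@itemx --set-legacy-fips`; the `@itemx` line should be dropped, and the closing sentence ("it is wise to use this mode or either not being able…") needs rewording. `main` begins and ends outside the hunk.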
@@ -0,0 +1,107 @@ +From a1db83d8a3308277f01b96833c13693bd7e13ff9 Mon Sep 17 00:00:00 2001 +From: Vincent Breitmoser +Date: Thu, 13 Jun 2019 21:27:42 +0200 +Subject: [PATCH] gpg: allow import of previously known keys, even without UIDs + +* g10/import.c (import_one): Accept an incoming OpenPGP certificate that +has no user id, as long as we already have a local variant of the cert +that matches the primary key. + +-- + +This fixes two of the three broken tests in import-incomplete.scm. + +GnuPG-Bug-id: 4393 +Signed-off-by: Daniel Kahn Gillmor +--- + g10/import.c | 49 +++++++++++-------------------------------------- + 1 file changed, 11 insertions(+), 38 deletions(-) + +Index: gnupg-2.2.19/g10/import.c +=================================================================== +--- gnupg-2.2.19.orig/g10/import.c ++++ gnupg-2.2.19/g10/import.c +@@ -1792,7 +1792,6 @@ import_one_real (ctrl_t ctrl, + size_t an; + char pkstrbuf[PUBKEY_STRING_SIZE]; + int merge_keys_done = 0; +- int any_filter = 0; + KEYDB_HANDLE hd = NULL; + + if (r_valid) +@@ -1829,14 +1828,6 @@ import_one_real (ctrl_t ctrl, + log_printf ("\n"); + } + +- +- if (!uidnode ) +- { +- if (!silent) +- log_error( _("key %s: no user ID\n"), keystr_from_pk(pk)); +- return 0; +- } +- + if (screener && screener (keyblock, screener_arg)) + { + log_error (_("key %s: %s\n"), keystr_from_pk (pk), +@@ -1911,17 +1902,10 @@ import_one_real (ctrl_t ctrl, + } + } + +- if (!delete_inv_parts (ctrl, keyblock, keyid, options ) ) +- { +- if (!silent) +- { +- log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk)); +- if (!opt.quiet ) +- log_info(_("this may be caused by a missing self-signature\n")); +- } +- stats->no_user_id++; +- return 0; +- } ++ /* Delete invalid parts, and note if we have any valid ones left. ++ * We will later abort import if this key is new but contains ++ * no valid uids. */ ++ delete_inv_parts (ctrl, keyblock, keyid, options); + + /* Get rid of deleted nodes. 
*/ + commit_kbnode (&keyblock); +@@ -1931,24 +1915,11 @@ import_one_real (ctrl_t ctrl, + { + apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid); + commit_kbnode (&keyblock); +- any_filter = 1; + } + if (import_filter.drop_sig) + { + apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig); + commit_kbnode (&keyblock); +- any_filter = 1; +- } +- +- /* If we ran any filter we need to check that at least one user id +- * is left in the keyring. Note that we do not use log_error in +- * this case. */ +- if (any_filter && !any_uid_left (keyblock)) +- { +- if (!opt.quiet ) +- log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk)); +- stats->no_user_id++; +- return 0; + } + + /* The keyblock is valid and ready for real import. */ +@@ -2006,6 +1977,13 @@ import_one_real (ctrl_t ctrl, + err = 0; + stats->skipped_new_keys++; + } ++ else if (err && !any_uid_left (keyblock)) ++ { ++ if (!silent) ++ log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid)); ++ err = 0; ++ stats->no_user_id++; ++ } + else if (err) /* Insert this key. */ + { + /* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY. */ diff --git a/gnupg-detect_FIPS_mode.patch b/gnupg-detect_FIPS_mode.patch new file mode 100644 index 0000000..4611835 --- /dev/null +++ b/gnupg-detect_FIPS_mode.patch 
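Review bot: The return value of `delete_inv_parts` is now discarded; the removed code used it to detect "no valid user IDs", and if the function can signal anything else the new code can no longer tell, so an explicit `(void) delete_inv_parts (...)` with a comment that only the side effect is wanted would make the intent clear. The new skip branch formats the key with `keystr(keyid)` where the neighbouring messages use `keystr_from_pk(pk)`, and it uses `log_info` where the removed checks used `log_error`, so a UID-less new key presumably no longer affects the exit status — plausible for this fix, but the patch description does not say so. For an already-known key the merge now proceeds with no UID check at all, which is the stated purpose; `import_one_real` begins and ends outside the hunk.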
@@ -0,0 +1,44 @@ +Index: gnupg-2.2.27/g10/encrypt.c +=================================================================== +--- gnupg-2.2.27.orig/g10/encrypt.c ++++ gnupg-2.2.27/g10/encrypt.c +@@ -577,7 +577,8 @@ encrypt_crypt (ctrl_t ctrl, int filefd, + that the implementation behind any v4 key can handle 3DES. */ + if (cfx.dek->algo == -1) + { +- cfx.dek->algo = CIPHER_ALGO_3DES; ++ gcry_check_version (NULL); ++ cfx.dek->algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : CIPHER_ALGO_3DES; + } + + /* In case 3DES has been selected, print a warning if any key +@@ -841,7 +842,10 @@ encrypt_filter (void *opaque, int contro + /* Because 3DES is implicitly in the prefs, this can + only happen if we do not have any public keys in + the list. */ +- efx->cfx.dek->algo = DEFAULT_CIPHER_ALGO; ++ /* Libgcrypt manual says that gcry_version_check must be called ++ before calling gcry_fips_mode_active. */ ++ gcry_check_version (NULL); ++ efx->cfx.dek->algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : DEFAULT_CIPHER_ALGO; + } + + /* In case 3DES has been selected, print a warning if +Index: gnupg-2.2.27/g10/mainproc.c +=================================================================== +--- gnupg-2.2.27.orig/g10/mainproc.c ++++ gnupg-2.2.27/g10/mainproc.c +@@ -953,7 +953,12 @@ proc_plaintext( CTX c, PACKET *pkt ) + according to 2440, so hopefully it won't come up that often. + There is no good way to specify what algorithms to use in + that case, so these there are the historical answer. */ +- gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160); ++ ++ /* Libgcrypt manual says that gcry_version_check must be called ++ before calling gcry_fips_mode_active. */ ++ gcry_check_version (NULL); ++ if( !gcry_fips_mode_active() ) ++ gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 ); + gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1); + } + if (DBG_HASHING) 
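Review bot: The added comment `/* Libgcrypt manual says that gcry_version_check must be called before calling gcry_fips_mode_active. */` names a function that does not exist — the call on the following line is `gcry_check_version` — and the first hunk in `encrypt_crypt` makes the same `gcry_check_version (NULL)` call without any explanatory comment; use one corrected comment in all three places. Substituting AES for 3DES in FIPS mode overrides the guarantee stated in the surrounding comment that every v4 key can handle 3DES, so a recipient whose preferences omit AES could receive a message it cannot decrypt; a warning mirroring the existing "In case 3DES has been selected" warning would make that visible. In `proc_plaintext`, leaving RMD160 disabled means a v3 signature over that digest will later fail to verify with no hint of why; a `log_info` at that point would help. `encrypt_crypt`, `encrypt_filter` and `proc_plaintext` each begin and end outside the hunk.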
diff --git a/gnupg-dirmngr-Clear-the-error-count-to-try-certificate-as-binary.patch b/gnupg-dirmngr-Clear-the-error-count-to-try-certificate-as-binary.patch new file mode 100644 index 0000000..8f8660e --- /dev/null +++ b/gnupg-dirmngr-Clear-the-error-count-to-try-certificate-as-binary.patch @@ -0,0 +1,29 @@ +From 4d19759ce5fb4962b22a8bc04c3a54e3f47d2f17 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka +Date: Thu, 24 Mar 2022 13:55:32 +0900 +Subject: [PATCH] dirmngr: Clear the error count to try certificate as binary. + +* dirmngr/dirmngr-client.c (read_certificate): Call +log_get_errorcount. + +-- + +GnuPG-bug-id: 5531 +Signed-off-by: NIIBE Yutaka +--- + dirmngr/dirmngr-client.c | 2 ++ + 1 file changed, 2 insertions(+) + +Index: gnupg-2.2.27/dirmngr/dirmngr-client.c +=================================================================== +--- gnupg-2.2.27.orig/dirmngr/dirmngr-client.c ++++ gnupg-2.2.27/dirmngr/dirmngr-client.c +@@ -637,6 +637,8 @@ read_certificate (const char *fname, uns + err = read_pem_certificate (fname, rbuf, rbuflen, 1); + if (! err) + return 0; ++ /* Clear the error count to try as binary certificate. */ ++ log_get_errorcount (1); + } + + fp = fname? gnupg_fopen (fname, "rb") : stdin; diff --git a/gnupg-dirmngr-Suppress-error-message-on-trial-reading-as-PEM.patch b/gnupg-dirmngr-Suppress-error-message-on-trial-reading-as-PEM.patch new file mode 100644 index 0000000..6ac3100 --- /dev/null +++ b/gnupg-dirmngr-Suppress-error-message-on-trial-reading-as-PEM.patch 
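Review bot: `log_get_errorcount (1)` resets the process-wide error counter, not only the error raised by the PEM attempt, so any error logged earlier in this `dirmngr-client` run is forgotten as well and can no longer affect the exit status. Reading the count before the trial (`int errcount = log_get_errorcount (0);`) and only clearing when it went from zero to non-zero would limit the reset to this fallback; the companion patch in this commit that passes `no_errmsg` to `read_pem_certificate` presumably stops the trial from logging at all, in which case this reset may be unnecessary. `read_certificate` begins and ends outside the hunk.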
@@ -0,0 +1,67 @@
+From 25d37a0a6a9c42326777c2949054a8bd6f276f8a Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka
+Date: Fri, 25 Mar 2022 08:38:42 +0900
+Subject: [PATCH] dirmngr: Suppress error message on trial reading as PEM
+ format.
+
+* dirmngr/dirmngr-client.c (read_pem_certificate): Add NO_ERRMSG
+argument to suppress the error message.
+(read_certificate, squid_loop_body): Follow the change.
+
+--
+
+GnuPG-bug-id: 5531
+Signed-off-by: NIIBE Yutaka
+---
+ dirmngr/dirmngr-client.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+Index: gnupg-2.2.27/dirmngr/dirmngr-client.c
+===================================================================
+--- gnupg-2.2.27.orig/dirmngr/dirmngr-client.c
++++ gnupg-2.2.27/dirmngr/dirmngr-client.c
+@@ -460,7 +460,8 @@ data_cb (void *opaque, const void *buffe
+ returned in an alloced buffer whose address will be returned in
+ RBUF and its length in RBUFLEN. */
+ static gpg_error_t
+-read_pem_certificate (const char *fname, unsigned char **rbuf, size_t *rbuflen)
++read_pem_certificate (const char *fname, unsigned char **rbuf, size_t *rbuflen,
++ int no_errmsg)
+ {
+ FILE *fp;
+ int c;
+@@ -603,7 +604,8 @@ read_pem_certificate (const char *fname,
+ }
+ else if (state != s_waitend)
+ {
+- log_error ("no certificate or invalid encoded\n");
++ if (!no_errmsg)
++ log_error ("no certificate or invalid encoded\n");
+ xfree (buf);
+ return gpg_error (GPG_ERR_INV_ARMOR);
+ }
+@@ -626,13 +628,13 @@ read_certificate (const char *fname, uns
+ size_t nread, bufsize, buflen;
+
+ if (opt.pem)
+- return read_pem_certificate (fname, rbuf, rbuflen);
++ return read_pem_certificate (fname, rbuf, rbuflen, 0);
+ else if (fname)
+ {
+ /* A filename has been given. Let's just assume it is in PEM
+ format and decode it, and fall back to interpreting it as
+ binary certificate if that fails. */
+- err = read_pem_certificate (fname, rbuf, rbuflen);
++ err = read_pem_certificate (fname, rbuf, rbuflen, 1);
+ if (! err)
+ return 0;
+ }
+@@ -904,7 +906,7 @@ squid_loop_body (assuan_context_t ctx)
+ unsigned char *certbuf;
+ size_t certbuflen = 0;
+
+- err = read_pem_certificate (NULL, &certbuf, &certbuflen);
++ err = read_pem_certificate (NULL, &certbuf, &certbuflen, 0);
+ if (gpg_err_code (err) == GPG_ERR_EOF)
+ return err;
+ if (err)
diff --git a/gnupg-dont-fail-with-seahorse-agent.patch b/gnupg-dont-fail-with-seahorse-agent.patch
new file mode 100644
index 0000000..b06e69b
--- /dev/null
+++ b/gnupg-dont-fail-with-seahorse-agent.patch
@@ -0,0 +1,17 @@
+---
+ g10/passphrase.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: gnupg-2.1.0/g10/passphrase.c
+===================================================================
+--- gnupg-2.1.0.orig/g10/passphrase.c 2014-11-07 16:52:11.080483153 +0100
++++ gnupg-2.1.0/g10/passphrase.c 2014-11-07 16:52:11.996494299 +0100
+@@ -71,7 +71,7 @@ encode_s2k_iterations (int iterations)
+ {
+ /* Don't print an error if an older agent is used. */
+ if (err && gpg_err_code (err) != GPG_ERR_ASS_PARAMETER)
+- log_error (_("problem with the agent: %s\n"), gpg_strerror (err));
++ log_info (_("problem with the agent: %s\n"), gpg_strerror (err));
+ /* Default to 65536 which we used up to 2.0.13. */
+ return 96;
+ }
diff --git a/gnupg-gpg-agent-ulimit.patch b/gnupg-gpg-agent-ulimit.patch
new file mode 100644
index 0000000..d7de5ea
--- /dev/null
+++ b/gnupg-gpg-agent-ulimit.patch
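Review bot: The new NO_ERRMSG argument of read_pem_certificate is not described in the function's header comment, whose tail is visible in the hunk at 460 ("returned in an alloced buffer ... RBUF and its length in RBUFLEN"); add a sentence such as `If NO_ERRMSG is set, the diagnostic for a missing or badly encoded PEM block is suppressed; read_certificate uses this for its trial parse before falling back to a binary certificate.` Only the single log_error at old line 606 is gated by the flag, so if the function has other diagnostics on paths not shown here, a trial read may still print them; worth checking the rest of the body, which lies outside these hunks. read_pem_certificate, read_certificate and squid_loop_body all start and end outside the hunks shown.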
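Review bot: Downgrading the message to log_info in encode_s2k_iterations's fallback means any agent failure other than GPG_ERR_ASS_PARAMETER no longer bumps the error counter, yet the code still returns the fixed count 96 (the 65536-iteration default named in the comment below), so a broken or third-party agent now silently yields a predetermined S2K count instead of a reportable error. If that is intended, the comment above the check, which only explains the old-agent case, should say so, e.g. `/* Old or third-party agents (per the patch name, seahorse) may not support this query; report other failures only as a note and fall back to the 2.0.13 default below. */`. If not, keeping log_error for genuinely unexpected error codes while special-casing the one seahorse returns would preserve the exit-status signal. The function starts outside the hunk.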
@@ -0,0 +1,35 @@
+gpg-agent is in the chain of commands in xinitrc.
+It receives a list of commands via argv[] which it is supposed to launch via exec.
+In this mode all what matters is a bunch of setenv() of gpg related variables.
+At no point it must fiddle with ulimit that was provided by its callers.
+In case of xinitrc it was most likely pam_limits which, for example, configured the coredump settings for this session.
+
+Every code path before the fork() call does no sensitive things, so coredumps do not matter.
+
+gpg-agent does fork a child in this mode.
+That child has the liberty to tweak ulimit in every way it wants.
+This is what this patch does.
+
+Without this patch, all applications launched after gpg-agent are unable to coredump, because systemd-coredump check the ulimit of the crashed process.
+As a result, crashes of desktop applications can not be debugged.
+
+References: bsc#1124847
+
+--- a/agent/gpg-agent.c
++++ b/agent/gpg-agent.c
+@@ -1049,7 +1049,6 @@ main (int argc, char **argv )
+ gcry_control (GCRYCTL_USE_SECURE_RNDPOOL);
+ gcry_set_progress_handler (agent_libgcrypt_progress_cb, NULL);
+
+- disable_core_dumps ();
+
+ /* Set default options. */
+ parse_rereadable_options (NULL, 0); /* Reset them to default values. */
+@@ -1738,6 +1737,7 @@ main (int argc, char **argv )
+ /*
+ This is the child
+ */
++ disable_core_dumps ();
+
+ initialize_modules ();
+
diff --git a/gnupg-set_umask_before_open_outfile.patch b/gnupg-set_umask_before_open_outfile.patch
new file mode 100644
index 0000000..4c1dcef
--- /dev/null
+++ b/gnupg-set_umask_before_open_outfile.patch
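Review bot: Removing the early `disable_core_dumps ();` and re-adding it only in the forked child (the `This is the child` branch at 1737) leaves every gpg-agent mode that does not pass through this fork running with core dumps enabled while it holds unlocked private keys and cached passphrases; I believe `--server` and `--supervised` are such non-forking paths in 2.2, which would make this a security regression the description above does not account for. Prefer to keep the early call and skip it only in the exec-a-command mode that motivates this patch, or add `disable_core_dumps ();` at the start of the non-forking server paths as well. The description's claim "Every code path before the fork() call does no sensitive things" then needs qualifying for those modes. main starts and ends outside the hunk.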
@@ -0,0 +1,43 @@
+Index: gnupg-2.1.20/g10/plaintext.c
+===================================================================
+--- gnupg-2.1.20.orig/g10/plaintext.c 2017-04-03 17:13:56.000000000 +0200
++++ gnupg-2.1.20/g10/plaintext.c 2017-04-04 09:53:31.541145727 +0200
+@@ -24,6 +24,7 @@
+ #include
+ #include
+ #include
++#include
+ #ifdef HAVE_DOSISH_SYSTEM
+ # include /* for setmode() */
+ #endif
+@@ -38,6 +39,9 @@
+ #include "../common/status.h"
+ #include "../common/i18n.h"
+
++/* define safe permissions for creating plaintext files */
++#define GPG_SAFE_PERMS (S_IRUSR | S_IWUSR)
++#define GPG_SAFE_UMASK (0777 & ~GPG_SAFE_PERMS)
+
+ /* Get the output filename. On success, the actual filename that is
+ used is set in *FNAMEP and a filepointer is returned in *FP.
+@@ -161,11 +165,15 @@ get_output_file (const byte *embedded_na
+ log_error (_("error creating '%s': %s\n"), fname, gpg_strerror (err));
+ goto leave;
+ }
+- else if (!(fp = es_fopen (fname, "wb")))
+- {
+- err = gpg_error_from_syserror ();
+- log_error (_("error creating '%s': %s\n"), fname, gpg_strerror (err));
+- goto leave;
++ else {
++ mode_t saved_umask = umask(GPG_SAFE_UMASK);
++ if( !(fp = es_fopen(fname,"wb")) ) {
++ err = gpg_error_from_syserror ();
++ log_error(_("error creating `%s': %s\n"), fname, strerror(errno) );
++ umask(saved_umask);
++ goto leave;
++ }
++ umask(saved_umask);
+ }
+ #else /* __riscos__ */
+ /* If no output filename was given, i.e. we constructed it, convert
diff --git a/gpg2.changes b/gpg2.changes
new file mode 100644
index 0000000..d54abac
--- /dev/null
+++ b/gpg2.changes
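Review bot: The restrictive umask wrapped around `es_fopen(fname,"wb")` only governs newly created files; when `fname` already exists, "wb" truncates it and keeps its existing mode, so a pre-existing world-readable output file still ends up holding the plaintext with no protection from this change. If the estream in use supports the exclusive flag, open with `"wbx"` and fail on an existing file (or fchmod the descriptor after opening), and say in the `/* define safe permissions ... */` comment that the umask covers creation only. Separately, the replacement log_error changes the translated msgid from `'%s'` to `` `%s' `` and uses `strerror(errno)` instead of the `gpg_strerror (err)` used two lines above; keep `log_error (_("error creating '%s': %s\n"), fname, gpg_strerror (err));` so the existing translation and error formatting are unchanged. umask is process-wide, so the temporary swap is also unsafe if any other thread creates files concurrently. get_output_file starts and ends outside the hunk.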
@@ -0,0 +1,1818 @@ +* Wed Nov 22 2023 otto.hollmann@suse.com +- Suppress error message on trial reading as PEM format when using + dirmngr to validate broken DER encoded files (bsc#1217212) + * Add patches: + - gnupg-dirmngr-Suppress-error-message-on-trial-reading-as-PEM.patch + - gnupg-dirmngr-Clear-the-error-count-to-try-certificate-as-binary.patch +* Mon Jul 18 2022 david.anes@suse.com +- Security fix [CVE-2022-34903, bsc#1201225] + - Vulnerable to status injection + - Added patch gnupg-CVE-2022-34903.patch +* Wed Jun 8 2022 meissner@suse.com +- gnupg-detect_FIPS_mode.patch: use AES as default cipher instead + of 3DES if we are in FIPS mode. (bsc#1196125) +* Mon Feb 22 2021 pmonreal@suse.com +- Update gpg2 for SLE15-SP3 [jsc#SLE-17559, bsc#1182572] +- Remove patches fixed upstream: + * gnupg-gpg-agent-ssh-agent.patch + * gnupg-2.2.22-fix-segv-import-keys.patch + * gnupg-Allow-redirection-from-https-to-http-for-CRLs.patch + * gnupg-CRL-fetching-via-https.patch + * gnupg-CVE-2018-1000858.patch + * gnupg-CVE-2018-12020.patch + * gnupg-CVE-2019-13050_0_of_5.patch + * gnupg-CVE-2019-13050_1_of_5.patch + * gnupg-CVE-2019-13050_2_of_5.patch + * gnupg-CVE-2019-13050_3_of_5.patch + * gnupg-CVE-2019-13050_4_of_5.patch + * gnupg-CVE-2019-13050_5_of_5.patch + * gnupg-CVE-2019-14855.patch +- Update gpg2.keyring +* Tue Jan 12 2021 andreas.stieger@gmx.de +- GnuPG 2.2.27: + * gpgconf: Fix case with neither local nor global gpg.conf + * gpgconf: Fix description of two new options +- includes changes from 2.2.26: + * gpg: New AKL method "ntds" + * gpg: Fix --trusted-key with fingerprint arg + * scd: Fix writing of ECC keys to an OpenPGP card + * scd: Make an USB error fix specific to SPR532 readers + * dirmngr: With new LDAP keyservers store the new attributes. + Never store the useless pgpSignerID. Fix a long standing + bug storing some keys on an ldap server. 
+ * dirmngr: Support the new Active Direcory LDAP schema for + keyservers + * dirmngr: Allow LDAP OpenPGP searches via fingerprint + * dirmngr: Do not block other threads during keyserver LDAP calls + * Support global configuration files + * Fix the iconv fallback handling to UTF-8 +* Mon Nov 23 2020 andreas.stieger@gmx.de +- GnuPG 2.2.25: + * scd: Fix regression in 2.2.24 requiring gpg --card-status + before signing or decrypting + * gpgsm: Using Libksba 1.5.0 signatures with a rarely used + combination of attributes can now be verified +* Tue Nov 17 2020 andreas.stieger@gmx.de +- GnuPG 2.2.24: + * gpg: New command --quick-revoke-sig + * gpg: Do not use weak digest algos if selected by recipient + preference during sign+encrypt + * gpg: Switch to AES256 for symmetric encryption in de-vs mode + * gpg: Silence weak digest warnings with --quiet + * gpg: Print new status line CANCELED_BY_USER for a cancel during + symmetric encryption + * gpg: Fix the encrypt+sign hash algo preference selection for + ECDSA. 
This is in particular needed for keys created from + existing smartcard based keys + * agent: Fix secret key import of GnuPG 2.3 generated Ed25519 + keys + * agent: Keep some permissions of private-keys-v1.d + * dirmngr: Align sks-keyservers.netCA.pem use between ntbtls and + gnutls builds + * dirmngr: Fix the pool keyserver case for a single host in the + pool + * scd: Fix the use case of verify_chv2 by CHECKPIN + * scd: Various improvements to the ccid-driver + * scd: Minor fixes for Yubikey + * gpgconf: New option --show-versions + * i18n: Complete overhaul and completion of the Italian + translation +* Thu Sep 3 2020 andreas.stieger@gmx.de +- GnuPG 2.2.23: + * gpg: fix AHEAD preference list overflow boo#1176034 / CVE-2020-25125 + * gpg: fix possible segv in the key cleaning code + * gpgsm: fix a minor RFC2253 parser gub + * scdaemon: Fix a PIN verify failure on certain OpenPGP card + implementations +* Wed Sep 2 2020 pmonreal@suse.com +- Fix segv importing certain keys (e.g. ed25519). 
[bsc#1176034] +- Add gnupg-2.2.22-fix-segv-import-keys.patch +* Tue Sep 1 2020 andreas.stieger@gmx.de +- GnuPG 2.2.22: + * gpg: Change the default key algorithm to rsa3072 + * gpg: Add regular expression support for Trust Signatures on + all platforms + * gpg: Ignore --personal-digest-prefs for ECDSA keys + * gpgsm: Make rsaPSS a de-vs compliant scheme + * gpgsm: Show also the SHA256 fingerprint in key listings + * gpgsm: Do not require a default keyring for --gpgconf-list + * gpg-agent: Default to extended key format and record the + creation time of keys + Add new option --disable-extended-key-format + * gpg-agent: Support the WAYLAND_DISPLAY envvar + * gpg-agent: Allow using --gpgconf-list even if HOME does not + exist + * gpg-agent: Make the Pinentry work even if the envvar TERM is + set to the empty string + * scdaemon: Add a workaround for Gnuk tokens <= 2.15 which + wrongly incremented the error counter when using the + "verify" command of "gpg --edit-key" with only the signature + key being present + * dirmngr: Better handle systems with disabled IPv6 + * gpgpslit: Install tool. 
It was not installed in the past to + avoid conflicts with the version installed by GnuPG 1.4 + * gpgtar: Make --files-from and --null work as documented +- drop gnupg-gpgme-t-encrypt-sym.patch, upstream +* Tue Jul 14 2020 pmonrealgonzalez@suse.com +- Fix regression in latest gpg2 that makes gpgme fail to build [bsc#1174007] +- Add gnupg-gpgme-t-encrypt-sym.patch +* Thu Jul 9 2020 andreas.stieger@gmx.de +- GnuPG 2.2.21: + * gpg: Improve symmetric decryption speed by about 25%% + * gpg: Support decryption of AEAD encrypted data packets + * gpg: Add option --no-include-key-block + * gpg: Allow for extra padding in ECDH + * gpg: Only a single pinentry is shown for symmetric encryption if + the pinentry supports this + * gpg: Print a note if no keys are given to --delete-key + * gpg,gpgsm: The ridiculous passphrase quality bar is not anymore + shown + * gpgsm: Certificates without a CRL distribution point are now + considered valid without looking up a CRL. The new option + - -enable-issuer-based-crl-check can be used to revert to the + former behaviour + * gpgsm: Support rsaPSS signature verification + * gpgsm: Unless CRL checking is disabled lookup a missing issuer + certificate using the certificate's authorityInfoAccess + * gpgsm: Print the certificate's serial number also in decimal + notation + * gpgsm: Fix possible NULL-deref in messages of --gen-key + * scd: Support the CardOS 5 based D-Trust Card 3.1 + * dirmngr: Allow http URLs with "LOOKUP --url" + * wkd: Take name of sendmail from configure. 
Fixes an OpenBSD + specific bug +* Thu May 21 2020 pmonrealgonzalez@suse.com +- Fix warning: agent returned different signature type ssh-rsa + * The gpg-agent's ssh-agent does not handle flags in signing + requests properly [bsc#1161268, bsc#1172308] + * Add gnupg-gpg-agent-ssh-agent.patch +* Thu Apr 30 2020 pmonrealgonzalez@suse.com +- Fix gpgme and gpgme-qt builds on gpg2 2.2.20 update [bsc#1170811] +- Refresh patches: + * gnupg-2.2.8-files-are-digests.patch + * gnupg-add_legacy_FIPS_mode_option.patch +* Fri Mar 20 2020 andreas.stieger@gmx.de +- GnuPG 2.2.20: + * Protect the error counter against overflow to guarantee that the + tools can't be tricked into returning success after an error + * gpg: Make really sure that --verify-files always returns an error + * gpg: Fix key listing --with-secret if a pattern is given + * gpg: Fix detection of certain keys used as default-key + * gpg: Fix default-key selection when a card is available + * gpg: Fix key expiration and key usage for keys created with a + creation date of zero + * gpgsm: Fix import of some CR,LF terminated certificates + * gpg: New options --include-key-block and --auto-key-import to + allow encrypted replies after an initial signed message + * gpg: Allow the use of a fingerprint with --trusted-key + * gpg: New property "fpr" for use by --export-filter + * scdaemon: Disable the pinpad if a KDF DO is used + * dirmngr: Improve finding OCSP certificates +- drop gpg2-gcc10-build-fno-common.patch, upstream +* Fri Mar 13 2020 fvogt@suse.com +- Split dirmngr into a subpackage to avoid a hard dependency of + gpg2 on libgnutls +* Wed Feb 19 2020 pmonrealgonzalez@suse.com +- Fix build with GCC-10: [bsc#1160394] + * Always use EXTERN_UNLESS_MAIN_MODULE pattern + * In GCC-10, the default option -fcommon will change to -fno-common +- Add gpg2-gcc10-build-fno-common.patch +* Fri Jan 10 2020 pmonrealgonzalez@suse.com +- Accept key updates even without UIDs [bsc#1143158] +- Add patches: + * 
gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch + * gnupg-accept_subkeys_with_a_good_revocation_but_no_self-sig_during_import.patch + * gnupg-add-test-cases-for-import-without-uid.patch +* Thu Jan 9 2020 pmonrealgonzalez@suse.com +- Security fix: [bsc#1157900, CVE-2019-14855, jsc#SLE-16534] + * Web of Trust forgeries using collisions in SHA-1 signatures + * Ignore all SHA-1 signatures in 3rd party key signatures. + * Forbid the creation of SHA-1 third-party key signatures. + * Add option --allow-weak-key-signatures +- Add gnupg-CVE-2019-14855.patch +* Sat Dec 7 2019 andreas.stieger@gmx.de +- update to 2.2.19: + * gpg: Fix double free when decrypting for hidden recipients + * gpg: Use auto-key-locate for encryption even for mail addressed + given with angle brackets + * gpgsm: Add special case for certain expired intermediate + certificates +* Wed Nov 27 2019 pmonrealgonzalez@suse.com +- Update to 2.2.18 [bsc#1157900, CVE-2019-14855] + * gpg: Changed the way keys are detected on a smartcards; this + allows the use of non-OpenPGP cards. In the case of a not very + likely regression the new option --use-only-openpgp-card is + available. [#4681] + * gpg: The commands --full-gen-key and --quick-gen-key now allow + direct key generation from supported cards. [#4681] + * gpg: Prepare against chosen-prefix SHA-1 collisions in key + signatures. This change removes all SHA-1 based key signature + newer than 2019-01-19 from the web-of-trust. Note that this + includes all key signature created with dsa1024 keys. The new + option --allow-weak-key-signatues can be used to override the new + and safer behaviour. [#4755,CVE-2019-14855] + * gpg: Improve performance for import of large keyblocks. [#4592] + * gpg: Implement a keybox compression run. [#4644] + * gpg: Show warnings from dirmngr about redirect and certificate + problems (details require --verbose as usual). 
+ * gpg: Allow to pass the empty string for the passphrase if the + '--passphase=' syntax is used. [#4633] + * gpg: Fix printing of the KDF object attributes. + * gpg: Avoid surprises with --locate-external-key and certain + - -auto-key-locate settings. [#4662] + * gpg: Improve selection of best matching key. [#4713] + * gpg: Delete key binding signature when deletring a subkey. + [#4665,#4457] + * gpg: Fix a potential loss of key sigantures during import with + self-sigs-only active. [#4628] + * gpg: Silence "marked as ultimately trusted" diagnostics if + option --quiet is used. [#4634] + * gpg: Silence some diagnostics during in key listsing even with + option --verbose. [#4627] + * gpg, gpgsm: Change parsing of agent's pkdecrypt results. [#4652] + * gpgsm: Support AES-256 keys. + * gpgsm: Fix a bug in triggering a keybox compression run if + - -faked-system-time is used. + * dirmngr: System CA certificates are no longer used for the SKS + pool if GNUTLS instead of NTBTLS is used as TLS library. [#4594] + * dirmngr: On Windows detect usability of IPv4 and IPv6 interfaces + to avoid long timeouts. [#4165] + * scd: Fix BWI value for APDU level transfers to make Gemalto Ezio + Shield and Trustica Cryptoucan work. [#4654,#4566] + * wkd: gpg-wks-client --install-key now installs the required policy + file. +- Rebase patches: + * gnupg-2.2.8-files-are-digests.patch + * gnupg-add_legacy_FIPS_mode_option.patch +* Wed Oct 2 2019 pmonrealgonzalez@suse.com +- Remove self-buildrequire [bsc#1152755] +* Thu Sep 19 2019 lnussel@suse.de +- Do not recommend lang package. The lang package already has a + supplements. 
+* Mon Jul 22 2019 pmonrealgonzalez@suse.com +- Security fix: [bsc#1141093, CVE-2019-13050] + * Denial of service attacks via big keys + * Added patches: + - gnupg-CVE-2019-13050_0_of_5.patch + - gnupg-CVE-2019-13050_1_of_5.patch + - gnupg-CVE-2019-13050_2_of_5.patch + - gnupg-CVE-2019-13050_3_of_5.patch + - gnupg-CVE-2019-13050_4_of_5.patch + - gnupg-CVE-2019-13050_5_of_5.patch +* Thu Jul 11 2019 pmonrealgonzalez@suse.com +- Update to 2.2.17 [bsc#1141093] + * gpg: Do not try the import fallback if the options are already used. + * gpg: Fix regression in option "self-sigs-only". + * gpg: With --auto-key-retrieve prefer WKD over keyservers. + * gpg: Add "self-sigs-only" and "import-clean" to the keyserver options. + * gpg: Avoid printing false AKL error message. + * gpg: New command --locate-external-key. + * gpg: Make the get_pubkey_byname interface easier to understand. + * gpg: Fallback to import with self-sigs-only on too large keyblocks. + * gpg: New import and keyserver option "self-sigs-only" + * gpg: Make read_block in import.c more flexible. + * dirmngr: fix handling of HTTPS redirections during HKP. + * dirmngr: Avoid endless loop in case of HTTP error 503. + * dirmngr: Do not rewrite the redirection for the "openpgpkey" subdomain. + * dirmngr: Support the new WKD draft with the openpgpkey subdomain. + * wkd: Change client/server limit back to 64 KiB. + * tools: gpgconf: Killing order is children-first. + * Return better error code for some getinfo IPC commands. + * po: Update Russian translation. +* Wed Jun 19 2019 jsikes@suse.de +- Fix secure memory being disabled before fips checks in libgcrypt [boo#1137307] + * Added gnupg-2.2.16-secmem.patch +* Thu May 30 2019 pmonrealgonzalez@suse.com +- Update to 2.2.16 + * gpg: Fixed i18n markup of some strings. + * gpg: Allow deletion of subkeys with --delete-[secret-]key. + * gpg: Do not bail on an invalid packet in the local keyring. + * gpg: Do not allow creation of user ids larger than our parser allows. 
+ * gpg: Do not delete any keys if --dry-run is passed. + * gpg: Fix using --decrypt along with --use-embedded-filename. + * gpg: Improve the photo image viewer selection. + * gpg: enable OpenPGP export of cleartext keys with comments. + * gpg: Do not print a hint to use the deprecated --keyserver option. + * gpg: Change update_keysig_packet to replace SHA-1 by SHA-256. + * gpg: Use just the addrspec from the Signer's UID. + * gpg: Accept also armored data from the WKD. + * gpg: Set a limit of 5 to the number of keys imported from the WKD. + * gpg: Don't use EdDSA algo ID for ECDSA curves. + * agent: Stop scdaemon after reload when disable_scdaemon. + * agent: For SSH key, don't put NUL-byte at the end. + * agent: correct length for uri and comment on 64-bit big-endian platforms + * dirmngr: Allow for other hash algorithms than SHA-1 in OCSP. + * dirmngr: Improve domaininfo cache update algorithm. + * dirmngr: Better error code for http status 413. + * g10: Fix possible null dereference. + * g10: Fix double free when locating by mbox. + * g10: Fix symmetric cipher algo constant for ECDH. + * sm: Avoid confusing diagnostic for the default key. + * sm: Fix a warning in an es_fopencooie function. + * gpgconf: Before --launch check that the config file is fine. + * gpgconf: Support --homedir for --launch. + * build: Update m4/iconv.m4. + * doc: correct documentation for gpgconf --kill. + * scd: Add dummy option --application-priority. + * common: Fix AWK portability. +* Mon Apr 29 2019 pmonrealgonzalez@suse.com +- Allow coredumps in X11 desktop sessions (bsc#1124847) + gpg-agent unconditionally disables coredumps, which is not + supposed to happen in the code path that does just exec(argv[]) + * Added gnupg-gpg-agent-ulimit.patch +* Thu Mar 28 2019 kbabioch@suse.de +- Update to 2.2.15 + * sm: Allow decryption even if expired keys are configured. + * agent: Change command KEYINFO to print ssh fingerprints with other + hash algos. 
+ * dirmngr: Fix build problems on Solaris due to the use of reserved + symbol names. + * wkd: New commands --print-wkd-hash and --print-wkd-url for + gpg-wks-client. +* Tue Mar 19 2019 kbabioch@suse.de +- Update to 2.2.14: + * gpg: Allow import of PGP desktop exported secret keys. Also avoid + importing secret keys if the secret keyblock is not valid. + * gpg: Do not error out on version 5 keys in the local keyring. + * gpg: Make invalid primary key algo obvious in key listings. + * sm: Do not mark a certificate in a key listing as de-vs compliant + if its use for a signature will not be possible. + * sm: Fix certificate creation with key on card. + * sm: Create rsa3072 bit certificates by default. + * sm: Print Yubikey attestation extensions with --dump-cert. + * agent: Fix cancellation handling for scdaemon. + * agent: Support --mode=ssh option for CLEAR_PASSPHRASE. + * scd: Fix flushing of the CA-FPR DOs in app-openpgp. + * scd: Avoid a conflict error with the "undefined" app. + * dirmngr: Add CSRF protection exception for protonmail. + * dirmngr: Fix build problems with gcc 9 in libdns. + * gpgconf: New option --show-socket for use wity --launch. + * gpgtar: Make option -C work for archive creation. 
+- Removed patches that are included upstream by now: + - 0001-libdns-Avoid-using-compound-literals.patch + - 0002-libdns-Avoid-using-compound-literals-2.patch + - 0003-libdns-Avoid-using-compound-literals-3.patch + - 0004-libdns-Avoid-using-compound-literals-4.patch + - 0005-libdns-Avoid-using-compound-literals-5.patch + - 0006-libdns-Avoid-using-compound-literals-6.patch + - 0007-libdns-Avoid-using-compound-literals-7.patch + - 0008-libdns-Avoid-using-compound-literals-8.patch +* Tue Feb 26 2019 pmonrealgonzalez@suse.com +- Fix build with gcc9 [bsc#1121223] + * Avoid using compound literals + - Upstream bug: https://dev.gnupg.org/T4367 + * Added upstream patches: + - 0001-libdns-Avoid-using-compound-literals.patch + - 0002-libdns-Avoid-using-compound-literals-2.patch + - 0003-libdns-Avoid-using-compound-literals-3.patch + - 0004-libdns-Avoid-using-compound-literals-4.patch + - 0005-libdns-Avoid-using-compound-literals-5.patch + - 0006-libdns-Avoid-using-compound-literals-6.patch + - 0007-libdns-Avoid-using-compound-literals-7.patch + - 0008-libdns-Avoid-using-compound-literals-8.patch +* Wed Feb 13 2019 kbabioch@suse.de +- Update to 2.2.13: + * gpg: Implement key lookup via keygrip (using the & prefix). + * gpg: Allow generating Ed25519 key from existing key. + * gpg: Emit an ERROR status line if no key was found with -k. + * gpg: Stop early when trying to create a primary Elgamal key. + * gpgsm: Print the card's key algorithms along with their keygrips + in interactive key generation. + * agent: Clear bogus pinentry cache in the error case. + * scd: Support "acknowledge button" feature. + * scd: Fix for USB INTERRUPT transfer. + * wks: Do no use compression for the the encrypted challenge and response. 
+ Release-info: https://dev.gnupg.org/T4290 + See-also: gnupg-announce/2019q1/000434.html +* Wed Jan 2 2019 pmonrealgonzalez@suse.com +- Security fix: [bsc#1120346, CVE-2018-1000858] + * Cross Site Request Forgery (CSRF) vulnerability in dirmngr that + can result in Attacker controlled CSRF. + * Added patches: + - gnupg-CRL-fetching-via-https.patch + - gnupg-Allow-redirection-from-https-to-http-for-CRLs.patch + - gnupg-CVE-2018-1000858.patch +* Fri Dec 14 2018 atoptsoglou@suse.com +- Update to 2.2.12: + * tools: New commands --install-key and --remove-key for + gpg-wks-client. This allows to prepare a Web Key Directory on a + local file system for later upload to a web server. + * gpg: New --list-option "show-only-fpr-mbox". This makes the use + of the new gpg-wks-client --install-key command easier on Windows. + * gpg: Improve processing speed when --skip-verify is used. + * gpg: Fix a bug where a LF was accidentally written to the console. + * gpg: --card-status now shwos whether a card has the new KDF + feature enabled. + * agent: New runtime option --s2k-calibration=MSEC. New configure + option --with-agent-s2k-calibration=MSEC. [#3399] + * dirmngr: Try another keyserver from the pool on receiving a 502, + 503, or 504 error. [#4175] + * dirmngr: Avoid possible CSRF attacks via http redirects. A HTTP + query will not anymore follow a 3xx redirect unless the Location + header gives the same host. If the host is different only the + host and port is taken from the Location header and the original + path and query parts are kept. + * dirmngr: New command FLUSHCRL to flush all CRLS from disk and + memory. [#3967] +* Thu Nov 8 2018 crrodriguez@opensuse.org +- Code no longer uses libcurl, remove from buildrequires. +* Tue Nov 6 2018 kbabioch@suse.com +- Update to 2.2.11: + * gpgsm: Fix CRL loading when intermediate certicates are not yet trusted. + * gpgsm: Fix an error message about the digest algo. 
+ * gpg: Fix a wrong warning due to new sign usage check introduced with 2.2.9. + * gpg: Print the "data source" even for an unsuccessful keyserver query. + * gpg: Do not store the TOFU trust model in the trustdb. + * scd: Fix cases of "Bad PIN" after using "forcesig". + * agent: Fix possible hang in the ssh handler. + * dirmngr: Tack the unmodified mail address to a WKD request. + * dirmngr: Tweak diagnostic about missing LDAP server file. + * dirmngr: In verbose mode print the OCSP responder id. + * dirmngr: Fix parsing of the LDAP port. + * wks: Add option --directory/-C to the server. + * wks: Add option --with-colons to the client. + * Fix EBADF when gpg et al. are called by broken CGI scripts. + * Fix some minor memory leaks and bugs. +* Thu Oct 4 2018 bwiedemann@suse.com +- Make package build reproducible (boo#1047218) +* Thu Aug 30 2018 kbabioch@suse.com +- Update to 2.2.10: + * Refresh expired keys originating from the WKD + * Use a 256 KiB limit for a WKD imported key + * New option --known-notation + * dirmngr: Validate SRV records in WKD queries +* Wed Jul 25 2018 tchvatal@suse.com +- Add basic udev rules for smartcards to be used with + scdaemon, taken from debian: + * scdaemon.udev +* Fri Jul 13 2018 astieger@suse.com +- GnuPG 2.2.9: + * dirmngr: Fix recursive resolver mode and other bugs in the + libdns code + * dirmngr: When using libgpg-error 1.32 or later a GnuPG build + with NTBTLS support does not anymore block for dozens of + seconds before returning data. + * gpg: Fix bug in --show-keys which actually imported revocation + certificates + * gpg: Ignore too long user-ID and comment packets + * gpg: Fix crash due to bad German translation. Improved printf + format compile time check. + * gpg: Handle missing ISSUER sub packet gracefully in the presence of + the new ISSUER_FPR + * gpg: Allow decryption using several passphrases in most cases. 
+ * gpg: Command --show-keys now enables the list options + show-unusable-uids, show-unusable-subkeys, show-notations and + show-policy-urls by default. + * gpg: Command --show-keys now prints revocation certificates. + * gpg: Add revocation reason to the "rev" and "rvs" records of the + option --with-colons. [#1173] + * gpg: Export option export-clean does now remove certain expired + subkeys; export-minimal removes all expired subkeys. + * gpg: New "usage" property for the drop-subkey filters. +* Fri Jun 8 2018 kbabioch@suse.com +- Added gnupg-CVE-2018-12020.patch: Sanitize the diagnostic output of the + original file name in verbose mode (bsc#1096745, CVE-2018-12020). +* Fri Jun 8 2018 kbabioch@suse.com +- Update to version 2.2.8: + * gpg: Decryption of messages not using the MDC mode will now lead to a + hard failure even if a legacy cipher algorithm was used. The option + - -ignore-mdc-error can be used to turn this failure into a warning. Take + care: Never use that option unconditionally or without a prior warning. + * gpg: The MDC encryption mode is now always used regardless of the + cipher algorithm or any preferences. For testing --rfc2440 can be + used to create a message without an MDC. + * gpg: Sanitize the diagnostic output of the original file name in + verbose mode (bsc#1096745, CVE-2018-12020) + * gpg: Detect suspicious multiple plaintext packets in a more reliable way. + * gpg: Fix the duplicate key signature detection code. + * gpg: The options --no-mdc-warn, --force-mdc, --no-force-mdc, + - -disable-mdc and --no-disable-mdc have no more effect. + * agent: Add DBUS_SESSION_BUS_ADDRESS and a few other envvars to the + list of startup environment variables. +- Refresh gnupg-2.0.18-files-are-digests.patch + to gnupg-2.2.8-files-are-digests.patch +* Fri May 4 2018 astieger@suse.com +- GnuPG 2.2.7: + * gpg: New option --no-symkey-cache to disable the passphrase + cache for symmetrical en- and decryption. 
+ * gpg: The ERRSIG status now prints the fingerprint if that is + part of the signature + * gpg: Relax emitting of FAILURE status lines + * gpg: Add a status flag to "sig" lines printed with --list-sigs + * gpg: Fix "Too many open files" when using --multifile + * ssh: Return an error for unknown ssh-agent flags + * dirmngr: Fix a CNAME problem with pools and TLS. Also use a + fixed mapping of keys.gnupg.net to sks-keyservers.net + * dirmngr: Try resurrecting dead hosts earlier (from 3h to 1.5h) + * dirmngr: Fallback to CRL if no default OCSP responder is + configured + * dirmngr: Implement CRL fetching via https. Here a redirection + to http is explictly allowed + * agent,dirmngr: New sub-command "getenv" for "getinfo" to ease + debugging +* Tue Apr 10 2018 kbabioch@suse.com +- GnuPG 2.2.6: + * gpg,gpgsm: New option --request-origin to pretend requests coming + from a browser or a remote site. + * gpg: Fix race condition on trustdb.gpg updates due to too early + released lock. + * gpg: Emit FAILURE status lines in almost all cases. + * gpg: Implement --dry-run for --passwd to make checking a key's + passphrase straightforward. + * gpg: Make sure to only accept a certification capable key for key + signatures. + * gpg: Better user interaction in --card-edit for the factory-reset + sub-command. + * gpg: Improve changing key attributes in --card-edit by adding an + explicit "key-attr" sub-command. + * gpg: Print the keygrips in the --card-status. + * scd: Support KDF DO setup. + * scd: Fix suspend/resume handling in the CCID driver. + * agent: Evict cached passphrases also via a timer. + * agent: Use separate passphrase caches depending on the request + origin. + * ssh: Support signature flags. + * dirmngr: Handle failures related to missing IPv6 support + gracefully. + * Allow the use of UNC directory names as homedir. 
[#3818] +- Dropped gnupg-CVE-2018-9234.patch since it is included upstream +* Thu Apr 5 2018 kbabioch@suse.com +- Added gnupg-CVE-2018-9234.patch: Enforce that key certification + can only be done with the master key, and not a signing subkey. + (bnc#1088255 CVE-2018-9234) +* Sun Feb 25 2018 astieger@suse.com +- GnuPG 2.2.5: + * gpg: Allow the use of the "cv25519" and "ed25519" short names + in addition to the canonical curve names in --batch --gen-key + * gpg: Make sure to print all secret keys with option --list-only + and --decrypt + * gpg: Fix the use of future-default with --quick-add-key for + signing keys + * gpg: Select a secret key by checking availability under + gpg-agent + * gpg: Fix reversed prompt texts for --only-sign-text-ids + * gpg,gpgsm: Fix detection of bogus keybox blobs on 32 bit + systems + * gpgsm: Fix regression since 2.1 in --export-secret-key-raw + which got $d mod (q-1)$ wrong + * scd: Support the KDF Data Object of the OpenPGP card 3.3 + * scd: Fix a regression in the internal CCID driver for certain + card readers + * dirmngr: Improve returned error description on failure of DNS + resolving + * wks: Implement command --install-key for gpg-wks-server. +* Thu Feb 22 2018 fvogt@suse.com +- Use %%license (boo#1082318) +* Thu Dec 21 2017 astieger@suse.com +- GnuPG 2.2.4: + * gpg: Change default preferences to prefer SHA512. + * gpg: Print a warning when more than 150 MiB are encrypted using + a cipher with 64 bit block size. + * gpg: Print a warning if the MDC feature has not been used for a + message. + * gpg: Fix regular expression of domain addresses in trust + signatures + * agent: New option --auto-expand-secmem to help with high + numbers of concurrent connections. Requires libgcrypt 1.8.2 + for having an effect. + * dirmngr: Cache responses of WKD queries. + * gpgconf: Add option --status-fd. 
+ * wks: Add commands --check and --remove-key to gpg-wks-server + * Increase the backlog parameter of the daemons to 64 and add + option --listen-backlog. +- Not enabled features: + * New configure option --enable-run-gnupg-user-socket to first + try a socket directory which is not removed by systemd at + session end. +* Tue Nov 21 2017 astieger@suse.com +- GnuPG 2.2.3: + * dirmngr: Fix crash in case of a CRL loading error + * gpgtar: Fix wrong behaviour of --set-filename + * gpg: Silence AKL retrieval messages + * agent: Use clock or clock_gettime for calibration + * agent: Improve robustness of the shutdown pending state +* Tue Nov 7 2017 astieger@suse.com +- GnuPG 2.2.2: + * gpg: Avoid duplicate key imports by concurrently running gpg + processes + * gpg: Fix creating on-disk subkey with on-card primary key + * gpg: Fix validity retrieval for multiple keyrings + * gpg: Fix --dry-run and import option show-only for secret keys + * gpg: Print "sec" or "sbb" for secret keys with import option + import-show + * gpg: Make import less verbose + * gpg: Add alias "Key-Grip" for parameter "Keygrip" and new + parameter "Subkey-Grip" to unattended key generation + * gpg: Improve "factory-reset" command for OpenPGP cards + * gpg: Ease switching Gnuk tokens into ECC mode by using the magic + keysize value 25519 + * gpgsm: Fix --with-colon listing in crt records for fields > 12. + * gpgsm: Do not expect X.509 keyids to be unique + * agent: Fix stucked Pinentry when using --max-passphrase-days + * agent: New option --s2k-count + * dirmngr: Do not follow https-to-http redirects + * dirmngr: Reduce default LDAP timeout from 100 to 15 seconds + * gpgconf: Ignore non-installed components for commands + - -apply-profile and --apply-defaults + * Add configure option --enable-werror +* Tue Sep 19 2017 astieger@suse.com +- GnuPG 2.2.1: + * gpg: Fix formatting of the user id in batch mode key generation + if only "name-email" is given. 
+ * gpgv: Fix annoying "not suitable for" warnings. + * wks: Convey only the newest user id to the provider. This is + the case if different names are used with the same addr-spec. + * wks: Create a complying user id for provider policy mailbox-only. + * wks: Add workaround for posteo.de. + * scd: Fix the use of large ECC keys with an OpenPGP card. + * dirmngr: Use system provided root certificates if no specific + HKP certificates are configured. If bu +* Mon Aug 28 2017 astieger@suse.com +- GnuPG 2.2.0: + * New long term stable branch, replacing the 2.0.x series + * gpg: Reverted change in 2.1.23 so that --no-auto-key-retrieve + is again the default boo#1054088 + * Fixed a few minor bugs +* Sat Aug 12 2017 astieger@suse.com +- GnuPG 2.1.23: + * gpg: Options --auto-key-retrieve and --auto-key-locate "local,wkd" + are now used by default. Note: this enables keyserver and Web Key + Directory operators to notice when a signature from a locally + non-available key is being verified for the first time or when + you intend to encrypt to a mail address without having the key + locally. This new behaviour will eventually make key discovery + much easier and mostly automatic. Disable this by adding + no-auto-key-retrieve + auto-key-locate local + to your gpg.conf. + * agent: Option --no-grab is now the default. The new option --grab + allows to revert this. + * gpg: New import option "show-only". + * gpg: New option --disable-dirmngr to entirely disable network + access for gpg. + * gpg,gpgsm: Tweaked DE-VS compliance behaviour. + * New configure flag --enable-all-tests to run more extensive tests + during "make check". + * gpgsm: The keygrip is now always printed in colon mode as + documented in the man page. +* Fri Jul 28 2017 astieger@suse.com +- GnuPG 2.1.22: + * gpg: Extend command --quick-set-expire to allow for setting the + expiration time of subkeys. + * gpg: By default try to repair keys during import. New sub-option + no-repair-keys for --import-options. 
+ * gpg,gpgsm: Improved checking and reporting of DE-VS compliance. + * gpg: New options --key-origin and --with-key-origin. Store the + time of the last key update from keyservers, WKD, or DANE. + * agent: New option --ssh-fingerprint-digest. + * dimngr: Lower timeouts on keyserver connection attempts and made + it configurable. + * dirmngr: Tor will now automatically be detected and used. The + option --no-use-tor disables Tor detection. + * dirmngr: Now detects a changed /etc/resolv.conf. + * agent,dirmngr: Initiate shutdown on removal of the GnuPG home + directory. + * gpg: Avoid caching passphrase for failed symmetric encryption. + * agent: Support for unprotected ssh keys. + * dirmngr: Fixed name resolving on systems using only v6 + nameservers. + * dirmngr: Allow the use of TLS over http proxies. + * wks: New man pages for client and server. +* Fri May 19 2017 marco.strigl@suse.com +- GnuPG 2.1.21: + * modified gnupg-2.0.18-files-are-digests.patch to work with + obs-sign again bsc#1039899 +* Mon May 15 2017 astieger@suse.com +- GnuPG 2.1.21: + * gpg,gpgsm: Fix corruption of old style keyring.gpg files, + regression in 2.1.20 + * gpg,dirmngr: Removed the skeleton config file support + New installations no longer generate a configuration file. + In the absence of a file, SHA-2 family hashes are used. + Existing configurations are not touched. + drop gnupg-2.1.19-stronger-defaults.patch FATE#323084 + * gpg: Fixed import filter property match bug. + * scd: Removed Linux support for Cardman 4040 PCMCIA reader. + * scd: Fixed some corner case bugs in resume/suspend handling. + * Many minor bug fixes and code cleanup. +* Tue Apr 4 2017 astieger@suse.com +- GnuPG 2.1.20: + * gpg: New properties 'expired', 'revoked', and 'disabled' for the + import and export filters. + * gpg: New command --quick-set-primary-uid. + * gpg: New compliance field for the --with-colon key listing. + * gpg: Changed the key parser to generalize the processing of local + meta data packets. 
+ * gpg: Fixed assertion failure in the TOFU trust model. + * gpg: Fixed exporting of zero length user ID packets. + * scd: Improved support for multiple readers. + * scd: Fixed timeout handling for key generation. + * agent: New option --enable-extended-key-format. + * dirmngr: Do not add a keyserver to a new dirmngr.conf. Dirmngr + uses a default keyserver. + * dimngr: Do not treat TLS warning alerts as severe error when + building with GNUTLS. + * dirmngr: Actually take /etc/hosts in account. + * wks: Fixed client problems on Windows. Published keys are now set + to world-readable. + * tests: Fixed creation of temporary directories. + * A socket directory for a non standard GNUGHOME is now created on + the fly under /run/user. Thus "gpgconf --create-socketdir" is now + optional. The use of "gpgconf --remove-socketdir" to clean up + obsolete socket directories is however recommended to avoid + cluttering /run/user with useless directories. + * Fixed build problems on some platforms. +* Tue Mar 14 2017 astieger@suse.com +- Use stronger defaults for new users, using SHA-2 digest family + for certificates and message signatures - FATE#323084 + adding gnupg-2.1.19-stronger-defaults.patch +* Tue Mar 7 2017 astieger@suse.com +- GnuPG 2.1.19: + * gpg: Print a warning if Tor mode is requested but the Tor + daemon is not running. + * gpg: New status code DECRYPTION_KEY to print the actual private + key used for decryption. + * gpgv: New options --log-file and --debug. + * gpg-agent: Revamp the prompts to ask for card PINs. + * scd: Support for multiple card readers. + * scd: Removed option --debug-disable-ticker. Ticker is used + only when it is required to watch removal of device/card. + * scd: Improved detection of card inserting and removal. + * dirmngr: New option --disable-ipv4. + * dirmngr: New option --no-use-tor to explicitly disable the use + of Tor. + * dirmngr: The option --allow-version-check is now required even + if the option --use-tor is also used. 
+ * dirmngr: Handle a missing nsswitch.conf gracefully. + * dirmngr: Avoid PTR lookups for keyserver pools. The are only + done for the debug command "keyserver --hosttable". + * dirmngr: Rework the internal certificate cache to support + classes of certificates. Load system provided certificates on + startup. + * Add options --tls, --no-crl, and --systrust to the "VALIDATE" + command. + * dirmngr: Add support for the ntbtls library. + * wks: Create mails with a "WKS-Phase" header. Fix detection of + Draft-2 mode. + * Many other bug fixes and new regression tests. +- dirmngr: use system certificate store +* Thu Mar 2 2017 jengelh@inai.de +- Rewrite descriptions +* Tue Jan 24 2017 astieger@suse.com +- GnuPG 2.1.18: + * gpg: Remove bogus subkey signature while cleaning a key (with + export-clean, import-clean, or --edit-key's sub-command clean) + * gpg: Allow freezing the clock with --faked-system-time. + * gpg: New --export-option flag "backup", new --import-option flag + "restore". + * gpg-agent: Fixed long delay due to a regression in the progress + callback code. + * scd: Lots of code cleanup and internal changes. + * scd: Improved the internal CCID driver. + * dirmngr: Fixed problem with the DNS glue code (removal of the + trailing dot in domain names). + * dirmngr: Make sure that Tor is actually enabled after changing the + conf file and sending SIGHUP or "gpgconf --reload dirmngr". + * dirmngr: Fixed Tor access to IPv6 addresses. Note that current + versions of Tor may require that the flag "IPv6Traffic" is used + with the option "SocksPort" in torrc to actually allow IPv6 + traffic. + * dirmngr: Fixed HKP for literally given IPv6 addresses. + * dirmngr: Enabled reverse DNS lookups via Tor. + * dirmngr: Added experimental SRV record lookup for WKD. + See commit 88dc3af3d4ae1afe1d5e136bc4c38bc4e7d4cd10 for details. + * dirmngr: For HKP use "pgpkey-hkps" and "pgpkey-hkp" in SRV record + lookups. Avoid SRV record lookup when a port is explicitly + specified. 
This fixes a regression from the 1.4 and 2.0 behavior. + * dirmngr: Gracefully handle a missing /etc/nsswitch.conf. Ignore + negation terms (e.g. "[!UNAVAIL=return]" instead of bailing out. + * dirmngr: Better debug output for flags "dns" and "network". + * dirmngr: On reload mark all known HKP servers alive. + * gpgconf: Allow keyword "all" for --launch, --kill, and --reload. + * tools: gpg-wks-client now ignores a missing policy file on the + server. + * Avoid unnecessary ambiguity error message in the option parsing. + * Further improvements of the regression test suite. + * Fixed building with --disable-libdns configure option. + * Fixed a crash running the tests on 32 bit architectures. + * Fixed spurious failures on BSD system in the spawn functions. + This affected for example gpg-wks-client and gpgconf. +* Mon Jan 9 2017 tchvatal@suse.com +- Remove the fixme, condition around fdupes +* Sun Dec 25 2016 astieger@suse.com +- add runtime dependency to match runtime version check for libksba +* Tue Dec 20 2016 astieger@suse.com +- GnuPG 2.1.17: + * gpg: By default new keys expire after 2 years. + * gpg: New command --quick-set-expire to conveniently change the + expiration date of keys. + * gpg: Option and command names have been changed for easier + comprehension. The old names are still available as aliases. + * gpg: Improved the TOFU trust model. + * gpg: New option --default-new-key-algo. + * scd: Support OpenPGP card V3 for RSA. + * dirmngr: Support for the ADNS library has been removed. Now using + bundled libdns, enabling Tor support on all platforms. + New option --standard-resolver can be used to disable this code + at runtime. + * dirmngr: Lazily launch ldap reaper thread. + * tools: New options --check and --status-fd for gpg-wks-client. + * The UTF-8 byte order mark is now skipped when reading conf files. + * Fixed many bugs and regressions. + * Major improvements to the test suite. 
For example it is possible + to run the external test suite of GPGME. +* Sat Nov 19 2016 astieger@suse.com +- GnuPG 2.1.16: + * gpg: New algorithm for selecting the best ranked public key when + using a mail address with -r, -R, or --locate-key. + * gpg: New option --with-tofu-info to print a new "tfs" record in + colon formatted key listings. + * gpg: New option --compliance as an alternative way to specify + options like --rfc2440, --rfc4880, et al. + * gpg: Many changes to the TOFU implementation. + * gpg: Improve usability of --quick-gen-key. + * gpg: In --verbose mode print a diagnostic when a pinentry is + launched. + * gpg: Remove code which warns for old versions of gnome-keyring. + * gpg: New option --override-session-key-fd. + * gpg: Option --output does now work with --verify. + * gpgv: New option --output to allow saving the verified data. + * gpgv: New option --enable-special-filenames. + * agent, dirmngr: New --supervised mode for use by systemd and alike. + * agent: By default listen on all available sockets using standard + names. + * agent: Invoke scdaemon with --homedir. + * dirmngr: On Linux now detects the removal of its own socket and + terminates. + * scd: Support ECC key generation. + * scd: Support more card readers. + * dirmngr: New option --allow-version-check to download a software + version database in the background. + * dirmngr: Use system provided CAs if no --hkp-cacert is given. + * dirmngr: Use a default keyserver if none is explicitly set + * gpgconf: New command --query-swdb to check software versions + against an copy of an online database. + * gpgconf: Print the socket directory with --list-dirs. + * tools: The WKS tools now support draft version -02. + * tools: Always build gpg-wks-client and install under libexec. + * tools: New option --supported for gpg-wks-client. + * The log-file option now accepts a value "socket://" to log to the + socket named "S.log" in the standard socket directory. 
+ * Provide fake pinentries for use by tests cases of downstream + developers. + * Fixed many bugs and regressions. + * Many changes and improvements for the test suite. +- drop upstreamed patches: + * 0001-common-Follow-up-to-14479e2-fix-void-return-in-non-v.patch + * gnupg-2.1.15-bsc993324-status-output.patch +* Tue Sep 13 2016 astieger@suse.com +- avoid mixing up status and colon line output - bsc#993324 + add gnupg-2.1.15-bsc993324-status-output.patch +* Thu Sep 1 2016 astieger@suse.com +- enable web key discovery tools +* Wed Aug 31 2016 astieger@suse.com +- Add an explicit runtime dependency on libgcrypt >= 1.7.0 to + match runtime version check +* Fri Aug 19 2016 astieger@suse.com +- GnuPG 2.1.15: + * gpg: Remove the --tofu-db-format option and support for the + split TOFU database. + * gpg: Add option --sender to prepare for coming features. + * gpg: Add option --input-size-hint to help progress indicators. + * gpg: Extend the PROGRESS status line with the counted unit. + * gpg: Avoid publishing the GnuPG version by default with --armor. + * gpg: Properly ignore legacy keys in the keyring cache. + * gpg: Always print fingerprint records in --with-colons mode. + * gpg: Make sure that keygrips are printed for each subkey in + - -with-colons mode. + * gpg: New import filter "drop-sig". + * gpgsm: Fix a bug in the machine-readable key listing. + * gpg,gpgsm: Block signals during keyring updates to limits the + effects of a Ctrl-C at the wrong time. + * g13: Add command --umount and other fixes for dm-crypt. + * agent: Fix regression in SIGTERM handling. + * agent: Cleanup of the ssh-agent code. + * agent: Allow import of overly long keys. + * scd: Fix problems with card removal. + * dirmngr: Remove all code for running as a system service. + * tools: Make gpg-wks-client conforming to the specs. + * tests: Improve the output of the new regression test tool. + * tests: Distribute the standalone test runner. + * tests: Run each test in a clean environment. 
+ * Spelling and grammar fixes. +- fix build error, adding + 0001-common-Follow-up-to-14479e2-fix-void-return-in-non-v.patch +* Sun Aug 14 2016 astieger@suse.com +- GnuPG 2.1.14: + * gpg: Removed options --print-dane-records and --print-pka-records. + The new export options "export-pka" and "export-dane" can instead + be used with the export command. + * gpg: New options --import-filter and --export-filter. + * gpg: New import options "import-show" and "import-export". + * gpg: New option --no-keyring. + * gpg: New command --quick-revuid. + * gpg: New options -f/--recipient-file and -F/--hidden-recipient-file + to directly specify encryption keys. + * gpg: New option --mimemode to indicate that the content is a MIME + part. Does only enable --textmode right now. + * gpg: New option --rfc4880bis to allow experiments with proposed + changes to the current OpenPGP specs. + * gpg: Fix regression in the "fetch" sub-command of --card-edit. + * gpg: Fix regression since 2.1 in option --try-all-secrets. + * gpgv: Change default options for extra security. + * gpgsm: No more root certificates are installed by default. + * agent: "updatestartuptty" does now affect more environment + variables. + * scd: The option --homedir does now work with scdaemon. + * scd: Support some more GEMPlus card readers. + * gpgtar: Fix handling of '-' as file name. + * gpgtar: New commands --create and --extract. + * gpgconf: Tweak for --list-dirs to better support shell scripts. + * tools: Add programs gpg-wks-client and gpg-wks-server to implement + a Web Key Service. The configure option --enable-wks-tools is + required to build them; they should be considered Beta software. + * tests: Complete rework of the openpgp part of the test suite. The + test scripts have been changed from Bourne shell scripts to Scheme + programs. A customized scheme interpreter (gpgscm) is included. + This change was triggered by the need to run the test suite on + non-Unix platforms. 
+ * The rendering of the man pages has been improved. +- drop upstream gnupg-make_--try-all-secrets_work.patch +* Thu Aug 4 2016 tchvatal@suse.com +- Fix date call as the curlified parameter for sure are not parsed + correctly by escaping it with %% +* Wed Aug 3 2016 astieger@suse.com +- Fix upstream bug 1985: --try-all-secrets doesn't work when + decrypting messages encrypted with --hidden-recipient, fixes unit + tests of the duplicity package. + Adding gnupg-make_--try-all-secrets_work.patch +- record the fact that gpg-error 1.21 is required +* Thu Jun 16 2016 astieger@suse.com +- GnuPG 2.1.13: + * gpg: New command --quick-addkey. Extend the --quick-gen-key + command. + * gpg: New --keyid-format "none" which is now also the default. + * gpg: New option --with-subkey-fingerprint. + * gpg: Include Signer's UID subpacket in signatures if the secret key + has been specified using a mail address and the new option + - -disable-signer-uid is not used. + * gpg: Allow unattended deletion of a secret key. + * gpg: Allow export of non-passphrase protected secret keys. + * gpg: New status lines KEY_CONSIDERED and NOTATION_FLAGS. + * gpg: Change status line TOFU_STATS_LONG to use '~' as + a non-breaking-space character. + * gpg: Speedup key listings in Tofu mode. + * gpg: Make sure that the current and total values of a PROGRESS + status line are small enough. + * gpgsm: Allow the use of AES192 and SERPENT ciphers. + * dirmngr: Adjust WKD lookup to current specs. + * dirmngr: Fallback to LDAP v3 if v2 is is not supported. + * gpgconf: New commands --create-socketdir and --remove-socketdir, + new option --homedir. + * If a /run/user/$UID directory exists, that directory is now used + for IPC sockets instead of the GNUPGHOME directory. This fixes + problems with NFS and too long socket names and thus avoids the + need for redirection files. + * Speedup fd closing after a fork. 
+- drop upstreamed gnupg-fix-signature-checking.patch +* Thu Jun 2 2016 pjanouch@suse.de +- add gnupg-fix-signature-checking.patch (bsc#981020) + https://bugs.gnupg.org/gnupg/issue2351 +* Wed May 4 2016 astieger@suse.com +- GnuPG 2.1.12: + * gpg: New --edit-key sub-command "change-usage" for testing + purposes. + * gpg: Out of order key-signatures are now systematically detected + and fixed by --edit-key. + * gpg: Improved detection of non-armored messages. + * gpg: Removed the extra prompt needed to create Curve25519 keys. + * gpg: Improved user ID selection for --quick-sign-key. + * gpg: Use the root CAs provided by the system with --fetch-key. + * gpg: Add support for the experimental Web Key Directory key + location service. + * gpg: Improve formatting of Tofu messages and emit new Tofu specific + status lines. + * gpgsm: Add option --pinentry-mode to support a loopback pinentry. + * gpgsm: A new pubring.kbx is now created with the header blob so + that gpg can detect that the keybox format needs to be used. + * agent: Add read support for the new private key protection format + openpgp-s2k-ocb-aes. + * agent: Add read support for the new extended private key format. + * agent: Default to --allow-loopback-pinentry and add option + - -no-allow-loopback-pinentry. + * scd: Changed to use the new libusb 1.0 API for the internal CCID + driver. + * dirmngr: The dirmngr-client does now auto-detect the PEM format. + * g13: Add experimental support for dm-crypt. + * The man pages for gpg and gpgv are now installed under the correct + name (gpg2 or gpg - depending on a configure option). +* Sun Mar 6 2016 astieger@suse.com +- GnuPG 2.1.11: + * gpg: New command --export-ssh-key to replace the gpgkey2ssh tool. + * gpg: Allow to generate mail address only keys with --gen-key. + * gpg: "--list-options show-usage" is now the default. + * gpg: Make lookup of DNS CERT records holding an URL work. + * gpg: Emit PROGRESS status lines during key generation. 
+ * gpg: Don't check for ambigious or non-matching key specification in + the config file or given to --encrypt-to. This feature will return + in 2.3.x. + * gpg: Lock keybox files while updating them. + * gpg: Fix possible keyring corruption. (bug#2193) + * gpg: Fix regression of "bkuptocard" sub-command in --edit-key and + remove "checkbkupkey" sub-command introduced with 2.1. (bug#2169) + * gpg: Fix internal error in gpgv when using default keyid-format. + * gpg: Fix --auto-key-retrieve to work with dirmngr.conf configured + keyservers. (bug#2147). + * agent: New option --pinentry-timeout. + * scd: Fix regression for generating RSA keys on card. + * dirmmgr: All configured keyservers are now searched. + * dirmngr: Install CA certificate for hkps.pool.sks-keyservers.net. + Use this certiticate even if --hkp-cacert is not used. + * gpgtar: Add actual encryption code. gpgtar does now fully replace + gpg-zip. + * gpgtar: Fix filename encoding problem on Windows. + * Print a warning if a GnuPG component is using an older version of + gpg-agent, dirmngr, or scdaemon. +- disable running test which no longer work +- remove 0001-gpg-Improve-the-keyblock-cache-s-transparency.patch + is now upstream +- the PIE options are implemented in the upstream build, and spec + code broke the build. The only remaining broken executable was + gpgsplit, which was removed from the package +* Tue Jan 26 2016 astieger@suse.com +- add g13, an experimental tool for accessing encrypted storage + with with GnuPG (cards) +* Tue Jan 19 2016 vcizek@suse.com +- fix fingerprint ambiguity (bsc#958891) + * https://bugs.gnupg.org/gnupg/issue2198 + * add 0001-gpg-Improve-the-keyblock-cache-s-transparency.patch +* Sun Dec 6 2015 p.drouand@gmail.com +- Move to pkgconfig() packaging style +* Fri Dec 4 2015 astieger@suse.com +- GnuPG 2.1.10 adds TOFU (Trust-On-First-USe) and anonymous key + retrival via Tor. + * gpg: New trust models "tofu" and "tofu+pgp". + * gpg: New command --tofu-policy. 
New options --tofu-default-policy + and --tofu-db-format. + * gpg: New option --weak-digest to specify hash algorithms which + should be considered weak. + * gpg: Allow the use of multiple --default-key options; take the last + available key. + * gpg: New option --encrypt-to-default-key. + * gpg: New option --unwrap to only strip the encryption layer. + * gpg: New option --only-sign-text-ids to exclude photo IDs from key + signing. + * gpg: Check for ambigious or non-matching key specification in the + config file or given to --encrypt-to. + * gpg: Show the used card reader with --card-status. + * gpg: Print export statistics and an EXPORTED status line. + * gpg: Allow selecting subkeys by keyid in --edit-key. + * gpg: Allow updating the expiration time of multiple subkeys at + once. + * dirmngr: New option --use-tor. For full support this requires + libassuan version 2.4.2 and a patched version of libadns + (e.g. adns-1.4-g10-7 as used by the standard Windows installer). + * dirmngr: New option --nameserver to specify the nameserver used in + Tor mode. + * dirmngr: Keyservers may again be specified by IP address. + * dirmngr: Fixed problems in resolving keyserver pools. + * dirmngr: Fixed handling of premature termination of TLS streams so + that large numbers of keys can be refreshed via hkps. + * gpg: Fixed a regression in --locate-key [since 2.1.9]. + * gpg: Fixed another bug for keyrings with legacy keys. + * gpgsm: Allow combinations of usage flags in --gen-key. + * Make tilde expansion work with most options. + * Many other cleanups and bug fixes. +* Tue Nov 24 2015 vcizek@suse.com +- enable tests for PPC64 again, + the problem from bsc#935887 went away +* Fri Nov 20 2015 astieger@suse.com +- Improve upgrade to gpg2 from security:privacy w.r.t. libassuan + run-time dependencies (boo#955982) +* Sat Oct 10 2015 astieger@suse.com +- GnuPG 2.1.9: + * gpg: Allow fetching keys via OpenPGP DANE (--auto-key-locate).\ + New option --print-dane-records. 
+ * gpg: Fix for a problem with PGP-2 keys in a keyring. + * gpg: Fail with an error instead of a warning if a modern cipher + algorithm is used without a MDC. + * agent: New option --pinentry-invisible-char. + * agent: Always do a RSA signature verification after creation. + * agent: Fix a regression in ssh-add-ing Ed25519 keys. + * agent: Fix ssh fingerprint computation for nistp384 and EdDSA. + * agent: Fix crash during passprase entry on some platforms. + * scd: Change timeout to fix problems with some 2.1 cards. + * dirmngr: Displayed name is now Key Acquirer. + * dirmngr: Add option --keyserver. Deprecate that option for gpg. + Install a dirmngr.conf file from a skeleton for new installations. +- update gnupg-add_legacy_FIPS_mode_option.patch for context change +* Fri Sep 11 2015 astieger@suse.com +- GnuPG 2.1.8: + * gpg: Sending very large keys to the keyservers works again. + * gpg: Validity strings in key listings are now again translatable. + * gpg: Emit FAILURE status lines to help GPGME. + * gpg: Does not anymore link to Libksba to reduce dependencies. + * gpgsm: Export of secret keys via Assuan is now possible. + * agent: Raise the maximum passphrase length from 100 to 255 bytes. + * agent: Fix regression using EdDSA keys with ssh. + * Does not anymore use a build timestamp by default. + * The fallback encoding for broken locale settings changed + from Latin-1 to UTF-8. + * Many code cleanups and improved internal documentation. + * Various minor bug fixes. +* Wed Aug 12 2015 astieger@suse.com +- GnuPG 2.1.7: + * gpg: Support encryption with Curve25519 if Libgcrypt 1.7 is used. + * gpg: In the --edit-key menu: Removed the need for "toggle", changed + how secret keys are indicated, new commands "fpr *" and "grip". + * gpg: More fixes related to legacy keys in a keyring. + * gpgv: Does now also work with a "trustedkeys.kbx" file. + * scd: Support some feature from the OpenPGP card 3.0 specs. 
+ * scd: Improved ECC support + * agent: New option --force for the DELETE_KEY command. + * Dropped deprecated gpgsm-gencert.sh + * Various other bug fixes. +* Thu Jul 2 2015 astieger@suse.com +- do not run checks on ppc64 for now +* Wed Jul 1 2015 astieger@suse.com +- GnuPG 2.1.6: + * agent: New option --verify for the PASSWD command. + * gpgsm: Add command option "offline" as an alternative to + - -disable-dirmngr. + * gpg: Do not prompt multiple times for a password in pinentry + loopback mode. + * Allow the use of debug category names with --debug. + * Using gpg-agent and gpg/gpgsm with different locales will now show + the correct translations in Pinentry. + * gpg: Improve speed of --list-sigs and --check-sigs. + * gpg: Make --list-options show-sig-subpackets work again. + * gpg: Fix an export problem for old keyrings with PGP-2 keys. + * scd: Support PIN-pads on more readers. + * dirmngr: Properly cleanup zombie LDAP helper processes and avoid + hangs on dirmngr shutdown. + * Various other bug fixes. +- remove documentation make workaround, fixed upstream +* Sun Jun 28 2015 schwab@linux-m68k.org +- Enable workaround for missing dependencies everywhere +* Mon Jun 15 2015 astieger@suse.com +- fix build with openSUSE 13.2 and earlier, call make to + compensate for incorrect documentation dependencies. +* Thu Jun 11 2015 astieger@suse.com +- GnuPG 2.1.5: + * Support for an external passphrase cache. + * Support for the forthcoming version 3 OpenPGP smartcard. + * Manuals now show the actual used file names. + * Prepared for improved integration with Emacs. + * Code cleanups and minor bug fixes. +* Sun May 17 2015 meissner@suse.com +- info deinstall needs to be in %%preun +* Tue May 12 2015 astieger@suse.com +- update to 2.1.4: + * gpg: Add command --quick-adduid to non-interacitivly add a new + user id to an existing key. + * gpg: Do no enable honor-keyserver-url by default. Make it work + if enabled. 
+ * gpg: Display the serial number in the --card-staus output again. + * agent: Support for external password managers. + Add option --no-allow-external-cache. + * scdaemon: Improved handling of extended APDUs. + * Make HTTP proxies work again. + * All network access including DNS as been moved to Dirmngr. + * Allow building without LDAP support. + * Fixed lots of smaller bugs. +* Sat Apr 11 2015 astieger@suse.com +- update to 2.1.3: + * gpg: LDAP keyservers are now supported by 2.1. + * gpg: New option --with-icao-spelling. + * gpg: New option --print-pka-records. Changed the PKA method to + use CERT records and hashed names. + * gpg: New command --list-gcrypt-config. New parameter "curve" + for --list-config. + * gpg: Print a NEWSIG status line like gpgsm always did. + * gpg: Print MPI values with --list-packets and --verbose. + * gpg: Write correct MPI lengths with ECC keys. + * gpg: Skip legacy PGP-2 keys while searching. + (drop 0001-gpg-Skip-legacy-keys-while-searching-keyrings.patch + now upstream) + * gpg: Improved searching for mail addresses when using a keybox. + * gpgsm: Changed default algos to AES-128 and SHA-256. + * gpgtar: Fixed extracting files with sizes of a multiple of 512. + * dirmngr: Fixed SNI handling for hkps pools. + (drop hkps-fix-host-name-verification-when-using-pools.patch + now upstream) + * dirmngr: extra-certs and trusted-certs are now always loaded + from the sysconfig dir instead of the homedir. + * Fixed possible problems due to compiler optimization, two minor + regressions, and other bugs. +- refreshed for context changes: + * gnupg-2.0.18-files-are-digests.patch + * gnupg-add_legacy_FIPS_mode_option.patch +* Mon Mar 23 2015 idonmez@suse.com +- Add hkps-fix-host-name-verification-when-using-pools.patch to + fix hkps support w/ pools. Upstream commit dc10d46. 
+* Thu Mar 19 2015 astieger@suse.com
+- Ensure secure memory can be used with default 64k memlock limit
+ Fixes [boo#915931], removes gnupg-large_keys.patch
+- Removed gnupg-remove_development_version_warning.patch, obsolete
+- Removed gnupg-2.0.4-install_tools.diff, replaced by spec install
+- Removed autoconf requirement and autoreconf calls thus obsoleted
+* Tue Feb 24 2015 astieger@suse.com
+- Fix invalid packet read error when reading keyrings [boo#914625]
+ add 0001-gpg-Skip-legacy-keys-while-searching-keyrings.patch
+* Wed Feb 11 2015 astieger@suse.com
+- update to 2.1.2:
+ * gpg: The parameter 'Passphrase' for batch key generation works
+ again.
+ * gpg: Using a passphrase option in batch mode now has the
+ expected effect on --quick-gen-key.
+ * gpg: Improved reporting of unsupported PGP-2 keys.
+ * gpg: Added support for algo names when generating keys using
+ - -command-fd.
+ * gpg: Fixed DoS based on bogus and overlong key packets.
+ * agent: When setting --default-cache-ttl the value
+ for --max-cache-ttl is adjusted to be not lower than the former.
+ * agent: Fixed problems with the new --extra-socket.
+ * agent: Made --allow-loopback-pinentry changeable with gpgconf.
+ * agent: Fixed importing of unprotected openpgp keys.
+ * agent: Now tries to use a fallback pinentry if the standard
+ pinentry is not installed.
+ * scd: Added support for ECDH.
+ * Fixed several bugs related to bogus keyrings and improved some
+ other code.
+- in gnupg-2.0.18-files-are-digests.patch, change buffer_to_u32 to
+ buf32_to_u32 from host2net.h to match upstream changes
+- now requires automake 1.14
+* Fri Dec 26 2014 andreas.stieger@gmx.de
+- update to 2.1.1:
+ * gpg: Detect faulty use of --verify on detached signatures.
+ * gpg: New import option "keep-ownertrust".
+ * gpg: New sub-command "factory-reset" for --card-edit.
+ * gpg: A stub key for smartcards is now created by --card-status.
+ * gpg: Fixed regression in --refresh-keys.
+ * gpg: Fixed regresion in %%g and %%p codes for --sig-notation.
+ * gpg: Fixed best matching hash algo detection for ECDSA and EdDSA.
+ * gpg: Improved perceived speed of secret key listisngs.
+ * gpg: Print number of skipped PGP-2 keys on import.
+ * gpg: Removed the option aliases --throw-keyid and --notation-data;
+ use --throw-keyids and --set-notation instead.
+ * gpg: New import option "keep-ownertrust".
+ * gpg: Skip too large keys during import.
+ * gpg,gpgsm: New option --no-autostart to avoid starting gpg-agent or
+ dirmngr.
+ * gpg-agent: New option --extra-socket to provide a restricted
+ command set for use with remote clients.
+ * gpgconf --kill does not anymore start a service only to kill it.
+ * gpg-pconnect-agent: Add convenience option --uiserver.
+ * More translations (but most of them are not complete).
+ * To support remotely mounted home directories, the IPC sockets may
+ now be redirected. This feature requires Libassuan 2.2.0.
+ * Improved portability and the usual bunch of bug fixes.
+- removed patch not part of upstream release:
+ gnupg-2.1.0-boo-907198-openpgp_oid_to_str-buffer-overflow.patch
+- refresh for context changes:
+ gnupg-2.0.18-files-are-digests.patch
+ gnupg-2.0.4-install_tools.diff
+- refresh for upstream code changes:
+ gnupg-add_legacy_FIPS_mode_option.patch
+ gnupg-detect_FIPS_mode.patch (MD5 removed)
+* Thu Dec 25 2014 dev@stellardeath.org
+- Support for large RSA keys
+ This involves compiling with --enable-large-rsa and
+ - -enable-large-secmem, as well as patching the number
+ of secmem bytes and IPC bytes to slightly larger values.
+ See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739424
+ * added gnupg-large_keys.patch
+* Wed Dec 3 2014 andreas.stieger@gmx.de
+- update build requirement versions that changed with 2.1.0
+* Wed Nov 26 2014 andreas.stieger@gmx.de
+- fix buffer overflow in OID to string conversion function
+ [boo#907198], adding
+ gnupg-2.1.0-boo-907198-openpgp_oid_to_str-buffer-overflow.patch
+* Tue Nov 11 2014 vcizek@suse.com
+- obsolete dirmngr (shipped with gpg since 2.1.0)
+- spec cleanup after previous update
+- get rid of "THIS IS A DEVELOPMENT VERSION" warning
+ http://lists.gnupg.org/pipermail/gnupg-devel/2014-November/029065.html
+ * added gnupg-remove_development_version_warning.patch
+* Thu Nov 6 2014 vcizek@suse.com
+- upgrade to 2.1.0 (modern)
+ - The file "secring.gpg" is not anymore used to store the secret
+ keys. Merging of secret keys is now supported.
+ - All support for PGP-2 keys has been removed for security reasons.
+ - The standard key generation interface is now much leaner. This
+ will help a new user to quickly generate a suitable key.
+ - Support for Elliptic Curve Cryptography (ECC) is now available.
+ - Commands to create and sign keys from the command line without any
+ extra prompts are now available.
+ - The Pinentry may now show the new passphrase entry and the
+ passphrase confirmation entry in one dialog.
+ - There is no more need to manually start the gpg-agent. It is now
+ started by any part of GnuPG as needed.
+ - Problems with importing keys with the same long key id have been
+ addressed.
+ - The Dirmngr is now part of GnuPG proper and also takes care of
+ accessing keyserver.
+ - Keyserver pools are now handled in a smarter way.
+ - A new format for locally storing the public keys is now used.
+ This considerable speeds up operations on large keyrings.
+ - Revocation certificates are now created by default.
+ - Card support has been updated, new readers and token types are
+ supported.
+ - The format of the key listing has been changed to better identify
+ the properties of a key.
+ - The gpg-agent may now be used on Windows as a Pageant replacement
+ for Putty in the same way it is used for years on Unix as
+ ssh-agent replacement.
+ - Creation of X.509 certificates has been improved. It is now also
+ possible to export them directly in PKCS#8 and PEM format for use
+ on TLS servers.
+- dropped patches:
+ * gnupg-2.0.20-automake113.diff
+ * gnupg-2.0.18-tmpdir.diff (socket is created in homedir now)
+- refresh most of the remaining patches
+- added new BuildRequires: gnutls-devel, pkg-config, npth-devel
+* Tue Aug 12 2014 andreas.stieger@gmx.de
+- update to 2.0.26:
+ * gpg: Fix a regression in 2.0.24 if a subkey id is given
+ to --recv-keys et al.
+ * gpg: Cap attribute packets at 16MB.
+ * gpgsm: Auto-create the ".gnupg" home directory in the same
+ way gpg does.
+ * scdaemon: Allow for certificates > 1024 when using PC/SC.
+- remove URL from package keyring, upstream file metadata changes
+* Tue Jul 1 2014 andreas.stieger@gmx.de
+- gnupg-add_legacy_FIPS_mode_option.patch (part of [bnc#856312])
+ mentions GCRYCTL_INACTIVATE_FIPS_FLAG, raising the requirement
+ for gcrypt from 1.4.0 (from configure) to 1.6.1 where said flag
+ was introduced. Require this version to build.
+* Mon Jun 30 2014 andreas.stieger@gmx.de
+- update to 2.0.25:
+ * gpg: Fix a regression in 2.0.24 if more than one keyid is given
+ to --recv-keys et al.
+ * gpg: Cap RSA and Elgamal keysize at 4096 bit also for unattended
+ key generation.
+ * gpgsm: Fix a DISPLAY related problem with
+ - -export-secret-key-p12.
+ * scdaemon: Support reader Gemalto IDBridge CT30.
+* Tue Jun 24 2014 andreas.stieger@gmx.de
+- update to 2.0.24
+ Contains a security fix to stop a possible DoS using garbled
+ compressed data packets which can be used to put gpg into an
+ infinite loop. [bnc#884130] [CVE-2014-4617]
+ * gpg: Avoid DoS due to garbled compressed data packets.
+- further:
+ * gpg: Screen keyserver responses to avoid importing unwanted
+ keys from rogue servers.
+ * gpg: The validity of user ids is now shown by default. To
+ revert this add "list-options no-show-uid-validity" to gpg.conf
+ * gpg: Print more specific reason codes with the INV_RECP status.
+ * gpg: Allow loading of a cert only key to an OpenPGP card.
+ * gpg-agent: Make ssh support for ECDSA keys work with Libgcrypt
+ 1.6.
+* Tue Jun 3 2014 andreas.stieger@gmx.de
+- update to 2.0.23:
+ * gpg: Reject signatures made using the MD5 hash algorithm unless the
+ new option --allow-weak-digest-algos or --pgp2 are given.
+ * gpg: Do not create a trustdb file if --trust-model=always is used.
+ * gpg: Only the major version number is by default included in the
+ armored output.
+ * gpg: Print a warning if the Gnome-Keyring-Daemon intercepts the
+ communication with the gpg-agent.
+ * gpg: The format of the fallback key listing ("gpg KEYFILE") is now more
+ aligned to the regular key listing ("gpg -k").
+ * gpg: The option--show-session-key prints its output now before the
+ decryption of the bulk message starts.
+ * gpg: New %%U expando for the photo viewer.
+ * gpgsm: Improved handling of re-issued CA certificates.
+ * scdaemon: Various fixes for pinpad equipped card readers.
+ * Minor bug fixes.
+- Packaging changes:
+ * add gpgtar utility
+ * update and use use source URL for tarball signing key
+ * removed gnupg-2.0.9-RSA_ES.patch, applied upstream
+ * updated for context changes:
+ gnupg-add_legacy_FIPS_mode_option.patch
+ gnupg-2.0.18-files-are-digests.patch
+ gnupg-dont-fail-with-seahorse-agent.patch
+* Tue Apr 29 2014 vcizek@suse.com
+- add patch by Stephan Mueller which adds an option to enable
+ legacy ciphers in FIPS mode
+ * added gnupg-add_legacy_FIPS_mode_option.patch
+ (part of bnc#856312)
+- added BuildRequires: makeinfo (to build info pages from the
+ patched gnupg.texi)
+* Fri Feb 14 2014 vcizek@suse.com
+- install scdaemon to /usr/bin (bnc#863645)
+* Sat Oct 5 2013 andreas.stieger@gmx.de
+- update to 2.0.22 [bnc#844175]
+ * Fixed possible infinite recursion in the compressed packet
+ parser. [CVE-2013-4402]
+ * Improved support for some card readers.
+ * Prepared building with the forthcoming Libgcrypt 1.6.
+ * Protect against rogue keyservers sending secret keys.
+- remove gpg2-CVE-2013-4351.patch, committed upstream
+* Mon Sep 16 2013 vcizek@suse.com
+- fix CVE-2013-4351 (bnc#840510)
+* Mon Aug 19 2013 andreas.stieger@gmx.de
+- update to 2.0.21
+ * gpg-agent: By default the users are now asked via the Pinentry
+ whether they trust an X.509 root key. To prohibit interactive
+ marking of such keys, the new option --no-allow-mark-trusted may
+ be used.
+ * gpg-agent: The command KEYINFO has options to add info from
+ sshcontrol.
+ * The included ssh agent does now support ECDSA keys.
+- now requires libgpg-error 1.11
+- update gnupg-2.0.9-langinfo.patch for upstream whitespace changes
+- drop gnupg-broken-curl-test.patch, no longer required
+* Mon Jun 17 2013 coolo@suse.com
+- revert usage of gpg-offline to avoid cycles
+* Mon Jun 17 2013 coolo@suse.com
+- add gnupg-2.0.20-automake113.diff to fix build with automake 1.13
+* Tue May 14 2013 vcizek@suse.com
+- set safe umask before creating a plaintext file (bnc#780943)
+ added gpg2-set_umask_before_open_outfile.patch
+- select proper ciphers when running in FIPS mode (bnc#808958)
+ added gnupg-detect_FIPS_mode.patch
+* Fri May 10 2013 andreas.stieger@gmx.de
+- update to 2.0.20
+ * Decryption using smartcards keys > 3072 bit does now work.
+ * New meta option ignore-invalid-option to allow using the same
+ option file by other GnuPG versions.
+ * gpg: The hash algorithm is now printed for sig records in key listings.
+ * gpg: Skip invalid keyblock packets during import to avoid a DoS.
+ * gpg: Correctly handle ports from DNS SRV records.
+ * keyserver: Improve use of SRV records
+ * gpg-agent: Avoid tty corruption when killing pinentry.
+ * scdaemon: Improve detection of card insertion and removal.
+ * scdaemon: Rename option --disable-keypad to --disable-pinpad.
+ * scdaemon: Better support for CCID readers. Now, the internal CCID
+ driver supports readers without the auto configuration feature.
+ * scdaemon: Add pinpad input for PC/SC, if your reader has pinpad and
+ it supports variable length PIN input, and you specify
+ - -enable-pinpad-varlen option.
+ * scdaemon: New option --enable-pinpad-varlen.
+ * scdaemon: Install into libexecdir to avoid accidental execution
+ from the command line.
+ * Assorted bug fixes.
+- refresh gnupg-2.0.9-RSA_ES.patch
+- verify gpg signature of source tarball
+* Wed Mar 27 2013 mmeister@suse.com
+- Added url as source.
+ Please see http://en.opensuse.org/SourceUrls
+* Fri Jan 11 2013 lazy.kent@opensuse.org
+- BuildRequires: libbz2-devel (support BZIP2 compression
+ algorithm) (bnc#798175).
+* Wed Apr 18 2012 vcizek@suse.com
+- Mention some of the changes in Greg's version update
+* Tue Mar 27 2012 gregkh@opensuse.org
+- update to upstream 2.0.19
+ * GPG now accepts a space separated fingerprint as a user ID. This
+ allows to copy and paste the fingerprint from the key listing.
+ * GPG now uses the longest key ID available. Removed support for the
+ original HKP keyserver which is not anymore used by any site.
+ * Rebuild the trustdb after changing the option --min-cert-level.
+ * Ukrainian translation.
+ * Honor option --cert-digest-algo when creating a cert.
+ * Emit a DECRYPTION_INFO status line.
+ * Improved detection of JPEG files.
+* Tue Dec 6 2011 vcizek@suse.com
+- fixed licence to GPL-3.0+ (bnc#734878)
+* Wed Nov 30 2011 coolo@suse.com
+- add automake as buildrequire to avoid implicit dependency
+* Sat Oct 1 2011 crrodriguez@opensuse.org
+- Test suite hangs in qemu-arm, workaround.
+* Wed Aug 31 2011 puzel@suse.com
+- link with -pie
+* Fri Aug 19 2011 crrodriguez@opensuse.org
+- libcurl.m4 tests were broken, resulting in the usage
+ of a "fake" internal libcurl.
+* Sat Aug 6 2011 andreas.stieger@gmx.de
+- update to upstream 2.0.18
+ * Bug fix for newer versions of Libgcrypt.
+ * Support the SSH confirm flag and show SSH fingerprints in ssh
+ related pinentries.
+ * Improved dirmngr/gpgsm interaction for OCSP.
+ * Allow generation of card keys up to 4096 bit.
+- refresh patch gnupg-2.0.10-tmpdir.diff -> gnupg-2.0.18-tmpdir.diff
+- refresh patch gnupg-files-are-digests.patch -> gnupg-2.0.18-files-are-digests.patch
+* Tue Mar 15 2011 puzel@novell.com
+- update to gnupg-2.0.17
+ * Allow more hash algorithms with the OpenPGP v2 card.
+ * The gpg-agent now tests for a new gpg-agent.conf on a HUP.
+ * Fixed output of "gpgconf --check-options".
+ * Fixed a bug where Scdaemon sends a signal to Gpg-agent running
+ in non-daemon mode.
+ * Fixed TTY management for pinentries and session variable update
+ problem.
+- drop gnupg-CVE-2010-2547.patch (in upstream)
+* Fri Jan 7 2011 sbrabec@suse.cz
+- Removed obsolete BuildRequires of opensc-devel.
+* Sun Oct 31 2010 jengelh@medozas.de
+- Use %%_smp_mflags
+* Wed Jul 28 2010 puzel@novell.com
+- gnupg-CVE-2010-2547.patch (bnc#625947)
+- renumber patches
+* Mon Jul 19 2010 puzel@novell.com
+- update to gnupg-2.0.16
+ * If the agent's --use-standard-socket option is active, all tools
+ try to start and daemonize the agent on the fly. In the past this
+ was only supported on W32; on non-W32 systems the new configure
+ option --use-standard-socket may now be used to use this feature by
+ default.
+ * The gpg-agent commands KILLAGENT and RELOADAGENT are now available
+ on all platforms.
+ * Minor bug fixes.
+- drop gnupg-2.0.14-s2kcount.patch (builds fine without it now)
+* Mon Jun 7 2010 adrian@suse.de
+- add special provides to make sure that obs signd gets correct gpg version
+* Fri Apr 9 2010 chris@computersalat.de
+- fix deps
+ o libassuan-devel >= 2.0.0
+ o pth / libpth-devel >= 1.3.7
+- added BuildReq libcurl-devel >= 7.10
+- removed BuildReq openldap2
+ is already solved by openldap2-devel
+- removed unrecognized configure options
+ - -enable-external-hkp, --enable-shared, --enable-static-rnd
+* Wed Apr 7 2010 puzel@novell.com
+- add gnupg-dont-fail-with-seahorse-agent.patch (bnc#589994)
+* Wed Mar 31 2010 puzel@novell.com
+- update to gnupg-2.0.15
+ * New command --passwd for GPG.
+ * Fixes a regression in 2.0.14 which prevented unprotection of new
+ or changed gpg-agent passphrases.
+ * Make use of libassuan 2.0 which is available as a DSO.
+* Mon Mar 22 2010 puzel@novell.com +- fix files-are-digests patch (bnc#469229) +* Wed Feb 17 2010 dimstar@opensuse.org +- Update to version 2.0.14: + + The default for --include-cert is now to include all + certificates in the chain except for the root certificate. + + Numerical values may now be used as an alternative to the + debug-level keywords. + + The GPGSM --audit-log feature is now more complete. + + GPG now supports DNS lookups for SRV, PKA and CERT on W32. + + New GPGSM option --ignore-cert-extension. + + New and changed passphrases are now created with an iteration + count requiring about 100ms of CPU work. +- Add gnupg-2.0.14-s2kcount.patch: use fixed s2k-count number + otherwise the gpg2 would want to consult gpg-agent which is not + yet installed in the mock chroot (Patch shamelessly stolen from + Fedora). +* Thu Jan 28 2010 puzel@novell.com +- fix build for older distributions +* Wed Jan 27 2010 puzel@novell.com +- port files-are-digests patch from gpg1 (bnc#469229) +* Tue Dec 15 2009 jengelh@medozas.de +- enable parallel building +- SPARC needs large PIE model +* Sun Dec 6 2009 coolo@novell.com +- change -lang require to recommended +* Fri Nov 13 2009 puzel@novell.com +- update to gnupg-2.0.13 + * GPG now generates 2048 bit RSA keys by default. The default hash + algorithm preferences has changed to prefer SHA-256 over SHA-1. + 2048 bit DSA keys are now generated to use a 256 bit hash algorithm + * The envvars XMODIFIERS, GTK_IM_MODULE and QT_IM_MODULE are now + passed to the Pinentry to make SCIM work. + * The GPGSM command --gen-key features a --batch mode and implements + all features of gpgsm-gencert.sh in standard mode. + * New option --re-import for GPGSM's IMPORT server command. + * Enhanced writing of existing keys to OpenPGP v2 cards. + * Add hack to the internal CCID driver to allow the use of some + Omnikey based card readers with 2048 bit keys. + * GPG now repeatly asks the user to insert the requested OpenPGP + card. 
This can be disabled with --limit-card-insert-tries=1.
+ * Minor bug fixes.
+- drop gnupg-2.0.4-default-tty.diff
+* Thu Jun 18 2009 puzel@novell.com
+- update to gnupg-2.0.12
+ * GPGSM now always lists ephemeral certificates if specified by
+ fingerprint or keygrip.
+ * New command "KEYINFO" for GPG_AGENT. GPGSM now also returns
+ information about smartcards.
+ * Made sure not to leak file descriptors if running gpg-agent with a
+ command. Restore the signal mask to solve a problem in Mono.
+ * Changed order of the confirmation questions for root certificates
+ and store negative answers in trustlist.txt.
+ * Better synchronization of concurrent smartcard sessions.
+ * Support 2048 bit OpenPGP cards.
+ * Support Telesec Netkey 3 cards.
+ * The gpg-protect-tool now uses gpg-agent via libassuan.
+ * Changed code to avoid a possible Mac OS X system freeze.
+- drop gpg2-fix-rtsignals.patch (fixed upstream)
+- drop gnupg-1.9.22-ccid-driver-fix.diff (unused)
+* Thu Jun 11 2009 puzel@suse.cz
+- change BuildRequires: (pth-devel -> libpth-devel)
+* Mon Jun 1 2009 puzel@suse.cz
+- BuildRequires: pth-devel
+* Wed Mar 18 2009 puzel@suse.cz
+- add gpg2-fix-rtsignals.patch (bnc#481463)
+* Thu Mar 5 2009 puzel@suse.cz
+- update to 2.0.11
+ * Fixed a problem in SCDAEMON which caused unexpected card resets.
+ * SCDAEMON is now aware of the Geldkarte.
+ * The SCDAEMON option --allow-admin is now used by default.
+ * GPGCONF now restarts SCdaemon if necessary.
+ * The default cipher algorithm in GPGSM is now again 3DES. This is
+ due to interoperability problems with Outlook 2003 which still
+ can't cope with AES.
+- dropped gnupg-2.0.10-fix-convert.patch (upstream)
+- dropped gnupg-2.0.10-fix-missing-option.patch (upstream)
+- disabled gnupg-1.9.22-ccid-driver-fix.diff (does not apply and it is
+ not clear what it is good for)
+* Mon Mar 2 2009 puzel@suse.cz
+- gnupg-2.0.10-fix-missing-option.patch (bnc#477362)
+* Mon Jan 19 2009 puzel@suse.cz
+- add gnupg-2.0.10-fix-convert.patch
+ - fix broken 'make check' on ppc, s390 and s390x
+* Tue Jan 13 2009 puzel@suse.cz
+- update to 2.0.10
+ * New keyserver helper gpg2keys_kdns as generic DNS CERT
+ lookup.
+ * New mechanisms "local" and "nodefault" for --auto-key-locate.
+ Fixed a few problems with this option.
+ * New command --locate-keys.
+ * New options --with-sig-list and --with-sig-check.
+ * The option "-sat" is no longer an alias for --clearsign.
+ * The option --fixed-list-mode is now implicitly used and obsolete.
+ * New control statement %%ask-passphrase for the unattended key
+ generation.
+ * The algorithm to compute the SIG_ID status has been changed.
+ * [gpgsm] Now uses AES by default.
+ * [gpgsm] Made --output option work with --export-secret-key-p12.
+ * [gpg-agent] Terminate process if the own listening socket is not
+ anymore served by ourself.
+ * [gpg-connect-agent] Accept commands given as command line arguments.
+ * The gpg-preset-passphrase mechanism works again. An arbitrary
+ string may now be used for a custom cache ID.
+ * Admin PINs are cached again (bug in 2.0.9).
+ * Support for version 2 OpenPGP cards.
+- specfile changes:
+ * require libadns
+ * explicit versions for some BuildRequires
+ * BuildRequires libgpg-error
+ * changed license to GPL v3
+ * /etc/gnupg/gnupg.conf is now (noreplace)
+ * documentation is installed with install
+* Wed Jun 11 2008 puzel@suse.cz
+- fix [bnc#305725] - UTF-8 problems
+ * non latin characters displayed incorrectly by pinentry-*
+* Wed May 21 2008 puzel@suse.cz
+- added missing gpgconf.conf (bnc#391347)
+* Fri Mar 28 2008 pcerny@suse.cz
+- update to 2.0.9
+ * fixes CVE-2008-1530 (bnc#374254)
+ * removing gnupg-2.0.8-from-upstream.diff (included in release)
+ * removing gnupg-2.0.4-oldkey.diff (accepted by upstream)
+ * removing gnupg-2.0.8-warningfixes.diff
+ (also appears in upstream)
+- patch gnupg-2.0.9-RSA_ES.patch
+ * adding back support for deprecated RSA_E, RSA_S algorithms
+ (bnc#342979)
+* Wed Mar 26 2008 coolo@suse.de
+- require the split out lang package
+* Sun Mar 23 2008 coolo@suse.de
+- splitting out a third of the package by using a lang subpack
+* Tue Feb 12 2008 bk@suse.de
+- install gpg-zip and gpgsplit again and use -pie for randomisation
+* Wed Feb 6 2008 bk@suse.de
+- add selected upstream fixes and fix gcc and rpmlint warnings
+* Tue Jan 8 2008 sassmann@suse.de
+- update to GnuPG-2.0.8
+- adapted patches to apply properly
+ * gnupg-1.9.18-tmpdir.diff
+ * gnupg-2.0.4-install_tools.diff
+- gnupg-2.0.5.fixes-from-svn-20070812.diff commented out,
+ included in upstream 2.0.8
+- use optflags during build
+* Wed Sep 12 2007 ltinkl@suse.cz
+- fix #304749 - gpg2 unable to use old secret key
+* Mon Sep 10 2007 ltinkl@suse.cz
+- fix gpg2 crash on accessing key (#307666)
+- fix gpg doesn't work on the console (#302323)
+* Fri Aug 10 2007 bk@suse.de
+- update to GnuPG-2.0.5 - requries libassuan-1.0.2!
+ * Switched license to GPLv3.
+ * Fixed bug when using the --p12-charset without --armor.
+ * The command --gen-key may now be used instead of the
+ gpgsm-gencert.sh script.
+ * Changed key generation to reveal less information about the + machine. Bug fixes for gpg2's card key generation. +- enable make check to test against build issues in the crypto engine +- cleanup disabled nld patch for linking with -lgpg-error-nld +- use %%find_lang to label the locale files properly with %%lang +- add opensc-devel to BuildRequrires to enanble smartcard support +- del Makefile.in patches where we patch Makefile.am and run automake +- cleanup the standrd GNU INSTALL and the empty VERSION from %%doc +* Thu Jul 26 2007 sbrabec@suse.cz +- Build with libassuan-devel. +* Thu Jun 21 2007 ro@suse.de +- install compat symlinks for gpg2 and gpgv2 +- install gpg-zip and gpgsplit +- added openldap2 to buildrequires (for gpgkeys_ldap) +- added fPIE/pie to CFLAGS/LDFLAGS for gpgsplit +* Wed May 23 2007 dmueller@suse.de +- add libusb-devel build requires +* Wed May 16 2007 ltinkl@suse.cz +- remove gpg from Require's (#273491) +* Fri May 11 2007 ltinkl@suse.cz +- updated to 2.0.4 stable snapshot +* Wed Apr 4 2007 ltinkl@suse.cz +- update to 2.0.3 +- fixed #251605 - VUL-0: signing issues within GNUPG +- removed outdated patches +* Thu Mar 29 2007 ro@suse.de +- added zlib-devel to buildreq +* Wed Feb 14 2007 ltinkl@suse.cz +- fix file conflicts with gpg (#242133) +* Mon Jan 29 2007 ro@suse.de +- fix build (exclude possible debuginfo directory) +* Mon Jan 29 2007 ltinkl@suse.cz +- fix #221212 - gpg2 is not updated and do not contain documentation +- fix #233525 - gpg1/2: bug in vasprintf() implementation +* Thu Nov 30 2006 anicka@suse.cz +- fix overflow in openfile.c (CVE-2006-6169, #224108) +* Mon Sep 11 2006 pnemec@suse.cz +- updated gnupg to new version 1.9.22 + Enhanced pkcs#12 support + Support for the CardMan 4040 PCMCIA + Collected bug fixes +- updated pth library to 2.0.7 +- changed using pinetry-qt to pinentry +- removed -cfb.diff -signature.patch -cap_large_uid.patch patches + they are no longer needed +- change patch -warnings-fix.diff 
-ccid-driver-fix.diff +* Thu Aug 17 2006 pnemec@suse.de +- remove unused package in build requires +* Wed Aug 9 2006 pnemec@suse.cz +- fix spec file to build with new gettext 0.15 +* Mon Aug 7 2006 pnemec@suse.cz +- fixed security fix with large uid CVE-2006-3746 [#195569] +* Thu Feb 23 2006 pnemec@suse.cz +- fixed signature security problem CVE-2006-0455 (bugzilla#150742) +* Thu Feb 2 2006 pnemec@suse.cz +- fixed install info in spec file +* Thu Jan 26 2006 sbrabec@suse.cz +- Added missing %%install_info. +* Wed Jan 25 2006 mls@suse.de +- converted neededforbuild to BuildRequires +* Fri Aug 5 2005 postadal@suse.cz +- updated to version to 1.9.18 +- removed obsoleted gcc patch +- added patch tmpdir.diff for using $TMPDIR by gpg-agent [#bug95732] +* Tue Jul 12 2005 postadal@suse.cz +- updated to version to 1.9.17 +- updated pth to version 2.0.4 +- removed obsoleted patch agent-cache-fix.diff +- fixed ccid-driver.c +- fixed gcc4 +- explicitly enabled gpg building in configure +* Thu Mar 24 2005 postadal@suse.cz +- fixed caching passphrase in gpg-agent [#71975] +* Tue Mar 22 2005 postadal@suse.cz +- fixed on 64bit archs [#72440] +* Wed Feb 23 2005 postadal@suse.cz +- security fix for cfb-cipher issue [#65862] +* Wed Jan 12 2005 postadal@suse.cz +- update to version 1.9.14 +- removed obsoleted patch automake-fixes.diff +* Tue Sep 28 2004 adrian@suse.de +- link against libpth staticaly to make S/MIME support in kmail + usable. Hopefully we can convert this to a native thread implementation + later. 
(#46260)
+* Sat Jul 31 2004 adrian@suse.de
+- update to version 1.9.10
+* Tue Jul 20 2004 adrian@suse.de
+- remove openct and opensc packages from nfb
+ (we will need thread support, when enabling card reader support,
+ but it isn't anyway implemented yet in gpg2)
+* Mon Jul 12 2004 adrian@suse.de
+- use GnuPG 2 sources version 1.9.9
+- opensc support misses some functions atm, support disabled for now
+- threading is disabled, since we do not have a pth package for now
+- prepare for nld
+* Thu Feb 26 2004 postadal@suse.cz
+- adapted some functions to the libgcrypt version 1.1.91 [#34987]
+- added libgpg-error to needforbuild flag
+* Wed Feb 18 2004 kukuk@suse.de
+- Don't build against libpth.
+* Tue Feb 10 2004 postadal@suse.cz
+- fixed code that broke strict aliasing
+* Fri Dec 5 2003 garloff@suse.de
+- disable core dumpe in child after forking. [#33499]
+* Mon Aug 11 2003 adrian@suse.de
+- cleanup #neededforbuild and requires
+* Mon Aug 4 2003 ro@suse.de
+- added openct to neededforbuild
+* Fri Jul 18 2003 mc@suse.de
+- build against opensc
+* Thu Jun 19 2003 schwab@suse.de
+- Add %%install_info.
+* Mon Mar 17 2003 adrian@suse.de
+- add signal handler to check if the parent is still alive and
+ exit if not
+- use pinentry-qt by default (/usr/bin/pinentry do not exist)
+* Tue Feb 11 2003 mc@suse.de
+- initial release
diff --git a/gpg2.keyring b/gpg2.keyring
new file mode 100644
index 0000000..3f00d96
--- /dev/null
+++ b/gpg2.keyring
@@ -0,0 +1,65 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBE0ti4EBCACqGtKlX9jI/enhlBdy2cyQP6Q7JoyxtaG6/ckAKWHYrqFTQk3I
+Ue8TuDrGT742XFncG9PoMBfJDUNltIPgKFn8E9tYQqAOlpSA25bOb30cA2ADkrjg
+jvDAH8cZ+fkIayWtObTxwqLfPivjFxEM//IdShFFVQj+QHmXYBJggWyEIil8Bje7
+KRw6B5ucs4qSzp5VH4CqDr9PDnLD8lBGHk0x8jpwh4V/yEODJKATY0Vj00793L8u
+qA35ZiyczUvvJSLYvf7STO943GswkxdAfqxXbYifiK2gjE/7SAmB+2jFxsonUDOB
+1BAY5s3FKqrkaxZr3BBjeuGGoCuiSX/cXRIhABEBAAG0Fldlcm5lciBLb2NoIChk
+aXN0IHNpZymJAVUEEwEIAD8CGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEE
+2GkhI8QGXepeDzq1JJs50k8l47YFAl4MxBkFCRShVzYACgkQJJs50k8l47YImQf9
+HaqHWor+aSmaEwQnaAN0zRa4kPbAWya182aJtsFzLZJf6BbS0aoiMhwtREN/DMvB
+jzxARKep/cELaM+mc7oDK4mEwqSX/u6BE8D7FaNA9sut8P+4xjpoLPU+UzILMg29
+t1remjyT9rs6sbu8BqufIxueArkjoi4WCOSRiVTdw+YDd88volPkXlPfS8hg9Rct
+wZ8kEEDywa+NrxiLx+kDgDNTNdk3PJdfcnesf8S1a+KLUTNRds5+xGTYz0JSQ9BZ
+7Q9r4VQ/NL55muQZi5W7lVxdp3HxQFUNjHzzBfGtkpS4xqZpJvNjW50Wh5Vi5RYZ
+LZ3M1EuIHXHmRiY4dmqqcpkBDQRUUDsjAQgA5hBwN9F3OqKf+9mXCXUDK4lb5wMj
+dti96xG04gAn7wWo7On6c5ntriZQuRdR5GHcdw73XC6CFehHeo/eSVYiWqBNBAfE
+9UzbkES+cY+4wDzqVacqhKxd70XmHQgyK7ppRG/MwkL1UyArCGGAKN6MV/2fzO6I
+GQw3jntRue3/2PGGnGaisNAKlvttHWZ91uy4KY5fBM19uQCgZdx4v8/rP0+yQqsW
+TwJUKvymx5GIfNaCJvgF+v+aPrwspxBMf9jpHXqDXnh4Lo8C/GsQMD6GClVfQjsv
+vzUHKH2eoL4oNfku+Ua5BuAHYi+uAuzqV9TdpF9PCpQMyPfuuZclMPLdMwARAQAB
+tDJOSUlCRSBZdXRha2EgKEdudVBHIFJlbGVhc2UgS2V5KSA8Z25paWJlQGZzaWou
+b3JnPokBPAQTAQgAJgIbAwULBwgJAwQVCAkKBRYCAwEAAh4BAheABQJYDxRZBQkL
+S5A2AAoJECBxsIozvT8GvG8IAMBIlGz9voYcSSXAdQOuvz2gM2kOjvMHzN6VlS9V
+P06IjnTz2DnejFZwLmxJw8e8mZjUo0jw22uo1HREQhDrne3S1IazPMeTUCUNzpWF
+MxXNc6SAyrw9apWa8gouGUWJv3HOwVs8EFA2E9UdtDJ2uG7MY/+eC5K/aeOAyudZ
+EbvS8rgZypTFrBtBcNKUWZhz7FRn63HxEmYLE3p6I19ZDXrc1WTazF2oz18zym6c
+uURr6waRbdSemUTshpLnKCBZXzJ82bXBgXNnfdmc3gtS24ZmM3ZfK/rYztEDkiTk
+s2R1gwDwf5RtDpaf5LD2ufESdbLuT+8blAlscbgYLBcwDquZAY0EWMu6rgEMAKcz
+vM1IhpUwBpxPCNdrlMZh7XeLqKUd7hUvQ1KHOuDONxCDnfXdxGCKKI0Ds5I7Kkyp
+Wzvcl7PplRy2fYZWwcGtL+Kj01y4L2lXB/xrrVaVwRr4S0FrcbseUGYRafBpR0C1
+Yo24CL1ef4ivsfbER2SyaZ3lrT9Ccv6xfvTluhU8X+2li1ssak/Frvy02u3EORLD
+LxaaLQgANgsjnIjv/JQZ4l3xFIJT98tEoL18btg5lGrS2w4yFU1aa1SNsbp7vcu7
+wsqcJmCzX98LyG8/IBGJ5JXmZ03yzWhZ3uhhy1+Avi4GV4Mi0ADwaGMp6O63Mc3w
+SL8A/DoCKJLISOc+D5xNfw6C8sYlaOSzQfqY9l4HW/+QbJmEFL2+bnjSHb8yaVU3
+ae2IIrlNkZ5Jamp12Kq6x9Vei0xGk3gd4sqhmHhECdxoJtkX9L5gt436QxdjiTcW
+q3V+NNfq94UJu2Ej2kN0fNT0t9RU2n0P/mS0L+1gw5Ex6BX7BIzGL0bZhYomQwAR
+AQABiQHOBB8BCAA4FiEEW4DFdUKY8MtV2O1qvO9+KUsJLigFAljLwN0XDIABlKXJ
+oDwv5co7CV2OH99yPPRitrECBwAACgkQvO9+KUsJLig2Cgv/T4rXEjHwlbsuTkzp
+tgK80Dh92URzBAhPhSJ0kUz2b6y7FgVYgZ95u8elGUS4lOB0GOQSK3y4sCgldTQF
+GQpMuvNMX6oNQTv1Z/H9H7Sc6AntozKRA6LQC+7DMxjPh2DEhVLYNqi7gMXtuH8o
+Xz5+quarw/xbVmuS4UNqcxakd4A/HW6PayRhuju4+oV2+UmGU0etzGVwKSN/UicC
+3Re3mUy8SwJFQ9/3EAfiY0SGzSWH1z7bTRg9Ga2ctYDNzUpyQsgLxD6ZRHcONkOo
+GUMEQ96BeSsjT4yW9ED70CcCbhg+pMxR+lnpk4BZ4WML/plBjEb8B1YaRvhYWKd3
+OSVB/JsS6J6Q/y9TTsAJDBLAfw9h7RQKibViuVFSNftAuSdktah5mDwFnL0ZMzVS
+3tDVDa5PDqbHEhK55/5EWBg4eNbAukVZmmoLzzERGXuj+LOIRElG3/n3chy1uM73
+B6da3al4gDDNHifPsuozpkVN1EAROZx1K9hGGDZC3yFQTjsJtCRBbmRyZSBIZWlu
+ZWNrZSAoUmVsZWFzZSBTaWduaW5nIEtleSmJAdQEEwEIAD4WIQRbgMV1Qpjwy1XY
+7Wq8734pSwkuKAUCWMu6rgIbAwUJEswDAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIX
+gAAKCRC8734pSwkuKEL9DACEIL5IS9wUty62Bnwd9wK2hmwihXNkTLsOOoi8aCdO
+ywPwcIucgAcIO+c/t0lbe4y4sJ1KrKbdyOUQiJAyxobLCSV/MkhIDAmsZB1ZIpF3
+nfmNekRdCVcMpqX8jAwoBS3Q9m2UJz1LeDCLFCvLF0nbyUnqHZP19UOvxmzAyZMA
+Ub3W5y1+GMo4yA+3xSFI8ZbjzhawixCCRs69/4p+zCXR4e7LBf6koAHllD/0ZULp
+SDjF+t2IkvRrMlM+e+Mxjklinr8v1FRGzmE/kCcdHaP88+iwC2wUKOZtFs4yIBLO
+SWdQk9tLPmR8uWgNZmatRJyNvOaxd6EbK3jfckbJGFkmXjH+M9vMqFpoAewZ359F
+qjq+Us7AXLAMNUynom7IrtR5Rvsjx6RNtKQYUD6XY5rc7r9js9iGruHDAAW5lyRg
+j3wikc0IbV9L1bTsXIp29BsrU9sXUkVEp+xQJZgwqoOduoSjmOK88QdkibDqJiGF
+dzIRiXx+Nxv1Pr9L7A4/tq+YMwRfQ+WJFgkrBgEEAdpHDwEBB0DPvkeV6RzXomGF
+8jQwp0RXEt2TGFwwI7RkbpYwECY2l7QfV2VybmVyIEtvY2ggKGRpc3Qgc2lnbmlu
+ZyAyMDIwKYiaBBMWCgBCFiEEbapuZKdtKEBXG0kCUoiXuCZAOtoFAl9D7DUCGwMF
+CRKFxxEFCwkIBwIDIgIBBhUKCQgLAgQWAgMBAh4HAheAAAoJEFKIl7gmQDraea4A
+/24v8c50HSC/Basf4WlREkuzhudplo8iT0BGtTQRdGAmAP9gIZ8dBekg9PRlpe7A
+l7ErThn6owVH9szWrUt6jkKOBg==
+=h7e4
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/gpg2.spec b/gpg2.spec
new file mode 100644
index 0000000..7b6bbcd
--- /dev/null
+++ b/gpg2.spec
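Review bot: The keyring lands as an opaque armored block with nothing in the repository recording which release-signing keys (by fingerprint) it is expected to hold, so a later substitution of the block would not stand out in a diff. The spec added in this commit uses this file as Source3 to check the Source2 tarball signature and cites https://www.gnupg.org/signature_key.html as its origin, so the fingerprints of the keys in this block should be compared against that page before merging and then pinned in the spec next to the Source3 line, for example `# Expected signing-key fingerprints (from signature_key.html): <FINGERPRINT-1>, <FINGERPRINT-2>` with the placeholders filled in from the page. The channel the block was fetched over is not recorded here either, so the comparison is the only way a reviewer can tell this trust root from any other key block.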
@@ -0,0 +1,192 @@
+#
+# spec file for package gpg2
+#
+# Copyright (c) 2022-2023 ZhuningOS
+#
+
+
+Name: gpg2
+Version: 2.2.27
+Release: 150300.3.8.1
+Summary: File encryption, decryption, signature creation and verification utility
+License: GPL-3.0-or-later
+Group: Productivity/Networking/Security
+URL: https://www.gnupg.org
+Source: ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-%{version}.tar.bz2
+Source2: ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-%{version}.tar.bz2.sig
+# https://www.gnupg.org/signature_key.html
+Source3: %{name}.keyring
+Source4: scdaemon.udev
+Source99: %{name}.changes
+Patch4: gnupg-2.0.9-langinfo.patch
+Patch5: gnupg-2.2.8-files-are-digests.patch
+Patch6: gnupg-dont-fail-with-seahorse-agent.patch
+Patch8: gnupg-set_umask_before_open_outfile.patch
+Patch9: gnupg-detect_FIPS_mode.patch
+Patch11: gnupg-add_legacy_FIPS_mode_option.patch
+Patch12: gnupg-2.2.16-secmem.patch
+Patch13: gnupg-accept_subkeys_with_a_good_revocation_but_no_self-sig_during_import.patch
+Patch14: gnupg-add-test-cases-for-import-without-uid.patch
+Patch15: gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
+# PATCH-FIX-UPSTREAM boo#1201225, CVE-2022-34903 vulnerable to status injection
+Patch16: gnupg-CVE-2022-34903.patch
+# PATCH-FIX-UPSTREAM bsc#1217212, dirmngr --validate broken for DER encoded files
+Patch17: gnupg-dirmngr-Suppress-error-message-on-trial-reading-as-PEM.patch
+Patch18: gnupg-dirmngr-Clear-the-error-count-to-try-certificate-as-binary.patch
+Patch1124847: gnupg-gpg-agent-ulimit.patch
+BuildRequires: expect
+BuildRequires: fdupes
+BuildRequires: libassuan-devel >= 2.5.0
+BuildRequires: libgcrypt-devel >= 1.8.0
+BuildRequires: libgpg-error-devel >= 1.27
+BuildRequires: libksba-devel >= 1.3.5
+BuildRequires: makeinfo
+BuildRequires: npth-devel >= 1.2
+BuildRequires: openldap2-devel
+BuildRequires: pkgconfig
+BuildRequires: readline-devel
+BuildRequires: pkgconfig(bzip2)
+BuildRequires: pkgconfig(gnutls) >= 3.0
+BuildRequires: pkgconfig(libusb-1.0)
+BuildRequires: pkgconfig(sqlite3) >= 3.7
+BuildRequires: pkgconfig(zlib)
+# runtime dependency to support devel repository users - boo#955982
+Requires: libassuan0 >= 2.5.0
+Requires: libgcrypt20 >= 1.8.0
+Requires: libksba >= 1.3.5
+Requires: pinentry
+Recommends: dirmngr = %{version}
+Provides: gnupg = %{version}
+Provides: gpg = 1.4.9
+Provides: newpg
+# special feature needed for OBS signd
+Provides: gpg2_signd_support
+Obsoletes: gpg < 1.4.9
+
+%description
+GnuPG is a hybrid-encryption software program; it uses a combination
+of symmetric-key and public-key cryptography to encrypt/decrypt
+messages and/or to sign and verify them.
+
+gpg2 provides GPGSM, gpg-agent, and a keybox library.
+
+%package -n dirmngr
+Summary: Keyserver, CRL, and OCSP access for GnuPG
+Group: Productivity/Networking/Security
+
+%description -n dirmngr
+Since version 2.1 of GnuPG, dirmngr takes care of accessing the OpenPGP
+keyservers. As with previous versions it is also used as a server for managing
+and downloading certificate
+revocation lists (CRLs) for X.509 certificates, downloading X.509 certificates,
+and providing access to OCSP providers. Dirmngr is invoked internally by gpg,
+gpgsm, or via the gpg-connect-agent tool.
+
+%lang_package
+
+%prep
+%setup -q -n gnupg-%{version}
+%patch1124847 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch8 -p1
+%patch9 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
+touch -d 2018-05-04 doc/gpg.texi # to compensate for patch11 in order to not have man pages and info files have the build date (boo#1047218)
+
+%build
+date=$(date -u +%%Y-%%m-%%dT%%H:%%M+0000 -r %{SOURCE99})
+%configure \
+ --libexecdir=%{_libdir} \
+ --docdir=%{_docdir}/%{name} \
+ --with-agent-pgm=%{_bindir}/gpg-agent \
+ --with-pinentry-pgm=%{_bindir}/pinentry \
+ --with-dirmngr-pgm=%{_bindir}/dirmngr \
+ --with-scdaemon-pgm=%{_bindir}/scdaemon \
+ --enable-ldap \
+ --enable-gpgsm=yes \
+ --enable-gpg \
+ --enable-gpgtar \
+ --enable-g13 \
+ --enable-large-secmem \
+ --enable-wks-tools \
+ --with-gnu-ld \
+ --with-default-trust-store-file=%{_sysconfdir}/ssl/ca-bundle.pem \
+ --enable-build-timestamp=$date \
+ --enable-gpg-is-gpg2 \
+ --enable-Werror
+
+%make_build
+
+%install
+%make_install
+mkdir -p %{buildroot}%{_sysconfdir}/gnupg/
+# bnc#391347
+install -m 644 doc/examples/gpgconf.conf %{buildroot}%{_sysconfdir}/gnupg
+# delete to prevent fdupes from creating cross-partition hardlink
+rm -rf %{buildroot}%{_docdir}/gpg2/examples/gpgconf.conf
+rm %{buildroot}%{_infodir}/dir
+# compat symlinks
+ln -sf gpg2 %{buildroot}%{_bindir}/gpg
+ln -sf gpgv2 %{buildroot}%{_bindir}/gpgv
+ln -sf gpg2.1 %{buildroot}%{_mandir}/man1/gpg.1
+ln -sf gpgv2.1 %{buildroot}%{_mandir}/man1/gpgv.1
+# fix rpmlint invalid-lc-messages-dir:
+rm -rf %{buildroot}/%{_datadir}/locale/en@{bold,}quot
+# install scdaemon to %%{_bindir} (bnc#863645)
+mv %{buildroot}%{_libdir}/scdaemon %{buildroot}%{_bindir}
+mv %{buildroot}%{_libdir}/dirmngr_ldap %{buildroot}%{_bindir}
+# install udev rules for scdaemon
+install -Dm 0644 %{SOURCE4} %{buildroot}%{_udevrulesdir}/60-scdaemon.rules
+# install legacy tools
+install -m 755 tools/gpg-zip %{buildroot}/%{_bindir}
+# install -m 755 tools/gpgsplit %%{buildroot}/%%{_bindir}
+
+%find_lang gnupg2
+%fdupes -s %{buildroot}
+
+%check
+# Run only localy, fails in OBS
+#%%if ! 0%%{?qemu_user_space_build}
+#make %%{?_smp_mflags} check
+#%%endif
+
+%post
+%udev_rules_update
+
+%files lang -f gnupg2.lang
+
+%files
+%{_infodir}/gnupg*
+%exclude %{_mandir}/*/dirmngr*%{ext_man}
+%{_mandir}/*/*%{ext_man}
+%license COPYING*
+%doc AUTHORS ChangeLog NEWS THANKS TODO doc/FAQ
+%exclude %{_docdir}/%{name}/examples/systemd-user/dirmngr.*
+%doc %{_docdir}/%{name}
+%exclude %{_bindir}/dirmngr*
+%{_bindir}/*
+%{_libdir}/[^d]*
+%{_sbindir}/addgnupghome
+%{_sbindir}/applygnupgdefaults
+%{_sbindir}/g13-syshelp
+%{_udevrulesdir}/60-scdaemon.rules
+%{_datadir}/gnupg
+%dir %{_sysconfdir}/gnupg
+%config(noreplace) %{_sysconfdir}/gnupg/gpgconf.conf
+
+%files -n dirmngr
+%license COPYING*
+%{_mandir}/*/dirmngr*%{ext_man}
+%{_docdir}/%{name}/examples/systemd-user/dirmngr.*
+%{_bindir}/dirmngr*
+
+%changelog
diff --git a/scdaemon.udev b/scdaemon.udev
new file mode 100644
index 0000000..8406264
--- /dev/null
+++ b/scdaemon.udev
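Review bot: The `%check` section is a no-op — every line in it is commented out, so `make check` never runs and the test cases that Patch14 (`gnupg-add-test-cases-for-import-without-uid.patch`) adds are never exercised in this build, nor are the upstream tests covering the CVE-2022-34903 fix from Patch16. The sketched guard suggests the failure is specific to qemu user-space builds; if that is the case, enable it as written rather than disabling the whole section: `%if ! 0%{?qemu_user_space_build}` / `make %{?_smp_mflags} check` / `%endif`. If the suite fails in OBS for another reason, the comment should name the failing tests and why, so the disablement can be revisited (and fix the typo: `localy` → `locally`). I cannot tell from the spec alone what the OBS failure is.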
@@ -0,0 +1,65 @@
+# do not edit this file, it will be overwritten on update
+
+SUBSYSTEM!="usb", GOTO="gnupg_rules_end"
+ACTION!="add", GOTO="gnupg_rules_end"
+
+# USB SmartCard Readers
+## Cherry GmbH (XX33, ST2000)
+SUBSYSTEM=="usb", ATTR{idVendor}=="046a", ATTR{idProduct}=="0005", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="046a", ATTR{idProduct}=="0010", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="046a", ATTR{idProduct}=="003e", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## SCM Microsystems, Inc (SCR331-DI, SCR335, SCR3320, SCR331, SCR3310 and SPR532)
+SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5111", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5115", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5116", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5117", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="e001", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="e003", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Omnikey AG (CardMan 3821, CardMan 6121)
+SUBSYSTEM=="usb", ATTR{idVendor}=="076b", ATTR{idProduct}=="3821", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="076b", ATTR{idProduct}=="6622", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Gemalto
+SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="3437", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="3438", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="3478", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="34c2", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="34ec", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Reiner (SCT cyberJack)
+SUBSYSTEM=="usb", ATTR{idVendor}=="0c4b", ATTR{idProduct}=="0500", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Kobil (KAAN)
+SUBSYSTEM=="usb", ATTR{idVendor}=="0d46", ATTR{idProduct}=="2012", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## VASCO (DIGIPASS 920)
+SUBSYSTEM=="usb", ATTR{idVendor}=="1a44", ATTR{idProduct}=="0920", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Crypto Stick
+SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4107", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Nitrokey
+SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4108", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4109", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4211", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Gnuk Token
+SUBSYSTEM=="usb", ATTR{idVendor}=="234b", ATTR{idProduct}=="0000", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Alcor Micro Corp cardreader (in ThinkPad X250)
+SUBSYSTEM=="usb", ATTR{idVendor}=="058f", ATTR{idProduct}=="9540", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Fujitsu Siemens
+SUBSYSTEM=="usb", ATTR{idVendor}=="0bf8", ATTR{idProduct}=="1006", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Yubico
+# Yubikey NEO OTP+CCID
+SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0111", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey NEO CCID
+SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0112", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey NEO U2F+CCID
+SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0115", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey NEO OTP+U2F+CCID
+SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0116", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey 4 CCID
+SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0404", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey 4 OTP+CCID
+SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0405", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey 4 U2F+CCID
+SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0406", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey 4 OTP+U2F+CCID
+SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Trustica Cryptoucan
+SUBSYSTEM=="usb", ATTR{idVendor}=="1fc9", ATTR{idProduct}=="81e6", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+
+LABEL="gnupg_rules_end"
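Review bot: The Yubico rules match with `ATTRS{idVendor}`/`ATTRS{idProduct}` while every other vendor block in the file uses `ATTR{...}`. `ATTRS` searches the device and its parents, so under `SUBSYSTEM=="usb"` it will also tag the YubiKey's interface devices (which have no `idVendor` of their own) with `ID_SMARTCARD_READER`, whereas `ATTR` only tags the device node itself; if that difference is not intentional, switching those eight lines to `ATTR{idVendor}=="1050", ATTR{idProduct}=="0111"` (and the other product IDs) keeps behavior uniform. If it is intentional, a one-line comment above `## Yubico` saying why would spare the next maintainer the same question. The per-rule `SUBSYSTEM=="usb"` is redundant given the `SUBSYSTEM!="usb", GOTO="gnupg_rules_end"` guard at the top, though harmless.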