diff options
Diffstat (limited to 'app-crypt/gnupg')
19 files changed, 1189 insertions, 150 deletions
diff --git a/app-crypt/gnupg/Manifest b/app-crypt/gnupg/Manifest index 635af7c8ca9c..e2facd7b6303 100644 --- a/app-crypt/gnupg/Manifest +++ b/app-crypt/gnupg/Manifest @@ -1,8 +1,8 @@ -DIST gnupg-2.2.40.tar.bz2 7301631 BLAKE2B c9a077e28b22888573bdd12029205eb5f79a463a297e400a623bc86a39eeb6454cd884d05bd96734998613c695f2c9dcc68963c7275b89938ac38ddc7ba1e229 SHA512 4c2f5fbf37ba6fbad0045aad23129186963010c673ea0b81801adc4f98efe14d6c7228e22815b6b26307c1fe5bb51cd088aa6a0f06a9325d3c021849ef81c594 -DIST gnupg-2.2.40.tar.bz2.sig 119 BLAKE2B baaffad8203169fca54be031b3c77f818ecf973c73b9389cb3cbcd8217ae8a6018f0d3d4d2d5b6f0611f7643b78467f91902add3107e9538273607c6ba3a49bf SHA512 fccc06c709450d58e64716c505cd79556edac440462613c47c6ec78714355425c045418946b4b4b2a5c79e33e0e75b20f0699ae6de9921add4877fd6c8cc2d64 -DIST gnupg-2.2.41.tar.bz2 7313746 BLAKE2B 0be2965a646a8636a127f89329030860908b0bbc447381782527459aed85f5276c29e7a2c89f87cb715407d9f1aabbf3ae1765073764d05e422035e8d5962569 SHA512 f472e5058ea9881355f0c754a47acd0b5360c36e8976b8563dbc763a7cef792bf88227cc15fe5172d3e9bb9fc34d8448dd5c183949031e91a1997cc7f0f83b55 -DIST gnupg-2.2.41.tar.bz2.sig 119 BLAKE2B d9a9ab4d71ca759d634c606144a2602fce8bf4e3a7407908442ef6f251c5e01ef829b3d35d28f03b13a3a7099081484ee6c83a26a9fe2154aa0a00e8678c654c SHA512 467c94a876c57854d283447ca7e94bd72d95d9cbe45247f39d9a73d0b3c500388927c980f84afb1b9c02c3811f349582cb7ee36d967c4f0d8aae95ce07bed955 -DIST gnupg-2.3.8.tar.bz2 7644926 BLAKE2B afb960adb877398363d92585d54bccc82c816f87b4489835950c19fc330edbf5302f7f958fdc6333b80d2e34730c9518e6abffea721891fd76c1b2ff2aa704be SHA512 6df8b1c53f0112c358f9f9eac732dd4ca13bcec24fc55a7d4a606587da988c5b7bb4c61be52b8b7769f1536dd2043087e6eb5cf224991cb0b2ed38ad00717ee2 -DIST gnupg-2.3.8.tar.bz2.sig 119 BLAKE2B 29a133605d72dc4c102ec9a82d654cb980a72463fdc6e255d595e0559bb08860dcb1b014681e1d177eb29c0d32f4ce4ef6caefa6558f1cb97c87c42fb426ea63 SHA512 d97a92c245df997dbff800b25872e9f0769b20e9336b12682b4539fd4fe0e9c2dada7af397b8afeeeba316100b8f4dd86ba96e1dc62cee70158927229b0a015d -DIST gnupg-2.4.0.tar.bz2 7666935 BLAKE2B cc4bcd439a3283df5932c0c41873a3b85de07103d9164ec6dc44552fa0d8c5e5973d74dcd3ffd3d4cf0564c9dab66c6e2adbcd7b34bbc4b5faf0f1bf0f3836aa SHA512 094d631130d4dfe4421cc5e715eaec1888d0b4b764f1be9287be86cbc34430313211739d5481b34e9b59021d05cdbae8a87a1007031cc4dc6213045984a8559a -DIST gnupg-2.4.0.tar.bz2.sig 119 BLAKE2B 238e07f48d7cf13d1030801d16dfd0af0411b5a9ebf0594124dc5edc02953187dd5fe7c9b7cca3edd63bd4ffb3604a098ee71031bf8fcef731e55268efb1f509 SHA512 3ed098ad036907fde2c80fdd09a5f3fd1a151ecfa47b5a34a949e129fcd1a748ab0ed7219433e5104d98a670bd91d353157ef2e8cc4e0c5817da2d7da58c4b20 +DIST gnupg-2.2.42.tar.bz2 7434291 BLAKE2B 5f7f01f31949e5258d638fbff81fa641e5c167e6eaf32c55eb187d4a31b31cd4fe6e51c622e74d8544c4f95c75484e15117f26a8cf26055ff6813d75e54f2b8a SHA512 9c59d034f428d42323b5520e1a8984acc1505ba1d96d90f00e17b24aa91660b2dc64e1a3ceb044c56f39b4c402a77c7e0b226c65218c23c094781b4ef51e2eb5 +DIST gnupg-2.2.42.tar.bz2.sig 238 BLAKE2B 251ad0a832042ceb93b0edfda8652104bfb463e291322f22f0ab0d9b35606c3589be7a6f3e9e2aac8f6ac368a7d11840ab83b29997587dc65685de9f2dec3fee SHA512 7073bfc920c571680a1de57b4e6cd83cde24ccb3b5f592602b0c32fd762eef497027b08745044c9f41130ca99bb7ec77222568c2d0a1099d3c1c15137e0221d7 +DIST gnupg-2.2.43.tar.bz2 7435426 BLAKE2B ddf5c89d317e6ce8d1a5348f0ef81ffa1c61c995ddb312b28410f04502b01eae307cd943bee7182d28d4efccac394c91053f8e33756b00166bf66b2bf4a791a7 SHA512 0d2e733b6659c116c043db5252de4de33d6a70c16172d1fe9b779ba413ba9fcb64bbfdcc4686d0e87904561fc62d1aa765144e0586957a500287c175ee37bd49 +DIST gnupg-2.2.43.tar.bz2.sig 119 BLAKE2B 38fd3790f5065d67d6b5323ef7abbb79facf00e5b9daba98e5078302fc3887423173ba434c7eff1e64faecef88d87aab9c057c570d6e96e8d0808f07f32d8fa1 SHA512 47c5354869b1825e56fa4276826fcde1ee41c70aab9b411686cf2733f4d1df9c006049e49e066b22e475bd37b337f9ffc97f8bbca0c62c0f32296909464a0643 +DIST gnupg-2.4.4.tar.bz2 7886036 BLAKE2B 02661e89f0358be09fa3e71e7235b764a7dbda62a48a0c8c7a4e6c9919c3b37d54ead50b930af58f8f2fdb87861b849d3f3751e95cbedf46bdfd76caa90c4db4 SHA512 3d1a3b08d1ce2319d238d8be96591e418ede1dc0b4ede33a4cc2fe40e9c56d5bbc27b1984736d8a786e7f292ddbc836846a8bdb4bf89f064e953c37cb54b94ef +DIST gnupg-2.4.4.tar.bz2.sig 237 BLAKE2B 6ee5878c36fbec747a6d84a268903749d862aab50dd7f9a389aabbf7b94dec1c424615f520b5f4a6d44e02093e8d9ad0b08d0c6cf6fd8886d8c174ce9faac99c SHA512 3ae7b6833576df851901a7619459b514bb82faeed350c864a57a782719d21f694d9ced5a3445c81dfa584a0302f87fedc660b08ea97bb8b861e76d7c5b46d07f +DIST gnupg-2.4.5.tar.bz2 7889060 BLAKE2B a8b80cd4dfbb377066efb5c9f1b6cdc6d0cd1b18358c962781b5c06de1545117b13038a4655ae627c36bfd2e5fee127692df8729d6b23e1b31051ab6d897b733 SHA512 4d54744f09399c5899144d0cb5fdc2756e45b058db41b9ea9df3be03e80b914509e16ef35aa0248e7561185b80f7a5f9fd6afcab8ccff75ff82ed555448a38ff +DIST gnupg-2.4.5.tar.bz2.sig 119 BLAKE2B f37fb5620bc009a5b935ac75df4235d377da4f052115c3c22c8d0887e9b21df6ea3059ac510eb2b555d825c2294e1c3ee44c86ecb371c6444a4645ca5a5c265a SHA512 53be0db371a98c930cbef9c844adcd06a8049d84dd71508f6f7427fc1736b374912c85ebf3a415748651260f65cf26f633697f4bdae2cc4a8d2c4b522db0bc71 diff --git a/app-crypt/gnupg/files/README-systemd b/app-crypt/gnupg/files/README-systemd new file mode 100644 index 000000000000..cc38fd66ab57 --- /dev/null +++ b/app-crypt/gnupg/files/README-systemd @@ -0,0 +1,67 @@ +Socket-activated dirmngr and gpg-agent with systemd +=================================================== + +When used on a GNU/Linux system supervised by systemd, you can ensure +that the GnuPG daemons dirmngr and gpg-agent are launched +automatically the first time they're needed, and shut down cleanly at +session logout. This is done by enabling user services via +socket-activation. + +System distributors +------------------- + +The *.service and *.socket files (from this directory) should be +placed in /usr/lib/systemd/user/ alongside other user-session services +and sockets. + +To enable socket-activated dirmngr for all accounts on the system, +use: + + systemctl --user --global enable dirmngr.socket + +To enable socket-activated gpg-agent for all accounts on the system, +use: + + systemctl --user --global enable gpg-agent.socket + +Additionally, you can enable socket-activated gpg-agent ssh-agent +emulation for all accounts on the system with: + + systemctl --user --global enable gpg-agent-ssh.socket + +You can also enable restricted ("--extra-socket"-style) gpg-agent +sockets for all accounts on the system with: + + systemctl --user --global enable gpg-agent-extra.socket + +Individual users +---------------- + +A user on a system with systemd where this has not been installed +system-wide can place these files in ~/.config/systemd/user/ to make +them available. + +If a given service isn't installed system-wide, or if it's installed +system-wide but not globally enabled, individual users will still need +to enable them. For example, to enable socket-activated dirmngr for +all future sessions: + + systemctl --user enable dirmngr.socket + +To enable socket-activated gpg-agent with ssh support, do: + + systemctl --user enable gpg-agent.socket gpg-agent-ssh.socket + +These changes won't take effect until your next login after you've +fully logged out (be sure to terminate any running daemons before +logging out). + +If you'd rather try a socket-activated GnuPG daemon in an +already-running session without logging out (with or without enabling +it for all future sessions), kill any existing daemon and start the +user socket directly. For example, to set up socket-activated dirmgnr +in the current session: + + gpgconf --kill dirmngr + systemctl --user start dirmngr.socket + diff --git a/app-crypt/gnupg/files/dirmngr.service b/app-crypt/gnupg/files/dirmngr.service new file mode 100644 index 000000000000..3c060cde5d87 --- /dev/null +++ b/app-crypt/gnupg/files/dirmngr.service @@ -0,0 +1,8 @@ +[Unit] +Description=GnuPG network certificate management daemon +Documentation=man:dirmngr(8) +Requires=dirmngr.socket + +[Service] +ExecStart=/usr/bin/dirmngr --supervised +ExecReload=/usr/bin/gpgconf --reload dirmngr diff --git a/app-crypt/gnupg/files/dirmngr.socket b/app-crypt/gnupg/files/dirmngr.socket new file mode 100644 index 000000000000..ebabf896ab43 --- /dev/null +++ b/app-crypt/gnupg/files/dirmngr.socket @@ -0,0 +1,11 @@ +[Unit] +Description=GnuPG network certificate management daemon +Documentation=man:dirmngr(8) + +[Socket] +ListenStream=%t/gnupg/S.dirmngr +SocketMode=0600 +DirectoryMode=0700 + +[Install] +WantedBy=sockets.target diff --git a/app-crypt/gnupg/files/gnupg-2.2.40-fix-no-ldap-build.patch b/app-crypt/gnupg/files/gnupg-2.2.40-fix-no-ldap-build.patch deleted file mode 100644 index 3ab9c0cba902..000000000000 --- a/app-crypt/gnupg/files/gnupg-2.2.40-fix-no-ldap-build.patch +++ /dev/null @@ -1,36 +0,0 @@ -https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=7011286ce6e1fb56c2989fdafbd11b931c489faa - -From 7011286ce6e1fb56c2989fdafbd11b931c489faa Mon Sep 17 00:00:00 2001 -From: NIIBE Yutaka <gniibe@fsij.org> -Date: Fri, 14 Oct 2022 09:58:41 +0900 -Subject: [PATCH] dirmngr: Fix build with no LDAP support. - -* dirmngr/server.c [USE_LDAP] (start_command_handler): Conditionalize. - --- - -GnuPG-bug-id: 6239 -Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> ---- - dirmngr/server.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/dirmngr/server.c b/dirmngr/server.c -index 04ebfd317..98f354300 100644 ---- a/dirmngr/server.c -+++ b/dirmngr/server.c -@@ -3137,8 +3137,10 @@ start_command_handler (assuan_fd_t fd, unsigned int session_id) - ctrl->refcount); - else - { -+#if USE_LDAP - ks_ldap_free_state (ctrl->ks_get_state); - ctrl->ks_get_state = NULL; -+#endif - release_ctrl_ocsp_certs (ctrl); - xfree (ctrl->server_local); - dirmngr_deinit_default_ctrl (ctrl); --- -2.11.0 - - diff --git a/app-crypt/gnupg/files/gnupg-2.2.42-bug923248-insecure-backup.patch b/app-crypt/gnupg/files/gnupg-2.2.42-bug923248-insecure-backup.patch new file mode 100644 index 000000000000..76d6d94c40b1 --- /dev/null +++ b/app-crypt/gnupg/files/gnupg-2.2.42-bug923248-insecure-backup.patch @@ -0,0 +1,292 @@ +https://bugs.gentoo.org/923248 +https://dev.gnupg.org/T6944 +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=3b69d8bf7146b8d10737d0cfea9c97affc60ad73 + +From 3b69d8bf7146b8d10737d0cfea9c97affc60ad73 Mon Sep 17 00:00:00 2001 +From: Werner Koch <wk@gnupg.org> +Date: Wed, 24 Jan 2024 11:29:24 +0100 +Subject: [PATCH] gpg: Fix leftover unprotected card backup key. + +* agent/command.c (cmd_learn): Add option --reallyforce. +* agent/findkey.c (agent_write_private_key): Implement reallyforce. +Also add arg reallyforce and pass it along the call chain. + +* g10/call-agent.c (agent_scd_learn): Pass --reallyforce with a +special force value. +* g10/keygen.c (card_store_key_with_backup): Use that force value. +-- + +This was a regression in 2.2.42. We took the easy path to fix it by +getting the behaviour back to what we did prior to 2.2.42. With GnuPG +2.4.4 we use an entire different and safer approach by introducing an +ephemeral private key store. + +GnuPG-bug-id: 6944 +--- a/agent/agent.h ++++ b/agent/agent.h +@@ -422,7 +422,8 @@ void start_command_handler_ssh (ctrl_t, gnupg_fd_t); + gpg_error_t agent_modify_description (const char *in, const char *comment, + const gcry_sexp_t key, char **result); + int agent_write_private_key (const unsigned char *grip, +- const void *buffer, size_t length, int force, ++ const void *buffer, size_t length, ++ int force, int reallyforce, + const char *serialno, const char *keyref, + const char *dispserialno, time_t timestamp); + gpg_error_t agent_key_from_file (ctrl_t ctrl, +@@ -548,6 +549,7 @@ gpg_error_t s2k_hash_passphrase (const char *passphrase, int hashalgo, + gpg_error_t agent_write_shadow_key (const unsigned char *grip, + const char *serialno, const char *keyid, + const unsigned char *pkbuf, int force, ++ int reallyforce, + const char *dispserialno); + + +@@ -628,7 +630,8 @@ void agent_card_killscd (void); + + + /*-- learncard.c --*/ +-int agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, int force); ++int agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, ++ int force, int reallyforce); + + + /*-- cvt-openpgp.c --*/ +--- a/agent/command-ssh.c ++++ b/agent/command-ssh.c +@@ -2499,7 +2499,7 @@ card_key_available (ctrl_t ctrl, gcry_sexp_t *r_pk, char **cardsn) + + /* (Shadow)-key is not available in our key storage. */ + agent_card_getattr (ctrl, "$DISPSERIALNO", &dispserialno); +- err = agent_write_shadow_key (grip, serialno, authkeyid, pkbuf, 0, ++ err = agent_write_shadow_key (grip, serialno, authkeyid, pkbuf, 0, 0, + dispserialno); + xfree (dispserialno); + if (err) +@@ -3159,7 +3159,7 @@ ssh_identity_register (ctrl_t ctrl, ssh_key_type_spec_t *spec, + + /* Store this key to our key storage. We do not store a creation + * timestamp because we simply do not know. */ +- err = agent_write_private_key (key_grip_raw, buffer, buffer_n, 0, ++ err = agent_write_private_key (key_grip_raw, buffer, buffer_n, 0, 0, + NULL, NULL, NULL, 0); + if (err) + goto out; +--- a/agent/command.c ++++ b/agent/command.c +@@ -1042,7 +1042,7 @@ cmd_readkey (assuan_context_t ctx, char *line) + /* Shadow-key is or is not available in our key storage. In + * any case we need to check whether we need to update with + * a new display-s/n or whatever. */ +- rc = agent_write_shadow_key (grip, serialno, keyid, pkbuf, 0, ++ rc = agent_write_shadow_key (grip, serialno, keyid, pkbuf, 0, 0, + dispserialno); + if (rc) + goto leave; +@@ -1855,16 +1855,18 @@ cmd_learn (assuan_context_t ctx, char *line) + { + ctrl_t ctrl = assuan_get_pointer (ctx); + gpg_error_t err; +- int send, sendinfo, force; ++ int send, sendinfo, force, reallyforce; + + send = has_option (line, "--send"); + sendinfo = send? 1 : has_option (line, "--sendinfo"); + force = has_option (line, "--force"); ++ reallyforce = has_option (line, "--reallyforce"); + + if (ctrl->restricted) + return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN)); + +- err = agent_handle_learn (ctrl, send, sendinfo? ctx : NULL, force); ++ err = agent_handle_learn (ctrl, send, sendinfo? ctx : NULL, ++ force, reallyforce); + return leave_cmd (ctx, err); + } + +@@ -2427,11 +2429,11 @@ cmd_import_key (assuan_context_t ctx, char *line) + err = agent_protect (key, passphrase, &finalkey, &finalkeylen, + ctrl->s2k_count); + if (!err) +- err = agent_write_private_key (grip, finalkey, finalkeylen, force, ++ err = agent_write_private_key (grip, finalkey, finalkeylen, force, 0, + NULL, NULL, NULL, opt_timestamp); + } + else +- err = agent_write_private_key (grip, key, realkeylen, force, ++ err = agent_write_private_key (grip, key, realkeylen, force, 0, + NULL, NULL, NULL, opt_timestamp); + + leave: +--- a/agent/cvt-openpgp.c ++++ b/agent/cvt-openpgp.c +@@ -1070,7 +1070,7 @@ convert_from_openpgp_native (ctrl_t ctrl, + &protectedkey, &protectedkeylen, + ctrl->s2k_count)) + agent_write_private_key (grip, protectedkey, protectedkeylen, +- 1/*force*/, NULL, NULL, NULL, 0); ++ 1/*force*/, 0, NULL, NULL, NULL, 0); + xfree (protectedkey); + } + else +@@ -1079,7 +1079,7 @@ convert_from_openpgp_native (ctrl_t ctrl, + agent_write_private_key (grip, + *r_key, + gcry_sexp_canon_len (*r_key, 0, NULL,NULL), +- 1/*force*/, NULL, NULL, NULL, 0); ++ 1/*force*/, 0, NULL, NULL, NULL, 0); + } + } + +--- a/agent/findkey.c ++++ b/agent/findkey.c +@@ -82,7 +82,8 @@ fname_from_keygrip (const unsigned char *grip, int for_new) + * recorded as creation date. */ + int + agent_write_private_key (const unsigned char *grip, +- const void *buffer, size_t length, int force, ++ const void *buffer, size_t length, ++ int force, int reallyforce, + const char *serialno, const char *keyref, + const char *dispserialno, + time_t timestamp) +@@ -165,10 +166,13 @@ agent_write_private_key (const unsigned char *grip, + /* Check that we do not update a regular key with a shadow key. */ + if (is_regular && gpg_err_code (is_shadowed_key (key)) == GPG_ERR_TRUE) + { +- log_info ("updating regular key file '%s'" +- " by a shadow key inhibited\n", oldfname); +- err = 0; /* Simply ignore the error. */ +- goto leave; ++ if (!reallyforce) ++ { ++ log_info ("updating regular key file '%s'" ++ " by a shadow key inhibited\n", oldfname); ++ err = 0; /* Simply ignore the error. */ ++ goto leave; ++ } + } + /* Check that we update a regular key only in force mode. */ + if (is_regular && !force) +@@ -1704,12 +1708,13 @@ agent_delete_key (ctrl_t ctrl, const char *desc_text, + * Shadow key is created by an S-expression public key in PKBUF and + * card's SERIALNO and the IDSTRING. With FORCE passed as true an + * existing key with the given GRIP will get overwritten. If +- * DISPSERIALNO is not NULL the human readable s/n will also be +- * recorded in the key file. */ ++ * REALLYFORCE is also true, even a private key will be overwritten by ++ * a shadown key. If DISPSERIALNO is not NULL the human readable s/n ++ * will also be recorded in the key file. */ + gpg_error_t + agent_write_shadow_key (const unsigned char *grip, + const char *serialno, const char *keyid, +- const unsigned char *pkbuf, int force, ++ const unsigned char *pkbuf, int force, int reallyforce, + const char *dispserialno) + { + gpg_error_t err; +@@ -1737,7 +1742,7 @@ agent_write_shadow_key (const unsigned char *grip, + } + + len = gcry_sexp_canon_len (shdkey, 0, NULL, NULL); +- err = agent_write_private_key (grip, shdkey, len, force, ++ err = agent_write_private_key (grip, shdkey, len, force, reallyforce, + serialno, keyid, dispserialno, 0); + xfree (shdkey); + if (err) +--- a/agent/genkey.c ++++ b/agent/genkey.c +@@ -69,7 +69,7 @@ store_key (gcry_sexp_t private, const char *passphrase, int force, + buf = p; + } + +- rc = agent_write_private_key (grip, buf, len, force, ++ rc = agent_write_private_key (grip, buf, len, force, 0, + NULL, NULL, NULL, timestamp); + xfree (buf); + return rc; +--- a/agent/learncard.c ++++ b/agent/learncard.c +@@ -297,9 +297,12 @@ send_cert_back (ctrl_t ctrl, const char *id, void *assuan_context) + } + + /* Perform the learn operation. If ASSUAN_CONTEXT is not NULL and +- SEND is true all new certificates are send back via Assuan. */ ++ SEND is true all new certificates are send back via Assuan. If ++ REALLYFORCE is true a private key will be overwritten by a stub ++ key. */ + int +-agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, int force) ++agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, ++ int force, int reallyforce) + { + int rc; + struct kpinfo_cb_parm_s parm; +@@ -414,7 +417,7 @@ agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, int force) + + agent_card_getattr (ctrl, "$DISPSERIALNO", &dispserialno); + rc = agent_write_shadow_key (grip, serialno, item->id, pubkey, +- force, dispserialno); ++ force, reallyforce, dispserialno); + xfree (dispserialno); + } + xfree (pubkey); +--- a/agent/protect-tool.c ++++ b/agent/protect-tool.c +@@ -807,13 +807,15 @@ agent_askpin (ctrl_t ctrl, + * to stdout. */ + int + agent_write_private_key (const unsigned char *grip, +- const void *buffer, size_t length, int force, ++ const void *buffer, size_t length, ++ int force, int reallyforce, + const char *serialno, const char *keyref, + const char *dispserialno, time_t timestamp) + { + char hexgrip[40+4+1]; + char *p; + ++ (void)reallyforce; + (void)force; + (void)timestamp; + (void)serialno; +--- a/g10/call-agent.c ++++ b/g10/call-agent.c +@@ -745,6 +745,11 @@ learn_status_cb (void *opaque, const char *line) + * card-util.c + * keyedit_menu + * card_store_key_with_backup (Woth force to remove secret key data) ++ * ++ * If force has the value 2 the --reallyforce option is also used. ++ * This is to make sure the sshadow key overwrites the private key. ++ * Note that this option is gnupg 2.2 specific because since 2.4.4 an ++ * ephemeral private key store is used instead. + */ + int + agent_scd_learn (struct agent_card_info_s *info, int force) +@@ -764,6 +769,7 @@ agent_scd_learn (struct agent_card_info_s *info, int force) + + parm.ctx = agent_ctx; + rc = assuan_transact (agent_ctx, ++ force == 2? "LEARN --sendinfo --force --reallyforce" : + force ? "LEARN --sendinfo --force" : "LEARN --sendinfo", + dummy_data_cb, NULL, default_inq_cb, &parm, + learn_status_cb, info); +--- a/g10/keygen.c ++++ b/g10/keygen.c +@@ -5201,8 +5201,11 @@ card_store_key_with_backup (ctrl_t ctrl, PKT_public_key *sub_psk, + if (err) + log_error ("writing card key to backup file: %s\n", gpg_strerror (err)); + else +- /* Remove secret key data in agent side. */ +- agent_scd_learn (NULL, 1); ++ { ++ /* Remove secret key data in agent side. We use force 2 here to ++ * allow overwriting of the temporary private key. */ ++ agent_scd_learn (NULL, 2); ++ } + + leave: + xfree (ecdh_param_str); +-- +2.30.2 diff --git a/app-crypt/gnupg/files/gnupg-2.2.42-dirmngr-proxy.patch b/app-crypt/gnupg/files/gnupg-2.2.42-dirmngr-proxy.patch new file mode 100644 index 000000000000..21be675adef4 --- /dev/null +++ b/app-crypt/gnupg/files/gnupg-2.2.42-dirmngr-proxy.patch @@ -0,0 +1,156 @@ +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=d6c428699db7aa20f8b6ca9fe83197a0314b7e91 +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=c33c4fdf10b7ed9e03f2afe988d93f3085b727aa +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=41c022072599bc3f12f659e962653548cd86fa3a + +From d6c428699db7aa20f8b6ca9fe83197a0314b7e91 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gniibe@fsij.org> +Date: Thu, 15 Feb 2024 15:38:34 +0900 +Subject: [PATCH] dirmngr: Fix proxy with TLS. + +* dirmngr/http.c (proxy_get_token, run_proxy_connect): Always +available regardless of USE_TLS. +(send_request): Remove USE_TLS. + +-- + +Since quite some time building w/o TLS won't work. + +GnuPG-bug-id: 6997 +--- a/dirmngr/http.c ++++ b/dirmngr/http.c +@@ -2498,9 +2498,7 @@ proxy_get_token (proxy_info_t proxy, const char *inputstring) + } + + +- + /* Use the CONNECT method to proxy our TLS stream. */ +-#ifdef USE_TLS + static gpg_error_t + run_proxy_connect (http_t hd, proxy_info_t proxy, + const char *httphost, const char *server, +@@ -2709,7 +2707,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + xfree (tmpstr); + return err; + } +-#endif /*USE_TLS*/ + + + /* Make a request string using a standard proxy. On success the +@@ -2866,7 +2863,6 @@ send_request (http_t hd, const char *httphost, const char *auth, + goto leave; + } + +-#if USE_TLS + if (use_http_proxy && hd->uri->use_tls) + { + err = run_proxy_connect (hd, proxy, httphost, server, port); +@@ -2878,7 +2874,6 @@ send_request (http_t hd, const char *httphost, const char *auth, + * clear the flag to indicate this. */ + use_http_proxy = 0; + } +-#endif /* USE_TLS */ + + #if HTTP_USE_NTBTLS + err = run_ntbtls_handshake (hd); +-- +2.30.2 + +From c33c4fdf10b7ed9e03f2afe988d93f3085b727aa Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gniibe@fsij.org> +Date: Fri, 16 Feb 2024 11:31:37 +0900 +Subject: [PATCH] dirmngr: Fix the regression of use of proxy for TLS + connection. + +* dirmngr/http.c (run_proxy_connect): Don't set keep_alive, since it +causes resource leak of FP_WRITE. +Don't try to read response body to fix the hang. + +-- + +GnuPG-bug-id: 6997 +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> +--- a/dirmngr/http.c ++++ b/dirmngr/http.c +@@ -2520,6 +2520,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication + */ + auth_basic = !!proxy->uri->auth; ++ hd->keep_alive = 0; + + /* For basic authentication we need to send just one request. */ + if (auth_basic +@@ -2541,13 +2542,12 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + httphost ? httphost : server, + port, + authhdr ? authhdr : "", +- auth_basic? "" : "Connection: keep-alive\r\n"); ++ hd->keep_alive? "Connection: keep-alive\r\n" : ""); + if (!request) + { + err = gpg_error_from_syserror (); + goto leave; + } +- hd->keep_alive = !auth_basic; /* We may need to send more requests. */ + + if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP)) + log_debug_with_string (request, "http.c:proxy:request:"); +@@ -2574,16 +2574,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + if (err) + goto leave; + +- { +- unsigned long count = 0; +- +- while (es_getc (hd->fp_read) != EOF) +- count++; +- if (opt_debug) +- log_debug ("http.c:proxy_connect: skipped %lu bytes of response-body\n", +- count); +- } +- + /* Reset state. */ + es_clearerr (hd->fp_read); + ((cookie_t)(hd->read_cookie))->up_to_empty_line = 1; +-- +2.30.2 + +From 41c022072599bc3f12f659e962653548cd86fa3a Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gniibe@fsij.org> +Date: Fri, 16 Feb 2024 16:24:26 +0900 +Subject: [PATCH] dirmngr: Fix keep-alive flag handling. + +* dirmngr/http.c (run_proxy_connect): Set KEEP_ALIVE if not Basic +Authentication. Fix resource leak of FP_WRITE. + +-- + +GnuPG-bug-id: 6997 +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> +--- a/dirmngr/http.c ++++ b/dirmngr/http.c +@@ -2520,7 +2520,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication + */ + auth_basic = !!proxy->uri->auth; +- hd->keep_alive = 0; ++ hd->keep_alive = !auth_basic; /* We may need to send more requests. */ + + /* For basic authentication we need to send just one request. */ + if (auth_basic +@@ -2684,6 +2684,14 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + } + + leave: ++ if (hd->keep_alive) ++ { ++ es_fclose (hd->fp_write); ++ hd->fp_write = NULL; ++ /* The close has released the cookie and thus we better set it ++ * to NULL. */ ++ hd->write_cookie = NULL; ++ } + /* Restore flags, destroy stream, reset state. */ + hd->flags = saved_flags; + es_fclose (hd->fp_read); +-- +2.30.2 diff --git a/app-crypt/gnupg/files/gnupg-2.2.42-gpgme-tests.patch b/app-crypt/gnupg/files/gnupg-2.2.42-gpgme-tests.patch new file mode 100644 index 000000000000..f10154b303e5 --- /dev/null +++ b/app-crypt/gnupg/files/gnupg-2.2.42-gpgme-tests.patch @@ -0,0 +1,39 @@ +https://bugs.gentoo.org/924386 +https://dev.gnupg.org/T7003 +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=f50c543326c2eea6b40f548d61cf3a66a077bf54 + +From f50c543326c2eea6b40f548d61cf3a66a077bf54 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gniibe@fsij.org> +Date: Fri, 1 Mar 2024 13:59:43 +0900 +Subject: [PATCH] agent: Allow simple KEYINFO command when restricted. + +* agent/command.c (cmd_keyinfo): Only forbid list command. + +-- + +GnuPG-bug-id: 7003 +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> +--- a/agent/command.c ++++ b/agent/command.c +@@ -1282,9 +1282,6 @@ cmd_keyinfo (assuan_context_t ctx, char *line) + char hexgrip[41]; + int disabled, ttl, confirm, is_ssh; + +- if (ctrl->restricted) +- return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN)); +- + if (has_option (line, "--ssh-list")) + list_mode = 2; + else +@@ -1333,6 +1330,9 @@ cmd_keyinfo (assuan_context_t ctx, char *line) + char *dirname; + gnupg_dirent_t dir_entry; + ++ if (ctrl->restricted) ++ return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN)); ++ + dirname = make_filename_try (gnupg_homedir (), + GNUPG_PRIVATE_KEYS_DIR, NULL); + if (!dirname) +-- +2.30.2 diff --git a/app-crypt/gnupg/files/gnupg-2.4.4-dirmngr-proxy.patch b/app-crypt/gnupg/files/gnupg-2.4.4-dirmngr-proxy.patch new file mode 100644 index 000000000000..686a3aadc8dd --- /dev/null +++ b/app-crypt/gnupg/files/gnupg-2.4.4-dirmngr-proxy.patch @@ -0,0 +1,202 @@ +https://bugs.gentoo.org/924606 +https://dev.gnupg.org/T6997 +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=04cbc3074aa98660b513a80f623a7e9f0702c7c9 +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=848546b05ab0ff6abd47724ecfab73bf32dd4c01 +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2810b934647edd483996bee1f5f9256a162b2705 + +From 6236978d78886cbb476ed9fbc49ff99c7582b2d7 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gniibe@fsij.org> +Date: Thu, 15 Feb 2024 15:38:34 +0900 +Subject: [PATCH 1/3] dirmngr: Fix proxy with TLS. + +* dirmngr/http.c (proxy_get_token, run_proxy_connect): Always +available regardless of USE_TLS. +(run_proxy_connect): Use log_debug_string. +(send_request): Remove USE_TLS. + +-- + +Since the commit of + + 1009e4e5f71347a1fe194e59a9d88c8034a67016 + +Building with TLS library is mandatory. + +GnuPG-bug-id: 6997 +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> +--- + dirmngr/http.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/dirmngr/http.c b/dirmngr/http.c +index 4899a5d55..10eecfdb0 100644 +--- a/dirmngr/http.c ++++ b/dirmngr/http.c +@@ -2362,7 +2362,6 @@ run_gnutls_handshake (http_t hd, const char *server) + * NULL, decode the string and use this as input from teh server. On + * success the final output token is stored at PROXY->OUTTOKEN and + * OUTTOKLEN. IF the authentication succeeded OUTTOKLEN is zero. */ +-#ifdef USE_TLS + static gpg_error_t + proxy_get_token (proxy_info_t proxy, const char *inputstring) + { +@@ -2530,11 +2529,9 @@ proxy_get_token (proxy_info_t proxy, const char *inputstring) + + #endif /*!HAVE_W32_SYSTEM*/ + } +-#endif /*USE_TLS*/ + + + /* Use the CONNECT method to proxy our TLS stream. */ +-#ifdef USE_TLS + static gpg_error_t + run_proxy_connect (http_t hd, proxy_info_t proxy, + const char *httphost, const char *server, +@@ -2586,7 +2583,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + hd->keep_alive = !auth_basic; /* We may need to send more requests. */ + + if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP)) +- log_debug_with_string (request, "http.c:proxy:request:"); ++ log_debug_string (request, "http.c:proxy:request:"); + + if (!hd->fp_write) + { +@@ -2743,7 +2740,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + xfree (tmpstr); + return err; + } +-#endif /*USE_TLS*/ + + + /* Make a request string using a standard proxy. On success the +@@ -2903,7 +2899,6 @@ send_request (ctrl_t ctrl, + goto leave; + } + +-#if USE_TLS + if (use_http_proxy && hd->uri->use_tls) + { + err = run_proxy_connect (hd, proxy, httphost, server, port); +@@ -2915,7 +2910,6 @@ send_request (ctrl_t ctrl, + * clear the flag to indicate this. */ + use_http_proxy = 0; + } +-#endif /* USE_TLS */ + + #if HTTP_USE_NTBTLS + err = run_ntbtls_handshake (hd); +-- +2.43.2 + +From 68650eb6999e674fd2f1c78f47b68d3cd1d37ff0 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gniibe@fsij.org> +Date: Fri, 16 Feb 2024 11:31:37 +0900 +Subject: [PATCH 2/3] dirmngr: Fix the regression of use of proxy for TLS + connection. + +* dirmngr/http.c (run_proxy_connect): Don't set keep_alive, since it +causes resource leak of FP_WRITE. +Don't try to read response body to fix the hang. + +-- + +GnuPG-bug-id: 6997 +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> +--- + dirmngr/http.c | 14 ++------------ + 1 file changed, 2 insertions(+), 12 deletions(-) + +diff --git a/dirmngr/http.c b/dirmngr/http.c +index 10eecfdb0..7ce01bacd 100644 +--- a/dirmngr/http.c ++++ b/dirmngr/http.c +@@ -2553,6 +2553,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication + */ + auth_basic = !!proxy->uri->auth; ++ hd->keep_alive = 0; + + /* For basic authentication we need to send just one request. */ + if (auth_basic +@@ -2574,13 +2575,12 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + httphost ? httphost : server, + port, + authhdr ? authhdr : "", +- auth_basic? "" : "Connection: keep-alive\r\n"); ++ hd->keep_alive? "Connection: keep-alive\r\n" : ""); + if (!request) + { + err = gpg_error_from_syserror (); + goto leave; + } +- hd->keep_alive = !auth_basic; /* We may need to send more requests. */ + + if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP)) + log_debug_string (request, "http.c:proxy:request:"); +@@ -2607,16 +2607,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + if (err) + goto leave; + +- { +- unsigned long count = 0; +- +- while (es_getc (hd->fp_read) != EOF) +- count++; +- if (opt_debug) +- log_debug ("http.c:proxy_connect: skipped %lu bytes of response-body\n", +- count); +- } +- + /* Reset state. */ + es_clearerr (hd->fp_read); + ((cookie_t)(hd->read_cookie))->up_to_empty_line = 1; +-- +2.43.2 + +From 7c7cbd94549d08780fc3767d6de8336b3f44e7d7 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gniibe@fsij.org> +Date: Fri, 16 Feb 2024 16:24:26 +0900 +Subject: [PATCH 3/3] dirmngr: Fix keep-alive flag handling. + +* dirmngr/http.c (run_proxy_connect): Set KEEP_ALIVE if not Basic +Authentication. Fix resource leak of FP_WRITE. + +-- + +GnuPG-bug-id: 6997 +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> +--- + dirmngr/http.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/dirmngr/http.c b/dirmngr/http.c +index 7ce01bacd..da0c89ae5 100644 +--- a/dirmngr/http.c ++++ b/dirmngr/http.c +@@ -2553,7 +2553,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication + */ + auth_basic = !!proxy->uri->auth; +- hd->keep_alive = 0; ++ hd->keep_alive = !auth_basic; /* We may need to send more requests. */ + + /* For basic authentication we need to send just one request. */ + if (auth_basic +@@ -2717,6 +2717,14 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + } + + leave: ++ if (hd->keep_alive) ++ { ++ es_fclose (hd->fp_write); ++ hd->fp_write = NULL; ++ /* The close has released the cookie and thus we better set it ++ * to NULL. */ ++ hd->write_cookie = NULL; ++ } + /* Restore flags, destroy stream, reset state. */ + hd->flags = saved_flags; + es_fclose (hd->fp_read); +-- +2.43.2 + diff --git a/app-crypt/gnupg/files/gpg-agent-browser.socket b/app-crypt/gnupg/files/gpg-agent-browser.socket new file mode 100644 index 000000000000..bc8d344e1f2d --- /dev/null +++ b/app-crypt/gnupg/files/gpg-agent-browser.socket @@ -0,0 +1,13 @@ +[Unit] +Description=GnuPG cryptographic agent and passphrase cache (access for web browsers) +Documentation=man:gpg-agent(1) + +[Socket] +ListenStream=%t/gnupg/S.gpg-agent.browser +FileDescriptorName=browser +Service=gpg-agent.service +SocketMode=0600 +DirectoryMode=0700 + +[Install] +WantedBy=sockets.target diff --git a/app-crypt/gnupg/files/gpg-agent-extra.socket b/app-crypt/gnupg/files/gpg-agent-extra.socket new file mode 100644 index 000000000000..5b87d09dfa2a --- /dev/null +++ b/app-crypt/gnupg/files/gpg-agent-extra.socket @@ -0,0 +1,13 @@ +[Unit] +Description=GnuPG cryptographic agent and passphrase cache (restricted) +Documentation=man:gpg-agent(1) + +[Socket] +ListenStream=%t/gnupg/S.gpg-agent.extra +FileDescriptorName=extra +Service=gpg-agent.service +SocketMode=0600 +DirectoryMode=0700 + +[Install] +WantedBy=sockets.target diff --git a/app-crypt/gnupg/files/gpg-agent-ssh.socket b/app-crypt/gnupg/files/gpg-agent-ssh.socket new file mode 100644 index 000000000000..798c1d967595 --- /dev/null +++ b/app-crypt/gnupg/files/gpg-agent-ssh.socket @@ -0,0 +1,13 @@ +[Unit] +Description=GnuPG cryptographic agent (ssh-agent emulation) +Documentation=man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1) + +[Socket] +ListenStream=%t/gnupg/S.gpg-agent.ssh +FileDescriptorName=ssh +Service=gpg-agent.service +SocketMode=0600 +DirectoryMode=0700 + +[Install] +WantedBy=sockets.target diff --git a/app-crypt/gnupg/files/gpg-agent.service b/app-crypt/gnupg/files/gpg-agent.service new file mode 100644 index 000000000000..a050fccdc527 --- /dev/null +++ b/app-crypt/gnupg/files/gpg-agent.service @@ -0,0 +1,8 @@ +[Unit] +Description=GnuPG cryptographic agent and passphrase cache +Documentation=man:gpg-agent(1) +Requires=gpg-agent.socket + +[Service] +ExecStart=/usr/bin/gpg-agent --supervised +ExecReload=/usr/bin/gpgconf --reload gpg-agent diff --git a/app-crypt/gnupg/files/gpg-agent.socket b/app-crypt/gnupg/files/gpg-agent.socket new file mode 100644 index 000000000000..4257c2c80f18 --- /dev/null +++ b/app-crypt/gnupg/files/gpg-agent.socket @@ -0,0 +1,12 @@ +[Unit] +Description=GnuPG cryptographic agent and passphrase cache +Documentation=man:gpg-agent(1) + +[Socket] +ListenStream=%t/gnupg/S.gpg-agent +FileDescriptorName=std +SocketMode=0600 +DirectoryMode=0700 + +[Install] +WantedBy=sockets.target diff --git a/app-crypt/gnupg/gnupg-2.2.40.ebuild b/app-crypt/gnupg/gnupg-2.2.42-r2.ebuild index 78a2c07f7972..72bb9fe0626a 100644 --- a/app-crypt/gnupg/gnupg-2.2.40.ebuild +++ b/app-crypt/gnupg/gnupg-2.2.42-r2.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2022 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 @@ -9,8 +9,9 @@ EAPI=8 # (find the one for the current release then subscribe to it + # any subsequent ones linked within so you're covered for a while.) -VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnupg.asc -inherit flag-o-matic systemd toolchain-funcs verify-sig +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc +# in-source builds are not supported: https://dev.gnupg.org/T6313#166339 +inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig MY_P="${P/_/-}" @@ -22,36 +23,42 @@ S="${WORKDIR}/${MY_P}" LICENSE="GPL-3+" SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server" RESTRICT="!test? ( test )" # Existence of executables is checked during configuration. # Note: On each bump, update dep bounds on each version from configure.ac! -DEPEND=">=dev-libs/libassuan-2.5.0 +DEPEND=" + >=dev-libs/libassuan-2.5.0 >=dev-libs/libgcrypt-1.8.0:= - >=dev-libs/libgpg-error-1.29 + >=dev-libs/libgpg-error-1.38 >=dev-libs/libksba-1.3.5 >=dev-libs/npth-1.2 >=net-misc/curl-7.10 sys-libs/zlib bzip2? ( app-arch/bzip2 ) ldap? ( net-nds/openldap:= ) - readline? ( sys-libs/readline:0= ) + readline? ( sys-libs/readline:= ) smartcard? ( usb? ( virtual/libusb:1 ) ) - ssl? ( >=net-libs/gnutls-3.0:0= ) - tofu? ( >=dev-db/sqlite-3.7 )" - -RDEPEND="${DEPEND} - app-crypt/pinentry + ssl? ( >=net-libs/gnutls-3.0:= ) + tofu? ( >=dev-db/sqlite-3.7 ) +" +RDEPEND=" + ${DEPEND} nls? ( virtual/libintl ) selinux? ( sec-policy/selinux-gpg ) - wks-server? ( virtual/mta )" - -BDEPEND="virtual/pkgconfig + wks-server? ( virtual/mta ) +" +PDEPEND=" + app-crypt/pinentry +" +BDEPEND=" + virtual/pkgconfig doc? ( sys-apps/texinfo ) nls? ( sys-devel/gettext ) - verify-sig? ( sec-keys/openpgp-keys-gnupg )" + verify-sig? ( sec-keys/openpgp-keys-gnupg ) +" DOCS=( ChangeLog NEWS README THANKS TODO VERSION @@ -60,7 +67,7 @@ DOCS=( PATCHES=( "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch - "${FILESDIR}"/${P}-fix-no-ldap-build.patch + "${FILESDIR}"/${PN}-2.2.42-bug923248-insecure-backup.patch ) src_prepare() { @@ -76,7 +83,10 @@ src_prepare() { -i doc/examples/systemd-user/gpg-agent-ssh.socket || die } -src_configure() { +my_src_configure() { + # Upstream don't support LTO, bug #854222. + filter-lto + local myconf=( $(use_enable bzip2) $(use_enable nls) @@ -89,7 +99,17 @@ src_configure() { $(use_enable wks-server wks-tools) $(use_with ldap) $(use_with readline) + + # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist. + # As of GnuPG 2.3, the mailprog substitution is used for the binary called + # by wks-client & wks-server; and if it's autodetected but not not exist at + # build time, then then 'gpg-wks-client --send' functionality will not + # work. This has an unwanted side-effect in stage3 builds: there was a + # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating + # the build where the install guide previously make the user chose the + # logger & mta early in the install. --with-mailprog=/usr/libexec/sendmail + --disable-ntbtls --enable-gpg --enable-gpgsm @@ -107,7 +127,7 @@ src_configure() { if use prefix && use usb; then # bug #649598 - append-cppflags -I"${EPREFIX}/usr/include/libusb-1.0" + append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0" fi # bug #663142 @@ -118,39 +138,27 @@ src_configure() { # glib fails and picks up clang's internal stdint.h causing weird errors tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h - # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist. - # As of GnuPG 2.3, the mailprog substitution is used for the binary called - # by wks-client & wks-server; and if it's autodetected but not not exist at - # build time, then then 'gpg-wks-client --send' functionality will not - # work. This has an unwanted side-effect in stage3 builds: there was a - # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating - # the build where the install guide previously make the user chose the - # logger & mta early in the install. - econf "${myconf[@]}" } -src_compile() { +my_src_compile() { default use doc && emake -C doc html } -src_test() { - # bug #638574 - use tofu && export TESTFLAGS=--parallel +my_src_test() { + export TESTFLAGS="--parallel=$(makeopts_jobs)" default } -src_install() { - default +my_src_install() { + emake DESTDIR="${D}" install - use tools && - dobin \ - tools/{convert-from-106,gpg-check-pattern} \ - tools/{gpg-zip,gpgconf,gpgsplit,lspgpot,mail-signed-keys} \ - tools/make-dns-cert + use tools && dobin \ + tools/{gpg-zip,gpgconf,gpgsplit,gpg-check-pattern} \ + tools/make-dns-cert dosym gpg /usr/bin/gpg2 dosym gpgv /usr/bin/gpgv2 @@ -160,7 +168,15 @@ src_install() { dodir /etc/env.d echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die - use doc && dodoc doc/gnupg.html/* doc/*.png + use doc && dodoc doc/gnupg.html/* +} + +my_src_install_all() { + einstalldocs + + use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot} + + use doc && dodoc doc/*.png systemd_douserunit doc/examples/systemd-user/*.{service,socket} } diff --git a/app-crypt/gnupg/gnupg-2.3.8.ebuild b/app-crypt/gnupg/gnupg-2.2.42-r3.ebuild index d87edc8dcc51..d0937a7079a9 100644 --- a/app-crypt/gnupg/gnupg-2.3.8.ebuild +++ b/app-crypt/gnupg/gnupg-2.2.42-r3.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2022 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 @@ -9,8 +9,9 @@ EAPI=8 # (find the one for the current release then subscribe to it + # any subsequent ones linked within so you're covered for a while.) -VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnupg.asc -inherit flag-o-matic systemd toolchain-funcs verify-sig +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc +# in-source builds are not supported: https://dev.gnupg.org/T6313#166339 +inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig MY_P="${P/_/-}" @@ -22,39 +23,42 @@ S="${WORKDIR}/${MY_P}" LICENSE="GPL-3+" SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server" RESTRICT="!test? ( test )" -REQUIRED_USE="test? ( tofu )" # Existence of executables is checked during configuration. # Note: On each bump, update dep bounds on each version from configure.ac! -DEPEND=">=dev-libs/libassuan-2.5.0 - >=dev-libs/libgcrypt-1.9.1:= - >=dev-libs/libgpg-error-1.41 - >=dev-libs/libksba-1.3.4 +DEPEND=" + >=dev-libs/libassuan-2.5.0 + >=dev-libs/libgcrypt-1.8.0:= + >=dev-libs/libgpg-error-1.38 + >=dev-libs/libksba-1.3.5 >=dev-libs/npth-1.2 >=net-misc/curl-7.10 sys-libs/zlib bzip2? ( app-arch/bzip2 ) ldap? ( net-nds/openldap:= ) - readline? ( sys-libs/readline:0= ) + readline? ( sys-libs/readline:= ) smartcard? ( usb? ( virtual/libusb:1 ) ) - tofu? ( >=dev-db/sqlite-3.27 ) - tpm? ( >=app-crypt/tpm2-tss-2.4.0:= ) - ssl? ( >=net-libs/gnutls-3.0:0= ) + ssl? ( >=net-libs/gnutls-3.0:= ) + tofu? ( >=dev-db/sqlite-3.7 ) " - -RDEPEND="${DEPEND} - app-crypt/pinentry +RDEPEND=" + ${DEPEND} nls? ( virtual/libintl ) selinux? ( sec-policy/selinux-gpg ) - wks-server? ( virtual/mta )" - -BDEPEND="virtual/pkgconfig + wks-server? ( virtual/mta ) +" +PDEPEND=" + app-crypt/pinentry +" +BDEPEND=" + virtual/pkgconfig doc? ( sys-apps/texinfo ) nls? ( sys-devel/gettext ) - verify-sig? ( sec-keys/openpgp-keys-gnupg )" + verify-sig? ( sec-keys/openpgp-keys-gnupg ) +" DOCS=( ChangeLog NEWS README THANKS TODO VERSION @@ -63,7 +67,9 @@ DOCS=( PATCHES=( "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch - "${FILESDIR}"/${PN}-2.2.40-fix-no-ldap-build.patch + "${FILESDIR}"/${P}-bug923248-insecure-backup.patch + "${FILESDIR}"/${P}-dirmngr-proxy.patch + "${FILESDIR}"/${P}-gpgme-tests.patch ) src_prepare() { @@ -79,7 +85,10 @@ src_prepare() { -i doc/examples/systemd-user/gpg-agent-ssh.socket || die } -src_configure() { +my_src_configure() { + # Upstream don't support LTO, bug #854222. + filter-lto + local myconf=( $(use_enable bzip2) $(use_enable nls) @@ -88,15 +97,23 @@ src_configure() { $(use_enable test all-tests) $(use_enable test tests) $(use_enable tofu) - $(use_enable tofu keyboxd) - $(use_enable tofu sqlite) - $(usex tpm '--with-tss=intel' '--disable-tpm2d') $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver') $(use_enable wks-server wks-tools) $(use_with ldap) $(use_with readline) + + # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist. + # As of GnuPG 2.3, the mailprog substitution is used for the binary called + # by wks-client & wks-server; and if it's autodetected but not not exist at + # build time, then then 'gpg-wks-client --send' functionality will not + # work. This has an unwanted side-effect in stage3 builds: there was a + # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating + # the build where the install guide previously make the user chose the + # logger & mta early in the install. --with-mailprog=/usr/libexec/sendmail + --disable-ntbtls + --enable-gpg --enable-gpgsm --enable-large-secmem @@ -123,39 +140,27 @@ src_configure() { # glib fails and picks up clang's internal stdint.h causing weird errors tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h - # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist. - # As of GnuPG 2.3, the mailprog substitution is used for the binary called - # by wks-client & wks-server; and if it's autodetected but not not exist at - # build time, then then 'gpg-wks-client --send' functionality will not - # work. This has an unwanted side-effect in stage3 builds: there was a - # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating - # the build where the install guide previously make the user chose the - # logger & mta early in the install. - econf "${myconf[@]}" } -src_compile() { +my_src_compile() { default use doc && emake -C doc html } -src_test() { - # bug #638574 - use tofu && export TESTFLAGS=--parallel +my_src_test() { + export TESTFLAGS="--parallel=$(makeopts_jobs)" default } -src_install() { - default +my_src_install() { + emake DESTDIR="${D}" install - use tools && - dobin \ - tools/{convert-from-106,gpg-check-pattern} \ - tools/{gpgconf,gpgsplit,lspgpot,mail-signed-keys} \ - tools/make-dns-cert + use tools && dobin \ + tools/{gpg-zip,gpgconf,gpgsplit,gpg-check-pattern} \ + tools/make-dns-cert dosym gpg /usr/bin/gpg2 dosym gpgv /usr/bin/gpgv2 @@ -165,7 +170,15 @@ src_install() { dodir /etc/env.d echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die - use doc && dodoc doc/gnupg.html/* doc/*.png + use doc && dodoc doc/gnupg.html/* +} + +my_src_install_all() { + einstalldocs + + use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot} + + use doc && dodoc doc/*.png systemd_douserunit doc/examples/systemd-user/*.{service,socket} } diff --git a/app-crypt/gnupg/gnupg-2.2.41.ebuild b/app-crypt/gnupg/gnupg-2.2.43.ebuild index 37e68bc395e3..5f121bcb2125 100644 --- a/app-crypt/gnupg/gnupg-2.2.41.ebuild +++ b/app-crypt/gnupg/gnupg-2.2.43.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2022 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 @@ -9,7 +9,7 @@ EAPI=8 # (find the one for the current release then subscribe to it + # any subsequent ones linked within so you're covered for a while.) -VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnupg.asc +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc # in-source builds are not supported: https://dev.gnupg.org/T6313#166339 inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig @@ -23,7 +23,7 @@ S="${WORKDIR}/${MY_P}" LICENSE="GPL-3+" SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server" RESTRICT="!test? ( test )" @@ -32,8 +32,8 @@ RESTRICT="!test? ( test )" DEPEND=" >=dev-libs/libassuan-2.5.0 >=dev-libs/libgcrypt-1.8.0:= - >=dev-libs/libgpg-error-1.29 - >=dev-libs/libksba-1.3.5 + >=dev-libs/libgpg-error-1.38 + >=dev-libs/libksba-1.4.0 >=dev-libs/npth-1.2 >=net-misc/curl-7.10 sys-libs/zlib @@ -46,11 +46,13 @@ DEPEND=" " RDEPEND=" ${DEPEND} - app-crypt/pinentry nls? ( virtual/libintl ) selinux? ( sec-policy/selinux-gpg ) wks-server? ( virtual/mta ) " +PDEPEND=" + app-crypt/pinentry +" BDEPEND=" virtual/pkgconfig doc? ( sys-apps/texinfo ) @@ -81,6 +83,9 @@ src_prepare() { } my_src_configure() { + # Upstream don't support LTO, bug #854222. + filter-lto + local myconf=( $(use_enable bzip2) $(use_enable nls) diff --git a/app-crypt/gnupg/gnupg-2.4.4-r1.ebuild b/app-crypt/gnupg/gnupg-2.4.4-r1.ebuild new file mode 100644 index 000000000000..c89d22b2c153 --- /dev/null +++ b/app-crypt/gnupg/gnupg-2.4.4-r1.ebuild @@ -0,0 +1,193 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +# Maintainers should: +# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/ +# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159 +# (find the one for the current release then subscribe to it + +# any subsequent ones linked within so you're covered for a while.) + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc +# in-source builds are not supported: https://dev.gnupg.org/T6313#166339 +inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig + +MY_P="${P/_/-}" + +DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation" +HOMEPAGE="https://gnupg.org/" +SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2" +SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )" +S="${WORKDIR}/${MY_P}" + +LICENSE="GPL-3+" +SLOT="0" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server" +RESTRICT="!test? ( test )" +REQUIRED_USE="test? ( tofu )" + +# Existence of executables is checked during configuration. +# Note: On each bump, update dep bounds on each version from configure.ac! +DEPEND=" + >=dev-libs/libassuan-2.5.0 + >=dev-libs/libgcrypt-1.9.1:= + >=dev-libs/libgpg-error-1.46 + >=dev-libs/libksba-1.6.3 + >=dev-libs/npth-1.2 + >=net-misc/curl-7.10 + sys-libs/zlib + bzip2? ( app-arch/bzip2 ) + ldap? ( net-nds/openldap:= ) + readline? ( sys-libs/readline:0= ) + smartcard? ( usb? ( virtual/libusb:1 ) ) + tofu? ( >=dev-db/sqlite-3.27 ) + tpm? ( >=app-crypt/tpm2-tss-2.4.0:= ) + ssl? ( >=net-libs/gnutls-3.2:0= ) +" +RDEPEND=" + ${DEPEND} + nls? ( virtual/libintl ) + selinux? ( sec-policy/selinux-gpg ) + wks-server? ( virtual/mta ) +" +PDEPEND=" + app-crypt/pinentry +" +BDEPEND=" + virtual/pkgconfig + doc? ( sys-apps/texinfo ) + nls? ( sys-devel/gettext ) + verify-sig? ( sec-keys/openpgp-keys-gnupg ) +" + +DOCS=( + ChangeLog NEWS README THANKS TODO VERSION + doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER +) + +PATCHES=( + "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch + "${FILESDIR}"/${P}-dirmngr-proxy.patch #924606 +) + +src_prepare() { + default + + GNUPG_SYSTEMD_UNITS=( + dirmngr.service + dirmngr.socket + gpg-agent-browser.socket + gpg-agent-extra.socket + gpg-agent.service + gpg-agent.socket + gpg-agent-ssh.socket + ) + + cp "${GNUPG_SYSTEMD_UNITS[@]/#/${FILESDIR}/}" "${T}" || die + + # Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode, + # idea borrowed from libdbus, see + # https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6 + # + # This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl', + # which in turn requires discovery in Autoconf, something that upstream deeply resents. + sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \ + -i "${T}"/gpg-agent-ssh.socket || die +} + +my_src_configure() { + # Upstream don't support LTO, bug #854222. + filter-lto + + local myconf=( + $(use_enable bzip2) + $(use_enable nls) + $(use_enable smartcard scdaemon) + $(use_enable ssl gnutls) + $(use_enable test all-tests) + $(use_enable test tests) + $(use_enable tofu) + $(use_enable tofu keyboxd) + $(use_enable tofu sqlite) + $(usex tpm '--with-tss=intel' '--disable-tpm2d') + $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver') + $(use_enable wks-server wks-tools) + $(use_with ldap) + $(use_with readline) + + # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist. + # As of GnuPG 2.3, the mailprog substitution is used for the binary called + # by wks-client & wks-server; and if it's autodetected but not not exist at + # build time, then then 'gpg-wks-client --send' functionality will not + # work. This has an unwanted side-effect in stage3 builds: there was a + # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating + # the build where the install guide previously make the user chose the + # logger & mta early in the install. + --with-mailprog=/usr/libexec/sendmail + + --disable-ntbtls + --enable-gpgsm + --enable-large-secmem + + CC_FOR_BUILD="$(tc-getBUILD_CC)" + ac_cv_path_GPGRT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpgrt-config" + + $("${S}/configure" --help | grep -o -- '--without-.*-prefix') + ) + + if use prefix && use usb; then + # bug #649598 + append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0" + fi + + # bug #663142 + if use user-socket; then + myconf+=( --enable-run-gnupg-user-socket ) + fi + + # glib fails and picks up clang's internal stdint.h causing weird errors + tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h + + econf "${myconf[@]}" +} + +my_src_compile() { + default + + use doc && emake -C doc html +} + +my_src_test() { + export TESTFLAGS="--parallel=$(makeopts_jobs)" + + default +} + +my_src_install() { + emake DESTDIR="${D}" install + + use tools && dobin tools/{gpgconf,gpgsplit,gpg-check-pattern} tools/make-dns-cert + + dosym gpg /usr/bin/gpg2 + dosym gpgv /usr/bin/gpgv2 + echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die + echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die + + dodir /etc/env.d + echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die + + use doc && dodoc doc/gnupg.html/* +} + +my_src_install_all() { + einstalldocs + + use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot} + use doc && dodoc doc/*.png + + # Dropped upstream in https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed. + dodoc "${FILESDIR}"/README-systemd + systemd_douserunit "${GNUPG_SYSTEMD_UNITS[@]/#/${T}/}" +} diff --git a/app-crypt/gnupg/gnupg-2.4.0.ebuild b/app-crypt/gnupg/gnupg-2.4.5.ebuild index 8c58fb2730da..65e00a4fa826 100644 --- a/app-crypt/gnupg/gnupg-2.4.0.ebuild +++ b/app-crypt/gnupg/gnupg-2.4.5.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2022 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 @@ -9,7 +9,7 @@ EAPI=8 # (find the one for the current release then subscribe to it + # any subsequent ones linked within so you're covered for a while.) -VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnupg.asc +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc # in-source builds are not supported: https://dev.gnupg.org/T6313#166339 inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig @@ -23,7 +23,7 @@ S="${WORKDIR}/${MY_P}" LICENSE="GPL-3+" SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server" RESTRICT="!test? ( test )" REQUIRED_USE="test? ( tofu )" @@ -44,15 +44,17 @@ DEPEND=" smartcard? ( usb? ( virtual/libusb:1 ) ) tofu? ( >=dev-db/sqlite-3.27 ) tpm? ( >=app-crypt/tpm2-tss-2.4.0:= ) - ssl? ( >=net-libs/gnutls-3.0:0= ) + ssl? ( >=net-libs/gnutls-3.2:0= ) " RDEPEND=" ${DEPEND} - app-crypt/pinentry nls? ( virtual/libintl ) selinux? ( sec-policy/selinux-gpg ) wks-server? ( virtual/mta ) " +PDEPEND=" + app-crypt/pinentry +" BDEPEND=" virtual/pkgconfig doc? ( sys-apps/texinfo ) @@ -72,6 +74,18 @@ PATCHES=( src_prepare() { default + GNUPG_SYSTEMD_UNITS=( + dirmngr.service + dirmngr.socket + gpg-agent-browser.socket + gpg-agent-extra.socket + gpg-agent.service + gpg-agent.socket + gpg-agent-ssh.socket + ) + + cp "${GNUPG_SYSTEMD_UNITS[@]/#/${FILESDIR}/}" "${T}" || die + # Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode, # idea borrowed from libdbus, see # https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6 @@ -79,10 +93,13 @@ src_prepare() { # This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl', # which in turn requires discovery in Autoconf, something that upstream deeply resents. sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \ - -i doc/examples/systemd-user/gpg-agent-ssh.socket || die + -i "${T}"/gpg-agent-ssh.socket || die } my_src_configure() { + # Upstream don't support LTO, bug #854222. + filter-lto + local myconf=( $(use_enable bzip2) $(use_enable nls) @@ -114,11 +131,7 @@ my_src_configure() { --enable-large-secmem CC_FOR_BUILD="$(tc-getBUILD_CC)" - GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config" - KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config" - LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config" - LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config" - NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config" + ac_cv_path_GPGRT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpgrt-config" $("${S}/configure" --help | grep -o -- '--without-.*-prefix') ) @@ -171,8 +184,9 @@ my_src_install_all() { einstalldocs use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot} - use doc && dodoc doc/*.png - systemd_douserunit doc/examples/systemd-user/*.{service,socket} + # Dropped upstream in https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed. + dodoc "${FILESDIR}"/README-systemd + systemd_douserunit "${GNUPG_SYSTEMD_UNITS[@]/#/${T}/}" } |