authorV3n3RiX <venerix@koprulu.sector>2024-01-29 12:57:49 +0000
committerV3n3RiX <venerix@koprulu.sector>2024-01-29 12:57:49 +0000
commitb2f1788f6f0365b76f55f257b2d170c1e68a8640 (patch)
tree508984ca9480c5d791a38bcd454c260752330cfb /app-crypt/gnupg
parent16fa78787149cbbd73549c6bcda0eec50293ea0e (diff)
gentoo auto-resync : 29:01:2024 - 12:57:49
Diffstat (limited to 'app-crypt/gnupg')
-rw-r--r--app-crypt/gnupg/Manifest7
-rw-r--r--app-crypt/gnupg/files/gnupg-2.2.42-bug923248-insecure-backup.patch292
-rw-r--r--app-crypt/gnupg/gnupg-2.2.42-r2.ebuild (renamed from app-crypt/gnupg/gnupg-2.2.42.ebuild)7
-rw-r--r--app-crypt/gnupg/gnupg-2.4.2-r1.ebuild195
-rw-r--r--app-crypt/gnupg/gnupg-2.4.3.ebuild196
5 files changed, 299 insertions, 398 deletions
diff --git a/app-crypt/gnupg/Manifest b/app-crypt/gnupg/Manifest
index d87cd0735741..c3be33d69d46 100644
--- a/app-crypt/gnupg/Manifest
+++ b/app-crypt/gnupg/Manifest
@@ -2,6 +2,7 @@ AUX README-systemd 2275 BLAKE2B ea3e1bc3f9f0e21c40dbd9b8f4f919b2ff15962145383400
AUX dirmngr.service 212 BLAKE2B 7a3af856305eb4b00929aaf029dd4e5c84376df4f30add76976b9b058addf6fc4d8c39335fc83d11493ea9d8a40f0510dbac8572b99a8c8b9b3a4eca8e585774 SHA512 f0804b1365f1c1a8d9b22a1aaa569145031b4579d1b96ee5964964e08fda73cbcf662cfb64f64c5bafb383a81ed28f158aa60cd997a82ff5117db753c5587a07
AUX dirmngr.socket 204 BLAKE2B 7cf60bfd5eaf1809e0a0eb86efaa8f7f07681e351e9c0cf12127f8b29bd4f989f5fee159e7978343d45112945483b3e7b72ea9c085d00f7ee3bc0480b269b36d SHA512 9495cdc61a9cca3156d4739e5f72c2f7d3a80e45030f1a5ae14cba7f9de98ef7fabd8d40eb18eb8824b792ed03c566e317d36183372cd4245b8bd86b6167d4b5
AUX gnupg-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch 1048 BLAKE2B 36f37b74da309100191f4d8f9c27d08a1b00d2d30fbaf169dbb74ebbe42293357a4fb62332e286fe5725dcfdc30645a602dc2a51c51924b06215b68fd5235658 SHA512 fd12827150e96cd7979ea9611d64ed4ab9e6c61cfecdd697b8fb4d162f20985b734c2bfc365a921809b9029e86a85a9b36c10ec472b3dd49c25ea18f5aef56ce
+AUX gnupg-2.2.42-bug923248-insecure-backup.patch 12385 BLAKE2B af374b2038a6d8628922e433f26dee2cc66c9e031d871947e2a44586cf2183d8a7bc365f1f0cc0cde552eb176d5f580b3aaab5e4a551d0652f10096c5150aa43 SHA512 1dc123f120d95ae77b52b3869bf7abfcaf0cfbfe732f691663b472a6e9bdd20502280527585dda81da4bd03e8194bdd5e72cc2111f24ccf2ce9e476fe474d4cf
AUX gnupg-2.4.2-fix-emacs.patch 16897 BLAKE2B 8d810abf26b4fbc3a6119d5b0b3c8048a82262249b2b61fbfaa01792229d4ac6277cb2b20f8e8b2fac36a201d4c0b8980e6f7c63293d2edbdb379b5d1123112e SHA512 1b2d89c5203cabcc7bdce9e4a665e708d9610e7da347a653e8c60e0a95f95605234ea953ca0ba6eb0157743d231ed52c00240f02a181640aee3b87e963e42322
AUX gnupg-2.4.3-no-ldap.patch 732 BLAKE2B 24ae1b81900dff5b1698dd4260399557e39e68f5ecae5d8012a489a7c63c1d899f586aa0ec19a81464a738fd5362a202423afedad3a9f37ea74819f11eb6f857 SHA512 064e0ea7af889a2c9f7545de21e3999441bc86ad8b01fa092339ea4b5fcffc601b21d37a1d40397afcb21c073f3b075057af2c1fbedd926db3d427acbf8f8657
AUX gpg-agent-browser.socket 298 BLAKE2B 0b08e5e60ced5e09a485506a52c1da35ed6e557fc36021d0c5f5f1ade19e7dd1d67096110eebe7955246eea53f21b2bdc3ab9f3a660ed8be90ab609ce7126008 SHA512 8dfdd132f991be23aa29ea36d2cfbfd36cdd5c3f7243636fb82ee99e5a427eccbdec69d51732ad78b9592a307eb2a0044c413635e03a6cadc94b7719388b86a7
@@ -13,17 +14,13 @@ DIST gnupg-2.2.41.tar.bz2 7313746 BLAKE2B 0be2965a646a8636a127f89329030860908b0b
DIST gnupg-2.2.41.tar.bz2.sig 238 BLAKE2B 7a4dc8dd4b3da77f6684325f46e3e3b1aeac6fcd8382e3148da1a01a5c5a9e14c1352fb28b61e500388d647e1103b8f78ad49e467e01b732c4a13eb849859b98 SHA512 ac6edd35c6b02a02d6c8a4468332213f20159f972aa2f7fd25c6841c662b3d84db5230330d540e0785ddaff080daf8dd250292104ff47560ad59c11803aabefa
DIST gnupg-2.2.42.tar.bz2 7434291 BLAKE2B 5f7f01f31949e5258d638fbff81fa641e5c167e6eaf32c55eb187d4a31b31cd4fe6e51c622e74d8544c4f95c75484e15117f26a8cf26055ff6813d75e54f2b8a SHA512 9c59d034f428d42323b5520e1a8984acc1505ba1d96d90f00e17b24aa91660b2dc64e1a3ceb044c56f39b4c402a77c7e0b226c65218c23c094781b4ef51e2eb5
DIST gnupg-2.2.42.tar.bz2.sig 238 BLAKE2B 251ad0a832042ceb93b0edfda8652104bfb463e291322f22f0ab0d9b35606c3589be7a6f3e9e2aac8f6ac368a7d11840ab83b29997587dc65685de9f2dec3fee SHA512 7073bfc920c571680a1de57b4e6cd83cde24ccb3b5f592602b0c32fd762eef497027b08745044c9f41130ca99bb7ec77222568c2d0a1099d3c1c15137e0221d7
-DIST gnupg-2.4.2.tar.bz2 7346587 BLAKE2B 7a5aecca25d87f5f531576c8db1629908d97381bc75f69c228ebf7f06f2234ff847e631ad2b4ff35772e0905648b291e79816a4a274616fda5157bd6a88319a2 SHA512 64076146c735adeaf176dab432b13b1314bfb588eb97ba1081c26ae32647d2b099e62f02bb1c66ce672ff1146d1fb9a389cdd17e7b9c2ec674ff1dccb7f46a8e
-DIST gnupg-2.4.2.tar.bz2.sig 119 BLAKE2B da10bc6d93e5bd96572d6e03b99595eb3f3a5e2e53767a235f9e28878a294e6f444c5cee3a44579f6593582e5c4d85e99e963f2eb7ad2d64aa3a54136c39ffef SHA512 d08cb718a8656efb922f2591ec295e678687fe5f3a26459498952d28f4eea4f8368ea896c2908f58e3d3d8ea49faf865a1c146dda1b24f15bf8d37dce3eac868
DIST gnupg-2.4.3.tar.bz2 7351327 BLAKE2B b7f4f5e548ec6dfc89cf8792f507ee8642e8500692998cf8d2edc9f5d8002904d24a714b9caffabee6094707c4595e0f54197535135622a7a32aa772f5818f28 SHA512 193a9398445272ec3eb5b79e802efb7414f74bcfffc3db0bf72c0056e04228120c419ed91db168e5733a16a33e548bab5368dd9cf11ecd483825bce189341a1e
DIST gnupg-2.4.3.tar.bz2.sig 119 BLAKE2B 763c0569e5378e132de39e1583c19bae8912455bf7cd5a65bcfc88fa43be99fb6bbf8397192b3086db2f6f0f63fc25789f5e6ce98b2fe63cda3bf673b1c60a20 SHA512 7affff694d194c3befdfc865a7872c0883304ea704e3691eac328d802f12f4f82c2a93eaa1257d3e09b38494b38185f5b8cf35c964f0c3846bbb29b93727ffee
DIST gnupg-2.4.4.tar.bz2 7886036 BLAKE2B 02661e89f0358be09fa3e71e7235b764a7dbda62a48a0c8c7a4e6c9919c3b37d54ead50b930af58f8f2fdb87861b849d3f3751e95cbedf46bdfd76caa90c4db4 SHA512 3d1a3b08d1ce2319d238d8be96591e418ede1dc0b4ede33a4cc2fe40e9c56d5bbc27b1984736d8a786e7f292ddbc836846a8bdb4bf89f064e953c37cb54b94ef
DIST gnupg-2.4.4.tar.bz2.sig 237 BLAKE2B 6ee5878c36fbec747a6d84a268903749d862aab50dd7f9a389aabbf7b94dec1c424615f520b5f4a6d44e02093e8d9ad0b08d0c6cf6fd8886d8c174ce9faac99c SHA512 3ae7b6833576df851901a7619459b514bb82faeed350c864a57a782719d21f694d9ced5a3445c81dfa584a0302f87fedc660b08ea97bb8b861e76d7c5b46d07f
EBUILD gnupg-2.2.41.ebuild 5565 BLAKE2B fdb0c920af7a13bd25a23e4ed5e0561f385b49520e737cf3d3a8f6a646fd94ae022245772ef8bcfcc86fcb84c381dd51485ec5457abfdda67998586922a13926 SHA512 9070ca445e56d9b61bec036d7d735de5e18f7247fef9904b1ada678150b7eb588dadf2053fceef6eefafa8eb7de7133fdbf3dede5dacdb623d1ba7d8eb78f43f
EBUILD gnupg-2.2.42-r1.ebuild 5585 BLAKE2B b93ce0f9bd50af4ca60fd022abd469d7e01128893a284e03d4d58ea30c8931b111cd0bc78136033e6a7c92c1e7bf3e958ac246ee91c306462b91337136975041 SHA512 e5f97fa30968480420ba9f5107ed1db8d6e1112886f81e735a382a61a0945ac0529c7cca891d226818cfc2cf3574f042358eb058e55cd2dc064c46ef04e34bb3
-EBUILD gnupg-2.2.42.ebuild 5573 BLAKE2B 2dfb8618986098b10e8f497999ccff4137524151f524f3c5a08d98b15ea4b3d457acc157b3835deb70b1d34693aaba6585a8ff0d3301ae798ff35d2ca28fc62a SHA512 5ddfca7f67b9ea52c2179158fee296a3e301d7ade2f81426279c1917e903cd10722bd52a017233d3c0f9f1f1af017f4d4494239fe4845ad519d9463d147b25aa
-EBUILD gnupg-2.4.2-r1.ebuild 6155 BLAKE2B b5473cb1669e7862516d5c26b91610a923f9fb6fbf85655e2036538624d46873ca19f68f891944e297008fda8f17ae530eb8fcf33edffbe1e2e44c53028020ee SHA512 99eafa14f822ab0b6e3ec7c4939e1900cc844f6dbaf32d81a774b4563ae8bbe8331ddf2a6af823bab82bb9c943ea74e1252af7ff867de0fcee76ca893283670a
+EBUILD gnupg-2.2.42-r2.ebuild 5645 BLAKE2B 612217717538cd7c769e6cf86c79d9a58be75bb4f19708a2d60c67fb72629ed53b6bc63fd1a1665b30dbdbe656633966c2e2b3126e36d5a0c303a85b73530d9e SHA512 2f753255c4fc3a30b359a30566d9d54e8247e840eb06c7d1b81b70e1f970b3954057155ce426e3686499fb022cd95782665f874d89ecc8419b359baec03d525d
EBUILD gnupg-2.4.3-r1.ebuild 6201 BLAKE2B 24a6e7d1c0bbbb544487e2bd6b30b052a352b16ef7c1bcaa1587964a4eb883407edc393a0548f7fe2b3ee60257b1dc0bd48cd9c4398fdc6ca228521b5fc8bef7 SHA512 5a084293031b6d186fc948001142d72430dbfca819a61e611c8a268dabf4afe15c25c57f7cd2dde506dc4da05dfe482d5a8e180b46556c90d518c097c057be30
-EBUILD gnupg-2.4.3.ebuild 6189 BLAKE2B 2ad8e3f5f553263f2e1a63c15acdf145cf3840a34e3b52344561e40140ce42c166ce2099d94015e13b0600f1611a33474032e20e47059a2f12acf86fed05afba SHA512 356800d6699398512cb6e4906dee5c724ad34a82afd4489707cb63d41f18424fc904b5cf558fb7c1adc99ae934daf08ca2f1fc8c3275cc190d1882bef4b24c43
EBUILD gnupg-2.4.4.ebuild 6210 BLAKE2B 587a3c4651ca0a71988067b0c41e649614de1459bf504f802f613cb40c9e613763286b6f6156fccd365d0013d536b4e450f95a13f61e709d337cd44755be4e8a SHA512 e3534902f01a42e772c60f4f8e0f5b9e80196f49a12b326321c7a4756614a0f1184ddb173a026601c59ca69fecc3c797212c22a512577e92ba28857afd001419
MISC metadata.xml 1189 BLAKE2B dae783678abfe0bae095970d96d952f591a569debad411708d29a2f128c6a291b73a33ee0b3491a6a5ec44c11f56d33c1531022e0ef9eaad3326c9cd0f79e3fb SHA512 bc7d6a9ceda213c134d9afc527fe0b0c87a4886a171b7a1e1f662f3978fec5e71323bae4c9f3882e1d763d5738446f161265070a8e513a59fa62ef0f792e9fa5
diff --git a/app-crypt/gnupg/files/gnupg-2.2.42-bug923248-insecure-backup.patch b/app-crypt/gnupg/files/gnupg-2.2.42-bug923248-insecure-backup.patch
new file mode 100644
index 000000000000..76d6d94c40b1
--- /dev/null
+++ b/app-crypt/gnupg/files/gnupg-2.2.42-bug923248-insecure-backup.patch
@@ -0,0 +1,292 @@
+https://bugs.gentoo.org/923248
+https://dev.gnupg.org/T6944
+https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=3b69d8bf7146b8d10737d0cfea9c97affc60ad73
+
+From 3b69d8bf7146b8d10737d0cfea9c97affc60ad73 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Wed, 24 Jan 2024 11:29:24 +0100
+Subject: [PATCH] gpg: Fix leftover unprotected card backup key.
+
+* agent/command.c (cmd_learn): Add option --reallyforce.
+* agent/findkey.c (agent_write_private_key): Implement reallyforce.
+Also add arg reallyforce and pass it along the call chain.
+
+* g10/call-agent.c (agent_scd_learn): Pass --reallyforce with a
+special force value.
+* g10/keygen.c (card_store_key_with_backup): Use that force value.
+--
+
+This was a regression in 2.2.42. We took the easy path to fix it by
+getting the behaviour back to what we did prior to 2.2.42. With GnuPG
+2.4.4 we use an entire different and safer approach by introducing an
+ephemeral private key store.
+
+GnuPG-bug-id: 6944
+--- a/agent/agent.h
++++ b/agent/agent.h
+@@ -422,7 +422,8 @@ void start_command_handler_ssh (ctrl_t, gnupg_fd_t);
+ gpg_error_t agent_modify_description (const char *in, const char *comment,
+ const gcry_sexp_t key, char **result);
+ int agent_write_private_key (const unsigned char *grip,
+- const void *buffer, size_t length, int force,
++ const void *buffer, size_t length,
++ int force, int reallyforce,
+ const char *serialno, const char *keyref,
+ const char *dispserialno, time_t timestamp);
+ gpg_error_t agent_key_from_file (ctrl_t ctrl,
+@@ -548,6 +549,7 @@ gpg_error_t s2k_hash_passphrase (const char *passphrase, int hashalgo,
+ gpg_error_t agent_write_shadow_key (const unsigned char *grip,
+ const char *serialno, const char *keyid,
+ const unsigned char *pkbuf, int force,
++ int reallyforce,
+ const char *dispserialno);
+
+
+@@ -628,7 +630,8 @@ void agent_card_killscd (void);
+
+
+ /*-- learncard.c --*/
+-int agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, int force);
++int agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context,
++ int force, int reallyforce);
+
+
+ /*-- cvt-openpgp.c --*/
+--- a/agent/command-ssh.c
++++ b/agent/command-ssh.c
+@@ -2499,7 +2499,7 @@ card_key_available (ctrl_t ctrl, gcry_sexp_t *r_pk, char **cardsn)
+
+ /* (Shadow)-key is not available in our key storage. */
+ agent_card_getattr (ctrl, "$DISPSERIALNO", &dispserialno);
+- err = agent_write_shadow_key (grip, serialno, authkeyid, pkbuf, 0,
++ err = agent_write_shadow_key (grip, serialno, authkeyid, pkbuf, 0, 0,
+ dispserialno);
+ xfree (dispserialno);
+ if (err)
+@@ -3159,7 +3159,7 @@ ssh_identity_register (ctrl_t ctrl, ssh_key_type_spec_t *spec,
+
+ /* Store this key to our key storage. We do not store a creation
+ * timestamp because we simply do not know. */
+- err = agent_write_private_key (key_grip_raw, buffer, buffer_n, 0,
++ err = agent_write_private_key (key_grip_raw, buffer, buffer_n, 0, 0,
+ NULL, NULL, NULL, 0);
+ if (err)
+ goto out;
+--- a/agent/command.c
++++ b/agent/command.c
+@@ -1042,7 +1042,7 @@ cmd_readkey (assuan_context_t ctx, char *line)
+ /* Shadow-key is or is not available in our key storage. In
+ * any case we need to check whether we need to update with
+ * a new display-s/n or whatever. */
+- rc = agent_write_shadow_key (grip, serialno, keyid, pkbuf, 0,
++ rc = agent_write_shadow_key (grip, serialno, keyid, pkbuf, 0, 0,
+ dispserialno);
+ if (rc)
+ goto leave;
+@@ -1855,16 +1855,18 @@ cmd_learn (assuan_context_t ctx, char *line)
+ {
+ ctrl_t ctrl = assuan_get_pointer (ctx);
+ gpg_error_t err;
+- int send, sendinfo, force;
++ int send, sendinfo, force, reallyforce;
+
+ send = has_option (line, "--send");
+ sendinfo = send? 1 : has_option (line, "--sendinfo");
+ force = has_option (line, "--force");
++ reallyforce = has_option (line, "--reallyforce");
+
+ if (ctrl->restricted)
+ return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));
+
+- err = agent_handle_learn (ctrl, send, sendinfo? ctx : NULL, force);
++ err = agent_handle_learn (ctrl, send, sendinfo? ctx : NULL,
++ force, reallyforce);
+ return leave_cmd (ctx, err);
+ }
+
+@@ -2427,11 +2429,11 @@ cmd_import_key (assuan_context_t ctx, char *line)
+ err = agent_protect (key, passphrase, &finalkey, &finalkeylen,
+ ctrl->s2k_count);
+ if (!err)
+- err = agent_write_private_key (grip, finalkey, finalkeylen, force,
++ err = agent_write_private_key (grip, finalkey, finalkeylen, force, 0,
+ NULL, NULL, NULL, opt_timestamp);
+ }
+ else
+- err = agent_write_private_key (grip, key, realkeylen, force,
++ err = agent_write_private_key (grip, key, realkeylen, force, 0,
+ NULL, NULL, NULL, opt_timestamp);
+
+ leave:
+--- a/agent/cvt-openpgp.c
++++ b/agent/cvt-openpgp.c
+@@ -1070,7 +1070,7 @@ convert_from_openpgp_native (ctrl_t ctrl,
+ &protectedkey, &protectedkeylen,
+ ctrl->s2k_count))
+ agent_write_private_key (grip, protectedkey, protectedkeylen,
+- 1/*force*/, NULL, NULL, NULL, 0);
++ 1/*force*/, 0, NULL, NULL, NULL, 0);
+ xfree (protectedkey);
+ }
+ else
+@@ -1079,7 +1079,7 @@ convert_from_openpgp_native (ctrl_t ctrl,
+ agent_write_private_key (grip,
+ *r_key,
+ gcry_sexp_canon_len (*r_key, 0, NULL,NULL),
+- 1/*force*/, NULL, NULL, NULL, 0);
++ 1/*force*/, 0, NULL, NULL, NULL, 0);
+ }
+ }
+
+--- a/agent/findkey.c
++++ b/agent/findkey.c
+@@ -82,7 +82,8 @@ fname_from_keygrip (const unsigned char *grip, int for_new)
+ * recorded as creation date. */
+ int
+ agent_write_private_key (const unsigned char *grip,
+- const void *buffer, size_t length, int force,
++ const void *buffer, size_t length,
++ int force, int reallyforce,
+ const char *serialno, const char *keyref,
+ const char *dispserialno,
+ time_t timestamp)
+@@ -165,10 +166,13 @@ agent_write_private_key (const unsigned char *grip,
+ /* Check that we do not update a regular key with a shadow key. */
+ if (is_regular && gpg_err_code (is_shadowed_key (key)) == GPG_ERR_TRUE)
+ {
+- log_info ("updating regular key file '%s'"
+- " by a shadow key inhibited\n", oldfname);
+- err = 0; /* Simply ignore the error. */
+- goto leave;
++ if (!reallyforce)
++ {
++ log_info ("updating regular key file '%s'"
++ " by a shadow key inhibited\n", oldfname);
++ err = 0; /* Simply ignore the error. */
++ goto leave;
++ }
+ }
+ /* Check that we update a regular key only in force mode. */
+ if (is_regular && !force)
+@@ -1704,12 +1708,13 @@ agent_delete_key (ctrl_t ctrl, const char *desc_text,
+ * Shadow key is created by an S-expression public key in PKBUF and
+ * card's SERIALNO and the IDSTRING. With FORCE passed as true an
+ * existing key with the given GRIP will get overwritten. If
+- * DISPSERIALNO is not NULL the human readable s/n will also be
+- * recorded in the key file. */
++ * REALLYFORCE is also true, even a private key will be overwritten by
++ * a shadown key. If DISPSERIALNO is not NULL the human readable s/n
++ * will also be recorded in the key file. */
+ gpg_error_t
+ agent_write_shadow_key (const unsigned char *grip,
+ const char *serialno, const char *keyid,
+- const unsigned char *pkbuf, int force,
++ const unsigned char *pkbuf, int force, int reallyforce,
+ const char *dispserialno)
+ {
+ gpg_error_t err;
+@@ -1737,7 +1742,7 @@ agent_write_shadow_key (const unsigned char *grip,
+ }
+
+ len = gcry_sexp_canon_len (shdkey, 0, NULL, NULL);
+- err = agent_write_private_key (grip, shdkey, len, force,
++ err = agent_write_private_key (grip, shdkey, len, force, reallyforce,
+ serialno, keyid, dispserialno, 0);
+ xfree (shdkey);
+ if (err)
+--- a/agent/genkey.c
++++ b/agent/genkey.c
+@@ -69,7 +69,7 @@ store_key (gcry_sexp_t private, const char *passphrase, int force,
+ buf = p;
+ }
+
+- rc = agent_write_private_key (grip, buf, len, force,
++ rc = agent_write_private_key (grip, buf, len, force, 0,
+ NULL, NULL, NULL, timestamp);
+ xfree (buf);
+ return rc;
+--- a/agent/learncard.c
++++ b/agent/learncard.c
+@@ -297,9 +297,12 @@ send_cert_back (ctrl_t ctrl, const char *id, void *assuan_context)
+ }
+
+ /* Perform the learn operation. If ASSUAN_CONTEXT is not NULL and
+- SEND is true all new certificates are send back via Assuan. */
++ SEND is true all new certificates are send back via Assuan. If
++ REALLYFORCE is true a private key will be overwritten by a stub
++ key. */
+ int
+-agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, int force)
++agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context,
++ int force, int reallyforce)
+ {
+ int rc;
+ struct kpinfo_cb_parm_s parm;
+@@ -414,7 +417,7 @@ agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, int force)
+
+ agent_card_getattr (ctrl, "$DISPSERIALNO", &dispserialno);
+ rc = agent_write_shadow_key (grip, serialno, item->id, pubkey,
+- force, dispserialno);
++ force, reallyforce, dispserialno);
+ xfree (dispserialno);
+ }
+ xfree (pubkey);
+--- a/agent/protect-tool.c
++++ b/agent/protect-tool.c
+@@ -807,13 +807,15 @@ agent_askpin (ctrl_t ctrl,
+ * to stdout. */
+ int
+ agent_write_private_key (const unsigned char *grip,
+- const void *buffer, size_t length, int force,
++ const void *buffer, size_t length,
++ int force, int reallyforce,
+ const char *serialno, const char *keyref,
+ const char *dispserialno, time_t timestamp)
+ {
+ char hexgrip[40+4+1];
+ char *p;
+
++ (void)reallyforce;
+ (void)force;
+ (void)timestamp;
+ (void)serialno;
+--- a/g10/call-agent.c
++++ b/g10/call-agent.c
+@@ -745,6 +745,11 @@ learn_status_cb (void *opaque, const char *line)
+ * card-util.c
+ * keyedit_menu
+ * card_store_key_with_backup (Woth force to remove secret key data)
++ *
++ * If force has the value 2 the --reallyforce option is also used.
++ * This is to make sure the sshadow key overwrites the private key.
++ * Note that this option is gnupg 2.2 specific because since 2.4.4 an
++ * ephemeral private key store is used instead.
+ */
+ int
+ agent_scd_learn (struct agent_card_info_s *info, int force)
+@@ -764,6 +769,7 @@ agent_scd_learn (struct agent_card_info_s *info, int force)
+
+ parm.ctx = agent_ctx;
+ rc = assuan_transact (agent_ctx,
++ force == 2? "LEARN --sendinfo --force --reallyforce" :
+ force ? "LEARN --sendinfo --force" : "LEARN --sendinfo",
+ dummy_data_cb, NULL, default_inq_cb, &parm,
+ learn_status_cb, info);
+--- a/g10/keygen.c
++++ b/g10/keygen.c
+@@ -5201,8 +5201,11 @@ card_store_key_with_backup (ctrl_t ctrl, PKT_public_key *sub_psk,
+ if (err)
+ log_error ("writing card key to backup file: %s\n", gpg_strerror (err));
+ else
+- /* Remove secret key data in agent side. */
+- agent_scd_learn (NULL, 1);
++ {
++ /* Remove secret key data in agent side. We use force 2 here to
++ * allow overwriting of the temporary private key. */
++ agent_scd_learn (NULL, 2);
++ }
+
+ leave:
+ xfree (ecdh_param_str);
+--
+2.30.2
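Review bot: In `card_store_key_with_backup` (g10/keygen.c) the result of `agent_scd_learn (NULL, 2)` is discarded, and on the agent side the inhibited branch in `agent_write_private_key` still ends in `err = 0; /* Simply ignore the error. */`, so gpg has no way to learn whether the unprotected temporary key was really replaced by the card stub. That matters on upgrade: a gpg-agent still running from the unpatched 2.2.42 has no `has_option (line, "--reallyforce")`, and since `cmd_learn` only tests option presence rather than rejecting unknown ones, such an agent would presumably keep the private key on disk without any diagnostic. Because this file is a verbatim upstream backport I would not diverge from it here, but the Gentoo side should tell users to restart the agent (`gpgconf --kill gpg-agent`) after installing -r2, and the comment above the call would be more honest as `/* Replace the temporary private key by a card stub. Note: the agent reports success even when it refused (inhibited or pre-2.2.42-r2 agent), see agent_write_private_key. */`. The enclosing `card_store_key_with_backup` continues past the hunk.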
diff --git a/app-crypt/gnupg/gnupg-2.2.42.ebuild b/app-crypt/gnupg/gnupg-2.2.42-r2.ebuild
index 2b5d6e16fdfb..b46257fafc93 100644
--- a/app-crypt/gnupg/gnupg-2.2.42.ebuild
+++ b/app-crypt/gnupg/gnupg-2.2.42-r2.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@@ -46,11 +46,13 @@ DEPEND="
"
RDEPEND="
${DEPEND}
- app-crypt/pinentry
nls? ( virtual/libintl )
selinux? ( sec-policy/selinux-gpg )
wks-server? ( virtual/mta )
"
+PDEPEND="
+ app-crypt/pinentry
+"
BDEPEND="
virtual/pkgconfig
doc? ( sys-apps/texinfo )
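Review bot: The move of `app-crypt/pinentry` from RDEPEND to PDEPEND carries no comment saying why it is a post-merge dependency rather than a hard runtime one, although gpg-agent cannot prompt for passphrases or card PINs without a pinentry. Presumably this breaks a dependency cycle, but the next maintainer cannot tell that from the ebuild and may well move it back. I would record the reason next to the block, e.g. `# PDEPEND, not RDEPEND: gpg-agent needs a pinentry at runtime, but a hard dep would form a cycle`, adjusting the stated reason to the one from the commit that made the change.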
@@ -65,6 +67,7 @@ DOCS=(
PATCHES=(
"${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
+ "${FILESDIR}"/${PN}-2.2.42-bug923248-insecure-backup.patch
)
src_prepare() {
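Review bot: Applying the patch fixes card key generation going forward, but nothing in the ebuild warns users who already generated a smartcard key with backup on 2.2.42 or -r1 that the unprotected private key file the patch subject refers to may still be in their `private-keys-v1.d`, nor that a gpg-agent still running from the old build does not understand the new `--reallyforce` LEARN option and so still leaves that key behind. I would add a `pkg_postinst` with an `ewarn` that says so and tells users to restart the agent; the ebuild continues outside the hunk, so merge this into an existing `pkg_postinst` if there is one. The warning cannot name the affected file because the keygrip is per key, so pointing at the bug is the best it can do.
```shell
pkg_postinst() {
	# bug #923248: gnupg-2.2.42 (without this patch) left the unprotected
	# private key of a card key generated with backup in private-keys-v1.d.
	ewarn "If you generated a smartcard key with backup using gnupg-2.2.42 or 2.2.42-r1,"
	ewarn "an unprotected copy of that key may remain in ~/.gnupg/private-keys-v1.d;"
	ewarn "see https://bugs.gentoo.org/923248. Restart gpg-agent (gpgconf --kill gpg-agent)"
	ewarn "so that the fixed agent is used for future card key generation."
}
```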
diff --git a/app-crypt/gnupg/gnupg-2.4.2-r1.ebuild b/app-crypt/gnupg/gnupg-2.4.2-r1.ebuild
deleted file mode 100644
index 70943660259a..000000000000
--- a/app-crypt/gnupg/gnupg-2.4.2-r1.ebuild
+++ /dev/null
@@ -1,195 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-# Maintainers should:
-# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
-# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
-# (find the one for the current release then subscribe to it +
-# any subsequent ones linked within so you're covered for a while.)
-
-VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
-# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
-inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig
-
-MY_P="${P/_/-}"
-
-DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
-HOMEPAGE="https://gnupg.org/"
-SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
-SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
-S="${WORKDIR}/${MY_P}"
-
-LICENSE="GPL-3+"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
-IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server"
-RESTRICT="!test? ( test )"
-REQUIRED_USE="test? ( tofu )"
-
-# Existence of executables is checked during configuration.
-# Note: On each bump, update dep bounds on each version from configure.ac!
-DEPEND="
- >=dev-libs/libassuan-2.5.0
- >=dev-libs/libgcrypt-1.9.1:=
- >=dev-libs/libgpg-error-1.46
- >=dev-libs/libksba-1.6.3
- >=dev-libs/npth-1.2
- >=net-misc/curl-7.10
- sys-libs/zlib
- bzip2? ( app-arch/bzip2 )
- ldap? ( net-nds/openldap:= )
- readline? ( sys-libs/readline:0= )
- smartcard? ( usb? ( virtual/libusb:1 ) )
- tofu? ( >=dev-db/sqlite-3.27 )
- tpm? ( >=app-crypt/tpm2-tss-2.4.0:= )
- ssl? ( >=net-libs/gnutls-3.0:0= )
-"
-RDEPEND="
- ${DEPEND}
- app-crypt/pinentry
- nls? ( virtual/libintl )
- selinux? ( sec-policy/selinux-gpg )
- wks-server? ( virtual/mta )
-"
-BDEPEND="
- virtual/pkgconfig
- doc? ( sys-apps/texinfo )
- nls? ( sys-devel/gettext )
- verify-sig? ( sec-keys/openpgp-keys-gnupg )
-"
-
-DOCS=(
- ChangeLog NEWS README THANKS TODO VERSION
- doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
-)
-
-PATCHES=(
- "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
- "${FILESDIR}"/${PN}-2.4.2-fix-emacs.patch
-)
-
-src_prepare() {
- default
-
- GNUPG_SYSTEMD_UNITS=(
- dirmngr.service
- dirmngr.socket
- gpg-agent-browser.socket
- gpg-agent-extra.socket
- gpg-agent.service
- gpg-agent.socket
- gpg-agent-ssh.socket
- )
-
- cp "${GNUPG_SYSTEMD_UNITS[@]/#/${FILESDIR}/}" "${T}" || die
-
- # Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
- # idea borrowed from libdbus, see
- # https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
- #
- # This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
- # which in turn requires discovery in Autoconf, something that upstream deeply resents.
- sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
- -i "${T}"/gpg-agent-ssh.socket || die
-}
-
-my_src_configure() {
- # Upstream don't support LTO, bug #854222.
- filter-lto
-
- local myconf=(
- $(use_enable bzip2)
- $(use_enable nls)
- $(use_enable smartcard scdaemon)
- $(use_enable ssl gnutls)
- $(use_enable test all-tests)
- $(use_enable test tests)
- $(use_enable tofu)
- $(use_enable tofu keyboxd)
- $(use_enable tofu sqlite)
- $(usex tpm '--with-tss=intel' '--disable-tpm2d')
- $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
- $(use_enable wks-server wks-tools)
- $(use_with ldap)
- $(use_with readline)
-
- # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
- # As of GnuPG 2.3, the mailprog substitution is used for the binary called
- # by wks-client & wks-server; and if it's autodetected but not not exist at
- # build time, then then 'gpg-wks-client --send' functionality will not
- # work. This has an unwanted side-effect in stage3 builds: there was a
- # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
- # the build where the install guide previously make the user chose the
- # logger & mta early in the install.
- --with-mailprog=/usr/libexec/sendmail
-
- --disable-ntbtls
- --enable-gpgsm
- --enable-large-secmem
-
- CC_FOR_BUILD="$(tc-getBUILD_CC)"
- GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
- KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
- LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
- LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
- NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
-
- $("${S}/configure" --help | grep -o -- '--without-.*-prefix')
- )
-
- if use prefix && use usb; then
- # bug #649598
- append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
- fi
-
- # bug #663142
- if use user-socket; then
- myconf+=( --enable-run-gnupg-user-socket )
- fi
-
- # glib fails and picks up clang's internal stdint.h causing weird errors
- tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
-
- econf "${myconf[@]}"
-}
-
-my_src_compile() {
- default
-
- use doc && emake -C doc html
-}
-
-my_src_test() {
- export TESTFLAGS="--parallel=$(makeopts_jobs)"
-
- default
-}
-
-my_src_install() {
- emake DESTDIR="${D}" install
-
- use tools && dobin tools/{gpgconf,gpgsplit,gpg-check-pattern} tools/make-dns-cert
-
- dosym gpg /usr/bin/gpg2
- dosym gpgv /usr/bin/gpgv2
- echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
- echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
-
- dodir /etc/env.d
- echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
-
- use doc && dodoc doc/gnupg.html/*
-}
-
-my_src_install_all() {
- einstalldocs
-
- use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
- use doc && dodoc doc/*.png
-
- # Dropped upstream in https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed.
- dodoc "${FILESDIR}"/README-systemd
- systemd_douserunit "${GNUPG_SYSTEMD_UNITS[@]/#/${T}/}"
-}
diff --git a/app-crypt/gnupg/gnupg-2.4.3.ebuild b/app-crypt/gnupg/gnupg-2.4.3.ebuild
deleted file mode 100644
index ccf1c8185ea1..000000000000
--- a/app-crypt/gnupg/gnupg-2.4.3.ebuild
+++ /dev/null
@@ -1,196 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-# Maintainers should:
-# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
-# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
-# (find the one for the current release then subscribe to it +
-# any subsequent ones linked within so you're covered for a while.)
-
-VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
-# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
-inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig
-
-MY_P="${P/_/-}"
-
-DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
-HOMEPAGE="https://gnupg.org/"
-SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
-SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
-S="${WORKDIR}/${MY_P}"
-
-LICENSE="GPL-3+"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
-IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server"
-RESTRICT="!test? ( test )"
-REQUIRED_USE="test? ( tofu )"
-
-# Existence of executables is checked during configuration.
-# Note: On each bump, update dep bounds on each version from configure.ac!
-DEPEND="
- >=dev-libs/libassuan-2.5.0
- >=dev-libs/libgcrypt-1.9.1:=
- >=dev-libs/libgpg-error-1.46
- >=dev-libs/libksba-1.6.3
- >=dev-libs/npth-1.2
- >=net-misc/curl-7.10
- sys-libs/zlib
- bzip2? ( app-arch/bzip2 )
- ldap? ( net-nds/openldap:= )
- readline? ( sys-libs/readline:0= )
- smartcard? ( usb? ( virtual/libusb:1 ) )
- tofu? ( >=dev-db/sqlite-3.27 )
- tpm? ( >=app-crypt/tpm2-tss-2.4.0:= )
- ssl? ( >=net-libs/gnutls-3.0:0= )
-"
-RDEPEND="
- ${DEPEND}
- app-crypt/pinentry
- nls? ( virtual/libintl )
- selinux? ( sec-policy/selinux-gpg )
- wks-server? ( virtual/mta )
-"
-BDEPEND="
- virtual/pkgconfig
- doc? ( sys-apps/texinfo )
- nls? ( sys-devel/gettext )
- verify-sig? ( sec-keys/openpgp-keys-gnupg )
-"
-
-DOCS=(
- ChangeLog NEWS README THANKS TODO VERSION
- doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
-)
-
-PATCHES=(
- "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
- "${FILESDIR}"/${PN}-2.4.2-fix-emacs.patch
- "${FILESDIR}"/${P}-no-ldap.patch
-)
-
-src_prepare() {
- default
-
- GNUPG_SYSTEMD_UNITS=(
- dirmngr.service
- dirmngr.socket
- gpg-agent-browser.socket
- gpg-agent-extra.socket
- gpg-agent.service
- gpg-agent.socket
- gpg-agent-ssh.socket
- )
-
- cp "${GNUPG_SYSTEMD_UNITS[@]/#/${FILESDIR}/}" "${T}" || die
-
- # Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
- # idea borrowed from libdbus, see
- # https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
- #
- # This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
- # which in turn requires discovery in Autoconf, something that upstream deeply resents.
- sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
- -i "${T}"/gpg-agent-ssh.socket || die
-}
-
-my_src_configure() {
- # Upstream don't support LTO, bug #854222.
- filter-lto
-
- local myconf=(
- $(use_enable bzip2)
- $(use_enable nls)
- $(use_enable smartcard scdaemon)
- $(use_enable ssl gnutls)
- $(use_enable test all-tests)
- $(use_enable test tests)
- $(use_enable tofu)
- $(use_enable tofu keyboxd)
- $(use_enable tofu sqlite)
- $(usex tpm '--with-tss=intel' '--disable-tpm2d')
- $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
- $(use_enable wks-server wks-tools)
- $(use_with ldap)
- $(use_with readline)
-
- # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
- # As of GnuPG 2.3, the mailprog substitution is used for the binary called
- # by wks-client & wks-server; and if it's autodetected but not not exist at
- # build time, then then 'gpg-wks-client --send' functionality will not
- # work. This has an unwanted side-effect in stage3 builds: there was a
- # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
- # the build where the install guide previously make the user chose the
- # logger & mta early in the install.
- --with-mailprog=/usr/libexec/sendmail
-
- --disable-ntbtls
- --enable-gpgsm
- --enable-large-secmem
-
- CC_FOR_BUILD="$(tc-getBUILD_CC)"
- GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
- KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
- LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
- LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
- NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
-
- $("${S}/configure" --help | grep -o -- '--without-.*-prefix')
- )
-
- if use prefix && use usb; then
- # bug #649598
- append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
- fi
-
- # bug #663142
- if use user-socket; then
- myconf+=( --enable-run-gnupg-user-socket )
- fi
-
- # glib fails and picks up clang's internal stdint.h causing weird errors
- tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
-
- econf "${myconf[@]}"
-}
-
-my_src_compile() {
- default
-
- use doc && emake -C doc html
-}
-
-my_src_test() {
- export TESTFLAGS="--parallel=$(makeopts_jobs)"
-
- default
-}
-
-my_src_install() {
- emake DESTDIR="${D}" install
-
- use tools && dobin tools/{gpgconf,gpgsplit,gpg-check-pattern} tools/make-dns-cert
-
- dosym gpg /usr/bin/gpg2
- dosym gpgv /usr/bin/gpgv2
- echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
- echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
-
- dodir /etc/env.d
- echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
-
- use doc && dodoc doc/gnupg.html/*
-}
-
-my_src_install_all() {
- einstalldocs
-
- use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
- use doc && dodoc doc/*.png
-
- # Dropped upstream in https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed.
- dodoc "${FILESDIR}"/README-systemd
- systemd_douserunit "${GNUPG_SYSTEMD_UNITS[@]/#/${T}/}"
-}