1 |
commit: a12f7eafa84c6cb0cf6d643c55ef027f33b8147e |
2 |
Author: Kristian Fiskerstrand <k_f <AT> gentoo <DOT> org> |
3 |
AuthorDate: Fri Aug 11 16:15:46 2017 +0000 |
4 |
Commit: Kristian Fiskerstrand <k_f <AT> gentoo <DOT> org> |
5 |
CommitDate: Fri Aug 11 16:48:26 2017 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a12f7eaf |
7 |
|
8 |
app-crypt/gnupg: New upstream version 2.1.23 |
9 |
|
10 |
Reverting to default of no --auto-key-retrieve as this has information |
11 |
leak potential that should not be enabled in default configuration. The |
12 |
change is also reverted upstream |
13 |
|
14 |
Package-Manager: Portage-2.3.6, Repoman-2.3.1 |
15 |
|
16 |
app-crypt/gnupg/Manifest | 1 + |
17 |
....1.23-gpg-default-to-no-auto-key-retrieve.patch | 71 ++++++++++++ |
18 |
app-crypt/gnupg/gnupg-2.1.23.ebuild | 124 +++++++++++++++++++++ |
19 |
3 files changed, 196 insertions(+) |
20 |
|
21 |
diff --git a/app-crypt/gnupg/Manifest b/app-crypt/gnupg/Manifest |
22 |
index 77cdbd2968f..07c1872aeaf 100644 |
23 |
--- a/app-crypt/gnupg/Manifest |
24 |
+++ b/app-crypt/gnupg/Manifest |
25 |
@@ -2,3 +2,4 @@ DIST gnupg-1.4.21.tar.bz2 3689305 SHA256 6b47a3100c857dcab3c60e6152e56a997f2c786 |
26 |
DIST gnupg-2.1.15.tar.bz2 5723689 SHA256 c28c1a208f1b8ad63bdb6b88d252f6734ff4d33de6b54e38494b11d49e00ffdd SHA512 69c943e853e1a37e8b17b3bc34e1503f14bc8f189fa9f3ac6644bcc98ccce6eaef64da20ff9dd1c8de3a7789ea577167984ccf3ac286cac50752e6f7c2f42ab1 WHIRLPOOL 4c5a8cd4e8b7196f4a355ce7739cf6e23c43817414e10bbba219117e4e51c4c618ffb5dbce27cb836a2171eda58e003d5ddf78d4af09a813c2a1729963413151 |
27 |
DIST gnupg-2.1.20.tar.bz2 6456128 SHA256 24cf9a69369be64a9f6f8cc11a1be33ab7780ad77a6a1b93719438f49f69960d SHA512 14a9890bc64e143f87cff121dd298d490d78dbd34e36883e0f25763ff9064e5706a7632893d7c5d0e8e9b8cf9cdb0d378b4ce1715348729f0fc080455b61eca9 WHIRLPOOL fa6cbd66031cac41db308b10bebec87e37a19d3c63219d22fb874d7d016bcad057b93eeece7a64001718ee1f881199e3d3eebc8ef6625691f553b0d2dbc92624 |
28 |
DIST gnupg-2.1.22.tar.bz2 6530433 SHA256 46716faf9e1b92cfca86609f3bfffbf5bb4b6804df90dc853ff7061cfcfb4ad7 SHA512 d2ccbf32716a701df9e4ad5c19b682daf1a02b0bf8a1751a32af6db0c9284a4ee7df91310bed1a2087911a9964cb7b7f2ca9dad32a880ed1e1465d8048605e16 WHIRLPOOL 3a87914898e2f164f7effa67e0e8f5ccb48aed0e9e4d65559d73783478ee509f7876ef7ef77ec9c43de2611a8a2ecdcbfbd443ab5de119203b20e316473e4e75 |
29 |
+DIST gnupg-2.1.23.tar.bz2 6526734 SHA256 a94476391595e9351f219188767a9d6ea128e83be5ed3226a7890f49aa2d0d77 SHA512 8b8be0784129f5aa0ccde32a413a68c36e0e4131abe70c3eb186958c60f3df1023deb2db2db84d63ad30a3408a75c7622b430aff1a524ff28a24be511c952412 WHIRLPOOL deb4e933108e0a77b941ed95732eab2ee77af175bd776f3f5dbd25bb38b37dcdf09ae8eee7cd39a09883c3757b81688e48b5a07d6f43419a4453d4ba38541c14 |
30 |
|
31 |
diff --git a/app-crypt/gnupg/files/gnupg-2.1.23-gpg-default-to-no-auto-key-retrieve.patch b/app-crypt/gnupg/files/gnupg-2.1.23-gpg-default-to-no-auto-key-retrieve.patch |
32 |
new file mode 100644 |
33 |
index 00000000000..4cc414d18e3 |
34 |
--- /dev/null |
35 |
+++ b/app-crypt/gnupg/files/gnupg-2.1.23-gpg-default-to-no-auto-key-retrieve.patch |
36 |
@@ -0,0 +1,71 @@ |
37 |
+From e6f84116abca2ed49bf14b2e28c3c811a3717227 Mon Sep 17 00:00:00 2001 |
38 |
+From: Daniel Kahn Gillmor <dkg@×××××××××××××.net> |
39 |
+Date: Fri, 11 Aug 2017 02:26:52 -0400 |
40 |
+Subject: [PATCH] gpg: default to --no-auto-key-retrieve. |
41 |
+ |
42 |
+* g10/gpg.c (main): remove KEYSERVER_AUTO_KEY_RETRIEVE from the |
43 |
+default keyserver options. |
44 |
+* doc/gpg.texi: document this change. |
45 |
+-- |
46 |
+ |
47 |
+This is a partial reversion of |
48 |
+7e1fe791d188b078398bf83c9af992cb1bd2a4b3. Werner and i discussed it |
49 |
+earlier today, and came to the conclusion that: |
50 |
+ |
51 |
+ * the risk of metadata leakage represented by a default |
52 |
+ --auto-key-retrieve, both in e-mail (as a "web bug") and in other |
53 |
+ contexts where GnuPG is used to verified signatures, is quite high. |
54 |
+ |
55 |
+ * the advantages of --auto-key-retrieve (in terms of signature |
56 |
+ verification) can sometimes be achieved in other ways, such as when |
57 |
+ a signed message includes a copy of its own key. |
58 |
+ |
59 |
+ * when those other ways are not useful, a graphical, user-facing |
60 |
+ application can still offer the user the opportunity to choose to |
61 |
+ fetch the key; or it can apply its own policy about when to set |
62 |
+ --auto-key-retrieve, without needing to affect the defaults. |
63 |
+ |
64 |
+Note that --auto-key-retrieve is specifically about signature |
65 |
+verification. Decisions about how and whether to look up a key during |
66 |
+message encryption are governed by --auto-key-locate. This change |
67 |
+does not touch the --auto-key-locate default of "local,wkd". The user |
68 |
+deliberately asking gpg to encrypt to an e-mail address is a different |
69 |
+scenario than having an incoming e-mail trigger a potentially unique |
70 |
+network request. |
71 |
+ |
72 |
+Signed-off-by: Daniel Kahn Gillmor <dkg@×××××××××××××.net> |
73 |
+--- |
74 |
+ doc/gpg.texi | 2 +- |
75 |
+ g10/gpg.c | 3 +-- |
76 |
+ 2 files changed, 2 insertions(+), 3 deletions(-) |
77 |
+ |
78 |
+diff --git a/doc/gpg.texi b/doc/gpg.texi |
79 |
+index c71126a97..b6a9b2d70 100644 |
80 |
+--- a/doc/gpg.texi |
81 |
++++ b/doc/gpg.texi |
82 |
+@@ -1792,7 +1792,7 @@ list. The default is "local,wkd". |
83 |
+ @opindex no-auto-key-retrieve |
84 |
+ These options enable or disable the automatic retrieving of keys from |
85 |
+ a keyserver when verifying signatures made by keys that are not on the |
86 |
+-local keyring. The default is @option{--auto-key-retrieve}. |
87 |
++local keyring. The default is @option{--no-auto-key-retrieve}. |
88 |
+ |
89 |
+ If the method "wkd" is included in the list of methods given to |
90 |
+ @option{auto-key-locate}, the signer's user ID is part of the |
91 |
+diff --git a/g10/gpg.c b/g10/gpg.c |
92 |
+index c721cdc4a..c9fa7ae5b 100644 |
93 |
+--- a/g10/gpg.c |
94 |
++++ b/g10/gpg.c |
95 |
+@@ -2366,8 +2366,7 @@ main (int argc, char **argv) |
96 |
+ opt.keyserver_options.import_options = (IMPORT_REPAIR_KEYS |
97 |
+ | IMPORT_REPAIR_PKS_SUBKEY_BUG); |
98 |
+ opt.keyserver_options.export_options = EXPORT_ATTRIBUTES; |
99 |
+- opt.keyserver_options.options = (KEYSERVER_HONOR_PKA_RECORD |
100 |
+- | KEYSERVER_AUTO_KEY_RETRIEVE); |
101 |
++ opt.keyserver_options.options = KEYSERVER_HONOR_PKA_RECORD; |
102 |
+ opt.verify_options = (LIST_SHOW_UID_VALIDITY |
103 |
+ | VERIFY_SHOW_POLICY_URLS |
104 |
+ | VERIFY_SHOW_STD_NOTATIONS |
105 |
+-- |
106 |
+2.13.0 |
107 |
+ |
108 |
|
109 |
diff --git a/app-crypt/gnupg/gnupg-2.1.23.ebuild b/app-crypt/gnupg/gnupg-2.1.23.ebuild |
110 |
new file mode 100644 |
111 |
index 00000000000..9564b859cdf |
112 |
--- /dev/null |
113 |
+++ b/app-crypt/gnupg/gnupg-2.1.23.ebuild |
114 |
@@ -0,0 +1,124 @@ |
115 |
+# Copyright 1999-2017 Gentoo Foundation |
116 |
+# Distributed under the terms of the GNU General Public License v2 |
117 |
+ |
118 |
+EAPI="6" |
119 |
+ |
120 |
+inherit systemd toolchain-funcs |
121 |
+ |
122 |
+MY_P="${P/_/-}" |
123 |
+ |
124 |
+DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation" |
125 |
+HOMEPAGE="http://www.gnupg.org/" |
126 |
+SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2" |
127 |
+ |
128 |
+LICENSE="GPL-3" |
129 |
+SLOT="0" |
130 |
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" |
131 |
+IUSE="bzip2 doc +gnutls ldap nls readline selinux +smartcard tofu tools usb wks-server" |
132 |
+ |
133 |
+COMMON_DEPEND_LIBS=" |
134 |
+ >=dev-libs/npth-1.2 |
135 |
+ >=dev-libs/libassuan-2.4.3 |
136 |
+ >=dev-libs/libgcrypt-1.7.3 |
137 |
+ >=dev-libs/libgpg-error-1.24 |
138 |
+ >=dev-libs/libksba-1.3.4 |
139 |
+ >=net-misc/curl-7.10 |
140 |
+ gnutls? ( >=net-libs/gnutls-3.0:0= ) |
141 |
+ sys-libs/zlib |
142 |
+ ldap? ( net-nds/openldap ) |
143 |
+ bzip2? ( app-arch/bzip2 ) |
144 |
+ readline? ( sys-libs/readline:0= ) |
145 |
+ smartcard? ( usb? ( virtual/libusb:0 ) ) |
146 |
+ tofu? ( >=dev-db/sqlite-3.7 ) |
147 |
+ " |
148 |
+COMMON_DEPEND_BINS="app-crypt/pinentry |
149 |
+ !app-crypt/dirmngr" |
150 |
+ |
151 |
+# Existence of executables is checked during configuration. |
152 |
+DEPEND="${COMMON_DEPEND_LIBS} |
153 |
+ ${COMMON_DEPEND_BINS} |
154 |
+ nls? ( sys-devel/gettext ) |
155 |
+ doc? ( sys-apps/texinfo )" |
156 |
+ |
157 |
+RDEPEND="${COMMON_DEPEND_LIBS} |
158 |
+ ${COMMON_DEPEND_BINS} |
159 |
+ selinux? ( sec-policy/selinux-gpg ) |
160 |
+ nls? ( virtual/libintl )" |
161 |
+ |
162 |
+S="${WORKDIR}/${MY_P}" |
163 |
+ |
164 |
+DOCS=( |
165 |
+ ChangeLog NEWS README THANKS TODO VERSION |
166 |
+ doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER |
167 |
+) |
168 |
+ |
169 |
+PATCHES=( |
170 |
+ "${FILESDIR}/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch" |
171 |
+ "${FILESDIR}/${P}-gpg-default-to-no-auto-key-retrieve.patch" |
172 |
+) |
173 |
+ |
174 |
+src_configure() { |
175 |
+ local myconf=() |
176 |
+ |
177 |
+ if use smartcard; then |
178 |
+ myconf+=( |
179 |
+ --enable-scdaemon |
180 |
+ $(use_enable usb ccid-driver) |
181 |
+ ) |
182 |
+ else |
183 |
+ myconf+=( --disable-scdaemon ) |
184 |
+ fi |
185 |
+ |
186 |
+ if use elibc_SunOS || use elibc_AIX; then |
187 |
+ myconf+=( --disable-symcryptrun ) |
188 |
+ else |
189 |
+ myconf+=( --enable-symcryptrun ) |
190 |
+ fi |
191 |
+ |
192 |
+ # glib fails and picks up clang's internal stdint.h causing weird errors |
193 |
+ [[ ${CC} == *clang ]] && \ |
194 |
+ export gl_cv_absolute_stdint_h=/usr/include/stdint.h |
195 |
+ |
196 |
+ econf \ |
197 |
+ "${myconf[@]}" \ |
198 |
+ $(use_enable bzip2) \ |
199 |
+ $(use_enable gnutls) \ |
200 |
+ $(use_enable nls) \ |
201 |
+ $(use_enable tofu) \ |
202 |
+ $(use_enable wks-server wks-tools) \ |
203 |
+ $(use_with ldap) \ |
204 |
+ $(use_with readline) \ |
205 |
+ --enable-gpg \ |
206 |
+ --enable-gpgsm \ |
207 |
+ --enable-large-secmem \ |
208 |
+ --enable-all-tests \ |
209 |
+ CC_FOR_BUILD="$(tc-getBUILD_CC)" |
210 |
+} |
211 |
+ |
212 |
+src_compile() { |
213 |
+ default |
214 |
+ |
215 |
+ use doc && emake -C doc html |
216 |
+} |
217 |
+ |
218 |
+src_install() { |
219 |
+ default |
220 |
+ |
221 |
+ use tools && |
222 |
+ dobin \ |
223 |
+ tools/{convert-from-106,gpg-check-pattern} \ |
224 |
+ tools/{gpg-zip,gpgconf,gpgsplit,lspgpot,mail-signed-keys} \ |
225 |
+ tools/make-dns-cert |
226 |
+ |
227 |
+ dosym gpg /usr/bin/gpg2 |
228 |
+ dosym gpgv /usr/bin/gpgv2 |
229 |
+ echo ".so man1/gpg2.1" > "${ED}"/usr/share/man/man1/gpg.1 || die |
230 |
+ echo ".so man1/gpgv2.1" > "${ED}"/usr/share/man/man1/gpgv.1 || die |
231 |
+ |
232 |
+ dodir /etc/env.d |
233 |
+ echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die |
234 |
+ |
235 |
+ use doc && dodoc doc/gnupg.html/* doc/*.png |
236 |
+ |
237 |
+ systemd_douserunit doc/examples/systemd-user/*.{service,socket} |
238 |
+} |