
From: Sam James <sam@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: app-crypt/gnupg/files/, app-crypt/gnupg/
Date: Thu, 30 Jun 2022 20:01:18
Message-Id: 1656619268.988fa70ca5731f8d4a1862d559603cbf13d569be.sam@gentoo
1 commit: 988fa70ca5731f8d4a1862d559603cbf13d569be
2 Author: Sam James <sam <AT> gentoo <DOT> org>
3 AuthorDate: Thu Jun 30 20:01:02 2022 +0000
4 Commit: Sam James <sam <AT> gentoo <DOT> org>
5 CommitDate: Thu Jun 30 20:01:08 2022 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=988fa70c
7
8 app-crypt/gnupg: backport signature status message fix
9
10 Bug: https://bugs.gentoo.org/855395
11 Signed-off-by: Sam James <sam <AT> gentoo.org>
12
13 .../gnupg-2.2.35-status-messages-garbled.patch | 45 ++++++
14 .../gnupg-2.3.6-status-messages-garbled.patch | 45 ++++++
15 app-crypt/gnupg/gnupg-2.2.35-r1.ebuild | 160 ++++++++++++++++++++
16 app-crypt/gnupg/gnupg-2.3.6-r1.ebuild | 165 +++++++++++++++++++++
17 4 files changed, 415 insertions(+)
18
19 diff --git a/app-crypt/gnupg/files/gnupg-2.2.35-status-messages-garbled.patch b/app-crypt/gnupg/files/gnupg-2.2.35-status-messages-garbled.patch
20 new file mode 100644
21 index 000000000000..23dbf00b1831
22 --- /dev/null
23 +++ b/app-crypt/gnupg/files/gnupg-2.2.35-status-messages-garbled.patch
24 @@ -0,0 +1,45 @@
25 +https://bugs.gentoo.org/855395
26 +https://marc.info/?l=oss-security&m=165657063921408&w=2
27 +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=7b1db7192e6e4d0cfc439b23b13831837c85bc21
28 +
29 +From 7b1db7192e6e4d0cfc439b23b13831837c85bc21 Mon Sep 17 00:00:00 2001
30 +From: Werner Koch <wk@×××××.org>
31 +Date: Tue, 14 Jun 2022 11:33:27 +0200
32 +Subject: [PATCH] g10: Fix garbled status messages in NOTATION_DATA
33 +
34 +* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
35 +--
36 +
37 +Depending on the escaping and line wrapping the computed remaining
38 +buffer length could be wrong. Fixed by always using a break to
39 +terminate the escape detection loop. Might have happened for all
40 +status lines which may wrap.
41 +
42 +GnuPG-bug-id: T6027
43 +--- a/g10/cpr.c
44 ++++ b/g10/cpr.c
45 +@@ -328,20 +328,15 @@ write_status_text_and_buffer (int no, const char *string,
46 + }
47 + first = 0;
48 + }
49 +- for (esc=0, s=buffer, n=len; n && !esc; s++, n--)
50 ++ for (esc=0, s=buffer, n=len; n; s++, n--)
51 + {
52 + if (*s == '%' || *(const byte*)s <= lower_limit
53 + || *(const byte*)s == 127 )
54 + esc = 1;
55 + if (wrap && ++count > wrap)
56 +- {
57 +- dowrap=1;
58 +- break;
59 +- }
60 +- }
61 +- if (esc)
62 +- {
63 +- s--; n++;
64 ++ dowrap=1;
65 ++ if (esc || dowrap)
66 ++ break;
67 + }
68 + if (s != buffer)
69 + es_fwrite (buffer, s-buffer, 1, statusfp);
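Review bot: The rewritten scan loop in `write_status_text_and_buffer` relies on an unstated invariant: on `break`, `s` must point at the byte that set `esc` or `dowrap`, and `n` must still count that byte. A short comment above the `for`, such as `/* On break, S points at the first unwritten byte and N still counts it. */`, would make the contract with the following `es_fwrite (buffer, s-buffer, 1, statusfp)` explicit. The function starts and ends outside the hunk, so how `esc` and `dowrap` are consumed after the write, and what happens when both are set on the same byte, cannot be confirmed from here. Programs parse these status lines, and the oss-security link in the patch header suggests the garbling is treated as security-relevant, yet none of the four files in this commit adds a regression test; one covering an escaped byte at the wrap boundary is worth requesting upstream. The same applies to the identical 2.3.6 patch file added in this commit.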
70
71 diff --git a/app-crypt/gnupg/files/gnupg-2.3.6-status-messages-garbled.patch b/app-crypt/gnupg/files/gnupg-2.3.6-status-messages-garbled.patch
72 new file mode 100644
73 index 000000000000..4bac4fea0f0e
74 --- /dev/null
75 +++ b/app-crypt/gnupg/files/gnupg-2.3.6-status-messages-garbled.patch
76 @@ -0,0 +1,45 @@
77 +https://bugs.gentoo.org/855395
78 +https://marc.info/?l=oss-security&m=165657063921408&w=2
79 +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=34c649b3601383cd11dbc76221747ec16fd68e1b;hp=4dbef2addca8c76fb4953fd507bd800d2a19d3ec
80 +
81 +From 34c649b3601383cd11dbc76221747ec16fd68e1b Mon Sep 17 00:00:00 2001
82 +From: Werner Koch <wk@×××××.org>
83 +Date: Tue, 14 Jun 2022 11:33:27 +0200
84 +Subject: [PATCH 1/1] g10: Fix garbled status messages in NOTATION_DATA
85 +
86 +* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
87 +--
88 +
89 +Depending on the escaping and line wrapping the computed remaining
90 +buffer length could be wrong. Fixed by always using a break to
91 +terminate the escape detection loop. Might have happened for all
92 +status lines which may wrap.
93 +
94 +GnuPG-bug-id: T6027
95 +--- a/g10/cpr.c
96 ++++ b/g10/cpr.c
97 +@@ -372,20 +372,15 @@ write_status_text_and_buffer (int no, const char *string,
98 + }
99 + first = 0;
100 + }
101 +- for (esc=0, s=buffer, n=len; n && !esc; s++, n--)
102 ++ for (esc=0, s=buffer, n=len; n; s++, n--)
103 + {
104 + if (*s == '%' || *(const byte*)s <= lower_limit
105 + || *(const byte*)s == 127 )
106 + esc = 1;
107 + if (wrap && ++count > wrap)
108 +- {
109 +- dowrap=1;
110 +- break;
111 +- }
112 +- }
113 +- if (esc)
114 +- {
115 +- s--; n++;
116 ++ dowrap=1;
117 ++ if (esc || dowrap)
118 ++ break;
119 + }
120 + if (s != buffer)
121 + es_fwrite (buffer, s-buffer, 1, statusfp);
122
123 diff --git a/app-crypt/gnupg/gnupg-2.2.35-r1.ebuild b/app-crypt/gnupg/gnupg-2.2.35-r1.ebuild
124 new file mode 100644
125 index 000000000000..8590dbbe4f97
126 --- /dev/null
127 +++ b/app-crypt/gnupg/gnupg-2.2.35-r1.ebuild
128 @@ -0,0 +1,160 @@
129 +# Copyright 1999-2022 Gentoo Authors
130 +# Distributed under the terms of the GNU General Public License v2
131 +
132 +EAPI=7
133 +
134 +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnupg.asc
135 +inherit flag-o-matic systemd toolchain-funcs verify-sig
136 +
137 +MY_P="${P/_/-}"
138 +
139 +DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
140 +HOMEPAGE="https://gnupg.org/"
141 +SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
142 +SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
143 +S="${WORKDIR}/${MY_P}"
144 +
145 +LICENSE="GPL-3"
146 +SLOT="0"
147 +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
148 +IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server"
149 +RESTRICT="!test? ( test )"
150 +
151 +# Existence of executables is checked during configuration.
152 +# Note: On each bump, update dep bounds on each version from configure.ac!
153 +DEPEND=">=dev-libs/libassuan-2.5.0
154 + >=dev-libs/libgcrypt-1.8.0:=
155 + >=dev-libs/libgpg-error-1.29
156 + >=dev-libs/libksba-1.3.5
157 + >=dev-libs/npth-1.2
158 + >=net-misc/curl-7.10
159 + sys-libs/zlib
160 + bzip2? ( app-arch/bzip2 )
161 + ldap? ( net-nds/openldap:= )
162 + readline? ( sys-libs/readline:0= )
163 + smartcard? ( usb? ( virtual/libusb:1 ) )
164 + ssl? ( >=net-libs/gnutls-3.0:0= )
165 + tofu? ( >=dev-db/sqlite-3.7 )"
166 +
167 +RDEPEND="${DEPEND}
168 + app-crypt/pinentry
169 + nls? ( virtual/libintl )
170 + selinux? ( sec-policy/selinux-gpg )
171 + wks-server? ( virtual/mta )"
172 +
173 +BDEPEND="virtual/pkgconfig
174 + doc? ( sys-apps/texinfo )
175 + nls? ( sys-devel/gettext )
176 + verify-sig? ( sec-keys/openpgp-keys-gnupg )"
177 +
178 +DOCS=(
179 + ChangeLog NEWS README THANKS TODO VERSION
180 + doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
181 +)
182 +
183 +PATCHES=(
184 + "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
185 + "${FILESDIR}"/${P}-status-messages-garbled.patch
186 +)
187 +
188 +src_prepare() {
189 + default
190 +
191 + # Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
192 + # idea borrowed from libdbus, see
193 + # https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
194 + #
195 + # This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
196 + # which in turn requires discovery in Autoconf, something that upstream deeply resents.
197 + sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
198 + -i doc/examples/systemd-user/gpg-agent-ssh.socket || die
199 +}
200 +
201 +src_configure() {
202 + local myconf=(
203 + $(use_enable bzip2)
204 + $(use_enable nls)
205 + $(use_enable smartcard scdaemon)
206 + $(use_enable ssl gnutls)
207 + $(use_enable test all-tests)
208 + $(use_enable test tests)
209 + $(use_enable tofu)
210 + $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
211 + $(use_enable wks-server wks-tools)
212 + $(use_with ldap)
213 + $(use_with readline)
214 + --with-mailprog=/usr/libexec/sendmail
215 + --disable-ntbtls
216 + --enable-gpg
217 + --enable-gpgsm
218 + --enable-large-secmem
219 +
220 + CC_FOR_BUILD="$(tc-getBUILD_CC)"
221 + GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
222 + KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
223 + LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
224 + LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
225 + NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
226 +
227 + $("${S}/configure" --help | grep -o -- '--without-.*-prefix')
228 + )
229 +
230 + if use prefix && use usb; then
231 + # bug #649598
232 + append-cppflags -I"${EPREFIX}/usr/include/libusb-1.0"
233 + fi
234 +
235 + # bug #663142
236 + if use user-socket; then
237 + myconf+=( --enable-run-gnupg-user-socket )
238 + fi
239 +
240 + # glib fails and picks up clang's internal stdint.h causing weird errors
241 + tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
242 +
243 + # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
244 + # As of GnuPG 2.3, the mailprog substitution is used for the binary called
245 + # by wks-client & wks-server; and if it's autodetected but not not exist at
246 + # build time, then then 'gpg-wks-client --send' functionality will not
247 + # work. This has an unwanted side-effect in stage3 builds: there was a
248 + # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
249 + # the build where the install guide previously make the user chose the
250 + # logger & mta early in the install.
251 +
252 + econf "${myconf[@]}"
253 +}
254 +
255 +src_compile() {
256 + default
257 +
258 + use doc && emake -C doc html
259 +}
260 +
261 +src_test() {
262 + # bug #638574
263 + use tofu && export TESTFLAGS=--parallel
264 +
265 + default
266 +}
267 +
268 +src_install() {
269 + default
270 +
271 + use tools &&
272 + dobin \
273 + tools/{convert-from-106,gpg-check-pattern} \
274 + tools/{gpg-zip,gpgconf,gpgsplit,lspgpot,mail-signed-keys} \
275 + tools/make-dns-cert
276 +
277 + dosym gpg /usr/bin/gpg2
278 + dosym gpgv /usr/bin/gpgv2
279 + echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
280 + echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
281 +
282 + dodir /etc/env.d
283 + echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
284 +
285 + use doc && dodoc doc/gnupg.html/* doc/*.png
286 +
287 + systemd_douserunit doc/examples/systemd-user/*.{service,socket}
288 +}
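Review bot: The signature entry in `SRC_URI` is built from `${P}` while the tarball it covers is built from `${MY_P}`, so the two names agree only while the version has no `_` component. With `MY_P="${P/_/-}"` in effect, a `_rc` or `_beta` bump would request a `.sig` whose name differs from the tarball's, and `verify-sig` would presumably be unable to pair them. Writing the line as `SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${MY_P}.tar.bz2.sig )"` keeps the tarball and its signature in step. The same line appears in `gnupg-2.3.6-r1.ebuild` in this commit.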
289
290 diff --git a/app-crypt/gnupg/gnupg-2.3.6-r1.ebuild b/app-crypt/gnupg/gnupg-2.3.6-r1.ebuild
291 new file mode 100644
292 index 000000000000..c2540e9010b7
293 --- /dev/null
294 +++ b/app-crypt/gnupg/gnupg-2.3.6-r1.ebuild
295 @@ -0,0 +1,165 @@
296 +# Copyright 1999-2022 Gentoo Authors
297 +# Distributed under the terms of the GNU General Public License v2
298 +
299 +EAPI=7
300 +
301 +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnupg.asc
302 +inherit flag-o-matic systemd toolchain-funcs verify-sig
303 +
304 +MY_P="${P/_/-}"
305 +
306 +DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
307 +HOMEPAGE="https://gnupg.org/"
308 +SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
309 +SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
310 +S="${WORKDIR}/${MY_P}"
311 +
312 +LICENSE="GPL-3"
313 +SLOT="0"
314 +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
315 +IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server"
316 +RESTRICT="!test? ( test )"
317 +REQUIRED_USE="test? ( tofu )"
318 +
319 +# Existence of executables is checked during configuration.
320 +# Note: On each bump, update dep bounds on each version from configure.ac!
321 +DEPEND=">=dev-libs/libassuan-2.5.0
322 + >=dev-libs/libgcrypt-1.9.1:=
323 + >=dev-libs/libgpg-error-1.41
324 + >=dev-libs/libksba-1.3.4
325 + >=dev-libs/npth-1.2
326 + >=net-misc/curl-7.10
327 + sys-libs/zlib
328 + bzip2? ( app-arch/bzip2 )
329 + ldap? ( net-nds/openldap:= )
330 + readline? ( sys-libs/readline:0= )
331 + smartcard? ( usb? ( virtual/libusb:1 ) )
332 + tofu? ( >=dev-db/sqlite-3.27 )
333 + tpm? ( >=app-crypt/tpm2-tss-2.4.0:= )
334 + ssl? ( >=net-libs/gnutls-3.0:0= )
335 +"
336 +
337 +RDEPEND="${DEPEND}
338 + app-crypt/pinentry
339 + nls? ( virtual/libintl )
340 + selinux? ( sec-policy/selinux-gpg )
341 + wks-server? ( virtual/mta )"
342 +
343 +BDEPEND="virtual/pkgconfig
344 + doc? ( sys-apps/texinfo )
345 + nls? ( sys-devel/gettext )
346 + verify-sig? ( sec-keys/openpgp-keys-gnupg )"
347 +
348 +DOCS=(
349 + ChangeLog NEWS README THANKS TODO VERSION
350 + doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
351 +)
352 +
353 +PATCHES=(
354 + "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
355 + "${FILESDIR}"/${P}-status-messages-garbled.patch
356 +)
357 +
358 +src_prepare() {
359 + default
360 +
361 + # Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
362 + # idea borrowed from libdbus, see
363 + # https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
364 + #
365 + # This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
366 + # which in turn requires discovery in Autoconf, something that upstream deeply resents.
367 + sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
368 + -i doc/examples/systemd-user/gpg-agent-ssh.socket || die
369 +}
370 +
371 +src_configure() {
372 + local myconf=(
373 + $(use_enable bzip2)
374 + $(use_enable nls)
375 + $(use_enable smartcard scdaemon)
376 + $(use_enable ssl gnutls)
377 + $(use_enable test all-tests)
378 + $(use_enable test tests)
379 + $(use_enable tofu)
380 + $(use_enable tofu keyboxd)
381 + $(use_enable tofu sqlite)
382 + $(usex tpm '--with-tss=intel' '--disable-tpm2d')
383 + $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
384 + $(use_enable wks-server wks-tools)
385 + $(use_with ldap)
386 + $(use_with readline)
387 + --with-mailprog=/usr/libexec/sendmail
388 + --disable-ntbtls
389 + --enable-gpgsm
390 + --enable-large-secmem
391 +
392 + CC_FOR_BUILD="$(tc-getBUILD_CC)"
393 + GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
394 + KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
395 + LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
396 + LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
397 + NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
398 +
399 + $("${S}/configure" --help | grep -o -- '--without-.*-prefix')
400 + )
401 +
402 + if use prefix && use usb; then
403 + # bug #649598
404 + append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
405 + fi
406 +
407 + # bug #663142
408 + if use user-socket; then
409 + myconf+=( --enable-run-gnupg-user-socket )
410 + fi
411 +
412 + # glib fails and picks up clang's internal stdint.h causing weird errors
413 + tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
414 +
415 + # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
416 + # As of GnuPG 2.3, the mailprog substitution is used for the binary called
417 + # by wks-client & wks-server; and if it's autodetected but not not exist at
418 + # build time, then then 'gpg-wks-client --send' functionality will not
419 + # work. This has an unwanted side-effect in stage3 builds: there was a
420 + # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
421 + # the build where the install guide previously make the user chose the
422 + # logger & mta early in the install.
423 +
424 + econf "${myconf[@]}"
425 +}
426 +
427 +src_compile() {
428 + default
429 +
430 + use doc && emake -C doc html
431 +}
432 +
433 +src_test() {
434 + # bug #638574
435 + use tofu && export TESTFLAGS=--parallel
436 +
437 + default
438 +}
439 +
440 +src_install() {
441 + default
442 +
443 + use tools &&
444 + dobin \
445 + tools/{convert-from-106,gpg-check-pattern} \
446 + tools/{gpgconf,gpgsplit,lspgpot,mail-signed-keys} \
447 + tools/make-dns-cert
448 +
449 + dosym gpg /usr/bin/gpg2
450 + dosym gpgv /usr/bin/gpgv2
451 + echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
452 + echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
453 +
454 + dodir /etc/env.d
455 + echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
456 +
457 + use doc && dodoc doc/gnupg.html/* doc/*.png
458 +
459 + systemd_douserunit doc/examples/systemd-user/*.{service,socket}
460 +}
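Review bot: In `src_configure`, `$(use_enable tofu keyboxd)` and `$(use_enable tofu sqlite)` hang two further features off the `tofu` flag, and `REQUIRED_USE="test? ( tofu )"` ties the test suite to it too, with no comment explaining why. A reader cannot tell from the ebuild that disabling `tofu` also switches off keyboxd. If the reason is that sqlite is only in `DEPEND` under `tofu?`, a line such as `# keyboxd needs sqlite, which is only pulled in for USE=tofu` above those two options would record it. A similar one-line comment next to `REQUIRED_USE` would explain the test dependency.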