From 6709ea103b3dd4d66714a852fe8de9524d727802 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Tue, 14 Feb 2017 00:29:34 +0000 Subject: [PATCH] Import gnupg2_2.1.18-6.debian.tar.bz2 [dgit import tarball gnupg2 2.1.18-6 gnupg2_2.1.18-6.debian.tar.bz2] --- NEWS | 8 + Xsession.d/90gpg-agent | 22 + changelog | 1965 +++++++++++++++++ clean | 8 + compat | 1 + control | 329 +++ copyright | 233 ++ dirmngr.NEWS | 49 + dirmngr.README.Debian | 47 + dirmngr.docs | 4 + dirmngr.install | 7 + dirmngr.links | 1 + dirmngr.maintscript | 5 + dirmngr.manpages | 2 + gbp.conf | 33 + gnupg-agent.NEWS | 19 + gnupg-agent.README.Debian | 82 + gnupg-agent.examples | 2 + gnupg-agent.install | 12 + gnupg-agent.links | 6 + gnupg-agent.manpages | 5 + gnupg-l10n.install | 2 + gnupg.README.Debian | 44 + gnupg.docs | 9 + gnupg.examples | 1 + gnupg.info | 3 + gnupg.install | 13 + gnupg.manpages | 11 + gnupg2.links | 2 + gpg-check-pattern.1 | 35 + gpg-zip.1 | 102 + gpgsm.install | 1 + gpgsm.manpages | 1 + gpgsplit.1 | 41 + gpgv-static.1 | 32 + gpgv-static.install | 1 + gpgv-static.lintian-overrides | 3 + gpgv-static.manpages | 1 + gpgv-udeb.install | 1 + gpgv-win32.install | 1 + gpgv.install | 1 + gpgv.manpages | 1 + gpgv2.links | 2 + kbxutil.1 | 62 + lspgpot.1 | 22 + migrate-pubring-from-classic-gpg | 76 + migrate-pubring-from-classic-gpg.1 | 50 + patches/0012-tools-Fix-memory-leak.patch | 28 + .../0013-tools-Improve-error-handling.patch | 29 + ...0014-dirmngr-New-option-disable-ipv4.patch | 245 ++ ...mplify-error-returning-inside-http.c.patch | 255 +++ ...-gpg-Print-a-warning-on-Tor-problems.patch | 188 ++ patches/0017-agent-Fix-double-free.patch | 49 + ...ching-for-mail-addresses-in-keyrings.patch | 54 + ...tion-no-use-tor-and-internal-changes.patch | 382 ++++ ...-gpg-Remove-period-at-end-of-warning.patch | 26 + patches/0021-gpg-Add-newline-to-output.patch | 25 + ...ut-TOFU-statistics-for-conflicts-in-.patch | 187 ++ ...a-TOFU-conflict-elide-the-too-few-me.patch | 42 + ...bindings-associated-with-UTKs-are-re.patch | 60 + ...-assume-that-strtoul-interprets-as-0.patch | 53 + ...-diagnostics-for-a-launched-pinentry.patch | 81 + ...027-doc-Clarify-abbreviation-of-help.patch | 27 + ...8-scd-Backport-two-fixes-from-master.patch | 55 + patches/0029-scd-Fix-use-case-of-PC-SC.patch | 93 + ...Avoid-simple-memory-dumps-via-ptrace.patch | 60 + .../0001-avoid-beta-warning.patch | 44 + ...erating-defsincdate-use-shipped-file.patch | 37 + ...d-potential-race-condition-when-some.patch | 77 + ...rngr-Avoid-need-for-hkp-housekeeping.patch | 225 ++ ...automatically-checking-upstream-swdb.patch | 69 + ...05-dirmngr-Drop-useless-housekeeping.patch | 199 ++ ...Create-framework-of-scheduled-timers.patch | 192 ++ ...ads-to-interrupt-main-select-loop-wi.patch | 93 + ...Avoid-tight-timer-tick-when-possible.patch | 112 + ...duled-checks-on-socket-when-inotify-.patch | 26 + patches/series | 29 + rules | 67 + scdaemon.examples | 1 + scdaemon.install | 1 + scdaemon.lintian-overrides | 4 + scdaemon.manpages | 1 + scdaemon.udev | 63 + source/format | 1 + source/lintian-overrides | 4 + source/options | 3 + systemd-user/gpg-agent-browser.socket | 13 + tests/control | 3 + tests/gpgv-win32 | 54 + upstream/signing-key.asc | 109 + watch | 5 + 91 files changed, 6729 insertions(+) create mode 100644 NEWS create mode 100644 Xsession.d/90gpg-agent create mode 100644 changelog create mode 100644 clean create mode 100644 compat create mode 100644 control create mode 100644 copyright create mode 100644 dirmngr.NEWS create mode 100644 dirmngr.README.Debian create mode 100644 dirmngr.docs create mode 100644 dirmngr.install create mode 100644 dirmngr.links create mode 100644 dirmngr.maintscript create mode 100644 dirmngr.manpages create mode 100644 gbp.conf create mode 100644 gnupg-agent.NEWS create mode 100644 gnupg-agent.README.Debian create mode 100644 gnupg-agent.examples create mode 100644 gnupg-agent.install create mode 100644 gnupg-agent.links create mode 100644 gnupg-agent.manpages create mode 100644 gnupg-l10n.install create mode 100644 gnupg.README.Debian create mode 100644 gnupg.docs create mode 100644 gnupg.examples create mode 100644 gnupg.info create mode 100644 gnupg.install create mode 100644 gnupg.manpages create mode 100644 gnupg2.links create mode 100644 gpg-check-pattern.1 create mode 100644 gpg-zip.1 create mode 100644 gpgsm.install create mode 100644 gpgsm.manpages create mode 100644 gpgsplit.1 create mode 100644 gpgv-static.1 create mode 100644 gpgv-static.install create mode 100644 gpgv-static.lintian-overrides create mode 100644 gpgv-static.manpages create mode 100644 gpgv-udeb.install create mode 100644 gpgv-win32.install create mode 100644 gpgv.install create mode 100644 gpgv.manpages create mode 100644 gpgv2.links create mode 100644 kbxutil.1 create mode 100644 lspgpot.1 create mode 100755 migrate-pubring-from-classic-gpg create mode 100644 migrate-pubring-from-classic-gpg.1 create mode 100644 patches/0012-tools-Fix-memory-leak.patch create mode 100644 patches/0013-tools-Improve-error-handling.patch create mode 100644 patches/0014-dirmngr-New-option-disable-ipv4.patch create mode 100644 patches/0015-dirmngr-Simplify-error-returning-inside-http.c.patch create mode 100644 patches/0016-gpg-Print-a-warning-on-Tor-problems.patch create mode 100644 patches/0017-agent-Fix-double-free.patch create mode 100644 patches/0018-gpg-Fix-searching-for-mail-addresses-in-keyrings.patch create mode 100644 patches/0019-dirmngr-New-option-no-use-tor-and-internal-changes.patch create mode 100644 patches/0020-gpg-Remove-period-at-end-of-warning.patch create mode 100644 patches/0021-gpg-Add-newline-to-output.patch create mode 100644 patches/0022-gpg-Only-print-out-TOFU-statistics-for-conflicts-in-.patch create mode 100644 patches/0023-gpg-If-there-is-a-TOFU-conflict-elide-the-too-few-me.patch create mode 100644 patches/0024-gpg-Ensure-TOFU-bindings-associated-with-UTKs-are-re.patch create mode 100644 patches/0025-gpg-Don-t-assume-that-strtoul-interprets-as-0.patch create mode 100644 patches/0026-gpg-More-diagnostics-for-a-launched-pinentry.patch create mode 100644 patches/0027-doc-Clarify-abbreviation-of-help.patch create mode 100644 patches/0028-scd-Backport-two-fixes-from-master.patch create mode 100644 patches/0029-scd-Fix-use-case-of-PC-SC.patch create mode 100644 patches/block-ptrace-on-agent/0002-Avoid-simple-memory-dumps-via-ptrace.patch create mode 100644 patches/debian-packaging/0001-avoid-beta-warning.patch create mode 100644 patches/debian-packaging/0003-avoid-regenerating-defsincdate-use-shipped-file.patch create mode 100644 patches/dirmngr-idling/0001-dirmngr-hkp-Avoid-potential-race-condition-when-some.patch create mode 100644 patches/dirmngr-idling/0002-dimrngr-Avoid-need-for-hkp-housekeeping.patch create mode 100644 patches/dirmngr-idling/0004-dirmngr-Avoid-automatically-checking-upstream-swdb.patch create mode 100644 patches/dirmngr-idling/0005-dirmngr-Drop-useless-housekeeping.patch create mode 100644 patches/gpg-agent-idling/0001-agent-Create-framework-of-scheduled-timers.patch create mode 100644 patches/gpg-agent-idling/0002-agent-Allow-threads-to-interrupt-main-select-loop-wi.patch create mode 100644 patches/gpg-agent-idling/0003-agent-Avoid-tight-timer-tick-when-possible.patch create mode 100644 patches/gpg-agent-idling/0004-agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch create mode 100644 patches/series create mode 100755 rules create mode 100644 scdaemon.examples create mode 100644 scdaemon.install create mode 100644 scdaemon.lintian-overrides create mode 100644 scdaemon.manpages create mode 100644 scdaemon.udev create mode 100644 source/format create mode 100644 source/lintian-overrides create mode 100644 source/options create mode 100644 systemd-user/gpg-agent-browser.socket create mode 100644 tests/control create mode 100755 tests/gpgv-win32 create mode 100644 upstream/signing-key.asc create mode 100644 watch diff --git a/NEWS b/NEWS new file mode 100644 index 0000000..0a6a744 --- /dev/null +++ b/NEWS @@ -0,0 +1,8 @@ +gnupg2 (2.1.11-7+exp1) experimental; urgency=medium + + The gnupg package now provides the "modern" version of GnuPG. + + Please read /usr/share/doc/gnupg/README.Debian for details about the + transition from "classic" to "modern" + + -- Daniel Kahn Gillmor Wed, 30 Mar 2016 09:59:35 -0400 diff --git a/Xsession.d/90gpg-agent b/Xsession.d/90gpg-agent new file mode 100644 index 0000000..8b45b05 --- /dev/null +++ b/Xsession.d/90gpg-agent @@ -0,0 +1,22 @@ +# On systems with systemd running, we expect the agent to be launched +# via systemd's user mode (see +# /usr/lib/systemd/user/gpg-agent.{socket,service} and +# systemd.unit(5)). This allows systemd to clean up the agent +# automatically at logout. + +# If systemd is absent from your system, or you do not permit it to +# run in user mode, then you may need to manually launch gpg-agent +# from your session initialization with something like "gpgconf +# --launch gpg-agent" + +# Nonetheless, ssh and older versions of gpg require environment +# variables to be set in order to find the agent, so we will set those +# here. + +agent_sock=$(gpgconf --list-dirs agent-socket) +export GPG_AGENT_INFO=${agent_sock}:0:1 +if [ -n "$(gpgconf --list-options gpg-agent | \ + awk -F: '/^enable-ssh-support:/{ print $10 }')" ]; then + export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) +fi + diff --git a/changelog b/changelog new file mode 100644 index 0000000..4167d38 --- /dev/null +++ b/changelog @@ -0,0 +1,1965 @@ +gnupg2 (2.1.18-6) unstable; urgency=medium + + [ NIIBE Yutaka ] + * scdaemon: Fix duplicated entries (Closes: #855056). + + -- Daniel Kahn Gillmor Mon, 13 Feb 2017 19:29:34 -0500 + +gnupg2 (2.1.18-5) unstable; urgency=medium + + [ Daniel Kahn Gillmor ] + * Xsession.d/90gpg-agent: use simpler and more direct gpgconf + invocations for socket names. + + [ NIIBE Yutaka ] + * scdaemon.udev: Add Yubikey and Nitrokey (Closes: #648331, 734889). + * scdaemon fix for PC/SC (Closes: #852702, #854005, #854595, #854616). + + -- Daniel Kahn Gillmor Mon, 13 Feb 2017 09:15:07 -0500 + +gnupg2 (2.1.18-4) unstable; urgency=medium + + [ Daniel Kahn Gillmor ] + * document that debian disables --allow-version-check + * docs, debugging, and bugfix patches from upstream (Closes: #852979) + + [ NIIBE Yutaka ] + * scdaemon bugfixes + + -- Daniel Kahn Gillmor Sat, 04 Feb 2017 22:03:26 -0500 + +gnupg2 (2.1.18-3) unstable; urgency=medium + + * fix searches for keys with raw addr-spec + + -- Daniel Kahn Gillmor Wed, 25 Jan 2017 16:58:56 -0500 + +gnupg2 (2.1.18-2) unstable; urgency=medium + + * pull fixes from upstream (including a double-free in gpg-agent) + + -- Daniel Kahn Gillmor Wed, 25 Jan 2017 09:29:25 -0500 + +gnupg2 (2.1.18-1) unstable; urgency=medium + + * New upstream release. + + -- Daniel Kahn Gillmor Mon, 23 Jan 2017 23:12:35 -0500 + +gnupg2 (2.1.17-6) unstable; urgency=medium + + * Upstream patches, fixing unnecessary delay in gpg-agent (Closes: #851298) + * gpg-agent: avoid race in shutdown (Closes: #841143) + * improve dirmngr, gpg-agent README.Debian (Closes: #850982) + * clean up gpg-agent-idling patch + + -- Daniel Kahn Gillmor Wed, 18 Jan 2017 14:40:41 -0500 + +gnupg2 (2.1.17-5) unstable; urgency=medium + + * more fixes from upstream (improving but not yet closing: #849845) + * gpg-agent: actively poll when shutdown is pending. Thanks, NIIBE + Yutaka! (addresses but does not close #841143) + + -- Daniel Kahn Gillmor Wed, 11 Jan 2017 15:44:57 -0500 + +gnupg2 (2.1.17-4) unstable; urgency=medium + + * more patches from upstream, including dirmngr debugging + improvements + * resolve ambiguity in aliased options and commands (Closes: #850475) + * auto-enable gpg-agent and dirmngr for systemd user sessions + * enable easy reloads from systemd + + -- Daniel Kahn Gillmor Tue, 10 Jan 2017 17:30:08 -0500 + +gnupg2 (2.1.17-3) unstable; urgency=medium + + * more bugfixes from upstream (improving but not yet closing: #849845) + + -- Daniel Kahn Gillmor Tue, 03 Jan 2017 15:39:52 -0500 + +gnupg2 (2.1.17-2) unstable; urgency=medium + + * include patches from upstream to avoid build failures on 32-bit + arches. + + -- Daniel Kahn Gillmor Sat, 24 Dec 2016 18:11:51 -0500 + +gnupg2 (2.1.17-1) unstable; urgency=medium + + * new upstream release. + + -- Daniel Kahn Gillmor Sat, 24 Dec 2016 15:39:04 -0500 + +gnupg2 (2.1.16-3) unstable; urgency=medium + + * remove -pie from hppa, kfreebsd-amd64, and x32 builds of + gpgv-static (Closes: #846889) + * import several upstream bugfix patches (Closes: #846834, #846168) + * link gnupg-agent and scdaemon with Enhances/Suggests (Closes: #833518) + + -- Daniel Kahn Gillmor Mon, 05 Dec 2016 15:34:49 -0500 + +gnupg2 (2.1.16-2) unstable; urgency=medium + + * avoid using adns, due to lack of security support (Closes: #845078) + + -- Daniel Kahn Gillmor Mon, 21 Nov 2016 09:57:26 -0500 + +gnupg2 (2.1.16-1) unstable; urgency=medium + + * New upstream version + * dropped many patches already incorporated upstream + + -- Daniel Kahn Gillmor Sun, 20 Nov 2016 23:22:49 -0500 + +gnupg2 (2.1.15-9) unstable; urgency=medium + + * Introduce gpgv-static package (Closes: #806940) + * more patches from upstream + * use adns for better DNS resolution in dirmngr + * add some import-options to + migrate-pubring-from-classic-gpg for better migration + * reorganize patches to distinguish debian variations from upstream + * set simple and easy defaults for keyservers + * help dirmngr and gpg-agent idle better in the default case + + -- Daniel Kahn Gillmor Thu, 10 Nov 2016 07:28:16 -0800 + +gnupg2 (2.1.15-8) unstable; urgency=medium + + * rename gpg-agent-restricted.socket to gpg-agent-extra.socket + (for symmetry with option names and actual sockets created) + + -- Daniel Kahn Gillmor Thu, 27 Oct 2016 13:54:53 -0400 + +gnupg2 (2.1.15-7) unstable; urgency=medium + + * more upstream patches + * dirmngr systemd user service is now socket-activated. + + -- Daniel Kahn Gillmor Thu, 27 Oct 2016 12:48:15 -0400 + +gnupg2 (2.1.15-6) unstable; urgency=medium + + * more upstream patches (Closes: #841437, #840680) + + -- Daniel Kahn Gillmor Wed, 26 Oct 2016 17:44:20 -0400 + +gnupg2 (2.1.15-5) unstable; urgency=medium + + * added udev rules for Fujitsu Siemens cardreader (Closes: #840312) + * mark transitional packages Multi-Arch: Foreign (closes: #840258) + * make gnupg2 binNMU-safe + * more patches from upstream + * track upstream decision-making about gpg-agent socket names + + -- Daniel Kahn Gillmor Tue, 25 Oct 2016 21:30:06 -0400 + +gnupg2 (2.1.15-4) unstable; urgency=medium + + * update debian/tests/gpgv-win32 + * more patches from upstream (Closes: #838153) + * tighten dependencies between gnupg and dirmngr (Closes: #834602) + * updated systemd user gpg-agent units for socket activation + + -- Daniel Kahn Gillmor Tue, 04 Oct 2016 17:22:30 -0400 + +gnupg2 (2.1.15-3) unstable; urgency=medium + + * Use upstream fix to avoid touching homedir during test suite + * backward compatibility for preset-passphrase and protect-tool + * add Breaks: for python3-apt too (thanks, Harald Jenny!) + * Avoid network access during tests (Closes: #836259) + * more patches from upstream + - gpgv --output now works + - fingerprint display doesn't vary with --keyid-format + - minor cleanup to scdaemon dealing with removed cards + + -- Daniel Kahn Gillmor Wed, 14 Sep 2016 17:08:58 -0400 + +gnupg2 (2.1.15-2) unstable; urgency=medium + + * restore keyid output in gpgv (Closes: #836144) + * avoid test suite failures when HOME does not exist + + -- Daniel Kahn Gillmor Wed, 31 Aug 2016 12:37:48 -0400 + +gnupg2 (2.1.15-1) unstable; urgency=medium + + * new upstream release + - blocks signals during keyring updates (Closes: #293556) + * avoid libusb on hurd. Thanks, Pino Toscano! (Closes: #834533) + * permissions on test suite are already fixed + * drop patches applied upstream and refresh remaining patches + * make gnupg2 reproducible by not regenerating documentation date + * make autopkgtest work with modern wine (Closes: #835976) + * wrap-and-sort -ast for cleaner diffs + * add versioned Breaks: for affected packages (Closes: #835349) + - gpgv Breaks: python-debian << 0.1.29 (addresses: #782904) + - gnupg Breaks: php-crypt-gpg <= 1.4.1-1 (addresses #835592) + - gnupg Breaks: python-apt <= 1.1.0~beta4 (addresses: #835465) + - gnupg Breaks: python-gnupg << 0.3.8-3 (addresses: #834514, #834600) + - gnupg Breaks: libgnupg-interface-perl << 0.52-3 (addresses: #834281) + - gnupg Breaks: libmail-gnupg-perl <= 0.22-1 (addresses: #835075) + - gnupg Breaks: libgnupg-perl << 0.19-1 (addresses: #834522) + + -- Daniel Kahn Gillmor Tue, 30 Aug 2016 13:19:23 -0400 + +gnupg2 (2.1.14-5) unstable; urgency=medium + + * actually ship /usr/share/doc/gnupg/README.Debian + * Release to unstable. + + -- Daniel Kahn Gillmor Fri, 12 Aug 2016 16:27:22 -0400 + +gnupg2 (2.1.14-4) experimental; urgency=medium + + * add ZeitControl card (Closes: #814584) + * three more fixes from upstream + + -- Daniel Kahn Gillmor Mon, 08 Aug 2016 12:54:21 -0400 + +gnupg2 (2.1.14-3) experimental; urgency=medium + + * cleanup debian/copyright + * update debian/watch + + -- Daniel Kahn Gillmor Wed, 03 Aug 2016 11:09:05 -0400 + +gnupg2 (2.1.14-2) experimental; urgency=medium + + * mark the gpgv binary as Priority: important, since apt depends on it + * import a bunch of fixes from upstream + * include permissioning on patched-in tests + * Breaks: some packages that expect old gpg behavior (Closes: #831500) + * remove scdaemon.service; it will be managed by gpg-agent.service + * avoid bulleted items in debian/NEWS (thanks, Lintian!) + * debian/copyright: cleanup, fix URLs + * debian/control: use standard URL for Vcs-Browser + * fix spelling and grammar noticed by lintian + * avoid lintian notes about a misspelled "written" + * clean up gpgv2 Description + * break out arch-indep localization files into new gnupg-l10n package + + -- Daniel Kahn Gillmor Mon, 01 Aug 2016 17:54:59 -0400 + +gnupg2 (2.1.14-1) experimental; urgency=medium + + * New upstream release + + -- Daniel Kahn Gillmor Fri, 15 Jul 2016 01:39:25 +0200 + +gnupg2 (2.1.13-5) experimental; urgency=medium + + * dependency cleanup! + - make Recommends: strictly versioned between gnupg and {gpg-agent,dirmngr} + - make gnupg Provide: gpg and mention it in the package description + - drop mention of newpg, which has not been in debian for many releases + - gnupg2 2.0.18 predates debian wheezy, which is oldstable; drop mention + in debian/control + - drop Suggests: gnupg-doc, which does not appear to be maintained + - drop all references to gpg-idea, which has not been in debian for + several releases + - removed dependency on "dpkg (>= 1.15.4) | install-info", since that + dpkg version predates oldstable (wheezy) + + -- Daniel Kahn Gillmor Mon, 04 Jul 2016 10:13:42 -0400 + +gnupg2 (2.1.13-4) experimental; urgency=medium + + * add binutils-multiarch [!amd64 !i386] to Build-Depends-Indep: so that + we can generate win32 packages on non-x86 platforms. + + -- Daniel Kahn Gillmor Fri, 01 Jul 2016 11:30:28 -0400 + +gnupg2 (2.1.13-3) experimental; urgency=medium + + * pull bugfixes from upstream (Closes: #828109, #814584) + * should also allow for reproducible builds, with fix to + timestamps in tofu.test + * provide supervised dirmngr, gpg-agent, and scdaemon services from + systemd's user sessioniif the user wants to enable them. These + services should terminate at logout (Closes: #825911) + * avoid launching gpg-agent from Xsession.d since we have more robust + session management available (added NEWS entry about this change) + * gnupg-agent now Provides: gpg-agent to mitigate common confusion. + * updated dirmngr package description. + + -- Daniel Kahn Gillmor Tue, 28 Jun 2016 13:46:36 -0400 + +gnupg2 (2.1.13-2) experimental; urgency=medium + + * brown paper bag time: fix build-dep from libusb-1.0.0-dev to + libusb-1.0-0-dev + + -- Daniel Kahn Gillmor Fri, 17 Jun 2016 23:07:43 -0400 + +gnupg2 (2.1.13-1) experimental; urgency=medium + + * New upstream release + - new keyid-format "none", used by default (Closes: #826273) + * Build-depend on libusb-1.0.0-dev to ensure smartcards work (Thanks, + gniibe!) + + -- Daniel Kahn Gillmor Thu, 16 Jun 2016 18:30:36 -0400 + +gnupg2 (2.1.12-1) experimental; urgency=medium + + * New upstream release + + -- Daniel Kahn Gillmor Tue, 10 May 2016 20:58:06 -0400 + +gnupg2 (2.1.11-7+exp1) experimental; urgency=medium + + * switching over binary package names in experimental -- gnupg2 source + package now provides gnupg and gpgv + + -- Daniel Kahn Gillmor Mon, 18 Apr 2016 19:17:19 -0400 + +gnupg2 (2.1.11-7) unstable; urgency=medium + + * move to unstable + * re-enable test suites on mips and mipsel since #730846 is resolved + + -- Daniel Kahn Gillmor Mon, 18 Apr 2016 07:45:16 -0400 + +gnupg2 (2.1.11-6+exp4) experimental; urgency=medium + + * stop using help2man to fix cross-building + * ensure gpgv-win32 is properly stripped + * enable autopkgtest to run without root on systems that already have + wine32 installed + + -- Daniel Kahn Gillmor Fri, 01 Apr 2016 13:08:07 -0300 + +gnupg2 (2.1.11-6+exp3) experimental; urgency=medium + + * more cleanup on arch-dependent packages. + + -- Daniel Kahn Gillmor Wed, 30 Mar 2016 03:36:18 -0400 + +gnupg2 (2.1.11-6+exp2) experimental; urgency=medium + + * avoid build failures when building only arch-dependent or only + arch-independent packages. + + -- Daniel Kahn Gillmor Wed, 30 Mar 2016 02:59:18 -0400 + +gnupg2 (2.1.11-6+exp1) experimental; urgency=medium + + * take over gpgv-win32 from gnupg 1.4 packaging + + -- Daniel Kahn Gillmor Mon, 28 Mar 2016 23:27:43 -0400 + +gnupg2 (2.1.11-6) unstable; urgency=medium + + * avoid FTBFS with patch from upstream (Closes: #814842) + * bumped standards-version to 3.9.7 (no changes needed) + + -- Daniel Kahn Gillmor Tue, 01 Mar 2016 09:36:41 +0100 + +gnupg2 (2.1.11-5) unstable; urgency=medium + + * taking over gpgv-udeb from gnupg 1.4 packaging + * debian/control: use secure transport for Vcs-* and Homepage + + -- Daniel Kahn Gillmor Thu, 04 Feb 2016 17:17:47 -0500 + +gnupg2 (2.1.11-4) unstable; urgency=medium + + * disable gpgtar, since it is causing unpredictable testsuite failures + and we don't ship it anyway. + + -- Daniel Kahn Gillmor Wed, 03 Feb 2016 11:57:57 -0500 + +gnupg2 (2.1.11-3) unstable; urgency=medium + + * trying again to get a proper dump of the gpgtar.test.log. sigh. + + -- Daniel Kahn Gillmor Thu, 28 Jan 2016 08:34:22 -0500 + +gnupg2 (2.1.11-2) unstable; urgency=medium + + * added temporary hook to view failing gpgtar test output on build + daemons since i can't replicate the failures on my own build systems. + + -- Daniel Kahn Gillmor Thu, 28 Jan 2016 00:53:29 -0500 + +gnupg2 (2.1.11-1) unstable; urgency=medium + + * new upstream release + - drops buggy attempt to detect duplicate keys (Closes: #807819) + * removed -dbg package, since we have automatic -dbgsym packages now + * removed undocumented gpgkey2ssh; use gpg --export-ssh-key instead + + -- Daniel Kahn Gillmor Mon, 25 Jan 2016 15:29:25 -0500 + +gnupg2 (2.1.10-3) unstable; urgency=medium + + * avoid infinite loop when doing --gen-revoke by fingerprint + + -- Daniel Kahn Gillmor Sat, 12 Dec 2015 16:53:40 -0500 + +gnupg2 (2.1.10-2) unstable; urgency=medium + + * actually use sks-keyservers CA by default if the user asks for + hkps://hkps.pool.sks-keyservers.net + * move ownership of some files in /usr/share/gnupg2/ to more appropriate + owners like gpgsm and dirmngr. + + -- Daniel Kahn Gillmor Fri, 11 Dec 2015 17:06:10 -0500 + +gnupg2 (2.1.10-1) unstable; urgency=medium + + * new upstream release + * ship sks-keyservers.netCA.pem in dirmngr to make it easier to use hkps. + * avoid shipping Changelog-2011, use upstream ChangeLog (Closes: + #803225) + + -- Daniel Kahn Gillmor Wed, 09 Dec 2015 12:05:42 -0500 + +gnupg2 (2.1.9-1) unstable; urgency=medium + + * New upstream release + + -- Daniel Kahn Gillmor Tue, 13 Oct 2015 10:04:33 -0400 + +gnupg2 (2.1.8-2) UNRELEASED; urgency=medium + + [ NIIBE Yutaka ] + * update scdaemon dependencies + + [ Daniel Kahn Gillmor ] + * correct ssh fingerprint for ECDSA nistp384 (Closes: #795636) + + -- Daniel Kahn Gillmor Thu, 17 Sep 2015 00:00:28 -0400 + +gnupg2 (2.1.8-1) unstable; urgency=medium + + * New upstream release + + -- Daniel Kahn Gillmor Thu, 10 Sep 2015 17:00:06 -0400 + +gnupg2 (2.1.7-2) unstable; urgency=medium + + * upload to unstable + + -- Daniel Kahn Gillmor Tue, 11 Aug 2015 21:24:18 -0400 + +gnupg2 (2.1.7-1) experimental; urgency=medium + + * new upstream release + * block ptrace connections to gpg-agent + + -- Daniel Kahn Gillmor Tue, 11 Aug 2015 20:05:38 -0400 + +gnupg2 (2.1.6-1) experimental; urgency=medium + + * new upstream release + * drop deprecated gpgsm-gencert.sh + + -- Daniel Kahn Gillmor Tue, 07 Jul 2015 14:27:23 -0400 + +gnupg2 (2.1.5-2) experimental; urgency=medium + + [ Daniel Kahn Gillmor ] + * pass DBUS_SESSION_BUS_ADDRESS through to the agent so that + pinentry-gnome3 can work across sessions. + * ensure that l10n files are rebuilt. + + [ Eric Dorland ] + * debian/patches/0003-Include-defs.inc-in-BUILT_SOURCES.patch: Fix for + build failure when rebuilding info docs. + + -- Daniel Kahn Gillmor Tue, 30 Jun 2015 18:13:58 -0400 + +gnupg2 (2.1.5-1) experimental; urgency=medium + + * New upstream release + + -- Daniel Kahn Gillmor Thu, 11 Jun 2015 13:18:56 -0400 + +gnupg2 (2.1.4-2) experimental; urgency=medium + + * avoid excess dependencies on headless servers (Closes: #753163) + + -- Daniel Kahn Gillmor Wed, 03 Jun 2015 14:12:49 -0400 + +gnupg2 (2.1.4-1) experimental; urgency=medium + + * New upstream release. + + -- Daniel Kahn Gillmor Thu, 28 May 2015 00:25:55 -0400 + +gnupg2 (2.1.3-1) experimental; urgency=medium + + * New upstream version. + * Add gnupg2-dbg (Closes: #781631) + + -- Daniel Kahn Gillmor Wed, 01 Apr 2015 12:10:38 -0400 + +gnupg2 (2.1.2-2) experimental; urgency=medium + + * Fix segv due to NULL value stored as opaque MPI. + + -- Daniel Kahn Gillmor Sat, 21 Feb 2015 10:26:50 -0500 + +gnupg2 (2.1.2-1) experimental; urgency=medium + + * New upstream version + * move from automake1.11 to plain automake (upstream uses 1.14 now) + + -- Daniel Kahn Gillmor Thu, 12 Feb 2015 20:10:43 -0500 + +gnupg2 (2.1.1-1) experimental; urgency=medium + + * New upstream version (closes: #772654) + * gnupg2 now Breaks: older versions of dirmngr (closes: #769460) + + -- Daniel Kahn Gillmor Tue, 16 Dec 2014 14:58:06 -0500 + +gnupg2 (2.1.0-1) experimental; urgency=medium + + * import upstream 2.1.0 release. + * drop debian/patches/speed-up-test-suite.patch -- included upstream. + * avoid self-reporting as a beta now that this is a release + + -- Daniel Kahn Gillmor Thu, 06 Nov 2014 12:31:06 -0500 + +gnupg2 (2.1.0~beta895-3) experimental; urgency=medium + + * update gnupg-agent.xsession to export ssh-agent where + configured. (Closes: #767341) + * use cheap/fast entropy for the test suite so that builds on + low-entropy machines go faster. + + -- Daniel Kahn Gillmor Thu, 30 Oct 2014 13:37:08 -0400 + +gnupg2 (2.1.0~beta895-2) experimental; urgency=medium + + * added pkg-config to Build-Depends. + + -- Daniel Kahn Gillmor Wed, 29 Oct 2014 18:36:27 -0400 + +gnupg2 (2.1.0~beta895-1) experimental; urgency=medium + + * new upstream version in experimental (Closes: #762844, #751266, #762844) + * ship /usr/bin/gpgparsemail (Closes: #760575) + * document that doc/OpenPGP is not actually an RFC, but just refers to + one (closes: #745410) + * Bump Standards-Version to 3.9.6 (no changes needed) + * --enable-large-secmem to ensure that gpg2 works with pre-generated + oversized RSA keys + * updated /etc/X11/Xsession.d/90gpg-agent to export $GPG_AGENT_INFO + about the standard socket. + + -- Daniel Kahn Gillmor Wed, 29 Oct 2014 17:53:06 -0400 + +gnupg2 (2.0.28-3) unstable; urgency=medium + + * pass DBUS_SESION_BUS_ADDRESS to the agent for gnome3. + + -- Daniel Kahn Gillmor Sat, 04 Jul 2015 14:21:41 -0400 + +gnupg2 (2.0.28-2) unstable; urgency=medium + + * d/clean: drop stamp-po to rebuild l10n (Closes: #788989) + + -- Daniel Kahn Gillmor Tue, 30 Jun 2015 17:17:11 -0400 + +gnupg2 (2.0.28-1) unstable; urgency=medium + + * new upstream release + * really address excess dependencies on headless server (thanks Raphaël + Halimi for noticing) (Closes: #753163) + + -- Daniel Kahn Gillmor Tue, 02 Jun 2015 12:16:57 -0400 + +gnupg2 (2.0.27-2) unstable; urgency=medium + + * import upstream fix to avoid replicating unknown subkey + packets. (Closes: #787045) (Thanks, NIIBE Yutaka) + + -- Daniel Kahn Gillmor Thu, 28 May 2015 00:55:51 -0400 + +gnupg2 (2.0.27-1) unstable; urgency=medium + + * New upstream release. + * Provide a simple way for users to avoid gpg-agent hijacking, + working around: #760102 (Closes: #753163) + + -- Daniel Kahn Gillmor Fri, 08 May 2015 18:15:15 -0400 + +gnupg2 (2.0.26-6) unstable; urgency=medium + + * Avoid NULL dereference with opaque MPI. + + -- Daniel Kahn Gillmor Sat, 21 Feb 2015 18:01:40 -0500 + +gnupg2 (2.0.26-5) unstable; urgency=medium + + * import bug-fixes from upstream + (Closes: #773415, #773469, #773471, #773472, #773423) + * Fixes CVE-2015-1606 "Use after free, resulting from failure to skip + invalid packets", CVE-2015-1607 "memcpy with overlapping ranges, + resulting from incorrect bitwise left shifts" (Closes: #778577) + + -- Daniel Kahn Gillmor Mon, 16 Feb 2015 17:45:06 -0500 + +gnupg2 (2.0.26-4) unstable; urgency=medium + + [ David Prévot ] + * Update POT and PO files, and ensure the translations get rebuild + * Update French translation (Closes: #769574) + * Update Ukrainian translation, thanks to Yuri Chornoivan + * Update German translation, thanks to Werner Koch + * Update Danish translation, thanks to Joe Hansen + * Update Japanese translation, thanks to NIIBE Yutaka + * Update Chinese (traditional) translation, thanks to Jedi Lin + * Update Russian translation, thanks to Ineiev + * Update Polish translation, thanks to Jakub Bogusz + * Update Spanish translation, thanks to Manuel "Venturi" Porras Peralta + (Closes: #770727) + * New Dutch translation, thanks to Frans Spiesschaert (Closes: #770981) + + [ Daniel Kahn Gillmor ] + * bugfix and cryptographic safety changes imported from upstream: + - Avoid regression when adding subkeys with strong s2k algorithms + (Closes: #772780) Thanks, NIIBE Yutaka + - Allow french translation to work when prompting for passphrase. + - add build and runtime support for larger RSA keys (Closes: #739424) + - fix runtime errors on bad input (Closes: #771987) + - deprecate insecure one-argument variant for gpg --verify of detached + signatures (Closes: #771992) + - initialize trustdb before trying to clear it (Closes: #735363) + - default to issuing SHA256 signatures for RSA + - avoid relying on MD5 signatures + - show v3 key fingerprints as all zero (OpenPGPv3 is deprecated) + + -- Daniel Kahn Gillmor Sun, 04 Jan 2015 17:17:00 -0500 + +gnupg2 (2.0.26-3) unstable; urgency=medium + + * fix typo in gpg.info (closes: #760273) + * drop versioned Build-Conflicts on automake by setting environment + variables in debian/rules + * ship /usr/bin/gpgparsemail (closes: #760575) + * warn but don't fail when scdaemon options are in ~/.gnupg/gpg.conf + (closes: #762844) + * do not break on --trust-model=always (closes: #751266) + * document that doc/OpenPGP is not actually an RFC, but just refers to + one (closes: #745410) + * Bump Standards-Version to 3.9.6 (no changes needed) + + -- Daniel Kahn Gillmor Tue, 30 Sep 2014 23:39:15 -0400 + +gnupg2 (2.0.26-2) unstable; urgency=medium + + * ignore emacs turds in debian/ + * update Vcs fields + * move package to group maintenance + * wrap-and-sort cleanup of debian/* + + -- Daniel Kahn Gillmor Thu, 28 Aug 2014 11:42:18 -0700 + +gnupg2 (2.0.26-1) unstable; urgency=medium + + * New upstream release. + * debian/control: Suggest parcimonie. Thanks ilf. (Closes: #752261) + + -- Eric Dorland Tue, 19 Aug 2014 18:09:08 -0400 + +gnupg2 (2.0.25-2) unstable; urgency=medium + + * debian/control: Switch to libgcrypt20-dev (aka 1.6 release). + + -- Eric Dorland Fri, 08 Aug 2014 14:12:05 -0400 + +gnupg2 (2.0.25-1) unstable; urgency=medium + + * New upstream release. + + -- Eric Dorland Mon, 30 Jun 2014 13:10:04 -0400 + +gnupg2 (2.0.24-1) unstable; urgency=high + + * New upstream release. Fixes CVE-2014-4617 "infinite loop when + decompressing data packets". (Closes: #752498) + * debian/patches/02-gpgv2-dont-link-libassuan.diff: Drop, now + upstreamed. + + -- Eric Dorland Wed, 25 Jun 2014 00:11:19 -0400 + +gnupg2 (2.0.23-1) unstable; urgency=medium + + * New upstream release. + * debian/upstream/signing-key.asc: Rename upstream-signing-key.pgp to + the new, supported name. + * debian/control: Restore versioned conflict against gpg-idea. (Closes: + #733984) + * debian/control: Add Recommends on dirmngr for gpgsm. (Closes: #683579) + + -- Eric Dorland Sun, 08 Jun 2014 19:20:17 -0400 + +gnupg2 (2.0.22-3) unstable; urgency=low + + * debian/watch, debian/upstream-signing-key.pgp: Add upstream signing + key for uscan verification. + * debian/kbxutil.1, debian/rules: Add better description and regenerate + the manpage. + * debian/control: Remove version on gpg-idea conflict, add missing + Breaks for gpgsm and convert Conflicts to Breaks for gpgv2. + * debian/control: Move gnupg-agent to Depends for gpgsm instead of + Replaces (which in turn should have been Recommends). + * debian/control: Standards-Version to 3.9.5. + * debian/copyright: Switch to a shiny DEP-5 copyright file. + + -- Eric Dorland Wed, 01 Jan 2014 22:56:56 -0500 + +gnupg2 (2.0.22-2) unstable; urgency=low + + * debian/control: Fix Build-Conflicts on newer automakes. Thanks Chris + Boot. (Closes: #726015) + * debian/control: IDEA is no longer patented, drop its metion from the + description. Thanks brian m. carlson. (Closes: #726139) + * debian/rules: Disable the test suite on mips and mipsel to work around + Bug:#730846. + + -- Eric Dorland Sat, 30 Nov 2013 23:47:56 -0500 + +gnupg2 (2.0.22-1) unstable; urgency=low + + * New upstream version. Fixes CVE-2013-4402 and CVE-2013-4351. (Closes: + #725433, #722724) + * debian/gnupg2.install: Install gnupg-card-architecture.png for the + info file. + + -- Eric Dorland Sat, 05 Oct 2013 17:45:28 -0400 + +gnupg2 (2.0.21-2) unstable; urgency=low + + * debian/rules, debian/gnupg2.install: Switch libexecdir to + /usr/lib/gnupg2 to install helper binaries to a non-multiarch specific + location. (Closes: #717303) + * debian/control, debian/gpgv2.install: Split out gpgv2 into its own + package. + * debian/control, debian/gnupg2.install, debian/kbxutil.1: Add rule and + manpage for kbxutil using help2man. (Closes: #323494) + * debian/patches/02-gpgv2-dont-link-libassuan.diff: Don't link gpgv2 + against libassuan as it's not used. + * debian/rules: Install changelog for gpgv2. + + -- Eric Dorland Sun, 01 Sep 2013 00:42:16 -0400 + +gnupg2 (2.0.21-1) unstable; urgency=low + + * New upstream release. (Closes: #613465, #720369) + * debian/patches/01-gnupg2-rename.diff: Refresh patch. + * debian/control: Fix Vcs-Git path. + * debian/control: Now depends on libgpg-error >= 1.11. + * debian/control: Build-Depends on automake1.11 since the test suite + fails on newer versions. (Closes: #713287) + * debian/control: Also need a Build-Conflicts on automake (<= 1.12). + + -- Eric Dorland Sat, 24 Aug 2013 20:33:19 -0400 + +gnupg2 (2.0.20-1) unstable; urgency=low + + * New upstream release. (Closes: #691237, #583893) + * debian/patches/02-cve-2012-6085.diff: Remove, merged upstream. + * debian/control: Upgrade Standards-Version to 3.9.4. + * debian/compat, debian/control: Upgrade to debhelper v9. + * debian/control, debian/rules: Drop hardening-wrapper, now that we use + debhelper v9. + * debian/scdaemon.install: scdaemon has moved under $libexecdir. + * debian/control: Tighten dependency on scdaemon. + * debian/rules: Turn on all hardening options. + * debian/patches/01-gnupg2-rename.diff: Refresh patch. + * debian/gnupg-agent.install, debian/gnupg2.install, + debian/scdaemon.install: Fix /usr/lib paths for multi-arch. + * debian/rules: Pass ${pkglibdir} to --libexecdir since dh v9 passes + ${libdir} by default. + + -- Eric Dorland Sat, 11 May 2013 18:28:57 -0400 + +gnupg2 (2.0.19-2) unstable; urgency=high + + * debian/patches/02-cve-2012-6085.diff: Patch from upstream to fix + CVE-2012-6085, "gnupg key import memory corruption". (Closes: #697251) + * debian/control: Use canonical addresses for VCS. + * debian/control: Fix scdaemon short description. + + -- Eric Dorland Fri, 04 Jan 2013 00:56:52 -0500 + +gnupg2 (2.0.19-1) unstable; urgency=low + + * New upstream release. (Closes: #666092) + * debian/control: Add Multi-Arch: foreign to all packages. + * debian/rules: Update ChangeLog locations. + + -- Eric Dorland Sat, 31 Mar 2012 01:06:02 -0400 + +gnupg2 (2.0.18-2) unstable; urgency=low + + * debian/control, debian/gpgsm.install, debian/scdaemon.install: Add a + separate package for the scdaemon. (Closes: #416129) + * debian/control, debian/gpgsm.install, debian/gnupg2.install, + gnupg-agent.install: Move gpg-preset-passphrase and gpg-protect-tool + into the gnupg-agent. + * debian/control: Upgrade Standards-Version to 3.9.2. + * debian/rules: Install ChangeLog for new scdaemon package. + + -- Eric Dorland Sat, 15 Oct 2011 20:21:35 -0400 + +gnupg2 (2.0.18-1) unstable; urgency=low + + * New upstream release. (Closes: #635206) + * debian/copyright: Update ftp location. (Closes: #624404) + * debian/patches/01-gnupg2-rename.diff: Refresh patch. + + -- Eric Dorland Tue, 30 Aug 2011 03:43:20 -0400 + +gnupg2 (2.0.17-3) unstable; urgency=low + + * debian/rules: Convert the rules file to use the lovely dh format. + * debian/gnupg2.dirs, debian/gnupg-agent.dirs, debian/gpgsm.dirs: Remove + unless dirs files. + * debian/gnupg-agent.lintian-overrides, debian/gnupg2.lintian-overrides, + debian/gpgsm.lintian-overrides: Remove unneeded lintian-overrides files. + + -- Eric Dorland Mon, 14 Feb 2011 03:17:39 -0500 + +gnupg2 (2.0.17-2) unstable; urgency=low + + * debian/control: Add dependency on dpkg (>= 1.15.4) | install-info for + info install trigger. + * debian/control, debian/rules: Use debian build hardening. + + -- Eric Dorland Sun, 13 Feb 2011 16:33:17 -0500 + +gnupg2 (2.0.17-1) unstable; urgency=low + + * New upstream release. (Closes: #584316, #603985, #603983, #603984) + * debian/patches/02-encode-s2k.diff, + debian/patches/03-gpgsm-realloc.diff, debian/patches/series: Drop now + unneeded security patches. + * debian/rules, debian/patches/01-gnupg2-rename.diff, + debian/gnupg2.info, debian/gnupg2.install: No need to rename the info + file anymore. + * debian/patches/01-gnupg2-rename.diff: Rename the autoconf package for + better renaming of pkg directories. (Closes: #579006) + * debian/control, debian/compat: Upgrade to debhelper level 8. + * debian/control: + - Upgrade Standards-Version to 3.9.1. + - Update Build-Depends versions for the latest release. + * debian/gnupg2.install: Add the applygnupgdefaults command. (Closes: + #567537) + * debian/gnupg2.docs: doc/faq.html no longer exists. + + -- Eric Dorland Sun, 13 Feb 2011 16:06:41 -0500 + +gnupg2 (2.0.14-2) unstable; urgency=low + + * debian/*.lintian, debian/*.lintian-overrides, debian/rules: Rename + lintian files and use dh_lintian instead of shell snippets. + * debian/source/patch-header, debian/source/options: Delete patch header + and remove single-debian-patch option. + * debian/patches/01-gnupg2-rename.diff: Move patch to do the necessary + renaming of gnupg -> gnupg2 in a quilt patch. + * debian/patches/02-encode-s2k.diff: Added patch to fix passphrase + problem in gpgsm. Thanks Martijn van Brummelen for the NMU to fix this + problem in 2.0.14-1.1. + * debian/patches/03-gpgsm-realloc.diff: Fix for "Realloc Bug with X.509 + certificates" for gpgsm. (Closes: #590122) + * debian/rules, debian/control: Use dh-autoreconf and autopoint to + regenerate autotools files at build time. + + -- Eric Dorland Sun, 25 Jul 2010 02:16:42 -0400 + +gnupg2 (2.0.14-1) unstable; urgency=low + + * New upstream release. + * debian/control: Build depend on libreadline-dev instead of + libreadline5-dev, since libreadline6-dev is out. (Closes: #548922) + * debian/source/format, debian/source/options, + debian/source/patch-header: Convert to v3 quilt format, with + single-debian-patch. + * debian/control: Tighten dependency on gnupg-agent. (Closes: #551792) + + -- Eric Dorland Sat, 09 Jan 2010 21:15:18 -0500 + +gnupg2 (2.0.13-1) unstable; urgency=low + + * New upstream release. + * debian/control: Depend instead of Recommend gnupg-agent. (Closes: + #538947) + + -- Eric Dorland Mon, 07 Sep 2009 20:38:23 -0400 + +gnupg2 (2.0.12-1) unstable; urgency=low + + * New upstream release. (Closes: #499569, #463270, #446494, #314068, + #519375, #514587) + * debian/control: Change build dependency on gs to ghoscript, since + ghoscript has been replaced. + * debian/compat: Use debhelper v7. + * debian/control: Update Standards-Version to 3.8.2. + * debian/control: Use ${misc:Depends}. + * configure.ac: Override pkgdatadir so that it points to + /usr/share/gnupg2. (Closes: #528734) + * debian/rules: No longer need to specify pkgdatadir at make install + time. + + -- Eric Dorland Sun, 23 Aug 2009 20:48:11 -0400 + +gnupg2 (2.0.11-1) unstable; urgency=low + + * New upstream release. (Closes: #496663) + * debian/control: Make the description a little more distinctive than + gnupg v1's. Thanks Jari Aalto. (Closes: #496323) + + -- Eric Dorland Sun, 08 Mar 2009 22:46:47 -0400 + +gnupg2 (2.0.9-3) unstable; urgency=medium + + * Urgency medium to try to beat the release. + * tools/gpgkey2ssh.c: Patch from Daniel Kahn Gillmor to fix broken ssh + key generation. (Closes: #473841) + + -- Eric Dorland Mon, 21 Jul 2008 03:48:11 -0400 + +gnupg2 (2.0.9-2) unstable; urgency=low + + * The "I've neglected you too long" release. + + * debian/control: + - Add recommends on gnupg-agent for gpgsm and gnupg2, since they need + it under most circumstances. (Closes: #459462, #477691) + - Depend on pinentry instead of recommend, and move pinentry-gtk2 to the + front of the alternatives list. (Closes: #462951) + * keyserver/gpgkeys_curl.c, keyserver/gpgkeys_hkp.c: Fix FTBFS with gcc + 4.3 strictness on bitfields combined with curl. (Closes: #476999) + + -- Eric Dorland Mon, 28 Apr 2008 03:22:20 -0400 + +gnupg2 (2.0.9-1) unstable; urgency=low + + * New upstream release. Fixes CVE-2008-1530, Key import memory corruption. + (Closes: #472928) + * debian/rules: Don't ignore status of make distclean, just check for + the existance of the Makefile. + + -- Eric Dorland Sat, 29 Mar 2008 03:21:21 -0400 + +gnupg2 (2.0.8-1) unstable; urgency=low + + * New upstream release. (Closes: #428635) + * debian/watch: Use passive ftp, ftp.gnupg.org doesn't seem happy + otherwise. (Closes: #456467) + * debian/control: + - Requires libassuan >= 1.0.4 now. + - Remove the XS- prefix from the Vcs-* headers. + - Add Homepage header. + - Upgrade Standards-Version to 3.7.3.0. + - Make gnupg2 optional rather than extra. + - Remove unnecessary conflict on suidmanager. + + -- Eric Dorland Sat, 22 Dec 2007 02:06:42 -0500 + +gnupg2 (2.0.7-1) unstable; urgency=low + + * New upstream release. + * debian/rules: + - Remove unnecessary deletion of the .gmo files. (Closes: #442583) + - Clean out some old comments + * gnupg-agent.xsession: Remove the quotes around --write-env-file + argument. Not ideal, but fine for now. Thanks Luis Rodrigo Gallardo + Cruz. (Closes: #443580) + + -- Eric Dorland Sun, 30 Sep 2007 02:50:40 -0400 + +gnupg2 (2.0.6-1) unstable; urgency=low + + * New upstream release. (Closes: #437289) + * debian/gnupg-agent.xsession: Run the Xsession under the gpg-agent, so + it exits properly when the session dies. (Closes: #401843) + * debian/control: Add XS-Vcs headers for its new git home. + + -- Eric Dorland Mon, 03 Sep 2007 23:29:11 -0400 + +gnupg2 (2.0.5-2) unstable; urgency=low + + * The "Ubuntu, I would have done it had you only asked" release. + + * debian/copyright: Fix download location. Thanks Ubuntu. + * debian/README.Debian: Remove, doesn't contain any relevant info. + * debian/rules: + - Build with --sysconfdir=/etc, thanks Bernhard Herzog. (Closes: #434790) + - Run dh_installexamples. + - Don't list the docs to install in here. + * debian/gnupg2.examples: New file, install gpgconf.conf as an example + into /usr/share/doc. Hope this is a good compromise Bernhard. (Closes: + #434878) + * debian/control: + - Remove opensc and pcsc-lite build dependencies, they're not used anymore. + - Add libcurl4-gnutls-dev build dep, to use the real curl. + * g10/call-agent.c: set DBG_ASSUAN to 0 to suppress a debug + message. Thanks Ubuntu. + * debian/gnupg2.docs, debian/gpgsm.docs: Move installed docs in here, + add some new docs. Thanks Ubuntu. + * debian/rules, debian/gnupg-agent.install: Build symcryptrun and install it + in the gnupg-agent package. Thanks Bernhard Herzog. (Closes: #434787) + * debian/rules, debian/control: Only recommend libldap, don't depend on + it.Thanks Riku. (Closes: #435138) + + -- Eric Dorland Thu, 16 Aug 2007 22:24:16 -0400 + +gnupg2 (2.0.5-1) unstable; urgency=low + + * New upstream release. + * debian/watch: Add watch file. + * debian/control: + - Require libassuan 1.0.2 or greater. + - Require libksba 1.0.2 or greater. + - Don't recommend plain gpg anymore. + * debian/copyright: Update copyright text for GPL v3 relicensing. + * docs/scdaemon.texi: Remove old --print-atr documentation. Thanks + Ludovic Rousseau. (Closes: #404128) + + -- Eric Dorland Sun, 22 Jul 2007 16:03:32 -0400 + +gnupg2 (2.0.4-1) unstable; urgency=low + + * New upstream release. + + -- Eric Dorland Fri, 11 May 2007 00:41:01 -0400 + +gnupg2 (2.0.3-1) unstable; urgency=high + + * New upstream release. + - Fixes multoiple messages problem aka CVE-2007-1263. + + -- Eric Dorland Fri, 9 Mar 2007 03:28:53 -0500 + +gnupg2 (2.0.2-1) unstable; urgency=high + + * New upstream release. (Closes: #409559) + * Thanks Andreas Barth for NMUs. (Closes: #400777, #401895, #401913) + * debian/gpgsm.install: pcsc-wrapper renamed to gnupg-pcsc-wrapper. + + -- Eric Dorland Mon, 19 Feb 2007 20:34:52 -0500 + +gnupg2 (2.0.0-5) unstable; urgency=high + + * debian/control: Remove unnecessary dependencies on makedev and + udev. Thanks Marco d'Itri. + * doc/gnupg.texi, debian/gnupg2.info, debian/rules: Set the output file + to gnupg2.info, and use that for the index. (Closes: #398493) + + -- Eric Dorland Fri, 24 Nov 2006 02:23:35 -0500 + +gnupg2 (2.0.0-4) unstable; urgency=medium + + * debian/control: Update forgotten replaces for pcsc-wrapper move. + + -- Eric Dorland Mon, 20 Nov 2006 23:02:25 -0500 + +gnupg2 (2.0.0-3) unstable; urgency=medium + + * debian/control: Remove warning about development, thanks Gonzalo + HIGUERA DIAZ. (Closes: #399551) + + -- Eric Dorland Mon, 20 Nov 2006 14:32:33 -0500 + +gnupg2 (2.0.0-2) unstable; urgency=medium + + * All packaging fixes, so urgency medium to beat the freeze. + * debian/distfiles, debian/lintian.override, debian/point-to-info.1: + Remove unused files. + * debian/gnupg2.info, debian/rules, gnupg2.files: Install all the info + files properly. (Closes: #398493) + * debian/rules: + - Remove some unnecessary autotools build rules. + - Move some of make install targets more correctly to the + configure line. + * debian/*.files, debian/rules: Rename *.files to .install and use + dh_install nstead of dh_movefiles. + * debian/gnupg-agent.xsession: Account for spaces in the configuration + file, thanks Artem Zolochevskiy. (Closes: #352326) + * debian/control: + - Adjust build-dependency versions slightly to match what the + configure scipt requires. + - Update Standards-Version to 3.7.2.2. + * debian/gpgsm.install, debian/gnupg2.install: Install the pcsc-wrapper + in gpgsm. (Closes: #353232) + * debian/gpgsm.install, debian/rules: Install gpg-protect-tool into + /usr/libb/gnupg2. + + -- Eric Dorland Sun, 19 Nov 2006 18:03:39 -0500 + +gnupg2 (2.0.0-1) unstable; urgency=medium + + * New upstream release. (Closes: #398215) + * common/estream.c: #define PTH_SYSCALL_SOFT 0 as suggested by Daniel Hess. + + -- Eric Dorland Sun, 12 Nov 2006 23:52:59 -0500 + +gnupg2 (1.9.94-1) unstable; urgency=low + + * New upstream release. + + -- Eric Dorland Thu, 2 Nov 2006 16:06:30 -0500 + +gnupg2 (1.9.93-1) unstable; urgency=medium + + * New upstream release. Urgency medium to try to beat the freeze. Thanks + to Andreas Metzler for getting this package into shape. + + -- Eric Dorland Wed, 25 Oct 2006 00:41:15 -0400 + +gnupg2 (1.9.91-0.1) unstable; urgency=low + + * New upstream version, built against clean upstream tarball. + (Closes: #378489,#388257) + * bump Build-Depends: + - libgpg-error-dev 0.6 -> 1.4 + - libassuan-dev 0.6.10 -> 0.9.1 + - libksba-dev 0.9.13 -> 1.0.0 (closes: #368552) + * Add libreadline5-dev to Build-Depends. + * Pass proper --build and --host args to ./configure. + * configure with --mandir='$${prefix}/share/man'. + * Add $(LIBINTL) to gpgsplit_LDADD in tools/Makefile.am. + * New upstream includes a lot more manpages, ship them. + (Closes: #300129,#300677) + gpg-agent(1) documents ~/gpg-agent.conf. (Closes: #300676) + * Update debian/copyright. + * Drop gnupg2.postinst gnupg2.postrm postinst postrm. They all only consited + of calls to suidregister for /usr/bin/gpg" or "chmod 4755 /usr/bin/gpg". + suidregister has been obsolete for a long time and /usr/bin/gpg is not + part of these packages. - If /usr/bin/gpg(v)2 was supposed to be installed + suid it should be shipped with these permissions in the deb instead + using chmod in postinst anyway. + * Drop preinst (ending up as gnupg-agent's preinst), which only showed + a warning on upgrades from <<0.3.2-1. - There never was a gnupg-agent + 0.3.2-1. + * Add (noop) binary-indep target as required by policy 4.9. + + -- Andreas Metzler Sun, 8 Oct 2006 07:51:44 +0000 + +gnupg2 (1.9.20-2) unstable; urgency=high + + * debian/control: Make myself the maintainer with Matthias' permission. + * Acknowledge NMU. (Closes: #375053, #376755) + * g10/parse-packet.c: Patch from Martin Schulze to backport security fix + for CVE-2006-3746, crash when receiving overly long comments. + + -- Eric Dorland Fri, 4 Aug 2006 18:11:43 -0400 + +gnupg2 (1.9.20-1.1) unstable; urgency=high + + * Non-maintainer upload. + * Adapt patch from upstream CVS, fixing buffer overflow leading to remote + DoS/crash (CVE-2006-3082). (Closes: #375053) + + -- Steinar H. Gunderson Tue, 4 Jul 2006 20:37:43 +0200 + +gnupg2 (1.9.20-1) unstable; urgency=low + + * New Upstream version. Closes:#306890,#344530 + * Closes:#320490: gpg-protect-tool fails to decrypt PKCS-12 files + * Depend on libopensc2-dev, not -1-. Closes:#348106 + + -- Matthias Urlichs Tue, 24 Jan 2006 04:31:42 +0100 + +gnupg2 (1.9.19-2) unstable; urgency=low + + * Convert debian/changelog to UTF-8. + * Put gnupg-agent and gpgsm lintian overrides in the respectively + right package. Closes: #335066 + * Added debhelper tokens to maintainer scripts. + * xsession fixes: + o Added host name to gpg-agent PID file name. Closes: #312717 + o Fixed xsession script to be able to run under zsh. Closes: #308516 + o Don't run gpg-agent if one is already running. Closes: #336480 + * debian/control: + o Fixed package description of gpgsm package. Closes: #299842 + o Added mention of gpg-agent to description of gnupg-agent package. + Closes: #304355 + * Thanks to Peter Eisentraut for all of the above. + + -- Matthias Urlichs Thu, 8 Dec 2005 22:13:21 +0100 + +gnupg2 (1.9.19-1) unstable; urgency=low + + * Merged with 1.9.19. + * Re-enable gpgv2 package. + + -- Matthias Urlichs Sat, 22 Oct 2005 14:33:33 +0200 + +gnupg2 (1.9.17-1) unstable; urgency=low + + * Merged with Upstream 1.9.17. + + -- Matthias Urlichs Mon, 4 Jul 2005 01:56:43 +0200 + +gnupg2 (1.9.15-6) unstable; urgency=high + + * Move gpg-protect-tool to the gpgsm package. + Closes: #303492. + High urgency because this renders gpgsm unuseable for some people. + * gpg-agent: Override max-cache-ttl if a higher default is set. + Closes: #302692. + + -- Matthias Urlichs Thu, 7 Apr 2005 10:13:19 +0200 + +gnupg2 (1.9.15-5) unstable; urgency=low + + * Add /etc/X11/Xsession.d/90gpg-agent script. Closes: #300128. + * Emphasize that gnupg2 is NOT useful at the moment. + * Conflict+replace gpg-agent with newpg. + + -- Matthias Urlichs Thu, 10 Mar 2005 22:46:10 +0100 + +gnupg2 (1.9.15-4) unstable; urgency=low + + * Incorporated Ubuntu changes from Andreas Mueller. + + -- Matthias Urlichs Thu, 10 Mar 2005 21:41:59 +0100 + +gnupg2 (1.9.15-3ubuntu3) hoary; urgency=low + + * removed info file + + -- Andreas Mueller Tue, 8 Mar 2005 01:58:39 +0100 + +gnupg2 (1.9.15-3ubuntu2) hoary; urgency=low + + * changed rules file, part cp gnupg.info to mv + and added dh_installinfo. + * changed Standards Version to 3.6.1 + + -- Andreas Mueller Tue, 8 Mar 2005 00:53:31 +0100 + +gnupg2 (1.9.15-3ubuntu1) hoary; urgency=low + + * added missing build depends texinfo + + -- Andreas Mueller Mon, 7 Mar 2005 22:47:56 +0100 + +gnupg2 (1.9.15-2) hoary; urgency=low + + * Initial checkin + + -- Andreas Mueller Mon, 7 Mar 2005 21:13:32 +0100 + +gnupg2 (1.9.15-1) experimental; urgency=low + + * New Upstream release. + * Removed -doc package: + - The package itself is too smal to merit being packaged separately. + - Interim solution: Documentation is included in the gnupg2 package. + - Goal: ask Upstream to split the .info file. + * Removed suidness. + * Update debian/copyright. + * Require libassuan >= 0.6.9. + + -- Matthias Urlichs Tue, 25 Jan 2005 08:19:15 +0100 + +gnupg2 (1.9.11+cvs20040924-5) experimental; urgency=low + + * Rebuild to depend on opensc1. + * Split -doc into its own package. + + -- Matthias Urlichs Thu, 16 Dec 2004 10:30:44 +0100 + +gnupg2 (1.9.11+cvs20040924-4) experimental; urgency=low + + * Turn on setuid-ness. + - Added Lintian overrides. + * Install all "standard" message files. + - Makefile.in: The package name for gettext is in the macro PACKAGE_GT, + not PACKAGE. + * Fix shebang line of addgnupghome script. + * Install info file in the correct place. + * Build cleanups. + + -- Matthias Urlichs Tue, 5 Oct 2004 10:59:56 +0200 + +gnupg2 (1.9.11+cvs20040924-3) experimental; urgency=low + + * rename gnupg-agent's changelog file + * Fix gnupg-agent's dependencies + + -- Matthias Urlichs Sun, 3 Oct 2004 20:14:30 +0200 + +gnupg2 (1.9.11+cvs20040924-2) experimental; urgency=low + + * Shipped a /usr/share/locale.alias file. Ouch. + * Split off gpgsm. + + -- Matthias Urlichs Wed, 29 Sep 2004 10:25:51 +0200 + +gnupg2 (1.9.11+cvs20040924-1) experimental; urgency=low + + * New Upstream. + + -- Matthias Urlichs Sat, 25 Sep 2004 11:05:44 +0200 + +gnupg2 (1.9.10+cvs-1) experimental; urgency=low + + * Packaged latest Upstream version. + * Split gpg-agent into its own .deb. + * Bit the bullet and started using debhelper. + + -- Matthias Urlichs Thu, 19 Aug 2004 11:43:34 +0200 + +gnupg2 (1.9.9-1) experimental; urgency=low + + * Packaged latest Upstream version. + + -- Matthias Urlichs Mon, 14 Jun 2004 17:18:18 +0200 + +gnupg2 (1.9.5-1) experimental; urgency=low + + * Packaged Upstream development version. + Closes:#187548 + + -- Matthias Urlichs Mon, 8 Mar 2004 05:30:35 +0100 + +gnupg (1.2.4-4) unstable; urgency=low + + * 12_zero_length_header.dpatch: update patch from David Shaw + to fix the fix of crashing on certain + keys. Closes: #234289 + + -- James Troup Mon, 23 Feb 2004 18:02:20 +0000 + +gnupg (1.2.4-3) unstable; urgency=low + + * Move to dpatch; existing non-debian/ change split into + 10_hppa_unaligned_constant.dpatch. + + * debian/rules: include /usr/share/dpatch/dpatch.make. + * debian/rules (build): depend on patch-stamp. + * debian/rules (clean): depend on unpatch. Remove debian/patched. + * debian/control (Build-Depends): add dpatch. + + * debian/rules: update version number and use install_foo convenience + variables. + * debian/rules (clean): remove emacs backup files from any directory. + + * 11_fi_po_update.dpatch: new patch from Tommi Vainikainen + to update Finnish translation as the current one + renders gnupg unusable. Closes: #232030, #222951, #192582 + * debian/rules (clean): remove po/fi.gmo to avoid dpkg-source errors + over unrepresentable changes to source. + + * 12_zero_length_header.dpatch: new patch from David Shaw + to fix cases where importing certain keys + makes the keyring unuseable. Closes: #232714 + + * 13_revoked_keys.dpatch: new patch from David Shaw + to list revoked keys as revoked. Closes: #231814 + + * 14_getkey_not_found_fix.dpatch: new patch from David Shaw + to fix --list-sigs incorrectly claiming "User + id not found". Closes: #229549 + + -- James Troup Fri, 20 Feb 2004 16:38:12 +0000 + +gnupg (1.2.4-2) unstable; urgency=low + + * mpi/hppa1.1/udiv-qrnnd.S: patch from LaMont Jones + to fix unaligned constant. Closes: #228456 + * debian/copyright: update year and version number. + + -- James Troup Tue, 20 Jan 2004 17:19:58 +0000 + +gnupg (1.2.4-1) unstable; urgency=medium + + * New upstream release. + * Most support for ElGamal Sign+Encrypt keys has been removed. Closes: #222293 + * No longer miss-identifies GNU/KFreeBSD as GNU/Hurd. Closes: #216957 + * Fixes build error on GNU/KFreeBSD (and Glibc-based GNU/KNetBSD). Closes: #221079 + * Fixes segmentation fault in prime generator. Closes: #213989 + * Fixes trustdb not updating without ultimately trusted keys. Closes: #222368 + + * debian/control (Build-Depends): add libbz2-dev. + + -- James Troup Wed, 31 Dec 2003 17:57:52 +0000 + +gnupg (1.2.3-1) unstable; urgency=low + + * New upstream release (Closes: #207340). + * gpg no longer kills keyrings by importing broken keys. Closes: #196505 + * options.skel uses subkeys.pgp.net instead of pgp.mit.edu. Closes: #206092 + * --import now closes files when it's done. Closes: #196643 + * A key listing speed regression has been fixed. Closes: #192083 + * debian/copyright: update URL and date. + * debian/rules: update dates and version. + + * debian/control (Standards-Version): bump to 3.6.0. + + * debian/Upgrading_From_PGP.txt: new file from to Richard Braakman + . Closes: #173233 + * debian/rules (binary-arch): install it. + + * debian/rules (build): correct libexecdir passed to configure; patch + from Matthias Cramer . Fixes invocation of + gpgkeys_ldap. Closes: #168486 + + -- James Troup Thu, 28 Aug 2003 14:08:50 +0100 + +gnupg (1.2.2-1) unstable; urgency=low + + * New upstream release. + * debian/control (Standards-Version): bump to 3.5.9.0. + * debian/rules (binary-arch): install convert-from-106 as + gpg-convert-from-106 and fix the path to gpg. + * debian/control: remove trailing full stop from short description. + * debian/control: remove out-dated and contradictory information about + RSA. + + -- James Troup Mon, 5 May 2003 03:08:58 +0100 + +gnupg (1.2.1-2) unstable; urgency=low + + * Update config.guess (to 2002-10-21) and config.sub (to 2002-09-05). + Thanks to Ryan Murray. Closes: #166696 + + -- James Troup Mon, 28 Oct 2002 01:47:26 +0000 + +gnupg (1.2.1-1) unstable; urgency=low + + * New upstream version. + * An inifinte loop in --update-trustdb has been fixed. Closes: #162039 + * The polish translation is now correctly specified as UTF-8. Closes: #162885 + * --refresh-keys is now documented in the manpage. Closes: #165566 + * debian/control (Conflicts): add gpg-idea <= 2.2 since gnupg >= 1.2 is + incompatible with that version of gpg-idea. Closes: #162314 + + -- James Troup Fri, 25 Oct 2002 18:18:43 +0100 + +gnupg (1.2.0-1) unstable; urgency=low + + * New upstream version. Closes: #161817. + * --options no longer mis-handles a directory as an argument. Closes: #151973 + * gpg now prompts before sending all keys to the keyserver. Closes: #64607 + * There is now a gnupg(7) manpage. Closes: #157750 + * The permission checking has been sanitized and handles non-home-dir + keyrings better. Closes: #147760 + * notation data longer than 5 characters is now handled. Closes: #156871 + * an abort when setting trust levels in a czech locale has been fixed. + Closes: #149212 + * debian/rules (binary-arch): there are no more modules, adjust + accordingly. + * debian/postinst, debian/prerm: remove; no longer do /usr/doc symlinks. + * debian/rules (binary-arch): don't install obsolete postinst or prerm. + * debian/rules (binary-arch): gzip gnupg.7 too. + * debian/rules (build): pass --libexecdir=/usr/lib/gnupg to configure. + * debian/rules (binary-arch): likewise, pass suitable libexcedir + argument to make install. + * debian/control (Standards-Version): update to 3.5.7.0. + * debian/copyright: update URL and date. + * debian/rules: update dates and version. + + -- James Troup Sun, 22 Sep 2002 22:26:25 +0100 + +gnupg (1.0.7-2) unstable; urgency=low + + * debian/control (Suggests): add xloadimage since that's what gpg uses + by default to view photo IDs. Thanks to Julien Danjou + for the suggestion. Closes: #156245 + * debian/control (Depends): add "hurd" to the alternatives to + makedev. Thanks to Michal Suchanek for + noticing. Closes: #158492 + * po/it.po: patch to fix typos from Marco Bodrato + Thu, 29 Aug 2002 01:42:58 +0100 + +gnupg (1.0.7-1) unstable; urgency=low + + * New upstream version. Closes: #145477. + * GDBM support has been removed. Closes: #33009. + * Now adds the default keyring when a keyring is specified. + Closes: #50616, #65260. + * Now does the Right Thing when receiving a key from the keyserver and + the key in question is in both a read-only and writable keyring. + Closes: #63297. + * Automatic key retrieval is now configurable. Closes: #64940. + * --no-options supresses ~/.gnupg creation again. Closes: #95486. + * duplicate trust entries are no longer treated as an error. Closes: #96480. + * There's now no comment line in ascii armours. Closes: #100088. + * Handle secret keyring given as keyring better. Closes: #100581, #106670. + * It's now documented that --with-colons unconditionally uses UTF8. + Closes: #101446, 101454. + * s/now/knows/ typo in manpage fixed. Closes: #107471. + * There's now support for a primary UID. Closes: #106567, #108155. + * Handles errors in uncompression layer beter. Closes: #112392. + * Key selection has been entirely revamped. Closes: #136170. + * Handles empty encrypt-to. Closes: #138378 + + * debian/rules (binary-arch): remove empty /usr/info directory, thanks + to Joey Hess . Closes: #121864. + * debian/control: remove duplicated word from long description, thanks + to Nicolas Boulenguez . Closes: #144786. + * README: correct URL to GPH and other docs, thanks to Mark Brown + . Closes: #100277. + * debian/control (Standards-Version): updated to 3.5.6.1. + * debian/rules (binary-arch): only strip ELF binaries. es_ES -> es hack + no longer needed as fixed upstream. + * debian/control (Build-Depends): remove libgdbmg1-dev; no longer used. + * debian/README.Debian: remove note about gdbm support which was finally + removed. Update note on old versions of gnupg to reflect the + pre-historic nature of those versions. + * debian/control (Build-Depends): add libldap2-dev. + * debian/rules (binary-arch): call dpkg-shlibdeps for all ELF binaries. + * debian/control (Build-Depends): add file. + * debian/control (Priority): increase to standard to match overrides. + + -- James Troup Sat, 11 May 2002 15:08:02 +0100 + +gnupg (1.0.6-3) unstable; urgency=low + + * moved into main. + + -- James Troup Tue, 19 Mar 2002 16:17:09 +0000 + +gnupg (1.0.6-2) unstable; urgency=high + + * debian/rules (binary-arch): remove the erroneous + /usr/share/locale/locale.alias that 'make install' adds; closes: + #99293. + + -- James Troup Wed, 30 May 2001 20:40:59 +0100 + +gnupg (1.0.6-1) unstable; urgency=low + + * New upstream version. + + -- James Troup Tue, 29 May 2001 20:59:49 +0100 + +gnupg (1.0.5-4) unstable; urgency=low + + * Patch from Werner. + + -- James Troup Sun, 27 May 2001 09:34:50 +0100 + +gnupg (1.0.5-3) unstable; urgency=low + + * Apply patch from Matthew Wilcox to fix assembly on + hppa. + + -- James Troup Sun, 13 May 2001 02:36:45 +0100 + +gnupg (1.0.5-2) unstable; urgency=medium + + * util/http.c: patch from Werner that fixes --send-key, closes: #96277. + * debian/control (Depends): accept devfsd in place of makedev, closes: + #96307. + + -- James Troup Mon, 7 May 2001 00:13:51 +0100 + +gnupg (1.0.5-1) unstable; urgency=low + + * New upstream version. + * debian/README.Debian: fix spelling and update URL. + * debian/rules (binary): remove the new info files. + * scripts/config.{guess,sub}: sync with subversions, closes: #95729. + + -- James Troup Mon, 30 Apr 2001 02:12:38 +0100 + +gnupg (1.0.4-4) unstable; urgency=low + + * po/ru.po: patch by Ilya Martynov to replace German + entries and add missing translations, closes: #93987. + * g10/revoke.c (ask_revocation_reason): typo fix (s/non longer/no + longer/g); noticed by Colin Watson , closes: + #93664. + + * Deprecated depreciated; noticed by Vincent Broman + . + + * Following two patches are from Vincent Broman. + * g10/mainproc.c (proc_tree): use iobuf_get_real_fname() in preference + to iobuf_get_fname(). + * g10/openfile.c (open_sigfile): handle .sign prefixed files correctly. + + -- James Troup Fri, 20 Apr 2001 23:32:44 +0100 + +gnupg (1.0.4-3) unstable; urgency=medium + + * debian/rules (binary): make gpg binary suid, closes: #86433. + * debian/postinst: don't use suidregister. + * debian/postrm: removed (only called suidunregister). + * debian/control: conflict with suidmanager << 0.50. + * mpi/longlong.h: apply fix for ARM long long artimetic from Philip + Blundell , closes: #87487. + * debian/preinst: the old GnuPG debs have moved to people.debian.org. + * cipher/random.c: #include as well as + * g10/misc.c: likewise. + * debian/rules: define a strip alias which removes the .comment and + .note sections. + * debian/rules (binary-arch): use it. + * debian/lintian.override: new file; override the SUID warning from + lintian. + * debian/rules (binary-arch): install it. + + -- James Troup Sun, 25 Feb 2001 05:24:58 +0000 + +gnupg (1.0.4-2) stable unstable; urgency=high + + * Apply security fix patch from Werner. + * Apply another patch from Werner to fix bogus warning on Rijndael + usage. + * Change section to 'non-US'. + + -- James Troup Mon, 12 Feb 2001 07:47:02 +0000 + +gnupg (1.0.4-1) stable unstable; urgency=high + + * New upstream version. + * Fixes a serious bug which could lead to false signature verification + results when more than one signature is fed to gpg. + + -- James Troup Tue, 17 Oct 2000 17:26:17 +0100 + +gnupg (1.0.3b-1) unstable; urgency=low + + * New upstream snapshot version. + + -- James Troup Fri, 13 Oct 2000 18:08:14 +0100 + +gnupg (1.0.3-2) unstable; urgency=low + + * debian/control: Conflict, Replace and Provide gpg-rsa & gpg-rsaref. + Fix long description to reflect the fact that RSA is no longer + patented and now included. [#72177] + * debian/rules: move faq.html to /usr/share/doc/gnupg/ and remove FAQ + from /usr/share/gnupg/. Thanks to Robert Luberda + for noticing. [#72151] + * debian/control: Suggest new package gnupg-doc. [#64323, #65560] + * utils/secmem.c (lock_pool): don't bomb out if mlock() returns ENOMEM, + as Linux will do this if resource limits (or other reasons) prevent + memory from being locked, instead treat it like permission was denied + and warn but continue. Thanks to Topi Miettinen + . [#70446] + * g10/hkp.c (not_implemented): s/ist/is/ in error message. + * debian/README.Debian: add a note about GDBM support and why it is + disabled. Upstream already fixed the manpage. [#65913] + * debian/rules (binary-arch): fix the Spanish translation to be 'es' not + 'es_ES' at Nicolás Lichtmaier 's request. [#57314] + + -- James Troup Sun, 1 Oct 2000 14:55:03 +0100 + +gnupg (1.0.3-1) unstable; urgency=low + + * New upstream version. + + -- James Troup Mon, 18 Sep 2000 15:56:54 +0100 + +gnupg (1.0.2-1) unstable; urgency=low + + * New upstream version. + + -- James Troup Thu, 13 Jul 2000 20:26:50 +0100 + +gnupg (1.0.1-2) unstable; urgency=low + + * debian/control (Build-Depends): added. + * debian/copyright: corrected location of copyright file. Removed + references to Linux. Removed warnings about beta nature of GnuPG. + * debian/rules (binary-arch): install documentation into + /usr/share/doc/gnupg/ and pass mandir to make install to ensure the + manpages go to /usr/share/man/. + * debian/postinst: create /usr/doc/gnupg symlink. + * debian/prerm: new file; remove /usr/doc/gnupg symlink. + * debian/rules (binary-arch): install prerm. + * debian/control (Standards-Version): updated to 3.1.1.1. + + -- James Troup Thu, 30 Dec 1999 16:16:49 +0000 + +gnupg (1.0.1-1) unstable; urgency=low + + * New upstream version. + * doc/gpg.1: updated to something usable from + ftp://ftp.gnupg.org/pub/gcrypt/gnupg/gpg.1.gz. + + -- James Troup Sun, 19 Dec 1999 23:47:10 +0000 + +gnupg (1.0.0-3) unstable; urgency=low + + * debian/rules (build): remove the stunningly ill-advised --host option + to configure. [#44698, #48212, #48281] + + -- James Troup Tue, 26 Oct 1999 01:12:59 +0100 + +gnupg (1.0.0-2) unstable; urgency=low + + * debian/rules (binary-arch): fix the permissions on the + modules. [#47280] + * debian/postinst, debian/postrm: fix the package name passed to + suidregister. [#45013] + * debian/control: update long description. [#44636] + * debian/rules (build): pass the host explicitly to configure to avoid + problems on sparc64. [(Should fix) #44698]. + + -- James Troup Wed, 20 Oct 1999 23:39:05 +0100 + +gnupg (1.0.0-1) unstable; urgency=low + + * New upstream release. [#44545] + + -- James Troup Wed, 8 Sep 1999 00:53:02 +0100 + +gnupg (0.9.10-2) unstable; urgency=low + + * debian/rules (binary-arch): install lspgpot. Requested by Kai + Henningsen . [#42288] + * debian/rules (binary-arch): correct the path where modules are looked + for. Reported by Karl M. Hegbloom . [#40881] + * debian/postinst, debian/postrm: under protest, register gpg the + package with suidmanager and make it suid by default. + [#29780,#32590,#40391] + + -- James Troup Tue, 10 Aug 1999 00:12:40 +0100 + +gnupg (0.9.10-1) unstable; urgency=low + + * New upstream version. + + -- James Troup Fri, 6 Aug 1999 01:16:21 +0100 + +gnupg (0.9.9-1) unstable; urgency=low + + * New upstream version. + + -- James Troup Sun, 25 Jul 1999 01:06:31 +0100 + +gnupg (0.9.8-1) unstable; urgency=low + + * New upstream version. + * debian/rules (binary-arch): don't create a gpgm manpage as the binary + no longer exists. Noticed by Wichert Akkerman + . [#38864] + + -- James Troup Sun, 27 Jun 1999 01:07:58 +0100 + +gnupg (0.9.7-1) unstable; urgency=low + + * New upstream version. + + -- James Troup Tue, 25 May 1999 13:23:24 +0100 + +gnupg (0.9.6-1) unstable; urgency=low + + * New upstream version. + * debian/copyright: update version number, noticed by Lazarus Long + . + * debian/control (Depends): depend on makedev (>= 2.3.1-13) to ensure + that /dev/urandom exists; reported by Steffen Markert + . [#32076] + + -- James Troup Tue, 11 May 1999 21:06:27 +0100 + +gnupg (0.9.5-1) unstable; urgency=low + + * New upstream version. + * debian/control (Description): no tabs. [Lintian] + + -- James Troup Wed, 24 Mar 1999 22:37:40 +0000 + +gnupg (0.9.4-1) unstable; urgency=low + + * New version. + * debian/control: s/GNUPG/GnuPG/ + + -- Werner Koch Mon, 8 Mar 1999 19:58:28 +0100 + +gnupg (0.9.3-1) unstable; urgency=low + + * New upstream version. + + -- James Troup Mon, 22 Feb 1999 22:55:04 +0000 + +gnupg (0.9.2-1) unstable; urgency=low + + * New version. + * debian/rules (build): Removed CFLAGS as the default is now sufficient. + * debian/rules (clean): remove special handling cleanup in intl. + + -- Werner Koch Wed, 20 Jan 1999 21:23:11 +0100 + +gnupg (0.9.1-1) unstable; urgency=low + + * New upstream version. + + -- James Troup Sat, 9 Jan 1999 22:29:11 +0000 + +gnupg (0.9.0-1) unstable; urgency=low + + * New upstream version. + * g10/armor.c (armor_filter): add missing new line in comment string; as + noticed by Stainless Steel Rat . + + -- James Troup Tue, 29 Dec 1998 20:22:43 +0000 + +gnupg (0.4.5-1) unstable; urgency=low + + * New upstream version. + * debian/rules (clean): force removal of intl/libintl.h which the + Makefiles fail to remove properly. + + -- James Troup Tue, 8 Dec 1998 22:40:23 +0000 + +gnupg (0.4.4-1) unstable; urgency=low + + * New upstream version. + + -- James Troup Sat, 21 Nov 1998 01:34:29 +0000 + +gnupg (0.4.3-1) unstable; urgency=low + + * New upstream version. + * debian/README.Debian: new file; contains same information as is in the + preinst. Suggested by Wichert Akkerman . + * debian/rules (binary-arch): install `README.Debian' + * debian/control (Standards-Version): updated to 2.5.0.0. + + -- James Troup Sun, 8 Nov 1998 19:08:12 +0000 + +gnupg (0.4.2-1) unstable; urgency=low + + * New upstream version. + * debian/preinst: improve message about the NEWS file which isn't + actually installed when it's referred to, thanks to Martin Mitchell + . + * debian/rules (binary-arch): don't install the now non-existent `rfcs', + but do install `OpenPGP'. + + -- James Troup Sun, 18 Oct 1998 22:48:34 +0100 + +gnupg (0.4.1-1) unstable; urgency=low + + * New upstream version. + * debian/rules (binary-arch): fix the gpgm manpage symlink now installed + by `make install'. + + -- James Troup Sun, 11 Oct 1998 17:01:21 +0100 + +gnupg (0.4.0-1) unstable; urgency=high + + * New upstream version. [#26717] + * debian/copyright: tone down warning about alpha nature of gnupg. + * debian/copyright: new maintainer address. + * debian/control: update extended description. + * debian/rules (binary-arch): install FAQ and all ChangeLogs. + * debian/preinst: new; check for upgrade from (<= 0.3.2-1) and warn about + incompatibilities in keyring format and offer to move old copy out of + gpg out of the way for transition strategy and inform the user about + the old copies of gnupg available on my web page. + * debian/rules (binary-arch) install preinst. + * debian/rules (binary-arch): don't depend on the test target as it is + now partially interactive (tries to generate a key, which requires + someone else to be using the computer). + + -- James Troup Thu, 8 Oct 1998 00:47:07 +0100 + +gnupg (0.3.2-1) unstable; urgency=low + + * New upstream version. + * debian/control (Maintainer): new address. + * debian/copyright: updated list of changes. + + -- James Troup Thu, 9 Jul 1998 21:06:07 +0200 + +gnupg (0.3.1-1) unstable; urgency=low + + * New upstream version. + + -- James Troup Tue, 7 Jul 1998 00:26:21 +0200 + +gnupg (0.3.0-2) unstable; urgency=low + + * Applied bug-fix patch from Werner. + + -- James Troup Fri, 26 Jun 1998 12:18:29 +0200 + +gnupg (0.3.0-1) unstable; urgency=low + + * New upstream version. + * debian/control: rewrote short and long description. + * cipher/Makefile.am: link tiger with -lc. + * debian/rules (binary-arch): strip loadable modules. + * util/secmem.c (lock_pool): get rid of errant test code; fix from + Werner Koch . + * debian/rules (test): new target which runs gnupg's test suite. + binary-arch depends on it, to ensure it's run whenever the package is + built. + + -- James Troup Thu, 25 Jun 1998 16:04:57 +0200 + +gnupg (0.2.19-1) unstable; urgency=low + + * New upstream version. + * debian/control: Updated long description. + + -- James Troup Sat, 30 May 1998 12:12:35 +0200 + +gnupg (0.2.18-1) unstable; urgency=low + + * New upstream version. + + -- James Troup Sat, 16 May 1998 11:52:47 +0200 + +gnupg (0.2.17-1) unstable; urgency=high + + * New upstream version. + * debian/control (Standards-Version): updated to 2.4.1.0. + * debian/control: tone down warning about alpha nature of gnupg, as per + README. + * debian/copyright: ditto. + + -- James Troup Mon, 4 May 1998 22:36:51 +0200 + +gnupg (0.2.15-1) unstable; urgency=high + + * New upstream version. + + -- James Troup Fri, 10 Apr 1998 01:12:20 +0100 + +gnupg (0.2.13-1) unstable; urgency=high + + * New upstream version. + + -- James Troup Wed, 11 Mar 1998 01:52:51 +0000 + +gnupg (0.2.12-1) unstable; urgency=low + + * New upstream version. + + -- James Troup Sat, 7 Mar 1998 13:52:40 +0000 + +gnupg (0.2.11-1) unstable; urgency=low + + * New upstream version. + + -- James Troup Wed, 4 Mar 1998 01:32:12 +0000 + +gnupg (0.2.10-1) unstable; urgency=low + + * New upstream version. + * Name changed upstream. + + -- James Troup Mon, 2 Mar 1998 07:32:05 +0000 + +g10 (0.2.7-1) unstable; urgency=low + + * Initial release. + + -- James Troup Fri, 20 Feb 1998 02:05:34 +0000 diff --git a/clean b/clean new file mode 100644 index 0000000..922f2c9 --- /dev/null +++ b/clean @@ -0,0 +1,8 @@ +po/*.gmo +po/stamp-po +build-gpgv-static/ +build-gpgv-udeb/ +build-gpgv-win32/ +doc/gnupg.info +doc/gnupg.info-1 +doc/gnupg.info-2 diff --git a/compat b/compat new file mode 100644 index 0000000..ec63514 --- /dev/null +++ b/compat @@ -0,0 +1 @@ +9 diff --git a/control b/control new file mode 100644 index 0000000..ac0b079 --- /dev/null +++ b/control @@ -0,0 +1,329 @@ +Source: gnupg2 +Section: utils +Priority: optional +Maintainer: Debian GnuPG Maintainers +Uploaders: + Eric Dorland , + Daniel Kahn Gillmor , +Standards-Version: 3.9.8 +Build-Depends: + automake, + autopoint, + debhelper (>= 9), + dh-autoreconf, + file, + gettext, + ghostscript, + imagemagick, + libassuan-dev (>= 2.4.3), + libbz2-dev, + libcurl4-gnutls-dev, + libgcrypt20-dev (>= 1.7.0), + libgnutls28-dev (>= 3.0), + libgpg-error-dev (>= 1.26-2~), + libksba-dev (>= 1.3.4), + libldap2-dev, + libnpth0-dev (>= 1.2), + libreadline-dev, + librsvg2-bin, + libsqlite3-dev, + libusb-1.0-0-dev [!hurd-any], + pkg-config, + texinfo, + transfig, + zlib1g-dev | libz-dev, +Build-Depends-Indep: + binutils-multiarch [!amd64 !i386], + libassuan-mingw-w64-dev, + libgcrypt-mingw-w64-dev, + libgpg-error-mingw-w64-dev, + libksba-mingw-w64-dev, + libnpth-mingw-w64-dev, + libz-mingw-w64-dev, + mingw-w64, +Vcs-Git: https://anonscm.debian.org/git/pkg-gnupg/gnupg2.git +Vcs-Browser: https://anonscm.debian.org/git/pkg-gnupg/gnupg2.git +Homepage: https://www.gnupg.org/ + +Package: gnupg-agent +Architecture: any +Multi-Arch: foreign +Depends: + pinentry-curses | pinentry, + ${misc:Depends}, + ${shlibs:Depends}, +Recommends: + gnupg (= ${binary:Version}) | gpgsm, +Suggests: + dbus-user-session, + libpam-systemd, + pinentry-gnome3, + scdaemon, +Provides: + gpg-agent, +Description: GNU privacy guard - cryptographic agent + GnuPG is GNU's tool for secure communication and data storage. + It can be used to encrypt data and to create digital signatures. + It includes an advanced key management facility and is compliant + with the proposed OpenPGP Internet standard as described in RFC4880. + . + This package contains the agent program gpg-agent which handles all + secret key material for OpenPGP and S/MIME use. The agent also + provides a passphrase cache, which is used by pre-2.1 versions of + GnuPG for OpenPGP operations. + +Package: scdaemon +Architecture: any +Multi-Arch: foreign +Depends: + gnupg-agent (= ${binary:Version}), + ${misc:Depends}, + ${shlibs:Depends}, +Enhances: + gnupg-agent, +Description: GNU privacy guard - smart card support + GnuPG is GNU's tool for secure communication and data storage. + It can be used to encrypt data and to create digital signatures. + It includes an advanced key management facility and is compliant + with the proposed OpenPGP Internet standard as described in RFC4880. + . + This package contains the smart card program scdaemon, which is used + by gnupg-agent to access OpenPGP smart cards. + +Package: gpgsm +Architecture: any +Multi-Arch: foreign +Depends: + gnupg-agent (= ${binary:Version}), + ${misc:Depends}, + ${shlibs:Depends}, +Recommends: + dirmngr (= ${binary:Version}), +Breaks: + gnupg2 (<< 2.1.10-2), +Replaces: + gnupg2 (<< 2.1.10-2), +Description: GNU privacy guard - S/MIME version + GnuPG is GNU's tool for secure communication and data storage. + It can be used to encrypt data and to create digital signatures. + It includes an advanced key management facility and is compliant + with the proposed OpenPGP Internet standard as described in RFC4880. + . + This package contains the gpgsm program. gpgsm is a tool to provide + digital encryption and signing services on X.509 certificates and the + CMS protocol. gpgsm includes complete certificate management. + +Package: gnupg +Architecture: any +Multi-Arch: foreign +Depends: + gnupg-agent (= ${binary:Version}), + ${misc:Depends}, + ${shlibs:Depends}, +Recommends: + dirmngr (= ${binary:Version}), + gnupg-l10n (= ${source:Version}), + ${shlibs:Recommends}, +Suggests: + parcimonie, + xloadimage, +Breaks: + debsig-verify (<< 0.15), + dirmngr (<< ${binary:Version}), + gnupg2 (<< 2.1.11-7+exp1), + libgnupg-interface-perl (<< 0.52-3), + libgnupg-perl (<= 0.19-1), + libmail-gnupg-perl (<= 0.22-1), + monkeysphere (<< 0.38~), + php-crypt-gpg (<= 1.4.1-1), + python-apt (<= 1.1.0~beta4), + python-gnupg (<< 0.3.8-3), + python3-apt (<= 1.1.0~beta4), +Replaces: + gnupg2 (<< 2.1.11-7+exp1), +Provides: + gpg, +Description: GNU privacy guard - a free PGP replacement + GnuPG is GNU's tool for secure communication and data storage. + It can be used to encrypt data and to create digital signatures. + It includes an advanced key management facility and is compliant + with the proposed OpenPGP Internet standard as described in RFC4880. + . + This package contains /usr/bin/gpg and some helper utilities like + gpgconf and kbxutil. + +Package: gnupg2 +Architecture: all +Section: oldlibs +Priority: extra +Multi-Arch: foreign +Depends: + gnupg (>= ${source:Version}), + ${misc:Depends}, +Description: GNU privacy guard - a free PGP replacement (dummy transitional package) + GnuPG is GNU's tool for secure communication and data storage. + It can be used to encrypt data and to create digital signatures. + It includes an advanced key management facility and is compliant + with the proposed OpenPGP Internet standard as described in RFC4880. + . + This is a dummy transitional package that provides symlinks from gpg2 + to gpg. + +Package: gpgv +Architecture: any +Priority: important +Multi-Arch: foreign +Depends: + ${misc:Depends}, + ${shlibs:Depends}, +Breaks: + gnupg2 (<< 2.0.21-2), + gpgv2 (<< 2.1.11-7+exp1), + python-debian (<< 0.1.29), +Replaces: + gnupg2 (<< 2.0.21-2), + gpgv2 (<< 2.1.11-7+exp1), +Suggests: + gnupg, +Description: GNU privacy guard - signature verification tool + GnuPG is GNU's tool for secure communication and data storage. + . + gpgv is actually a stripped-down version of gpg which is only able + to check signatures. It is somewhat smaller than the fully-blown gpg + and uses a different (and simpler) way to check that the public keys + used to make the signature are valid. There are no configuration + files and only a few options are implemented. + +Package: gpgv2 +Section: oldlibs +Priority: extra +Architecture: all +Multi-Arch: foreign +Depends: + gpgv (>= ${source:Version}), + ${misc:Depends}, +Description: GNU privacy guard - signature verification tool (dummy transitional package) + GnuPG is GNU's tool for secure communication and data storage. gpgv + is a stripped-down version of gpg which is only able to check + signatures. + . + This is a dummy transitional package that provides symlinks from gpgv2 + to gpgv. + +Package: dirmngr +Architecture: any +Depends: + adduser, + lsb-base (>= 3.2-13), + ${misc:Depends}, + ${shlibs:Depends}, +Recommends: + gnupg (= ${binary:Version}), + ${shlibs:Recommends}, +Enhances: + gnupg, + gpgsm, + squid, +Breaks: + gnupg2 (<< 2.1.10-2), +Replaces: + gnupg2 (<< 2.1.10-2), +Suggests: + dbus-user-session, + libpam-systemd, + pinentry-gnome3, + tor, +Description: GNU privacy guard - network certificate management service + dirmngr is a server for managing and downloading OpenPGP and X.509 + certificates, as well as updates and status signals related to those + certificates. For OpenPGP, this means pulling from the public + HKP/HKPS keyservers, or from LDAP servers. For X.509 this includes + Certificate Revocation Lists (CRLs) and Online Certificate Status + Protocol updates (OCSP). It is capable of using tor for network + access. + . + dirmngr is used for network access by gpg, gpgsm, and dirmngr-client, + among other tools. + +Package: gpgv-udeb +Package-Type: udeb +Section: debian-installer +Priority: extra +Architecture: any +Depends: + ${misc:Depends}, + ${shlibs:Depends}, +Description: minimal signature verification tool + GnuPG is GNU's tool for secure communication and data storage. + It can be used to encrypt data and to create digital signatures. + It includes an advanced key management facility and is compliant + with the proposed OpenPGP Internet standard as described in RFC 4880. + . + This is GnuPG's signature verification tool, gpgv, packaged in minimal + form for use in debian-installer. + +Package: gpgv-static +Priority: extra +Architecture: any +Depends: + ${misc:Depends}, + ${shlibs:Depends}, +Recommends: + debian-archive-keyring, + debootstrap, +Description: minimal signature verification tool (static build) + GnuPG is GNU's tool for secure communication and data storage. + It can be used to encrypt data and to create digital signatures. + It includes an advanced key management facility and is compliant + with the proposed OpenPGP Internet standard as described in RFC 4880. + . + This is GnuPG's signature verification tool, gpgv, built statically + so that it can be directly used on any platform that is running on + the Linux kernel. Android and ChromeOS are two well known examples, + but there are many other platforms that this will work for, like + embedded Linux OSes. This gpgv in combination with debootstrap and + the Debian archive keyring allows the secure creation of chroot + installs on these platforms by using the full Debian signature + verification that is present in all official Debian mirrors. + +Package: gpgv-win32 +Architecture: all +Priority: extra +Multi-Arch: foreign +Depends: + ${misc:Depends}, +Suggests: + wine, +Description: GNU privacy guard - signature verification tool (win32 build) + GnuPG is GNU's tool for secure communication and data storage. + . + gpgv is a stripped-down version of gnupg which is only able to check + signatures. It is smaller than the full-blown gnupg and uses a + different (and simpler) way to check that the public keys used to + make the signature are trustworthy. + . + This is a win32 version of gpgv. It's meant to be used by the win32-loader + component of Debian-Installer. + +Package: gnupg-l10n +Architecture: all +Priority: extra +Multi-Arch: foreign +Depends: + ${misc:Depends}, +Enhances: + gnupg, +Breaks: + gnupg (<< 2.1.14-2~), + gnupg2 (<< 2.1.14-2~), +Replaces: + gnupg (<< 2.1.14-2~), + gnupg2 (<< 2.1.14-2~), +Description: GNU privacy guard - localization files + GnuPG is GNU's tool for secure communication and data storage. + It can be used to encrypt data and to create digital signatures. + It includes an advanced key management facility and is compliant + with the proposed OpenPGP Internet standard as described in RFC 4880. + . + This package contains the translation files for the use of GnuPG in + non-English locales. diff --git a/copyright b/copyright new file mode 100644 index 0000000..5676d81 --- /dev/null +++ b/copyright @@ -0,0 +1,233 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: GnuPG - The GNU Privacy Guard (modern version) +Upstream-Contact: GnuPG development mailing list +Source: https://gnupg.org/download/ + +Files: * +Copyright: 1992, 1995-2016, Free Software Foundation, Inc +License: GPL-3+ + +Files: agent/command.c + agent/command-ssh.c + agent/gpg-agent.c + common/homedir.c + common/sysutils.c + g10/mainproc.c +Copyright: 1998-2007, 2009, 2012, Free Software Foundation, Inc + 2013, Werner Koch +License: GPL-3+ + +Files: autogen.sh +Copyright: 2003, g10 Code GmbH +License: permissive + +Files: common/gc-opt-flags.h + common/i18n.h + tools/clean-sat.c + tools/no-libgcrypt.c +Copyright: 1998-2001, 2003, 2004, 2006, 2007 Free Software Foundation, Inc +License: permissive + +Files: common/localename.c +Copyright: 1985, 1989-1993, 1995-2003, 2007, 2008 Free Software Foundation, Inc. +License: LGPL-2.1+ + +Files: dirmngr/dns.c + dirmngr/dns.h +Copyright: 2008-2010, 2012-2016 William Ahern +License: Expat + +Files: doc/yat2m.c + scd/app-geldkarte.c +Copyright: 2004, 2005, g10 Code GmbH + 2006, 2008, 2009, 2011, Free Software Foundation, Inc +License: GPL-3+ + +Files: scd/ccid-driver.h + scd/ccid-driver.c +Copyright: 2003-2007, Free Software Foundation, Inc +License: GPL-3+ or BSD-3-clause + +Files: tools/rfc822parse.c + tools/rfc822parse.h +Copyright: 1999-2000, Werner Koch, Duesseldorf + 2003-2004, g10 Code GmbH +License: LGPL-3+ + +Files: tools/sockprox.c +Copyright: 2007, g10 Code GmbH +License: GPL-3+ + +Files: doc/OpenPGP +Copyright: 1998-2013 Free Software Foundation, Inc. + 1997, 1998, 2013 Werner Koch + 1998 The Internet Society +License: RFC-Reference + +Files: tests/gpgscm/* +Copyright: 2000, Dimitrios Souflis + 2016, Justus Winter, Werner Koch +License: TinySCHEME + +License: TinySCHEME + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + . + Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + . + Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + Neither the name of Dimitrios Souflis nor the names of the + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR + CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +License: permissive + This file is free software; as a special exception the author gives + unlimited permission to copy and/or distribute it, with or without + modifications, as long as this notice is preserved. + . + This file is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY, to the extent permitted by law; without even + the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + PURPOSE. + +License: RFC-Reference + doc/OpenPGP merely cites and references IETF Draft + draft-ietf-openpgp-formats-07.txt. This is believed to be fair use; + but if not, it's covered by the source document's license under + the 'comment on' clause. The license statement follows. + . + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph + are included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + . + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + +License: GPL-3+ + GnuPG is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + . + GnuPG is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program; if not, see . + . + On Debian systems, the full text of the GNU General Public + License version 3 can be found in the file + `/usr/share/common-licenses/GPL-3'. + +License: LGPL-3+ + This program is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as + published by the Free Software Foundation; either version 3 of + the License, or (at your option) any later version. + . + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + . + You should have received a copy of the GNU Lesser General Public + License along with this program; if not, see . + . + On Debian systems, the full text of the GNU Lesser General Public + License version 3 can be found in the file + `/usr/share/common-licenses/LGPL-3'. + +License: LGPL-2.1+ + This program is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as + published by the Free Software Foundation; either version 2.1 of + the License, or (at your option) any later version. + . + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + . + You should have received a copy of the GNU Lesser General Public + License along with this program; if not, see . + . + On Debian systems, the full text of the GNU Lesser General Public + License version 2.1 can be found in the file + `/usr/share/common-licenses/LGPL-2.1'. + +License: BSD-3-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, and the entire permission notice in its entirety, + including the disclaimer of warranties. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. The name of the author may not be used to endorse or promote + products derived from this software without specific prior + written permission. + . + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + +License: Expat + Permission is hereby granted, free of charge, to any person obtaining a + copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to permit + persons to whom the Software is furnished to do so, subject to the + following conditions: + . + The above copyright notice and this permission notice shall be included + in all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN + NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, + DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR + OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE + USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/dirmngr.NEWS b/dirmngr.NEWS new file mode 100644 index 0000000..b0c550f --- /dev/null +++ b/dirmngr.NEWS @@ -0,0 +1,49 @@ +dirmngr (2.1.18-1) unstable; urgency=medium + + If your machine is configured with system user session management, + dirmngr will be managed automatically by systemd's user sessions on + machines configured with use systemd. Please consider installing the + packages that the dirmngr package Suggests:, and see + /usr/share/doc/dirmngr/README.Debian for more details. + + -- Daniel Kahn Gillmor Mon, 23 Jan 2017 22:50:34 -0500 + +dirmngr (2.1.13-3) experimental; urgency=medium + + gpg and most related processes will auto-launch dirmngr if needed. + + Any user who wants to launch dirmngr manually should do so with: + + gpgconf --launch dirmngr + + and may want to terminate dirmngr when their session ends with: + + gpgconf --kill dirmngr + + Users on machines with systemd can ensure that dirmngr is always + running for their session (and that it gets terminated at logout) + with: + + gpgconf --kill dirmngr + systemctl --user enable dirmngr + systemctl --user start dirmngr + + -- Daniel Kahn Gillmor Tue, 28 Jun 2016 17:55:15 -0400 + +dirmngr (2.1.0~beta895-1) experimental; urgency=medium + + No more dirmngr system service! + =============================== + + As of the 2.1.0 beta series, dirmngr is a local daemon that works + closely with gnupg2. It is launched on its own, per-user, and + listens on a standard socket (usually ~/.gnupg/S.dirmngr). There is + no more system-wide dirmngr process. + + If there is a special case where a dirmngr system process is + actually needed, please report a bug in dirmngr, and we can sort out + a way to set one up for that case so that everyone with dirmngr + installed doesn't need to have it running. + + -- Daniel Kahn Gillmor Tue, 07 Oct 2014 10:33:52 -0400 + diff --git a/dirmngr.README.Debian b/dirmngr.README.Debian new file mode 100644 index 0000000..099240a --- /dev/null +++ b/dirmngr.README.Debian @@ -0,0 +1,47 @@ +dirmngr system integration +========================== + +Since 2.1.x, gpg and most related processes will auto-launch dirmngr +if needed. These auto-launched processes will inherit whatever +environment they started from, and they will not terminate +automatically. + +systemd +======= + +Since 2.1.17, users on machines with systemd will have a dirmngr +process launched automatically by systemd's user session, upon first +access of the standard socket. systemd will also cleanly tear this +process down at session logout. + +Users who don't want systemd to manage their dirmngr in this way for +all future sessions should do: + + systemctl --user mask --now dirmngr.socket + +Doing this means that dirmngr will fall back to its manual mode of +operation. (This decision can be reversed by the user with "unmask" +instead of "mask") + +See systemctl(1) for more details about managing the dirmngr.socket +unit. + +Manual dirmngr startup and teardown +=================================== + +Any user who wants to launch dirmngr manually (e.g., to talk to it +with a tool from outside the GnuPG suite) and is *not* using systemd +should first ensure that it is launched with: + + gpgconf --launch dirmngr + +If dirmngr is launched manually or automatically (but not supervised +by systemd), you also probably want to ensure that it terminates when +your session ends with: + + gpgconf --kill dirmngr + +If you're not using systemd, you may wish to add this command to your +session logout scripts. + + -- Daniel Kahn Gillmor , Mon, 23 Jan 2017 22:49:45 -0500 diff --git a/dirmngr.docs b/dirmngr.docs new file mode 100644 index 0000000..817be40 --- /dev/null +++ b/dirmngr.docs @@ -0,0 +1,4 @@ +AUTHORS +NEWS +THANKS +TODO diff --git a/dirmngr.install b/dirmngr.install new file mode 100644 index 0000000..1e77641 --- /dev/null +++ b/dirmngr.install @@ -0,0 +1,7 @@ +debian/tmp/usr/bin/dirmngr +debian/tmp/usr/bin/dirmngr-client +debian/tmp/usr/lib/gnupg/dirmngr_ldap +debian/tmp/usr/share/gnupg/dirmngr-conf.skel +debian/tmp/usr/share/gnupg/sks-keyservers.netCA.pem +doc/examples/systemd-user/dirmngr.service usr/lib/systemd/user +doc/examples/systemd-user/dirmngr.socket usr/lib/systemd/user diff --git a/dirmngr.links b/dirmngr.links new file mode 100644 index 0000000..ca801e7 --- /dev/null +++ b/dirmngr.links @@ -0,0 +1 @@ +usr/lib/systemd/user/dirmngr.socket /usr/lib/systemd/user/sockets.target.wants/dirmngr.socket diff --git a/dirmngr.maintscript b/dirmngr.maintscript new file mode 100644 index 0000000..aa11aa5 --- /dev/null +++ b/dirmngr.maintscript @@ -0,0 +1,5 @@ +rm_conffile /etc/default/dirmngr +rm_conffile /etc/dirmngr/dirmngr.conf +rm_conffile /etc/dirmngr/ldapservers.conf +rm_conffile /etc/init.d/dirmngr +rm_conffile /etc/logrotate.d/dirmngr diff --git a/dirmngr.manpages b/dirmngr.manpages new file mode 100644 index 0000000..93702d9 --- /dev/null +++ b/dirmngr.manpages @@ -0,0 +1,2 @@ +debian/tmp/usr/share/man/man1/dirmngr-client.1 +debian/tmp/usr/share/man/man8/dirmngr.8 diff --git a/gbp.conf b/gbp.conf new file mode 100644 index 0000000..1789fc2 --- /dev/null +++ b/gbp.conf @@ -0,0 +1,33 @@ +[DEFAULT] +pristine-tar = True +upstream-vcs-tag = gnupg-%(version)s + +[import-orig] +filter = [ + 'aclocal.m4', + 'build-aux/compile', + 'build-aux/config.rpath', + 'build-aux/depcomp', + 'build-aux/install-sh', + 'build-aux/missing', + 'build-aux/mkinstalldirs', + 'build-aux/texinfo.tex', + 'config.h.in', + 'configure', + 'doc/gnupg.info*', + 'INSTALL', + 'm4/intdiv0.m4', + 'm4/intl.m4', + 'm4/lock.m4', + 'm4/printf-posix.m4', + 'm4/size_max.m4', + 'm4/uintmax_t.m4', + 'm4/wint_t.m4', + '*/*/Makefile.in', + '*/Makefile.in', + 'Makefile.in', + 'po/*.gmo', + 'po/Makefile.in.in', + 'po/stamp-po', + ] +filter-pristine-tar = False diff --git a/gnupg-agent.NEWS b/gnupg-agent.NEWS new file mode 100644 index 0000000..69b4e49 --- /dev/null +++ b/gnupg-agent.NEWS @@ -0,0 +1,19 @@ +gnupg-agent (2.1.18-1) unstable; urgency=medium + + If your machine is configured with system user session management, + gpg-agent will be managed automatically by systemd's user sessions on + machines configured with use systemd. Please consider installing the + packages that the gnupg-agent package Suggests:, and see + /usr/share/doc/gnupg-agent/README.Debian for more details. + + -- Daniel Kahn Gillmor Mon, 23 Jan 2017 22:54:48 -0500 + +gnupg-agent (2.1.13-3) experimental; urgency=medium + + gpg-agent is no longer auto-launched by + /etc/X11/Xsession.d/90gpg-agent. Please read + /usr/share/doc/gnupg-agent/README.Debian for details about system + integration. + + -- Daniel Kahn Gillmor Tue, 28 Jun 2016 17:29:46 -0400 + diff --git a/gnupg-agent.README.Debian b/gnupg-agent.README.Debian new file mode 100644 index 0000000..f57d278 --- /dev/null +++ b/gnupg-agent.README.Debian @@ -0,0 +1,82 @@ +gpg-agent system integration +============================ + +Since 2.1.x, gpg and most related processes will auto-launch gpg-agent +if needed. These auto-launched processes will inherit whatever +environment they started from, and they will not terminate +automatically. + +systemd +======= + +Since 2.1.17, users on machines with systemd will have their gpg-agent +process launched automatically by systemd's user session, upon first +access of any of the expected gpg-agent sockets (including the ssh +socket). systemd will also cleanly tear this process down at session +logout. + +If dbus-user-session and pinentry-gnome3 packages are installed, then +all user interaction with this systemd-managed gpg-agent process +(e.g. prompting for passwords or confirmations, etc) will take place +over the d-bus session, for better integration with graphical +environments like GNOME. + +Users who don't want systemd to manage their gpg-agent in this way for +all future sessions should do: + + systemctl --user mask --now gpg-agent.service gpg-agent.socket gpg-agent-ssh.socket gpg-agent-extra.socket gpg-agent-browser.socket + +Doing this means that gpg-agent will fall back to its manual mode of +operation. (This decision can be reversed by the user with "unmask" +instead of "mask") + +See systemctl(1) for more details about managing the gpg-agent*.socket +units. + +ssh-agent emulation +=================== + +gpg-agent offers an ssh-agent emulation which can be achieved by +setting the environment variable SSH_AUTH_SOCK to: + + /run/user/$(id -u)/gnupg/S.gpg-agent.ssh + +(replace $(id -u) with the user's numeric user ID, of course). + +But ssh doesn't have a way to tell ssh-agent how to prompt the user +when necessary; the systemd-managed gpg-agent process will only know +how to prompt the user if you have dbus-user-session and +pinentry-gnome3 installed. This is the recommended configuration for +gpg-agent's ssh-agent emulation on desktop machines running systemd, +and doesn't need any additional configuration. + +However, if dbus-user-session and pinentry-gnome3 are not in use, by +default the systemd-managed gpg-agent will not know how to get +feedback from the user when a request is first received by ssh. You +can give it a hint for all future ssh connections by running: + + gpg-connect-agent updatestartuptty /bye + +You may wish to do this in the login scripts for your user session if +you run systemd without dbus-user-session and pinentry-gnome3, and you +plan to use gpg-agent's ssh-agent emulation. + +Manual gpg-agent startup and teardown +===================================== + +Any user who wants to launch gpg-agent manually (e.g., to talk to it +with a tool from outside the GnuPG suite) and is *not* using systemd +should first ensure that it is launched with: + + gpgconf --launch gpg-agent + +If gpg-agent is launched manually or automatically (but not supervised +by systemd), you probably want to ensure that it terminates when your +session ends with: + + gpgconf --kill gpg-agent + +If you're not using systemd, you may wish to add this to your session +logout scripts. + + -- Daniel Kahn Gillmor , Mon, 23 Jan 2017 22:56:08 -0500 diff --git a/gnupg-agent.examples b/gnupg-agent.examples new file mode 100644 index 0000000..34213be --- /dev/null +++ b/gnupg-agent.examples @@ -0,0 +1,2 @@ +doc/examples/pwpattern.list +doc/examples/trustlist.txt diff --git a/gnupg-agent.install b/gnupg-agent.install new file mode 100644 index 0000000..2a4dcbe --- /dev/null +++ b/gnupg-agent.install @@ -0,0 +1,12 @@ +debian/Xsession.d/90gpg-agent etc/X11/Xsession.d +debian/systemd-user/gpg-agent-browser.socket usr/lib/systemd/user +debian/tmp/usr/bin/gpg-agent +debian/tmp/usr/bin/gpg-connect-agent +debian/tmp/usr/bin/symcryptrun +debian/tmp/usr/lib/gnupg/gpg-check-pattern +debian/tmp/usr/lib/gnupg/gpg-preset-passphrase +debian/tmp/usr/lib/gnupg/gpg-protect-tool +doc/examples/systemd-user/gpg-agent-extra.socket usr/lib/systemd/user +doc/examples/systemd-user/gpg-agent-ssh.socket usr/lib/systemd/user +doc/examples/systemd-user/gpg-agent.service usr/lib/systemd/user +doc/examples/systemd-user/gpg-agent.socket usr/lib/systemd/user diff --git a/gnupg-agent.links b/gnupg-agent.links new file mode 100644 index 0000000..90f6ce1 --- /dev/null +++ b/gnupg-agent.links @@ -0,0 +1,6 @@ +usr/lib/gnupg/gpg-preset-passphrase usr/lib/gnupg2/gpg-preset-passphrase +usr/lib/gnupg/gpg-protect-tool usr/lib/gnupg2/gpg-protect-tool +usr/lib/systemd/user/gpg-agent-browser.socket usr/lib/systemd/user/sockets.target.wants/gpg-agent-browser.socket +usr/lib/systemd/user/gpg-agent-extra.socket usr/lib/systemd/user/sockets.target.wants/gpg-agent-extra.socket +usr/lib/systemd/user/gpg-agent-ssh.socket usr/lib/systemd/user/sockets.target.wants/gpg-agent-ssh.socket +usr/lib/systemd/user/gpg-agent.socket usr/lib/systemd/user/sockets.target.wants/gpg-agent.socket diff --git a/gnupg-agent.manpages b/gnupg-agent.manpages new file mode 100644 index 0000000..4819831 --- /dev/null +++ b/gnupg-agent.manpages @@ -0,0 +1,5 @@ +debian/gpg-check-pattern.1 +debian/tmp/usr/share/man/man1/gpg-agent.1 +debian/tmp/usr/share/man/man1/gpg-connect-agent.1 +debian/tmp/usr/share/man/man1/gpg-preset-passphrase.1 +debian/tmp/usr/share/man/man1/symcryptrun.1 diff --git a/gnupg-l10n.install b/gnupg-l10n.install new file mode 100644 index 0000000..9aaad82 --- /dev/null +++ b/gnupg-l10n.install @@ -0,0 +1,2 @@ +debian/tmp/usr/share/gnupg/help.*.txt +debian/tmp/usr/share/locale diff --git a/gnupg.README.Debian b/gnupg.README.Debian new file mode 100644 index 0000000..24944d3 --- /dev/null +++ b/gnupg.README.Debian @@ -0,0 +1,44 @@ +Using "Modern" GnuPG +==================== + +As of version 2.1.11-7+exp1, the gnupg package is provided by the "modern" +version of GnuPG. + +This means: + + * supporting daemons are auto-launched as needed + + * all access to secret key material is handled by gpg-agent + + * all smartcard access is handled by scdaemon + + * all network access is handled by dirmngr + + * PGPv3 keys are no longer supported + + * secret keys are no longer stored in $GNUPGHOME/secring.gpg, but + instead in $GNUPGHOME/private-keys-v1.d/ + + * public keyrings are stored in keybox format (~/.gnupg/pubring.kbx) by + default for new users. Upgrading users will continue to use + pubring.gpg until they decide to explicitly convert. + +Converting an existing installation +----------------------------------- + +If you have an existing GnuPG homedir from "classic" GnuPG, secret +keys should be migrated automatically upon the first run of the +"modern" version. + +If you have any secret keys that are stored only in a smartcard, after +your first use of "modern" gpg you should insert the card and run: + + gpg --card-status + + (see https://bugs.debian.org/795881) + +Public keys will not be automatically migrated from pubring.gpg to +pubring.kbx, however. If you want to migrate your public keyring, you +can use a script like /usr/bin/migrate-pubring-from-classic-gpg + + -- Daniel Kahn Gillmor , Mon, 18 Apr 2016 19:08:36 -0400 diff --git a/gnupg.docs b/gnupg.docs new file mode 100644 index 0000000..b182260 --- /dev/null +++ b/gnupg.docs @@ -0,0 +1,9 @@ +NEWS +README +THANKS +TODO +doc/DETAILS +doc/FAQ +doc/HACKING +doc/KEYSERVER +doc/OpenPGP diff --git a/gnupg.examples b/gnupg.examples new file mode 100644 index 0000000..3e74b94 --- /dev/null +++ b/gnupg.examples @@ -0,0 +1 @@ +doc/examples/gpgconf.conf diff --git a/gnupg.info b/gnupg.info new file mode 100644 index 0000000..e4baa0f --- /dev/null +++ b/gnupg.info @@ -0,0 +1,3 @@ +debian/tmp/usr/share/info/gnupg.info* +doc/gnupg-card-architecture.png +doc/gnupg-module-overview.png diff --git a/gnupg.install b/gnupg.install new file mode 100644 index 0000000..12fb913 --- /dev/null +++ b/gnupg.install @@ -0,0 +1,13 @@ +build/tools/gpg-zip usr/bin +build/tools/gpgsplit usr/bin +debian/migrate-pubring-from-classic-gpg usr/bin +debian/tmp/usr/bin/gpg +debian/tmp/usr/bin/gpgconf +debian/tmp/usr/bin/gpgparsemail +debian/tmp/usr/bin/kbxutil +debian/tmp/usr/bin/watchgnupg +debian/tmp/usr/sbin/addgnupghome +debian/tmp/usr/sbin/applygnupgdefaults +debian/tmp/usr/share/gnupg/distsigkey.gpg +debian/tmp/usr/share/gnupg/gpg-conf.skel +tools/lspgpot usr/bin diff --git a/gnupg.manpages b/gnupg.manpages new file mode 100644 index 0000000..4fc76c3 --- /dev/null +++ b/gnupg.manpages @@ -0,0 +1,11 @@ +debian/gpg-zip.1 +debian/gpgsplit.1 +debian/kbxutil.1 +debian/lspgpot.1 +debian/migrate-pubring-from-classic-gpg.1 +debian/tmp/usr/share/man/man1/gpg.1 +debian/tmp/usr/share/man/man1/gpgconf.1 +debian/tmp/usr/share/man/man1/gpgparsemail.1 +debian/tmp/usr/share/man/man1/watchgnupg.1 +debian/tmp/usr/share/man/man8/addgnupghome.8 +debian/tmp/usr/share/man/man8/applygnupgdefaults.8 diff --git a/gnupg2.links b/gnupg2.links new file mode 100644 index 0000000..96fde98 --- /dev/null +++ b/gnupg2.links @@ -0,0 +1,2 @@ +usr/bin/gpg usr/bin/gpg2 +usr/share/man/man1/gpg.1.gz usr/share/man/man1/gpg2.1.gz diff --git a/gpg-check-pattern.1 b/gpg-check-pattern.1 new file mode 100644 index 0000000..05dbc1e --- /dev/null +++ b/gpg-check-pattern.1 @@ -0,0 +1,35 @@ +.TH GPG-CHECK-PATTERN "1" "March 2016" "gpg-check-pattern (GnuPG) 2.1.11" "User Commands" + +.SH NAME +gpg-check-pattern \- Check a passphrase on stdin against the patternfile + +.SH SYNOPSIS +.B gpg\-check\-pattern +.RB [ options ] +.I patternfile + +.SH DESCRIPTION +.B gpg\-check\-pattern checks a passphrase given on stdin against a specified patternfile. + +.SH OPTIONS +.TP +.BR \-v ", " \-\-verbose +Produce verbose output +.TP +.BR \-\-check +run only a syntax check on the patternfile +.TP +.BR \-0 ", " \-\-null +input is expected to be null delimited +.PP +Please report bugs to . + +.SH COPYRIGHT +Copyright \(co 2016 Free Software Foundation, Inc. +License GPLv3+: GNU GPL version 3 or later + +This is free software: you are free to change and redistribute it. +There is NO WARRANTY, to the extent permitted by law. + +This manpage was written by \fBDaniel Kahn Gillmor\fR for the Debian +distribution (but may be used by others). diff --git a/gpg-zip.1 b/gpg-zip.1 new file mode 100644 index 0000000..cba5db4 --- /dev/null +++ b/gpg-zip.1 @@ -0,0 +1,102 @@ +.TH "GPG\-ZIP" 1 "November 2006" + +.SH NAME +gpg\-zip \- encrypt or sign files into an archive + +.SH SYNOPSIS +.B gpg\-zip +.RB [ OPTIONS ] +.IR filename1 " [" "filename2, ..." ] +.IR directory1 " [" "directory2, ..." ] + +.SH DESCRIPTION +This manual page documents briefly the +.B gpg\-zip +command. +.PP +.B gpg\-zip +encrypts or signs files into an archive. It is an gpg-ized tar using the +same format as PGP's PGP Zip. + +.SH OPTIONS +.TP +.BR \-e ", " \-\-encrypt +Encrypt data. This option may be combined with +.B \-\-symmetric +(for output that may be decrypted via a secret key or a passphrase). +.TP +.BR \-d ", " \-\-decrypt +Decrypt data. +.TP +.BR \-c ", " \-\-symmetric +Encrypt with a symmetric cipher using a passphrase. The default +symmetric cipher used is CAST5, but may be chosen with the +.B \-\-cipher\-algo +option to +.BR gpg (1). +.TP +.BR \-s ", " \-\-sign +Make a signature. See +.BR gpg (1). +.TP +.BR \-r ", " \-\-recipient " \fIUSER\fR" +Encrypt for user id \fIUSER\fR. See +.BR gpg (1). +.TP +.BR \-u ", " \-\-local\-user " \fIUSER\fR" +Use \fIUSER\fR as the key to sign with. See +.BR gpg (1). +.TP +.B \-\-list\-archive +List the contents of the specified archive. +.TP +.BR \-o ", " \-\-output " " \fIFILE\fR" +Write output to specified file +.IR FILE . +.TP +.BI \-\-gpg " GPG" +Use the specified command instead of +.BR gpg . +.TP +.BI \-\-gpg\-args " ARGS" +Pass the specified options to +.BR gpg (1). +.TP +.BI \-\-tar " TAR" +Use the specified command instead of +.BR tar . +.TP +.BI \-\-tar\-args " ARGS" +Pass the specified options to +.BR tar (1). +.TP +.BR \-h ", " \-\-help +Output a short usage information. +.TP +.B \-\-version +Output the program version. + +.SH DIAGNOSTICS +The program returns \fB0\fR if everything was fine, \fB1\fR otherwise. + +.SH EXAMPLES +Encrypt the contents of directory \fImydocs\fR for user Bob to file \fItest1\fR: +.IP +.B gpg\-zip \-\-encrypt \-\-output test1 \-\-gpg-args ""\-r Bob"" mydocs +.PP +List the contents of archive \fItest1\fR: +.IP +.B gpg\-zip \-\-list\-archive test1 + +.SH SEE ALSO +.BR gpg (1), +.BR tar (1) + +.SH AUTHOR +Copyright (C) 2005 Free Software Foundation, Inc. Please report bugs to +<\&bug-gnupg@gnu.org\&>. + +This manpage was written by \fBColin Tuckley\fR <\&colin@tuckley.org\&> +and \fBDaniel Leidert\fR <\&daniel.leidert@wgdd.de\&> for the Debian +distribution (but may be used by others). + diff --git a/gpgsm.install b/gpgsm.install new file mode 100644 index 0000000..8822607 --- /dev/null +++ b/gpgsm.install @@ -0,0 +1 @@ +debian/tmp/usr/bin/gpgsm diff --git a/gpgsm.manpages b/gpgsm.manpages new file mode 100644 index 0000000..ad6a686 --- /dev/null +++ b/gpgsm.manpages @@ -0,0 +1 @@ +debian/tmp/usr/share/man/man1/gpgsm.1 diff --git a/gpgsplit.1 b/gpgsplit.1 new file mode 100644 index 0000000..116ce89 --- /dev/null +++ b/gpgsplit.1 @@ -0,0 +1,41 @@ +.TH "gpgsplit" 1 "December 2005" + +.SH NAME +gpgsplit \- Split an OpenPGP message into packets + +.SH SYNOPSIS +.B gpgsplit +.RI [ OPTIONS ] +.RI [ FILES ] + +.SH DESCRIPTION +This manual page documents briefly the +.B gpgsplit +command. +.PP +.B gpgsplit +splits an OpenPGP message into packets. + +.SH OPTIONS +.TP +.BR \-v , \-\-verbose +Verbose. +.TP +.BR \-p , "\-\-prefix " \fISTRING\fR +Prepend filenames with \fISTRING\fR. +.TP +.B \-\-uncompress +Uncompress a packet. +.TP +.B \-\-secret\-to\-public +Convert secret keys to public keys. +.TP +.B \-\-no\-split +Write to stdout and don't actually split. + +.SH AUTHOR +Copyright (C) 2002 Free Software Foundation, Inc. Please report bugs to +. + +This manpage was written by Francois Wendling . + diff --git a/gpgv-static.1 b/gpgv-static.1 new file mode 100644 index 0000000..c8dcc1a --- /dev/null +++ b/gpgv-static.1 @@ -0,0 +1,32 @@ +.TH GPGV-STATIC "1" "November 2016" "GnuPG" "Gnu Privacy Guard 2.1" + +.SH NAME +gpgv-static - Verify OpenPGP signatures (static build) + +.SH SYNOPSIS +.B gpgv-static [\fIoptions\fP] \fIsigned_files\fP + +.SH DESCRIPTION +\fBgpgv\fR is an OpenPGP signature verification tool. + +\fBgpgv-static\fR is \fBgpgv\fR built statically so that it can be +directly used on any platform that is running on the Linux kernel, +such as Android, ChromeOS, or many embedded Linux systems. + +This version of \fBgpgv\fR in combination with \fBdebootstrap\fR and +the Debian archive keyring allows the secure creation of chroot +installs on these platforms by using the full Debian signature +verification that is present in all official Debian mirrors. + +You may wish to re-name the binary to plain \fBgpgv\fR when +transferring it into such a platform to create a chroot. + +Please read the documentation for \fBgpgv\fR for more details. + +.SH SEE ALSO +\fBgpg\fR(1) + +.SH AUTHOR +This manual page was written by Daniel Kahn Gillmor + for the Debian project, but may be used by +others under the same license as GnuPG itself. diff --git a/gpgv-static.install b/gpgv-static.install new file mode 100644 index 0000000..adb6deb --- /dev/null +++ b/gpgv-static.install @@ -0,0 +1 @@ +build-gpgv-static/g10/gpgv-static usr/bin/ diff --git a/gpgv-static.lintian-overrides b/gpgv-static.lintian-overrides new file mode 100644 index 0000000..fa0b8df --- /dev/null +++ b/gpgv-static.lintian-overrides @@ -0,0 +1,3 @@ +# gpgv-static is deliberately built statically. We cannot avoid +# embedding zlib. +gpgv-static: embedded-library usr/bin/gpgv-static: zlib diff --git a/gpgv-static.manpages b/gpgv-static.manpages new file mode 100644 index 0000000..e3f73aa --- /dev/null +++ b/gpgv-static.manpages @@ -0,0 +1 @@ +debian/gpgv-static.1 diff --git a/gpgv-udeb.install b/gpgv-udeb.install new file mode 100644 index 0000000..fe27533 --- /dev/null +++ b/gpgv-udeb.install @@ -0,0 +1 @@ +build-gpgv-udeb/g10/gpgv usr/bin/ diff --git a/gpgv-win32.install b/gpgv-win32.install new file mode 100644 index 0000000..cf3cd8c --- /dev/null +++ b/gpgv-win32.install @@ -0,0 +1 @@ +build-gpgv-win32/g10/gpgv.exe usr/share/win32 diff --git a/gpgv.install b/gpgv.install new file mode 100644 index 0000000..0a9f9a2 --- /dev/null +++ b/gpgv.install @@ -0,0 +1 @@ +debian/tmp/usr/bin/gpgv diff --git a/gpgv.manpages b/gpgv.manpages new file mode 100644 index 0000000..86a9e29 --- /dev/null +++ b/gpgv.manpages @@ -0,0 +1 @@ +debian/tmp/usr/share/man/man1/gpgv.1 diff --git a/gpgv2.links b/gpgv2.links new file mode 100644 index 0000000..5107429 --- /dev/null +++ b/gpgv2.links @@ -0,0 +1,2 @@ +usr/bin/gpgv usr/bin/gpgv2 +usr/share/man/man1/gpgv.1.gz usr/share/man/man1/gpgv2.1.gz diff --git a/kbxutil.1 b/kbxutil.1 new file mode 100644 index 0000000..52b338a --- /dev/null +++ b/kbxutil.1 @@ -0,0 +1,62 @@ +.TH KBXUTIL "1" "March 2016" "kbxutil (GnuPG) 2.1.11" "User Commands" + +.SH NAME +kbxutil \- List, export, import Keybox data + +.SH SYNOPSIS +.B kbxutil +.RB [ OPTIONS ] +.RB [ FILES ] + +.SH DESCRIPTION +List, export, import Keybox data + +.SH COMMANDS +.TP +.B \-\-stats +show key statistics +.TP +.B \-\-import\-openpgp +import OpenPGP keyblocks +.TP +.B \-\-find\-dups +find duplicates +.TP +.B \-\-cut +export records + +.SH OPTIONS +.TP +.BI \-\-from " N" +first record to export +.TP +.BI \-\-to " N" +last record to export +.TP +.BR \-v ", " \-\-verbose +verbose +.TP +.BR \-q ", " \-\-quiet +be somewhat more quiet +.TP +.BR \-n ", " \-\-dry\-run +do not make any changes +.TP +.B \-\-debug +set debugging flags +.TP +.B \-\-debug\-all +enable full debugging + +.SH BUGS +Please report bugs to . + +.SH COPYRIGHT +Copyright \(co 2016 Free Software Foundation, Inc. +License GPLv3+: GNU GPL version 3 or later + +This is free software: you are free to change and redistribute it. +There is NO WARRANTY, to the extent permitted by law. + +This manpage was written by \fBDaniel Kahn Gillmor\fR for the Debian +distribution (but may be used by others). diff --git a/lspgpot.1 b/lspgpot.1 new file mode 100644 index 0000000..ba27eca --- /dev/null +++ b/lspgpot.1 @@ -0,0 +1,22 @@ +.TH "lspgpot" 1 "December 2005" + +.SH NAME +lspgpot - extracts the ownertrust values from PGP keyrings and list them in +GnuPG ownertrust format. + + +.SH SYNOPSIS +.B lspgpot + + +.SH DESCRIPTION +.B lspgpot +extracts the ownertrust values from PGP keyrings and list them in +GnuPG ownertrust format. + +.SH AUTHOR +Copyright (C) 2002 Free Software Foundation, Inc. Please report bugs to +. + +This manpage was written by Francois Wendling . + diff --git a/migrate-pubring-from-classic-gpg b/migrate-pubring-from-classic-gpg new file mode 100755 index 0000000..13ee1f8 --- /dev/null +++ b/migrate-pubring-from-classic-gpg @@ -0,0 +1,76 @@ +#!/bin/bash + +# script to migrate fully from pubring.gpg to pubring.kbx + +# Author: Daniel Kahn Gillmor +# Date: 2016-04-01 +# License: GPLv3+ + +# This was written for the Debian project + +set -e + +GPG="${GPG:-gpg}" + +# select the default GnuPG home directory to work from: +GHD=${GNUPGHOME:-${HOME:-$(getent passwd "$(id -u)" | cut -f6 -d:)}/.gnupg} + +# Check that this is gnupg 2.1 or 2.2: +VERSION=$("$GPG" --version | head -n1 | cut -f3 -d\ | cut -f1,2 -d.) +if [ "$VERSION" != 2.1 ] && [ "$VERSION" != 2.2 ] ; then + printf '%s is version %s not version 2.1 or 2.2, this script might be wrong\n' "$GPG" "$VERSION" >&2 + exit 1 +fi + +usage() { + printf 'Usage: %s [GPGHOMEDIR|--default] +\tMigrate public keyring in GPGHOMEDIR from "classic" to "modern" GnuPG +\tusing %s version %s. + +\t--default migrates the GnuPG home directory at "%s" +' "$0" "$GPG" "$VERSION" "$GHD" +} + +if [ -z "$1" ]; then + usage >&2 + exit 1 +else + case "$1" in + --help|--usage|-h) + usage + exit + ;; + --default) + ;; + *) + GHD="$1" + ;; + esac +fi + +# ensure that there is a pubring.gpg to migrate: +if ! [ -f "$GHD/pubring.gpg" ]; then + printf 'There is no %s/pubring.gpg, no need to migrate\n' "$GHD" >&2 + exit +fi +if ! [ -s "$GHD/pubring.gpg" ]; then + mv -- "$GHD/pubring.gpg" "$GHD/pubring.gpg.empty" + printf '%s/pubring.gpg was empty (and has been moved out of the way), no need to migrate\n' "$GHD" >&2 + exit +fi + +BACKUP="$(mktemp -d "$GHD/migrate-from-classic-backup.$(date +%F).XXXXXX")" +printf 'Migrating from:\n%s\n[Backing up to %s]\n' "$(ls -l "$GHD/pubring.gpg")" "$BACKUP" >&2 + +"$GPG" --export-ownertrust > "$BACKUP/ownertrust.txt" +mv "$GHD/pubring.gpg" "$BACKUP/" +"$GPG" --import-options import-local-sigs,keep-ownertrust,repair-pks-subkey-bug --import < "$BACKUP/pubring.gpg" +"$GPG" --import-ownertrust < "$BACKUP/ownertrust.txt" +"$GPG" --check-trustdb + +if ! [ -f "$GHD/pubring.kbx" ]; then + printf 'No keybox was created at %s/pubring.kbx. Something went wrong!\n' "$GHD" >&2 + exit 1 +fi + +printf 'Migration completed successfully:\n%s\n' "$(ls -l "$GHD/pubring.kbx")" >&2 diff --git a/migrate-pubring-from-classic-gpg.1 b/migrate-pubring-from-classic-gpg.1 new file mode 100644 index 0000000..4d26b89 --- /dev/null +++ b/migrate-pubring-from-classic-gpg.1 @@ -0,0 +1,50 @@ +.TH "MIGRATE-PUBRING-FROM-CLASSIC-GPG" 1 "April 2016" + +.SH NAME +migrate\-pubring\-from\-classic\-gpg \- Migrate a public keyring from "classic" to "modern" GnuPG + +.SH SYNOPSIS +.B migrate\-pubring\-from\-classic\-gpg +.RB "[ " GPGHOMEDIR " | " +.IR \-\-default " ]" + +.SH DESCRIPTION + +.B migrate\-pubring\-from\-classic\-gpg +migrates the public keyring in GnuPG home directory GPGHOMEDIR from +the "classic" keyring format to the "modern" keybox format using GnuPG +versions 2.1 or 2.2. + +Specifying +.B \-\-default +selects the standard GnuPG home directory (looking at $GNUPGHOME +first, and falling back to ~/.gnupg if unset. + +.SH OPTIONS +.BR \-h ", " \-\-help ", " \-\-usage +Output a short usage information. + +.SH DIAGNOSTICS +The program sends quite a bit of text (perhaps too much) to stderr. + +During a migration, the tool backs up several pieces of data in a +timestamped subdirectory of the GPGHOMEDIR. + +.SH ENVIRONMENT VARIABLES + +.B GNUPGHOME +Selects the GnuPG home directory when set and --default is given. + +.B GPG +The name of the +.B gpg +executable (defaults to +.B gpg +). + +.SH SEE ALSO +.BR gpg (1) + +.SH AUTHOR +Copyright (C) 2016 Daniel Kahn Gillmor for the Debian project. Please +report bugs via the Debian BTS. diff --git a/patches/0012-tools-Fix-memory-leak.patch b/patches/0012-tools-Fix-memory-leak.patch new file mode 100644 index 0000000..4d47557 --- /dev/null +++ b/patches/0012-tools-Fix-memory-leak.patch @@ -0,0 +1,28 @@ +From: Justus Winter +Date: Mon, 23 Jan 2017 11:52:30 +0100 +Subject: tools: Fix memory leak. + +* tools/gpgconf-comp.c (change_options_file): Fix leak. +-- +Previously, 'src_filename' and 'orig_filename' leaked if creating the +backup file failed. + +Signed-off-by: Justus Winter +(cherry picked from commit 5b28f025085b386e0ec49535d4cd3f875a414eb0) +--- + tools/gpgconf-comp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/gpgconf-comp.c b/tools/gpgconf-comp.c +index a25b5136e..85eb80ab5 100644 +--- a/tools/gpgconf-comp.c ++++ b/tools/gpgconf-comp.c +@@ -2641,6 +2641,8 @@ change_options_file (gc_component_t component, gc_backend_t backend, + if (res < 0 && errno != ENOENT) + { + xfree (dest_filename); ++ xfree (src_filename); ++ xfree (orig_filename); + return -1; + } + if (res < 0) diff --git a/patches/0013-tools-Improve-error-handling.patch b/patches/0013-tools-Improve-error-handling.patch new file mode 100644 index 0000000..b0034da --- /dev/null +++ b/patches/0013-tools-Improve-error-handling.patch @@ -0,0 +1,29 @@ +From: Justus Winter +Date: Mon, 23 Jan 2017 14:24:22 +0100 +Subject: tools: Improve error handling. + +* tools/gpgconf-comp.c (gp_component_change_options): Improve error +handling when reading from stdin. +-- +Previously, errors encountered while reading the configuration changes +were ignored. + +Signed-off-by: Justus Winter +(cherry picked from commit b0348fdb26637b0bcbd68a96c1746a1613b309af) +--- + tools/gpgconf-comp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/gpgconf-comp.c b/tools/gpgconf-comp.c +index 85eb80ab5..180fd65c2 100644 +--- a/tools/gpgconf-comp.c ++++ b/tools/gpgconf-comp.c +@@ -3328,6 +3328,8 @@ gc_component_change_options (int component, estream_t in, estream_t out, + + change_one_value (option, runtime, flags, new_value, 0); + } ++ if (length < 0 || gpgrt_ferror (in)) ++ gc_error (1, errno, "error reading stream 'in'"); + } + + /* Now that we have collected and locally verified the changes, diff --git a/patches/0014-dirmngr-New-option-disable-ipv4.patch b/patches/0014-dirmngr-New-option-disable-ipv4.patch new file mode 100644 index 0000000..0aa0549 --- /dev/null +++ b/patches/0014-dirmngr-New-option-disable-ipv4.patch @@ -0,0 +1,245 @@ +From: Werner Koch +Date: Tue, 24 Jan 2017 16:36:28 +0100 +Subject: dirmngr: New option --disable-ipv4. + +* dirmngr/dirmngr.c (oDisableIPv4): New const. +(opts): New option --disable-ipv4. +(parse_rereadable_options): Set that option. +* dirmngr/dirmngr.h (opt): New field 'disable_ipv4'. +* dirmngr/dns-stuff.c (opt_disable_ipv4): bew var. +(set_dns_disable_ipv4): New. +(resolve_name_standard): Skip v4 addresses when OPT_DISABLE_IPV4 is +set. +* dirmngr/ks-engine-hkp.c (map_host): Ditto. +(send_request): Pass HTTP_FLAG_IGNORE_IPv4 if opt.disable_v4 is set. +* dirmngr/crlfetch.c (crl_fetch): Ditto. +* dirmngr/ks-engine-finger.c (ks_finger_fetch): Ditto. +* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto. +* dirmngr/ocsp.c (do_ocsp_request): Ditto. + +Signed-off-by: Werner Koch +(cherry picked from commit 72736af86a501592d974d46ff754a63959e183bd) +--- + dirmngr/crlfetch.c | 4 +++- + dirmngr/dirmngr.c | 5 +++++ + dirmngr/dirmngr.h | 1 + + dirmngr/dns-stuff.c | 15 +++++++++++++++ + dirmngr/dns-stuff.h | 4 ++++ + dirmngr/ks-engine-finger.c | 4 +++- + dirmngr/ks-engine-hkp.c | 8 ++++++-- + dirmngr/ks-engine-http.c | 3 ++- + dirmngr/ocsp.c | 3 ++- + doc/dirmngr.texi | 5 +++++ + 10 files changed, 46 insertions(+), 6 deletions(-) + +diff --git a/dirmngr/crlfetch.c b/dirmngr/crlfetch.c +index 8fe6e0b1b..aa82137f7 100644 +--- a/dirmngr/crlfetch.c ++++ b/dirmngr/crlfetch.c +@@ -198,7 +198,9 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader) + err = http_open_document (&hd, url, NULL, + ((opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0) + |(DBG_LOOKUP? HTTP_FLAG_LOG_RESP:0) +- |(opt.use_tor? HTTP_FLAG_FORCE_TOR:0)), ++ |(opt.use_tor? HTTP_FLAG_FORCE_TOR:0) ++ |(opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4:0) ++ ), + ctrl->http_proxy, NULL, NULL, NULL); + + switch ( err? 99999 : http_get_status_code (hd) ) +diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c +index 8d9de9e5a..83356c94c 100644 +--- a/dirmngr/dirmngr.c ++++ b/dirmngr/dirmngr.c +@@ -111,6 +111,7 @@ enum cmd_and_opt_values { + oBatch, + oDisableHTTP, + oDisableLDAP, ++ oDisableIPv4, + oIgnoreLDAPDP, + oIgnoreHTTPDP, + oIgnoreOCSPSvcUrl, +@@ -224,6 +225,8 @@ static ARGPARSE_OPTS opts[] = { + + ARGPARSE_s_n (oUseTor, "use-tor", N_("route all network traffic via Tor")), + ++ ARGPARSE_s_n (oDisableIPv4, "disable-ipv4", "@"), ++ + ARGPARSE_s_s (oSocketName, "socket-name", "@"), /* Only for debugging. */ + + ARGPARSE_s_u (oFakedSystemTime, "faked-system-time", "@"), /*(epoch time)*/ +@@ -586,6 +589,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread) + + case oDisableHTTP: opt.disable_http = 1; break; + case oDisableLDAP: opt.disable_ldap = 1; break; ++ case oDisableIPv4: opt.disable_ipv4 = 1; break; + case oHonorHTTPProxy: opt.honor_http_proxy = 1; break; + case oHTTPProxy: opt.http_proxy = pargs->r.ret_str; break; + case oLDAPProxy: opt.ldap_proxy = pargs->r.ret_str; break; +@@ -645,6 +649,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread) + + set_dns_verbose (opt.verbose, !!DBG_DNS); + http_set_verbose (opt.verbose, !!DBG_NETWORK); ++ set_dns_disable_ipv4 (opt.disable_ipv4); + + return 1; /* Handled. */ + } +diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h +index acd4c636d..fd80d7237 100644 +--- a/dirmngr/dirmngr.h ++++ b/dirmngr/dirmngr.h +@@ -98,6 +98,7 @@ struct + + int disable_http; /* Do not use HTTP at all. */ + int disable_ldap; /* Do not use LDAP at all. */ ++ int disable_ipv4; /* Do not use leagacy IP addresses. */ + int honor_http_proxy; /* Honor the http_proxy env variable. */ + const char *http_proxy; /* The default HTTP proxy. */ + const char *ldap_proxy; /* Use given LDAP proxy. */ +diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c +index 9347196b3..ad19fc2ce 100644 +--- a/dirmngr/dns-stuff.c ++++ b/dirmngr/dns-stuff.c +@@ -119,6 +119,10 @@ static int opt_debug; + /* The timeout in seconds for libdns requests. */ + static int opt_timeout; + ++/* The flag to disable IPv4 access - right now this only skips ++ * returned A records. */ ++static int opt_disable_ipv4; ++ + /* If set force the use of the standard resolver. */ + static int standard_resolver; + +@@ -227,6 +231,15 @@ set_dns_verbose (int verbose, int debug) + } + + ++/* Set the Disable-IPv4 flag so that the name resolver does not return ++ * A addresses. */ ++void ++set_dns_disable_ipv4 (int yes) ++{ ++ opt_disable_ipv4 = !!yes; ++} ++ ++ + /* Set the timeout for libdns requests to SECONDS. A value of 0 sets + * the default timeout and values are capped at 10 minutes. */ + void +@@ -873,6 +886,8 @@ resolve_name_standard (const char *name, unsigned short port, + { + if (ai->ai_family != AF_INET6 && ai->ai_family != AF_INET) + continue; ++ if (opt_disable_ipv4 && ai->ai_family == AF_INET) ++ continue; + + dai = xtrymalloc (sizeof *dai + ai->ai_addrlen - 1); + dai->family = ai->ai_family; +diff --git a/dirmngr/dns-stuff.h b/dirmngr/dns-stuff.h +index d68dd1728..9eb97fd6a 100644 +--- a/dirmngr/dns-stuff.h ++++ b/dirmngr/dns-stuff.h +@@ -95,6 +95,10 @@ struct srventry + /* Set verbosity and debug mode for this module. */ + void set_dns_verbose (int verbose, int debug); + ++/* Set the Disable-IPv4 flag so that the name resolver does not return ++ * A addresses. */ ++void set_dns_disable_ipv4 (int yes); ++ + /* Set the timeout for libdns requests to SECONDS. */ + void set_dns_timeout (int seconds); + +diff --git a/dirmngr/ks-engine-finger.c b/dirmngr/ks-engine-finger.c +index b1f02ad7d..114f2e9ac 100644 +--- a/dirmngr/ks-engine-finger.c ++++ b/dirmngr/ks-engine-finger.c +@@ -83,7 +83,9 @@ ks_finger_fetch (ctrl_t ctrl, parsed_uri_t uri, estream_t *r_fp) + *server++ = 0; + + err = http_raw_connect (&http, server, 79, +- (opt.use_tor? HTTP_FLAG_FORCE_TOR : 0), NULL); ++ ((opt.use_tor? HTTP_FLAG_FORCE_TOR : 0) ++ | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)), ++ NULL); + if (err) + { + xfree (name); +diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c +index 2b90441e2..dad83efcd 100644 +--- a/dirmngr/ks-engine-hkp.c ++++ b/dirmngr/ks-engine-hkp.c +@@ -526,6 +526,8 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect, + { + if (ai->family != AF_INET && ai->family != AF_INET6) + continue; ++ if (opt.disable_ipv4 && ai->family == AF_INET) ++ continue; + dirmngr_tick (ctrl); + + add_host (name, is_pool, ai, 0, reftbl, reftblsize, &refidx); +@@ -607,7 +609,8 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect, + { + for (ai = aibuf; ai; ai = ai->next) + { +- if (ai->family == AF_INET6 || ai->family == AF_INET) ++ if (ai->family == AF_INET6 ++ || (!opt.disable_ipv4 && ai->family == AF_INET)) + { + err = resolve_dns_addr (ai->addr, ai->addrlen, 0, &host); + if (!err) +@@ -1058,7 +1061,8 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr, + /* fixme: AUTH */ NULL, + (httpflags + |(opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0) +- |(opt.use_tor? HTTP_FLAG_FORCE_TOR:0)), ++ |(opt.use_tor? HTTP_FLAG_FORCE_TOR:0) ++ |(opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)), + ctrl->http_proxy, + session, + NULL, +diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c +index 858c943ea..dbbf4bb79 100644 +--- a/dirmngr/ks-engine-http.c ++++ b/dirmngr/ks-engine-http.c +@@ -88,7 +88,8 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp) + /* httphost */ NULL, + /* fixme: AUTH */ NULL, + ((opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0) +- | (opt.use_tor? HTTP_FLAG_FORCE_TOR:0)), ++ | (opt.use_tor? HTTP_FLAG_FORCE_TOR:0) ++ | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)), + ctrl->http_proxy, + session, + NULL, +diff --git a/dirmngr/ocsp.c b/dirmngr/ocsp.c +index 9127cf754..b46c78567 100644 +--- a/dirmngr/ocsp.c ++++ b/dirmngr/ocsp.c +@@ -174,7 +174,8 @@ do_ocsp_request (ctrl_t ctrl, ksba_ocsp_t ocsp, gcry_md_hd_t md, + once_more: + err = http_open (&http, HTTP_REQ_POST, url, NULL, NULL, + ((opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0) +- | (opt.use_tor? HTTP_FLAG_FORCE_TOR:0)), ++ | (opt.use_tor? HTTP_FLAG_FORCE_TOR:0) ++ | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)), + ctrl->http_proxy, NULL, NULL, NULL); + if (err) + { +diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi +index dd104273d..b00c2d377 100644 +--- a/doc/dirmngr.texi ++++ b/doc/dirmngr.texi +@@ -312,6 +312,11 @@ not be used a different one can be given using this option. Note that + a numerical IP address must be given (IPv6 or IPv4) and that no error + checking is done for @var{ipaddr}. + ++@item --disable-ipv4 ++@opindex disable-ipv4 ++Disable the use of all IPv4 addresses. This option is mainly useful ++for debugging. ++ + @item --disable-ldap + @opindex disable-ldap + Entirely disables the use of LDAP. diff --git a/patches/0015-dirmngr-Simplify-error-returning-inside-http.c.patch b/patches/0015-dirmngr-Simplify-error-returning-inside-http.c.patch new file mode 100644 index 0000000..bcf4ee6 --- /dev/null +++ b/patches/0015-dirmngr-Simplify-error-returning-inside-http.c.patch @@ -0,0 +1,255 @@ +From: Werner Koch +Date: Tue, 24 Jan 2017 18:41:43 +0100 +Subject: dirmngr: Simplify error returning inside http.c. + +* dirmngr/http.c (connect_server): Change to return an gpg_error_t +and to store socket at the passed address. +(http_raw_connect, send_request): Adjust accordingly. +-- + +This change removes cruft from the code and allows to return the error +code from the name lookup. + +Signed-off-by: Werner Koch +(cherry picked from commit 51e5a5e5a46279809848b4ab4419f35045336010) +--- + dirmngr/http.c | 101 ++++++++++++++++++++++++++++----------------------------- + 1 file changed, 50 insertions(+), 51 deletions(-) + +diff --git a/dirmngr/http.c b/dirmngr/http.c +index 35877d241..fe9c3c734 100644 +--- a/dirmngr/http.c ++++ b/dirmngr/http.c +@@ -155,9 +155,9 @@ static gpg_error_t send_request (http_t hd, const char *httphost, + static char *build_rel_path (parsed_uri_t uri); + static gpg_error_t parse_response (http_t hd); + +-static assuan_fd_t connect_server (const char *server, unsigned short port, ++static gpg_error_t connect_server (const char *server, unsigned short port, + unsigned int flags, const char *srvtag, +- int *r_host_not_found); ++ assuan_fd_t *r_sock); + static gpg_error_t write_server (int sock, const char *data, size_t length); + + static gpgrt_ssize_t cookie_read (void *cookie, void *buffer, size_t size); +@@ -924,7 +924,6 @@ http_raw_connect (http_t *r_hd, const char *server, unsigned short port, + gpg_error_t err = 0; + http_t hd; + cookie_t cookie; +- int hnf; + + *r_hd = NULL; + +@@ -950,12 +949,9 @@ http_raw_connect (http_t *r_hd, const char *server, unsigned short port, + { + assuan_fd_t sock; + +- sock = connect_server (server, port, hd->flags, srvtag, &hnf); +- if (sock == ASSUAN_INVALID_FD) ++ err = connect_server (server, port, hd->flags, srvtag, &sock); ++ if (err) + { +- err = gpg_err_make (default_errsource, +- (hnf? GPG_ERR_UNKNOWN_HOST +- : gpg_err_code_from_syserror ())); + xfree (hd); + return err; + } +@@ -1643,7 +1639,6 @@ send_request (http_t hd, const char *httphost, const char *auth, + char *proxy_authstr = NULL; + char *authstr = NULL; + int sock; +- int hnf; + + if (hd->uri->use_tls && !hd->session) + { +@@ -1713,7 +1708,6 @@ send_request (http_t hd, const char *httphost, const char *auth, + && *http_proxy )) + { + parsed_uri_t uri; +- int save_errno; + + if (proxy) + http_proxy = proxy; +@@ -1760,25 +1754,20 @@ send_request (http_t hd, const char *httphost, const char *auth, + } + } + +- sock = connect_server (*uri->host ? uri->host : "localhost", +- uri->port ? uri->port : 80, +- hd->flags, srvtag, &hnf); +- save_errno = errno; ++ err = connect_server (*uri->host ? uri->host : "localhost", ++ uri->port ? uri->port : 80, ++ hd->flags, srvtag, &sock); + http_release_parsed_uri (uri); +- if (sock == ASSUAN_INVALID_FD) +- gpg_err_set_errno (save_errno); + } + else + { +- sock = connect_server (server, port, hd->flags, srvtag, &hnf); ++ err = connect_server (server, port, hd->flags, srvtag, &sock); + } + +- if (sock == ASSUAN_INVALID_FD) ++ if (err) + { + xfree (proxy_authstr); +- return gpg_err_make (default_errsource, +- (hnf? GPG_ERR_UNKNOWN_HOST +- : gpg_err_code_from_syserror ())); ++ return err; + } + hd->sock = my_socket_new (sock); + if (!hd->sock) +@@ -1788,7 +1777,6 @@ send_request (http_t hd, const char *httphost, const char *auth, + } + + +- + #if HTTP_USE_NTBTLS + if (hd->uri->use_tls) + { +@@ -2476,11 +2464,13 @@ my_sock_new_for_addr (struct sockaddr *addr, int type, int proto) + } + + +-/* Actually connect to a server. Returns the file descriptor or -1 on +- error. ERRNO is set on error. */ +-static assuan_fd_t ++/* Actually connect to a server. On success 0 is returned and the ++ * file descriptor for the socket is stored at R_SOCK; on error an ++ * error code is returned and ASSUAN_INVALID_FD is stored at ++ * R_SOCK. */ ++static gpg_error_t + connect_server (const char *server, unsigned short port, +- unsigned int flags, const char *srvtag, int *r_host_not_found) ++ unsigned int flags, const char *srvtag, assuan_fd_t *r_sock) + { + gpg_error_t err; + assuan_fd_t sock = ASSUAN_INVALID_FD; +@@ -2488,11 +2478,11 @@ connect_server (const char *server, unsigned short port, + int hostfound = 0; + int anyhostaddr = 0; + int srv, connected; +- int last_errno = 0; ++ gpg_error_t last_err = 0; + struct srventry *serverlist = NULL; +- int ret; + +- *r_host_not_found = 0; ++ *r_sock = ASSUAN_INVALID_FD; ++ + #if defined(HAVE_W32_SYSTEM) && !defined(HTTP_NO_WSASTARTUP) + init_sockets (); + #endif /*Windows*/ +@@ -2509,18 +2499,21 @@ connect_server (const char *server, unsigned short port, + ASSUAN_SOCK_TOR); + if (sock == ASSUAN_INVALID_FD) + { +- if (errno == EHOSTUNREACH) +- *r_host_not_found = 1; +- log_error ("can't connect to '%s': %s\n", server, strerror (errno)); ++ err = gpg_err_make (default_errsource, ++ (errno == EHOSTUNREACH)? GPG_ERR_UNKNOWN_HOST ++ : gpg_err_code_from_syserror ()); ++ log_error ("can't connect to '%s': %s\n", server, gpg_strerror (err)); ++ return err; + } +- else +- notify_netactivity (); +- return sock; ++ ++ notify_netactivity (); ++ *r_sock = sock; ++ return 0; + + #else /*!ASSUAN_SOCK_TOR*/ + +- gpg_err_set_errno (ENETUNREACH); +- return -1; /* Out of core. */ ++ err = gpg_err_make (default_errsource, GPG_ERR_ENETUNREACH); ++ return ASSUAN_INVALID_FD; + + #endif /*!HASSUAN_SOCK_TOR*/ + } +@@ -2533,6 +2526,7 @@ connect_server (const char *server, unsigned short port, + log_info ("getting '%s' SRV for '%s' failed: %s\n", + srvtag, server, gpg_strerror (err)); + /* Note that on error SRVCOUNT is zero. */ ++ err = 0; + } + + if (!serverlist) +@@ -2541,7 +2535,8 @@ connect_server (const char *server, unsigned short port, + up a fake SRV record. */ + serverlist = xtrycalloc (1, sizeof *serverlist); + if (!serverlist) +- return -1; /* Out of core. */ ++ return gpg_err_make (default_errsource, gpg_err_code_from_syserror ()); ++ + serverlist->port = port; + strncpy (serverlist->target, server, DIMof (struct srventry, target)); + serverlist->target[DIMof (struct srventry, target)-1] = '\0'; +@@ -2562,6 +2557,7 @@ connect_server (const char *server, unsigned short port, + { + log_info ("resolving '%s' failed: %s\n", + serverlist[srv].target, gpg_strerror (err)); ++ last_err = err; + continue; /* Not found - try next one. */ + } + hostfound = 1; +@@ -2578,18 +2574,20 @@ connect_server (const char *server, unsigned short port, + sock = my_sock_new_for_addr (ai->addr, ai->socktype, ai->protocol); + if (sock == ASSUAN_INVALID_FD) + { +- int save_errno = errno; +- log_error ("error creating socket: %s\n", strerror (errno)); ++ err = gpg_err_make (default_errsource, ++ gpg_err_code_from_syserror ()); ++ log_error ("error creating socket: %s\n", gpg_strerror (err)); + free_dns_addrinfo (aibuf); + xfree (serverlist); +- errno = save_errno; +- return ASSUAN_INVALID_FD; ++ return err; + } + + anyhostaddr = 1; +- ret = assuan_sock_connect (sock, ai->addr, ai->addrlen); +- if (ret) +- last_errno = errno; ++ if (assuan_sock_connect (sock, ai->addr, ai->addrlen)) ++ { ++ last_err = gpg_err_make (default_errsource, ++ gpg_err_code_from_syserror ()); ++ } + else + { + connected = 1; +@@ -2616,17 +2614,18 @@ connect_server (const char *server, unsigned short port, + server, (int)WSAGetLastError()); + #else + log_error ("can't connect to '%s': %s\n", +- server, strerror (last_errno)); ++ server, gpg_strerror (last_err)); + #endif + } +- if (!hostfound || (hostfound && !anyhostaddr)) +- *r_host_not_found = 1; ++ err = last_err? last_err : gpg_err_make (default_errsource, ++ GPG_ERR_UNKNOWN_HOST); + if (sock != ASSUAN_INVALID_FD) + assuan_sock_close (sock); +- gpg_err_set_errno (last_errno); +- return ASSUAN_INVALID_FD; ++ return err; + } +- return sock; ++ ++ *r_sock = sock; ++ return 0; + } + + diff --git a/patches/0016-gpg-Print-a-warning-on-Tor-problems.patch b/patches/0016-gpg-Print-a-warning-on-Tor-problems.patch new file mode 100644 index 0000000..1979069 --- /dev/null +++ b/patches/0016-gpg-Print-a-warning-on-Tor-problems.patch @@ -0,0 +1,188 @@ +From: Werner Koch +Date: Tue, 24 Jan 2017 20:45:31 +0100 +Subject: gpg: Print a warning on Tor problems. + +* dirmngr/ks-engine-hkp.c (tor_not_running_p): New. +(map_host): Call that to print a warning. +(handle_send_request_error): Ditto and avoid marking the host dead. +Also print a tor_config_problem warning. Add arg CTRL; adjust callers +to pass that new arg. +* g10/call-dirmngr.c (ks_status_cb): Detect and print the new +warnings. + +Signed-off-by: Werner Koch +(cherry picked from commit 770b75a746836773909af25ccb9b480e61cea677) +--- + dirmngr/ks-engine-hkp.c | 60 ++++++++++++++++++++++++++++++++++++------------- + g10/call-dirmngr.c | 26 ++++++++++++++++++++- + 2 files changed, 70 insertions(+), 16 deletions(-) + +diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c +index dad83efcd..858cd2f26 100644 +--- a/dirmngr/ks-engine-hkp.c ++++ b/dirmngr/ks-engine-hkp.c +@@ -278,6 +278,31 @@ arecords_is_pool (dns_addrinfo_t aibuf) + } + + ++/* Print a warninng iff Tor is not running but Tor has been requested. ++ * Also return true if it is not running. */ ++static int ++tor_not_running_p (ctrl_t ctrl) ++{ ++ assuan_fd_t sock; ++ ++ if (!opt.use_tor) ++ return 0; ++ ++ sock = assuan_sock_connect_byname (NULL, 0, 0, NULL, ASSUAN_SOCK_TOR); ++ if (sock != ASSUAN_INVALID_FD) ++ { ++ assuan_sock_close (sock); ++ return 0; ++ } ++ ++ log_info ("(it seems Tor is not running)\n"); ++ dirmngr_status (ctrl, "WARNING", "tor_not_running 0", ++ "Tor is enabled but the local Tor daemon" ++ " seems to be down", NULL); ++ return 1; ++} ++ ++ + /* Add the host AI under the NAME into the HOSTTABLE. If PORT is not + zero, it specifies which port to use to talk to the host. If NAME + specifies a pool (as indicated by IS_POOL), update the given +@@ -475,6 +500,8 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect, + if (err) + { + xfree (reftbl); ++ if (gpg_err_code (err) == GPG_ERR_ECONNREFUSED) ++ tor_not_running_p (ctrl); + return err; + } + +@@ -1180,13 +1207,13 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr, + } + + +-/* Helper to evaluate the error code ERR form a send_request() call ++/* Helper to evaluate the error code ERR from a send_request() call + with REQUEST. The function returns true if the caller shall try + again. TRIES_LEFT points to a variable to track the number of + retries; this function decrements it and won't return true if it is + down to zero. */ + static int +-handle_send_request_error (gpg_error_t err, const char *request, ++handle_send_request_error (ctrl_t ctrl, gpg_error_t err, const char *request, + unsigned int *tries_left) + { + int retry = 0; +@@ -1197,16 +1224,9 @@ handle_send_request_error (gpg_error_t err, const char *request, + switch (gpg_err_code (err)) + { + case GPG_ERR_ECONNREFUSED: +- if (opt.use_tor) +- { +- assuan_fd_t sock; +- +- sock = assuan_sock_connect_byname (NULL, 0, 0, NULL, ASSUAN_SOCK_TOR); +- if (sock == ASSUAN_INVALID_FD) +- log_info ("(it seems Tor is not running)\n"); +- else +- assuan_sock_close (sock); +- } ++ if (tor_not_running_p (ctrl)) ++ break; /* A retry does not make sense. */ ++ /* Okay: Tor is up or --use-tor is not used. */ + /*FALLTHRU*/ + case GPG_ERR_ENETUNREACH: + case GPG_ERR_ENETDOWN: +@@ -1224,6 +1244,16 @@ handle_send_request_error (gpg_error_t err, const char *request, + } + break; + ++ case GPG_ERR_EACCES: ++ if (opt.use_tor) ++ { ++ log_info ("(Tor configuration problem)\n"); ++ dirmngr_status (ctrl, "WARNING", "tor_config_problem 0", ++ "Please check that the \"SocksPort\" flag " ++ "\"IPv6Traffic\" is set in torrc", NULL); ++ } ++ break; ++ + default: + break; + } +@@ -1334,7 +1364,7 @@ ks_hkp_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern, + /* Send the request. */ + err = send_request (ctrl, request, hostport, httphost, httpflags, + NULL, NULL, &fp, r_http_status); +- if (handle_send_request_error (err, request, &tries)) ++ if (handle_send_request_error (ctrl, err, request, &tries)) + { + reselect = 1; + goto again; +@@ -1468,7 +1498,7 @@ ks_hkp_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec, estream_t *r_fp) + /* Send the request. */ + err = send_request (ctrl, request, hostport, httphost, httpflags, + NULL, NULL, &fp, NULL); +- if (handle_send_request_error (err, request, &tries)) ++ if (handle_send_request_error (ctrl, err, request, &tries)) + { + reselect = 1; + goto again; +@@ -1577,7 +1607,7 @@ ks_hkp_put (ctrl_t ctrl, parsed_uri_t uri, const void *data, size_t datalen) + /* Send the request. */ + err = send_request (ctrl, request, hostport, httphost, 0, + put_post_cb, &parm, &fp, NULL); +- if (handle_send_request_error (err, request, &tries)) ++ if (handle_send_request_error (ctrl, err, request, &tries)) + { + reselect = 1; + goto again; +diff --git a/g10/call-dirmngr.c b/g10/call-dirmngr.c +index 4be9da117..2f2ba982e 100644 +--- a/g10/call-dirmngr.c ++++ b/g10/call-dirmngr.c +@@ -374,7 +374,8 @@ ks_status_cb (void *opaque, const char *line) + { + struct ks_status_parm_s *parm = opaque; + gpg_error_t err = 0; +- const char *s; ++ const char *s, *s2; ++ const char *warn; + + if ((s = has_leading_keyword (line, parm->keyword? parm->keyword : "SOURCE"))) + { +@@ -385,6 +386,29 @@ ks_status_cb (void *opaque, const char *line) + err = gpg_error_from_syserror (); + } + } ++ else if ((s = has_leading_keyword (line, "WARNING"))) ++ { ++ if ((s2 = has_leading_keyword (s, "tor_not_running"))) ++ warn = _("Tor is not running"); ++ else if ((s2 = has_leading_keyword (s, "tor_config_problem"))) ++ warn = _("Tor is not properly configured"); ++ else ++ warn = NULL; ++ ++ if (warn) ++ { ++ log_info (_("WARNING: %s\n"), warn); ++ if (s2) ++ { ++ while (*s2 && !spacep (s2)) ++ s2++; ++ while (*s2 && spacep (s2)) ++ s2++; ++ if (*s2) ++ print_further_info ("%s", s2); ++ } ++ } ++ } + + return err; + } diff --git a/patches/0017-agent-Fix-double-free.patch b/patches/0017-agent-Fix-double-free.patch new file mode 100644 index 0000000..b3d96ed --- /dev/null +++ b/patches/0017-agent-Fix-double-free.patch @@ -0,0 +1,49 @@ +From: Justus Winter +Date: Wed, 25 Jan 2017 13:51:57 +0100 +Subject: agent: Fix double free. + +* agent/cache.c (agent_store_cache_hit): Make sure the update is +atomic. +-- +Previously, the function freed the last key, and duplicated the new +key after doing that. There is a chance, however, that calling the +allocator surrenders control to a different thread, causing a double +free if a different thread also calls this function. + +To make sure the update is atomic under the non-preemptive thread +model, we must make sure not to surrender control to a different +thread. Therefore, we avoid calling the allocator during the +update. + +Signed-off-by: Justus Winter +(cherry picked from commit e175152ef7515921635bf1e00383e812668d13fc) +--- + agent/cache.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/agent/cache.c b/agent/cache.c +index f58eaeaaa..248368277 100644 +--- a/agent/cache.c ++++ b/agent/cache.c +@@ -475,6 +475,19 @@ agent_get_cache (const char *key, cache_mode_t cache_mode) + void + agent_store_cache_hit (const char *key) + { +- xfree (last_stored_cache_key); +- last_stored_cache_key = key? xtrystrdup (key) : NULL; ++ char *new; ++ char *old; ++ ++ /* To make sure the update is atomic under the non-preemptive thread ++ * model, we must make sure not to surrender control to a different ++ * thread. Therefore, we avoid calling the allocator during the ++ * update. */ ++ new = key ? xtrystrdup (key) : NULL; ++ ++ /* Atomic update. */ ++ old = last_stored_cache_key; ++ last_stored_cache_key = new; ++ /* Done. */ ++ ++ xfree (old); + } diff --git a/patches/0018-gpg-Fix-searching-for-mail-addresses-in-keyrings.patch b/patches/0018-gpg-Fix-searching-for-mail-addresses-in-keyrings.patch new file mode 100644 index 0000000..6365109 --- /dev/null +++ b/patches/0018-gpg-Fix-searching-for-mail-addresses-in-keyrings.patch @@ -0,0 +1,54 @@ +From: Justus Winter +Date: Wed, 25 Jan 2017 16:33:20 +0100 +Subject: gpg: Fix searching for mail addresses in keyrings. + +* g10/keyring.c (compare_name): Fix KEYDB_SEARCH_MODE_MAIL* searches +in keyrings when the UID is a plain addr-spec. +-- +Previously, 'gpg --list-key ""' failed if 1/ the +keyring format is used and 2/ the key's UID is a plain addr-spec +(cf. RFC2822 section 4.3), e.g. 'foo@example.org'. + +GnuPG-bug-id: 2930 +Signed-off-by: Justus Winter +(cherry picked from commit 3f4f20ee6eff052c88647b820d9ecfdbd8df0f40) +--- + g10/keyring.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +diff --git a/g10/keyring.c b/g10/keyring.c +index f1281e98e..328290ed8 100644 +--- a/g10/keyring.c ++++ b/g10/keyring.c +@@ -928,13 +928,27 @@ compare_name (int mode, const char *name, const char *uid, size_t uidlen) + else if ( mode == KEYDB_SEARCH_MODE_MAIL + || mode == KEYDB_SEARCH_MODE_MAILSUB + || mode == KEYDB_SEARCH_MODE_MAILEND) { ++ int have_angles = 1; + for (i=0, s= uid; i < uidlen && *s != '<'; s++, i++) + ; ++ if (i == uidlen) ++ { ++ /* The UID is a plain addr-spec (cf. RFC2822 section 4.3). */ ++ have_angles = 0; ++ s = uid; ++ i = 0; ++ } + if (i < uidlen) { +- /* skip opening delim and one char and look for the closing one*/ +- s++; i++; +- for (se=s+1, i++; i < uidlen && *se != '>'; se++, i++) +- ; ++ if (have_angles) ++ { ++ /* skip opening delim and one char and look for the closing one*/ ++ s++; i++; ++ for (se=s+1, i++; i < uidlen && *se != '>'; se++, i++) ++ ; ++ } ++ else ++ se = s + uidlen; ++ + if (i < uidlen) { + i = se - s; + if (mode == KEYDB_SEARCH_MODE_MAIL) { diff --git a/patches/0019-dirmngr-New-option-no-use-tor-and-internal-changes.patch b/patches/0019-dirmngr-New-option-no-use-tor-and-internal-changes.patch new file mode 100644 index 0000000..f936685 --- /dev/null +++ b/patches/0019-dirmngr-New-option-no-use-tor-and-internal-changes.patch @@ -0,0 +1,382 @@ +From: Werner Koch +Date: Wed, 1 Feb 2017 17:54:14 +0100 +Subject: dirmngr: New option --no-use-tor and internal changes. + +* dirmngr/dns-stuff.c (disable_dns_tormode): New. +* dirmngr/dirmngr.c (oNoUseTor): New const. +(opts): New option --no-use-tor. +(tor_mode): New var. +(parse_rereadable_options): Change to use TOR_MODE. +(dirmngr_use_tor): New. +(set_tor_mode): Call disable_dns_tormode. Implement oNoUseTor. +* dirmngr/dirmngr.h (opt): Remove field 'use_tor'. Replace all +references by a call to dirmngr_use_tor(). +* dirmngr/server.c (cmd_getinfo): Distinguish between default and +enforced TOR_MODE. +-- + +This patch replaces the global variable opt.use_tar by a function +testing a file local mode flag. This patch prepares for a +use-tor-if-available mode. + +GnuPG-bug-id: 2935 +Signed-off-by: Werner Koch +(cherry picked from commit 7440119e729d3fdedda8a9b44b70f8959beea8d7) +--- + dirmngr/crlfetch.c | 10 +++++----- + dirmngr/dirmngr.c | 46 +++++++++++++++++++++++++++++++++++++++++++--- + dirmngr/dirmngr.h | 3 +-- + dirmngr/dns-stuff.c | 8 ++++++++ + dirmngr/dns-stuff.h | 1 + + dirmngr/ks-engine-finger.c | 2 +- + dirmngr/ks-engine-hkp.c | 6 +++--- + dirmngr/ks-engine-http.c | 2 +- + dirmngr/ks-engine-ldap.c | 6 +++--- + dirmngr/ocsp.c | 4 ++-- + dirmngr/server.c | 10 +++++++--- + 11 files changed, 75 insertions(+), 23 deletions(-) + +diff --git a/dirmngr/crlfetch.c b/dirmngr/crlfetch.c +index aa82137f7..337fe6e4d 100644 +--- a/dirmngr/crlfetch.c ++++ b/dirmngr/crlfetch.c +@@ -198,7 +198,7 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader) + err = http_open_document (&hd, url, NULL, + ((opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0) + |(DBG_LOOKUP? HTTP_FLAG_LOG_RESP:0) +- |(opt.use_tor? HTTP_FLAG_FORCE_TOR:0) ++ |(dirmngr_use_tor()? HTTP_FLAG_FORCE_TOR:0) + |(opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4:0) + ), + ctrl->http_proxy, NULL, NULL, NULL); +@@ -292,7 +292,7 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader) + "LDAP"); + err = gpg_error (GPG_ERR_NOT_SUPPORTED); + } +- else if (opt.use_tor) ++ else if (dirmngr_use_tor ()) + { + /* For now we do not support LDAP over Tor. */ + log_error (_("CRL access not possible due to Tor mode\n")); +@@ -318,7 +318,7 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader) + gpg_error_t + crl_fetch_default (ctrl_t ctrl, const char *issuer, ksba_reader_t *reader) + { +- if (opt.use_tor) ++ if (dirmngr_use_tor ()) + { + /* For now we do not support LDAP over Tor. */ + log_error (_("CRL access not possible due to Tor mode\n")); +@@ -350,7 +350,7 @@ crl_fetch_default (ctrl_t ctrl, const char *issuer, ksba_reader_t *reader) + gpg_error_t + ca_cert_fetch (ctrl_t ctrl, cert_fetch_context_t *context, const char *dn) + { +- if (opt.use_tor) ++ if (dirmngr_use_tor ()) + { + /* For now we do not support LDAP over Tor. */ + log_error (_("CRL access not possible due to Tor mode\n")); +@@ -377,7 +377,7 @@ gpg_error_t + start_cert_fetch (ctrl_t ctrl, cert_fetch_context_t *context, + strlist_t patterns, const ldap_server_t server) + { +- if (opt.use_tor) ++ if (dirmngr_use_tor ()) + { + /* For now we do not support LDAP over Tor. */ + log_error (_("CRL access not possible due to Tor mode\n")); +diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c +index 83356c94c..43e9cbd07 100644 +--- a/dirmngr/dirmngr.c ++++ b/dirmngr/dirmngr.c +@@ -138,6 +138,7 @@ enum cmd_and_opt_values { + oHTTPWrapperProgram, + oIgnoreCertExtension, + oUseTor, ++ oNoUseTor, + oKeyServer, + oNameServer, + oDisableCheckOwnSocket, +@@ -224,6 +225,7 @@ static ARGPARSE_OPTS opts[] = { + N_("|FILE|use the CA certificates in FILE for HKP over TLS")), + + ARGPARSE_s_n (oUseTor, "use-tor", N_("route all network traffic via Tor")), ++ ARGPARSE_s_n (oNoUseTor, "no-use-tor", "@"), + + ARGPARSE_s_n (oDisableIPv4, "disable-ipv4", "@"), + +@@ -300,6 +302,16 @@ static volatile int shutdown_pending; + /* Flags to indicate that we shall not watch our own socket. */ + static int disable_check_own_socket; + ++/* Flag to control the Tor mode. */ ++static enum ++ { TOR_MODE_AUTO = 0, /* Switch to NO or YES */ ++ TOR_MODE_NEVER, /* Never use Tor. */ ++ TOR_MODE_NO, /* Do not use Tor */ ++ TOR_MODE_YES, /* Use Tor */ ++ TOR_MODE_FORCE /* Force using Tor */ ++ } tor_mode; ++ ++ + /* Counter for the active connections. */ + static int active_connections; + +@@ -475,7 +487,7 @@ set_debug (void) + static void + set_tor_mode (void) + { +- if (opt.use_tor) ++ if (dirmngr_use_tor ()) + { + /* Enable Tor mode and when called again force a new curcuit + * (e.g. on SIGHUP). */ +@@ -486,6 +498,26 @@ set_tor_mode (void) + log_info ("(is your Libassuan recent enough?)\n"); + } + } ++ else ++ disable_dns_tormode (); ++} ++ ++ ++/* Return true if Tor shall be used. */ ++int ++dirmngr_use_tor (void) ++{ ++ if (tor_mode == TOR_MODE_AUTO) ++ { ++ /* FIXME: Figure out whether Tor is running. */ ++ } ++ ++ if (tor_mode == TOR_MODE_FORCE) ++ return 2; /* Use Tor (using 2 to indicate force mode) */ ++ else if (tor_mode == TOR_MODE_YES) ++ return 1; /* Use Tor */ ++ else ++ return 0; /* Do not use Tor. */ + } + + +@@ -548,7 +580,9 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread) + FREE_STRLIST (opt.ignored_cert_extensions); + http_register_tls_ca (NULL); + FREE_STRLIST (opt.keyserver); +- /* Note: We do not allow resetting of opt.use_tor at runtime. */ ++ /* Note: We do not allow resetting of TOR_MODE_FORCE at runtime. */ ++ if (tor_mode != TOR_MODE_FORCE) ++ tor_mode = TOR_MODE_AUTO; + disable_check_own_socket = 0; + enable_standard_resolver (0); + set_dns_timeout (0); +@@ -625,7 +659,13 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread) + add_to_strlist (&opt.ignored_cert_extensions, pargs->r.ret_str); + break; + +- case oUseTor: opt.use_tor = 1; break; ++ case oUseTor: ++ tor_mode = TOR_MODE_FORCE; ++ break; ++ case oNoUseTor: ++ if (tor_mode != TOR_MODE_FORCE) ++ tor_mode = TOR_MODE_NEVER; ++ break; + + case oStandardResolver: enable_standard_resolver (1); break; + case oRecursiveResolver: enable_recursive_resolver (1); break; +diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h +index fd80d7237..6a4fd003f 100644 +--- a/dirmngr/dirmngr.h ++++ b/dirmngr/dirmngr.h +@@ -91,7 +91,6 @@ struct + program. */ + + int running_detached; /* We are running in detached mode. */ +- int use_tor; /* Tor mode has been enabled. */ + int allow_version_check; /* --allow-version-check is active. */ + + int force; /* Force loading outdated CRLs. */ +@@ -191,7 +190,7 @@ void dirmngr_init_default_ctrl (ctrl_t ctrl); + void dirmngr_deinit_default_ctrl (ctrl_t ctrl); + void dirmngr_sighup_action (void); + const char* dirmngr_get_current_socket_name (void); +- ++int dirmngr_use_tor (void); + + /*-- Various housekeeping functions. --*/ + void ks_hkp_reload (void); +diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c +index ad19fc2ce..52f011a00 100644 +--- a/dirmngr/dns-stuff.c ++++ b/dirmngr/dns-stuff.c +@@ -222,6 +222,14 @@ enable_dns_tormode (int new_circuit) + } + + ++/* Disable tor mode. */ ++void ++disable_dns_tormode (void) ++{ ++ tor_mode = 0; ++} ++ ++ + /* Set verbosity and debug mode for this module. */ + void + set_dns_verbose (int verbose, int debug) +diff --git a/dirmngr/dns-stuff.h b/dirmngr/dns-stuff.h +index 9eb97fd6a..9b8303c3b 100644 +--- a/dirmngr/dns-stuff.h ++++ b/dirmngr/dns-stuff.h +@@ -120,6 +120,7 @@ int recursive_resolver_p (void); + /* Put this module eternally into Tor mode. When called agained with + * NEW_CIRCUIT request a new TOR circuit for the next DNS query. */ + void enable_dns_tormode (int new_circuit); ++void disable_dns_tormode (void); + + /* Change the default IP address of the nameserver to IPADDR. The + address needs to be a numerical IP address and will be used for the +diff --git a/dirmngr/ks-engine-finger.c b/dirmngr/ks-engine-finger.c +index 114f2e9ac..811b72de4 100644 +--- a/dirmngr/ks-engine-finger.c ++++ b/dirmngr/ks-engine-finger.c +@@ -83,7 +83,7 @@ ks_finger_fetch (ctrl_t ctrl, parsed_uri_t uri, estream_t *r_fp) + *server++ = 0; + + err = http_raw_connect (&http, server, 79, +- ((opt.use_tor? HTTP_FLAG_FORCE_TOR : 0) ++ ((dirmngr_use_tor ()? HTTP_FLAG_FORCE_TOR : 0) + | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)), + NULL); + if (err) +diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c +index 858cd2f26..be8b08333 100644 +--- a/dirmngr/ks-engine-hkp.c ++++ b/dirmngr/ks-engine-hkp.c +@@ -285,7 +285,7 @@ tor_not_running_p (ctrl_t ctrl) + { + assuan_fd_t sock; + +- if (!opt.use_tor) ++ if (!dirmngr_use_tor ()) + return 0; + + sock = assuan_sock_connect_byname (NULL, 0, 0, NULL, ASSUAN_SOCK_TOR); +@@ -1088,7 +1088,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr, + /* fixme: AUTH */ NULL, + (httpflags + |(opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0) +- |(opt.use_tor? HTTP_FLAG_FORCE_TOR:0) ++ |(dirmngr_use_tor ()? HTTP_FLAG_FORCE_TOR:0) + |(opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)), + ctrl->http_proxy, + session, +@@ -1245,7 +1245,7 @@ handle_send_request_error (ctrl_t ctrl, gpg_error_t err, const char *request, + break; + + case GPG_ERR_EACCES: +- if (opt.use_tor) ++ if (dirmngr_use_tor ()) + { + log_info ("(Tor configuration problem)\n"); + dirmngr_status (ctrl, "WARNING", "tor_config_problem 0", +diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c +index dbbf4bb79..69642ff98 100644 +--- a/dirmngr/ks-engine-http.c ++++ b/dirmngr/ks-engine-http.c +@@ -88,7 +88,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp) + /* httphost */ NULL, + /* fixme: AUTH */ NULL, + ((opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0) +- | (opt.use_tor? HTTP_FLAG_FORCE_TOR:0) ++ | (dirmngr_use_tor ()? HTTP_FLAG_FORCE_TOR:0) + | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)), + ctrl->http_proxy, + session, +diff --git a/dirmngr/ks-engine-ldap.c b/dirmngr/ks-engine-ldap.c +index 6d520e98e..b7aa7cc65 100644 +--- a/dirmngr/ks-engine-ldap.c ++++ b/dirmngr/ks-engine-ldap.c +@@ -850,7 +850,7 @@ ks_ldap_get (ctrl_t ctrl, parsed_uri_t uri, const char *keyspec, + + (void) ctrl; + +- if (opt.use_tor) ++ if (dirmngr_use_tor ()) + { + /* For now we do not support LDAP over Tor. */ + log_error (_("LDAP access not possible due to Tor mode\n")); +@@ -1033,7 +1033,7 @@ ks_ldap_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern, + + (void) ctrl; + +- if (opt.use_tor) ++ if (dirmngr_use_tor ()) + { + /* For now we do not support LDAP over Tor. */ + log_error (_("LDAP access not possible due to Tor mode\n")); +@@ -1909,7 +1909,7 @@ ks_ldap_put (ctrl_t ctrl, parsed_uri_t uri, + /* Elide a warning. */ + (void) ctrl; + +- if (opt.use_tor) ++ if (dirmngr_use_tor ()) + { + /* For now we do not support LDAP over Tor. */ + log_error (_("LDAP access not possible due to Tor mode\n")); +diff --git a/dirmngr/ocsp.c b/dirmngr/ocsp.c +index b46c78567..aff8e3288 100644 +--- a/dirmngr/ocsp.c ++++ b/dirmngr/ocsp.c +@@ -132,7 +132,7 @@ do_ocsp_request (ctrl_t ctrl, ksba_ocsp_t ocsp, gcry_md_hd_t md, + + (void)ctrl; + +- if (opt.use_tor) ++ if (dirmngr_use_tor ()) + { + /* For now we do not allow OCSP via Tor due to possible privacy + concerns. Needs further research. */ +@@ -174,7 +174,7 @@ do_ocsp_request (ctrl_t ctrl, ksba_ocsp_t ocsp, gcry_md_hd_t md, + once_more: + err = http_open (&http, HTTP_REQ_POST, url, NULL, NULL, + ((opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0) +- | (opt.use_tor? HTTP_FLAG_FORCE_TOR:0) ++ | (dirmngr_use_tor ()? HTTP_FLAG_FORCE_TOR:0) + | (opt.disable_ipv4? HTTP_FLAG_IGNORE_IPv4 : 0)), + ctrl->http_proxy, NULL, NULL, NULL); + if (err) +diff --git a/dirmngr/server.c b/dirmngr/server.c +index c9c4ad437..bca3a61e4 100644 +--- a/dirmngr/server.c ++++ b/dirmngr/server.c +@@ -625,7 +625,7 @@ option_handler (assuan_context_t ctx, const char *key, const char *value) + else if (!strcmp (key, "honor-keyserver-url-used")) + { + /* Return an error if we are running in Tor mode. */ +- if (opt.use_tor) ++ if (dirmngr_use_tor ()) + err = gpg_error (GPG_ERR_FORBIDDEN); + } + else +@@ -2338,14 +2338,18 @@ cmd_getinfo (assuan_context_t ctx, char *line) + } + else if (!strcmp (line, "tor")) + { +- if (opt.use_tor) ++ int use_tor; ++ ++ use_tor = dirmngr_use_tor (); ++ if (use_tor) + { + if (!is_tor_running (ctrl)) + err = assuan_write_status (ctx, "NO_TOR", "Tor not running"); + else + err = 0; + if (!err) +- assuan_set_okay_line (ctx, "- Tor mode is enabled"); ++ assuan_set_okay_line (ctx, use_tor == 1 ? "- Tor mode is enabled" ++ /**/ : "- Tor mode is enforced"); + } + else + err = set_error (GPG_ERR_FALSE, "Tor mode is NOT enabled"); diff --git a/patches/0020-gpg-Remove-period-at-end-of-warning.patch b/patches/0020-gpg-Remove-period-at-end-of-warning.patch new file mode 100644 index 0000000..247ff44 --- /dev/null +++ b/patches/0020-gpg-Remove-period-at-end-of-warning.patch @@ -0,0 +1,26 @@ +From: "Neal H. Walfield" +Date: Fri, 6 Jan 2017 11:51:08 +0100 +Subject: gpg: Remove period at end of warning. + +* g10/tofu.c (tofu_register_encryption): Remove period at end of +warning. + +Signed-off-by: Neal H. Walfield +(cherry picked from commit 6f9d8a956b2ca0f5a0eb7acc656fc17af2f2de47) +--- + g10/tofu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/g10/tofu.c b/g10/tofu.c +index 8d535fa6c..149a18545 100644 +--- a/g10/tofu.c ++++ b/g10/tofu.c +@@ -3480,7 +3480,7 @@ tofu_register_encryption (ctrl_t ctrl, + + if (! user_id_list) + log_info (_("WARNING: Encrypting to %s, which has no " +- "non-revoked user ids.\n"), ++ "non-revoked user ids\n"), + keystr (pk->keyid)); + } + diff --git a/patches/0021-gpg-Add-newline-to-output.patch b/patches/0021-gpg-Add-newline-to-output.patch new file mode 100644 index 0000000..b79c546 --- /dev/null +++ b/patches/0021-gpg-Add-newline-to-output.patch @@ -0,0 +1,25 @@ +From: "Neal H. Walfield" +Date: Thu, 2 Feb 2017 11:00:51 +0100 +Subject: gpg: Add newline to output. + +* g10/tofu.c (ask_about_binding): Add newline to output. + +Signed-off-by: Neal H. Walfield +(cherry picked from commit 74268180e5a3acc827f3a369f1fe5971f3bbe285) +--- + g10/tofu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/g10/tofu.c b/g10/tofu.c +index 149a18545..9f5f40694 100644 +--- a/g10/tofu.c ++++ b/g10/tofu.c +@@ -1969,7 +1969,7 @@ ask_about_binding (ctrl_t ctrl, + else if (!response[0]) + /* Default to unknown. Don't save it. */ + { +- tty_printf (_("Defaulting to unknown.")); ++ tty_printf (_("Defaulting to unknown.\n")); + *policy = TOFU_POLICY_UNKNOWN; + break; + } diff --git a/patches/0022-gpg-Only-print-out-TOFU-statistics-for-conflicts-in-.patch b/patches/0022-gpg-Only-print-out-TOFU-statistics-for-conflicts-in-.patch new file mode 100644 index 0000000..d8b5d79 --- /dev/null +++ b/patches/0022-gpg-Only-print-out-TOFU-statistics-for-conflicts-in-.patch @@ -0,0 +1,187 @@ +From: "Neal H. Walfield" +Date: Thu, 2 Feb 2017 13:24:57 +0100 +Subject: gpg: Only print out TOFU statistics for conflicts in interactive mode + +* g10/tofu.c (get_trust): Add arguments POLICYP and CONFLICT_SETP. If +they are not NULL, return the policy and conflict set (if there is +one), respectively. Update callers. If MAY_ASK is FALSE, don't print +out the statistics. +(tofu_register_encryption): If there is a conflict and we haven't yet +printed the statistics about the conflicting bindings, do so now. +(tofu_get_validity): Likewise. + +Signed-off-by: Neal H. Walfield +GnuPG-bug-id: 2914 +(cherry picked from commit 027b81b35fe36692005b8dba22d9eb2db05e8c80) +--- + g10/tofu.c | 83 +++++++++++++++++++++++++++++++++++++++++++++++++++----------- + 1 file changed, 69 insertions(+), 14 deletions(-) + +diff --git a/g10/tofu.c b/g10/tofu.c +index 9f5f40694..fc03c5a7d 100644 +--- a/g10/tofu.c ++++ b/g10/tofu.c +@@ -2644,7 +2644,9 @@ get_policy (tofu_dbs_t dbs, PKT_public_key *pk, + static enum tofu_policy + get_trust (ctrl_t ctrl, PKT_public_key *pk, + const char *fingerprint, const char *email, +- const char *user_id, int may_ask, time_t now) ++ const char *user_id, int may_ask, ++ enum tofu_policy *policyp, strlist_t *conflict_setp, ++ time_t now) + { + tofu_dbs_t dbs = ctrl->tofu.dbs; + int in_transaction = 0; +@@ -2683,6 +2685,7 @@ get_trust (ctrl_t ctrl, PKT_public_key *pk, + if (tdb_keyid_is_utk (kid)) + { + trust_level = TRUST_ULTIMATE; ++ policy = TOFU_POLICY_GOOD; + goto out; + } + } +@@ -2690,7 +2693,8 @@ get_trust (ctrl_t ctrl, PKT_public_key *pk, + begin_transaction (ctrl, 0); + in_transaction = 1; + +- policy = get_policy (dbs, pk, fingerprint, user_id, email, &conflict_set, now); ++ policy = get_policy (dbs, pk, fingerprint, user_id, email, ++ &conflict_set, now); + if (policy == TOFU_POLICY_AUTO) + { + policy = opt.tofu_default_policy; +@@ -2758,10 +2762,6 @@ get_trust (ctrl_t ctrl, PKT_public_key *pk, + } + else + { +- for (iter = conflict_set; iter; iter = iter->next) +- show_statistics (dbs, iter->d, email, +- TOFU_POLICY_ASK, NULL, 1, now); +- + trust_level = TRUST_UNDEFINED; + } + +@@ -2807,7 +2807,13 @@ get_trust (ctrl_t ctrl, PKT_public_key *pk, + if (in_transaction) + end_transaction (ctrl, 0); + +- free_strlist (conflict_set); ++ if (policyp) ++ *policyp = policy; ++ ++ if (conflict_setp) ++ *conflict_setp = conflict_set; ++ else ++ free_strlist (conflict_set); + + return trust_level; + } +@@ -3326,7 +3332,8 @@ tofu_register_signature (ctrl_t ctrl, + + /* Make sure the binding exists and record any TOFU + conflicts. */ +- if (get_trust (ctrl, pk, fingerprint, email, user_id->d, 0, now) ++ if (get_trust (ctrl, pk, fingerprint, email, user_id->d, ++ 0, NULL, NULL, now) + == _tofu_GET_TRUST_ERROR) + { + rc = gpg_error (GPG_ERR_GENERAL); +@@ -3492,11 +3499,13 @@ tofu_register_encryption (ctrl_t ctrl, + for (user_id = user_id_list; user_id; user_id = user_id->next) + { + char *email = email_from_user_id (user_id->d); ++ strlist_t conflict_set = NULL; ++ enum tofu_policy policy; + + /* Make sure the binding exists and that we recognize any + conflicts. */ + int tl = get_trust (ctrl, pk, fingerprint, email, user_id->d, +- may_ask, now); ++ may_ask, &policy, &conflict_set, now); + if (tl == _tofu_GET_TRUST_ERROR) + { + /* An error. */ +@@ -3505,6 +3514,28 @@ tofu_register_encryption (ctrl_t ctrl, + goto die; + } + ++ ++ /* If there is a conflict and MAY_ASK is true, we need to show ++ * the TOFU statistics for the current binding and the ++ * conflicting bindings. But, if we are not in batch mode, then ++ * they have already been printed (this is required to make sure ++ * the information is available to the caller before cpr_get is ++ * called). */ ++ if (policy == TOFU_POLICY_ASK && may_ask && opt.batch) ++ { ++ strlist_t iter; ++ ++ /* The conflict set should contain at least the current ++ * key. */ ++ log_assert (conflict_set); ++ ++ for (iter = conflict_set; iter; iter = iter->next) ++ show_statistics (dbs, iter->d, email, ++ TOFU_POLICY_ASK, NULL, 1, now); ++ } ++ ++ free_strlist (conflict_set); ++ + rc = gpgsql_stepx + (dbs->db, &dbs->s.register_encryption, NULL, NULL, &err, + "insert into encryptions\n" +@@ -3681,11 +3712,13 @@ tofu_get_validity (ctrl_t ctrl, PKT_public_key *pk, strlist_t user_id_list, + for (user_id = user_id_list; user_id; user_id = user_id->next, bindings ++) + { + char *email = email_from_user_id (user_id->d); ++ strlist_t conflict_set = NULL; ++ enum tofu_policy policy; + + /* Always call get_trust to make sure the binding is + registered. */ + int tl = get_trust (ctrl, pk, fingerprint, email, user_id->d, +- may_ask, now); ++ may_ask, &policy, &conflict_set, now); + if (tl == _tofu_GET_TRUST_ERROR) + { + /* An error. */ +@@ -3708,13 +3741,35 @@ tofu_get_validity (ctrl_t ctrl, PKT_public_key *pk, strlist_t user_id_list, + + if (may_ask && tl != TRUST_ULTIMATE && tl != TRUST_EXPIRED) + { +- enum tofu_policy policy = +- get_policy (dbs, pk, fingerprint, user_id->d, email, NULL, now); ++ /* If policy is ask, then we already printed out the ++ * conflict information in ask_about_binding or will do so ++ * in a moment. */ ++ if (policy != TOFU_POLICY_ASK) ++ need_warning |= ++ show_statistics (dbs, fingerprint, email, policy, NULL, 0, now); ++ ++ /* If there is a conflict and MAY_ASK is true, we need to ++ * show the TOFU statistics for the current binding and the ++ * conflicting bindings. But, if we are not in batch mode, ++ * then they have already been printed (this is required to ++ * make sure the information is available to the caller ++ * before cpr_get is called). */ ++ if (policy == TOFU_POLICY_ASK && opt.batch) ++ { ++ strlist_t iter; + +- need_warning |= +- show_statistics (dbs, fingerprint, email, policy, NULL, 0, now); ++ /* The conflict set should contain at least the current ++ * key. */ ++ log_assert (conflict_set); ++ ++ for (iter = conflict_set; iter; iter = iter->next) ++ show_statistics (dbs, iter->d, email, ++ TOFU_POLICY_ASK, NULL, 1, now); ++ } + } + ++ free_strlist (conflict_set); ++ + if (tl == TRUST_NEVER) + trust_level = TRUST_NEVER; + else if (tl == TRUST_EXPIRED) diff --git a/patches/0023-gpg-If-there-is-a-TOFU-conflict-elide-the-too-few-me.patch b/patches/0023-gpg-If-there-is-a-TOFU-conflict-elide-the-too-few-me.patch new file mode 100644 index 0000000..2ae2abe --- /dev/null +++ b/patches/0023-gpg-If-there-is-a-TOFU-conflict-elide-the-too-few-me.patch @@ -0,0 +1,42 @@ +From: "Neal H. Walfield" +Date: Thu, 2 Feb 2017 13:26:17 +0100 +Subject: gpg: If there is a TOFU conflict, elide the too few message warning. + +* g10/tofu.c (tofu_get_validity): If there was a conflict, don't also +print out a warning about too few messages. + +Signed-off-by: Neal H. Walfield +(cherry picked from commit a08c781739e7561093f32b732c4991f2bd817ec2) +--- + g10/tofu.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/g10/tofu.c b/g10/tofu.c +index fc03c5a7d..41bdd5f30 100644 +--- a/g10/tofu.c ++++ b/g10/tofu.c +@@ -3694,6 +3694,7 @@ tofu_get_validity (ctrl_t ctrl, PKT_public_key *pk, strlist_t user_id_list, + int bindings = 0; + int bindings_valid = 0; + int need_warning = 0; ++ int had_conflict = 0; + + dbs = opendbs (ctrl); + if (! dbs) +@@ -3762,6 +3763,7 @@ tofu_get_validity (ctrl_t ctrl, PKT_public_key *pk, strlist_t user_id_list, + * key. */ + log_assert (conflict_set); + ++ had_conflict = 1; + for (iter = conflict_set; iter; iter = iter->next) + show_statistics (dbs, iter->d, email, + TOFU_POLICY_ASK, NULL, 1, now); +@@ -3794,7 +3796,7 @@ tofu_get_validity (ctrl_t ctrl, PKT_public_key *pk, strlist_t user_id_list, + xfree (email); + } + +- if (need_warning) ++ if (need_warning && ! had_conflict) + show_warning (fingerprint, user_id_list); + + die: diff --git a/patches/0024-gpg-Ensure-TOFU-bindings-associated-with-UTKs-are-re.patch b/patches/0024-gpg-Ensure-TOFU-bindings-associated-with-UTKs-are-re.patch new file mode 100644 index 0000000..42d257e --- /dev/null +++ b/patches/0024-gpg-Ensure-TOFU-bindings-associated-with-UTKs-are-re.patch @@ -0,0 +1,60 @@ +From: "Neal H. Walfield" +Date: Thu, 2 Feb 2017 14:24:38 +0100 +Subject: gpg: Ensure TOFU bindings associated with UTKs are registered as + usual + +* g10/tofu.c (get_trust): Call get_policy before short-circuiting the +policy lookup for ultimately trusted keys to make sure the binding is +added to the bindings table, if necessary. + +Signed-off-by: Neal H. Walfield +GnuPG-bug-id: 2929 +(cherry picked from commit 769272ba87f282a69e8d5f9bb27c86e6bec4496b) +--- + g10/tofu.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/g10/tofu.c b/g10/tofu.c +index 41bdd5f30..85347bb74 100644 +--- a/g10/tofu.c ++++ b/g10/tofu.c +@@ -2306,7 +2306,11 @@ build_conflict_set (tofu_dbs_t dbs, + /* Return the effective policy for the binding + * (email has already been normalized) and any conflict information in + * *CONFLICT_SETP, if CONFLICT_SETP is not NULL. Returns +- * _tofu_GET_POLICY_ERROR if an error occurs. */ ++ * _tofu_GET_POLICY_ERROR if an error occurs. ++ * ++ * This function registers the binding in the bindings table if it has ++ * not yet been registered. ++ */ + static enum tofu_policy + get_policy (tofu_dbs_t dbs, PKT_public_key *pk, + const char *fingerprint, const char *user_id, const char *email, +@@ -2677,6 +2681,14 @@ get_trust (ctrl_t ctrl, PKT_public_key *pk, + && _tofu_GET_TRUST_ERROR != TRUST_FULLY + && _tofu_GET_TRUST_ERROR != TRUST_ULTIMATE); + ++ begin_transaction (ctrl, 0); ++ in_transaction = 1; ++ ++ /* We need to call get_policy even if the key is ultimately trusted ++ * to make sure the binding has been registered. */ ++ policy = get_policy (dbs, pk, fingerprint, user_id, email, ++ &conflict_set, now); ++ + /* If the key is ultimately trusted, there is nothing to do. */ + { + u32 kid[2]; +@@ -2690,11 +2702,6 @@ get_trust (ctrl_t ctrl, PKT_public_key *pk, + } + } + +- begin_transaction (ctrl, 0); +- in_transaction = 1; +- +- policy = get_policy (dbs, pk, fingerprint, user_id, email, +- &conflict_set, now); + if (policy == TOFU_POLICY_AUTO) + { + policy = opt.tofu_default_policy; diff --git a/patches/0025-gpg-Don-t-assume-that-strtoul-interprets-as-0.patch b/patches/0025-gpg-Don-t-assume-that-strtoul-interprets-as-0.patch new file mode 100644 index 0000000..b92a49f --- /dev/null +++ b/patches/0025-gpg-Don-t-assume-that-strtoul-interprets-as-0.patch @@ -0,0 +1,53 @@ +From: "Neal H. Walfield" +Date: Thu, 2 Feb 2017 15:48:45 +0100 +Subject: gpg: Don't assume that strtoul interprets "" as 0. + +* g10/tofu.c (show_statistics): If there are not records, return 0 +instead of NULL. + +-- +Signed-off-by: Neal H. Walfield +GnuPG-bug-id: 2853 + +According to SUSv3: + + If the subject sequence is empty or does not have the expected form, + no conversion is performed + ... + If no conversion could be performed, 0 is returned and errno may be + set to [EINVAL]. + + http://pubs.opengroup.org/onlinepubs/007908799/xsh/strtol.html + +It appears that MacOS X sets errno to EINVAL, but glibc doesn't. +Hence, we map NULL to 0 explicitly. + +(cherry picked from commit 407f5f9baea5591f148974240a87dfb43e5efef3) +--- + g10/tofu.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/g10/tofu.c b/g10/tofu.c +index 85347bb74..449e921b6 100644 +--- a/g10/tofu.c ++++ b/g10/tofu.c +@@ -2983,7 +2983,8 @@ show_statistics (tofu_dbs_t dbs, + /* Get the signature stats. */ + rc = gpgsql_exec_printf + (dbs->db, strings_collect_cb, &strlist, &err, +- "select count (*), min (signatures.time), max (signatures.time)\n" ++ "select count (*), coalesce (min (signatures.time), 0),\n" ++ " coalesce (max (signatures.time), 0)\n" + " from signatures\n" + " left join bindings on signatures.binding = bindings.oid\n" + " where fingerprint = %Q and email = %Q;", +@@ -3036,7 +3037,8 @@ show_statistics (tofu_dbs_t dbs, + /* Get the encryption stats. */ + rc = gpgsql_exec_printf + (dbs->db, strings_collect_cb, &strlist, &err, +- "select count (*), min (encryptions.time), max (encryptions.time)\n" ++ "select count (*), coalesce (min (encryptions.time), 0),\n" ++ " coalesce (max (encryptions.time), 0)\n" + " from encryptions\n" + " left join bindings on encryptions.binding = bindings.oid\n" + " where fingerprint = %Q and email = %Q;", diff --git a/patches/0026-gpg-More-diagnostics-for-a-launched-pinentry.patch b/patches/0026-gpg-More-diagnostics-for-a-launched-pinentry.patch new file mode 100644 index 0000000..7fe05e5 --- /dev/null +++ b/patches/0026-gpg-More-diagnostics-for-a-launched-pinentry.patch @@ -0,0 +1,81 @@ +From: Werner Koch +Date: Fri, 3 Feb 2017 12:04:52 +0100 +Subject: gpg: More diagnostics for a launched pinentry. + +* agent/call-pinentry.c (start_pinentry): Call getinfo/ttyinfo. +* g10/server.c (gpg_proxy_pinentry_notify): Simplify the output so +that we do not change the code when adding new fields to +PINENTRY_LAUNCHED. +-- + +This patch changes the --verbose output of gpg to show +for example + + gpg: pinentry launched (5228 gtk2 1.0.1-beta10 \ + /dev/pts/4 xterm localhost:10.0) + +the used tty, its type, and the value of DISPLAY in addiion to the +pid, flavor, and version. + +Signed-off-by: Werner Koch +(cherry picked from commit 7052a0d77cf8f3a445b252a809d29be445788625) +--- + agent/call-pinentry.c | 6 +++++- + g10/server.c | 19 ++++++++----------- + 2 files changed, 13 insertions(+), 12 deletions(-) + +diff --git a/agent/call-pinentry.c b/agent/call-pinentry.c +index fa00bf921..2bebee205 100644 +--- a/agent/call-pinentry.c ++++ b/agent/call-pinentry.c +@@ -541,7 +541,7 @@ start_pinentry (ctrl_t ctrl) + } + + +- /* Ask the pinentry for its version and flavor and streo that as a ++ /* Ask the pinentry for its version and flavor and store that as a + * string in MB. This information is useful for helping users to + * figure out Pinentry problems. */ + { +@@ -555,6 +555,10 @@ start_pinentry (ctrl_t ctrl) + if (assuan_transact (entry_ctx, "GETINFO version", + put_membuf_cb, &mb, NULL, NULL, NULL, NULL)) + put_membuf_str (&mb, "unknown"); ++ put_membuf_str (&mb, " "); ++ if (assuan_transact (entry_ctx, "GETINFO ttyinfo", ++ put_membuf_cb, &mb, NULL, NULL, NULL, NULL)) ++ put_membuf_str (&mb, "? ? ?"); + put_membuf (&mb, "", 1); + flavor_version = get_membuf (&mb, NULL); + } +diff --git a/g10/server.c b/g10/server.c +index b89f0be69..e3a3bad22 100644 +--- a/g10/server.c ++++ b/g10/server.c +@@ -770,18 +770,15 @@ gpg_server (ctrl_t ctrl) + gpg_error_t + gpg_proxy_pinentry_notify (ctrl_t ctrl, const unsigned char *line) + { +- if (opt.verbose) +- { +- char *linecopy = xtrystrdup (line); +- char *fields[4]; +- +- if (linecopy +- && split_fields (linecopy, fields, DIM (fields)) >= 4 +- && !strcmp (fields[0], "PINENTRY_LAUNCHED")) +- log_info (_("pinentry launched (pid %s, flavor %s, version %s)\n"), +- fields[1], fields[2], fields[3]); ++ const char *s; + +- xfree (linecopy); ++ if (opt.verbose ++ && !strncmp (line, "PINENTRY_LAUNCHED", 17) ++ && (line[17]==' '||!line[17])) ++ { ++ for (s = line + 17; *s && spacep (s); s++) ++ ; ++ log_info (_("pinentry launched (%s)\n"), s); + } + + if (!ctrl || !ctrl->server_local diff --git a/patches/0027-doc-Clarify-abbreviation-of-help.patch b/patches/0027-doc-Clarify-abbreviation-of-help.patch new file mode 100644 index 0000000..6d08d4b --- /dev/null +++ b/patches/0027-doc-Clarify-abbreviation-of-help.patch @@ -0,0 +1,27 @@ +From: Daniel Kahn Gillmor +Date: Sat, 4 Feb 2017 01:28:08 -0500 +Subject: doc: Clarify abbreviation of --help. + +* doc/gpg.texi: clarify abbreviation of --help. + +Debian-bug-id: 852979 +Signed-off-by: Daniel Kahn Gillmor +(cherry picked from commit f2b276dffbe2435b17abf2b3c51684d3636f3f11) +--- + doc/gpg.texi | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/doc/gpg.texi b/doc/gpg.texi +index 8e1a5e6fc..b79b78334 100644 +--- a/doc/gpg.texi ++++ b/doc/gpg.texi +@@ -141,7 +141,8 @@ cannot abbreviate this command. + @itemx -h + @opindex help + Print a usage message summarizing the most useful command-line options. +-Note that you cannot abbreviate this command. ++Note that you cannot arbitrarily abbreviate this command ++(though you can use its short form @option{-h}). + + @item --warranty + @opindex warranty diff --git a/patches/0028-scd-Backport-two-fixes-from-master.patch b/patches/0028-scd-Backport-two-fixes-from-master.patch new file mode 100644 index 0000000..2193f94 --- /dev/null +++ b/patches/0028-scd-Backport-two-fixes-from-master.patch @@ -0,0 +1,55 @@ +From: NIIBE Yutaka +Date: Sun, 5 Feb 2017 08:34:08 +0900 +Subject: scd: Backport two fixes from master. + +* scd/app.c (app_new_register): Initialize by -1, so that it can detect +an error correctly when card reader can't power-on the card initially. +* scd/command.c (open_card_with_request): Release APP before the scan. + +-- +The first one-liner patch handles an erroneous card. + +The second patch handles the case when we repeatedly do +signing/decrypting by a single session of scdaemon. + +Signed-off-by: NIIBE Yutaka +--- + scd/app.c | 1 + + scd/command.c | 5 +++++ + 2 files changed, 6 insertions(+) + +diff --git a/scd/app.c b/scd/app.c +index b10a452d6..989e0c060 100644 +--- a/scd/app.c ++++ b/scd/app.c +@@ -192,6 +192,7 @@ app_new_register (int slot, ctrl_t ctrl, const char *name) + } + + app->slot = slot; ++ app->card_status = (unsigned int)-1; + + if (npth_mutex_init (&app->lock, NULL)) + { +diff --git a/scd/command.c b/scd/command.c +index 8c7ca20a6..0ae6d29aa 100644 +--- a/scd/command.c ++++ b/scd/command.c +@@ -217,6 +217,7 @@ open_card_with_request (ctrl_t ctrl, const char *apptype, const char *serialno) + gpg_error_t err; + unsigned char *serialno_bin = NULL; + size_t serialno_bin_len = 0; ++ app_t app = ctrl->app_ctx; + + /* If we are already initialized for one specific application we + need to check that the client didn't requested a specific +@@ -224,6 +225,10 @@ open_card_with_request (ctrl_t ctrl, const char *apptype, const char *serialno) + if (apptype && ctrl->app_ctx) + return check_application_conflict (apptype, ctrl->app_ctx); + ++ /* Re-scan USB devices. Release APP, before the scan. */ ++ ctrl->app_ctx = NULL; ++ release_application (app); ++ + if (serialno) + serialno_bin = hex_to_buffer (serialno, &serialno_bin_len); + diff --git a/patches/0029-scd-Fix-use-case-of-PC-SC.patch b/patches/0029-scd-Fix-use-case-of-PC-SC.patch new file mode 100644 index 0000000..a26360d --- /dev/null +++ b/patches/0029-scd-Fix-use-case-of-PC-SC.patch @@ -0,0 +1,93 @@ +From: NIIBE Yutaka +Date: Mon, 13 Feb 2017 11:09:13 +0900 +Subject: scd: Fix use case of PC/SC. + +* scd/apdu.c (apdu_open_reader): Add an argument APP_EMPTY. +When CCID driver fails to open, try PC/SC if APP is nothing. +* scd/app.c (select_application): Supply arg if APP is nothing. + +-- + +After scanning available card readers by CCID driver, scdaemon should +try PC/SC service if no APP is registered yet. Also, when the slot +is allocated for PC/SC (ccid.handle==NULL), it should not call +ccid_compare_BAI, otherwise scdaemon crashes. + +Debian-bug-id: 852702, 854005, 854595, 854616 + +Signed-off-by: NIIBE Yutaka +--- + scd/apdu.c | 14 +++++++++++--- + scd/apdu.h | 2 +- + scd/app.c | 2 +- + 3 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/scd/apdu.c b/scd/apdu.c +index 38ebd2be5..149154cf3 100644 +--- a/scd/apdu.c ++++ b/scd/apdu.c +@@ -3117,7 +3117,7 @@ apdu_open_one_reader (const char *portstr) + } + + int +-apdu_open_reader (struct dev_list *dl) ++apdu_open_reader (struct dev_list *dl, int app_empty) + { + int slot; + +@@ -3167,6 +3167,7 @@ apdu_open_reader (struct dev_list *dl) + /* Check identity by BAI against already opened HANDLEs. */ + for (slot = 0; slot < MAX_READER; slot++) + if (reader_table[slot].used ++ && reader_table[slot].ccid.handle + && ccid_compare_BAI (reader_table[slot].ccid.handle, bai)) + break; + +@@ -3191,12 +3192,19 @@ apdu_open_reader (struct dev_list *dl) + dl->idx++; + } + +- slot = -1; ++ /* Not found. Try one for PC/SC, only when it's the initial scan. */ ++ if (app_empty && dl->idx == dl->idx_max) ++ { ++ dl->idx++; ++ slot = apdu_open_one_reader (dl->portstr); ++ } ++ else ++ slot = -1; + } + else + #endif + { /* PC/SC readers. */ +- if (dl->idx == 0) ++ if (app_empty && dl->idx == 0) + { + dl->idx++; + slot = apdu_open_one_reader (dl->portstr); +diff --git a/scd/apdu.h b/scd/apdu.h +index 473def518..6751e8c9b 100644 +--- a/scd/apdu.h ++++ b/scd/apdu.h +@@ -91,7 +91,7 @@ gpg_error_t apdu_dev_list_start (const char *portstr, struct dev_list **l_p); + void apdu_dev_list_finish (struct dev_list *l); + + /* Note, that apdu_open_reader returns no status word but -1 on error. */ +-int apdu_open_reader (struct dev_list *l); ++int apdu_open_reader (struct dev_list *l, int app_empty); + int apdu_open_remote_reader (const char *portstr, + const unsigned char *cookie, size_t length, + int (*readfnc) (void *opaque, +diff --git a/scd/app.c b/scd/app.c +index 989e0c060..8fb0d4553 100644 +--- a/scd/app.c ++++ b/scd/app.c +@@ -340,7 +340,7 @@ select_application (ctrl_t ctrl, const char *name, app_t *r_app, + int slot; + int sw; + +- slot = apdu_open_reader (l); ++ slot = apdu_open_reader (l, !app_top); + if (slot < 0) + break; + diff --git a/patches/block-ptrace-on-agent/0002-Avoid-simple-memory-dumps-via-ptrace.patch b/patches/block-ptrace-on-agent/0002-Avoid-simple-memory-dumps-via-ptrace.patch new file mode 100644 index 0000000..96a8e0d --- /dev/null +++ b/patches/block-ptrace-on-agent/0002-Avoid-simple-memory-dumps-via-ptrace.patch @@ -0,0 +1,60 @@ +From: Daniel Kahn Gillmor +Date: Tue, 11 Aug 2015 20:28:26 -0400 +Subject: Avoid simple memory dumps via ptrace + +This avoids needing to setgid gpg-agent. It probably doesn't defend +against all possible attacks, but it defends against one specific (and +easy) one. If there are other protections we should do them too. + +This will make it slightly harder to debug the agent because the +normal user won't be able to attach gdb to it directly while it runs. + +The remaining options for debugging are: + + * launch the agent from gdb directly + * connect gdb to a running agent as the superuser + +Upstream bug: https://bugs.gnupg.org/gnupg/issue1211 +--- + agent/gpg-agent.c | 8 ++++++++ + configure.ac | 1 + + 2 files changed, 9 insertions(+) + +diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c +index c0208cc88..31bf3370a 100644 +--- a/agent/gpg-agent.c ++++ b/agent/gpg-agent.c +@@ -48,6 +48,9 @@ + # include + #endif + #include ++#ifdef HAVE_PRCTL ++# include ++#endif + + #define GNUPG_COMMON_NEED_AFLOCAL + #include "agent.h" +@@ -949,6 +952,11 @@ main (int argc, char **argv ) + + early_system_init (); + ++#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) ++ /* Disable ptrace on Linux without sgid bit */ ++ prctl(PR_SET_DUMPABLE, 0); ++#endif ++ + /* Before we do anything else we save the list of currently open + file descriptors and the signal mask. This info is required to + do the exec call properly. We don't need it on Windows. */ +diff --git a/configure.ac b/configure.ac +index f929cb60f..f2b6a70d2 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1335,6 +1335,7 @@ AC_CHECK_FUNCS([strerror strlwr tcgetattr mmap canonicalize_file_name]) + AC_CHECK_FUNCS([strcasecmp strncasecmp ctermid times gmtime_r strtoull]) + AC_CHECK_FUNCS([setenv unsetenv fcntl ftruncate inet_ntop]) + AC_CHECK_FUNCS([canonicalize_file_name]) ++AC_CHECK_FUNCS([prctl]) + AC_CHECK_FUNCS([gettimeofday getrusage getrlimit setrlimit clock_gettime]) + AC_CHECK_FUNCS([atexit raise getpagesize strftime nl_langinfo setlocale]) + AC_CHECK_FUNCS([waitpid wait4 sigaction sigprocmask pipe getaddrinfo]) diff --git a/patches/debian-packaging/0001-avoid-beta-warning.patch b/patches/debian-packaging/0001-avoid-beta-warning.patch new file mode 100644 index 0000000..ea08ce8 --- /dev/null +++ b/patches/debian-packaging/0001-avoid-beta-warning.patch @@ -0,0 +1,44 @@ +From: Debian GnuPG Maintainers +Date: Tue, 14 Apr 2015 10:02:31 -0400 +Subject: avoid-beta-warning + +avoid self-describing as a beta + +Using autoreconf against the source as distributed in tarball form +invariably results in a package that thinks it's a "beta" package, +which produces the "THIS IS A DEVELOPMENT VERSION" warning string. + +since we use dh_autoreconf, i need this patch to avoid producing +builds that announce themselves as DEVELOPMENT VERSIONs. + +See discussion at: + + http://lists.gnupg.org/pipermail/gnupg-devel/2014-November/029065.html +--- + autogen.sh | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/autogen.sh b/autogen.sh +index e5ba5bf05..d7bab0383 100755 +--- a/autogen.sh ++++ b/autogen.sh +@@ -229,7 +229,7 @@ if [ "$myhost" = "find-version" ]; then + esac + + beta=no +- if [ -e .git ]; then ++ if false; then + ingit=yes + tmp=$(git describe --match "${matchstr1}" --long 2>/dev/null) + tmp=$(echo "$tmp" | sed s/^"$package"//) +@@ -245,8 +245,8 @@ if [ "$myhost" = "find-version" ]; then + rvd=$((0x$(echo ${rev} | dd bs=1 count=4 2>/dev/null))) + else + ingit=no +- beta=yes +- tmp="-unknown" ++ beta=no ++ tmp="" + rev="0000000" + rvd="0" + fi diff --git a/patches/debian-packaging/0003-avoid-regenerating-defsincdate-use-shipped-file.patch b/patches/debian-packaging/0003-avoid-regenerating-defsincdate-use-shipped-file.patch new file mode 100644 index 0000000..c141e4f --- /dev/null +++ b/patches/debian-packaging/0003-avoid-regenerating-defsincdate-use-shipped-file.patch @@ -0,0 +1,37 @@ +From: Daniel Kahn Gillmor +Date: Mon, 29 Aug 2016 12:34:42 -0400 +Subject: avoid regenerating defsincdate (use shipped file) + +upstream ships doc/defsincdate in its tarballs. but doc/Makefile.am +tries to rewrite doc/defsincdate if it notices that any of the files +have been modified more recently, and it does so assuming that we're +running from a git repo. + +However, we'd rather ship the documents cleanly without regenerating +defsincdate -- we don't have a git repo available (debian builds from +upstream tarballs) and any changes to the texinfo files (e.g. from +debian/patches/) might result in different dates on the files than we +expect after they're applied by dpkg or quilt or whatever, which makes +the datestamp unreproducible. +--- + doc/Makefile.am | 7 ------- + 1 file changed, 7 deletions(-) + +diff --git a/doc/Makefile.am b/doc/Makefile.am +index 0c2f2c9dc..65b941ca7 100644 +--- a/doc/Makefile.am ++++ b/doc/Makefile.am +@@ -167,13 +167,6 @@ $(myman_pages) gnupg.7 : yat2m-stamp defs.inc + + dist-hook: defsincdate + +-defsincdate: $(gnupg_TEXINFOS) +- : >defsincdate ; \ +- if test -e $(top_srcdir)/.git; then \ +- (cd $(srcdir) && git log -1 --format='%ct' \ +- -- $(gnupg_TEXINFOS) 2>/dev/null) >>defsincdate; \ +- fi +- + defs.inc : defsincdate Makefile mkdefsinc + incd="`test -f defsincdate || echo '$(srcdir)/'`defsincdate"; \ + ./mkdefsinc -C $(srcdir) --date "`cat $$incd 2>/dev/null`" \ diff --git a/patches/dirmngr-idling/0001-dirmngr-hkp-Avoid-potential-race-condition-when-some.patch b/patches/dirmngr-idling/0001-dirmngr-hkp-Avoid-potential-race-condition-when-some.patch new file mode 100644 index 0000000..f1bcde3 --- /dev/null +++ b/patches/dirmngr-idling/0001-dirmngr-hkp-Avoid-potential-race-condition-when-some.patch @@ -0,0 +1,77 @@ +From: Daniel Kahn Gillmor +Date: Sat, 29 Oct 2016 01:25:05 -0400 +Subject: dirmngr: hkp: Avoid potential race condition when some hosts die. + +* dirmngr/ks-engine-hkp.c (select_random_host): Use atomic pass +through the host table instead of risking out-of-bounds write. + +-- + +Multiple threads may write to hosttable[x]->dead while +select_random_host() is running. For example, a housekeeping thread +might clear the ->dead bit on some entries, or another connection to +dirmngr might manually mark a host as alive. + +If one or more hosts are resurrected between the two loops over a +given table in select_random_host(), then the allocation of tbl might +not be large enough, resulting in a write past the end of tbl on the +second loop. + +This change collapses the two loops into a single loop to avoid this +discrepancy: each host's "dead" bit is now only checked once. + +As Werner points out, this isn't currently strictly necessary, since +npth will not switch threads unless a blocking system call is made, +and no blocking system call is made in these two loops. + +However, in a subsequent change in this series, we will call a +function in this loop, and that function may sometimes write(2), or +call other functions, which may themselves block. Keeping this as a +single-pass loop avoids the need to keep track of what might block and +what might not. + +Signed-off-by: Daniel Kahn Gillmor +--- + dirmngr/ks-engine-hkp.c | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c +index 45965cecc..57e7529f3 100644 +--- a/dirmngr/ks-engine-hkp.c ++++ b/dirmngr/ks-engine-hkp.c +@@ -209,25 +209,24 @@ host_in_pool_p (int *pool, int tblidx) + static int + select_random_host (int *table) + { +- int *tbl; +- size_t tblsize; ++ int *tbl = NULL; ++ size_t tblsize = 0; + int pidx, idx; + + /* We create a new table so that we randomly select only from + currently alive hosts. */ +- for (idx=0, tblsize=0; (pidx = table[idx]) != -1; idx++) ++ for (idx=0; (pidx = table[idx]) != -1; idx++) + if (hosttable[pidx] && !hosttable[pidx]->dead) +- tblsize++; ++ { ++ tblsize++; ++ tbl = xtryrealloc(tbl, tblsize * sizeof *tbl); ++ if (!tbl) ++ return -1; /* memory allocation failed! */ ++ tbl[tblsize-1] = pidx; ++ } + if (!tblsize) + return -1; /* No hosts. */ + +- tbl = xtrymalloc (tblsize * sizeof *tbl); +- if (!tbl) +- return -1; +- for (idx=0, tblsize=0; (pidx = table[idx]) != -1; idx++) +- if (hosttable[pidx] && !hosttable[pidx]->dead) +- tbl[tblsize++] = pidx; +- + if (tblsize == 1) /* Save a get_uint_nonce. */ + pidx = tbl[0]; + else diff --git a/patches/dirmngr-idling/0002-dimrngr-Avoid-need-for-hkp-housekeeping.patch b/patches/dirmngr-idling/0002-dimrngr-Avoid-need-for-hkp-housekeeping.patch new file mode 100644 index 0000000..c23485c --- /dev/null +++ b/patches/dirmngr-idling/0002-dimrngr-Avoid-need-for-hkp-housekeeping.patch @@ -0,0 +1,225 @@ +From: Daniel Kahn Gillmor +Date: Sat, 29 Oct 2016 02:00:50 -0400 +Subject: dimrngr: Avoid need for hkp housekeeping. + +* dirmngr/ks-engine-hkp.c (host_is_alive): New function. Test whether +host is alive and resurrects it if it has been dead long enough. +(select_random_host, map_host, ks_hkp_mark_host): Use host_is_alive +instead of testing hostinfo_t->dead directly. +(ks_hkp_housekeeping): Remove function, no longer needed. +* dirmngr/dirmngr.c (housekeeping_thread): Remove call to +ks_hkp_housekeeping. + +-- + +Rather than resurrecting hosts upon scheduled resurrection times, test +whether hosts should be resurrected as they're inspected for being +dead. This removes the need for explicit housekeeping, and makes host +resurrections happen "just in time", rather than being clustered on +HOUSEKEEPING_INTERVAL seconds. + +Signed-off-by: Daniel Kahn Gillmor +--- + dirmngr/dirmngr.c | 3 -- + dirmngr/dirmngr.h | 1 - + dirmngr/ks-engine-hkp.c | 73 ++++++++++++++++++++++++------------------------- + 3 files changed, 36 insertions(+), 41 deletions(-) + +diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c +index 061cfc300..a8be56fa4 100644 +--- a/dirmngr/dirmngr.c ++++ b/dirmngr/dirmngr.c +@@ -1771,12 +1771,10 @@ static void * + housekeeping_thread (void *arg) + { + static int sentinel; +- time_t curtime; + struct server_control_s ctrlbuf; + + (void)arg; + +- curtime = gnupg_get_time (); + if (sentinel) + { + log_info ("housekeeping is already going on\n"); +@@ -1789,7 +1787,6 @@ housekeeping_thread (void *arg) + memset (&ctrlbuf, 0, sizeof ctrlbuf); + dirmngr_init_default_ctrl (&ctrlbuf); + +- ks_hkp_housekeeping (curtime); + if (network_activity_seen) + { + network_activity_seen = 0; +diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h +index 35bc000fb..acd4c636d 100644 +--- a/dirmngr/dirmngr.h ++++ b/dirmngr/dirmngr.h +@@ -193,7 +193,6 @@ const char* dirmngr_get_current_socket_name (void); + + + /*-- Various housekeeping functions. --*/ +-void ks_hkp_housekeeping (time_t curtime); + void ks_hkp_reload (void); + + +diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c +index 57e7529f3..2b90441e2 100644 +--- a/dirmngr/ks-engine-hkp.c ++++ b/dirmngr/ks-engine-hkp.c +@@ -203,6 +203,25 @@ host_in_pool_p (int *pool, int tblidx) + } + + ++static int ++host_is_alive (hostinfo_t hi, time_t curtime) ++{ ++ if (!hi) ++ return 0; ++ if (!hi->dead) ++ return 1; ++ if (!hi->died_at) ++ return 0; /* manually marked dead */ ++ if (hi->died_at + RESURRECT_INTERVAL <= curtime ++ || hi->died_at > curtime) ++ { ++ hi->dead = 0; ++ log_info ("resurrected host '%s'", hi->name); ++ return 1; ++ } ++ return 0; ++} ++ + /* Select a random host. Consult TABLE which indices into the global + hosttable. Returns index into TABLE or -1 if no host could be + selected. */ +@@ -212,11 +231,13 @@ select_random_host (int *table) + int *tbl = NULL; + size_t tblsize = 0; + int pidx, idx; ++ time_t curtime; + ++ curtime = gnupg_get_time (); + /* We create a new table so that we randomly select only from + currently alive hosts. */ + for (idx=0; (pidx = table[idx]) != -1; idx++) +- if (hosttable[pidx] && !hosttable[pidx]->dead) ++ if (hosttable[pidx] && host_is_alive (hosttable[pidx], curtime)) + { + tblsize++; + tbl = xtryrealloc(tbl, tblsize * sizeof *tbl); +@@ -395,6 +416,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect, + gpg_error_t err = 0; + hostinfo_t hi; + int idx; ++ time_t curtime; + + *r_host = NULL; + if (r_httpflags) +@@ -531,6 +553,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect, + xfree (reftbl); + } + ++ curtime = gnupg_get_time (); + hi = hosttable[idx]; + if (hi->pool) + { +@@ -547,7 +570,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect, + if (force_reselect) + hi->poolidx = -1; + else if (hi->poolidx >= 0 && hi->poolidx < hosttable_size +- && hosttable[hi->poolidx] && hosttable[hi->poolidx]->dead) ++ && hosttable[hi->poolidx] && !host_is_alive (hosttable[hi->poolidx], curtime)) + hi->poolidx = -1; + + /* Select a host if needed. */ +@@ -599,7 +622,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect, + free_dns_addrinfo (aibuf); + } + +- if (hi->dead) ++ if (!host_is_alive (hi, curtime)) + { + log_error ("host '%s' marked as dead\n", hi->name); + if (r_httphost) +@@ -704,7 +727,8 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive) + { + gpg_error_t err = 0; + hostinfo_t hi, hi2; +- int idx, idx2, idx3, n; ++ int idx, idx2, idx3, n, is_alive; ++ time_t curtime; + + if (!name || !*name || !strcmp (name, "localhost")) + return 0; +@@ -713,13 +737,15 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive) + if (idx == -1) + return gpg_error (GPG_ERR_NOT_FOUND); + ++ curtime = gnupg_get_time (); + hi = hosttable[idx]; +- if (alive && hi->dead) ++ is_alive = host_is_alive (hi, curtime); ++ if (alive && !is_alive) + { + hi->dead = 0; + err = ks_printf_help (ctrl, "marking '%s' as alive", name); + } +- else if (!alive && !hi->dead) ++ else if (!alive && is_alive) + { + hi->dead = 1; + hi->died_at = 0; /* Manually set dead. */ +@@ -751,14 +777,15 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive) + + hi2 = hosttable[n]; + if (!hi2) +- ; +- else if (alive && hi2->dead) ++ continue; ++ is_alive = host_is_alive (hi2, curtime); ++ if (alive && !is_alive) + { + hi2->dead = 0; + err = ks_printf_help (ctrl, "marking '%s' as alive", + hi2->name); + } +- else if (!alive && !hi2->dead) ++ else if (!alive && is_alive) + { + hi2->dead = 1; + hi2->died_at = 0; /* Manually set dead. */ +@@ -974,34 +1001,6 @@ ks_hkp_resolve (ctrl_t ctrl, parsed_uri_t uri) + } + + +-/* Housekeeping function called from the housekeeping thread. It is +- used to mark dead hosts alive so that they may be tried again after +- some time. */ +-void +-ks_hkp_housekeeping (time_t curtime) +-{ +- int idx; +- hostinfo_t hi; +- +- for (idx=0; idx < hosttable_size; idx++) +- { +- hi = hosttable[idx]; +- if (!hi) +- continue; +- if (!hi->dead) +- continue; +- if (!hi->died_at) +- continue; /* Do not resurrect manually shot hosts. */ +- if (hi->died_at + RESURRECT_INTERVAL <= curtime +- || hi->died_at > curtime) +- { +- hi->dead = 0; +- log_info ("resurrected host '%s'", hi->name); +- } +- } +-} +- +- + /* Reload (SIGHUP) action for this module. We mark all host alive + * even those which have been manually shot. */ + void diff --git a/patches/dirmngr-idling/0004-dirmngr-Avoid-automatically-checking-upstream-swdb.patch b/patches/dirmngr-idling/0004-dirmngr-Avoid-automatically-checking-upstream-swdb.patch new file mode 100644 index 0000000..7791852 --- /dev/null +++ b/patches/dirmngr-idling/0004-dirmngr-Avoid-automatically-checking-upstream-swdb.patch @@ -0,0 +1,69 @@ +From: Daniel Kahn Gillmor +Date: Sun, 20 Nov 2016 23:09:24 -0500 +Subject: dirmngr: Avoid automatically checking upstream swdb. + +* dirmngr/dirmngr.c (housekeeping_thread): Avoid automatically +checking upstream's software database. In Debian, software updates +should be handled by the distro mechanism, and additional upstream +checks only confuse the user. +* doc/dirmngr.texi: document that --allow-version-check does nothing. + +Signed-off-by: Daniel Kahn Gillmor +--- + dirmngr/dirmngr.c | 13 ------------- + doc/dirmngr.texi | 11 +++++------ + 2 files changed, 5 insertions(+), 19 deletions(-) + +diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c +index a8be56fa4..746f43d10 100644 +--- a/dirmngr/dirmngr.c ++++ b/dirmngr/dirmngr.c +@@ -1771,7 +1771,6 @@ static void * + housekeeping_thread (void *arg) + { + static int sentinel; +- struct server_control_s ctrlbuf; + + (void)arg; + +@@ -1784,18 +1783,6 @@ housekeeping_thread (void *arg) + if (opt.verbose > 1) + log_info ("starting housekeeping\n"); + +- memset (&ctrlbuf, 0, sizeof ctrlbuf); +- dirmngr_init_default_ctrl (&ctrlbuf); +- +- if (network_activity_seen) +- { +- network_activity_seen = 0; +- if (opt.use_tor || opt.allow_version_check) +- dirmngr_load_swdb (&ctrlbuf, 0); +- } +- +- dirmngr_deinit_default_ctrl (&ctrlbuf); +- + if (opt.verbose > 1) + log_info ("ready with housekeeping\n"); + sentinel--; +diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi +index e27157c00..dd104273d 100644 +--- a/doc/dirmngr.texi ++++ b/doc/dirmngr.texi +@@ -266,12 +266,11 @@ seconds. + @item --allow-version-check + @opindex allow-version-check + Allow Dirmngr to connect to @code{https://versions.gnupg.org} to get +-the list of current software versions. If this option is enabled, or +-if @option{use-tor} is active, the list is retrieved when the local +-copy does not exist or is older than 5 to 7 days. See the option +-@option{--query-swdb} of the command @command{gpgconf} for more +-details. Note, that regardless of this option a version check can +-always be triggered using this command: ++the list of current software versions. On debian-packaged versions, ++this option does nothing since software updates should be handled by ++the distribution. See the option @option{--query-swdb} of the command ++@command{gpgconf} for more details. Note, that regardless of this ++option a version check can always be triggered using this command: + + @example + gpg-connect-agent --dirmngr 'loadswdb --force' /bye diff --git a/patches/dirmngr-idling/0005-dirmngr-Drop-useless-housekeeping.patch b/patches/dirmngr-idling/0005-dirmngr-Drop-useless-housekeeping.patch new file mode 100644 index 0000000..69bdc9d --- /dev/null +++ b/patches/dirmngr-idling/0005-dirmngr-Drop-useless-housekeeping.patch @@ -0,0 +1,199 @@ +From: Daniel Kahn Gillmor +Date: Sat, 29 Oct 2016 02:15:08 -0400 +Subject: dirmngr: Drop useless housekeeping. + +* dirmngr/dirmngr.c (handle_tick, time_for_housekeeping_p, +housekeeping_thread): Remove, no longer needed. +(handle_connections): Drop any attempt at a timeout, since no +housekeeping is necessary. + +-- + +The housekeeping thread no longer does anything, and the main loop was +waking up every 60 seconds for no good reason. The code is simpler +and the runtime is more efficient if we drop this. + +Signed-off-by: Daniel Kahn Gillmor +--- + dirmngr/dirmngr.c | 113 +++--------------------------------------------------- + 1 file changed, 5 insertions(+), 108 deletions(-) + +diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c +index 746f43d10..8d9de9e5a 100644 +--- a/dirmngr/dirmngr.c ++++ b/dirmngr/dirmngr.c +@@ -304,13 +304,6 @@ static int active_connections; + * thread to run background network tasks. */ + static int network_activity_seen; + +-/* The timer tick used for housekeeping stuff. */ +-#define TIMERTICK_INTERVAL (60) +- +-/* How oft to run the housekeeping. */ +-#define HOUSEKEEPING_INTERVAL (600) +- +- + /* This union is used to avoid compiler warnings in case a pointer is + 64 bit and an int 32 bit. We store an integer in a pointer and get + it back later (npth_getspecific et al.). */ +@@ -1766,83 +1759,6 @@ handle_signal (int signo) + #endif /*!HAVE_W32_SYSTEM*/ + + +-/* Thread to do the housekeeping. */ +-static void * +-housekeeping_thread (void *arg) +-{ +- static int sentinel; +- +- (void)arg; +- +- if (sentinel) +- { +- log_info ("housekeeping is already going on\n"); +- return NULL; +- } +- sentinel++; +- if (opt.verbose > 1) +- log_info ("starting housekeeping\n"); +- +- if (opt.verbose > 1) +- log_info ("ready with housekeeping\n"); +- sentinel--; +- return NULL; +- +-} +- +- +-#if GPGRT_GCC_HAVE_PUSH_PRAGMA +-# pragma GCC push_options +-# pragma GCC optimize ("no-strict-overflow") +-#endif +-static int +-time_for_housekeeping_p (time_t curtime) +-{ +- static time_t last_housekeeping; +- +- if (!last_housekeeping) +- last_housekeeping = curtime; +- +- if (last_housekeeping + HOUSEKEEPING_INTERVAL <= curtime +- || last_housekeeping > curtime /*(be prepared for y2038)*/) +- { +- last_housekeeping = curtime; +- return 1; +- } +- return 0; +-} +-#if GPGRT_GCC_HAVE_PUSH_PRAGMA +-# pragma GCC pop_options +-#endif +- +- +-/* This is the worker for the ticker. It is called every few seconds +- and may only do fast operations. */ +-static void +-handle_tick (void) +-{ +- if (time_for_housekeeping_p (gnupg_get_time ())) +- { +- npth_t thread; +- npth_attr_t tattr; +- int err; +- +- err = npth_attr_init (&tattr); +- if (err) +- log_error ("error preparing housekeeping thread: %s\n", strerror (err)); +- else +- { +- npth_attr_setdetachstate (&tattr, NPTH_CREATE_DETACHED); +- err = npth_create (&thread, &tattr, housekeeping_thread, NULL); +- if (err) +- log_error ("error spawning housekeeping thread: %s\n", +- strerror (err)); +- npth_attr_destroy (&tattr); +- } +- } +-} +- +- + /* Check the nonce on a new connection. This is a NOP unless we are + using our Unix domain socket emulation under Windows. */ + static int +@@ -1943,9 +1859,6 @@ handle_connections (assuan_fd_t listen_fd) + gnupg_fd_t fd; + int nfd, ret; + fd_set fdset, read_fdset; +- struct timespec abstime; +- struct timespec curtime; +- struct timespec timeout; + int saved_errno; + int my_inotify_fd = -1; + +@@ -1985,9 +1898,7 @@ handle_connections (assuan_fd_t listen_fd) + #endif /*HAVE_INOTIFY_INIT*/ + + +- /* Setup the fdset. It has only one member. This is because we use +- pth_select instead of pth_accept to properly sync timeouts with +- to full second. */ ++ /* Setup the fdset. */ + FD_ZERO (&fdset); + FD_SET (FD2INT (listen_fd), &fdset); + nfd = FD2INT (listen_fd); +@@ -1998,9 +1909,6 @@ handle_connections (assuan_fd_t listen_fd) + nfd = my_inotify_fd; + } + +- npth_clock_gettime (&abstime); +- abstime.tv_sec += TIMERTICK_INTERVAL; +- + /* Main loop. */ + for (;;) + { +@@ -2011,7 +1919,7 @@ handle_connections (assuan_fd_t listen_fd) + break; /* ready */ + + /* Do not accept new connections but keep on running the +- * loop to cope with the timer events. ++ * select loop to wait for signals (e.g. SIGCHLD). + * + * Note that we do not close the listening socket because a + * client trying to connect to that socket would instead +@@ -2031,24 +1939,14 @@ handle_connections (assuan_fd_t listen_fd) + /* Take a copy of the fdset. */ + read_fdset = fdset; + +- npth_clock_gettime (&curtime); +- if (!(npth_timercmp (&curtime, &abstime, <))) +- { +- /* Timeout. */ +- handle_tick (); +- npth_clock_gettime (&abstime); +- abstime.tv_sec += TIMERTICK_INTERVAL; +- } +- npth_timersub (&abstime, &curtime, &timeout); +- + #ifndef HAVE_W32_SYSTEM +- ret = npth_pselect (nfd+1, &read_fdset, NULL, NULL, &timeout, npth_sigev_sigmask()); ++ ret = npth_pselect (nfd+1, &read_fdset, NULL, NULL, NULL, npth_sigev_sigmask()); + saved_errno = errno; + + while (npth_sigev_get_pending(&signo)) + handle_signal (signo); + #else +- ret = npth_eselect (nfd+1, &read_fdset, NULL, NULL, &timeout, NULL, NULL); ++ ret = npth_eselect (nfd+1, &read_fdset, NULL, NULL, NULL, NULL, NULL); + saved_errno = errno; + #endif + +@@ -2062,8 +1960,7 @@ handle_connections (assuan_fd_t listen_fd) + + if (ret <= 0) + { +- /* Interrupt or timeout. Will be handled when calculating the +- next timeout. */ ++ /* Interrupt. Will be handled at the top of the next loop. */ + continue; + } + diff --git a/patches/gpg-agent-idling/0001-agent-Create-framework-of-scheduled-timers.patch b/patches/gpg-agent-idling/0001-agent-Create-framework-of-scheduled-timers.patch new file mode 100644 index 0000000..05817dd --- /dev/null +++ b/patches/gpg-agent-idling/0001-agent-Create-framework-of-scheduled-timers.patch @@ -0,0 +1,192 @@ +From: Daniel Kahn Gillmor +Date: Mon, 31 Oct 2016 21:27:36 -0400 +Subject: agent: Create framework of scheduled timers. + +agent/gpg-agent.c (handle_tick): Remove intermittent call to +check_own_socket. +(tv_is_set): Add inline helper function for readability. +(handle_connections) Create general table of pending scheduled +timeouts. + +-- + +handle_tick() does fine-grained, rapid activity. check_own_socket() +is supposed to happen at a different interval. + +Mixing the two of them makes it a requirement that one interval be a +multiple of the other, which isn't ideal if there are different delay +strategies that we might want in the future. + +Creating an extensible regular timer framework in handle_connections +should make it possible to have any number of cadenced timers fire +regularly, without requiring that they happen in cadences related to +each other. + +It should also make it possible to dynamically change the cadence of +any regularly-scheduled timeout. + +Signed-off-by: Daniel Kahn Gillmor +--- + agent/gpg-agent.c | 87 ++++++++++++++++++++++++++++++++++++------------------- + 1 file changed, 58 insertions(+), 29 deletions(-) + +diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c +index 31bf3370a..25aae6af0 100644 +--- a/agent/gpg-agent.c ++++ b/agent/gpg-agent.c +@@ -2282,11 +2282,6 @@ create_directories (void) + static void + handle_tick (void) + { +- static time_t last_minute; +- +- if (!last_minute) +- last_minute = time (NULL); +- + /* Check whether the scdaemon has died and cleanup in this case. */ + agent_scd_check_aliveness (); + +@@ -2305,16 +2300,6 @@ handle_tick (void) + } + } + #endif /*HAVE_W32_SYSTEM*/ +- +- /* Code to be run from time to time. */ +-#if CHECK_OWN_SOCKET_INTERVAL > 0 +- if (last_minute + CHECK_OWN_SOCKET_INTERVAL <= time (NULL)) +- { +- check_own_socket (); +- last_minute = time (NULL); +- } +-#endif +- + } + + +@@ -2711,6 +2696,15 @@ start_connection_thread_ssh (void *arg) + } + + ++/* helper function for readability: test whether a given struct ++ timespec is set to all-zeros */ ++static inline int ++tv_is_set (struct timespec tv) ++{ ++ return tv.tv_sec || tv.tv_nsec; ++} ++ ++ + /* Connection handler loop. Wait for connection requests and spawn a + thread after accepting a connection. */ + static void +@@ -2728,9 +2722,11 @@ handle_connections (gnupg_fd_t listen_fd, + gnupg_fd_t fd; + int nfd; + int saved_errno; ++ int idx; + struct timespec abstime; + struct timespec curtime; + struct timespec timeout; ++ struct timespec *select_timeout; + #ifdef HAVE_W32_SYSTEM + HANDLE events[2]; + unsigned int events_set; +@@ -2746,6 +2742,14 @@ handle_connections (gnupg_fd_t listen_fd, + { "browser", start_connection_thread_browser }, + { "ssh", start_connection_thread_ssh } + }; ++ struct { ++ struct timespec interval; ++ void (*func) (void); ++ struct timespec next; ++ } timertbl[] = { ++ { { TIMERTICK_INTERVAL, 0 }, handle_tick }, ++ { { CHECK_OWN_SOCKET_INTERVAL, 0 }, check_own_socket } ++ }; + + + ret = npth_attr_init(&tattr); +@@ -2835,9 +2839,6 @@ handle_connections (gnupg_fd_t listen_fd, + listentbl[2].l_fd = listen_fd_browser; + listentbl[3].l_fd = listen_fd_ssh; + +- npth_clock_gettime (&abstime); +- abstime.tv_sec += TIMERTICK_INTERVAL; +- + for (;;) + { + /* Shutdown test. */ +@@ -2866,18 +2867,47 @@ handle_connections (gnupg_fd_t listen_fd, + thus a simple assignment is fine to copy the entire set. */ + read_fdset = fdset; + ++ /* loop through all timers, fire any registered functions, and ++ plan next timer to trigger */ + npth_clock_gettime (&curtime); +- if (!(npth_timercmp (&curtime, &abstime, <))) +- { +- /* Timeout. */ +- handle_tick (); +- npth_clock_gettime (&abstime); +- abstime.tv_sec += TIMERTICK_INTERVAL; +- } +- npth_timersub (&abstime, &curtime, &timeout); ++ abstime.tv_sec = abstime.tv_nsec = 0; ++ for (idx=0; idx < DIM(timertbl); idx++) ++ { ++ /* schedule any unscheduled timers */ ++ if ((!tv_is_set (timertbl[idx].next)) && tv_is_set (timertbl[idx].interval)) ++ npth_timeradd (&timertbl[idx].interval, &curtime, &timertbl[idx].next); ++ /* if a timer is due, fire it ... */ ++ if (tv_is_set (timertbl[idx].next)) ++ { ++ if (!(npth_timercmp (&curtime, &timertbl[idx].next, <))) ++ { ++ timertbl[idx].func (); ++ npth_clock_gettime (&curtime); ++ /* ...and reschedule it, if desired: */ ++ if (tv_is_set (timertbl[idx].interval)) ++ npth_timeradd (&timertbl[idx].interval, &curtime, &timertbl[idx].next); ++ else ++ timertbl[idx].next.tv_sec = timertbl[idx].next.tv_nsec = 0; ++ } ++ } ++ /* accumulate next timer to come due in abstime: */ ++ if (tv_is_set (timertbl[idx].next) && ++ ((!tv_is_set (abstime)) || ++ (npth_timercmp (&abstime, &timertbl[idx].next, >)))) ++ abstime = timertbl[idx].next; ++ } ++ /* choose a timeout for the select loop: */ ++ if (tv_is_set (abstime)) ++ { ++ npth_timersub (&abstime, &curtime, &timeout); ++ select_timeout = &timeout; ++ } ++ else ++ select_timeout = NULL; ++ + + #ifndef HAVE_W32_SYSTEM +- ret = npth_pselect (nfd+1, &read_fdset, NULL, NULL, &timeout, ++ ret = npth_pselect (nfd+1, &read_fdset, NULL, NULL, select_timeout, + npth_sigev_sigmask ()); + saved_errno = errno; + +@@ -2887,7 +2917,7 @@ handle_connections (gnupg_fd_t listen_fd, + handle_signal (signo); + } + #else +- ret = npth_eselect (nfd+1, &read_fdset, NULL, NULL, &timeout, ++ ret = npth_eselect (nfd+1, &read_fdset, NULL, NULL, select_timeout, + events, &events_set); + saved_errno = errno; + +@@ -2910,7 +2940,6 @@ handle_connections (gnupg_fd_t listen_fd, + + if (!shutdown_pending) + { +- int idx; + ctrl_t ctrl; + npth_t thread; + diff --git a/patches/gpg-agent-idling/0002-agent-Allow-threads-to-interrupt-main-select-loop-wi.patch b/patches/gpg-agent-idling/0002-agent-Allow-threads-to-interrupt-main-select-loop-wi.patch new file mode 100644 index 0000000..317cea5 --- /dev/null +++ b/patches/gpg-agent-idling/0002-agent-Allow-threads-to-interrupt-main-select-loop-wi.patch @@ -0,0 +1,93 @@ +From: Daniel Kahn Gillmor +Date: Tue, 1 Nov 2016 00:45:23 -0400 +Subject: agent: Allow threads to interrupt main select loop with SIGCONT. + +* agent/gpg-agent.c (interrupt_main_thread_loop): New function on +non-windows platforms, allows other threads to interrupt the main loop +if there's something that the main loop might be interested in. + +-- + +For example, the main loop might be interested in changes in program +state that affect the timers it expects to see. + +I don't know how to do this on Windows platforms, but i welcome any +proposed improvements. + +Signed-off-by: Daniel Kahn Gillmor +--- + agent/agent.h | 1 + + agent/gpg-agent.c | 18 +++++++++++++++++- + 2 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/agent/agent.h b/agent/agent.h +index 2db5a5c74..4e75b2a56 100644 +--- a/agent/agent.h ++++ b/agent/agent.h +@@ -345,6 +345,7 @@ void *get_agent_scd_notify_event (void); + #endif + void agent_sighup_action (void); + int map_pk_openpgp_to_gcry (int openpgp_algo); ++void interrupt_main_thread_loop (void); + + /*-- command.c --*/ + gpg_error_t agent_inq_pinentry_launched (ctrl_t ctrl, unsigned long pid, +diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c +index 25aae6af0..73cd560aa 100644 +--- a/agent/gpg-agent.c ++++ b/agent/gpg-agent.c +@@ -384,6 +384,9 @@ static char *current_logfile; + watched. */ + static pid_t parent_pid = (pid_t)(-1); + ++/* Record the pid of the main thread, for easier signalling */ ++static pid_t main_thread_pid = (pid_t)(-1); ++ + /* Number of active connections. */ + static int active_connections; + +@@ -2032,7 +2035,7 @@ get_agent_scd_notify_event (void) + GetCurrentProcess(), &h2, + EVENT_MODIFY_STATE|SYNCHRONIZE, TRUE, 0)) + { +- log_error ("setting syncronize for scd notify event failed: %s\n", ++ log_error ("setting synchronize for scd notify event failed: %s\n", + w32_strerror (-1) ); + CloseHandle (h); + } +@@ -2358,6 +2361,10 @@ handle_signal (int signo) + agent_sigusr2_action (); + break; + ++ /* nothing to do here, just take an extra cycle on the select loop */ ++ case SIGCONT: ++ break; ++ + case SIGTERM: + if (!shutdown_pending) + log_info ("SIGTERM received - shutting down ...\n"); +@@ -2696,6 +2703,13 @@ start_connection_thread_ssh (void *arg) + } + + ++void interrupt_main_thread_loop (void) ++{ ++#ifndef HAVE_W32_SYSTEM ++ kill (main_thread_pid, SIGCONT); ++#endif ++} ++ + /* helper function for readability: test whether a given struct + timespec is set to all-zeros */ + static inline int +@@ -2764,8 +2778,10 @@ handle_connections (gnupg_fd_t listen_fd, + npth_sigev_add (SIGUSR1); + npth_sigev_add (SIGUSR2); + npth_sigev_add (SIGINT); ++ npth_sigev_add (SIGCONT); + npth_sigev_add (SIGTERM); + npth_sigev_fini (); ++ main_thread_pid = getpid (); + #else + # ifdef HAVE_W32CE_SYSTEM + /* Use a dummy event. */ diff --git a/patches/gpg-agent-idling/0003-agent-Avoid-tight-timer-tick-when-possible.patch b/patches/gpg-agent-idling/0003-agent-Avoid-tight-timer-tick-when-possible.patch new file mode 100644 index 0000000..f107e78 --- /dev/null +++ b/patches/gpg-agent-idling/0003-agent-Avoid-tight-timer-tick-when-possible.patch @@ -0,0 +1,112 @@ +From: Daniel Kahn Gillmor +Date: Tue, 1 Nov 2016 00:14:10 -0400 +Subject: agent: Avoid tight timer tick when possible. + +* agent/gpg-agent.c (need_tick): Evaluate whether the short-phase +handle_tick() is needed. +(handle_connections): On each cycle of the select loop, adjust whether +we should call handle_tick() or not. +(start_connection_thread_ssh, do_start_connection_thread): Signal the +main loop when the child terminates. +* agent/call-scd.c (start_scd): Call interrupt_main_thread_loop() once +the scdaemon thread context has started up. + +-- + +With this change, an idle gpg-agent that has no scdaemon running only +wakes up once a minute (to check_own_socket). + +Thanks to Ian Jackson and NIIBE Yutaka who helped me improve some of +the blocking and corner cases. + +Signed-off-by: Daniel Kahn Gillmor +--- + agent/call-scd.c | 4 +++- + agent/gpg-agent.c | 31 ++++++++++++++++++++++++++++--- + 2 files changed, 31 insertions(+), 4 deletions(-) + +diff --git a/agent/call-scd.c b/agent/call-scd.c +index 15a2ba529..0bf603084 100644 +--- a/agent/call-scd.c ++++ b/agent/call-scd.c +@@ -407,7 +407,9 @@ start_scd (ctrl_t ctrl) + + primary_scd_ctx = ctx; + primary_scd_ctx_reusable = 0; +- ++ /* notify the main loop that something has changed */ ++ interrupt_main_thread_loop (); ++ + leave: + xfree (abs_homedir); + if (err) +diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c +index 73cd560aa..b33de7d39 100644 +--- a/agent/gpg-agent.c ++++ b/agent/gpg-agent.c +@@ -2279,6 +2279,26 @@ create_directories (void) + } + + ++static int ++need_tick (void) ++{ ++#ifdef HAVE_W32_SYSTEM ++ /* We do not know how to interrupt the select loop on Windows, so we ++ always need a short tick there. */ ++ return 1; ++#else ++ /* if we were invoked like "gpg-agent cmd arg1 arg2" then we need to ++ watch our parent. */ ++ if (parent_pid != (pid_t)(-1)) ++ return 1; ++ /* if scdaemon is running, we need to check that it's alive */ ++ if (agent_scd_check_running ()) ++ return 1; ++ /* otherwise, nothing fine-grained to do. */ ++ return 0; ++#endif /*HAVE_W32_SYSTEM*/ ++} ++ + + /* This is the worker for the ticker. It is called every few seconds + and may only do fast operations. */ +@@ -2337,7 +2357,7 @@ agent_sigusr2_action (void) + + #ifndef HAVE_W32_SYSTEM + /* The signal handler for this program. It is expected to be run in +- its own trhead and not in the context of a signal handler. */ ++ its own thread and not in the context of a signal handler. */ + static void + handle_signal (int signo) + { +@@ -2618,7 +2638,8 @@ do_start_connection_thread (ctrl_t ctrl) + + agent_deinit_default_ctrl (ctrl); + xfree (ctrl); +- active_connections--; ++ if (--active_connections == 0) ++ interrupt_main_thread_loop(); + return NULL; + } + +@@ -2698,7 +2719,8 @@ start_connection_thread_ssh (void *arg) + + agent_deinit_default_ctrl (ctrl); + xfree (ctrl); +- active_connections--; ++ if (--active_connections == 0) ++ interrupt_main_thread_loop(); + return NULL; + } + +@@ -2883,6 +2905,9 @@ handle_connections (gnupg_fd_t listen_fd, + thus a simple assignment is fine to copy the entire set. */ + read_fdset = fdset; + ++ /* avoid a fine-grained timer if we don't need one: */ ++ timertbl[0].interval.tv_sec = need_tick () ? TIMERTICK_INTERVAL : 0; ++ + /* loop through all timers, fire any registered functions, and + plan next timer to trigger */ + npth_clock_gettime (&curtime); diff --git a/patches/gpg-agent-idling/0004-agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch b/patches/gpg-agent-idling/0004-agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch new file mode 100644 index 0000000..557deff --- /dev/null +++ b/patches/gpg-agent-idling/0004-agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch @@ -0,0 +1,26 @@ +From: Daniel Kahn Gillmor +Date: Tue, 1 Nov 2016 00:57:44 -0400 +Subject: agent: Avoid scheduled checks on socket when inotify is working. + +* agent/gpg-agent.c (handle_connections): When inotify is working, we +do not need to schedule a timer to evaluate whether we control our own +socket or not. + +Signed-off-by: Daniel Kahn Gillmor +--- + agent/gpg-agent.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c +index b33de7d39..56c28a679 100644 +--- a/agent/gpg-agent.c ++++ b/agent/gpg-agent.c +@@ -2907,6 +2907,8 @@ handle_connections (gnupg_fd_t listen_fd, + + /* avoid a fine-grained timer if we don't need one: */ + timertbl[0].interval.tv_sec = need_tick () ? TIMERTICK_INTERVAL : 0; ++ /* avoid waking up to check sockets if we can count on inotify */ ++ timertbl[1].interval.tv_sec = (my_inotify_fd == -1) ? CHECK_OWN_SOCKET_INTERVAL : 0; + + /* loop through all timers, fire any registered functions, and + plan next timer to trigger */ diff --git a/patches/series b/patches/series new file mode 100644 index 0000000..bd3d6f6 --- /dev/null +++ b/patches/series @@ -0,0 +1,29 @@ +debian-packaging/0001-avoid-beta-warning.patch +block-ptrace-on-agent/0002-Avoid-simple-memory-dumps-via-ptrace.patch +debian-packaging/0003-avoid-regenerating-defsincdate-use-shipped-file.patch +dirmngr-idling/0001-dirmngr-hkp-Avoid-potential-race-condition-when-some.patch +dirmngr-idling/0002-dimrngr-Avoid-need-for-hkp-housekeeping.patch +dirmngr-idling/0004-dirmngr-Avoid-automatically-checking-upstream-swdb.patch +dirmngr-idling/0005-dirmngr-Drop-useless-housekeeping.patch +gpg-agent-idling/0001-agent-Create-framework-of-scheduled-timers.patch +gpg-agent-idling/0002-agent-Allow-threads-to-interrupt-main-select-loop-wi.patch +gpg-agent-idling/0003-agent-Avoid-tight-timer-tick-when-possible.patch +gpg-agent-idling/0004-agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch +0012-tools-Fix-memory-leak.patch +0013-tools-Improve-error-handling.patch +0014-dirmngr-New-option-disable-ipv4.patch +0015-dirmngr-Simplify-error-returning-inside-http.c.patch +0016-gpg-Print-a-warning-on-Tor-problems.patch +0017-agent-Fix-double-free.patch +0018-gpg-Fix-searching-for-mail-addresses-in-keyrings.patch +0019-dirmngr-New-option-no-use-tor-and-internal-changes.patch +0020-gpg-Remove-period-at-end-of-warning.patch +0021-gpg-Add-newline-to-output.patch +0022-gpg-Only-print-out-TOFU-statistics-for-conflicts-in-.patch +0023-gpg-If-there-is-a-TOFU-conflict-elide-the-too-few-me.patch +0024-gpg-Ensure-TOFU-bindings-associated-with-UTKs-are-re.patch +0025-gpg-Don-t-assume-that-strtoul-interprets-as-0.patch +0026-gpg-More-diagnostics-for-a-launched-pinentry.patch +0027-doc-Clarify-abbreviation-of-help.patch +0028-scd-Backport-two-fixes-from-master.patch +0029-scd-Fix-use-case-of-PC-SC.patch diff --git a/rules b/rules new file mode 100755 index 0000000..241cead --- /dev/null +++ b/rules @@ -0,0 +1,67 @@ +#!/usr/bin/make -f +# debian/rules file - for GnuPG +# Copyright 1994,1995 by Ian Jackson. +# Copyright 1998-2003 by James Troup. +# Copyright 2003-2004 by Matthias Urlichs. +# +# I hereby give you perpetual unlimited permission to copy, +# modify and relicense this file, provided that you do not remove +# my name from the file itself. (I assert my moral right of +# paternity under the Copyright, Designs and Patents Act 1988.) +# This file may have to be extensively modified + +include /usr/share/dpkg/architecture.mk + +export DEB_BUILD_MAINT_OPTIONS = hardening=+all + +# avoid -pie for gpgv-static on hppa, kfreebsd-amd64, and x32 +# platforms, which cannot support it by default: +ifeq (,$(filter $(DEB_HOST_ARCH), hppa kfreebsd-amd64 x32)) +GPGV_STATIC_HARDENING = "-pie" +else +GPGV_STATIC_HARDENING = "" +endif + +%: + dh $@ --with=autoreconf --builddirectory=build + +GPGV_UDEB_UNNEEDED = gpgtar bzip2 gpgsm scdaemon dirmngr doc tofu exec ldap gnutls sqlite libdns + +WIN32_FLAGS=LDFLAGS="-Xlinker --no-insert-timestamp -static" CFLAGS="-g -Os" CPPFLAGS= + +override_dh_auto_configure: + dh_auto_configure --builddirectory=build-gpgv-udeb -- \ + --enable-gpg2-is-gpg \ + $(foreach x, $(GPGV_UDEB_UNNEEDED), --disable-$(x)) + dh_auto_configure --builddirectory=build -- --libexecdir=\$${prefix}/lib/gnupg \ + --enable-gpg2-is-gpg \ + --enable-symcryptrun --enable-large-secmem + +override_dh_auto_build-arch: + dh_auto_build --builddirectory=build-gpgv-udeb + dh_auto_build --builddirectory=build + cp -a build-gpgv-udeb build-gpgv-static + rm -f build-gpgv-static/g10/gpgv + cd build-gpgv-static/g10 && $(MAKE) LDFLAGS="$$LDFLAGS $(GPGV_STATIC_HARDENING) -static" gpgv + mv build-gpgv-static/g10/gpgv build-gpgv-static/g10/gpgv-static + +override_dh_auto_build-indep: + mkdir -p build-gpgv-win32 + cd build-gpgv-win32 && $(WIN32_FLAGS) ../configure \ + $(foreach x, $(GPGV_UDEB_UNNEEDED), --disable-$(x)) \ + $(foreach x, libgpg-error libgcrypt libassuan ksba npth, --with-$x-prefix=/usr/i686-w64-mingw32) \ + --enable-gpg2-is-gpg \ + --with-zlib=/usr/i686-w64-mingw \ + --prefix=/usr/i686-w64-mingw32 \ + --host i686-w64-mingw32 + cd build-gpgv-win32/common && $(WIN32_FLAGS) $(MAKE) libcommon.a + cd build-gpgv-win32/common && $(WIN32_FLAGS) $(MAKE) libgpgrl.a + cd build-gpgv-win32/common && $(WIN32_FLAGS) $(MAKE) libsimple-pwquery.a + cd build-gpgv-win32/kbx && $(WIN32_FLAGS) $(MAKE) libkeybox.a + cd build-gpgv-win32/g10 && $(WIN32_FLAGS) $(MAKE) gpgv.exe + strip build-gpgv-win32/g10/gpgv.exe + +override_dh_shlibdeps: +# Make ldap a recommends rather than a hard dependency. + dpkg-shlibdeps -Tdebian/dirmngr.substvars -dRecommends debian/dirmngr/usr/lib/gnupg/dirmngr_ldap -dDepends debian/dirmngr/usr/bin/dirmngr* + dh_shlibdeps -Ndirmngr diff --git a/scdaemon.examples b/scdaemon.examples new file mode 100644 index 0000000..29f41a8 --- /dev/null +++ b/scdaemon.examples @@ -0,0 +1 @@ +doc/examples/scd-event diff --git a/scdaemon.install b/scdaemon.install new file mode 100644 index 0000000..a2a79aa --- /dev/null +++ b/scdaemon.install @@ -0,0 +1 @@ +debian/tmp/usr/lib/gnupg/scdaemon diff --git a/scdaemon.lintian-overrides b/scdaemon.lintian-overrides new file mode 100644 index 0000000..b575cb1 --- /dev/null +++ b/scdaemon.lintian-overrides @@ -0,0 +1,4 @@ +# there is actually a function for interacting with the smartcard +# called "writen" that writes n octets; it is in the binary because it +# can be emitted in debug output: +scdaemon: spelling-error-in-binary usr/lib/gnupg/scdaemon writen written diff --git a/scdaemon.manpages b/scdaemon.manpages new file mode 100644 index 0000000..9efee23 --- /dev/null +++ b/scdaemon.manpages @@ -0,0 +1 @@ +debian/tmp/usr/share/man/man1/scdaemon.1 diff --git a/scdaemon.udev b/scdaemon.udev new file mode 100644 index 0000000..dd076df --- /dev/null +++ b/scdaemon.udev @@ -0,0 +1,63 @@ +# do not edit this file, it will be overwritten on update + +SUBSYSTEM!="usb", GOTO="gnupg_rules_end" +ACTION!="add", GOTO="gnupg_rules_end" + +# USB SmartCard Readers +## Cherry GmbH (XX33, ST2000) +ATTR{idVendor}=="046a", ATTR{idProduct}=="0005", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +ATTR{idVendor}=="046a", ATTR{idProduct}=="0010", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +ATTR{idVendor}=="046a", ATTR{idProduct}=="003e", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## SCM Microsystems, Inc (SCR331-DI, SCR335, SCR3320, SCR331, SCR3310 and SPR532) +ATTR{idVendor}=="04e6", ATTR{idProduct}=="5111", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +ATTR{idVendor}=="04e6", ATTR{idProduct}=="5115", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +ATTR{idVendor}=="04e6", ATTR{idProduct}=="5116", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +ATTR{idVendor}=="04e6", ATTR{idProduct}=="5117", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +ATTR{idVendor}=="04e6", ATTR{idProduct}=="e001", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +ATTR{idVendor}=="04e6", ATTR{idProduct}=="e003", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Omnikey AG (CardMan 3821, CardMan 6121) +ATTR{idVendor}=="076b", ATTR{idProduct}=="3821", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +ATTR{idVendor}=="076b", ATTR{idProduct}=="6622", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Gemalto +ATTR{idVendor}=="08e6", ATTR{idProduct}=="3437", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +ATTR{idVendor}=="08e6", ATTR{idProduct}=="3438", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +ATTR{idVendor}=="08e6", ATTR{idProduct}=="3478", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +ATTR{idVendor}=="08e6", ATTR{idProduct}=="34c2", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +ATTR{idVendor}=="08e6", ATTR{idProduct}=="34ec", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Reiner (SCT cyberJack) +ATTR{idVendor}=="0c4b", ATTR{idProduct}=="0500", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Kobil (KAAN) +ATTR{idVendor}=="0d46", ATTR{idProduct}=="2012", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## VASCO (DIGIPASS 920) +ATTR{idVendor}=="1a44", ATTR{idProduct}=="0920", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Crypto Stick +ATTR{idVendor}=="20a0", ATTR{idProduct}=="4107", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Nitrokey +ATTR{idVendor}=="20a0", ATTR{idProduct}=="4108", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +ATTR{idVendor}=="20a0", ATTR{idProduct}=="4109", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +ATTR{idVendor}=="20a0", ATTR{idProduct}=="4211", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Gnuk Token +ATTR{idVendor}=="234b", ATTR{idProduct}=="0000", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Alcor Micro Corp cardreader (in ThinkPad X250) +ATTR{idVendor}=="058f", ATTR{idProduct}=="9540", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Fujitsu Siemens +ATTR{idVendor}=="0bf8", ATTR{idProduct}=="1006", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Yubico +# Yubikey NEO OTP+CCID +ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0111", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey NEO CCID +ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0112", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey NEO U2F+CCID +ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0115", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey NEO OTP+U2F+CCID +ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0116", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey 4 CCID +ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0404", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey 4 OTP+CCID +ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0405", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey 4 U2F+CCID +ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0406", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey 4 OTP+U2F+CCID +ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" + +LABEL="gnupg_rules_end" diff --git a/source/format b/source/format new file mode 100644 index 0000000..163aaf8 --- /dev/null +++ b/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/source/lintian-overrides b/source/lintian-overrides new file mode 100644 index 0000000..b5221c7 --- /dev/null +++ b/source/lintian-overrides @@ -0,0 +1,4 @@ +# doc merely references / cites IETF RFC: +gnupg2 source: license-problem-non-free-RFC doc/OpenPGP +gnupg2 source: license-problem-non-free-RFC debian/copyright + diff --git a/source/options b/source/options new file mode 100644 index 0000000..f0f8ede --- /dev/null +++ b/source/options @@ -0,0 +1,3 @@ +# let dpkg-source create a debian.tar.bz2 with maximal compression +compression = "bzip2" +compression-level = 9 diff --git a/systemd-user/gpg-agent-browser.socket b/systemd-user/gpg-agent-browser.socket new file mode 100644 index 0000000..67690ce --- /dev/null +++ b/systemd-user/gpg-agent-browser.socket @@ -0,0 +1,13 @@ +[Unit] +Description=GnuPG cryptographic agent (access for web browsers) +Documentation=man:gpg-agent(1) + +[Socket] +ListenStream=%t/gnupg/S.gpg-agent.browser +FileDescriptorName=browser +Service=gpg-agent.service +SocketMode=0600 +DirectoryMode=0700 + +[Install] +WantedBy=sockets.target diff --git a/tests/control b/tests/control new file mode 100644 index 0000000..9178821 --- /dev/null +++ b/tests/control @@ -0,0 +1,3 @@ +Tests: gpgv-win32 +Depends: gpgv-win32, gnupg2, gpgv2 +Restrictions: needs-root, allow-stderr diff --git a/tests/gpgv-win32 b/tests/gpgv-win32 new file mode 100755 index 0000000..3142a65 --- /dev/null +++ b/tests/gpgv-win32 @@ -0,0 +1,54 @@ +#!/bin/sh + +set -e + +export GNUPGHOME=$(mktemp -d) + +arch=$(dpkg --print-architecture) + +case "$arch" in + amd64) + if ! dpkg --print-foreign-architectures | grep -Fqx i386; then + echo "I: setting up multiarch" + dpkg --add-architecture i386 + apt update # FIXME you might want to try this up to some N times to avoid failures on temporary network issues + fi + ;; + arm64) + if ! dpkg --print-foreign-architectures | grep -Fqx armhf; then + echo "I: setting up multiarch" + dpkg --add-architecture armhf + apt update # FIXME you might want to try this up to some N times to avoid failures on temporary network issues + fi + ;; + i386|armel|armhf|powerpc) + : nothing, tests should just work + ;; + *) + echo "I: skipping tests on $arch; only works on amd64, i386, arm64, armhf, armel, and powerpc" + exit + ;; +esac + +if ! dpkg-query --status wine32 | grep -Fqx 'Status: install ok installed'; then + DEBIAN_FRONTEND=noninteractive apt install -qy wine32 # FIXME ditto +fi + +echo 'no-allow-loopback-pinentry:16' | gpgconf --change-options gpg-agent + +# Generate a minimal signing key: +gpg2 --batch --debug-quick-random --pinentry-mode loopback --passphrase '' --quick-gen-key 'Test key for gpgv-win32 ' + +gpg2 -o "$GNUPGHOME/key.gpg" --export test-key@example.com + +# Sign this very script +rm -f "${0}.gpg" +gpg2 --output "${0}.gpg" --detach-sign "${0}" + +# Verify using gpgv +gpgv2 --keyring "$GNUPGHOME/key.gpg" "${0}.gpg" "${0}" + +# Verify using gpgv.exe +wine /usr/share/win32/gpgv.exe --keyring "Z:\\\\${GNUPGHOME}/key.gpg" "Z:\\\\$(pwd)/${0}.gpg" "Z:\\\\$(pwd)/${0}" + +rm -rf "$GNUPGHOME" diff --git a/upstream/signing-key.asc b/upstream/signing-key.asc new file mode 100644 index 0000000..1e57599 --- /dev/null +++ b/upstream/signing-key.asc @@ -0,0 +1,109 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2 + +mQENBE0ti4EBCACqGtKlX9jI/enhlBdy2cyQP6Q7JoyxtaG6/ckAKWHYrqFTQk3I +Ue8TuDrGT742XFncG9PoMBfJDUNltIPgKFn8E9tYQqAOlpSA25bOb30cA2ADkrjg +jvDAH8cZ+fkIayWtObTxwqLfPivjFxEM//IdShFFVQj+QHmXYBJggWyEIil8Bje7 +KRw6B5ucs4qSzp5VH4CqDr9PDnLD8lBGHk0x8jpwh4V/yEODJKATY0Vj00793L8u +qA35ZiyczUvvJSLYvf7STO943GswkxdAfqxXbYifiK2gjE/7SAmB+2jFxsonUDOB +1BAY5s3FKqrkaxZr3BBjeuGGoCuiSX/cXRIhABEBAAG0Fldlcm5lciBLb2NoIChk +aXN0IHNpZymJAT4EEwECACgFAk0ti4ECGwMFCRDdnwIGCwkIBwMCBhUIAgkKCwQW +AgMBAh4BAheAAAoJECSbOdJPJeO2PlMIAJxPtFXf5yozPpFjRbSkSdjsk9eru05s +hKZOAKw3RUePTU80SRLPdg4AH+vkm1JMWFFpwvHlgfxqnE9rp13o7L/4UwNUwqH8 +5zCwu7SHz9cX3d4UUwzcP6qQP4BQEH9/xlpQS9eTK9b2RMyggqwd/J8mxjvoWzL8 +Klf/wl6jXHn/yP92xG9/YA86lNOL1N3/PhlZzLuJ6bdD9WzsEp/+kh3UDfjkIrOc +WkqwupB+d01R4bHPu9tvXy8Xut8Sok2zku2xVkEOsV2TXHbwuHO2AGC5pWDX6wgC +E4F5XeCB/0ovao2/bk22w1TxzP6PMxo6sLkmaF6D0frhM2bl4C/uSsq5AQ0ETS2L +gQEIAKHwucgbaRj0V7Ht0FnM6RmbqwZ7IFV2lR+YN1gkZaWRRCaJoPEZFKhhPEBX +1bDVwr/iTPaPPEtpi7oQoHk65yeLrhtOmXXpNVkV/5WQjAJIrWn+JQ3z/ZejxHUL +hzKsGg5FC6pRYcEyzRXHtv4BO9kBIKNVirZjEkQG4BnIrQgl6e2YFa47GNMqcQH7 +nJdwG1cGQOZOIDQQM41gBzwoSrStMA6DjHkukFegKfcSbSLArBtYNAwTwmW7RqOM +EJwlo0+NYx2Yn75x66bYwdlsP0FLOgez/O/IxoPRxXr0l4e+uj6dFHqvBi04dx6J +sPmXEyeAyLiCWSh7Rwq8uIhBUBUAEQEAAYkBJQQYAQIADwUCTS2LgQIbIAUJEN2f +AgAKCRAkmznSTyXjtrsSCACRNgfGkD0OqOiwYo1/+KyWnrQLusVvSYOw8hN66geU +3BO8iQ0Koy+m0QKY1kWjaHwewpg8ZebY4E2sHbNIC9Spyiyz29sAJ2invf4/4Mep +TgpxNiw4+XmykCkN1AfVhvMTQXMzRbO5ZwRtPpjsMr1j5vX1s6U3/RxSAItpAkCu +1GGTTOH0r12Ochc/um+QGAyO6WUj/IiZ1MX7toXW0SCo8DSl8z5Q7KmJWF6TQLK1 +Lku4bIVG1Huwo1/0WHc2vCad5BxHjgoy8TsKLTmvYQZWtnjWvQGV2UOABYWcacut +ZXQQ2PPCIY7LlpuS/45CXWbT5Y+mxY3y7dbz4aF+8uyCiJwEEAECAAYFAk0tjQQA +CgkQU7Yg0BzgxjBGTwQAi5qzI6cJslbyOl+TeDZVnLV0FmPuDg8dojvQrVDPxfem +IjxZZoMLCVM8ly8AC2JPrIYfN040C343saIc0tTtOwwmVMuy7G/Uex22CdWH/0HB +MpG4gFuOuQmW9QQDjEdh1DgwU2gAWonX54ZlMybWss+2NCikRwMflVUupH57BauZ +AQ0EVFA7IwEIAOYQcDfRdzqin/vZlwl1AyuJW+cDI3bYvesRtOIAJ+8FqOzp+nOZ +7a4mULkXUeRh3HcO91wughXoR3qP3klWIlqgTQQHxPVM25BEvnGPuMA86lWnKoSs +Xe9F5h0IMiu6aURvzMJC9VMgKwhhgCjejFf9n8zuiBkMN457Ubnt/9jxhpxmorDQ +Cpb7bR1mfdbsuCmOXwTNfbkAoGXceL/P6z9PskKrFk8CVCr8pseRiHzWgib4Bfr/ +mj68LKcQTH/Y6R16g154eC6PAvxrEDA+hgpVX0I7L781Byh9nqC+KDX5LvlGuQbg +B2IvrgLs6lfU3aRfTwqUDMj37rmXJTDy3TMAEQEAAbQyTklJQkUgWXV0YWthIChH +bnVQRyBSZWxlYXNlIEtleSkgPGduaWliZUBmc2lqLm9yZz6JATwEEwEIACYFAlRQ +OyMCGwMFCQPCZwAFCwcICQMEFQgJCgUWAgMBAAIeAQIXgAAKCRAgcbCKM70/BnX/ +CADQspqXXAVlrwU9SidzYbPAT1iGRmIkHwoD9rtPr/9xbg3jr8azCKpknE3VF0qz +UH6unsQwxTduGhey0sFwhi96WOqHiU8FYKxNPb786nACaCfOOB1MdymcIxMQ51mS +0PlIqtOPa1VpZcCVYr9SwQRqcDdy/Oh/Ljifuub4Shrs/VgYIcv74iGyLroSVt6G +KVNP/HFyQddSOLVcO+hqAQQ0QeTmPhnaaFa2OcZyW+6IGRLhd7N7M0xb988DKllf +huRRE1sZ3yO2RvcSq35u/5lChID5SS/wA9oDOPyVFLD4JiMPGmgzSO2aI+uT678O +jjoI5UD8hfbZpg1PZjYqhYlXuQENBFRQOyMBCAC94CWuMHLmP1B7oFxU0FjKv3D6 +RTpLSLqC/nqRWeKVdlSddR4LnO/r9ahRsGgekAEVyeD04SKAD7g3OWMhWvEsK6aY +gmzc0cLJCJRTsLW+X7kRWo33KUAKIpKYO8VF8iErWejajvo5UgN3y1V/anqlBU45 +DalLk/mu6JXOr6t7u83+IscTrFQTkW17wOxoc6i9zDOU1FoWZFyNU+hxpPCGndfn +S25qzaEpb1qzxYoHpyttCkGX4R3siX6gAkRLIPhsYK4sZihBZhTBgHdAVYSYkCrK +hRNWoSb3XpUhdT5l88uPozwxXruXmzk6WCv6ZdCJ+0rGShwJjU1j6g+Fksk9ABEB +AAGJASUEGAEIAA8FAlRQOyMCGwwFCQPCZwAACgkQIHGwijO9Pwbgqwf7BfdPgAkx +Mrt0BJeLJu1ItnCQ4cZ8rbuS5gwAxrY80QXDoJquwRWs1AXaBu0VW+9KvWdp0uhQ +b0Wy7fv40rRtC+T8nuE/1jaf2byMIfQwPVp3ODH+O3WZew1KvrQZquDKimgHxRso +WH5vq2VjohI8oQuQNN8AYeyxYo74eB8+3WfUrdw4MYiJcKd20MjoZZS16Klb99qm +LVZfE/dt/+wwZYFB7cpb5vvvE1voqS+ycD2Rt0irRg6ulw7OXoUrJ25sfkrv9otD +omDl9V//pyJZSp+IiwK4r0xnk8sjXHgXkzUdIyS0AB17Aw1+G2sbUKyX/SdOgzN7 +D8qEd3C7n53TwpkBDQRUUF8HAQgAh1mo8r+kVWVTNsNlyurm2tdZKiQbdeVgpBgc +DnqI3fAV58C3nC8DVuK5qVGZPB/jbu42jc8BXGP1l6UP+515LQL5GpTtV0pRWUO0 +2WOuTLZBVQcq53vzbg1xVo31rWV96mqGAPs8lGUCm09fpuiVKQojO6/Ihkg7/bnz +eSbcX5Xk9eKLhyB7tnakuYJeRYm4bjs+YDApK8IFQyevYF8pjTcbLTSNJPW9WLCs +ozsy11r4xdfRcTWjARVz5VzTnQ+Px8YtsnjQ3qwNJBpsqMLCdDN7YGhh/mlwPjgd +q/UFf5+bY6f3ew0vshBqInBQycBSmYyoX0Ye3sAS/OR4nu5ZaQARAQABtD5EYXZp +ZCBTaGF3IChHbnVQRyBSZWxlYXNlIFNpZ25pbmcgS2V5KSA8ZHNoYXdAamFiYmVy +d29ja3kuY29tPokBPgQTAQIAKAUCVFBfBwIbAwUJCbp27gYLCQgHAwIGFQgCCQoL +BBYCAwECHgECF4AACgkQBDdvPuCFaVmIoQf+POxCWkCTicRVlq0kust/iwYO1egK +9FWG130e2Irnv2lAZZN/0S5ibjHCYFp9gfMgmtVTF5oWXjSDAy/kIykQBBcUVx4S +CJbdMtKSdsSIQMz6P4DxXumxQm79msOsbi5TsdtUwjqdrbu2sHloE7ck/hTXUCkX +3zuqtxY7W23BCQxVVT5qUaFuAHkkQaaBgAb8gdgixmkIBfu9u8k3k9zUKm/PNfMj +xClvORkP8gev+XyzNgcXM49h5YYlmDT+Ahv99nUM1wg8yJTjefBAY0fL982Scx30 +nDQO3w7ihALUoj5+TXQjhs3sWPJ8u3pstr9XcfzEZC77/CZmRYNr8g5hBrkBDQRU +UF8HAQgAodT0id+C6PMV7C8JxE8POGvX2wA6QLw29ESO0Ws8+Jq9EPQ3114mH+sC ++kDsweCDMyaY34i8gvh6hWxG9JfZmSkRUv0QX2zvlcwr8SOZ9dXzrV7ip+QgpzO2 +2eYRnH/RB+KWfFzqSop51sd1Uls41qKphDEm/ZAnnTwxYWX6jElOCpIuemTAiSxp +qtjPXVftchSEy06/bDRFuC4FevfU5aWTg3FSZEZpk0KF5RZBdzvOfX9PwHf2Fxhg +QtLkAsdvvWzDToYD0qOecM/MGt1doryBo8IkAiHJ+TRNyVi6/fAq/rig3brF5ETG +N7W5IRRGoLetY++4YO+1gY7Ea+1tZwARAQABiQElBBgBAgAPBQJUUF8HAhsgBQkJ +unbuAAoJEAQ3bz7ghWlZ6PAH/iTMC5+H/Ynj7G1KOjhyoufPoM+j+g4Ec8RmEA6v +YOWIi8F4AU86iS6Sq2HkZXSKxLgAYbWuseFHS6QA/qZPDPdIv8TceE3jMW3ZEmmm +nCsS6cmkQhpjRCKuWGfaOyZIEV2BT6Ere+MU5jU+wRqkbJGk1BS8myQHkZRN/5dg +fo5syFYKY4T64Z7DvlbQF70cCARlsIwk4lN6QJ/iqaHR9c2sWtzHfxAvdctApdg5 +w8GRcEpdDMieejha/lBMRTYVWY1vrEg++mkkhvCOkBilDFFCVojOnSdTJy7dNZji +BlEFwlmcjLq984C5FRwj5+eN0Bev5hZsWobLeRqt8QOGMlG5AQ0EVFBfBwEIAK4b +kUPSxSlmE8GHAI4FNQDA+QZzIvLPpf1p5JqFULpJeelwfVtbj6qOfPKwXVvam0yH +OiyrMnffdlZ/6+QXjP665RdbsPzEDPxCH972eGmdw8yV95wmPCVaoyBTH9XBDTX2 +52h0vPjgcbbOLUvUuYBV8C74ir6ESoA20g/rjYEGjJ/UAtgBGIfMo0Vk2Qc6/7wx +M3jNPxUc/6h5oiggUkgdbFcgzC2sOAUj3nJ0CS01dNPJuAlGPRjig9o61/PiumSO +Vy98efAetsjLLS00ysAmjxj7eFuxnf73TJOyAItKZPv3i7K4LIgMZXwL71Ox00zU +dzm6H+/JomSorqtLlOUAEQEAAYkBJQQYAQIADwUCVFBfBwIbDAUJCbp27gAKCRAE +N28+4IVpWbkxB/0azsvpA9eJPr6oNu3Iw4aCvLQi9I2jodGXpsNg3GN+ATp3PKMi +21KsneqkYXzwxY+27HAwNSQEmMeyOh37nkPXJMlBgJ0+aV7J2nAj3as310gnV3kY +Id8NXvLi+YLngqfTyQpxedDhBeSyTYLAP96mDtUuGFQ9/TWBF0wjZkBqFllnsmmU +Cs9lMmdaFUk1cT1/R1vwiGz1mAaUzyP2NNUnXsoE25TkeXg+Kf95QkxS0C3C9S+c +A4jCCHXEuGFxMe4+6IbubsVepIUFrlzbUaYpYB8lwFQutoSJ1qLc2jFcW00Qy2Z2 +SOVYJ5oyMhZNei0ZFsgQ9tp2PhtICjm5JfvPmQENBFRDqVIBCAC0k8eZKDmNqdma +wOlJ/m62L2g8uXT/+/vAEGb1yaib09xI6tfGXzbqlDwrLIZcJsSIT/nt/ajJnIVb +c3137va4XbwMzsDpAMH4mmiToqk+izEChGm2knzrLwhoflR8aGsKL35QoZT/erdj +fgPeCRLvf25fHsN2Jb0WIMzC56VkMeFoza+9HZ5hrkemmm+gPvIvhEUopxCyOS8m +K5WjB4zzIdyDJfkqVpHvafNP0N4LIsedKdyHcj/K3kY4Kejl99GW1z1snBgPamoN +2/e52Pf6KTw2FjsSGZ72oalcrkBR4wacUizGxKcRD2Y6Xa0g9mwToWdNBQCIII+u +TzOzq1EDABEBAAG0IVdlcm5lciBLb2NoIChSZWxlYXNlIFNpZ25pbmcgS2V5KYkB +PQQTAQgAJwUCVEOpUgIbAwUJC6oF9QULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAK +CRCKhhscfv1g2aH7B/wIW6mVmTmzW2xc1q1MUdssExQBhEeONrbWJ/HiGZP/Maab +gQ/+wZuThTAwfGM5zFQBOvrBOGURhINU6lYQlcOrVo+V8Z1mNQKFWaKxJaY5Ku1b +B1OuX9FHLEiMibogHu5fjJIXBE8XrnvueejyFQ5g/uX2xcGgCWlMe49sR3K+lEl3 +n93xTmSNhP52r0gTjMjbqKWKUaIGJ5OcWSrvawdfqLXkxR8phq2AlHHEfxpcZsOp +9mZirWYQ5jcgGgFP0LYXUw/RnxFpOcrj45qufmyEL9QJKjBV5RaHJbqukefwUInP +QtVUmINqQxztSh5QxQP2tsUPIeEi5RAoCwLJam8z +=PXPh +-----END PGP PUBLIC KEY BLOCK----- diff --git a/watch b/watch new file mode 100644 index 0000000..e6d36a1 --- /dev/null +++ b/watch @@ -0,0 +1,5 @@ +version=4 + +opts=pgpsigurlmangle=s/$/.sig/ \ + https://gnupg.org/ftp/gcrypt/gnupg/gnupg@ANY_VERSION@@ARCHIVE_EXT@ \ + debian uupdate -- 2.30.2