From 5224d4728f3e1ad295928e170046a17096128686 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor
Date: Tue, 3 Jan 2017 20:39:52 +0000
Subject: [PATCH] Import gnupg2_2.1.17-3.debian.tar.bz2
[dgit import tarball gnupg2 2.1.17-3 gnupg2_2.1.17-3.debian.tar.bz2]
---
NEWS | 8 +
Xsession.d/90gpg-agent | 21 +
changelog | 1890 +++++++++++++++++
clean | 8 +
compat | 1 +
control | 323 +++
copyright | 233 ++
dirmngr.NEWS | 39 +
dirmngr.README.Debian | 48 +
dirmngr.docs | 4 +
dirmngr.install | 7 +
dirmngr.maintscript | 5 +
dirmngr.manpages | 2 +
gbp.conf | 33 +
gnupg-agent.NEWS | 9 +
gnupg-agent.README.Debian | 55 +
gnupg-agent.examples | 2 +
gnupg-agent.install | 12 +
gnupg-agent.links | 2 +
gnupg-agent.manpages | 5 +
gnupg-l10n.install | 2 +
gnupg.README.Debian | 44 +
gnupg.docs | 9 +
gnupg.examples | 1 +
gnupg.info | 3 +
gnupg.install | 13 +
gnupg.manpages | 11 +
gnupg2.links | 2 +
gpg-check-pattern.1 | 35 +
gpg-zip.1 | 102 +
gpgsm.install | 1 +
gpgsm.manpages | 1 +
gpgsplit.1 | 41 +
gpgv-static.1 | 32 +
gpgv-static.install | 1 +
gpgv-static.lintian-overrides | 3 +
gpgv-static.manpages | 1 +
gpgv-udeb.install | 1 +
gpgv-win32.install | 1 +
gpgv.install | 1 +
gpgv.manpages | 1 +
gpgv2.links | 2 +
kbxutil.1 | 62 +
lspgpot.1 | 22 +
migrate-pubring-from-classic-gpg | 76 +
migrate-pubring-from-classic-gpg.1 | 50 +
...012-gpgscm-Guard-use-of-union-member.patch | 27 +
...dirmngr-Fix-for-disable-libdns-usage.patch | 74 +
...ot-zone-suffix-from-libdns-cname-res.patch | 43 +
...rning-that-DNS-is-not-routed-via-Tor.patch | 29 +
...-warnings-to-detect-non-portable-cod.patch | 32 +
...eplace-use-of-variable-length-arrays.patch | 179 ++
...g-message-on-correctly-initialized-l.patch | 39 +
...e-Tor-mode-is-also-set-for-DNS-on-SI.patch | 170 ++
...gr-s-allow-version-check-description.patch | 30 +
...announcement-pointers-to-NEWS-entrie.patch | 460 ++++
...-g10-avoid-warning-when-disable-tofu.patch | 27 +
...pgv-in-the-description-of-gpg-verify.patch | 30 +
...024-Silence-two-Wlogical-op-warnings.patch | 48 +
...ocument-summary-values-of-TOFU_STATS.patch | 36 +
...Avoid-simple-memory-dumps-via-ptrace.patch | 60 +
.../0001-avoid-beta-warning.patch | 44 +
...erating-defsincdate-use-shipped-file.patch | 37 +
...d-potential-race-condition-when-some.patch | 77 +
...rngr-Avoid-need-for-hkp-housekeeping.patch | 228 ++
...automatically-checking-upstream-swdb.patch | 45 +
...05-dirmngr-Drop-useless-housekeeping.patch | 199 ++
...Create-framework-of-scheduled-timers.patch | 192 ++
...ads-to-interrupt-main-select-loop-wi.patch | 101 +
...Avoid-tight-timer-tick-when-possible.patch | 87 +
...duled-checks-on-socket-when-inotify-.patch | 26 +
patches/series | 25 +
rules | 67 +
scdaemon.examples | 1 +
scdaemon.install | 1 +
scdaemon.lintian-overrides | 4 +
scdaemon.manpages | 1 +
scdaemon.udev | 46 +
source/format | 1 +
source/lintian-overrides | 4 +
source/options | 3 +
systemd-user/gpg-agent-browser.socket | 13 +
tests/control | 3 +
tests/gpgv-win32 | 54 +
upstream/signing-key.asc | 109 +
watch | 5 +
86 files changed, 5882 insertions(+)
create mode 100644 NEWS
create mode 100644 Xsession.d/90gpg-agent
create mode 100644 changelog
create mode 100644 clean
create mode 100644 compat
create mode 100644 control
create mode 100644 copyright
create mode 100644 dirmngr.NEWS
create mode 100644 dirmngr.README.Debian
create mode 100644 dirmngr.docs
create mode 100644 dirmngr.install
create mode 100644 dirmngr.maintscript
create mode 100644 dirmngr.manpages
create mode 100644 gbp.conf
create mode 100644 gnupg-agent.NEWS
create mode 100644 gnupg-agent.README.Debian
create mode 100644 gnupg-agent.examples
create mode 100644 gnupg-agent.install
create mode 100644 gnupg-agent.links
create mode 100644 gnupg-agent.manpages
create mode 100644 gnupg-l10n.install
create mode 100644 gnupg.README.Debian
create mode 100644 gnupg.docs
create mode 100644 gnupg.examples
create mode 100644 gnupg.info
create mode 100644 gnupg.install
create mode 100644 gnupg.manpages
create mode 100644 gnupg2.links
create mode 100644 gpg-check-pattern.1
create mode 100644 gpg-zip.1
create mode 100644 gpgsm.install
create mode 100644 gpgsm.manpages
create mode 100644 gpgsplit.1
create mode 100644 gpgv-static.1
create mode 100644 gpgv-static.install
create mode 100644 gpgv-static.lintian-overrides
create mode 100644 gpgv-static.manpages
create mode 100644 gpgv-udeb.install
create mode 100644 gpgv-win32.install
create mode 100644 gpgv.install
create mode 100644 gpgv.manpages
create mode 100644 gpgv2.links
create mode 100644 kbxutil.1
create mode 100644 lspgpot.1
create mode 100755 migrate-pubring-from-classic-gpg
create mode 100644 migrate-pubring-from-classic-gpg.1
create mode 100644 patches/0012-gpgscm-Guard-use-of-union-member.patch
create mode 100644 patches/0013-dirmngr-Fix-for-disable-libdns-usage.patch
create mode 100644 patches/0014-dirmngr-Strip-root-zone-suffix-from-libdns-cname-res.patch
create mode 100644 patches/0015-doc-Remove-warning-that-DNS-is-not-routed-via-Tor.patch
create mode 100644 patches/0016-build-Enable-gcc-warnings-to-detect-non-portable-cod.patch
create mode 100644 patches/0017-Replace-use-of-variable-length-arrays.patch
create mode 100644 patches/0018-dirmngr-New-debug-message-on-correctly-initialized-l.patch
create mode 100644 patches/0019-dirmngr-Make-sure-Tor-mode-is-also-set-for-DNS-on-SI.patch
create mode 100644 patches/0020-doc-Extend-dirmngr-s-allow-version-check-description.patch
create mode 100644 patches/0021-doc-Add-release-announcement-pointers-to-NEWS-entrie.patch
create mode 100644 patches/0022-g10-avoid-warning-when-disable-tofu.patch
create mode 100644 patches/0023-doc-Mention-gpgv-in-the-description-of-gpg-verify.patch
create mode 100644 patches/0024-Silence-two-Wlogical-op-warnings.patch
create mode 100644 patches/0025-doc-Document-summary-values-of-TOFU_STATS.patch
create mode 100644 patches/block-ptrace-on-agent/0002-Avoid-simple-memory-dumps-via-ptrace.patch
create mode 100644 patches/debian-packaging/0001-avoid-beta-warning.patch
create mode 100644 patches/debian-packaging/0003-avoid-regenerating-defsincdate-use-shipped-file.patch
create mode 100644 patches/dirmngr-idling/0001-dirmngr-hkp-Avoid-potential-race-condition-when-some.patch
create mode 100644 patches/dirmngr-idling/0002-dimrngr-Avoid-need-for-hkp-housekeeping.patch
create mode 100644 patches/dirmngr-idling/0004-dirmngr-Avoid-automatically-checking-upstream-swdb.patch
create mode 100644 patches/dirmngr-idling/0005-dirmngr-Drop-useless-housekeeping.patch
create mode 100644 patches/gpg-agent-idling/0001-agent-Create-framework-of-scheduled-timers.patch
create mode 100644 patches/gpg-agent-idling/0002-agent-Allow-threads-to-interrupt-main-select-loop-wi.patch
create mode 100644 patches/gpg-agent-idling/0003-agent-Avoid-tight-timer-tick-when-possible.patch
create mode 100644 patches/gpg-agent-idling/0004-agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch
create mode 100644 patches/series
create mode 100755 rules
create mode 100644 scdaemon.examples
create mode 100644 scdaemon.install
create mode 100644 scdaemon.lintian-overrides
create mode 100644 scdaemon.manpages
create mode 100644 scdaemon.udev
create mode 100644 source/format
create mode 100644 source/lintian-overrides
create mode 100644 source/options
create mode 100644 systemd-user/gpg-agent-browser.socket
create mode 100644 tests/control
create mode 100755 tests/gpgv-win32
create mode 100644 upstream/signing-key.asc
create mode 100644 watch
diff --git a/NEWS b/NEWS
new file mode 100644
index 0000000..0a6a744
--- /dev/null
+++ b/NEWS
@@ -0,0 +1,8 @@
+gnupg2 (2.1.11-7+exp1) experimental; urgency=medium
+
+ The gnupg package now provides the "modern" version of GnuPG.
+
+ Please read /usr/share/doc/gnupg/README.Debian for details about the
+ transition from "classic" to "modern"
+
+ -- Daniel Kahn Gillmor Wed, 30 Mar 2016 09:59:35 -0400
diff --git a/Xsession.d/90gpg-agent b/Xsession.d/90gpg-agent
new file mode 100644
index 0000000..b97c363
--- /dev/null
+++ b/Xsession.d/90gpg-agent
@@ -0,0 +1,21 @@
+# On systems with systemd running, we expect the agent to be launched
+# via systemd's user mode (see /usr/lib/systemd/user/gpg-agent.service
+# and systemd.unit(5)). This allows systemd to clean up the agent
+# automatically at logout.
+
+# If systemd is absent from your system, or you do not permit it to
+# run in user mode, then you may need to manually launch gpg-agent
+# from your session initialization with something like "gpgconf
+# --launch gpg-agent"
+
+# Nonetheless, ssh and older versions of gpg require environment
+# variables to be set in order to find the agent, so we will set those
+# here.
+
+agent_sock=$(gpgconf --list-dirs | grep ^agent-socket: | cut -d: -f2)
+export GPG_AGENT_INFO=${agent_sock}:0:1
+if [ -n "$(gpgconf --list-options gpg-agent | \
+ awk -F: '/^enable-ssh-support:/{ print $10 }')" ]; then
+ export SSH_AUTH_SOCK=${agent_sock}.ssh
+fi
+
diff --git a/changelog b/changelog
new file mode 100644
index 0000000..e83fbe1
--- /dev/null
+++ b/changelog
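Review bot: Nothing in the new Xsession.d/90gpg-agent checks that `agent_sock` is non-empty before the exports, so when `gpgconf --list-dirs` fails or prints no `agent-socket:` line the session ends up with `GPG_AGENT_INFO=:0:1` and, if ssh support is enabled, `SSH_AUTH_SOCK=.ssh`, a relative path that clients would resolve against their current directory. Guard both exports with `if [ -n "$agent_sock" ]; then … fi`. The `cut -d: -f2` also takes the field as printed, without undoing the percent-escaping gpgconf applies to its colon-delimited output, and the ssh socket name is guessed by appending `.ssh`; querying `gpgconf --list-dirs agent-socket` and, where the packaged gpgconf lists it, `agent-ssh-socket` would avoid both guesses.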
@@ -0,0 +1,1890 @@ +gnupg2 (2.1.17-3) unstable; urgency=medium + + * more bugfixes from upstream (improving but not yet closing: #849845) + + -- Daniel Kahn Gillmor Tue, 03 Jan 2017 15:39:52 -0500 + +gnupg2 (2.1.17-2) unstable; urgency=medium + + * include patches from upstream to avoid build failures on 32-bit + arches. + + -- Daniel Kahn Gillmor Sat, 24 Dec 2016 18:11:51 -0500 + +gnupg2 (2.1.17-1) unstable; urgency=medium + + * new upstream release. + + -- Daniel Kahn Gillmor Sat, 24 Dec 2016 15:39:04 -0500 + +gnupg2 (2.1.16-3) unstable; urgency=medium + + * remove -pie from hppa, kfreebsd-amd64, and x32 builds of + gpgv-static (Closes: #846889) + * import several upstream bugfix patches (Closes: #846834, #846168) + * link gnupg-agent and scdaemon with Enhances/Suggests (Closes: #833518) + + -- Daniel Kahn Gillmor Mon, 05 Dec 2016 15:34:49 -0500 + +gnupg2 (2.1.16-2) unstable; urgency=medium + + * avoid using adns, due to lack of security support (Closes: #845078) + + -- Daniel Kahn Gillmor Mon, 21 Nov 2016 09:57:26 -0500 + +gnupg2 (2.1.16-1) unstable; urgency=medium + + * New upstream version + * dropped many patches already incorporated upstream + + -- Daniel Kahn Gillmor Sun, 20 Nov 2016 23:22:49 -0500 + +gnupg2 (2.1.15-9) unstable; urgency=medium + + * Introduce gpgv-static package (Closes: #806940) + * more patches from upstream + * use adns for better DNS resolution in dirmngr + * add some import-options to + migrate-pubring-from-classic-gpg for better migration + * reorganize patches to distinguish debian variations from upstream + * set simple and easy defaults for keyservers + * help dirmngr and gpg-agent idle better in the default case + + -- Daniel Kahn Gillmor Thu, 10 Nov 2016 07:28:16 -0800 + +gnupg2 (2.1.15-8) unstable; urgency=medium + + * rename gpg-agent-restricted.socket to gpg-agent-extra.socket + (for symmetry with option names and actual sockets created) + + -- Daniel Kahn Gillmor Thu, 27 Oct 2016 13:54:53 -0400 + +gnupg2 (2.1.15-7) unstable; 
urgency=medium + + * more upstream patches + * dirmngr systemd user service is now socket-activated. + + -- Daniel Kahn Gillmor Thu, 27 Oct 2016 12:48:15 -0400 + +gnupg2 (2.1.15-6) unstable; urgency=medium + + * more upstream patches (Closes: #841437, #840680) + + -- Daniel Kahn Gillmor Wed, 26 Oct 2016 17:44:20 -0400 + +gnupg2 (2.1.15-5) unstable; urgency=medium + + * added udev rules for Fujitsu Siemens cardreader (Closes: #840312) + * mark transitional packages Multi-Arch: Foreign (closes: #840258) + * make gnupg2 binNMU-safe + * more patches from upstream + * track upstream decision-making about gpg-agent socket names + + -- Daniel Kahn Gillmor Tue, 25 Oct 2016 21:30:06 -0400 + +gnupg2 (2.1.15-4) unstable; urgency=medium + + * update debian/tests/gpgv-win32 + * more patches from upstream (Closes: #838153) + * tighten dependencies between gnupg and dirmngr (Closes: #834602) + * updated systemd user gpg-agent units for socket activation + + -- Daniel Kahn Gillmor Tue, 04 Oct 2016 17:22:30 -0400 + +gnupg2 (2.1.15-3) unstable; urgency=medium + + * Use upstream fix to avoid touching homedir during test suite + * backward compatibility for preset-passphrase and protect-tool + * add Breaks: for python3-apt too (thanks, Harald Jenny!) + * Avoid network access during tests (Closes: #836259) + * more patches from upstream + - gpgv --output now works + - fingerprint display doesn't vary with --keyid-format + - minor cleanup to scdaemon dealing with removed cards + + -- Daniel Kahn Gillmor Wed, 14 Sep 2016 17:08:58 -0400 + +gnupg2 (2.1.15-2) unstable; urgency=medium + + * restore keyid output in gpgv (Closes: #836144) + * avoid test suite failures when HOME does not exist + + -- Daniel Kahn Gillmor Wed, 31 Aug 2016 12:37:48 -0400 + +gnupg2 (2.1.15-1) unstable; urgency=medium + + * new upstream release + - blocks signals during keyring updates (Closes: #293556) + * avoid libusb on hurd. Thanks, Pino Toscano! 
(Closes: #834533) + * permissions on test suite are already fixed + * drop patches applied upstream and refresh remaining patches + * make gnupg2 reproducible by not regenerating documentation date + * make autopkgtest work with modern wine (Closes: #835976) + * wrap-and-sort -ast for cleaner diffs + * add versioned Breaks: for affected packages (Closes: #835349) + - gpgv Breaks: python-debian << 0.1.29 (addresses: #782904) + - gnupg Breaks: php-crypt-gpg <= 1.4.1-1 (addresses #835592) + - gnupg Breaks: python-apt <= 1.1.0~beta4 (addresses: #835465) + - gnupg Breaks: python-gnupg << 0.3.8-3 (addresses: #834514, #834600) + - gnupg Breaks: libgnupg-interface-perl << 0.52-3 (addresses: #834281) + - gnupg Breaks: libmail-gnupg-perl <= 0.22-1 (addresses: #835075) + - gnupg Breaks: libgnupg-perl << 0.19-1 (addresses: #834522) + + -- Daniel Kahn Gillmor Tue, 30 Aug 2016 13:19:23 -0400 + +gnupg2 (2.1.14-5) unstable; urgency=medium + + * actually ship /usr/share/doc/gnupg/README.Debian + * Release to unstable. + + -- Daniel Kahn Gillmor Fri, 12 Aug 2016 16:27:22 -0400 + +gnupg2 (2.1.14-4) experimental; urgency=medium + + * add ZeitControl card (Closes: #814584) + * three more fixes from upstream + + -- Daniel Kahn Gillmor Mon, 08 Aug 2016 12:54:21 -0400 + +gnupg2 (2.1.14-3) experimental; urgency=medium + + * cleanup debian/copyright + * update debian/watch + + -- Daniel Kahn Gillmor Wed, 03 Aug 2016 11:09:05 -0400 + +gnupg2 (2.1.14-2) experimental; urgency=medium + + * mark the gpgv binary as Priority: important, since apt depends on it + * import a bunch of fixes from upstream + * include permissioning on patched-in tests + * Breaks: some packages that expect old gpg behavior (Closes: #831500) + * remove scdaemon.service; it will be managed by gpg-agent.service + * avoid bulleted items in debian/NEWS (thanks, Lintian!) 
+ * debian/copyright: cleanup, fix URLs + * debian/control: use standard URL for Vcs-Browser + * fix spelling and grammar noticed by lintian + * avoid lintian notes about a misspelled "written" + * clean up gpgv2 Description + * break out arch-indep localization files into new gnupg-l10n package + + -- Daniel Kahn Gillmor Mon, 01 Aug 2016 17:54:59 -0400 + +gnupg2 (2.1.14-1) experimental; urgency=medium + + * New upstream release + + -- Daniel Kahn Gillmor Fri, 15 Jul 2016 01:39:25 +0200 + +gnupg2 (2.1.13-5) experimental; urgency=medium + + * dependency cleanup! + - make Recommends: strictly versioned between gnupg and {gpg-agent,dirmngr} + - make gnupg Provide: gpg and mention it in the package description + - drop mention of newpg, which has not been in debian for many releases + - gnupg2 2.0.18 predates debian wheezy, which is oldstable; drop mention + in debian/control + - drop Suggests: gnupg-doc, which does not appear to be maintained + - drop all references to gpg-idea, which has not been in debian for + several releases + - removed dependency on "dpkg (>= 1.15.4) | install-info", since that + dpkg version predates oldstable (wheezy) + + -- Daniel Kahn Gillmor Mon, 04 Jul 2016 10:13:42 -0400 + +gnupg2 (2.1.13-4) experimental; urgency=medium + + * add binutils-multiarch [!amd64 !i386] to Build-Depends-Indep: so that + we can generate win32 packages on non-x86 platforms. + + -- Daniel Kahn Gillmor Fri, 01 Jul 2016 11:30:28 -0400 + +gnupg2 (2.1.13-3) experimental; urgency=medium + + * pull bugfixes from upstream (Closes: #828109, #814584) + * should also allow for reproducible builds, with fix to + timestamps in tofu.test + * provide supervised dirmngr, gpg-agent, and scdaemon services from + systemd's user sessioniif the user wants to enable them. 
These + services should terminate at logout (Closes: #825911) + * avoid launching gpg-agent from Xsession.d since we have more robust + session management available (added NEWS entry about this change) + * gnupg-agent now Provides: gpg-agent to mitigate common confusion. + * updated dirmngr package description. + + -- Daniel Kahn Gillmor Tue, 28 Jun 2016 13:46:36 -0400 + +gnupg2 (2.1.13-2) experimental; urgency=medium + + * brown paper bag time: fix build-dep from libusb-1.0.0-dev to + libusb-1.0-0-dev + + -- Daniel Kahn Gillmor Fri, 17 Jun 2016 23:07:43 -0400 + +gnupg2 (2.1.13-1) experimental; urgency=medium + + * New upstream release + - new keyid-format "none", used by default (Closes: #826273) + * Build-depend on libusb-1.0.0-dev to ensure smartcards work (Thanks, + gniibe!) + + -- Daniel Kahn Gillmor Thu, 16 Jun 2016 18:30:36 -0400 + +gnupg2 (2.1.12-1) experimental; urgency=medium + + * New upstream release + + -- Daniel Kahn Gillmor Tue, 10 May 2016 20:58:06 -0400 + +gnupg2 (2.1.11-7+exp1) experimental; urgency=medium + + * switching over binary package names in experimental -- gnupg2 source + package now provides gnupg and gpgv + + -- Daniel Kahn Gillmor Mon, 18 Apr 2016 19:17:19 -0400 + +gnupg2 (2.1.11-7) unstable; urgency=medium + + * move to unstable + * re-enable test suites on mips and mipsel since #730846 is resolved + + -- Daniel Kahn Gillmor Mon, 18 Apr 2016 07:45:16 -0400 + +gnupg2 (2.1.11-6+exp4) experimental; urgency=medium + + * stop using help2man to fix cross-building + * ensure gpgv-win32 is properly stripped + * enable autopkgtest to run without root on systems that already have + wine32 installed + + -- Daniel Kahn Gillmor Fri, 01 Apr 2016 13:08:07 -0300 + +gnupg2 (2.1.11-6+exp3) experimental; urgency=medium + + * more cleanup on arch-dependent packages. 
+ + -- Daniel Kahn Gillmor Wed, 30 Mar 2016 03:36:18 -0400 + +gnupg2 (2.1.11-6+exp2) experimental; urgency=medium + + * avoid build failures when building only arch-dependent or only + arch-independent packages. + + -- Daniel Kahn Gillmor Wed, 30 Mar 2016 02:59:18 -0400 + +gnupg2 (2.1.11-6+exp1) experimental; urgency=medium + + * take over gpgv-win32 from gnupg 1.4 packaging + + -- Daniel Kahn Gillmor Mon, 28 Mar 2016 23:27:43 -0400 + +gnupg2 (2.1.11-6) unstable; urgency=medium + + * avoid FTBFS with patch from upstream (Closes: #814842) + * bumped standards-version to 3.9.7 (no changes needed) + + -- Daniel Kahn Gillmor Tue, 01 Mar 2016 09:36:41 +0100 + +gnupg2 (2.1.11-5) unstable; urgency=medium + + * taking over gpgv-udeb from gnupg 1.4 packaging + * debian/control: use secure transport for Vcs-* and Homepage + + -- Daniel Kahn Gillmor Thu, 04 Feb 2016 17:17:47 -0500 + +gnupg2 (2.1.11-4) unstable; urgency=medium + + * disable gpgtar, since it is causing unpredictable testsuite failures + and we don't ship it anyway. + + -- Daniel Kahn Gillmor Wed, 03 Feb 2016 11:57:57 -0500 + +gnupg2 (2.1.11-3) unstable; urgency=medium + + * trying again to get a proper dump of the gpgtar.test.log. sigh. + + -- Daniel Kahn Gillmor Thu, 28 Jan 2016 08:34:22 -0500 + +gnupg2 (2.1.11-2) unstable; urgency=medium + + * added temporary hook to view failing gpgtar test output on build + daemons since i can't replicate the failures on my own build systems. 
+ + -- Daniel Kahn Gillmor Thu, 28 Jan 2016 00:53:29 -0500 + +gnupg2 (2.1.11-1) unstable; urgency=medium + + * new upstream release + - drops buggy attempt to detect duplicate keys (Closes: #807819) + * removed -dbg package, since we have automatic -dbgsym packages now + * removed undocumented gpgkey2ssh; use gpg --export-ssh-key instead + + -- Daniel Kahn Gillmor Mon, 25 Jan 2016 15:29:25 -0500 + +gnupg2 (2.1.10-3) unstable; urgency=medium + + * avoid infinite loop when doing --gen-revoke by fingerprint + + -- Daniel Kahn Gillmor Sat, 12 Dec 2015 16:53:40 -0500 + +gnupg2 (2.1.10-2) unstable; urgency=medium + + * actually use sks-keyservers CA by default if the user asks for + hkps://hkps.pool.sks-keyservers.net + * move ownership of some files in /usr/share/gnupg2/ to more appropriate + owners like gpgsm and dirmngr. + + -- Daniel Kahn Gillmor Fri, 11 Dec 2015 17:06:10 -0500 + +gnupg2 (2.1.10-1) unstable; urgency=medium + + * new upstream release + * ship sks-keyservers.netCA.pem in dirmngr to make it easier to use hkps. 
+ * avoid shipping Changelog-2011, use upstream ChangeLog (Closes: + #803225) + + -- Daniel Kahn Gillmor Wed, 09 Dec 2015 12:05:42 -0500 + +gnupg2 (2.1.9-1) unstable; urgency=medium + + * New upstream release + + -- Daniel Kahn Gillmor Tue, 13 Oct 2015 10:04:33 -0400 + +gnupg2 (2.1.8-2) UNRELEASED; urgency=medium + + [ NIIBE Yutaka ] + * update scdaemon dependencies + + [ Daniel Kahn Gillmor ] + * correct ssh fingerprint for ECDSA nistp384 (Closes: #795636) + + -- Daniel Kahn Gillmor Thu, 17 Sep 2015 00:00:28 -0400 + +gnupg2 (2.1.8-1) unstable; urgency=medium + + * New upstream release + + -- Daniel Kahn Gillmor Thu, 10 Sep 2015 17:00:06 -0400 + +gnupg2 (2.1.7-2) unstable; urgency=medium + + * upload to unstable + + -- Daniel Kahn Gillmor Tue, 11 Aug 2015 21:24:18 -0400 + +gnupg2 (2.1.7-1) experimental; urgency=medium + + * new upstream release + * block ptrace connections to gpg-agent + + -- Daniel Kahn Gillmor Tue, 11 Aug 2015 20:05:38 -0400 + +gnupg2 (2.1.6-1) experimental; urgency=medium + + * new upstream release + * drop deprecated gpgsm-gencert.sh + + -- Daniel Kahn Gillmor Tue, 07 Jul 2015 14:27:23 -0400 + +gnupg2 (2.1.5-2) experimental; urgency=medium + + [ Daniel Kahn Gillmor ] + * pass DBUS_SESSION_BUS_ADDRESS through to the agent so that + pinentry-gnome3 can work across sessions. + * ensure that l10n files are rebuilt. + + [ Eric Dorland ] + * debian/patches/0003-Include-defs.inc-in-BUILT_SOURCES.patch: Fix for + build failure when rebuilding info docs. + + -- Daniel Kahn Gillmor Tue, 30 Jun 2015 18:13:58 -0400 + +gnupg2 (2.1.5-1) experimental; urgency=medium + + * New upstream release + + -- Daniel Kahn Gillmor Thu, 11 Jun 2015 13:18:56 -0400 + +gnupg2 (2.1.4-2) experimental; urgency=medium + + * avoid excess dependencies on headless servers (Closes: #753163) + + -- Daniel Kahn Gillmor Wed, 03 Jun 2015 14:12:49 -0400 + +gnupg2 (2.1.4-1) experimental; urgency=medium + + * New upstream release. 
+ + -- Daniel Kahn Gillmor Thu, 28 May 2015 00:25:55 -0400 + +gnupg2 (2.1.3-1) experimental; urgency=medium + + * New upstream version. + * Add gnupg2-dbg (Closes: #781631) + + -- Daniel Kahn Gillmor Wed, 01 Apr 2015 12:10:38 -0400 + +gnupg2 (2.1.2-2) experimental; urgency=medium + + * Fix segv due to NULL value stored as opaque MPI. + + -- Daniel Kahn Gillmor Sat, 21 Feb 2015 10:26:50 -0500 + +gnupg2 (2.1.2-1) experimental; urgency=medium + + * New upstream version + * move from automake1.11 to plain automake (upstream uses 1.14 now) + + -- Daniel Kahn Gillmor Thu, 12 Feb 2015 20:10:43 -0500 + +gnupg2 (2.1.1-1) experimental; urgency=medium + + * New upstream version (closes: #772654) + * gnupg2 now Breaks: older versions of dirmngr (closes: #769460) + + -- Daniel Kahn Gillmor Tue, 16 Dec 2014 14:58:06 -0500 + +gnupg2 (2.1.0-1) experimental; urgency=medium + + * import upstream 2.1.0 release. + * drop debian/patches/speed-up-test-suite.patch -- included upstream. + * avoid self-reporting as a beta now that this is a release + + -- Daniel Kahn Gillmor Thu, 06 Nov 2014 12:31:06 -0500 + +gnupg2 (2.1.0~beta895-3) experimental; urgency=medium + + * update gnupg-agent.xsession to export ssh-agent where + configured. (Closes: #767341) + * use cheap/fast entropy for the test suite so that builds on + low-entropy machines go faster. + + -- Daniel Kahn Gillmor Thu, 30 Oct 2014 13:37:08 -0400 + +gnupg2 (2.1.0~beta895-2) experimental; urgency=medium + + * added pkg-config to Build-Depends. 
+ + -- Daniel Kahn Gillmor Wed, 29 Oct 2014 18:36:27 -0400 + +gnupg2 (2.1.0~beta895-1) experimental; urgency=medium + + * new upstream version in experimental (Closes: #762844, #751266, #762844) + * ship /usr/bin/gpgparsemail (Closes: #760575) + * document that doc/OpenPGP is not actually an RFC, but just refers to + one (closes: #745410) + * Bump Standards-Version to 3.9.6 (no changes needed) + * --enable-large-secmem to ensure that gpg2 works with pre-generated + oversized RSA keys + * updated /etc/X11/Xsession.d/90gpg-agent to export $GPG_AGENT_INFO + about the standard socket. + + -- Daniel Kahn Gillmor Wed, 29 Oct 2014 17:53:06 -0400 + +gnupg2 (2.0.28-3) unstable; urgency=medium + + * pass DBUS_SESION_BUS_ADDRESS to the agent for gnome3. + + -- Daniel Kahn Gillmor Sat, 04 Jul 2015 14:21:41 -0400 + +gnupg2 (2.0.28-2) unstable; urgency=medium + + * d/clean: drop stamp-po to rebuild l10n (Closes: #788989) + + -- Daniel Kahn Gillmor Tue, 30 Jun 2015 17:17:11 -0400 + +gnupg2 (2.0.28-1) unstable; urgency=medium + + * new upstream release + * really address excess dependencies on headless server (thanks Raphaël + Halimi for noticing) (Closes: #753163) + + -- Daniel Kahn Gillmor Tue, 02 Jun 2015 12:16:57 -0400 + +gnupg2 (2.0.27-2) unstable; urgency=medium + + * import upstream fix to avoid replicating unknown subkey + packets. (Closes: #787045) (Thanks, NIIBE Yutaka) + + -- Daniel Kahn Gillmor Thu, 28 May 2015 00:55:51 -0400 + +gnupg2 (2.0.27-1) unstable; urgency=medium + + * New upstream release. + * Provide a simple way for users to avoid gpg-agent hijacking, + working around: #760102 (Closes: #753163) + + -- Daniel Kahn Gillmor Fri, 08 May 2015 18:15:15 -0400 + +gnupg2 (2.0.26-6) unstable; urgency=medium + + * Avoid NULL dereference with opaque MPI. 
+ + -- Daniel Kahn Gillmor Sat, 21 Feb 2015 18:01:40 -0500 + +gnupg2 (2.0.26-5) unstable; urgency=medium + + * import bug-fixes from upstream + (Closes: #773415, #773469, #773471, #773472, #773423) + * Fixes CVE-2015-1606 "Use after free, resulting from failure to skip + invalid packets", CVE-2015-1607 "memcpy with overlapping ranges, + resulting from incorrect bitwise left shifts" (Closes: #778577) + + -- Daniel Kahn Gillmor Mon, 16 Feb 2015 17:45:06 -0500 + +gnupg2 (2.0.26-4) unstable; urgency=medium + + [ David Prévot ] + * Update POT and PO files, and ensure the translations get rebuild + * Update French translation (Closes: #769574) + * Update Ukrainian translation, thanks to Yuri Chornoivan + * Update German translation, thanks to Werner Koch + * Update Danish translation, thanks to Joe Hansen + * Update Japanese translation, thanks to NIIBE Yutaka + * Update Chinese (traditional) translation, thanks to Jedi Lin + * Update Russian translation, thanks to Ineiev + * Update Polish translation, thanks to Jakub Bogusz + * Update Spanish translation, thanks to Manuel "Venturi" Porras Peralta + (Closes: #770727) + * New Dutch translation, thanks to Frans Spiesschaert (Closes: #770981) + + [ Daniel Kahn Gillmor ] + * bugfix and cryptographic safety changes imported from upstream: + - Avoid regression when adding subkeys with strong s2k algorithms + (Closes: #772780) Thanks, NIIBE Yutaka + - Allow french translation to work when prompting for passphrase. 
+ - add build and runtime support for larger RSA keys (Closes: #739424) + - fix runtime errors on bad input (Closes: #771987) + - deprecate insecure one-argument variant for gpg --verify of detached + signatures (Closes: #771992) + - initialize trustdb before trying to clear it (Closes: #735363) + - default to issuing SHA256 signatures for RSA + - avoid relying on MD5 signatures + - show v3 key fingerprints as all zero (OpenPGPv3 is deprecated) + + -- Daniel Kahn Gillmor Sun, 04 Jan 2015 17:17:00 -0500 + +gnupg2 (2.0.26-3) unstable; urgency=medium + + * fix typo in gpg.info (closes: #760273) + * drop versioned Build-Conflicts on automake by setting environment + variables in debian/rules + * ship /usr/bin/gpgparsemail (closes: #760575) + * warn but don't fail when scdaemon options are in ~/.gnupg/gpg.conf + (closes: #762844) + * do not break on --trust-model=always (closes: #751266) + * document that doc/OpenPGP is not actually an RFC, but just refers to + one (closes: #745410) + * Bump Standards-Version to 3.9.6 (no changes needed) + + -- Daniel Kahn Gillmor Tue, 30 Sep 2014 23:39:15 -0400 + +gnupg2 (2.0.26-2) unstable; urgency=medium + + * ignore emacs turds in debian/ + * update Vcs fields + * move package to group maintenance + * wrap-and-sort cleanup of debian/* + + -- Daniel Kahn Gillmor Thu, 28 Aug 2014 11:42:18 -0700 + +gnupg2 (2.0.26-1) unstable; urgency=medium + + * New upstream release. + * debian/control: Suggest parcimonie. Thanks ilf. (Closes: #752261) + + -- Eric Dorland Tue, 19 Aug 2014 18:09:08 -0400 + +gnupg2 (2.0.25-2) unstable; urgency=medium + + * debian/control: Switch to libgcrypt20-dev (aka 1.6 release). + + -- Eric Dorland Fri, 08 Aug 2014 14:12:05 -0400 + +gnupg2 (2.0.25-1) unstable; urgency=medium + + * New upstream release. + + -- Eric Dorland Mon, 30 Jun 2014 13:10:04 -0400 + +gnupg2 (2.0.24-1) unstable; urgency=high + + * New upstream release. Fixes CVE-2014-4617 "infinite loop when + decompressing data packets". 
(Closes: #752498) + * debian/patches/02-gpgv2-dont-link-libassuan.diff: Drop, now + upstreamed. + + -- Eric Dorland Wed, 25 Jun 2014 00:11:19 -0400 + +gnupg2 (2.0.23-1) unstable; urgency=medium + + * New upstream release. + * debian/upstream/signing-key.asc: Rename upstream-signing-key.pgp to + the new, supported name. + * debian/control: Restore versioned conflict against gpg-idea. (Closes: + #733984) + * debian/control: Add Recommends on dirmngr for gpgsm. (Closes: #683579) + + -- Eric Dorland Sun, 08 Jun 2014 19:20:17 -0400 + +gnupg2 (2.0.22-3) unstable; urgency=low + + * debian/watch, debian/upstream-signing-key.pgp: Add upstream signing + key for uscan verification. + * debian/kbxutil.1, debian/rules: Add better description and regenerate + the manpage. + * debian/control: Remove version on gpg-idea conflict, add missing + Breaks for gpgsm and convert Conflicts to Breaks for gpgv2. + * debian/control: Move gnupg-agent to Depends for gpgsm instead of + Replaces (which in turn should have been Recommends). + * debian/control: Standards-Version to 3.9.5. + * debian/copyright: Switch to a shiny DEP-5 copyright file. + + -- Eric Dorland Wed, 01 Jan 2014 22:56:56 -0500 + +gnupg2 (2.0.22-2) unstable; urgency=low + + * debian/control: Fix Build-Conflicts on newer automakes. Thanks Chris + Boot. (Closes: #726015) + * debian/control: IDEA is no longer patented, drop its metion from the + description. Thanks brian m. carlson. (Closes: #726139) + * debian/rules: Disable the test suite on mips and mipsel to work around + Bug:#730846. + + -- Eric Dorland Sat, 30 Nov 2013 23:47:56 -0500 + +gnupg2 (2.0.22-1) unstable; urgency=low + + * New upstream version. Fixes CVE-2013-4402 and CVE-2013-4351. (Closes: + #725433, #722724) + * debian/gnupg2.install: Install gnupg-card-architecture.png for the + info file. 
+ + -- Eric Dorland Sat, 05 Oct 2013 17:45:28 -0400 + +gnupg2 (2.0.21-2) unstable; urgency=low + + * debian/rules, debian/gnupg2.install: Switch libexecdir to + /usr/lib/gnupg2 to install helper binaries to a non-multiarch specific + location. (Closes: #717303) + * debian/control, debian/gpgv2.install: Split out gpgv2 into its own + package. + * debian/control, debian/gnupg2.install, debian/kbxutil.1: Add rule and + manpage for kbxutil using help2man. (Closes: #323494) + * debian/patches/02-gpgv2-dont-link-libassuan.diff: Don't link gpgv2 + against libassuan as it's not used. + * debian/rules: Install changelog for gpgv2. + + -- Eric Dorland Sun, 01 Sep 2013 00:42:16 -0400 + +gnupg2 (2.0.21-1) unstable; urgency=low + + * New upstream release. (Closes: #613465, #720369) + * debian/patches/01-gnupg2-rename.diff: Refresh patch. + * debian/control: Fix Vcs-Git path. + * debian/control: Now depends on libgpg-error >= 1.11. + * debian/control: Build-Depends on automake1.11 since the test suite + fails on newer versions. (Closes: #713287) + * debian/control: Also need a Build-Conflicts on automake (<= 1.12). + + -- Eric Dorland Sat, 24 Aug 2013 20:33:19 -0400 + +gnupg2 (2.0.20-1) unstable; urgency=low + + * New upstream release. (Closes: #691237, #583893) + * debian/patches/02-cve-2012-6085.diff: Remove, merged upstream. + * debian/control: Upgrade Standards-Version to 3.9.4. + * debian/compat, debian/control: Upgrade to debhelper v9. + * debian/control, debian/rules: Drop hardening-wrapper, now that we use + debhelper v9. + * debian/scdaemon.install: scdaemon has moved under $libexecdir. + * debian/control: Tighten dependency on scdaemon. + * debian/rules: Turn on all hardening options. + * debian/patches/01-gnupg2-rename.diff: Refresh patch. + * debian/gnupg-agent.install, debian/gnupg2.install, + debian/scdaemon.install: Fix /usr/lib paths for multi-arch. + * debian/rules: Pass ${pkglibdir} to --libexecdir since dh v9 passes + ${libdir} by default. 
+
+ -- Eric Dorland Sat, 11 May 2013 18:28:57 -0400
+
+gnupg2 (2.0.19-2) unstable; urgency=high
+
+ * debian/patches/02-cve-2012-6085.diff: Patch from upstream to fix
+ CVE-2012-6085, "gnupg key import memory corruption". (Closes: #697251)
+ * debian/control: Use canonical addresses for VCS.
+ * debian/control: Fix scdaemon short description.
+
+ -- Eric Dorland Fri, 04 Jan 2013 00:56:52 -0500
+
+gnupg2 (2.0.19-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #666092)
+ * debian/control: Add Multi-Arch: foreign to all packages.
+ * debian/rules: Update ChangeLog locations.
+
+ -- Eric Dorland Sat, 31 Mar 2012 01:06:02 -0400
+
+gnupg2 (2.0.18-2) unstable; urgency=low
+
+ * debian/control, debian/gpgsm.install, debian/scdaemon.install: Add a
+ separate package for the scdaemon. (Closes: #416129)
+ * debian/control, debian/gpgsm.install, debian/gnupg2.install,
+ gnupg-agent.install: Move gpg-preset-passphrase and gpg-protect-tool
+ into the gnupg-agent.
+ * debian/control: Upgrade Standards-Version to 3.9.2.
+ * debian/rules: Install ChangeLog for new scdaemon package.
+
+ -- Eric Dorland Sat, 15 Oct 2011 20:21:35 -0400
+
+gnupg2 (2.0.18-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #635206)
+ * debian/copyright: Update ftp location. (Closes: #624404)
+ * debian/patches/01-gnupg2-rename.diff: Refresh patch.
+
+ -- Eric Dorland Tue, 30 Aug 2011 03:43:20 -0400
+
+gnupg2 (2.0.17-3) unstable; urgency=low
+
+ * debian/rules: Convert the rules file to use the lovely dh format.
+ * debian/gnupg2.dirs, debian/gnupg-agent.dirs, debian/gpgsm.dirs: Remove
+ unless dirs files.
+ * debian/gnupg-agent.lintian-overrides, debian/gnupg2.lintian-overrides,
+ debian/gpgsm.lintian-overrides: Remove unneeded lintian-overrides files.
+
+ -- Eric Dorland Mon, 14 Feb 2011 03:17:39 -0500
+
+gnupg2 (2.0.17-2) unstable; urgency=low
+
+ * debian/control: Add dependency on dpkg (>= 1.15.4) | install-info for
+ info install trigger.
+ * debian/control, debian/rules: Use debian build hardening.
+
+ -- Eric Dorland Sun, 13 Feb 2011 16:33:17 -0500
+
+gnupg2 (2.0.17-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #584316, #603985, #603983, #603984)
+ * debian/patches/02-encode-s2k.diff,
+ debian/patches/03-gpgsm-realloc.diff, debian/patches/series: Drop now
+ unneeded security patches.
+ * debian/rules, debian/patches/01-gnupg2-rename.diff,
+ debian/gnupg2.info, debian/gnupg2.install: No need to rename the info
+ file anymore.
+ * debian/patches/01-gnupg2-rename.diff: Rename the autoconf package for
+ better renaming of pkg directories. (Closes: #579006)
+ * debian/control, debian/compat: Upgrade to debhelper level 8.
+ * debian/control:
+ - Upgrade Standards-Version to 3.9.1.
+ - Update Build-Depends versions for the latest release.
+ * debian/gnupg2.install: Add the applygnupgdefaults command. (Closes:
+ #567537)
+ * debian/gnupg2.docs: doc/faq.html no longer exists.
+
+ -- Eric Dorland Sun, 13 Feb 2011 16:06:41 -0500
+
+gnupg2 (2.0.14-2) unstable; urgency=low
+
+ * debian/*.lintian, debian/*.lintian-overrides, debian/rules: Rename
+ lintian files and use dh_lintian instead of shell snippets.
+ * debian/source/patch-header, debian/source/options: Delete patch header
+ and remove single-debian-patch option.
+ * debian/patches/01-gnupg2-rename.diff: Move patch to do the necessary
+ renaming of gnupg -> gnupg2 in a quilt patch.
+ * debian/patches/02-encode-s2k.diff: Added patch to fix passphrase
+ problem in gpgsm. Thanks Martijn van Brummelen for the NMU to fix this
+ problem in 2.0.14-1.1.
+ * debian/patches/03-gpgsm-realloc.diff: Fix for "Realloc Bug with X.509
+ certificates" for gpgsm. (Closes: #590122)
+ * debian/rules, debian/control: Use dh-autoreconf and autopoint to
+ regenerate autotools files at build time.
+
+ -- Eric Dorland Sun, 25 Jul 2010 02:16:42 -0400
+
+gnupg2 (2.0.14-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/control: Build depend on libreadline-dev instead of
+ libreadline5-dev, since libreadline6-dev is out. (Closes: #548922)
+ * debian/source/format, debian/source/options,
+ debian/source/patch-header: Convert to v3 quilt format, with
+ single-debian-patch.
+ * debian/control: Tighten dependency on gnupg-agent. (Closes: #551792)
+
+ -- Eric Dorland Sat, 09 Jan 2010 21:15:18 -0500
+
+gnupg2 (2.0.13-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/control: Depend instead of Recommend gnupg-agent. (Closes:
+ #538947)
+
+ -- Eric Dorland Mon, 07 Sep 2009 20:38:23 -0400
+
+gnupg2 (2.0.12-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #499569, #463270, #446494, #314068,
+ #519375, #514587)
+ * debian/control: Change build dependency on gs to ghoscript, since
+ ghoscript has been replaced.
+ * debian/compat: Use debhelper v7.
+ * debian/control: Update Standards-Version to 3.8.2.
+ * debian/control: Use ${misc:Depends}.
+ * configure.ac: Override pkgdatadir so that it points to
+ /usr/share/gnupg2. (Closes: #528734)
+ * debian/rules: No longer need to specify pkgdatadir at make install
+ time.
+
+ -- Eric Dorland Sun, 23 Aug 2009 20:48:11 -0400
+
+gnupg2 (2.0.11-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #496663)
+ * debian/control: Make the description a little more distinctive than
+ gnupg v1's. Thanks Jari Aalto. (Closes: #496323)
+
+ -- Eric Dorland Sun, 08 Mar 2009 22:46:47 -0400
+
+gnupg2 (2.0.9-3) unstable; urgency=medium
+
+ * Urgency medium to try to beat the release.
+ * tools/gpgkey2ssh.c: Patch from Daniel Kahn Gillmor to fix broken ssh
+ key generation. (Closes: #473841)
+
+ -- Eric Dorland Mon, 21 Jul 2008 03:48:11 -0400
+
+gnupg2 (2.0.9-2) unstable; urgency=low
+
+ * The "I've neglected you too long" release.
+
+ * debian/control:
+ - Add recommends on gnupg-agent for gpgsm and gnupg2, since they need
+ it under most circumstances.
(Closes: #459462, #477691)
+ - Depend on pinentry instead of recommend, and move pinentry-gtk2 to the
+ front of the alternatives list. (Closes: #462951)
+ * keyserver/gpgkeys_curl.c, keyserver/gpgkeys_hkp.c: Fix FTBFS with gcc
+ 4.3 strictness on bitfields combined with curl. (Closes: #476999)
+
+ -- Eric Dorland Mon, 28 Apr 2008 03:22:20 -0400
+
+gnupg2 (2.0.9-1) unstable; urgency=low
+
+ * New upstream release. Fixes CVE-2008-1530, Key import memory corruption.
+ (Closes: #472928)
+ * debian/rules: Don't ignore status of make distclean, just check for
+ the existance of the Makefile.
+
+ -- Eric Dorland Sat, 29 Mar 2008 03:21:21 -0400
+
+gnupg2 (2.0.8-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #428635)
+ * debian/watch: Use passive ftp, ftp.gnupg.org doesn't seem happy
+ otherwise. (Closes: #456467)
+ * debian/control:
+ - Requires libassuan >= 1.0.4 now.
+ - Remove the XS- prefix from the Vcs-* headers.
+ - Add Homepage header.
+ - Upgrade Standards-Version to 3.7.3.0.
+ - Make gnupg2 optional rather than extra.
+ - Remove unnecessary conflict on suidmanager.
+
+ -- Eric Dorland Sat, 22 Dec 2007 02:06:42 -0500
+
+gnupg2 (2.0.7-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/rules:
+ - Remove unnecessary deletion of the .gmo files. (Closes: #442583)
+ - Clean out some old comments
+ * gnupg-agent.xsession: Remove the quotes around --write-env-file
+ argument. Not ideal, but fine for now. Thanks Luis Rodrigo Gallardo
+ Cruz. (Closes: #443580)
+
+ -- Eric Dorland Sun, 30 Sep 2007 02:50:40 -0400
+
+gnupg2 (2.0.6-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #437289)
+ * debian/gnupg-agent.xsession: Run the Xsession under the gpg-agent, so
+ it exits properly when the session dies. (Closes: #401843)
+ * debian/control: Add XS-Vcs headers for its new git home.
+
+ -- Eric Dorland Mon, 03 Sep 2007 23:29:11 -0400
+
+gnupg2 (2.0.5-2) unstable; urgency=low
+
+ * The "Ubuntu, I would have done it had you only asked" release.
+
+ * debian/copyright: Fix download location. Thanks Ubuntu.
+ * debian/README.Debian: Remove, doesn't contain any relevant info.
+ * debian/rules:
+ - Build with --sysconfdir=/etc, thanks Bernhard Herzog. (Closes: #434790)
+ - Run dh_installexamples.
+ - Don't list the docs to install in here.
+ * debian/gnupg2.examples: New file, install gpgconf.conf as an example
+ into /usr/share/doc. Hope this is a good compromise Bernhard. (Closes:
+ #434878)
+ * debian/control:
+ - Remove opensc and pcsc-lite build dependencies, they're not used anymore.
+ - Add libcurl4-gnutls-dev build dep, to use the real curl.
+ * g10/call-agent.c: set DBG_ASSUAN to 0 to suppress a debug
+ message. Thanks Ubuntu.
+ * debian/gnupg2.docs, debian/gpgsm.docs: Move installed docs in here,
+ add some new docs. Thanks Ubuntu.
+ * debian/rules, debian/gnupg-agent.install: Build symcryptrun and install it
+ in the gnupg-agent package. Thanks Bernhard Herzog. (Closes: #434787)
+ * debian/rules, debian/control: Only recommend libldap, don't depend on
+ it.Thanks Riku. (Closes: #435138)
+
+ -- Eric Dorland Thu, 16 Aug 2007 22:24:16 -0400
+
+gnupg2 (2.0.5-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/watch: Add watch file.
+ * debian/control:
+ - Require libassuan 1.0.2 or greater.
+ - Require libksba 1.0.2 or greater.
+ - Don't recommend plain gpg anymore.
+ * debian/copyright: Update copyright text for GPL v3 relicensing.
+ * docs/scdaemon.texi: Remove old --print-atr documentation. Thanks
+ Ludovic Rousseau. (Closes: #404128)
+
+ -- Eric Dorland Sun, 22 Jul 2007 16:03:32 -0400
+
+gnupg2 (2.0.4-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Eric Dorland Fri, 11 May 2007 00:41:01 -0400
+
+gnupg2 (2.0.3-1) unstable; urgency=high
+
+ * New upstream release.
+ - Fixes multoiple messages problem aka CVE-2007-1263.
+
+ -- Eric Dorland Fri, 9 Mar 2007 03:28:53 -0500
+
+gnupg2 (2.0.2-1) unstable; urgency=high
+
+ * New upstream release. (Closes: #409559)
+ * Thanks Andreas Barth for NMUs. (Closes: #400777, #401895, #401913)
+ * debian/gpgsm.install: pcsc-wrapper renamed to gnupg-pcsc-wrapper.
+
+ -- Eric Dorland Mon, 19 Feb 2007 20:34:52 -0500
+
+gnupg2 (2.0.0-5) unstable; urgency=high
+
+ * debian/control: Remove unnecessary dependencies on makedev and
+ udev. Thanks Marco d'Itri.
+ * doc/gnupg.texi, debian/gnupg2.info, debian/rules: Set the output file
+ to gnupg2.info, and use that for the index. (Closes: #398493)
+
+ -- Eric Dorland Fri, 24 Nov 2006 02:23:35 -0500
+
+gnupg2 (2.0.0-4) unstable; urgency=medium
+
+ * debian/control: Update forgotten replaces for pcsc-wrapper move.
+
+ -- Eric Dorland Mon, 20 Nov 2006 23:02:25 -0500
+
+gnupg2 (2.0.0-3) unstable; urgency=medium
+
+ * debian/control: Remove warning about development, thanks Gonzalo
+ HIGUERA DIAZ. (Closes: #399551)
+
+ -- Eric Dorland Mon, 20 Nov 2006 14:32:33 -0500
+
+gnupg2 (2.0.0-2) unstable; urgency=medium
+
+ * All packaging fixes, so urgency medium to beat the freeze.
+ * debian/distfiles, debian/lintian.override, debian/point-to-info.1:
+ Remove unused files.
+ * debian/gnupg2.info, debian/rules, gnupg2.files: Install all the info
+ files properly. (Closes: #398493)
+ * debian/rules:
+ - Remove some unnecessary autotools build rules.
+ - Move some of make install targets more correctly to the
+ configure line.
+ * debian/*.files, debian/rules: Rename *.files to .install and use
+ dh_install nstead of dh_movefiles.
+ * debian/gnupg-agent.xsession: Account for spaces in the configuration
+ file, thanks Artem Zolochevskiy. (Closes: #352326)
+ * debian/control:
+ - Adjust build-dependency versions slightly to match what the
+ configure scipt requires.
+ - Update Standards-Version to 3.7.2.2.
+ * debian/gpgsm.install, debian/gnupg2.install: Install the pcsc-wrapper
+ in gpgsm. (Closes: #353232)
+ * debian/gpgsm.install, debian/rules: Install gpg-protect-tool into
+ /usr/libb/gnupg2.
+
+ -- Eric Dorland Sun, 19 Nov 2006 18:03:39 -0500
+
+gnupg2 (2.0.0-1) unstable; urgency=medium
+
+ * New upstream release. (Closes: #398215)
+ * common/estream.c: #define PTH_SYSCALL_SOFT 0 as suggested by Daniel Hess.
+
+ -- Eric Dorland Sun, 12 Nov 2006 23:52:59 -0500
+
+gnupg2 (1.9.94-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Eric Dorland Thu, 2 Nov 2006 16:06:30 -0500
+
+gnupg2 (1.9.93-1) unstable; urgency=medium
+
+ * New upstream release. Urgency medium to try to beat the freeze. Thanks
+ to Andreas Metzler for getting this package into shape.
+
+ -- Eric Dorland Wed, 25 Oct 2006 00:41:15 -0400
+
+gnupg2 (1.9.91-0.1) unstable; urgency=low
+
+ * New upstream version, built against clean upstream tarball.
+ (Closes: #378489,#388257)
+ * bump Build-Depends:
+ - libgpg-error-dev 0.6 -> 1.4
+ - libassuan-dev 0.6.10 -> 0.9.1
+ - libksba-dev 0.9.13 -> 1.0.0 (closes: #368552)
+ * Add libreadline5-dev to Build-Depends.
+ * Pass proper --build and --host args to ./configure.
+ * configure with --mandir='$${prefix}/share/man'.
+ * Add $(LIBINTL) to gpgsplit_LDADD in tools/Makefile.am.
+ * New upstream includes a lot more manpages, ship them.
+ (Closes: #300129,#300677)
+ gpg-agent(1) documents ~/gpg-agent.conf. (Closes: #300676)
+ * Update debian/copyright.
+ * Drop gnupg2.postinst gnupg2.postrm postinst postrm. They all only consited
+ of calls to suidregister for /usr/bin/gpg" or "chmod 4755 /usr/bin/gpg".
+ suidregister has been obsolete for a long time and /usr/bin/gpg is not
+ part of these packages. - If /usr/bin/gpg(v)2 was supposed to be installed
+ suid it should be shipped with these permissions in the deb instead
+ using chmod in postinst anyway.
+ * Drop preinst (ending up as gnupg-agent's preinst), which only showed
+ a warning on upgrades from <<0.3.2-1. - There never was a gnupg-agent
+ 0.3.2-1.
+ * Add (noop) binary-indep target as required by policy 4.9.
+
+ -- Andreas Metzler Sun, 8 Oct 2006 07:51:44 +0000
+
+gnupg2 (1.9.20-2) unstable; urgency=high
+
+ * debian/control: Make myself the maintainer with Matthias' permission.
+ * Acknowledge NMU. (Closes: #375053, #376755)
+ * g10/parse-packet.c: Patch from Martin Schulze to backport security fix
+ for CVE-2006-3746, crash when receiving overly long comments.
+
+ -- Eric Dorland Fri, 4 Aug 2006 18:11:43 -0400
+
+gnupg2 (1.9.20-1.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Adapt patch from upstream CVS, fixing buffer overflow leading to remote
+ DoS/crash (CVE-2006-3082). (Closes: #375053)
+
+ -- Steinar H. Gunderson Tue, 4 Jul 2006 20:37:43 +0200
+
+gnupg2 (1.9.20-1) unstable; urgency=low
+
+ * New Upstream version. Closes:#306890,#344530
+ * Closes:#320490: gpg-protect-tool fails to decrypt PKCS-12 files
+ * Depend on libopensc2-dev, not -1-. Closes:#348106
+
+ -- Matthias Urlichs Tue, 24 Jan 2006 04:31:42 +0100
+
+gnupg2 (1.9.19-2) unstable; urgency=low
+
+ * Convert debian/changelog to UTF-8.
+ * Put gnupg-agent and gpgsm lintian overrides in the respectively
+ right package. Closes: #335066
+ * Added debhelper tokens to maintainer scripts.
+ * xsession fixes:
+ o Added host name to gpg-agent PID file name. Closes: #312717
+ o Fixed xsession script to be able to run under zsh. Closes: #308516
+ o Don't run gpg-agent if one is already running. Closes: #336480
+ * debian/control:
+ o Fixed package description of gpgsm package. Closes: #299842
+ o Added mention of gpg-agent to description of gnupg-agent package.
+ Closes: #304355
+ * Thanks to Peter Eisentraut for all of the above.
+
+ -- Matthias Urlichs Thu, 8 Dec 2005 22:13:21 +0100
+
+gnupg2 (1.9.19-1) unstable; urgency=low
+
+ * Merged with 1.9.19.
+ * Re-enable gpgv2 package.
+
+ -- Matthias Urlichs Sat, 22 Oct 2005 14:33:33 +0200
+
+gnupg2 (1.9.17-1) unstable; urgency=low
+
+ * Merged with Upstream 1.9.17.
+
+ -- Matthias Urlichs Mon, 4 Jul 2005 01:56:43 +0200
+
+gnupg2 (1.9.15-6) unstable; urgency=high
+
+ * Move gpg-protect-tool to the gpgsm package.
+ Closes: #303492.
+ High urgency because this renders gpgsm unuseable for some people.
+ * gpg-agent: Override max-cache-ttl if a higher default is set.
+ Closes: #302692.
+
+ -- Matthias Urlichs Thu, 7 Apr 2005 10:13:19 +0200
+
+gnupg2 (1.9.15-5) unstable; urgency=low
+
+ * Add /etc/X11/Xsession.d/90gpg-agent script. Closes: #300128.
+ * Emphasize that gnupg2 is NOT useful at the moment.
+ * Conflict+replace gpg-agent with newpg.
+
+ -- Matthias Urlichs Thu, 10 Mar 2005 22:46:10 +0100
+
+gnupg2 (1.9.15-4) unstable; urgency=low
+
+ * Incorporated Ubuntu changes from Andreas Mueller.
+
+ -- Matthias Urlichs Thu, 10 Mar 2005 21:41:59 +0100
+
+gnupg2 (1.9.15-3ubuntu3) hoary; urgency=low
+
+ * removed info file
+
+ -- Andreas Mueller Tue, 8 Mar 2005 01:58:39 +0100
+
+gnupg2 (1.9.15-3ubuntu2) hoary; urgency=low
+
+ * changed rules file, part cp gnupg.info to mv
+ and added dh_installinfo.
+ * changed Standards Version to 3.6.1
+
+ -- Andreas Mueller Tue, 8 Mar 2005 00:53:31 +0100
+
+gnupg2 (1.9.15-3ubuntu1) hoary; urgency=low
+
+ * added missing build depends texinfo
+
+ -- Andreas Mueller Mon, 7 Mar 2005 22:47:56 +0100
+
+gnupg2 (1.9.15-2) hoary; urgency=low
+
+ * Initial checkin
+
+ -- Andreas Mueller Mon, 7 Mar 2005 21:13:32 +0100
+
+gnupg2 (1.9.15-1) experimental; urgency=low
+
+ * New Upstream release.
+ * Removed -doc package:
+ - The package itself is too smal to merit being packaged separately.
+ - Interim solution: Documentation is included in the gnupg2 package.
+ - Goal: ask Upstream to split the .info file.
+ * Removed suidness.
+ * Update debian/copyright.
+ * Require libassuan >= 0.6.9.
+
+ -- Matthias Urlichs Tue, 25 Jan 2005 08:19:15 +0100
+
+gnupg2 (1.9.11+cvs20040924-5) experimental; urgency=low
+
+ * Rebuild to depend on opensc1.
+ * Split -doc into its own package.
+
+ -- Matthias Urlichs Thu, 16 Dec 2004 10:30:44 +0100
+
+gnupg2 (1.9.11+cvs20040924-4) experimental; urgency=low
+
+ * Turn on setuid-ness.
+ - Added Lintian overrides.
+ * Install all "standard" message files.
+ - Makefile.in: The package name for gettext is in the macro PACKAGE_GT,
+ not PACKAGE.
+ * Fix shebang line of addgnupghome script.
+ * Install info file in the correct place.
+ * Build cleanups.
+
+ -- Matthias Urlichs Tue, 5 Oct 2004 10:59:56 +0200
+
+gnupg2 (1.9.11+cvs20040924-3) experimental; urgency=low
+
+ * rename gnupg-agent's changelog file
+ * Fix gnupg-agent's dependencies
+
+ -- Matthias Urlichs Sun, 3 Oct 2004 20:14:30 +0200
+
+gnupg2 (1.9.11+cvs20040924-2) experimental; urgency=low
+
+ * Shipped a /usr/share/locale.alias file. Ouch.
+ * Split off gpgsm.
+
+ -- Matthias Urlichs Wed, 29 Sep 2004 10:25:51 +0200
+
+gnupg2 (1.9.11+cvs20040924-1) experimental; urgency=low
+
+ * New Upstream.
+
+ -- Matthias Urlichs Sat, 25 Sep 2004 11:05:44 +0200
+
+gnupg2 (1.9.10+cvs-1) experimental; urgency=low
+
+ * Packaged latest Upstream version.
+ * Split gpg-agent into its own .deb.
+ * Bit the bullet and started using debhelper.
+
+ -- Matthias Urlichs Thu, 19 Aug 2004 11:43:34 +0200
+
+gnupg2 (1.9.9-1) experimental; urgency=low
+
+ * Packaged latest Upstream version.
+
+ -- Matthias Urlichs Mon, 14 Jun 2004 17:18:18 +0200
+
+gnupg2 (1.9.5-1) experimental; urgency=low
+
+ * Packaged Upstream development version.
+ Closes:#187548
+
+ -- Matthias Urlichs Mon, 8 Mar 2004 05:30:35 +0100
+
+gnupg (1.2.4-4) unstable; urgency=low
+
+ * 12_zero_length_header.dpatch: update patch from David Shaw
+ to fix the fix of crashing on certain
+ keys.
Closes: #234289
+
+ -- James Troup Mon, 23 Feb 2004 18:02:20 +0000
+
+gnupg (1.2.4-3) unstable; urgency=low
+
+ * Move to dpatch; existing non-debian/ change split into
+ 10_hppa_unaligned_constant.dpatch.
+
+ * debian/rules: include /usr/share/dpatch/dpatch.make.
+ * debian/rules (build): depend on patch-stamp.
+ * debian/rules (clean): depend on unpatch. Remove debian/patched.
+ * debian/control (Build-Depends): add dpatch.
+
+ * debian/rules: update version number and use install_foo convenience
+ variables.
+ * debian/rules (clean): remove emacs backup files from any directory.
+
+ * 11_fi_po_update.dpatch: new patch from Tommi Vainikainen
+ to update Finnish translation as the current one
+ renders gnupg unusable. Closes: #232030, #222951, #192582
+ * debian/rules (clean): remove po/fi.gmo to avoid dpkg-source errors
+ over unrepresentable changes to source.
+
+ * 12_zero_length_header.dpatch: new patch from David Shaw
+ to fix cases where importing certain keys
+ makes the keyring unuseable. Closes: #232714
+
+ * 13_revoked_keys.dpatch: new patch from David Shaw
+ to list revoked keys as revoked. Closes: #231814
+
+ * 14_getkey_not_found_fix.dpatch: new patch from David Shaw
+ to fix --list-sigs incorrectly claiming "User
+ id not found". Closes: #229549
+
+ -- James Troup Fri, 20 Feb 2004 16:38:12 +0000
+
+gnupg (1.2.4-2) unstable; urgency=low
+
+ * mpi/hppa1.1/udiv-qrnnd.S: patch from LaMont Jones
+ to fix unaligned constant. Closes: #228456
+ * debian/copyright: update year and version number.
+
+ -- James Troup Tue, 20 Jan 2004 17:19:58 +0000
+
+gnupg (1.2.4-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Most support for ElGamal Sign+Encrypt keys has been removed. Closes: #222293
+ * No longer miss-identifies GNU/KFreeBSD as GNU/Hurd. Closes: #216957
+ * Fixes build error on GNU/KFreeBSD (and Glibc-based GNU/KNetBSD). Closes: #221079
+ * Fixes segmentation fault in prime generator.
Closes: #213989
+ * Fixes trustdb not updating without ultimately trusted keys. Closes: #222368
+
+ * debian/control (Build-Depends): add libbz2-dev.
+
+ -- James Troup Wed, 31 Dec 2003 17:57:52 +0000
+
+gnupg (1.2.3-1) unstable; urgency=low
+
+ * New upstream release (Closes: #207340).
+ * gpg no longer kills keyrings by importing broken keys. Closes: #196505
+ * options.skel uses subkeys.pgp.net instead of pgp.mit.edu. Closes: #206092
+ * --import now closes files when it's done. Closes: #196643
+ * A key listing speed regression has been fixed. Closes: #192083
+ * debian/copyright: update URL and date.
+ * debian/rules: update dates and version.
+
+ * debian/control (Standards-Version): bump to 3.6.0.
+
+ * debian/Upgrading_From_PGP.txt: new file from to Richard Braakman
+ . Closes: #173233
+ * debian/rules (binary-arch): install it.
+
+ * debian/rules (build): correct libexecdir passed to configure; patch
+ from Matthias Cramer . Fixes invocation of
+ gpgkeys_ldap. Closes: #168486
+
+ -- James Troup Thu, 28 Aug 2003 14:08:50 +0100
+
+gnupg (1.2.2-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/control (Standards-Version): bump to 3.5.9.0.
+ * debian/rules (binary-arch): install convert-from-106 as
+ gpg-convert-from-106 and fix the path to gpg.
+ * debian/control: remove trailing full stop from short description.
+ * debian/control: remove out-dated and contradictory information about
+ RSA.
+
+ -- James Troup Mon, 5 May 2003 03:08:58 +0100
+
+gnupg (1.2.1-2) unstable; urgency=low
+
+ * Update config.guess (to 2002-10-21) and config.sub (to 2002-09-05).
+ Thanks to Ryan Murray. Closes: #166696
+
+ -- James Troup Mon, 28 Oct 2002 01:47:26 +0000
+
+gnupg (1.2.1-1) unstable; urgency=low
+
+ * New upstream version.
+ * An inifinte loop in --update-trustdb has been fixed. Closes: #162039
+ * The polish translation is now correctly specified as UTF-8. Closes: #162885
+ * --refresh-keys is now documented in the manpage.
Closes: #165566 + * debian/control (Conflicts): add gpg-idea <= 2.2 since gnupg >= 1.2 is + incompatible with that version of gpg-idea. Closes: #162314 + + -- James Troup Fri, 25 Oct 2002 18:18:43 +0100 + +gnupg (1.2.0-1) unstable; urgency=low + + * New upstream version. Closes: #161817. + * --options no longer mis-handles a directory as an argument. Closes: #151973 + * gpg now prompts before sending all keys to the keyserver. Closes: #64607 + * There is now a gnupg(7) manpage. Closes: #157750 + * The permission checking has been sanitized and handles non-home-dir + keyrings better. Closes: #147760 + * notation data longer than 5 characters is now handled. Closes: #156871 + * an abort when setting trust levels in a czech locale has been fixed. + Closes: #149212 + * debian/rules (binary-arch): there are no more modules, adjust + accordingly. + * debian/postinst, debian/prerm: remove; no longer do /usr/doc symlinks. + * debian/rules (binary-arch): don't install obsolete postinst or prerm. + * debian/rules (binary-arch): gzip gnupg.7 too. + * debian/rules (build): pass --libexecdir=/usr/lib/gnupg to configure. + * debian/rules (binary-arch): likewise, pass suitable libexcedir + argument to make install. + * debian/control (Standards-Version): update to 3.5.7.0. + * debian/copyright: update URL and date. + * debian/rules: update dates and version. + + -- James Troup Sun, 22 Sep 2002 22:26:25 +0100 + +gnupg (1.0.7-2) unstable; urgency=low + + * debian/control (Suggests): add xloadimage since that's what gpg uses + by default to view photo IDs. Thanks to Julien Danjou + for the suggestion. Closes: #156245 + * debian/control (Depends): add "hurd" to the alternatives to + makedev. Thanks to Michal Suchanek for + noticing. Closes: #158492 + * po/it.po: patch to fix typos from Marco Bodrato + Thu, 29 Aug 2002 01:42:58 +0100 + +gnupg (1.0.7-1) unstable; urgency=low + + * New upstream version. Closes: #145477. + * GDBM support has been removed. Closes: #33009. 
+ * Now adds the default keyring when a keyring is specified.
+ Closes: #50616, #65260.
+ * Now does the Right Thing when receiving a key from the keyserver and
+ the key in question is in both a read-only and writable keyring.
+ Closes: #63297.
+ * Automatic key retrieval is now configurable. Closes: #64940.
+ * --no-options supresses ~/.gnupg creation again. Closes: #95486.
+ * duplicate trust entries are no longer treated as an error. Closes: #96480.
+ * There's now no comment line in ascii armours. Closes: #100088.
+ * Handle secret keyring given as keyring better. Closes: #100581, #106670.
+ * It's now documented that --with-colons unconditionally uses UTF8.
+ Closes: #101446, 101454.
+ * s/now/knows/ typo in manpage fixed. Closes: #107471.
+ * There's now support for a primary UID. Closes: #106567, #108155.
+ * Handles errors in uncompression layer beter. Closes: #112392.
+ * Key selection has been entirely revamped. Closes: #136170.
+ * Handles empty encrypt-to. Closes: #138378
+
+ * debian/rules (binary-arch): remove empty /usr/info directory, thanks
+ to Joey Hess . Closes: #121864.
+ * debian/control: remove duplicated word from long description, thanks
+ to Nicolas Boulenguez . Closes: #144786.
+ * README: correct URL to GPH and other docs, thanks to Mark Brown
+ . Closes: #100277.
+ * debian/control (Standards-Version): updated to 3.5.6.1.
+ * debian/rules (binary-arch): only strip ELF binaries. es_ES -> es hack
+ no longer needed as fixed upstream.
+ * debian/control (Build-Depends): remove libgdbmg1-dev; no longer used.
+ * debian/README.Debian: remove note about gdbm support which was finally
+ removed. Update note on old versions of gnupg to reflect the
+ pre-historic nature of those versions.
+ * debian/control (Build-Depends): add libldap2-dev.
+ * debian/rules (binary-arch): call dpkg-shlibdeps for all ELF binaries.
+ * debian/control (Build-Depends): add file.
+ * debian/control (Priority): increase to standard to match overrides.
+
+ -- James Troup Sat, 11 May 2002 15:08:02 +0100
+
+gnupg (1.0.6-3) unstable; urgency=low
+
+ * moved into main.
+
+ -- James Troup Tue, 19 Mar 2002 16:17:09 +0000
+
+gnupg (1.0.6-2) unstable; urgency=high
+
+ * debian/rules (binary-arch): remove the erroneous
+ /usr/share/locale/locale.alias that 'make install' adds; closes:
+ #99293.
+
+ -- James Troup Wed, 30 May 2001 20:40:59 +0100
+
+gnupg (1.0.6-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup Tue, 29 May 2001 20:59:49 +0100
+
+gnupg (1.0.5-4) unstable; urgency=low
+
+ * Patch from Werner.
+
+ -- James Troup Sun, 27 May 2001 09:34:50 +0100
+
+gnupg (1.0.5-3) unstable; urgency=low
+
+ * Apply patch from Matthew Wilcox to fix assembly on
+ hppa.
+
+ -- James Troup Sun, 13 May 2001 02:36:45 +0100
+
+gnupg (1.0.5-2) unstable; urgency=medium
+
+ * util/http.c: patch from Werner that fixes --send-key, closes: #96277.
+ * debian/control (Depends): accept devfsd in place of makedev, closes:
+ #96307.
+
+ -- James Troup Mon, 7 May 2001 00:13:51 +0100
+
+gnupg (1.0.5-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/README.Debian: fix spelling and update URL.
+ * debian/rules (binary): remove the new info files.
+ * scripts/config.{guess,sub}: sync with subversions, closes: #95729.
+
+ -- James Troup Mon, 30 Apr 2001 02:12:38 +0100
+
+gnupg (1.0.4-4) unstable; urgency=low
+
+ * po/ru.po: patch by Ilya Martynov to replace German
+ entries and add missing translations, closes: #93987.
+ * g10/revoke.c (ask_revocation_reason): typo fix (s/non longer/no
+ longer/g); noticed by Colin Watson , closes:
+ #93664.
+
+ * Deprecated depreciated; noticed by Vincent Broman
+ .
+
+ * Following two patches are from Vincent Broman.
+ * g10/mainproc.c (proc_tree): use iobuf_get_real_fname() in preference
+ to iobuf_get_fname().
+ * g10/openfile.c (open_sigfile): handle .sign prefixed files correctly.
+
+ -- James Troup Fri, 20 Apr 2001 23:32:44 +0100
+
+gnupg (1.0.4-3) unstable; urgency=medium
+
+ * debian/rules (binary): make gpg binary suid, closes: #86433.
+ * debian/postinst: don't use suidregister.
+ * debian/postrm: removed (only called suidunregister).
+ * debian/control: conflict with suidmanager << 0.50.
+ * mpi/longlong.h: apply fix for ARM long long artimetic from Philip
+ Blundell , closes: #87487.
+ * debian/preinst: the old GnuPG debs have moved to people.debian.org.
+ * cipher/random.c: #include as well as
+ * g10/misc.c: likewise.
+ * debian/rules: define a strip alias which removes the .comment and
+ .note sections.
+ * debian/rules (binary-arch): use it.
+ * debian/lintian.override: new file; override the SUID warning from
+ lintian.
+ * debian/rules (binary-arch): install it.
+
+ -- James Troup Sun, 25 Feb 2001 05:24:58 +0000
+
+gnupg (1.0.4-2) stable unstable; urgency=high
+
+ * Apply security fix patch from Werner.
+ * Apply another patch from Werner to fix bogus warning on Rijndael
+ usage.
+ * Change section to 'non-US'.
+
+ -- James Troup Mon, 12 Feb 2001 07:47:02 +0000
+
+gnupg (1.0.4-1) stable unstable; urgency=high
+
+ * New upstream version.
+ * Fixes a serious bug which could lead to false signature verification
+ results when more than one signature is fed to gpg.
+
+ -- James Troup Tue, 17 Oct 2000 17:26:17 +0100
+
+gnupg (1.0.3b-1) unstable; urgency=low
+
+ * New upstream snapshot version.
+
+ -- James Troup Fri, 13 Oct 2000 18:08:14 +0100
+
+gnupg (1.0.3-2) unstable; urgency=low
+
+ * debian/control: Conflict, Replace and Provide gpg-rsa & gpg-rsaref.
+ Fix long description to reflect the fact that RSA is no longer
+ patented and now included. [#72177]
+ * debian/rules: move faq.html to /usr/share/doc/gnupg/ and remove FAQ
+ from /usr/share/gnupg/. Thanks to Robert Luberda
+ for noticing. [#72151]
+ * debian/control: Suggest new package gnupg-doc.
[#64323, #65560]
+ * utils/secmem.c (lock_pool): don't bomb out if mlock() returns ENOMEM,
+ as Linux will do this if resource limits (or other reasons) prevent
+ memory from being locked, instead treat it like permission was denied
+ and warn but continue. Thanks to Topi Miettinen
+ . [#70446]
+ * g10/hkp.c (not_implemented): s/ist/is/ in error message.
+ * debian/README.Debian: add a note about GDBM support and why it is
+ disabled. Upstream already fixed the manpage. [#65913]
+ * debian/rules (binary-arch): fix the Spanish translation to be 'es' not
+ 'es_ES' at Nicolás Lichtmaier 's request. [#57314]
+
+ -- James Troup Sun, 1 Oct 2000 14:55:03 +0100
+
+gnupg (1.0.3-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup Mon, 18 Sep 2000 15:56:54 +0100
+
+gnupg (1.0.2-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup Thu, 13 Jul 2000 20:26:50 +0100
+
+gnupg (1.0.1-2) unstable; urgency=low
+
+ * debian/control (Build-Depends): added.
+ * debian/copyright: corrected location of copyright file. Removed
+ references to Linux. Removed warnings about beta nature of GnuPG.
+ * debian/rules (binary-arch): install documentation into
+ /usr/share/doc/gnupg/ and pass mandir to make install to ensure the
+ manpages go to /usr/share/man/.
+ * debian/postinst: create /usr/doc/gnupg symlink.
+ * debian/prerm: new file; remove /usr/doc/gnupg symlink.
+ * debian/rules (binary-arch): install prerm.
+ * debian/control (Standards-Version): updated to 3.1.1.1.
+
+ -- James Troup Thu, 30 Dec 1999 16:16:49 +0000
+
+gnupg (1.0.1-1) unstable; urgency=low
+
+ * New upstream version.
+ * doc/gpg.1: updated to something usable from
+ ftp://ftp.gnupg.org/pub/gcrypt/gnupg/gpg.1.gz.
+
+ -- James Troup Sun, 19 Dec 1999 23:47:10 +0000
+
+gnupg (1.0.0-3) unstable; urgency=low
+
+ * debian/rules (build): remove the stunningly ill-advised --host option
+ to configure.
[#44698, #48212, #48281] + + -- James Troup Tue, 26 Oct 1999 01:12:59 +0100 + +gnupg (1.0.0-2) unstable; urgency=low + + * debian/rules (binary-arch): fix the permissions on the + modules. [#47280] + * debian/postinst, debian/postrm: fix the package name passed to + suidregister. [#45013] + * debian/control: update long description. [#44636] + * debian/rules (build): pass the host explicitly to configure to avoid + problems on sparc64. [(Should fix) #44698]. + + -- James Troup Wed, 20 Oct 1999 23:39:05 +0100 + +gnupg (1.0.0-1) unstable; urgency=low + + * New upstream release. [#44545] + + -- James Troup Wed, 8 Sep 1999 00:53:02 +0100 + +gnupg (0.9.10-2) unstable; urgency=low + + * debian/rules (binary-arch): install lspgpot. Requested by Kai + Henningsen . [#42288] + * debian/rules (binary-arch): correct the path where modules are looked + for. Reported by Karl M. Hegbloom . [#40881] + * debian/postinst, debian/postrm: under protest, register gpg the + package with suidmanager and make it suid by default. + [#29780,#32590,#40391] + + -- James Troup Tue, 10 Aug 1999 00:12:40 +0100 + +gnupg (0.9.10-1) unstable; urgency=low + + * New upstream version. + + -- James Troup Fri, 6 Aug 1999 01:16:21 +0100 + +gnupg (0.9.9-1) unstable; urgency=low + + * New upstream version. + + -- James Troup Sun, 25 Jul 1999 01:06:31 +0100 + +gnupg (0.9.8-1) unstable; urgency=low + + * New upstream version. + * debian/rules (binary-arch): don't create a gpgm manpage as the binary + no longer exists. Noticed by Wichert Akkerman + . [#38864] + + -- James Troup Sun, 27 Jun 1999 01:07:58 +0100 + +gnupg (0.9.7-1) unstable; urgency=low + + * New upstream version. + + -- James Troup Tue, 25 May 1999 13:23:24 +0100 + +gnupg (0.9.6-1) unstable; urgency=low + + * New upstream version. + * debian/copyright: update version number, noticed by Lazarus Long + . + * debian/control (Depends): depend on makedev (>= 2.3.1-13) to ensure + that /dev/urandom exists; reported by Steffen Markert + . 
[#32076] + + -- James Troup Tue, 11 May 1999 21:06:27 +0100 + +gnupg (0.9.5-1) unstable; urgency=low + + * New upstream version. + * debian/control (Description): no tabs. [Lintian] + + -- James Troup Wed, 24 Mar 1999 22:37:40 +0000 + +gnupg (0.9.4-1) unstable; urgency=low + + * New version. + * debian/control: s/GNUPG/GnuPG/ + + -- Werner Koch Mon, 8 Mar 1999 19:58:28 +0100 + +gnupg (0.9.3-1) unstable; urgency=low + + * New upstream version. + + -- James Troup Mon, 22 Feb 1999 22:55:04 +0000 + +gnupg (0.9.2-1) unstable; urgency=low + + * New version. + * debian/rules (build): Removed CFLAGS as the default is now sufficient. + * debian/rules (clean): remove special handling cleanup in intl. + + -- Werner Koch Wed, 20 Jan 1999 21:23:11 +0100 + +gnupg (0.9.1-1) unstable; urgency=low + + * New upstream version. + + -- James Troup Sat, 9 Jan 1999 22:29:11 +0000 + +gnupg (0.9.0-1) unstable; urgency=low + + * New upstream version. + * g10/armor.c (armor_filter): add missing new line in comment string; as + noticed by Stainless Steel Rat . + + -- James Troup Tue, 29 Dec 1998 20:22:43 +0000 + +gnupg (0.4.5-1) unstable; urgency=low + + * New upstream version. + * debian/rules (clean): force removal of intl/libintl.h which the + Makefiles fail to remove properly. + + -- James Troup Tue, 8 Dec 1998 22:40:23 +0000 + +gnupg (0.4.4-1) unstable; urgency=low + + * New upstream version. + + -- James Troup Sat, 21 Nov 1998 01:34:29 +0000 + +gnupg (0.4.3-1) unstable; urgency=low + + * New upstream version. + * debian/README.Debian: new file; contains same information as is in the + preinst. Suggested by Wichert Akkerman . + * debian/rules (binary-arch): install `README.Debian' + * debian/control (Standards-Version): updated to 2.5.0.0. + + -- James Troup Sun, 8 Nov 1998 19:08:12 +0000 + +gnupg (0.4.2-1) unstable; urgency=low + + * New upstream version. 
+ * debian/preinst: improve message about the NEWS file which isn't + actually installed when it's referred to, thanks to Martin Mitchell + . + * debian/rules (binary-arch): don't install the now non-existent `rfcs', + but do install `OpenPGP'. + + -- James Troup Sun, 18 Oct 1998 22:48:34 +0100 + +gnupg (0.4.1-1) unstable; urgency=low + + * New upstream version. + * debian/rules (binary-arch): fix the gpgm manpage symlink now installed + by `make install'. + + -- James Troup Sun, 11 Oct 1998 17:01:21 +0100 + +gnupg (0.4.0-1) unstable; urgency=high + + * New upstream version. [#26717] + * debian/copyright: tone down warning about alpha nature of gnupg. + * debian/copyright: new maintainer address. + * debian/control: update extended description. + * debian/rules (binary-arch): install FAQ and all ChangeLogs. + * debian/preinst: new; check for upgrade from (<= 0.3.2-1) and warn about + incompatibilities in keyring format and offer to move old copy out of + gpg out of the way for transition strategy and inform the user about + the old copies of gnupg available on my web page. + * debian/rules (binary-arch) install preinst. + * debian/rules (binary-arch): don't depend on the test target as it is + now partially interactive (tries to generate a key, which requires + someone else to be using the computer). + + -- James Troup Thu, 8 Oct 1998 00:47:07 +0100 + +gnupg (0.3.2-1) unstable; urgency=low + + * New upstream version. + * debian/control (Maintainer): new address. + * debian/copyright: updated list of changes. + + -- James Troup Thu, 9 Jul 1998 21:06:07 +0200 + +gnupg (0.3.1-1) unstable; urgency=low + + * New upstream version. + + -- James Troup Tue, 7 Jul 1998 00:26:21 +0200 + +gnupg (0.3.0-2) unstable; urgency=low + + * Applied bug-fix patch from Werner. + + -- James Troup Fri, 26 Jun 1998 12:18:29 +0200 + +gnupg (0.3.0-1) unstable; urgency=low + + * New upstream version. + * debian/control: rewrote short and long description. 
+ * cipher/Makefile.am: link tiger with -lc. + * debian/rules (binary-arch): strip loadable modules. + * util/secmem.c (lock_pool): get rid of errant test code; fix from + Werner Koch . + * debian/rules (test): new target which runs gnupg's test suite. + binary-arch depends on it, to ensure it's run whenever the package is + built. + + -- James Troup Thu, 25 Jun 1998 16:04:57 +0200 + +gnupg (0.2.19-1) unstable; urgency=low + + * New upstream version. + * debian/control: Updated long description. + + -- James Troup Sat, 30 May 1998 12:12:35 +0200 + +gnupg (0.2.18-1) unstable; urgency=low + + * New upstream version. + + -- James Troup Sat, 16 May 1998 11:52:47 +0200 + +gnupg (0.2.17-1) unstable; urgency=high + + * New upstream version. + * debian/control (Standards-Version): updated to 2.4.1.0. + * debian/control: tone down warning about alpha nature of gnupg, as per + README. + * debian/copyright: ditto. + + -- James Troup Mon, 4 May 1998 22:36:51 +0200 + +gnupg (0.2.15-1) unstable; urgency=high + + * New upstream version. + + -- James Troup Fri, 10 Apr 1998 01:12:20 +0100 + +gnupg (0.2.13-1) unstable; urgency=high + + * New upstream version. + + -- James Troup Wed, 11 Mar 1998 01:52:51 +0000 + +gnupg (0.2.12-1) unstable; urgency=low + + * New upstream version. + + -- James Troup Sat, 7 Mar 1998 13:52:40 +0000 + +gnupg (0.2.11-1) unstable; urgency=low + + * New upstream version. + + -- James Troup Wed, 4 Mar 1998 01:32:12 +0000 + +gnupg (0.2.10-1) unstable; urgency=low + + * New upstream version. + * Name changed upstream. + + -- James Troup Mon, 2 Mar 1998 07:32:05 +0000 + +g10 (0.2.7-1) unstable; urgency=low + + * Initial release. + + -- James Troup Fri, 20 Feb 1998 02:05:34 +0000 diff --git a/clean b/clean new file mode 100644 index 0000000..922f2c9 --- /dev/null +++ b/clean @@ -0,0 +1,8 @@ +po/*.gmo +po/stamp-po +build-gpgv-static/ +build-gpgv-udeb/ +build-gpgv-win32/ +doc/gnupg.info +doc/gnupg.info-1 +doc/gnupg.info-2 
diff --git a/compat b/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/compat
@@ -0,0 +1 @@
+9
diff --git a/control b/control
new file mode 100644
index 0000000..c976558
--- /dev/null
+++ b/control
@@ -0,0 +1,323 @@ +Source: gnupg2 +Section: utils +Priority: optional +Maintainer: Debian GnuPG Maintainers +Uploaders: + Eric Dorland , + Daniel Kahn Gillmor , +Standards-Version: 3.9.8 +Build-Depends: + automake, + autopoint, + debhelper (>= 9), + dh-autoreconf, + file, + gettext, + ghostscript, + imagemagick, + libassuan-dev (>= 2.4.3), + libbz2-dev, + libcurl4-gnutls-dev, + libgcrypt20-dev (>= 1.7.0), + libgnutls28-dev (>= 3.0), + libgpg-error-dev (>= 1.24), + libksba-dev (>= 1.3.4), + libldap2-dev, + libnpth0-dev (>= 1.2), + libreadline-dev, + librsvg2-bin, + libsqlite3-dev, + libusb-1.0-0-dev [!hurd-any], + pkg-config, + texinfo, + transfig, + zlib1g-dev | libz-dev, +Build-Depends-Indep: + binutils-multiarch [!amd64 !i386], + libassuan-mingw-w64-dev, + libgcrypt-mingw-w64-dev, + libgpg-error-mingw-w64-dev, + libksba-mingw-w64-dev, + libnpth-mingw-w64-dev, + libz-mingw-w64-dev, + mingw-w64, +Vcs-Git: https://anonscm.debian.org/git/pkg-gnupg/gnupg2.git +Vcs-Browser: https://anonscm.debian.org/git/pkg-gnupg/gnupg2.git +Homepage: https://www.gnupg.org/ + +Package: gnupg-agent +Architecture: any +Multi-Arch: foreign +Depends: + pinentry-curses | pinentry, + ${misc:Depends}, + ${shlibs:Depends}, +Recommends: + gnupg (= ${binary:Version}) | gpgsm, +Suggests: + scdaemon, +Provides: + gpg-agent, +Description: GNU privacy guard - cryptographic agent + GnuPG is GNU's tool for secure communication and data storage. + It can be used to encrypt data and to create digital signatures. + It includes an advanced key management facility and is compliant + with the proposed OpenPGP Internet standard as described in RFC4880. + . + This package contains the agent program gpg-agent which handles all + secret key material for OpenPGP and S/MIME use. The agent also + provides a passphrase cache, which is used by pre-2.1 versions of + GnuPG for OpenPGP operations. 
+ +Package: scdaemon +Architecture: any +Multi-Arch: foreign +Depends: + gnupg-agent (= ${binary:Version}), + ${misc:Depends}, + ${shlibs:Depends}, +Enhances: + gnupg-agent, +Description: GNU privacy guard - smart card support + GnuPG is GNU's tool for secure communication and data storage. + It can be used to encrypt data and to create digital signatures. + It includes an advanced key management facility and is compliant + with the proposed OpenPGP Internet standard as described in RFC4880. + . + This package contains the smart card program scdaemon, which is used + by gnupg-agent to access OpenPGP smart cards. + +Package: gpgsm +Architecture: any +Multi-Arch: foreign +Depends: + gnupg-agent (= ${binary:Version}), + ${misc:Depends}, + ${shlibs:Depends}, +Recommends: + dirmngr (= ${binary:Version}), +Breaks: + gnupg2 (<< 2.1.10-2), +Replaces: + gnupg2 (<< 2.1.10-2), +Description: GNU privacy guard - S/MIME version + GnuPG is GNU's tool for secure communication and data storage. + It can be used to encrypt data and to create digital signatures. + It includes an advanced key management facility and is compliant + with the proposed OpenPGP Internet standard as described in RFC4880. + . + This package contains the gpgsm program. gpgsm is a tool to provide + digital encryption and signing services on X.509 certificates and the + CMS protocol. gpgsm includes complete certificate management. 
+ +Package: gnupg +Architecture: any +Multi-Arch: foreign +Depends: + gnupg-agent (= ${binary:Version}), + ${misc:Depends}, + ${shlibs:Depends}, +Recommends: + dirmngr (= ${binary:Version}), + gnupg-l10n (= ${source:Version}), + ${shlibs:Recommends}, +Suggests: + parcimonie, + xloadimage, +Breaks: + debsig-verify (<< 0.15), + dirmngr (<< ${binary:Version}), + gnupg2 (<< 2.1.11-7+exp1), + libgnupg-interface-perl (<< 0.52-3), + libgnupg-perl (<= 0.19-1), + libmail-gnupg-perl (<= 0.22-1), + monkeysphere (<< 0.38~), + php-crypt-gpg (<= 1.4.1-1), + python-apt (<= 1.1.0~beta4), + python-gnupg (<< 0.3.8-3), + python3-apt (<= 1.1.0~beta4), +Replaces: + gnupg2 (<< 2.1.11-7+exp1), +Provides: + gpg, +Description: GNU privacy guard - a free PGP replacement + GnuPG is GNU's tool for secure communication and data storage. + It can be used to encrypt data and to create digital signatures. + It includes an advanced key management facility and is compliant + with the proposed OpenPGP Internet standard as described in RFC4880. + . + This package contains /usr/bin/gpg and some helper utilities like + gpgconf and kbxutil. + +Package: gnupg2 +Architecture: all +Section: oldlibs +Priority: extra +Multi-Arch: foreign +Depends: + gnupg (>= ${source:Version}), + ${misc:Depends}, +Description: GNU privacy guard - a free PGP replacement (dummy transitional package) + GnuPG is GNU's tool for secure communication and data storage. + It can be used to encrypt data and to create digital signatures. + It includes an advanced key management facility and is compliant + with the proposed OpenPGP Internet standard as described in RFC4880. + . + This is a dummy transitional package that provides symlinks from gpg2 + to gpg. 
+ +Package: gpgv +Architecture: any +Priority: important +Multi-Arch: foreign +Depends: + ${misc:Depends}, + ${shlibs:Depends}, +Breaks: + gnupg2 (<< 2.0.21-2), + gpgv2 (<< 2.1.11-7+exp1), + python-debian (<< 0.1.29), +Replaces: + gnupg2 (<< 2.0.21-2), + gpgv2 (<< 2.1.11-7+exp1), +Suggests: + gnupg, +Description: GNU privacy guard - signature verification tool + GnuPG is GNU's tool for secure communication and data storage. + . + gpgv is actually a stripped-down version of gpg which is only able + to check signatures. It is somewhat smaller than the fully-blown gpg + and uses a different (and simpler) way to check that the public keys + used to make the signature are valid. There are no configuration + files and only a few options are implemented. + +Package: gpgv2 +Section: oldlibs +Priority: extra +Architecture: all +Multi-Arch: foreign +Depends: + gpgv (>= ${source:Version}), + ${misc:Depends}, +Description: GNU privacy guard - signature verification tool (dummy transitional package) + GnuPG is GNU's tool for secure communication and data storage. gpgv + is a stripped-down version of gpg which is only able to check + signatures. + . + This is a dummy transitional package that provides symlinks from gpgv2 + to gpgv. + +Package: dirmngr +Architecture: any +Depends: + adduser, + lsb-base (>= 3.2-13), + ${misc:Depends}, + ${shlibs:Depends}, +Recommends: + gnupg (= ${binary:Version}), + ${shlibs:Recommends}, +Enhances: + gnupg, + gpgsm, + squid, +Breaks: + gnupg2 (<< 2.1.10-2), +Replaces: + gnupg2 (<< 2.1.10-2), +Suggests: + tor, +Description: GNU privacy guard - network certificate management service + dirmngr is a server for managing and downloading OpenPGP and X.509 + certificates, as well as updates and status signals related to those + certificates. For OpenPGP, this means pulling from the public + HKP/HKPS keyservers, or from LDAP servers. For X.509 this includes + Certificate Revocation Lists (CRLs) and Online Certificate Status + Protocol updates (OCSP). 
It is capable of using tor for network + access. + . + dirmngr is used for network access by gpg, gpgsm, and dirmngr-client, + among other tools. + +Package: gpgv-udeb +Package-Type: udeb +Section: debian-installer +Priority: extra +Architecture: any +Depends: + ${misc:Depends}, + ${shlibs:Depends}, +Description: minimal signature verification tool + GnuPG is GNU's tool for secure communication and data storage. + It can be used to encrypt data and to create digital signatures. + It includes an advanced key management facility and is compliant + with the proposed OpenPGP Internet standard as described in RFC 4880. + . + This is GnuPG's signature verification tool, gpgv, packaged in minimal + form for use in debian-installer. + +Package: gpgv-static +Priority: extra +Architecture: any +Depends: + ${misc:Depends}, + ${shlibs:Depends}, +Recommends: + debian-archive-keyring, + debootstrap, +Description: minimal signature verification tool (static build) + GnuPG is GNU's tool for secure communication and data storage. + It can be used to encrypt data and to create digital signatures. + It includes an advanced key management facility and is compliant + with the proposed OpenPGP Internet standard as described in RFC 4880. + . + This is GnuPG's signature verification tool, gpgv, built statically + so that it can be directly used on any platform that is running on + the Linux kernel. Android and ChromeOS are two well known examples, + but there are many other platforms that this will work for, like + embedded Linux OSes. This gpgv in combination with debootstrap and + the Debian archive keyring allows the secure creation of chroot + installs on these platforms by using the full Debian signature + verification that is present in all official Debian mirrors. 
+ +Package: gpgv-win32 +Architecture: all +Priority: extra +Multi-Arch: foreign +Depends: + ${misc:Depends}, +Suggests: + wine, +Description: GNU privacy guard - signature verification tool (win32 build) + GnuPG is GNU's tool for secure communication and data storage. + . + gpgv is a stripped-down version of gnupg which is only able to check + signatures. It is smaller than the full-blown gnupg and uses a + different (and simpler) way to check that the public keys used to + make the signature are trustworthy. + . + This is a win32 version of gpgv. It's meant to be used by the win32-loader + component of Debian-Installer. + +Package: gnupg-l10n +Architecture: all +Priority: extra +Multi-Arch: foreign +Depends: + ${misc:Depends}, +Enhances: + gnupg, +Breaks: + gnupg (<< 2.1.14-2~), + gnupg2 (<< 2.1.14-2~), +Replaces: + gnupg (<< 2.1.14-2~), + gnupg2 (<< 2.1.14-2~), +Description: GNU privacy guard - localization files + GnuPG is GNU's tool for secure communication and data storage. + It can be used to encrypt data and to create digital signatures. + It includes an advanced key management facility and is compliant + with the proposed OpenPGP Internet standard as described in RFC 4880. + . + This package contains the translation files for the use of GnuPG in + non-English locales. diff --git a/copyright b/copyright new file mode 100644 index 0000000..5676d81 --- /dev/null +++ b/copyright 
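Review bot: The `Package: dirmngr` stanza in control still lists `adduser` and `lsb-base (>= 3.2-13)` under `Depends`, although dirmngr.NEWS in this same import states there is no system-wide dirmngr process any more and dirmngr.maintscript removes `/etc/init.d/dirmngr`. The maintainer scripts are not visible here, so this is inferred, but if none of them still creates a user or sources the LSB init functions, both entries are leftovers from the system-service era. Dropping them would leave `Depends: ${misc:Depends}, ${shlibs:Depends},` and keep the install footprint of a network-facing component minimal.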
@@ -0,0 +1,233 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: GnuPG - The GNU Privacy Guard (modern version) +Upstream-Contact: GnuPG development mailing list +Source: https://gnupg.org/download/ + +Files: * +Copyright: 1992, 1995-2016, Free Software Foundation, Inc +License: GPL-3+ + +Files: agent/command.c + agent/command-ssh.c + agent/gpg-agent.c + common/homedir.c + common/sysutils.c + g10/mainproc.c +Copyright: 1998-2007, 2009, 2012, Free Software Foundation, Inc + 2013, Werner Koch +License: GPL-3+ + +Files: autogen.sh +Copyright: 2003, g10 Code GmbH +License: permissive + +Files: common/gc-opt-flags.h + common/i18n.h + tools/clean-sat.c + tools/no-libgcrypt.c +Copyright: 1998-2001, 2003, 2004, 2006, 2007 Free Software Foundation, Inc +License: permissive + +Files: common/localename.c +Copyright: 1985, 1989-1993, 1995-2003, 2007, 2008 Free Software Foundation, Inc. +License: LGPL-2.1+ + +Files: dirmngr/dns.c + dirmngr/dns.h +Copyright: 2008-2010, 2012-2016 William Ahern +License: Expat + +Files: doc/yat2m.c + scd/app-geldkarte.c +Copyright: 2004, 2005, g10 Code GmbH + 2006, 2008, 2009, 2011, Free Software Foundation, Inc +License: GPL-3+ + +Files: scd/ccid-driver.h + scd/ccid-driver.c +Copyright: 2003-2007, Free Software Foundation, Inc +License: GPL-3+ or BSD-3-clause + +Files: tools/rfc822parse.c + tools/rfc822parse.h +Copyright: 1999-2000, Werner Koch, Duesseldorf + 2003-2004, g10 Code GmbH +License: LGPL-3+ + +Files: tools/sockprox.c +Copyright: 2007, g10 Code GmbH +License: GPL-3+ + +Files: doc/OpenPGP +Copyright: 1998-2013 Free Software Foundation, Inc. 
+ 1997, 1998, 2013 Werner Koch + 1998 The Internet Society +License: RFC-Reference + +Files: tests/gpgscm/* +Copyright: 2000, Dimitrios Souflis + 2016, Justus Winter, Werner Koch +License: TinySCHEME + +License: TinySCHEME + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + . + Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + . + Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + Neither the name of Dimitrios Souflis nor the names of the + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR + CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +License: permissive + This file is free software; as a special exception the author gives + unlimited permission to copy and/or distribute it, with or without + modifications, as long as this notice is preserved. + . 
+ This file is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY, to the extent permitted by law; without even + the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + PURPOSE. + +License: RFC-Reference + doc/OpenPGP merely cites and references IETF Draft + draft-ietf-openpgp-formats-07.txt. This is believed to be fair use; + but if not, it's covered by the source document's license under + the 'comment on' clause. The license statement follows. + . + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph + are included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + . + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + +License: GPL-3+ + GnuPG is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + . + GnuPG is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . 
+ You should have received a copy of the GNU General Public License + along with this program; if not, see . + . + On Debian systems, the full text of the GNU General Public + License version 3 can be found in the file + `/usr/share/common-licenses/GPL-3'. + +License: LGPL-3+ + This program is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as + published by the Free Software Foundation; either version 3 of + the License, or (at your option) any later version. + . + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + . + You should have received a copy of the GNU Lesser General Public + License along with this program; if not, see . + . + On Debian systems, the full text of the GNU Lesser General Public + License version 3 can be found in the file + `/usr/share/common-licenses/LGPL-3'. + +License: LGPL-2.1+ + This program is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as + published by the Free Software Foundation; either version 2.1 of + the License, or (at your option) any later version. + . + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + . + You should have received a copy of the GNU Lesser General Public + License along with this program; if not, see . + . + On Debian systems, the full text of the GNU Lesser General Public + License version 2.1 can be found in the file + `/usr/share/common-licenses/LGPL-2.1'. 
+ +License: BSD-3-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, and the entire permission notice in its entirety, + including the disclaimer of warranties. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. The name of the author may not be used to endorse or promote + products derived from this software without specific prior + written permission. + . + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + +License: Expat + Permission is hereby granted, free of charge, to any person obtaining a + copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to permit + persons to whom the Software is furnished to do so, subject to the + following conditions: + . 
+ The above copyright notice and this permission notice shall be included + in all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN + NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, + DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR + OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE + USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/dirmngr.NEWS b/dirmngr.NEWS new file mode 100644 index 0000000..bd0ccb7 --- /dev/null +++ b/dirmngr.NEWS 
@@ -0,0 +1,39 @@
+dirmngr (2.1.13-3) experimental; urgency=medium
+
+ gpg and most related processes will auto-launch dirmngr if needed.
+
+ Any user who wants to launch dirmngr manually should do so with:
+
+ gpgconf --launch dirmngr
+
+ and may want to terminate dirmngr when their session ends with:
+
+ gpgconf --kill dirmngr
+
+ Users on machines with systemd can ensure that dirmngr is always
+ running for their session (and that it gets terminated at logout)
+ with:
+
+ gpgconf --kill dirmngr
+ systemctl --user enable dirmngr
+ systemctl --user start dirmngr
+
+ -- Daniel Kahn Gillmor Tue, 28 Jun 2016 17:55:15 -0400
+
+dirmngr (2.1.0~beta895-1) experimental; urgency=medium
+
+ No more dirmngr system service!
+ ===============================
+
+ As of the 2.1.0 beta series, dirmngr is a local daemon that works
+ closely with gnupg2. It is launched on its own, per-user, and
+ listens on a standard socket (usually ~/.gnupg/S.dirmngr). There is
+ no more system-wide dirmngr process.
+
+ If there is a special case where a dirmngr system process is
+ actually needed, please report a bug in dirmngr, and we can sort out
+ a way to set one up for that case so that everyone with dirmngr
+ installed doesn't need to have it running.
+
+ -- Daniel Kahn Gillmor Tue, 07 Oct 2014 10:33:52 -0400
+
diff --git a/dirmngr.README.Debian b/dirmngr.README.Debian
new file mode 100644
index 0000000..4fd9156
--- /dev/null
+++ b/dirmngr.README.Debian
@@ -0,0 +1,48 @@
+dirmngr system integration
+==========================
+
+Since 2.1.x, gpg and most related processes will auto-launch dirmngr
+if needed. These auto-launched processes will inherit whatever
+environment they started from, and they will not terminate
+automatically.
+
+systemd
+=======
+
+Users on machines with systemd can ensure that dirmngr is always
+running for their session, and that it gets terminated safely at
+logout by doing:
+
+ systemctl --user enable dirmngr.socket
+
+If you do this from the middle of a running session, you probably also
+want to clean up any other running dirmngr, and ensure that the
+service is started for the current session as well:
+
+ gpgconf --kill dirmngr
+ systemctl --user start dirmngr.socket
+
+Manual dirmngr startup
+======================
+
+Any user who wants to launch dirmngr manually (e.g., to talk to it
+with a tool from outside the GnuPG suite) should do so with:
+
+ gpgconf --launch dirmngr
+
+You may wish to add this to your session login scripts if you're not
+using systemd.
+
+dirmngr teardown
+================
+
+If dirmngr is launched manually or automatically (but not supervised
+by systemd), you probably want to ensure that it terminates when your
+session ends with:
+
+ gpgconf --kill dirmngr
+
+You may wish to add this to your session logout scripts if you're not
+using systemd.
+
+ -- Daniel Kahn Gillmor , Thu, 27 Oct 2016 12:46:23 -0400
diff --git a/dirmngr.docs b/dirmngr.docs
new file mode 100644
index 0000000..817be40
--- /dev/null
+++ b/dirmngr.docs
@@ -0,0 +1,4 @@
+AUTHORS
+NEWS
+THANKS
+TODO
diff --git a/dirmngr.install b/dirmngr.install
new file mode 100644
index 0000000..1e77641
--- /dev/null
+++ b/dirmngr.install
@@ -0,0 +1,7 @@
+debian/tmp/usr/bin/dirmngr
+debian/tmp/usr/bin/dirmngr-client
+debian/tmp/usr/lib/gnupg/dirmngr_ldap
+debian/tmp/usr/share/gnupg/dirmngr-conf.skel
+debian/tmp/usr/share/gnupg/sks-keyservers.netCA.pem
+doc/examples/systemd-user/dirmngr.service usr/lib/systemd/user
+doc/examples/systemd-user/dirmngr.socket usr/lib/systemd/user
diff --git a/dirmngr.maintscript b/dirmngr.maintscript
new file mode 100644
index 0000000..aa11aa5
--- /dev/null
+++ b/dirmngr.maintscript
@@ -0,0 +1,5 @@
+rm_conffile /etc/default/dirmngr
+rm_conffile /etc/dirmngr/dirmngr.conf
+rm_conffile /etc/dirmngr/ldapservers.conf
+rm_conffile /etc/init.d/dirmngr
+rm_conffile /etc/logrotate.d/dirmngr
diff --git a/dirmngr.manpages b/dirmngr.manpages
new file mode 100644
index 0000000..93702d9
--- /dev/null
+++ b/dirmngr.manpages
@@ -0,0 +1,2 @@
+debian/tmp/usr/share/man/man1/dirmngr-client.1
+debian/tmp/usr/share/man/man8/dirmngr.8
diff --git a/gbp.conf b/gbp.conf
new file mode 100644
index 0000000..1789fc2
--- /dev/null
+++ b/gbp.conf
@@ -0,0 +1,33 @@
+[DEFAULT]
+pristine-tar = True
+upstream-vcs-tag = gnupg-%(version)s
+
+[import-orig]
+filter = [
+ 'aclocal.m4',
+ 'build-aux/compile',
+ 'build-aux/config.rpath',
+ 'build-aux/depcomp',
+ 'build-aux/install-sh',
+ 'build-aux/missing',
+ 'build-aux/mkinstalldirs',
+ 'build-aux/texinfo.tex',
+ 'config.h.in',
+ 'configure',
+ 'doc/gnupg.info*',
+ 'INSTALL',
+ 'm4/intdiv0.m4',
+ 'm4/intl.m4',
+ 'm4/lock.m4',
+ 'm4/printf-posix.m4',
+ 'm4/size_max.m4',
+ 'm4/uintmax_t.m4',
+ 'm4/wint_t.m4',
+ '*/*/Makefile.in',
+ '*/Makefile.in',
+ 'Makefile.in',
+ 'po/*.gmo',
+ 'po/Makefile.in.in',
+ 'po/stamp-po',
+ ]
+filter-pristine-tar = False
diff --git a/gnupg-agent.NEWS b/gnupg-agent.NEWS
new file mode 100644
index 0000000..72cdeb4
--- /dev/null
+++ b/gnupg-agent.NEWS
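Review bot: All five `rm_conffile` lines in dirmngr.maintscript give only the path, with no prior-version or package argument, so dpkg-maintscript-helper attempts the removal on every upgrade instead of once at the transition away from the system service. Pinning each line to the last version that shipped the file keeps the cleanup one-shot and auditable, e.g. `rm_conffile /etc/init.d/dirmngr <PRIOR-VERSION>~ dirmngr`. `<PRIOR-VERSION>` is a placeholder: dirmngr.NEWS suggests the service was dropped in the 2.1.0 beta series, but the exact version is not visible here. Locally modified copies are kept as backup files rather than deleted, so it would help to say in a NEWS or README entry that a leftover init script or logrotate snippet may need manual removal.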
@@ -0,0 +1,9 @@
+gnupg-agent (2.1.13-3) experimental; urgency=medium
+
+ gpg-agent is no longer auto-launched by
+ /etc/X11/Xsession.d/90gpg-agent. Please read
+ /usr/share/doc/gnupg-agent/README.Debian for details about system
+ integration.
+
+ -- Daniel Kahn Gillmor Tue, 28 Jun 2016 17:29:46 -0400
+
diff --git a/gnupg-agent.README.Debian b/gnupg-agent.README.Debian
new file mode 100644
index 0000000..dd4e51a
--- /dev/null
+++ b/gnupg-agent.README.Debian
@@ -0,0 +1,55 @@
+gpg-agent system integration
+============================
+
+Since 2.1.x, gpg and most related processes will auto-launch gpg-agent
+if needed. These auto-launched processes will inherit whatever
+environment they started from, and they will not terminate
+automatically.
+
+systemd
+=======
+
+Users on machines with systemd can ensure that gpg-agent is always
+available for their session, and that it gets terminated safely at
+logout by doing:
+
+ systemctl --user enable gpg-agent.socket
+
+If you also want the ssh or extra (restricted) sockets to be
+available, you might also add:
+
+ systemctl --user enable gpg-agent-ssh.socket
+ systemctl --user enable gpg-agent-extra.socket
+
+If you do this from the middle of a running session, you probably also
+want to clean up any other running gpg-agent, and ensure that the
+socket is open and listening is started for the current session as
+well:
+
+ gpgconf --kill gpg-agent
+ systemctl --user start gpg-agent.socket
+
+Manual gpg-agent startup
+========================
+
+Any user who wants to launch gpg-agent manually (e.g., to talk to it
+with a tool from outside the GnuPG suite) should do so with:
+
+ gpgconf --launch gpg-agent
+
+You may wish to add this to your session login scripts if you're not
+using systemd.
+
+gpg-agent teardown
+==================
+
+If gpg-agent is launched manually or automatically (but not supervised
+by systemd), you probably want to ensure that it terminates when your
+session ends with:
+
+ gpgconf --kill gpg-agent
+
+You may wish to add this to your session logout scripts if you're not
+using systemd.
+
+ -- Daniel Kahn Gillmor , Mon, 17 Oct 2016 17:06:22 -0400
diff --git a/gnupg-agent.examples b/gnupg-agent.examples
new file mode 100644
index 0000000..34213be
--- /dev/null
+++ b/gnupg-agent.examples
@@ -0,0 +1,2 @@
+doc/examples/pwpattern.list
+doc/examples/trustlist.txt
diff --git a/gnupg-agent.install b/gnupg-agent.install
new file mode 100644
index 0000000..2a4dcbe
--- /dev/null
+++ b/gnupg-agent.install
@@ -0,0 +1,12 @@
+debian/Xsession.d/90gpg-agent etc/X11/Xsession.d
+debian/systemd-user/gpg-agent-browser.socket usr/lib/systemd/user
+debian/tmp/usr/bin/gpg-agent
+debian/tmp/usr/bin/gpg-connect-agent
+debian/tmp/usr/bin/symcryptrun
+debian/tmp/usr/lib/gnupg/gpg-check-pattern
+debian/tmp/usr/lib/gnupg/gpg-preset-passphrase
+debian/tmp/usr/lib/gnupg/gpg-protect-tool
+doc/examples/systemd-user/gpg-agent-extra.socket usr/lib/systemd/user
+doc/examples/systemd-user/gpg-agent-ssh.socket usr/lib/systemd/user
+doc/examples/systemd-user/gpg-agent.service usr/lib/systemd/user
+doc/examples/systemd-user/gpg-agent.socket usr/lib/systemd/user
diff --git a/gnupg-agent.links b/gnupg-agent.links
new file mode 100644
index 0000000..2927701
--- /dev/null
+++ b/gnupg-agent.links
@@ -0,0 +1,2 @@
+usr/lib/gnupg/gpg-preset-passphrase usr/lib/gnupg2/gpg-preset-passphrase
+usr/lib/gnupg/gpg-protect-tool usr/lib/gnupg2/gpg-protect-tool
diff --git a/gnupg-agent.manpages b/gnupg-agent.manpages
new file mode 100644
index 0000000..4819831
--- /dev/null
+++ b/gnupg-agent.manpages
@@ -0,0 +1,5 @@
+debian/gpg-check-pattern.1
+debian/tmp/usr/share/man/man1/gpg-agent.1
+debian/tmp/usr/share/man/man1/gpg-connect-agent.1
+debian/tmp/usr/share/man/man1/gpg-preset-passphrase.1
+debian/tmp/usr/share/man/man1/symcryptrun.1
diff --git a/gnupg-l10n.install b/gnupg-l10n.install
new file mode 100644
index 0000000..9aaad82
--- /dev/null
+++ b/gnupg-l10n.install
@@ -0,0 +1,2 @@
+debian/tmp/usr/share/gnupg/help.*.txt
+debian/tmp/usr/share/locale
diff --git a/gnupg.README.Debian b/gnupg.README.Debian
new file mode 100644
index 0000000..24944d3
--- /dev/null
+++ b/gnupg.README.Debian
@@ -0,0 +1,44 @@
+Using "Modern" GnuPG
+====================
+
+As of version 2.1.11-7+exp1, the gnupg package is provided by the "modern"
+version of GnuPG.
+
+This means:
+
+ * supporting daemons are auto-launched as needed
+
+ * all access to secret key material is handled by gpg-agent
+
+ * all smartcard access is handled by scdaemon
+
+ * all network access is handled by dirmngr
+
+ * PGPv3 keys are no longer supported
+
+ * secret keys are no longer stored in $GNUPGHOME/secring.gpg, but
+ instead in $GNUPGHOME/private-keys-v1.d/
+
+ * public keyrings are stored in keybox format (~/.gnupg/pubring.kbx) by
+ default for new users. Upgrading users will continue to use
+ pubring.gpg until they decide to explicitly convert.
+
+Converting an existing installation
+-----------------------------------
+
+If you have an existing GnuPG homedir from "classic" GnuPG, secret
+keys should be migrated automatically upon the first run of the
+"modern" version.
+
+If you have any secret keys that are stored only in a smartcard, after
+your first use of "modern" gpg you should insert the card and run:
+
+ gpg --card-status
+
+ (see https://bugs.debian.org/795881)
+
+Public keys will not be automatically migrated from pubring.gpg to
+pubring.kbx, however. If you want to migrate your public keyring, you
+can use a script like /usr/bin/migrate-pubring-from-classic-gpg
+
+ -- Daniel Kahn Gillmor , Mon, 18 Apr 2016 19:08:36 -0400
diff --git a/gnupg.docs b/gnupg.docs
new file mode 100644
index 0000000..b182260
--- /dev/null
+++ b/gnupg.docs
@@ -0,0 +1,9 @@
+NEWS
+README
+THANKS
+TODO
+doc/DETAILS
+doc/FAQ
+doc/HACKING
+doc/KEYSERVER
+doc/OpenPGP
diff --git a/gnupg.examples b/gnupg.examples
new file mode 100644
index 0000000..3e74b94
--- /dev/null
+++ b/gnupg.examples
@@ -0,0 +1 @@
+doc/examples/gpgconf.conf
diff --git a/gnupg.info b/gnupg.info
new file mode 100644
index 0000000..e4baa0f
--- /dev/null
+++ b/gnupg.info
@@ -0,0 +1,3 @@
+debian/tmp/usr/share/info/gnupg.info*
+doc/gnupg-card-architecture.png
+doc/gnupg-module-overview.png
diff --git a/gnupg.install b/gnupg.install
new file mode 100644
index 0000000..12fb913
--- /dev/null
+++ b/gnupg.install
@@ -0,0 +1,13 @@
+build/tools/gpg-zip usr/bin
+build/tools/gpgsplit usr/bin
+debian/migrate-pubring-from-classic-gpg usr/bin
+debian/tmp/usr/bin/gpg
+debian/tmp/usr/bin/gpgconf
+debian/tmp/usr/bin/gpgparsemail
+debian/tmp/usr/bin/kbxutil
+debian/tmp/usr/bin/watchgnupg
+debian/tmp/usr/sbin/addgnupghome
+debian/tmp/usr/sbin/applygnupgdefaults
+debian/tmp/usr/share/gnupg/distsigkey.gpg
+debian/tmp/usr/share/gnupg/gpg-conf.skel
+tools/lspgpot usr/bin
diff --git a/gnupg.manpages b/gnupg.manpages
new file mode 100644
index 0000000..4fc76c3
--- /dev/null
+++ b/gnupg.manpages
@@ -0,0 +1,11 @@
+debian/gpg-zip.1
+debian/gpgsplit.1
+debian/kbxutil.1
+debian/lspgpot.1
+debian/migrate-pubring-from-classic-gpg.1
+debian/tmp/usr/share/man/man1/gpg.1
+debian/tmp/usr/share/man/man1/gpgconf.1
+debian/tmp/usr/share/man/man1/gpgparsemail.1
+debian/tmp/usr/share/man/man1/watchgnupg.1
+debian/tmp/usr/share/man/man8/addgnupghome.8
+debian/tmp/usr/share/man/man8/applygnupgdefaults.8
diff --git a/gnupg2.links b/gnupg2.links
new file mode 100644
index 0000000..96fde98
--- /dev/null
+++ b/gnupg2.links
@@ -0,0 +1,2 @@
+usr/bin/gpg usr/bin/gpg2
+usr/share/man/man1/gpg.1.gz usr/share/man/man1/gpg2.1.gz
diff --git a/gpg-check-pattern.1 b/gpg-check-pattern.1
new file mode 100644
index 0000000..05dbc1e
--- /dev/null
+++ b/gpg-check-pattern.1
@@ -0,0 +1,35 @@
+.TH GPG-CHECK-PATTERN "1" "March 2016" "gpg-check-pattern (GnuPG) 2.1.11" "User Commands"
+
+.SH NAME
+gpg-check-pattern \- Check a passphrase on stdin against the patternfile
+
+.SH SYNOPSIS
+.B gpg\-check\-pattern
+.RB [ options ]
+.I patternfile
+
+.SH DESCRIPTION
+.B gpg\-check\-pattern checks a passphrase given on stdin against a specified patternfile.
+
+.SH OPTIONS
+.TP
+.BR \-v ", " \-\-verbose
+Produce verbose output
+.TP
+.BR \-\-check
+run only a syntax check on the patternfile
+.TP
+.BR \-0 ", " \-\-null
+input is expected to be null delimited
+.PP
+Please report bugs to .
+
+.SH COPYRIGHT
+Copyright \(co 2016 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later
+
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+
+This manpage was written by \fBDaniel Kahn Gillmor\fR for the Debian
+distribution (but may be used by others).
diff --git a/gpg-zip.1 b/gpg-zip.1
new file mode 100644
index 0000000..cba5db4
--- /dev/null
+++ b/gpg-zip.1
@@ -0,0 +1,102 @@
+.TH "GPG\-ZIP" 1 "November 2006"
+
+.SH NAME
+gpg\-zip \- encrypt or sign files into an archive
+
+.SH SYNOPSIS
+.B gpg\-zip
+.RB [ OPTIONS ]
+.IR filename1 " [" "filename2, ..." ]
+.IR directory1 " [" "directory2, ..." ]
+
+.SH DESCRIPTION
+This manual page documents briefly the
+.B gpg\-zip
+command.
+.PP
+.B gpg\-zip
+encrypts or signs files into an archive. It is an gpg-ized tar using the
+same format as PGP's PGP Zip.
+
+.SH OPTIONS
+.TP
+.BR \-e ", " \-\-encrypt
+Encrypt data. This option may be combined with
+.B \-\-symmetric
+(for output that may be decrypted via a secret key or a passphrase).
+.TP
+.BR \-d ", " \-\-decrypt
+Decrypt data.
+.TP
+.BR \-c ", " \-\-symmetric
+Encrypt with a symmetric cipher using a passphrase. The default
+symmetric cipher used is CAST5, but may be chosen with the
+.B \-\-cipher\-algo
+option to
+.BR gpg (1).
+.TP
+.BR \-s ", " \-\-sign
+Make a signature. See
+.BR gpg (1).
+.TP
+.BR \-r ", " \-\-recipient " \fIUSER\fR"
+Encrypt for user id \fIUSER\fR. See
+.BR gpg (1).
+.TP
+.BR \-u ", " \-\-local\-user " \fIUSER\fR"
+Use \fIUSER\fR as the key to sign with. See
+.BR gpg (1).
+.TP
+.B \-\-list\-archive
+List the contents of the specified archive.
+.TP
+.BR \-o ", " \-\-output " " \fIFILE\fR"
+Write output to specified file
+.IR FILE .
+.TP
+.BI \-\-gpg " GPG"
+Use the specified command instead of
+.BR gpg .
+.TP
+.BI \-\-gpg\-args " ARGS"
+Pass the specified options to
+.BR gpg (1).
+.TP
+.BI \-\-tar " TAR"
+Use the specified command instead of
+.BR tar .
+.TP
+.BI \-\-tar\-args " ARGS"
+Pass the specified options to
+.BR tar (1).
+.TP
+.BR \-h ", " \-\-help
+Output a short usage information.
+.TP
+.B \-\-version
+Output the program version.
+
+.SH DIAGNOSTICS
+The program returns \fB0\fR if everything was fine, \fB1\fR otherwise.
+
+.SH EXAMPLES
+Encrypt the contents of directory \fImydocs\fR for user Bob to file \fItest1\fR:
+.IP
+.B gpg\-zip \-\-encrypt \-\-output test1 \-\-gpg-args ""\-r Bob"" mydocs
+.PP
+List the contents of archive \fItest1\fR:
+.IP
+.B gpg\-zip \-\-list\-archive test1
+
+.SH SEE ALSO
+.BR gpg (1),
+.BR tar (1)
+
+.SH AUTHOR
+Copyright (C) 2005 Free Software Foundation, Inc. Please report bugs to
+<\&bug-gnupg@gnu.org\&>.
+
+This manpage was written by \fBColin Tuckley\fR <\&colin@tuckley.org\&>
+and \fBDaniel Leidert\fR <\&daniel.leidert@wgdd.de\&> for the Debian
+distribution (but may be used by others).
+
diff --git a/gpgsm.install b/gpgsm.install
new file mode 100644
index 0000000..8822607
--- /dev/null
+++ b/gpgsm.install
@@ -0,0 +1 @@
+debian/tmp/usr/bin/gpgsm
diff --git a/gpgsm.manpages b/gpgsm.manpages
new file mode 100644
index 0000000..ad6a686
--- /dev/null
+++ b/gpgsm.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man1/gpgsm.1
diff --git a/gpgsplit.1 b/gpgsplit.1
new file mode 100644
index 0000000..116ce89
--- /dev/null
+++ b/gpgsplit.1
@@ -0,0 +1,41 @@
+.TH "gpgsplit" 1 "December 2005"
+
+.SH NAME
+gpgsplit \- Split an OpenPGP message into packets
+
+.SH SYNOPSIS
+.B gpgsplit
+.RI [ OPTIONS ]
+.RI [ FILES ]
+
+.SH DESCRIPTION
+This manual page documents briefly the
+.B gpgsplit
+command.
+.PP
+.B gpgsplit
+splits an OpenPGP message into packets.
+
+.SH OPTIONS
+.TP
+.BR \-v , \-\-verbose
+Verbose.
+.TP
+.BR \-p , "\-\-prefix " \fISTRING\fR
+Prepend filenames with \fISTRING\fR.
+.TP
+.B \-\-uncompress
+Uncompress a packet.
+.TP
+.B \-\-secret\-to\-public
+Convert secret keys to public keys.
+.TP
+.B \-\-no\-split
+Write to stdout and don't actually split.
+
+.SH AUTHOR
+Copyright (C) 2002 Free Software Foundation, Inc. Please report bugs to
+.
+
+This manpage was written by Francois Wendling .
+
diff --git a/gpgv-static.1 b/gpgv-static.1
new file mode 100644
index 0000000..c8dcc1a
--- /dev/null
+++ b/gpgv-static.1
@@ -0,0 +1,32 @@
+.TH GPGV-STATIC "1" "November 2016" "GnuPG" "Gnu Privacy Guard 2.1"
+
+.SH NAME
+gpgv-static - Verify OpenPGP signatures (static build)
+
+.SH SYNOPSIS
+.B gpgv-static [\fIoptions\fP] \fIsigned_files\fP
+
+.SH DESCRIPTION
+\fBgpgv\fR is an OpenPGP signature verification tool.
+
+\fBgpgv-static\fR is \fBgpgv\fR built statically so that it can be
+directly used on any platform that is running on the Linux kernel,
+such as Android, ChromeOS, or many embedded Linux systems.
+
+This version of \fBgpgv\fR in combination with \fBdebootstrap\fR and
+the Debian archive keyring allows the secure creation of chroot
+installs on these platforms by using the full Debian signature
+verification that is present in all official Debian mirrors.
+
+You may wish to re-name the binary to plain \fBgpgv\fR when
+transferring it into such a platform to create a chroot.
+
+Please read the documentation for \fBgpgv\fR for more details.
+
+.SH SEE ALSO
+\fBgpg\fR(1)
+
+.SH AUTHOR
+This manual page was written by Daniel Kahn Gillmor
+ for the Debian project, but may be used by
+others under the same license as GnuPG itself.
diff --git a/gpgv-static.install b/gpgv-static.install
new file mode 100644
index 0000000..adb6deb
--- /dev/null
+++ b/gpgv-static.install
@@ -0,0 +1 @@
+build-gpgv-static/g10/gpgv-static usr/bin/
diff --git a/gpgv-static.lintian-overrides b/gpgv-static.lintian-overrides
new file mode 100644
index 0000000..fa0b8df
--- /dev/null
+++ b/gpgv-static.lintian-overrides
@@ -0,0 +1,3 @@
+# gpgv-static is deliberately built statically. We cannot avoid
+# embedding zlib.
+gpgv-static: embedded-library usr/bin/gpgv-static: zlib
diff --git a/gpgv-static.manpages b/gpgv-static.manpages
new file mode 100644
index 0000000..e3f73aa
--- /dev/null
+++ b/gpgv-static.manpages
@@ -0,0 +1 @@
+debian/gpgv-static.1
diff --git a/gpgv-udeb.install b/gpgv-udeb.install
new file mode 100644
index 0000000..fe27533
--- /dev/null
+++ b/gpgv-udeb.install
@@ -0,0 +1 @@
+build-gpgv-udeb/g10/gpgv usr/bin/
diff --git a/gpgv-win32.install b/gpgv-win32.install
new file mode 100644
index 0000000..cf3cd8c
--- /dev/null
+++ b/gpgv-win32.install
@@ -0,0 +1 @@
+build-gpgv-win32/g10/gpgv.exe usr/share/win32
diff --git a/gpgv.install b/gpgv.install
new file mode 100644
index 0000000..0a9f9a2
--- /dev/null
+++ b/gpgv.install
@@ -0,0 +1 @@
+debian/tmp/usr/bin/gpgv
diff --git a/gpgv.manpages b/gpgv.manpages
new file mode 100644
index 0000000..86a9e29
--- /dev/null
+++ b/gpgv.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man1/gpgv.1
diff --git a/gpgv2.links b/gpgv2.links
new file mode 100644
index 0000000..5107429
--- /dev/null
+++ b/gpgv2.links
@@ -0,0 +1,2 @@
+usr/bin/gpgv usr/bin/gpgv2
+usr/share/man/man1/gpgv.1.gz usr/share/man/man1/gpgv2.1.gz
diff --git a/kbxutil.1 b/kbxutil.1
new file mode 100644
index 0000000..52b338a
--- /dev/null
+++ b/kbxutil.1
@@ -0,0 +1,62 @@
+.TH KBXUTIL "1" "March 2016" "kbxutil (GnuPG) 2.1.11" "User Commands"
+
+.SH NAME
+kbxutil \- List, export, import Keybox data
+
+.SH SYNOPSIS
+.B kbxutil
+.RB [ OPTIONS ]
+.RB [ FILES ]
+
+.SH DESCRIPTION
+List, export, import Keybox data
+
+.SH COMMANDS
+.TP
+.B \-\-stats
+show key statistics
+.TP
+.B \-\-import\-openpgp
+import OpenPGP keyblocks
+.TP
+.B \-\-find\-dups
+find duplicates
+.TP
+.B \-\-cut
+export records
+
+.SH OPTIONS
+.TP
+.BI \-\-from " N"
+first record to export
+.TP
+.BI \-\-to " N"
+last record to export
+.TP
+.BR \-v ", " \-\-verbose
+verbose
+.TP
+.BR \-q ", " \-\-quiet
+be somewhat more quiet
+.TP
+.BR \-n ", " \-\-dry\-run
+do not make any changes
+.TP
+.B \-\-debug
+set debugging flags
+.TP
+.B \-\-debug\-all
+enable full debugging
+
+.SH BUGS
+Please report bugs to .
+
+.SH COPYRIGHT
+Copyright \(co 2016 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later
+
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+
+This manpage was written by \fBDaniel Kahn Gillmor\fR for the Debian
+distribution (but may be used by others).
diff --git a/lspgpot.1 b/lspgpot.1
new file mode 100644
index 0000000..ba27eca
--- /dev/null
+++ b/lspgpot.1
@@ -0,0 +1,22 @@
+.TH "lspgpot" 1 "December 2005"
+
+.SH NAME
+lspgpot - extracts the ownertrust values from PGP keyrings and list them in
+GnuPG ownertrust format.
+
+
+.SH SYNOPSIS
+.B lspgpot
+
+
+.SH DESCRIPTION
+.B lspgpot
+extracts the ownertrust values from PGP keyrings and list them in
+GnuPG ownertrust format.
+
+.SH AUTHOR
+Copyright (C) 2002 Free Software Foundation, Inc. Please report bugs to
+.
+
+This manpage was written by Francois Wendling .
+
diff --git a/migrate-pubring-from-classic-gpg b/migrate-pubring-from-classic-gpg
new file mode 100755
index 0000000..13ee1f8
--- /dev/null
+++ b/migrate-pubring-from-classic-gpg
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# script to migrate fully from pubring.gpg to pubring.kbx
+
+# Author: Daniel Kahn Gillmor
+# Date: 2016-04-01
+# License: GPLv3+
+
+# This was written for the Debian project
+
+set -e
+
+GPG="${GPG:-gpg}"
+
+# select the default GnuPG home directory to work from:
+GHD=${GNUPGHOME:-${HOME:-$(getent passwd "$(id -u)" | cut -f6 -d:)}/.gnupg}
+
+# Check that this is gnupg 2.1 or 2.2:
+VERSION=$("$GPG" --version | head -n1 | cut -f3 -d\ | cut -f1,2 -d.)
+if [ "$VERSION" != 2.1 ] && [ "$VERSION" != 2.2 ] ; then
+ printf '%s is version %s not version 2.1 or 2.2, this script might be wrong\n' "$GPG" "$VERSION" >&2
+ exit 1
+fi
+
+usage() {
+ printf 'Usage: %s [GPGHOMEDIR|--default]
+\tMigrate public keyring in GPGHOMEDIR from "classic" to "modern" GnuPG
+\tusing %s version %s.
+
+\t--default migrates the GnuPG home directory at "%s"
+' "$0" "$GPG" "$VERSION" "$GHD"
+}
+
+if [ -z "$1" ]; then
+ usage >&2
+ exit 1
+else
+ case "$1" in
+ --help|--usage|-h)
+ usage
+ exit
+ ;;
+ --default)
+ ;;
+ *)
+ GHD="$1"
+ ;;
+ esac
+fi
+
+# ensure that there is a pubring.gpg to migrate:
+if ! [ -f "$GHD/pubring.gpg" ]; then
+ printf 'There is no %s/pubring.gpg, no need to migrate\n' "$GHD" >&2
+ exit
+fi
+if ! [ -s "$GHD/pubring.gpg" ]; then
+ mv -- "$GHD/pubring.gpg" "$GHD/pubring.gpg.empty"
+ printf '%s/pubring.gpg was empty (and has been moved out of the way), no need to migrate\n' "$GHD" >&2
+ exit
+fi
+
+BACKUP="$(mktemp -d "$GHD/migrate-from-classic-backup.$(date +%F).XXXXXX")"
+printf 'Migrating from:\n%s\n[Backing up to %s]\n' "$(ls -l "$GHD/pubring.gpg")" "$BACKUP" >&2
+
+"$GPG" --export-ownertrust > "$BACKUP/ownertrust.txt"
+mv "$GHD/pubring.gpg" "$BACKUP/"
+"$GPG" --import-options import-local-sigs,keep-ownertrust,repair-pks-subkey-bug --import < "$BACKUP/pubring.gpg"
+"$GPG" --import-ownertrust < "$BACKUP/ownertrust.txt"
+"$GPG" --check-trustdb
+
+if ! [ -f "$GHD/pubring.kbx" ]; then
+ printf 'No keybox was created at %s/pubring.kbx.
Something went wrong!\n' "$GHD" >&2
+ exit 1
+fi
+
+printf 'Migration completed successfully:\n%s\n' "$(ls -l "$GHD/pubring.kbx")" >&2
diff --git a/migrate-pubring-from-classic-gpg.1 b/migrate-pubring-from-classic-gpg.1
new file mode 100644
index 0000000..4d26b89
--- /dev/null
+++ b/migrate-pubring-from-classic-gpg.1
@@ -0,0 +1,50 @@
+.TH "MIGRATE-PUBRING-FROM-CLASSIC-GPG" 1 "April 2016"
+
+.SH NAME
+migrate\-pubring\-from\-classic\-gpg \- Migrate a public keyring from "classic" to "modern" GnuPG
+
+.SH SYNOPSIS
+.B migrate\-pubring\-from\-classic\-gpg
+.RB "[ " GPGHOMEDIR " | "
+.IR \-\-default " ]"
+
+.SH DESCRIPTION
+
+.B migrate\-pubring\-from\-classic\-gpg
+migrates the public keyring in GnuPG home directory GPGHOMEDIR from
+the "classic" keyring format to the "modern" keybox format using GnuPG
+versions 2.1 or 2.2.
+
+Specifying
+.B \-\-default
+selects the standard GnuPG home directory (looking at $GNUPGHOME
+first, and falling back to ~/.gnupg if unset.
+
+.SH OPTIONS
+.BR \-h ", " \-\-help ", " \-\-usage
+Output a short usage information.
+
+.SH DIAGNOSTICS
+The program sends quite a bit of text (perhaps too much) to stderr.
+
+During a migration, the tool backs up several pieces of data in a
+timestamped subdirectory of the GPGHOMEDIR.
+
+.SH ENVIRONMENT VARIABLES
+
+.B GNUPGHOME
+Selects the GnuPG home directory when set and --default is given.
+
+.B GPG
+The name of the
+.B gpg
+executable (defaults to
+.B gpg
+).
+
+.SH SEE ALSO
+.BR gpg (1)
+
+.SH AUTHOR
+Copyright (C) 2016 Daniel Kahn Gillmor for the Debian project. Please
+report bugs via the Debian BTS.
diff --git a/patches/0012-gpgscm-Guard-use-of-union-member.patch b/patches/0012-gpgscm-Guard-use-of-union-member.patch
new file mode 100644
index 0000000..f44bfe6
--- /dev/null
+++ b/patches/0012-gpgscm-Guard-use-of-union-member.patch
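Review bot: None of the `"$GPG"` calls in migrate-pubring-from-classic-gpg is pointed at `$GHD`; as far as the script shows, the `*)` branch of the `case` only sets the shell variable, so `--export-ownertrust`, `--import`, `--import-ownertrust` and `--check-trustdb` run against whatever home directory gpg resolves from the environment. With a GPGHOMEDIR argument that differs from that directory, the script moves the argument's pubring.gpg into the backup, imports its keys and ownertrust into another keyring, and then fails the final `pubring.kbx` check with the source keyring already moved away. Adding `export GNUPGHOME="$GHD"` right after the `case` block would bind every call to the directory being migrated. Under `set -e` a failing `--import` also exits after the `mv` without putting pubring.gpg back, so an `ERR` trap that restores it from `$BACKUP` would leave the home directory usable.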
@@ -0,0 +1,27 @@
+From: Justus Winter
+Date: Wed, 21 Dec 2016 16:14:45 +0100
+Subject: gpgscm: Guard use of union member.
+
+* tests/gpgscm/scheme.c (opexe_5): Check that we have a file port
+before accessing filename. Fixes a crash on 32-bit architectures.
+
+Fixes-commit: e7429b1ced0c69fa7901f888f8dc25f00fc346a4
+Signed-off-by: Justus Winter
+(cherry picked from commit 6e96cdd41a0e55b672309431062f37c4a4a9f485)
+---
+ tests/gpgscm/scheme.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/gpgscm/scheme.c b/tests/gpgscm/scheme.c
+index a5b7691fb..284454557 100644
+--- a/tests/gpgscm/scheme.c
++++ b/tests/gpgscm/scheme.c
+@@ -4838,7 +4838,7 @@ static pointer opexe_5(scheme *sc, enum scheme_opcodes op) {
+ } else {
+ sc->nesting_stack[sc->file_i]++;
+ #if USE_TAGS && SHOW_ERROR_LINE
+- {
++ if (sc->load_stack[sc->file_i].kind & port_file) {
+ const char *filename =
+ sc->load_stack[sc->file_i].rep.stdio.filename;
+ int lineno =
diff --git a/patches/0013-dirmngr-Fix-for-disable-libdns-usage.patch b/patches/0013-dirmngr-Fix-for-disable-libdns-usage.patch
new file mode 100644
index 0000000..b429d8e
--- /dev/null
+++ b/patches/0013-dirmngr-Fix-for-disable-libdns-usage.patch
@@ -0,0 +1,74 @@
+From: NIIBE Yutaka
+Date: Fri, 23 Dec 2016 16:05:01 +0900
+Subject: dirmngr: Fix for --disable-libdns usage.
+
+* dirmngr/dns-stuff.c (enable_recursive_resolver, set_dns_nameserver)
+(reload_dns_stuff): Conditionalize with USE_LIBDNS.
+(get_h_errno_as_gpg_error): Map HOST_NOT_FOUND to GPG_ERR_NO_NAME.
+
+--
+
+get_dns_srv assumes error code of GPG_ERR_NO_NAME when no SRV record
+available.
+
+Signed-off-by: NIIBE Yutaka
+GnuPG-bug-id: 2889
+(cherry picked from commit d26c51825e2255fe58305cbc1cd74fa43f80d93e)
+---
+ dirmngr/dns-stuff.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
+index 491fccefd..a31b0731c 100644
+--- a/dirmngr/dns-stuff.c
++++ b/dirmngr/dns-stuff.c
+@@ -181,7 +181,9 @@ void
+ enable_recursive_resolver (int yes)
+ {
+ recursive_resolver = yes;
++#ifdef USE_LIBDNS
+ libdns_reinit_pending = 1;
++#endif
+ }
+
+
+@@ -251,8 +253,10 @@ set_dns_nameserver (const char *ipaddr)
+ strncpy (tor_nameserver, ipaddr? ipaddr : DEFAULT_NAMESERVER,
+ sizeof tor_nameserver -1);
+ tor_nameserver[sizeof tor_nameserver -1] = 0;
++#ifdef USE_LIBDNS
+ libdns_reinit_pending = 1;
+ libdns_tor_port = 0; /* Start again with the default port. */
++#endif
+ }
+
+
+@@ -278,7 +282,7 @@ get_h_errno_as_gpg_error (void)
+
+ switch (h_errno)
+ {
+- case HOST_NOT_FOUND: ec = GPG_ERR_UNKNOWN_HOST; break;
++ case HOST_NOT_FOUND: ec = GPG_ERR_NO_NAME; break;
+ case TRY_AGAIN: ec = GPG_ERR_TRY_LATER; break;
+ case NO_RECOVERY: ec = GPG_ERR_SERVER_FAILED; break;
+ case NO_DATA: ec = GPG_ERR_NO_DATA; break;
+@@ -534,15 +538,17 @@ libdns_deinit (void)
+ void
+ reload_dns_stuff (int force)
+ {
++#ifdef USE_LIBDNS
+ if (force)
+ {
+-#ifdef USE_LIBDNS
+ libdns_deinit ();
+-#endif
+ libdns_reinit_pending = 0;
+ }
+ else
+ libdns_reinit_pending = 1;
++#else
++ (void)force;
++#endif
+ }
+
+
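Review bot: The `HOST_NOT_FOUND` case in `get_h_errno_as_gpg_error` now yields `GPG_ERR_NO_NAME` for every caller, but the reason is recorded only in the patch description (get_dns_srv expects that code when no SRV record is available). A comment on the case, e.g. `/* get_dns_srv relies on GPG_ERR_NO_NAME when no record exists. */`, would keep a later cleanup from restoring `GPG_ERR_UNKNOWN_HOST`. The rest of the switch and the other callers are outside the hunk, so whether any of them still tests for the old code cannot be confirmed from here.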
diff --git a/patches/0014-dirmngr-Strip-root-zone-suffix-from-libdns-cname-res.patch b/patches/0014-dirmngr-Strip-root-zone-suffix-from-libdns-cname-res.patch
new file mode 100644
index 0000000..bc4cc3a
--- /dev/null
+++ b/patches/0014-dirmngr-Strip-root-zone-suffix-from-libdns-cname-res.patch
@@ -0,0 +1,43 @@
+From: Werner Koch
+Date: Mon, 2 Jan 2017 10:00:33 +0100
+Subject: dirmngr: Strip root zone suffix from libdns cname results.
+
+* dirmngr/dns-stuff.c (resolve_name_libdns): Strip trailing dot.
+(get_dns_cname_libdns): Ditto.
+--
+
+Signed-off-by: Werner Koch
+(cherry picked from commit b200e636ab20d2aa93d9f71f3789db5a04af0a56)
+---
+ dirmngr/dns-stuff.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
+index a31b0731c..f2e1df925 100644
+--- a/dirmngr/dns-stuff.c
++++ b/dirmngr/dns-stuff.c
+@@ -732,6 +732,10 @@ resolve_name_libdns (const char *name, unsigned short port,
+ err = gpg_error_from_syserror ();
+ goto leave;
+ }
++ /* Libdns appends the root zone part which is problematic
++ * for most other functions - strip it. */
++ if (**r_canonname && (*r_canonname)[strlen (*r_canonname)-1] == '.')
++ (*r_canonname)[strlen (*r_canonname)-1] = 0;
+ }
+
+ dai = xtrymalloc (sizeof *dai + ent->ai_addrlen -1);
+@@ -1899,6 +1903,13 @@ get_dns_cname_libdns (const char *name, char **r_cname)
+ *r_cname = xtrystrdup (cname.host);
+ if (!*r_cname)
+ err = gpg_error_from_syserror ();
++ else
++ {
++ /* Libdns appends the root zone part which is problematic
++ * for most other functions - strip it. */
++ if (**r_cname && (*r_cname)[strlen (*r_cname)-1] == '.')
++ (*r_cname)[strlen (*r_cname)-1] = 0;
++ }
+
+ leave:
+ dns_free (ans);
diff --git a/patches/0015-doc-Remove-warning-that-DNS-is-not-routed-via-Tor.patch b/patches/0015-doc-Remove-warning-that-DNS-is-not-routed-via-Tor.patch
new file mode 100644
index 0000000..89adfaf
--- /dev/null
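Review bot: The trailing-dot strip is written out twice, once in `resolve_name_libdns` and once in `get_dns_cname_libdns`, and each copy calls `strlen` twice on the same string. A small static helper (called `strip_root_zone_dot` below, a name chosen for this note) would keep the two sites identical and put the empty-string guard in one place. A result that consists only of `.` becomes an empty string after the strip; whether the callers accept an empty canonical name is not visible in these hunks. Both functions start and end outside the hunks.

```c
/* Remove the root zone dot that libdns appends to NAME, if any.  */
static void
strip_root_zone_dot (char *name)
{
  size_t n = strlen (name);

  if (n && name[n-1] == '.')
    name[n-1] = 0;
}

/* … unchanged: resolve_name_libdns, after *r_canonname has been set … */
      strip_root_zone_dot (*r_canonname);

/* … unchanged: get_dns_cname_libdns, else branch after the xtrystrdup check … */
      strip_root_zone_dot (*r_cname);
```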
+++ b/patches/0015-doc-Remove-warning-that-DNS-is-not-routed-via-Tor.patch
@@ -0,0 +1,29 @@
+From: Werner Koch
+Date: Mon, 2 Jan 2017 10:39:59 +0100
+Subject: doc: Remove warning that DNS is not routed via Tor
+
+--
+
+Signed-off-by: Werner Koch
+(cherry picked from commit 5a4a109354d53cf3673d0636731c67021d3f367a)
+---
+ doc/dirmngr.texi | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
+index 5b4e68bc8..e136dff53 100644
+--- a/doc/dirmngr.texi
++++ b/doc/dirmngr.texi
+@@ -239,10 +239,8 @@ useful for debugging.
+ @item --use-tor
+ @opindex use-tor
+ This option switches Dirmngr and thus GnuPG into ``Tor mode'' to route
+-all network access via Tor (an anonymity network). WARNING: As of now
+-this still leaks the DNS queries; e.g. to lookup the hosts in a
+-keyserver pool. Certain other features are disabled if this mode is
+-active.
++all network access via Tor (an anonymity network). Certain other
++features are disabled if this mode is active.
+
+ @item --standard-resolver
+ @opindex standard-resolver
diff --git a/patches/0016-build-Enable-gcc-warnings-to-detect-non-portable-cod.patch b/patches/0016-build-Enable-gcc-warnings-to-detect-non-portable-cod.patch
new file mode 100644
index 0000000..3ea836f
--- /dev/null
+++ b/patches/0016-build-Enable-gcc-warnings-to-detect-non-portable-cod.patch
@@ -0,0 +1,32 @@
+From: Werner Koch
+Date: Mon, 2 Jan 2017 12:59:10 +0100
+Subject: build: Enable gcc warnings to detect non-portable code.
+
+--
+
+Signed-off-by: Werner Koch
+(cherry picked from commit c52930d11fcc52515fcc09a1085bf118411566a8)
+---
+ configure.ac | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 932c741ef..237189cf9 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1575,6 +1575,15 @@ if test "$GCC" = yes; then
+ if test x"$_gcc_wopt" = xyes ; then
+ mycflags="$mycflags -Wdeclaration-after-statement"
+ fi
++
++ AC_MSG_CHECKING([if gcc supports -Wlogical-op and -Wvla])
++ CFLAGS="-Wlogical-op -Wvla"
++ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([],[])],_gcc_wopt=yes,_gcc_wopt=no)
++ AC_MSG_RESULT($_gcc_wopt)
++ if test x"$_gcc_wopt" = xyes ; then
++ mycflags="$mycflags -Wlogical-op -Wvla"
++ fi
++
+ else
+ mycflags="$mycflags -Wall"
+ fi
diff --git a/patches/0017-Replace-use-of-variable-length-arrays.patch b/patches/0017-Replace-use-of-variable-length-arrays.patch
new file mode 100644
index 0000000..3e3a2a7
--- /dev/null
+++ b/patches/0017-Replace-use-of-variable-length-arrays.patch
@@ -0,0 +1,179 @@
+From: Werner Koch
+Date: Mon, 2 Jan 2017 13:29:18 +0100
+Subject: Replace use of variable-length-arrays.
+
+* common/t-iobuf.c (main): Replace variable-length-array.
+* g10/gpgcompose.c (mksubpkt_callback): Ditto.
+(encrypted): Ditto.
+* g10/t-stutter.c (log_hexdump): Ditto.
+(oracle_test): Ditto.
+* g10/tofu.c (get_policy): Ditto. Use "%zu" for size_t.
+* scd/app-openpgp.c (ecc_writekey): Replace variable-length-array.
+Check for zero length OID_LEN.
+
+Signed-off-by: Werner Koch
+(cherry picked from commit 6b84ecbf312d98ac8cce9fe5facdc815bc742fa1)
+---
+ common/t-iobuf.c | 6 ++++--
+ g10/gpgcompose.c | 17 ++++++++++++-----
+ g10/t-stutter.c | 17 ++++++++++-------
+ g10/tofu.c | 6 +++---
+ scd/app-openpgp.c | 14 +++++++++++++-
+ 5 files changed, 42 insertions(+), 18 deletions(-)
+
+diff --git a/common/t-iobuf.c b/common/t-iobuf.c
+index 0e6f508a5..bdeab99a4 100644
+--- a/common/t-iobuf.c
++++ b/common/t-iobuf.c
+@@ -362,10 +362,12 @@ main (int argc, char *argv[])
+ {
+ iobuf_t iobuf;
+ int rc;
+- char *content = "0123456789";
++ char content[] = "0123456789";
+ int n;
+ int c;
+- char buffer[strlen (content)];
++ char buffer[10];
++
++ assert (sizeof buffer == sizeof content - 1);
+
+ iobuf = iobuf_temp_with_content (content, strlen (content));
+ assert (iobuf);
+diff --git a/g10/gpgcompose.c b/g10/gpgcompose.c
+index 512cb450a..fafbfd274 100644
+--- a/g10/gpgcompose.c
++++ b/g10/gpgcompose.c
+@@ -1654,13 +1654,17 @@ mksubpkt_callback (PKT_signature *sig, void *cookie)
+
+ if (si->reason_for_revocation)
+ {
+- int l = 1 + strlen (si->reason_for_revocation);
+- char buf[l];
++ int len = 1 + strlen (si->reason_for_revocation);
++ char *buf;
++
++ buf = xmalloc (len);
+
+ buf[0] = si->reason_for_revocation_code;
+- memcpy (&buf[1], si->reason_for_revocation, l - 1);
++ memcpy (&buf[1], si->reason_for_revocation, len - 1);
++
++ build_sig_subpkt (sig, SIGSUBPKT_REVOC_REASON, buf, len);
+
+- build_sig_subpkt (sig, SIGSUBPKT_REVOC_REASON, buf, l);
++
xfree (buf);
+ }
+
+ if (si->features)
+@@ -2540,10 +2544,13 @@ encrypted (const char *option, int argc, char *argv[], void *cookie)
+
+ if (do_debug)
+ {
+- char buf[2 * session_key.keylen + 1];
++ char *buf;
++
++ buf = xmalloc (2 * session_key.keylen + 1);
+ debug ("session key: algo: %d; keylen: %d; key: %s\n",
+ session_key.algo, session_key.keylen,
+ bin2hex (session_key.key, session_key.keylen, buf));
++ xfree (buf);
+ }
+
+ if (strcmp (option, "--encrypted-mdc") == 0)
+diff --git a/g10/t-stutter.c b/g10/t-stutter.c
+index a2e9666bf..359cdf622 100644
+--- a/g10/t-stutter.c
++++ b/g10/t-stutter.c
+@@ -68,8 +68,8 @@ log_hexdump (byte *buffer, int length)
+ {
+ int have = length > 16 ? 16 : length;
+ int i;
+- char formatted[2 * have + 1];
+- char text[have + 1];
++ char formatted[2 * 16 + 1];
++ char text[16 + 1];
+
+ fprintf (stderr, "%-8d ", written);
+ bin2hex (buffer, have, formatted);
+@@ -87,10 +87,12 @@ log_hexdump (byte *buffer, int length)
+ }
+
+ for (i = 0; i < have; i ++)
+- if (isprint (buffer[i]))
+- text[i] = buffer[i];
+- else
+- text[i] = '.';
++ {
++ if (isprint (buffer[i]))
++ text[i] = buffer[i];
++ else
++ text[i] = '.';
++ }
+ text[i] = 0;
+
+ fprintf (stderr, " ");
+@@ -347,8 +349,9 @@ oracle (int debug, byte *ciphertext, int len, byte **plaintextp, byte **cfbp)
+ static int
+ oracle_test (unsigned int d, int b, int debug)
+ {
+- byte probe[blocksize + 2];
++ byte probe[32 + 2];
+
++ log_assert (blocksize + 2 <= sizeof probe);
+ log_assert (d < 256 * 256);
+
+ if (b == 1)
+diff --git a/g10/tofu.c b/g10/tofu.c
+index 2bded9e8d..8d535fa6c 100644
+--- a/g10/tofu.c
++++ b/g10/tofu.c
+@@ -2457,16 +2457,16 @@ get_policy (tofu_dbs_t dbs, PKT_public_key *pk,
+ /* See if the key is signed by an ultimately trusted key.
*/
+ {
+ int fingerprint_raw_len = strlen (fingerprint) / 2;
+- char fingerprint_raw[fingerprint_raw_len];
++ char fingerprint_raw[20];
+ int len = 0;
+
+- if (fingerprint_raw_len != 20
++ if (fingerprint_raw_len != sizeof fingerprint_raw
+ || ((len = hex2bin (fingerprint,
+ fingerprint_raw, fingerprint_raw_len))
+ != strlen (fingerprint)))
+ {
+ if (DBG_TRUST)
+- log_debug ("TOFU: Bad fingerprint: %s (len: %zd, parsed: %d)\n",
++ log_debug ("TOFU: Bad fingerprint: %s (len: %zu, parsed: %d)\n",
+ fingerprint, strlen (fingerprint), len);
+ }
+ else
+diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c
+index 5fa4fd294..4d8b1bc9e 100644
+--- a/scd/app-openpgp.c
++++ b/scd/app-openpgp.c
+@@ -3580,11 +3580,23 @@ ecc_writekey (app_t app, gpg_error_t (*pincb)(void*, const char *, char **),
+ {
+ if (app->app_local->extcap.algo_attr_change)
+ {
+- unsigned char keyattr[oid_len];
++ unsigned char *keyattr;
+
++ if (!oid_len)
++ {
++ err = gpg_error (GPG_ERR_INTERNAL);
++ goto leave;
++ }
++ keyattr = xtrymalloc (oid_len);
++ if (!keyattr)
++ {
++ err = gpg_error_from_syserror ();
++ goto leave;
++ }
+ keyattr[0] = algo;
+ memcpy (keyattr+1, oidbuf+1, oid_len-1);
+ err = change_keyattr (app, keyno, keyattr, oid_len, pincb, pincb_arg);
++ xfree (keyattr);
+ if (err)
+ goto leave;
+ }
diff --git a/patches/0018-dirmngr-New-debug-message-on-correctly-initialized-l.patch b/patches/0018-dirmngr-New-debug-message-on-correctly-initialized-l.patch
new file mode 100644
index 0000000..927f7e3
--- /dev/null
+++ b/patches/0018-dirmngr-New-debug-message-on-correctly-initialized-l.patch
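Review bot: In the `encrypted` hunk of g10/gpgcompose.c the buffer that receives the hex form of the session key is released with a plain `xfree (buf)`, so the key text stays in the freed heap block. The path runs only under `do_debug` and prints the key anyway, so this is memory hygiene rather than a leak fix, but clearing the buffer first costs one line: `wipememory (buf, 2 * session_key.keylen + 1);` before the `xfree`, assuming gpgcompose.c has `wipememory` in scope through the common headers. The enclosing function starts and ends outside the hunk.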
@@ -0,0 +1,39 @@ +From: Werner Koch +Date: Mon, 2 Jan 2017 15:47:24 +0100 +Subject: dirmngr: New debug message on correctly initialized libdns. + +* dirmngr/dns-stuff.c (libdns_init): Add debug level diagnostic on +success. +-- + +This output may help to avoid questions when evaluating an Assuan log. + +Signed-off-by: Werner Koch +(cherry picked from commit 0004d52ba2f1245c84f95a151342ad99fd72ca3d) +--- + dirmngr/dns-stuff.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c +index f2e1df925..cf8cefb2e 100644 +--- a/dirmngr/dns-stuff.c ++++ b/dirmngr/dns-stuff.c +@@ -507,6 +507,9 @@ libdns_init (void) + /* All fine. Make the data global. */ + libdns = ld; + ++ if (opt_debug) ++ log_debug ("dns: libdns initialized%s\n", tor_mode?" (tor mode)":""); ++ + leave: + xfree (cfgstr); + return err; +@@ -595,7 +598,7 @@ libdns_res_open (struct dns_resolver **r_res) + + + #ifdef USE_LIBDNS +-/* Helper to test whether we need totry again after having swicthed ++/* Helper to test whether we need to try again after having switched + * the Tor port. */ + static int + libdns_switch_port_p (gpg_error_t err) diff --git a/patches/0019-dirmngr-Make-sure-Tor-mode-is-also-set-for-DNS-on-SI.patch b/patches/0019-dirmngr-Make-sure-Tor-mode-is-also-set-for-DNS-on-SI.patch new file mode 100644 index 0000000..2c02c2e --- /dev/null +++ b/patches/0019-dirmngr-Make-sure-Tor-mode-is-also-set-for-DNS-on-SI.patch 
@@ -0,0 +1,170 @@
+From: Werner Koch
+Date: Tue, 3 Jan 2017 12:03:28 +0100
+Subject: dirmngr: Make sure Tor mode is also set for DNS on SIGHUP.
+
+* dirmngr/dns-stuff.c (enable_dns_tormode): Always succeed.
+(reload_dns_stuff): Reset tor port.
+* dirmngr/dirmngr.c (set_tor_mode): Also enable Tor mode for DNS.
+(main): Remove warning that Tor mode may not fully work.
+* dirmngr/server.c (cmd_dns_cert): Remove explicit Tor for DNS
+initialization.
+* dirmngr/t-dns-stuff.c (main): Remove option --new-circuit and error
+checking for enable_dns_tormode.
+--
+
+This patch also resets the port on SIGHUP so that after starting Tor
+SIGHUP is sufficient to use Tor. Without the SIGHUP and when not
+using the Tor browser Dirmngr would keep on trying the Tor browser
+port.
+
+Signed-off-by: Werner Koch
+(cherry picked from commit 969512401603639e4467ede7d892f1b02582c2c9)
+---
+ dirmngr/dirmngr.c | 10 +++-------
+ dirmngr/dns-stuff.c | 12 +++++++-----
+ dirmngr/dns-stuff.h | 6 +++---
+ dirmngr/server.c | 7 -------
+ dirmngr/t-dns-stuff.c | 16 +---------------
+ 5 files changed, 14 insertions(+), 37 deletions(-)
+
+diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
+index 0b8bb02e6..5abfe78c6 100644
+--- a/dirmngr/dirmngr.c
++++ b/dirmngr/dirmngr.c
+@@ -474,6 +474,9 @@ set_tor_mode (void)
+ {
+ if (opt.use_tor)
+ {
++ /* Enable Tor mode and when called again force a new curcuit
++ * (e.g. on SIGHUP). */
++ enable_dns_tormode (1);
+ if (assuan_sock_set_flag (ASSUAN_INVALID_FD, "tor-mode", 1))
+ {
+ log_error ("error enabling Tor mode: %s\n", strerror (errno));
+@@ -912,13 +915,6 @@ main (int argc, char **argv)
+ log_info ("NOTE: this is a development version!\n");
+ #endif
+
+- if (opt.use_tor)
+- {
+- log_info ("WARNING: ***************************************\n");
+- log_info ("WARNING: Tor mode (--use-tor) MAY NOT FULLY WORK!\n");
+- log_info ("WARNING: ***************************************\n");
+- }
+-
+ /* Print a warning if an argument looks like an option.
*/
+ if (!opt.quiet && !(pargs.flags & ARGPARSE_FLAG_STOP_SEEN))
+ {
+diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
+index cf8cefb2e..e32e1e3e1 100644
+--- a/dirmngr/dns-stuff.c
++++ b/dirmngr/dns-stuff.c
+@@ -199,9 +199,9 @@ recursive_resolver_p (void)
+ }
+
+
+-/* Sets the module in Tor mode. Returns 0 is this is possible or an
+- error code. */
+-gpg_error_t
++/* Puts this module eternally into Tor mode. When called agained with
++ * NEW_CIRCUIT request a new TOR circuit for the next DNS query. */
++void
+ enable_dns_tormode (int new_circuit)
+ {
+ if (!*tor_socks_user || new_circuit)
+@@ -215,7 +215,6 @@ enable_dns_tormode (int new_circuit)
+ counter++;
+ }
+ tor_mode = 1;
+- return 0;
+ }
+
+
+@@ -548,7 +547,10 @@ reload_dns_stuff (int force)
+ libdns_reinit_pending = 0;
+ }
+ else
+- libdns_reinit_pending = 1;
++ {
++ libdns_reinit_pending = 1;
++ libdns_tor_port = 0; /* Start again with the default port. */
++ }
+ #else
+ (void)force;
+ #endif
+diff --git a/dirmngr/dns-stuff.h b/dirmngr/dns-stuff.h
+index 0a4a4de2f..eb7fe7246 100644
+--- a/dirmngr/dns-stuff.h
++++ b/dirmngr/dns-stuff.h
+@@ -113,9 +113,9 @@ void enable_recursive_resolver (int yes);
+ /* Return true iff the recursive resolver is used. */
+ int recursive_resolver_p (void);
+
+-/* Calling this function switches the DNS code into Tor mode if
+- possibe. Return 0 on success. */
+-gpg_error_t enable_dns_tormode (int new_circuit);
++/* Put this module eternally into Tor mode. When called agained with
++ * NEW_CIRCUIT request a new TOR circuit for the next DNS query. */
++void enable_dns_tormode (int new_circuit);
+
+ /* Change the default IP address of the nameserver to IPADDR.
The
+ address needs to be a numerical IP address and will be used for the
+diff --git a/dirmngr/server.c b/dirmngr/server.c
+index a785238dc..28c2cd428 100644
+--- a/dirmngr/server.c
++++ b/dirmngr/server.c
+@@ -709,13 +709,6 @@ cmd_dns_cert (assuan_context_t ctx, char *line)
+ }
+ }
+
+- if (opt.use_tor && (err = enable_dns_tormode (0)))
+- {
+- /* Tor mode is requested but the DNS code can't enable it. */
+- assuan_set_error (ctx, err, "error enabling Tor mode");
+- goto leave;
+- }
+-
+ if (pka_mode || dane_mode)
+ {
+ char *domain; /* Points to mbox. */
+diff --git a/dirmngr/t-dns-stuff.c b/dirmngr/t-dns-stuff.c
+index b087b5ead..bc4ca9a51 100644
+--- a/dirmngr/t-dns-stuff.c
++++ b/dirmngr/t-dns-stuff.c
+@@ -51,7 +51,6 @@ main (int argc, char **argv)
+ gpg_error_t err;
+ int any_options = 0;
+ int opt_tor = 0;
+- int opt_new_circuit = 0;
+ int opt_cert = 0;
+ int opt_srv = 0;
+ int opt_bracket = 0;
+@@ -103,11 +102,6 @@ main (int argc, char **argv)
+ opt_tor = 1;
+ argc--; argv++;
+ }
+- else if (!strcmp (*argv, "--new-circuit"))
+- {
+- opt_new_circuit = 1;
+- argc--; argv++;
+- }
+ else if (!strcmp (*argv, "--standard-resolver"))
+ {
+ enable_standard_resolver (1);
+@@ -171,15 +165,7 @@ main (int argc, char **argv)
+ init_sockets ();
+
+ if (opt_tor)
+- {
+- err = enable_dns_tormode (opt_new_circuit);
+- if (err)
+- {
+- fprintf (stderr, "error switching into Tor mode: %s\n",
+- gpg_strerror (err));
+- exit (1);
+- }
+- }
++ enable_dns_tormode (0);
+
+ if (opt_cert)
+ {
diff --git a/patches/0020-doc-Extend-dirmngr-s-allow-version-check-description.patch b/patches/0020-doc-Extend-dirmngr-s-allow-version-check-description.patch
new file mode 100644
index 0000000..1ca5f4f
--- /dev/null
+++ b/patches/0020-doc-Extend-dirmngr-s-allow-version-check-description.patch
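Review bot: With the `enable_dns_tormode (0)` call removed from cmd_dns_cert in dirmngr/server.c, DNS lookups go through Tor only if set_tor_mode has already run with opt.use_tor set. Nothing in these hunks shows that every path which turns the option on also reaches set_tor_mode, so that is worth confirming, because a missed path would leave the lookup on the normal resolver. In reload_dns_stuff the added `libdns_tor_port = 0;` sits only in the `else` branch; if the other branch, which starts outside the hunk, can also run on a reload, the port is not reset there. The new comments in dirmngr.c, dns-stuff.c and dns-stuff.h carry the typos `curcuit` and `agained`, which should read `circuit` and `again`. The enclosing functions extend beyond the hunks.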
@@ -0,0 +1,30 @@ +From: Werner Koch +Date: Tue, 3 Jan 2017 13:12:25 +0100 +Subject: doc: Extend dirmngr's --allow-version-check description + +-- + +(cherry picked from commit 293a55bacdacec4501af3a396b14fd32e404e39e) +--- + doc/dirmngr.texi | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi +index e136dff53..fc617d81d 100644 +--- a/doc/dirmngr.texi ++++ b/doc/dirmngr.texi +@@ -264,7 +264,13 @@ the list of current software versions. If this option is enabled, or + if @option{use-tor} is active, the list is retrieved when the local + copy does not exist or is older than 5 to 7 days. See the option + @option{--query-swdb} of the command @command{gpgconf} for more +-details. ++details. Note, that regardless of this option a version check can ++always be triggered using this command: ++ ++@example ++ gpg-connect-agent --dirmngr 'loadswdb --force' /bye ++@end example ++ + + @item --keyserver @var{name} + @opindex keyserver diff --git a/patches/0021-doc-Add-release-announcement-pointers-to-NEWS-entrie.patch b/patches/0021-doc-Add-release-announcement-pointers-to-NEWS-entrie.patch new file mode 100644 index 0000000..e3fdecd --- /dev/null +++ b/patches/0021-doc-Add-release-announcement-pointers-to-NEWS-entrie.patch 
@@ -0,0 +1,460 @@ +From: Werner Koch +Date: Wed, 4 Jan 2017 18:37:36 +0100 +Subject: doc: Add release announcement pointers to NEWS entries. + +-- + +These are used by the website buider to link to the announcement +mails. + +Signed-off-by: Werner Koch +(cherry picked from commit 588121c158384b05099388097053d8d1e8bdf143) +--- + NEWS | 99 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 97 insertions(+), 2 deletions(-) + +diff --git a/NEWS b/NEWS +index 5633c55b0..1e91af31f 100644 +--- a/NEWS ++++ b/NEWS +@@ -33,6 +33,8 @@ Noteworthy changes in version 2.1.17 (2016-12-20) + * Major improvements to the test suite. For example it is possible + to run the external test suite of GPGME. + ++ See-also: gnupg-announce/2016q4/000400.html ++ + + Noteworthy changes in version 2.1.16 (2016-11-18) + ------------------------------------------------- +@@ -105,6 +107,8 @@ Noteworthy changes in version 2.1.16 (2016-11-18) + + * Many changes and improvements for the test suite. + ++ See-also: gnupg-announce/2016q4/000398.html ++ + + Noteworthy changes in version 2.1.15 (2016-08-18) + ------------------------------------------------- +@@ -156,6 +160,8 @@ Noteworthy changes in version 2.1.15 (2016-08-18) + + * Spelling and grammar fixes. + ++ See-also: gnupg-announce/2016q3/000396.html ++ + + Noteworthy changes in version 2.1.14 (2016-07-14) + ------------------------------------------------- +@@ -214,6 +220,8 @@ Noteworthy changes in version 2.1.14 (2016-07-14) + + * The rendering of the man pages has been improved. + ++ See-also: gnupg-announce/2016q3/000393.html ++ + + Noteworthy changes in version 2.1.13 (2016-06-16) + ------------------------------------------------- +@@ -264,6 +272,8 @@ Noteworthy changes in version 2.1.13 (2016-06-16) + + * Speedup fd closing after a fork. 
+ ++ See-also: gnupg-announce/2016q2/000390.html ++ + + Noteworthy changes in version 2.1.12 (2016-05-04) + ------------------------------------------------- +@@ -317,6 +327,8 @@ Noteworthy changes in version 2.1.12 (2016-05-04) + + * Lots of internal cleanups and bug fixes. + ++ See-also: gnupg-announce/2016q2/000387.html ++ + + Noteworthy changes in version 2.1.11 (2016-01-26) + ------------------------------------------------- +@@ -368,6 +380,8 @@ Noteworthy changes in version 2.1.11 (2016-01-26) + * Print a warning if a GnuPG component is using an older version of + gpg-agent, dirmngr, or scdaemon. + ++ See-also: gnupg-announce/2016q1/000383.html ++ + + Noteworthy changes in version 2.1.10 (2015-12-04) + ------------------------------------------------- +@@ -426,6 +440,8 @@ Noteworthy changes in version 2.1.10 (2015-12-04) + + * Many other cleanups and bug fixes. + ++ See-also: gnupg-announce/2015q4/000381.html ++ + + Noteworthy changes in version 2.1.9 (2015-10-09) + ------------------------------------------------ +@@ -456,6 +472,8 @@ Noteworthy changes in version 2.1.9 (2015-10-09) + * dirmngr: Add option --keyserver. Deprecate that option for gpg. + Install a dirmngr.conf file from a skeleton for new installations. + ++ See-also: gnupg-announce/2015q4/000380.html ++ + + Noteworthy changes in version 2.1.8 (2015-09-10) + ------------------------------------------------ +@@ -483,6 +501,8 @@ Noteworthy changes in version 2.1.8 (2015-09-10) + + * Various minor bug fixes. + ++ See-also: gnupg-announce/2015q3/000379.html ++ + + Noteworthy changes in version 2.1.7 (2015-08-11) + ------------------------------------------------ +@@ -508,6 +528,8 @@ Noteworthy changes in version 2.1.7 (2015-08-11) + + * Various other bug fixes. 
+ ++ See-also: gnupg-announce/2015q3/000371.html ++ + + Noteworthy changes in version 2.1.6 (2015-07-01) + ------------------------------------------------ +@@ -538,6 +560,8 @@ Noteworthy changes in version 2.1.6 (2015-07-01) + + * Various other bug fixes. + ++ See-also: gnupg-announce/2015q3/000370.html ++ + + Noteworthy changes in version 2.1.5 (2015-06-11) + ------------------------------------------------ +@@ -552,6 +576,8 @@ Noteworthy changes in version 2.1.5 (2015-06-11) + + * Code cleanups and minor bug fixes. + ++ See-also: gnupg-announce/2015q2/000369.html ++ + + Noteworthy changes in version 2.1.4 (2015-05-12) + ------------------------------------------------ +@@ -577,6 +603,8 @@ Noteworthy changes in version 2.1.4 (2015-05-12) + + * Fixed lots of smaller bugs. + ++ See-also: gnupg-announce/2015q2/000366.html ++ + + Noteworthy changes in version 2.1.3 (2015-04-11) + ------------------------------------------------ +@@ -614,6 +642,8 @@ Noteworthy changes in version 2.1.3 (2015-04-11) + * Fixed possible problems due to compiler optimization, two minor + regressions, and other bugs. + ++ See-also: gnupg-announce/2015q2/000365.html ++ + + Noteworthy changes in version 2.1.2 (2015-02-11) + ------------------------------------------------ +@@ -648,6 +678,8 @@ Noteworthy changes in version 2.1.2 (2015-02-11) + * Fixed several bugs related to bogus keyrings and improved some + other code. + ++ See-also: gnupg-announce/2015q1/000361.html ++ + + Noteworthy changes in version 2.1.1 (2014-12-16) + ------------------------------------------------ +@@ -700,6 +732,8 @@ Noteworthy changes in version 2.1.1 (2014-12-16) + + * Improved portability and the usual bunch of bug fixes. 
+ ++ See-also: gnupg-announce/2014q4/000360.html ++ + + Noteworthy changes in version 2.1.0 (2014-11-06) + ------------------------------------------------ +@@ -1017,6 +1051,8 @@ Noteworthy changes in version 2.1.0 (2014-11-06) + * Numerical values may now be used as an alternative to the + debug-level keywords. + ++ See-also: gnupg-announce/2014q4/000358.html ++ + + Version 2.0.28 (2015-06-02) + Version 2.0.27 (2015-02-18) +@@ -1060,6 +1096,8 @@ Noteworthy changes in version 2.0.13 (2009-09-04) + + * Minor bug fixes. + ++ See-also: gnupg-announce/2009q3/000294.html ++ + + Noteworthy changes in version 2.0.12 (2009-06-17) + ------------------------------------------------- +@@ -1087,6 +1125,8 @@ Noteworthy changes in version 2.0.12 (2009-06-17) + + * Changed code to avoid a possible Mac OS X system freeze. + ++ See-also: gnupg-announce/2009q2/000288.html ++ + + Noteworthy changes in version 2.0.11 (2009-03-03) + ------------------------------------------------- +@@ -1103,6 +1143,8 @@ Noteworthy changes in version 2.0.11 (2009-03-03) + due to interoperability problems with Outlook 2003 which still + can't cope with AES. + ++ See-also: gnupg-announce/2009q1/000287.html ++ + + Noteworthy changes in version 2.0.10 (2009-01-12) + ------------------------------------------------- +@@ -1158,6 +1200,8 @@ Noteworthy changes in version 2.0.10 (2009-01-12) + + * Libgcrypt 1.4 is now required. + ++ See-also: gnupg-announce/2009q1/000284.html ++ + + Noteworthy changes in version 2.0.9 (2008-03-26) + ------------------------------------------------ +@@ -1181,6 +1225,7 @@ Noteworthy changes in version 2.0.9 (2008-03-26) + * Minor bug fixes. + + ++ + Noteworthy changes in version 2.0.8 (2007-12-20) + ------------------------------------------------ + +@@ -1214,6 +1259,8 @@ Noteworthy changes in version 2.0.8 (2007-12-20) + taken into account. This required a change of our socket emulation + code and changed the IPC protocol under Windows. 
+ ++ See-also: gnupg-announce/2007q4/000267.html ++ + + Noteworthy changes in version 2.0.7 (2007-09-10) + ------------------------------------------------ +@@ -1232,6 +1279,8 @@ Noteworthy changes in version 2.0.7 (2007-09-10) + installed versions of the programs and does not anymore search via + PATH for them. + ++ See-also: gnupg-announce/2007q3/000259.html ++ + + Noteworthy changes in version 2.0.6 (2007-08-16) + ------------------------------------------------ +@@ -1247,6 +1296,8 @@ Noteworthy changes in version 2.0.6 (2007-08-16) + + * Improved Windows support. + ++ See-also: gnupg-announce/2007q3/000258.html ++ + + Noteworthy changes in version 2.0.5 (2007-07-05) + ------------------------------------------------ +@@ -1264,6 +1315,8 @@ Noteworthy changes in version 2.0.5 (2007-07-05) + * Changed key generation to reveal less information about the + machine. Bug fixes for gpg2's card key generation. + ++ See-also: gnupg-announce/2007q3/000255.html ++ + + Noteworthy changes in version 2.0.4 (2007-05-09) + ------------------------------------------------ +@@ -1276,6 +1329,8 @@ Noteworthy changes in version 2.0.4 (2007-05-09) + + * Improved the libgcrypt logging support in all modules. + ++ See-also: gnupg-announce/2007q2/000254.html ++ + + Noteworthy changes in version 2.0.3 (2007-03-08) + ------------------------------------------------ +@@ -1296,6 +1351,8 @@ Noteworthy changes in version 2.0.3 (2007-03-08) + * The PIN pad of the Cherry XX44 keyboard is now supported. The + DINSIG and the NKS applications are now also aware of PIN pads. + ++ See-also: gnupg-announce/2007q1/000252.html ++ + + Noteworthy changes in version 2.0.2 (2007-01-31) + ------------------------------------------------ +@@ -1314,6 +1371,8 @@ Noteworthy changes in version 2.0.2 (2007-01-31) + + * The status code BEGIN_SIGNING now shows the used hash algorithms. 
+ ++ See-also: gnupg-announce/2007q1/000249.html ++ + + Noteworthy changes in version 2.0.1 (2006-11-28) + ------------------------------------------------ +@@ -1327,12 +1386,16 @@ Noteworthy changes in version 2.0.1 (2006-11-28) + + * Fixed a buffer overflow in gpg2. [bug#728,CVE-2006-6169] + ++ See-also: gnupg-announce/2006q4/000242.html ++ + + Noteworthy changes in version 2.0.0 (2006-11-11) + ------------------------------------------------ + + * First stable version of a GnuPG integrating OpenPGP and S/MIME. + ++ See-also: gnupg-announce/2006q4/000239.html ++ + + Noteworthy changes in version 1.9.95 (2006-11-06) + ------------------------------------------------- +@@ -1373,6 +1436,8 @@ Noteworthy changes in version 1.9.92 (2006-10-11) + + * Bug fixes. + ++ See-also: gnupg-announce/2006q4/000236.html ++ + + Noteworthy changes in version 1.9.91 (2006-10-04) + ------------------------------------------------- +@@ -1874,6 +1939,8 @@ Noteworthy changes in version 1.3.2 (2003-05-27) + of GnuPG and other OpenPGP programs, please do not use this + algorithm. + ++ See-also: gnupg-announce/2003q2/000153.html ++ + + Noteworthy changes in version 1.3.1 (2002-11-12) + ------------------------------------------------ +@@ -2200,6 +2267,8 @@ Noteworthy changes in version 1.0.7 (2002-04-29) + + * Read only keyrings are now handled as expected. + ++ See-also: gnupg-announce/2002q2/000135.html ++ + + Noteworthy changes in version 1.0.6 (2001-05-29) + ------------------------------------------------ +@@ -2218,6 +2287,8 @@ Noteworthy changes in version 1.0.6 (2001-05-29) + + * non-writable keyrings are now correctly handled. + ++ See-also: gnupg-announce/2001q2/000123.html ++ + + Noteworthy changes in version 1.0.5 (2001-04-29) + ------------------------------------------------ +@@ -2276,6 +2347,8 @@ Noteworthy changes in version 1.0.5 (2001-04-29) + + * New translations: Estonian, Turkish. 
+ ++ See-also: gnupg-announce/2001q2/000122.html ++ + + Noteworthy changes in version 1.0.4 (2000-10-17) + ------------------------------------------------ +@@ -2291,6 +2364,9 @@ Noteworthy changes in version 1.0.4 (2000-10-17) + + * --with-colons now works with --print-md[s]. + ++ See-also: gnupg-announce/2000q4/000082.html ++ ++ + Noteworthy changes in version 1.0.3 (2000-09-18) + ------------------------------------------------ + +@@ -2322,6 +2398,8 @@ Noteworthy changes in version 1.0.3 (2000-09-18) + this. Older versions of GnuPG don't support it, so they should be + upgraded to at least 1.0.2 + ++ See-also: gnupg-announce/2000q3/000075.html ++ + + Noteworthy changes in version 1.0.2 (2000-07-12) + ---------------------------------------------- +@@ -2380,6 +2458,9 @@ Noteworthy changes in version 1.0.2 (2000-07-12) + + * Danish translation + ++ See-also: gnupg-announce/2000q3/000069.html ++ ++ + Noteworthy changes in version 1.0.1 (1999-12-16) + ----------------------------------- + +@@ -2411,6 +2492,8 @@ Noteworthy changes in version 1.0.1 (1999-12-16) + * Removed the GNU Privacy Handbook from the distribution as it will go + into a separate one. + ++ See-also: gnupg-announce/1999q4/000050.html ++ + + Noteworthy changes in version 1.0.0 (1999-09-07) + ----------------------------------- +@@ -2420,6 +2503,8 @@ Noteworthy changes in version 1.0.0 (1999-09-07) + + * Changed the version number to GnuPG 2001 ;-) + ++ See-also: gnupg-announce/1999q3/000037.html ++ + + Noteworthy changes in version 0.9.11 (1999-09-03) + ------------------------------------ +@@ -2431,6 +2516,8 @@ Noteworthy changes in version 0.9.11 (1999-09-03) + + * Fixed a problem when importing new subkeys (duplicated signatures). + ++ See-also: gnupg-announce/1999q3/000036.html ++ + + Noteworthy changes in version 0.9.10 (1999-07-23) + ------------------------------------ +@@ -2439,6 +2526,8 @@ Noteworthy changes in version 0.9.10 (1999-07-23) + + * Cleaned up the dox a bit. 
+ ++ See-also: gnupg-announce/1999q3/000034.html ++ + + Noteworthy changes in version 0.9.9 + ----------------------------------- +@@ -2466,6 +2555,8 @@ Noteworthy changes in version 0.9.9 + * New option --allow-non-selfsigned-uid to work around a problem with + the German IN way of separating signing and encryption keys. + ++ See-also: gnupg-announce/1999q3/000028.html ++ + + Noteworthy changes in version 0.9.8 (1999-06-26) + ----------------------------------- +@@ -2487,6 +2578,8 @@ Noteworthy changes in version 0.9.8 (1999-06-26) + + * Better support for HPUX. + ++ See-also: gnupg-announce/1999q2/000016.html ++ + + Noteworthy changes in version 0.9.7 (1999-05-23) + ----------------------------------- +@@ -2496,6 +2589,8 @@ Noteworthy changes in version 0.9.7 (1999-05-23) + + * Enhanced some status outputs. + ++ See-also: gnupg-announce/1999q2/000000.html ++ + + Noteworthy changes in version 0.9.6 (1999-05-06) + ----------------------------------- +@@ -2812,7 +2907,7 @@ Noteworthy changes in version 0.3.3 (1998-08-08) + a copy of the old program. + 2. Disable the network, make sure that you are the only + user, be sure that there are no Trojan horses etc .... +- 3. Use your old gpg (version 0.3.[12]) and set the ++ 3. Use your old gpg (version 0.3.1 or 0.3.2) and set the + passphrases of ALL your secret keys to empty! + (gpg --change-passphrase your-user-id). + 4. Save your ownertrusts (see the next point) +@@ -2825,7 +2920,7 @@ Noteworthy changes in version 0.3.3 (1998-08-08) + + * The format of the trust database has changed; you must delete + the old one, so gnupg can create a new one. +- IMPORTANT: Use version 0.3.[12] to save your assigned ownertrusts ++ IMPORTANT: Use version 0.3.1 or .2 to save your assigned ownertrusts + ("gpgm --list-ownertrust >saved-trust"); then build this new version + and restore the ownertrust with this new version + ("gpgm --import-ownertrust saved-trust"). Please note that 
diff --git a/patches/0022-g10-avoid-warning-when-disable-tofu.patch b/patches/0022-g10-avoid-warning-when-disable-tofu.patch
new file mode 100644
index 0000000..4443007
--- /dev/null
+++ b/patches/0022-g10-avoid-warning-when-disable-tofu.patch
@@ -0,0 +1,27 @@
+From: Daniel Kahn Gillmor
+Date: Wed, 4 Jan 2017 08:31:06 -0500
+Subject: g10: avoid warning when --disable-tofu
+
+If configured with --disable-tofu, we see compiler warnings about an
+unused variable. This should remove those warnings.
+
+(cherry picked from commit 38671cfe5a2a40bb991619f4cb992c42b5f1e8cd)
+---
+ g10/trustdb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/g10/trustdb.c b/g10/trustdb.c
+index d402cb2ba..c113b7e9d 100644
+--- a/g10/trustdb.c
++++ b/g10/trustdb.c
+@@ -1002,9 +1002,9 @@ tdb_get_validity_core (ctrl_t ctrl,
+ ulong recno;
+ #ifdef USE_TOFU
+ unsigned int tofu_validity = TRUST_UNKNOWN;
++ int free_kb = 0;
+ #endif
+ unsigned int validity = TRUST_UNKNOWN;
+- int free_kb = 0;
+
+ if (kb && pk)
+ log_assert (keyid_cmp (pk_main_keyid (pk),
diff --git a/patches/0023-doc-Mention-gpgv-in-the-description-of-gpg-verify.patch b/patches/0023-doc-Mention-gpgv-in-the-description-of-gpg-verify.patch
new file mode 100644
index 0000000..a05c742
--- /dev/null
+++ b/patches/0023-doc-Mention-gpgv-in-the-description-of-gpg-verify.patch
@@ -0,0 +1,30 @@ +From: Werner Koch +Date: Thu, 5 Jan 2017 20:25:16 +0100 +Subject: doc: Mention gpgv in the description of gpg --verify. + +-- + +Signed-off-by: Werner Koch +(cherry picked from commit 353f6ff37646ad4c24d309a495e6c6f41e5235e3) +--- + doc/gpg.texi | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/doc/gpg.texi b/doc/gpg.texi +index 469e5484a..4ea2cd21e 100644 +--- a/doc/gpg.texi ++++ b/doc/gpg.texi +@@ -255,6 +255,13 @@ out the actual signed data, but there are other pitfalls with this + format as well. It is suggested to avoid cleartext signatures in + favor of detached signatures. + ++Note: Sometimes the use of the @command{gpgv} tool is easier than ++using the full-fledged @command{gpg} with this option. @command{gpgv} ++is designed to compare signed data against a list of trusted keys and ++returns with success only for a good signature. It has its own manual ++page. ++ ++ + @item --multifile + @opindex multifile + This modifies certain other commands to accept multiple files for diff --git a/patches/0024-Silence-two-Wlogical-op-warnings.patch b/patches/0024-Silence-two-Wlogical-op-warnings.patch new file mode 100644 index 0000000..78fd134 --- /dev/null +++ b/patches/0024-Silence-two-Wlogical-op-warnings.patch 
@@ -0,0 +1,48 @@ +From: Werner Koch +Date: Thu, 5 Jan 2017 20:42:55 +0100 +Subject: Silence two -Wlogical-op warnings. + +* common/tlv.c (parse_ber_header): Avoid compiler warning about a +duplicate condition. +* tools/gpgtar-create.c (pattern_valid_p): Likewise. + +Signed-off-by: Werner Koch +(cherry picked from commit 6170eb809033c9d144abf3b1f31f8b936878cdd4) +--- + common/tlv.c | 4 ++-- + tools/gpgtar-create.c | 6 +++++- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/common/tlv.c b/common/tlv.c +index 6813c585a..0058b67ca 100644 +--- a/common/tlv.c ++++ b/common/tlv.c +@@ -214,9 +214,9 @@ parse_ber_header (unsigned char const **buffer, size_t *size, + else + { + unsigned long len = 0; +- int count = c & 0x7f; ++ int count = (c & 0x7f); + +- if (count > sizeof (len) || count > sizeof (size_t)) ++ if (count > (sizeof(len)= 'a' && *pattern <= 'z') diff --git a/patches/0025-doc-Document-summary-values-of-TOFU_STATS.patch b/patches/0025-doc-Document-summary-values-of-TOFU_STATS.patch new file mode 100644 index 0000000..1ee390f --- /dev/null +++ b/patches/0025-doc-Document-summary-values-of-TOFU_STATS.patch 
@@ -0,0 +1,36 @@ +From: Andre Heinecke +Date: Fri, 6 Jan 2017 12:26:01 +0100 +Subject: doc: Document summary values of TOFU_STATS + +-- + +Signed-off-by: Andre Heinecke +(cherry picked from commit e1f68337b979fe4b7c3bd095a83ea832e14efb74) +--- + doc/DETAILS | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/doc/DETAILS b/doc/DETAILS +index 568500e51..ac599fc62 100644 +--- a/doc/DETAILS ++++ b/doc/DETAILS +@@ -761,6 +761,19 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB: + takes on value 0. Instead, if there is a conflict, VALIDITY still + reflects the key's validity (values: 1-4). + ++ SUMMARY values use the euclidean distance (m = sqrt(a² + b²)) rather ++ then the sum of the magnitudes (m = a + b) to ensure a balance between ++ verified signatures and encrypted messages. ++ ++ Values are calculated based on the number of days where a key was used ++ for verifying a signature or to encrypt to it. ++ The ranges for the values are: ++ ++ - 1 :: signature_days + encryption_days == 0 ++ - 2 :: 1 <= sqrt(signature_days² + encryption_days²) < 8 ++ - 3 :: 8 <= sqrt(signature_days² + encryption_days²) < 42 ++ - 4 :: sqrt(signature_days² + encryption_days²) >= 42 ++ + SIGN-COUNT and ENCRYPTION-COUNT are the number of messages that we + have seen that have been signed by this key / encryption to this + key. diff --git a/patches/block-ptrace-on-agent/0002-Avoid-simple-memory-dumps-via-ptrace.patch b/patches/block-ptrace-on-agent/0002-Avoid-simple-memory-dumps-via-ptrace.patch new file mode 100644 index 0000000..50d46f3 --- /dev/null +++ b/patches/block-ptrace-on-agent/0002-Avoid-simple-memory-dumps-via-ptrace.patch 
@@ -0,0 +1,60 @@
+From: Daniel Kahn Gillmor
+Date: Tue, 11 Aug 2015 20:28:26 -0400
+Subject: Avoid simple memory dumps via ptrace
+
+This avoids needing to setgid gpg-agent. It probably doesn't defend
+against all possible attacks, but it defends against one specific (and
+easy) one. If there are other protections we should do them too.
+
+This will make it slightly harder to debug the agent because the
+normal user won't be able to attach gdb to it directly while it runs.
+
+The remaining options for debugging are:
+
+ * launch the agent from gdb directly
+ * connect gdb to a running agent as the superuser
+
+Upstream bug: https://bugs.gnupg.org/gnupg/issue1211
+---
+ agent/gpg-agent.c | 8 ++++++++
+ configure.ac | 1 +
+ 2 files changed, 9 insertions(+)
+
+diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
+index f4ed6c5c4..f5ecea544 100644
+--- a/agent/gpg-agent.c
++++ b/agent/gpg-agent.c
+@@ -48,6 +48,9 @@
+ # include
+ #endif
+ #include
++#ifdef HAVE_PRCTL
++# include
++#endif
+
+ #define GNUPG_COMMON_NEED_AFLOCAL
+ #include "agent.h"
+@@ -947,6 +950,11 @@ main (int argc, char **argv )
+
+ early_system_init ();
+
++#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
++ /* Disable ptrace on Linux without sgid bit */
++ prctl(PR_SET_DUMPABLE, 0);
++#endif
++
+ /* Before we do anything else we save the list of currently open
+ file descriptors and the signal mask. This info is required to
+ do the exec call properly.
*/
+diff --git a/configure.ac b/configure.ac
+index 663061031..932c741ef 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1335,6 +1335,7 @@ AC_CHECK_FUNCS([strerror strlwr tcgetattr mmap canonicalize_file_name])
+ AC_CHECK_FUNCS([strcasecmp strncasecmp ctermid times gmtime_r strtoull])
+ AC_CHECK_FUNCS([setenv unsetenv fcntl ftruncate inet_ntop])
+ AC_CHECK_FUNCS([canonicalize_file_name])
++AC_CHECK_FUNCS([prctl])
+ AC_CHECK_FUNCS([gettimeofday getrusage getrlimit setrlimit clock_gettime])
+ AC_CHECK_FUNCS([atexit raise getpagesize strftime nl_langinfo setlocale])
+ AC_CHECK_FUNCS([waitpid wait4 sigaction sigprocmask pipe getaddrinfo])
diff --git a/patches/debian-packaging/0001-avoid-beta-warning.patch b/patches/debian-packaging/0001-avoid-beta-warning.patch
new file mode 100644
index 0000000..f541c1a
--- /dev/null
+++ b/patches/debian-packaging/0001-avoid-beta-warning.patch
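Review bot: The added `prctl(PR_SET_DUMPABLE, 0);` in main of agent/gpg-agent.c ignores the return value, so if the call fails the agent keeps running without the protection and nothing in the log says so. Checking the result, for example `if (prctl (PR_SET_DUMPABLE, 0))` followed by `log_info ("prctl(PR_SET_DUMPABLE) failed: %s\n", strerror (errno));`, would make a missing protection visible; whether logging is usable this early in main is not shown in the hunk, so the placement may need adjusting. The comment `Disable ptrace on Linux without sgid bit` could state what the flag does: it marks the process non-dumpable, which blocks ptrace attach by unprivileged processes and also suppresses core dumps. As far as I know the attribute does not carry over an execve, so it covers the agent process itself and not programs it starts. main continues outside the hunk.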
@@ -0,0 +1,44 @@
+From: Debian GnuPG Maintainers
+Date: Tue, 14 Apr 2015 10:02:31 -0400
+Subject: avoid-beta-warning
+
+avoid self-describing as a beta
+
+Using autoreconf against the source as distributed in tarball form
+invariably results in a package that thinks it's a "beta" package,
+which produces the "THIS IS A DEVELOPMENT VERSION" warning string.
+
+since we use dh_autoreconf, i need this patch to avoid producing
+builds that announce themselves as DEVELOPMENT VERSIONs.
+
+See discussion at:
+
+ http://lists.gnupg.org/pipermail/gnupg-devel/2014-November/029065.html
+---
+ autogen.sh | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/autogen.sh b/autogen.sh
+index 92c6df807..6b631a241 100755
+--- a/autogen.sh
++++ b/autogen.sh
+@@ -214,7 +214,7 @@ if [ "$myhost" = "find-version" ]; then
+ esac
+
+ beta=no
+- if [ -e .git ]; then
++ if false; then
+ ingit=yes
+ tmp=$(git describe --match "${matchstr1}" --long 2>/dev/null)
+ if [ -n "$tmp" ]; then
+@@ -228,8 +228,8 @@ if [ "$myhost" = "find-version" ]; then
+ rvd=$((0x$(echo ${rev} | head -c 4)))
+ else
+ ingit=no
+- beta=yes
+- tmp="-unknown"
++ beta=no
++ tmp=""
+ rev="0000000"
+ rvd="0"
+ fi
diff --git a/patches/debian-packaging/0003-avoid-regenerating-defsincdate-use-shipped-file.patch b/patches/debian-packaging/0003-avoid-regenerating-defsincdate-use-shipped-file.patch
new file mode 100644
index 0000000..c141e4f
--- /dev/null
+++ b/patches/debian-packaging/0003-avoid-regenerating-defsincdate-use-shipped-file.patch
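Review bot: Replacing the test with `if false; then` in autogen.sh leaves the whole git-describe branch as dead code, with nothing at that spot saying why. A comment on that line, for example `# Debian: never derive the version from git; builds start from the release tarball`, would keep a later reader from restoring the `-e .git` check. With `beta=no` and `tmp=""` in the else branch, every build now identifies itself as a release build, including one made from a locally modified tree; that matches the patch description but is worth stating in the script too. The enclosing `if [ "$myhost" = "find-version" ]` block extends beyond both hunks.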
@@ -0,0 +1,37 @@
+From: Daniel Kahn Gillmor
+Date: Mon, 29 Aug 2016 12:34:42 -0400
+Subject: avoid regenerating defsincdate (use shipped file)
+
+upstream ships doc/defsincdate in its tarballs. but doc/Makefile.am
+tries to rewrite doc/defsincdate if it notices that any of the files
+have been modified more recently, and it does so assuming that we're
+running from a git repo.
+
+However, we'd rather ship the documents cleanly without regenerating
+defsincdate -- we don't have a git repo available (debian builds from
+upstream tarballs) and any changes to the texinfo files (e.g. from
+debian/patches/) might result in different dates on the files than we
+expect after they're applied by dpkg or quilt or whatever, which makes
+the datestamp unreproducible.
+---
+ doc/Makefile.am | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/doc/Makefile.am b/doc/Makefile.am
+index 0c2f2c9dc..65b941ca7 100644
+--- a/doc/Makefile.am
++++ b/doc/Makefile.am
+@@ -167,13 +167,6 @@ $(myman_pages) gnupg.7 : yat2m-stamp defs.inc
+
+ dist-hook: defsincdate
+
+-defsincdate: $(gnupg_TEXINFOS)
+- : >defsincdate ; \
+- if test -e $(top_srcdir)/.git; then \
+- (cd $(srcdir) && git log -1 --format='%ct' \
+- -- $(gnupg_TEXINFOS) 2>/dev/null) >>defsincdate; \
+- fi
+-
+ defs.inc : defsincdate Makefile mkdefsinc
+ incd="`test -f defsincdate || echo '$(srcdir)/'`defsincdate"; \
+ ./mkdefsinc -C $(srcdir) --date "`cat $$incd 2>/dev/null`" \
diff --git a/patches/dirmngr-idling/0001-dirmngr-hkp-Avoid-potential-race-condition-when-some.patch b/patches/dirmngr-idling/0001-dirmngr-hkp-Avoid-potential-race-condition-when-some.patch
new file mode 100644
index 0000000..2020da7
--- /dev/null
+++ b/patches/dirmngr-idling/0001-dirmngr-hkp-Avoid-potential-race-condition-when-some.patch
@@ -0,0 +1,77 @@ +From: Daniel Kahn Gillmor +Date: Sat, 29 Oct 2016 01:25:05 -0400 +Subject: dirmngr: hkp: Avoid potential race condition when some hosts die. + +* dirmngr/ks-engine-hkp.c (select_random_host): Use atomic pass +through the host table instead of risking out-of-bounds write. + +-- + +Multiple threads may write to hosttable[x]->dead while +select_random_host() is running. For example, a housekeeping thread +might clear the ->dead bit on some entries, or another connection to +dirmngr might manually mark a host as alive. + +If one or more hosts are resurrected between the two loops over a +given table in select_random_host(), then the allocation of tbl might +not be large enough, resulting in a write past the end of tbl on the +second loop. + +This change collapses the two loops into a single loop to avoid this +discrepancy: each host's "dead" bit is now only checked once. + +As Werner points out, this isn't currently strictly necessary, since +npth will not switch threads unless a blocking system call is made, +and no blocking system call is made in these two loops. + +However, in a subsequent change in this series, we will call a +function in this loop, and that function may sometimes write(2), or +call other functions, which may themselves block. Keeping this as a +single-pass loop avoids the need to keep track of what might block and +what might not. + +Signed-off-by: Daniel Kahn Gillmor +--- + dirmngr/ks-engine-hkp.c | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c +index a6c22f8cd..2d1240bb3 100644 +--- a/dirmngr/ks-engine-hkp.c ++++ b/dirmngr/ks-engine-hkp.c +@@ -209,25 +209,24 @@ host_in_pool_p (int *pool, int tblidx) + static int + select_random_host (int *table) + { +- int *tbl; +- size_t tblsize; ++ int *tbl = NULL; ++ size_t tblsize = 0; + int pidx, idx; + + /* We create a new table so that we randomly select only from + currently alive hosts. 
*/ +- for (idx=0, tblsize=0; (pidx = table[idx]) != -1; idx++) ++ for (idx=0; (pidx = table[idx]) != -1; idx++) + if (hosttable[pidx] && !hosttable[pidx]->dead) +- tblsize++; ++ { ++ tblsize++; ++ tbl = xtryrealloc(tbl, tblsize * sizeof *tbl); ++ if (!tbl) ++ return -1; /* memory allocation failed! */ ++ tbl[tblsize-1] = pidx; ++ } + if (!tblsize) + return -1; /* No hosts. */ + +- tbl = xtrymalloc (tblsize * sizeof *tbl); +- if (!tbl) +- return -1; +- for (idx=0, tblsize=0; (pidx = table[idx]) != -1; idx++) +- if (hosttable[pidx] && !hosttable[pidx]->dead) +- tbl[tblsize++] = pidx; +- + if (tblsize == 1) /* Save a get_uint_nonce. */ + pidx = tbl[0]; + else diff --git a/patches/dirmngr-idling/0002-dimrngr-Avoid-need-for-hkp-housekeeping.patch b/patches/dirmngr-idling/0002-dimrngr-Avoid-need-for-hkp-housekeeping.patch new file mode 100644 index 0000000..75f4b90 --- /dev/null +++ b/patches/dirmngr-idling/0002-dimrngr-Avoid-need-for-hkp-housekeeping.patch 
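Review bot: In the rewritten loop of select_random_host, `tbl = xtryrealloc(tbl, tblsize * sizeof *tbl);` overwrites the only pointer to the table, so when the reallocation fails the entries collected so far are leaked on the `return -1` path. Keeping the result in a temporary avoids that: `newtbl = xtryrealloc (tbl, tblsize * sizeof *tbl);` followed by `if (!newtbl) { xfree (tbl); return -1; }` and `tbl = newtbl;`. The remainder of the function, including where tbl is released on the normal path, lies outside the hunk.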
@@ -0,0 +1,228 @@ +From: Daniel Kahn Gillmor +Date: Sat, 29 Oct 2016 02:00:50 -0400 +Subject: dimrngr: Avoid need for hkp housekeeping. + +* dirmngr/ks-engine-hkp.c (host_is_alive): New function. Test whether +host is alive and resurrects it if it has been dead long enough. +(select_random_host, map_host, ks_hkp_mark_host): Use host_is_alive +instead of testing hostinfo_t->dead directly. +(ks_hkp_housekeeping): Remove function, no longer needed. +* dirmngr/dirmngr.c (housekeeping_thread): Remove call to +ks_hkp_housekeeping. + +-- + +Rather than resurrecting hosts upon scheduled resurrection times, test +whether hosts should be resurrected as they're inspected for being +dead. This removes the need for explicit housekeeping, and makes host +resurrections happen "just in time", rather than being clustered on +HOUSEKEEPING_INTERVAL seconds. + +Signed-off-by: Daniel Kahn Gillmor +--- + dirmngr/dirmngr.c | 3 -- + dirmngr/dirmngr.h | 4 --- + dirmngr/ks-engine-hkp.c | 73 ++++++++++++++++++++++++------------------------- + 3 files changed, 36 insertions(+), 44 deletions(-) + +diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c +index 5ee589e93..130f74bc7 100644 +--- a/dirmngr/dirmngr.c ++++ b/dirmngr/dirmngr.c +@@ -1773,12 +1773,10 @@ static void * + housekeeping_thread (void *arg) + { + static int sentinel; +- time_t curtime; + struct server_control_s ctrlbuf; + + (void)arg; + +- curtime = gnupg_get_time (); + if (sentinel) + { + log_info ("housekeeping is already going on\n"); +@@ -1791,7 +1789,6 @@ housekeeping_thread (void *arg) + memset (&ctrlbuf, 0, sizeof ctrlbuf); + dirmngr_init_default_ctrl (&ctrlbuf); + +- ks_hkp_housekeeping (curtime); + if (network_activity_seen) + { + network_activity_seen = 0; +diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h +index 9a8787842..0469d55bc 100644 +--- a/dirmngr/dirmngr.h ++++ b/dirmngr/dirmngr.h +@@ -192,10 +192,6 @@ void dirmngr_sighup_action (void); + const char* dirmngr_get_current_socket_name (void); + + +-/*-- Various 
housekeeping functions. --*/ +-void ks_hkp_housekeeping (time_t curtime); +- +- + /*-- server.c --*/ + ldap_server_t get_ldapservers_from_ctrl (ctrl_t ctrl); + ksba_cert_t get_cert_local (ctrl_t ctrl, const char *issuer); +diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c +index 2d1240bb3..6f1c2e8e0 100644 +--- a/dirmngr/ks-engine-hkp.c ++++ b/dirmngr/ks-engine-hkp.c +@@ -203,6 +203,25 @@ host_in_pool_p (int *pool, int tblidx) + } + + ++static int ++host_is_alive (hostinfo_t hi, time_t curtime) ++{ ++ if (!hi) ++ return 0; ++ if (!hi->dead) ++ return 1; ++ if (!hi->died_at) ++ return 0; /* manually marked dead */ ++ if (hi->died_at + RESURRECT_INTERVAL <= curtime ++ || hi->died_at > curtime) ++ { ++ hi->dead = 0; ++ log_info ("resurrected host '%s'", hi->name); ++ return 1; ++ } ++ return 0; ++} ++ + /* Select a random host. Consult TABLE which indices into the global + hosttable. Returns index into TABLE or -1 if no host could be + selected. */ +@@ -212,11 +231,13 @@ select_random_host (int *table) + int *tbl = NULL; + size_t tblsize = 0; + int pidx, idx; ++ time_t curtime; + ++ curtime = gnupg_get_time (); + /* We create a new table so that we randomly select only from + currently alive hosts. 
*/ + for (idx=0; (pidx = table[idx]) != -1; idx++) +- if (hosttable[pidx] && !hosttable[pidx]->dead) ++ if (hosttable[pidx] && host_is_alive (hosttable[pidx], curtime)) + { + tblsize++; + tbl = xtryrealloc(tbl, tblsize * sizeof *tbl); +@@ -392,6 +413,7 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect, + gpg_error_t err = 0; + hostinfo_t hi; + int idx; ++ time_t curtime; + + *r_host = NULL; + if (r_httpflags) +@@ -538,6 +560,7 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect, + xfree (reftbl); + } + ++ curtime = gnupg_get_time (); + hi = hosttable[idx]; + if (hi->pool) + { +@@ -554,7 +577,7 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect, + if (force_reselect) + hi->poolidx = -1; + else if (hi->poolidx >= 0 && hi->poolidx < hosttable_size +- && hosttable[hi->poolidx] && hosttable[hi->poolidx]->dead) ++ && hosttable[hi->poolidx] && !host_is_alive (hosttable[hi->poolidx], curtime)) + hi->poolidx = -1; + + /* Select a host if needed. */ +@@ -578,7 +601,7 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect, + assert (hi); + } + +- if (hi->dead) ++ if (!host_is_alive (hi, curtime)) + { + log_error ("host '%s' marked as dead\n", hi->name); + if (r_poolname) +@@ -683,7 +706,8 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive) + { + gpg_error_t err = 0; + hostinfo_t hi, hi2; +- int idx, idx2, idx3, n; ++ int idx, idx2, idx3, n, is_alive; ++ time_t curtime; + + if (!name || !*name || !strcmp (name, "localhost")) + return 0; +@@ -692,13 +716,15 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive) + if (idx == -1) + return gpg_error (GPG_ERR_NOT_FOUND); + ++ curtime = gnupg_get_time (); + hi = hosttable[idx]; +- if (alive && hi->dead) ++ is_alive = host_is_alive (hi, curtime); ++ if (alive && !is_alive) + { + hi->dead = 0; + err = ks_printf_help (ctrl, "marking '%s' as alive", name); + } +- else if (!alive && !hi->dead) ++ else if (!alive && is_alive) + { + hi->dead = 1; + hi->died_at = 0; /* Manually 
set dead. */ +@@ -730,14 +756,15 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive) + + hi2 = hosttable[n]; + if (!hi2) +- ; +- else if (alive && hi2->dead) ++ continue; ++ is_alive = host_is_alive (hi2, curtime); ++ if (alive && !is_alive) + { + hi2->dead = 0; + err = ks_printf_help (ctrl, "marking '%s' as alive", + hi2->name); + } +- else if (!alive && !hi2->dead) ++ else if (!alive && is_alive) + { + hi2->dead = 1; + hi2->died_at = 0; /* Manually set dead. */ +@@ -939,34 +966,6 @@ ks_hkp_resolve (ctrl_t ctrl, parsed_uri_t uri) + } + + +-/* Housekeeping function called from the housekeeping thread. It is +- used to mark dead hosts alive so that they may be tried again after +- some time. */ +-void +-ks_hkp_housekeeping (time_t curtime) +-{ +- int idx; +- hostinfo_t hi; +- +- for (idx=0; idx < hosttable_size; idx++) +- { +- hi = hosttable[idx]; +- if (!hi) +- continue; +- if (!hi->dead) +- continue; +- if (!hi->died_at) +- continue; /* Do not resurrect manually shot hosts. */ +- if (hi->died_at + RESURRECT_INTERVAL <= curtime +- || hi->died_at > curtime) +- { +- hi->dead = 0; +- log_info ("resurrected host '%s'", hi->name); +- } +- } +-} +- +- + /* Send an HTTP request. On success returns an estream object at + R_FP. HOSTPORTSTR is only used for diagnostics. If HTTPHOST is + not NULL it will be used as HTTP "Host" header. If POST_CB is not diff --git a/patches/dirmngr-idling/0004-dirmngr-Avoid-automatically-checking-upstream-swdb.patch b/patches/dirmngr-idling/0004-dirmngr-Avoid-automatically-checking-upstream-swdb.patch new file mode 100644 index 0000000..0851a62 --- /dev/null +++ b/patches/dirmngr-idling/0004-dirmngr-Avoid-automatically-checking-upstream-swdb.patch 
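Review bot: host_is_alive is added without a header comment even though it is not a pure predicate: it clears `hi->dead` and logs once RESURRECT_INTERVAL has elapsed since `died_at`. In ks_hkp_mark_host with `alive` false, a host past the interval is therefore logged as resurrected and then immediately marked dead by hand, which makes the log misleading. A comment such as `/* Return true if HI is usable at CURTIME. Side effect: clears HI->dead once RESURRECT_INTERVAL has passed since HI->died_at. */` above the function would document this for the three callers. The `log_info ("resurrected host '%s'", hi->name);` line also lacks the trailing `\n` that the other log_info calls in this series carry; it was copied unchanged from the removed ks_hkp_housekeeping.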
@@ -0,0 +1,45 @@ +From: Daniel Kahn Gillmor +Date: Sun, 20 Nov 2016 23:09:24 -0500 +Subject: dirmngr: Avoid automatically checking upstream swdb. + +* dirmngr/dirmngr.c (housekeeping_thread): Avoid automatically +checking upstream's software database. In Debian, software updates +should be handled by the distro mechanism, and additional upstream +checks only confuse the user. + +Signed-off-by: Daniel Kahn Gillmor +--- + dirmngr/dirmngr.c | 13 ------------- + 1 file changed, 13 deletions(-) + +diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c +index 130f74bc7..58a424e8c 100644 +--- a/dirmngr/dirmngr.c ++++ b/dirmngr/dirmngr.c +@@ -1773,7 +1773,6 @@ static void * + housekeeping_thread (void *arg) + { + static int sentinel; +- struct server_control_s ctrlbuf; + + (void)arg; + +@@ -1786,18 +1785,6 @@ housekeeping_thread (void *arg) + if (opt.verbose > 1) + log_info ("starting housekeeping\n"); + +- memset (&ctrlbuf, 0, sizeof ctrlbuf); +- dirmngr_init_default_ctrl (&ctrlbuf); +- +- if (network_activity_seen) +- { +- network_activity_seen = 0; +- if (opt.use_tor || opt.allow_version_check) +- dirmngr_load_swdb (&ctrlbuf, 0); +- } +- +- dirmngr_deinit_default_ctrl (&ctrlbuf); +- + if (opt.verbose > 1) + log_info ("ready with housekeeping\n"); + sentinel--; diff --git a/patches/dirmngr-idling/0005-dirmngr-Drop-useless-housekeeping.patch b/patches/dirmngr-idling/0005-dirmngr-Drop-useless-housekeeping.patch new file mode 100644 index 0000000..affb982 --- /dev/null +++ b/patches/dirmngr-idling/0005-dirmngr-Drop-useless-housekeeping.patch 
@@ -0,0 +1,199 @@ +From: Daniel Kahn Gillmor +Date: Sat, 29 Oct 2016 02:15:08 -0400 +Subject: dirmngr: Drop useless housekeeping. + +* dirmngr/dirmngr.c (handle_tick, time_for_housekeeping_p, +housekeeping_thread): Remove, no longer needed. +(handle_connections): Drop any attempt at a timeout, since no +housekeeping is necessary. + +-- + +The housekeeping thread no longer does anything, and the main loop was +waking up every 60 seconds for no good reason. The code is simpler +and the runtime is more efficient if we drop this. + +Signed-off-by: Daniel Kahn Gillmor +--- + dirmngr/dirmngr.c | 113 +++--------------------------------------------------- + 1 file changed, 5 insertions(+), 108 deletions(-) + +diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c +index 58a424e8c..0b8bb02e6 100644 +--- a/dirmngr/dirmngr.c ++++ b/dirmngr/dirmngr.c +@@ -304,13 +304,6 @@ static int active_connections; + * thread to run background network tasks. */ + static int network_activity_seen; + +-/* The timer tick used for housekeeping stuff. */ +-#define TIMERTICK_INTERVAL (60) +- +-/* How oft to run the housekeeping. */ +-#define HOUSEKEEPING_INTERVAL (600) +- +- + /* This union is used to avoid compiler warnings in case a pointer is + 64 bit and an int 32 bit. We store an integer in a pointer and get + it back later (npth_getspecific et al.). */ +@@ -1768,83 +1761,6 @@ handle_signal (int signo) + #endif /*!HAVE_W32_SYSTEM*/ + + +-/* Thread to do the housekeeping. 
*/ +-static void * +-housekeeping_thread (void *arg) +-{ +- static int sentinel; +- +- (void)arg; +- +- if (sentinel) +- { +- log_info ("housekeeping is already going on\n"); +- return NULL; +- } +- sentinel++; +- if (opt.verbose > 1) +- log_info ("starting housekeeping\n"); +- +- if (opt.verbose > 1) +- log_info ("ready with housekeeping\n"); +- sentinel--; +- return NULL; +- +-} +- +- +-#if GPGRT_GCC_HAVE_PUSH_PRAGMA +-# pragma GCC push_options +-# pragma GCC optimize ("no-strict-overflow") +-#endif +-static int +-time_for_housekeeping_p (time_t curtime) +-{ +- static time_t last_housekeeping; +- +- if (!last_housekeeping) +- last_housekeeping = curtime; +- +- if (last_housekeeping + HOUSEKEEPING_INTERVAL <= curtime +- || last_housekeeping > curtime /*(be prepared for y2038)*/) +- { +- last_housekeeping = curtime; +- return 1; +- } +- return 0; +-} +-#if GPGRT_GCC_HAVE_PUSH_PRAGMA +-# pragma GCC pop_options +-#endif +- +- +-/* This is the worker for the ticker. It is called every few seconds +- and may only do fast operations. */ +-static void +-handle_tick (void) +-{ +- if (time_for_housekeeping_p (gnupg_get_time ())) +- { +- npth_t thread; +- npth_attr_t tattr; +- int err; +- +- err = npth_attr_init (&tattr); +- if (err) +- log_error ("error preparing housekeeping thread: %s\n", strerror (err)); +- else +- { +- npth_attr_setdetachstate (&tattr, NPTH_CREATE_DETACHED); +- err = npth_create (&thread, &tattr, housekeeping_thread, NULL); +- if (err) +- log_error ("error spawning housekeeping thread: %s\n", +- strerror (err)); +- npth_attr_destroy (&tattr); +- } +- } +-} +- +- + /* Check the nonce on a new connection. This is a NOP unless we are + using our Unix domain socket emulation under Windows. 
*/ + static int +@@ -1945,9 +1861,6 @@ handle_connections (assuan_fd_t listen_fd) + gnupg_fd_t fd; + int nfd, ret; + fd_set fdset, read_fdset; +- struct timespec abstime; +- struct timespec curtime; +- struct timespec timeout; + int saved_errno; + int my_inotify_fd = -1; + +@@ -1987,9 +1900,7 @@ handle_connections (assuan_fd_t listen_fd) + #endif /*HAVE_INOTIFY_INIT*/ + + +- /* Setup the fdset. It has only one member. This is because we use +- pth_select instead of pth_accept to properly sync timeouts with +- to full second. */ ++ /* Setup the fdset. */ + FD_ZERO (&fdset); + FD_SET (FD2INT (listen_fd), &fdset); + nfd = FD2INT (listen_fd); +@@ -2000,9 +1911,6 @@ handle_connections (assuan_fd_t listen_fd) + nfd = my_inotify_fd; + } + +- npth_clock_gettime (&abstime); +- abstime.tv_sec += TIMERTICK_INTERVAL; +- + /* Main loop. */ + for (;;) + { +@@ -2013,7 +1921,7 @@ handle_connections (assuan_fd_t listen_fd) + break; /* ready */ + + /* Do not accept new connections but keep on running the +- * loop to cope with the timer events. ++ * select loop to wait for signals (e.g. SIGCHLD). + * + * Note that we do not close the listening socket because a + * client trying to connect to that socket would instead +@@ -2033,24 +1941,14 @@ handle_connections (assuan_fd_t listen_fd) + /* Take a copy of the fdset. */ + read_fdset = fdset; + +- npth_clock_gettime (&curtime); +- if (!(npth_timercmp (&curtime, &abstime, <))) +- { +- /* Timeout. 
*/ +- handle_tick (); +- npth_clock_gettime (&abstime); +- abstime.tv_sec += TIMERTICK_INTERVAL; +- } +- npth_timersub (&abstime, &curtime, &timeout); +- + #ifndef HAVE_W32_SYSTEM +- ret = npth_pselect (nfd+1, &read_fdset, NULL, NULL, &timeout, npth_sigev_sigmask()); ++ ret = npth_pselect (nfd+1, &read_fdset, NULL, NULL, NULL, npth_sigev_sigmask()); + saved_errno = errno; + + while (npth_sigev_get_pending(&signo)) + handle_signal (signo); + #else +- ret = npth_eselect (nfd+1, &read_fdset, NULL, NULL, &timeout, NULL, NULL); ++ ret = npth_eselect (nfd+1, &read_fdset, NULL, NULL, NULL, NULL, NULL); + saved_errno = errno; + #endif + +@@ -2064,8 +1962,7 @@ handle_connections (assuan_fd_t listen_fd) + + if (ret <= 0) + { +- /* Interrupt or timeout. Will be handled when calculating the +- next timeout. */ ++ /* Interrupt. Will be handled at the top of the next loop. */ + continue; + } + diff --git a/patches/gpg-agent-idling/0001-agent-Create-framework-of-scheduled-timers.patch b/patches/gpg-agent-idling/0001-agent-Create-framework-of-scheduled-timers.patch new file mode 100644 index 0000000..b758117 --- /dev/null +++ b/patches/gpg-agent-idling/0001-agent-Create-framework-of-scheduled-timers.patch 
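Review bot: With the timeout argument of `npth_pselect` and `npth_eselect` now NULL, nothing periodic re-evaluates the shutdown test at the top of the loop in handle_connections. The condition guarding `break; /* ready */` is outside the hunk; if it depends on the connection count reaching zero, a connection that ends after shutdown was requested no longer wakes the loop, whereas the removed 60-second tick used to. The rewritten comment names SIGCHLD as the wake-up source, but no hunk here shows SIGCHLD being registered with npth_sigev_add, so that is worth confirming. If the wake-up is indeed missing, either the thread that drops the last connection has to signal the main loop or a finite timeout should be kept while shutdown is pending.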
@@ -0,0 +1,192 @@ +From: Daniel Kahn Gillmor +Date: Mon, 31 Oct 2016 21:27:36 -0400 +Subject: agent: Create framework of scheduled timers. + +agent/gpg-agent.c (handle_tick): Remove intermittent call to +check_own_socket. +(tv_is_set): Add inline helper function for readability. +(handle_connections) Create general table of pending scheduled +timeouts. + +-- + +handle_tick() does fine-grained, rapid activity. check_own_socket() +is supposed to happen at a different interval. + +Mixing the two of them makes it a requirement that one interval be a +multiple of the other, which isn't ideal if there are different delay +strategies that we might want in the future. + +Creating an extensible regular timer framework in handle_connections +should make it possible to have any number of cadenced timers fire +regularly, without requiring that they happen in cadences related to +each other. + +It should also make it possible to dynamically change the cadence of +any regularly-scheduled timeout. + +Signed-off-by: Daniel Kahn Gillmor +--- + agent/gpg-agent.c | 87 ++++++++++++++++++++++++++++++++++++------------------- + 1 file changed, 58 insertions(+), 29 deletions(-) + +diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c +index f5ecea544..82c8ae062 100644 +--- a/agent/gpg-agent.c ++++ b/agent/gpg-agent.c +@@ -2270,11 +2270,6 @@ create_directories (void) + static void + handle_tick (void) + { +- static time_t last_minute; +- +- if (!last_minute) +- last_minute = time (NULL); +- + /* Check whether the scdaemon has died and cleanup in this case. */ + agent_scd_check_aliveness (); + +@@ -2293,16 +2288,6 @@ handle_tick (void) + } + } + #endif /*HAVE_W32_SYSTEM*/ +- +- /* Code to be run from time to time. 
*/ +-#if CHECK_OWN_SOCKET_INTERVAL > 0 +- if (last_minute + CHECK_OWN_SOCKET_INTERVAL <= time (NULL)) +- { +- check_own_socket (); +- last_minute = time (NULL); +- } +-#endif +- + } + + +@@ -2699,6 +2684,15 @@ start_connection_thread_ssh (void *arg) + } + + ++/* helper function for readability: test whether a given struct ++ timespec is set to all-zeros */ ++static inline int ++tv_is_set (struct timespec tv) ++{ ++ return tv.tv_sec || tv.tv_nsec; ++} ++ ++ + /* Connection handler loop. Wait for connection requests and spawn a + thread after accepting a connection. */ + static void +@@ -2716,9 +2710,11 @@ handle_connections (gnupg_fd_t listen_fd, + gnupg_fd_t fd; + int nfd; + int saved_errno; ++ int idx; + struct timespec abstime; + struct timespec curtime; + struct timespec timeout; ++ struct timespec *select_timeout; + #ifdef HAVE_W32_SYSTEM + HANDLE events[2]; + unsigned int events_set; +@@ -2734,6 +2730,14 @@ handle_connections (gnupg_fd_t listen_fd, + { "browser", start_connection_thread_browser }, + { "ssh", start_connection_thread_ssh } + }; ++ struct { ++ struct timespec interval; ++ void (*func) (void); ++ struct timespec next; ++ } timertbl[] = { ++ { { TIMERTICK_INTERVAL, 0 }, handle_tick }, ++ { { CHECK_OWN_SOCKET_INTERVAL, 0 }, check_own_socket } ++ }; + + + ret = npth_attr_init(&tattr); +@@ -2823,9 +2827,6 @@ handle_connections (gnupg_fd_t listen_fd, + listentbl[2].l_fd = listen_fd_browser; + listentbl[3].l_fd = listen_fd_ssh; + +- npth_clock_gettime (&abstime); +- abstime.tv_sec += TIMERTICK_INTERVAL; +- + for (;;) + { + /* Shutdown test. */ +@@ -2854,18 +2855,47 @@ handle_connections (gnupg_fd_t listen_fd, + thus a simple assignment is fine to copy the entire set. */ + read_fdset = fdset; + ++ /* loop through all timers, fire any registered functions, and ++ plan next timer to trigger */ + npth_clock_gettime (&curtime); +- if (!(npth_timercmp (&curtime, &abstime, <))) +- { +- /* Timeout. 
*/ +- handle_tick (); +- npth_clock_gettime (&abstime); +- abstime.tv_sec += TIMERTICK_INTERVAL; +- } +- npth_timersub (&abstime, &curtime, &timeout); ++ abstime.tv_sec = abstime.tv_nsec = 0; ++ for (idx=0; idx < DIM(timertbl); idx++) ++ { ++ /* schedule any unscheduled timers */ ++ if ((!tv_is_set (timertbl[idx].next)) && tv_is_set (timertbl[idx].interval)) ++ npth_timeradd (&timertbl[idx].interval, &curtime, &timertbl[idx].next); ++ /* if a timer is due, fire it ... */ ++ if (tv_is_set (timertbl[idx].next)) ++ { ++ if (!(npth_timercmp (&curtime, &timertbl[idx].next, <))) ++ { ++ timertbl[idx].func (); ++ npth_clock_gettime (&curtime); ++ /* ...and reschedule it, if desired: */ ++ if (tv_is_set (timertbl[idx].interval)) ++ npth_timeradd (&timertbl[idx].interval, &curtime, &timertbl[idx].next); ++ else ++ timertbl[idx].next.tv_sec = timertbl[idx].next.tv_nsec = 0; ++ } ++ } ++ /* accumulate next timer to come due in abstime: */ ++ if (tv_is_set (timertbl[idx].next) && ++ ((!tv_is_set (abstime)) || ++ (npth_timercmp (&abstime, &timertbl[idx].next, >)))) ++ abstime = timertbl[idx].next; ++ } ++ /* choose a timeout for the select loop: */ ++ if (tv_is_set (abstime)) ++ { ++ npth_timersub (&abstime, &curtime, &timeout); ++ select_timeout = &timeout; ++ } ++ else ++ select_timeout = NULL; ++ + + #ifndef HAVE_W32_SYSTEM +- ret = npth_pselect (nfd+1, &read_fdset, NULL, NULL, &timeout, ++ ret = npth_pselect (nfd+1, &read_fdset, NULL, NULL, select_timeout, + npth_sigev_sigmask ()); + saved_errno = errno; + +@@ -2875,7 +2905,7 @@ handle_connections (gnupg_fd_t listen_fd, + handle_signal (signo); + } + #else +- ret = npth_eselect (nfd+1, &read_fdset, NULL, NULL, &timeout, ++ ret = npth_eselect (nfd+1, &read_fdset, NULL, NULL, select_timeout, + events, &events_set); + saved_errno = errno; + +@@ -2898,7 +2928,6 @@ handle_connections (gnupg_fd_t listen_fd, + + if (!shutdown_pending) + { +- int idx; + ctrl_t ctrl; + npth_t thread; + 
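Review bot: `npth_timersub (&abstime, &curtime, &timeout);` in the new timer loop of handle_connections can produce a negative timeout, which the old code could not. curtime is refreshed after every callback, while the `next` value of a timer handled earlier in the same pass was computed from the older curtime, so a later callback that runs longer than that interval leaves abstime before curtime. A negative timespec is typically rejected by pselect with EINVAL, so I would clamp it after the subtraction: `if (timeout.tv_sec < 0) timeout.tv_sec = timeout.tv_nsec = 0;`. Whether check_own_socket or handle_tick can actually run that long is not visible in this hunk.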
diff --git a/patches/gpg-agent-idling/0002-agent-Allow-threads-to-interrupt-main-select-loop-wi.patch b/patches/gpg-agent-idling/0002-agent-Allow-threads-to-interrupt-main-select-loop-wi.patch new file mode 100644 index 0000000..6d294d3 --- /dev/null +++ b/patches/gpg-agent-idling/0002-agent-Allow-threads-to-interrupt-main-select-loop-wi.patch 
@@ -0,0 +1,101 @@ +From: Daniel Kahn Gillmor +Date: Tue, 1 Nov 2016 00:45:23 -0400 +Subject: agent: Allow threads to interrupt main select loop with SIGCONT. + +* agent/gpg-agent.c (interrupt_main_thread_loop): New function on +non-windows platforms, allows other threads to interrupt the main loop +if there's something that the main loop might be interested in. + +-- + +For example, the main loop might be interested in changes in program +state that affect the timers it expects to see. + +I don't know how to do this on Windows platforms, but i welcome any +proposed improvements. + +Signed-off-by: Daniel Kahn Gillmor +--- + agent/agent.h | 1 + + agent/gpg-agent.c | 19 ++++++++++++++++++- + 2 files changed, 19 insertions(+), 1 deletion(-) + +diff --git a/agent/agent.h b/agent/agent.h +index 89dc46d05..147d242ec 100644 +--- a/agent/agent.h ++++ b/agent/agent.h +@@ -345,6 +345,7 @@ void *get_agent_scd_notify_event (void); + #endif + void agent_sighup_action (void); + int map_pk_openpgp_to_gcry (int openpgp_algo); ++void interrupt_main_thread_loop (void); + + /*-- command.c --*/ + gpg_error_t agent_inq_pinentry_launched (ctrl_t ctrl, unsigned long pid, +diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c +index 82c8ae062..04a775c9b 100644 +--- a/agent/gpg-agent.c ++++ b/agent/gpg-agent.c +@@ -382,6 +382,9 @@ static char *current_logfile; + watched. */ + static pid_t parent_pid = (pid_t)(-1); + ++/* Record the pid of the main thread, for easier signalling */ ++static pid_t main_thread_pid = (pid_t)(-1); ++ + /* Number of active connections. 
*/ + static int active_connections; + +@@ -2020,7 +2023,7 @@ get_agent_scd_notify_event (void) + GetCurrentProcess(), &h2, + EVENT_MODIFY_STATE|SYNCHRONIZE, TRUE, 0)) + { +- log_error ("setting syncronize for scd notify event failed: %s\n", ++ log_error ("setting synchronize for scd notify event failed: %s\n", + w32_strerror (-1) ); + CloseHandle (h); + } +@@ -2346,6 +2349,10 @@ handle_signal (int signo) + agent_sigusr2_action (); + break; + ++ /* nothing to do here, just take an extra cycle on the select loop */ ++ case SIGCONT: ++ break; ++ + case SIGTERM: + if (!shutdown_pending) + log_info ("SIGTERM received - shutting down ...\n"); +@@ -2684,6 +2691,13 @@ start_connection_thread_ssh (void *arg) + } + + ++void interrupt_main_thread_loop (void) ++{ ++#ifndef HAVE_W32_SYSTEM ++ kill (main_thread_pid, SIGCONT); ++#endif ++} ++ + /* helper function for readability: test whether a given struct + timespec is set to all-zeros */ + static inline int +@@ -2752,8 +2766,10 @@ handle_connections (gnupg_fd_t listen_fd, + npth_sigev_add (SIGUSR1); + npth_sigev_add (SIGUSR2); + npth_sigev_add (SIGINT); ++ npth_sigev_add (SIGCONT); + npth_sigev_add (SIGTERM); + npth_sigev_fini (); ++ main_thread_pid = getpid (); + #else + # ifdef HAVE_W32CE_SYSTEM + /* Use a dummy event. */ +@@ -2765,6 +2781,7 @@ handle_connections (gnupg_fd_t listen_fd, + # endif + #endif + ++ + if (disable_check_own_socket) + my_inotify_fd = -1; + else if ((err = gnupg_inotify_watch_socket (&my_inotify_fd, socket_name))) diff --git a/patches/gpg-agent-idling/0003-agent-Avoid-tight-timer-tick-when-possible.patch b/patches/gpg-agent-idling/0003-agent-Avoid-tight-timer-tick-when-possible.patch new file mode 100644 index 0000000..c1d8ee0 --- /dev/null +++ b/patches/gpg-agent-idling/0003-agent-Avoid-tight-timer-tick-when-possible.patch 
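Review bot: `main_thread_pid` is initialised to `(pid_t)(-1)` and interrupt_main_thread_loop passes it to kill() unchecked; kill with pid -1 delivers the signal to every process the caller is permitted to signal. That happens if the function runs before handle_connections has stored getpid(), or in a run mode where handle_connections is never entered (the callers are not visible in this hunk). The call should be guarded: `if (main_thread_pid != (pid_t)(-1)) kill (main_thread_pid, SIGCONT);`. The stored value is the process id, so the signal is process-directed rather than aimed at one thread; the variable's name and comment should say so.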
@@ -0,0 +1,87 @@ +From: Daniel Kahn Gillmor +Date: Tue, 1 Nov 2016 00:14:10 -0400 +Subject: agent: Avoid tight timer tick when possible. + +* agent/gpg-agent.c (need_tick): Evaluate whether the short-phase +handle_tick() is needed. +(handle_connections): On each cycle of the select loop, adjust whether +we should call handle_tick() or not. +* agent/call-scd.c (start_scd): Call interrupt_main_thread_loop() once +the scdaemon thread context has started up. + +-- + +With this change, an idle gpg-agent that has no scdaemon running only +wakes up once a minute (to check_own_socket). + +Signed-off-by: Daniel Kahn Gillmor +--- + agent/call-scd.c | 4 +++- + agent/gpg-agent.c | 25 ++++++++++++++++++++++++- + 2 files changed, 27 insertions(+), 2 deletions(-) + +diff --git a/agent/call-scd.c b/agent/call-scd.c +index ba59c1825..1ac0f6ba5 100644 +--- a/agent/call-scd.c ++++ b/agent/call-scd.c +@@ -407,7 +407,9 @@ start_scd (ctrl_t ctrl) + + primary_scd_ctx = ctx; + primary_scd_ctx_reusable = 0; +- ++ /* notify the main loop that something has changed */ ++ interrupt_main_thread_loop (); ++ + leave: + xfree (abs_homedir); + if (err) +diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c +index 04a775c9b..1bfe0f3ae 100644 +--- a/agent/gpg-agent.c ++++ b/agent/gpg-agent.c +@@ -2267,6 +2267,26 @@ create_directories (void) + } + + ++static int ++need_tick (void) ++{ ++#ifdef HAVE_W32_SYSTEM ++ /* We do not know how to interrupt the select loop on Windows, so we ++ always need a short tick there. */ ++ return 1; ++#else ++ /* if we were invoked like "gpg-agent cmd arg1 arg2" then we need to ++ watch our parent. */ ++ if (parent_pid != (pid_t)(-1)) ++ return 1; ++ /* if scdaemon is running, we need to check that it's alive */ ++ if (agent_scd_check_running ()) ++ return 1; ++ /* otherwise, nothing fine-grained to do. */ ++ return 0; ++#endif /*HAVE_W32_SYSTEM*/ ++} ++ + + /* This is the worker for the ticker. It is called every few seconds + and may only do fast operations. 
*/ +@@ -2325,7 +2345,7 @@ agent_sigusr2_action (void) + + #ifndef HAVE_W32_SYSTEM + /* The signal handler for this program. It is expected to be run in +- its own trhead and not in the context of a signal handler. */ ++ its own thread and not in the context of a signal handler. */ + static void + handle_signal (int signo) + { +@@ -2872,6 +2892,9 @@ handle_connections (gnupg_fd_t listen_fd, + thus a simple assignment is fine to copy the entire set. */ + read_fdset = fdset; + ++ /* avoid a fine-grained timer if we don't need one: */ ++ timertbl[0].interval.tv_sec = need_tick () ? TIMERTICK_INTERVAL : 0; ++ + /* loop through all timers, fire any registered functions, and + plan next timer to trigger */ + npth_clock_gettime (&curtime); diff --git a/patches/gpg-agent-idling/0004-agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch b/patches/gpg-agent-idling/0004-agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch new file mode 100644 index 0000000..6a565ea --- /dev/null +++ b/patches/gpg-agent-idling/0004-agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch 
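Review bot: `timertbl[0].interval.tv_sec = need_tick () ? TIMERTICK_INTERVAL : 0;` addresses the handle_tick entry by its position in the initializer, so reordering or inserting a row in timertbl silently retargets the assignment; the following patch does the same with `timertbl[1]`. Named indices, for example `enum { TIMER_TICK, TIMER_CHECK_OWN_SOCKET };` used at both assignments, would make the coupling explicit. need_tick is also added without a header comment; `/* Return true if the short handle_tick interval is currently required. */` would match the style of the neighbouring functions.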
@@ -0,0 +1,26 @@ +From: Daniel Kahn Gillmor +Date: Tue, 1 Nov 2016 00:57:44 -0400 +Subject: agent: Avoid scheduled checks on socket when inotify is working. + +* agent/gpg-agent.c (handle_connections): When inotify is working, we +do not need to schedule a timer to evaluate whether we control our own +socket or not. + +Signed-off-by: Daniel Kahn Gillmor +--- + agent/gpg-agent.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c +index 1bfe0f3ae..0e5354947 100644 +--- a/agent/gpg-agent.c ++++ b/agent/gpg-agent.c +@@ -2894,6 +2894,8 @@ handle_connections (gnupg_fd_t listen_fd, + + /* avoid a fine-grained timer if we don't need one: */ + timertbl[0].interval.tv_sec = need_tick () ? TIMERTICK_INTERVAL : 0; ++ /* avoid waking up to check sockets if we can count on inotify */ ++ timertbl[1].interval.tv_sec = (my_inotify_fd == -1) ? CHECK_OWN_SOCKET_INTERVAL : 0; + + /* loop through all timers, fire any registered functions, and + plan next timer to trigger */ diff --git a/patches/series b/patches/series new file mode 100644 index 0000000..1ea9189 --- /dev/null +++ b/patches/series 
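Review bot: `(my_inotify_fd == -1) ? CHECK_OWN_SOCKET_INTERVAL : 0` keeps the periodic wake-up whenever there is no inotify descriptor, and handle_connections itself sets `my_inotify_fd = -1` when disable_check_own_socket is set (visible as context in the SIGCONT patch of this series). An agent with the check disabled therefore still wakes at every interval for a check the user turned off. `timertbl[1].interval.tv_sec = (my_inotify_fd == -1 && !disable_check_own_socket) ? CHECK_OWN_SOCKET_INTERVAL : 0;` would cover that case. Whether check_own_socket already returns early on its own is not visible here.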
@@ -0,0 +1,25 @@
+debian-packaging/0001-avoid-beta-warning.patch
+block-ptrace-on-agent/0002-Avoid-simple-memory-dumps-via-ptrace.patch
+debian-packaging/0003-avoid-regenerating-defsincdate-use-shipped-file.patch
+dirmngr-idling/0001-dirmngr-hkp-Avoid-potential-race-condition-when-some.patch
+dirmngr-idling/0002-dimrngr-Avoid-need-for-hkp-housekeeping.patch
+dirmngr-idling/0004-dirmngr-Avoid-automatically-checking-upstream-swdb.patch
+dirmngr-idling/0005-dirmngr-Drop-useless-housekeeping.patch
+gpg-agent-idling/0001-agent-Create-framework-of-scheduled-timers.patch
+gpg-agent-idling/0002-agent-Allow-threads-to-interrupt-main-select-loop-wi.patch
+gpg-agent-idling/0003-agent-Avoid-tight-timer-tick-when-possible.patch
+gpg-agent-idling/0004-agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch
+0012-gpgscm-Guard-use-of-union-member.patch
+0013-dirmngr-Fix-for-disable-libdns-usage.patch
+0014-dirmngr-Strip-root-zone-suffix-from-libdns-cname-res.patch
+0015-doc-Remove-warning-that-DNS-is-not-routed-via-Tor.patch
+0016-build-Enable-gcc-warnings-to-detect-non-portable-cod.patch
+0017-Replace-use-of-variable-length-arrays.patch
+0018-dirmngr-New-debug-message-on-correctly-initialized-l.patch
+0019-dirmngr-Make-sure-Tor-mode-is-also-set-for-DNS-on-SI.patch
+0020-doc-Extend-dirmngr-s-allow-version-check-description.patch
+0021-doc-Add-release-announcement-pointers-to-NEWS-entrie.patch
+0022-g10-avoid-warning-when-disable-tofu.patch
+0023-doc-Mention-gpgv-in-the-description-of-gpg-verify.patch
+0024-Silence-two-Wlogical-op-warnings.patch
+0025-doc-Document-summary-values-of-TOFU_STATS.patch
diff --git a/rules b/rules
new file mode 100755
index 0000000..241cead
--- /dev/null
+++ b/rules
@@ -0,0 +1,67 @@
+#!/usr/bin/make -f
+# debian/rules file - for GnuPG
+# Copyright 1994,1995 by Ian Jackson.
+# Copyright 1998-2003 by James Troup.
+# Copyright 2003-2004 by Matthias Urlichs.
+#
+# I hereby give you perpetual unlimited permission to copy,
+# modify and relicense this file, provided that you do not remove
+# my name from the file itself. (I assert my moral right of
+# paternity under the Copyright, Designs and Patents Act 1988.)
+# This file may have to be extensively modified
+
+include /usr/share/dpkg/architecture.mk
+
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+# avoid -pie for gpgv-static on hppa, kfreebsd-amd64, and x32
+# platforms, which cannot support it by default:
+ifeq (,$(filter $(DEB_HOST_ARCH), hppa kfreebsd-amd64 x32))
+GPGV_STATIC_HARDENING = "-pie"
+else
+GPGV_STATIC_HARDENING = ""
+endif
+
+%:
+ dh $@ --with=autoreconf --builddirectory=build
+
+GPGV_UDEB_UNNEEDED = gpgtar bzip2 gpgsm scdaemon dirmngr doc tofu exec ldap gnutls sqlite libdns
+
+WIN32_FLAGS=LDFLAGS="-Xlinker --no-insert-timestamp -static" CFLAGS="-g -Os" CPPFLAGS=
+
+override_dh_auto_configure:
+ dh_auto_configure --builddirectory=build-gpgv-udeb -- \
+ --enable-gpg2-is-gpg \
+ $(foreach x, $(GPGV_UDEB_UNNEEDED), --disable-$(x))
+ dh_auto_configure --builddirectory=build -- --libexecdir=\$${prefix}/lib/gnupg \
+ --enable-gpg2-is-gpg \
+ --enable-symcryptrun --enable-large-secmem
+
+override_dh_auto_build-arch:
+ dh_auto_build --builddirectory=build-gpgv-udeb
+ dh_auto_build --builddirectory=build
+ cp -a build-gpgv-udeb build-gpgv-static
+ rm -f build-gpgv-static/g10/gpgv
+ cd build-gpgv-static/g10 && $(MAKE) LDFLAGS="$$LDFLAGS $(GPGV_STATIC_HARDENING) -static" gpgv
+ mv build-gpgv-static/g10/gpgv build-gpgv-static/g10/gpgv-static
+
+override_dh_auto_build-indep:
+ mkdir -p build-gpgv-win32
+ cd build-gpgv-win32 && $(WIN32_FLAGS) ../configure \
+ $(foreach x, $(GPGV_UDEB_UNNEEDED), --disable-$(x)) \
+ $(foreach x, libgpg-error libgcrypt libassuan ksba npth,
--with-$x-prefix=/usr/i686-w64-mingw32) \
+ --enable-gpg2-is-gpg \
+ --with-zlib=/usr/i686-w64-mingw \
+ --prefix=/usr/i686-w64-mingw32 \
+ --host i686-w64-mingw32
+ cd build-gpgv-win32/common && $(WIN32_FLAGS) $(MAKE) libcommon.a
+ cd build-gpgv-win32/common && $(WIN32_FLAGS) $(MAKE) libgpgrl.a
+ cd build-gpgv-win32/common && $(WIN32_FLAGS) $(MAKE) libsimple-pwquery.a
+ cd build-gpgv-win32/kbx && $(WIN32_FLAGS) $(MAKE) libkeybox.a
+ cd build-gpgv-win32/g10 && $(WIN32_FLAGS) $(MAKE) gpgv.exe
+ strip build-gpgv-win32/g10/gpgv.exe
+
+override_dh_shlibdeps:
+# Make ldap a recommends rather than a hard dependency.
+ dpkg-shlibdeps -Tdebian/dirmngr.substvars -dRecommends debian/dirmngr/usr/lib/gnupg/dirmngr_ldap -dDepends debian/dirmngr/usr/bin/dirmngr*
+ dh_shlibdeps -Ndirmngr
diff --git a/scdaemon.examples b/scdaemon.examples
new file mode 100644
index 0000000..29f41a8
--- /dev/null
+++ b/scdaemon.examples
@@ -0,0 +1 @@
+doc/examples/scd-event
diff --git a/scdaemon.install b/scdaemon.install
new file mode 100644
index 0000000..a2a79aa
--- /dev/null
+++ b/scdaemon.install
@@ -0,0 +1 @@
+debian/tmp/usr/lib/gnupg/scdaemon
diff --git a/scdaemon.lintian-overrides b/scdaemon.lintian-overrides
new file mode 100644
index 0000000..b575cb1
--- /dev/null
+++ b/scdaemon.lintian-overrides
@@ -0,0 +1,4 @@
+# there is actually a function for interacting with the smartcard
+# called "writen" that writes n octets; it is in the binary because it
+# can be emitted in debug output:
+scdaemon: spelling-error-in-binary usr/lib/gnupg/scdaemon writen written
diff --git a/scdaemon.manpages b/scdaemon.manpages
new file mode 100644
index 0000000..9efee23
--- /dev/null
+++ b/scdaemon.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man1/scdaemon.1
diff --git a/scdaemon.udev b/scdaemon.udev
new file mode 100644
index 0000000..d2efb55
--- /dev/null
+++ b/scdaemon.udev
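Review bot: In override_dh_auto_build-indep the zlib prefix is `--with-zlib=/usr/i686-w64-mingw`, while every other path in the same configure call (`--with-$x-prefix`, `--prefix`) uses `/usr/i686-w64-mingw32`; this looks like a dropped `32`, and if so configure is pointed at a directory that presumably does not exist. I would change the line to `--with-zlib=/usr/i686-w64-mingw32 \`. Separately, `WIN32_FLAGS` sets LDFLAGS, CFLAGS and CPPFLAGS by hand for a direct `../configure` run, so the `hardening=+all` option exported at the top does not obviously reach gpgv.exe. Since gpgv.exe is the binary that verifies signatures, a comment above `WIN32_FLAGS` saying whether the unhardened build is intentional would help the next maintainer.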
@@ -0,0 +1,46 @@
+# do not edit this file, it will be overwritten on update
+
+SUBSYSTEM!="usb", GOTO="gnupg_rules_end"
+ACTION!="add", GOTO="gnupg_rules_end"
+
+# USB SmartCard Readers
+## Cherry GmbH (XX33, ST2000)
+ATTR{idVendor}=="046a", ATTR{idProduct}=="0005", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+ATTR{idVendor}=="046a", ATTR{idProduct}=="0010", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+ATTR{idVendor}=="046a", ATTR{idProduct}=="003e", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## SCM Microsystems, Inc (SCR331-DI, SCR335, SCR3320, SCR331, SCR3310 and SPR532)
+ATTR{idVendor}=="04e6", ATTR{idProduct}=="5111", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+ATTR{idVendor}=="04e6", ATTR{idProduct}=="5115", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+ATTR{idVendor}=="04e6", ATTR{idProduct}=="5116", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+ATTR{idVendor}=="04e6", ATTR{idProduct}=="5117", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+ATTR{idVendor}=="04e6", ATTR{idProduct}=="e001", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+ATTR{idVendor}=="04e6", ATTR{idProduct}=="e003", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Omnikey AG (CardMan 3821, CardMan 6121)
+ATTR{idVendor}=="076b", ATTR{idProduct}=="3821", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+ATTR{idVendor}=="076b", ATTR{idProduct}=="6622", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Gemalto
+ATTR{idVendor}=="08e6", ATTR{idProduct}=="3437", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+ATTR{idVendor}=="08e6", ATTR{idProduct}=="3438", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+ATTR{idVendor}=="08e6", ATTR{idProduct}=="3478", ENV{ID_SMARTCARD_READER}="1",
ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+ATTR{idVendor}=="08e6", ATTR{idProduct}=="34c2", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+ATTR{idVendor}=="08e6", ATTR{idProduct}=="34ec", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Reiner (SCT cyberJack)
+ATTR{idVendor}=="0c4b", ATTR{idProduct}=="0500", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Kobil (KAAN)
+ATTR{idVendor}=="0d46", ATTR{idProduct}=="2012", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## VASCO (DIGIPASS 920)
+ATTR{idVendor}=="1a44", ATTR{idProduct}=="0920", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Crypto Stick
+ATTR{idVendor}=="20a0", ATTR{idProduct}=="4107", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Nitrokey
+ATTR{idVendor}=="20a0", ATTR{idProduct}=="4108", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+ATTR{idVendor}=="20a0", ATTR{idProduct}=="4109", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+ATTR{idVendor}=="20a0", ATTR{idProduct}=="4211", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Gnuk Token
+ATTR{idVendor}=="234b", ATTR{idProduct}=="0000", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Alcor Micro Corp cardreader (in ThinkPad X250)
+ATTR{idVendor}=="058f", ATTR{idProduct}=="9540", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Fujitsu Siemens
+ATTR{idVendor}=="0bf8", ATTR{idProduct}=="1006", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+
+LABEL="gnupg_rules_end"
diff --git a/source/format b/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/source/lintian-overrides b/source/lintian-overrides
new file mode 100644
index 0000000..b5221c7
--- /dev/null
+++ b/source/lintian-overrides
@@ -0,0 +1,4 @@
+# doc merely references / cites IETF RFC:
+gnupg2 source: license-problem-non-free-RFC doc/OpenPGP
+gnupg2 source: license-problem-non-free-RFC debian/copyright
+
diff --git a/source/options b/source/options
new file mode 100644
index 0000000..f0f8ede
--- /dev/null
+++ b/source/options
@@ -0,0 +1,3 @@
+# let dpkg-source create a debian.tar.bz2 with maximal compression
+compression = "bzip2"
+compression-level = 9
diff --git a/systemd-user/gpg-agent-browser.socket b/systemd-user/gpg-agent-browser.socket
new file mode 100644
index 0000000..67690ce
--- /dev/null
+++ b/systemd-user/gpg-agent-browser.socket
@@ -0,0 +1,13 @@
+[Unit]
+Description=GnuPG cryptographic agent (access for web browsers)
+Documentation=man:gpg-agent(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent.browser
+FileDescriptorName=browser
+Service=gpg-agent.service
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
diff --git a/tests/control b/tests/control
new file mode 100644
index 0000000..9178821
--- /dev/null
+++ b/tests/control
@@ -0,0 +1,3 @@
+Tests: gpgv-win32
+Depends: gpgv-win32, gnupg2, gpgv2
+Restrictions: needs-root, allow-stderr
diff --git a/tests/gpgv-win32 b/tests/gpgv-win32
new file mode 100755
index 0000000..3142a65
--- /dev/null
+++ b/tests/gpgv-win32
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+set -e
+
+export GNUPGHOME=$(mktemp -d)
+
+arch=$(dpkg --print-architecture)
+
+case "$arch" in
+ amd64)
+ if ! dpkg --print-foreign-architectures | grep -Fqx i386; then
+ echo "I: setting up multiarch"
+ dpkg --add-architecture i386
+ apt update # FIXME you might want to try this up to some N times to avoid failures on temporary network issues
+ fi
+ ;;
+ arm64)
+ if ! dpkg --print-foreign-architectures | grep -Fqx armhf; then
+ echo "I: setting up multiarch"
+ dpkg --add-architecture armhf
+ apt update # FIXME you might want to try this up to some N times to avoid failures on temporary network issues
+ fi
+ ;;
+ i386|armel|armhf|powerpc)
+ : nothing, tests should just work
+ ;;
+ *)
+ echo "I: skipping tests on $arch; only works on amd64, i386, arm64, armhf, armel, and powerpc"
+ exit
+ ;;
+esac
+
+if ! dpkg-query --status wine32 | grep -Fqx 'Status: install ok installed'; then
+ DEBIAN_FRONTEND=noninteractive apt install -qy wine32 # FIXME ditto
+fi
+
+echo 'no-allow-loopback-pinentry:16' | gpgconf --change-options gpg-agent
+
+# Generate a minimal signing key:
+gpg2 --batch --debug-quick-random --pinentry-mode loopback --passphrase '' --quick-gen-key 'Test key for gpgv-win32 '
+
+gpg2 -o "$GNUPGHOME/key.gpg" --export test-key@example.com
+
+# Sign this very script
+rm -f "${0}.gpg"
+gpg2 --output "${0}.gpg" --detach-sign "${0}"
+
+# Verify using gpgv
+gpgv2 --keyring "$GNUPGHOME/key.gpg" "${0}.gpg" "${0}"
+
+# Verify using gpgv.exe
+wine /usr/share/win32/gpgv.exe --keyring "Z:\\\\${GNUPGHOME}/key.gpg" "Z:\\\\$(pwd)/${0}.gpg" "Z:\\\\$(pwd)/${0}"
+
+rm -rf "$GNUPGHOME"
diff --git a/upstream/signing-key.asc b/upstream/signing-key.asc
new file mode 100644
index 0000000..1e57599
--- /dev/null
+++ b/upstream/signing-key.asc
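Review bot: `export GNUPGHOME=$(mktemp -d)` hides a mktemp failure from `set -e`, because the status of that line is the status of `export`; the script would then continue with an empty GNUPGHOME and, since tests/control runs it with needs-root, generate and export the throwaway key in root's default GnuPG home. Splitting it into `GNUPGHOME=$(mktemp -d)` followed by `export GNUPGHOME` lets the failure abort the run. The final `rm -rf "$GNUPGHOME"` is also skipped whenever an earlier command fails, so a `trap 'rm -rf "$GNUPGHOME"' EXIT` right after the assignment would clean up on every path. The user ID passed to `--quick-gen-key` shows no address on this page while the export selects `test-key@example.com`; that may only be markup lost in rendering, but it is worth checking against the file.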
@@ -0,0 +1,109 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2 + +mQENBE0ti4EBCACqGtKlX9jI/enhlBdy2cyQP6Q7JoyxtaG6/ckAKWHYrqFTQk3I +Ue8TuDrGT742XFncG9PoMBfJDUNltIPgKFn8E9tYQqAOlpSA25bOb30cA2ADkrjg +jvDAH8cZ+fkIayWtObTxwqLfPivjFxEM//IdShFFVQj+QHmXYBJggWyEIil8Bje7 +KRw6B5ucs4qSzp5VH4CqDr9PDnLD8lBGHk0x8jpwh4V/yEODJKATY0Vj00793L8u +qA35ZiyczUvvJSLYvf7STO943GswkxdAfqxXbYifiK2gjE/7SAmB+2jFxsonUDOB +1BAY5s3FKqrkaxZr3BBjeuGGoCuiSX/cXRIhABEBAAG0Fldlcm5lciBLb2NoIChk +aXN0IHNpZymJAT4EEwECACgFAk0ti4ECGwMFCRDdnwIGCwkIBwMCBhUIAgkKCwQW +AgMBAh4BAheAAAoJECSbOdJPJeO2PlMIAJxPtFXf5yozPpFjRbSkSdjsk9eru05s +hKZOAKw3RUePTU80SRLPdg4AH+vkm1JMWFFpwvHlgfxqnE9rp13o7L/4UwNUwqH8 +5zCwu7SHz9cX3d4UUwzcP6qQP4BQEH9/xlpQS9eTK9b2RMyggqwd/J8mxjvoWzL8 +Klf/wl6jXHn/yP92xG9/YA86lNOL1N3/PhlZzLuJ6bdD9WzsEp/+kh3UDfjkIrOc +WkqwupB+d01R4bHPu9tvXy8Xut8Sok2zku2xVkEOsV2TXHbwuHO2AGC5pWDX6wgC +E4F5XeCB/0ovao2/bk22w1TxzP6PMxo6sLkmaF6D0frhM2bl4C/uSsq5AQ0ETS2L +gQEIAKHwucgbaRj0V7Ht0FnM6RmbqwZ7IFV2lR+YN1gkZaWRRCaJoPEZFKhhPEBX +1bDVwr/iTPaPPEtpi7oQoHk65yeLrhtOmXXpNVkV/5WQjAJIrWn+JQ3z/ZejxHUL +hzKsGg5FC6pRYcEyzRXHtv4BO9kBIKNVirZjEkQG4BnIrQgl6e2YFa47GNMqcQH7 +nJdwG1cGQOZOIDQQM41gBzwoSrStMA6DjHkukFegKfcSbSLArBtYNAwTwmW7RqOM +EJwlo0+NYx2Yn75x66bYwdlsP0FLOgez/O/IxoPRxXr0l4e+uj6dFHqvBi04dx6J +sPmXEyeAyLiCWSh7Rwq8uIhBUBUAEQEAAYkBJQQYAQIADwUCTS2LgQIbIAUJEN2f +AgAKCRAkmznSTyXjtrsSCACRNgfGkD0OqOiwYo1/+KyWnrQLusVvSYOw8hN66geU +3BO8iQ0Koy+m0QKY1kWjaHwewpg8ZebY4E2sHbNIC9Spyiyz29sAJ2invf4/4Mep +TgpxNiw4+XmykCkN1AfVhvMTQXMzRbO5ZwRtPpjsMr1j5vX1s6U3/RxSAItpAkCu +1GGTTOH0r12Ochc/um+QGAyO6WUj/IiZ1MX7toXW0SCo8DSl8z5Q7KmJWF6TQLK1 +Lku4bIVG1Huwo1/0WHc2vCad5BxHjgoy8TsKLTmvYQZWtnjWvQGV2UOABYWcacut +ZXQQ2PPCIY7LlpuS/45CXWbT5Y+mxY3y7dbz4aF+8uyCiJwEEAECAAYFAk0tjQQA +CgkQU7Yg0BzgxjBGTwQAi5qzI6cJslbyOl+TeDZVnLV0FmPuDg8dojvQrVDPxfem +IjxZZoMLCVM8ly8AC2JPrIYfN040C343saIc0tTtOwwmVMuy7G/Uex22CdWH/0HB +MpG4gFuOuQmW9QQDjEdh1DgwU2gAWonX54ZlMybWss+2NCikRwMflVUupH57BauZ +AQ0EVFA7IwEIAOYQcDfRdzqin/vZlwl1AyuJW+cDI3bYvesRtOIAJ+8FqOzp+nOZ 
+7a4mULkXUeRh3HcO91wughXoR3qP3klWIlqgTQQHxPVM25BEvnGPuMA86lWnKoSs +Xe9F5h0IMiu6aURvzMJC9VMgKwhhgCjejFf9n8zuiBkMN457Ubnt/9jxhpxmorDQ +Cpb7bR1mfdbsuCmOXwTNfbkAoGXceL/P6z9PskKrFk8CVCr8pseRiHzWgib4Bfr/ +mj68LKcQTH/Y6R16g154eC6PAvxrEDA+hgpVX0I7L781Byh9nqC+KDX5LvlGuQbg +B2IvrgLs6lfU3aRfTwqUDMj37rmXJTDy3TMAEQEAAbQyTklJQkUgWXV0YWthIChH +bnVQRyBSZWxlYXNlIEtleSkgPGduaWliZUBmc2lqLm9yZz6JATwEEwEIACYFAlRQ +OyMCGwMFCQPCZwAFCwcICQMEFQgJCgUWAgMBAAIeAQIXgAAKCRAgcbCKM70/BnX/ +CADQspqXXAVlrwU9SidzYbPAT1iGRmIkHwoD9rtPr/9xbg3jr8azCKpknE3VF0qz +UH6unsQwxTduGhey0sFwhi96WOqHiU8FYKxNPb786nACaCfOOB1MdymcIxMQ51mS +0PlIqtOPa1VpZcCVYr9SwQRqcDdy/Oh/Ljifuub4Shrs/VgYIcv74iGyLroSVt6G +KVNP/HFyQddSOLVcO+hqAQQ0QeTmPhnaaFa2OcZyW+6IGRLhd7N7M0xb988DKllf +huRRE1sZ3yO2RvcSq35u/5lChID5SS/wA9oDOPyVFLD4JiMPGmgzSO2aI+uT678O +jjoI5UD8hfbZpg1PZjYqhYlXuQENBFRQOyMBCAC94CWuMHLmP1B7oFxU0FjKv3D6 +RTpLSLqC/nqRWeKVdlSddR4LnO/r9ahRsGgekAEVyeD04SKAD7g3OWMhWvEsK6aY +gmzc0cLJCJRTsLW+X7kRWo33KUAKIpKYO8VF8iErWejajvo5UgN3y1V/anqlBU45 +DalLk/mu6JXOr6t7u83+IscTrFQTkW17wOxoc6i9zDOU1FoWZFyNU+hxpPCGndfn +S25qzaEpb1qzxYoHpyttCkGX4R3siX6gAkRLIPhsYK4sZihBZhTBgHdAVYSYkCrK +hRNWoSb3XpUhdT5l88uPozwxXruXmzk6WCv6ZdCJ+0rGShwJjU1j6g+Fksk9ABEB +AAGJASUEGAEIAA8FAlRQOyMCGwwFCQPCZwAACgkQIHGwijO9Pwbgqwf7BfdPgAkx +Mrt0BJeLJu1ItnCQ4cZ8rbuS5gwAxrY80QXDoJquwRWs1AXaBu0VW+9KvWdp0uhQ +b0Wy7fv40rRtC+T8nuE/1jaf2byMIfQwPVp3ODH+O3WZew1KvrQZquDKimgHxRso +WH5vq2VjohI8oQuQNN8AYeyxYo74eB8+3WfUrdw4MYiJcKd20MjoZZS16Klb99qm +LVZfE/dt/+wwZYFB7cpb5vvvE1voqS+ycD2Rt0irRg6ulw7OXoUrJ25sfkrv9otD +omDl9V//pyJZSp+IiwK4r0xnk8sjXHgXkzUdIyS0AB17Aw1+G2sbUKyX/SdOgzN7 +D8qEd3C7n53TwpkBDQRUUF8HAQgAh1mo8r+kVWVTNsNlyurm2tdZKiQbdeVgpBgc +DnqI3fAV58C3nC8DVuK5qVGZPB/jbu42jc8BXGP1l6UP+515LQL5GpTtV0pRWUO0 +2WOuTLZBVQcq53vzbg1xVo31rWV96mqGAPs8lGUCm09fpuiVKQojO6/Ihkg7/bnz +eSbcX5Xk9eKLhyB7tnakuYJeRYm4bjs+YDApK8IFQyevYF8pjTcbLTSNJPW9WLCs +ozsy11r4xdfRcTWjARVz5VzTnQ+Px8YtsnjQ3qwNJBpsqMLCdDN7YGhh/mlwPjgd +q/UFf5+bY6f3ew0vshBqInBQycBSmYyoX0Ye3sAS/OR4nu5ZaQARAQABtD5EYXZp 
+ZCBTaGF3IChHbnVQRyBSZWxlYXNlIFNpZ25pbmcgS2V5KSA8ZHNoYXdAamFiYmVy +d29ja3kuY29tPokBPgQTAQIAKAUCVFBfBwIbAwUJCbp27gYLCQgHAwIGFQgCCQoL +BBYCAwECHgECF4AACgkQBDdvPuCFaVmIoQf+POxCWkCTicRVlq0kust/iwYO1egK +9FWG130e2Irnv2lAZZN/0S5ibjHCYFp9gfMgmtVTF5oWXjSDAy/kIykQBBcUVx4S +CJbdMtKSdsSIQMz6P4DxXumxQm79msOsbi5TsdtUwjqdrbu2sHloE7ck/hTXUCkX +3zuqtxY7W23BCQxVVT5qUaFuAHkkQaaBgAb8gdgixmkIBfu9u8k3k9zUKm/PNfMj +xClvORkP8gev+XyzNgcXM49h5YYlmDT+Ahv99nUM1wg8yJTjefBAY0fL982Scx30 +nDQO3w7ihALUoj5+TXQjhs3sWPJ8u3pstr9XcfzEZC77/CZmRYNr8g5hBrkBDQRU +UF8HAQgAodT0id+C6PMV7C8JxE8POGvX2wA6QLw29ESO0Ws8+Jq9EPQ3114mH+sC ++kDsweCDMyaY34i8gvh6hWxG9JfZmSkRUv0QX2zvlcwr8SOZ9dXzrV7ip+QgpzO2 +2eYRnH/RB+KWfFzqSop51sd1Uls41qKphDEm/ZAnnTwxYWX6jElOCpIuemTAiSxp +qtjPXVftchSEy06/bDRFuC4FevfU5aWTg3FSZEZpk0KF5RZBdzvOfX9PwHf2Fxhg +QtLkAsdvvWzDToYD0qOecM/MGt1doryBo8IkAiHJ+TRNyVi6/fAq/rig3brF5ETG +N7W5IRRGoLetY++4YO+1gY7Ea+1tZwARAQABiQElBBgBAgAPBQJUUF8HAhsgBQkJ +unbuAAoJEAQ3bz7ghWlZ6PAH/iTMC5+H/Ynj7G1KOjhyoufPoM+j+g4Ec8RmEA6v +YOWIi8F4AU86iS6Sq2HkZXSKxLgAYbWuseFHS6QA/qZPDPdIv8TceE3jMW3ZEmmm +nCsS6cmkQhpjRCKuWGfaOyZIEV2BT6Ere+MU5jU+wRqkbJGk1BS8myQHkZRN/5dg +fo5syFYKY4T64Z7DvlbQF70cCARlsIwk4lN6QJ/iqaHR9c2sWtzHfxAvdctApdg5 +w8GRcEpdDMieejha/lBMRTYVWY1vrEg++mkkhvCOkBilDFFCVojOnSdTJy7dNZji +BlEFwlmcjLq984C5FRwj5+eN0Bev5hZsWobLeRqt8QOGMlG5AQ0EVFBfBwEIAK4b +kUPSxSlmE8GHAI4FNQDA+QZzIvLPpf1p5JqFULpJeelwfVtbj6qOfPKwXVvam0yH +OiyrMnffdlZ/6+QXjP665RdbsPzEDPxCH972eGmdw8yV95wmPCVaoyBTH9XBDTX2 +52h0vPjgcbbOLUvUuYBV8C74ir6ESoA20g/rjYEGjJ/UAtgBGIfMo0Vk2Qc6/7wx +M3jNPxUc/6h5oiggUkgdbFcgzC2sOAUj3nJ0CS01dNPJuAlGPRjig9o61/PiumSO +Vy98efAetsjLLS00ysAmjxj7eFuxnf73TJOyAItKZPv3i7K4LIgMZXwL71Ox00zU +dzm6H+/JomSorqtLlOUAEQEAAYkBJQQYAQIADwUCVFBfBwIbDAUJCbp27gAKCRAE +N28+4IVpWbkxB/0azsvpA9eJPr6oNu3Iw4aCvLQi9I2jodGXpsNg3GN+ATp3PKMi +21KsneqkYXzwxY+27HAwNSQEmMeyOh37nkPXJMlBgJ0+aV7J2nAj3as310gnV3kY +Id8NXvLi+YLngqfTyQpxedDhBeSyTYLAP96mDtUuGFQ9/TWBF0wjZkBqFllnsmmU +Cs9lMmdaFUk1cT1/R1vwiGz1mAaUzyP2NNUnXsoE25TkeXg+Kf95QkxS0C3C9S+c 
+A4jCCHXEuGFxMe4+6IbubsVepIUFrlzbUaYpYB8lwFQutoSJ1qLc2jFcW00Qy2Z2 +SOVYJ5oyMhZNei0ZFsgQ9tp2PhtICjm5JfvPmQENBFRDqVIBCAC0k8eZKDmNqdma +wOlJ/m62L2g8uXT/+/vAEGb1yaib09xI6tfGXzbqlDwrLIZcJsSIT/nt/ajJnIVb +c3137va4XbwMzsDpAMH4mmiToqk+izEChGm2knzrLwhoflR8aGsKL35QoZT/erdj +fgPeCRLvf25fHsN2Jb0WIMzC56VkMeFoza+9HZ5hrkemmm+gPvIvhEUopxCyOS8m +K5WjB4zzIdyDJfkqVpHvafNP0N4LIsedKdyHcj/K3kY4Kejl99GW1z1snBgPamoN +2/e52Pf6KTw2FjsSGZ72oalcrkBR4wacUizGxKcRD2Y6Xa0g9mwToWdNBQCIII+u +TzOzq1EDABEBAAG0IVdlcm5lciBLb2NoIChSZWxlYXNlIFNpZ25pbmcgS2V5KYkB +PQQTAQgAJwUCVEOpUgIbAwUJC6oF9QULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAK +CRCKhhscfv1g2aH7B/wIW6mVmTmzW2xc1q1MUdssExQBhEeONrbWJ/HiGZP/Maab +gQ/+wZuThTAwfGM5zFQBOvrBOGURhINU6lYQlcOrVo+V8Z1mNQKFWaKxJaY5Ku1b +B1OuX9FHLEiMibogHu5fjJIXBE8XrnvueejyFQ5g/uX2xcGgCWlMe49sR3K+lEl3 +n93xTmSNhP52r0gTjMjbqKWKUaIGJ5OcWSrvawdfqLXkxR8phq2AlHHEfxpcZsOp +9mZirWYQ5jcgGgFP0LYXUw/RnxFpOcrj45qufmyEL9QJKjBV5RaHJbqukefwUInP +QtVUmINqQxztSh5QxQP2tsUPIeEi5RAoCwLJam8z +=PXPh +-----END PGP PUBLIC KEY BLOCK----- diff --git a/watch b/watch new file mode 100644 index 0000000..e6d36a1 --- /dev/null +++ b/watch @@ -0,0 +1,5 @@ +version=4 + +opts=pgpsigurlmangle=s/$/.sig/ \ + https://gnupg.org/ftp/gcrypt/gnupg/gnupg@ANY_VERSION@@ARCHIVE_EXT@ \ + debian uupdate -- 2.30.2