From ab3044b4536b70bda8686649bc300c42f25517b7 Mon Sep 17 00:00:00 2001 From: Alexis Hildebrandt Date: Tue, 7 Feb 2023 12:17:48 +0100 Subject: [PATCH 1/3] libgcrypt: 1.5.6 -> 1.8.10 --- pkgs/development/libraries/libgcrypt/1.5.nix | 53 -------------- pkgs/development/libraries/libgcrypt/1.8.nix | 75 ++++++++++++++++++++ pkgs/top-level/all-packages.nix | 2 +- 3 files changed, 76 insertions(+), 54 deletions(-) delete mode 100644 pkgs/development/libraries/libgcrypt/1.5.nix create mode 100644 pkgs/development/libraries/libgcrypt/1.8.nix diff --git a/pkgs/development/libraries/libgcrypt/1.5.nix b/pkgs/development/libraries/libgcrypt/1.5.nix deleted file mode 100644 index 918ed20efaaf..000000000000 --- a/pkgs/development/libraries/libgcrypt/1.5.nix +++ /dev/null @@ -1,53 +0,0 @@ -{ lib, stdenv, fetchpatch, fetchurl, libgpg-error, enableCapabilities ? false, libcap }: - -assert enableCapabilities -> stdenv.isLinux; - -stdenv.mkDerivation rec { - pname = "libgcrypt"; - version = "1.5.6"; - - src = fetchurl { - url = "mirror://gnupg/libgcrypt/libgcrypt-${version}.tar.bz2"; - sha256 = "0ydy7bgra5jbq9mxl5x031nif3m6y3balc6ndw2ngj11wnsjc61h"; - }; - - patches = lib.optionals stdenv.isDarwin [ - (fetchpatch { - name = "fix-x86_64-apple-darwin.patch"; - sha256 = "138sfwl1avpy19320dbd63mskspc1khlc93j1f1zmylxx3w19csi"; - url = "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=71939faa7c54e7b4b28d115e748a85f134876a02"; - }) - ]; - - buildInputs = - [ libgpg-error ] - ++ lib.optional enableCapabilities libcap; - - # Make sure libraries are correct for .pc and .la files - # Also make sure includes are fixed for callers who don't use libgpgcrypt-config - postInstall = '' - sed -i 's,#include ,#include "${libgpg-error.dev}/include/gpg-error.h",g' $out/include/gcrypt.h - '' + lib.optionalString enableCapabilities '' - sed -i 's,\(-lcap\),-L${libcap.lib}/lib \1,' $out/lib/libgcrypt.la - ''; - - doCheck = true; - - meta = with lib; { - homepage = "https://www.gnu.org/software/libgcrypt/"; - description = "General-pupose cryptographic library"; - license = licenses.lgpl2Plus; - platforms = platforms.all; - knownVulnerabilities = [ - "CVE-2014-3591" - "CVE-2015-0837" - "CVE-2015-7511" - "CVE-2017-0379" - "CVE-2017-7526" - "CVE-2017-9526" - "CVE-2018-0495" - "CVE-2018-6829" - "CVE-2018-12437" - ]; - }; -} diff --git a/pkgs/development/libraries/libgcrypt/1.8.nix b/pkgs/development/libraries/libgcrypt/1.8.nix new file mode 100644 index 000000000000..cce79780f1cb --- /dev/null +++ b/pkgs/development/libraries/libgcrypt/1.8.nix @@ -0,0 +1,75 @@ +{ lib +, stdenv +, fetchurl +, libgpg-error +, enableCapabilities ? false, libcap +, buildPackages +# for passthru.tests +, gnupg +, libotr +, rsyslog +}: + +assert enableCapabilities -> stdenv.isLinux; + +stdenv.mkDerivation rec { + pname = "libgcrypt"; + version = "1.8.10"; + + src = fetchurl { + url = "mirror://gnupg/libgcrypt/libgcrypt-${version}.tar.bz2"; + sha256 = "sha256-aJaRVQH5UeI9AtywRTRpwswiqk13oAH/c6JkfC0p590="; + }; + + outputs = [ "out" "dev" "info" ]; + outputBin = "dev"; + + # The CPU Jitter random number generator must not be compiled with + # optimizations and the optimize -O0 pragma only works for gcc. + # The build enables -O2 by default for everything else. + hardeningDisable = lib.optional stdenv.cc.isClang "fortify"; + + depsBuildBuild = [ buildPackages.stdenv.cc ]; + + buildInputs = [ libgpg-error ] + ++ lib.optional enableCapabilities libcap; + + strictDeps = true; + + configureFlags = [ "--with-libgpg-error-prefix=${libgpg-error.dev}" ] + ++ lib.optional (stdenv.hostPlatform.isMusl || (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64)) "--disable-asm"; # for darwin see https://dev.gnupg.org/T5157 + + # Necessary to generate correct assembly when compiling for aarch32 on + # aarch64 + configurePlatforms = [ "host" "build" ]; + + postConfigure = '' + sed -i configure \ + -e 's/NOEXECSTACK_FLAGS=$/NOEXECSTACK_FLAGS="-Wa,--noexecstack"/' + ''; + + # Make sure libraries are correct for .pc and .la files + # Also make sure includes are fixed for callers who don't use libgpgcrypt-config + postFixup = '' + sed -i 's,#include ,#include "${libgpg-error.dev}/include/gpg-error.h",g' "$dev/include/gcrypt.h" + '' + lib.optionalString enableCapabilities '' + sed -i 's,\(-lcap\),-L${libcap.lib}/lib \1,' $out/lib/libgcrypt.la + ''; + + doCheck = true; + + passthru.tests = { + inherit gnupg libotr rsyslog; + }; + + meta = with lib; { + homepage = "https://www.gnu.org/software/libgcrypt/"; + changelog = "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=NEWS;hb=refs/tags/${pname}-${version}"; + description = "General-purpose cryptographic library"; + license = licenses.lgpl2Plus; + platforms = platforms.all; + knownVulnerabilities = [ + "CVE-2018-12437" # CVE is about LibTomCrypt + ]; + }; +} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index b98217a2e6c3..29b5cd8e478d 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -21467,7 +21467,7 @@ with pkgs; libgcrypt = callPackage ../development/libraries/libgcrypt { }; - libgcrypt_1_5 = callPackage ../development/libraries/libgcrypt/1.5.nix { }; + libgcrypt_1_8 = callPackage ../development/libraries/libgcrypt/1.8.nix { }; libgdiplus = callPackage ../development/libraries/libgdiplus { inherit (darwin.apple_sdk.frameworks) Carbon; From 858391dfad508a2f1b80e571802c40813baa285f Mon Sep 17 00:00:00 2001 From: Alexis Hildebrandt Date: Tue, 7 Feb 2023 12:18:33 +0100 Subject: [PATCH 2/3] gnupg: Add LTS version 2.2.41 --- ...eviously-known-keys-even-without-UI.patch} | 26 ++-- pkgs/tools/security/gnupg/22.nix | 115 ++++++++++++++++++ ...reviously-known-keys-even-without-UI.patch | 107 ++++++++++++++++ pkgs/tools/security/gnupg/24.nix | 54 +++++--- pkgs/top-level/all-packages.nix | 7 +- 5 files changed, 276 insertions(+), 33 deletions(-) rename pkgs/tools/security/gnupg/{allow-import-of-previously-known-keys-even-without-UI.patch => 22-allow-import-of-previously-known-keys-even-without-UI.patch} (82%) create mode 100644 pkgs/tools/security/gnupg/22.nix create mode 100644 pkgs/tools/security/gnupg/24-allow-import-of-previously-known-keys-even-without-UI.patch diff --git a/pkgs/tools/security/gnupg/allow-import-of-previously-known-keys-even-without-UI.patch b/pkgs/tools/security/gnupg/22-allow-import-of-previously-known-keys-even-without-UI.patch similarity index 82% rename from pkgs/tools/security/gnupg/allow-import-of-previously-known-keys-even-without-UI.patch rename to pkgs/tools/security/gnupg/22-allow-import-of-previously-known-keys-even-without-UI.patch index 98dda54fc7fa..e8fbe1688402 100644 --- a/pkgs/tools/security/gnupg/allow-import-of-previously-known-keys-even-without-UI.patch +++ b/pkgs/tools/security/gnupg/22-allow-import-of-previously-known-keys-even-without-UI.patch @@ -16,11 +16,12 @@ Signed-off-by: Daniel Kahn Gillmor g10/import.c | 44 +++++++++++--------------------------------- 1 file changed, 11 insertions(+), 33 deletions(-) + diff --git a/g10/import.c b/g10/import.c -index 5d3162c..f9acf95 100644 +index cd3363fc7..8f10771db 100644 --- a/g10/import.c +++ b/g10/import.c -@@ -1788,7 +1788,6 @@ import_one_real (ctrl_t ctrl, +@@ -1858,7 +1858,6 @@ import_one_real (ctrl_t ctrl, size_t an; char pkstrbuf[PUBKEY_STRING_SIZE]; int merge_keys_done = 0; @@ -28,12 +29,11 @@ index 5d3162c..f9acf95 100644 KEYDB_HANDLE hd = NULL; if (r_valid) -@@ -1825,14 +1824,6 @@ import_one_real (ctrl_t ctrl, - log_printf ("\n"); +@@ -1896,13 +1895,6 @@ import_one_real (ctrl_t ctrl, } -- -- if (!uidnode) + +- if (!uidnode ) - { - if (!silent) - log_error( _("key %s: no user ID\n"), keystr_from_pk(pk)); @@ -43,17 +43,17 @@ index 5d3162c..f9acf95 100644 if (screener && screener (keyblock, screener_arg)) { log_error (_("key %s: %s\n"), keystr_from_pk (pk), -@@ -1907,18 +1898,10 @@ import_one_real (ctrl_t ctrl, +@@ -1977,18 +1969,10 @@ import_one_real (ctrl_t ctrl, } } - /* Delete invalid parts and bail out if there are no user ids left. */ -- if (!delete_inv_parts (ctrl, keyblock, keyid, options)) +- if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs)) - { - if (!silent) - { -- log_error ( _("key %s: no valid user IDs\n"), keystr_from_pk(pk)); -- if (!opt.quiet) +- log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk)); +- if (!opt.quiet ) - log_info(_("this may be caused by a missing self-signature\n")); - } - stats->no_user_id++; @@ -62,11 +62,11 @@ index 5d3162c..f9acf95 100644 + /* Delete invalid parts, and note if we have any valid ones left. + * We will later abort import if this key is new but contains + * no valid uids. */ -+ delete_inv_parts (ctrl, keyblock, keyid, options); ++ delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs); /* Get rid of deleted nodes. */ commit_kbnode (&keyblock); -@@ -1927,24 +1911,11 @@ import_one_real (ctrl_t ctrl, +@@ -1998,24 +1982,11 @@ import_one_real (ctrl_t ctrl, { apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid); commit_kbnode (&keyblock); @@ -91,7 +91,7 @@ index 5d3162c..f9acf95 100644 } /* The keyblock is valid and ready for real import. */ -@@ -2002,6 +1973,13 @@ import_one_real (ctrl_t ctrl, +@@ -2073,6 +2044,13 @@ import_one_real (ctrl_t ctrl, err = 0; stats->skipped_new_keys++; } diff --git a/pkgs/tools/security/gnupg/22.nix b/pkgs/tools/security/gnupg/22.nix new file mode 100644 index 000000000000..3a4309075b76 --- /dev/null +++ b/pkgs/tools/security/gnupg/22.nix @@ -0,0 +1,115 @@ +{ lib, stdenv, fetchurl, buildPackages +, pkg-config, texinfo +, gettext, libassuan, libgcrypt, libgpg-error, libiconv, libksba, npth +, adns, bzip2, gnutls, libusb1, openldap, readline, sqlite, zlib +, enableMinimal ? false +, withPcsc ? !enableMinimal, pcsclite +, guiSupport ? stdenv.isDarwin, pinentry +}: + +with lib; + +let + pinentryBinaryPath = pinentry.binaryPath or "bin/pinentry"; +in + +assert guiSupport -> enableMinimal == false; + +stdenv.mkDerivation rec { + pname = "gnupg"; + version = "2.2.41"; + + src = fetchurl { + url = "mirror://gnupg/gnupg/${pname}-${version}.tar.bz2"; + hash = "sha256-E/MpEAel6FRvy3vAxmEM5EqqmzmVBZ1PgUW6Cf1b4+E="; + }; + + depsBuildBuild = [ buildPackages.stdenv.cc ]; + nativeBuildInputs = [ pkg-config texinfo ]; + buildInputs = [ + gettext libassuan libgcrypt libgpg-error libiconv libksba npth + ] ++ lib.optionals (!enableMinimal) [ + adns bzip2 gnutls libusb1 openldap readline sqlite zlib + ]; + + patches = [ + ./fix-libusb-include-path.patch + ./tests-add-test-cases-for-import-without-uid.patch + ./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch + + # The following patch has no effect as the code is + # "[d]isabled for 2.2.19 to due problems with the standard hkps pool." + #./0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch + + ./22-allow-import-of-previously-known-keys-even-without-UI.patch + ]; + + postPatch = '' + sed -i 's,hkps://hkps.pool.sks-keyservers.net,hkps://keys.openpgp.org,g' configure doc/dirmngr.texi doc/gnupg.info-1 + # Fix broken SOURCE_DATE_EPOCH usage - remove on the next upstream update + sed -i 's/$SOURCE_DATE_EPOCH/''${SOURCE_DATE_EPOCH}/' doc/Makefile.am + sed -i 's/$SOURCE_DATE_EPOCH/''${SOURCE_DATE_EPOCH}/' doc/Makefile.in + '' + lib.optionalString (stdenv.isLinux && withPcsc) '' + sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c + ''; + + configureFlags = [ + "--with-libgpg-error-prefix=${libgpg-error.dev}" + "--with-libgcrypt-prefix=${libgcrypt.dev}" + "--with-libassuan-prefix=${libassuan.dev}" + "--with-ksba-prefix=${libksba.dev}" + "--with-npth-prefix=${npth}" + ] + ++ lib.optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentryBinaryPath}" + ++ lib.optional stdenv.isDarwin "--disable-ccid-driver"; + + postInstall = if enableMinimal + then '' + rm -r $out/{libexec,sbin,share} + for f in $(find $out/bin -type f -not -name gpg) + do + rm $f + done + '' else '' + mkdir -p $out/lib/systemd/user + for f in doc/examples/systemd-user/*.{service,socket} ; do + substitute $f $out/lib/systemd/user/$(basename $f) \ + --replace /usr/bin $out/bin + done + + # add gpg2 symlink to make sure git does not break when signing commits + ln -s $out/bin/gpg $out/bin/gpg2 + + # Make libexec tools available in PATH + for f in $out/libexec/; do + if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi + ln -s $f $out/bin/$(basename $f) + done + + ln -s -t $out/bin $out/libexec/* + ''; + + enableParallelBuilding = true; + + passthru.tests.connman = nixosTests.gnupg; + + meta = with lib; { + homepage = "https://gnupg.org"; + description = "LTS release of the GNU Privacy Guard, a GPL OpenPGP implementation"; + license = licenses.gpl3Plus; + longDescription = '' + The GNU Privacy Guard is the GNU project's complete and free + implementation of the OpenPGP standard as defined by RFC4880. GnuPG + "modern" (2.1) is the latest development with a lot of new features. + GnuPG allows to encrypt and sign your data and communication, features a + versatile key management system as well as access modules for all kind of + public key directories. GnuPG, also known as GPG, is a command line tool + with features for easy integration with other applications. A wealth of + frontend applications and libraries are available. Version 2 of GnuPG + also provides support for S/MIME. + ''; + maintainers = with maintainers; [ fpletz vrthra ]; + platforms = platforms.all; + mainProgram = "gpg"; + }; +} diff --git a/pkgs/tools/security/gnupg/24-allow-import-of-previously-known-keys-even-without-UI.patch b/pkgs/tools/security/gnupg/24-allow-import-of-previously-known-keys-even-without-UI.patch new file mode 100644 index 000000000000..8d4f703a3dd1 --- /dev/null +++ b/pkgs/tools/security/gnupg/24-allow-import-of-previously-known-keys-even-without-UI.patch @@ -0,0 +1,107 @@ +From: Vincent Breitmoser +Date: Thu, 13 Jun 2019 21:27:42 +0200 +Subject: gpg: allow import of previously known keys, even without UIDs + +* g10/import.c (import_one): Accept an incoming OpenPGP certificate that +has no user id, as long as we already have a local variant of the cert +that matches the primary key. + +-- + +This fixes two of the three broken tests in import-incomplete.scm. + +GnuPG-Bug-id: 4393 +Signed-off-by: Daniel Kahn Gillmor +--- + g10/import.c | 44 +++++++++++--------------------------------- + 1 file changed, 11 insertions(+), 33 deletions(-) + + +diff --git a/g10/import.c b/g10/import.c +index 9fab46ca6..61896a6bf 100644 +--- a/g10/import.c ++++ b/g10/import.c +@@ -1954,7 +1954,6 @@ import_one_real (ctrl_t ctrl, + size_t an; + char pkstrbuf[PUBKEY_STRING_SIZE]; + int merge_keys_done = 0; +- int any_filter = 0; + KEYDB_HANDLE hd = NULL; + + if (r_valid) +@@ -1992,13 +1991,6 @@ import_one_real (ctrl_t ctrl, + } + + +- if (!uidnode) +- { +- if (!silent) +- log_error( _("key %s: no user ID\n"), keystr_from_pk(pk)); +- return 0; +- } +- + if (screener && screener (keyblock, screener_arg)) + { + log_error (_("key %s: %s\n"), keystr_from_pk (pk), +@@ -2078,18 +2070,10 @@ import_one_real (ctrl_t ctrl, + } + } + +- /* Delete invalid parts and bail out if there are no user ids left. */ +- if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs)) +- { +- if (!silent) +- { +- log_error ( _("key %s: no valid user IDs\n"), keystr_from_pk(pk)); +- if (!opt.quiet) +- log_info(_("this may be caused by a missing self-signature\n")); +- } +- stats->no_user_id++; +- return 0; +- } ++ /* Delete invalid parts, and note if we have any valid ones left. ++ * We will later abort import if this key is new but contains ++ * no valid uids. */ ++ delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs); + + /* Get rid of deleted nodes. */ + commit_kbnode (&keyblock); +@@ -2099,24 +2083,11 @@ import_one_real (ctrl_t ctrl, + { + apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid); + commit_kbnode (&keyblock); +- any_filter = 1; + } + if (import_filter.drop_sig) + { + apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig); + commit_kbnode (&keyblock); +- any_filter = 1; +- } +- +- /* If we ran any filter we need to check that at least one user id +- * is left in the keyring. Note that we do not use log_error in +- * this case. */ +- if (any_filter && !any_uid_left (keyblock)) +- { +- if (!opt.quiet ) +- log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk)); +- stats->no_user_id++; +- return 0; + } + + /* The keyblock is valid and ready for real import. */ +@@ -2174,6 +2145,13 @@ import_one_real (ctrl_t ctrl, + err = 0; + stats->skipped_new_keys++; + } ++ else if (err && !any_uid_left (keyblock)) ++ { ++ if (!silent) ++ log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid)); ++ err = 0; ++ stats->no_user_id++; ++ } + else if (err) /* Insert this key. */ + { + /* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY. */ diff --git a/pkgs/tools/security/gnupg/24.nix b/pkgs/tools/security/gnupg/24.nix index c1f2825e8e93..0334964c473a 100644 --- a/pkgs/tools/security/gnupg/24.nix +++ b/pkgs/tools/security/gnupg/24.nix @@ -1,13 +1,19 @@ -{ fetchurl, fetchpatch, lib, stdenv, pkg-config, libgcrypt, libassuan, libksba -, libgpg-error, libiconv, npth, gettext, texinfo, buildPackages -, nixosTests -, guiSupport ? stdenv.isDarwin, enableMinimal ? false -, adns, bzip2, gnutls, libusb1, openldap -, pinentry, readline, sqlite, zlib +{ lib, stdenv, fetchurl, buildPackages +, pkg-config, texinfo +, gettext, libassuan, libgcrypt, libgpg-error, libiconv, libksba, npth +, adns, bzip2, gnutls, libusb1, openldap, readline, sqlite, zlib +, enableMinimal ? false , withPcsc ? !enableMinimal, pcsclite +, guiSupport ? stdenv.isDarwin, pinentry , withTpm2Tss ? !stdenv.isDarwin && !enableMinimal, tpm2-tss }: +with lib; + +let + pinentryBinaryPath = pinentry.binaryPath or "bin/pinentry"; +in + assert guiSupport -> enableMinimal == false; stdenv.mkDerivation rec { @@ -16,44 +22,49 @@ stdenv.mkDerivation rec { src = fetchurl { url = "mirror://gnupg/gnupg/${pname}-${version}.tar.bz2"; - sha256 = "sha256-HXkVjdAdmSQx3S4/rLif2slxJ/iXhOosthDGAPsMFIM="; + hash = "sha256-HXkVjdAdmSQx3S4/rLif2slxJ/iXhOosthDGAPsMFIM="; }; depsBuildBuild = [ buildPackages.stdenv.cc ]; nativeBuildInputs = [ pkg-config texinfo ]; buildInputs = [ - libgcrypt libassuan libksba libiconv npth gettext - ] ++ lib.optionals (!enableMinimal) ([ - readline libusb1 gnutls adns openldap zlib bzip2 sqlite - ] ++ lib.optional withTpm2Tss tpm2-tss); + gettext libassuan libgcrypt libgpg-error libiconv libksba npth + ] ++ lib.optionals (!enableMinimal) [ + adns bzip2 gnutls libusb1 openldap readline sqlite zlib + ] ++ lib.optionals withTpm2Tss [ tpm2-tss ]; patches = [ ./fix-libusb-include-path.patch ./tests-add-test-cases-for-import-without-uid.patch - # TODO: Refresh patch? Doesn't apply on 2.4.0 - #./allow-import-of-previously-known-keys-even-without-UI.patch ./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch + # The following patch has no effect as the code is + # "[d]isabled for 2.3.2 to due problems with the standard hkps pool." + #./0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch + + ./24-allow-import-of-previously-known-keys-even-without-UI.patch + # Patch for DoS vuln from https://seclists.org/oss-sec/2022/q3/27 ./v3-0001-Disallow-compressed-signatures-and-certificates.patch - ]; + postPatch = '' sed -i 's,\(hkps\|https\)://keyserver.ubuntu.com,hkps://keys.openpgp.org,g' configure configure.ac doc/dirmngr.texi doc/gnupg.info-1 - '' + lib.optionalString (stdenv.isLinux && withPcsc) '' - sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c - ''; + '' + lib.optionalString (stdenv.isLinux && withPcsc) '' + sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c + ''; - pinentryBinaryPath = pinentry.binaryPath or "bin/pinentry"; configureFlags = [ "--with-libgpg-error-prefix=${libgpg-error.dev}" "--with-libgcrypt-prefix=${libgcrypt.dev}" "--with-libassuan-prefix=${libassuan.dev}" "--with-ksba-prefix=${libksba.dev}" "--with-npth-prefix=${npth}" - ] ++ lib.optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentryBinaryPath}" + ] + ++ lib.optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentryBinaryPath}" ++ lib.optional withTpm2Tss "--with-tss=intel" ++ lib.optional stdenv.isDarwin "--disable-ccid-driver"; + postInstall = if enableMinimal then '' rm -r $out/{libexec,sbin,share} @@ -76,6 +87,11 @@ stdenv.mkDerivation rec { if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi ln -s $f $out/bin/$(basename $f) done + + for f in $out/libexec/; do + if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi + ln -s $f $out/bin/$(basename $f) + done ''; enableParallelBuilding = true; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 29b5cd8e478d..a8621041d08d 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -7902,8 +7902,13 @@ with pkgs; gnupg1orig = callPackage ../tools/security/gnupg/1.nix { }; gnupg1compat = callPackage ../tools/security/gnupg/1compat.nix { }; gnupg1 = gnupg1compat; # use config.packageOverrides if you prefer original gnupg1 + + gnupg22 = callPackage ../tools/security/gnupg/22.nix { + pinentry = if stdenv.isDarwin then pinentry_mac else pinentry-gtk2; + libgcrypt = libgcrypt_1_8; + }; + gnupg24 = callPackage ../tools/security/gnupg/24.nix { - guiSupport = stdenv.isDarwin; pinentry = if stdenv.isDarwin then pinentry_mac else pinentry-gtk2; }; gnupg = gnupg24; From 530ebd6c0ddca9f228e1322d88957e392e6eae77 Mon Sep 17 00:00:00 2001 From: Alexis Hildebrandt Date: Wed, 22 Mar 2023 12:08:24 +0100 Subject: [PATCH 3/3] gnupg: Remove patch for code that is disabled upstream --- ...gr-Only-use-SKS-pool-CA-for-SKS-pool.patch | 34 ------------------- pkgs/tools/security/gnupg/22.nix | 5 --- pkgs/tools/security/gnupg/24.nix | 6 ---- 3 files changed, 45 deletions(-) delete mode 100644 pkgs/tools/security/gnupg/0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch diff --git a/pkgs/tools/security/gnupg/0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch b/pkgs/tools/security/gnupg/0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch deleted file mode 100644 index 061fb0e8de9c..000000000000 --- a/pkgs/tools/security/gnupg/0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 1c9cc97e9d47d73763810dcb4a36b6cdf31a2254 Mon Sep 17 00:00:00 2001 -From: Daniel Kahn Gillmor -Date: Sun, 30 Jun 2019 11:54:35 -0400 -Subject: [PATCH] dirmngr: Only use SKS pool CA for SKS pool - -* dirmngr/http.c (http_session_new): when checking whether the -keyserver is the HKPS pool, check specifically against the pool name, -as ./configure might have been used to select a different default -keyserver. It makes no sense to apply Kristian's certificate -authority to anything other than the literal host -hkps.pool.sks-keyservers.net. - -Signed-off-by: Daniel Kahn Gillmor -GnuPG-Bug-Id: 4593 ---- - dirmngr/http.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/dirmngr/http.c b/dirmngr/http.c -index 384f2569d..8e5d53939 100644 ---- a/dirmngr/http.c -+++ b/dirmngr/http.c -@@ -767,7 +767,7 @@ http_session_new (http_session_t *r_session, - - is_hkps_pool = (intended_hostname - && !ascii_strcasecmp (intended_hostname, -- get_default_keyserver (1))); -+ "hkps.pool.sks-keyservers.net")); - - /* If the user has not specified a CA list, and they are looking - * for the hkps pool from sks-keyservers.net, then default to --- -2.22.0 - diff --git a/pkgs/tools/security/gnupg/22.nix b/pkgs/tools/security/gnupg/22.nix index 3a4309075b76..de8bb4027b3b 100644 --- a/pkgs/tools/security/gnupg/22.nix +++ b/pkgs/tools/security/gnupg/22.nix @@ -36,11 +36,6 @@ stdenv.mkDerivation rec { ./fix-libusb-include-path.patch ./tests-add-test-cases-for-import-without-uid.patch ./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch - - # The following patch has no effect as the code is - # "[d]isabled for 2.2.19 to due problems with the standard hkps pool." - #./0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch - ./22-allow-import-of-previously-known-keys-even-without-UI.patch ]; diff --git a/pkgs/tools/security/gnupg/24.nix b/pkgs/tools/security/gnupg/24.nix index 0334964c473a..a8083215d17b 100644 --- a/pkgs/tools/security/gnupg/24.nix +++ b/pkgs/tools/security/gnupg/24.nix @@ -37,13 +37,7 @@ stdenv.mkDerivation rec { ./fix-libusb-include-path.patch ./tests-add-test-cases-for-import-without-uid.patch ./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch - - # The following patch has no effect as the code is - # "[d]isabled for 2.3.2 to due problems with the standard hkps pool." - #./0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch - ./24-allow-import-of-previously-known-keys-even-without-UI.patch - # Patch for DoS vuln from https://seclists.org/oss-sec/2022/q3/27 ./v3-0001-Disallow-compressed-signatures-and-certificates.patch ];