author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 09:59:16 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 09:59:16 +0000 |
commit | abd376d1e24e6665ef3662eb23ad76adadf78f72 (patch) | |
tree | ec7213f75b7e8c9cdbb4d335ed9ca7c11aae6f5f | |
parent | Adding upstream version 2.2.27. (diff) | |
Adding debian version 2.2.27-2+deb11u2.debian/2.2.27-2+deb11u2debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
103 files changed, 6697 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 0000000..2a30631
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,38 @@
+gnupg2 (2.2.27-2) unstable; urgency=medium
+
+ Starting with version 2.2.27-1, per-user configuration of the GnuPG
+ suite has completely moved to ~/.gnupg/gpg.conf, and ~/.gnupg/options
+ is no longer in use. Please rename the file if necessary, or move
+ its contents to the new location.
+
+ -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de> Thu, 22 Apr 2021 20:37:45 +0200
+
+gnupg2 (2.2.17-1) unstable; urgency=medium
+
+ Upstream GnuPG now defaults to not accepting third-party certifications
+ from the keyserver network. Given that the SKS keyserver network is
+ under attack via certificate flooding, and third-party certifications
+ will not be accepted anyway, we now ship with the more tightly-constrained
+ and abuse-resistant system hkps://keys.openpgp.org as the default
+ keyserver.
+
+ Users with bandwidth to spare who want to try their luck with the SKS
+ pool should add the following line to ~/.gnupg/dirmngr.conf to revert to
+ upstream's default keyserver:
+
+ keyserver hkps://hkps.pool.sks-keyservers.net
+
+ See the 2.2.17 section in the upstream NEWS file at
+ /usr/share/doc/gnupg/NEWS.gz for more information about fully
+ reverting to the old, risky behavior.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 11 Jul 2019 22:12:07 -0400
+
+gnupg2 (2.1.11-7+exp1) experimental; urgency=medium
+
+ The gnupg package now provides the "modern" version of GnuPG.
+
+ Please read /usr/share/doc/gnupg/README.Debian for details about the
+ transition from "classic" to "modern"
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 30 Mar 2016 09:59:35 -0400
diff --git a/debian/Xsession.d/90gpg-agent b/debian/Xsession.d/90gpg-agent
new file mode 100644
index 0000000..8b45b05
--- /dev/null
+++ b/debian/Xsession.d/90gpg-agent
@@ -0,0 +1,22 @@
+# On systems with systemd running, we expect the agent to be launched
+# via systemd's user mode (see
+# /usr/lib/systemd/user/gpg-agent.{socket,service} and
+# systemd.unit(5)). This allows systemd to clean up the agent
+# automatically at logout.
+
+# If systemd is absent from your system, or you do not permit it to
+# run in user mode, then you may need to manually launch gpg-agent
+# from your session initialization with something like "gpgconf
+# --launch gpg-agent"
+
+# Nonetheless, ssh and older versions of gpg require environment
+# variables to be set in order to find the agent, so we will set those
+# here.
+
+agent_sock=$(gpgconf --list-dirs agent-socket)
+export GPG_AGENT_INFO=${agent_sock}:0:1
+if [ -n "$(gpgconf --list-options gpg-agent | \
+ awk -F: '/^enable-ssh-support:/{ print $10 }')" ]; then
+ export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+fi
+
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..0a4a041
--- /dev/null
+++ b/debian/changelog
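Review bot: In debian/Xsession.d/90gpg-agent both exports use the output of `gpgconf --list-dirs` unchecked, so when gpgconf is missing, fails or prints nothing the session is left with `GPG_AGENT_INFO=:0:1` and, on the enable-ssh-support path, an empty `SSH_AUTH_SOCK` that replaces any agent socket already set in the environment. `export VAR=$(cmd)` also hides the command's exit status, and the unquoted expansions rely on the socket path containing no whitespace. I would assign first, export only a non-empty value, and quote it, as sketched below; the `|| var=` fallbacks keep a gpgconf failure from aborting the sourcing script should it run under `set -e`, which is not visible from this hunk.

```shell
# … unchanged: header comments …
agent_sock=$(gpgconf --list-dirs agent-socket) || agent_sock=
if [ -n "$agent_sock" ]; then
    export GPG_AGENT_INFO="${agent_sock}:0:1"
fi
# … unchanged: enable-ssh-support test (if … then) …
    ssh_sock=$(gpgconf --list-dirs agent-ssh-socket) || ssh_sock=
    if [ -n "$ssh_sock" ]; then
        export SSH_AUTH_SOCK="$ssh_sock"
    fi
fi
```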
@@ -0,0 +1,2528 @@ +gnupg2 (2.2.27-2+deb11u2) bullseye-security; urgency=high + + * fix broken status line (Closes: #1014157) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 01 Jul 2022 03:03:46 -0400 + +gnupg2 (2.2.27-2+deb11u1) bullseye; urgency=medium + + [ RaphaĆ«l Hertzog ] + * Avoid network interaction in generator. Closes: #993578 + + [ Christoph Biedl ] + * Backport "Scd: Fix CCID driver for SCM SPR332/SPR532". Closes: #982546 + + [ Daniel Kahn Gillmor ] + * update git to point to debian/bullseye branch + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 27 Jan 2022 14:46:11 -0500 + +gnupg2 (2.2.27-2) unstable; urgency=medium + + * Add a NEWS entry about the end of support for ~/.gnupg/options. + Closes: #985158 + + -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de> Thu, 22 Apr 2021 20:40:36 +0200 + +gnupg2 (2.2.27-1) unstable; urgency=medium + + [ NIIBE Yutaka ] + * New upstream release. + + [ Christoph Biedl ] + * Tighten libgcrypt and libksba dependency + + [ Daniel Kahn Gillmor ] + * change debian packaging branch name to debian/main + * refresh patches using gbp pq + * point to upstream commit used to improve spawning reliability + * Refresh 3072-bit default patch + * standards-version: bump to 4.5.1 (no changes needed) + * dh: bump to dh 13 + * clean up lintian overrides + * fully drop symcryptrun + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 08 Feb 2021 17:57:00 -0500 + +gnupg2 (2.2.26-1) UNRELEASED; urgency=medium + + [ Jeremiah C. Foster ] + * debian/scdaemon.udev: Add an entry for Librem Key. + + [ NIIBE Yutaka ] + * New upstream release. + * refresh patches. + * debian/rules: Add build for regexp. + * debian/gnupg-utils.install: Remove /usr/bin/symcryptrun. + Fix for gpgsplit, which is changed in upstream from 'noinst'. + * debian/patches/gpg-change-agent-spawn-2019-07-24-v2.patch: New patch to + fix a race condition, backported from master (Closes: #868550, #972525). 
+ * debian/scdaemon.udev: Add a generic entry for "Gnuk Token" and another + for GnuPG e.V. + * org.gnupg.scdaemon.metainfo.xml: Add an entry for GnuPG e.V. + + -- NIIBE Yutaka <gniibe@fsij.org> Thu, 07 Jan 2021 09:07:21 +0900 + +gnupg2 (2.2.20-1) unstable; urgency=medium + + * New upstream release + * refresh patches + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 23 Mar 2020 15:05:13 -0400 + +gnupg2 (2.2.19-3) unstable; urgency=medium + + * d/copyright update years + * Avoid errors in systemd environment generator (Closes: #950836) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 09 Mar 2020 14:27:42 -0400 + +gnupg2 (2.2.19-2) unstable; urgency=medium + + * clarify that keys.openpgp.org is a debian-specific + choice for default keyserver + * Standards-version: bump to 4.5.0 (no changes needed) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 27 Feb 2020 17:35:36 -0500 + +gnupg2 (2.2.19-1) unstable; urgency=medium + + * New upstream release + + [ Roger Shimizu ] + * d/control: Update Build-Depends: libgpg-error-dev (>= 1.35) + + [ Daniel Kahn Gillmor ] + * clean up unnecessary whitespace + * Ship identifiers for Librem Key (Closes: #932474) + * drop extra systemd user service links (Closes: #931954) + * update signing key for Werner + * fixup patch + * drop patches already upstream + * refresh patches + * cherry-pick fix from upstream + * dirmngr-idling: add some commentary about dns housekeeping + * bump standards-version to 4.4.1 (no changes needed) + * sort scdaemon metainfo.xml modalias + * announce librem key in scdaemon metainfo.xml + * add lintian overrides for executables shipped by upstream in /usr/lib/gnupg/ + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 08 Jan 2020 10:33:12 -0500 + +gnupg2 (2.2.17-3) unstable; urgency=medium + + * avoid data loss when using keyservers (see https://dev.gnupg.org/T4628) + * avoid O(N^2) operations when listing certificates with many sigs + * d/tests/gpgv-win32: make more robust + * avoid 
system CAs for HKPS pool + * build-depend on gpgrt-tools for yat2m + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 16 Jul 2019 20:20:39 -0400 + +gnupg2 (2.2.17-2) unstable; urgency=medium + + * d/tests/gpgv-win32: depend directly on wine32 (Closes: #905563) + * d/tests/gpgv-win32: by default pinentry-mode loopback is allowed upstream + * migrate-pubring-from-classic-gpg: make more robust (Closes: #931385) + * migrate-pubring-from-classic-gpg: always pass --homedir and --batch + * added test of migration script + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 13 Jul 2019 21:36:24 -0400 + +gnupg2 (2.2.17-1) unstable; urgency=medium + + * New upstream release + * upload to unstable, since buster is released + + [ kwadronaut ] + * Specify what new and old keyrings are in migration script + + [ Daniel Kahn Gillmor ] + * drop unnecessary patches, including broken patch for printing + revocation certificates + * use DEP-14 for debian/master + * refresh and reorganize patches + * only use Kristian's CA for the SKS HKPS pool + * switch to hkps://keys.openpgp.org as the default keyserver + * added NEWS entry about move to keys.openpgp.org + * Standards-Version: bump to 4.4.0 (no changes needed) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 11 Jul 2019 22:09:21 -0400 + +gnupg2 (2.2.16-2) experimental; urgency=medium + + * fix HKPS redirections + * drop dh_missing --fail-missing (Closes: #930042) + * enable cert update without uids (Closes: #930665) + * fix upstream spelling of 'arbitrary' + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 18 Jun 2019 12:59:57 -0400 + +gnupg2 (2.2.16-1) experimental; urgency=medium + + * clean up logcheck rules for gpg-agent (Closes: #918466) + * drop patches already upstream + * refresh patches + * use upstream manpages for gpg-wks-{client,server} (Closes: #918586) + * use distributed form of gpgtar, not build/tools/gpgtar + * gnupg: ship every doc that upstream ships + * gnupg-l10n: ship basic help.txt as well + 
* explicitly avoid shipping gpgscm without the Scheme library + * use dh_missing --fail-missing to catch unshipped files + * gbp-import filter: drop m4/iconv.m4 as well + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 28 May 2019 20:13:01 -0400 + +gnupg2 (2.2.15-1) experimental; urgency=medium + + * new upstream release (still in experimental, due to freeze) + * refresh patches + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 01 Apr 2019 09:56:09 -0400 + +gnupg2 (2.2.14-1) experimental; urgency=medium + + * new upstream release (to experimental, due to freeze) + * drop patches already upstream + * refresh remaining patches + * move to debhelper 12 + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 20 Mar 2019 07:19:50 -0400 + +gnupg2 (2.2.13-2) unstable; urgency=medium + + * Correct gpg-wks-server manpage (Closes: #927431) Thanks, ju xor! + * Fix handling private keys with comments (Closes: #928963, #928964) + * clean up logcheck rules for gpg-agent (Closes: #918466) + * Update gpg-wks-client.1 (Closes: #918586) + * cherry-pick more patches from upstream STABLE-BRANCH-2-2 + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 14 May 2019 02:08:47 -0400 + +gnupg2 (2.2.13-1) unstable; urgency=medium + + * New upstream release (Closes: #919856) + + [ Roger Shimizu ] + * add some simple tests for gpg{,v}. Thanks to Julian Andres Klode + (Closes: #920892). 
+ + [ Daniel Kahn Gillmor ] + * refresh patches + * cherry-pick fixes from upstream STABLE-BRANCH-2-2 + * Standards-Version: bump to 4.3.0 (no changes needed) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 02 Mar 2019 11:50:15 -0500 + +gnupg2 (2.2.12-1) unstable; urgency=medium + + * New upstream release + * refresh patches + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 14 Dec 2018 20:17:16 -0500 + +gnupg2 (2.2.11-1) unstable; urgency=medium + + * new upstream release + * refresh patches + * refresh upstream/signing-key.asc + * deprecate gpg-zip + * gnupg-utils: ship gpgtar, since gpg-zip is deprecated + * Make gpg-zip use tar from $PATH (Closes: #913582) + * fix spelling mistakes in tools documentation + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 18 Nov 2018 17:38:30 -0500 + +gnupg2 (2.2.10-3) unstable; urgency=medium + + [ Bjarni Ingi Gislason ] + * clean up nroff for gpg-check-pattern.1 (Closes: #900247) + + [ Daniel Kahn Gillmor ] + * backport fix for subkey binding sigs + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 08 Oct 2018 11:36:01 -0400 + +gnupg2 (2.2.10-2) unstable; urgency=medium + + * import upstream minor bugfixes + * wrap-and-sort -ast + * actually ship gpgcompose in gnupg-utils + * drop debian/source/options (thanks, Lintian!) 
+ + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 30 Sep 2018 11:40:42 -0500 + +gnupg2 (2.2.10-1) unstable; urgency=medium + + * new upstream maintenance release + * drop patches already upstream + * refresh patches + * Standards-Version: bump to 4.2.1 (no changes needed) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 30 Aug 2018 11:57:15 -0400 + +gnupg2 (2.2.9-2) unstable; urgency=medium + + [ Daniel Kahn Gillmor ] + * spell Tor correctly (Closes: #895398) + * Standards-Version: bump to 4.2.0 (no changes needed) + * corrected license in AppStream file + * standardize udev rules for Yubikey USB devices and claim them in AppStream + * from upstream: s2k bugfix, support for Trustica Cryptoucan + * Claim Trustica Cryptoucan via AppStream + + [ JiÅĆ KeresteÅ” ] + * udev rule for Trustica Cryptoucan + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 24 Aug 2018 09:48:15 -0400 + +gnupg2 (2.2.9-1) unstable; urgency=medium + + * New upstream release + * Standards-Version: bump to 4.1.5 (no changes needed) + * drop patches already upstream + * refresh patches + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 19 Jul 2018 14:02:31 -0400 + +gnupg2 (2.2.8-3) unstable; urgency=medium + + * Ensure arch: all gnupg package supports binMNUs + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 21 Jun 2018 12:18:14 -0400 + +gnupg2 (2.2.8-2) unstable; urgency=medium + + [ Daniel Kahn Gillmor ] + * import bugfixes and improvements from upstream/STABLE-BRANCH-2-2 + * ensure that revocation certificates show up in --show-keys output + (see 7c79bf7f71aa594102cb684b0abd8331bdac4608) + * try passing not explicit paths to wine for the gpgv-win32 test + * d/copyright: clarify debian/* licensing + * convert gnupg metapackage to Architecture: all + + [ Giovanni Mascellani ] + * avoid parallel tests on riscv64 (Closes: #901646) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 20 Jun 2018 06:56:09 -0400 + +gnupg2 (2.2.8-1) unstable; urgency=medium + + * New 
upstream release + * refresh patches + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 08 Jun 2018 10:08:36 -0400 + +gnupg2 (2.2.7-1) unstable; urgency=medium + + * new upstream release + * update/refresh patches, improve patch description + * bump standards-version to 4.1.4 (no changes needed) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 23 May 2018 11:50:27 -0400 + +gnupg2 (2.2.5-1) unstable; urgency=medium + + * New upstream release + * d/gbp.conf: use DEP-14 branch naming + * d/control: declare Rules-Requires-Root: no + * drop patches already applied upstream + * refresh patches + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 22 Feb 2018 14:20:18 -0800 + +gnupg2 (2.2.4-3) unstable; urgency=medium + + * version build-deps on mingw library toolchain (Closes: #889921) + * drop misbehaving upstream scd patch (Closes: #889751) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 09 Feb 2018 13:51:35 -0500 + +gnupg2 (2.2.4-2) unstable; urgency=medium + + [ Daniel Kahn Gillmor ] + * move to debhelper 11 + * d/control: move Vcs to salsa + * import more bugfixes and hardware from upstream + + [ Helge Deller ] + * Fix FTBFS on hppa (Closes: #887843) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 05 Feb 2018 23:07:21 -0500 + +gnupg2 (2.2.4-1) unstable; urgency=medium + + * New upstream release + * do not use uupdate (we use gbp-import-orig) + * dirmngr: cannot avoid idling in current arrangement + * adjusting fixes to gpgsm defaults + * prefer SHA-512 specifically on personal-digest-preferences. 
+ * refresh patches + * Standards-Version: bump to 4.1.3 (no changes needed) + * drop unnecessary lintian override + * reflect actual requirement for libassuan + * import bugfixes from upstream + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 03 Jan 2018 12:43:40 -0500 + +gnupg2 (2.2.3-1) unstable; urgency=medium + + * New upstream release + * refreshed patches + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 30 Nov 2017 19:06:35 -0500 + +gnupg2 (2.2.2-1) unstable; urgency=medium + + * new upstream release. + * avoid testsuite delays from excess socket waiting + * clean up trailing whitespace in debian/{rules,changelog} + * drop patches already upstream + * refresh remaining patches + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 08 Nov 2017 20:09:33 +0100 + +gnupg2 (2.2.1-5) unstable; urgency=medium + + * block ptrace on scdaemon as well as gpg-agent (Closes: #878952) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 27 Oct 2017 01:43:20 -0400 + +gnupg2 (2.2.1-4) unstable; urgency=medium + + * restore lintian override, because ftp-master isn't yet running lintian + 2.5.55 (see #877999 for more details) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 19 Oct 2017 02:33:36 -0400 + +gnupg2 (2.2.1-3) unstable; urgency=medium + + * bugfix for multiple keyrings (Closes: #878812) + * drop an unnecessary lintian override + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 19 Oct 2017 00:23:41 -0400 + +gnupg2 (2.2.1-2) unstable; urgency=medium + + * adopt bugfixes and documentation improvements from upstream + * reorganize debian/patches for simpler maintenance + * move gnupg-l10n to Section: localization + * Standards-Version: bump to 4.1.1 (no changes needed) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 10 Oct 2017 10:05:45 -0400 + +gnupg2 (2.2.1-1) unstable; urgency=medium + + * New upstream release + * drop patches already applied upstream + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 19 Sep 2017 08:26:26 
-0400 + +gnupg2 (2.2.0-3) unstable; urgency=medium + + * avoid FTBFS when TZ=UTC-12 (Closes: #874617) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 08 Sep 2017 02:10:02 -0400 + +gnupg2 (2.2.0-2) unstable; urgency=medium + + * dirmngr and gpgv-static are Multi-arch: foreign (Closes: #874111) + * update to stronger cryptographic defaults. + * use upstream gpg-agent-browser.socket systemd user service + * publish SSH_AUTH_SOCK for wayland users (Closes: #855868) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 07 Sep 2017 19:20:35 -0400 + +gnupg2 (2.2.0-1) unstable; urgency=medium + + * New upstream release. + * drop patches already upstream + * scdaemon: bugfix from upstream for large ECC keys + * Standards-Version: bump to 4.1.0 (no changes needed) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 06 Sep 2017 13:10:28 -0400 + +gnupg2 (2.1.23-2) unstable; urgency=medium + + * add openssh-client to build-deps for testing + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 13 Aug 2017 22:48:23 -0400 + +gnupg2 (2.1.23-1) unstable; urgency=medium + + * New upstream release + * move to unstable + * refresh patches + * keep default --no-auto-key-retrieve + * Standards-Version: 4.0.1 (Priority: extra -> optional) + * run tests in parallel + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 11 Aug 2017 09:56:05 -0400 + +gnupg2 (2.1.22-1) experimental; urgency=medium + + * New upstream release + * refreshed patches + * pulled a few bugfix patches from upstream + * simplify systemd user units + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 07 Aug 2017 01:17:19 -0400 + +gnupg2 (2.1.21-4) experimental; urgency=medium + + * package reorganization: + - new package 'gpg' is just for public key operations + - 'gnupg' package is the full suite + - 'gnupg-agent' package is renamed to 'gpg-agent' + - 'gpgconf' is a base package, other packages depend on it + - 'gnupg-utils' are a grab-bag of helper tools that may be useful + * scdaemon: add 
AppStream metainfo about supported smartcards + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 26 Jul 2017 12:50:55 -0400 + +gnupg2 (2.1.21-3) experimental; urgency=medium + + * include upstream bugfixes and improvements (Closes: #863221) + * build gpgcompose, ship new gpgcompose binary package + * upgrade to debhelper 10 + * upgrade to Standards-Version 4.0.0 (no changes needed) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 11 Jun 2017 01:50:30 +0200 + +gnupg2 (2.1.21-2) experimental; urgency=medium + + [ Stefan BĆ¼hler ] + * Create WKS server and client packages + + [ Daniel Kahn Gillmor ] + * minor packaging cleanups + * more upstream bugfix and cleanup patches + * rename WKS packages to match the tool names + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 18 May 2017 18:02:46 -0400 + +gnupg2 (2.1.21-1) experimental; urgency=medium + + * new upstream release + * drop patches alread yupstream, refresh patches + * import post-release bugfixes from upstream + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 16 May 2017 22:42:20 -0400 + +gnupg2 (2.1.20-4) experimental; urgency=medium + + * avoid shipping or trying to use .skel files + * more bugfixes from upstream + * skip missing signing keys (Closes: #834922) + * prefer available smartcard + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 10 May 2017 14:59:02 -0400 + +gnupg2 (2.1.20-3) experimental; urgency=medium + + * more upstream bugfixes (Closes: #858400) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 07 Apr 2017 11:36:51 -0400 + +gnupg2 (2.1.20-2) experimental; urgency=medium + + * more bugfix patches from upstream + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 06 Apr 2017 11:21:24 -0400 + +gnupg2 (2.1.20-1) experimental; urgency=medium + + * new upstream release + * drop patches already upstream, refresh patches + * import post-release bugfixes from upstream + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 05 Apr 2017 11:43:09 -0400 + +gnupg2 
(2.1.19-3) experimental; urgency=medium + + * more patches from usptream + - test suite should now use /tmp and not require /run/user/ + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 21 Mar 2017 12:34:47 -0400 + +gnupg2 (2.1.19-2) experimental; urgency=medium + + * more patches from upstream (Closes: #854829) + * add verbose=3 to the test suite as requested by upstream + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 20 Mar 2017 14:05:46 -0400 + +gnupg2 (2.1.19-1) experimental; urgency=medium + + * New upstream release (Closes: #854359) + * many post-release bugfixes from upstream + * add logcheck filters for gpg-agent (Closes: #856438) + * Upload to experimental due to the freeze + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 16 Mar 2017 12:47:40 -0400 + +gnupg2 (2.1.18-6) unstable; urgency=medium + + [ NIIBE Yutaka ] + * scdaemon: Fix duplicated entries (Closes: #855056). + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 13 Feb 2017 19:29:34 -0500 + +gnupg2 (2.1.18-5) unstable; urgency=medium + + [ Daniel Kahn Gillmor ] + * Xsession.d/90gpg-agent: use simpler and more direct gpgconf + invocations for socket names. + + [ NIIBE Yutaka ] + * scdaemon.udev: Add Yubikey and Nitrokey (Closes: #648331, 734889). + * scdaemon fix for PC/SC (Closes: #852702, #854005, #854595, #854616). 
+ + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 13 Feb 2017 09:15:07 -0500 + +gnupg2 (2.1.18-4) unstable; urgency=medium + + [ Daniel Kahn Gillmor ] + * document that debian disables --allow-version-check + * docs, debugging, and bugfix patches from upstream (Closes: #852979) + + [ NIIBE Yutaka ] + * scdaemon bugfixes + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 04 Feb 2017 22:03:26 -0500 + +gnupg2 (2.1.18-3) unstable; urgency=medium + + * fix searches for keys with raw addr-spec + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 25 Jan 2017 16:58:56 -0500 + +gnupg2 (2.1.18-2) unstable; urgency=medium + + * pull fixes from upstream (including a double-free in gpg-agent) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 25 Jan 2017 09:29:25 -0500 + +gnupg2 (2.1.18-1) unstable; urgency=medium + + * New upstream release. + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 23 Jan 2017 23:12:35 -0500 + +gnupg2 (2.1.17-6) unstable; urgency=medium + + * Upstream patches, fixing unnecessary delay in gpg-agent (Closes: #851298) + * gpg-agent: avoid race in shutdown (Closes: #841143) + * improve dirmngr, gpg-agent README.Debian (Closes: #850982) + * clean up gpg-agent-idling patch + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 18 Jan 2017 14:40:41 -0500 + +gnupg2 (2.1.17-5) unstable; urgency=medium + + * more fixes from upstream (improving but not yet closing: #849845) + * gpg-agent: actively poll when shutdown is pending. Thanks, NIIBE + Yutaka! 
(addresses but does not close #841143) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 11 Jan 2017 15:44:57 -0500 + +gnupg2 (2.1.17-4) unstable; urgency=medium + + * more patches from upstream, including dirmngr debugging + improvements + * resolve ambiguity in aliased options and commands (Closes: #850475) + * auto-enable gpg-agent and dirmngr for systemd user sessions + * enable easy reloads from systemd + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 10 Jan 2017 17:30:08 -0500 + +gnupg2 (2.1.17-3) unstable; urgency=medium + + * more bugfixes from upstream (improving but not yet closing: #849845) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 03 Jan 2017 15:39:52 -0500 + +gnupg2 (2.1.17-2) unstable; urgency=medium + + * include patches from upstream to avoid build failures on 32-bit + arches. + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 24 Dec 2016 18:11:51 -0500 + +gnupg2 (2.1.17-1) unstable; urgency=medium + + * new upstream release. + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 24 Dec 2016 15:39:04 -0500 + +gnupg2 (2.1.16-3) unstable; urgency=medium + + * remove -pie from hppa, kfreebsd-amd64, and x32 builds of + gpgv-static (Closes: #846889) + * import several upstream bugfix patches (Closes: #846834, #846168) + * link gnupg-agent and scdaemon with Enhances/Suggests (Closes: #833518) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 05 Dec 2016 15:34:49 -0500 + +gnupg2 (2.1.16-2) unstable; urgency=medium + + * avoid using adns, due to lack of security support (Closes: #845078) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 21 Nov 2016 09:57:26 -0500 + +gnupg2 (2.1.16-1) unstable; urgency=medium + + * New upstream version + * dropped many patches already incorporated upstream + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 20 Nov 2016 23:22:49 -0500 + +gnupg2 (2.1.15-9) unstable; urgency=medium + + * Introduce gpgv-static package (Closes: #806940) + * more patches from upstream + * use adns 
for better DNS resolution in dirmngr + * add some import-options to + migrate-pubring-from-classic-gpg for better migration + * reorganize patches to distinguish debian variations from upstream + * set simple and easy defaults for keyservers + * help dirmngr and gpg-agent idle better in the default case + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 10 Nov 2016 07:28:16 -0800 + +gnupg2 (2.1.15-8) unstable; urgency=medium + + * rename gpg-agent-restricted.socket to gpg-agent-extra.socket + (for symmetry with option names and actual sockets created) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 27 Oct 2016 13:54:53 -0400 + +gnupg2 (2.1.15-7) unstable; urgency=medium + + * more upstream patches + * dirmngr systemd user service is now socket-activated. + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 27 Oct 2016 12:48:15 -0400 + +gnupg2 (2.1.15-6) unstable; urgency=medium + + * more upstream patches (Closes: #841437, #840680) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 26 Oct 2016 17:44:20 -0400 + +gnupg2 (2.1.15-5) unstable; urgency=medium + + * added udev rules for Fujitsu Siemens cardreader (Closes: #840312) + * mark transitional packages Multi-Arch: Foreign (closes: #840258) + * make gnupg2 binNMU-safe + * more patches from upstream + * track upstream decision-making about gpg-agent socket names + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 25 Oct 2016 21:30:06 -0400 + +gnupg2 (2.1.15-4) unstable; urgency=medium + + * update debian/tests/gpgv-win32 + * more patches from upstream (Closes: #838153) + * tighten dependencies between gnupg and dirmngr (Closes: #834602) + * updated systemd user gpg-agent units for socket activation + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 04 Oct 2016 17:22:30 -0400 + +gnupg2 (2.1.15-3) unstable; urgency=medium + + * Use upstream fix to avoid touching homedir during test suite + * backward compatibility for preset-passphrase and protect-tool + * add Breaks: for python3-apt too 
(thanks, Harald Jenny!) + * Avoid network access during tests (Closes: #836259) + * more patches from upstream + - gpgv --output now works + - fingerprint display doesn't vary with --keyid-format + - minor cleanup to scdaemon dealing with removed cards + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 14 Sep 2016 17:08:58 -0400 + +gnupg2 (2.1.15-2) unstable; urgency=medium + + * restore keyid output in gpgv (Closes: #836144) + * avoid test suite failures when HOME does not exist + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 31 Aug 2016 12:37:48 -0400 + +gnupg2 (2.1.15-1) unstable; urgency=medium + + * new upstream release + - blocks signals during keyring updates (Closes: #293556) + * avoid libusb on hurd. Thanks, Pino Toscano! (Closes: #834533) + * permissions on test suite are already fixed + * drop patches applied upstream and refresh remaining patches + * make gnupg2 reproducible by not regenerating documentation date + * make autopkgtest work with modern wine (Closes: #835976) + * wrap-and-sort -ast for cleaner diffs + * add versioned Breaks: for affected packages (Closes: #835349) + - gpgv Breaks: python-debian << 0.1.29 (addresses: #782904) + - gnupg Breaks: php-crypt-gpg <= 1.4.1-1 (addresses #835592) + - gnupg Breaks: python-apt <= 1.1.0~beta4 (addresses: #835465) + - gnupg Breaks: python-gnupg << 0.3.8-3 (addresses: #834514, #834600) + - gnupg Breaks: libgnupg-interface-perl << 0.52-3 (addresses: #834281) + - gnupg Breaks: libmail-gnupg-perl <= 0.22-1 (addresses: #835075) + - gnupg Breaks: libgnupg-perl << 0.19-1 (addresses: #834522) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 30 Aug 2016 13:19:23 -0400 + +gnupg2 (2.1.14-5) unstable; urgency=medium + + * actually ship /usr/share/doc/gnupg/README.Debian + * Release to unstable. 
+ + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 12 Aug 2016 16:27:22 -0400 + +gnupg2 (2.1.14-4) experimental; urgency=medium + + * add ZeitControl card (Closes: #814584) + * three more fixes from upstream + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 08 Aug 2016 12:54:21 -0400 + +gnupg2 (2.1.14-3) experimental; urgency=medium + + * cleanup debian/copyright + * update debian/watch + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 03 Aug 2016 11:09:05 -0400 + +gnupg2 (2.1.14-2) experimental; urgency=medium + + * mark the gpgv binary as Priority: important, since apt depends on it + * import a bunch of fixes from upstream + * include permissioning on patched-in tests + * Breaks: some packages that expect old gpg behavior (Closes: #831500) + * remove scdaemon.service; it will be managed by gpg-agent.service + * avoid bulleted items in debian/NEWS (thanks, Lintian!) + * debian/copyright: cleanup, fix URLs + * debian/control: use standard URL for Vcs-Browser + * fix spelling and grammar noticed by lintian + * avoid lintian notes about a misspelled "written" + * clean up gpgv2 Description + * break out arch-indep localization files into new gnupg-l10n package + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 01 Aug 2016 17:54:59 -0400 + +gnupg2 (2.1.14-1) experimental; urgency=medium + + * New upstream release + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 15 Jul 2016 01:39:25 +0200 + +gnupg2 (2.1.13-5) experimental; urgency=medium + + * dependency cleanup! 
+ - make Recommends: strictly versioned between gnupg and {gpg-agent,dirmngr} + - make gnupg Provide: gpg and mention it in the package description + - drop mention of newpg, which has not been in debian for many releases + - gnupg2 2.0.18 predates debian wheezy, which is oldstable; drop mention + in debian/control + - drop Suggests: gnupg-doc, which does not appear to be maintained + - drop all references to gpg-idea, which has not been in debian for + several releases + - removed dependency on "dpkg (>= 1.15.4) | install-info", since that + dpkg version predates oldstable (wheezy) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 04 Jul 2016 10:13:42 -0400 + +gnupg2 (2.1.13-4) experimental; urgency=medium + + * add binutils-multiarch [!amd64 !i386] to Build-Depends-Indep: so that + we can generate win32 packages on non-x86 platforms. + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 01 Jul 2016 11:30:28 -0400 + +gnupg2 (2.1.13-3) experimental; urgency=medium + + * pull bugfixes from upstream (Closes: #828109, #814584) + * should also allow for reproducible builds, with fix to + timestamps in tofu.test + * provide supervised dirmngr, gpg-agent, and scdaemon services from + systemd's user sessioniif the user wants to enable them. These + services should terminate at logout (Closes: #825911) + * avoid launching gpg-agent from Xsession.d since we have more robust + session management available (added NEWS entry about this change) + * gnupg-agent now Provides: gpg-agent to mitigate common confusion. + * updated dirmngr package description. 
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 28 Jun 2016 13:46:36 -0400
+
+gnupg2 (2.1.13-2) experimental; urgency=medium
+
+ * brown paper bag time: fix build-dep from libusb-1.0.0-dev to
+ libusb-1.0-0-dev
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 17 Jun 2016 23:07:43 -0400
+
+gnupg2 (2.1.13-1) experimental; urgency=medium
+
+ * New upstream release
+ - new keyid-format "none", used by default (Closes: #826273)
+ * Build-depend on libusb-1.0.0-dev to ensure smartcards work (Thanks,
+ gniibe!)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 16 Jun 2016 18:30:36 -0400
+
+gnupg2 (2.1.12-1) experimental; urgency=medium
+
+ * New upstream release
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 10 May 2016 20:58:06 -0400
+
+gnupg2 (2.1.11-7+exp1) experimental; urgency=medium
+
+ * switching over binary package names in experimental -- gnupg2 source
+ package now provides gnupg and gpgv
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 18 Apr 2016 19:17:19 -0400
+
+gnupg2 (2.1.11-7) unstable; urgency=medium
+
+ * move to unstable
+ * re-enable test suites on mips and mipsel since #730846 is resolved
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 18 Apr 2016 07:45:16 -0400
+
+gnupg2 (2.1.11-6+exp4) experimental; urgency=medium
+
+ * stop using help2man to fix cross-building
+ * ensure gpgv-win32 is properly stripped
+ * enable autopkgtest to run without root on systems that already have
+ wine32 installed
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 01 Apr 2016 13:08:07 -0300
+
+gnupg2 (2.1.11-6+exp3) experimental; urgency=medium
+
+ * more cleanup on arch-dependent packages.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 30 Mar 2016 03:36:18 -0400
+
+gnupg2 (2.1.11-6+exp2) experimental; urgency=medium
+
+ * avoid build failures when building only arch-dependent or only
+ arch-independent packages.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 30 Mar 2016 02:59:18 -0400
+
+gnupg2 (2.1.11-6+exp1) experimental; urgency=medium
+
+ * take over gpgv-win32 from gnupg 1.4 packaging
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 28 Mar 2016 23:27:43 -0400
+
+gnupg2 (2.1.11-6) unstable; urgency=medium
+
+ * avoid FTBFS with patch from upstream (Closes: #814842)
+ * bumped standards-version to 3.9.7 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 01 Mar 2016 09:36:41 +0100
+
+gnupg2 (2.1.11-5) unstable; urgency=medium
+
+ * taking over gpgv-udeb from gnupg 1.4 packaging
+ * debian/control: use secure transport for Vcs-* and Homepage
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 04 Feb 2016 17:17:47 -0500
+
+gnupg2 (2.1.11-4) unstable; urgency=medium
+
+ * disable gpgtar, since it is causing unpredictable testsuite failures
+ and we don't ship it anyway.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 03 Feb 2016 11:57:57 -0500
+
+gnupg2 (2.1.11-3) unstable; urgency=medium
+
+ * trying again to get a proper dump of the gpgtar.test.log. sigh.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 28 Jan 2016 08:34:22 -0500
+
+gnupg2 (2.1.11-2) unstable; urgency=medium
+
+ * added temporary hook to view failing gpgtar test output on build
+ daemons since i can't replicate the failures on my own build systems.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 28 Jan 2016 00:53:29 -0500
+
+gnupg2 (2.1.11-1) unstable; urgency=medium
+
+ * new upstream release
+ - drops buggy attempt to detect duplicate keys (Closes: #807819)
+ * removed -dbg package, since we have automatic -dbgsym packages now
+ * removed undocumented gpgkey2ssh; use gpg --export-ssh-key instead
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 25 Jan 2016 15:29:25 -0500
+
+gnupg2 (2.1.10-3) unstable; urgency=medium
+
+ * avoid infinite loop when doing --gen-revoke by fingerprint
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 12 Dec 2015 16:53:40 -0500
+
+gnupg2 (2.1.10-2) unstable; urgency=medium
+
+ * actually use sks-keyservers CA by default if the user asks for
+ hkps://hkps.pool.sks-keyservers.net
+ * move ownership of some files in /usr/share/gnupg2/ to more appropriate
+ owners like gpgsm and dirmngr.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 11 Dec 2015 17:06:10 -0500
+
+gnupg2 (2.1.10-1) unstable; urgency=medium
+
+ * new upstream release
+ * ship sks-keyservers.netCA.pem in dirmngr to make it easier to use hkps.
+ * avoid shipping Changelog-2011, use upstream ChangeLog (Closes:
+ #803225)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 09 Dec 2015 12:05:42 -0500
+
+gnupg2 (2.1.9-1) unstable; urgency=medium
+
+ * New upstream release
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 13 Oct 2015 10:04:33 -0400
+
+gnupg2 (2.1.8-2) UNRELEASED; urgency=medium
+
+ [ NIIBE Yutaka ]
+ * update scdaemon dependencies
+
+ [ Daniel Kahn Gillmor ]
+ * correct ssh fingerprint for ECDSA nistp384 (Closes: #795636)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 17 Sep 2015 00:00:28 -0400
+
+gnupg2 (2.1.8-1) unstable; urgency=medium
+
+ * New upstream release
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 10 Sep 2015 17:00:06 -0400
+
+gnupg2 (2.1.7-2) unstable; urgency=medium
+
+ * upload to unstable
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 11 Aug 2015 21:24:18 -0400
+
+gnupg2 (2.1.7-1) experimental; urgency=medium
+
+ * new upstream release
+ * block ptrace connections to gpg-agent
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 11 Aug 2015 20:05:38 -0400
+
+gnupg2 (2.1.6-1) experimental; urgency=medium
+
+ * new upstream release
+ * drop deprecated gpgsm-gencert.sh
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 07 Jul 2015 14:27:23 -0400
+
+gnupg2 (2.1.5-2) experimental; urgency=medium
+
+ [ Daniel Kahn Gillmor ]
+ * pass DBUS_SESSION_BUS_ADDRESS through to the agent so that
+ pinentry-gnome3 can work across sessions.
+ * ensure that l10n files are rebuilt.
+
+ [ Eric Dorland ]
+ * debian/patches/0003-Include-defs.inc-in-BUILT_SOURCES.patch: Fix for
+ build failure when rebuilding info docs.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 30 Jun 2015 18:13:58 -0400
+
+gnupg2 (2.1.5-1) experimental; urgency=medium
+
+ * New upstream release
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 11 Jun 2015 13:18:56 -0400
+
+gnupg2 (2.1.4-2) experimental; urgency=medium
+
+ * avoid excess dependencies on headless servers (Closes: #753163)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 03 Jun 2015 14:12:49 -0400
+
+gnupg2 (2.1.4-1) experimental; urgency=medium
+
+ * New upstream release.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 28 May 2015 00:25:55 -0400
+
+gnupg2 (2.1.3-1) experimental; urgency=medium
+
+ * New upstream version.
+ * Add gnupg2-dbg (Closes: #781631)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 01 Apr 2015 12:10:38 -0400
+
+gnupg2 (2.1.2-2) experimental; urgency=medium
+
+ * Fix segv due to NULL value stored as opaque MPI.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 21 Feb 2015 10:26:50 -0500
+
+gnupg2 (2.1.2-1) experimental; urgency=medium
+
+ * New upstream version
+ * move from automake1.11 to plain automake (upstream uses 1.14 now)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 12 Feb 2015 20:10:43 -0500
+
+gnupg2 (2.1.1-1) experimental; urgency=medium
+
+ * New upstream version (closes: #772654)
+ * gnupg2 now Breaks: older versions of dirmngr (closes: #769460)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 16 Dec 2014 14:58:06 -0500
+
+gnupg2 (2.1.0-1) experimental; urgency=medium
+
+ * import upstream 2.1.0 release.
+ * drop debian/patches/speed-up-test-suite.patch -- included upstream.
+ * avoid self-reporting as a beta now that this is a release
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 06 Nov 2014 12:31:06 -0500
+
+gnupg2 (2.1.0~beta895-3) experimental; urgency=medium
+
+ * update gnupg-agent.xsession to export ssh-agent where
+ configured.
(Closes: #767341)
+ * use cheap/fast entropy for the test suite so that builds on
+ low-entropy machines go faster.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 30 Oct 2014 13:37:08 -0400
+
+gnupg2 (2.1.0~beta895-2) experimental; urgency=medium
+
+ * added pkg-config to Build-Depends.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 29 Oct 2014 18:36:27 -0400
+
+gnupg2 (2.1.0~beta895-1) experimental; urgency=medium
+
+ * new upstream version in experimental (Closes: #762844, #751266, #762844)
+ * ship /usr/bin/gpgparsemail (Closes: #760575)
+ * document that doc/OpenPGP is not actually an RFC, but just refers to
+ one (closes: #745410)
+ * Bump Standards-Version to 3.9.6 (no changes needed)
+ * --enable-large-secmem to ensure that gpg2 works with pre-generated
+ oversized RSA keys
+ * updated /etc/X11/Xsession.d/90gpg-agent to export $GPG_AGENT_INFO
+ about the standard socket.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 29 Oct 2014 17:53:06 -0400
+
+gnupg2 (2.0.28-3) unstable; urgency=medium
+
+ * pass DBUS_SESION_BUS_ADDRESS to the agent for gnome3.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 04 Jul 2015 14:21:41 -0400
+
+gnupg2 (2.0.28-2) unstable; urgency=medium
+
+ * d/clean: drop stamp-po to rebuild l10n (Closes: #788989)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 30 Jun 2015 17:17:11 -0400
+
+gnupg2 (2.0.28-1) unstable; urgency=medium
+
+ * new upstream release
+ * really address excess dependencies on headless server (thanks RaphaĆ«l
+ Halimi for noticing) (Closes: #753163)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 02 Jun 2015 12:16:57 -0400
+
+gnupg2 (2.0.27-2) unstable; urgency=medium
+
+ * import upstream fix to avoid replicating unknown subkey
+ packets. (Closes: #787045) (Thanks, NIIBE Yutaka)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 28 May 2015 00:55:51 -0400
+
+gnupg2 (2.0.27-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Provide a simple way for users to avoid gpg-agent hijacking,
+ working around: #760102 (Closes: #753163)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 08 May 2015 18:15:15 -0400
+
+gnupg2 (2.0.26-6) unstable; urgency=medium
+
+ * Avoid NULL dereference with opaque MPI.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 21 Feb 2015 18:01:40 -0500
+
+gnupg2 (2.0.26-5) unstable; urgency=medium
+
+ * import bug-fixes from upstream
+ (Closes: #773415, #773469, #773471, #773472, #773423)
+ * Fixes CVE-2015-1606 "Use after free, resulting from failure to skip
+ invalid packets", CVE-2015-1607 "memcpy with overlapping ranges,
+ resulting from incorrect bitwise left shifts" (Closes: #778577)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 16 Feb 2015 17:45:06 -0500
+
+gnupg2 (2.0.26-4) unstable; urgency=medium
+
+ [ David PrĆ©vot ]
+ * Update POT and PO files, and ensure the translations get rebuild
+ * Update French translation (Closes: #769574)
+ * Update Ukrainian translation, thanks to Yuri Chornoivan
+ * Update German translation, thanks to Werner Koch
+ * Update Danish translation, thanks to Joe Hansen
+ * Update Japanese translation, thanks to NIIBE Yutaka
+ * Update Chinese (traditional) translation, thanks to Jedi Lin
+ * Update Russian translation, thanks to Ineiev
+ * Update Polish translation, thanks to Jakub Bogusz
+ * Update Spanish translation, thanks to Manuel "Venturi" Porras Peralta
+ (Closes: #770727)
+ * New Dutch translation, thanks to Frans Spiesschaert (Closes: #770981)
+
+ [ Daniel Kahn Gillmor ]
+ * bugfix and cryptographic safety changes imported from upstream:
+ - Avoid regression when adding subkeys with strong s2k algorithms
+ (Closes: #772780) Thanks, NIIBE Yutaka
+ - Allow french translation to work when prompting for passphrase.
+ - add build and runtime support for larger RSA keys (Closes: #739424)
+ - fix runtime errors on bad input (Closes: #771987)
+ - deprecate insecure one-argument variant for gpg --verify of detached
+ signatures (Closes: #771992)
+ - initialize trustdb before trying to clear it (Closes: #735363)
+ - default to issuing SHA256 signatures for RSA
+ - avoid relying on MD5 signatures
+ - show v3 key fingerprints as all zero (OpenPGPv3 is deprecated)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 04 Jan 2015 17:17:00 -0500
+
+gnupg2 (2.0.26-3) unstable; urgency=medium
+
+ * fix typo in gpg.info (closes: #760273)
+ * drop versioned Build-Conflicts on automake by setting environment
+ variables in debian/rules
+ * ship /usr/bin/gpgparsemail (closes: #760575)
+ * warn but don't fail when scdaemon options are in ~/.gnupg/gpg.conf
+ (closes: #762844)
+ * do not break on --trust-model=always (closes: #751266)
+ * document that doc/OpenPGP is not actually an RFC, but just refers to
+ one (closes: #745410)
+ * Bump Standards-Version to 3.9.6 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 30 Sep 2014 23:39:15 -0400
+
+gnupg2 (2.0.26-2) unstable; urgency=medium
+
+ * ignore emacs turds in debian/
+ * update Vcs fields
+ * move package to group maintenance
+ * wrap-and-sort cleanup of debian/*
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 28 Aug 2014 11:42:18 -0700
+
+gnupg2 (2.0.26-1) unstable; urgency=medium
+
+ * New upstream release.
+ * debian/control: Suggest parcimonie. Thanks ilf. (Closes: #752261)
+
+ -- Eric Dorland <eric@debian.org> Tue, 19 Aug 2014 18:09:08 -0400
+
+gnupg2 (2.0.25-2) unstable; urgency=medium
+
+ * debian/control: Switch to libgcrypt20-dev (aka 1.6 release).
+
+ -- Eric Dorland <eric@debian.org> Fri, 08 Aug 2014 14:12:05 -0400
+
+gnupg2 (2.0.25-1) unstable; urgency=medium
+
+ * New upstream release.
+
+ -- Eric Dorland <eric@debian.org> Mon, 30 Jun 2014 13:10:04 -0400
+
+gnupg2 (2.0.24-1) unstable; urgency=high
+
+ * New upstream release. Fixes CVE-2014-4617 "infinite loop when
+ decompressing data packets". (Closes: #752498)
+ * debian/patches/02-gpgv2-dont-link-libassuan.diff: Drop, now
+ upstreamed.
+
+ -- Eric Dorland <eric@debian.org> Wed, 25 Jun 2014 00:11:19 -0400
+
+gnupg2 (2.0.23-1) unstable; urgency=medium
+
+ * New upstream release.
+ * debian/upstream/signing-key.asc: Rename upstream-signing-key.pgp to
+ the new, supported name.
+ * debian/control: Restore versioned conflict against gpg-idea. (Closes:
+ #733984)
+ * debian/control: Add Recommends on dirmngr for gpgsm. (Closes: #683579)
+
+ -- Eric Dorland <eric@debian.org> Sun, 08 Jun 2014 19:20:17 -0400
+
+gnupg2 (2.0.22-3) unstable; urgency=low
+
+ * debian/watch, debian/upstream-signing-key.pgp: Add upstream signing
+ key for uscan verification.
+ * debian/kbxutil.1, debian/rules: Add better description and regenerate
+ the manpage.
+ * debian/control: Remove version on gpg-idea conflict, add missing
+ Breaks for gpgsm and convert Conflicts to Breaks for gpgv2.
+ * debian/control: Move gnupg-agent to Depends for gpgsm instead of
+ Replaces (which in turn should have been Recommends).
+ * debian/control: Standards-Version to 3.9.5.
+ * debian/copyright: Switch to a shiny DEP-5 copyright file.
+
+ -- Eric Dorland <eric@debian.org> Wed, 01 Jan 2014 22:56:56 -0500
+
+gnupg2 (2.0.22-2) unstable; urgency=low
+
+ * debian/control: Fix Build-Conflicts on newer automakes. Thanks Chris
+ Boot. (Closes: #726015)
+ * debian/control: IDEA is no longer patented, drop its metion from the
+ description. Thanks brian m. carlson. (Closes: #726139)
+ * debian/rules: Disable the test suite on mips and mipsel to work around
+ Bug:#730846.
+
+ -- Eric Dorland <eric@debian.org> Sat, 30 Nov 2013 23:47:56 -0500
+
+gnupg2 (2.0.22-1) unstable; urgency=low
+
+ * New upstream version. Fixes CVE-2013-4402 and CVE-2013-4351.
(Closes:
+ #725433, #722724)
+ * debian/gnupg2.install: Install gnupg-card-architecture.png for the
+ info file.
+
+ -- Eric Dorland <eric@debian.org> Sat, 05 Oct 2013 17:45:28 -0400
+
+gnupg2 (2.0.21-2) unstable; urgency=low
+
+ * debian/rules, debian/gnupg2.install: Switch libexecdir to
+ /usr/lib/gnupg2 to install helper binaries to a non-multiarch specific
+ location. (Closes: #717303)
+ * debian/control, debian/gpgv2.install: Split out gpgv2 into its own
+ package.
+ * debian/control, debian/gnupg2.install, debian/kbxutil.1: Add rule and
+ manpage for kbxutil using help2man. (Closes: #323494)
+ * debian/patches/02-gpgv2-dont-link-libassuan.diff: Don't link gpgv2
+ against libassuan as it's not used.
+ * debian/rules: Install changelog for gpgv2.
+
+ -- Eric Dorland <eric@debian.org> Sun, 01 Sep 2013 00:42:16 -0400
+
+gnupg2 (2.0.21-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #613465, #720369)
+ * debian/patches/01-gnupg2-rename.diff: Refresh patch.
+ * debian/control: Fix Vcs-Git path.
+ * debian/control: Now depends on libgpg-error >= 1.11.
+ * debian/control: Build-Depends on automake1.11 since the test suite
+ fails on newer versions. (Closes: #713287)
+ * debian/control: Also need a Build-Conflicts on automake (<= 1.12).
+
+ -- Eric Dorland <eric@debian.org> Sat, 24 Aug 2013 20:33:19 -0400
+
+gnupg2 (2.0.20-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #691237, #583893)
+ * debian/patches/02-cve-2012-6085.diff: Remove, merged upstream.
+ * debian/control: Upgrade Standards-Version to 3.9.4.
+ * debian/compat, debian/control: Upgrade to debhelper v9.
+ * debian/control, debian/rules: Drop hardening-wrapper, now that we use
+ debhelper v9.
+ * debian/scdaemon.install: scdaemon has moved under $libexecdir.
+ * debian/control: Tighten dependency on scdaemon.
+ * debian/rules: Turn on all hardening options.
+ * debian/patches/01-gnupg2-rename.diff: Refresh patch.
+ * debian/gnupg-agent.install, debian/gnupg2.install,
+ debian/scdaemon.install: Fix /usr/lib paths for multi-arch.
+ * debian/rules: Pass ${pkglibdir} to --libexecdir since dh v9 passes
+ ${libdir} by default.
+
+ -- Eric Dorland <eric@debian.org> Sat, 11 May 2013 18:28:57 -0400
+
+gnupg2 (2.0.19-2) unstable; urgency=high
+
+ * debian/patches/02-cve-2012-6085.diff: Patch from upstream to fix
+ CVE-2012-6085, "gnupg key import memory corruption". (Closes: #697251)
+ * debian/control: Use canonical addresses for VCS.
+ * debian/control: Fix scdaemon short description.
+
+ -- Eric Dorland <eric@debian.org> Fri, 04 Jan 2013 00:56:52 -0500
+
+gnupg2 (2.0.19-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #666092)
+ * debian/control: Add Multi-Arch: foreign to all packages.
+ * debian/rules: Update ChangeLog locations.
+
+ -- Eric Dorland <eric@debian.org> Sat, 31 Mar 2012 01:06:02 -0400
+
+gnupg2 (2.0.18-2) unstable; urgency=low
+
+ * debian/control, debian/gpgsm.install, debian/scdaemon.install: Add a
+ separate package for the scdaemon. (Closes: #416129)
+ * debian/control, debian/gpgsm.install, debian/gnupg2.install,
+ gnupg-agent.install: Move gpg-preset-passphrase and gpg-protect-tool
+ into the gnupg-agent.
+ * debian/control: Upgrade Standards-Version to 3.9.2.
+ * debian/rules: Install ChangeLog for new scdaemon package.
+
+ -- Eric Dorland <eric@debian.org> Sat, 15 Oct 2011 20:21:35 -0400
+
+gnupg2 (2.0.18-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #635206)
+ * debian/copyright: Update ftp location. (Closes: #624404)
+ * debian/patches/01-gnupg2-rename.diff: Refresh patch.
+
+ -- Eric Dorland <eric@debian.org> Tue, 30 Aug 2011 03:43:20 -0400
+
+gnupg2 (2.0.17-3) unstable; urgency=low
+
+ * debian/rules: Convert the rules file to use the lovely dh format.
+ * debian/gnupg2.dirs, debian/gnupg-agent.dirs, debian/gpgsm.dirs: Remove
+ unless dirs files.
+ * debian/gnupg-agent.lintian-overrides, debian/gnupg2.lintian-overrides,
+ debian/gpgsm.lintian-overrides: Remove unneeded lintian-overrides files.
+
+ -- Eric Dorland <eric@debian.org> Mon, 14 Feb 2011 03:17:39 -0500
+
+gnupg2 (2.0.17-2) unstable; urgency=low
+
+ * debian/control: Add dependency on dpkg (>= 1.15.4) | install-info for
+ info install trigger.
+ * debian/control, debian/rules: Use debian build hardening.
+
+ -- Eric Dorland <eric@debian.org> Sun, 13 Feb 2011 16:33:17 -0500
+
+gnupg2 (2.0.17-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #584316, #603985, #603983, #603984)
+ * debian/patches/02-encode-s2k.diff,
+ debian/patches/03-gpgsm-realloc.diff, debian/patches/series: Drop now
+ unneeded security patches.
+ * debian/rules, debian/patches/01-gnupg2-rename.diff,
+ debian/gnupg2.info, debian/gnupg2.install: No need to rename the info
+ file anymore.
+ * debian/patches/01-gnupg2-rename.diff: Rename the autoconf package for
+ better renaming of pkg directories. (Closes: #579006)
+ * debian/control, debian/compat: Upgrade to debhelper level 8.
+ * debian/control:
+ - Upgrade Standards-Version to 3.9.1.
+ - Update Build-Depends versions for the latest release.
+ * debian/gnupg2.install: Add the applygnupgdefaults command. (Closes:
+ #567537)
+ * debian/gnupg2.docs: doc/faq.html no longer exists.
+
+ -- Eric Dorland <eric@debian.org> Sun, 13 Feb 2011 16:06:41 -0500
+
+gnupg2 (2.0.14-2) unstable; urgency=low
+
+ * debian/*.lintian, debian/*.lintian-overrides, debian/rules: Rename
+ lintian files and use dh_lintian instead of shell snippets.
+ * debian/source/patch-header, debian/source/options: Delete patch header
+ and remove single-debian-patch option.
+ * debian/patches/01-gnupg2-rename.diff: Move patch to do the necessary
+ renaming of gnupg -> gnupg2 in a quilt patch.
+ * debian/patches/02-encode-s2k.diff: Added patch to fix passphrase
+ problem in gpgsm. Thanks Martijn van Brummelen for the NMU to fix this
+ problem in 2.0.14-1.1.
+ * debian/patches/03-gpgsm-realloc.diff: Fix for "Realloc Bug with X.509
+ certificates" for gpgsm. (Closes: #590122)
+ * debian/rules, debian/control: Use dh-autoreconf and autopoint to
+ regenerate autotools files at build time.
+
+ -- Eric Dorland <eric@debian.org> Sun, 25 Jul 2010 02:16:42 -0400
+
+gnupg2 (2.0.14-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/control: Build depend on libreadline-dev instead of
+ libreadline5-dev, since libreadline6-dev is out. (Closes: #548922)
+ * debian/source/format, debian/source/options,
+ debian/source/patch-header: Convert to v3 quilt format, with
+ single-debian-patch.
+ * debian/control: Tighten dependency on gnupg-agent. (Closes: #551792)
+
+ -- Eric Dorland <eric@debian.org> Sat, 09 Jan 2010 21:15:18 -0500
+
+gnupg2 (2.0.13-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/control: Depend instead of Recommend gnupg-agent. (Closes:
+ #538947)
+
+ -- Eric Dorland <eric@debian.org> Mon, 07 Sep 2009 20:38:23 -0400
+
+gnupg2 (2.0.12-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #499569, #463270, #446494, #314068,
+ #519375, #514587)
+ * debian/control: Change build dependency on gs to ghoscript, since
+ ghoscript has been replaced.
+ * debian/compat: Use debhelper v7.
+ * debian/control: Update Standards-Version to 3.8.2.
+ * debian/control: Use ${misc:Depends}.
+ * configure.ac: Override pkgdatadir so that it points to
+ /usr/share/gnupg2. (Closes: #528734)
+ * debian/rules: No longer need to specify pkgdatadir at make install
+ time.
+
+ -- Eric Dorland <eric@debian.org> Sun, 23 Aug 2009 20:48:11 -0400
+
+gnupg2 (2.0.11-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #496663)
+ * debian/control: Make the description a little more distinctive than
+ gnupg v1's. Thanks Jari Aalto. (Closes: #496323)
+
+ -- Eric Dorland <eric@debian.org> Sun, 08 Mar 2009 22:46:47 -0400
+
+gnupg2 (2.0.9-3) unstable; urgency=medium
+
+ * Urgency medium to try to beat the release.
+ * tools/gpgkey2ssh.c: Patch from Daniel Kahn Gillmor to fix broken ssh
+ key generation. (Closes: #473841)
+
+ -- Eric Dorland <eric@debian.org> Mon, 21 Jul 2008 03:48:11 -0400
+
+gnupg2 (2.0.9-2) unstable; urgency=low
+
+ * The "I've neglected you too long" release.
+
+ * debian/control:
+ - Add recommends on gnupg-agent for gpgsm and gnupg2, since they need
+ it under most circumstances. (Closes: #459462, #477691)
+ - Depend on pinentry instead of recommend, and move pinentry-gtk2 to the
+ front of the alternatives list. (Closes: #462951)
+ * keyserver/gpgkeys_curl.c, keyserver/gpgkeys_hkp.c: Fix FTBFS with gcc
+ 4.3 strictness on bitfields combined with curl. (Closes: #476999)
+
+ -- Eric Dorland <eric@debian.org> Mon, 28 Apr 2008 03:22:20 -0400
+
+gnupg2 (2.0.9-1) unstable; urgency=low
+
+ * New upstream release. Fixes CVE-2008-1530, Key import memory corruption.
+ (Closes: #472928)
+ * debian/rules: Don't ignore status of make distclean, just check for
+ the existance of the Makefile.
+
+ -- Eric Dorland <eric@debian.org> Sat, 29 Mar 2008 03:21:21 -0400
+
+gnupg2 (2.0.8-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #428635)
+ * debian/watch: Use passive ftp, ftp.gnupg.org doesn't seem happy
+ otherwise. (Closes: #456467)
+ * debian/control:
+ - Requires libassuan >= 1.0.4 now.
+ - Remove the XS- prefix from the Vcs-* headers.
+ - Add Homepage header.
+ - Upgrade Standards-Version to 3.7.3.0.
+ - Make gnupg2 optional rather than extra.
+ - Remove unnecessary conflict on suidmanager.
+
+ -- Eric Dorland <eric@debian.org> Sat, 22 Dec 2007 02:06:42 -0500
+
+gnupg2 (2.0.7-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/rules:
+ - Remove unnecessary deletion of the .gmo files. (Closes: #442583)
+ - Clean out some old comments
+ * gnupg-agent.xsession: Remove the quotes around --write-env-file
+ argument. Not ideal, but fine for now. Thanks Luis Rodrigo Gallardo
+ Cruz.
(Closes: #443580)
+
+ -- Eric Dorland <eric@debian.org> Sun, 30 Sep 2007 02:50:40 -0400
+
+gnupg2 (2.0.6-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #437289)
+ * debian/gnupg-agent.xsession: Run the Xsession under the gpg-agent, so
+ it exits properly when the session dies. (Closes: #401843)
+ * debian/control: Add XS-Vcs headers for its new git home.
+
+ -- Eric Dorland <eric@debian.org> Mon, 03 Sep 2007 23:29:11 -0400
+
+gnupg2 (2.0.5-2) unstable; urgency=low
+
+ * The "Ubuntu, I would have done it had you only asked" release.
+
+ * debian/copyright: Fix download location. Thanks Ubuntu.
+ * debian/README.Debian: Remove, doesn't contain any relevant info.
+ * debian/rules:
+ - Build with --sysconfdir=/etc, thanks Bernhard Herzog. (Closes: #434790)
+ - Run dh_installexamples.
+ - Don't list the docs to install in here.
+ * debian/gnupg2.examples: New file, install gpgconf.conf as an example
+ into /usr/share/doc. Hope this is a good compromise Bernhard. (Closes:
+ #434878)
+ * debian/control:
+ - Remove opensc and pcsc-lite build dependencies, they're not used anymore.
+ - Add libcurl4-gnutls-dev build dep, to use the real curl.
+ * g10/call-agent.c: set DBG_ASSUAN to 0 to suppress a debug
+ message. Thanks Ubuntu.
+ * debian/gnupg2.docs, debian/gpgsm.docs: Move installed docs in here,
+ add some new docs. Thanks Ubuntu.
+ * debian/rules, debian/gnupg-agent.install: Build symcryptrun and install it
+ in the gnupg-agent package. Thanks Bernhard Herzog. (Closes: #434787)
+ * debian/rules, debian/control: Only recommend libldap, don't depend on
+ it.Thanks Riku. (Closes: #435138)
+
+ -- Eric Dorland <eric@debian.org> Thu, 16 Aug 2007 22:24:16 -0400
+
+gnupg2 (2.0.5-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/watch: Add watch file.
+ * debian/control:
+ - Require libassuan 1.0.2 or greater.
+ - Require libksba 1.0.2 or greater.
+ - Don't recommend plain gpg anymore.
+ * debian/copyright: Update copyright text for GPL v3 relicensing.
+ * docs/scdaemon.texi: Remove old --print-atr documentation. Thanks
+ Ludovic Rousseau. (Closes: #404128)
+
+ -- Eric Dorland <eric@debian.org> Sun, 22 Jul 2007 16:03:32 -0400
+
+gnupg2 (2.0.4-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Eric Dorland <eric@debian.org> Fri, 11 May 2007 00:41:01 -0400
+
+gnupg2 (2.0.3-1) unstable; urgency=high
+
+ * New upstream release.
+ - Fixes multoiple messages problem aka CVE-2007-1263.
+
+ -- Eric Dorland <eric@debian.org> Fri, 9 Mar 2007 03:28:53 -0500
+
+gnupg2 (2.0.2-1) unstable; urgency=high
+
+ * New upstream release. (Closes: #409559)
+ * Thanks Andreas Barth for NMUs. (Closes: #400777, #401895, #401913)
+ * debian/gpgsm.install: pcsc-wrapper renamed to gnupg-pcsc-wrapper.
+
+ -- Eric Dorland <eric@debian.org> Mon, 19 Feb 2007 20:34:52 -0500
+
+gnupg2 (2.0.0-5) unstable; urgency=high
+
+ * debian/control: Remove unnecessary dependencies on makedev and
+ udev. Thanks Marco d'Itri.
+ * doc/gnupg.texi, debian/gnupg2.info, debian/rules: Set the output file
+ to gnupg2.info, and use that for the index. (Closes: #398493)
+
+ -- Eric Dorland <eric@debian.org> Fri, 24 Nov 2006 02:23:35 -0500
+
+gnupg2 (2.0.0-4) unstable; urgency=medium
+
+ * debian/control: Update forgotten replaces for pcsc-wrapper move.
+
+ -- Eric Dorland <eric@debian.org> Mon, 20 Nov 2006 23:02:25 -0500
+
+gnupg2 (2.0.0-3) unstable; urgency=medium
+
+ * debian/control: Remove warning about development, thanks Gonzalo
+ HIGUERA DIAZ. (Closes: #399551)
+
+ -- Eric Dorland <eric@debian.org> Mon, 20 Nov 2006 14:32:33 -0500
+
+gnupg2 (2.0.0-2) unstable; urgency=medium
+
+ * All packaging fixes, so urgency medium to beat the freeze.
+ * debian/distfiles, debian/lintian.override, debian/point-to-info.1:
+ Remove unused files.
+ * debian/gnupg2.info, debian/rules, gnupg2.files: Install all the info
+ files properly.
(Closes: #398493)
+ * debian/rules:
+ - Remove some unnecessary autotools build rules.
+ - Move some of make install targets more correctly to the
+ configure line.
+ * debian/*.files, debian/rules: Rename *.files to .install and use
+ dh_install nstead of dh_movefiles.
+ * debian/gnupg-agent.xsession: Account for spaces in the configuration
+ file, thanks Artem Zolochevskiy. (Closes: #352326)
+ * debian/control:
+ - Adjust build-dependency versions slightly to match what the
+ configure scipt requires.
+ - Update Standards-Version to 3.7.2.2.
+ * debian/gpgsm.install, debian/gnupg2.install: Install the pcsc-wrapper
+ in gpgsm. (Closes: #353232)
+ * debian/gpgsm.install, debian/rules: Install gpg-protect-tool into
+ /usr/libb/gnupg2.
+
+ -- Eric Dorland <eric@debian.org> Sun, 19 Nov 2006 18:03:39 -0500
+
+gnupg2 (2.0.0-1) unstable; urgency=medium
+
+ * New upstream release. (Closes: #398215)
+ * common/estream.c: #define PTH_SYSCALL_SOFT 0 as suggested by Daniel Hess.
+
+ -- Eric Dorland <eric@debian.org> Sun, 12 Nov 2006 23:52:59 -0500
+
+gnupg2 (1.9.94-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Eric Dorland <eric@debian.org> Thu, 2 Nov 2006 16:06:30 -0500
+
+gnupg2 (1.9.93-1) unstable; urgency=medium
+
+ * New upstream release. Urgency medium to try to beat the freeze. Thanks
+ to Andreas Metzler for getting this package into shape.
+
+ -- Eric Dorland <eric@debian.org> Wed, 25 Oct 2006 00:41:15 -0400
+
+gnupg2 (1.9.91-0.1) unstable; urgency=low
+
+ * New upstream version, built against clean upstream tarball.
+ (Closes: #378489,#388257)
+ * bump Build-Depends:
+ - libgpg-error-dev 0.6 -> 1.4
+ - libassuan-dev 0.6.10 -> 0.9.1
+ - libksba-dev 0.9.13 -> 1.0.0 (closes: #368552)
+ * Add libreadline5-dev to Build-Depends.
+ * Pass proper --build and --host args to ./configure.
+ * configure with --mandir='$${prefix}/share/man'.
+ * Add $(LIBINTL) to gpgsplit_LDADD in tools/Makefile.am.
+ * New upstream includes a lot more manpages, ship them.
+ (Closes: #300129,#300677)
+ gpg-agent(1) documents ~/gpg-agent.conf. (Closes: #300676)
+ * Update debian/copyright.
+ * Drop gnupg2.postinst gnupg2.postrm postinst postrm. They all only consited
+ of calls to suidregister for /usr/bin/gpg" or "chmod 4755 /usr/bin/gpg".
+ suidregister has been obsolete for a long time and /usr/bin/gpg is not
+ part of these packages. - If /usr/bin/gpg(v)2 was supposed to be installed
+ suid it should be shipped with these permissions in the deb instead
+ using chmod in postinst anyway.
+ * Drop preinst (ending up as gnupg-agent's preinst), which only showed
+ a warning on upgrades from <<0.3.2-1. - There never was a gnupg-agent
+ 0.3.2-1.
+ * Add (noop) binary-indep target as required by policy 4.9.
+
+ -- Andreas Metzler <ametzler@debian.org> Sun, 8 Oct 2006 07:51:44 +0000
+
+gnupg2 (1.9.20-2) unstable; urgency=high
+
+ * debian/control: Make myself the maintainer with Matthias' permission.
+ * Acknowledge NMU. (Closes: #375053, #376755)
+ * g10/parse-packet.c: Patch from Martin Schulze to backport security fix
+ for CVE-2006-3746, crash when receiving overly long comments.
+
+ -- Eric Dorland <eric@debian.org> Fri, 4 Aug 2006 18:11:43 -0400
+
+gnupg2 (1.9.20-1.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Adapt patch from upstream CVS, fixing buffer overflow leading to remote
+ DoS/crash (CVE-2006-3082). (Closes: #375053)
+
+ -- Steinar H. Gunderson <sesse@debian.org> Tue, 4 Jul 2006 20:37:43 +0200
+
+gnupg2 (1.9.20-1) unstable; urgency=low
+
+ * New Upstream version. Closes:#306890,#344530
+ * Closes:#320490: gpg-protect-tool fails to decrypt PKCS-12 files
+ * Depend on libopensc2-dev, not -1-. Closes:#348106
+
+ -- Matthias Urlichs <smurf@debian.org> Tue, 24 Jan 2006 04:31:42 +0100
+
+gnupg2 (1.9.19-2) unstable; urgency=low
+
+ * Convert debian/changelog to UTF-8.
+ * Put gnupg-agent and gpgsm lintian overrides in the respectively
+ right package. Closes: #335066
+ * Added debhelper tokens to maintainer scripts.
+ * xsession fixes:
+ o Added host name to gpg-agent PID file name. Closes: #312717
+ o Fixed xsession script to be able to run under zsh. Closes: #308516
+ o Don't run gpg-agent if one is already running. Closes: #336480
+ * debian/control:
+ o Fixed package description of gpgsm package. Closes: #299842
+ o Added mention of gpg-agent to description of gnupg-agent package.
+ Closes: #304355
+ * Thanks to Peter Eisentraut <petere@debian.org> for all of the above.
+
+ -- Matthias Urlichs <smurf@debian.org> Thu, 8 Dec 2005 22:13:21 +0100
+
+gnupg2 (1.9.19-1) unstable; urgency=low
+
+ * Merged with 1.9.19.
+ * Re-enable gpgv2 package.
+
+ -- Matthias Urlichs <smurf@debian.org> Sat, 22 Oct 2005 14:33:33 +0200
+
+gnupg2 (1.9.17-1) unstable; urgency=low
+
+ * Merged with Upstream 1.9.17.
+
+ -- Matthias Urlichs <smurf@debian.org> Mon, 4 Jul 2005 01:56:43 +0200
+
+gnupg2 (1.9.15-6) unstable; urgency=high
+
+ * Move gpg-protect-tool to the gpgsm package.
+ Closes: #303492.
+ High urgency because this renders gpgsm unuseable for some people.
+ * gpg-agent: Override max-cache-ttl if a higher default is set.
+ Closes: #302692.
+
+ -- Matthias Urlichs <smurf@debian.org> Thu, 7 Apr 2005 10:13:19 +0200
+
+gnupg2 (1.9.15-5) unstable; urgency=low
+
+ * Add /etc/X11/Xsession.d/90gpg-agent script. Closes: #300128.
+ * Emphasize that gnupg2 is NOT useful at the moment.
+ * Conflict+replace gpg-agent with newpg.
+
+ -- Matthias Urlichs <smurf@debian.org> Thu, 10 Mar 2005 22:46:10 +0100
+
+gnupg2 (1.9.15-4) unstable; urgency=low
+
+ * Incorporated Ubuntu changes from Andreas Mueller.
+
+ -- Matthias Urlichs <smurf@debian.org> Thu, 10 Mar 2005 21:41:59 +0100
+
+gnupg2 (1.9.15-3ubuntu3) hoary; urgency=low
+
+ * removed info file
+
+ -- Andreas Mueller <amu@ubuntu.com> Tue, 8 Mar 2005 01:58:39 +0100
+
+gnupg2 (1.9.15-3ubuntu2) hoary; urgency=low
+
+ * changed rules file, part cp gnupg.info to mv
+ and added dh_installinfo.
+ * changed Standards Version to 3.6.1
+
+ -- Andreas Mueller <amu@ubuntu.com> Tue, 8 Mar 2005 00:53:31 +0100
+
+gnupg2 (1.9.15-3ubuntu1) hoary; urgency=low
+
+ * added missing build depends texinfo
+
+ -- Andreas Mueller <amu@ubuntu.com> Mon, 7 Mar 2005 22:47:56 +0100
+
+gnupg2 (1.9.15-2) hoary; urgency=low
+
+ * Initial checkin
+
+ -- Andreas Mueller <amu@ubuntu.com> Mon, 7 Mar 2005 21:13:32 +0100
+
+gnupg2 (1.9.15-1) experimental; urgency=low
+
+ * New Upstream release.
+ * Removed -doc package:
+ - The package itself is too smal to merit being packaged separately.
+ - Interim solution: Documentation is included in the gnupg2 package.
+ - Goal: ask Upstream to split the .info file.
+ * Removed suidness.
+ * Update debian/copyright.
+ * Require libassuan >= 0.6.9.
+
+ -- Matthias Urlichs <smurf@debian.org> Tue, 25 Jan 2005 08:19:15 +0100
+
+gnupg2 (1.9.11+cvs20040924-5) experimental; urgency=low
+
+ * Rebuild to depend on opensc1.
+ * Split -doc into its own package.
+
+ -- Matthias Urlichs <smurf@debian.org> Thu, 16 Dec 2004 10:30:44 +0100
+
+gnupg2 (1.9.11+cvs20040924-4) experimental; urgency=low
+
+ * Turn on setuid-ness.
+ - Added Lintian overrides.
+ * Install all "standard" message files.
+ - Makefile.in: The package name for gettext is in the macro PACKAGE_GT,
+ not PACKAGE.
+ * Fix shebang line of addgnupghome script.
+ * Install info file in the correct place.
+ * Build cleanups.
+
+ -- Matthias Urlichs <smurf@debian.org> Tue, 5 Oct 2004 10:59:56 +0200
+
+gnupg2 (1.9.11+cvs20040924-3) experimental; urgency=low
+
+ * rename gnupg-agent's changelog file
+ * Fix gnupg-agent's dependencies
+
+ -- Matthias Urlichs <smurf@debian.org> Sun, 3 Oct 2004 20:14:30 +0200
+
+gnupg2 (1.9.11+cvs20040924-2) experimental; urgency=low
+
+ * Shipped a /usr/share/locale.alias file. Ouch.
+ * Split off gpgsm.
+
+ -- Matthias Urlichs <smurf@debian.org> Wed, 29 Sep 2004 10:25:51 +0200
+
+gnupg2 (1.9.11+cvs20040924-1) experimental; urgency=low
+
+ * New Upstream.
+
+ -- Matthias Urlichs <smurf@debian.org> Sat, 25 Sep 2004 11:05:44 +0200
+
+gnupg2 (1.9.10+cvs-1) experimental; urgency=low
+
+ * Packaged latest Upstream version.
+ * Split gpg-agent into its own .deb.
+ * Bit the bullet and started using debhelper.
+
+ -- Matthias Urlichs <smurf@debian.org> Thu, 19 Aug 2004 11:43:34 +0200
+
+gnupg2 (1.9.9-1) experimental; urgency=low
+
+ * Packaged latest Upstream version.
+
+ -- Matthias Urlichs <smurf@debian.org> Mon, 14 Jun 2004 17:18:18 +0200
+
+gnupg2 (1.9.5-1) experimental; urgency=low
+
+ * Packaged Upstream development version.
+ Closes:#187548
+
+ -- Matthias Urlichs <smurf@debian.org> Mon, 8 Mar 2004 05:30:35 +0100
+
+gnupg (1.2.4-4) unstable; urgency=low
+
+ * 12_zero_length_header.dpatch: update patch from David Shaw
+ <dshaw@jabberwocky.com> to fix the fix of crashing on certain
+ keys. Closes: #234289
+
+ -- James Troup <james@nocrew.org> Mon, 23 Feb 2004 18:02:20 +0000
+
+gnupg (1.2.4-3) unstable; urgency=low
+
+ * Move to dpatch; existing non-debian/ change split into
+ 10_hppa_unaligned_constant.dpatch.
+
+ * debian/rules: include /usr/share/dpatch/dpatch.make.
+ * debian/rules (build): depend on patch-stamp.
+ * debian/rules (clean): depend on unpatch. Remove debian/patched.
+ * debian/control (Build-Depends): add dpatch.
+
+ * debian/rules: update version number and use install_foo convenience
+ variables.
+ * debian/rules (clean): remove emacs backup files from any directory.
+
+ * 11_fi_po_update.dpatch: new patch from Tommi Vainikainen
+ <thv+debian@iki.fi> to update Finnish translation as the current one
+ renders gnupg unusable. Closes: #232030, #222951, #192582
+ * debian/rules (clean): remove po/fi.gmo to avoid dpkg-source errors
+ over unrepresentable changes to source.
+
+ * 12_zero_length_header.dpatch: new patch from David Shaw
+ <dshaw@jabberwocky.com> to fix cases where importing certain keys
+ makes the keyring unuseable.
Closes: #232714
+
+ * 13_revoked_keys.dpatch: new patch from David Shaw
+ <dshaw@jabberwocky.com> to list revoked keys as revoked. Closes: #231814
+
+ * 14_getkey_not_found_fix.dpatch: new patch from David Shaw
+ <dshaw@jabberwocky.com> to fix --list-sigs incorrectly claiming "User
+ id not found". Closes: #229549
+
+ -- James Troup <james@nocrew.org> Fri, 20 Feb 2004 16:38:12 +0000
+
+gnupg (1.2.4-2) unstable; urgency=low
+
+ * mpi/hppa1.1/udiv-qrnnd.S: patch from LaMont Jones <lamont@debian.org>
+ to fix unaligned constant. Closes: #228456
+ * debian/copyright: update year and version number.
+
+ -- James Troup <james@nocrew.org> Tue, 20 Jan 2004 17:19:58 +0000
+
+gnupg (1.2.4-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Most support for ElGamal Sign+Encrypt keys has been removed. Closes: #222293
+ * No longer miss-identifies GNU/KFreeBSD as GNU/Hurd. Closes: #216957
+ * Fixes build error on GNU/KFreeBSD (and Glibc-based GNU/KNetBSD). Closes: #221079
+ * Fixes segmentation fault in prime generator. Closes: #213989
+ * Fixes trustdb not updating without ultimately trusted keys. Closes: #222368
+
+ * debian/control (Build-Depends): add libbz2-dev.
+
+ -- James Troup <james@nocrew.org> Wed, 31 Dec 2003 17:57:52 +0000
+
+gnupg (1.2.3-1) unstable; urgency=low
+
+ * New upstream release (Closes: #207340).
+ * gpg no longer kills keyrings by importing broken keys. Closes: #196505
+ * options.skel uses subkeys.pgp.net instead of pgp.mit.edu. Closes: #206092
+ * --import now closes files when it's done. Closes: #196643
+ * A key listing speed regression has been fixed. Closes: #192083
+ * debian/copyright: update URL and date.
+ * debian/rules: update dates and version.
+
+ * debian/control (Standards-Version): bump to 3.6.0.
+
+ * debian/Upgrading_From_PGP.txt: new file from to Richard Braakman
+ <dark@xs4all.nl>. Closes: #173233
+ * debian/rules (binary-arch): install it.
+
+ * debian/rules (build): correct libexecdir passed to configure; patch
+ from Matthias Cramer <cramer@freestone.net>. Fixes invocation of
+ gpgkeys_ldap. Closes: #168486
+
+ -- James Troup <james@nocrew.org> Thu, 28 Aug 2003 14:08:50 +0100
+
+gnupg (1.2.2-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/control (Standards-Version): bump to 3.5.9.0.
+ * debian/rules (binary-arch): install convert-from-106 as
+ gpg-convert-from-106 and fix the path to gpg.
+ * debian/control: remove trailing full stop from short description.
+ * debian/control: remove out-dated and contradictory information about
+ RSA.
+
+ -- James Troup <james@nocrew.org> Mon, 5 May 2003 03:08:58 +0100
+
+gnupg (1.2.1-2) unstable; urgency=low
+
+ * Update config.guess (to 2002-10-21) and config.sub (to 2002-09-05).
+ Thanks to Ryan Murray. Closes: #166696
+
+ -- James Troup <james@nocrew.org> Mon, 28 Oct 2002 01:47:26 +0000
+
+gnupg (1.2.1-1) unstable; urgency=low
+
+ * New upstream version.
+ * An inifinte loop in --update-trustdb has been fixed. Closes: #162039
+ * The polish translation is now correctly specified as UTF-8. Closes: #162885
+ * --refresh-keys is now documented in the manpage. Closes: #165566
+ * debian/control (Conflicts): add gpg-idea <= 2.2 since gnupg >= 1.2 is
+ incompatible with that version of gpg-idea. Closes: #162314
+
+ -- James Troup <james@nocrew.org> Fri, 25 Oct 2002 18:18:43 +0100
+
+gnupg (1.2.0-1) unstable; urgency=low
+
+ * New upstream version. Closes: #161817.
+ * --options no longer mis-handles a directory as an argument. Closes: #151973
+ * gpg now prompts before sending all keys to the keyserver. Closes: #64607
+ * There is now a gnupg(7) manpage. Closes: #157750
+ * The permission checking has been sanitized and handles non-home-dir
+ keyrings better. Closes: #147760
+ * notation data longer than 5 characters is now handled. Closes: #156871
+ * an abort when setting trust levels in a czech locale has been fixed.
+ Closes: #149212
+ * debian/rules (binary-arch): there are no more modules, adjust
+ accordingly.
+ * debian/postinst, debian/prerm: remove; no longer do /usr/doc symlinks.
+ * debian/rules (binary-arch): don't install obsolete postinst or prerm.
+ * debian/rules (binary-arch): gzip gnupg.7 too.
+ * debian/rules (build): pass --libexecdir=/usr/lib/gnupg to configure.
+ * debian/rules (binary-arch): likewise, pass suitable libexcedir
+ argument to make install.
+ * debian/control (Standards-Version): update to 3.5.7.0.
+ * debian/copyright: update URL and date.
+ * debian/rules: update dates and version.
+
+ -- James Troup <james@nocrew.org> Sun, 22 Sep 2002 22:26:25 +0100
+
+gnupg (1.0.7-2) unstable; urgency=low
+
+ * debian/control (Suggests): add xloadimage since that's what gpg uses
+ by default to view photo IDs. Thanks to Julien Danjou
+ <acid@debian.org> for the suggestion. Closes: #156245
+ * debian/control (Depends): add "hurd" to the alternatives to
+ makedev. Thanks to Michal Suchanek <hramrach_l@centrum.cz> for
+ noticing. Closes: #158492
+ * po/it.po: patch to fix typos from Marco Bodrato
+ <bodrato@gulp.linux.it. Closes: #149462
+ * g10/g10.c (main): remove the bogus undef of USE_SHM_COPROCESSING to
+ match upstream and fix gabber and libgnupg-perl. Closes: #147679, #151969
+
+ -- James Troup <james@nocrew.org> Thu, 29 Aug 2002 01:42:58 +0100
+
+gnupg (1.0.7-1) unstable; urgency=low
+
+ * New upstream version. Closes: #145477.
+ * GDBM support has been removed. Closes: #33009.
+ * Now adds the default keyring when a keyring is specified.
+ Closes: #50616, #65260.
+ * Now does the Right Thing when receiving a key from the keyserver and
+ the key in question is in both a read-only and writable keyring.
+ Closes: #63297.
+ * Automatic key retrieval is now configurable. Closes: #64940.
+ * --no-options supresses ~/.gnupg creation again. Closes: #95486.
+ * duplicate trust entries are no longer treated as an error. Closes: #96480.
+ * There's now no comment line in ascii armours. Closes: #100088.
+ * Handle secret keyring given as keyring better. Closes: #100581, #106670.
+ * It's now documented that --with-colons unconditionally uses UTF8.
+ Closes: #101446, 101454.
+ * s/now/knows/ typo in manpage fixed. Closes: #107471.
+ * There's now support for a primary UID. Closes: #106567, #108155.
+ * Handles errors in uncompression layer beter. Closes: #112392.
+ * Key selection has been entirely revamped. Closes: #136170.
+ * Handles empty encrypt-to. Closes: #138378
+
+ * debian/rules (binary-arch): remove empty /usr/info directory, thanks
+ to Joey Hess <joeyh@debian.org>. Closes: #121864.
+ * debian/control: remove duplicated word from long description, thanks
+ to Nicolas Boulenguez <nicolas.boulenguez@free.fr>. Closes: #144786.
+ * README: correct URL to GPH and other docs, thanks to Mark Brown
+ <broonie@sirena.org.uk>. Closes: #100277.
+ * debian/control (Standards-Version): updated to 3.5.6.1.
+ * debian/rules (binary-arch): only strip ELF binaries. es_ES -> es hack
+ no longer needed as fixed upstream.
+ * debian/control (Build-Depends): remove libgdbmg1-dev; no longer used.
+ * debian/README.Debian: remove note about gdbm support which was finally
+ removed. Update note on old versions of gnupg to reflect the
+ pre-historic nature of those versions.
+ * debian/control (Build-Depends): add libldap2-dev.
+ * debian/rules (binary-arch): call dpkg-shlibdeps for all ELF binaries.
+ * debian/control (Build-Depends): add file.
+ * debian/control (Priority): increase to standard to match overrides.
+
+ -- James Troup <james@nocrew.org> Sat, 11 May 2002 15:08:02 +0100
+
+gnupg (1.0.6-3) unstable; urgency=low
+
+ * moved into main.
+
+ -- James Troup <james@nocrew.org> Tue, 19 Mar 2002 16:17:09 +0000
+
+gnupg (1.0.6-2) unstable; urgency=high
+
+ * debian/rules (binary-arch): remove the erroneous
+ /usr/share/locale/locale.alias that 'make install' adds; closes:
+ #99293.
+
+ -- James Troup <james@nocrew.org> Wed, 30 May 2001 20:40:59 +0100
+
+gnupg (1.0.6-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <james@nocrew.org> Tue, 29 May 2001 20:59:49 +0100
+
+gnupg (1.0.5-4) unstable; urgency=low
+
+ * Patch from Werner.
+
+ -- James Troup <james@nocrew.org> Sun, 27 May 2001 09:34:50 +0100
+
+gnupg (1.0.5-3) unstable; urgency=low
+
+ * Apply patch from Matthew Wilcox <matthew@wil.cx> to fix assembly on
+ hppa.
+
+ -- James Troup <james@nocrew.org> Sun, 13 May 2001 02:36:45 +0100
+
+gnupg (1.0.5-2) unstable; urgency=medium
+
+ * util/http.c: patch from Werner that fixes --send-key, closes: #96277.
+ * debian/control (Depends): accept devfsd in place of makedev, closes:
+ #96307.
+
+ -- James Troup <james@nocrew.org> Mon, 7 May 2001 00:13:51 +0100
+
+gnupg (1.0.5-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/README.Debian: fix spelling and update URL.
+ * debian/rules (binary): remove the new info files.
+ * scripts/config.{guess,sub}: sync with subversions, closes: #95729.
+
+ -- James Troup <james@nocrew.org> Mon, 30 Apr 2001 02:12:38 +0100
+
+gnupg (1.0.4-4) unstable; urgency=low
+
+ * po/ru.po: patch by Ilya Martynov <m_ilya@agava.com> to replace German
+ entries and add missing translations, closes: #93987.
+ * g10/revoke.c (ask_revocation_reason): typo fix (s/non longer/no
+ longer/g); noticed by Colin Watson <cjw44@flatline.org.uk>, closes:
+ #93664.
+
+ * Deprecated depreciated; noticed by Vincent Broman
+ <broman@spawar.navy.mil>.
+
+ * Following two patches are from Vincent Broman.
+ * g10/mainproc.c (proc_tree): use iobuf_get_real_fname() in preference
+ to iobuf_get_fname().
+ * g10/openfile.c (open_sigfile): handle .sign prefixed files correctly.
+
+ -- James Troup <james@nocrew.org> Fri, 20 Apr 2001 23:32:44 +0100
+
+gnupg (1.0.4-3) unstable; urgency=medium
+
+ * debian/rules (binary): make gpg binary suid, closes: #86433.
+ * debian/postinst: don't use suidregister.
+ * debian/postrm: removed (only called suidunregister).
+ * debian/control: conflict with suidmanager << 0.50.
+ * mpi/longlong.h: apply fix for ARM long long artimetic from Philip
+ Blundell <philb@gnu.org>, closes: #87487.
+ * debian/preinst: the old GnuPG debs have moved to people.debian.org.
+ * cipher/random.c: #include <time.h> as well as <sys/time.h>
+ * g10/misc.c: likewise.
+ * debian/rules: define a strip alias which removes the .comment and
+ .note sections.
+ * debian/rules (binary-arch): use it.
+ * debian/lintian.override: new file; override the SUID warning from
+ lintian.
+ * debian/rules (binary-arch): install it.
+
+ -- James Troup <james@nocrew.org> Sun, 25 Feb 2001 05:24:58 +0000
+
+gnupg (1.0.4-2) stable unstable; urgency=high
+
+ * Apply security fix patch from Werner.
+ * Apply another patch from Werner to fix bogus warning on Rijndael
+ usage.
+ * Change section to 'non-US'.
+
+ -- James Troup <james@nocrew.org> Mon, 12 Feb 2001 07:47:02 +0000
+
+gnupg (1.0.4-1) stable unstable; urgency=high
+
+ * New upstream version.
+ * Fixes a serious bug which could lead to false signature verification
+ results when more than one signature is fed to gpg.
+
+ -- James Troup <james@nocrew.org> Tue, 17 Oct 2000 17:26:17 +0100
+
+gnupg (1.0.3b-1) unstable; urgency=low
+
+ * New upstream snapshot version.
+
+ -- James Troup <james@nocrew.org> Fri, 13 Oct 2000 18:08:14 +0100
+
+gnupg (1.0.3-2) unstable; urgency=low
+
+ * debian/control: Conflict, Replace and Provide gpg-rsa & gpg-rsaref.
+ Fix long description to reflect the fact that RSA is no longer
+ patented and now included. [#72177]
+ * debian/rules: move faq.html to /usr/share/doc/gnupg/ and remove FAQ
+ from /usr/share/gnupg/. Thanks to Robert Luberda
+ <robert@pingu.ii.uj.edu.pl> for noticing. [#72151]
+ * debian/control: Suggest new package gnupg-doc.
[#64323, #65560]
+ * utils/secmem.c (lock_pool): don't bomb out if mlock() returns ENOMEM,
+ as Linux will do this if resource limits (or other reasons) prevent
+ memory from being locked, instead treat it like permission was denied
+ and warn but continue. Thanks to Topi Miettinen
+ <Topi.Miettinen@nic.fi>. [#70446]
+ * g10/hkp.c (not_implemented): s/ist/is/ in error message.
+ * debian/README.Debian: add a note about GDBM support and why it is
+ disabled. Upstream already fixed the manpage. [#65913]
+ * debian/rules (binary-arch): fix the Spanish translation to be 'es' not
+ 'es_ES' at NicolĆ”s Lichtmaier <nick@debian.org>'s request. [#57314]
+
+ -- James Troup <james@nocrew.org> Sun, 1 Oct 2000 14:55:03 +0100
+
+gnupg (1.0.3-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <james@nocrew.org> Mon, 18 Sep 2000 15:56:54 +0100
+
+gnupg (1.0.2-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <james@nocrew.org> Thu, 13 Jul 2000 20:26:50 +0100
+
+gnupg (1.0.1-2) unstable; urgency=low
+
+ * debian/control (Build-Depends): added.
+ * debian/copyright: corrected location of copyright file. Removed
+ references to Linux. Removed warnings about beta nature of GnuPG.
+ * debian/rules (binary-arch): install documentation into
+ /usr/share/doc/gnupg/ and pass mandir to make install to ensure the
+ manpages go to /usr/share/man/.
+ * debian/postinst: create /usr/doc/gnupg symlink.
+ * debian/prerm: new file; remove /usr/doc/gnupg symlink.
+ * debian/rules (binary-arch): install prerm.
+ * debian/control (Standards-Version): updated to 3.1.1.1.
+
+ -- James Troup <james@nocrew.org> Thu, 30 Dec 1999 16:16:49 +0000
+
+gnupg (1.0.1-1) unstable; urgency=low
+
+ * New upstream version.
+ * doc/gpg.1: updated to something usable from
+ ftp://ftp.gnupg.org/pub/gcrypt/gnupg/gpg.1.gz.
+
+ -- James Troup <james@nocrew.org> Sun, 19 Dec 1999 23:47:10 +0000
+
+gnupg (1.0.0-3) unstable; urgency=low
+
+ * debian/rules (build): remove the stunningly ill-advised --host option
+ to configure. [#44698, #48212, #48281]
+
+ -- James Troup <james@nocrew.org> Tue, 26 Oct 1999 01:12:59 +0100
+
+gnupg (1.0.0-2) unstable; urgency=low
+
+ * debian/rules (binary-arch): fix the permissions on the
+ modules. [#47280]
+ * debian/postinst, debian/postrm: fix the package name passed to
+ suidregister. [#45013]
+ * debian/control: update long description. [#44636]
+ * debian/rules (build): pass the host explicitly to configure to avoid
+ problems on sparc64. [(Should fix) #44698].
+
+ -- James Troup <james@nocrew.org> Wed, 20 Oct 1999 23:39:05 +0100
+
+gnupg (1.0.0-1) unstable; urgency=low
+
+ * New upstream release. [#44545]
+
+ -- James Troup <james@nocrew.org> Wed, 8 Sep 1999 00:53:02 +0100
+
+gnupg (0.9.10-2) unstable; urgency=low
+
+ * debian/rules (binary-arch): install lspgpot. Requested by Kai
+ Henningsen <kai@khms.westfalen.de>. [#42288]
+ * debian/rules (binary-arch): correct the path where modules are looked
+ for. Reported by Karl M. Hegbloom <karlheg@odin.cc.pdx.edu>. [#40881]
+ * debian/postinst, debian/postrm: under protest, register gpg the
+ package with suidmanager and make it suid by default.
+ [#29780,#32590,#40391]
+
+ -- James Troup <james@nocrew.org> Tue, 10 Aug 1999 00:12:40 +0100
+
+gnupg (0.9.10-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <james@nocrew.org> Fri, 6 Aug 1999 01:16:21 +0100
+
+gnupg (0.9.9-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <james@nocrew.org> Sun, 25 Jul 1999 01:06:31 +0100
+
+gnupg (0.9.8-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/rules (binary-arch): don't create a gpgm manpage as the binary
+ no longer exists. Noticed by Wichert Akkerman
+ <wichert@cs.leidenuniv.nl>.
[#38864]
+
+ -- James Troup <james@nocrew.org> Sun, 27 Jun 1999 01:07:58 +0100
+
+gnupg (0.9.7-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <james@nocrew.org> Tue, 25 May 1999 13:23:24 +0100
+
+gnupg (0.9.6-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/copyright: update version number, noticed by Lazarus Long
+ <lazarus@frontiernet.net>.
+ * debian/control (Depends): depend on makedev (>= 2.3.1-13) to ensure
+ that /dev/urandom exists; reported by Steffen Markert
+ <smort@rz.tu-ilmenau.de>. [#32076]
+
+ -- James Troup <james@nocrew.org> Tue, 11 May 1999 21:06:27 +0100
+
+gnupg (0.9.5-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/control (Description): no tabs. [Lintian]
+
+ -- James Troup <james@nocrew.org> Wed, 24 Mar 1999 22:37:40 +0000
+
+gnupg (0.9.4-1) unstable; urgency=low
+
+ * New version.
+ * debian/control: s/GNUPG/GnuPG/
+
+ -- Werner Koch <wk@isil.d.suttle.de> Mon, 8 Mar 1999 19:58:28 +0100
+
+gnupg (0.9.3-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <james@nocrew.org> Mon, 22 Feb 1999 22:55:04 +0000
+
+gnupg (0.9.2-1) unstable; urgency=low
+
+ * New version.
+ * debian/rules (build): Removed CFLAGS as the default is now sufficient.
+ * debian/rules (clean): remove special handling cleanup in intl.
+
+ -- Werner Koch <wk@isil.d.suttle.de> Wed, 20 Jan 1999 21:23:11 +0100
+
+gnupg (0.9.1-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <james@nocrew.org> Sat, 9 Jan 1999 22:29:11 +0000
+
+gnupg (0.9.0-1) unstable; urgency=low
+
+ * New upstream version.
+ * g10/armor.c (armor_filter): add missing new line in comment string; as
+ noticed by Stainless Steel Rat <ratinox@peorth.gweep.net>.
+
+ -- James Troup <james@nocrew.org> Tue, 29 Dec 1998 20:22:43 +0000
+
+gnupg (0.4.5-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/rules (clean): force removal of intl/libintl.h which the
+ Makefiles fail to remove properly.
+
+ -- James Troup <james@nocrew.org> Tue, 8 Dec 1998 22:40:23 +0000
+
+gnupg (0.4.4-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <james@nocrew.org> Sat, 21 Nov 1998 01:34:29 +0000
+
+gnupg (0.4.3-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/README.Debian: new file; contains same information as is in the
+ preinst. Suggested by Wichert Akkerman <wichert@cs.leidenuniv.nl>.
+ * debian/rules (binary-arch): install `README.Debian'
+ * debian/control (Standards-Version): updated to 2.5.0.0.
+
+ -- James Troup <james@nocrew.org> Sun, 8 Nov 1998 19:08:12 +0000
+
+gnupg (0.4.2-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/preinst: improve message about the NEWS file which isn't
+ actually installed when it's referred to, thanks to Martin Mitchell
+ <martin@debian.org>.
+ * debian/rules (binary-arch): don't install the now non-existent `rfcs',
+ but do install `OpenPGP'.
+
+ -- James Troup <james@nocrew.org> Sun, 18 Oct 1998 22:48:34 +0100
+
+gnupg (0.4.1-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/rules (binary-arch): fix the gpgm manpage symlink now installed
+ by `make install'.
+
+ -- James Troup <james@nocrew.org> Sun, 11 Oct 1998 17:01:21 +0100
+
+gnupg (0.4.0-1) unstable; urgency=high
+
+ * New upstream version. [#26717]
+ * debian/copyright: tone down warning about alpha nature of gnupg.
+ * debian/copyright: new maintainer address.
+ * debian/control: update extended description.
+ * debian/rules (binary-arch): install FAQ and all ChangeLogs.
+ * debian/preinst: new; check for upgrade from (<= 0.3.2-1) and warn about
+ incompatibilities in keyring format and offer to move old copy out of
+ gpg out of the way for transition strategy and inform the user about
+ the old copies of gnupg available on my web page.
+ * debian/rules (binary-arch) install preinst.
+ * debian/rules (binary-arch): don't depend on the test target as it is
+ now partially interactive (tries to generate a key, which requires
+ someone else to be using the computer).
+
+ -- James Troup <james@nocrew.org> Thu, 8 Oct 1998 00:47:07 +0100
+
+gnupg (0.3.2-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/control (Maintainer): new address.
+ * debian/copyright: updated list of changes.
+
+ -- James Troup <james@nocrew.org> Thu, 9 Jul 1998 21:06:07 +0200
+
+gnupg (0.3.1-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <james@nocrew.org> Tue, 7 Jul 1998 00:26:21 +0200
+
+gnupg (0.3.0-2) unstable; urgency=low
+
+ * Applied bug-fix patch from Werner.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk> Fri, 26 Jun 1998 12:18:29 +0200
+
+gnupg (0.3.0-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/control: rewrote short and long description.
+ * cipher/Makefile.am: link tiger with -lc.
+ * debian/rules (binary-arch): strip loadable modules.
+ * util/secmem.c (lock_pool): get rid of errant test code; fix from
+ Werner Koch <wk@isil.d.shuttle.de>.
+ * debian/rules (test): new target which runs gnupg's test suite.
+ binary-arch depends on it, to ensure it's run whenever the package is
+ built.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk> Thu, 25 Jun 1998 16:04:57 +0200
+
+gnupg (0.2.19-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/control: Updated long description.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk> Sat, 30 May 1998 12:12:35 +0200
+
+gnupg (0.2.18-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <J.J.Troup@comp.brad.ac.uk> Sat, 16 May 1998 11:52:47 +0200
+
+gnupg (0.2.17-1) unstable; urgency=high
+
+ * New upstream version.
+ * debian/control (Standards-Version): updated to 2.4.1.0.
+ * debian/control: tone down warning about alpha nature of gnupg, as per
+ README.
+ * debian/copyright: ditto.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk> Mon, 4 May 1998 22:36:51 +0200
+
+gnupg (0.2.15-1) unstable; urgency=high
+
+ * New upstream version.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk> Fri, 10 Apr 1998 01:12:20 +0100
+
+gnupg (0.2.13-1) unstable; urgency=high
+
+ * New upstream version.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk> Wed, 11 Mar 1998 01:52:51 +0000
+
+gnupg (0.2.12-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk> Sat, 7 Mar 1998 13:52:40 +0000
+
+gnupg (0.2.11-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk> Wed, 4 Mar 1998 01:32:12 +0000
+
+gnupg (0.2.10-1) unstable; urgency=low
+
+ * New upstream version.
+ * Name changed upstream.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk> Mon, 2 Mar 1998 07:32:05 +0000
+
+g10 (0.2.7-1) unstable; urgency=low
+
+ * Initial release.
+
+ -- James Troup <jjtroup@comp.brad.ac.uk> Fri, 20 Feb 1998 02:05:34 +0000
diff --git a/debian/clean b/debian/clean
new file mode 100644
index 0000000..4b27f09
--- /dev/null
+++ b/debian/clean
@@ -0,0 +1,9 @@
+po/*.gmo
+po/stamp-po
+build-gpgv-static/
+build-gpgv-udeb/
+build-gpgv-win32/
+build-maintainer/
+doc/gnupg.info
+doc/gnupg.info-1
+doc/gnupg.info-2
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..9e6a03c
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,504 @@
+Source: gnupg2
+Section: utils
+Priority: optional
+Maintainer: Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
+Uploaders:
+ Eric Dorland <eric@debian.org>,
+ Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
+ Christoph Biedl <debian.axhn@manchmal.in-ulm.de>,
+Standards-Version: 4.5.1
+Build-Depends:
+ automake,
+ autopoint,
+ debhelper-compat (= 13),
+ file,
+ gettext,
+ ghostscript,
+ gpgrt-tools,
+ imagemagick,
+ libassuan-dev (>= 2.5.0),
+ libbz2-dev,
+ libcurl4-gnutls-dev,
+ libgcrypt20-dev (>= 1.8.0),
+ libgnutls28-dev (>= 3.0),
+ libgpg-error-dev (>= 1.35),
+ libksba-dev (>= 1.3.5),
+ libldap2-dev,
+ libnpth0-dev (>= 1.2),
+ libreadline-dev,
+ librsvg2-bin,
+ libsqlite3-dev,
+ libusb-1.0-0-dev [!hurd-any],
+ openssh-client <!nocheck>,
+ pkg-config,
+ texinfo,
+ transfig,
+ zlib1g-dev | libz-dev,
+Build-Depends-Indep:
+ binutils-multiarch [!amd64 !i386],
+ libassuan-mingw-w64-dev (>= 2.5.0),
+ libgcrypt-mingw-w64-dev (>= 1.8.0),
+ libgpg-error-mingw-w64-dev (>= 1.26-2~),
+ libksba-mingw-w64-dev (>= 1.3.5),
+ libnpth-mingw-w64-dev (>= 1.2),
+ libz-mingw-w64-dev,
+ mingw-w64,
+Vcs-Git: https://salsa.debian.org/debian/gnupg2.git -b debian/bullseye
+Vcs-Browser: https://salsa.debian.org/debian/gnupg2
+Homepage: https://www.gnupg.org/
+Rules-Requires-Root: no
+
+Package: gpgconf
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Replaces:
+ gnupg (<< 2.1.21-4),
+ gnupg-agent (<< 2.1.21-4),
+Breaks:
+ gnupg (<< 2.1.21-4),
+ gnupg-agent (<< 2.1.21-4),
+Description: GNU privacy guard - core configuration utilities
+ GnuPG is GNU's tool for secure communication and data storage.
+ .
+ This package contains core utilities used by different tools in the
+ suite offered by GnuPG. It can be used to programmatically edit
+ config files for tools in the GnuPG suite, to launch or terminate
+ per-user daemons (if installed), etc.
+
+Package: gnupg-agent
+Architecture: all
+Section: oldlibs
+Multi-Arch: foreign
+Depends:
+ gpg-agent (>= ${source:Version}),
+ ${misc:Depends},
+Description: GNU privacy guard - cryptographic agent (dummy transitional package)
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This is a dummy transitional package; please use gpg-agent instead.
+
+Package: gpg-agent
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ gpgconf (= ${binary:Version}),
+ pinentry-curses | pinentry,
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gnupg (= ${binary:Version}),
+ ${shlibs:Recommends},
+Suggests:
+ dbus-user-session,
+ libpam-systemd,
+ pinentry-gnome3,
+ scdaemon,
+Replaces:
+ gnupg-agent (<< 2.1.21-4),
+Breaks:
+ gnupg-agent (<< 2.1.21-4),
+Provides:
+ gnupg-agent,
+Description: GNU privacy guard - cryptographic agent
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package contains the agent program gpg-agent which handles all
+ secret key material for OpenPGP and S/MIME use. The agent also
+ provides a passphrase cache, which is used by pre-2.1 versions of
+ GnuPG for OpenPGP operations. Without this package, trying to do
+ secret-key operations with any part of the modern GnuPG suite will
+ fail.
+
+Package: gpg-wks-server
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ gpg (= ${binary:Version}),
+ gpg-agent (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gnupg (= ${binary:Version}),
+ ${shlibs:Recommends},
+Description: GNU privacy guard - Web Key Service server
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package provides the GnuPG server for the Web Key Service
+ protocol.
+ .
+ A Web Key Service is a service that allows users to upload keys per
+ mail to be verified over https as described in
+ https://tools.ietf.org/html/draft-koch-openpgp-webkey-service
+ .
+ For more information see: https://wiki.gnupg.org/WKS
+
+Package: gpg-wks-client
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ dirmngr (= ${binary:Version}),
+ gpg (= ${binary:Version}),
+ gpg-agent (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gnupg (= ${binary:Version}),
+ ${shlibs:Recommends},
+Description: GNU privacy guard - Web Key Service client
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package provides the GnuPG client for the Web Key Service
+ protocol.
+ .
+ A Web Key Service is a service that allows users to upload keys per
+ mail to be verified over https as described in
+ https://tools.ietf.org/html/draft-koch-openpgp-webkey-service
+ .
+ For more information see: https://wiki.gnupg.org/WKS
+
+Package: scdaemon
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ gpg-agent (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Enhances:
+ gpg-agent,
+Description: GNU privacy guard - smart card support
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package contains the smart card program scdaemon, which is used
+ by gpg-agent to access OpenPGP smart cards.
+
+Package: gpgsm
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ gpgconf (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gnupg (= ${binary:Version}),
+ ${shlibs:Recommends},
+Breaks:
+ gnupg2 (<< 2.1.10-2),
+Replaces:
+ gnupg2 (<< 2.1.10-2),
+Description: GNU privacy guard - S/MIME version
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package contains the gpgsm program. gpgsm is a tool to provide
+ digital encryption and signing services on X.509 certificates and the
+ CMS protocol. gpgsm includes complete certificate management.
+
+Package: gpg
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ gpgconf (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gnupg (= ${binary:Version}),
+ ${shlibs:Recommends},
+Breaks:
+ gnupg (<< 2.1.21-4),
+Replaces:
+ gnupg (<< 2.1.21-4),
+Description: GNU Privacy Guard -- minimalist public key operations
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package contains /usr/bin/gpg itself, and is useful on its own
+ only for public key operations (encryption, signature verification,
+ listing OpenPGP certificates, etc). If you want full capabilities
+ (including secret key operations, network access, etc), please
+ install the "gnupg" package, which pulls in the full suite of tools.
+
+Package: gnupg
+Architecture: all
+Multi-Arch: foreign
+Depends:
+ dirmngr (<< ${source:Version}.1~),
+ dirmngr (>= ${source:Version}),
+ gnupg-l10n (= ${source:Version}),
+ gnupg-utils (<< ${source:Version}.1~),
+ gnupg-utils (>= ${source:Version}),
+ gpg (<< ${source:Version}.1~),
+ gpg (>= ${source:Version}),
+ gpg-agent (<< ${source:Version}.1~),
+ gpg-agent (>= ${source:Version}),
+ gpg-wks-client (<< ${source:Version}.1~),
+ gpg-wks-client (>= ${source:Version}),
+ gpg-wks-server (<< ${source:Version}.1~),
+ gpg-wks-server (>= ${source:Version}),
+ gpgsm (<< ${source:Version}.1~),
+ gpgsm (>= ${source:Version}),
+ gpgv (<< ${source:Version}.1~),
+ gpgv (>= ${source:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ ${shlibs:Recommends},
+Suggests:
+ parcimonie,
+ xloadimage,
+Breaks:
+ debsig-verify (<< 0.15),
+ dirmngr (<< ${binary:Version}),
+ gnupg2 (<< 2.1.11-7+exp1),
+ libgnupg-interface-perl (<< 0.52-3),
+ libgnupg-perl (<= 0.19-1),
+ libmail-gnupg-perl (<= 0.22-1),
+ monkeysphere (<< 0.38~),
+ php-crypt-gpg (<= 1.4.1-1),
+ python-apt (<= 1.1.0~beta4),
+ python-gnupg (<< 0.3.8-3),
+ python3-apt (<= 1.1.0~beta4),
+Replaces:
+ gnupg2 (<< 2.1.11-7+exp1),
+Description: GNU privacy guard - a free PGP replacement
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package contains the full suite of GnuPG tools for cryptographic
+ communications and data storage.
+
+Package: gnupg2
+Architecture: all
+Section: oldlibs
+Multi-Arch: foreign
+Depends:
+ gnupg (>= ${source:Version}),
+ ${misc:Depends},
+Description: GNU privacy guard - a free PGP replacement (dummy transitional package)
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This is a dummy transitional package that provides symlinks from gpg2
+ to gpg.
+
+Package: gpgv
+Architecture: any
+Priority: important
+Multi-Arch: foreign
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Breaks:
+ gnupg2 (<< 2.0.21-2),
+ gpgv2 (<< 2.1.11-7+exp1),
+ python-debian (<< 0.1.29),
+Replaces:
+ gnupg2 (<< 2.0.21-2),
+ gpgv2 (<< 2.1.11-7+exp1),
+Suggests:
+ gnupg,
+Description: GNU privacy guard - signature verification tool
+ GnuPG is GNU's tool for secure communication and data storage.
+ .
+ gpgv is actually a stripped-down version of gpg which is only able
+ to check signatures. It is somewhat smaller than the fully-blown gpg
+ and uses a different (and simpler) way to check that the public keys
+ used to make the signature are valid. There are no configuration
+ files and only a few options are implemented.
+
+Package: gpgv2
+Section: oldlibs
+Architecture: all
+Multi-Arch: foreign
+Depends:
+ gpgv (>= ${source:Version}),
+ ${misc:Depends},
+Description: GNU privacy guard - signature verification tool (dummy transitional package)
+ GnuPG is GNU's tool for secure communication and data storage. gpgv
+ is a stripped-down version of gpg which is only able to check
+ signatures.
+ .
+ This is a dummy transitional package that provides symlinks from gpgv2
+ to gpgv.
+
+Package: dirmngr
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ adduser,
+ gpgconf (= ${binary:Version}),
+ lsb-base (>= 3.2-13),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gnupg (= ${binary:Version}),
+ ${shlibs:Recommends},
+Enhances:
+ gpg,
+ gpgsm,
+ squid,
+Breaks:
+ gnupg2 (<< 2.1.10-2),
+Replaces:
+ gnupg2 (<< 2.1.10-2),
+Suggests:
+ dbus-user-session,
+ libpam-systemd,
+ pinentry-gnome3,
+ tor,
+Description: GNU privacy guard - network certificate management service
+ dirmngr is a server for managing and downloading OpenPGP and X.509
+ certificates, as well as updates and status signals related to those
+ certificates. For OpenPGP, this means pulling from the public
+ HKP/HKPS keyservers, or from LDAP servers. For X.509 this includes
+ Certificate Revocation Lists (CRLs) and Online Certificate Status
+ Protocol updates (OCSP). It is capable of using Tor for network
+ access.
+ .
+ dirmngr is used for network access by gpg, gpgsm, and dirmngr-client,
+ among other tools. Unless this package is installed, the parts of
+ the GnuPG suite that try to interact with the network will fail.
+
+Package: gpgv-udeb
+Package-Type: udeb
+Section: debian-installer
+Architecture: any
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Description: minimal signature verification tool
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC 4880.
+ .
+ This is GnuPG's signature verification tool, gpgv, packaged in minimal
+ form for use in debian-installer.
+
+Package: gpgv-static
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ debian-archive-keyring,
+ debootstrap,
+Description: minimal signature verification tool (static build)
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC 4880.
+ .
+ This is GnuPG's signature verification tool, gpgv, built statically
+ so that it can be directly used on any platform that is running on
+ the Linux kernel. Android and ChromeOS are two well known examples,
+ but there are many other platforms that this will work for, like
+ embedded Linux OSes. This gpgv in combination with debootstrap and
+ the Debian archive keyring allows the secure creation of chroot
+ installs on these platforms by using the full Debian signature
+ verification that is present in all official Debian mirrors.
+
+Package: gpgv-win32
+Architecture: all
+Multi-Arch: foreign
+Depends:
+ ${misc:Depends},
+Suggests:
+ wine,
+Description: GNU privacy guard - signature verification tool (win32 build)
+ GnuPG is GNU's tool for secure communication and data storage.
+ .
+ gpgv is a stripped-down version of gnupg which is only able to check
+ signatures. It is smaller than the full-blown gnupg and uses a
+ different (and simpler) way to check that the public keys used to
+ make the signature are trustworthy.
+ .
+ This is a win32 version of gpgv. It's meant to be used by the win32-loader
+ component of Debian-Installer.
+
+Package: gnupg-l10n
+Section: localization
+Architecture: all
+Multi-Arch: foreign
+Depends:
+ ${misc:Depends},
+Enhances:
+ dirmngr,
+ gpg,
+ gpg-agent,
+Breaks:
+ gnupg (<< 2.1.14-2~),
+ gnupg2 (<< 2.1.14-2~),
+Replaces:
+ gnupg (<< 2.1.14-2~),
+ gnupg2 (<< 2.1.14-2~),
+Description: GNU privacy guard - localization files
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC 4880.
+ .
+ This package contains the translation files for the use of GnuPG in
+ non-English locales.
+
+Package: gnupg-utils
+Architecture: any
+Multi-Arch: foreign
+Replaces:
+ gnupg (<< 2.1.21-4),
+ gnupg-agent (<< 2.1.21-4),
+Breaks:
+ gnupg (<< 2.1.21-4),
+ gnupg-agent (<< 2.1.21-4),
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gpg,
+ gpg-agent,
+ gpgconf,
+ gpgsm,
+Description: GNU privacy guard - utility programs
+ GnuPG is GNU's tool for secure communication and data storage.
+ .
+ This package contains several useful utilities for manipulating
+ OpenPGP data and other related cryptographic elements. It includes:
+ .
+ * addgnupghome -- create .gnupg home directories
+ * applygnupgdefaults -- run gpgconf --apply-defaults for all users
+ * gpgcompose -- an experimental tool for constructing arbitrary
+ sequences of OpenPGP packets (e.g. for testing)
+ * gpgparsemail -- parse an e-mail message into annotated format
+ * gpgsplit -- split a sequence of OpenPGP packets into files
+ * gpgtar -- encrypt or sign files in an archive
+ * kbxutil -- list, export, import Keybox data
+ * lspgpot -- convert PGP ownertrust values to GnuPG
+ * migrate-pubring-from-classic-gpg -- use only "modern" formats
+ * symcryptrun -- use simple symmetric encryption tool in GnuPG framework
+ * watchgnupg -- watch socket-based logs
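Review bot: The `dirmngr` stanza of debian/control still lists `adduser,` and `lsb-base (>= 3.2-13),` in `Depends`, which look like leftovers from the old system-service packaging. The same commit's debian/dirmngr.maintscript removes `/etc/init.d/dirmngr`, and debian/dirmngr.NEWS states that there is no system-wide dirmngr process any more. If no maintainer script outside this hunk still creates a system user or sources the LSB init functions, drop both lines so that installing this network-facing daemon does not pull in packages it never uses.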
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..7ad8935
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,253 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: GnuPG - The GNU Privacy Guard (modern version) +Upstream-Contact: GnuPG development mailing list <gnupg-devel@gnupg.org> +Source: https://gnupg.org/download/ + +Files: * +Copyright: 1992, 1995-2020, Free Software Foundation, Inc +License: GPL-3+ + +Files: agent/command.c + agent/command-ssh.c + agent/gpg-agent.c + common/homedir.c + common/sysutils.c + g10/mainproc.c +Copyright: 1998-2007, 2009, 2012, Free Software Foundation, Inc + 2013, Werner Koch +License: GPL-3+ + +Files: autogen.sh +Copyright: 2003, g10 Code GmbH +License: permissive + +Files: common/gc-opt-flags.h + common/i18n.h + tools/clean-sat.c + tools/no-libgcrypt.c +Copyright: 1998-2001, 2003, 2004, 2006, 2007 Free Software Foundation, Inc +License: permissive + +Files: common/localename.c +Copyright: 1985, 1989-1993, 1995-2003, 2007, 2008 Free Software Foundation, Inc. +License: LGPL-2.1+ + +Files: dirmngr/dns.c + dirmngr/dns.h +Copyright: 2008-2010, 2012-2016 William Ahern +License: Expat + +Files: doc/yat2m.c + scd/app-geldkarte.c +Copyright: 2004, 2005, g10 Code GmbH + 2006, 2008, 2009, 2011, Free Software Foundation, Inc +License: GPL-3+ + +Files: scd/ccid-driver.h + scd/ccid-driver.c +Copyright: 2003-2007, Free Software Foundation, Inc +License: GPL-3+ or BSD-3-clause + +Files: tools/rfc822parse.c + tools/rfc822parse.h +Copyright: 1999-2000, Werner Koch, Duesseldorf + 2003-2004, g10 Code GmbH +License: LGPL-3+ + +Files: tools/sockprox.c +Copyright: 2007, g10 Code GmbH +License: GPL-3+ + +Files: doc/OpenPGP +Copyright: 1998-2013 Free Software Foundation, Inc. 
+ 1997, 1998, 2013 Werner Koch + 1998 The Internet Society +License: RFC-Reference + +Files: tests/gpgscm/* +Copyright: 2000, Dimitrios Souflis + 2016, Justus Winter, Werner Koch +License: TinySCHEME + +Files: debian/* +Copyright: 1998-2020 Debian GnuPG packagers, including + Eric Dorland <eric@debian.org> + Daniel Kahn Gillmor <dkg@fifthhorseman.net> + NIIBE Yutaka <gniibe@fsij.org> +License: GPL-3+ + +Files: debian/org.gnupg.scdaemon.metainfo.xml +Copyright: 2017 Daniel Kahn Gillmor <dkg@fifthhorseman.net> +Comment: This file is licensed permissively for the sake of AppStream +License: CC0-1.0 + +License: TinySCHEME + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + . + Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + . + Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + Neither the name of Dimitrios Souflis nor the names of the + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR + CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +License: permissive + This file is free software; as a special exception the author gives + unlimited permission to copy and/or distribute it, with or without + modifications, as long as this notice is preserved. + . + This file is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY, to the extent permitted by law; without even + the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + PURPOSE. + +License: RFC-Reference + doc/OpenPGP merely cites and references IETF Draft + draft-ietf-openpgp-formats-07.txt. This is believed to be fair use; + but if not, it's covered by the source document's license under + the 'comment on' clause. The license statement follows. + . + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph + are included on all such copies and derivative works. 
However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + . + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + +License: GPL-3+ + GnuPG is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + . + GnuPG is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program; if not, see <https://www.gnu.org/licenses/>. + . + On Debian systems, the full text of the GNU General Public + License version 3 can be found in the file + `/usr/share/common-licenses/GPL-3'. + +License: LGPL-3+ + This program is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as + published by the Free Software Foundation; either version 3 of + the License, or (at your option) any later version. + . + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + . 
+ You should have received a copy of the GNU Lesser General Public + License along with this program; if not, see <https://www.gnu.org/licenses/>. + . + On Debian systems, the full text of the GNU Lesser General Public + License version 3 can be found in the file + `/usr/share/common-licenses/LGPL-3'. + +License: LGPL-2.1+ + This program is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as + published by the Free Software Foundation; either version 2.1 of + the License, or (at your option) any later version. + . + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + . + You should have received a copy of the GNU Lesser General Public + License along with this program; if not, see <https://www.gnu.org/licenses/>. + . + On Debian systems, the full text of the GNU Lesser General Public + License version 2.1 can be found in the file + `/usr/share/common-licenses/LGPL-2.1'. + +License: BSD-3-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, and the entire permission notice in its entirety, + including the disclaimer of warranties. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. The name of the author may not be used to endorse or promote + products derived from this software without specific prior + written permission. + . 
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + +License: Expat + Permission is hereby granted, free of charge, to any person obtaining a + copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to permit + persons to whom the Software is furnished to do so, subject to the + following conditions: + . + The above copyright notice and this permission notice shall be included + in all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN + NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, + DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR + OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE + USE OR OTHER DEALINGS IN THE SOFTWARE. + +License: CC0-1.0 + To the extent possible under law, the author(s) have dedicated all + copyright and related and neighboring rights to this software to the public + domain worldwide. 
This software is distributed without any warranty. + . + On Debian systems, the complete text of the CC0 license, version 1.0, + can be found in /usr/share/common-licenses/CC0-1.0. diff --git a/debian/dirmngr.NEWS b/debian/dirmngr.NEWS new file mode 100644 index 0000000..b0c550f --- /dev/null +++ b/debian/dirmngr.NEWS 
@@ -0,0 +1,49 @@
+dirmngr (2.1.18-1) unstable; urgency=medium
+
+ If your machine is configured with system user session management,
+ dirmngr will be managed automatically by systemd's user sessions on
+ machines configured with use systemd. Please consider installing the
+ packages that the dirmngr package Suggests:, and see
+ /usr/share/doc/dirmngr/README.Debian for more details.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 23 Jan 2017 22:50:34 -0500
+
+dirmngr (2.1.13-3) experimental; urgency=medium
+
+ gpg and most related processes will auto-launch dirmngr if needed.
+
+ Any user who wants to launch dirmngr manually should do so with:
+
+ gpgconf --launch dirmngr
+
+ and may want to terminate dirmngr when their session ends with:
+
+ gpgconf --kill dirmngr
+
+ Users on machines with systemd can ensure that dirmngr is always
+ running for their session (and that it gets terminated at logout)
+ with:
+
+ gpgconf --kill dirmngr
+ systemctl --user enable dirmngr
+ systemctl --user start dirmngr
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 28 Jun 2016 17:55:15 -0400
+
+dirmngr (2.1.0~beta895-1) experimental; urgency=medium
+
+ No more dirmngr system service!
+ ===============================
+
+ As of the 2.1.0 beta series, dirmngr is a local daemon that works
+ closely with gnupg2. It is launched on its own, per-user, and
+ listens on a standard socket (usually ~/.gnupg/S.dirmngr). There is
+ no more system-wide dirmngr process.
+
+ If there is a special case where a dirmngr system process is
+ actually needed, please report a bug in dirmngr, and we can sort out
+ a way to set one up for that case so that everyone with dirmngr
+ installed doesn't need to have it running.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 07 Oct 2014 10:33:52 -0400
+
diff --git a/debian/dirmngr.README.Debian b/debian/dirmngr.README.Debian
new file mode 100644
index 0000000..099240a
--- /dev/null
+++ b/debian/dirmngr.README.Debian
@@ -0,0 +1,47 @@
+dirmngr system integration
+==========================
+
+Since 2.1.x, gpg and most related processes will auto-launch dirmngr
+if needed. These auto-launched processes will inherit whatever
+environment they started from, and they will not terminate
+automatically.
+
+systemd
+=======
+
+Since 2.1.17, users on machines with systemd will have a dirmngr
+process launched automatically by systemd's user session, upon first
+access of the standard socket. systemd will also cleanly tear this
+process down at session logout.
+
+Users who don't want systemd to manage their dirmngr in this way for
+all future sessions should do:
+
+ systemctl --user mask --now dirmngr.socket
+
+Doing this means that dirmngr will fall back to its manual mode of
+operation. (This decision can be reversed by the user with "unmask"
+instead of "mask")
+
+See systemctl(1) for more details about managing the dirmngr.socket
+unit.
+
+Manual dirmngr startup and teardown
+===================================
+
+Any user who wants to launch dirmngr manually (e.g., to talk to it
+with a tool from outside the GnuPG suite) and is *not* using systemd
+should first ensure that it is launched with:
+
+ gpgconf --launch dirmngr
+
+If dirmngr is launched manually or automatically (but not supervised
+by systemd), you also probably want to ensure that it terminates when
+your session ends with:
+
+ gpgconf --kill dirmngr
+
+If you're not using systemd, you may wish to add this command to your
+session logout scripts.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Mon, 23 Jan 2017 22:49:45 -0500
diff --git a/debian/dirmngr.docs b/debian/dirmngr.docs
new file mode 100644
index 0000000..61e3257
--- /dev/null
+++ b/debian/dirmngr.docs
@@ -0,0 +1,5 @@
+AUTHORS
+NEWS
+THANKS
+TODO
+doc/KEYSERVER
diff --git a/debian/dirmngr.install b/debian/dirmngr.install
new file mode 100644
index 0000000..4bd9ed2
--- /dev/null
+++ b/debian/dirmngr.install
@@ -0,0 +1,6 @@
+debian/tmp/usr/bin/dirmngr
+debian/tmp/usr/bin/dirmngr-client
+debian/tmp/usr/lib/gnupg/dirmngr_ldap
+debian/tmp/usr/share/gnupg/sks-keyservers.netCA.pem
+doc/examples/systemd-user/dirmngr.service usr/lib/systemd/user
+doc/examples/systemd-user/dirmngr.socket usr/lib/systemd/user
diff --git a/debian/dirmngr.maintscript b/debian/dirmngr.maintscript
new file mode 100644
index 0000000..aa11aa5
--- /dev/null
+++ b/debian/dirmngr.maintscript
@@ -0,0 +1,5 @@
+rm_conffile /etc/default/dirmngr
+rm_conffile /etc/dirmngr/dirmngr.conf
+rm_conffile /etc/dirmngr/ldapservers.conf
+rm_conffile /etc/init.d/dirmngr
+rm_conffile /etc/logrotate.d/dirmngr
diff --git a/debian/dirmngr.manpages b/debian/dirmngr.manpages
new file mode 100644
index 0000000..93702d9
--- /dev/null
+++ b/debian/dirmngr.manpages
@@ -0,0 +1,2 @@
+debian/tmp/usr/share/man/man1/dirmngr-client.1
+debian/tmp/usr/share/man/man8/dirmngr.8
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..2061ad9
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,38 @@
+[DEFAULT]
+debian-branch = debian/bullseye
+pristine-tar = True
+upstream-vcs-tag = gnupg-%(version)s
+
+[import-orig]
+filter = [
+ 'aclocal.m4',
+ 'build-aux/compile',
+ 'build-aux/config.rpath',
+ 'build-aux/depcomp',
+ 'build-aux/install-sh',
+ 'build-aux/missing',
+ 'build-aux/mkinstalldirs',
+ 'build-aux/texinfo.tex',
+ 'config.h.in',
+ 'configure',
+ 'doc/gnupg.info*',
+ 'INSTALL',
+ 'm4/iconv.m4',
+ 'm4/intdiv0.m4',
+ 'm4/intl.m4',
+ 'm4/lock.m4',
+ 'm4/printf-posix.m4',
+ 'm4/size_max.m4',
+ 'm4/uintmax_t.m4',
+ 'm4/wint_t.m4',
+ '*/*/Makefile.in',
+ '*/Makefile.in',
+ 'Makefile.in',
+ 'po/*.gmo',
+ 'po/Makefile.in.in',
+ 'po/stamp-po',
+ ]
+filter-pristine-tar = False
+
+[pq]
+patch-numbers = False
diff --git a/debian/gnupg-l10n.install b/debian/gnupg-l10n.install
new file mode 100644
index 0000000..a84f37d
--- /dev/null
+++ b/debian/gnupg-l10n.install
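Review bot: The five `rm_conffile` lines in debian/dirmngr.maintscript give no prior-version, so per dpkg-maintscript-helper(1) the removal is attempted on every upgrade rather than once. Naming the version that dropped the system service turns this into a one-time migration, for example `rm_conffile /etc/init.d/dirmngr <PRIOR-VERSION>~ dirmngr`, and likewise for the other four paths. `<PRIOR-VERSION>` is a placeholder for the first upload that shipped without these conffiles; debian/dirmngr.NEWS points at the 2.1.0 beta series, which should be confirmed against the changelog.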
@@ -0,0 +1,3 @@
+debian/tmp/usr/share/gnupg/help.*.txt
+debian/tmp/usr/share/gnupg/help.txt
+debian/tmp/usr/share/locale
diff --git a/debian/gnupg-l10n.lintian-overrides b/debian/gnupg-l10n.lintian-overrides
new file mode 100644
index 0000000..b1493da
--- /dev/null
+++ b/debian/gnupg-l10n.lintian-overrides
@@ -0,0 +1,2 @@
+# these files are how GnuPG distributes localized help text
+gnupg-l10n: package-contains-documentation-outside-usr-share-doc usr/share/gnupg/help.*txt
diff --git a/debian/gnupg-utils.install b/debian/gnupg-utils.install
new file mode 100644
index 0000000..5c764d4
--- /dev/null
+++ b/debian/gnupg-utils.install
@@ -0,0 +1,11 @@
+build-maintainer/g10/gpgcompose usr/bin
+build/tools/gpg-zip usr/bin
+debian/migrate-pubring-from-classic-gpg usr/bin
+debian/tmp/usr/bin/gpgparsemail
+debian/tmp/usr/bin/gpgtar
+debian/tmp/usr/bin/gpgsplit
+debian/tmp/usr/bin/kbxutil
+debian/tmp/usr/bin/watchgnupg
+debian/tmp/usr/sbin/addgnupghome
+debian/tmp/usr/sbin/applygnupgdefaults
+tools/lspgpot usr/bin
diff --git a/debian/gnupg-utils.manpages b/debian/gnupg-utils.manpages
new file mode 100644
index 0000000..e65e4ff
--- /dev/null
+++ b/debian/gnupg-utils.manpages
@@ -0,0 +1,11 @@
+debian/gpg-zip.1
+debian/gpgcompose.1
+debian/gpgsplit.1
+debian/kbxutil.1
+debian/lspgpot.1
+debian/migrate-pubring-from-classic-gpg.1
+debian/tmp/usr/share/man/man1/gpgparsemail.1
+debian/tmp/usr/share/man/man1/gpgtar.1
+debian/tmp/usr/share/man/man1/watchgnupg.1
+debian/tmp/usr/share/man/man8/addgnupghome.8
+debian/tmp/usr/share/man/man8/applygnupgdefaults.8
diff --git a/debian/gnupg.README.Debian b/debian/gnupg.README.Debian
new file mode 100644
index 0000000..24944d3
--- /dev/null
+++ b/debian/gnupg.README.Debian
@@ -0,0 +1,44 @@
+Using "Modern" GnuPG
+====================
+
+As of version 2.1.11-7+exp1, the gnupg package is provided by the "modern"
+version of GnuPG.
+
+This means:
+
+ * supporting daemons are auto-launched as needed
+
+ * all access to secret key material is handled by gpg-agent
+
+ * all smartcard access is handled by scdaemon
+
+ * all network access is handled by dirmngr
+
+ * PGPv3 keys are no longer supported
+
+ * secret keys are no longer stored in $GNUPGHOME/secring.gpg, but
+ instead in $GNUPGHOME/private-keys-v1.d/
+
+ * public keyrings are stored in keybox format (~/.gnupg/pubring.kbx) by
+ default for new users. Upgrading users will continue to use
+ pubring.gpg until they decide to explicitly convert.
+
+Converting an existing installation
+-----------------------------------
+
+If you have an existing GnuPG homedir from "classic" GnuPG, secret
+keys should be migrated automatically upon the first run of the
+"modern" version.
+
+If you have any secret keys that are stored only in a smartcard, after
+your first use of "modern" gpg you should insert the card and run:
+
+ gpg --card-status
+
+ (see https://bugs.debian.org/795881)
+
+Public keys will not be automatically migrated from pubring.gpg to
+pubring.kbx, however. If you want to migrate your public keyring, you
+can use a script like /usr/bin/migrate-pubring-from-classic-gpg
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Mon, 18 Apr 2016 19:08:36 -0400
diff --git a/debian/gnupg.docs b/debian/gnupg.docs
new file mode 100644
index 0000000..66384bb
--- /dev/null
+++ b/debian/gnupg.docs
@@ -0,0 +1,4 @@
+debian/tmp/usr/share/doc/gnupg/*
+NEWS
+THANKS
+TODO
diff --git a/debian/gnupg.info b/debian/gnupg.info
new file mode 100644
index 0000000..e4baa0f
--- /dev/null
+++ b/debian/gnupg.info
@@ -0,0 +1,3 @@
+debian/tmp/usr/share/info/gnupg.info*
+doc/gnupg-card-architecture.png
+doc/gnupg-module-overview.png
diff --git a/debian/gnupg.manpages b/debian/gnupg.manpages
new file mode 100644
index 0000000..60f7ab7
--- /dev/null
+++ b/debian/gnupg.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man7/gnupg.7
diff --git a/debian/gnupg2.links b/debian/gnupg2.links
new file mode 100644
index 0000000..96fde98
--- /dev/null
+++ b/debian/gnupg2.links
@@ -0,0 +1,2 @@
+usr/bin/gpg usr/bin/gpg2
+usr/share/man/man1/gpg.1.gz usr/share/man/man1/gpg2.1.gz
diff --git a/debian/gpg-agent.NEWS b/debian/gpg-agent.NEWS
new file mode 100644
index 0000000..69b4e49
--- /dev/null
+++ b/debian/gpg-agent.NEWS
@@ -0,0 +1,19 @@
+gnupg-agent (2.1.18-1) unstable; urgency=medium
+
+ If your machine is configured with system user session management,
+ gpg-agent will be managed automatically by systemd's user sessions on
+ machines configured with use systemd. Please consider installing the
+ packages that the gnupg-agent package Suggests:, and see
+ /usr/share/doc/gnupg-agent/README.Debian for more details.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 23 Jan 2017 22:54:48 -0500
+
+gnupg-agent (2.1.13-3) experimental; urgency=medium
+
+ gpg-agent is no longer auto-launched by
+ /etc/X11/Xsession.d/90gpg-agent. Please read
+ /usr/share/doc/gnupg-agent/README.Debian for details about system
+ integration.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 28 Jun 2016 17:29:46 -0400
+
diff --git a/debian/gpg-agent.README.Debian b/debian/gpg-agent.README.Debian
new file mode 100644
index 0000000..f57d278
--- /dev/null
+++ b/debian/gpg-agent.README.Debian
@@ -0,0 +1,82 @@
+gpg-agent system integration
+============================
+
+Since 2.1.x, gpg and most related processes will auto-launch gpg-agent
+if needed. These auto-launched processes will inherit whatever
+environment they started from, and they will not terminate
+automatically.
+
+systemd
+=======
+
+Since 2.1.17, users on machines with systemd will have their gpg-agent
+process launched automatically by systemd's user session, upon first
+access of any of the expected gpg-agent sockets (including the ssh
+socket). systemd will also cleanly tear this process down at session
+logout.
+
+If dbus-user-session and pinentry-gnome3 packages are installed, then
+all user interaction with this systemd-managed gpg-agent process
+(e.g. prompting for passwords or confirmations, etc) will take place
+over the d-bus session, for better integration with graphical
+environments like GNOME.
+
+Users who don't want systemd to manage their gpg-agent in this way for
+all future sessions should do:
+
+ systemctl --user mask --now gpg-agent.service gpg-agent.socket gpg-agent-ssh.socket gpg-agent-extra.socket gpg-agent-browser.socket
+
+Doing this means that gpg-agent will fall back to its manual mode of
+operation. (This decision can be reversed by the user with "unmask"
+instead of "mask")
+
+See systemctl(1) for more details about managing the gpg-agent*.socket
+units.
+
+ssh-agent emulation
+===================
+
+gpg-agent offers an ssh-agent emulation which can be achieved by
+setting the environment variable SSH_AUTH_SOCK to:
+
+ /run/user/$(id -u)/gnupg/S.gpg-agent.ssh
+
+(replace $(id -u) with the user's numeric user ID, of course).
+
+But ssh doesn't have a way to tell ssh-agent how to prompt the user
+when necessary; the systemd-managed gpg-agent process will only know
+how to prompt the user if you have dbus-user-session and
+pinentry-gnome3 installed. This is the recommended configuration for
+gpg-agent's ssh-agent emulation on desktop machines running systemd,
+and doesn't need any additional configuration.
+
+However, if dbus-user-session and pinentry-gnome3 are not in use, by
+default the systemd-managed gpg-agent will not know how to get
+feedback from the user when a request is first received by ssh. You
+can give it a hint for all future ssh connections by running:
+
+ gpg-connect-agent updatestartuptty /bye
+
+You may wish to do this in the login scripts for your user session if
+you run systemd without dbus-user-session and pinentry-gnome3, and you
+plan to use gpg-agent's ssh-agent emulation.
+
+Manual gpg-agent startup and teardown
+=====================================
+
+Any user who wants to launch gpg-agent manually (e.g., to talk to it
+with a tool from outside the GnuPG suite) and is *not* using systemd
+should first ensure that it is launched with:
+
+ gpgconf --launch gpg-agent
+
+If gpg-agent is launched manually or automatically (but not supervised
+by systemd), you probably want to ensure that it terminates when your
+session ends with:
+
+ gpgconf --kill gpg-agent
+
+If you're not using systemd, you may wish to add this to your session
+logout scripts.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Mon, 23 Jan 2017 22:56:08 -0500
diff --git a/debian/gpg-agent.examples b/debian/gpg-agent.examples
new file mode 100644
index 0000000..34213be
--- /dev/null
+++ b/debian/gpg-agent.examples
@@ -0,0 +1,2 @@
+doc/examples/pwpattern.list
+doc/examples/trustlist.txt
diff --git a/debian/gpg-agent.install b/debian/gpg-agent.install
new file mode 100644
index 0000000..ae93fb5
--- /dev/null
+++ b/debian/gpg-agent.install
@@ -0,0 +1,11 @@
+debian/Xsession.d/90gpg-agent etc/X11/Xsession.d
+debian/systemd-environment-generator/90gpg-agent usr/lib/systemd/user-environment-generators
+debian/tmp/usr/bin/gpg-agent
+debian/tmp/usr/lib/gnupg/gpg-check-pattern
+debian/tmp/usr/lib/gnupg/gpg-preset-passphrase
+debian/tmp/usr/lib/gnupg/gpg-protect-tool
+doc/examples/systemd-user/gpg-agent-browser.socket usr/lib/systemd/user
+doc/examples/systemd-user/gpg-agent-extra.socket usr/lib/systemd/user
+doc/examples/systemd-user/gpg-agent-ssh.socket usr/lib/systemd/user
+doc/examples/systemd-user/gpg-agent.service usr/lib/systemd/user
+doc/examples/systemd-user/gpg-agent.socket usr/lib/systemd/user
diff --git a/debian/gpg-agent.links b/debian/gpg-agent.links
new file mode 100644
index 0000000..2927701
--- /dev/null
+++ b/debian/gpg-agent.links
@@ -0,0 +1,2 @@
+usr/lib/gnupg/gpg-preset-passphrase usr/lib/gnupg2/gpg-preset-passphrase
+usr/lib/gnupg/gpg-protect-tool usr/lib/gnupg2/gpg-protect-tool
diff --git a/debian/gpg-agent.lintian-overrides b/debian/gpg-agent.lintian-overrides
new file mode 100644
index 0000000..52dc367
--- /dev/null
+++ b/debian/gpg-agent.lintian-overrides
@@ -0,0 +1,3 @@
+# these binaries are stored in /usr/lib/gnupg, as recommended by upstream:
+gpg-agent: spare-manual-page usr/share/man/man1/gpg-check-pattern.1.gz
+gpg-agent: spare-manual-page usr/share/man/man1/gpg-preset-passphrase.1.gz
diff --git a/debian/gpg-agent.logcheck.ignore.server b/debian/gpg-agent.logcheck.ignore.server
new file mode 100644
index 0000000..6de7991
--- /dev/null
+++ b/debian/gpg-agent.logcheck.ignore.server
@@ -0,0 +1,11 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Listening on GnuPG cryptographic agent and passphrase cache\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Listening on GnuPG network certificate management daemon\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Listening on GnuPG cryptographic agent and passphrase cache \(restricted\)\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Listening on GnuPG cryptographic agent and passphrase cache \(access for web browsers\)\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Listening on GnuPG cryptographic agent \(ssh-agent emulation\)\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Closed GnuPG network certificate management daemon\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Closed GnuPG cryptographic agent and passphrase cache\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Closed GnuPG cryptographic agent and passphrase cache \(restricted\)\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Closed GnuPG cryptographic agent \(ssh-agent emulation\)\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Closed GnuPG cryptographic agent and passphrase cache \(access for web browsers\)\.$
+
diff --git a/debian/gpg-agent.manpages b/debian/gpg-agent.manpages
new file mode 100644
index 0000000..ca2e72f
--- /dev/null
+++ b/debian/gpg-agent.manpages
@@ -0,0 +1,3 @@
+debian/gpg-check-pattern.1
+debian/tmp/usr/share/man/man1/gpg-agent.1
+debian/tmp/usr/share/man/man1/gpg-preset-passphrase.1
diff --git a/debian/gpg-check-pattern.1 b/debian/gpg-check-pattern.1
new file mode 100644
index 0000000..0714faf
--- /dev/null
+++ b/debian/gpg-check-pattern.1
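Review bot: Two of the patterns in debian/gpg-agent.logcheck.ignore.server (the `Listening on` and `Closed` lines for "GnuPG network certificate management daemon") match messages for dirmngr.socket, which this commit ships in the dirmngr package, yet they are filed under gpg-agent's ignore rules. debian/package-dependencies.dot in the same commit shows dirmngr depending only on gpgconf, so a server with dirmngr installed but not gpg-agent would presumably still have these lines reported by logcheck. I would move those two patterns to a `debian/dirmngr.logcheck.ignore.server` file so that each package suppresses only the messages of the units it installs.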
@@ -0,0 +1,36 @@
+.TH GPG-CHECK-PATTERN "1" "March 2016" "gpg-check-pattern (GnuPG) 2.1.11" "User Commands"
+
+.SH NAME
+gpg-check-pattern \- Check a passphrase on stdin against the patternfile
+
+.SH SYNOPSIS
+.B gpg\-check\-pattern
+.RI [ options ]
+.I patternfile
+
+.SH DESCRIPTION
+.B gpg\-check\-pattern
+checks a passphrase given on stdin against a specified patternfile.
+
+.SH OPTIONS
+.TP
+.BR \-v ", " \-\-verbose
+Produce verbose output
+.TP
+.B \-\-check
+run only a syntax check on the patternfile
+.TP
+.BR \-0 ", " \-\-null
+input is expected to be null delimited
+.PP
+Please report bugs to <https://dev.gnupg.org>.
+
+.SH COPYRIGHT
+Copyright \(co 2016 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
+
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+
+This manpage was written by \fBDaniel Kahn Gillmor\fR for the Debian
+distribution (but may be used by others).
diff --git a/debian/gpg-wks-client.install b/debian/gpg-wks-client.install
new file mode 100644
index 0000000..1b331dd
--- /dev/null
+++ b/debian/gpg-wks-client.install
@@ -0,0 +1 @@
+debian/tmp/usr/lib/gnupg/gpg-wks-client
diff --git a/debian/gpg-wks-client.lintian-overrides b/debian/gpg-wks-client.lintian-overrides
new file mode 100644
index 0000000..d6fe3ff
--- /dev/null
+++ b/debian/gpg-wks-client.lintian-overrides
@@ -0,0 +1,2 @@
+# these binaries are stored in /usr/lib/gnupg, as recommended by upstream:
+gpg-wks-client: spare-manual-page usr/share/man/man1/gpg-wks-client.1.gz
diff --git a/debian/gpg-wks-client.manpages b/debian/gpg-wks-client.manpages
new file mode 100644
index 0000000..e600ad3
--- /dev/null
+++ b/debian/gpg-wks-client.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man1/gpg-wks-client.1
diff --git a/debian/gpg-wks-server.install b/debian/gpg-wks-server.install
new file mode 100644
index 0000000..c18c2e7
--- /dev/null
+++ b/debian/gpg-wks-server.install
@@ -0,0 +1 @@
+debian/tmp/usr/bin/gpg-wks-server
diff --git a/debian/gpg-wks-server.manpages b/debian/gpg-wks-server.manpages
new file mode 100644
index 0000000..1469434
--- /dev/null
+++ b/debian/gpg-wks-server.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man1/gpg-wks-server.1
diff --git a/debian/gpg-zip.1 b/debian/gpg-zip.1
new file mode 100644
index 0000000..c20f770
--- /dev/null
+++ b/debian/gpg-zip.1
@@ -0,0 +1,106 @@
+.TH "GPG\-ZIP" 1 "November 2006"
+
+.SH NAME
+gpg\-zip \- encrypt or sign files into an archive
+
+.SH SYNOPSIS
+.B gpg\-zip
+.RB [ OPTIONS ]
+.IR filename1 " [" "filename2, ..." ]
+.IR directory1 " [" "directory2, ..." ]
+
+.SH DESCRIPTION
+This manual page documents briefly the
+.B gpg\-zip
+command.
+.PP
+.B gpg\-zip
+IS DEPRECATED. PLEASE USE gpgtar(1) instead.
+.PP
+.B gpg\-zip
+encrypts or signs files into an archive. It is an gpg-ized tar using the
+same format as PGP's PGP Zip.
+
+.SH OPTIONS
+.TP
+.BR \-e ", " \-\-encrypt
+Encrypt data. This option may be combined with
+.B \-\-symmetric
+(for output that may be decrypted via a secret key or a passphrase).
+.TP
+.BR \-d ", " \-\-decrypt
+Decrypt data.
+.TP
+.BR \-c ", " \-\-symmetric
+Encrypt with a symmetric cipher using a passphrase. The default
+symmetric cipher used is CAST5, but may be chosen with the
+.B \-\-cipher\-algo
+option to
+.BR gpg (1).
+.TP
+.BR \-s ", " \-\-sign
+Make a signature. See
+.BR gpg (1).
+.TP
+.BR \-r ", " \-\-recipient " \fIUSER\fR"
+Encrypt for user id \fIUSER\fR. See
+.BR gpg (1).
+.TP
+.BR \-u ", " \-\-local\-user " \fIUSER\fR"
+Use \fIUSER\fR as the key to sign with. See
+.BR gpg (1).
+.TP
+.B \-\-list\-archive
+List the contents of the specified archive.
+.TP
+.BR \-o ", " \-\-output " " \fIFILE\fR"
+Write output to specified file
+.IR FILE .
+.TP
+.BI \-\-gpg " GPG"
+Use the specified command instead of
+.BR gpg .
+.TP
+.BI \-\-gpg\-args " ARGS"
+Pass the specified options to
+.BR gpg (1).
+.TP
+.BI \-\-tar " TAR"
+Use the specified command instead of
+.BR tar .
+.TP
+.BI \-\-tar\-args " ARGS"
+Pass the specified options to
+.BR tar (1).
+.TP
+.BR \-h ", " \-\-help
+Output a short usage information.
+.TP
+.B \-\-version
+Output the program version.
+
+.SH DIAGNOSTICS
+The program returns \fB0\fR if everything was fine, \fB1\fR otherwise.
+
+.SH EXAMPLES
+Encrypt the contents of directory \fImydocs\fR for user Bob to file \fItest1\fR:
+.IP
+.B gpg\-zip \-\-encrypt \-\-output test1 \-\-gpg-args ""\-r Bob"" mydocs
+.PP
+List the contents of archive \fItest1\fR:
+.IP
+.B gpg\-zip \-\-list\-archive test1
+
+.SH SEE ALSO
+.BR gpg (1),
+.BR gpgtar (1),
+.BR tar (1)
+
+.SH AUTHOR
+Copyright (C) 2005 Free Software Foundation, Inc. Please report bugs to
+<\&bug-gnupg@gnu.org\&>.
+
+This manpage was written by \fBColin Tuckley\fR <\&colin@tuckley.org\&>
+and \fBDaniel Leidert\fR <\&daniel.leidert@wgdd.de\&> for the Debian
+distribution (but may be used by others).
+
diff --git a/debian/gpg.install b/debian/gpg.install
new file mode 100644
index 0000000..0b53564
--- /dev/null
+++ b/debian/gpg.install
@@ -0,0 +1 @@
+debian/tmp/usr/bin/gpg
diff --git a/debian/gpg.manpages b/debian/gpg.manpages
new file mode 100644
index 0000000..7c47415
--- /dev/null
+++ b/debian/gpg.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man1/gpg.1
diff --git a/debian/gpgcompose.1 b/debian/gpgcompose.1
new file mode 100644
index 0000000..f92fb05
--- /dev/null
+++ b/debian/gpgcompose.1
@@ -0,0 +1,56 @@
+.TH "gpgcompose" 1 "June 2017"
+
+.SH NAME
+gpgcompose \- Generate a stream of OpenPGP packets
+
+.SH SYNOPSIS
+.B gpgcompose
+.RI [[ OPTION
+.RI [ ARGS ]]
+\&... ]
+
+.B gpgcompose --help
+
+.B gpgcompose
+.I OPTION
+.B --help
+
+.SH DESCRIPTION
+.B gpgcompose
+generates a stream of OpenPGP packets, including some which can
+include other nested packets within a layer of encryption. The syntax
+on the command line isn't stable enough to document currently, but
+additional hints and examples can be found from the command line using
+.BR \-\-help .
+
+.SH EXTERNAL DEPENDENCIES
+
+.B gpgcompose
+is not capable of performing secret key operations on its own.
+Creation of any OpenPGP object that requires secret key operations
+(e.g.,
+.BR \-\-signature )
+will need to speak to an already-running
+.BR gpg-agent .
+
+.SH FILES
+
+Occasionally,
+.B gpgcompose
+will need to look up existing public keys for reference (e.g.,
+.BR \-\-public-key ).
+It will do so in
+.BR ~/.gnupg/keyring.kbx,
+or in
+.B $GNUPGHOME/keyring.kbx
+if that variable is set.
+
+.SH SEE ALSO
+
+RFC 4880, gpg(1), gpg-agent(1), gpg-connect-agent(1)
+
+.SH AUTHOR
+gpgcompose is copyright (C) 2016, g10 Code GmbH.
+
+This manpage was written by Daniel Kahn Gillmor <dkg@fifthhorseman.net>.
+
diff --git a/debian/gpgconf.examples b/debian/gpgconf.examples
new file mode 100644
index 0000000..3e74b94
--- /dev/null
+++ b/debian/gpgconf.examples
@@ -0,0 +1 @@
+doc/examples/gpgconf.conf
diff --git a/debian/gpgconf.install b/debian/gpgconf.install
new file mode 100644
index 0000000..398d8a6
--- /dev/null
+++ b/debian/gpgconf.install
@@ -0,0 +1,3 @@
+debian/tmp/usr/bin/gpg-connect-agent
+debian/tmp/usr/bin/gpgconf
+debian/tmp/usr/share/gnupg/distsigkey.gpg
diff --git a/debian/gpgconf.manpages b/debian/gpgconf.manpages
new file mode 100644
index 0000000..70bb0d7
--- /dev/null
+++ b/debian/gpgconf.manpages
@@ -0,0 +1,2 @@
+debian/tmp/usr/share/man/man1/gpg-connect-agent.1
+debian/tmp/usr/share/man/man1/gpgconf.1
diff --git a/debian/gpgsm.install b/debian/gpgsm.install
new file mode 100644
index 0000000..8822607
--- /dev/null
+++ b/debian/gpgsm.install
@@ -0,0 +1 @@
+debian/tmp/usr/bin/gpgsm
diff --git a/debian/gpgsm.manpages b/debian/gpgsm.manpages
new file mode 100644
index 0000000..ad6a686
--- /dev/null
+++ b/debian/gpgsm.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man1/gpgsm.1
diff --git a/debian/gpgsplit.1 b/debian/gpgsplit.1
new file mode 100644
index 0000000..116ce89
--- /dev/null
+++ b/debian/gpgsplit.1
@@ -0,0 +1,41 @@
+.TH "gpgsplit" 1 "December 2005"
+
+.SH NAME
+gpgsplit \- Split an OpenPGP message into packets
+
+.SH SYNOPSIS
+.B gpgsplit
+.RI [ OPTIONS ]
+.RI [ FILES ]
+
+.SH DESCRIPTION
+This manual page documents briefly the
+.B gpgsplit
+command.
+.PP
+.B gpgsplit
+splits an OpenPGP message into packets.
+
+.SH OPTIONS
+.TP
+.BR \-v , \-\-verbose
+Verbose.
+.TP
+.BR \-p , "\-\-prefix " \fISTRING\fR
+Prepend filenames with \fISTRING\fR.
+.TP
+.B \-\-uncompress
+Uncompress a packet.
+.TP
+.B \-\-secret\-to\-public
+Convert secret keys to public keys.
+.TP
+.B \-\-no\-split
+Write to stdout and don't actually split.
+
+.SH AUTHOR
+Copyright (C) 2002 Free Software Foundation, Inc. Please report bugs to
+<bug-gnupg@gnu.org>.
+
+This manpage was written by Francois Wendling <frwendling@free.fr>.
+
diff --git a/debian/gpgv-static.1 b/debian/gpgv-static.1
new file mode 100644
index 0000000..c8dcc1a
--- /dev/null
+++ b/debian/gpgv-static.1
@@ -0,0 +1,32 @@
+.TH GPGV-STATIC "1" "November 2016" "GnuPG" "Gnu Privacy Guard 2.1"
+
+.SH NAME
+gpgv-static - Verify OpenPGP signatures (static build)
+
+.SH SYNOPSIS
+.B gpgv-static [\fIoptions\fP] \fIsigned_files\fP
+
+.SH DESCRIPTION
+\fBgpgv\fR is an OpenPGP signature verification tool.
+
+\fBgpgv-static\fR is \fBgpgv\fR built statically so that it can be
+directly used on any platform that is running on the Linux kernel,
+such as Android, ChromeOS, or many embedded Linux systems.
+
+This version of \fBgpgv\fR in combination with \fBdebootstrap\fR and
+the Debian archive keyring allows the secure creation of chroot
+installs on these platforms by using the full Debian signature
+verification that is present in all official Debian mirrors.
+
+You may wish to re-name the binary to plain \fBgpgv\fR when
+transferring it into such a platform to create a chroot.
+
+Please read the documentation for \fBgpgv\fR for more details.
+
+.SH SEE ALSO
+\fBgpg\fR(1)
+
+.SH AUTHOR
+This manual page was written by Daniel Kahn Gillmor
+<dkg@fifthhorseman.net> for the Debian project, but may be used by
+others under the same license as GnuPG itself.
diff --git a/debian/gpgv-static.install b/debian/gpgv-static.install
new file mode 100644
index 0000000..adb6deb
--- /dev/null
+++ b/debian/gpgv-static.install
@@ -0,0 +1 @@
+build-gpgv-static/g10/gpgv-static usr/bin/
diff --git a/debian/gpgv-static.lintian-overrides b/debian/gpgv-static.lintian-overrides
new file mode 100644
index 0000000..fa0b8df
--- /dev/null
+++ b/debian/gpgv-static.lintian-overrides
@@ -0,0 +1,3 @@
+# gpgv-static is deliberately built statically. We cannot avoid
+# embedding zlib.
+gpgv-static: embedded-library usr/bin/gpgv-static: zlib
diff --git a/debian/gpgv-static.manpages b/debian/gpgv-static.manpages
new file mode 100644
index 0000000..e3f73aa
--- /dev/null
+++ b/debian/gpgv-static.manpages
@@ -0,0 +1 @@
+debian/gpgv-static.1
diff --git a/debian/gpgv-udeb.install b/debian/gpgv-udeb.install
new file mode 100644
index 0000000..fe27533
--- /dev/null
+++ b/debian/gpgv-udeb.install
@@ -0,0 +1 @@
+build-gpgv-udeb/g10/gpgv usr/bin/
diff --git a/debian/gpgv-win32.install b/debian/gpgv-win32.install
new file mode 100644
index 0000000..cf3cd8c
--- /dev/null
+++ b/debian/gpgv-win32.install
@@ -0,0 +1 @@
+build-gpgv-win32/g10/gpgv.exe usr/share/win32
diff --git a/debian/gpgv.install b/debian/gpgv.install
new file mode 100644
index 0000000..0a9f9a2
--- /dev/null
+++ b/debian/gpgv.install
@@ -0,0 +1 @@
+debian/tmp/usr/bin/gpgv
diff --git a/debian/gpgv.manpages b/debian/gpgv.manpages
new file mode 100644
index 0000000..86a9e29
--- /dev/null
+++ b/debian/gpgv.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man1/gpgv.1
diff --git a/debian/gpgv2.links b/debian/gpgv2.links
new file mode 100644
index 0000000..5107429
--- /dev/null
+++ b/debian/gpgv2.links
@@ -0,0 +1,2 @@
+usr/bin/gpgv usr/bin/gpgv2
+usr/share/man/man1/gpgv.1.gz usr/share/man/man1/gpgv2.1.gz
diff --git a/debian/kbxutil.1 b/debian/kbxutil.1
new file mode 100644
index 0000000..d59f1fe
--- /dev/null
+++ b/debian/kbxutil.1
@@ -0,0 +1,62 @@
+.TH KBXUTIL "1" "March 2016" "kbxutil (GnuPG) 2.1.11" "User Commands"
+
+.SH NAME
+kbxutil \- List, export, import Keybox data
+
+.SH SYNOPSIS
+.B kbxutil
+.RB [ OPTIONS ]
+.RB [ FILES ]
+
+.SH DESCRIPTION
+List, export, import Keybox data
+
+.SH COMMANDS
+.TP
+.B \-\-stats
+show key statistics
+.TP
+.B \-\-import\-openpgp
+import OpenPGP keyblocks
+.TP
+.B \-\-find\-dups
+find duplicates
+.TP
+.B \-\-cut
+export records
+
+.SH OPTIONS
+.TP
+.BI \-\-from " N"
+first record to export
+.TP
+.BI \-\-to " N"
+last record to export
+.TP
+.BR \-v ", " \-\-verbose
+verbose
+.TP
+.BR \-q ", " \-\-quiet
+be somewhat more quiet
+.TP
+.BR \-n ", " \-\-dry\-run
+do not make any changes
+.TP
+.B \-\-debug
+set debugging flags
+.TP
+.B \-\-debug\-all
+enable full debugging
+
+.SH BUGS
+Please report bugs to <https://dev.gnupg.org>.
+
+.SH COPYRIGHT
+Copyright \(co 2016 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
+
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+
+This manpage was written by \fBDaniel Kahn Gillmor\fR for the Debian
+distribution (but may be used by others).
diff --git a/debian/lspgpot.1 b/debian/lspgpot.1
new file mode 100644
index 0000000..ba27eca
--- /dev/null
+++ b/debian/lspgpot.1
@@ -0,0 +1,22 @@
+.TH "lspgpot" 1 "December 2005"
+
+.SH NAME
+lspgpot - extracts the ownertrust values from PGP keyrings and list them in
+GnuPG ownertrust format.
+
+
+.SH SYNOPSIS
+.B lspgpot
+
+
+.SH DESCRIPTION
+.B lspgpot
+extracts the ownertrust values from PGP keyrings and list them in
+GnuPG ownertrust format.
+
+.SH AUTHOR
+Copyright (C) 2002 Free Software Foundation, Inc. Please report bugs to
+<bug-gnupg@gnu.org>.
+
+This manpage was written by Francois Wendling <frwendling@free.fr>.
+
diff --git a/debian/migrate-pubring-from-classic-gpg b/debian/migrate-pubring-from-classic-gpg
new file mode 100755
index 0000000..ecbc8d9
--- /dev/null
+++ b/debian/migrate-pubring-from-classic-gpg
@@ -0,0 +1,108 @@
+#!/bin/bash
+
+# script to migrate fully from pubring.gpg to pubring.kbx
+
+# Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+# Date: 2016-04-01
+# License: GPLv3+
+
+# This was written for the Debian project
+
+set -e
+
+GPG="${GPG:-gpg}"
+
+# select the default GnuPG home directory to work from:
+GHD=${GNUPGHOME:-${HOME:-$(getent passwd "$(id -u)" | cut -f6 -d:)}/.gnupg}
+
+# Check that this is gnupg 2.1 or 2.2:
+VERSION=$("$GPG" --version | head -n1 | cut -f3 -d\ | cut -f1,2 -d.)
+if [ "$VERSION" != 2.1 ] && [ "$VERSION" != 2.2 ] ; then
+ printf '%s is version %s not version 2.1 or 2.2, this script might be wrong\n' "$GPG" "$VERSION" >&2
+ exit 1
+fi
+
+usage() {
+ printf 'Usage: %s [GPGHOMEDIR|--default]
+\tMigrate public keyring in GPGHOMEDIR from "classic" to "modern" GnuPG
+\tusing %s version %s.
+
+\t--default migrates the GnuPG home directory at "%s"
+' "$0" "$GPG" "$VERSION" "$GHD"
+}
+
+if [ -z "$1" ]; then
+ usage >&2
+ exit 1
+else
+ case "$1" in
+ --help|--usage|-h)
+ usage
+ exit
+ ;;
+ --default)
+ ;;
+ *)
+ GHD="$1"
+ ;;
+ esac
+fi
+
+GPG=("$GPG" --homedir "$GHD" --batch)
+
+# ensure that there is a pubring.gpg to migrate:
+if ! [ -f "$GHD/pubring.gpg" ]; then
+ printf 'There is no %s/pubring.gpg, no need to migrate\n' "$GHD" >&2
+ exit
+fi
+if ! [ -s "$GHD/pubring.gpg" ]; then
+ mv -- "$GHD/pubring.gpg" "$GHD/pubring.gpg.empty"
+ printf '%s/pubring.gpg was empty (and has been moved out of the way), no need to migrate\n' "$GHD" >&2
+ exit
+fi
+
+BACKUP="$(mktemp -d "$GHD/migrate-from-classic-backup.$(date +%F).XXXXXX")"
+printf 'Migrating from:\n%s\n[Backing up to %s]\n' "$(ls -l "$GHD/pubring.gpg")" "$BACKUP" >&2
+
+"${GPG[@]}" --export-ownertrust > "$BACKUP/ownertrust.txt"
+mv "$GHD/pubring.gpg" "$BACKUP/"
+
+revert() {
+ printf >&2 'Restoring pubring.gpg...\n'
+ cp "$BACKUP/pubring.gpg" "$GHD/pubring.gpg"
+}
+
+trap revert EXIT
+
+if ! "${GPG[@]}" --status-file "$BACKUP/import-status" --import-options import-local-sigs,keep-ownertrust,repair-pks-subkey-bug --import < "$BACKUP/pubring.gpg" ; then
+ cat >&2 <<EOF
+Keyring import was not completely successful (see error message above,
+and the LIMITATIONS section of migrate-pubring-from-classic-gpg(1) for
+more details).
+
+If you suspect a bug in the migration script, please use:
+
+ reportbug gnupg-utils --subject='migrate-pubring-from-classic-gpg partial failure'
+
+And include the above output (redacted for privacy as needed) in the
+body of the report.
+
+Continuing with the rest of the migration anyway...
+EOF
+fi
+"${GPG[@]}" --import-ownertrust < "$BACKUP/ownertrust.txt"
+"${GPG[@]}" --check-trustdb
+
+if ! [ -f "$GHD/pubring.kbx" ]; then
+ cat >&2 <<EOF
+No keybox was created at $GHD/pubring.kbx. Something went wrong!
+
+Please report a bug in the migration script, using:
+
+ reportbug gnupg-utils --subject='migrate-pubring-from-classic-gpg no pubring.kbx ($BACKUP)'
+EOF
+ exit 1
+fi
+trap - EXIT
+
+printf 'Migration completed successfully:\n%s\n' "$(ls -l "$GHD/pubring.kbx")" >&2
diff --git a/debian/migrate-pubring-from-classic-gpg.1 b/debian/migrate-pubring-from-classic-gpg.1
new file mode 100644
index 0000000..7cbeec7
--- /dev/null
+++ b/debian/migrate-pubring-from-classic-gpg.1
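Review bot: In debian/migrate-pubring-from-classic-gpg, a failed `--import` only prints "Continuing with the rest of the migration anyway...", after which the script clears the `revert` trap, prints 'Migration completed successfully' and exits 0, so a calling script or a user skimming the output cannot tell a partial migration from a complete one. Because `pubring.gpg` has already been moved into `$BACKUP`, any certificate the keybox rejected is presumably no longer visible to gpg, and later signature checks against it will fail without an obvious cause. I would set `partial=1` in the failure branch and, before the final message, add `if [ -n "$partial" ]; then printf 'Migration finished, but some keys were not imported; the original keyring is in %s\n' "$BACKUP" >&2; exit 2; fi`. The second `mv` (into `"$BACKUP/"`) also lacks the `--` that the earlier `mv` uses.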
@@ -0,0 +1,94 @@
+.TH "MIGRATE-PUBRING-FROM-CLASSIC-GPG" 1 "April 2016"
+
+.SH NAME
+migrate\-pubring\-from\-classic\-gpg \- Migrate a public keyring from "classic" to "modern" GnuPG
+
+.SH SYNOPSIS
+.B migrate\-pubring\-from\-classic\-gpg
+.RB "[ " GPGHOMEDIR " | "
+.IR \-\-default " ]"
+
+.SH DESCRIPTION
+
+.B migrate\-pubring\-from\-classic\-gpg
+migrates the public keyring in GnuPG home directory GPGHOMEDIR from
+the "classic" keyring format (pubring.gpg) to the "modern" keybox format using GnuPG
+versions 2.1 or 2.2 (pubring.kbx).
+
+Specifying
+.B \-\-default
+selects the standard GnuPG home directory (looking at $GNUPGHOME
+first, and falling back to ~/.gnupg if unset.
+
+.SH OPTIONS
+.BR \-h ", " \-\-help ", " \-\-usage
+Output a short usage information.
+
+.SH DIAGNOSTICS
+The program sends quite a bit of text (perhaps too much) to stderr.
+
+During a migration, the tool backs up several pieces of data in a
+timestamped subdirectory of the GPGHOMEDIR.
+
+.SH LIMITATIONS
+The keybox format rejects a number of OpenPGP certificates that the
+"classic" keyring format used to accept. These filters are defensive,
+since the certificates rejected are unsafe -- either cryptographically
+unsound, or dangerously non-performant. This means that some
+migrations may produce warning messages about the migration being
+incomplete. This is generally a good thing!
+
+Known limitations:
+
+.B Flooded certificates
+.RS 4
+Some OpenPGP certificates have been flooded with bogus certifications
+as part of an attack on the SKS keyserver network (see
+https://tools.ietf.org/html/draft-dkg-openpgp-abuse-resistant-keystore-03#section-2.1).
+
+The keybox format rejects import of any OpenPGP certificate larger
+than 5MiB. As of GnuPG 2.2.17, if gpg encounters such a flooded
+certificate will retry the import while stripping all third-party
+certifications (see "self-sigs-only" in gpg(1)).
+
+The typical error message when migrating a keyring with a flooded
+certificate will be something like:
+
+.RE
+.RS 8
+error writing keyring 'pubring.kbx': Provided object is too large
+.RE
+
+.B OpenPGPv3 public keys (a.k.a. "PGP-2" keys)
+.RS 4
+Modern OpenPGP implementations use so-called "OpenPGP v4" public keys.
+Older versions of the public key format have serious known problems.
+See https://tools.ietf.org/html/rfc4880#section-5.5.2 for more details
+about and reasons for v3 key deprecation.
+
+The keybox format skips v3 keys entirely during migration, and GnuPG
+will produce a message like:
+
+.RE
+.RS 8
+skipped PGP-2 keys: 1
+.RE
+
+.SH ENVIRONMENT VARIABLES
+
+.B GNUPGHOME
+Selects the GnuPG home directory when set and --default is given.
+
+.B GPG
+The name of the
+.B gpg
+executable (defaults to
+.B gpg
+).
+
+.SH SEE ALSO
+.BR gpg (1)
+
+.SH AUTHOR
+Copyright (C) 2016 Daniel Kahn Gillmor for the Debian project. Please
+report bugs via the Debian BTS.
diff --git a/debian/not-installed b/debian/not-installed
new file mode 100644
index 0000000..a563837
--- /dev/null
+++ b/debian/not-installed
@@ -0,0 +1,2 @@
+usr/bin/gpgscm
+usr/share/man/man1/symcryptrun.1
diff --git a/debian/org.gnupg.scdaemon.metainfo.xml b/debian/org.gnupg.scdaemon.metainfo.xml
new file mode 100644
index 0000000..b96f232
--- /dev/null
+++ b/debian/org.gnupg.scdaemon.metainfo.xml
@@ -0,0 +1,53 @@ +<?xml version="1.0" encoding="UTF-8"?> +<component> + <id>org.gnupg.scdaemon</id> + <metadata_license>CC0-1.0</metadata_license> + <name>scdaemon</name> + <summary>USB SmartCard Readers</summary> + <description> + <p> + GnuPG's scdaemon provides access to USB tokens and smartcard + readers that provide cryptographic functionality (e.g. use of + protected secret keys). + </p> + </description> + <provides> + <modalias>usb:v046Ap0005d*</modalias> + <modalias>usb:v046Ap0010d*</modalias> + <modalias>usb:v046Ap003Ed*</modalias> + <modalias>usb:v04E6p5111d*</modalias> + <modalias>usb:v04E6p5115d*</modalias> + <modalias>usb:v04E6p5116d*</modalias> + <modalias>usb:v04E6p5117d*</modalias> + <modalias>usb:v04E6pE001d*</modalias> + <modalias>usb:v04E6pE003d*</modalias> + <modalias>usb:v058Fp9540d*</modalias> + <modalias>usb:v076Bp3821d*</modalias> + <modalias>usb:v076Bp6622d*</modalias> + <modalias>usb:v08E6p3437d*</modalias> + <modalias>usb:v08E6p3438d*</modalias> + <modalias>usb:v08E6p3478d*</modalias> + <modalias>usb:v08E6p34C2d*</modalias> + <modalias>usb:v08E6p34ECd*</modalias> + <modalias>usb:v0BF8p1006d*</modalias> + <modalias>usb:v0C4Bp0500d*</modalias> + <modalias>usb:v0D46p2012d*</modalias> + <modalias>usb:v1050p0111d*</modalias> + <modalias>usb:v1050p0112d*</modalias> + <modalias>usb:v1050p0115d*</modalias> + <modalias>usb:v1050p0116d*</modalias> + <modalias>usb:v1050p0404d*</modalias> + <modalias>usb:v1050p0405d*</modalias> + <modalias>usb:v1050p0406d*</modalias> + <modalias>usb:v1050p0407d*</modalias> + <modalias>usb:v1A44p0920d*</modalias> + <modalias>usb:v1FC9p81E6d*</modalias> + <modalias>usb:v20A0p4107d*</modalias> + <modalias>usb:v20A0p4108d*</modalias> + <modalias>usb:v20A0p4109d*</modalias> + <modalias>usb:v20A0p4211d*</modalias> + <modalias>usb:v234Bp0000d*</modalias> + <modalias>usb:v316Dp4C4Bd*</modalias> + <modalias>usb:v1209p2440d*</modalias> + </provides> +</component> 
diff --git a/debian/package-dependencies.dot b/debian/package-dependencies.dot new file mode 100644 index 0000000..8297f78 --- /dev/null +++ b/debian/package-dependencies.dot @@ -0,0 +1,73 @@ +#!/usr/bin/dot + +# interrelationships between binary packages produced by gnupg2 source +# package: + +# it would be good to graph the external dependencies as well. + +digraph gnupg2 { + # odd-duck packages: + node [shape=box]; + gpgv_udeb [label="gpgv-udeb"]; + gpgv_static [label="gpgv-static"]; + gpgv_win32 [label="gpgv-win32"]; + + # meta-packages, transitional packages: + node [shape=diamond]; + gnupg_agent [label="gnupg-agent"]; + gnupg; + gnupg2; + gpgv2; + + + node [shape=ellipse]; + gpg_agent [label="gpg-agent"]; + gpg_wks_server [label="gpg-wks-server"]; + gpg_wks_client [label="gpg-wks-client"]; + gnupg_l10n [label="gnupg-l10n"]; + gnupg_utils [label="gnupg-utils"]; + + + # depends: + edge [color=black]; + gnupg_agent -> gpg_agent; + gpg_agent -> gpgconf; + gpg_wks_server -> gpg; + gpg_wks_server -> gpg_agent; + gpg_wks_client -> gpg; + gpg_wks_client -> gpg_agent; + gpg_wks_client -> dirmngr; + scdaemon -> gpg_agent; + gpgsm -> gpgconf; + gpg -> gpgconf; + gnupg -> dirmngr; + gnupg -> gnupg_l10n; + gnupg -> gnupg_utils; + gnupg -> gpg; + gnupg -> gpg_agent; + gnupg -> gpg_wks_client; + gnupg -> gpg_wks_server; + gnupg -> gpgsm; + gnupg -> gpgv; + gnupg2 -> gnupg; + gpgv2 -> gpgv; + dirmngr -> gpgconf; + + + # recommends: + edge [color=red]; + gpg_agent -> gnupg; + gpg_wks_server -> gnupg; + gpg_wks_client -> gnupg; + gpgsm -> gnupg; + gpg -> gnupg; + dirmngr -> gnupg; + gnupg_utils -> gpg; + gnupg_utils -> gpg_agent; + gnupg_utils -> gpgconf; + gnupg_utils -> gpgsm; + + # suggests: + edge [color=blue]; + gpgv -> gnupg; +} diff --git a/debian/patches/Make-gpg-zip-use-tar-from-PATH.patch b/debian/patches/Make-gpg-zip-use-tar-from-PATH.patch new file mode 100644 index 0000000..2deee94 --- /dev/null +++ b/debian/patches/Make-gpg-zip-use-tar-from-PATH.patch 
@@ -0,0 +1,27 @@ +From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +Date: Sun, 18 Nov 2018 17:29:52 -0500 +Subject: Make gpg-zip use tar from $PATH + +Apparently there is no clean way to configure this from ./configure, +and upstream is deprecating gpg-zip anyway. So just force-set tar to +be manually "tar" (meaning, that we should look in the $PATH at +runtime). + +See also https://dev.gnupg.org/T4251 and https://bugs.debian.org/913582 +--- + tools/gpg-zip.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/gpg-zip.in b/tools/gpg-zip.in +index 9047e36..3821f3a 100644 +--- a/tools/gpg-zip.in ++++ b/tools/gpg-zip.in +@@ -23,7 +23,7 @@ + # the GNU or POSIX variant of USTAR. + + VERSION=@VERSION@ +-TAR=@TAR@ ++TAR=tar + GPG=gpg + + usage="\ diff --git a/debian/patches/Use-hkps-keys.openpgp.org-as-the-default-keyserver.patch b/debian/patches/Use-hkps-keys.openpgp.org-as-the-default-keyserver.patch new file mode 100644 index 0000000..ce69403 --- /dev/null +++ b/debian/patches/Use-hkps-keys.openpgp.org-as-the-default-keyserver.patch 
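Review bot: The `TAR=tar` assignment in tools/gpg-zip.in makes the script run whichever `tar` comes first in the caller's `$PATH`, and nothing in the script records that this is deliberate. The patch header explains it, but a reader of the installed script will not see that header. Since gpg-zip presumably passes the unencrypted file list through that binary (the script body is outside the hunk), I would state the assumption next to the assignment, e.g. `# Debian: resolved through $PATH at run time instead of the configure-time @TAR@; run with a trusted PATH`.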
@@ -0,0 +1,71 @@ +From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +Date: Thu, 11 Jul 2019 21:52:11 -0400 +Subject: Use hkps://keys.openpgp.org as the default keyserver + +As of 2.2.17, GnuPG will refuse to accept any third-party +certifications from OpenPGP certificates pulled from the keyserver +network. + +The SKS keyserver network currently has at least a dozen popular +certificates which are flooded with enough unusable third-party +certifications that they cannot be retrieved in any reasonable amount +of time. + +The hkps://keys.openpgp.org keyserver installation offers HKPS, +performs cryptographic validation, and by policy does not distribute +third-party certifications anyway. + +It is not distributed or federated yet, unfortunately, but it is +functional, which is more than can be said for the dying SKS pool. +And given that GnuPG is going to reject all the third-party +certifications anyway, there is no clear "web of trust" rationale for +relying on the SKS pool. + +One sticking point is that keys.openpgp.org does not distribute user +IDs unless the user has proven control of the associated e-mail +address. This means that on standard upstream GnuPG, retrieving +revocations or subkey updates of those certificates will fail, because +upstream GnuPG ignores any incoming certificate without a user ID, +even if it knows a user ID in the local copy of the certificate (see +https://dev.gnupg.org/T4393). + +However, we have three patches in +debian/patches/import-merge-without-userid/ that together fix that +bug. 
+ +Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +--- + configure.ac | 2 +- + doc/dirmngr.texi | 6 +++++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 4b9d908..47eb11c 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1856,7 +1856,7 @@ AC_DEFINE_UNQUOTED(SCDAEMON_SOCK_NAME, "S.scdaemon", + AC_DEFINE_UNQUOTED(DIRMNGR_SOCK_NAME, "S.dirmngr", + [The name of the dirmngr socket]) + AC_DEFINE_UNQUOTED(DIRMNGR_DEFAULT_KEYSERVER, +- "hkps://hkps.pool.sks-keyservers.net", ++ "hkps://keys.openpgp.org", + [The default keyserver for dirmngr to use, if none is explicitly given]) + + AC_DEFINE_UNQUOTED(GPGEXT_GPG, "gpg", [The standard binary file suffix]) +diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi +index 84a8d28..603a11a 100644 +--- a/doc/dirmngr.texi ++++ b/doc/dirmngr.texi +@@ -329,7 +329,11 @@ whether Tor is locally running or not. The check for a running Tor is + done for each new connection. + + If no keyserver is explicitly configured, dirmngr will use the +-built-in default of @code{hkps://hkps.pool.sks-keyservers.net}. ++built-in default of @code{hkps://keys.openpgp.org}. ++ ++Note that the above default is a Debian-specific choice. Upstream ++GnuPG prefers @code{hkps://hkps.pool.sks-keyservers.net}. See ++/usr/share/doc/gpgconf/NEWS.Debian.gz for more details. + + Windows users with a keyserver running on their Active Directory + should use @code{ldap:///} for @var{name} to access this directory. diff --git a/debian/patches/block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch b/debian/patches/block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch new file mode 100644 index 0000000..a1ce6ea --- /dev/null +++ b/debian/patches/block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch 
@@ -0,0 +1,89 @@ +From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +Date: Tue, 11 Aug 2015 20:28:26 -0400 +Subject: Avoid simple memory dumps via ptrace + +This avoids needing to setgid gpg-agent. It probably doesn't defend +against all possible attacks, but it defends against one specific (and +easy) one. If there are other protections we should do them too. + +This will make it slightly harder to debug the agent because the +normal user won't be able to attach gdb to it directly while it runs. + +The remaining options for debugging are: + + * launch the agent from gdb directly + * connect gdb to a running agent as the superuser + +Upstream bug: https://dev.gnupg.org/T1211 +--- + agent/gpg-agent.c | 8 ++++++++ + configure.ac | 2 +- + scd/scdaemon.c | 9 +++++++++ + 3 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c +index b167c34..5afcf11 100644 +--- a/agent/gpg-agent.c ++++ b/agent/gpg-agent.c +@@ -50,6 +50,9 @@ + # include <signal.h> + #endif + #include <npth.h> ++#ifdef HAVE_PRCTL ++# include <sys/prctl.h> ++#endif + + #define INCLUDED_BY_MAIN_MODULE 1 + #define GNUPG_COMMON_NEED_AFLOCAL +@@ -1030,6 +1033,11 @@ main (int argc, char **argv ) + + early_system_init (); + ++#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) ++ /* Disable ptrace on Linux without sgid bit */ ++ prctl(PR_SET_DUMPABLE, 0); ++#endif ++ + /* Before we do anything else we save the list of currently open + file descriptors and the signal mask. This info is required to + do the exec call properly. We don't need it on Windows. 
*/ +diff --git a/configure.ac b/configure.ac +index 7a2d410..2d8b050 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1426,7 +1426,7 @@ AC_CHECK_FUNCS([atexit canonicalize_file_name clock_gettime ctermid \ + ftruncate funlockfile getaddrinfo getenv getpagesize \ + getpwnam getpwuid getrlimit getrusage gettimeofday \ + gmtime_r inet_ntop inet_pton isascii lstat memicmp \ +- memmove memrchr mmap nl_langinfo pipe raise rand \ ++ memmove memrchr mmap nl_langinfo pipe prctl raise rand \ + setenv setlocale setrlimit sigaction sigprocmask \ + stat stpcpy strcasecmp strerror strftime stricmp \ + strlwr strncasecmp strpbrk strsep strtol strtoul \ +diff --git a/scd/scdaemon.c b/scd/scdaemon.c +index 5c519f8..cab66a0 100644 +--- a/scd/scdaemon.c ++++ b/scd/scdaemon.c +@@ -37,6 +37,9 @@ + #include <unistd.h> + #include <signal.h> + #include <npth.h> ++#ifdef HAVE_PRCTL ++# include <sys/prctl.h> ++#endif + + #define INCLUDED_BY_MAIN_MODULE 1 + #define GNUPG_COMMON_NEED_AFLOCAL +@@ -446,6 +449,12 @@ main (int argc, char **argv ) + npth_t pipecon_handler; + + early_system_init (); ++ ++#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) ++ /* Disable ptrace on Linux without sgid bit */ ++ prctl(PR_SET_DUMPABLE, 0); ++#endif ++ + set_strusage (my_strusage); + gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN); + /* Please note that we may running SUID(ROOT), so be very CAREFUL diff --git a/debian/patches/cherry-picked/1617856888.gnupg-2.3.0-4-gab66c4357.scd-fix-ccid-driver-for-scm-spr332-spr532.patch b/debian/patches/cherry-picked/1617856888.gnupg-2.3.0-4-gab66c4357.scd-fix-ccid-driver-for-scm-spr332-spr532.patch new file mode 100644 index 0000000..a54ff93 --- /dev/null +++ b/debian/patches/cherry-picked/1617856888.gnupg-2.3.0-4-gab66c4357.scd-fix-ccid-driver-for-scm-spr332-spr532.patch 
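Review bot: Both added `prctl(PR_SET_DUMPABLE, 0);` calls, in main() of agent/gpg-agent.c and of scd/scdaemon.c, discard the return value, so a daemon on which the call fails keeps running dumpable with nothing in the log. I would check it and report the failure, e.g. `if (prctl (PR_SET_DUMPABLE, 0)) log_info ("cannot clear the dumpable flag: %s\n", strerror (errno));`, assuming logging is usable this early in main(). The one-line comment could also say what the flag covers: clearing it refuses ptrace attach from the same unprivileged user and also suppresses core dumps, which is why the patch header lists the two remaining ways to debug. Both main() bodies continue outside the hunks.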
@@ -0,0 +1,48 @@ +Subject: Scd: Fix CCID driver for SCM SPR332/SPR532 +Origin: gnupg-2.3.0-4-gab66c4357 +Upstream-Author: NIIBE Yutaka <gniibe@fsij.org> +Date: Thu Apr 8 13:41:28 2021 +0900 +Bug-Debian: https://bugs.debian.org/982546 + + * scd/ccid-driver.c (ccid_vendor_specific_pinpad_setup): New. + (ccid_vendor_specific_setup): Only send CLEAR_HALT. + (ccid_transceive_secure): Each time, use send_escape_cmd. + + -- + + GnuPG-bug-id: 5297 + Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> + +--- a/scd/ccid-driver.c ++++ b/scd/ccid-driver.c +@@ -1304,10 +1304,20 @@ + { + if (handle->id_vendor == VENDOR_SCM && handle->id_product == SCM_SPR532) + { ++ libusb_clear_halt (handle->idev, handle->ep_intr); ++ } ++ return 0; ++} ++ ++ ++static int ++ccid_vendor_specific_pinpad_setup (ccid_driver_t handle) ++{ ++ if (handle->id_vendor == VENDOR_SCM && handle->id_product == SCM_SPR532) ++ { + DEBUGOUT ("sending escape sequence to switch to a case 1 APDU\n"); + send_escape_cmd (handle, (const unsigned char*)"\x80\x02\x00", 3, + NULL, 0, NULL); +- libusb_clear_halt (handle->idev, handle->ep_intr); + } + return 0; + } +@@ -3583,6 +3593,8 @@ + if (pininfo->fixedlen < 0 || pininfo->fixedlen >= 16) + return CCID_DRIVER_ERR_NOT_SUPPORTED; + ++ ccid_vendor_specific_pinpad_setup (handle); ++ + msg = send_buffer; + msg[0] = cherry_mode? 0x89 : PC_to_RDR_Secure; + msg[5] = 0; /* slot */ diff --git a/debian/patches/cherry-picked/g10-Fix-garbled-status-messages-in-NOTATION_DATA.patch b/debian/patches/cherry-picked/g10-Fix-garbled-status-messages-in-NOTATION_DATA.patch new file mode 100644 index 0000000..d66b346 --- /dev/null +++ b/debian/patches/cherry-picked/g10-Fix-garbled-status-messages-in-NOTATION_DATA.patch 
@@ -0,0 +1,47 @@ +From: Werner Koch <wk@gnupg.org> +Date: Tue, 14 Jun 2022 11:33:27 +0200 +Subject: g10: Fix garbled status messages in NOTATION_DATA + +* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one +-- + +Depending on the escaping and line wrapping the computed remaining +buffer length could be wrong. Fixed by always using a break to +terminate the escape detection loop. Might have happened for all +status lines which may wrap. + +GnuPG-bug-id: T6027 +(cherry picked from commit 34c649b3601383cd11dbc76221747ec16fd68e1b) +--- + g10/cpr.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +diff --git a/g10/cpr.c b/g10/cpr.c +index d502e8b..bc4b715 100644 +--- a/g10/cpr.c ++++ b/g10/cpr.c +@@ -328,20 +328,15 @@ write_status_text_and_buffer (int no, const char *string, + } + first = 0; + } +- for (esc=0, s=buffer, n=len; n && !esc; s++, n--) ++ for (esc=0, s=buffer, n=len; n; s++, n--) + { + if (*s == '%' || *(const byte*)s <= lower_limit + || *(const byte*)s == 127 ) + esc = 1; + if (wrap && ++count > wrap) +- { +- dowrap=1; +- break; +- } +- } +- if (esc) +- { +- s--; n++; ++ dowrap=1; ++ if (esc || dowrap) ++ break; + } + if (s != buffer) + es_fwrite (buffer, s-buffer, 1, statusfp); diff --git a/debian/patches/debian-packaging/avoid-beta-warning.patch b/debian/patches/debian-packaging/avoid-beta-warning.patch new file mode 100644 index 0000000..5cb22e5 --- /dev/null +++ b/debian/patches/debian-packaging/avoid-beta-warning.patch 
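Review bot: The rewritten loop in write_status_text_and_buffer() now depends on `break` leaving `s` and `n` un-advanced in both the escape case and the wrap case, but no comment states that invariant. The removed `s--; n++;` fix-up shows how easy it is to get wrong, and the `es_fwrite (buffer, s-buffer, 1, statusfp)` that follows relies on it. I would add a comment above the `for`, e.g. `/* Always leave via break so that S and N still refer to the byte that needs escaping or that starts the wrapped line. */`. The new `dowrap=1;` is also written without spaces around `=`, unlike `esc = 1;` two lines above it. The function body continues outside the hunk.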
@@ -0,0 +1,44 @@ +From: Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org> +Date: Tue, 14 Apr 2015 10:02:31 -0400 +Subject: avoid-beta-warning + +avoid self-describing as a beta + +Using autoreconf against the source as distributed in tarball form +invariably results in a package that thinks it's a "beta" package, +which produces the "THIS IS A DEVELOPMENT VERSION" warning string. + +since we use dh_autoreconf, i need this patch to avoid producing +builds that announce themselves as DEVELOPMENT VERSIONs. + +See discussion at: + + http://lists.gnupg.org/pipermail/gnupg-devel/2014-November/029065.html +--- + autogen.sh | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/autogen.sh b/autogen.sh +index b238550..9b86d3f 100755 +--- a/autogen.sh ++++ b/autogen.sh +@@ -229,7 +229,7 @@ if [ "$myhost" = "find-version" ]; then + esac + + beta=no +- if [ -e .git ]; then ++ if false; then + ingit=yes + tmp=$(git describe --match "${matchstr1}" --long 2>/dev/null) + tmp=$(echo "$tmp" | sed s/^"$package"//) +@@ -245,8 +245,8 @@ if [ "$myhost" = "find-version" ]; then + rvd=$((0x$(echo ${rev} | dd bs=1 count=4 2>/dev/null))) + else + ingit=no +- beta=yes +- tmp="-unknown" ++ beta=no ++ tmp="" + rev="0000000" + rvd="0" + fi diff --git a/debian/patches/debian-packaging/avoid-regenerating-defsincdate-use-shipped-file.patch b/debian/patches/debian-packaging/avoid-regenerating-defsincdate-use-shipped-file.patch new file mode 100644 index 0000000..01489be --- /dev/null +++ b/debian/patches/debian-packaging/avoid-regenerating-defsincdate-use-shipped-file.patch 
@@ -0,0 +1,39 @@ +From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +Date: Mon, 29 Aug 2016 12:34:42 -0400 +Subject: avoid regenerating defsincdate (use shipped file) + +upstream ships doc/defsincdate in its tarballs. but doc/Makefile.am +tries to rewrite doc/defsincdate if it notices that any of the files +have been modified more recently, and it does so assuming that we're +running from a git repo. + +However, we'd rather ship the documents cleanly without regenerating +defsincdate -- we don't have a git repo available (debian builds from +upstream tarballs) and any changes to the texinfo files (e.g. from +debian/patches/) might result in different dates on the files than we +expect after they're applied by dpkg or quilt or whatever, which makes +the datestamp unreproducible. +--- + doc/Makefile.am | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/doc/Makefile.am b/doc/Makefile.am +index 2b882c3..6be571b 100644 +--- a/doc/Makefile.am ++++ b/doc/Makefile.am +@@ -178,15 +178,6 @@ $(myman_pages) gnupg.7 : yat2m-stamp defs.inc + + dist-hook: defsincdate + +-defsincdate: $(gnupg_TEXINFOS) +- : >defsincdate ; \ +- if test -e $(top_srcdir)/.git; then \ +- (cd $(srcdir) && git log -1 --format='%ct' \ +- -- $(gnupg_TEXINFOS) 2>/dev/null) >>defsincdate; \ +- elif test x"$$SOURCE_DATE_EPOCH" != x; then \ +- echo "$$SOURCE_DATE_EPOCH" >>defsincdate ; \ +- fi +- + defs.inc : defsincdate Makefile mkdefsinc + incd="`test -f defsincdate || echo '$(srcdir)/'`defsincdate"; \ + ./mkdefsinc -C $(srcdir) --date "`cat $$incd 2>/dev/null`" \ diff --git a/debian/patches/dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch b/debian/patches/dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch new file mode 100644 index 0000000..6a0e778 --- /dev/null +++ b/debian/patches/dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch 
@@ -0,0 +1,29 @@ +From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +Date: Sun, 30 Jun 2019 11:54:35 -0400 +Subject: dirmngr: Only use SKS pool CA for SKS pool + +* dirmngr/http.c (http_session_new): when checking whether the +keyserver is the HKPS pool, check specifically against the pool name, +as ./configure might have been used to select a different default +keyserver. It makes no sense to apply Kristian's certificate +authority to anything other than the literal host +hkps.pool.sks-keyservers.net. + +Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +--- + dirmngr/http.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/dirmngr/http.c b/dirmngr/http.c +index 5e3f17c..40160e0 100644 +--- a/dirmngr/http.c ++++ b/dirmngr/http.c +@@ -768,7 +768,7 @@ http_session_new (http_session_t *r_session, + + is_hkps_pool = (intended_hostname + && !ascii_strcasecmp (intended_hostname, +- get_default_keyserver (1))); ++ "hkps.pool.sks-keyservers.net")); + + /* If we are looking for the hkps pool from sks-keyservers.net, + * then forcefully use its dedicated certificate authority. */ diff --git a/debian/patches/dirmngr-idling/dirmngr-Avoid-automatically-checking-upstream-swdb.patch b/debian/patches/dirmngr-idling/dirmngr-Avoid-automatically-checking-upstream-swdb.patch new file mode 100644 index 0000000..bd68c9c --- /dev/null +++ b/debian/patches/dirmngr-idling/dirmngr-Avoid-automatically-checking-upstream-swdb.patch 
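Review bot: The host name that selects the dedicated pool certificate authority in http_session_new() is now a bare string literal inside the `is_hkps_pool` expression, so this trust decision depends on a string that is easy to miss when the CA handling is next changed. A named constant defined next to the CA code would keep the two together, e.g. `#define HKPS_POOL_HOSTNAME "hkps.pool.sks-keyservers.net"` used as `!ascii_strcasecmp (intended_hostname, HKPS_POOL_HOSTNAME)`. The comment below the assignment could also say that the match is an exact, case-insensitive comparison of the whole host name, so any other keyserver falls through to the normal trust settings. The function body continues outside the hunk.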
@@ -0,0 +1,47 @@ +From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +Date: Sun, 20 Nov 2016 23:09:24 -0500 +Subject: dirmngr: Avoid automatically checking upstream swdb. + +* dirmngr/dirmngr.c (housekeeping_thread): Avoid automatically +checking upstream's software database. In Debian, software updates +should be handled by the distro mechanism, and additional upstream +checks only confuse the user. +* doc/dirmngr.texi: document that --allow-version-check does nothing. + +Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +--- + dirmngr/dirmngr.c | 2 -- + doc/dirmngr.texi | 7 ++++--- + 2 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c +index 89eea4e..f26ed63 100644 +--- a/dirmngr/dirmngr.c ++++ b/dirmngr/dirmngr.c +@@ -1955,8 +1955,6 @@ housekeeping_thread (void *arg) + if (network_activity_seen) + { + network_activity_seen = 0; +- if (opt.allow_version_check) +- dirmngr_load_swdb (&ctrlbuf, 0); + workqueue_run_global_tasks (&ctrlbuf, 1); + } + else +diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi +index 843fdbf..84a8d28 100644 +--- a/doc/dirmngr.texi ++++ b/doc/dirmngr.texi +@@ -291,9 +291,10 @@ Set the size of the queue for pending connections. The default is 64. + @item --allow-version-check + @opindex allow-version-check + Allow Dirmngr to connect to @code{https://versions.gnupg.org} to get +-the list of current software versions. If this option is enabled +-the list is retrieved in case the local +-copy does not exist or is older than 5 to 7 days. See the option ++the list of current software versions. ++On debian-packaged versions, this option does nothing since software ++updates should be handled by the distribution. ++See the option + @option{--query-swdb} of the command @command{gpgconf} for more + details. Note, that regardless of this option a version check can + always be triggered using this command: 
diff --git a/debian/patches/dirmngr-idling/dirmngr-Avoid-need-for-hkp-housekeeping.patch b/debian/patches/dirmngr-idling/dirmngr-Avoid-need-for-hkp-housekeeping.patch
new file mode 100644
index 0000000..cbd1695
--- /dev/null
+++ b/debian/patches/dirmngr-idling/dirmngr-Avoid-need-for-hkp-housekeeping.patch
@@ -0,0 +1,230 @@ +From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +Date: Sat, 29 Oct 2016 02:00:50 -0400 +Subject: dirmngr: Avoid need for hkp housekeeping. + +* dirmngr/ks-engine-hkp.c (host_is_alive): New function. Test whether +host is alive and resurrects it if it has been dead long enough. +(select_random_host, map_host, ks_hkp_mark_host): Use host_is_alive +instead of testing hostinfo_t->dead directly. +(ks_hkp_housekeeping): Remove function, no longer needed. +* dirmngr/dirmngr.c (housekeeping_thread): Remove call to +ks_hkp_housekeeping. + +-- + +Rather than resurrecting hosts upon scheduled resurrection times, test +whether hosts should be resurrected as they're inspected for being +dead. This removes the need for explicit housekeeping, and makes host +resurrections happen "just in time", rather than being clustered on +HOUSEKEEPING_INTERVAL seconds. + +According to 392e068e9f143d41f6350345619543cbcd47380f, +dns_stuff_housekeeping only works on Windows, so it also isn't +necessary in debian, but it remains in place for now. 
+ +Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +--- + dirmngr/dirmngr.c | 3 --- + dirmngr/dirmngr.h | 1 - + dirmngr/ks-engine-hkp.c | 72 ++++++++++++++++++++++++------------------------- + 3 files changed, 35 insertions(+), 41 deletions(-) + +diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c +index ae967dd..89eea4e 100644 +--- a/dirmngr/dirmngr.c ++++ b/dirmngr/dirmngr.c +@@ -1935,12 +1935,10 @@ static void * + housekeeping_thread (void *arg) + { + static int sentinel; +- time_t curtime; + struct server_control_s ctrlbuf; + + (void)arg; + +- curtime = gnupg_get_time (); + if (sentinel) + { + log_info ("housekeeping is already going on\n"); +@@ -1954,7 +1952,6 @@ housekeeping_thread (void *arg) + dirmngr_init_default_ctrl (&ctrlbuf); + + dns_stuff_housekeeping (); +- ks_hkp_housekeeping (curtime); + if (network_activity_seen) + { + network_activity_seen = 0; +diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h +index 1b52a1d..4afc19b 100644 +--- a/dirmngr/dirmngr.h ++++ b/dirmngr/dirmngr.h +@@ -217,7 +217,6 @@ const char* dirmngr_get_current_socket_name (void); + int dirmngr_use_tor (void); + + /*-- Various housekeeping functions. --*/ +-void ks_hkp_housekeeping (time_t curtime); + void ks_hkp_reload (void); + + +diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c +index d425363..c50681d 100644 +--- a/dirmngr/ks-engine-hkp.c ++++ b/dirmngr/ks-engine-hkp.c +@@ -218,6 +218,24 @@ host_in_pool_p (hostinfo_t hi, int tblidx) + return 0; + } + ++static int ++host_is_alive (hostinfo_t hi, time_t curtime) ++{ ++ if (!hi) ++ return 0; ++ if (!hi->dead) ++ return 1; ++ if (!hi->died_at) ++ return 0; /* manually marked dead */ ++ if (hi->died_at + RESURRECT_INTERVAL <= curtime ++ || hi->died_at > curtime) ++ { ++ hi->dead = 0; ++ log_info ("resurrected host '%s'", hi->name); ++ return 1; ++ } ++ return 0; ++} + + /* Select a random host. Consult HI->pool which indices into the global + hosttable. 
Returns index into HI->pool or -1 if no host could be +@@ -228,13 +246,15 @@ select_random_host (hostinfo_t hi) + int *tbl = NULL; + size_t tblsize = 0; + int pidx, idx; ++ time_t curtime; + ++ curtime = gnupg_get_time (); + /* We create a new table so that we randomly select only from + currently alive hosts. */ + for (idx = 0; + idx < hi->pool_len && (pidx = hi->pool[idx]) != -1; + idx++) +- if (hosttable[pidx] && !hosttable[pidx]->dead) ++ if (hosttable[pidx] && host_is_alive (hosttable[pidx], curtime)) + { + tblsize++; + tbl = xtryrealloc(tbl, tblsize * sizeof *tbl); +@@ -462,6 +482,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect, + int is_pool; + int new_hosts = 0; + char *cname; ++ time_t curtime; + + *r_host = NULL; + if (r_httpflags) +@@ -501,6 +522,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect, + } + else + hi = hosttable[idx]; ++ curtime = gnupg_get_time (); + + is_pool = hi->pool != NULL; + +@@ -607,7 +629,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect, + if (force_reselect) + hi->poolidx = -1; + else if (hi->poolidx >= 0 && hi->poolidx < hosttable_size +- && hosttable[hi->poolidx] && hosttable[hi->poolidx]->dead) ++ && hosttable[hi->poolidx] && !host_is_alive (hosttable[hi->poolidx], curtime)) + hi->poolidx = -1; + + /* Select a host if needed. 
*/ +@@ -665,7 +687,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect, + return gpg_error_from_syserror (); + } + +- if (hi->dead) ++ if (!host_is_alive (hi, curtime)) + { + log_error ("host '%s' marked as dead\n", hi->name); + if (r_httphost) +@@ -770,7 +792,8 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive) + { + gpg_error_t err = 0; + hostinfo_t hi, hi2; +- int idx, idx2, idx3, n; ++ int idx, idx2, idx3, n, is_alive; ++ time_t curtime; + + if (!name || !*name || !strcmp (name, "localhost")) + return 0; +@@ -779,13 +802,15 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive) + if (idx == -1) + return gpg_error (GPG_ERR_NOT_FOUND); + ++ curtime = gnupg_get_time (); + hi = hosttable[idx]; +- if (alive && hi->dead) ++ is_alive = host_is_alive (hi, curtime); ++ if (alive && !is_alive) + { + hi->dead = 0; + err = ks_printf_help (ctrl, "marking '%s' as alive", name); + } +- else if (!alive && !hi->dead) ++ else if (!alive && is_alive) + { + hi->dead = 1; + hi->died_at = 0; /* Manually set dead. */ +@@ -819,14 +844,15 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive) + + hi2 = hosttable[n]; + if (!hi2) +- ; +- else if (alive && hi2->dead) ++ continue; ++ is_alive = host_is_alive (hi2, curtime); ++ if (alive && !is_alive) + { + hi2->dead = 0; + err = ks_printf_help (ctrl, "marking '%s' as alive", + hi2->name); + } +- else if (!alive && !hi2->dead) ++ else if (!alive && is_alive) + { + hi2->dead = 1; + hi2->died_at = 0; /* Manually set dead. */ +@@ -1112,34 +1138,6 @@ ks_hkp_resolve (ctrl_t ctrl, parsed_uri_t uri) + } + + +-/* Housekeeping function called from the housekeeping thread. It is +- used to mark dead hosts alive so that they may be tried again after +- some time. 
*/ +-void +-ks_hkp_housekeeping (time_t curtime) +-{ +- int idx; +- hostinfo_t hi; +- +- for (idx=0; idx < hosttable_size; idx++) +- { +- hi = hosttable[idx]; +- if (!hi) +- continue; +- if (!hi->dead) +- continue; +- if (!hi->died_at) +- continue; /* Do not resurrect manually shot hosts. */ +- if (hi->died_at + RESURRECT_INTERVAL <= curtime +- || hi->died_at > curtime) +- { +- hi->dead = 0; +- log_info ("resurrected host '%s'", hi->name); +- } +- } +-} +- +- + /* Reload (SIGHUP) action for this module. We mark all host alive + * even those which have been manually shot. */ + void diff --git a/debian/patches/dirmngr-idling/dirmngr-hkp-Avoid-potential-race-condition-when-some.patch b/debian/patches/dirmngr-idling/dirmngr-hkp-Avoid-potential-race-condition-when-some.patch new file mode 100644 index 0000000..49ebbd4 --- /dev/null +++ b/debian/patches/dirmngr-idling/dirmngr-hkp-Avoid-potential-race-condition-when-some.patch 
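Review bot: The new host_is_alive() in dirmngr/ks-engine-hkp.c reads like a pure predicate but clears `hi->dead` and logs when the resurrection interval has passed, and it has no header comment although the neighbouring functions do. One consequence shows in ks_hkp_mark_host(): marking an expired host dead first logs "resurrected host" and then sets `dead = 1` again. I would document the side effect above the function, e.g. `/* Return true if HI may be used at CURTIME. Side effect: a host that died automatically at least RESURRECT_INTERVAL ago, or whose died_at lies in the future, is marked alive again. Manually killed hosts (died_at == 0) stay dead. */`. The bodies of map_host() and ks_hkp_mark_host() continue outside the hunks.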
@@ -0,0 +1,81 @@ +From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +Date: Sat, 29 Oct 2016 01:25:05 -0400 +Subject: dirmngr: hkp: Avoid potential race condition when some hosts die. + +* dirmngr/ks-engine-hkp.c (select_random_host): Use atomic pass +through the host table instead of risking out-of-bounds write. + +-- + +Multiple threads may write to hosttable[x]->dead while +select_random_host() is running. For example, a housekeeping thread +might clear the ->dead bit on some entries, or another connection to +dirmngr might manually mark a host as alive. + +If one or more hosts are resurrected between the two loops over a +given table in select_random_host(), then the allocation of tbl might +not be large enough, resulting in a write past the end of tbl on the +second loop. + +This change collapses the two loops into a single loop to avoid this +discrepancy: each host's "dead" bit is now only checked once. + +As Werner points out, this isn't currently strictly necessary, since +npth will not switch threads unless a blocking system call is made, +and no blocking system call is made in these two loops. + +However, in a subsequent change in this series, we will call a +function in this loop, and that function may sometimes write(2), or +call other functions, which may themselves block. Keeping this as a +single-pass loop avoids the need to keep track of what might block and +what might not. 
+ +Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +--- + dirmngr/ks-engine-hkp.c | 23 ++++++++++------------- + 1 file changed, 10 insertions(+), 13 deletions(-) + +diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c +index 14859c7..d425363 100644 +--- a/dirmngr/ks-engine-hkp.c ++++ b/dirmngr/ks-engine-hkp.c +@@ -225,29 +225,26 @@ host_in_pool_p (hostinfo_t hi, int tblidx) + static int + select_random_host (hostinfo_t hi) + { +- int *tbl; +- size_t tblsize; ++ int *tbl = NULL; ++ size_t tblsize = 0; + int pidx, idx; + + /* We create a new table so that we randomly select only from + currently alive hosts. */ +- for (idx = 0, tblsize = 0; ++ for (idx = 0; + idx < hi->pool_len && (pidx = hi->pool[idx]) != -1; + idx++) + if (hosttable[pidx] && !hosttable[pidx]->dead) +- tblsize++; ++ { ++ tblsize++; ++ tbl = xtryrealloc(tbl, tblsize * sizeof *tbl); ++ if (!tbl) ++ return -1; /* memory allocation failed! */ ++ tbl[tblsize-1] = pidx; ++ } + if (!tblsize) + return -1; /* No hosts. */ + +- tbl = xtrymalloc (tblsize * sizeof *tbl); +- if (!tbl) +- return -1; +- for (idx = 0, tblsize = 0; +- idx < hi->pool_len && (pidx = hi->pool[idx]) != -1; +- idx++) +- if (hosttable[pidx] && !hosttable[pidx]->dead) +- tbl[tblsize++] = pidx; +- + if (tblsize == 1) /* Save a get_uint_nonce. */ + pidx = tbl[0]; + else diff --git a/debian/patches/from-master/gpg-change-agent-spawn-2019-07-24-v2.patch b/debian/patches/from-master/gpg-change-agent-spawn-2019-07-24-v2.patch new file mode 100644 index 0000000..849e985 --- /dev/null +++ b/debian/patches/from-master/gpg-change-agent-spawn-2019-07-24-v2.patch 
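Review bot: In the single-pass loop of select_random_host(), the result of `xtryrealloc` is assigned straight back to `tbl`, so when a later reallocation fails the previously grown block is no longer reachable and leaks on the `return -1` path. The result should go into a temporary and the old block be freed before returning, as sketched below. The rest of select_random_host(), including where `tbl` is released on the success path, is outside the hunk.

```c
    if (hosttable[pidx] && !hosttable[pidx]->dead)
      {
        int *tmp;

        tblsize++;
        tmp = xtryrealloc (tbl, tblsize * sizeof *tbl);
        if (!tmp)
          {
            xfree (tbl);  /* The old block is still allocated here.  */
            return -1;
          }
        tbl = tmp;
        tbl[tblsize-1] = pidx;
      }
  /* … unchanged: empty-table check and random selection … */
```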
@@ -0,0 +1,50 @@
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Thu, 22 Oct 2020 11:32:00 +0900
+Subject: buildd: sbuild randomly fails to sign changes file despite valid
+ signature keys
+Forwarded: https://dev.gnupg.org/rGb1c56cf9e2bb51abfd47747128bd2a6285ed1623
+
+---
+ common/asshelp.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/common/asshelp.c b/common/asshelp.c
+index d87017e..9f269ab 100644
+--- a/common/asshelp.c
++++ b/common/asshelp.c
+@@ -477,8 +477,18 @@ start_new_gpg_agent (assuan_context_t *r_ctx,
+ if (!(err = lock_spawning (&lock, gnupg_homedir (), "agent", verbose))
+ && assuan_socket_connect (ctx, sockname, 0, 0))
+ {
++#ifdef HAVE_W32_SYSTEM
+ err = gnupg_spawn_process_detached (program? program : agent_program,
+ argv, NULL);
++#else
++ pid_t pid;
++
++ err = gnupg_spawn_process_fd (program? program : agent_program,
++ argv, -1, -1, -1, &pid);
++ if (!err)
++ err = gnupg_wait_process (program? program : agent_program,
++ pid, 1, NULL);
++#endif
+ if (err)
+ log_error ("failed to start agent '%s': %s\n",
+ agent_program, gpg_strerror (err));
+@@ -612,7 +622,16 @@ start_new_dirmngr (assuan_context_t *r_ctx,
+ if (!(err = lock_spawning (&lock, gnupg_homedir (), "dirmngr", verbose))
+ && assuan_socket_connect (ctx, sockname, 0, 0))
+ {
++#ifdef HAVE_W32_SYSTEM
+ err = gnupg_spawn_process_detached (dirmngr_program, argv, NULL);
++#else
++ pid_t pid;
++
++ err = gnupg_spawn_process_fd (dirmngr_program, argv,
++ -1, -1, -1, &pid);
++ if (!err)
++ err = gnupg_wait_process (dirmngr_program, pid, 1, NULL);
++#endif
+ if (err)
+ log_error ("failed to start the dirmngr '%s': %s\n",
+ dirmngr_program, gpg_strerror (err));
diff --git a/debian/patches/from-master/gpg-default-to-3072-bit-keys.patch b/debian/patches/from-master/gpg-default-to-3072-bit-keys.patch
new file mode 100644
index 0000000..54b4292
--- /dev/null
+++ b/debian/patches/from-master/gpg-default-to-3072-bit-keys.patch
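Review bot: Both added `#else` branches call `gnupg_wait_process (..., pid, 1, NULL)` while the lock taken by `lock_spawning` is still held, and nothing in the patch records why the POSIX path now spawns and waits instead of detaching. If the spawned program does not exit promptly (this presumably relies on it daemonizing so that the launcher returns; the argv contents are outside the hunk), the caller blocks here with the spawn lock held. A short comment above each branch, for example `/* Wait for the launcher to exit so that a failed start shows up in its exit status. */` (wording to be confirmed by the author), would document the intent. Note also that `err` can now come from the wait, so the existing "failed to start" message covers a non-zero exit status as well as a failed spawn; the same applies to the start_new_dirmngr hunk.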
@@ -0,0 +1,91 @@ +From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +Date: Thu, 7 Sep 2017 18:41:10 -0400 +Subject: gpg: default to 3072-bit keys. + +* agent/command.c (hlp_genkey): update help text to suggest the use of +3072 bits. +* doc/wks.texi: Make example match default generation. +* g10/keygen.c (gen_elg): update default from 2048 to 3072. +* g10/keyid.c (pubkey_string): update comment so that first example +is the default 3072-bit RSA. + +-- + +3072-bit RSA is widely considered to be 128-bit-equivalent security. +This is a sensible default in 2017. + +Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> + +(cherry picked from commit 909fbca19678e6e36968607e8a2348381da39d8c) +--- + agent/command.c | 2 +- + doc/wks.texi | 4 ++-- + g10/keygen.c | 2 +- + g10/keyid.c | 4 ++-- + 4 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/agent/command.c b/agent/command.c +index 8642498..f94e770 100644 +--- a/agent/command.c ++++ b/agent/command.c +@@ -843,7 +843,7 @@ static const char hlp_genkey[] = + "\n" + " C: GENKEY\n" + " S: INQUIRE KEYPARAM\n" +- " C: D (genkey (rsa (nbits 2048)))\n" ++ " C: D (genkey (rsa (nbits 3072)))\n" + " C: END\n" + " S: D (public-key\n" + " S: D (rsa (n 326487324683264) (e 10001)))\n" +diff --git a/doc/wks.texi b/doc/wks.texi +index 119e31c..ae6c310 100644 +--- a/doc/wks.texi ++++ b/doc/wks.texi +@@ -412,10 +412,10 @@ the submission address: + The output of the last command looks similar to this: + + @example +- sec rsa2048 2016-08-30 [SC] ++ sec rsa3072 2016-08-30 [SC] + C0FCF8642D830C53246211400346653590B3795B + uid [ultimate] key-submission@@example.net +- ssb rsa2048 2016-08-30 [E] ++ ssb rsa3072 2016-08-30 [E] + @end example + + Take the fingerprint from that output and manually publish the key: +diff --git a/g10/keygen.c b/g10/keygen.c +index d50acf8..79d4579 100644 +--- a/g10/keygen.c ++++ b/g10/keygen.c +@@ -1436,7 +1436,7 @@ gen_elg (int algo, unsigned int nbits, KBNODE pub_root, + + if (nbits < 1024) + { +- 
nbits = 2048; ++ nbits = 3072; + log_info (_("keysize invalid; using %u bits\n"), nbits ); + } + else if (nbits > 4096) +diff --git a/g10/keyid.c b/g10/keyid.c +index 69d85da..2987287 100644 +--- a/g10/keyid.c ++++ b/g10/keyid.c +@@ -73,7 +73,7 @@ pubkey_letter( int algo ) + is copied to the supplied buffer up a length of BUFSIZE-1. + Examples for the output are: + +- "rsa2048" - RSA with 2048 bit ++ "rsa3072" - RSA with 3072 bit + "elg1024" - Elgamal with 1024 bit + "ed25519" - ECC using the curve Ed25519. + "E_1.2.3.4" - ECC using the unsupported curve with OID "1.2.3.4". +@@ -83,7 +83,7 @@ pubkey_letter( int algo ) + If the option --legacy-list-mode is active, the output use the + legacy format: + +- "2048R" - RSA with 2048 bit ++ "3072R" - RSA with 3072 bit + "1024g" - Elgamal with 1024 bit + "256E" - ECDSA using a curve with 256 bit + diff --git a/debian/patches/from-master/gpg-default-to-AES-256.patch b/debian/patches/from-master/gpg-default-to-AES-256.patch new file mode 100644 index 0000000..d131f6a --- /dev/null +++ b/debian/patches/from-master/gpg-default-to-AES-256.patch 
@@ -0,0 +1,35 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Thu, 7 Sep 2017 19:04:00 -0400
+Subject: gpg: default to AES-256.
+
+* g10/main.h (DEFAULT_CIPHER_ALGO): Prefer AES256 by default.
+
+--
+
+It's 2017, and pretty much everyone has AES-256 available. Symmetric
+crypto is also rarely the bottleneck (asymmetric crypto is much more
+expensive). AES-256 provides some level of protection against
+large-scale decryption efforts, and longer key lengths provide a hedge
+against unforseen cryptanalysis.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+(cherry picked from commit 73ff075204df09db5248170a049f06498cdbb7aa)
+---
+ g10/main.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/g10/main.h b/g10/main.h
+index 68360e2..1983e42 100644
+--- a/g10/main.h
++++ b/g10/main.h
+@@ -31,7 +31,9 @@
+ (i.e. uncompressed) rather than 1 (zip). However, the real world
+ issues of speed and size come into play here. */
+
+-#if GPG_USE_AES128
++#if GPG_USE_AES256
++# define DEFAULT_CIPHER_ALGO CIPHER_ALGO_AES256
++#elif GPG_USE_AES128
+ # define DEFAULT_CIPHER_ALGO CIPHER_ALGO_AES
+ #elif GPG_USE_CAST5
+ # define DEFAULT_CIPHER_ALGO CIPHER_ALGO_CAST5
diff --git a/debian/patches/gpg-agent-idling/agent-Allow-threads-to-interrupt-main-select-loop-wi.patch b/debian/patches/gpg-agent-idling/agent-Allow-threads-to-interrupt-main-select-loop-wi.patch
new file mode 100644
index 0000000..f0f1ef6
--- /dev/null
+++ b/debian/patches/gpg-agent-idling/agent-Allow-threads-to-interrupt-main-select-loop-wi.patch
@@ -0,0 +1,84 @@ +From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +Date: Tue, 1 Nov 2016 00:45:23 -0400 +Subject: agent: Allow threads to interrupt main select loop with SIGCONT. + +* agent/gpg-agent.c (interrupt_main_thread_loop): New function on +non-windows platforms, allows other threads to interrupt the main loop +if there's something that the main loop might be interested in. + +-- + +For example, the main loop might be interested in changes in program +state that affect the timers it expects to see. + +I don't know how to do this on Windows platforms, but i welcome any +proposed improvements. + +Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +--- + agent/agent.h | 1 + + agent/gpg-agent.c | 16 ++++++++++++++++ + 2 files changed, 17 insertions(+) + +diff --git a/agent/agent.h b/agent/agent.h +index fb46412..4abc6ed 100644 +--- a/agent/agent.h ++++ b/agent/agent.h +@@ -375,6 +375,7 @@ void *get_agent_scd_notify_event (void); + #endif + void agent_sighup_action (void); + int map_pk_openpgp_to_gcry (int openpgp_algo); ++void interrupt_main_thread_loop (void); + + /*-- command.c --*/ + gpg_error_t agent_inq_pinentry_launched (ctrl_t ctrl, unsigned long pid, +diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c +index 69705ed..752552c 100644 +--- a/agent/gpg-agent.c ++++ b/agent/gpg-agent.c +@@ -430,6 +430,9 @@ static int have_homedir_inotify; + * works reliable. */ + static int reliable_homedir_inotify; + ++/* Record the pid of the main thread, for easier signalling */ ++static pid_t main_thread_pid = (pid_t)(-1); ++ + /* Number of active connections. 
*/ + static int active_connections; + +@@ -2458,6 +2461,10 @@ handle_signal (int signo) + agent_sigusr2_action (); + break; + ++ /* nothing to do here, just take an extra cycle on the select loop */ ++ case SIGCONT: ++ break; ++ + case SIGTERM: + if (!shutdown_pending) + log_info ("SIGTERM received - shutting down ...\n"); +@@ -2796,6 +2803,13 @@ start_connection_thread_ssh (void *arg) + } + + ++void interrupt_main_thread_loop (void) ++{ ++#ifndef HAVE_W32_SYSTEM ++ kill (main_thread_pid, SIGCONT); ++#endif ++} ++ + /* helper function for readability: test whether a given struct + timespec is set to all-zeros */ + static inline int +@@ -2865,8 +2879,10 @@ handle_connections (gnupg_fd_t listen_fd, + npth_sigev_add (SIGUSR1); + npth_sigev_add (SIGUSR2); + npth_sigev_add (SIGINT); ++ npth_sigev_add (SIGCONT); + npth_sigev_add (SIGTERM); + npth_sigev_fini (); ++ main_thread_pid = getpid (); + #else + # ifdef HAVE_W32CE_SYSTEM + /* Use a dummy event. */ diff --git a/debian/patches/gpg-agent-idling/agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch b/debian/patches/gpg-agent-idling/agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch new file mode 100644 index 0000000..3cef203 --- /dev/null +++ b/debian/patches/gpg-agent-idling/agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch 
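Review bot: `interrupt_main_thread_loop` calls `kill (main_thread_pid, SIGCONT)` without checking that main_thread_pid has been assigned; it is initialised to `(pid_t)(-1)` and only set inside handle_connections, and kill() with a pid of -1 signals every process the caller is permitted to signal. Any caller that runs before handle_connections, or in a mode that never enters it (not determinable from this hunk), would therefore deliver SIGCONT well beyond the agent. A guard such as `if (main_thread_pid != (pid_t)(-1)) kill (main_thread_pid, SIGCONT);` closes that gap. The new function is also added without a header comment, unlike the helper that follows it.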
@@ -0,0 +1,26 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Tue, 1 Nov 2016 00:57:44 -0400
+Subject: agent: Avoid scheduled checks on socket when inotify is working.
+
+* agent/gpg-agent.c (handle_connections): When inotify is working, we
+do not need to schedule a timer to evaluate whether we control our own
+socket or not.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ agent/gpg-agent.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
+index eff82ca..3ae77c6 100644
+--- a/agent/gpg-agent.c
++++ b/agent/gpg-agent.c
+@@ -3032,6 +3032,8 @@ handle_connections (gnupg_fd_t listen_fd,
+
+ /* avoid a fine-grained timer if we don't need one: */
+ timertbl[0].interval.tv_sec = need_tick () ? TIMERTICK_INTERVAL : 0;
++ /* avoid waking up to check sockets if we can count on inotify */
++ timertbl[1].interval.tv_sec = (sock_inotify_fd == -1) ? CHECK_OWN_SOCKET_INTERVAL : 0;
+
+ /* loop through all timers, fire any registered functions, and
+ plan next timer to trigger */
diff --git a/debian/patches/gpg-agent-idling/agent-Avoid-tight-timer-tick-when-possible.patch b/debian/patches/gpg-agent-idling/agent-Avoid-tight-timer-tick-when-possible.patch
new file mode 100644
index 0000000..3900cf4
--- /dev/null
+++ b/debian/patches/gpg-agent-idling/agent-Avoid-tight-timer-tick-when-possible.patch
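Review bot: The added `timertbl[1].interval.tv_sec = ...` line addresses the check_own_socket timer by its position in the table, so inserting or reordering a timertbl entry would silently switch off the wrong timer; named index constants for the two slots would make that coupling explicit. The periodic ownership check is disabled as soon as `sock_inotify_fd != -1`, that is, whenever a watch exists. Whether that watch reports every way the socket can be removed or replaced is not visible in this hunk, and the file elsewhere distinguishes having an inotify watch from having a reliable one for the home directory, so the comment should state what the socket watch is relied on to detect. handle_connections extends well outside the hunk.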
@@ -0,0 +1,101 @@ +From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +Date: Tue, 1 Nov 2016 00:14:10 -0400 +Subject: agent: Avoid tight timer tick when possible. + +* agent/gpg-agent.c (need_tick): Evaluate whether the short-phase +handle_tick() is needed. +(handle_connections): On each cycle of the select loop, adjust whether +we should call handle_tick() or not. +(start_connection_thread_ssh, do_start_connection_thread): Signal the +main loop when the child terminates. +* agent/call-scd.c (start_scd): Call interrupt_main_thread_loop() once +the scdaemon thread context has started up. + +-- + +With this change, an idle gpg-agent that has no scdaemon running only +wakes up once a minute (to check_own_socket). + +Thanks to Ian Jackson and NIIBE Yutaka who helped me improve some of +the blocking and corner cases. + +Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +--- + agent/call-scd.c | 2 ++ + agent/gpg-agent.c | 29 +++++++++++++++++++++++++++-- + 2 files changed, 29 insertions(+), 2 deletions(-) + +diff --git a/agent/call-scd.c b/agent/call-scd.c +index 6438693..ee69bb4 100644 +--- a/agent/call-scd.c ++++ b/agent/call-scd.c +@@ -414,6 +414,8 @@ start_scd (ctrl_t ctrl) + + primary_scd_ctx = ctx; + primary_scd_ctx_reusable = 0; ++ /* notify the main loop that something has changed */ ++ interrupt_main_thread_loop (); + + leave: + xfree (abs_homedir); +diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c +index 752552c..eff82ca 100644 +--- a/agent/gpg-agent.c ++++ b/agent/gpg-agent.c +@@ -2362,6 +2362,26 @@ create_directories (void) + } + + ++static int ++need_tick (void) ++{ ++#ifdef HAVE_W32_SYSTEM ++ /* We do not know how to interrupt the select loop on Windows, so we ++ always need a short tick there. */ ++ return 1; ++#else ++ /* if we were invoked like "gpg-agent cmd arg1 arg2" then we need to ++ watch our parent. 
*/ ++ if (parent_pid != (pid_t)(-1)) ++ return 1; ++ /* if scdaemon is running, we need to check that it's alive */ ++ if (agent_scd_check_running ()) ++ return 1; ++ /* otherwise, nothing fine-grained to do. */ ++ return 0; ++#endif /*HAVE_W32_SYSTEM*/ ++} ++ + + /* This is the worker for the ticker. It is called every few seconds + and may only do fast operations. */ +@@ -2718,7 +2738,8 @@ do_start_connection_thread (ctrl_t ctrl) + + agent_deinit_default_ctrl (ctrl); + xfree (ctrl); +- active_connections--; ++ if (--active_connections == 0) ++ interrupt_main_thread_loop(); + return NULL; + } + +@@ -2798,7 +2819,8 @@ start_connection_thread_ssh (void *arg) + + agent_deinit_default_ctrl (ctrl); + xfree (ctrl); +- active_connections--; ++ if (--active_connections == 0) ++ interrupt_main_thread_loop(); + return NULL; + } + +@@ -3008,6 +3030,9 @@ handle_connections (gnupg_fd_t listen_fd, + thus a simple assignment is fine to copy the entire set. */ + read_fdset = fdset; + ++ /* avoid a fine-grained timer if we don't need one: */ ++ timertbl[0].interval.tv_sec = need_tick () ? TIMERTICK_INTERVAL : 0; ++ + /* loop through all timers, fire any registered functions, and + plan next timer to trigger */ + npth_clock_gettime (&curtime); diff --git a/debian/patches/gpg-agent-idling/agent-Create-framework-of-scheduled-timers.patch b/debian/patches/gpg-agent-idling/agent-Create-framework-of-scheduled-timers.patch new file mode 100644 index 0000000..29bbd54 --- /dev/null +++ b/debian/patches/gpg-agent-idling/agent-Create-framework-of-scheduled-timers.patch 
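Review bot: `need_tick` only considers parent_pid and `agent_scd_check_running ()`, yet the handle_tick it gates also runs `agent_cache_housekeeping ()` (visible in the timer-framework patch of this series). With the short timer disabled on an idle agent, expired cache entries are no longer swept on the tick; unless expiry is enforced elsewhere (not visible here), cached secrets can remain in memory past their TTL until something else wakes the loop. Either have need_tick return 1 while the cache holds entries, or give cache expiry its own timertbl entry. need_tick is also added without a header comment; `/* Return true if the short-interval handle_tick is currently required. */` would fit the surrounding style.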
@@ -0,0 +1,191 @@ +From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +Date: Mon, 31 Oct 2016 21:27:36 -0400 +Subject: agent: Create framework of scheduled timers. + +agent/gpg-agent.c (handle_tick): Remove intermittent call to +check_own_socket. +(tv_is_set): Add inline helper function for readability. +(handle_connections) Create general table of pending scheduled +timeouts. + +-- + +handle_tick() does fine-grained, rapid activity. check_own_socket() +is supposed to happen at a different interval. + +Mixing the two of them makes it a requirement that one interval be a +multiple of the other, which isn't ideal if there are different delay +strategies that we might want in the future. + +Creating an extensible regular timer framework in handle_connections +should make it possible to have any number of cadenced timers fire +regularly, without requiring that they happen in cadences related to +each other. + +It should also make it possible to dynamically change the cadence of +any regularly-scheduled timeout. + +Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +--- + agent/gpg-agent.c | 84 +++++++++++++++++++++++++++++++++++++------------------ + 1 file changed, 57 insertions(+), 27 deletions(-) + +diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c +index 5afcf11..69705ed 100644 +--- a/agent/gpg-agent.c ++++ b/agent/gpg-agent.c +@@ -2365,12 +2365,8 @@ create_directories (void) + static void + handle_tick (void) + { +- static time_t last_minute; + struct stat statbuf; + +- if (!last_minute) +- last_minute = time (NULL); +- + /* Check whether the scdaemon has died and cleanup in this case. */ + agent_scd_check_aliveness (); + +@@ -2390,15 +2386,6 @@ handle_tick (void) + } + #endif /*HAVE_W32_SYSTEM*/ + +- /* Code to be run from time to time. 
*/ +-#if CHECK_OWN_SOCKET_INTERVAL > 0 +- if (last_minute + CHECK_OWN_SOCKET_INTERVAL <= time (NULL)) +- { +- check_own_socket (); +- last_minute = time (NULL); +- } +-#endif +- + /* Need to check for expired cache entries. */ + agent_cache_housekeeping (); + +@@ -2809,6 +2796,15 @@ start_connection_thread_ssh (void *arg) + } + + ++/* helper function for readability: test whether a given struct ++ timespec is set to all-zeros */ ++static inline int ++tv_is_set (struct timespec tv) ++{ ++ return tv.tv_sec || tv.tv_nsec; ++} ++ ++ + /* Connection handler loop. Wait for connection requests and spawn a + thread after accepting a connection. */ + static void +@@ -2826,9 +2822,11 @@ handle_connections (gnupg_fd_t listen_fd, + gnupg_fd_t fd; + int nfd; + int saved_errno; ++ int idx; + struct timespec abstime; + struct timespec curtime; + struct timespec timeout; ++ struct timespec *select_timeout; + #ifdef HAVE_W32_SYSTEM + HANDLE events[2]; + unsigned int events_set; +@@ -2845,6 +2843,14 @@ handle_connections (gnupg_fd_t listen_fd, + { "browser", start_connection_thread_browser }, + { "ssh", start_connection_thread_ssh } + }; ++ struct { ++ struct timespec interval; ++ void (*func) (void); ++ struct timespec next; ++ } timertbl[] = { ++ { { TIMERTICK_INTERVAL, 0 }, handle_tick }, ++ { { CHECK_OWN_SOCKET_INTERVAL, 0 }, check_own_socket } ++ }; + + + ret = npth_attr_init(&tattr); +@@ -2952,9 +2958,6 @@ handle_connections (gnupg_fd_t listen_fd, + listentbl[2].l_fd = listen_fd_browser; + listentbl[3].l_fd = listen_fd_ssh; + +- npth_clock_gettime (&abstime); +- abstime.tv_sec += TIMERTICK_INTERVAL; +- + for (;;) + { + /* Shutdown test. */ +@@ -2989,18 +2992,46 @@ handle_connections (gnupg_fd_t listen_fd, + thus a simple assignment is fine to copy the entire set. 
*/ + read_fdset = fdset; + ++ /* loop through all timers, fire any registered functions, and ++ plan next timer to trigger */ + npth_clock_gettime (&curtime); +- if (!(npth_timercmp (&curtime, &abstime, <))) +- { +- /* Timeout. */ +- handle_tick (); +- npth_clock_gettime (&abstime); +- abstime.tv_sec += TIMERTICK_INTERVAL; +- } +- npth_timersub (&abstime, &curtime, &timeout); ++ abstime.tv_sec = abstime.tv_nsec = 0; ++ for (idx=0; idx < DIM(timertbl); idx++) ++ { ++ /* schedule any unscheduled timers */ ++ if ((!tv_is_set (timertbl[idx].next)) && tv_is_set (timertbl[idx].interval)) ++ npth_timeradd (&timertbl[idx].interval, &curtime, &timertbl[idx].next); ++ /* if a timer is due, fire it ... */ ++ if (tv_is_set (timertbl[idx].next)) ++ { ++ if (!(npth_timercmp (&curtime, &timertbl[idx].next, <))) ++ { ++ timertbl[idx].func (); ++ npth_clock_gettime (&curtime); ++ /* ...and reschedule it, if desired: */ ++ if (tv_is_set (timertbl[idx].interval)) ++ npth_timeradd (&timertbl[idx].interval, &curtime, &timertbl[idx].next); ++ else ++ timertbl[idx].next.tv_sec = timertbl[idx].next.tv_nsec = 0; ++ } ++ } ++ /* accumulate next timer to come due in abstime: */ ++ if (tv_is_set (timertbl[idx].next) && ++ ((!tv_is_set (abstime)) || ++ (npth_timercmp (&abstime, &timertbl[idx].next, >)))) ++ abstime = timertbl[idx].next; ++ } ++ /* choose a timeout for the select loop: */ ++ if (tv_is_set (abstime)) ++ { ++ npth_timersub (&abstime, &curtime, &timeout); ++ select_timeout = &timeout; ++ } ++ else ++ select_timeout = NULL; + + #ifndef HAVE_W32_SYSTEM +- ret = npth_pselect (nfd+1, &read_fdset, NULL, NULL, &timeout, ++ ret = npth_pselect (nfd+1, &read_fdset, NULL, NULL, select_timeout, + npth_sigev_sigmask ()); + saved_errno = errno; + +@@ -3010,7 +3041,7 @@ handle_connections (gnupg_fd_t listen_fd, + handle_signal (signo); + } + #else +- ret = npth_eselect (nfd+1, &read_fdset, NULL, NULL, &timeout, ++ ret = npth_eselect (nfd+1, &read_fdset, NULL, NULL, select_timeout, + events, 
&events_set); + saved_errno = errno; + +@@ -3055,7 +3086,6 @@ handle_connections (gnupg_fd_t listen_fd, + + if (!shutdown_pending) + { +- int idx; + ctrl_t ctrl; + npth_t thread; + diff --git a/debian/patches/gpg-drop-import-clean-from-default-keyserver-import-optio.patch b/debian/patches/gpg-drop-import-clean-from-default-keyserver-import-optio.patch new file mode 100644 index 0000000..6fa2283 --- /dev/null +++ b/debian/patches/gpg-drop-import-clean-from-default-keyserver-import-optio.patch 
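Review bot: In the new timer loop in handle_connections, `npth_timersub (&abstime, &curtime, &timeout)` can produce a negative timeout: curtime is refreshed after a timer function runs, so a timer examined earlier in the same pass may have a `next` that is already in the past when abstime is chosen. The removed code always computed the timeout from a freshly advanced abstime, so this case is new; how the select call's failure on such a value is handled lies outside the hunk. Clamping, e.g. `if (npth_timercmp (&abstime, &curtime, <)) timeout.tv_sec = timeout.tv_nsec = 0; else npth_timersub (&abstime, &curtime, &timeout);`, avoids it. Separately, the comment on tv_is_set says it tests for all-zeros while the function returns true when a field is non-zero; `/* Return true if TV is set, i.e. not all-zeros. */` would match the code.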
@@ -0,0 +1,49 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Mon, 15 Jul 2019 16:24:35 -0400
+Subject: gpg: drop import-clean from default keyserver import options
+
+* g10/gpg.c (main): drop IMPORT_CLEAN from the
+default opt.keyserver_options.import_options
+* doc/gpg.texi: reflect this change in the documentation
+
+Given that SELF_SIGS_ONLY is already set, it's not clear what
+additional benefit IMPORT_CLEAN provides. Furthermore, IMPORT_CLEAN
+means that receiving an OpenPGP certificate from a keyserver will
+potentially delete data that is otherwise held in the local keyring,
+which is surprising to users who expect retrieval from the keyservers
+to be purely additive.
+
+GnuPG-Bug-Id: 4628
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ doc/gpg.texi | 2 +-
+ g10/gpg.c | 3 +--
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/doc/gpg.texi b/doc/gpg.texi
+index 7b603d7..104318a 100644
+--- a/doc/gpg.texi
++++ b/doc/gpg.texi
+@@ -1982,7 +1982,7 @@ are available for all keyserver types, some common options are:
+
+ @end table
+
+-The default list of options is: "self-sigs-only, import-clean,
++The default list of options is: "self-sigs-only,
+ repair-keys, repair-pks-subkey-bug, export-attributes,
+ honor-pka-record".
+
+diff --git a/g10/gpg.c b/g10/gpg.c
+index 6b44cfb..caa0487 100644
+--- a/g10/gpg.c
++++ b/g10/gpg.c
+@@ -2348,8 +2348,7 @@ main (int argc, char **argv)
+ opt.export_options = EXPORT_ATTRIBUTES;
+ opt.keyserver_options.import_options = (IMPORT_REPAIR_KEYS
+ | IMPORT_REPAIR_PKS_SUBKEY_BUG
+- | IMPORT_SELF_SIGS_ONLY
+- | IMPORT_CLEAN);
++ | IMPORT_SELF_SIGS_ONLY);
+ opt.keyserver_options.export_options = EXPORT_ATTRIBUTES;
+ opt.keyserver_options.options = KEYSERVER_HONOR_PKA_RECORD;
+ opt.verify_options = (LIST_SHOW_UID_VALIDITY
diff --git a/debian/patches/import-merge-without-userid/gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch b/debian/patches/import-merge-without-userid/gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
new file mode 100644
index 0000000..e448a0a
--- /dev/null
+++ b/debian/patches/import-merge-without-userid/gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
@@ -0,0 +1,32 @@
+From: Vincent Breitmoser <look@my.amazin.horse>
+Date: Thu, 13 Jun 2019 21:27:43 +0200
+Subject: gpg: accept subkeys with a good revocation but no self-sig during
+ import
+
+* g10/import.c (chk_self_sigs): Set the NODE_GOOD_SELFSIG flag when we
+encounter a valid revocation signature. This allows import of subkey
+revocation signatures, even in the absence of a corresponding subkey
+binding signature.
+
+--
+
+This fixes the remaining test in import-incomplete.scm.
+
+GnuPG-Bug-id: 4393
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ g10/import.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/g10/import.c b/g10/import.c
+index 79104dc..20f4af5 100644
+--- a/g10/import.c
++++ b/g10/import.c
+@@ -3665,6 +3665,7 @@ chk_self_sigs (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, int *non_self)
+ /* It's valid, so is it newer? */
+ if (sig->timestamp >= rsdate)
+ {
++ knode->flag |= NODE_GOOD_SELFSIG; /* Subkey is valid. */
+ if (rsnode)
+ {
+ /* Delete the last revocation sig since
diff --git a/debian/patches/import-merge-without-userid/gpg-allow-import-of-previously-known-keys-even-without-UI.patch b/debian/patches/import-merge-without-userid/gpg-allow-import-of-previously-known-keys-even-without-UI.patch
new file mode 100644
index 0000000..fb93748
--- /dev/null
+++ b/debian/patches/import-merge-without-userid/gpg-allow-import-of-previously-known-keys-even-without-UI.patch
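Review bot: The trailing comment on the added line in chk_self_sigs, `/* Subkey is valid. */`, overstates what has been checked at this point: the branch has verified a revocation signature, not a binding signature. Going by the patch description, NODE_GOOD_SELFSIG is set here so that the subkey node is retained, and the comment should say that, e.g. `/* A valid revocation is enough to keep the subkey node. */`. It would also help to note whether later consumers of this flag may treat the subkey as bound to the primary key; that code is outside the hunk, as is most of the function.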
@@ -0,0 +1,106 @@ +From: Vincent Breitmoser <look@my.amazin.horse> +Date: Thu, 13 Jun 2019 21:27:42 +0200 +Subject: gpg: allow import of previously known keys, even without UIDs + +* g10/import.c (import_one): Accept an incoming OpenPGP certificate that +has no user id, as long as we already have a local variant of the cert +that matches the primary key. + +-- + +This fixes two of the three broken tests in import-incomplete.scm. + +GnuPG-Bug-id: 4393 +Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +--- + g10/import.c | 44 +++++++++++--------------------------------- + 1 file changed, 11 insertions(+), 33 deletions(-) + +diff --git a/g10/import.c b/g10/import.c +index c8692e2..79104dc 100644 +--- a/g10/import.c ++++ b/g10/import.c +@@ -1843,7 +1843,6 @@ import_one_real (ctrl_t ctrl, + size_t an; + char pkstrbuf[PUBKEY_STRING_SIZE]; + int merge_keys_done = 0; +- int any_filter = 0; + KEYDB_HANDLE hd = NULL; + + if (r_valid) +@@ -1880,14 +1879,6 @@ import_one_real (ctrl_t ctrl, + log_printf ("\n"); + } + +- +- if (!uidnode ) +- { +- if (!silent) +- log_error( _("key %s: no user ID\n"), keystr_from_pk(pk)); +- return 0; +- } +- + if (screener && screener (keyblock, screener_arg)) + { + log_error (_("key %s: %s\n"), keystr_from_pk (pk), +@@ -1962,17 +1953,10 @@ import_one_real (ctrl_t ctrl, + } + } + +- if (!delete_inv_parts (ctrl, keyblock, keyid, options ) ) +- { +- if (!silent) +- { +- log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk)); +- if (!opt.quiet ) +- log_info(_("this may be caused by a missing self-signature\n")); +- } +- stats->no_user_id++; +- return 0; +- } ++ /* Delete invalid parts, and note if we have any valid ones left. ++ * We will later abort import if this key is new but contains ++ * no valid uids. */ ++ delete_inv_parts (ctrl, keyblock, keyid, options); + + /* Get rid of deleted nodes. 
*/ + commit_kbnode (&keyblock); +@@ -1982,24 +1966,11 @@ import_one_real (ctrl_t ctrl, + { + apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid); + commit_kbnode (&keyblock); +- any_filter = 1; + } + if (import_filter.drop_sig) + { + apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig); + commit_kbnode (&keyblock); +- any_filter = 1; +- } +- +- /* If we ran any filter we need to check that at least one user id +- * is left in the keyring. Note that we do not use log_error in +- * this case. */ +- if (any_filter && !any_uid_left (keyblock)) +- { +- if (!opt.quiet ) +- log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk)); +- stats->no_user_id++; +- return 0; + } + + /* The keyblock is valid and ready for real import. */ +@@ -2057,6 +2028,13 @@ import_one_real (ctrl_t ctrl, + err = 0; + stats->skipped_new_keys++; + } ++ else if (err && !any_uid_left (keyblock)) ++ { ++ if (!silent) ++ log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid)); ++ err = 0; ++ stats->no_user_id++; ++ } + else if (err) /* Insert this key. */ + { + /* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY. */ diff --git a/debian/patches/import-merge-without-userid/tests-add-test-cases-for-import-without-uid.patch b/debian/patches/import-merge-without-userid/tests-add-test-cases-for-import-without-uid.patch new file mode 100644 index 0000000..52ca688 --- /dev/null +++ b/debian/patches/import-merge-without-userid/tests-add-test-cases-for-import-without-uid.patch 
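Review bot: The new comment above `delete_inv_parts (ctrl, keyblock, keyid, options);` in import_one_real says the call will "note if we have any valid ones left", but the return value is now discarded and the decision is taken later through `any_uid_left (keyblock)`. Rewording it to `/* Delete invalid parts; whether any user ID survives is checked below, once we know if the key is new. */` keeps the comment in step with the code. With the early returns removed, the "no valid user IDs" and "missing self-signature" diagnostics disappear too, so a new key whose user IDs all fail verification is now reported only as "new key but contains no user ID"; worth confirming that this loss of detail is intended. The function extends well beyond these hunks.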
@@ -0,0 +1,201 @@ +From: Vincent Breitmoser <look@my.amazin.horse> +Date: Thu, 13 Jun 2019 21:27:41 +0200 +Subject: tests: add test cases for import without uid + +This commit adds a test case that does the following, in order: +- Import of a primary key plus user id +- Check that import of a subkey works, without a user id present in the +imported key +- Check that import of a subkey revocation works, without a user id or +subkey binding signature present in the imported key +- Check that import of a primary key revocation works, without a user id +present in the imported key + +-- + +Note that this test currently fails. The following changesets will +fix gpg so that the tests pass. + +GnuPG-Bug-id: 4393 +Signed-Off-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +--- + tests/openpgp/Makefile.am | 1 + + tests/openpgp/import-incomplete.scm | 68 ++++++++++++++++++++++ + .../import-incomplete/primary+revocation.asc | 9 +++ + .../primary+subkey+sub-revocation.asc | 10 ++++ + .../import-incomplete/primary+subkey+sub-sig.asc | 10 ++++ + .../openpgp/import-incomplete/primary+uid-sig.asc | 10 ++++ + tests/openpgp/import-incomplete/primary+uid.asc | 10 ++++ + 7 files changed, 118 insertions(+) + create mode 100755 tests/openpgp/import-incomplete.scm + create mode 100644 tests/openpgp/import-incomplete/primary+revocation.asc + create mode 100644 tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc + create mode 100644 tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc + create mode 100644 tests/openpgp/import-incomplete/primary+uid-sig.asc + create mode 100644 tests/openpgp/import-incomplete/primary+uid.asc + +diff --git a/tests/openpgp/Makefile.am b/tests/openpgp/Makefile.am +index 59f39e2..3b8b699 100644 +--- a/tests/openpgp/Makefile.am ++++ b/tests/openpgp/Makefile.am +@@ -78,6 +78,7 @@ XTESTS = \ + gpgv-forged-keyring.scm \ + armor.scm \ + import.scm \ ++ import-incomplete.scm \ + import-revocation-certificate.scm \ + ecc.scm \ + 4gb-packet.scm \ 
+diff --git a/tests/openpgp/import-incomplete.scm b/tests/openpgp/import-incomplete.scm +new file mode 100755 +index 0000000..727a027 +--- /dev/null ++++ b/tests/openpgp/import-incomplete.scm +@@ -0,0 +1,68 @@ ++#!/usr/bin/env gpgscm ++ ++;; Copyright (C) 2016 g10 Code GmbH ++;; ++;; This file is part of GnuPG. ++;; ++;; GnuPG is free software; you can redistribute it and/or modify ++;; it under the terms of the GNU General Public License as published by ++;; the Free Software Foundation; either version 3 of the License, or ++;; (at your option) any later version. ++;; ++;; GnuPG is distributed in the hope that it will be useful, ++;; but WITHOUT ANY WARRANTY; without even the implied warranty of ++;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++;; GNU General Public License for more details. ++;; ++;; You should have received a copy of the GNU General Public License ++;; along with this program; if not, see <http://www.gnu.org/licenses/>. ++ ++(load (in-srcdir "tests" "openpgp" "defs.scm")) ++(setup-environment) ++ ++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+uid.asc"))) ++ ++(info "Test import of new subkey, from a certificate without uid") ++(define keyid "573EA710367356BB") ++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+subkey+sub-sig.asc"))) ++(tr:do ++ (tr:pipe-do ++ (pipe:gpg `(--list-keys --with-colons ,keyid))) ++ (tr:call-with-content ++ (lambda (c) ++ ;; XXX we do not have a regexp library ++ (unless (any (lambda (line) ++ (and (string-prefix? line "sub:") ++ (string-contains? 
line "573EA710367356BB"))) ++ (string-split-newlines c)) ++ (exit 1))))) ++ ++(info "Test import of a subkey revocation, from a certificate without uid") ++(define keyid "573EA710367356BB") ++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+subkey+sub-revocation.asc"))) ++(tr:do ++ (tr:pipe-do ++ (pipe:gpg `(--list-keys --with-colons ,keyid))) ++ (tr:call-with-content ++ (lambda (c) ++ ;; XXX we do not have a regexp library ++ (unless (any (lambda (line) ++ (and (string-prefix? line "sub:r:") ++ (string-contains? line "573EA710367356BB"))) ++ (string-split-newlines c)) ++ (exit 1))))) ++ ++(info "Test import of revocation, from a certificate without uid") ++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+revocation.asc"))) ++(tr:do ++ (tr:pipe-do ++ (pipe:gpg `(--list-keys --with-colons ,keyid))) ++ (tr:call-with-content ++ (lambda (c) ++ ;; XXX we do not have a regexp library ++ (unless (any (lambda (line) ++ (and (string-prefix? line "pub:r:") ++ (string-contains? 
line "0843DA969AA8DAFB"))) ++ (string-split-newlines c)) ++ (exit 1))))) ++ +diff --git a/tests/openpgp/import-incomplete/primary+revocation.asc b/tests/openpgp/import-incomplete/primary+revocation.asc +new file mode 100644 +index 0000000..6b7b608 +--- /dev/null ++++ b/tests/openpgp/import-incomplete/primary+revocation.asc +@@ -0,0 +1,9 @@ ++-----BEGIN PGP PUBLIC KEY BLOCK----- ++Comment: [E] primary key, revocation signature over primary (no user ID) ++ ++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ ++631VAN2IeAQgFggAIBYhBLRpj5W82H/gSMzKKQhD2paaqNr7BQJc2ZQZAh0AAAoJ ++EAhD2paaqNr7qAwA/2jBUpnN0BxwRO/4CrxvrLIsL+C9aSXJUOTv8XkP4lvtAQD3 ++XsDFfFNgEueiTfF7HtOGt5LPmRqVvUpQSMVgJJW6CQ== ++=tM90 ++-----END PGP PUBLIC KEY BLOCK----- +diff --git a/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc b/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc +new file mode 100644 +index 0000000..83a51a5 +--- /dev/null ++++ b/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc +@@ -0,0 +1,10 @@ ++-----BEGIN PGP PUBLIC KEY BLOCK----- ++Comment: [D] primary key, subkey, subkey revocation (no user ID) ++ ++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ ++631VAN24OARc2ZQhEgorBgEEAZdVAQUBAQdABsd5ha0AWXdXcSmfeiWIfrNcGqQK ++j++lwwWDAOlkVicDAQgHiHgEKBYIACAWIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC ++XNmnkAIdAgAKCRAIQ9qWmqja+ylaAQDmIKf86BJEq4OpDqU+V9D+wn2cyuxbyWVQ ++3r9LiL9qNwD/QAjyrhSN8L3Mfq+wdTHo5i0yB9ZCCpHLXSbhCqfWZwQ= ++=dwx2 ++-----END PGP PUBLIC KEY BLOCK----- +diff --git a/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc b/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc +new file mode 100644 +index 0000000..dc47a02 +--- /dev/null ++++ b/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc +@@ -0,0 +1,10 @@ ++-----BEGIN PGP PUBLIC KEY BLOCK----- ++Comment: [B] primary key, subkey, subkey binding sig (no user ID) ++ ++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ 
++631VAN24OARc2ZQhEgorBgEEAZdVAQUBAQdABsd5ha0AWXdXcSmfeiWIfrNcGqQK ++j++lwwWDAOlkVicDAQgHiHgEGBYIACAWIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC ++XNmUIQIbDAAKCRAIQ9qWmqja++vFAP98G1L+1/rWTGbsnxOAV2RocBYIroAvsbkR ++Ly6FdP8YNwEA7jOgT05CoKIe37MstpOz23mM80AK369Ca3JMmKKCQgg= ++=xuDu ++-----END PGP PUBLIC KEY BLOCK----- +diff --git a/tests/openpgp/import-incomplete/primary+uid-sig.asc b/tests/openpgp/import-incomplete/primary+uid-sig.asc +new file mode 100644 +index 0000000..134607d +--- /dev/null ++++ b/tests/openpgp/import-incomplete/primary+uid-sig.asc +@@ -0,0 +1,10 @@ ++-----BEGIN PGP PUBLIC KEY BLOCK----- ++Comment: [C] primary key and self-sig expiring in 2024 (no user ID) ++ ++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ ++631VAN2IlgQTFggAPgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBLRpj5W8 ++2H/gSMzKKQhD2paaqNr7BQJc2ZR1BQkJZgHcAAoJEAhD2paaqNr79soA/0lWkUsu ++3NLwgbni6EzJxnTzgeNMpljqNpipHAwfix9hAP93AVtFdC8g7hdUZxawobl9lnSN ++9ohXOEBWvdJgVv2YAg== ++=KWIK ++-----END PGP PUBLIC KEY BLOCK----- +diff --git a/tests/openpgp/import-incomplete/primary+uid.asc b/tests/openpgp/import-incomplete/primary+uid.asc +new file mode 100644 +index 0000000..055f300 +--- /dev/null ++++ b/tests/openpgp/import-incomplete/primary+uid.asc +@@ -0,0 +1,10 @@ ++-----BEGIN PGP PUBLIC KEY BLOCK----- ++Comment: [A] primary key, user ID, and self-sig expiring in 2021 ++ ++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ ++631VAN20CHRlc3Qga2V5iJYEExYIAD4WIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC ++XNmUGQIbAwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAIQ9qWmqja +++0G1AQDdQiwhXxjXLMqoth+D4SigVHTJK8ORwifzsy3UE7mPGwD/aZ67XbAF/lgI ++kv2O1Jo0u9BL9RNNF+L0DM7rAFbfMAs= ++=1eII ++-----END PGP PUBLIC KEY BLOCK----- diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..3d8fed9 --- /dev/null +++ b/debian/patches/series 
@@ -0,0 +1,24 @@
+debian-packaging/avoid-beta-warning.patch
+debian-packaging/avoid-regenerating-defsincdate-use-shipped-file.patch
+block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch
+dirmngr-idling/dirmngr-hkp-Avoid-potential-race-condition-when-some.patch
+dirmngr-idling/dirmngr-Avoid-need-for-hkp-housekeeping.patch
+dirmngr-idling/dirmngr-Avoid-automatically-checking-upstream-swdb.patch
+gpg-agent-idling/agent-Create-framework-of-scheduled-timers.patch
+gpg-agent-idling/agent-Allow-threads-to-interrupt-main-select-loop-wi.patch
+gpg-agent-idling/agent-Avoid-tight-timer-tick-when-possible.patch
+gpg-agent-idling/agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch
+from-master/gpg-default-to-3072-bit-keys.patch
+from-master/gpg-default-to-AES-256.patch
+update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch
+update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch
+import-merge-without-userid/tests-add-test-cases-for-import-without-uid.patch
+import-merge-without-userid/gpg-allow-import-of-previously-known-keys-even-without-UI.patch
+import-merge-without-userid/gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
+dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch
+Use-hkps-keys.openpgp.org-as-the-default-keyserver.patch
+Make-gpg-zip-use-tar-from-PATH.patch
+gpg-drop-import-clean-from-default-keyserver-import-optio.patch
+from-master/gpg-change-agent-spawn-2019-07-24-v2.patch
+cherry-picked/1617856888.gnupg-2.3.0-4-gab66c4357.scd-fix-ccid-driver-for-scm-spr332-spr532.patch
+cherry-picked/g10-Fix-garbled-status-messages-in-NOTATION_DATA.patch
diff --git a/debian/patches/update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch b/debian/patches/update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch
new file mode 100644
index 0000000..2cc3eaa
--- /dev/null
+++ b/debian/patches/update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch
@@ -0,0 +1,64 @@ +From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +Date: Thu, 7 Sep 2017 18:49:35 -0400 +Subject: gpg: Default to SHA-512 for all signature types on RSA keys. + +* g10/main.h (DEFAULT_DIGEST_ALGO): Use SHA512 instead of SHA256 in +--gnupg mode (leave strict RFC and PGP modes alone). +* configure.ac: Do not allow disabling sha512. +* g10/misc.c (map_md_openpgp_to_gcry): Always support SHA512. + +-- + +SHA512 is more performant on most 64-bit platforms than SHA256, and +offers a better security margin. It is also widely implemented. + +Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +--- + configure.ac | 2 +- + g10/main.h | 2 +- + g10/misc.c | 5 +---- + 3 files changed, 3 insertions(+), 6 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 2d8b050..4b9d908 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -317,7 +317,7 @@ GNUPG_GPG_DISABLE_ALGO([rmd160],[RIPE-MD160 hash]) + GNUPG_GPG_DISABLE_ALGO([sha224],[SHA-224 hash]) + # SHA256 is a MUST algorithm for GnuPG. + GNUPG_GPG_DISABLE_ALGO([sha384],[SHA-384 hash]) +-GNUPG_GPG_DISABLE_ALGO([sha512],[SHA-512 hash]) ++# SHA512 is a MUST algorithm for GnuPG. + + + # Allow disabling of zip support. +diff --git a/g10/main.h b/g10/main.h +index 1983e42..388eae3 100644 +--- a/g10/main.h ++++ b/g10/main.h +@@ -41,7 +41,7 @@ + # define DEFAULT_CIPHER_ALGO CIPHER_ALGO_3DES + #endif + +-#define DEFAULT_DIGEST_ALGO ((GNUPG)? DIGEST_ALGO_SHA256:DIGEST_ALGO_SHA1) ++#define DEFAULT_DIGEST_ALGO ((GNUPG)? 
DIGEST_ALGO_SHA512:DIGEST_ALGO_SHA1) + #define DEFAULT_S2K_DIGEST_ALGO DIGEST_ALGO_SHA1 + #ifdef HAVE_ZIP + # define DEFAULT_COMPRESS_ALGO COMPRESS_ALGO_ZIP +diff --git a/g10/misc.c b/g10/misc.c +index 634d303..6fc2d58 100644 +--- a/g10/misc.c ++++ b/g10/misc.c +@@ -849,11 +849,8 @@ map_md_openpgp_to_gcry (digest_algo_t algo) + case DIGEST_ALGO_SHA384: return 0; + #endif + +-#ifdef GPG_USE_SHA512 + case DIGEST_ALGO_SHA512: return GCRY_MD_SHA512; +-#else +- case DIGEST_ALGO_SHA512: return 0; +-#endif ++ + default: return 0; + } + } diff --git a/debian/patches/update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch b/debian/patches/update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch new file mode 100644 index 0000000..c55502a --- /dev/null +++ b/debian/patches/update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch 
@@ -0,0 +1,46 @@ +From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +Date: Wed, 3 Jan 2018 12:34:26 -0500 +Subject: gpg: Prefer SHA-512 and SHA-384 in personal-digest-preferences. + +* g10/keygen.c (keygen_set_std_prefs): prefer SHA-512 +and SHA-384 by default. + +-- + +In 8ede3ae29a39641a2f98ad9a4cf61ea99085a892, upstream changed the +defaults for --default-preference-list to advertise a preference for +SHA-512, without touching --personal-digest-preferences. This makes +the same change for --personal-digest-preferences, since every modern +OpenPGP library supports them all. + +Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +--- + g10/keygen.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/g10/keygen.c b/g10/keygen.c +index 79d4579..cb92468 100644 +--- a/g10/keygen.c ++++ b/g10/keygen.c +@@ -391,16 +391,16 @@ keygen_set_std_prefs (const char *string,int personal) + if (personal) + { + /* The default internal hash algo order is: +- * SHA-256, SHA-384, SHA-512, SHA-224, SHA-1. ++ * SHA-512, SHA-384, SHA-256, SHA-224, SHA-1. + */ +- if (!openpgp_md_test_algo (DIGEST_ALGO_SHA256)) +- strcat (dummy_string, "H8 "); ++ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512)) ++ strcat (dummy_string, "H10 "); + + if (!openpgp_md_test_algo (DIGEST_ALGO_SHA384)) + strcat (dummy_string, "H9 "); + +- if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512)) +- strcat (dummy_string, "H10 "); ++ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA256)) ++ strcat (dummy_string, "H8 "); + } + else + { diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..b6aba08 --- /dev/null +++ b/debian/rules 
@@ -0,0 +1,90 @@ +#!/usr/bin/make -f +# debian/rules file - for GnuPG +# Copyright 1994,1995 by Ian Jackson. +# Copyright 1998-2003 by James Troup. +# Copyright 2003-2004 by Matthias Urlichs. +# +# I hereby give you perpetual unlimited permission to copy, +# modify and relicense this file, provided that you do not remove +# my name from the file itself. (I assert my moral right of +# paternity under the Copyright, Designs and Patents Act 1988.) +# This file may have to be extensively modified + +include /usr/share/dpkg/architecture.mk + +export DEB_BUILD_MAINT_OPTIONS = hardening=+all + +# avoid -pie for gpgv-static on kfreebsd-amd64, and x32 +# platforms, which cannot support it by default: +ifeq (,$(filter $(DEB_HOST_ARCH), kfreebsd-amd64 x32)) +GPGV_STATIC_HARDENING = "-pie" +else +GPGV_STATIC_HARDENING = "" +endif + +# Avoid parallel tests on hppa and riscv64 architecture. +# Parallel tests generates high load on machine which causes timeouts and thus +# triggers unexpected failures. 
+ifeq (,$(filter $(DEB_HOST_ARCH), hppa riscv64)) +AUTOTEST_FLAGS = "--parallel" +else +AUTOTEST_FLAGS = "--no-parallel" +endif + +%: + dh $@ --with=autoreconf --builddirectory=build + +GPGV_UDEB_UNNEEDED = gpgtar bzip2 gpgsm scdaemon dirmngr doc tofu exec ldap gnutls sqlite libdns + +WIN32_FLAGS=LDFLAGS="-Xlinker --no-insert-timestamp -static" CFLAGS="-g -Os" CPPFLAGS= + +override_dh_auto_configure: + dh_auto_configure --builddirectory=build-gpgv-udeb -- \ + $(foreach x, $(GPGV_UDEB_UNNEEDED), --disable-$(x)) + dh_auto_configure --builddirectory=build-maintainer -- \ + --enable-maintainer-mode \ + $(foreach x, $(GPGV_UDEB_UNNEEDED), --disable-$(x)) + dh_auto_configure --builddirectory=build -- --libexecdir=\$${prefix}/lib/gnupg \ + --enable-wks-tools \ + --enable-all-tests \ + --with-agent-s2k-calibration=300 \ + --enable-large-secmem + +override_dh_auto_build-arch: + dh_auto_build --builddirectory=build-gpgv-udeb + dh_auto_build --builddirectory=build + dh_auto_build --builddirectory=build-maintainer + cp -a build-gpgv-udeb build-gpgv-static + rm -f build-gpgv-static/g10/gpgv + cd build-gpgv-static/g10 && $(MAKE) LDFLAGS="$$LDFLAGS $(GPGV_STATIC_HARDENING) -static" gpgv + mv build-gpgv-static/g10/gpgv build-gpgv-static/g10/gpgv-static + +override_dh_auto_build-indep: + mkdir -p build-gpgv-win32 + cd build-gpgv-win32 && $(WIN32_FLAGS) ../configure \ + $(foreach x, $(GPGV_UDEB_UNNEEDED), --disable-$(x)) \ + $(foreach x, libgpg-error libgcrypt libassuan ksba npth, --with-$x-prefix=/usr/i686-w64-mingw32) \ + --enable-gpg2-is-gpg \ + --with-zlib=/usr/i686-w64-mingw \ + --prefix=/usr/i686-w64-mingw32 \ + --host i686-w64-mingw32 + cd build-gpgv-win32/common && $(WIN32_FLAGS) $(MAKE) libcommon.a + cd build-gpgv-win32/common && $(WIN32_FLAGS) $(MAKE) libgpgrl.a + cd build-gpgv-win32/common && $(WIN32_FLAGS) $(MAKE) libsimple-pwquery.a + cd build-gpgv-win32/kbx && $(WIN32_FLAGS) $(MAKE) libkeybox.a + cd build-gpgv-win32/regexp && $(WIN32_FLAGS) $(MAKE) libregexp.a + cd 
build-gpgv-win32/g10 && $(WIN32_FLAGS) $(MAKE) gpgv.exe + strip build-gpgv-win32/g10/gpgv.exe + + +override_dh_auto_test: + dh_auto_test --builddirectory=build -- verbose=3 TESTFLAGS=$(AUTOTEST_FLAGS) + +override_dh_shlibdeps: +# Make ldap a recommends rather than a hard dependency. + dpkg-shlibdeps -Tdebian/dirmngr.substvars -dRecommends debian/dirmngr/usr/lib/gnupg/dirmngr_ldap -dDepends debian/dirmngr/usr/bin/dirmngr* + dh_shlibdeps -Ndirmngr + +# visualizations of package dependencies: +debian/%.png: debian/%.dot + dot -T png -o $@ $< diff --git a/debian/scdaemon.examples b/debian/scdaemon.examples new file mode 100644 index 0000000..29f41a8 --- /dev/null +++ b/debian/scdaemon.examples @@ -0,0 +1 @@ +doc/examples/scd-event diff --git a/debian/scdaemon.install b/debian/scdaemon.install new file mode 100644 index 0000000..5b7bd35 --- /dev/null +++ b/debian/scdaemon.install @@ -0,0 +1,2 @@ +debian/org.gnupg.scdaemon.metainfo.xml usr/share/metainfo +debian/tmp/usr/lib/gnupg/scdaemon diff --git a/debian/scdaemon.lintian-overrides b/debian/scdaemon.lintian-overrides new file mode 100644 index 0000000..652cdb0 --- /dev/null +++ b/debian/scdaemon.lintian-overrides @@ -0,0 +1,2 @@ +# these binaries are stored in /usr/lib/gnupg, as recommended by upstream: +scdaemon: spare-manual-page usr/share/man/man1/scdaemon.1.gz diff --git a/debian/scdaemon.manpages b/debian/scdaemon.manpages new file mode 100644 index 0000000..9efee23 --- /dev/null +++ b/debian/scdaemon.manpages @@ -0,0 +1 @@ +debian/tmp/usr/share/man/man1/scdaemon.1 diff --git a/debian/scdaemon.udev b/debian/scdaemon.udev new file mode 100644 index 0000000..236d123 --- /dev/null +++ b/debian/scdaemon.udev 
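Review bot: In `override_dh_auto_build-indep` of debian/rules, the configure call passes `--with-zlib=/usr/i686-w64-mingw` while every other prefix in the same call is `/usr/i686-w64-mingw32`, which looks like a dropped `32`. If that directory does not exist, configure presumably falls back to whatever zlib it can find, or to none, so the gpgv.exe this target builds may not be linked the way the other flags intend; that outcome is not visible from the hunk. I would write `--with-zlib=/usr/i686-w64-mingw32 \`, or, if the short path is deliberate, add a comment above it saying why it differs from the other prefixes.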
@@ -0,0 +1,69 @@ +# do not edit this file, it will be overwritten on update + +SUBSYSTEM!="usb", GOTO="gnupg_rules_end" +ACTION!="add", GOTO="gnupg_rules_end" + +# USB SmartCard Readers +## Cherry GmbH (XX33, ST2000) +SUBSYSTEM=="usb", ATTR{idVendor}=="046a", ATTR{idProduct}=="0005", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="046a", ATTR{idProduct}=="0010", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="046a", ATTR{idProduct}=="003e", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## SCM Microsystems, Inc (SCR331-DI, SCR335, SCR3320, SCR331, SCR3310 and SPR532) +SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5111", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5115", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5116", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5117", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="e001", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="e003", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Omnikey AG (CardMan 3821, CardMan 6121) +SUBSYSTEM=="usb", ATTR{idVendor}=="076b", ATTR{idProduct}=="3821", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="076b", ATTR{idProduct}=="6622", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Gemalto +SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="3437", ENV{ID_SMARTCARD_READER}="1", 
ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="3438", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="3478", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="34c2", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="34ec", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Reiner (SCT cyberJack) +SUBSYSTEM=="usb", ATTR{idVendor}=="0c4b", ATTR{idProduct}=="0500", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Kobil (KAAN) +SUBSYSTEM=="usb", ATTR{idVendor}=="0d46", ATTR{idProduct}=="2012", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## VASCO (DIGIPASS 920) +SUBSYSTEM=="usb", ATTR{idVendor}=="1a44", ATTR{idProduct}=="0920", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Crypto Stick +SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4107", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Nitrokey +SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4108", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4109", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4211", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Librem Key +SUBSYSTEM=="usb", ATTR{idVendor}=="316d", ATTR{idProduct}=="4c4b", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Gnuk Token +SUBSYSTEM=="usb", ATTR{product}=="Gnuk Token", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="234b", 
ATTR{idProduct}=="0000", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="2440", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Alcor Micro Corp cardreader (in ThinkPad X250) +SUBSYSTEM=="usb", ATTR{idVendor}=="058f", ATTR{idProduct}=="9540", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Fujitsu Siemens +SUBSYSTEM=="usb", ATTR{idVendor}=="0bf8", ATTR{idProduct}=="1006", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Yubico +# Yubikey NEO OTP+CCID +SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0111", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey NEO CCID +SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0112", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey NEO U2F+CCID +SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0115", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey NEO OTP+U2F+CCID +SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0116", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey 4 CCID +SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0404", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey 4 OTP+CCID +SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0405", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey 4 U2F+CCID +SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0406", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey 4 OTP+U2F+CCID +SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0407", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Trustica Cryptoucan +SUBSYSTEM=="usb", ATTR{idVendor}=="1fc9", ATTR{idProduct}=="81e6", 
ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" + +LABEL="gnupg_rules_end" diff --git a/debian/simplified-package-dependencies.dot b/debian/simplified-package-dependencies.dot new file mode 100644 index 0000000..2edb3fb --- /dev/null +++ b/debian/simplified-package-dependencies.dot @@ -0,0 +1,43 @@ +#!/usr/bin/dot + +# interrelationships between binary packages produced by gnupg2 source +# package, if we were to move to the simplified package structure: + +# it would be good to graph the external dependencies as well. + +digraph gnupg2 { + # odd-duck packages: + node [shape=box]; + gpgv_udeb [label="gpgv-udeb"]; + gpgv_static [label="gpgv-static"]; + gpgv_win32 [label="gpgv-win32"]; + + # meta-packages, transitional packages: + node [shape=diamond]; + gnupg_agent [label="gnupg-agent"]; + gnupg2; + gpgv2; + gpgsm; + dirmngr; + + node [shape=ellipse]; + gnupg_l10n [label="gnupg-l10n"]; + + # depends: + edge [color=black]; + scdaemon -> gnupg; + gnupg2 -> gnupg; + gnupg_agent -> gnupg; + gpgsm -> gnupg; + dirmngr -> gnupg; + gpgv2 -> gpgv; + + # recommends: + edge [color=red]; + gnupg -> gnupg_l10n; + gnupg -> gpgv; + + # suggests: + edge [color=blue]; + gpgv -> gnupg; +} diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..163aaf8 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides new file mode 100644 index 0000000..14caca0 --- /dev/null +++ b/debian/source/lintian-overrides @@ -0,0 +1,2 @@ +# doc merely references / cites IETF RFC: +gnupg2 source: license-problem-non-free-RFC doc/OpenPGP diff --git a/debian/systemd-environment-generator/90gpg-agent b/debian/systemd-environment-generator/90gpg-agent new file mode 100755 index 0000000..7ece62b --- /dev/null +++ b/debian/systemd-environment-generator/90gpg-agent 
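Review bot: The first Gnuk Token rule in debian/scdaemon.udev matches on `ATTR{product}=="Gnuk Token"` alone, whereas every other rule in the file pins both `idVendor` and `idProduct`. The product string is reported by the device itself, so this rule sets `ID_SMARTCARD_READER` and `ID_SMARTCARD_READER_DRIVER="gnupg"` on any USB device that presents that string. What access those properties lead to is decided by rules outside this file and is not visible here. I would either narrow the match to the vendor/product pairs listed on the two lines below it, or add a comment above the rule stating why it is deliberately not pinned to an ID pair.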
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# If enable-ssh-support is present in gpg-agent.conf, export SSH_AUTH_SOCK
+# pointing at the gpg-agent's ssh-agent compatibility layer.
+
+# Authors:
+# rufo <rufo@rufoa.com>
+# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+
+# See https://bugs.debian.org/855868
+
+# see gpgconf(1): $5 is the "okay" field.
+# see also https://dev.gnupg.org/T4866 and https://dev.gnupg.org/T4867
+get_okay='BEGIN{ret=1} /^gpg-agent:/{if ($5 == "1") { ret=0; exit 0 } } END {exit ret}'
+
+if gpgconf --check-options gpg-agent | awk -F: "$get_okay" && \
+ [ -n "$(gpgconf --list-options gpg-agent | \
+ awk -F: '/^enable-ssh-support:/{ print $10 }')" ]; then
+ echo SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+ echo GSM_SKIP_SSH_AGENT_WORKAROUND=true
+fi
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..7f84c8b
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,11 @@
+Tests: gpgv-win32
+Depends: gpgv-win32, gnupg2, gpgv2, wine32, diffutils
+Restrictions: allow-stderr, skip-not-installable
+
+Tests: simple-tests
+Depends: gnupg2, gpgv2
+Restrictions: allow-stderr
+
+Tests: migration
+Depends: gpg, gnupg1, gnupg-utils, debian-archive-keyring, diffutils
+Restrictions: allow-stderr
diff --git a/debian/tests/gpgv-win32 b/debian/tests/gpgv-win32
new file mode 100755
index 0000000..035c060
--- /dev/null
+++ b/debian/tests/gpgv-win32
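Review bot: In debian/systemd-environment-generator/90gpg-agent the line `echo SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)` leaves the command substitution unquoted and unchecked. A socket path containing whitespace or glob characters is split or expanded before echo sees it, and if gpgconf fails or prints nothing the generator still emits `SSH_AUTH_SOCK=` with an empty value, which would presumably replace a working agent socket in the session environment. I would capture and test the value first: `sock=$(gpgconf --list-dirs agent-ssh-socket) || exit 0`, `[ -n "$sock" ] || exit 0`, then `printf 'SSH_AUTH_SOCK=%s\n' "$sock"`.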
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+export GNUPGHOME=$(mktemp -d)
+gpgargs=(--batch --quiet --pinentry-mode=loopback --passphrase '' --with-colons)
+
+# Generate a minimal signing key:
+gpg "${gpgargs[@]}" --quick-gen-key 'Test key for gpgv-win32 <test-key@example.com>'
+
+gpg "${gpgargs[@]}" -o "$GNUPGHOME/key.gpg" --export test-key@example.com
+
+# Sign this very script
+rm -f "${0}.gpg"
+gpg "${gpgargs[@]}" --output "${0}.gpg" --detach-sign "${0}"
+
+# Verify using gpgv
+gpgv --quiet --status-fd 3 3> native.status --keyring "$GNUPGHOME/key.gpg" "${0}.gpg" "${0}"
+
+WINE=/usr/lib/wine/wine
+export WINESERVER=/usr/lib/wine/wineserver32
+
+# Verify using gpgv.exe (using --status-fd 1 because i don't know how
+# to pass a non-standard file descriptor into wine)
+"$WINE" /usr/share/win32/gpgv.exe --quiet --status-fd 1 > win32.status --keyring "Z://${GNUPGHOME}/key.gpg" "${0}.gpg" "${0}"
+
+# convert to unix newlines if necessary:
+sed -i 's/\r$//' win32.status
+
+diff -u native.status win32.status
+
+head -v win32.status
+
+rm -rf "$GNUPGHOME"
diff --git a/debian/tests/migration b/debian/tests/migration
new file mode 100755
index 0000000..b676999
--- /dev/null
+++ b/debian/tests/migration
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -e
+set -x
+
+DIR=$(mktemp -d)
+GPG_HOME="$DIR/gnupg"
+gpg=(gpg --homedir "$GPG_HOME" --batch --quiet --with-colons)
+gpg1=(gpg1 --homedir "$GPG_HOME" --batch --quiet --with-colons)
+
+mkdir "$GPG_HOME"
+chmod 700 "$GPG_HOME"
+
+cat /usr/share/keyrings/debian-archive-*.gpg | "${gpg1[@]}" --import
+"${gpg1[@]}" --list-keys
+"${gpg[@]}" --list-keys > "$DIR/key.list.before"
+migrate-pubring-from-classic-gpg "$GPG_HOME"
+"${gpg[@]}" --list-keys > "$DIR/key.list.after"
+
+diff -u "$DIR/key.list.before" "$DIR/key.list.after"
diff --git a/debian/tests/simple-tests b/debian/tests/simple-tests
new file mode 100644
index 0000000..97d4ab4
--- /dev/null
+++ b/debian/tests/simple-tests
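Review bot: debian/tests/gpgv-win32 uses `export GNUPGHOME=$(mktemp -d)`, which hides a mktemp failure from `set -e`, and it removes the directory only on its last line, so any failing step leaves the passphrase-less test key on disk. With an empty GNUPGHOME the later gpg calls would presumably run against the invoking user's default keyring instead of a scratch one. I would split it into `GNUPGHOME=$(mktemp -d)`, `export GNUPGHOME` and `trap 'rm -rf -- "$GNUPGHOME"' EXIT`, and drop the trailing `rm -rf`. The same missing cleanup applies to `DIR` in debian/tests/migration and to the commented-out `#trap` line in debian/tests/simple-tests.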
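Review bot: In debian/tests/migration the import step `cat /usr/share/keyrings/debian-archive-*.gpg | "${gpg1[@]}" --import` runs under `set -e` without `pipefail`, so a failing `cat` (for example when the glob matches nothing) does not decide the step's status. If gpg1 accepts the empty input, both key lists hold no keys and the final `diff -u` passes without having tested any migration; whether gpg1 does so is not visible here. I would add `set -o pipefail` next to `set -e` and assert the precondition with `grep -q '^pub:' "$DIR/key.list.before"` before calling `migrate-pubring-from-classic-gpg`.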
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+set -e
+set -x
+
+DIR=$(mktemp -d)
+GPG_HOME=$DIR/gnupg
+gpg="gpg --homedir $GPG_HOME"
+
+mkdir $GPG_HOME
+chmod 700 $GPG_HOME
+
+#trap "cd $HOME && rm -rf $DIR" EXIT
+
+cd $DIR
+
+cat > key-batch << EOF
+Key-Type: default
+Subkey-Type: default
+Name-Real: test case
+Name-Email: example@example.com
+Expire-Date: 0
+%no-protection
+%commit
+EOF
+
+$gpg --batch --generate-key key-batch
+$gpg -abs < $GPG_HOME/pubring.kbx > pubring.kbx.asc
+$gpg --verify pubring.kbx.asc $GPG_HOME/pubring.kbx
+gpgv --keyring $GPG_HOME/pubring.kbx pubring.kbx.asc $GPG_HOME/pubring.kbx
+
+# Encrypt
+$gpg -e -r example@example.com < $GPG_HOME/pubring.kbx > pubring.kbx.gpg
+$gpg -d -r example@example.com < pubring.kbx.gpg > pubring.kbx.gpg.dec
diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc
new file mode 100644
index 0000000..b7303e8
--- /dev/null
+++ b/debian/upstream/signing-key.asc
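Review bot: debian/tests/simple-tests decrypts into `pubring.kbx.gpg.dec` but never compares the result with the input, so the encrypt/decrypt round trip is checked for exit status only. Adding `cmp "$GPG_HOME/pubring.kbx" pubring.kbx.gpg.dec` as the last line would pin the content, assuming gpg does not rewrite the keybox between the two steps. Separately, `$DIR` and `$GPG_HOME` are expanded unquoted throughout and the command is kept in a string (`gpg="gpg --homedir $GPG_HOME"`), which breaks if the temporary directory path contains whitespace. Quoting the plain uses, e.g. `mkdir "$GPG_HOME"`, covers most of it, while the `$gpg` string would need to become a small function under `#!/bin/sh`.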
@@ -0,0 +1,77 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBE0ti4EBCACqGtKlX9jI/enhlBdy2cyQP6Q7JoyxtaG6/ckAKWHYrqFTQk3I +Ue8TuDrGT742XFncG9PoMBfJDUNltIPgKFn8E9tYQqAOlpSA25bOb30cA2ADkrjg +jvDAH8cZ+fkIayWtObTxwqLfPivjFxEM//IdShFFVQj+QHmXYBJggWyEIil8Bje7 +KRw6B5ucs4qSzp5VH4CqDr9PDnLD8lBGHk0x8jpwh4V/yEODJKATY0Vj00793L8u +qA35ZiyczUvvJSLYvf7STO943GswkxdAfqxXbYifiK2gjE/7SAmB+2jFxsonUDOB +1BAY5s3FKqrkaxZr3BBjeuGGoCuiSX/cXRIhABEBAAG0Fldlcm5lciBLb2NoIChk +aXN0IHNpZymJAVUEEwEIAD8CGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEE +2GkhI8QGXepeDzq1JJs50k8l47YFAl4MxBkFCRShVzYACgkQJJs50k8l47YImQf9 +HaqHWor+aSmaEwQnaAN0zRa4kPbAWya182aJtsFzLZJf6BbS0aoiMhwtREN/DMvB +jzxARKep/cELaM+mc7oDK4mEwqSX/u6BE8D7FaNA9sut8P+4xjpoLPU+UzILMg29 +t1remjyT9rs6sbu8BqufIxueArkjoi4WCOSRiVTdw+YDd88volPkXlPfS8hg9Rct +wZ8kEEDywa+NrxiLx+kDgDNTNdk3PJdfcnesf8S1a+KLUTNRds5+xGTYz0JSQ9BZ +7Q9r4VQ/NL55muQZi5W7lVxdp3HxQFUNjHzzBfGtkpS4xqZpJvNjW50Wh5Vi5RYZ +LZ3M1EuIHXHmRiY4dmqqcpkBDQRUUF8HAQgAh1mo8r+kVWVTNsNlyurm2tdZKiQb +deVgpBgcDnqI3fAV58C3nC8DVuK5qVGZPB/jbu42jc8BXGP1l6UP+515LQL5GpTt +V0pRWUO02WOuTLZBVQcq53vzbg1xVo31rWV96mqGAPs8lGUCm09fpuiVKQojO6/I +hkg7/bnzeSbcX5Xk9eKLhyB7tnakuYJeRYm4bjs+YDApK8IFQyevYF8pjTcbLTSN +JPW9WLCsozsy11r4xdfRcTWjARVz5VzTnQ+Px8YtsnjQ3qwNJBpsqMLCdDN7YGhh +/mlwPjgdq/UFf5+bY6f3ew0vshBqInBQycBSmYyoX0Ye3sAS/OR4nu5ZaQARAQAB +tD5EYXZpZCBTaGF3IChHbnVQRyBSZWxlYXNlIFNpZ25pbmcgS2V5KSA8ZHNoYXdA +amFiYmVyd29ja3kuY29tPokBHwQwAQIACQUCWJ96UQIdIAAKCRAEN28+4IVpWXZr +B/wKcGVm3AYNs2BN/qbFoWaYlTck23j4oJSZYY21H++3AnxbFYYpuVhvmK07vIXG +n+fxvZGa7G+Er8jJ6kdkV4nqykuqwaxOk2R4sW9yoes9kKpAuX7RqP+5a7jJ1utX +Jg77eLBFLlCb4kk8U0wb58NHLdc34C70Vlc1nakF1MPNqDPADoNM0NCMfy6McKF9 +oRTTU4cS0B8orWHR5THT4ZDvP5PdnHovp9n1m8LW+VTsV4aAlmAMTpq9CUoqmCYc +wWGpC4ZKnD0vLPLgG7foxGmKLdDXUHplHiTySMv65S1mHTzZz3/TGuaRpTVQyEPQ +OoguSZ4hZ5q5siOjHKnbUALotCZEYXZpZCBTaGF3IChHbnVQRyBSZWxlYXNlIFNp +Z25pbmcgS2V5KYkBPgQTAQIAKAUCWJ96MgIbAwUJCbp27gYLCQgHAwIGFQgCCQoL +BBYCAwECHgECF4AACgkQBDdvPuCFaVnFCQf+OrJ2/vsqTyIUI1Dx1R2/VPK/dkEo 
+f1y4uscSXKqJM6Yn+3wr4fg63p5SzkM58AdTwzwZk5X379qe17xADzKGhDgP4uu6 +YQ87I2lKx5Hr7L9HwCKl/Mh5lSkO+94YQ/lW7jtvaCe4eyyEOcqyUnKZjZhNhY54 +3Bxh56/VGqFOEUFagPY8hxFbfmkbyr0BMzLRZUiJJ+qwTXlORx4eqB4Zc5DVD/YR +MUTwaK6HVhB9K+xNgvgjkZaEfWRvxCuK1PhZKdZnVUrbdpmjXxuUMWhYLHk/V/kD +Hg+5LYbeSP7dOXKEi/9XSslI4h6fOCvLmSH4tPSzyNnU/YpKuSRzfMx12ZkBDQRU +Q6lSAQgAtJPHmSg5janZmsDpSf5uti9oPLl0//v7wBBm9cmom9PcSOrXxl826pQ8 +KyyGXCbEiE/57f2oyZyFW3N9d+72uF28DM7A6QDB+Jpok6KpPosxAoRptpJ86y8I +aH5UfGhrCi9+UKGU/3q3Y34D3gkS739uXx7DdiW9FiDMwuelZDHhaM2vvR2eYa5H +pppvoD7yL4RFKKcQsjkvJiuVoweM8yHcgyX5KlaR72nzT9DeCyLHnSnch3I/yt5G +OCno5ffRltc9bJwYD2pqDdv3udj3+ik8NhY7Ehme9qGpXK5AUeMGnFIsxsSnEQ9m +Ol2tIPZsE6FnTQUAiCCPrk8zs6tRAwARAQABtCFXZXJuZXIgS29jaCAoUmVsZWFz +ZSBTaWduaW5nIEtleSmJAT0EEwEIACcFAlRDqVICGwMFCQuqBfUFCwkIBwIGFQgJ +CgsCBBYCAwECHgECF4AACgkQioYbHH79YNmh+wf8CFuplZk5s1tsXNatTFHbLBMU +AYRHjja21ifx4hmT/zGmm4EP/sGbk4UwMHxjOcxUATr6wThlEYSDVOpWEJXDq1aP +lfGdZjUChVmisSWmOSrtWwdTrl/RRyxIjIm6IB7uX4ySFwRPF6577nno8hUOYP7l +9sXBoAlpTHuPbEdyvpRJd5/d8U5kjYT+dq9IE4zI26ililGiBieTnFkq72sHX6i1 +5MUfKYatgJRxxH8aXGbDqfZmYq1mEOY3IBoBT9C2F1MP0Z8RaTnK4+Oarn5shC/U +CSowVeUWhyW6rpHn8FCJz0LVVJiDakMc7UoeUMUD9rbFDyHhIuUQKAsCyWpvM5kB +DQRUUDsjAQgA5hBwN9F3OqKf+9mXCXUDK4lb5wMjdti96xG04gAn7wWo7On6c5nt +riZQuRdR5GHcdw73XC6CFehHeo/eSVYiWqBNBAfE9UzbkES+cY+4wDzqVacqhKxd +70XmHQgyK7ppRG/MwkL1UyArCGGAKN6MV/2fzO6IGQw3jntRue3/2PGGnGaisNAK +lvttHWZ91uy4KY5fBM19uQCgZdx4v8/rP0+yQqsWTwJUKvymx5GIfNaCJvgF+v+a +PrwspxBMf9jpHXqDXnh4Lo8C/GsQMD6GClVfQjsvvzUHKH2eoL4oNfku+Ua5BuAH +Yi+uAuzqV9TdpF9PCpQMyPfuuZclMPLdMwARAQABtDJOSUlCRSBZdXRha2EgKEdu +dVBHIFJlbGVhc2UgS2V5KSA8Z25paWJlQGZzaWoub3JnPokBPAQTAQgAJgIbAwUL +BwgJAwQVCAkKBRYCAwEAAh4BAheABQJYDxRZBQkLS5A2AAoJECBxsIozvT8GvG8I +AMBIlGz9voYcSSXAdQOuvz2gM2kOjvMHzN6VlS9VP06IjnTz2DnejFZwLmxJw8e8 +mZjUo0jw22uo1HREQhDrne3S1IazPMeTUCUNzpWFMxXNc6SAyrw9apWa8gouGUWJ +v3HOwVs8EFA2E9UdtDJ2uG7MY/+eC5K/aeOAyudZEbvS8rgZypTFrBtBcNKUWZhz +7FRn63HxEmYLE3p6I19ZDXrc1WTazF2oz18zym6cuURr6waRbdSemUTshpLnKCBZ 
+XzJ82bXBgXNnfdmc3gtS24ZmM3ZfK/rYztEDkiTks2R1gwDwf5RtDpaf5LD2ufES +dbLuT+8blAlscbgYLBcwDqu5AQ0EVFA7IwEIAL3gJa4wcuY/UHugXFTQWMq/cPpF +OktIuoL+epFZ4pV2VJ11Hguc7+v1qFGwaB6QARXJ4PThIoAPuDc5YyFa8SwrppiC +bNzRwskIlFOwtb5fuRFajfcpQAoikpg7xUXyIStZ6NqO+jlSA3fLVX9qeqUFTjkN +qUuT+a7olc6vq3u7zf4ixxOsVBORbXvA7GhzqL3MM5TUWhZkXI1T6HGk8Iad1+dL +bmrNoSlvWrPFigenK20KQZfhHeyJfqACREsg+GxgrixmKEFmFMGAd0BVhJiQKsqF +E1ahJvdelSF1PmXzy4+jPDFeu5ebOTpYK/pl0In7SsZKHAmNTWPqD4WSyT0AEQEA +AYkBJQQYAQgADwIbDAUCWA8URgUJC0uQIwAKCRAgcbCKM70/BgoNB/0ddDVFvid4 +L+z/+9F/CqkSxhOoYuB387x3/QGseiMTV3qLKJ1kgZfjRKCarU49RkT0a1bmXZa7 +CPJyGsjJJHw2dDyH1w3RqBiMt+n7ewkUZhEawvYnsSYlU9R3r6AdyrYvn7OGbd73 +xppLEyVLlAZwT0jIO1015NQHJreSDqW1rNKj3O3MZXqfnzk/ZSJJCcvV+y+KTmJC +QPyToNzKCaEGfF9ufLmM9pXs9NynHBjyTqMcgvxnXjgZgdlhu4cxC7Affnu9GC+r +R6l2H7snEma0O1LyCmdH9TaRWGiBLA9CcHTrO1w+9efBnOdgavD5ndrnvD55/Yxn +huLyA60R3TOH +=Gbuk +-----END PGP PUBLIC KEY BLOCK----- diff --git a/debian/watch b/debian/watch new file mode 100644 index 0000000..e1c393d --- /dev/null +++ b/debian/watch @@ -0,0 +1,5 @@ +version=4 + +opts=pgpsigurlmangle=s/$/.sig/ \ + https://gnupg.org/ftp/gcrypt/gnupg/gnupg@ANY_VERSION@@ARCHIVE_EXT@ \ + debian |