Diffstat (limited to 'scripts/Dpkg/OpenPGP')
-rw-r--r--scripts/Dpkg/OpenPGP/Backend/GnuPG.pm14
-rw-r--r--scripts/Dpkg/OpenPGP/ErrorCodes.pm19
2 files changed, 31 insertions, 2 deletions
diff --git a/scripts/Dpkg/OpenPGP/Backend/GnuPG.pm b/scripts/Dpkg/OpenPGP/Backend/GnuPG.pm
index 6c834be..43ac1e2 100644
--- a/scripts/Dpkg/OpenPGP/Backend/GnuPG.pm
+++ b/scripts/Dpkg/OpenPGP/Backend/GnuPG.pm
@@ -34,7 +34,9 @@ use strict;
use warnings;
use POSIX qw(:sys_wait_h);
+use File::Basename;
use File::Temp;
+use File::Copy;
use MIME::Base64;
use Dpkg::ErrorHandling;
@@ -296,6 +298,18 @@ sub inline_sign {
return OPENPGP_MISSING_CMD if ! $self->has_backend_cmd();
+ my $file = basename($data);
+ my $signdir = File::Temp->newdir('dpkg-sign.XXXXXXXX', TMPDIR => 1);
+ my $signfile = "$signdir/$file";
+
+ # Make sure the file to sign ends with a newline, as GnuPG does not adhere
+ # to the OpenPGP specification (see <https://dev.gnupg.org/T7106>).
+ copy($data, $signfile);
+ open my $signfh, '>>', $signfile
+ or syserr(g_('cannot open %s'), $signfile);
+ print { $signfh } "\n";
+ close $signfh or syserr(g_('cannot close %s'), $signfile);
+
my @exec = ($self->{cmd});
push @exec, _gpg_options_weak_digests();
push @exec, qw(--utf8-strings --textmode --armor);
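Review bot: The return value of `copy($data, $signfile)` is not checked, so a failed copy goes unnoticed while the following `open ... '>>'` creates `$signfile` and appends the newline. The signing step would then presumably run on a file containing only "\n" and produce a valid-looking signature over the wrong content. I would fail closed, as the neighbouring open and close calls already do: `copy($data, $signfile) or syserr(g_('cannot copy %s to %s'), $data, $signfile);`. Separately, the newline is appended unconditionally although the comment says "make sure the file ends with a newline", so an input that already ends in one gains an empty trailing line; if that is intended, the comment should say so. The body of inline_sign starts and ends outside this hunk, so the later use of `$signfile` is not visible here.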
diff --git a/scripts/Dpkg/OpenPGP/ErrorCodes.pm b/scripts/Dpkg/OpenPGP/ErrorCodes.pm
index 0db59aa..3a67dd8 100644
--- a/scripts/Dpkg/OpenPGP/ErrorCodes.pm
+++ b/scripts/Dpkg/OpenPGP/ErrorCodes.pm
@@ -1,4 +1,4 @@
-# Copyright © 2022 Guillem Jover <guillem@debian.org>
+# Copyright © 2022-2024 Guillem Jover <guillem@debian.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -44,7 +44,12 @@ our @EXPORT = qw(
OPENPGP_MISSING_INPUT
OPENPGP_KEY_IS_PROTECTED
OPENPGP_UNSUPPORTED_SUBCMD
+ OPENPGP_UNSUPPORTED_SPECIAL_PREFIX
+ OPENPGP_AMBIGUOUS_INPUT
OPENPGP_KEY_CANNOT_SIGN
+ OPENPGP_INCOMPATIBLE_OPTIONS
+ OPENPGP_NO_HW_KEY_FOUND
+ OPENPGP_HW_KEY_FAILURE
OPENPGP_MISSING_CMD
OPENPGP_NEEDS_KEYSTORE
@@ -58,7 +63,7 @@ use Exporter qw(import);
use Dpkg::Gettext;
# Error codes based on
-# https://ietf.org/archive/id/draft-dkg-openpgp-stateless-cli-04.html#section-6
+# https://ietf.org/archive/id/draft-dkg-openpgp-stateless-cli-10.html#section-7
#
# Local error codes use a negative number, as that should not conflict with
# the SOP exit codes.
@@ -74,7 +79,12 @@ use constant {
OPENPGP_MISSING_INPUT => 61,
OPENPGP_KEY_IS_PROTECTED => 67,
OPENPGP_UNSUPPORTED_SUBCMD => 69,
+ OPENPGP_UNSUPPORTED_SPECIAL_PREFIX => 71,
+ OPENPGP_AMBIGUOUS_INPUT => 73,
OPENPGP_KEY_CANNOT_SIGN => 79,
+ OPENPGP_INCOMPATIBLE_OPTIONS => 83,
+ OPENPGP_NO_HW_KEY_FOUND => 97,
+ OPENPGP_HW_KEY_FAILURE => 101,
OPENPGP_MISSING_CMD => -1,
OPENPGP_NEEDS_KEYSTORE => -2,
@@ -92,7 +102,12 @@ my %code2error = (
OPENPGP_MISSING_INPUT() => N_('input file does not exist'),
OPENPGP_KEY_IS_PROTECTED() => N_('cannot unlock password-protected key'),
OPENPGP_UNSUPPORTED_SUBCMD() => N_('unsupported subcommand'),
+ OPENPGP_UNSUPPORTED_SPECIAL_PREFIX() => N_('unknown special designator in indirect parameter'),
+ OPENPGP_AMBIGUOUS_INPUT() => N_('special designator in indirect parameter is an existing file'),
OPENPGP_KEY_CANNOT_SIGN() => N_('key is not signature-capable'),
+ OPENPGP_INCOMPATIBLE_OPTIONS() => N_('mutually exclusive options'),
+ OPENPGP_NO_HW_KEY_FOUND() => N_('cannot identify hardware device for hardware-backed secret keys'),
+ OPENPGP_HW_KEY_FAILURE() => N_('cannot perform operation on hardware-backed secret key'),
OPENPGP_MISSING_CMD() => N_('missing OpenPGP implementation'),
OPENPGP_NEEDS_KEYSTORE() => N_('specified key needs a keystore'),