commit 2115d3eb438bf70a2fe382cd3e572bdc302dad84 Author: overweight <5324761+overweight@user.noreply.gitee.com> Date: Mon Sep 30 10:41:13 2019 -0400 Package init diff --git a/gnupg-2.1.1-fips-algo.patch b/gnupg-2.1.1-fips-algo.patch new file mode 100644 index 0000000..fbb6d27 --- /dev/null +++ b/gnupg-2.1.1-fips-algo.patch @@ -0,0 +1,13 @@ +diff -up gnupg-2.1.1/g10/mainproc.c.fips gnupg-2.1.1/g10/mainproc.c +--- gnupg-2.1.1/g10/mainproc.c.fips 2015-01-29 17:19:49.266031504 +0100 ++++ gnupg-2.1.1/g10/mainproc.c 2015-01-29 17:27:13.938088122 +0100 +@@ -719,7 +719,8 @@ proc_plaintext( CTX c, PACKET *pkt ) + according to 2440, so hopefully it won't come up that often. + There is no good way to specify what algorithms to use in + that case, so these there are the historical answer. */ +- gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160); ++ if (!gcry_fips_mode_active()) ++ gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160); + gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1); + } + if (DBG_HASHING) diff --git a/gnupg-2.1.10-secmem.patch b/gnupg-2.1.10-secmem.patch new file mode 100644 index 0000000..e263509 --- /dev/null +++ b/gnupg-2.1.10-secmem.patch @@ -0,0 +1,33 @@ +diff -up gnupg-2.1.10/g10/gpg.c.secmem gnupg-2.1.10/g10/gpg.c +--- gnupg-2.1.10/g10/gpg.c.secmem 2015-12-04 10:53:27.000000000 +0100 ++++ gnupg-2.1.10/g10/gpg.c 2015-12-07 15:32:38.922812652 +0100 +@@ -889,7 +889,7 @@ make_libversion (const char *libname, co + + if (maybe_setuid) + { +- gcry_control (GCRYCTL_INIT_SECMEM, 0, 0); /* Drop setuid. */ ++ gcry_control (GCRYCTL_INIT_SECMEM, 4096, 0); /* Drop setuid. */ + maybe_setuid = 0; + } + s = getfnc (NULL); +@@ -1041,7 +1041,7 @@ build_list (const char *text, char lette + char *string; + + if (maybe_setuid) +- gcry_control (GCRYCTL_INIT_SECMEM, 0, 0); /* Drop setuid. */ ++ gcry_control (GCRYCTL_INIT_SECMEM, 4096, 0); /* Drop setuid. */ + + indent = utf8_charcount (text, -1); + len = 0; +diff -up gnupg-2.1.10/sm/gpgsm.c.secmem gnupg-2.1.10/sm/gpgsm.c +--- gnupg-2.1.10/sm/gpgsm.c.secmem 2015-11-30 17:39:52.000000000 +0100 ++++ gnupg-2.1.10/sm/gpgsm.c 2015-12-07 15:31:17.226884207 +0100 +@@ -530,7 +530,7 @@ make_libversion (const char *libname, co + + if (maybe_setuid) + { +- gcry_control (GCRYCTL_INIT_SECMEM, 0, 0); /* Drop setuid. */ ++ gcry_control (GCRYCTL_INIT_SECMEM, 4096, 0); /* Drop setuid. */ + maybe_setuid = 0; + } + s = getfnc (NULL); diff --git a/gnupg-2.1.21-insttools.patch b/gnupg-2.1.21-insttools.patch new file mode 100644 index 0000000..e076dae --- /dev/null +++ b/gnupg-2.1.21-insttools.patch @@ -0,0 +1,62 @@ +diff -up gnupg-2.1.21/tools/Makefile.am.insttools gnupg-2.1.21/tools/Makefile.am +--- gnupg-2.1.21/tools/Makefile.am.insttools 2017-04-03 17:13:56.000000000 +0200 ++++ gnupg-2.1.21/tools/Makefile.am 2017-07-18 12:10:59.431729640 +0200 +@@ -35,8 +35,8 @@ AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ER + sbin_SCRIPTS = addgnupghome applygnupgdefaults + + if HAVE_USTAR +-# bin_SCRIPTS += gpg-zip +-noinst_SCRIPTS = gpg-zip ++bin_PROGRAMS += gpg-zip ++#noinst_SCRIPTS = gpg-zip + endif + + if BUILD_SYMCRYPTRUN +@@ -53,7 +53,7 @@ endif + + libexec_PROGRAMS = gpg-wks-client + +-bin_PROGRAMS = gpgconf gpg-connect-agent ${symcryptrun} ++bin_PROGRAMS = gpgconf gpg-connect-agent ${symcryptrun} gpgsplit + if !HAVE_W32_SYSTEM + bin_PROGRAMS += watchgnupg gpgparsemail ${gpg_wks_server} + endif +@@ -63,7 +63,7 @@ libexec_PROGRAMS += gpg-check-pattern + endif + + if !HAVE_W32CE_SYSTEM +-noinst_PROGRAMS = clean-sat make-dns-cert gpgsplit ++noinst_PROGRAMS = clean-sat make-dns-cert + endif + + if !HAVE_W32CE_SYSTEM +diff -up gnupg-2.1.21/tools/Makefile.in.insttools gnupg-2.1.21/tools/Makefile.in +--- gnupg-2.1.21/tools/Makefile.in.insttools 2017-05-15 16:15:04.000000000 +0200 ++++ gnupg-2.1.21/tools/Makefile.in 2017-07-18 12:12:17.907734745 +0200 +@@ -137,13 +137,13 @@ DIST_COMMON = $(top_srcdir)/am/cmacros.a + @GNUPG_DIRMNGR_LDAP_PGM_TRUE@am__append_7 = -DGNUPG_DEFAULT_DIRMNGR_LDAP="\"@GNUPG_DIRMNGR_LDAP_PGM@\"" + @HAVE_W32_SYSTEM_TRUE@am__append_8 = gpg-connect-agent-w32info.o + libexec_PROGRAMS = gpg-wks-client$(EXEEXT) $(am__EXEEXT_5) +-bin_PROGRAMS = gpgconf$(EXEEXT) gpg-connect-agent$(EXEEXT) \ ++bin_PROGRAMS = gpgconf$(EXEEXT) gpg-connect-agent$(EXEEXT) gpgsplit$(EXEEXT) \ + $(am__EXEEXT_1) $(am__EXEEXT_3) $(am__EXEEXT_4) + @HAVE_W32_SYSTEM_FALSE@am__append_9 = watchgnupg gpgparsemail ${gpg_wks_server} + @DISABLE_REGEX_FALSE@am__append_10 = gpg-check-pattern + @HAVE_W32CE_SYSTEM_FALSE@noinst_PROGRAMS = clean-sat$(EXEEXT) \ + @HAVE_W32CE_SYSTEM_FALSE@ make-dns-cert$(EXEEXT) \ +-@HAVE_W32CE_SYSTEM_FALSE@ gpgsplit$(EXEEXT) $(am__EXEEXT_6) ++@HAVE_W32CE_SYSTEM_FALSE@ $(am__EXEEXT_6) + @BUILD_GPGTAR_TRUE@@HAVE_W32CE_SYSTEM_FALSE@am__append_11 = gpgtar + @BUILD_GPGTAR_FALSE@@HAVE_W32CE_SYSTEM_FALSE@am__append_12 = gpgtar + subdir = tools +@@ -582,8 +582,8 @@ libcommontlsnpth = ../common/libcommontl + AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ERROR_CFLAGS) $(LIBASSUAN_CFLAGS) + sbin_SCRIPTS = addgnupghome applygnupgdefaults + +-# bin_SCRIPTS += gpg-zip +-@HAVE_USTAR_TRUE@noinst_SCRIPTS = gpg-zip ++@HAVE_USTAR_TRUE@bin_PROGRAMS += gpg-zip ++#@HAVE_USTAR_TRUE@noinst_SCRIPTS = gpg-zip + @BUILD_SYMCRYPTRUN_FALSE@symcryptrun = + @BUILD_SYMCRYPTRUN_TRUE@symcryptrun = symcryptrun + @BUILD_WKS_TOOLS_FALSE@gpg_wks_server = diff --git a/gnupg-2.1.21-large-rsa.patch b/gnupg-2.1.21-large-rsa.patch new file mode 100644 index 0000000..96aad02 --- /dev/null +++ b/gnupg-2.1.21-large-rsa.patch @@ -0,0 +1,12 @@ +diff -up gnupg-2.1.21/g10/keygen.c.large-rsa gnupg-2.1.21/g10/keygen.c +--- gnupg-2.1.21/g10/keygen.c.large-rsa 2017-05-15 14:13:22.000000000 +0200 ++++ gnupg-2.1.21/g10/keygen.c 2017-07-18 16:12:37.738895016 +0200 +@@ -2091,7 +2091,7 @@ get_keysize_range (int algo, unsigned in + + default: + *min = opt.compliance == CO_DE_VS ? 2048: 1024; +- *max = 4096; ++ *max = opt.flags.large_rsa == 1 ? 8192 : 4096; + def = 2048; + break; + } diff --git a/gnupg-2.2.17-ocsp-keyusage.patch b/gnupg-2.2.17-ocsp-keyusage.patch new file mode 100644 index 0000000..9b6dd4d --- /dev/null +++ b/gnupg-2.2.17-ocsp-keyusage.patch @@ -0,0 +1,17 @@ +diff -up gnupg-2.1.1/sm/certlist.c.keyusage gnupg-2.1.1/sm/certlist.c +--- gnupg-2.1.1/sm/certlist.c.keyusage 2014-11-27 11:51:36.000000000 +0100 ++++ gnupg-2.1.1/sm/certlist.c 2015-01-29 17:30:57.117135497 +0100 +@@ -146,10 +146,9 @@ cert_usage_p (ksba_cert_t cert, int mode + + if (mode == 5) + { +- if (use != ~0 +- && (have_ocsp_signing +- || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN +- |KSBA_KEYUSAGE_CRL_SIGN)))) ++ if (have_ocsp_signing ++ || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN ++ |KSBA_KEYUSAGE_CRL_SIGN))) + return 0; + if (!silent) + log_info (_("certificate should not have " diff --git a/gnupg-2.2.17.tar.bz2 b/gnupg-2.2.17.tar.bz2 new file mode 100644 index 0000000..20dba88 Binary files /dev/null and b/gnupg-2.2.17.tar.bz2 differ diff --git a/gnupg-2.2.17.tar.bz2.sig b/gnupg-2.2.17.tar.bz2.sig new file mode 100644 index 0000000..8b983bd Binary files /dev/null and b/gnupg-2.2.17.tar.bz2.sig differ diff --git a/gnupg-2.2.8-file-is-digest.patch b/gnupg-2.2.8-file-is-digest.patch new file mode 100644 index 0000000..49345cd --- /dev/null +++ b/gnupg-2.2.8-file-is-digest.patch @@ -0,0 +1,190 @@ +diff -up gnupg-2.2.8/g10/gpg.c.file-is-digest gnupg-2.2.8/g10/gpg.c +--- gnupg-2.2.8/g10/gpg.c.file-is-digest 2018-06-11 10:15:33.755167428 +0200 ++++ gnupg-2.2.8/g10/gpg.c 2018-06-11 10:17:36.352063501 +0200 +@@ -376,6 +376,7 @@ enum cmd_and_opt_values + oTTYtype, + oLCctype, + oLCmessages, ++ oFileIsDigest, + oXauthority, + oGroup, + oUnGroup, +@@ -821,6 +822,7 @@ static ARGPARSE_OPTS opts[] = { + ARGPARSE_s_s (oPersonalCompressPreferences, + "personal-compress-preferences", "@"), + ARGPARSE_s_s (oFakedSystemTime, "faked-system-time", "@"), ++ ARGPARSE_s_n (oFileIsDigest, "file-is-digest", "@"), + ARGPARSE_s_s (oWeakDigest, "weak-digest","@"), + ARGPARSE_s_n (oUnwrap, "unwrap", "@"), + ARGPARSE_s_n (oOnlySignTextIDs, "only-sign-text-ids", "@"), +@@ -2390,6 +2392,7 @@ main (int argc, char **argv) + opt.keyid_format = KF_NONE; + opt.def_sig_expire = "0"; + opt.def_cert_expire = "0"; ++ opt.file_is_digest = 0; + gnupg_set_homedir (NULL); + opt.passphrase_repeat = 1; + opt.emit_version = 0; +@@ -2963,6 +2966,7 @@ main (int argc, char **argv) + opt.verify_options&=~VERIFY_SHOW_PHOTOS; + break; + case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break; ++ case oFileIsDigest: opt.file_is_digest = 1; break; + + case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break; + +diff -up gnupg-2.2.8/g10/options.h.file-is-digest gnupg-2.2.8/g10/options.h +--- gnupg-2.2.8/g10/options.h.file-is-digest 2018-05-31 12:03:06.000000000 +0200 ++++ gnupg-2.2.8/g10/options.h 2018-06-11 10:15:33.757167476 +0200 +@@ -210,6 +210,7 @@ struct + int no_auto_check_trustdb; + int preserve_permissions; + int no_homedir_creation; ++ int file_is_digest; + struct groupitem *grouplist; + int mangle_dos_filenames; + int enable_progress_filter; +diff -up gnupg-2.2.8/g10/sign.c.file-is-digest gnupg-2.2.8/g10/sign.c +--- gnupg-2.2.8/g10/sign.c.file-is-digest 2017-08-28 12:22:54.000000000 +0200 ++++ gnupg-2.2.8/g10/sign.c 2018-06-11 10:15:33.757167476 +0200 +@@ -40,6 +40,7 @@ + #include "pkglue.h" + #include "../common/sysutils.h" + #include "call-agent.h" ++#include "../common/host2net.h" + #include "../common/mbox-util.h" + #include "../common/compliance.h" + +@@ -727,6 +728,8 @@ write_signature_packets (ctrl_t ctrl, + if (duration || opt.sig_policy_url + || opt.sig_notations || opt.sig_keyserver_url) + sig->version = 4; ++ else if (opt.file_is_digest) ++ sig->version = 3; + else + sig->version = pk->version; + +@@ -750,8 +753,10 @@ write_signature_packets (ctrl_t ctrl, + mk_notation_policy_etc (sig, NULL, pk); + } + +- hash_sigversion_to_magic (md, sig); +- gcry_md_final (md); ++ if (!opt.file_is_digest) { ++ hash_sigversion_to_magic (md, sig); ++ gcry_md_final (md); ++ } + + rc = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce); + gcry_md_close (md); +@@ -813,6 +818,8 @@ sign_file (ctrl_t ctrl, strlist_t filena + SK_LIST sk_rover = NULL; + int multifile = 0; + u32 duration=0; ++ int sigclass = 0x00; ++ u32 timestamp = 0; + + pfx = new_progress_context (); + afx = new_armor_context (); +@@ -830,7 +837,16 @@ sign_file (ctrl_t ctrl, strlist_t filena + fname = NULL; + + if( fname && filenames->next && (!detached || encryptflag) ) +- log_bug("multiple files can only be detached signed"); ++ log_bug("multiple files can only be detached signed\n"); ++ ++ if (opt.file_is_digest && (multifile || !fname)) ++ log_bug("file-is-digest only works with one file\n"); ++ if (opt.file_is_digest && !detached) ++ log_bug("file-is-digest can only write detached signatures\n"); ++ if (opt.file_is_digest && !opt.def_digest_algo) ++ log_bug("file-is-digest needs --digest-algo\n"); ++ if (opt.file_is_digest && opt.textmode) ++ log_bug("file-is-digest doesn't work with --textmode\n"); + + if(encryptflag==2 + && (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek))) +@@ -851,7 +867,7 @@ sign_file (ctrl_t ctrl, strlist_t filena + goto leave; + + /* prepare iobufs */ +- if( multifile ) /* have list of filenames */ ++ if( multifile || opt.file_is_digest) /* have list of filenames */ + inp = NULL; /* we do it later */ + else { + inp = iobuf_open(fname); +@@ -989,7 +1005,7 @@ sign_file (ctrl_t ctrl, strlist_t filena + for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next) + gcry_md_enable (mfx.md, hash_for (sk_rover->pk)); + +- if( !multifile ) ++ if( !multifile && !opt.file_is_digest ) + iobuf_push_filter( inp, md_filter, &mfx ); + + if( detached && !encryptflag) +@@ -1044,6 +1060,8 @@ sign_file (ctrl_t ctrl, strlist_t filena + + write_status_begin_signing (mfx.md); + ++ sigclass = opt.textmode && !outfile? 0x01 : 0x00; ++ + /* Setup the inner packet. */ + if( detached ) { + if( multifile ) { +@@ -1084,6 +1102,45 @@ sign_file (ctrl_t ctrl, strlist_t filena + if( opt.verbose ) + log_printf ("\n"); + } ++ else if (opt.file_is_digest) { ++ byte *mdb, ts[5]; ++ size_t mdlen; ++ const char *fp; ++ int c, d; ++ ++ gcry_md_final(mfx.md); ++ /* this assumes gcry_md_read returns the same buffer */ ++ mdb = gcry_md_read(mfx.md, opt.def_digest_algo); ++ mdlen = gcry_md_get_algo_dlen(opt.def_digest_algo); ++ if (strlen(fname) != mdlen * 2 + 11) ++ log_bug("digests must be %zu + @ + 5 bytes\n", mdlen); ++ d = -1; ++ for (fp = fname ; *fp; ) { ++ c = *fp++; ++ if (c >= '0' && c <= '9') ++ c -= '0'; ++ else if (c >= 'a' && c <= 'f') ++ c -= 'a' - 10; ++ else if (c >= 'A' && c <= 'F') ++ c -= 'A' - 10; ++ else ++ log_bug("filename is not hex\n"); ++ if (d >= 0) { ++ *mdb++ = d << 4 | c; ++ c = -1; ++ if (--mdlen == 0) { ++ mdb = ts; ++ if (*fp++ != '@') ++ log_bug("missing time separator\n"); ++ } ++ } ++ d = c; ++ } ++ sigclass = ts[0]; ++ if (sigclass != 0x00 && sigclass != 0x01) ++ log_bug("bad cipher class\n"); ++ timestamp = buf32_to_u32(ts + 1); ++ } + else { + /* read, so that the filter can calculate the digest */ + while( iobuf_get(inp) != -1 ) +@@ -1102,8 +1159,8 @@ sign_file (ctrl_t ctrl, strlist_t filena + + /* write the signatures */ + rc = write_signature_packets (ctrl, sk_list, out, mfx.md, +- opt.textmode && !outfile? 0x01 : 0x00, +- 0, duration, detached ? 'D':'S', NULL); ++ sigclass, ++ timestamp, duration, detached ? 'D':'S', NULL); + if( rc ) + goto leave; + diff --git a/gnupg2.spec b/gnupg2.spec new file mode 100644 index 0000000..908cf4d --- /dev/null +++ b/gnupg2.spec @@ -0,0 +1,107 @@ +Name: gnupg2 +Version: 2.2.17 +Release: 1 +Summary: Utility for secure communication and data storage + +License: GPLv3+ +URL: https://gnupg.org/ +Source0: https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-%{version}.tar.bz2 +Source1: https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-%{version}.tar.bz2.sig + +Patch1: gnupg-2.1.21-insttools.patch +Patch3: gnupg-2.1.10-secmem.patch +Patch4: gnupg-2.2.8-file-is-digest.patch +Patch5: gnupg-2.2.17-ocsp-keyusage.patch +Patch6: gnupg-2.1.1-fips-algo.patch +Patch9: gnupg-2.1.21-large-rsa.patch + +BuildRequires: zlib-devel, npth-devel +BuildRequires: libgpg-error-devel >= 1.31 +BuildRequires: libgcrypt-devel >= 1.7.0 +BuildRequires: libksba-devel >= 1.3.0 +BuildRequires: libassuan-devel >= 2.1.0 + +Requires: libgcrypt >= 1.7.0 +Requires: libgpg-error >= 1.31 + +Recommends: pinentry +Recommends: gnupg2-smime + +Provides: gpg = %{version}-%{release} +Provides: gnupg = %{version}-%{release} +Provides: dirmngr = %{version}-%{release} +Provides: gnupg2-smime + +Obsoletes: gnupg <= 1.4.24 +Obsoletes: dirmngr < 1.2.0-1 +Obsoletes: gnupg2-smime + +%description +GnuPG is a complete and free implementation of the OpenPGP standard +as defined by RFC4880 (also known as PGP). GnuPG enables encryption +and signing of data and communication, and features a versatile key +management system as well as access modules for public key +directories. + +GnuPG 2.0 adds support for smart cards and S/MIME encryption and +signing to the base GnuPG package. + +%package_help + +%prep +%autosetup -n gnupg-%{version} -p1 + +%global pcsclib %(basename $(ls -1 %{_libdir}/libpcsclite.so.? 2>/dev/null ) 2>/dev/null ) + +sed -i -e 's/"libpcsclite\.so"/"%{pcsclib}"/' scd/scdaemon.c + +%build +%configure \ + --enable-gpg-is-gpg2 \ + --disable-gpgtar \ + --disable-rpath \ + --enable-g13 \ + --enable-large-secmem + +%make_build + +%install +%make_install + +%find_lang %{name} + +mkdir -p %{buildroot}%{_sysconfdir}/gnupg +touch %{buildroot}%{_sysconfdir}/gnupg/gpgconf.conf + +rm -f %{buildroot}%{_infodir}/dir + +%check +make check + +%files -f %{name}.lang +%defattr(-,root,root) +%license COPYING +%doc README AUTHORS +%dir %{_sysconfdir}/gnupg +%ghost %config(noreplace) %{_sysconfdir}/gnupg/gpgconf.conf +%{_bindir}/gpg* +%{_bindir}/g13 +%{_bindir}/dirmngr* +%{_bindir}/watchgnupg +%{_bindir}/kbxutil +%{_sbindir}/* +%{_libexecdir}/* + + +%files help +%defattr(-,root,root) +%doc NEWS TODO THANKS +%{_infodir}/*info*.gz +%{_datadir}/gnupg/ +%{_datadir}/doc/gnupg/* +%{_mandir}/man?/* + + +%changelog +* Thu Sep 12 2019 openEuler Buildteam - 2.2.17-1 +- Package init