colin/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Revert "Add LTS version of GnuPG and update libgcrypt to latest LTS version"

Browse Source
This commit is contained in:
K900 2023-04-13 11:46:59 +03:00 committed by GitHub
parent 59695dcb9e
commit 6092709f22
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 122 additions and 342 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
pkgs/development/libraries/libgcrypt/1.5.nix Normal file
View File

@ -0,0 +1,53 @@
{ lib, stdenv, fetchpatch, fetchurl, libgpg-error, enableCapabilities ? false, libcap }:
assert enableCapabilities -> stdenv.isLinux;
stdenv.mkDerivation rec {
pname = "libgcrypt";
version = "1.5.6";
src = fetchurl {
url = "mirror://gnupg/libgcrypt/libgcrypt-${version}.tar.bz2";
sha256 = "0ydy7bgra5jbq9mxl5x031nif3m6y3balc6ndw2ngj11wnsjc61h";
};
patches = lib.optionals stdenv.isDarwin [
(fetchpatch {
name = "fix-x86_64-apple-darwin.patch";
sha256 = "138sfwl1avpy19320dbd63mskspc1khlc93j1f1zmylxx3w19csi";
url = "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=71939faa7c54e7b4b28d115e748a85f134876a02";
})
];
buildInputs =
[ libgpg-error ]
++ lib.optional enableCapabilities libcap;
# Make sure libraries are correct for .pc and .la files
# Also make sure includes are fixed for callers who don't use libgpgcrypt-config
postInstall = ''
sed -i 's,#include <gpg-error.h>,#include "${libgpg-error.dev}/include/gpg-error.h",g' $out/include/gcrypt.h
'' + lib.optionalString enableCapabilities ''
sed -i 's,\(-lcap\),-L${libcap.lib}/lib \1,' $out/lib/libgcrypt.la
'';
doCheck = true;
meta = with lib; {
homepage = "https://www.gnu.org/software/libgcrypt/";
description = "General-pupose cryptographic library";
license = licenses.lgpl2Plus;
platforms = platforms.all;
knownVulnerabilities = [
"CVE-2014-3591"
"CVE-2015-0837"
"CVE-2015-7511"
"CVE-2017-0379"
"CVE-2017-7526"
"CVE-2017-9526"
"CVE-2018-0495"
"CVE-2018-6829"
"CVE-2018-12437"
];
};
}

75
pkgs/development/libraries/libgcrypt/1.8.nix
View File

@ -1,75 +0,0 @@
{ lib
, stdenv
, fetchurl
, libgpg-error
, enableCapabilities ? false, libcap
, buildPackages
# for passthru.tests
, gnupg
, libotr
, rsyslog
}:
assert enableCapabilities -> stdenv.isLinux;
stdenv.mkDerivation rec {
pname = "libgcrypt";
version = "1.8.10";
src = fetchurl {
url = "mirror://gnupg/libgcrypt/libgcrypt-${version}.tar.bz2";
sha256 = "sha256-aJaRVQH5UeI9AtywRTRpwswiqk13oAH/c6JkfC0p590=";
};
outputs = [ "out" "dev" "info" ];
outputBin = "dev";
# The CPU Jitter random number generator must not be compiled with
# optimizations and the optimize -O0 pragma only works for gcc.
# The build enables -O2 by default for everything else.
hardeningDisable = lib.optional stdenv.cc.isClang "fortify";
depsBuildBuild = [ buildPackages.stdenv.cc ];
buildInputs = [ libgpg-error ]
++ lib.optional enableCapabilities libcap;
strictDeps = true;
configureFlags = [ "--with-libgpg-error-prefix=${libgpg-error.dev}" ]
++ lib.optional (stdenv.hostPlatform.isMusl || (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64)) "--disable-asm"; # for darwin see https://dev.gnupg.org/T5157
# Necessary to generate correct assembly when compiling for aarch32 on
# aarch64
configurePlatforms = [ "host" "build" ];
postConfigure = ''
sed -i configure \
-e 's/NOEXECSTACK_FLAGS=$/NOEXECSTACK_FLAGS="-Wa,--noexecstack"/'
'';
# Make sure libraries are correct for .pc and .la files
# Also make sure includes are fixed for callers who don't use libgpgcrypt-config
postFixup = ''
sed -i 's,#include <gpg-error.h>,#include "${libgpg-error.dev}/include/gpg-error.h",g' "$dev/include/gcrypt.h"
'' + lib.optionalString enableCapabilities ''
sed -i 's,\(-lcap\),-L${libcap.lib}/lib \1,' $out/lib/libgcrypt.la
'';
doCheck = true;
passthru.tests = {
inherit gnupg libotr rsyslog;
};
meta = with lib; {
homepage = "https://www.gnu.org/software/libgcrypt/";
changelog = "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=NEWS;hb=refs/tags/${pname}-${version}";
description = "General-purpose cryptographic library";
license = licenses.lgpl2Plus;
platforms = platforms.all;
knownVulnerabilities = [
"CVE-2018-12437" # CVE is about LibTomCrypt
];
};
}

34
pkgs/tools/security/gnupg/0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch Normal file
View File

@ -0,0 +1,34 @@
From 1c9cc97e9d47d73763810dcb4a36b6cdf31a2254 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Sun, 30 Jun 2019 11:54:35 -0400
Subject: [PATCH] dirmngr: Only use SKS pool CA for SKS pool
* dirmngr/http.c (http_session_new): when checking whether the
keyserver is the HKPS pool, check specifically against the pool name,
as ./configure might have been used to select a different default
keyserver. It makes no sense to apply Kristian's certificate
authority to anything other than the literal host
hkps.pool.sks-keyservers.net.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
GnuPG-Bug-Id: 4593
---
dirmngr/http.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dirmngr/http.c b/dirmngr/http.c
index 384f2569d..8e5d53939 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -767,7 +767,7 @@ http_session_new (http_session_t *r_session,
is_hkps_pool = (intended_hostname
&& !ascii_strcasecmp (intended_hostname,
- get_default_keyserver (1)));
+ "hkps.pool.sks-keyservers.net"));
/* If the user has not specified a CA list, and they are looking
* for the hkps pool from sks-keyservers.net, then default to
--
2.22.0

110
pkgs/tools/security/gnupg/22.nix
View File

@ -1,110 +0,0 @@
{ lib, stdenv, fetchurl, buildPackages
, pkg-config, texinfo
, gettext, libassuan, libgcrypt, libgpg-error, libiconv, libksba, npth
, adns, bzip2, gnutls, libusb1, openldap, readline, sqlite, zlib
, enableMinimal ? false
, withPcsc ? !enableMinimal, pcsclite
, guiSupport ? stdenv.isDarwin, pinentry
}:
with lib;
let
pinentryBinaryPath = pinentry.binaryPath or "bin/pinentry";
in
assert guiSupport -> enableMinimal == false;
stdenv.mkDerivation rec {
pname = "gnupg";
version = "2.2.41";
src = fetchurl {
url = "mirror://gnupg/gnupg/${pname}-${version}.tar.bz2";
hash = "sha256-E/MpEAel6FRvy3vAxmEM5EqqmzmVBZ1PgUW6Cf1b4+E=";
};
depsBuildBuild = [ buildPackages.stdenv.cc ];
nativeBuildInputs = [ pkg-config texinfo ];
buildInputs = [
gettext libassuan libgcrypt libgpg-error libiconv libksba npth
] ++ lib.optionals (!enableMinimal) [
adns bzip2 gnutls libusb1 openldap readline sqlite zlib
];
patches = [
./fix-libusb-include-path.patch
./tests-add-test-cases-for-import-without-uid.patch
./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
./22-allow-import-of-previously-known-keys-even-without-UI.patch
];
postPatch = ''
sed -i 's,hkps://hkps.pool.sks-keyservers.net,hkps://keys.openpgp.org,g' configure doc/dirmngr.texi doc/gnupg.info-1
# Fix broken SOURCE_DATE_EPOCH usage - remove on the next upstream update
sed -i 's/$SOURCE_DATE_EPOCH/''${SOURCE_DATE_EPOCH}/' doc/Makefile.am
sed -i 's/$SOURCE_DATE_EPOCH/''${SOURCE_DATE_EPOCH}/' doc/Makefile.in
'' + lib.optionalString (stdenv.isLinux && withPcsc) ''
sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c
'';
configureFlags = [
"--with-libgpg-error-prefix=${libgpg-error.dev}"
"--with-libgcrypt-prefix=${libgcrypt.dev}"
"--with-libassuan-prefix=${libassuan.dev}"
"--with-ksba-prefix=${libksba.dev}"
"--with-npth-prefix=${npth}"
]
++ lib.optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentryBinaryPath}"
++ lib.optional stdenv.isDarwin "--disable-ccid-driver";
postInstall = if enableMinimal
then ''
rm -r $out/{libexec,sbin,share}
for f in $(find $out/bin -type f -not -name gpg)
do
rm $f
done
'' else ''
mkdir -p $out/lib/systemd/user
for f in doc/examples/systemd-user/*.{service,socket} ; do
substitute $f $out/lib/systemd/user/$(basename $f) \
--replace /usr/bin $out/bin
done
# add gpg2 symlink to make sure git does not break when signing commits
ln -s $out/bin/gpg $out/bin/gpg2
# Make libexec tools available in PATH
for f in $out/libexec/; do
if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi
ln -s $f $out/bin/$(basename $f)
done
ln -s -t $out/bin $out/libexec/*
'';
enableParallelBuilding = true;
passthru.tests.connman = nixosTests.gnupg;
meta = with lib; {
homepage = "https://gnupg.org";
description = "LTS release of the GNU Privacy Guard, a GPL OpenPGP implementation";
license = licenses.gpl3Plus;
longDescription = ''
The GNU Privacy Guard is the GNU project's complete and free
implementation of the OpenPGP standard as defined by RFC4880. GnuPG
"modern" (2.1) is the latest development with a lot of new features.
GnuPG allows to encrypt and sign your data and communication, features a
versatile key management system as well as access modules for all kind of
public key directories. GnuPG, also known as GPG, is a command line tool
with features for easy integration with other applications. A wealth of
frontend applications and libraries are available. Version 2 of GnuPG
also provides support for S/MIME.
'';
maintainers = with maintainers; [ fpletz vrthra ];
platforms = platforms.all;
mainProgram = "gpg";
};
}

107
pkgs/tools/security/gnupg/24-allow-import-of-previously-known-keys-even-without-UI.patch
View File

@ -1,107 +0,0 @@
From: Vincent Breitmoser <look@my.amazin.horse>
Date: Thu, 13 Jun 2019 21:27:42 +0200
Subject: gpg: allow import of previously known keys, even without UIDs
* g10/import.c (import_one): Accept an incoming OpenPGP certificate that
has no user id, as long as we already have a local variant of the cert
that matches the primary key.
--
This fixes two of the three broken tests in import-incomplete.scm.
GnuPG-Bug-id: 4393
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
g10/import.c | 44 +++++++++++---------------------------------
1 file changed, 11 insertions(+), 33 deletions(-)
diff --git a/g10/import.c b/g10/import.c
index 9fab46ca6..61896a6bf 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -1954,7 +1954,6 @@ import_one_real (ctrl_t ctrl,
size_t an;
char pkstrbuf[PUBKEY_STRING_SIZE];
int merge_keys_done = 0;
- int any_filter = 0;
KEYDB_HANDLE hd = NULL;
if (r_valid)
@@ -1992,13 +1991,6 @@ import_one_real (ctrl_t ctrl,
}
- if (!uidnode)
- {
- if (!silent)
- log_error( _("key %s: no user ID\n"), keystr_from_pk(pk));
- return 0;
- }
-
if (screener && screener (keyblock, screener_arg))
{
log_error (_("key %s: %s\n"), keystr_from_pk (pk),
@@ -2078,18 +2070,10 @@ import_one_real (ctrl_t ctrl,
}
}
- /* Delete invalid parts and bail out if there are no user ids left. */
- if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs))
- {
- if (!silent)
- {
- log_error ( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
- if (!opt.quiet)
- log_info(_("this may be caused by a missing self-signature\n"));
- }
- stats->no_user_id++;
- return 0;
- }
+ /* Delete invalid parts, and note if we have any valid ones left.
+ * We will later abort import if this key is new but contains
+ * no valid uids. */
+ delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs);
/* Get rid of deleted nodes. */
commit_kbnode (&keyblock);
@@ -2099,24 +2083,11 @@ import_one_real (ctrl_t ctrl,
{
apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid);
commit_kbnode (&keyblock);
- any_filter = 1;
}
if (import_filter.drop_sig)
{
apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig);
commit_kbnode (&keyblock);
- any_filter = 1;
- }
-
- /* If we ran any filter we need to check that at least one user id
- * is left in the keyring. Note that we do not use log_error in
- * this case. */
- if (any_filter && !any_uid_left (keyblock))
- {
- if (!opt.quiet )
- log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk));
- stats->no_user_id++;
- return 0;
}
/* The keyblock is valid and ready for real import. */
@@ -2174,6 +2145,13 @@ import_one_real (ctrl_t ctrl,
err = 0;
stats->skipped_new_keys++;
}
+ else if (err && !any_uid_left (keyblock))
+ {
+ if (!silent)
+ log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid));
+ err = 0;
+ stats->no_user_id++;
+ }
else if (err) /* Insert this key. */
{
/* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY. */

50
pkgs/tools/security/gnupg/24.nix
View File

@ -1,19 +1,13 @@
{ lib, stdenv, fetchurl, buildPackages
, pkg-config, texinfo
, gettext, libassuan, libgcrypt, libgpg-error, libiconv, libksba, npth
, adns, bzip2, gnutls, libusb1, openldap, readline, sqlite, zlib
, enableMinimal ? false
{ fetchurl, fetchpatch, lib, stdenv, pkg-config, libgcrypt, libassuan, libksba
, libgpg-error, libiconv, npth, gettext, texinfo, buildPackages
, nixosTests
, guiSupport ? stdenv.isDarwin, enableMinimal ? false
, adns, bzip2, gnutls, libusb1, openldap
, pinentry, readline, sqlite, zlib
, withPcsc ? !enableMinimal, pcsclite
, guiSupport ? stdenv.isDarwin, pinentry
, withTpm2Tss ? !stdenv.isDarwin && !enableMinimal, tpm2-tss
}:
with lib;
let
pinentryBinaryPath = pinentry.binaryPath or "bin/pinentry";
in
assert guiSupport -> enableMinimal == false;
stdenv.mkDerivation rec {
@ -22,43 +16,44 @@ stdenv.mkDerivation rec {
src = fetchurl {
url = "mirror://gnupg/gnupg/${pname}-${version}.tar.bz2";
hash = "sha256-HXkVjdAdmSQx3S4/rLif2slxJ/iXhOosthDGAPsMFIM=";
sha256 = "sha256-HXkVjdAdmSQx3S4/rLif2slxJ/iXhOosthDGAPsMFIM=";
};
depsBuildBuild = [ buildPackages.stdenv.cc ];
nativeBuildInputs = [ pkg-config texinfo ];
buildInputs = [
gettext libassuan libgcrypt libgpg-error libiconv libksba npth
] ++ lib.optionals (!enableMinimal) [
adns bzip2 gnutls libusb1 openldap readline sqlite zlib
] ++ lib.optionals withTpm2Tss [ tpm2-tss ];
libgcrypt libassuan libksba libiconv npth gettext
] ++ lib.optionals (!enableMinimal) ([
readline libusb1 gnutls adns openldap zlib bzip2 sqlite
] ++ lib.optional withTpm2Tss tpm2-tss);
patches = [
./fix-libusb-include-path.patch
./tests-add-test-cases-for-import-without-uid.patch
# TODO: Refresh patch? Doesn't apply on 2.4.0
#./allow-import-of-previously-known-keys-even-without-UI.patch
./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
./24-allow-import-of-previously-known-keys-even-without-UI.patch
# Patch for DoS vuln from https://seclists.org/oss-sec/2022/q3/27
./v3-0001-Disallow-compressed-signatures-and-certificates.patch
];
];
postPatch = ''
sed -i 's,\(hkps\|https\)://keyserver.ubuntu.com,hkps://keys.openpgp.org,g' configure configure.ac doc/dirmngr.texi doc/gnupg.info-1
'' + lib.optionalString (stdenv.isLinux && withPcsc) ''
sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c
'';
'' + lib.optionalString (stdenv.isLinux && withPcsc) ''
sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c
'';
pinentryBinaryPath = pinentry.binaryPath or "bin/pinentry";
configureFlags = [
"--with-libgpg-error-prefix=${libgpg-error.dev}"
"--with-libgcrypt-prefix=${libgcrypt.dev}"
"--with-libassuan-prefix=${libassuan.dev}"
"--with-ksba-prefix=${libksba.dev}"
"--with-npth-prefix=${npth}"
]
++ lib.optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentryBinaryPath}"
] ++ lib.optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentryBinaryPath}"
++ lib.optional withTpm2Tss "--with-tss=intel"
++ lib.optional stdenv.isDarwin "--disable-ccid-driver";
postInstall = if enableMinimal
then ''
rm -r $out/{libexec,sbin,share}
@ -81,11 +76,6 @@ stdenv.mkDerivation rec {
if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi
ln -s $f $out/bin/$(basename $f)
done
for f in $out/libexec/; do
if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi
ln -s $f $out/bin/$(basename $f)
done
'';
enableParallelBuilding = true;

26
pkgs/tools/security/gnupg/22-allow-import-of-previously-known-keys-even-without-UI.patch → pkgs/tools/security/gnupg/allow-import-of-previously-known-keys-even-without-UI.patch
View File

@ -16,12 +16,11 @@ Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
g10/import.c | 44 +++++++++++---------------------------------
1 file changed, 11 insertions(+), 33 deletions(-)
diff --git a/g10/import.c b/g10/import.c
index cd3363fc7..8f10771db 100644
index 5d3162c..f9acf95 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -1858,7 +1858,6 @@ import_one_real (ctrl_t ctrl,
@@ -1788,7 +1788,6 @@ import_one_real (ctrl_t ctrl,
size_t an;
char pkstrbuf[PUBKEY_STRING_SIZE];
int merge_keys_done = 0;
@ -29,11 +28,12 @@ index cd3363fc7..8f10771db 100644
KEYDB_HANDLE hd = NULL;
if (r_valid)
@@ -1896,13 +1895,6 @@ import_one_real (ctrl_t ctrl,
@@ -1825,14 +1824,6 @@ import_one_real (ctrl_t ctrl,
log_printf ("\n");
}
- if (!uidnode )
-
- if (!uidnode)
- {
- if (!silent)
- log_error( _("key %s: no user ID\n"), keystr_from_pk(pk));
@ -43,17 +43,17 @@ index cd3363fc7..8f10771db 100644
if (screener && screener (keyblock, screener_arg))
{
log_error (_("key %s: %s\n"), keystr_from_pk (pk),
@@ -1977,18 +1969,10 @@ import_one_real (ctrl_t ctrl,
@@ -1907,18 +1898,10 @@ import_one_real (ctrl_t ctrl,
}
}
- /* Delete invalid parts and bail out if there are no user ids left. */
- if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs))
- if (!delete_inv_parts (ctrl, keyblock, keyid, options))
- {
- if (!silent)
- {
- log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
- if (!opt.quiet )
- log_error ( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
- if (!opt.quiet)
- log_info(_("this may be caused by a missing self-signature\n"));
- }
- stats->no_user_id++;
@ -62,11 +62,11 @@ index cd3363fc7..8f10771db 100644
+ /* Delete invalid parts, and note if we have any valid ones left.
+ * We will later abort import if this key is new but contains
+ * no valid uids. */
+ delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs);
+ delete_inv_parts (ctrl, keyblock, keyid, options);
/* Get rid of deleted nodes. */
commit_kbnode (&keyblock);
@@ -1998,24 +1982,11 @@ import_one_real (ctrl_t ctrl,
@@ -1927,24 +1911,11 @@ import_one_real (ctrl_t ctrl,
{
apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid);
commit_kbnode (&keyblock);
@ -91,7 +91,7 @@ index cd3363fc7..8f10771db 100644
}
/* The keyblock is valid and ready for real import. */
@@ -2073,6 +2044,13 @@ import_one_real (ctrl_t ctrl,
@@ -2002,6 +1973,13 @@ import_one_real (ctrl_t ctrl,
err = 0;
stats->skipped_new_keys++;
}

9
pkgs/top-level/all-packages.nix
View File

@ -7887,13 +7887,8 @@ with pkgs;
gnupg1orig = callPackage ../tools/security/gnupg/1.nix { };
gnupg1compat = callPackage ../tools/security/gnupg/1compat.nix { };
gnupg1 = gnupg1compat; # use config.packageOverrides if you prefer original gnupg1
gnupg22 = callPackage ../tools/security/gnupg/22.nix {
pinentry = if stdenv.isDarwin then pinentry_mac else pinentry-gtk2;
libgcrypt = libgcrypt_1_8;
};
gnupg24 = callPackage ../tools/security/gnupg/24.nix {
guiSupport = stdenv.isDarwin;
pinentry = if stdenv.isDarwin then pinentry_mac else pinentry-gtk2;
};
gnupg = gnupg24;
@ -21535,7 +21530,7 @@ with pkgs;
libgcrypt = callPackage ../development/libraries/libgcrypt { };
libgcrypt_1_8 = callPackage ../development/libraries/libgcrypt/1.8.nix { };
libgcrypt_1_5 = callPackage ../development/libraries/libgcrypt/1.5.nix { };
libgdiplus = callPackage ../development/libraries/libgdiplus {
inherit (darwin.apple_sdk.frameworks) Carbon;