diff options
Diffstat (limited to 'app-crypt/gnupg')
22 files changed, 1582 insertions, 387 deletions
diff --git a/app-crypt/gnupg/Manifest b/app-crypt/gnupg/Manifest index dbeb3c42d900..e2facd7b6303 100644 --- a/app-crypt/gnupg/Manifest +++ b/app-crypt/gnupg/Manifest @@ -1,4 +1,8 @@ -DIST gnupg-2.2.16-scdaemon_shared-access.patch 2586 BLAKE2B 42fd5482c4e86751ce62836125997c2295c44bc5db0671a06460fd306b2ed93f290fb898fc1b1e463a863eddf9ab5f99ea3c90a55499ef45ca1ed6edf2854663 SHA512 38abaa4200114ae6b6f220fabc0a84a056761949c97bd0564557f4411a299b9a1939893555c27e26da2d8e8da4bc97a298fa7e68f1e80fe99c3f88cc329eaa84 -DIST gnupg-2.2.27.tar.bz2 7191555 BLAKE2B d652aad382cf07cc458b29ff82718edd47457d8236dcbeee51f22d88503be141f009e9ea45b6dafe614115d9558fe371509579e58ce17a5f04540a31aa406ea3 SHA512 cf336962116c9c08ac80b1299654b94948033ef51d6d5e7f54c2f07bbf7d92c7b0bddb606ceee2cdd837063f519b8d59af5a82816b840a0fc47d90c07b0e95ab -DIST gnupg-2.2.28.tar.bz2 7218833 BLAKE2B 61e90a39f4572f41da687c6a6983a897eec1784d60b6ff6579f895c07214d273ad2a25a1a5cb4c26210028afee32c58a8fb0752683a0ab9a5f8a73438492b80b SHA512 d79594fac93773639fc5b95cdfad1003829879e1bc9c415261bccfc64bd56cbeec5d8571d1468e4e3fd982c546e3b9cfc2161412d544717f48eabe3a360caae8 -DIST gnupg-2.3.1.tar.bz2 7570431 BLAKE2B f7c7d3246b0807798917ecd711c74ea7c52dd24530106765a1f4a6e9af098c9a99c5d0f44fc2c253d013b11f862fccf0b1630593d07b2e1950a91b3473c671c1 SHA512 d2cc82c1b47bbd79acd6ef787c01684fb084b1c5507bbca6cf7ca8834ed978ae7a44c01d652cc3afbd70e2906583c8701aebc8d9fd3fc5e0401769ad4cd46af1 +DIST gnupg-2.2.42.tar.bz2 7434291 BLAKE2B 5f7f01f31949e5258d638fbff81fa641e5c167e6eaf32c55eb187d4a31b31cd4fe6e51c622e74d8544c4f95c75484e15117f26a8cf26055ff6813d75e54f2b8a SHA512 9c59d034f428d42323b5520e1a8984acc1505ba1d96d90f00e17b24aa91660b2dc64e1a3ceb044c56f39b4c402a77c7e0b226c65218c23c094781b4ef51e2eb5 +DIST gnupg-2.2.42.tar.bz2.sig 238 BLAKE2B 251ad0a832042ceb93b0edfda8652104bfb463e291322f22f0ab0d9b35606c3589be7a6f3e9e2aac8f6ac368a7d11840ab83b29997587dc65685de9f2dec3fee SHA512 7073bfc920c571680a1de57b4e6cd83cde24ccb3b5f592602b0c32fd762eef497027b08745044c9f41130ca99bb7ec77222568c2d0a1099d3c1c15137e0221d7 +DIST gnupg-2.2.43.tar.bz2 7435426 BLAKE2B ddf5c89d317e6ce8d1a5348f0ef81ffa1c61c995ddb312b28410f04502b01eae307cd943bee7182d28d4efccac394c91053f8e33756b00166bf66b2bf4a791a7 SHA512 0d2e733b6659c116c043db5252de4de33d6a70c16172d1fe9b779ba413ba9fcb64bbfdcc4686d0e87904561fc62d1aa765144e0586957a500287c175ee37bd49 +DIST gnupg-2.2.43.tar.bz2.sig 119 BLAKE2B 38fd3790f5065d67d6b5323ef7abbb79facf00e5b9daba98e5078302fc3887423173ba434c7eff1e64faecef88d87aab9c057c570d6e96e8d0808f07f32d8fa1 SHA512 47c5354869b1825e56fa4276826fcde1ee41c70aab9b411686cf2733f4d1df9c006049e49e066b22e475bd37b337f9ffc97f8bbca0c62c0f32296909464a0643 +DIST gnupg-2.4.4.tar.bz2 7886036 BLAKE2B 02661e89f0358be09fa3e71e7235b764a7dbda62a48a0c8c7a4e6c9919c3b37d54ead50b930af58f8f2fdb87861b849d3f3751e95cbedf46bdfd76caa90c4db4 SHA512 3d1a3b08d1ce2319d238d8be96591e418ede1dc0b4ede33a4cc2fe40e9c56d5bbc27b1984736d8a786e7f292ddbc836846a8bdb4bf89f064e953c37cb54b94ef +DIST gnupg-2.4.4.tar.bz2.sig 237 BLAKE2B 6ee5878c36fbec747a6d84a268903749d862aab50dd7f9a389aabbf7b94dec1c424615f520b5f4a6d44e02093e8d9ad0b08d0c6cf6fd8886d8c174ce9faac99c SHA512 3ae7b6833576df851901a7619459b514bb82faeed350c864a57a782719d21f694d9ced5a3445c81dfa584a0302f87fedc660b08ea97bb8b861e76d7c5b46d07f +DIST gnupg-2.4.5.tar.bz2 7889060 BLAKE2B a8b80cd4dfbb377066efb5c9f1b6cdc6d0cd1b18358c962781b5c06de1545117b13038a4655ae627c36bfd2e5fee127692df8729d6b23e1b31051ab6d897b733 SHA512 4d54744f09399c5899144d0cb5fdc2756e45b058db41b9ea9df3be03e80b914509e16ef35aa0248e7561185b80f7a5f9fd6afcab8ccff75ff82ed555448a38ff +DIST gnupg-2.4.5.tar.bz2.sig 119 BLAKE2B f37fb5620bc009a5b935ac75df4235d377da4f052115c3c22c8d0887e9b21df6ea3059ac510eb2b555d825c2294e1c3ee44c86ecb371c6444a4645ca5a5c265a SHA512 53be0db371a98c930cbef9c844adcd06a8049d84dd71508f6f7427fc1736b374912c85ebf3a415748651260f65cf26f633697f4bdae2cc4a8d2c4b522db0bc71 diff --git a/app-crypt/gnupg/files/README-systemd b/app-crypt/gnupg/files/README-systemd new file mode 100644 index 000000000000..cc38fd66ab57 --- /dev/null +++ b/app-crypt/gnupg/files/README-systemd @@ -0,0 +1,67 @@ +Socket-activated dirmngr and gpg-agent with systemd +=================================================== + +When used on a GNU/Linux system supervised by systemd, you can ensure +that the GnuPG daemons dirmngr and gpg-agent are launched +automatically the first time they're needed, and shut down cleanly at +session logout. This is done by enabling user services via +socket-activation. + +System distributors +------------------- + +The *.service and *.socket files (from this directory) should be +placed in /usr/lib/systemd/user/ alongside other user-session services +and sockets. + +To enable socket-activated dirmngr for all accounts on the system, +use: + + systemctl --user --global enable dirmngr.socket + +To enable socket-activated gpg-agent for all accounts on the system, +use: + + systemctl --user --global enable gpg-agent.socket + +Additionally, you can enable socket-activated gpg-agent ssh-agent +emulation for all accounts on the system with: + + systemctl --user --global enable gpg-agent-ssh.socket + +You can also enable restricted ("--extra-socket"-style) gpg-agent +sockets for all accounts on the system with: + + systemctl --user --global enable gpg-agent-extra.socket + +Individual users +---------------- + +A user on a system with systemd where this has not been installed +system-wide can place these files in ~/.config/systemd/user/ to make +them available. + +If a given service isn't installed system-wide, or if it's installed +system-wide but not globally enabled, individual users will still need +to enable them. For example, to enable socket-activated dirmngr for +all future sessions: + + systemctl --user enable dirmngr.socket + +To enable socket-activated gpg-agent with ssh support, do: + + systemctl --user enable gpg-agent.socket gpg-agent-ssh.socket + +These changes won't take effect until your next login after you've +fully logged out (be sure to terminate any running daemons before +logging out). + +If you'd rather try a socket-activated GnuPG daemon in an +already-running session without logging out (with or without enabling +it for all future sessions), kill any existing daemon and start the +user socket directly. For example, to set up socket-activated dirmgnr +in the current session: + + gpgconf --kill dirmngr + systemctl --user start dirmngr.socket + diff --git a/app-crypt/gnupg/files/dirmngr.service b/app-crypt/gnupg/files/dirmngr.service new file mode 100644 index 000000000000..3c060cde5d87 --- /dev/null +++ b/app-crypt/gnupg/files/dirmngr.service @@ -0,0 +1,8 @@ +[Unit] +Description=GnuPG network certificate management daemon +Documentation=man:dirmngr(8) +Requires=dirmngr.socket + +[Service] +ExecStart=/usr/bin/dirmngr --supervised +ExecReload=/usr/bin/gpgconf --reload dirmngr diff --git a/app-crypt/gnupg/files/dirmngr.socket b/app-crypt/gnupg/files/dirmngr.socket new file mode 100644 index 000000000000..ebabf896ab43 --- /dev/null +++ b/app-crypt/gnupg/files/dirmngr.socket @@ -0,0 +1,11 @@ +[Unit] +Description=GnuPG network certificate management daemon +Documentation=man:dirmngr(8) + +[Socket] +ListenStream=%t/gnupg/S.dirmngr +SocketMode=0600 +DirectoryMode=0700 + +[Install] +WantedBy=sockets.target diff --git a/app-crypt/gnupg/files/gnupg-2.2.28-dirmngr_ldap.patch b/app-crypt/gnupg/files/gnupg-2.2.28-dirmngr_ldap.patch deleted file mode 100644 index 86e83de8ec37..000000000000 --- a/app-crypt/gnupg/files/gnupg-2.2.28-dirmngr_ldap.patch +++ /dev/null @@ -1,36 +0,0 @@ -From c8b2162c0e7eb42b74811b7ed225fa0f56be4083 Mon Sep 17 00:00:00 2001 -From: NIIBE Yutaka <gniibe@fsij.org> -Date: Fri, 11 Jun 2021 10:30:02 +0900 -Subject: [PATCH] dirmngir: Fix build with --disable-ldap. - -* dirmngr/dirmngr.c (parse_rereadable_options) [USE_LDAP]: -Conditionalize. - --- - -Reported-by: Phil Pennock -Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> ---- - dirmngr/dirmngr.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c -index 04fe9e238..6a818cabc 100644 ---- a/dirmngr/dirmngr.c -+++ b/dirmngr/dirmngr.c -@@ -736,6 +736,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread) - case oRecursiveResolver: enable_recursive_resolver (1); break; - - case oLDAPServer: -+#if USE_LDAP - { - ldap_server_t server; - char *p; -@@ -757,6 +758,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread) - opt.ldapservers = server; - } - } -+#endif - break; - - case oKeyServer: diff --git a/app-crypt/gnupg/files/gnupg-2.2.42-bug923248-insecure-backup.patch b/app-crypt/gnupg/files/gnupg-2.2.42-bug923248-insecure-backup.patch new file mode 100644 index 000000000000..76d6d94c40b1 --- /dev/null +++ b/app-crypt/gnupg/files/gnupg-2.2.42-bug923248-insecure-backup.patch @@ -0,0 +1,292 @@ +https://bugs.gentoo.org/923248 +https://dev.gnupg.org/T6944 +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=3b69d8bf7146b8d10737d0cfea9c97affc60ad73 + +From 3b69d8bf7146b8d10737d0cfea9c97affc60ad73 Mon Sep 17 00:00:00 2001 +From: Werner Koch <wk@gnupg.org> +Date: Wed, 24 Jan 2024 11:29:24 +0100 +Subject: [PATCH] gpg: Fix leftover unprotected card backup key. + +* agent/command.c (cmd_learn): Add option --reallyforce. +* agent/findkey.c (agent_write_private_key): Implement reallyforce. +Also add arg reallyforce and pass it along the call chain. + +* g10/call-agent.c (agent_scd_learn): Pass --reallyforce with a +special force value. +* g10/keygen.c (card_store_key_with_backup): Use that force value. +-- + +This was a regression in 2.2.42. We took the easy path to fix it by +getting the behaviour back to what we did prior to 2.2.42. With GnuPG +2.4.4 we use an entire different and safer approach by introducing an +ephemeral private key store. + +GnuPG-bug-id: 6944 +--- a/agent/agent.h ++++ b/agent/agent.h +@@ -422,7 +422,8 @@ void start_command_handler_ssh (ctrl_t, gnupg_fd_t); + gpg_error_t agent_modify_description (const char *in, const char *comment, + const gcry_sexp_t key, char **result); + int agent_write_private_key (const unsigned char *grip, +- const void *buffer, size_t length, int force, ++ const void *buffer, size_t length, ++ int force, int reallyforce, + const char *serialno, const char *keyref, + const char *dispserialno, time_t timestamp); + gpg_error_t agent_key_from_file (ctrl_t ctrl, +@@ -548,6 +549,7 @@ gpg_error_t s2k_hash_passphrase (const char *passphrase, int hashalgo, + gpg_error_t agent_write_shadow_key (const unsigned char *grip, + const char *serialno, const char *keyid, + const unsigned char *pkbuf, int force, ++ int reallyforce, + const char *dispserialno); + + +@@ -628,7 +630,8 @@ void agent_card_killscd (void); + + + /*-- learncard.c --*/ +-int agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, int force); ++int agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, ++ int force, int reallyforce); + + + /*-- cvt-openpgp.c --*/ +--- a/agent/command-ssh.c ++++ b/agent/command-ssh.c +@@ -2499,7 +2499,7 @@ card_key_available (ctrl_t ctrl, gcry_sexp_t *r_pk, char **cardsn) + + /* (Shadow)-key is not available in our key storage. */ + agent_card_getattr (ctrl, "$DISPSERIALNO", &dispserialno); +- err = agent_write_shadow_key (grip, serialno, authkeyid, pkbuf, 0, ++ err = agent_write_shadow_key (grip, serialno, authkeyid, pkbuf, 0, 0, + dispserialno); + xfree (dispserialno); + if (err) +@@ -3159,7 +3159,7 @@ ssh_identity_register (ctrl_t ctrl, ssh_key_type_spec_t *spec, + + /* Store this key to our key storage. We do not store a creation + * timestamp because we simply do not know. */ +- err = agent_write_private_key (key_grip_raw, buffer, buffer_n, 0, ++ err = agent_write_private_key (key_grip_raw, buffer, buffer_n, 0, 0, + NULL, NULL, NULL, 0); + if (err) + goto out; +--- a/agent/command.c ++++ b/agent/command.c +@@ -1042,7 +1042,7 @@ cmd_readkey (assuan_context_t ctx, char *line) + /* Shadow-key is or is not available in our key storage. In + * any case we need to check whether we need to update with + * a new display-s/n or whatever. */ +- rc = agent_write_shadow_key (grip, serialno, keyid, pkbuf, 0, ++ rc = agent_write_shadow_key (grip, serialno, keyid, pkbuf, 0, 0, + dispserialno); + if (rc) + goto leave; +@@ -1855,16 +1855,18 @@ cmd_learn (assuan_context_t ctx, char *line) + { + ctrl_t ctrl = assuan_get_pointer (ctx); + gpg_error_t err; +- int send, sendinfo, force; ++ int send, sendinfo, force, reallyforce; + + send = has_option (line, "--send"); + sendinfo = send? 1 : has_option (line, "--sendinfo"); + force = has_option (line, "--force"); ++ reallyforce = has_option (line, "--reallyforce"); + + if (ctrl->restricted) + return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN)); + +- err = agent_handle_learn (ctrl, send, sendinfo? ctx : NULL, force); ++ err = agent_handle_learn (ctrl, send, sendinfo? ctx : NULL, ++ force, reallyforce); + return leave_cmd (ctx, err); + } + +@@ -2427,11 +2429,11 @@ cmd_import_key (assuan_context_t ctx, char *line) + err = agent_protect (key, passphrase, &finalkey, &finalkeylen, + ctrl->s2k_count); + if (!err) +- err = agent_write_private_key (grip, finalkey, finalkeylen, force, ++ err = agent_write_private_key (grip, finalkey, finalkeylen, force, 0, + NULL, NULL, NULL, opt_timestamp); + } + else +- err = agent_write_private_key (grip, key, realkeylen, force, ++ err = agent_write_private_key (grip, key, realkeylen, force, 0, + NULL, NULL, NULL, opt_timestamp); + + leave: +--- a/agent/cvt-openpgp.c ++++ b/agent/cvt-openpgp.c +@@ -1070,7 +1070,7 @@ convert_from_openpgp_native (ctrl_t ctrl, + &protectedkey, &protectedkeylen, + ctrl->s2k_count)) + agent_write_private_key (grip, protectedkey, protectedkeylen, +- 1/*force*/, NULL, NULL, NULL, 0); ++ 1/*force*/, 0, NULL, NULL, NULL, 0); + xfree (protectedkey); + } + else +@@ -1079,7 +1079,7 @@ convert_from_openpgp_native (ctrl_t ctrl, + agent_write_private_key (grip, + *r_key, + gcry_sexp_canon_len (*r_key, 0, NULL,NULL), +- 1/*force*/, NULL, NULL, NULL, 0); ++ 1/*force*/, 0, NULL, NULL, NULL, 0); + } + } + +--- a/agent/findkey.c ++++ b/agent/findkey.c +@@ -82,7 +82,8 @@ fname_from_keygrip (const unsigned char *grip, int for_new) + * recorded as creation date. */ + int + agent_write_private_key (const unsigned char *grip, +- const void *buffer, size_t length, int force, ++ const void *buffer, size_t length, ++ int force, int reallyforce, + const char *serialno, const char *keyref, + const char *dispserialno, + time_t timestamp) +@@ -165,10 +166,13 @@ agent_write_private_key (const unsigned char *grip, + /* Check that we do not update a regular key with a shadow key. */ + if (is_regular && gpg_err_code (is_shadowed_key (key)) == GPG_ERR_TRUE) + { +- log_info ("updating regular key file '%s'" +- " by a shadow key inhibited\n", oldfname); +- err = 0; /* Simply ignore the error. */ +- goto leave; ++ if (!reallyforce) ++ { ++ log_info ("updating regular key file '%s'" ++ " by a shadow key inhibited\n", oldfname); ++ err = 0; /* Simply ignore the error. */ ++ goto leave; ++ } + } + /* Check that we update a regular key only in force mode. */ + if (is_regular && !force) +@@ -1704,12 +1708,13 @@ agent_delete_key (ctrl_t ctrl, const char *desc_text, + * Shadow key is created by an S-expression public key in PKBUF and + * card's SERIALNO and the IDSTRING. With FORCE passed as true an + * existing key with the given GRIP will get overwritten. If +- * DISPSERIALNO is not NULL the human readable s/n will also be +- * recorded in the key file. */ ++ * REALLYFORCE is also true, even a private key will be overwritten by ++ * a shadown key. If DISPSERIALNO is not NULL the human readable s/n ++ * will also be recorded in the key file. */ + gpg_error_t + agent_write_shadow_key (const unsigned char *grip, + const char *serialno, const char *keyid, +- const unsigned char *pkbuf, int force, ++ const unsigned char *pkbuf, int force, int reallyforce, + const char *dispserialno) + { + gpg_error_t err; +@@ -1737,7 +1742,7 @@ agent_write_shadow_key (const unsigned char *grip, + } + + len = gcry_sexp_canon_len (shdkey, 0, NULL, NULL); +- err = agent_write_private_key (grip, shdkey, len, force, ++ err = agent_write_private_key (grip, shdkey, len, force, reallyforce, + serialno, keyid, dispserialno, 0); + xfree (shdkey); + if (err) +--- a/agent/genkey.c ++++ b/agent/genkey.c +@@ -69,7 +69,7 @@ store_key (gcry_sexp_t private, const char *passphrase, int force, + buf = p; + } + +- rc = agent_write_private_key (grip, buf, len, force, ++ rc = agent_write_private_key (grip, buf, len, force, 0, + NULL, NULL, NULL, timestamp); + xfree (buf); + return rc; +--- a/agent/learncard.c ++++ b/agent/learncard.c +@@ -297,9 +297,12 @@ send_cert_back (ctrl_t ctrl, const char *id, void *assuan_context) + } + + /* Perform the learn operation. If ASSUAN_CONTEXT is not NULL and +- SEND is true all new certificates are send back via Assuan. */ ++ SEND is true all new certificates are send back via Assuan. If ++ REALLYFORCE is true a private key will be overwritten by a stub ++ key. */ + int +-agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, int force) ++agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, ++ int force, int reallyforce) + { + int rc; + struct kpinfo_cb_parm_s parm; +@@ -414,7 +417,7 @@ agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, int force) + + agent_card_getattr (ctrl, "$DISPSERIALNO", &dispserialno); + rc = agent_write_shadow_key (grip, serialno, item->id, pubkey, +- force, dispserialno); ++ force, reallyforce, dispserialno); + xfree (dispserialno); + } + xfree (pubkey); +--- a/agent/protect-tool.c ++++ b/agent/protect-tool.c +@@ -807,13 +807,15 @@ agent_askpin (ctrl_t ctrl, + * to stdout. */ + int + agent_write_private_key (const unsigned char *grip, +- const void *buffer, size_t length, int force, ++ const void *buffer, size_t length, ++ int force, int reallyforce, + const char *serialno, const char *keyref, + const char *dispserialno, time_t timestamp) + { + char hexgrip[40+4+1]; + char *p; + ++ (void)reallyforce; + (void)force; + (void)timestamp; + (void)serialno; +--- a/g10/call-agent.c ++++ b/g10/call-agent.c +@@ -745,6 +745,11 @@ learn_status_cb (void *opaque, const char *line) + * card-util.c + * keyedit_menu + * card_store_key_with_backup (Woth force to remove secret key data) ++ * ++ * If force has the value 2 the --reallyforce option is also used. ++ * This is to make sure the sshadow key overwrites the private key. ++ * Note that this option is gnupg 2.2 specific because since 2.4.4 an ++ * ephemeral private key store is used instead. + */ + int + agent_scd_learn (struct agent_card_info_s *info, int force) +@@ -764,6 +769,7 @@ agent_scd_learn (struct agent_card_info_s *info, int force) + + parm.ctx = agent_ctx; + rc = assuan_transact (agent_ctx, ++ force == 2? "LEARN --sendinfo --force --reallyforce" : + force ? "LEARN --sendinfo --force" : "LEARN --sendinfo", + dummy_data_cb, NULL, default_inq_cb, &parm, + learn_status_cb, info); +--- a/g10/keygen.c ++++ b/g10/keygen.c +@@ -5201,8 +5201,11 @@ card_store_key_with_backup (ctrl_t ctrl, PKT_public_key *sub_psk, + if (err) + log_error ("writing card key to backup file: %s\n", gpg_strerror (err)); + else +- /* Remove secret key data in agent side. */ +- agent_scd_learn (NULL, 1); ++ { ++ /* Remove secret key data in agent side. We use force 2 here to ++ * allow overwriting of the temporary private key. */ ++ agent_scd_learn (NULL, 2); ++ } + + leave: + xfree (ecdh_param_str); +-- +2.30.2 diff --git a/app-crypt/gnupg/files/gnupg-2.2.42-dirmngr-proxy.patch b/app-crypt/gnupg/files/gnupg-2.2.42-dirmngr-proxy.patch new file mode 100644 index 000000000000..21be675adef4 --- /dev/null +++ b/app-crypt/gnupg/files/gnupg-2.2.42-dirmngr-proxy.patch @@ -0,0 +1,156 @@ +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=d6c428699db7aa20f8b6ca9fe83197a0314b7e91 +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=c33c4fdf10b7ed9e03f2afe988d93f3085b727aa +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=41c022072599bc3f12f659e962653548cd86fa3a + +From d6c428699db7aa20f8b6ca9fe83197a0314b7e91 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gniibe@fsij.org> +Date: Thu, 15 Feb 2024 15:38:34 +0900 +Subject: [PATCH] dirmngr: Fix proxy with TLS. + +* dirmngr/http.c (proxy_get_token, run_proxy_connect): Always +available regardless of USE_TLS. +(send_request): Remove USE_TLS. + +-- + +Since quite some time building w/o TLS won't work. + +GnuPG-bug-id: 6997 +--- a/dirmngr/http.c ++++ b/dirmngr/http.c +@@ -2498,9 +2498,7 @@ proxy_get_token (proxy_info_t proxy, const char *inputstring) + } + + +- + /* Use the CONNECT method to proxy our TLS stream. */ +-#ifdef USE_TLS + static gpg_error_t + run_proxy_connect (http_t hd, proxy_info_t proxy, + const char *httphost, const char *server, +@@ -2709,7 +2707,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + xfree (tmpstr); + return err; + } +-#endif /*USE_TLS*/ + + + /* Make a request string using a standard proxy. On success the +@@ -2866,7 +2863,6 @@ send_request (http_t hd, const char *httphost, const char *auth, + goto leave; + } + +-#if USE_TLS + if (use_http_proxy && hd->uri->use_tls) + { + err = run_proxy_connect (hd, proxy, httphost, server, port); +@@ -2878,7 +2874,6 @@ send_request (http_t hd, const char *httphost, const char *auth, + * clear the flag to indicate this. */ + use_http_proxy = 0; + } +-#endif /* USE_TLS */ + + #if HTTP_USE_NTBTLS + err = run_ntbtls_handshake (hd); +-- +2.30.2 + +From c33c4fdf10b7ed9e03f2afe988d93f3085b727aa Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gniibe@fsij.org> +Date: Fri, 16 Feb 2024 11:31:37 +0900 +Subject: [PATCH] dirmngr: Fix the regression of use of proxy for TLS + connection. + +* dirmngr/http.c (run_proxy_connect): Don't set keep_alive, since it +causes resource leak of FP_WRITE. +Don't try to read response body to fix the hang. + +-- + +GnuPG-bug-id: 6997 +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> +--- a/dirmngr/http.c ++++ b/dirmngr/http.c +@@ -2520,6 +2520,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication + */ + auth_basic = !!proxy->uri->auth; ++ hd->keep_alive = 0; + + /* For basic authentication we need to send just one request. */ + if (auth_basic +@@ -2541,13 +2542,12 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + httphost ? httphost : server, + port, + authhdr ? authhdr : "", +- auth_basic? "" : "Connection: keep-alive\r\n"); ++ hd->keep_alive? "Connection: keep-alive\r\n" : ""); + if (!request) + { + err = gpg_error_from_syserror (); + goto leave; + } +- hd->keep_alive = !auth_basic; /* We may need to send more requests. */ + + if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP)) + log_debug_with_string (request, "http.c:proxy:request:"); +@@ -2574,16 +2574,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + if (err) + goto leave; + +- { +- unsigned long count = 0; +- +- while (es_getc (hd->fp_read) != EOF) +- count++; +- if (opt_debug) +- log_debug ("http.c:proxy_connect: skipped %lu bytes of response-body\n", +- count); +- } +- + /* Reset state. */ + es_clearerr (hd->fp_read); + ((cookie_t)(hd->read_cookie))->up_to_empty_line = 1; +-- +2.30.2 + +From 41c022072599bc3f12f659e962653548cd86fa3a Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gniibe@fsij.org> +Date: Fri, 16 Feb 2024 16:24:26 +0900 +Subject: [PATCH] dirmngr: Fix keep-alive flag handling. + +* dirmngr/http.c (run_proxy_connect): Set KEEP_ALIVE if not Basic +Authentication. Fix resource leak of FP_WRITE. + +-- + +GnuPG-bug-id: 6997 +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> +--- a/dirmngr/http.c ++++ b/dirmngr/http.c +@@ -2520,7 +2520,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication + */ + auth_basic = !!proxy->uri->auth; +- hd->keep_alive = 0; ++ hd->keep_alive = !auth_basic; /* We may need to send more requests. */ + + /* For basic authentication we need to send just one request. */ + if (auth_basic +@@ -2684,6 +2684,14 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + } + + leave: ++ if (hd->keep_alive) ++ { ++ es_fclose (hd->fp_write); ++ hd->fp_write = NULL; ++ /* The close has released the cookie and thus we better set it ++ * to NULL. */ ++ hd->write_cookie = NULL; ++ } + /* Restore flags, destroy stream, reset state. */ + hd->flags = saved_flags; + es_fclose (hd->fp_read); +-- +2.30.2 diff --git a/app-crypt/gnupg/files/gnupg-2.2.42-gpgme-tests.patch b/app-crypt/gnupg/files/gnupg-2.2.42-gpgme-tests.patch new file mode 100644 index 000000000000..f10154b303e5 --- /dev/null +++ b/app-crypt/gnupg/files/gnupg-2.2.42-gpgme-tests.patch @@ -0,0 +1,39 @@ +https://bugs.gentoo.org/924386 +https://dev.gnupg.org/T7003 +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=f50c543326c2eea6b40f548d61cf3a66a077bf54 + +From f50c543326c2eea6b40f548d61cf3a66a077bf54 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gniibe@fsij.org> +Date: Fri, 1 Mar 2024 13:59:43 +0900 +Subject: [PATCH] agent: Allow simple KEYINFO command when restricted. + +* agent/command.c (cmd_keyinfo): Only forbid list command. + +-- + +GnuPG-bug-id: 7003 +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> +--- a/agent/command.c ++++ b/agent/command.c +@@ -1282,9 +1282,6 @@ cmd_keyinfo (assuan_context_t ctx, char *line) + char hexgrip[41]; + int disabled, ttl, confirm, is_ssh; + +- if (ctrl->restricted) +- return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN)); +- + if (has_option (line, "--ssh-list")) + list_mode = 2; + else +@@ -1333,6 +1330,9 @@ cmd_keyinfo (assuan_context_t ctx, char *line) + char *dirname; + gnupg_dirent_t dir_entry; + ++ if (ctrl->restricted) ++ return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN)); ++ + dirname = make_filename_try (gnupg_homedir (), + GNUPG_PRIVATE_KEYS_DIR, NULL); + if (!dirname) +-- +2.30.2 diff --git a/app-crypt/gnupg/files/gnupg-2.3.0-sqlite_check.patch b/app-crypt/gnupg/files/gnupg-2.3.0-sqlite_check.patch deleted file mode 100644 index dd529da7a7c6..000000000000 --- a/app-crypt/gnupg/files/gnupg-2.3.0-sqlite_check.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 58aa0e8547a29e147f3d9d1792117d96bc00ffda Mon Sep 17 00:00:00 2001 -From: Lars Wendler <polynomial-c@gentoo.org> -Date: Thu, 8 Apr 2021 11:05:36 +0200 -Subject: [PATCH] gnupg: configure.ac: Fix sqlite3 detection - -or else --disable-sqlite has no effect and linking later fails with: - - keyboxd-backend-sqlite.o: in function `show_sqlstmt.part.0': - backend-sqlite.c:(.text+0x42): undefined reference to `sqlite3_expanded_sql' - -Signed-off-by: Lars Wendler <polynomial-c@gentoo.org> ---- - configure.ac | 23 ++++++++++++----------- - 1 file changed, 12 insertions(+), 11 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 9cf0c6a7f..d46469cbb 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -969,18 +969,20 @@ AC_ARG_ENABLE(sqlite, - [disable the use of SQLITE]), - try_sqlite=$enableval, try_sqlite=yes) - --if test x"$use_tofu" = xyes ; then -- if test x"$try_sqlite" = xyes ; then -+AS_IF([test x"$try_sqlite" = xyes], [ - PKG_CHECK_MODULES([SQLITE3], [sqlite3 >= $NEED_SQLITE_VERSION], - [have_sqlite=yes], - [have_sqlite=no]) -- fi -- if test "$have_sqlite" = "yes"; then -- : -- AC_SUBST([SQLITE3_CFLAGS]) -- AC_SUBST([SQLITE3_LIBS]) -- else -- use_tofu=no -+ AS_IF([test "$have_sqlite" = "yes"], [ -+ AC_SUBST([SQLITE3_CFLAGS]) -+ AC_SUBST([SQLITE3_LIBS]) -+ ]) -+ ]) -+ -+AS_IF([test "$have_sqlite" != "yes"], [ -+ AS_IF([test x"$use_tofu" = xyes], [ -+ use_tofu=no -+ ]) - build_keyboxd=no - tmp=$(echo "$SQLITE3_PKG_ERRORS" | tr '\n' '\v' | sed 's/\v/\n*** /g') - AC_MSG_WARN([[ -@@ -988,8 +990,7 @@ if test x"$use_tofu" = xyes ; then - *** Building without SQLite support - TOFU and Keyboxd disabled - *** - *** $tmp]]) -- fi --fi -+]) - - AM_CONDITIONAL(SQLITE3, test "$have_sqlite" = "yes") - --- -2.31.1 - diff --git a/app-crypt/gnupg/files/gnupg-2.4.4-dirmngr-proxy.patch b/app-crypt/gnupg/files/gnupg-2.4.4-dirmngr-proxy.patch new file mode 100644 index 000000000000..686a3aadc8dd --- /dev/null +++ b/app-crypt/gnupg/files/gnupg-2.4.4-dirmngr-proxy.patch @@ -0,0 +1,202 @@ +https://bugs.gentoo.org/924606 +https://dev.gnupg.org/T6997 +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=04cbc3074aa98660b513a80f623a7e9f0702c7c9 +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=848546b05ab0ff6abd47724ecfab73bf32dd4c01 +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2810b934647edd483996bee1f5f9256a162b2705 + +From 6236978d78886cbb476ed9fbc49ff99c7582b2d7 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gniibe@fsij.org> +Date: Thu, 15 Feb 2024 15:38:34 +0900 +Subject: [PATCH 1/3] dirmngr: Fix proxy with TLS. + +* dirmngr/http.c (proxy_get_token, run_proxy_connect): Always +available regardless of USE_TLS. +(run_proxy_connect): Use log_debug_string. +(send_request): Remove USE_TLS. + +-- + +Since the commit of + + 1009e4e5f71347a1fe194e59a9d88c8034a67016 + +Building with TLS library is mandatory. + +GnuPG-bug-id: 6997 +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> +--- + dirmngr/http.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/dirmngr/http.c b/dirmngr/http.c +index 4899a5d55..10eecfdb0 100644 +--- a/dirmngr/http.c ++++ b/dirmngr/http.c +@@ -2362,7 +2362,6 @@ run_gnutls_handshake (http_t hd, const char *server) + * NULL, decode the string and use this as input from teh server. On + * success the final output token is stored at PROXY->OUTTOKEN and + * OUTTOKLEN. IF the authentication succeeded OUTTOKLEN is zero. */ +-#ifdef USE_TLS + static gpg_error_t + proxy_get_token (proxy_info_t proxy, const char *inputstring) + { +@@ -2530,11 +2529,9 @@ proxy_get_token (proxy_info_t proxy, const char *inputstring) + + #endif /*!HAVE_W32_SYSTEM*/ + } +-#endif /*USE_TLS*/ + + + /* Use the CONNECT method to proxy our TLS stream. */ +-#ifdef USE_TLS + static gpg_error_t + run_proxy_connect (http_t hd, proxy_info_t proxy, + const char *httphost, const char *server, +@@ -2586,7 +2583,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + hd->keep_alive = !auth_basic; /* We may need to send more requests. */ + + if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP)) +- log_debug_with_string (request, "http.c:proxy:request:"); ++ log_debug_string (request, "http.c:proxy:request:"); + + if (!hd->fp_write) + { +@@ -2743,7 +2740,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + xfree (tmpstr); + return err; + } +-#endif /*USE_TLS*/ + + + /* Make a request string using a standard proxy. On success the +@@ -2903,7 +2899,6 @@ send_request (ctrl_t ctrl, + goto leave; + } + +-#if USE_TLS + if (use_http_proxy && hd->uri->use_tls) + { + err = run_proxy_connect (hd, proxy, httphost, server, port); +@@ -2915,7 +2910,6 @@ send_request (ctrl_t ctrl, + * clear the flag to indicate this. */ + use_http_proxy = 0; + } +-#endif /* USE_TLS */ + + #if HTTP_USE_NTBTLS + err = run_ntbtls_handshake (hd); +-- +2.43.2 + +From 68650eb6999e674fd2f1c78f47b68d3cd1d37ff0 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gniibe@fsij.org> +Date: Fri, 16 Feb 2024 11:31:37 +0900 +Subject: [PATCH 2/3] dirmngr: Fix the regression of use of proxy for TLS + connection. + +* dirmngr/http.c (run_proxy_connect): Don't set keep_alive, since it +causes resource leak of FP_WRITE. +Don't try to read response body to fix the hang. + +-- + +GnuPG-bug-id: 6997 +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> +--- + dirmngr/http.c | 14 ++------------ + 1 file changed, 2 insertions(+), 12 deletions(-) + +diff --git a/dirmngr/http.c b/dirmngr/http.c +index 10eecfdb0..7ce01bacd 100644 +--- a/dirmngr/http.c ++++ b/dirmngr/http.c +@@ -2553,6 +2553,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication + */ + auth_basic = !!proxy->uri->auth; ++ hd->keep_alive = 0; + + /* For basic authentication we need to send just one request. */ + if (auth_basic +@@ -2574,13 +2575,12 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + httphost ? httphost : server, + port, + authhdr ? authhdr : "", +- auth_basic? "" : "Connection: keep-alive\r\n"); ++ hd->keep_alive? "Connection: keep-alive\r\n" : ""); + if (!request) + { + err = gpg_error_from_syserror (); + goto leave; + } +- hd->keep_alive = !auth_basic; /* We may need to send more requests. */ + + if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP)) + log_debug_string (request, "http.c:proxy:request:"); +@@ -2607,16 +2607,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + if (err) + goto leave; + +- { +- unsigned long count = 0; +- +- while (es_getc (hd->fp_read) != EOF) +- count++; +- if (opt_debug) +- log_debug ("http.c:proxy_connect: skipped %lu bytes of response-body\n", +- count); +- } +- + /* Reset state. */ + es_clearerr (hd->fp_read); + ((cookie_t)(hd->read_cookie))->up_to_empty_line = 1; +-- +2.43.2 + +From 7c7cbd94549d08780fc3767d6de8336b3f44e7d7 Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka <gniibe@fsij.org> +Date: Fri, 16 Feb 2024 16:24:26 +0900 +Subject: [PATCH 3/3] dirmngr: Fix keep-alive flag handling. + +* dirmngr/http.c (run_proxy_connect): Set KEEP_ALIVE if not Basic +Authentication. Fix resource leak of FP_WRITE. + +-- + +GnuPG-bug-id: 6997 +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> +--- + dirmngr/http.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/dirmngr/http.c b/dirmngr/http.c +index 7ce01bacd..da0c89ae5 100644 +--- a/dirmngr/http.c ++++ b/dirmngr/http.c +@@ -2553,7 +2553,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication + */ + auth_basic = !!proxy->uri->auth; +- hd->keep_alive = 0; ++ hd->keep_alive = !auth_basic; /* We may need to send more requests. */ + + /* For basic authentication we need to send just one request. */ + if (auth_basic +@@ -2717,6 +2717,14 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, + } + + leave: ++ if (hd->keep_alive) ++ { ++ es_fclose (hd->fp_write); ++ hd->fp_write = NULL; ++ /* The close has released the cookie and thus we better set it ++ * to NULL. */ ++ hd->write_cookie = NULL; ++ } + /* Restore flags, destroy stream, reset state. */ + hd->flags = saved_flags; + es_fclose (hd->fp_read); +-- +2.43.2 + diff --git a/app-crypt/gnupg/files/gpg-agent-browser.socket b/app-crypt/gnupg/files/gpg-agent-browser.socket new file mode 100644 index 000000000000..bc8d344e1f2d --- /dev/null +++ b/app-crypt/gnupg/files/gpg-agent-browser.socket @@ -0,0 +1,13 @@ +[Unit] +Description=GnuPG cryptographic agent and passphrase cache (access for web browsers) +Documentation=man:gpg-agent(1) + +[Socket] +ListenStream=%t/gnupg/S.gpg-agent.browser +FileDescriptorName=browser +Service=gpg-agent.service +SocketMode=0600 +DirectoryMode=0700 + +[Install] +WantedBy=sockets.target diff --git a/app-crypt/gnupg/files/gpg-agent-extra.socket b/app-crypt/gnupg/files/gpg-agent-extra.socket new file mode 100644 index 000000000000..5b87d09dfa2a --- /dev/null +++ b/app-crypt/gnupg/files/gpg-agent-extra.socket @@ -0,0 +1,13 @@ +[Unit] +Description=GnuPG cryptographic agent and passphrase cache (restricted) +Documentation=man:gpg-agent(1) + +[Socket] +ListenStream=%t/gnupg/S.gpg-agent.extra +FileDescriptorName=extra +Service=gpg-agent.service +SocketMode=0600 +DirectoryMode=0700 + +[Install] +WantedBy=sockets.target diff --git a/app-crypt/gnupg/files/gpg-agent-ssh.socket b/app-crypt/gnupg/files/gpg-agent-ssh.socket new file mode 100644 index 000000000000..798c1d967595 --- /dev/null +++ b/app-crypt/gnupg/files/gpg-agent-ssh.socket @@ -0,0 +1,13 @@ +[Unit] +Description=GnuPG cryptographic agent (ssh-agent emulation) +Documentation=man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1) + +[Socket] +ListenStream=%t/gnupg/S.gpg-agent.ssh +FileDescriptorName=ssh +Service=gpg-agent.service +SocketMode=0600 +DirectoryMode=0700 + +[Install] +WantedBy=sockets.target diff --git a/app-crypt/gnupg/files/gpg-agent.service b/app-crypt/gnupg/files/gpg-agent.service new file mode 100644 index 000000000000..a050fccdc527 --- /dev/null +++ b/app-crypt/gnupg/files/gpg-agent.service @@ -0,0 +1,8 @@ +[Unit] +Description=GnuPG cryptographic agent and passphrase cache +Documentation=man:gpg-agent(1) +Requires=gpg-agent.socket + +[Service] +ExecStart=/usr/bin/gpg-agent --supervised +ExecReload=/usr/bin/gpgconf --reload gpg-agent diff --git a/app-crypt/gnupg/files/gpg-agent.socket b/app-crypt/gnupg/files/gpg-agent.socket new file mode 100644 index 000000000000..4257c2c80f18 --- /dev/null +++ b/app-crypt/gnupg/files/gpg-agent.socket @@ -0,0 +1,12 @@ +[Unit] +Description=GnuPG cryptographic agent and passphrase cache +Documentation=man:gpg-agent(1) + +[Socket] +ListenStream=%t/gnupg/S.gpg-agent +FileDescriptorName=std +SocketMode=0600 +DirectoryMode=0700 + +[Install] +WantedBy=sockets.target diff --git a/app-crypt/gnupg/gnupg-2.2.27.ebuild b/app-crypt/gnupg/gnupg-2.2.42-r2.ebuild index abbcdf02bd07..72bb9fe0626a 100644 --- a/app-crypt/gnupg/gnupg-2.2.27.ebuild +++ b/app-crypt/gnupg/gnupg-2.2.42-r2.ebuild @@ -1,48 +1,64 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=7 +EAPI=8 -inherit flag-o-matic systemd toolchain-funcs +# Maintainers should: +# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/ +# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159 +# (find the one for the current release then subscribe to it + +# any subsequent ones linked within so you're covered for a while.) + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc +# in-source builds are not supported: https://dev.gnupg.org/T6313#166339 +inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig MY_P="${P/_/-}" DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation" HOMEPAGE="https://gnupg.org/" -SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2 - scd-shared-access? ( https://raw.githubusercontent.com/GPGTools/MacGPG2/5ca182f54b7b6cd635d1c0a4713953834489fdd9/patches/gnupg/scdaemon_shared-access.patch -> ${PN}-2.2.16-scdaemon_shared-access.patch )" +SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2" +SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )" +S="${WORKDIR}/${MY_P}" -LICENSE="GPL-3" +LICENSE="GPL-3+" SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -IUSE="bzip2 doc ldap nls readline scd-shared-access selinux +smartcard ssl tofu tools usb user-socket wks-server" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server" +RESTRICT="!test? ( test )" # Existence of executables is checked during configuration. -DEPEND=">=dev-libs/libassuan-2.5.0 - >=dev-libs/libgcrypt-1.8.0 - >=dev-libs/libgpg-error-1.29 - >=dev-libs/libksba-1.3.4 +# Note: On each bump, update dep bounds on each version from configure.ac! +DEPEND=" + >=dev-libs/libassuan-2.5.0 + >=dev-libs/libgcrypt-1.8.0:= + >=dev-libs/libgpg-error-1.38 + >=dev-libs/libksba-1.3.5 >=dev-libs/npth-1.2 >=net-misc/curl-7.10 + sys-libs/zlib bzip2? ( app-arch/bzip2 ) - ldap? ( net-nds/openldap ) - readline? ( sys-libs/readline:0= ) + ldap? ( net-nds/openldap:= ) + readline? ( sys-libs/readline:= ) smartcard? ( usb? ( virtual/libusb:1 ) ) - ssl? ( >=net-libs/gnutls-3.0:0= ) - sys-libs/zlib - tofu? ( >=dev-db/sqlite-3.7 )" - -RDEPEND="${DEPEND} - app-crypt/pinentry + ssl? ( >=net-libs/gnutls-3.0:= ) + tofu? ( >=dev-db/sqlite-3.7 ) +" +RDEPEND=" + ${DEPEND} nls? ( virtual/libintl ) selinux? ( sec-policy/selinux-gpg ) - wks-server? ( virtual/mta )" - -BDEPEND="virtual/pkgconfig + wks-server? ( virtual/mta ) +" +PDEPEND=" + app-crypt/pinentry +" +BDEPEND=" + virtual/pkgconfig doc? ( sys-apps/texinfo ) - nls? ( sys-devel/gettext )" - -S="${WORKDIR}/${MY_P}" + nls? ( sys-devel/gettext ) + verify-sig? ( sec-keys/openpgp-keys-gnupg ) +" DOCS=( ChangeLog NEWS README THANKS TODO VERSION @@ -50,19 +66,13 @@ DOCS=( ) PATCHES=( - "${FILESDIR}/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch" + "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch + "${FILESDIR}"/${PN}-2.2.42-bug923248-insecure-backup.patch ) src_prepare() { default - # Made optional because it's a non-official patch - if use scd-shared-access ; then - # Patch taken from - # https://github.com/GPGTools/MacGPG2/tree/dev/patches/gnupg - eapply "${DISTDIR}/${PN}-2.2.16-scdaemon_shared-access.patch" - fi - # Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode, # idea borrowed from libdbus, see # https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6 @@ -73,78 +83,82 @@ src_prepare() { -i doc/examples/systemd-user/gpg-agent-ssh.socket || die } -src_configure() { +my_src_configure() { + # Upstream don't support LTO, bug #854222. + filter-lto + local myconf=( $(use_enable bzip2) $(use_enable nls) $(use_enable smartcard scdaemon) $(use_enable ssl gnutls) + $(use_enable test all-tests) + $(use_enable test tests) $(use_enable tofu) $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver') $(use_enable wks-server wks-tools) $(use_with ldap) $(use_with readline) + + # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist. + # As of GnuPG 2.3, the mailprog substitution is used for the binary called + # by wks-client & wks-server; and if it's autodetected but not not exist at + # build time, then then 'gpg-wks-client --send' functionality will not + # work. This has an unwanted side-effect in stage3 builds: there was a + # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating + # the build where the install guide previously make the user chose the + # logger & mta early in the install. --with-mailprog=/usr/libexec/sendmail + --disable-ntbtls - --enable-all-tests --enable-gpg --enable-gpgsm --enable-large-secmem + CC_FOR_BUILD="$(tc-getBUILD_CC)" GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config" KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config" LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config" LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config" NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config" + $("${S}/configure" --help | grep -o -- '--without-.*-prefix') ) if use prefix && use usb; then # bug #649598 - append-cppflags -I"${EPREFIX}/usr/include/libusb-1.0" + append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0" fi - #bug 663142 + # bug #663142 if use user-socket; then myconf+=( --enable-run-gnupg-user-socket ) fi # glib fails and picks up clang's internal stdint.h causing weird errors - [[ ${CC} == *clang ]] && \ - export gl_cv_absolute_stdint_h=/usr/include/stdint.h - - # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist. - # As of GnuPG 2.3, the mailprog substitution is used for the binary called - # by wks-client & wks-server; and if it's autodetected but not not exist at - # build time, then then 'gpg-wks-client --send' functionality will not - # work. This has an unwanted side-effect in stage3 builds: there was a - # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating - # the build where the install guide previously make the user chose the - # logger & mta early in the install. + tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h econf "${myconf[@]}" } -src_compile() { +my_src_compile() { default use doc && emake -C doc html } -src_test() { - #Bug: 638574 - use tofu && export TESTFLAGS=--parallel +my_src_test() { + export TESTFLAGS="--parallel=$(makeopts_jobs)" + default } -src_install() { - default +my_src_install() { + emake DESTDIR="${D}" install - use tools && - dobin \ - tools/{convert-from-106,gpg-check-pattern} \ - tools/{gpg-zip,gpgconf,gpgsplit,lspgpot,mail-signed-keys} \ - tools/make-dns-cert + use tools && dobin \ + tools/{gpg-zip,gpgconf,gpgsplit,gpg-check-pattern} \ + tools/make-dns-cert dosym gpg /usr/bin/gpg2 dosym gpgv /usr/bin/gpgv2 @@ -154,7 +168,15 @@ src_install() { dodir /etc/env.d echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die - use doc && dodoc doc/gnupg.html/* doc/*.png + use doc && dodoc doc/gnupg.html/* +} + +my_src_install_all() { + einstalldocs + + use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot} + + use doc && dodoc doc/*.png systemd_douserunit doc/examples/systemd-user/*.{service,socket} } diff --git a/app-crypt/gnupg/gnupg-2.2.42-r3.ebuild b/app-crypt/gnupg/gnupg-2.2.42-r3.ebuild new file mode 100644 index 000000000000..d0937a7079a9 --- /dev/null +++ b/app-crypt/gnupg/gnupg-2.2.42-r3.ebuild @@ -0,0 +1,184 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +# Maintainers should: +# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/ +# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159 +# (find the one for the current release then subscribe to it + +# any subsequent ones linked within so you're covered for a while.) + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc +# in-source builds are not supported: https://dev.gnupg.org/T6313#166339 +inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig + +MY_P="${P/_/-}" + +DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation" +HOMEPAGE="https://gnupg.org/" +SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2" +SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )" +S="${WORKDIR}/${MY_P}" + +LICENSE="GPL-3+" +SLOT="0" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server" +RESTRICT="!test? ( test )" + +# Existence of executables is checked during configuration. +# Note: On each bump, update dep bounds on each version from configure.ac! +DEPEND=" + >=dev-libs/libassuan-2.5.0 + >=dev-libs/libgcrypt-1.8.0:= + >=dev-libs/libgpg-error-1.38 + >=dev-libs/libksba-1.3.5 + >=dev-libs/npth-1.2 + >=net-misc/curl-7.10 + sys-libs/zlib + bzip2? ( app-arch/bzip2 ) + ldap? ( net-nds/openldap:= ) + readline? ( sys-libs/readline:= ) + smartcard? ( usb? ( virtual/libusb:1 ) ) + ssl? ( >=net-libs/gnutls-3.0:= ) + tofu? ( >=dev-db/sqlite-3.7 ) +" +RDEPEND=" + ${DEPEND} + nls? ( virtual/libintl ) + selinux? ( sec-policy/selinux-gpg ) + wks-server? ( virtual/mta ) +" +PDEPEND=" + app-crypt/pinentry +" +BDEPEND=" + virtual/pkgconfig + doc? ( sys-apps/texinfo ) + nls? ( sys-devel/gettext ) + verify-sig? ( sec-keys/openpgp-keys-gnupg ) +" + +DOCS=( + ChangeLog NEWS README THANKS TODO VERSION + doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER +) + +PATCHES=( + "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch + "${FILESDIR}"/${P}-bug923248-insecure-backup.patch + "${FILESDIR}"/${P}-dirmngr-proxy.patch + "${FILESDIR}"/${P}-gpgme-tests.patch +) + +src_prepare() { + default + + # Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode, + # idea borrowed from libdbus, see + # https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6 + # + # This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl', + # which in turn requires discovery in Autoconf, something that upstream deeply resents. + sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \ + -i doc/examples/systemd-user/gpg-agent-ssh.socket || die +} + +my_src_configure() { + # Upstream don't support LTO, bug #854222. + filter-lto + + local myconf=( + $(use_enable bzip2) + $(use_enable nls) + $(use_enable smartcard scdaemon) + $(use_enable ssl gnutls) + $(use_enable test all-tests) + $(use_enable test tests) + $(use_enable tofu) + $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver') + $(use_enable wks-server wks-tools) + $(use_with ldap) + $(use_with readline) + + # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist. + # As of GnuPG 2.3, the mailprog substitution is used for the binary called + # by wks-client & wks-server; and if it's autodetected but not not exist at + # build time, then then 'gpg-wks-client --send' functionality will not + # work. This has an unwanted side-effect in stage3 builds: there was a + # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating + # the build where the install guide previously make the user chose the + # logger & mta early in the install. + --with-mailprog=/usr/libexec/sendmail + + --disable-ntbtls + --enable-gpg + --enable-gpgsm + --enable-large-secmem + + CC_FOR_BUILD="$(tc-getBUILD_CC)" + GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config" + KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config" + LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config" + LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config" + NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config" + + $("${S}/configure" --help | grep -o -- '--without-.*-prefix') + ) + + if use prefix && use usb; then + # bug #649598 + append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0" + fi + + # bug #663142 + if use user-socket; then + myconf+=( --enable-run-gnupg-user-socket ) + fi + + # glib fails and picks up clang's internal stdint.h causing weird errors + tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h + + econf "${myconf[@]}" +} + +my_src_compile() { + default + + use doc && emake -C doc html +} + +my_src_test() { + export TESTFLAGS="--parallel=$(makeopts_jobs)" + + default +} + +my_src_install() { + emake DESTDIR="${D}" install + + use tools && dobin \ + tools/{gpg-zip,gpgconf,gpgsplit,gpg-check-pattern} \ + tools/make-dns-cert + + dosym gpg /usr/bin/gpg2 + dosym gpgv /usr/bin/gpgv2 + echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die + echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die + + dodir /etc/env.d + echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die + + use doc && dodoc doc/gnupg.html/* +} + +my_src_install_all() { + einstalldocs + + use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot} + + use doc && dodoc doc/*.png + + systemd_douserunit doc/examples/systemd-user/*.{service,socket} +} diff --git a/app-crypt/gnupg/gnupg-2.2.28.ebuild b/app-crypt/gnupg/gnupg-2.2.43.ebuild index 0f4396fc3999..5f121bcb2125 100644 --- a/app-crypt/gnupg/gnupg-2.2.28.ebuild +++ b/app-crypt/gnupg/gnupg-2.2.43.ebuild @@ -1,47 +1,64 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=7 +EAPI=8 -inherit flag-o-matic systemd toolchain-funcs +# Maintainers should: +# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/ +# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159 +# (find the one for the current release then subscribe to it + +# any subsequent ones linked within so you're covered for a while.) + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc +# in-source builds are not supported: https://dev.gnupg.org/T6313#166339 +inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig MY_P="${P/_/-}" DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation" HOMEPAGE="https://gnupg.org/" SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2" +SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )" +S="${WORKDIR}/${MY_P}" -LICENSE="GPL-3" +LICENSE="GPL-3+" SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl tofu tools usb user-socket wks-server" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server" +RESTRICT="!test? ( test )" # Existence of executables is checked during configuration. -DEPEND=">=dev-libs/libassuan-2.5.0 - >=dev-libs/libgcrypt-1.8.0 - >=dev-libs/libgpg-error-1.29 - >=dev-libs/libksba-1.3.4 +# Note: On each bump, update dep bounds on each version from configure.ac! +DEPEND=" + >=dev-libs/libassuan-2.5.0 + >=dev-libs/libgcrypt-1.8.0:= + >=dev-libs/libgpg-error-1.38 + >=dev-libs/libksba-1.4.0 >=dev-libs/npth-1.2 >=net-misc/curl-7.10 + sys-libs/zlib bzip2? ( app-arch/bzip2 ) - ldap? ( net-nds/openldap ) - readline? ( sys-libs/readline:0= ) + ldap? ( net-nds/openldap:= ) + readline? ( sys-libs/readline:= ) smartcard? ( usb? ( virtual/libusb:1 ) ) - ssl? ( >=net-libs/gnutls-3.0:0= ) - sys-libs/zlib - tofu? ( >=dev-db/sqlite-3.7 )" - -RDEPEND="${DEPEND} - app-crypt/pinentry + ssl? ( >=net-libs/gnutls-3.0:= ) + tofu? ( >=dev-db/sqlite-3.7 ) +" +RDEPEND=" + ${DEPEND} nls? ( virtual/libintl ) selinux? ( sec-policy/selinux-gpg ) - wks-server? ( virtual/mta )" - -BDEPEND="virtual/pkgconfig + wks-server? ( virtual/mta ) +" +PDEPEND=" + app-crypt/pinentry +" +BDEPEND=" + virtual/pkgconfig doc? ( sys-apps/texinfo ) - nls? ( sys-devel/gettext )" - -S="${WORKDIR}/${MY_P}" + nls? ( sys-devel/gettext ) + verify-sig? ( sec-keys/openpgp-keys-gnupg ) +" DOCS=( ChangeLog NEWS README THANKS TODO VERSION @@ -49,8 +66,7 @@ DOCS=( ) PATCHES=( - "${FILESDIR}/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch" - "${FILESDIR}/${P}-dirmngr_ldap.patch" #795669 + "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch ) src_prepare() { @@ -66,78 +82,82 @@ src_prepare() { -i doc/examples/systemd-user/gpg-agent-ssh.socket || die } -src_configure() { +my_src_configure() { + # Upstream don't support LTO, bug #854222. + filter-lto + local myconf=( $(use_enable bzip2) $(use_enable nls) $(use_enable smartcard scdaemon) $(use_enable ssl gnutls) + $(use_enable test all-tests) + $(use_enable test tests) $(use_enable tofu) $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver') $(use_enable wks-server wks-tools) $(use_with ldap) $(use_with readline) + + # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist. + # As of GnuPG 2.3, the mailprog substitution is used for the binary called + # by wks-client & wks-server; and if it's autodetected but not not exist at + # build time, then then 'gpg-wks-client --send' functionality will not + # work. This has an unwanted side-effect in stage3 builds: there was a + # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating + # the build where the install guide previously make the user chose the + # logger & mta early in the install. --with-mailprog=/usr/libexec/sendmail + --disable-ntbtls - --enable-all-tests --enable-gpg --enable-gpgsm --enable-large-secmem + CC_FOR_BUILD="$(tc-getBUILD_CC)" GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config" KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config" LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config" LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config" NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config" + $("${S}/configure" --help | grep -o -- '--without-.*-prefix') ) if use prefix && use usb; then # bug #649598 - append-cppflags -I"${EPREFIX}/usr/include/libusb-1.0" + append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0" fi - #bug 663142 + # bug #663142 if use user-socket; then myconf+=( --enable-run-gnupg-user-socket ) fi # glib fails and picks up clang's internal stdint.h causing weird errors - [[ ${CC} == *clang ]] && \ - export gl_cv_absolute_stdint_h=/usr/include/stdint.h - - # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist. - # As of GnuPG 2.3, the mailprog substitution is used for the binary called - # by wks-client & wks-server; and if it's autodetected but not not exist at - # build time, then then 'gpg-wks-client --send' functionality will not - # work. This has an unwanted side-effect in stage3 builds: there was a - # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating - # the build where the install guide previously make the user chose the - # logger & mta early in the install. + tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h econf "${myconf[@]}" } -src_compile() { +my_src_compile() { default use doc && emake -C doc html } -src_test() { - #Bug: 638574 - use tofu && export TESTFLAGS=--parallel +my_src_test() { + export TESTFLAGS="--parallel=$(makeopts_jobs)" + default } -src_install() { - default +my_src_install() { + emake DESTDIR="${D}" install - use tools && - dobin \ - tools/{convert-from-106,gpg-check-pattern} \ - tools/{gpg-zip,gpgconf,gpgsplit,lspgpot,mail-signed-keys} \ - tools/make-dns-cert + use tools && dobin \ + tools/{gpg-zip,gpgconf,gpgsplit,gpg-check-pattern} \ + tools/make-dns-cert dosym gpg /usr/bin/gpg2 dosym gpgv /usr/bin/gpgv2 @@ -147,7 +167,15 @@ src_install() { dodir /etc/env.d echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die - use doc && dodoc doc/gnupg.html/* doc/*.png + use doc && dodoc doc/gnupg.html/* +} + +my_src_install_all() { + einstalldocs + + use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot} + + use doc && dodoc doc/*.png systemd_douserunit doc/examples/systemd-user/*.{service,socket} } diff --git a/app-crypt/gnupg/gnupg-2.3.1.ebuild b/app-crypt/gnupg/gnupg-2.3.1.ebuild deleted file mode 100644 index 3ca970d0c2d7..000000000000 --- a/app-crypt/gnupg/gnupg-2.3.1.ebuild +++ /dev/null @@ -1,158 +0,0 @@ -# Copyright 1999-2021 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -inherit autotools flag-o-matic systemd toolchain-funcs - -MY_P="${P/_/-}" - -DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation" -HOMEPAGE="https://gnupg.org/" -SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2" - -LICENSE="GPL-3" -SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -IUSE="bzip2 doc ldap nls readline selinux +smartcard sqlite ssl tofu tools usb user-socket wks-server" - -# Existence of executables is checked during configuration. -DEPEND=">=dev-libs/libassuan-2.5.0 - >=dev-libs/libgcrypt-1.9.1 - >=dev-libs/libgpg-error-1.29 - >=dev-libs/libksba-1.3.4 - >=dev-libs/npth-1.2 - >=net-misc/curl-7.10 - bzip2? ( app-arch/bzip2 ) - ldap? ( net-nds/openldap ) - readline? ( sys-libs/readline:0= ) - smartcard? ( usb? ( virtual/libusb:1 ) ) - sqlite? ( >=dev-db/sqlite-3.27 ) - ssl? ( >=net-libs/gnutls-3.0:0= ) - sys-libs/zlib -" - -RDEPEND="${DEPEND} - app-crypt/pinentry - nls? ( virtual/libintl ) - selinux? ( sec-policy/selinux-gpg ) - wks-server? ( virtual/mta )" - -BDEPEND="virtual/pkgconfig - doc? ( sys-apps/texinfo ) - nls? ( sys-devel/gettext )" - -S="${WORKDIR}/${MY_P}" - -REQUIRED_USE="tofu? ( sqlite )" - -DOCS=( - ChangeLog NEWS README THANKS TODO VERSION - doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER -) - -PATCHES=( - "${FILESDIR}/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch" - "${FILESDIR}/${PN}-2.3.0-sqlite_check.patch" -) - -src_prepare() { - default - - eautoreconf - - # Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode, - # idea borrowed from libdbus, see - # https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6 - # - # This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl', - # which in turn requires discovery in Autoconf, something that upstream deeply resents. - sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \ - -i doc/examples/systemd-user/gpg-agent-ssh.socket || die -} - -src_configure() { - local myconf=( - $(use_enable bzip2) - $(use_enable nls) - $(use_enable smartcard scdaemon) - $(use_enable sqlite) - $(use_enable ssl gnutls) - $(use_enable tofu) - $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver') - $(use_enable wks-server wks-tools) - $(use_with ldap) - $(use_with readline) - --with-mailprog=/usr/libexec/sendmail - --disable-ntbtls - --enable-all-tests - --enable-gpgsm - --enable-large-secmem - CC_FOR_BUILD="$(tc-getBUILD_CC)" - GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config" - KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config" - LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config" - LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config" - NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config" - $("${S}/configure" --help | grep -o -- '--without-.*-prefix') - ) - - if use prefix && use usb; then - # bug #649598 - append-cppflags -I"${EPREFIX}/usr/include/libusb-1.0" - fi - - #bug 663142 - if use user-socket; then - myconf+=( --enable-run-gnupg-user-socket ) - fi - - # glib fails and picks up clang's internal stdint.h causing weird errors - [[ ${CC} == *clang ]] && \ - export gl_cv_absolute_stdint_h=/usr/include/stdint.h - - # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist. - # As of GnuPG 2.3, the mailprog substitution is used for the binary called - # by wks-client & wks-server; and if it's autodetected but not not exist at - # build time, then then 'gpg-wks-client --send' functionality will not - # work. This has an unwanted side-effect in stage3 builds: there was a - # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating - # the build where the install guide previously make the user chose the - # logger & mta early in the install. - - econf "${myconf[@]}" -} - -src_compile() { - default - - use doc && emake -C doc html -} - -src_test() { - #Bug: 638574 - use tofu && export TESTFLAGS=--parallel - default -} - -src_install() { - default - - use tools && - dobin \ - tools/{convert-from-106,gpg-check-pattern} \ - tools/{gpgconf,gpgsplit,lspgpot,mail-signed-keys} \ - tools/make-dns-cert - - dosym gpg /usr/bin/gpg2 - dosym gpgv /usr/bin/gpgv2 - echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die - echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die - - dodir /etc/env.d - echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die - - use doc && dodoc doc/gnupg.html/* doc/*.png - - systemd_douserunit doc/examples/systemd-user/*.{service,socket} -} diff --git a/app-crypt/gnupg/gnupg-2.4.4-r1.ebuild b/app-crypt/gnupg/gnupg-2.4.4-r1.ebuild new file mode 100644 index 000000000000..c89d22b2c153 --- /dev/null +++ b/app-crypt/gnupg/gnupg-2.4.4-r1.ebuild @@ -0,0 +1,193 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +# Maintainers should: +# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/ +# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159 +# (find the one for the current release then subscribe to it + +# any subsequent ones linked within so you're covered for a while.) + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc +# in-source builds are not supported: https://dev.gnupg.org/T6313#166339 +inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig + +MY_P="${P/_/-}" + +DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation" +HOMEPAGE="https://gnupg.org/" +SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2" +SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )" +S="${WORKDIR}/${MY_P}" + +LICENSE="GPL-3+" +SLOT="0" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server" +RESTRICT="!test? ( test )" +REQUIRED_USE="test? ( tofu )" + +# Existence of executables is checked during configuration. +# Note: On each bump, update dep bounds on each version from configure.ac! +DEPEND=" + >=dev-libs/libassuan-2.5.0 + >=dev-libs/libgcrypt-1.9.1:= + >=dev-libs/libgpg-error-1.46 + >=dev-libs/libksba-1.6.3 + >=dev-libs/npth-1.2 + >=net-misc/curl-7.10 + sys-libs/zlib + bzip2? ( app-arch/bzip2 ) + ldap? ( net-nds/openldap:= ) + readline? ( sys-libs/readline:0= ) + smartcard? ( usb? ( virtual/libusb:1 ) ) + tofu? ( >=dev-db/sqlite-3.27 ) + tpm? ( >=app-crypt/tpm2-tss-2.4.0:= ) + ssl? ( >=net-libs/gnutls-3.2:0= ) +" +RDEPEND=" + ${DEPEND} + nls? ( virtual/libintl ) + selinux? ( sec-policy/selinux-gpg ) + wks-server? ( virtual/mta ) +" +PDEPEND=" + app-crypt/pinentry +" +BDEPEND=" + virtual/pkgconfig + doc? ( sys-apps/texinfo ) + nls? ( sys-devel/gettext ) + verify-sig? ( sec-keys/openpgp-keys-gnupg ) +" + +DOCS=( + ChangeLog NEWS README THANKS TODO VERSION + doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER +) + +PATCHES=( + "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch + "${FILESDIR}"/${P}-dirmngr-proxy.patch #924606 +) + +src_prepare() { + default + + GNUPG_SYSTEMD_UNITS=( + dirmngr.service + dirmngr.socket + gpg-agent-browser.socket + gpg-agent-extra.socket + gpg-agent.service + gpg-agent.socket + gpg-agent-ssh.socket + ) + + cp "${GNUPG_SYSTEMD_UNITS[@]/#/${FILESDIR}/}" "${T}" || die + + # Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode, + # idea borrowed from libdbus, see + # https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6 + # + # This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl', + # which in turn requires discovery in Autoconf, something that upstream deeply resents. + sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \ + -i "${T}"/gpg-agent-ssh.socket || die +} + +my_src_configure() { + # Upstream don't support LTO, bug #854222. + filter-lto + + local myconf=( + $(use_enable bzip2) + $(use_enable nls) + $(use_enable smartcard scdaemon) + $(use_enable ssl gnutls) + $(use_enable test all-tests) + $(use_enable test tests) + $(use_enable tofu) + $(use_enable tofu keyboxd) + $(use_enable tofu sqlite) + $(usex tpm '--with-tss=intel' '--disable-tpm2d') + $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver') + $(use_enable wks-server wks-tools) + $(use_with ldap) + $(use_with readline) + + # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist. + # As of GnuPG 2.3, the mailprog substitution is used for the binary called + # by wks-client & wks-server; and if it's autodetected but not not exist at + # build time, then then 'gpg-wks-client --send' functionality will not + # work. This has an unwanted side-effect in stage3 builds: there was a + # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating + # the build where the install guide previously make the user chose the + # logger & mta early in the install. + --with-mailprog=/usr/libexec/sendmail + + --disable-ntbtls + --enable-gpgsm + --enable-large-secmem + + CC_FOR_BUILD="$(tc-getBUILD_CC)" + ac_cv_path_GPGRT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpgrt-config" + + $("${S}/configure" --help | grep -o -- '--without-.*-prefix') + ) + + if use prefix && use usb; then + # bug #649598 + append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0" + fi + + # bug #663142 + if use user-socket; then + myconf+=( --enable-run-gnupg-user-socket ) + fi + + # glib fails and picks up clang's internal stdint.h causing weird errors + tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h + + econf "${myconf[@]}" +} + +my_src_compile() { + default + + use doc && emake -C doc html +} + +my_src_test() { + export TESTFLAGS="--parallel=$(makeopts_jobs)" + + default +} + +my_src_install() { + emake DESTDIR="${D}" install + + use tools && dobin tools/{gpgconf,gpgsplit,gpg-check-pattern} tools/make-dns-cert + + dosym gpg /usr/bin/gpg2 + dosym gpgv /usr/bin/gpgv2 + echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die + echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die + + dodir /etc/env.d + echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die + + use doc && dodoc doc/gnupg.html/* +} + +my_src_install_all() { + einstalldocs + + use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot} + use doc && dodoc doc/*.png + + # Dropped upstream in https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed. + dodoc "${FILESDIR}"/README-systemd + systemd_douserunit "${GNUPG_SYSTEMD_UNITS[@]/#/${T}/}" +} diff --git a/app-crypt/gnupg/gnupg-2.4.5.ebuild b/app-crypt/gnupg/gnupg-2.4.5.ebuild new file mode 100644 index 000000000000..65e00a4fa826 --- /dev/null +++ b/app-crypt/gnupg/gnupg-2.4.5.ebuild @@ -0,0 +1,192 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +# Maintainers should: +# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/ +# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159 +# (find the one for the current release then subscribe to it + +# any subsequent ones linked within so you're covered for a while.) + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc +# in-source builds are not supported: https://dev.gnupg.org/T6313#166339 +inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig + +MY_P="${P/_/-}" + +DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation" +HOMEPAGE="https://gnupg.org/" +SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2" +SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )" +S="${WORKDIR}/${MY_P}" + +LICENSE="GPL-3+" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server" +RESTRICT="!test? ( test )" +REQUIRED_USE="test? ( tofu )" + +# Existence of executables is checked during configuration. +# Note: On each bump, update dep bounds on each version from configure.ac! +DEPEND=" + >=dev-libs/libassuan-2.5.0 + >=dev-libs/libgcrypt-1.9.1:= + >=dev-libs/libgpg-error-1.46 + >=dev-libs/libksba-1.6.3 + >=dev-libs/npth-1.2 + >=net-misc/curl-7.10 + sys-libs/zlib + bzip2? ( app-arch/bzip2 ) + ldap? ( net-nds/openldap:= ) + readline? ( sys-libs/readline:0= ) + smartcard? ( usb? ( virtual/libusb:1 ) ) + tofu? ( >=dev-db/sqlite-3.27 ) + tpm? ( >=app-crypt/tpm2-tss-2.4.0:= ) + ssl? ( >=net-libs/gnutls-3.2:0= ) +" +RDEPEND=" + ${DEPEND} + nls? ( virtual/libintl ) + selinux? ( sec-policy/selinux-gpg ) + wks-server? ( virtual/mta ) +" +PDEPEND=" + app-crypt/pinentry +" +BDEPEND=" + virtual/pkgconfig + doc? ( sys-apps/texinfo ) + nls? ( sys-devel/gettext ) + verify-sig? ( sec-keys/openpgp-keys-gnupg ) +" + +DOCS=( + ChangeLog NEWS README THANKS TODO VERSION + doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER +) + +PATCHES=( + "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch +) + +src_prepare() { + default + + GNUPG_SYSTEMD_UNITS=( + dirmngr.service + dirmngr.socket + gpg-agent-browser.socket + gpg-agent-extra.socket + gpg-agent.service + gpg-agent.socket + gpg-agent-ssh.socket + ) + + cp "${GNUPG_SYSTEMD_UNITS[@]/#/${FILESDIR}/}" "${T}" || die + + # Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode, + # idea borrowed from libdbus, see + # https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6 + # + # This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl', + # which in turn requires discovery in Autoconf, something that upstream deeply resents. + sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \ + -i "${T}"/gpg-agent-ssh.socket || die +} + +my_src_configure() { + # Upstream don't support LTO, bug #854222. + filter-lto + + local myconf=( + $(use_enable bzip2) + $(use_enable nls) + $(use_enable smartcard scdaemon) + $(use_enable ssl gnutls) + $(use_enable test all-tests) + $(use_enable test tests) + $(use_enable tofu) + $(use_enable tofu keyboxd) + $(use_enable tofu sqlite) + $(usex tpm '--with-tss=intel' '--disable-tpm2d') + $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver') + $(use_enable wks-server wks-tools) + $(use_with ldap) + $(use_with readline) + + # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist. + # As of GnuPG 2.3, the mailprog substitution is used for the binary called + # by wks-client & wks-server; and if it's autodetected but not not exist at + # build time, then then 'gpg-wks-client --send' functionality will not + # work. This has an unwanted side-effect in stage3 builds: there was a + # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating + # the build where the install guide previously make the user chose the + # logger & mta early in the install. + --with-mailprog=/usr/libexec/sendmail + + --disable-ntbtls + --enable-gpgsm + --enable-large-secmem + + CC_FOR_BUILD="$(tc-getBUILD_CC)" + ac_cv_path_GPGRT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpgrt-config" + + $("${S}/configure" --help | grep -o -- '--without-.*-prefix') + ) + + if use prefix && use usb; then + # bug #649598 + append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0" + fi + + # bug #663142 + if use user-socket; then + myconf+=( --enable-run-gnupg-user-socket ) + fi + + # glib fails and picks up clang's internal stdint.h causing weird errors + tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h + + econf "${myconf[@]}" +} + +my_src_compile() { + default + + use doc && emake -C doc html +} + +my_src_test() { + export TESTFLAGS="--parallel=$(makeopts_jobs)" + + default +} + +my_src_install() { + emake DESTDIR="${D}" install + + use tools && dobin tools/{gpgconf,gpgsplit,gpg-check-pattern} tools/make-dns-cert + + dosym gpg /usr/bin/gpg2 + dosym gpgv /usr/bin/gpgv2 + echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die + echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die + + dodir /etc/env.d + echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die + + use doc && dodoc doc/gnupg.html/* +} + +my_src_install_all() { + einstalldocs + + use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot} + use doc && dodoc doc/*.png + + # Dropped upstream in https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed. + dodoc "${FILESDIR}"/README-systemd + systemd_douserunit "${GNUPG_SYSTEMD_UNITS[@]/#/${T}/}" +} diff --git a/app-crypt/gnupg/metadata.xml b/app-crypt/gnupg/metadata.xml index c6692d9cdbf4..9cfaddc1cdbe 100644 --- a/app-crypt/gnupg/metadata.xml +++ b/app-crypt/gnupg/metadata.xml @@ -1,20 +1,11 @@ <?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd"> +<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd"> <pkgmetadata> - <maintainer type="person"> - <email>zlogene@gentoo.org</email> - <name>Mikle Kolyada</name> - </maintainer> - <maintainer type="person"> - <email>polynomial-c@gentoo.org</email> - <name>Lars Wendler</name> + <maintainer type="project"> + <email>base-system@gentoo.org</email> + <name>Gentoo Base System</name> </maintainer> <use> - <flag name="scd-shared-access"> - Allow concurrent access to scdaemon by multiple apps from same - user. Useful if you want to use scdaemon with gnupg and for - example NitroKey. - </flag> <flag name="smartcard"> Build scdaemon software. Enables usage of OpenPGP cards. For other type of smartcards, try <pkg>app-crypt/gnupg-pkcs11-scd</pkg>. @@ -32,6 +23,9 @@ <flag name="tools"> Install extra tools (including gpgsplit and gpg-zip). </flag> + <flag name="tpm"> + Enable TPM support via <pkg>app-crypt/tpm2-tss</pkg> and build tpm2d. + </flag> <flag name="wks-server"> Install the wks-server </flag> |