From 124246206faf37b901c930a87f15578cb7c8719e Mon Sep 17 00:00:00 2001 
From: Peter Michael Green
Date: Wed, 25 Jul 2018 11:25:32 +0100
Subject: [PATCH] Import gnupg2_2.2.9-1+rpi1.debian.tar.bz2
[dgit import tarball gnupg2 2.2.9-1+rpi1 gnupg2_2.2.9-1+rpi1.debian.tar.bz2]
---
NEWS | 8 +
Xsession.d/90gpg-agent | 22 +
changelog | 2256 +++++++++++++++++
clean | 9 +
compat | 1 +
control | 502 ++++
copyright | 253 ++
dirmngr.NEWS | 49 +
dirmngr.README.Debian | 47 +
dirmngr.docs | 5 +
dirmngr.install | 6 +
dirmngr.links | 1 +
dirmngr.maintscript | 5 +
dirmngr.manpages | 2 +
gbp.conf | 37 +
gnupg-l10n.install | 2 +
gnupg-utils.install | 10 +
gnupg-utils.manpages | 10 +
gnupg.README.Debian | 44 +
gnupg.docs | 8 +
gnupg.info | 3 +
gnupg2.links | 2 +
gpg-agent.NEWS | 19 +
gpg-agent.README.Debian | 82 +
gpg-agent.examples | 2 +
gpg-agent.install | 11 +
gpg-agent.links | 6 +
gpg-agent.logcheck.ignore.server | 11 +
gpg-agent.manpages | 3 +
gpg-check-pattern.1 | 35 +
gpg-wks-client.1 | 178 ++
gpg-wks-client.install | 1 +
gpg-wks-client.manpages | 1 +
gpg-wks-server.1 | 180 ++
gpg-wks-server.install | 1 +
gpg-wks-server.manpages | 1 +
gpg-zip.1 | 102 +
gpg.install | 1 +
gpg.manpages | 1 +
gpgcompose.1 | 56 +
gpgcompose.install | 1 +
gpgcompose.manpages | 1 +
gpgconf.examples | 1 +
gpgconf.install | 3 +
gpgconf.manpages | 2 +
gpgsm.install | 1 +
gpgsm.manpages | 1 +
gpgsplit.1 | 41 +
gpgv-static.1 | 32 +
gpgv-static.install | 1 +
gpgv-static.lintian-overrides | 3 +
gpgv-static.manpages | 1 +
gpgv-udeb.install | 1 +
gpgv-win32.install | 1 +
gpgv.install | 1 +
gpgv.manpages | 1 +
gpgv2.links | 2 +
kbxutil.1 | 62 +
lspgpot.1 | 22 +
migrate-pubring-from-classic-gpg | 76 +
migrate-pubring-from-classic-gpg.1 | 50 +
org.gnupg.scdaemon.metainfo.xml | 42 +
package-dependencies.dot | 73 +
...Avoid-simple-memory-dumps-via-ptrace.patch | 88 +
.../debian-packaging/avoid-beta-warning.patch | 44 +
...erating-defsincdate-use-shipped-file.patch | 37 +
...automatically-checking-upstream-swdb.patch | 47 +
...mngr-Avoid-need-for-hkp-housekeeping.patch | 226 ++
...d-potential-race-condition-when-some.patch | 81 +
...x-cancellation-handling-for-scdaemon.patch | 140 +
...ime-configuration-of-s2k-calibration.patch | 72 +
...assuan-Reorganize-waiting-for-socket.patch | 117 +
...ntial-decay-for-first-1s-of-spinlock.patch | 71 +
.../common-Fix-gnupg_wait_processes.patch | 82 +
patches/from-master/gpg-Fix-comparison.patch | 26 +
.../gpg-default-to-3072-bit-RSA-keys.patch | 116 +
.../from-master/gpg-default-to-AES-256.patch | 35 +
.../gpgsm-default-to-3072-bit-keys.patch | 130 +
...sh-cancel-by-user-and-protocol-error.patch | 68 +
...ads-to-interrupt-main-select-loop-wi.patch | 93 +
...duled-checks-on-socket-when-inotify-.patch | 26 +
...Avoid-tight-timer-tick-when-possible.patch | 101 +
...Create-framework-of-scheduled-timers.patch | 191 ++
patches/series | 23 +
...certificate-details-when-showing-wit.patch | 51 +
...HA-512-for-all-signature-types-on-RS.patch | 64 +
...A-512-and-SHA-384-in-personal-digest.patch | 46 +
rules | 89 +
scdaemon.examples | 1 +
scdaemon.install | 2 +
scdaemon.manpages | 1 +
scdaemon.udev | 63 +
simplified-package-dependencies.dot | 43 +
source/format | 1 +
source/lintian-overrides | 2 +
source/options | 3 +
systemd-environment-generator/90gpg-agent | 10 +
tests/control | 3 +
tests/gpgv-win32 | 54 +
upstream/signing-key.asc | 109 +
watch | 5 +
101 files changed, 6753 insertions(+)
create mode 100644 NEWS
create mode 100644 Xsession.d/90gpg-agent
create mode 100644 changelog
create mode 100644 clean
create mode 100644 compat
create mode 100644 control
create mode 100644 copyright
create mode 100644 dirmngr.NEWS
create mode 100644 dirmngr.README.Debian
create mode 100644 dirmngr.docs
create mode 100644 dirmngr.install
create mode 100644 dirmngr.links
create mode 100644 dirmngr.maintscript
create mode 100644 dirmngr.manpages
create mode 100644 gbp.conf
create mode 100644 gnupg-l10n.install
create mode 100644 gnupg-utils.install
create mode 100644 gnupg-utils.manpages
create mode 100644 gnupg.README.Debian
create mode 100644 gnupg.docs
create mode 100644 gnupg.info
create mode 100644 gnupg2.links
create mode 100644 gpg-agent.NEWS
create mode 100644 gpg-agent.README.Debian
create mode 100644 gpg-agent.examples
create mode 100644 gpg-agent.install
create mode 100644 gpg-agent.links
create mode 100644 gpg-agent.logcheck.ignore.server
create mode 100644 gpg-agent.manpages
create mode 100644 gpg-check-pattern.1
create mode 100644 gpg-wks-client.1
create mode 100644 gpg-wks-client.install
create mode 100644 gpg-wks-client.manpages
create mode 100644 gpg-wks-server.1
create mode 100644 gpg-wks-server.install
create mode 100644 gpg-wks-server.manpages
create mode 100644 gpg-zip.1
create mode 100644 gpg.install
create mode 100644 gpg.manpages
create mode 100644 gpgcompose.1
create mode 100644 gpgcompose.install
create mode 100644 gpgcompose.manpages
create mode 100644 gpgconf.examples
create mode 100644 gpgconf.install
create mode 100644 gpgconf.manpages
create mode 100644 gpgsm.install
create mode 100644 gpgsm.manpages
create mode 100644 gpgsplit.1
create mode 100644 gpgv-static.1
create mode 100644 gpgv-static.install
create mode 100644 gpgv-static.lintian-overrides
create mode 100644 gpgv-static.manpages
create mode 100644 gpgv-udeb.install
create mode 100644 gpgv-win32.install
create mode 100644 gpgv.install
create mode 100644 gpgv.manpages
create mode 100644 gpgv2.links
create mode 100644 kbxutil.1
create mode 100644 lspgpot.1
create mode 100755 migrate-pubring-from-classic-gpg
create mode 100644 migrate-pubring-from-classic-gpg.1
create mode 100644 org.gnupg.scdaemon.metainfo.xml
create mode 100644 package-dependencies.dot
create mode 100644 patches/block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch
create mode 100644 patches/debian-packaging/avoid-beta-warning.patch
create mode 100644 patches/debian-packaging/avoid-regenerating-defsincdate-use-shipped-file.patch
create mode 100644 patches/dirmngr-idling/dirmngr-Avoid-automatically-checking-upstream-swdb.patch
create mode 100644 patches/dirmngr-idling/dirmngr-Avoid-need-for-hkp-housekeeping.patch
create mode 100644 patches/dirmngr-idling/dirmngr-hkp-Avoid-potential-race-condition-when-some.patch
create mode 100644 patches/from-master/agent-Fix-cancellation-handling-for-scdaemon.patch
create mode 100644 patches/from-master/agent-compile-time-configuration-of-s2k-calibration.patch
create mode 100644 patches/from-master/assuan-Reorganize-waiting-for-socket.patch
create mode 100644 patches/from-master/assuan-Use-exponential-decay-for-first-1s-of-spinlock.patch
create mode 100644 patches/from-master/common-Fix-gnupg_wait_processes.patch
create mode 100644 patches/from-master/gpg-Fix-comparison.patch
create mode 100644 patches/from-master/gpg-default-to-3072-bit-RSA-keys.patch
create mode 100644 patches/from-master/gpg-default-to-AES-256.patch
create mode 100644 patches/from-master/gpgsm-default-to-3072-bit-keys.patch
create mode 100644 patches/from-master/scd-Distinguish-cancel-by-user-and-protocol-error.patch
create mode 100644 patches/gpg-agent-idling/agent-Allow-threads-to-interrupt-main-select-loop-wi.patch
create mode 100644 patches/gpg-agent-idling/agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch
create mode 100644 patches/gpg-agent-idling/agent-Avoid-tight-timer-tick-when-possible.patch
create mode 100644 patches/gpg-agent-idling/agent-Create-framework-of-scheduled-timers.patch
create mode 100644 patches/series
create mode 100644 patches/show-revocation-cert/gpg-Print-revocation-certificate-details-when-showing-wit.patch
create mode 100644 patches/update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch
create mode 100644 patches/update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch
create mode 100755 rules
create mode 100644 scdaemon.examples
create mode 100644 scdaemon.install
create mode 100644 scdaemon.manpages
create mode 100644 scdaemon.udev
create mode 100644 simplified-package-dependencies.dot
create mode 100644 source/format
create mode 100644 source/lintian-overrides
create mode 100644 source/options
create mode 100755 systemd-environment-generator/90gpg-agent
create mode 100644 tests/control
create mode 100755 tests/gpgv-win32
create mode 100644 upstream/signing-key.asc
create mode 100644 watch
diff --git a/NEWS b/NEWS
new file mode 100644
index 0000000..0a6a744
--- /dev/null
+++ b/NEWS
@@ -0,0 +1,8 @@
+gnupg2 (2.1.11-7+exp1) experimental; urgency=medium
+
+ The gnupg package now provides the "modern" version of GnuPG.
+
+ Please read /usr/share/doc/gnupg/README.Debian for details about the
+ transition from "classic" to "modern"
+
+ -- Daniel Kahn Gillmor Wed, 30 Mar 2016 09:59:35 -0400
diff --git a/Xsession.d/90gpg-agent b/Xsession.d/90gpg-agent
new file mode 100644
index 0000000..8b45b05
--- /dev/null
+++ b/Xsession.d/90gpg-agent
@@ -0,0 +1,22 @@
+# On systems with systemd running, we expect the agent to be launched
+# via systemd's user mode (see
+# /usr/lib/systemd/user/gpg-agent.{socket,service} and
+# systemd.unit(5)). This allows systemd to clean up the agent
+# automatically at logout.
+
+# If systemd is absent from your system, or you do not permit it to
+# run in user mode, then you may need to manually launch gpg-agent
+# from your session initialization with something like "gpgconf
+# --launch gpg-agent"
+
+# Nonetheless, ssh and older versions of gpg require environment
+# variables to be set in order to find the agent, so we will set those
+# here.
+
+agent_sock=$(gpgconf --list-dirs agent-socket)
+export GPG_AGENT_INFO=${agent_sock}:0:1
+if [ -n "$(gpgconf --list-options gpg-agent | \
+ awk -F: '/^enable-ssh-support:/{ print $10 }')" ]; then
+ export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+fi
+
diff --git a/changelog b/changelog
new file mode 100644
index 0000000..a2a23bf
--- /dev/null
+++ b/changelog
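Review bot: In Xsession.d/90gpg-agent, `agent_sock=$(gpgconf --list-dirs agent-socket)` is used without checking that gpgconf ran or printed anything, so a missing or failing gpgconf leaves `GPG_AGENT_INFO=:0:1` exported into the whole session. If the script that sources this file runs under `set -e` (not visible here), the failed assignment could also abort session start-up, which matters if this is installed as a conffile that outlives removal of the package. I would guard it, e.g. `if agent_sock=$(gpgconf --list-dirs agent-socket 2>/dev/null) && [ -n "$agent_sock" ]; then export GPG_AGENT_INFO="${agent_sock}:0:1"; fi`. The `SSH_AUTH_SOCK` line has the same gap: `export VAR=$(...)` hides the command's exit status and leaves the path unquoted, so assigning first and exporting the quoted value only when it is non-empty avoids pointing ssh at an empty or wrong socket.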
@@ -0,0 +1,2256 @@
+gnupg2 (2.2.9-1+rpi1) buster-staging; urgency=medium
+
+ * Disable testsuite.
+
+ -- Peter Michael Green Wed, 25 Jul 2018 10:25:32 +0000
+
+gnupg2 (2.2.9-1) unstable; urgency=medium
+
+ * New upstream release
+ * Standards-Version: bump to 4.1.5 (no changes needed)
+ * drop patches already upstream
+ * refresh patches
+
+ -- Daniel Kahn Gillmor Thu, 19 Jul 2018 14:02:31 -0400
+
+gnupg2 (2.2.8-3) unstable; urgency=medium
+
+ * Ensure arch: all gnupg package supports binMNUs
+
+ -- Daniel Kahn Gillmor Thu, 21 Jun 2018 12:18:14 -0400
+
+gnupg2 (2.2.8-2) unstable; urgency=medium
+
+ [ Daniel Kahn Gillmor ]
+ * import bugfixes and improvements from upstream/STABLE-BRANCH-2-2
+ * ensure that revocation certificates show up in --show-keys output
+ (see 7c79bf7f71aa594102cb684b0abd8331bdac4608)
+ * try passing not explicit paths to wine for the gpgv-win32 test
+ * d/copyright: clarify debian/* licensing
+ * convert gnupg metapackage to Architecture: all
+
+ [ Giovanni Mascellani ]
+ * avoid parallel tests on riscv64 (Closes: #901646)
+
+ -- Daniel Kahn Gillmor Wed, 20 Jun 2018 06:56:09 -0400
+
+gnupg2 (2.2.8-1) unstable; urgency=medium
+
+ * New upstream release
+ * refresh patches
+
+ -- Daniel Kahn Gillmor Fri, 08 Jun 2018 10:08:36 -0400
+
+gnupg2 (2.2.7-1) unstable; urgency=medium
+
+ * new upstream release
+ * update/refresh patches, improve patch description
+ * bump standards-version to 4.1.4 (no changes needed)
+
+ -- Daniel Kahn Gillmor Wed, 23 May 2018 11:50:27 -0400
+
+gnupg2 (2.2.5-1) unstable; urgency=medium
+
+ * New upstream release
+ * d/gbp.conf: use DEP-14 branch naming
+ * d/control: declare Rules-Requires-Root: no
+ * drop patches already applied upstream
+ * refresh patches
+
+ -- Daniel Kahn Gillmor Thu, 22 Feb 2018 14:20:18 -0800
+
+gnupg2 (2.2.4-3) unstable; urgency=medium
+
+ * version build-deps on mingw library toolchain (Closes: #889921)
+ * drop misbehaving upstream scd patch (Closes: #889751)
+
+ -- Daniel Kahn Gillmor Fri, 09 Feb 2018 13:51:35 -0500
+
+gnupg2 (2.2.4-2) unstable; urgency=medium
+
+ [ Daniel Kahn Gillmor ]
+ * move to debhelper 11
+ * d/control: move Vcs to salsa
+ * import more bugfixes and hardware from upstream
+
+ [ Helge Deller ]
+ * Fix FTBFS on hppa (Closes: #887843)
+
+ -- Daniel Kahn Gillmor Mon, 05 Feb 2018 23:07:21 -0500
+
+gnupg2 (2.2.4-1) unstable; urgency=medium
+
+ * New upstream release
+ * do not use uupdate (we use gbp-import-orig)
+ * dirmngr: cannot avoid idling in current arrangement
+ * adjusting fixes to gpgsm defaults
+ * prefer SHA-512 specifically on personal-digest-preferences.
+ * refresh patches
+ * Standards-Version: bump to 4.1.3 (no changes needed)
+ * drop unnecessary lintian override
+ * reflect actual requirement for libassuan
+ * import bugfixes from upstream
+
+ -- Daniel Kahn Gillmor Wed, 03 Jan 2018 12:43:40 -0500
+
+gnupg2 (2.2.3-1) unstable; urgency=medium
+
+ * New upstream release
+ * refreshed patches
+
+ -- Daniel Kahn Gillmor Thu, 30 Nov 2017 19:06:35 -0500
+
+gnupg2 (2.2.2-1) unstable; urgency=medium
+
+ * new upstream release.
+ * avoid testsuite delays from excess socket waiting
+ * clean up trailing whitespace in debian/{rules,changelog}
+ * drop patches already upstream
+ * refresh remaining patches
+
+ -- Daniel Kahn Gillmor Wed, 08 Nov 2017 20:09:33 +0100
+
+gnupg2 (2.2.1-5) unstable; urgency=medium
+
+ * block ptrace on scdaemon as well as gpg-agent (Closes: #878952)
+
+ -- Daniel Kahn Gillmor Fri, 27 Oct 2017 01:43:20 -0400
+
+gnupg2 (2.2.1-4) unstable; urgency=medium
+
+ * restore lintian override, because ftp-master isn't yet running lintian
+ 2.5.55 (see #877999 for more details)
+
+ -- Daniel Kahn Gillmor Thu, 19 Oct 2017 02:33:36 -0400
+
+gnupg2 (2.2.1-3) unstable; urgency=medium
+
+ * bugfix for multiple keyrings (Closes: #878812)
+ * drop an unnecessary lintian override
+
+ -- Daniel Kahn Gillmor Thu, 19 Oct 2017 00:23:41 -0400
+
+gnupg2 (2.2.1-2) unstable; urgency=medium
+
+ * adopt bugfixes and documentation improvements from upstream
+ * reorganize debian/patches for simpler maintenance
+ * move gnupg-l10n to Section: localization
+ * Standards-Version: bump to 4.1.1 (no changes needed)
+
+ -- Daniel Kahn Gillmor Tue, 10 Oct 2017 10:05:45 -0400
+
+gnupg2 (2.2.1-1) unstable; urgency=medium
+
+ * New upstream release
+ * drop patches already applied upstream
+
+ -- Daniel Kahn Gillmor Tue, 19 Sep 2017 08:26:26 -0400
+
+gnupg2 (2.2.0-3) unstable; urgency=medium
+
+ * avoid FTBFS when TZ=UTC-12 (Closes: #874617)
+
+ -- Daniel Kahn Gillmor Fri, 08 Sep 2017 02:10:02 -0400
+
+gnupg2 (2.2.0-2) unstable; urgency=medium
+
+ * dirmngr and gpgv-static are Multi-arch: foreign (Closes: #874111)
+ * update to stronger cryptographic defaults.
+ * use upstream gpg-agent-browser.socket systemd user service
+ * publish SSH_AUTH_SOCK for wayland users (Closes: #855868)
+
+ -- Daniel Kahn Gillmor Thu, 07 Sep 2017 19:20:35 -0400
+
+gnupg2 (2.2.0-1) unstable; urgency=medium
+
+ * New upstream release.
+ * drop patches already upstream
+ * scdaemon: bugfix from upstream for large ECC keys
+ * Standards-Version: bump to 4.1.0 (no changes needed)
+
+ -- Daniel Kahn Gillmor Wed, 06 Sep 2017 13:10:28 -0400
+
+gnupg2 (2.1.23-2) unstable; urgency=medium
+
+ * add openssh-client to build-deps for testing
+
+ -- Daniel Kahn Gillmor Sun, 13 Aug 2017 22:48:23 -0400
+
+gnupg2 (2.1.23-1) unstable; urgency=medium
+
+ * New upstream release
+ * move to unstable
+ * refresh patches
+ * keep default --no-auto-key-retrieve
+ * Standards-Version: 4.0.1 (Priority: extra -> optional)
+ * run tests in parallel
+
+ -- Daniel Kahn Gillmor Fri, 11 Aug 2017 09:56:05 -0400
+
+gnupg2 (2.1.22-1) experimental; urgency=medium
+
+ * New upstream release
+ * refreshed patches
+ * pulled a few bugfix patches from upstream
+ * simplify systemd user units
+
+ -- Daniel Kahn Gillmor Mon, 07 Aug 2017 01:17:19 -0400
+
+gnupg2 (2.1.21-4) experimental; urgency=medium
+
+ * package reorganization:
+ - new package 'gpg' is just for public key operations
+ - 'gnupg' package is the full suite
+ - 'gnupg-agent' package is renamed to 'gpg-agent'
+ - 'gpgconf' is a base package, other packages depend on it
+ - 'gnupg-utils' are a grab-bag of helper tools that may be useful
+ * scdaemon: add AppStream metainfo about supported smartcards
+
+ -- Daniel Kahn Gillmor Wed, 26 Jul 2017 12:50:55 -0400
+
+gnupg2 (2.1.21-3) experimental; urgency=medium
+
+ * include upstream bugfixes and improvements (Closes: #863221)
+ * build gpgcompose, ship new gpgcompose binary package
+ * upgrade to debhelper 10
+ * upgrade to Standards-Version 4.0.0 (no changes needed)
+
+ -- Daniel Kahn Gillmor Sun, 11 Jun 2017 01:50:30 +0200
+
+gnupg2 (2.1.21-2) experimental; urgency=medium
+
+ [ Stefan Bühler ]
+ * Create WKS server and client packages
+
+ [ Daniel Kahn Gillmor ]
+ * minor packaging cleanups
+ * more upstream bugfix and cleanup patches
+ * rename WKS packages to match the tool names
+
+ -- Daniel Kahn Gillmor Thu, 18 May 2017 18:02:46 -0400
+
+gnupg2 (2.1.21-1) experimental; urgency=medium
+
+ * new upstream release
+ * drop patches alread yupstream, refresh patches
+ * import post-release bugfixes from upstream
+
+ -- Daniel Kahn Gillmor Tue, 16 May 2017 22:42:20 -0400
+
+gnupg2 (2.1.20-4) experimental; urgency=medium
+
+ * avoid shipping or trying to use .skel files
+ * more bugfixes from upstream
+ * skip missing signing keys (Closes: #834922)
+ * prefer available smartcard
+
+ -- Daniel Kahn Gillmor Wed, 10 May 2017 14:59:02 -0400
+
+gnupg2 (2.1.20-3) experimental; urgency=medium
+
+ * more upstream bugfixes (Closes: #858400)
+
+ -- Daniel Kahn Gillmor Fri, 07 Apr 2017 11:36:51 -0400
+
+gnupg2 (2.1.20-2) experimental; urgency=medium
+
+ * more bugfix patches from upstream
+
+ -- Daniel Kahn Gillmor Thu, 06 Apr 2017 11:21:24 -0400
+
+gnupg2 (2.1.20-1) experimental; urgency=medium
+
+ * new upstream release
+ * drop patches already upstream, refresh patches
+ * import post-release bugfixes from upstream
+
+ -- Daniel Kahn Gillmor Wed, 05 Apr 2017 11:43:09 -0400
+
+gnupg2 (2.1.19-3) experimental; urgency=medium
+
+ * more patches from usptream
+ - test suite should now use /tmp and not require /run/user/
+
+ -- Daniel Kahn Gillmor Tue, 21 Mar 2017 12:34:47 -0400
+
+gnupg2 (2.1.19-2) experimental; urgency=medium
+
+ * more patches from upstream (Closes: #854829)
+ * add verbose=3 to the test suite as requested by upstream
+
+ -- Daniel Kahn Gillmor Mon, 20 Mar 2017 14:05:46 -0400
+
+gnupg2 (2.1.19-1) experimental; urgency=medium
+
+ * New upstream release (Closes: #854359)
+ * many post-release bugfixes from upstream
+ * add logcheck filters for gpg-agent (Closes: #856438)
+ * Upload to experimental due to the freeze
+
+ -- Daniel Kahn Gillmor Thu, 16 Mar 2017 12:47:40 -0400
+
+gnupg2 (2.1.18-6) unstable; urgency=medium
+
+ [ NIIBE Yutaka ]
+ * scdaemon: Fix duplicated entries (Closes: #855056).
+
+ -- Daniel Kahn Gillmor Mon, 13 Feb 2017 19:29:34 -0500
+
+gnupg2 (2.1.18-5) unstable; urgency=medium
+
+ [ Daniel Kahn Gillmor ]
+ * Xsession.d/90gpg-agent: use simpler and more direct gpgconf
+ invocations for socket names.
+
+ [ NIIBE Yutaka ]
+ * scdaemon.udev: Add Yubikey and Nitrokey (Closes: #648331, 734889).
+ * scdaemon fix for PC/SC (Closes: #852702, #854005, #854595, #854616).
+
+ -- Daniel Kahn Gillmor Mon, 13 Feb 2017 09:15:07 -0500
+
+gnupg2 (2.1.18-4) unstable; urgency=medium
+
+ [ Daniel Kahn Gillmor ]
+ * document that debian disables --allow-version-check
+ * docs, debugging, and bugfix patches from upstream (Closes: #852979)
+
+ [ NIIBE Yutaka ]
+ * scdaemon bugfixes
+
+ -- Daniel Kahn Gillmor Sat, 04 Feb 2017 22:03:26 -0500
+
+gnupg2 (2.1.18-3) unstable; urgency=medium
+
+ * fix searches for keys with raw addr-spec
+
+ -- Daniel Kahn Gillmor Wed, 25 Jan 2017 16:58:56 -0500
+
+gnupg2 (2.1.18-2) unstable; urgency=medium
+
+ * pull fixes from upstream (including a double-free in gpg-agent)
+
+ -- Daniel Kahn Gillmor Wed, 25 Jan 2017 09:29:25 -0500
+
+gnupg2 (2.1.18-1) unstable; urgency=medium
+
+ * New upstream release.
+
+ -- Daniel Kahn Gillmor Mon, 23 Jan 2017 23:12:35 -0500
+
+gnupg2 (2.1.17-6) unstable; urgency=medium
+
+ * Upstream patches, fixing unnecessary delay in gpg-agent (Closes: #851298)
+ * gpg-agent: avoid race in shutdown (Closes: #841143)
+ * improve dirmngr, gpg-agent README.Debian (Closes: #850982)
+ * clean up gpg-agent-idling patch
+
+ -- Daniel Kahn Gillmor Wed, 18 Jan 2017 14:40:41 -0500
+
+gnupg2 (2.1.17-5) unstable; urgency=medium
+
+ * more fixes from upstream (improving but not yet closing: #849845)
+ * gpg-agent: actively poll when shutdown is pending. Thanks, NIIBE
+ Yutaka! (addresses but does not close #841143)
+
+ -- Daniel Kahn Gillmor Wed, 11 Jan 2017 15:44:57 -0500
+
+gnupg2 (2.1.17-4) unstable; urgency=medium
+
+ * more patches from upstream, including dirmngr debugging
+ improvements
+ * resolve ambiguity in aliased options and commands (Closes: #850475)
+ * auto-enable gpg-agent and dirmngr for systemd user sessions
+ * enable easy reloads from systemd
+
+ -- Daniel Kahn Gillmor Tue, 10 Jan 2017 17:30:08 -0500
+
+gnupg2 (2.1.17-3) unstable; urgency=medium
+
+ * more bugfixes from upstream (improving but not yet closing: #849845)
+
+ -- Daniel Kahn Gillmor Tue, 03 Jan 2017 15:39:52 -0500
+
+gnupg2 (2.1.17-2) unstable; urgency=medium
+
+ * include patches from upstream to avoid build failures on 32-bit
+ arches.
+
+ -- Daniel Kahn Gillmor Sat, 24 Dec 2016 18:11:51 -0500
+
+gnupg2 (2.1.17-1) unstable; urgency=medium
+
+ * new upstream release.
+
+ -- Daniel Kahn Gillmor Sat, 24 Dec 2016 15:39:04 -0500
+
+gnupg2 (2.1.16-3) unstable; urgency=medium
+
+ * remove -pie from hppa, kfreebsd-amd64, and x32 builds of
+ gpgv-static (Closes: #846889)
+ * import several upstream bugfix patches (Closes: #846834, #846168)
+ * link gnupg-agent and scdaemon with Enhances/Suggests (Closes: #833518)
+
+ -- Daniel Kahn Gillmor Mon, 05 Dec 2016 15:34:49 -0500
+
+gnupg2 (2.1.16-2) unstable; urgency=medium
+
+ * avoid using adns, due to lack of security support (Closes: #845078)
+
+ -- Daniel Kahn Gillmor Mon, 21 Nov 2016 09:57:26 -0500
+
+gnupg2 (2.1.16-1) unstable; urgency=medium
+
+ * New upstream version
+ * dropped many patches already incorporated upstream
+
+ -- Daniel Kahn Gillmor Sun, 20 Nov 2016 23:22:49 -0500
+
+gnupg2 (2.1.15-9) unstable; urgency=medium
+
+ * Introduce gpgv-static package (Closes: #806940)
+ * more patches from upstream
+ * use adns for better DNS resolution in dirmngr
+ * add some import-options to
+ migrate-pubring-from-classic-gpg for better migration
+ * reorganize patches to distinguish debian variations from upstream
+ * set simple and easy defaults for keyservers
+ * help dirmngr and gpg-agent idle better in the default case
+
+ -- Daniel Kahn Gillmor Thu, 10 Nov 2016 07:28:16 -0800
+
+gnupg2 (2.1.15-8) unstable; urgency=medium
+
+ * rename gpg-agent-restricted.socket to gpg-agent-extra.socket
+ (for symmetry with option names and actual sockets created)
+
+ -- Daniel Kahn Gillmor Thu, 27 Oct 2016 13:54:53 -0400
+
+gnupg2 (2.1.15-7) unstable; urgency=medium
+
+ * more upstream patches
+ * dirmngr systemd user service is now socket-activated.
+
+ -- Daniel Kahn Gillmor Thu, 27 Oct 2016 12:48:15 -0400
+
+gnupg2 (2.1.15-6) unstable; urgency=medium
+
+ * more upstream patches (Closes: #841437, #840680)
+
+ -- Daniel Kahn Gillmor Wed, 26 Oct 2016 17:44:20 -0400
+
+gnupg2 (2.1.15-5) unstable; urgency=medium
+
+ * added udev rules for Fujitsu Siemens cardreader (Closes: #840312)
+ * mark transitional packages Multi-Arch: Foreign (closes: #840258)
+ * make gnupg2 binNMU-safe
+ * more patches from upstream
+ * track upstream decision-making about gpg-agent socket names
+
+ -- Daniel Kahn Gillmor Tue, 25 Oct 2016 21:30:06 -0400
+
+gnupg2 (2.1.15-4) unstable; urgency=medium
+
+ * update debian/tests/gpgv-win32
+ * more patches from upstream (Closes: #838153)
+ * tighten dependencies between gnupg and dirmngr (Closes: #834602)
+ * updated systemd user gpg-agent units for socket activation
+
+ -- Daniel Kahn Gillmor Tue, 04 Oct 2016 17:22:30 -0400
+
+gnupg2 (2.1.15-3) unstable; urgency=medium
+
+ * Use upstream fix to avoid touching homedir during test suite
+ * backward compatibility for preset-passphrase and protect-tool
+ * add Breaks: for python3-apt too (thanks, Harald Jenny!)
+ * Avoid network access during tests (Closes: #836259)
+ * more patches from upstream
+ - gpgv --output now works
+ - fingerprint display doesn't vary with --keyid-format
+ - minor cleanup to scdaemon dealing with removed cards
+
+ -- Daniel Kahn Gillmor Wed, 14 Sep 2016 17:08:58 -0400
+
+gnupg2 (2.1.15-2) unstable; urgency=medium
+
+ * restore keyid output in gpgv (Closes: #836144)
+ * avoid test suite failures when HOME does not exist
+
+ -- Daniel Kahn Gillmor Wed, 31 Aug 2016 12:37:48 -0400
+
+gnupg2 (2.1.15-1) unstable; urgency=medium
+
+ * new upstream release
+ - blocks signals during keyring updates (Closes: #293556)
+ * avoid libusb on hurd. Thanks, Pino Toscano! (Closes: #834533)
+ * permissions on test suite are already fixed
+ * drop patches applied upstream and refresh remaining patches
+ * make gnupg2 reproducible by not regenerating documentation date
+ * make autopkgtest work with modern wine (Closes: #835976)
+ * wrap-and-sort -ast for cleaner diffs
+ * add versioned Breaks: for affected packages (Closes: #835349)
+ - gpgv Breaks: python-debian << 0.1.29 (addresses: #782904)
+ - gnupg Breaks: php-crypt-gpg <= 1.4.1-1 (addresses #835592)
+ - gnupg Breaks: python-apt <= 1.1.0~beta4 (addresses: #835465)
+ - gnupg Breaks: python-gnupg << 0.3.8-3 (addresses: #834514, #834600)
+ - gnupg Breaks: libgnupg-interface-perl << 0.52-3 (addresses: #834281)
+ - gnupg Breaks: libmail-gnupg-perl <= 0.22-1 (addresses: #835075)
+ - gnupg Breaks: libgnupg-perl << 0.19-1 (addresses: #834522)
+
+ -- Daniel Kahn Gillmor Tue, 30 Aug 2016 13:19:23 -0400
+
+gnupg2 (2.1.14-5) unstable; urgency=medium
+
+ * actually ship /usr/share/doc/gnupg/README.Debian
+ * Release to unstable.
+
+ -- Daniel Kahn Gillmor Fri, 12 Aug 2016 16:27:22 -0400
+
+gnupg2 (2.1.14-4) experimental; urgency=medium
+
+ * add ZeitControl card (Closes: #814584)
+ * three more fixes from upstream
+
+ -- Daniel Kahn Gillmor Mon, 08 Aug 2016 12:54:21 -0400
+
+gnupg2 (2.1.14-3) experimental; urgency=medium
+
+ * cleanup debian/copyright
+ * update debian/watch
+
+ -- Daniel Kahn Gillmor Wed, 03 Aug 2016 11:09:05 -0400
+
+gnupg2 (2.1.14-2) experimental; urgency=medium
+
+ * mark the gpgv binary as Priority: important, since apt depends on it
+ * import a bunch of fixes from upstream
+ * include permissioning on patched-in tests
+ * Breaks: some packages that expect old gpg behavior (Closes: #831500)
+ * remove scdaemon.service; it will be managed by gpg-agent.service
+ * avoid bulleted items in debian/NEWS (thanks, Lintian!)
+ * debian/copyright: cleanup, fix URLs
+ * debian/control: use standard URL for Vcs-Browser
+ * fix spelling and grammar noticed by lintian
+ * avoid lintian notes about a misspelled "written"
+ * clean up gpgv2 Description
+ * break out arch-indep localization files into new gnupg-l10n package
+
+ -- Daniel Kahn Gillmor Mon, 01 Aug 2016 17:54:59 -0400
+
+gnupg2 (2.1.14-1) experimental; urgency=medium
+
+ * New upstream release
+
+ -- Daniel Kahn Gillmor Fri, 15 Jul 2016 01:39:25 +0200
+
+gnupg2 (2.1.13-5) experimental; urgency=medium
+
+ * dependency cleanup!
+ - make Recommends: strictly versioned between gnupg and {gpg-agent,dirmngr}
+ - make gnupg Provide: gpg and mention it in the package description
+ - drop mention of newpg, which has not been in debian for many releases
+ - gnupg2 2.0.18 predates debian wheezy, which is oldstable; drop mention
+ in debian/control
+ - drop Suggests: gnupg-doc, which does not appear to be maintained
+ - drop all references to gpg-idea, which has not been in debian for
+ several releases
+ - removed dependency on "dpkg (>= 1.15.4) | install-info", since that
+ dpkg version predates oldstable (wheezy)
+
+ -- Daniel Kahn Gillmor Mon, 04 Jul 2016 10:13:42 -0400
+
+gnupg2 (2.1.13-4) experimental; urgency=medium
+
+ * add binutils-multiarch [!amd64 !i386] to Build-Depends-Indep: so that
+ we can generate win32 packages on non-x86 platforms.
+
+ -- Daniel Kahn Gillmor Fri, 01 Jul 2016 11:30:28 -0400
+
+gnupg2 (2.1.13-3) experimental; urgency=medium
+
+ * pull bugfixes from upstream (Closes: #828109, #814584)
+ * should also allow for reproducible builds, with fix to
+ timestamps in tofu.test
+ * provide supervised dirmngr, gpg-agent, and scdaemon services from
+ systemd's user sessioniif the user wants to enable them. These
+ services should terminate at logout (Closes: #825911)
+ * avoid launching gpg-agent from Xsession.d since we have more robust
+ session management available (added NEWS entry about this change)
+ * gnupg-agent now Provides: gpg-agent to mitigate common confusion.
+ * updated dirmngr package description.
+
+ -- Daniel Kahn Gillmor Tue, 28 Jun 2016 13:46:36 -0400
+
+gnupg2 (2.1.13-2) experimental; urgency=medium
+
+ * brown paper bag time: fix build-dep from libusb-1.0.0-dev to
+ libusb-1.0-0-dev
+
+ -- Daniel Kahn Gillmor Fri, 17 Jun 2016 23:07:43 -0400
+
+gnupg2 (2.1.13-1) experimental; urgency=medium
+
+ * New upstream release
+ - new keyid-format "none", used by default (Closes: #826273)
+ * Build-depend on libusb-1.0.0-dev to ensure smartcards work (Thanks,
+ gniibe!)
+
+ -- Daniel Kahn Gillmor Thu, 16 Jun 2016 18:30:36 -0400
+
+gnupg2 (2.1.12-1) experimental; urgency=medium
+
+ * New upstream release
+
+ -- Daniel Kahn Gillmor Tue, 10 May 2016 20:58:06 -0400
+
+gnupg2 (2.1.11-7+exp1) experimental; urgency=medium
+
+ * switching over binary package names in experimental -- gnupg2 source
+ package now provides gnupg and gpgv
+
+ -- Daniel Kahn Gillmor Mon, 18 Apr 2016 19:17:19 -0400
+
+gnupg2 (2.1.11-7) unstable; urgency=medium
+
+ * move to unstable
+ * re-enable test suites on mips and mipsel since #730846 is resolved
+
+ -- Daniel Kahn Gillmor Mon, 18 Apr 2016 07:45:16 -0400
+
+gnupg2 (2.1.11-6+exp4) experimental; urgency=medium
+
+ * stop using help2man to fix cross-building
+ * ensure gpgv-win32 is properly stripped
+ * enable autopkgtest to run without root on systems that already have
+ wine32 installed
+
+ -- Daniel Kahn Gillmor Fri, 01 Apr 2016 13:08:07 -0300
+
+gnupg2 (2.1.11-6+exp3) experimental; urgency=medium
+
+ * more cleanup on arch-dependent packages.
+
+ -- Daniel Kahn Gillmor Wed, 30 Mar 2016 03:36:18 -0400
+
+gnupg2 (2.1.11-6+exp2) experimental; urgency=medium
+
+ * avoid build failures when building only arch-dependent or only
+ arch-independent packages.
+
+ -- Daniel Kahn Gillmor Wed, 30 Mar 2016 02:59:18 -0400
+
+gnupg2 (2.1.11-6+exp1) experimental; urgency=medium
+
+ * take over gpgv-win32 from gnupg 1.4 packaging
+
+ -- Daniel Kahn Gillmor Mon, 28 Mar 2016 23:27:43 -0400
+
+gnupg2 (2.1.11-6) unstable; urgency=medium
+
+ * avoid FTBFS with patch from upstream (Closes: #814842)
+ * bumped standards-version to 3.9.7 (no changes needed)
+
+ -- Daniel Kahn Gillmor Tue, 01 Mar 2016 09:36:41 +0100
+
+gnupg2 (2.1.11-5) unstable; urgency=medium
+
+ * taking over gpgv-udeb from gnupg 1.4 packaging
+ * debian/control: use secure transport for Vcs-* and Homepage
+
+ -- Daniel Kahn Gillmor Thu, 04 Feb 2016 17:17:47 -0500
+
+gnupg2 (2.1.11-4) unstable; urgency=medium
+
+ * disable gpgtar, since it is causing unpredictable testsuite failures
+ and we don't ship it anyway.
+
+ -- Daniel Kahn Gillmor Wed, 03 Feb 2016 11:57:57 -0500
+
+gnupg2 (2.1.11-3) unstable; urgency=medium
+
+ * trying again to get a proper dump of the gpgtar.test.log. sigh.
+
+ -- Daniel Kahn Gillmor Thu, 28 Jan 2016 08:34:22 -0500
+
+gnupg2 (2.1.11-2) unstable; urgency=medium
+
+ * added temporary hook to view failing gpgtar test output on build
+ daemons since i can't replicate the failures on my own build systems.
+
+ -- Daniel Kahn Gillmor Thu, 28 Jan 2016 00:53:29 -0500
+
+gnupg2 (2.1.11-1) unstable; urgency=medium
+
+ * new upstream release
+ - drops buggy attempt to detect duplicate keys (Closes: #807819)
+ * removed -dbg package, since we have automatic -dbgsym packages now
+ * removed undocumented gpgkey2ssh; use gpg --export-ssh-key instead
+
+ -- Daniel Kahn Gillmor Mon, 25 Jan 2016 15:29:25 -0500
+
+gnupg2 (2.1.10-3) unstable; urgency=medium
+
+ * avoid infinite loop when doing --gen-revoke by fingerprint
+
+ -- Daniel Kahn Gillmor Sat, 12 Dec 2015 16:53:40 -0500
+
+gnupg2 (2.1.10-2) unstable; urgency=medium
+
+ * actually use sks-keyservers CA by default if the user asks for
+ hkps://hkps.pool.sks-keyservers.net
+ * move ownership of some files in /usr/share/gnupg2/ to more appropriate
+ owners like gpgsm and dirmngr.
+
+ -- Daniel Kahn Gillmor Fri, 11 Dec 2015 17:06:10 -0500
+
+gnupg2 (2.1.10-1) unstable; urgency=medium
+
+ * new upstream release
+ * ship sks-keyservers.netCA.pem in dirmngr to make it easier to use hkps.
+ * avoid shipping Changelog-2011, use upstream ChangeLog (Closes:
+ #803225)
+
+ -- Daniel Kahn Gillmor Wed, 09 Dec 2015 12:05:42 -0500
+
+gnupg2 (2.1.9-1) unstable; urgency=medium
+
+ * New upstream release
+
+ -- Daniel Kahn Gillmor Tue, 13 Oct 2015 10:04:33 -0400
+
+gnupg2 (2.1.8-2) UNRELEASED; urgency=medium
+
+ [ NIIBE Yutaka ]
+ * update scdaemon dependencies
+
+ [ Daniel Kahn Gillmor ]
+ * correct ssh fingerprint for ECDSA nistp384 (Closes: #795636)
+
+ -- Daniel Kahn Gillmor Thu, 17 Sep 2015 00:00:28 -0400
+
+gnupg2 (2.1.8-1) unstable; urgency=medium
+
+ * New upstream release
+
+ -- Daniel Kahn Gillmor Thu, 10 Sep 2015 17:00:06 -0400
+
+gnupg2 (2.1.7-2) unstable; urgency=medium
+
+ * upload to unstable
+
+ -- Daniel Kahn Gillmor Tue, 11 Aug 2015 21:24:18 -0400
+
+gnupg2 (2.1.7-1) experimental; urgency=medium
+
+ * new upstream release
+ * block ptrace connections to gpg-agent
+
+ -- Daniel Kahn Gillmor Tue, 11 Aug 2015 20:05:38 -0400
+
+gnupg2 (2.1.6-1) experimental; urgency=medium
+
+ * new upstream release
+ * drop deprecated gpgsm-gencert.sh
+
+ -- Daniel Kahn Gillmor Tue, 07 Jul 2015 14:27:23 -0400
+
+gnupg2 (2.1.5-2) experimental; urgency=medium
+
+ [ Daniel Kahn Gillmor ]
+ * pass DBUS_SESSION_BUS_ADDRESS through to the agent so that
+ pinentry-gnome3 can work across sessions.
+ * ensure that l10n files are rebuilt.
+
+ [ Eric Dorland ]
+ * debian/patches/0003-Include-defs.inc-in-BUILT_SOURCES.patch: Fix for
+ build failure when rebuilding info docs.
+
+ -- Daniel Kahn Gillmor Tue, 30 Jun 2015 18:13:58 -0400
+
+gnupg2 (2.1.5-1) experimental; urgency=medium
+
+ * New upstream release
+
+ -- Daniel Kahn Gillmor Thu, 11 Jun 2015 13:18:56 -0400
+
+gnupg2 (2.1.4-2) experimental; urgency=medium
+
+ * avoid excess dependencies on headless servers (Closes: #753163)
+
+ -- Daniel Kahn Gillmor Wed, 03 Jun 2015 14:12:49 -0400
+
+gnupg2 (2.1.4-1) experimental; urgency=medium
+
+ * New upstream release.
+
+ -- Daniel Kahn Gillmor Thu, 28 May 2015 00:25:55 -0400
+
+gnupg2 (2.1.3-1) experimental; urgency=medium
+
+ * New upstream version.
+ * Add gnupg2-dbg (Closes: #781631)
+
+ -- Daniel Kahn Gillmor Wed, 01 Apr 2015 12:10:38 -0400
+
+gnupg2 (2.1.2-2) experimental; urgency=medium
+
+ * Fix segv due to NULL value stored as opaque MPI.
+
+ -- Daniel Kahn Gillmor Sat, 21 Feb 2015 10:26:50 -0500
+
+gnupg2 (2.1.2-1) experimental; urgency=medium
+
+ * New upstream version
+ * move from automake1.11 to plain automake (upstream uses 1.14 now)
+
+ -- Daniel Kahn Gillmor Thu, 12 Feb 2015 20:10:43 -0500
+
+gnupg2 (2.1.1-1) experimental; urgency=medium
+
+ * New upstream version (closes: #772654)
+ * gnupg2 now Breaks: older versions of dirmngr (closes: #769460)
+
+ -- Daniel Kahn Gillmor Tue, 16 Dec 2014 14:58:06 -0500
+
+gnupg2 (2.1.0-1) experimental; urgency=medium
+
+ * import upstream 2.1.0 release.
+ * drop debian/patches/speed-up-test-suite.patch -- included upstream.
+ * avoid self-reporting as a beta now that this is a release
+
+ -- Daniel Kahn Gillmor Thu, 06 Nov 2014 12:31:06 -0500
+
+gnupg2 (2.1.0~beta895-3) experimental; urgency=medium
+
+ * update gnupg-agent.xsession to export ssh-agent where
+ configured. (Closes: #767341)
+ * use cheap/fast entropy for the test suite so that builds on
+ low-entropy machines go faster.
+
+ -- Daniel Kahn Gillmor Thu, 30 Oct 2014 13:37:08 -0400
+
+gnupg2 (2.1.0~beta895-2) experimental; urgency=medium
+
+ * added pkg-config to Build-Depends.
+
+ -- Daniel Kahn Gillmor Wed, 29 Oct 2014 18:36:27 -0400
+
+gnupg2 (2.1.0~beta895-1) experimental; urgency=medium
+
+ * new upstream version in experimental (Closes: #762844, #751266, #762844)
+ * ship /usr/bin/gpgparsemail (Closes: #760575)
+ * document that doc/OpenPGP is not actually an RFC, but just refers to
+ one (closes: #745410)
+ * Bump Standards-Version to 3.9.6 (no changes needed)
+ * --enable-large-secmem to ensure that gpg2 works with pre-generated
+ oversized RSA keys
+ * updated /etc/X11/Xsession.d/90gpg-agent to export $GPG_AGENT_INFO
+ about the standard socket.
+
+ -- Daniel Kahn Gillmor Wed, 29 Oct 2014 17:53:06 -0400
+
+gnupg2 (2.0.28-3) unstable; urgency=medium
+
+ * pass DBUS_SESION_BUS_ADDRESS to the agent for gnome3.
+
+ -- Daniel Kahn Gillmor Sat, 04 Jul 2015 14:21:41 -0400
+
+gnupg2 (2.0.28-2) unstable; urgency=medium
+
+ * d/clean: drop stamp-po to rebuild l10n (Closes: #788989)
+
+ -- Daniel Kahn Gillmor Tue, 30 Jun 2015 17:17:11 -0400
+
+gnupg2 (2.0.28-1) unstable; urgency=medium
+
+ * new upstream release
+ * really address excess dependencies on headless server (thanks Raphaël
+ Halimi for noticing) (Closes: #753163)
+
+ -- Daniel Kahn Gillmor Tue, 02 Jun 2015 12:16:57 -0400
+
+gnupg2 (2.0.27-2) unstable; urgency=medium
+
+ * import upstream fix to avoid replicating unknown subkey
+ packets. (Closes: #787045) (Thanks, NIIBE Yutaka)
+
+ -- Daniel Kahn Gillmor Thu, 28 May 2015 00:55:51 -0400
+
+gnupg2 (2.0.27-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Provide a simple way for users to avoid gpg-agent hijacking,
+ working around: #760102 (Closes: #753163)
+
+ -- Daniel Kahn Gillmor Fri, 08 May 2015 18:15:15 -0400
+
+gnupg2 (2.0.26-6) unstable; urgency=medium
+
+ * Avoid NULL dereference with opaque MPI.
+
+ -- Daniel Kahn Gillmor Sat, 21 Feb 2015 18:01:40 -0500
+
+gnupg2 (2.0.26-5) unstable; urgency=medium
+
+ * import bug-fixes from upstream
+ (Closes: #773415, #773469, #773471, #773472, #773423)
+ * Fixes CVE-2015-1606 "Use after free, resulting from failure to skip
+ invalid packets", CVE-2015-1607 "memcpy with overlapping ranges,
+ resulting from incorrect bitwise left shifts" (Closes: #778577)
+
+ -- Daniel Kahn Gillmor Mon, 16 Feb 2015 17:45:06 -0500
+
+gnupg2 (2.0.26-4) unstable; urgency=medium
+
+ [ David Prévot ]
+ * Update POT and PO files, and ensure the translations get rebuild
+ * Update French translation (Closes: #769574)
+ * Update Ukrainian translation, thanks to Yuri Chornoivan
+ * Update German translation, thanks to Werner Koch
+ * Update Danish translation, thanks to Joe Hansen
+ * Update Japanese translation, thanks to NIIBE Yutaka
+ * Update Chinese (traditional) translation, thanks to Jedi Lin
+ * Update Russian translation, thanks to Ineiev
+ * Update Polish translation, thanks to Jakub Bogusz
+ * Update Spanish translation, thanks to Manuel "Venturi" Porras Peralta
+ (Closes: #770727)
+ * New Dutch translation, thanks to Frans Spiesschaert (Closes: #770981)
+
+ [ Daniel Kahn Gillmor ]
+ * bugfix and cryptographic safety changes imported from upstream:
+ - Avoid regression when adding subkeys with strong s2k algorithms
+ (Closes: #772780) Thanks, NIIBE Yutaka
+ - Allow french translation to work when prompting for passphrase.
+ - add build and runtime support for larger RSA keys (Closes: #739424)
+ - fix runtime errors on bad input (Closes: #771987)
+ - deprecate insecure one-argument variant for gpg --verify of detached
+ signatures (Closes: #771992)
+ - initialize trustdb before trying to clear it (Closes: #735363)
+ - default to issuing SHA256 signatures for RSA
+ - avoid relying on MD5 signatures
+ - show v3 key fingerprints as all zero (OpenPGPv3 is deprecated)
+
+ -- Daniel Kahn Gillmor Sun, 04 Jan 2015 17:17:00 -0500
+
+gnupg2 (2.0.26-3) unstable; urgency=medium
+
+ * fix typo in gpg.info (closes: #760273)
+ * drop versioned Build-Conflicts on automake by setting environment
+ variables in debian/rules
+ * ship /usr/bin/gpgparsemail (closes: #760575)
+ * warn but don't fail when scdaemon options are in ~/.gnupg/gpg.conf
+ (closes: #762844)
+ * do not break on --trust-model=always (closes: #751266)
+ * document that doc/OpenPGP is not actually an RFC, but just refers to
+ one (closes: #745410)
+ * Bump Standards-Version to 3.9.6 (no changes needed)
+
+ -- Daniel Kahn Gillmor Tue, 30 Sep 2014 23:39:15 -0400
+
+gnupg2 (2.0.26-2) unstable; urgency=medium
+
+ * ignore emacs turds in debian/
+ * update Vcs fields
+ * move package to group maintenance
+ * wrap-and-sort cleanup of debian/*
+
+ -- Daniel Kahn Gillmor Thu, 28 Aug 2014 11:42:18 -0700
+
+gnupg2 (2.0.26-1) unstable; urgency=medium
+
+ * New upstream release.
+ * debian/control: Suggest parcimonie. Thanks ilf. (Closes: #752261)
+
+ -- Eric Dorland Tue, 19 Aug 2014 18:09:08 -0400
+
+gnupg2 (2.0.25-2) unstable; urgency=medium
+
+ * debian/control: Switch to libgcrypt20-dev (aka 1.6 release).
+
+ -- Eric Dorland Fri, 08 Aug 2014 14:12:05 -0400
+
+gnupg2 (2.0.25-1) unstable; urgency=medium
+
+ * New upstream release.
+
+ -- Eric Dorland Mon, 30 Jun 2014 13:10:04 -0400
+
+gnupg2 (2.0.24-1) unstable; urgency=high
+
+ * New upstream release. Fixes CVE-2014-4617 "infinite loop when
+ decompressing data packets".
(Closes: #752498)
+ * debian/patches/02-gpgv2-dont-link-libassuan.diff: Drop, now
+ upstreamed.
+
+ -- Eric Dorland Wed, 25 Jun 2014 00:11:19 -0400
+
+gnupg2 (2.0.23-1) unstable; urgency=medium
+
+ * New upstream release.
+ * debian/upstream/signing-key.asc: Rename upstream-signing-key.pgp to
+ the new, supported name.
+ * debian/control: Restore versioned conflict against gpg-idea. (Closes:
+ #733984)
+ * debian/control: Add Recommends on dirmngr for gpgsm. (Closes: #683579)
+
+ -- Eric Dorland Sun, 08 Jun 2014 19:20:17 -0400
+
+gnupg2 (2.0.22-3) unstable; urgency=low
+
+ * debian/watch, debian/upstream-signing-key.pgp: Add upstream signing
+ key for uscan verification.
+ * debian/kbxutil.1, debian/rules: Add better description and regenerate
+ the manpage.
+ * debian/control: Remove version on gpg-idea conflict, add missing
+ Breaks for gpgsm and convert Conflicts to Breaks for gpgv2.
+ * debian/control: Move gnupg-agent to Depends for gpgsm instead of
+ Replaces (which in turn should have been Recommends).
+ * debian/control: Standards-Version to 3.9.5.
+ * debian/copyright: Switch to a shiny DEP-5 copyright file.
+
+ -- Eric Dorland Wed, 01 Jan 2014 22:56:56 -0500
+
+gnupg2 (2.0.22-2) unstable; urgency=low
+
+ * debian/control: Fix Build-Conflicts on newer automakes. Thanks Chris
+ Boot. (Closes: #726015)
+ * debian/control: IDEA is no longer patented, drop its metion from the
+ description. Thanks brian m. carlson. (Closes: #726139)
+ * debian/rules: Disable the test suite on mips and mipsel to work around
+ Bug:#730846.
+
+ -- Eric Dorland Sat, 30 Nov 2013 23:47:56 -0500
+
+gnupg2 (2.0.22-1) unstable; urgency=low
+
+ * New upstream version. Fixes CVE-2013-4402 and CVE-2013-4351. (Closes:
+ #725433, #722724)
+ * debian/gnupg2.install: Install gnupg-card-architecture.png for the
+ info file.
+
+ -- Eric Dorland Sat, 05 Oct 2013 17:45:28 -0400
+
+gnupg2 (2.0.21-2) unstable; urgency=low
+
+ * debian/rules, debian/gnupg2.install: Switch libexecdir to
+ /usr/lib/gnupg2 to install helper binaries to a non-multiarch specific
+ location. (Closes: #717303)
+ * debian/control, debian/gpgv2.install: Split out gpgv2 into its own
+ package.
+ * debian/control, debian/gnupg2.install, debian/kbxutil.1: Add rule and
+ manpage for kbxutil using help2man. (Closes: #323494)
+ * debian/patches/02-gpgv2-dont-link-libassuan.diff: Don't link gpgv2
+ against libassuan as it's not used.
+ * debian/rules: Install changelog for gpgv2.
+
+ -- Eric Dorland Sun, 01 Sep 2013 00:42:16 -0400
+
+gnupg2 (2.0.21-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #613465, #720369)
+ * debian/patches/01-gnupg2-rename.diff: Refresh patch.
+ * debian/control: Fix Vcs-Git path.
+ * debian/control: Now depends on libgpg-error >= 1.11.
+ * debian/control: Build-Depends on automake1.11 since the test suite
+ fails on newer versions. (Closes: #713287)
+ * debian/control: Also need a Build-Conflicts on automake (<= 1.12).
+
+ -- Eric Dorland Sat, 24 Aug 2013 20:33:19 -0400
+
+gnupg2 (2.0.20-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #691237, #583893)
+ * debian/patches/02-cve-2012-6085.diff: Remove, merged upstream.
+ * debian/control: Upgrade Standards-Version to 3.9.4.
+ * debian/compat, debian/control: Upgrade to debhelper v9.
+ * debian/control, debian/rules: Drop hardening-wrapper, now that we use
+ debhelper v9.
+ * debian/scdaemon.install: scdaemon has moved under $libexecdir.
+ * debian/control: Tighten dependency on scdaemon.
+ * debian/rules: Turn on all hardening options.
+ * debian/patches/01-gnupg2-rename.diff: Refresh patch.
+ * debian/gnupg-agent.install, debian/gnupg2.install,
+ debian/scdaemon.install: Fix /usr/lib paths for multi-arch.
+ * debian/rules: Pass ${pkglibdir} to --libexecdir since dh v9 passes
+ ${libdir} by default.
+
+ -- Eric Dorland Sat, 11 May 2013 18:28:57 -0400
+
+gnupg2 (2.0.19-2) unstable; urgency=high
+
+ * debian/patches/02-cve-2012-6085.diff: Patch from upstream to fix
+ CVE-2012-6085, "gnupg key import memory corruption". (Closes: #697251)
+ * debian/control: Use canonical addresses for VCS.
+ * debian/control: Fix scdaemon short description.
+
+ -- Eric Dorland Fri, 04 Jan 2013 00:56:52 -0500
+
+gnupg2 (2.0.19-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #666092)
+ * debian/control: Add Multi-Arch: foreign to all packages.
+ * debian/rules: Update ChangeLog locations.
+
+ -- Eric Dorland Sat, 31 Mar 2012 01:06:02 -0400
+
+gnupg2 (2.0.18-2) unstable; urgency=low
+
+ * debian/control, debian/gpgsm.install, debian/scdaemon.install: Add a
+ separate package for the scdaemon. (Closes: #416129)
+ * debian/control, debian/gpgsm.install, debian/gnupg2.install,
+ gnupg-agent.install: Move gpg-preset-passphrase and gpg-protect-tool
+ into the gnupg-agent.
+ * debian/control: Upgrade Standards-Version to 3.9.2.
+ * debian/rules: Install ChangeLog for new scdaemon package.
+
+ -- Eric Dorland Sat, 15 Oct 2011 20:21:35 -0400
+
+gnupg2 (2.0.18-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #635206)
+ * debian/copyright: Update ftp location. (Closes: #624404)
+ * debian/patches/01-gnupg2-rename.diff: Refresh patch.
+
+ -- Eric Dorland Tue, 30 Aug 2011 03:43:20 -0400
+
+gnupg2 (2.0.17-3) unstable; urgency=low
+
+ * debian/rules: Convert the rules file to use the lovely dh format.
+ * debian/gnupg2.dirs, debian/gnupg-agent.dirs, debian/gpgsm.dirs: Remove
+ unless dirs files.
+ * debian/gnupg-agent.lintian-overrides, debian/gnupg2.lintian-overrides,
+ debian/gpgsm.lintian-overrides: Remove unneeded lintian-overrides files.
+
+ -- Eric Dorland Mon, 14 Feb 2011 03:17:39 -0500
+
+gnupg2 (2.0.17-2) unstable; urgency=low
+
+ * debian/control: Add dependency on dpkg (>= 1.15.4) | install-info for
+ info install trigger.
+ * debian/control, debian/rules: Use debian build hardening.
+
+ -- Eric Dorland Sun, 13 Feb 2011 16:33:17 -0500
+
+gnupg2 (2.0.17-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #584316, #603985, #603983, #603984)
+ * debian/patches/02-encode-s2k.diff,
+ debian/patches/03-gpgsm-realloc.diff, debian/patches/series: Drop now
+ unneeded security patches.
+ * debian/rules, debian/patches/01-gnupg2-rename.diff,
+ debian/gnupg2.info, debian/gnupg2.install: No need to rename the info
+ file anymore.
+ * debian/patches/01-gnupg2-rename.diff: Rename the autoconf package for
+ better renaming of pkg directories. (Closes: #579006)
+ * debian/control, debian/compat: Upgrade to debhelper level 8.
+ * debian/control:
+ - Upgrade Standards-Version to 3.9.1.
+ - Update Build-Depends versions for the latest release.
+ * debian/gnupg2.install: Add the applygnupgdefaults command. (Closes:
+ #567537)
+ * debian/gnupg2.docs: doc/faq.html no longer exists.
+
+ -- Eric Dorland Sun, 13 Feb 2011 16:06:41 -0500
+
+gnupg2 (2.0.14-2) unstable; urgency=low
+
+ * debian/*.lintian, debian/*.lintian-overrides, debian/rules: Rename
+ lintian files and use dh_lintian instead of shell snippets.
+ * debian/source/patch-header, debian/source/options: Delete patch header
+ and remove single-debian-patch option.
+ * debian/patches/01-gnupg2-rename.diff: Move patch to do the necessary
+ renaming of gnupg -> gnupg2 in a quilt patch.
+ * debian/patches/02-encode-s2k.diff: Added patch to fix passphrase
+ problem in gpgsm. Thanks Martijn van Brummelen for the NMU to fix this
+ problem in 2.0.14-1.1.
+ * debian/patches/03-gpgsm-realloc.diff: Fix for "Realloc Bug with X.509
+ certificates" for gpgsm. (Closes: #590122)
+ * debian/rules, debian/control: Use dh-autoreconf and autopoint to
+ regenerate autotools files at build time.
+
+ -- Eric Dorland Sun, 25 Jul 2010 02:16:42 -0400
+
+gnupg2 (2.0.14-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/control: Build depend on libreadline-dev instead of
+ libreadline5-dev, since libreadline6-dev is out. (Closes: #548922)
+ * debian/source/format, debian/source/options,
+ debian/source/patch-header: Convert to v3 quilt format, with
+ single-debian-patch.
+ * debian/control: Tighten dependency on gnupg-agent. (Closes: #551792)
+
+ -- Eric Dorland Sat, 09 Jan 2010 21:15:18 -0500
+
+gnupg2 (2.0.13-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/control: Depend instead of Recommend gnupg-agent. (Closes:
+ #538947)
+
+ -- Eric Dorland Mon, 07 Sep 2009 20:38:23 -0400
+
+gnupg2 (2.0.12-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #499569, #463270, #446494, #314068,
+ #519375, #514587)
+ * debian/control: Change build dependency on gs to ghoscript, since
+ ghoscript has been replaced.
+ * debian/compat: Use debhelper v7.
+ * debian/control: Update Standards-Version to 3.8.2.
+ * debian/control: Use ${misc:Depends}.
+ * configure.ac: Override pkgdatadir so that it points to
+ /usr/share/gnupg2. (Closes: #528734)
+ * debian/rules: No longer need to specify pkgdatadir at make install
+ time.
+
+ -- Eric Dorland Sun, 23 Aug 2009 20:48:11 -0400
+
+gnupg2 (2.0.11-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #496663)
+ * debian/control: Make the description a little more distinctive than
+ gnupg v1's. Thanks Jari Aalto. (Closes: #496323)
+
+ -- Eric Dorland Sun, 08 Mar 2009 22:46:47 -0400
+
+gnupg2 (2.0.9-3) unstable; urgency=medium
+
+ * Urgency medium to try to beat the release.
+ * tools/gpgkey2ssh.c: Patch from Daniel Kahn Gillmor to fix broken ssh
+ key generation. (Closes: #473841)
+
+ -- Eric Dorland Mon, 21 Jul 2008 03:48:11 -0400
+
+gnupg2 (2.0.9-2) unstable; urgency=low
+
+ * The "I've neglected you too long" release.
+
+ * debian/control:
+ - Add recommends on gnupg-agent for gpgsm and gnupg2, since they need
+ it under most circumstances.
(Closes: #459462, #477691)
+ - Depend on pinentry instead of recommend, and move pinentry-gtk2 to the
+ front of the alternatives list. (Closes: #462951)
+ * keyserver/gpgkeys_curl.c, keyserver/gpgkeys_hkp.c: Fix FTBFS with gcc
+ 4.3 strictness on bitfields combined with curl. (Closes: #476999)
+
+ -- Eric Dorland Mon, 28 Apr 2008 03:22:20 -0400
+
+gnupg2 (2.0.9-1) unstable; urgency=low
+
+ * New upstream release. Fixes CVE-2008-1530, Key import memory corruption.
+ (Closes: #472928)
+ * debian/rules: Don't ignore status of make distclean, just check for
+ the existance of the Makefile.
+
+ -- Eric Dorland Sat, 29 Mar 2008 03:21:21 -0400
+
+gnupg2 (2.0.8-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #428635)
+ * debian/watch: Use passive ftp, ftp.gnupg.org doesn't seem happy
+ otherwise. (Closes: #456467)
+ * debian/control:
+ - Requires libassuan >= 1.0.4 now.
+ - Remove the XS- prefix from the Vcs-* headers.
+ - Add Homepage header.
+ - Upgrade Standards-Version to 3.7.3.0.
+ - Make gnupg2 optional rather than extra.
+ - Remove unnecessary conflict on suidmanager.
+
+ -- Eric Dorland Sat, 22 Dec 2007 02:06:42 -0500
+
+gnupg2 (2.0.7-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/rules:
+ - Remove unnecessary deletion of the .gmo files. (Closes: #442583)
+ - Clean out some old comments
+ * gnupg-agent.xsession: Remove the quotes around --write-env-file
+ argument. Not ideal, but fine for now. Thanks Luis Rodrigo Gallardo
+ Cruz. (Closes: #443580)
+
+ -- Eric Dorland Sun, 30 Sep 2007 02:50:40 -0400
+
+gnupg2 (2.0.6-1) unstable; urgency=low
+
+ * New upstream release. (Closes: #437289)
+ * debian/gnupg-agent.xsession: Run the Xsession under the gpg-agent, so
+ it exits properly when the session dies. (Closes: #401843)
+ * debian/control: Add XS-Vcs headers for its new git home.
+
+ -- Eric Dorland Mon, 03 Sep 2007 23:29:11 -0400
+
+gnupg2 (2.0.5-2) unstable; urgency=low
+
+ * The "Ubuntu, I would have done it had you only asked" release.
+
+ * debian/copyright: Fix download location. Thanks Ubuntu.
+ * debian/README.Debian: Remove, doesn't contain any relevant info.
+ * debian/rules:
+ - Build with --sysconfdir=/etc, thanks Bernhard Herzog. (Closes: #434790)
+ - Run dh_installexamples.
+ - Don't list the docs to install in here.
+ * debian/gnupg2.examples: New file, install gpgconf.conf as an example
+ into /usr/share/doc. Hope this is a good compromise Bernhard. (Closes:
+ #434878)
+ * debian/control:
+ - Remove opensc and pcsc-lite build dependencies, they're not used anymore.
+ - Add libcurl4-gnutls-dev build dep, to use the real curl.
+ * g10/call-agent.c: set DBG_ASSUAN to 0 to suppress a debug
+ message. Thanks Ubuntu.
+ * debian/gnupg2.docs, debian/gpgsm.docs: Move installed docs in here,
+ add some new docs. Thanks Ubuntu.
+ * debian/rules, debian/gnupg-agent.install: Build symcryptrun and install it
+ in the gnupg-agent package. Thanks Bernhard Herzog. (Closes: #434787)
+ * debian/rules, debian/control: Only recommend libldap, don't depend on
+ it.Thanks Riku. (Closes: #435138)
+
+ -- Eric Dorland Thu, 16 Aug 2007 22:24:16 -0400
+
+gnupg2 (2.0.5-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/watch: Add watch file.
+ * debian/control:
+ - Require libassuan 1.0.2 or greater.
+ - Require libksba 1.0.2 or greater.
+ - Don't recommend plain gpg anymore.
+ * debian/copyright: Update copyright text for GPL v3 relicensing.
+ * docs/scdaemon.texi: Remove old --print-atr documentation. Thanks
+ Ludovic Rousseau. (Closes: #404128)
+
+ -- Eric Dorland Sun, 22 Jul 2007 16:03:32 -0400
+
+gnupg2 (2.0.4-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Eric Dorland Fri, 11 May 2007 00:41:01 -0400
+
+gnupg2 (2.0.3-1) unstable; urgency=high
+
+ * New upstream release.
+ - Fixes multoiple messages problem aka CVE-2007-1263.
+
+ -- Eric Dorland Fri, 9 Mar 2007 03:28:53 -0500
+
+gnupg2 (2.0.2-1) unstable; urgency=high
+
+ * New upstream release. (Closes: #409559)
+ * Thanks Andreas Barth for NMUs. (Closes: #400777, #401895, #401913)
+ * debian/gpgsm.install: pcsc-wrapper renamed to gnupg-pcsc-wrapper.
+
+ -- Eric Dorland Mon, 19 Feb 2007 20:34:52 -0500
+
+gnupg2 (2.0.0-5) unstable; urgency=high
+
+ * debian/control: Remove unnecessary dependencies on makedev and
+ udev. Thanks Marco d'Itri.
+ * doc/gnupg.texi, debian/gnupg2.info, debian/rules: Set the output file
+ to gnupg2.info, and use that for the index. (Closes: #398493)
+
+ -- Eric Dorland Fri, 24 Nov 2006 02:23:35 -0500
+
+gnupg2 (2.0.0-4) unstable; urgency=medium
+
+ * debian/control: Update forgotten replaces for pcsc-wrapper move.
+
+ -- Eric Dorland Mon, 20 Nov 2006 23:02:25 -0500
+
+gnupg2 (2.0.0-3) unstable; urgency=medium
+
+ * debian/control: Remove warning about development, thanks Gonzalo
+ HIGUERA DIAZ. (Closes: #399551)
+
+ -- Eric Dorland Mon, 20 Nov 2006 14:32:33 -0500
+
+gnupg2 (2.0.0-2) unstable; urgency=medium
+
+ * All packaging fixes, so urgency medium to beat the freeze.
+ * debian/distfiles, debian/lintian.override, debian/point-to-info.1:
+ Remove unused files.
+ * debian/gnupg2.info, debian/rules, gnupg2.files: Install all the info
+ files properly. (Closes: #398493)
+ * debian/rules:
+ - Remove some unnecessary autotools build rules.
+ - Move some of make install targets more correctly to the
+ configure line.
+ * debian/*.files, debian/rules: Rename *.files to .install and use
+ dh_install nstead of dh_movefiles.
+ * debian/gnupg-agent.xsession: Account for spaces in the configuration
+ file, thanks Artem Zolochevskiy. (Closes: #352326)
+ * debian/control:
+ - Adjust build-dependency versions slightly to match what the
+ configure scipt requires.
+ - Update Standards-Version to 3.7.2.2.
+ * debian/gpgsm.install, debian/gnupg2.install: Install the pcsc-wrapper
+ in gpgsm. (Closes: #353232)
+ * debian/gpgsm.install, debian/rules: Install gpg-protect-tool into
+ /usr/libb/gnupg2.
+
+ -- Eric Dorland Sun, 19 Nov 2006 18:03:39 -0500
+
+gnupg2 (2.0.0-1) unstable; urgency=medium
+
+ * New upstream release. (Closes: #398215)
+ * common/estream.c: #define PTH_SYSCALL_SOFT 0 as suggested by Daniel Hess.
+
+ -- Eric Dorland Sun, 12 Nov 2006 23:52:59 -0500
+
+gnupg2 (1.9.94-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Eric Dorland Thu, 2 Nov 2006 16:06:30 -0500
+
+gnupg2 (1.9.93-1) unstable; urgency=medium
+
+ * New upstream release. Urgency medium to try to beat the freeze. Thanks
+ to Andreas Metzler for getting this package into shape.
+
+ -- Eric Dorland Wed, 25 Oct 2006 00:41:15 -0400
+
+gnupg2 (1.9.91-0.1) unstable; urgency=low
+
+ * New upstream version, built against clean upstream tarball.
+ (Closes: #378489,#388257)
+ * bump Build-Depends:
+ - libgpg-error-dev 0.6 -> 1.4
+ - libassuan-dev 0.6.10 -> 0.9.1
+ - libksba-dev 0.9.13 -> 1.0.0 (closes: #368552)
+ * Add libreadline5-dev to Build-Depends.
+ * Pass proper --build and --host args to ./configure.
+ * configure with --mandir='$${prefix}/share/man'.
+ * Add $(LIBINTL) to gpgsplit_LDADD in tools/Makefile.am.
+ * New upstream includes a lot more manpages, ship them.
+ (Closes: #300129,#300677)
+ gpg-agent(1) documents ~/gpg-agent.conf. (Closes: #300676)
+ * Update debian/copyright.
+ * Drop gnupg2.postinst gnupg2.postrm postinst postrm. They all only consited
+ of calls to suidregister for /usr/bin/gpg" or "chmod 4755 /usr/bin/gpg".
+ suidregister has been obsolete for a long time and /usr/bin/gpg is not
+ part of these packages. - If /usr/bin/gpg(v)2 was supposed to be installed
+ suid it should be shipped with these permissions in the deb instead
+ using chmod in postinst anyway.
+ * Drop preinst (ending up as gnupg-agent's preinst), which only showed
+ a warning on upgrades from <<0.3.2-1. - There never was a gnupg-agent
+ 0.3.2-1.
+ * Add (noop) binary-indep target as required by policy 4.9.
+
+ -- Andreas Metzler Sun, 8 Oct 2006 07:51:44 +0000
+
+gnupg2 (1.9.20-2) unstable; urgency=high
+
+ * debian/control: Make myself the maintainer with Matthias' permission.
+ * Acknowledge NMU. (Closes: #375053, #376755)
+ * g10/parse-packet.c: Patch from Martin Schulze to backport security fix
+ for CVE-2006-3746, crash when receiving overly long comments.
+
+ -- Eric Dorland Fri, 4 Aug 2006 18:11:43 -0400
+
+gnupg2 (1.9.20-1.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Adapt patch from upstream CVS, fixing buffer overflow leading to remote
+ DoS/crash (CVE-2006-3082). (Closes: #375053)
+
+ -- Steinar H. Gunderson Tue, 4 Jul 2006 20:37:43 +0200
+
+gnupg2 (1.9.20-1) unstable; urgency=low
+
+ * New Upstream version. Closes:#306890,#344530
+ * Closes:#320490: gpg-protect-tool fails to decrypt PKCS-12 files
+ * Depend on libopensc2-dev, not -1-. Closes:#348106
+
+ -- Matthias Urlichs Tue, 24 Jan 2006 04:31:42 +0100
+
+gnupg2 (1.9.19-2) unstable; urgency=low
+
+ * Convert debian/changelog to UTF-8.
+ * Put gnupg-agent and gpgsm lintian overrides in the respectively
+ right package. Closes: #335066
+ * Added debhelper tokens to maintainer scripts.
+ * xsession fixes:
+ o Added host name to gpg-agent PID file name. Closes: #312717
+ o Fixed xsession script to be able to run under zsh. Closes: #308516
+ o Don't run gpg-agent if one is already running. Closes: #336480
+ * debian/control:
+ o Fixed package description of gpgsm package. Closes: #299842
+ o Added mention of gpg-agent to description of gnupg-agent package.
+ Closes: #304355
+ * Thanks to Peter Eisentraut for all of the above.
+
+ -- Matthias Urlichs Thu, 8 Dec 2005 22:13:21 +0100
+
+gnupg2 (1.9.19-1) unstable; urgency=low
+
+ * Merged with 1.9.19.
+ * Re-enable gpgv2 package.
+
+ -- Matthias Urlichs Sat, 22 Oct 2005 14:33:33 +0200
+
+gnupg2 (1.9.17-1) unstable; urgency=low
+
+ * Merged with Upstream 1.9.17.
+
+ -- Matthias Urlichs Mon, 4 Jul 2005 01:56:43 +0200
+
+gnupg2 (1.9.15-6) unstable; urgency=high
+
+ * Move gpg-protect-tool to the gpgsm package.
+ Closes: #303492.
+ High urgency because this renders gpgsm unuseable for some people.
+ * gpg-agent: Override max-cache-ttl if a higher default is set.
+ Closes: #302692.
+
+ -- Matthias Urlichs Thu, 7 Apr 2005 10:13:19 +0200
+
+gnupg2 (1.9.15-5) unstable; urgency=low
+
+ * Add /etc/X11/Xsession.d/90gpg-agent script. Closes: #300128.
+ * Emphasize that gnupg2 is NOT useful at the moment.
+ * Conflict+replace gpg-agent with newpg.
+
+ -- Matthias Urlichs Thu, 10 Mar 2005 22:46:10 +0100
+
+gnupg2 (1.9.15-4) unstable; urgency=low
+
+ * Incorporated Ubuntu changes from Andreas Mueller.
+
+ -- Matthias Urlichs Thu, 10 Mar 2005 21:41:59 +0100
+
+gnupg2 (1.9.15-3ubuntu3) hoary; urgency=low
+
+ * removed info file
+
+ -- Andreas Mueller Tue, 8 Mar 2005 01:58:39 +0100
+
+gnupg2 (1.9.15-3ubuntu2) hoary; urgency=low
+
+ * changed rules file, part cp gnupg.info to mv
+ and added dh_installinfo.
+ * changed Standards Version to 3.6.1
+
+ -- Andreas Mueller Tue, 8 Mar 2005 00:53:31 +0100
+
+gnupg2 (1.9.15-3ubuntu1) hoary; urgency=low
+
+ * added missing build depends texinfo
+
+ -- Andreas Mueller Mon, 7 Mar 2005 22:47:56 +0100
+
+gnupg2 (1.9.15-2) hoary; urgency=low
+
+ * Initial checkin
+
+ -- Andreas Mueller Mon, 7 Mar 2005 21:13:32 +0100
+
+gnupg2 (1.9.15-1) experimental; urgency=low
+
+ * New Upstream release.
+ * Removed -doc package:
+ - The package itself is too smal to merit being packaged separately.
+ - Interim solution: Documentation is included in the gnupg2 package.
+ - Goal: ask Upstream to split the .info file.
+ * Removed suidness.
+ * Update debian/copyright.
+ * Require libassuan >= 0.6.9.
+
+ -- Matthias Urlichs Tue, 25 Jan 2005 08:19:15 +0100
+
+gnupg2 (1.9.11+cvs20040924-5) experimental; urgency=low
+
+ * Rebuild to depend on opensc1.
+ * Split -doc into its own package.
+
+ -- Matthias Urlichs Thu, 16 Dec 2004 10:30:44 +0100
+
+gnupg2 (1.9.11+cvs20040924-4) experimental; urgency=low
+
+ * Turn on setuid-ness.
+ - Added Lintian overrides.
+ * Install all "standard" message files.
+ - Makefile.in: The package name for gettext is in the macro PACKAGE_GT,
+ not PACKAGE.
+ * Fix shebang line of addgnupghome script.
+ * Install info file in the correct place.
+ * Build cleanups.
+
+ -- Matthias Urlichs Tue, 5 Oct 2004 10:59:56 +0200
+
+gnupg2 (1.9.11+cvs20040924-3) experimental; urgency=low
+
+ * rename gnupg-agent's changelog file
+ * Fix gnupg-agent's dependencies
+
+ -- Matthias Urlichs Sun, 3 Oct 2004 20:14:30 +0200
+
+gnupg2 (1.9.11+cvs20040924-2) experimental; urgency=low
+
+ * Shipped a /usr/share/locale.alias file. Ouch.
+ * Split off gpgsm.
+
+ -- Matthias Urlichs Wed, 29 Sep 2004 10:25:51 +0200
+
+gnupg2 (1.9.11+cvs20040924-1) experimental; urgency=low
+
+ * New Upstream.
+
+ -- Matthias Urlichs Sat, 25 Sep 2004 11:05:44 +0200
+
+gnupg2 (1.9.10+cvs-1) experimental; urgency=low
+
+ * Packaged latest Upstream version.
+ * Split gpg-agent into its own .deb.
+ * Bit the bullet and started using debhelper.
+
+ -- Matthias Urlichs Thu, 19 Aug 2004 11:43:34 +0200
+
+gnupg2 (1.9.9-1) experimental; urgency=low
+
+ * Packaged latest Upstream version.
+
+ -- Matthias Urlichs Mon, 14 Jun 2004 17:18:18 +0200
+
+gnupg2 (1.9.5-1) experimental; urgency=low
+
+ * Packaged Upstream development version.
+ Closes:#187548
+
+ -- Matthias Urlichs Mon, 8 Mar 2004 05:30:35 +0100
+
+gnupg (1.2.4-4) unstable; urgency=low
+
+ * 12_zero_length_header.dpatch: update patch from David Shaw
+ to fix the fix of crashing on certain
+ keys.
Closes: #234289
+
+ -- James Troup Mon, 23 Feb 2004 18:02:20 +0000
+
+gnupg (1.2.4-3) unstable; urgency=low
+
+ * Move to dpatch; existing non-debian/ change split into
+ 10_hppa_unaligned_constant.dpatch.
+
+ * debian/rules: include /usr/share/dpatch/dpatch.make.
+ * debian/rules (build): depend on patch-stamp.
+ * debian/rules (clean): depend on unpatch. Remove debian/patched.
+ * debian/control (Build-Depends): add dpatch.
+
+ * debian/rules: update version number and use install_foo convenience
+ variables.
+ * debian/rules (clean): remove emacs backup files from any directory.
+
+ * 11_fi_po_update.dpatch: new patch from Tommi Vainikainen
+ to update Finnish translation as the current one
+ renders gnupg unusable. Closes: #232030, #222951, #192582
+ * debian/rules (clean): remove po/fi.gmo to avoid dpkg-source errors
+ over unrepresentable changes to source.
+
+ * 12_zero_length_header.dpatch: new patch from David Shaw
+ to fix cases where importing certain keys
+ makes the keyring unuseable. Closes: #232714
+
+ * 13_revoked_keys.dpatch: new patch from David Shaw
+ to list revoked keys as revoked. Closes: #231814
+
+ * 14_getkey_not_found_fix.dpatch: new patch from David Shaw
+ to fix --list-sigs incorrectly claiming "User
+ id not found". Closes: #229549
+
+ -- James Troup Fri, 20 Feb 2004 16:38:12 +0000
+
+gnupg (1.2.4-2) unstable; urgency=low
+
+ * mpi/hppa1.1/udiv-qrnnd.S: patch from LaMont Jones
+ to fix unaligned constant. Closes: #228456
+ * debian/copyright: update year and version number.
+
+ -- James Troup Tue, 20 Jan 2004 17:19:58 +0000
+
+gnupg (1.2.4-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Most support for ElGamal Sign+Encrypt keys has been removed. Closes: #222293
+ * No longer miss-identifies GNU/KFreeBSD as GNU/Hurd. Closes: #216957
+ * Fixes build error on GNU/KFreeBSD (and Glibc-based GNU/KNetBSD). Closes: #221079
+ * Fixes segmentation fault in prime generator.
Closes: #213989
+ * Fixes trustdb not updating without ultimately trusted keys. Closes: #222368
+
+ * debian/control (Build-Depends): add libbz2-dev.
+
+ -- James Troup Wed, 31 Dec 2003 17:57:52 +0000
+
+gnupg (1.2.3-1) unstable; urgency=low
+
+ * New upstream release (Closes: #207340).
+ * gpg no longer kills keyrings by importing broken keys. Closes: #196505
+ * options.skel uses subkeys.pgp.net instead of pgp.mit.edu. Closes: #206092
+ * --import now closes files when it's done. Closes: #196643
+ * A key listing speed regression has been fixed. Closes: #192083
+ * debian/copyright: update URL and date.
+ * debian/rules: update dates and version.
+
+ * debian/control (Standards-Version): bump to 3.6.0.
+
+ * debian/Upgrading_From_PGP.txt: new file from to Richard Braakman
+ . Closes: #173233
+ * debian/rules (binary-arch): install it.
+
+ * debian/rules (build): correct libexecdir passed to configure; patch
+ from Matthias Cramer . Fixes invocation of
+ gpgkeys_ldap. Closes: #168486
+
+ -- James Troup Thu, 28 Aug 2003 14:08:50 +0100
+
+gnupg (1.2.2-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/control (Standards-Version): bump to 3.5.9.0.
+ * debian/rules (binary-arch): install convert-from-106 as
+ gpg-convert-from-106 and fix the path to gpg.
+ * debian/control: remove trailing full stop from short description.
+ * debian/control: remove out-dated and contradictory information about
+ RSA.
+
+ -- James Troup Mon, 5 May 2003 03:08:58 +0100
+
+gnupg (1.2.1-2) unstable; urgency=low
+
+ * Update config.guess (to 2002-10-21) and config.sub (to 2002-09-05).
+ Thanks to Ryan Murray. Closes: #166696
+
+ -- James Troup Mon, 28 Oct 2002 01:47:26 +0000
+
+gnupg (1.2.1-1) unstable; urgency=low
+
+ * New upstream version.
+ * An inifinte loop in --update-trustdb has been fixed. Closes: #162039
+ * The polish translation is now correctly specified as UTF-8. Closes: #162885
+ * --refresh-keys is now documented in the manpage.
Closes: #165566 + * debian/control (Conflicts): add gpg-idea <= 2.2 since gnupg >= 1.2 is + incompatible with that version of gpg-idea. Closes: #162314 + + -- James Troup Fri, 25 Oct 2002 18:18:43 +0100 + +gnupg (1.2.0-1) unstable; urgency=low + + * New upstream version. Closes: #161817. + * --options no longer mis-handles a directory as an argument. Closes: #151973 + * gpg now prompts before sending all keys to the keyserver. Closes: #64607 + * There is now a gnupg(7) manpage. Closes: #157750 + * The permission checking has been sanitized and handles non-home-dir + keyrings better. Closes: #147760 + * notation data longer than 5 characters is now handled. Closes: #156871 + * an abort when setting trust levels in a czech locale has been fixed. + Closes: #149212 + * debian/rules (binary-arch): there are no more modules, adjust + accordingly. + * debian/postinst, debian/prerm: remove; no longer do /usr/doc symlinks. + * debian/rules (binary-arch): don't install obsolete postinst or prerm. + * debian/rules (binary-arch): gzip gnupg.7 too. + * debian/rules (build): pass --libexecdir=/usr/lib/gnupg to configure. + * debian/rules (binary-arch): likewise, pass suitable libexcedir + argument to make install. + * debian/control (Standards-Version): update to 3.5.7.0. + * debian/copyright: update URL and date. + * debian/rules: update dates and version. + + -- James Troup Sun, 22 Sep 2002 22:26:25 +0100 + +gnupg (1.0.7-2) unstable; urgency=low + + * debian/control (Suggests): add xloadimage since that's what gpg uses + by default to view photo IDs. Thanks to Julien Danjou + for the suggestion. Closes: #156245 + * debian/control (Depends): add "hurd" to the alternatives to + makedev. Thanks to Michal Suchanek for + noticing. Closes: #158492 + * po/it.po: patch to fix typos from Marco Bodrato + Thu, 29 Aug 2002 01:42:58 +0100 + +gnupg (1.0.7-1) unstable; urgency=low + + * New upstream version. Closes: #145477. + * GDBM support has been removed. Closes: #33009. 
+ * Now adds the default keyring when a keyring is specified.
+ Closes: #50616, #65260.
+ * Now does the Right Thing when receiving a key from the keyserver and
+ the key in question is in both a read-only and writable keyring.
+ Closes: #63297.
+ * Automatic key retrieval is now configurable. Closes: #64940.
+ * --no-options supresses ~/.gnupg creation again. Closes: #95486.
+ * duplicate trust entries are no longer treated as an error. Closes: #96480.
+ * There's now no comment line in ascii armours. Closes: #100088.
+ * Handle secret keyring given as keyring better. Closes: #100581, #106670.
+ * It's now documented that --with-colons unconditionally uses UTF8.
+ Closes: #101446, 101454.
+ * s/now/knows/ typo in manpage fixed. Closes: #107471.
+ * There's now support for a primary UID. Closes: #106567, #108155.
+ * Handles errors in uncompression layer beter. Closes: #112392.
+ * Key selection has been entirely revamped. Closes: #136170.
+ * Handles empty encrypt-to. Closes: #138378
+
+ * debian/rules (binary-arch): remove empty /usr/info directory, thanks
+ to Joey Hess . Closes: #121864.
+ * debian/control: remove duplicated word from long description, thanks
+ to Nicolas Boulenguez . Closes: #144786.
+ * README: correct URL to GPH and other docs, thanks to Mark Brown
+ . Closes: #100277.
+ * debian/control (Standards-Version): updated to 3.5.6.1.
+ * debian/rules (binary-arch): only strip ELF binaries. es_ES -> es hack
+ no longer needed as fixed upstream.
+ * debian/control (Build-Depends): remove libgdbmg1-dev; no longer used.
+ * debian/README.Debian: remove note about gdbm support which was finally
+ removed. Update note on old versions of gnupg to reflect the
+ pre-historic nature of those versions.
+ * debian/control (Build-Depends): add libldap2-dev.
+ * debian/rules (binary-arch): call dpkg-shlibdeps for all ELF binaries.
+ * debian/control (Build-Depends): add file.
+ * debian/control (Priority): increase to standard to match overrides.
+
+ -- James Troup Sat, 11 May 2002 15:08:02 +0100
+
+gnupg (1.0.6-3) unstable; urgency=low
+
+ * moved into main.
+
+ -- James Troup Tue, 19 Mar 2002 16:17:09 +0000
+
+gnupg (1.0.6-2) unstable; urgency=high
+
+ * debian/rules (binary-arch): remove the erroneous
+ /usr/share/locale/locale.alias that 'make install' adds; closes:
+ #99293.
+
+ -- James Troup Wed, 30 May 2001 20:40:59 +0100
+
+gnupg (1.0.6-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup Tue, 29 May 2001 20:59:49 +0100
+
+gnupg (1.0.5-4) unstable; urgency=low
+
+ * Patch from Werner.
+
+ -- James Troup Sun, 27 May 2001 09:34:50 +0100
+
+gnupg (1.0.5-3) unstable; urgency=low
+
+ * Apply patch from Matthew Wilcox to fix assembly on
+ hppa.
+
+ -- James Troup Sun, 13 May 2001 02:36:45 +0100
+
+gnupg (1.0.5-2) unstable; urgency=medium
+
+ * util/http.c: patch from Werner that fixes --send-key, closes: #96277.
+ * debian/control (Depends): accept devfsd in place of makedev, closes:
+ #96307.
+
+ -- James Troup Mon, 7 May 2001 00:13:51 +0100
+
+gnupg (1.0.5-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/README.Debian: fix spelling and update URL.
+ * debian/rules (binary): remove the new info files.
+ * scripts/config.{guess,sub}: sync with subversions, closes: #95729.
+
+ -- James Troup Mon, 30 Apr 2001 02:12:38 +0100
+
+gnupg (1.0.4-4) unstable; urgency=low
+
+ * po/ru.po: patch by Ilya Martynov to replace German
+ entries and add missing translations, closes: #93987.
+ * g10/revoke.c (ask_revocation_reason): typo fix (s/non longer/no
+ longer/g); noticed by Colin Watson , closes:
+ #93664.
+
+ * Deprecated depreciated; noticed by Vincent Broman
+ .
+
+ * Following two patches are from Vincent Broman.
+ * g10/mainproc.c (proc_tree): use iobuf_get_real_fname() in preference
+ to iobuf_get_fname().
+ * g10/openfile.c (open_sigfile): handle .sign prefixed files correctly.
+
+ -- James Troup Fri, 20 Apr 2001 23:32:44 +0100
+
+gnupg (1.0.4-3) unstable; urgency=medium
+
+ * debian/rules (binary): make gpg binary suid, closes: #86433.
+ * debian/postinst: don't use suidregister.
+ * debian/postrm: removed (only called suidunregister).
+ * debian/control: conflict with suidmanager << 0.50.
+ * mpi/longlong.h: apply fix for ARM long long artimetic from Philip
+ Blundell , closes: #87487.
+ * debian/preinst: the old GnuPG debs have moved to people.debian.org.
+ * cipher/random.c: #include as well as
+ * g10/misc.c: likewise.
+ * debian/rules: define a strip alias which removes the .comment and
+ .note sections.
+ * debian/rules (binary-arch): use it.
+ * debian/lintian.override: new file; override the SUID warning from
+ lintian.
+ * debian/rules (binary-arch): install it.
+
+ -- James Troup Sun, 25 Feb 2001 05:24:58 +0000
+
+gnupg (1.0.4-2) stable unstable; urgency=high
+
+ * Apply security fix patch from Werner.
+ * Apply another patch from Werner to fix bogus warning on Rijndael
+ usage.
+ * Change section to 'non-US'.
+
+ -- James Troup Mon, 12 Feb 2001 07:47:02 +0000
+
+gnupg (1.0.4-1) stable unstable; urgency=high
+
+ * New upstream version.
+ * Fixes a serious bug which could lead to false signature verification
+ results when more than one signature is fed to gpg.
+
+ -- James Troup Tue, 17 Oct 2000 17:26:17 +0100
+
+gnupg (1.0.3b-1) unstable; urgency=low
+
+ * New upstream snapshot version.
+
+ -- James Troup Fri, 13 Oct 2000 18:08:14 +0100
+
+gnupg (1.0.3-2) unstable; urgency=low
+
+ * debian/control: Conflict, Replace and Provide gpg-rsa & gpg-rsaref.
+ Fix long description to reflect the fact that RSA is no longer
+ patented and now included. [#72177]
+ * debian/rules: move faq.html to /usr/share/doc/gnupg/ and remove FAQ
+ from /usr/share/gnupg/. Thanks to Robert Luberda
+ for noticing. [#72151]
+ * debian/control: Suggest new package gnupg-doc.
[#64323, #65560]
+ * utils/secmem.c (lock_pool): don't bomb out if mlock() returns ENOMEM,
+ as Linux will do this if resource limits (or other reasons) prevent
+ memory from being locked, instead treat it like permission was denied
+ and warn but continue. Thanks to Topi Miettinen
+ . [#70446]
+ * g10/hkp.c (not_implemented): s/ist/is/ in error message.
+ * debian/README.Debian: add a note about GDBM support and why it is
+ disabled. Upstream already fixed the manpage. [#65913]
+ * debian/rules (binary-arch): fix the Spanish translation to be 'es' not
+ 'es_ES' at Nicolás Lichtmaier 's request. [#57314]
+
+ -- James Troup Sun, 1 Oct 2000 14:55:03 +0100
+
+gnupg (1.0.3-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup Mon, 18 Sep 2000 15:56:54 +0100
+
+gnupg (1.0.2-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup Thu, 13 Jul 2000 20:26:50 +0100
+
+gnupg (1.0.1-2) unstable; urgency=low
+
+ * debian/control (Build-Depends): added.
+ * debian/copyright: corrected location of copyright file. Removed
+ references to Linux. Removed warnings about beta nature of GnuPG.
+ * debian/rules (binary-arch): install documentation into
+ /usr/share/doc/gnupg/ and pass mandir to make install to ensure the
+ manpages go to /usr/share/man/.
+ * debian/postinst: create /usr/doc/gnupg symlink.
+ * debian/prerm: new file; remove /usr/doc/gnupg symlink.
+ * debian/rules (binary-arch): install prerm.
+ * debian/control (Standards-Version): updated to 3.1.1.1.
+
+ -- James Troup Thu, 30 Dec 1999 16:16:49 +0000
+
+gnupg (1.0.1-1) unstable; urgency=low
+
+ * New upstream version.
+ * doc/gpg.1: updated to something usable from
+ ftp://ftp.gnupg.org/pub/gcrypt/gnupg/gpg.1.gz.
+
+ -- James Troup Sun, 19 Dec 1999 23:47:10 +0000
+
+gnupg (1.0.0-3) unstable; urgency=low
+
+ * debian/rules (build): remove the stunningly ill-advised --host option
+ to configure.
[#44698, #48212, #48281]
+
+ -- James Troup Tue, 26 Oct 1999 01:12:59 +0100
+
+gnupg (1.0.0-2) unstable; urgency=low
+
+ * debian/rules (binary-arch): fix the permissions on the
+ modules. [#47280]
+ * debian/postinst, debian/postrm: fix the package name passed to
+ suidregister. [#45013]
+ * debian/control: update long description. [#44636]
+ * debian/rules (build): pass the host explicitly to configure to avoid
+ problems on sparc64. [(Should fix) #44698].
+
+ -- James Troup Wed, 20 Oct 1999 23:39:05 +0100
+
+gnupg (1.0.0-1) unstable; urgency=low
+
+ * New upstream release. [#44545]
+
+ -- James Troup Wed, 8 Sep 1999 00:53:02 +0100
+
+gnupg (0.9.10-2) unstable; urgency=low
+
+ * debian/rules (binary-arch): install lspgpot. Requested by Kai
+ Henningsen . [#42288]
+ * debian/rules (binary-arch): correct the path where modules are looked
+ for. Reported by Karl M. Hegbloom . [#40881]
+ * debian/postinst, debian/postrm: under protest, register gpg the
+ package with suidmanager and make it suid by default.
+ [#29780,#32590,#40391]
+
+ -- James Troup Tue, 10 Aug 1999 00:12:40 +0100
+
+gnupg (0.9.10-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup Fri, 6 Aug 1999 01:16:21 +0100
+
+gnupg (0.9.9-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup Sun, 25 Jul 1999 01:06:31 +0100
+
+gnupg (0.9.8-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/rules (binary-arch): don't create a gpgm manpage as the binary
+ no longer exists. Noticed by Wichert Akkerman
+ . [#38864]
+
+ -- James Troup Sun, 27 Jun 1999 01:07:58 +0100
+
+gnupg (0.9.7-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup Tue, 25 May 1999 13:23:24 +0100
+
+gnupg (0.9.6-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/copyright: update version number, noticed by Lazarus Long
+ .
+ * debian/control (Depends): depend on makedev (>= 2.3.1-13) to ensure
+ that /dev/urandom exists; reported by Steffen Markert
+ .
[#32076]
+
+ -- James Troup Tue, 11 May 1999 21:06:27 +0100
+
+gnupg (0.9.5-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/control (Description): no tabs. [Lintian]
+
+ -- James Troup Wed, 24 Mar 1999 22:37:40 +0000
+
+gnupg (0.9.4-1) unstable; urgency=low
+
+ * New version.
+ * debian/control: s/GNUPG/GnuPG/
+
+ -- Werner Koch Mon, 8 Mar 1999 19:58:28 +0100
+
+gnupg (0.9.3-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup Mon, 22 Feb 1999 22:55:04 +0000
+
+gnupg (0.9.2-1) unstable; urgency=low
+
+ * New version.
+ * debian/rules (build): Removed CFLAGS as the default is now sufficient.
+ * debian/rules (clean): remove special handling cleanup in intl.
+
+ -- Werner Koch Wed, 20 Jan 1999 21:23:11 +0100
+
+gnupg (0.9.1-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup Sat, 9 Jan 1999 22:29:11 +0000
+
+gnupg (0.9.0-1) unstable; urgency=low
+
+ * New upstream version.
+ * g10/armor.c (armor_filter): add missing new line in comment string; as
+ noticed by Stainless Steel Rat .
+
+ -- James Troup Tue, 29 Dec 1998 20:22:43 +0000
+
+gnupg (0.4.5-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/rules (clean): force removal of intl/libintl.h which the
+ Makefiles fail to remove properly.
+
+ -- James Troup Tue, 8 Dec 1998 22:40:23 +0000
+
+gnupg (0.4.4-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup Sat, 21 Nov 1998 01:34:29 +0000
+
+gnupg (0.4.3-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/README.Debian: new file; contains same information as is in the
+ preinst. Suggested by Wichert Akkerman .
+ * debian/rules (binary-arch): install `README.Debian'
+ * debian/control (Standards-Version): updated to 2.5.0.0.
+
+ -- James Troup Sun, 8 Nov 1998 19:08:12 +0000
+
+gnupg (0.4.2-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/preinst: improve message about the NEWS file which isn't
+ actually installed when it's referred to, thanks to Martin Mitchell
+ .
+ * debian/rules (binary-arch): don't install the now non-existent `rfcs',
+ but do install `OpenPGP'.
+
+ -- James Troup Sun, 18 Oct 1998 22:48:34 +0100
+
+gnupg (0.4.1-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/rules (binary-arch): fix the gpgm manpage symlink now installed
+ by `make install'.
+
+ -- James Troup Sun, 11 Oct 1998 17:01:21 +0100
+
+gnupg (0.4.0-1) unstable; urgency=high
+
+ * New upstream version. [#26717]
+ * debian/copyright: tone down warning about alpha nature of gnupg.
+ * debian/copyright: new maintainer address.
+ * debian/control: update extended description.
+ * debian/rules (binary-arch): install FAQ and all ChangeLogs.
+ * debian/preinst: new; check for upgrade from (<= 0.3.2-1) and warn about
+ incompatibilities in keyring format and offer to move old copy out of
+ gpg out of the way for transition strategy and inform the user about
+ the old copies of gnupg available on my web page.
+ * debian/rules (binary-arch) install preinst.
+ * debian/rules (binary-arch): don't depend on the test target as it is
+ now partially interactive (tries to generate a key, which requires
+ someone else to be using the computer).
+
+ -- James Troup Thu, 8 Oct 1998 00:47:07 +0100
+
+gnupg (0.3.2-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/control (Maintainer): new address.
+ * debian/copyright: updated list of changes.
+
+ -- James Troup Thu, 9 Jul 1998 21:06:07 +0200
+
+gnupg (0.3.1-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup Tue, 7 Jul 1998 00:26:21 +0200
+
+gnupg (0.3.0-2) unstable; urgency=low
+
+ * Applied bug-fix patch from Werner.
+
+ -- James Troup Fri, 26 Jun 1998 12:18:29 +0200
+
+gnupg (0.3.0-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/control: rewrote short and long description.
+ * cipher/Makefile.am: link tiger with -lc.
+ * debian/rules (binary-arch): strip loadable modules.
+ * util/secmem.c (lock_pool): get rid of errant test code; fix from
+ Werner Koch .
+ * debian/rules (test): new target which runs gnupg's test suite.
+ binary-arch depends on it, to ensure it's run whenever the package is
+ built.
+
+ -- James Troup Thu, 25 Jun 1998 16:04:57 +0200
+
+gnupg (0.2.19-1) unstable; urgency=low
+
+ * New upstream version.
+ * debian/control: Updated long description.
+
+ -- James Troup Sat, 30 May 1998 12:12:35 +0200
+
+gnupg (0.2.18-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup Sat, 16 May 1998 11:52:47 +0200
+
+gnupg (0.2.17-1) unstable; urgency=high
+
+ * New upstream version.
+ * debian/control (Standards-Version): updated to 2.4.1.0.
+ * debian/control: tone down warning about alpha nature of gnupg, as per
+ README.
+ * debian/copyright: ditto.
+
+ -- James Troup Mon, 4 May 1998 22:36:51 +0200
+
+gnupg (0.2.15-1) unstable; urgency=high
+
+ * New upstream version.
+
+ -- James Troup Fri, 10 Apr 1998 01:12:20 +0100
+
+gnupg (0.2.13-1) unstable; urgency=high
+
+ * New upstream version.
+
+ -- James Troup Wed, 11 Mar 1998 01:52:51 +0000
+
+gnupg (0.2.12-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup Sat, 7 Mar 1998 13:52:40 +0000
+
+gnupg (0.2.11-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- James Troup Wed, 4 Mar 1998 01:32:12 +0000
+
+gnupg (0.2.10-1) unstable; urgency=low
+
+ * New upstream version.
+ * Name changed upstream.
+
+ -- James Troup Mon, 2 Mar 1998 07:32:05 +0000
+
+g10 (0.2.7-1) unstable; urgency=low
+
+ * Initial release.
+
+ -- James Troup Fri, 20 Feb 1998 02:05:34 +0000
diff --git a/clean b/clean
new file mode 100644
index 0000000..4b27f09
--- /dev/null
+++ b/clean
@@ -0,0 +1,9 @@
+po/*.gmo
+po/stamp-po
+build-gpgv-static/
+build-gpgv-udeb/
+build-gpgv-win32/
+build-maintainer/
+doc/gnupg.info
+doc/gnupg.info-1
+doc/gnupg.info-2
diff --git a/compat b/compat
new file mode 100644
index 0000000..b4de394
--- /dev/null
+++ b/compat
@@ -0,0 +1 @@
+11
diff --git a/control b/control
new file mode 100644
index 0000000..983adc1
--- /dev/null
+++ b/control
@@ -0,0 +1,502 @@
+Source: gnupg2
+Section: utils
+Priority: optional
+Maintainer: Debian GnuPG Maintainers
+Uploaders:
+ Eric Dorland ,
+ Daniel Kahn Gillmor ,
+Standards-Version: 4.1.5
+Build-Depends:
+ automake,
+ autopoint,
+ debhelper (>= 11~),
+ file,
+ gettext,
+ ghostscript,
+ imagemagick,
+ libassuan-dev (>= 2.5.0),
+ libbz2-dev,
+ libcurl4-gnutls-dev,
+ libgcrypt20-dev (>= 1.7.0),
+ libgnutls28-dev (>= 3.0),
+ libgpg-error-dev (>= 1.26-2~),
+ libksba-dev (>= 1.3.4),
+ libldap2-dev,
+ libnpth0-dev (>= 1.2),
+ libreadline-dev,
+ librsvg2-bin,
+ libsqlite3-dev,
+ libusb-1.0-0-dev [!hurd-any],
+ openssh-client ,
+ pkg-config,
+ texinfo,
+ transfig,
+ zlib1g-dev | libz-dev,
+Build-Depends-Indep:
+ binutils-multiarch [!amd64 !i386],
+ libassuan-mingw-w64-dev (>= 2.5.0),
+ libgcrypt-mingw-w64-dev (>= 1.7.0),
+ libgpg-error-mingw-w64-dev (>= 1.26-2~),
+ libksba-mingw-w64-dev (>= 1.3.4),
+ libnpth-mingw-w64-dev (>= 1.2),
+ libz-mingw-w64-dev,
+ mingw-w64,
+Vcs-Git: https://salsa.debian.org/debian/gnupg2.git
+Vcs-Browser: https://salsa.debian.org/debian/gnupg2
+Homepage: https://www.gnupg.org/
+Rules-Requires-Root: no
+
+Package: gpgconf
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Replaces:
+ gnupg (<< 2.1.21-4),
+ gnupg-agent (<< 2.1.21-4),
+Breaks:
+ gnupg (<< 2.1.21-4),
+ gnupg-agent (<< 2.1.21-4),
+Description: GNU privacy guard - core configuration utilities
+ GnuPG is GNU's tool for secure communication and data storage.
+ .
+ This package contains core utilities used by different tools in the
+ suite offered by GnuPG. It can be used to programmatically edit
+ config files for tools in the GnuPG suite, to launch or terminate
+ per-user daemons (if installed), etc.
+
+Package: gnupg-agent
+Architecture: all
+Section: oldlibs
+Multi-Arch: foreign
+Depends:
+ gpg-agent (>= ${source:Version}),
+ ${misc:Depends},
+Description: GNU privacy guard - cryptographic agent (dummy transitional package)
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This is a dummy transitional package; please use gpg-agent instead.
+
+Package: gpg-agent
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ gpgconf (= ${binary:Version}),
+ pinentry-curses | pinentry,
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gnupg (= ${binary:Version}),
+ ${shlibs:Recommends},
+Suggests:
+ dbus-user-session,
+ libpam-systemd,
+ pinentry-gnome3,
+ scdaemon,
+Replaces:
+ gnupg-agent (<< 2.1.21-4),
+Breaks:
+ gnupg-agent (<< 2.1.21-4),
+Provides:
+ gnupg-agent,
+Description: GNU privacy guard - cryptographic agent
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package contains the agent program gpg-agent which handles all
+ secret key material for OpenPGP and S/MIME use. The agent also
+ provides a passphrase cache, which is used by pre-2.1 versions of
+ GnuPG for OpenPGP operations. Without this package, trying to do
+ secret-key operations with any part of the modern GnuPG suite will
+ fail.
+
+Package: gpg-wks-server
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ gpg (= ${binary:Version}),
+ gpg-agent (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gnupg (= ${binary:Version}),
+ ${shlibs:Recommends},
+Description: GNU privacy guard - Web Key Service server
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package provides the GnuPG server for the Web Key Service
+ protocol.
+ .
+ A Web Key Service is a service that allows users to upload keys per
+ mail to be verified over https as described in
+ https://tools.ietf.org/html/draft-koch-openpgp-webkey-service
+ .
+ For more information see: https://wiki.gnupg.org/WKS
+
+Package: gpg-wks-client
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ dirmngr (= ${binary:Version}),
+ gpg (= ${binary:Version}),
+ gpg-agent (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gnupg (= ${binary:Version}),
+ ${shlibs:Recommends},
+Description: GNU privacy guard - Web Key Service client
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package provides the GnuPG client for the Web Key Service
+ protocol.
+ .
+ A Web Key Service is a service that allows users to upload keys per
+ mail to be verified over https as described in
+ https://tools.ietf.org/html/draft-koch-openpgp-webkey-service
+ .
+ For more information see: https://wiki.gnupg.org/WKS
+
+Package: scdaemon
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ gpg-agent (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Enhances:
+ gpg-agent,
+Description: GNU privacy guard - smart card support
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package contains the smart card program scdaemon, which is used
+ by gpg-agent to access OpenPGP smart cards.
+
+Package: gpgsm
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ gpgconf (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gnupg (= ${binary:Version}),
+ ${shlibs:Recommends},
+Breaks:
+ gnupg2 (<< 2.1.10-2),
+Replaces:
+ gnupg2 (<< 2.1.10-2),
+Description: GNU privacy guard - S/MIME version
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package contains the gpgsm program. gpgsm is a tool to provide
+ digital encryption and signing services on X.509 certificates and the
+ CMS protocol. gpgsm includes complete certificate management.
+
+Package: gpg
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ gpgconf (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gnupg (= ${binary:Version}),
+ ${shlibs:Recommends},
+Breaks:
+ gnupg (<< 2.1.21-4),
+Replaces:
+ gnupg (<< 2.1.21-4),
+Description: GNU Privacy Guard -- minimalist public key operations
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package contains /usr/bin/gpg itself, and is useful on its own
+ only for public key operations (encryption, signature verification,
+ listing OpenPGP certificates, etc). If you want full capabilities
+ (including secret key operations, network access, etc), please
+ install the "gnupg" package, which pulls in the full suite of tools.
+
+Package: gnupg
+Architecture: all
+Multi-Arch: foreign
+Depends:
+ dirmngr (>= ${source:Version}),
+ dirmngr (<< ${source:Version}.1~),
+ gnupg-l10n (= ${source:Version}),
+ gnupg-utils (>= ${source:Version}),
+ gnupg-utils (<< ${source:Version}.1~),
+ gpg (>= ${source:Version}),
+ gpg (<< ${source:Version}.1~),
+ gpg-agent (>= ${source:Version}),
+ gpg-agent (<< ${source:Version}.1~),
+ gpg-wks-client (>= ${source:Version}),
+ gpg-wks-client (<< ${source:Version}.1~),
+ gpg-wks-server (>= ${source:Version}),
+ gpg-wks-server (<< ${source:Version}.1~),
+ gpgsm (>= ${source:Version}),
+ gpgsm (<< ${source:Version}.1~),
+ gpgv (>= ${source:Version}),
+ gpgv (<< ${source:Version}.1~),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ ${shlibs:Recommends},
+Suggests:
+ parcimonie,
+ xloadimage,
+Breaks:
+ debsig-verify (<< 0.15),
+ dirmngr (<< ${binary:Version}),
+ gnupg2 (<< 2.1.11-7+exp1),
+ libgnupg-interface-perl (<< 0.52-3),
+ libgnupg-perl (<= 0.19-1),
+ libmail-gnupg-perl (<= 0.22-1),
+ monkeysphere (<< 0.38~),
+ php-crypt-gpg (<= 1.4.1-1),
+ python-apt (<= 1.1.0~beta4),
+ python-gnupg (<< 0.3.8-3),
+ python3-apt (<= 1.1.0~beta4),
+Replaces:
+ gnupg2 (<< 2.1.11-7+exp1),
+Description: GNU privacy guard - a free PGP replacement
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This package contains the full suite of GnuPG tools for cryptographic
+ communications and data storage.
+
+Package: gnupg2
+Architecture: all
+Section: oldlibs
+Multi-Arch: foreign
+Depends:
+ gnupg (>= ${source:Version}),
+ ${misc:Depends},
+Description: GNU privacy guard - a free PGP replacement (dummy transitional package)
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC4880.
+ .
+ This is a dummy transitional package that provides symlinks from gpg2
+ to gpg.
+
+Package: gpgv
+Architecture: any
+Priority: important
+Multi-Arch: foreign
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Breaks:
+ gnupg2 (<< 2.0.21-2),
+ gpgv2 (<< 2.1.11-7+exp1),
+ python-debian (<< 0.1.29),
+Replaces:
+ gnupg2 (<< 2.0.21-2),
+ gpgv2 (<< 2.1.11-7+exp1),
+Suggests:
+ gnupg,
+Description: GNU privacy guard - signature verification tool
+ GnuPG is GNU's tool for secure communication and data storage.
+ .
+ gpgv is actually a stripped-down version of gpg which is only able
+ to check signatures. It is somewhat smaller than the fully-blown gpg
+ and uses a different (and simpler) way to check that the public keys
+ used to make the signature are valid. There are no configuration
+ files and only a few options are implemented.
+
+Package: gpgv2
+Section: oldlibs
+Architecture: all
+Multi-Arch: foreign
+Depends:
+ gpgv (>= ${source:Version}),
+ ${misc:Depends},
+Description: GNU privacy guard - signature verification tool (dummy transitional package)
+ GnuPG is GNU's tool for secure communication and data storage. gpgv
+ is a stripped-down version of gpg which is only able to check
+ signatures.
+ .
+ This is a dummy transitional package that provides symlinks from gpgv2
+ to gpgv.
+
+Package: dirmngr
+Architecture: any
+Multi-Arch: foreign
+Depends:
+ adduser,
+ gpgconf (= ${binary:Version}),
+ lsb-base (>= 3.2-13),
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends:
+ gnupg (= ${binary:Version}),
+ ${shlibs:Recommends},
+Enhances:
+ gpg,
+ gpgsm,
+ squid,
+Breaks:
+ gnupg2 (<< 2.1.10-2),
+Replaces:
+ gnupg2 (<< 2.1.10-2),
+Suggests:
+ dbus-user-session,
+ libpam-systemd,
+ pinentry-gnome3,
+ tor,
+Description: GNU privacy guard - network certificate management service
+ dirmngr is a server for managing and downloading OpenPGP and X.509
+ certificates, as well as updates and status signals related to those
+ certificates. For OpenPGP, this means pulling from the public
+ HKP/HKPS keyservers, or from LDAP servers. For X.509 this includes
+ Certificate Revocation Lists (CRLs) and Online Certificate Status
+ Protocol updates (OCSP). It is capable of using tor for network
+ access.
+ .
+ dirmngr is used for network access by gpg, gpgsm, and dirmngr-client,
+ among other tools. Unless this package is installed, the parts of
+ the GnuPG suite that try to interact with the network will fail.
+
+Package: gpgv-udeb
+Package-Type: udeb
+Section: debian-installer
+Architecture: any
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Description: minimal signature verification tool
+ GnuPG is GNU's tool for secure communication and data storage.
+ It can be used to encrypt data and to create digital signatures.
+ It includes an advanced key management facility and is compliant
+ with the proposed OpenPGP Internet standard as described in RFC 4880.
+ .
+ This is GnuPG's signature verification tool, gpgv, packaged in minimal
+ form for use in debian-installer.
+ +Package: gpgv-static +Architecture: any +Multi-Arch: foreign +Depends: + ${misc:Depends}, + ${shlibs:Depends}, +Recommends: + debian-archive-keyring, + debootstrap, +Description: minimal signature verification tool (static build) + GnuPG is GNU's tool for secure communication and data storage. + It can be used to encrypt data and to create digital signatures. + It includes an advanced key management facility and is compliant + with the proposed OpenPGP Internet standard as described in RFC 4880. + . + This is GnuPG's signature verification tool, gpgv, built statically + so that it can be directly used on any platform that is running on + the Linux kernel. Android and ChromeOS are two well known examples, + but there are many other platforms that this will work for, like + embedded Linux OSes. This gpgv in combination with debootstrap and + the Debian archive keyring allows the secure creation of chroot + installs on these platforms by using the full Debian signature + verification that is present in all official Debian mirrors. + +Package: gpgv-win32 +Architecture: all +Multi-Arch: foreign +Depends: + ${misc:Depends}, +Suggests: + wine, +Description: GNU privacy guard - signature verification tool (win32 build) + GnuPG is GNU's tool for secure communication and data storage. + . + gpgv is a stripped-down version of gnupg which is only able to check + signatures. It is smaller than the full-blown gnupg and uses a + different (and simpler) way to check that the public keys used to + make the signature are trustworthy. + . + This is a win32 version of gpgv. It's meant to be used by the win32-loader + component of Debian-Installer. 
+ +Package: gnupg-l10n +Section: localization +Architecture: all +Multi-Arch: foreign +Depends: + ${misc:Depends}, +Enhances: + dirmngr, + gpg, + gpg-agent, +Breaks: + gnupg (<< 2.1.14-2~), + gnupg2 (<< 2.1.14-2~), +Replaces: + gnupg (<< 2.1.14-2~), + gnupg2 (<< 2.1.14-2~), +Description: GNU privacy guard - localization files + GnuPG is GNU's tool for secure communication and data storage. + It can be used to encrypt data and to create digital signatures. + It includes an advanced key management facility and is compliant + with the proposed OpenPGP Internet standard as described in RFC 4880. + . + This package contains the translation files for the use of GnuPG in + non-English locales. + +Package: gnupg-utils +Architecture: any +Multi-Arch: foreign +Replaces: + gnupg (<< 2.1.21-4), + gnupg-agent (<< 2.1.21-4), +Breaks: + gnupg (<< 2.1.21-4), + gnupg-agent (<< 2.1.21-4), +Depends: + ${misc:Depends}, + ${shlibs:Depends}, +Recommends: + gpg, + gpg-agent, + gpgconf, + gpgsm, +Description: GNU privacy guard - utility programs + GnuPG is GNU's tool for secure communication and data storage. + . + This package contains several useful utilities for manipulating + OpenPGP data and other related cryptographic elements. It includes: + . + * addgnupghome -- create .gnupg home directories + * applygnupgdefaults -- run gpgconf --apply-defaults for all users + * gpgcompose -- an experimental tool for constructing arbitrary + sequences of OpenPGP packets (e.g. for testing) + * gpgparsemail -- parse an e-mail message into annotated format + * gpgsplit -- split a sequence of OpenPGP packets into files + * gpg-zip -- encrypt or sign files in an archive + * kbxutil -- list, export, import Keybox data + * lspgpot -- convert PGP ownertrust values to GnuPG + * migrate-pubring-from-classic-gpg -- use only "modern" formats + * symcryptrun -- use simple symmetric encryption tool in GnuPG framework + * watchgnupg -- watch socket-based logs 
diff --git a/copyright b/copyright
new file mode 100644
index 0000000..521924e
--- /dev/null
+++ b/copyright
@@ -0,0 +1,253 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: GnuPG - The GNU Privacy Guard (modern version) +Upstream-Contact: GnuPG development mailing list +Source: https://gnupg.org/download/ + +Files: * +Copyright: 1992, 1995-2016, Free Software Foundation, Inc +License: GPL-3+ + +Files: agent/command.c + agent/command-ssh.c + agent/gpg-agent.c + common/homedir.c + common/sysutils.c + g10/mainproc.c +Copyright: 1998-2007, 2009, 2012, Free Software Foundation, Inc + 2013, Werner Koch +License: GPL-3+ + +Files: autogen.sh +Copyright: 2003, g10 Code GmbH +License: permissive + +Files: common/gc-opt-flags.h + common/i18n.h + tools/clean-sat.c + tools/no-libgcrypt.c +Copyright: 1998-2001, 2003, 2004, 2006, 2007 Free Software Foundation, Inc +License: permissive + +Files: common/localename.c +Copyright: 1985, 1989-1993, 1995-2003, 2007, 2008 Free Software Foundation, Inc. +License: LGPL-2.1+ + +Files: dirmngr/dns.c + dirmngr/dns.h +Copyright: 2008-2010, 2012-2016 William Ahern +License: Expat + +Files: doc/yat2m.c + scd/app-geldkarte.c +Copyright: 2004, 2005, g10 Code GmbH + 2006, 2008, 2009, 2011, Free Software Foundation, Inc +License: GPL-3+ + +Files: scd/ccid-driver.h + scd/ccid-driver.c +Copyright: 2003-2007, Free Software Foundation, Inc +License: GPL-3+ or BSD-3-clause + +Files: tools/rfc822parse.c + tools/rfc822parse.h +Copyright: 1999-2000, Werner Koch, Duesseldorf + 2003-2004, g10 Code GmbH +License: LGPL-3+ + +Files: tools/sockprox.c +Copyright: 2007, g10 Code GmbH +License: GPL-3+ + +Files: doc/OpenPGP +Copyright: 1998-2013 Free Software Foundation, Inc. 
+ 1997, 1998, 2013 Werner Koch + 1998 The Internet Society +License: RFC-Reference + +Files: tests/gpgscm/* +Copyright: 2000, Dimitrios Souflis + 2016, Justus Winter, Werner Koch +License: TinySCHEME + +Files: debian/* +Copyright: 1998-2018 Debian GnuPG packagers, including + Eric Dorland + Daniel Kahn Gillmor + NIIBE Yutaka +License: GPL-3+ + +Files: debian/org.gnupg.scdaemon.metainfo.xml +Copyright: 2017 Daniel Kahn Gillmor +Comment: This file is licensed permissively for the sake of AppStream +License: CC0-1.0 + +License: TinySCHEME + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + . + Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + . + Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + Neither the name of Dimitrios Souflis nor the names of the + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR + CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +License: permissive + This file is free software; as a special exception the author gives + unlimited permission to copy and/or distribute it, with or without + modifications, as long as this notice is preserved. + . + This file is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY, to the extent permitted by law; without even + the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + PURPOSE. + +License: RFC-Reference + doc/OpenPGP merely cites and references IETF Draft + draft-ietf-openpgp-formats-07.txt. This is believed to be fair use; + but if not, it's covered by the source document's license under + the 'comment on' clause. The license statement follows. + . + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph + are included on all such copies and derivative works. 
However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + . + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + +License: GPL-3+ + GnuPG is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + . + GnuPG is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program; if not, see . + . + On Debian systems, the full text of the GNU General Public + License version 3 can be found in the file + `/usr/share/common-licenses/GPL-3'. + +License: LGPL-3+ + This program is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as + published by the Free Software Foundation; either version 3 of + the License, or (at your option) any later version. + . + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + . + You should have received a copy of the GNU Lesser General Public + License along with this program; if not, see . + . 
+ On Debian systems, the full text of the GNU Lesser General Public + License version 3 can be found in the file + `/usr/share/common-licenses/LGPL-3'. + +License: LGPL-2.1+ + This program is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as + published by the Free Software Foundation; either version 2.1 of + the License, or (at your option) any later version. + . + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + . + You should have received a copy of the GNU Lesser General Public + License along with this program; if not, see . + . + On Debian systems, the full text of the GNU Lesser General Public + License version 2.1 can be found in the file + `/usr/share/common-licenses/LGPL-2.1'. + +License: BSD-3-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, and the entire permission notice in its entirety, + including the disclaimer of warranties. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. The name of the author may not be used to endorse or promote + products derived from this software without specific prior + written permission. + . + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. + +License: Expat + Permission is hereby granted, free of charge, to any person obtaining a + copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to permit + persons to whom the Software is furnished to do so, subject to the + following conditions: + . + The above copyright notice and this permission notice shall be included + in all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN + NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, + DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR + OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE + USE OR OTHER DEALINGS IN THE SOFTWARE. + +License: CC0-1.0 + To the extent possible under law, the author(s) have dedicated all + copyright and related and neighboring rights to this software to the public + domain worldwide. This software is distributed without any warranty. + . + On Debian systems, the complete text of the CC0 license, version 1.0, + can be found in /usr/share/common-licenses/CC0-1.0. 
diff --git a/dirmngr.NEWS b/dirmngr.NEWS new file mode 100644 index 0000000..b0c550f --- /dev/null +++ b/dirmngr.NEWS @@ -0,0 +1,49 @@ +dirmngr (2.1.18-1) unstable; urgency=medium + + If your machine is configured with system user session management, + dirmngr will be managed automatically by systemd's user sessions on + machines configured with use systemd. Please consider installing the + packages that the dirmngr package Suggests:, and see + /usr/share/doc/dirmngr/README.Debian for more details. + + -- Daniel Kahn Gillmor Mon, 23 Jan 2017 22:50:34 -0500 + +dirmngr (2.1.13-3) experimental; urgency=medium + + gpg and most related processes will auto-launch dirmngr if needed. + + Any user who wants to launch dirmngr manually should do so with: + + gpgconf --launch dirmngr + + and may want to terminate dirmngr when their session ends with: + + gpgconf --kill dirmngr + + Users on machines with systemd can ensure that dirmngr is always + running for their session (and that it gets terminated at logout) + with: + + gpgconf --kill dirmngr + systemctl --user enable dirmngr + systemctl --user start dirmngr + + -- Daniel Kahn Gillmor Tue, 28 Jun 2016 17:55:15 -0400 + +dirmngr (2.1.0~beta895-1) experimental; urgency=medium + + No more dirmngr system service! + =============================== + + As of the 2.1.0 beta series, dirmngr is a local daemon that works + closely with gnupg2. It is launched on its own, per-user, and + listens on a standard socket (usually ~/.gnupg/S.dirmngr). There is + no more system-wide dirmngr process. + + If there is a special case where a dirmngr system process is + actually needed, please report a bug in dirmngr, and we can sort out + a way to set one up for that case so that everyone with dirmngr + installed doesn't need to have it running. + + -- Daniel Kahn Gillmor Tue, 07 Oct 2014 10:33:52 -0400 + diff --git a/dirmngr.README.Debian b/dirmngr.README.Debian new file mode 100644 index 0000000..099240a --- /dev/null +++ b/dirmngr.README.Debian 
@@ -0,0 +1,47 @@ +dirmngr system integration +========================== + +Since 2.1.x, gpg and most related processes will auto-launch dirmngr +if needed. These auto-launched processes will inherit whatever +environment they started from, and they will not terminate +automatically. + +systemd +======= + +Since 2.1.17, users on machines with systemd will have a dirmngr +process launched automatically by systemd's user session, upon first +access of the standard socket. systemd will also cleanly tear this +process down at session logout. + +Users who don't want systemd to manage their dirmngr in this way for +all future sessions should do: + + systemctl --user mask --now dirmngr.socket + +Doing this means that dirmngr will fall back to its manual mode of +operation. (This decision can be reversed by the user with "unmask" +instead of "mask") + +See systemctl(1) for more details about managing the dirmngr.socket +unit. + +Manual dirmngr startup and teardown +=================================== + +Any user who wants to launch dirmngr manually (e.g., to talk to it +with a tool from outside the GnuPG suite) and is *not* using systemd +should first ensure that it is launched with: + + gpgconf --launch dirmngr + +If dirmngr is launched manually or automatically (but not supervised +by systemd), you also probably want to ensure that it terminates when +your session ends with: + + gpgconf --kill dirmngr + +If you're not using systemd, you may wish to add this command to your +session logout scripts. + + -- Daniel Kahn Gillmor , Mon, 23 Jan 2017 22:49:45 -0500 diff --git a/dirmngr.docs b/dirmngr.docs new file mode 100644 index 0000000..61e3257 --- /dev/null +++ b/dirmngr.docs @@ -0,0 +1,5 @@ +AUTHORS +NEWS +THANKS +TODO +doc/KEYSERVER diff --git a/dirmngr.install b/dirmngr.install new file mode 100644 index 0000000..4bd9ed2 --- /dev/null +++ b/dirmngr.install 
@@ -0,0 +1,6 @@
+debian/tmp/usr/bin/dirmngr
+debian/tmp/usr/bin/dirmngr-client
+debian/tmp/usr/lib/gnupg/dirmngr_ldap
+debian/tmp/usr/share/gnupg/sks-keyservers.netCA.pem
+doc/examples/systemd-user/dirmngr.service usr/lib/systemd/user
+doc/examples/systemd-user/dirmngr.socket usr/lib/systemd/user
diff --git a/dirmngr.links b/dirmngr.links
new file mode 100644
index 0000000..ca801e7
--- /dev/null
+++ b/dirmngr.links
@@ -0,0 +1 @@
+usr/lib/systemd/user/dirmngr.socket /usr/lib/systemd/user/sockets.target.wants/dirmngr.socket
diff --git a/dirmngr.maintscript b/dirmngr.maintscript
new file mode 100644
index 0000000..aa11aa5
--- /dev/null
+++ b/dirmngr.maintscript
@@ -0,0 +1,5 @@
+rm_conffile /etc/default/dirmngr
+rm_conffile /etc/dirmngr/dirmngr.conf
+rm_conffile /etc/dirmngr/ldapservers.conf
+rm_conffile /etc/init.d/dirmngr
+rm_conffile /etc/logrotate.d/dirmngr
diff --git a/dirmngr.manpages b/dirmngr.manpages
new file mode 100644
index 0000000..93702d9
--- /dev/null
+++ b/dirmngr.manpages
@@ -0,0 +1,2 @@
+debian/tmp/usr/share/man/man1/dirmngr-client.1
+debian/tmp/usr/share/man/man8/dirmngr.8
diff --git a/gbp.conf b/gbp.conf
new file mode 100644
index 0000000..7e57167
--- /dev/null
+++ b/gbp.conf
@@ -0,0 +1,37 @@
+[DEFAULT]
+debian-branch = debian/master
+pristine-tar = True
+upstream-vcs-tag = gnupg-%(version)s
+
+[import-orig]
+filter = [
+ 'aclocal.m4',
+ 'build-aux/compile',
+ 'build-aux/config.rpath',
+ 'build-aux/depcomp',
+ 'build-aux/install-sh',
+ 'build-aux/missing',
+ 'build-aux/mkinstalldirs',
+ 'build-aux/texinfo.tex',
+ 'config.h.in',
+ 'configure',
+ 'doc/gnupg.info*',
+ 'INSTALL',
+ 'm4/intdiv0.m4',
+ 'm4/intl.m4',
+ 'm4/lock.m4',
+ 'm4/printf-posix.m4',
+ 'm4/size_max.m4',
+ 'm4/uintmax_t.m4',
+ 'm4/wint_t.m4',
+ '*/*/Makefile.in',
+ '*/Makefile.in',
+ 'Makefile.in',
+ 'po/*.gmo',
+ 'po/Makefile.in.in',
+ 'po/stamp-po',
+ ]
+filter-pristine-tar = False
+
+[pq]
+patch-numbers = False
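Review bot: The five `rm_conffile` lines in dirmngr.maintscript pass no prior-version argument, so dpkg-maintscript-helper will attempt the removal on every upgrade instead of only on the upgrade that crosses the version where the files were dropped. Giving the bound makes the operation run once, e.g. `rm_conffile /etc/init.d/dirmngr <LAST_VERSION_SHIPPING_CONFFILE>~` (placeholder). The dirmngr.NEWS entry for 2.1.0~beta895-1 suggests that is where the system service went away, but the exact version should be confirmed against the changelog. The same applies to the other four paths in this hunk.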
diff --git a/gnupg-l10n.install b/gnupg-l10n.install
new file mode 100644
index 0000000..9aaad82
--- /dev/null
+++ b/gnupg-l10n.install
@@ -0,0 +1,2 @@
+debian/tmp/usr/share/gnupg/help.*.txt
+debian/tmp/usr/share/locale
diff --git a/gnupg-utils.install b/gnupg-utils.install
new file mode 100644
index 0000000..f0957fe
--- /dev/null
+++ b/gnupg-utils.install
@@ -0,0 +1,10 @@
+build/tools/gpg-zip usr/bin
+build/tools/gpgsplit usr/bin
+debian/migrate-pubring-from-classic-gpg usr/bin
+debian/tmp/usr/bin/gpgparsemail
+debian/tmp/usr/bin/kbxutil
+debian/tmp/usr/bin/symcryptrun
+debian/tmp/usr/bin/watchgnupg
+debian/tmp/usr/sbin/addgnupghome
+debian/tmp/usr/sbin/applygnupgdefaults
+tools/lspgpot usr/bin
diff --git a/gnupg-utils.manpages b/gnupg-utils.manpages
new file mode 100644
index 0000000..45ae2c7
--- /dev/null
+++ b/gnupg-utils.manpages
@@ -0,0 +1,10 @@
+debian/gpg-zip.1
+debian/gpgsplit.1
+debian/kbxutil.1
+debian/lspgpot.1
+debian/migrate-pubring-from-classic-gpg.1
+debian/tmp/usr/share/man/man1/gpgparsemail.1
+debian/tmp/usr/share/man/man1/symcryptrun.1
+debian/tmp/usr/share/man/man1/watchgnupg.1
+debian/tmp/usr/share/man/man8/addgnupghome.8
+debian/tmp/usr/share/man/man8/applygnupgdefaults.8
diff --git a/gnupg.README.Debian b/gnupg.README.Debian
new file mode 100644
index 0000000..24944d3
--- /dev/null
+++ b/gnupg.README.Debian
@@ -0,0 +1,44 @@ +Using "Modern" GnuPG +==================== + +As of version 2.1.11-7+exp1, the gnupg package is provided by the "modern" +version of GnuPG. + +This means: + + * supporting daemons are auto-launched as needed + + * all access to secret key material is handled by gpg-agent + + * all smartcard access is handled by scdaemon + + * all network access is handled by dirmngr + + * PGPv3 keys are no longer supported + + * secret keys are no longer stored in $GNUPGHOME/secring.gpg, but + instead in $GNUPGHOME/private-keys-v1.d/ + + * public keyrings are stored in keybox format (~/.gnupg/pubring.kbx) by + default for new users. Upgrading users will continue to use + pubring.gpg until they decide to explicitly convert. + +Converting an existing installation +----------------------------------- + +If you have an existing GnuPG homedir from "classic" GnuPG, secret +keys should be migrated automatically upon the first run of the +"modern" version. + +If you have any secret keys that are stored only in a smartcard, after +your first use of "modern" gpg you should insert the card and run: + + gpg --card-status + + (see https://bugs.debian.org/795881) + +Public keys will not be automatically migrated from pubring.gpg to +pubring.kbx, however. If you want to migrate your public keyring, you +can use a script like /usr/bin/migrate-pubring-from-classic-gpg + + -- Daniel Kahn Gillmor , Mon, 18 Apr 2016 19:08:36 -0400 diff --git a/gnupg.docs b/gnupg.docs new file mode 100644 index 0000000..2b55964 --- /dev/null +++ b/gnupg.docs @@ -0,0 +1,8 @@ +NEWS +README +THANKS +TODO +doc/DETAILS +doc/FAQ +doc/HACKING +doc/OpenPGP diff --git a/gnupg.info b/gnupg.info new file mode 100644 index 0000000..e4baa0f --- /dev/null +++ b/gnupg.info @@ -0,0 +1,3 @@ +debian/tmp/usr/share/info/gnupg.info* +doc/gnupg-card-architecture.png +doc/gnupg-module-overview.png diff --git a/gnupg2.links b/gnupg2.links new file mode 100644 index 0000000..96fde98 --- /dev/null +++ b/gnupg2.links 
@@ -0,0 +1,2 @@ +usr/bin/gpg usr/bin/gpg2 +usr/share/man/man1/gpg.1.gz usr/share/man/man1/gpg2.1.gz diff --git a/gpg-agent.NEWS b/gpg-agent.NEWS new file mode 100644 index 0000000..69b4e49 --- /dev/null +++ b/gpg-agent.NEWS @@ -0,0 +1,19 @@ +gnupg-agent (2.1.18-1) unstable; urgency=medium + + If your machine is configured with system user session management, + gpg-agent will be managed automatically by systemd's user sessions on + machines configured with use systemd. Please consider installing the + packages that the gnupg-agent package Suggests:, and see + /usr/share/doc/gnupg-agent/README.Debian for more details. + + -- Daniel Kahn Gillmor Mon, 23 Jan 2017 22:54:48 -0500 + +gnupg-agent (2.1.13-3) experimental; urgency=medium + + gpg-agent is no longer auto-launched by + /etc/X11/Xsession.d/90gpg-agent. Please read + /usr/share/doc/gnupg-agent/README.Debian for details about system + integration. + + -- Daniel Kahn Gillmor Tue, 28 Jun 2016 17:29:46 -0400 + diff --git a/gpg-agent.README.Debian b/gpg-agent.README.Debian new file mode 100644 index 0000000..f57d278 --- /dev/null +++ b/gpg-agent.README.Debian 
@@ -0,0 +1,82 @@ +gpg-agent system integration +============================ + +Since 2.1.x, gpg and most related processes will auto-launch gpg-agent +if needed. These auto-launched processes will inherit whatever +environment they started from, and they will not terminate +automatically. + +systemd +======= + +Since 2.1.17, users on machines with systemd will have their gpg-agent +process launched automatically by systemd's user session, upon first +access of any of the expected gpg-agent sockets (including the ssh +socket). systemd will also cleanly tear this process down at session +logout. + +If dbus-user-session and pinentry-gnome3 packages are installed, then +all user interaction with this systemd-managed gpg-agent process +(e.g. prompting for passwords or confirmations, etc) will take place +over the d-bus session, for better integration with graphical +environments like GNOME. + +Users who don't want systemd to manage their gpg-agent in this way for +all future sessions should do: + + systemctl --user mask --now gpg-agent.service gpg-agent.socket gpg-agent-ssh.socket gpg-agent-extra.socket gpg-agent-browser.socket + +Doing this means that gpg-agent will fall back to its manual mode of +operation. (This decision can be reversed by the user with "unmask" +instead of "mask") + +See systemctl(1) for more details about managing the gpg-agent*.socket +units. + +ssh-agent emulation +=================== + +gpg-agent offers an ssh-agent emulation which can be achieved by +setting the environment variable SSH_AUTH_SOCK to: + + /run/user/$(id -u)/gnupg/S.gpg-agent.ssh + +(replace $(id -u) with the user's numeric user ID, of course). + +But ssh doesn't have a way to tell ssh-agent how to prompt the user +when necessary; the systemd-managed gpg-agent process will only know +how to prompt the user if you have dbus-user-session and +pinentry-gnome3 installed. 
This is the recommended configuration for +gpg-agent's ssh-agent emulation on desktop machines running systemd, +and doesn't need any additional configuration. + +However, if dbus-user-session and pinentry-gnome3 are not in use, by +default the systemd-managed gpg-agent will not know how to get +feedback from the user when a request is first received by ssh. You +can give it a hint for all future ssh connections by running: + + gpg-connect-agent updatestartuptty /bye + +You may wish to do this in the login scripts for your user session if +you run systemd without dbus-user-session and pinentry-gnome3, and you +plan to use gpg-agent's ssh-agent emulation. + +Manual gpg-agent startup and teardown +===================================== + +Any user who wants to launch gpg-agent manually (e.g., to talk to it +with a tool from outside the GnuPG suite) and is *not* using systemd +should first ensure that it is launched with: + + gpgconf --launch gpg-agent + +If gpg-agent is launched manually or automatically (but not supervised +by systemd), you probably want to ensure that it terminates when your +session ends with: + + gpgconf --kill gpg-agent + +If you're not using systemd, you may wish to add this to your session +logout scripts. + + -- Daniel Kahn Gillmor , Mon, 23 Jan 2017 22:56:08 -0500 diff --git a/gpg-agent.examples b/gpg-agent.examples new file mode 100644 index 0000000..34213be --- /dev/null +++ b/gpg-agent.examples @@ -0,0 +1,2 @@ +doc/examples/pwpattern.list +doc/examples/trustlist.txt diff --git a/gpg-agent.install b/gpg-agent.install new file mode 100644 index 0000000..ae93fb5 --- /dev/null +++ b/gpg-agent.install 
@@ -0,0 +1,11 @@
+debian/Xsession.d/90gpg-agent etc/X11/Xsession.d
+debian/systemd-environment-generator/90gpg-agent usr/lib/systemd/user-environment-generators
+debian/tmp/usr/bin/gpg-agent
+debian/tmp/usr/lib/gnupg/gpg-check-pattern
+debian/tmp/usr/lib/gnupg/gpg-preset-passphrase
+debian/tmp/usr/lib/gnupg/gpg-protect-tool
+doc/examples/systemd-user/gpg-agent-browser.socket usr/lib/systemd/user
+doc/examples/systemd-user/gpg-agent-extra.socket usr/lib/systemd/user
+doc/examples/systemd-user/gpg-agent-ssh.socket usr/lib/systemd/user
+doc/examples/systemd-user/gpg-agent.service usr/lib/systemd/user
+doc/examples/systemd-user/gpg-agent.socket usr/lib/systemd/user
diff --git a/gpg-agent.links b/gpg-agent.links
new file mode 100644
index 0000000..90f6ce1
--- /dev/null
+++ b/gpg-agent.links
@@ -0,0 +1,6 @@
+usr/lib/gnupg/gpg-preset-passphrase usr/lib/gnupg2/gpg-preset-passphrase
+usr/lib/gnupg/gpg-protect-tool usr/lib/gnupg2/gpg-protect-tool
+usr/lib/systemd/user/gpg-agent-browser.socket usr/lib/systemd/user/sockets.target.wants/gpg-agent-browser.socket
+usr/lib/systemd/user/gpg-agent-extra.socket usr/lib/systemd/user/sockets.target.wants/gpg-agent-extra.socket
+usr/lib/systemd/user/gpg-agent-ssh.socket usr/lib/systemd/user/sockets.target.wants/gpg-agent-ssh.socket
+usr/lib/systemd/user/gpg-agent.socket usr/lib/systemd/user/sockets.target.wants/gpg-agent.socket
diff --git a/gpg-agent.logcheck.ignore.server b/gpg-agent.logcheck.ignore.server
new file mode 100644
index 0000000..a2f2130
--- /dev/null
+++ b/gpg-agent.logcheck.ignore.server
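Review bot: gpg-agent.links puts all four socket units under `sockets.target.wants`, so the ssh-agent emulation socket and the web-browser socket are enabled in every systemd user session by default, alongside the main agent socket. The README in this same import documents only an opt-out (`systemctl --user mask --now ...`). If default-on is not required for `gpg-agent-ssh.socket` and `gpg-agent-browser.socket`, I would drop those two link lines and keep the units installed, so that users who want them enable them explicitly. If default-on is intended, the README should state plainly that both sockets listen by default. Whether anything points `SSH_AUTH_SOCK` at the ssh socket by default is not visible in this hunk, so the practical exposure should be confirmed against the `90gpg-agent` scripts.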
@@ -0,0 +1,11 @@
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Listening on GnuPG cryptographic agent and passphrase cache\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Listening on GnuPG network certificate management daemon\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Listening on GnuPG cryptographic agent and passphrase cache \(restricted\)\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Listening on GnuPG cryptographic agent \(access for web browsers\)\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Listening on GnuPG cryptographic agent \(ssh-agent emulation\)\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Closed GnuPG network certificate management daemon\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Closed GnuPG cryptographic agent and passphrase cache\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Closed GnuPG cryptographic agent and passphrase cache \(restricted\)\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Closed GnuPG cryptographic agent \(ssh-agent emulation\)\.$
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Closed GnuPG cryptographic agent \(access for web browsers\)\.$
+
diff --git a/gpg-agent.manpages b/gpg-agent.manpages
new file mode 100644
index 0000000..ca2e72f
--- /dev/null
+++ b/gpg-agent.manpages
@@ -0,0 +1,3 @@
+debian/gpg-check-pattern.1
+debian/tmp/usr/share/man/man1/gpg-agent.1
+debian/tmp/usr/share/man/man1/gpg-preset-passphrase.1
diff --git a/gpg-check-pattern.1 b/gpg-check-pattern.1
new file mode 100644
index 0000000..5094706
--- /dev/null
+++ b/gpg-check-pattern.1
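Review bot: The second and sixth patterns in gpg-agent.logcheck.ignore.server suppress messages for the dirmngr socket (`... GnuPG network certificate management daemon\.$`), but that unit is shipped by the dirmngr package (see dirmngr.install), whose control stanza does not depend on gpg-agent. A host with dirmngr installed and gpg-agent absent would therefore still have these lines reported, while gpg-agent carries ignore rules for a unit it does not own. Moving the two patterns into a `dirmngr.logcheck.ignore.server` would keep each ignore list scoped to the package that produces the messages. The patterns are anchored with `^` and `$` and name the `systemd[pid]` tag explicitly; any pattern added later should keep that shape so the list does not start hiding unrelated log lines.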
@@ -0,0 +1,35 @@
+.TH GPG-CHECK-PATTERN "1" "March 2016" "gpg-check-pattern (GnuPG) 2.1.11" "User Commands"
+
+.SH NAME
+gpg-check-pattern \- Check a passphrase on stdin against the patternfile
+
+.SH SYNOPSIS
+.B gpg\-check\-pattern
+.RB [ options ]
+.I patternfile
+
+.SH DESCRIPTION
+.B gpg\-check\-pattern checks a passphrase given on stdin against a specified patternfile.
+
+.SH OPTIONS
+.TP
+.BR \-v ", " \-\-verbose
+Produce verbose output
+.TP
+.BR \-\-check
+run only a syntax check on the patternfile
+.TP
+.BR \-0 ", " \-\-null
+input is expected to be null delimited
+.PP
+Please report bugs to .
+
+.SH COPYRIGHT
+Copyright \(co 2016 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later
+
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+
+This manpage was written by \fBDaniel Kahn Gillmor\fR for the Debian
+distribution (but may be used by others).
diff --git a/gpg-wks-client.1 b/gpg-wks-client.1
new file mode 100644
index 0000000..9cd70d5
--- /dev/null
+++ b/gpg-wks-client.1
@@ -0,0 +1,178 @@ +.TH GPG\-WKS\-CLIENT "1" "May 2017" "gpg-wks-client (GnuPG) 2.1.20" "User Commands" + +.SH NAME +gpg\-wks\-client \- Client for the Web Key Service + +.SH SYNOPSIS +.B gpg\-wks\-client +.RB [ COMMAND ] +.RB [ OPTIONS ] +.RB [ ARGS ] + +.SH DESCRIPTION +.B gpg\-wks\-client +is a simple command line client for the Web Key Service. The executable +is usually located in /usr/lib/gnupg. +. +It allows a user to create a publication request and to respond to a +received confirmation request. Communication with the Web Key Service +is done via email. +. +It also can lookup the fingerprint of a USER\-ID in the Web Key +Directory. + +.SH COMMANDS +.TP +.B \-\-supported USER\-ID +Check whether provider of the given USER\-ID supports the Web Key +Service protocol, i.e. whether it has a Web Key Directory providing a +submission address. +.IP +Similar to: +.IP +.nf +.RS 12 +gpg\-connect\-agent \-\-dirmngr 'WKD_GET \-\-submission\-address \-\- USER\-ID' /bye +.RE +.fi +.TP +.B \-\-check USER\-ID +Check whether a key is available, and whether the listed key is valid +for the requested USER\-ID. +. +You might want to use +.IP +.nf +.RS 12 +gpg \-v \-\-auto\-key\-locate=clear,wkd,nodefault \-\-locate\-key USER\-ID +.RE +.fi +.IP +instead. +.TP +.B \-\-create FINGERPRINT USER\-ID +Create a publication request for the USER\-ID in the key with the given +FINGERPRINT. List all possible keys (including the fingerprint) for a +USER\-ID with: +.IP +.nf +.RS 12 +gpg --list-key USER\-ID +.RE +.fi +.IP +By default the publication request will be printed to STDOUT. You can +also write it to a file using the +.B \-\-output +option or send it using sendmail with the +.B \-\-send +option. +.TP +.B \-\-receive +Receive a MIME confirmation request on STDIN and acknowledge it. +.IP +By default the confirmation response will be printed to STDOUT. You can +also write it to a file using the +.B \-\-output +option or send it using sendmail with the +.B \-\-send +option. 
+.TP +.B \-\-read +Receive a plain text confirmation request. Similar to +.BR \-\-receive , +but takes only the message body on STDIN. +.TP +.B \-\-version +Show program version and some meta information. +.TP +.BR \-h ", " \-\-help +Output a short usage information. +.TP +.B \-\-warranty +Print warranty information. +.TP +.B \-\-dump-options +Dump all available options and commands. + +.SH OPTIONS +.TP +.BR \-v ", " \-\-verbose +Enable verbose output. +.TP +.BR \-q ", " \-\-quiet +Be somewhat more quiet. +.TP +.B \-\-send +Send the mail using sendmail. +.TP +.BR \-o ", " \-\-output " \fIFILE\fR" +Write the mail to FILE. +.TP +.BI \-\-status\-fd " FD" +Write status info to this FD. +.TP +.B \-\-debug +Set debugging flags. All flags are or-ed and flags may be given in C +syntax (e.g. 0x0042) or as a comma separated list of flag names. To get +a list of all supported flags the single word "help" can be used. +.TP +.BI \-\-gpg " GPG" +Use the specified command instead of +.BR gpg . +.TP +.BI \-\-fake\-submission\-addr " MAILADDR" +Send mail to MAILADDR instead of the submission address queried through +Web Key Service. + +.SH EXAMPLES +.SS Send a publication request +First find the fingerprint (a long string of hex digits) of the key you +want to publish: +.P +.nf +.RS 4 +gpg \-\-list\-key "Alice " +.RE +.fi +.P +Now create and send the publication request: +.P +.nf +.RS 4 +/usr/lib/gnupg/gpg\-wks\-client \-\-create \-\-send 0123456789ABCDEF0123456789ABCDEF01234567 "Alice " +.RE +.fi +.P +Instead of \fI"Alice "\fR you can also just give \fIalice@example.com\fR. +.P +.SS Confirm a confirmation request +Paste the full mail containing the confirmation request (including +headers) you got from the Web Key Service on STDIN after starting: +.P +.nf +.RS 4 +/usr/lib/gnupg/gpg\-wks\-client \-\-receive \-\-send +.RE +.fi + +.SH SEE ALSO +.IP \(em 4 +Latest draft for the protocol: + +.IP \(em 4 +GnuPG on Web Key Service: + + +.SH BUGS +Please report bugs to . 
+ +.SH COPYRIGHT +Copyright \(co 2017 Free Software Foundation, Inc. +License GPLv3+: GNU GPL version 3 or later + +This is free software: you are free to change and redistribute it. +There is NO WARRANTY, to the extent permitted by law. + +This manpage was written by \fBStefan Bühler\fR for the Debian +distribution (but may be used by others). diff --git a/gpg-wks-client.install b/gpg-wks-client.install new file mode 100644 index 0000000..1b331dd --- /dev/null +++ b/gpg-wks-client.install @@ -0,0 +1 @@ +debian/tmp/usr/lib/gnupg/gpg-wks-client diff --git a/gpg-wks-client.manpages b/gpg-wks-client.manpages new file mode 100644 index 0000000..d2edd3e --- /dev/null +++ b/gpg-wks-client.manpages @@ -0,0 +1 @@ +debian/gpg-wks-client.1 diff --git a/gpg-wks-server.1 b/gpg-wks-server.1 new file mode 100644 index 0000000..4c01128 --- /dev/null +++ b/gpg-wks-server.1 
@@ -0,0 +1,180 @@ +.TH GPG\-WKS\-SERVER "1" "May 2017" "gpg-wks-server (GnuPG) 2.1.20" "User Commands" + +.SH NAME +gpg\-wks\-server \- Server for the Web Key Service + +.SH SYNOPSIS +.B gpg\-wks\-server +.RB [ COMMAND ] +.RB [ OPTIONS ] +.RB [ ARGS ] + +.SH DESCRIPTION +.B gpg\-wks\-server +is a server for the Web Key Service. It can handle incoming mails with +the +.B \-\-receive +command. +.P +See the EXAMPLES section for procmail and crontab configurations. +.P +You also need a webserver configured to alias requests to +.I /.well\-known/openpgp/ +and below to the +.I /var/lib/gnupg/wks// +directory. + +.SH COMMANDS +.TP +.B \-\-receive +Receive a submission or confirmation. +.TP +.B \-\-cron +Run regular jobs. +.TP +.B \-\-list\-domains +List configured domains, and checks some file and directory permissions. +.TP +.B \-\-version +Show program version and some meta information. +.TP +.BR \-h ", " \-\-help +Output a short usage information. +.TP +.B \-\-warranty +Print warranty information. +.TP +.B \-\-dump-options +Dump all available options and commands. + +.SH OPTIONS +.TP +.BR \-v ", " \-\-verbose +Enable verbose output. +.TP +.BR \-q ", " \-\-quiet +Be somewhat more quiet. +.TP +.B \-\-send +Send the mail using sendmail. +.TP +.BR \-o ", " \-\-output " \fIFILE\fR" +Write the mail to FILE. +.TP +.BI \-\-from " ADDR" +Use ADDR as the default sender. +.TP +.BI \-\-header " NAME=VALUE" +Add "NAME: VALUE" as header to all mails. +.IP +Can be used to add a header for loop detections, see procmail example. +.TP +.B \-\-debug +Set debugging flags. All flags are or-ed and flags may be given in C +syntax (e.g. 0x0042) or as a comma separated list of flag names. To get +a list of all supported flags the single word "help" can be used. +.TP +.BI \-\-gpg " GPG" +Use the specified command instead of +.BR gpg . + +.SH DIRECTORIES +.TP +.B /var/lib/gnupg/wks/ +Contains a subdirectory for each domain to run the server for. 
Each +subdirectory is supposed to contain what should show up on +.BR https://.../.well\-known/openpgp/ . +.IP +The user running +.B gpg\-wks\-server +needs write access to these subdirectories. + +.SH EXAMPLES +.SS ~/.procmailrc +Store received emails in +.B ~/Mail/ +(create it manually first), uses \fIFrom: key\-submission@example.com\fR and +\fIX\-WKS\-Loop: example.com\fR as loop detection: +.P +.nf +.RS 4 +MAILDIR=$HOME/Mail +LOGFILE=$HOME/Mail/from +LOCKFILE=$HOME/Mail/.lockmail +VERBOSE=yes + +# filter out FROM_DAEMON mails (bounces, ...) into separate mailbox +:0 +* ^FROM_DAEMON +from\-daemon/ + +# archive (copy!) all "normal" mails +:0 c +archive/ + +# if not in a loop: handle mails with gpg\-wks\-server +:0 w +* !^From: key\-submission@example.com +* !^X\-WKS\-Loop: example.com +|gpg\-wks\-server \-v \-\-receive \\ + \-\-header X\-WKS\-Loop=example.com \\ + \-\-from key\-submission@example.com \-\-send + +# if handling failed: store in separate mailbox +:0 e +cruft/ +.RE +.fi + +.SS ~/.forward +In case procmail is not used automatically the following +.B ~/.forward +file might be useful: +.P +.nf +.RS 4 +"|exec /usr/bin/procmail || exit 75" +.RE +.fi +.P +The double quotes are supposed to be included in the file! + +.SS crontab +You should run the +.B \-\-cron +command once a day. Edit the crontab with +.P +.nf +.RS 4 +crontab \-e +.RE +.fi +.P +and append the following line: +.P +.nf +.RS 4 +42 3 * * * gpg\-wks\-server \-\-cron +.RE +.fi + +.SH SEE ALSO +.IP \(em 4 +Latest draft for the Web Key Service protocol: + +.IP \(em 4 +GnuPG on Web Key Service: + + +.SH BUGS +Please report bugs to . + +.SH COPYRIGHT +Copyright \(co 2017 Free Software Foundation, Inc. +License GPLv3+: GNU GPL version 3 or later + +This is free software: you are free to change and redistribute it. +There is NO WARRANTY, to the extent permitted by law. + +This manpage was written by \fBStefan Bühler\fR for the Debian +distribution (but may be used by others). 
diff --git a/gpg-wks-server.install b/gpg-wks-server.install
new file mode 100644
index 0000000..c18c2e7
--- /dev/null
+++ b/gpg-wks-server.install
@@ -0,0 +1 @@
+debian/tmp/usr/bin/gpg-wks-server
diff --git a/gpg-wks-server.manpages b/gpg-wks-server.manpages
new file mode 100644
index 0000000..5bd206c
--- /dev/null
+++ b/gpg-wks-server.manpages
@@ -0,0 +1 @@
+debian/gpg-wks-server.1
diff --git a/gpg-zip.1 b/gpg-zip.1
new file mode 100644
index 0000000..cba5db4
--- /dev/null
+++ b/gpg-zip.1
@@ -0,0 +1,102 @@ +.TH "GPG\-ZIP" 1 "November 2006" + +.SH NAME +gpg\-zip \- encrypt or sign files into an archive + +.SH SYNOPSIS +.B gpg\-zip +.RB [ OPTIONS ] +.IR filename1 " [" "filename2, ..." ] +.IR directory1 " [" "directory2, ..." ] + +.SH DESCRIPTION +This manual page documents briefly the +.B gpg\-zip +command. +.PP +.B gpg\-zip +encrypts or signs files into an archive. It is an gpg-ized tar using the +same format as PGP's PGP Zip. + +.SH OPTIONS +.TP +.BR \-e ", " \-\-encrypt +Encrypt data. This option may be combined with +.B \-\-symmetric +(for output that may be decrypted via a secret key or a passphrase). +.TP +.BR \-d ", " \-\-decrypt +Decrypt data. +.TP +.BR \-c ", " \-\-symmetric +Encrypt with a symmetric cipher using a passphrase. The default +symmetric cipher used is CAST5, but may be chosen with the +.B \-\-cipher\-algo +option to +.BR gpg (1). +.TP +.BR \-s ", " \-\-sign +Make a signature. See +.BR gpg (1). +.TP +.BR \-r ", " \-\-recipient " \fIUSER\fR" +Encrypt for user id \fIUSER\fR. See +.BR gpg (1). +.TP +.BR \-u ", " \-\-local\-user " \fIUSER\fR" +Use \fIUSER\fR as the key to sign with. See +.BR gpg (1). +.TP +.B \-\-list\-archive +List the contents of the specified archive. +.TP +.BR \-o ", " \-\-output " " \fIFILE\fR" +Write output to specified file +.IR FILE . +.TP +.BI \-\-gpg " GPG" +Use the specified command instead of +.BR gpg . +.TP +.BI \-\-gpg\-args " ARGS" +Pass the specified options to +.BR gpg (1). +.TP +.BI \-\-tar " TAR" +Use the specified command instead of +.BR tar . +.TP +.BI \-\-tar\-args " ARGS" +Pass the specified options to +.BR tar (1). +.TP +.BR \-h ", " \-\-help +Output a short usage information. +.TP +.B \-\-version +Output the program version. + +.SH DIAGNOSTICS +The program returns \fB0\fR if everything was fine, \fB1\fR otherwise. 
+ +.SH EXAMPLES +Encrypt the contents of directory \fImydocs\fR for user Bob to file \fItest1\fR: +.IP +.B gpg\-zip \-\-encrypt \-\-output test1 \-\-gpg-args ""\-r Bob"" mydocs +.PP +List the contents of archive \fItest1\fR: +.IP +.B gpg\-zip \-\-list\-archive test1 + +.SH SEE ALSO +.BR gpg (1), +.BR tar (1) + +.SH AUTHOR +Copyright (C) 2005 Free Software Foundation, Inc. Please report bugs to +<\&bug-gnupg@gnu.org\&>. + +This manpage was written by \fBColin Tuckley\fR <\&colin@tuckley.org\&> +and \fBDaniel Leidert\fR <\&daniel.leidert@wgdd.de\&> for the Debian +distribution (but may be used by others). + diff --git a/gpg.install b/gpg.install new file mode 100644 index 0000000..0b53564 --- /dev/null +++ b/gpg.install @@ -0,0 +1 @@ +debian/tmp/usr/bin/gpg diff --git a/gpg.manpages b/gpg.manpages new file mode 100644 index 0000000..7c47415 --- /dev/null +++ b/gpg.manpages @@ -0,0 +1 @@ +debian/tmp/usr/share/man/man1/gpg.1 diff --git a/gpgcompose.1 b/gpgcompose.1 new file mode 100644 index 0000000..f92fb05 --- /dev/null +++ b/gpgcompose.1 
@@ -0,0 +1,56 @@ +.TH "gpgcompose" 1 "June 2017" + +.SH NAME +gpgcompose \- Generate a stream of OpenPGP packets + +.SH SYNOPSIS +.B gpgcompose +.RI [[ OPTION +.RI [ ARGS ]] +\&... ] + +.B gpgcompose --help + +.B gpgcompose +.I OPTION +.B --help + +.SH DESCRIPTION +.B gpgcompose +generates a stream of OpenPGP packets, including some which can +include other nested packets within a layer of encryption. The syntax +on the command line isn't stable enough to document currently, but +additional hints and examples can be found from the command line using +.BR \-\-help . + +.SH EXTERNAL DEPENDENCIES + +.B gpgcompose +is not capable of performing secret key operations on its own. +Creation of any OpenPGP object that requires secret key operations +(e.g., +.BR \-\-signature ) +will need to speak to an already-running +.BR gpg-agent . + +.SH FILES + +Occasionally, +.B gpgcompose +will need to look up existing public keys for reference (e.g., +.BR \-\-public-key ). +It will do so in +.BR ~/.gnupg/keyring.kbx, +or in +.B $GNUPGHOME/keyring.kbx +if that variable is set. + +.SH SEE ALSO + +RFC 4880, gpg(1), gpg-agent(1), gpg-connect-agent(1) + +.SH AUTHOR +gpgcompose is copyright (C) 2016, g10 Code GmbH. + +This manpage was written by Daniel Kahn Gillmor . + diff --git a/gpgcompose.install b/gpgcompose.install new file mode 100644 index 0000000..cb52401 --- /dev/null +++ b/gpgcompose.install @@ -0,0 +1 @@ +build-maintainer/g10/gpgcompose usr/bin diff --git a/gpgcompose.manpages b/gpgcompose.manpages new file mode 100644 index 0000000..55f0ef4 --- /dev/null +++ b/gpgcompose.manpages @@ -0,0 +1 @@ +debian/gpgcompose.1 diff --git a/gpgconf.examples b/gpgconf.examples new file mode 100644 index 0000000..3e74b94 --- /dev/null +++ b/gpgconf.examples @@ -0,0 +1 @@ +doc/examples/gpgconf.conf diff --git a/gpgconf.install b/gpgconf.install new file mode 100644 index 0000000..398d8a6 --- /dev/null +++ b/gpgconf.install 
@@ -0,0 +1,3 @@ +debian/tmp/usr/bin/gpg-connect-agent +debian/tmp/usr/bin/gpgconf +debian/tmp/usr/share/gnupg/distsigkey.gpg diff --git a/gpgconf.manpages b/gpgconf.manpages new file mode 100644 index 0000000..70bb0d7 --- /dev/null +++ b/gpgconf.manpages @@ -0,0 +1,2 @@ +debian/tmp/usr/share/man/man1/gpg-connect-agent.1 +debian/tmp/usr/share/man/man1/gpgconf.1 diff --git a/gpgsm.install b/gpgsm.install new file mode 100644 index 0000000..8822607 --- /dev/null +++ b/gpgsm.install @@ -0,0 +1 @@ +debian/tmp/usr/bin/gpgsm diff --git a/gpgsm.manpages b/gpgsm.manpages new file mode 100644 index 0000000..ad6a686 --- /dev/null +++ b/gpgsm.manpages @@ -0,0 +1 @@ +debian/tmp/usr/share/man/man1/gpgsm.1 diff --git a/gpgsplit.1 b/gpgsplit.1 new file mode 100644 index 0000000..116ce89 --- /dev/null +++ b/gpgsplit.1 @@ -0,0 +1,41 @@ +.TH "gpgsplit" 1 "December 2005" + +.SH NAME +gpgsplit \- Split an OpenPGP message into packets + +.SH SYNOPSIS +.B gpgsplit +.RI [ OPTIONS ] +.RI [ FILES ] + +.SH DESCRIPTION +This manual page documents briefly the +.B gpgsplit +command. +.PP +.B gpgsplit +splits an OpenPGP message into packets. + +.SH OPTIONS +.TP +.BR \-v , \-\-verbose +Verbose. +.TP +.BR \-p , "\-\-prefix " \fISTRING\fR +Prepend filenames with \fISTRING\fR. +.TP +.B \-\-uncompress +Uncompress a packet. +.TP +.B \-\-secret\-to\-public +Convert secret keys to public keys. +.TP +.B \-\-no\-split +Write to stdout and don't actually split. + +.SH AUTHOR +Copyright (C) 2002 Free Software Foundation, Inc. Please report bugs to +. + +This manpage was written by Francois Wendling . + diff --git a/gpgv-static.1 b/gpgv-static.1 new file mode 100644 index 0000000..c8dcc1a --- /dev/null +++ b/gpgv-static.1 
@@ -0,0 +1,32 @@ +.TH GPGV-STATIC "1" "November 2016" "GnuPG" "Gnu Privacy Guard 2.1" + +.SH NAME +gpgv-static - Verify OpenPGP signatures (static build) + +.SH SYNOPSIS +.B gpgv-static [\fIoptions\fP] \fIsigned_files\fP + +.SH DESCRIPTION +\fBgpgv\fR is an OpenPGP signature verification tool. + +\fBgpgv-static\fR is \fBgpgv\fR built statically so that it can be +directly used on any platform that is running on the Linux kernel, +such as Android, ChromeOS, or many embedded Linux systems. + +This version of \fBgpgv\fR in combination with \fBdebootstrap\fR and +the Debian archive keyring allows the secure creation of chroot +installs on these platforms by using the full Debian signature +verification that is present in all official Debian mirrors. + +You may wish to re-name the binary to plain \fBgpgv\fR when +transferring it into such a platform to create a chroot. + +Please read the documentation for \fBgpgv\fR for more details. + +.SH SEE ALSO +\fBgpg\fR(1) + +.SH AUTHOR +This manual page was written by Daniel Kahn Gillmor + for the Debian project, but may be used by +others under the same license as GnuPG itself. diff --git a/gpgv-static.install b/gpgv-static.install new file mode 100644 index 0000000..adb6deb --- /dev/null +++ b/gpgv-static.install @@ -0,0 +1 @@ +build-gpgv-static/g10/gpgv-static usr/bin/ diff --git a/gpgv-static.lintian-overrides b/gpgv-static.lintian-overrides new file mode 100644 index 0000000..fa0b8df --- /dev/null +++ b/gpgv-static.lintian-overrides @@ -0,0 +1,3 @@ +# gpgv-static is deliberately built statically. We cannot avoid +# embedding zlib. +gpgv-static: embedded-library usr/bin/gpgv-static: zlib diff --git a/gpgv-static.manpages b/gpgv-static.manpages new file mode 100644 index 0000000..e3f73aa --- /dev/null +++ b/gpgv-static.manpages @@ -0,0 +1 @@ +debian/gpgv-static.1 diff --git a/gpgv-udeb.install b/gpgv-udeb.install new file mode 100644 index 0000000..fe27533 --- /dev/null +++ b/gpgv-udeb.install 
@@ -0,0 +1 @@
+build-gpgv-udeb/g10/gpgv usr/bin/
diff --git a/gpgv-win32.install b/gpgv-win32.install
new file mode 100644
index 0000000..cf3cd8c
--- /dev/null
+++ b/gpgv-win32.install
@@ -0,0 +1 @@
+build-gpgv-win32/g10/gpgv.exe usr/share/win32
diff --git a/gpgv.install b/gpgv.install
new file mode 100644
index 0000000..0a9f9a2
--- /dev/null
+++ b/gpgv.install
@@ -0,0 +1 @@
+debian/tmp/usr/bin/gpgv
diff --git a/gpgv.manpages b/gpgv.manpages
new file mode 100644
index 0000000..86a9e29
--- /dev/null
+++ b/gpgv.manpages
@@ -0,0 +1 @@
+debian/tmp/usr/share/man/man1/gpgv.1
diff --git a/gpgv2.links b/gpgv2.links
new file mode 100644
index 0000000..5107429
--- /dev/null
+++ b/gpgv2.links
@@ -0,0 +1,2 @@
+usr/bin/gpgv usr/bin/gpgv2
+usr/share/man/man1/gpgv.1.gz usr/share/man/man1/gpgv2.1.gz
diff --git a/kbxutil.1 b/kbxutil.1
new file mode 100644
index 0000000..d59f1fe
--- /dev/null
+++ b/kbxutil.1
@@ -0,0 +1,62 @@ +.TH KBXUTIL "1" "March 2016" "kbxutil (GnuPG) 2.1.11" "User Commands" + +.SH NAME +kbxutil \- List, export, import Keybox data + +.SH SYNOPSIS +.B kbxutil +.RB [ OPTIONS ] +.RB [ FILES ] + +.SH DESCRIPTION +List, export, import Keybox data + +.SH COMMANDS +.TP +.B \-\-stats +show key statistics +.TP +.B \-\-import\-openpgp +import OpenPGP keyblocks +.TP +.B \-\-find\-dups +find duplicates +.TP +.B \-\-cut +export records + +.SH OPTIONS +.TP +.BI \-\-from " N" +first record to export +.TP +.BI \-\-to " N" +last record to export +.TP +.BR \-v ", " \-\-verbose +verbose +.TP +.BR \-q ", " \-\-quiet +be somewhat more quiet +.TP +.BR \-n ", " \-\-dry\-run +do not make any changes +.TP +.B \-\-debug +set debugging flags +.TP +.B \-\-debug\-all +enable full debugging + +.SH BUGS +Please report bugs to . + +.SH COPYRIGHT +Copyright \(co 2016 Free Software Foundation, Inc. +License GPLv3+: GNU GPL version 3 or later + +This is free software: you are free to change and redistribute it. +There is NO WARRANTY, to the extent permitted by law. + +This manpage was written by \fBDaniel Kahn Gillmor\fR for the Debian +distribution (but may be used by others). diff --git a/lspgpot.1 b/lspgpot.1 new file mode 100644 index 0000000..ba27eca --- /dev/null +++ b/lspgpot.1 @@ -0,0 +1,22 @@ +.TH "lspgpot" 1 "December 2005" + +.SH NAME +lspgpot - extracts the ownertrust values from PGP keyrings and list them in +GnuPG ownertrust format. + + +.SH SYNOPSIS +.B lspgpot + + +.SH DESCRIPTION +.B lspgpot +extracts the ownertrust values from PGP keyrings and list them in +GnuPG ownertrust format. + +.SH AUTHOR +Copyright (C) 2002 Free Software Foundation, Inc. Please report bugs to +. + +This manpage was written by Francois Wendling . + diff --git a/migrate-pubring-from-classic-gpg b/migrate-pubring-from-classic-gpg new file mode 100755 index 0000000..13ee1f8 --- /dev/null +++ b/migrate-pubring-from-classic-gpg 
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# script to migrate fully from pubring.gpg to pubring.kbx
+
+# Author: Daniel Kahn Gillmor
+# Date: 2016-04-01
+# License: GPLv3+
+
+# This was written for the Debian project
+
+set -e
+
+GPG="${GPG:-gpg}"
+
+# select the default GnuPG home directory to work from:
+GHD=${GNUPGHOME:-${HOME:-$(getent passwd "$(id -u)" | cut -f6 -d:)}/.gnupg}
+
+# Check that this is gnupg 2.1 or 2.2:
+VERSION=$("$GPG" --version | head -n1 | cut -f3 -d\ | cut -f1,2 -d.)
+if [ "$VERSION" != 2.1 ] && [ "$VERSION" != 2.2 ] ; then
+ printf '%s is version %s not version 2.1 or 2.2, this script might be wrong\n' "$GPG" "$VERSION" >&2
+ exit 1
+fi
+
+usage() {
+ printf 'Usage: %s [GPGHOMEDIR|--default]
+\tMigrate public keyring in GPGHOMEDIR from "classic" to "modern" GnuPG
+\tusing %s version %s.
+
+\t--default migrates the GnuPG home directory at "%s"
+' "$0" "$GPG" "$VERSION" "$GHD"
+}
+
+if [ -z "$1" ]; then
+ usage >&2
+ exit 1
+else
+ case "$1" in
+ --help|--usage|-h)
+ usage
+ exit
+ ;;
+ --default)
+ ;;
+ *)
+ GHD="$1"
+ ;;
+ esac
+fi
+
+# ensure that there is a pubring.gpg to migrate:
+if ! [ -f "$GHD/pubring.gpg" ]; then
+ printf 'There is no %s/pubring.gpg, no need to migrate\n' "$GHD" >&2
+ exit
+fi
+if ! [ -s "$GHD/pubring.gpg" ]; then
+ mv -- "$GHD/pubring.gpg" "$GHD/pubring.gpg.empty"
+ printf '%s/pubring.gpg was empty (and has been moved out of the way), no need to migrate\n' "$GHD" >&2
+ exit
+fi
+
+BACKUP="$(mktemp -d "$GHD/migrate-from-classic-backup.$(date +%F).XXXXXX")"
+printf 'Migrating from:\n%s\n[Backing up to %s]\n' "$(ls -l "$GHD/pubring.gpg")" "$BACKUP" >&2
+
+"$GPG" --export-ownertrust > "$BACKUP/ownertrust.txt"
+mv "$GHD/pubring.gpg" "$BACKUP/"
+"$GPG" --import-options import-local-sigs,keep-ownertrust,repair-pks-subkey-bug --import < "$BACKUP/pubring.gpg"
+"$GPG" --import-ownertrust < "$BACKUP/ownertrust.txt"
+"$GPG" --check-trustdb
+
+if ! [ -f "$GHD/pubring.kbx" ]; then
+ printf 'No keybox was created at %s/pubring.kbx.
Something went wrong!\n' "$GHD" >&2 + exit 1 +fi + +printf 'Migration completed successfully:\n%s\n' "$(ls -l "$GHD/pubring.kbx")" >&2 diff --git a/migrate-pubring-from-classic-gpg.1 b/migrate-pubring-from-classic-gpg.1 new file mode 100644 index 0000000..4d26b89 --- /dev/null +++ b/migrate-pubring-from-classic-gpg.1 @@ -0,0 +1,50 @@ +.TH "MIGRATE-PUBRING-FROM-CLASSIC-GPG" 1 "April 2016" + +.SH NAME +migrate\-pubring\-from\-classic\-gpg \- Migrate a public keyring from "classic" to "modern" GnuPG + +.SH SYNOPSIS +.B migrate\-pubring\-from\-classic\-gpg +.RB "[ " GPGHOMEDIR " | " +.IR \-\-default " ]" + +.SH DESCRIPTION + +.B migrate\-pubring\-from\-classic\-gpg +migrates the public keyring in GnuPG home directory GPGHOMEDIR from +the "classic" keyring format to the "modern" keybox format using GnuPG +versions 2.1 or 2.2. + +Specifying +.B \-\-default +selects the standard GnuPG home directory (looking at $GNUPGHOME +first, and falling back to ~/.gnupg if unset. + +.SH OPTIONS +.BR \-h ", " \-\-help ", " \-\-usage +Output a short usage information. + +.SH DIAGNOSTICS +The program sends quite a bit of text (perhaps too much) to stderr. + +During a migration, the tool backs up several pieces of data in a +timestamped subdirectory of the GPGHOMEDIR. + +.SH ENVIRONMENT VARIABLES + +.B GNUPGHOME +Selects the GnuPG home directory when set and --default is given. + +.B GPG +The name of the +.B gpg +executable (defaults to +.B gpg +). + +.SH SEE ALSO +.BR gpg (1) + +.SH AUTHOR +Copyright (C) 2016 Daniel Kahn Gillmor for the Debian project. Please +report bugs via the Debian BTS. diff --git a/org.gnupg.scdaemon.metainfo.xml b/org.gnupg.scdaemon.metainfo.xml new file mode 100644 index 0000000..bf79e4d --- /dev/null +++ b/org.gnupg.scdaemon.metainfo.xml @@ -0,0 +1,42 @@ + + + org.gnupg.scdaemon + GPL + scdaemon + USB SmartCard Readers + +
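Review bot: When a GPGHOMEDIR argument is given, the `*)` branch of the `case` only assigns `GHD="$1"`, but every later `"$GPG"` call (`--export-ownertrust`, `--import`, `--import-ownertrust`, `--check-trustdb`) runs without `--homedir`, so gpg still operates on `$GNUPGHOME` or `~/.gnupg`. The keyring moved out of the named directory would then be imported into a different home directory, and the final `pubring.kbx` check fails only after `pubring.gpg` has already been moved into the backup. Adding `export GNUPGHOME="$GHD"` right after the `case` block would make the gpg calls and the file checks refer to the same directory. The second `mv "$GHD/pubring.gpg" "$BACKUP/"` could also take `--` like the first one, since `GHD` may come from the command line.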

+ GnuPG's scdaemon provides access to USB tokens and smartcard + readers that provide cryptographic functionality (e.g. use of + protected secret keys). +

+
+ + usb:v046Ap0005d* + usb:v046Ap0010d* + usb:v046Ap003Ed* + usb:v04E6p5111d* + usb:v04E6p5115d* + usb:v04E6p5116d* + usb:v04E6p5117d* + usb:v04E6pE001d* + usb:v04E6pE003d* + usb:v076Bp3821d* + usb:v076Bp6622d* + usb:v08E6p3437d* + usb:v08E6p3438d* + usb:v08E6p3478d* + usb:v08E6p34C2d* + usb:v08E6p34ECd* + usb:v0C4Bp0500d* + usb:v0D46p2012d* + usb:v1A44p0920d* + usb:v20A0p4107d* + usb:v20A0p4108d* + usb:v20A0p4109d* + usb:v20A0p4211d* + usb:v234Bp0000d* + usb:v058Fp9540d* + usb:v0BF8p1006d* + +
diff --git a/package-dependencies.dot b/package-dependencies.dot new file mode 100644 index 0000000..8297f78 --- /dev/null +++ b/package-dependencies.dot @@ -0,0 +1,73 @@ +#!/usr/bin/dot + +# interrelationships between binary packages produced by gnupg2 source +# package: + +# it would be good to graph the external dependencies as well. + +digraph gnupg2 { + # odd-duck packages: + node [shape=box]; + gpgv_udeb [label="gpgv-udeb"]; + gpgv_static [label="gpgv-static"]; + gpgv_win32 [label="gpgv-win32"]; + + # meta-packages, transitional packages: + node [shape=diamond]; + gnupg_agent [label="gnupg-agent"]; + gnupg; + gnupg2; + gpgv2; + + + node [shape=ellipse]; + gpg_agent [label="gpg-agent"]; + gpg_wks_server [label="gpg-wks-server"]; + gpg_wks_client [label="gpg-wks-client"]; + gnupg_l10n [label="gnupg-l10n"]; + gnupg_utils [label="gnupg-utils"]; + + + # depends: + edge [color=black]; + gnupg_agent -> gpg_agent; + gpg_agent -> gpgconf; + gpg_wks_server -> gpg; + gpg_wks_server -> gpg_agent; + gpg_wks_client -> gpg; + gpg_wks_client -> gpg_agent; + gpg_wks_client -> dirmngr; + scdaemon -> gpg_agent; + gpgsm -> gpgconf; + gpg -> gpgconf; + gnupg -> dirmngr; + gnupg -> gnupg_l10n; + gnupg -> gnupg_utils; + gnupg -> gpg; + gnupg -> gpg_agent; + gnupg -> gpg_wks_client; + gnupg -> gpg_wks_server; + gnupg -> gpgsm; + gnupg -> gpgv; + gnupg2 -> gnupg; + gpgv2 -> gpgv; + dirmngr -> gpgconf; + + + # recommends: + edge [color=red]; + gpg_agent -> gnupg; + gpg_wks_server -> gnupg; + gpg_wks_client -> gnupg; + gpgsm -> gnupg; + gpg -> gnupg; + dirmngr -> gnupg; + gnupg_utils -> gpg; + gnupg_utils -> gpg_agent; + gnupg_utils -> gpgconf; + gnupg_utils -> gpgsm; + + # suggests: + edge [color=blue]; + gpgv -> gnupg; +} diff --git a/patches/block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch b/patches/block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch new file mode 100644 index 0000000..e75622c --- /dev/null 
+++ b/patches/block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch 
@@ -0,0 +1,88 @@
+From: Daniel Kahn Gillmor
+Date: Tue, 11 Aug 2015 20:28:26 -0400
+Subject: Avoid simple memory dumps via ptrace
+
+This avoids needing to setgid gpg-agent. It probably doesn't defend
+against all possible attacks, but it defends against one specific (and
+easy) one. If there are other protections we should do them too.
+
+This will make it slightly harder to debug the agent because the
+normal user won't be able to attach gdb to it directly while it runs.
+
+The remaining options for debugging are:
+
+ * launch the agent from gdb directly
+ * connect gdb to a running agent as the superuser
+
+Upstream bug: https://dev.gnupg.org/T1211
+---
+ agent/gpg-agent.c | 8 ++++++++
+ configure.ac | 1 +
+ scd/scdaemon.c | 9 +++++++++
+ 3 files changed, 18 insertions(+)
+
+diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
+index 1fdc94d..7d0d906 100644
+--- a/agent/gpg-agent.c
++++ b/agent/gpg-agent.c
+@@ -48,6 +48,9 @@
+ # include
+ #endif
+ #include
++#ifdef HAVE_PRCTL
++# include
++#endif
+
+ #define GNUPG_COMMON_NEED_AFLOCAL
+ #include "agent.h"
+@@ -1006,6 +1009,11 @@ main (int argc, char **argv )
+
+ early_system_init ();
+
++#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
++ /* Disable ptrace on Linux without sgid bit */
++ prctl(PR_SET_DUMPABLE, 0);
++#endif
++
+ /* Before we do anything else we save the list of currently open
+ file descriptors and the signal mask. This info is required to
+ do the exec call properly. We don't need it on Windows.
*/
+diff --git a/configure.ac b/configure.ac
+index f77317f..50e9355 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1379,6 +1379,7 @@ AC_CHECK_FUNCS([strerror strlwr tcgetattr mmap canonicalize_file_name])
+ AC_CHECK_FUNCS([strcasecmp strncasecmp ctermid times gmtime_r strtoull])
+ AC_CHECK_FUNCS([setenv unsetenv fcntl ftruncate inet_ntop])
+ AC_CHECK_FUNCS([canonicalize_file_name])
++AC_CHECK_FUNCS([prctl])
+ AC_CHECK_FUNCS([gettimeofday getrusage getrlimit setrlimit clock_gettime])
+ AC_CHECK_FUNCS([atexit raise getpagesize strftime nl_langinfo setlocale])
+ AC_CHECK_FUNCS([waitpid wait4 sigaction sigprocmask pipe getaddrinfo])
+diff --git a/scd/scdaemon.c b/scd/scdaemon.c
+index 8f8a026..e427b9e 100644
+--- a/scd/scdaemon.c
++++ b/scd/scdaemon.c
+@@ -36,6 +36,9 @@
+ #include
+ #include
+ #include
++#ifdef HAVE_PRCTL
++# include
++#endif
+
+ #define GNUPG_COMMON_NEED_AFLOCAL
+ #include "scdaemon.h"
+@@ -438,6 +441,12 @@ main (int argc, char **argv )
+ npth_t pipecon_handler;
+
+ early_system_init ();
++
++#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
++ /* Disable ptrace on Linux without sgid bit */
++ prctl(PR_SET_DUMPABLE, 0);
++#endif
++
+ set_strusage (my_strusage);
+ gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
+ /* Please note that we may running SUID(ROOT), so be very CAREFUL
diff --git a/patches/debian-packaging/avoid-beta-warning.patch b/patches/debian-packaging/avoid-beta-warning.patch
new file mode 100644
index 0000000..5cb22e5
--- /dev/null
+++ b/patches/debian-packaging/avoid-beta-warning.patch
@@ -0,0 +1,44 @@
+From: Debian GnuPG Maintainers
+Date: Tue, 14 Apr 2015 10:02:31 -0400
+Subject: avoid-beta-warning
+
+avoid self-describing as a beta
+
+Using autoreconf against the source as distributed in tarball form
+invariably results in a package that thinks it's a "beta" package,
+which produces the "THIS IS A DEVELOPMENT VERSION" warning string.
+
+since we use dh_autoreconf, i need this patch to avoid producing
+builds that announce themselves as DEVELOPMENT VERSIONs.
+
+See discussion at:
+
+ http://lists.gnupg.org/pipermail/gnupg-devel/2014-November/029065.html
+---
+ autogen.sh | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/autogen.sh b/autogen.sh
+index b238550..9b86d3f 100755
+--- a/autogen.sh
++++ b/autogen.sh
+@@ -229,7 +229,7 @@ if [ "$myhost" = "find-version" ]; then
+ esac
+
+ beta=no
+- if [ -e .git ]; then
++ if false; then
+ ingit=yes
+ tmp=$(git describe --match "${matchstr1}" --long 2>/dev/null)
+ tmp=$(echo "$tmp" | sed s/^"$package"//)
+@@ -245,8 +245,8 @@ if [ "$myhost" = "find-version" ]; then
+ rvd=$((0x$(echo ${rev} | dd bs=1 count=4 2>/dev/null)))
+ else
+ ingit=no
+- beta=yes
+- tmp="-unknown"
++ beta=no
++ tmp=""
+ rev="0000000"
+ rvd="0"
+ fi
diff --git a/patches/debian-packaging/avoid-regenerating-defsincdate-use-shipped-file.patch b/patches/debian-packaging/avoid-regenerating-defsincdate-use-shipped-file.patch
new file mode 100644
index 0000000..3ca24f8
--- /dev/null
+++ b/patches/debian-packaging/avoid-regenerating-defsincdate-use-shipped-file.patch
@@ -0,0 +1,37 @@
+From: Daniel Kahn Gillmor
+Date: Mon, 29 Aug 2016 12:34:42 -0400
+Subject: avoid regenerating defsincdate (use shipped file)
+
+upstream ships doc/defsincdate in its tarballs. but doc/Makefile.am
+tries to rewrite doc/defsincdate if it notices that any of the files
+have been modified more recently, and it does so assuming that we're
+running from a git repo.
+
+However, we'd rather ship the documents cleanly without regenerating
+defsincdate -- we don't have a git repo available (debian builds from
+upstream tarballs) and any changes to the texinfo files (e.g. from
+debian/patches/) might result in different dates on the files than we
+expect after they're applied by dpkg or quilt or whatever, which makes
+the datestamp unreproducible.
+---
+ doc/Makefile.am | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/doc/Makefile.am b/doc/Makefile.am
+index d47d83e..c0a81b0 100644
+--- a/doc/Makefile.am
++++ b/doc/Makefile.am
+@@ -177,13 +177,6 @@ $(myman_pages) gnupg.7 : yat2m-stamp defs.inc
+
+ dist-hook: defsincdate
+
+-defsincdate: $(gnupg_TEXINFOS)
+- : >defsincdate ; \
+- if test -e $(top_srcdir)/.git; then \
+- (cd $(srcdir) && git log -1 --format='%ct' \
+- -- $(gnupg_TEXINFOS) 2>/dev/null) >>defsincdate; \
+- fi
+-
+ defs.inc : defsincdate Makefile mkdefsinc
+ incd="`test -f defsincdate || echo '$(srcdir)/'`defsincdate"; \
+ ./mkdefsinc -C $(srcdir) --date "`cat $$incd 2>/dev/null`" \
diff --git a/patches/dirmngr-idling/dirmngr-Avoid-automatically-checking-upstream-swdb.patch b/patches/dirmngr-idling/dirmngr-Avoid-automatically-checking-upstream-swdb.patch
new file mode 100644
index 0000000..6fc9ac6
--- /dev/null
+++ b/patches/dirmngr-idling/dirmngr-Avoid-automatically-checking-upstream-swdb.patch
@@ -0,0 +1,47 @@ +From: Daniel Kahn Gillmor +Date: Sun, 20 Nov 2016 23:09:24 -0500 +Subject: dirmngr: Avoid automatically checking upstream swdb. + +* dirmngr/dirmngr.c (housekeeping_thread): Avoid automatically +checking upstream's software database. In Debian, software updates +should be handled by the distro mechanism, and additional upstream +checks only confuse the user. +* doc/dirmngr.texi: document that --allow-version-check does nothing. + +Signed-off-by: Daniel Kahn Gillmor +--- + dirmngr/dirmngr.c | 2 -- + doc/dirmngr.texi | 7 ++++--- + 2 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c +index 52bea68..928a349 100644 +--- a/dirmngr/dirmngr.c ++++ b/dirmngr/dirmngr.c +@@ -1945,8 +1945,6 @@ housekeeping_thread (void *arg) + if (network_activity_seen) + { + network_activity_seen = 0; +- if (opt.allow_version_check) +- dirmngr_load_swdb (&ctrlbuf, 0); + workqueue_run_global_tasks (&ctrlbuf, 1); + } + else +diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi +index 76be528..742658e 100644 +--- a/doc/dirmngr.texi ++++ b/doc/dirmngr.texi +@@ -290,9 +290,10 @@ Set the size of the queue for pending connections. The default is 64. + @item --allow-version-check + @opindex allow-version-check + Allow Dirmngr to connect to @code{https://versions.gnupg.org} to get +-the list of current software versions. If this option is enabled +-the list is retrieved in case the local +-copy does not exist or is older than 5 to 7 days. See the option ++the list of current software versions. ++On debian-packaged versions, this option does nothing since software ++updates should be handled by the distribution. ++See the option + @option{--query-swdb} of the command @command{gpgconf} for more + details. Note, that regardless of this option a version check can + always be triggered using this command: 
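Review bot: After this change `opt.allow_version_check` is no longer read in `housekeeping_thread`, yet the option is apparently still accepted, and nothing at the removal site records that this is deliberate. A user who has it set gets no run-time indication that it is inert; only doc/dirmngr.texi says so, right after a sentence that still begins "Allow Dirmngr to connect to ...". I would leave a comment where the call was removed, e.g. `/* Debian: opt.allow_version_check is ignored here; the swdb is only fetched on explicit request. */`. `housekeeping_thread` starts and ends outside the hunk.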
diff --git a/patches/dirmngr-idling/dirmngr-Avoid-need-for-hkp-housekeeping.patch b/patches/dirmngr-idling/dirmngr-Avoid-need-for-hkp-housekeeping.patch new file mode 100644 index 0000000..bc358f5 --- /dev/null +++ b/patches/dirmngr-idling/dirmngr-Avoid-need-for-hkp-housekeeping.patch 
@@ -0,0 +1,226 @@ +From: Daniel Kahn Gillmor +Date: Sat, 29 Oct 2016 02:00:50 -0400 +Subject: dirmngr: Avoid need for hkp housekeeping. + +* dirmngr/ks-engine-hkp.c (host_is_alive): New function. Test whether +host is alive and resurrects it if it has been dead long enough. +(select_random_host, map_host, ks_hkp_mark_host): Use host_is_alive +instead of testing hostinfo_t->dead directly. +(ks_hkp_housekeeping): Remove function, no longer needed. +* dirmngr/dirmngr.c (housekeeping_thread): Remove call to +ks_hkp_housekeeping. + +-- + +Rather than resurrecting hosts upon scheduled resurrection times, test +whether hosts should be resurrected as they're inspected for being +dead. This removes the need for explicit housekeeping, and makes host +resurrections happen "just in time", rather than being clustered on +HOUSEKEEPING_INTERVAL seconds. + +Signed-off-by: Daniel Kahn Gillmor +--- + dirmngr/dirmngr.c | 3 --- + dirmngr/dirmngr.h | 1 - + dirmngr/ks-engine-hkp.c | 72 ++++++++++++++++++++++++------------------------- + 3 files changed, 35 insertions(+), 41 deletions(-) + +diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c +index 31f8e0f..52bea68 100644 +--- a/dirmngr/dirmngr.c ++++ b/dirmngr/dirmngr.c +@@ -1926,12 +1926,10 @@ static void * + housekeeping_thread (void *arg) + { + static int sentinel; +- time_t curtime; + struct server_control_s ctrlbuf; + + (void)arg; + +- curtime = gnupg_get_time (); + if (sentinel) + { + log_info ("housekeeping is already going on\n"); +@@ -1944,7 +1942,6 @@ housekeeping_thread (void *arg) + memset (&ctrlbuf, 0, sizeof ctrlbuf); + dirmngr_init_default_ctrl (&ctrlbuf); + +- ks_hkp_housekeeping (curtime); + if (network_activity_seen) + { + network_activity_seen = 0; +diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h +index 5189f93..c27f837 100644 +--- a/dirmngr/dirmngr.h ++++ b/dirmngr/dirmngr.h +@@ -215,7 +215,6 @@ const char* dirmngr_get_current_socket_name (void); + int dirmngr_use_tor (void); + + /*-- Various housekeeping 
functions. --*/ +-void ks_hkp_housekeeping (time_t curtime); + void ks_hkp_reload (void); + + +diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c +index 546ea36..0454852 100644 +--- a/dirmngr/ks-engine-hkp.c ++++ b/dirmngr/ks-engine-hkp.c +@@ -214,6 +214,24 @@ host_in_pool_p (hostinfo_t hi, int tblidx) + return 0; + } + ++static int ++host_is_alive (hostinfo_t hi, time_t curtime) ++{ ++ if (!hi) ++ return 0; ++ if (!hi->dead) ++ return 1; ++ if (!hi->died_at) ++ return 0; /* manually marked dead */ ++ if (hi->died_at + RESURRECT_INTERVAL <= curtime ++ || hi->died_at > curtime) ++ { ++ hi->dead = 0; ++ log_info ("resurrected host '%s'", hi->name); ++ return 1; ++ } ++ return 0; ++} + + /* Select a random host. Consult HI->pool which indices into the global + hosttable. Returns index into HI->pool or -1 if no host could be +@@ -224,13 +242,15 @@ select_random_host (hostinfo_t hi) + int *tbl = NULL; + size_t tblsize = 0; + int pidx, idx; ++ time_t curtime; + ++ curtime = gnupg_get_time (); + /* We create a new table so that we randomly select only from + currently alive hosts. 
*/ + for (idx = 0; + idx < hi->pool_len && (pidx = hi->pool[idx]) != -1; + idx++) +- if (hosttable[pidx] && !hosttable[pidx]->dead) ++ if (hosttable[pidx] && host_is_alive (hosttable[pidx], curtime)) + { + tblsize++; + tbl = xtryrealloc(tbl, tblsize * sizeof *tbl); +@@ -458,6 +478,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect, + int is_pool; + int new_hosts = 0; + char *cname; ++ time_t curtime; + + *r_host = NULL; + if (r_httpflags) +@@ -484,6 +505,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect, + } + else + hi = hosttable[idx]; ++ curtime = gnupg_get_time (); + + is_pool = hi->pool != NULL; + +@@ -590,7 +612,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect, + if (force_reselect) + hi->poolidx = -1; + else if (hi->poolidx >= 0 && hi->poolidx < hosttable_size +- && hosttable[hi->poolidx] && hosttable[hi->poolidx]->dead) ++ && hosttable[hi->poolidx] && !host_is_alive (hosttable[hi->poolidx], curtime)) + hi->poolidx = -1; + + /* Select a host if needed. 
*/ +@@ -642,7 +664,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect, + free_dns_addrinfo (aibuf); + } + +- if (hi->dead) ++ if (!host_is_alive (hi, curtime)) + { + log_error ("host '%s' marked as dead\n", hi->name); + if (r_httphost) +@@ -747,7 +769,8 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive) + { + gpg_error_t err = 0; + hostinfo_t hi, hi2; +- int idx, idx2, idx3, n; ++ int idx, idx2, idx3, n, is_alive; ++ time_t curtime; + + if (!name || !*name || !strcmp (name, "localhost")) + return 0; +@@ -756,13 +779,15 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive) + if (idx == -1) + return gpg_error (GPG_ERR_NOT_FOUND); + ++ curtime = gnupg_get_time (); + hi = hosttable[idx]; +- if (alive && hi->dead) ++ is_alive = host_is_alive (hi, curtime); ++ if (alive && !is_alive) + { + hi->dead = 0; + err = ks_printf_help (ctrl, "marking '%s' as alive", name); + } +- else if (!alive && !hi->dead) ++ else if (!alive && is_alive) + { + hi->dead = 1; + hi->died_at = 0; /* Manually set dead. */ +@@ -796,14 +821,15 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive) + + hi2 = hosttable[n]; + if (!hi2) +- ; +- else if (alive && hi2->dead) ++ continue; ++ is_alive = host_is_alive (hi2, curtime); ++ if (alive && !is_alive) + { + hi2->dead = 0; + err = ks_printf_help (ctrl, "marking '%s' as alive", + hi2->name); + } +- else if (!alive && !hi2->dead) ++ else if (!alive && is_alive) + { + hi2->dead = 1; + hi2->died_at = 0; /* Manually set dead. */ +@@ -1089,34 +1115,6 @@ ks_hkp_resolve (ctrl_t ctrl, parsed_uri_t uri) + } + + +-/* Housekeeping function called from the housekeeping thread. It is +- used to mark dead hosts alive so that they may be tried again after +- some time. 
*/ +-void +-ks_hkp_housekeeping (time_t curtime) +-{ +- int idx; +- hostinfo_t hi; +- +- for (idx=0; idx < hosttable_size; idx++) +- { +- hi = hosttable[idx]; +- if (!hi) +- continue; +- if (!hi->dead) +- continue; +- if (!hi->died_at) +- continue; /* Do not resurrect manually shot hosts. */ +- if (hi->died_at + RESURRECT_INTERVAL <= curtime +- || hi->died_at > curtime) +- { +- hi->dead = 0; +- log_info ("resurrected host '%s'", hi->name); +- } +- } +-} +- +- + /* Reload (SIGHUP) action for this module. We mark all host alive + * even those which have been manually shot. */ + void diff --git a/patches/dirmngr-idling/dirmngr-hkp-Avoid-potential-race-condition-when-some.patch b/patches/dirmngr-idling/dirmngr-hkp-Avoid-potential-race-condition-when-some.patch new file mode 100644 index 0000000..78c9307 --- /dev/null +++ b/patches/dirmngr-idling/dirmngr-hkp-Avoid-potential-race-condition-when-some.patch 
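Review bot: `host_is_alive` reads like a predicate but clears `hi->dead` and logs as a side effect, and it is added without the header comment its neighbours have. The side effect shows in `ks_hkp_mark_host`: a request to mark a host dead whose automatic timeout has already expired now first logs "resurrected host" and is then set dead again with `died_at = 0`. I would state the contract above the function, e.g. `/* Return true if HI is usable at CURTIME. Side effect: a host that died at least RESURRECT_INTERVAL seconds ago, or whose died_at lies in the future, is marked alive again. */`. The `hosttable[pidx] &&` test kept in `select_random_host` is now redundant with the `!hi` check inside the helper. `map_host` and `ks_hkp_mark_host` start and end outside the hunks shown.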
@@ -0,0 +1,81 @@ +From: Daniel Kahn Gillmor +Date: Sat, 29 Oct 2016 01:25:05 -0400 +Subject: dirmngr: hkp: Avoid potential race condition when some hosts die. + +* dirmngr/ks-engine-hkp.c (select_random_host): Use atomic pass +through the host table instead of risking out-of-bounds write. + +-- + +Multiple threads may write to hosttable[x]->dead while +select_random_host() is running. For example, a housekeeping thread +might clear the ->dead bit on some entries, or another connection to +dirmngr might manually mark a host as alive. + +If one or more hosts are resurrected between the two loops over a +given table in select_random_host(), then the allocation of tbl might +not be large enough, resulting in a write past the end of tbl on the +second loop. + +This change collapses the two loops into a single loop to avoid this +discrepancy: each host's "dead" bit is now only checked once. + +As Werner points out, this isn't currently strictly necessary, since +npth will not switch threads unless a blocking system call is made, +and no blocking system call is made in these two loops. + +However, in a subsequent change in this series, we will call a +function in this loop, and that function may sometimes write(2), or +call other functions, which may themselves block. Keeping this as a +single-pass loop avoids the need to keep track of what might block and +what might not. 
+ +Signed-off-by: Daniel Kahn Gillmor +--- + dirmngr/ks-engine-hkp.c | 23 ++++++++++------------- + 1 file changed, 10 insertions(+), 13 deletions(-) + +diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c +index 32840e6..546ea36 100644 +--- a/dirmngr/ks-engine-hkp.c ++++ b/dirmngr/ks-engine-hkp.c +@@ -221,29 +221,26 @@ host_in_pool_p (hostinfo_t hi, int tblidx) + static int + select_random_host (hostinfo_t hi) + { +- int *tbl; +- size_t tblsize; ++ int *tbl = NULL; ++ size_t tblsize = 0; + int pidx, idx; + + /* We create a new table so that we randomly select only from + currently alive hosts. */ +- for (idx = 0, tblsize = 0; ++ for (idx = 0; + idx < hi->pool_len && (pidx = hi->pool[idx]) != -1; + idx++) + if (hosttable[pidx] && !hosttable[pidx]->dead) +- tblsize++; ++ { ++ tblsize++; ++ tbl = xtryrealloc(tbl, tblsize * sizeof *tbl); ++ if (!tbl) ++ return -1; /* memory allocation failed! */ ++ tbl[tblsize-1] = pidx; ++ } + if (!tblsize) + return -1; /* No hosts. */ + +- tbl = xtrymalloc (tblsize * sizeof *tbl); +- if (!tbl) +- return -1; +- for (idx = 0, tblsize = 0; +- idx < hi->pool_len && (pidx = hi->pool[idx]) != -1; +- idx++) +- if (hosttable[pidx] && !hosttable[pidx]->dead) +- tbl[tblsize++] = pidx; +- + if (tblsize == 1) /* Save a get_uint_nonce. */ + pidx = tbl[0]; + else diff --git a/patches/from-master/agent-Fix-cancellation-handling-for-scdaemon.patch b/patches/from-master/agent-Fix-cancellation-handling-for-scdaemon.patch new file mode 100644 index 0000000..ac1abb2 --- /dev/null +++ b/patches/from-master/agent-Fix-cancellation-handling-for-scdaemon.patch 
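Review bot: Assigning the result of `xtryrealloc` straight back to `tbl` loses the old buffer when the call fails (assuming it follows realloc semantics), so the `return -1` on that path leaks every entry collected so far. Keep the result in a temporary: `newtbl = xtryrealloc (tbl, tblsize * sizeof *tbl);`, then `if (!newtbl) { xfree (tbl); return -1; }` and `tbl = newtbl;`. Since `hi->pool_len` bounds the number of entries, a single allocation of that size before the loop would give the same one-pass behaviour without a realloc per host. The rest of `select_random_host` is outside the hunk.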
@@ -0,0 +1,140 @@ +From: NIIBE Yutaka +Date: Wed, 20 Sep 2017 10:42:28 +0900 +Subject: agent: Fix cancellation handling for scdaemon. + +* agent/call-scd.c (cancel_inquire): Remove. +(agent_card_pksign, agent_card_pkdecrypt, agent_card_writekey) +(agent_card_scd): Don't call cancel_inquire. + +-- + +Since libassuan 2.1.0, cancellation command "CAN" is handled within +the library, by assuan_transact. So, cancel_inquire just caused +spurious "CAN" command to scdaemon which resulted an error. + +Signed-off-by: NIIBE Yutaka +(cherry picked from commit 9f5e50e7c85aa8b847d38010241ed570ac114fc3) +--- + agent/call-scd.c | 41 ----------------------------------------- + 1 file changed, 41 deletions(-) + +diff --git a/agent/call-scd.c b/agent/call-scd.c +index bf7732b..e852c0d 100644 +--- a/agent/call-scd.c ++++ b/agent/call-scd.c +@@ -89,7 +89,6 @@ struct inq_needpin_parm_s + const char *getpin_cb_desc; + assuan_context_t passthru; /* If not NULL, pass unknown inquiries + up to the caller. */ +- int any_inq_seen; + + /* The next fields are used by inq_writekey_parm. */ + const unsigned char *keydata; +@@ -729,7 +728,6 @@ inq_needpin (void *opaque, const char *line) + size_t pinlen; + int rc; + +- parm->any_inq_seen = 1; + if ((s = has_leading_keyword (line, "NEEDPIN"))) + { + line = s; +@@ -813,30 +811,6 @@ hash_algo_option (int algo) + } + + +-static gpg_error_t +-cancel_inquire (ctrl_t ctrl, gpg_error_t rc) +-{ +- gpg_error_t oldrc = rc; +- +- /* The inquire callback was called and transact returned a +- cancel error. We assume that the inquired process sent a +- CANCEL. The passthrough code is not able to pass on the +- CANCEL and thus scdaemon would stuck on this. As a +- workaround we send a CANCEL now. 
*/ +- rc = assuan_write_line (ctrl->scd_local->ctx, "CAN"); +- if (!rc) { +- char *line; +- size_t len; +- +- rc = assuan_read_line (ctrl->scd_local->ctx, &line, &len); +- if (!rc) +- rc = oldrc; +- } +- +- return rc; +-} +- +- + /* Create a signature using the current card. MDALGO is either 0 or + * gives the digest algorithm. DESC_TEXT is an additional parameter + * passed to GETPIN_CB. */ +@@ -877,7 +851,6 @@ agent_card_pksign (ctrl_t ctrl, + inqparm.getpin_cb_arg = getpin_cb_arg; + inqparm.getpin_cb_desc = desc_text; + inqparm.passthru = 0; +- inqparm.any_inq_seen = 0; + inqparm.keydata = NULL; + inqparm.keydatalen = 0; + +@@ -890,9 +863,6 @@ agent_card_pksign (ctrl_t ctrl, + put_membuf_cb, &data, + inq_needpin, &inqparm, + NULL, NULL); +- if (inqparm.any_inq_seen && (gpg_err_code(rc) == GPG_ERR_CANCELED || +- gpg_err_code(rc) == GPG_ERR_ASS_CANCELED)) +- rc = cancel_inquire (ctrl, rc); + + if (rc) + { +@@ -976,7 +946,6 @@ agent_card_pkdecrypt (ctrl_t ctrl, + inqparm.getpin_cb_arg = getpin_cb_arg; + inqparm.getpin_cb_desc = desc_text; + inqparm.passthru = 0; +- inqparm.any_inq_seen = 0; + inqparm.keydata = NULL; + inqparm.keydatalen = 0; + snprintf (line, DIM(line), "PKDECRYPT %s", keyid); +@@ -984,9 +953,6 @@ agent_card_pkdecrypt (ctrl_t ctrl, + put_membuf_cb, &data, + inq_needpin, &inqparm, + padding_info_cb, r_padding); +- if (inqparm.any_inq_seen && (gpg_err_code(rc) == GPG_ERR_CANCELED || +- gpg_err_code(rc) == GPG_ERR_ASS_CANCELED)) +- rc = cancel_inquire (ctrl, rc); + + if (rc) + { +@@ -1113,15 +1079,11 @@ agent_card_writekey (ctrl_t ctrl, int force, const char *serialno, + parms.getpin_cb_arg = getpin_cb_arg; + parms.getpin_cb_desc= NULL; + parms.passthru = 0; +- parms.any_inq_seen = 0; + parms.keydata = keydata; + parms.keydatalen = keydatalen; + + rc = assuan_transact (ctrl->scd_local->ctx, line, NULL, NULL, + inq_writekey_parms, &parms, NULL, NULL); +- if (parms.any_inq_seen && (gpg_err_code(rc) == GPG_ERR_CANCELED || +- gpg_err_code(rc) == 
GPG_ERR_ASS_CANCELED)) +- rc = cancel_inquire (ctrl, rc); + return unlock_scd (ctrl, rc); + } + +@@ -1346,7 +1308,6 @@ agent_card_scd (ctrl_t ctrl, const char *cmdline, + inqparm.getpin_cb_arg = getpin_cb_arg; + inqparm.getpin_cb_desc = NULL; + inqparm.passthru = assuan_context; +- inqparm.any_inq_seen = 0; + inqparm.keydata = NULL; + inqparm.keydatalen = 0; + +@@ -1356,8 +1317,6 @@ agent_card_scd (ctrl_t ctrl, const char *cmdline, + pass_data_thru, assuan_context, + inq_needpin, &inqparm, + pass_status_thru, assuan_context); +- if (inqparm.any_inq_seen && gpg_err_code(rc) == GPG_ERR_ASS_CANCELED) +- rc = cancel_inquire (ctrl, rc); + + assuan_set_flag (ctrl->scd_local->ctx, ASSUAN_CONVEY_COMMENTS, saveflag); + if (rc) diff --git a/patches/from-master/agent-compile-time-configuration-of-s2k-calibration.patch b/patches/from-master/agent-compile-time-configuration-of-s2k-calibration.patch new file mode 100644 index 0000000..482d232 --- /dev/null +++ b/patches/from-master/agent-compile-time-configuration-of-s2k-calibration.patch 
@@ -0,0 +1,72 @@ +From: Daniel Kahn Gillmor +Date: Fri, 8 Sep 2017 17:08:57 -0400 +Subject: agent: compile-time configuration of s2k calibration. + +* configure.ac: add --with-agent-s2k-calibration=MSEC, introduces +AGENT_S2K_CALIBRATION (measured in milliseconds) +* agent/protect.c (calibrate_s2k_count): Calibrate based on +AGENT_S2K_CALIBRATION. + +Signed-off-by: Daniel Kahn Gillmor +GnuPG-bug-id: 3399 +(cherry picked from commit 926d07c5fa05de05caef3a72b6fe156606ac0549) +--- + agent/protect.c | 6 +++--- + configure.ac | 10 +++++++++- + 2 files changed, 12 insertions(+), 4 deletions(-) + +diff --git a/agent/protect.c b/agent/protect.c +index 7b5abf2..16ae715 100644 +--- a/agent/protect.c ++++ b/agent/protect.c +@@ -163,7 +163,7 @@ calibrate_s2k_count_one (unsigned long count) + + + /* Measure the time we need to do the hash operations and deduce an +- S2K count which requires about 100ms of time. */ ++ S2K count which requires roughly some targeted amount of time. */ + static unsigned long + calibrate_s2k_count (void) + { +@@ -175,11 +175,11 @@ calibrate_s2k_count (void) + ms = calibrate_s2k_count_one (count); + if (opt.verbose > 1) + log_info ("S2K calibration: %lu -> %lums\n", count, ms); +- if (ms > 100) ++ if (ms > AGENT_S2K_CALIBRATION) + break; + } + +- count = (unsigned long)(((double)count / ms) * 100); ++ count = (unsigned long)(((double)count / ms) * AGENT_S2K_CALIBRATION); + count /= 1024; + count *= 1024; + if (count < 65536) +diff --git a/configure.ac b/configure.ac +index 50e9355..0b6425d 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -116,7 +116,6 @@ use_tls_library=no + large_secmem=no + show_tor_support=no + +- + GNUPG_BUILD_PROGRAM(gpg, yes) + GNUPG_BUILD_PROGRAM(gpgsm, yes) + # The agent is a required part and can't be disabled anymore. 
+@@ -244,6 +243,15 @@ fi + AC_DEFINE_UNQUOTED(SECMEM_BUFFER_SIZE,$SECMEM_BUFFER_SIZE, + [Size of secure memory buffer]) + ++AC_MSG_CHECKING([calibrated passphrase-stretching (s2k) duration]) ++AC_ARG_WITH(agent-s2k-calibration, ++ AC_HELP_STRING([--with-agent-s2k-calibration=MSEC], ++ [calibrate passphrase stretching (s2k) to MSEC milliseconds]), ++ agent_s2k_calibration=$withval, agent_s2k_calibration=100) ++AC_MSG_RESULT($agent_s2k_calibration milliseconds) ++AC_DEFINE_UNQUOTED(AGENT_S2K_CALIBRATION, $agent_s2k_calibration, ++ [Agent s2k calibration time (ms)]) ++ + AC_MSG_CHECKING([whether to enable trust models]) + AC_ARG_ENABLE(trust-models, + AC_HELP_STRING([--disable-trust-models], diff --git a/patches/from-master/assuan-Reorganize-waiting-for-socket.patch b/patches/from-master/assuan-Reorganize-waiting-for-socket.patch new file mode 100644 index 0000000..f7e8deb --- /dev/null +++ b/patches/from-master/assuan-Reorganize-waiting-for-socket.patch 
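Review bot: `AGENT_S2K_CALIBRATION` is taken verbatim from `$withval` and used as both the loop threshold and the multiplier in `calibrate_s2k_count`, with no check that it is a positive number. `--with-agent-s2k-calibration` without a value yields `yes`, `--without-agent-s2k-calibration` yields `no`, and `0` or a very small value ends the loop at the first non-zero measurement, leaving only whatever the `if (count < 65536)` branch that follows enforces, which would weaken passphrase stretching. A guard next to the use in agent/protect.c turns all of these into a build failure: `#if AGENT_S2K_CALIBRATION <= 0`, `# error AGENT_S2K_CALIBRATION must be a positive number of milliseconds`, `#endif`. configure.ac could additionally reject the value early with `AC_MSG_ERROR`. `calibrate_s2k_count` continues outside the hunk.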
@@ -0,0 +1,117 @@ +From: Daniel Kahn Gillmor +Date: Wed, 8 Nov 2017 16:15:30 +0100 +Subject: assuan: Reorganize waiting for socket. + +* common/asshelp.c (wait_for_sock): New function, collecting +codepaths from... +(start_new_gpg_agent) here and... +(start_new_dirmngr) here. +-- + +This has no functional change, but makes it easier to make this +function more efficient. + +GnuPG-bug-id: 3490 +Signed-off-by: Daniel Kahn Gillmor +(cherry picked from commit 0471ff9d3bf8d6b9a359f3c426d70d0935066907) +--- + common/asshelp.c | 72 +++++++++++++++++++++++--------------------------------- + 1 file changed, 30 insertions(+), 42 deletions(-) + +diff --git a/common/asshelp.c b/common/asshelp.c +index f3a92f9..68a41be 100644 +--- a/common/asshelp.c ++++ b/common/asshelp.c +@@ -307,6 +307,32 @@ unlock_spawning (lock_spawn_t *lock, const char *name) + } + } + ++static gpg_error_t ++wait_for_sock (int secs, const char *name, const char *sockname, int verbose, assuan_context_t ctx, int *did_success_msg) ++{ ++ int i; ++ gpg_error_t err = 0; ++ for (i=0; i < secs; i++) ++ { ++ if (verbose) ++ log_info (_("waiting for the %s to come up ... (%ds)\n"), ++ name, secs - i); ++ gnupg_sleep (1); ++ err = assuan_socket_connect (ctx, sockname, 0, 0); ++ if (!err) ++ { ++ if (verbose) ++ { ++ log_info (_("connection to %s established\n"), ++ name); ++ *did_success_msg = 1; ++ } ++ break; ++ } ++ } ++ return err; ++} ++ + /* Try to connect to the agent via socket or start it if it is not + running and AUTOSTART is set. Handle the server's initial + greeting. Returns a new assuan context at R_CTX or an error +@@ -433,25 +459,8 @@ start_new_gpg_agent (assuan_context_t *r_ctx, + log_error ("failed to start agent '%s': %s\n", + agent_program, gpg_strerror (err)); + else +- { +- for (i=0; i < SECS_TO_WAIT_FOR_AGENT; i++) +- { +- if (verbose) +- log_info (_("waiting for the agent to come up ... 
(%ds)\n"), +- SECS_TO_WAIT_FOR_AGENT - i); +- gnupg_sleep (1); +- err = assuan_socket_connect (ctx, sockname, 0, 0); +- if (!err) +- { +- if (verbose) +- { +- log_info (_("connection to agent established\n")); +- did_success_msg = 1; +- } +- break; +- } +- } +- } ++ err = wait_for_sock (SECS_TO_WAIT_FOR_AGENT, "agent", ++ sockname, verbose, ctx, &did_success_msg); + } + + unlock_spawning (&lock, "agent"); +@@ -584,29 +593,8 @@ start_new_dirmngr (assuan_context_t *r_ctx, + log_error ("failed to start the dirmngr '%s': %s\n", + dirmngr_program, gpg_strerror (err)); + else +- { +- int i; +- +- for (i=0; i < SECS_TO_WAIT_FOR_DIRMNGR; i++) +- { +- if (verbose) +- log_info (_("waiting for the dirmngr " +- "to come up ... (%ds)\n"), +- SECS_TO_WAIT_FOR_DIRMNGR - i); +- gnupg_sleep (1); +- err = assuan_socket_connect (ctx, sockname, 0, 0); +- if (!err) +- { +- if (verbose) +- { +- log_info (_("connection to the dirmngr" +- " established\n")); +- did_success_msg = 1; +- } +- break; +- } +- } +- } ++ err = wait_for_sock (SECS_TO_WAIT_FOR_DIRMNGR, "dirmngr", ++ sockname, verbose, ctx, &did_success_msg); + } + + unlock_spawning (&lock, "dirmngr"); diff --git a/patches/from-master/assuan-Use-exponential-decay-for-first-1s-of-spinlock.patch b/patches/from-master/assuan-Use-exponential-decay-for-first-1s-of-spinlock.patch new file mode 100644 index 0000000..c12a489 --- /dev/null +++ b/patches/from-master/assuan-Use-exponential-decay-for-first-1s-of-spinlock.patch 
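Review bot: `wait_for_sock` returns 0 without ever calling `assuan_socket_connect` when `secs` is zero or negative, because `err` starts at 0 and the loop body is skipped; the `while (elapsed_us < target_us)` rewrite in the following patch keeps that behaviour. Both callers pass compile-time constants, so this is presumably unreachable today, but a helper that reports success for a connection it never made is easy to misuse later. Starting from a failure value, e.g. `gpg_error_t err = gpg_error (GPG_ERR_TIMEOUT);`, makes the empty case fail closed. The function also has no header comment, and passing `"agent"` / `"dirmngr"` through `%s` replaces two fully translatable messages with one whose inserted name is not marked for translation.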
@@ -0,0 +1,71 @@ +From: Daniel Kahn Gillmor +Date: Wed, 8 Nov 2017 16:26:40 +0100 +Subject: assuan: Use exponential decay for first 1s of spinlock. + +* common/asshelp.c (wait_for_sock): instead of checking the socket +every second, we check 10 times in the first second (with exponential +decay). +-- + +This cuts the wall clock time for the standard test suite roughly by +half. + +GnuPG-bug-id: 3490 +Signed-off-by: Daniel Kahn Gillmor +(cherry picked from commit 149041b0b917f4298239fe18b5ebd5ead71584a6) +--- + common/asshelp.c | 31 ++++++++++++++++++++++++++----- + 1 file changed, 26 insertions(+), 5 deletions(-) + +diff --git a/common/asshelp.c b/common/asshelp.c +index 68a41be..76f812d 100644 +--- a/common/asshelp.c ++++ b/common/asshelp.c +@@ -310,14 +310,32 @@ unlock_spawning (lock_spawn_t *lock, const char *name) + static gpg_error_t + wait_for_sock (int secs, const char *name, const char *sockname, int verbose, assuan_context_t ctx, int *did_success_msg) + { +- int i; + gpg_error_t err = 0; +- for (i=0; i < secs; i++) ++ int target_us = secs * 1000000; ++ int elapsed_us = 0; ++ /* ++ * 977us * 1024 = just a little more than 1s. ++ * so we will double this timeout 10 times in the first ++ * second, and then switch over to 1s checkins. ++ */ ++ int next_sleep_us = 977; ++ int lastalert = secs+1; ++ int secsleft; ++ ++ while (elapsed_us < target_us) + { + if (verbose) +- log_info (_("waiting for the %s to come up ... (%ds)\n"), +- name, secs - i); +- gnupg_sleep (1); ++ { ++ secsleft = (target_us - elapsed_us)/1000000; ++ if (secsleft < lastalert) ++ { ++ log_info (_("waiting for the %s to come up ... 
(%ds)\n"), ++ name, secsleft); ++ lastalert = secsleft; ++ } ++ } ++ gnupg_usleep (next_sleep_us); ++ elapsed_us += next_sleep_us; + err = assuan_socket_connect (ctx, sockname, 0, 0); + if (!err) + { +@@ -329,6 +347,9 @@ wait_for_sock (int secs, const char *name, const char *sockname, int verbose, as + } + break; + } ++ next_sleep_us *= 2; ++ if (next_sleep_us > 1000000) ++ next_sleep_us = 1000000; + } + return err; + } diff --git a/patches/from-master/common-Fix-gnupg_wait_processes.patch b/patches/from-master/common-Fix-gnupg_wait_processes.patch new file mode 100644 index 0000000..b1b9ed4 --- /dev/null +++ b/patches/from-master/common-Fix-gnupg_wait_processes.patch 
@@ -0,0 +1,82 @@ +From: NIIBE Yutaka +Date: Tue, 19 Sep 2017 12:28:43 +0900 +Subject: common: Fix gnupg_wait_processes. + +* common/exechelp-posix.c (gnupg_wait_processes): Loop for r_exitcodes +even if we already see an error. + +-- + +The value stored by waitpid for exit code is encoded; It requires +decoded by WEXITSTATUS macro, regardless of an error. + +For example, when one of processes is already exited and another is +still running, it resulted wrong value of in r_exitcodes[n]. + +Signed-off-by: NIIBE Yutaka +(cherry picked from commit eeb3da6eb717ed6a1a1069a7611eb37503e8672d) +--- + common/exechelp-posix.c | 50 +++++++++++++++++++++++++------------------------ + 1 file changed, 26 insertions(+), 24 deletions(-) + +diff --git a/common/exechelp-posix.c b/common/exechelp-posix.c +index 7237993..3acf74a 100644 +--- a/common/exechelp-posix.c ++++ b/common/exechelp-posix.c +@@ -784,30 +784,32 @@ gnupg_wait_processes (const char **pgmnames, pid_t *pids, size_t count, + } + } + +- if (ec == 0) +- for (i = 0; i < count; i++) +- { +- if (WIFEXITED (r_exitcodes[i]) && WEXITSTATUS (r_exitcodes[i]) == 127) +- { +- log_error (_("error running '%s': probably not installed\n"), +- pgmnames[i]); +- ec = GPG_ERR_CONFIGURATION; +- } +- else if (WIFEXITED (r_exitcodes[i]) && WEXITSTATUS (r_exitcodes[i])) +- { +- if (dummy) +- log_error (_("error running '%s': exit status %d\n"), +- pgmnames[i], WEXITSTATUS (r_exitcodes[i])); +- else +- r_exitcodes[i] = WEXITSTATUS (r_exitcodes[i]); +- ec = GPG_ERR_GENERAL; +- } +- else if (!WIFEXITED (r_exitcodes[i])) +- { +- log_error (_("error running '%s': terminated\n"), pgmnames[i]); +- ec = GPG_ERR_GENERAL; +- } +- } ++ for (i = 0; i < count; i++) ++ { ++ if (r_exitcodes[i] == -1) ++ continue; ++ ++ if (WIFEXITED (r_exitcodes[i]) && WEXITSTATUS (r_exitcodes[i]) == 127) ++ { ++ log_error (_("error running '%s': probably not installed\n"), ++ pgmnames[i]); ++ ec = GPG_ERR_CONFIGURATION; ++ } ++ else if (WIFEXITED (r_exitcodes[i]) && 
WEXITSTATUS (r_exitcodes[i])) ++ { ++ if (dummy) ++ log_error (_("error running '%s': exit status %d\n"), ++ pgmnames[i], WEXITSTATUS (r_exitcodes[i])); ++ else ++ r_exitcodes[i] = WEXITSTATUS (r_exitcodes[i]); ++ ec = GPG_ERR_GENERAL; ++ } ++ else if (!WIFEXITED (r_exitcodes[i])) ++ { ++ log_error (_("error running '%s': terminated\n"), pgmnames[i]); ++ ec = GPG_ERR_GENERAL; ++ } ++ } + + xfree (dummy); + return gpg_err_make (GPG_ERR_SOURCE_DEFAULT, ec); diff --git a/patches/from-master/gpg-Fix-comparison.patch b/patches/from-master/gpg-Fix-comparison.patch new file mode 100644 index 0000000..9fdc1cb --- /dev/null +++ b/patches/from-master/gpg-Fix-comparison.patch @@ -0,0 +1,26 @@ +From: "Neal H. Walfield" +Date: Fri, 6 Oct 2017 11:51:39 +0200 +Subject: gpg: Fix comparison. + +* g10/gpgcompose.c (literal_name): Complain if passed zero arguments, +not one or fewer. + +Signed-off-by: Neal H. Walfield +(cherry picked from commit 1ed21eee79749b976b4a935f2279b162634e9c5e) +--- + g10/gpgcompose.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/g10/gpgcompose.c b/g10/gpgcompose.c +index 430538e..226f793 100644 +--- a/g10/gpgcompose.c ++++ b/g10/gpgcompose.c +@@ -2746,7 +2746,7 @@ literal_name (const char *option, int argc, char *argv[], void *cookie) + { + struct litinfo *li = cookie; + +- if (argc <= 1) ++ if (argc <= 0) + log_fatal ("Usage: %s NAME\n", option); + + if (strlen (argv[0]) > 255) diff --git a/patches/from-master/gpg-default-to-3072-bit-RSA-keys.patch b/patches/from-master/gpg-default-to-3072-bit-RSA-keys.patch new file mode 100644 index 0000000..f37ac15 --- /dev/null +++ b/patches/from-master/gpg-default-to-3072-bit-RSA-keys.patch 
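Review bot: Dropping the `if (ec == 0)` guard means the per-process branches now overwrite whatever error `ec` may already hold from the code above the hunk, so a caller can see `GPG_ERR_GENERAL` or `GPG_ERR_CONFIGURATION` in place of the original failure. If the earlier error should win, make each assignment conditional, e.g. `if (!ec) ec = GPG_ERR_GENERAL;`; if the overwrite is intended, a comment above the loop should say so. The new `r_exitcodes[i] == -1` test relies on entries being preset to -1 for processes that were not reaped, which is not visible here and deserves a one-line comment. Entries for processes that did not exit normally still keep the raw wait status, since only the non-zero-exit branch stores `WEXITSTATUS`. The start of `gnupg_wait_processes` is outside the hunk.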
@@ -0,0 +1,116 @@ +From: Daniel Kahn Gillmor +Date: Thu, 7 Sep 2017 18:41:10 -0400 +Subject: gpg: default to 3072-bit RSA keys. + +* agent/command.c (hlp_genkey): update help text to suggest the use of +3072 bits. +* doc/wks.texi: Make example match default generation. +* g10/keygen.c (DEFAULT_STD_KEY_PARAM): update to +rsa3072/cert,sign+rsa3072/encr, and fix neighboring comment, +(gen_rsa, get_keysize_range): update default from 2048 to 3072). +* g10/keyid.c (pubkey_string): update comment so that first example +is the default 3072-bit RSA. + +-- + +3072-bit RSA is widely considered to be 128-bit-equivalent security. +This is a sensible default in 2017. + +Signed-off-by: Daniel Kahn Gillmor + +(cherry picked from commit 909fbca19678e6e36968607e8a2348381da39d8c) +--- + agent/command.c | 2 +- + doc/wks.texi | 4 ++-- + g10/keygen.c | 9 ++++----- + g10/keyid.c | 4 ++-- + 4 files changed, 9 insertions(+), 10 deletions(-) + +diff --git a/agent/command.c b/agent/command.c +index 20abb28..43c47f5 100644 +--- a/agent/command.c ++++ b/agent/command.c +@@ -843,7 +843,7 @@ static const char hlp_genkey[] = + "\n" + " C: GENKEY\n" + " S: INQUIRE KEYPARAM\n" +- " C: D (genkey (rsa (nbits 2048)))\n" ++ " C: D (genkey (rsa (nbits 3072)))\n" + " C: END\n" + " S: D (public-key\n" + " S: D (rsa (n 326487324683264) (e 10001)))\n" +diff --git a/doc/wks.texi b/doc/wks.texi +index 6d62282..a5e1f02 100644 +--- a/doc/wks.texi ++++ b/doc/wks.texi +@@ -338,10 +338,10 @@ the submission address: + The output of the last command looks similar to this: + + @example +- sec rsa2048 2016-08-30 [SC] ++ sec rsa3072 2016-08-30 [SC] + C0FCF8642D830C53246211400346653590B3795B + uid [ultimate] key-submission@@example.net +- ssb rsa2048 2016-08-30 [E] ++ ssb rsa3072 2016-08-30 [E] + @end example + + Take the fingerprint from that output and manually publish the key: +diff --git a/g10/keygen.c b/g10/keygen.c +index a4949f4..db5e635 100644 +--- a/g10/keygen.c ++++ b/g10/keygen.c +@@ -46,11 +46,10 @@ + 
#include "../common/mbox-util.h"
+
+
+-/* The default algorithms. If you change them remember to change them
+- also in gpg.c:gpgconf_list. You should also check that the value
++/* The default algorithms. If you change them, you should ensure the value
+ is inside the bounds enforced by ask_keysize and gen_xxx. See also
+ get_keysize_range which encodes the allowed ranges. */
+-#define DEFAULT_STD_KEY_PARAM "rsa2048/cert,sign+rsa2048/encr"
++#define DEFAULT_STD_KEY_PARAM "rsa3072/cert,sign+rsa3072/encr"
+ #define FUTURE_STD_KEY_PARAM "ed25519/cert,sign+cv25519/encr"
+
+ /* When generating keys using the streamlined key generation dialog,
+@@ -1648,7 +1647,7 @@ gen_rsa (int algo, unsigned int nbits, KBNODE pub_root,
+
+ if (nbits < 1024)
+ {
+- nbits = 2048;
++ nbits = 3072;
+ log_info (_("keysize invalid; using %u bits\n"), nbits );
+ }
+ else if (nbits > maxsize)
+@@ -2117,7 +2116,7 @@ get_keysize_range (int algo, unsigned int *min, unsigned int *max)
+ default:
+ *min = opt.compliance == CO_DE_VS ? 2048: 1024;
+ *max = 4096;
+- def = 2048;
++ def = 3072;
+ break;
+ }
+
+diff --git a/g10/keyid.c b/g10/keyid.c
+index ba35ec2..e7a97e9 100644
+--- a/g10/keyid.c
++++ b/g10/keyid.c
+@@ -73,7 +73,7 @@ pubkey_letter( int algo )
+ is copied to the supplied buffer up a length of BUFSIZE-1.
+ Examples for the output are:
+
+- "rsa2048" - RSA with 2048 bit
++ "rsa3072" - RSA with 3072 bit
+ "elg1024" - Elgamal with 1024 bit
+ "ed25519" - ECC using the curve Ed25519.
+ "E_1.2.3.4" - ECC using the unsupported curve with OID "1.2.3.4".
+@@ -83,7 +83,7 @@ pubkey_letter( int algo )
+ If the option --legacy-list-mode is active, the output use the
+ legacy format:
+
+- "2048R" - RSA with 2048 bit
++ "3072R" - RSA with 3072 bit
+ "1024g" - Elgamal with 1024 bit
+ "256E" - ECDSA using a curve with 256 bit
+
diff --git a/patches/from-master/gpg-default-to-AES-256.patch b/patches/from-master/gpg-default-to-AES-256.patch
new file mode 100644
index 0000000..4b93103
--- /dev/null
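Review bot: The 1024-bit floor is left in place while the default moves to 3072: in `gen_rsa` the `if (nbits < 1024)` test still lets any request from 1024 to 2047 bits through, and `get_keysize_range` keeps `*min` at 1024 outside `CO_DE_VS`. The sibling gpgsm patch has the same shape (`int minbits = 1024;` next to `int defbits = 3072;`) while its documentation hunk says keys smaller than 2048 bits are too weak. If the floor is kept deliberately for compatibility, a comment above the check such as `/* Floor stays at 1024 for compatibility; only the fallback and the default are 3072. */` would stop the next reader from assuming the minimum moved too. Both functions start and end outside their hunks, so the rest of the bounds logic is not visible here.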
+++ b/patches/from-master/gpg-default-to-AES-256.patch
@@ -0,0 +1,35 @@
+From: Daniel Kahn Gillmor
+Date: Thu, 7 Sep 2017 19:04:00 -0400
+Subject: gpg: default to AES-256.
+
+* g10/main.h (DEFAULT_CIPHER_ALGO): Prefer AES256 by default.
+
+--
+
+It's 2017, and pretty much everyone has AES-256 available. Symmetric
+crypto is also rarely the bottleneck (asymmetric crypto is much more
+expensive). AES-256 provides some level of protection against
+large-scale decryption efforts, and longer key lengths provide a hedge
+against unforseen cryptanalysis.
+
+Signed-off-by: Daniel Kahn Gillmor
+(cherry picked from commit 73ff075204df09db5248170a049f06498cdbb7aa)
+---
+ g10/main.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/g10/main.h b/g10/main.h
+index 389a557..6f93de9 100644
+--- a/g10/main.h
++++ b/g10/main.h
+@@ -31,7 +31,9 @@
+ (i.e. uncompressed) rather than 1 (zip). However, the real world
+ issues of speed and size come into play here. */
+
+-#if GPG_USE_AES128
++#if GPG_USE_AES256
++# define DEFAULT_CIPHER_ALGO CIPHER_ALGO_AES256
++#elif GPG_USE_AES128
+ # define DEFAULT_CIPHER_ALGO CIPHER_ALGO_AES
+ #elif GPG_USE_CAST5
+ # define DEFAULT_CIPHER_ALGO CIPHER_ALGO_CAST5
diff --git a/patches/from-master/gpgsm-default-to-3072-bit-keys.patch b/patches/from-master/gpgsm-default-to-3072-bit-keys.patch
new file mode 100644
index 0000000..16c23c3
--- /dev/null
+++ b/patches/from-master/gpgsm-default-to-3072-bit-keys.patch
@@ -0,0 +1,130 @@
+From: Daniel Kahn Gillmor
+Date: Thu, 7 Sep 2017 18:39:37 -0400
+Subject: gpgsm: default to 3072-bit keys.
+
+* doc/gpgsm.texi, doc/howto-create-a-server-cert.texi: : update
+default to 3072 bits.
+* sm/certreqgen-ui.c (gpgsm_gencertreq_tty): update default to
+3072 bits.
+* sm/certreqgen.c (proc_parameters): update default to 3072 bits.
+* sm/gpgsm.c (main): print correct default_pubkey_algo.
+
+--
+
+3072-bit RSA is widely considered to be 128-bit-equivalent security.
+This is a sensible default in 2017.
+
+Signed-off-by: Daniel Kahn Gillmor
+
+(cherry picked from commit 7955262151a5c755814dd23414e6804f79125355)
+---
+ doc/gpgsm.texi | 2 +-
+ doc/howto-create-a-server-cert.texi | 14 +++++++-------
+ sm/certreqgen-ui.c | 2 +-
+ sm/certreqgen.c | 4 ++--
+ sm/gpgsm.c | 2 +-
+ 5 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi
+index ebe58bc..eb30368 100644
+--- a/doc/gpgsm.texi
++++ b/doc/gpgsm.texi
+@@ -1082,7 +1082,7 @@ key. The algorithm must be capable of signing. This is a required
+ parameter. The only supported value for @var{algo} is @samp{rsa}.
+
+ @item Key-Length: @var{nbits}
+-The requested length of a generated key in bits. Defaults to 2048.
++The requested length of a generated key in bits. Defaults to 3072.
+
+ @item Key-Grip: @var{hexstring}
+ This is optional and used to generate a CSR or certificate for an
+diff --git a/doc/howto-create-a-server-cert.texi b/doc/howto-create-a-server-cert.texi
+index 55f1a91..30e28bd 100644
+--- a/doc/howto-create-a-server-cert.texi
++++ b/doc/howto-create-a-server-cert.texi
+@@ -31,14 +31,14 @@ Let's continue:
+
+ @cartouche
+ @example
+- What keysize do you want? (2048)
+- Requested keysize is 2048 bits
++ What keysize do you want? (3072)
++ Requested keysize is 3072 bits
+ @end example
+ @end cartouche
+
+-Hitting enter chooses the default RSA key size of 2048 bits. Smaller
+-keys are too weak on the modern Internet.
If you choose a larger +-(stronger) key, your server will need to do more work. ++Hitting enter chooses the default RSA key size of 3072 bits. Keys ++smaller than 2048 bits are too weak on the modern Internet. If you ++choose a larger (stronger) key, your server will need to do more work. + + @cartouche + @example +@@ -124,7 +124,7 @@ request: + @example + These parameters are used: + Key-Type: RSA +- Key-Length: 2048 ++ Key-Length: 3072 + Key-Usage: sign, encrypt + Name-DN: CN=example.com + Name-DNS: example.com +@@ -224,7 +224,7 @@ To see the content of your certificate, you may now enter: + aka: (dns-name example.com) + aka: (dns-name www.example.com) + validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51 +- key type: 2048 bit RSA ++ key type: 3072 bit RSA + key usage: digitalSignature keyEncipherment + ext key usage: clientAuth (suggested), serverAuth (suggested), [...] + fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57 +diff --git a/sm/certreqgen-ui.c b/sm/certreqgen-ui.c +index 9772a3b..4f8a1ac 100644 +--- a/sm/certreqgen-ui.c ++++ b/sm/certreqgen-ui.c +@@ -138,7 +138,7 @@ gpgsm_gencertreq_tty (ctrl_t ctrl, estream_t output_stream) + unsigned int nbits; + int minbits = 1024; + int maxbits = 4096; +- int defbits = 2048; ++ int defbits = 3072; + const char *keyusage; + char *subject_name; + membuf_t mb_email, mb_dns, mb_uri, mb_result; +diff --git a/sm/certreqgen.c b/sm/certreqgen.c +index 4431870..1d610c1 100644 +--- a/sm/certreqgen.c ++++ b/sm/certreqgen.c +@@ -26,7 +26,7 @@ + $ cat >foo < 4096) && !cardkeyid) +diff --git a/sm/gpgsm.c b/sm/gpgsm.c +index da1783d..e05ddec 100644 +--- a/sm/gpgsm.c ++++ b/sm/gpgsm.c +@@ -1800,7 +1800,7 @@ main ( int argc, char **argv) + /* The next one is an info only item and should match what + proc_parameters actually implements. 
*/
+ es_printf ("default_pubkey_algo:%lu:\"%s:\n", GC_OPT_FLAG_DEFAULT,
+- "RSA-2048");
++ "RSA-3072");
+ es_printf ("compliance:%lu:\"%s:\n", GC_OPT_FLAG_DEFAULT, "gnupg");
+
+ }
diff --git a/patches/from-master/scd-Distinguish-cancel-by-user-and-protocol-error.patch b/patches/from-master/scd-Distinguish-cancel-by-user-and-protocol-error.patch
new file mode 100644
index 0000000..d7f02af
--- /dev/null
+++ b/patches/from-master/scd-Distinguish-cancel-by-user-and-protocol-error.patch
@@ -0,0 +1,68 @@
+From: NIIBE Yutaka
+Date: Wed, 20 Sep 2017 10:06:43 +0900
+Subject: scd: Distinguish cancel by user and protocol error.
+
+* scd/apdu.h (SW_HOST_CANCELLED): New.
+* scd/apdu.c (host_sw_string): Support SW_HOST_CANCELLED.
+(pcsc_error_to_sw): Return SW_HOST_CANCELLED for PCSC_E_CANCELLED.
+* scd/iso7816.c (map_sw): Return GPG_ERR_INV_RESPONSE for
+SW_HOST_ABORTED and GPG_ERR_CANCELED for SW_HOST_CANCELLED.
+
+Signed-off-by: NIIBE Yutaka
+(cherry picked from commit 2396055c096884d521c26b76f26263a146207c24)
+---
+ scd/apdu.c | 3 ++-
+ scd/apdu.h | 3 ++-
+ scd/iso7816.c | 3 ++-
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/scd/apdu.c b/scd/apdu.c
+index cd98cc9..0496a7a 100644
+--- a/scd/apdu.c
++++ b/scd/apdu.c
+@@ -499,6 +499,7 @@ host_sw_string (long err)
+ case SW_HOST_ABORTED: return "aborted";
+ case SW_HOST_NO_PINPAD: return "no pinpad";
+ case SW_HOST_ALREADY_CONNECTED: return "already connected";
++ case SW_HOST_CANCELLED: return "cancelled";
+ default: return "unknown host status error";
+ }
+ }
+@@ -605,7 +606,7 @@ pcsc_error_to_sw (long ec)
+ {
+ case 0: rc = 0; break;
+
+- case PCSC_E_CANCELLED: rc = SW_HOST_ABORTED; break;
++ case PCSC_E_CANCELLED: rc = SW_HOST_CANCELLED; break;
+ case PCSC_E_NO_MEMORY: rc = SW_HOST_OUT_OF_CORE; break;
+ case PCSC_E_TIMEOUT: rc = SW_HOST_CARD_IO_ERROR; break;
+ case PCSC_E_NO_SERVICE:
+diff --git a/scd/apdu.h b/scd/apdu.h
+index 6751e8c..8a0d4bd 100644
+--- a/scd/apdu.h
++++ b/scd/apdu.h
+@@ -71,7 +71,8 @@ enum {
+ SW_HOST_NO_READER = 0x1000c,
+ SW_HOST_ABORTED = 0x1000d,
+ SW_HOST_NO_PINPAD = 0x1000e,
+- SW_HOST_ALREADY_CONNECTED = 0x1000f
++ SW_HOST_ALREADY_CONNECTED = 0x1000f,
++ SW_HOST_CANCELLED = 0x10010
+ };
+
+ struct dev_list;
+diff --git a/scd/iso7816.c b/scd/iso7816.c
+index 081b080..29208c2 100644
+--- a/scd/iso7816.c
++++ b/scd/iso7816.c
+@@ -93,8 +93,9 @@ map_sw (int sw)
+ case SW_HOST_CARD_IO_ERROR: ec = GPG_ERR_EIO; break;
+ case SW_HOST_GENERAL_ERROR: ec =
GPG_ERR_GENERAL; break;
+ case SW_HOST_NO_READER: ec = GPG_ERR_ENODEV; break;
+- case SW_HOST_ABORTED: ec = GPG_ERR_CANCELED; break;
++ case SW_HOST_ABORTED: ec = GPG_ERR_INV_RESPONSE; break;
+ case SW_HOST_NO_PINPAD: ec = GPG_ERR_NOT_SUPPORTED; break;
++ case SW_HOST_CANCELLED: ec = GPG_ERR_CANCELED; break;
+
+ default:
+ if ((sw & 0x010000))
diff --git a/patches/gpg-agent-idling/agent-Allow-threads-to-interrupt-main-select-loop-wi.patch b/patches/gpg-agent-idling/agent-Allow-threads-to-interrupt-main-select-loop-wi.patch
new file mode 100644
index 0000000..dd39186
--- /dev/null
+++ b/patches/gpg-agent-idling/agent-Allow-threads-to-interrupt-main-select-loop-wi.patch
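Review bot: `SW_HOST_ABORTED` changes meaning in `map_sw` without any note at the definition: it used to map to `GPG_ERR_CANCELED` and now maps to `GPG_ERR_INV_RESPONSE`, so any remaining producer of `SW_HOST_ABORTED` (none is visible in these hunks) is now reported as a protocol error rather than a cancel. Callers that test for `GPG_ERR_CANCELED` to decide whether to re-prompt or give up presumably need checking against that. The enum in `scd/apdu.h` carries no comments; adding `/* Operation aborted by the reader or driver. */` and `/* Operation cancelled by the user. */` beside the two values would record the distinction the commit message describes. `map_sw` and `pcsc_error_to_sw` both continue outside their hunks.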
@@ -0,0 +1,93 @@
+From: Daniel Kahn Gillmor
+Date: Tue, 1 Nov 2016 00:45:23 -0400
+Subject: agent: Allow threads to interrupt main select loop with SIGCONT.
+
+* agent/gpg-agent.c (interrupt_main_thread_loop): New function on
+non-windows platforms, allows other threads to interrupt the main loop
+if there's something that the main loop might be interested in.
+
+--
+
+For example, the main loop might be interested in changes in program
+state that affect the timers it expects to see.
+
+I don't know how to do this on Windows platforms, but i welcome any
+proposed improvements.
+
+Signed-off-by: Daniel Kahn Gillmor
+---
+ agent/agent.h | 1 +
+ agent/gpg-agent.c | 18 +++++++++++++++++-
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/agent/agent.h b/agent/agent.h
+index cf50d92..ec156c3 100644
+--- a/agent/agent.h
++++ b/agent/agent.h
+@@ -361,6 +361,7 @@ void *get_agent_scd_notify_event (void);
+ #endif
+ void agent_sighup_action (void);
+ int map_pk_openpgp_to_gcry (int openpgp_algo);
++void interrupt_main_thread_loop (void);
+
+ /*-- command.c --*/
+ gpg_error_t agent_inq_pinentry_launched (ctrl_t ctrl, unsigned long pid,
+diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
+index fe639ec..88f1805 100644
+--- a/agent/gpg-agent.c
++++ b/agent/gpg-agent.c
+@@ -415,6 +415,9 @@ static int have_homedir_inotify;
+ * works reliable. */
+ static int reliable_homedir_inotify;
+
++/* Record the pid of the main thread, for easier signalling */
++static pid_t main_thread_pid = (pid_t)(-1);
++
+ /* Number of active connections.
*/
+ static int active_connections;
+
+@@ -2116,7 +2119,7 @@ get_agent_scd_notify_event (void)
+ GetCurrentProcess(), &h2,
+ EVENT_MODIFY_STATE|SYNCHRONIZE, TRUE, 0))
+ {
+- log_error ("setting syncronize for scd notify event failed: %s\n",
++ log_error ("setting synchronize for scd notify event failed: %s\n",
+ w32_strerror (-1) );
+ CloseHandle (h);
+ }
+@@ -2462,6 +2465,10 @@ handle_signal (int signo)
+ agent_sigusr2_action ();
+ break;
+
++ /* nothing to do here, just take an extra cycle on the select loop */
++ case SIGCONT:
++ break;
++
+ case SIGTERM:
+ if (!shutdown_pending)
+ log_info ("SIGTERM received - shutting down ...\n");
+@@ -2800,6 +2807,13 @@ start_connection_thread_ssh (void *arg)
+ }
+
+
++void interrupt_main_thread_loop (void)
++{
++#ifndef HAVE_W32_SYSTEM
++ kill (main_thread_pid, SIGCONT);
++#endif
++}
++
+ /* helper function for readability: test whether a given struct
+ timespec is set to all-zeros */
+ static inline int
+@@ -2869,8 +2883,10 @@ handle_connections (gnupg_fd_t listen_fd,
+ npth_sigev_add (SIGUSR1);
+ npth_sigev_add (SIGUSR2);
+ npth_sigev_add (SIGINT);
++ npth_sigev_add (SIGCONT);
+ npth_sigev_add (SIGTERM);
+ npth_sigev_fini ();
++ main_thread_pid = getpid ();
+ #else
+ # ifdef HAVE_W32CE_SYSTEM
+ /* Use a dummy event. */
diff --git a/patches/gpg-agent-idling/agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch b/patches/gpg-agent-idling/agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch
new file mode 100644
index 0000000..573dc09
--- /dev/null
+++ b/patches/gpg-agent-idling/agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch
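Review bot: `interrupt_main_thread_loop` calls `kill (main_thread_pid, SIGCONT)` without checking that `main_thread_pid` has been set, and the variable is initialised to `(pid_t)(-1)`. On POSIX systems `kill` with pid -1 signals every process the caller is permitted to signal, so a call made before `handle_connections` reaches `main_thread_pid = getpid ();` (or in a run mode that never reaches that line, if one exists) would deliver SIGCONT far beyond the agent. Guard the call, e.g. `if (main_thread_pid != (pid_t)(-1)) kill (main_thread_pid, SIGCONT);`. The stored value is a process id from `getpid ()`, so the name and the comment "pid of the main thread" are also slightly misleading. `handle_connections` extends beyond the hunk, so which callers can run earlier cannot be confirmed from here.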
@@ -0,0 +1,26 @@
+From: Daniel Kahn Gillmor
+Date: Tue, 1 Nov 2016 00:57:44 -0400
+Subject: agent: Avoid scheduled checks on socket when inotify is working.
+
+* agent/gpg-agent.c (handle_connections): When inotify is working, we
+do not need to schedule a timer to evaluate whether we control our own
+socket or not.
+
+Signed-off-by: Daniel Kahn Gillmor
+---
+ agent/gpg-agent.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
+index 92b3d0b..5c906d1 100644
+--- a/agent/gpg-agent.c
++++ b/agent/gpg-agent.c
+@@ -3036,6 +3036,8 @@ handle_connections (gnupg_fd_t listen_fd,
+
+ /* avoid a fine-grained timer if we don't need one: */
+ timertbl[0].interval.tv_sec = need_tick () ? TIMERTICK_INTERVAL : 0;
++ /* avoid waking up to check sockets if we can count on inotify */
++ timertbl[1].interval.tv_sec = (sock_inotify_fd == -1) ? CHECK_OWN_SOCKET_INTERVAL : 0;
+
+ /* loop through all timers, fire any registered functions, and
+ plan next timer to trigger */
diff --git a/patches/gpg-agent-idling/agent-Avoid-tight-timer-tick-when-possible.patch b/patches/gpg-agent-idling/agent-Avoid-tight-timer-tick-when-possible.patch
new file mode 100644
index 0000000..eec01d3
--- /dev/null
+++ b/patches/gpg-agent-idling/agent-Avoid-tight-timer-tick-when-possible.patch
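Review bot: The periodic `check_own_socket` timer is switched off on the sole condition `sock_inotify_fd != -1`, that is, whenever a watch descriptor exists rather than whenever the watch is known to deliver the events that matter. The same file keeps `reliable_homedir_inotify` separate from `have_homedir_inotify` for the home directory, which suggests (not confirmed from this hunk) that an open inotify descriptor is not treated as sufficient on its own elsewhere. If relying on it here is intended, say so where the decision is made, for example `/* inotify on the socket is treated as authoritative; there is no periodic check_own_socket fallback */`. The bare indices `timertbl[0]` and `timertbl[1]` would also read better as named constants. `handle_connections` starts and ends outside the hunk.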
@@ -0,0 +1,101 @@
+From: Daniel Kahn Gillmor
+Date: Tue, 1 Nov 2016 00:14:10 -0400
+Subject: agent: Avoid tight timer tick when possible.
+
+* agent/gpg-agent.c (need_tick): Evaluate whether the short-phase
+handle_tick() is needed.
+(handle_connections): On each cycle of the select loop, adjust whether
+we should call handle_tick() or not.
+(start_connection_thread_ssh, do_start_connection_thread): Signal the
+main loop when the child terminates.
+* agent/call-scd.c (start_scd): Call interrupt_main_thread_loop() once
+the scdaemon thread context has started up.
+
+--
+
+With this change, an idle gpg-agent that has no scdaemon running only
+wakes up once a minute (to check_own_socket).
+
+Thanks to Ian Jackson and NIIBE Yutaka who helped me improve some of
+the blocking and corner cases.
+
+Signed-off-by: Daniel Kahn Gillmor
+---
+ agent/call-scd.c | 2 ++
+ agent/gpg-agent.c | 29 +++++++++++++++++++++++++++--
+ 2 files changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/agent/call-scd.c b/agent/call-scd.c
+index 16139fd..bf7732b 100644
+--- a/agent/call-scd.c
++++ b/agent/call-scd.c
+@@ -415,6 +415,8 @@ start_scd (ctrl_t ctrl)
+
+ primary_scd_ctx = ctx;
+ primary_scd_ctx_reusable = 0;
++ /* notify the main loop that something has changed */
++ interrupt_main_thread_loop ();
+
+ leave:
+ xfree (abs_homedir);
+diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
+index 88f1805..92b3d0b 100644
+--- a/agent/gpg-agent.c
++++ b/agent/gpg-agent.c
+@@ -2369,6 +2369,26 @@ create_directories (void)
+ }
+
+
++static int
++need_tick (void)
++{
++#ifdef HAVE_W32_SYSTEM
++ /* We do not know how to interrupt the select loop on Windows, so we
++ always need a short tick there. */
++ return 1;
++#else
++ /* if we were invoked like "gpg-agent cmd arg1 arg2" then we need to
++ watch our parent.
*/
++ if (parent_pid != (pid_t)(-1))
++ return 1;
++ /* if scdaemon is running, we need to check that it's alive */
++ if (agent_scd_check_running ())
++ return 1;
++ /* otherwise, nothing fine-grained to do. */
++ return 0;
++#endif /*HAVE_W32_SYSTEM*/
++}
++
+
+ /* This is the worker for the ticker. It is called every few seconds
+ and may only do fast operations. */
+@@ -2722,7 +2742,8 @@ do_start_connection_thread (ctrl_t ctrl)
+
+ agent_deinit_default_ctrl (ctrl);
+ xfree (ctrl);
+- active_connections--;
++ if (--active_connections == 0)
++ interrupt_main_thread_loop();
+ return NULL;
+ }
+
+@@ -2802,7 +2823,8 @@ start_connection_thread_ssh (void *arg)
+
+ agent_deinit_default_ctrl (ctrl);
+ xfree (ctrl);
+- active_connections--;
++ if (--active_connections == 0)
++ interrupt_main_thread_loop();
+ return NULL;
+ }
+
+@@ -3012,6 +3034,9 @@ handle_connections (gnupg_fd_t listen_fd,
+ thus a simple assignment is fine to copy the entire set. */
+ read_fdset = fdset;
+
++ /* avoid a fine-grained timer if we don't need one: */
++ timertbl[0].interval.tv_sec = need_tick () ? TIMERTICK_INTERVAL : 0;
++
+ /* loop through all timers, fire any registered functions, and
+ plan next timer to trigger */
+ npth_clock_gettime (&curtime);
diff --git a/patches/gpg-agent-idling/agent-Create-framework-of-scheduled-timers.patch b/patches/gpg-agent-idling/agent-Create-framework-of-scheduled-timers.patch
new file mode 100644
index 0000000..2ef7fd6
--- /dev/null
+++ b/patches/gpg-agent-idling/agent-Create-framework-of-scheduled-timers.patch
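Review bot: `need_tick` decides whether `handle_tick` runs at all, yet it only considers `parent_pid` and `agent_scd_check_running ()`. The companion timer-framework patch shows `handle_tick` also calling `agent_cache_housekeeping ()` under the comment "Need to check for expired cache entries", so with this change an idle agent with no parent and no scdaemon stops running that housekeeping on a schedule. Whether expired entries are also dropped at lookup time is not visible here; if they are not, cached secrets would stay in memory past their TTL until something else wakes the loop. Either let `need_tick` return 1 while the cache holds entries with a pending expiry, or give the housekeeping call its own `timertbl` entry, and record the dependency at the top of the function: `/* NOTE: handle_tick also runs agent_cache_housekeeping; returning 0 here suspends it. */`.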
@@ -0,0 +1,191 @@
+From: Daniel Kahn Gillmor
+Date: Mon, 31 Oct 2016 21:27:36 -0400
+Subject: agent: Create framework of scheduled timers.
+
+agent/gpg-agent.c (handle_tick): Remove intermittent call to
+check_own_socket.
+(tv_is_set): Add inline helper function for readability.
+(handle_connections) Create general table of pending scheduled
+timeouts.
+
+--
+
+handle_tick() does fine-grained, rapid activity. check_own_socket()
+is supposed to happen at a different interval.
+
+Mixing the two of them makes it a requirement that one interval be a
+multiple of the other, which isn't ideal if there are different delay
+strategies that we might want in the future.
+
+Creating an extensible regular timer framework in handle_connections
+should make it possible to have any number of cadenced timers fire
+regularly, without requiring that they happen in cadences related to
+each other.
+
+It should also make it possible to dynamically change the cadence of
+any regularly-scheduled timeout.
+
+Signed-off-by: Daniel Kahn Gillmor
+---
+ agent/gpg-agent.c | 84 +++++++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 57 insertions(+), 27 deletions(-)
+
+diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
+index 7d0d906..fe639ec 100644
+--- a/agent/gpg-agent.c
++++ b/agent/gpg-agent.c
+@@ -2372,12 +2372,8 @@ create_directories (void)
+ static void
+ handle_tick (void)
+ {
+- static time_t last_minute;
+ struct stat statbuf;
+
+- if (!last_minute)
+- last_minute = time (NULL);
+-
+ /* Check whether the scdaemon has died and cleanup in this case. */
+ agent_scd_check_aliveness ();
+
+@@ -2397,15 +2393,6 @@ handle_tick (void)
+ }
+ #endif /*HAVE_W32_SYSTEM*/
+
+- /* Code to be run from time to time. */
+-#if CHECK_OWN_SOCKET_INTERVAL > 0
+- if (last_minute + CHECK_OWN_SOCKET_INTERVAL <= time (NULL))
+- {
+- check_own_socket ();
+- last_minute = time (NULL);
+- }
+-#endif
+-
+ /* Need to check for expired cache entries.
*/
+ agent_cache_housekeeping ();
+
+@@ -2813,6 +2800,15 @@ start_connection_thread_ssh (void *arg)
+ }
+
+
++/* helper function for readability: test whether a given struct
++ timespec is set to all-zeros */
++static inline int
++tv_is_set (struct timespec tv)
++{
++ return tv.tv_sec || tv.tv_nsec;
++}
++
++
+ /* Connection handler loop. Wait for connection requests and spawn a
+ thread after accepting a connection. */
+ static void
+@@ -2830,9 +2826,11 @@ handle_connections (gnupg_fd_t listen_fd,
+ gnupg_fd_t fd;
+ int nfd;
+ int saved_errno;
++ int idx;
+ struct timespec abstime;
+ struct timespec curtime;
+ struct timespec timeout;
++ struct timespec *select_timeout;
+ #ifdef HAVE_W32_SYSTEM
+ HANDLE events[2];
+ unsigned int events_set;
+@@ -2849,6 +2847,14 @@ handle_connections (gnupg_fd_t listen_fd,
+ { "browser", start_connection_thread_browser },
+ { "ssh", start_connection_thread_ssh }
+ };
++ struct {
++ struct timespec interval;
++ void (*func) (void);
++ struct timespec next;
++ } timertbl[] = {
++ { { TIMERTICK_INTERVAL, 0 }, handle_tick },
++ { { CHECK_OWN_SOCKET_INTERVAL, 0 }, check_own_socket }
++ };
+
+
+ ret = npth_attr_init(&tattr);
+@@ -2956,9 +2962,6 @@ handle_connections (gnupg_fd_t listen_fd,
+ listentbl[2].l_fd = listen_fd_browser;
+ listentbl[3].l_fd = listen_fd_ssh;
+
+- npth_clock_gettime (&abstime);
+- abstime.tv_sec += TIMERTICK_INTERVAL;
+-
+ for (;;)
+ {
+ /* Shutdown test. */
+@@ -2993,18 +2996,46 @@ handle_connections (gnupg_fd_t listen_fd,
+ thus a simple assignment is fine to copy the entire set. */
+ read_fdset = fdset;
+
++ /* loop through all timers, fire any registered functions, and
++ plan next timer to trigger */
+ npth_clock_gettime (&curtime);
+- if (!(npth_timercmp (&curtime, &abstime, <)))
+- {
+- /* Timeout.
*/
+- handle_tick ();
+- npth_clock_gettime (&abstime);
+- abstime.tv_sec += TIMERTICK_INTERVAL;
+- }
+- npth_timersub (&abstime, &curtime, &timeout);
++ abstime.tv_sec = abstime.tv_nsec = 0;
++ for (idx=0; idx < DIM(timertbl); idx++)
++ {
++ /* schedule any unscheduled timers */
++ if ((!tv_is_set (timertbl[idx].next)) && tv_is_set (timertbl[idx].interval))
++ npth_timeradd (&timertbl[idx].interval, &curtime, &timertbl[idx].next);
++ /* if a timer is due, fire it ... */
++ if (tv_is_set (timertbl[idx].next))
++ {
++ if (!(npth_timercmp (&curtime, &timertbl[idx].next, <)))
++ {
++ timertbl[idx].func ();
++ npth_clock_gettime (&curtime);
++ /* ...and reschedule it, if desired: */
++ if (tv_is_set (timertbl[idx].interval))
++ npth_timeradd (&timertbl[idx].interval, &curtime, &timertbl[idx].next);
++ else
++ timertbl[idx].next.tv_sec = timertbl[idx].next.tv_nsec = 0;
++ }
++ }
++ /* accumulate next timer to come due in abstime: */
++ if (tv_is_set (timertbl[idx].next) &&
++ ((!tv_is_set (abstime)) ||
++ (npth_timercmp (&abstime, &timertbl[idx].next, >))))
++ abstime = timertbl[idx].next;
++ }
++ /* choose a timeout for the select loop: */
++ if (tv_is_set (abstime))
++ {
++ npth_timersub (&abstime, &curtime, &timeout);
++ select_timeout = &timeout;
++ }
++ else
++ select_timeout = NULL;
+
+ #ifndef HAVE_W32_SYSTEM
+- ret = npth_pselect (nfd+1, &read_fdset, NULL, NULL, &timeout,
++ ret = npth_pselect (nfd+1, &read_fdset, NULL, NULL, select_timeout,
+ npth_sigev_sigmask ());
+ saved_errno = errno;
+
+@@ -3014,7 +3045,7 @@ handle_connections (gnupg_fd_t listen_fd,
+ handle_signal (signo);
+ }
+ #else
+- ret = npth_eselect (nfd+1, &read_fdset, NULL, NULL, &timeout,
++ ret = npth_eselect (nfd+1, &read_fdset, NULL, NULL, select_timeout,
+ events, &events_set);
+ saved_errno = errno;
+
+@@ -3059,7 +3090,6 @@ handle_connections (gnupg_fd_t listen_fd,
+
+ if (!shutdown_pending)
+ {
+- int idx;
+ ctrl_t ctrl;
+ npth_t thread;
+
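Review bot: The timeout handed to `npth_pselect` / `npth_eselect` can come out negative. `abstime` may be taken from an earlier table entry that was not yet due, after which a later entry fires and `curtime` is refreshed with `npth_clock_gettime`; if that callback ran past the earlier entry's deadline, `npth_timersub (&abstime, &curtime, &timeout)` subtracts a later time from an earlier one. How the select wrappers treat a negative timespec is not visible here, but the code being replaced could not produce one. Clamping just before the subtraction, `if (npth_timercmp (&abstime, &curtime, <)) abstime = curtime;`, yields a zero timeout so the overdue timer fires on the next pass. Separately, the comment on `tv_is_set` says it tests for all-zeros while the function returns true for a non-zero value. `handle_connections` begins and ends outside these hunks.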
diff --git a/patches/series b/patches/series
new file mode 100644
index 0000000..f8baf11
--- /dev/null
+++ b/patches/series
@@ -0,0 +1,23 @@
+debian-packaging/avoid-beta-warning.patch
+debian-packaging/avoid-regenerating-defsincdate-use-shipped-file.patch
+block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch
+dirmngr-idling/dirmngr-hkp-Avoid-potential-race-condition-when-some.patch
+dirmngr-idling/dirmngr-Avoid-need-for-hkp-housekeeping.patch
+dirmngr-idling/dirmngr-Avoid-automatically-checking-upstream-swdb.patch
+gpg-agent-idling/agent-Create-framework-of-scheduled-timers.patch
+gpg-agent-idling/agent-Allow-threads-to-interrupt-main-select-loop-wi.patch
+gpg-agent-idling/agent-Avoid-tight-timer-tick-when-possible.patch
+gpg-agent-idling/agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch
+from-master/gpgsm-default-to-3072-bit-keys.patch
+from-master/gpg-default-to-3072-bit-RSA-keys.patch
+from-master/gpg-default-to-AES-256.patch
+from-master/agent-compile-time-configuration-of-s2k-calibration.patch
+from-master/common-Fix-gnupg_wait_processes.patch
+from-master/scd-Distinguish-cancel-by-user-and-protocol-error.patch
+from-master/agent-Fix-cancellation-handling-for-scdaemon.patch
+update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch
+update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch
+from-master/gpg-Fix-comparison.patch
+from-master/assuan-Reorganize-waiting-for-socket.patch
+from-master/assuan-Use-exponential-decay-for-first-1s-of-spinlock.patch
+show-revocation-cert/gpg-Print-revocation-certificate-details-when-showing-wit.patch
diff --git a/patches/show-revocation-cert/gpg-Print-revocation-certificate-details-when-showing-wit.patch b/patches/show-revocation-cert/gpg-Print-revocation-certificate-details-when-showing-wit.patch
new file mode 100644
index 0000000..006c30c
--- /dev/null
+++ b/patches/show-revocation-cert/gpg-Print-revocation-certificate-details-when-showing-wit.patch
@@ -0,0 +1,51 @@
+From: Daniel Kahn Gillmor
+Date: Tue, 12 Jun 2018 02:41:30 -0400
+Subject: gpg: Print revocation certificate details when showing with-colons.
+
+* g10/import.c (import_revoke_cert): add options argument, and print
+colon-delimited output for revocation certificate as requested.
+--
+
+I looked into trying to make this work with one of the functions in
+g10/keylist.c, but i saw nothing that will accept a revocation
+certificate on its own, so i'm replicating the functionality directly
+in g10/import.c. This is a bit unfortunate because the code for
+describing a revocation cert now exists in two separate places, but
+refactoring both list_keyblock_print() and list_keyblock_colon() in
+g10/keylist.c seems like a much heavier lift.
+
+GnuPG-Bug-id: 4018
+Signed-off-by: Daniel Kahn Gillmor
+---
+ g10/import.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/g10/import.c b/g10/import.c
+index 6dad8ee..5236263 100644
+--- a/g10/import.c
++++ b/g10/import.c
+@@ -2890,6 +2890,24 @@ import_revoke_cert (ctrl_t ctrl, kbnode_t node, unsigned int options,
+ keyid[0] = node->pkt->pkt.signature->keyid[0];
+ keyid[1] = node->pkt->pkt.signature->keyid[1];
+
++ if ((options & IMPORT_SHOW) &&
++ (opt.with_colons))
++ {
++ PKT_signature *sig = node->pkt->pkt.signature;
++ char *issuer_fpr = issuer_fpr = issuer_fpr_string (sig);
++
++ es_fprintf (es_stdout, "rvs::%d:%08lX%08lX:%s:%s:::::::%s:::%d:\n",
++ sig->pubkey_algo,
++ (ulong) sig->keyid[0], (ulong) sig->keyid[1],
++ colon_datestr_from_sig (sig),
++ colon_expirestr_from_sig (sig),
++ issuer_fpr ? issuer_fpr : "",
++ sig->digest_algo);
++
++ xfree (issuer_fpr);
++ es_fflush (es_stdout);
++ }
++
+ pk = xmalloc_clear( sizeof *pk );
+ rc = get_pubkey (ctrl, pk, keyid );
+ if (gpg_err_code (rc) == GPG_ERR_NO_PUBKEY )
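Review bot: The declaration `char *issuer_fpr = issuer_fpr = issuer_fpr_string (sig);` assigns the variable to itself inside its own initialiser; it happens to work, but it is a typo that compilers may flag and it should read `char *issuer_fpr = issuer_fpr_string (sig);`. The `rvs` record is also written before the `get_pubkey` call and whatever verification follows in `import_revoke_cert`, so the printed fields come straight from the packet as received. A one-line comment such as `/* Shown as found in the packet; the revocation has not been checked at this point. */` would make that explicit for anyone consuming the colon output. The function starts and ends outside the hunk.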
diff --git a/patches/update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch b/patches/update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch
new file mode 100644
index 0000000..17cf894
--- /dev/null
+++ b/patches/update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch
@@ -0,0 +1,64 @@
+From: Daniel Kahn Gillmor
+Date: Thu, 7 Sep 2017 18:49:35 -0400
+Subject: gpg: Default to SHA-512 for all signature types on RSA keys.
+
+* g10/main.h (DEFAULT_DIGEST_ALGO): Use SHA512 instead of SHA256 in
+--gnupg mode (leave strict RFC and PGP modes alone).
+* configure.ac: Do not allow disabling sha512.
+* g10/misc.c (map_md_openpgp_to_gcry): Always support SHA512.
+
+--
+
+SHA512 is more performant on most 64-bit platforms than SHA256, and
+offers a better security margin. It is also widely implemented.
+
+Signed-off-by: Daniel Kahn Gillmor
+---
+ configure.ac | 2 +-
+ g10/main.h | 2 +-
+ g10/misc.c | 5 +----
+ 3 files changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 0b6425d..c8c91aa 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -314,7 +314,7 @@ GNUPG_GPG_DISABLE_ALGO([rmd160],[RIPE-MD160 hash])
+ GNUPG_GPG_DISABLE_ALGO([sha224],[SHA-224 hash])
+ # SHA256 is a MUST algorithm for GnuPG.
+ GNUPG_GPG_DISABLE_ALGO([sha384],[SHA-384 hash])
+-GNUPG_GPG_DISABLE_ALGO([sha512],[SHA-512 hash])
++# SHA512 is a MUST algorithm for GnuPG.
+
+
+ # Allow disabling of zip support.
+diff --git a/g10/main.h b/g10/main.h
+index 6f93de9..dcd3767 100644
+--- a/g10/main.h
++++ b/g10/main.h
+@@ -41,7 +41,7 @@
+ # define DEFAULT_CIPHER_ALGO CIPHER_ALGO_3DES
+ #endif
+
+-#define DEFAULT_DIGEST_ALGO ((GNUPG)? DIGEST_ALGO_SHA256:DIGEST_ALGO_SHA1)
++#define DEFAULT_DIGEST_ALGO ((GNUPG)? DIGEST_ALGO_SHA512:DIGEST_ALGO_SHA1)
+ #define DEFAULT_S2K_DIGEST_ALGO DIGEST_ALGO_SHA1
+ #ifdef HAVE_ZIP
+ # define DEFAULT_COMPRESS_ALGO COMPRESS_ALGO_ZIP
+diff --git a/g10/misc.c b/g10/misc.c
+index 9780969..86baff9 100644
+--- a/g10/misc.c
++++ b/g10/misc.c
+@@ -743,11 +743,8 @@ map_md_openpgp_to_gcry (digest_algo_t algo)
+ case DIGEST_ALGO_SHA384: return 0;
+ #endif
+
+-#ifdef GPG_USE_SHA512
+ case DIGEST_ALGO_SHA512: return GCRY_MD_SHA512;
+-#else
+- case DIGEST_ALGO_SHA512: return 0;
+-#endif
++
+ default: return 0;
+ }
+ }
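Review bot: Removing `GNUPG_GPG_DISABLE_ALGO([sha512],[SHA-512 hash])` from configure.ac presumably means `GPG_USE_SHA512` is no longer defined by configure, while the only `#ifdef GPG_USE_SHA512` removed here is the one in `map_md_openpgp_to_gcry`. Any other `#ifdef GPG_USE_SHA512` left in the tree (none is visible in this patch) would then always take its disabled branch, and the new `DEFAULT_DIGEST_ALGO` of `DIGEST_ALGO_SHA512` would rest on an algorithm that some code path still treats as absent. Worth a grep before merging, or keep the symbol defined unconditionally in place of the removed macro call, e.g. `AC_DEFINE(GPG_USE_SHA512, 1, [Define to support the SHA-512 digest])`. `map_md_openpgp_to_gcry` starts outside its hunk.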
diff --git a/patches/update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch b/patches/update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch
new file mode 100644
index 0000000..5860cd3
--- /dev/null
+++ b/patches/update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch
@@ -0,0 +1,46 @@
+From: Daniel Kahn Gillmor
+Date: Wed, 3 Jan 2018 12:34:26 -0500
+Subject: gpg: Prefer SHA-512 and SHA-384 in personal-digest-preferences.
+
+* g10/keygen.c (keygen_set_std_prefs): prefer SHA-512
+and SHA-384 by default.
+
+--
+
+In 8ede3ae29a39641a2f98ad9a4cf61ea99085a892, upstream changed the
+defaults for --default-preference-list to advertise a preference for
+SHA-512, without touching --personal-digest-preferences. This makes
+the same change for --personal-digest-preferences, since every modern
+OpenPGP library supports them all.
+
+Signed-off-by: Daniel Kahn Gillmor
+---
+ g10/keygen.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/g10/keygen.c b/g10/keygen.c
+index db5e635..96f451f 100644
+--- a/g10/keygen.c
++++ b/g10/keygen.c
+@@ -386,16 +386,16 @@ keygen_set_std_prefs (const char *string,int personal)
+ if (personal)
+ {
+ /* The default internal hash algo order is:
+- * SHA-256, SHA-384, SHA-512, SHA-224, SHA-1.
++ * SHA-512, SHA-384, SHA-256, SHA-224, SHA-1.
+ */
+- if (!openpgp_md_test_algo (DIGEST_ALGO_SHA256))
+- strcat (dummy_string, "H8 ");
++ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512))
++ strcat (dummy_string, "H10 ");
+
+ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA384))
+ strcat (dummy_string, "H9 ");
+
+- if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512))
+- strcat (dummy_string, "H10 ");
++ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA256))
++ strcat (dummy_string, "H8 ");
+ }
+ else
+ {
diff --git a/rules b/rules
new file mode 100755
index 0000000..85dbc24
--- /dev/null
+++ b/rules
@@ -0,0 +1,89 @@ +#!/usr/bin/make -f +# debian/rules file - for GnuPG +# Copyright 1994,1995 by Ian Jackson. +# Copyright 1998-2003 by James Troup. +# Copyright 2003-2004 by Matthias Urlichs. +# +# I hereby give you perpetual unlimited permission to copy, +# modify and relicense this file, provided that you do not remove +# my name from the file itself. (I assert my moral right of +# paternity under the Copyright, Designs and Patents Act 1988.) +# This file may have to be extensively modified + +include /usr/share/dpkg/architecture.mk + +export DEB_BUILD_MAINT_OPTIONS = hardening=+all + +# avoid -pie for gpgv-static on kfreebsd-amd64, and x32 +# platforms, which cannot support it by default: +ifeq (,$(filter $(DEB_HOST_ARCH), kfreebsd-amd64 x32)) +GPGV_STATIC_HARDENING = "-pie" +else +GPGV_STATIC_HARDENING = "" +endif + +# Avoid parallel tests on hppa and riscv64 architecture. +# Parallel tests generates high load on machine which causes timeouts and thus +# triggers unexpected failures. 
+ifeq (,$(filter $(DEB_HOST_ARCH), hppa riscv64)) +AUTOTEST_FLAGS = "--parallel" +else +AUTOTEST_FLAGS = "--no-parallel" +endif + +%: + dh $@ --with=autoreconf --builddirectory=build + +GPGV_UDEB_UNNEEDED = gpgtar bzip2 gpgsm scdaemon dirmngr doc tofu exec ldap gnutls sqlite libdns + +WIN32_FLAGS=LDFLAGS="-Xlinker --no-insert-timestamp -static" CFLAGS="-g -Os" CPPFLAGS= + +override_dh_auto_configure: + dh_auto_configure --builddirectory=build-gpgv-udeb -- \ + $(foreach x, $(GPGV_UDEB_UNNEEDED), --disable-$(x)) + dh_auto_configure --builddirectory=build-maintainer -- \ + --enable-maintainer-mode \ + $(foreach x, $(GPGV_UDEB_UNNEEDED), --disable-$(x)) + dh_auto_configure --builddirectory=build -- --libexecdir=\$${prefix}/lib/gnupg \ + --enable-wks-tools \ + --enable-all-tests \ + --with-agent-s2k-calibration=300 \ + --enable-symcryptrun --enable-large-secmem + +override_dh_auto_build-arch: + dh_auto_build --builddirectory=build-gpgv-udeb + dh_auto_build --builddirectory=build + dh_auto_build --builddirectory=build-maintainer + cp -a build-gpgv-udeb build-gpgv-static + rm -f build-gpgv-static/g10/gpgv + cd build-gpgv-static/g10 && $(MAKE) LDFLAGS="$$LDFLAGS $(GPGV_STATIC_HARDENING) -static" gpgv + mv build-gpgv-static/g10/gpgv build-gpgv-static/g10/gpgv-static + +override_dh_auto_build-indep: + mkdir -p build-gpgv-win32 + cd build-gpgv-win32 && $(WIN32_FLAGS) ../configure \ + $(foreach x, $(GPGV_UDEB_UNNEEDED), --disable-$(x)) \ + $(foreach x, libgpg-error libgcrypt libassuan ksba npth, --with-$x-prefix=/usr/i686-w64-mingw32) \ + --enable-gpg2-is-gpg \ + --with-zlib=/usr/i686-w64-mingw \ + --prefix=/usr/i686-w64-mingw32 \ + --host i686-w64-mingw32 + cd build-gpgv-win32/common && $(WIN32_FLAGS) $(MAKE) libcommon.a + cd build-gpgv-win32/common && $(WIN32_FLAGS) $(MAKE) libgpgrl.a + cd build-gpgv-win32/common && $(WIN32_FLAGS) $(MAKE) libsimple-pwquery.a + cd build-gpgv-win32/kbx && $(WIN32_FLAGS) $(MAKE) libkeybox.a + cd build-gpgv-win32/g10 && $(WIN32_FLAGS) $(MAKE) 
gpgv.exe + strip build-gpgv-win32/g10/gpgv.exe + + +override_dh_auto_test: + #dh_auto_test --builddirectory=build -- verbose=3 TESTFLAGS=$(AUTOTEST_FLAGS) + +override_dh_shlibdeps: +# Make ldap a recommends rather than a hard dependency. + dpkg-shlibdeps -Tdebian/dirmngr.substvars -dRecommends debian/dirmngr/usr/lib/gnupg/dirmngr_ldap -dDepends debian/dirmngr/usr/bin/dirmngr* + dh_shlibdeps -Ndirmngr + +# visualizations of package dependencies: +debian/%.png: debian/%.dot + dot -T png -o $@ $< diff --git a/scdaemon.examples b/scdaemon.examples new file mode 100644 index 0000000..29f41a8 --- /dev/null +++ b/scdaemon.examples @@ -0,0 +1 @@ +doc/examples/scd-event diff --git a/scdaemon.install b/scdaemon.install new file mode 100644 index 0000000..5b7bd35 --- /dev/null +++ b/scdaemon.install @@ -0,0 +1,2 @@ +debian/org.gnupg.scdaemon.metainfo.xml usr/share/metainfo +debian/tmp/usr/lib/gnupg/scdaemon diff --git a/scdaemon.manpages b/scdaemon.manpages new file mode 100644 index 0000000..9efee23 --- /dev/null +++ b/scdaemon.manpages @@ -0,0 +1 @@ +debian/tmp/usr/share/man/man1/scdaemon.1 diff --git a/scdaemon.udev b/scdaemon.udev new file mode 100644 index 0000000..b0d8fd8 --- /dev/null +++ b/scdaemon.udev 
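Review bot: In `rules`, the only recipe line of `override_dh_auto_test` is commented out, so the package builds without ever running the upstream test suite, even though configure is still given `--enable-all-tests` and `AUTOTEST_FLAGS` is still computed above. For a package whose job is signature verification and key handling, the suite should run at build time: restore `dh_auto_test --builddirectory=build -- verbose=3 TESTFLAGS=$(AUTOTEST_FLAGS)`. If it has to stay off on this port, add the architecture to the existing `ifeq` filter and say why in a comment. Separately, `--with-zlib=/usr/i686-w64-mingw` in the win32 configure call lacks the `32` suffix that every other prefix there carries, which looks like a typo for `--with-zlib=/usr/i686-w64-mingw32`.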
@@ -0,0 +1,63 @@ +# do not edit this file, it will be overwritten on update + +SUBSYSTEM!="usb", GOTO="gnupg_rules_end" +ACTION!="add", GOTO="gnupg_rules_end" + +# USB SmartCard Readers +## Cherry GmbH (XX33, ST2000) +SUBSYSTEM=="usb", ATTR{idVendor}=="046a", ATTR{idProduct}=="0005", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="046a", ATTR{idProduct}=="0010", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="046a", ATTR{idProduct}=="003e", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## SCM Microsystems, Inc (SCR331-DI, SCR335, SCR3320, SCR331, SCR3310 and SPR532) +SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5111", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5115", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5116", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5117", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="e001", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="e003", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Omnikey AG (CardMan 3821, CardMan 6121) +SUBSYSTEM=="usb", ATTR{idVendor}=="076b", ATTR{idProduct}=="3821", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="076b", ATTR{idProduct}=="6622", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Gemalto +SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="3437", ENV{ID_SMARTCARD_READER}="1", 
ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="3438", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="3478", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="34c2", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="34ec", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Reiner (SCT cyberJack) +SUBSYSTEM=="usb", ATTR{idVendor}=="0c4b", ATTR{idProduct}=="0500", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Kobil (KAAN) +SUBSYSTEM=="usb", ATTR{idVendor}=="0d46", ATTR{idProduct}=="2012", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## VASCO (DIGIPASS 920) +SUBSYSTEM=="usb", ATTR{idVendor}=="1a44", ATTR{idProduct}=="0920", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Crypto Stick +SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4107", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Nitrokey +SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4108", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4109", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4211", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Gnuk Token +SUBSYSTEM=="usb", ATTR{idVendor}=="234b", ATTR{idProduct}=="0000", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Alcor Micro Corp cardreader (in ThinkPad X250) +SUBSYSTEM=="usb", ATTR{idVendor}=="058f", ATTR{idProduct}=="9540", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" 
+## Fujitsu Siemens +SUBSYSTEM=="usb", ATTR{idVendor}=="0bf8", ATTR{idProduct}=="1006", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +## Yubico +# Yubikey NEO OTP+CCID +SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0111", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey NEO CCID +SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0112", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey NEO U2F+CCID +SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0115", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey NEO OTP+U2F+CCID +SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0116", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey 4 CCID +SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0404", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey 4 OTP+CCID +SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0405", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey 4 U2F+CCID +SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0406", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" +# Yubikey 4 OTP+U2F+CCID +SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg" + +LABEL="gnupg_rules_end" diff --git a/simplified-package-dependencies.dot b/simplified-package-dependencies.dot new file mode 100644 index 0000000..2edb3fb --- /dev/null +++ b/simplified-package-dependencies.dot 
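Review bot: In scdaemon.udev the Yubico rules match with `ATTRS{idVendor}`/`ATTRS{idProduct}` while every earlier rule uses `ATTR{...}`. `ATTRS` also matches attributes found on parent devices, so these rules set `ID_SMARTCARD_READER` on child devices in the `usb` subsystem (the interfaces) as well as on the token itself. Other rules may key access decisions on that property (systemd's uaccess rules do so for smart-card readers; worth confirming for the target release), so the match should be no wider than the device, e.g. `SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0111", ...`. The repeated `SUBSYSTEM=="usb"` on each rule is redundant after the `GOTO="gnupg_rules_end"` guard at the top, which a short comment there could state.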
@@ -0,0 +1,43 @@ +#!/usr/bin/dot + +# interrelationships between binary packages produced by gnupg2 source +# package, if we were to move to the simplified package structure: + +# it would be good to graph the external dependencies as well. + +digraph gnupg2 { + # odd-duck packages: + node [shape=box]; + gpgv_udeb [label="gpgv-udeb"]; + gpgv_static [label="gpgv-static"]; + gpgv_win32 [label="gpgv-win32"]; + + # meta-packages, transitional packages: + node [shape=diamond]; + gnupg_agent [label="gnupg-agent"]; + gnupg2; + gpgv2; + gpgsm; + dirmngr; + + node [shape=ellipse]; + gnupg_l10n [label="gnupg-l10n"]; + + # depends: + edge [color=black]; + scdaemon -> gnupg; + gnupg2 -> gnupg; + gnupg_agent -> gnupg; + gpgsm -> gnupg; + dirmngr -> gnupg; + gpgv2 -> gpgv; + + # recommends: + edge [color=red]; + gnupg -> gnupg_l10n; + gnupg -> gpgv; + + # suggests: + edge [color=blue]; + gpgv -> gnupg; +} diff --git a/source/format b/source/format new file mode 100644 index 0000000..163aaf8 --- /dev/null +++ b/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/source/lintian-overrides b/source/lintian-overrides new file mode 100644 index 0000000..14caca0 --- /dev/null +++ b/source/lintian-overrides @@ -0,0 +1,2 @@ +# doc merely references / cites IETF RFC: +gnupg2 source: license-problem-non-free-RFC doc/OpenPGP diff --git a/source/options b/source/options new file mode 100644 index 0000000..f0f8ede --- /dev/null +++ b/source/options @@ -0,0 +1,3 @@ +# let dpkg-source create a debian.tar.bz2 with maximal compression +compression = "bzip2" +compression-level = 9 diff --git a/systemd-environment-generator/90gpg-agent b/systemd-environment-generator/90gpg-agent new file mode 100755 index 0000000..38fea9c --- /dev/null +++ b/systemd-environment-generator/90gpg-agent 
@@ -0,0 +1,10 @@ +#!/bin/bash + +# Author: rufo +# See https://bugs.debian.org/855868 + +if [ -n "$(gpgconf --list-options gpg-agent | \ + awk -F: '/^enable-ssh-support:/{ print $10 }')" ]; then + echo SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) + echo GSM_SKIP_SSH_AGENT_WORKAROUND=true +fi diff --git a/tests/control b/tests/control new file mode 100644 index 0000000..9178821 --- /dev/null +++ b/tests/control @@ -0,0 +1,3 @@ +Tests: gpgv-win32 +Depends: gpgv-win32, gnupg2, gpgv2 +Restrictions: needs-root, allow-stderr diff --git a/tests/gpgv-win32 b/tests/gpgv-win32 new file mode 100755 index 0000000..2e93882 --- /dev/null +++ b/tests/gpgv-win32 
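Review bot: In systemd-environment-generator/90gpg-agent, `echo SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)` uses the command substitution unquoted and unchecked. If `gpgconf` fails or prints nothing, the script still emits an empty `SSH_AUTH_SOCK=`, which presumably replaces any working agent socket in the session environment. A socket path containing whitespace is also word-split and re-joined by `echo`. Capture and test the value first: `sock=$(gpgconf --list-dirs agent-ssh-socket) && [ -n "$sock" ] && printf 'SSH_AUTH_SOCK=%s\n' "$sock"`. Nothing in the script needs bash, so `#!/bin/sh` would do.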
@@ -0,0 +1,54 @@ +#!/bin/sh + +set -e + +export GNUPGHOME=$(mktemp -d) + +arch=$(dpkg --print-architecture) + +case "$arch" in + amd64) + if ! dpkg --print-foreign-architectures | grep -Fqx i386; then + echo "I: setting up multiarch" + dpkg --add-architecture i386 + apt update # FIXME you might want to try this up to some N times to avoid failures on temporary network issues + fi + ;; + arm64) + if ! dpkg --print-foreign-architectures | grep -Fqx armhf; then + echo "I: setting up multiarch" + dpkg --add-architecture armhf + apt update # FIXME you might want to try this up to some N times to avoid failures on temporary network issues + fi + ;; + i386|armel|armhf|powerpc) + : nothing, tests should just work + ;; + *) + echo "I: skipping tests on $arch; only works on amd64, i386, arm64, armhf, armel, and powerpc" + exit + ;; +esac + +if ! dpkg-query --status wine32 | grep -Fqx 'Status: install ok installed'; then + DEBIAN_FRONTEND=noninteractive apt install -qy wine32 # FIXME ditto +fi + +echo 'no-allow-loopback-pinentry:16' | gpgconf --change-options gpg-agent + +# Generate a minimal signing key: +gpg2 --batch --debug-quick-random --pinentry-mode loopback --passphrase '' --quick-gen-key 'Test key for gpgv-win32 ' + +gpg2 -o "$GNUPGHOME/key.gpg" --export test-key@example.com + +# Sign this very script +rm -f "${0}.gpg" +gpg2 --output "${0}.gpg" --detach-sign "${0}" + +# Verify using gpgv +gpgv2 --keyring "$GNUPGHOME/key.gpg" "${0}.gpg" "${0}" + +# Verify using gpgv.exe +wine /usr/share/win32/gpgv.exe --keyring "Z://${GNUPGHOME}/key.gpg" "${0}.gpg" "${0}" + +rm -rf "$GNUPGHOME" diff --git a/upstream/signing-key.asc b/upstream/signing-key.asc new file mode 100644 index 0000000..1e57599 --- /dev/null +++ b/upstream/signing-key.asc 
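Review bot: In tests/gpgv-win32, `export GNUPGHOME=$(mktemp -d)` hides a `mktemp` failure from `set -e`, because the exit status is that of `export`. With an empty `GNUPGHOME`, the later `gpgconf --change-options gpg-agent` and key generation would presumably act on root's real GnuPG home, since the test runs with `needs-root`. Cleanup is also a single `rm -rf` on the last line, so any failing step leaves the directory and its secret test key behind. Assign and export separately and clean up from a trap: `GNUPGHOME=$(mktemp -d)`, `export GNUPGHOME`, `trap 'rm -rf "$GNUPGHOME"' EXIT`. The script also runs `dpkg --add-architecture` and `apt install`, so the `Restrictions:` line in tests/control should declare `breaks-testbed`.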
@@ -0,0 +1,109 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2 + +mQENBE0ti4EBCACqGtKlX9jI/enhlBdy2cyQP6Q7JoyxtaG6/ckAKWHYrqFTQk3I +Ue8TuDrGT742XFncG9PoMBfJDUNltIPgKFn8E9tYQqAOlpSA25bOb30cA2ADkrjg +jvDAH8cZ+fkIayWtObTxwqLfPivjFxEM//IdShFFVQj+QHmXYBJggWyEIil8Bje7 +KRw6B5ucs4qSzp5VH4CqDr9PDnLD8lBGHk0x8jpwh4V/yEODJKATY0Vj00793L8u +qA35ZiyczUvvJSLYvf7STO943GswkxdAfqxXbYifiK2gjE/7SAmB+2jFxsonUDOB +1BAY5s3FKqrkaxZr3BBjeuGGoCuiSX/cXRIhABEBAAG0Fldlcm5lciBLb2NoIChk +aXN0IHNpZymJAT4EEwECACgFAk0ti4ECGwMFCRDdnwIGCwkIBwMCBhUIAgkKCwQW +AgMBAh4BAheAAAoJECSbOdJPJeO2PlMIAJxPtFXf5yozPpFjRbSkSdjsk9eru05s +hKZOAKw3RUePTU80SRLPdg4AH+vkm1JMWFFpwvHlgfxqnE9rp13o7L/4UwNUwqH8 +5zCwu7SHz9cX3d4UUwzcP6qQP4BQEH9/xlpQS9eTK9b2RMyggqwd/J8mxjvoWzL8 +Klf/wl6jXHn/yP92xG9/YA86lNOL1N3/PhlZzLuJ6bdD9WzsEp/+kh3UDfjkIrOc +WkqwupB+d01R4bHPu9tvXy8Xut8Sok2zku2xVkEOsV2TXHbwuHO2AGC5pWDX6wgC +E4F5XeCB/0ovao2/bk22w1TxzP6PMxo6sLkmaF6D0frhM2bl4C/uSsq5AQ0ETS2L +gQEIAKHwucgbaRj0V7Ht0FnM6RmbqwZ7IFV2lR+YN1gkZaWRRCaJoPEZFKhhPEBX +1bDVwr/iTPaPPEtpi7oQoHk65yeLrhtOmXXpNVkV/5WQjAJIrWn+JQ3z/ZejxHUL +hzKsGg5FC6pRYcEyzRXHtv4BO9kBIKNVirZjEkQG4BnIrQgl6e2YFa47GNMqcQH7 +nJdwG1cGQOZOIDQQM41gBzwoSrStMA6DjHkukFegKfcSbSLArBtYNAwTwmW7RqOM +EJwlo0+NYx2Yn75x66bYwdlsP0FLOgez/O/IxoPRxXr0l4e+uj6dFHqvBi04dx6J +sPmXEyeAyLiCWSh7Rwq8uIhBUBUAEQEAAYkBJQQYAQIADwUCTS2LgQIbIAUJEN2f +AgAKCRAkmznSTyXjtrsSCACRNgfGkD0OqOiwYo1/+KyWnrQLusVvSYOw8hN66geU +3BO8iQ0Koy+m0QKY1kWjaHwewpg8ZebY4E2sHbNIC9Spyiyz29sAJ2invf4/4Mep +TgpxNiw4+XmykCkN1AfVhvMTQXMzRbO5ZwRtPpjsMr1j5vX1s6U3/RxSAItpAkCu +1GGTTOH0r12Ochc/um+QGAyO6WUj/IiZ1MX7toXW0SCo8DSl8z5Q7KmJWF6TQLK1 +Lku4bIVG1Huwo1/0WHc2vCad5BxHjgoy8TsKLTmvYQZWtnjWvQGV2UOABYWcacut +ZXQQ2PPCIY7LlpuS/45CXWbT5Y+mxY3y7dbz4aF+8uyCiJwEEAECAAYFAk0tjQQA +CgkQU7Yg0BzgxjBGTwQAi5qzI6cJslbyOl+TeDZVnLV0FmPuDg8dojvQrVDPxfem +IjxZZoMLCVM8ly8AC2JPrIYfN040C343saIc0tTtOwwmVMuy7G/Uex22CdWH/0HB +MpG4gFuOuQmW9QQDjEdh1DgwU2gAWonX54ZlMybWss+2NCikRwMflVUupH57BauZ +AQ0EVFA7IwEIAOYQcDfRdzqin/vZlwl1AyuJW+cDI3bYvesRtOIAJ+8FqOzp+nOZ 
+7a4mULkXUeRh3HcO91wughXoR3qP3klWIlqgTQQHxPVM25BEvnGPuMA86lWnKoSs +Xe9F5h0IMiu6aURvzMJC9VMgKwhhgCjejFf9n8zuiBkMN457Ubnt/9jxhpxmorDQ +Cpb7bR1mfdbsuCmOXwTNfbkAoGXceL/P6z9PskKrFk8CVCr8pseRiHzWgib4Bfr/ +mj68LKcQTH/Y6R16g154eC6PAvxrEDA+hgpVX0I7L781Byh9nqC+KDX5LvlGuQbg +B2IvrgLs6lfU3aRfTwqUDMj37rmXJTDy3TMAEQEAAbQyTklJQkUgWXV0YWthIChH +bnVQRyBSZWxlYXNlIEtleSkgPGduaWliZUBmc2lqLm9yZz6JATwEEwEIACYFAlRQ +OyMCGwMFCQPCZwAFCwcICQMEFQgJCgUWAgMBAAIeAQIXgAAKCRAgcbCKM70/BnX/ +CADQspqXXAVlrwU9SidzYbPAT1iGRmIkHwoD9rtPr/9xbg3jr8azCKpknE3VF0qz +UH6unsQwxTduGhey0sFwhi96WOqHiU8FYKxNPb786nACaCfOOB1MdymcIxMQ51mS +0PlIqtOPa1VpZcCVYr9SwQRqcDdy/Oh/Ljifuub4Shrs/VgYIcv74iGyLroSVt6G +KVNP/HFyQddSOLVcO+hqAQQ0QeTmPhnaaFa2OcZyW+6IGRLhd7N7M0xb988DKllf +huRRE1sZ3yO2RvcSq35u/5lChID5SS/wA9oDOPyVFLD4JiMPGmgzSO2aI+uT678O +jjoI5UD8hfbZpg1PZjYqhYlXuQENBFRQOyMBCAC94CWuMHLmP1B7oFxU0FjKv3D6 +RTpLSLqC/nqRWeKVdlSddR4LnO/r9ahRsGgekAEVyeD04SKAD7g3OWMhWvEsK6aY +gmzc0cLJCJRTsLW+X7kRWo33KUAKIpKYO8VF8iErWejajvo5UgN3y1V/anqlBU45 +DalLk/mu6JXOr6t7u83+IscTrFQTkW17wOxoc6i9zDOU1FoWZFyNU+hxpPCGndfn +S25qzaEpb1qzxYoHpyttCkGX4R3siX6gAkRLIPhsYK4sZihBZhTBgHdAVYSYkCrK +hRNWoSb3XpUhdT5l88uPozwxXruXmzk6WCv6ZdCJ+0rGShwJjU1j6g+Fksk9ABEB +AAGJASUEGAEIAA8FAlRQOyMCGwwFCQPCZwAACgkQIHGwijO9Pwbgqwf7BfdPgAkx +Mrt0BJeLJu1ItnCQ4cZ8rbuS5gwAxrY80QXDoJquwRWs1AXaBu0VW+9KvWdp0uhQ +b0Wy7fv40rRtC+T8nuE/1jaf2byMIfQwPVp3ODH+O3WZew1KvrQZquDKimgHxRso +WH5vq2VjohI8oQuQNN8AYeyxYo74eB8+3WfUrdw4MYiJcKd20MjoZZS16Klb99qm +LVZfE/dt/+wwZYFB7cpb5vvvE1voqS+ycD2Rt0irRg6ulw7OXoUrJ25sfkrv9otD +omDl9V//pyJZSp+IiwK4r0xnk8sjXHgXkzUdIyS0AB17Aw1+G2sbUKyX/SdOgzN7 +D8qEd3C7n53TwpkBDQRUUF8HAQgAh1mo8r+kVWVTNsNlyurm2tdZKiQbdeVgpBgc +DnqI3fAV58C3nC8DVuK5qVGZPB/jbu42jc8BXGP1l6UP+515LQL5GpTtV0pRWUO0 +2WOuTLZBVQcq53vzbg1xVo31rWV96mqGAPs8lGUCm09fpuiVKQojO6/Ihkg7/bnz +eSbcX5Xk9eKLhyB7tnakuYJeRYm4bjs+YDApK8IFQyevYF8pjTcbLTSNJPW9WLCs +ozsy11r4xdfRcTWjARVz5VzTnQ+Px8YtsnjQ3qwNJBpsqMLCdDN7YGhh/mlwPjgd +q/UFf5+bY6f3ew0vshBqInBQycBSmYyoX0Ye3sAS/OR4nu5ZaQARAQABtD5EYXZp 
+ZCBTaGF3IChHbnVQRyBSZWxlYXNlIFNpZ25pbmcgS2V5KSA8ZHNoYXdAamFiYmVy +d29ja3kuY29tPokBPgQTAQIAKAUCVFBfBwIbAwUJCbp27gYLCQgHAwIGFQgCCQoL +BBYCAwECHgECF4AACgkQBDdvPuCFaVmIoQf+POxCWkCTicRVlq0kust/iwYO1egK +9FWG130e2Irnv2lAZZN/0S5ibjHCYFp9gfMgmtVTF5oWXjSDAy/kIykQBBcUVx4S +CJbdMtKSdsSIQMz6P4DxXumxQm79msOsbi5TsdtUwjqdrbu2sHloE7ck/hTXUCkX +3zuqtxY7W23BCQxVVT5qUaFuAHkkQaaBgAb8gdgixmkIBfu9u8k3k9zUKm/PNfMj +xClvORkP8gev+XyzNgcXM49h5YYlmDT+Ahv99nUM1wg8yJTjefBAY0fL982Scx30 +nDQO3w7ihALUoj5+TXQjhs3sWPJ8u3pstr9XcfzEZC77/CZmRYNr8g5hBrkBDQRU +UF8HAQgAodT0id+C6PMV7C8JxE8POGvX2wA6QLw29ESO0Ws8+Jq9EPQ3114mH+sC ++kDsweCDMyaY34i8gvh6hWxG9JfZmSkRUv0QX2zvlcwr8SOZ9dXzrV7ip+QgpzO2 +2eYRnH/RB+KWfFzqSop51sd1Uls41qKphDEm/ZAnnTwxYWX6jElOCpIuemTAiSxp +qtjPXVftchSEy06/bDRFuC4FevfU5aWTg3FSZEZpk0KF5RZBdzvOfX9PwHf2Fxhg +QtLkAsdvvWzDToYD0qOecM/MGt1doryBo8IkAiHJ+TRNyVi6/fAq/rig3brF5ETG +N7W5IRRGoLetY++4YO+1gY7Ea+1tZwARAQABiQElBBgBAgAPBQJUUF8HAhsgBQkJ +unbuAAoJEAQ3bz7ghWlZ6PAH/iTMC5+H/Ynj7G1KOjhyoufPoM+j+g4Ec8RmEA6v +YOWIi8F4AU86iS6Sq2HkZXSKxLgAYbWuseFHS6QA/qZPDPdIv8TceE3jMW3ZEmmm +nCsS6cmkQhpjRCKuWGfaOyZIEV2BT6Ere+MU5jU+wRqkbJGk1BS8myQHkZRN/5dg +fo5syFYKY4T64Z7DvlbQF70cCARlsIwk4lN6QJ/iqaHR9c2sWtzHfxAvdctApdg5 +w8GRcEpdDMieejha/lBMRTYVWY1vrEg++mkkhvCOkBilDFFCVojOnSdTJy7dNZji +BlEFwlmcjLq984C5FRwj5+eN0Bev5hZsWobLeRqt8QOGMlG5AQ0EVFBfBwEIAK4b +kUPSxSlmE8GHAI4FNQDA+QZzIvLPpf1p5JqFULpJeelwfVtbj6qOfPKwXVvam0yH +OiyrMnffdlZ/6+QXjP665RdbsPzEDPxCH972eGmdw8yV95wmPCVaoyBTH9XBDTX2 +52h0vPjgcbbOLUvUuYBV8C74ir6ESoA20g/rjYEGjJ/UAtgBGIfMo0Vk2Qc6/7wx +M3jNPxUc/6h5oiggUkgdbFcgzC2sOAUj3nJ0CS01dNPJuAlGPRjig9o61/PiumSO +Vy98efAetsjLLS00ysAmjxj7eFuxnf73TJOyAItKZPv3i7K4LIgMZXwL71Ox00zU +dzm6H+/JomSorqtLlOUAEQEAAYkBJQQYAQIADwUCVFBfBwIbDAUJCbp27gAKCRAE +N28+4IVpWbkxB/0azsvpA9eJPr6oNu3Iw4aCvLQi9I2jodGXpsNg3GN+ATp3PKMi +21KsneqkYXzwxY+27HAwNSQEmMeyOh37nkPXJMlBgJ0+aV7J2nAj3as310gnV3kY +Id8NXvLi+YLngqfTyQpxedDhBeSyTYLAP96mDtUuGFQ9/TWBF0wjZkBqFllnsmmU +Cs9lMmdaFUk1cT1/R1vwiGz1mAaUzyP2NNUnXsoE25TkeXg+Kf95QkxS0C3C9S+c 
+A4jCCHXEuGFxMe4+6IbubsVepIUFrlzbUaYpYB8lwFQutoSJ1qLc2jFcW00Qy2Z2 +SOVYJ5oyMhZNei0ZFsgQ9tp2PhtICjm5JfvPmQENBFRDqVIBCAC0k8eZKDmNqdma +wOlJ/m62L2g8uXT/+/vAEGb1yaib09xI6tfGXzbqlDwrLIZcJsSIT/nt/ajJnIVb +c3137va4XbwMzsDpAMH4mmiToqk+izEChGm2knzrLwhoflR8aGsKL35QoZT/erdj +fgPeCRLvf25fHsN2Jb0WIMzC56VkMeFoza+9HZ5hrkemmm+gPvIvhEUopxCyOS8m +K5WjB4zzIdyDJfkqVpHvafNP0N4LIsedKdyHcj/K3kY4Kejl99GW1z1snBgPamoN +2/e52Pf6KTw2FjsSGZ72oalcrkBR4wacUizGxKcRD2Y6Xa0g9mwToWdNBQCIII+u +TzOzq1EDABEBAAG0IVdlcm5lciBLb2NoIChSZWxlYXNlIFNpZ25pbmcgS2V5KYkB +PQQTAQgAJwUCVEOpUgIbAwUJC6oF9QULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAK +CRCKhhscfv1g2aH7B/wIW6mVmTmzW2xc1q1MUdssExQBhEeONrbWJ/HiGZP/Maab +gQ/+wZuThTAwfGM5zFQBOvrBOGURhINU6lYQlcOrVo+V8Z1mNQKFWaKxJaY5Ku1b +B1OuX9FHLEiMibogHu5fjJIXBE8XrnvueejyFQ5g/uX2xcGgCWlMe49sR3K+lEl3 +n93xTmSNhP52r0gTjMjbqKWKUaIGJ5OcWSrvawdfqLXkxR8phq2AlHHEfxpcZsOp +9mZirWYQ5jcgGgFP0LYXUw/RnxFpOcrj45qufmyEL9QJKjBV5RaHJbqukefwUInP +QtVUmINqQxztSh5QxQP2tsUPIeEi5RAoCwLJam8z +=PXPh +-----END PGP PUBLIC KEY BLOCK----- diff --git a/watch b/watch new file mode 100644 index 0000000..e1c393d --- /dev/null +++ b/watch @@ -0,0 +1,5 @@ +version=4 + +opts=pgpsigurlmangle=s/$/.sig/ \ + https://gnupg.org/ftp/gcrypt/gnupg/gnupg@ANY_VERSION@@ARCHIVE_EXT@ \ + debian -- 2.30.2