From: Clemens Gruber <clemens.gruber@pqgruber.com>
To: ptxdist@pengutronix.de
Cc: Clemens Gruber <clemens.gruber@pqgruber.com>
Subject: [ptxdist] [PATCH 5/5] gnupg: bump version and add gpgv patch from debian
Date: Mon, 17 Oct 2016 18:04:56 +0200 [thread overview]
Message-ID: <20161017160456.9396-5-clemens.gruber@pqgruber.com> (raw)
In-Reply-To: <20161017160456.9396-1-clemens.gruber@pqgruber.com>
Update to latest GnuPG stable and add patch to improve default security
when using gpgv.
Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---
Note:
The enable-build-timestamp option is not available in the stable version
I looked into moving to the modern GnuPG version 2.1.x with ECC support
but ran into problems. I therefore bumped only the minor version.
| 44 ++++++++++++++++++++++
patches/gnupg-2.0.30/series | 1 +
rules/gnupg.make | 5 +--
3 files changed, 47 insertions(+), 3 deletions(-)
create mode 100644 patches/gnupg-2.0.30/0001-gpgv-tweak-default-options-for-extra-security.patch
create mode 100644 patches/gnupg-2.0.30/series
--git a/patches/gnupg-2.0.30/0001-gpgv-tweak-default-options-for-extra-security.patch b/patches/gnupg-2.0.30/0001-gpgv-tweak-default-options-for-extra-security.patch
new file mode 100644
index 0000000..ea5c439
--- /dev/null
+++ b/patches/gnupg-2.0.30/0001-gpgv-tweak-default-options-for-extra-security.patch
@@ -0,0 +1,44 @@
+From b531f2fd75be3f616073cba714d73324525fd3e4 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Sat, 9 Jul 2016 10:20:02 +0900
+Subject: [PATCH] gpgv: Tweak default options for extra security.
+
+* g10/gpgv.c (main): Set opt.no_sig _cache, so that it doesn't depend on
+cached status. Similarly, set opt.flags.require_cross_cert for backsig
+validation for subkey signature.
+
+--
+
+(backport of master
+commit e32c575e0f3704e7563048eea6d26844bdfc494b)
+
+It is common that an organization distributes binary keyrings with
+signature cache (Tag 12, Trust Packet) and people use gpgv to validate
+signature with such keyrings. In such a use case, it is possible that
+the key validation itself is skipped.
+
+For the purpose of gpgv validation of signatures, we should not depend
+on signature cache in keyrings (if any), but we should validate the key
+by its self signature for primary key, and back signature for subkey.
+
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ g10/gpgv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/g10/gpgv.c b/g10/gpgv.c
+index b700f17..3b48a0e 100644
+--- a/g10/gpgv.c
++++ b/g10/gpgv.c
+@@ -163,6 +163,8 @@ main( int argc, char **argv )
+ opt.pgp2_workarounds = 1;
+ opt.keyserver_options.options|=KEYSERVER_AUTO_KEY_RETRIEVE;
+ opt.trust_model = TM_ALWAYS;
++ opt.no_sig_cache = 1;
++ opt.flags.require_cross_cert = 1;
+ opt.batch = 1;
+
+ opt.homedir = default_homedir ();
+--
+2.8.0.rc3
+
diff --git a/patches/gnupg-2.0.30/series b/patches/gnupg-2.0.30/series
new file mode 100644
index 0000000..62a2fae
--- /dev/null
+++ b/patches/gnupg-2.0.30/series
@@ -0,0 +1 @@
+0001-gpgv-tweak-default-options-for-extra-security.patch
diff --git a/rules/gnupg.make b/rules/gnupg.make
index 15e78eb..39f1687 100644
--- a/rules/gnupg.make
+++ b/rules/gnupg.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_GNUPG) += gnupg
#
# Paths and names
#
-GNUPG_VERSION := 2.0.26
-GNUPG_MD5 := fa7e704aad33eb114d1840164455aec1
+GNUPG_VERSION := 2.0.30
+GNUPG_MD5 := 01bb47e669a78eaca90dbe6b4b4acc24
GNUPG := gnupg-$(GNUPG_VERSION)
GNUPG_SUFFIX := tar.bz2
GNUPG_URL := ftp://ftp.gnupg.org/gcrypt/gnupg/$(GNUPG).$(GNUPG_SUFFIX)
@@ -40,7 +40,6 @@ GNUPG_CONF_OPT := $(CROSS_AUTOCONF_USR) \
--disable-doc \
--disable-gpgtar \
--disable-exec \
- --disable-exec \
--disable-photo-viewers \
--disable-keyserver-helpers \
--disable-ldap \
--
2.10.0
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
prev parent reply other threads:[~2016-10-17 16:08 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-17 16:04 [ptxdist] [PATCH 1/5] libgpg-error: bump version Clemens Gruber
2016-10-17 16:04 ` [ptxdist] [PATCH 2/5] libassuan: bump version and make build more reproducible Clemens Gruber
2016-10-17 16:04 ` [ptxdist] [PATCH 3/5] libksba: " Clemens Gruber
2016-10-17 16:04 ` [ptxdist] [PATCH 4/5] libgcrypt: " Clemens Gruber
2016-10-17 16:04 ` Clemens Gruber [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161017160456.9396-5-clemens.gruber@pqgruber.com \
--to=clemens.gruber@pqgruber.com \
--cc=ptxdist@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox