mailarchive of the ptxdist mailing list
From: Clemens Gruber <clemens.gruber@pqgruber.com>
To: ptxdist@pengutronix.de
Cc: Clemens Gruber <clemens.gruber@pqgruber.com>
Subject: [ptxdist] [PATCH 5/5] gnupg: bump version and add gpgv patch from debian
Date: Mon, 17 Oct 2016 18:04:56 +0200
Message-ID: <20161017160456.9396-5-clemens.gruber@pqgruber.com>
In-Reply-To: <20161017160456.9396-1-clemens.gruber@pqgruber.com>

Update to latest GnuPG stable and add patch to improve default security
when using gpgv.

Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---

Note:
The enable-build-timestamp option is not available in the stable version.
I looked into moving to the modern GnuPG version 2.1.x with ECC support
but ran into problems. I therefore bumped only the minor version.

 ...-tweak-default-options-for-extra-security.patch | 44 ++++++++++++++++++++++
 patches/gnupg-2.0.30/series                        |  1 +
 rules/gnupg.make                                   |  5 +--
 3 files changed, 47 insertions(+), 3 deletions(-)
 create mode 100644 patches/gnupg-2.0.30/0001-gpgv-tweak-default-options-for-extra-security.patch
 create mode 100644 patches/gnupg-2.0.30/series

diff --git a/patches/gnupg-2.0.30/0001-gpgv-tweak-default-options-for-extra-security.patch b/patches/gnupg-2.0.30/0001-gpgv-tweak-default-options-for-extra-security.patch
new file mode 100644
index 0000000..ea5c439
--- /dev/null
+++ b/patches/gnupg-2.0.30/0001-gpgv-tweak-default-options-for-extra-security.patch
@@ -0,0 +1,44 @@
+From b531f2fd75be3f616073cba714d73324525fd3e4 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Sat, 9 Jul 2016 10:20:02 +0900
+Subject: [PATCH] gpgv: Tweak default options for extra security.
+
+* g10/gpgv.c (main): Set opt.no_sig _cache, so that it doesn't depend on
+cached status.  Similarly, set opt.flags.require_cross_cert for backsig
+validation for subkey signature.
+
+--
+
+(backport of master
+commit e32c575e0f3704e7563048eea6d26844bdfc494b)
+
+It is common that an organization distributes binary keyrings with
+signature cache (Tag 12, Trust Packet) and people use gpgv to validate
+signature with such keyrings.  In such a use case, it is possible that
+the key validation itself is skipped.
+
+For the purpose of gpgv validation of signatures, we should not depend
+on signature cache in keyrings (if any), but we should validate the key
+by its self signature for primary key, and back signature for subkey.
+
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ g10/gpgv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/g10/gpgv.c b/g10/gpgv.c
+index b700f17..3b48a0e 100644
+--- a/g10/gpgv.c
++++ b/g10/gpgv.c
+@@ -163,6 +163,8 @@ main( int argc, char **argv )
+   opt.pgp2_workarounds = 1;
+   opt.keyserver_options.options|=KEYSERVER_AUTO_KEY_RETRIEVE;
+   opt.trust_model = TM_ALWAYS;
++  opt.no_sig_cache = 1;
++  opt.flags.require_cross_cert = 1;
+   opt.batch = 1;
+ 
+   opt.homedir = default_homedir ();
+-- 
+2.8.0.rc3
+
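Review bot: setting `opt.flags.require_cross_cert = 1` in `main` of g10/gpgv.c changes what gpgv accepts, because a signature made by a signing subkey that has no back signature will no longer verify, yet the ptxdist commit message only says the patch improves default security. Please state that behaviour change there so users who verify with older keyrings know to check them. The embedded changelog line also writes the first option as `opt.no_sig _cache` with a stray space while the code sets `opt.no_sig_cache`, and the patch header names the upstream master commit but not the Debian source mentioned in the subject, which would help when the patch is refreshed for the next bump.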
diff --git a/patches/gnupg-2.0.30/series b/patches/gnupg-2.0.30/series
new file mode 100644
index 0000000..62a2fae
--- /dev/null
+++ b/patches/gnupg-2.0.30/series
@@ -0,0 +1 @@
+0001-gpgv-tweak-default-options-for-extra-security.patch
diff --git a/rules/gnupg.make b/rules/gnupg.make
index 15e78eb..39f1687 100644
--- a/rules/gnupg.make
+++ b/rules/gnupg.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_GNUPG) += gnupg
 #
 # Paths and names
 #
-GNUPG_VERSION	:= 2.0.26
-GNUPG_MD5	:= fa7e704aad33eb114d1840164455aec1
+GNUPG_VERSION	:= 2.0.30
+GNUPG_MD5	:= 01bb47e669a78eaca90dbe6b4b4acc24
 GNUPG		:= gnupg-$(GNUPG_VERSION)
 GNUPG_SUFFIX	:= tar.bz2
 GNUPG_URL	:= ftp://ftp.gnupg.org/gcrypt/gnupg/$(GNUPG).$(GNUPG_SUFFIX)
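Review bot: the new `GNUPG_MD5` value is the only integrity check shown for a tarball that `GNUPG_URL` fetches over plain `ftp://`, so nothing in this hunk indicates the 2.0.30 archive was authenticated before the checksum was recorded. Please confirm the checksum was computed from a tarball verified against the upstream detached signature, and say so in the commit message.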
@@ -40,7 +40,6 @@ GNUPG_CONF_OPT := $(CROSS_AUTOCONF_USR) \
 	--disable-doc \
 	--disable-gpgtar \
 	--disable-exec \
-	--disable-exec \
 	--disable-photo-viewers \
 	--disable-keyserver-helpers \
 	--disable-ldap \
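Review bot: dropping the duplicated `--disable-exec` line in `GNUPG_CONF_OPT` is a cleanup unrelated to the version bump and the gpgv patch, and the commit message does not mention it. Add a line for it to the message or move it into a separate patch.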
-- 
2.10.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
