* [ptxdist] [PATCH 2/5] libassuan: bump version and make build more reproducible
From: Clemens Gruber @ 2016-10-17 16:04 UTC (permalink / raw)
To: ptxdist; +Cc: Clemens Gruber
Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---
rules/libassuan.make | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/rules/libassuan.make b/rules/libassuan.make
index 7069aa0..46bf3e3 100644
--- a/rules/libassuan.make
+++ b/rules/libassuan.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_LIBASSUAN) += libassuan
#
# Paths and names
#
-LIBASSUAN_VERSION := 2.2.0
-LIBASSUAN_MD5 := a104faed3e97b9c302c5d67cc22b1d60
+LIBASSUAN_VERSION := 2.4.3
+LIBASSUAN_MD5 := 8e01a7c72d3e5d154481230668e6eb5a
LIBASSUAN := libassuan-$(LIBASSUAN_VERSION)
LIBASSUAN_SUFFIX := tar.bz2
LIBASSUAN_URL := ftp://ftp.gnupg.org/gcrypt/libassuan/$(LIBASSUAN).$(LIBASSUAN_SUFFIX)
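Review bot: the new LIBASSUAN_MD5 line is the only integrity check on a tarball that the unchanged LIBASSUAN_URL fetches over plain ftp, so the commit message should say where the checksum for 2.4.3 came from; stating that the tarball was checked against the upstream signature before its MD5 was recorded lets a reviewer tell a verified checksum from one copied off whatever the server happened to deliver.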
@@ -32,7 +32,12 @@ LIBASSUAN_LICENSE_FILES := \
# Prepare
# ----------------------------------------------------------------------------
-LIBASSUAN_CONF_TOOL := autoconf
+#
+# autoconf
+#
+LIBASSUAN_AUTOCONF := \
+ $(CROSS_AUTOCONF_USR) \
+ --enable-build-timestamp="$(PTXDIST_VERSION_YEAR)-$(PTXDIST_VERSION_MONTH)-01T00:00+0000"
# ----------------------------------------------------------------------------
# Target-Install
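Review bot: the hunk drops "LIBASSUAN_CONF_TOOL := autoconf" and introduces a LIBASSUAN_AUTOCONF block instead of keeping the CONF_TOOL line and putting the new option into a LIBASSUAN_CONF_OPT variable, which is the form rules/gnupg.make uses in patch 5/5 ("GNUPG_CONF_OPT := $(CROSS_AUTOCONF_USR) \"); using one style across the series keeps the rules easier to maintain. The commit message also has no body: a line explaining that --enable-build-timestamp pins the embedded timestamp to the first of the month of the PTXdist version ("$(PTXDIST_VERSION_YEAR)-$(PTXDIST_VERSION_MONTH)-01T00:00+0000") rather than the real build time would tell future readers why the option is there and why rebuilds with the same PTXdist version are expected to produce identical binaries.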
--
2.10.0
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
* [ptxdist] [PATCH 3/5] libksba: bump version and make build more reproducible
From: Clemens Gruber @ 2016-10-17 16:04 UTC (permalink / raw)
To: ptxdist; +Cc: Clemens Gruber
Version bump, add build timestamp and enable optimizations.
Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---
rules/libksba.make | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/rules/libksba.make b/rules/libksba.make
index 68a6769..66074ff 100644
--- a/rules/libksba.make
+++ b/rules/libksba.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_LIBKSBA) += libksba
#
# Paths and names
#
-LIBKSBA_VERSION := 1.3.2
-LIBKSBA_MD5 := c3c9a66e22d87fe3ae59865250b8a09c
+LIBKSBA_VERSION := 1.3.5
+LIBKSBA_MD5 := 8302a3e263a7c630aa7dea7d341f07a2
LIBKSBA := libksba-$(LIBKSBA_VERSION)
LIBKSBA_SUFFIX := tar.bz2
LIBKSBA_URL := ftp://ftp.gnupg.org/gcrypt/libksba/$(LIBKSBA).$(LIBKSBA_SUFFIX)
@@ -33,7 +33,13 @@ LIBKSBA_LICENSE_FILES := \
# Prepare
# ----------------------------------------------------------------------------
-LIBKSBA_CONF_TOOL := autoconf
+#
+# autoconf
+#
+LIBKSBA_AUTOCONF := \
+ $(CROSS_AUTOCONF_USR) \
+ --enable-build-timestamp="$(PTXDIST_VERSION_YEAR)-$(PTXDIST_VERSION_MONTH)-01T00:00+0000" \
+ --enable-optimization
# ----------------------------------------------------------------------------
# Target-Install
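Review bot: the last added line, "--enable-optimization", changes the generated code and has nothing to do with reproducibility, yet the subject only says "bump version and make build more reproducible" and the body mentions it just as "enable optimizations"; either split it into its own commit or explain in the body why it is wanted now. As in the libassuan rule, "LIBKSBA_CONF_TOOL := autoconf" is replaced by a LIBKSBA_AUTOCONF block; keeping CONF_TOOL and adding LIBKSBA_CONF_OPT would match rules/gnupg.make in patch 5/5.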
--
2.10.0
* [ptxdist] [PATCH 4/5] libgcrypt: bump version and make build more reproducible
From: Clemens Gruber @ 2016-10-17 16:04 UTC (permalink / raw)
To: ptxdist; +Cc: Clemens Gruber
Version bump, add build timestamp, disable documentation and tests.
Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---
rules/libgcrypt.make | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/rules/libgcrypt.make b/rules/libgcrypt.make
index 9553870..4ffe6bc 100644
--- a/rules/libgcrypt.make
+++ b/rules/libgcrypt.make
@@ -17,8 +17,8 @@ PACKAGES-$(PTXCONF_LIBGCRYPT) += libgcrypt
#
# Paths and names
#
-LIBGCRYPT_VERSION := 1.5.3
-LIBGCRYPT_MD5 := 993159b2924ae7b0e4eaff0743c2db35
+LIBGCRYPT_VERSION := 1.7.3
+LIBGCRYPT_MD5 := c869e542cc13a1c28d8055487bf7f5c4
LIBGCRYPT := libgcrypt-$(LIBGCRYPT_VERSION)
LIBGCRYPT_SUFFIX := tar.bz2
LIBGCRYPT_URL := http://artfiles.org/gnupg.org/libgcrypt/$(LIBGCRYPT).$(LIBGCRYPT_SUFFIX) ftp://ftp.gnupg.org/gcrypt/libgcrypt/$(LIBGCRYPT).$(LIBGCRYPT_SUFFIX)
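Review bot: the jump from 1.5.3 to 1.7.3 skips two feature releases of libgcrypt, but the commit message ("Version bump, add build timestamp, disable documentation and tests.") says nothing about whether packages that link against it were rebuilt and tested with the new version; a sentence on that belongs in the body. While these lines are being touched, the unchanged LIBGCRYPT_URL lists a third-party http mirror (artfiles.org) ahead of ftp.gnupg.org, so for this package the new LIBGCRYPT_MD5 is the only thing between the build and a tampered tarball; stating that the checksum was taken from a signature-verified download would help.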
@@ -38,9 +38,12 @@ LIBGCRYPT_LICENSE_FILES := \
#
LIBGCRYPT_AUTOCONF := \
$(CROSS_AUTOCONF_USR) \
+ --enable-build-timestamp="$(PTXDIST_VERSION_YEAR)-$(PTXDIST_VERSION_MONTH)-01T00:00+0000" \
--enable-optimization \
--disable-random-daemon \
- --disable-asm
+ --disable-asm \
+ --disable-large-data-tests \
+ --disable-doc
#
# ASM needs MPI, which we don't have
#
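Review bot: "--disable-large-data-tests" only skips the large-data tests, not the test suite, so "disable documentation and tests" in the commit message overstates what the hunk does; say "disable large-data tests" there. Please also check the configure output of 1.7.3 for whether those tests are already off by default, in which case the flag is redundant and can be dropped from the list.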
--
2.10.0
* [ptxdist] [PATCH 5/5] gnupg: bump version and add gpgv patch from debian
From: Clemens Gruber @ 2016-10-17 16:04 UTC (permalink / raw)
To: ptxdist; +Cc: Clemens Gruber
Update to latest GnuPG stable and add patch to improve default security
when using gpgv.
Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---
Note:
The enable-build-timestamp option is not available in the stable version.
I looked into moving to the modern GnuPG version 2.1.x with ECC support
but ran into problems. I therefore bumped only the minor version.
| 44 ++++++++++++++++++++++
patches/gnupg-2.0.30/series | 1 +
rules/gnupg.make | 5 +--
3 files changed, 47 insertions(+), 3 deletions(-)
create mode 100644 patches/gnupg-2.0.30/0001-gpgv-tweak-default-options-for-extra-security.patch
create mode 100644 patches/gnupg-2.0.30/series
--git a/patches/gnupg-2.0.30/0001-gpgv-tweak-default-options-for-extra-security.patch b/patches/gnupg-2.0.30/0001-gpgv-tweak-default-options-for-extra-security.patch
new file mode 100644
index 0000000..ea5c439
--- /dev/null
+++ b/patches/gnupg-2.0.30/0001-gpgv-tweak-default-options-for-extra-security.patch
@@ -0,0 +1,44 @@
+From b531f2fd75be3f616073cba714d73324525fd3e4 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Sat, 9 Jul 2016 10:20:02 +0900
+Subject: [PATCH] gpgv: Tweak default options for extra security.
+
+* g10/gpgv.c (main): Set opt.no_sig _cache, so that it doesn't depend on
+cached status. Similarly, set opt.flags.require_cross_cert for backsig
+validation for subkey signature.
+
+--
+
+(backport of master
+commit e32c575e0f3704e7563048eea6d26844bdfc494b)
+
+It is common that an organization distributes binary keyrings with
+signature cache (Tag 12, Trust Packet) and people use gpgv to validate
+signature with such keyrings. In such a use case, it is possible that
+the key validation itself is skipped.
+
+For the purpose of gpgv validation of signatures, we should not depend
+on signature cache in keyrings (if any), but we should validate the key
+by its self signature for primary key, and back signature for subkey.
+
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ g10/gpgv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/g10/gpgv.c b/g10/gpgv.c
+index b700f17..3b48a0e 100644
+--- a/g10/gpgv.c
++++ b/g10/gpgv.c
+@@ -163,6 +163,8 @@ main( int argc, char **argv )
+ opt.pgp2_workarounds = 1;
+ opt.keyserver_options.options|=KEYSERVER_AUTO_KEY_RETRIEVE;
+ opt.trust_model = TM_ALWAYS;
++ opt.no_sig_cache = 1;
++ opt.flags.require_cross_cert = 1;
+ opt.batch = 1;
+
+ opt.homedir = default_homedir ();
+--
+2.8.0.rc3
+
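Review bot: the two added lines "opt.no_sig_cache = 1;" and "opt.flags.require_cross_cert = 1;" are the entire security change, and they affect only gpgv (g10/gpgv.c), which already runs with "opt.trust_model = TM_ALWAYS;": per the embedded message, gpgv stops trusting the signature-cache packets shipped inside a keyring and instead verifies the primary key's self-signature and the subkey's back signature itself. Two things would make this easier to review and to drop later: put the upstream ids (b531f2fd75 for the backport, e32c575e0f on master) into the ptxdist commit message rather than only inside the patch file, so the next version bump can check whether the release already contains the change; and record in the body that, with require_cross_cert set, signatures made by a subkey whose back signature is missing from the keyring will now be rejected on the target, so keyrings deployed for gpgv need to carry it.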
diff --git a/patches/gnupg-2.0.30/series b/patches/gnupg-2.0.30/series
new file mode 100644
index 0000000..62a2fae
--- /dev/null
+++ b/patches/gnupg-2.0.30/series
@@ -0,0 +1 @@
+0001-gpgv-tweak-default-options-for-extra-security.patch
diff --git a/rules/gnupg.make b/rules/gnupg.make
index 15e78eb..39f1687 100644
--- a/rules/gnupg.make
+++ b/rules/gnupg.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_GNUPG) += gnupg
#
# Paths and names
#
-GNUPG_VERSION := 2.0.26
-GNUPG_MD5 := fa7e704aad33eb114d1840164455aec1
+GNUPG_VERSION := 2.0.30
+GNUPG_MD5 := 01bb47e669a78eaca90dbe6b4b4acc24
GNUPG := gnupg-$(GNUPG_VERSION)
GNUPG_SUFFIX := tar.bz2
GNUPG_URL := ftp://ftp.gnupg.org/gcrypt/gnupg/$(GNUPG).$(GNUPG_SUFFIX)
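Review bot: the new patch directory patches/gnupg-2.0.30/ is bound to the GNUPG_VERSION set here, so the next bump has to move the series along with the version or the gpgv patch silently stops being applied; a sentence in the commit message pointing this out, together with which upstream release makes the patch unnecessary, would save the next person a surprise.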
@@ -40,7 +40,6 @@ GNUPG_CONF_OPT := $(CROSS_AUTOCONF_USR) \
--disable-doc \
--disable-gpgtar \
--disable-exec \
- --disable-exec \
--disable-photo-viewers \
--disable-keyserver-helpers \
--disable-ldap \
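Review bot: the removed duplicate "- --disable-exec" line is a good cleanup but is not mentioned in the commit message, which speaks only of the version bump and the gpgv patch; add a line such as "drop the duplicated --disable-exec" so the deletion is not mistaken for an accidental loss of an option.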
--
2.10.0