[ptxdist] [PATCH 1/5] libgpg-error: bump version

[ptxdist] [PATCH 1/5] libgpg-error: bump version

[Clemens Gruber]

Bump version and disable building tests.

Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---
 rules/libgpg-error.make | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/rules/libgpg-error.make b/rules/libgpg-error.make
index 93592b0..3709391 100644
--- a/rules/libgpg-error.make
+++ b/rules/libgpg-error.make
@@ -17,8 +17,8 @@ PACKAGES-$(PTXCONF_LIBGPG_ERROR) += libgpg-error
 #
 # Paths and names
 #
-LIBGPG_ERROR_VERSION	:= 1.20
-LIBGPG_ERROR_MD5	:= 9997d9203b672402a04760176811589d
+LIBGPG_ERROR_VERSION	:= 1.24
+LIBGPG_ERROR_MD5	:= feb42198c0aaf3b28eabe8f41a34b983
 LIBGPG_ERROR		:= libgpg-error-$(LIBGPG_ERROR_VERSION)
 LIBGPG_ERROR_SUFFIX	:= tar.bz2
 LIBGPG_ERROR_URL	:= \
@@ -50,7 +50,8 @@ LIBGPG_ERROR_CONF_OPT	:= \
 	--disable-rpath \
 	--enable-build-timestamp="$(PTXDIST_VERSION_YEAR)-$(PTXDIST_VERSION_MONTH)-01T00:00+0000" \
 	--disable-languages \
-	--disable-doc
+	--disable-doc \
+	--disable-tests
 
 $(STATEDIR)/libgpg-error.prepare:
 	@$(call targetinfo)
-- 
2.10.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

[ptxdist] [PATCH 2/5] libassuan: bump version and make build more reproducible

[Clemens Gruber]

Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---
 rules/libassuan.make | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/rules/libassuan.make b/rules/libassuan.make
index 7069aa0..46bf3e3 100644
--- a/rules/libassuan.make
+++ b/rules/libassuan.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_LIBASSUAN) += libassuan
 #
 # Paths and names
 #
-LIBASSUAN_VERSION	:= 2.2.0
-LIBASSUAN_MD5		:= a104faed3e97b9c302c5d67cc22b1d60
+LIBASSUAN_VERSION	:= 2.4.3
+LIBASSUAN_MD5		:= 8e01a7c72d3e5d154481230668e6eb5a
 LIBASSUAN		:= libassuan-$(LIBASSUAN_VERSION)
 LIBASSUAN_SUFFIX	:= tar.bz2
 LIBASSUAN_URL		:= ftp://ftp.gnupg.org/gcrypt/libassuan/$(LIBASSUAN).$(LIBASSUAN_SUFFIX)
@@ -32,7 +32,12 @@ LIBASSUAN_LICENSE_FILES	:= \
 # Prepare
 # ----------------------------------------------------------------------------
 
-LIBASSUAN_CONF_TOOL := autoconf
+#
+# autoconf
+#
+LIBASSUAN_AUTOCONF := \
+	$(CROSS_AUTOCONF_USR) \
+	--enable-build-timestamp="$(PTXDIST_VERSION_YEAR)-$(PTXDIST_VERSION_MONTH)-01T00:00+0000"
 
 # ----------------------------------------------------------------------------
 # Target-Install
-- 
2.10.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

[ptxdist] [PATCH 3/5] libksba: bump version and make build more reproducible

[Clemens Gruber]

Version bump, add build timestamp and enable optimizations.

Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---
 rules/libksba.make | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/rules/libksba.make b/rules/libksba.make
index 68a6769..66074ff 100644
--- a/rules/libksba.make
+++ b/rules/libksba.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_LIBKSBA) += libksba
 #
 # Paths and names
 #
-LIBKSBA_VERSION	:= 1.3.2
-LIBKSBA_MD5	:= c3c9a66e22d87fe3ae59865250b8a09c
+LIBKSBA_VERSION	:= 1.3.5
+LIBKSBA_MD5	:= 8302a3e263a7c630aa7dea7d341f07a2
 LIBKSBA		:= libksba-$(LIBKSBA_VERSION)
 LIBKSBA_SUFFIX	:= tar.bz2
 LIBKSBA_URL	:= ftp://ftp.gnupg.org/gcrypt/libksba/$(LIBKSBA).$(LIBKSBA_SUFFIX)
@@ -33,7 +33,13 @@ LIBKSBA_LICENSE_FILES := \
 # Prepare
 # ----------------------------------------------------------------------------
 
-LIBKSBA_CONF_TOOL := autoconf
+#
+# autoconf
+#
+LIBKSBA_AUTOCONF := \
+	$(CROSS_AUTOCONF_USR) \
+	--enable-build-timestamp="$(PTXDIST_VERSION_YEAR)-$(PTXDIST_VERSION_MONTH)-01T00:00+0000" \
+	--enable-optimization
 
 # ----------------------------------------------------------------------------
 # Target-Install
-- 
2.10.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

[ptxdist] [PATCH 4/5] libgcrypt: bump version and make build more reproducible

[Clemens Gruber]

Version bump, add build timestamp, disable documentation and tests.

Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---
 rules/libgcrypt.make | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/rules/libgcrypt.make b/rules/libgcrypt.make
index 9553870..4ffe6bc 100644
--- a/rules/libgcrypt.make
+++ b/rules/libgcrypt.make
@@ -17,8 +17,8 @@ PACKAGES-$(PTXCONF_LIBGCRYPT) += libgcrypt
 #
 # Paths and names
 #
-LIBGCRYPT_VERSION	:= 1.5.3
-LIBGCRYPT_MD5		:= 993159b2924ae7b0e4eaff0743c2db35
+LIBGCRYPT_VERSION	:= 1.7.3
+LIBGCRYPT_MD5		:= c869e542cc13a1c28d8055487bf7f5c4
 LIBGCRYPT		:= libgcrypt-$(LIBGCRYPT_VERSION)
 LIBGCRYPT_SUFFIX	:= tar.bz2
 LIBGCRYPT_URL		:= http://artfiles.org/gnupg.org/libgcrypt/$(LIBGCRYPT).$(LIBGCRYPT_SUFFIX) ftp://ftp.gnupg.org/gcrypt/libgcrypt/$(LIBGCRYPT).$(LIBGCRYPT_SUFFIX)
@@ -38,9 +38,12 @@ LIBGCRYPT_LICENSE_FILES	:= \
 #
 LIBGCRYPT_AUTOCONF := \
 	$(CROSS_AUTOCONF_USR) \
+	--enable-build-timestamp="$(PTXDIST_VERSION_YEAR)-$(PTXDIST_VERSION_MONTH)-01T00:00+0000" \
 	--enable-optimization \
 	--disable-random-daemon \
-	--disable-asm
+	--disable-asm \
+	--disable-large-data-tests \
+	--disable-doc
 #
 # ASM needs MPI, which we don't have
 #
-- 
2.10.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de

[ptxdist] [PATCH 5/5] gnupg: bump version and add gpgv patch from debian

[Clemens Gruber]

Update to latest GnuPG stable and add patch to improve default security
when using gpgv.

Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---

Note:
The enable-build-timestamp option is not available in the stable version
I looked into moving to the modern GnuPG version 2.1.x with ECC support
but ran into problems. I therefore bumped only the minor version.

 ...-tweak-default-options-for-extra-security.patch | 44 ++++++++++++++++++++++
 patches/gnupg-2.0.30/series                        |  1 +
 rules/gnupg.make                                   |  5 +--
 3 files changed, 47 insertions(+), 3 deletions(-)
 create mode 100644 patches/gnupg-2.0.30/0001-gpgv-tweak-default-options-for-extra-security.patch
 create mode 100644 patches/gnupg-2.0.30/series

diff --git a/patches/gnupg-2.0.30/0001-gpgv-tweak-default-options-for-extra-security.patch b/patches/gnupg-2.0.30/0001-gpgv-tweak-default-options-for-extra-security.patch
new file mode 100644
index 0000000..ea5c439
--- /dev/null
+++ b/patches/gnupg-2.0.30/0001-gpgv-tweak-default-options-for-extra-security.patch
@@ -0,0 +1,44 @@
+From b531f2fd75be3f616073cba714d73324525fd3e4 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Sat, 9 Jul 2016 10:20:02 +0900
+Subject: [PATCH] gpgv: Tweak default options for extra security.
+
+* g10/gpgv.c (main): Set opt.no_sig _cache, so that it doesn't depend on
+cached status.  Similarly, set opt.flags.require_cross_cert for backsig
+validation for subkey signature.
+
+--
+
+(backport of master
+commit e32c575e0f3704e7563048eea6d26844bdfc494b)
+
+It is common that an organization distributes binary keyrings with
+signature cache (Tag 12, Trust Packet) and people use gpgv to validate
+signature with such keyrings.  In such a use case, it is possible that
+the key validation itself is skipped.
+
+For the purpose of gpgv validation of signatures, we should not depend
+on signature cache in keyrings (if any), but we should validate the key
+by its self signature for primary key, and back signature for subkey.
+
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ g10/gpgv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/g10/gpgv.c b/g10/gpgv.c
+index b700f17..3b48a0e 100644
+--- a/g10/gpgv.c
++++ b/g10/gpgv.c
+@@ -163,6 +163,8 @@ main( int argc, char **argv )
+   opt.pgp2_workarounds = 1;
+   opt.keyserver_options.options|=KEYSERVER_AUTO_KEY_RETRIEVE;
+   opt.trust_model = TM_ALWAYS;
++  opt.no_sig_cache = 1;
++  opt.flags.require_cross_cert = 1;
+   opt.batch = 1;
+ 
+   opt.homedir = default_homedir ();
+-- 
+2.8.0.rc3
+
diff --git a/patches/gnupg-2.0.30/series b/patches/gnupg-2.0.30/series
new file mode 100644
index 0000000..62a2fae
--- /dev/null
+++ b/patches/gnupg-2.0.30/series
@@ -0,0 +1 @@
+0001-gpgv-tweak-default-options-for-extra-security.patch
diff --git a/rules/gnupg.make b/rules/gnupg.make
index 15e78eb..39f1687 100644
--- a/rules/gnupg.make
+++ b/rules/gnupg.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_GNUPG) += gnupg
 #
 # Paths and names
 #
-GNUPG_VERSION	:= 2.0.26
-GNUPG_MD5	:= fa7e704aad33eb114d1840164455aec1
+GNUPG_VERSION	:= 2.0.30
+GNUPG_MD5	:= 01bb47e669a78eaca90dbe6b4b4acc24
 GNUPG		:= gnupg-$(GNUPG_VERSION)
 GNUPG_SUFFIX	:= tar.bz2
 GNUPG_URL	:= ftp://ftp.gnupg.org/gcrypt/gnupg/$(GNUPG).$(GNUPG_SUFFIX)
@@ -40,7 +40,6 @@ GNUPG_CONF_OPT := $(CROSS_AUTOCONF_USR) \
 	--disable-doc \
 	--disable-gpgtar \
 	--disable-exec \
-	--disable-exec \
 	--disable-photo-viewers \
 	--disable-keyserver-helpers \
 	--disable-ldap \
-- 
2.10.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de