diff --git a/.gitignore b/.gitignore
index 5a51f9fd2..a525f1485 100644
--- a/.gitignore
+++ b/.gitignore
@@ -158,3 +158,5 @@ tools/gpgtar
 private-keys-v1.d/
 x.parm
 /VERSION
+/swdb.lst
+/swdb.lst.sig
diff --git a/build-aux/getswdb.sh b/build-aux/getswdb.sh
new file mode 100755
index 000000000..aa889ee79
--- /dev/null
+++ b/build-aux/getswdb.sh
@@ -0,0 +1,121 @@ +#!/bin/sh +# Get the online version of the GnuPG software version database +# Copyright (C) 2014 Werner Koch +# +# This file is free software; as a special exception the author gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the +# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + +# The URL of the file to retrieve. +urlbase="https://www.gnupg.org/" + +WGET=wget +GPGV=gpgv + +srcdir=$(dirname "$0") +distsigkey="$srcdir/../g10/distsigkey.gpg" + +# Convert a 3 part version number it a numeric value. +cvtver () { + awk 'NR==1 {split($NF,A,".");X=1000000*A[1]+1000*A[2]+A[3];print X;exit 0}' +} + +# Prints usage information. +usage() +{ + cat <&2 + ;; + esac + shift +done + +# Get GnuPG version from VERSIOn file. For a GIT checkout this means +# that ./autogen.sh must have been run first. For a regular tarball +# VERSION is always available. +if [ ! -f "$srcdir/../VERSION" ]; then + echo "VERSION file missing - run autogen.sh first." >&2 + exit 1 +fi +version=$(cat "$srcdir/../VERSION") +version_num=$(echo "$version" | cvtver) + +# +# Download the list and verify. +# +if [ $skip_download = yes ]; then + if [ ! -f swdb.lst ]; then + echo "swdb.lst is missing." >&2 + exit 1 + fi + if [ ! -f swdb.lst.sig ]; then + echo "swdb.lst.sig is missing." >&2 + exit 1 + fi +else + if ! $WGET -q -O swdb.lst "$urlbase/swdb.lst" ; then + echo "download of swdb.lst failed." >&2 + exit 1 + fi + if ! $WGET -q -O swdb.lst.sig "$urlbase/swdb.lst.sig" ; then + echo "download of swdb.lst.sig failed." >&2 + exit 1 + fi +fi +if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst; then + echo "list of software versions is not valid!" 
>&2 + exit 1 +fi + +# +# Check that the online version of GnuPG is not less than this version +# to help detect rollback attacks. +# +gnupg_ver=$(awk '$1=="gnupg21_ver" {print $2;exit}' swdb.lst) +if [ -z "$gnupg_ver" ]; then + echo "GnuPG 2.1 version missing in swdb.lst!" >&2 + exit 1 +fi +gnupg_ver_num=$(echo "$gnupg_ver" | cvtver) +if [ $(( $gnupg_ver_num >= $version_num )) = 0 ]; then + echo "GnuPG version in swdb.lst is less than this version!" >&2 + echo " This version: $version" >&2 + echo " SWDB version: $gnupg_ver" >&2 + exit 1 +fi diff --git a/build-aux/speedo.mk b/build-aux/speedo.mk index 4f0751fca..69af39ce4 100644 --- a/build-aux/speedo.mk +++ b/build-aux/speedo.mk @@ -64,6 +64,21 @@ MAKE_J=3 # Name to use for the w32 installer and sources INST_NAME=gnupg-w32 + +# Directory names. +# They must be absolute, as we switch directories pretty often. +root := $(shell pwd)/PLAY +sdir := $(root)/src +bdir := $(root)/build +bdir6:= $(root)/build-w64 +idir := $(root)/inst +idir6:= $(root)/inst-w64 +stampdir := $(root)/stamps +topsrc := $(shell cd $(dir $(SPEEDO_MK)).. && pwd) +auxsrc := $(topsrc)/build-aux/speedo +patdir := $(topsrc)/build-aux/speedo/patches +w32src := $(topsrc)/build-aux/speedo/w32 + # =====BEGIN LIST OF PACKAGES===== # The packages that should be built. The order is also the build order. # Fixme: Do we need to build pkg-config for cross-building? 
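Review bot: The download branch writes `swdb.lst` and `swdb.lst.sig` straight to their final names (`$WGET -q -O swdb.lst …`) before `gpgv` runs, so a failed, truncated or tampered download overwrites a previously verified list and leaves the unverified copy on disk for a later `--skip-download`-style run (the option loop is garbled in this rendering, but `skip_download` is clearly consulted). Fetching to temporary names, verifying those, and renaming only on success avoids that; the common `$GPGV` check after the `if`/`fi` can stay as it is for the skip-download path. The rollback check also only compares `gnupg21_ver` against this tree's VERSION, so a replayed older-but-validly-signed list whose GnuPG entry is still not below this tree would be accepted together with its older library versions; comparing against the list already on disk would narrow that window — this is inferred from what the hunk shows and worth confirming against the intended threat model. Minor: `urlbase` ends in `/` and is joined with `/swdb.lst`, giving `https://www.gnupg.org//swdb.lst`.
```sh
# … unchanged: option parsing and VERSION check …
if [ $skip_download = yes ]; then
  # … unchanged: presence checks for swdb.lst and swdb.lst.sig …
else
  # Fetch to temporary names so a failed or unverifiable download never
  # replaces a previously verified list.
  if ! $WGET -q -O swdb.lst.tmp "$urlbase/swdb.lst" ; then
    echo "download of swdb.lst failed." >&2
    rm -f swdb.lst.tmp
    exit 1
  fi
  if ! $WGET -q -O swdb.lst.sig.tmp "$urlbase/swdb.lst.sig" ; then
    echo "download of swdb.lst.sig failed." >&2
    rm -f swdb.lst.tmp swdb.lst.sig.tmp
    exit 1
  fi
  if ! $GPGV --keyring "$distsigkey" swdb.lst.sig.tmp swdb.lst.tmp; then
    echo "downloaded list of software versions is not valid!" >&2
    rm -f swdb.lst.tmp swdb.lst.sig.tmp
    exit 1
  fi
  mv swdb.lst.sig.tmp swdb.lst.sig && mv swdb.lst.tmp swdb.lst
fi
# … unchanged: gpgv over swdb.lst and the gnupg21_ver rollback check …
```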
@@ -118,17 +133,34 @@ speedo_gnupg_style = \ speedo_make_only_style = \ zlib +# Get the content of the software DB. +SWDB := $(shell $(topsrc)/build-aux/getswdb.sh && echo okay) +ifeq ($(strip $(SWDB)),) +$(error Error getting GnuPG software version database) +endif + # Version numbers of the released packages -# Fixme: Take the version numbers from gnupg-doc/web/swdb.mac -libgpg_error_ver = 1.13 -npth_ver = 0.91 -libgcrypt_ver = 1.6.1 -libassuan_ver = 2.1.1 -libksba_ver = 1.3.0 -gpgme_ver = 1.5.0 -pinentry_ver = 0.8.4 -gpa_ver = 0.9.5 -gpgex_ver = 1.0.0 +gnupg_ver = $(shell cat $(topsrc)/VERSION) +libgpg_error_ver = $(shell awk '$$1=="libgpg_error_ver" {print $$2}' swdb.lst) +npth_ver = $(shell awk '$$1=="npth_ver" {print $$2}' swdb.lst) +libgcrypt_ver = $(shell awk '$$1=="libgcrypt_ver" {print $$2}' swdb.lst) +libassuan_ver = $(shell awk '$$1=="libassuan_ver" {print $$2}' swdb.lst) +libksba_ver = $(shell awk '$$1=="libksba_ver" {print $$2}' swdb.lst) +gpgme_ver = $(shell awk '$$1=="gpgme_ver" {print $$2}' swdb.lst) +pinentry_ver = $(shell awk '$$1=="pinentry_ver" {print $$2}' swdb.lst) +gpa_ver = $(shell awk '$$1=="gpa_ver" {print $$2}' swdb.lst) +gpgex_ver = $(shell awk '$$1=="gpgex_ver" {print $$2}' swdb.lst) + +$(info Information from the version database) +$(info GnuPG ..........: $(gnupg_ver)) +$(info Libgpg-error ...: $(libgpg_error_ver)) +$(info Npth ...........: $(npth_ver)) +$(info Libgcrypt ......: $(libgcrypt_ver)) +$(info Libassuan ......: $(libassuan_ver)) +$(info GPGME ..........: $(gpgme_ver)) +$(info Pinentry .......: $(pinentry_ver)) +$(info GPA ............: $(gpa_ver)) +$(info GpgEX.... ......: $(gpgex_ver)) # Version number for external packages 
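Review bot: None of the nine versions pulled from `swdb.lst` is validated before use: `awk '$$1=="libgcrypt_ver" {print $$2}' swdb.lst` yields an empty string when the key is absent and several words when it is duplicated (there is no `exit` after the first match, unlike the script's `{print $2;exit}`), and the `$(info)` lines only display the result, so a malformed or stale list would presumably flow into tarball names and download URLs further down the file, outside this hunk. A parse-time guard after the assignments catches both cases: `$(foreach v,libgpg_error_ver npth_ver libgcrypt_ver libassuan_ver libksba_ver gpgme_ver pinentry_ver gpa_ver gpgex_ver,$(if $(filter 1,$(words $($(v)))),,$(error $(v) missing or malformed in swdb.lst)))`. Also note that `SWDB := $(shell $(topsrc)/build-aux/getswdb.sh && echo okay)` runs at parse time on every invocation, including `make clean` and `make -n`, so each run needs network access and re-fetches the list; skipping the fetch when `$(MAKECMDGOALS)` is only `clean`, or reusing a present `swdb.lst`, would keep offline work possible. The hard-coded `okay` sentinel deserves a one-line comment such as `# Non-empty only if the script exited 0; its diagnostics go to stderr.`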
@@ -397,19 +429,6 @@ MKDIR=mkdir MAKENSIS=makensis BUILD_ISODATE=$(shell date -u +%Y-%m-%d) -# These paths must be absolute, as we switch directories pretty often. -root := $(shell pwd)/PLAY -sdir := $(root)/src -bdir := $(root)/build -bdir6:= $(root)/build-w64 -idir := $(root)/inst -idir6:= $(root)/inst-w64 -stampdir := $(root)/stamps -topsrc := $(shell cd $(dir $(SPEEDO_MK)).. && pwd) -auxsrc := $(topsrc)/build-aux/speedo -patdir := $(topsrc)/build-aux/speedo/patches -w32src := $(topsrc)/build-aux/speedo/w32 - # The next two macros will work only after gnupg has been build. INST_VERSION=$(shell head -1 $(idir)/INST_VERSION) INST_PROD_VERSION=$(shell head -1 $(idir)/INST_PROD_VERSION)