As of 2.2.17, GnuPG will refuse to accept any third-party
certifications from OpenPGP certificates pulled from the keyserver
network.
The SKS keyserver network currently has at least a dozen popular
certificates which are flooded with enough unusable third-party
certifications that they cannot be retrieved in any reasonable amount
of time.
The hkps://keys.openpgp.org keyserver installation offers HKPS,
performs cryptographic validation, and by policy does not distribute
third-party certifications anyway.
It is not distributed or federated yet, unfortunately, but it is
functional, which is more than can be said for the dying SKS pool.
And given that GnuPG is going to reject all the third-party
certifications anyway, there is no clear "web of trust" rationale for
relying on the SKS pool.
One sticking point is that keys.openpgp.org does not distribute user
IDs unless the user has proven control of the associated e-mail
address. This means that on standard upstream GnuPG, retrieving
revocations or subkey updates of those certificates will fail, because
upstream GnuPG ignores any incoming certificate without a user ID,
even if it knows a user ID in the local copy of the certificate (see
https://dev.gnupg.org/T4393).
However, we have three patches in
debian/patches/import-merge-without-userid/ that together fix that
bug.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Gbp-Pq: Name Use-hkps-keys.openpgp.org-as-the-default-keyserver.patch
* g10/main.h (DEFAULT_DIGEST_ALGO): Use SHA512 instead of SHA256 in
--gnupg mode (leave strict RFC and PGP modes alone).
* configure.ac: Do not allow disabling sha512.
* g10/misc.c (map_md_openpgp_to_gcry): Always support SHA512.
--
SHA512 is more performant on most 64-bit platforms than SHA256, and
offers a better security margin. It is also widely implemented.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Gbp-Pq: Topic update-defaults
Gbp-Pq: Name gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch
This avoids needing to setgid gpg-agent. It probably doesn't defend
against all possible attacks, but it defends against one specific (and
easy) one. If there are other protections we should do them too.
This will make it slightly harder to debug the agent because the
normal user won't be able to attach gdb to it directly while it runs.
The remaining options for debugging are:
* launch the agent from gdb directly
* connect gdb to a running agent as the superuser
Upstream bug: https://dev.gnupg.org/T1211
Gbp-Pq: Topic block-ptrace-on-secret-daemons
Gbp-Pq: Name Avoid-simple-memory-dumps-via-ptrace.patch
* common/mischelp.h (wipememory): Replace macro with function
prototype.
(wipememory2): Remove.
* common/mischelp.c (wipememory): New.
* configure.ac (AC_CHECK_FUNCS): Check for 'explicit_bzero' and
remove duplicated checks.
--
In new wipememory function, memory is cleared through platform
provided secure memory zeroing function, SecureZeroMemory
or explicit_bzero.
If none of these is available, memset is called through
volatile function pointer to so that compiler won't optimize
away the call.
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
(cherry picked from commit 2a650772b4e1c78a4fd20bc88433930e5551fe9c)
* configure.ac: Add option --enable-npth-debug
--
This requires a not yet release nPth version to have an effect.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/ldap-wrapper.c: Revamp module to make use of es_poll for
portability.
* configure.ac: Always use the ldap wrapper.
--
Since the migration from GNU Pth to nPth the ldap wrapper never worked
reliable on Windows. Our long term use of the old Window CE wrapper
thing didn't fixed this either. The new code uses the portable
es_poll function and thus code which is tested at several other
places. It Should(tm) fix the Windows issues.
GnuPG-bug-id: 3937
Signed-off-by: Werner Koch <wk@gnupg.org>
* configure.ac (require_pipe_to_unblock_pselect): Default is "yes".
* scd/scdaemon.c (scd_kick_the_loop): Minor clean up.
--
Normally SIGCONT or SIGUSR2 works for unblocking pselect. But on my
machine with GNU/Linux, when a machine is suspend/resume-ed, pselect
keeps blocked, while signal itself is delivered.
It's better to use pipe.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* configure.ac (HAVE_PSELECT_NO_EINTR): New.
* scd/scdaemon.c (scd_kick_the_loop): Write to pipe.
(handle_connections): Use pipe.
--
On NetBSD, signal to the same process cannot unblock pselect,
with unknown reason. Use pipe instead, for such systems.
GnuPG-bug-id: 3778
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* configure.ac: Check ucred.h as well as sys/ucred.h.
* agent/command-ssh.c: Add inclusion of ucred.h.
--
It was T2981, adding ucred.h for Solaris. We also need sys/ucred.h
for FreeBSD and macOS.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
--
assuan_sock_set_system_hooks is used unconditionally in gnupg since
commit 9f641430dcdecbd7ee205d407cb19bb4262aa95d, and as such it requires
libassuan 2.5.0 (function introduced in
commit 90dc81682b13a7cf716a8a26b891051cbd4b0caf)
For a detailed description see:
https://lists.gnupg.org/pipermail/gnupg-devel/2017-December/033323.html
* configure.ac: (USE_RUN_GNUPG_USER_SOCKET): New ac_define.
* common/homedir.c (_gnupg_socketdir_internal): Add extra directories.
--
This allows to build GnuPG with an extra socketdir below /run. See
https://lists.gnupg.org/pipermail/gnupg-devel/2017-November/033250.html
for a longer explanation why this is sometimes useful.
Suggested-by: Rainer Perske
Signed-off-by: Werner Koch <wk@gnupg.org>
* configure.ac: Do not add -Werror to mycflags.
--
On Windows and possible also on other platforms we expect to a get a
few errors or warnins. Thus we can't use -Werror by default. This is
why we have a separate configure options --enable-werror ;-).
Fixes-commit: 3ecd1a41be7c880976987d13e88342c98f37e064
Signed-off-by: Werner Koch <wk@gnupg.org>
* configure.ac (YAT2M): Only define when found.
* doc/Makefile.am: Portability fix.
--
This is not intended to apply to master, but 2.2 branch only. When
new libgpg-error is required, installation of yat2m can be assumed.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* configure.ac (GNUPG_REGISTRY_DIR): Remove leading backslash.
--
Windows does not like the leading backslash and won't read
the key.
Problem reported in the Gpg4win Message boards.
This bug was introduced by rev. 75ba215e
Signed-off-by: Andre Heinecke <aheinecke@intevation.de>
* configure.ac: Implement that option.
--
This can be used as a workaround in case of bogus autoconf tests.
GnuPG-bug-id: 2423
Signed-off-by: Werner Koch <wk@gnupg.org>
* configure.ac: Do not mess with the user provided CFLAGS.
--
A problem was claimed with some configure tests if the user provided
CFLAGS=-Werror. The commit introducing this
Fixes-commit: 02eb9fc9d5863abcfed6af704e618f8cac7cc2e8
does not mention a concrete case. Anyway, messing with CFLAGS is a
bad idea because configure tests will then test something different
than what is used later (cf. autoconf manual). Tests which depend on
the whether -Werror is used needsto be fixed.
Note that in certain cases we modify CFLAGS. This is only done for
some configure options or if the platform requires the use of special
compiler flags (e.g. on HP/UX).
GnuPG-bug-id: 2423
* configure.ac (GNUPG_SWDB_TAG): New ac_define. Set it to "gnupg22".
* tools/gpgconf.c (query_swdb): Use it.
* build-aux/speedo.mk: Change tag "gnupg21" to "gnupg22".
* Makefile.am (distcheck-hook): Ditto.
Signed-off-by: Werner Koch <wk@gnupg.org>
* configure.ac: New option --enable-all-tests.
* tests/gpgscm/ffi.c (ffi_init): New gloabl var *run-all-tests*.
* tests/openpgp/all-tests.scm (all-tests): Use that var instead
of *maintainer-mode*.
* Makefile.am (AM_DISTCHECK_CONFIGURE_FLAGS): Add --enable-all-tests.
--
It is better to have a separate option to run all tests than to put
this on top of --enable-maintainer-mode. This way we can also make
sure to run all tests during "make distcheck".
Signed-off-by: Werner Koch <wk@gnupg.org>
* configure.ac: Leak the maintainer mode flag into 'config.h'.
* tests/gpgscm/ffi.c: Pass it into the scheme environment.
* tests/openpgp/all-tests.scm: Only run tests against non-default
configurations (keyring, extended-key-format) in maintainer mode.
--
Werner is concerned that the tests do take up too much time and asked
me to reduce the runtime of the tests for normal users.
Signed-off-by: Justus Winter <justus@g10code.com>
* common/homedir.c (default_homedir): Strip trailing slashes.
(gnupg_set_homedir): Ditto.
--
is_gnupg_default_homedir() does not ignore trailing slashes when
comparing directory names. This can lead to multiple agents started
on the same directory if the homedir was specified with --homedir or
GNUPGHOME without or with a number of slashes.
We now make sure that the home directory name never ends in a
slash (except for the roo of course).
GnuPG-bug-id: 3295
Signed-off-by: Werner Koch <wk@gnupg.org>
--
dev.gnupg org is the development platform but the canonical bug
address is and has always been bugs.gnupg.org. We should keep on
using this address for the case that we switch the tracker again or
split it off the development system.
That is also the reason why we should keep on communicating a plain
bug number without the 'T' prefix.
Signed-off-by: Werner Koch <wk@gnupg.org>