1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-23 10:29:58 +01:00

8705 Commits

Author SHA1 Message Date
NIIBE Yutaka
b6b735edab
scd:openpgp: Support longer data for INTERNAL_AUTHENTICATE.
* scd/app-openpgp.c (do_auth): Use extended Lc, when supported.

--

GnuPG-bug-id: 5682
Co-authored-by: Klas Lindfors
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-11-15 17:54:04 +01:00
Ingo Klöcker
027e34235b
build: Fix several "include file not found" problems
* dirmngr/Makefile.am (t_ldap_parse_uri_CFLAGS): Add KSBA_CFLAGS.
* kbx/Makefile.am (libkeybox_a_CFLAGS, libkeybox509_a_CFLAGS): Add
NPTH_CFLAGS.
* tools/Makefile.am (gpgtar_CFLAGS, gpg_wks_server_CFLAGS,
gpg_wks_client_CFLAGS, gpg_pair_tool_CFLAGS): Add LIBGCRYPT_CFLAGS.
--

The tools include gcrypt.h via common/util.h.

GnuPG-bug-id: 5592
2021-11-14 18:18:41 +01:00
Werner Koch
a43efc9294
agent: Print the non-option warning earlier.
* agent/gpg-agent.c (main): Move detection up.
--

The problem is that PARGS is re-used and when detecting a possible
incorrect use, the flag that "--" has already been seen has gone.
2021-11-14 18:09:22 +01:00
Werner Koch
d2b2dc4549
Update release signing keys
--

The last key is new.  As usual the key is on a dedicated card with the
Admin PIN accessible to a few core hackers.

# ------------------------ >8 ------------------------

pub   rsa3072 2017-03-17 [SC] [expires: 2027-03-15]
      5B80C5754298F0CB55D8ED6ABCEF7E294B092E28
sig    R     BCEF7E294B092E28 2017-03-17  Andre Heinecke (Release Signing Key)
uid                      Andre Heinecke (Release Signing Key)
sig 3        BCEF7E294B092E28 2017-03-17  Andre Heinecke (Release Signing Key)
sig          1FDF723CF462B6B1 2017-03-17  Andre Heinecke <aheinecke@intevation.de>

pub   ed25519 2020-08-24 [SC] [expires: 2030-06-30]
      6DAA6E64A76D2840571B4902528897B826403ADA
uid                      Werner Koch (dist signing 2020)
sig 3        528897B826403ADA 2020-08-24  Werner Koch (dist signing 2020)
sig          249B39D24F25E3B6 2020-08-24  Werner Koch (dist sig)
sig          63113AE866587D0A 2020-08-24  wk@gnupg.org
sig          E3FDFF218E45B72B 2020-08-24  Werner Koch (wheatstone commit signing)
sig          F2AD85AC1E42B367 2020-08-24  Werner Koch <wk@gnupg.org>

pub   ed25519 2021-05-19 [SC] [expires: 2027-04-04]
      AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD
uid                      Niibe Yutaka (GnuPG Release Key)
sig 3        E98E9B2D19C6C8BD 2021-05-19  Niibe Yutaka (GnuPG Release Key)
sig          00B45EBD4CA7BABE 2021-09-14  NIIBE Yutaka <gniibe@fsij.org>
sig          E267B052364F028D 2021-09-14  NIIBE Yutaka <gniibe@fsij.org>

pub   brainpoolP256r1 2021-10-15 [SC] [expires: 2029-12-31]
      02F38DFF731FF97CB039A1DA549E695E905BA208
uid                      GnuPG.com (Release Signing Key 2021)
sig 3        549E695E905BA208 2021-10-15  GnuPG.com (Release Signing Key 2021)
sig          528897B826403ADA 2021-10-15  Werner Koch (dist signing 2020)
sig          E3FDFF218E45B72B 2021-10-15  Werner Koch (wheatstone commit signing)
2021-11-13 21:02:22 +01:00
Werner Koch
bc6d56282e
gpg: Remove stale ultimately trusted keys from the trustdb.
* g10/tdbdump.c (export_ownertrust): Skip records marked with the
option --trusted-key.
(import_ownertrust): Clear the trusted-key flag.
* g10/tdbio.h (struct trust_record): Add field flags.
* g10/tdbio.c (tdbio_dump_record): Improve output.
(tdbio_read_record, tdbio_write_record): Handle flags.
* g10/trustdb.c (verify_own_keys): Clear stale trusted-keys and set
the flag for new --trusted-keys.
(tdb_update_ownertrust): Add arg as_trusted_key.  Update callers.
--

GnuPG-bug-id: 5685
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-11-13 20:59:17 +01:00
Werner Koch
8fe3f57643
gpgconf: New command --show-configs.
* tools/gpgconf.c (aShowConfigs): New.
(opts): Add --show-configs.
(CUTLINE_FMT): New.
(show_version_gnupg): Add arg "prefix" and adjust caller.
(my_copy_file): New.
(show_configs_one_file): New.New.
(show_configs): New.
(main): Call show_configs.
--

The ability to have a consolidated list of all config files is very
useful for support cases.  This is in particular important due to the
global config files and their conditional constructs.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-11-13 20:58:57 +01:00
Werner Koch
6507c6ab10
agent,dirmngr: New option --steal-socket
* agent/gpg-agent.c (oStealSocket): New.
(opts): Add option.
(steal_socket): New file global var.
(main): Set option.
(create_server_socket): Implement option.

* dirmngr/dirmngr.c (oStealSocket): New.
(opts): Add option.
(steal_socket): New file global var.
(main): Set option.  Add comment to eventually implement it.
--

Note that --steal-socket has currently no effect on dirmngr because
dirmngr does this anway.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-11-13 15:07:35 +01:00
Werner Koch
751b978ee1
doc: Clarify the "ntds" AKL mechanism.
--
2021-11-12 16:15:17 +01:00
NIIBE Yutaka
0982c6cb19 scd: More conservative selection of a card reader.
* scd/apdu.c (select_a_reader): Only SPRx32 is in the white list.

--

GnuPG-bug-id: 5644
Fixes-commit: 752422a792cecf459b37f517d634bcf272292b14
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-11-10 11:58:16 +09:00
Bernhard M. Wiedemann
46ada6a9bd
wks: Do not mark key files as executable 2021-11-09 08:47:40 +01:00
Bernhard M. Wiedemann
f54feb4470
wks: Allow access to newly created dirs 2021-11-09 08:47:40 +01:00
Werner Koch
8d6968c52c
doc: Minor fix for --http-proxy.
--
2021-11-05 09:00:19 +01:00
Werner Koch
6c5765907a
build: Let the release target also sign the wixlib.
--
2021-11-02 21:11:08 +01:00
Werner Koch
006131f628
common: Support MYPROC_SELF_EXE for Solaris
* common/homedir.c (MYPROC_SELF_EXE): Add case for SunOS.
--

GnuPG-bug-id: 5671
2021-11-02 20:57:10 +01:00
Werner Koch
bcd8f0239d
common: Silence warning from unix_rootdir on systems w/o /proc
* common/homedir.c (unix_rootdir): Silence diagnostic in the common
case.
(MYPROC_SELF_EXE): Support NetBSD.
--

GnuPG-bug-id: 5656
2021-11-02 20:57:03 +01:00
Ingo Klöcker
947fedf0e7
common: Respect gpgconf.ctl when looking up translations
* common/i18n.c (i18n_init): Use gnupg_localedir() instead of LOCALEDIR.
(i18n_localegettext): Ditto.
* tools/gpgconf-comp.c (my_dgettext): Ditto.
--

On Unix, gnupg_localedir() returns the locale directory relative to
the root directory of the gnupg installation if specified in the
gpgconf.ctl. Otherwise, it returns the built-in LOCALEDIR.

GnuPG-bug-id: 5999
2021-11-02 20:56:25 +01:00
Werner Koch
49d589c409
common: Support gpgconf.ctl also for BSDs.
* common/homedir.c (MYPROC_SELF_EXE): New.
(unix_rootdir): Use it here.  Also support GNUPG_BUILD_ROOT as
fallback.
--

In addition this adds a fallback method for AIX etc which do not have
an easy way to get the info.
2021-11-02 20:55:24 +01:00
Werner Koch
3828dd7a40
common: Add keyword sysconfdir to the optional gpgconf.ctl file.
* common/homedir.c (unix_rootdir): Add arg want_sysconfdir.
(gnupg_sysconfdir): Return it.
--

Our regression test suite has the problem that we can't disable the
use of the global config files or test them using the regualr
binaries.  This new keyword will allow us to overcome the problem.
2021-11-02 20:55:20 +01:00
Werner Koch
82328165cf
common: Support a gpgconf.ctl file under Unix.
* common/homedir.c (unix_rootdir): New.
(gnupg_bindir): Use it.
(gnupg_libexecdir): Use it.
(gnupg_libdir): Use it.
(gnupg_datadir): Use it.
(gnupg_localedir): Use it.
--

This feature is useful for building and using an AppImage version of
gnupg and probably also for some other use cases.

GnuPG-bug-id: 5999

Here is a sample gpgconf.ctl file
--8<---------------cut here---------------start------------->8---
# gpgconf.ctl
#
# This file is used to change the directories where the gpg components
# are installed.  It does not change the configuration directories.
# The file is expected in the same directory as gpgconf.  The physical
# installation directories are evaluated and no symlinks.  Blank lines
# and lines starting with pound signed are ignored.  No errors are
# printed for unknown keywords or commands.  The only defined key for
# now is "rootdir" which must be followed by one optional space, an
# equal sign, and the value for the root directory.  Environment
# variables are substituted in standard shell manner, the final value
# must start with a slash, trailing slashed are stripped.

rootdir = $APPDIR/gnupg
--8<---------------cut here---------------end--------------->8---
2021-11-02 20:55:04 +01:00
Werner Koch
f0162afb6b
common: New function substitute_envvars.
* common/stringhelp.c (substitute_envvars): New.  Based on code in
gpg-connect-agent.
* common/t-stringhelp.c: Include sysutils.h.
(test_substitute_envvars): New.
--

GnuPG-bug-id: 5599
2021-11-02 20:54:03 +01:00
Werner Koch
a756a61f19
common,w32: Do not always print "Garbled console data" warning.
* common/init.c (_init_common_subsystems): Silence message.
--
2021-11-02 20:50:34 +01:00
NIIBE Yutaka
152f028155
dns: Make reading resolv.conf more robust.
* dirmngr/dns.c (dns_resconf_loadfile): Skip "search" which
begins with '.'.

--

GnuPG-bug-id: 5657
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-11-02 20:49:51 +01:00
Werner Koch
918e921800
gpg: Fix printing of binary notations.
* g10/keylist.c (show_notation): Print binary notation from BDAT.
--

GnuPG-bug-id: 5667
2021-10-22 16:33:40 +02:00
Werner Koch
5e3eea4b73
gpgconf: create local option file even if a global file exists.
* tools/gpgconf-comp.c (munge_config_filename): New.
(change_options_program): Call it.
--

In case a system-wide config exists but no local file, the component
returns the name of the system-wide config file and gpgconf tried to
update this file.  This fixes this by detecting the presense of a
system-wide config file.

This applies only to 2.2; the configuration system in 2.3 has been
heavily changed to better handle system-wide configuration files.

GnuPG-bug-id: 5650
2021-10-22 12:10:47 +02:00
NIIBE Yutaka
752422a792 scd: Select a reader for PC/SC.
* scd/apdu.c (select_a_reader): New.
(open_pcsc_reader): Use select_a_reader.

--

GnuPG-bug-id: 5644
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-10-22 13:49:07 +09:00
Werner Koch
773b8fbbe9
gpg: New option --override-compliance-check
* g10/gpg.c (oOverrideComplianceCheck): New.
(opts): Add new option.
(main): Set option and add check for batch mode.
* g10/options.h (opt): Add flags.override_compliance_check.

* g10/sig-check.c (check_signature2): Factor complaince checking out
to ...
(check_key_verify_compliance): new.  Turn error into a warning in
override mode.
--

There is one important use case for this: For systems configured
globally to use de-vs mode, Ed25519 and other key types are not
allowed because they are not listred in the BSI algorithm catalog.
Now, our release signing keys happen to be Ed25519 and thus we need to
offer a way for users to check new versions even if the system is in
de-vs mode.  This does on purpose not work in --batch mode so that
scripted solutions won't accidently pass a signature check.

GnuPG-bug-id: 5655
Backported-from-master: fb26e144adfd93051501d58f5d0d4f8826ddf436
2021-10-13 17:34:12 +02:00
Werner Koch
bb750cf4ba
Post release updates
--
2021-10-06 21:15:11 +02:00
Werner Koch
476096099d
Release 2.2.32 gnupg-2.2.32 2021-10-06 20:23:37 +02:00
NIIBE Yutaka
a17f1b6074
gpg: Skip the packet when not used for AEAD.
* g10/free-packet.c (free_packet): Add the case for case
PKT_ENCRYPTED_AEAD.
--

GnuPG-bug-id: 5584
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(bug id fixed in this backport)
2021-10-06 20:03:34 +02:00
Werner Koch
323a20399d
dirmngr: New option --ignore-cert
* dirmngr/dirmngr.h (struct fingerprint_list_s): Add field binlen.
(opt): Add field ignored_certs.
* dirmngr/dirmngr.c: Add option --ignore-cert
(parse_rereadable_options): Handle that option.
(parse_ocsp_signer): Rename to ...
(parse_fingerprint_item): this and add two args.
* dirmngr/certcache.c (put_cert): Ignore all to be igored certs.
Change callers to handle the new error return.
--

This option is useful as a workaround in case we ill run into other
chain validation errors like what we fixed in
GnuPG-bug-id: 5639
Backported-from-master: 4b3e9a44b58e74b3eb4a59f88ee017fe7483a17d
2021-10-06 11:06:01 +02:00
Werner Koch
341ab0123a
dirmngr: Fix Let's Encrypt certificate chain validation.
* dirmngr/certcache.c (find_cert_bysubject): Return the first trusted
certififcate if any.
--

This is basically the same as using OpenSSL with ist
X509_V_FLAG_TRUSTED_FIRST flag. See
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

GnuPG-bug-id: 5639
2021-10-06 10:56:43 +02:00
Werner Koch
48dc463ada
Post release updates
--
2021-09-16 11:54:18 +02:00
Werner Koch
ecf4c2f611
Release 2.2.31 gnupg-2.2.31 2021-09-15 16:43:23 +02:00
Werner Koch
6eb6304c04
po: Change German descriptions for password constraints.
--
2021-09-15 16:39:30 +02:00
Werner Koch
13e4e322eb
Update release signing keys.
--

These are now

# ------------------------ >8 ------------------------
pub   rsa3072 2017-03-17 [SC] [expires: 2027-03-15]
      5B80C5754298F0CB55D8ED6ABCEF7E294B092E28
sig    R     BCEF7E294B092E28 2017-03-17  Andre Heinecke (Release Signing Key)
uid                      Andre Heinecke (Release Signing Key)
sig 3        BCEF7E294B092E28 2017-03-17  Andre Heinecke (Release Signing Key)
sig          1FDF723CF462B6B1 2017-03-17  Andre Heinecke <aheinecke@intevation.de>

pub   ed25519 2020-08-24 [SC] [expires: 2030-06-30]
      6DAA6E64A76D2840571B4902528897B826403ADA
uid                      Werner Koch (dist signing 2020)
sig 3        528897B826403ADA 2020-08-24  Werner Koch (dist signing 2020)
sig          249B39D24F25E3B6 2020-08-24  Werner Koch (dist sig)
sig          63113AE866587D0A 2020-08-24  wk@gnupg.org
sig          E3FDFF218E45B72B 2020-08-24  Werner Koch (wheatstone commit signing)
sig          F2AD85AC1E42B367 2020-08-24  Werner Koch <wk@gnupg.org>

pub   ed25519 2021-05-19 [SC] [expires: 2027-04-04]
      AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD
uid                      Niibe Yutaka (GnuPG Release Key)
sig 3        E98E9B2D19C6C8BD 2021-05-19  Niibe Yutaka (GnuPG Release Key)
sig          00B45EBD4CA7BABE 2021-09-14  NIIBE Yutaka <gniibe@fsij.org>
sig          E267B052364F028D 2021-09-14  NIIBE Yutaka <gniibe@fsij.org>
2021-09-14 13:50:47 +02:00
Werner Koch
67e1834ad4
scd: Remove context reference counting from pc/sc
* scd/apdu.c (pcsc): Add flag context_valid, remove count.
(close_pcsc_reader): Use new flag instead of looking at magic context
value.
(pcsc_init): Set new flag.
(open_pcsc_reader): Use new flag.
(apdu_init): Clear new flag.

* scd/apdu.c: Remove assert.h.  Replace all assert by log_assert.
--

The previous fix 192113552faa98f40cc91fe014ec55861474626c did not
help, thus the new hypothesis is that PC/SC might return a valid
context with the value -1.  We now use a dedicated flag to track the
validity of the context.

The reference counting seems to be superfluous and is a relict due to
backporting from 2.3.  Removed.
2021-09-14 13:41:05 +02:00
Werner Koch
117afec018
common: New envvar GNUPG_EXEC_DEBUG_FLAGS.
* common/exechelp-w32.c (gnupg_spawn_process_detached): Silence
breakaway messages and turn them again into debug messages.
2021-09-13 17:12:23 +02:00
Werner Koch
92f5cbb018
doc: Clarify some gpg keyring options
--
GnuPG-bug-id: 5594
2021-09-09 17:45:33 +02:00
Werner Koch
f32994b0bf
scd: Support PC/SC for "getinfo reader_list".
* scd/apdu.c: Include membuf.h.
(pcsc): Add reader_list field.
(open_pcsc_reader): Fill that field.
(apdu_get_reader_list): New.
* scd/command.c: Remove header ccid-driver.h.
(pretty_assuan_send_data): New.
(cmd_getinfo): Print all reader names.
--

Note that depending on the card backend (ccid or PC/SC) it might be
necessary to first send a reset followed by SERIALNO to get an updated
list of reader.  Or well send KILLSCD.

The pretty printing of Assuan data lines does only work if you connect
direct to scdaemon because the wrapper in gpg-agent does not know
about this and combines the Assuan lines again.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-09-08 15:50:28 +02:00
Werner Koch
192113552f
scd: Fix possible assertion in close_pcsc_reader.
* scd/apdu.c (close_pcsc_reader): Don't ref-count if the context is
invalid.
(open_pcsc_reader): Compare the context against -1 which is our
indicator for an invalid context.
--

I got a crash report for Windows:

  DBG: chan_0x000000a4 <- RESTART
  DBG: chan_0x000000a4 -> OK
  DBG: chan_0x000000a4 <- SERIALNO
  DBG: open_pcsc_reader(portstr=(null))
  reader slot 0: not connected
  DBG: open_pcsc_reader => slot=0
  DBG: enter: apdu_connect: slot=0
  pcsc_connect failed: invalid PC/SC error code (0x6)
  reader slot 0: not connected
  DBG: leave: apdu_connect => sw=0x1000b
  DBG: enter: apdu_close_reader: slot=0
  DBG: enter: apdu_disconnect: slot=0
  DBG: leave: apdu_disconnect => sw=0x0
  Ohhhh jeeee: Assertion "pcsc.count > 0" in
    close_pcsc_reader failed (...2.2.28/scd/apdu.c:817)

no smartcard reader was connected but the box might sport a virtual
reader.  This patch should make it more robust.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-09-07 16:40:09 +02:00
Werner Koch
4b2cfec2dc
agent: Fix segv in GET_PASSPHRASE (regression)
* agent/command.c (cmd_get_passphrase): Do not deref PI.  PI is always
NULL.
--

Fixes-commit: db5dc7a91af3774cfbce0bc533e0f0b5498402fe
GnuPG-bug-id: 5577
2021-09-07 09:03:44 +02:00
Werner Koch
1f726b4123
gpg: Print a note about the obsolete option --secret-keyring.
--

GnuPG-bug-id: 2749
2021-08-28 18:37:41 +02:00
Werner Koch
b03a38355d
Fix announcement mail URL
--
2021-08-27 15:25:02 +02:00
NIIBE Yutaka
7e431e009e common: Fix put_membuf.
* common/membuf.c (put_membuf): Allow NULL for the second arg.

--

Cherry-picked from master commit of:
	f271c6916469c0054c143adb4cee0588866a2a61

There has been such a use case in keybox-blob.c.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-08-27 17:22:25 +09:00
NIIBE Yutaka
0ca84cbdf0 build: Fix removal of AC_TYPE_SIGNAL.
* configure.ac: AC_TYPE_SIGNAL is still needed.

--

Fixes-commit: d5f9481186eaf2ff28d7ab04fd36f0bbd1c9714d
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-08-27 09:58:47 +09:00
NIIBE Yutaka
a8ffc52cec po: Update Japanese Translation.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-08-27 08:57:19 +09:00
NIIBE Yutaka
d5f9481186 common: Fix get_signal_name for GNU/Linux.
* common/signal.c (get_signal_name): Use sigdescr_np if available.
* configure.ac: Check the function.

--

Backport master commit of:
	c4ba712736ddeda66055567874d573e79d22666b

GnuPG-bug-id: 5568
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-08-27 08:50:12 +09:00
Werner Koch
f64e0f63d6
Post release updates
--
2021-08-26 21:13:30 +02:00
Werner Koch
d583e750a6
Release 2.2.30 gnupg-2.2.30 2021-08-26 18:18:36 +02:00
Werner Koch
f151587d85
po: Auto update
--
2021-08-26 18:11:48 +02:00