pkgs/tools/security/gnupg/0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patchdeleted 100644 → 0 +0 −34 Original line number Diff line number Diff line From 1c9cc97e9d47d73763810dcb4a36b6cdf31a2254 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> Date: Sun, 30 Jun 2019 11:54:35 -0400 Subject: [PATCH] dirmngr: Only use SKS pool CA for SKS pool * dirmngr/http.c (http_session_new): when checking whether the keyserver is the HKPS pool, check specifically against the pool name, as ./configure might have been used to select a different default keyserver. It makes no sense to apply Kristian's certificate authority to anything other than the literal host hkps.pool.sks-keyservers.net. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> GnuPG-Bug-Id: 4593 --- dirmngr/http.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dirmngr/http.c b/dirmngr/http.c index 384f2569d..8e5d53939 100644 --- a/dirmngr/http.c +++ b/dirmngr/http.c @@ -767,7 +767,7 @@ http_session_new (http_session_t *r_session, is_hkps_pool = (intended_hostname && !ascii_strcasecmp (intended_hostname, - get_default_keyserver (1))); + "hkps.pool.sks-keyservers.net")); /* If the user has not specified a CA list, and they are looking * for the hkps pool from sks-keyservers.net, then default to -- 2.22.0
pkgs/tools/security/gnupg/22.nix +0 −5 Original line number Diff line number Diff line Loading @@ -36,11 +36,6 @@ stdenv.mkDerivation rec { ./fix-libusb-include-path.patch ./tests-add-test-cases-for-import-without-uid.patch ./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch # The following patch has no effect as the code is # "[d]isabled for 2.2.19 to due problems with the standard hkps pool." #./0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch ./22-allow-import-of-previously-known-keys-even-without-UI.patch ]; Loading
pkgs/tools/security/gnupg/24.nix +0 −6 Original line number Diff line number Diff line Loading @@ -37,13 +37,7 @@ stdenv.mkDerivation rec { ./fix-libusb-include-path.patch ./tests-add-test-cases-for-import-without-uid.patch ./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch # The following patch has no effect as the code is # "[d]isabled for 2.3.2 to due problems with the standard hkps pool." #./0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch ./24-allow-import-of-previously-known-keys-even-without-UI.patch # Patch for DoS vuln from https://seclists.org/oss-sec/2022/q3/27 ./v3-0001-Disallow-compressed-signatures-and-certificates.patch ]; Loading
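Review bot: deleting 0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch drops the only change in this package that tied the is_hkps_pool check in http_session_new to the literal host "hkps.pool.sks-keyservers.net" rather than to get_default_keyserver (1). The comments removed from 22.nix and 24.nix say the affected code is disabled upstream, so nothing changes today. That reason now survives only in history, though, so the commit message should state it and cite GnuPG-Bug-Id 4593. Then anyone building with a different default keyserver knows to re-check this comparison if a later GnuPG release enables the block again.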
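Review bot: in the 22.nix hunk (@@ -36,11 +36,6 @@) the removed entry "#./0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch" was already commented out, so the evaluated patches list should be identical before and after. Please confirm that the derivation for this version is unchanged, so the cleanup does not trigger a rebuild of a security-sensitive package for no functional reason.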
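Review bot: in the 24.nix hunk (@@ -37,13 +37,7 @@), once the explanatory comment is removed, "# Patch for DoS vuln from https://seclists.org/oss-sec/2022/q3/27" is the only annotation left in the patches list. The other carried patches, such as ./24-allow-import-of-previously-known-keys-even-without-UI.patch, have no note on where they come from or when they can be dropped. Since this commit is already tidying the list, consider adding a one-line origin comment for each remaining patch so the next cleanup does not depend on reading upstream history.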