Loading pkgs/tools/security/gnupg/allow-import-of-previously-known-keys-even-without-UI.patch→pkgs/tools/security/gnupg/22-allow-import-of-previously-known-keys-even-without-UI.patch +13 −13 Original line number Diff line number Diff line Loading @@ -16,11 +16,12 @@ Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> g10/import.c | 44 +++++++++++--------------------------------- 1 file changed, 11 insertions(+), 33 deletions(-) diff --git a/g10/import.c b/g10/import.c index 5d3162c..f9acf95 100644 index cd3363fc7..8f10771db 100644 --- a/g10/import.c +++ b/g10/import.c @@ -1788,7 +1788,6 @@ import_one_real (ctrl_t ctrl, @@ -1858,7 +1858,6 @@ import_one_real (ctrl_t ctrl, size_t an; char pkstrbuf[PUBKEY_STRING_SIZE]; int merge_keys_done = 0; Loading @@ -28,11 +29,10 @@ index 5d3162c..f9acf95 100644 KEYDB_HANDLE hd = NULL; if (r_valid) @@ -1825,14 +1824,6 @@ import_one_real (ctrl_t ctrl, log_printf ("\n"); @@ -1896,13 +1895,6 @@ import_one_real (ctrl_t ctrl, } - - if (!uidnode ) - { - if (!silent) Loading @@ -43,12 +43,12 @@ index 5d3162c..f9acf95 100644 if (screener && screener (keyblock, screener_arg)) { log_error (_("key %s: %s\n"), keystr_from_pk (pk), @@ -1907,18 +1898,10 @@ import_one_real (ctrl_t ctrl, @@ -1977,18 +1969,10 @@ import_one_real (ctrl_t ctrl, } } - /* Delete invalid parts and bail out if there are no user ids left. */ - if (!delete_inv_parts (ctrl, keyblock, keyid, options)) - if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs)) - { - if (!silent) - { Loading @@ -62,11 +62,11 @@ index 5d3162c..f9acf95 100644 + /* Delete invalid parts, and note if we have any valid ones left. + * We will later abort import if this key is new but contains + * no valid uids. */ + delete_inv_parts (ctrl, keyblock, keyid, options); + delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs); /* Get rid of deleted nodes. */ commit_kbnode (&keyblock); @@ -1927,24 +1911,11 @@ import_one_real (ctrl_t ctrl, @@ -1998,24 +1982,11 @@ import_one_real (ctrl_t ctrl, { apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid); commit_kbnode (&keyblock); Loading @@ -91,7 +91,7 @@ index 5d3162c..f9acf95 100644 } /* The keyblock is valid and ready for real import. */ @@ -2002,6 +1973,13 @@ import_one_real (ctrl_t ctrl, @@ -2073,6 +2044,13 @@ import_one_real (ctrl_t ctrl, err = 0; stats->skipped_new_keys++; } Loading pkgs/tools/security/gnupg/22.nix 0 → 100644 +115 −0 Original line number Diff line number Diff line { lib, stdenv, fetchurl, buildPackages , pkg-config, texinfo , gettext, libassuan, libgcrypt, libgpg-error, libiconv, libksba, npth , adns, bzip2, gnutls, libusb1, openldap, readline, sqlite, zlib , enableMinimal ? false , withPcsc ? !enableMinimal, pcsclite , guiSupport ? stdenv.isDarwin, pinentry }: with lib; let pinentryBinaryPath = pinentry.binaryPath or "bin/pinentry"; in assert guiSupport -> enableMinimal == false; stdenv.mkDerivation rec { pname = "gnupg"; version = "2.2.41"; src = fetchurl { url = "mirror://gnupg/gnupg/${pname}-${version}.tar.bz2"; hash = "sha256-E/MpEAel6FRvy3vAxmEM5EqqmzmVBZ1PgUW6Cf1b4+E="; }; depsBuildBuild = [ buildPackages.stdenv.cc ]; nativeBuildInputs = [ pkg-config texinfo ]; buildInputs = [ gettext libassuan libgcrypt libgpg-error libiconv libksba npth ] ++ lib.optionals (!enableMinimal) [ adns bzip2 gnutls libusb1 openldap readline sqlite zlib ]; patches = [ ./fix-libusb-include-path.patch ./tests-add-test-cases-for-import-without-uid.patch ./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch # The following patch has no effect as the code is # "[d]isabled for 2.2.19 to due problems with the standard hkps pool." #./0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch ./22-allow-import-of-previously-known-keys-even-without-UI.patch ]; postPatch = '' sed -i 's,hkps://hkps.pool.sks-keyservers.net,hkps://keys.openpgp.org,g' configure doc/dirmngr.texi doc/gnupg.info-1 # Fix broken SOURCE_DATE_EPOCH usage - remove on the next upstream update sed -i 's/$SOURCE_DATE_EPOCH/''${SOURCE_DATE_EPOCH}/' doc/Makefile.am sed -i 's/$SOURCE_DATE_EPOCH/''${SOURCE_DATE_EPOCH}/' doc/Makefile.in '' + lib.optionalString (stdenv.isLinux && withPcsc) '' sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c ''; configureFlags = [ "--with-libgpg-error-prefix=${libgpg-error.dev}" "--with-libgcrypt-prefix=${libgcrypt.dev}" "--with-libassuan-prefix=${libassuan.dev}" "--with-ksba-prefix=${libksba.dev}" "--with-npth-prefix=${npth}" ] ++ lib.optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentryBinaryPath}" ++ lib.optional stdenv.isDarwin "--disable-ccid-driver"; postInstall = if enableMinimal then '' rm -r $out/{libexec,sbin,share} for f in $(find $out/bin -type f -not -name gpg) do rm $f done '' else '' mkdir -p $out/lib/systemd/user for f in doc/examples/systemd-user/*.{service,socket} ; do substitute $f $out/lib/systemd/user/$(basename $f) \ --replace /usr/bin $out/bin done # add gpg2 symlink to make sure git does not break when signing commits ln -s $out/bin/gpg $out/bin/gpg2 # Make libexec tools available in PATH for f in $out/libexec/; do if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi ln -s $f $out/bin/$(basename $f) done ln -s -t $out/bin $out/libexec/* ''; enableParallelBuilding = true; passthru.tests.connman = nixosTests.gnupg; meta = with lib; { homepage = "https://gnupg.org"; description = "LTS release of the GNU Privacy Guard, a GPL OpenPGP implementation"; license = licenses.gpl3Plus; longDescription = '' The GNU Privacy Guard is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC4880. GnuPG "modern" (2.1) is the latest development with a lot of new features. GnuPG allows to encrypt and sign your data and communication, features a versatile key management system as well as access modules for all kind of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME. ''; maintainers = with maintainers; [ fpletz vrthra ]; platforms = platforms.all; mainProgram = "gpg"; }; } pkgs/tools/security/gnupg/24-allow-import-of-previously-known-keys-even-without-UI.patch 0 → 100644 +107 −0 Original line number Diff line number Diff line From: Vincent Breitmoser <look@my.amazin.horse> Date: Thu, 13 Jun 2019 21:27:42 +0200 Subject: gpg: allow import of previously known keys, even without UIDs * g10/import.c (import_one): Accept an incoming OpenPGP certificate that has no user id, as long as we already have a local variant of the cert that matches the primary key. -- This fixes two of the three broken tests in import-incomplete.scm. GnuPG-Bug-id: 4393 Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> --- g10/import.c | 44 +++++++++++--------------------------------- 1 file changed, 11 insertions(+), 33 deletions(-) diff --git a/g10/import.c b/g10/import.c index 9fab46ca6..61896a6bf 100644 --- a/g10/import.c +++ b/g10/import.c @@ -1954,7 +1954,6 @@ import_one_real (ctrl_t ctrl, size_t an; char pkstrbuf[PUBKEY_STRING_SIZE]; int merge_keys_done = 0; - int any_filter = 0; KEYDB_HANDLE hd = NULL; if (r_valid) @@ -1992,13 +1991,6 @@ import_one_real (ctrl_t ctrl, } - if (!uidnode) - { - if (!silent) - log_error( _("key %s: no user ID\n"), keystr_from_pk(pk)); - return 0; - } - if (screener && screener (keyblock, screener_arg)) { log_error (_("key %s: %s\n"), keystr_from_pk (pk), @@ -2078,18 +2070,10 @@ import_one_real (ctrl_t ctrl, } } - /* Delete invalid parts and bail out if there are no user ids left. */ - if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs)) - { - if (!silent) - { - log_error ( _("key %s: no valid user IDs\n"), keystr_from_pk(pk)); - if (!opt.quiet) - log_info(_("this may be caused by a missing self-signature\n")); - } - stats->no_user_id++; - return 0; - } + /* Delete invalid parts, and note if we have any valid ones left. + * We will later abort import if this key is new but contains + * no valid uids. */ + delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs); /* Get rid of deleted nodes. */ commit_kbnode (&keyblock); @@ -2099,24 +2083,11 @@ import_one_real (ctrl_t ctrl, { apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid); commit_kbnode (&keyblock); - any_filter = 1; } if (import_filter.drop_sig) { apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig); commit_kbnode (&keyblock); - any_filter = 1; - } - - /* If we ran any filter we need to check that at least one user id - * is left in the keyring. Note that we do not use log_error in - * this case. */ - if (any_filter && !any_uid_left (keyblock)) - { - if (!opt.quiet ) - log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk)); - stats->no_user_id++; - return 0; } /* The keyblock is valid and ready for real import. */ @@ -2174,6 +2145,13 @@ import_one_real (ctrl_t ctrl, err = 0; stats->skipped_new_keys++; } + else if (err && !any_uid_left (keyblock)) + { + if (!silent) + log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid)); + err = 0; + stats->no_user_id++; + } else if (err) /* Insert this key. */ { /* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY. */ pkgs/tools/security/gnupg/24.nix +35 −19 Original line number Diff line number Diff line { fetchurl, fetchpatch, lib, stdenv, pkg-config, libgcrypt, libassuan, libksba , libgpg-error, libiconv, npth, gettext, texinfo, buildPackages , nixosTests , guiSupport ? stdenv.isDarwin, enableMinimal ? false , adns, bzip2, gnutls, libusb1, openldap , pinentry, readline, sqlite, zlib { lib, stdenv, fetchurl, buildPackages , pkg-config, texinfo , gettext, libassuan, libgcrypt, libgpg-error, libiconv, libksba, npth , adns, bzip2, gnutls, libusb1, openldap, readline, sqlite, zlib , enableMinimal ? false , withPcsc ? !enableMinimal, pcsclite , guiSupport ? stdenv.isDarwin, pinentry , withTpm2Tss ? !stdenv.isDarwin && !enableMinimal, tpm2-tss }: with lib; let pinentryBinaryPath = pinentry.binaryPath or "bin/pinentry"; in assert guiSupport -> enableMinimal == false; stdenv.mkDerivation rec { Loading @@ -16,44 +22,49 @@ stdenv.mkDerivation rec { src = fetchurl { url = "mirror://gnupg/gnupg/${pname}-${version}.tar.bz2"; sha256 = "sha256-HXkVjdAdmSQx3S4/rLif2slxJ/iXhOosthDGAPsMFIM="; hash = "sha256-HXkVjdAdmSQx3S4/rLif2slxJ/iXhOosthDGAPsMFIM="; }; depsBuildBuild = [ buildPackages.stdenv.cc ]; nativeBuildInputs = [ pkg-config texinfo ]; buildInputs = [ libgcrypt libassuan libksba libiconv npth gettext ] ++ lib.optionals (!enableMinimal) ([ readline libusb1 gnutls adns openldap zlib bzip2 sqlite ] ++ lib.optional withTpm2Tss tpm2-tss); gettext libassuan libgcrypt libgpg-error libiconv libksba npth ] ++ lib.optionals (!enableMinimal) [ adns bzip2 gnutls libusb1 openldap readline sqlite zlib ] ++ lib.optionals withTpm2Tss [ tpm2-tss ]; patches = [ ./fix-libusb-include-path.patch ./tests-add-test-cases-for-import-without-uid.patch # TODO: Refresh patch? Doesn't apply on 2.4.0 #./allow-import-of-previously-known-keys-even-without-UI.patch ./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch # The following patch has no effect as the code is # "[d]isabled for 2.3.2 to due problems with the standard hkps pool." #./0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch ./24-allow-import-of-previously-known-keys-even-without-UI.patch # Patch for DoS vuln from https://seclists.org/oss-sec/2022/q3/27 ./v3-0001-Disallow-compressed-signatures-and-certificates.patch ]; postPatch = '' sed -i 's,\(hkps\|https\)://keyserver.ubuntu.com,hkps://keys.openpgp.org,g' configure configure.ac doc/dirmngr.texi doc/gnupg.info-1 '' + lib.optionalString (stdenv.isLinux && withPcsc) '' sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c ''; pinentryBinaryPath = pinentry.binaryPath or "bin/pinentry"; configureFlags = [ "--with-libgpg-error-prefix=${libgpg-error.dev}" "--with-libgcrypt-prefix=${libgcrypt.dev}" "--with-libassuan-prefix=${libassuan.dev}" "--with-ksba-prefix=${libksba.dev}" "--with-npth-prefix=${npth}" ] ++ lib.optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentryBinaryPath}" ] ++ lib.optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentryBinaryPath}" ++ lib.optional withTpm2Tss "--with-tss=intel" ++ lib.optional stdenv.isDarwin "--disable-ccid-driver"; postInstall = if enableMinimal then '' rm -r $out/{libexec,sbin,share} Loading @@ -76,6 +87,11 @@ stdenv.mkDerivation rec { if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi ln -s $f $out/bin/$(basename $f) done for f in $out/libexec/; do if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi ln -s $f $out/bin/$(basename $f) done ''; enableParallelBuilding = true; Loading pkgs/top-level/all-packages.nix +6 −1 Original line number Diff line number Diff line Loading @@ -7902,8 +7902,13 @@ with pkgs; gnupg1orig = callPackage ../tools/security/gnupg/1.nix { }; gnupg1compat = callPackage ../tools/security/gnupg/1compat.nix { }; gnupg1 = gnupg1compat; # use config.packageOverrides if you prefer original gnupg1 gnupg22 = callPackage ../tools/security/gnupg/22.nix { pinentry = if stdenv.isDarwin then pinentry_mac else pinentry-gtk2; libgcrypt = libgcrypt_1_8; }; gnupg24 = callPackage ../tools/security/gnupg/24.nix { guiSupport = stdenv.isDarwin; pinentry = if stdenv.isDarwin then pinentry_mac else pinentry-gtk2; }; gnupg = gnupg24; Loading
pkgs/tools/security/gnupg/allow-import-of-previously-known-keys-even-without-UI.patch→pkgs/tools/security/gnupg/22-allow-import-of-previously-known-keys-even-without-UI.patch +13 −13 Original line number Diff line number Diff line Loading @@ -16,11 +16,12 @@ Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> g10/import.c | 44 +++++++++++--------------------------------- 1 file changed, 11 insertions(+), 33 deletions(-) diff --git a/g10/import.c b/g10/import.c index 5d3162c..f9acf95 100644 index cd3363fc7..8f10771db 100644 --- a/g10/import.c +++ b/g10/import.c @@ -1788,7 +1788,6 @@ import_one_real (ctrl_t ctrl, @@ -1858,7 +1858,6 @@ import_one_real (ctrl_t ctrl, size_t an; char pkstrbuf[PUBKEY_STRING_SIZE]; int merge_keys_done = 0; Loading @@ -28,11 +29,10 @@ index 5d3162c..f9acf95 100644 KEYDB_HANDLE hd = NULL; if (r_valid) @@ -1825,14 +1824,6 @@ import_one_real (ctrl_t ctrl, log_printf ("\n"); @@ -1896,13 +1895,6 @@ import_one_real (ctrl_t ctrl, } - - if (!uidnode ) - { - if (!silent) Loading @@ -43,12 +43,12 @@ index 5d3162c..f9acf95 100644 if (screener && screener (keyblock, screener_arg)) { log_error (_("key %s: %s\n"), keystr_from_pk (pk), @@ -1907,18 +1898,10 @@ import_one_real (ctrl_t ctrl, @@ -1977,18 +1969,10 @@ import_one_real (ctrl_t ctrl, } } - /* Delete invalid parts and bail out if there are no user ids left. */ - if (!delete_inv_parts (ctrl, keyblock, keyid, options)) - if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs)) - { - if (!silent) - { Loading @@ -62,11 +62,11 @@ index 5d3162c..f9acf95 100644 + /* Delete invalid parts, and note if we have any valid ones left. + * We will later abort import if this key is new but contains + * no valid uids. */ + delete_inv_parts (ctrl, keyblock, keyid, options); + delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs); /* Get rid of deleted nodes. */ commit_kbnode (&keyblock); @@ -1927,24 +1911,11 @@ import_one_real (ctrl_t ctrl, @@ -1998,24 +1982,11 @@ import_one_real (ctrl_t ctrl, { apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid); commit_kbnode (&keyblock); Loading @@ -91,7 +91,7 @@ index 5d3162c..f9acf95 100644 } /* The keyblock is valid and ready for real import. */ @@ -2002,6 +1973,13 @@ import_one_real (ctrl_t ctrl, @@ -2073,6 +2044,13 @@ import_one_real (ctrl_t ctrl, err = 0; stats->skipped_new_keys++; } Loading
pkgs/tools/security/gnupg/22.nix 0 → 100644 +115 −0 Original line number Diff line number Diff line { lib, stdenv, fetchurl, buildPackages , pkg-config, texinfo , gettext, libassuan, libgcrypt, libgpg-error, libiconv, libksba, npth , adns, bzip2, gnutls, libusb1, openldap, readline, sqlite, zlib , enableMinimal ? false , withPcsc ? !enableMinimal, pcsclite , guiSupport ? stdenv.isDarwin, pinentry }: with lib; let pinentryBinaryPath = pinentry.binaryPath or "bin/pinentry"; in assert guiSupport -> enableMinimal == false; stdenv.mkDerivation rec { pname = "gnupg"; version = "2.2.41"; src = fetchurl { url = "mirror://gnupg/gnupg/${pname}-${version}.tar.bz2"; hash = "sha256-E/MpEAel6FRvy3vAxmEM5EqqmzmVBZ1PgUW6Cf1b4+E="; }; depsBuildBuild = [ buildPackages.stdenv.cc ]; nativeBuildInputs = [ pkg-config texinfo ]; buildInputs = [ gettext libassuan libgcrypt libgpg-error libiconv libksba npth ] ++ lib.optionals (!enableMinimal) [ adns bzip2 gnutls libusb1 openldap readline sqlite zlib ]; patches = [ ./fix-libusb-include-path.patch ./tests-add-test-cases-for-import-without-uid.patch ./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch # The following patch has no effect as the code is # "[d]isabled for 2.2.19 to due problems with the standard hkps pool." #./0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch ./22-allow-import-of-previously-known-keys-even-without-UI.patch ]; postPatch = '' sed -i 's,hkps://hkps.pool.sks-keyservers.net,hkps://keys.openpgp.org,g' configure doc/dirmngr.texi doc/gnupg.info-1 # Fix broken SOURCE_DATE_EPOCH usage - remove on the next upstream update sed -i 's/$SOURCE_DATE_EPOCH/''${SOURCE_DATE_EPOCH}/' doc/Makefile.am sed -i 's/$SOURCE_DATE_EPOCH/''${SOURCE_DATE_EPOCH}/' doc/Makefile.in '' + lib.optionalString (stdenv.isLinux && withPcsc) '' sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c ''; configureFlags = [ "--with-libgpg-error-prefix=${libgpg-error.dev}" "--with-libgcrypt-prefix=${libgcrypt.dev}" "--with-libassuan-prefix=${libassuan.dev}" "--with-ksba-prefix=${libksba.dev}" "--with-npth-prefix=${npth}" ] ++ lib.optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentryBinaryPath}" ++ lib.optional stdenv.isDarwin "--disable-ccid-driver"; postInstall = if enableMinimal then '' rm -r $out/{libexec,sbin,share} for f in $(find $out/bin -type f -not -name gpg) do rm $f done '' else '' mkdir -p $out/lib/systemd/user for f in doc/examples/systemd-user/*.{service,socket} ; do substitute $f $out/lib/systemd/user/$(basename $f) \ --replace /usr/bin $out/bin done # add gpg2 symlink to make sure git does not break when signing commits ln -s $out/bin/gpg $out/bin/gpg2 # Make libexec tools available in PATH for f in $out/libexec/; do if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi ln -s $f $out/bin/$(basename $f) done ln -s -t $out/bin $out/libexec/* ''; enableParallelBuilding = true; passthru.tests.connman = nixosTests.gnupg; meta = with lib; { homepage = "https://gnupg.org"; description = "LTS release of the GNU Privacy Guard, a GPL OpenPGP implementation"; license = licenses.gpl3Plus; longDescription = '' The GNU Privacy Guard is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC4880. GnuPG "modern" (2.1) is the latest development with a lot of new features. GnuPG allows to encrypt and sign your data and communication, features a versatile key management system as well as access modules for all kind of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME. ''; maintainers = with maintainers; [ fpletz vrthra ]; platforms = platforms.all; mainProgram = "gpg"; }; }
pkgs/tools/security/gnupg/24-allow-import-of-previously-known-keys-even-without-UI.patch 0 → 100644 +107 −0 Original line number Diff line number Diff line From: Vincent Breitmoser <look@my.amazin.horse> Date: Thu, 13 Jun 2019 21:27:42 +0200 Subject: gpg: allow import of previously known keys, even without UIDs * g10/import.c (import_one): Accept an incoming OpenPGP certificate that has no user id, as long as we already have a local variant of the cert that matches the primary key. -- This fixes two of the three broken tests in import-incomplete.scm. GnuPG-Bug-id: 4393 Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> --- g10/import.c | 44 +++++++++++--------------------------------- 1 file changed, 11 insertions(+), 33 deletions(-) diff --git a/g10/import.c b/g10/import.c index 9fab46ca6..61896a6bf 100644 --- a/g10/import.c +++ b/g10/import.c @@ -1954,7 +1954,6 @@ import_one_real (ctrl_t ctrl, size_t an; char pkstrbuf[PUBKEY_STRING_SIZE]; int merge_keys_done = 0; - int any_filter = 0; KEYDB_HANDLE hd = NULL; if (r_valid) @@ -1992,13 +1991,6 @@ import_one_real (ctrl_t ctrl, } - if (!uidnode) - { - if (!silent) - log_error( _("key %s: no user ID\n"), keystr_from_pk(pk)); - return 0; - } - if (screener && screener (keyblock, screener_arg)) { log_error (_("key %s: %s\n"), keystr_from_pk (pk), @@ -2078,18 +2070,10 @@ import_one_real (ctrl_t ctrl, } } - /* Delete invalid parts and bail out if there are no user ids left. */ - if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs)) - { - if (!silent) - { - log_error ( _("key %s: no valid user IDs\n"), keystr_from_pk(pk)); - if (!opt.quiet) - log_info(_("this may be caused by a missing self-signature\n")); - } - stats->no_user_id++; - return 0; - } + /* Delete invalid parts, and note if we have any valid ones left. + * We will later abort import if this key is new but contains + * no valid uids. */ + delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs); /* Get rid of deleted nodes. */ commit_kbnode (&keyblock); @@ -2099,24 +2083,11 @@ import_one_real (ctrl_t ctrl, { apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid); commit_kbnode (&keyblock); - any_filter = 1; } if (import_filter.drop_sig) { apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig); commit_kbnode (&keyblock); - any_filter = 1; - } - - /* If we ran any filter we need to check that at least one user id - * is left in the keyring. Note that we do not use log_error in - * this case. */ - if (any_filter && !any_uid_left (keyblock)) - { - if (!opt.quiet ) - log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk)); - stats->no_user_id++; - return 0; } /* The keyblock is valid and ready for real import. */ @@ -2174,6 +2145,13 @@ import_one_real (ctrl_t ctrl, err = 0; stats->skipped_new_keys++; } + else if (err && !any_uid_left (keyblock)) + { + if (!silent) + log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid)); + err = 0; + stats->no_user_id++; + } else if (err) /* Insert this key. */ { /* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY. */
pkgs/tools/security/gnupg/24.nix +35 −19 Original line number Diff line number Diff line { fetchurl, fetchpatch, lib, stdenv, pkg-config, libgcrypt, libassuan, libksba , libgpg-error, libiconv, npth, gettext, texinfo, buildPackages , nixosTests , guiSupport ? stdenv.isDarwin, enableMinimal ? false , adns, bzip2, gnutls, libusb1, openldap , pinentry, readline, sqlite, zlib { lib, stdenv, fetchurl, buildPackages , pkg-config, texinfo , gettext, libassuan, libgcrypt, libgpg-error, libiconv, libksba, npth , adns, bzip2, gnutls, libusb1, openldap, readline, sqlite, zlib , enableMinimal ? false , withPcsc ? !enableMinimal, pcsclite , guiSupport ? stdenv.isDarwin, pinentry , withTpm2Tss ? !stdenv.isDarwin && !enableMinimal, tpm2-tss }: with lib; let pinentryBinaryPath = pinentry.binaryPath or "bin/pinentry"; in assert guiSupport -> enableMinimal == false; stdenv.mkDerivation rec { Loading @@ -16,44 +22,49 @@ stdenv.mkDerivation rec { src = fetchurl { url = "mirror://gnupg/gnupg/${pname}-${version}.tar.bz2"; sha256 = "sha256-HXkVjdAdmSQx3S4/rLif2slxJ/iXhOosthDGAPsMFIM="; hash = "sha256-HXkVjdAdmSQx3S4/rLif2slxJ/iXhOosthDGAPsMFIM="; }; depsBuildBuild = [ buildPackages.stdenv.cc ]; nativeBuildInputs = [ pkg-config texinfo ]; buildInputs = [ libgcrypt libassuan libksba libiconv npth gettext ] ++ lib.optionals (!enableMinimal) ([ readline libusb1 gnutls adns openldap zlib bzip2 sqlite ] ++ lib.optional withTpm2Tss tpm2-tss); gettext libassuan libgcrypt libgpg-error libiconv libksba npth ] ++ lib.optionals (!enableMinimal) [ adns bzip2 gnutls libusb1 openldap readline sqlite zlib ] ++ lib.optionals withTpm2Tss [ tpm2-tss ]; patches = [ ./fix-libusb-include-path.patch ./tests-add-test-cases-for-import-without-uid.patch # TODO: Refresh patch? Doesn't apply on 2.4.0 #./allow-import-of-previously-known-keys-even-without-UI.patch ./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch # The following patch has no effect as the code is # "[d]isabled for 2.3.2 to due problems with the standard hkps pool." #./0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch ./24-allow-import-of-previously-known-keys-even-without-UI.patch # Patch for DoS vuln from https://seclists.org/oss-sec/2022/q3/27 ./v3-0001-Disallow-compressed-signatures-and-certificates.patch ]; postPatch = '' sed -i 's,\(hkps\|https\)://keyserver.ubuntu.com,hkps://keys.openpgp.org,g' configure configure.ac doc/dirmngr.texi doc/gnupg.info-1 '' + lib.optionalString (stdenv.isLinux && withPcsc) '' sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c ''; pinentryBinaryPath = pinentry.binaryPath or "bin/pinentry"; configureFlags = [ "--with-libgpg-error-prefix=${libgpg-error.dev}" "--with-libgcrypt-prefix=${libgcrypt.dev}" "--with-libassuan-prefix=${libassuan.dev}" "--with-ksba-prefix=${libksba.dev}" "--with-npth-prefix=${npth}" ] ++ lib.optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentryBinaryPath}" ] ++ lib.optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentryBinaryPath}" ++ lib.optional withTpm2Tss "--with-tss=intel" ++ lib.optional stdenv.isDarwin "--disable-ccid-driver"; postInstall = if enableMinimal then '' rm -r $out/{libexec,sbin,share} Loading @@ -76,6 +87,11 @@ stdenv.mkDerivation rec { if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi ln -s $f $out/bin/$(basename $f) done for f in $out/libexec/; do if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi ln -s $f $out/bin/$(basename $f) done ''; enableParallelBuilding = true; Loading
pkgs/top-level/all-packages.nix +6 −1 Original line number Diff line number Diff line Loading @@ -7902,8 +7902,13 @@ with pkgs; gnupg1orig = callPackage ../tools/security/gnupg/1.nix { }; gnupg1compat = callPackage ../tools/security/gnupg/1compat.nix { }; gnupg1 = gnupg1compat; # use config.packageOverrides if you prefer original gnupg1 gnupg22 = callPackage ../tools/security/gnupg/22.nix { pinentry = if stdenv.isDarwin then pinentry_mac else pinentry-gtk2; libgcrypt = libgcrypt_1_8; }; gnupg24 = callPackage ../tools/security/gnupg/24.nix { guiSupport = stdenv.isDarwin; pinentry = if stdenv.isDarwin then pinentry_mac else pinentry-gtk2; }; gnupg = gnupg24;
