gnupg22: drop, libgcrypt_1_8: drop (#371269)

{

  lib,

  stdenv,

  fetchurl,

  libgpg-error,

  enableCapabilities ? false,

  libcap,

  buildPackages,

  # for passthru.tests

  gnupg,

  libotr,

  rsyslog,

}:

assert enableCapabilities -> stdenv.hostPlatform.isLinux;

stdenv.mkDerivation rec {

  pname = "libgcrypt";

  version = "1.8.10";

  src = fetchurl {

    url = "mirror://gnupg/libgcrypt/libgcrypt-${version}.tar.bz2";

    sha256 = "sha256-aJaRVQH5UeI9AtywRTRpwswiqk13oAH/c6JkfC0p590=";

  };

  outputs = [

    "out"

    "dev"

    "info"

  ];

  outputBin = "dev";

  # The CPU Jitter random number generator must not be compiled with

  # optimizations and the optimize -O0 pragma only works for gcc.

  # The build enables -O2 by default for everything else.

  hardeningDisable = lib.optional stdenv.cc.isClang "fortify";

  depsBuildBuild = [ buildPackages.stdenv.cc ];

  buildInputs = [ libgpg-error ] ++ lib.optional enableCapabilities libcap;

  strictDeps = true;

  configureFlags =

    [ "--with-libgpg-error-prefix=${libgpg-error.dev}" ]

    ++ lib.optional (

      stdenv.hostPlatform.isMusl || (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64)

    ) "--disable-asm"; # for darwin see https://dev.gnupg.org/T5157

  # Necessary to generate correct assembly when compiling for aarch32 on

  # aarch64

  configurePlatforms = [

    "host"

    "build"

  ];

  postConfigure = ''

    sed -i configure \

        -e 's/NOEXECSTACK_FLAGS=$/NOEXECSTACK_FLAGS="-Wa,--noexecstack"/'

  '';

  # Make sure libraries are correct for .pc and .la files

  # Also make sure includes are fixed for callers who don't use libgpgcrypt-config

  postFixup =

    ''

      sed -i 's,#include <gpg-error.h>,#include "${libgpg-error.dev}/include/gpg-error.h",g' "$dev/include/gcrypt.h"

    ''

    + lib.optionalString enableCapabilities ''

      sed -i 's,\(-lcap\),-L${libcap.lib}/lib \1,' $out/lib/libgcrypt.la

    '';

  doCheck = true;

  passthru.tests = {

    inherit gnupg libotr rsyslog;

  };

  meta = with lib; {

    homepage = "https://www.gnu.org/software/libgcrypt/";

    changelog = "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=${pname}.git;a=blob;f=NEWS;hb=refs/tags/${pname}-${version}";

    description = "General-purpose cryptographic library";

    license = licenses.lgpl2Plus;

    platforms = platforms.all;

    knownVulnerabilities = [

      "CVE-2021-40528"

    ];

  };

}

From: Vincent Breitmoser <look@my.amazin.horse>

Date: Thu, 13 Jun 2019 21:27:42 +0200

Subject: gpg: allow import of previously known keys, even without UIDs

* g10/import.c (import_one): Accept an incoming OpenPGP certificate that

has no user id, as long as we already have a local variant of the cert

that matches the primary key.

--

This fixes two of the three broken tests in import-incomplete.scm.

GnuPG-Bug-id: 4393

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

---

 g10/import.c | 44 +++++++++++---------------------------------

 1 file changed, 11 insertions(+), 33 deletions(-)

diff --git a/g10/import.c b/g10/import.c

index cd3363fc7..8f10771db 100644

--- a/g10/import.c

+++ b/g10/import.c

@@ -1858,7 +1858,6 @@ import_one_real (ctrl_t ctrl,

   size_t an;

   char pkstrbuf[PUBKEY_STRING_SIZE];

   int merge_keys_done = 0;

-  int any_filter = 0;

   KEYDB_HANDLE hd = NULL;

   if (r_valid)

@@ -1896,13 +1895,6 @@ import_one_real (ctrl_t ctrl,

     }

-  if (!uidnode )

-    {

-      if (!silent)

-        log_error( _("key %s: no user ID\n"), keystr_from_pk(pk));

-      return 0;

-    }

-

   if (screener && screener (keyblock, screener_arg))

     {

       log_error (_("key %s: %s\n"), keystr_from_pk (pk),

@@ -1977,18 +1969,10 @@ import_one_real (ctrl_t ctrl,

 	  }

     }

-  /* Delete invalid parts and bail out if there are no user ids left.  */

-  if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs))

-    {

-      if (!silent)

-        {

-          log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));

-          if (!opt.quiet )

-            log_info(_("this may be caused by a missing self-signature\n"));

-        }

-      stats->no_user_id++;

-      return 0;

-    }

+  /* Delete invalid parts, and note if we have any valid ones left.

+   * We will later abort import if this key is new but contains

+   * no valid uids.  */

+  delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs);

   /* Get rid of deleted nodes.  */

   commit_kbnode (&keyblock);

@@ -1998,24 +1982,11 @@ import_one_real (ctrl_t ctrl,

     {

       apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid);

       commit_kbnode (&keyblock);

-      any_filter = 1;

     }

   if (import_filter.drop_sig)

     {

       apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig);

       commit_kbnode (&keyblock);

-      any_filter = 1;

-    }

-

-  /* If we ran any filter we need to check that at least one user id

-   * is left in the keyring.  Note that we do not use log_error in

-   * this case. */

-  if (any_filter && !any_uid_left (keyblock))

-    {

-      if (!opt.quiet )

-        log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk));

-      stats->no_user_id++;

-      return 0;

     }

   /* The keyblock is valid and ready for real import.  */

@@ -2073,6 +2044,13 @@ import_one_real (ctrl_t ctrl,

       err = 0;

       stats->skipped_new_keys++;

     }

+  else if (err && !any_uid_left (keyblock))

+    {

+      if (!silent)

+        log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid));

+      err = 0;

+      stats->no_user_id++;

+    }

   else if (err)  /* Insert this key. */

     {

       /* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY.  */

{

  lib,

  stdenv,

  fetchurl,

  buildPackages,

  pkg-config,

  texinfo,

  gettext,

  libassuan,

  libgcrypt,

  libgpg-error,

  libiconv,

  libksba,

  npth,

  adns,

  bzip2,

  gnutls,

  libusb1,

  openldap,

  readline,

  sqlite,

  zlib,

  enableMinimal ? false,

  withPcsc ? !enableMinimal,

  pcsclite,

  guiSupport ? stdenv.hostPlatform.isDarwin,

  pinentry,

  nixosTests,

}:

assert guiSupport -> !enableMinimal;

stdenv.mkDerivation rec {

  pname = "gnupg";

  version = "2.2.41";

  src = fetchurl {

    url = "mirror://gnupg/gnupg/${pname}-${version}.tar.bz2";

    hash = "sha256-E/MpEAel6FRvy3vAxmEM5EqqmzmVBZ1PgUW6Cf1b4+E=";

  };

  depsBuildBuild = [ buildPackages.stdenv.cc ];

  nativeBuildInputs = [

    pkg-config

    texinfo

  ];

  buildInputs =

    [

      gettext

      libassuan

      libgcrypt

      libgpg-error

      libiconv

      libksba

      npth

    ]

    ++ lib.optionals (!enableMinimal) [

      adns

      bzip2

      gnutls

      libusb1

      openldap

      readline

      sqlite

      zlib

    ];

  patches = [

    ./fix-libusb-include-path.patch

    ./tests-add-test-cases-for-import-without-uid.patch

    ./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch

    ./22-allow-import-of-previously-known-keys-even-without-UI.patch

  ];

  postPatch =

    ''

      sed -i 's,hkps://hkps.pool.sks-keyservers.net,hkps://keys.openpgp.org,g' configure doc/dirmngr.texi doc/gnupg.info-1

      # Fix broken SOURCE_DATE_EPOCH usage - remove on the next upstream update

      sed -i 's/$SOURCE_DATE_EPOCH/''${SOURCE_DATE_EPOCH}/' doc/Makefile.am

      sed -i 's/$SOURCE_DATE_EPOCH/''${SOURCE_DATE_EPOCH}/' doc/Makefile.in

    ''

    + lib.optionalString (stdenv.hostPlatform.isLinux && withPcsc) ''

      sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c

    '';

  configureFlags =

    [

      "--with-libgpg-error-prefix=${libgpg-error.dev}"

      "--with-libgcrypt-prefix=${libgcrypt.dev}"

      "--with-libassuan-prefix=${libassuan.dev}"

      "--with-ksba-prefix=${libksba.dev}"

      "GPGRT_CONFIG=${lib.getDev libgpg-error}/bin/gpgrt-config"

    ]

    ++ lib.optional guiSupport "--with-pinentry-pgm=${pinentry}/${

      pinentry.binaryPath or "bin/pinentry"

    }"

    ++ lib.optional stdenv.hostPlatform.isDarwin "--disable-ccid-driver";

  postInstall =

    if enableMinimal then

      ''

        rm -r $out/{libexec,sbin,share}

        for f in $(find $out/bin -type f -not -name gpg)

        do

          rm $f

        done

      ''

    else

      ''

        mkdir -p $out/lib/systemd/user

        for f in doc/examples/systemd-user/*.{service,socket} ; do

          substitute $f $out/lib/systemd/user/$(basename $f) \

            --replace /usr/bin $out/bin

        done

        # add gpg2 symlink to make sure git does not break when signing commits

        ln -s $out/bin/gpg $out/bin/gpg2

        # Make libexec tools available in PATH

        for f in $out/libexec/; do

          if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi

          ln -s $f $out/bin/$(basename $f)

        done

        ln -s -t $out/bin $out/libexec/*

      '';

  enableParallelBuilding = true;

  passthru.tests = nixosTests.gnupg;

  meta = with lib; {

    homepage = "https://gnupg.org";

    changelog = "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=${pname}.git;a=blob;f=NEWS;hb=refs/tags/${pname}-${version}";

    description = "LTS release of the GNU Privacy Guard, a GPL OpenPGP implementation";

    license = licenses.gpl3Plus;

    longDescription = ''

      The GNU Privacy Guard is the GNU project's complete and free

      implementation of the OpenPGP standard as defined by RFC4880.  GnuPG

      "modern" (2.1) is the latest development with a lot of new features.

      GnuPG allows to encrypt and sign your data and communication, features a

      versatile key management system as well as access modules for all kind of

      public key directories.  GnuPG, also known as GPG, is a command line tool

      with features for easy integration with other applications.  A wealth of

      frontend applications and libraries are available.  Version 2 of GnuPG

      also provides support for S/MIME.

    '';

    maintainers = with maintainers; [ fpletz ];

    platforms = platforms.all;

    mainProgram = "gpg";

  };

}

  gmtp = throw "'gmtp' has been removed due to lack of maintenance upstream. Consider using 'gnome-music' instead"; # Added 2024-09-14

  gnome-latex = throw "'gnome-latex' has been superseded by 'enter-tex'"; # Added 2024-09-18

  gnu-cobol = gnucobol; # Added 2024-09-17

  gnupg22 = throw "'gnupg22' is end-of-life. Consider using 'gnupg24' instead"; # Added 2025-01-05

  gogs = throw ''

    Gogs development has stalled. Also, it has several unpatched, critical vulnerabilities that

    weren't addressed within a year: https://github.com/gogs/gogs/issues/7777

  libbitcoin-network = throw "libbitcoin-network has been removed as it required an obsolete version of Boost and had no maintainer in Nixpkgs"; # Added 2024-11-24

  libbitcoin-protocol = throw "libbitcoin-protocol has been removed as it required an obsolete version of Boost and had no maintainer in Nixpkgs"; # Added 2024-11-24

  libdwg = throw "libdwg has been removed as upstream is unmaintained, the code doesn't build without significant patches, and the package had no reverse dependencies"; # Added 2024-12-28

  libgcrypt_1_8 = throw "'libgcrypt_1_8' is end-of-life. Consider using 'libgcrypt' instead"; # Added 2025-01-05

  libgme = game-music-emu; # Added 2022-07-20

  libgnome-keyring3 = libgnome-keyring; # Added 2024-06-22

  libgpgerror = throw "'libgpgerror' has been renamed to/replaced by 'libgpg-error'"; # Converted to throw 2024-10-17

  gnupg1compat = callPackage ../tools/security/gnupg/1compat.nix { };

  gnupg1 = gnupg1compat;    # use config.packageOverrides if you prefer original gnupg1

  gnupg22 = callPackage ../tools/security/gnupg/22.nix {

    pinentry = if stdenv.hostPlatform.isDarwin then pinentry_mac else pinentry-gtk2;

    libgcrypt = libgcrypt_1_8;

  };

  gnupg24 = callPackage ../tools/security/gnupg/24.nix {

    pinentry = if stdenv.hostPlatform.isDarwin then pinentry_mac else pinentry-gtk2;

  };

  libgcrypt = callPackage ../development/libraries/libgcrypt { };

  libgcrypt_1_8 = callPackage ../development/libraries/libgcrypt/1.8.nix { };

  libgdiplus = callPackage ../development/libraries/libgdiplus {

      inherit (darwin.apple_sdk.frameworks) Carbon;

  };