Noteworthy changes in version 2.5.5 (2025-03-07)
------------------------------------------------
* gpg: Fix a verification DoS due to a malicious subkey in the
keyring. [T7527]
* dirmngr: Fix possible hangs due to blocking connection requests.
[T6606, T7434]
* w32: On socket nonce mismatch close the socket. [T7434]
* w32: Print more detailed diagnostics for IPC errors.
* GPGME is not any more distributed with the Windows installer.
Please install gpg4win to get gpgme version.
See-also: gnupg-announce/2025q1/000491.html
Release-info: https://dev.gnupg.org/T7530https://dev.gnupg.org/source/gnupg/browse/master/NEWS
(From OE-Core rev: e0eaf598193012c6b0ada9e56be9bc0d6b19ec97)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Unfortunately this has been overlooked, and resulted in
erroneous updates to testing/development releases.
The check will report an 'unknown' latest version until 2.6.0
is released.
(From OE-Core rev: 7e505c1506ea6a079b0291f84e4ec6774064ef20)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Noteworthy changes in version 2.5.4 (2025-02-12)
------------------------------------------------
* gpg: New option --disable-pqc-encryption. [rG00c31f8b04]
* gpg: Fix --quick-add-key for Weierstrass ECC with usage given.[T7506]
* gpg: Fix handling with no CRC armor. [T7071]
* gpg: New private Kyber keys are now cross-referenced using a new
Link attribute. [T6638]
* gpg: Fix an import problem with keys having another primary key as
a subkey. [T7527]
* gpgsm: Allow unattended PKCS#12 export without passphrase.
[rG159e801043]
* gpgsm: Allow CSR generation with an unprotected key.
[rG89055f24f4]
* agent: New option --change-std-env-name. [T7522]
* agent: Fix ssh-agent's request_identities for skipped Brainpool
keys. [rG2469dc5aae]
* Do not package zlib and bzip2 object files in a speedo release
build. [T7442]
See-also: gnupg-announce/2025q1/000490.html
Release-info: https://dev.gnupg.org/T7480https://dev.gnupg.org/source/gnupg/browse/master/NEWS
(From OE-Core rev: 59f26c7311ae3d5596f517b739e7c3435db070a3)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
0001-fix-compile-failure-with-musl.patch
relocate.patch
refreshed for 2.5.2
Changelog:
============
* gpg: Add option 16 to --full-gen-key to create ECC+Kyber.
* gpg: For composite algos add the algo string to the colons listings.
* gpg: Validate the trustdb after the import of a trusted key.
* gpg: Exclude expired trusted keys from the key validation process.
* gpg: Fix a wrong decryption failed status for signed and OCB
encrypted messages without a signature verification key.
* gpg: Retain binary representation for import->export with Ed25519
key signatures.
* gpg: Fix comparing ed448 to ed25519 with --assert-pubkey-algo.
* gpg: Avoid a failure exit code for expired ultimately trusted keys.
* gpg: Emit status error for an invalid ADSK.
* gpg: Allow the use of an ADSK subkey as ADSK subkey.
* gpg: Fix --quick-set-expire for V5 subkey fingerprints.
* gpg: Robust error handling for SCD READKEY.
* gpg: Fix cv25519 v5 export regression.
* gpgsm: Nearly fourfold speedup of validated certificate listings.
* gpgsm: Improvement for some rare P12 files.
* gpgsm: Terminate key listing on output write error.
* agent: Add option --status to the LISTRUSTED command.
* agent: Fix detection of the yet unused trustflag de-vs.
* agent: Allow ssh to sign data larger than the Assuan line length.
* keyboxd: Fix a race condition on the database handle.
* dirmngr: A list of used URLs for loaded CRLs is printed first in
the output of the LISTCRL command.
* scd: More mitigations against lock ups with multiple cards or apps.
* gpgtar: Use log-file from common.conf only in --batch mode.
* gpgtar: Fix directory creation during extraction.
* gpg-mail-tube: Minor fixes.
* gpgconf: Add list flag to trusted-key et al.
* Implement GNUPG_ASSUME_COMPLIANCE envvar and registry key for
testing de-vs compliance mode.
* Enable additional runtime protections in speedo builds for windows.
* Fix a race condition in creating the socket directory.
* Fix a build problem on macOS (missing unistd.h).
(From OE-Core rev: 2ab817c434ac443e29d66105056675d6256e8a2c)
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Due to upstream [build: Remove configure option --enable-gpg-is-gpg2][1],
drop option --enable-gpg-is-gpg2 and remove gpg2/gpgv2 installation
Due to upsream [doc: Remove included yat2m and build HTML versions of
the man pages.][2], it used standard detection on yat2m other than build
it from source. Because no native recipe provide yat2m in Yocto,
explicitly disable doc via option --disable-doc
[1] 2125f228d3
[2] 60c541f588
(From OE-Core rev: 3a00465f4b0c01580fb27e0c462696bd4f840828)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
==========
* gpg,gpgv: New option --assert-pubkey-algo.
* gpg: Emit status lines for errors in the compression layer.
* gpg: Fix invocation with --trusted-keys and --no-options.
* gpgsm: Allow for a longer salt in PKCS#12 files.
* gpgtar: Make --status-fd=2 work on Windows.
* scd: Support for the ACR-122U NFC reader.
* scd: Suport D-TRUST ECC cards.
* scd: Allow auto detaching of kernel drivers; can be disabled with
the new compatibility-flag ccid-no-auto-detach.
* scd: Allow setting a PIN length of 6 also with a reset code for
openpgp cards.
* agent: Allow GET_PASSPHRASE in restricted mode.
* dirmngr: Trust system's root CAs for checking CRL issuers.
* dirmngr: Fix regression in 2.4.4 in fetching keys via hkps.
* gpg-wks-client: Make option --mirror work properly w/o specifying
domains.
* g13,gpg-wks-client: Allow command style options as in "g13 mount
foo".
* Allow tilde expansion for the foo-program options.
* Make the getswdb.sh tool usable outside the GnuPG tree.
(From OE-Core rev: eadaa195c8ded5f74bd7a146840c5dd610cd3c36)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
By default, the tests are built and run at do_compile and we can see
errors like below in log.do_compile:
gnupg-2.4.4/tests/cms/inittests: line 99: ../../sm/gpgsm: cannot execute binary file: Exec format error
Note that the do_compile process still succeeds. However, we'd better avoid
executing these target binaries at build time.
(From OE-Core rev: 74d48497470ce209bc6bdf49c2e2cfda67dce6ae)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
yat2m can be found within the build or from the recipe-sysroot-native if
runtime dependencies are present. The sysroot version has version differences
to the in tree copy. Specify the one we want to make the build determinstic.
(From OE-Core rev: 1feb5274db6e985e10f58359b148dabb4076917a)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
An automated conversion using scripts/contrib/convert-spdx-licenses.py to
convert to use the standard SPDX license identifiers. Two recipes in meta-selftest
were not converted as they're that way specifically for testing. A change in
linux-firmware was also skipped and may need a more manual tweak.
(From OE-Core rev: ceda3238cdbf1beb216ae9ddb242470d5dfc25e0)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
refresh relocate.patch
Chanlog:
========
Bugs fixed for this release <https://dev.gnupg.org/#####>
gpg: New option --min-rsa-length. [rG5f39db70c0]
gpg: New option --forbid-gen-key. [rGc397ba3ac0]
gpg: New option --override-compliance-check. [T5655]
gpgconf: New command --show-configs. [rGa0fb78ee0f]
agent,dirmngr,keyboxd: New option --steal-socket. [rGb0079ab39d,rGdd708f60d5]
gpg: Fix printing of binary notations. [T5667]
gpg: Remove stale ultimately trusted keys from the trustdb. [T5685,T5742]
gpg: Fix indentation of --print-mds and --print-md sha512. [T5679]
gpg: Emit gpg 2.2 compatible Ed25519 signature. [T5331]
gpgsm: Detect circular chains in --list-chain. [rG74c5b35062]
dirmngr: Make reading resolv.conf more robust. [T5657]
dirmngr: Ask keyservers to provide the key fingerprints. [T5741]
gpgconf: Allow changing gpg's deprecated keyserver option. [T5462]
gpg-wks-server: Fix created file permissions. [rG60be00b033]
scd: Support longer data for ssh-agent authentication with openpgp cards. [T5682]
scd: Modify DEVINFO behavior to support looping forever. [T5359]
Support gpgconf.ctl for NetBSD and Solaris. [T5656,T5671]
Silence "Garbled console data" warning under Windows in most cases. [rGe293da3b21]
Silence warning about the rootdir under Unices w/o a mounted /proc file system. [T5656]
Fix possible build problems about missing include files. [T5592]
(From OE-Core rev: 66e06fd409c27f212f41b69a01416cea41a198cd)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop chunk from relocate.patch, the upstream code no longer exists.
(From OE-Core rev: 8f268f981d53615d8ac9ee3ee64d840dc7051ced)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Set a path to where sendmail would exist making the output deterministic
as it no longer depends on the build host and the presense of sendmail
there.
(From OE-Core rev: 32e03a430f13960fe07f08c04eaa58017d977f6c)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Remove 0001-Use-pkg-config-to-find-pth-instead-of-pth-config.patch
as upstream has removed the .m4 files.
Rebase other patches.
(From OE-Core rev: 623b10d3428f84219f7fb0cbb539fbbba7161e2d)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This addresses CVE-2020-25125 and provides some other minor
updates and translations.
Updated commits for reference:
e234d04c3 Werner Koch Release 2.2.23
aeb8272ca Werner Koch gpg: Fix AEAD preference list overflow
038314665 Werner Koch po: auto update
1a4b0fd79 Yuri Chornoivan po: Update Ukrainian translation
93d10403a Jakub Bogusz po: Update Polish translation
a8a8105bc Werner Koch po: Add key-check.c to the list of translatable sources.
cad9955ac Petr Pisar po: Update Czech translation.
896c528ba Werner Koch gpg: Fix segv importing certain keys.
0a9665187 NIIBE Yutaka scd: Fix a regression for OpenPGP card.
bcae9cd4e Nagy Ferenc László po: Minor update to the Hungarian translation.
d2fe2ffd7 Werner Koch sm: Fix a bug in the rfc2253 parser
f799b3ddb Werner Koch Post release updates
(From OE-Core rev: 965683336816eba7cb0548e59faf224f74b306b1)
Signed-off-by: Saul Wold <saul.wold@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There is already a relocate.patch for native which is used for reading
GNUPG_BINDIR from environment variables, now also enable it for nativesdk.
Otherwise, command like the following one doesn't work for nativesdk:
$ gpg-connect-agent --homedir ../keys/ reloadagent /bye
gpg-connect-agent: no running gpg-agent - starting '/opt/path/to/sysroots/x86_64-wrlinuxsdk-linux/usr/bin/gpg-agent'
gpg-connect-agent: failed to start agent '/opt/path/sysroots/x86_64-wrlinuxsdk-linux/usr/bin/gpg-agent': No such file or directory
(From OE-Core rev: c6b00b5594adec0a7d7a7f3617fb99b65ea8d9f1)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Enable nativesdk builds of gnupg and it's dependencies (libksba, npth,
and pinentry) to fix builds of nativesdk-opkg.
This is necessary on distribution which enable gpg signature
verification in opkg and also build SDK images that include opkg.
(From OE-Core rev: e935cba0122a93df611c9a846c16b7841b715fd8)
Signed-off-by: Haris Okanovic <haris.okanovic@ni.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add minimal "gnupg-gpg" package containing just enough binaries to run
gpg and gpg-agent. Add dependency in normal "gnupg" package to preserve
old behavior.
Some applications like opkg don't need all functionality provided by
normal gnupg installations. This minimal package provides just enough
functionality to verify and manage keys in opkg, in order to minimize
disk overhead.
(From OE-Core rev: 6686c64ad30481d4d67af6a7b9bec7e7ae1a83fe)
Signed-off-by: Haris Okanovic <haris.okanovic@ni.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The gpg commit signing in ostree-native doesn't work properly when
running from sstate. The ostree-native is linked with gpgme-native's
libraries, which have calls into gpg.
Ultimately it turned out the problem was that gpgme calls gpgconf and
some of the other gnupg-native binaries directly. Not all the
binaries have a wrapper which sets the environment variable GNUPG_BIN.
Without this wrapper these binaries it gets the path assignment from
the original compilation which causes a fault when running from sstate
in a new tmp directory because these paths will not exist.
(From OE-Core rev: f93bf3bd051923618ce3949d5686fdb8cf998645)
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
GnuPG hard-codes $bindir etc and uses them to find the helper binaries, such as
gpg-agent. This breaks if gnupg-native is reused from sstate for a different
build directory and GPG signing of packages is required.
Patch in getenv() checks for gnupg-native when returning the hardcoded paths,
and create a wrapper script which overrides GNUPG_BINDIR. There are more paths
that can be overridden, but this one is sufficient to make GnuPG work.
(From OE-Core rev: dfd69ff889ed78bf137116583d8ae351859ee203)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
