By default, the tests are built and run at do_compile and we can see
errors like below in log.do_compile:
gnupg-2.3.7/tests/cms/inittests: line 99: ../../sm/gpgsm: cannot execute binary file: Exec format error
Note that the do_compile process still succeeds. However, we'd better avoid
executing these target binaries at build time.
(From OE-Core rev: b02f99a0b82ed55a07c00b32805ad676c04ee4ab)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(master rev: 74d48497470ce209bc6bdf49c2e2cfda67dce6ae)
Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This is vulnerability of libksba and we use fixed libksba version
(currently 1.6.4).
(From OE-Core rev: 12007a6d19db220e6540948de9818332192ecde1)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
An automated conversion using scripts/contrib/convert-spdx-licenses.py to
convert to use the standard SPDX license identifiers. Two recipes in meta-selftest
were not converted as they're that way specifically for testing. A change in
linux-firmware was also skipped and may need a more manual tweak.
(From OE-Core rev: ceda3238cdbf1beb216ae9ddb242470d5dfc25e0)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
refresh relocate.patch
Chanlog:
========
Bugs fixed for this release <https://dev.gnupg.org/#####>
gpg: New option --min-rsa-length. [rG5f39db70c0]
gpg: New option --forbid-gen-key. [rGc397ba3ac0]
gpg: New option --override-compliance-check. [T5655]
gpgconf: New command --show-configs. [rGa0fb78ee0f]
agent,dirmngr,keyboxd: New option --steal-socket. [rGb0079ab39d,rGdd708f60d5]
gpg: Fix printing of binary notations. [T5667]
gpg: Remove stale ultimately trusted keys from the trustdb. [T5685,T5742]
gpg: Fix indentation of --print-mds and --print-md sha512. [T5679]
gpg: Emit gpg 2.2 compatible Ed25519 signature. [T5331]
gpgsm: Detect circular chains in --list-chain. [rG74c5b35062]
dirmngr: Make reading resolv.conf more robust. [T5657]
dirmngr: Ask keyservers to provide the key fingerprints. [T5741]
gpgconf: Allow changing gpg's deprecated keyserver option. [T5462]
gpg-wks-server: Fix created file permissions. [rG60be00b033]
scd: Support longer data for ssh-agent authentication with openpgp cards. [T5682]
scd: Modify DEVINFO behavior to support looping forever. [T5359]
Support gpgconf.ctl for NetBSD and Solaris. [T5656,T5671]
Silence "Garbled console data" warning under Windows in most cases. [rGe293da3b21]
Silence warning about the rootdir under Unices w/o a mounted /proc file system. [T5656]
Fix possible build problems about missing include files. [T5592]
(From OE-Core rev: 66e06fd409c27f212f41b69a01416cea41a198cd)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop chunk from relocate.patch, the upstream code no longer exists.
(From OE-Core rev: 8f268f981d53615d8ac9ee3ee64d840dc7051ced)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Set a path to where sendmail would exist making the output deterministic
as it no longer depends on the build host and the presense of sendmail
there.
(From OE-Core rev: 32e03a430f13960fe07f08c04eaa58017d977f6c)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Remove 0001-Use-pkg-config-to-find-pth-instead-of-pth-config.patch
as upstream has removed the .m4 files.
Rebase other patches.
(From OE-Core rev: 623b10d3428f84219f7fb0cbb539fbbba7161e2d)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This addresses CVE-2020-25125 and provides some other minor
updates and translations.
Updated commits for reference:
e234d04c3 Werner Koch Release 2.2.23
aeb8272ca Werner Koch gpg: Fix AEAD preference list overflow
038314665 Werner Koch po: auto update
1a4b0fd79 Yuri Chornoivan po: Update Ukrainian translation
93d10403a Jakub Bogusz po: Update Polish translation
a8a8105bc Werner Koch po: Add key-check.c to the list of translatable sources.
cad9955ac Petr Pisar po: Update Czech translation.
896c528ba Werner Koch gpg: Fix segv importing certain keys.
0a9665187 NIIBE Yutaka scd: Fix a regression for OpenPGP card.
bcae9cd4e Nagy Ferenc László po: Minor update to the Hungarian translation.
d2fe2ffd7 Werner Koch sm: Fix a bug in the rfc2253 parser
f799b3ddb Werner Koch Post release updates
(From OE-Core rev: 965683336816eba7cb0548e59faf224f74b306b1)
Signed-off-by: Saul Wold <saul.wold@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There is already a relocate.patch for native which is used for reading
GNUPG_BINDIR from environment variables, now also enable it for nativesdk.
Otherwise, command like the following one doesn't work for nativesdk:
$ gpg-connect-agent --homedir ../keys/ reloadagent /bye
gpg-connect-agent: no running gpg-agent - starting '/opt/path/to/sysroots/x86_64-wrlinuxsdk-linux/usr/bin/gpg-agent'
gpg-connect-agent: failed to start agent '/opt/path/sysroots/x86_64-wrlinuxsdk-linux/usr/bin/gpg-agent': No such file or directory
(From OE-Core rev: c6b00b5594adec0a7d7a7f3617fb99b65ea8d9f1)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Enable nativesdk builds of gnupg and it's dependencies (libksba, npth,
and pinentry) to fix builds of nativesdk-opkg.
This is necessary on distribution which enable gpg signature
verification in opkg and also build SDK images that include opkg.
(From OE-Core rev: e935cba0122a93df611c9a846c16b7841b715fd8)
Signed-off-by: Haris Okanovic <haris.okanovic@ni.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add minimal "gnupg-gpg" package containing just enough binaries to run
gpg and gpg-agent. Add dependency in normal "gnupg" package to preserve
old behavior.
Some applications like opkg don't need all functionality provided by
normal gnupg installations. This minimal package provides just enough
functionality to verify and manage keys in opkg, in order to minimize
disk overhead.
(From OE-Core rev: 6686c64ad30481d4d67af6a7b9bec7e7ae1a83fe)
Signed-off-by: Haris Okanovic <haris.okanovic@ni.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The gpg commit signing in ostree-native doesn't work properly when
running from sstate. The ostree-native is linked with gpgme-native's
libraries, which have calls into gpg.
Ultimately it turned out the problem was that gpgme calls gpgconf and
some of the other gnupg-native binaries directly. Not all the
binaries have a wrapper which sets the environment variable GNUPG_BIN.
Without this wrapper these binaries it gets the path assignment from
the original compilation which causes a fault when running from sstate
in a new tmp directory because these paths will not exist.
(From OE-Core rev: f93bf3bd051923618ce3949d5686fdb8cf998645)
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
GnuPG hard-codes $bindir etc and uses them to find the helper binaries, such as
gpg-agent. This breaks if gnupg-native is reused from sstate for a different
build directory and GPG signing of packages is required.
Patch in getenv() checks for gnupg-native when returning the hardcoded paths,
and create a wrapper script which overrides GNUPG_BINDIR. There are more paths
that can be overridden, but this one is sufficient to make GnuPG work.
(From OE-Core rev: dfd69ff889ed78bf137116583d8ae351859ee203)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
gunpg added TLS support to the dirmngr for 2.1.0, mostly we linked with
gnutls and had the RDEPENDS for gnutls. Since we had TLS support continue
enabling it by default.
(From OE-Core rev: 7f9806afb0b05fcd6af14910ed488a2ce277913c)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These are recipes where the upstream has moved to GPLv3 and these old
versions are the last ones under the GPLv2 license.
There are several reasons for making this move. There is a different
quality of service with these recipes in that they don't get security
fixes and upstream no longer care about them, in fact they're actively
hostile against people using old versions. The recipes tend to need a
different kind of maintenance to work with changes in the wider ecosystem
and there needs to be isolation between changes made in the v3 versions
and those in the v2 versions.
There are probably better ways to handle a "non-GPLv3" system but right
now having these in OE-Core makes them look like a first class citizen
when I believe they have potential for a variety of undesireable issues.
Moving them into a separate layer makes their different needs clearer, it
also makes it clear how many of these there are. Some are probably not
needed (e.g. mc), I also wonder whether some are useful (e.g. gmp)
since most things that use them are GPLv3 only already. Someone could
now more clearly see how to streamline the list of recipes here.
I'm proposing we mmove to this separate layer for 2.3 with its future
maintinership and testing to be determined in 2.4 and beyond.
(From OE-Core rev: 19b7e950346fb1dde6505c45236eba6cd9b33b4b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Update LIC_FILES_CHKSUM md5 checksum, because "http" has been
changed to "https".
(From OE-Core rev: ec672ab878ca203385b3fbd764c17af6b56d8475)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
