Update to latest GnuPG stable and add patch to improve default security when using gpgv.
Signed-off-by: Clemens Gruber <clemens.gru...@pqgruber.com>
---
Note: The enable-build-timestamp option is not available in the stable version I looked into moving to the modern GnuPG version 2.1.x with ECC support but ran into problems. I therefore bumped only the minor version.
 ...-tweak-default-options-for-extra-security.patch | 44 ++++++++++++++++++++++
 patches/gnupg-2.0.30/series | 1 +
 rules/gnupg.make | 5 +--
 3 files changed, 47 insertions(+), 3 deletions(-)
 create mode 100644 patches/gnupg-2.0.30/0001-gpgv-tweak-default-options-for-extra-security.patch
 create mode 100644 patches/gnupg-2.0.30/series
diff --git a/patches/gnupg-2.0.30/0001-gpgv-tweak-default-options-for-extra-security.patch b/patches/gnupg-2.0.30/0001-gpgv-tweak-default-options-for-extra-security.patch
new file mode 100644
index 0000000..ea5c439
--- /dev/null
+++ b/patches/gnupg-2.0.30/0001-gpgv-tweak-default-options-for-extra-security.patch
@@ -0,0 +1,44 @@
+From b531f2fd75be3f616073cba714d73324525fd3e4 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gni...@fsij.org>
+Date: Sat, 9 Jul 2016 10:20:02 +0900
+Subject: [PATCH] gpgv: Tweak default options for extra security.
+
+* g10/gpgv.c (main): Set opt.no_sig _cache, so that it doesn't depend on
+cached status. Similarly, set opt.flags.require_cross_cert for backsig
+validation for subkey signature.
+
+--
+
+(backport of master
+commit e32c575e0f3704e7563048eea6d26844bdfc494b)
+
+It is common that an organization distributes binary keyrings with
+signature cache (Tag 12, Trust Packet) and people use gpgv to validate
+signature with such keyrings. In such a use case, it is possible that
+the key validation itself is skipped.
+
+For the purpose of gpgv validation of signatures, we should not depend
+on signature cache in keyrings (if any), but we should validate the key
+by its self signature for primary key, and back signature for subkey.
+
+Signed-off-by: NIIBE Yutaka <gni...@fsij.org>
+---
+ g10/gpgv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/g10/gpgv.c b/g10/gpgv.c
+index b700f17..3b48a0e 100644
+--- a/g10/gpgv.c
++++ b/g10/gpgv.c
+@@ -163,6 +163,8 @@ main( int argc, char **argv )
+ opt.pgp2_workarounds = 1;
+ opt.keyserver_options.options|=KEYSERVER_AUTO_KEY_RETRIEVE;
+ opt.trust_model = TM_ALWAYS;
++ opt.no_sig_cache = 1;
++ opt.flags.require_cross_cert = 1;
+ opt.batch = 1;
+
+ opt.homedir = default_homedir ();
+--
+2.8.0.rc3
+
diff --git a/patches/gnupg-2.0.30/series b/patches/gnupg-2.0.30/series
new file mode 100644
index 0000000..62a2fae
--- /dev/null
+++ b/patches/gnupg-2.0.30/series
@@ -0,0 +1 @@
+0001-gpgv-tweak-default-options-for-extra-security.patch
diff --git a/rules/gnupg.make b/rules/gnupg.make
index 15e78eb..39f1687 100644
--- a/rules/gnupg.make
+++ b/rules/gnupg.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_GNUPG) += gnupg
 #
 # Paths and names
 #
-GNUPG_VERSION := 2.0.26
-GNUPG_MD5 := fa7e704aad33eb114d1840164455aec1
+GNUPG_VERSION := 2.0.30
+GNUPG_MD5 := 01bb47e669a78eaca90dbe6b4b4acc24
 GNUPG := gnupg-$(GNUPG_VERSION)
 GNUPG_SUFFIX := tar.bz2
 GNUPG_URL := ftp://ftp.gnupg.org/gcrypt/gnupg/$(GNUPG).$(GNUPG_SUFFIX)
@@ -40,7 +40,6 @@ GNUPG_CONF_OPT := $(CROSS_AUTOCONF_USR) \
 --disable-doc \
 --disable-gpgtar \
 --disable-exec \
- --disable-exec \
 --disable-photo-viewers \
 --disable-keyserver-helpers \
 --disable-ldap \
--
2.10.0
_______________________________________________
ptxdist mailing list ptxdist@pengutronix.de
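Review bot: The new `GNUPG_MD5` value is the only integrity pin this hunk shows for the 2.0.30 tarball, and the `GNUPG_URL` context line fetches it over plain `ftp://`, so the download is protected by an MD5 digest alone. The commit does not say how the new digest was obtained; since upstream publishes detached signatures for its releases, it would help to record that next to the variable or in the commit message, e.g. `# checksum taken from a tarball verified against the upstream signature`. If the build system's fetch step can check a stronger digest than MD5, pinning that as well would be preferable; whether it can is not visible here. The second hunk in this file only drops the duplicated `--disable-exec` and needs no change.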