Makes public key, cipher and hash algorithms configurable.

The binaries are now gpg and gpgv with symlinks gpg2 and gpgv2.

The gpgv patch is now upstream, so it is removed here.

Signed-off-by: Clemens Gruber <clemens.gru...@pqgruber.com>
---
 ...-tweak-default-options-for-extra-security.patch | 44 --------------
 patches/gnupg-2.0.30/series                        |  1 -
 rules/gnupg.in                                     | 68 +++++++++++++++++++++
 rules/gnupg.make                                   | 70 ++++++++++++++++------
 4 files changed, 121 insertions(+), 62 deletions(-)
 delete mode 100644 
patches/gnupg-2.0.30/0001-gpgv-tweak-default-options-for-extra-security.patch
 delete mode 100644 patches/gnupg-2.0.30/series

diff --git 
a/patches/gnupg-2.0.30/0001-gpgv-tweak-default-options-for-extra-security.patch 
b/patches/gnupg-2.0.30/0001-gpgv-tweak-default-options-for-extra-security.patch
deleted file mode 100644
index ea5c43977..000000000
--- 
a/patches/gnupg-2.0.30/0001-gpgv-tweak-default-options-for-extra-security.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From b531f2fd75be3f616073cba714d73324525fd3e4 Mon Sep 17 00:00:00 2001
-From: NIIBE Yutaka <gni...@fsij.org>
-Date: Sat, 9 Jul 2016 10:20:02 +0900
-Subject: [PATCH] gpgv: Tweak default options for extra security.
-
-* g10/gpgv.c (main): Set opt.no_sig _cache, so that it doesn't depend on
-cached status.  Similarly, set opt.flags.require_cross_cert for backsig
-validation for subkey signature.
-
---
-
-(backport of master
-commit e32c575e0f3704e7563048eea6d26844bdfc494b)
-
-It is common that an organization distributes binary keyrings with
-signature cache (Tag 12, Trust Packet) and people use gpgv to validate
-signature with such keyrings.  In such a use case, it is possible that
-the key validation itself is skipped.
-
-For the purpose of gpgv validation of signatures, we should not depend
-on signature cache in keyrings (if any), but we should validate the key
-by its self signature for primary key, and back signature for subkey.
-
-Signed-off-by: NIIBE Yutaka <gni...@fsij.org>
----
- g10/gpgv.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/g10/gpgv.c b/g10/gpgv.c
-index b700f17..3b48a0e 100644
---- a/g10/gpgv.c
-+++ b/g10/gpgv.c
-@@ -163,6 +163,8 @@ main( int argc, char **argv )
-   opt.pgp2_workarounds = 1;
-   opt.keyserver_options.options|=KEYSERVER_AUTO_KEY_RETRIEVE;
-   opt.trust_model = TM_ALWAYS;
-+  opt.no_sig_cache = 1;
-+  opt.flags.require_cross_cert = 1;
-   opt.batch = 1;
- 
-   opt.homedir = default_homedir ();
--- 
-2.8.0.rc3
-
diff --git a/patches/gnupg-2.0.30/series b/patches/gnupg-2.0.30/series
deleted file mode 100644
index 62a2fae81..000000000
--- a/patches/gnupg-2.0.30/series
+++ /dev/null
@@ -1 +0,0 @@
-0001-gpgv-tweak-default-options-for-extra-security.patch
diff --git a/rules/gnupg.in b/rules/gnupg.in
index 25226558d..eac44f509 100644
--- a/rules/gnupg.in
+++ b/rules/gnupg.in
@@ -7,6 +7,7 @@ menuconfig GNUPG
        select LIBASSUAN
        select LIBGCRYPT
        select LIBKSBA
+       select NPTH
        select READLINE
        select ZLIB
        help
@@ -26,4 +27,71 @@ config GNUPG_GPGV
        bool
        prompt "Install gpgv2"
 
+menu "public key algorithms"
+
+config GNUPG_GPG_RSA
+       bool
+       default y
+       prompt "RSA"
+
+config GNUPG_GPG_ECDH
+       bool
+       prompt "ECDH"
+
+config GNUPG_GPG_ECDSA
+       bool
+       prompt "ECDSA"
+
+config GNUPG_GPG_EDDSA
+       bool
+       prompt "EdDSA"
+
+endmenu
+
+menu "cipher algorithms"
+
+config GNUPG_GPG_AES
+       bool
+       default y
+       prompt "AES"
+
+config GNUPG_GPG_BLOWFISH
+       bool
+       prompt "Blowfish"
+
+config GNUPG_GPG_CAMELLIA
+       bool
+       prompt "Camellia"
+
+config GNUPG_GPG_CAST5
+       bool
+       prompt "CAST5"
+
+config GNUPG_GPG_IDEA
+       bool
+       prompt "IDEA"
+
+config GNUPG_GPG_TWOFISH
+       bool
+       prompt "Twofish"
+
+endmenu
+
+menu "hash algorithms"
+
+config GNUPG_GPG_SHA
+       bool
+       default y
+       prompt "SHA"
+
+config GNUPG_GPG_MD5
+       bool
+       prompt "MD5"
+
+config GNUPG_GPG_RMD160
+       bool
+       prompt "RIPE-MD160"
+
+endmenu
+
 endif
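Review bot: None of the new algorithm symbols (GNUPG_GPG_RSA through GNUPG_GPG_RMD160) carries a `help` block, so a menuconfig user sees only "MD5", "IDEA" or "SHA" with no guidance on what enabling or disabling them means for the target. MD5, IDEA, CAST5 and Blowfish are legacy algorithms that are, as far as I know, mainly needed to read old keys and messages, and the config entry is the natural place to say so instead of leaving them as unexplained off-by-default knobs. GNUPG_GPG_SHA only controls SHA-224/384/512 (see the `-gpg-sha224/sha384/sha512` switches in the gnupg.make hunk); SHA-1 and SHA-256 appear to be always built, so a more precise prompt such as `prompt "SHA-224/384/512"` would avoid the impression that disabling it removes all SHA support. With ECDH and EdDSA defaulting to n, the default build cannot handle Curve25519/Ed25519 keys, which deserves a sentence of help under GNUPG_GPG_EDDSA and GNUPG_GPG_ECDH.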
diff --git a/rules/gnupg.make b/rules/gnupg.make
index 39f168714..78a331673 100644
--- a/rules/gnupg.make
+++ b/rules/gnupg.make
@@ -1,7 +1,8 @@
 # -*-makefile-*-
 #
 # Copyright (C) 2005 by Jiri Nesladek
-#          
+# Copyright (C) 2018 by Clemens Gruber <clemens.gru...@pqgruber.com>
+#
 # See CREDITS for details about who has contributed to this project.
 #
 # For further information about the PTXdist project and license conditions
@@ -16,8 +17,8 @@ PACKAGES-$(PTXCONF_GNUPG) += gnupg
 #
 # Paths and names
 #
-GNUPG_VERSION  := 2.0.30
-GNUPG_MD5      := 01bb47e669a78eaca90dbe6b4b4acc24
+GNUPG_VERSION  := 2.2.4
+GNUPG_MD5      := 709e5af5bba84d251c520222e720972f
 GNUPG          := gnupg-$(GNUPG_VERSION)
 GNUPG_SUFFIX   := tar.bz2
 GNUPG_URL      := ftp://ftp.gnupg.org/gcrypt/gnupg/$(GNUPG).$(GNUPG_SUFFIX)
@@ -31,27 +32,61 @@ GNUPG_LICENSE       := GPL-3.0+
 
 GNUPG_CONF_TOOL := autoconf
 GNUPG_CONF_OPT := $(CROSS_AUTOCONF_USR) \
-       $(GLOBAL_LARGE_FILE_OPTION) \
        --enable-gpg \
        --disable-gpgsm \
-       --disable-agent \
        --disable-scdaemon \
-       --disable-tools \
+       --disable-g13 \
+       --disable-dirmngr \
        --disable-doc \
+       --disable-symcryptrun \
        --disable-gpgtar \
+       --disable-wks-tools \
+       --disable-gpg-is-gpg2 \
+       --$(call ptx/endis, PTXCONF_GLOBAL_SELINUX)-selinux-support \
+       --disable-large-secmem \
+       --enable-trust-models \
+       --disable-tofu \
+       --disable-libdns \
+       --$(call ptx/endis, PTXCONF_GNUPG_GPG_RSA)-gpg-rsa \
+       --$(call ptx/endis, PTXCONF_GNUPG_GPG_ECDH)-gpg-ecdh \
+       --$(call ptx/endis, PTXCONF_GNUPG_GPG_ECDSA)-gpg-ecdsa \
+       --$(call ptx/endis, PTXCONF_GNUPG_GPG_EDDSA)-gpg-eddsa \
+       --$(call ptx/endis, PTXCONF_GNUPG_GPG_IDEA)-gpg-idea \
+       --$(call ptx/endis, PTXCONF_GNUPG_GPG_CAST5)-gpg-cast5 \
+       --$(call ptx/endis, PTXCONF_GNUPG_GPG_BLOWFISH)-gpg-blowfish \
+       --$(call ptx/endis, PTXCONF_GNUPG_GPG_AES)-gpg-aes128 \
+       --$(call ptx/endis, PTXCONF_GNUPG_GPG_AES)-gpg-aes192 \
+       --$(call ptx/endis, PTXCONF_GNUPG_GPG_AES)-gpg-aes256 \
+       --$(call ptx/endis, PTXCONF_GNUPG_GPG_TWOFISH)-gpg-twofish \
+       --$(call ptx/endis, PTXCONF_GNUPG_GPG_CAMELLIA)-gpg-camellia128 \
+       --$(call ptx/endis, PTXCONF_GNUPG_GPG_CAMELLIA)-gpg-camellia192 \
+       --$(call ptx/endis, PTXCONF_GNUPG_GPG_CAMELLIA)-gpg-camellia256 \
+       --$(call ptx/endis, PTXCONF_GNUPG_GPG_MD5)-gpg-md5 \
+       --$(call ptx/endis, PTXCONF_GNUPG_GPG_RMD160)-gpg-rmd160 \
+       --$(call ptx/endis, PTXCONF_GNUPG_GPG_SHA)-gpg-sha224 \
+       --$(call ptx/endis, PTXCONF_GNUPG_GPG_SHA)-gpg-sha384 \
+       --$(call ptx/endis, PTXCONF_GNUPG_GPG_SHA)-gpg-sha512 \
+       --disable-zip \
+       --disable-bzip2 \
        --disable-exec \
        --disable-photo-viewers \
-       --disable-keyserver-helpers \
+       --disable-card-support \
+       --disable-ccid-driver \
+       --disable-dirmngr-auto-start \
+       $(GLOBAL_LARGE_FILE_OPTION) \
+       --disable-sqlite \
+       --disable-ntbtls \
+       --disable-gnutls \
        --disable-ldap \
-       --disable-hkp \
-       --disable-finger \
-       --disable-keyserver-path \
-       --disable-standard-socket \
-       --disable-dns-srv \
-       --disable-nls \
        --disable-rpath \
+       --disable-nls \
+       --enable-endian-check \
        --disable-regex \
-       --disable-bzip2
+       --enable-optimization \
+       --disable-werror \
+       --disable-all-tests \
+       --disable-run-gnupg-user-socket \
+       
--enable-build-timestamp="$(PTXDIST_VERSION_YEAR)-$(PTXDIST_VERSION_MONTH)-01T00:00+0000"
 
 ifndef PTXCONF_ICONV
 GNUPG_CONF_OPT += --without-libiconv-prefix
@@ -71,11 +106,12 @@ $(STATEDIR)/gnupg.targetinstall:
        @$(call install_fixup, gnupg,DESCRIPTION,missing)
 
 ifdef PTXCONF_GNUPG_GPG
-       @$(call install_copy, gnupg, 0, 0, 0755, -, /usr/bin/gpg2)
-       @$(call install_link, gnupg, gpg2, /usr/bin/gpg)
+       @$(call install_copy, gnupg, 0, 0, 0755, -, /usr/bin/gpg)
+       @$(call install_link, gnupg, gpg, /usr/bin/gpg2)
 endif
 ifdef PTXCONF_GNUPG_GPGV
-       @$(call install_copy, gnupg, 0, 0, 0755, -, /usr/bin/gpgv2)
+       @$(call install_copy, gnupg, 0, 0, 0755, -, /usr/bin/gpgv)
+       @$(call install_link, gnupg, gpgv, /usr/bin/gpgv2)
 endif
 
        @$(call install_finish, gnupg)
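Review bot: gpg-agent is now built (the `--disable-agent` switch was dropped from GNUPG_CONF_OPT in the previous hunk and NPTH is selected for it in gnupg.in) but `$(STATEDIR)/gnupg.targetinstall` still installs only gpg and gpgv. In GnuPG 2.1 and later every secret-key operation in gpg (signing, decryption, key generation) is delegated to gpg-agent, which gpg auto-starts from its bindir, so a target without `/usr/bin/gpg-agent` can verify signatures and encrypt to public keys but fails on anything involving a private key. If that verification-only scope is intended it should be stated in the GNUPG_GPG help; otherwise add `@$(call install_copy, gnupg, 0, 0, 0755, -, /usr/bin/gpg-agent)` inside the `ifdef PTXCONF_GNUPG_GPG` block (or behind its own config option). The targetinstall rule begins before this hunk.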
-- 
2.15.1

