From 9f54a26a6e2f18d80034e59095404013bacff2d9 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jul 11 2018 19:50:31 +0000 Subject: import gnupg2-2.0.22-5.el7_5 --- diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..72bdca2 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/gnupg-2.0.22.tar.bz2 diff --git a/.gnupg2.metadata b/.gnupg2.metadata new file mode 100644 index 0000000..24b6425 --- /dev/null +++ b/.gnupg2.metadata @@ -0,0 +1 @@ +9ba9ee288e9bf813e0f1e25cbe06b58d3072d8b8 SOURCES/gnupg-2.0.22.tar.bz2 diff --git a/README.md b/README.md deleted file mode 100644 index 0e7897f..0000000 --- a/README.md +++ /dev/null @@ -1,5 +0,0 @@ -The master branch has no content - -Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6 - -If you find this file in a distro specific branch, it means that no content has been checked in yet diff --git a/SOURCES/gnupg-2.0.18-protect-tool-env.patch b/SOURCES/gnupg-2.0.18-protect-tool-env.patch new file mode 100644 index 0000000..e0c6c48 --- /dev/null +++ b/SOURCES/gnupg-2.0.18-protect-tool-env.patch @@ -0,0 +1,28 @@ +diff -u -r gnupg-2.0.18.orig/agent/protect-tool.c gnupg-2.0.18/agent/protect-tool.c +--- gnupg-2.0.18.orig/agent/protect-tool.c 2011-07-22 14:00:44.000000000 +0200 ++++ gnupg-2.0.18/agent/protect-tool.c 2012-04-10 22:42:17.397613438 +0200 +@@ -102,6 +102,7 @@ + static int opt_status_msg; + static const char *opt_p12_charset; + static const char *opt_agent_program; ++static session_env_t opt_session_env; + + static char *get_passphrase (int promptno); + static void release_passphrase (char *pw); +@@ -1040,6 +1041,7 @@ + + opt_homedir = default_homedir (); + ++ opt_session_env = session_env_new (); + + pargs.argc = &argc; + pargs.argv = &argv; +@@ -1091,7 +1093,7 @@ + opt.verbose, + opt_homedir, + opt_agent_program, +- NULL, NULL, NULL); ++ NULL, NULL, opt_session_env); + + if (opt_prompt) + opt_prompt = percent_plus_unescape (opt_prompt, 0); diff --git a/SOURCES/gnupg-2.0.20-insttools.patch b/SOURCES/gnupg-2.0.20-insttools.patch new file mode 100644 index 0000000..80b796d --- /dev/null +++ b/SOURCES/gnupg-2.0.20-insttools.patch @@ -0,0 +1,60 @@ +diff -up gnupg-2.0.20/tools/Makefile.am.insttools gnupg-2.0.20/tools/Makefile.am +--- gnupg-2.0.20/tools/Makefile.am.insttools 2013-05-10 14:55:49.000000000 +0200 ++++ gnupg-2.0.20/tools/Makefile.am 2013-05-28 11:30:22.711552140 +0200 +@@ -36,8 +36,8 @@ sbin_SCRIPTS = addgnupghome applygnupgde + + bin_SCRIPTS = gpgsm-gencert.sh + if HAVE_USTAR +-# bin_SCRIPTS += gpg-zip +-noinst_SCRIPTS = gpg-zip ++bin_SCRIPTS += gpg-zip ++#noinst_SCRIPTS = gpg-zip + endif + + if BUILD_SYMCRYPTRUN +@@ -53,7 +53,7 @@ else + endif + + +-bin_PROGRAMS = gpgconf gpg-connect-agent gpgkey2ssh ${symcryptrun} ${gpgtar} ++bin_PROGRAMS = gpgconf gpg-connect-agent ${symcryptrun} ${gpgtar} gpgsplit + if !HAVE_W32_SYSTEM + bin_PROGRAMS += watchgnupg gpgparsemail + endif +@@ -62,7 +62,7 @@ if !DISABLE_REGEX + libexec_PROGRAMS = gpg-check-pattern + endif + +-noinst_PROGRAMS = clean-sat mk-tdata make-dns-cert gpgsplit ++noinst_PROGRAMS = clean-sat mk-tdata make-dns-cert gpgkey2ssh + + common_libs = $(libcommon) ../jnlib/libjnlib.a ../gl/libgnu.a + pwquery_libs = ../common/libsimple-pwquery.a +diff -up gnupg-2.0.20/tools/Makefile.in.insttools gnupg-2.0.20/tools/Makefile.in +--- gnupg-2.0.20/tools/Makefile.in.insttools 2013-05-10 15:56:30.000000000 +0200 ++++ gnupg-2.0.20/tools/Makefile.in 2013-05-28 11:29:48.556819325 +0200 +@@ -107,12 +107,12 @@ DIST_COMMON = $(srcdir)/Makefile.am $(sr + @GNUPG_PROTECT_TOOL_PGM_TRUE@am__append_6 = -DGNUPG_DEFAULT_PROTECT_TOOL="\"@GNUPG_PROTECT_TOOL_PGM@\"" + @HAVE_W32_SYSTEM_TRUE@am__append_7 = gpg-connect-agent-w32info.o + bin_PROGRAMS = gpgconf$(EXEEXT) gpg-connect-agent$(EXEEXT) \ +- gpgkey2ssh$(EXEEXT) $(am__EXEEXT_1) $(am__EXEEXT_2) \ +- $(am__EXEEXT_3) ++ $(am__EXEEXT_1) $(am__EXEEXT_2) \ ++ $(am__EXEEXT_3) gpgsplit$(EXEEXT) + @HAVE_W32_SYSTEM_FALSE@am__append_8 = watchgnupg gpgparsemail + @DISABLE_REGEX_FALSE@libexec_PROGRAMS = gpg-check-pattern$(EXEEXT) + noinst_PROGRAMS = clean-sat$(EXEEXT) mk-tdata$(EXEEXT) \ +- make-dns-cert$(EXEEXT) gpgsplit$(EXEEXT) ++ make-dns-cert$(EXEEXT) gpgkey2ssh$(EXEEXT) + subdir = tools + ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 + am__aclocal_m4_deps = $(top_srcdir)/gl/m4/absolute-header.m4 \ +@@ -488,7 +488,7 @@ AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ER + sbin_SCRIPTS = addgnupghome applygnupgdefaults + bin_SCRIPTS = gpgsm-gencert.sh + # bin_SCRIPTS += gpg-zip +-@HAVE_USTAR_TRUE@noinst_SCRIPTS = gpg-zip ++@HAVE_USTAR_TRUE@bin_SCRIPTS += gpg-zip + @BUILD_SYMCRYPTRUN_FALSE@symcryptrun = + @BUILD_SYMCRYPTRUN_TRUE@symcryptrun = symcryptrun + @BUILD_GPGTAR_FALSE@gpgtar = diff --git a/SOURCES/gnupg-2.0.20-ocsp-keyusage.patch b/SOURCES/gnupg-2.0.20-ocsp-keyusage.patch new file mode 100644 index 0000000..ad80887 --- /dev/null +++ b/SOURCES/gnupg-2.0.20-ocsp-keyusage.patch @@ -0,0 +1,17 @@ +diff -up gnupg-2.0.20/sm/certlist.c.keyusage gnupg-2.0.20/sm/certlist.c +--- gnupg-2.0.20/sm/certlist.c.keyusage 2013-05-10 14:55:49.000000000 +0200 ++++ gnupg-2.0.20/sm/certlist.c 2013-05-15 14:15:57.420276618 +0200 +@@ -146,10 +146,9 @@ cert_usage_p (ksba_cert_t cert, int mode + + if (mode == 5) + { +- if (use != ~0 +- && (have_ocsp_signing +- || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN +- |KSBA_KEYUSAGE_CRL_SIGN)))) ++ if (have_ocsp_signing ++ || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN ++ |KSBA_KEYUSAGE_CRL_SIGN))) + return 0; + log_info (_("certificate should not have " + "been used for OCSP response signing\n")); diff --git a/SOURCES/gnupg-2.0.20-secmem.patch b/SOURCES/gnupg-2.0.20-secmem.patch new file mode 100644 index 0000000..9b115d6 --- /dev/null +++ b/SOURCES/gnupg-2.0.20-secmem.patch @@ -0,0 +1,33 @@ +diff -up gnupg-2.0.20/g10/gpg.c.secmem gnupg-2.0.20/g10/gpg.c +--- gnupg-2.0.20/g10/gpg.c.secmem 2013-05-10 14:55:46.000000000 +0200 ++++ gnupg-2.0.20/g10/gpg.c 2013-05-15 14:13:50.989541530 +0200 +@@ -794,7 +794,7 @@ make_libversion (const char *libname, co + + if (maybe_setuid) + { +- gcry_control (GCRYCTL_INIT_SECMEM, 0, 0); /* Drop setuid. */ ++ gcry_control (GCRYCTL_INIT_SECMEM, 4096, 0); /* Drop setuid. */ + maybe_setuid = 0; + } + s = getfnc (NULL); +@@ -898,7 +898,7 @@ build_list (const char *text, char lette + char *string; + + if (maybe_setuid) +- gcry_control (GCRYCTL_INIT_SECMEM, 0, 0); /* Drop setuid. */ ++ gcry_control (GCRYCTL_INIT_SECMEM, 4096, 0); /* Drop setuid. */ + + indent = utf8_charcount (text); + len = 0; +diff -up gnupg-2.0.20/sm/gpgsm.c.secmem gnupg-2.0.20/sm/gpgsm.c +--- gnupg-2.0.20/sm/gpgsm.c.secmem 2013-05-10 14:55:49.000000000 +0200 ++++ gnupg-2.0.20/sm/gpgsm.c 2013-05-15 14:11:18.819249598 +0200 +@@ -493,7 +493,7 @@ make_libversion (const char *libname, co + + if (maybe_setuid) + { +- gcry_control (GCRYCTL_INIT_SECMEM, 0, 0); /* Drop setuid. */ ++ gcry_control (GCRYCTL_INIT_SECMEM, 4096, 0); /* Drop setuid. */ + maybe_setuid = 0; + } + s = getfnc (NULL); diff --git a/SOURCES/gnupg-2.0.22-cve-2018-12020.patch b/SOURCES/gnupg-2.0.22-cve-2018-12020.patch new file mode 100644 index 0000000..7ea32a2 --- /dev/null +++ b/SOURCES/gnupg-2.0.22-cve-2018-12020.patch @@ -0,0 +1,16 @@ +diff -up gnupg-2.0.22/g10/mainproc.c.sanitize-filename gnupg-2.0.22/g10/mainproc.c +--- gnupg-2.0.22/g10/mainproc.c.sanitize-filename 2016-03-24 12:57:29.280170800 +0100 ++++ gnupg-2.0.22/g10/mainproc.c 2018-06-21 13:42:53.448177540 +0200 +@@ -631,7 +631,11 @@ proc_plaintext( CTX c, PACKET *pkt ) + if( pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8 ) ) + log_info(_("NOTE: sender requested \"for-your-eyes-only\"\n")); + else if( opt.verbose ) +- log_info(_("original file name='%.*s'\n"), pt->namelen, pt->name); ++ { ++ char *tmp = make_printable_string (pt->name, pt->namelen, 0); ++ log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp); ++ xfree (tmp); ++ } + free_md_filter_context( &c->mfx ); + if (gcry_md_open (&c->mfx.md, 0, 0)) + BUG (); diff --git a/SOURCES/gnupg-2.0.22-fips-algo.patch b/SOURCES/gnupg-2.0.22-fips-algo.patch new file mode 100644 index 0000000..450d92b --- /dev/null +++ b/SOURCES/gnupg-2.0.22-fips-algo.patch @@ -0,0 +1,78 @@ +diff -up gnupg-2.0.22/g10/encode.c.fips gnupg-2.0.22/g10/encode.c +--- gnupg-2.0.22/g10/encode.c.fips 2013-10-04 14:32:53.000000000 +0200 ++++ gnupg-2.0.22/g10/encode.c 2013-10-11 10:35:29.779420279 +0200 +@@ -732,7 +732,7 @@ encrypt_filter( void *opaque, int contro + if( efx->cfx.dek->algo == -1 ) { + /* because 3DES is implicitly in the prefs, this can only + * happen if we do not have any public keys in the list */ +- efx->cfx.dek->algo = DEFAULT_CIPHER_ALGO; ++ efx->cfx.dek->algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : DEFAULT_CIPHER_ALGO; + } + + /* In case 3DES has been selected, print a warning if +diff -up gnupg-2.0.22/g10/gpg.c.fips gnupg-2.0.22/g10/gpg.c +--- gnupg-2.0.22/g10/gpg.c.fips 2013-10-11 10:35:29.775420188 +0200 ++++ gnupg-2.0.22/g10/gpg.c 2013-10-11 10:35:29.780420301 +0200 +@@ -1973,7 +1973,7 @@ main (int argc, char **argv) + opt.compress_algo = -1; /* defaults to DEFAULT_COMPRESS_ALGO */ + opt.s2k_mode = 3; /* iterated+salted */ + opt.s2k_count = 0; /* Auto-calibrate when needed. */ +- opt.s2k_cipher_algo = CIPHER_ALGO_CAST5; ++ opt.s2k_cipher_algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : CIPHER_ALGO_CAST5; + opt.completes_needed = 1; + opt.marginals_needed = 3; + opt.max_cert_depth = 5; +diff -up gnupg-2.0.22/g10/mainproc.c.fips gnupg-2.0.22/g10/mainproc.c +--- gnupg-2.0.22/g10/mainproc.c.fips 2013-10-04 15:00:22.000000000 +0200 ++++ gnupg-2.0.22/g10/mainproc.c 2016-03-24 12:52:24.463174830 +0100 +@@ -696,9 +696,11 @@ proc_plaintext( CTX c, PACKET *pkt ) + often. There is no good way to specify what algorithms to + use in that case, so these three are the historical + answer. */ +- gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 ); ++ if( !gcry_fips_mode_active() ) ++ gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 ); + gcry_md_enable( c->mfx.md, DIGEST_ALGO_SHA1 ); +- gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 ); ++ if( !gcry_fips_mode_active() ) ++ gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 ); + } + if( opt.pgp2_workarounds && only_md5 && !opt.skip_verify ) { + /* This is a kludge to work around a bug in pgp2. It does only +@@ -2160,24 +2162,30 @@ proc_tree( CTX c, KBNODE node ) + else if( !c->any.data ) { + /* detached signature */ + free_md_filter_context( &c->mfx ); +- if (gcry_md_open (&c->mfx.md, sig->digest_algo, 0)) +- BUG (); ++ if (gcry_md_open (&c->mfx.md, sig->digest_algo, 0)) { ++ log_error("Digest algorithm not available probably due to FIPS mode.\n"); ++ return; ++ } + + if( !opt.pgp2_workarounds ) + ; + else if( sig->digest_algo == DIGEST_ALGO_MD5 + && is_RSA( sig->pubkey_algo ) ) { + /* enable a workaround for a pgp2 bug */ +- if (gcry_md_open (&c->mfx.md2, DIGEST_ALGO_MD5, 0)) +- BUG (); ++ if (gcry_md_open (&c->mfx.md2, DIGEST_ALGO_MD5, 0)) { ++ log_error("Digest algorithm not available probably due to FIPS mode.\n"); ++ return; ++ } + } + else if( sig->digest_algo == DIGEST_ALGO_SHA1 + && sig->pubkey_algo == PUBKEY_ALGO_DSA + && sig->sig_class == 0x01 ) { + /* enable the workaround also for pgp5 when the detached + * signature has been created in textmode */ +- if (gcry_md_open (&c->mfx.md2, sig->digest_algo, 0 )) +- BUG (); ++ if (gcry_md_open (&c->mfx.md2, sig->digest_algo, 0 )) { ++ log_error("Digest algorithm not available.\n"); ++ return; ++ } + } + #if 0 /* workaround disabled */ + /* Here we have another hack to work around a pgp 2 bug diff --git a/SOURCES/gnupg-2.0.22-rsa-es.patch b/SOURCES/gnupg-2.0.22-rsa-es.patch new file mode 100644 index 0000000..73c7f0b --- /dev/null +++ b/SOURCES/gnupg-2.0.22-rsa-es.patch @@ -0,0 +1,21 @@ +diff -up gnupg-2.0.22/g10/misc.c.bz1233182 gnupg-2.0.22/g10/misc.c +--- gnupg-2.0.22/g10/misc.c.bz1233182 2015-06-17 13:15:32.930000000 +0200 ++++ gnupg-2.0.22/g10/misc.c 2015-06-19 13:56:28.246000000 +0200 +@@ -421,6 +421,8 @@ openpgp_cipher_algo_name (int algo) + int + map_pk_openpgp_to_gcry (int algo) + { ++ if (is_RSA (algo)) ++ return (GCRY_PK_RSA); + switch (algo) + { + case PUBKEY_ALGO_ECDSA: return 301 /*GCRY_PK_ECDSA*/; +@@ -1417,7 +1419,7 @@ pubkey_nbits( int algo, gcry_mpi_t *key + "(public-key(elg(p%m)(g%m)(y%m)))", + key[0], key[1], key[2] ); + } +- else if( algo == GCRY_PK_RSA ) { ++ else if( is_RSA (algo) ) { + rc = gcry_sexp_build ( &sexp, NULL, + "(public-key(rsa(n%m)(e%m)))", + key[0], key[1] ); diff --git a/SOURCES/gnupg-2.0.22.tar.bz2.sig b/SOURCES/gnupg-2.0.22.tar.bz2.sig new file mode 100644 index 0000000..23b7bdd Binary files /dev/null and b/SOURCES/gnupg-2.0.22.tar.bz2.sig differ diff --git a/SPECS/gnupg2.spec b/SPECS/gnupg2.spec new file mode 100644 index 0000000..38cdc42 --- /dev/null +++ b/SPECS/gnupg2.spec @@ -0,0 +1,572 @@ +Summary: Utility for secure communication and data storage +Name: gnupg2 +Version: 2.0.22 +Release: 5%{?dist} + +License: GPLv3+ +Group: Applications/System +Source0: ftp://ftp.gnupg.org/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2 +Source1: ftp://ftp.gnupg.org/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2.sig +# svn export svn://cvs.gnupg.org/gnupg/trunk gnupg2; tar cjf gnupg-svn.tar.bz2 gnupg2 +#Source0: gnupg2-20090809svn.tar.bz2 +Patch1: gnupg-2.0.20-insttools.patch +Patch3: gnupg-2.0.20-secmem.patch +Patch4: gnupg-2.0.18-protect-tool-env.patch +Patch5: gnupg-2.0.20-ocsp-keyusage.patch +Patch6: gnupg-2.0.22-fips-algo.patch +Patch7: gnupg-2.0.22-rsa-es.patch +Patch8: gnupg-2.0.22-cve-2018-12020.patch + +URL: http://www.gnupg.org/ + +#BuildRequires: automake libtool texinfo transfig +BuildRequires: bzip2-devel +BuildRequires: curl-devel +BuildRequires: docbook-utils +BuildRequires: gettext +BuildRequires: libassuan-devel >= 2.0.0 +BuildRequires: libgcrypt-devel >= 1.4 +BuildRequires: libgpg-error-devel => 1.4 +BuildRequires: libksba-devel >= 1.0.2 +BuildRequires: openldap-devel +BuildRequires: libusb-devel +BuildRequires: pcsc-lite-libs +BuildRequires: pth-devel +BuildRequires: readline-devel ncurses-devel +BuildRequires: zlib-devel + +Requires(post): /sbin/install-info +Requires(postun): /sbin/install-info +Requires: pinentry + +%if 0%{?rhel} > 5 +# pgp-tools, perl-GnuPG-Interface requires 'gpg' (not sure why) -- Rex +Provides: gpg = %{version}-%{release} +# Obsolete GnuPG-1 package +Provides: gnupg = %{version}-%{release} +Obsoletes: gnupg <= 1.4.10 +%endif + +%package smime +Summary: CMS encryption and signing tool and smart card support for GnuPG +Requires: gnupg2 = %{version}-%{release} +Group: Applications/Internet + + +%description +GnuPG is GNU's tool for secure communication and data storage. It can +be used to encrypt data and to create digital signatures. It includes +an advanced key management facility and is compliant with the proposed +OpenPGP Internet standard as described in RFC2440 and the S/MIME +standard as described by several RFCs. + +GnuPG 2.0 is a newer version of GnuPG with additional support for +S/MIME. It has a different design philosophy that splits +functionality up into several modules. The S/MIME and smartcard functionality +is provided by the gnupg2-smime package. + +%description smime +GnuPG is GNU's tool for secure communication and data storage. This +package adds support for smart cards and S/MIME encryption and signing +to the base GnuPG package + +%prep +%setup -q -n gnupg-%{version} + +%if 0%{?rhel} > 5 +%patch1 -p1 -b .insttools +%endif +%patch3 -p1 -b .secmem +%patch4 -p1 -b .ptool-env +%patch5 -p1 -b .keyusage +%patch6 -p1 -b .fips +%patch7 -p1 -b .rsa-es +%patch8 -p1 -b .sanitize-filename + +# pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper) +# Note: this is just the name of the default shared lib to load in scdaemon, +# it can use other implementations too (including non-pcsc ones). +%global pcsclib %(basename $(ls -1 %{_libdir}/libpcsclite.so.? 2>/dev/null ) 2>/dev/null ) + +sed -i -e 's/"libpcsclite\.so"/"%{pcsclib}"/' scd/{scdaemon,pcsc-wrapper}.c + + +%build + +%configure \ + --disable-rpath \ + --enable-standard-socket + +# need scratch gpg database for tests +mkdir -p $HOME/.gnupg + +make %{?_smp_mflags} + + +%install +make install DESTDIR=%{buildroot} \ + INSTALL="install -p" \ + docdir=%{_docdir}/%{name}-%{version} + +%if ! (0%{?rhel} > 5) +# drop file conflicting with gnupg-1.x +rm -f %{buildroot}%{_mandir}/man1/gpg-zip.1* +%endif + +%find_lang %{name} + +# gpgconf.conf +mkdir -p %{buildroot}%{_sysconfdir}/gnupg +touch %{buildroot}%{_sysconfdir}/gnupg/gpgconf.conf + +# more docs +install -m644 -p AUTHORS COPYING ChangeLog NEWS THANKS TODO \ + %{buildroot}%{_docdir}/%{name}-%{version}/ + +%if 0%{?rhel} > 5 +# compat symlinks +ln -sf gpg2 %{buildroot}%{_bindir}/gpg +ln -sf gpgv2 %{buildroot}%{_bindir}/gpgv +ln -sf gpg2.1 %{buildroot}%{_mandir}/man1/gpg.1 +ln -sf gpgv2.1 %{buildroot}%{_mandir}/man1/gpgv.1 +%endif + +# info dir +rm -f %{buildroot}%{_infodir}/dir + + +%check +# need scratch gpg database for tests +mkdir -p $HOME/.gnupg +# we skip the test on ppc as it hangs and we do not ship gnupg2 +# as multilib anyway +%ifnarch ppc +make -k check +%endif + +%post +/sbin/install-info %{_infodir}/gnupg.info %{_infodir}/dir ||: + +%preun +if [ $1 -eq 0 ]; then + /sbin/install-info --delete %{_infodir}/gnupg.info %{_infodir}/dir ||: +fi + + +%files -f %{name}.lang +%defattr(-,root,root,-) +#doc AUTHORS COPYING ChangeLog NEWS README THANKS TODO +%{_docdir}/%{name}-%{version}/ +%dir %{_sysconfdir}/gnupg +%ghost %config(noreplace) %{_sysconfdir}/gnupg/gpgconf.conf +## docs say to install suid root, but fedora/rh security folk say not to +#attr(4755,root,root) %{_bindir}/gpg2 +%{_bindir}/gpg2 +%{_bindir}/gpgv2 +%{_bindir}/gpg-connect-agent +%{_bindir}/gpg-agent +%{_bindir}/gpgconf +%{_bindir}/gpgparsemail +%if 0%{?rhel} > 5 +%{_bindir}/gpg +%{_bindir}/gpgv +%{_bindir}/gpgsplit +%{_bindir}/gpg-zip +%else +%{_bindir}/gpgkey2ssh +%endif +%{_bindir}/watchgnupg +%{_sbindir}/* +%{_datadir}/gnupg/ +%{_libexecdir}/* +%{_infodir}/*.info* +%{_mandir}/man?/* +%exclude %{_datadir}/gnupg/com-certs.pem +%exclude %{_mandir}/man?/gpgsm* +%exclude %{_mandir}/man?/scdaemon* +%exclude %{_libexecdir}/scdaemon + +%files smime +%defattr(-,root,root,-) +%{_bindir}/gpgsm* +%{_bindir}/kbxutil +%{_libexecdir}/scdaemon +%{_mandir}/man?/gpgsm* +%{_mandir}/man?/scdaemon* +%{_datadir}/gnupg/com-certs.pem + + +%changelog +* Thu Jun 21 2018 Tomáš Mráz - 2.0.22-5 +- fix CVE-2018-12020 - missing sanitization of original filename + +* Thu Mar 24 2016 Tomáš Mráz - 2.0.22-4 +- allow import of RSA-E and RSA-S keys (patch by Marcel Kolaja) (#1233182) +- do not abort when missing hash algorithm in FIPS mode (#1078962) + +* Fri Jan 24 2014 Daniel Mach - 2.0.22-3 +- Mass rebuild 2014-01-24 + +* Fri Dec 27 2013 Daniel Mach - 2.0.22-2 +- Mass rebuild 2013-12-27 + +* Thu Oct 10 2013 Tomáš Mráz - 2.0.22-1 +- new upstream release fixing CVE-2013-4402 and CVE-2013-4351 + +* Fri Aug 23 2013 Tomáš Mráz - 2.0.21-1 +- new upstream release + +* Wed May 15 2013 Tomas Mraz - 2.0.20-1 +- new upstream release + +* Thu Feb 14 2013 Fedora Release Engineering - 2.0.19-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Jan 2 2013 Tomas Mraz - 2.0.19-7 +- fix CVE-2012-6085 - skip invalid key packets (#891142) + +* Thu Nov 22 2012 Tomas Mraz - 2.0.19-6 +- use AES as default crypto algorithm in FIPS mode (#879047) + +* Fri Nov 16 2012 Jamie Nguyen - 2.0.19-5 +- rebuild for - 2.0.19-4 +- fix negated condition (#843842) + +* Thu Jul 26 2012 Tomas Mraz - 2.0.19-3 +- add compat symlinks and provides if built on RHEL + +* Thu Jul 19 2012 Fedora Release Engineering - 2.0.19-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Tue Apr 24 2012 Tomas Mraz - 2.0.19-1 +- new upstream release +- set environment in protect-tool (#548528) +- do not reject OCSP signing certs without keyUsage (#720174) + +* Fri Jan 13 2012 Fedora Release Engineering - 2.0.18-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Wed Oct 12 2011 Rex Dieter 2.0.18-2 +- build with --enable-standard-socket + +* Wed Aug 17 2011 Tomas Mraz - 2.0.18-1 +- new upstream release (#728481) + +* Mon Jul 25 2011 Tomas Mraz - 2.0.17-2 +- fix a bug that shows up with the new libgcrypt release (#725369) + +* Thu Jan 20 2011 Tomas Mraz - 2.0.17-1 +- new upstream release (#669611) + +* Tue Aug 17 2010 Tomas Mraz - 2.0.16-3 +- drop the provides/obsoletes for gnupg +- drop the man page file conflicting with gnupg-1.x + +* Fri Aug 13 2010 Tomas Mraz - 2.0.16-2 +- drop the compat symlinks as gnupg-1.x is revived + +* Tue Jul 27 2010 Rex Dieter - 2.0.16-1 +- gnupg-2.0.16 + +* Fri Jul 23 2010 Rex Dieter - 2.0.14-4 +- gpgsm realloc patch (#617706) + +* Fri Jun 18 2010 Tomas Mraz - 2.0.14-3 +- initialize small amount of secmem for list of algorithms in help (#598847) + (necessary in the FIPS mode of libgcrypt) + +* Tue Feb 9 2010 Tomas Mraz - 2.0.14-2 +- disable selinux support - it is too rudimentary and restrictive (#562982) + +* Mon Jan 11 2010 Tomas Mraz - 2.0.14-1 +- new upstream version +- fix a few tests so they do not need to execute gpg-agent + +* Tue Dec 8 2009 Michael Schwendt - 2.0.13-4 +- Explicitly BR libassuan-static in accordance with the Packaging + Guidelines (libassuan-devel is still static-only). + +* Fri Oct 23 2009 Tomas Mraz - 2.0.13-3 +- drop s390 specific ifnarchs as all the previously missing dependencies + are now there +- split out gpgsm into a smime subpackage to reduce main package dependencies + +* Wed Oct 21 2009 Tomas Mraz - 2.0.13-2 +- provide/obsolete gnupg-1 and add compat symlinks to be able to drop + gnupg-1 + +* Fri Sep 04 2009 Rex Dieter - 2.0.13-1 +- gnupg-2.0.13 +- Unable to use gpg-agent + input methods (#228953) + +* Fri Jul 24 2009 Fedora Release Engineering - 2.0.12-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Jun 17 2009 Rex Dieter - 2.0.12-1 +- gnupg-2.0.12 + +* Wed Mar 04 2009 Rex Dieter - 2.0.11-1 +- gnupg-2.0.11 + +* Tue Feb 24 2009 Fedora Release Engineering - 2.0.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Sat Jan 31 2009 Karsten Hopp 2.0.10-1 +- don't require pcsc-lite-libs and libusb on mainframe where + we don't have those packages as there's no hardware for that + +* Tue Jan 13 2009 Rex Dieter 2.0.10-1 +- gnupg-2.0.10 + +* Mon Aug 04 2008 Rex Dieter 2.0.9-3 +- workaround rpm quirks + +* Sat May 24 2008 Tom "spot" Callaway 2.0.9-2 +- Patch from upstream to fix curl 7.18.1+ and gcc4.3+ compile error + +* Mon May 19 2008 Tom "spot" Callaway 2.0.9-1.1 +- minor release bump for sparc rebuild + +* Wed Mar 26 2008 Rex Dieter 2.0.9-1 +- gnupg2-2.0.9 +- drop Provides: openpgp +- versioned Provides: gpg +- own %%_sysconfdir/gnupg + +* Fri Feb 08 2008 Rex Dieter 2.0.8-3 +- respin (gcc43) + +* Wed Jan 23 2008 Rex Dieter 2.0.8-2 +- avoid kde-filesystem dep (#427316) + +* Thu Dec 20 2007 Rex Dieter 2.0.8-1 +- gnupg2-2.0.8 + +* Mon Dec 17 2007 Rex Dieter 2.0.8-0.1.rc1 +- gnupg2-2.0.8rc1 + +* Tue Dec 04 2007 Rex Dieter 2.0.7-5 +- respin for openldap + +* Mon Nov 12 2007 Rex Dieter 2.0.7-4 +- Requires: kde-filesystem (#377841) + +* Wed Oct 03 2007 Rex Dieter 2.0.7-3 +- %%build: (re)add mkdir -p $HOME/.gnupg + +* Wed Oct 03 2007 Rex Dieter 2.0.7-2 +- Requires: dirmngr (#312831) + +* Mon Sep 10 2007 Rex Dieter 2.0.7-1 +- gnupg-2.0.7 + +* Fri Aug 24 2007 Rex Dieter 2.0.6-2 +- respin (libassuan) + +* Thu Aug 16 2007 Rex Dieter 2.0.6-1 +- gnupg-2.0.6 +- License: GPLv3+ + +* Thu Aug 02 2007 Rex Dieter 2.0.5-4 +- License: GPLv3 + +* Mon Jul 16 2007 Rex Dieter 2.0.5-3 +- 2.0.5 too many open files fix + +* Fri Jul 06 2007 Rex Dieter 2.0.5-2 +- gnupg-2.0.5 +- gpg-agent not restarted after kde session crash/killed (#196327) +- BR: libassuan-devel > 1.0.2, libksba-devel > 1.0.2 + +* Fri May 18 2007 Rex Dieter 2.0.4-1 +- gnupg-2.0.4 + +* Thu Mar 08 2007 Rex Dieter 2.0.3-1 +- gnupg-2.0.3 + +* Fri Feb 02 2007 Rex Dieter 2.0.2-1 +- gnupg-2.0.2 + +* Wed Dec 06 2006 Rex Dieter 2.0.1-2 +- CVE-2006-6235 (#219934) + +* Wed Nov 29 2006 Rex Dieter 2.0.1-1 +- gnupg-2.0.1 +- CVE-2006-6169 (#217950) + +* Sat Nov 25 2006 Rex Dieter 2.0.1-0.3.rc1 +- gnupg-2.0.1rc1 + +* Thu Nov 16 2006 Rex Dieter 2.0.0-4 +- update %%description +- drop dearmor patch + +* Mon Nov 13 2006 Rex Dieter 2.0.0-3 +- BR: libassuan-static >= 1.0.0 + +* Mon Nov 13 2006 Rex Dieter 2.0.0-2 +- gnupg-2.0.0 + +* Fri Nov 10 2006 Rex Dieter 1.9.95-3 +- upstream 64bit patch + +* Mon Nov 06 2006 Rex Dieter 1.9.95-2 +- fix (more) file conflicts with gnupg + +* Mon Nov 06 2006 Rex Dieter 1.9.95-1 +- 1.9.95 + +* Wed Oct 25 2006 Rex Dieter 1.9.94-1 +- 1.9.94 + +* Wed Oct 18 2006 Rex Dieter 1.9.93-1 +- 1.9.93 + +* Wed Oct 11 2006 Rex Dieter 1.9.92-2 +- fix file conflicts with gnupg + +* Wed Oct 11 2006 Rex Dieter 1.9.92-1 +- 1.9.92 + +* Tue Oct 10 2006 Rex Dieter 1.9.91-4 +- make check ||: (apparently checks return err even on success?) + +* Tue Oct 10 2006 Rex Dieter 1.9.91-3 +- --enable-selinux-support +- x86_64: --disable-optimization (to avoid gpg2 segfaults), for now + +* Thu Oct 05 2006 Rex Dieter 1.9.91-1 +- 1.9.91 + +* Wed Oct 04 2006 Rex Dieter 1.9.22-8 +- respin + +* Tue Sep 26 2006 Rex Dieter 1.9.90-1 +- 1.9.90 (doesn't build, not released) + +* Mon Sep 18 2006 Rex Dieter 1.9.23-1 +- 1.9.23 (doesn't build, not released) + +* Mon Sep 18 2006 Rex Dieter 1.9.22-7 +- gpg-agent-startup.sh: fix case where valid .gpg-agent-info exists + +* Mon Sep 18 2006 Rex Dieter 1.9.22-6 +- fix "syntax error in gpg-agent-startup.sh" (#206887) + +* Thu Sep 07 2006 Rex Dieter 1.9.22-3 +- fc6 respin (for libksba-1.0) + +* Tue Aug 29 2006 Rex Dieter 1.9.22-2 +- fc6 respin + +* Fri Jul 28 2006 Rex Dieter 1.9.22-1 +- 1.9.22 + +* Thu Jun 22 2006 Rex Dieter 1.9.21-3 +- fix "gpg-agent not restarted after kde session crash/killed (#196327) + +* Thu Jun 22 2006 Rex Dieter 1.9.21-2 +- 1.9.21 +- omit gpg2 binary to address CVS-2006-3082 (#196190) + +* Mon Mar 6 2006 Ville Skyttä > 1.9.20-3 +- Don't hardcode pcsc-lite lib name (#184123) + +* Thu Feb 16 2006 Rex Dieter 1.9.20-2 +- fc4+: use /etc/kde/(env|shutdown) for scripts (#175744) + +* Fri Feb 10 2006 Rex Dieter +- fc5: gcc/glibc respin + +* Tue Dec 20 2005 Rex Dieter 1.9.20-1 +- 1.9.20 + +* Thu Dec 01 2005 Rex Dieter 1.9.19-8 +- include gpg-agent-(startup|shutdown) scripts (#136533) +- BR: libksba-devel >= 1.9.12 +- %%check: be permissive about failures (for now) + +* Wed Nov 30 2005 Rex Dieter 1.9.19-3 +- BR: libksba-devel >= 1.9.13 + +* Tue Oct 11 2005 Rex Dieter 1.9.19-2 +- back to BR: libksba-devel = 1.9.11 + +* Tue Oct 11 2005 Rex Dieter 1.9.19-1 +- 1.9.19 + +* Fri Aug 26 2005 Rex Dieter 1.9.18-9 +- configure: NEED_KSBA_VERSION=0.9.12 -> 0.9.11 + +* Fri Aug 26 2005 Rex Dieter 1.9.18-7 +- re-enable 'make check', rebuild against (older) libksba-0.9.11 + +* Tue Aug 9 2005 Rex Dieter 1.9.18-6 +- don't 'make check' by default (regular builds pass, but FC4/5+plague fails) + +* Mon Aug 8 2005 Rex Dieter 1.9.18-5 +- 1.9.18 +- drop pth patch (--enable-gpg build fixed) +- update description (from README) + +* Fri Jul 1 2005 Ville Skyttä - 1.9.17-1 +- 1.9.17, signal info patch applied upstream (#162264). +- Patch to fix lvalue build error with gcc4 (upstream #485). +- Patch scdaemon and pcsc-wrapper to load the versioned (non-devel) + pcsc-lite lib by default. + +* Fri May 13 2005 Michael Schwendt - 1.9.16-3 +- Include upstream's patch for signal.c. + +* Tue May 10 2005 Michael Schwendt - 1.9.16-1 +- Merge changes from Rex's 1.9.16-1 (Thu Apr 21): +- opensc support unconditional +- remove hard-coded .gz from %%post/%%postun +- add %%check section +- add pth patch +- Put back patch modified from 1.9.15-4 to make tests verbose + and change signal.c to describe received signals better. + +* Sun May 8 2005 Michael Schwendt +- Drop patch0 again. + +* Sun May 8 2005 Michael Schwendt - 1.9.15-4 +- Add patch0 temporarily to get some output from failing test. + +* Sat May 7 2005 David Woodhouse 1.9.15-3 +- Rebuild. + +* Thu Apr 7 2005 Michael Schwendt +- rebuilt + +* Tue Feb 1 2005 Michael Schwendt - 0:1.9.15-1 +- Make install-info in scriptlets less noisy. + +* Tue Jan 18 2005 Rex Dieter 1.9.15-0.fdr.1 +- 1.9.15 + +* Fri Jan 07 2005 Rex Dieter 1.9.14-0.fdr.2 +- note patch/hack to build against older ( <1.0) libgpg-error-devel + +* Thu Jan 06 2005 Rex Dieter 1.9.14-0.fdr.1 +- 1.9.14 +- enable opensc support +- BR: libassuan-devel >= 0.6.9 + +* Thu Oct 21 2004 Rex Dieter 1.9.11-0.fdr.4 +- remove suid. + +* Thu Oct 21 2004 Rex Dieter 1.9.11-0.fdr.3 +- remove Provides: newpg + +* Wed Oct 20 2004 Rex Dieter 1.9.11-0.fdr.2 +- Requires: pinentry +- gpg2 suid +- update description + +* Tue Oct 19 2004 Rex Dieter 1.9.11-0.fdr.1 +- first try +- leave out opensc support (for now), enable --with-opensc +