Your message dated Sat, 15 Aug 2009 22:25:07 +0200
with message-id <1250367907.7694.10.ca...@leidi>
and subject line Bug#519333: fixed in gnupg 1.4.10~rc1-1
has caused the Debian Bug report #519333,
regarding WONTFIX/DEFERRED: gnupg: Please include support for encrypted 
keyserver queries (hkps)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
519333: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=519333
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gnupg
Version: 1.4.9-5
Severity: wishlist
Tags: patch

Hello,

There is a move towards providing keyserver queries over an encrypted
transport for the purposes of stopping the leakage of key query
information that could be used for transactional surveillance
purposes. There are keyservers now in the global pool that are setup
to provide encrypted transport, with more on their way.

The SKS keyserver develoopers are actively discussing how to add TLS
wrapped keyserver queries natively in the keyserver code[0]. Until
then people are setting up front-end SSL proxies, using things like
nginx.  In fact, along with some other folks, I am running one which
supports this in the SKS pool[1] zimmerman.mayfirst.org.
                                                                                
                                                          
The gnupg developers have introduced a patch to the upstream stable
branch of gnupg 1.4[2] which provides a simple mechanism for
performing secure hkps queries to keyservers, and according to the
original author, this will be in gpg2 in the next round of patch
integration[3]. The PGP developers are also implementing this in their
code. Also, the IETF seem to have also come to a similar position
recently[4].

It would be very much appreciated if debian adopted the attached patch
so more people could have convenient access to this feature. When
upstream's STABLE-1.4 branch is released, then it could be simply
dropped. I've built and tested this and it works flawlessly, its a
relatively small patch and upstream has already adopted it, so it
seems like a win all around.

Micah


0. thread starts at: 
http://lists.gnu.org/archive/html/sks-devel/2009-03/msg00025.html
1. https://zimmerman.mayfirst.org or if you have installed the patch: 
hkps://zimmerman.mayfirst.org
2. 
http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/branches/STABLE-BRANCH-1-4/keyserver/gpgkeys_hkp.c?root=GnuPG&rev=4924&r1=4878&r2=4924
3. http://lists.gnu.org/archive/html/sks-devel/2009-03/msg00036.html
4. http://www.imc.org/ietf-openpgp/mail-archive/msg30930.html


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-vserver-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages gnupg depends on:
ii  gpgv                   1.4.9-4           GNU privacy guard - signature veri
ii  libbz2-1.0             1.0.5-1           high-quality block-sorting file co
ii  libc6                  2.9-4             GNU C Library: Shared libraries
ii  libcurl3-gnutls        7.18.2-8          Multi-protocol file transfer libra
ii  libreadline5           5.2-4             GNU readline and history libraries
ii  libusb-0.1-4           2:0.1.12-13       userspace USB programming library
ii  zlib1g                 1:1.2.3.3.dfsg-13 compression library - runtime

Versions of packages gnupg recommends:
ii  libldap-2.4-2                 2.4.15-1   OpenLDAP libraries

Versions of packages gnupg suggests:
pn  gnupg-doc              <none>            (no description available)
ii  imagemagick            7:6.3.7.9.dfsg1-3 image manipulation programs
ii  libpcsclite1           1.5.2-1           Middleware to access a smart card 

-- no debconf information
diff --new-file -u -r gnupg-1.4.9/debian/changelog gnupg-1.4.9_hks/debian/changelog
--- gnupg-1.4.9/debian/changelog	2009-03-09 11:26:36.000000000 -0400
+++ gnupg-1.4.9_hks/debian/changelog	2009-03-09 10:48:14.000000000 -0400
@@ -1,3 +1,13 @@
+gnupg (1.4.9-5) unstable; urgency=low
+
+  * Added upstream patch r4924 and r4753 to gpgkeys_hkp.c
+    and r4743 to gpgkeys_curl.c to support SSLized HKP (hkps) requests
+  * Add a symlink to debian/gnupg.links for gpgkeys_hkps -> gpgkeys_hkp
+  * Added Build-Depends on libcurl4-gnutls-dev to get https transport
+    support for hkps queries
+
+ -- Micah Anderson <[email protected]>  Sat, 07 Mar 2009 21:46:08 -0500
+
 gnupg (1.4.9-4) unstable; urgency=low
 
   [ Daniel Leidert (dale) ]
diff --new-file -u -r gnupg-1.4.9/debian/control gnupg-1.4.9_hks/debian/control
--- gnupg-1.4.9/debian/control	2009-03-09 11:26:36.000000000 -0400
+++ gnupg-1.4.9_hks/debian/control	2009-03-09 10:47:31.000000000 -0400
@@ -8,7 +8,7 @@
 Standards-Version: 3.8.0
 Build-Depends: debhelper (>> 5), libz-dev, libldap2-dev, libbz2-dev,
  libusb-dev [!hurd-i386],
- libreadline5-dev, file, gettext, dpatch
+ libreadline5-dev, file, gettext, dpatch, libcurl4-gnutls-dev
 Homepage: http://www.gnupg.org
 Vcs-Browser: http://svn.debian.org/wsvn/pkg-gnupg/gnupg/
 Vcs-Svn: svn://svn.debian.org/svn/pkg-gnupg/gnupg/trunk/
diff --new-file -u -r gnupg-1.4.9/debian/gnupg.links gnupg-1.4.9_hks/debian/gnupg.links
--- gnupg-1.4.9/debian/gnupg.links	2009-03-09 11:26:36.000000000 -0400
+++ gnupg-1.4.9_hks/debian/gnupg.links	2009-03-09 10:47:43.000000000 -0400
@@ -1 +1,2 @@
 usr/share/doc/gnupg/changelog.g10.gz usr/share/doc/gnupg/changelog.gz
+usr/lib/gnupg/gpgkeys_hkp usr/lib/gnupg/gpgkeys_hkps
diff --new-file -u -r gnupg-1.4.9/debian/patches/00list gnupg-1.4.9_hks/debian/patches/00list
--- gnupg-1.4.9/debian/patches/00list	2009-03-09 11:26:36.000000000 -0400
+++ gnupg-1.4.9_hks/debian/patches/00list	2009-03-09 10:47:16.000000000 -0400
@@ -3,3 +3,4 @@
 25_it.po_fixes
 25_fr.po_fixes
 99_yat2m_fix_samp_handling
+99_support_hkps
diff --new-file -u -r gnupg-1.4.9/debian/patches/99_support_hkps.dpatch gnupg-1.4.9_hks/debian/patches/99_support_hkps.dpatch
--- gnupg-1.4.9/debian/patches/99_support_hkps.dpatch	1969-12-31 19:00:00.000000000 -0500
+++ gnupg-1.4.9_hks/debian/patches/99_support_hkps.dpatch	2009-03-09 10:47:01.000000000 -0400
@@ -0,0 +1,308 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_support_hkps.dpatch by Micah Anderson <Micah Anderson <[email protected]>>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Add support for hkps queries for secure keyserver queries
+## DP:
+## DP: <URL:http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/branches/STABLE-BRANCH-1-4/keyserver/gpgkeys_hkp.c?root=GnuPG&rev=4924&r1=4878&r2=4924>
+
+...@dpatch@
+diff -urNad gnupg-1.4.9~/keyserver/gpgkeys_curl.c gnupg-1.4.9/keyserver/gpgkeys_curl.c
+--- gnupg-1.4.9~/keyserver/gpgkeys_curl.c	2007-10-23 05:59:12.000000000 -0400
++++ gnupg-1.4.9/keyserver/gpgkeys_curl.c	2009-03-09 10:42:15.000000000 -0400
+@@ -1,5 +1,5 @@
+ /* gpgkeys_curl.c - fetch a key via libcurl
+- * Copyright (C) 2004, 2005, 2006, 2007 Free Software Foundation, Inc.
++ * Copyright (C) 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+  *
+  * This file is part of GnuPG.
+  *
+@@ -286,7 +286,7 @@
+ 
+   if(follow_redirects)
+     {
+-      curl_easy_setopt(curl,CURLOPT_FOLLOWLOCATION,1);
++      curl_easy_setopt(curl,CURLOPT_FOLLOWLOCATION,1L);
+       if(follow_redirects>0)
+ 	curl_easy_setopt(curl,CURLOPT_MAXREDIRS,follow_redirects);
+     }
+@@ -298,10 +298,10 @@
+     {
+       fprintf(console,"gpgkeys: curl version = %s\n",curl_version());
+       curl_easy_setopt(curl,CURLOPT_STDERR,console);
+-      curl_easy_setopt(curl,CURLOPT_VERBOSE,1);
++      curl_easy_setopt(curl,CURLOPT_VERBOSE,1L);
+     }
+ 
+-  curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,opt->flags.check_cert);
++  curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,(long)opt->flags.check_cert);
+   curl_easy_setopt(curl,CURLOPT_CAINFO,opt->ca_cert_file);
+ 
+   if(proxy)
+diff -urNad gnupg-1.4.9~/keyserver/gpgkeys_hkp.c gnupg-1.4.9/keyserver/gpgkeys_hkp.c
+--- gnupg-1.4.9~/keyserver/gpgkeys_hkp.c	2007-10-23 05:59:12.000000000 -0400
++++ gnupg-1.4.9/keyserver/gpgkeys_hkp.c	2009-03-09 10:42:15.000000000 -0400
+@@ -1,6 +1,6 @@
+ /* gpgkeys_hkp.c - talk to an HKP keyserver
+- * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006,
+- *               2007 Free Software Foundation, Inc.
++ * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008,
++ *               2009 Free Software Foundation, Inc.
+  *
+  * This file is part of GnuPG.
+  *
+@@ -54,6 +54,7 @@
+ static CURL *curl;
+ static struct ks_options *opt;
+ static char errorbuffer[CURL_ERROR_SIZE];
++static char *proto,*port;
+ 
+ static size_t
+ curl_mrindex_writer(const void *ptr,size_t size,size_t nmemb,void *stream)
+@@ -186,13 +187,10 @@
+   strcpy(key,"keytext=");
+   strcat(key,encoded_key);
+ 
+-  strcpy(request,"http://";);
++  strcpy(request,proto);
+   strcat(request,opt->host);
+   strcat(request,":");
+-  if(opt->port)
+-    strcat(request,opt->port);
+-  else
+-    strcat(request,"11371");
++  strcat(request,port);
+   strcat(request,opt->path);
+   /* request is MAX_URL+15 bytes long - MAX_URL covers the whole URL,
+      including any supplied path.  The 15 covers /pks/add. */
+@@ -202,9 +200,9 @@
+     fprintf(console,"gpgkeys: HTTP URL is `%s'\n",request);
+ 
+   curl_easy_setopt(curl,CURLOPT_URL,request);
+-  curl_easy_setopt(curl,CURLOPT_POST,1);
++  curl_easy_setopt(curl,CURLOPT_POST,1L);
+   curl_easy_setopt(curl,CURLOPT_POSTFIELDS,key);
+-  curl_easy_setopt(curl,CURLOPT_FAILONERROR,1);
++  curl_easy_setopt(curl,CURLOPT_FAILONERROR,1L);
+ 
+   res=curl_easy_perform(curl);
+   if(res!=0)
+@@ -253,13 +251,10 @@
+       return KEYSERVER_NOT_SUPPORTED;
+     }
+ 
+-  strcpy(request,"http://";);
++  strcpy(request,proto);
+   strcat(request,opt->host);
+   strcat(request,":");
+-  if(opt->port)
+-    strcat(request,opt->port);
+-  else
+-    strcat(request,"11371");
++  strcat(request,port);
+   strcat(request,opt->path);
+   /* request is MAX_URL+55 bytes long - MAX_URL covers the whole URL,
+      including any supplied path.  The 60 overcovers this /pks/... etc
+@@ -334,13 +329,10 @@
+ 
+   fprintf(output,"NAME %s BEGIN\n",getkey);
+ 
+-  strcpy(request,"http://";);
++  strcpy(request,proto);
+   strcat(request,opt->host);
+   strcat(request,":");
+-  if(opt->port)
+-    strcat(request,opt->port);
+-  else
+-    strcat(request,"11371");
++  strcat(request,port);
+   strcat(request,opt->path);
+   append_path(request,"/pks/lookup?op=get&options=mr&search=");
+   strcat(request,searchkey_encoded);
+@@ -420,13 +412,10 @@
+ 
+   fprintf(output,"SEARCH %s BEGIN\n",searchkey);
+ 
+-  strcpy(request,"http://";);
++  strcpy(request,proto);
+   strcat(request,opt->host);
+   strcat(request,":");
+-  if(opt->port)
+-    strcat(request,opt->port);
+-  else
+-    strcat(request,"11371");
++  strcat(request,port);
+   strcat(request,opt->path);
+   append_path(request,"/pks/lookup?op=index&options=mr&search=");
+ 
+@@ -631,6 +620,28 @@
+ 	}
+     }
+ 
++
++  if(!opt->scheme)
++    {
++      fprintf(console,"gpgkeys: no scheme supplied!\n");
++      ret=KEYSERVER_SCHEME_NOT_FOUND;
++      goto fail;
++    }
++
++  if(ascii_strcasecmp(opt->scheme,"hkps")==0)
++    {
++      proto="https://";;
++      port="11372";
++    }
++  else
++    {
++      proto="http://";;
++      port="11371";
++    }
++
++  if(opt->port)
++    port=opt->port;
++
+   if(!opt->host)
+     {
+       fprintf(console,"gpgkeys: no keyserver host provided\n");
+@@ -661,9 +672,12 @@
+     {
+       fprintf(console,"gpgkeys: curl version = %s\n",curl_version());
+       curl_easy_setopt(curl,CURLOPT_STDERR,console);
+-      curl_easy_setopt(curl,CURLOPT_VERBOSE,1);
++      curl_easy_setopt(curl,CURLOPT_VERBOSE,1L);
+     }
+ 
++  curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,(long)opt->flags.check_cert);
++  curl_easy_setopt(curl,CURLOPT_CAINFO,opt->ca_cert_file);
++
+   if(proxy)
+     curl_easy_setopt(curl,CURLOPT_PROXY,proxy);
+ 
+diff -urNad gnupg-1.4.9~/keyserver/gpgkeys_hkp.diff gnupg-1.4.9/keyserver/gpgkeys_hkp.diff
+--- gnupg-1.4.9~/keyserver/gpgkeys_hkp.diff	1969-12-31 19:00:00.000000000 -0500
++++ gnupg-1.4.9/keyserver/gpgkeys_hkp.diff	2009-03-09 10:42:15.000000000 -0400
+@@ -0,0 +1,124 @@
++Index: gpgkeys_hkp.c
++===================================================================
++--- gpgkeys_hkp.c	(revision 4923)
+++++ gpgkeys_hkp.c	(revision 4924)
++@@ -1,6 +1,6 @@
++ /* gpgkeys_hkp.c - talk to an HKP keyserver
++- * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007,
++- *               2008 Free Software Foundation, Inc.
+++ * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008,
+++ *               2009 Free Software Foundation, Inc.
++  *
++  * This file is part of GnuPG.
++  *
++@@ -54,6 +54,7 @@
++ static CURL *curl;
++ static struct ks_options *opt;
++ static char errorbuffer[CURL_ERROR_SIZE];
+++static char *proto,*port;
++ 
++ static size_t
++ curl_mrindex_writer(const void *ptr,size_t size,size_t nmemb,void *stream)
++@@ -186,13 +187,10 @@
++   strcpy(key,"keytext=");
++   strcat(key,encoded_key);
++ 
++-  strcpy(request,"http://";);
+++  strcpy(request,proto);
++   strcat(request,opt->host);
++   strcat(request,":");
++-  if(opt->port)
++-    strcat(request,opt->port);
++-  else
++-    strcat(request,"11371");
+++  strcat(request,port);
++   strcat(request,opt->path);
++   /* request is MAX_URL+15 bytes long - MAX_URL covers the whole URL,
++      including any supplied path.  The 15 covers /pks/add. */
++@@ -253,13 +251,10 @@
++       return KEYSERVER_NOT_SUPPORTED;
++     }
++ 
++-  strcpy(request,"http://";);
+++  strcpy(request,proto);
++   strcat(request,opt->host);
++   strcat(request,":");
++-  if(opt->port)
++-    strcat(request,opt->port);
++-  else
++-    strcat(request,"11371");
+++  strcat(request,port);
++   strcat(request,opt->path);
++   /* request is MAX_URL+55 bytes long - MAX_URL covers the whole URL,
++      including any supplied path.  The 60 overcovers this /pks/... etc
++@@ -334,13 +329,10 @@
++ 
++   fprintf(output,"NAME %s BEGIN\n",getkey);
++ 
++-  strcpy(request,"http://";);
+++  strcpy(request,proto);
++   strcat(request,opt->host);
++   strcat(request,":");
++-  if(opt->port)
++-    strcat(request,opt->port);
++-  else
++-    strcat(request,"11371");
+++  strcat(request,port);
++   strcat(request,opt->path);
++   append_path(request,"/pks/lookup?op=get&options=mr&search=");
++   strcat(request,searchkey_encoded);
++@@ -420,13 +412,10 @@
++ 
++   fprintf(output,"SEARCH %s BEGIN\n",searchkey);
++ 
++-  strcpy(request,"http://";);
+++  strcpy(request,proto);
++   strcat(request,opt->host);
++   strcat(request,":");
++-  if(opt->port)
++-    strcat(request,opt->port);
++-  else
++-    strcat(request,"11371");
+++  strcat(request,port);
++   strcat(request,opt->path);
++   append_path(request,"/pks/lookup?op=index&options=mr&search=");
++ 
++@@ -633,6 +622,28 @@
++ 	}
++     }
++ 
+++
+++  if(!opt->scheme)
+++    {
+++      fprintf(console,"gpgkeys: no scheme supplied!\n");
+++      ret=KEYSERVER_SCHEME_NOT_FOUND;
+++      goto fail;
+++    }
+++
+++  if(ascii_strcasecmp(opt->scheme,"hkps")==0)
+++    {
+++      proto="https://";;
+++      port="11372";
+++    }
+++  else
+++    {
+++      proto="http://";;
+++      port="11371";
+++    }
+++
+++  if(opt->port)
+++    port=opt->port;
+++
++   if(!opt->host)
++     {
++       fprintf(console,"gpgkeys: no keyserver host provided\n");
++@@ -666,6 +677,9 @@
++       curl_easy_setopt(curl,CURLOPT_VERBOSE,1L);
++     }
++ 
+++  curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,(long)opt->flags.check_cert);
+++  curl_easy_setopt(curl,CURLOPT_CAINFO,opt->ca_cert_file);
+++
++   if(proxy)
++     curl_easy_setopt(curl,CURLOPT_PROXY,proxy);
++ 

--- End Message ---
--- Begin Message ---
Source: gnupg
Source-Version: 1.4.10~rc1-1

The upcoming version 1.4.10 comes with support for the hkps scheme. See
http://lists.gnupg.org/pipermail/gnupg-devel/2009-August/025290.html for
a short howto. Please be aware, that the correct syntax is:

keyserver-options ca-cert-file=/home/foo/.gnupg/ca.crt

Note the `=' sign. Further the tilde sign won't work (at least it
doesn't work here).

Any feedback is appreciated (to gnupg-devel or this report). Closing
this report after upload of RC1 of 1.4.10 to experimental.

Regards, Daniel



--- End Message ---

Reply via email to