commit: 8a72f62b921efb43ace48874bbc8cfb2241648f0 Author: Sam James <sam <AT> gentoo <DOT> org> AuthorDate: Wed Feb 4 03:12:46 2026 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Wed Feb 4 03:21:13 2026 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8a72f62b
app-crypt/gnupg: backport LTO fix I sent a fix upstream for this and Werner ended up merging an identical patch as he'd missed mine. Backport that and drop filter-lto. There is an additional fix which didn't land that I'll send upstream once rebased soon but it's trivial. Bug: https://bugs.gentoo.org/854222 Bug: https://dev.gnupg.org/T4416 Signed-off-by: Sam James <sam <AT> gentoo.org> ...-stub-functions-to-avoid-LTO-linking-bugs.patch | 200 +++++++++++++++++++ ...ctions-to-avoid-LTO-linking-bugs-followup.patch | 47 +++++ app-crypt/gnupg/gnupg-2.5.17-r1.ebuild | 220 +++++++++++++++++++++ 3 files changed, 467 insertions(+) diff --git a/app-crypt/gnupg/files/0001-Fix-stub-functions-to-avoid-LTO-linking-bugs.patch b/app-crypt/gnupg/files/0001-Fix-stub-functions-to-avoid-LTO-linking-bugs.patch new file mode 100644 index 000000000000..65ff69294d40 --- /dev/null +++ b/app-crypt/gnupg/files/0001-Fix-stub-functions-to-avoid-LTO-linking-bugs.patch @@ -0,0 +1,200 @@ +https://bugs.gentoo.org/854222 + +From 81760cc931d69f37cf2a8ad54616a1af590fd2cf Mon Sep 17 00:00:00 2001 +Message-ID: <81760cc931d69f37cf2a8ad54616a1af590fd2cf.1770174575.git....@gentoo.org> +From: Werner Koch <[email protected]> +Date: Wed, 28 Jan 2026 13:45:00 +0100 +Subject: [PATCH GnuPG] Fix stub functions to avoid LTO linking bugs. + +-- +--- + g10/gpgv.c | 42 ++++++++++++++++++++++++++++-------------- + g10/test-stubs.c | 36 +++++++++++++++++++++++------------- + 2 files changed, 51 insertions(+), 27 deletions(-) + +diff --git a/g10/gpgv.c b/g10/gpgv.c +index b65dfa66b..23704e21c 100644 +--- a/g10/gpgv.c ++++ b/g10/gpgv.c +@@ -462,10 +462,13 @@ keyserver_any_configured (ctrl_t ctrl) + } + + int +-keyserver_import_keyid (u32 *keyid, void *dummy, unsigned int flags) ++keyserver_import_keyid (ctrl_t ctrl, ++ u32 *keyid,struct keyserver_spec *keyserver, ++ unsigned int flags) + { ++ (void)ctrl; + (void)keyid; +- (void)dummy; ++ (void)keyserver; + (void)flags; + return -1; + } +@@ -493,9 +496,14 @@ keyserver_import_fpr_ntds (ctrl_t ctrl, + } + + int +-keyserver_import_cert (const char *name) ++keyserver_import_cert (ctrl_t ctrl, const char *name, int dane_mode, ++ unsigned char **fpr,size_t *fpr_len) + { ++ (void)ctrl; + (void)name; ++ (void)dane_mode; ++ (void)fpr; ++ (void)fpr_len; + return -1; + } + +@@ -511,11 +519,17 @@ keyserver_import_wkd (ctrl_t ctrl, const char *name, unsigned int flags, + return GPG_ERR_BUG; + } + +-int +-keyserver_import_mbox (const char *name,struct keyserver_spec *spec) ++gpg_error_t ++keyserver_import_mbox (ctrl_t ctrl, const char *mbox, ++ unsigned char **fpr, size_t *fprlen, ++ struct keyserver_spec *keyserver, unsigned int flags) + { +- (void)name; +- (void)spec; ++ (void)ctrl; ++ (void)mbox; ++ (void)fpr; ++ (void)fprlen; ++ (void)keyserver; ++ (void)flags; + return -1; + } + +@@ -647,14 +661,11 @@ parse_preferred_keyserver(PKT_signature *sig) + return NULL; + } + +-struct keyserver_spec * +-parse_keyserver_uri (const char *uri, int require_scheme, +- const char *configname, unsigned int configlineno) ++keyserver_spec_t ++parse_keyserver_uri (const char *string, int require_scheme) + { +- (void)uri; ++ (void)string; + (void)require_scheme; +- (void)configname; +- (void)configlineno; + return NULL; + } + +@@ -666,11 +677,14 @@ free_keyserver_spec (struct keyserver_spec *keyserver) + + /* Stubs to avoid linking to photoid.c */ + void +-show_photos (const struct user_attribute *attrs, int count, PKT_public_key *pk) ++show_photos (ctrl_t ctrl, const struct user_attribute *attrs, int count, ++ PKT_public_key *pk, PKT_user_id *uid) + { ++ (void)ctrl; + (void)attrs; + (void)count; + (void)pk; ++ (void)uid; + } + + int +diff --git a/g10/test-stubs.c b/g10/test-stubs.c +index 9b41c8929..16d10972d 100644 +--- a/g10/test-stubs.c ++++ b/g10/test-stubs.c +@@ -193,10 +193,13 @@ keyserver_any_configured (ctrl_t ctrl) + } + + int +-keyserver_import_keyid (u32 *keyid, void *dummy, unsigned int flags) ++keyserver_import_keyid (ctrl_t ctrl, ++ u32 *keyid,struct keyserver_spec *keyserver, ++ unsigned int flags) + { ++ (void)ctrl; + (void)keyid; +- (void)dummy; ++ (void)keyserver; + (void)flags; + return -1; + } +@@ -224,9 +227,14 @@ keyserver_import_fpr_ntds (ctrl_t ctrl, + } + + int +-keyserver_import_cert (const char *name) ++keyserver_import_cert (ctrl_t ctrl, const char *name, int dane_mode, ++ unsigned char **fpr,size_t *fpr_len) + { ++ (void)ctrl; + (void)name; ++ (void)dane_mode; ++ (void)fpr; ++ (void)fpr_len; + return -1; + } + +@@ -242,15 +250,17 @@ keyserver_import_wkd (ctrl_t ctrl, const char *name, unsigned int flags, + return GPG_ERR_BUG; + } + +-int +-keyserver_import_mbox (ctrl_t ctrl, const char *mbox, unsigned char **fpr, +- size_t *fprlen, struct keyserver_spec *keyserver) ++gpg_error_t ++keyserver_import_mbox (ctrl_t ctrl, const char *mbox, ++ unsigned char **fpr, size_t *fprlen, ++ struct keyserver_spec *keyserver, unsigned int flags) + { + (void)ctrl; + (void)mbox; + (void)fpr; + (void)fprlen; + (void)keyserver; ++ (void)flags; + return -1; + } + +@@ -381,14 +391,11 @@ parse_preferred_keyserver(PKT_signature *sig) + return NULL; + } + +-struct keyserver_spec * +-parse_keyserver_uri (const char *uri, int require_scheme, +- const char *configname, unsigned int configlineno) ++keyserver_spec_t ++parse_keyserver_uri (const char *string, int require_scheme) + { +- (void)uri; ++ (void)string; + (void)require_scheme; +- (void)configname; +- (void)configlineno; + return NULL; + } + +@@ -400,11 +407,14 @@ free_keyserver_spec (struct keyserver_spec *keyserver) + + /* Stubs to avoid linking to photoid.c */ + void +-show_photos (const struct user_attribute *attrs, int count, PKT_public_key *pk) ++show_photos (ctrl_t ctrl, const struct user_attribute *attrs, int count, ++ PKT_public_key *pk, PKT_user_id *uid) + { ++ (void)ctrl; + (void)attrs; + (void)count; + (void)pk; ++ (void)uid; + } + + int +-- +2.53.0 + diff --git a/app-crypt/gnupg/files/0002-Fix-stub-functions-to-avoid-LTO-linking-bugs-followup.patch b/app-crypt/gnupg/files/0002-Fix-stub-functions-to-avoid-LTO-linking-bugs-followup.patch new file mode 100644 index 000000000000..751a1c9a4250 --- /dev/null +++ b/app-crypt/gnupg/files/0002-Fix-stub-functions-to-avoid-LTO-linking-bugs-followup.patch @@ -0,0 +1,47 @@ +https://bugs.gentoo.org/854222 + +From 40b28085f30f6031bd72ae24d736c9116d70f547 Mon Sep 17 00:00:00 2001 +Message-ID: <40b28085f30f6031bd72ae24d736c9116d70f547.1770174958.git....@gentoo.org> +From: Sam James <[email protected]> +Date: Sun, 4 Jan 2026 02:04:39 +0000 +Subject: [PATCH GnuPG] Fix -Wlto-type-mismatch warnings [T4416] + +* agent/t-protect.c (convert_from_openpgp_native): Sync stub definition. + +-- + +GnuPG-bug-id: 4416 + +When building with GCC -flto, some warnings appear because of +mismatched definitions in stubs (gpgv or tests). Sync them with the +real definitions to fix the warnings, as they just drifted over time. + +Followup to 81760cc931d69f37cf2a8ad54616a1af590fd2cf. + +Signed-off-by: Sam James <[email protected]> +--- + agent/t-protect.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/agent/t-protect.c b/agent/t-protect.c +index e6edbffba..9508de36a 100644 +--- a/agent/t-protect.c ++++ b/agent/t-protect.c +@@ -341,9 +341,12 @@ main (int argc, char **argv) + + /* Stub function. */ + gpg_error_t +-convert_from_openpgp_native (gcry_sexp_t s_pgp, const char *passphrase, +- unsigned char **r_key) ++convert_from_openpgp_native (ctrl_t ctrl, ++ gcry_sexp_t s_pgp, ++ const char *passphrase, ++ unsigned char **r_key) + { ++ (void)ctrl; + (void)s_pgp; + (void)passphrase; + (void)r_key; +-- +2.53.0 + diff --git a/app-crypt/gnupg/gnupg-2.5.17-r1.ebuild b/app-crypt/gnupg/gnupg-2.5.17-r1.ebuild new file mode 100644 index 000000000000..7453a3b2180e --- /dev/null +++ b/app-crypt/gnupg/gnupg-2.5.17-r1.ebuild @@ -0,0 +1,220 @@ +# Copyright 1999-2026 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +# Maintainers should: +# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/ +# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159 +# (find the one for the current release then subscribe to it + +# any subsequent ones linked within so you're covered for a while.) + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc +# in-source builds are not supported: https://dev.gnupg.org/T6313#166339 +inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig + +MY_P="${P/_/-}" + +DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation" +HOMEPAGE="https://gnupg.org/"; +SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2" +SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )" +S="${WORKDIR}/${MY_P}" + +LICENSE="GPL-3+" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris" +IUSE="+alternatives bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server" +RESTRICT="!test? ( test )" +REQUIRED_USE="test? ( tofu )" + +# Existence of executables is checked during configuration. +# Note: On each bump, update dep bounds on each version from configure.ac! +DEPEND=" + >=dev-libs/libassuan-3.0.0-r1:= + >=dev-libs/libgcrypt-1.11.0:= + >=dev-libs/libgpg-error-1.56 + >=dev-libs/libksba-1.6.3 + >=dev-libs/npth-1.2 + virtual/zlib:= + bzip2? ( app-arch/bzip2 ) + ldap? ( net-nds/openldap:= ) + readline? ( sys-libs/readline:0= ) + smartcard? ( usb? ( virtual/libusb:1 ) ) + tofu? ( >=dev-db/sqlite-3.27 ) + tpm? ( >=app-crypt/tpm2-tss-2.4.0:= ) + ssl? ( >=net-libs/gnutls-3.2:0= ) +" +RDEPEND=" + ${DEPEND} + nls? ( virtual/libintl ) + selinux? ( sec-policy/selinux-gpg ) + wks-server? ( virtual/mta ) +" +PDEPEND=" + app-crypt/pinentry + alternatives? ( + app-alternatives/gpg[-freepg(-)] + ) +" +BDEPEND=" + virtual/pkgconfig + doc? ( sys-apps/texinfo ) + nls? ( sys-devel/gettext ) + verify-sig? ( sec-keys/openpgp-keys-gnupg ) +" + +DOCS=( + ChangeLog NEWS README THANKS TODO VERSION + doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER +) + +PATCHES=( + "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch + "${FILESDIR}"/0001-Fix-stub-functions-to-avoid-LTO-linking-bugs.patch + "${FILESDIR}"/0002-Fix-stub-functions-to-avoid-LTO-linking-bugs-followup.patch +) + +src_prepare() { + default + + GNUPG_SYSTEMD_UNITS=( + dirmngr.service + dirmngr.socket + gpg-agent-browser.socket + gpg-agent-extra.socket + gpg-agent.service + gpg-agent.socket + gpg-agent-ssh.socket + ) + + cp "${GNUPG_SYSTEMD_UNITS[@]/#/${FILESDIR}/}" "${T}" || die + + # Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode, + # idea borrowed from libdbus, see + # https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6 + # + # This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl', + # which in turn requires discovery in Autoconf, something that upstream deeply resents. + sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \ + -i "${T}"/gpg-agent-ssh.socket || die + + # Since 2.5.3, --supervised is called --deprecated-supervised. See + # https://dev.gnupg.org/rGa019a0fcd8dfb9d1eae5bc991fdd54b7cf55641e + sed -i "s/--supervised/--deprecated-supervised/g" "${T}"/*.service || die +} + +my_src_configure() { + local myconf=( + $(use_enable bzip2) + $(use_enable nls) + $(use_enable smartcard scdaemon) + $(use_enable ssl gnutls) + $(use_enable test all-tests) + $(use_enable test tests) + $(use_enable tofu) + $(use_enable tofu keyboxd) + $(use_enable tofu sqlite) + $(usex tpm '--with-tss=intel' '--disable-tpm2d') + $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver') + $(use_enable wks-server wks-tools) + $(use_with ldap) + $(use_with readline) + + # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist. + # As of GnuPG 2.3, the mailprog substitution is used for the binary called + # by wks-client & wks-server; and if it's autodetected but not not exist at + # build time, then then 'gpg-wks-client --send' functionality will not + # work. This has an unwanted side-effect in stage3 builds: there was a + # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating + # the build where the install guide previously make the user chose the + # logger & mta early in the install. + --with-mailprog=/usr/libexec/sendmail + + --disable-ntbtls + --enable-gpgsm + --enable-large-secmem + + CC_FOR_BUILD="$(tc-getBUILD_CC)" + GPGRT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpgrt-config" + + $("${S}/configure" --help | grep -o -- '--without-.*-prefix') + ) + + if use prefix && use usb; then + # bug #649598 + append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0" + fi + + if [[ ${CHOST} == *-solaris* ]] ; then + # these somehow are treated as fatal, but Solaris has different + # types for getpeername with socket_t + append-flags -Wno-incompatible-pointer-types + append-flags -Wno-unused-label + fi + + # bug #663142 + if use user-socket; then + myconf+=( --enable-run-gnupg-user-socket ) + fi + + # glib fails and picks up clang's internal stdint.h causing weird errors + tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h + + econf "${myconf[@]}" +} + +my_src_compile() { + default + + use doc && emake -C doc html +} + +my_src_test() { + export TESTFLAGS="--parallel=$(makeopts_jobs)" + + default +} + +my_src_install() { + emake DESTDIR="${D}" install + + use tools && dobin tools/{gpgconf,gpgsplit,gpg-check-pattern} tools/make-dns-cert + + if use alternatives; then + # rename for app-alternatives/gpg + mv "${ED}"/usr/bin/gpg{,-reference} || die + mv "${ED}"/usr/bin/gpgv{,-reference} || die + mv "${ED}"/usr/share/man/man1/gpg{,-reference}.1 || die + mv "${ED}"/usr/share/man/man1/gpgv{,-reference}.1 || die + else + dosym gpg /usr/bin/gpg2 + dosym gpgv /usr/bin/gpgv2 + echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die + echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die + fi + + use doc && dodoc doc/gnupg.html/* +} + +my_src_install_all() { + einstalldocs + + use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot} + use doc && dodoc doc/*.png + + # Dropped upstream in https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed. + dodoc "${FILESDIR}"/README-systemd + systemd_douserunit "${GNUPG_SYSTEMD_UNITS[@]/#/${T}/}" +} + +pkg_postinst() { + # If /usr/bin/gpg and /usr/bin/gpgv do not exist, provide them. + if [[ ! -e ${EROOT}/usr/bin/gpg ]]; then + ln -sf -- gpg-reference "${EROOT}"/usr/bin/gpg || die + fi + + if [[ ! -e ${EROOT}/usr/bin/gpgv ]]; then + ln -sf -- gpgv-reference "${EROOT}"/usr/bin/gpgv || die + fi +}
