Hello community,

here is the log from the commit of package gpg2 for openSUSE:Factory checked in 
at 2019-12-07 15:17:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gpg2 (Old)
 and      /work/SRC/openSUSE:Factory/.gpg2.new.4691 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "gpg2"

Sat Dec  7 15:17:14 2019 rev:143 rq:751577 version:2.2.18

Changes:
--------
--- /work/SRC/openSUSE:Factory/gpg2/gpg2.changes        2019-10-22 
15:43:18.525570587 +0200
+++ /work/SRC/openSUSE:Factory/.gpg2.new.4691/gpg2.changes      2019-12-07 
15:20:30.887752670 +0100
@@ -1,0 +2,50 @@
+Wed Nov 27 15:42:22 UTC 2019 - Pedro Monreal Gonzalez 
<[email protected]>
+
+- Update to 2.2.18 [bsc#1157900, CVE-2019-14855]
+  * gpg: Changed the way keys are detected on a smartcards; this
+    allows the use of non-OpenPGP cards.  In the case of a not very
+    likely regression the new option --use-only-openpgp-card is
+    available.  [#4681]
+  * gpg: The commands --full-gen-key and --quick-gen-key now allow
+    direct key generation from supported cards.  [#4681]
+  * gpg: Prepare against chosen-prefix SHA-1 collisions in key
+    signatures.  This change removes all SHA-1 based key signature
+    newer than 2019-01-19 from the web-of-trust.  Note that this
+    includes all key signature created with dsa1024 keys.  The new
+    option --allow-weak-key-signatues can be used to override the new
+    and safer behaviour.  [#4755,CVE-2019-14855]
+  * gpg: Improve performance for import of large keyblocks.  [#4592]
+  * gpg: Implement a keybox compression run.  [#4644]
+  * gpg: Show warnings from dirmngr about redirect and certificate
+    problems (details require --verbose as usual).
+  * gpg: Allow to pass the empty string for the passphrase if the
+    '--passphase=' syntax is used.  [#4633]
+  * gpg: Fix printing of the KDF object attributes.
+  * gpg: Avoid surprises with --locate-external-key and certain
+    --auto-key-locate settings.  [#4662]
+  * gpg: Improve selection of best matching key.  [#4713]
+  * gpg: Delete key binding signature when deletring a subkey.
+    [#4665,#4457]
+  * gpg: Fix a potential loss of key sigantures during import with
+    self-sigs-only active.  [#4628]
+  * gpg: Silence "marked as ultimately trusted" diagnostics if
+    option --quiet is used.  [#4634]
+  * gpg: Silence some diagnostics during in key listsing even with
+    option --verbose.  [#4627]
+  * gpg, gpgsm: Change parsing of agent's pkdecrypt results.  [#4652]
+  * gpgsm: Support AES-256 keys.
+  * gpgsm: Fix a bug in triggering a keybox compression run if
+    --faked-system-time is used.
+  * dirmngr: System CA certificates are no longer used for the SKS
+    pool if GNUTLS instead of NTBTLS is used as TLS library.  [#4594]
+  * dirmngr: On Windows detect usability of IPv4 and IPv6 interfaces
+    to avoid long timeouts.  [#4165]
+  * scd: Fix BWI value for APDU level transfers to make Gemalto Ezio
+    Shield and Trustica Cryptoucan work.  [#4654,#4566]
+  * wkd: gpg-wks-client --install-key now installs the required policy
+    file.
+- Rebase patches:
+  * gnupg-2.2.8-files-are-digests.patch
+  * gnupg-add_legacy_FIPS_mode_option.patch
+
+-------------------------------------------------------------------

Old:
----
  gnupg-2.2.17.tar.bz2
  gnupg-2.2.17.tar.bz2.sig

New:
----
  gnupg-2.2.18.tar.bz2
  gnupg-2.2.18.tar.bz2.sig

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ gpg2.spec ++++++
--- /var/tmp/diff_new_pack.vrgQy1/_old  2019-12-07 15:20:31.663752563 +0100
+++ /var/tmp/diff_new_pack.vrgQy1/_new  2019-12-07 15:20:31.663752563 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package gpg2
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           gpg2
-Version:        2.2.17
+Version:        2.2.18
 Release:        0
 Summary:        File encryption, decryption, signature creation and 
verification utility
 License:        GPL-3.0-or-later

++++++ gnupg-2.2.17.tar.bz2 -> gnupg-2.2.18.tar.bz2 ++++++
/work/SRC/openSUSE:Factory/gpg2/gnupg-2.2.17.tar.bz2 
/work/SRC/openSUSE:Factory/.gpg2.new.4691/gnupg-2.2.18.tar.bz2 differ: char 11, 
line 1

++++++ gnupg-2.2.8-files-are-digests.patch ++++++
--- /var/tmp/diff_new_pack.vrgQy1/_old  2019-12-07 15:20:31.707752557 +0100
+++ /var/tmp/diff_new_pack.vrgQy1/_new  2019-12-07 15:20:31.707752557 +0100
@@ -4,11 +4,11 @@
  g10/sign.c    |   68 
++++++++++++++++++++++++++++++++++++++++++++++++++++------
  3 files changed, 67 insertions(+), 6 deletions(-)
 
-Index: gnupg-2.2.8/g10/gpg.c
+Index: gnupg-2.2.18/g10/gpg.c
 ===================================================================
---- gnupg-2.2.8.orig/g10/gpg.c 2018-06-06 11:59:06.000000000 +0200
-+++ gnupg-2.2.8/g10/gpg.c      2018-06-08 16:34:33.287514003 +0200
-@@ -376,6 +376,7 @@ enum cmd_and_opt_values
+--- gnupg-2.2.18.orig/g10/gpg.c
++++ gnupg-2.2.18/g10/gpg.c
+@@ -378,6 +378,7 @@ enum cmd_and_opt_values
      oTTYtype,
      oLCctype,
      oLCmessages,
@@ -16,7 +16,7 @@
      oXauthority,
      oGroup,
      oUnGroup,
-@@ -824,6 +825,7 @@ static ARGPARSE_OPTS opts[] = {
+@@ -830,6 +831,7 @@ static ARGPARSE_OPTS opts[] = {
    ARGPARSE_s_s (oWeakDigest, "weak-digest","@"),
    ARGPARSE_s_n (oUnwrap, "unwrap", "@"),
    ARGPARSE_s_n (oOnlySignTextIDs, "only-sign-text-ids", "@"),
@@ -24,7 +24,7 @@
  
    /* Aliases.  I constantly mistype these, and assume other people do
       as well. */
-@@ -2392,6 +2394,7 @@ main (int argc, char **argv)
+@@ -2412,6 +2414,7 @@ main (int argc, char **argv)
      opt.def_cert_expire = "0";
      gnupg_set_homedir (NULL);
      opt.passphrase_repeat = 1;
@@ -32,7 +32,7 @@
      opt.emit_version = 0;
      opt.weak_digests = NULL;
  
-@@ -2963,6 +2966,7 @@ main (int argc, char **argv)
+@@ -2988,6 +2991,7 @@ main (int argc, char **argv)
            opt.verify_options&=~VERIFY_SHOW_PHOTOS;
            break;
          case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break;
@@ -40,10 +40,10 @@
  
            case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break;
  
-Index: gnupg-2.2.8/g10/options.h
+Index: gnupg-2.2.18/g10/options.h
 ===================================================================
---- gnupg-2.2.8.orig/g10/options.h     2018-05-31 12:03:06.000000000 +0200
-+++ gnupg-2.2.8/g10/options.h  2018-06-08 16:34:33.287514003 +0200
+--- gnupg-2.2.18.orig/g10/options.h
++++ gnupg-2.2.18/g10/options.h
 @@ -210,6 +210,7 @@ struct
    int no_auto_check_trustdb;
    int preserve_permissions;
@@ -52,10 +52,10 @@
    struct groupitem *grouplist;
    int mangle_dos_filenames;
    int enable_progress_filter;
-Index: gnupg-2.2.8/g10/sign.c
+Index: gnupg-2.2.18/g10/sign.c
 ===================================================================
---- gnupg-2.2.8.orig/g10/sign.c        2017-08-28 12:22:54.000000000 +0200
-+++ gnupg-2.2.8/g10/sign.c     2018-06-08 16:34:33.287514003 +0200
+--- gnupg-2.2.18.orig/g10/sign.c
++++ gnupg-2.2.18/g10/sign.c
 @@ -43,6 +43,8 @@
  #include "../common/mbox-util.h"
  #include "../common/compliance.h"
@@ -65,7 +65,7 @@
  #ifdef HAVE_DOSISH_SYSTEM
  #define LF "\r\n"
  #else
-@@ -727,6 +729,8 @@ write_signature_packets (ctrl_t ctrl,
+@@ -749,6 +751,8 @@ write_signature_packets (ctrl_t ctrl,
        if (duration || opt.sig_policy_url
            || opt.sig_notations || opt.sig_keyserver_url)
          sig->version = 4;
@@ -74,7 +74,7 @@
        else
          sig->version = pk->version;
  
-@@ -750,8 +754,12 @@ write_signature_packets (ctrl_t ctrl,
+@@ -772,8 +776,12 @@ write_signature_packets (ctrl_t ctrl,
            mk_notation_policy_etc (sig, NULL, pk);
          }
  
@@ -85,9 +85,9 @@
 +          log_bug("files-are-digests doesn't work with v4 sigs\n");
 +      }
  
-       rc = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce);
+       rc = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce, 0);
        gcry_md_close (md);
-@@ -813,6 +821,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -835,6 +843,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
      SK_LIST sk_rover = NULL;
      int multifile = 0;
      u32 duration=0;
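Review bot: The rebased hunk carries `log_bug("files-are-digests doesn't work with v4 sigs\n");` forward unchanged in write_signature_packets, so an option conflict is still reported as an internal bug rather than a usage error. The context in the preceding hunk shows `sig->version = 4` being selected whenever `duration`, `opt.sig_policy_url`, `opt.sig_notations` or `opt.sig_keyserver_url` is set, so combining one of those with the digest-signing mode presumably ends up here. The guarding condition and the start of the function are outside the lines shown, so this needs confirming against the full patch. If it is reachable, I would replace the call with `log_error ("files-are-digests doesn't work with v4 sigs\n");` followed by `rc = gpg_error (GPG_ERR_CONFLICT);` and the normal cleanup path, or reject the combination during option parsing in gpg.c, because log_bug (as far as I know) aborts the process instead of returning an error to the caller.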
@@ -96,7 +96,7 @@
  
      pfx = new_progress_context ();
      afx = new_armor_context ();
-@@ -830,7 +840,16 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -852,7 +862,16 @@ sign_file (ctrl_t ctrl, strlist_t filena
        fname = NULL;
  
      if( fname && filenames->next && (!detached || encryptflag) )
@@ -114,7 +114,7 @@
  
      if(encryptflag==2
         && (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek)))
-@@ -851,7 +870,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -873,7 +892,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
        goto leave;
  
      /* prepare iobufs */
@@ -123,7 +123,7 @@
        inp = NULL; /* we do it later */
      else {
        inp = iobuf_open(fname);
-@@ -989,7 +1008,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -1011,7 +1030,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
      for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next)
        gcry_md_enable (mfx.md, hash_for (sk_rover->pk));
  
@@ -132,7 +132,7 @@
        iobuf_push_filter( inp, md_filter, &mfx );
  
      if( detached && !encryptflag)
-@@ -1044,6 +1063,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -1066,6 +1085,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
  
      write_status_begin_signing (mfx.md);
  
@@ -141,7 +141,7 @@
      /* Setup the inner packet. */
      if( detached ) {
        if( multifile ) {
-@@ -1084,6 +1105,45 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -1106,6 +1127,45 @@ sign_file (ctrl_t ctrl, strlist_t filena
            if( opt.verbose )
                log_printf ("\n");
        }
@@ -187,7 +187,7 @@
        else {
            /* read, so that the filter can calculate the digest */
            while( iobuf_get(inp) != -1 )
-@@ -1102,8 +1162,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -1124,8 +1184,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
  
      /* write the signatures */
      rc = write_signature_packets (ctrl, sk_list, out, mfx.md,

++++++ gnupg-add_legacy_FIPS_mode_option.patch ++++++
--- /var/tmp/diff_new_pack.vrgQy1/_old  2019-12-07 15:20:31.715752556 +0100
+++ /var/tmp/diff_new_pack.vrgQy1/_new  2019-12-07 15:20:31.715752556 +0100
@@ -3,11 +3,11 @@
  g10/gpg.c    |    9 +++++++++
  2 files changed, 27 insertions(+)
 
-Index: gnupg-2.2.7/doc/gpg.texi
+Index: gnupg-2.2.18/doc/gpg.texi
 ===================================================================
---- gnupg-2.2.7.orig/doc/gpg.texi      2018-05-04 16:14:30.949580264 +0200
-+++ gnupg-2.2.7/doc/gpg.texi   2018-05-04 16:14:34.025609243 +0200
-@@ -2097,6 +2097,24 @@ implies, this option is for experts only
+--- gnupg-2.2.18.orig/doc/gpg.texi
++++ gnupg-2.2.18/doc/gpg.texi
+@@ -2115,6 +2115,24 @@ implies, this option is for experts only
  understand the implications of what it allows you to do, leave this
  off. @option{--no-expert} disables this option.
  
@@ -32,19 +32,19 @@
  @end table
  
  
-Index: gnupg-2.2.7/g10/gpg.c
+Index: gnupg-2.2.18/g10/gpg.c
 ===================================================================
---- gnupg-2.2.7.orig/g10/gpg.c 2018-05-04 16:14:30.949580264 +0200
-+++ gnupg-2.2.7/g10/gpg.c      2018-05-04 16:15:00.441858109 +0200
+--- gnupg-2.2.18.orig/g10/gpg.c
++++ gnupg-2.2.18/g10/gpg.c
 @@ -425,6 +425,7 @@ enum cmd_and_opt_values
-     oKeyOrigin,
      oRequestOrigin,
      oNoSymkeyCache,
+     oUseOnlyOpenPGPCard,
 +    oSetLegacyFips,
  
      oNoop
    };
-@@ -872,6 +873,7 @@ static ARGPARSE_OPTS opts[] = {
+@@ -870,6 +871,7 @@ static ARGPARSE_OPTS opts[] = {
    ARGPARSE_s_n (oAllowMultipleMessages,      "allow-multiple-messages", "@"),
    ARGPARSE_s_n (oNoAllowMultipleMessages, "no-allow-multiple-messages", "@"),
    ARGPARSE_s_n (oAllowWeakDigestAlgos, "allow-weak-digest-algos", "@"),
@@ -52,8 +52,8 @@
  
    ARGPARSE_s_s (oDefaultNewKeyAlgo, "default-new-key-algo", "@"),
  
-@@ -3568,6 +3570,13 @@ main (int argc, char **argv)
-             opt.def_new_key_algo = pargs.r.ret_str;
+@@ -3600,6 +3602,13 @@ main (int argc, char **argv)
+             opt.flags.use_only_openpgp_card = 1;
              break;
  
 +        case oSetLegacyFips:


