Hello community, here is the log from the commit of package gpg2 for openSUSE:Factory checked in at 2020-01-16 18:17:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gpg2 (Old) and /work/SRC/openSUSE:Factory/.gpg2.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gpg2" Thu Jan 16 18:17:49 2020 rev:145 rq:763816 version:2.2.19 Changes: -------- --- /work/SRC/openSUSE:Factory/gpg2/gpg2.changes 2019-12-23 22:34:01.153731170 +0100 +++ /work/SRC/openSUSE:Factory/.gpg2.new.26092/gpg2.changes 2020-01-16 18:17:53.876861356 +0100 @@ -1,0 +2,9 @@ +Fri Jan 10 17:47:24 UTC 2020 - Pedro Monreal Gonzalez <[email protected]> + +- Accept key updates even without UIDs [bsc#1143158] +- Add patches: + * gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch + * gnupg-accept_subkeys_with_a_good_revocation_but_no_self-sig_during_import.patch + * gnupg-add-test-cases-for-import-without-uid.patch + +------------------------------------------------------------------- New: ---- gnupg-accept_subkeys_with_a_good_revocation_but_no_self-sig_during_import.patch gnupg-add-test-cases-for-import-without-uid.patch gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gpg2.spec ++++++ --- /var/tmp/diff_new_pack.iv2dPI/_old 2020-01-16 18:17:55.220862116 +0100 +++ /var/tmp/diff_new_pack.iv2dPI/_new 2020-01-16 18:17:55.228862121 +0100 @@ -1,7 +1,7 @@ # # spec file for package gpg2 # -# Copyright (c) 2019 SUSE LLC +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -37,6 +37,9 @@ Patch9: gnupg-detect_FIPS_mode.patch Patch11: gnupg-add_legacy_FIPS_mode_option.patch Patch12: gnupg-2.2.16-secmem.patch +Patch13: gnupg-accept_subkeys_with_a_good_revocation_but_no_self-sig_during_import.patch +Patch14: gnupg-add-test-cases-for-import-without-uid.patch +Patch15: gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch BuildRequires: expect BuildRequires: fdupes BuildRequires: libassuan-devel >= 2.5.0 @@ -88,6 +91,9 @@ %patch9 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 touch -d 2018-05-04 doc/gpg.texi # to compensate for patch11 in order to not have man pages and info files have the build date (boo#1047218) %build ++++++ gnupg-accept_subkeys_with_a_good_revocation_but_no_self-sig_during_import.patch ++++++ >From f361141a44365ff7db2d2cfbf118d5b54b52c3d5 Mon Sep 17 00:00:00 2001 From: Vincent Breitmoser <[email protected]> Date: Thu, 13 Jun 2019 21:27:43 +0200 Subject: [PATCH] gpg: accept subkeys with a good revocation but no self-sig during import * g10/import.c (chk_self_sigs): Set the NODE_GOOD_SELFSIG flag when we encounter a valid revocation signature. This allows import of subkey revocation signatures, even in the absence of a corresponding subkey binding signature. -- This fixes the remaining test in import-incomplete.scm. GnuPG-Bug-id: 4393 Signed-off-by: Daniel Kahn Gillmor <[email protected]> --- g10/import.c | 1 + 1 file changed, 1 insertion(+) diff --git a/g10/import.c b/g10/import.c index 2be214e63..ae2453803 100644 --- a/g10/import.c +++ b/g10/import.c @@ -3536,6 +3536,7 @@ chk_self_sigs (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, int *non_self) /* It's valid, so is it newer? */ if (sig->timestamp >= rsdate) { + knode->flag |= NODE_GOOD_SELFSIG; /* Subkey is valid. */ if (rsnode) { /* Delete the last revocation sig since ++++++ gnupg-add-test-cases-for-import-without-uid.patch ++++++ >From 4c40bfa90bda748e5dada0bb1cc8fae14d744f07 Mon Sep 17 00:00:00 2001 From: Vincent Breitmoser <[email protected]> Date: Thu, 13 Jun 2019 21:27:41 +0200 Subject: [PATCH] tests: add test cases for import without uid This commit adds a test case that does the following, in order: - Import of a primary key plus user id - Check that import of a subkey works, without a user id present in the imported key - Check that import of a subkey revocation works, without a user id or subkey binding signature present in the imported key - Check that import of a primary key revocation works, without a user id present in the imported key -- Note that this test currently fails. The following changesets will fix gpg so that the tests pass. GnuPG-Bug-id: 4393 Signed-Off-By: Daniel Kahn Gillmor <[email protected]> --- tests/openpgp/Makefile.am | 1 + tests/openpgp/import-incomplete.scm | 68 +++++++++++++++++++ .../import-incomplete/primary+revocation.asc | 9 +++ .../primary+subkey+sub-revocation.asc | 10 +++ .../primary+subkey+sub-sig.asc | 10 +++ .../import-incomplete/primary+uid-sig.asc | 10 +++ .../openpgp/import-incomplete/primary+uid.asc | 10 +++ 7 files changed, 118 insertions(+) create mode 100755 tests/openpgp/import-incomplete.scm create mode 100644 tests/openpgp/import-incomplete/primary+revocation.asc create mode 100644 tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc create mode 100644 tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc create mode 100644 tests/openpgp/import-incomplete/primary+uid-sig.asc create mode 100644 tests/openpgp/import-incomplete/primary+uid.asc diff --git a/tests/openpgp/Makefile.am b/tests/openpgp/Makefile.am index e5be42b41..d886bc8f7 100644 --- a/tests/openpgp/Makefile.am +++ b/tests/openpgp/Makefile.am @@ -78,6 +78,7 @@ XTESTS = \ gpgv-forged-keyring.scm \ armor.scm \ import.scm \ + import-incomplete.scm \ import-revocation-certificate.scm \ ecc.scm \ 4gb-packet.scm \ diff --git a/tests/openpgp/import-incomplete.scm b/tests/openpgp/import-incomplete.scm new file mode 100755 index 000000000..727a027c6 --- /dev/null +++ b/tests/openpgp/import-incomplete.scm @@ -0,0 +1,68 @@ +#!/usr/bin/env gpgscm + +;; Copyright (C) 2016 g10 Code GmbH +;; +;; This file is part of GnuPG. +;; +;; GnuPG is free software; you can redistribute it and/or modify +;; it under the terms of the GNU General Public License as published by +;; the Free Software Foundation; either version 3 of the License, or +;; (at your option) any later version. +;; +;; GnuPG is distributed in the hope that it will be useful, +;; but WITHOUT ANY WARRANTY; without even the implied warranty of +;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;; GNU General Public License for more details. +;; +;; You should have received a copy of the GNU General Public License +;; along with this program; if not, see <http://www.gnu.org/licenses/>. + +(load (in-srcdir "tests" "openpgp" "defs.scm")) +(setup-environment) + +(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+uid.asc"))) + +(info "Test import of new subkey, from a certificate without uid") +(define keyid "573EA710367356BB") +(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+subkey+sub-sig.asc"))) +(tr:do + (tr:pipe-do + (pipe:gpg `(--list-keys --with-colons ,keyid))) + (tr:call-with-content + (lambda (c) + ;; XXX we do not have a regexp library + (unless (any (lambda (line) + (and (string-prefix? line "sub:") + (string-contains? line "573EA710367356BB"))) + (string-split-newlines c)) + (exit 1))))) + +(info "Test import of a subkey revocation, from a certificate without uid") +(define keyid "573EA710367356BB") +(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+subkey+sub-revocation.asc"))) +(tr:do + (tr:pipe-do + (pipe:gpg `(--list-keys --with-colons ,keyid))) + (tr:call-with-content + (lambda (c) + ;; XXX we do not have a regexp library + (unless (any (lambda (line) + (and (string-prefix? line "sub:r:") + (string-contains? line "573EA710367356BB"))) + (string-split-newlines c)) + (exit 1))))) + +(info "Test import of revocation, from a certificate without uid") +(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+revocation.asc"))) +(tr:do + (tr:pipe-do + (pipe:gpg `(--list-keys --with-colons ,keyid))) + (tr:call-with-content + (lambda (c) + ;; XXX we do not have a regexp library + (unless (any (lambda (line) + (and (string-prefix? line "pub:r:") + (string-contains? line "0843DA969AA8DAFB"))) + (string-split-newlines c)) + (exit 1))))) + diff --git a/tests/openpgp/import-incomplete/primary+revocation.asc b/tests/openpgp/import-incomplete/primary+revocation.asc new file mode 100644 index 000000000..6b7b60802 --- /dev/null +++ b/tests/openpgp/import-incomplete/primary+revocation.asc @@ -0,0 +1,9 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: [E] primary key, revocation signature over primary (no user ID) + +mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ +631VAN2IeAQgFggAIBYhBLRpj5W82H/gSMzKKQhD2paaqNr7BQJc2ZQZAh0AAAoJ +EAhD2paaqNr7qAwA/2jBUpnN0BxwRO/4CrxvrLIsL+C9aSXJUOTv8XkP4lvtAQD3 +XsDFfFNgEueiTfF7HtOGt5LPmRqVvUpQSMVgJJW6CQ== +=tM90 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc b/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc new file mode 100644 index 000000000..83a51a549 --- /dev/null +++ b/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc @@ -0,0 +1,10 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: [D] primary key, subkey, subkey revocation (no user ID) + +mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ +631VAN24OARc2ZQhEgorBgEEAZdVAQUBAQdABsd5ha0AWXdXcSmfeiWIfrNcGqQK +j++lwwWDAOlkVicDAQgHiHgEKBYIACAWIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC +XNmnkAIdAgAKCRAIQ9qWmqja+ylaAQDmIKf86BJEq4OpDqU+V9D+wn2cyuxbyWVQ +3r9LiL9qNwD/QAjyrhSN8L3Mfq+wdTHo5i0yB9ZCCpHLXSbhCqfWZwQ= +=dwx2 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc b/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc new file mode 100644 index 000000000..dc47a02d8 --- /dev/null +++ b/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc @@ -0,0 +1,10 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: [B] primary key, subkey, subkey binding sig (no user ID) + +mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ +631VAN24OARc2ZQhEgorBgEEAZdVAQUBAQdABsd5ha0AWXdXcSmfeiWIfrNcGqQK +j++lwwWDAOlkVicDAQgHiHgEGBYIACAWIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC +XNmUIQIbDAAKCRAIQ9qWmqja++vFAP98G1L+1/rWTGbsnxOAV2RocBYIroAvsbkR +Ly6FdP8YNwEA7jOgT05CoKIe37MstpOz23mM80AK369Ca3JMmKKCQgg= +=xuDu +-----END PGP PUBLIC KEY BLOCK----- diff --git a/tests/openpgp/import-incomplete/primary+uid-sig.asc b/tests/openpgp/import-incomplete/primary+uid-sig.asc new file mode 100644 index 000000000..134607d0e --- /dev/null +++ b/tests/openpgp/import-incomplete/primary+uid-sig.asc @@ -0,0 +1,10 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: [C] primary key and self-sig expiring in 2024 (no user ID) + +mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ +631VAN2IlgQTFggAPgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBLRpj5W8 +2H/gSMzKKQhD2paaqNr7BQJc2ZR1BQkJZgHcAAoJEAhD2paaqNr79soA/0lWkUsu +3NLwgbni6EzJxnTzgeNMpljqNpipHAwfix9hAP93AVtFdC8g7hdUZxawobl9lnSN +9ohXOEBWvdJgVv2YAg== +=KWIK +-----END PGP PUBLIC KEY BLOCK----- diff --git a/tests/openpgp/import-incomplete/primary+uid.asc b/tests/openpgp/import-incomplete/primary+uid.asc new file mode 100644 index 000000000..055f30086 --- /dev/null +++ b/tests/openpgp/import-incomplete/primary+uid.asc @@ -0,0 +1,10 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: [A] primary key, user ID, and self-sig expiring in 2021 + +mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ +631VAN20CHRlc3Qga2V5iJYEExYIAD4WIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC +XNmUGQIbAwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAIQ9qWmqja ++0G1AQDdQiwhXxjXLMqoth+D4SigVHTJK8ORwifzsy3UE7mPGwD/aZ67XbAF/lgI +kv2O1Jo0u9BL9RNNF+L0DM7rAFbfMAs= +=1eII +-----END PGP PUBLIC KEY BLOCK----- ++++++ gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch ++++++ >From a1db83d8a3308277f01b96833c13693bd7e13ff9 Mon Sep 17 00:00:00 2001 From: Vincent Breitmoser <[email protected]> Date: Thu, 13 Jun 2019 21:27:42 +0200 Subject: [PATCH] gpg: allow import of previously known keys, even without UIDs * g10/import.c (import_one): Accept an incoming OpenPGP certificate that has no user id, as long as we already have a local variant of the cert that matches the primary key. -- This fixes two of the three broken tests in import-incomplete.scm. GnuPG-Bug-id: 4393 Signed-off-by: Daniel Kahn Gillmor <[email protected]> --- g10/import.c | 49 +++++++++++-------------------------------------- 1 file changed, 11 insertions(+), 38 deletions(-) Index: gnupg-2.2.19/g10/import.c =================================================================== --- gnupg-2.2.19.orig/g10/import.c +++ gnupg-2.2.19/g10/import.c @@ -1792,7 +1792,6 @@ import_one_real (ctrl_t ctrl, size_t an; char pkstrbuf[PUBKEY_STRING_SIZE]; int merge_keys_done = 0; - int any_filter = 0; KEYDB_HANDLE hd = NULL; if (r_valid) @@ -1829,14 +1828,6 @@ import_one_real (ctrl_t ctrl, log_printf ("\n"); } - - if (!uidnode ) - { - if (!silent) - log_error( _("key %s: no user ID\n"), keystr_from_pk(pk)); - return 0; - } - if (screener && screener (keyblock, screener_arg)) { log_error (_("key %s: %s\n"), keystr_from_pk (pk), @@ -1911,17 +1902,10 @@ import_one_real (ctrl_t ctrl, } } - if (!delete_inv_parts (ctrl, keyblock, keyid, options ) ) - { - if (!silent) - { - log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk)); - if (!opt.quiet ) - log_info(_("this may be caused by a missing self-signature\n")); - } - stats->no_user_id++; - return 0; - } + /* Delete invalid parts, and note if we have any valid ones left. + * We will later abort import if this key is new but contains + * no valid uids. */ + delete_inv_parts (ctrl, keyblock, keyid, options); /* Get rid of deleted nodes. */ commit_kbnode (&keyblock); @@ -1931,24 +1915,11 @@ import_one_real (ctrl_t ctrl, { apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid); commit_kbnode (&keyblock); - any_filter = 1; } if (import_filter.drop_sig) { apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig); commit_kbnode (&keyblock); - any_filter = 1; - } - - /* If we ran any filter we need to check that at least one user id - * is left in the keyring. Note that we do not use log_error in - * this case. */ - if (any_filter && !any_uid_left (keyblock)) - { - if (!opt.quiet ) - log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk)); - stats->no_user_id++; - return 0; } /* The keyblock is valid and ready for real import. */ @@ -2006,6 +1977,13 @@ import_one_real (ctrl_t ctrl, err = 0; stats->skipped_new_keys++; } + else if (err && !any_uid_left (keyblock)) + { + if (!silent) + log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid)); + err = 0; + stats->no_user_id++; + } else if (err) /* Insert this key. */ { /* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY. */
