From 4fe0d5ed5d29a5f0d717dec973a64682c2edae1e Mon Sep 17 00:00:00 2001 From: Doron Behar Date: Wed, 21 Dec 2022 09:22:24 +0200 Subject: libgpg-error: 1.45 -> 1.46 Changelog: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgpg-error.git;a=blob;f=NEWS;hb=refs/tags/libgpg-error-1.46 --- pkgs/development/libraries/libgpg-error/default.nix | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/libgpg-error/default.nix b/pkgs/development/libraries/libgpg-error/default.nix index 4f687d41dd6..79da233fc6f 100644 --- a/pkgs/development/libraries/libgpg-error/default.nix +++ b/pkgs/development/libraries/libgpg-error/default.nix @@ -17,17 +17,22 @@ }; in stdenv.mkDerivation (rec { pname = "libgpg-error"; - version = "1.45"; + version = "1.46"; src = fetchurl { url = "mirror://gnupg/${pname}/${pname}-${version}.tar.bz2"; - sha256 = "sha256-Vw+O5PtL/3t0lc/5IMJ1ACrqIUfpodIgwGghMmf4CiY="; + sha256 = "sha256-t+EaZCRrvl7zd0jeQ7JFq9cs/NU8muXn/FylnxyBJo0="; }; postPatch = '' sed '/BUILD_TIMESTAMP=/s/=.*/=1970-01-01T00:01+0000/' -i ./configure ''; + configureFlags = [ + # See https://dev.gnupg.org/T6257#164567 + "--enable-install-gpg-error-config" + ]; + outputs = [ "out" "dev" "info" ]; outputBin = "dev"; # deps want just the lib, most likely -- cgit 1.4.1 From 2d44dc9643c28346ea5b22561869d04a62a80be0 Mon Sep 17 00:00:00 2001 From: Doron Behar Date: Wed, 21 Dec 2022 09:42:14 +0200 Subject: libassuan: Use automatically detected libgpg-error --- pkgs/development/libraries/libassuan/default.nix | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/pkgs/development/libraries/libassuan/default.nix b/pkgs/development/libraries/libassuan/default.nix index 3a00ca498cb..97f4548cb38 100644 --- a/pkgs/development/libraries/libassuan/default.nix +++ b/pkgs/development/libraries/libassuan/default.nix @@ -13,11 +13,7 @@ stdenv.mkDerivation rec { outputBin = "dev"; # libassuan-config depsBuildBuild = [ buildPackages.stdenv.cc ]; - buildInputs = [ npth gettext ]; - - configureFlags = [ - "--with-libgpg-error-prefix=${libgpg-error.dev}" - ]; + buildInputs = [ npth gettext libgpg-error ]; doCheck = true; -- cgit 1.4.1 From d3b076da3890aa212889226519d7d19760e64690 Mon Sep 17 00:00:00 2001 From: Doron Behar Date: Wed, 21 Dec 2022 09:12:31 +0200 Subject: gnupg: 2.3.7 -> 2.4.0 --- pkgs/tools/security/gnupg/23.nix | 106 --------------------------------------- pkgs/tools/security/gnupg/24.nix | 100 ++++++++++++++++++++++++++++++++++++ pkgs/top-level/all-packages.nix | 4 +- 3 files changed, 102 insertions(+), 108 deletions(-) delete mode 100644 pkgs/tools/security/gnupg/23.nix create mode 100644 pkgs/tools/security/gnupg/24.nix diff --git a/pkgs/tools/security/gnupg/23.nix b/pkgs/tools/security/gnupg/23.nix deleted file mode 100644 index 0b7941ce46e..00000000000 --- a/pkgs/tools/security/gnupg/23.nix +++ /dev/null @@ -1,106 +0,0 @@ -{ fetchurl, fetchpatch, lib, stdenv, pkg-config, libgcrypt, libassuan, libksba -, libgpg-error, libiconv, npth, gettext, texinfo, buildPackages -, guiSupport ? stdenv.isDarwin, enableMinimal ? false -, adns, bzip2, gnutls, libusb1, openldap -, pinentry, readline, sqlite, zlib -, withPcsc ? !enableMinimal, pcsclite -, withTpm2Tss ? !stdenv.isDarwin && !enableMinimal, tpm2-tss -}: - -assert guiSupport -> enableMinimal == false; - -stdenv.mkDerivation rec { - pname = "gnupg"; - version = "2.3.7"; - - src = fetchurl { - url = "mirror://gnupg/gnupg/${pname}-${version}.tar.bz2"; - sha256 = "sha256-7hY6X7nsmf/BsY5l+u+NCGgAxXE9FaZyq1fTeZ2oNmk="; - }; - - depsBuildBuild = [ buildPackages.stdenv.cc ]; - nativeBuildInputs = [ pkg-config texinfo ]; - buildInputs = [ - libgcrypt libassuan libksba libiconv npth gettext - ] ++ lib.optionals (!enableMinimal) ([ - readline libusb1 gnutls adns openldap zlib bzip2 sqlite - ] ++ lib.optional withTpm2Tss tpm2-tss); - - patches = [ - ./fix-libusb-include-path.patch - ./tests-add-test-cases-for-import-without-uid.patch - ./allow-import-of-previously-known-keys-even-without-UI.patch - ./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch - - # Patch for DoS vuln from https://seclists.org/oss-sec/2022/q3/27 - ./v3-0001-Disallow-compressed-signatures-and-certificates.patch - - # Fix regression when using YubiKey devices as smart cards. - # See https://dev.gnupg.org/T6070 for details. - # Committed upstream, remove this patch when updating to the next release. - (fetchpatch { - url = "https://dev.gnupg.org/rGf34b9147eb3070bce80d53febaa564164cd6c977?diff=1"; - sha256 = "sha256-J/PLSz8yiEgtGv+r3BTGTHrikV70AbbHQPo9xbjaHFE="; - }) - ]; - postPatch = '' - sed -i 's,\(hkps\|https\)://keyserver.ubuntu.com,hkps://keys.openpgp.org,g' configure configure.ac doc/dirmngr.texi doc/gnupg.info-1 - '' + lib.optionalString (stdenv.isLinux && withPcsc) '' - sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c - ''; - - pinentryBinaryPath = pinentry.binaryPath or "bin/pinentry"; - configureFlags = [ - "--with-libgpg-error-prefix=${libgpg-error.dev}" - "--with-libgcrypt-prefix=${libgcrypt.dev}" - "--with-libassuan-prefix=${libassuan.dev}" - "--with-ksba-prefix=${libksba.dev}" - "--with-npth-prefix=${npth}" - ] ++ lib.optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentryBinaryPath}" - ++ lib.optional withTpm2Tss "--with-tss=intel"; - postInstall = if enableMinimal - then '' - rm -r $out/{libexec,sbin,share} - for f in $(find $out/bin -type f -not -name gpg) - do - rm $f - done - '' else '' - mkdir -p $out/lib/systemd/user - for f in doc/examples/systemd-user/*.{service,socket} ; do - substitute $f $out/lib/systemd/user/$(basename $f) \ - --replace /usr/bin $out/bin - done - - # add gpg2 symlink to make sure git does not break when signing commits - ln -s $out/bin/gpg $out/bin/gpg2 - - # Make libexec tools available in PATH - for f in $out/libexec/; do - if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi - ln -s $f $out/bin/$(basename $f) - done - ''; - - enableParallelBuilding = true; - - meta = with lib; { - homepage = "https://gnupg.org"; - description = "Modern release of the GNU Privacy Guard, a GPL OpenPGP implementation"; - license = licenses.gpl3Plus; - longDescription = '' - The GNU Privacy Guard is the GNU project's complete and free - implementation of the OpenPGP standard as defined by RFC4880. GnuPG - "modern" (2.1) is the latest development with a lot of new features. - GnuPG allows to encrypt and sign your data and communication, features a - versatile key management system as well as access modules for all kind of - public key directories. GnuPG, also known as GPG, is a command line tool - with features for easy integration with other applications. A wealth of - frontend applications and libraries are available. Version 2 of GnuPG - also provides support for S/MIME. - ''; - maintainers = with maintainers; [ fpletz vrthra ]; - platforms = platforms.all; - mainProgram = "gpg"; - }; -} diff --git a/pkgs/tools/security/gnupg/24.nix b/pkgs/tools/security/gnupg/24.nix new file mode 100644 index 00000000000..e7d1381a180 --- /dev/null +++ b/pkgs/tools/security/gnupg/24.nix @@ -0,0 +1,100 @@ +{ fetchurl, fetchpatch, lib, stdenv, pkg-config, libgcrypt, libassuan, libksba +, libgpg-error, libiconv, npth, gettext, texinfo, buildPackages +, guiSupport ? stdenv.isDarwin, enableMinimal ? false +, adns, bzip2, gnutls, libusb1, openldap +, pinentry, readline, sqlite, zlib +, withPcsc ? !enableMinimal, pcsclite +, withTpm2Tss ? !stdenv.isDarwin && !enableMinimal, tpm2-tss +}: + +assert guiSupport -> enableMinimal == false; + +stdenv.mkDerivation rec { + pname = "gnupg"; + version = "2.4.0"; + + src = fetchurl { + url = "mirror://gnupg/gnupg/${pname}-${version}.tar.bz2"; + sha256 = "sha256-HXkVjdAdmSQx3S4/rLif2slxJ/iXhOosthDGAPsMFIM="; + }; + + depsBuildBuild = [ buildPackages.stdenv.cc ]; + nativeBuildInputs = [ pkg-config texinfo ]; + buildInputs = [ + libgcrypt libassuan libksba libiconv npth gettext + ] ++ lib.optionals (!enableMinimal) ([ + readline libusb1 gnutls adns openldap zlib bzip2 sqlite + ] ++ lib.optional withTpm2Tss tpm2-tss); + + patches = [ + ./fix-libusb-include-path.patch + ./tests-add-test-cases-for-import-without-uid.patch + # TODO: Refresh patch? Doesn't apply on 2.4.0 + #./allow-import-of-previously-known-keys-even-without-UI.patch + ./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch + + # Patch for DoS vuln from https://seclists.org/oss-sec/2022/q3/27 + ./v3-0001-Disallow-compressed-signatures-and-certificates.patch + + ]; + postPatch = '' + sed -i 's,\(hkps\|https\)://keyserver.ubuntu.com,hkps://keys.openpgp.org,g' configure configure.ac doc/dirmngr.texi doc/gnupg.info-1 + '' + lib.optionalString (stdenv.isLinux && withPcsc) '' + sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c + ''; + + pinentryBinaryPath = pinentry.binaryPath or "bin/pinentry"; + configureFlags = [ + "--with-libgpg-error-prefix=${libgpg-error.dev}" + "--with-libgcrypt-prefix=${libgcrypt.dev}" + "--with-libassuan-prefix=${libassuan.dev}" + "--with-ksba-prefix=${libksba.dev}" + "--with-npth-prefix=${npth}" + ] ++ lib.optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentryBinaryPath}" + ++ lib.optional withTpm2Tss "--with-tss=intel"; + postInstall = if enableMinimal + then '' + rm -r $out/{libexec,sbin,share} + for f in $(find $out/bin -type f -not -name gpg) + do + rm $f + done + '' else '' + mkdir -p $out/lib/systemd/user + for f in doc/examples/systemd-user/*.{service,socket} ; do + substitute $f $out/lib/systemd/user/$(basename $f) \ + --replace /usr/bin $out/bin + done + + # add gpg2 symlink to make sure git does not break when signing commits + ln -s $out/bin/gpg $out/bin/gpg2 + + # Make libexec tools available in PATH + for f in $out/libexec/; do + if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi + ln -s $f $out/bin/$(basename $f) + done + ''; + + enableParallelBuilding = true; + + meta = with lib; { + homepage = "https://gnupg.org"; + description = "Modern release of the GNU Privacy Guard, a GPL OpenPGP implementation"; + license = licenses.gpl3Plus; + longDescription = '' + The GNU Privacy Guard is the GNU project's complete and free + implementation of the OpenPGP standard as defined by RFC4880. GnuPG + "modern" (2.1) is the latest development with a lot of new features. + GnuPG allows to encrypt and sign your data and communication, features a + versatile key management system as well as access modules for all kind of + public key directories. GnuPG, also known as GPG, is a command line tool + with features for easy integration with other applications. A wealth of + frontend applications and libraries are available. Version 2 of GnuPG + also provides support for S/MIME. + ''; + maintainers = with maintainers; [ fpletz vrthra ]; + platforms = platforms.all; + mainProgram = "gpg"; + }; +} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 0c6794a435d..92961bc1e1f 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -7529,11 +7529,11 @@ with pkgs; gnupg1orig = callPackage ../tools/security/gnupg/1.nix { }; gnupg1compat = callPackage ../tools/security/gnupg/1compat.nix { }; gnupg1 = gnupg1compat; # use config.packageOverrides if you prefer original gnupg1 - gnupg23 = callPackage ../tools/security/gnupg/23.nix { + gnupg24 = callPackage ../tools/security/gnupg/24.nix { guiSupport = stdenv.isDarwin; pinentry = if stdenv.isDarwin then pinentry_mac else pinentry-gtk2; }; - gnupg = gnupg23; + gnupg = gnupg24; gnupg-pkcs11-scd = callPackage ../tools/security/gnupg-pkcs11-scd { }; -- cgit 1.4.1 From 05e6f8e36f0afaa8c5f0f66eeba4b61afa324058 Mon Sep 17 00:00:00 2001 From: Doron Behar Date: Sun, 25 Dec 2022 01:30:20 +0200 Subject: systemd: use gnupg.override instead of callPackage --- pkgs/top-level/all-packages.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 92961bc1e1f..99702755762 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -26136,7 +26136,7 @@ with pkgs; # break some cyclic dependencies util-linux = util-linuxMinimal; # provide a super minimal gnupg used for systemd-machined - gnupg = callPackage ../tools/security/gnupg/23.nix { + gnupg = gnupg.override { enableMinimal = true; guiSupport = false; }; -- cgit 1.4.1