From ba3f84dbe169263bf03fba9e1b1558916eff6587 Mon Sep 17 00:00:00 2001 From: Noa Aarts Date: Wed, 30 Oct 2024 19:26:24 +0100 Subject: [PATCH 1/4] gnupg: format with nixfmt --- pkgs/tools/security/gnupg/24.nix | 151 +++++++++++++++++++++---------- 1 file changed, 101 insertions(+), 50 deletions(-) diff --git a/pkgs/tools/security/gnupg/24.nix b/pkgs/tools/security/gnupg/24.nix index b55417b60af3a..2e6f9e93eec8f 100644 --- a/pkgs/tools/security/gnupg/24.nix +++ b/pkgs/tools/security/gnupg/24.nix @@ -1,12 +1,33 @@ -{ lib, stdenv, fetchurl, buildPackages -, pkg-config, texinfo -, gettext, libassuan, libgcrypt, libgpg-error, libiconv, libksba, npth -, adns, bzip2, gnutls, libusb1, openldap, readline, sqlite, zlib -, enableMinimal ? false -, withPcsc ? !enableMinimal, pcsclite -, guiSupport ? stdenv.hostPlatform.isDarwin, pinentry -, withTpm2Tss ? !stdenv.hostPlatform.isDarwin && !enableMinimal, tpm2-tss -, nixosTests +{ + lib, + stdenv, + fetchurl, + buildPackages, + pkg-config, + texinfo, + gettext, + libassuan, + libgcrypt, + libgpg-error, + libiconv, + libksba, + npth, + adns, + bzip2, + gnutls, + libusb1, + openldap, + readline, + sqlite, + zlib, + enableMinimal ? false, + withPcsc ? !enableMinimal, + pcsclite, + guiSupport ? stdenv.hostPlatform.isDarwin, + pinentry, + withTpm2Tss ? !stdenv.hostPlatform.isDarwin && !enableMinimal, + tpm2-tss, + nixosTests, }: assert guiSupport -> !enableMinimal; 
@@ -21,12 +42,31 @@ stdenv.mkDerivation rec { }; depsBuildBuild = [ buildPackages.stdenv.cc ]; - nativeBuildInputs = [ pkg-config texinfo ]; - buildInputs = [ - gettext libassuan libgcrypt libgpg-error libiconv libksba npth - ] ++ lib.optionals (!enableMinimal) [ - adns bzip2 gnutls libusb1 openldap readline sqlite zlib - ] ++ lib.optionals withTpm2Tss [ tpm2-tss ]; + nativeBuildInputs = [ + pkg-config + texinfo + ]; + buildInputs = + [ + gettext + libassuan + libgcrypt + libgpg-error + libiconv + libksba + npth + ] + ++ lib.optionals (!enableMinimal) [ + adns + bzip2 + gnutls + libusb1 + openldap + readline + sqlite + zlib + ] + ++ lib.optionals withTpm2Tss [ tpm2-tss ]; patches = [ ./fix-libusb-include-path.patch 
@@ -38,46 +78,54 @@ stdenv.mkDerivation rec { ./v3-0001-Disallow-compressed-signatures-and-certificates.patch ]; - postPatch = '' - sed -i 's,\(hkps\|https\)://keyserver.ubuntu.com,hkps://keys.openpgp.org,g' configure configure.ac doc/dirmngr.texi doc/gnupg.info-1 - '' + lib.optionalString (stdenv.hostPlatform.isLinux && withPcsc) '' + postPatch = + '' + sed -i 's,\(hkps\|https\)://keyserver.ubuntu.com,hkps://keys.openpgp.org,g' configure configure.ac doc/dirmngr.texi doc/gnupg.info-1 + '' + + lib.optionalString (stdenv.hostPlatform.isLinux && withPcsc) '' sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c ''; - configureFlags = [ - "--sysconfdir=/etc" - "--with-libgpg-error-prefix=${libgpg-error.dev}" - "--with-libgcrypt-prefix=${libgcrypt.dev}" - "--with-libassuan-prefix=${libassuan.dev}" - "--with-ksba-prefix=${libksba.dev}" - "GPGRT_CONFIG=${lib.getDev libgpg-error}/bin/gpgrt-config" - ] - ++ lib.optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentry.binaryPath or "bin/pinentry"}" - ++ lib.optional withTpm2Tss "--with-tss=intel" - ++ lib.optional stdenv.hostPlatform.isDarwin "--disable-ccid-driver"; + configureFlags = + [ + "--sysconfdir=/etc" + "--with-libgpg-error-prefix=${libgpg-error.dev}" + "--with-libgcrypt-prefix=${libgcrypt.dev}" + "--with-libassuan-prefix=${libassuan.dev}" + "--with-ksba-prefix=${libksba.dev}" + "GPGRT_CONFIG=${lib.getDev libgpg-error}/bin/gpgrt-config" + ] + ++ lib.optional guiSupport "--with-pinentry-pgm=${pinentry}/${ + pinentry.binaryPath or "bin/pinentry" + }" + ++ lib.optional withTpm2Tss "--with-tss=intel" + ++ lib.optional stdenv.hostPlatform.isDarwin "--disable-ccid-driver"; - postInstall = if enableMinimal - then '' - rm -r $out/{libexec,sbin,share} - for f in $(find $out/bin -type f -not -name gpg) - do - rm $f - done - '' else '' - # add gpg2 symlink to make sure git does not break when signing commits - ln -s $out/bin/gpg $out/bin/gpg2 + postInstall = + if enableMinimal 
then + '' + rm -r $out/{libexec,sbin,share} + for f in $(find $out/bin -type f -not -name gpg) + do + rm $f + done + '' + else + '' + # add gpg2 symlink to make sure git does not break when signing commits + ln -s $out/bin/gpg $out/bin/gpg2 - # Make libexec tools available in PATH - for f in $out/libexec/; do - if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi - ln -s $f $out/bin/$(basename $f) - done + # Make libexec tools available in PATH + for f in $out/libexec/; do + if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi + ln -s $f $out/bin/$(basename $f) + done - for f in $out/libexec/; do - if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi - ln -s $f $out/bin/$(basename $f) - done - ''; + for f in $out/libexec/; do + if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi + ln -s $f $out/bin/$(basename $f) + done + ''; enableParallelBuilding = true; @@ -99,7 +147,10 @@ stdenv.mkDerivation rec { frontend applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME. ''; - maintainers = with maintainers; [ fpletz sgo ]; + maintainers = with maintainers; [ + fpletz + sgo + ]; platforms = platforms.all; mainProgram = "gpg"; }; From 4441cba66d689e547aa62edffa2e83fe1c7de374 Mon Sep 17 00:00:00 2001 From: Noa Aarts Date: Wed, 30 Oct 2024 19:27:08 +0100 Subject: [PATCH 2/4] gnupg: 2.4.5 -> 2.4.7 --- pkgs/tools/security/gnupg/24.nix | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/pkgs/tools/security/gnupg/24.nix b/pkgs/tools/security/gnupg/24.nix index 2e6f9e93eec8f..c59b9475ef05c 100644 --- a/pkgs/tools/security/gnupg/24.nix +++ b/pkgs/tools/security/gnupg/24.nix 
@@ -34,11 +34,11 @@ assert guiSupport -> !enableMinimal; stdenv.mkDerivation rec { pname = "gnupg"; - version = "2.4.5"; + version = "2.4.7"; src = fetchurl { url = "mirror://gnupg/gnupg/${pname}-${version}.tar.bz2"; - hash = "sha256-9o99ddBssWNcM2002ESvl0NsP2TqFLy3yGl4L5b0Qnc="; + hash = "sha256-eyRwbk2n4OOwbKBoIxAnQB8jgQLEHJCWMTSdzDuF60Y="; }; depsBuildBuild = [ buildPackages.stdenv.cc ]; @@ -86,6 +86,8 @@ stdenv.mkDerivation rec { sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c ''; + NIX_CFLAGS_COMPILE = lib.optionalString stdenv.hostPlatform.isDarwin "-Wno-implicit-function-declaration"; + configureFlags = [ "--sysconfdir=/etc" @@ -120,11 +122,6 @@ stdenv.mkDerivation rec { if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi ln -s $f $out/bin/$(basename $f) done - - for f in $out/libexec/; do - if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi - ln -s $f $out/bin/$(basename $f) - done ''; enableParallelBuilding = true; From 447c3ce668ca4ab74ee9ab356d53c2081c0a38e9 Mon Sep 17 00:00:00 2001 From: Stig Palmquist Date: Thu, 26 Dec 2024 10:05:47 +0100 Subject: [PATCH 3/4] gnupg24: add freepg patches Add patches to GnuPG 2.4 from FreePG, a common resource for GnuPG downstream packagers to track, maintain, and apply commonly-used patches for GnuPG that have been refused by upstream. https://gitlab.com/freepg/gnupg/ --- pkgs/tools/security/gnupg/24.nix | 36 ++++++++++++++++++++++++-------- 1 file changed, 27 insertions(+), 9 deletions(-) diff --git a/pkgs/tools/security/gnupg/24.nix b/pkgs/tools/security/gnupg/24.nix index c59b9475ef05c..1fab8918c7afb 100644 --- a/pkgs/tools/security/gnupg/24.nix +++ b/pkgs/tools/security/gnupg/24.nix @@ -2,6 +2,7 @@ lib, stdenv, fetchurl, + fetchFromGitLab, buildPackages, pkg-config, texinfo, 
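Review bot: The new `NIX_CFLAGS_COMPILE = lib.optionalString stdenv.hostPlatform.isDarwin "-Wno-implicit-function-declaration";` in the `@@ -86,6 +86,8 @@` hunk silences a diagnostic that normally points at a missing prototype, and an implicitly declared function is assumed to return `int`, so a call that actually returns a pointer or `size_t` is truncated on a 64-bit Darwin build instead of failing to compile. The hunk does not say which call site or header triggers it in 2.4.7, so the next updater cannot tell when the flag can be dropped; please record that above the line, e.g. `# Darwin: clang 16+ rejects implicit declarations; <file/function> lacks a prototype in 2.4.7 — re-check on next bump`, and if the offender is in GnuPG's own tree a small include-fix patch is preferable to a blanket warning suppression. As a point of style, nixpkgs generally puts compiler-flag variables under `env.NIX_CFLAGS_COMPILE` rather than as a bare derivation attribute; that should be equivalent here since the derivation is not using structured attrs, but worth aligning.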
@@ -68,15 +69,32 @@ stdenv.mkDerivation rec { ] ++ lib.optionals withTpm2Tss [ tpm2-tss ]; - patches = [ - ./fix-libusb-include-path.patch - ./tests-add-test-cases-for-import-without-uid.patch - ./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch - ./24-allow-import-of-previously-known-keys-even-without-UI.patch - ./24-revert-rfc4880bis-defaults.patch - # Patch for DoS vuln from https://seclists.org/oss-sec/2022/q3/27 - ./v3-0001-Disallow-compressed-signatures-and-certificates.patch - ]; + freepgPatches = fetchFromGitLab { + domain = "gitlab.com"; + owner = "freepg"; + repo = "gnupg"; + rev = "541772915dc4ec832c37f85bc629a22051f0e8f7"; + hash = "sha256-QOUY6EfJbTTN242BtzLojDgECGjUwbLfPJgzn/mj5L8="; + }; + + patches = + [ + ./fix-libusb-include-path.patch + # Patch for CVE-2022-3219 + ./v3-0001-Disallow-compressed-signatures-and-certificates.patch + ] + ++ lib.map (v: "${freepgPatches}/STABLE-BRANCH-2-4-freepg/" + v) [ + # 0001-Add-gitlab-build-toolchain.patch + "0002-gpg-accept-subkeys-with-a-good-revocation-but-no-sel.patch" + "0003-gpg-allow-import-of-previously-known-keys-even-witho.patch" + "0004-tests-add-test-cases-for-import-without-uid.patch" + "0005-gpg-drop-import-clean-from-default-keyserver-import-.patch" + "0006-Do-not-use-OCB-mode-even-if-AEAD-OCB-key-preference-.patch" + "0007-Revert-the-introduction-of-the-RFC4880bis-draft-into.patch" + "0008-avoid-systemd-deprecation-warning.patch" + "0009-Add-systemd-support-for-keyboxd.patch" + "0010-doc-Remove-profile-and-systemd-example-files.patch" + ]; postPatch = '' From 570332a5f546cd9601f477960aa4b7d75c9b0844 Mon Sep 17 00:00:00 2001 From: Stig Palmquist Date: Thu, 26 Dec 2024 11:40:11 +0100 Subject: [PATCH 4/4] libgcrypt: 1.10.3 -> 1.11.0 https://lists.gnu.org/archive/html/info-gnu/2024-06/msg00004.html --- pkgs/development/libraries/libgcrypt/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
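Review bot: The new `patches` list applies `0005-gpg-drop-import-clean-from-default-keyserver-import-.patch` and `0006-Do-not-use-OCB-mode-even-if-AEAD-OCB-key-preference-.patch`, which judging from their file names change runtime behaviour (what gets stripped on keyserver import, and whether gpg selects AEAD/OCB when a recipient key prefers it) rather than just restoring the four patches nixpkgs already carried, yet neither the commit message nor an inline comment explains why nixpkgs wants them; the only per-patch rationale left is the `# Patch for CVE-2022-3219` line. A one-line comment on each behaviour-changing entry, e.g. `# 0006: stay interoperable with implementations that cannot decrypt OCB (FreePG/Debian default)` — wording to be confirmed against the patch text — would let a reader judge the trade-off without fetching the GitLab tree. Separately, the four local files this hunk stops referencing (`./tests-add-test-cases-for-import-without-uid.patch`, `./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch`, `./24-allow-import-of-previously-known-keys-even-without-UI.patch`, `./24-revert-rfc4880bis-defaults.patch`) are not deleted by this patch (the diffstat lists only `24.nix`), so they will linger in the tree unless a follow-up removes them. The `fetchFromGitLab` pin by `rev` plus `hash` is the right shape for third-party patch sources; adding the FreePG branch or tag the `rev` corresponds to in a comment would make future bumps traceable.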
diff --git a/pkgs/development/libraries/libgcrypt/default.nix b/pkgs/development/libraries/libgcrypt/default.nix index 4ac7d48213e2a..bc7e661e6c960 100644 --- a/pkgs/development/libraries/libgcrypt/default.nix +++ b/pkgs/development/libraries/libgcrypt/default.nix @@ -17,11 +17,11 @@ assert enableCapabilities -> stdenv.hostPlatform.isLinux; stdenv.mkDerivation rec { pname = "libgcrypt"; - version = "1.10.3"; + version = "1.11.0"; src = fetchurl { url = "mirror://gnupg/libgcrypt/${pname}-${version}.tar.bz2"; - hash = "sha256-iwhwiXrFrGfe1Wjc+t9Flpz6imvrD9YK8qnq3Coycqo="; + hash = "sha256-CRIMmGfOfyCB1qqhd1OGuYwvLyRhNXYarkfYH1hoW5w="; }; outputs = [