From e21f81408226c5c31d94bf979c4d4f5b4c267338 Mon Sep 17 00:00:00 2001 From: wiz Date: Sat, 25 Dec 2004 02:54:13 +0000 Subject: Update to 1.4.0, provided by Stefan Krüger in PR 28738. While here, convert to options.mk. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit GnuPG 1.4 Highlights ==================== This is a brief overview of the changes between the GnuPG 1.2 series and the new GnuPG 1.4 series. To read the full list of highlights for each revision that led up to 1.4, see the NEWS file in the GnuPG distribution. This document is based on the NEWS file, and is thus the highlights of the highlights. When upgrading, note that RFC-2440, the OpenPGP standard, is currently being revised. Most of the revisions in the latest draft (2440bis-12) have already been incorporated into GnuPG 1.4. Algorithm Changes ----------------- OpenPGP supports many different algorithms for encryption, hashing, and compression, and taking into account the OpenPGP revisions, GnuPG 1.4 supports a slightly different algorithm set than 1.2 did. The SHA256, SHA384, and SHA512 hashes are now supported for read and write. The BZIP2 compression algorithm is now supported for read and write. Due to the recent successful attack on the MD5 hash algorithm (discussed in , among other places), MD5 is deprecated for OpenPGP use. It is still allowed in GnuPG 1.4 for backwards compatibility, but a warning is given when it is used. The TIGER/192 hash is no longer available. This should not be interpreted as a statement as to the quality of TIGER/192 - rather, the revised OpenPGP standard removes support for several unused or mostly unused hashes, and TIGER/192 was one of them. Similarly, Elgamal signatures and the Elgamal signing key type have been removed from the OpenPGP standard, and thus from GnuPG. Please do not confuse Elgamal signatures with DSA or DSS signatures or with Elgamal encryption. Elgamal signatures were very rarely used and were not supported in any product other than GnuPG. Elgamal encryption was and still is part of OpenPGP and GnuPG. Very old (pre-1.0) versions of GnuPG supported a nonstandard (contrary to OpenPGP) Elgamal key type. While no recent version of GnuPG permitted the generation of such keys, GnuPG 1.2 could still use them. GnuPG 1.4 no longer allows the use of these keys or the (also nonstandard) messages generated using them. At build time, it is possible to select which algorithms will be built into GnuPG. This can be used to build a smaller program binary for embedded uses where space is tight. Keyserver Changes ----------------- GnuPG 1.4 does all keyserver operations via plugin or helper applications. This allows the main GnuPG program to be smaller and simpler. People who package GnuPG for various reasons have the flexibility to include or leave out support for any keyserver type as desired. Support for fetching keys via HTTP and finger has been added. This is mainly useful for setting a preferred keyserver URL like "http://www.jabberwocky.com/key.asc". or "finger:wk at g10code.com". The LDAP keyserver helper now supports storing, retrieving, and searching for keys in both the old NAI "LDAP keyserver" as well as the more recent method to store OpenPGP keys in standard LDAP servers. This is compatible with the storage schema that PGP uses, so both products can interoperate with the same LDAP server. The LDAP keyserver helper is compatible with the PGP company's new "Global Directory" service. If the LDAP library you use supports LDAP-over-TLS and LDAPS, then GnuPG detects this and supports them as well. Note that using TLS or LDAPS does not improve the security of GnuPG itself, but may be useful in certain key distribution scenarios. HTTP Basic authentication is now supported for all HKP and HTTP keyserver functions, either through a proxy or via direct access. The HKP keyserver plugin supports the new machine-readable key listing format for those keyservers that provide it. IPv6 is supported for HKP and HTTP keyserver access. When using a HKP keyserver with multiple DNS records (such as subkeys.pgp.net which has the addresses of multiple servers around the world), all DNS address records are tried until one succeeds. This prevents a single down server in the rotation from stopping access. DNS SRV records are used in HKP keyserver lookups to allow administrators to load balance and select keyserver ports automatically. Timeout support has been added to the keyserver plugins. This allows users to set an upper limit on how long to wait for the keyserver before giving up. Preferred Keyserver URL ----------------------- Preferred keyserver support has been added. Users may set a preferred keyserver via the --edit-key command "keyserver". If the --keyserver-option honor-keyserver-url is set (and it is by default), then the preferred keyserver is used when refreshing that key with --refresh-keys. The --sig-keyserver-url option can be used to inform signature recipients where the signing key can be downloaded. When verifying the signature, if the signing key is not present, and the keyserver options honor-keyserver-url and auto-key-retrieve are set, this URL will be used to retrieve the key. Trust Signatures ---------------- GnuPG 1.4 supports OpenPGP trust signatures, which allow a user to specify the trust level and distance from the user along with the signature so users can delegate different levels of certification ability to other users, possibly restricted by a regular expression on the user ID. Trust Models ------------ GnuPG 1.4 supports several ways of looking at trust: Classic - The classic PGP trust model, where people sign each others keys and thus build up an assurance (called "validity") that the key belongs to the right person. This was the default trust model in GnuPG 1.2. Always - Bypass all trust checks, and make all keys fully valid. Direct - Users may set key validity directly. PGP - The PGP 7 and 8 behavior which combines Classic trust with trust signatures overlaid on top. This is the default trust model in GnuPG 1.4. The OpenPGP Smartcard --------------------- GnuPG 1.4 supports the OpenPGP smartcard () Secret keys may be kept fully or partially on the smartcard. The smartcard may be used for primary keys or subkeys. Other Interesting New Features ------------------------------ For those using Security-Enhanced Linux , the configure option --enable-selinux-support prevents GnuPG from processing its own files (i.e. reading the secret keyring for something other than getting a secret key from it). This simplifies writing ACLs for the SELinux kernel. Readline support is now available at all prompts if the system provides a readline library. GnuPG can now create messages that can be decrypted with either a passphrase or a secret key. These messages may be generated with --symmetric --encrypt or --symmetric --sign --encrypt. --list-options and --verify-options allow the user to customize exactly what key listings or signature verifications look like, enabling or disabling things such as photo display, preferred keyserver URL, calculated validity for each user ID, etc. The --primary-keyring option designates the keyring that the user wants new keys imported into. The --hidden-recipient (or -R) command encrypts to a user, but hides the identity of that user. This is the same functionality as --throw-keyid, but can be used on a per-user basis. Full algorithm names (e.g. "3DES", "SHA1", "ZIP") can now be used interchangeably with the short algorithm names (e.g. "S2", "H2", "Z1") anywhere algorithm names are used in GnuPG. The --keyid-format option selects short (99242560), long (DB698D7199242560), 0xshort (0x99242560), or 0xlong (0xDB698D7199242560) key ID displays. This lets users tune the display to what they prefer. While it is not recommended for extended periods, it is possible to run both GnuPG 1.2.x and GnuPG 1.4 during the transition. To aid in this, GnuPG 1.4 tries to load a config file suffixed with its version before it loads the default config file. For example, 1.4 will try for gpg.conf-1.4 and gpg.conf-1 before falling back to the regular gpg.conf file. --- security/gnupg/Makefile | 52 +++++++---------------------------------- security/gnupg/PLIST | 9 +++++-- security/gnupg/distinfo | 16 +++++-------- security/gnupg/patches/patch-aa | 8 +++---- security/gnupg/patches/patch-ab | 6 ++--- security/gnupg/patches/patch-ac | 11 --------- security/gnupg/patches/patch-ad | 35 --------------------------- security/gnupg/patches/patch-ae | 13 ----------- security/gnupg/patches/patch-af | 15 ------------ security/gnupg/patches/patch-ak | 8 +++---- 10 files changed, 33 insertions(+), 140 deletions(-) delete mode 100644 security/gnupg/patches/patch-ac delete mode 100644 security/gnupg/patches/patch-ad delete mode 100644 security/gnupg/patches/patch-ae delete mode 100644 security/gnupg/patches/patch-af (limited to 'security/gnupg') diff --git a/security/gnupg/Makefile b/security/gnupg/Makefile index 76e2b845943..7631d05ee13 100644 --- a/security/gnupg/Makefile +++ b/security/gnupg/Makefile @@ -1,15 +1,15 @@ -# $NetBSD: Makefile,v 1.71 2004/11/08 21:17:01 tv Exp $ +# $NetBSD: Makefile,v 1.72 2004/12/25 02:54:13 wiz Exp $ -DISTNAME= gnupg-1.2.6 -PKGREVISION= 1 +DISTNAME= gnupg-1.4.0 CATEGORIES= security MASTER_SITES= ftp://ftp.gnupg.org/gcrypt/gnupg/ \ - ftp://ftp.planetmirror.com/pub/gnupg/gnupg/ \ + ftp://ftp.planetmirror.com/pub/gnupg/ \ ftp://gd.tuwien.ac.at/privacy/gnupg/gnupg/ \ ftp://ftp.jyu.fi/pub/crypt/gcrypt/gnupg/ \ - ftp://ftp.freenet.de/pub/ftp.gnupg.org/gcrypt/gnupg/ + ftp://ftp.cert.dfn.de/pub/tools/crypt/gcrypt/gnupg/ \ + ftp://ftp.ring.gr.jp/pub/net/gnupg/gnupg/ EXTRACT_SUFX= .tar.bz2 -# don't remove this -- we may add idea.c.gz to it below +# don't remove this -- we may add idea.c.gz to it in options.mk DISTFILES= ${DISTNAME}${EXTRACT_SUFX} MAINTAINER= wiz@NetBSD.org @@ -24,7 +24,7 @@ GNU_CONFIGURE= yes USE_BUILDLINK3= yes USE_PKGLOCALEDIR= yes USE_GNU_TOOLS+= make -CONFIGURE_ARGS+= --enable-tiger --with-static-rnd=auto +CONFIGURE_ARGS+= --with-static-rnd=auto CONFIGURE_ARGS+= --with-mailprog=/usr/sbin/sendmail TEST_TARGET= check @@ -32,45 +32,12 @@ EXTRACT_ONLY= ${DISTNAME}${EXTRACT_SUFX} INFO_FILES= gpg.info gpgv.info -.include "../../mk/bsd.prefs.mk" - -BUILD_DEFS+= USE_I586 USE_IDEA USE_OPENLDAP M68060 - -.if defined(USE_I586) && ${USE_I586} == YES -# use assembler routines optimized for i586 -ONLY_FOR_PLATFORM= *-*-i386 -MACHINE_GNU_ARCH= i586 -.endif - -.if defined(M68060) && ${M68060} == YES -# be more efficient on M68060 machines -CONFIGURE_ENV+= M68060=${M68060} -CFLAGS+= -m68060 -.endif - -.if defined(USE_IDEA) && ${USE_IDEA} == YES -# use of IDEA as crypto function -LICENCE= fee-based-commercial-use -DISTFILES+= idea.c.gz -SITES_idea.c.gz=ftp://ftp.gnupg.dk/pub/contrib-dk/ \ - http://www.gnupg.dk/contrib-dk/ +.include "options.mk" INSTALLATION_DIRS= bin libexec/gnupg man/man1 man/man7 share/gnupg -pre-configure: - ${GZCAT} ${DISTDIR}/idea.c.gz > ${WRKSRC}/cipher/idea.c -.endif - -.if defined(USE_OPENLDAP) && ${USE_OPENLDAP} == YES -.include "../../databases/openldap/buildlink3.mk" -PLIST_SUBST+= OPENLDAP="" -.else -CONFIGURE_ARGS+=--disable-ldap -PLIST_SUBST+= OPENLDAP="@comment " -.endif - +# XXX: still needed? .if ${OPSYS} == "FreeBSD" - SUBST_CLASSES= fixme SUBST_STAGE.fixme= post-configure SUBST_FILES.fixme= mpi/i386/mpih-add1.S mpi/i386/mpih-lshift.S \ @@ -78,7 +45,6 @@ SUBST_FILES.fixme= mpi/i386/mpih-add1.S mpi/i386/mpih-lshift.S \ mpi/i386/mpih-mul3.S mpi/i386/mpih-rshift.S \ mpi/i386/mpih-sub1.S SUBST_SED.fixme= -e "s,ALIGN (3),ALIGN (4),g" - .endif post-install: diff --git a/security/gnupg/PLIST b/security/gnupg/PLIST index 1fa65f12a50..8bb28b905cd 100644 --- a/security/gnupg/PLIST +++ b/security/gnupg/PLIST @@ -1,10 +1,14 @@ -@comment $NetBSD: PLIST,v 1.13 2004/07/28 15:17:42 wiz Exp $ +@comment $NetBSD: PLIST,v 1.14 2004/12/25 02:54:13 wiz Exp $ bin/gpg bin/gpgsplit bin/gpgv +libexec/gnupg/gpgkeys_finger +libexec/gnupg/gpgkeys_hkp +libexec/gnupg/gpgkeys_http libexec/gnupg/gpgkeys_mailto ${OPENLDAP}libexec/gnupg/gpgkeys_ldap man/man1/gpg.1 +man/man1/gpg.ru.1 man/man1/gpgv.1 man/man7/gnupg.7 share/gnupg/DETAILS @@ -17,6 +21,8 @@ ${PKGLOCALEDIR}/locale/cs/LC_MESSAGES/gnupg.mo ${PKGLOCALEDIR}/locale/da/LC_MESSAGES/gnupg.mo ${PKGLOCALEDIR}/locale/de/LC_MESSAGES/gnupg.mo ${PKGLOCALEDIR}/locale/el/LC_MESSAGES/gnupg.mo +${PKGLOCALEDIR}/locale/en@boldquot/LC_MESSAGES/gnupg.mo +${PKGLOCALEDIR}/locale/en@quot/LC_MESSAGES/gnupg.mo ${PKGLOCALEDIR}/locale/eo/LC_MESSAGES/gnupg.mo ${PKGLOCALEDIR}/locale/es/LC_MESSAGES/gnupg.mo ${PKGLOCALEDIR}/locale/et/LC_MESSAGES/gnupg.mo @@ -27,7 +33,6 @@ ${PKGLOCALEDIR}/locale/hu/LC_MESSAGES/gnupg.mo ${PKGLOCALEDIR}/locale/id/LC_MESSAGES/gnupg.mo ${PKGLOCALEDIR}/locale/it/LC_MESSAGES/gnupg.mo ${PKGLOCALEDIR}/locale/ja/LC_MESSAGES/gnupg.mo -${PKGLOCALEDIR}/locale/nl/LC_MESSAGES/gnupg.mo ${PKGLOCALEDIR}/locale/pl/LC_MESSAGES/gnupg.mo ${PKGLOCALEDIR}/locale/pt/LC_MESSAGES/gnupg.mo ${PKGLOCALEDIR}/locale/pt_BR/LC_MESSAGES/gnupg.mo diff --git a/security/gnupg/distinfo b/security/gnupg/distinfo index 73e0ed13047..0c96a9773ad 100644 --- a/security/gnupg/distinfo +++ b/security/gnupg/distinfo @@ -1,13 +1,9 @@ -$NetBSD: distinfo,v 1.31 2004/08/26 13:39:05 lukem Exp $ +$NetBSD: distinfo,v 1.32 2004/12/25 02:54:13 wiz Exp $ -SHA1 (gnupg-1.2.6.tar.bz2) = 4bc72a7307c4d57618cdba48ad0c6148c1f00a74 -Size (gnupg-1.2.6.tar.bz2) = 2550665 bytes +SHA1 (gnupg-1.4.0.tar.bz2) = 0054635a131b7af383e956fa9e1520ac44cad116 +Size (gnupg-1.4.0.tar.bz2) = 2722669 bytes SHA1 (idea.c.gz) = 82fded4ec31b97b3b2dd22741880b67cfee40f84 Size (idea.c.gz) = 5216 bytes -SHA1 (patch-aa) = 3babbdc4386f0edaed4a6e1bb851312528d6ff9e -SHA1 (patch-ab) = af66565a44b5db979dc1362733193f3d6888a34f -SHA1 (patch-ac) = cc029e0b2dcc18b1d8de0c1145719bb2bf329467 -SHA1 (patch-ad) = fc9e85c88e53738faa47f55b769e98dce2c190dc -SHA1 (patch-ae) = 827cdfbc4ed04c382f593051188a5aad0977b0ed -SHA1 (patch-af) = bdc03318447a78ac52b3dbefc59f90fcebc0b20d -SHA1 (patch-ak) = bf0d2648382f8737bdda4eac486f23ee76f43b4f +SHA1 (patch-aa) = 2916ba7403fea027d872fe62ce271c2e8b8ac3be +SHA1 (patch-ab) = 29a7d0b736322eb1ecf0925a2419b513f323000e +SHA1 (patch-ak) = d6a13c41905c7d0c5bf883add227bc7d5267dc06 diff --git a/security/gnupg/patches/patch-aa b/security/gnupg/patches/patch-aa index 45bd3fce2e0..3989b307889 100644 --- a/security/gnupg/patches/patch-aa +++ b/security/gnupg/patches/patch-aa @@ -1,8 +1,8 @@ -$NetBSD: patch-aa,v 1.9 2003/08/25 21:25:25 itojun Exp $ +$NetBSD: patch-aa,v 1.10 2004/12/25 02:54:13 wiz Exp $ ---- cipher/idea-stub.c.orig 2003-07-31 00:15:51.000000000 +0900 -+++ cipher/idea-stub.c 2003-08-26 06:19:38.000000000 +0900 -@@ -131,9 +131,9 @@ +--- cipher/idea-stub.c.orig 2004-11-17 16:50:56.000000000 +0100 ++++ cipher/idea-stub.c +@@ -132,9 +132,9 @@ load_module (const char *name) } sym = dlsym (handle, "idea_get_info"); diff --git a/security/gnupg/patches/patch-ab b/security/gnupg/patches/patch-ab index c5dbb32a6b4..35edcd63aa4 100644 --- a/security/gnupg/patches/patch-ab +++ b/security/gnupg/patches/patch-ab @@ -1,8 +1,8 @@ -$NetBSD: patch-ab,v 1.23 2004/07/28 15:17:42 wiz Exp $ +$NetBSD: patch-ab,v 1.24 2004/12/25 02:54:13 wiz Exp $ ---- mpi/config.links.orig 2004-01-13 12:21:39.000000000 +0100 +--- mpi/config.links.orig 2004-10-26 19:06:47.000000000 +0200 +++ mpi/config.links -@@ -197,6 +197,14 @@ case "${target}" in +@@ -197,6 +197,14 @@ case "${host}" in cat $srcdir/mpi/m68k/syntax.h >>./mpi/asm-syntax.h path="m68k" ;; diff --git a/security/gnupg/patches/patch-ac b/security/gnupg/patches/patch-ac deleted file mode 100644 index 909de271793..00000000000 --- a/security/gnupg/patches/patch-ac +++ /dev/null @@ -1,11 +0,0 @@ -$NetBSD: patch-ac,v 1.15 2004/07/28 15:17:42 wiz Exp $ - -ftp://ftp.kame.net/pub/kame/misc/gnupg-1.2.2-IPv6.diff.gz - ---- config.h.in.orig 2004-07-26 14:26:11.000000000 +0200 -+++ config.h.in -@@ -616,3 +616,4 @@ - - #include "g10defs.h" - -+#undef HAVE_GETADDRINFO diff --git a/security/gnupg/patches/patch-ad b/security/gnupg/patches/patch-ad deleted file mode 100644 index 984a339f55e..00000000000 --- a/security/gnupg/patches/patch-ad +++ /dev/null @@ -1,35 +0,0 @@ -$NetBSD: patch-ad,v 1.5 2003/12/25 14:05:02 wiz Exp $ - -ftp://ftp.kame.net/pub/kame/misc/gnupg-1.2.2-IPv6.diff.gz - ---- util/http.c.orig Tue Dec 23 18:33:34 2003 -+++ util/http.c -@@ -751,6 +751,28 @@ connect_server( const char *server, usho - sock_close (sd); - return -1; - } -+#elif defined(HAVE_GETADDRINFO) -+ struct addrinfo hints, *res0, *res; -+ char portstr[20]; -+ -+ memset(&hints, 0, sizeof(hints)); -+ hints.ai_socktype = SOCK_STREAM; -+ snprintf(portstr, sizeof(portstr), "%u", port); -+ if (getaddrinfo(server, portstr, &hints, &res0) != 0) -+ return -1; -+ for (res = res0; res; res = res->ai_next) { -+ sd = socket(res->ai_family, res->ai_socktype, res->ai_protocol); -+ if (sd < 0) -+ continue; -+ if (connect(sd, res->ai_addr, res->ai_addrlen) < 0) { -+ close(sd); -+ sd = -1; -+ continue; -+ } -+ break; -+ } -+ freeaddrinfo(res0); -+ return sd; - #else - struct sockaddr_in addr; - struct hostent *host; diff --git a/security/gnupg/patches/patch-ae b/security/gnupg/patches/patch-ae deleted file mode 100644 index 14dbbf4ea89..00000000000 --- a/security/gnupg/patches/patch-ae +++ /dev/null @@ -1,13 +0,0 @@ -$NetBSD: patch-ae,v 1.7 2004/07/28 15:17:42 wiz Exp $ - ---- configure.ac.orig 2004-07-26 14:18:06.000000000 +0200 -+++ configure.ac -@@ -633,7 +633,7 @@ AC_CHECK_FUNCS(strerror stpcpy strsep st - AC_CHECK_FUNCS(strcasecmp strncasecmp ctermid times) - AC_CHECK_FUNCS(memmove gettimeofday getrusage setrlimit clock_gettime) - AC_CHECK_FUNCS(atexit raise getpagesize strftime nl_langinfo setlocale) --AC_CHECK_FUNCS(waitpid wait4 sigaction sigprocmask rand pipe stat) -+AC_CHECK_FUNCS(waitpid wait4 sigaction sigprocmask rand pipe stat getaddrinfo) - AC_REPLACE_FUNCS(mkdtemp) - AC_CHECK_TYPES([struct sigaction, sigset_t],,,[#include ]) - diff --git a/security/gnupg/patches/patch-af b/security/gnupg/patches/patch-af deleted file mode 100644 index 046eeedcbf0..00000000000 --- a/security/gnupg/patches/patch-af +++ /dev/null @@ -1,15 +0,0 @@ -$NetBSD: patch-af,v 1.6 2004/07/28 15:17:42 wiz Exp $ - -ftp://ftp.kame.net/pub/kame/misc/gnupg-1.2.2-IPv6.diff.gz - ---- configure.orig Tue Dec 23 14:28:22 2003 -+++ configure -@@ -13579,7 +13579,7 @@ done - - - --for ac_func in waitpid wait4 sigaction sigprocmask rand pipe stat -+for ac_func in waitpid wait4 sigaction sigprocmask rand pipe stat getaddrinfo - do - as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` - echo "$as_me:$LINENO: checking for $ac_func" >&5 diff --git a/security/gnupg/patches/patch-ak b/security/gnupg/patches/patch-ak index f8bb135e776..b36907ce81a 100644 --- a/security/gnupg/patches/patch-ak +++ b/security/gnupg/patches/patch-ak @@ -1,8 +1,8 @@ -$NetBSD: patch-ak,v 1.1 2003/12/01 14:16:17 he Exp $ +$NetBSD: patch-ak,v 1.2 2004/12/25 02:54:13 wiz Exp $ ---- include/types.h.orig Wed Jul 30 09:44:43 2003 -+++ include/types.h Sun Nov 30 12:04:15 2003 -@@ -103,7 +103,12 @@ +--- include/types.h.orig 2003-09-28 13:35:29.000000000 +0200 ++++ include/types.h +@@ -103,7 +103,12 @@ typedef unsigned long u32; #undef u64 /* maybe there is a macro with this name */ #if SIZEOF_UINT64_T == 8 typedef uint64_t u64; -- cgit v1.2.3