update GnuPG and friends to 2.4.0 #1350
Conversation
|
@saper: took your PR and pushed it on my github to be built by CircleCI at https://app.circleci.com/pipelines/github/tlaurion/heads/1561/workflows/933c2b4e-c532-4166-bec5-2be8ca9166f2 (CircleCI error). |
|
GPGRT_CONFIG is not found in libgcrypt configure script... |
|
afaik gpgrt-config is not strictly necessary. Looks like CI runs with a different compilation flags ( |
|
@saper This is the issue where solution is not working Related patch proposed is to be tested, not merged, upstream (and doesn't fix the issue at stake): |
|
We rely on pkg-config to provide proper paths, where as of now, libgpg-error.so is found, but libgpg-error.so.1 is searched in wrong path and fails linking, both locally and under CircleCI (debian-11 based for build reproducibility (not to be confounded with reproducibility of builds. We just want a setup to recommend that works for all, in the meantime of having a build stack that produces same binaries). I was trying to fix this and point you again to gpg-card binary addition (new from 2.3+) which needs to be explored to hopefully remove the screen scraping, that as you seen, is fragile and does not survive version bumps (and is a maintainership nightmare long term). |
|
Updated #1350 (comment) |
@saper if you had a previous version of libgpgerror.so where searched for, that is why it works in your build env but that lucky build cannot be made again anywhere else. I wiped install/x86, had to rebuild complaining modules (eg: make BOARD=x230-hotp-maximized libgpg-error.clean) to reproduce same thing that CircleCI complains about. Make install statements of modules copy things under install/x86 which are then reused by modules that depend on them. CircleCI on the other hand builds clean (3 levels of cache) where only coreboot buildstack was reused (musl-cross-make cache + build/x86/coreboot-) since modules/ definition changed, so the biggest cache could not be reused. Biggest cache is the one containing build/x86/* and install/x86 cache, so basically building "clean" (with muslc-cross cache and coreboot builds cache). |
|
https://app.circleci.com/pipelines/github/tlaurion/heads?branch=gnupg-2.4.0-update |
|
Seems like rhe issue are with tests not reusing same toolchain and libraries used for compilation. Getting rid of the faulty tests under libgcrypt might be the solution here |
|
I have disconnected the tests from the libgcrypt build with 924f78f |
saper
force-pushed
the
gnupg-2.4.0-update
branch
from
924f78f to
740581c
Compare
|
Force pushed the last commit with a whitespace fix by @tlaurion |
saper
force-pushed
the
gnupg-2.4.0-update
branch
from
740581c to
4d2d8d6
Compare
|
Note that ppc64 related patches are gone, will test those in next batch of tests, hopefully I will remember. |
|
Some notes on size changes (produced by playing with initrd.cpio.xz under /tmp dir), comparing output of |
|
Also note that neither gpg-connect-agent, gpgsm nor gpg-card are needed, but sizes above show respective added space consomption outside of initrd.cpio.xz being compressed (which can be obtained by comparing coreboot stitching output in logs of CircleCI output, and where addition of those 3 breaks builds of legacy boards and t520 board as of now). I would advise removing gpg-connect-agent as well unless really necessary. |
|
Sure, we can drop gpg-connect-agent and gpgsm for now, if we use them only for testing. |
|
Suppressed things further for gpg under https://github.com/tlaurion/heads/tree/gnupg-2.4.0-update |
saper
force-pushed
the
gnupg-2.4.0-update
branch
from
4d2d8d6 to
4ff8267
Compare
@saper what do you mean? |
|
Also note that the following would be needed for the factory reset/reownership wizard to work with 2.4 |
…on top of coreboot 4.19 and 5.10.5 test CircleCI build (see which boards won't take it on 5.x kernels)
@saper damnit I forgot. |
There was a problem hiding this comment.
Basically: why this patch has been removed for ppc64 @saper?
There was a problem hiding this comment.
No reason, I probably made a mistake and though this has already been included upstream.
198.15 -> 277.69 kB
676.03 -> 408.95 kB \o/
741.81 -> 502.42 kB
562.01 -> 783.14 kB
830.63 -> 917.89 kB
Tests require libgpg-error library built for the host machine which we do not nessarily have in the build environment.
…on top of coreboot 4.19 and 5.10.5 test CircleCI build (see which boards won't take it on 5.x kernels)
|
To be tested on top of #1381 |
|
I wouldn't hold my breath :( |
| @@ -53,6 +54,6 @@ gpg2_target := $(MAKE_JOBS) \ | |||
| DESTDIR="$(INSTALL)" \ | |||
| install | |||
|
|
|||
| gpg2_output := g10/gpg agent/gpg-agent scd/scdaemon | |||
| gpg2_output := g10/gpg agent/gpg-agent scd/scdaemon tools/gpg-connect-agent | |||
There was a problem hiding this comment.
We should revert adding tools/gpg-connect-agent
| @@ -13,7 +13,6 @@ libassuan_configure := \ | |||
| --host $(MUSL_ARCH)-linux-musl \ | |||
| --prefix "/" \ | |||
| --disable-static \ | |||
| --disable-debug \ | |||
There was a problem hiding this comment.
We should revert removing --disable-debug?
--disable-doc can be enabled
| @@ -41,6 +41,7 @@ gpg2_configure := \ | |||
| --disable-wks-tools \ | |||
| --disable-gnutls \ | |||
| --disable-dirmngr \ | |||
| --disable-ntbtls \ | |||
There was a problem hiding this comment.
Could add
--disable-libdns
| @@ -1,10 +1,10 @@ | |||
| modules-$(CONFIG_GPG2) += gpg2 | |||
|
|
|||
| gpg2_version := 2.2.21 | |||
| gpg2_version := 2.4.0 | |||
There was a problem hiding this comment.
2.4.1 fixes issues with copy to card for yubikey.
2.4.2 is out.
|
Merged under #1422 with minor modification |
gnupg 2.2.21 -> 2.4.0
libgcrypt 1.8.6 -> 1.10.1
libassuan 2.5.3 -> 2.5.5
libksba 1.4.0 -> 1.6.3
libgpg-error 1.46