From dec64ec3a193f4f5f7609c32572709239267a5a8 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Tue, 14 May 2024 12:44:11 -0400 Subject: [PATCH] Fix key to card failing with invalid time when moving keys to smartcard on master (Opt: Authenticated Heads) - Revert gnupg toolstack version bump to what it was prior to the #1661 merge (2.4.2 -> 2.4.0). Version bump not needed for reproducibility. - Investigation and upstream discussions will take their time resolving the invalid time issue introduced between 2.4.0 and latest gnupg (fix regression first under master) - oem-factory-reset - Adding DO_WITH_DEBUG to oem-factory-reset for all its gpg calls. If failing in debug mode, /tmp/debug.txt contains calls and errors - Wipe keyrings only (*.gpg, *.kbx) not conf files under gpg homedir (keep initrd/.gnupg/*.conf) - flake.nix - switch build derivative from qemu and qemu_kvm to qemu_full to have qemu-img tool which was missing to run qemu boards (v0.1.8 docker) - add gnupg so that qemu boards can call inject_gpg to inject public key in absence of flashrom+pflash support for internal flashing - flake.lock: Updated nix pinned package list under flake.lock with 'nix flake update' so qemu_full builds - README.md: have consistent docker testing + release (push) notes - .circleci/config.yml: depend on docker v0.1.8 (qemu_full built with canokey-qemu lib support, diffoscopeMinimal and gnupg for proper qemu testing) TODO: - some fd2 instead of fd1?! - oem-factory-reset has whiptail_or_die which sets whiptail box to HEIGHT 0. This doesn't show a scrolling window on gpg errors which is problematic with fbwhiptail, not whiptail 
Signed-off-by: Thierry Laurion --- .circleci/config.yml | 8 +-- README.md | 4 ++ flake.lock | 6 +- flake.nix | 8 ++- initrd/bin/oem-factory-reset | 60 +++++++------------ modules/gpg2 | 4 +- modules/libassuan | 6 +- modules/libgcrypt | 6 +- modules/libgpg-error | 4 +- modules/libksba | 6 +- patches/gpg2-2.2.10.patch | 27 --------- .../{gpg2-2.4.2.patch => gpg2-2.4.0.patch} | 0 ...suan-2.5.6.patch => libassuan-2.5.5.patch} | 0 ...suan-2.5.1.patch => libgcrypt-1.8.3.patch} | 42 ++++++------- ...ror-1.47.patch => libgpg-error-1.46.patch} | 0 ...ibksba-1.6.4.patch => libksba-1.6.3.patch} | 0 16 files changed, 73 insertions(+), 108 deletions(-) delete mode 100644 patches/gpg2-2.2.10.patch rename patches/{gpg2-2.4.2.patch => gpg2-2.4.0.patch} (100%) rename patches/{libassuan-2.5.6.patch => libassuan-2.5.5.patch} (100%) rename patches/{libassuan-2.5.1.patch => libgcrypt-1.8.3.patch} (89%) rename patches/{libgpg-error-1.47.patch => libgpg-error-1.46.patch} (100%) rename patches/{libksba-1.6.4.patch => libksba-1.6.3.patch} (100%) diff --git a/.circleci/config.yml b/.circleci/config.yml index 2ff6ed117..089d63cfb 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -45,7 +45,7 @@ commands: jobs: prep_env: docker: - - image: tlaurion/heads-dev-env:v0.1.6 + - image: tlaurion/heads-dev-env:v0.1.8 resource_class: large working_directory: ~/heads steps: @@ -111,7 +111,7 @@ jobs: build_and_persist: docker: - - image: tlaurion/heads-dev-env:v0.1.6 + - image: tlaurion/heads-dev-env:v0.1.8 resource_class: large working_directory: ~/heads parameters: @@ -139,7 +139,7 @@ jobs: build: docker: - - image: tlaurion/heads-dev-env:v0.1.6 + - image: tlaurion/heads-dev-env:v0.1.8 resource_class: large working_directory: ~/heads parameters: @@ -160,7 +160,7 @@ jobs: save_cache: docker: - - image: tlaurion/heads-dev-env:v0.1.6 + - image: tlaurion/heads-dev-env:v0.1.8 resource_class: large working_directory: ~/heads steps: 
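Review bot: The four `image: tlaurion/heads-dev-env:v0.1.8` lines (jobs prep_env, build_and_persist, build and save_cache) select the build container by tag only, and a registry tag can be re-pushed with different content without any change in this file. For a firmware build that aims at reproducibility, pinning the digest makes CI fail closed if the image changes: `- image: tlaurion/heads-dev-env@sha256:<digest-of-v0.1.8>`. The digest is a placeholder; take it from the image that was actually tested against this PR.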
diff --git a/README.md b/README.md index dbc082988..b7e9214d0 100644 --- a/README.md +++ b/README.md @@ -97,6 +97,10 @@ Maintenance notes on docker image Redo the steps above in case the flake.nix or nix.lock changes. Then publish on docker hub: ``` +docker tag linuxboot/heads:dev-env tlaurion/heads-dev-env:vx.y.z +docker push tlaurion/heads-dev-env:vx.y.z +#test against CircleCI in PR. Merge. +#make last version the latest docker tag tlaurion/heads-dev-env:vx.y.z tlaurion/heads-dev-env:latest docker push tlaurion/heads-dev-env:latest ``` diff --git a/flake.lock b/flake.lock index 491e53f71..0b2278f08 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1711703276, - "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=", + "lastModified": 1715534503, + "narHash": "sha256-5ZSVkFadZbFP1THataCaSf0JH2cAH3S29hU9rrxTEqk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089", + "rev": "2057814051972fa1453ddfb0d98badbea9b83c06", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 87683c33c..a9ce9b359 100644 --- a/flake.nix +++ b/flake.nix 
@@ -75,14 +75,16 @@ canokeySupport = true; # This override enables Canokey support in QEMU, resulting in -device canokey being available. }) # Packages for qemu support with Canokey integration from previous override - #qemu_full #Heavier but contains qemu-img, kvm and everything else needed to do development cycles under docker - qemu # To test make BOARD=qemu-coreboot-* boards and then call make BOARD=qemu-coreboot-* with inject_gpg statement, and then run statement. - qemu_kvm # kvm additional support for qemu without all the qemu-img and everything else under qemu_full + qemu_full #Heavier but contains qemu-img, kvm and everything else needed to do development cycles under docker + #qemu # To test make BOARD=qemu-coreboot-* boards and then call make BOARD=qemu-coreboot-* with inject_gpg statement, and then run statement. + #qemu_kvm # kvm additional support for qemu without all the qemu-img and everything else under qemu_full ] ++ [ # Additional tools for debugging/editing/testing. vim # Mostly used amongst us, sorry if you'd like something else, open issue. swtpm # QEMU requirement to emulate tpm1/tpm2. dosfstools # QEMU requirement to produce valid fs to store exported public key to be fused through inject_key on qemu (so qemu flashrom emulated SPI support). + diffoscopeMinimal # Not sure exactly what is packed here, let's try. + gnupg #to inject public key inside of qemu create rom through inject_gpg target of targets/qemu.mk TODO: remove when pflash supported by flashrom #diffoscope #should we include it? Massive:11 GB uncompressed. Wow?!?! ] ++ [ # Tools for handling binary blobs in their compressed state. (blobs/xx30/vbios_[tw]530.sh) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index 027480219..72d69ae88 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset 
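Review bot: The comment added on `diffoscopeMinimal` ("Not sure exactly what is packed here, let's try.") records uncertainty instead of why the package is in the build environment, and the two entries now commented out (`#qemu`, `#qemu_kvm`) keep their old descriptions, so the list reads as if they were still in use. A purpose comment would serve the next maintainer better, for example `diffoscopeMinimal # compare build outputs when checking reproducibility` if that is the intent. The disabled entries could be dropped or marked `# replaced by qemu_full`. The package list this hunk edits starts and ends outside the hunk.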
@@ -38,8 +38,9 @@ MAX_HOTP_GPG_PIN_LENGTH=25 CUSTOM_PASS_AFFECTED_COMPONENTS="" # Default GPG Algorithm is RSA +# p256 also supported (TODO: nk3 supports RSA 4096 in secure element in firmare v1.7.1. Switch!? GPG_ALGO="RSA" -# Default RSA key length +# Default RSA key length is 3072 bits for OEM key gen. 4096 are way longer to generate in smartcard RSA_KEY_LENGTH=3072 GPG_USER_NAME="OEM Key" @@ -85,12 +86,11 @@ mount_boot() { fi } -#Generate a gpg master key: no expiration date, RSA 4096 bits +#Generate a gpg master key: no expiration date, ${RSA_KEY_LENGTH} bits #This key will be used to sign 3 subkeys: encryption, authentication and signing #The master key and subkeys will be copied to backup, and the subkeys moved from memory keyring to the smartcard generate_inmemory_RSA_master_and_subkeys() { TRACE_FUNC - echo "Generating GPG key material in memory:" echo "Generating GPG RSA ${RSA_KEY_LENGTH} bits master key..." # Generate GPG master key @@ -104,7 +104,7 @@ generate_inmemory_RSA_master_and_subkeys() { echo "Expire-Date: 0" # No expiration date echo "Passphrase: ${ADMIN_PIN}" # Admin PIN echo "%commit" # Commit changes - } | gpg --command-fd=0 --status-fd=1 --batch --gen-key >/tmp/gpg_card_edit_output 2>&1 + } | DO_WITH_DEBUG gpg --expert --batch --command-fd=0 --status-fd=1 --pinentry-mode=loopback --generate-key >/tmp/gpg_card_edit_output 2>&1 if [ $? -ne 0 ]; then ERROR=$(cat /tmp/gpg_card_edit_output) whiptail_error_die "GPG Key generation failed!\n\n$ERROR" @@ -120,7 +120,7 @@ generate_inmemory_RSA_master_and_subkeys() { echo ${ADMIN_PIN} # Local keyring admin pin echo y # confirm echo save # save changes and commit to keyring - } | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \ + } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \ >/tmp/gpg_card_edit_output 2>&1 if [ $? -ne 0 ]; then ERROR=$(cat /tmp/gpg_card_edit_output) 
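Review bot: In the `@@ -104,7` hunk the `if [ $? -ne 0 ]` test after the pipeline now sees the return value of `DO_WITH_DEBUG` rather than of `gpg` directly, so a failed key generation is only caught if the wrapper returns the wrapped command's status. Its definition is not part of this patch, so this is worth confirming; the same applies to every other `| DO_WITH_DEBUG gpg …` pipeline in this file. Because `>/tmp/gpg_card_edit_output 2>&1` now applies to the wrapper, anything it prints on stdout or stderr would also land in the text shown by `whiptail_error_die`. A one-line comment at the first call, e.g. `# DO_WITH_DEBUG returns gpg's exit status; $? below is gpg's`, would document the dependency. The function bodies continue outside these hunks.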
@@ -137,7 +137,7 @@ generate_inmemory_RSA_master_and_subkeys() { echo ${ADMIN_PIN} # Local keyring admin pin echo y # confirm echo save # save changes and commit to keyring - } | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \ + } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \ >/tmp/gpg_card_edit_output 2>&1 if [ $? -ne 0 ]; then ERROR=$(cat /tmp/gpg_card_edit_output) @@ -161,26 +161,12 @@ generate_inmemory_RSA_master_and_subkeys() { echo ${ADMIN_PIN} # Local keyring admin pin echo y # confirm echo save # save changes and commit to keyring - } | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --expert --edit-key "${GPG_USER_MAIL}" \ + } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --expert --edit-key "${GPG_USER_MAIL}" \ >/tmp/gpg_card_edit_output 2>&1 if [ $? -ne 0 ]; then ERROR=$(cat /tmp/gpg_card_edit_output) whiptail_error_die "GPG Key authentication subkey generation failed!\n\n$ERROR" fi - - DEBUG "Setting public key to ultimate trust..." - #Set the public key to the ultimate trust - { - echo trust # trust key in --edit-key mode - echo 5 # ultimate trust - echo y # confirm - echo save # save changes and commit to keyring - } | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \ - >/tmp/gpg_card_edit_output 2>&1 - if [ $? -ne 0 ]; then - ERROR=$(cat /tmp/gpg_card_edit_output) - whiptail_error_die "GPG Key setting public key to ultimate trust failed!\n\n$ERROR" - fi } #Generate a gpg master key: no expiration date, p256 key (ECC) 
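Review bot: The `@@ -161,26` hunk deletes the whole "Setting public key to ultimate trust" step from `generate_inmemory_RSA_master_and_subkeys`, and the commit description does not mention it. If any later signature check against the in-memory keyring depends on ownertrust, it would now see an untrusted key; whether trust is set elsewhere, for example after the public key is imported, is not visible in this patch. If the removal is intentional, a short comment where the block used to be would record it, e.g. `# ownertrust is no longer set here; see <where it is set>`, with the placeholder filled in by the author.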
@@ -200,7 +186,7 @@ generate_inmemory_p256_master_and_subkeys() { echo "Passphrase: ${ADMIN_PIN}" # Local keyring admin pin echo "Expire-Date: 0" # No expiration date echo "%commit" # Commit changes - } | gpg --expert --batch --command-fd=0 --status-fd=1 --pinentry-mode=loopback --generate-key \ + } | DO_WITH_DEBUG gpg --expert --batch --command-fd=0 --status-fd=1 --pinentry-mode=loopback --generate-key \ >/tmp/gpg_card_edit_output 2>&1 if [ $? -ne 0 ]; then ERROR=$(cat /tmp/gpg_card_edit_output) @@ -216,10 +202,10 @@ generate_inmemory_p256_master_and_subkeys() { echo 11 # ECC own set capability echo Q # sign already present, do not modify echo 3 # P-256 - echo 0 # no expiration + echo 0 # No validity/expiration date echo ${ADMIN_PIN} # Local keyring admin pin echo save # save changes and commit to keyring - } | gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1 + } | DO_WITH_DEBUG gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1 if [ $? -ne 0 ]; then ERROR_MSG=$(cat /tmp/gpg_card_edit_output) whiptail_error_die "Failed to add ECC nistp256 signing key to master key\n\n${ERROR_MSG}" @@ -231,10 +217,10 @@ generate_inmemory_p256_master_and_subkeys() { echo 12 # ECC own set capability echo Q # Quit echo 3 # P-256 - echo 0 # no expiration + echo 0 # No validity/expiration date echo ${ADMIN_PIN} # Local keyring admin pin echo save # save changes and commit to keyring - } | gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1 + } | DO_WITH_DEBUG gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1 if [ $? -ne 0 ]; then ERROR_MSG=$(cat /tmp/gpg_card_edit_output) whiptail_error_die "Failed to add ECC nistp256 encryption key to master key\n\n${ERROR_MSG}" 
@@ -251,7 +237,7 @@ generate_inmemory_p256_master_and_subkeys() { echo 0 # no expiration echo ${ADMIN_PIN} # Local keyring admin pin echo save # save changes and commit to keyring - } | gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1 + } | DO_WITH_DEBUG gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1 if [ $? -ne 0 ]; then ERROR_MSG=$(cat /tmp/gpg_card_edit_output) whiptail_error_die "Failed to add ECC nistp256 authentication key to master key\n\n${ERROR_MSG}" @@ -297,7 +283,7 @@ keytocard_subkeys_to_smartcard() { echo "${ADMIN_PIN_DEF}" #Smartcard Admin PIN echo "key 3" #Toggle off Authentication key echo "save" #Save changes and commit to keyring - } | gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \ + } | DO_WITH_DEBUG gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \ >/tmp/gpg_card_edit_output 2>&1 if [ $? -ne 0 ]; then ERROR=$(cat /tmp/gpg_card_edit_output) @@ -488,7 +474,7 @@ gpg_key_factory_reset() { echo factory-reset # factory reset smartcard echo y # confirm echo yes # confirm - } | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \ + } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \ >/tmp/gpg_card_edit_output 2>&1 if [ $? -ne 0 ]; then ERROR=$(cat /tmp/gpg_card_edit_output) @@ -508,7 +494,7 @@ gpg_key_factory_reset() { echo admin # admin menu echo forcesig # toggle forcesig echo ${ADMIN_PIN_DEF} # local keyring PIN - } | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \ + } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \ >/tmp/gpg_card_edit_output 2>&1 if [ $? -ne 0 ]; then ERROR=$(cat /tmp/gpg_card_edit_output) 
@@ -529,7 +515,7 @@ gpg_key_factory_reset() { echo 2 # ECC echo 3 # P-256 echo ${ADMIN_PIN_DEF} # local keyring PIN - } | gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \ + } | DO_WITH_DEBUG gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \ >/tmp/gpg_card_edit_output 2>&1 if [ $? -ne 0 ]; then ERROR=$(cat /tmp/gpg_card_edit_output) @@ -551,7 +537,7 @@ gpg_key_factory_reset() { echo 1 # RSA echo ${RSA_KEY_LENGTH} #Authentication key size set to RSA_KEY_LENGTH echo ${ADMIN_PIN_DEF} #Local keyring PIN - } | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \ + } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \ >/tmp/gpg_card_edit_output 2>&1 if [ $? -ne 0 ]; then ERROR=$(cat /tmp/gpg_card_edit_output) @@ -581,7 +567,7 @@ generate_OEM_gpg_keys() { echo ${GPG_USER_MAIL} # User email echo ${GPG_USER_COMMENT} # User comment echo ${USER_PIN_DEF} # Default user PIN since we just factory reset - } | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \ + } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \ >/tmp/gpg_card_edit_output 2>&1 if [ $? -ne 0 ]; then ERROR=$(cat /tmp/gpg_card_edit_output) @@ -608,7 +594,7 @@ gpg_key_change_pin() { echo ${PIN_NEW} # confirm new PIN echo q # quit echo q - } | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \ + } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \ >/tmp/gpg_card_edit_output 2>&1 if [ $? -ne 0 ]; then ERROR=$(cat /tmp/gpg_card_edit_output | fold -s) @@ -686,7 +672,7 @@ generate_checksums() { fi DEBUG "Detach-signing boot files under kexec.sig: ${param_files}" - if sha256sum $param_files 2>/dev/null | gpg \ + if sha256sum $param_files 2>/dev/null | DO_WITH_DEBUG gpg \ --pinentry-mode loopback \ --passphrase "${USER_PIN}" \ --digest-algo SHA256 \ 
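Review bot: In the `@@ -686,7` hunk (`generate_checksums`), gpg receives `--passphrase "${USER_PIN}"` as a command-line argument and the call is now wrapped in `DO_WITH_DEBUG`; per the commit description, debug mode records the calls in /tmp/debug.txt, so the user PIN would presumably be written there in clear text. The other wrapped calls feed their PINs on stdin and are not exposed in the same way. Keeping the PIN out of argv avoids this, e.g. `--passphrase-fd 3` with `3<<<"${USER_PIN}"` on the command if the shell supports here-strings (stdin is already taken by the `sha256sum` pipe), or by leaving this one call unwrapped. The gpg invocation continues past the end of the hunk.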
@@ -1142,7 +1128,7 @@ assert_signable # clear gpg-agent cache so that next gpg calls doesn't have past keyring in memory killall gpg-agent >/dev/null 2>&1 || true # clear local keyring -rm -rf /.gnupg/* >/dev/null 2>&1 || true +rm -rf /.gnupg/*.kbx /.gnupg/*.gpg >/dev/null 2>&1 || true # detect and set /boot device echo -e "\nDetecting and setting boot device...\n" @@ -1242,7 +1228,7 @@ if [ "$GPG_EXPORT" != "0" ]; then fi # ensure key imported locally -if ! cat "$PUBKEY" | gpg --import >/dev/null 2>/tmp/error; then +if ! cat "$PUBKEY" | DO_WITH_DEBUG gpg --import >/dev/null 2>/tmp/error; then ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Error importing GPG key:\n\n$ERROR" fi diff --git a/modules/gpg2 b/modules/gpg2 index fe340c4ff..b121febc8 100644 --- a/modules/gpg2 +++ b/modules/gpg2 @@ -1,10 +1,10 @@ modules-$(CONFIG_GPG2) += gpg2 -gpg2_version := 2.4.2 +gpg2_version := 2.4.0 gpg2_dir := gnupg-$(gpg2_version) gpg2_tar := gnupg-$(gpg2_version).tar.bz2 gpg2_url := https://www.gnupg.org/ftp/gcrypt/gnupg/$(gpg2_tar) -gpg2_hash := 97eb47df8ae5a3ff744f868005a090da5ab45cb48ee9836dbf5ee739a4e5cf49 +gpg2_hash := 1d79158dd01d992431dd2e3facb89fdac97127f89784ea2cb610c600fb0c1483 gpg2_depends := libgpg-error libgcrypt libksba libassuan npth libusb $(musl_dep) # For reproducibility reasons we have to override the exec_prefix diff --git a/modules/libassuan b/modules/libassuan index 7143534d1..e641854f5 100644 --- a/modules/libassuan +++ b/modules/libassuan @@ -1,10 +1,10 @@ modules-$(CONFIG_GPG2) += libassuan -libassuan_version := 2.5.6 +libassuan_version := 2.5.5 libassuan_dir := libassuan-$(libassuan_version) libassuan_tar := libassuan-$(libassuan_version).tar.bz2 libassuan_url := https://gnupg.org/ftp/gcrypt/libassuan/$(libassuan_tar) -libassuan_hash := e9fd27218d5394904e4e39788f9b1742711c3e6b41689a31aa3380bd5aa4f426 +libassuan_hash := 8e8c2fcc982f9ca67dcbb1d95e2dc746b1739a4668bc20b3a3c5be632edb34e4 libassuan_configure := \ CFLAGS="-Os" \ 
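Review bot: The new `rm -rf /.gnupg/*.kbx /.gnupg/*.gpg` no longer removes `/.gnupg/private-keys-v1.d`, where GnuPG 2.1 and later keep secret key material, so keys generated in memory by an earlier run in the same session would survive the step commented as "clear local keyring". The previous `rm -rf /.gnupg/*` removed them. To keep the `*.conf` files and still clear the secrets: `rm -rf /.gnupg/*.kbx /.gnupg/*.gpg /.gnupg/private-keys-v1.d/* >/dev/null 2>&1 || true`.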
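Review bot: `gpg2_version := 2.4.0` carries no comment saying why the module is held back, and the description ties the "invalid time" regression to gnupg only, while the libassuan, libgcrypt, libgpg-error and libksba hunks roll their versions back as well. Older releases of the crypto libraries forgo whatever upstream fixes the newer ones carried, so it is worth checking whether gnupg 2.4.0 builds against the newer libraries and reverting only what the regression requires. Suggested comment above the version line: `# Held at 2.4.0: keytocard fails with "invalid time" on newer gnupg; re-bump once resolved upstream`. The new `*_hash` values should be checked against upstream's signed release files, which this patch cannot show.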
@@ -14,7 +14,7 @@ libassuan_configure := \ --prefix "/" \ --disable-doc \ --disable-static \ - --with-libgpg-error-prefix="$(INSTALL)" \ + --with-gpg-error-prefix="$(INSTALL)" \ libassuan_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ diff --git a/modules/libgcrypt b/modules/libgcrypt index 2b630c02d..a3ece058b 100644 --- a/modules/libgcrypt +++ b/modules/libgcrypt @@ -1,10 +1,10 @@ modules-$(CONFIG_GPG2) += libgcrypt -libgcrypt_version := 1.10.2 +libgcrypt_version := 1.10.1 libgcrypt_dir := libgcrypt-$(libgcrypt_version) libgcrypt_tar := libgcrypt-$(libgcrypt_version).tar.bz2 libgcrypt_url := https://gnupg.org/ftp/gcrypt/libgcrypt/$(libgcrypt_tar) -libgcrypt_hash := 3b9c02a004b68c256add99701de00b383accccf37177e0d6c58289664cce0c03 +libgcrypt_hash := ef14ae546b0084cd84259f61a55e07a38c3b53afc0f546bffcef2f01baffe9de libgcrypt_configure := \ $(CROSS_TOOLS) \ @@ -14,7 +14,7 @@ libgcrypt_configure := \ --prefix "/" \ --disable-doc \ --disable-static \ - --with-libgpg-error-prefix="$(INSTALL)" \ + --with-gpg-error-prefix="$(INSTALL)" \ libgcrypt_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ diff --git a/modules/libgpg-error b/modules/libgpg-error index b24c9f74f..0c8553560 100644 --- a/modules/libgpg-error +++ b/modules/libgpg-error @@ -1,10 +1,10 @@ modules-$(CONFIG_GPG2) += libgpg-error -libgpg-error_version := 1.47 +libgpg-error_version := 1.46 libgpg-error_dir := libgpg-error-$(libgpg-error_version) libgpg-error_tar := libgpg-error-$(libgpg-error_version).tar.bz2 libgpg-error_url := https://gnupg.org/ftp/gcrypt/libgpg-error/$(libgpg-error_tar) -libgpg-error_hash := 9e3c670966b96ecc746c28c2c419541e3bcb787d1a73930f5e5f5e1bcbbb9bdb +libgpg-error_hash := b7e11a64246bbe5ef37748de43b245abd72cfcd53c9ae5e7fc5ca59f1c81268d libgpg-error_configure := \ $(CROSS_TOOLS) \ diff --git a/modules/libksba b/modules/libksba index 99c226788..7230237a7 100644 --- a/modules/libksba +++ b/modules/libksba 
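Review bot: `libgcrypt_version := 1.10.1` does not match the patch file this commit introduces, `patches/libgcrypt-1.8.3.patch` (shown as a rename of `patches/libassuan-2.5.1.patch`), whereas the other modules get a patch renamed to their new version (`gpg2-2.4.0.patch`, `libassuan-2.5.5.patch`, `libksba-1.6.3.patch`). If patches are selected by `<module>-<version>.patch`, which the renames suggest, the 1.8.3 file is never applied and libgcrypt 1.10.1 needs its own patch. Whether `patches/libgcrypt-1.10.1.patch` already exists in the tree is not visible here. Either add or rename the patch for 1.10.1, or drop the unused 1.8.3 file.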
@@ -1,10 +1,10 @@ modules-$(CONFIG_GPG2) += libksba -libksba_version := 1.6.4 +libksba_version := 1.6.3 libksba_dir := libksba-$(libksba_version) libksba_tar := libksba-$(libksba_version).tar.bz2 libksba_url := https://gnupg.org/ftp/gcrypt/libksba/$(libksba_tar) -libksba_hash := bbb43f032b9164d86c781ffe42213a83bf4f2fee91455edfa4654521b8b03b6b +libksba_hash := 3f72c68db30971ebbf14367527719423f0a4d5f8103fc9f4a1c01a9fa440de5c libksba_configure := \ $(CROSS_TOOLS) \ @@ -13,7 +13,7 @@ libksba_configure := \ --host $(MUSL_ARCH)-linux-musl \ --prefix "/" \ --disable-static \ - --with-libgpg-error-prefix="$(INSTALL)" \ + --with-gpg-error-prefix="$(INSTALL)" \ libksba_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ diff --git a/patches/gpg2-2.2.10.patch b/patches/gpg2-2.2.10.patch deleted file mode 100644 index ed940b1b3..000000000 --- a/patches/gpg2-2.2.10.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff -u --recursive /home/tlaurion/build/clean/gnupg-2.2.10/configure gnupg-2.2.10/configure ---- /home/tlaurion/build/clean/gnupg-2.2.10/configure 2016-08-17 09:20:25.000000000 -0400 -+++ gnupg-2.2.10/configure 2018-01-20 16:55:14.502067084 -0500 -@@ -572,7 +572,7 @@ - ac_clean_files= - ac_config_libobj_dir=. - LIBOBJS= --cross_compiling=no -+cross_compiling=yes - subdirs= - MFLAGS= - MAKEFLAGS= -diff -u --recursive gnupg-2.2.10/common/ttyio.c gnupg-2.2.10/common/ttyio.c.mod ---- gnupg-2.2.10/common/ttyio.c 2017-08-28 06:22:54.000000000 -0400 -+++ gnupg-2.2.10/common/ttyio.c.mod 2018-09-18 23:00:07.386250017 -0400 -@@ -190,7 +190,9 @@ - #elif defined (HAVE_W32CE_SYSTEM) - ttyfp = stderr; - #else -- ttyfp = batchmode? stderr : fopen (tty_get_ttyname (), "r+"); -+ //ttyfp = batchmode? stderr : fopen( tty_get_ttyname (), "r+"); -+ ttyfp = stderr; -+ - if( !ttyfp ) { - log_error("cannot open '%s': %s\n", tty_get_ttyname (), - strerror(errno) ); - 
diff --git a/patches/gpg2-2.4.2.patch b/patches/gpg2-2.4.0.patch similarity index 100% rename from patches/gpg2-2.4.2.patch rename to patches/gpg2-2.4.0.patch diff --git a/patches/libassuan-2.5.6.patch b/patches/libassuan-2.5.5.patch similarity index 100% rename from patches/libassuan-2.5.6.patch rename to patches/libassuan-2.5.5.patch diff --git a/patches/libassuan-2.5.1.patch b/patches/libgcrypt-1.8.3.patch similarity index 89% rename from patches/libassuan-2.5.1.patch rename to patches/libgcrypt-1.8.3.patch index ff27dbd27..902d96ec2 100644 --- a/patches/libassuan-2.5.1.patch +++ b/patches/libgcrypt-1.8.3.patch @@ -1,7 +1,7 @@ -diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure ---- libassuan-2.5.1-clean/configure 2017-12-07 06:55:50.000000000 -0800 -+++ libassuan-2.5.1/configure 2020-01-12 13:39:50.655638965 -0800 -@@ -10781,7 +10781,7 @@ +diff -u -r libgcrypt-1.8.3-clean/configure libgcrypt-1.8.3/configure +--- libgcrypt-1.8.3-clean/configure 2018-06-13 00:39:33.000000000 -0700 ++++ libgcrypt-1.8.3/configure 2020-01-12 13:32:34.840010800 -0800 +@@ -11292,7 +11292,7 @@ version_type=linux # correct to gnu/linux during the next big refactor need_lib_prefix=no need_version=no @@ -10,7 +10,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure if test "$host_cpu" = ia64; then # AIX 5 supports IA64 library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}' -@@ -11020,16 +11020,16 @@ +@@ -11531,16 +11531,16 @@ ;; freebsd3.[01]* | freebsdelf3.[01]*) shlibpath_overrides_runpath=yes @@ -30,7 +30,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure ;; esac ;; -@@ -11042,7 +11042,7 @@ +@@ -11553,7 +11553,7 @@ soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=no 
@@ -39,7 +39,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure ;; haiku*) -@@ -11055,7 +11055,7 @@ +@@ -11566,7 +11566,7 @@ shlibpath_var=LIBRARY_PATH shlibpath_overrides_runpath=yes sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib' @@ -48,7 +48,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure ;; hpux9* | hpux10* | hpux11*) -@@ -11067,7 +11067,7 @@ +@@ -11578,7 +11578,7 @@ case $host_cpu in ia64*) shrext_cmds='.so' @@ -57,7 +57,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure dynamic_linker="$host_os dld.so" shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. -@@ -11082,7 +11082,7 @@ +@@ -11593,7 +11593,7 @@ ;; hppa*64*) shrext_cmds='.sl' @@ -66,7 +66,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure dynamic_linker="$host_os dld.sl" shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. -@@ -11115,7 +11115,7 @@ +@@ -11626,7 +11626,7 @@ dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=no @@ -75,7 +75,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure ;; irix5* | irix6* | nonstopux*) -@@ -11152,7 +11152,7 @@ +@@ -11663,7 +11663,7 @@ shlibpath_overrides_runpath=no sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}" sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}" @@ -84,7 +84,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure ;; # No shared lib support for Linux oldld, aout, or coff. -@@ -11173,7 +11173,7 @@ +@@ -11684,7 +11684,7 @@ # This implies no fast_install, which is unacceptable. # Some rework will be needed to allow for fast_install # before this can be enabled. 
@@ -93,7 +93,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure dynamic_linker='Android linker' # Don't embed -rpath directories since the linker doesn't support them. -@@ -11228,7 +11228,7 @@ +@@ -11739,7 +11739,7 @@ # This implies no fast_install, which is unacceptable. # Some rework will be needed to allow for fast_install # before this can be enabled. @@ -102,7 +102,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure # Append ld.so.conf contents to the search path if test -f /etc/ld.so.conf; then -@@ -11253,7 +11253,7 @@ +@@ -11764,7 +11764,7 @@ soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=no @@ -111,7 +111,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure dynamic_linker='NetBSD ld.elf_so' ;; -@@ -11272,7 +11272,7 @@ +@@ -11783,7 +11783,7 @@ fi shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes @@ -120,7 +120,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure ;; newsos6) -@@ -11290,7 +11290,7 @@ +@@ -11801,7 +11801,7 @@ soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=no @@ -129,7 +129,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure dynamic_linker='ldqnx.so' ;; -@@ -11352,7 +11352,7 @@ +@@ -11863,7 +11863,7 @@ soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes @@ -138,7 +138,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure # ldd complains unless libraries are executable postinstall_cmds='chmod +x $lib' ;; -@@ -11409,7 +11409,7 @@ +@@ -11920,7 +11920,7 @@ soname_spec='${libname}${release}${shared_ext}$major' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=yes 
@@ -147,7 +147,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure if test "$with_gnu_ld" = yes; then sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' else -@@ -11431,7 +11431,7 @@ +@@ -11942,7 +11942,7 @@ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' shlibpath_var=LD_LIBRARY_PATH shlibpath_overrides_runpath=no @@ -156,7 +156,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure ;; uts4*) -@@ -15680,7 +15680,7 @@ +@@ -19824,7 +19824,7 @@ postuninstall_cmds='`$ECHO "$postuninstall_cmds" | $SED "$delay_single_quote_subst"`' finish_cmds='`$ECHO "$finish_cmds" | $SED "$delay_single_quote_subst"`' finish_eval='`$ECHO "$finish_eval" | $SED "$delay_single_quote_subst"`' @@ -165,7 +165,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure sys_lib_search_path_spec='`$ECHO "$sys_lib_search_path_spec" | $SED "$delay_single_quote_subst"`' sys_lib_dlsearch_path_spec='`$ECHO "$sys_lib_dlsearch_path_spec" | $SED "$delay_single_quote_subst"`' hardcode_action='`$ECHO "$hardcode_action" | $SED "$delay_single_quote_subst"`' -@@ -16896,7 +16896,7 @@ +@@ -21088,7 +21088,7 @@ finish_eval=$lt_finish_eval # Whether we should hardcode library paths into libraries. diff --git a/patches/libgpg-error-1.47.patch b/patches/libgpg-error-1.46.patch similarity index 100% rename from patches/libgpg-error-1.47.patch rename to patches/libgpg-error-1.46.patch diff --git a/patches/libksba-1.6.4.patch b/patches/libksba-1.6.3.patch similarity index 100% rename from patches/libksba-1.6.4.patch rename to patches/libksba-1.6.3.patch