g10/import.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 gpg: accept subkeys with a good revocation but no self-sig during
 import

* g10/import.c (chk_self_sigs): Set the NODE_GOOD_SELFSIG flag when we
encounter a valid revocation signature. This allows import of subkey
revocation signatures, even in the absence of a corresponding subkey
binding signature.

--

This fixes the remaining test in import-incomplete.scm.

GnuPG-Bug-id: 4393
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

g10/import.c | 45 11 + 34 - 0 !
1 file changed, 11 insertions(+), 34 deletions(-)

 gpg: allow import of previously known keys, even without uids

* g10/import.c (import_one): Accept an incoming OpenPGP certificate that
has no user id, as long as we already have a local variant of the cert
that matches the primary key.

--

This fixes two of the three broken tests in import-incomplete.scm.

GnuPG-Bug-id: 4393
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

tests/openpgp/Makefile.am | 1 1 + 0 - 0 !
tests/openpgp/import-incomplete.scm | 67 67 + 0 - 0 !
tests/openpgp/import-incomplete/primary+revocation.asc | 9 9 + 0 - 0 !
tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc | 10 10 + 0 - 0 !
tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc | 10 10 + 0 - 0 !
tests/openpgp/import-incomplete/primary+uid-sig.asc | 10 10 + 0 - 0 !
tests/openpgp/import-incomplete/primary+uid.asc | 10 10 + 0 - 0 !
7 files changed, 117 insertions(+)

 tests: add test cases for import without uid

This commit adds a test case that does the following, in order:
- Import of a primary key plus user id
- Check that import of a subkey works, without a user id present in the
imported key
- Check that import of a subkey revocation works, without a user id or
subkey binding signature present in the imported key
- Check that import of a primary key revocation works, without a user id
present in the imported key

--

Note that this test currently fails.  The following changesets will
fix gpg so that the tests pass.

GnuPG-Bug-id: 4393
Signed-Off-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

doc/gpg.texi | 2 1 + 1 - 0 !
g10/gpg.c | 3 1 + 2 - 0 !
2 files changed, 2 insertions(+), 3 deletions(-)

 gpg: drop import-clean from default keyserver import options

* g10/gpg.c (main): drop IMPORT_CLEAN from the
default opt.keyserver_options.import_options
* doc/gpg.texi: reflect this change in the documentation

Given that SELF_SIGS_ONLY is already set, it's not clear what
additional benefit IMPORT_CLEAN provides.  Furthermore, IMPORT_CLEAN
means that receiving an OpenPGP certificate from a keyserver will
potentially delete data that is otherwise held in the local keyring,
which is surprising to users who expect retrieval from the keyservers
to be purely additive.

GnuPG-Bug-Id: 4628
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

agent/gpg-agent.c | 3 0 + 3 - 0 !
dirmngr/dirmngr.c | 3 0 + 3 - 0 !
2 files changed, 6 deletions(-)

 avoid-systemd-deprecation-warning

kbx/keyboxd.c | 79 77 + 2 - 0 !
1 file changed, 77 insertions(+), 2 deletions(-)

 add systemd support for keyboxd

doc/Makefile.am | 8 8 + 0 - 0 !
doc/examples/README | 2 2 + 0 - 0 !
doc/examples/systemd-user/README | 66 66 + 0 - 0 !
doc/examples/systemd-user/dirmngr.service | 8 8 + 0 - 0 !
doc/examples/systemd-user/dirmngr.socket | 11 11 + 0 - 0 !
doc/examples/systemd-user/gpg-agent-browser.socket | 13 13 + 0 - 0 !
doc/examples/systemd-user/gpg-agent-extra.socket | 13 13 + 0 - 0 !
doc/examples/systemd-user/gpg-agent-ssh.socket | 13 13 + 0 - 0 !
doc/examples/systemd-user/gpg-agent.service | 8 8 + 0 - 0 !
doc/examples/systemd-user/gpg-agent.socket | 12 12 + 0 - 0 !
10 files changed, 154 insertions(+)

 ship sample systemd unit files

This reverts the systemd-relevant parts of upstream's
eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed

In that commit, Werner Koch wrote:

> The use of systemd is deprecated because of additional complexity
> and the race between systemd based autolaunching and the explicit
> gnupg based and lockfile protected autolaunching.

FreePG aims to support socket-activated systemd integration for modern
Gnu/Linux systems that use GnuPG.  That integration does not appear to
actually have the race condition posited by Werner above, as described
by Coelacanthus in https://dev.gnupg.org/T6336#171407

GnuPG-bug-id: 6336

g10/keygen.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 gpg: default el gamal to 3072-bit keys.

* g10/keygen.c (gen_elg): update default from 2048 to 3072.

--

3072-bit El Gamal is widely considered to be 128-bit-equivalent security.

While using El Gamal might be ill-advised, if you're going to use it,
it might as well be a reasonable strength.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

(cherry picked from commit 909fbca19678e6e36968607e8a2348381da39d8c)

configure.ac | 2 1 + 1 - 0 !
g10/main.h | 2 1 + 1 - 0 !
g10/misc.c | 5 1 + 4 - 0 !
3 files changed, 3 insertions(+), 6 deletions(-)

 gpg: always support and default to using sha-512.

* g10/main.h (DEFAULT_DIGEST_ALGO): Use SHA512 instead of SHA256 in
  standard modes. Use SHA256 for PGP8, and SHA1 for archaic modes.
* configure.ac: Do not allow disabling sha512.
* g10/misc.c (map_md_openpgp_to_gcry): Always support SHA512.

--

SHA512 is more performant on most 64-bit platforms than SHA256, and
offers a better security margin.  It is also widely implemented.

RFC 4880 specifies SHA512, and any 4880-compatible client in the last
10 years supports it.  According to doc/gpg.texi, PGP 8 supports
SHA256.  There's no clear reason to default to SHA1 for compatibility
with those clients.  (RFC 2440 and PGP7 don't support SHA256, so leave
that alone)

GnuPG-bug-id: 7516
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

g10/keygen.c | 10 5 + 5 - 0 !
1 file changed, 5 insertions(+), 5 deletions(-)

 gpg: prefer sha-512 and sha-384 in personal-digest-preferences.

* g10/keygen.c (keygen_set_std_prefs): prefer SHA-512
and SHA-384 by default.

--

In 8ede3ae29a39641a2f98ad9a4cf61ea99085a892, upstream changed the
defaults for --default-preference-list to advertise a preference for
SHA-512, without touching --personal-digest-preferences.  This makes
the same change for --personal-digest-preferences, since every modern
OpenPGP library supports them all.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

agent/gpg-agent.c | 8 8 + 0 - 0 !
configure.ac | 2 1 + 1 - 0 !
scd/scdaemon.c | 9 9 + 0 - 0 !
3 files changed, 18 insertions(+), 1 deletion(-)

 avoid simple memory dumps via ptrace

This avoids needing to setgid gpg-agent.  It probably doesn't defend
against all possible attacks, but it defends against one specific (and
easy) one.  If there are other protections we should do them too.

This will make it slightly harder to debug the agent because the
normal user won't be able to attach gdb to it directly while it runs.

The remaining options for debugging are:

 * launch the agent from gdb directly
 * connect gdb to a running agent as the superuser

Upstream bug: https://dev.gnupg.org/T1211

g10/import.c | 18 2 + 16 - 0 !
g10/mainproc.c | 17 15 + 2 - 0 !
g10/packet.h | 2 2 + 0 - 0 !
g10/parse-packet.c | 44 43 + 1 - 0 !
4 files changed, 62 insertions(+), 19 deletions(-)

 disallow compressed signatures and certificates

Compressed packets have significant attack surface, both due to the
potential for denial of service (zip bombs and the like) and for code
execution via memory corruption vulnerabilities in the decompressor.
Furthermore, I am not aware of any implementation that uses them in keys
or detached signatures.  Therefore, disallow their use in such contexts
entirely.

When parsing detached signatures, forbid any packet that is not a
signature or marker packet.  When parsing keys, return an error when
encountering a compressed packet, instead of decompressing the packet.

Furthermore, certificates, keys, and signatures are not allowed to
contain partial-length or indeterminate-length packets.  Reject those in
parse_packet, rather than activating the partial-length filter code.

GnuPG-bug-id: T5993
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>

doc/examples/systemd-user/gpg-agent-ssh.socket | 9 9 + 0 - 0 !
1 file changed, 9 insertions(+)

 [patch] ssh-agent emulation under systemd: inject ssh_auth_sock at
 socket start/stop
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If enable-ssh-support is set, we want the user's system environment to
know about the agent's socket.

By injecting it into the systemd session manager's user environment
when the socket is first opened:

- The lifetime of SSH_AUTH_SOCK is tied to the lifetime of the
  service.
- The variable is set in a user-visible file.
- It is easier to customize the socket variable, for instance for
  running multiple ssh-agent or testing purpuse.

doc/gpg.texi | 7 5 + 2 - 0 !
g10/gpg.c | 61 30 + 31 - 0 !
2 files changed, 35 insertions(+), 33 deletions(-)

 [patch gnupg 14/19] gpg: sync compliance mode cleanup with master

* g10/gpg.c (set_compliance_option): Clean up option settings for
compliance modes.
* doc/gpg.texi: note that --allow-old-cipher-algos must come after any
compliance setting.

--

This makes it possible to reset all options affected by any non-gnupg
compliance mode to their default values by using --compliance=gnupg.

This synchronizes the compliance mode behaviors with the master
branch, including commits:

- 54a8770aeb20eb9e18b5e95e51c376ec7820f8f6
- 0bdf5859935e3db15baaf5d0d96b723ddbd2acd5
- 04d58ff8475575f22a5ee1fb8c4f2c2dca0b5522
- aa46ba28ba75fc479b407c572c723b51b22d4a73
- 4b2729b983bf3c6c1186ebdf1962f64d8cb1b3a1

GnuPG-Bug-id: 7501
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

common/compliance.c | 7 7 + 0 - 0 !
common/compliance.h | 2 2 + 0 - 0 !
doc/gpg.texi | 40 18 + 22 - 0 !
g10/gpg.c | 3 3 + 0 - 0 !
g10/keygen.c | 9 9 + 0 - 0 !
5 files changed, 39 insertions(+), 22 deletions(-)

 [patch gnupg 15/19] gpg: emit rsa pubkey algorithm when in
 compatibility modes

* doc/gpg.texi (Compliance Options): --gnupg offers LibrePGP behavior,
and prefers LibrePGP where it diverges from OpenPGP; --rfc4880bis is
an alias for --gnupg; Explain that --rfc2440 is ancient; correct
punctuation. (default-new-key-algo): drop incorrect information
about defaults. (default-new-key-algo): Remind the user that this
should come after any compliance modes, like --allow-old-cipher-algos.
* g10/gpg.c (set_compliance_option): default pubkey algorithm for
legacy compliance is 3072-bit RSA.
* common/compliance.c (gnupg_compliance_label) new function,
prototyped...
* common/compliance.h: ...here.
* g10/keygen.c (parse_key_parameter_part): when using a legacy
compliance mode, ensure that new keys are only algorithms known by the
corresponding tools.

--

Before this fix, the following command:

   gpg --rfc4880 --quick-gen-key "$USERID"

would produce an OpenPGP secret key that would not be compatible for
use with an RFC 4880 client.  The generated certificate would be a
problem if the user has a another OpenPGP client that is limited to
RFC 4880, and it would be a problem for any peer who wants
to encrypt to or validate signatures from the corresponding
certificate.

With this fix, default key generation under a compatibility mode will
actually produce compatible, interoperable OpenPGP key.

GnuPG-bug-id: 7511
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

common/compliance.c | 6 5 + 1 - 0 !
common/compliance.h | 2 1 + 1 - 0 !
doc/gpg.texi | 15 6 + 9 - 0 !
g10/gpg.c | 7 7 + 0 - 0 !
g10/misc.c | 8 6 + 2 - 0 !
g10/options.h | 1 1 + 0 - 0 !
6 files changed, 26 insertions(+), 13 deletions(-)

 [patch gnupg 16/19] gpg: reintroduce --openpgp as distinct from
 --rfc4880

* common/compliance.{c,h}: add CO_OPENPGP
* options.h: #define OPENPGP by analogy with RFC4880
* g10/gpg.c (set_compliance_option): define oOpenPGP separately from
oRFC4880; re-point oDE_VS to use oRFC4880 to avoid changing oDE_VS.
* g10/misc.c (compliance_failure): Describe standards modes
* doc/gpg.texi: (Compliance options): distinguish between --rfc4880
and --openpgp
--

This change adopts baseline MTI digest algorithms for modern OpenPGP
when --compliance=openpgp is supplied.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

g10/encrypt.c | 5 5 + 0 - 0 !
g10/keygen.c | 19 16 + 3 - 0 !
2 files changed, 21 insertions(+), 3 deletions(-)

 [patch gnupg 17/19] gpg: emit librepgp material only in
 --compliance=gnupg

* g10/encrypt.c (use_aead): only emit LibrePGP AEAD/OCB if in
--compliance=gnupg or --force-ocb
* g10/keygen.c (keygen_set_std_prefs): when opt.compliance !=
CO_GNUPG, skip the LibrePGP AEAD algorithm preferences subpacket
during key generation. (keygen_upd_std_prefs): If opt.compliance !=
CO_GNUPG, don't advertise support for LibrePGP features (v5 keys,
OCB). (parse_key_parameter_part): Unless opt.compliance == CO_GNUPG,
error out when prompted to produce a v5 key.

--

Emit the following objects only in CO_GNUPG:

- AEAD/OCB
- preferred AEAD Algorithm subpackets
- Feature bit for "v5" and LibrePGP AEAD
- new v5 keys, new *448 keys

This change makes it so that --compliance=openpgp mode produces
objects that other OpenPGP-compatible implementations will be able to
handle.

In the case of encrypted data, it will decline to emit LibrePGP
AEAD/OCB, which means other implementations will be able to decrypt.

In the case of new keys, not only will OpenPGP-compatible peers be
able to communicate with the newly generated certificates, but if the
secret key is shared with other OpenPGP implementations they will be
able to handle it.

And we avoid setting feature advertisements which might encourage
other people to send LibrePGP-formatted material to the user, so that
when the secret key is shared with another OpenPGP-compatible
implementation, it will be able to handle the incoming material.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

g10/gpg.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch gnupg 18/19] gpg: --gpgconf-list: report actual compliance
 mode

* g10/gpg.c (gpgconf_list): report actual compliance mode

--

GnuPG-bug-id: 7518
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

doc/gpg.texi | 8 4 + 4 - 0 !
g10/gpg.c | 2 1 + 1 - 0 !
tests/openpgp/encrypt.scm | 2 1 + 1 - 0 !
3 files changed, 6 insertions(+), 6 deletions(-)

 [patch gnupg 19/19] gpg: default to --compliance=openpgp

* g10/gpg.c (main): default
set_compliance_option(oOpenPGP).
* tests/openpgp/encrypt.scm (Checking OCB): offer --compliance=gnupg
to make it possible to emit LibrePGP AEAD/OCB for the test.
* doc/gpg.texi: change description of what the default compliance
option is.

--

This change is made with the purpose of not inflicting LibrePGP
material on the ecosystem generally unless the user wants it done.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

doc/Makefile.am | 2 2 + 0 - 0 !
doc/examples/systemd-user/keyboxd.service | 8 8 + 0 - 0 !
doc/examples/systemd-user/keyboxd.socket | 11 11 + 0 - 0 !
3 files changed, 21 insertions(+)

 add keyboxd systemd support

doc/gpg.texi | 11 5 + 6 - 0 !
g10/keygen.c | 2 1 + 1 - 0 !
tests/openpgp/quick-key-manipulation.scm | 13 13 + 0 - 0 !
3 files changed, 19 insertions(+), 7 deletions(-)

 support large rsa keygen in non-batch mode

g10/filter.h | 2 2 + 0 - 0 !
g10/mainproc.c | 20 15 + 5 - 0 !
g10/mdfilter.c | 15 13 + 2 - 0 !
g10/plaintext.c | 28 26 + 2 - 0 !
tests/openpgp/Makefile.am | 7 5 + 2 - 0 !
tests/openpgp/issue7539-message.asc | 8 8 + 0 - 0 !
tests/openpgp/issue7539-signer.asc | 9 9 + 0 - 0 !
tests/openpgp/issue7539.scm | 29 29 + 0 - 0 !
8 files changed, 107 insertions(+), 11 deletions(-)

 gpg: verify text mode signatures over binary literal data packets

* tests/openpgp/issue7539{.scm,-signer.asc,message.asc}: Add test
with text-mode Signature over binary Literal Data Packet.
* tests/openpgp/Makefile.am: include 7539 test materials.
* g10/filter.h: add textmode and seen_cr members to
md_filter_context_t
* g10/mainproc.c (proc_plaintext): set mfx.textmode if the signature
is over a text document.
* g10/mdfilter.c (md_filter): when mfx.textmode is set, normalize line
endings to CRLF. (free_md_filter_context): clean up textmode and
seen_cr
* g10/plaintext.c (handle_plaintext): when mfx.textmode is set,
normalize line endings to CRLF.

--

GnuPG does not produce text signatures over binary literal data
packets, but the OpenPGP standard permits them, and other OpenPGP
implementations may produce them.

See the discussion starting at
https://mailarchive.ietf.org/arch/msg/openpgp/RLMBugGhg_c9xT7zmDrkBklRZB8/

This fix still doesn't handle the even-more-obscure struture where
there are both text and binary signatures over a binary literal data
packet, like so:

  OPS0 OPS1 LITb SIG1 SIG0

But a more complete fix would be more complex (it would require, for
instance, multiple message digest handles), and this initial fix is
still a substantial improvement over the status quo.

GnuPG-bug-id: 7539
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

autogen.sh | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 avoid-beta-warning

avoid self-describing as a beta

Using autoreconf against the source as distributed in tarball form
invariably results in a package that thinks it's a "beta" package,
which produces the "THIS IS A DEVELOPMENT VERSION" warning string.

since we use dh_autoreconf, i need this patch to avoid producing
builds that announce themselves as DEVELOPMENT VERSIONs.

See discussion at:

 http://lists.gnupg.org/pipermail/gnupg-devel/2014-November/029065.html

doc/Makefile.am | 9 0 + 9 - 0 !
1 file changed, 9 deletions(-)

 avoid regenerating defsincdate (use shipped file)

upstream ships doc/defsincdate in its tarballs.  but doc/Makefile.am
tries to rewrite doc/defsincdate if it notices that any of the files
have been modified more recently, and it does so assuming that we're
running from a git repo.

However, we'd rather ship the documents cleanly without regenerating
defsincdate -- we don't have a git repo available (debian builds from
upstream tarballs) and any changes to the texinfo files (e.g. from

dirmngr/ks-engine-hkp.c | 23 10 + 13 - 0 !
1 file changed, 10 insertions(+), 13 deletions(-)

 dirmngr: hkp: avoid potential race condition when some hosts die.

* dirmngr/ks-engine-hkp.c (select_random_host): Use atomic pass
through the host table instead of risking out-of-bounds write.

--

Multiple threads may write to hosttable[x]->dead while
select_random_host() is running.  For example, a housekeeping thread
might clear the ->dead bit on some entries, or another connection to
dirmngr might manually mark a host as alive.

If one or more hosts are resurrected between the two loops over a
given table in select_random_host(), then the allocation of tbl might
not be large enough, resulting in a write past the end of tbl on the
second loop.

This change collapses the two loops into a single loop to avoid this
discrepancy: each host's "dead" bit is now only checked once.

As Werner points out, this isn't currently strictly necessary, since
npth will not switch threads unless a blocking system call is made,
and no blocking system call is made in these two loops.

However, in a subsequent change in this series, we will call a
function in this loop, and that function may sometimes write(2), or
call other functions, which may themselves block.  Keeping this as a
single-pass loop avoids the need to keep track of what might block and
what might not.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

dirmngr/dirmngr.c | 3 0 + 3 - 0 !
dirmngr/dirmngr.h | 1 0 + 1 - 0 !
dirmngr/ks-engine-hkp.c | 78 35 + 43 - 0 !
3 files changed, 35 insertions(+), 47 deletions(-)

 dirmngr: avoid need for hkp housekeeping.

* dirmngr/ks-engine-hkp.c (host_is_alive): New function.  Test whether
host is alive and resurrects it if it has been dead long enough.
(select_random_host, map_host, ks_hkp_mark_host): Use host_is_alive
instead of testing hostinfo_t->dead directly.
(ks_hkp_housekeeping): Remove function, no longer needed.
* dirmngr/dirmngr.c (housekeeping_thread): Remove call to
ks_hkp_housekeeping.

--

Rather than resurrecting hosts upon scheduled resurrection times, test
whether hosts should be resurrected as they're inspected for being
dead.  This removes the need for explicit housekeeping, and makes host
resurrections happen "just in time", rather than being clustered on
HOUSEKEEPING_INTERVAL seconds.

According to 392e068e9f143d41f6350345619543cbcd47380f,
dns_stuff_housekeeping only works on Windows, so it also isn't
necessary in debian, but it remains in place for now.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

dirmngr/dirmngr.c | 2 0 + 2 - 0 !
doc/dirmngr.texi | 7 4 + 3 - 0 !
2 files changed, 4 insertions(+), 5 deletions(-)

 dirmngr: avoid automatically checking upstream swdb.

* dirmngr/dirmngr.c (housekeeping_thread): Avoid automatically
checking upstream's software database.  In Debian, software updates
should be handled by the distro mechanism, and additional upstream
checks only confuse the user.
* doc/dirmngr.texi: document that --allow-version-check does nothing.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

agent/agent.h | 1 1 + 0 - 0 !
agent/gpg-agent.c | 150 116 + 34 - 0 !
2 files changed, 117 insertions(+), 34 deletions(-)

 [patch 01/12] agent: add agent_kick_the_loop function.

* agent/agent.h (agent_kick_the_loop): New.
* agent/gpg-agent.c [HAVE_W32_SYSTEM] (the_event2): New.
[HAVE_PSELECT_NO_EINTR] (event_pipe_fd): New.
[!HAVE_PSELECT_NO_EINTR] (main_thread_pid): New.
(create_an_event): New, factored out.
(get_agent_daemon_notify_event): Use create_an_event.
(handle_signal): Add a case for SIGCONT.
(agent_kick_the_loop): New.
(handle_connections): Call pselect possibly with the pipe.
Call eselect with THE_EVENT2.

--

GnuPG-bug-id: 6682
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

agent/gpg-agent.c | 107 45 + 62 - 0 !
1 file changed, 45 insertions(+), 62 deletions(-)

 [patch 1/9] agent: use a thread to monitor socket takeover.

agent/gpg-agent.c | 20 11 + 9 - 0 !
1 file changed, 11 insertions(+), 9 deletions(-)

 [patch 2/9] agent: fix the handling of socket takeover.

* agent/gpg-agent.c (handle_connections): Check the takeover when
interrupted.
(check_own_socket_thread): Kick the loop when detected.

--

GnuPG-bug-id: 6692
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

agent/gpg-agent.c | 8 6 + 2 - 0 !
1 file changed, 6 insertions(+), 2 deletions(-)

 [patch 3/9] agent: recover support check_own_socket_interval == 0.

agent/gpg-agent.c | 126 87 + 39 - 0 !
1 file changed, 87 insertions(+), 39 deletions(-)

 [patch 4/9] agent: have a thread monitoring parent pid and homedir.

agent/agent.h | 2 1 + 1 - 0 !
agent/cache.c | 45 34 + 11 - 0 !
agent/gpg-agent.c | 44 9 + 35 - 0 !
3 files changed, 44 insertions(+), 47 deletions(-)

 [patch 5/9] agent: better interaction between main loop and cache
 expiration.

agent/cache.c | 368 284 + 84 - 0 !
1 file changed, 284 insertions(+), 84 deletions(-)

 [patch 6/9] agent: introduce management of timer to expire cache
 entries.

* agent/cache.c (struct timer_s): New.
(struct cache_item_s): Add a member filed T for timer.
(the_timer_list, the_timer_list_new): New.
(insert_to_timer_list_new, insert_to_timer_list): New.
(remove_from_timer_list, remove_from_timer_list_new): New.
(housekeeping): Remove.
(compute_expiration, update_expiration): New.
(do_expire): New.
(TIMERTICK_INTERVAL): Remove.
(agent_cache_expiration): Use timer list to manage the expiration
of cache entries.
(agent_flush_cache): Call update_expiration when needed.
(agent_put_cache): Don't call housekeeping any more, but
update_expiration for an entry in question.
(agent_get_cache): Likewise.

--

GnuPG-bug-id: 6681
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

agent/cache.c | 3 0 + 3 - 0 !
1 file changed, 3 deletions(-)

 [patch 7/9] agent: fix the previous commit.

* agent/cache.c (remove_from_timer_list_new): Fix cut&paste error.
TV_SEC field should not be touched.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

agent/cache.c | 8 6 + 2 - 0 !
1 file changed, 6 insertions(+), 2 deletions(-)

 [patch 8/9] agent: fix timer list management.

* agent/cache.c (insert_to_timer_list): Update TV_SEC of the top entry
when inserted.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

agent/gpg-agent.c | 7 5 + 2 - 0 !
1 file changed, 5 insertions(+), 2 deletions(-)

 [patch 9/9] agent: fix sock_inotify_fd handling.

* agent/gpg-agent.c (handle_connections): Also check SOCK_INOTIFY_FD
when spawning check_onw_socket_thread.  When removal of the socket
is detected, do same as AGENT_PROBLEM_SOCKET_TAKEOVER.

--

GnuPG-bug-id: 6692
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

agent/cache.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 10/10] agent: fix timer round-up check when inserting an
 entry into cache.

* agent/cache.c (insert_to_timer_list): Round up when >= a half second.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

configure.ac | 2 1 + 1 - 0 !
doc/dirmngr.texi | 6 5 + 1 - 0 !
2 files changed, 6 insertions(+), 2 deletions(-)

 use hkps://keys.openpgp.org as the default keyserver

Upstream's choice of default keyserver is not federated with other
keyservers, is subject to flooding attacks, does no e-mail
verification, and is intermittently unreachable.

keys.openpgp.org is also not federated with other keyservers, but
avoids the other drawbacks.

Upstream intends to ship no keyserver default in the future, so it is
not worth trying to convince them to choose a better default.

regexp/Makefile.am | 8 3 + 5 - 0 !
1 file changed, 3 insertions(+), 5 deletions(-)

 build regexp against debian's unicode-data package

It should be simple enough to auto-generate the regexp table from
stock UnicodeData.txt.  Upstream doesn't seem inclined to keep it
up-to-date, and using the stock debian package that ships it instead
of upstream's stale version will take care of new case sensitivity
issues automatically.

This also reduces our dependence on material in the upstream tarball

common/Makefile.am | 2 0 + 2 - 0 !
1 file changed, 2 deletions(-)

 always build common/status-codes.h and common/audit-events.h

This reduces our dependence on files injected into the upstream
tarball.

This addresses part of #1071202

doc/examples/systemd-user/gpg-agent.socket | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 gpg-agent.socket: set gpg_agent_info in systemd for gnupg1

 GPG_AGENT_INFO is already set in debian/Xsession.d/90gpg-agent, but
 that only affects sessions that run Xsession.  This change affects any
 session that imports systemd environment variables.  See:
 https://gitlab.gnome.org/GNOME/gdm/-/commit/448134d3cdbc54e5359ea33d387993b0defdaefa
 https://github.com/sddm/sddm/issues/1276

README | 3 0 + 3 - 0 !
common/homedir.c | 2 1 + 1 - 0 !
2 files changed, 1 insertion(+), 4 deletions(-)

 do not use keyboxd as a default for new installs
 Do not initialize a common.conf with `use-keyboxd` in it on new installs,
 keyboxd completely breaks all --keyring arguments, silently...

g10/Makefile.am | 27 14 + 13 - 0 !
g10/internal-keydb.c | 118 118 + 0 - 0 !
2 files changed, 132 insertions(+), 13 deletions(-)

 gpgv: avoid assuan and npth dependencies

* g10/internal-keydb.c: (new file) stub functions for basic keydb
parsing without talking to keyboxd.
* g10/Makefile.am: gpgv depend on internal-keydb instead of
call-keyboxd; gpgv links to libcommon, not libcommonpth

--

This avoids unnecessary dependencies on libassuan and libnpth in gpgv.
Since gpgv is targeted toward minimal environments, keeping a reduced
set of dependencies is beneficial.

GnuPG-Bug-Id: T7603
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

po/nl.po | 1374 199 + 1175 - 0 !
1 file changed, 199 insertions(+), 1175 deletions(-)

 update dutch po file