#1 Fix regression in gpgme signature verification (#1566988)
Closed 2 years ago by tmz. Opened 2 years ago by tmz.
rpms/ tmz/gnupg2 master  into  master

@@ -0,0 +1,38 @@ 

+ From e2bd152a928d79ddfb95fd2f7911c80a1a8d5a21 Mon Sep 17 00:00:00 2001

+ From: Werner Koch <wk@gnupg.org>

+ Date: Thu, 12 Apr 2018 11:49:36 +0200

+ Subject: [PATCH 1/1] gpg: Relax printing of STATUS_FAILURE.

+ 

+ * g10/gpg.c (g10_exit): Print STATUS_FAILURE only based on passed

+ return code and not on the presence of any call to log_error.

+ --

+ 

+ This fixes an actual regression in GPGME where FAILURE is considered

+ for example by a signature verify operation.  The operation will simply

+ fail and not just record that that a signature could not be verified.

+ In particular for files with more than one signature a log_error if

+ often called to show that a pubkey is missing for one of the

+ signatures.  Using that log_error is correct in that case.

+ 

+ Fixes-commit: 0336e5d1a7b9d46e06c838e6a98aecfcc9542882

+ Signed-off-by: Werner Koch <wk@gnupg.org>

+ ---

+  g10/gpg.c | 2 +-

+  1 file changed, 1 insertion(+), 1 deletion(-)

+ 

+ diff --git a/g10/gpg.c b/g10/gpg.c

+ index fbbdd92..aaeddee 100644

+ --- a/g10/gpg.c

+ +++ b/g10/gpg.c

+ @@ -5111,7 +5111,7 @@ g10_exit( int rc )

+    /* If we had an error but not printed an error message, do it now.

+     * Note that write_status_failure will never print a second failure

+     * status line. */

+ -  if (log_get_errorcount (0))

+ +  if (rc)

+      write_status_failure ("gpg-exit", gpg_error (GPG_ERR_GENERAL));

+  

+    gcry_control (GCRYCTL_UPDATE_RANDOM_SEED_FILE);

+ -- 

+ 2.8.0.rc3

+ 

file modified
+8 -1

@@ -1,7 +1,7 @@ 

  Summary: Utility for secure communication and data storage

  Name:    gnupg2

  Version: 2.2.6

- Release: 1%{?dist}

+ Release: 2%{?dist}

  

  License: GPLv3+

  Group:   Applications/System

@@ -18,6 +18,9 @@ 

  Patch6:  gnupg-2.1.1-fips-algo.patch

  # allow 8192 bit RSA keys in keygen UI with large RSA

  Patch9:  gnupg-2.1.21-large-rsa.patch

+ # fix gpgme regression in 2.2.6

+ # https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=e2bd152a928d79ddfb95fd2f7911c80a1a8d5a21

+ Patch10: gnupg-2.2.6-fix-gpgme-verify.patch

  

  URL:     http://www.gnupg.org/

  

@@ -97,6 +100,7 @@ 

  %patch5 -p1 -b .keyusage

  %patch6 -p1 -b .fips

  %patch9 -p1 -b .large-rsa

+ %patch10 -p1 -b .gpgme-verify

  

  # pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)

  # Note: this is just the name of the default shared lib to load in scdaemon,

@@ -211,6 +215,9 @@ 

  

  

  %changelog

+ * Sat Apr 21 2018 Todd Zullinger <tmz@pobox.com> - 2.2.6-2

+ - Fix regression in gpgme signature verification (#1566988)

+ 

  * Wed Apr 11 2018 Tomáš Mráz <tmraz@redhat.com> - 2.2.6-1

  - upgrade to 2.2.6

  

A regression in gnupg-2.2.6 causes spurious signature verification
failures in gpgme. This affects dnf when importing keys (particularly
for repo verification). It prevents users from enabling repositories
which set repo_gpgcheck enabled and don't already have the repo signing
key in place.

The upstream patch is here.

This fix should be merged to f26, f27, and f28. Since those are all fast-forward merges, it's probably easiest to do that after merging this PR than to file separate PR's. But I can do the latter if it's helpful. Alternatively, I'd be happy to become a comaintainer of gnupg2 so this can be pushed quickly.

After digging deeper on this I found that upstream ended up patching gpgme to address this and some other issues. That patch is applied in gpgme, so this patch should not be needed.

Pull-Request has been closed by tmz

2 years ago