diffstat of debian/ for gnupg2_2.2.16-1 gnupg2_2.2.16-2~progress5+u1 changelog | 78 +++ control | 13 patches/dirmngr-fix-handling-of-HTTPS-redirections-during-HKP.patch | 45 ++ patches/fix-speling.patch | 21 + patches/gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch | 32 + patches/gpg-allow-import-of-previously-known-keys-even-without-UI.patch | 106 +++++ patches/progress-linux/0001-gpgsm-default-to-4096-bit-keys.patch | 97 ++++ patches/progress-linux/0002-gpg-default-to-4096-bit-RSA-keys.patch | 82 ++++ patches/series | 7 patches/tests-add-test-cases-for-import-without-uid.patch | 201 ++++++++++ rules | 3 11 files changed, 678 insertions(+), 7 deletions(-)
diff -Nru gnupg2-2.2.16/debian/changelog gnupg2-2.2.16/debian/changelog
--- gnupg2-2.2.16/debian/changelog 2019-05-29 00:13:01.000000000 +0000
+++ gnupg2-2.2.16/debian/changelog 2019-06-18 20:32:26.000000000 +0000
@@ -1,3 +1,41 @@ +gnupg2 (2.2.16-2~progress5+u1) engywuck-backports; urgency=medium + + * Uploading to engywuck-backports, remaining changes: + - Updating maintainer field. + - Updating uploaders field. + - Updating bugs field. + - Updating vcs fields. + - Setting default RSA key lenght to 4096 in gpgsm. + - Setting default RSA key lenght to 4096 in gpg. + * Merging debian version 2.2.16-2. + + -- Daniel Baumann Tue, 18 Jun 2019 22:32:26 +0200 + +gnupg2 (2.2.16-2) experimental; urgency=medium + + * fix HKPS redirections + * drop dh_missing --fail-missing (Closes: #930042) + * enable cert update without uids (Closes: #930665) + * fix upstream spelling of 'arbitrary' + + -- Daniel Kahn Gillmor Tue, 18 Jun 2019 12:59:57 -0400 + +gnupg2 (2.2.16-1~progress5+u1) engywuck-backports; urgency=medium + + * Uploading to engywuck-backports, remaining changes: + - Updating maintainer field. + - Updating uploaders field. + - Updating bugs field. + - Updating vcs fields. + - Setting default RSA key lenght to 4096 in gpgsm. + - Setting default RSA key lenght to 4096 in gpg. + * Merging upstream version 2.2.16. + * Merging debian version 2.2.16-1. + * Reverting use of dh_missing to fix FTBFS when building architecture- + dependent packages only (Closes: #930042). + + -- Daniel Baumann Wed, 05 Jun 2019 22:45:29 +0200 + gnupg2 (2.2.16-1) experimental; urgency=medium * clean up logcheck rules for gpg-agent (Closes: #918466) 
@@ -13,6 +51,20 @@ -- Daniel Kahn Gillmor Tue, 28 May 2019 20:13:01 -0400 +gnupg2 (2.2.15-1~progress5+u1) engywuck-backports; urgency=medium + + * Uploading to engywuck-backports, remaining changes: + - Updating maintainer field. + - Updating uploaders field. + - Updating bugs field. + - Updating vcs fields. + - Setting default RSA key lenght to 4096 in gpgsm. + - Setting default RSA key lenght to 4096 in gpg. + * Merging upstream version 2.2.15. + * Merging debian version 2.2.15-1. + + -- Daniel Baumann Mon, 01 Apr 2019 20:36:19 +0200 + gnupg2 (2.2.15-1) experimental; urgency=medium * new upstream release (still in experimental, due to freeze) @@ -20,6 +72,20 @@ -- Daniel Kahn Gillmor Mon, 01 Apr 2019 09:56:09 -0400 +gnupg2 (2.2.14-1~progress5+u1) engywuck-backports; urgency=medium + + * Uploading to engywuck-backports, remaining changes: + - Updating maintainer field. + - Updating uploaders field. + - Updating bugs field. + - Updating vcs fields. + - Setting default RSA key lenght to 4096 in gpgsm. + - Setting default RSA key lenght to 4096 in gpg. + * Merging upstream version 2.2.14. + * Merging debian version 2.2.14-1. + + -- Daniel Baumann Thu, 21 Mar 2019 02:56:09 +0100 + gnupg2 (2.2.14-1) experimental; urgency=medium * new upstream release (to experimental, due to freeze) 
@@ -29,6 +95,18 @@ -- Daniel Kahn Gillmor Wed, 20 Mar 2019 07:19:50 -0400 +gnupg2 (2.2.13-1~progress5+u1) engywuck-backports; urgency=medium + + * Initial upload to engywuck-backports. + * Updating maintainer field. + * Updating uploaders field. + * Updating bugs field. + * Updating vcs fields. + * Setting default RSA key lenght to 4096 in gpgsm. + * Setting default RSA key lenght to 4096 in gpg. + + -- Daniel Baumann Thu, 21 Mar 2019 02:52:00 +0100 + gnupg2 (2.2.13-1) unstable; urgency=medium * New upstream release (Closes: #919856) diff -Nru gnupg2-2.2.16/debian/control gnupg2-2.2.16/debian/control --- gnupg2-2.2.16/debian/control 2019-05-29 00:07:23.000000000 +0000 +++ gnupg2-2.2.16/debian/control 2019-06-18 20:32:26.000000000 +0000 @@ -1,10 +1,13 @@ Source: gnupg2 Section: utils Priority: optional -Maintainer: Debian GnuPG Maintainers -Uploaders: +Maintainer: Progress Linux Maintainers +XSBC-Uploaders: Daniel Baumann +XSBC-Original-Maintainer: Debian GnuPG Maintainers +XSBC-Original-Uploaders: Eric Dorland , Daniel Kahn Gillmor , +Bugs: mailto:maintainers@lists.progress-linux.org Standards-Version: 4.3.0 Build-Depends: automake, 
@@ -41,8 +44,10 @@ libnpth-mingw-w64-dev (>= 1.2), libz-mingw-w64-dev, mingw-w64, -Vcs-Git: https://salsa.debian.org/debian/gnupg2.git -b debian/experimental -Vcs-Browser: https://salsa.debian.org/debian/gnupg2 +Vcs-Browser: https://git.progress-linux.org/distributions/engywuck-backports/packages/gnupg2 +Vcs-Git: https://git.progress-linux.org/distributions/engywuck-backports/packages/gnupg2 +XSBC-Original-Vcs-Browser: https://salsa.debian.org/debian/gnupg2 +XSBC-Original-Vcs-Git: https://salsa.debian.org/debian/gnupg2.git -b debian/experimental Homepage: https://www.gnupg.org/ Rules-Requires-Root: no diff -Nru gnupg2-2.2.16/debian/patches/dirmngr-fix-handling-of-HTTPS-redirections-during-HKP.patch gnupg2-2.2.16/debian/patches/dirmngr-fix-handling-of-HTTPS-redirections-during-HKP.patch --- gnupg2-2.2.16/debian/patches/dirmngr-fix-handling-of-HTTPS-redirections-during-HKP.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnupg2-2.2.16/debian/patches/dirmngr-fix-handling-of-HTTPS-redirections-during-HKP.patch 2019-06-18 20:32:26.000000000 +0000 
@@ -0,0 +1,45 @@
+From: Daniel Kahn Gillmor
+Date: Tue, 11 Jun 2019 08:25:46 +0100
+Subject: dirmngr: fix handling of HTTPS redirections during HKP
+
+* dirmngr/ks-engine-hkp.c (send_request): Reinitialize HTTP session when
+following a HTTP redirection.
+
+--
+inspired by patch from Damien Goutte-Gattat
+
+GnuPG-Bug_id: 4566
+Signed-off-by: Daniel Kahn Gillmor
+---
+ dirmngr/ks-engine-hkp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
+index 8754a6b..99d60f9 100644
+--- a/dirmngr/ks-engine-hkp.c
++++ b/dirmngr/ks-engine-hkp.c
+@@ -1170,6 +1170,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
+ /* FIXME: I am not sure whey we allow a downgrade for hkp requests.
+ * Needs at least an explanation here.. */
+
++ once_more:
+ err = http_session_new (&session, httphost,
+ ((ctrl->http_no_crl? HTTP_FLAG_NO_CRL : 0)
+ | HTTP_FLAG_TRUST_DEF),
+@@ -1179,7 +1180,6 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
+ http_session_set_log_cb (session, cert_log_cb);
+ http_session_set_timeout (session, ctrl->timeout);
+
+- once_more:
+ err = http_open (&http,
+ post_cb? HTTP_REQ_POST : HTTP_REQ_GET,
+ request,
+@@ -1259,6 +1259,8 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
+ request = request_buffer;
+ http_close (http, 0);
+ http = NULL;
++ http_session_release (session);
++ session = NULL;
+ }
+ goto once_more;
+
diff -Nru gnupg2-2.2.16/debian/patches/fix-speling.patch gnupg2-2.2.16/debian/patches/fix-speling.patch
--- gnupg2-2.2.16/debian/patches/fix-speling.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnupg2-2.2.16/debian/patches/fix-speling.patch 2019-06-18 20:32:26.000000000 +0000
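Review bot: In the first inner hunk of send_request the relocated `once_more:` label rebuilds the session with the same `httphost` on every pass, and nothing in the visible lines reassigns `httphost` when a redirect is followed, so it should be confirmed that certificate verification for the redirected connection is done against the redirect target and not the host first requested. The existing FIXME just above the label already flags an unexplained downgrade allowance for hkp; a comment at the label such as `/* A redirect may change host or scheme, so the TLS session is rebuilt for every hop. */` would record why the label moved. send_request starts and ends outside these hunks, so how redirects are bounded and how `session` is released on the error path cannot be checked from here.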
@@ -0,0 +1,21 @@
+From: Daniel Kahn Gillmor
+Date: Tue, 18 Jun 2019 13:10:07 -0400
+Subject: fix speling
+
+---
+ doc/wks.texi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/wks.texi b/doc/wks.texi
+index 62bdfa8..ae6c310 100644
+--- a/doc/wks.texi
++++ b/doc/wks.texi
+@@ -61,7 +61,7 @@ Service provider. This is usuallay done to upload a key into a Web
+ Key Directory.
+
+ With the @option{--supported} command the caller can test whether a
+-site supports the Web Key Service. The argument is an arbitray
++site supports the Web Key Service. The argument is an arbitrary
+ address in the to be tested domain. For example
+ @file{foo@@example.net}. The command returns success if the Web Key
+ Service is supported. The operation is silent; to get diagnostic
diff -Nru gnupg2-2.2.16/debian/patches/gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch gnupg2-2.2.16/debian/patches/gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
--- gnupg2-2.2.16/debian/patches/gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnupg2-2.2.16/debian/patches/gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch 2019-06-18 20:32:26.000000000 +0000
@@ -0,0 +1,32 @@
+From: Vincent Breitmoser
+Date: Thu, 13 Jun 2019 21:27:43 +0200
+Subject: gpg: accept subkeys with a good revocation but no self-sig during
+ import
+
+* g10/import.c (chk_self_sigs): Set the NODE_GOOD_SELFSIG flag when we
+encounter a valid revocation signature. This allows import of subkey
+revocation signatures, even in the absence of a corresponding subkey
+binding signature.
+
+--
+
+This fixes the remaining test in import-incomplete.scm.
+
+GnuPG-Bug-id: 4393
+Signed-off-by: Daniel Kahn Gillmor
+---
+ g10/import.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/g10/import.c b/g10/import.c
+index eb7cacf..a3a8c48 100644
+--- a/g10/import.c
++++ b/g10/import.c
+@@ -3524,6 +3524,7 @@ chk_self_sigs (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, int *non_self)
+ /* It's valid, so is it newer? */
+ if (sig->timestamp >= rsdate)
+ {
++ knode->flag |= NODE_GOOD_SELFSIG; /* Subkey is valid. */
+ if (rsnode)
+ {
+ /* Delete the last revocation sig since
diff -Nru gnupg2-2.2.16/debian/patches/gpg-allow-import-of-previously-known-keys-even-without-UI.patch gnupg2-2.2.16/debian/patches/gpg-allow-import-of-previously-known-keys-even-without-UI.patch
--- gnupg2-2.2.16/debian/patches/gpg-allow-import-of-previously-known-keys-even-without-UI.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnupg2-2.2.16/debian/patches/gpg-allow-import-of-previously-known-keys-even-without-UI.patch 2019-06-18 20:32:26.000000000 +0000
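Review bot: The inline comment on the added line, `/* Subkey is valid. */`, says the opposite of what this branch handles: the flag is set because a revocation signature verified, so the subkey is kept in order to record that it is revoked. Since NODE_GOOD_SELFSIG is now set without any binding signature having been seen, a more accurate comment would be `/* A verified revocation is enough to keep this subkey node, even without a binding signature. */`. Other readers of NODE_GOOD_SELFSIG that assume a binding signature exists would need checking, but they are outside this hunk, as is the rest of chk_self_sigs.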
@@ -0,0 +1,106 @@
+From: Vincent Breitmoser
+Date: Thu, 13 Jun 2019 21:27:42 +0200
+Subject: gpg: allow import of previously known keys, even without UIDs
+
+* g10/import.c (import_one): Accept an incoming OpenPGP certificate that
+has no user id, as long as we already have a local variant of the cert
+that matches the primary key.
+
+--
+
+This fixes two of the three broken tests in import-incomplete.scm.
+
+GnuPG-Bug-id: 4393
+Signed-off-by: Daniel Kahn Gillmor
+---
+ g10/import.c | 44 +++++++++++---------------------------------
+ 1 file changed, 11 insertions(+), 33 deletions(-)
+
+diff --git a/g10/import.c b/g10/import.c
+index 3e93ffa..eb7cacf 100644
+--- a/g10/import.c
++++ b/g10/import.c
+@@ -1742,7 +1742,6 @@ import_one (ctrl_t ctrl,
+ size_t an;
+ char pkstrbuf[PUBKEY_STRING_SIZE];
+ int merge_keys_done = 0;
+- int any_filter = 0;
+ KEYDB_HANDLE hd = NULL;
+
+ if (r_valid)
+@@ -1779,14 +1778,6 @@ import_one (ctrl_t ctrl,
+ log_printf ("\n");
+ }
+
+-
+- if (!uidnode )
+- {
+- if (!silent)
+- log_error( _("key %s: no user ID\n"), keystr_from_pk(pk));
+- return 0;
+- }
+-
+ if (screener && screener (keyblock, screener_arg))
+ {
+ log_error (_("key %s: %s\n"), keystr_from_pk (pk),
+@@ -1854,17 +1845,10 @@ import_one (ctrl_t ctrl,
+ }
+ }
+
+- if (!delete_inv_parts (ctrl, keyblock, keyid, options ) )
+- {
+- if (!silent)
+- {
+- log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
+- if (!opt.quiet )
+- log_info(_("this may be caused by a missing self-signature\n"));
+- }
+- stats->no_user_id++;
+- return 0;
+- }
++ /* Delete invalid parts, and note if we have any valid ones left.
++ * We will later abort import if this key is new but contains
++ * no valid uids. */
++ delete_inv_parts (ctrl, keyblock, keyid, options);
+
+ /* Get rid of deleted nodes.
*/
+ commit_kbnode (&keyblock);
+@@ -1874,24 +1858,11 @@ import_one (ctrl_t ctrl,
+ {
+ apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid);
+ commit_kbnode (&keyblock);
+- any_filter = 1;
+ }
+ if (import_filter.drop_sig)
+ {
+ apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig);
+ commit_kbnode (&keyblock);
+- any_filter = 1;
+- }
+-
+- /* If we ran any filter we need to check that at least one user id
+- * is left in the keyring. Note that we do not use log_error in
+- * this case. */
+- if (any_filter && !any_uid_left (keyblock))
+- {
+- if (!opt.quiet )
+- log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk));
+- stats->no_user_id++;
+- return 0;
+ }
+
+ /* The keyblock is valid and ready for real import. */
+@@ -1949,6 +1920,13 @@ import_one (ctrl_t ctrl,
+ err = 0;
+ stats->skipped_new_keys++;
+ }
++ else if (err && !any_uid_left (keyblock))
++ {
++ if (!silent)
++ log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid));
++ err = 0;
++ stats->no_user_id++;
++ }
+ else if (err) /* Insert this key. */
+ {
+ /* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY. */
diff -Nru gnupg2-2.2.16/debian/patches/progress-linux/0001-gpgsm-default-to-4096-bit-keys.patch gnupg2-2.2.16/debian/patches/progress-linux/0001-gpgsm-default-to-4096-bit-keys.patch
--- gnupg2-2.2.16/debian/patches/progress-linux/0001-gpgsm-default-to-4096-bit-keys.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnupg2-2.2.16/debian/patches/progress-linux/0001-gpgsm-default-to-4096-bit-keys.patch 2019-06-18 20:32:26.000000000 +0000
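Review bot: The comment added above `delete_inv_parts (ctrl, keyblock, keyid, options);` says the call will "note if we have any valid ones left", but the return value is now discarded and the decision is taken later by `any_uid_left (keyblock)` in the new `else if` branch, so the comment should say that, e.g. `/* Delete invalid parts; whether a user ID is left is checked later, and only for keys that are new. */`. The new skip path reports through `log_info` and sets `err = 0`, where the removed `!uidnode` and `delete_inv_parts` checks used `log_error`, so a caller that judges an import by gpg's error output will probably no longer notice that a new key without a user ID was dropped and has to read `stats->no_user_id` instead. With the early `if (!uidnode)` return gone, any later use of `uidnode` in import_one must tolerate NULL; those lines are outside the hunks shown. The new message also calls `keystr(keyid)` where the surrounding code uses `keystr_from_pk (pk)`.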
@@ -0,0 +1,97 @@
+Author: Daniel Baumann
+Subject: gpgsm: default to 4096-bit keys.
+
+diff -Naurp gnupg2.orig/doc/gpgsm.texi gnupg2/doc/gpgsm.texi
+--- gnupg2.orig/doc/gpgsm.texi
++++ gnupg2/doc/gpgsm.texi
+@@ -1082,7 +1082,7 @@ key. The algorithm must be capable of si
+ parameter. The only supported value for @var{algo} is @samp{rsa}.
+
+ @item Key-Length: @var{nbits}
+-The requested length of a generated key in bits. Defaults to 3072.
++The requested length of a generated key in bits. Defaults to 4096.
+
+ @item Key-Grip: @var{hexstring}
+ This is optional and used to generate a CSR or certificate for an
+diff -Naurp gnupg2.orig/doc/howto-create-a-server-cert.texi gnupg2/doc/howto-create-a-server-cert.texi
+--- gnupg2.orig/doc/howto-create-a-server-cert.texi
++++ gnupg2/doc/howto-create-a-server-cert.texi
+@@ -31,12 +31,12 @@ Let's continue:
+
+ @cartouche
+ @example
+- What keysize do you want? (3072)
+- Requested keysize is 3072 bits
++ What keysize do you want? (4096)
++ Requested keysize is 4096 bits
+ @end example
+ @end cartouche
+
+-Hitting enter chooses the default RSA key size of 3072 bits. Keys
++Hitting enter chooses the default RSA key size of 4096 bits. Keys
+ smaller than 2048 bits are too weak on the modern Internet. If you
+ choose a larger (stronger) key, your server will need to do more work.
+
+@@ -124,7 +124,7 @@ request:
+ @example
+ These parameters are used:
+ Key-Type: RSA
+- Key-Length: 3072
++ Key-Length: 4096
+ Key-Usage: sign, encrypt
+ Name-DN: CN=example.com
+ Name-DNS: example.com
+@@ -224,7 +224,7 @@ To see the content of your certificate,
+ aka: (dns-name example.com)
+ aka: (dns-name www.example.com)
+ validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51
+- key type: 3072 bit RSA
++ key type: 4096 bit RSA
+ key usage: digitalSignature keyEncipherment
+ ext key usage: clientAuth (suggested), serverAuth (suggested), [...]
+ fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57 +diff -Naurp gnupg2.orig/sm/certreqgen.c gnupg2/sm/certreqgen.c +--- gnupg2.orig/sm/certreqgen.c ++++ gnupg2/sm/certreqgen.c +@@ -26,7 +26,7 @@ + $ cat >foo < 4096) && !cardkeyid) +diff -Naurp gnupg2.orig/sm/certreqgen-ui.c gnupg2/sm/certreqgen-ui.c +--- gnupg2.orig/sm/certreqgen-ui.c ++++ gnupg2/sm/certreqgen-ui.c +@@ -138,7 +138,7 @@ gpgsm_gencertreq_tty (ctrl_t ctrl, estre + unsigned int nbits; + int minbits = 1024; + int maxbits = 4096; +- int defbits = 3072; ++ int defbits = 4096; + const char *keyusage; + char *subject_name; + membuf_t mb_email, mb_dns, mb_uri, mb_result; +diff -Naurp gnupg2.orig/sm/gpgsm.c gnupg2/sm/gpgsm.c +--- gnupg2.orig/sm/gpgsm.c ++++ gnupg2/sm/gpgsm.c +@@ -1800,7 +1800,7 @@ main ( int argc, char **argv) + /* The next one is an info only item and should match what + proc_parameters actually implements. */ + es_printf ("default_pubkey_algo:%lu:\"%s:\n", GC_OPT_FLAG_DEFAULT, +- "RSA-3072"); ++ "RSA-4096"); + es_printf ("compliance:%lu:\"%s:\n", GC_OPT_FLAG_DEFAULT, "gnupg"); + + } diff -Nru gnupg2-2.2.16/debian/patches/progress-linux/0002-gpg-default-to-4096-bit-RSA-keys.patch gnupg2-2.2.16/debian/patches/progress-linux/0002-gpg-default-to-4096-bit-RSA-keys.patch --- gnupg2-2.2.16/debian/patches/progress-linux/0002-gpg-default-to-4096-bit-RSA-keys.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnupg2-2.2.16/debian/patches/progress-linux/0002-gpg-default-to-4096-bit-RSA-keys.patch 2019-06-18 20:32:26.000000000 +0000 
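Review bot: Only the default moves in `gpgsm_gencertreq_tty`: `int minbits = 1024;` is left as it was, although the howto text touched by this same patch states that keys smaller than 2048 bits are too weak, so a distribution patch whose purpose is stronger keys could raise the floor as well, for example `int minbits = 2048;`. The same applies to the gpg side in 0002, where `gen_rsa` still only rejects sizes below 1024 bits and `get_keysize_range` keeps 1024 as the minimum outside CO_DE_VS. The sm/certreqgen.c hunks are damaged in this view, so whether the batch default was changed to match the `RSA-4096` string now printed by gpgsm.c cannot be confirmed here. The patch header has only Author and Subject; a short description of why 4096 was chosen would help whoever rebases it.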
@@ -0,0 +1,82 @@
+Author: Daniel Baumann
+Subject: gpg: default to 4096-bit RSA keys.
+
+diff -Naurp gnupg2.orig/agent/command.c gnupg2/agent/command.c
+--- gnupg2.orig/agent/command.c
++++ gnupg2/agent/command.c
+@@ -843,7 +843,7 @@ static const char hlp_genkey[] =
+ "\n"
+ " C: GENKEY\n"
+ " S: INQUIRE KEYPARAM\n"
+- " C: D (genkey (rsa (nbits 3072)))\n"
++ " C: D (genkey (rsa (nbits 4096)))\n"
+ " C: END\n"
+ " S: D (public-key\n"
+ " S: D (rsa (n 326487324683264) (e 10001)))\n"
+diff -Naurp gnupg2.orig/doc/wks.texi gnupg2/doc/wks.texi
+--- gnupg2.orig/doc/wks.texi
++++ gnupg2/doc/wks.texi
+@@ -404,10 +404,10 @@ the submission address:
+ The output of the last command looks similar to this:
+
+ @example
+- sec rsa3072 2016-08-30 [SC]
++ sec rsa4096 2016-08-30 [SC]
+ C0FCF8642D830C53246211400346653590B3795B
+ uid [ultimate] key-submission@@example.net
+- ssb rsa3072 2016-08-30 [E]
++ ssb rsa4096 2016-08-30 [E]
+ @end example
+
+ Take the fingerprint from that output and manually publish the key:
+diff -Naurp gnupg2.orig/g10/keygen.c gnupg2/g10/keygen.c
+--- gnupg2.orig/g10/keygen.c
++++ gnupg2/g10/keygen.c
+@@ -49,7 +49,7 @@
+ /* The default algorithms. If you change them, you should ensure the value
+ is inside the bounds enforced by ask_keysize and gen_xxx. See also
+ get_keysize_range which encodes the allowed ranges. */
+-#define DEFAULT_STD_KEY_PARAM "rsa3072/cert,sign+rsa3072/encr"
++#define DEFAULT_STD_KEY_PARAM "rsa4096/cert,sign+rsa4096/encr"
+ #define FUTURE_STD_KEY_PARAM "ed25519/cert,sign+cv25519/encr"
+
+ /* When generating keys using the streamlined key generation dialog,
+@@ -1647,7 +1647,7 @@ gen_rsa (int algo, unsigned int nbits, K
+
+ if (nbits < 1024)
+ {
+- nbits = 3072;
++ nbits = 4096;
+ log_info (_("keysize invalid; using %u bits\n"), nbits );
+ }
+ else if (nbits > maxsize)
+@@ -2116,7 +2116,7 @@ get_keysize_range (int algo, unsigned in
+ default:
+ *min = opt.compliance == CO_DE_VS ?
2048: 1024;
+ *max = 4096;
+- def = 3072;
++ def = 4096;
+ break;
+ }
+
+diff -Naurp gnupg2.orig/g10/keyid.c gnupg2/g10/keyid.c
+--- gnupg2.orig/g10/keyid.c
++++ gnupg2/g10/keyid.c
+@@ -73,7 +73,7 @@ pubkey_letter( int algo )
+ is copied to the supplied buffer up a length of BUFSIZE-1.
+ Examples for the output are:
+
+- "rsa3072" - RSA with 3072 bit
++ "rsa4096" - RSA with 4096 bit
+ "elg1024" - Elgamal with 1024 bit
+ "ed25519" - ECC using the curve Ed25519.
+ "E_1.2.3.4" - ECC using the unsupported curve with OID "1.2.3.4".
+@@ -83,7 +83,7 @@ pubkey_letter( int algo )
+ If the option --legacy-list-mode is active, the output use the
+ legacy format:
+
+- "3072R" - RSA with 3072 bit
++ "4096R" - RSA with 4096 bit
+ "1024g" - Elgamal with 1024 bit
+ "256E" - ECDSA using a curve with 256 bit
+
diff -Nru gnupg2-2.2.16/debian/patches/series gnupg2-2.2.16/debian/patches/series
--- gnupg2-2.2.16/debian/patches/series 2019-05-28 23:23:05.000000000 +0000
+++ gnupg2-2.2.16/debian/patches/series 2019-06-18 20:32:26.000000000 +0000
@@ -15,3 +15,10 @@
 show-revocation-cert/gpg-Print-revocation-certificate-details-when-showing-wit.patch
 Make-gpg-zip-use-tar-from-PATH.patch
 fix-spelling.patch
+dirmngr-fix-handling-of-HTTPS-redirections-during-HKP.patch
+tests-add-test-cases-for-import-without-uid.patch
+gpg-allow-import-of-previously-known-keys-even-without-UI.patch
+gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
+fix-speling.patch
+progress-linux/0001-gpgsm-default-to-4096-bit-keys.patch
+progress-linux/0002-gpg-default-to-4096-bit-RSA-keys.patch
diff -Nru gnupg2-2.2.16/debian/patches/tests-add-test-cases-for-import-without-uid.patch gnupg2-2.2.16/debian/patches/tests-add-test-cases-for-import-without-uid.patch
--- gnupg2-2.2.16/debian/patches/tests-add-test-cases-for-import-without-uid.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnupg2-2.2.16/debian/patches/tests-add-test-cases-for-import-without-uid.patch 2019-06-18 20:32:26.000000000 +0000
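Review bot: With `def = 4096` next to `*max = 4096` in get_keysize_range and `rsa4096` in DEFAULT_STD_KEY_PARAM, the default now sits exactly on the largest size the range allows, and the existing warning above the macro (keep the value inside the bounds enforced by ask_keysize and gen_xxx) becomes easy to violate on a later rebase. A short marker at each of the three behavioural changes, e.g. `/* Progress Linux: default RSA size; must stay within get_keysize_range. */`, would tie them together. The remaining edits (the hlp_genkey example, the wks.texi sample listing, the keyid.c comment examples) only rewrite illustrative text and enlarge the delta against upstream without changing behaviour, so dropping them would make the patch easier to carry.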
@@ -0,0 +1,201 @@
+From: Vincent Breitmoser
+Date: Thu, 13 Jun 2019 21:27:41 +0200
+Subject: tests: add test cases for import without uid
+
+This commit adds a test case that does the following, in order:
+- Import of a primary key plus user id
+- Check that import of a subkey works, without a user id present in the
+imported key
+- Check that import of a subkey revocation works, without a user id or
+subkey binding signature present in the imported key
+- Check that import of a primary key revocation works, without a user id
+present in the imported key
+
+--
+
+Note that this test currently fails. The following changesets will
+fix gpg so that the tests pass.
+
+GnuPG-Bug-id: 4393
+Signed-Off-By: Daniel Kahn Gillmor
+---
+ tests/openpgp/Makefile.am | 1 +
+ tests/openpgp/import-incomplete.scm | 68 ++++++++++++++++++++++
+ .../import-incomplete/primary+revocation.asc | 9 +++
+ .../primary+subkey+sub-revocation.asc | 10 ++++
+ .../import-incomplete/primary+subkey+sub-sig.asc | 10 ++++
+ .../openpgp/import-incomplete/primary+uid-sig.asc | 10 ++++
+ tests/openpgp/import-incomplete/primary+uid.asc | 10 ++++
+ 7 files changed, 118 insertions(+)
+ create mode 100755 tests/openpgp/import-incomplete.scm
+ create mode 100644 tests/openpgp/import-incomplete/primary+revocation.asc
+ create mode 100644 tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc
+ create mode 100644 tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc
+ create mode 100644 tests/openpgp/import-incomplete/primary+uid-sig.asc
+ create mode 100644 tests/openpgp/import-incomplete/primary+uid.asc
+
+diff --git a/tests/openpgp/Makefile.am b/tests/openpgp/Makefile.am
+index f6014c9..6423da1 100644
+--- a/tests/openpgp/Makefile.am
++++ b/tests/openpgp/Makefile.am
+@@ -78,6 +78,7 @@ XTESTS = \
+ gpgv-forged-keyring.scm \
+ armor.scm \
+ import.scm \
++ import-incomplete.scm \
+ import-revocation-certificate.scm \
+ ecc.scm \
+ 4gb-packet.scm \
+diff --git a/tests/openpgp/import-incomplete.scm
b/tests/openpgp/import-incomplete.scm
+new file mode 100755
+index 0000000..727a027
+--- /dev/null
++++ b/tests/openpgp/import-incomplete.scm
+@@ -0,0 +1,68 @@
++#!/usr/bin/env gpgscm
++
++;; Copyright (C) 2016 g10 Code GmbH
++;;
++;; This file is part of GnuPG.
++;;
++;; GnuPG is free software; you can redistribute it and/or modify
++;; it under the terms of the GNU General Public License as published by
++;; the Free Software Foundation; either version 3 of the License, or
++;; (at your option) any later version.
++;;
++;; GnuPG is distributed in the hope that it will be useful,
++;; but WITHOUT ANY WARRANTY; without even the implied warranty of
++;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++;; GNU General Public License for more details.
++;;
++;; You should have received a copy of the GNU General Public License
++;; along with this program; if not, see .
++
++(load (in-srcdir "tests" "openpgp" "defs.scm"))
++(setup-environment)
++
++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+uid.asc")))
++
++(info "Test import of new subkey, from a certificate without uid")
++(define keyid "573EA710367356BB")
++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+subkey+sub-sig.asc")))
++(tr:do
++ (tr:pipe-do
++ (pipe:gpg `(--list-keys --with-colons ,keyid)))
++ (tr:call-with-content
++ (lambda (c)
++ ;; XXX we do not have a regexp library
++ (unless (any (lambda (line)
++ (and (string-prefix? line "sub:")
++ (string-contains?
line "573EA710367356BB")))
++ (string-split-newlines c))
++ (exit 1)))))
++
++(info "Test import of a subkey revocation, from a certificate without uid")
++(define keyid "573EA710367356BB")
++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+subkey+sub-revocation.asc")))
++(tr:do
++ (tr:pipe-do
++ (pipe:gpg `(--list-keys --with-colons ,keyid)))
++ (tr:call-with-content
++ (lambda (c)
++ ;; XXX we do not have a regexp library
++ (unless (any (lambda (line)
++ (and (string-prefix? line "sub:r:")
++ (string-contains? line "573EA710367356BB")))
++ (string-split-newlines c))
++ (exit 1)))))
++
++(info "Test import of revocation, from a certificate without uid")
++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+revocation.asc")))
++(tr:do
++ (tr:pipe-do
++ (pipe:gpg `(--list-keys --with-colons ,keyid)))
++ (tr:call-with-content
++ (lambda (c)
++ ;; XXX we do not have a regexp library
++ (unless (any (lambda (line)
++ (and (string-prefix? line "pub:r:")
++ (string-contains?
line "0843DA969AA8DAFB")))
++ (string-split-newlines c))
++ (exit 1)))))
++
+diff --git a/tests/openpgp/import-incomplete/primary+revocation.asc b/tests/openpgp/import-incomplete/primary+revocation.asc
+new file mode 100644
+index 0000000..6b7b608
+--- /dev/null
++++ b/tests/openpgp/import-incomplete/primary+revocation.asc
+@@ -0,0 +1,9 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Comment: [E] primary key, revocation signature over primary (no user ID)
++
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
++631VAN2IeAQgFggAIBYhBLRpj5W82H/gSMzKKQhD2paaqNr7BQJc2ZQZAh0AAAoJ
++EAhD2paaqNr7qAwA/2jBUpnN0BxwRO/4CrxvrLIsL+C9aSXJUOTv8XkP4lvtAQD3
++XsDFfFNgEueiTfF7HtOGt5LPmRqVvUpQSMVgJJW6CQ==
++=tM90
++-----END PGP PUBLIC KEY BLOCK-----
+diff --git a/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc b/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc
+new file mode 100644
+index 0000000..83a51a5
+--- /dev/null
++++ b/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc
+@@ -0,0 +1,10 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Comment: [D] primary key, subkey, subkey revocation (no user ID)
++
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
++631VAN24OARc2ZQhEgorBgEEAZdVAQUBAQdABsd5ha0AWXdXcSmfeiWIfrNcGqQK
++j++lwwWDAOlkVicDAQgHiHgEKBYIACAWIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC
++XNmnkAIdAgAKCRAIQ9qWmqja+ylaAQDmIKf86BJEq4OpDqU+V9D+wn2cyuxbyWVQ
++3r9LiL9qNwD/QAjyrhSN8L3Mfq+wdTHo5i0yB9ZCCpHLXSbhCqfWZwQ=
++=dwx2
++-----END PGP PUBLIC KEY BLOCK-----
+diff --git a/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc b/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc
+new file mode 100644
+index 0000000..dc47a02
+--- /dev/null
++++ b/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc
+@@ -0,0 +1,10 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Comment: [B] primary key, subkey, subkey binding sig (no user ID)
++
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
++631VAN24OARc2ZQhEgorBgEEAZdVAQUBAQdABsd5ha0AWXdXcSmfeiWIfrNcGqQK
++j++lwwWDAOlkVicDAQgHiHgEGBYIACAWIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC
++XNmUIQIbDAAKCRAIQ9qWmqja++vFAP98G1L+1/rWTGbsnxOAV2RocBYIroAvsbkR
++Ly6FdP8YNwEA7jOgT05CoKIe37MstpOz23mM80AK369Ca3JMmKKCQgg=
++=xuDu
++-----END PGP PUBLIC KEY BLOCK-----
+diff --git a/tests/openpgp/import-incomplete/primary+uid-sig.asc b/tests/openpgp/import-incomplete/primary+uid-sig.asc
+new file mode 100644
+index 0000000..134607d
+--- /dev/null
++++ b/tests/openpgp/import-incomplete/primary+uid-sig.asc
+@@ -0,0 +1,10 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Comment: [C] primary key and self-sig expiring in 2024 (no user ID)
++
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
++631VAN2IlgQTFggAPgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBLRpj5W8
++2H/gSMzKKQhD2paaqNr7BQJc2ZR1BQkJZgHcAAoJEAhD2paaqNr79soA/0lWkUsu
++3NLwgbni6EzJxnTzgeNMpljqNpipHAwfix9hAP93AVtFdC8g7hdUZxawobl9lnSN
++9ohXOEBWvdJgVv2YAg==
++=KWIK
++-----END PGP PUBLIC KEY BLOCK-----
+diff --git a/tests/openpgp/import-incomplete/primary+uid.asc b/tests/openpgp/import-incomplete/primary+uid.asc
+new file mode 100644
+index 0000000..055f300
+--- /dev/null
++++ b/tests/openpgp/import-incomplete/primary+uid.asc
+@@ -0,0 +1,10 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Comment: [A] primary key, user ID, and self-sig expiring in 2021
++
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
++631VAN20CHRlc3Qga2V5iJYEExYIAD4WIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC
++XNmUGQIbAwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAIQ9qWmqja
+++0G1AQDdQiwhXxjXLMqoth+D4SigVHTJK8ORwifzsy3UE7mPGwD/aZ67XbAF/lgI
++kv2O1Jo0u9BL9RNNF+L0DM7rAFbfMAs=
++=1eII
++-----END PGP PUBLIC KEY BLOCK-----
diff -Nru gnupg2-2.2.16/debian/rules gnupg2-2.2.16/debian/rules
--- gnupg2-2.2.16/debian/rules 2019-05-29 00:13:01.000000000 +0000
+++ gnupg2-2.2.16/debian/rules 2019-06-18 20:32:26.000000000 +0000
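Review bot: The fixture `primary+uid-sig.asc` ([C], a self-signature with no user ID) is added but never imported by import-incomplete.scm, and the script has no negative case: nothing checks that a certificate without a user ID is still refused when its primary key is not already in the keyring, which is the boundary the import change in this series depends on. A case that imports one of the UID-less fixtures into a keyring lacking the primary key and asserts that `--list-keys` does not show it would pin that down. `(define keyid "573EA710367356BB")` is also repeated verbatim before the second test, and the third test reuses it for the listing while matching a different id, `0843DA969AA8DAFB`; a one-line comment naming which id is the primary key and which is the subkey would make the three checks easier to follow.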
@@ -79,9 +79,6 @@ override_dh_auto_test: dh_auto_test --builddirectory=build -- verbose=3 TESTFLAGS=$(AUTOTEST_FLAGS) -override_dh_missing: - dh_missing --fail-missing - override_dh_shlibdeps: # Make ldap a recommends rather than a hard dependency. dpkg-shlibdeps -Tdebian/dirmngr.substvars -dRecommends debian/dirmngr/usr/lib/gnupg/dirmngr_ldap -dDepends debian/dirmngr/usr/bin/dirmngr*