[Pkg-gnupg-commit] [gnupg2] 01/01: actually use sks-keyservers CA by default if the user asks for hkps://hkps.pool.sks-keyservers.net
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Dec 11 03:08:59 UTC 2015
This is an automated email from the git hooks/post-receive script.
dkg pushed a commit to branch master
in repository gnupg2.
commit 19af19a46da59530c66bb302866b8ec32ae2fb8b
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Thu Dec 10 21:08:59 2015 -0500
actually use sks-keyservers CA by default if the user asks for hkps://hkps.pool.sks-keyservers.net
---
debian/changelog | 7 ++
debian/dirmngr.install | 3 +-
debian/gnupg2.install | 4 +-
debian/gpgsm.install | 2 +
...-keyservers-CA-where-it-should-have-been-.patch | 47 ++++++++
...eyservers-CA-by-default-for-the-hkps-pool.patch | 130 +++++++++++++++++++++
debian/patches/series | 2 +
debian/sks-keyservers.netCA.pem | 32 -----
8 files changed, 193 insertions(+), 34 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 76b7f17..eb0243c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+gnupg2 (2.1.10-2) unstable; urgency=medium
+
+ * actually use sks-keyservers CA by default if the user asks for
+ hkps://hkps.pool.sks-keyservers.net
+
+ -- Daniel Kahn Gillmor <dkg at fifthhorseman.net> Thu, 10 Dec 2015 21:08:48 -0500
+
gnupg2 (2.1.10-1) unstable; urgency=medium
* new upstream release
diff --git a/debian/dirmngr.install b/debian/dirmngr.install
index 4098779..68175cd 100644
--- a/debian/dirmngr.install
+++ b/debian/dirmngr.install
@@ -1,4 +1,5 @@
-debian/sks-keyservers.netCA.pem usr/share/dirmngr
debian/tmp/usr/bin/dirmngr
debian/tmp/usr/bin/dirmngr-client
debian/tmp/usr/lib/gnupg2/dirmngr_ldap
+debian/tmp/usr/share/gnupg2/dirmngr-conf.skel
+debian/tmp/usr/share/gnupg2/sks-keyservers.netCA.pem
diff --git a/debian/gnupg2.install b/debian/gnupg2.install
index d73691e..e0c05c3 100644
--- a/debian/gnupg2.install
+++ b/debian/gnupg2.install
@@ -5,5 +5,7 @@ debian/tmp/usr/bin/kbxutil
debian/tmp/usr/bin/watchgnupg
debian/tmp/usr/sbin/addgnupghome
debian/tmp/usr/sbin/applygnupgdefaults
-debian/tmp/usr/share/gnupg2
+debian/tmp/usr/share/gnupg2/distsigkey.gpg
+debian/tmp/usr/share/gnupg2/gpg-conf.skel
+debian/tmp/usr/share/gnupg2/help.*.txt
debian/tmp/usr/share/locale
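Review bot: replacing the directory-wide `debian/tmp/usr/share/gnupg2` line with an explicit file list means any file a later upstream release adds under usr/share/gnupg2 will silently be left out of every binary package; the split across gnupg2, dirmngr and gpgsm is sensible, but run dh_install with --list-missing (or --fail-missing) so the next upstream bump flags anything unaccounted for. `help.*.txt` is the only glob in the list; dh_install expands patterns in .install files, so that is fine, but the other entries now have to be kept in sync by hand.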
diff --git a/debian/gpgsm.install b/debian/gpgsm.install
index 8822607..2708347 100644
--- a/debian/gpgsm.install
+++ b/debian/gpgsm.install
@@ -1 +1,3 @@
debian/tmp/usr/bin/gpgsm
+debian/tmp/usr/share/gnupg2/com-certs.pem
+debian/tmp/usr/share/gnupg2/qualified.txt
diff --git a/debian/patches/0005-include-sks-keyservers-CA-where-it-should-have-been-.patch b/debian/patches/0005-include-sks-keyservers-CA-where-it-should-have-been-.patch
new file mode 100644
index 0000000..c6262d5
--- /dev/null
+++ b/debian/patches/0005-include-sks-keyservers-CA-where-it-should-have-been-.patch
@@ -0,0 +1,47 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Thu, 10 Dec 2015 21:07:00 -0500
+Subject: include sks-keyservers CA where it should have been shipped
+
+---
+ dirmngr/sks-keyservers.netCA.pem | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+ create mode 100644 dirmngr/sks-keyservers.netCA.pem
+
+diff --git a/dirmngr/sks-keyservers.netCA.pem b/dirmngr/sks-keyservers.netCA.pem
+new file mode 100644
+index 0000000..24a2ad2
+--- /dev/null
++++ b/dirmngr/sks-keyservers.netCA.pem
+@@ -0,0 +1,32 @@
++-----BEGIN CERTIFICATE-----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++-----END CERTIFICATE-----
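Review bot: the patch description is empty between the Subject line and the diffstat; since this adds a trust anchor that dirmngr will use by default, state where the certificate was obtained (the CA published by the sks-keyservers.net pool operator) and its fingerprint, so the blob can be checked against the pool's published CA on every update, and say why the 2.1.10 tarball needs it added (the Subject hints at it but the body gives no detail).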
diff --git a/debian/patches/0006-Use-sks-keyservers-CA-by-default-for-the-hkps-pool.patch b/debian/patches/0006-Use-sks-keyservers-CA-by-default-for-the-hkps-pool.patch
new file mode 100644
index 0000000..ee3ac4b
--- /dev/null
+++ b/debian/patches/0006-Use-sks-keyservers-CA-by-default-for-the-hkps-pool.patch
@@ -0,0 +1,130 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Mon, 19 Oct 2015 23:48:30 -0400
+Subject: Use sks-keyservers CA by default for the hkps pool.
+
+Ship the certificate for the sks-keyservers hkps pool. If the user
+has specified that they want to use
+hkps://hkps.pool.sks-keyservers.net, and they have not specified any
+hkp-cacert, then initialize the trust path with this targeted
+certificate.
+---
+ dirmngr/Makefile.am | 1 +
+ dirmngr/http.c | 22 +++++++++++++++++++++-
+ dirmngr/http.h | 3 ++-
+ dirmngr/ks-engine-hkp.c | 2 +-
+ dirmngr/ks-engine-http.c | 2 +-
+ dirmngr/t-http.c | 2 +-
+ 6 files changed, 27 insertions(+), 5 deletions(-)
+
+diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am
+index c3bce0d..1c74d10 100644
+--- a/dirmngr/Makefile.am
++++ b/dirmngr/Makefile.am
+@@ -20,6 +20,7 @@
+ ## Process this file with automake to produce Makefile.in
+
+ EXTRA_DIST = OAUTHORS ONEWS ChangeLog-2011 tls-ca.pem
++dist_pkgdata_DATA = sks-keyservers.netCA.pem
+
+ bin_PROGRAMS = dirmngr dirmngr-client
+
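Review bot: `dist_pkgdata_DATA` installs the file into pkgdatadir, while http.c later locates it through GNUPG_DATADIR; the two must resolve to the same directory (the debian/dirmngr.install hunk shows usr/share/gnupg2 for the installed copy). If they can diverge under a non-default configure layout, the runtime lookup fails with nothing but an info-level log line, so either derive both paths from the same variable or document the assumption next to this line.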
+diff --git a/dirmngr/http.c b/dirmngr/http.c
+index 74b6911..c4f7cbc 100644
+--- a/dirmngr/http.c
++++ b/dirmngr/http.c
+@@ -130,6 +130,8 @@
+ "01234567890@" \
+ "!\"#$%&'()*+,-./:;<=>?[\\]^_{|}~"
+
++#define HKPS_POOL_CA_PEM GNUPG_DATADIR "/sks-keyservers.netCA.pem"
++
+ /* A long counter type. */
+ #ifdef HAVE_STRTOULL
+ typedef unsigned long long longcounter_t;
+@@ -562,7 +564,8 @@ http_session_release (http_session_t sess)
+ /* Create a new session object which is currently used to enable TLS
+ support. It may eventually allow reusing existing connections. */
+ gpg_error_t
+-http_session_new (http_session_t *r_session, const char *tls_priority)
++http_session_new (http_session_t *r_session, const char *tls_priority,
++ const char *intended_hostname)
+ {
+ gpg_error_t err;
+ http_session_t sess;
+@@ -600,6 +603,23 @@ http_session_new (http_session_t *r_session, const char *tls_priority)
+ goto leave;
+ }
+
++ /* if the user has not specified a CA list, and they are looking
++ * for the hkps pool from sks-keyservers.net, then default to
++ * Kristian's certificate authority:
++ */
++ if (!tls_ca_certlist)
++ {
++ if (intended_hostname &&
++ 0 == strcasecmp("hkps.pool.sks-keyservers.net", intended_hostname))
++ {
++ rc = gnutls_certificate_set_x509_trust_file
++ (sess->certcred, HKPS_POOL_CA_PEM, GNUTLS_X509_FMT_PEM);
++ if (rc < 0)
++ log_info ("setting CA from file '" HKPS_POOL_CA_PEM "' failed: %s\n",
++ gnutls_strerror (rc));
++
++ }
++ }
+ for (sl = tls_ca_certlist; sl; sl = sl->next)
+ {
+ rc = gnutls_certificate_set_x509_trust_file
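Review bot: on `gnutls_certificate_set_x509_trust_file` failure the new block only emits a log_info and falls through, so a missing or unreadable HKPS_POOL_CA_PEM leaves the session with no trust anchor for the pool the user explicitly asked for; log_error, or returning the error, would make that state visible instead of letting the connection go on to fail, or succeed, at verification time. A smaller point: `rc < 0` only catches hard errors, and for this GnuTLS call a non-negative return is the number of certificates loaded, so a file that parses but yields zero certificates is treated as success; checking `rc <= 0` closes that gap.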
+diff --git a/dirmngr/http.h b/dirmngr/http.h
+index 64f55e1..58b8c1a 100644
+--- a/dirmngr/http.h
++++ b/dirmngr/http.h
+@@ -98,7 +98,8 @@ void http_register_tls_callback (gpg_error_t (*cb)(http_t,http_session_t,int));
+ void http_register_tls_ca (const char *fname);
+
+ gpg_error_t http_session_new (http_session_t *r_session,
+- const char *tls_priority);
++ const char *tls_priority,
++ const char *intended_hostname);
+ http_session_t http_session_ref (http_session_t sess);
+ void http_session_release (http_session_t sess);
+
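Review bot: the new `intended_hostname` parameter is undocumented in the header; a one-line comment saying that it is used only to pick a default trust anchor when no hkp-cacert is configured, and that NULL disables that behaviour, would keep the NULL-passing callers (ks-engine-http.c, t-http.c) and the hkp engine from being misread later.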
+diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
+index e458899..f6af688 100644
+--- a/dirmngr/ks-engine-hkp.c
++++ b/dirmngr/ks-engine-hkp.c
+@@ -990,7 +990,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
+
+ *r_fp = NULL;
+
+- err = http_session_new (&session, NULL);
++ err = http_session_new (&session, NULL, httphost);
+ if (err)
+ goto leave;
+ http_session_set_log_cb (session, cert_log_cb);
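Review bot: `httphost` is passed as the intended hostname; worth confirming it still carries the pool name (hkps.pool.sks-keyservers.net) at this point rather than the concrete server chosen from the pool, since the strcasecmp in http_session_new compares against the pool name exactly and would never match otherwise, leaving the pool CA unused without any log line.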
+diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
+index ae128ee..c51c0ce 100644
+--- a/dirmngr/ks-engine-http.c
++++ b/dirmngr/ks-engine-http.c
+@@ -65,7 +65,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
+ estream_t fp = NULL;
+ char *request_buffer = NULL;
+
+- err = http_session_new (&session, NULL);
++ err = http_session_new (&session, NULL, NULL);
+ if (err)
+ goto leave;
+ http_session_set_log_cb (session, cert_log_cb);
+diff --git a/dirmngr/t-http.c b/dirmngr/t-http.c
+index 63662a2..9d5ea5f 100644
+--- a/dirmngr/t-http.c
++++ b/dirmngr/t-http.c
+@@ -262,7 +262,7 @@ main (int argc, char **argv)
+ http_register_tls_callback (verify_callback);
+ http_register_tls_ca (cafile);
+
+- err = http_session_new (&session, NULL);
++ err = http_session_new (&session, NULL, NULL);
+ if (err)
+ log_error ("http_session_new failed: %s\n", gpg_strerror (err));
+
diff --git a/debian/patches/series b/debian/patches/series
index a85b42a..47b785e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,5 @@
0002-avoid-beta-warning.patch
0003-Avoid-simple-memory-dumps-via-ptrace.patch
0004-fix-keystrlen-when-no-keyid-format-option-has-been-g.patch
+0005-include-sks-keyservers-CA-where-it-should-have-been-.patch
+0006-Use-sks-keyservers-CA-by-default-for-the-hkps-pool.patch
diff --git a/debian/sks-keyservers.netCA.pem b/debian/sks-keyservers.netCA.pem
deleted file mode 100644
index 24a2ad2..0000000
--- a/debian/sks-keyservers.netCA.pem
+++ /dev/null
@@ -1,32 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFizCCA3OgAwIBAgIJAK9zyLTPn4CPMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV
-BAYTAk5PMQ0wCwYDVQQIDARPc2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5u
-ZXQgQ0ExHjAcBgNVBAMMFXNrcy1rZXlzZXJ2ZXJzLm5ldCBDQTAeFw0xMjEwMDkw
-MDMzMzdaFw0yMjEwMDcwMDMzMzdaMFwxCzAJBgNVBAYTAk5PMQ0wCwYDVQQIDARP
-c2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5uZXQgQ0ExHjAcBgNVBAMMFXNr
-cy1rZXlzZXJ2ZXJzLm5ldCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
-ggIBANdsWy4PXWNUCkS3L//nrd0GqN3dVwoBGZ6w94Tw2jPDPifegwxQozFXkG6I
-6A4TK1CJLXPvfz0UP0aBYyPmTNadDinaB9T4jIwd4rnxl+59GiEmqkN3IfPsv5Jj
-MkKUmJnvOT0DEVlEaO1UZIwx5WpfprB3mR81/qm4XkAgmYrmgnLXd/pJDAMk7y1F
-45b5zWofiD5l677lplcIPRbFhpJ6kDTODXh/XEdtF71EAeaOdEGOvyGDmCO0GWqS
-FDkMMPTlieLA/0rgFTcz4xwUYj/cD5e0ZBuSkYsYFAU3hd1cGfBue0cPZaQH2HYx
-Qk4zXD8S3F4690fRhr+tki5gyG6JDR67aKp3BIGLqm7f45WkX1hYp+YXywmEziM4
-aSbGYhx8hoFGfq9UcfPEvp2aoc8u5sdqjDslhyUzM1v3m3ZGbhwEOnVjljY6JJLx
-MxagxnZZSAY424ZZ3t71E/Mn27dm2w+xFRuoy8JEjv1d+BT3eChM5KaNwrj0IO/y
-u8kFIgWYA1vZ/15qMT+tyJTfyrNVV/7Df7TNeWyNqjJ5rBmt0M6NpHG7CrUSkBy9
-p8JhimgjP5r0FlEkgg+lyD+V79H98gQfVgP3pbJICz0SpBQf2F/2tyS4rLm+49rP
-fcOajiXEuyhpcmzgusAj/1FjrtlynH1r9mnNaX4e+rLWzvU5AgMBAAGjUDBOMB0G
-A1UdDgQWBBTkwyoJFGfYTVISTpM8E+igjdq28zAfBgNVHSMEGDAWgBTkwyoJFGfY
-TVISTpM8E+igjdq28zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4ICAQAR
-OXnYwu3g1ZjHyley3fZI5aLPsaE17cOImVTehC8DcIphm2HOMR/hYTTL+V0G4P+u
-gH+6xeRLKSHMHZTtSBIa6GDL03434y9CBuwGvAFCMU2GV8w92/Z7apkAhdLToZA/
-X/iWP2jeaVJhxgEcH8uPrnSlqoPBcKC9PrgUzQYfSZJkLmB+3jEa3HKruy1abJP5
-gAdQvwvcPpvYRnIzUc9fZODsVmlHVFBCl2dlu/iHh2h4GmL4Da2rRkUMlbVTdioB
-UYIvMycdOkpH5wJftzw7cpjsudGas0PARDXCFfGyKhwBRFY7Xp7lbjtU5Rz0Gc04
-lPrhDf0pFE98Aw4jJRpFeWMjpXUEaG1cq7D641RpgcMfPFvOHY47rvDTS7XJOaUT
-BwRjmDt896s6vMDcaG/uXJbQjuzmmx3W2Idyh3s5SI0GTHb0IwMKYb4eBUIpQOnB
-cE77VnCYqKvN1NVYAqhWjXbY7XasZvszCRcOG+W3FqNaHOK/n/0ueb0uijdLan+U
-f4p1bjbAox8eAOQS/8a3bzkJzdyBNUKGx1BIK2IBL9bn/HravSDOiNRSnZ/R3l9G
-ZauX0tu7IIDlRCILXSyeazu0aj/vdT3YFQXPcvt5Fkf5wiNTo53f72/jYEJd6qph
-WrpoKqrwGwTpRUCMhYIUt65hsTxCiJJ5nKe39h46sg==
------END CERTIFICATE-----
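Review bot: the blob id 24a2ad2 here matches the one created by 0005 (index 0000000..24a2ad2), so this is a byte-identical move from debian/ into the patched source tree rather than a certificate change, which is the right way to show nothing was altered in transit. Decoding the validity fields of this PEM gives notBefore 2012-10-09 and notAfter 2022-10-07, so the default trust anchor has a fixed expiry; recording that in the changelog would make sure the packaging is revisited before the pool CA rolls over.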
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git