[Pkg-gnupg-commit] [gnupg2] 02/03: more patches from upstream

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Sep 14 21:25:59 UTC 2016


This is an automated email from the git hooks/post-receive script.

dkg pushed a commit to branch master
in repository gnupg2.

commit 4fadb524f18949ecd75fea73afcf8b762069b79e
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date:   Wed Sep 14 16:46:36 2016 -0400

    more patches from upstream
---
 ...cryption-of-R-work-w-o-try-secret-key-or-.patch |  45 ++++
 ...se-negatives-in-Ed25519-signature-verific.patch | 193 ++++++++++++++++++
 .../0010-agent-invoke-scdaemon-with-homedir.patch  |  63 ++++++
 .../0011-scd-Clean-up-unused-shutdown-method.patch | 199 ++++++++++++++++++
 ...elease-the-card-reader-after-card-removal.patch |  30 +++
 ...-common-Check-read-errors-in-name-value.c.patch |  36 ++++
 ...0014-scd-Fix-an-action-after-card-removal.patch |  51 +++++
 ...nate-on-deletion-of-the-socket-file-Linux.patch | 161 +++++++++++++++
 ...minate-on-deletion-of-the-socket-file-Lin.patch | 226 +++++++++++++++++++++
 .../0017-gpg-Make-output-work-with-verify.patch    |  57 ++++++
 ...18-gpg-Add-options-output-and-yes-to-gpgv.patch |  96 +++++++++
 .../0019-gpg-Remove-option-yes-from-gpgv.patch     |  73 +++++++
 ...nt-fingerprint-regardless-of-keyid-format.patch |  61 ++++++
 ...-spelling-conenction-should-be-connection.patch |  38 ++++
 debian/patches/series                              |  14 ++
 15 files changed, 1343 insertions(+)

diff --git a/debian/patches/0008-gpg-Make-decryption-of-R-work-w-o-try-secret-key-or-.patch b/debian/patches/0008-gpg-Make-decryption-of-R-work-w-o-try-secret-key-or-.patch
new file mode 100644
index 0000000..77cbf78
--- /dev/null
+++ b/debian/patches/0008-gpg-Make-decryption-of-R-work-w-o-try-secret-key-or-.patch
@@ -0,0 +1,45 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Mon, 29 Aug 2016 07:55:06 +0200
+Subject: gpg: Make decryption of -R work w/o --try-secret-key or
+ --default-key.
+
+* g10/getkey.c (enum_secret_keys): At state 3 enumerate the keys in all
+cases not just when --try-all-secrets is used.
+--
+
+Regression-due-to: 82b90eee100cf1c9680517059b2d35e295dd992a
+Reported-by: Carola Grunwald
+Signed-off-by: Werner Koch <wk at gnupg.org>
+---
+ g10/getkey.c | 17 +++++++----------
+ 1 file changed, 7 insertions(+), 10 deletions(-)
+
+diff --git a/g10/getkey.c b/g10/getkey.c
+index 90083ba..8b17598 100644
+--- a/g10/getkey.c
++++ b/g10/getkey.c
+@@ -3620,17 +3620,14 @@ enum_secret_keys (ctrl_t ctrl, void **context, PKT_public_key *sk)
+                     c->state++;
+                   break;
+ 
+-                case 3: /* Init search context to try all keys.  */
+-                  if (opt.try_all_secrets)
++                case 3: /* Init search context to enum all secret keys.  */
++                  err = getkey_bynames (&c->ctx, NULL, NULL, 1, &keyblock);
++                  if (err)
+                     {
+-                      err = getkey_bynames (&c->ctx, NULL, NULL, 1, &keyblock);
+-                      if (err)
+-                        {
+-                          release_kbnode (keyblock);
+-                          keyblock = NULL;
+-                          getkey_end (c->ctx);
+-                          c->ctx = NULL;
+-                        }
++                      release_kbnode (keyblock);
++                      keyblock = NULL;
++                      getkey_end (c->ctx);
++                      c->ctx = NULL;
+                     }
+                   c->state++;
+                   break;
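Review bot: In `case 3` of enum_secret_keys the error returned by `getkey_bynames` is cleaned up and then dropped; nothing in the hunk logs or returns `err` before `c->state++`. That path used to run only with --try-all-secrets and now runs on every pass through state 3, so a failed keyring lookup cannot be told apart from "no secret keys" on the default decryption path. If ignoring it is deliberate, a comment such as `/* ERR is ignored on purpose; without a context the next state ends the enumeration. */` would record that. The code that consumes `c->ctx` lies outside the hunk, so the wording should be checked against it. Since `opt.try_all_secrets` is no longer consulted here, the option's documentation should be checked as well.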
diff --git a/debian/patches/0009-gpg-Fix-false-negatives-in-Ed25519-signature-verific.patch b/debian/patches/0009-gpg-Fix-false-negatives-in-Ed25519-signature-verific.patch
new file mode 100644
index 0000000..f2ddc08
--- /dev/null
+++ b/debian/patches/0009-gpg-Fix-false-negatives-in-Ed25519-signature-verific.patch
@@ -0,0 +1,193 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Thu, 25 Aug 2016 15:18:51 +0200
+Subject: gpg: Fix false negatives in Ed25519 signature verification.
+
+* g10/pkglue.c (pk_verify): Fix Ed25519 signatrue values.
+* tests/openpgp/verify.scm (msg_ed25519_rshort): New
+(msg_ed25519_sshort): New.
+("Checking that a valid Ed25519 signature is verified as such"): New.
+--
+
+About one out of 256 signature won't verify due to stripped zero
+bytes.  See the source comment for details.
+
+Reported-by: Andre Heinecke
+Signed-off-by: Werner Koch <wk at gnupg.org>
+---
+ g10/pkglue.c             | 58 ++++++++++++++++++++++++++++++++++++--
+ tests/openpgp/verify.scm | 73 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 128 insertions(+), 3 deletions(-)
+
+diff --git a/g10/pkglue.c b/g10/pkglue.c
+index 232c489..35c4cd1 100644
+--- a/g10/pkglue.c
++++ b/g10/pkglue.c
+@@ -58,6 +58,7 @@ pk_verify (pubkey_algo_t pkalgo, gcry_mpi_t hash,
+ {
+   gcry_sexp_t s_sig, s_hash, s_pkey;
+   int rc;
++  unsigned int neededfixedlen = 0;
+ 
+   /* Make a sexp from pkey.  */
+   if (pkalgo == PUBKEY_ALGO_DSA)
+@@ -103,6 +104,9 @@ pk_verify (pubkey_algo_t pkalgo, gcry_mpi_t hash,
+                                 curve, pkey[1]);
+           xfree (curve);
+         }
++
++      if (openpgp_oid_is_ed25519 (pkey[0]))
++        neededfixedlen = 256 / 8;
+     }
+   else
+     return GPG_ERR_PUBKEY_ALGO;
+@@ -144,11 +148,59 @@ pk_verify (pubkey_algo_t pkalgo, gcry_mpi_t hash,
+     }
+   else if (pkalgo == PUBKEY_ALGO_EDDSA)
+     {
+-      if (!data[0] || !data[1])
++      gcry_mpi_t r = data[0];
++      gcry_mpi_t s = data[1];
++      size_t rlen, slen, n;  /* (bytes) */
++      char buf[64];
++
++      log_assert (neededfixedlen <= sizeof buf);
++
++      if (!r || !s)
++        rc = gpg_error (GPG_ERR_BAD_MPI);
++      else if ((rlen = (gcry_mpi_get_nbits (r)+7)/8) > neededfixedlen || !rlen)
++        rc = gpg_error (GPG_ERR_BAD_MPI);
++      else if ((slen = (gcry_mpi_get_nbits (s)+7)/8) > neededfixedlen || !slen)
+         rc = gpg_error (GPG_ERR_BAD_MPI);
+       else
+-        rc = gcry_sexp_build (&s_sig, NULL,
+-                              "(sig-val(eddsa(r%M)(s%M)))", data[0], data[1]);
++        {
++          /* We need to fixup the length in case of leading zeroes.
++           * OpenPGP does not allow leading zeroes and the parser for
++           * the signature packet has no information on the use curve,
++           * thus we need to do it here.  We won't do it for opaque
++           * MPIs under the assumption that they are known to be fine;
++           * we won't see them here anyway but the check is anyway
++           * required.  Fixme: A nifty feature for gcry_sexp_build
++           * would be a format to left pad the value (e.g. "%*M"). */
++          rc = 0;
++
++          if (rlen < neededfixedlen
++              && !gcry_mpi_get_flag (r, GCRYMPI_FLAG_OPAQUE)
++              && !(rc=gcry_mpi_print (GCRYMPI_FMT_USG, buf, sizeof buf, &n, r)))
++            {
++              log_assert (n < neededfixedlen);
++              memmove (buf + (neededfixedlen - n), buf, n);
++              memset (buf, 0, neededfixedlen - n);
++              r = gcry_mpi_set_opaque_copy (NULL, buf, neededfixedlen * 8);
++            }
++          if (slen < neededfixedlen
++              && !gcry_mpi_get_flag (s, GCRYMPI_FLAG_OPAQUE)
++              && !(rc=gcry_mpi_print (GCRYMPI_FMT_USG, buf, sizeof buf, &n, s)))
++            {
++              log_assert (n < neededfixedlen);
++              memmove (buf + (neededfixedlen - n), buf, n);
++              memset (buf, 0, neededfixedlen - n);
++              s = gcry_mpi_set_opaque_copy (NULL, buf, neededfixedlen * 8);
++            }
++
++          if (!rc)
++            rc = gcry_sexp_build (&s_sig, NULL,
++                                  "(sig-val(eddsa(r%M)(s%M)))", r, s);
++
++          if (r != data[0])
++            gcry_mpi_release (r);
++          if (s != data[1])
++            gcry_mpi_release (s);
++        }
+     }
+   else if (pkalgo == PUBKEY_ALGO_ELGAMAL || pkalgo == PUBKEY_ALGO_ELGAMAL_E)
+     {
+diff --git a/tests/openpgp/verify.scm b/tests/openpgp/verify.scm
+index de03db5..2f03027 100755
+--- a/tests/openpgp/verify.scm
++++ b/tests/openpgp/verify.scm
+@@ -236,6 +236,67 @@ FWIAQUplk7JWbyRKAJ92ZJyJpWfzb0yc1s7MY65r2qEHrg==
+ ;; Two clear text signatures in a row
+ (define msg_clsclss_asc_multiple (string-append msg_cls_asc msg_clss_asc))
+ 
++
++;; An Ed25519 cleartext message with an R parameter of only 247 bits
++;; so that the code to re-insert the stripped zero byte kicks in.  The
++;; S parameter has 253 bits but that does not strip a full byte.
++(define msg_ed25519_rshort "
++-----BEGIN PGP SIGNED MESSAGE-----
++Hash: SHA256
++
++Dear Emily:
++	I'm still confused as to what groups articles should be posted
++to.  How about an example?
++		-- Still Confused
++
++Dear Still:
++	Ok.  Let's say you want to report that Gretzky has been traded from
++the Oilers to the Kings.  Now right away you might think rec.sport.hockey
++would be enough.  WRONG.  Many more people might be interested.  This is a
++big trade!  Since it's a NEWS article, it belongs in the news.* hierarchy
++as well.  If you are a news admin, or there is one on your machine, try
++news.admin.  If not, use news.misc.
++	The Oilers are probably interested in geology, so try sci.physics.
++He is a big star, so post to sci.astro, and sci.space because they are also
++interested in stars.  Next, his name is Polish sounding.  So post to
++soc.culture.polish.  But that group doesn't exist, so cross-post to
++news.groups suggesting it should be created.  With this many groups of
++interest, your article will be quite bizarre, so post to talk.bizarre as
++well.  (And post to comp.std.mumps, since they hardly get any articles
++there, and a \"comp\" group will propagate your article further.)
++	You may also find it is more fun to post the article once in each
++group.  If you list all the newsgroups in the same article, some newsreaders
++will only show the the article to the reader once!  Don't tolerate this.
++		-- Emily Postnews Answers Your Questions on Netiquette
++-----BEGIN PGP SIGNATURE-----
++
++iJEEARYIADoWIQSyHeq0+HX7PaQvHR0TlWNoKgINCgUCV772DhwccGF0cmljZS5s
++dW11bWJhQGV4YW1wbGUubmV0AAoJEBOVY2gqAg0KMAIA90EtUwAja0iJGpO91wyz
++GLh9pS5v495V0r94yU6uUyUA/RT/StyPWe1wbnEZuacZnLbUV6Yy/aTXCVAlxf0r
++TusO
++=vQ3f
++-----END PGP SIGNATURE-----
++")
++
++;; An Ed25519 cleartext message with an S parameter of only 248 bits
++;; so that the code to re-insert the stripped zero byte kicks in.
++(define msg_ed25519_sshort "
++-----BEGIN PGP SIGNED MESSAGE-----
++Hash: SHA256
++
++All articles that coruscate with resplendence are not truly auriferous.
++-----BEGIN PGP SIGNATURE-----
++
++iJEEARYIADoWIQSyHeq0+HX7PaQvHR0TlWNoKgINCgUCV771QhwccGF0cmljZS5s
++dW11bWJhQGV4YW1wbGUubmV0AAoJEBOVY2gqAg0KHVEBAI66OPDYXKWO3r6SaFT+
++uxmh8x4ZerW41vMA9gkJ4AEKAPjoe/Z7fDqo1lCptIFutFAGbfNxcm/53prfx2fT
++GisM
++=L7sk
++-----END PGP SIGNATURE-----
++")
++
++
++
+ ;; Fixme:  We need more tests with manipulated cleartext signatures.
+ 
+ ;;
+@@ -272,3 +333,15 @@ FWIAQUplk7JWbyRKAJ92ZJyJpWfzb0yc1s7MY65r2qEHrg==
+ 	   (pipe:spawn `(, at GPG --verify)))
+ 	  (error "verification succeded but should not")))
+  '(bad_ls_asc bad_fols_asc bad_olsf_asc bad_ools_asc))
++
++
++;;; Need to import the ed25519 sample key used for
++;;; the next two tests.
++(call-check `(, at GPG --quiet --yes --import ,(in-srcdir key-file2)))
++(for-each-p
++ "Checking that a valid Ed25519 signature is verified as such"
++ (lambda (armored-file)
++   (pipe:do
++    (pipe:echo (eval armored-file (current-environment)))
++    (pipe:spawn `(, at GPG --verify))))
++ '(msg_ed25519_rshort msg_ed25519_sshort))
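Review bot: In the EdDSA branch of pk_verify (g10/pkglue.c) the result of `gcry_mpi_set_opaque_copy` is not checked, so if the copy fails and returns NULL, that NULL `r` or `s` is handed to `gcry_sexp_build` through `%M`. Adding `if (!r) rc = gpg_error_from_syserror ();` after the first copy, and the same for `s`, would cover it. The second fix-up block assigns `rc` from its own `gcry_mpi_print` call and so overwrites an error left by the `r` block; starting that condition with `!rc &&` keeps the first failure. Separately, `neededfixedlen` stays 0 for any EdDSA curve other than Ed25519, so the length checks reject those signatures with GPG_ERR_BAD_MPI; a one-line comment saying this is intended would help the next reader.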
diff --git a/debian/patches/0010-agent-invoke-scdaemon-with-homedir.patch b/debian/patches/0010-agent-invoke-scdaemon-with-homedir.patch
new file mode 100644
index 0000000..7e89ed7
--- /dev/null
+++ b/debian/patches/0010-agent-invoke-scdaemon-with-homedir.patch
@@ -0,0 +1,63 @@
+From: NIIBE Yutaka <gniibe at fsij.org>
+Date: Fri, 2 Sep 2016 13:41:19 +0900
+Subject: agent: invoke scdaemon with --homedir.
+
+* agent/call-scd.c (start_scd): Supply --homedir option when it's not
+default homedir.
+
+--
+
+Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
+---
+ agent/call-scd.c | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/agent/call-scd.c b/agent/call-scd.c
+index b776840..934ab4c 100644
+--- a/agent/call-scd.c
++++ b/agent/call-scd.c
+@@ -195,10 +195,11 @@ start_scd (ctrl_t ctrl)
+   gpg_error_t err = 0;
+   const char *pgmname;
+   assuan_context_t ctx = NULL;
+-  const char *argv[3];
++  const char *argv[5];
+   assuan_fd_t no_close_list[3];
+   int i;
+   int rc;
++  char *abs_homedir = NULL;
+ 
+   if (opt.disable_scdaemon)
+     return gpg_error (GPG_ERR_NOT_SUPPORTED);
+@@ -313,7 +314,22 @@ start_scd (ctrl_t ctrl)
+ 
+   argv[0] = pgmname;
+   argv[1] = "--multi-server";
+-  argv[2] = NULL;
++  if (gnupg_default_homedir_p ())
++    argv[2] = NULL;
++  else
++    {
++      abs_homedir = make_absfilename_try (gnupg_homedir (), NULL);
++      if (!abs_homedir)
++        {
++          log_error ("error building filename: %s\n",
++                     gpg_strerror (gpg_error_from_syserror ()));
++          goto leave;
++        }
++
++      argv[2] = "--homedir";
++      argv[3] = abs_homedir;
++      argv[4] = NULL;
++    }
+ 
+   i=0;
+   if (!opt.running_detached)
+@@ -393,6 +409,7 @@ start_scd (ctrl_t ctrl)
+   primary_scd_ctx_reusable = 0;
+ 
+  leave:
++  xfree (abs_homedir);
+   if (err)
+     {
+       unlock_scd (ctrl, err);
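Review bot: The failure branch after `make_absfilename_try` in start_scd jumps to `leave` without assigning `err`, while `leave` chooses between cleanup and the normal path with `if (err)`. If `err` is still 0 at that point (its earlier assignments are outside the hunk), the function skips `unlock_scd` and returns through the non-error path although no arguments were built. Assign it first, `err = gpg_error_from_syserror ();`, and log `gpg_strerror (err)`; this also captures errno before `log_error` can change it.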
diff --git a/debian/patches/0011-scd-Clean-up-unused-shutdown-method.patch b/debian/patches/0011-scd-Clean-up-unused-shutdown-method.patch
new file mode 100644
index 0000000..63b363e
--- /dev/null
+++ b/debian/patches/0011-scd-Clean-up-unused-shutdown-method.patch
@@ -0,0 +1,199 @@
+From: NIIBE Yutaka <gniibe at fsij.org>
+Date: Fri, 2 Sep 2016 13:58:33 +0900
+Subject: scd: Clean up unused shutdown method.
+
+* scd/apdu.c (shutdown_ccid_reader, apdu_shutdown_reader): Remove.
+(reset_ccid_reader): Don't set shutdown_reader.
+* scd/ccid-driver.c (ccid_shutdown_reader): Remove.
+
+--
+
+Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
+---
+ scd/apdu.c        | 48 -------------------------------------
+ scd/apdu.h        |  1 -
+ scd/ccid-driver.c | 72 -------------------------------------------------------
+ 3 files changed, 121 deletions(-)
+
+diff --git a/scd/apdu.c b/scd/apdu.c
+index 268a2c6..c139d76 100644
+--- a/scd/apdu.c
++++ b/scd/apdu.c
+@@ -101,7 +101,6 @@ struct reader_table_s {
+   int (*connect_card)(int);
+   int (*disconnect_card)(int);
+   int (*close_reader)(int);
+-  int (*shutdown_reader)(int);
+   int (*reset_reader)(int);
+   int (*get_status_reader)(int, unsigned int *);
+   int (*send_apdu_reader)(int,unsigned char *,size_t,
+@@ -462,7 +461,6 @@ new_reader_slot (void)
+   reader_table[reader].connect_card = NULL;
+   reader_table[reader].disconnect_card = NULL;
+   reader_table[reader].close_reader = NULL;
+-  reader_table[reader].shutdown_reader = NULL;
+   reader_table[reader].reset_reader = NULL;
+   reader_table[reader].get_status_reader = NULL;
+   reader_table[reader].send_apdu_reader = NULL;
+@@ -2476,14 +2474,6 @@ close_ccid_reader (int slot)
+ 
+ 
+ static int
+-shutdown_ccid_reader (int slot)
+-{
+-  ccid_shutdown_reader (reader_table[slot].ccid.handle);
+-  return 0;
+-}
+-
+-
+-static int
+ reset_ccid_reader (int slot)
+ {
+   int err;
+@@ -2649,7 +2639,6 @@ open_ccid_reader (const char *portstr)
+     }
+ 
+   reader_table[slot].close_reader = close_ccid_reader;
+-  reader_table[slot].shutdown_reader = shutdown_ccid_reader;
+   reader_table[slot].reset_reader = reset_ccid_reader;
+   reader_table[slot].get_status_reader = get_status_ccid;
+   reader_table[slot].send_apdu_reader = send_apdu_ccid;
+@@ -3264,43 +3253,6 @@ apdu_prepare_exit (void)
+ }
+ 
+ 
+-/* Shutdown a reader; that is basically the same as a close but keeps
+-   the handle ready for later use. A apdu_reset_reader or apdu_connect
+-   should be used to get it active again. */
+-int
+-apdu_shutdown_reader (int slot)
+-{
+-  int sw;
+-
+-  if (DBG_READER)
+-    log_debug ("enter: apdu_shutdown_reader: slot=%d\n", slot);
+-
+-  if (slot < 0 || slot >= MAX_READER || !reader_table[slot].used )
+-    {
+-      if (DBG_READER)
+-        log_debug ("leave: apdu_shutdown_reader => SW_HOST_NO_DRIVER\n");
+-      return SW_HOST_NO_DRIVER;
+-    }
+-  sw = apdu_disconnect (slot);
+-  if (sw)
+-    {
+-      if (DBG_READER)
+-        log_debug ("leave: apdu_shutdown_reader => 0x%x (apdu_disconnect)\n",
+-                   sw);
+-      return sw;
+-    }
+-  if (reader_table[slot].shutdown_reader)
+-    {
+-      sw = reader_table[slot].shutdown_reader (slot);
+-      if (DBG_READER)
+-        log_debug ("leave: apdu_shutdown_reader => 0x%x (close_reader)\n", sw);
+-      return sw;
+-    }
+-  if (DBG_READER)
+-    log_debug ("leave: apdu_shutdown_reader => SW_HOST_NOT_SUPPORTED\n");
+-  return SW_HOST_NOT_SUPPORTED;
+-}
+-
+ /* Enumerate all readers and return information on whether this reader
+    is in use.  The caller should start with SLOT set to 0 and
+    increment it with each call until an error is returned. */
+diff --git a/scd/apdu.h b/scd/apdu.h
+index 1694eac..7ca4c14 100644
+--- a/scd/apdu.h
++++ b/scd/apdu.h
+@@ -96,7 +96,6 @@ int apdu_open_remote_reader (const char *portstr,
+                              void *writefnc_value,
+                              void (*closefnc) (void *opaque),
+                              void *closefnc_value);
+-int apdu_shutdown_reader (int slot);
+ int apdu_close_reader (int slot);
+ void apdu_prepare_exit (void);
+ int apdu_enum_reader (int slot, int *used);
+diff --git a/scd/ccid-driver.c b/scd/ccid-driver.c
+index b1523cb..478e038 100644
+--- a/scd/ccid-driver.c
++++ b/scd/ccid-driver.c
+@@ -1717,78 +1717,6 @@ do_close_reader (ccid_driver_t handle)
+ }
+ 
+ 
+-/* Reset a reader on HANDLE.  This is useful in case a reader has been
+-   plugged of and inserted at a different port.  By resetting the
+-   handle, the same reader will be get used.  Note, that on error the
+-   handle won't get released.
+-
+-   This does not return an ATR, so ccid_get_atr should be called right
+-   after this one.
+-*/
+-int
+-ccid_shutdown_reader (ccid_driver_t handle)
+-{
+-  int rc = 0;
+-  libusb_device_handle *idev = NULL;
+-  unsigned char *ifcdesc_extra = NULL;
+-  size_t ifcdesc_extra_len;
+-  int ifc_no, ep_bulk_out, ep_bulk_in, ep_intr;
+-
+-  if (!handle || !handle->rid)
+-    return CCID_DRIVER_ERR_INV_VALUE;
+-
+-  do_close_reader (handle);
+-
+-  if (scan_or_find_devices (-1, handle->rid, NULL, NULL,
+-                            &ifcdesc_extra, &ifcdesc_extra_len,
+-                            &ifc_no, &ep_bulk_out, &ep_bulk_in, &ep_intr,
+-                            &idev, NULL) || !idev)
+-    {
+-      DEBUGOUT_1 ("no CCID reader with ID %s\n", handle->rid);
+-      return CCID_DRIVER_ERR_NO_READER;
+-    }
+-
+-  if (idev)
+-    {
+-      handle->idev = idev;
+-      handle->ifc_no = ifc_no;
+-      handle->ep_bulk_out = ep_bulk_out;
+-      handle->ep_bulk_in = ep_bulk_in;
+-      handle->ep_intr = ep_intr;
+-
+-      if (parse_ccid_descriptor (handle, ifcdesc_extra, ifcdesc_extra_len))
+-        {
+-          DEBUGOUT ("device not supported\n");
+-          rc = CCID_DRIVER_ERR_NO_READER;
+-          goto leave;
+-        }
+-
+-      rc = libusb_claim_interface (idev, ifc_no);
+-      if (rc)
+-        {
+-          DEBUGOUT_1 ("usb_claim_interface failed: %d\n", rc);
+-          rc = CCID_DRIVER_ERR_CARD_IO_ERROR;
+-          goto leave;
+-        }
+-    }
+-
+- leave:
+-  free (ifcdesc_extra);
+-  if (rc)
+-    {
+-      if (handle->idev)
+-        libusb_close (handle->idev);
+-      handle->idev = NULL;
+-      if (handle->dev_fd != -1)
+-        close (handle->dev_fd);
+-      handle->dev_fd = -1;
+-    }
+-
+-  return rc;
+-
+-}
+-
+-
+ int
+ ccid_set_progress_cb (ccid_driver_t handle,
+                       void (*cb)(void *, const char *, int, int, int),
diff --git a/debian/patches/0012-scd-Release-the-card-reader-after-card-removal.patch b/debian/patches/0012-scd-Release-the-card-reader-after-card-removal.patch
new file mode 100644
index 0000000..a9351ae
--- /dev/null
+++ b/debian/patches/0012-scd-Release-the-card-reader-after-card-removal.patch
@@ -0,0 +1,30 @@
+From: NIIBE Yutaka <gniibe at fsij.org>
+Date: Fri, 2 Sep 2016 14:45:26 +0900
+Subject: scd: Release the card reader after card removal.
+
+* scd/command.c (update_reader_status_file): Call apdu_close_reader.
+
+--
+
+GnuPG-bug-id: 2651
+Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
+---
+ scd/command.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/scd/command.c b/scd/command.c
+index 239480b..2909330 100644
+--- a/scd/command.c
++++ b/scd/command.c
+@@ -2340,7 +2340,10 @@ update_reader_status_file (int set_card_removed_flag)
+ 
+           /* Set the card removed flag for all current sessions.  */
+           if (vr->any && vr->status == 0 && set_card_removed_flag)
+-            update_card_removed (idx, 1);
++	    {
++              apdu_close_reader (vr->slot);
++              update_card_removed (idx, 1);
++	    }
+ 
+           vr->any = 1;
+ 
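Review bot: The return value of `apdu_close_reader (vr->slot)` is discarded in update_reader_status_file, although scd/apdu.h declares the function as returning int. A failed close may leave the reader held, which is the condition this patch sets out to clear, so the result should at least be logged, e.g. `if (apdu_close_reader (vr->slot)) log_info ("closing reader failed\n");`. Patch 0014 moves the same unchecked call into update_card_removed. The added braces are indented with a tab while the neighbouring lines use spaces.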
diff --git a/debian/patches/0013-common-Check-read-errors-in-name-value.c.patch b/debian/patches/0013-common-Check-read-errors-in-name-value.c.patch
new file mode 100644
index 0000000..65bc845
--- /dev/null
+++ b/debian/patches/0013-common-Check-read-errors-in-name-value.c.patch
@@ -0,0 +1,36 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Fri, 2 Sep 2016 15:33:34 +0200
+Subject: common: Check read errors in name-value.c
+
+* common/name-value.c: Check for read errors.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+---
+ common/name-value.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/common/name-value.c b/common/name-value.c
+index 0b32a44..ebc48e5 100644
+--- a/common/name-value.c
++++ b/common/name-value.c
+@@ -665,7 +665,7 @@ do_nvc_parse (nvc_t *result, int *errlinep, estream_t stream,
+ 
+   if (errlinep)
+     *errlinep = 0;
+-  while ((len = es_read_line (stream, &buf, &buf_len, NULL)))
++  while ((len = es_read_line (stream, &buf, &buf_len, NULL)) > 0)
+     {
+       char *p;
+       if (errlinep)
+@@ -735,6 +735,11 @@ do_nvc_parse (nvc_t *result, int *errlinep, estream_t stream,
+ 	  goto leave;
+ 	}
+     }
++  if (len < 0)
++    {
++      err = gpg_error_from_syserror ();
++      goto leave;
++    }
+ 
+   /* Add the final entry.  */
+   if (raw_value)
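Review bot: Both new comparisons in do_nvc_parse, `> 0` in the loop condition and `len < 0` after the loop, work only if `len` is a signed type; its declaration is outside the hunk. If it is `size_t`, the error branch is dead code and a failed read would still enter the loop body, so confirm it is `ssize_t`. A short comment above the new check, e.g. `/* es_read_line returns a negative value on a read error. */`, would explain why the loop no longer tests plain truthiness.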
diff --git a/debian/patches/0014-scd-Fix-an-action-after-card-removal.patch b/debian/patches/0014-scd-Fix-an-action-after-card-removal.patch
new file mode 100644
index 0000000..d699060
--- /dev/null
+++ b/debian/patches/0014-scd-Fix-an-action-after-card-removal.patch
@@ -0,0 +1,51 @@
+From: NIIBE Yutaka <gniibe at fsij.org>
+Date: Sat, 3 Sep 2016 15:27:30 +0900
+Subject: scd: Fix an action after card removal.
+
+* scd/command.c (update_card_removed): Call apdu_close_reader here.
+
+--
+
+This is update of the commit 8fe81055762d9c9e6f03fb7853a985c94ef73ac3
+It is better apdu_close_reader is called in update_card_removed.
+
+The commit 1598a4476466822e7e9c757ac471089d3db4b545 introduced a
+regression, it doesn't close the reader after removal of the card, while
+the code before the commit call apdu_close_reader in do_reset.
+So, this fix.
+
+GnuPG-bug-id: 2449
+Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
+---
+ scd/command.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/scd/command.c b/scd/command.c
+index 2909330..9d978ab 100644
+--- a/scd/command.c
++++ b/scd/command.c
+@@ -223,8 +223,11 @@ update_card_removed (int vrdr, int value)
+   /* Let the card application layer know about the removal.  */
+   if (value)
+     {
++      int slot = vreader_slot (vrdr);
++
+       log_debug ("Removal of a card: %d\n", vrdr);
+-      application_notify_card_reset (vreader_slot (vrdr));
++      apdu_close_reader (slot);
++      application_notify_card_reset (slot);
+       vreader_table[vrdr].slot = -1;
+     }
+ }
+@@ -2340,10 +2343,7 @@ update_reader_status_file (int set_card_removed_flag)
+ 
+           /* Set the card removed flag for all current sessions.  */
+           if (vr->any && vr->status == 0 && set_card_removed_flag)
+-	    {
+-              apdu_close_reader (vr->slot);
+-              update_card_removed (idx, 1);
+-	    }
++            update_card_removed (idx, 1);
+ 
+           vr->any = 1;
+ 
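Review bot: update_card_removed now passes `slot` to `apdu_close_reader` without a range check, and the same function sets `vreader_table[vrdr].slot = -1` a few lines later. If `vreader_slot` returns that stored value (its body is not in the hunk), a second removal notification for the same `vrdr` would call `apdu_close_reader (-1)`. Either guard the call, `if (slot >= 0) apdu_close_reader (slot);`, or add a comment stating that apdu_close_reader validates the slot itself. The reader is also closed before `application_notify_card_reset (slot)` runs; if that handler can still touch the reader, the two calls should be swapped.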
diff --git a/debian/patches/0015-agent-Terminate-on-deletion-of-the-socket-file-Linux.patch b/debian/patches/0015-agent-Terminate-on-deletion-of-the-socket-file-Linux.patch
new file mode 100644
index 0000000..90de7c1
--- /dev/null
+++ b/debian/patches/0015-agent-Terminate-on-deletion-of-the-socket-file-Linux.patch
@@ -0,0 +1,161 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Tue, 6 Sep 2016 10:53:45 +0200
+Subject: agent: Terminate on deletion of the socket file (Linux only).
+
+* configure.ac (AC_CHECK_FUNCS): Chec for inotify_init.
+* agent/gpg-agent.c [HAVE_INOTIFY_INIT]: Include sys/inotify.h.
+(my_inotify_is_name) [HAVE_INOTIFY_INIT]: New.
+(handle_connections) [HAVE_INOTIFY_INIT]: New.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+---
+ agent/gpg-agent.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ configure.ac      |  8 ++++++
+ 2 files changed, 82 insertions(+)
+
+diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
+index 42073d9..07e75c0 100644
+--- a/agent/gpg-agent.c
++++ b/agent/gpg-agent.c
+@@ -47,6 +47,9 @@
+ #ifdef HAVE_SIGNAL_H
+ # include <signal.h>
+ #endif
++#ifdef HAVE_INOTIFY_INIT
++# include <sys/inotify.h>
++#endif /*HAVE_INOTIFY_INIT*/
+ #include <npth.h>
+ #ifdef HAVE_PRCTL
+ # include <sys/prctl.h>
+@@ -2407,6 +2410,31 @@ start_connection_thread_ssh (void *arg)
+ }
+ 
+ 
++#ifdef HAVE_INOTIFY_INIT
++/* Read an inotify event and return true if it matches NAME.  */
++static int
++my_inotify_is_name (int fd, const char *name)
++{
++  union {
++    struct inotify_event ev;
++    char _buf[sizeof (struct inotify_event) + 100 + 1];
++  } buf;
++  int n;
++
++  n = npth_read (fd, &buf, sizeof buf);
++  if (n < sizeof (struct inotify_event))
++    return 0;
++  if (buf.ev.len < strlen (name)+1)
++    return 0;
++  if (strcmp (buf.ev.name, name))
++    return 0; /* Not the desired file.  */
++
++  return 1; /* Found.  */
++}
++#endif /*HAVE_INOTIFY_INIT*/
++
++
++
+ /* Connection handler loop.  Wait for connection requests and spawn a
+    thread after accepting a connection.  */
+ static void
+@@ -2430,6 +2458,9 @@ handle_connections (gnupg_fd_t listen_fd,
+   HANDLE events[2];
+   unsigned int events_set;
+ #endif
++#ifdef HAVE_INOTIFY_INIT
++  int my_inotify_fd;
++#endif /*HAVE_INOTIFY_INIT*/
+   struct {
+     const char *name;
+     void *(*func) (void *arg);
+@@ -2467,6 +2498,28 @@ handle_connections (gnupg_fd_t listen_fd,
+ # endif
+ #endif
+ 
++#ifdef HAVE_INOTIFY_INIT
++  if (disable_check_own_socket)
++    my_inotify_fd = -1;
++  else if ((my_inotify_fd = inotify_init ()) == -1)
++    log_info ("error enabling fast daemon termination: %s\n",
++              strerror (errno));
++  else
++    {
++      /* We need to watch the directory for the file becuase there
++       * won't be an IN_DELETE_SELF for a socket file.  */
++      char *slash = strrchr (socket_name, '/');
++      log_assert (slash && slash[1]);
++      *slash = 0;
++      if (inotify_add_watch (my_inotify_fd, socket_name, IN_DELETE) == -1)
++        {
++          close (my_inotify_fd);
++          my_inotify_fd = -1;
++        }
++      *slash = '/';
++    }
++#endif /*HAVE_INOTIFY_INIT*/
++
+   /* On Windows we need to fire up a separate thread to listen for
+      requests from Putty (an SSH client), so we can replace Putty's
+      Pageant (its ssh-agent implementation). */
+@@ -2508,6 +2561,14 @@ handle_connections (gnupg_fd_t listen_fd,
+       if (FD2INT (listen_fd_ssh) > nfd)
+         nfd = FD2INT (listen_fd_ssh);
+     }
++#ifdef HAVE_INOTIFY_INIT
++  if (my_inotify_fd != -1)
++    {
++      FD_SET (my_inotify_fd, &fdset);
++      if (my_inotify_fd > nfd)
++        nfd = my_inotify_fd;
++    }
++#endif /*HAVE_INOTIFY_INIT*/
+ 
+   listentbl[0].l_fd = listen_fd;
+   listentbl[1].l_fd = listen_fd_extra;
+@@ -2582,6 +2643,15 @@ handle_connections (gnupg_fd_t listen_fd,
+           ctrl_t ctrl;
+           npth_t thread;
+ 
++#ifdef HAVE_INOTIFY_INIT
++          if (my_inotify_fd != -1 && FD_ISSET (my_inotify_fd, &read_fdset)
++              && my_inotify_is_name (my_inotify_fd, GPG_AGENT_SOCK_NAME))
++            {
++              shutdown_pending = 1;
++              log_info ("socket file has been removed - shutting down\n");
++            }
++#endif /*HAVE_INOTIFY_INIT*/
++
+           for (idx=0; idx < DIM(listentbl); idx++)
+             {
+               if (listentbl[idx].l_fd == GNUPG_INVALID_FD)
+@@ -2628,6 +2698,10 @@ handle_connections (gnupg_fd_t listen_fd,
+         }
+     }
+ 
++#ifdef HAVE_INOTIFY_INIT
++  if (my_inotify_fd != -1)
++    close (my_inotify_fd);
++#endif /*HAVE_INOTIFY_INIT*/
+   cleanup ();
+   log_info (_("%s %s stopped\n"), strusage(11), strusage(13));
+   npth_attr_destroy (&tattr);
+diff --git a/configure.ac b/configure.ac
+index 201b0b8..d452021 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1389,6 +1389,14 @@ AC_CHECK_FUNCS([memicmp stpcpy strsep strlwr strtoul memmove stricmp strtol \
+                 flockfile funlockfile getpwnam getpwuid \
+                 getenv inet_pton strpbrk])
+ 
++# See whether libc supports the Linux inotify interface
++case "${host}" in
++    *-*-linux*)
++        AC_CHECK_FUNCS([inotify_init])
++        ;;
++esac
++
++
+ if test "$have_android_system" = yes; then
+    # On Android ttyname is a stub but prints an error message.
+    AC_DEFINE(HAVE_BROKEN_TTYNAME,1,
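Review bot: In my_inotify_is_name (agent/gpg-agent.c) the check `n < sizeof (struct inotify_event)` compares a signed `int` with a `size_t`, so a failed `npth_read` returning -1 is converted to a large unsigned value and passes the check. `buf.ev.len` and `buf.ev.name` are then read from an uninitialised buffer. Use `if (n < 0 || (size_t)n < sizeof (struct inotify_event)) return 0;`. The function also looks only at the first event of each read, so a deletion of the socket file queued behind another IN_DELETE event in the same buffer goes unnoticed; stepping through the buffer by `sizeof (struct inotify_event) + ev.len` would close that gap. The log of patch 0016 lists the same helper for dirmngr/dirmngr.c, so the same applies there if its body matches.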
diff --git a/debian/patches/0016-dirmngr-Terminate-on-deletion-of-the-socket-file-Lin.patch b/debian/patches/0016-dirmngr-Terminate-on-deletion-of-the-socket-file-Lin.patch
new file mode 100644
index 0000000..09a0b1a
--- /dev/null
+++ b/debian/patches/0016-dirmngr-Terminate-on-deletion-of-the-socket-file-Lin.patch
@@ -0,0 +1,226 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Wed, 7 Sep 2016 12:36:48 +0200
+Subject: dirmngr: Terminate on deletion of the socket file (Linux only).
+
+* dirmngr/dirmngr.c [HAVE_INOTIFY_INIT]: Include sys/inotify.h.
+(oDisableCheckOwnSocket): New.
+(opts): Add --disable-check-own-socket.
+(disable_check_own_socket): New var.
+(parse_rereadable_options): Set that var.
+(my_inotify_is_name) [HAVE_INOTIFY_INIT]: New.
+(handle_connections) [HAVE_INOTIFY_INIT]: New.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+---
+ dirmngr/dirmngr.c | 103 +++++++++++++++++++++++++++++++++++++++++++++++++++---
+ doc/dirmngr.texi  |   6 ++++
+ 2 files changed, 105 insertions(+), 4 deletions(-)
+
+diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
+index 0667e59..4a9e638 100644
+--- a/dirmngr/dirmngr.c
++++ b/dirmngr/dirmngr.c
+@@ -39,6 +39,9 @@
+ #ifdef HAVE_SIGNAL_H
+ # include <signal.h>
+ #endif
++#ifdef HAVE_INOTIFY_INIT
++# include <sys/inotify.h>
++#endif /*HAVE_INOTIFY_INIT*/
+ #include <npth.h>
+ 
+ #include "dirmngr-err.h"
+@@ -134,6 +137,7 @@ enum cmd_and_opt_values {
+   oUseTor,
+   oKeyServer,
+   oNameServer,
++  oDisableCheckOwnSocket,
+   aTest
+ };
+ 
+@@ -218,6 +222,7 @@ static ARGPARSE_OPTS opts[] = {
+   ARGPARSE_s_i (oGnutlsDebug, "gnutls-debug", "@"),
+   ARGPARSE_s_i (oGnutlsDebug, "tls-debug", "@"),
+   ARGPARSE_s_i (oDebugWait, "debug-wait", "@"),
++  ARGPARSE_s_n (oDisableCheckOwnSocket, "disable-check-own-socket", "@"),
+   ARGPARSE_s_n (oNoGreeting, "no-greeting", "@"),
+   ARGPARSE_s_s (oHomedir, "homedir", "@"),
+   ARGPARSE_s_s (oLDAPWrapperProgram, "ldap-wrapper-program", "@"),
+@@ -274,6 +279,9 @@ static int opt_gnutls_debug = -1;
+ /* Flag indicating that a shutdown has been requested.  */
+ static volatile int shutdown_pending;
+ 
++/* Flags to indicate that we shall not watch our own socket. */
++static int disable_check_own_socket;
++
+ /* Counter for the active connections.  */
+ static int active_connections;
+ 
+@@ -528,6 +536,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
+       http_register_tls_ca (NULL);
+       FREE_STRLIST (opt.keyserver);
+       /* Note: We do not allow resetting of opt.use_tor at runtime.  */
++      disable_check_own_socket = 0;
+       return 1;
+     }
+ 
+@@ -554,6 +563,8 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
+         }
+       break;
+ 
++    case oDisableCheckOwnSocket: disable_check_own_socket = 1; break;
++
+     case oLDAPWrapperProgram:
+       opt.ldap_wrapper_program = pargs->r.ret_str;
+       break;
+@@ -1840,6 +1851,35 @@ start_connection_thread (void *arg)
+ }
+ 
+ 
++#ifdef HAVE_INOTIFY_INIT
++/* Read an inotify event and return true if it matches NAME.  */
++static int
++my_inotify_is_name (int fd, const char *name)
++{
++  union {
++    struct inotify_event ev;
++    char _buf[sizeof (struct inotify_event) + 100 + 1];
++  } buf;
++  int n;
++  const char *s;
++
++  s = strrchr (name, '/');
++  if (s && s[1])
++    name = s + 1;
++
++  n = npth_read (fd, &buf, sizeof buf);
++  if (n < sizeof (struct inotify_event))
++    return 0;
++  if (buf.ev.len < strlen (name)+1)
++    return 0;
++  if (strcmp (buf.ev.name, name))
++    return 0; /* Not the desired file.  */
++
++  return 1; /* Found.  */
++}
++#endif /*HAVE_INOTIFY_INIT*/
++
++
+ /* Main loop in daemon mode. */
+ static void
+ handle_connections (assuan_fd_t listen_fd)
+@@ -1857,6 +1897,9 @@ handle_connections (assuan_fd_t listen_fd)
+   struct timespec curtime;
+   struct timespec timeout;
+   int saved_errno;
++#ifdef HAVE_INOTIFY_INIT
++  int my_inotify_fd;
++#endif /*HAVE_INOTIFY_INIT*/
+ 
+   npth_attr_init (&tattr);
+   npth_attr_setdetachstate (&tattr, NPTH_CREATE_DETACHED);
+@@ -1871,12 +1914,43 @@ handle_connections (assuan_fd_t listen_fd)
+   npth_sigev_fini ();
+ #endif
+ 
++#ifdef HAVE_INOTIFY_INIT
++  if (disable_check_own_socket)
++    my_inotify_fd = -1;
++  else if ((my_inotify_fd = inotify_init ()) == -1)
++    log_info ("error enabling fast daemon termination: %s\n",
++              strerror (errno));
++  else
++    {
++      /* We need to watch the directory for the file because there
++       * won't be an IN_DELETE_SELF for a socket file.  */
++      char *slash = strrchr (socket_name, '/');
++      log_assert (slash && slash[1]);
++      *slash = 0;
++      if (inotify_add_watch (my_inotify_fd, socket_name, IN_DELETE) == -1)
++        {
++          close (my_inotify_fd);
++          my_inotify_fd = -1;
++        }
++      *slash = '/';
++    }
++#endif /*HAVE_INOTIFY_INIT*/
++
++
+   /* Setup the fdset.  It has only one member.  This is because we use
+      pth_select instead of pth_accept to properly sync timeouts with
+      to full second.  */
+   FD_ZERO (&fdset);
+   FD_SET (FD2INT (listen_fd), &fdset);
+   nfd = FD2INT (listen_fd);
++#ifdef HAVE_INOTIFY_INIT
++  if (my_inotify_fd != -1)
++    {
++      FD_SET (my_inotify_fd, &fdset);
++      if (my_inotify_fd > nfd)
++        nfd = my_inotify_fd;
++    }
++#endif /*HAVE_INOTIFY_INIT*/
+ 
+   npth_clock_gettime (&abstime);
+   abstime.tv_sec += TIMERTICK_INTERVAL;
+@@ -1928,11 +2002,28 @@ handle_connections (assuan_fd_t listen_fd)
+ 	}
+ 
+       if (ret <= 0)
+-	/* Interrupt or timeout.  Will be handled when calculating the
+-	   next timeout.  */
+-	continue;
++        {
++          /* Interrupt or timeout.  Will be handled when calculating the
++             next timeout.  */
++          continue;
++        }
++
++      if (shutdown_pending)
++        {
++          /* Do not anymore accept connections.  */
++          continue;
++        }
++
++#ifdef HAVE_INOTIFY_INIT
++      if (my_inotify_fd != -1 && FD_ISSET (my_inotify_fd, &read_fdset)
++          && my_inotify_is_name (my_inotify_fd, socket_name))
++        {
++          shutdown_pending = 1;
++          log_info ("socket file has been removed - shutting down\n");
++        }
++#endif /*HAVE_INOTIFY_INIT*/
+ 
+-      if (!shutdown_pending && FD_ISSET (FD2INT (listen_fd), &read_fdset))
++      if (FD_ISSET (FD2INT (listen_fd), &read_fdset))
+ 	{
+           plen = sizeof paddr;
+ 	  fd = INT2FD (npth_accept (FD2INT(listen_fd),
+@@ -1967,6 +2058,10 @@ handle_connections (assuan_fd_t listen_fd)
+ 	}
+     }
+ 
++#ifdef HAVE_INOTIFY_INIT
++  if (my_inotify_fd != -1)
++    close (my_inotify_fd);
++#endif /*HAVE_INOTIFY_INIT*/
+   npth_attr_destroy (&tattr);
+   cleanup ();
+   log_info ("%s %s stopped\n", strusage(11), strusage(13));
+diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
+index 629e621..43a1d84 100644
+--- a/doc/dirmngr.texi
++++ b/doc/dirmngr.texi
+@@ -213,6 +213,12 @@ When running in server mode, wait @var{n} seconds before entering the
+ actual processing loop and print the pid.  This gives time to attach a
+ debugger.
+ 
++ at item --disable-check-own-socket
++ at opindex disable-check-own-socket
++On some platforms @command{dirmngr} is able to detect the removal of
++its socket file and shutdown itself.  This option disable this
++self-test for debugging purposes.
++
+ @item -s
+ @itemx --sh
+ @itemx -c
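Review bot: In `my_inotify_is_name` (dirmngr/dirmngr.c, added by this patch file) the check `n < sizeof (struct inotify_event)` compares an `int` with a `size_t`, so a failed `npth_read` returning -1 is converted to a very large unsigned value and passes the check. The function then reads `buf.ev.len` and runs `strcmp` on `buf.ev.name` from an uninitialised buffer. The guard should reject errors first, e.g. `if (n < 0 || (size_t)n < sizeof (struct inotify_event)) return 0;`. Separately, only the first event in the buffer is examined, so when one read returns several events the removal of the socket file can go unnoticed; covering that needs a loop over the events. gpg-agent calls a function of the same name earlier in this commit, but its definition is not in view here, so check whether it needs the same guard.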
diff --git a/debian/patches/0017-gpg-Make-output-work-with-verify.patch b/debian/patches/0017-gpg-Make-output-work-with-verify.patch
new file mode 100644
index 0000000..7444da0
--- /dev/null
+++ b/debian/patches/0017-gpg-Make-output-work-with-verify.patch
@@ -0,0 +1,57 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Thu, 8 Sep 2016 00:45:45 +0200
+Subject: gpg: Make --output work with --verify.
+
+* g10/mainproc.c (proc_plaintext): Handle opt.output.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+---
+ doc/gpg.texi   | 16 +++++++++-------
+ g10/mainproc.c |  7 ++++++-
+ 2 files changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/doc/gpg.texi b/doc/gpg.texi
+index 7261f48..8fda9ae 100644
+--- a/doc/gpg.texi
++++ b/doc/gpg.texi
+@@ -3421,13 +3421,15 @@ show fingerprint
+ 
+ @item gpg --verify @code{pgpfile}
+ @itemx gpg --verify @code{sigfile}
+-Verify the signature of the file but do not output the data. The
+-second form is used for detached signatures, where @code{sigfile}
+-is the detached signature (either ASCII armored or binary) and
+-are the signed data; if this is not given, the name of
+-the file holding the signed data is constructed by cutting off the
+-extension (".asc" or ".sig") of @code{sigfile} or by asking the
+-user for the filename.
++Verify the signature of the file but do not output the data unless
++requested. The second form is used for detached signatures, where
++ at code{sigfile} is the detached signature (either ASCII armored or
++binary) and are the signed data; if this is not given, the name of the
++file holding the signed data is constructed by cutting off the
++extension (".asc" or ".sig") of @code{sigfile} or by asking the user
++for the filename.  If the option @option{--output} is also used the
++signed data is written to the file specified by that option; use
++ at code{-} to write the signed data to stdout.
+ @end table
+ 
+ 
+diff --git a/g10/mainproc.c b/g10/mainproc.c
+index 3d3f88b..5f97d45 100644
+--- a/g10/mainproc.c
++++ b/g10/mainproc.c
+@@ -757,7 +757,12 @@ proc_plaintext( CTX c, PACKET *pkt )
+ 
+   if (!rc)
+     {
+-      rc = handle_plaintext (pt, &c->mfx, c->sigs_only, clearsig);
++      /* It we are in --verify mode, we do not want to output the
++       * signed text.  However, if --output is also used we do what
++       * has been requested and write out the signed data.  */
++      rc = handle_plaintext (pt, &c->mfx,
++                             (opt.outfp || opt.outfile)? 0 :  c->sigs_only,
++                             clearsig);
+       if (gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only)
+         {
+           /* Can't write output but we hash it anyway to check the
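Review bot: With `--output` in `--verify` mode the call in `proc_plaintext` now passes 0 instead of `c->sigs_only`, so `handle_plaintext` writes the signed data out. Judging by the existing comment about hashing "to check the signature", this presumably happens before the signature result is known, in which case the output file can hold data whose signature later turns out to be bad. The doc/gpg.texi paragraph should state this, for example `Note that the data is written even if the signature is later found to be bad; check the exit status before using the output.` The new comment also has a typo, `It we are` for `If we are`. The body of `proc_plaintext` starts and ends outside this hunk.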
diff --git a/debian/patches/0018-gpg-Add-options-output-and-yes-to-gpgv.patch b/debian/patches/0018-gpg-Add-options-output-and-yes-to-gpgv.patch
new file mode 100644
index 0000000..54e1c4b
--- /dev/null
+++ b/debian/patches/0018-gpg-Add-options-output-and-yes-to-gpgv.patch
@@ -0,0 +1,96 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Thu, 8 Sep 2016 10:50:51 +0200
+Subject: gpg: Add options --output and --yes to gpgv.
+
+* g10/gpgv.c (oOutput, oAnswerYes): New.
+(opts): Add --output and --yes.
+(main): Implement options.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+---
+ doc/gpg.texi  |  3 ++-
+ doc/gpgv.texi | 10 ++++++++++
+ g10/gpgv.c    |  7 +++++++
+ 3 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/doc/gpg.texi b/doc/gpg.texi
+index 8fda9ae..11456c2 100644
+--- a/doc/gpg.texi
++++ b/doc/gpg.texi
+@@ -2153,7 +2153,8 @@ Assume the input data is not in ASCII armored format.
+ @item --output @var{file}
+ @itemx -o @var{file}
+ @opindex output
+-Write output to @var{file}.
++Write output to @var{file}.  To write to stdout use @code{-} as the
++filename.
+ 
+ @item --max-output @code{n}
+ @opindex max-output
+diff --git a/doc/gpgv.texi b/doc/gpgv.texi
+index 1d9a81e..6676bde 100644
+--- a/doc/gpgv.texi
++++ b/doc/gpgv.texi
+@@ -92,6 +92,16 @@ are replaced by the HOME directory. If the filename
+ does not contain a slash, it is assumed to be in the
+ home-directory ("~/.gnupg" if --homedir is not used).
+ 
++ at item --output @var{file}
++ at itemx -o @var{file}
++ at opindex output
++Write output to @var{file}.  This option can be used to get the signed
++text from a cleartext or binary signature; it also works for detached
++signatures, but in that case this option is in general not
++useful. Unless you write to stdout (using @code{-} for @var{file}) you
++should also use the option @option{--yes} to force overwriting an
++existing file.
++
+ @item --status-fd @var{n}
+ @opindex status-fd
+ Write special status strings to the file descriptor @var{n}.  See the
+diff --git a/g10/gpgv.c b/g10/gpgv.c
+index 4ef3e8b..284595e 100644
+--- a/g10/gpgv.c
++++ b/g10/gpgv.c
+@@ -55,6 +55,7 @@ enum cmd_and_opt_values {
+   aNull = 0,
+   oQuiet	  = 'q',
+   oVerbose	  = 'v',
++  oOutput	  = 'o',
+   oBatch	  = 500,
+   oKeyring,
+   oIgnoreTimeConflict,
+@@ -62,6 +63,8 @@ enum cmd_and_opt_values {
+   oLoggerFD,
+   oHomedir,
+   oWeakDigest,
++  oAnswerYes,
++  oAnswerNo,
+   aTest
+ };
+ 
+@@ -73,6 +76,7 @@ static ARGPARSE_OPTS opts[] = {
+   ARGPARSE_s_n (oQuiet,   "quiet",   N_("be somewhat more quiet")),
+   ARGPARSE_s_s (oKeyring, "keyring",
+                 N_("|FILE|take the keys from the keyring FILE")),
++  ARGPARSE_s_s (oOutput, "output", N_("|FILE|write output to FILE")),
+   ARGPARSE_s_n (oIgnoreTimeConflict, "ignore-time-conflict",
+                 N_("make timestamp conflicts only a warning")),
+   ARGPARSE_s_i (oStatusFD, "status-fd",
+@@ -81,6 +85,7 @@ static ARGPARSE_OPTS opts[] = {
+   ARGPARSE_s_s (oHomedir, "homedir", "@"),
+   ARGPARSE_s_s (oWeakDigest, "weak-digest",
+                 N_("|ALGO|reject signatures made with ALGO")),
++  ARGPARSE_s_n (oAnswerYes, "yes", "@"),
+ 
+   ARGPARSE_end ()
+ };
+@@ -188,6 +193,8 @@ main( int argc, char **argv )
+           gcry_control (GCRYCTL_SET_VERBOSITY, (int)opt.verbose);
+           break;
+         case oKeyring: append_to_strlist( &nrings, pargs.r.ret_str); break;
++        case oOutput: opt.outfile = pargs.r.ret_str; break;
++        case oAnswerYes: opt.answer_yes = 1; break;
+         case oStatusFD: set_status_fd( pargs.r.ret_int ); break;
+         case oLoggerFD:
+           log_set_fd (translate_sys2libc_fd_int (pargs.r.ret_int, 1));
diff --git a/debian/patches/0019-gpg-Remove-option-yes-from-gpgv.patch b/debian/patches/0019-gpg-Remove-option-yes-from-gpgv.patch
new file mode 100644
index 0000000..96dab80
--- /dev/null
+++ b/debian/patches/0019-gpg-Remove-option-yes-from-gpgv.patch
@@ -0,0 +1,73 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Thu, 8 Sep 2016 14:34:07 +0200
+Subject: gpg: Remove option --yes from gpgv
+
+* g10/gpgv.c (opts): Remove --yes.
+(main): Always set opt.ANSWER_YES.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+---
+ doc/gpgv.texi | 12 ++++++------
+ g10/gpgv.c    |  5 +----
+ 2 files changed, 7 insertions(+), 10 deletions(-)
+
+diff --git a/doc/gpgv.texi b/doc/gpgv.texi
+index 6676bde..9a74c27 100644
+--- a/doc/gpgv.texi
++++ b/doc/gpgv.texi
+@@ -95,12 +95,12 @@ home-directory ("~/.gnupg" if --homedir is not used).
+ @item --output @var{file}
+ @itemx -o @var{file}
+ @opindex output
+-Write output to @var{file}.  This option can be used to get the signed
+-text from a cleartext or binary signature; it also works for detached
+-signatures, but in that case this option is in general not
+-useful. Unless you write to stdout (using @code{-} for @var{file}) you
+-should also use the option @option{--yes} to force overwriting an
+-existing file.
++Write output to @var{file}; to write to stdout use @code{-}.  This
++option can be used to get the signed text from a cleartext or binary
++signature; it also works for detached signatures, but in that case
++this option is in general not useful.  Note that an existing file will
++be overwritten.
++
+ 
+ @item --status-fd @var{n}
+ @opindex status-fd
+diff --git a/g10/gpgv.c b/g10/gpgv.c
+index 284595e..81773db 100644
+--- a/g10/gpgv.c
++++ b/g10/gpgv.c
+@@ -63,8 +63,6 @@ enum cmd_and_opt_values {
+   oLoggerFD,
+   oHomedir,
+   oWeakDigest,
+-  oAnswerYes,
+-  oAnswerNo,
+   aTest
+ };
+ 
+@@ -85,7 +83,6 @@ static ARGPARSE_OPTS opts[] = {
+   ARGPARSE_s_s (oHomedir, "homedir", "@"),
+   ARGPARSE_s_s (oWeakDigest, "weak-digest",
+                 N_("|ALGO|reject signatures made with ALGO")),
+-  ARGPARSE_s_n (oAnswerYes, "yes", "@"),
+ 
+   ARGPARSE_end ()
+ };
+@@ -170,6 +167,7 @@ main( int argc, char **argv )
+   opt.no_sig_cache = 1;
+   opt.flags.require_cross_cert = 1;
+   opt.batch = 1;
++  opt.answer_yes = 1;
+ 
+   opt.weak_digests = NULL;
+ 
+@@ -194,7 +192,6 @@ main( int argc, char **argv )
+           break;
+         case oKeyring: append_to_strlist( &nrings, pargs.r.ret_str); break;
+         case oOutput: opt.outfile = pargs.r.ret_str; break;
+-        case oAnswerYes: opt.answer_yes = 1; break;
+         case oStatusFD: set_status_fd( pargs.r.ret_int ); break;
+         case oLoggerFD:
+           log_set_fd (translate_sys2libc_fd_int (pargs.r.ret_int, 1));
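Review bot: The unconditional `opt.answer_yes = 1;` added to `main` in g10/gpgv.c carries no comment, and the only effect named on this page is the doc sentence that an existing `--output` file will be overwritten. A comment above it would record the intent, e.g. `/* gpgv never prompts: --output overwrites an existing file without asking. */`. Because `opt.answer_yes` is a global option flag, it may also answer other confirmation prompts reachable from gpgv; that is not visible here and is worth confirming before relying on it. `main` starts and ends outside these hunks.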
diff --git a/debian/patches/0020-gpg-print-fingerprint-regardless-of-keyid-format.patch b/debian/patches/0020-gpg-print-fingerprint-regardless-of-keyid-format.patch
new file mode 100644
index 0000000..0117b1b
--- /dev/null
+++ b/debian/patches/0020-gpg-print-fingerprint-regardless-of-keyid-format.patch
@@ -0,0 +1,61 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Thu, 8 Sep 2016 14:47:04 +0200
+Subject: gpg: print fingerprint regardless of keyid-format
+
+* g10/keylist.c (print_fingerprint): use compact format independent of
+  keyid-format; (print_key_line): always print the fingerprint
+
+--
+
+The choice of fingerprint display should be independent of the
+keyid-format.
+
+Currently, the representation of the fingerprint changes depending on
+whether the user has specified --keyid-format to anything besides
+"none".  (this is common, for example, if someone happens to have
+"keyid-format long" in their gpg.conf for interoperability with older
+versions of gpg)
+
+With this changeset, keyid-format governs only the format of the
+displayed keyID, while the fingerprint display is governed only by the
+fingerprint options:
+
+ [default]::
+    compact fpr of pubkey only
+ --with-fingerprint::
+    human-readable form of fpr of pubkey only
+ --with-fingerprint --with-fingerprint::
+    human-readable form of pubkey and subkey
+ --with-subkey-fingerprint:
+    compact fpr for pubkey and subkeys
+
+Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+---
+ g10/keylist.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/g10/keylist.c b/g10/keylist.c
+index 59344b2..a71effc 100644
+--- a/g10/keylist.c
++++ b/g10/keylist.c
+@@ -1679,7 +1679,7 @@ print_fingerprint (estream_t override_fp, PKT_public_key *pk, int mode)
+     }
+ 
+   if (!opt.fingerprint && !opt.with_fingerprint
+-      && opt.with_subkey_fingerprint && opt.keyid_format == KF_NONE)
++      && opt.with_subkey_fingerprint)
+     compact = 1;
+ 
+   if (pk->main_keyid[0] == pk->keyid[0]
+@@ -1871,7 +1871,10 @@ print_key_line (estream_t fp, PKT_public_key *pk, int secret)
+ 
+   tty_fprintf (fp, "\n");
+ 
+-  if (pk->flags.primary && opt.keyid_format == KF_NONE)
++  /* if the user hasn't explicitly asked for human-readable
++     fingerprints, show compact fpr of primary key: */
++  if (pk->flags.primary &&
++      !opt.fingerprint && !opt.with_fingerprint)
+     print_fingerprint (fp, pk, 20);
+ }
+ 
diff --git a/debian/patches/0021-spelling-conenction-should-be-connection.patch b/debian/patches/0021-spelling-conenction-should-be-connection.patch
new file mode 100644
index 0000000..270a825
--- /dev/null
+++ b/debian/patches/0021-spelling-conenction-should-be-connection.patch
@@ -0,0 +1,38 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Wed, 14 Sep 2016 17:20:26 -0400
+Subject: spelling: conenction should be connection
+
+* dirmngr/server.c, sm/server.c: s/conenction/connection/
+
+Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+---
+ dirmngr/server.c | 2 +-
+ sm/server.c      | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/dirmngr/server.c b/dirmngr/server.c
+index 3ac4160..fe87bbe 100644
+--- a/dirmngr/server.c
++++ b/dirmngr/server.c
+@@ -275,7 +275,7 @@ strcpy_escaped_plus (char *d, const unsigned char *s)
+ 
+ 
+ /* This function returns true if a Tor server is running.  The sattus
+-   is cached for the current conenction.  */
++   is cached for the current connection.  */
+ static int
+ is_tor_running (ctrl_t ctrl)
+ {
+diff --git a/sm/server.c b/sm/server.c
+index ce8085d..b4fcb43 100644
+--- a/sm/server.c
++++ b/sm/server.c
+@@ -1099,7 +1099,7 @@ static const char hlp_getinfo[] =
+   "  agent-check - Return success if the agent is running.\n"
+   "  cmd_has_option CMD OPT\n"
+   "              - Returns OK if the command CMD implements the option OPT.\n"
+-  "  offline     - Returns OK if the conenction is in offline mode.";
++  "  offline     - Returns OK if the connection is in offline mode.";
+ static gpg_error_t
+ cmd_getinfo (assuan_context_t ctx, char *line)
+ {
diff --git a/debian/patches/series b/debian/patches/series
index 57f00aa..49fff0e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,17 @@
 0005-gpg-Fix-regression-in-gpgv-s-printing-of-the-keyid.patch
 0006-gpg-Avoid-homedir-creation-by-list-config.patch
 0007-tests-Run-test-requiring-the-network-only-in-maintai.patch
+0008-gpg-Make-decryption-of-R-work-w-o-try-secret-key-or-.patch
+0009-gpg-Fix-false-negatives-in-Ed25519-signature-verific.patch
+0010-agent-invoke-scdaemon-with-homedir.patch
+0011-scd-Clean-up-unused-shutdown-method.patch
+0012-scd-Release-the-card-reader-after-card-removal.patch
+0013-common-Check-read-errors-in-name-value.c.patch
+0014-scd-Fix-an-action-after-card-removal.patch
+0015-agent-Terminate-on-deletion-of-the-socket-file-Linux.patch
+0016-dirmngr-Terminate-on-deletion-of-the-socket-file-Lin.patch
+0017-gpg-Make-output-work-with-verify.patch
+0018-gpg-Add-options-output-and-yes-to-gpgv.patch
+0019-gpg-Remove-option-yes-from-gpgv.patch
+0020-gpg-print-fingerprint-regardless-of-keyid-format.patch
+0021-spelling-conenction-should-be-connection.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git


