commit e24f56445aa9ce281ad7bb7cf71939767ca7c9d6
Merge: 0a352b0c 4803ae23
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Thu Apr 10 16:43:34 2025 -0400

    Merge branch 'debian/legacy-branch-2.2' into debian/unstable

commit 0a352b0c2ab02cc164b2d3fb69337bc5f9529af2
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Thu Apr 10 15:13:13 2025 -0400

    release to unstable

commit 96c4344e365c66be9b7b937b524bbeb047eea6b7
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Thu Apr 10 15:12:34 2025 -0400

    re-point to unstable

commit f4d3f9390c661b4359a232976d30e0e3cf98c1a9
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Thu Apr 10 14:57:47 2025 -0400

    d/changelog: merging in old entries

commit 6f23c53dc96221a5498964ff634799909da608a3
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Thu Apr 10 14:37:29 2025 -0400

    override warning about FreePG README

commit efd8c0120a4491df48e5364f22d7fdaee7b5cdde
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Wed Apr 9 16:03:51 2025 -0400

    d/tests/verify-openpgp: allow stderr

commit 4803ae237f2b02f410ddc0d82ca958d93bf1fbb0
Author: Andreas Metzler <ametzler@bebt.de>
Date:   Sun Mar 30 15:59:11 2025 +0200

    Formatting fixes for migrate-pubring-from-classic-gpg.1

    (Thanks to Bjarni Ingi Gislason)

    Closes: #1100793

commit 0ae1227a3f9f9e321bc7663002500073050eb05a
Author: Andreas Metzler <ametzler@bebt.de>
Date:   Sat Mar 22 11:35:21 2025 +0100

    upload to unstable

commit 67774c459d4ed14e7f79244345d9d90c461caaea
Author: Andreas Metzler <ametzler@bebt.de>
Date:   Sat Mar 22 11:18:06 2025 +0100

    Revert FreePG patch for CSF newline cleanup.

    Closes: #1101011

commit 22ffc6f1ece34b76ce1574be36e1c19566b7ca9b
Author: Andreas Metzler <ametzler@bebt.de>
Date:   Fri Mar 21 16:16:00 2025 +0100

    Add CVE number to 2.2.46-2 changelog entry

commit 0da7fbb8dc474fd61479d9ee5569d58617224f00
Author: Andreas Metzler <ametzler@bebt.de>
Date:   Sat Mar 15 16:20:16 2025 +0100

    Formatting fixes for gpgcompose.1 by Bjarni Ingi Gislason.

    Closes: #1100448

commit 3d0080be65179ad1f3f3e56f4f16c3728e9dc353
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Thu Mar 13 09:55:07 2025 -0400

    Prepare release to debian unstable

commit 766f3dd9f9aaef69d5c238436e929f966e31d21f
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Thu Mar 13 08:50:26 2025 -0400

    avoid a double-free

commit c454aa395f1786dfd7c312cf41506de7289fde31
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Fri Mar 7 16:00:46 2025 -0500

    Prepare release for Debian unstable

commit 90d84241748ffef8dec1fed3df96937a303abdcf
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Fri Mar 7 15:59:43 2025 -0500

    Avoid regression (Closes: #1099141)

    This backports the upstream patch to avoid a regression derived from
    the recent denial of service on signature verification.

commit bbff1927aa53a746110f6f07ae3bd5b4f364ae78
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Wed Mar 5 15:39:47 2025 -0500

    Prepare debian release

commit 17105f3a16a1dd86429cdce861ce4838b5070a2d
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Wed Mar 5 14:10:34 2025 -0500

    Verify text-mode Signatures over binary Literal Data Packets

commit 49d9cd7a11f182e353a54e3c712e69966dadc303
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Wed Mar 5 14:05:33 2025 -0500

    Support --enable-large-rsa in non-batch mode (following FreePG)

commit f239ea2571dd63b0fcee09b84f69e9cfcf70d9ff
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Wed Mar 5 14:03:20 2025 -0500

    update FreePG patches

    FreePG adopted "Fix newlines in CSF" patch

commit 8244b3e2dc246c3b709140d85665c56ca38622f1
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Tue Feb 18 16:21:03 2025 -0500

    prepare debian release

commit 1cea86dce3534db0e4114b2c01920dbee270f1f7
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Tue Feb 18 16:18:21 2025 -0500

    Avoid keyring DoS

commit c60002ee17c13064e829068f9c998cfd3e1238fd
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Fri Feb 21 13:30:10 2025 -0500

    Fix newline confusion around CSF

commit 55249718f334108c20fb9e8210d869e75d70371c
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Tue Feb 18 16:02:56 2025 -0500

    Disallow compressed signatures and certificates

    These are not used in the wild, are not specified, and represent an
    increased attack surface for GnuPG.

commit 7c1481a76d8922dc5f1e04de9be5dac735a7c87c
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Tue Feb 18 15:59:03 2025 -0500

    3 more patches adopted by FreePG

    (restore nl.po needed to keep a bunch of stuff that hadn't been
    shipped in the tarball we build from)

    (improve default digest algorithm)

commit a3d37d0e1755508015c68315805c98fbc5558dd8
Author: Andreas Metzler <ametzler@bebt.de>
Date:   Sun Feb 2 07:35:41 2025 +0100

    block-ptrace-on-secret-daemons accepted into FreePG, rename.

commit ef71b368553a15cedd0ec3958faee69ea7850cd7
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Thu Jan 30 10:57:01 2025 -0500

    drop GSM_SKIP_SSH_AGENT_WORKAROUND hack

    as i wrote in id:87y0ysnvp8.fsf@fifthhorseman.net,

    > The link in the dropped comment doesn't say anything about
    > GSM_SKIP_SSH_AGENT_WORKAROUND.
    >
    > The initial mention of the environment variable i could find was in
    > https://bugs.debian.org/855868 from 2017 (over 7 years ago), where rufo
    > (in cc) said:
    >
    > > At least until this patch
    > > (https://git.gnome.org/browse/gnome-session/commit/?id=818266a898b803960ce8dd6d330c1ef6934bba46)
    > > lands in gnome-session-bin, we also need to set
    > > GSM_SKIP_SSH_AGENT_WORKAROUND to prevent our SSH_AUTH_SOCK from being
    > > clobbered. Updated script below.
    >
    > That URL is wrong today, but correct commit is at:
    >
    > https://gitlab.gnome.org/GNOME/gnome-session/-/commit/818266a898b803960ce8dd6d330c1ef6934bba46
    >
    > Which was rolled into gnome-session 3.25.3. oldoldstable is at 3.30.1,
    > so i think this is safe to remove.
    >
    > I've also looked at
    > https://codesearch.debian.net/search?q=GSM_SKIP_SSH_AGENT_WORKAROUND&literal=1
    > and there is no other package in debian that contains this string at
    > all.

commit d335f8d165f15adf49e8cd8c6d6bb92fbb9680ef
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Fri Jan 10 15:53:41 2025 -0500

    prepare debian release

commit 81c62a01e541da8f1b266a183f19fbcd6e826cfd
Merge: bd85ebfd b7435f3e
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Fri Jan 10 15:52:54 2025 -0500

    Update upstream source from tag 'upstream/2.2.46'

    Update to upstream version '2.2.46'
    with Debian dir 1fd052b5662b33ff84e204b70551585e3b8ee94f

commit b7435f3e63e82aa600ed4ad5e18e6384f8fa62e3
Merge: 60df887b 7e48331a
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Fri Jan 10 15:52:49 2025 -0500

    New upstream version 2.2.46

commit bd85ebfd05ab814a38b8914a1c7bb07408af8f36
Merge: 203424d0 60df887b
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Thu Jan 9 10:32:07 2025 -0500

    Merge branch 'upstream-2.2' into debian/unstable

    This corrects my mistake in managing the upstream-2.2 branch during
    the merge of 2.2.46~pre1

commit 60df887bc62f45982f157c31e8afddca8943639e
Merge: 3c9584d4 724db734
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Thu Jan 9 10:30:18 2025 -0500

    Merging branch 'upstream-2.2'

    I failed to update my local upstream-2.2 branch before importing
    2.2.46, so these branches got de-synced.  This merge is a correction
    for that.

commit 203424d0489872f7c8132eb47c6f8db079a5450f
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Wed Jan 8 16:33:09 2025 -0500

    prepare debian release

commit 360645add019b07b5e8379e1ad47cab13d211fc6
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Wed Jan 8 16:21:54 2025 -0500

    systemd gpg-agent.socket: announce GPG_AGENT_INFO for the benefit of gnupg1

commit 9adc9b56a885eb5c6af8bfe3eb45398b6bcdec85
Author: Richard Hansen <rhansen@rhansen.org>
Date:   Wed Nov 13 17:19:15 2024 -0500

    debian/Xsession.d/90gpg-agent: Add comment explaining GPG_AGENT_INFO

    That variable does nothing since v2.1.0, but gnupg1 might be
    installed.

    Also:
      * Inline the unnecessary `agent_sock` variable.
      * Quote parameter expansions to prevent field splitting (unlikely
        in these cases, but it's idiomatic).
      * Delete blank line at the end of the file.

commit 96cc8985b0c425b7c410710ae60908c0b322d3d2
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Wed Jan 8 16:13:03 2025 -0500

    Let gpg-agent-ssh.socket check enable-ssh-support

    This was originally from Richard Hansen, see
    https://salsa.debian.org/debian/gnupg2/-/merge_requests/17

    I also cleaned up some of the comments in the patch to make it a bit
    clearer.

commit afc711b730ac15e3b2e7a234eca3838f33ca27f0
Author: Bastien Roucariès <rouca@debian.org>
Date:   Sat Aug 13 21:09:20 2022 +0000

    Improve systemd integration of gnupg by injecting environment variable at start/stop

    Previously we used to set SSH_AUTH_SOCK using systemd environment.

    The former approach has the following drawbacks:
    - the lifetime of SSH_AUTH_SOCK is not tied to the lifetime of the
      service
    - it is hard to know where variables are set
    - it is hard to customize the socket variable, for instance for
      running multiple ssh-agent or for testing purposes

    Moreover conceptually it is better to set the environment variable in
    the same file that runs the service (or socket)

commit 02ca223dbf275e7879dfa4bb3809be508f2864d3
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Wed Jan 8 15:19:53 2025 -0500

    refresh patches

commit daecc70510cb1ac253687451b6d2e483cf767373
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Wed Jan 8 15:18:39 2025 -0500

    d/changelog: update

commit 551a147ba55ac8b3359e4981443dfee0761b6ee8
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Wed Jan 8 15:17:44 2025 -0500

    drop patch applied upstream

commit 97b4c3805d00968f457edf9908c1eb1d0df7c539
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Wed Jan 8 15:16:49 2025 -0500

    prepare debian release

commit c3b4f5e833ad617b34af133316f394c64570e9dc
Merge: 5f82ed86 3c9584d4
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Wed Jan 8 15:13:32 2025 -0500

    Update upstream source from tag 'upstream/2.2.46_pre1'

    Update to upstream version '2.2.46~pre1'
    with Debian dir f52d193c644139b2c501d965624a24ff549909e8

commit 3c9584d4d682032dd8a91287d2b94abd64909a54
Merge: f85d326a 7e48331a
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Wed Jan 8 15:13:24 2025 -0500

    New upstream version 2.2.46~pre1

commit 5f82ed861abff8ce93ddd51f32ce5491347288c7
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Wed Jan 8 14:07:19 2025 -0500

    Collect FreePG patches together

commit 1f754e0f53e0d95b31b53c239927d4ea92ff41e0
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Wed Jan 8 13:57:32 2025 -0500

    collect more patches following FreePG naming

commit aa0485e96a3f6110221054dd6955ba476f53a913
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Wed Jan 8 12:47:22 2025 -0500

    gpgconf: override lintian complaint about distsigkey.gpg

commit 4c2aed632fe483c8d4f4ecc20a52f2a3d37f898e
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Wed Jan 8 10:13:58 2025 -0500

    fix spelling

commit d25ce64a65f286a9b927b7527d4731226fbcb27a
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Wed Jan 8 09:50:28 2025 -0500

    add lintian overrides for unused FreePG patches

commit e8951a20937560ad49ba87fb6518d36f07c7781c
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Wed Jan 8 09:36:15 2025 -0500

    prepare debian release

commit 05fd5419f6bac8726dfda1e95322d2c8d45b6c0a
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Tue Jan 7 18:25:00 2025 -0500

    drop outdated m4 files declaratively, not as patches

commit 7e48331afb611a2b39e5ae74b8806b84e54db924
Author: Werner Koch <wk@gnupg.org>
Date:   Tue Jan 7 09:23:50 2025 +0100

    Release 2.2.46

commit 076ed89deed4a57432e4d6fd871187356f7710da
Author: Werner Koch <wk@gnupg.org>
Date:   Tue Jan 7 09:24:30 2025 +0100

    po: msgmerge

    --

commit 09613aebf303093b76b2fc3b268393454afb093f
Author: bubu <bubub@no-log.org>
Date:   Tue Jan 7 08:23:51 2025 +0100

    po: Update french translation.

    --
    (proofread by the debian-l10n-french team)

    GnuPG-bug-id: 7469

commit 3b68847e6c082ef251c52fcd70f27fa2b4aaf409
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Mon Jan 6 14:40:10 2025 -0500

    put freepg patches first, sorted

commit 0d3d62d5ed6929f666c717ff2a1bdbf07b149988
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Sat Jan 4 12:17:53 2025 -0500

    Use freepg-labeled patches

    The [FreePG patchset](https://gitlab.com/freepg) is a common resource
    for GnuPG downstream packagers to track, maintain, and apply
    commonly-used patches for GnuPG that have been refused by upstream.

    We can use these patches to keep Debian in alignment with other
    distros.  They replace patches that we already use.

commit c8c86f25fd733136feb013f9b9eb829a24040b5b
Author: Werner Koch <wk@gnupg.org>
Date:   Thu Nov 21 09:52:46 2024 +0100

    gpg: Add the AEAD algo number to the DECRYPTION_INFO status line.

    * g10/decrypt-data.c (decrypt_data): Print the aead_algo
    --

    GnuPG-bug-id: 7398

commit 5b3fc8abaae4016423069852728461303611f866
Author: Werner Koch <wk@gnupg.org>
Date:   Tue Nov 12 12:05:37 2024 +0100

    gpgconf: Show also the used nPth version with -V

    * dirmngr/dirmngr.c (gpgconf_versions): Get and show nPth version.
    --

    Note that this requires nPth 1.8

commit fc47bdad5966d29c5b289882a8442541079a5f91
Author: Werner Koch <wk@gnupg.org>
Date:   Thu Nov 7 15:06:17 2024 +0100

    gpgtar: Make sure to create upper directories for regular files.

    * tools/gpgtar-extract.c (extract_directory): Factor parent directory
    creation out to ..
    (try_mkdir_p): new.
    (extract_regular): Create directory on ENOENT.
    * g10/pubkey-enc.c (get_it): Use log_info instead of log_error if the
    public key was not found for preference checking.
    --

    If tarball was created with

      tar cf tarball file1.txt foo/file2.txt

    the tarball has no entry for foo/ and thus the extraction fails.
    This patch fixes this.

    GnuPG-bug-id: 7380

    The second patch avoids a wrong exit status status line due to the use
    of log_error.  But the actual cause still needs to be investigated.

commit 524a55f572899904a5d3a7e0a4f752585bfd84a3
Author: Andreas Metzler <ametzler@bebt.de>
Date:   Fri Nov 1 13:04:23 2024 +0100

    Upload to unstable

commit f0922cdf55b46f4e2e20ac3157a36dfb67a7e235
Author: Andreas Metzler <ametzler@bebt.de>
Date:   Fri Nov 1 11:54:19 2024 +0100

    Do not err on importing rev-cert for expired key.

    Cherry-pick 48aa9e82657902ceb7ef081c6c55adbea5dd0217 from upstream
    GIT master

    Closes: #1086140

commit d5efff90089a9043f2f15908c30cf802a4df28ae
Author: Andreas Metzler <ametzler@bebt.de>
Date:   Thu Oct 31 18:24:41 2024 +0100

    Fix regression breaking gpgme testsuite.

    Fix by cherry-picking from upstream STABLE-BRANCH-2-2 branch
    2ca38bee7a63c0f7185ca1dbf13da1cbc4933563

    Closes: #1086271

commit 6c58694a885bb9e6b0d0324eeb59e22c29ec4d30
Author: Werner Koch <wk@gnupg.org>
Date:   Thu Oct 31 15:11:55 2024 +0100

    gpg: Allow the use of an ADSK subkey as ADSK subkey.

    * g10/packet.h (PKT_public_key): Increased size of req_usage to 16.
    * g10/getkey.c (key_byname): Set allow_adsk in the context if it was
    requested via req_usage.
    (finish_lookup): Allow RENC usage matching.
    * g10/keyedit.c (append_adsk_to_key): Adjust the assert.
    * g10/keygen.c (prepare_adsk): Also allow to find an RENC subkey.
    --

    If an ADSK is to be added it may happen that an ADSK subkey is found
    first and this should then be used even though it does not have the E
    usage.  However, it used to have that E usage when it was added.

    While testing this I found another peculiarity: If you do

      gpg -k ADSK_SUBKEY_FPR

    without the '!' suffix and no corresponding encryption subkey is
    found, you will get an unusable key error.  I hesitate to fix that
    due to possible side-effects.

    GnuPG-bug-id: 6882
    Backported-from-master: d30e345692440b9c6677118c1d20b9d17d80f873

    Note that we still use the NO_AKL and not the newer TRY_LDAP in 2.2.
    We may want to backport that change as well.

commit 2ca38bee7a63c0f7185ca1dbf13da1cbc4933563
Author: NIIBE Yutaka <gniibe@fsij.org>
Date:   Thu Oct 31 11:47:55 2024 +0900

    agent: Fix status output for LISTTRUSTED.

    * agent/trustlist.c (istrusted_internal): When LISTMODE is enabled,
    TRUSTLISTFPR status output should be done.

    --

    GnuPG-bug-id: 7363
    Fixes-commit: 4fa82eec43e8d205fa336113f6ea554923fd6986
    Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

commit 5a55b162c6ba8024edb6b858dcb400549f78f798
Author: Andreas Metzler <ametzler@bebt.de>
Date:   Sat Oct 26 18:29:17 2024 +0200

    New upstream version 2.2.45

commit 50e505f105c19383a0e193b6381f08b760147fed
Merge: f9de275f 724db734
Author: Andreas Metzler <ametzler@bebt.de>
Date:   Sat Oct 26 16:36:13 2024 +0200

    Update upstream source from tag 'upstream/2.2.45'

    Update to upstream version '2.2.45'
    with Debian dir 505ffd0d9c71e0d7f0e317340976ef9bfa207f33

commit 724db734e3d93391dc9addf8dff2afc42777a81e
Merge: 2bb3d7ba 8e3fc26d
Author: Andreas Metzler <ametzler@bebt.de>
Date:   Sat Oct 26 16:35:53 2024 +0200

    New upstream version 2.2.45

commit 5c0383d558cc9112c4c0984a3b2a6c98b29a92ca
Author: Werner Koch <wk@gnupg.org>
Date:   Tue Oct 22 18:24:59 2024 +0200

    Post release updates

    --

commit 8e3fc26d4a1e3d9e0a69198a30fd79bc564c58e6
Author: Werner Koch <wk@gnupg.org>
Date:   Tue Oct 22 15:50:33 2024 +0200

    Release 2.2.45

commit 8838e795e93e8e335117f5089d6e3bef0466af0f
Author: Werner Koch <wk@gnupg.org>
Date:   Tue Oct 22 15:50:23 2024 +0200

    po: msgmerge

    --

commit ae383e0e73638fbed86e6343465e3ad32c4fa267
Author: Werner Koch <wk@gnupg.org>
Date:   Tue Oct 22 15:49:50 2024 +0200

    po: Update German translation

    --

commit cb5f4aba57dc29271aeb2fa2799bf17c8078adbe
Author: Werner Koch <wk@gnupg.org>
Date:   Mon Oct 14 16:46:27 2024 +0200

    dirmngr: Print a brief list of URLs with LISTCRLS.

    * dirmngr/crlcache.c (crl_cache_list): Print a summary of URLs.
    * sm/call-dirmngr.c (gpgsm_dirmngr_run_command): Print a notice to
    stdout if the dirmngr has been disabled.
    --

    GnuPG-bug-id: 7337

commit 69a8aefa5bf77136b77383b94e34ba784c1cce89
Author: Werner Koch <wk@gnupg.org>
Date:   Thu Oct 10 18:05:57 2024 +0200

    gpgsm: Fix cached istrusted lookup.

    * sm/call-agent.c (gpgsm_agent_istrusted): Actually set istrusted
    list.
    --

    Fixes-commit: 9087c1d3637cf1c61744ece0002dc0dc5675d7c9

commit 85d8fa57db0a64f565fc8ecb4465340a2fbc9985
Author: Werner Koch <wk@gnupg.org>
Date:   Mon Oct 7 08:16:31 2024 +0200

    gpg: Emit status error for an invalid ADSK.

    * g10/keygen.c (prepare_adsk): Emit status error.
    --

    This is useful for GPGME.

    GnuPG-bug-id: 7322

commit a5527edebbad3a3a4a5dc93d61133f75eac6bc89
Author: Werner Koch <wk@gnupg.org>
Date:   Fri Oct 4 12:03:11 2024 +0200

    gpgsm: Add compatibility flag no-keyinfo-cache

    * sm/gpgsm.c (compatibility_flags): Add flag.
    * sm/gpgsm.h (COMPAT_NO_KEYINFO_CACHE): New.
    * sm/call-agent.c (gpgsm_agent_istrusted): Act upon it.
    (gpgsm_agent_keyinfo): Ditto.

commit 9087c1d3637cf1c61744ece0002dc0dc5675d7c9
Author: Werner Koch <wk@gnupg.org>
Date:   Wed Oct 2 16:44:04 2024 +0200

    gpgsm: Implement a cache for the KEYINFO queries.

    * sm/gpgsm.h (struct keyinfo_cache_item_s): New.
    (struct server_control_s): Add keyinfo_cache and keyinfo_cache_valid.
    * sm/call-agent.c (keyinfo_cache_disabled): New flag.
    (release_a_keyinfo_cache): New.
    (gpgsm_flush_keyinfo_cache): New.
    (struct keyinfo_status_parm_s): New.
    (keyinfo_status_cb): Implement a fill mode.
    (gpgsm_agent_keyinfo): Implement a cache.
    * sm/server.c (reset_notify): Flush the cache.
    * sm/gpgsm.c (gpgsm_deinit_default_ctrl): Ditto.
    --

    In almost all cases we have just a few private keys in the agent and
    thus it is better to fetch them early.  This does not work in a
    restricted connection but we take care and disable the cache in this
    case.  This cache gives a minor speed up.

    GnuPG-bug-id: 7308
    (cherry picked from commit 241971fac0fc52efc87ed5753a01d18b0672d900)

commit 09d4b8f496dd461a21d5ba0297710d683b16def4
Author: Werner Koch <wk@gnupg.org>
Date:   Wed Oct 2 14:20:03 2024 +0200

    gpgsm: Use a cache for ISTRUSTED queries.

    * sm/call-agent.c (struct istrusted_cache_s): New.
    (istrusted_cache, istrusted_cache_valid): New.
    (istrusted_cache_disabled): New.
    (flush_istrusted_cache): New.
    (struct istrusted_status_parm_s): New.
    (istrusted_status_cb): Fill the cache.
    (gpgsm_agent_istrusted): Implement a cache.
    --

    Not a really measurable performance improvement on Linux but maybe
    somewhat on Windows (not yet tested).  However, it does not clutter
    the log files with IPC calls returning NOT_TRUSTED.

    GnuPG-bug-id: 7308
    (cherry picked from commit ef2be95258d2e02659e96f6c4df5a9a1a233c8fd)

commit 4fa82eec43e8d205fa336113f6ea554923fd6986
Author: Werner Koch <wk@gnupg.org>
Date:   Tue Oct 1 18:07:32 2024 +0200

    agent: Add option --status to the LISTTRUSTED command.

    * agent/trustlist.c (istrusted_internal): Add arg listmode and print
    new status line in this mode.  Adjust callers.
    (agent_listtrusted): Add new args ctrl and status_mode.  Get all
    trusted keys and then call is_trusted_internal for all of them.
    * agent/command.c (cmd_listtrusted): Add new option --status.
    --

    This allows in a non-restricted connection to list all trusted keys
    in one go.

    (cherry picked from commit 4275d5fa7a51731544d243ba16628a9958ffe3ce)

commit 269efd89a3611b2e7c29e47a69833e4837f1639a
Author: Werner Koch <wk@gnupg.org>
Date:   Tue Oct 1 12:52:46 2024 +0200

    Update NEWS

    --

commit 41626a16613a042e7ba2ec65420a41e63ede1f69
Author: Werner Koch <wk@gnupg.org>
Date:   Tue Oct 1 12:36:16 2024 +0200

    gpgsm: Possible improvement for some rare P12 files.

    * sm/minip12.c (parse_shrouded_key_bag): Increase size of salt buffer.
    --

    Reported on the mailing list.  The change does not seem to have a big
    regression risk, thus applied.  See below for the mail

    # ------------------------ >8 ------------------------
    https://lists.gnupg.org/pipermail/gnupg-users/2024-September/067312.html

commit f1e1cb0767a1802fb168188b54a20b45f2bb47f9
Author: Werner Koch <wk@gnupg.org>
Date:   Mon Jul 1 15:47:03 2024 +0200

    gpgconf: Allow listing of some new options

    --
    Also one old option.

    GnuPG-bug-id: 6882
    (cherry picked from commit df977729ff3879fdeab7bce339b95ee3fd8ecc42)

commit dcee2db36ba49a689625f8c4381000bb6e82ea76
Author: Werner Koch <wk@gnupg.org>
Date:   Mon Sep 30 18:22:25 2024 +0200

    gpgsm: Use a cache to speed up parent certificate lookup.

    * sm/gpgsm.h (COMPAT_NO_CHAIN_CACHE): New.
    (struct cert_cache_item_s, cert_cache_item_t): New.
    (struct server_control_s): Add parent_cert_cache.
    * sm/gpgsm.c (compatibility_flags): Add "no-chain-cache".
    (parent_cache_stats): New.
    (gpgsm_exit): Print the stats with --debug=memstat.
    (gpgsm_deinit_default_ctrl): Release the cache.
    * sm/certchain.c (gpgsm_walk_cert_chain): Cache the certificates.
    (do_validate_chain): Ditto.
    --

    This gives another boost of 30% (from 6.5 to 4.0 seconds in the test
    environment with ~1000 certs).  do_validate_chain actually brings us
    the speedup because the gpgsm_walk_cert_chain is not used during a
    key listing.  For the latter we actually cache all certificates
    because that was easier.

    GnuPG-bug-id: 7308

    Adjusted for 2.2:
    - Add gpgsm_deinit_default_ctrl
    - Remove ctrl arg from keydb_new

commit f9de275fd34a6b392643352f30790e469b8c7c71
Author: Andreas Metzler <ametzler@bebt.de>
Date:   Sat Sep 28 13:30:00 2024 +0200

    Run wrap-and-sort -ast

commit 55678cc06e49dd9a26158870773cbb007a4d640b
Author: Andreas Metzler <ametzler@bebt.de>
Date:   Sat Sep 28 13:29:23 2024 +0200

    Add myself to uploaders.

commit 9543b3567b04aa5423852c29ecb77ff004c220f4
Author: Werner Koch <wk@gnupg.org>
Date:   Fri Sep 27 15:50:46 2024 +0200

    sm: Optimize clearing of the ephemeral flag.

    * kbx/keybox-search.c (keybox_get_cert): Store the blob flags in the
    cert object.
    * sm/certchain.c (do_validate_chain): Skip clearing of the ephemeral
    flag if we know that it is not set.
    --

    GnuPG-bug-id: 7308

commit ecda4b1e1694107000534e6f8dc6fed1947f61bd
Author: Werner Koch <wk@gnupg.org>
Date:   Wed Jun 5 17:04:33 2024 +0200

    gpg: Add magic parameter "default" to --quick-add-adsk.

    * g10/getkey.c (has_key_with_fingerprint): New.
    * g10/keyedit.c (menu_addadsk): Replace code by new function.
    (keyedit_quick_addadsk): Handle magic arg "default".
    * g10/keygen.c (append_all_default_adsks): New.
    --

    GnuPG-bug-id: 6882
    (cherry picked from commit 77afc9ee1c75a28083edf6d98888f9b472c3e39d)

commit 45ae027ce404be5ef3f89384856cf823f859e37d
Author: Werner Koch <wk@gnupg.org>
Date:   Tue Mar 21 16:30:18 2023 +0100

    gpg: New command --quick-add-adsk

    * g10/gpg.c (enum cmd_and_opt_values): Add aQuickAddADSK.
    (opts): Add --quick-add-adsk.
    (main): Call the actual function.
    * g10/keyedit.c (keyedit_quick_addadsk): New.
    (menu_addadsk): Add arg adskfpr and change caller.
    --

    GnuPG-bug-id: 6395
    (cherry picked from commit 9f27e448bf1f825906f3c53e3428087d34bbd8fc)

commit eafe17532069e7ad64904e1d04952587a9c4dbd1
Author: Werner Koch <wk@gnupg.org>
Date:   Thu Sep 26 10:37:32 2024 +0200

    gpg: New option --default-new-key-adsk and "addadsk" for edit-key.

    * g10/free-packet.c (copy_public_key): Factor some code out to ...
    (copy_public_key_basics): new.
    * keygen.c (keygen_add_key_flags_and_expire): Rewrite and make public.
    * g10/keyedit.c (enum cmdids): Add cmdADDADSK.
    (keyedit_menu): Add command "addadsk".
    (menu_addadsk): New.
    * g10/options.h (opt): Add field def_new_key_adsks.
    * g10/gpg.c (oDefaultNewKeyADSK): New.
    (opts): Add --default-new-key-adsk.
    (main): Parse option.
    * g10/keyedit.c (menu_addadsk): Factor some code out to ...
    (append_adsk_to_key): new.  Add compliance check.
    * g10/keygen.c (pADSK): New.
    (para_data_s): Add adsk to the union.
    (release_parameter_list): Free the adsk.
    (prepare_adsk): New.
    (get_parameter_adsk): New.
    (get_parameter_revkey): Remove unneeded arg key and change callers.
    (proc_parameter_file): Prepare adsk parameter from the configured
    fingerprints.
    (do_generate_keypair): Create adsk.
    --

    GnuPG-bug-id: 6882
    (cherry picked from commit ed118e2ed521d82c1be7765a0a19d5b4f19afe10)
    and modified to adjust to other code changes

commit 7eb39815bd73a1df93c79a75edfddfca999ab629
Author: Werner Koch <wk@gnupg.org>
Date:   Fri May 31 17:21:49 2024 +0200

    common: New function tokenize_to_strlist.

    * common/strlist.c (append_to_strlist_try): Factor code out to ...
    (do_append_to_strlist): new.
    (tokenize_to_strlist): New.
    * common/t-strlist.c (test_tokenize_to_strlist): New.

    (cherry picked from commit d2dca58338a4936b293c3ec6be4572d0e74b6a0d)

commit c33523a0132e047032c4d65f9dedec0297bfbef3
Author: NIIBE Yutaka <gniibe@fsij.org>
Date:   Tue Sep 17 09:24:41 2024 +0900

    common:w32: Don't expose unused functions.

    * common/exechelp.h [HAVE_W32_SYSTEM] (get_max_fds): Don't expose.
    (close_all_fds, get_all_open_fds): Likewise.
    * common/exechelp-w32.c: Don't expose unused functions.

    --

    GnuPG-bug-id: 7293
    Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

commit 79ab52ff42e895037c15555b2ca6df6e34b5ad17
Author: Werner Koch <wk@gnupg.org>
Date:   Wed Sep 25 15:15:51 2024 +0200

    gpg: Exclude expired trusted keys from the key validation process.

    * g10/trustdb.c (copy_key_item): New.
    (validate_keys): Use a stripped down UTK list w/o expired keys.
    --

    This patch makes sure that an expired trusted key is not used for
    trust computation.  The test case is to delete a trusted key from the
    keyring, import a copy of that key which has already expired, check
    that a signed key is not anymore fully trusted and finally import a
    prolonged version of the trusted key and check that the signed key is
    now again fully trusted.

    GnuPG-bug-id: 7200

commit 23d4e7f0a7963d4cb660942bf673f85ea987967d
Author: Werner Koch <wk@gnupg.org>
Date:   Wed Sep 25 14:31:46 2024 +0200

    gpg: Validate the trustdb after the import of a trusted key.

    * g10/import.c (import_one_real): Rename non_self to non_self_or_utk.
    If not set after chk_self_sigs check whether the imported key is an
    ultimately trusted key.
    --

    The revalidation mark was only set if the imported key had a new key
    signature.  This is in general correct but not if the imported key is
    a trusted key.

    GnuPG-bug-id: 7200

commit 3dd6887f13b42997a3c07a0e674d5d33290ac76f
Author: Werner Koch <wk@gnupg.org>
Date:   Wed Sep 25 14:04:59 2024 +0200

    gpg: Remove useless variable in validate_keys.

    * g10/trustdb.c (store_validation_status): Remove arg 'stored'.
    (validate_keys): Remove keyhashtable 'stored' which was never used.
    --

    This has been here since 2003.  The variable was never evaluated -
    only stored.  Also added some comments.

commit 9e8e48e00b85b66563b1a581b0ffd8cbc5262e10
Author: Werner Koch <wk@gnupg.org>
Date:   Thu Sep 19 10:00:24 2024 +0200

    gpg: Avoid wrong decryption_failed for signed+OCB msg w/o pubkey.

    * g10/decrypt-data.c (struct decode_filter_context_s): Add flag
    checktag_failed.
    (aead_checktag): Set flag.
    (decrypt_data): Initially clear that flag and check the flag after
    the decryption.
    * g10/mainproc.c (proc_encrypted): Revert the log_get_errorcount based
    check.
    --

    This fixes a bug where for an OCB encrypted and signed message with
    the signing key missing during decryption the DECRYPTION_FAILED
    status line was printed along with "WARNING: encrypted message has
    been manipulated".  This was because we use log_error to show that
    the signature could not be verified due to the missing pubkey; the
    original fix looked at the error counter and thus triggered the
    decryption failed status.

    Fixes-commit: 82b39fe254703776209cebb88f428bf2d1eb596b
    GnuPG-bug-id: 7042

commit d9fdc165e65706f19e60221ad00b59a88fdff567
Author: Werner Koch <wk@gnupg.org>
Date:   Tue Sep 17 13:38:35 2024 +0200

    agent: Fix detection of the trustflag de-vs.

    * agent/trustlist.c (read_one_trustfile): Fix comparison.
    --

    Fixes-commit: 6d45fcdd3c3e8d039b05f7276e7619c19fc957d1
    GnuPG-bug-Id: 5079

commit 306f1250d22771a3a229bc1db25f682985e468c6
Author: Andreas Metzler <ametzler@bebt.de>
Date:   Mon Sep 16 18:29:37 2024 +0200

    Add bug closer

commit 953f236edec2dac73ffc3f951b58ce6d4c9d62e0
Author: Andreas Metzler <ametzler@bebt.de>
Date:   Sun Sep 15 13:45:28 2024 +0200

    Document changes

commit c7b113a0c09a03d856eca3e846bb64ec59e60fb7
Author: Andreas Metzler <ametzler@bebt.de>
Date:   Sun Sep 15 13:36:20 2024 +0200

    Drop outdated libassuan.m4

commit b543a5458065b49b42c9168e5eae182b12ec456b
Author: Andreas Metzler <ametzler@bebt.de>
Date:   Sun Sep 15 13:24:02 2024 +0200

    Refresh patches, drop cherry-picked one

commit 5a9311e46107f591f34d40679eed5362c243b5e8
Merge: 9e369fb7 2bb3d7ba
Author: Andreas Metzler <ametzler@bebt.de>
Date:   Sun Sep 15 13:04:36 2024 +0200

    Update upstream source from tag 'upstream/2.2.44'

    Update to upstream version '2.2.44'
    with Debian dir c83b24b39e9e0826a6a84a29afa5b664a938a680

commit 2bb3d7bab032264e8b0cd1e70a8e34f7eb7c70c4
Merge: f85d326a 148a25f3
Author: Andreas Metzler <ametzler@bebt.de>
Date:   Sun Sep 15 13:04:17 2024 +0200

    New upstream version 2.2.44

commit b357ff2aa64c6a0ff17941d99feeb1174035b031
Author: Werner Koch <wk@gnupg.org>
Date:   Thu Sep 12 11:06:09 2024 +0200

    gpg: Don't bail out for unknown subkey packet versions.

    * g10/import.c (read_block): Don't show a warning for unknown version
    also for non-primary-key packets.
    * g10/parse-packet.c (parse_key): Use log_info for unsupported v5
    packets.
    --

    This fixes the problem that 2.2 can't import keys with a v5 subkey.
    This fix allows a gnupg 2.6 version to export a key with an
    additional PQC subkey and 2.2 can still import the other subkeys.

    The second patch avoids that gpg returns with an error code.

    Updates-commit: de70a2f377c1647417fb8a2b6476c3744a901296
There is 1 open security issue in bookworm.
You can find information about how to handle this issue in the security team's documentation.
Among the 42 debian patches available in version 2.2.46-6 of the package, we noticed the following issues: