diff options
| author | VinÃcius Zavam <egypcio@FreeBSD.org> | 2022-02-28 22:12:47 +0000 |
|---|---|---|
| committer | VinÃcius Zavam <egypcio@FreeBSD.org> | 2022-02-28 22:12:47 +0000 |
| commit | 5ea1e5b4bbefd1ac2eef64f71f70ffe3ceaab55e (patch) | |
| tree | 4401fc085611c3c6c25a3006276a2826cedb9862 /security | |
| parent | 649135779d246ebd039ab9a2df15fbbf2fa3f0a4 (diff) | |
| download | ports-5ea1e5b4bbefd1ac2eef64f71f70ffe3ceaab55e.tar.gz ports-5ea1e5b4bbefd1ac2eef64f71f70ffe3ceaab55e.zip | |
security/monkeysphere: update 0.42 to 0.43
* Depend on a modern version of GnuPG (>= 2.1.11) for --export-ssh-key
* Depend on OpenSSH's ssh-keygen directly for most SSH fingerprints
* Depend on OpenSSH >= 6.0 for ed25519 and "sshd -T"
* Use runuser instead of su
* Support Ed25519 authentication-capable subkeys for users
* Use https for all outbound links
* Clean up spelling
* Use 3072 bits for RSA keys everywhere by default
* Provide clearer error message for PEM2OPENPGP_NEWKEY
* Avoid locking out users unnecessarily
https://github.com/dkg/monkeysphere/tree/monkeysphere_0.43
Diffstat (limited to 'security')
18 files changed, 51 insertions, 436 deletions
diff --git a/security/monkeysphere/Makefile b/security/monkeysphere/Makefile index 156be1f05700..76a9197ea1ec 100644 --- a/security/monkeysphere/Makefile +++ b/security/monkeysphere/Makefile @@ -1,13 +1,14 @@ # Created by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> PORTNAME= monkeysphere -PORTVERSION= 0.42 +PORTVERSION= 0.43 CATEGORIES= security MAINTAINER= egypcio@FreeBSD.org COMMENT= Use the OpenPGP web of trust to verify ssh connections LICENSE= GPLv3 +LICENSE_FILE= ${WRKSRC}/COPYING LIB_DEPENDS= libassuan.so:security/libassuan \ libgcrypt.so:security/libgcrypt \ @@ -15,16 +16,17 @@ LIB_DEPENDS= libassuan.so:security/libassuan \ RUN_DEPENDS= gpg2:security/gnupg \ lockfile:mail/procmail \ bash:shells/bash \ - p5-Crypt-OpenSSL-RSA>=0:security/p5-Crypt-OpenSSL-RSA \ - p5-Digest-SHA1>=0:security/p5-Digest-SHA1 + p5-Crypt-OpenSSL-RSA>=0:security/p5-Crypt-OpenSSL-RSA -USES= gmake shebangfix +USES= gmake perl5 shebangfix USE_GITHUB= yes GH_ACCOUNT= dkg GH_TAGNAME= ${PORTNAME}_${PORTVERSION} -SHEBANG_FILES= src/share/checkperms src/transitions/0.23 \ - src/transitions/0.28 src/share/keytrans +SHEBANG_FILES= src/monkeysphere* \ + src/share/c* src/share/defaultenv src/share/keytrans \ + src/transitions/0.23 src/transitions/0.28 \ + tests/basic tests/common tests/keytrans tests/phony* USERS= monkeysphere GROUPS= monkeysphere @@ -35,26 +37,26 @@ OPTIONS_DEFINE= DOCS post-patch: @${REINPLACE_CMD} -i '' 's|/etc/monkeysphere|${PREFIX}/etc/monkeysphere|g' \ - ${WRKSRC}/src/share/defaultenv \ - ${WRKSRC}/src/transitions/0.23 \ - ${WRKSRC}/man/man1/monkeysphere.1 \ - ${WRKSRC}/man/man8/monkeysphere-authentication.8 \ - ${WRKSRC}/man/man8/monkeysphere-host.8 \ - ${WRKSRC}/etc/monkeysphere-authentication.conf - @${REINPLACE_CMD} -i '' 's|/var/lib/monkeysphere|/var/monkeysphere|g' \ - ${WRKSRC}/src/transitions/0.23 \ - ${WRKSRC}/man/man1/monkeysphere.1 \ - ${WRKSRC}/man/man8/monkeysphere-authentication.8 \ - ${WRKSRC}/man/man8/monkeysphere-host.8 \ - ${WRKSRC}/src/monkeysphere-host \ - ${WRKSRC}/src/monkeysphere-authentication + ${WRKSRC}/etc/*.conf ${WRKSRC}/examples/* \ + ${WRKSRC}/man/man1/* ${WRKSRC}/man/man7/* ${WRKSRC}/man/man8/* \ + ${WRKSRC}/src/monkeysphere* \ + ${WRKSRC}/src/share/c* ${WRKSRC}/src/share/defaultenv ${WRKSRC}/src/share/keytrans \ + ${WRKSRC}/src/share/m/* ${WRKSRC}/src/share/mh/* \ + ${WRKSRC}/tests/basic ${WRKSRC}/tests/keytrans ${WRKSRC}/tests/phony* @${REINPLACE_CMD} -i '' 's|/usr/share/monkeysphere|${PREFIX}/share/monkeysphere|g' \ - ${WRKSRC}/src/monkeysphere-host \ - ${WRKSRC}/src/monkeysphere-authentication \ - ${WRKSRC}/src/monkeysphere - # and clean up cruft from any patches or sed replacements: - ${FIND} ${WRKSRC} \( -name \*.bak -o -name \*.orig \) -delete - @${REINPLACE_CMD} 's|gcc|${CC}|g' ${WRKSRC}/Makefile + ${WRKSRC}/etc/*.conf ${WRKSRC}/examples/* \ + ${WRKSRC}/man/man1/* ${WRKSRC}/man/man7/* ${WRKSRC}/man/man8/* \ + ${WRKSRC}/src/monkeysphere* \ + ${WRKSRC}/src/share/c* ${WRKSRC}/src/share/defaultenv ${WRKSRC}/src/share/keytrans \ + ${WRKSRC}/src/share/m/* ${WRKSRC}/src/share/mh/* \ + ${WRKSRC}/tests/basic ${WRKSRC}/tests/keytrans ${WRKSRC}/tests/phony* + @${REINPLACE_CMD} -i '' 's|/var/lib/monkeysphere|/var/monkeysphere|g' \ + ${WRKSRC}/etc/*.conf ${WRKSRC}/examples/* \ + ${WRKSRC}/man/man1/* ${WRKSRC}/man/man7/* ${WRKSRC}/man/man8/* \ + ${WRKSRC}/src/monkeysphere* \ + ${WRKSRC}/src/share/c* ${WRKSRC}/src/share/defaultenv ${WRKSRC}/src/share/keytrans \ + ${WRKSRC}/src/share/m/* ${WRKSRC}/src/share/mh/* \ + ${WRKSRC}/tests/basic ${WRKSRC}/tests/keytrans ${WRKSRC}/tests/phony* post-install: ${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/agent-transfer diff --git a/security/monkeysphere/distinfo b/security/monkeysphere/distinfo index ac36986c9689..aa59049ee6f1 100644 --- a/security/monkeysphere/distinfo +++ b/security/monkeysphere/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1645881389 -SHA256 (dkg-monkeysphere-0.42-monkeysphere_0.42_GH0.tar.gz) = 8190047383a91c17301be8063f59b9f9c07b349853f865ce0f6d199094cfe90d -SIZE (dkg-monkeysphere-0.42-monkeysphere_0.42_GH0.tar.gz) = 110434 +TIMESTAMP = 1646065321 +SHA256 (dkg-monkeysphere-0.43-monkeysphere_0.43_GH0.tar.gz) = 5f0d39aecda508ac23883f3255d0f43b4c1f596dbcf718f859f64114cdfa3a17 +SIZE (dkg-monkeysphere-0.43-monkeysphere_0.43_GH0.tar.gz) = 111791 diff --git a/security/monkeysphere/files/patch-examples_make-x509-certreqs b/security/monkeysphere/files/patch-examples_make-x509-certreqs deleted file mode 100644 index 86c0cc0efe89..000000000000 --- a/security/monkeysphere/files/patch-examples_make-x509-certreqs +++ /dev/null @@ -1,34 +0,0 @@ ---- examples/make-x509-certreqs.orig 2018-10-16 16:24:55 UTC -+++ examples/make-x509-certreqs -@@ -69,12 +69,12 @@ EOF - gencertreq() { - keyid="$1" - -- timestamp=$(gpg --fixed-list-mode --with-colons --list-keys "0x$keyid!" | grep ^pub: | cut -f6 -d:) -+ timestamp=$(gpg2 --fixed-list-mode --with-colons --list-keys "0x$keyid!" | grep ^pub: | cut -f6 -d:) - - san='' - primary='' - # find all the $proto-using User IDs: -- uids=$(gpg --fixed-list-mode --with-colons --list-keys "0x$keyid!" | \ -+ uids=$(gpg2 --fixed-list-mode --with-colons --list-keys "0x$keyid!" | \ - grep '^uid:' | cut -f10 -d: | \ - grep '^'"${proto}"'\\x3a//' | \ - sed -r -e 's!^'"${proto}"'\\x3a//!!' -e 's!:[0-9]+$!!') -@@ -83,7 +83,7 @@ gencertreq() { - printf "Certificate Request for TLS WWW server %s\n[OpenPGP key %s]\n" "$primary" "$keyid" - openssl req -text -new \ - -config <(get_openssl_config "$timestamp" "$uids") \ -- -key <(gpg --export-secret-key "$keyid" | openpgp2ssh "$keyid") \ -+ -key <(gpg2 --export-secret-key "$keyid" | openpgp2ssh "$keyid") \ - -subj "/CN=${primary}/" - } - -@@ -92,6 +92,6 @@ export GNUPGHOME=/var/lib/monkeysphere/host - # default to looking for https keys. - proto="${1:-https}" - --for fpr in $(gpg --fixed-list-mode --with-colons --fingerprint --list-secret-keys "${proto}://" | awk -F: '/^fpr:/{ if (ok) { print $10 } ; ok=0 } /^sec:/{ ok=1 }'); do -+for fpr in $(gpg2 --fixed-list-mode --with-colons --fingerprint --list-secret-keys "${proto}://" | awk -F: '/^fpr:/{ if (ok) { print $10 } ; ok=0 } /^sec:/{ ok=1 }'); do - gencertreq "$fpr" - done diff --git a/security/monkeysphere/files/patch-examples_monkeysphere-monitor-keys b/security/monkeysphere/files/patch-examples_monkeysphere-monitor-keys deleted file mode 100644 index 9b80668e0f86..000000000000 --- a/security/monkeysphere/files/patch-examples_monkeysphere-monitor-keys +++ /dev/null @@ -1,11 +0,0 @@ ---- examples/monkeysphere-monitor-keys.orig 2018-10-16 16:24:55 UTC -+++ examples/monkeysphere-monitor-keys -@@ -31,7 +31,7 @@ - - # FIXME: does this handle revocations and re-keying? if a sysadmin - # switches over to this arrangement, how will the system check for --# revocations? Scheduling a simple gpg --refresh should handle -+# revocations? Scheduling a simple gpg2 --refresh should handle - # revocations. I'm not sure how to best handle re-keyings. - - use strict; diff --git a/security/monkeysphere/files/patch-src_agent-transfer_main.c b/security/monkeysphere/files/patch-src_agent-transfer_main.c new file mode 100644 index 000000000000..00401b20ceee --- /dev/null +++ b/security/monkeysphere/files/patch-src_agent-transfer_main.c @@ -0,0 +1,20 @@ +--- src/agent-transfer/main.c.orig 2022-02-28 17:21:23 UTC ++++ src/agent-transfer/main.c +@@ -385,7 +385,7 @@ size_t get_ssh_sz (gcry_mpi_t mpi) { + int send_to_ssh_agent(struct exporter *e, int fd, unsigned int seconds, int confirm, const char *comment) { + const char *key_type; + int ret; +- size_t len, mpilen; ++ size_t len=0, mpilen=0; + off_t offset; + unsigned char *msgbuf = NULL; + uint32_t tmp; +@@ -450,7 +450,7 @@ int send_to_ssh_agent(struct exporter *e, int fd, unsi + qdata = gcry_mpi_get_opaque (e->q, &qsz); + ddata = gcry_mpi_get_opaque (e->d, &dsz); + if (qsz != 33*8 || dsz != 32*8 || !qdata || !ddata) { +- fprintf (stderr, "Ed25519 key did not have the expected components (q: %d %p, d: %d %p)\n", ++ fprintf (stderr, "Ed25519 key did not have the expected components (q: %d %s, d: %d %s)\n", + qsz, qdata, dsz, ddata); + return -1; + } diff --git a/security/monkeysphere/files/patch-src_monkeysphere b/security/monkeysphere/files/patch-src_monkeysphere deleted file mode 100644 index 9b308e3449d3..000000000000 --- a/security/monkeysphere/files/patch-src_monkeysphere +++ /dev/null @@ -1,20 +0,0 @@ ---- src/monkeysphere.orig 2018-10-16 16:24:55 UTC -+++ src/monkeysphere -@@ -62,7 +62,7 @@ EOF - - # user gpg command to define common options - gpg_user() { -- LC_ALL=C "${GPG:-gpg}" --fixed-list-mode --no-greeting --quiet --no-tty "$@" -+ LC_ALL=C "${GPG:-gpg2}" --fixed-list-mode --no-greeting --quiet --no-tty "$@" - } - - # output the ssh fingerprint of a gpg key -@@ -92,7 +92,7 @@ check_gpg_sec_key_id() { - case $(echo "$gpgSecOut" | grep -c '^sec:') in - 0) - failure "No secret keys found. Create an OpenPGP key with the following command: -- gpg --gen-key" -+ gpg2 --gen-key" - ;; - 1) - echo "$gpgSecOut" | cut -d: -f5 diff --git a/security/monkeysphere/files/patch-src_monkeysphere-authentication b/security/monkeysphere/files/patch-src_monkeysphere-authentication deleted file mode 100644 index 3f5c26ef687e..000000000000 --- a/security/monkeysphere/files/patch-src_monkeysphere-authentication +++ /dev/null @@ -1,20 +0,0 @@ ---- src/monkeysphere-authentication.orig 2018-10-16 16:24:55 UTC -+++ src/monkeysphere-authentication -@@ -73,7 +73,7 @@ gpg_core() { - GNUPGHOME="$GNUPGHOME_CORE" - export GNUPGHOME - -- gpg --fixed-list-mode --no-greeting --quiet --no-tty "$@" -+ gpg2 --fixed-list-mode --no-greeting --quiet --no-tty "$@" - } - - # function to interact with the gpg sphere keyring -@@ -81,7 +81,7 @@ gpg_sphere() { - GNUPGHOME="$GNUPGHOME_SPHERE" - export GNUPGHOME - -- su_monkeysphere_user gpg --fixed-list-mode --no-greeting --quiet --no-tty "$@" -+ su_monkeysphere_user gpg2 --fixed-list-mode --no-greeting --quiet --no-tty "$@" - } - - check_openpgp2ssh_sanity() { diff --git a/security/monkeysphere/files/patch-src_monkeysphere-host b/security/monkeysphere/files/patch-src_monkeysphere-host deleted file mode 100644 index 6602f69cc060..000000000000 --- a/security/monkeysphere/files/patch-src_monkeysphere-host +++ /dev/null @@ -1,49 +0,0 @@ ---- src/monkeysphere-host.orig 2018-10-16 16:24:55 UTC -+++ src/monkeysphere-host -@@ -71,7 +71,7 @@ EOF - - # function to interact with the gpg keyring - gpg_host() { -- GNUPGHOME="$GNUPGHOME_HOST" LC_ALL=C gpg --no-auto-check-trustdb --trust-model=always --no-greeting --quiet --no-tty --fixed-list-mode "$@" -+ GNUPGHOME="$GNUPGHOME_HOST" LC_ALL=C gpg2 --no-auto-check-trustdb --trust-model=always --no-greeting --quiet --no-tty --fixed-list-mode "$@" - } - - # list the info about the a key, in colon format, to stdout -@@ -297,10 +297,10 @@ show_key() { - trap cleanup EXIT - - # import the host key into the tmp dir -- gpg --quiet --import <"$HOST_KEY_FILE" -+ gpg2 --quiet --import <"$HOST_KEY_FILE" - - # get the gpg fingerprint -- if gpg --quiet --list-keys \ -+ if gpg2 --quiet --list-keys \ - --with-colons --with-fingerprint "$id" \ - | awk -F: '/^fpr:/{ if (ok) { print $10 } ; ok=0 } /^pub:/{ ok=1 }' > "$GNUPGHOME"/fingerprint ; then - fingerprint=$(cat "$GNUPGHOME"/fingerprint) -@@ -311,13 +311,13 @@ show_key() { - # list the host key info - # FIXME: make no-show-keyring work so we don't have to do the grep'ing - # FIXME: can we show uid validity somehow? -- gpg --list-keys --list-options show-unusable-uids "$fingerprint" 2>/dev/null \ -+ gpg2 --list-keys --list-options show-unusable-uids "$fingerprint" 2>/dev/null \ - | egrep -v "^${GNUPGHOME}/pubring.(gpg|kbx)$" \ - | egrep -v '^-+$' \ - | grep -v '^$' - - # list revokers, if there are any -- revokers=$(gpg --list-keys --with-colons --fixed-list-mode "$fingerprint" \ -+ revokers=$(gpg2 --list-keys --with-colons --fixed-list-mode "$fingerprint" \ - | awk -F: '/^rvk:/{ print $10 }' ) - if [ "$revokers" ] ; then - echo "The following keys are allowed to revoke this host key:" -@@ -331,7 +331,7 @@ show_key() { - - # list the ssh fingerprint - printf "ssh fingerprint: %s\n" \ -- "$(gpg --export --no-armor "$fingerprint" 2>/dev/null | "$SYSSHAREDIR/keytrans" openpgp2sshfpr "$fingerprint")" -+ "$(gpg2 --export --no-armor "$fingerprint" 2>/dev/null | "$SYSSHAREDIR/keytrans" openpgp2sshfpr "$fingerprint")" - - # remove the tmp file - trap - EXIT diff --git a/security/monkeysphere/files/patch-src_share_common b/security/monkeysphere/files/patch-src_share_common deleted file mode 100644 index 1c2b501f5de0..000000000000 --- a/security/monkeysphere/files/patch-src_share_common +++ /dev/null @@ -1,69 +0,0 @@ ---- src/share/common.orig 2018-10-16 16:24:55 UTC -+++ src/share/common -@@ -495,7 +495,7 @@ gpg2ssh() { - - keyID="$1" - -- gpg --export --no-armor "$keyID" | openpgp2ssh "$keyID" 2>/dev/null -+ gpg2 --export --no-armor "$keyID" | openpgp2ssh "$keyID" 2>/dev/null - } - - # output known_hosts line from ssh key -@@ -601,7 +601,7 @@ gpg2authorized_keys() { - - # script to determine if gpg version is equal to or greater than specified version - is_gpg_version_greater_equal() { -- local gpgVersion=$(gpg --version | head -1 | awk '{ print $3 }') -+ local gpgVersion=$(gpg2 --version | head -1 | awk '{ print $3 }') - local latest=$(printf '%s\n%s\n' "$1" "$gpgVersion" \ - | tr '.' ' ' | sort -g -k1 -k2 -k3 \ - | tail -1 | tr ' ' '.') -@@ -622,7 +622,7 @@ gpg_fetch_userid() { - - log verbose " checking keyserver $KEYSERVER... " - foundkeyids="$(echo | \ -- gpg --quiet --batch --with-colons \ -+ gpg2 --quiet --batch --with-colons \ - --command-fd 0 --keyserver "$KEYSERVER" \ - --search ="$userID" 2>/dev/null)" - returnCode="$?" -@@ -637,7 +637,7 @@ $foundkeyids - foundkeyids="$(printf "%s" "$foundkeyids" | grep '^pub:' | cut -f2 -d: | sed 's/^/0x/')" - log verbose " Found keyids on keyserver: $(printf "%s" "$foundkeyids" | tr '\n' ' ')" - if [ -n "$foundkeyids" ]; then -- echo | gpg --quiet --batch --with-colons \ -+ echo | gpg2 --quiet --batch --with-colons \ - --command-fd 0 --keyserver "$KEYSERVER" \ - --recv-keys $foundkeyids &>/dev/null - returnCode="$?" -@@ -693,7 +693,7 @@ process_user_id() { - gpg_fetch_userid "$userID" - - # output gpg info for (exact) userid and store -- gpgOut=$(gpg --list-key --fixed-list-mode --with-colons \ -+ gpgOut=$(gpg2 --list-key --fixed-list-mode --with-colons \ - --with-fingerprint --with-fingerprint \ - ="$userID" 2>/dev/null) || returnCode="$?" - -@@ -962,8 +962,8 @@ list_primary_fingerprints() { - rm -rf "$fake" - } - trap cleanup EXIT -- GNUPGHOME="$fake" gpg --no-tty --quiet --import --ignore-time-conflict 2>/dev/null -- GNUPGHOME="$fake" gpg --with-colons --fingerprint --list-keys | \ -+ GNUPGHOME="$fake" gpg2 --no-tty --quiet --import --ignore-time-conflict 2>/dev/null -+ GNUPGHOME="$fake" gpg2 --with-colons --fingerprint --list-keys | \ - awk -F: '/^fpr:/{ if (ok) { print $10 } ; ok=0 } /^pub:/{ ok=1 }' - trap - EXIT - cleanup -@@ -981,8 +981,8 @@ get_cert_info() { - fi - rm -rf "$fake" - } -- GNUPGHOME="$fake" gpg --no-tty --quiet --import --ignore-time-conflict 2>/dev/null -- GNUPGHOME="$fake" gpg --with-colons --fingerprint --fixed-list-mode --list-keys "$1" -+ GNUPGHOME="$fake" gpg2 --no-tty --quiet --import --ignore-time-conflict 2>/dev/null -+ GNUPGHOME="$fake" gpg2 --with-colons --fingerprint --fixed-list-mode --list-keys "$1" - trap - EXIT - cleanup - } diff --git a/security/monkeysphere/files/patch-src_share_keytrans b/security/monkeysphere/files/patch-src_share_keytrans deleted file mode 100644 index 3eeea26fd878..000000000000 --- a/security/monkeysphere/files/patch-src_share_keytrans +++ /dev/null @@ -1,20 +0,0 @@ ---- src/share/keytrans.orig 2019-01-17 11:12:48 UTC -+++ src/share/keytrans -@@ -20,7 +20,7 @@ - - # Usage: - --# pem2openpgp 'ssh://'$(hostname -f) < /etc/ssh/ssh_host_rsa_key | gpg --import -+# pem2openpgp 'ssh://'$(hostname -f) < /etc/ssh/ssh_host_rsa_key | gpg2 --import - - - -@@ -35,7 +35,7 @@ - - # Example usage: - --# gpg --export-secret-subkeys --export-options export-reset-subkey-passwd $KEYID | \ -+# gpg2 --export-secret-subkeys --export-options export-reset-subkey-passwd $KEYID | \ - # openpgp2ssh $KEYID | ssh-add /dev/stdin - - diff --git a/security/monkeysphere/files/patch-src_share_m_gen__subkey b/security/monkeysphere/files/patch-src_share_m_gen__subkey deleted file mode 100644 index a1fc8a614fa3..000000000000 --- a/security/monkeysphere/files/patch-src_share_m_gen__subkey +++ /dev/null @@ -1,11 +0,0 @@ ---- src/share/m/gen_subkey.orig 2018-10-16 16:24:55 UTC -+++ src/share/m/gen_subkey -@@ -46,7 +46,7 @@ Type '$PGRM help' for usage." - - # determine which keyType to use from gpg version - keyType=7 -- case $(gpg --version | head -1 | awk '{ print $3 }' | cut -d. -f1) in -+ case $(gpg2 --version | head -1 | awk '{ print $3 }' | cut -d. -f1) in - 1) - if is_gpg_version_greater_equal 1.4.10 ; then - keyType=8 diff --git a/security/monkeysphere/files/patch-src_share_m_ssh__proxycommand b/security/monkeysphere/files/patch-src_share_m_ssh__proxycommand deleted file mode 100644 index 09fb7f9fd28d..000000000000 --- a/security/monkeysphere/files/patch-src_share_m_ssh__proxycommand +++ /dev/null @@ -1,11 +0,0 @@ ---- src/share/m/ssh_proxycommand.orig 2018-10-16 16:24:55 UTC -+++ src/share/m/ssh_proxycommand -@@ -301,7 +301,7 @@ EOF - - log info <<EOF - Run the following command for more info about the found keys: --gpg --check-sigs --list-options show-uid-validity =${userID} -+gpg2 --check-sigs --list-options show-uid-validity =${userID} - EOF - - # FIXME: should we do anything extra here if the retrieved diff --git a/security/monkeysphere/files/patch-src_share_m_subkey__to__ssh__agent b/security/monkeysphere/files/patch-src_share_m_subkey__to__ssh__agent deleted file mode 100644 index 2d9dd7bb5636..000000000000 --- a/security/monkeysphere/files/patch-src_share_m_subkey__to__ssh__agent +++ /dev/null @@ -1,11 +0,0 @@ ---- src/share/m/subkey_to_ssh_agent.orig 2018-10-16 16:24:55 UTC -+++ src/share/m/subkey_to_ssh_agent -@@ -54,7 +54,7 @@ subkey_to_ssh_agent() { - - if [ -z "$secretkeys" ]; then - failure "You have no secret keys in your keyring! --You might want to run 'gpg --gen-key'." -+You might want to run 'gpg2 --gen-key'." - fi - - # $2 regex means "is some kind of valid, or at least not invalid" diff --git a/security/monkeysphere/files/patch-src_share_mh_add__revoker b/security/monkeysphere/files/patch-src_share_mh_add__revoker deleted file mode 100644 index a51e198120a7..000000000000 --- a/security/monkeysphere/files/patch-src_share_mh_add__revoker +++ /dev/null @@ -1,35 +0,0 @@ ---- src/share/mh/add_revoker.orig 2018-10-16 16:24:55 UTC -+++ src/share/mh/add_revoker -@@ -71,12 +71,12 @@ else - - # download the key from the keyserver as the monkeysphere user - log verbose "searching keyserver $KEYSERVER for revoker keyID $revokerKeyID..." -- su_monkeysphere_user "GNUPGHOME=$tmpDir" gpg --quiet --keyserver "$KEYSERVER" --recv-key "0x${revokerKeyID}!" \ -+ su_monkeysphere_user "GNUPGHOME=$tmpDir" gpg2 --quiet --keyserver "$KEYSERVER" --recv-key "0x${revokerKeyID}!" \ - || failure "Could not receive a key with this ID from keyserver '$KEYSERVER'." - - # get the full fingerprint of new revoker key - log debug "getting fingerprint of revoker key..." -- fingerprint=$(su_monkeysphere_user "GNUPGHOME=$tmpDir" gpg --list-key --with-colons --with-fingerprint "${revokerKeyID}" \ -+ fingerprint=$(su_monkeysphere_user "GNUPGHOME=$tmpDir" gpg2 --list-key --with-colons --with-fingerprint "${revokerKeyID}" \ - | awk -F: '/^fpr:/{ if (ok) { print $10 }; ok=0 } /^pub:/{ ok=1 }') - - # test that there is only a single fingerprint -@@ -90,7 +90,7 @@ EOF - fi - - log info "revoker key found:" -- su_monkeysphere_user "GNUPGHOME=$tmpDir" gpg --fingerprint "0x${fingerprint}!" -+ su_monkeysphere_user "GNUPGHOME=$tmpDir" gpg2 --fingerprint "0x${fingerprint}!" - - if [ "$PROMPT" = "true" ] ; then - printf "Are you sure you want to add the above key as a revoker\nof the key '$keyID'? (Y/n) " >&2 -@@ -104,7 +104,7 @@ EOF - - # export the new key to the host keyring - log debug "loading revoker key into host keyring..." -- su_monkeysphere_user "GNUPGHOME=$tmpDir" gpg --quiet --export "0x${fingerprint}!" \ -+ su_monkeysphere_user "GNUPGHOME=$tmpDir" gpg2 --quiet --export "0x${fingerprint}!" \ - | gpg_host --import - fi - diff --git a/security/monkeysphere/files/patch-src_share_mh_publish__key b/security/monkeysphere/files/patch-src_share_mh_publish__key deleted file mode 100644 index 609222685bf2..000000000000 --- a/security/monkeysphere/files/patch-src_share_mh_publish__key +++ /dev/null @@ -1,20 +0,0 @@ ---- src/share/mh/publish_key.orig 2018-10-16 16:24:55 UTC -+++ src/share/mh/publish_key -@@ -46,7 +46,7 @@ trap cleanup EXIT - - # import the key into the tmp dir - su_monkeysphere_user \ -- gpg --quiet --import <"$HOST_KEY_FILE" -+ gpg2 --quiet --import <"$HOST_KEY_FILE" - - ANCHORFILE="" - for anchorfile in "${SYSCONFIGDIR}/monkeysphere-host-x509-anchors.crt" "${SYSCONFIGDIR}/monkeysphere-x509-anchors.crt"; do -@@ -59,7 +59,7 @@ done - # publish key - log debug "publishing key with the following gpg command line and options:" - su_monkeysphere_user \ -- gpg --keyserver "$KEYSERVER" ${ANCHORFILE:+--keyserver-options "ca-cert-file=$ANCHORFILE"} --send-keys "0x${keyID}!" -+ gpg2 --keyserver "$KEYSERVER" ${ANCHORFILE:+--keyserver-options "ca-cert-file=$ANCHORFILE"} --send-keys "0x${keyID}!" - - # remove the tmp file - trap - EXIT diff --git a/security/monkeysphere/files/patch-src_share_mh_revoke__key b/security/monkeysphere/files/patch-src_share_mh_revoke__key deleted file mode 100644 index 2616c1b6191b..000000000000 --- a/security/monkeysphere/files/patch-src_share_mh_revoke__key +++ /dev/null @@ -1,29 +0,0 @@ ---- src/share/mh/revoke_key.orig 2018-10-16 16:24:55 UTC -+++ src/share/mh/revoke_key -@@ -72,11 +72,11 @@ y - else - # note: we're not using the gpg_host function because we actually - # want to use gpg's UI in this case, so we want to omit --no-tty -- revcert=$(GNUPGHOME="$GNUPGHOME_HOST" gpg --no-greeting --quiet --armor --gen-revoke "0x${keyID}!") \ -+ revcert=$(GNUPGHOME="$GNUPGHOME_HOST" gpg2 --no-greeting --quiet --armor --gen-revoke "0x${keyID}!") \ - || failure "Failed to generate revocation certificate!" - fi - -- # if you run gpg --gen-revoke but cancel it or quit in the middle, -+ # if you run gpg2 --gen-revoke but cancel it or quit in the middle, - # it returns success, but emits no revocation certificate: - if ! [ "$revcert" ] ; then - failure "Revocation canceled." -@@ -94,9 +94,9 @@ y - printf "Not publishing.\n" >&2 - else - local newhome=$(msmktempdir) -- GNUPGHOME="$newhome" gpg --no-tty --quiet --import < "$HOST_KEY_FILE" -- GNUPGHOME="$newhome" gpg --no-tty --quiet --import <<< "$revcert" -- GNUPGHOME="$newhome" gpg --keyserver "$KEYSERVER" --send-keys "0x${keyID}!" -+ GNUPGHOME="$newhome" gpg2 --no-tty --quiet --import < "$HOST_KEY_FILE" -+ GNUPGHOME="$newhome" gpg2 --no-tty --quiet --import <<< "$revcert" -+ GNUPGHOME="$newhome" gpg2 --keyserver "$KEYSERVER" --send-keys "0x${keyID}!" - rm -rf "$newhome" - fi - fi diff --git a/security/monkeysphere/files/patch-src_transitions_0.23 b/security/monkeysphere/files/patch-src_transitions_0.23 deleted file mode 100644 index 56f83c6aa1a1..000000000000 --- a/security/monkeysphere/files/patch-src_transitions_0.23 +++ /dev/null @@ -1,67 +0,0 @@ ---- src/transitions/0.23.orig 2019-01-17 11:12:48 UTC -+++ src/transitions/0.23 -@@ -72,7 +72,7 @@ if [ -d "$SYSDATADIR"/gnupg-host ] ; then - # get the old host keygrip (don't know why there would be more - # than one, but we'll transfer all tsigs made by any key that - # had been given ultimate ownertrust): -- for authgrip in $(GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --quiet --no-tty --no-permission-warning --export-ownertrust | \ -+ for authgrip in $(GNUPGHOME="$SYSDATADIR"/gnupg-host gpg2 --quiet --no-tty --no-permission-warning --export-ownertrust | \ - grep ':6:$' | \ - sed -r 's/^[A-F0-9]{24}([A-F0-9]{16}):6:$/\1/') ; do - -@@ -88,7 +88,7 @@ if [ -d "$SYSDATADIR"/gnupg-host ] ; then - # one of those certifications (even if later - # certifications had different parameters). - -- GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --quiet --no-tty --no-permission-warning --fingerprint --with-colons --fixed-list-mode --check-sigs | \ -+ GNUPGHOME="$SYSDATADIR"/gnupg-host gpg2 --quiet --no-tty --no-permission-warning --fingerprint --with-colons --fixed-list-mode --check-sigs | \ - cut -f 1,2,5,8,9,10 -d: | \ - egrep '^(fpr:::::|sig:!:'"$authgrip"':[[:digit:]]+ [[:digit:]]+:)' | \ - while IFS=: read -r type validity grip trustparams trustdomain fpr ; do -@@ -130,7 +130,7 @@ if [ -d "$SYSDATADIR"/gnupg-host ] ; then - - CERTKEY=$(mktemp ${TMPDIR:-/tmp}/mstransition.XXXXXXXX) - log "Adding identity certifier with fingerprint %s\n" "$keyfpr" -- GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --quiet --no-tty --no-permission-warning --export "0x$keyfpr" --export-options export-clean >"$CERTKEY" -+ GNUPGHOME="$SYSDATADIR"/gnupg-host gpg2 --quiet --no-tty --no-permission-warning --export "0x$keyfpr" --export-options export-clean >"$CERTKEY" - MONKEYSPHERE_PROMPT=false monkeysphere-authentication add-identity-certifier $finaldomain --trust "$truststring" --depth "$trustdepth" "$CERTKEY" - rm -f "$CERTKEY" - # clear the fingerprint so that we don't -@@ -150,9 +150,9 @@ if [ -d "$SYSDATADIR"/gnupg-host ] ; then - log "Not transferring host key info because host directory already exists.\n" - else - if [ -s "$SYSDATADIR"/ssh_host_rsa_key ] || \ -- GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --quiet --no-tty --no-permission-warning --with-colons --list-secret-keys | grep -q '^sec:' ; then -+ GNUPGHOME="$SYSDATADIR"/gnupg-host gpg2 --quiet --no-tty --no-permission-warning --with-colons --list-secret-keys | grep -q '^sec:' ; then - -- FPR=$(GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --quiet --no-tty --no-permission-warning --with-colons --fixed-list-mode --list-secret-keys --fingerprint | awk -F: '/^fpr:/{ print $10 }' ) -+ FPR=$(GNUPGHOME="$SYSDATADIR"/gnupg-host gpg2 --quiet --no-tty --no-permission-warning --with-colons --fixed-list-mode --list-secret-keys --fingerprint | awk -F: '/^fpr:/{ print $10 }' ) - - # create host home - mkdir -p $(dirname "$MHDATADIR") -@@ -169,12 +169,12 @@ if [ -d "$SYSDATADIR"/gnupg-host ] ; then - # FIXME: if all self-sigs are expired, then the secret key import may - # fail anyway. How should we deal with that? - -- if (GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --quiet --no-tty --no-permission-warning --export-secret-keys && \ -- GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --quiet --no-tty --no-permission-warning --export "$FPR") | \ -- GNUPGHOME="$NEWDATADIR" gpg --quiet --no-tty --import ; then -+ if (GNUPGHOME="$SYSDATADIR"/gnupg-host gpg2 --quiet --no-tty --no-permission-warning --export-secret-keys && \ -+ GNUPGHOME="$SYSDATADIR"/gnupg-host gpg2 --quiet --no-tty --no-permission-warning --export "$FPR") | \ -+ GNUPGHOME="$NEWDATADIR" gpg2 --quiet --no-tty --import ; then - : we are in good shape! - else -- if ! GNUPGHOME="$NEWDATADIR" gpg --quiet --no-tty --list-secret-key >/dev/null ; then -+ if ! GNUPGHOME="$NEWDATADIR" gpg2 --quiet --no-tty --list-secret-key >/dev/null ; then - log "The old host key (%s) was not imported properly.\n" "$FPR" - exit 1 - fi -@@ -204,7 +204,7 @@ fi - if [ -d "${SYSDATADIR}/gnupg-authentication" ] ; then - - GNUPGHOME="${SYSDATADIR}/gnupg-authentication" \ -- gpg --quiet --no-tty --no-permission-warning --export 2>/dev/null | \ -+ gpg2 --quiet --no-tty --no-permission-warning --export 2>/dev/null | \ - monkeysphere-authentication gpg-cmd --import 2>/dev/null || \ - log "No OpenPGP certificates imported into monkeysphere-authentication trust sphere.\n" - diff --git a/security/monkeysphere/pkg-plist b/security/monkeysphere/pkg-plist index 9b2e0105cece..7ce066cf1fb4 100644 --- a/security/monkeysphere/pkg-plist +++ b/security/monkeysphere/pkg-plist @@ -19,9 +19,9 @@ man/man8/monkeysphere-host.8.gz sbin/monkeysphere-authentication sbin/monkeysphere-host %%PORTDOCS%%%%DOCSDIR%%/Changelog +%%PORTDOCS%%%%DOCSDIR%%/examples/crontab %%PORTDOCS%%%%DOCSDIR%%/examples/make-x509-certreqs %%PORTDOCS%%%%DOCSDIR%%/examples/monkeysphere-monitor-keys -%%PORTDOCS%%%%DOCSDIR%%/examples/crontab %%PORTDOCS%%%%DOCSDIR%%/examples/ssh_config %%PORTDOCS%%%%DOCSDIR%%/examples/sshd_config %%DATADIR%%/VERSION |