| Commit message | Author | Age | Files | Lines |
| | |
There wasn't a release-announcement email, but there is a Phab
ticket describing the release, https://dev.gnupg.org/T7428:
gpg: Fix a verification DoS due to a malicious subkey in the keyring. [T7527]
gpg: Fix a regression in 2.4.7 for generating a key from card. [T7457]
gpg: Fix --quick-add-key for Weierstrass ECC with usage given. [T7506]
gpg: Fully implement the group key flag. [rGedd01d8fc4]
gpg: Make combination of show-only-fpr-mbox and show-unusable-uid work. [rGeb2a90d343]
gpgsm: Do not return an error code when importing a certificate with an empty subject. [T7171]
scd: Accept P15 cards with a zero-length label. [rG18b4ebb28a]
keyboxd: Use case-insensitive search for mail addresses. [T7576]
gpgconf: Fix reload and kill of keyboxd. [T7569]
w32: Fix possible lockup due to lost select results. [rG9448d01d61]
When upgrading in-place, expect the gpg command-line tool to
complain about outdated agents and keyboxes until those are
re-started as well (typically by re-starting the environment).
PR: 286993
Reported-by: p5B2EA84B3@t-online
Provided-by: Herbert J. Skuhra
|
Some bugfixes and small features, release notes at
https://lists.gnupg.org/pipermail/gnupg-announce/2024q4/000487.html
|
It turned out running autoreconf causes unexpected side effect that
gpg displays message as following.
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
So stop running autoreconf to regenerate doc/Makefile.in from patched
doc/Makefile.am, and directly patch doc/Makefile.in instead.
This partially reverts commit dd1496c651a27f6327bf030f8671e7291012cc69.
Reported by: gahr
Approved by: portmgr (implicit, just fix it)
Fixes: dd1496c651a2 security/gnupg: Update to 2.4.6
|
* There is a bug in 2.4.6 that is related to --enable-gpg-is-gpg2
option of configure script and result in error about file name of
man pages. To fix it we need to patch doc/Makefile.am and regenerate
doc/Makefile.in. So,
1. Add autoreconf to USES.
2. Replace patch to configure with that to m4/gpg-error.m4.
3. Add gettext-tools to USES. Running autoreconf requires autopoint
command included in gettext-tools and it is necessary even if NLS
option is off.
* Pet portclippy
* Tidy up Makefile with portfmt.
ReleaseNotes: https://lists.gnupg.org/pipermail/gnupg-announce/2024q4/000486.html
PR: 282594
Approved by: maintainer timeout
|
ReleaseNotes: https://lists.gnupg.org/pipermail/gnupg-announce/2024q1/000482.html
PR: 278605
Approved by: maintainer timeout
|
Approved by: portmgr (blanket)
|
Changelog: https://dev.gnupg.org/T6578
Sponsored by: The FreeBSD Foundation
Approved by: adridg (maintainer)
Differential Revision: https://reviews.freebsd.org/D43787
|
Approved by: portmgr (blanket)
|
Reported by: des
Approved by: portmgr blanket
Fixes: 06227fb64bf2 security/gnupg: Create symlink for manpage
|
When security/gnupg1 isn't installed, ${PREFIX}/bin/gpg symlink is
created whose target is 'gpg2'. It means gpg2 can also be invoked as
'gpg'. And under such situation it is convenient for user if gpg2(1)
man page can also be accessed as gpg(1). So create
${PREFIX}/man/man1/gpg.1.gz symlink whose target is 'gpg2.1.gz'.
PR: 272519
Approved by: maintainer timeout
|
This reverts commit 7fa24cff0d8a99e5d44839d4b358fafaf69cffbe.
The problem has been fixed in libintl in fb889ca82944.
PR: 272472
|
Link the threading library after libgpg-error (and libgcrypt, which also
links to libgpg-error) so the threading library is initialised before
libgpg-error. The initialisation function of libgpg-error calls gettext
functions that call threading functions (mutex locking).
PR: 272472
Tested by: yasu
|
2.4.3: https://dev.gnupg.org/T6509
2.4.2: https://dev.gnupg.org/T6506
2.4.1: https://dev.gnupg.org/T6454
2.4.0: https://dev.gnupg.org/T6303
PR: 272083
Approved by: maintainer timeout (3 weeks)
|
Convert the USE_LDAP=yes to USES=ldap and adds the following features:
- Adds the argument USES=ldap:server to add openldap2{4|5|6}-server as
RUN_DEPENDS
- Adds the argument USES=ldap<version> and replaces WANT_OPENLDAP_VER
- Adds OPENLDAP versions in bsd.default-versions.mk
- Adds USE_OPENLDAP/WANT_OPENLDAP_VER in Mk/bsd.sanity.mk
- Changes consumers to use the features
Reviewed by: delphij
Approved by: portmgr
Differential Revision: https://reviews.freebsd.org/D38233
|
Changelog:
https://lists.gnupg.org/pipermail/gnupg-announce/2022q4/000476.html
Some additional changes to submitted patch:
- Change PORTVERSION to DISTVERSION
- Generate patch using "make makepatch"
- Remove obsolete configure switch
PR: 267152
Reviewed by: adridg (maintainer)
Tested by: Dennis Clarke <dclarke@blastwave.org>
|
It has been common practice to have one or more URLs at the end of the
ports' pkg-descr files, one per line and prefixed with "WWW:". These
URLs should point at a project website or other relevant resources.
Access to these URLs required processing of the pkg-descr files, and
they have often become stale over time. If more than one such URL was
present in a pkg-descr file, only the first one was transferred into
the port INDEX, but for many ports only the last line did contain the
port specific URL to further information.
There have been several proposals to make a project URL available as
a macro in the ports' Makefiles, over time.
This commit implements such a proposal and moves one of the WWW: entries
of each pkg-descr file into the respective port's Makefile. A heuristic
attempts to identify the most relevant URL in case there is more than
one WWW: entry in some pkg-descr file. URLs that are not moved into the
Makefile are prefixed with "See also:" instead of "WWW:" in the pkg-descr
files in order to preserve them.
There are 1256 ports that had no WWW: entries in pkg-descr files. These
ports will not be touched in this commit.
The portlint port has been adjusted to expect a WWW entry in each port
Makefile, and to flag any remaining "WWW:" lines in pkg-descr files as
deprecated.
Approved by: portmgr (tcberner)
|
There were installation instructions that dated from ~2017
which are no longer relevant after a fix was applied upstream.
An IPv4 host connecting to a dual-stack hks server now gets a meaningful
errno and retries the connection (as IPv4 only).
Reported by: Pau Amma
PR: 262881
|
There have been lots of missing CONFLICTS_INSTALL entries, either
because conflicting ports were added without updating existing ports,
due to name changes of generated packages, due to mis-understanding
the format and semantics of the conflicts entries, or just due to
typos in package names.
This patch is the result of a comparison of all files contained in
the official packages with each other. This comparison was based on
packages built with default options and may therefore have missed
further conflicts with optionally installed files.
Where possible, version numbers in conflicts entries have been
generalized, some times taking advantage of the fact that a port
cannot conflict with itself (due to logic in bsd.port.mk that
suppresses the pattern match result in that case).
A few ports that set the conflicts variables depending on complex
conditions (e.g. port options), have been left unmodified, despite
probably containing outdated package names.
These changes should only affect the installation of locally built
ports, not the package building with poudriere. They should give an
early indication of the install conflict in cases where currently
the pkg command aborts an installation when it detects that an
existing file would be overwritten,
Approved by: portmgr (implicit)
|
PR259775 reports that (auto)configuration behaves weirdly.
This is caused by a mismatch between an enum in the code
and a table that expects to match the enum values. When
BUILD_WITH_TPM2D is off (the default; I have not looked if
it can even be turned on in ports) one table entry is
Patch also submitted upstream.
PR: 259775
Reported by: O. Hartmann
MFH: 2021Q3
|
The conflict checks compare the patterns first against the package
names without version (as reported by "pkg query "%n"), then - if
there was no match - against the full package names including the
version (as reported by "pkg query "%n-%v").
Many CONFLICTS definitions used patterns like "bash-[0-9]*" to filter
for the bash package in any version. But that pattern is functionally
identical with just "bash".
Approved by: portmgr (blanket)
|
Changes:
* agent: Fix segv in GET_PASSPHRASE (regression). [#5577]
* dirmngr: Fix Let's Encrypt certificate chain validation. [#5639]
* gpg: Change default and maximum AEAD chunk size to 4 MiB.
[ad3dabc9fb]
* gpg: Print a warning when importing a bad cv25519 secret key.
[#5464]
* gpg: Fix --list-packets for undecryptable AEAD packets. [#5584]
* gpg: Verify backsigs for v5 keys correctly. [#5628]
* keyboxd: Fix checksum computation for no UBID entry on disk.
[#5573]
* keyboxd: Fix "invalid object" error with cv448 keys. [#5609]
* dirmngr: New option --ignore-cert. [4b3e9a44b5]
* agent: Fix calibrate_get_time use of clock_gettime. [#5623]
* Silence process spawning diagnostics on Windows. [f2b01025c3]
* Support a gpgconf.ctl file under Unix and use this for the
regression tests. [#5999]
* The Windows installer now also installs the new keyboxd.
(Put "use-keyboxd" into common.conf to use a fast SQLite
database instead of the pubring.kbx file.)
Release-info: https://dev.gnupg.org/T5565
|
Changes:
* gpg: Allow fingerprint based lookup with --locate-external-key.
[ec36eca08c]
* gpg: Allow decryption w/o public key but with correct card
inserted. [50293ec2eb]
* gpg: Auto import keys specified with --trusted-keys. [100037ac0f]
* gpg: Do not use import-clean for LDAP keyserver imports. [#5387]
* gpg: Fix mailbox based search via AKL keyserver method. [4fcfac6feb]
* gpg: Fix memory corruption with --clearsign introduced with 2.3.1.
[#5430]
* gpg: Use a more descriptive prompt for symmetric decryption.
[6dfae2f402]
* gpg: Improve speed of secret key listing. [40da61b89b]
* gpg: Support keygrip search with traditional keyring. [#5469]
* gpg: Let --fetch-key return an exit code on failure. [#5376]
* gpg: Emit the NO_SECKEY status again for decryption. [#5562]
* gpgsm: Support decryption of password based encryption (pwri).
[eeb65d3bbd]
* gpgsm: Support AES-GCM decryption. [4980fb3c6d]
* gpgsm: Let --dump-cert --show-cert also print an OpenPGP
fingerprint. [52bbdc731f]
* gpgsm: Fix finding of issuer in use-keyboxd mode. [6b76693ff5]
* gpgsm: New option --ldapserver as an alias for --keyserver.
[89df86157e]
* agent: Use SHA-256 for SSH fingerprint by default. [#5434]
* agent: Fix calling handle_pincache_put. [#5436]
* agent: Fix importing protected secret key. [#5122]
* agent: Fix a regression in agent_get_shadow_info_type. [#5393]
* agent: Add translatable text for Caps Lock hint. [#4950]
* agent: New option --pinentry-formatted-passphrase. [#5517]
* agent: Add checkpin inquiry for pinentry. [#5517,#5532]
* agent: New option --check-sym-passphrase-pattern. [#5517]
* agent: Use the sysconfdir for a pattern file.
* agent: Make QT_QPA_PLATFORMTHEME=qt5ct work for the pinentry.
[1305baf099]
* dirmngr: LDAP search by a mailbox now ignores revoked keys.
[1406f551f1]
* dirmngr: For KS_SEARCH return the fingerprint also with LDAP.
[#5441]
* dirmngr: Allow for non-URL specified ldap keyservers. [#5405,#5452]
* dirmngr: New option --ldapserver. [52cf32ce2f]
* dirmngr: Fix regression in KS_GET for mail address pattern.
[#5497]
* card: New option --shadow for the list command. [2fce99d73a]
* tests: Make sure the built keyboxd is used. [#5406]
* scd: Fix computing shared secrets for 512 bit curves.
[9e24f2a45c]
* scd: Fix unblock PIN by a Reset Code with KDF. [#5413]
* scd: Fix PC/SC removed card problem. [8d81fd7c01]
* scd: Recover the partial match for PORTSTR for PC/SC.
[53bdc6288f]
* scd: Make sure to release the PC/SC context. [#5416]
* scd: Fix zero-byte handling in ECC. [#5163]
* scd: Fix serial number detection for Yubikey 5. [#5442]
* scd: Add basic support for AET JCOP cards. [544ec7872a]
* scd: Detect external interference when --pcsc-shared is in use.
[#5484]
* scd: Fix access to the list of cards. [#5524]
* gpgconf: Do not list a disabled tpm2d. [#5408]
* gpgconf: Make runtime changes with different homedir work.
[31c0aa2ff3]
* keyboxd: Fix searching for exact mail address. [f79e9540ca]
* keyboxd: Fix searching with multiple patterns. [101ba4f18a]
* gpgtar: Fix file size computation under Windows. [14e36bdbe1]
* tools: Extend gpg-check-pattern. [73c03e0232]
* wkd: Fix client issue with leading or trailing spaces in
user-ids. [b4345f7521]
* Under Windows add a fallback in case the console can't cope with
Unicode. [#5491]
* Under Windows use LOCAL_APPDATA for the socket directory. [#5537]
* Pass XDG_SESSION_TYPE and QT_QPA_PLATFORM envvars to Pinentry.
[#3659]
* Change the default keyserver to keyserver.ubuntu.com. This is a
temporary change due to the shutdown of the SKS keyserver pools.
[55b5928099]
Release-info: https://dev.gnupg.org/T5405L
|
Changes:
* A new experimental key database daemon is provided. To enable it
put "use-keyboxd" into gpg.conf and gpgsm.conf. Keys are stored
in a SQLite database and make key lookup much faster.
* New tool gpg-card as a flexible frontend for all types of
supported smartcards.
* New option --chuid for gpg, gpgsm, gpgconf, gpg-card, and
gpg-connect-agent.
* The gpg-wks-client tool is now installed under bin; a wrapper for
its old location at libexec is also installed.
* tpm2d: New daemon to physically bind keys to the local machine.
See https://gnupg.org/blog/20210315-using-tpm-with-gnupg-2.3.html
* gpg: Switch to ed25519/cv25519 as default public key algorithms.
* gpg: Verification results now depend on the --sender option and
the signer's UID subpacket. [#4735]
* gpg: Do not use any 64-bit block size cipher algorithm for
encryption. Use AES as last resort cipher preference instead of
3DES. This can be reverted using --allow-old-cipher-algos.
* gpg: Support AEAD encryption mode using OCB or EAX.
* gpg: Support v5 keys and signatures.
* gpg: Support curve X448 (ed448, cv448).
* gpg: Allow use of group names in key listings. [e825aea2ba]
* gpg: New option --full-timestrings to print date and time.
* gpg: New option --force-sign-key. [#4584]
* gpg: New option --no-auto-trust-new-key.
* gpg: The legacy key discovery method PKA is no longer supported.
The command --print-pka-records and the PKA related import and
export options have been removed.
* gpg: Support export of Ed448 Secure Shell keys.
* gpgsm: Add basic ECC support.
* gpgsm: Support creation of EdDSA certificates. [#4888]
* agent: Allow the use of "Label:" in a key file to customize the
pinentry prompt. [5388537806]
* agent: Support ssh-agent extensions for environment variables.
With a patched version of OpenSSH this avoids the need for the
"updatestartuptty" kludge. [224e26cf7b]
* scd: Improve support for multiple card readers and tokens.
* scd: Support PIV cards.
* scd: Support for Rohde&Schwarz Cybersecurity cards.
* scd: Support Telesec Signature Cards v2.0
* scd: Support multiple application on certain smartcard.
* scd: New option --application-priority.
* scd: New option --pcsc-shared; see man page for important notes.
* dirmngr: Support a gpgNtds parameter in LDAP keyserver URLs.
* The symcryptrun tool, a wrapper for the now obsolete external
Chiasmus tool, has been removed.
* Full Unicode support under Windows for the command line. [#4398]
Release-info: https://dev.gnupg.org/T5343
|
Reported by: lwhsu
|
* gpg: Fix regression in 2.2.24 for gnupg_remove function under
Windows. [#5230]
* gpgconf: Fix case with neither local nor global gpg.conf. [9f37d3e6f3]
* gpgconf: Fix description of two new options. [#5221]
* Build Windows installer without timestamps. Note that the
Authenticode signatures still carry a timestamp.
Release-info: https://dev.gnupg.org/T5234
Notes:
svn path=/head/; revision=561299
|
Note that this release removes bin/symcryptrun which had essentially no
expected current use-case.
* gpg: New AKL method "ntds".
* gpg: Fix --trusted-key with fingerprint arg.
* scd: Fix writing of ECC keys to an OpenPGP card. [#5163]
* scd: Make an USB error fix specific to SPR532 readers. [#5167]
* dirmngr: With new LDAP keyservers store the new attributes. Never
store the useless pgpSignerID. Fix a long standing bug storing
some keys on an ldap server.
* dirmngr: Support the new Active Directory LDAP schema for
keyservers.
* dirmngr: Allow LDAP OpenPGP searches via fingerprint.
* dirmngr: Do not block other threads during keyserver LDAP calls.
* Support global configuration files. [#4788]
* Fix the iconv fallback handling to UTF-8. [#5038]
Release-info: https://dev.gnupg.org/T5153
Notes:
svn path=/head/; revision=558894
|
* scd: Fix regression in 2.2.24 requiring gpg --card-status before
signing or decrypting. [#5065]
* gpgsm: Using Libksba 1.5.0 signatures with a rarely used
combination of attributes can now be verified. [#5146]
Release-info: https://dev.gnupg.org/T5140
Notes:
svn path=/head/; revision=556165
|
* Allow Unicode file names on Windows almost everywhere. Note that
it is still not possible to use Unicode strings on the command
line. This change also fixes a regression in 2.2.22 related to
non-ascii file names. [#5098]
* Fix localized time printing on Windows. [#5073]
* gpg: New command --quick-revoke-sig. [#5093]
* gpg: Do not use weak digest algos if selected by recipient
preference during sign+encrypt. [4c181d51a6]
* gpg: Switch to AES256 for symmetric encryption in de-vs mode.
[166e779634]
* gpg: Silence weak digest warnings with --quiet. [#4893]
* gpg: Print new status line CANCELED_BY_USER for a cancel during
symmetric encryption. [f05d1772c4]
* gpg: Fix the encrypt+sign hash algo preference selection for
ECDSA. This is in particular needed for keys created from
existing smartcard based keys. [aeed0b93ff]
* agent: Fix secret key import of GnuPG 2.3 generated Ed25519 keys.
[#5114]
* agent: Keep some permissions of private-keys-v1.d. [#2312]
* dirmngr: Align sks-keyservers.netCA.pem use between ntbtls and
gnutls builds. [e4f3b74c91]
* dirmngr: Fix the pool keyserver case for a single host in the
pool. [72e04b03b1a7]
* scd: Fix the use case of verify_chv2 by CHECKPIN. [61aea64b3c]
* scd: Various improvements to the ccid-driver. [#4616,#5065]
* scd: Minor fixes for Yubikey [25bec16d0b]
* gpgconf: New option --show-versions.
* w32: Install gpg-check-pattern and example profiles. Install
Windows subsystem variant of gpgconf (gpgconf-w32).
* i18n: Complete overhaul and completion of the Italian translation.
Thanks to Denis Renzi.
* Require Libgcrypt 1.8 because 1.7 has long reached end-of-life.
Release-info: https://dev.gnupg.org/T5052
Notes:
svn path=/head/; revision=555559
|
Importing an OpenPGP key having a preference list for AEAD algorithms
will lead to an array overflow and thus often to a crash or other
undefined behaviour.
Importing an arbitrary key can often easily be triggered by an attacker
and thus triggering this bug. Exploiting the bug aside from crashes is
not trivial but likely possible for a dedicated attacker. The major
hurdle for an attacker is that only every second byte is under their
control with every first byte having a fixed value of 0x04.
Software distribution verification should not be affected by this bug
because such a system uses a curated list of keys.
MFH: 2020Q3
Security: CVE-2020-25125
Notes:
svn path=/head/; revision=547499
|
Also, sort plist. The new gpgsplit binary is getting installed as
gpgsplit2 to avoid a conflict with security/gnupg1.
Noteworthy changes in version 2.2.22
====================================
* gpg: Change the default key algorithm to rsa3072.
* gpg: Add regular expression support for Trust Signatures on all
platforms. [#4843]
* gpg: Fix regression in 2.2.21 with non-default --passphrase-repeat
option. [#4991]
* gpg: Ignore --personal-digest-prefs for ECDSA keys. [#5021]
* gpgsm: Make rsaPSS a de-vs compliant scheme.
* gpgsm: Show also the SHA256 fingerprint in key listings.
* gpgsm: Do not require a default keyring for --gpgconf-list. [#4867]
* gpg-agent: Default to extended key format and record the creation
time of keys. Add new option --disable-extended-key-format.
* gpg-agent: Support the WAYLAND_DISPLAY envvar. [#5016]
* gpg-agent: Allow using --gpgconf-list even if HOME does not
exist. [#4866]
* gpg-agent: Make the Pinentry work even if the envvar TERM is set
to the empty string. [#4137]
* scdaemon: Add a workaround for Gnuk tokens <= 2.15 which wrongly
incremented the error counter when using the "verify" command of
"gpg --edit-key" with only the signature key being present.
* dirmngr: Better handle systems with disabled IPv6. [#4977]
* gpgsplit: Install tool. It was not installed in the past to avoid
conflicts with the version installed by GnuPG 1.4. [#5023]
(We're installing it as gpgsplit2 to avoid conflict with security/gnupg1)
* gpgtar: Handle Unicode file names on Windows correctly (requires
libgpg-error 1.39). [#4083]
* gpgtar: Make --files-from and --null work as documented. [#5027]
* Build the Windows installer with the new Ntbtls 0.2.0 so that TLS
connections succeed for servers demanding GCM.
Release-info: https://dev.gnupg.org/T5030
Notes:
svn path=/head/; revision=546681
|
Notes:
svn path=/head/; revision=542249
|
* gpg: Improve symmetric decryption speed by about 25%.
See commit 144b95cc9d.
* gpg: Support decryption of AEAD encrypted data packets.
* gpg: Add option --no-include-key-block. [#4856]
* gpg: Allow for extra padding in ECDH. [#4908]
* gpg: Only a single pinentry is shown for symmetric encryption if
the pinentry supports this. [#4971]
* gpg: Print a note if no keys are given to --delete-key. [#4959]
* gpg,gpgsm: The ridiculous passphrase quality bar is not anymore
shown. [#2103]
* gpgsm: Certificates without a CRL distribution point are now
considered valid without looking up a CRL. The new option
--enable-issuer-based-crl-check can be used to revert to the
former behaviour.
* gpgsm: Support rsaPSS signature verification. [#4538]
* gpgsm: Unless CRL checking is disabled lookup a missing issuer
certificate using the certificate's authorityInfoAccess. [#4898]
* gpgsm: Print the certificate's serial number also in decimal
notation.
* gpgsm: Fix possible NULL-deref in messages of --gen-key. [#4895]
* scd: Support the CardOS 5 based D-Trust Card 3.1.
* dirmngr: Allow http URLs with "LOOKUP --url".
* wkd: Take name of sendmail from configure. Fixes an OpenBSD
specific bug. [#4886]
Release-info: https://dev.gnupg.org/T4897
Notes:
svn path=/head/; revision=541749
|
Noteworthy changes in version 2.2.20
====================================
* Protect the error counter against overflow to guarantee that the
tools can't be tricked into returning success after an error.
* gpg: Make really sure that --verify-files always returns an error.
* gpg: Fix key listing --with-secret if a pattern is given. [#4061]
* gpg: Fix detection of certain keys used as default-key. [#4810]
* gpg: Fix default-key selection when a card is available. [#4850]
* gpg: Fix key expiration and key usage for keys created with a
creation date of zero. [#4670]
* gpgsm: Fix import of some CR,LF terminated certificates. [#4847]
* gpg: New options --include-key-block and --auto-key-import to
allow encrypted replies after an initial signed message. [#4856]
* gpg: Allow the use of a fingerprint with --trusted-key. [#4855]
* gpg: New property "fpr" for use by --export-filter.
* scdaemon: Disable the pinpad if a KDF DO is used. [#4832]
* dirmngr: Improve finding OCSP certificates. [#4536]
* Avoid build problems with LTO or gcc-10. [#4831]
Release-info: https://dev.gnupg.org/T4860
Notes:
svn path=/head/; revision=528793
|
* gpg: Fix double free when decrypting for hidden recipients.
Regression in 2.2.18. [#4762].
* gpg: Use auto-key-locate for encryption even for mail addresses
given with angle brackets. [#4726]
* gpgsm: Add special case for certain expired intermediate
certificates. [#4696]
Release-info: https://dev.gnupg.org/T4768
Notes:
svn path=/head/; revision=519219
|
* gpg: Changed the way keys are detected on smartcards; this
allows the use of non-OpenPGP cards. In the case of a not very
likely regression the new option --use-only-openpgp-card is
available. [#4681]
* gpg: The commands --full-gen-key and --quick-gen-key now allow
direct key generation from supported cards. [#4681]
* gpg: Prepare against chosen-prefix SHA-1 collisions in key
signatures. This change removes all SHA-1 based key signature
newer than 2019-01-19 from the web-of-trust. Note that this
includes all key signature created with dsa1024 keys. The new
option --allow-weak-key-signatures can be used to override the new
and safer behaviour. [#4755,CVE-2019-14855]
* gpg: Improve performance for import of large keyblocks. [#4592]
* gpg: Implement a keybox compression run. [#4644]
* gpg: Show warnings from dirmngr about redirect and certificate
problems (details require --verbose as usual).
* gpg: Allow to pass the empty string for the passphrase if the
'--passphrase=' syntax is used. [#4633]
* gpg: Fix printing of the KDF object attributes.
* gpg: Avoid surprises with --locate-external-key and certain
--auto-key-locate settings. [#4662]
* gpg: Improve selection of best matching key. [#4713]
* gpg: Delete key binding signature when deleting a subkey.
[#4665,#4457]
* gpg: Fix a potential loss of key signatures during import with
self-sigs-only active. [#4628]
* gpg: Silence "marked as ultimately trusted" diagnostics if
option --quiet is used. [#4634]
* gpg: Silence some diagnostics during key listing even with
option --verbose. [#4627]
* gpg, gpgsm: Change parsing of agent's pkdecrypt results. [#4652]
* gpgsm: Support AES-256 keys.
* gpgsm: Fix a bug in triggering a keybox compression run if
--faked-system-time is used.
* dirmngr: System CA certificates are no longer used for the SKS
pool if GNUTLS instead of NTBTLS is used as TLS library. [#4594]
* dirmngr: On Windows detect usability of IPv4 and IPv6 interfaces
to avoid long timeouts. [#4165]
* scd: Fix BWI value for APDU level transfers to make Gemalto Ezio
Shield and Trustica Cryptoucan work. [#4654,#4566]
* wkd: gpg-wks-client --install-key now installs the required policy
file.
Release-info: https://dev.gnupg.org/T4684
Notes:
svn path=/head/; revision=518443
|
gnupg's scdaemon opens smart cards in exclusive mode, which prevents other
applications (such as PKCS#11 libraries) from concurrently accessing the
card). Upstream refuses to fix the problem. This commit adds a
--shared-access option to scdaemon. When enabled, scdaemon will access the
smart card in shared mode, playing nicely with other applications. The
default behavior is unchanged.
See Also:
https://github.com/GPGTools/MacGPG2/commit/d6cb8039a0cdc74b9bdd89a3dfa93248aa2c4100
https://dev.gnupg.org/T3267
https://dev.gnupg.org/D320
https://github.com/OpenSC/OpenSC/issues/953
Reviewed by: adamw
Approved by: adamw (maintainer)
Obtained-from: GPGTools
Sponsored by: Axcient
Differential Revision: https://reviews.freebsd.org/D22473
Notes:
svn path=/head/; revision=518435
|
Submitted by: asomers
Differential Revision: https://reviews.freebsd.org/D22492
Notes:
svn path=/head/; revision=518122
|
Notes:
svn path=/head/; revision=518086
|
gnupg ships its man pages as texinfo files, precompiled into info files.
This change causes make to rebuild them every time. There are two reasons:
* Rebuilding them automatically corrects several Linuxisms in paths (e.g.
/etc => /usr/local/etc).
* Rebuilding them is a necessary precondition for making any local changes
that will affect the content of the man pages, which I intend to do in a
future commit.
Reviewed by: adamw
Approved by: adamw (maintainer)
Sponsored by: Axcient
Differential Revision: https://reviews.freebsd.org/D22471
Notes:
svn path=/head/; revision=518074
|
Notes:
svn path=/head/; revision=509954
|
Requested by: koobs
Notes:
svn path=/head/; revision=509952
|
Cristoph Lukas asked me why the WKS server was disabled, and I have
no idea. It was added r462573, and that commit message and associated
bug report don't list why --disable-wks-tools was added. (Folks,
please use commit messages for writing, you know, messages.)
We've been installing the gpg-wks-server manpage, so this commit
enables the WKS server and installs the binary, and bumps PORTREVISION
for it.
While here, sort the plist.
Notes:
svn path=/head/; revision=509948
|
as defined in Mk/bsd.default-versions.mk which has moved from GCC 8.3
to GCC 9.1 under most circumstances now after revision 507371.
This includes ports
- with USE_GCC=yes or USE_GCC=any,
- with USES=fortran,
- using Mk/bsd.octave.mk which in turn features USES=fortran, and
- with USES=compiler specifying openmp, nestedfct, c11, c++0x, c++11-lang,
c++11-lib, c++14-lang, c++17-lang, or gcc-c++11-lib
plus, everything INDEX-11 shows with a dependency on lang/gcc9 now.
PR: 238330
Notes:
svn path=/head/; revision=507372
|
* gpg: Ignore all key-signatures received from keyservers. This
change is required to mitigate a DoS due to keys flooded with
faked key-signatures. The old behaviour can be achieved by adding
keyserver-options no-self-sigs-only,no-import-clean
to your gpg.conf. [#4607]
* gpg: If an imported keyblock is too large to be stored in the
keybox (pubring.kbx) do not error out but fallback to an import
using the options "self-sigs-only,import-clean". [#4591]
* gpg: New command --locate-external-key which can be used to
refresh keys from the Web Key Directory or via other methods
configured with --auto-key-locate.
* gpg: New import option "self-sigs-only".
* gpg: In --auto-key-retrieve prefer WKD over keyservers. [#4595]
* dirmngr: Support the "openpgpkey" subdomain feature from
draft-koch-openpgp-webkey-service-07. [#4590].
* dirmngr: Add an exception for the "openpgpkey" subdomain to the
CSRF protection. [#4603]
* dirmngr: Fix endless loop due to http errors 503 and 504. [#4600]
* dirmngr: Fix TLS bug during redirection of HKP requests. [#4566]
* gpgconf: Fix a race condition when killing components. [#4577]
Release-info: https://dev.gnupg.org/T4606
MFH: 2019Q3
Notes:
svn path=/head/; revision=506281
|