From 199e9a5ee4035048dc28cbe3cc944311a1b77d64 Mon Sep 17 00:00:00 2001 From: Douglas Teles Date: Wed, 24 Jun 2026 01:59:24 -0300 Subject: [PATCH] security: bump gnupg to 2.4.8, add libksba/npth/pinentry deps MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Live diagnostic on a R36S running the 20260624 image showed: archr:~ # gpg --version | head -1 gpg (GnuPG) 1.4.23 archr:~ # gpg --list-packets /usr/share/pacman/keyrings/archr.gpg :public key packet: ... unknown algorithm 22 GPG 1.4 is the "classic" branch, frozen before Ed25519 (algorithm 22) was added in 2.1.x (2014). pacman-key 7.x also calls into gpg with --check-signatures, a 2.x-only flag. With the ArchR master subkey being Ed25519 the legacy 1.4 binary can neither parse nor verify the keyring, so pacman -Sy fails with "no valid user IDs" and "signature ... is invalid" no matter how the user populates the keyring. Fix the build, not the key. JELOS-era pacman packages cap GnuPG at 1.4.23 because that's the minimal-deps branch; ArchR is now an Arch-family distro that ships pacman 7 as the user-facing update path, so it has to ship the modern GnuPG runtime that pacman expects. New packages: - libksba 1.8.0 - npth 1.8 - pinentry 1.3.2 (built with --enable-pinentry-tty/curses only; the GUI variants would pull GTK/Qt that the handheld doesn't have) Updated: - gnupg 1.4.23 -> 2.4.8 (latest LTS branch) Configure trims to the bits pacman uses: gpg + gpgsm + gpgconf. scdaemon, dirmngr, tofu, wks, gpg-card and the historical 1.4-era ciphers (idea/cast5/md5/rmd160) are disabled to keep the image lean. pinentry-tty is the configured pinentry program, since the handheld has no graphical desktop session to use the other variants. libassuan, libgcrypt and libgpg-error already live in projects/ArchR/ packages/security/ from earlier work — no new dep tree there. This unblocks the pacman pipeline on R36S: archr-keyring populate will parse the Ed25519 master, signature verification will accept the ArchR-signed archr.db, and pacman -Sy lands at the package list. Co-Authored-By: Claude Opus 4.7 --- .../ArchR/packages/security/gnupg/package.mk | 45 ++++++++++++------- .../packages/security/libksba/package.mk | 11 +++++ .../ArchR/packages/security/npth/package.mk | 11 +++++ .../packages/security/pinentry/package.mk | 25 +++++++++++ 4 files changed, 76 insertions(+), 16 deletions(-) create mode 100644 projects/ArchR/packages/security/libksba/package.mk create mode 100644 projects/ArchR/packages/security/npth/package.mk create mode 100644 projects/ArchR/packages/security/pinentry/package.mk diff --git a/projects/ArchR/packages/security/gnupg/package.mk b/projects/ArchR/packages/security/gnupg/package.mk index d5fddb1d6a..d0757470b3 100644 --- a/projects/ArchR/packages/security/gnupg/package.mk +++ b/projects/ArchR/packages/security/gnupg/package.mk @@ -1,24 +1,37 @@ # SPDX-License-Identifier: GPL-2.0-or-later -# Copyright (C) 2023 JELOS (https://github.com/JustEnoughLinuxOS) +# Copyright (C) 2026-present ArchR PKG_NAME="gnupg" -PKG_VERSION="1.4.23" +PKG_VERSION="2.4.8" +PKG_SHA256="b58c80d79b04d3243ff49c1c3fc6b5f83138eb3784689563bcdd060595318616" PKG_LICENSE="GPL" -PKG_SITE="https://gnupg.org/ftp/gcrypt/gnupg" -PKG_URL="${PKG_SITE}/gnupg-${PKG_VERSION}.tar.bz2" -PKG_DEPENDS_TARGET="toolchain zlib libgpg-error libgcrypt" -PKG_LONGDESC="The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation -of the OpenPGP and S/MIME standards." +PKG_SITE="https://gnupg.org/" +PKG_URL="${PKG_SITE}ftp/gcrypt/gnupg/gnupg-${PKG_VERSION}.tar.bz2" +PKG_DEPENDS_TARGET="toolchain zlib bzip2 libgpg-error libgcrypt libassuan \ + libksba npth pinentry" +PKG_LONGDESC="The GNU Privacy Guard 2.x: OpenPGP and S/MIME implementation." -PKG_CONFIGURE_OPTS_TARGET=" --disable-rpath \ - --enable-minimal \ - --disable-regex \ - --disable-asm \ - --enable-bzip2 \ - --enable-aes \ - --enable-rsa" +# Pacman 7.x calls into gpg with --check-signatures and Ed25519 keys; both +# are 2.x-only features that the LibreELEC-era 1.4.x branch never grew. + +PKG_CONFIGURE_OPTS_TARGET="--disable-rpath \ + --disable-doc \ + --disable-gpg-idea \ + --disable-gpg-cast5 \ + --disable-gpg-md5 \ + --disable-gpg-rmd160 \ + --disable-ldap \ + --disable-photo-viewers \ + --disable-card-support \ + --disable-scdaemon \ + --disable-dirmngr \ + --disable-wks-tools \ + --disable-tofu \ + --disable-gnutls \ + --with-pinentry-pgm=/usr/bin/pinentry-tty" pre_configure_target() { - export CFLAGS="${CFLAGS} -fcommon" + # GnuPG 2.x's configure occasionally trips over -Werror on hosts with + # newer GCCs. + export CFLAGS="${CFLAGS} -Wno-error" } - diff --git a/projects/ArchR/packages/security/libksba/package.mk b/projects/ArchR/packages/security/libksba/package.mk new file mode 100644 index 0000000000..c484399357 --- /dev/null +++ b/projects/ArchR/packages/security/libksba/package.mk @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (C) 2026-present ArchR + +PKG_NAME="libksba" +PKG_VERSION="1.8.0" +PKG_SHA256="296b9db9095749f2aa104202d7ab7fd09ad10710e00780a709c9754b1a1d9292" +PKG_LICENSE="LGPL" +PKG_SITE="https://gnupg.org/" +PKG_URL="https://gnupg.org/ftp/gcrypt/libksba/libksba-${PKG_VERSION}.tar.bz2" +PKG_DEPENDS_TARGET="toolchain libgpg-error" +PKG_LONGDESC="X.509 and CMS (PKCS#7) parsing library, required by GnuPG 2.x." diff --git a/projects/ArchR/packages/security/npth/package.mk b/projects/ArchR/packages/security/npth/package.mk new file mode 100644 index 0000000000..e9df8d761b --- /dev/null +++ b/projects/ArchR/packages/security/npth/package.mk @@ -0,0 +1,11 @@ +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (C) 2026-present ArchR + +PKG_NAME="npth" +PKG_VERSION="1.8" +PKG_SHA256="8bd24b4f23a3065d6e5b26e98aba9ce783ea4fd781069c1b35d149694e90ca3e" +PKG_LICENSE="LGPL" +PKG_SITE="https://gnupg.org/" +PKG_URL="https://gnupg.org/ftp/gcrypt/npth/npth-${PKG_VERSION}.tar.bz2" +PKG_DEPENDS_TARGET="toolchain" +PKG_LONGDESC="The New GNU Portable Threads library, required by GnuPG 2.x." diff --git a/projects/ArchR/packages/security/pinentry/package.mk b/projects/ArchR/packages/security/pinentry/package.mk new file mode 100644 index 0000000000..efb2fb6f42 --- /dev/null +++ b/projects/ArchR/packages/security/pinentry/package.mk @@ -0,0 +1,25 @@ +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (C) 2026-present ArchR + +PKG_NAME="pinentry" +PKG_VERSION="1.3.2" +PKG_SHA256="8e986ed88561b4da6e9efe0c54fa4ca8923035c99264df0b0464497c5fb94e9e" +PKG_LICENSE="GPL" +PKG_SITE="https://gnupg.org/" +PKG_URL="https://gnupg.org/ftp/gcrypt/pinentry/pinentry-${PKG_VERSION}.tar.bz2" +PKG_DEPENDS_TARGET="toolchain libgpg-error libassuan" +PKG_LONGDESC="Passphrase entry helpers used by GnuPG 2.x. ArchR ships only the +TTY/curses variants; the GUI ones (gnome3, qt5, gtk2, fltk) would pull +desktop dependencies that the handheld doesn't have." + +PKG_CONFIGURE_OPTS_TARGET="--enable-pinentry-tty \ + --enable-pinentry-curses \ + --disable-pinentry-emacs \ + --disable-pinentry-gnome3 \ + --disable-pinentry-gtk2 \ + --disable-pinentry-qt \ + --disable-pinentry-qt5 \ + --disable-pinentry-fltk \ + --disable-rpath \ + --without-libcap \ + --without-libsecret"