security: bump gnupg to 2.4.8, add libksba/npth/pinentry deps

Live diagnostic on a R36S running the 20260624 image showed:

  archr:~ # gpg --version | head -1
  gpg (GnuPG) 1.4.23
  archr:~ # gpg --list-packets /usr/share/pacman/keyrings/archr.gpg
  :public key packet:
      ...
      unknown algorithm 22

GPG 1.4 is the "classic" branch, frozen before Ed25519 (algorithm 22)
was added in 2.1.x (2014). pacman-key 7.x also calls into gpg with
--check-signatures, a 2.x-only flag. With the ArchR master subkey
being Ed25519 the legacy 1.4 binary can neither parse nor verify the
keyring, so pacman -Sy fails with "no valid user IDs" and "signature
... is invalid" no matter how the user populates the keyring.

Fix the build, not the key. JELOS-era pacman packages cap GnuPG at
1.4.23 because that's the minimal-deps branch; ArchR is now an
Arch-family distro that ships pacman 7 as the user-facing update path,
so it has to ship the modern GnuPG runtime that pacman expects.

New packages:
- libksba 1.8.0
- npth 1.8
- pinentry 1.3.2 (built with --enable-pinentry-tty/curses only;
  the GUI variants would pull GTK/Qt that the handheld doesn't have)

Updated:
- gnupg 1.4.23 -> 2.4.8 (latest LTS branch)
  Configure trims to the bits pacman uses: gpg + gpgsm + gpgconf.
  scdaemon, dirmngr, tofu, wks, gpg-card and the historical 1.4-era
  ciphers (idea/cast5/md5/rmd160) are disabled to keep the image lean.
  pinentry-tty is the configured pinentry program, since the handheld
  has no graphical desktop session to use the other variants.

libassuan, libgcrypt and libgpg-error already live in projects/ArchR/
packages/security/ from earlier work — no new dep tree there.

This unblocks the pacman pipeline on R36S: archr-keyring populate will
parse the Ed25519 master, signature verification will accept the
ArchR-signed archr.db, and pacman -Sy lands at the package list.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Douglas Teles
2026-06-24 01:59:24 -03:00
parent cceafdaca0
commit 199e9a5ee4
4 changed files with 76 additions and 16 deletions
@@ -1,24 +1,37 @@
# SPDX-License-Identifier: GPL-2.0-or-later
# Copyright (C) 2023 JELOS (https://github.com/JustEnoughLinuxOS)
# Copyright (C) 2026-present ArchR
PKG_NAME="gnupg"
PKG_VERSION="1.4.23"
PKG_VERSION="2.4.8"
PKG_SHA256="b58c80d79b04d3243ff49c1c3fc6b5f83138eb3784689563bcdd060595318616"
PKG_LICENSE="GPL"
PKG_SITE="https://gnupg.org/ftp/gcrypt/gnupg"
PKG_URL="${PKG_SITE}/gnupg-${PKG_VERSION}.tar.bz2"
PKG_DEPENDS_TARGET="toolchain zlib libgpg-error libgcrypt"
PKG_LONGDESC="The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation
of the OpenPGP and S/MIME standards."
PKG_SITE="https://gnupg.org/"
PKG_URL="${PKG_SITE}ftp/gcrypt/gnupg/gnupg-${PKG_VERSION}.tar.bz2"
PKG_DEPENDS_TARGET="toolchain zlib bzip2 libgpg-error libgcrypt libassuan \
libksba npth pinentry"
PKG_LONGDESC="The GNU Privacy Guard 2.x: OpenPGP and S/MIME implementation."
PKG_CONFIGURE_OPTS_TARGET=" --disable-rpath \
--enable-minimal \
--disable-regex \
--disable-asm \
--enable-bzip2 \
--enable-aes \
--enable-rsa"
# Pacman 7.x calls into gpg with --check-signatures and Ed25519 keys; both
# are 2.x-only features that the LibreELEC-era 1.4.x branch never grew.
PKG_CONFIGURE_OPTS_TARGET="--disable-rpath \
--disable-doc \
--disable-gpg-idea \
--disable-gpg-cast5 \
--disable-gpg-md5 \
--disable-gpg-rmd160 \
--disable-ldap \
--disable-photo-viewers \
--disable-card-support \
--disable-scdaemon \
--disable-dirmngr \
--disable-wks-tools \
--disable-tofu \
--disable-gnutls \
--with-pinentry-pgm=/usr/bin/pinentry-tty"
pre_configure_target() {
export CFLAGS="${CFLAGS} -fcommon"
# GnuPG 2.x's configure occasionally trips over -Werror on hosts with
# newer GCCs.
export CFLAGS="${CFLAGS} -Wno-error"
}
@@ -0,0 +1,11 @@
# SPDX-License-Identifier: GPL-2.0-or-later
# Copyright (C) 2026-present ArchR
PKG_NAME="libksba"
PKG_VERSION="1.8.0"
PKG_SHA256="296b9db9095749f2aa104202d7ab7fd09ad10710e00780a709c9754b1a1d9292"
PKG_LICENSE="LGPL"
PKG_SITE="https://gnupg.org/"
PKG_URL="https://gnupg.org/ftp/gcrypt/libksba/libksba-${PKG_VERSION}.tar.bz2"
PKG_DEPENDS_TARGET="toolchain libgpg-error"
PKG_LONGDESC="X.509 and CMS (PKCS#7) parsing library, required by GnuPG 2.x."
@@ -0,0 +1,11 @@
# SPDX-License-Identifier: GPL-2.0-or-later
# Copyright (C) 2026-present ArchR
PKG_NAME="npth"
PKG_VERSION="1.8"
PKG_SHA256="8bd24b4f23a3065d6e5b26e98aba9ce783ea4fd781069c1b35d149694e90ca3e"
PKG_LICENSE="LGPL"
PKG_SITE="https://gnupg.org/"
PKG_URL="https://gnupg.org/ftp/gcrypt/npth/npth-${PKG_VERSION}.tar.bz2"
PKG_DEPENDS_TARGET="toolchain"
PKG_LONGDESC="The New GNU Portable Threads library, required by GnuPG 2.x."
@@ -0,0 +1,25 @@
# SPDX-License-Identifier: GPL-2.0-or-later
# Copyright (C) 2026-present ArchR
PKG_NAME="pinentry"
PKG_VERSION="1.3.2"
PKG_SHA256="8e986ed88561b4da6e9efe0c54fa4ca8923035c99264df0b0464497c5fb94e9e"
PKG_LICENSE="GPL"
PKG_SITE="https://gnupg.org/"
PKG_URL="https://gnupg.org/ftp/gcrypt/pinentry/pinentry-${PKG_VERSION}.tar.bz2"
PKG_DEPENDS_TARGET="toolchain libgpg-error libassuan"
PKG_LONGDESC="Passphrase entry helpers used by GnuPG 2.x. ArchR ships only the
TTY/curses variants; the GUI ones (gnome3, qt5, gtk2, fltk) would pull
desktop dependencies that the handheld doesn't have."
PKG_CONFIGURE_OPTS_TARGET="--enable-pinentry-tty \
--enable-pinentry-curses \
--disable-pinentry-emacs \
--disable-pinentry-gnome3 \
--disable-pinentry-gtk2 \
--disable-pinentry-qt \
--disable-pinentry-qt5 \
--disable-pinentry-fltk \
--disable-rpath \
--without-libcap \
--without-libsecret"