mirror of
https://github.com/archr-linux/Arch-R.git
synced 2026-07-12 18:19:42 -07:00
security: bump gnupg to 2.4.8, add libksba/npth/pinentry deps
Live diagnostic on a R36S running the 20260624 image showed:
archr:~ # gpg --version | head -1
gpg (GnuPG) 1.4.23
archr:~ # gpg --list-packets /usr/share/pacman/keyrings/archr.gpg
:public key packet:
...
unknown algorithm 22
GPG 1.4 is the "classic" branch, frozen before Ed25519 (algorithm 22)
was added in 2.1.x (2014). pacman-key 7.x also calls into gpg with
--check-signatures, a 2.x-only flag. With the ArchR master subkey
being Ed25519 the legacy 1.4 binary can neither parse nor verify the
keyring, so pacman -Sy fails with "no valid user IDs" and "signature
... is invalid" no matter how the user populates the keyring.
Fix the build, not the key. JELOS-era pacman packages cap GnuPG at
1.4.23 because that's the minimal-deps branch; ArchR is now an
Arch-family distro that ships pacman 7 as the user-facing update path,
so it has to ship the modern GnuPG runtime that pacman expects.
New packages:
- libksba 1.8.0
- npth 1.8
- pinentry 1.3.2 (built with --enable-pinentry-tty/curses only;
the GUI variants would pull GTK/Qt that the handheld doesn't have)
Updated:
- gnupg 1.4.23 -> 2.4.8 (latest LTS branch)
Configure trims to the bits pacman uses: gpg + gpgsm + gpgconf.
scdaemon, dirmngr, tofu, wks, gpg-card and the historical 1.4-era
ciphers (idea/cast5/md5/rmd160) are disabled to keep the image lean.
pinentry-tty is the configured pinentry program, since the handheld
has no graphical desktop session to use the other variants.
libassuan, libgcrypt and libgpg-error already live in projects/ArchR/
packages/security/ from earlier work — no new dep tree there.
This unblocks the pacman pipeline on R36S: archr-keyring populate will
parse the Ed25519 master, signature verification will accept the
ArchR-signed archr.db, and pacman -Sy lands at the package list.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -1,24 +1,37 @@
|
||||
# SPDX-License-Identifier: GPL-2.0-or-later
|
||||
# Copyright (C) 2023 JELOS (https://github.com/JustEnoughLinuxOS)
|
||||
# Copyright (C) 2026-present ArchR
|
||||
|
||||
PKG_NAME="gnupg"
|
||||
PKG_VERSION="1.4.23"
|
||||
PKG_VERSION="2.4.8"
|
||||
PKG_SHA256="b58c80d79b04d3243ff49c1c3fc6b5f83138eb3784689563bcdd060595318616"
|
||||
PKG_LICENSE="GPL"
|
||||
PKG_SITE="https://gnupg.org/ftp/gcrypt/gnupg"
|
||||
PKG_URL="${PKG_SITE}/gnupg-${PKG_VERSION}.tar.bz2"
|
||||
PKG_DEPENDS_TARGET="toolchain zlib libgpg-error libgcrypt"
|
||||
PKG_LONGDESC="The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation
|
||||
of the OpenPGP and S/MIME standards."
|
||||
PKG_SITE="https://gnupg.org/"
|
||||
PKG_URL="${PKG_SITE}ftp/gcrypt/gnupg/gnupg-${PKG_VERSION}.tar.bz2"
|
||||
PKG_DEPENDS_TARGET="toolchain zlib bzip2 libgpg-error libgcrypt libassuan \
|
||||
libksba npth pinentry"
|
||||
PKG_LONGDESC="The GNU Privacy Guard 2.x: OpenPGP and S/MIME implementation."
|
||||
|
||||
PKG_CONFIGURE_OPTS_TARGET=" --disable-rpath \
|
||||
--enable-minimal \
|
||||
--disable-regex \
|
||||
--disable-asm \
|
||||
--enable-bzip2 \
|
||||
--enable-aes \
|
||||
--enable-rsa"
|
||||
# Pacman 7.x calls into gpg with --check-signatures and Ed25519 keys; both
|
||||
# are 2.x-only features that the LibreELEC-era 1.4.x branch never grew.
|
||||
|
||||
PKG_CONFIGURE_OPTS_TARGET="--disable-rpath \
|
||||
--disable-doc \
|
||||
--disable-gpg-idea \
|
||||
--disable-gpg-cast5 \
|
||||
--disable-gpg-md5 \
|
||||
--disable-gpg-rmd160 \
|
||||
--disable-ldap \
|
||||
--disable-photo-viewers \
|
||||
--disable-card-support \
|
||||
--disable-scdaemon \
|
||||
--disable-dirmngr \
|
||||
--disable-wks-tools \
|
||||
--disable-tofu \
|
||||
--disable-gnutls \
|
||||
--with-pinentry-pgm=/usr/bin/pinentry-tty"
|
||||
|
||||
pre_configure_target() {
|
||||
export CFLAGS="${CFLAGS} -fcommon"
|
||||
# GnuPG 2.x's configure occasionally trips over -Werror on hosts with
|
||||
# newer GCCs.
|
||||
export CFLAGS="${CFLAGS} -Wno-error"
|
||||
}
|
||||
|
||||
|
||||
@@ -0,0 +1,11 @@
|
||||
# SPDX-License-Identifier: GPL-2.0-or-later
|
||||
# Copyright (C) 2026-present ArchR
|
||||
|
||||
PKG_NAME="libksba"
|
||||
PKG_VERSION="1.8.0"
|
||||
PKG_SHA256="296b9db9095749f2aa104202d7ab7fd09ad10710e00780a709c9754b1a1d9292"
|
||||
PKG_LICENSE="LGPL"
|
||||
PKG_SITE="https://gnupg.org/"
|
||||
PKG_URL="https://gnupg.org/ftp/gcrypt/libksba/libksba-${PKG_VERSION}.tar.bz2"
|
||||
PKG_DEPENDS_TARGET="toolchain libgpg-error"
|
||||
PKG_LONGDESC="X.509 and CMS (PKCS#7) parsing library, required by GnuPG 2.x."
|
||||
@@ -0,0 +1,11 @@
|
||||
# SPDX-License-Identifier: GPL-2.0-or-later
|
||||
# Copyright (C) 2026-present ArchR
|
||||
|
||||
PKG_NAME="npth"
|
||||
PKG_VERSION="1.8"
|
||||
PKG_SHA256="8bd24b4f23a3065d6e5b26e98aba9ce783ea4fd781069c1b35d149694e90ca3e"
|
||||
PKG_LICENSE="LGPL"
|
||||
PKG_SITE="https://gnupg.org/"
|
||||
PKG_URL="https://gnupg.org/ftp/gcrypt/npth/npth-${PKG_VERSION}.tar.bz2"
|
||||
PKG_DEPENDS_TARGET="toolchain"
|
||||
PKG_LONGDESC="The New GNU Portable Threads library, required by GnuPG 2.x."
|
||||
@@ -0,0 +1,25 @@
|
||||
# SPDX-License-Identifier: GPL-2.0-or-later
|
||||
# Copyright (C) 2026-present ArchR
|
||||
|
||||
PKG_NAME="pinentry"
|
||||
PKG_VERSION="1.3.2"
|
||||
PKG_SHA256="8e986ed88561b4da6e9efe0c54fa4ca8923035c99264df0b0464497c5fb94e9e"
|
||||
PKG_LICENSE="GPL"
|
||||
PKG_SITE="https://gnupg.org/"
|
||||
PKG_URL="https://gnupg.org/ftp/gcrypt/pinentry/pinentry-${PKG_VERSION}.tar.bz2"
|
||||
PKG_DEPENDS_TARGET="toolchain libgpg-error libassuan"
|
||||
PKG_LONGDESC="Passphrase entry helpers used by GnuPG 2.x. ArchR ships only the
|
||||
TTY/curses variants; the GUI ones (gnome3, qt5, gtk2, fltk) would pull
|
||||
desktop dependencies that the handheld doesn't have."
|
||||
|
||||
PKG_CONFIGURE_OPTS_TARGET="--enable-pinentry-tty \
|
||||
--enable-pinentry-curses \
|
||||
--disable-pinentry-emacs \
|
||||
--disable-pinentry-gnome3 \
|
||||
--disable-pinentry-gtk2 \
|
||||
--disable-pinentry-qt \
|
||||
--disable-pinentry-qt5 \
|
||||
--disable-pinentry-fltk \
|
||||
--disable-rpath \
|
||||
--without-libcap \
|
||||
--without-libsecret"
|
||||
Reference in New Issue
Block a user