Package: gnupg
Version: 1.4.10-4
Severity: wishlist
Tags: patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
a current flaw of the standalone version of win32-loader (source and binary
package in Debian) is that it downloads the d-i kernel and initrds through
Internet without any form of checking that those are authenticated binaries
from the Debian project (see #442180 for details).
In order to solve this, the Windows executable needs to check the signature on
the downloaded Release{,.gpg} file and then check the md5sums of various
files. The md5sum checksum verification is already implemented (although not
uploaded yet) with a md5sum implementation internal to NSIS. There are still
missing pieces on FTP-Master side (see #611087, which will get solved in their
upcoming meeting, I heard), but I would also need a gpgv.exe that could run on
the target Windows host, to check the downloaded Release{,.gpg} files.
Hence this wishlist bug. A tested patch is attached.
I limited the patch to a gpgv win32 port, but gpg.exe also gets built. You
might want to rename the package "gpg-win32" and put all executables built
inside, but I don't need that.
(I also "needed" to fix an imprecision in the code:
ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
- -CONFARGS += --host=$(DEB_HOST_GNU_TYPE)
+HOSTARG += --host=$(DEB_HOST_GNU_TYPE)
endif
)
Thanks in advance for considering, cheers,
OdyX
- -- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (750, 'unstable'), (700, 'testing-proposed-updates'), (700,
'testing'), (101, 'testing-proposed-updates'), (101, 'experimental'), (101,
'unstable'), (101, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.37-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages gnupg depends on:
ii dpkg 1.15.8.10 Debian package management system
ii gpgv 1.4.10-4 GNU privacy guard - signature veri
ii install-info 4.13a.dfsg.1-6 Manage installed documentation in
ii libbz2-1.0 1.0.5-6 high-quality block-sorting file co
ii libc6 2.11.2-11 Embedded GNU C Library: Shared lib
ii libreadline6 6.1-3 GNU readline and history libraries
ii libusb-0.1-4 2:0.1.12-17 userspace USB programming library
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages gnupg recommends:
ii gnupg-curl 1.4.10-4 GNU privacy guard - a free PGP rep
ii libldap-2.4-2 2.4.23-7 OpenLDAP libraries
Versions of packages gnupg suggests:
pn gnupg-doc <none> (no description available)
ii imagemagick 8:6.6.0.4-3 image manipulation programs
ii libpcsclite1 1.5.5-4 Middleware to access a smart card
- -- no debconf information
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iJwEAQECAAYFAk1RagoACgkQKA1Vt+jBwDhDpwP8DL4XJE1FeUTCeLcWc76lVAqn
tNf8u7diL4QvyOIt1D39+KuKwIM/jinwyc+7rvh5Drfv7ZpjVtQq/UQxFlAHOsVr
7Z17WeyoO5e+glueeGRJkFiXH5t86LXQE8+7znCBtwPub8kT6CifZe5tBoFKpp9J
OwO9/MPN0uDjPzo7sOk=
=XIm3
-----END PGP SIGNATURE-----
Index: debian/control
===================================================================
--- debian/control (révision 198)
+++ debian/control (copie de travail)
@@ -10,6 +10,7 @@
libusb-dev [!hurd-i386],
libreadline-dev, file, gettext, dpatch,
libcurl4-gnutls-dev
+Build-Depends-Indep: mingw32
Homepage: http://www.gnupg.org
Vcs-Browser: http://svn.debian.org/wsvn/pkg-gnupg/gnupg/
Vcs-Svn: svn://svn.debian.org/svn/pkg-gnupg/gnupg/trunk/
@@ -96,3 +97,18 @@
.
This is GnuPG's signature verification tool, gpgv, packaged in minimal
form for use in debian-installer.
+
+Package: gpgv-win32
+Architecture: all
+Priority: extra
+Suggests: wine
+Description: GNU privacy guard - signature verification tool (win32 build)
+ GnuPG is GNU's tool for secure communication and data storage.
+ .
+ gpgv is a stripped-down version of gnupg which is only able to check
+ signatures. It is smaller than the full-blown gnupg and uses a
+ different (and simpler) way to check that the public keys used to
+ make the signature are trustworthy.
+ .
+ This is a win32 version of gpgv. It's meant to be used by the win32-loader
+ component of Debian-Installer.
Index: debian/changelog
===================================================================
--- debian/changelog (révision 198)
+++ debian/changelog (copie de travail)
@@ -1,8 +1,12 @@
gnupg (1.4.10-5) UNRELEASED; urgency=low
+ [ Thijs Kinkhorst ]
* Update references to RFC 2440 into RFC 4880. Thanks
Christoph Anton Mitterer (Closes: #592294).
+ [ Didier Raboud ]
+ * Add a gpgv-win32 package, to be used in win32-loader.
+
-- Thijs Kinkhorst <[email protected]> Wed, 11 Aug 2010 10:39:02 +0200
gnupg (1.4.10-4) unstable; urgency=high
Index: debian/rules
===================================================================
--- debian/rules (révision 198)
+++ debian/rules (copie de travail)
@@ -24,7 +24,7 @@
--enable-noexecstack
ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
-CONFARGS += --host=$(DEB_HOST_GNU_TYPE)
+HOSTARG += --host=$(DEB_HOST_GNU_TYPE)
endif
ifeq ($(DEB_BUILD_ARCH),ppc64)
@@ -51,6 +51,12 @@
../configure $(CONFARGS) $(HOSTARG) \
--without-bzip2 --without-readline --without-libcurl)
+build-win32/config.status:
+ dh_testdir
+ (mkdir -p $(@D); cd $(@D); CFLAGS="-g -Os" \
+ ../configure $(CONFARGS) --host i586-mingw32msvc \
+ --disable-gnupg-iconv --without-bzip2 --without-readline --without-libcurl)
+
##################################### build ##################################
build-deb-stamp: patch-stamp build-deb/config.status
@@ -74,16 +80,22 @@
$(MAKE) -C build-udeb/
touch $@
+build-win32-stamp: patch-stamp build-win32/config.status
+ dh_testdir
+ $(MAKE) -C build-win32/
+ touch $@
+
build: build-deb-stamp build-deb-curl-stamp build-udeb-stamp
+build-indep: build-win32-stamp
##################################### clean ##################################
clean: unpatch
dh_testdir
dh_testroot
- rm -rf build-udeb/ build-deb-curl/ build-deb/
+ rm -rf build-udeb/ build-deb-curl/ build-deb/ build-win32/
# find . -name \*~ | xargs rm -vf
- dh_clean build-deb-stamp build-deb-curl-stamp build-udeb-stamp patch-stamp
+ dh_clean build-deb-stamp build-deb-curl-stamp build-udeb-stamp build-win32-stamp patch-stamp
#################################### install #################################
@@ -107,34 +119,48 @@
#################################### binary ##################################
-binary-indep: build install
+binary-indep: build-indep
+ dh_testdir -i
+ dh_testroot -i
+ dh_installchangelogs -i NEWS
+ dh_installdocs -i
+ dh_install -i
+ dh_link -i
+ dh_strip -i
+ dh_compress -i
+ dh_fixperms -i
+ dh_installdeb -i
+ dh_gencontrol -i
+ dh_md5sums -i
+ dh_builddeb -i
+
binary-arch: build install
- dh_testdir
- dh_testroot
- dh_installchangelogs NEWS
+ dh_testdir -a
+ dh_testroot -a
+ dh_installchangelogs -a NEWS
# Do we want to ship these 100 of kB's changelogs?
for i in checks cipher doc g10 include keyserver mpi po tools util; do \
install -m 644 $$i/ChangeLog debian/gnupg/usr/share/doc/gnupg/changelog.$$i; \
done
install -m 644 ChangeLog debian/gnupg/usr/share/doc/gnupg/changelog.toplevel
install -m 644 keyserver/ChangeLog debian/gnupg-curl/usr/share/doc/gnupg-curl/changelog.keyserver
- dh_installdocs
- dh_installexamples
- dh_movefiles -pgpgv --sourcedir=debian/gnupg
- dh_install
- dh_installinfo doc/gnupg1.info
- dh_installman
- dh_installudev
- if which dh_bugfiles ; then dh_bugfiles ; fi
- dh_link
- dh_strip
- dh_compress
- dh_fixperms
- dh_installdeb
- dh_shlibdeps -X debian/gnupg/usr/lib/gnupg/gpgkeys_ldap -- -dRecommends $(CURDIR)/debian/gnupg/usr/lib/gnupg/gpgkeys_ldap -dDepends
- dh_gencontrol
- dh_md5sums
- dh_builddeb
+ dh_installdocs -a
+ dh_installexamples -a
+ dh_movefiles -a -pgpgv --sourcedir=debian/gnupg
+ dh_install -a
+ dh_installinfo -a doc/gnupg1.info
+ dh_installman -a
+ dh_installudev -a
+ if which dh_bugfiles ; then dh_bugfiles -a ; fi
+ dh_link -a
+ dh_strip -a
+ dh_compress -a
+ dh_fixperms -a
+ dh_installdeb -a
+ dh_shlibdeps -a -X debian/gnupg/usr/lib/gnupg/gpgkeys_ldap -- -dRecommends $(CURDIR)/debian/gnupg/usr/lib/gnupg/gpgkeys_ldap -dDepends
+ dh_gencontrol -a
+ dh_md5sums -a
+ dh_builddeb -a
binary: binary-indep binary-arch