Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: NixOS/nixpkgs
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: e3926c8043cf
Choose a base ref
...
head repository: NixOS/nixpkgs
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: fd593be44b29
Choose a head ref
  • 3 commits
  • 1 file changed
  • 1 contributor

Commits on Jun 30, 2019

  1. gnupg: change default keyserver to non-SKS 

    See https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f.

The SKS network is vulnerable to certificate poisoning, which can
destroy GnuPG installations. keys.openpgp.org is a new non-SKS keyserver
that is resistant to this type of attack.

With such an attack being possible, it is unsafe to use SKS keyservers
for almost anything, and so we should protect our users from a now
unsafe default. keys.openpgp.org offers some (but not all) functionality
of SKS, and is better than nothing.

This default is only present in gnupg22. gnupg20 and gnupg1orig are not
affected.
    @alyssais
    alyssais committed Jun 30, 2019

    Verified

    This commit was signed with the committer’s verified signature. The key has expired.
    alyssais Alyssa Ross
    GPG key ID: F9DBED4859B271C0
    Expired
    Verified
    Learn about vigilant mode
    Copy the full SHA
    c727083 View commit details

  2. gnupg: apply default server CA verification patch 

    See discussion at
#63952 (comment).

Upstream commit:

commit 1c9cc97e9d47d73763810dcb4a36b6cdf31a2254
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Sun Jun 30 11:54:35 2019 -0400

    dirmngr: Only use SKS pool CA for SKS pool

    * dirmngr/http.c (http_session_new): when checking whether the
    keyserver is the HKPS pool, check specifically against the pool name,
    as ./configure might have been used to select a different default
    keyserver.  It makes no sense to apply Kristian's certificate
    authority to anything other than the literal host
    hkps.pool.sks-keyservers.net.

    Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
    GnuPG-Bug-Id: 4593
    @alyssais
    alyssais committed Jun 30, 2019

    Verified

    This commit was signed with the committer’s verified signature. The key has expired.
    alyssais Alyssa Ross
    GPG key ID: F9DBED4859B271C0
    Expired
    Verified
    Learn about vigilant mode
    Copy the full SHA
    ba23c14 View commit details

  3. Merge pull request #63952 from alyssais/gnupg-sks 

    gnupg: change default keyserver to non-SKS
    @alyssais
    alyssais authored Jun 30, 2019

    Verified

    This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
    GPG key ID: 4AEE18F83AFDEB23
    Expired
    Verified
    Learn about vigilant mode
    Copy the full SHA
    fd593be View commit details
Showing with 10 additions and 3 deletions.
  1. +10 −3 pkgs/tools/security/gnupg/22.nix
13 changes: 10 additions & 3 deletions pkgs/tools/security/gnupg/22.nix
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
{ fetchurl, stdenv, pkgconfig, libgcrypt, libassuan, libksba, libgpgerror
, libiconv, npth, gettext, texinfo, pcsclite, sqlite
{ fetchurl, fetchpatch, stdenv, pkgconfig, libgcrypt, libassuan, libksba
, libgpgerror, libiconv, npth, gettext, texinfo, pcsclite, sqlite
, buildPackages

# Each of the dependencies below are optional.
@@ -32,8 +32,15 @@ stdenv.mkDerivation rec {

patches = [
./fix-libusb-include-path.patch
(fetchpatch {
url = https://files.gnupg.net/file/data/qmxjhc6kuja3orybj7st/PHID-FILE-vvzlnw36427pdnug2amc/file;
sha256 = "13snxkmlgmvn0rgxh5k2sgxkp5mbxqiznzm45sw649nvs3ccghq8";
})
];
postPatch = stdenv.lib.optionalString stdenv.isLinux ''
postPatch = ''
sed -i 's,hkps://hkps.pool.sks-keyservers.net,hkps://keys.openpgp.org,g' \
configure doc/dirmngr.texi doc/gnupg.info-1
'' + stdenv.lib.optionalString stdenv.isLinux ''
sed -i 's,"libpcsclite\.so[^"]*","${stdenv.lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c
''; #" fix Emacs syntax highlighting :-(