public inbox for cygwin-apps-cvs@sourceware.org
From: Jon TURNEY <jturney@sourceware.org>
To: cygwin-apps-cvs@sourceware.org
Subject: [setup - the official Cygwin setup program] branch master, updated. release_2.902-2-gf681d72f
Date: Thu, 12 Mar 2020 15:58:46 +0000 (GMT)
Message-ID: <20200312155846.A9BE13942014@sourceware.org>




https://sourceware.org/git/gitweb.cgi?p=cygwin-apps/setup.git;h=f681d72f73742906af0dda247655ea6da264fb76

commit f681d72f73742906af0dda247655ea6da264fb76
Author: Jon Turney <jon.turney@dronecode.org.uk>
Date:   Sun Mar 1 13:40:21 2020 +0000

    Produce detached signature for setup executable using new and old keys
    
    This is slightly fraught: If we don't specify a digest preference, sha1
    will be used with both keys, which we don't want.  Even if we do specify
    a digest preference, sha1 is still used for DSA, and gpg won't verify
    all the signatures, if they don't use the same hash algorithm (See [1]).
    So specify dsa2 as well, to allow sha256 to be used in both signatures.
    
    [1] https://dev.gnupg.org/T1462

https://sourceware.org/git/gitweb.cgi?p=cygwin-apps/setup.git;h=f724f2f38bdc95fd7068d1a183a8229d865d35f2

commit f724f2f38bdc95fd7068d1a183a8229d865d35f2
Author: Jon Turney <jon.turney@dronecode.org.uk>
Date:   Fri Feb 28 18:13:53 2020 +0000

    Run libgcrypt self-tests
    
    The libgcrypt in Fedora's mingw-libgcrypt package is patched to always
    run self-tests, even if FIPS mode isn't on.
    
    Ensure self-tests run before we turn on voluble debugging, to avoid even
    more log spam.
    
    If we're going to run the self-test, we should report if it fails :)


Diff:
---
 Makefile.am | 3 ++-
 crypto.cc   | 8 +++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 4ceeb98d..987909cd 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -306,10 +306,11 @@ release: upx
 
 UPLOAD_HOST=cygwin-admin@cygwin.com
 UPLOAD_PATH=/www/sourceware/htdocs/cygwin/setup
+SIGN_KEYS="--enable-dsa2 --personal-digest-preferences=sha256 -u 676041BA -u 1A698DE9E2E56300"
 
 upload: release
 	scp setup-${VER}.$(ARCH).exe setup-${VER}.$(ARCH).dbg ${UPLOAD_HOST}:${UPLOAD_PATH}
-	ssh ${UPLOAD_HOST} gpg --detach-sign ${UPLOAD_PATH}/setup-${VER}.$(ARCH).exe
+	ssh ${UPLOAD_HOST} gpg ${SIGN_KEYS} --detach-sign ${UPLOAD_PATH}/setup-${VER}.$(ARCH).exe
 
 clean-local:
 	rm -f setup*${EXEEXT} setup*.dbg
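
Review bot: The -u 676041BA in the added SIGN_KEYS line is a short 32-bit key ID, while the second key is given as a 64-bit ID; short IDs are not unique, so it would be safer to name both signing keys by full fingerprint. Separately, the double quotes in the SIGN_KEYS assignment are kept literally by make, so the recipe hands the whole option string to ssh as a single word; that works here only because the remote shell splits the command line again, and dropping the quotes would keep the recipe correct if gpg were ever run locally. The reason for --enable-dsa2 and the sha256 preference is recorded only in the commit message; a short comment above SIGN_KEYS would keep it next to the options.
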
diff --git a/crypto.cc b/crypto.cc
index c4814b9e..2e4ba218 100644
--- a/crypto.cc
+++ b/crypto.cc
@@ -676,9 +676,15 @@ verify_ini_file_sig (io_stream *ini_file, io_stream *ini_sig_file, HWND owner)
     {
 #if CRYPTODEBUGGING
       gcry_set_log_handler (gcrypt_log_adaptor, NULL);
-      gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1);
 #endif
       gcry_check_version (NULL);
+
+      if ((rv = gcry_control (GCRYCTL_SELFTEST)) != GPG_ERR_NO_ERROR)
+        ERRKIND (owner, IDS_CRYPTO_ERROR, rv, "libgcrypt selftest failed");
+
+#if CRYPTODEBUGGING
+      gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1);
+#endif
       gcrypt_init = true;
     }
 
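
Review bot: In the added self-test check in verify_ini_file_sig, a failure is reported through ERRKIND, but the following gcrypt_init = true is still reached unless ERRKIND leaves the function, which this hunk does not show. If it does not return, a failed self-test would be recorded as a completed initialisation and signature verification would carry on with a library that has just reported itself faulty; either confirm that ERRKIND returns or make the early exit explicit before gcrypt_init is set. The return value of gcry_check_version (NULL) is also still ignored on the line above, so the new check is the only initialisation failure that gets reported.
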


