public inbox for cygwin-apps-cvs@sourceware.org
From: Jon TURNEY <jturney@sourceware.org>
To: cygwin-apps-cvs@sourceware.org
Subject: [setup - the official Cygwin setup program] branch master, updated. release_2.902-2-gf681d72f
Date: Thu, 12 Mar 2020 15:58:46 +0000 (GMT)
Message-ID: <20200312155846.A9BE13942014@sourceware.org>

https://sourceware.org/git/gitweb.cgi?p=cygwin-apps/setup.git;h=f681d72f73742906af0dda247655ea6da264fb76

commit f681d72f73742906af0dda247655ea6da264fb76
Author: Jon Turney <jon.turney@dronecode.org.uk>
Date: Sun Mar 1 13:40:21 2020 +0000

Produce detached signature for setup executable using new and old keys

This is slightly fraught: If we don't specify a digest preference, sha1 will be used with both keys, which we don't want. Even if we do specify a digest preference, sha1 is still used for DSA, and gpg won't verify all the signatures, if they don't use the same hash algorithm (See [1]). So specify dsa2 as well, to allow sha256 to be used in both signatures.

[1] https://dev.gnupg.org/T1462

https://sourceware.org/git/gitweb.cgi?p=cygwin-apps/setup.git;h=f724f2f38bdc95fd7068d1a183a8229d865d35f2

commit f724f2f38bdc95fd7068d1a183a8229d865d35f2
Author: Jon Turney <jon.turney@dronecode.org.uk>
Date: Fri Feb 28 18:13:53 2020 +0000

Run libgcrypt self-tests

The libgcrypt in Fedora's mingw-libgcrypt package is patched to always run self-tests, even if FIPS mode isn't on. Ensure self-tests run before we turn on voluble debugging, to avoid even more log spam. If we're going to run the self-test, we should report if it fails :)

Diff: --- Makefile.am | 3 ++- crypto.cc | 8 +++++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/Makefile.am b/Makefile.am index 4ceeb98d..987909cd 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -306,10 +306,11 @@ release: upx UPLOAD_HOST=cygwin-admin@cygwin.com UPLOAD_PATH=/www/sourceware/htdocs/cygwin/setup +SIGN_KEYS="--enable-dsa2 --personal-digest-preferences=sha256 -u 676041BA -u 1A698DE9E2E56300" upload: release scp setup-${VER}.$(ARCH).exe setup-${VER}.$(ARCH).dbg ${UPLOAD_HOST}:${UPLOAD_PATH} - ssh ${UPLOAD_HOST} gpg --detach-sign ${UPLOAD_PATH}/setup-${VER}.$(ARCH).exe + ssh ${UPLOAD_HOST} gpg ${SIGN_KEYS} --detach-sign ${UPLOAD_PATH}/setup-${VER}.$(ARCH).exe clean-local: rm -f setup*${EXEEXT} setup*.dbg diff --git a/crypto.cc b/crypto.cc index c4814b9e..2e4ba218 100644 --- a/crypto.cc +++ b/crypto.cc @@ -676,9 +676,15 @@ verify_ini_file_sig (io_stream *ini_file, io_stream *ini_sig_file, HWND owner) { #if CRYPTODEBUGGING gcry_set_log_handler (gcrypt_log_adaptor, NULL); - gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1); #endif gcry_check_version (NULL); + + if ((rv = gcry_control (GCRYCTL_SELFTEST)) != GPG_ERR_NO_ERROR) + ERRKIND (owner, IDS_CRYPTO_ERROR, rv, "libgcrypt selftest failed"); + +#if CRYPTODEBUGGING + gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1); +#endif gcrypt_init = true; }
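Review bot: In the Makefile.am hunk, the new SIGN_KEYS line selects the first signing key by the 8-digit short ID `-u 676041BA`, while the second key uses a 16-digit ID. Short key IDs are not unique, so the full fingerprint of each key would make the selection unambiguous on the upload host. Two smaller points on the same line: the double quotes are part of the make variable's value and the options are only split back into separate arguments because ssh hands the command to a remote shell, so dropping the quotes would be more robust; and since `--personal-digest-preferences` is a preference, the upload rule could run `gpg --verify` on the resulting signature to confirm that both signatures were produced and verify together.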
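Review bot: In the crypto.cc hunk, the failure branch of the new `gcry_control (GCRYCTL_SELFTEST)` check is followed unconditionally by `gcrypt_init = true;`, and it is not visible from these lines whether ERRKIND leaves verify_ini_file_sig. If it only reports the error, a failed self-test would still mark libgcrypt as initialised and signature verification would carry on with a library that failed its own checks; please confirm the branch exits before the flag is set, or make that explicit. A short comment saying that the debug flags are deliberately enabled after the self-test (to keep self-test output out of the log) would also help the next reader understand why the `#if CRYPTODEBUGGING` block is split in two.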
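As an added example (not part of the commit or of the setup project), a release-side check for the concern in the first commit message: every signature in the detached file should use SHA-256. It assumes `gpg --list-packets` prints one `digest algo N` line per signature packet, with 8 meaning SHA-256 and 2 meaning SHA-1 as in RFC 4880; the function names, the sample listing and its key IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Real use (file name is a placeholder):
#   gpg --list-packets setup.exe.sig | check_sig_digests 2

# Constructed listing in the shape `gpg --list-packets` prints for a detached
# signature file holding two signatures (RSA = algo 1, DSA = algo 17).
# Key IDs, timestamps and digest bytes are made up.
sample_good() {
cat <<'EOF'
:signature packet: algo 1, keyid 1111111111111111
    version 4, created 1584028726, md5len 0, sigclass 0x00
    digest algo 8, begin of digest 3a 7c
    data: [4095 bits]
:signature packet: algo 17, keyid 2222222222222222
    version 4, created 1584028726, md5len 0, sigclass 0x00
    digest algo 8, begin of digest 91 0e
    data: [256 bits]
    data: [255 bits]
EOF
}

# Same listing with the second (DSA) signature downgraded to SHA-1 (algo 2),
# the mixed-hash outcome the commit message says must be avoided.
sample_mixed() {
    sample_good | awk '/digest algo/ && ++n == 2 { sub(/algo 8/, "algo 2") } { print }'
}

# Reads a packet listing on stdin. Succeeds only when exactly $1 signature
# packets are present and each one uses digest algo 8 (SHA-256).
check_sig_digests() {
    awk -v want="$1" '
        /^:signature packet:/ { sigs++; keyid = $NF }
        /^[ \t]*digest algo / {
            algo = $3; sub(/,/, "", algo)
            if (algo + 0 != 8) {
                printf "keyid %s: digest algo %s, not SHA-256\n", keyid, algo
                bad++
            }
        }
        END {
            if (sigs + 0 != want + 0) {
                printf "expected %d signatures, found %d\n", want, sigs
                bad++
            }
            exit (bad > 0)
        }'
}

sample_good  | check_sig_digests 2 && echo "good listing: accepted"
sample_mixed | check_sig_digests 2 || echo "mixed listing: rejected"
```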