public inbox for cygwin-apps-cvs@sourceware.org
* [setup - the official Cygwin setup program] branch master, updated. release_2.902-2-gf681d72f
@ 2020-03-12 15:58 Jon TURNEY
From: Jon TURNEY @ 2020-03-12 15:58 UTC (permalink / raw)
  To: cygwin-apps-cvs




https://sourceware.org/git/gitweb.cgi?p=cygwin-apps/setup.git;h=f681d72f73742906af0dda247655ea6da264fb76

commit f681d72f73742906af0dda247655ea6da264fb76
Author: Jon Turney <jon.turney@dronecode.org.uk>
Date:   Sun Mar 1 13:40:21 2020 +0000

    Produce detached signature for setup executable using new and old keys
    
    This is slightly fraught: If we don't specify a digest preference, sha1
    will be used with both keys, which we don't want.  Even if we do specify
    a digest preference, sha1 is still used for DSA, and gpg won't verify
    all the signatures, if they don't use the same hash algorithm (See [1]).
    So specify dsa2 as well, to allow sha256 to be used in both signatures.
    
    [1] https://dev.gnupg.org/T1462

https://sourceware.org/git/gitweb.cgi?p=cygwin-apps/setup.git;h=f724f2f38bdc95fd7068d1a183a8229d865d35f2

commit f724f2f38bdc95fd7068d1a183a8229d865d35f2
Author: Jon Turney <jon.turney@dronecode.org.uk>
Date:   Fri Feb 28 18:13:53 2020 +0000

    Run libgcrypt self-tests
    
    The libgcrypt in Fedora's mingw-libgcrypt package is patched to always
    run self-tests, even if FIPS mode isn't on.
    
    Ensure self-tests run before we turn on voluble debugging, to avoid even
    more log spam.
    
    If we're going to run the self-test, we should report if it fails :)


Diff:
---
 Makefile.am | 3 ++-
 crypto.cc   | 8 +++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 4ceeb98d..987909cd 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -306,10 +306,11 @@ release: upx
 
 UPLOAD_HOST=cygwin-admin@cygwin.com
 UPLOAD_PATH=/www/sourceware/htdocs/cygwin/setup
+SIGN_KEYS="--enable-dsa2 --personal-digest-preferences=sha256 -u 676041BA -u 1A698DE9E2E56300"
 
 upload: release
 	scp setup-${VER}.$(ARCH).exe setup-${VER}.$(ARCH).dbg ${UPLOAD_HOST}:${UPLOAD_PATH}
-	ssh ${UPLOAD_HOST} gpg --detach-sign ${UPLOAD_PATH}/setup-${VER}.$(ARCH).exe
+	ssh ${UPLOAD_HOST} gpg ${SIGN_KEYS} --detach-sign ${UPLOAD_PATH}/setup-${VER}.$(ARCH).exe
 
 clean-local:
 	rm -f setup*${EXEEXT} setup*.dbg
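Review bot: In the new SIGN_KEYS line, `-u 676041BA` selects a signing key by its 32-bit short key ID, which is not unique and can match more than one key in the keyring on the upload host; name both keys by full fingerprint instead (the second, `1A698DE9E2E56300`, is a 64-bit long ID, which is better but still not the fingerprint). Separately, make keeps the double quotes as part of the variable's value, so the recipe works only because ssh rejoins its arguments and the remote shell splits them again; the same `gpg ${SIGN_KEYS}` run locally would hand gpg the whole string as one argument. Dropping the quotes from the assignment, and adding a comment that records why `--enable-dsa2` and the sha256 preference are both needed (the T1462 reasoning from the commit message), would make this easier to maintain.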
diff --git a/crypto.cc b/crypto.cc
index c4814b9e..2e4ba218 100644
--- a/crypto.cc
+++ b/crypto.cc
@@ -676,9 +676,15 @@ verify_ini_file_sig (io_stream *ini_file, io_stream *ini_sig_file, HWND owner)
     {
 #if CRYPTODEBUGGING
       gcry_set_log_handler (gcrypt_log_adaptor, NULL);
-      gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1);
 #endif
       gcry_check_version (NULL);
+
+      if ((rv = gcry_control (GCRYCTL_SELFTEST)) != GPG_ERR_NO_ERROR)
+        ERRKIND (owner, IDS_CRYPTO_ERROR, rv, "libgcrypt selftest failed");
+
+#if CRYPTODEBUGGING
+      gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1);
+#endif
       gcrypt_init = true;
     }
 
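Review bot: The failure branch of the new `gcry_control (GCRYCTL_SELFTEST)` check has no visible return, so unless ERRKIND itself leaves the function, execution falls through to `gcrypt_init = true` and signature verification continues with a library that has just failed its self-test; the one-time guard also means the self-test is never retried on later calls. Return the failure to the caller directly after the ERRKIND line and leave `gcrypt_init` unset in that case, so a failed self-test blocks verification rather than only being reported.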


