[Pkg-gnupg-maint] Bug#612462: gnupg: Please provide a win32 port of gpgv

Didier Raboud odyx at debian.org
Tue Feb 8 16:06:37 UTC 2011


Package: gnupg
Version: 1.4.10-4
Severity: wishlist
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi, 

a current flaw of the standalone version of win32-loader (source and binary
package in Debian) is that it downloads the d-i kernel and initrds through
the Internet without any form of checking that those are authenticated binaries
from the Debian project (see #442180 for details).

In order to solve this, the Windows executable needs to check the signature on
the downloaded Release{,.gpg} file and then check the md5sums of various
files. The md5sum checksum verification is already implemented (although not
uploaded yet) with a md5sum implementation internal to NSIS. There are still
missing pieces on the FTP-Master side (see #611087, which will get solved in their
upcoming meeting, I heard), but I would also need a gpgv.exe that could run on
the target Windows host, to check the downloaded Release{,.gpg} files.

Hence this wishlist bug. A tested patch is attached.

I limited the patch to a gpgv win32 port, but gpg.exe also gets built. You
might want to rename the package "gpg-win32" and put all executables built
inside, but I don't need that.

(I also "needed" to fix an imprecision in the code: 

 ifneq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
- -CONFARGS += --host=$(DEB_HOST_GNU_TYPE)
+HOSTARG += --host=$(DEB_HOST_GNU_TYPE)
 endif
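
Review bot: On the + line, `HOSTARG +=` appends to a variable that the visible context neither defines nor passes to configure, while `--host` is no longer added to `CONFARGS`; a cross build (build type differing from host type) therefore loses its `--host` unless every configure invocation elsewhere in the patch also expands `$(HOSTARG)`. Please initialise `HOSTARG` explicitly before the `ifneq`, add a comment saying why the host argument is kept separate from `CONFARGS`, and confirm that the existing cross-build configure call uses both variables.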

)

Thanks in advance for considering, cheers,

OdyX

- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (750, 'unstable'), (700, 'testing-proposed-updates'), (700, 'testing'), (101, 'testing-proposed-updates'), (101, 'experimental'), (101, 'unstable'), (101, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gnupg depends on:
ii  dpkg                    1.15.8.10        Debian package management system
ii  gpgv                    1.4.10-4         GNU privacy guard - signature veri
ii  install-info            4.13a.dfsg.1-6   Manage installed documentation in 
ii  libbz2-1.0              1.0.5-6          high-quality block-sorting file co
ii  libc6                   2.11.2-11        Embedded GNU C Library: Shared lib
ii  libreadline6            6.1-3            GNU readline and history libraries
ii  libusb-0.1-4            2:0.1.12-17      userspace USB programming library
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages gnupg recommends:
ii  gnupg-curl                    1.4.10-4   GNU privacy guard - a free PGP rep
ii  libldap-2.4-2                 2.4.23-7   OpenLDAP libraries

Versions of packages gnupg suggests:
pn  gnupg-doc                    <none>      (no description available)
ii  imagemagick                  8:6.6.0.4-3 image manipulation programs
ii  libpcsclite1                 1.5.5-4     Middleware to access a smart card 

- -- no debconf information

-------------- next part --------------
A non-text attachment was scrubbed...
Name: gpgv-win32.patch
Type: text/x-diff
Size: 5321 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20110208/6003cfe8/attachment.patch>
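
The check order described in the message (gpgv on Release{,.gpg} first, then each download against the md5sums listed in Release), as an added example that is not part of the original post, the attached patch or win32-loader. The keyring argument, the sample path and the sample data are assumptions constructed for illustration; the parser also accepts the SHA256 section, which goes beyond the MD5 check the message mentions.

```python
import hashlib
import subprocess

# Release section name -> hashlib algorithm. The message uses MD5Sum; SHA256
# is listed because Release files also carry that stronger section.
SECTIONS = {"MD5Sum": "md5", "SHA256": "sha256"}

def verify_release_signature(release, release_gpg, keyring):
    """Run gpgv on the detached signature; True only if gpgv exits 0.
    Assumption: the keyring ships with the installer, not with the download."""
    cmd = ["gpgv", "--keyring", keyring, release_gpg, release]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def parse_release(text, section="MD5Sum"):
    """Return {path: (hexdigest, size)} for one checksum section of Release."""
    entries, inside = {}, False
    for line in text.splitlines():
        if not line.startswith(" "):      # a new top-level field begins
            inside = line.rstrip() == section + ":"
            continue
        if inside:
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
    return entries

def check_file(entries, path, data, section="MD5Sum"):
    """True only if path is listed and both size and digest match."""
    if path not in entries:               # unlisted file: fail closed
        return False
    digest, size = entries[path]
    actual = hashlib.new(SECTIONS[section], data).hexdigest()
    return len(data) == size and actual == digest

# Constructed sample: a Release file with one entry and the "download" it lists.
SAMPLE_FILE = b"constructed stand-in for a d-i kernel image"
SAMPLE_PATH = "installer/example/linux"
SAMPLE_RELEASE = (
    "Origin: Example\nSuite: example\nMD5Sum:\n"
    f" {hashlib.md5(SAMPLE_FILE).hexdigest()} {len(SAMPLE_FILE)} {SAMPLE_PATH}\n"
    "SHA1:\n"
    f" {hashlib.sha1(SAMPLE_FILE).hexdigest()} {len(SAMPLE_FILE)} {SAMPLE_PATH}\n"
)

if __name__ == "__main__":
    entries = parse_release(SAMPLE_RELEASE)
    print("intact download accepted:", check_file(entries, SAMPLE_PATH, SAMPLE_FILE))
    print("altered download accepted:", check_file(entries, SAMPLE_PATH, SAMPLE_FILE + b"x"))
```

The entries from parse_release are only trustworthy once verify_release_signature has returned True for the same Release file; run on an unverified file, the checksum comparison authenticates nothing.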