From 4b15a008f2cbb41b3bd0cb66c19b683554ff1edc Mon Sep 17 00:00:00 2001
From: Alyssa Ross
Date: Sun, 30 Jun 2019 14:04:22 +0000
Subject: [PATCH 1/3] gnupg: change default keyserver to non-SKS

See https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f. The SKS network is vulnerable to certificate poisoning, which can destroy GnuPG installations. keys.openpgp.org is a new non-SKS keyserver that is resistant to this type of attack. With such an attack being possible, it is unsafe to use SKS keyservers for almost anything, and so we should protect our users from a now unsafe default. keys.openpgp.org offers some (but not all) functionality of SKS, and is better than nothing. This default is only present in gnupg22. gnupg20 and gnupg1orig are not affected. (cherry picked from commit c727083e6565293c0e38f033fc1db07b187bddb0)
---
 pkgs/tools/security/gnupg/22.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pkgs/tools/security/gnupg/22.nix b/pkgs/tools/security/gnupg/22.nix
index c802f44aa976c..1222e375359df 100644
--- a/pkgs/tools/security/gnupg/22.nix
+++ b/pkgs/tools/security/gnupg/22.nix
@@ -31,7 +31,10 @@ stdenv.mkDerivation rec {
   patches = [
     ./fix-libusb-include-path.patch
   ];
 
-  postPatch = stdenv.lib.optionalString stdenv.isLinux ''
+  postPatch = ''
+    sed -i 's,hkps://hkps.pool.sks-keyservers.net,hkps://keys.openpgp.org,g' \
+      configure doc/dirmngr.texi doc/gnupg.info-1
+  '' + stdenv.lib.optionalString stdenv.isLinux ''
     sed -i 's,"libpcsclite\.so[^"]*","${stdenv.lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c
   ''; #" fix Emacs syntax highlighting :-(
From 9abbb2e0198f9384ed2c55e95c6ae242cfb5a88d Mon Sep 17 00:00:00 2001
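Review bot: The `sed` on `configure` changes what dirmngr's `get_default_keyserver (1)` returns, and at this version `http_session_new` (visible in the patch vendored later in this series) compares that value against the intended host to decide whether to install Kristian's sks-keyservers.net CA as the default CA list — so with this commit on its own, HKPS connections to keys.openpgp.org would be verified against the SKS pool CA rather than the system trust store and would most likely fail. This commit should only be backported together with the dirmngr fix, and a comment in postPatch such as `# changing the default requires the dirmngr CA fix (GnuPG-Bug-Id 4593), see patches` would make that coupling explicit to the next maintainer. Separately, `sed -i` exits 0 when the pattern is absent, so if upstream ever renames the default the substitution silently degrades back to the SKS pool; a guard like `grep -q 'hkps://hkps.pool.sks-keyservers.net' configure` before the sed turns that into a build failure instead.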
From: Alyssa Ross
Date: Sun, 30 Jun 2019 19:05:31 +0000
Subject: [PATCH 2/3] gnupg: apply default server CA verification patch

See discussion at https://github.com/NixOS/nixpkgs/pull/63952#issuecomment-507048690. Upstream commit: commit 1c9cc97e9d47d73763810dcb4a36b6cdf31a2254 Author: Daniel Kahn Gillmor Date: Sun Jun 30 11:54:35 2019 -0400 dirmngr: Only use SKS pool CA for SKS pool * dirmngr/http.c (http_session_new): when checking whether the keyserver is the HKPS pool, check specifically against the pool name, as ./configure might have been used to select a different default keyserver. It makes no sense to apply Kristian's certificate authority to anything other than the literal host hkps.pool.sks-keyservers.net. Signed-off-by: Daniel Kahn Gillmor GnuPG-Bug-Id: 4593 (cherry picked from commit ba23c14b842e50cb9d8a228a6007207f2c28c1fe)
---
 pkgs/tools/security/gnupg/22.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/pkgs/tools/security/gnupg/22.nix b/pkgs/tools/security/gnupg/22.nix
index 1222e375359df..d09c861eac6fa 100644
--- a/pkgs/tools/security/gnupg/22.nix
+++ b/pkgs/tools/security/gnupg/22.nix
@@ -1,4 +1,4 @@
-{ fetchurl, stdenv, pkgconfig, libgcrypt, libassuan, libksba
+{ fetchurl, fetchpatch, stdenv, pkgconfig, libgcrypt, libassuan, libksba
 , libiconv, npth, gettext, texinfo, pcsclite, sqlite
 
 # Each of the dependencies below are optional.
@@ -30,6 +30,10 @@ stdenv.mkDerivation rec {
   patches = [
     ./fix-libusb-include-path.patch
+    (fetchpatch {
+      url = https://files.gnupg.net/file/data/qmxjhc6kuja3orybj7st/PHID-FILE-vvzlnw36427pdnug2amc/file;
+      sha256 = "13snxkmlgmvn0rgxh5k2sgxkp5mbxqiznzm45sw649nvs3ccghq8";
+    })
   ];
 
   postPatch = ''
     sed -i 's,hkps://hkps.pool.sks-keyservers.net,hkps://keys.openpgp.org,g' \
From 46dc46458b866ac9d4a20fd35a6eade4e35c8670 Mon Sep 17 00:00:00 2001
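Review bot: The fetched patch in the `patches` hunk is identified only by an opaque Phabricator blob URL (`url = https://files.gnupg.net/file/data/.../file;`), so nothing in the derivation ties it to the upstream commit named in the message; the `sha256` pin protects integrity, but not availability or reviewability if the blob goes away. Adding `name = "0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch";` and a comment `# upstream commit 1c9cc97e, GnuPG-Bug-Id 4593` inside the fetchpatch block — or fetching by commit from the upstream git host, or vendoring the 34-line patch — would keep the provenance auditable. The URL is also written as a bare unquoted literal; quoting it (`url = "https://…";`) matches the quoted `sha256` beside it and avoids the unquoted-URL form nixpkgs has been moving away from.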
From: Alyssa Ross
Date: Wed, 3 Jul 2019 16:34:01 +0000
Subject: [PATCH 3/3] gnupg: vendor SKS patch

This quickly became a 404 upstream. Fixes https://github.com/NixOS/nixpkgs/64256. (cherry picked from commit 4cab72953c6a8823a85302e8f0303477d1b20ae9)
---
 ...gr-Only-use-SKS-pool-CA-for-SKS-pool.patch | 34 +++++++++++++++++++
 pkgs/tools/security/gnupg/22.nix | 5 +--
 2 files changed, 35 insertions(+), 4 deletions(-)
 create mode 100644 pkgs/tools/security/gnupg/0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch

diff --git a/pkgs/tools/security/gnupg/0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch b/pkgs/tools/security/gnupg/0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch
new file mode 100644
index 0000000000000..061fb0e8de9c1
--- /dev/null
+++ b/pkgs/tools/security/gnupg/0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch
@@ -0,0 +1,34 @@
+From 1c9cc97e9d47d73763810dcb4a36b6cdf31a2254 Mon Sep 17 00:00:00 2001
+From: Daniel Kahn Gillmor
+Date: Sun, 30 Jun 2019 11:54:35 -0400
+Subject: [PATCH] dirmngr: Only use SKS pool CA for SKS pool
+
+* dirmngr/http.c (http_session_new): when checking whether the
+keyserver is the HKPS pool, check specifically against the pool name,
+as ./configure might have been used to select a different default
+keyserver. It makes no sense to apply Kristian's certificate
+authority to anything other than the literal host
+hkps.pool.sks-keyservers.net.
+
+Signed-off-by: Daniel Kahn Gillmor
+GnuPG-Bug-Id: 4593
+---
+ dirmngr/http.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dirmngr/http.c b/dirmngr/http.c
+index 384f2569d..8e5d53939 100644
+--- a/dirmngr/http.c
++++ b/dirmngr/http.c
+@@ -767,7 +767,7 @@ http_session_new (http_session_t *r_session,
+ 
+   is_hkps_pool = (intended_hostname
+                   && !ascii_strcasecmp (intended_hostname,
+-                                        get_default_keyserver (1)));
++                                        "hkps.pool.sks-keyservers.net"));
+ 
+   /* If the user has not specified a CA list, and they are looking
+    * for the hkps pool from sks-keyservers.net, then default to
+-- 
+2.22.0
+
diff --git a/pkgs/tools/security/gnupg/22.nix b/pkgs/tools/security/gnupg/22.nix
index d09c861eac6fa..0863f127cc192 100644
--- a/pkgs/tools/security/gnupg/22.nix
+++ b/pkgs/tools/security/gnupg/22.nix
@@ -30,10 +30,7 @@ stdenv.mkDerivation rec {
   patches = [
     ./fix-libusb-include-path.patch
-    (fetchpatch {
-      url = https://files.gnupg.net/file/data/qmxjhc6kuja3orybj7st/PHID-FILE-vvzlnw36427pdnug2amc/file;
-      sha256 = "13snxkmlgmvn0rgxh5k2sgxkp5mbxqiznzm45sw649nvs3ccghq8";
-    })
+    ./0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch
   ];
 
   postPatch = ''
     sed -i 's,hkps://hkps.pool.sks-keyservers.net,hkps://keys.openpgp.org,g' \
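Review bot: The new `./0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch` entry in the 22.nix hunk has no comment saying why it is there, although it is what makes the keyserver substitution in postPatch safe: without it, the vendored http.c change shows dirmngr would apply the SKS pool CA to whatever `get_default_keyserver (1)` returns, i.e. to keys.openpgp.org. A comment above the entry such as `# upstream 1c9cc97e (GnuPG-Bug-Id 4593): apply the SKS pool CA only to the literal pool host; required by the default-keyserver sed below, drop once a release ships it` records both the dependency and the removal condition. Keeping the upstream From/Signed-off-by header in the vendored file is the right way to preserve provenance now that the patch is no longer fetched.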