INN commit: trunk (9 files)

INN Commit rra at isc.org
Sun Feb 11 14:43:07 UTC 2018


    Date: Sunday, February 11, 2018 @ 06:43:06
  Author: iulius
Revision: 10242

Add support for GnuPG's gpg binary to pgpverify and perl-nocem

gpg still validates signatures made with weak digest algorithms like
MD5, whereas gpgv no longer does.

Thanks to Thomas Hochstein for the patch (for pgpverify), which makes it
possible to validate control articles for hierarchies that are still
using old PGP keys.

Also add autoconf magic to detect the new $INN::Config::gpg variable (and
also for shell and Tcl scripts), and make use of it in perl-nocem.

Detect gpg1 in preference to gpg and gpg2.

Modified:
  trunk/configure.ac
  trunk/control/perl-nocem.in
  trunk/control/pgpverify.in
  trunk/doc/pod/inn.conf.pod
  trunk/doc/pod/news.pod
  trunk/perl/INN/Config.pm.in
  trunk/scripts/innshellvars.in
  trunk/scripts/innshellvars.pl.in
  trunk/scripts/innshellvars.tcl.in

-----------------------------+
 configure.ac                |    6 +++-
 control/perl-nocem.in       |   31 +++++++++++++++++------
 control/pgpverify.in        |   55 +++++++++++++++++++++++++++++-------------
 doc/pod/inn.conf.pod        |    8 +++---
 doc/pod/news.pod            |   13 +++++++++
 perl/INN/Config.pm.in       |    3 +-
 scripts/innshellvars.in     |    1 
 scripts/innshellvars.pl.in  |    1 
 scripts/innshellvars.tcl.in |    1 
 9 files changed, 87 insertions(+), 32 deletions(-)

Modified: configure.ac
===================================================================
--- configure.ac	2018-02-04 15:38:19 UTC (rev 10241)
+++ configure.ac	2018-02-11 14:43:06 UTC (rev 10242)
@@ -315,10 +315,12 @@
 dnl GnuPG (which we prefer).
 DO_PGPVERIFY=true
 AC_ARG_VAR([GPGV], [Location of GnuPG gpgv program])
+AC_ARG_VAR([GPG], [Location of GnuPG gpg program])
 AC_ARG_VAR([PGP], [Location of PGP verification program])
-AC_PATH_PROGS([GPGV], [gpgv2 gpgv])
+AC_PATH_PROGS([GPGV], [gpgv1 gpgv gpgv2])
+AC_PATH_PROGS([GPG], [gpg1 gpg gpg2])
 AC_PATH_PROGS([PGP], [pgpv pgp pgpgpg])
-if test -z "$PGP" && test -z "$GPGV" ; then
+if test -z "$PGP" && test -z "$GPGV" && test -z "$GPG" ; then
     DO_PGPVERIFY=false
 fi
 AC_SUBST([DO_PGPVERIFY])
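Review bot: The comment above this hunk still describes the GnuPG check purely in terms of gpgv, while the scripts now use a detected gpg in preference to gpgv, so a site that has both installed silently switches verifier (and starts accepting MD5-signed control messages) on its next rebuild. I would extend the comment to state this, e.g. `dnl GnuPG (which we prefer).  gpg is looked for as well as gpgv because the` / `dnl scripts prefer it: current gpgv rejects weak (MD5) digests, gpg can allow them.` It is not clear to me that setting GPG= on the configure command line is honoured as "none" by AC_PATH_PROGS, so an explicit way to keep gpgv on a system where gpg is also present may be worth adding.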

Modified: control/perl-nocem.in
===================================================================
--- control/perl-nocem.in	2018-02-04 15:38:19 UTC (rev 10241)
+++ control/perl-nocem.in	2018-02-11 14:43:06 UTC (rev 10242)
@@ -63,8 +63,8 @@
     openlog('nocem', '', $INN::Config::syslog_facility);
 }
 
-if (not $INN::Config::gpgv) {
-    logmsg('cannot find the gpgv binary', 'err');
+if (not $INN::Config::gpgv and not $INN::Config::gpg) {
+    logmsg('cannot find the gpgv or gpg binary', 'err');
     sleep 5;
     exit 1;
 }
@@ -286,8 +286,14 @@
     }
     if ($pid == 0) {
         open(STDERR, '>&STDOUT');
-        exec($INN::Config::gpgv, '--status-fd=1',
-            $keyring ? '--keyring=' . $keyring : '', $art);
+        if ($INN::Config::gpg) {
+            exec($INN::Config::gpg, '--status-fd=1',
+                '--verify', '--allow-weak-digest-algos',
+                $keyring ? '--keyring=' . $keyring : '', $art);
+        } else {
+            exec($INN::Config::gpgv, '--status-fd=1',
+                $keyring ? '--keyring=' . $keyring : '', $art);
+        }
         exit 126;
     }
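Review bot: The new gpg branch passes `--keyring` exactly as the gpgv branch does, but for gpg that option is additive: without `--no-default-keyring` the invoking user's own pubring is still searched, so an issuer key that was never placed in $keyring could be accepted from ~/.gnupg, and gpg also reads gpg.conf and may contact an agent or keyserver, which gpgv never does. I would build the command as `exec($INN::Config::gpg, '--batch', '--no-tty', '--no-auto-key-retrieve', '--status-fd=1', '--verify', '--allow-weak-digest-algos', $keyring ? ('--no-default-keyring', '--keyring=' . $keyring) : (), $art);`. That form also drops the empty-string argument the ternary currently passes when no keyring is configured, which with `--verify` would presumably be taken as a positional signature file name. Note as well that the default keyrings differ (gpgv: trustedkeys.gpg, gpg: pubring.gpg or pubring.kbx). The enclosing function starts before this hunk.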
 
@@ -298,7 +304,11 @@
         if ($? >> 8) {
             $status = $? >> 8;
         } else {
-            logmsg("Article $msgid: $INN::Config::gpgv killed by signal " . ($? & 255));
+            if ($INN::Config::gpg) {
+                logmsg("Article $msgid: $INN::Config::gpg killed by signal " . ($? & 255));
+            } else {
+                logmsg("Article $msgid: $INN::Config::gpgv killed by signal " . ($? & 255));
+            }
             return 0;
         }
     }
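Review bot: The only thing the added if/else in this hunk (and the one in the next hunk) decides is which program name to print, so the duplicated logmsg calls can collapse by computing the verifier once where the command is built, `my $verifier = $INN::Config::gpg || $INN::Config::gpgv;`, and logging `logmsg("Article $msgid: $verifier killed by signal " . ($? & 255));`. That keeps the message texts unchanged while leaving a single place to update when options or binaries change. The enclosing function starts before this hunk.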
@@ -322,8 +332,13 @@
         # some other error we don't know about happened.
         # 126 is returned by the child if exec fails.
         s/ at \S+ line \d+\.\n$//; s/\n/_/;
-        logmsg("Article $msgid: $INN::Config::gpgv exited "
-            . (($status == 126) ? "($_)" : "with status $status"), 'err');
+        if ($INN::Config::gpg) {
+            logmsg("Article $msgid: $INN::Config::gpg exited "
+                . (($status == 126) ? "($_)" : "with status $status"), 'err');
+        } else {
+            logmsg("Article $msgid: $INN::Config::gpgv exited "
+                . (($status == 126) ? "($_)" : "with status $status"), 'err');
+        }
     }
     return 0;
 }
@@ -632,6 +647,6 @@
 
 =head1 SEE ALSO
 
-gpgv(1), grephistory(1), inn.conf(5), newsfeeds(5), pgp(1).
+gpg(1), gpgv(1), grephistory(1), inn.conf(5), newsfeeds(5), pgp(1).
 
 =cut

Modified: control/pgpverify.in
===================================================================
--- control/pgpverify.in	2018-02-04 15:38:19 UTC (rev 10241)
+++ control/pgpverify.in	2018-02-11 14:43:06 UTC (rev 10242)
@@ -4,7 +4,7 @@
 #
 # Written April 1996, <tale at isc.org> (David C Lawrence)
 # Currently maintained by Russ Allbery <eagle at eyrie.org>
-# Version 1.29, 2014-04-15
+# Version 1.30, 2018-01-21
 #
 # NOTICE TO INN MAINTAINERS:  The version that is shipped with INN is the
 # same as the version that I make available to the rest of the world
@@ -16,6 +16,11 @@
 # me about it; I want to know what old versions of Perl are still used in
 # practice.
 #
+# Changes from 1.29 -> 1.30
+# -- Support for GnuPG's gpg binary (in addition to gpgv).  Indeed, gpg
+#    still validates signatures made with weak digest algorithms like MD5
+#    whereas current versions of gpgv no longer do.
+#
 # Changes from 1.28 -> 1.29
 # -- Disambiguate numbered lists from description lists in POD to silent
 #    a pod2man warning.
@@ -129,6 +134,12 @@
 # -- Checks to ensure that the temporary file is really a file, and
 #    not a link or some other weirdness.
 
+# Path to the GnuPG gpg binary, if you have GnuPG and don't want to use
+# gpgv.  This will be used in preference to gpgv and PGP.  If you have INN
+# and the script is able to successfully include your INN::Config module,
+# the value of $INN::Config::gpg will override this.
+# $gpg = '/usr/local/bin/gpg';
+
 # Path to the GnuPG gpgv binary, if you have GnuPG.  If you do, this will
 # be used in preference to PGP.  For most current control messages, you
 # need a version of GnuPG that can handle RSA signatures.  If you have INN
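Review bot: The new comment for $gpg does not say what choosing gpg actually changes, and that is the security-relevant part: setting it makes pgpverify pass `--allow-weak-digest-algos`, so MD5-signed control messages are accepted again for every hierarchy, and gpg (unlike gpgv) consults the user's gpg.conf and default keyring. I would add after the first sentence: `# Note that with gpg, pgpverify allows weak digest algorithms such as MD5 so` / `# that hierarchies with old keys still verify; gpg also reads your gpg.conf.` A reader deciding between $gpg and $gpgv needs that trade-off stated here rather than only in the changelog.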
@@ -203,7 +214,7 @@
 require 5;
 
 use strict;
-use vars qw($gpgv $pgp $keyring $tmp $tmpdir $lockdir $syslog_method
+use vars qw($gpg $gpgv $pgp $keyring $tmp $tmpdir $lockdir $syslog_method
             $syslog_facility $syslog_level $log_date $findid $test $messageid);
 
 use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
@@ -225,6 +236,7 @@
 $pgp = $INN::Config::pgp
     if $INN::Config::pgp && $INN::Config::pgp ne "no-pgp-found-during-configure";
 $gpgv = $INN::Config::gpgv if $INN::Config::gpgv;
+$gpg = $INN::Config::gpg if $INN::Config::gpg;
 $tmp = ($INN::Config::pathtmp ? $INN::Config::pathtmp : $tmpdir) . "/pgp$$";
 $lockdir = $INN::Config::locks if $INN::Config::locks;
 $syslog_facility = $INN::Config::syslog_facility if $INN::Config::syslog_facility;
@@ -236,7 +248,11 @@
 $0 =~ s%^.*/%%;
 
 # Make sure that the signature verification program can be executed.
-if ($gpgv) {
+if ($gpg) {
+  if (! -x $gpg) {
+    &fail("$0: $gpg: " . (-e _ ? "cannot execute" : "no such file") . "\n");
+  }
+} elsif ($gpgv) {
   if (! -x $gpgv) {
     &fail("$0: $gpgv: " . (-e _ ? "cannot execute" : "no such file") . "\n");
   }
@@ -259,7 +275,7 @@
 # should, and the consequences of a multiprocess conflict is failure to
 # verify.
 my $lock;
-unless ($gpgv) {
+unless ($gpg or $gpgv) {
   $lock = "$lockdir/LOCK.$0";
   until (&shlock($lock) > 0) {
     sleep(2);
@@ -268,7 +284,7 @@
 
 # Verify the message.
 my ($ok, $signer) = pgp_verify($signature, $version, $message);
-unless ($gpgv) {
+unless ($gpg or $gpgv) {
   unlink ($lock) or &errmsg("$0: unlink $lock: $!\n");
 }
 print "$signer\n" if $signer;
@@ -388,8 +404,8 @@
   # Ignore SIGPIPE, since we're going to be talking to PGP.
   local $SIG{PIPE} = 'IGNORE';
 
-  # Set the PGP style based on whether $gpgv is set.
-  my $pgpstyle = ($gpgv ? 'GPG' : 'PGP2');
+  # Set the PGP style based on whether $gpg or $gpgv is set.
+  my $pgpstyle = ($gpg || $gpgv ? 'GPG' : 'PGP2');
 
   # Because this is a detached signature, we actually need to save both
   # the signature and the data to files and then run PGP on the signature
@@ -439,7 +455,12 @@
   # Figure out what command line we'll be using.
   my @command;
   if ($pgpstyle eq 'GPG') {
-    @command = ($gpgv, qw/--quiet --status-fd=1 --logger-fd=1/);
+    if ($gpg) {
+      @command = ($gpg, qw/--verify --allow-weak-digest-algos/);
+      push (@command, qw/--quiet --status-fd=1 --logger-fd=1/);
+    } else {
+      @command = ($gpgv, qw/--quiet --status-fd=1 --logger-fd=1/);
+    }
   } else {
     @command = ($pgp, '+batchmode', '+language=en');
   }
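Review bot: With gpg the command assembled at the top of this hunk inherits the user's gpg.conf, default keyring and agent/keyserver behaviour, none of which gpgv has, so verification is no longer confined to the keyring pgpverify selects. I would start it as `@command = ($gpg, qw/--batch --no-tty --no-auto-key-retrieve --verify --allow-weak-digest-algos/);` and, wherever pgp_verify appends the `--keyring` option (that code is outside this hunk), add `--no-default-keyring` in the gpg case, because for gpg `--keyring` adds to rather than replaces the default keyring. `--allow-weak-digest-algos` is also unconditional here, so every hierarchy becomes verifiable with an MD5 signature rather than only the ones still using old keys; a site-level switch for it may be worth considering. pgp_verify continues outside this hunk.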
@@ -733,8 +754,8 @@
 the default key ring, which is in a F<.pgp> or F<.gnupg> subdirectory of
 the running user's home directory.
 
-INN, when using GnuPG, configures B<pgpverify> to use B<gpgv>, which by
-default expects keys to be in a keyring named F<trustedkeys.gpg>, since it
+INN, when using GnuPG, configures B<pgpverify> to use B<gpg> or B<gpgv>, which
+by default expects keys to be in a keyring named F<trustedkeys.gpg>, since it
 doesn't implement trust checking directly.  B<pgpverify> uses that file if
 present but falls back to F<pubring.gpg> if it's not found.  This bypasses
 the trust model for checking keys, but is compatible with the way that
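Review bot: The reworded paragraph now attributes gpgv-specific behaviour to gpg as well: only gpgv defaults to a keyring named trustedkeys.gpg and lacks trust checking, whereas gpg defaults to pubring.gpg (pubring.kbx with newer releases) and does implement the trust model. I would split the sentence, keeping the trustedkeys.gpg and "doesn't implement trust checking" statements for gpgv only, and add a sentence saying that with gpg the default keyring is the user's pubring unless pgpverify passes an explicit `--keyring`. As written, an administrator using gpg would look for trustedkeys.gpg and not find where keys are actually read from.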
@@ -801,12 +822,12 @@
 =head1 ENVIRONMENT
 
 B<pgpverify> does not modify or otherwise alter the environment before
-invoking the B<pgp> or B<gpgv> program.  It is the responsibility of the
-person who installs B<pgpverify> to ensure that when B<pgp> or B<gpgv>
-runs, it has the ability to locate and read a PGP key file that contains
-the PGP public keys for the appropriate Usenet hierarchy administrators.
-B<pgpverify> can be pointed to an appropriate key ring by editing
-variables at the beginning of this script.
+invoking the B<pgp>, B<gpgv> or B<gpg> program.  It is the responsibility of
+the person who installs B<pgpverify> to ensure that when B<pgp>, B<gpgv> or
+B<gpg> runs, it has the ability to locate and read a PGP key file that
+contains the PGP public keys for the appropriate Usenet hierarchy
+administrators.  B<pgpverify> can be pointed to an appropriate key ring by
+editing variables at the beginning of this script.
 
 =head1 NOTES
 
@@ -908,7 +929,7 @@
 
 =head1 SEE ALSO
 
-gpgv(1), pgp(1).
+gpg(1), gpgv(1), pgp(1).
 
 L<https://ftp.isc.org/pub/pgpcontrol/> is where the most recent versions of
 B<signcontrol> and B<pgpverify> live, along with PGP public keys used for

Modified: doc/pod/inn.conf.pod
===================================================================
--- doc/pod/inn.conf.pod	2018-02-04 15:38:19 UTC (rev 10241)
+++ doc/pod/inn.conf.pod	2018-02-11 14:43:06 UTC (rev 10242)
@@ -288,10 +288,10 @@
 =item I<pgpverify>
 
 Whether to enable PGP verification of control messages other than cancel.
-This is a boolean value and the default in the F<inn.conf> sample file
-is based on whether configure found pgp, pgpv, pgpgpg, gpgv or gpgv2.
-Note that if the parameter is not present in the configuration file,
-it defaults to false.
+This is a boolean value and the default in the F<inn.conf> sample file is
+based on whether configure found B<pgp>, B<pgpv>, B<pgpgpg>, B<gpgv>,
+B<gpgv1>, B<gpgv2>, B<gpg>, B<gpg1> or B<gpg2>.  Note that if the
+parameter is not present in the configuration file, it defaults to false.
 
 =item I<port>
 

Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod	2018-02-04 15:38:19 UTC (rev 10241)
+++ doc/pod/news.pod	2018-02-11 14:43:06 UTC (rev 10242)
@@ -46,6 +46,19 @@
 
 =item *
 
+Added support for GnuPG's B<gpg> binary (in addition to B<gpgv>)
+in B<pgpverify>.  Indeed, B<gpg> still validates signatures made
+with weak digest algorithms like MD5 whereas B<gpgv> no longer do.
+Thanks to Thomas Hochstein for the patch, which permits to validate
+control articles for hierarchies that are still using old PGP keys.
+
+=item *
+
+Added similar support for GnuPG's B<gpg> binary in B<perl-nocem> to
+validate NoCeM notices from issuers who are still using old PGP keys.
+
+=item *
+
 A few commands listed in the "Control commands to INND" section in
 daily Usenet reports were appearing as a mere letter; all of them are
 now properly converted to meaningful words.

Modified: perl/INN/Config.pm.in
===================================================================
--- perl/INN/Config.pm.in	2018-02-04 15:38:19 UTC (rev 10241)
+++ perl/INN/Config.pm.in	2018-02-11 14:43:06 UTC (rev 10242)
@@ -115,11 +115,12 @@
 
 
 ##  Paths of external used programs.
-my @EXTPROGVAR = qw($awk $egrep $gpgv $perl $pgp $sed
+my @EXTPROGVAR = qw($awk $egrep $gpgv $gpg $perl $pgp $sed
 $sort $getftp $uustat $uux);
 our $awk = '@AWK@';
 our $egrep = '@EGREP@';
 our $gpgv = '@GPGV@';
+our $gpg = '@GPG@';
 our $perl = '@PERL@';
 our $pgp = '@PGP@';
 our $sed = '@SED@';

Modified: scripts/innshellvars.in
===================================================================
--- scripts/innshellvars.in	2018-02-04 15:38:19 UTC (rev 10241)
+++ scripts/innshellvars.in	2018-02-11 14:43:06 UTC (rev 10242)
@@ -79,6 +79,7 @@
 EGREP='@EGREP@'
 PERL='@PERL@'
 GPGV='@GPGV@'
+GPG='@GPG@'
 PGP='@PGP@'
 SORT='@SORT@'
 GETFTP="@PATH_GETFTP@"

Modified: scripts/innshellvars.pl.in
===================================================================
--- scripts/innshellvars.pl.in	2018-02-04 15:38:19 UTC (rev 10241)
+++ scripts/innshellvars.pl.in	2018-02-11 14:43:06 UTC (rev 10242)
@@ -91,6 +91,7 @@
 $egrep = '@EGREP@' ;
 $perl = '@PERL@' ;
 $gpgv = '@GPGV@' ;
+$gpg = '@GPG@' ;
 $pgp = '@PGP@' ;
 $sort = '@SORT@' ;
 $getftp = "@PATH_GETFTP@" ;

Modified: scripts/innshellvars.tcl.in
===================================================================
--- scripts/innshellvars.tcl.in	2018-02-04 15:38:19 UTC (rev 10241)
+++ scripts/innshellvars.tcl.in	2018-02-11 14:43:06 UTC (rev 10242)
@@ -86,6 +86,7 @@
 set inn_egrep "@EGREP@"
 set inn_perl "@PERL@"
 set inn_gpgv "@GPGV@"
+set inn_gpg "@GPG@"
 set inn_pgp "@PGP@"
 set inn_sort "@SORT@"
 set inn_getftp "@PATH_GETFTP@"


