nixpkgs/pkgs/tools/security/gnupg/22.nix
Alyssa Ross ba23c14b84
gnupg: apply default server CA verification patch
See discussion at
https://github.com/NixOS/nixpkgs/pull/63952#issuecomment-507048690.

Upstream commit:

commit 1c9cc97e9d47d73763810dcb4a36b6cdf31a2254
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Sun Jun 30 11:54:35 2019 -0400

    dirmngr: Only use SKS pool CA for SKS pool

    * dirmngr/http.c (http_session_new): when checking whether the
    keyserver is the HKPS pool, check specifically against the pool name,
    as ./configure might have been used to select a different default
    keyserver.  It makes no sense to apply Kristian's certificate
    authority to anything other than the literal host
    hkps.pool.sks-keyservers.net.

    Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
    GnuPG-Bug-Id: 4593
2019-06-30 19:06:17 +00:00

86 lines
3.2 KiB
Nix

{ fetchurl, fetchpatch, stdenv, pkgconfig, libgcrypt, libassuan, libksba
, libgpgerror, libiconv, npth, gettext, texinfo, pcsclite, sqlite
, buildPackages
# Each of the dependencies below are optional.
# Gnupg can be built without them at the cost of reduced functionality.
, pinentry ? null, guiSupport ? true
, adns ? null, gnutls ? null, libusb ? null, openldap ? null
, readline ? null, zlib ? null, bzip2 ? null
}:
with stdenv.lib;
assert guiSupport -> pinentry != null;
stdenv.mkDerivation rec {
name = "gnupg-${version}";
version = "2.2.16";
src = fetchurl {
url = "mirror://gnupg/gnupg/${name}.tar.bz2";
sha256 = "1jqlzp9b3kpfp1dkjqskm67jjrhvf9nh3lzf45321p7m9d2qvgkc";
};
depsBuildBuild = [ buildPackages.stdenv.cc ];
nativeBuildInputs = [ pkgconfig ];
buildInputs = [
libgcrypt libassuan libksba libiconv npth gettext texinfo
readline libusb gnutls adns openldap zlib bzip2 sqlite
];
patches = [
./fix-libusb-include-path.patch
(fetchpatch {
url = https://files.gnupg.net/file/data/qmxjhc6kuja3orybj7st/PHID-FILE-vvzlnw36427pdnug2amc/file;
sha256 = "13snxkmlgmvn0rgxh5k2sgxkp5mbxqiznzm45sw649nvs3ccghq8";
})
];
postPatch = ''
sed -i 's,hkps://hkps.pool.sks-keyservers.net,hkps://keys.openpgp.org,g' \
configure doc/dirmngr.texi doc/gnupg.info-1
'' + stdenv.lib.optionalString stdenv.isLinux ''
sed -i 's,"libpcsclite\.so[^"]*","${stdenv.lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c
''; #" fix Emacs syntax highlighting :-(
pinentryBinaryPath = pinentry.binaryPath or "bin/pinentry";
configureFlags = [
"--with-libgpg-error-prefix=${libgpgerror.dev}"
"--with-libgcrypt-prefix=${libgcrypt.dev}"
"--with-libassuan-prefix=${libassuan.dev}"
"--with-ksba-prefix=${libksba.dev}"
"--with-npth-prefix=${npth}"
] ++ optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentryBinaryPath}";
postInstall = ''
mkdir -p $out/lib/systemd/user
for f in doc/examples/systemd-user/*.{service,socket} ; do
substitute $f $out/lib/systemd/user/$(basename $f) \
--replace /usr/bin $out/bin
done
# add gpg2 symlink to make sure git does not break when signing commits
ln -s $out/bin/gpg $out/bin/gpg2
'';
meta = with stdenv.lib; {
homepage = https://gnupg.org;
description = "Modern (2.1) release of the GNU Privacy Guard, a GPL OpenPGP implementation";
license = licenses.gpl3Plus;
longDescription = ''
The GNU Privacy Guard is the GNU project's complete and free
implementation of the OpenPGP standard as defined by RFC4880. GnuPG
"modern" (2.1) is the latest development with a lot of new features.
GnuPG allows to encrypt and sign your data and communication, features a
versatile key management system as well as access modules for all kind of
public key directories. GnuPG, also known as GPG, is a command line tool
with features for easy integration with other applications. A wealth of
frontend applications and libraries are available. Version 2 of GnuPG
also provides support for S/MIME.
'';
maintainers = with maintainers; [ peti fpletz vrthra ];
platforms = platforms.all;
};
}