From owner-svn-ports-all@freebsd.org Mon Feb 25 14:43:28 2019
Message-Id: <201902251443.x1PEhN1F000850@repo.freebsd.org>
From: Vinícius Zavam <egypcio@FreeBSD.org>
Date: Mon, 25 Feb 2019 14:43:23 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r493870 - in head/security/monkeysphere: . files

Author: egypcio
Date: Mon Feb 25 14:43:23 2019
New Revision: 493870
URL: https://svnweb.freebsd.org/changeset/ports/493870

Log:
  security/monkeysphere: update 0.41 to 0.42

  - Makefile
    adopt the port; pet portlint; remove comment about 'applying patches'
    on the post-patch stage; unmute post-patch.

  - files/*
    patch src/share/mh/revoke_keys, to use gpg2; move patch-gpg2 (410 lines),
    and split it to have separated patches; regen all patches using makepatch.
Approved by:	rene (mentor)
Differential Revision:	https://reviews.freebsd.org/D18871

Added:
  head/security/monkeysphere/files/patch-examples_make-x509-certreqs   (contents, props changed)
  head/security/monkeysphere/files/patch-examples_monkeysphere-monitor-keys   (contents, props changed)
  head/security/monkeysphere/files/patch-src_monkeysphere   (contents, props changed)
  head/security/monkeysphere/files/patch-src_monkeysphere-authentication   (contents, props changed)
  head/security/monkeysphere/files/patch-src_monkeysphere-host   (contents, props changed)
  head/security/monkeysphere/files/patch-src_share_common   (contents, props changed)
  head/security/monkeysphere/files/patch-src_share_keytrans   (contents, props changed)
  head/security/monkeysphere/files/patch-src_share_m_gen__subkey   (contents, props changed)
  head/security/monkeysphere/files/patch-src_share_m_ssh__proxycommand   (contents, props changed)
  head/security/monkeysphere/files/patch-src_share_m_subkey__to__ssh__agent   (contents, props changed)
  head/security/monkeysphere/files/patch-src_share_mh_add__revoker   (contents, props changed)
  head/security/monkeysphere/files/patch-src_share_mh_publish__key   (contents, props changed)
  head/security/monkeysphere/files/patch-src_share_mh_revoke__key   (contents, props changed)
  head/security/monkeysphere/files/patch-src_transitions_0.23   (contents, props changed)
Deleted:
  head/security/monkeysphere/files/patch-gpg2
Modified:
  head/security/monkeysphere/Makefile
  head/security/monkeysphere/distinfo
  head/security/monkeysphere/pkg-deinstall

Modified: head/security/monkeysphere/Makefile
==============================================================================
--- head/security/monkeysphere/Makefile	Mon Feb 25 14:39:01 2019	(r493869)
+++ head/security/monkeysphere/Makefile	Mon Feb 25 14:43:23 2019	(r493870)
@@ -2,13 +2,12 @@ # $FreeBSD$ PORTNAME= monkeysphere -PORTVERSION= 0.41 +PORTVERSION= 0.42 CATEGORIES= security MASTER_SITES= http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/ -# hack for debian orig tarballs DISTFILES= ${PORTNAME}_${DISTVERSION}.orig${EXTRACT_SUFX} -MAINTAINER= ports@FreeBSD.org +MAINTAINER= egypcio@FreeBSD.org COMMENT= Use the OpenPGP web of trust to verify ssh connections LICENSE= GPLv3 @@ -23,6 +22,7 @@ RUN_DEPENDS= gpg2:security/gnupg \ p5-Digest-SHA1>=0:security/p5-Digest-SHA1 USES= gmake shebangfix + SHEBANG_FILES= src/share/checkperms src/transitions/0.23 \ src/transitions/0.28 src/share/keytrans @@ -33,7 +33,6 @@ MAKE_ARGS+= ETCPREFIX=${PREFIX} MANPREFIX=${PREFIX}/ma OPTIONS_DEFINE= DOCS -# use proper system paths for FreeBSD instead of debian's: post-patch: @${REINPLACE_CMD} -i '' 's|/etc/monkeysphere|${PREFIX}/etc/monkeysphere|g' \ ${WRKSRC}/src/share/defaultenv \ Modified: head/security/monkeysphere/distinfo ============================================================================== --- head/security/monkeysphere/distinfo Mon Feb 25 14:39:01 2019 (r493869) +++ head/security/monkeysphere/distinfo Mon Feb 25 14:43:23 2019 (r493870) @@ -1,3 +1,3 @@ -TIMESTAMP = 1482302762 -SHA256 (monkeysphere_0.41.orig.tar.gz) = 911a2f1622ddb81151b0f41cf569ccf2154d10a09b2f446dbe98fac7279fe74b -SIZE (monkeysphere_0.41.orig.tar.gz) = 109040 +TIMESTAMP = 1547723173 +SHA256 (monkeysphere_0.42.orig.tar.gz) = c1c956b1c86aaa44134fc1a9d75f5aef61266e3a9d8a6218b45d6c54bb7c58c1 +SIZE (monkeysphere_0.42.orig.tar.gz) = 110415 Added: head/security/monkeysphere/files/patch-examples_make-x509-certreqs ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/monkeysphere/files/patch-examples_make-x509-certreqs Mon Feb 25 14:43:23 2019 (r493870) 
@@ -0,0 +1,34 @@ +--- examples/make-x509-certreqs.orig 2018-10-16 16:24:55 UTC ++++ examples/make-x509-certreqs +@@ -69,12 +69,12 @@ EOF + gencertreq() { + keyid="$1" + +- timestamp=$(gpg --fixed-list-mode --with-colons --list-keys "0x$keyid!" | grep ^pub: | cut -f6 -d:) ++ timestamp=$(gpg2 --fixed-list-mode --with-colons --list-keys "0x$keyid!" | grep ^pub: | cut -f6 -d:) + + san='' + primary='' + # find all the $proto-using User IDs: +- uids=$(gpg --fixed-list-mode --with-colons --list-keys "0x$keyid!" | \ ++ uids=$(gpg2 --fixed-list-mode --with-colons --list-keys "0x$keyid!" | \ + grep '^uid:' | cut -f10 -d: | \ + grep '^'"${proto}"'\\x3a//' | \ + sed -r -e 's!^'"${proto}"'\\x3a//!!' -e 's!:[0-9]+$!!') +@@ -83,7 +83,7 @@ gencertreq() { + printf "Certificate Request for TLS WWW server %s\n[OpenPGP key %s]\n" "$primary" "$keyid" + openssl req -text -new \ + -config <(get_openssl_config "$timestamp" "$uids") \ +- -key <(gpg --export-secret-key "$keyid" | openpgp2ssh "$keyid") \ ++ -key <(gpg2 --export-secret-key "$keyid" | openpgp2ssh "$keyid") \ + -subj "/CN=${primary}/" + } + +@@ -92,6 +92,6 @@ export GNUPGHOME=/var/lib/monkeysphere/host + # default to looking for https keys. + proto="${1:-https}" + +-for fpr in $(gpg --fixed-list-mode --with-colons --fingerprint --list-secret-keys "${proto}://" | awk -F: '/^fpr:/{ if (ok) { print $10 } ; ok=0 } /^sec:/{ ok=1 }'); do ++for fpr in $(gpg2 --fixed-list-mode --with-colons --fingerprint --list-secret-keys "${proto}://" | awk -F: '/^fpr:/{ if (ok) { print $10 } ; ok=0 } /^sec:/{ ok=1 }'); do + gencertreq "$fpr" + done Added: head/security/monkeysphere/files/patch-examples_monkeysphere-monitor-keys ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/monkeysphere/files/patch-examples_monkeysphere-monitor-keys Mon Feb 25 14:43:23 2019 (r493870) 
@@ -0,0 +1,11 @@ +--- examples/monkeysphere-monitor-keys.orig 2018-10-16 16:24:55 UTC ++++ examples/monkeysphere-monitor-keys +@@ -31,7 +31,7 @@ + + # FIXME: does this handle revocations and re-keying? if a sysadmin + # switches over to this arrangement, how will the system check for +-# revocations? Scheduling a simple gpg --refresh should handle ++# revocations? Scheduling a simple gpg2 --refresh should handle + # revocations. I'm not sure how to best handle re-keyings. + + use strict; Added: head/security/monkeysphere/files/patch-src_monkeysphere ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/monkeysphere/files/patch-src_monkeysphere Mon Feb 25 14:43:23 2019 (r493870) @@ -0,0 +1,20 @@ +--- src/monkeysphere.orig 2018-10-16 16:24:55 UTC ++++ src/monkeysphere +@@ -62,7 +62,7 @@ EOF + + # user gpg command to define common options + gpg_user() { +- LC_ALL=C "${GPG:-gpg}" --fixed-list-mode --no-greeting --quiet --no-tty "$@" ++ LC_ALL=C "${GPG:-gpg2}" --fixed-list-mode --no-greeting --quiet --no-tty "$@" + } + + # output the ssh fingerprint of a gpg key +@@ -92,7 +92,7 @@ check_gpg_sec_key_id() { + case $(echo "$gpgSecOut" | grep -c '^sec:') in + 0) + failure "No secret keys found. Create an OpenPGP key with the following command: +- gpg --gen-key" ++ gpg2 --gen-key" + ;; + 1) + echo "$gpgSecOut" | cut -d: -f5 Added: head/security/monkeysphere/files/patch-src_monkeysphere-authentication ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/monkeysphere/files/patch-src_monkeysphere-authentication Mon Feb 25 14:43:23 2019 (r493870) 
@@ -0,0 +1,20 @@ +--- src/monkeysphere-authentication.orig 2018-10-16 16:24:55 UTC ++++ src/monkeysphere-authentication +@@ -73,7 +73,7 @@ gpg_core() { + GNUPGHOME="$GNUPGHOME_CORE" + export GNUPGHOME + +- gpg --fixed-list-mode --no-greeting --quiet --no-tty "$@" ++ gpg2 --fixed-list-mode --no-greeting --quiet --no-tty "$@" + } + + # function to interact with the gpg sphere keyring +@@ -81,7 +81,7 @@ gpg_sphere() { + GNUPGHOME="$GNUPGHOME_SPHERE" + export GNUPGHOME + +- su_monkeysphere_user gpg --fixed-list-mode --no-greeting --quiet --no-tty "$@" ++ su_monkeysphere_user gpg2 --fixed-list-mode --no-greeting --quiet --no-tty "$@" + } + + check_openpgp2ssh_sanity() { Added: head/security/monkeysphere/files/patch-src_monkeysphere-host ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/monkeysphere/files/patch-src_monkeysphere-host Mon Feb 25 14:43:23 2019 (r493870) 
@@ -0,0 +1,49 @@ +--- src/monkeysphere-host.orig 2018-10-16 16:24:55 UTC ++++ src/monkeysphere-host +@@ -71,7 +71,7 @@ EOF + + # function to interact with the gpg keyring + gpg_host() { +- GNUPGHOME="$GNUPGHOME_HOST" LC_ALL=C gpg --no-auto-check-trustdb --trust-model=always --no-greeting --quiet --no-tty --fixed-list-mode "$@" ++ GNUPGHOME="$GNUPGHOME_HOST" LC_ALL=C gpg2 --no-auto-check-trustdb --trust-model=always --no-greeting --quiet --no-tty --fixed-list-mode "$@" + } + + # list the info about the a key, in colon format, to stdout +@@ -297,10 +297,10 @@ show_key() { + trap cleanup EXIT + + # import the host key into the tmp dir +- gpg --quiet --import <"$HOST_KEY_FILE" ++ gpg2 --quiet --import <"$HOST_KEY_FILE" + + # get the gpg fingerprint +- if gpg --quiet --list-keys \ ++ if gpg2 --quiet --list-keys \ + --with-colons --with-fingerprint "$id" \ + | awk -F: '/^fpr:/{ if (ok) { print $10 } ; ok=0 } /^pub:/{ ok=1 }' > "$GNUPGHOME"/fingerprint ; then + fingerprint=$(cat "$GNUPGHOME"/fingerprint) +@@ -311,13 +311,13 @@ show_key() { + # list the host key info + # FIXME: make no-show-keyring work so we don't have to do the grep'ing + # FIXME: can we show uid validity somehow? 
+- gpg --list-keys --list-options show-unusable-uids "$fingerprint" 2>/dev/null \ ++ gpg2 --list-keys --list-options show-unusable-uids "$fingerprint" 2>/dev/null \ + | egrep -v "^${GNUPGHOME}/pubring.(gpg|kbx)$" \ + | egrep -v '^-+$' \ + | grep -v '^$' + + # list revokers, if there are any +- revokers=$(gpg --list-keys --with-colons --fixed-list-mode "$fingerprint" \ ++ revokers=$(gpg2 --list-keys --with-colons --fixed-list-mode "$fingerprint" \ + | awk -F: '/^rvk:/{ print $10 }' ) + if [ "$revokers" ] ; then + echo "The following keys are allowed to revoke this host key:" +@@ -331,7 +331,7 @@ show_key() { + + # list the ssh fingerprint + printf "ssh fingerprint: %s\n" \ +- "$(gpg --export --no-armor "$fingerprint" 2>/dev/null | "$SYSSHAREDIR/keytrans" openpgp2sshfpr "$fingerprint")" ++ "$(gpg2 --export --no-armor "$fingerprint" 2>/dev/null | "$SYSSHAREDIR/keytrans" openpgp2sshfpr "$fingerprint")" + + # remove the tmp file + trap - EXIT Added: head/security/monkeysphere/files/patch-src_share_common ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/monkeysphere/files/patch-src_share_common Mon Feb 25 14:43:23 2019 (r493870) 
@@ -0,0 +1,69 @@ +--- src/share/common.orig 2018-10-16 16:24:55 UTC ++++ src/share/common +@@ -495,7 +495,7 @@ gpg2ssh() { + + keyID="$1" + +- gpg --export --no-armor "$keyID" | openpgp2ssh "$keyID" 2>/dev/null ++ gpg2 --export --no-armor "$keyID" | openpgp2ssh "$keyID" 2>/dev/null + } + + # output known_hosts line from ssh key +@@ -601,7 +601,7 @@ gpg2authorized_keys() { + + # script to determine if gpg version is equal to or greater than specified version + is_gpg_version_greater_equal() { +- local gpgVersion=$(gpg --version | head -1 | awk '{ print $3 }') ++ local gpgVersion=$(gpg2 --version | head -1 | awk '{ print $3 }') + local latest=$(printf '%s\n%s\n' "$1" "$gpgVersion" \ + | tr '.' ' ' | sort -g -k1 -k2 -k3 \ + | tail -1 | tr ' ' '.') +@@ -622,7 +622,7 @@ gpg_fetch_userid() { + + log verbose " checking keyserver $KEYSERVER... " + foundkeyids="$(echo | \ +- gpg --quiet --batch --with-colons \ ++ gpg2 --quiet --batch --with-colons \ + --command-fd 0 --keyserver "$KEYSERVER" \ + --search ="$userID" 2>/dev/null)" + returnCode="$?" +@@ -637,7 +637,7 @@ $foundkeyids + foundkeyids="$(printf "%s" "$foundkeyids" | grep '^pub:' | cut -f2 -d: | sed 's/^/0x/')" + log verbose " Found keyids on keyserver: $(printf "%s" "$foundkeyids" | tr '\n' ' ')" + if [ -n "$foundkeyids" ]; then +- echo | gpg --quiet --batch --with-colons \ ++ echo | gpg2 --quiet --batch --with-colons \ + --command-fd 0 --keyserver "$KEYSERVER" \ + --recv-keys $foundkeyids &>/dev/null + returnCode="$?" +@@ -693,7 +693,7 @@ process_user_id() { + gpg_fetch_userid "$userID" + + # output gpg info for (exact) userid and store +- gpgOut=$(gpg --list-key --fixed-list-mode --with-colons \ ++ gpgOut=$(gpg2 --list-key --fixed-list-mode --with-colons \ + --with-fingerprint --with-fingerprint \ + ="$userID" 2>/dev/null) || returnCode="$?" 
+ +@@ -962,8 +962,8 @@ list_primary_fingerprints() { + rm -rf "$fake" + } + trap cleanup EXIT +- GNUPGHOME="$fake" gpg --no-tty --quiet --import --ignore-time-conflict 2>/dev/null +- GNUPGHOME="$fake" gpg --with-colons --fingerprint --list-keys | \ ++ GNUPGHOME="$fake" gpg2 --no-tty --quiet --import --ignore-time-conflict 2>/dev/null ++ GNUPGHOME="$fake" gpg2 --with-colons --fingerprint --list-keys | \ + awk -F: '/^fpr:/{ if (ok) { print $10 } ; ok=0 } /^pub:/{ ok=1 }' + trap - EXIT + cleanup +@@ -981,8 +981,8 @@ get_cert_info() { + fi + rm -rf "$fake" + } +- GNUPGHOME="$fake" gpg --no-tty --quiet --import --ignore-time-conflict 2>/dev/null +- GNUPGHOME="$fake" gpg --with-colons --fingerprint --fixed-list-mode --list-keys "$1" ++ GNUPGHOME="$fake" gpg2 --no-tty --quiet --import --ignore-time-conflict 2>/dev/null ++ GNUPGHOME="$fake" gpg2 --with-colons --fingerprint --fixed-list-mode --list-keys "$1" + trap - EXIT + cleanup + } Added: head/security/monkeysphere/files/patch-src_share_keytrans ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/monkeysphere/files/patch-src_share_keytrans Mon Feb 25 14:43:23 2019 (r493870) @@ -0,0 +1,20 @@ +--- src/share/keytrans.orig 2019-01-17 11:12:48 UTC ++++ src/share/keytrans +@@ -20,7 +20,7 @@ + + # Usage: + +-# pem2openpgp 'ssh://'$(hostname -f) < /etc/ssh/ssh_host_rsa_key | gpg --import ++# pem2openpgp 'ssh://'$(hostname -f) < /etc/ssh/ssh_host_rsa_key | gpg2 --import + + + +@@ -35,7 +35,7 @@ + + # Example usage: + +-# gpg --export-secret-subkeys --export-options export-reset-subkey-passwd $KEYID | \ ++# gpg2 --export-secret-subkeys --export-options export-reset-subkey-passwd $KEYID | \ + # openpgp2ssh $KEYID | ssh-add /dev/stdin + + Added: head/security/monkeysphere/files/patch-src_share_m_gen__subkey ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/monkeysphere/files/patch-src_share_m_gen__subkey Mon Feb 25 14:43:23 2019 (r493870) @@ -0,0 +1,11 @@ +--- src/share/m/gen_subkey.orig 2018-10-16 16:24:55 UTC ++++ src/share/m/gen_subkey +@@ -46,7 +46,7 @@ Type '$PGRM help' for usage." + + # determine which keyType to use from gpg version + keyType=7 +- case $(gpg --version | head -1 | awk '{ print $3 }' | cut -d. -f1) in ++ case $(gpg2 --version | head -1 | awk '{ print $3 }' | cut -d. -f1) in + 1) + if is_gpg_version_greater_equal 1.4.10 ; then + keyType=8 Added: head/security/monkeysphere/files/patch-src_share_m_ssh__proxycommand ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/monkeysphere/files/patch-src_share_m_ssh__proxycommand Mon Feb 25 14:43:23 2019 (r493870) @@ -0,0 +1,11 @@ +--- src/share/m/ssh_proxycommand.orig 2018-10-16 16:24:55 UTC ++++ src/share/m/ssh_proxycommand +@@ -301,7 +301,7 @@ EOF + + log info <&2 +@@ -104,7 +104,7 @@ EOF + + # export the new key to the host keyring + log debug "loading revoker key into host keyring..." +- su_monkeysphere_user "GNUPGHOME=$tmpDir" gpg --quiet --export "0x${fingerprint}!" \ ++ su_monkeysphere_user "GNUPGHOME=$tmpDir" gpg2 --quiet --export "0x${fingerprint}!" \ + | gpg_host --import + fi + Added: head/security/monkeysphere/files/patch-src_share_mh_publish__key ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/monkeysphere/files/patch-src_share_mh_publish__key Mon Feb 25 14:43:23 2019 (r493870) 
@@ -0,0 +1,20 @@ +--- src/share/mh/publish_key.orig 2018-10-16 16:24:55 UTC ++++ src/share/mh/publish_key +@@ -46,7 +46,7 @@ trap cleanup EXIT + + # import the key into the tmp dir + su_monkeysphere_user \ +- gpg --quiet --import <"$HOST_KEY_FILE" ++ gpg2 --quiet --import <"$HOST_KEY_FILE" + + ANCHORFILE="" + for anchorfile in "${SYSCONFIGDIR}/monkeysphere-host-x509-anchors.crt" "${SYSCONFIGDIR}/monkeysphere-x509-anchors.crt"; do +@@ -59,7 +59,7 @@ done + # publish key + log debug "publishing key with the following gpg command line and options:" + su_monkeysphere_user \ +- gpg --keyserver "$KEYSERVER" ${ANCHORFILE:+--keyserver-options "ca-cert-file=$ANCHORFILE"} --send-keys "0x${keyID}!" ++ gpg2 --keyserver "$KEYSERVER" ${ANCHORFILE:+--keyserver-options "ca-cert-file=$ANCHORFILE"} --send-keys "0x${keyID}!" + + # remove the tmp file + trap - EXIT Added: head/security/monkeysphere/files/patch-src_share_mh_revoke__key ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/monkeysphere/files/patch-src_share_mh_revoke__key Mon Feb 25 14:43:23 2019 (r493870) 
@@ -0,0 +1,29 @@ +--- src/share/mh/revoke_key.orig 2018-10-16 16:24:55 UTC ++++ src/share/mh/revoke_key +@@ -72,11 +72,11 @@ y + else + # note: we're not using the gpg_host function because we actually + # want to use gpg's UI in this case, so we want to omit --no-tty +- revcert=$(GNUPGHOME="$GNUPGHOME_HOST" gpg --no-greeting --quiet --armor --gen-revoke "0x${keyID}!") \ ++ revcert=$(GNUPGHOME="$GNUPGHOME_HOST" gpg2 --no-greeting --quiet --armor --gen-revoke "0x${keyID}!") \ + || failure "Failed to generate revocation certificate!" + fi + +- # if you run gpg --gen-revoke but cancel it or quit in the middle, ++ # if you run gpg2 --gen-revoke but cancel it or quit in the middle, + # it returns success, but emits no revocation certificate: + if ! [ "$revcert" ] ; then + failure "Revocation canceled." +@@ -94,9 +94,9 @@ y + printf "Not publishing.\n" >&2 + else + local newhome=$(msmktempdir) +- GNUPGHOME="$newhome" gpg --no-tty --quiet --import < "$HOST_KEY_FILE" +- GNUPGHOME="$newhome" gpg --no-tty --quiet --import <<< "$revcert" +- GNUPGHOME="$newhome" gpg --keyserver "$KEYSERVER" --send-keys "0x${keyID}!" ++ GNUPGHOME="$newhome" gpg2 --no-tty --quiet --import < "$HOST_KEY_FILE" ++ GNUPGHOME="$newhome" gpg2 --no-tty --quiet --import <<< "$revcert" ++ GNUPGHOME="$newhome" gpg2 --keyserver "$KEYSERVER" --send-keys "0x${keyID}!" + rm -rf "$newhome" + fi + fi Added: head/security/monkeysphere/files/patch-src_transitions_0.23 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/monkeysphere/files/patch-src_transitions_0.23 Mon Feb 25 14:43:23 2019 (r493870) 
@@ -0,0 +1,67 @@ +--- src/transitions/0.23.orig 2019-01-17 11:12:48 UTC ++++ src/transitions/0.23 +@@ -72,7 +72,7 @@ if [ -d "$SYSDATADIR"/gnupg-host ] ; then + # get the old host keygrip (don't know why there would be more + # than one, but we'll transfer all tsigs made by any key that + # had been given ultimate ownertrust): +- for authgrip in $(GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --quiet --no-tty --no-permission-warning --export-ownertrust | \ ++ for authgrip in $(GNUPGHOME="$SYSDATADIR"/gnupg-host gpg2 --quiet --no-tty --no-permission-warning --export-ownertrust | \ + grep ':6:$' | \ + sed -r 's/^[A-F0-9]{24}([A-F0-9]{16}):6:$/\1/') ; do + +@@ -88,7 +88,7 @@ if [ -d "$SYSDATADIR"/gnupg-host ] ; then + # one of those certifications (even if later + # certifications had different parameters). + +- GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --quiet --no-tty --no-permission-warning --fingerprint --with-colons --fixed-list-mode --check-sigs | \ ++ GNUPGHOME="$SYSDATADIR"/gnupg-host gpg2 --quiet --no-tty --no-permission-warning --fingerprint --with-colons --fixed-list-mode --check-sigs | \ + cut -f 1,2,5,8,9,10 -d: | \ + egrep '^(fpr:::::|sig:!:'"$authgrip"':[[:digit:]]+ [[:digit:]]+:)' | \ + while IFS=: read -r type validity grip trustparams trustdomain fpr ; do +@@ -130,7 +130,7 @@ if [ -d "$SYSDATADIR"/gnupg-host ] ; then + + CERTKEY=$(mktemp ${TMPDIR:-/tmp}/mstransition.XXXXXXXX) + log "Adding identity certifier with fingerprint %s\n" "$keyfpr" +- GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --quiet --no-tty --no-permission-warning --export "0x$keyfpr" --export-options export-clean >"$CERTKEY" ++ GNUPGHOME="$SYSDATADIR"/gnupg-host gpg2 --quiet --no-tty --no-permission-warning --export "0x$keyfpr" --export-options export-clean >"$CERTKEY" + MONKEYSPHERE_PROMPT=false monkeysphere-authentication add-identity-certifier $finaldomain --trust "$truststring" --depth "$trustdepth" "$CERTKEY" + rm -f "$CERTKEY" + # clear the fingerprint so that we don't +@@ -150,9 +150,9 @@ if [ 
-d "$SYSDATADIR"/gnupg-host ] ; then + log "Not transferring host key info because host directory already exists.\n" + else + if [ -s "$SYSDATADIR"/ssh_host_rsa_key ] || \ +- GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --quiet --no-tty --no-permission-warning --with-colons --list-secret-keys | grep -q '^sec:' ; then ++ GNUPGHOME="$SYSDATADIR"/gnupg-host gpg2 --quiet --no-tty --no-permission-warning --with-colons --list-secret-keys | grep -q '^sec:' ; then + +- FPR=$(GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --quiet --no-tty --no-permission-warning --with-colons --fixed-list-mode --list-secret-keys --fingerprint | awk -F: '/^fpr:/{ print $10 }' ) ++ FPR=$(GNUPGHOME="$SYSDATADIR"/gnupg-host gpg2 --quiet --no-tty --no-permission-warning --with-colons --fixed-list-mode --list-secret-keys --fingerprint | awk -F: '/^fpr:/{ print $10 }' ) + + # create host home + mkdir -p $(dirname "$MHDATADIR") +@@ -169,12 +169,12 @@ if [ -d "$SYSDATADIR"/gnupg-host ] ; then + # FIXME: if all self-sigs are expired, then the secret key import may + # fail anyway. How should we deal with that? + +- if (GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --quiet --no-tty --no-permission-warning --export-secret-keys && \ +- GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --quiet --no-tty --no-permission-warning --export "$FPR") | \ +- GNUPGHOME="$NEWDATADIR" gpg --quiet --no-tty --import ; then ++ if (GNUPGHOME="$SYSDATADIR"/gnupg-host gpg2 --quiet --no-tty --no-permission-warning --export-secret-keys && \ ++ GNUPGHOME="$SYSDATADIR"/gnupg-host gpg2 --quiet --no-tty --no-permission-warning --export "$FPR") | \ ++ GNUPGHOME="$NEWDATADIR" gpg2 --quiet --no-tty --import ; then + : we are in good shape! + else +- if ! GNUPGHOME="$NEWDATADIR" gpg --quiet --no-tty --list-secret-key >/dev/null ; then ++ if ! 
GNUPGHOME="$NEWDATADIR" gpg2 --quiet --no-tty --list-secret-key >/dev/null ; then + log "The old host key (%s) was not imported properly.\n" "$FPR" + exit 1 + fi +@@ -204,7 +204,7 @@ fi + if [ -d "${SYSDATADIR}/gnupg-authentication" ] ; then + + GNUPGHOME="${SYSDATADIR}/gnupg-authentication" \ +- gpg --quiet --no-tty --no-permission-warning --export 2>/dev/null | \ ++ gpg2 --quiet --no-tty --no-permission-warning --export 2>/dev/null | \ + monkeysphere-authentication gpg-cmd --import 2>/dev/null || \ + log "No OpenPGP certificates imported into monkeysphere-authentication trust sphere.\n" + Modified: head/security/monkeysphere/pkg-deinstall ============================================================================== --- head/security/monkeysphere/pkg-deinstall Mon Feb 25 14:39:01 2019 (r493869) +++ head/security/monkeysphere/pkg-deinstall Mon Feb 25 14:43:23 2019 (r493870) @@ -1,26 +1,19 @@ #!/bin/sh - -# a package removal script for monkeysphere (borrowing from +# +# A package removal script for monkeysphere (borrowed from # monkeysphere's debian/monkeysphere.postrm) - -# Author: Daniel Kahn Gillmor +# +# Original Author: Daniel Kahn Gillmor # Copyright 2008,2009 -# FIXME: is /var/monkeysphere the right place for this stuff on -# FreeBSD? -VARLIB="/var/monkeysphere" +# monkeysphere's home dir (via UIDs) +MSHD="/var/monkeysphere" - case $2 in POST-DEINSTALL) - USER=monkeysphere -# FIXME: This doesn't do anything! Under what circumstances do we -# want to actually automatically purge all of /var/monkeysphere? - -# (note: FreeBSD does not seem to want the package-specific user to be -# purged at package removal) - if [ -d "$VARLIB" ] ; then - echo "Warning: You may want to remove monkeysphere's cached authentication data and keyrings in $VARLIB" - fi + USER=monkeysphere + if [ -d "$MSHD" ] ; then + echo "Warning: You may want to remove ${USER}'s cached authentication data and keyrings in $MSHD" + fi ;; esac
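Review bot: in the Makefile hunk `@@ -2,13 +2,12 @@`, deleting `# hack for debian orig tarballs` removes the only explanation of why DISTFILES is overridden with `${PORTNAME}_${DISTVERSION}.orig${EXTRACT_SUFX}`, and the commit log only mentions removing the post-patch comment, not this one. Keep a one-line comment above DISTFILES saying the upstream archive ships Debian-style .orig tarballs, so the next maintainer does not "fix" the filename back to the default.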
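Review bot: in the Makefile hunk `@@ -33,7 +33,6 @@` the log's "unmute post-patch" is not visible: the surviving context line still reads `@${REINPLACE_CMD} -i '' 's|/etc/monkeysphere|${PREFIX}/etc/monkeysphere|g' \`, so the `@` silencer is either still there or removed outside this hunk; please reconcile the log with the diff. The deleted line `# use proper system paths for FreeBSD instead of debian's:` was the documentation for why /etc/monkeysphere is rewritten to ${PREFIX}/etc/monkeysphere, and is worth keeping.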
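Review bot: the distinfo hunk is the port's only integrity check on a tarball that MASTER_SITES fetches over plain http from archive.monkeysphere.info, so please state in the commit how the new SHA256 (`c1c956b1…58c1`, SIZE 110415) was cross-checked against upstream's signature or the Debian .dsc rather than only regenerated with `make makesum`, which would bless a tampered download just as readily. TIMESTAMP 1547723173 (2019-01-17) matches the 2019-01-17 `.orig` dates on patch-src_share_keytrans and patch-src_transitions_0.23 (both SHEBANG_FILES), so the patches were regenerated against this tarball.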
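Review bot: in patch-examples_make-x509-certreqs hunk `@@ -92,6 +92,6 @@` the unchanged context `export GNUPGHOME=/var/lib/monkeysphere/host` is the Debian data directory, while the FreeBSD side of this port uses /var/monkeysphere (MSHD in pkg-deinstall), so after the gpg→gpg2 swap this example still looks for the host keyring in the wrong place. Unless the truncated post-patch REINPLACE list already rewrites /var/lib/monkeysphere, fix the path in the same patch.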
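Review bot: patch-examples_monkeysphere-monitor-keys only edits a FIXME comment in a Perl example (`gpg --refresh` → `gpg2 --refresh`) and changes no executed code; it is harmless, but a separate patch file that exists only to reword a comment has to be regenerated on every upstream release for no functional gain. Consider dropping it.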
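Review bot: in patch-src_monkeysphere hunk `@@ -62,7 +62,7 @@`, `"${GPG:-gpg2}"` is the right shape, since it only changes the default and keeps the `GPG` environment override. The other patches in this commit hard-code `gpg2` instead (gpg_core and gpg_sphere in monkeysphere-authentication, gpg_host in monkeysphere-host, gpg2ssh and the keyserver calls in common); using the same `${GPG:-gpg2}` form everywhere would keep the binary choice in one place and make several of these patches a one-liner.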
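Review bot: in patch-src_monkeysphere-authentication hunk `@@ -81,7 +81,7 @@`, `su_monkeysphere_user gpg2 --fixed-list-mode ...` resolves gpg2 through the monkeysphere user's PATH, not the caller's; if su_monkeysphere_user resets the environment, ${LOCALBASE}/bin has to be on that user's PATH or every sphere-keyring call fails at runtime rather than at build time. Please test an operation that goes through gpg_sphere as the unprivileged user, or substitute an absolute path in post-patch.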
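Review bot: in patch-src_monkeysphere-host hunk `@@ -297,10 +297,10 @@`, `gpg2 --quiet --import <"$HOST_KEY_FILE"` into the temporary GNUPGHOME can leave a gpg-agent running with its socket under that directory (GnuPG 2.1+ talks to the agent on import); the `trap cleanup EXIT` that removes the directory should also run `gpgconf --kill gpg-agent` with the same GNUPGHOME, otherwise each show-key leaves an orphaned agent behind. The same applies to the `$fake` homedirs in list_primary_fingerprints and get_cert_info (patch-src_share_common) and to `$newhome` in revoke_key. The `egrep -v "^${GNUPGHOME}/pubring.(gpg|kbx)$"` context already anticipates the keybox format, which is good.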
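Review bot: in patch-src_share_keytrans hunk `@@ -35,7 +35,7 @@` the usage comment now documents `gpg2 --export-secret-subkeys --export-options export-reset-subkey-passwd $KEYID | openpgp2ssh $KEYID | ssh-add /dev/stdin`; please verify that `export-reset-subkey-passwd` is still accepted by the GnuPG version security/gnupg installs before advertising it as a gpg2 invocation, since secret-key export in 2.1+ goes through gpg-agent and several 1.x/2.0 export options were dropped there. If it is not, the comment should show the working procedure or be left on gpg1.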
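Review bot: in patch-src_share_m_gen__subkey, once the version probe reads `gpg2 --version`, the `1)` case and its `is_gpg_version_greater_equal 1.4.10` branch can never be taken, so keyType is effectively decided by the GnuPG 2 branch alone. Not a bug, but if the port intends to drop GnuPG 1 entirely the simpler patch is to set keyType for gpg2 directly and remove the case; if you want to keep the patch close to upstream, a comment saying the 1.x branch is dead on FreeBSD would help the next reader.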
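Review bot: the patch-src_share_m_ssh__proxycommand hunk is cut off after `log info <&2` and the file header for patch-src_share_mh_add__revoker is missing from the posted diff, so neither change can be reviewed from this mail; please repost or point at the full diff in D18871. The visible add_revoker line, `su_monkeysphere_user "GNUPGHOME=$tmpDir" gpg2 --quiet --export "0x${fingerprint}!" | gpg_host --import`, is a plain gpg→gpg2 swap.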
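Review bot: in patch-src_share_mh_publish__key hunk `@@ -59,7 +59,7 @@`, `gpg2 --keyserver "$KEYSERVER" ${ANCHORFILE:+--keyserver-options "ca-cert-file=$ANCHORFILE"} --send-keys "0x${keyID}!"` needs checking against the installed GnuPG: in 2.1+ keyserver traffic is handled by dirmngr, and to my knowledge `ca-cert-file` is kept only for compatibility and ignored, in which case the monkeysphere-x509-anchors.crt file selected just above would be silently dropped and hkps verification would fall back to dirmngr's defaults. If that is so, the anchor has to be passed via dirmngr's `hkp-cacert` in the monkeysphere user's dirmngr.conf, and this script should say so instead of pretending the option still works.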
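Review bot: in patch-src_share_mh_revoke__key hunk `@@ -72,11 +72,11 @@` the comment explains that --no-tty is deliberately omitted so gpg's interactive `--gen-revoke` UI is used; with gpg2 the passphrase prompt is no longer gpg's own but goes through gpg-agent and pinentry, which needs GPG_TTY exported (and a curses pinentry) when started from this script. If that is missing the prompt fails, `$revcert` stays empty and the script lands in the "Revocation canceled." branch with no hint why. Add `export GPG_TTY=$(tty)` before the call, or document the requirement in pkg-message.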
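Review bot: in patch-src_share_mh_revoke__key hunk `@@ -94,9 +94,9 @@` the three `GNUPGHOME="$newhome" gpg2 ...` commands are independent statements, so if importing `$HOST_KEY_FILE` or `$revcert` fails, `--send-keys "0x${keyID}!"` still runs and publishes whatever landed in $newhome. Chain them with `&&` (or fail explicitly on non-zero) so an incomplete key or a missing revocation is never pushed to $KEYSERVER, and kill the agent for $newhome before the `rm -rf "$newhome"`.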
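Review bot: in patch-src_transitions_0.23 hunk `@@ -169,12 +169,12 @@`, `gpg2 --quiet --no-tty --no-permission-warning --export-secret-keys` now reads secrets out of the legacy `$SYSDATADIR/gnupg-host` directory; a homedir written by GnuPG 1 keeps them in secring.gpg, which gpg2 (2.1+) only sees after its one-time migration into private-keys-v1.d, and that migration plus any passphrase prompt go through gpg-agent/pinentry. Under `--no-tty` with no GPG_TTY that can fail quietly, the `if` drops into the else branch, and the `--list-secret-key` fallback in $NEWDATADIR exits 1 with "was not imported properly". Please exercise the 0.23 transition on a pre-existing gnupg-host directory before shipping.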
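Review bot: in the pkg-deinstall hunk the removed FIXME comments carried two facts an operator wants: that the script deliberately does not purge the data directory, and that FreeBSD does not remove the package user at deinstall. With them gone the POST-DEINSTALL branch is a bare echo with no rationale. Keep one comment line saying the keyrings are left in place on purpose (deleting them would destroy the host's OpenPGP key and authentication cache), and note that `USER=monkeysphere` is now only used to build the warning text.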