mirrors/nixpkgs
1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-25 23:20:55 +00:00
Code Issues Wiki Activity
nixpkgs/pkgs/tools/security/gnupg/22.nix
Alyssa Ross c727083e65
gnupg: change default keyserver to non-SKS 
See https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f.

The SKS network is vulnerable to certificate poisoning, which can
destroy GnuPG installations. keys.openpgp.org is a new non-SKS keyserver
that is resistant to this type of attack.

With such an attack being possible, it is unsafe to use SKS keyservers
for almost anything, and so we should protect our users from a now
unsafe default. keys.openpgp.org offers some (but not all) functionality
of SKS, and is better than nothing.

This default is only present in gnupg22. gnupg20 and gnupg1orig are not
affected.
2019-06-30 14:09:02 +00:00

82 lines
3 KiB
Nix
Raw Blame History

{ fetchurl, stdenv, pkgconfig, libgcrypt, libassuan, libksba, libgpgerror
, libiconv, npth, gettext, texinfo, pcsclite, sqlite
, buildPackages
# Each of the dependencies below are optional.
# Gnupg can be built without them at the cost of reduced functionality.
, pinentry ? null, guiSupport ? true
, adns ? null, gnutls ? null, libusb ? null, openldap ? null
, readline ? null, zlib ? null, bzip2 ? null
}:
with stdenv.lib;
assert guiSupport -> pinentry != null;
stdenv.mkDerivation rec {
name = "gnupg-${version}";
version = "2.2.16";
src = fetchurl {
url = "mirror://gnupg/gnupg/${name}.tar.bz2";
sha256 = "1jqlzp9b3kpfp1dkjqskm67jjrhvf9nh3lzf45321p7m9d2qvgkc";
};
depsBuildBuild = [ buildPackages.stdenv.cc ];
nativeBuildInputs = [ pkgconfig ];
buildInputs = [
libgcrypt libassuan libksba libiconv npth gettext texinfo
readline libusb gnutls adns openldap zlib bzip2 sqlite
];
patches = [
./fix-libusb-include-path.patch
];
postPatch = ''
sed -i 's,hkps://hkps.pool.sks-keyservers.net,hkps://keys.openpgp.org,g' \
configure doc/dirmngr.texi doc/gnupg.info-1
'' + stdenv.lib.optionalString stdenv.isLinux ''
sed -i 's,"libpcsclite\.so[^"]*","${stdenv.lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c
''; #" fix Emacs syntax highlighting :-(
pinentryBinaryPath = pinentry.binaryPath or "bin/pinentry";
configureFlags = [
"--with-libgpg-error-prefix=${libgpgerror.dev}"
"--with-libgcrypt-prefix=${libgcrypt.dev}"
"--with-libassuan-prefix=${libassuan.dev}"
"--with-ksba-prefix=${libksba.dev}"
"--with-npth-prefix=${npth}"
] ++ optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentryBinaryPath}";
postInstall = ''
mkdir -p $out/lib/systemd/user
for f in doc/examples/systemd-user/*.{service,socket} ; do
substitute $f $out/lib/systemd/user/$(basename $f) \
--replace /usr/bin $out/bin
done
# add gpg2 symlink to make sure git does not break when signing commits
ln -s $out/bin/gpg $out/bin/gpg2
'';
meta = with stdenv.lib; {
homepage = https://gnupg.org;
description = "Modern (2.1) release of the GNU Privacy Guard, a GPL OpenPGP implementation";
license = licenses.gpl3Plus;
longDescription = ''
The GNU Privacy Guard is the GNU project's complete and free
implementation of the OpenPGP standard as defined by RFC4880. GnuPG
"modern" (2.1) is the latest development with a lot of new features.
GnuPG allows to encrypt and sign your data and communication, features a
versatile key management system as well as access modules for all kind of
public key directories. GnuPG, also known as GPG, is a command line tool
with features for easy integration with other applications. A wealth of
frontend applications and libraries are available. Version 2 of GnuPG
also provides support for S/MIME.
'';
maintainers = with maintainers; [ peti fpletz vrthra ];
platforms = platforms.all;
};
}
View git blame Copy permalink