gnupg: apply default server CA verification patch

See discussion at https://github.com/NixOS/nixpkgs/pull/63952#issuecomment-507048690. Upstream commit: commit 1c9cc97e9d47d73763810dcb4a36b6cdf31a2254 Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net> Date: Sun Jun 30 11:54:35 2019 -0400 dirmngr: Only use SKS pool CA for SKS pool * dirmngr/http.c (http_session_new): when checking whether the keyserver is the HKPS pool, check specifically against the pool name, as ./configure might have been used to select a different default keyserver. It makes no sense to apply Kristian's certificate authority to anything other than the literal host hkps.pool.sks-keyservers.net. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> GnuPG-Bug-Id: 4593
2019-06-30 19:05:31 +00:00 · 2019-06-30 19:05:31 +00:00 · ba23c14b84
commit ba23c14b84
parent c727083e65
1 changed files with 6 additions and 2 deletions
--- a/pkgs/tools/security/gnupg/22.nix
+++ b/pkgs/tools/security/gnupg/22.nix
@ -1,5 +1,5 @@
-{ fetchurl, stdenv, pkgconfig, libgcrypt, libassuan, libksba, libgpgerror
-, libiconv, npth, gettext, texinfo, pcsclite, sqlite
+{ fetchurl, fetchpatch, stdenv, pkgconfig, libgcrypt, libassuan, libksba
+, libgpgerror, libiconv, npth, gettext, texinfo, pcsclite, sqlite
 , buildPackages

 # Each of the dependencies below are optional.
@ -32,6 +32,10 @@ stdenv.mkDerivation rec {

  patches = [
    ./fix-libusb-include-path.patch
+    (fetchpatch {
+      url = https://files.gnupg.net/file/data/qmxjhc6kuja3orybj7st/PHID-FILE-vvzlnw36427pdnug2amc/file;
+      sha256 = "13snxkmlgmvn0rgxh5k2sgxkp5mbxqiznzm45sw649nvs3ccghq8";
+    })
  ];
  postPatch = ''
    sed -i 's,hkps://hkps.pool.sks-keyservers.net,hkps://keys.openpgp.org,g' \