From ba23c14b842e50cb9d8a228a6007207f2c28c1fe Mon Sep 17 00:00:00 2001
From: Alyssa Ross
Date: Sun, 30 Jun 2019 19:05:31 +0000
Subject: [PATCH] gnupg: apply default server CA verification patch
See discussion at https://github.com/NixOS/nixpkgs/pull/63952#issuecomment-507048690.
Upstream commit:
commit 1c9cc97e9d47d73763810dcb4a36b6cdf31a2254
Author: Daniel Kahn Gillmor
Date: Sun Jun 30 11:54:35 2019 -0400
dirmngr: Only use SKS pool CA for SKS pool
* dirmngr/http.c (http_session_new): when checking whether the keyserver is the HKPS pool, check specifically against the pool name, as ./configure might have been used to select a different default keyserver. It makes no sense to apply Kristian's certificate authority to anything other than the literal host hkps.pool.sks-keyservers.net.
Signed-off-by: Daniel Kahn Gillmor
GnuPG-Bug-Id: 4593
---
 pkgs/tools/security/gnupg/22.nix | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/pkgs/tools/security/gnupg/22.nix b/pkgs/tools/security/gnupg/22.nix
index 978bf1d4e4b5..359432791b7f 100644
--- a/pkgs/tools/security/gnupg/22.nix
+++ b/pkgs/tools/security/gnupg/22.nix
@@ -1,5 +1,5 @@
-{ fetchurl, stdenv, pkgconfig, libgcrypt, libassuan, libksba, libgpgerror
-, libiconv, npth, gettext, texinfo, pcsclite, sqlite
+{ fetchurl, fetchpatch, stdenv, pkgconfig, libgcrypt, libassuan, libksba
+, libgpgerror, libiconv, npth, gettext, texinfo, pcsclite, sqlite
 , buildPackages
 # Each of the dependencies below are optional.
@@ -32,6 +32,10 @@ stdenv.mkDerivation rec {
 patches = [
 ./fix-libusb-include-path.patch
+ (fetchpatch {
+ url = https://files.gnupg.net/file/data/qmxjhc6kuja3orybj7st/PHID-FILE-vvzlnw36427pdnug2amc/file;
+ sha256 = "13snxkmlgmvn0rgxh5k2sgxkp5mbxqiznzm45sw649nvs3ccghq8";
+ })
 ];
 postPatch = ''
 sed -i 's,hkps://hkps.pool.sks-keyservers.net,hkps://keys.openpgp.org,g' \
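Review bot: The `fetchpatch` entry added to `patches` in the second hunk has no comment and no `name`, and its URL is an opaque file-download path ending in `file`. Nothing in 22.nix itself says which upstream change is applied or when it can be dropped. I would put `# dirmngr: only use the SKS pool CA for the SKS pool (upstream 1c9cc97e9d47d73763810dcb4a36b6cdf31a2254, GnuPG-Bug-Id 4593); drop once a release contains it` above the entry, and add a descriptive name such as `name = "dirmngr-sks-pool-ca.patch";` (constructed example). The `sha256` pins the fetched content, so integrity does not depend on the host, but an opaque download link can stop resolving. A commit-addressed URL on the upstream repository would be easier to audit against the commit quoted in the description. The `sed` command in `postPatch` continues past the end of the hunk, so its file list is not visible here.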