Merge pull request #1677 from tlaurion/fix_key_to_card

Revert gpg version bump and unify key to card  code to properly create bug upstream

.circleci/config.yml

@@ -45,7 +45,7 @@ commands:
 jobs:
   prep_env:
     docker:
-      - image: tlaurion/heads-dev-env:v0.1.6
+      - image: tlaurion/heads-dev-env:v0.1.8
     resource_class: large
     working_directory: ~/heads
     steps:
@@ -111,7 +111,7 @@ jobs:
 
   build_and_persist:
     docker:
-      - image: tlaurion/heads-dev-env:v0.1.6
+      - image: tlaurion/heads-dev-env:v0.1.8
     resource_class: large
     working_directory: ~/heads
     parameters:
@@ -139,7 +139,7 @@ jobs:
 
   build:
     docker:
-      - image: tlaurion/heads-dev-env:v0.1.6
+      - image: tlaurion/heads-dev-env:v0.1.8
     resource_class: large
     working_directory: ~/heads
     parameters:
@@ -160,7 +160,7 @@ jobs:
 
   save_cache:
     docker:
-      - image: tlaurion/heads-dev-env:v0.1.6
+      - image: tlaurion/heads-dev-env:v0.1.8
     resource_class: large
     working_directory: ~/heads
     steps:

README.md

@@ -97,6 +97,10 @@ Maintenance notes on docker image
 Redo the steps above in case the flake.nix or nix.lock changes. Then publish on docker hub:
 
 ```
+docker tag linuxboot/heads:dev-env tlaurion/heads-dev-env:vx.y.z
+docker push tlaurion/heads-dev-env:vx.y.z
+#test against CircleCI in PR. Merge.
+#make last version the latest
 docker tag tlaurion/heads-dev-env:vx.y.z tlaurion/heads-dev-env:latest
 docker push tlaurion/heads-dev-env:latest
 ```

flake.lock

@@ -20,11 +20,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1711703276,
-        "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=",
+        "lastModified": 1715534503,
+        "narHash": "sha256-5ZSVkFadZbFP1THataCaSf0JH2cAH3S29hU9rrxTEqk=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089",
+        "rev": "2057814051972fa1453ddfb0d98badbea9b83c06",
         "type": "github"
       },
       "original": {

flake.nix

@@ -75,14 +75,16 @@
           canokeySupport = true; # This override enables Canokey support in QEMU, resulting in -device canokey being available.
         })
         # Packages for qemu support with Canokey integration from previous override
-        #qemu_full #Heavier but contains qemu-img, kvm and everything else needed to do development cycles under docker
-        qemu # To test make BOARD=qemu-coreboot-* boards and then call make BOARD=qemu-coreboot-* with inject_gpg statement, and then run statement.
-        qemu_kvm # kvm additional support for qemu without all the qemu-img and everything else under qemu_full
+        qemu_full #Heavier but contains qemu-img, kvm and everything else needed to do development cycles under docker
+        #qemu # To test make BOARD=qemu-coreboot-* boards and then call make BOARD=qemu-coreboot-* with inject_gpg statement, and then run statement.
+        #qemu_kvm # kvm additional support for qemu without all the qemu-img and everything else under qemu_full
       ] ++ [
         # Additional tools for debugging/editing/testing.
         vim # Mostly used amongst us, sorry if you'd like something else, open issue.
         swtpm # QEMU requirement to emulate tpm1/tpm2.
         dosfstools # QEMU requirement to produce valid fs to store exported public key to be fused through inject_key on qemu (so qemu flashrom emulated SPI support).
+        diffoscopeMinimal # Not sure exactly what is packed here, let's try.
+        gnupg #to inject public key inside of qemu create rom through inject_gpg target of targets/qemu.mk TODO: remove when pflash supported by flashrom
         #diffoscope #should we include it? Massive:11 GB uncompressed. Wow?!?!
       ] ++ [
         # Tools for handling binary blobs in their compressed state. (blobs/xx30/vbios_[tw]530.sh)

initrd/bin/oem-factory-reset

@@ -38,8 +38,9 @@ MAX_HOTP_GPG_PIN_LENGTH=25
 CUSTOM_PASS_AFFECTED_COMPONENTS=""
 
 # Default GPG Algorithm is RSA
+# p256 also supported (TODO: nk3 supports RSA 4096 in secure element in firmare v1.7.1. Switch!?
 GPG_ALGO="RSA"
-# Default RSA key length
+# Default RSA key length is 3072 bits for OEM key gen. 4096 are way longer to generate in smartcard
 RSA_KEY_LENGTH=3072
 
 GPG_USER_NAME="OEM Key"
@@ -85,12 +86,11 @@ mount_boot() {
     fi
 }
 
-#Generate a gpg master key: no expiration date, RSA 4096 bits
+#Generate a gpg master key: no expiration date, ${RSA_KEY_LENGTH} bits
 #This key will be used to sign 3 subkeys: encryption, authentication and signing
 #The master key and subkeys will be copied to backup, and the subkeys moved from memory keyring to the smartcard
 generate_inmemory_RSA_master_and_subkeys() {
     TRACE_FUNC
-    echo "Generating GPG key material in memory:"
 
     echo "Generating GPG RSA ${RSA_KEY_LENGTH} bits master key..."
     # Generate GPG master key
@@ -104,7 +104,7 @@ generate_inmemory_RSA_master_and_subkeys() {
         echo "Expire-Date: 0"                    # No expiration date
         echo "Passphrase: ${ADMIN_PIN}"          # Admin PIN
         echo "%commit"                           # Commit changes
-    } | gpg --command-fd=0 --status-fd=1 --batch --gen-key >/tmp/gpg_card_edit_output 2>&1
+    } | DO_WITH_DEBUG gpg --expert --batch --command-fd=0 --status-fd=1 --pinentry-mode=loopback --generate-key >/tmp/gpg_card_edit_output 2>&1
     if [ $? -ne 0 ]; then
         ERROR=$(cat /tmp/gpg_card_edit_output)
         whiptail_error_die "GPG Key generation failed!\n\n$ERROR"
@@ -120,7 +120,7 @@ generate_inmemory_RSA_master_and_subkeys() {
         echo ${ADMIN_PIN}      # Local keyring admin pin
         echo y                 # confirm
         echo save              # save changes and commit to keyring
-    } | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \
+    } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \
         >/tmp/gpg_card_edit_output 2>&1
     if [ $? -ne 0 ]; then
         ERROR=$(cat /tmp/gpg_card_edit_output)
@@ -137,7 +137,7 @@ generate_inmemory_RSA_master_and_subkeys() {
         echo ${ADMIN_PIN}      # Local keyring admin pin
         echo y                 # confirm
         echo save              # save changes and commit to keyring
-    } | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \
+    } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \
         >/tmp/gpg_card_edit_output 2>&1
     if [ $? -ne 0 ]; then
         ERROR=$(cat /tmp/gpg_card_edit_output)
@@ -161,26 +161,12 @@ generate_inmemory_RSA_master_and_subkeys() {
         echo ${ADMIN_PIN}      # Local keyring admin pin
         echo y                 # confirm
         echo save              # save changes and commit to keyring
-    } | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --expert --edit-key "${GPG_USER_MAIL}" \
+    } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --expert --edit-key "${GPG_USER_MAIL}" \
         >/tmp/gpg_card_edit_output 2>&1
     if [ $? -ne 0 ]; then
         ERROR=$(cat /tmp/gpg_card_edit_output)
         whiptail_error_die "GPG Key authentication subkey generation failed!\n\n$ERROR"
     fi
-
-    DEBUG "Setting public key to ultimate trust..."
-    #Set the public key to the ultimate trust
-    {
-        echo trust # trust key in --edit-key mode
-        echo 5     # ultimate trust
-        echo y     # confirm
-        echo save  # save changes and commit to keyring
-    } | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \
-        >/tmp/gpg_card_edit_output 2>&1
-    if [ $? -ne 0 ]; then
-        ERROR=$(cat /tmp/gpg_card_edit_output)
-        whiptail_error_die "GPG Key setting public key to ultimate trust failed!\n\n$ERROR"
-    fi
 }
 
 #Generate a gpg master key: no expiration date, p256 key (ECC)
@@ -200,7 +186,7 @@ generate_inmemory_p256_master_and_subkeys() {
         echo "Passphrase: ${ADMIN_PIN}"          # Local keyring admin pin
         echo "Expire-Date: 0"                    # No expiration date
         echo "%commit"                           # Commit changes
-    } | gpg --expert --batch --command-fd=0 --status-fd=1 --pinentry-mode=loopback --generate-key \
+    } | DO_WITH_DEBUG gpg --expert --batch --command-fd=0 --status-fd=1 --pinentry-mode=loopback --generate-key \
         >/tmp/gpg_card_edit_output 2>&1
     if [ $? -ne 0 ]; then
         ERROR=$(cat /tmp/gpg_card_edit_output)
@@ -216,10 +202,10 @@ generate_inmemory_p256_master_and_subkeys() {
         echo 11           # ECC own set capability
         echo Q            # sign already present, do not modify
         echo 3            # P-256
-        echo 0            # no expiration
+        echo 0            # No validity/expiration date
         echo ${ADMIN_PIN} # Local keyring admin pin
         echo save         # save changes and commit to keyring
-    } | gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1
+    } | DO_WITH_DEBUG gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1
     if [ $? -ne 0 ]; then
         ERROR_MSG=$(cat /tmp/gpg_card_edit_output)
         whiptail_error_die "Failed to add ECC nistp256 signing key to master key\n\n${ERROR_MSG}"
@@ -231,10 +217,10 @@ generate_inmemory_p256_master_and_subkeys() {
         echo 12           # ECC own set capability
         echo Q            # Quit
         echo 3            # P-256
-        echo 0            # no expiration
+        echo 0            # No validity/expiration date
         echo ${ADMIN_PIN} # Local keyring admin pin
         echo save         # save changes and commit to keyring
-    } | gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1
+    } | DO_WITH_DEBUG gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1
     if [ $? -ne 0 ]; then
         ERROR_MSG=$(cat /tmp/gpg_card_edit_output)
         whiptail_error_die "Failed to add ECC nistp256 encryption key to master key\n\n${ERROR_MSG}"
@@ -251,7 +237,7 @@ generate_inmemory_p256_master_and_subkeys() {
         echo 0            # no expiration
         echo ${ADMIN_PIN} # Local keyring admin pin
         echo save         # save changes and commit to keyring
-    } | gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1
+    } | DO_WITH_DEBUG gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1
     if [ $? -ne 0 ]; then
         ERROR_MSG=$(cat /tmp/gpg_card_edit_output)
         whiptail_error_die "Failed to add ECC nistp256 authentication key to master key\n\n${ERROR_MSG}"
@@ -297,7 +283,7 @@ keytocard_subkeys_to_smartcard() {
         echo "${ADMIN_PIN_DEF}" #Smartcard Admin PIN
         echo "key 3"            #Toggle off Authentication key
         echo "save"             #Save changes and commit to keyring
-    } | gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \
+    } | DO_WITH_DEBUG gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \
         >/tmp/gpg_card_edit_output 2>&1
     if [ $? -ne 0 ]; then
         ERROR=$(cat /tmp/gpg_card_edit_output)
@@ -488,7 +474,7 @@ gpg_key_factory_reset() {
         echo factory-reset # factory reset smartcard
         echo y             # confirm
         echo yes           # confirm
-    } | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \
+    } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \
         >/tmp/gpg_card_edit_output 2>&1
     if [ $? -ne 0 ]; then
         ERROR=$(cat /tmp/gpg_card_edit_output)
@@ -508,7 +494,7 @@ gpg_key_factory_reset() {
             echo admin            # admin menu
             echo forcesig         # toggle forcesig
             echo ${ADMIN_PIN_DEF} # local keyring PIN
-        } | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \
+        } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \
             >/tmp/gpg_card_edit_output 2>&1
         if [ $? -ne 0 ]; then
             ERROR=$(cat /tmp/gpg_card_edit_output)
@@ -529,7 +515,7 @@ gpg_key_factory_reset() {
             echo 2                # ECC
             echo 3                # P-256
             echo ${ADMIN_PIN_DEF} # local keyring PIN
-        } | gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \
+        } | DO_WITH_DEBUG gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \
             >/tmp/gpg_card_edit_output 2>&1
         if [ $? -ne 0 ]; then
             ERROR=$(cat /tmp/gpg_card_edit_output)
@@ -551,7 +537,7 @@ gpg_key_factory_reset() {
             echo 1                 # RSA
             echo ${RSA_KEY_LENGTH} #Authentication key size set to RSA_KEY_LENGTH
             echo ${ADMIN_PIN_DEF}  #Local keyring PIN
-        } | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \
+        } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \
             >/tmp/gpg_card_edit_output 2>&1
         if [ $? -ne 0 ]; then
             ERROR=$(cat /tmp/gpg_card_edit_output)
@@ -581,7 +567,7 @@ generate_OEM_gpg_keys() {
         echo ${GPG_USER_MAIL}    # User email
         echo ${GPG_USER_COMMENT} # User comment
         echo ${USER_PIN_DEF}     # Default user PIN since we just factory reset
-    } | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \
+    } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \
         >/tmp/gpg_card_edit_output 2>&1
     if [ $? -ne 0 ]; then
         ERROR=$(cat /tmp/gpg_card_edit_output)
@@ -608,7 +594,7 @@ gpg_key_change_pin() {
         echo ${PIN_NEW}  # confirm new PIN
         echo q           # quit
         echo q
-    } | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \
+    } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \
         >/tmp/gpg_card_edit_output 2>&1
     if [ $? -ne 0 ]; then
         ERROR=$(cat /tmp/gpg_card_edit_output | fold -s)
@@ -686,7 +672,7 @@ generate_checksums() {
     fi
 
     DEBUG "Detach-signing boot files under kexec.sig: ${param_files}"
-    if sha256sum $param_files 2>/dev/null | gpg \
+    if sha256sum $param_files 2>/dev/null | DO_WITH_DEBUG gpg \
         --pinentry-mode loopback \
         --passphrase "${USER_PIN}" \
         --digest-algo SHA256 \
@@ -1142,7 +1128,7 @@ assert_signable
 # clear gpg-agent cache so that next gpg calls doesn't have past keyring in memory
 killall gpg-agent >/dev/null 2>&1 || true
 # clear local keyring
-rm -rf /.gnupg/* >/dev/null 2>&1 || true
+rm -rf /.gnupg/*.kbx /.gnupg/*.gpg >/dev/null 2>&1 || true
 
 # detect and set /boot device
 echo -e "\nDetecting and setting boot device...\n"
@@ -1242,7 +1228,7 @@ if [ "$GPG_EXPORT" != "0" ]; then
 fi
 
 # ensure key imported locally
-if ! cat "$PUBKEY" | gpg --import >/dev/null 2>/tmp/error; then
+if ! cat "$PUBKEY" | DO_WITH_DEBUG gpg --import >/dev/null 2>/tmp/error; then
     ERROR=$(tail -n 1 /tmp/error | fold -s)
     whiptail_error_die "Error importing GPG key:\n\n$ERROR"
 fi

modules/gpg2

@@ -1,10 +1,10 @@
 modules-$(CONFIG_GPG2) += gpg2
 
-gpg2_version := 2.4.2
+gpg2_version := 2.4.0
 gpg2_dir := gnupg-$(gpg2_version)
 gpg2_tar := gnupg-$(gpg2_version).tar.bz2
 gpg2_url := https://www.gnupg.org/ftp/gcrypt/gnupg/$(gpg2_tar)
-gpg2_hash := 97eb47df8ae5a3ff744f868005a090da5ab45cb48ee9836dbf5ee739a4e5cf49
+gpg2_hash := 1d79158dd01d992431dd2e3facb89fdac97127f89784ea2cb610c600fb0c1483
 gpg2_depends := libgpg-error libgcrypt libksba libassuan npth libusb $(musl_dep)
 
 # For reproducibility reasons we have to override the exec_prefix

modules/libassuan

@@ -1,10 +1,10 @@
 modules-$(CONFIG_GPG2) += libassuan
 
-libassuan_version := 2.5.6
+libassuan_version := 2.5.5
 libassuan_dir := libassuan-$(libassuan_version)
 libassuan_tar := libassuan-$(libassuan_version).tar.bz2
 libassuan_url := https://gnupg.org/ftp/gcrypt/libassuan/$(libassuan_tar)
-libassuan_hash := e9fd27218d5394904e4e39788f9b1742711c3e6b41689a31aa3380bd5aa4f426
+libassuan_hash := 8e8c2fcc982f9ca67dcbb1d95e2dc746b1739a4668bc20b3a3c5be632edb34e4
 
 libassuan_configure := \
 	CFLAGS="-Os" \
@@ -14,7 +14,7 @@ libassuan_configure := \
 	--prefix "/" \
 	--disable-doc \
 	--disable-static \
-	--with-libgpg-error-prefix="$(INSTALL)" \
+	--with-gpg-error-prefix="$(INSTALL)" \
 
 libassuan_target := $(MAKE_JOBS) \
 	DESTDIR="$(INSTALL)" \

modules/libgcrypt

@@ -1,10 +1,10 @@
 modules-$(CONFIG_GPG2) += libgcrypt
 
-libgcrypt_version := 1.10.2
+libgcrypt_version := 1.10.1
 libgcrypt_dir := libgcrypt-$(libgcrypt_version)
 libgcrypt_tar := libgcrypt-$(libgcrypt_version).tar.bz2
 libgcrypt_url := https://gnupg.org/ftp/gcrypt/libgcrypt/$(libgcrypt_tar)
-libgcrypt_hash := 3b9c02a004b68c256add99701de00b383accccf37177e0d6c58289664cce0c03
+libgcrypt_hash := ef14ae546b0084cd84259f61a55e07a38c3b53afc0f546bffcef2f01baffe9de
 
 libgcrypt_configure := \
 	$(CROSS_TOOLS) \
@@ -14,7 +14,7 @@ libgcrypt_configure := \
 	--prefix "/" \
 	--disable-doc \
 	--disable-static \
-	--with-libgpg-error-prefix="$(INSTALL)" \
+	--with-gpg-error-prefix="$(INSTALL)" \
 
 libgcrypt_target := $(MAKE_JOBS) \
 	DESTDIR="$(INSTALL)" \

modules/libgpg-error

@@ -1,10 +1,10 @@
 modules-$(CONFIG_GPG2) += libgpg-error
 
-libgpg-error_version := 1.47
+libgpg-error_version := 1.46
 libgpg-error_dir := libgpg-error-$(libgpg-error_version)
 libgpg-error_tar := libgpg-error-$(libgpg-error_version).tar.bz2
 libgpg-error_url := https://gnupg.org/ftp/gcrypt/libgpg-error/$(libgpg-error_tar)
-libgpg-error_hash := 9e3c670966b96ecc746c28c2c419541e3bcb787d1a73930f5e5f5e1bcbbb9bdb
+libgpg-error_hash := b7e11a64246bbe5ef37748de43b245abd72cfcd53c9ae5e7fc5ca59f1c81268d
 
 libgpg-error_configure := \
 	$(CROSS_TOOLS) \

modules/libksba

@@ -1,10 +1,10 @@
 modules-$(CONFIG_GPG2) += libksba
 
-libksba_version := 1.6.4
+libksba_version := 1.6.3
 libksba_dir := libksba-$(libksba_version)
 libksba_tar := libksba-$(libksba_version).tar.bz2
 libksba_url := https://gnupg.org/ftp/gcrypt/libksba/$(libksba_tar)
-libksba_hash := bbb43f032b9164d86c781ffe42213a83bf4f2fee91455edfa4654521b8b03b6b
+libksba_hash := 3f72c68db30971ebbf14367527719423f0a4d5f8103fc9f4a1c01a9fa440de5c
 
 libksba_configure := \
 	$(CROSS_TOOLS) \
@@ -13,7 +13,7 @@ libksba_configure := \
 	--host $(MUSL_ARCH)-linux-musl \
 	--prefix "/" \
 	--disable-static \
-	--with-libgpg-error-prefix="$(INSTALL)" \
+	--with-gpg-error-prefix="$(INSTALL)" \
 
 libksba_target := $(MAKE_JOBS) \
 	DESTDIR="$(INSTALL)" \

patches/gpg2-2.2.10.patch

@@ -1,27 +0,0 @@
-diff -u --recursive /home/tlaurion/build/clean/gnupg-2.2.10/configure gnupg-2.2.10/configure
---- /home/tlaurion/build/clean/gnupg-2.2.10/configure	2016-08-17 09:20:25.000000000 -0400
-+++ gnupg-2.2.10/configure	2018-01-20 16:55:14.502067084 -0500
-@@ -572,7 +572,7 @@
- ac_clean_files=
- ac_config_libobj_dir=.
- LIBOBJS=
--cross_compiling=no
-+cross_compiling=yes
- subdirs=
- MFLAGS=
- MAKEFLAGS=
-diff -u --recursive gnupg-2.2.10/common/ttyio.c gnupg-2.2.10/common/ttyio.c.mod 
---- gnupg-2.2.10/common/ttyio.c	2017-08-28 06:22:54.000000000 -0400
-+++ gnupg-2.2.10/common/ttyio.c.mod	2018-09-18 23:00:07.386250017 -0400
-@@ -190,7 +190,9 @@
- #elif defined (HAVE_W32CE_SYSTEM)
-     ttyfp = stderr;
- #else
--    ttyfp = batchmode? stderr : fopen (tty_get_ttyname (), "r+");
-+    //ttyfp = batchmode? stderr : fopen( tty_get_ttyname (), "r+");
-+    ttyfp = stderr;
-+
-     if( !ttyfp ) {
- 	log_error("cannot open '%s': %s\n", tty_get_ttyname (),
-                   strerror(errno) );
-

patches/libgcrypt-1.8.3.patch

@@ -1,7 +1,7 @@
-diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
---- libassuan-2.5.1-clean/configure	2017-12-07 06:55:50.000000000 -0800
-+++ libassuan-2.5.1/configure	2020-01-12 13:39:50.655638965 -0800
-@@ -10781,7 +10781,7 @@
+diff -u -r libgcrypt-1.8.3-clean/configure libgcrypt-1.8.3/configure
+--- libgcrypt-1.8.3-clean/configure	2018-06-13 00:39:33.000000000 -0700
++++ libgcrypt-1.8.3/configure	2020-01-12 13:32:34.840010800 -0800
+@@ -11292,7 +11292,7 @@
    version_type=linux # correct to gnu/linux during the next big refactor
    need_lib_prefix=no
    need_version=no
@@ -10,7 +10,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
    if test "$host_cpu" = ia64; then
      # AIX 5 supports IA64
      library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
-@@ -11020,16 +11020,16 @@
+@@ -11531,16 +11531,16 @@
      ;;
    freebsd3.[01]* | freebsdelf3.[01]*)
      shlibpath_overrides_runpath=yes
@@ -30,7 +30,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
      ;;
    esac
    ;;
-@@ -11042,7 +11042,7 @@
+@@ -11553,7 +11553,7 @@
    soname_spec='${libname}${release}${shared_ext}$major'
    shlibpath_var=LD_LIBRARY_PATH
    shlibpath_overrides_runpath=no
@@ -39,7 +39,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
    ;;
  
  haiku*)
-@@ -11055,7 +11055,7 @@
+@@ -11566,7 +11566,7 @@
    shlibpath_var=LIBRARY_PATH
    shlibpath_overrides_runpath=yes
    sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
@@ -48,7 +48,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
    ;;
  
  hpux9* | hpux10* | hpux11*)
-@@ -11067,7 +11067,7 @@
+@@ -11578,7 +11578,7 @@
    case $host_cpu in
    ia64*)
      shrext_cmds='.so'
@@ -57,7 +57,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
      dynamic_linker="$host_os dld.so"
      shlibpath_var=LD_LIBRARY_PATH
      shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
-@@ -11082,7 +11082,7 @@
+@@ -11593,7 +11593,7 @@
      ;;
    hppa*64*)
      shrext_cmds='.sl'
@@ -66,7 +66,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
      dynamic_linker="$host_os dld.sl"
      shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
      shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
-@@ -11115,7 +11115,7 @@
+@@ -11626,7 +11626,7 @@
    dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
    shlibpath_var=LD_LIBRARY_PATH
    shlibpath_overrides_runpath=no
@@ -75,7 +75,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
    ;;
  
  irix5* | irix6* | nonstopux*)
-@@ -11152,7 +11152,7 @@
+@@ -11663,7 +11663,7 @@
    shlibpath_overrides_runpath=no
    sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
    sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
@@ -84,7 +84,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
    ;;
  
  # No shared lib support for Linux oldld, aout, or coff.
-@@ -11173,7 +11173,7 @@
+@@ -11684,7 +11684,7 @@
    # This implies no fast_install, which is unacceptable.
    # Some rework will be needed to allow for fast_install
    # before this can be enabled.
@@ -93,7 +93,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
  
    dynamic_linker='Android linker'
    # Don't embed -rpath directories since the linker doesn't support them.
-@@ -11228,7 +11228,7 @@
+@@ -11739,7 +11739,7 @@
    # This implies no fast_install, which is unacceptable.
    # Some rework will be needed to allow for fast_install
    # before this can be enabled.
@@ -102,7 +102,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
  
    # Append ld.so.conf contents to the search path
    if test -f /etc/ld.so.conf; then
-@@ -11253,7 +11253,7 @@
+@@ -11764,7 +11764,7 @@
    soname_spec='${libname}${release}${shared_ext}$major'
    shlibpath_var=LD_LIBRARY_PATH
    shlibpath_overrides_runpath=no
@@ -111,7 +111,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
    dynamic_linker='NetBSD ld.elf_so'
    ;;
  
-@@ -11272,7 +11272,7 @@
+@@ -11783,7 +11783,7 @@
    fi
    shlibpath_var=LD_LIBRARY_PATH
    shlibpath_overrides_runpath=yes
@@ -120,7 +120,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
    ;;
  
  newsos6)
-@@ -11290,7 +11290,7 @@
+@@ -11801,7 +11801,7 @@
    soname_spec='${libname}${release}${shared_ext}$major'
    shlibpath_var=LD_LIBRARY_PATH
    shlibpath_overrides_runpath=no
@@ -129,7 +129,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
    dynamic_linker='ldqnx.so'
    ;;
  
-@@ -11352,7 +11352,7 @@
+@@ -11863,7 +11863,7 @@
    soname_spec='${libname}${release}${shared_ext}$major'
    shlibpath_var=LD_LIBRARY_PATH
    shlibpath_overrides_runpath=yes
@@ -138,7 +138,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
    # ldd complains unless libraries are executable
    postinstall_cmds='chmod +x $lib'
    ;;
-@@ -11409,7 +11409,7 @@
+@@ -11920,7 +11920,7 @@
    soname_spec='${libname}${release}${shared_ext}$major'
    shlibpath_var=LD_LIBRARY_PATH
    shlibpath_overrides_runpath=yes
@@ -147,7 +147,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
    if test "$with_gnu_ld" = yes; then
      sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
    else
-@@ -11431,7 +11431,7 @@
+@@ -11942,7 +11942,7 @@
    library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
    shlibpath_var=LD_LIBRARY_PATH
    shlibpath_overrides_runpath=no
@@ -156,7 +156,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
    ;;
  
  uts4*)
-@@ -15680,7 +15680,7 @@
+@@ -19824,7 +19824,7 @@
  postuninstall_cmds='`$ECHO "$postuninstall_cmds" | $SED "$delay_single_quote_subst"`'
  finish_cmds='`$ECHO "$finish_cmds" | $SED "$delay_single_quote_subst"`'
  finish_eval='`$ECHO "$finish_eval" | $SED "$delay_single_quote_subst"`'
@@ -165,7 +165,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
  sys_lib_search_path_spec='`$ECHO "$sys_lib_search_path_spec" | $SED "$delay_single_quote_subst"`'
  sys_lib_dlsearch_path_spec='`$ECHO "$sys_lib_dlsearch_path_spec" | $SED "$delay_single_quote_subst"`'
  hardcode_action='`$ECHO "$hardcode_action" | $SED "$delay_single_quote_subst"`'
-@@ -16896,7 +16896,7 @@
+@@ -21088,7 +21088,7 @@
  finish_eval=$lt_finish_eval
  
  # Whether we should hardcode library paths into libraries.