
dirmngr: add standalone spec to restore HTTPS keyserver support#17704

Draft
mfrw wants to merge 1 commit into
3.0-devfrom
mfrw/gnupg2-dirmngr-subpkg

Conversation

@mfrw mfrw commented Jun 12, 2026


gnupg2 in Azure Linux 3.0 ships without the dirmngr daemon because gpg's
configure script silently drops it when no TLS backend (gnutls or ntbtls)
is available, and gnutls cannot be added to the gnupg2 BuildRequires
without dragging gnutls + nettle + gmp + p11-kit + libtasn1 + libffi +
libidn2 + libunistring + autogen-libopts + gc into the bootstrap
toolchain (see toolkit/scripts/toolchain/build_official_toolchain_rpms.sh
where gnupg2 is part of the readline -> npth -> libassuan -> libksba ->
gnupg2 -> gpgme -> tdnf chain).

This breaks every workflow that relies on `gpg --keyserver ... --recv-keys` over HKPS, including the upstream golang Docker image
build.

Add a new SPECS/dirmngr/dirmngr.spec that reuses the gnupg-%{version}
source tarball but is built out-of-toolchain with gnutls-devel,
curl-devel and openldap-devel, and ships only the dirmngr binary, the
dirmngr-client utility, the dirmngr_ldap LDAP helper and their man
pages. Everything else from the same tarball remains owned by gnupg2.

Entangle Version and Release with gnupg2 in
toolkit/scripts/check_entangled_specs.py so future gnupg2 CVE rebuilds
automatically force a matching dirmngr rebuild and there is no risk of
drift between the two packages.

Fixes ADO 62225284
Refs #3142

Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>

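The entanglement described in the PR body (Version and Release of dirmngr must track gnupg2, so a CVE rebuild of one cannot leave the other behind) is easy to misread as a packaging nicety; it is a supply-chain control, because both packages are built from the same tarball and a patched gnupg2 next to an unpatched dirmngr would silently reopen the fixed issue in the keyserver path. The following is an added illustration of such a check, written for this page; it is not the toolkit's `check_entangled_specs.py`, and the two spec fragments and their version numbers are constructed for the example. It compares the raw tag text, so specs that set Version via a macro would need the macro expanded first.

```python
"""Hypothetical entangled-spec check (added example, not the project's script)."""
import re
from typing import Dict, List, Sequence

# Constructed spec fragments; real specs carry many more tags and sections.
GNUPG2_SPEC = """\
Summary:        Utility for secure communication and data storage
Name:           gnupg2
Version:        2.4.4
Release:        3%{?dist}
License:        GPLv3+
"""

DIRMNGR_SPEC = """\
Summary:        Keyserver and CRL access daemon built from the gnupg tarball
Name:           dirmngr
Version:        2.4.4
Release:        2%{?dist}
License:        GPLv3+
"""

# Tags that must be identical across a set of entangled specs.
ENTANGLED_TAGS: Sequence[str] = ("Version", "Release")

# Matches "Tag: value" at the start of a line; the first occurrence wins.
TAG_RE = re.compile(r"^(?P<tag>[A-Za-z0-9]+):\s*(?P<value>\S.*?)\s*$", re.MULTILINE)


def parse_tags(spec_text: str) -> Dict[str, str]:
    """Return the preamble tags of a spec as a dict (first definition wins)."""
    tags: Dict[str, str] = {}
    for match in TAG_RE.finditer(spec_text):
        tags.setdefault(match.group("tag"), match.group("value"))
    return tags


def check_entangled(specs: Dict[str, str], tags: Sequence[str] = ENTANGLED_TAGS) -> List[str]:
    """Report drift between entangled specs.

    `specs` maps a package name to its spec text. The result is a list of
    human-readable problems; an empty list means the specs are in sync.
    """
    parsed = {name: parse_tags(text) for name, text in specs.items()}
    problems: List[str] = []
    for tag in tags:
        values: Dict[str, str] = {}
        for name, spec_tags in parsed.items():
            if tag not in spec_tags:
                problems.append(f"{name}: missing {tag} tag")
                continue
            values[name] = spec_tags[tag]
        if len(set(values.values())) > 1:
            detail = ", ".join(f"{n}={v}" for n, v in sorted(values.items()))
            problems.append(f"{tag} differs across entangled specs: {detail}")
    return problems


if __name__ == "__main__":
    # The constructed dirmngr spec lags one Release behind gnupg2, so the
    # check flags it; a CI gate would fail the build on any non-empty result.
    for problem in check_entangled({"gnupg2": GNUPG2_SPEC, "dirmngr": DIRMNGR_SPEC}):
        print(problem)
```

Wiring a check like this into CI turns the "no risk of drift" claim into something enforced on every PR rather than a convention reviewers have to remember.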
@microsoft-github-policy-service microsoft-github-policy-service Bot added Packaging Tools 3.0-dev PRs Destined for AzureLinux 3.0 labels Jun 12, 2026

@mfrw mfrw left a comment


Related:
