From a3c102dd057a5e48c29284e8530e2556a55d2c5b Mon Sep 17 00:00:00 2001
From: Muhammad Falak R Wani
Date: Wed, 10 Jun 2026 16:42:38 +0530
Subject: [PATCH] dirmngr: add standalone spec to restore HTTPS keyserver support

gnupg2 in Azure Linux 3.0 ships without the dirmngr daemon because gpg's configure script silently drops it when no TLS backend (gnutls or ntbtls) is available, and gnutls cannot be added to the gnupg2 BuildRequires without dragging gnutls + nettle + gmp + p11-kit + libtasn1 + libffi + libidn2 + libunistring + autogen-libopts + gc into the bootstrap toolchain (see toolkit/scripts/toolchain/build_official_toolchain_rpms.sh where gnupg2 is part of the readline -> npth -> libassuan -> libksba -> gnupg2 -> gpgme -> tdnf chain). This breaks every workflow that relies on `gpg --keyserver ... --recv-keys` over HKPS, including the upstream golang Docker image build.

Add a new SPECS/dirmngr/dirmngr.spec that reuses the gnupg-%{version} source tarball but is built out-of-toolchain with gnutls-devel, curl-devel and openldap-devel, and ships only the dirmngr binary, the dirmngr-client utility, the dirmngr_ldap LDAP helper and their man pages. Everything else from the same tarball remains owned by gnupg2.

Entangle Version and Release with gnupg2 in toolkit/scripts/check_entangled_specs.py so future gnupg2 CVE rebuilds automatically force a matching dirmngr rebuild and there is no risk of drift between the two packages.

Fixes ADO 62225284
Refs microsoft/azurelinux#3142

Signed-off-by: Muhammad Falak R Wani
---
 SPECS/dirmngr/dirmngr.signatures.json | 5 +
 SPECS/dirmngr/dirmngr.spec | 124 +++++++++++++++++++++++
 toolkit/scripts/check_entangled_specs.py | 4 +
 3 files changed, 133 insertions(+)
 create mode 100644 SPECS/dirmngr/dirmngr.signatures.json
 create mode 100644 SPECS/dirmngr/dirmngr.spec

diff --git a/SPECS/dirmngr/dirmngr.signatures.json b/SPECS/dirmngr/dirmngr.signatures.json
new file mode 100644
index 00000000000..253cb6ed082
--- /dev/null
+++ b/SPECS/dirmngr/dirmngr.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+ "gnupg-2.4.9.tar.bz2": "dd17ab2e9a04fd79d39d853f599cbc852062ddb9ab52a4ddeb4176fd8b302964"
+ }
+}
diff --git a/SPECS/dirmngr/dirmngr.spec b/SPECS/dirmngr/dirmngr.spec
new file mode 100644
index 00000000000..057306defe6
--- /dev/null
+++ b/SPECS/dirmngr/dirmngr.spec
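Review bot: The tarball hash added here is a second copy of the entry SPECS/gnupg2's signatures file presumably carries for the same gnupg-2.4.9.tar.bz2, while the new entanglement set in check_entangled_specs.py compares only Version and Release, so the two copies can drift silently — for example if gnupg2 ever repoints Source0 to a re-rolled tarball under the same version, this package would keep verifying against the old hash with nothing flagging the mismatch. Either extend the entanglement check to also compare the Source0 signature, or record the manual step in the dirmngr.spec header, e.g. `# Keep dirmngr.signatures.json identical to gnupg2.signatures.json for the gnupg tarball.`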
@@ -0,0 +1,124 @@
+Summary: Network daemon for managing OpenPGP and X.509 keyservers from GnuPG
+Name: dirmngr
+Version: 2.4.9
+Release: 2%{?dist}
+License: BSD and CC0 and GPLv2+ and LGPLv2+
+Vendor: Microsoft Corporation
+Distribution: Azure Linux
+Group: Applications/Cryptography
+URL: https://gnupg.org/index.html
+# This spec is built from the GnuPG source tarball but ships ONLY the dirmngr
+# daemon and its helpers. The companion gnupg2 package owns everything else
+# from the same tarball.
+#
+# Why a separate spec instead of a gnupg2 subpackage:
+# * dirmngr needs a TLS backend (gnutls) to talk to HKPS/HTTPS keyservers
+# and gpg silently drops dirmngr from the install set when one is not
+# present. Adding `BuildRequires: gnutls-devel` to gnupg2.spec is not an
+# option because gnupg2 is part of the bootstrap toolchain
+# (see toolkit/scripts/toolchain/build_official_toolchain_rpms.sh) and
+# pulling gnutls (plus nettle, gmp, p11-kit, ...) into bootstrap would
+# cascade into a full toolchain regeneration on x86_64 and aarch64.
+# * Building dirmngr out-of-toolchain in its own spec keeps the bootstrap
+# untouched while restoring `gpg --recv-keys` from HKPS keyservers.
+#
+# Version and Release are kept in lockstep with gnupg2 via
+# toolkit/scripts/check_entangled_specs.py; bump them together when gnupg2
+# changes.
+#
+# NOTE: gnupg2.spec must NOT start linking against gnutls while this spec
+# exists, or both packages will try to own /usr/bin/dirmngr and conflict.
+# If that ever changes, retire this spec instead of keeping both.
+Source0: https://gnupg.org/ftp/gcrypt/gnupg/gnupg-%{version}.tar.bz2
+
+BuildRequires: zlib-devel
+BuildRequires: bzip2-devel
+BuildRequires: readline-devel
+BuildRequires: npth-devel >= 1.2
+BuildRequires: libassuan-devel >= 2.5.0
+BuildRequires: libksba-devel >= 1.3.4
+BuildRequires: libgcrypt-devel > 1.9.1
+BuildRequires: libgpg-error-devel >= 1.48
+# TLS backend that lets dirmngr talk to HKPS/HTTPS keyservers. Without one,
+# gnupg's configure silently disables dirmngr.
+BuildRequires: gnutls-devel
+# HKP/HTTP keyserver transport via libcurl.
+BuildRequires: curl-devel
+# LDAP keyserver helper (/usr/libexec/dirmngr_ldap).
+BuildRequires: openldap-devel
+
+Requires: gnupg2 = %{version}-%{release}
+Requires: libksba > 1.3.4
+Requires: libgcrypt >= 1.9.1
+Requires: libgpg-error >= 1.48
+Requires: npth >= 1.2
+Requires: libassuan >= 2.5.0
+
+Provides: gnupg2-dirmngr = %{version}-%{release}
+
+%description
+GnuPG's dirmngr daemon takes care of accessing OpenPGP keyservers (HKP, HKPS),
+X.509 CRL/OCSP responders, and LDAP directories on behalf of gpg and gpgsm.
+It is required by `gpg --keyserver ... --recv-keys` and other keyserver
+operations.
+
+This package is built from the same GnuPG source tarball as the `gnupg2`
+package but ships only the dirmngr binary, the dirmngr-client utility, the
+dirmngr_ldap LDAP helper and their manual pages. Its Version and Release are
+kept in lockstep with `gnupg2`.
+
+%prep
+%autosetup -p1 -n gnupg-%{version}
+# The CVE-2026-24882 patch carried by SPECS/gnupg2/gnupg2.spec only touches
+# tpm2d/tpm2.c, which is unrelated to dirmngr and not shipped by this spec,
+# so it is intentionally not applied here.
+
+%build
+# Keep configure flags aligned with SPECS/gnupg2/gnupg2.spec so the produced
+# dirmngr matches the gnupg2 build it co-installs with. --enable-gpg-is-gpg2
+# and --disable-keyboxd are inherited from that spec for the same reasons.
+%configure \
+ --enable-gpg-is-gpg2 \
+ --disable-keyboxd
+%make_build
+
+%install
+ln -sf gpg2.1 doc/gpg.1
+ln -sf gpgv2.1 doc/gpgv.1
+
+%make_install
+
+# This spec is scoped to dirmngr only. Prune every file produced by the
+# upstream build that is already owned by the gnupg2 package, using a
+# whitelist of dirmngr-related names so the prune is resilient to upstream
+# adding or removing unrelated helpers in the future.
+find %{buildroot}%{_bindir} -mindepth 1 -maxdepth 1 \
+ ! -name 'dirmngr' ! -name 'dirmngr-client' -delete
+[ -d %{buildroot}%{_sbindir} ] && find %{buildroot}%{_sbindir} -mindepth 1 -delete
+find %{buildroot}%{_libexecdir} -mindepth 1 -maxdepth 1 \
+ ! -name 'dirmngr*' -delete
+rm -rf %{buildroot}%{_datadir}/gnupg
+rm -rf %{buildroot}%{_datadir}/locale
+rm -rf %{buildroot}%{_infodir}
+rm -rf %{buildroot}%{_sysconfdir}/gnupg
+find %{buildroot}%{_mandir}/man1 -mindepth 1 ! -name 'dirmngr*' -delete
+[ -d %{buildroot}%{_mandir}/man7 ] && find %{buildroot}%{_mandir}/man7 -mindepth 1 -delete
+find %{buildroot}%{_mandir}/man8 -mindepth 1 ! -name 'dirmngr*' -delete
+
+%files
+%defattr(-,root,root)
+%license COPYING COPYING.CC0 COPYING.GPL2 COPYING.LGPL3 COPYING.LGPL21 COPYING.other
+%{_bindir}/dirmngr
+%{_bindir}/dirmngr-client
+%{_libexecdir}/dirmngr_ldap
+%{_mandir}/man8/dirmngr.*
+%{_mandir}/man1/dirmngr-client.*
+
+%changelog
+* Wed Jun 10 2026 Muhammad Falak - 2.4.9-2
+- Initial Azure Linux 3.0 packaging of dirmngr as a standalone spec sharing
+ the gnupg source tree, restoring HTTPS keyserver functionality lost when
+ gnutls was dropped from the toolchain. Version and Release are entangled
+ with gnupg2 via check_entangled_specs.py, so the first release is 2 to
+ match the current gnupg2 Release.
+- Fixes ADO 62225284 / GH#3142.
diff --git a/toolkit/scripts/check_entangled_specs.py b/toolkit/scripts/check_entangled_specs.py
index ba63a555712..094924f245a 100755
--- a/toolkit/scripts/check_entangled_specs.py
+++ b/toolkit/scripts/check_entangled_specs.py
@@ -59,6 +59,10 @@
 "SPECS/cyrus-sasl/cyrus-sasl.spec",
 "SPECS/cyrus-sasl-bootstrap/cyrus-sasl-bootstrap.spec"
 ]),
+ frozenset([
+ "SPECS/gnupg2/gnupg2.spec",
+ "SPECS/dirmngr/dirmngr.spec"
+ ]),
 frozenset([
 "SPECS/shim-unsigned-x64/shim-unsigned-x64.spec",
 "SPECS/shim-unsigned-aarch64/shim-unsigned-aarch64.spec"
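Review bot: The %prep comment only explains why the current tpm2d patch is skipped, but neither this spec (which carries no Patch lines) nor the entanglement (which compares Version and Release only) ensures that a future gnupg2.spec patch for code dirmngr does link — dirmngr/, common/, the HTTP/TLS paths — is mirrored here, so a CVE fix could land in gnupg2 while the shipped dirmngr stays unpatched at the same Version-Release; state the rule explicitly, e.g. `# Any patch added to gnupg2.spec that touches dirmngr/, common/ or the HTTP/TLS code MUST be carried here as well; the entanglement check only aligns Version/Release.` The comment above `BuildRequires: curl-devel` credits libcurl with HKP/HTTP transport, but as far as I can tell GnuPG 2.1 and later do not link libcurl (dirmngr uses its own http module over gnutls), so confirm in config.log and drop that BuildRequires with its comment if unused rather than carry a dependency the build never consumes. For HKPS certificate verification at runtime dirmngr needs a system CA store (or an explicit --hkp-cacert), which none of the explicit Requires provides; if the distro's CA bundle package (ca-certificates, if that is its name here) is not already pulled in transitively, add it. Minor: the runtime Requires use `libksba > 1.3.4` and `libgcrypt >= 1.9.1` while the matching BuildRequires use `>=` and `>`; align the comparators per library.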