ghostfox/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

push sheeet
Some checks failed
Periodic Merges (6h) / master → staging-nixos (push) Failing after 12m50s
Details
Periodic Merges (6h) / master → staging-next (push) Failing after 12m54s
Details
Periodic Merges (24h) / merge-base(master,staging) → haskell-updates (push) Failing after 11m54s
Details
Periodic Merges (6h) / staging-next → staging (push) Failing after 12m13s
Details
Periodic Merges (24h) / staging-next-25.05 → staging-25.05 (push) Failing after 13m24s
Details
Periodic Merges (24h) / release-25.05 → staging-next-25.05 (push) Failing after 14m28s
Details

Browse Source
This commit is contained in:
Dark Steveneq
2025-10-09 14:15:47 +02:00
commit 646b892680
49168 changed files with 5897842 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
pkgs/tools/security/gnupg/1compat.nix Normal file
View File

@@ -0,0 +1,35 @@
{
stdenv,
gnupg,
coreutils,
writeScript,
}:
stdenv.mkDerivation {
pname = "gnupg1compat";
version = gnupg.version;
builder = writeScript "gnupg1compat-builder" ''
PATH=${coreutils}/bin
# First symlink all top-level dirs
mkdir -p $out
ln -s "${gnupg}/"* $out
# Replace bin with directory and symlink it contents
rm $out/bin
mkdir -p $out/bin
ln -s "${gnupg}/bin/"* $out/bin
# Add symlinks for any executables that end in 2 and lack any non-*2 version
for f in $out/bin/*2; do
[[ -x $f ]] || continue # ignore failed globs and non-executable files
[[ -e ''${f%2} ]] && continue # ignore commands that already have non-*2 versions
ln -s -- "''${f##*/}" "''${f%2}"
done
'';
meta = gnupg.meta // {
description = gnupg.meta.description + " with symbolic links for gpg and gpgv";
priority = -1;
};
}

220
pkgs/tools/security/gnupg/24.nix Normal file
View File

@@ -0,0 +1,220 @@
{
lib,
stdenv,
fetchurl,
fetchFromGitLab,
buildPackages,
pkg-config,
texinfo,
gettext,
libassuan,
libgcrypt,
libgpg-error,
libiconv,
libksba,
npth,
adns,
bzip2,
gnutls,
libusb1,
openldap,
readline,
sqlite,
zlib,
openssh,
enableMinimal ? false,
withPcsc ? !enableMinimal,
pcsclite,
guiSupport ? stdenv.hostPlatform.isDarwin,
pinentry,
withTpm2Tss ? !stdenv.hostPlatform.isDarwin && !enableMinimal,
tpm2-tss,
nixosTests,
}:
assert guiSupport -> !enableMinimal;
stdenv.mkDerivation rec {
pname = "gnupg";
version = "2.4.8";
src = fetchurl {
url = "mirror://gnupg/gnupg/${pname}-${version}.tar.bz2";
hash = "sha256-tYyA15sE0yQ/9JwcP8a1+DE46zeEaJVjvN0GBZUxhhY=";
};
depsBuildBuild = [ buildPackages.stdenv.cc ];
nativeBuildInputs = [
# XXX: do not add autoreconfHook without very careful testing!
# Problems that were identified during the last attempt:
# • Prints a warning about being a development version not
# suitable for production use.
# • Smartcards do not work, at least without pcscd.
pkg-config
texinfo
libgpg-error
];
buildInputs = [
gettext
libassuan
libgcrypt
libgpg-error
libiconv
libksba
npth
]
++ lib.optionals (!enableMinimal) [
adns
bzip2
gnutls
libusb1
openldap
readline
sqlite
zlib
]
++ lib.optionals withTpm2Tss [ tpm2-tss ];
# FreePG (https://freepg.org) is a set of commonly-used patches for GnuPG that
# have not been merged upstream. It is used by Arch Linux, Debian, Fedora and
# NixOS, and is maintained by Andrew Gallagher.
#
# The main purpose of including these patches in Nixpkgs is to maintain
# compatibility with OpenPGP.
#
freepgPatches = fetchFromGitLab {
domain = "gitlab.com";
owner = "freepg";
repo = "gnupg";
rev = "361c223eb00ca372fbf9506f5150ddbec193936f";
hash = "sha256-hRuwrB6G2vjp7Md6m+cwoi7g4GtW0sazAEN5RC+AKdg=";
};
patches = [
# Without this, scdaemon isn't linked to libusb, causing smartcards to not work correctly
./fix-libusb-include-path.patch
# Use pkg-config to find tss2-esys to fix static building
# Submitted upstream: https://dev.gnupg.org/D606
# The diff is larger than upstream because configure.ac was modified,
# requiring configure to be regenerated. For reasons we don't totally
# understand, regenerating configure has all sorts of other undesirable
# side effects. So to unbreak things, instead of regenerating configure,
# we can include just the configure changes relevant to the static patch
# in the patch file.
./static.patch
]
++ lib.map (v: "${freepgPatches}/STABLE-BRANCH-2-4-freepg/" + v) [
"0002-gpg-accept-subkeys-with-a-good-revocation-but-no-sel.patch"
"0003-gpg-allow-import-of-previously-known-keys-even-witho.patch"
"0004-tests-add-test-cases-for-import-without-uid.patch"
"0005-gpg-drop-import-clean-from-default-keyserver-import-.patch"
"0008-avoid-systemd-deprecation-warning.patch"
"0009-Add-systemd-support-for-keyboxd.patch"
"0010-Ship-sample-systemd-unit-files.patch"
"0011-el-gamal-default-to-3072-bits.patch"
"0012-gpg-default-digest-algorithm-SHA512.patch"
"0013-gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch"
"0018-Avoid-simple-memory-dumps-via-ptrace.patch"
"0019-Disallow-compressed-signatures-and-certificates.patch"
"0020-ssh-agent-emulation-under-systemd-inject-SSH_AUTH_SO.patch"
"0021-gpg-Sync-compliance-mode-cleanup-with-master.patch"
"0022-gpg-emit-RSA-pubkey-algorithm-when-in-compatibility-.patch"
"0023-gpg-Reintroduce-openpgp-as-distinct-from-rfc4880.patch"
"0024-gpg-Emit-LibrePGP-material-only-in-compliance-gnupg.patch"
"0025-gpg-gpgconf-list-report-actual-compliance-mode.patch"
"0026-gpg-Default-to-compliance-openpgp.patch"
"0027-gpg-Fix-newlines-in-Cleartext-Signature-Framework-CS.patch"
"0029-Add-keyboxd-systemd-support.patch"
"0033-Support-large-RSA-keygen-in-non-batch-mode.patch"
"0034-gpg-Verify-Text-mode-Signatures-over-binary-Literal-.patch"
];
postPatch =
# Switch the default key server to keys.openpgp.org
# The original motivation in 2019 was to switch away from the then-default SKS network: https://github.com/NixOS/nixpkgs/pull/63952
# In 2021 upstream also switched away, but to keyserver.ubuntu.com: https://dev.gnupg.org/rG47c4e3e00a7ef55f954c14b3c237496e54a853c1,
# while NixOS kept the keys.openpgp.org default: https://github.com/NixOS/nixpkgs/pull/159604
# TODO: Should this patch be removed so that the now-uncompromised default is used once again?
# A significant difference between the two seems to be that keys.openpgp.org is verifying keys, while keyserver.ubuntu.com isn't: https://unix.stackexchange.com/a/694528
# The keys.openpgp.org also has a great FAQ: https://keys.openpgp.org/about/faq
''
sed -i 's,\(hkps\|https\)://keyserver.ubuntu.com,hkps://keys.openpgp.org,g' configure configure.ac doc/dirmngr.texi doc/gnupg.info-1
''
+ lib.optionalString (stdenv.hostPlatform.isLinux && withPcsc) ''
sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c
'';
env.NIX_CFLAGS_COMPILE = lib.optionalString stdenv.hostPlatform.isDarwin "-Wno-implicit-function-declaration";
configureFlags = [
"--sysconfdir=/etc"
# Needed for large RSA key support (patch 0033)
"--enable-large-secmem"
"--with-libgpg-error-prefix=${libgpg-error.dev}"
"--with-libgcrypt-prefix=${libgcrypt.dev}"
"--with-libassuan-prefix=${libassuan.dev}"
"--with-ksba-prefix=${libksba.dev}"
"GPGRT_CONFIG=${lib.getDev libgpg-error}/bin/gpgrt-config"
]
++ lib.optional guiSupport "--with-pinentry-pgm=${pinentry}/${
pinentry.binaryPath or "bin/pinentry"
}"
++ lib.optional withTpm2Tss "--with-tss=intel"
++ lib.optional stdenv.hostPlatform.isDarwin "--disable-ccid-driver";
postInstall =
if enableMinimal then
''
rm -r $out/{libexec,sbin,share}
for f in $(find $out/bin -type f -not -name gpg)
do
rm $f
done
''
else
''
# add gpg2 symlink to make sure git does not break when signing commits
ln -s $out/bin/gpg $out/bin/gpg2
# Make libexec tools available in PATH
for f in $out/libexec/*; do
if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi
ln -s $f $out/bin/$(basename $f)
done
'';
enableParallelBuilding = true;
nativeCheckInputs = [
# A test would be skipped without SSH
openssh
];
doCheck = !enableMinimal;
passthru.tests = nixosTests.gnupg;
meta = with lib; {
homepage = "https://gnupg.org";
changelog = "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=${pname}.git;a=blob;f=NEWS;hb=refs/tags/${pname}-${version}";
description = "Modern release of the GNU Privacy Guard, a GPL OpenPGP implementation";
license = licenses.gpl3Plus;
longDescription = ''
The GNU Privacy Guard is the GNU project's complete and free
implementation of the OpenPGP standard as defined by RFC4880. GnuPG
"modern" (2.1) is the latest development with a lot of new features.
GnuPG allows to encrypt and sign your data and communication, features a
versatile key management system as well as access modules for all kind of
public key directories. GnuPG, also known as GPG, is a command line tool
with features for easy integration with other applications. A wealth of
frontend applications and libraries are available. Version 2 of GnuPG
also provides support for S/MIME.
'';
maintainers = with maintainers; [
fpletz
sgo
];
platforms = platforms.all;
mainProgram = "gpg";
};
}

12
pkgs/tools/security/gnupg/fix-libusb-include-path.patch Normal file
View File

@@ -0,0 +1,12 @@
--- a/configure
+++ b/configure
@@ -9281,8 +9281,7 @@ fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking libusb include dir" >&5
$as_echo_n "checking libusb include dir... " >&6; }
usb_incdir_found="no"
- for _incdir in "" "/usr/include/libusb-1.0" \
- "/usr/local/include/libusb-1.0" "/usr/pkg/include/libusb-1.0"; do
+ for _incdir in "$($PKG_CONFIG --variable=includedir libusb-1.0)/libusb-1.0"; do
_libusb_save_cppflags=$CPPFLAGS
if test -n "${_incdir}"; then
CPPFLAGS="-I${_incdir} ${CPPFLAGS}"

216
pkgs/tools/security/gnupg/static.patch Normal file
View File

@@ -0,0 +1,216 @@
From 6a426b8093cf6633425d08a2d33ed24d200473a0 Mon Sep 17 00:00:00 2001
From: Alyssa Ross <hi@alyssa.is>
Date: Sun, 9 Feb 2025 08:51:32 +0100
Subject: [PATCH] build: use pkg-config to find tss2-esys
Otherwise, tss2-esys's dependencies (other tss2 libraries, OpenSSL)
won't be linked when tss2-esys is a static library.
---
Link: https://dev.gnupg.org/D606
configure | 131 +++++++++++++++++++++++++++++----------------------
configure.ac | 5 +-
2 files changed, 76 insertions(+), 60 deletions(-)
diff --git a/configure b/configure
index 59f027d..f53c99d 100755
--- a/configure
+++ b/configure
@@ -669,12 +669,12 @@ TEST_LIBTSS_FALSE
TEST_LIBTSS_TRUE
HAVE_LIBTSS_FALSE
HAVE_LIBTSS_TRUE
-LIBTSS_CFLAGS
-LIBTSS_LIBS
SWTPM
TSSSTARTUP
TPMSERVER
TSS_INCLUDE
+LIBTSS_LIBS
+LIBTSS_CFLAGS
W32SOCKLIBS
NETLIBS
CROSS_COMPILING_FALSE
@@ -1005,7 +1005,9 @@ PKG_CONFIG_LIBDIR
SQLITE3_CFLAGS
SQLITE3_LIBS
LIBGNUTLS_CFLAGS
-LIBGNUTLS_LIBS'
+LIBGNUTLS_LIBS
+LIBTSS_CFLAGS
+LIBTSS_LIBS'
# Initialize some variables set by options.
@@ -1771,6 +1773,9 @@ Some influential environment variables:
C compiler flags for LIBGNUTLS, overriding pkg-config
LIBGNUTLS_LIBS
linker flags for LIBGNUTLS, overriding pkg-config
+ LIBTSS_CFLAGS
+ C compiler flags for LIBTSS, overriding pkg-config
+ LIBTSS_LIBS linker flags for LIBTSS, overriding pkg-config
Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.
@@ -15465,64 +15470,77 @@ else
fi
elif test "$with_tss" = intel; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing Esys_Initialize" >&5
-$as_echo_n "checking for library containing Esys_Initialize... " >&6; }
-if ${ac_cv_search_Esys_Initialize+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char Esys_Initialize ();
-int
-main ()
-{
-return Esys_Initialize ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' tss2-esys; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_Esys_Initialize=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_Esys_Initialize+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_Esys_Initialize+:} false; then :
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LIBTSS" >&5
+$as_echo_n "checking for LIBTSS... " >&6; }
+if test -n "$LIBTSS_CFLAGS"; then
+ pkg_cv_LIBTSS_CFLAGS="$LIBTSS_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+ if test -n "$PKG_CONFIG" && \
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"tss2-esys tss2-mu tss2-rc tss2-tctildr\""; } >&5
+ ($PKG_CONFIG --exists --print-errors "tss2-esys tss2-mu tss2-rc tss2-tctildr") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }; then
+ pkg_cv_LIBTSS_CFLAGS=`$PKG_CONFIG --cflags "tss2-esys tss2-mu tss2-rc tss2-tctildr" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
else
- ac_cv_search_Esys_Initialize=no
+ pkg_failed=yes
fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
+ else
+ pkg_failed=untried
fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_Esys_Initialize" >&5
-$as_echo "$ac_cv_search_Esys_Initialize" >&6; }
-ac_res=$ac_cv_search_Esys_Initialize
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
- have_libtss=Intel
+if test -n "$LIBTSS_LIBS"; then
+ pkg_cv_LIBTSS_LIBS="$LIBTSS_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+ if test -n "$PKG_CONFIG" && \
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"tss2-esys tss2-mu tss2-rc tss2-tctildr\""; } >&5
+ ($PKG_CONFIG --exists --print-errors "tss2-esys tss2-mu tss2-rc tss2-tctildr") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }; then
+ pkg_cv_LIBTSS_LIBS=`$PKG_CONFIG --libs "tss2-esys tss2-mu tss2-rc tss2-tctildr" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
else
- as_fn_error $? "Intel TPM Software Stack requested but not found" "$LINENO" 5
+ pkg_failed=yes
+fi
+ else
+ pkg_failed=untried
fi
+
+
+if test $pkg_failed = yes; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+ _pkg_short_errors_supported=yes
+else
+ _pkg_short_errors_supported=no
+fi
+ if test $_pkg_short_errors_supported = yes; then
+ LIBTSS_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "tss2-esys tss2-mu tss2-rc tss2-tctildr" 2>&1`
+ else
+ LIBTSS_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "tss2-esys tss2-mu tss2-rc tss2-tctildr" 2>&1`
+ fi
+ # Put the nasty error message in config.log where it belongs
+ echo "$LIBTSS_PKG_ERRORS" >&5
+
+ as_fn_error $? "Intel TPM Software Stack requested but not found" "$LINENO" 5
+elif test $pkg_failed = untried; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ as_fn_error $? "Intel TPM Software Stack requested but not found" "$LINENO" 5
+else
+ LIBTSS_CFLAGS=$pkg_cv_LIBTSS_CFLAGS
+ LIBTSS_LIBS=$pkg_cv_LIBTSS_LIBS
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ have_libtss=Intel
+fi
else
as_fn_error $? "Invalid TPM Software Stack requested: $with_tss" "$LINENO" 5
fi
@@ -15616,7 +15634,6 @@ $as_echo "$as_me: WARNING: Need Esys_TR_GetTpmHandle API (usually requires Intel
fi
- LIBTSS_LIBS="$LIBS -ltss2-mu -ltss2-rc -ltss2-tctildr"
$as_echo "#define HAVE_INTEL_TSS 1" >>confdefs.h
diff --git a/configure.ac b/configure.ac
index dc44465..92880e6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1574,8 +1574,8 @@ if test "$build_tpm2d" = "yes"; then
AC_SEARCH_LIBS([TSS_Create],[tss ibmtss],have_libtss=IBM,
[AC_MSG_ERROR([IBM TPM Software Stack requested but not found])])
elif test "$with_tss" = intel; then
- AC_SEARCH_LIBS([Esys_Initialize],[tss2-esys],have_libtss=Intel,
- [AC_MSG_ERROR([Intel TPM Software Stack requested but not found])])
+ PKG_CHECK_MODULES([LIBTSS], [tss2-esys tss2-mu tss2-rc tss2-tctildr],have_libtss=Intel,
+ [AC_MSG_ERROR([Intel TPM Software Stack requested but not found])])
else
AC_MSG_ERROR([Invalid TPM Software Stack requested: $with_tss])
fi
@@ -1605,7 +1605,6 @@ if test "$build_tpm2d" = "yes"; then
AC_MSG_WARN([Need Esys_TR_GetTpmHandle API (usually requires Intel TSS 2.4.0 or later, disabling TPM support)])
have_libtss=no
])
- LIBTSS_LIBS="$LIBS -ltss2-mu -ltss2-rc -ltss2-tctildr"
AC_DEFINE(HAVE_INTEL_TSS, 1, [Defined if we have the Intel TSS])
fi
LIBS="$_save_libs"
--
2.47.2

201
pkgs/tools/security/gnupg/tests-add-test-cases-for-import-without-uid.patch Normal file
View File

@@ -0,0 +1,201 @@
From: Vincent Breitmoser <look@my.amazin.horse>
Date: Thu, 13 Jun 2019 21:27:41 +0200
Subject: tests: add test cases for import without uid
This commit adds a test case that does the following, in order:
- Import of a primary key plus user id
- Check that import of a subkey works, without a user id present in the
imported key
- Check that import of a subkey revocation works, without a user id or
subkey binding signature present in the imported key
- Check that import of a primary key revocation works, without a user id
present in the imported key
--
Note that this test currently fails. The following changesets will
fix gpg so that the tests pass.
GnuPG-Bug-id: 4393
Signed-Off-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
tests/openpgp/Makefile.am | 1 +
tests/openpgp/import-incomplete.scm | 68 ++++++++++++++++++++++
.../import-incomplete/primary+revocation.asc | 9 +++
.../primary+subkey+sub-revocation.asc | 10 ++++
.../import-incomplete/primary+subkey+sub-sig.asc | 10 ++++
.../openpgp/import-incomplete/primary+uid-sig.asc | 10 ++++
tests/openpgp/import-incomplete/primary+uid.asc | 10 ++++
7 files changed, 118 insertions(+)
create mode 100755 tests/openpgp/import-incomplete.scm
create mode 100644 tests/openpgp/import-incomplete/primary+revocation.asc
create mode 100644 tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc
create mode 100644 tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc
create mode 100644 tests/openpgp/import-incomplete/primary+uid-sig.asc
create mode 100644 tests/openpgp/import-incomplete/primary+uid.asc
diff --git a/tests/openpgp/Makefile.am b/tests/openpgp/Makefile.am
index f6014c9..6423da1 100644
--- a/tests/openpgp/Makefile.am
+++ b/tests/openpgp/Makefile.am
@@ -78,6 +78,7 @@ XTESTS = \
gpgv-forged-keyring.scm \
armor.scm \
import.scm \
+ import-incomplete.scm \
import-revocation-certificate.scm \
ecc.scm \
4gb-packet.scm \
diff --git a/tests/openpgp/import-incomplete.scm b/tests/openpgp/import-incomplete.scm
new file mode 100755
index 0000000..727a027
--- /dev/null
+++ b/tests/openpgp/import-incomplete.scm
@@ -0,0 +1,68 @@
+#!/usr/bin/env gpgscm
+
+;; Copyright (C) 2016 g10 Code GmbH
+;;
+;; This file is part of GnuPG.
+;;
+;; GnuPG is free software; you can redistribute it and/or modify
+;; it under the terms of the GNU General Public License as published by
+;; the Free Software Foundation; either version 3 of the License, or
+;; (at your option) any later version.
+;;
+;; GnuPG is distributed in the hope that it will be useful,
+;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;; GNU General Public License for more details.
+;;
+;; You should have received a copy of the GNU General Public License
+;; along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+(load (in-srcdir "tests" "openpgp" "defs.scm"))
+(setup-environment)
+
+(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+uid.asc")))
+
+(info "Test import of new subkey, from a certificate without uid")
+(define keyid "573EA710367356BB")
+(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+subkey+sub-sig.asc")))
+(tr:do
+ (tr:pipe-do
+ (pipe:gpg `(--list-keys --with-colons ,keyid)))
+ (tr:call-with-content
+ (lambda (c)
+ ;; XXX we do not have a regexp library
+ (unless (any (lambda (line)
+ (and (string-prefix? line "sub:")
+ (string-contains? line "573EA710367356BB")))
+ (string-split-newlines c))
+ (exit 1)))))
+
+(info "Test import of a subkey revocation, from a certificate without uid")
+(define keyid "573EA710367356BB")
+(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+subkey+sub-revocation.asc")))
+(tr:do
+ (tr:pipe-do
+ (pipe:gpg `(--list-keys --with-colons ,keyid)))
+ (tr:call-with-content
+ (lambda (c)
+ ;; XXX we do not have a regexp library
+ (unless (any (lambda (line)
+ (and (string-prefix? line "sub:r:")
+ (string-contains? line "573EA710367356BB")))
+ (string-split-newlines c))
+ (exit 1)))))
+
+(info "Test import of revocation, from a certificate without uid")
+(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+revocation.asc")))
+(tr:do
+ (tr:pipe-do
+ (pipe:gpg `(--list-keys --with-colons ,keyid)))
+ (tr:call-with-content
+ (lambda (c)
+ ;; XXX we do not have a regexp library
+ (unless (any (lambda (line)
+ (and (string-prefix? line "pub:r:")
+ (string-contains? line "0843DA969AA8DAFB")))
+ (string-split-newlines c))
+ (exit 1)))))
+
diff --git a/tests/openpgp/import-incomplete/primary+revocation.asc b/tests/openpgp/import-incomplete/primary+revocation.asc
new file mode 100644
index 0000000..6b7b608
--- /dev/null
+++ b/tests/openpgp/import-incomplete/primary+revocation.asc
@@ -0,0 +1,9 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: [E] primary key, revocation signature over primary (no user ID)
+
+mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
+631VAN2IeAQgFggAIBYhBLRpj5W82H/gSMzKKQhD2paaqNr7BQJc2ZQZAh0AAAoJ
+EAhD2paaqNr7qAwA/2jBUpnN0BxwRO/4CrxvrLIsL+C9aSXJUOTv8XkP4lvtAQD3
+XsDFfFNgEueiTfF7HtOGt5LPmRqVvUpQSMVgJJW6CQ==
+=tM90
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc b/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc
new file mode 100644
index 0000000..83a51a5
--- /dev/null
+++ b/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc
@@ -0,0 +1,10 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: [D] primary key, subkey, subkey revocation (no user ID)
+
+mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
+631VAN24OARc2ZQhEgorBgEEAZdVAQUBAQdABsd5ha0AWXdXcSmfeiWIfrNcGqQK
+j++lwwWDAOlkVicDAQgHiHgEKBYIACAWIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC
+XNmnkAIdAgAKCRAIQ9qWmqja+ylaAQDmIKf86BJEq4OpDqU+V9D+wn2cyuxbyWVQ
+3r9LiL9qNwD/QAjyrhSN8L3Mfq+wdTHo5i0yB9ZCCpHLXSbhCqfWZwQ=
+=dwx2
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc b/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc
new file mode 100644
index 0000000..dc47a02
--- /dev/null
+++ b/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc
@@ -0,0 +1,10 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: [B] primary key, subkey, subkey binding sig (no user ID)
+
+mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
+631VAN24OARc2ZQhEgorBgEEAZdVAQUBAQdABsd5ha0AWXdXcSmfeiWIfrNcGqQK
+j++lwwWDAOlkVicDAQgHiHgEGBYIACAWIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC
+XNmUIQIbDAAKCRAIQ9qWmqja++vFAP98G1L+1/rWTGbsnxOAV2RocBYIroAvsbkR
+Ly6FdP8YNwEA7jOgT05CoKIe37MstpOz23mM80AK369Ca3JMmKKCQgg=
+=xuDu
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tests/openpgp/import-incomplete/primary+uid-sig.asc b/tests/openpgp/import-incomplete/primary+uid-sig.asc
new file mode 100644
index 0000000..134607d
--- /dev/null
+++ b/tests/openpgp/import-incomplete/primary+uid-sig.asc
@@ -0,0 +1,10 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: [C] primary key and self-sig expiring in 2024 (no user ID)
+
+mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
+631VAN2IlgQTFggAPgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBLRpj5W8
+2H/gSMzKKQhD2paaqNr7BQJc2ZR1BQkJZgHcAAoJEAhD2paaqNr79soA/0lWkUsu
+3NLwgbni6EzJxnTzgeNMpljqNpipHAwfix9hAP93AVtFdC8g7hdUZxawobl9lnSN
+9ohXOEBWvdJgVv2YAg==
+=KWIK
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tests/openpgp/import-incomplete/primary+uid.asc b/tests/openpgp/import-incomplete/primary+uid.asc
new file mode 100644
index 0000000..055f300
--- /dev/null
+++ b/tests/openpgp/import-incomplete/primary+uid.asc
@@ -0,0 +1,10 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: [A] primary key, user ID, and self-sig expiring in 2021
+
+mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
+631VAN20CHRlc3Qga2V5iJYEExYIAD4WIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC
+XNmUGQIbAwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAIQ9qWmqja
++0G1AQDdQiwhXxjXLMqoth+D4SigVHTJK8ORwifzsy3UE7mPGwD/aZ67XbAF/lgI
+kv2O1Jo0u9BL9RNNF+L0DM7rAFbfMAs=
+=1eII
+-----END PGP PUBLIC KEY BLOCK-----