LinuxQuestions.org
Gentoo This forum is for the discussion of Gentoo Linux.

Old 11-22-2011, 06:34 PM   #1
richinsc
Member
 
Registered: Mar 2007
Location: Utah
Distribution: Ubuntu Linux (20.04)
Posts: 224

Rep: Reputation: 32
HOWTO: Patching GnuPG and KGpg for 8192-bit keys


First a disclaimer. I assume no responsibility for problems caused by these instructions. The gentoo developers are also not responsible for supporting these instructions. I make these instructions freely available to the community. Proceed at your own risk.

Currently these instructions only cover GnuPG. I was working on the kgpg patch when I hit a snag. I was able to create a patch but haven't had success in applying it because the ebuild structure is completely different from the gnupg structure. I will include instructions for the kgpg patch in an edit at a later time.

Feel free to recommend this for a sticky

I recently read a Debian article on patching gnupg to allow for key sizes up to 8192 bits. Having modified source before, I was aware of the overall process for creating a patch. However, having switched from Debian to Gentoo, I was completely lost in how to patch a Gentoo ebuild.

Logging into #gentoo-amd64 via irc.freenode.com I was able to garner an overview of Gentoo's portage and gain some starting points of reference. Below are the steps I took and the resources I used to achieve a successful patching of gnupg and kgpg.

First, the resources that led me through the process. I didn't understand what I was doing even after reading the docs until after I was successfully able to build a custom Gentoo package, otherwise known as an overlay. It took me 3 days to figure out how to make it work; however, the reason was that I was being stupid and not seeing past the edge of my nose on some things.

Resources:
http://gagravarr.livejournal.com/137173.html - The article that started it all.
http://www.debian-administration.org.../dkg/weblog/48
http://en.gentoo-wiki.com/wiki/Writing_Ebuilds - This is what you need the most
http://www.gentoo.org/proj/en/overlays/userguide.xml
http://packages.gentoo.org/package/app-crypt/gnupg
http://devmanual.gentoo.org/


When I first started this I had to determine what version of gnupg I was using. emerge --search gnupg led me to this result.

Code:
$ emerge --search gnupg
Searching...    
[ Results for search key : gnupg ]
[ Applications found : 8 ]

*  app-crypt/gnupg
      Latest version available: 2.0.17
      Latest version installed: 2.0.17
      Size of files: 3,903 kB
      Homepage:      http://www.gnupg.org/
      Description:   The GNU Privacy Guard, a GPL pgp replacement
      License:       GPL-3

truncated....
When I first started and looked at this I really didn't pay attention to the version that much other than knowing that I was running version 2.0.17. When I started reading the ebuild instructions, I saw this in my /usr/portage/app-crypt/gnupg/ directory

Code:
$ ls /usr/portage/app-crypt/gnupg/
ChangeLog  files                gnupg-2.0.17-r2.ebuild  gnupg-2.0.17.ebuild  metadata.xml
Manifest   gnupg-1.4.11.ebuild  gnupg-2.0.17-r3.ebuild  gnupg-2.0.18.ebuild
This is where the 3-day problem started, because I kept trying to work with gnupg-2.0.17-r3.ebuild, not realizing that I was using the completely wrong ebuild. Don't make this mistake; make sure you explicitly check what version you are running. What caused me to see the error of my own stupidity was the Gentoo package status page on the Gentoo package repository, http://packages.gentoo.org/package/app-crypt/gnupg. It wasn't until I saw that gnupg-2.0.17-r3 was listed as unstable that I realized that I had wasted all my time trying to make a masked package work. Once I realized this I was able to get back on track.

So without my blind stupidity I present the steps I used to patch a custom version of gnupg.

After obtaining your version information you need to determine where the package source should be downloaded from. I used the following to figure this out.

Code:
# emerge -f gnupg -pv

These are the packages that would be fetched, in order:

Calculating dependencies... done!

http://mirror.lug.udel.edu/pub/gentoo/distfiles/gnupg-2.0.17.tar.bz2 ftp://ftp.lug.udel.edu/pub/gentoo/distfiles/gnupg-2.0.17.tar.bz2 http://mirror.datapipe.net/gentoo/distfiles/gnupg-2.0.17.tar.bz2 rsync://gentoo.mirrors.tds.net/gentoo/distfiles/gnupg-2.0.17.tar.bz2 ftp://gentoo.mirrors.tds.net/gentoo/distfiles/gnupg-2.0.17.tar.bz2 rsync://rsync.gtlib.gatech.edu/gentoo/distfiles/gnupg-2.0.17.tar.bz2 ftp://ftp.gtlib.gatech.edu/pub/gentoo/distfiles/gnupg-2.0.17.tar.bz2 http://gnupg.wildyou.net/gnupg/gnupg-2.0.17.tar.bz2 http://ftp.gnupg.zone-h.org/gnupg/gnupg-2.0.17.tar.bz2 http://public.planetmirror.com/pub/gnupg/gnupg-2.0.17.tar.bz2 http://www.mirror386.com/gnupg/gnupg/gnupg-2.0.17.tar.bz2 ftp://ftp.ring.gr.jp/pub/net/gnupg/gnupg/gnupg-2.0.17.tar.bz2 ftp://ftp.linux.it/pub/mirrors/gnupg/gnupg/gnupg-2.0.17.tar.bz2 http://sunsite.rediris.es/mirror/gnupg/gnupg/gnupg-2.0.17.tar.bz2 ftp://sunsite.icm.edu.pl/pub/security/gnupg/gnupg/gnupg-2.0.17.tar.bz2 ftp://ftp.demon.nl/pub/mirrors/gnupg/gnupg/gnupg-2.0.17.tar.bz2 ftp://ftp.cert.dfn.de/pub/tools/crypt/gcrypt/gnupg/gnupg-2.0.17.tar.bz2 ftp://gd.tuwien.ac.at/privacy/gnupg/gnupg/gnupg-2.0.17.tar.bz2 http://www.ring.gr.jp/pub/net/gnupg/gnupg/gnupg-2.0.17.tar.bz2 ftp://ftp.surfnet.nl/pub/security/gnupg/gnupg/gnupg-2.0.17.tar.bz2 ftp://ftp.bit.nl/mirror/gnupg/gnupg-2.0.17.tar.bz2 ftp://ftp.franken.de/pub/crypt/mirror/ftp.gnupg.org/gcrypt/gnupg/gnupg-2.0.17.tar.bz2 ftp://pgp.iijlab.net/pub/pgp/gnupg/gnupg-2.0.17.tar.bz2 ftp://ftp.rediris.es/mirror/gnupg/gnupg/gnupg-2.0.17.tar.bz2 http://gulus.usherbrooke.ca/pub/appl/GnuPG/gnupg/gnupg-2.0.17.tar.bz2 ftp://ftp.hi.is/pub/mirrors/gnupg/gnupg/gnupg-2.0.17.tar.bz2 http://ftp.uoi.gr/mirror/gcrypt/gnupg/gnupg-2.0.17.tar.bz2 ftp://igloo.linux.gr/pub/crypto/gnupg/gnupg/gnupg-2.0.17.tar.bz2 http://ftp.linux.it/pub/mirrors/gnupg/gnupg/gnupg-2.0.17.tar.bz2 ftp://ftp.iasi.roedu.net/pub/mirrors/ftp.gnupg.org/gnupg/gnupg-2.0.17.tar.bz2 
ftp://ftp.uoi.gr/mirror/gcrypt/gnupg/gnupg-2.0.17.tar.bz2 http://ftp.gnupg.tsuren.net/gnupg/gnupg-2.0.17.tar.bz2 http://gnupg.unixmexico.org/ftp/gnupg/gnupg
I only needed the first one, so I copied the link and ran wget to download the source to my home directory.

Code:
$ wget http://mirror.lug.udel.edu/pub/gentoo/distfiles/gnupg-2.0.17.tar.bz2
$ ls gnupg-2.0.17.tar.bz2
gnupg-2.0.17.tar.bz2
Once the source was downloaded I realized I needed to make a patch, so I created two subdirectories under my home directory named a and b.

Code:
$ ls ~/
a/ b/
truncated...
After creating the two directories I extracted the contents of the source file I downloaded.

Code:
$ tar -jxvf gnupg-2.0.17.tar.bz2 -C a/      
gnupg-2.0.17/
gnupg-2.0.17/agent/
gnupg-2.0.17/agent/protect.c
gnupg-2.0.17/agent/trans.c
gnupg-2.0.17/agent/genkey.c
gnupg-2.0.17/agent/command.c
gnupg-2.0.17/agent/protect-tool.c
gnupg-2.0.17/agent/minip12.h
gnupg-2.0.17/agent/agent.h
gnupg-2.0.17/agent/findkey.c
gnupg-2.0.17/agent/preset-passphrase.c
gnupg-2.0.17/agent/call-pinentry.c
gnupg-2.0.17/agent/gpg-agent.c
gnupg-2.0.17/agent/pkdecrypt.c
gnupg-2.0.17/agent/ChangeLog
gnupg-2.0.17/agent/pksign.c
gnupg-2.0.17/agent/call-scd.c
gnupg-2.0.17/agent/learncard.c
gnupg-2.0.17/agent/cache.c
gnupg-2.0.17/agent/minip12.c
gnupg-2.0.17/agent/Makefile.am
gnupg-2.0.17/agent/command-ssh.c

truncated....

$ tar -jxvf gnupg-2.0.17.tar.bz2 -C b/      
gnupg-2.0.17/
gnupg-2.0.17/agent/
gnupg-2.0.17/agent/protect.c
gnupg-2.0.17/agent/trans.c
gnupg-2.0.17/agent/genkey.c
gnupg-2.0.17/agent/command.c
gnupg-2.0.17/agent/protect-tool.c
gnupg-2.0.17/agent/minip12.h
gnupg-2.0.17/agent/agent.h
gnupg-2.0.17/agent/findkey.c
gnupg-2.0.17/agent/preset-passphrase.c
gnupg-2.0.17/agent/call-pinentry.c
gnupg-2.0.17/agent/gpg-agent.c
gnupg-2.0.17/agent/pkdecrypt.c
gnupg-2.0.17/agent/ChangeLog
gnupg-2.0.17/agent/pksign.c
gnupg-2.0.17/agent/call-scd.c
gnupg-2.0.17/agent/learncard.c
gnupg-2.0.17/agent/cache.c
gnupg-2.0.17/agent/minip12.c
gnupg-2.0.17/agent/Makefile.am
gnupg-2.0.17/agent/command-ssh.c

truncated....
After extracting the contents I began to edit the file I needed in directory b/ while leaving directory a/ untouched. This is so that I could create the patch afterwards. I changed lines 50 and 1777.

Code:
$ vim b/gnupg-2.0.17/g10/keygen.c

50,1
#define DEFAULT_STD_KEYSIZE 2048 -> #define DEFAULT_STD_KEYSIZE 4096

1777,1
  unsigned int nbits, min, def = DEFAULT_STD_KEYSIZE, max=4096; ->	  unsigned int nbits, min, def = DEFAULT_STD_KEYSIZE, max=8192;
After saving the changes I then proceeded to create a patch which resulted in the patch file you see below.

Code:
~$ diff -uNr a/gnupg-2.0.17/ b/gnupg-2.0.17/ > ~/gnupg-2.0.17-keysize.patch

$ cat ~/gnupg-2.0.17-keysize.patch
diff -Naur a/gnupg-2.0.17/g10//keygen.c b/gnupg-2.0.17/g10//keygen.c
--- a/gnupg-2.0.17/g10//keygen.c        2011-01-10 13:09:46.000000000 -0500
+++ b/gnupg-2.0.17/g10//keygen.c        2011-11-21 11:22:04.000000000 -0500
@@ -47,7 +47,7 @@
    also in gpg.c:gpgconf_list.  You should also check that the value
    is inside the bounds enforced by ask_keysize and gen_xxx.  */
 #define DEFAULT_STD_ALGO    GCRY_PK_RSA
-#define DEFAULT_STD_KEYSIZE 2048
+#define DEFAULT_STD_KEYSIZE 4096 
 
 
 #define MAX_PREFS 30 
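Review bot: the comment directly above `#define DEFAULT_STD_KEYSIZE` says the same value is "also in gpg.c:gpgconf_list" and must stay inside the bounds enforced by ask_keysize and gen_xxx, yet this patch only touches keygen.c, so the two copies of the default will disagree. Change gpg.c:gpgconf_list in the same patch, and drop the trailing space after `4096` on the added line.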
@@ -1774,7 +1774,7 @@
 static unsigned
 ask_keysize (int algo, unsigned int primary_keysize)
 {
-  unsigned int nbits, min, def = DEFAULT_STD_KEYSIZE, max=4096;
+  unsigned int nbits, min, def = DEFAULT_STD_KEYSIZE, max=8192;
   int for_subkey = !!primary_keysize;
   int autocomp = 0;
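Review bot: `max=8192` is raised only in the initializer at the top of ask_keysize, while the comment in the first hunk says the size bounds are also enforced by gen_xxx, and no hunk here touches those functions. Confirm that the generation routines accept 8192 bits, otherwise a size accepted by ask_keysize can still be rejected or reduced later. The visible lines also do not show whether the rest of ask_keysize resets `max` per algorithm, so check that algorithms which should keep a lower limit still get one.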
Now that the patch was created I referred back to the ebuild wiki page http://en.gentoo-wiki.com/wiki/Writing_Ebuilds. This is where the real interesting stuff started. Of course it only started for me after 3 days because I was trying to do an overlay for a masked version of gnupg. Here is what followed. I first appended the following to my /etc/make.conf file.

PORTDIR_OVERLAY="/usr/local/portage"

After this I started getting into the meat of things.

Code:
# mkdir -p /usr/local/portage/app-crypt/gnupg/
# cp /usr/portage/app-crypt/gnupg/gnupg-2.0.17.ebuild /usr/local/portage/app-crypt/gnupg/gnupg-2.0.17.ebuild
# cp -R /usr/portage/app-crypt/gnupg/files/ /usr/local/portage/app-crypt/gnupg/
# cp /home/<username>/gnupg-2.0.17-keysize.patch /usr/local/portage/app-crypt/gnupg/files/
# cd /usr/local/portage/app-crypt/gnupg/
Once the proper files and directories were in place under /usr/local/portage, I now had to edit the ebuild file to ensure that my patch would be executed when emerge was executed. I inserted the following at line 62,1

Code:
gnupg # vim gnupg-2.0.17.ebuild

62,1
src_prepare() {
    epatch "${FILESDIR}"/${P}-keysize.patch
}
Once the ebuild was edited and the patch was in place I had to create the Manifest.

Code:
gnupg # ebuild gnupg-2.0.17.ebuild manifest

gnupg # cat Manifest
AUX gnupg-2.0.17-gpgsm-gencert.patch 1079 RMD160 58fdc7454cd23bd9731866f1350eee1d166487d0 SHA1 3f6710fb83de85c34c8edaf4c7aaddeb1ccc771d SHA256 aec0ea30d898f7f7369abac9a61a0713b6b9b89d231b9beff1ee82041983b7ed
AUX gnupg-2.0.17-keysize.patch 786 RMD160 d14d58a3a3ea3c82a1541611ae3f81c1734fa0cb SHA1 4019683219f89f8f716b57b07cd4c692119f455a SHA256 357d75a86aa7d0bba53c21adf4d602855f64fa9d0baca561f970f1353b68da9e
AUX gnupg-2.0.17-libgrcrypt150-bugfix.patch 1125 RMD160 529bd214cb1883e318fae40cfc582ec24d6ebfc2 SHA1 f4119372ae2dece42606eb266211ca7d4a8354a8 SHA256 a909e3d044292ec0869385a529dab5095ae788ea68a9cb70e63054266eb8cf0b
DIST gnupg-2.0.17.tar.bz2 3997356 RMD160 f919947a1896ac20c455534d91a3e2d3e5b60c1f SHA1 41ef5460417ca0a1131fc730849fe3afd49ad2de SHA256 ea649d5ecb2f97cc8d81c5796c6ad8d7d8581f9554241c39d2b11ab12139eea6
EBUILD gnupg-2.0.17-r3.ebuild 4407 RMD160 0bcf598f6c0424c80d048bbb9b41bd693f540f27 SHA1 bfaecdfa5e0acde98ce88919d0d08a38f64b02c5 SHA256 1be10b1e98a94a0522d28365c4d29deb651a50b395f157fba6422c378cfd5104
EBUILD gnupg-2.0.17.ebuild 4590 RMD160 05d456766e591f31c2a87edc68292505f024ac16 SHA1 e78ecf96c0d8ebe97a179ade94b3b5d7fe4249a5 SHA256 2689f9d584c195fa26dde297ae1014f58e8f5411887fd7c3cb88b1a247cf2a4b
Now that the manifest existed, the ebuild was edited and the patch was in place I was ready to install the overlay. You notice from the output below that portage sees a new package existing under /usr/local/portage. This is where it will install from.

Code:
emerge --ask gnupg -v

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] app-crypt/gnupg-2.0.17  USE="bzip2 ldap nls -adns -caps -doc -openct -pcsc-lite (-selinux) -smartcard -static" 0 kB [1]

Total: 1 package (1 reinstall), Size of downloads: 0 kB
Portage tree and overlays:
 [0] /usr/portage
 [1] /usr/local/portage

Would you like to merge these packages? [Yes/No] Y
Now I just had to wait for the compile to finish before I was able to test it out. I did notice that my patch ran at the beginning of the emerge, so watch carefully to make sure yours does too. I tested gnupg to ensure it worked by generating an 8182 bit RSA test key. The test was successful.
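The tarball in the post was fetched by hand with wget over plain HTTP and then used as the base for the patch, so it is worth checking it against the DIST line of the Manifest before diffing. The script below is an added example, not part of the original post: `manifest_check` and the sample file name are hypothetical, the sample data is constructed, and it assumes `sha256sum` from coreutils and the Manifest line layout shown in the post.

```shell
#!/bin/sh
# Added example: verify a file against its entry in a Portage Manifest
# (line layout as in the post: TYPE name size RMD160 h SHA1 h SHA256 h).

# manifest_check MANIFEST FILE
# returns 0 if size and SHA256 match, 1 on mismatch, 2 if no entry exists
manifest_check() {
    manifest=$1 file=$2
    name=$(basename "$file")
    # Pull "size sha256" from the DIST or AUX line that names this file.
    entry=$(awk -v n="$name" '
        ($1 == "DIST" || $1 == "AUX") && $2 == n {
            for (i = 4; i < NF; i += 2)
                if ($i == "SHA256") { print $3, $(i + 1); exit }
        }' "$manifest")
    [ -n "$entry" ] || { echo "no SHA256 entry for $name" >&2; return 2; }
    want_size=${entry% *}
    want_hash=${entry#* }
    have_size=$(wc -c < "$file" | tr -d ' ')
    have_hash=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$have_size" = "$want_size" ] || { echo "$name: size mismatch" >&2; return 1; }
    [ "$have_hash" = "$want_hash" ] || { echo "$name: SHA256 mismatch" >&2; return 1; }
    echo "$name: OK"
}

# Constructed demonstration: a stand-in "tarball" and a Manifest recorded
# from it, then a same-length modification that only the hash can catch.
demo() {
    d=$(mktemp -d) || return 1
    f="$d/sample-1.0.tar.bz2"
    printf 'constructed stand-in for a source tarball\n' > "$f"
    size=$(wc -c < "$f" | tr -d ' ')
    hash=$(sha256sum "$f" | cut -d' ' -f1)
    # RMD160 and SHA1 values are placeholders; only SHA256 is checked.
    echo "DIST sample-1.0.tar.bz2 $size RMD160 0 SHA1 0 SHA256 $hash" > "$d/Manifest"
    manifest_check "$d/Manifest" "$f" || return 1
    printf 'constructed stand-in for a source tarbalL\n' > "$f"
    if manifest_check "$d/Manifest" "$f" 2>/dev/null; then return 1; fi
    rm -rf "$d"
}
demo
```

The same function works for the AUX line of the keysize patch, which shows whether the copy under files/ is still the one the Manifest was generated from.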
 
Old 11-22-2011, 08:46 PM   #2
richinsc
Member
 
Registered: Mar 2007
Location: Utah
Distribution: Ubuntu Linux (20.04)
Posts: 224

Original Poster
Rep: Reputation: 32
Having trouble getting the ebuild setup for kgpg still. I'll hit it over Thanksgiving weekend and post an update by Sunday. Comments and Suggestions welcome.

EDIT: If anyone wants to know what the patch file for kgpg looks like and wants to attempt to get a working ebuild, the patch is below.

Code:
$ cat /usr/local/portage/kde-base/kgpg/files/kgpg-4.6.5-keysize.patch 
diff -uNr a/kdeutils-4.6.5//kgpg/kgpgkeygenerate.cpp b/kdeutils-4.6.5//kgpg/kgpgkeygenerate.cpp
--- a/kdeutils-4.6.5//kgpg/kgpgkeygenerate.cpp  2011-01-18 16:24:55.000000000 -0500
+++ b/kdeutils-4.6.5//kgpg/kgpgkeygenerate.cpp  2011-11-21 20:49:29.000000000 -0500
@@ -91,6 +91,10 @@
     m_keysize->addItem(i18n("1024"));
     m_keysize->addItem(i18n("2048"));
     m_keysize->addItem(i18n("4096"));
+    m_keysize->addItem(i18n("5120"));
+    m_keysize->addItem(i18n("6144"));
+    m_keysize->addItem(i18n("7168"));
+    m_keysize->addItem(i18n("8192"));
     m_keysize->setCurrentIndex(1); // 1024
     m_keysize->setMinimumSize(m_keysize->sizeHint());
     sizeLabel->setBuddy(m_keysize);
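Review bot: the four added `addItem` entries offer sizes above 4096 in the dialog, but nothing in this hunk ties them to a gpg that accepts them; the keygen.c patch earlier in this thread shows stock GnuPG 2.0.17 with `max=4096` in ask_keysize. State the dependency on the patched gnupg in the patch header or the ebuild so the dialog is not shipped against an unpatched gpg.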

Last edited by richinsc; 11-22-2011 at 08:50 PM.
 
Old 11-23-2011, 10:42 AM   #3
richinsc
Member
 
Registered: Mar 2007
Location: Utah
Distribution: Ubuntu Linux (20.04)
Posts: 224

Original Poster
Rep: Reputation: 32
EDIT: Moved Post to Security Thread for More Exposure, and since it was off topic of howto.

--> http://www.linuxquestions.org/questi...43#post4531843

Last edited by richinsc; 11-23-2011 at 10:48 AM.
 
Old 11-27-2011, 04:10 AM   #4
serafean
Member
 
Registered: Mar 2006
Location: Czech Republic
Distribution: Gentoo, Chakra
Posts: 997
Blog Entries: 15

Rep: Reputation: 136
Just an FYI: you don't need to create an overlay for custom patches. Portage supports the localpatch /etc/portage/patches/ directory where you can put a patch you want applied to a specific package (specific version too). For instance, /etc/portage/patches/media-tv/xbmc/xbmc-9999-libpng-1.5.patch will be applied to xbmc-9999 at merge.

Serafean
 
1 members found this post helpful.
Old 11-27-2011, 01:24 PM   #5
richinsc
Member
 
Registered: Mar 2007
Location: Utah
Distribution: Ubuntu Linux (20.04)
Posts: 224

Original Poster
Rep: Reputation: 32
Thanks serafean! I just learned something new about gentoo that I didn't know. Thanks for that information.
 
  

