gnupg: Update gnupg from 2.2.12-1+deb10u1 to 2.2.12-1+deb10u2 #8

Merged
hiraku-wfs merged 1 commit into miraclelinux:deb10.12-1 from masami256:update-gnupg-2.2.12-1+deb10u2
Jul 4, 2022

@masami256

Purpose

Update gnupg package version from 2.2.12-1+deb10u1 to 2.2.12-1+deb10u2.

Test

  1. Build gnupg package
  2. Use gpg commands on the qemu environment

Test Results

Build test

masami@ubuntu1804:~/emlinux/qemuarm64-emlinux$ bitbake -f gnupg 
Loading cache: 100% |##########################################################################################################################################################################################################| Time: 0:00:00
Loaded 2356 entries from dependency cache.
NOTE: Resolving any missing task queue dependencies

Build Configuration:
BB_VERSION           = "1.42.0"
BUILD_SYS            = "x86_64-linux"
NATIVELSBSTRING      = "ubuntu-18.04"
TARGET_SYS           = "aarch64-emlinux-linux"
MACHINE              = "qemuarm64"
DISTRO               = "emlinux"
DISTRO_VERSION       = "2.5"
TUNE_FEATURES        = "aarch64 armv8a crc"
TARGET_FPU           = ""
meta                 
meta-yocto-bsp       = "warrior:d4b57c68b22027c2bedff335dee06af963e4f8a8"
meta-debian          = "update-gnupg-2.2.12-1+deb10u2:15f26a44ea12e8af8b6cbd53e60670b6231aa038"
meta-debian-extended = "deb10-security-updates:eff0781f290b178268e45af844f8ba48477eee4a"
meta-emlinux         = "warrior:13b69e67ff346705c72338aa8402f794098dbb8d"

NOTE: Tainting hash to force rebuild of task /home/masami/emlinux/qemuarm64-emlinux/../repos/meta-debian/recipes-debian/gnupg/gnupg_debian.bb, do_build                                                                        | ETA:  0:00:00
WARNING: /home/masami/emlinux/qemuarm64-emlinux/../repos/meta-debian/recipes-debian/gnupg/gnupg_debian.bb.do_build is tainted from a forced run                                                                                | ETA:  0:00:00
Initialising tasks: 100% |#####################################################################################################################################################################################################| Time: 0:00:01
Sstate summary: Wanted 154 Found 147 Missed 7 Current 315 (95% match, 98% complete)
NOTE: Executing SetScene Tasks
NOTE: Executing RunQueue Tasks
NOTE: Tasks Summary: Attempted 2117 tasks of which 2101 didn't need to be rerun and all succeeded.

Summary: There was 1 WARNING message shown.

Create a key

root@qemuarm64:~# gpg --gen-key
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
                                                                                                                                                                                                                                              
gpg: directory '/home/root/.gnupg' created
gpg: keybox '/home/root/.gnupg/pubring.kbx' created
Note: Use "gpg2 --full-generate-key" for a full featured key generation dialog.
                                                                                                                                                                                                                                              
GnuPG needs to construct a user ID to identify your key.
                                                                                                                                                                                                                                              
Real name: Test User
Email address: root@localhost
You selected this USER-ID:
    "Test User <root@localhost>"
                                                                                                                                                                                                                                          
Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number 
generator a better chance to gain enough entropy.    
~~~ snip ~~~
[ 1454.479806] random: crng init done
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/root/.gnupg/trustdb.gpg: trustdb created
gpg: key 3DDB4BDA5A3DB897 marked as ultimately trusted
gpg: directory '/home/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/root/.gnupg/openpgp-revocs.d/176F71CDFC1A2553BC18F5F83DDB4BDA5A3DB897.rev'
public and secret key created and signed.

pub   rsa3072 2022-07-04 [SC] [expires: 2024-07-03]
      176F71CDFC1A2553BC18F5F83DDB4BDA5A3DB897
uid                      Test User <root@localhost>
sub   rsa3072 2022-07-04 [E] [expires: 2024-07-03]

root@qemuarm64:~# 

Show keys

root@qemuarm64:~# gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2024-07-03
/home/root/.gnupg/pubring.kbx
-----------------------------
pub   rsa3072 2022-07-04 [SC] [expires: 2024-07-03]
      176F71CDFC1A2553BC18F5F83DDB4BDA5A3DB897
uid           [ultimate] Test User <root@localhost>
sub   rsa3072 2022-07-04 [E] [expires: 2024-07-03]

root@qemuarm64:~# 

Change password

root@qemuarm64:~# gpg --passwd "Test User"
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. 
~~~ snip ~~~
root@qemuarm64:~# echo $?
0

Update expire date

root@qemuarm64:~# gpg --fingerprint "Test User"
pub   rsa3072 2022-07-04 [SC] [expires: 2024-07-03]
      176F 71CD FC1A 2553 BC18  F5F8 3DDB 4BDA 5A3D B897
uid           [ultimate] Test User <root@localhost>
sub   rsa3072 2022-07-04 [E] [expires: 2024-07-03]
root@qemuarm64:~# gpg --fingerprint "Test User"
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2032-07-01
pub   rsa3072 2022-07-04 [SC] [expires: 2032-07-01]
      176F 71CD FC1A 2553 BC18  F5F8 3DDB 4BDA 5A3D B897
uid           [ultimate] Test User <root@localhost>
sub   rsa3072 2022-07-04 [E] [expires: 2024-07-03]

Encrypt and decrypt

root@qemuarm64:~# echo TEST > test.txt
root@qemuarm64:~# gpg -a -r "Test User" -e test.txt 
root@qemuarm64:~# ls
test.txt  test.txt.asc
root@qemuarm64:~# cat test.txt.asc 
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
root@qemuarm64:~# gpg -d test.txt.asc 
gpg: encrypted with 3072-bit RSA key, ID 6E70381C6A5501FC, created 2022-07-04
      "Test User <root@localhost>"
TEST
root@qemuarm64:~# gpg -o test.txt -d test.txt.asc            
gpg: encrypted with 3072-bit RSA key, ID 6E70381C6A5501FC, created 2022-07-04
      "Test User <root@localhost>"
root@qemuarm64:~# cat test.txt
TEST

Signing.

root@qemuarm64:~# rm test.txt.asc 
root@qemuarm64:~# gpg -u "Test User" --clear-sign test.txt
root@qemuarm64:~# cat test.txt.asc 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

TEST
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Verify sign.

root@qemuarm64:~# gpg -u "Test User" -d ./test.txt.asc 
TEST
gpg: Signature made Mon Jul  4 02:21:48 2022 UTC
gpg:                using RSA key 176F71CDFC1A2553BC18F5F83DDB4BDA5A3DB897
gpg:                issuer "root@localhost"
gpg: Good signature from "Test User <root@localhost>" [ultimate]

Revoke key

root@qemuarm64:~# gpg --out revoke.asc --gen-revoke 176F71CDFC1A2553BC18F5F83DDB4BDA5A3DB897                                                                                                                                                  
                                                                                                                                                                                                                                              
sec  rsa3072/3DDB4BDA5A3DB897 2022-07-04 Test User <root@localhost>   
~~~ snip ~~~
Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 0
Enter an optional description; end it with an empty line:
> 
Reason for revocation: No reason specified
(No description given)
Is this okay? (y/N) y
ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others! 

Import revoked key and check that key is revoked.

root@qemuarm64:~# gpg --import revoke.asc 
gpg: key 3DDB4BDA5A3DB897: "Test User <root@localhost>" revocation certificate imported
gpg: Total number processed: 1
gpg:    new key revocations: 1
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2032-07-01
root@qemuarm64:~# gpg --list-keys
/home/root/.gnupg/pubring.kbx
-----------------------------
pub   rsa3072 2022-07-04 [SC] [revoked: 2022-07-04]
      176F71CDFC1A2553BC18F5F83DDB4BDA5A3DB897
uid           [ revoked] Test User <root@localhost>

Update gnupg package version from 2.2.12-1+deb10u1 to
2.2.12-1+deb10u2.

Signed-off-by: Masami Ichikawa <masami.ichikawa@miraclelinux.com>
@masami256 masami256 requested a review from hiraku-wfs July 4, 2022 02:34
@hiraku-wfs hiraku-wfs merged commit 32f8f0a into miraclelinux:deb10.12-1 Jul 4, 2022
@masami256 masami256 deleted the update-gnupg-2.2.12-1+deb10u2 branch August 19, 2022 00:54
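
The manual checks from the pull request description can be repeated after each package update as one non-interactive run. The script below is an added example, not part of the pull request or the project: it assumes gpg 2.2 on the target, skips the interactive passphrase change, and imports the pre-generated certificate from openpgp-revocs.d instead of answering the --gen-revoke prompts. The names `gpg_smoke_test`, `g`, `fail` and `pub_field` are made up here.

```shell
#!/bin/sh
# Added example: the manual gpg checks as one non-interactive function.
# Everything runs in a throwaway GNUPGHOME; the real keyring is untouched.
gpg_smoke_test() (
    set -u
    fail() { echo "FAIL: $*" >&2; exit 1; }
    GNUPGHOME=$(mktemp -d) || fail "mktemp"
    export GNUPGHOME
    trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$GNUPGHOME"' EXIT
    cd "$GNUPGHOME" || fail "cd"
    uid='Test User <root@localhost>'   # same test identity as in the log
    g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }
    # Field N of the "pub" record in gpg's colon-delimited listing.
    pub_field() { g --with-colons --list-keys "$fpr" | awk -F: -v n="$1" '$1=="pub"{print $n}'; }

    # Create a key and take its fingerprint from the first "fpr" record.
    g --quick-generate-key "$uid" default default 2y || fail "key generation"
    fpr=$(g --with-colons --list-keys "$uid" | awk -F: '$1=="fpr"{print $10; exit}')
    [ -n "$fpr" ] || fail "no fingerprint"

    # Update the expiry date: field 7 (expiry, epoch seconds) must move out.
    before=$(pub_field 7)
    g --quick-set-expire "$fpr" 10y || fail "set expiry"
    [ "$(pub_field 7)" -gt "$before" ] || fail "expiry unchanged"

    # Encrypt and decrypt: the round trip must return the plaintext.
    echo TEST > test.txt
    g -a -r "$fpr" -o test.enc.asc -e test.txt || fail "encrypt"
    [ "$(g -d test.enc.asc 2>/dev/null)" = TEST ] || fail "decrypt"

    # Sign and verify; an altered copy of the signed text must be rejected.
    g -u "$fpr" -o test.sig.asc --clear-sign test.txt || fail "sign"
    g --verify test.sig.asc 2>/dev/null || fail "verify"
    sed 's/^TEST$/TAMPERED/' test.sig.asc > bad.asc
    if g --verify bad.asc 2>/dev/null; then fail "tampered text accepted"; fi

    # Revoke: gpg stores the pre-generated certificate with a ':' before the
    # armor header as a safety catch; strip it, import, expect validity 'r'.
    sed 's/^:-----BEGIN/-----BEGIN/' "openpgp-revocs.d/$fpr.rev" | g --import ||
        fail "import revocation"
    [ "$(pub_field 2)" = r ] || fail "key not marked revoked"
)
```

Calling `gpg_smoke_test` returns non-zero and names the failing step on stderr if any check does not hold.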