tech-pkg archive


Handling GPG signatures for pkgsrc with netpgp



Hi tech-pkg@,

I would like to mention that I have made good progress in the context of handling GPG signatures for pkgsrc with netpgp instead of GnuPG, and I am now able to use netpgp to both generate and verify signed binary packages from pkgsrc! Some bugs are still lurking, but this is a start.

It currently requires applying the packages attached, and setting the gpg2netpgp wrapper attached in /etc/pkg_install.conf, e.g.:
GPG=/usr/local/bin/gpg2netpgp

There is a security issue with this setup - without being a regression though. Long story short, it is possible to fool netpgp into reporting what looks like a detached signature as being successfully verified, whereas it will look at content within the signature instead of the file to verify. I have no patch to fix this yet.

I sent these patches to agc@ and security-officer@ for review back on October 10th when I had more time to work on this, but I need to carry on so I am posting it here. As usual clones of my work repositories can be found there:
https://git.edgebsd.org/gitweb/?p=pkgsrc.git;a=summary

Being cryptography software and not my own code in the first place, I will appreciate a green light before committing any of these. This is quite exciting though, as save for a few issues remaining, it is no longer necessary to bootstrap GnuPG to import keys or support signed packages :)

Cheers,
-- khorben
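A defensive pre-check for the detached-signature confusion described in the message above, added here as an example and not part of the original thread, of netpgp or of pkgsrc; it assumes RFC 4880 packet framing and constructs its own sample inputs:

```python
"""Pre-check for a file that is supposed to be a detached OpenPGP signature.

A detached signature is a sequence of Signature packets (tag 2) only.  A file
that also carries One-Pass Signature, Compressed Data or Literal Data packets
is an inline-signed message, and a verifier told to treat it as detached may
check that embedded content instead of the external file.  Constructed example.
"""
import base64
import binascii

SIGNATURE, ONE_PASS_SIGNATURE, COMPRESSED_DATA, LITERAL_DATA = 2, 4, 8, 11


class PacketError(ValueError):
    """Input is not a well-formed packet sequence."""


def dearmor(data: bytes) -> bytes:
    """Return raw packet bytes from binary or ASCII-armored input."""
    if not data.startswith(b"-----BEGIN PGP "):
        return data
    lines = [ln.strip() for ln in data.splitlines()]
    i = 1
    while i < len(lines) and lines[i]:            # skip armor headers
        i += 1
    body = []
    for ln in lines[i + 1:]:
        if ln.startswith(b"-----END PGP "):
            break
        if not ln.startswith(b"="):               # "=XXXX" is the CRC24 line
            body.append(ln)
    try:
        return base64.b64decode(b"".join(body), validate=True)
    except binascii.Error as exc:
        raise PacketError("bad armor: %s" % exc) from None


def packet_tags(data: bytes) -> list:
    """Walk the packet sequence (RFC 4880, 4.2) and return every packet tag."""
    tags, pos, n = [], 0, len(data)

    def take(width):                              # consume `width` bytes
        nonlocal pos
        if pos + width > n:
            raise PacketError("truncated packet at offset %d" % pos)
        pos += width
        return data[pos - width:pos]

    while pos < n:
        ctb = take(1)[0]
        if not ctb & 0x80:
            raise PacketError("invalid tag byte at offset %d" % (pos - 1))
        if ctb & 0x40:                            # new-format header
            tag = ctb & 0x3F
            partial = True
            while partial:                        # partial lengths chain on
                first = take(1)[0]
                partial = False
                if first < 192:
                    length = first
                elif first < 224:
                    length = ((first - 192) << 8) + take(1)[0] + 192
                elif first == 255:
                    length = int.from_bytes(take(4), "big")
                else:
                    length, partial = 1 << (first & 0x1F), True
                take(length)
        else:                                     # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:                        # indeterminate: runs to EOF
                pos = n
            else:
                take(int.from_bytes(take((1, 2, 4)[ltype]), "big"))
        tags.append(tag)
    return tags


def is_pure_detached_signature(data: bytes) -> bool:
    """True only if the (de-armored) input is one or more Signature packets."""
    tags = packet_tags(dearmor(data))
    return bool(tags) and all(t == SIGNATURE for t in tags)


# Constructed samples: packet bodies are dummies, only the framing matters.
GOOD_BINARY = bytes([0x88, 0x03, 0x04, 0x00, 0x01])           # Signature
BAD_BINARY = bytes([0x90, 0x01, 0x03,                         # One-Pass Sig
                    0xAC, 0x02, 0x62, 0x00,                   # Literal Data
                    0x88, 0x03, 0x04, 0x00, 0x01])            # Signature
GOOD_ARMORED = (b"-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n"
                + base64.b64encode(GOOD_BINARY) + b"\n=AAAA\n"
                + b"-----END PGP SIGNATURE-----\n")
```

Run it over the signature file before handing it to `netpgp --verify --detached` and refuse to verify when it returns False.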

On 05/10/2016 01:57, Pierre Pronchery wrote:
I thought you might want to know, I have managed to create GPG-signed
binary packages with pkgsrc, using netpgp alone (and without any
additional patch) thanks to the wrapper attached. It only requires
setting GPG=gpg2netpgp in pkg_install.conf.

By the way, I am writing to you directly assuming you are the official
maintainer for netpgp; please let me know if there is a different
upstream nowadays.

Cheers!
-- khorben

On 08/09/2016 17:57, Pierre Pronchery wrote:
On 09/ 8/16 09:24 AM, Alistair Crooks wrote:
Thanks for your mail and patch.

I'll have a look at this one tomorrow, it's a bit late tonight.

I have found another crash, if netpgpkeys fails to import a key while
the keyring is still empty:

$ netpgpkeys --homedir /tmp/nonexistent --import-key /dev/null
netpgp: warning homedir "/tmp/nonexistent" not found
/tmp/nonexistent/pubring.gpg: No such file or directory
Can't read pubring /tmp/nonexistent/pubring.gpg
Can't read pub keyring
Segmentation fault

The patch attached fixes this issue.

HTH,
-- khorben

On 7 September 2016 at 08:48, Pierre Pronchery <khorben%defora.org@localhost> wrote:

    Hi Alistair,

    I hope you are doing good. I have encountered this bug in NetPGP:

    $ netpgpkeys --import-key
    Segmentation fault

    In this case, I would expect netpgpkeys to either bail, or read keys
    from the standard input. I have written a patch for the latter,
    which I am attaching here.

    Let me know what you think.

    Cheers,

--
khorben
From c4527d02d0ec4124607e3d883c6ef1aa366e8153 Mon Sep 17 00:00:00 2001
From: Pierre Pronchery <khorben%EdgeBSD.org@localhost>
Date: Thu, 8 Sep 2016 18:04:40 +0200
Subject: [PATCH 01/11] Do not crash when listing keys without a keyring

---
 crypto/external/bsd/netpgp/dist/src/lib/keyring.c | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/crypto/external/bsd/netpgp/dist/src/lib/keyring.c b/crypto/external/bsd/netpgp/dist/src/lib/keyring.c
index 712ee90..5c1a1ad 100644
--- a/crypto/external/bsd/netpgp/dist/src/lib/keyring.c
+++ b/crypto/external/bsd/netpgp/dist/src/lib/keyring.c
@@ -994,17 +994,19 @@ pgp_keyring_list(pgp_io_t *io, const pgp_keyring_t *keyring, const int psigs)
 	pgp_key_t		*key;
 	unsigned		 n;
 
-	(void) fprintf(io->res, "%u key%s\n", keyring->keyc,
-		(keyring->keyc == 1) ? "" : "s");
-	for (n = 0, key = keyring->keys; n < keyring->keyc; ++n, ++key) {
-		if (pgp_is_key_secret(key)) {
-			pgp_print_keydata(io, keyring, key, "sec",
-				&key->key.seckey.pubkey, 0);
-		} else {
-			pgp_print_keydata(io, keyring, key, "signature ", &key->key.pubkey, psigs);
+	(void) fprintf(io->res, "%u key%s\n",
+		(keyring != NULL) ? keyring->keyc : 0,
+		(keyring == NULL || keyring->keyc <= 1) ? "" : "s");
+	if (keyring != NULL)
+		for (n = 0, key = keyring->keys; n < keyring->keyc; ++n, ++key) {
+			if (pgp_is_key_secret(key)) {
+				pgp_print_keydata(io, keyring, key, "sec",
+					&key->key.seckey.pubkey, 0);
+			} else {
+				pgp_print_keydata(io, keyring, key, "signature ", &key->key.pubkey, psigs);
+			}
+			(void) fputc('\n', io->res);
 		}
-		(void) fputc('\n', io->res);
-	}
 	return 1;
 }
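Review bot: the pluralisation in the new fprintf changes behaviour for an empty keyring: `(keyring == NULL || keyring->keyc <= 1) ? "" : "s"` prints `0 key`, whereas the replaced `(keyring->keyc == 1) ? "" : "s"` printed `0 keys`; use `(keyring != NULL && keyring->keyc == 1) ? "" : "s"` to keep the old output. The brace-less `if (keyring != NULL)` guarding a multi-line `for` body is easy to misread and should get braces. Tolerating a NULL keyring here also means a pubring that failed to load is reported as a successful listing of zero keys rather than as an error, so the caller that produces the NULL should probably fail earlier.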
 
-- 
2.7.3

From 6ddae18fce892dc2d247aaf2e43f2dab94ed3812 Mon Sep 17 00:00:00 2001
From: Pierre Pronchery <khorben%EdgeBSD.org@localhost>
Date: Fri, 7 Oct 2016 00:43:57 +0200
Subject: [PATCH 02/11] Do not truncate pass-phrases without a newline
 character

This also fixes a crash when the pass-phrase entered is empty.
---
 crypto/external/bsd/netpgp/dist/src/lib/reader.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/crypto/external/bsd/netpgp/dist/src/lib/reader.c b/crypto/external/bsd/netpgp/dist/src/lib/reader.c
index be00b09..dc1e379 100644
--- a/crypto/external/bsd/netpgp/dist/src/lib/reader.c
+++ b/crypto/external/bsd/netpgp/dist/src/lib/reader.c
@@ -160,6 +160,7 @@ int
 pgp_getpassphrase(void *in, char *phrase, size_t size)
 {
 	char	*p;
+	size_t	 len;
 
 	if (in == NULL) {
 		while ((p = getpass("netpgp passphrase: ")) == NULL) {
@@ -169,7 +170,9 @@ pgp_getpassphrase(void *in, char *phrase, size_t size)
 		if (fgets(phrase, (int)size, in) == NULL) {
 			return 0;
 		}
-		phrase[strlen(phrase) - 1] = 0x0;
+		len = strlen(phrase);
+		if (len >= 1 && phrase[len - 1] == '\n')
+			phrase[len - 1] = '\0';
 	}
 	return 1;
 }
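Review bot: the length check fixes the underflow on an empty line, but when the line is longer than `size - 1` fgets leaves the remainder in the stream and the next `pgp_getpassphrase()` call reads it as a second pass-phrase; when `if (len >= 1 && phrase[len - 1] == '\n')` is false and the buffer is full, drain the stream to end of line (or treat the unterminated line as an error) so a long pass-phrase is not silently split in two. The `(int)size` cast in the fgets call is pre-existing but would be worth an assertion now that `len` is a `size_t`.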
-- 
2.7.3

From 9906d436a698e2ade079080425a5b9f6c0a86e94 Mon Sep 17 00:00:00 2001
From: Pierre Pronchery <khorben%EdgeBSD.org@localhost>
Date: Fri, 7 Oct 2016 00:52:10 +0200
Subject: [PATCH 03/11] Avoid some type casts

---
 crypto/external/bsd/netpgp/dist/src/lib/keyring.c | 4 ++--
 crypto/external/bsd/netpgp/dist/src/lib/keyring.h | 2 +-
 crypto/external/bsd/netpgp/dist/src/lib/netpgp.c  | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/crypto/external/bsd/netpgp/dist/src/lib/keyring.c b/crypto/external/bsd/netpgp/dist/src/lib/keyring.c
index 5c1a1ad..a7a03e6 100644
--- a/crypto/external/bsd/netpgp/dist/src/lib/keyring.c
+++ b/crypto/external/bsd/netpgp/dist/src/lib/keyring.c
@@ -214,7 +214,7 @@ pgp_get_writable_seckey(pgp_key_t *data)
 
 /* utility function to zero out memory */
 void
-pgp_forget(void *vp, unsigned size)
+pgp_forget(void *vp, size_t size)
 {
 	(void) memset(vp, 0x0, size);
 }
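Review bot: `pgp_forget()` is the routine used to scrub pass-phrase and secret-key buffers (`pass` and `seckey` in the other hunks), and a plain `memset()` on memory that is not read again may be dropped by the compiler as a dead store; since the signature is being changed anyway, make the body `explicit_memset(vp, 0x0, size)` on NetBSD (or a volatile-pointer loop for portability) so the zeroing is guaranteed to happen.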
@@ -246,7 +246,7 @@ decrypt_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
 	case PGP_GET_PASSPHRASE:
 		(void) pgp_getpassphrase(decrypt->passfp, pass, sizeof(pass));
 		*content->skey_passphrase.passphrase = netpgp_strdup(pass);
-		pgp_forget(pass, (unsigned)sizeof(pass));
+		pgp_forget(pass, sizeof(pass));
 		return PGP_KEEP_MEMORY;
 
 	case PGP_PARSER_ERRCODE:
diff --git a/crypto/external/bsd/netpgp/dist/src/lib/keyring.h b/crypto/external/bsd/netpgp/dist/src/lib/keyring.h
index 920ad0f6..e595e63 100644
--- a/crypto/external/bsd/netpgp/dist/src/lib/keyring.h
+++ b/crypto/external/bsd/netpgp/dist/src/lib/keyring.h
@@ -100,7 +100,7 @@ int pgp_keyring_list(pgp_io_t *, const pgp_keyring_t *, const int);
 int pgp_keyring_json(pgp_io_t *, const pgp_keyring_t *, mj_t *, const int);
 
 void pgp_set_seckey(pgp_contents_t *, const pgp_key_t *);
-void pgp_forget(void *, unsigned);
+void pgp_forget(void *, size_t);
 
 const uint8_t *pgp_get_key_id(const pgp_key_t *);
 unsigned pgp_get_userid_count(const pgp_key_t *);
diff --git a/crypto/external/bsd/netpgp/dist/src/lib/netpgp.c b/crypto/external/bsd/netpgp/dist/src/lib/netpgp.c
index 14b1a2c..6d499f7 100644
--- a/crypto/external/bsd/netpgp/dist/src/lib/netpgp.c
+++ b/crypto/external/bsd/netpgp/dist/src/lib/netpgp.c
@@ -1458,7 +1458,7 @@ netpgp_sign_file(netpgp_t *netpgp,
 				(unsigned)armored, (unsigned)cleartext,
 				overwrite);
 	}
-	pgp_forget(seckey, (unsigned)sizeof(*seckey));
+	pgp_forget(seckey, sizeof(*seckey));
 	return ret;
 }
 
@@ -1582,7 +1582,7 @@ netpgp_sign_memory(netpgp_t *netpgp,
 	} else {
 		ret = 0;
 	}
-	pgp_forget(seckey, (unsigned)sizeof(*seckey));
+	pgp_forget(seckey, sizeof(*seckey));
 	return ret;
 }
 
-- 
2.7.3

From fe37ecc94c08abfa738e1965099fd56b1946f230 Mon Sep 17 00:00:00 2001
From: Pierre Pronchery <khorben%EdgeBSD.org@localhost>
Date: Fri, 7 Oct 2016 00:52:38 +0200
Subject: [PATCH 04/11] Do not use random data for pass-phrases on EOF

---
 crypto/external/bsd/netpgp/dist/src/lib/keyring.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/crypto/external/bsd/netpgp/dist/src/lib/keyring.c b/crypto/external/bsd/netpgp/dist/src/lib/keyring.c
index a7a03e6..024bfd41 100644
--- a/crypto/external/bsd/netpgp/dist/src/lib/keyring.c
+++ b/crypto/external/bsd/netpgp/dist/src/lib/keyring.c
@@ -244,7 +244,8 @@ decrypt_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
 		break;
 
 	case PGP_GET_PASSPHRASE:
-		(void) pgp_getpassphrase(decrypt->passfp, pass, sizeof(pass));
+		if (pgp_getpassphrase(decrypt->passfp, pass, sizeof(pass)) == 0)
+			pass[0] = '\0';
 		*content->skey_passphrase.passphrase = netpgp_strdup(pass);
 		pgp_forget(pass, sizeof(pass));
 		return PGP_KEEP_MEMORY;
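Review bot: `pass[0] = '\0'` on failure replaces uninitialised stack contents with an empty pass-phrase, which is the right fix for the random-data problem, but the caller can no longer tell EOF on `passfp` apart from a user who really entered an empty pass-phrase, so an exhausted or closed pass-phrase file is retried as `""`; consider recording the failure in `decrypt` (or returning an error from the callback) so the two cases stay distinguishable. The hunk still relies on `pgp_getpassphrase()` NUL-terminating `pass` on its success path, which holds after patch 02.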
-- 
2.7.3

From 713e2c2f5963b43055f14d657b85a5843a3924ec Mon Sep 17 00:00:00 2001
From: Pierre Pronchery <khorben%EdgeBSD.org@localhost>
Date: Fri, 7 Oct 2016 01:35:04 +0200
Subject: [PATCH 05/11] Expect a FILE * for pgp_decrypt_seckey()

---
 crypto/external/bsd/netpgp/dist/src/lib/keyring.c | 2 +-
 crypto/external/bsd/netpgp/dist/src/lib/keyring.h | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/crypto/external/bsd/netpgp/dist/src/lib/keyring.c b/crypto/external/bsd/netpgp/dist/src/lib/keyring.c
index 024bfd41..28bfeb7 100644
--- a/crypto/external/bsd/netpgp/dist/src/lib/keyring.c
+++ b/crypto/external/bsd/netpgp/dist/src/lib/keyring.c
@@ -301,7 +301,7 @@ decrypt_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
 \return secret key
 */
 pgp_seckey_t *
-pgp_decrypt_seckey(const pgp_key_t *key, void *passfp)
+pgp_decrypt_seckey(const pgp_key_t *key, FILE *passfp)
 {
 	pgp_stream_t	*stream;
 	const int	 printerrors = 1;
diff --git a/crypto/external/bsd/netpgp/dist/src/lib/keyring.h b/crypto/external/bsd/netpgp/dist/src/lib/keyring.h
index e595e63..60e675b 100644
--- a/crypto/external/bsd/netpgp/dist/src/lib/keyring.h
+++ b/crypto/external/bsd/netpgp/dist/src/lib/keyring.h
@@ -53,6 +53,7 @@
 #ifndef KEYRING_H_
 #define KEYRING_H_
 
+#include <stdio.h>
 #include "packet.h"
 #include "packet-parse.h"
 #include "mj.h"
@@ -91,7 +92,7 @@ const pgp_pubkey_t *pgp_get_pubkey(const pgp_key_t *);
 unsigned   pgp_is_key_secret(const pgp_key_t *);
 const pgp_seckey_t *pgp_get_seckey(const pgp_key_t *);
 pgp_seckey_t *pgp_get_writable_seckey(pgp_key_t *);
-pgp_seckey_t *pgp_decrypt_seckey(const pgp_key_t *, void *);
+pgp_seckey_t *pgp_decrypt_seckey(const pgp_key_t *, FILE *);
 
 unsigned   pgp_keyring_fileread(pgp_keyring_t *, const unsigned,
 					const char *);
-- 
2.7.3

From 838158b0906559ae4cdec57fcc247e1291d390b4 Mon Sep 17 00:00:00 2001
From: Pierre Pronchery <khorben%EdgeBSD.org@localhost>
Date: Fri, 7 Oct 2016 01:51:44 +0200
Subject: [PATCH 06/11] Do not ask for a passphrase when empty

---
 crypto/external/bsd/netpgp/dist/src/lib/keyring.c | 25 ++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/crypto/external/bsd/netpgp/dist/src/lib/keyring.c b/crypto/external/bsd/netpgp/dist/src/lib/keyring.c
index 28bfeb7..6c07192 100644
--- a/crypto/external/bsd/netpgp/dist/src/lib/keyring.c
+++ b/crypto/external/bsd/netpgp/dist/src/lib/keyring.c
@@ -226,7 +226,7 @@ typedef struct {
 	pgp_seckey_t		*seckey;
 } decrypt_t;
 
-static pgp_cb_ret_t 
+static pgp_cb_ret_t
 decrypt_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
 {
 	const pgp_contents_t	*content = &pkt->u;
@@ -293,6 +293,20 @@ decrypt_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
 	return PGP_RELEASE_MEMORY;
 }
 
+static pgp_cb_ret_t
+decrypt_cb_empty(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
+{
+	const pgp_contents_t	*content = &pkt->u;
+
+	switch (pkt->tag) {
+	case PGP_GET_PASSPHRASE:
+		*content->skey_passphrase.passphrase = netpgp_strdup("");
+		return PGP_KEEP_MEMORY;
+	default:
+		return decrypt_cb(pkt, cbinfo);
+	}
+}
+
 /**
 \ingroup Core_Keys
 \brief Decrypts secret key from given keydata with given passphrase
@@ -307,8 +321,17 @@ pgp_decrypt_seckey(const pgp_key_t *key, FILE *passfp)
 	const int	 printerrors = 1;
 	decrypt_t	 decrypt;
 
+	/* XXX first try with an empty passphrase */
 	(void) memset(&decrypt, 0x0, sizeof(decrypt));
 	decrypt.key = key;
+	stream = pgp_new(sizeof(*stream));
+	pgp_keydata_reader_set(stream, key);
+	pgp_set_callback(stream, decrypt_cb_empty, &decrypt);
+	stream->readinfo.accumulate = 1;
+	pgp_parse(stream, !printerrors);
+	if (decrypt.seckey != NULL)
+		return decrypt.seckey;
+	/* ask for a passphrase */
 	decrypt.passfp = passfp;
 	stream = pgp_new(sizeof(*stream));
 	pgp_keydata_reader_set(stream, key);
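Review bot: the stream allocated by the first `pgp_new()` for the empty-pass-phrase attempt is never released: on the fall-through path `stream` is simply overwritten by the second `pgp_new()`, and on the early `return decrypt.seckey` it is dropped as well; tear the first stream down (with whatever this library uses to free a `pgp_stream_t`) before the second allocation and before the early return. `decrypt` is also not reset between the two attempts, so any state `decrypt_cb()` recorded during the failed empty-pass-phrase parse carries over into the real attempt; re-`memset` it or use a second `decrypt_t`. The `XXX` comment should say why an empty pass-phrase is tried first (keys stored without one, per the commit subject), since a silent first attempt with `""` is otherwise surprising to a reader.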
-- 
2.7.3

From 602b423c5ed58863f78e249b9d9a5c6d14b38ddc Mon Sep 17 00:00:00 2001
From: Pierre Pronchery <khorben%EdgeBSD.org@localhost>
Date: Sun, 9 Oct 2016 17:53:44 +0200
Subject: [PATCH 07/11] Correct option "--armor"

---
 crypto/external/bsd/netpgp/dist/src/netpgp/netpgp.1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/external/bsd/netpgp/dist/src/netpgp/netpgp.1 b/crypto/external/bsd/netpgp/dist/src/netpgp/netpgp.1
index 6843ef9..fee099e 100644
--- a/crypto/external/bsd/netpgp/dist/src/netpgp/netpgp.1
+++ b/crypto/external/bsd/netpgp/dist/src/netpgp/netpgp.1
@@ -203,7 +203,7 @@ library.
 In addition to one of the preceding commands, a number of qualifiers
 or options may be given.
 .Bl -tag -width Ar
-.It Fl Fl armour , Fl armor
+.It Fl Fl armour , Fl Fl armor
 This option, however it is spelled, wraps the signature as an
 ASCII-encoded piece of text, for ease of use.
 .It Fl Fl cipher Ar ciphername
-- 
2.7.3

From 1b0f84eeb65cbb80f0ebcdcbb1d2aa68a9096719 Mon Sep 17 00:00:00 2001
From: Pierre Pronchery <khorben%EdgeBSD.org@localhost>
Date: Sun, 9 Oct 2016 19:39:57 +0200
Subject: [PATCH 08/11] Also document alternate option "--detach"

---
 crypto/external/bsd/netpgp/dist/src/netpgp/netpgp.1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/external/bsd/netpgp/dist/src/netpgp/netpgp.1 b/crypto/external/bsd/netpgp/dist/src/netpgp/netpgp.1
index fee099e..8ca6f0f 100644
--- a/crypto/external/bsd/netpgp/dist/src/netpgp/netpgp.1
+++ b/crypto/external/bsd/netpgp/dist/src/netpgp/netpgp.1
@@ -216,7 +216,7 @@ access to the cipher used.
 The default cipher algorithm is the
 .Dq CAST5
 algorithm.
-.It Fl Fl detached
+.It Fl Fl detach , Fl Fl detached
 When signing a file, place the resulting signature in a separate
 file from the one being signed.
 .It Fl Fl hash-alg Ar hash-algorithm
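Review bot: this hunk documents `--detach` as an alias of `--detached`, but no hunk in the series adds `detach` to the option table in `netpgp.c`; confirm the binary already accepts it (the gpg2netpgp wrapper attached to the mail only ever emits `--detached`), otherwise the man page advertises an option that fails.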
-- 
2.7.3

From b666b35dc039357e49dc5161b57edd9e47a8c83c Mon Sep 17 00:00:00 2001
From: Pierre Pronchery <khorben%EdgeBSD.org@localhost>
Date: Sun, 9 Oct 2016 22:06:53 +0200
Subject: [PATCH 09/11] Output signatures to the standard output for "-"

---
 crypto/external/bsd/netpgp/dist/src/lib/signature.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/crypto/external/bsd/netpgp/dist/src/lib/signature.c b/crypto/external/bsd/netpgp/dist/src/lib/signature.c
index 4c16f7d..48d4e39 100644
--- a/crypto/external/bsd/netpgp/dist/src/lib/signature.c
+++ b/crypto/external/bsd/netpgp/dist/src/lib/signature.c
@@ -903,7 +903,10 @@ open_output_file(pgp_output_t **output,
 
 	/* setup output file */
 	if (outname) {
-		fd = pgp_setup_file_write(output, outname, overwrite);
+		if (strcmp(outname, "-") == 0)
+			fd = pgp_setup_file_write(output, NULL, overwrite);
+		else
+			fd = pgp_setup_file_write(output, outname, overwrite);
 	} else {
 		unsigned        flen = (unsigned)(strlen(inname) + 4 + 1);
 		char           *f = NULL;
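Review bot: mapping `-` to `pgp_setup_file_write(output, NULL, overwrite)` relies on `NULL` meaning "standard output" inside that helper, which is not visible here; add a comment saying so, and note that `overwrite` is meaningless for stdout. The new meaning of `-` for `--output` should also be mentioned in netpgp.1, since a file literally named `-` can no longer be produced this way (which matches gpg's convention and is fine).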
-- 
2.7.3

From 7348af4a2606203c0465659a7062f49759b7e08a Mon Sep 17 00:00:00 2001
From: Pierre Pronchery <khorben%EdgeBSD.org@localhost>
Date: Sun, 9 Oct 2016 22:07:39 +0200
Subject: [PATCH 10/11] No longer hard-code the suffix length

---
 crypto/external/bsd/netpgp/dist/src/lib/signature.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/external/bsd/netpgp/dist/src/lib/signature.c b/crypto/external/bsd/netpgp/dist/src/lib/signature.c
index 48d4e39..0cd8d6a 100644
--- a/crypto/external/bsd/netpgp/dist/src/lib/signature.c
+++ b/crypto/external/bsd/netpgp/dist/src/lib/signature.c
@@ -908,7 +908,7 @@ open_output_file(pgp_output_t **output,
 		else
 			fd = pgp_setup_file_write(output, outname, overwrite);
 	} else {
-		unsigned        flen = (unsigned)(strlen(inname) + 4 + 1);
+		size_t          flen = strlen(inname) + 1 + strlen(suffix) + 1;
 		char           *f = NULL;
 
 		if ((f = calloc(1, flen)) == NULL) {
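Review bot: `strlen(inname) + 1 + strlen(suffix) + 1` reserves a byte for a `.` separator; if `suffix` already carries the leading dot (as the wrapper's `.sig`/`.asc` do) this over-allocates by one, which is harmless, but the code that fills `f` below the hunk should take `flen` rather than recompute the size so the two stay in sync. `suffix` is not declared in this hunk, so confirm it is the function parameter and cannot be `NULL` at this point.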
-- 
2.7.3

From ff6fc1a22e53cf935c8b75b071d3def3d87071c4 Mon Sep 17 00:00:00 2001
From: Pierre Pronchery <khorben%EdgeBSD.org@localhost>
Date: Sun, 9 Oct 2016 22:40:06 +0200
Subject: [PATCH 11/11] Support detached signatures for the standard input

---
 crypto/external/bsd/netpgp/dist/include/netpgp.h    |  2 +-
 crypto/external/bsd/netpgp/dist/src/lib/netpgp.c    |  5 +++--
 crypto/external/bsd/netpgp/dist/src/lib/signature.c | 19 +++++++++++--------
 crypto/external/bsd/netpgp/dist/src/lib/signature.h |  1 +
 crypto/external/bsd/netpgp/dist/src/libpaa/libpaa.c |  2 +-
 crypto/external/bsd/netpgp/dist/src/netpgp/netpgp.c |  3 ++-
 6 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/crypto/external/bsd/netpgp/dist/include/netpgp.h b/crypto/external/bsd/netpgp/dist/include/netpgp.h
index 0378697..720d52d 100644
--- a/crypto/external/bsd/netpgp/dist/include/netpgp.h
+++ b/crypto/external/bsd/netpgp/dist/include/netpgp.h
@@ -88,7 +88,7 @@ int netpgp_sign_file(netpgp_t *, const char *, const char *, char *, int, int, i
 int netpgp_verify_file(netpgp_t *, const char *, const char *, int);
 
 /* memory signing and encryption */
-int netpgp_sign_memory(netpgp_t *, const char *, char *, size_t, char *, size_t, const unsigned, const unsigned);
+int netpgp_sign_memory(netpgp_t *, const char *, char *, size_t, char *, size_t, const unsigned, const unsigned, const unsigned);
 int netpgp_verify_memory(netpgp_t *, const void *, const size_t, void *, size_t, const int);
 int netpgp_encrypt_memory(netpgp_t *, const char *, void *, const size_t, char *, size_t, int);
 int netpgp_decrypt_memory(netpgp_t *, const void *, const size_t, char *, size_t, const int);
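Review bot: adding a parameter to `netpgp_sign_memory()` in the public `netpgp.h` changes the exported API and ABI of libnetpgp; the in-tree `libpaa.c` call site is updated later in this patch, but out-of-tree callers built against the installed library are not, so bump the shared library major version or add a new entry point and keep the old signature as a wrapper.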
diff --git a/crypto/external/bsd/netpgp/dist/src/lib/netpgp.c b/crypto/external/bsd/netpgp/dist/src/lib/netpgp.c
index 6d499f7..018d60b 100644
--- a/crypto/external/bsd/netpgp/dist/src/lib/netpgp.c
+++ b/crypto/external/bsd/netpgp/dist/src/lib/netpgp.c
@@ -1509,7 +1509,8 @@ netpgp_sign_memory(netpgp_t *netpgp,
 		char *out,
 		size_t outsize,
 		const unsigned armored,
-		const unsigned cleartext)
+		const unsigned cleartext,
+		const unsigned detached)
 {
 	const pgp_key_t		*keypair;
 	const pgp_key_t		*pubkey;
@@ -1571,7 +1572,7 @@ netpgp_sign_memory(netpgp_t *netpgp,
 	signedmem = pgp_sign_buf(io, mem, size, seckey,
 				get_birthtime(netpgp_getvar(netpgp, "birthtime")),
 				get_duration(netpgp_getvar(netpgp, "duration")),
-				hashalg, armored, cleartext);
+				hashalg, armored, cleartext, detached);
 	if (signedmem) {
 		size_t	m;
 
diff --git a/crypto/external/bsd/netpgp/dist/src/lib/signature.c b/crypto/external/bsd/netpgp/dist/src/lib/signature.c
index 0cd8d6a..307f327 100644
--- a/crypto/external/bsd/netpgp/dist/src/lib/signature.c
+++ b/crypto/external/bsd/netpgp/dist/src/lib/signature.c
@@ -1097,7 +1097,8 @@ pgp_sign_buf(pgp_io_t *io,
 		const uint64_t duration,
 		const char *hashname,
 		const unsigned armored,
-		const unsigned cleartext)
+		const unsigned cleartext,
+		const unsigned detached)
 {
 	pgp_litdata_enum	 ld_type;
 	pgp_create_sig_t	*sig;
@@ -1171,13 +1172,15 @@ pgp_sign_buf(pgp_io_t *io,
 		hash = pgp_sig_get_hash(sig);
 		hash->add(hash, input, (unsigned)insize);
 
-		/* output file contents as Literal Data packet */
-		if (pgp_get_debug_level(__FILE__)) {
-			(void) fprintf(stderr, "** Writing out data now\n");
-		}
-		pgp_write_litdata(output, input, (const int)insize, ld_type);
-		if (pgp_get_debug_level(__FILE__)) {
-			fprintf(stderr, "** After Writing out data now\n");
+		if (!detached) {
+			/* output file contents as Literal Data packet */
+			if (pgp_get_debug_level(__FILE__)) {
+				(void) fprintf(stderr, "** Writing out data now\n");
+			}
+			pgp_write_litdata(output, input, (const int)insize, ld_type);
+			if (pgp_get_debug_level(__FILE__)) {
+				fprintf(stderr, "** After Writing out data now\n");
+			}
 		}
 
 		/* add creation time to signature */
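Review bot: skipping the Literal Data packet under `detached` is necessary but may not be sufficient: a detached signature must be a bare Signature packet, so any One-Pass Signature packet written earlier in this branch (above the hunk, not shown) must be suppressed under `detached` as well, otherwise verifiers receive a truncated inline-signed message rather than a detached signature. This ties in with the issue raised in the covering mail, where netpgp reports success for a "detached" signature file by looking at content embedded in the signature instead of the file being verified; the verify side should reject a detached signature file that contains anything but Signature packets.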
diff --git a/crypto/external/bsd/netpgp/dist/src/lib/signature.h b/crypto/external/bsd/netpgp/dist/src/lib/signature.h
index 9e691dd..5a27f91 100644
--- a/crypto/external/bsd/netpgp/dist/src/lib/signature.h
+++ b/crypto/external/bsd/netpgp/dist/src/lib/signature.h
@@ -161,6 +161,7 @@ pgp_memory_t   *pgp_sign_buf(pgp_io_t *,
 				const uint64_t,
 				const char *,
 				const unsigned,
+				const unsigned,
 				const unsigned);
 
 unsigned pgp_keyring_read_from_mem(pgp_io_t *,
diff --git a/crypto/external/bsd/netpgp/dist/src/libpaa/libpaa.c b/crypto/external/bsd/netpgp/dist/src/libpaa/libpaa.c
index 8ec8daab..909ec30 100644
--- a/crypto/external/bsd/netpgp/dist/src/libpaa/libpaa.c
+++ b/crypto/external/bsd/netpgp/dist/src/libpaa/libpaa.c
@@ -255,7 +255,7 @@ paa_format_response(paa_response_t *response, netpgp_t *netpgp, char *in, char *
 	(void) memset(sig, 0x0, sizeof(sig));
 	(void) snprintf(sig, sizeof(sig), "%s;%s;%s;", response->userid, response->realm, challenge);
 	sigc = netpgp_sign_memory(netpgp, response->userid, challenge,
-		(unsigned)challengec, sig, sizeof(sig), 0, 0);
+		(unsigned)challengec, sig, sizeof(sig), 0, 0, 0);
 	sig64c = b64encode(sig, (const unsigned)sigc, base64_signature,
 		sizeof(base64_signature), (int)0);
 	outc += snprintf(&out[outc], outsize - outc, ",\r\n    signature=\"%.*s\"", sig64c, base64_signature);
diff --git a/crypto/external/bsd/netpgp/dist/src/netpgp/netpgp.c b/crypto/external/bsd/netpgp/dist/src/netpgp/netpgp.c
index df0481c..bbc5739 100644
--- a/crypto/external/bsd/netpgp/dist/src/netpgp/netpgp.c
+++ b/crypto/external/bsd/netpgp/dist/src/netpgp/netpgp.c
@@ -296,7 +296,8 @@ netpgp_cmd(netpgp_t *netpgp, prog_t *p, char *f)
 					in, cc, out,
 					maxsize, p->armour,
 					(p->cmd == CLEARSIGN) ? cleartext :
-								!cleartext);
+								!cleartext,
+					p->detached);
 			ret = show_output(out, ret, "Bad memory signature");
 			free(in);
 			free(out);
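Review bot: `p->detached` is now passed for the in-memory signing path, but nothing here defines what `cleartext` together with `detached` means: `(p->cmd == CLEARSIGN) ? cleartext : !cleartext` can yield cleartext set while `p->detached` is also set; either reject the combination when parsing options or document which one wins in `pgp_sign_buf()`.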
-- 
2.7.3

#!/bin/sh
#Copyright (c) 2016 Pierre Pronchery <khorben%edgebsd.org@localhost>
#This file is part of EdgeBSD Infrastructure
#Redistribution and use in source and binary forms, with or without
#modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
#   list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice,
#   this list of conditions and the following disclaimer in the documentation
#   and/or other materials provided with the distribution.
#
#THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
#AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
#IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
#FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
#DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
#CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
#OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
#OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.



#variables
PROGNAME="gpg2netpgp"
#executables
CAT="/bin/cat"
MKTEMP="/usr/bin/mktemp"
NETPGP="/usr/bin/netpgp"
NETPGPKEYS="/usr/bin/netpgpkeys"
RM="/bin/rm -f"


#functions
#gpg2netpgp_verify
_gpg2netpgp_verify()
{
	ret=0
	armored=0
	break=0
	ext=".sig"

	#options
	while [ $# -gt 0 ]; do
		arg="$1"

		case "$arg" in
			--armor)
				armored=1
				;;
			--verify)
				;;
			--)
				shift
				break=1
				;;
			*)
				break=1
				;;
		esac
		[ $break -eq 0 ] || break
		shift
	done
	#detect armoring (the first remaining argument is the signature file)
	[ -r "$1" ]						|| return 2
	read -r line < "$1"
	case "$line" in
		"-----BEGIN PGP MESSAGE-----"*|"-----BEGIN PGP SIGNATURE-----"*|"-----BEGIN PGP SIGNED MESSAGE-----"*)
			armored=1
			;;
	esac
	[ $armored -eq 0 ] || ext=".asc"
	#verify
	if [ $# -eq 2 -a "$2" = "-" ]; then
		#detached signature in "$1", data on the standard input:
		#work in a private directory so that both files can be
		#created without racing on a predictable name
		tmpdir="$($MKTEMP -d)"
		[ $? -eq 0 ]					|| return 2
		filename="$tmpdir/data"
		$CAT -- "$1" > "$filename$ext"			|| ret=2
		$CAT > "$filename"				|| ret=2
		if [ $ret -eq 0 ]; then
			#netpgp verifies "$filename$ext" against "$filename"
			$NETPGP --verify --detached -- "$filename$ext"
			ret=$?
		fi
		$RM -r -- "$tmpdir"
	elif [ $# -eq 1 ]; then
		$NETPGP --verify -- "$1"
		ret=$?
	else
		_usage
		ret=$?
	fi
	return $ret
}


#error
_error()
{
	echo "$PROGNAME: $*" 1>&2
	return 2
}


#usage
_usage()
{
	echo "Usage: $PROGNAME [--homedir dir][--options file][options] command [args]" 1>&2
	return 1
}


#main
args=
exec="$NETPGP"
break=0
while [ $# -gt 0 ]; do
	arg="$1"
	shift

	case "$arg" in
		--help)
			_usage
			exit $?
			;;
		--armor|--decrypt|--encrypt|--sign|--verbose|--version)
			#pass-through
			args="$args $arg"
			;;
		--homedir)
			#pass-through with argument (otherwise the directory
			#name would be taken as the command and end parsing)
			args="$args $arg=$1"
			shift
			;;
		--export)
			exec="$NETPGPKEYS"
			args="$args --export-key"
			;;
		--gen-key)
			exec="$NETPGPKEYS"
			args="$args --generate-key"
			;;
		--import)
			exec="$NETPGPKEYS"
			args="$args --import-key"
			;;
		--list-keys|--list-sigs)
			#pass-through (netpgpkeys)
			exec="$NETPGPKEYS"
			args="$args $arg"
			;;
		--keyring|--output)
			#pass-through with argument
			args="$args $arg=$1"
			shift
			;;
		--no-verbose|-q|--quiet)
			#ignore
			;;
		--verify)
			#XXX special case
			exec="_gpg2netpgp_verify"
			args="$args $arg"
			;;
		-a)
			args="$args --armor"
			;;
		-b|--detach-sign)
			args="$args --sign --detached"
			;;
		--cipher-algo)
			args="$args --cipher=$1"
			shift
			;;
		-d)
			args="$args --decrypt"
			;;
		--digest-algo)
			args="$args --hash-alg=$1"
			shift
			;;
		-e)
			args="$args --encrypt"
			;;
		-o)
			args="$args --output=$1"
			shift
			;;
		-s)
			args="$args --sign"
			;;
		-u|--local-user)
			args="$args --userid=$1"
			shift
			;;
		--)
			args="$args $arg"
			break=1
			;;
		-)
			;;
		-?|--*)
			_error "$arg: Unsupported option"
			ret=$?
			_usage
			exit $ret
			;;
		*)
			args="$args $arg"
			break=1
			;;
	esac
	[ $break -eq 0 ] || break
done

#run netpgp
$exec $args "$@"

