pkgsrc-Changes archive


CVS commit: pkgsrc/security/keychain



Module Name:    pkgsrc
Committed By:   vins
Date:           Fri May 23 17:47:05 UTC 2025

Modified Files:
        pkgsrc/security/keychain: Makefile distinfo

Log Message:
security/keychain: update to 2.9.5

# upstream changes (since 2.9.2)

## keychain 2.9.5 (16 May 2025)

This is a bugfix release.

* Hardening checks were failing on Android and some macOS environments. Make them
  more compatible and lower to warnings instead of aborting the script, until
  they have been tested in more environments.
  ([#177](https://github.com/funtoo/keychain/issues/177))

* Fixed issues with indentation of `note()`, `warn()`, `mesg()`.

* Convert `SSH_AUTH_SOCK in pidfile is invalid; ignoring it` into a debug message,
  as this is normal when rebooting your system so is not really useful to show
  typically. ([#176](https://github.com/funtoo/keychain/issues/176))

## keychain 2.9.4 (14 May 2025)

This is a minor bugfix release.

* Fix minor regression which allowed some warnings to display with `--quiet`.
  ([#175](https://github.com/funtoo/keychain/issues/175))

* "Cannot find separate public key" turned into a `note()` rather than `warn()`,
  along with several other non-critical notices. `note()` can be suppressed with
  `--quiet`, unlike `warn()`. ([#157](https://github.com/funtoo/keychain/issues/157))

* Minor improvement when wiping GnuPG keys with `--wipe` option so keychain output
  is more understandable when gpg-agent is not running.

## keychain 2.9.3 (14 May 2025)

This is a security and bug fix release. Many thanks to those who have reported
issues to GitHub, sent in pull requests, and tested out fixes. 2.9.3 includes
the following updates:

* The `--quick` option logic had several bugs which have been resolved. Thanks
  to Filipe Fernandes (@ffernand) for reporting the issue and for assistance
  testing fixes. ([#167](https://github.com/funtoo/keychain/issues/167))

* Fix keychain `--query` exit code when no pidfile exists.
  ([#171](https://github.com/funtoo/keychain/issues/171))

* `--systemd` option should now be fixed.
  ([#168](https://github.com/funtoo/keychain/issues/168))

* Harden keychain so the use of the `--dir` and `--absolute` options cannot be
  used to instruct keychain to write pidfiles into insecure areas.
  ([#174](https://github.com/funtoo/keychain/issues/174))

  Prior to this release, it was possible to use these options in combination
  with bad (empty) default umask to write pidfiles into a public area on disk
  where they were writable by other users. In the worst case, this could allow
  arbitrary execution of the contents of the malicious pidfile by keychain.

  This hardening now makes it difficult for a user to configure their keychain
  in a way that would allow this to happen. Note that if you are not using the
  `--dir` or `--absolute` options, keychain will use the `$HOME/.keychain`
  directory by default, which is typically under the full control of the
  current user and thus not exploitable.

  The hardening changes include:

  * Setting a global restrictive `umask` in the script.
  * Remove pidfiles before redirecting data to them to ensure they are created
    with restrictive permissions from the `umask`.
  * Check the keychain pidfile directory to ensure it is owned by the current
    user, and only the current user can access it (mode 700). If not, abort
    with an informative error message.
  * Check any existing pidfiles prior to use to make sure they are owned by the
    current user, and only the current user can access them. If not, abort with
    an informative error message.
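
The four hardening steps listed above, sketched in POSIX shell as an added example; it is not part of the commit or of keychain's source. The function names and the exact mode 600 required of pidfiles are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration of the hardening steps in the 2.9.3 notes.
# Function names are hypothetical; this is not keychain's code.

umask 077   # step 1: everything created below is private to the user

# True if $1 is a non-symlink owned by the current user whose `ls -l`
# mode string is exactly $2 (a trailing ACL/SELinux marker is tolerated).
owned_with_mode() {
    [ -e "$1" ] && [ ! -L "$1" ] || return 1
    # Read mode and numeric uid from a here-document: no word splitting
    # or globbing is applied to the file name.
    read -r mode links uid rest <<EOF
$(ls -ldn -- "$1" 2>/dev/null)
EOF
    [ "$uid" = "$(id -u)" ] || return 1
    case $mode in
        "$2"|"$2"[.+@]) return 0 ;;
    esac
    return 1
}

# step 3: the pidfile directory must be ours and mode 700
check_pidfile_dir() {
    owned_with_mode "$1" 'drwx------' && return 0
    echo "error: $1 must be owned by you with mode 700" >&2
    return 1
}

# step 4: an existing pidfile must be ours and private
# (assumption: exactly mode 600; a symlink is always rejected)
check_pidfile() {
    [ -e "$1" ] || [ -L "$1" ] || return 0   # absent: nothing to verify
    owned_with_mode "$1" '-rw-------' && return 0
    echo "error: $1 is not a private file owned by you" >&2
    return 1
}

# Verify, then remove before redirecting (step 2) so the file is created
# fresh under the restrictive umask instead of reusing old permissions.
write_pidfile() {
    check_pidfile_dir "$(dirname "$1")" || return 1
    check_pidfile "$1" || return 1
    rm -f -- "$1"
    printf '%s\n' "$2" > "$1"
}
```
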


To generate a diff of this commit:
cvs rdiff -u -r1.41 -r1.42 pkgsrc/security/keychain/Makefile
cvs rdiff -u -r1.27 -r1.28 pkgsrc/security/keychain/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/keychain/Makefile
diff -u pkgsrc/security/keychain/Makefile:1.41 pkgsrc/security/keychain/Makefile:1.42
--- pkgsrc/security/keychain/Makefile:1.41      Sat May  3 16:08:16 2025
+++ pkgsrc/security/keychain/Makefile   Fri May 23 17:47:05 2025
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.41 2025/05/03 16:08:16 vins Exp $
+# $NetBSD: Makefile,v 1.42 2025/05/23 17:47:05 vins Exp $
 
-DISTNAME=      keychain-2.9.2
+DISTNAME=      keychain-2.9.5
 CATEGORIES=    security
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=funtoo/}
 
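Review bot: the `DISTNAME` change from keychain-2.9.2 to keychain-2.9.5 pulls in the 2.9.3 security fix (#174), yet the log's summary line says only "update to 2.9.5"; naming the security fix in that line would make the commit easier to spot when choosing pull-ups for stable branches. Worth calling out alongside it: per the 2.9.5 entry, the hardening checks now warn instead of aborting, so users of `--dir` or `--absolute` should not assume an insecure pidfile directory is refused.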

Index: pkgsrc/security/keychain/distinfo
diff -u pkgsrc/security/keychain/distinfo:1.27 pkgsrc/security/keychain/distinfo:1.28
--- pkgsrc/security/keychain/distinfo:1.27      Sat May  3 16:08:16 2025
+++ pkgsrc/security/keychain/distinfo   Fri May 23 17:47:05 2025
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.27 2025/05/03 16:08:16 vins Exp $
+$NetBSD: distinfo,v 1.28 2025/05/23 17:47:05 vins Exp $
 
-BLAKE2s (keychain-2.9.2.tar.gz) = 29f3179b43e128641b730bc6bd0338b34de6381a3c2f69ccf34180f8e3b94b06
-SHA512 (keychain-2.9.2.tar.gz) = 1b4aa06037cb3f89f4cfa6a4c1a1104ca6a757175a636043b7fb4776773a81f20b38b058b86618b8e6b89cf7c61af86e6441da70ed92b0c18d31fb50b3dd8a96
-Size (keychain-2.9.2.tar.gz) = 41401 bytes
+BLAKE2s (keychain-2.9.5.tar.gz) = 2137b9315bcda59d83fdf6f4870164de42cf39b850d82354f0444399a6050029
+SHA512 (keychain-2.9.5.tar.gz) = 4241a16449062b3365e1119788ab1e56eaadd7c239b5a5af03f644fb44494cc415774c1ba4d2a9ad1e6341892ddcbe4573cda6f986ecc8e5857cfbb2066ac5ac
+Size (keychain-2.9.5.tar.gz) = 42685 bytes
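Review bot: the three `+` lines for keychain-2.9.5.tar.gz are the only integrity record for a release that carries a security fix, and nothing in the commit says how they were produced; confirm they were regenerated from a fresh fetch of the distfile from the GitHub master site named in the Makefile rather than from a cached copy. The hunk carries no patch checksums, which matches the Modified Files list naming only Makefile and distinfo.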


