diff -Nru gnupg2-2.1.11/debian/changelog gnupg2-2.1.11/debian/changelog --- gnupg2-2.1.11/debian/changelog 2016-04-08 10:00:00.000000000 +0200 +++ gnupg2-2.1.11/debian/changelog 2016-09-09 13:52:43.000000000 +0200 @@ -1,3 +1,10 @@ +gnupg2 (2.1.11-6ubuntu2.1) xenial; urgency=medium + + * debian/patches/0006-allow-secret-key-removal.patch: + - cherry pick ac9ff644 from gnupg upstream (LP: #1621839) + + -- Michael Vogt Fri, 09 Sep 2016 13:14:08 +0200 + gnupg2 (2.1.11-6ubuntu2) xenial; urgency=medium * Fix upstart user-session integration with new pinentry: diff -Nru gnupg2-2.1.11/debian/patches/0006-allow-secret-key-removal.patch gnupg2-2.1.11/debian/patches/0006-allow-secret-key-removal.patch --- gnupg2-2.1.11/debian/patches/0006-allow-secret-key-removal.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnupg2-2.1.11/debian/patches/0006-allow-secret-key-removal.patch 2016-09-09 13:51:57.000000000 +0200 @@ -0,0 +1,172 @@ +From: Werner Koch +Date: Tue, 10 May 2016 09:01:42 +0000 (+0200) +Subject: gpg: Allow unattended deletion of secret keys. +X-Git-Tag: gnupg-2.1.13~90 +X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff_plain;h=ac9ff644b12c4dfa55d466af8ae6af54d1646893 + +gpg: Allow unattended deletion of secret keys. + +* agent/command.c (cmd_delete_key): Make the --force option depend on +--disallow-loopback-passphrase. +* g10/call-agent.c (agent_delete_key): Add arg FORCE. +* g10/delkey.c (do_delete_key): Pass opt.answer_yes to +agent_delete_key. +-- + +Unless the agent has been configured with +--disallow-loopback-passpharse an unattended deletion of a secret key +is now possible with gpg by using --batch _and_ --yes. + +Signed-off-by: Werner Koch +--- + +Index: gnupg2-2.1.11/agent/command.c +=================================================================== +--- gnupg2-2.1.11.orig/agent/command.c ++++ gnupg2-2.1.11/agent/command.c +@@ -2412,8 +2412,9 @@ cmd_export_key (assuan_context_t ctx, ch + static const char hlp_delete_key[] = + "DELETE_KEY [--force] \n" + "\n" +- "Delete a secret key from the key store.\n" +- "Unless --force is used the agent asks the user for confirmation.\n"; ++ "Delete a secret key from the key store. If --force is used\n" ++ "and a loopback pinentry is allowed, the agent will not ask\n" ++ "the user for confirmation."; + static gpg_error_t + cmd_delete_key (assuan_context_t ctx, char *line) + { +@@ -2428,6 +2429,11 @@ cmd_delete_key (assuan_context_t ctx, ch + force = has_option (line, "--force"); + line = skip_options (line); + ++ /* If the use of a loopback pinentry has been disabled, we assume ++ * that a silent deletion of keys shall also not be allowed. */ ++ if (!opt.allow_loopback_pinentry) ++ force = 0; ++ + err = parse_keygrip (ctx, line, grip); + if (err) + goto leave; +Index: gnupg2-2.1.11/doc/gpg-agent.texi +=================================================================== +--- gnupg2-2.1.11.orig/doc/gpg-agent.texi ++++ gnupg2-2.1.11/doc/gpg-agent.texi +@@ -303,6 +303,10 @@ internal cache of @command{gpg-agent} wi + Allow clients to use the loopback pinentry features; see the option + @option{pinentry-mode} for details. + ++The @option{--force} option of the Assuan command @command{DELETE_KEY} ++is also controlled by this option: The option is ignored if a loopback ++pinentry is disallowed. ++ + @item --no-allow-external-cache + @opindex no-allow-external-cache + Tell Pinentry not to enable features which use an external cache for +@@ -786,8 +790,17 @@ fi + @section Agent's Assuan Protocol + + Note: this section does only document the protocol, which is used by +-GnuPG components; it does not deal with the ssh-agent protocol. ++GnuPG components; it does not deal with the ssh-agent protocol. To ++see the full specification of each command, use ++ ++@example ++ gpg-connect-agent 'help COMMAND' /bye ++@end example ++ ++@noindent ++or just 'help' to list all available commands. + ++@noindent + The @command{gpg-agent} daemon is started on demand by the GnuPG + components. + +Index: gnupg2-2.1.11/doc/gpg.texi +=================================================================== +--- gnupg2-2.1.11.orig/doc/gpg.texi ++++ gnupg2-2.1.11/doc/gpg.texi +@@ -348,13 +348,20 @@ safeguard against accidental deletion of + + @item --delete-secret-keys @code{name} + @opindex delete-secret-keys +-Remove key from the secret keyring. In batch mode the key +-must be specified by fingerprint. ++gRemove key from the secret keyring. In batch mode the key must be ++specified by fingerprint. The option @option{--yes} can be used to ++advice gpg-agent not to request a confirmation. This extra ++pre-caution is done because @command{gpg} can't be sure that the ++secret key (as controlled by gpg-agent) is only used for the given ++OpenPGP public key. ++ + + @item --delete-secret-and-public-key @code{name} + @opindex delete-secret-and-public-key + Same as @option{--delete-key}, but if a secret key exists, it will be + removed first. In batch mode the key must be specified by fingerprint. ++The option @option{--yes} can be used to advice gpg-agent not to ++request a confirmation. + + @item --export + @opindex export +Index: gnupg2-2.1.11/g10/call-agent.c +=================================================================== +--- gnupg2-2.1.11.orig/g10/call-agent.c ++++ gnupg2-2.1.11/g10/call-agent.c +@@ -2350,9 +2350,11 @@ agent_export_key (ctrl_t ctrl, const cha + + /* Ask the agent to delete the key identified by HEXKEYGRIP. If DESC + is not NULL, display DESC instead of the default description +- message. */ ++ message. If FORCE is true the agent is advised not to ask for ++ confirmation. */ + gpg_error_t +-agent_delete_key (ctrl_t ctrl, const char *hexkeygrip, const char *desc) ++agent_delete_key (ctrl_t ctrl, const char *hexkeygrip, const char *desc, ++ int force) + { + gpg_error_t err; + char line[ASSUAN_LINELENGTH]; +@@ -2377,7 +2379,8 @@ agent_delete_key (ctrl_t ctrl, const cha + return err; + } + +- snprintf (line, DIM(line)-1, "DELETE_KEY %s", hexkeygrip); ++ snprintf (line, DIM(line)-1, "DELETE_KEY%s %s", ++ force? " --force":"", hexkeygrip); + err = assuan_transact (agent_ctx, line, NULL, NULL, + default_inq_cb, &dfltparm, + NULL, NULL); +Index: gnupg2-2.1.11/g10/call-agent.h +=================================================================== +--- gnupg2-2.1.11.orig/g10/call-agent.h ++++ gnupg2-2.1.11/g10/call-agent.h +@@ -196,7 +196,7 @@ gpg_error_t agent_export_key (ctrl_t ctr + + /* Delete a key from the agent. */ + gpg_error_t agent_delete_key (ctrl_t ctrl, const char *hexkeygrip, +- const char *desc); ++ const char *desc, int force); + + /* Change the passphrase of a key. */ + gpg_error_t agent_passwd (ctrl_t ctrl, const char *hexkeygrip, const char *desc, +Index: gnupg2-2.1.11/g10/delkey.c +=================================================================== +--- gnupg2-2.1.11.orig/g10/delkey.c ++++ gnupg2-2.1.11/g10/delkey.c +@@ -185,8 +185,14 @@ do_delete_key( const char *username, int + prompt = gpg_format_keydesc (node->pkt->pkt.public_key, + FORMAT_KEYDESC_DELKEY, 1); + err = hexkeygrip_from_pk (node->pkt->pkt.public_key, &hexgrip); ++ /* NB: We require --yes to advise the agent not to ++ * request a confirmation. The rationale for this extra ++ * pre-caution is that since 2.1 the secret key may also ++ * be used for other protocols and thus deleting it from ++ * the gpg would also delete the key for other tools. */ + if (!err) +- err = agent_delete_key (NULL, hexgrip, prompt); ++ err = agent_delete_key (NULL, hexgrip, prompt, ++ opt.answer_yes); + xfree (prompt); + xfree (hexgrip); + if (err) diff -Nru gnupg2-2.1.11/debian/patches/series gnupg2-2.1.11/debian/patches/series --- gnupg2-2.1.11/debian/patches/series 2016-03-31 06:25:34.000000000 +0200 +++ gnupg2-2.1.11/debian/patches/series 2016-09-09 13:51:57.000000000 +0200 @@ -3,3 +3,4 @@ 0003-Avoid-simple-memory-dumps-via-ptrace.patch 0004-avoid-gpgtar.test-when-disable-gpgtar-is-configured.patch 0005-common-Change-simple_query-to-ignore-status-messages.patch +0006-allow-secret-key-removal.patch