Build should succeed on any Linux distribution and similar systems. Popular GNU build tools are required. For Ubuntu, the following packages should be enough: libgnutls28-dev, bzip2, make, gettext, texinfo, gnutls-bin, build-essential, g++. (List taken from this comment: https://gist.github.com/mattrude/3883a3801613b048d45b#gistcomment-2378027.)
When building from Git, additional software is needed, in particular Git, Automake, and a recent version of Gettext. Note that the Gettext available in Ubuntu Trusty is too old for this purpose, which must be taken into account when building from Git in a CI environment.
Tip: Most likely you’ll want to run install_gpg_all.sh, however install_gpg_component.sh gives greater flexibility. Oh, and check out the examples subdirectory.
install_gpg_component.sh builds and installs a specific component of GnuPG. The source code is obtained either from released tarballs or from the Git repository.
When building stable releases from tarballs, two options are mandatory:
- --component-name, which specifies a component name
- --component-version, which specifies component version (can be latest)
./install_gpg_component.sh \
--component-name pinentry \
--component-version latest
./install_gpg_component.sh \
--component-name pinentry \
--component-version 1.1.0
When building from the Git repository, two options are mandatory:
- --component-name, which specifies a component name
- --component-git-ref, which specifies a Git branch or tag (commonly master)
./install_gpg_component.sh \
--component-name pinentry \
--component-git-ref master
For a complete list of available options, run the script with the --help option:
./install_gpg_component.sh --help
install_gpg_all.sh builds and installs all components of GnuPG (but not GPGME, which must be installed separately via install_gpg_component.sh if desired).
The --suite-version parameter describes the combination of component versions. Supported values are: 2.1, 2.2, latest, and master, which are defined as follows:
- 2.1 means GnuPG 2.1, and other components as in this Gist: https://gist.github.com/mattrude/3883a3801613b048d45b
- 2.2 means GnuPG 2.1, and other components as in this Gist: https://gist.github.com/vt0r/a2f8c0bcb1400131ff51
- There is currently no all-in-one support for explicit versioning with 2.3, 2.4, etc. arguments. Use latest instead.
- latest means the latest version of GnuPG and all its components. They are obtained from https://versions.gnupg.org/swdb.lst, which is maintained by GnuPG developers and is used by GnuPG’s stock software updater.
- master means whatever is currently on the master branch in Git.
Tip: Prefer latest over explicit versioning.
Any other arguments are passed to install_gpg_component.sh, which is invoked from install_gpg_all.sh once for every component. For example, the following snippet will install the freshest GnuPG without documentation (--configure-opts "--disable-doc" will be passed to the component install scripts):
./install_gpg_all.sh \
--suite-version latest \
--configure-opts "--disable-doc"
The --configure-opts option allows passing options to the ./configure scripts. For example:
./install_gpg_component.sh \
--component-name pinentry \
--component-version latest \
--configure-opts "--enable-pinentry-qt --enable-pinentry-curses"
Setting a custom installation prefix is not that straightforward. The ./configure script assumes that all the dependencies are installed in /usr/lib, hence you need to override their locations as in this example:
./install_gpg_all.sh \
  --suite-version latest \
  --configure-opts "\
    --prefix=/opt/gpg \
    --with-libgpg-error-prefix=/opt/gpg \
    --with-libassuan-prefix=/opt/gpg \
    --with-libgcrypt-prefix=/opt/gpg \
    --with-ksba-prefix=/opt/gpg \
    --with-npth-prefix=/opt/gpg"
You may see a bunch of warnings, as some of these options are relevant only to a few components, but that won’t break your build.
The GnuPG team provides PGP signatures of released tarballs, which can be used to verify the authenticity of these tarballs. Note that using this feature requires that another installation of GnuPG is available in advance.
To do so, the public keys of the GnuPG team must first be imported. The easiest way is to fetch them from a keyserver, for example from keyserver.ubuntu.com:
gpg \
--keyserver hkp://keyserver.ubuntu.com:80 \
--recv-keys AAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBB CCCCCCCCCCCCCCCCCC
You should obtain key IDs from the GnuPG home page rather than trust me, therefore the above snippet contains only placeholders. A key ID is the last sixteen hexadecimal digits of the key's fingerprint.
Alternatively, you may write the whole ASCII-armored public key block, which is printed near the bottom of the aforementioned page, into a file, and then import it. Given that you have saved the key block to a file GPG_KEYS.gpg, the following imports it:
gpg --import GPG_KEYS.gpg
Keys are now imported but not trusted yet. That is enough for signature verification, though warnings will be printed. To enable verification, use the --verify option, for example:
./install_gpg_all.sh \
--suite-version latest \
--verify
Tip: If you want to learn how to exchange and trust keys, head to GNU Privacy Handbook.
Tip: For more information about checking integrity of GnuPG release tarballs, head to GnuPG home page.
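As an added example (not part of these scripts, and not a description of what --verify does internally), the shell functions below accept a signature only when gpg's machine-readable status output names a primary key whose full fingerprint you have pinned, instead of relying on a sixteen-digit key ID. The fingerprints and status lines are constructed samples, and key_id_of, signer_is_pinned and PINNED_FPRS are hypothetical names.

```shell
#!/bin/sh
# Added example. Fingerprints and status lines are constructed samples,
# not real GnuPG release keys.

# Full fingerprints you pinned, space-separated (hypothetical values here;
# take the real ones from the GnuPG home page).
PINNED_FPRS='0123456789ABCDEF0123456789ABCDEF01234567 89ABCDEF0123456789ABCDEF0123456789ABCDEF'

# Key ID = last sixteen hexadecimal digits of the fingerprint.
key_id_of() {
    printf '%s\n' "$1" | sed 's/.*\(.\{16\}\)$/\1/'
}

# Reads machine-readable status lines on stdin, as produced by:
#   gpg --status-fd 1 --verify FILE.sig FILE 2>/dev/null
# Succeeds only if some VALIDSIG line names a pinned primary key.
# In a VALIDSIG line, field 3 is the signing (sub)key fingerprint and
# field 12, when present, is the primary key fingerprint.
signer_is_pinned() {
    awk -v pinned="$PINNED_FPRS" '
        BEGIN { n = split(pinned, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            primary = (NF >= 12) ? $12 : $3
            if (primary in ok) found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed status output: valid signature from a pinned key. The key is
# imported but not trusted, hence TRUST_UNDEFINED; VALIDSIG is still emitted.
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer (constructed)
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 22 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed status output: cryptographically valid, but from a key that
# is in the keyring without being one of the pinned release keys.
OTHER_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else (constructed)
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-01-01 1704067200 0 4 0 22 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp'

if printf '%s\n' "$GOOD_STATUS" | signer_is_pinned; then echo "pinned signer: accept"; fi
if ! printf '%s\n' "$OTHER_STATUS" | signer_is_pinned; then echo "unknown signer: reject"; fi
```

A bad or missing signature produces no VALIDSIG line, so the check fails closed in those cases as well.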
The scripts have been designed to work in GitHub Actions. Use the following listing as an example of .github/workflows/my_workflow.yml:
name: My workflow
on:
  pull_request:
  push:
    branches:
      - master
      - 'release/**'
env:
  GPG_BUILD_DIR: "$GITHUB_WORKSPACE/build_gpg"
  GPG_CONFIGURE_OPTS: >
    --disable-doc --enable-pinentry-curses
    --disable-pinentry-emacs --disable-pinentry-gtk2 --disable-pinentry-gnome3
    --disable-pinentry-qt --disable-pinentry-qt4 --disable-pinentry-qt5
    --disable-pinentry-tqt --disable-pinentry-fltk
jobs:
  build:
    runs-on: ubuntu-latest
    if: "!contains(github.event.head_commit.message, 'skip ci')"
    container:
      image: centos:8
    strategy:
      matrix:
        env:
          - GPG_VERSION: "latest"
          - GPG_VERSION: "2.1"
    env: ${{ matrix.env }}
    steps:
      - name: Set up build environment
        run: |
          dnf -y -q update
          dnf -y -q install --skip-broken \
            git \
            clang gcc gcc-c++ make autoconf automake libtool byacc bison \
            bzip2 gzip ncurses-devel bzip2-devel zlib-devel gettext-devel \
            patch \
            texinfo \
            file \
            which
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - name: Build GPG
        run: >
          ./install_gpg_all.sh
          --suite-version "$GPG_VERSION"
          --build-dir "$GPG_BUILD_DIR"
          --configure-opts "$GPG_CONFIGURE_OPTS"
GPGME is not installed by the install_gpg_all.sh script, however it can be installed with install_gpg_component.sh like every other component. For example:
./install_gpg_all.sh \
--suite-version latest
./install_gpg_component.sh \
--component-name gpgme \
--component-version latest
Note: GPGME requires libgpg-error and libassuan to compile. Also, other components of GnuPG suite are typically needed in order to actually use GPGME.
The MIT License (MIT)
Copyright (c) 2018 - 2021 Ribose Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.