README.adoc

File metadata and controls

347 lines (274 loc) · 15.1 KB

GPG Build Scripts

A set of build scripts for GNU Privacy Guard.

Build status per OS and GPG version (each cell is a CI status badge):

OS \ GPG version | 2.1, 2.2      | latest                 | head
-----------------+---------------+------------------------+----------------------
Fedora 33        | Fedora 33     | Fedora 33 (latest)     | Fedora 33 (head)
CentOS 8         | CentOS 8      | CentOS 8 (latest)      | CentOS 8 (head)
CentOS 7         | CentOS 7      | CentOS 7 (latest)      | CentOS 7 (head)
Ubuntu 20.04     | Ubuntu 20.04  | Ubuntu 20.04 (latest)  | Ubuntu 20.04 (head)
Ubuntu 18.04     | Ubuntu 18.04  | Ubuntu 18.04 (latest)  | Ubuntu 18.04 (head)
Ubuntu 16.04     | Ubuntu 16.04  | Ubuntu 16.04 (latest)  | Ubuntu 16.04 (head)
Ubuntu 14.04     | Ubuntu 14.04  | Ubuntu 14.04 (latest)  | Ubuntu 14.04 (head)
macOS 11.0       | macOS 11.0    | macOS 11.0 (latest)    | macOS 11.0 (head)
macOS 10.15      | macOS 10.15   | macOS 10.15 (latest)   | macOS 10.15 (head)
Docker           |               |                        |

Prerequisites

The build should succeed on any Linux distribution and on similar systems. The usual GNU build tools are required. For Ubuntu, the following packages should be enough: libgnutls28-dev, bzip2, make, gettext, texinfo, gnutls-bin, build-essential, g++. (List taken from this comment: https://gist.github.com/mattrude/3883a3801613b048d45b#gistcomment-2378027.)

When building from Git, additional software is needed, in particular Git, Automake, and a recent version of Gettext. Note that the Gettext available in Ubuntu Trusty is too old for this purpose; this must be taken into account when building from Git in a CI environment.

Scripts

Tip
Most likely you’ll want to run install_gpg_all.sh, however install_gpg_component.sh gives greater flexibility. Oh, and check out the examples subdirectory.

install_gpg_component.sh

Builds and installs a specific component of GnuPG. The source code is obtained either from released tarballs or from the Git repository.

When building stable releases from tarballs, two options are mandatory:

  • --component-name, which specifies a component name

  • --component-version, which specifies the component version (can be latest)

Example: building the most recent release of Pinentry.

./install_gpg_component.sh \
  --component-name pinentry \
  --component-version latest

Example: building Pinentry version 1.1.0.

./install_gpg_component.sh \
  --component-name pinentry \
  --component-version 1.1.0

When building from the Git repository, two options are mandatory:

  • --component-name, which specifies a component name

  • --component-git-ref, which specifies a Git branch or tag (commonly master)

Example: building Pinentry from Git as of the current master.

./install_gpg_component.sh \
  --component-name pinentry \
  --component-git-ref master

For a complete list of available options, run the script with the --help option:

Example: printing the script help.

./install_gpg_component.sh --help

install_gpg_all.sh

Builds and installs all components of GnuPG (but not GPGME, which must be installed separately via install_gpg_component.sh if desired).

The --suite-version parameter selects the combination of component versions. Supported values are 2.1, 2.2, latest, and master, which are defined as follows:

Tip
Prefer latest over explicit versioning.

Any other arguments are passed through to install_gpg_component.sh, which install_gpg_all.sh invokes once for every component. For example, the following snippet installs the latest GnuPG without documentation (--configure-opts "--disable-doc" is passed to each component install invocation):

./install_gpg_all.sh \
  --suite-version latest \
  --configure-opts "--disable-doc"

Tips & tricks

Passing options to ./configure script

The --configure-opts option passes options through to the components' ./configure scripts. For example:

./install_gpg_component.sh \
  --component-name pinentry \
  --component-version latest \
  --configure-opts "--enable-pinentry-qt --enable-pinentry-curses"

Setting a custom installation prefix is not that straightforward. Each ./configure script assumes that all the dependencies are installed under /usr/lib, hence you need to override their locations as well, as in this example:

./install_gpg_all.sh \
  --suite-version latest \
  --configure-opts "\
    --prefix=/opt/gpg \
    --with-libgpg-error-prefix=/opt/gpg \
    --with-libgcrypt-prefix=/opt/gpg \
    --with-libassuan-prefix=/opt/gpg \
    --with-ksba-prefix=/opt/gpg \
    --with-npth-prefix=/opt/gpg"

You may see a bunch of warnings, as some of these options are relevant only to a few components, but that won't break your build.

Verifying authenticity of tarballs

The GnuPG team provides PGP signatures for released tarballs, which can be used to verify the authenticity of those tarballs. Note that using this feature requires that a working GnuPG installation is already available.

To do so, first import the public keys of the GnuPG team. The easiest way is to fetch them from a keyserver, for example keyserver.ubuntu.com:

gpg \
  --keyserver hkp://keyserver.ubuntu.com:80 \
  --recv-keys AAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBB CCCCCCCCCCCCCCCCCC

Obtain the key IDs from the GnuPG home page rather than trusting this document; that is why the snippet above contains only placeholders. A key ID is the last sixteen hexadecimal digits of the key's fingerprint, so after importing, compare the full fingerprints shown by gpg against those published on the home page.

Alternatively, you may save the whole ASCII-armored public key block, which is printed near the bottom of the aforementioned page, into a file and then import it. Given that you have saved the key block to a file GPG_KEYS.gpg, the following imports it:

gpg --import GPG_KEYS.gpg

The keys are now imported but not yet trusted. That is enough for signature verification, though warnings will be printed. To enable tarball verification in the build scripts, use the --verify option, for example:

./install_gpg_all.sh \
  --suite-version latest \
  --verify

Tip
If you want to learn how to exchange and trust keys, head to the GNU Privacy Handbook.

Tip
For more information about checking the integrity of GnuPG release tarballs, head to the GnuPG home page.
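Because an imported-but-untrusted key still produces a signature that gpg reports as valid (exit status 0 plus a warning), the check that actually ties a tarball to the GnuPG team is comparing the signing key's fingerprint against the published one. The following POSIX sh snippet is an added example, not part of the gpg-build-scripts project: verify_tarball() verifies a detached signature via gpg's machine-readable status output and pins the signer's primary fingerprint, and demo_selftest() exercises it offline with a throwaway key and constructed data (the tarball name, user ID and temp paths are assumed for the demo).

```shell
#!/bin/sh
# Added example, not part of the gpg-build-scripts project: verify a release
# tarball's detached PGP signature and pin the signer to a known fingerprint.
# An imported-but-untrusted key still yields a VALIDSIG (gpg exits 0 and only
# warns), so the fingerprint comparison is what rejects "some other key".
set -eu

# verify_tarball TARBALL SIGFILE EXPECTED_FPR [GNUPGHOME]
# Succeeds only if gpg reports VALIDSIG and the signing key's primary
# fingerprint (40 hex digits, no spaces) equals EXPECTED_FPR.
verify_tarball() {
  tarball=$1; sig=$2; want=$3; home=${4:-${GNUPGHOME:-$HOME/.gnupg}}
  status=$(GNUPGHOME="$home" gpg --batch --status-fd 1 \
             --verify "$sig" "$tarball" 2>/dev/null) || return 1
  # Status line: "[GNUPG:] VALIDSIG <sig-key-fpr> <date> ... <primary-key-fpr>"
  got=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}')
  [ -n "$got" ] && [ "$got" = "$want" ]
}

# Self-test with a throwaway key and constructed data (no network): a good
# signature must pass, a wrong pinned fingerprint must fail, and a tampered
# tarball must fail. Returns 0 only when all three hold.
demo_selftest() {
  d=$(mktemp -d); home="$d/gnupghome"; mkdir -m 700 "$home"
  GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Throwaway <throwaway@example.invalid>' ed25519 sign never 2>/dev/null
  fpr=$(GNUPGHOME="$home" gpg --batch --with-colons --list-keys 2>/dev/null |
        awk -F: '$1=="fpr"{print $10; exit}')
  tar="$d/gnupg-0.0.0.tar.bz2"   # constructed stand-in, not a real tarball
  printf 'constructed sample tarball contents\n' >"$tar"
  GNUPGHOME="$home" gpg --batch --yes --detach-sign -o "$tar.sig" "$tar" 2>/dev/null
  cp "$tar" "$tar.tampered"; printf 'x' >>"$tar.tampered"
  ok=0
  verify_tarball "$tar" "$tar.sig" "$fpr" "$home" &&
    ! verify_tarball "$tar" "$tar.sig" 0000000000000000000000000000000000000000 "$home" &&
    ! verify_tarball "$tar.tampered" "$tar.sig" "$fpr" "$home" &&
    ok=1
  GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$d"
  [ "$ok" = 1 ]
}

# Real use, after importing the GnuPG team's keys as described above:
#   verify_tarball gnupg-X.Y.Z.tar.bz2 gnupg-X.Y.Z.tar.bz2.sig <EXPECTED_40_HEX_FPR>
```

Run demo_selftest to confirm the three cases behave as described on your gpg version; the expected fingerprint for real releases must come from the GnuPG home page, not from a keyserver response.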

Using with CI

GitHub Action

The scripts have been designed to work in GitHub Actions. Use the following listing as an example of .github/workflows/my_workflow.yml:

name: My workflow

on:
  pull_request:
  push:
    branches:
      - master
      - 'release/**'

env:
  GPG_BUILD_DIR: "$GITHUB_WORKSPACE/build_gpg"
  GPG_CONFIGURE_OPTS: >
      --disable-doc --enable-pinentry-curses
      --disable-pinentry-emacs --disable-pinentry-gtk2 --disable-pinentry-gnome3
      --disable-pinentry-qt --disable-pinentry-qt4 --disable-pinentry-qt5
      --disable-pinentry-tqt --disable-pinentry-fltk

jobs:
  build:
    runs-on: ubuntu-latest
    if: "!contains(github.event.head_commit.message, 'skip ci')"
    container:
      image: centos:8
    strategy:
      matrix:
        env:
          - GPG_VERSION: "latest"
          - GPG_VERSION: "2.1"
    env: ${{ matrix.env }}
    steps:
      - name: Set up build environment
        run: |
          dnf -y -q update
          dnf -y -q install --skip-broken \
            git \
            clang gcc gcc-c++ make autoconf automake libtool byacc bison \
            bzip2 gzip ncurses-devel bzip2-devel zlib-devel gettext-devel \
            patch \
            texinfo \
            file \
            which
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - name: Build GPG
        run: >
          ./install_gpg_all.sh
          --suite-version "$GPG_VERSION"
          --build-dir "$GPG_BUILD_DIR"
          --configure-opts "$GPG_CONFIGURE_OPTS"

Installing GnuPG Made Easy (GPGME)

GPGME is not installed by the install_gpg_all.sh script; however, it can be installed with install_gpg_component.sh like every other component.

For example:

./install_gpg_all.sh \
  --suite-version latest

./install_gpg_component.sh \
  --component-name gpgme \
  --component-version latest

Note
GPGME requires libgpg-error and libassuan to compile. Also, the other components of the GnuPG suite are typically needed in order to actually use GPGME.

License

The MIT License (MIT)

Copyright (c) 2018 - 2021 Ribose Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.