[OE-core][scarthgap][PATCH] gnupg: upgrade 2.4.8 -> 2.4.9

[OE-core][scarthgap][PATCH] gnupg: upgrade 2.4.8 -> 2.4.9

[Peter Marko]

From: Peter Marko <peter.marko@siemens.com>

Handles CVE-2025-68973.

Refresh patches.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/recipes-support/gnupg/gnupg/relocate.patch    | 14 +++++++-------
 .../gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb}       |  2 +-
 2 files changed, 8 insertions(+), 8 deletions(-)
 rename meta/recipes-support/gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb} (97%)

diff --git a/meta/recipes-support/gnupg/gnupg/relocate.patch b/meta/recipes-support/gnupg/gnupg/relocate.patch
index ea0252026aa..655dd3d0ce1 100644
--- a/meta/recipes-support/gnupg/gnupg/relocate.patch
+++ b/meta/recipes-support/gnupg/gnupg/relocate.patch
@@ -17,7 +17,7 @@ diff --git a/common/homedir.c b/common/homedir.c
 index 6f99f3e..f22aa9e 100644
 --- a/common/homedir.c
 +++ b/common/homedir.c
-@@ -1284,7 +1284,7 @@ gnupg_socketdir (void)
+@@ -1294,7 +1294,7 @@ gnupg_socketdir (void)
    if (!name)
      {
        unsigned int dummy;
@@ -26,7 +26,7 @@ index 6f99f3e..f22aa9e 100644
        gpgrt_annotate_leaked_object (name);
      }
  
-@@ -1316,7 +1316,7 @@ gnupg_sysconfdir (void)
+@@ -1326,7 +1326,7 @@ gnupg_sysconfdir (void)
    if (dir)
      return dir;
    else
@@ -35,7 +35,7 @@ index 6f99f3e..f22aa9e 100644
  #endif /*!HAVE_W32_SYSTEM*/
  }
  
-@@ -1352,7 +1352,7 @@ gnupg_bindir (void)
+@@ -1362,7 +1362,7 @@ gnupg_bindir (void)
        return name;
      }
    else
@@ -44,7 +44,7 @@ index 6f99f3e..f22aa9e 100644
  #endif /*!HAVE_W32_SYSTEM*/
  }
  
-@@ -1379,7 +1379,7 @@ gnupg_libexecdir (void)
+@@ -1389,7 +1389,7 @@ gnupg_libexecdir (void)
        return name;
      }
    else
@@ -53,7 +53,7 @@ index 6f99f3e..f22aa9e 100644
  #endif /*!HAVE_W32_SYSTEM*/
  }
  
-@@ -1409,7 +1409,7 @@ gnupg_libdir (void)
+@@ -1419,7 +1419,7 @@ gnupg_libdir (void)
        return name;
      }
    else
@@ -62,7 +62,7 @@ index 6f99f3e..f22aa9e 100644
  #endif /*!HAVE_W32_SYSTEM*/
  }
  
-@@ -1440,7 +1440,7 @@ gnupg_datadir (void)
+@@ -1450,7 +1450,7 @@ gnupg_datadir (void)
        return name;
      }
    else
@@ -71,7 +71,7 @@ index 6f99f3e..f22aa9e 100644
  #endif /*!HAVE_W32_SYSTEM*/
  }
  
-@@ -1472,7 +1472,7 @@ gnupg_localedir (void)
+@@ -1482,7 +1482,7 @@ gnupg_localedir (void)
        return name;
      }
    else
diff --git a/meta/recipes-support/gnupg/gnupg_2.4.8.bb b/meta/recipes-support/gnupg/gnupg_2.4.9.bb
similarity index 97%
rename from meta/recipes-support/gnupg/gnupg_2.4.8.bb
rename to meta/recipes-support/gnupg/gnupg_2.4.9.bb
index a6e777abf89..4f60a4e7b28 100644
--- a/meta/recipes-support/gnupg/gnupg_2.4.8.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.4.9.bb
@@ -23,7 +23,7 @@ SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for-
                                 file://relocate.patch"
 SRC_URI:append:class-nativesdk = " file://relocate.patch"
 
-SRC_URI[sha256sum] = "b58c80d79b04d3243ff49c1c3fc6b5f83138eb3784689563bcdd060595318616"
+SRC_URI[sha256sum] = "dd17ab2e9a04fd79d39d853f599cbc852062ddb9ab52a4ddeb4176fd8b302964"
 
 EXTRA_OECONF = "--disable-ldap \
 		--disable-ccid-driver \

[OE-core][scarthgap][patch] gnupg: upgrade 2.4.8 -> 2.4.9

[Vijay Anusuri]

This release includes fix for CVE-2025-68973

Changelog:
==========
* gpg: Fix possible memory corruption in the armor parser.  [T7906]

* gpg: Avoid potential downgrade to SHA1 in 3rd party key
  signatures.  [rGddb012be7f]

* gpg: Error out on unverified output for non-detached signatures.
  [rG9d302f978b]

* gpg: Do not allow compressed key packets on import.  [T7014]

* scd: Fix a harmless read buffer over-read in a function used by
  PKCS#15 cards.  [T7662]

* dirmngr: Do not require a keyserver for "gpg --fetch-key".
  [T7693]

* agent: Fix ssh-agent's request_identities for skipped Brainpool
  keys.  [rG6bf5696c85]

Release-info: https://dev.gnupg.org/T8001

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 meta/recipes-support/gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-support/gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb} (97%)

diff --git a/meta/recipes-support/gnupg/gnupg_2.4.8.bb b/meta/recipes-support/gnupg/gnupg_2.4.9.bb
similarity index 97%
rename from meta/recipes-support/gnupg/gnupg_2.4.8.bb
rename to meta/recipes-support/gnupg/gnupg_2.4.9.bb
index a6e777abf8..4f60a4e7b2 100644
--- a/meta/recipes-support/gnupg/gnupg_2.4.8.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.4.9.bb
@@ -23,7 +23,7 @@ SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for-
                                 file://relocate.patch"
 SRC_URI:append:class-nativesdk = " file://relocate.patch"
 
-SRC_URI[sha256sum] = "b58c80d79b04d3243ff49c1c3fc6b5f83138eb3784689563bcdd060595318616"
+SRC_URI[sha256sum] = "dd17ab2e9a04fd79d39d853f599cbc852062ddb9ab52a4ddeb4176fd8b302964"
 
 EXTRA_OECONF = "--disable-ldap \
 		--disable-ccid-driver \
-- 
2.43.0

RE: [OE-core][scarthgap][patch] gnupg: upgrade 2.4.8 -> 2.4.9

[Marko, Peter]

Sent already 2 days ago...
https://lists.openembedded.org/g/openembedded-core/message/229168

Peter

-----Original Message-----
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Vijay Anusuri via lists.openembedded.org
Sent: Monday, January 12, 2026 8:15
To: openembedded-core@lists.openembedded.org
Cc: Vijay Anusuri <vanusuri@mvista.com>
Subject: [OE-core][scarthgap][patch] gnupg: upgrade 2.4.8 -> 2.4.9

This release includes fix for CVE-2025-68973

Changelog:
==========
* gpg: Fix possible memory corruption in the armor parser.  [T7906]

* gpg: Avoid potential downgrade to SHA1 in 3rd party key
  signatures.  [rGddb012be7f]

* gpg: Error out on unverified output for non-detached signatures.
  [rG9d302f978b]

* gpg: Do not allow compressed key packets on import.  [T7014]

* scd: Fix a harmless read buffer over-read in a function used by
  PKCS#15 cards.  [T7662]

* dirmngr: Do not require a keyserver for "gpg --fetch-key".
  [T7693]

* agent: Fix ssh-agent's request_identities for skipped Brainpool
  keys.  [rG6bf5696c85]

Release-info: https://dev.gnupg.org/T8001

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 meta/recipes-support/gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-support/gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb} (97%)

diff --git a/meta/recipes-support/gnupg/gnupg_2.4.8.bb b/meta/recipes-support/gnupg/gnupg_2.4.9.bb
similarity index 97%
rename from meta/recipes-support/gnupg/gnupg_2.4.8.bb
rename to meta/recipes-support/gnupg/gnupg_2.4.9.bb
index a6e777abf8..4f60a4e7b2 100644
--- a/meta/recipes-support/gnupg/gnupg_2.4.8.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.4.9.bb
@@ -23,7 +23,7 @@ SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for-
                                 file://relocate.patch"
 SRC_URI:append:class-nativesdk = " file://relocate.patch"
 
-SRC_URI[sha256sum] = "b58c80d79b04d3243ff49c1c3fc6b5f83138eb3784689563bcdd060595318616"
+SRC_URI[sha256sum] = "dd17ab2e9a04fd79d39d853f599cbc852062ddb9ab52a4ddeb4176fd8b302964"
 
 EXTRA_OECONF = "--disable-ldap \
 		--disable-ccid-driver \
-- 
2.43.0

Re: [OE-core][scarthgap][patch] gnupg: upgrade 2.4.8 -> 2.4.9

[Vijay Anusuri]

[-- Attachment #1: Type: text/plain, Size: 2664 bytes --]

Hi Peter,

Thanks for letting me know. Sorry, I missed your earlier patch — I see it
now.

Steve,

Please ignore my patch.

Thanks & Regards,
Vijay

On Mon, Jan 12, 2026 at 12:47 PM Marko, Peter <Peter.Marko@siemens.com>
wrote:

> Sent already 2 days ago...
> https://lists.openembedded.org/g/openembedded-core/message/229168
>
> Peter
>
> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <
> openembedded-core@lists.openembedded.org> On Behalf Of Vijay Anusuri via
> lists.openembedded.org
> Sent: Monday, January 12, 2026 8:15
> To: openembedded-core@lists.openembedded.org
> Cc: Vijay Anusuri <vanusuri@mvista.com>
> Subject: [OE-core][scarthgap][patch] gnupg: upgrade 2.4.8 -> 2.4.9
>
> This release includes fix for CVE-2025-68973
>
> Changelog:
> ==========
> * gpg: Fix possible memory corruption in the armor parser.  [T7906]
>
> * gpg: Avoid potential downgrade to SHA1 in 3rd party key
>   signatures.  [rGddb012be7f]
>
> * gpg: Error out on unverified output for non-detached signatures.
>   [rG9d302f978b]
>
> * gpg: Do not allow compressed key packets on import.  [T7014]
>
> * scd: Fix a harmless read buffer over-read in a function used by
>   PKCS#15 cards.  [T7662]
>
> * dirmngr: Do not require a keyserver for "gpg --fetch-key".
>   [T7693]
>
> * agent: Fix ssh-agent's request_identities for skipped Brainpool
>   keys.  [rG6bf5696c85]
>
> Release-info: https://dev.gnupg.org/T8001
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
>  meta/recipes-support/gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb} | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>  rename meta/recipes-support/gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb}
> (97%)
>
> diff --git a/meta/recipes-support/gnupg/gnupg_2.4.8.bb
> b/meta/recipes-support/gnupg/gnupg_2.4.9.bb
> similarity index 97%
> rename from meta/recipes-support/gnupg/gnupg_2.4.8.bb
> rename to meta/recipes-support/gnupg/gnupg_2.4.9.bb
> index a6e777abf8..4f60a4e7b2 100644
> --- a/meta/recipes-support/gnupg/gnupg_2.4.8.bb
> +++ b/meta/recipes-support/gnupg/gnupg_2.4.9.bb
> @@ -23,7 +23,7 @@ SRC_URI:append:class-native = "
> file://0001-configure.ac-use-a-custom-value-for-
>                                  file://relocate.patch"
>  SRC_URI:append:class-nativesdk = " file://relocate.patch"
>
> -SRC_URI[sha256sum] =
> "b58c80d79b04d3243ff49c1c3fc6b5f83138eb3784689563bcdd060595318616"
> +SRC_URI[sha256sum] =
> "dd17ab2e9a04fd79d39d853f599cbc852062ddb9ab52a4ddeb4176fd8b302964"
>
>  EXTRA_OECONF = "--disable-ldap \
>                 --disable-ccid-driver \
> --
> 2.43.0
>
>

[-- Attachment #2: Type: text/html, Size: 4597 bytes --]

Re: [OE-core][scarthgap][patch] gnupg: upgrade 2.4.8 -> 2.4.9

[Yoann Congal]

[-- Attachment #1: Type: text/plain, Size: 3475 bytes --]

Hi,

Le lun. 12 janv. 2026 à 08:30, Vijay Anusuri via lists.openembedded.org
<vanusuri=mvista.com@lists.openembedded.org> a écrit :

> Hi Peter,
>
> Thanks for letting me know. Sorry, I missed your earlier patch — I see it
> now.
>
> Steve,
>

FYI, I took over Steve's role as Stable/LTS maintainer


> Please ignore my patch.
>

Will do! :-)

Thanks!


> Thanks & Regards,
> Vijay
>
> On Mon, Jan 12, 2026 at 12:47 PM Marko, Peter <Peter.Marko@siemens.com>
> wrote:
>
>> Sent already 2 days ago...
>> https://lists.openembedded.org/g/openembedded-core/message/229168
>>
>> Peter
>>
>> -----Original Message-----
>> From: openembedded-core@lists.openembedded.org <
>> openembedded-core@lists.openembedded.org> On Behalf Of Vijay Anusuri via
>> lists.openembedded.org
>> Sent: Monday, January 12, 2026 8:15
>> To: openembedded-core@lists.openembedded.org
>> Cc: Vijay Anusuri <vanusuri@mvista.com>
>> Subject: [OE-core][scarthgap][patch] gnupg: upgrade 2.4.8 -> 2.4.9
>>
>> This release includes fix for CVE-2025-68973
>>
>> Changelog:
>> ==========
>> * gpg: Fix possible memory corruption in the armor parser.  [T7906]
>>
>> * gpg: Avoid potential downgrade to SHA1 in 3rd party key
>>   signatures.  [rGddb012be7f]
>>
>> * gpg: Error out on unverified output for non-detached signatures.
>>   [rG9d302f978b]
>>
>> * gpg: Do not allow compressed key packets on import.  [T7014]
>>
>> * scd: Fix a harmless read buffer over-read in a function used by
>>   PKCS#15 cards.  [T7662]
>>
>> * dirmngr: Do not require a keyserver for "gpg --fetch-key".
>>   [T7693]
>>
>> * agent: Fix ssh-agent's request_identities for skipped Brainpool
>>   keys.  [rG6bf5696c85]
>>
>> Release-info: https://dev.gnupg.org/T8001
>>
>> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
>> ---
>>  meta/recipes-support/gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb} | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>  rename meta/recipes-support/gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb}
>> (97%)
>>
>> diff --git a/meta/recipes-support/gnupg/gnupg_2.4.8.bb
>> b/meta/recipes-support/gnupg/gnupg_2.4.9.bb
>> similarity index 97%
>> rename from meta/recipes-support/gnupg/gnupg_2.4.8.bb
>> rename to meta/recipes-support/gnupg/gnupg_2.4.9.bb
>> index a6e777abf8..4f60a4e7b2 100644
>> --- a/meta/recipes-support/gnupg/gnupg_2.4.8.bb
>> +++ b/meta/recipes-support/gnupg/gnupg_2.4.9.bb
>> @@ -23,7 +23,7 @@ SRC_URI:append:class-native = "
>> file://0001-configure.ac-use-a-custom-value-for-
>>                                  file://relocate.patch"
>>  SRC_URI:append:class-nativesdk = " file://relocate.patch"
>>
>> -SRC_URI[sha256sum] =
>> "b58c80d79b04d3243ff49c1c3fc6b5f83138eb3784689563bcdd060595318616"
>> +SRC_URI[sha256sum] =
>> "dd17ab2e9a04fd79d39d853f599cbc852062ddb9ab52a4ddeb4176fd8b302964"
>>
>>  EXTRA_OECONF = "--disable-ldap \
>>                 --disable-ccid-driver \
>> --
>> 2.43.0
>>
>>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#229186):
> https://lists.openembedded.org/g/openembedded-core/message/229186
> Mute This Topic: https://lists.openembedded.org/mt/117220079/4316185
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> yoann.congal@smile.fr]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>

-- 
Yoann Congal
Smile ECS

[-- Attachment #2: Type: text/html, Size: 6758 bytes --]

RE: [OE-core][scarthgap][PATCH] gnupg: upgrade 2.4.8 -> 2.4.9

[Marko, Peter]

Gentle ping

> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-
> core@lists.openembedded.org> On Behalf Of Peter Marko via
> lists.openembedded.org
> Sent: Saturday, January 10, 2026 23:45
> To: openembedded-core@lists.openembedded.org
> Cc: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Subject: [OE-core][scarthgap][PATCH] gnupg: upgrade 2.4.8 -> 2.4.9
> 
> From: Peter Marko <peter.marko@siemens.com>
> 
> Handles CVE-2025-68973.
> 
> Refresh patches.
> 
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
>  meta/recipes-support/gnupg/gnupg/relocate.patch    | 14 +++++++-------
>  .../gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb}       |  2 +-
>  2 files changed, 8 insertions(+), 8 deletions(-)
>  rename meta/recipes-support/gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb} (97%)
> 
> diff --git a/meta/recipes-support/gnupg/gnupg/relocate.patch b/meta/recipes-
> support/gnupg/gnupg/relocate.patch
> index ea0252026aa..655dd3d0ce1 100644
> --- a/meta/recipes-support/gnupg/gnupg/relocate.patch
> +++ b/meta/recipes-support/gnupg/gnupg/relocate.patch
> @@ -17,7 +17,7 @@ diff --git a/common/homedir.c b/common/homedir.c
>  index 6f99f3e..f22aa9e 100644
>  --- a/common/homedir.c
>  +++ b/common/homedir.c
> -@@ -1284,7 +1284,7 @@ gnupg_socketdir (void)
> +@@ -1294,7 +1294,7 @@ gnupg_socketdir (void)
>     if (!name)
>       {
>         unsigned int dummy;
> @@ -26,7 +26,7 @@ index 6f99f3e..f22aa9e 100644
>         gpgrt_annotate_leaked_object (name);
>       }
> 
> -@@ -1316,7 +1316,7 @@ gnupg_sysconfdir (void)
> +@@ -1326,7 +1326,7 @@ gnupg_sysconfdir (void)
>     if (dir)
>       return dir;
>     else
> @@ -35,7 +35,7 @@ index 6f99f3e..f22aa9e 100644
>   #endif /*!HAVE_W32_SYSTEM*/
>   }
> 
> -@@ -1352,7 +1352,7 @@ gnupg_bindir (void)
> +@@ -1362,7 +1362,7 @@ gnupg_bindir (void)
>         return name;
>       }
>     else
> @@ -44,7 +44,7 @@ index 6f99f3e..f22aa9e 100644
>   #endif /*!HAVE_W32_SYSTEM*/
>   }
> 
> -@@ -1379,7 +1379,7 @@ gnupg_libexecdir (void)
> +@@ -1389,7 +1389,7 @@ gnupg_libexecdir (void)
>         return name;
>       }
>     else
> @@ -53,7 +53,7 @@ index 6f99f3e..f22aa9e 100644
>   #endif /*!HAVE_W32_SYSTEM*/
>   }
> 
> -@@ -1409,7 +1409,7 @@ gnupg_libdir (void)
> +@@ -1419,7 +1419,7 @@ gnupg_libdir (void)
>         return name;
>       }
>     else
> @@ -62,7 +62,7 @@ index 6f99f3e..f22aa9e 100644
>   #endif /*!HAVE_W32_SYSTEM*/
>   }
> 
> -@@ -1440,7 +1440,7 @@ gnupg_datadir (void)
> +@@ -1450,7 +1450,7 @@ gnupg_datadir (void)
>         return name;
>       }
>     else
> @@ -71,7 +71,7 @@ index 6f99f3e..f22aa9e 100644
>   #endif /*!HAVE_W32_SYSTEM*/
>   }
> 
> -@@ -1472,7 +1472,7 @@ gnupg_localedir (void)
> +@@ -1482,7 +1482,7 @@ gnupg_localedir (void)
>         return name;
>       }
>     else
> diff --git a/meta/recipes-support/gnupg/gnupg_2.4.8.bb b/meta/recipes-
> support/gnupg/gnupg_2.4.9.bb
> similarity index 97%
> rename from meta/recipes-support/gnupg/gnupg_2.4.8.bb
> rename to meta/recipes-support/gnupg/gnupg_2.4.9.bb
> index a6e777abf89..4f60a4e7b28 100644
> --- a/meta/recipes-support/gnupg/gnupg_2.4.8.bb
> +++ b/meta/recipes-support/gnupg/gnupg_2.4.9.bb
> @@ -23,7 +23,7 @@ SRC_URI:append:class-native = " file://0001-configure.ac-
> use-a-custom-value-for-
>                                  file://relocate.patch"
>  SRC_URI:append:class-nativesdk = " file://relocate.patch"
> 
> -SRC_URI[sha256sum] =
> "b58c80d79b04d3243ff49c1c3fc6b5f83138eb3784689563bcdd060595318616"
> +SRC_URI[sha256sum] =
> "dd17ab2e9a04fd79d39d853f599cbc852062ddb9ab52a4ddeb4176fd8b302964"
> 
>  EXTRA_OECONF = "--disable-ldap \
>  		--disable-ccid-driver \

Re: [OE-core][scarthgap][PATCH] gnupg: upgrade 2.4.8 -> 2.4.9

[Yoann Congal]

[-- Attachment #1: Type: text/plain, Size: 4220 bytes --]

Le mer. 4 févr. 2026 à 08:20, Marko, Peter <Peter.Marko@siemens.com> a
écrit :

> Gentle ping
>

Thanks, I had missed it,
I've now added it to the series under test/review.


> > -----Original Message-----
> > From: openembedded-core@lists.openembedded.org <openembedded-
> > core@lists.openembedded.org> On Behalf Of Peter Marko via
> > lists.openembedded.org
> > Sent: Saturday, January 10, 2026 23:45
> > To: openembedded-core@lists.openembedded.org
> > Cc: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> > Subject: [OE-core][scarthgap][PATCH] gnupg: upgrade 2.4.8 -> 2.4.9
> >
> > From: Peter Marko <peter.marko@siemens.com>
> >
> > Handles CVE-2025-68973.
> >
> > Refresh patches.
> >
> > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > ---
> >  meta/recipes-support/gnupg/gnupg/relocate.patch    | 14 +++++++-------
> >  .../gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb}       |  2 +-
> >  2 files changed, 8 insertions(+), 8 deletions(-)
> >  rename meta/recipes-support/gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb}
> (97%)
> >
> > diff --git a/meta/recipes-support/gnupg/gnupg/relocate.patch
> b/meta/recipes-
> > support/gnupg/gnupg/relocate.patch
> > index ea0252026aa..655dd3d0ce1 100644
> > --- a/meta/recipes-support/gnupg/gnupg/relocate.patch
> > +++ b/meta/recipes-support/gnupg/gnupg/relocate.patch
> > @@ -17,7 +17,7 @@ diff --git a/common/homedir.c b/common/homedir.c
> >  index 6f99f3e..f22aa9e 100644
> >  --- a/common/homedir.c
> >  +++ b/common/homedir.c
> > -@@ -1284,7 +1284,7 @@ gnupg_socketdir (void)
> > +@@ -1294,7 +1294,7 @@ gnupg_socketdir (void)
> >     if (!name)
> >       {
> >         unsigned int dummy;
> > @@ -26,7 +26,7 @@ index 6f99f3e..f22aa9e 100644
> >         gpgrt_annotate_leaked_object (name);
> >       }
> >
> > -@@ -1316,7 +1316,7 @@ gnupg_sysconfdir (void)
> > +@@ -1326,7 +1326,7 @@ gnupg_sysconfdir (void)
> >     if (dir)
> >       return dir;
> >     else
> > @@ -35,7 +35,7 @@ index 6f99f3e..f22aa9e 100644
> >   #endif /*!HAVE_W32_SYSTEM*/
> >   }
> >
> > -@@ -1352,7 +1352,7 @@ gnupg_bindir (void)
> > +@@ -1362,7 +1362,7 @@ gnupg_bindir (void)
> >         return name;
> >       }
> >     else
> > @@ -44,7 +44,7 @@ index 6f99f3e..f22aa9e 100644
> >   #endif /*!HAVE_W32_SYSTEM*/
> >   }
> >
> > -@@ -1379,7 +1379,7 @@ gnupg_libexecdir (void)
> > +@@ -1389,7 +1389,7 @@ gnupg_libexecdir (void)
> >         return name;
> >       }
> >     else
> > @@ -53,7 +53,7 @@ index 6f99f3e..f22aa9e 100644
> >   #endif /*!HAVE_W32_SYSTEM*/
> >   }
> >
> > -@@ -1409,7 +1409,7 @@ gnupg_libdir (void)
> > +@@ -1419,7 +1419,7 @@ gnupg_libdir (void)
> >         return name;
> >       }
> >     else
> > @@ -62,7 +62,7 @@ index 6f99f3e..f22aa9e 100644
> >   #endif /*!HAVE_W32_SYSTEM*/
> >   }
> >
> > -@@ -1440,7 +1440,7 @@ gnupg_datadir (void)
> > +@@ -1450,7 +1450,7 @@ gnupg_datadir (void)
> >         return name;
> >       }
> >     else
> > @@ -71,7 +71,7 @@ index 6f99f3e..f22aa9e 100644
> >   #endif /*!HAVE_W32_SYSTEM*/
> >   }
> >
> > -@@ -1472,7 +1472,7 @@ gnupg_localedir (void)
> > +@@ -1482,7 +1482,7 @@ gnupg_localedir (void)
> >         return name;
> >       }
> >     else
> > diff --git a/meta/recipes-support/gnupg/gnupg_2.4.8.bb b/meta/recipes-
> > support/gnupg/gnupg_2.4.9.bb
> > similarity index 97%
> > rename from meta/recipes-support/gnupg/gnupg_2.4.8.bb
> > rename to meta/recipes-support/gnupg/gnupg_2.4.9.bb
> > index a6e777abf89..4f60a4e7b28 100644
> > --- a/meta/recipes-support/gnupg/gnupg_2.4.8.bb
> > +++ b/meta/recipes-support/gnupg/gnupg_2.4.9.bb
> > @@ -23,7 +23,7 @@ SRC_URI:append:class-native = "
> file://0001-configure.ac-
> > use-a-custom-value-for-
> >                                  file://relocate.patch"
> >  SRC_URI:append:class-nativesdk = " file://relocate.patch"
> >
> > -SRC_URI[sha256sum] =
> > "b58c80d79b04d3243ff49c1c3fc6b5f83138eb3784689563bcdd060595318616"
> > +SRC_URI[sha256sum] =
> > "dd17ab2e9a04fd79d39d853f599cbc852062ddb9ab52a4ddeb4176fd8b302964"
> >
> >  EXTRA_OECONF = "--disable-ldap \
> >               --disable-ccid-driver \
>


-- 
Yoann Congal
Smile ECS

[-- Attachment #2: Type: text/html, Size: 6912 bytes --]

Re: [OE-core][scarthgap][PATCH] gnupg: upgrade 2.4.8 -> 2.4.9

[Yoann Congal]

On Sat Jan 10, 2026 at 11:44 PM CET, Peter Marko via lists.openembedded.org wrote:
> From: Peter Marko <peter.marko@siemens.com>
>
> Handles CVE-2025-68973.
>
> Refresh patches.
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
>  meta/recipes-support/gnupg/gnupg/relocate.patch    | 14 +++++++-------
>  .../gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb}       |  2 +-
>  2 files changed, 8 insertions(+), 8 deletions(-)
>  rename meta/recipes-support/gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb} (97%)

Hello,

I've tested that on autobuilder but got an error in oe-selftest-debian:
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/35/builds/3138
  ERROR: autoconf-native-2.72e-r0 do_recipe_qa: GPG exited with code 2: gpg: signing failed: Corrupted protection
  gpg: signing failed: Corrupted protection
  ERROR: patch-native-2.7.6-r0 do_recipe_qa: GPG exited with code 2: gpg: signing failed: Corrupted protection
  gpg: signing failed: Corrupted protection

I've started a build with this gnupg upgrade reverted to confirm that
this is indeed the cause: 
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/35/builds/3142

Can you look at this?
Thanks!

Regards,

-- 
Yoann Congal
Smile ECS

RE: [OE-core][scarthgap][PATCH] gnupg: upgrade 2.4.8 -> 2.4.9

[Marko, Peter]

> -----Original Message-----
> From: Yoann Congal <yoann.congal@smile.fr>
> Sent: Wednesday, February 4, 2026 11:10
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>;
> openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][scarthgap][PATCH] gnupg: upgrade 2.4.8 -> 2.4.9
> 
> On Sat Jan 10, 2026 at 11:44 PM CET, Peter Marko via lists.openembedded.org
> wrote:
> > From: Peter Marko <peter.marko@siemens.com>
> >
> > Handles CVE-2025-68973.
> >
> > Refresh patches.
> >
> > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > ---
> >  meta/recipes-support/gnupg/gnupg/relocate.patch    | 14 +++++++-------
> >  .../gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb}       |  2 +-
> >  2 files changed, 8 insertions(+), 8 deletions(-)
> >  rename meta/recipes-support/gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb}
> (97%)
> 
> Hello,
> 
> I've tested that on autobuilder but got an error in oe-selftest-debian:
> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/35/builds/3138
>   ERROR: autoconf-native-2.72e-r0 do_recipe_qa: GPG exited with code 2: gpg:
> signing failed: Corrupted protection
>   gpg: signing failed: Corrupted protection
>   ERROR: patch-native-2.7.6-r0 do_recipe_qa: GPG exited with code 2: gpg:
> signing failed: Corrupted protection
>   gpg: signing failed: Corrupted protection
> 
> I've started a build with this gnupg upgrade reverted to confirm that
> this is indeed the cause:
> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/35/builds/3142
> 
> Can you look at this?
> Thanks!

Unfortunately, I'm not able to reproduce this failure.

On my Debian 11 I have:
SANITY_TESTED_DISTROS = ""
PACKAGE_CLASSES = "package_rpm"
RPM_GPG_SIGN_CHUNK = "1"
IMAGE_CLASSES += 'testimage'
And run:
oe-selftest -r signing -j 16
And get:
oe-selftest - INFO - RESULTS - signing.LockedSignatures.test_locked_signatures: PASSED (122.35s)
oe-selftest - INFO - RESULTS - signing.Signing.test_signing_packages: PASSED (155.34s)
oe-selftest - INFO - RESULTS - signing.Signing.test_signing_sstate_archive: PASSED (121.11s)
oe-selftest - INFO - oe-selftest - OK - All required tests passed (successes=3, skipped=0, failures=0, errors=0)

So I guess I just backport the CVE fix instead of this upgrade.

Peter

> 
> Regards,
> 
> --
> Yoann Congal
> Smile ECS

Re: [OE-core][scarthgap][PATCH] gnupg: upgrade 2.4.8 -> 2.4.9

[Yoann Congal]

On Wed Feb 18, 2026 at 10:28 PM CET, Peter Marko wrote:
>
>
>> -----Original Message-----
>> From: Yoann Congal <yoann.congal@smile.fr>
>> Sent: Wednesday, February 4, 2026 11:10
>> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>;
>> openembedded-core@lists.openembedded.org
>> Subject: Re: [OE-core][scarthgap][PATCH] gnupg: upgrade 2.4.8 -> 2.4.9
>> 
>> On Sat Jan 10, 2026 at 11:44 PM CET, Peter Marko via lists.openembedded.org
>> wrote:
>> > From: Peter Marko <peter.marko@siemens.com>
>> >
>> > Handles CVE-2025-68973.
>> >
>> > Refresh patches.
>> >
>> > Signed-off-by: Peter Marko <peter.marko@siemens.com>
>> > ---
>> >  meta/recipes-support/gnupg/gnupg/relocate.patch    | 14 +++++++-------
>> >  .../gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb}       |  2 +-
>> >  2 files changed, 8 insertions(+), 8 deletions(-)
>> >  rename meta/recipes-support/gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb}
>> (97%)
>> 
>> Hello,
>> 
>> I've tested that on autobuilder but got an error in oe-selftest-debian:
>> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/35/builds/3138
>>   ERROR: autoconf-native-2.72e-r0 do_recipe_qa: GPG exited with code 2: gpg:
>> signing failed: Corrupted protection
>>   gpg: signing failed: Corrupted protection
>>   ERROR: patch-native-2.7.6-r0 do_recipe_qa: GPG exited with code 2: gpg:
>> signing failed: Corrupted protection
>>   gpg: signing failed: Corrupted protection
>> 
>> I've started a build with this gnupg upgrade reverted to confirm that
>> this is indeed the cause:
>> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/35/builds/3142
>> 
>> Can you look at this?
>> Thanks!
>
> Unfortunately, I'm not able to reproduce this failure.
>
> On my Debian 11 I have:
> SANITY_TESTED_DISTROS = ""
> PACKAGE_CLASSES = "package_rpm"
> RPM_GPG_SIGN_CHUNK = "1"
> IMAGE_CLASSES += 'testimage'
> And run:
> oe-selftest -r signing -j 16
> And get:
> oe-selftest - INFO - RESULTS - signing.LockedSignatures.test_locked_signatures: PASSED (122.35s)
> oe-selftest - INFO - RESULTS - signing.Signing.test_signing_packages: PASSED (155.34s)
> oe-selftest - INFO - RESULTS - signing.Signing.test_signing_sstate_archive: PASSED (121.11s)
> oe-selftest - INFO - oe-selftest - OK - All required tests passed (successes=3, skipped=0, failures=0, errors=0)

FYI, the failing build:
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/35/builds/3138
... was on Debian 12
(It's the retry with this patch reverted that was on Debian 11)

Scarthgap has since been successfully retried on Debian 12 (without this
patch):
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/35/builds/3226

Can you check this on Debian 12?

Thanks!

> So I guess I just backport the CVE fix instead of this upgrade.
>
> Peter
>
>> 
>> Regards,
>> 
>> --
>> Yoann Congal
>> Smile ECS


-- 
Yoann Congal
Smile ECS

RE: [OE-core][scarthgap][PATCH] gnupg: upgrade 2.4.8 -> 2.4.9

[Marko, Peter]

> -----Original Message-----
> From: Yoann Congal <yoann.congal@smile.fr>
> Sent: Thursday, February 19, 2026 14:55
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>;
> openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][scarthgap][PATCH] gnupg: upgrade 2.4.8 -> 2.4.9
> 
> On Wed Feb 18, 2026 at 10:28 PM CET, Peter Marko wrote:
> >
> >
> >> -----Original Message-----
> >> From: Yoann Congal <yoann.congal@smile.fr>
> >> Sent: Wednesday, February 4, 2026 11:10
> >> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>;
> >> openembedded-core@lists.openembedded.org
> >> Subject: Re: [OE-core][scarthgap][PATCH] gnupg: upgrade 2.4.8 -> 2.4.9
> >>
> >> On Sat Jan 10, 2026 at 11:44 PM CET, Peter Marko via
> lists.openembedded.org
> >> wrote:
> >> > From: Peter Marko <peter.marko@siemens.com>
> >> >
> >> > Handles CVE-2025-68973.
> >> >
> >> > Refresh patches.
> >> >
> >> > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> >> > ---
> >> >  meta/recipes-support/gnupg/gnupg/relocate.patch    | 14 +++++++-------
> >> >  .../gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb}       |  2 +-
> >> >  2 files changed, 8 insertions(+), 8 deletions(-)
> >> >  rename meta/recipes-support/gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb}
> >> (97%)
> >>
> >> Hello,
> >>
> >> I've tested that on autobuilder but got an error in oe-selftest-debian:
> >> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/35/builds/3138
> >>   ERROR: autoconf-native-2.72e-r0 do_recipe_qa: GPG exited with code 2:
> gpg:
> >> signing failed: Corrupted protection
> >>   gpg: signing failed: Corrupted protection
> >>   ERROR: patch-native-2.7.6-r0 do_recipe_qa: GPG exited with code 2: gpg:
> >> signing failed: Corrupted protection
> >>   gpg: signing failed: Corrupted protection
> >>
> >> I've started a build with this gnupg upgrade reverted to confirm that
> >> this is indeed the cause:
> >> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/35/builds/3142
> >>
> >> Can you look at this?
> >> Thanks!
> >
> > Unfortunately, I'm not able to reproduce this failure.
> >
> > On my Debian 11 I have:
> > SANITY_TESTED_DISTROS = ""
> > PACKAGE_CLASSES = "package_rpm"
> > RPM_GPG_SIGN_CHUNK = "1"
> > IMAGE_CLASSES += 'testimage'
> > And run:
> > oe-selftest -r signing -j 16
> > And get:
> > oe-selftest - INFO - RESULTS -
> signing.LockedSignatures.test_locked_signatures: PASSED (122.35s)
> > oe-selftest - INFO - RESULTS - signing.Signing.test_signing_packages:
> PASSED (155.34s)
> > oe-selftest - INFO - RESULTS - signing.Signing.test_signing_sstate_archive:
> PASSED (121.11s)
> > oe-selftest - INFO - oe-selftest - OK - All required tests passed (successes=3,
> skipped=0, failures=0, errors=0)
> 
> FYI, the failing build:
> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/35/builds/3138
> ... was on Debian 12
> (It's the retry with this patch reverted that was on Debian 11)
> 
> Scarthgap has since been successfully retried on Debian 12 (without this
> patch):
> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/35/builds/3226
> 
> Can you check this on Debian 12?

I have retested with Debian 12 and 13 and the tests were green.
I guess I'm missing some configuration from AB so I have no clue how to fix it...
So again, I'm just going to backport the CVE patch for now instead of upgrade...

Peter

> 
> Thanks!
> 
> > So I guess I just backport the CVE fix instead of this upgrade.
> >
> > Peter
> >
> >>
> >> Regards,
> >>
> >> --
> >> Yoann Congal
> >> Smile ECS
> 
> 
> --
> Yoann Congal
> Smile ECS