fixup! fixup! sequoia-chameleon-gnupg: rebuild to fix vulnerabilities in sequoia-wot

classabbyamp · classabbyamp · commit 02b0f1859048 · 2026-05-27T17:09:58.000-04:00
diff --git a/srcpkgs/sequoia-chameleon-gnupg/patches/fix-tests.patch b/srcpkgs/sequoia-chameleon-gnupg/patches/fix-tests.patch
@@ -0,0 +1,71 @@
+From 90e370fef788980e49aa807ac28531264bb9f404 Mon Sep 17 00:00:00 2001
+From: Malte Meiboom <malte@sequoia-pgp.org>
+Date: Fri, 20 Feb 2026 13:50:40 +0100
+Subject: [PATCH] Fix missing time corrections
+
+- `gpg-sq` can set a fake system time via `--faked-system-time`.
+- Fixed some occurrences where `None` was used as time instead of the
+  passed fake time.
+- fixes: #156
+---
+ src/decrypt.rs       | 2 +-
+ src/generate_key.rs  | 2 +-
+ src/gpg.rs           | 2 +-
+ tests/gpg/decrypt.rs | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/decrypt.rs b/src/decrypt.rs
+index 2749532..d722389 100644
+--- a/src/decrypt.rs
++++ b/src/decrypt.rs
+@@ -715,7 +715,7 @@ impl<'a, 'store> DHelper<'a, 'store> {
+                         .filter_map(|cert| cert.to_cert().ok().cloned())
+                     {
+                         if let Some(key) = cert.keys()
+-                            .with_policy(&self.config.de_vs_producer, None)
++                            .with_policy(&self.config.de_vs_producer, self.config.now())
+                             .key_handle(recipient.clone()).next()
+                         {
+                             compliant = compliant &&
+diff --git a/src/generate_key.rs b/src/generate_key.rs
+index 85e41b4..5dd42f9 100644
+--- a/src/generate_key.rs
++++ b/src/generate_key.rs
+@@ -280,7 +280,7 @@ async fn real_cmd_quick_add_key(config: &mut crate::Config<'_>, args: &[String])
+             all_expired_or_revoked: false,
+         })?;
+ 
+-    let vcert = cert.with_policy(config.policy(), None)?;
++    let vcert = cert.with_policy(config.policy(), config.now())?;
+     let mut primary_signer =
+         config.get_signer(&vcert, cert.primary_key().role_as_unspecified()).await?;
+ 
+diff --git a/src/gpg.rs b/src/gpg.rs
+index 81d5353..b4e4d38 100644
+--- a/src/gpg.rs
++++ b/src/gpg.rs
+@@ -721,7 +721,7 @@ impl<'store> Config<'store> {
+                             all_expired_or_revoked: false,
+                         })?;
+ 
+-                    if let Ok(vcert) = cert.with_policy(self.policy(), None) {
++                    if let Ok(vcert) = cert.with_policy(self.policy(), self.now()) {
+                         for sk in vcert.keys().key_flags(&flags).alive()
+                             .revoked(false)
+                         {
+diff --git a/tests/gpg/decrypt.rs b/tests/gpg/decrypt.rs
+index 3fefe95..a34f693 100644
+--- a/tests/gpg/decrypt.rs
++++ b/tests/gpg/decrypt.rs
+@@ -489,7 +489,7 @@ fn encrypt_for(recipient_certs: &[&Cert]) -> Result<Vec<u8>> {
+         // Make sure we add at least one subkey from every
+         // certificate.
+         let mut found_one = false;
+-        for key in cert.keys().with_policy(p, None)
++        for key in cert.keys().with_policy(p, Experiment::now())
+             .supported().alive().revoked(false).for_transport_encryption()
+         {
+             recipients.push(key);
+-- 
+GitLab
+
