Merge branch 'STABLE-BRANCH-2-4'

--
Resolved conflicts:
	NEWS
	common/exechelp-w32.c
	configure.ac

Author: dd9jn

.git-blame-ignore-revs

@@ -1,2 +1,4 @@
 # indent: Modernize mem2str.
 6a80d6f9206eae2c867c45daa5cd3e7d6c6ad114
+# doc: Fix spelling errors found by lintian.
+2ed1f68b48db7b5503045386de0500fddf70077e

Makefile.am

@@ -247,8 +247,8 @@ release:
          mkopt=""; \
 	 if [ -n "$$CUSTOM_SWDB" ]; then \
             mkopt="CUSTOM_SWB=1"; \
-	    x=$$(grep '^OVERRIDE_TARBALLS=' \
-                 $$HOME/.gnupg-autogen.rc|cut -d= -f2);\
+	    x=$$(grep '^[[:blank:]]*OVERRIDE_TARBALLS[[:blank:]]*=' \
+                 $$HOME/.gnupg-autogen.rc|cut -d= -f2|xargs);\
 	    if [ -f "$$x/swdb.lst" ]; then \
 	      echo "/* Copying swdb.lst from the overrides directory */"; \
               cp "$$x/swdb.lst" . ; \
@@ -275,13 +275,15 @@ release:
 sign-release:
 	 +(set -e; \
 	  test $$(pwd | sed 's,.*/,,') = dist || cd dist; \
-	  x=$$(grep '^RELEASE_ARCHIVE=' $$HOME/.gnupg-autogen.rc|cut -d= -f2);\
+	  x=$$(grep '^[[:blank:]]*RELEASE_ARCHIVE[[:blank:]]*=' \
+                    $$HOME/.gnupg-autogen.rc|cut -d= -f2|xargs);\
           if [ -z "$$x" ]; then \
              echo "error: RELEASE_ARCHIVE missing in ~/.gnupg-autogen.rc">&2; \
              exit 2;\
           fi;\
           myarchive="$$x/$(RELEASE_ARCHIVE_SUFFIX)";\
-	  x=$$(grep '^RELEASE_SIGNKEY=' $$HOME/.gnupg-autogen.rc|cut -d= -f2);\
+	  x=$$(grep '^[[:blank:]]*RELEASE_SIGNKEY[[:blank:]]*=' \
+                     $$HOME/.gnupg-autogen.rc|cut -d= -f2|xargs);\
           if [ -z "$$x" ]; then \
              echo "error: RELEASE_SIGNKEY missing in ~/.gnupg-autogen.rc">&2; \
              exit 2;\

NEWS

@@ -1,6 +1,51 @@
 Noteworthy changes in version 2.5.0 (unreleased)
 ------------------------------------------------
 
+  Changes also found in 2.4.5:
+
+Noteworthy changes in version 2.4.5 (2024-03-07)
+------------------------------------------------
+
+  * gpg,gpgv: New option --assert-pubkey-algo.  [T6946]
+
+  * gpg: Emit status lines for errors in the compression layer.
+    [T6977]
+
+  * gpg: Fix invocation with --trusted-keys and --no-options.  [T7025]
+
+  * gpgsm: Allow for a longer salt in PKCS#12 files.  [T6757]
+
+  * gpgtar: Make --status-fd=2 work on Windows.  [T6961]
+
+  * scd: Support for the ACR-122U NFC reader.  [rG1682ca9f01]
+
+  * scd: Suport D-TRUST ECC cards.  [T7000,T7001]
+
+  * scd: Allow auto detaching of kernel drivers; can be disabled with
+    the new compatibility-flag ccid-no-auto-detach.  [rGa1ea3b13e0]
+
+  * scd: Allow setting a PIN length of 6 also with a reset code for
+    openpgp cards.  [T6843]
+
+  * agent: Allow GET_PASSPHRASE in restricted mode.  [rGadf4db6e20]
+
+  * dirmngr: Trust system's root CAs for checking CRL issuers.
+    [T6963]
+
+  * dirmngr: Fix regression in 2.4.4 in fetching keys via hkps.
+    [T6997]
+
+  * gpg-wks-client: Make option --mirror work properly w/o specifying
+    domains.  [rG37cc255e49]
+
+  * g13,gpg-wks-client: Allow command style options as in "g13 mount
+    foo".  [rGa09157ccb2]
+
+  * Allow tilde expansion for the foo-program options.  [T7017]
+
+  * Make the getswdb.sh tool usable outside the GnuPG tree.
+
+
   Changes also found in 2.4.4:
 
   * gpg: Do not keep an unprotected smartcard backup key on disk.  See
@@ -178,6 +223,7 @@ Noteworthy changes in version 2.5.0 (unreleased)
 Release dates of 2.4 versions
 -----------------------------
 
+Version 2.4.5 (2024-03-07) https://dev.gnupg.org/T6960
 Version 2.4.4 (2024-01-25) https://dev.gnupg.org/T6578
 Version 2.4.3 (2023-07-04) https://dev.gnupg.org/T6509
 Version 2.4.2 (2023-05-30) https://dev.gnupg.org/T6506
@@ -1392,7 +1438,7 @@ Noteworthy changes in version 2.3.0 (2021-04-07)
   Changes also found in 2.2.12:
 
   * tools: New commands --install-key and --remove-key for
-    gpg-wks-client.  This allows to prepare a Web Key Directory on a
+    gpg-wks-client.  This allows one to prepare a Web Key Directory on a
     local file system for later upload to a web server.
 
   * gpg: New --list-option "show-only-fpr-mbox".  This makes the use
@@ -1436,7 +1482,7 @@ Noteworthy changes in version 2.3.0 (2021-04-07)
     query.
 
   * gpg: Do not store the TOFU trust model in the trustdb.  This
-    allows to enable or disable a TOFO model without triggering a
+    allows one to enable or disable a TOFO model without triggering a
     trustdb rebuild.  [#4134]
 
   * scd: Fix cases of "Bad PIN" after using "forcesig".  [#4177]
@@ -1855,7 +1901,7 @@ Noteworthy changes in version 2.1.23 (2017-08-09)
     to your gpg.conf.
 
   * agent: Option --no-grab is now the default.  The new option --grab
-    allows to revert this.
+    allows one to revert this.
 
   * gpg: New import option "show-only".
 
@@ -2985,7 +3031,7 @@ Noteworthy changes in version 2.1.0 (2014-11-06)
  * gpg: Allow use of Brainpool curves.
 
  * gpg: Accepts a space separated fingerprint as user ID.  This
-   allows to copy and paste the fingerprint from the key listing.
+   allows one to copy and paste the fingerprint from the key listing.
 
  * gpg: The hash algorithm is now printed for signature records in key
    listings.
@@ -3765,7 +3811,7 @@ Noteworthy changes in version 1.9.10 (2004-07-22)
 
  * Fixed a serious bug in the checking of trusted root certificates.
 
- * New configure option --enable-agent-pnly allows to build and
+ * New configure option --enable-agent-only allows one to build and
    install just the agent.
 
  * Fixed a problem with the log file handling.
@@ -4160,7 +4206,7 @@ Noteworthy changes in version 1.1.92 (2002-09-11)
       extension specified with --load-extension are checked, along
       with their enclosing directories.
 
-    * The configure option --with-static-rnd=auto allows to build gpg
+    * The configure option --with-static-rnd=auto allows one to build gpg
       with all available entropy gathering modules included.  At
       runtime the best usable one will be selected from the list
       linux, egd, unix.  This is also the default for systems lacking
@@ -4543,7 +4589,7 @@ Noteworthy changes in version 1.0.2 (2000-07-12)
     * New command --export-secret-subkeys which outputs the
       the _primary_ key with it's secret parts deleted.  This is
       useful for automated decryption/signature creation as it
-      allows to keep the real secret primary key offline and
+      allows one to keep the real secret primary key offline and
       thereby protecting the key certificates and allowing to
       create revocations for the subkeys.  See the FAQ for a
       procedure to install such secret keys.

agent/agent.h

@@ -86,8 +86,8 @@ struct
   /* Enable pinentry debugging (--debug 1024 should also be used).  */
   int debug_pinentry;
 
-  /* Filename of the program to start as pinentry.  */
-  const char *pinentry_program;
+  /* Filename of the program to start as pinentry (malloced).  */
+  char *pinentry_program;
 
   /* Filename of the program to handle daemon tasks.  */
   const char *daemon_program[DAEMON_MAX_TYPE];

agent/command.c

@@ -1988,9 +1988,6 @@ cmd_get_passphrase (assuan_context_t ctx, char *line)
   struct pin_entry_info_s *pi2 = NULL;
   int is_generated;
 
-  if (ctrl->restricted)
-    return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));
-
   opt_data = has_option (line, "--data");
   opt_check = has_option (line, "--check");
   opt_no_ask = has_option (line, "--no-ask");
@@ -2039,7 +2036,9 @@ cmd_get_passphrase (assuan_context_t ctx, char *line)
   if (!desc)
     return set_error (GPG_ERR_ASS_PARAMETER, "no description given");
 
-  if (!strcmp (cacheid, "X"))
+  /* The only limitation in restricted mode is that we don't consider
+   * the cache.  */
+  if (ctrl->restricted || !strcmp (cacheid, "X"))
     cacheid = NULL;
   if (!strcmp (errtext, "X"))
     errtext = NULL;
@@ -2121,7 +2120,7 @@ cmd_get_passphrase (assuan_context_t ctx, char *line)
           entry_errtext = NULL;
           is_generated = !!(pi->status & PINENTRY_STATUS_PASSWORD_GENERATED);
 
-          /* We don't allow an empty passpharse in this mode.  */
+          /* We don't allow an empty passphrase in this mode.  */
           if (!is_generated
               && check_passphrase_constraints (ctrl, pi->pin,
                                                pi->constraints_flags,

agent/gpg-agent.c

@@ -876,6 +876,7 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
       opt.debug = 0;
       opt.no_grab = 1;
       opt.debug_pinentry = 0;
+      xfree (opt.pinentry_program);
       opt.pinentry_program = NULL;
       opt.pinentry_touch_file = NULL;
       xfree (opt.pinentry_invisible_char);
@@ -936,7 +937,10 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
     case oNoGrab: opt.no_grab |= 1; break;
     case oGrab: opt.no_grab |= 2; break;
 
-    case oPinentryProgram: opt.pinentry_program = pargs->r.ret_str; break;
+    case oPinentryProgram:
+      xfree (opt.pinentry_program);
+      opt.pinentry_program = make_filename_try (pargs->r.ret_str, NULL);
+      break;
     case oPinentryTouchFile: opt.pinentry_touch_file = pargs->r.ret_str; break;
     case oPinentryInvisibleChar:
       xfree (opt.pinentry_invisible_char);