There are several interface cahnges, adjust tests accordingly.

"datareporting.policy.dataSubmissionEnabled" setting doesn't prevent
donation prompt anymore, TB...

There is no need for fetching dogtail via git anymore, all relevant (for
us) distributions have ...

While --auto-key-locate in general is not safe, it's okay when used with
the default value - ign...

Clicking the actual "New" or "Send / Receive" buttons do not work, the
working button is the sib...

GnuPG does not treat + as a separator in this case.

New policy editor / global config handles Split-GPG policy now, don't
get in its way.

QubesOS/q...

* origin/pr/92:
spec: add BR python3-setuptools

They disrupt tests

* origin/pr/88:
Clean up spec file cruft
Use ppoll() instead of pselect()

No change in behavior on any supported version.

It didn't report the final failed attempt as a failure.

This avoids the FD_SETSIZE limit.

split-gpg1 always behaves as if this is set, with the exception that
broken pipes cause all furt...

If --status-fd, --logger-fd, or --attribute-fd is given more than once,
GnuPG will (with a few e...

Non-batch mode is intended for interactive use, and split-gpg1 is never
interactive. --command-...

--command-fd appears safe, and indeed for a while it was thought to be
safe. However, it turns ...

This fixes a regression if the client has been updated but the server
has not.

* origin/pr/80:
Allow "qubes-gpg-client --verify - a.sig"
Check that standard streams are op...

* origin/pr/83:
gpg-client: check for too many file names

This is useful and removes another incompatibility.

Otherwise confusing things could happen later.

This also ensures that an invalid FD will be detected early.

It really is global to the program, and since it is immutable, the usual
problems with globals d...

split-gpg1 uses pipes for all I/O to and from GnuPG. Pipes are
unidirectional, so it is not pos...

Previously, both add_arg_to_fd_list() and handle_opt_verify() had their
own logic for adding fil...

* origin/pr/86:
Allow --show-session-key

* origin/pr/81:
Allow exporting public keyring backups
Allow --export-ownertrust

* origin/pr/82:
Avoid dropping a trailing empty string
Do not send argv[0] to server
Fix c...

This will ease migration to split-gpg2, as users can now export a full
backup of their public ke...

If the last argument sent by the client was the empty string, it would
silently be dropped by th...

The server will just ignore it and does not need to know it. Send an
empty string instead.

'struct command_hdr' requires 4-byte alignment, but a char array only
requires 1-byte alignment,...

If the client sends a header with length 0, the server will crash (in
parse_options()) because a...

If the input length was exactly 1024 bytes, the NUL terminator would be
written one past the end...

The static remote_argv and untrusted_remote_argv arrays are *not* far
too big. In fact, if untr...

It is used by notmuch when operating on encrypted messages.

The code failed to properly NULL-terminate argument lists, causing the
server to treat uninitial...

These are used by Mutt to suppress unwanted output. Without them, Mutt
waits for the user to pr...

This allows exporting ownertrust, which is useful for migrating from
split-gpg1 to split-gpg2.

...

Previously they were silently ignored.

This ensures that file descriptors that are already open do not get
clobbered. The syntax is ne...

The pipe remapping code relies on all of the pipes being created at file
descriptors that are no...

This is necessary for some programs, as found via a search on GitHub.
All verify and options acc...

* origin/pr/75:
.qubesbuilder: replace 'spec' by 'build'
Add Qubes Builder v2 integration

* origin/pr/77:
tests: really just sign in test_010_send_receive_signed_only
tests: adjust m...

Depending on version, there might be an info bar with GPG details at
the top of the message. Thi...

There is no more 'Close' button, and dogtail doesn't seem to support
sending window manager acti...

The settings dialog has settings category buttons (with categories name)
not connected to actual...

With --photo-viewer=/bin/true, show-photos is effectively a no-op, so it
is safe to allow as a l...

* origin/pr/73:
Fix list and verify option processing

* origin/pr/70:
Drop --pgp2
Reject options ignored by the wrapper script

The argument to --verify-options was not sanitized, and the argument to
--list-options was sanit...

GnuPG itself no longer supports this option.

They are useless attack surface.

Sending progress dialog may disappear a moment after the main compose
window. Do not treat it as...

* origin/pr/71:
Update gpg-client-wrapper
add alias `--sign-with` to `-u`

It is a safe option and clients should be allowed to use it.

The client must exit when, and only when, it gets the exit code from the
server. The server mus...

Otherwise there is a race condition, as described in man:pselect(2).
The call to pthread_sigmask...

It is of size 0 not 1.

Otherwise streams could be flushed twice.

By creating the pipes with O_CLOEXEC, closing them in the child process
can be avoided. The ker...

The file descriptor remapping code had a fatal flaw: if the read side of
one of the pipes that w...

There is no reason to use an int here. Allows an assertion to go away.

Terminating the process on SIGPIPE is a terrible idea if there are
multiple pipes being written ...

The max allowed file descriptor limit is 1023, not 1024. Update the
assertion accordingly.

The signature file should not become a controlling terminal, and its
file descriptor should not ...

The previous code did not properly validate file descriptor arguments.
I was not able to figure ...

`read_fds` can contain rather large, attacker-controlled numbers, but
`i` cannot. This avoids a...

Co-authored-by: Demi Marie Obenour <[email protected]>

(short option for `--local-user`)

fixes https://github.com/QubesOS/qubes-issues/issues/3325

Ensure all file descriptors are bounds-checked before being used as
array subscripts.

Disallow 'show-photos', 'show-keyring', and 'help', as well as duplicate
options.

Tested manual...

Images in GPG keys can come from untrusted sources via
qubes.GpgImportKey. Viewing them in the ...

* origin/pr/67:
`--output` is more than just stdout redirection
Use set_output for -o as wel...

* origin/pr/61:
Reject non-UTF-8 compatible display charsets
Allow `--utf8-strings`
Ignore...