gpgsm --import --quiet is not quiet
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	dkg
	Nov 25 2019, 8:43 PM

Description

I'm trying to quietly import a PKCS#12 object with an empty passphrase with gpgsm, but it produces quite a bit of noise on stderr, despite my providing the --quiet option:

$ gpgsm --pinentry-mode=loopback --passphrase-fd 4 4<<<'' --homedir=$(mktemp -d) --batch --quiet --import <test.p12
gpgsm: 992 bytes of 3DES encrypted text
gpgsm: processing certBag
gpgsm: issuer certificate (#/CN=Sample LAMPS Certificate Authority) not found
gpgsm: 872 bytes of 3DES encrypted text
gpgsm: processing certBag
gpgsm: 1224 bytes of 3DES encrypted text
gpgsm: DBG: keygrip= D3 E5 44 6E 1D 01 22 86 F3 97 4B F4 BB CD 56 19 4A 2B E5 FC
$

--quiet is apparently not doing the job it is supposed to do here.

I've attached the test.p12 file i'm working with if anyone wants to try to replicate.

test.p124 KBDownload

Details

Version: 2.2.17

Revisions and Commits

rG GnuPG
	rG332098a0f717 sm: Fix issuer certificate look error due to legacy error code.
	rGa170f0e73f38 sm: Do not print certain issuer not found diags in quiet mode.
	rG473b83d1b9ef sm: Fix issuer certificate look error due to legacy error code.
	rG615d2e4fb158 sm: Silence some output on --quiet
	rGbcdbf0fcf3c1 sm: Silence some output on --quiet

Related Objects

Mentioned In: T5949: Release GnuPG 2.2.36

Event Timeline

dkg created this task.Nov 25 2019, 8:43 PM

• werner triaged this task as Low priority.Nov 25 2019, 10:19 PM

Other ways that gpgsm --quiet is not quiet:

$ gpgsm --homedir /home/dkg/tmp/tmp.9N2MLnakUz --disable-dirmngr --quiet --disable-crl-checks --disable-policy-checks --disable-ocsp --import bob.encrypt.crt
gpgsm: issuer certificate (#/CN=Sample LAMPS Certificate Authority) not found
$

$ echo test | gpgsm --homedir /home/dkg/tmp/tmp.9N2MLnakUz --disable-dirmngr --quiet --disable-crl-checks --disable-policy-checks --disable-ocsp --recipient '&3B9045B756394324AB9F2AFC73F72972A5E5E134' --encrypt > test.p7
gpgsm: encrypted data created
$

• werner added a commit: rGbcdbf0fcf3c1: sm: Silence some output on --quiet.Feb 24 2021, 8:40 AM

• werner added a commit: rG615d2e4fb158: sm: Silence some output on --quiet.

Done in 2.2 and 2.3. The issuer certificate thing is a real error message and thus it should be printed.

Thanks for the fixes, @werner!

If "issuer certificate (…) not found" is a real error message, it is pretty opaque to me. the only thing I asked for was an --import, not any sort of verification or validation of the certificate. What is the error? From my testing, it looks like gpgsm does actually import the certificate, and it returns 0 (typically meaning "success").

By comparison , importing an OpenPGP certificate (or "keyblock" if you prefer) into gpg with --quiet doesn't give me any warning messages, even if I import a certificate which is expired or otherwise unusable.

I'm re-opening this because I think the remaining message is a warning at worst, maybe eve just informational, and i generally expect --quiet to suppress any informational or warning message, as long as the stated intent (--import) succeeds.

• werner added a commit: rG473b83d1b9ef: sm: Fix issuer certificate look error due to legacy error code..Feb 25 2021, 9:17 AM

• werner added a commit: rGa170f0e73f38: sm: Do not print certain issuer not found diags in quiet mode..

Okay, okay, I had in mind that we print them because we used to put such certificates into the ephemeral certificate storage because it is not possible to check the signature. But I reliazed that this changed quite some time ago and we can view these error messages as informative only. They are now not anymore printed int quiet mode. Well, for 2.3 - not sure whether I should backport this to 2.2.

• werner closed this task as Resolved.Feb 25 2021, 9:20 AM

thanks, @werner!

• werner mentioned this in T5949: Release GnuPG 2.2.36.Jul 6 2022, 8:30 PM

• werner added a commit: rG332098a0f717: sm: Fix issuer certificate look error due to legacy error code..Feb 26 2023, 7:15 PM