
Handle invalid compliance settings
Closed, Resolved · Public

Description

As we talked about:

In Kleopatra it would be good to figure out if there is a conflict in compliance settings. E.g. the user wants to use the de-vs mode with a non-compliant libgcrypt. In that case we should be able to detect that through gpgconf instead of having all operations fail with "Forbidden".

That way we can open a Message box and inform the user that the requested operation mode is in conflict.

When done in GnuPG, please assign this back to me so that I can write the Kleopatra side. I am thinking of showing a warning like:

"This version $VERSION cannot be operated in the requested compliance mode $compliance.
Most operations will fail with the error "Forbidden" unless you change the compliance mode through the
GnuPG System configuration.

If you have questions regarding the compliance of $VERSION please contact mailto://info@gnupg.com"

Details

Version
master

Event Timeline

With the next GnuPG versions (2.2.28 and 2.3.0) you can do a read

$ gpgconf --list-options gpg | grep ^compliance_de_vs
compliance_de_vs:146:3::1:1::0::

to check whether gnupg is prepared for compliance de-vs and using a suitable libgcrypt. This does not indicate that the selected algorithm is compliant because there are many ways to override this. You need to look closer at GPG_ERR_FORBIDDEN in this case.

Do you need more status messages similar to

ERROR random-compliance XXX
werner triaged this task as High priority.
werner added a subscriber: werner.
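
The check described in the comment above, combined with the requested compliance mode to detect the conflict this task is about. This is an added example, not GnuPG or Kleopatra code. It assumes the `compliance` option appears in the same listing and that fields follow gpgconf's colon format (default in field 8, value in field 10); the `compliance` lines and the sample listings are constructed.

```shell
#!/bin/sh
# Added example: classify the de-vs state from `gpgconf --list-options gpg`.
# Assumed field layout (gpgconf colon format):
#   name:flags:level:description:type:alt-type:argname:default:argdef:value

# gpgconf_field NAME N -- print field N of option NAME from the listing on stdin.
gpgconf_field() {
    awk -F: -v name="$1" -v n="$2" '$1 == name { print $n; exit }'
}

# de_vs_check LISTING -- prints one of:
#   unknown   no compliance_de_vs line (gpg older than 2.2.28 / 2.3.0)
#   ok        de-vs not requested, or requested and gpg reports it is prepared
#   conflict  de-vs requested, but gpg/libgcrypt is not prepared for it
# "ok" says nothing about the selected algorithms; those can still be
# overridden and end in GPG_ERR_FORBIDDEN.
de_vs_check() {
    listing=$1
    flag_line=$(printf '%s\n' "$listing" | grep '^compliance_de_vs:') || {
        echo unknown; return 0; }
    # Assumption: an explicit value (field 10) wins, else the default (field 8).
    prepared=$(printf '%s\n' "$flag_line" | gpgconf_field compliance_de_vs 10)
    [ -n "$prepared" ] ||
        prepared=$(printf '%s\n' "$flag_line" | gpgconf_field compliance_de_vs 8)
    # gpgconf prefixes string values with a double quote; strip it.
    mode=$(printf '%s\n' "$listing" | gpgconf_field compliance 10 | sed 's/^"//')
    if [ "$mode" = "de-vs" ] && [ "$prepared" != "1" ]; then
        echo conflict
    else
        echo ok
    fi
}

# Constructed sample listings (the `compliance` lines are illustrative).
SAMPLE_CONFLICT='compliance:16:3::2:2::"gnupg::"de-vs
compliance_de_vs:146:3::1:1::0::'
SAMPLE_OK='compliance:16:3::2:2::"gnupg::"de-vs
compliance_de_vs:146:3::1:1::1::'
SAMPLE_OLD='compliance:16:3::2:2::"gnupg::'

# Live use: de_vs_check "$(gpgconf --list-options gpg)"
```
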

Has this been implemented?

ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Jul 24 2023, 2:12 PM