
gnupg 2.2.28 : test t-sexputil fails on Fedora 33 and AIX 7.1
Closed, ResolvedPublic

Description

Hi,
When running gnupg 2.2.8 tests on Fedora33 (x86_64 and PPC64LE) and AIX7.1 by means of Fedora-based .spec RPM %check, I have the following error, which did not appear with v2.2.27 in the same environments (all was perfect with version 2.2.27):

t-sexputil.c:464: test 0 failed: Unknown elliptic curve
FAIL: t-sexputil

> Known envvars: GPG_TTY(ttyname) TERM(ttytype) DISPLAY(display)
> XAUTHORITY(xauthority) XMODIFIERS WAYLAND_DISPLAY GTK_IM_MODULE
> DBUS_SESSION_BUS_ADDRESS QT_IM_MODULE INSIDE_EMACS PINENTRY_USER_DATA(pinentry-user-data)

1 of 21 tests failed

I have very limited skills about gnupg2. I would appreciate knowing how to get more trace details.

Regards
Tony

Details

Version
2.2.28

Related Objects

Event Timeline

werner added a subscriber: werner.

I am not sure about Fedora, but RedHat used to remove ECC support from Libgcrypt; GnuPG requires these curves. As long as you don't use ECC, things will work despite this failed test. The test is new to check and does not anticipate a broken Libgcrypt.

Supported curves should be listed by

gpg --list-config --with-colons curve

For example:

cfg:curve:cv25519;ed25519;nistp256;nistp384;nistp521;brainpoolP256r1;brainpoolP384r1;brainpoolP512r1;secp256k1

Hi Werner,

There is 0 difference between the Fedora 2.2.27 .spec file and the Fedora 2.2.8 .spec file I used for running the tests, except:

  • the version of gnupg for sure and
  • a patch change within scd/apdu.c dealing with a call of: pcsc_connect() since code has changed between the 2 versions: may this be the cause of the failure? (Edited: hummm this patch seems no more required. I have the same failure without it)

And the environment is exactly the same for running the tests with 2.2.27 and 2.2.28.

So, that does not look to be a choice made by Fedora; unless a change they made in 2.2.27 had no impact in 2.2.27 but has an impact in 2.2.28.
Fedora project is still using 2.2.27. They have not moved to 2.2.28 yet. So, maybe they have done nothing yet to move to 2.2.28 or they have found the same issue I found and are analyzing what happened.

Fedora33/x86_64:
$ gpg --list-config --with-colons curve
cfg:curve:cv25519;ed25519;nistp256;nistp384;nistp521;secp256k1

AIX 7.1:
$ gpg --list-config --with-colons curve
cfg:curve:cv25519;ed25519;nistp256;nistp384;nistp521;secp256k1

  • a patch change within scd/apdu.c dealing with a call of: pcsc_connect() since code has changed between the 2 versions: may this be the cause of the failure? (Edited: hummm this patch seems no more required. And I have the same failure without it).

The thing is that I added a test for a new function which uses standard curves of Libgcrypt. But here we are again at the RedHat mess: They support the NIST curves but they removed support for Brainpool curves. Both are very similar curves just different parameters. Brainpool is just in Europe out of fear that the NIST curves are rigged by the NSA. Now, why RedHat removed Brainpool is probably just a legal dept thing who didn't have a clue. The tin foil hats probably see a different reason.

Now what to do: You may comment out the Brainpool test cases which actually makes the test cases useless. You can also add test cases for NIST curves: You need to compute the compressed form. I was just too lazy to do this given that I had compressed public keys for Brainpool already here. After all the code is currently only used for smartcards which use compressed points: There is just one right now in our portfolio.

  • What we can do is to skip this test if we detect an unsupported curve and print a warning. Would that be helpful?
  • Or you build with a custom build version of Libgcrypt.

Hi,
The site now shows: "NET::ERR_CERT_DATE_INVALID" and I have a limited access to the web page.
Thanks for your explanation. However, I now so few about gnupg, thus I'm not sure I cannot add test cases, probably not. I'll see later if we have to provide on AIX a behavior different than the one of RedHat. Meanwhile, about your last proposal, yes it would be very useful to detect the case, print a warning, and skip the test. That would be helpful. Moreover, if the test deals with smartcards, we do not have on AIX, thus this test is very probably not useful in our environment.

Fix: "I Know so few about gnupg, thus I'm not sure I COULD add test cases, probably not. "

Sorry for the expired certificate.

werner claimed this task.

With the next release you will get only a warning:

gnupg-2.2/common/t-sexputil.c:467: test 0 failed: Unknown elliptic curve - ignored
This is likely due to a patched version of Libgcrypt with removed support for Brainpool curves

Thanks werner. That helps us to know that such test failure is not a deep issue that would push us to not deliver this version of gnupg on AIX.
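
An added example, not part of the original thread and not GnuPG's own code: a shell function that parses the `cfg:curve:` line printed by `gpg --list-config --with-colons curve` and reports which Brainpool curves the linked Libgcrypt lacks, so a package `%check` can tell this known cause apart from a real failure. The function names `missing_curves` and `check_local` are assumptions; the two sample lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Curves the thread identifies as removed from the patched Libgcrypt builds.
BRAINPOOL="brainpoolP256r1 brainpoolP384r1 brainpoolP512r1"

# missing_curves LINE [CURVE...]
# Prints the space-separated required curves that are absent from LINE.
# Returns 0 if none are missing, 1 if some are, 2 if LINE is not a
# "cfg:curve:" record.
missing_curves() {
    line=$1; shift
    case $line in
        cfg:curve:*) list=${line#cfg:curve:} ;;
        *) return 2 ;;
    esac
    missing=
    for want in "$@"; do
        # Wrap both sides in ';' so only whole curve names match.
        case ";$list;" in
            *";$want;"*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Output lines quoted in the thread: the reference build, then the
# Fedora 33 / AIX 7.1 builds.
REF_LINE='cfg:curve:cv25519;ed25519;nistp256;nistp384;nistp521;brainpoolP256r1;brainpoolP384r1;brainpoolP512r1;secp256k1'
FEDORA_LINE='cfg:curve:cv25519;ed25519;nistp256;nistp384;nistp521;secp256k1'

# check_local: run the same check against the installed gpg.
# Returns 2 if gpg is unavailable or prints no curve record.
check_local() {
    line=$(gpg --list-config --with-colons curve 2>/dev/null |
           grep '^cfg:curve:') || return 2
    # BRAINPOOL is deliberately unquoted so it splits into three names.
    missing_curves "$line" $BRAINPOOL
}

# Demonstration on the thread's Fedora/AIX line; prints the missing curves.
missing_curves "$FEDORA_LINE" $BRAINPOOL || true
```

Calling `check_local` before running the test suite gives a non-zero status with the missing curve names when the installed Libgcrypt has Brainpool support removed.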