Backport option reading in gpgconf to 2.2
Closed, Resolved, Public

Description

The new option parser has only been partly ported to 2.2. What we do not have in 2.2 is reading the option values from gpgconf via the new parser. Thus 2.2 currently sees values which are not actually used. This is surprising for users.

Furthermore, Kleopatra depends on some values, for example the decisions on whether to automatically import keys via LDAP servers.

Details

Due Date
Mon, Jan 31, 12:00 AM

Event Timeline

werner triaged this task as High priority. Dec 13 2021, 1:51 PM
werner created this task.
werner created this object with edit policy "Contributor (Project)".
werner added a project: Restricted Project. Dec 13 2021, 1:57 PM
werner set Due Date to Fri, Dec 31, 12:00 AM.
werner changed Due Date from Fri, Dec 31, 12:00 AM to Mon, Jan 31, 12:00 AM.

A clumsy workaround for the Kleo bug is to put "keyserver ldap:///" into the global gpg.conf after an ignore section containing keyserver. This will let gpgconf emit "ldap:///" unless a local gpg.conf exists.

werner changed the task status from Open to Testing. Thu, Dec 30, 10:51 AM

Backport done but diligent testing is required.

With rG8c878ae4c9dfa9fe26aa15f4f9db3e86833575e9 some rules for allow-mark-trusted were removed from doc/examples/gpgconf.conf, but the comments below which are supposed to explain the example rules still talk about allow-mark-trusted.

Example:
/etc/gnupg/gpg.conf:

default-key B81CE112B26A8EA8BE7B95D2E375339BF4C51840

/etc/gnupg/gpgconf.conf:

ingo    gpg     default-key             [default]
*       gpg     default-key             [no-change]

Result in Kleopatra:
Default key is shown as B81CE112B26A8EA8BE7B95D2E375339BF4C51840 and is editable.

The comment in gpgconf.conf for the default flag says "Delete the option so that the default is used.". Therefore, I would have expected that default-key is reported as empty. According to gpgconf default-key has no default, so maybe that's why the default flag has no effect. OTOH, deleting the option would clearly have cleared the default-key option despite there not being some "fancy" default.

It doesn't feel intuitive that specifying the default flag for a setting for a specific user resets the no-change flag specified for all users, i.e. I would have expected default-key to be marked as not editable.

The following looks very much like a bug.

/etc/gnupg/gpgconf.conf:

ingo    gpg     encrypt-to              [default]
*       gpg     default-key             [no-change]

$ gpgconf --list-options gpg | grep default-key
reading options from '/etc/gnupg/gpg.conf'
reading options from '/home/ingo/dev/g10/.gnupghomes/2.2/gpg.conf'
default-key:0:0:use NAME as default secret key:1:1:NAME:::

-> default-key is NOT marked as "no change".

If I comment the line starting with ingo in gpgconf.conf, then I get the expected result:

$ gpgconf --list-options gpg | grep default-key
reading options from '/etc/gnupg/gpg.conf'
reading options from '/home/ingo/dev/g10/.gnupghomes/2.2/gpg.conf'
default-key:128:0:use NAME as default secret key:1:1:NAME:::

FWIW, when gpgconf reports an option of gpg as "no change", then the corresponding settings are not editable in Kleopatra. I will check the settings of the other components.

This also doesn't look right:

/etc/gnupg/gpgconf.conf:

*       gpg     verbose                 [no-change]
        gpg     quiet                   [no-change]
        gpg     debug-level             [no-change]
        gpg     log-file                [no-change]
        gpg     default-key             [no-change]
        gpg     encrypt-to              [no-change]
        gpg     compliance              [no-change]
        gpg     default-new-key-algo    [no-change]
        gpg     trust-model             [no-change]
        gpg     completes-needed        [no-change]
        gpg     marginals-needed        [no-change]
        gpg     max-cert-depth          [no-change]
        gpg     auto-key-locate         [no-change]
        gpg     auto-key-import         [no-change]
        gpg     auto-key-retrieve       [no-change]
        gpg     include-key-block       [no-change]
        gpg     disable-dirmngr         [no-change]
        gpg     keyserver               [no-change]
        gpg     try-secret-key          [no-change]
        gpg     reader-port             [no-change]

/etc/gnupg/gpg.conf:

# Monitor:1:0:Options controlling the diagnostic output:0:0::::
#verbose:4:0:verbose:0:0::::
#quiet:0:0:be somewhat more quiet:0:0::::
#debug-level:16:1::1:1::"none::
#log-file:0:1:write server mode logs to FILE:32:1:FILE:::

# Configuration:1:0:Options controlling the configuration:0:0::::
default-key             B81CE112B26A8EA8BE7B95D2E375339BF4C51840
encrypt-to              B81CE112B26A8EA8BE7B95D2E375339BF4C51840
#group                  global=B81CE112B26A8EA8BE7B95D2E375339BF4C51840
#compliance             de-vs
default-new-key-algo    rsa2048/cert,sign+rsa2048/encr
trust-model             pgp
completes-needed        2
marginals-needed        4       
max-cert-depth          5

# Input:1:0:Options controlling the input:0:0::::

# Output:1:0:Options controlling the output:0:0::::

# ImportExport:1:0:Options controlling key import and export:0:0::::
auto-key-locate         local,ldap
auto-key-import
auto-key-retrieve
include-key-block
#disable-dirmngr
keyserver               https://keys.gnupg.net

# Keylist:1:0:Options controlling key listings:0:0::::
try-secret-key          B81CE112B26A8EA8BE7B95D2E375339BF4C51840

# Security:1:0:Options controlling the security:0:0::::
reader-port             foo

$GNUPGHOME/gpg.conf:

auto-key-locate local,ldap,keyserver
auto-key-import
include-key-block
try-secret-key my-hidden-secret-key
reader-port bar
keyserver https://keys.gnupg.net

$ gpgconf --list-options gpg
reading options from '/etc/gnupg/gpg.conf'
reading options from '/home/ingo/dev/g10/.gnupghomes/2.2/gpg.conf'
Monitor:1:0:Options controlling the diagnostic output:0:0::::
verbose:132:0:verbose:0:0::::
quiet:128:0:be somewhat more quiet:0:0::::
debug-level:144:1::1:1::"none::
log-file:128:1:write server mode logs to FILE:32:1:FILE:::
Configuration:1:0:Options controlling the configuration:0:0::::
default-key:128:0:use NAME as default secret key:1:1:NAME:::"B81CE112B26A8EA8BE7B95D2E375339BF4C51840
encrypt-to:128:0:encrypt to user ID NAME as well:1:1:NAME:::"B81CE112B26A8EA8BE7B95D2E375339BF4C51840
group:4:1:set up email aliases:37:1:SPEC:::
compliance:144:2::1:1::"gnupg::
default-new-key-algo:128:3::1:1::::"rsa2048/cert%2csign+rsa2048/encr
trust-model:128:3::1:1::::"pgp
completes-needed:128:3::2:2::::2
marginals-needed:128:3::2:2::::4
max-cert-depth:128:3::2:2::::5
Input:1:0:Options controlling the input:0:0::::
Output:1:0:Options controlling the output:0:0::::
ImportExport:1:0:Options controlling key import and export:0:0::::
auto-key-locate:128:1:use MECHANISMS to locate keys by mail address:1:1:MECHANISMS:::"local%2cldap%2ckeyserver
auto-key-import:128:0::0:0::::1
auto-key-retrieve:128:2::0:0::::1
include-key-block:128:0::0:0::::1
disable-dirmngr:128:2:disable all access to the dirmngr:0:0::::
keyserver:128:0::1:1::::"https%3a//keys.gnupg.net
Keylist:1:0:Options controlling key listings:0:0::::
try-secret-key:128:0::1:1::::"my-hidden-secret-key
Security:1:0:Options controlling the security:0:0::::
reader-port:128:0::1:1::::"bar

Note that gpgconf uses the values from $GNUPGHOME/gpg.conf even though all options are flagged as "no-change" in /etc/gnupg/gpgconf.conf. Or is the "no-change" flag really only supposed to control the changing of options via gpgconf, but users are still allowed to hack their ~/.gnupg/gpg.conf with any old text editor?

I tried to see what gpgconf from master says, but I only get

$ gpgconf --list-options gpg
gpgconf: unknown option 'try-secret-key' at '/etc/gnupg/gpgconf.conf', line 95
gpgconf: unknown option 'reader-port' at '/etc/gnupg/gpgconf.conf', line 96

This is problematic if one wants to use the same global gpgconf.conf with 2.2 and 2.3. 2.3 doesn't seem to support the ignore-invalid-option option and even if it did, I wouldn't know how to make it work for the global gpgconf.conf given the strict format of this file.

After commenting out the options that gpgconf 2.3 complains about I get:

$ gpgconf --version
gpgconf (GnuPG) 2.3.5-beta17
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

$ gpgconf --list-options gpg
Monitor:1:0:Options controlling the diagnostic output:0:0::::
verbose:132:0:verbose:0:0::::
quiet:128:0:be somewhat more quiet:0:0::::
no-greeting:0:3::0:0::::
debug-level:144:1::1:1::"none::
log-file:128:1:write server mode logs to FILE:32:1:FILE:::
Configuration:1:0:Options controlling the configuration:0:0::::
default-key:128:0:use NAME as default secret key:1:1:NAME:::"B81CE112B26A8EA8BE7B95D2E375339BF4C51840
encrypt-to:128:0:encrypt to user ID NAME as well:1:1:NAME:::"B81CE112B26A8EA8BE7B95D2E375339BF4C51840
group:4:1:set up email aliases:37:1:SPEC:::
compliance:144:2::1:1::"gnupg::
default-new-key-algo:128:3::1:1::::"rsa2048/cert%2csign+rsa2048/encr
trust-model:128:3::1:1::::"pgp
completes-needed:128:3::2:2::::2
marginals-needed:128:3::2:2::::4
max-cert-depth:128:3::2:2::::5
ImportExport:1:0:Options controlling key import and export:0:0::::
auto-key-locate:128:1:use MECHANISMS to locate keys by mail address:1:1:MECHANISMS:::"local%2cldap%2ckeyserver
auto-key-import:128:0:import missing key from a signature:0:0::::1
auto-key-retrieve:128:2::0:0::::1
include-key-block:128:0:include the public key in signatures:0:0::::1
disable-dirmngr:128:2:disable all access to the dirmngr:0:0::::
keyserver:128:3::1:1::::"https%3a//keys.gnupg.net
Security:1:3:Options controlling the security:0:0::::
default_pubkey_algo:144:3::1:1::"rsa2048/cert,sign+rsa2048/encr::
compliance_de_vs:144:3::2:2::0::
use_keyboxd:144:3::2:2::0::

Looking at the value of auto-key-locate, gpgconf 2.3 also seems to use values from the user's gpg.conf although the option is flagged as "no-change". So, it's not a backport-specific issue.

More weirdness. With gpgconf (GnuPG) 2.2.34-beta23 I get:

/etc/gnupg/gpgconf.conf:

[empty lines and comment lines]
#Monitor:1:0:Options controlling the diagnostic output:0:0::::
*       gpgsm   verbose                         [no-change]
        gpgsm   quiet                           [no-change]
        gpgsm   debug-level                     [no-change]
        gpgsm   log-file                        [no-change]

#Configuration:1:0:Options controlling the configuration:0:0::::
*       gpgsm   include-certs                   [no-change]
        gpgsm   compliance                      [no-change]

#Input:1:0:Options controlling the input:0:0::::

#Output:1:0:Options controlling the output:0:0::::
*       gpgsm   default-key                     [no-change]
        gpgsm   encrypt-to                      [no-change]
        gpgsm   keyserver                       [no-change]

#ImportExport:1:0:Options controlling key import and export:0:0::::
*       gpgsm   disable-dirmngr                 [no-change]
        gpgsm   auto-issuer-key-retrieve        [no-change]
        gpgsm   p12-charset                     [no-change]

#Keylist:1:0:Options controlling key listings:0:0::::

#Security:1:0:Options controlling the security:0:0::::
*       gpgsm   disable-crl-checks              [no-change]
        gpgsm   enable-crl-checks               [no-change]
        gpgsm   disable-trusted-cert-crl-check  [no-change]
        gpgsm   enable-ocsp                     [no-change]
        gpgsm   disable-policy-checks           [no-change]
        gpgsm   cipher-algo                     [no-change]

$ gpgconf --list-options gpgsm
Note: no default option file '/etc/gnupg/gpgsm.conf'
reading options from '/home/ingo/dev/g10/.gnupghomes/2.2/gpgsm.conf'
Monitor:1:0:Options controlling the diagnostic output:0:0::::
verbose:132:0:verbose:0:0::::
quiet:128:0:be somewhat more quiet:0:0::::
debug-level:144:1:set the debugging level to LEVEL:1:1:LEVEL:"none::
log-file:128:1:write server mode logs to FILE:32:1:FILE:::
Configuration:1:0:Options controlling the configuration:0:0::::
include-certs:16:2:number of certificates to include:2:2:N:-2::
compliance:16:2::1:1::"gnupg::
Input:1:0:Options controlling the input:0:0::::
Output:1:0:Options controlling the output:0:0::::
default-key:16:0:use USER-ID as default secret key:1:1:USER-ID:::
encrypt-to:16:0:encrypt to user ID NAME as well:1:1:NAME:::
keyserver:4:0::33:1::::
ImportExport:1:0:Options controlling key import and export:0:0::::
disable-dirmngr:0:2:disable all access to the dirmngr:0:0::::
auto-issuer-key-retrieve:0:0:fetch missing issuer certificates:0:0::::
p12-charset:16:1:use encoding NAME for PKCS#12 passphrases:1:1:NAME:::
Keylist:1:0:Options controlling key listings:0:0::::
Security:1:0:Options controlling the security:0:0::::
disable-crl-checks:0:0:never consult a CRL:0:0::::
enable-crl-checks:0:3::0:0::::
disable-trusted-cert-crl-check:0:2:do not check CRLs for root certificates:0:0::::
enable-ocsp:0:1:check validity using OCSP:0:0::::
disable-policy-checks:0:1:do not check certificate policies:0:0::::
cipher-algo:16:1:use cipher algorithm NAME:1:1:NAME:"AES::

Note that only the "Monitor" options in the first block are flagged as "no change" in the output of gpgconf.

With /etc/gnupg/gpgconf.conf

[empty lines and comment lines]
*	gpgsm	verbose				[no-change]
	gpgsm	quiet				[no-change]
	gpgsm	debug-level			[no-change]
	gpgsm	log-file			[no-change]
	gpgsm	include-certs			[no-change]
	gpgsm	compliance			[no-change]
	gpgsm	default-key			[no-change]
	gpgsm	encrypt-to			[no-change]
	gpgsm	keyserver			[no-change]
	gpgsm	disable-dirmngr			[no-change]
	gpgsm	auto-issuer-key-retrieve	[no-change]
	gpgsm	p12-charset			[no-change]
	gpgsm	disable-crl-checks		[no-change]
	gpgsm	enable-crl-checks		[no-change]
	gpgsm	disable-trusted-cert-crl-check	[no-change]
	gpgsm	enable-ocsp			[no-change]
	gpgsm	disable-policy-checks		[no-change]
	gpgsm	cipher-algo			[no-change]

all options are correctly flagged as "no change" in the output of gpgconf
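
The by-hand comparison in the tests above (which options a gpgconf.conf rule marks [no-change] versus which ones gpgconf actually reports with flag bit 128) can be scripted. The following is an added example, not part of the original thread or of GnuPG; it uses the flag bit values documented for gpgconf --list-options, the function names are hypothetical, the sample input is constructed from the output quoted above, and it assumes every rule applies to the current user.

```python
from urllib.parse import unquote
# Bit values of the flags field (2nd field) of `gpgconf --list-options` lines.
FLAGS = {1: "group", 2: "optional-arg", 4: "list", 8: "runtime",
         16: "default", 32: "default-desc", 64: "no-arg-desc", 128: "no-change"}

def parse_list_options(text):
    """Return {option: {"flags": set of flag names, "value": str or None}}."""
    options = {}
    for line in text.splitlines():
        fields = line.split(":")
        # Skip diagnostics (no numeric flags field) and group headers (bit 1).
        if len(fields) < 10 or not fields[1].isdigit() or int(fields[1]) & 1:
            continue
        flags = {name for bit, name in FLAGS.items() if int(fields[1]) & bit}
        raw = fields[9]  # string values start with '"' and are percent-escaped
        value = unquote(raw[1:]) if raw.startswith('"') else (raw or None)
        options[fields[0]] = {"flags": flags, "value": value}
    return options

def locked_in_policy(conf_text, component):
    """Option names that gpgconf.conf rules flag [no-change] for component."""
    names = set()
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and not line[0].isspace():
            parts = parts[1:]  # assumption: ignore the user/group key
        if len(parts) >= 3 and parts[0] == component and "[no-change]" in parts[2:]:
            names.add(parts[1])
    return names

def unlocked(conf_text, component, list_output):
    """Options the rules lock but gpgconf does not report as no-change."""
    reported = parse_list_options(list_output)
    return sorted(n for n in locked_in_policy(conf_text, component)
                  if n in reported and "no-change" not in reported[n]["flags"])

# Constructed sample, abridged from the gpgsm test quoted above.
SAMPLE_CONF = """*       gpgsm   verbose         [no-change]
        gpgsm   quiet           [no-change]
*       gpgsm   include-certs   [no-change]
        gpgsm   compliance      [no-change]
"""
SAMPLE_OUTPUT = """reading options from '/home/ingo/dev/g10/.gnupghomes/2.2/gpgsm.conf'
Monitor:1:0:Options controlling the diagnostic output:0:0::::
verbose:132:0:verbose:0:0::::
quiet:128:0:be somewhat more quiet:0:0::::
include-certs:16:2:number of certificates to include:2:2:N:-2::
compliance:16:2::1:1::"gnupg::
"""
if __name__ == "__main__": print(unlocked(SAMPLE_CONF, "gpgsm", SAMPLE_OUTPUT))
```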

ikloecker: gpgconf.conf is not used anymore since we have the global config files.

@werner Hmm, okay. So I have tested the wrong thing. To me /etc/gnupg/gpgconf.conf looked very much like a global config file I was supposed to test. I have looked at /etc/gnupg, found the example gpgconf.conf and played around with it. It had some effects (see above), so I assumed that it should work. Since it's obvious from my tests that it doesn't really work as documented anymore, all corresponding code should be removed entirely (or fixed if it should be kept for backward compatibility).

A quick grep of gnupg master shows:

  • examples still contains a gpgconf.conf.
  • tools.texi still documents /etc/gnupg/gpgconf.conf.
  • gc_process_gpgconf_conf() is still called in multiple places in tools/gpgconf.c.

At least, the obsolete gpgconf.conf has helped to detect several UI elements in Kleopatra's Settings dialog that were not disabled if the config entry was flagged as read-only.

While trying to test the X.509 directory server configuration in Kleopatra, I stumbled over a difference between 2.2 and 2.3 and a possible regression in 2.2.

${GNUPGHOME}/gpgsm.conf:

keyserver ldaps://keyserver.example.com

GnuPG 2.3:

$ gpgconf --version
gpgconf (GnuPG) 2.3.5-beta17
[...]
$ gpgconf --list-options gpgsm | grep server:
keyserver:4:0::33:1::::"ldaps%3a//keyserver.example.com

GnuPG 2.2:

$ gpgconf --version
gpgconf (GnuPG) 2.2.34-beta23
[...]
$ gpgconf --list-options gpgsm | grep server:
Note: no default option file '/etc/gnupg/gpgsm.conf'
reading options from '/home/ingo/dev/g10/.gnupghomes/2.2/gpgsm.conf'
keyserver:4:0::33:1::::

I found out that in 2.3 find_option() is called with "keyserver" in retrieve_options_from_program while in 2.2 find_option() is called with "ldapserver" (which seems to be defined as an alias for gpgsm's keyserver option). Apparently, the option parsing differs between 2.2 and 2.3 and in 2.2 it seems to be broken (at least for the keyserver option).