
Kleopatra: gpg.exe hangs on trying to exportably certify an already locally signed certificate with multiple UIDs
Testing, High, Public

Description

with VS-Desktop-3.3.90.10-Beta, not reproducible in VS-Desktop-3.3.90.6-Beta

  • Import a pubkey with 2 UIDs
  • locally certify on import
  • then (from the certificate list) try to certify it exportably with a tag

The cli of the gpg.exe, taken from process explorer:

c:\Program Files (x86)\GnuPG VS-Desktop\GnuPG\bin\gpg.exe" "--status-fd" "4" "--logger-fd" "8" "--no-tty" "--charset=utf8" "--enable-progress-filter" "--exit-on-status-write-error" "--ttyname=/dev/tty" "--command-fd" "12" "--with-colons" "--expert" "-u" "B0FBC8D8324859B9" "--set-notation=rem@gnupg.org=test" "--no-ask-cert-expire" "--default-cert-expire" "0" "--edit-key" "--" "FADC4675146CFAF3D86F137E1D3C5E6E3DB3C71D

gpgme-log:

Details

Version
VS-Desktop-3.3.90.10-Beta

Event Timeline

ebo renamed this task from Kleopatra: gpg.exe hangs on trying to exportably certify an already locally signed certificate with multible UIDs to Kleopatra: gpg.exe hangs on trying to exportably certify an already locally signed certificate with multiple UIDs. Wed, Apr 9, 3:12 PM
ebo triaged this task as High priority.
ebo created this task.
ebo added subscribers: werner, ikloecker.

The dialog between gpg and Kleopatra looks like this:

[GNUPG:] KEY_CONSIDERED FADC4675146CFAF3D86F137E1D3C5E6E3DB3C71D 0<LF>
[GNUPG:] GET_LINE keyedit.prompt<LF>
sign
<LF>
[GNUPG:] GOT_IT<LF>
[GNUPG:] GET_BOOL keyedit.sign_all.okay<LF>
N
<LF>
[GNUPG:] GOT_IT<LF>
[GNUPG:] GET_LINE keyedit.prompt<LF>
uid D2C00A207DC184562E41517CBC5EF7175E8535E8
<LF>
[GNUPG:] GOT_IT<LF>
[GNUPG:] GET_LINE keyedit.prompt<LF>
uid 648AC172C3EC45F85AA2E68E46D3FEFABD1F5BD7
<LF>
[GNUPG:] GOT_IT<LF>
[GNUPG:] GET_LINE keyedit.prompt<LF>
sign
<LF>
[GNUPG:] GOT_IT<LF>
[GNUPG:] KEY_CONSIDERED FFDFEE2F0C8F278023284D90B0FBC8D8324859B9 0<LF>
[GNUPG:] GET_BOOL sign_uid.local_promote_okay<LF>
Y
<LF>
[GNUPG:] GOT_IT<LF>
[GNUPG:] GET_BOOL sign_uid.okay<LF>

and then nothing else.

I don't see why it breaks/hangs. The code of GpgSignKeyEditInteractor didn't change since GpgME 1.19.

The state machine in GpgSignKeyEditInteractor expects to see GET_BOOL sign_uid.okay and it should have answered with Y.

After further investigation it looks like this bug exists since quite some time.

yeah, I did not have exactly the same setting for the tests in the different versions… so no regression

Fixed in gpgmepp for gpd5x. I think for VSD 3.3 we'll add a patch to gpg4win.

ikloecker changed the task status from Open to Testing. Thu, Apr 10, 3:54 PM
ikloecker moved this task from Backlog to WIP on the gpd5x board.

Very likely this bug exists since 2017 when support for promotion of local certifications to exportable certifications was added.

this exact case is fixed in VS-Desktop-3.3.90.12-Beta
Adding further UIDs and making more certifications still works, too.

But now I get an error when certifying a certificate with one UID globally after a previous local certification: "userdefined errorcode 1"
The same when certifying only one UID of a certificate with several in the same way.

That error code is actually not an error code but it is the ERROR state from the Kleo SFM. We have seen that yesterday already.
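
Added example, not part of the task and not gpgme or Kleopatra code: a small replay of the status-fd/command-fd dialog quoted above that pairs each GET_* request with the text written back and the GOT_IT acknowledgement, so the request that was left open stands out. The names pair_prompts and stalled are hypothetical helpers.

```python
import re
# Dialog copied from the task above; "[GNUPG:]" lines come from gpg's status-fd.
DIALOG = """\
[GNUPG:] KEY_CONSIDERED FADC4675146CFAF3D86F137E1D3C5E6E3DB3C71D 0<LF>
[GNUPG:] GET_LINE keyedit.prompt<LF>
sign
<LF>
[GNUPG:] GOT_IT<LF>
[GNUPG:] GET_BOOL keyedit.sign_all.okay<LF>
N
<LF>
[GNUPG:] GOT_IT<LF>
[GNUPG:] GET_LINE keyedit.prompt<LF>
uid D2C00A207DC184562E41517CBC5EF7175E8535E8
<LF>
[GNUPG:] GOT_IT<LF>
[GNUPG:] GET_LINE keyedit.prompt<LF>
uid 648AC172C3EC45F85AA2E68E46D3FEFABD1F5BD7
<LF>
[GNUPG:] GOT_IT<LF>
[GNUPG:] GET_LINE keyedit.prompt<LF>
sign
<LF>
[GNUPG:] GOT_IT<LF>
[GNUPG:] KEY_CONSIDERED FFDFEE2F0C8F278023284D90B0FBC8D8324859B9 0<LF>
[GNUPG:] GET_BOOL sign_uid.local_promote_okay<LF>
Y
<LF>
[GNUPG:] GOT_IT<LF>
[GNUPG:] GET_BOOL sign_uid.okay<LF>
"""
STATUS = re.compile(r"^\[GNUPG:\] (\S+) ?(.*)$")

def pair_prompts(dialog):
    """Return [prompt, answer, acked] for every GET_* request, in order."""
    out = []
    for raw in dialog.splitlines():
        line = raw.replace("<LF>", "").strip()
        m = STATUS.match(line)
        if m and m.group(1).startswith("GET_"):
            out.append([m.group(2), "", False])   # new request from gpg
        elif m and m.group(1) == "GOT_IT" and out:
            out[-1][2] = True                     # gpg received the answer
        elif not m and line and out and not out[-1][2]:
            out[-1][1] = line                     # text written to command-fd
    return out

def stalled(dialog):  # prompts gpg issued that GOT_IT never acknowledged
    return [p for p, _, acked in pair_prompts(dialog) if not acked]
```

Run over the dialog from the task, stalled(DIALOG) reports sign_uid.okay as the only request without an acknowledged answer, which is the point where gpg.exe keeps waiting.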