Perhaps i wasn't clear enough in the earlier messages on this thread. The inclusion of restrictively-licensed code in a file that also claims LGPL/GPL appears to be an unredistributable license. Could you please clarify why the GPL or LGPL applies to libksba while it contains src/cms.asn in its current form?
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
All Stories
May 29 2019
we've never shipped a binary gpgscm in any debian package. I was just reviewing the differences between what we ship and what upstream ships, and i noticed this discrepancy.
I also experienced this issue while testing my --delete-secret-key patches. Passing --pinentry-program /usr/bin/pinentry-tty to the gpg-agent worked around it.
Add confirmation prompt for exactly-specified public subkeys.
Add documentation.
Add documentation.
Thanks, the mentioned OpenSSL option should be helpful.
A high level test description is:
- Configure both gpgsm and dirmngr to use OCSP.
- Import the responder signer certificate with gpgsm --import.
- Use a certificate with OCSP responder extension present, or configure a default OCSP responder in dirmngr.
- Configure your OCSP responder to identify itself with key ID (and not subject name)
- Attempt to sign or verify with gpgsm.
- You should get an error, with dirmngr logs showing that the responder signer certificate could not be found.
Thank you for a quick fix (despite this being a minor problem).
Thanks for taking the time to describe this attack vector. We will need to study this closer to balance such a change with other side effects of this.
gpgscm will anyway be moved to libgpg-error and then installed as part of that package. Given that we install it for quite some time with gnupg, I won't remove it unless we can be sure that it has been installed by libgpg-error. Feel free to remove it from Debian, though,
I wrote a patch in a topic branch: rG108c22c9c50a: g10,agent: Support CONFIRM for --delete-key.
I think that gpg-agent side,
- agent/call-pinentry.c: This part is good
- agent/command.c: I wonder if use of status for passing the information of prompt is good or not
Perhaps, we need an improvement in
- g10/call-agent.c: how to ask user, by cpr_* function with no keyword is good?
- Currently, only using DESC
- Only applying to DELETE_KEY command
- Can be applied also to:
- PKSIGN
- PKDECRYPT
Fix pushed.
I think that detecting strerror_s by configure is better, because it's a new feature on Windows.
May 28 2019
I do not have a PoC (or much interest in making one, I have too many more important things to do), but I believe this to be correct, based heavily on PPC knowledge of Nicolas König <koenigni@student.ethz.ch> . This attack also applies to AMD, Intel, and ARM.
Remove gpg_ prefix from function.
Squashed: D482
Squashed: D485
Squashed: D488
A better solution has been commited: cc6069ac6ecd
I should add that using gpg on the command line works fine over SSH. The problem occurs only inside Emacs over SSH.
Ah, I added the --verbose option and got this output (sanitized by me):
Sorry, I forgot to mention it. You need to add -v to the command line.
Thank you, werner. Could you please tell me an exact GPG command to do this signing, and tell me where the output line should appear? I tried this command on the command line:
Which pinentry are you using in in what mode? Please do a sign operation and watch out for a line similar to:
My understanding of this issue and the fix for it is that Outlook with exchange detects that our mails are S/MIME mails. As the attachments are modified by us outlook wants to save the changes on move. This fails because it can't do the crypto. Leading to the error. This also happens when such a mail is closed.
I also tried adding this to my gpg-agent.conf file:
Oh, in case it wasn't clear, the idea that another application (GNU emacs) is receiving keystrokes meant for the gpg-agent prompt is probably a security risk....
We did not remove the "<>" from the content id. This worked for the first display but when forwarding they got doubled and it broke.
Do you have any test cases? Note that T3966 is due to missing support for SHA-256.
Can you please give more details and tell whether this is powerpc specific.