@pow, thanks for a reference. But problem here is that there are multiple products with same name.

@werner Yes, that sounds great, and would help already a lot, but extending it for card keys would be optimal. Thanks for your work.

In master (to be 2.3) you can add a Label: line into the sub key file of on-disk keys. I use this for quite some time now to show me alabel for my on-disk ssh keys so that I known which one was requested. We can and should extend this to card keys.

Same here, having YubiKeys and on-disk ssh keys from several computers, it is a bit a pain not to know which key is actually used. Any chances to get at least an update via manual editing of the comment?

I've also noticed this issue on windows when trying to symlink %APPDATA%\gnupg to $HOME/.gnupg under msys32.

Dear Martin,

Not sure what I did wrong this time, but it's broken again - GPG will again prompt for the PIN on my computer instead of on the Gemalto Ezio Shield reader :(

I'm using GnuPG 2.2.4-1ubuntu1.2 with your patch applied:

I believe that constraint of ret_keyblock != NULL is OK.
Pushing the fix.
Perhaps, backport to 2.2 should be done, too.

I have the same effect if I send a signed text-only or HTML email using Outlook 365 and our Exchange 365 and if I view the mail on Outlook on Android. The mail shows no contents only the file. If I view the mail using Outlook 365 on my PC or Windows 10 Mail it looks fine.
If I address it also to my Microsoft account and my Gmail account (using all adresses in the TO: field of the same mail) the email looks normal in the Gmail Android app and (!) in Outlook for Android.
So the same mail - both in the same Outlook for Android app - looks correct in my Microsoft account inbox but only shows the file in my Exchange inbox - in the same Outlook App. Weird… Nokia 7 plus, Android 9, newest patch level (September 2019) and no updates in Google Play Store.
BTW: In Exchange 365 I configured the message flow, default remote domain (there is no other) to never to use Rich Text, always and only HTML.

Thanks for the feedback! Right now it hangs only for a few seconds, then works as usual. No idea how this come, but I'll close the issue and contact the ML if it appears again.

In T4475#124816, @werner wrote:

Put

log-file /somewhere/scd.log
debug ipc,cardio
verbose

into ~/.gnupg/scdaemon.conf and kill scdaemon. Then look at the output. I would suggest to first stop the pcscd so that GnuPG's internal CCID driver will be used. Make also sure that there is no a permission problem with the usb port. In case of a CCID (card reader protocol) problem a

debug-ccid-driver

in scdaemon.conf will also be helpful.

If we can assume ret_keyblock != NULL (it is, in current implementation), it can be as simple as:

diff --git a/g10/getkey.c b/g10/getkey.c
index 6802026f6..27bbd354c 100644
--- a/g10/getkey.c
+++ b/g10/getkey.c
@@ -1354,6 +1354,8 @@ get_best_pubkey_byname (ctrl_t ctrl, enum get_pubkey_modes mode,
   int is_mbox = is_valid_mailbox (name);
   int wkd_tried = 0;

Please try with the latest GnuPG version (2.2.17) - it is unlikely that we can give support for an old version with Ubuntu's own set of patches. It is also advisable to post to the gnupg-users ML because over there you have hundreds of Ubuntu users.

See https://minerva.crocs.fi.muni.cz/ for a description of the timing attack.

I agree with @werner that when presented with a User ID with self-sig with preference, the preferences subpackets from the self-sig should take precedence.

I modified _gcry_ecc_fill_in_curve so that g_y has new value in eid4730.

I believe the issue is as follows. When given the option ttyname=... pinentry will open() the given tty and that fails since it is owned by the regular user and not root; strace reports:

openat(AT_FDCWD, "/dev/pts/1", O_RDONLY) = -1 EACCES (Permission denied)

However, when not given this option, pinentry will simply write() to stdout which causes no permission problem; through sudo and the terminal this goes to /dev/pts/1.

I found a way to replicate that error with just pinentry by doing (as root):

# tty
/dev/pts/1
# pinentry
OK Pleased to meet you
OPTION ttyname=/dev/pts/1
OK
GETPIN
S ERROR gtk2.open_tty_for_read 83918849
ERR 83918849 Permission denied <Pinentry>

When I remove OPTION ttyname=... there is no error.

My other terminals (xterm) are /dev/pts/1, /dev/pts/2, etc. and I can reproduce the bug in them too.

See also apt-get show libpam-poldi

Also in another terminal?

I did not (neither in my root shell nor in my user shell) but setting and exporting this environment variable does not make any difference: gpg --gen-key still fails as above. (Note that tty indeed returns /dev/pts/0 .)

Do you have

GPG_TTY=$(tty)
export GPG_TTY

That's my badness. I think that I haven't seen this problem, because I mainly use tokens (where keygrip difference doesn't matter, after --card-status).

Hi
FYI here is what I did to resolve:
running gpg.exe and gpg-agent.exe as Administrator and XP mode....
gp-agent:
set service Priority to REALTIME
Disabled Windows UAC virtualization.

Thanks for your help investigating this.

if you run

What is weird is that pinentry supposedly detects the absence of an X session and falls back on curses. For instance, I have: