Ich you do not have a working TPM or emulation but the tpm libraries installed run configure with the option

--disable-tpm2d

In T5411#149872, @aheinecke wrote:

Our windows explorer plugin keeps libgpg-error loaded when you install an upgrade. That is why our installer asks for a reboot at the end of the install. You have ignored the reboot and you then get the error.

We have another ticket T5012 for this issue.

Our windows explorer plugin keeps libgpg-error loaded when you install an upgrade. That is why our installer asks for a reboot at the end of the install. You have ignored the reboot and you then get the error.

I had the same issue opening GPA or Kleopatra going from 3.1.14 to 3.1.16 on Windows 10. I don't have Outlook installed.

Thanks for clarification, indeed attempt to decrypt data returns an error afterwards.

Well, while importing you get the warning:

Yes, for migration from GnuPG 2.0 reasons, a batch import delays the key checking (i.e. converting from OpenPGP to GnuPG internal format) to the first use. Thus you don't see an error immediately. But if you encrypt something , you won't be able to decrypt it again:

Thanks, Werner.
During further work on this got another issue:

Thanks. I meanwhile pushed a fix to 2.3 so that a warning is shown if the low bits are set.

Thanks for the replies, this makes things clear. We'll update RNP to correctly set/unset those bits while saving a generated secret key and a way to fix up previously generated keys.

Right, as long as there is only one format in widespread use (based on a long existing 4880bis draft) only this format should go over the wire.
Thus, it is a matter how the key is exported. In cryptography you should never have several options - one clearly defined format is what you want. We have had enough trouble with PGP5 peculiarities but in that case their implementation had more users and thus GnuPG had to work around it. Not good, but there was no standard at all at this time.

@onickolay No sorry needed. It was me, who cannot answer promptly.

@gniibe sorry for pinging, but this issue gets attention as TB users (with RNP OpenPGP backend) cannot import to GnuPG EdDSA secret key which was generated by RNP since it doesn't tweak bits when storing or exporting a secret key.
Should we update RNP to tweak those bits during storage to be more compatible (given that those bits doesn't make any difference)?

Nah, I think I laid out all my arguments by now. I don't have more to add, so I'll just let it be.

Not at all. But 2.1 was such a large change that users really should have read the announcement and think about their use case. We have exensivly communicated the changes and can expect that users test their new installation. IF you have further comments, please use the mailing list.

I'm still sad that you don't acknowledge the problem I am describing. It seems that you are writing your software for the kind of user who reads all your documentation first. That kind of user does not exist.

The option has been removed form the repo more than 11 years ago and the gnupg with this changes (2.1.0) was released 7 years ago including an extensive writeup on all the major changes including notices that the secret keys will be converted and moved.

I propose the following patch to inform the user about the obsolete --secret-keyring option. The same is done for many other obsolete options.

This is very saddening and alarming from a respected member of the community whose opinion matters.

Please try 3.1.16 and make sure that you don't have other variants of gpg4win installed or Outlook plugins also using parts of gpg4win or its libraries.

You should have read the release notes of 2.1 (first point). We can't keep a bug open because you had a wrong understanding of GnuPG properties. Sorry.

Well, the keys are not generated but public keys are imported. @gniibe's key has meanwhile expired but we keep it because it will allow users to verify some older source packages. An expired signature key is not an error but merely means that one should evaluate the meaning of the signature with more diligence.

Sorry, I don't understand what you are trying to say, so let me give you some more detail.

Everything in ~/.gnupg is and has always been private to gnupg unless explicitly stated otherwise.

Check that the file exists and that you have permissions to read the file. You may use an editor to try this out.

Do I correctly understand that issue will be resolved on GnuPG side by tweaking key bits before private-key import/and/or/operations?

We should not support a different OID or representation of 22519 which will only lead to incompatibilities and trouble existing users. 25519 is in too widespread use than to allow for any changes.

Check out https://gnupg.org

But where i can find miling list ? I need get back my pgp key, because it's
now bock.

No, sorry. For help please use one of the mailing lists.

Take care: It is not clear whether you may use a [C} subkey for certification. GnuPG currently accepts this but the RFC can also be read as primary keys needs to to do the certification.

For signing (aka certifying) another key you need a (sub)key with the "certify" capability. Your signing subkey can only be used for signing data but not for certifying keys. This isn't specific to gpgme. See https://datatracker.ietf.org/doc/html/rfc4880#section-5.2.3.21.

Yes, you need the secret part of the primary key. gpgme has this info but it is easy to miss. Even our gpgme/tests/run-keylist.c debug tool did not show it directly. I modified it to make this more clear, see the latest gpgme commit. Here is an example for my key:

$ ./run-keylist --verbose --with-secret  63113AE866587D0A
keyid   : 63113AE866587D0A
caps    : esc
flags   : secret
upd     : 0 (0)
fpr    0: AEA84EDCF01AD86C4701C85C63113AE866587D0A
grip   0: CE5C1F1B8C96F1A078A2D1932EEE738A854ED976
curve  0: ed25519
caps   0: sc
flags  0:
fpr    1: E05BA20ED4F17768613B03C53CD7B3A055039224
grip   1: 7A1E3130C9CBDBF203A0AD8E186D9C511D5019FF
curve  1: cv25519
caps   1: e
flags  1: secret
fpr    2: 8777461F2A074EBC480D359419CC1C9E085B107A
grip   2: FF35C6E765F440145095750DC97D43D496C5ABEA
curve  2: ed25519
caps   2: s
flags  2: secret

Then let's get it in there. It's pretty easy to traverse a directory.

reading your report again: You clicked on a folder and expected that all encrypted files in this folder will be decrypted? That is unfortunately not supported.

I have the same message when i try to decrypt files larger than 1.5GB in size; i atached the report "gpgconf --show-version"

I am also a MacOS Big Sur user who recently upgraded to 2.3.1 and had problems after upgrading. In my use case, I use the yubikey as the authentication for pass password manager which uses gpg under the hood.

I'm referring to this: https://www.gnupg.org/howtos/card-howto/en/ch02s03.html

@colemickens We don't maintain any ccid udev rules in GnuPG. What do you refer?

@gniibe can you provide any commentary on why the gnupg ccid udev rule is so much smaller than the one debian maintains? Is the debian one considered authoritative these days?

Thanks @gniibe, that's very helpful advice and pointers. Very appreciated, cheers.

Perhaps, if a distro haven't offered setting of USB, it would be better to configure GnuPG build with --disable-ccid-driver and only support scdaemon with PC/SC. GPG for Windows does so.

1. It's a breaking change for system with both of PC/SC and CCID. T4673 due to T3300
   • If you configure with no libusb, users don't need 'disable-ccid' option.
2. I don't know how "wide".
3. In Debian, it is maintained here: https://salsa.debian.org/debian/gnupg2/-/blob/debian/main/debian/scdaemon.udev
4. Yes.

Hi, as a contributor to NixOS I'd also like some guidance. I'm testing the 2.3 upgrade ahead of 2.4, and it "breaks" Yubikey UX that I know many of us use. This might be because we appear to not yet install gnupg's CCID udev rules installed. A few questions:

Thank you for the suggestion of disable-ccid that seems to have solved the problem.

I can confirm disable-ccid works, thank you!

Please have a look at the log:

Please tell us more details on how we can replicate your problem. Which Windows version, any non-standard software installed, non-standard installation direcories etc. You may also provide the output of

So Facebook simply does not support Ed25519 keys; there implementation is a bit limited. To be fair, there is no published RFC describing 25519 for OpenPGP; all major implementations work with drafts regarding 25519.

The configure run tells you what libraries are missing - none in your case. However, something is wrong with your development setup: The configure run detected libksba but cc compiler did not found it anymore. Check that you don't have any special envvars set etc. What is the actual compiler command which failed (make sure not to pass V=0 to make for this).

Dear Werner,

This does not look like a bug report. Please ask on a mailing list for help.

The problem ist not an "ugly error message" but it does not recognize that the e-mail IS encyrpted by Symantec-PGP! But the plugin always says:

Please do not repeat you question, this won't give you anymore attention. Read my comment above and please ask on a mailing list etc.

Good morning,

I think the option you are looking for is "--homedir" with that option on the command line you can redirect where GnuPG looks for options and keys.

Please try using the current version (3.1.14) and if the problem persists re-open this bug. In this case we will also need a more detailed report.

(Reporter has problems running his own keyserver and accessing it.)

When building from git make sure that you have all tools installed and use
./autogen.sh --force
before running configure. Do not use autoreconf etc.

Hartmut, please read Andre's mail again - we can't do anything about it if Outlook considers an extra delay of 20ms as too slow.

Andre,

thats wrong.
if i disable the Addin, the effect is gone.

Best regards
Hartmut

Von: aheinecke (Andre Heinecke) <noreply@dev.gnupg.org>
Gesendet: Freitag, 11. Dezember 2020 08:35
An: hartmut.jacobi@hotmail.de
Betreff: [Task] [Closed] T5176: Problem with Office 365 GnuPG Outlook addin, Outlook reports not to be primary Mail client

aheinecke closed this task as "Invalid".
aheinecke added a comment.

Hi, you can change the default mail app under systemsettings in windwos 10, this has nothing to do with GpgOL, and the delayed start report, I can't do anything about. Outlook just shows this for any COM Addin to shift the blame, seriously we took 0,02s or 20ms on your system for our initialization. That is reasonably fast.

TASK DETAIL
https://dev.gnupg.org/T5176

EMAIL PREFERENCES
https://dev.gnupg.org/settings/panel/emailpreferences/

To: aheinecke

Cc: aheinecke, gnupg, HackyJ, Neurone, ccharabaruk, gp_ast

This is an automated email from the GnuPG development hub. If you have registered in the past at https://bugs.gnupg.org/ your account was migrated automatically. You can visit https://dev.gnupg.org/ to set a new password and update your email preferences.

Hi, you can change the default mail app under systemsettings in windwos 10, this has nothing to do with GpgOL, and the delayed start report, I can't do anything about. Outlook just shows this for any COM Addin to shift the blame, seriously we took 0,02s or 20ms on your system for our initialization. That is reasonably fast.

There's a wildcard CNAME, it's not _really_ configured. It's not a good assumption that a CNAME == configured and it doesn't have a reasonable fallback, IMHO.

If you configure the subdomain in the DNS this will be used. Thus get a cert for it. The old method should not be used and thus if the openpgpkey subdomain exists gpg concludes that the admin is aware of the new scheme.

Hm, I don't want to remove the CNAME just so that GPG WKD would work, is there a way to fix this? Is there a good reason why after "Advanced"/subdomain lookup it doesn't try "direct"?

Oh, it's using the openpgpkey subdomain because of the CNAME but that's not actually being served by the server.

Thank you very much

Select your key in the certificate view, click right, select "Backup Secret keys ...", store to a file. Then copy that file in a secure why (USB stick etc) to the new box, import it there.

I am sorry, but this is not a help desk but a bug tracker. See https://gpg4win.org or https://gnupg.org to find out which community support is available.

Please ask on a mailing list - this is a bug tracker and somehow expects bug descriptions.

This is a support question. Please use one of the public support channels as listed at gnupg.org or ask for a quote at a commercial service (https://gnupg.org/service.html).

Let me comment this

I am sharing completed info, please look into it, at may I know the cause
gpg: enabled debug flags: lookup
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search 0: SUBSTR: 'JPMCBANK_GPG_PROD_2020'
gpg: DBG: keydb_search: searching keybox (resource 0 of 1)
gpg: DBG: keydb_search: searched keybox (resource 0 of 1) => Success
gpg: DBG: finish_lookup: checking key 88BEBD28 (all)(req_usage=1)
gpg: DBG: checking subkey 022E17B7
gpg: DBG: subkey might be fine
gpg: DBG: using key 022E17B7
gpg: using subkey F423A07D022E17B7 instead of primary key 9D09927E88BEBD28
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search 0: SUBSTR: 'JPMCBANK_GPG_UAT_2019'
gpg: DBG: keydb_search: searching keybox (resource 0 of 1)
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search 0: LONG_KID: 'BFFCAF61B48701FD'
gpg: DBG: keydb_search: searching keybox (resource 0 of 1)
gpg: DBG: keydb_search: searched keybox (resource 0 of 1) => Success
gpg: DBG: finish_lookup: checking key B48701FD (all)(req_usage=0)
gpg: DBG: using key B48701FD
gpg: using pgp trust model
gpg: DBG: keydb_search: searched keybox (resource 0 of 1) => Success
gpg: DBG: finish_lookup: checking key B48701FD (all)(req_usage=2)
gpg: DBG: checking subkey 403048E0
gpg: DBG: usage does not match: want=2 have=1
gpg: DBG: no suitable subkeys found - trying primary
gpg: DBG: primary key usage does not match: want=2 have=5
gpg: DBG: no suitable key found - giving up
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search 0: SUBSTR: 'JPMCBANK_GPG_UAT_2019'
gpg: DBG: keydb_search: searching keybox (resource 0 of 1)
gpg: DBG: keydb_search: searched keybox (resource 0 of 1) => EOF
gpg: JPMCBANK_GPG_UAT_2019: skipped: Unusable public key
gpg: E:\New\steps.txt: sign+encrypt failed: Unusable public key
gpg: secmem usage: 1376/32768 bytes in 3 blocks