Jan 17 2022
- gnupg-448 branch using KWP for ECDH 448
- security report
I'm not completely sure but it might be convenient to mark HMAC keys with lengths less that 112 as non-approved in FIPS mode for both generation and verification. It could be easily implemented by adding a check using cipher/mac-hmac.c:hmac_get_keylen() or at the algo level. What do you think?
Sending a private key with just the local protection is not a good idea. It is better to export the key and then send it in an encrypted mail - for example in symmetric mode with a strong password.
Btw. had to revert your unique ptr change ;-) I didn't want to raise the c++ level just for that.
ikloecker I have just added the ki18n main code to pinentry-qt as qti18n.cpp this fixes it for me. I have commented out everything but the base catalog.
Please no holy wars on the type of curves. NIST as its opinon, Europe has its opinion, DJB has of course a different opinion. Please use the the cryptography ML for such political/technical discussions.
OTOH, inst-qttranslations.nsi copies all .qm files needed by the qt_<language>.qm files.
For the appimage I have added a patch (backported from ki18n) that makes sure that the Qt translations for qtbase are loaded even if the (unneeded) translations for qtscript, qtmultimedia, and qtxmlpatterns are missing. See 0001-Load-Qt-translations-even-if-some-catalogs-are-missi.patch.
Saw this again and the commit was not in the Stable 2.2 branch. I have cherry picked it. This should resolve this issue.
sorry, I'm a bit confused now and probably everything I wrote above is incorrect.
thanks for approving account.
build error happens in automatic configuration (when --enable-ppc-crypto-support is omitted from ./configure) and -mcpu=powerpc64le, -mcpu=power8 or power9 or -mpower8-vector flags are not passed to compiler.
Thank you, applied.
Also, add another change.
Backported to 2.2, too.
On behalf of @gyakovlev (pending approval for his account):
[03:05:23] <@gyakovlev> AC_DEFINE(HAVE_COMPATIBLE_CC_PPC_ALTIVEC,1, [03:05:23] <@gyakovlev> [Defined if underlying compiler supports PowerPC AltiVec/VSX/crypto intrinsics]) [03:05:34] <@gyakovlev> they should definitely check for __POWER8_VECTOR__ 1 [03:05:44] <@gyakovlev> it's not plain altivec [03:06:52] <@gyakovlev> that power check should check for __POWER8_VECTOR__ [03:06:52] <@gyakovlev> not only for what they check already. [03:08:59] <@gyakovlev> it probably should be checked after __powerpc64__ or instead of it.
Looks like it's triggered if e.g. -mcpu=power9 isn't in CFLAGS.
Build log here:
Jan 16 2022
Jan 15 2022
Jan 14 2022
Yes I think changing the textinteraction flags for these labels would be fine. But as this is only for one customer we should probably add some config like "no links". I think the about dialog things are more problematic as they come from Frameworks.
Is the problem links which can be clicked? Or the mere displaying of links? If the former needs to be changed, then removing the Qt::LinksAccessibleByMouse and Qt::LinksAccessibleByKeyboard flags from the textInteractionFlags of QLabel, QTextEdit, QTextBrowser would do it.
Oh, this is something we should fix anyway because users when evaluating Kleopatra and making configuration changes regularly run "gpgconf --kill all" anyway. Could it be that the SCD DEVINFO --watch fails because the gpg-agent is not yet started again?
Jan 13 2022
Note: Currently, killing the background processes causes a SIGPIPE (broken pipe) in the worker thread of the DeviceInfoWatcher. Kleopatra seems to survive this, but I'm not sure the thread survives. Starting a new SCD DEVINFO --watch fails with General error. On exit, the thread then receives a SIGABRT which crashes Kleopatra.
Jan 12 2022
You'll have to talk to the people you got pinentry-mac from.
No, these are simply the technically available algorithms. I'll see what I can do.
I don't know about pinentry-mac but it seems to be another name for
one our our regular pinentry variants.
Enable the setting Create OpenPGP encrypted files with ".pgp" file extensions instead of ".gpg in Kleopatra's Settings.
We provide lots of different flavors of pinentry, but we do not provide pinentry-mac. You'll have to talk to the people you got pinentry-mac from.
Rename the file and you are done.
Thanks for diving into the history of that code.
Here is the backport to 2.2:
In the original code, register_trusted_keyid is used in keygen.c, so that it updates user_utk_list, thus, will be into utk_list.
This should be done, by adding the keyid to utk_list directly.
Things have been a bit buggy here (probably, since the beginning).
Let me clarify:
- It was on 2003-11-01 (ChangeLog is on 2003-10-31 probably in US): rG5c37fd90bf81: * trustdb.h, trustdb.c (register_trusted_keyid): New. Adds a keyid to the list…
Jan 11 2022
I found this post when I was searching everywhere for a solution, and I was delighted. I've recently been trying to upload GpgFrontned in the Apple Store vs Microsoft and I'm having some trouble.
I went through the documentation related to FIPS and updated some wording to match reality. It will probably require still some more work.
This is my draft for the FIPS indicator KDF. I think we do not need to keep the original GCRYCTL_FIPS_SERVICE_INDICATOR if we replace it also in the tests. This will also need some tests and documentation update.