Fixed in 1.10.2.
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Feed Advanced Search
Advanced Search
Advanced Search
Apr 13 2023
Apr 13 2023
• gniibe closed T6376: FIPS 140-3: add explicit indicators for md and mac to unblock MD5 in apt as Resolved.
Fixed in 1.10.2.
• gniibe closed T6204: gpgme:python Fix setup.py, using pkg-config (not deprecated gpg-error-config and gpgme-config), a subtask of T5683: Deprecation of gpg-error-config, as Resolved.
• gniibe closed T6204: gpgme:python Fix setup.py, using pkg-config (not deprecated gpg-error-config and gpgme-config) as Resolved.
Fixed in 1.19.0.
• gniibe closed T6273: AM_PATH_GPGME requires preceding invocation of AM_PATH_GPG_ERROR as Resolved.
Fixed in 1.19.0.
Fixed in 1.19.0.
Apr 12 2023
Apr 12 2023
It is a bit complicated. Let me describe the situation.
ENOSYS is POSIX. My point is that: getrandom was introduced in Linux kernel with flags for particular purpose (differentiate use of /dev/random and /dev/urandom), but that feature has gone.
But, for FIPS behavior, RHEL and related OS use (possibly, some would say misuse) getrandom with GRND_RANDOM. This use is RHEL specific (not for other GNU/Linux). Use of getrandom is non-POSIX.
Returning ENOSYS is too strict, in my opinion; Because the code in question doesn't work for machines other than CentOS/Fedora/RHEL. For other machines, it would be natural to just rely on getentropy (rather standard call).
Apr 11 2023
Apr 11 2023
• gniibe committed rCfa21ddc158b5: random: Use getrandom only when it's appropriate. (authored by • gniibe).
random: Use getrandom only when it's appropriate.
Apr 10 2023
Apr 10 2023
Fixed in 1.47.
• gniibe added a project to T6443: ntbtls-0.3.1 does not configure against libgpg-error-1.47: ntbtls.
• gniibe changed the status of T6444: pinentry-1.2.1 does not configure against libgpg-error-1.47 from Open to Testing.
• gniibe changed the status of T6442: libgcrypt-1.10.2: getrandom() is not available everywhere from Open to Testing.
• gniibe changed the status of T6443: ntbtls-0.3.1 does not configure against libgpg-error-1.47 from Open to Testing.
• gniibe added a comment to T6257: Without gpg-error-config installed (libgpg-error-1.46) libgcrypt-1.10.1 does not configure.
Fixed in libgcrypt 1.10.2.
@debohman Thank you!
• gniibe committed rE9c17795ec25f: gpgrt-config: Simplify to set gpgrt_libdir. (authored by • gniibe).
gpgrt-config: Simplify to set gpgrt_libdir.
@debohman Thank you for the log. Thank you also for your testing pinentry master.
• gniibe closed T6288: Document gpgrt-config in detail or improve it to support simple invocation as Resolved.
Fixed in libgpg-error 1.47.
Possibly, your problem may be gpg-error.m4 in pinentry. If so, you can replace m4/gpg-error.m4 in pinentry by src/gpg-error.m4 in libgpg-error.
Then, regenerate configure of pinentry.
(In the repo of pinentry gpg-error.m4 is already updated.)
@debohman Please describe your failure.
The functionality of gpg-error-config is replaced by gpgrt-config. However, the script of gpg-error-config itself cannot be replaced by gpgrt-config.
(As the output of configure said,) in the configure script, gpgrt-config is invoked with --libdir somewhere (/usr/local/lib/x86_64-linux-gnu, in my case above) option to work as the gpg-error-config script replacement.
Thank you for the report.
Please see T6444.
Please describe your problem in a way other people can reproduce.
Apr 7 2023
Apr 7 2023
po: Update Japanese Translation.
• gniibe closed T6388: libgcrypt: gpgrt-config not found in $PREFIX if there are no less-preferred options found via $CC as Resolved.
Fixed in 1.10.2.
Apr 6 2023
Apr 6 2023
• gniibe committed rGcb055ecb9109: gpg: Fix handling of importing cv25519 secret key. (authored by • gniibe).
gpg: Fix handling of importing cv25519 secret key.
• gniibe changed the status of T6322: The warning "lower 3 bits of the secret key are not cleared" keeps showing even cv25519 key was generated by GnuPG from Open to Testing.
• gniibe claimed T6322: The warning "lower 3 bits of the secret key are not cleared" keeps showing even cv25519 key was generated by GnuPG.
Sorry, it took time (for me) to understand the issue, as this is not 100%-reproducible bug. And it was not clear (for me) that how passphrase were offered in the interaction, so, I was not possible to see if it's encrypted or not.
build: Update gpg-error.m4.
Apr 5 2023
Apr 5 2023
build: Update gpg-error.m4.
Fix to silence a warning.
build: Update gpg-error.m4.
build: Update gpg-error.m4.
build: Update gpg-error.m4.
build: Update gpg-error.m4.
Fix for modern compiler.
build: Update gpg-error.m4.
Apr 4 2023
Apr 4 2023
• gniibe changed the status of T6384: libgcrypt link error if cipher chacha20 is not included from Open to Testing.
Fixed in master and 1.10 branch.
• gniibe committed rC137f1fd82bc9: cipher: Enable the fast path to ChaCha20 only when supported. (authored by • gniibe).
cipher: Enable the fast path to ChaCha20 only when supported.
core: Add GPG_ERR_SOURCE_TKD.
Probably, this change should work:
diff --git a/po/zh_CN/kleopatra.po b/po/zh_CN/kleopatra.po index 56b06e04..f34112a9 100644 --- a/po/zh_CN/kleopatra.po +++ b/po/zh_CN/kleopatra.po @@ -4680,7 +4680,7 @@ msgstr "发件人" #: src/crypto/gui/resultitemwidget.cpp:132 #, kde-format msgid "Force decryption" -msgstr "强制加密" +msgstr "强制解密"
• gniibe changed the status of T6432: libgcrypt - flag munging does not account for -Oz from Open to Testing.
After testing the builds of master for several distributions/gcc/clang, applied to 1.10 branch too.
Apr 3 2023
Apr 3 2023
Thank you for the report.
Fixed in master. Let us consider if it will be backported to 1.10 (or not).
build: Allow build with -Oz.
Apr 1 2023
Apr 1 2023
m4: Update gpg-error.m4.
• gniibe committed rEc61e831b6f0c: m4: Fix behavior with older gpg-error-config and gpgrt-config. (authored by • gniibe).
m4: Fix behavior with older gpg-error-config and gpgrt-config.
Mar 25 2023
Mar 25 2023
• gniibe added a comment to T6388: libgcrypt: gpgrt-config not found in $PREFIX if there are no less-preferred options found via $CC .
@tlaurion Thank you for the report, but your particular problem is irrelevant to this ticket.
I lightly looked the log and noticed that the cross build would have some confusions for pkg-config, however, that's not our problem but yours.
For the particular failures in your build, the issues look like a problem of musl linker. It seems that it requires all dependency of libraries to be used, even if an executable doesn't use a library directly.
If it is the case, we need a patch... something like:
Mar 24 2023
Mar 24 2023
• gniibe changed the status of T6417: FIPS service indicator regarding the public key algorithm flags and objects from Open to Testing.
Pushed the change.
• gniibe committed rC1c916b8c99ea: fips: More elaborate way of getting FIPS pk flags indicators. (authored by • gniibe).
fips: More elaborate way of getting FIPS pk flags indicators.
Having GPG_ERR_BAD_PUK makes sense. So, I added a tag for gpg-error.
Mar 23 2023
Mar 23 2023
build: Update gpg-error.m4.
• gniibe changed the status of T6388: libgcrypt: gpgrt-config not found in $PREFIX if there are no less-preferred options found via $CC from Open to Testing.
Fixed in master (of libgpg-error).
Pushed the change to libgcrypt (master and 1.10 branch).
• gniibe committed rEed36ba06f907: m4: Fallback to $possible_libdir1, when not found with $CC. (authored by • gniibe).
m4: Fallback to $possible_libdir1, when not found with $CC.
Mar 22 2023
Mar 22 2023
• gniibe added a comment to T6388: libgcrypt: gpgrt-config not found in $PREFIX if there are no less-preferred options found via $CC .
Thank you for the bug report.
Mar 21 2023
Mar 21 2023
Mar 20 2023
Mar 20 2023
• gniibe closed T1734: [SUGGESTION] Implement a function to re-generate public keys and(!) "stubs" from private keys stored on smartcard only as Resolved.
gpg-agent now supports READKEY --card command which creates stub file when it's not yet available on host computer.
It was implemented by rG82cbab906a3e: agent: Add --card option for READKEY.
Mar 14 2023
Mar 14 2023
• gniibe committed rCfae63f517906: tests: Improve test coverage for FIPS service indicators. (authored by Jakuje).
tests: Improve test coverage for FIPS service indicators.
• gniibe committed rCe0a5a9eb8301: fips: Explicitly disable overriding random in FIPS mode. (authored by Jakuje).
fips: Explicitly disable overriding random in FIPS mode.
fips: Explicitly allow only some PK flags.
doc: Document the new FIPS indicators.
Mar 8 2023
Mar 8 2023
scd: Fix checking memory allocation.
• gniibe moved T6376: FIPS 140-3: add explicit indicators for md and mac to unblock MD5 in apt from Backlog to Next on the FIPS board.
• gniibe changed the status of T6376: FIPS 140-3: add explicit indicators for md and mac to unblock MD5 in apt from Open to Testing.
Thank you.
Applied to both (master and 1.10).
• gniibe committed rCdc4a60e2d70b: fips: Unblock MD5 in fips mode but mark non-approved in indicator. (authored by tobhe).
fips: Unblock MD5 in fips mode but mark non-approved in indicator.
• gniibe committed rCc88672a327f6: fips: Add explicit indicators for md and mac algorithms. (authored by tobhe).
fips: Add explicit indicators for md and mac algorithms.
• gniibe changed the status of T6397: PCT failures inconsistency in regards to the FIPS error state from Open to Testing.
• gniibe changed the status of T6396: the gcry_pk_hash_sign/verify operates in FIPS non-operational mode from Open to Testing.
• gniibe changed the status of T6394: FIPS requires running PCT tests unconditionally from Open to Testing.
• gniibe changed the status of T6393: DRBG with SHA384 is no longer allowed in FIPS mode (and looks like impossible to enable anyway) from Open to Testing.
• gniibe moved T6397: PCT failures inconsistency in regards to the FIPS error state from Next to Ready for release on the FIPS board.
• gniibe moved T6396: the gcry_pk_hash_sign/verify operates in FIPS non-operational mode from Next to Ready for release on the FIPS board.
• gniibe moved T6394: FIPS requires running PCT tests unconditionally from Next to Ready for release on the FIPS board.
Mar 7 2023
Mar 7 2023
• gniibe committed rCf5fe94810f30: kdf: Update tests in regards to the allowed parameters in FIPS mode. (authored by Jakuje).
kdf: Update tests in regards to the allowed parameters in FIPS mode.
fips: Check return value from ftell
• gniibe moved T6393: DRBG with SHA384 is no longer allowed in FIPS mode (and looks like impossible to enable anyway) from Backlog to Next on the FIPS board.
• gniibe claimed T6393: DRBG with SHA384 is no longer allowed in FIPS mode (and looks like impossible to enable anyway).
Applied your patch (from gitlab) to both (master and 1.10).
random: Remove unused SHA384 DRBGs.
• gniibe moved T6396: the gcry_pk_hash_sign/verify operates in FIPS non-operational mode from Backlog to Next on the FIPS board.
Applied to both (1.10 and master).
• gniibe committed rC654d0dfa0499: visibility: Check FIPS operational status for MD+Sign operation. (authored by Jakuje).
visibility: Check FIPS operational status for MD+Sign operation.
• gniibe added a comment to T6393: DRBG with SHA384 is no longer allowed in FIPS mode (and looks like impossible to enable anyway).
You are right, there is no way to use DRBG with SHA384 by libgcrypt.
• gniibe moved T6397: PCT failures inconsistency in regards to the FIPS error state from Backlog to Next on the FIPS board.
• gniibe moved T6394: FIPS requires running PCT tests unconditionally from Backlog to Next on the FIPS board.
Applied to both (1.10 and master).
Applied to both (of 1.10 and master).
• gniibe committed rC2ddeec574bc1: ecc: Do not allow skipping tests in FIPS Mode. (authored by Jakuje).
ecc: Do not allow skipping tests in FIPS Mode.
• gniibe committed rC23a2d1285e35: ecc: Make the PCT recoverable in FIPS mode and consistent with RSA. (authored by Jakuje).
ecc: Make the PCT recoverable in FIPS mode and consistent with RSA.
Mar 6 2023
Mar 6 2023
Mar 3 2023
Mar 3 2023
• gniibe added a comment to T6390: ECC: Explain GnuPG's CV25519 key and its ECDH (comarison to X25519).
Note that for the OpenPGP implementations which use X25519 API, it is not possible to calculate [scalar]G with scalar having least significant three bits != 0.
Feb 27 2023
Feb 27 2023
• gniibe added a comment to T6390: ECC: Explain GnuPG's CV25519 key and its ECDH (comarison to X25519).
CV25519 private key secret part:
- Standard MPI (big-endian) of 255-bit
- The value should have zeros for least significant three bits, its most significant bit (255th bit) should be set.
- the value should be the one after decodeScalar25519 function in RFC7748
CV25519 public part from secret part:
- Simply calculated by [secret-part]G
• gniibe triaged T6390: ECC: Explain GnuPG's CV25519 key and its ECDH (comarison to X25519) as Normal priority.
Feb 22 2023
Feb 22 2023
Fix returning EC_POINT.