FWIW: It does works when using GNUPGHOME instead.

This has always been the case. git blame shows for check_signatures_trust:

This seems to be the case on 2.2.46 as well, fwiw. i don't think it's new in 2.4.7.

similarly, gpgconf --homedir /tmp/gg --kill all does not terminate keyboxd, despite the fact that gpgconf(1) says:

Hello Eva,

The beta145 Werner talks about can be found here: https://www.gpg4win.org/version5.html
It is from our master branch which is not de-vs capable at this time.

Hello Werner,
thank you for your support ...

Please test using the latest gpg4win installer (beta145).

The problem is that it may take really long to read the certificates form a card and some card applications even require to give a PIN for reading the certs. A background operation may thus surprisingly lock up the box

This was using GCC to build, but on AIX. I believe support for dollar signs in identifiers are platform specific.

GCC allows dollars in identifier, that's the reason why we haven't encountered this issue, I suppose.

Thank you for your report.

thanks for the fix in f29c8dba743eb7574399345ce341bbfb1f8f9bee !

rG25d48663f9 seems to fix this for me. However in my test cases I got a hang in dirmngr simply by running several gpgsm instances to get the details of an X.509 key. I had different logging options enabled, though.

I had this again yesterday. I don't think that scdaemon is involved. gpg-agent.log has this

2025-03-05 15:54:29 gpg-agent[1248] socket file removed - retrying binding
2025-03-05 15:54:29 gpg-agent[1248] Der Socket kann nicht an `C:\\Users\\g10code\\AppData\\Local\\gnupg\\S.gpg-agent' gebunden werden: Unknown error
2025-03-05 15:54:29 gpg-agent[1248] system error code: 0 (0x0)
2025-03-05 15:54:29 gpg-agent[1248] secmem usage: 0/32768 bytes in 0 blocks
2025-03-05 15:55:17 gpg-agent[2088] socket file removed - retrying binding
2025-03-05 15:55:17 gpg-agent[2088] Es wird auf Socket `C:\\Users\\g10code\\AppData\\Local\\gnupg\\S.gpg-agent' gehört
2025-03-05 15:55:17 gpg-agent[2088] socket file removed - retrying binding
2025-03-05 15:55:17 gpg-agent[2088] Es wird auf Socket `C:\\Users\\g10code\\AppData\\Local\\gnupg\\S.gpg-agent.extra' gehört
2025-03-05 15:55:17 gpg-agent[2088] socket file removed - retrying binding
2025-03-05 15:55:17 gpg-agent[2088] Es wird auf Socket `C:\\Users\\g10code\\AppData\\Local\\gnupg\\S.gpg-agent.browser' gehört
2025-03-05 15:55:17 gpg-agent[2088] socket file removed - retrying binding
2025-03-05 15:55:17 gpg-agent[2088] Es wird auf Socket `C:\\Users\\g10code\\AppData\\Local\\gnupg\\S.gpg-agent.ssh' gehört
2025-03-05 15:55:17 gpg-agent[2088] gpg-agent (GnuPG) 2.5.5-beta11 started

and scdaemon logged

2025-03-05 15:55:19 scdaemon[4100] Es wird auf Socket `C:\\Users\\g10code\\AppData\\Local\\gnupg\\S.scdaemon' gehört
2025-03-05 15:55:19 scdaemon[4100] Handhabungsroutine für fd -1 gestartet
2025-03-05 15:55:19 scdaemon[4100] DBG: chan_0x00000000000002d0 -> OK GNU Privacy Guard's Smartcard server ready, process 4100

i.e. there wasn't any scdaemon running before the second gpg-agent started successfully.

Thanks for the report! That's indeed a regression introduced by the changes for T7527: Keyring/keybox denial of service. Commenting/Removing line https://dev.gnupg.org/source/gnupg/browse/master/g10/getkey.c$343 seems to fix the regression, but (very likely) this would reintroduce the issues reported in T7527: Keyring/keybox denial of service.

whether you use --pinentry-mode=loopback or --pinentry-mode=cancel or --pinentry-mode=error, if gpg-agent has cached the password already, the decryption will work; otherwise, it will fail with an error like that describe above.

here's an example of no prompting at all using --pinentry-mode=loopback:

master is development and you can't expect that it always build on all platforms.

Here is a patch against master which normalizes line-endings when verifying text signatures over binary literal data packets

This is also causing problems with ostree, see https://bugs.debian.org/1098951 and https://github.com/ostreedev/ostree/issues/3386

I remove the milestone tag, as that one means "fixed in version 2.2.46" and added the general gnupg tag

The same effect seems to be happening on signatures made from expired keys.

Looks like scdaemon which I experienced today also but without having enabled scdaemon logging.

Logs of a recent hang

I don't see a bug here and any change in this domain disks a regression with existing data. BTW, the mode byte was not even part of the signed data before signature version 5.

My comment from a year ago still holds true; you may want to fix your testing framework and re-openig this bug iff you can show that there will be no regression with PGP 7 and later.

Thank you @werner ! I can confirm that the patches that have landed on STABLE-BRANCH-2-4 do clear up the DoS i was seeing for signature verification.

The patch below fixes the master branch to be compliant with the standards for CSF message generation and verification.

Also fixed for 2.4

This has been fixed in master with rG48978ccb4e:

Right when you use a different homedir you also need to pass --homedir to gpgconf or set GNUPGHOME before invoking gpgconf. If you call gpgconf via GPGME the --homedir option is passed; afaics we don't have a kill option gpgme.

Well, the different outcome depends on the order of the certificates or the string comparision in keyboxd. So it is not a keyboxd vs. pubring.kbx thing.

Okay, I can reproduce it when not using keyboxd.

Sorry. I can't reproduce this. Neither with master nor with the 2.4 repo version.

the reproducer is:

I don't think this is fixed. With this patch in place, if i import blocker.cert first, and then import distsigkey.gpg, it looks to me like i still can't verify signatures made from any of the GnuPG signing keys.

Can now be tested after the release of libassuan 3.0.2 (T6163)

As I am delving a bit into cryptocurrencies and since i have a ledger security token and a bip32 24 word mnemonic now backed up as stamped metal i have stumbled accross this topic:

Just a note that i've tested this and --clearsign appears to be problematic for 2.4.7 as well as 2.2.40.

I was referring to your comment earlier in this very issue:

Where do you find a statement that --keyring is deprecated? I planned to to remove it with 2.1 but there were too many requests to keep it and live with the problems of multiple keyrings. Thus the option stayed, it is just so that in addition to pubring.gpg and pubring.gpg we now also have the option for keyboxd - which is the default for new installations.

Looks the same in VSD 3.3.0 ans in Gpg4win:

I'm not going to keep re-opening a ticket that you keep closing. So i'm just going to state here what i believe to be the upstream intent is. If you think this is wrong, i'd love a clarification. I believe that "deprecated" means that the GnuPG project believes that an option or configuration choice should not be used, and will eventually go away.

The actual cause here was that right before storing the imported key we need to decide whether to insert or update a keyblock. For this we need to lookup the key in our database and the lookup function does the usual thing by looking at any fingerprint. This is wrong: Here we need to lookup only by primary fingerprint. This is what the above patches do.

That is not a new issue. We have the very same issue since ever. However, without keyboxd you had random results depending on the order of the keys in the keyring.

That is an installation/migration question and the warning is just a convenience thing to remind the few early users of keyboxd to migrate to common.conf.

As usual use ./deadbeef.... as the filename to distinguish it from a fingerprint.

To be clear about what's going on here, blocker.cert has simply adopted the primary keys of each certificate found in /usr/share/gnupg/distsigkey.gpg -- i think GnuPG requires each component key in its keystore to have a unique fingerprint across all component keys in the keystore. so when one certificate claims those fingerprints as subkeys, any certificate that has a primary key with a matching fingerprint gets rejected with doesn't match our copy.

I understand you as saying you won't fix the fact that the warning is not emitted during initial homedir setup. I'm not sure why that scenario is not worthy of a warning when a post-setup scenario is, but okay.

thanks for correcting that, @ikloecker. i've corrected the initial report.

Daniel confused --list-options with --dump-options. The linked completion script uses the latter.

I'm glad that inotify is already in use, that's a reasonable thing on the Linux platform.

Won't be fixed for the creation thing.

This is the old code from gnupg-2.0/agent/gpg-agent.c:

inotify is already used used on Linux to check for a lost homedir. The once-in-a-minute check should be the same as with the other daemons and has proved to be very useful. The whole thing has been discussed over and over again a long time ago and - as with other system daemon - we agreed on scheduling at the full second.

Removed extraneous space.

If you say so, i won't press this. I will just leave this ticket with an observation that even for someone who reads the source code this is not intelligible. At the top of gpgconf_list in g10/gpg.c, the comment says:

This warning doesn't seem to be complete; no such warning is produced on the first run of gpg. For example (with no ~/.gnupg):

$ man gpg
       --gpgconf-list
              This command is similar to --list-config but in general only internally used by the gpgconf tool.

In general, "only internally used" means: Don't use this yourself or accept what it does.

in combination with this patch it should be easy to modify gpgconf_list() (in g10/gpg,c) to emit compliance from the settings/cli options.