I think in my previous messages the most important feature I'm missing was not
clear as I've mostly talked about subkeys and ECC curves. But what really
hinders me in making Kleopatra's key gen dialog more user friendly immediately,
even with default parameters for the key, is the API limit of only one user ID.
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Advanced Search
Mar 23 2016
Mar 22 2016
Leaving the GUI vs. Commandline argument aside. I still think the batch keygen
API needs to be "modernized"
E.g. with improved authentication support in gnupg 2.1 it will become more
common to generate a key with an authentication subkey. Even the common case of
different Certify / Sign / Encrypt subkeys is not supported by the current API.
Maybe the Curves / Algos can be split up but I think gpgme needs API to query
supported Curves / Algos from GnuPG as this is more dynamic in GnuPG 2.1 then it
has been in previous versions.
Mar 17 2016
The actual plan is to restrict the wauys how gpgme can create keys. In the
future there will be only one way to create a key and no way to select an
algorithm. Those who want to use non-default algorithm should resort to the
command line and the --expert option.
Fixed with commit 1aad5c6.
Thanks for the easy test case.
Mar 16 2016
I believe I have also seen this issue (or something very similar) on my Windows
7 64bit machine. I am running gpg 2.1.11. I hope this isn't redundant, but it
seems that I need to restart scdaemon anytime I unplug/replug my yubikey or
suspend/resume my computer.
Sometimes it doesn't recover even after restarting scdaemon. In those cases, I
am able to fix it by stopping scdaemon, removing the yubikey, starting scdaemon,
and finally reinserting the yubikey.
As Dashamir Hoxha in the mailinglist gnupg-users mentioned, even with the
--quiet flag enabled, there still is logging output after/during the validation
of the trust-db.
When the user enables the --quiet flag, there should be no log_info output to
the stdin. At most points in the code its managed like in ./g10/trustdb.c:970
(Commit b752d2c93778e6a1c1de3eddf8fc725b0ddd354e in master from the public Git).
But after the silenced output there, it goes into the validate function, where
still is a log_info output in ./g10/trustdb.c:2057 (Same commit as mentioned
above).
relevant to T1424
Mar 10 2016
Mar 8 2016
Sorry, I was using --check-trustdb as a shorthand for the actual function.
Mar 7 2016
On Sunday 06 March 2016 at 15:18:54, Neal Walfield via BTS wrote:
is for --check-trustdb
Mar 6 2016
Thanks for reporting this. The right solution is for --check-trustdb to ignore
legacy keys.
Mar 4 2016
If i remove the com-certs I get the exact same behavior as I'm seeing on windows.
aheinecke@esus ~/a/e/src> export GNUPGHOME=$(mktemp -d)
aheinecke@esus ~/a/e/src> gpgsm -k
gpgsm: keybox '/tmp/tmp.hyElMR6oUi/pubring.kbx' created
aheinecke@esus ~/a/e/src> gpg2 --import
~/arbeit/gpg4win/zertifikate/testuserA-pub.asc
gpg: /tmp/tmp.hyElMR6oUi/trustdb.gpg: trustdb created
gpg: key 6CFBC912: public key "Test UserA <testusera@example.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
aheinecke@esus ~/a/e/src> gpgsm -k
gpgsm: keydb_search failed: Invalid argument
From the debug output it looks to me that gnupg is using keyring functions to
work with the keybox.
I can reproduce this now without Kleopatra and on GNU/Linux:
export GNUPGHOME=$(mktemp -d)
gpgsm -k
< imports /opt/gnupg/share/gnupg/com-certs.pem >
(this is not done on windows so maybe the errors differ because of that)
gpg2 --import ~/arbeit/gpg4win/zertifikate/testuserA-pub.asc
Result:
gpg: [don't know]: invalid packet (ctb=00)
gpg: keydb_get_keyblock failed: Value not found
gpg: [don't know]: invalid packet (ctb=00)
gpg: /tmp/tmp.f5ub2ZRYC0/pubring.kbx: copy to
'/tmp/tmp.f5ub2ZRYC0/pubring.kbx.tmp' failed: Invalid packet
gpg: error writing keyring '/tmp/tmp.f5ub2ZRYC0/pubring.kbx': Invalid packet
gpg: [don't know]: invalid packet (ctb=00)
gpg: keydb_search failed: Invalid packet
gpg: key 6CFBC912: public key "[User ID not found]" imported
gpg: [don't know]: invalid packet (ctb=00)
gpg: error reading
'/home/aheinecke/arbeit/gpg4win/zertifikate/testuserA-pub.asc': Invalid packet
gpg: import from '/home/aheinecke/arbeit/gpg4win/zertifikate/testuserA-pub.asc'
failed: Invalid packet
gpg: Total number processed: 0
gpg: imported: 1
gpg2 --version
gpg (GnuPG) 2.1.11
libgcrypt 1.7.0-beta307
I'll try now with git master.
The debug output from gnupg for an import that caused a corruped keybox.
It's not for the attached pubring.kbx but I have the file that was generated If
you need it.
What I did in the log was to start kleopatra (The output of process is 2428 is
likely the debug output of the initial keylisting kleopatra did)
Then imported a test key and afterwards closed kleopatra.
Mar 3 2016
Feb 10 2016
Feb 1 2016
Jens,
thanks for the report. Now I can classify this as GnuPG "modern" issue. :)
Bernhard
Jan 26 2016
Meanwhile the toggle command is a dummy and the extra infos for secret keys are
always displayed.
Jan 21 2016
Jan 20 2016
Thanks, now this works as expected for me :-)
Jan 15 2016
Jan 11 2016
This was implemented for 2.1. We won't backport it to 1.4 or 2.0.
Right, getkey_next had a somewhat surprising semantic. I fixed that with commit
b280aa6.
It also works with ECDSA keys.
Jan 8 2016
Current master b2da3951 segfaults on me.
Btw. I think this is likely because i have a local ID without an Authentication
subkey for aheinecke@gnupg.org
(gdb) run --export-ssh-key aheinecke@gnupg.org
Starting program: /opt/gnupg/bin/gpg2 --export-ssh-key aheinecke@gnupg.org
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
gpg: enabled debug flags: memstat
Program received signal SIGSEGV, Segmentation fault.
lookup (ctx=ctx@entry=0x6dd940, ret_keyblock=ret_keyblock@entry=0x0,
ret_found_key=ret_found_key@entry=0x7fffffffd998,
want_secret=<optimized out>) at ../../g10/getkey.c:3116
3116 *ret_keyblock = keyblock; /* Return the keyblock. */
(gdb) bt full
#0 lookup (ctx=ctx@entry=0x6dd940, ret_keyblock=ret_keyblock@entry=0x0,
ret_found_key=ret_found_key@entry=0x7fffffffd998,
want_secret=<optimized out>) at ../../g10/getkey.c:3116 rc = 0 no_suitable_key = 0 keyblock = 0x0 found_key = 0x701980
#1 0x0000000000415bb6 in getkey_next (ctx=0x6dd940, pk=0x0, ret_keyblock=0x0)
at ../../g10/getkey.c:1636
rc = <optimized out> found_key = 0x0
#2 0x000000000045713a in export_ssh_key (ctrl=0x6dd810, userid=0x7fffffffe420
"aheinecke@gnupg.org") at ../../g10/export.c:1437
getkeyctx = 0x6dd940 keyblock = 0x6fd160 desc = {mode = KEYDB_SEARCH_MODE_SUBSTR, skipfnc = 0x0, skipfncvalue =
0x0, sn = 0x0, snlen = 0, u = {
name = 0x7fffffffe420 "aheinecke@gnupg.org", fpr = "
\344\377\377\377\177", '\000' <repeats 17 times>, kid = {
4294960160, 32767}, grip = " \344\377\377\377\177", '\000'
<repeats 13 times>}, exact = 0}
curtime = 1452288169 pk = 0x0 identifier = 0x6ddb80 "" mb = {len = 0, size = 4096, buf = 0x6e5d70 "", out_of_core = 0} fp = 0x6dd810 b64_state = {flags = 7199040, idx = 0, quad_count = -153676256, fp =
0x10, stream = 0x6dd800, title = 0x6ddb80 "",
radbuf = "\000\000\000", crc = 0, stop_seen = -1, invalid_encoding =
0, lasterr = 0}
fname = 0x7fffffffe420 "aheinecke@gnupg.org"
#3 0x000000000040dc00 in main (argc=1, argv=0x7fffffffdfe8) at ../../g10/gpg.c:4193
pargs = {argc = 0x7fffffffdb9c, argv = 0x7fffffffdb90, flags = 32769,
err = 0, r_opt = 0, r_type = 0, r = {ret_int = 0,
ret_long = 0, ret_ulong = 0, ret_str = 0x0}, internal = {idx = 2,
inarg = 0, stopped = 1,
last = 0x7fffffffe420 "aheinecke@gnupg.org", aliases = 0x0,
cur_alias = 0x0, iio_list = 0x0}}
a = 0x6dd800 orig_argc = 0 orig_argv = 0x6ddb80 fname = 0x7fffffffe420 "aheinecke@gnupg.org" sl = 0x0 remusr = 0x6ddb40 locusr = 0x0 nrings = 0x0 afx = 0x7fffffffe420 configfp = 0x7fffffffe420 configlineno = 27 parse_debug = 7198720 cmd = aExportSshKey malloc_hooks = {malloc = 0x405ee0 <gcry_malloc@plt>, realloc = 0x406d40
<gcry_realloc@plt>, free = 0x406290 <gcry_free@plt>}
ctrl = 0x6dd810
Done with commit 4970868 to be released with 2.1.11.
This uses a new command and not an export option so that export options can be
kept in the conf file.
ECDSA keys (NIST keys) do not yet work.
Jan 7 2016
Right, this is what I actually had in mind. Using the "<keyid>!" notaion it
would also be possible to export any primary of subkey in ssh format.
Jan 5 2016
Commit e70f7a5 fixes this for 2.1.
Should be backported.
Thanks.
I've tested to generate an rsa2048 key with backup on a v2.0 card and it works
now. I have not tested restoring from backup etc. But as this report was about
the failed generation, this issue is resolved imo.
Thanks!
Dec 31 2015
Dec 26 2015
The patch seems to have fixed it.
Dec 24 2015
I removed the not-working checkbkupkey subcommand in
44aee35e69540510617aea4b886ef845590960fe
Also fixed the bkuptocard subcommand in: 40959add1ba0efc1f4aa87fa075fa42423eff73c
Dec 22 2015
Thank you again.
It is likely that the token itself doesn't work well after wakeup from sleep
mode. In this case, all that we can do is re-inserting the token manually.
I'm not sure how PC/SC service handles USB reset after wakeup.
Sorry to say, but mapping the error to "no reader" doesn't help. The first
reset event doesn't get handled. Later it trys to remove the reader but it's
not getting correctly resetted/reinserted again.
I've attached the debug log again
Thank you for further testing.
I think that current code doesn't handle the case when card goes inactive/reset
while reader keeps working. Current code only goes to the reset sequence for a
card again when it detects reader failure. So, although the concept is
different, I think mapping PSCS_W_CARD_RESET to SW_HOST_NO_READER (for now) will
work. Given the situation we don't yet support multiple cards, this workaround
would be OK for a while.
Nope. Neither mapping the "reset card" event to SW_HOST_CARD_INACTIVE or
SW_HOST_NO_CARD helps. It seems that somewhere in the code the return code
SW error codes are not being handled correctly and the card doesn't get
resetted.
I've attached a small log where you can see that pcsc returns the error
reason "reset card" which then gets remapped to "Card reset required" (was
general error before). I also can see that the error is getting mapped to
GPG_ERR_CARD_RESET (because of the error message "Card reset required")
leaving the daemon around with no working card and reporting general errors
again (0x100b).
Additional Info: This bug only happens when you put your computer/laptop
into sleep mode while the smartcard/reader (yubikey) is plugged in. If I
remove the reader before putting it to sleep and attaching it after getting
out of the sleep mode, the scdaemon works fine.
Dec 21 2015
Maybe it's more appropriate to map the PSCS_W_CARD_RESET event to the
SW_HOST_CARD_INACTIVE error code which later gets mapped to GPG_ERR_CARD_RESET
error code.
I've attached the patch file. It would make sense to backport this mapping as
well. Right now it's not yet tested.
I found another problem with the smartcard service under windows. Putting
the system into sleep mode and waking it up again creates an 0x80100068
error code (aka PCSC_W_RESET_CARD).
I'll test if it helps to map the RESET_CARD event to the same REMOVE_CARD
event to get the card reactivated after sleep mode.
Logfile:
2015-12-21 22:16:57 scdaemon[10040] DBG: send apdu: c=00 i=CA p1=00 p2=C4
lc=-1 le=256 em=0
2015-12-21 22:16:57 scdaemon[10040] DBG: PCSC_data: 00 CA 00 C4 00
2015-12-21 22:16:57 scdaemon[10040] pcsc_transmit failed: reset card
(0x80100068)
2015-12-21 22:16:57 scdaemon[10040] apdu_send_simple(0) failed: general
error
Dec 18 2015
Dec 17 2015
I'm considering fixing this.
Dec 15 2015
For my case with OpenPGPcard, the patch fixed the problem of wrong fingerprint
computation. Please test with the patch.
Sorry for my mistake for reading your post. I considered it would be the case
for m, but I also fixed the case for e, the exponent.
Here, I reproduce the problem with OpenPGPcard (while it only occurs 1/256 with
Gnuk Token).
I confirmed that original OpenPGPcard returns e as four bytes 00 01 00 01 with
0x00 in front. This causes 100% failure for fingerprint computation.
I'm going to test the patch with OpenPGPcard. (I'm now installing newer
libgpg-error, to build master of GnuPG.)
Dec 14 2015
gniibe: its not one failure in 248. It was 248 failures in 248 tries...
werner: I had to downgrade to have a working system. I hope I'll find time to
reproduce this this week
Thank you for the bug report. The ratio of 1 failure among 248 made me a great
hint to locate the bug.
I think that it is fingerprint computation bug, which is fixed here:
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=d40975cbe8ff86fcc4a1b4963fdffc66ddee85ce
Dec 11 2015
Thank you for your testing.
Your change is pushed with my comment:
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=d1a97585c5e73fbc7d4cf90e38f76ffc5aea305f
I'll backport this to GnuPG 2.0.
Dec 10 2015
Here's the logfile with all the errors (guru debug level) vanilla 2.1.10
After some time spending fighting with the build tools of gnupg (cross compile
for windows under debian) I managed to build the installer with my patched
file.
Most important: The most common error thrown is the 0x8010001e
(E_SERVICE_STOPPED) This is the important one. The other error 0x8010001d
(E_NO_SERVICE) is only thrown in the transition from ok to stopped. So only
sometimes.
This was my process:
git clone git://git.gnupg.org/gnupg.git
cd gnupg
git checkout tags/gnupg-2.1.10
./autogen.sh
cat ../0001-scd-Fix-removal-of-unplugged-usb-readers.patch | patch -p1
sed -i -e 's/^SELFCHECK=1/SELFCHECK=0/' build-aux/speedo.mk
make -f build-aux/speedo.mk w32-installer
I've created new logfiles (vanilla 2.1.10 und patched 2.1.10) to show the
difference and confirm that it'S actually working now :-)
I'm okay with signing off the commit. I can test this for Windows 8.1 or 10,
my only problem is that I'm not able to compile gpg for windows right now. Or
are there instructions somewhere on how to achieve this?
Thank you again.
I think that Windows 8 (and later) changed the PC/SC service. The service is
only available when smartcard is there, and after the removal, it returns
PCSC_E_NO_SERVICE error. This is not expected for current code.
I'm applying your patch with my comment like above. Do you agree to put the
line in the commit log?:
Signed-off-by: Daniel Hoffend <dh@dotlan.net>
I don't have Windows 8 machine. So, I leave this issue as testing.
No, I just installed version 2.1.10 (which included your mentioned fix). But the
error still applies.
In my case the smartcard reader never gets closed, cause the error thrown by the
pcsc/scd gets only mapped to a general_error which does not result in
removing/closing the reader interface.
I've the feeling that we've to take a closer look at the errors thrown (at least
those 2 in my patch). Maybe there're even more possible events.
If you like I can upload the debug log of scdaemon 2.1.10 ... (if that helps).
Somehow I don't have any issues when running linux, this bug applies to windows
only atm. Maybe it's just that windows is throwing different errors or events
compared to linux.
Thank you for the bug report with log.
It could be related to the bug which was just fixed:
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=f42c50dbf00c2e6298ca6830cbe6d36805fa54a3
I'm backporting this to 2.0.x.
Dec 7 2015
After looking at the gnupg 2.0 branch I would say the patch could be applied
to the 2.0 and 2.1 branch to fix the issue in both branches stable/modern
since both version are affected (tested with 2.1.9 and 2.0.29 from gpg2win)
When this feature becomes available, then we should probably disable
"gtk-entry-password-hint-timeout". See the following Debian bug report for details:
Dec 4 2015
Err, fixed in 6ac57a48.