It seems to be 1.1.6 from 2010 or so. They use gpg 1.4.20 which misses a critical security fix.
May 4 2018
OOooh yeee.
Ok. Didn't know how bad gpg4usb really is.
I looked into it. Gpg4usb distributes their own binary GPGME version https://github.com/gpg4usb/gpg4usb/tree/master/linbuild/lib I don't even know which version that is. They are in violation of the GPL as they don't offer the source code of that GPGME version.
I'll volunteer to look into it. IMO "Invalid Crypto Engine" points definitely to a GPGME bug and I want to know what's going on there.
Thank you for the quick turn-around! I especially appreciate the difficulty of out-of-release-cycle changes.
This bug tracker does not support gpg4usb - please use their bug tracker.
Workaround is to click cancel so that the next key is tried; right?
This crash was new in Gpg4win-3.1.0 introduced with: dc48589b3d429d7d156c75b4e7bc784b140f40ce
Thank you for the report. I can reproduce the problem. I extended the title a bit so that it's easier to find for others who might also see this.
@dcialdella Well as you are here already you can open one here. Alternatively I would have thought Ubuntu's Launchpad.
Do not define NDEBUG - defining this is a bad idea. Anyway, I will fix that problem.
May 3 2018
@aheinecke thanks for the post.
When you said "open a new issue" is create here or in Ubuntu forums a new issue ?
I'll do. when ?
I imagine in some weeks will be solved but I use the tool everyday for secure text.
Both CRL downloads and the error handling / reporting is much improved in Gpg4win-3.1.1
This is resolved in my opinion. I've tested with some larger CRL's and it worked on Windows.
@dcialdella I've checked the Ubuntu Patches, they don't include the patch that caused the problem for GpgOL in this issue. Please report your problem either to Ubuntu or open a new issue, ideally with some instructions how to reproduce your problem.
May 2 2018
I've just checked the current build to the previous one (even when I get rid of the build directories, I keep a copy of the config.log since you never know when it might come in handy).
FYI: this most recent update broke builds on OS X 10.9 for Qt, but everything else is fine.
Thanks.
I assume -z0 could be used as a workaround but without compression then.
Fix goes into 2.2.7 to be released tomorrow (tm)
No longer happens when the good old ldapwrapper is used.
Apr 30 2018
gpg 2.2.4-1ubunt amd64 GNU Privacy Guard -- minimalist p
It's possible that was one of the upstream patches they decided to include.
It is in 1.30 which I released a few minutes ago. Only minor other changes.
@dcialdella Do you have a "non standard" GnuPG / GPGME installed? What are the versions?
I have the same issue with Xubuntu 18.04 lts, and GNUPG.
./start_linux_64bit
[Error] Source: GPGME String: "Invalid crypto engine"
[Error] Source: GPGME String: "Invalid crypto engine"
[Error] Source: GPGME String: "Invalid crypto engine"
The last change to the python installer was, IIRC, one I discussed with Justus off-list around the middle of, um, last year? Maybe the year before?
Apr 27 2018
Now there it gets complicated. According to the card software author in 3.3 and even 2.2 there is a fix. BUT there was a small amount of cards already created in 3.3 without the fix. Nobody ever told me how to differentiate them.
There is no Version 3.3.1 you can buy - it is only 3.3. So you can buy one and hope you have a good one.
At least this is my understanding.
@aheinecke maybe recheck with GNUPG 2.2.6 or 2.2.7.
I'm using the kdepim-docker for tests, that is based on KDE Neon, that is based on Ubuntu xenial (16.04), so the version for GnuPG2 is 2.1.11-6ubuntu2. Good to know, that the GnuPG version also matters for this stuff.
Hi Andre,
Thanks for the tip, moving unopened secure email to a folder is the solution, I guess I just had to ask.
Beta? the last issue I report I was told to test on the beta which worked and forgot upgrade afterward.
ALL GOOD! Merci!
Jacques
From: aheinecke (Andre Heinecke) <noreply@dev.gnupg.org>
Sent: April 27, 2018 12:43 AM
To: Jacques Latour <Jacques.Latour@cira.ca>
Subject: [Task] [Closed] T3943: gpgOL
aheinecke closed this task as "Invalid".
aheinecke added a comment.
yes sorry, but due to a design limitation it's impossible to move mails while the decrypted / verified content is visible. Our task for this is T3459 (https://dev.gnupg.org/T3459) (so I'm closing here as invalid even though the problem is valid.)
As workaround you have to move mails while they are not shown. E.g. if you move them without selecting them, or unselect a mail by shift clicking it. Here is an example what I mean by that:
https://files.intevation.de/users/aheinecke/gpgol_moving.gif
Btw. Is there a reason why you are using a beta and not 3.1.0 ?
Ok so it was impossible to detect when a mail is printed and block the printing until the decryption was completed.
This was fixed with 7eed3c4c5e9f84bed0e412213cf404a18cd54358
I can't reproduce this with GnuPG 2.2.6 or 2.2.7 beta and GPGME 1.11.0. There I correctly get User Canceled for OpenPGP but "No Secret Key" for S/MIME, also using GpgME++.
Hi Carlos,
yes sorry, but due to a design limitation it's impossible to move mails while the decrypted / verified content is visible. Our task for this is T3459 (so I'm closing here as invalid even though the problem is valid.)
Apr 26 2018
I note that this problem could also affect a user with multiple identities, one of which has their decryption keys on a smartcard. If a message arrives encrypted to both identities, but the user does not have their smartcard available, they will hit the same issue.
Does v3.3.1 fix this? (The release notes for it seem to imply that's not the case.)
Not to mention making sure we test for a time after the end of the old 32-bit clock.
Apr 25 2018
Still happens. There are also "BER" errors that seem random.
Alright, I will create a ticket with Exquilla to see with them if this could be fixed on their side.
Apr 24 2018
Very strange behavior caused this. Outlook seems to detach from an object model call, handle a window message, and then return the object model call.
Apr 23 2018
See also T2448
Apr 22 2018
Apr 21 2018
This is for importing passwords using a somewhat heuristic approach to accommodate for all the weird things other PKCS#12 implementations do. I have not looked into the specs for a decade and thus can't tell you the reason for those limitations. There might have been one back then. In any case PKCS#12 is the most insecure thing in the PKCS suite and it is questionable whether this can be called a standard.
Also confirming the workaround. Not sure whether it would have done me any justice to counter-sign the key after accepting it locally, since I only verified it against their web page. The web page is hard to find with a Google search, since Google does not turn the unspaced hexadecimal fingerprint into something that matches the space-every-four-digits format used on their PGP/GPG instruction page. Searching for "Facebook PGP key" works, though.
Apr 20 2018
Thanks for the quick reply @aheinecke.
I (as the maintainer of pinentry-qt) fully agree with your sentiment. I changed it in pinentry-qt (since version 1.0.0) so that the keyboard input is only grabbed (which is a security feature) when the input focus is on the passphrase entry as I found it very annoying myself.
This task and Forum reports about CRL errors caused me to investigate a bit and we found a Bug with CRL's on Windows. T3923 which might be the root cause.
Looks ok now in my tests. I still want to test against more CAs with more CRLs (e.g. COMODO and CACert)
Was Okish in my last tests. But I did not fix anything compared to 3.1.0
The commit mentioned fixes the problem.
I can confirm the workaround. After importing the key from Facebook everything works as expected!
Thank you very much!
Thank you very much. It helped. I can reproduce the problem now.
Same here with Mails from Facebook, here's the log
"Invalid crypto engine" means that there is some internal error in the signature verification / decryption.
I got an idea how to improve the situation here. But it's very complex and might break Outlook even for unencrypted mails. So it's very invasive.
Right now building the release.
@nitroalex Perhaps, creating a new ticket is better for this topic.
In the current OpenPGP card specification, there is no way for an application (except having a list of card implementation information) to know which algo and which curve is supported or not.
So, what an application does is try and error.
I don't like this situation, but I don't know how we can modify the specification.
Apr 19 2018
Linux, Ubuntu
Is that on Windows?