- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
All Stories
Jan 22 2022
Jan 21 2022
Sorry about that! Maybe consider adding a line "Check that the issue persists in the latest version" to the "How to file a bug". I was going through this list, so it would have caught me.
This looks like a missing escaping issue in the sender (scdaemon?) or an unwanted unescaping issue in the receiver of the string (which uses Kleo::hexdecode()).
Jan 20 2022
Thanks
gpgme_key_t is a different kind of object than a gpgme_foo_result_t and thus has different properties.
Please try again with a recent version of GnuPG (2.2.33 or 2.3.4) and libksba (1.6.0) and reopen this bug if the problem persists.
The bug with the long filenames has been fixed but it is not yet released. Release will be in gpg4win 4.0.1 See T5754.
Test cases are recovered in rC535a4d345872: fips: Recover test cases for selftest, add skipping in FIPS mode..
Hi gniibe,
Unfortunately, gdb session log and ktrace log don't have enough information to locate the cause/problem.
Jan 19 2022
While trying to test the X.509 directory server configuration in Kleopatra, I stumbled over difference between 2.2 and 2.3 and a possible regression in 2.2.
Sorry, it's my misunderstanding.
_gcry_fips_run_selftest can be run by GCRYCTL_SELFTEST.
I was confused by the function name. Perhaps, it is good to change the name of function to _gcry_run_selftest.
@werner Those removed tests are selftests which are only invoked by FIPS mode for its requirement of selftests.
AFAICS, the last commit removes some tests. We should never remove a test just because FIPS does not allow it. The old tests need to be run in non-fips mode.
Pushed the change in rC76aad97dd312: fips: Reject shorter key for HMAC in FIPS mode..
thanks, looks good!
Jan 18 2022
that's great news to my eyes. thanks werner!
$ gpg --debug 0 --gpgconf-test gpg: reading options from '/etc/gnupg/gpg.conf' gpg: reading options from '/home/foo/.gnupg/gpg.conf' gpg: reading options from '[cmdline]' gpg: reading options from '/etc/gnupg/common.conf' gpg: reading options from '/home/foo/.gnupg/common.conf'
Excuse me you are right of course. man gpgconf | grep quot says it all.
man gpg | grep quote nor man gpgconf | grep quote does not tell anything about it. I recognized the single opening quote of "string at post processing the output of gpgconf --list-options to generate a gpgconf.conf template. I just expected a closing quote for "string".
From which version on there will be global config files? The only info I found was about /etc/gnupg/gpgconf.conf and /etc/skel/.gnupg/* to manage presets.
vitusb: We had this discussion on cryptography@ years ago. No need to start it again - or well, try it over there. This is a bug tracker and not a discussion forum.
@werner Hmm, okay. So I have tested the wrong thing. To me /etc/gnupg/gpgconf.conf looked very much like a global config file I was supposed to test. I have looked at /etc/gnupg, found the example gpgconf.conf and played around with it. It had some effects (see above), so I assumed that it should work. Since it's obvious from my tests, that it doesn't really work as documented anymore, all corresponding code should be removed entirely (or fixed if it should be kept for backward compatibility).
ikloecker: gpgconf.conf ist not anymore used since we have the global config files.
Thank you.
With /etc/gnupg/gpgconf.conf
[empty lines and comment lines] * gpgsm verbose [no-change] gpgsm quiet [no-change] gpgsm debug-level [no-change] gpgsm log-file [no-change] gpgsm include-certs [no-change] gpgsm compliance [no-change] gpgsm default-key [no-change] gpgsm encrypt-to [no-change] gpgsm keyserver [no-change] gpgsm disable-dirmngr [no-change] gpgsm auto-issuer-key-retrieve [no-change] gpgsm p12-charset [no-change] gpgsm disable-crl-checks [no-change] gpgsm enable-crl-checks [no-change] gpgsm disable-trusted-cert-crl-check [no-change] gpgsm enable-ocsp [no-change] gpgsm disable-policy-checks [no-change] gpgsm cipher-algo [no-change]
all options are correctly flagged as "no change" in the output of gpgconf
More weirdness. With gpgconf (GnuPG) 2.2.34-beta23 I get:
These curves are not the default in the compliance mode "gnupg" only if you explicitly switch to the BSI defined "VS-NfD" mode they become default.
This is related to the fix for T5100. We had to to remove the version number from the AID and gpg --card-status takes the version number from the AID. gpg-card was fixed for this but gpg --card-status not.
--apply-defaults is an obsolete option because we now have global config files. I would also like to get rid of --debug-level but that won't be easy. Using --debug LIST_OF_DEBUG_FLAGS is a more versatile way of specifying debug options.
Nope. The double quote indicates a string. See the man page.
And we need to fix selftest for shorter keys.
@pmgdeb : IIUC, what we need is:
diff --git a/cipher/md.c b/cipher/md.c index 34336b5c..4f4fc9bf 100644 --- a/cipher/md.c +++ b/cipher/md.c @@ -903,6 +903,9 @@ prepare_macpads (gcry_md_hd_t a, const unsigned char *key, size_t keylen) { GcryDigestEntry *r;
Thank you, applied.
Jan 17 2022
Potential fix posted here: https://invent.kde.org/pim/kleopatra/-/merge_requests/11
Thanks for looking into this, @gniibe! over on https://bugs.debian.org/1003313 Helmut is asking for a re-consideration because he wanted to match arm-linux-musleabihf. Would you be ok with a change like my proposal rE371d1c952297f781277b979a4662859ec80fe836 (on branch dkg/expand-musl), that expands *-*-linux-musl to *-*-linux-musl* ?
In T5512#153650, @Jakuje wrote:This is my draft for the FIPS indicator KDF. I think we do not need to keep the original GCRYCTL_FIPS_SERVICE_INDICATOR if we replace it also in the tests. This will also need some tests and documentation update.
libgcrypt-fips-indicator-kdf.patch3 KBDownload
In T5783#153879, @werner wrote:Sending a private key with just the local protection is not a good idea.
In T5784#153872, @werner wrote:Please no holy wars on the type of curves. NIST as its opinon, Europe has its opinion, DJB has of course a different opinion. Please use the the cryptography ML for such political/technical discussions.
After commenting out the options that gpgconf 2.3 complains about I get:
$ gpgconf --version gpgconf (GnuPG) 2.3.5-beta17 Copyright (C) 2021 Free Software Foundation, Inc. License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.
I tried to see what gpgconf from master says, but I only get
$gpgconf --list-options gpg gpgconf: unknown option 'try-secret-key' at '/etc/gnupg/gpgconf.conf', line 95 gpgconf: unknown option 'reader-port' at '/etc/gnupg/gpgconf.conf', line 96
This also doesn't look right:
The following looks very much like a bug.
Example:
/etc/gnupg/gpg.conf:
default-key B81CE112B26A8EA8BE7B95D2E375339BF4C51840
With rG8c878ae4c9dfa9fe26aa15f4f9db3e86833575e9 some rules for allow-mark-trusted were removed from doc/examples/gpgconf.conf, but the comments below which are supposed to explain the example rules still talk about allow-mark-trusted.