Page MenuHome GnuPG
Feed All Stories

Feb 27 2022

jukivili closed T5826: Improve detached signing and verification speed as Resolved.
Feb 27 2022, 5:54 PM · gnupg
jukivili committed rG4e27b9defc60: g10/plaintext: do_hash: use iobuf_read for higher performance (authored by jukivili).
g10/plaintext: do_hash: use iobuf_read for higher performance
Feb 27 2022, 5:52 PM
jukivili committed rGf8943ce098f6: g10/sign: sign_file: use iobuf_read for higher detached signing speed (authored by jukivili).
g10/sign: sign_file: use iobuf_read for higher detached signing speed
Feb 27 2022, 5:52 PM
werner committed rG7c8c6060616a: agent: New flag "qual" for the trustlist.txt. (authored by werner).
agent: New flag "qual" for the trustlist.txt.
Feb 27 2022, 12:30 PM
werner committed rGf03c871c9e40: agent: Print the correct daemon name in presence of a --foo-program. (authored by werner).
agent: Print the correct daemon name in presence of a --foo-program.
Feb 27 2022, 12:30 PM
werner committed rGb901e63b4d8c: dimngr: Do not check the self-signature of a root CA cert. (authored by werner).
dimngr: Do not check the self-signature of a root CA cert.
Feb 27 2022, 12:30 PM
werner committed rG890e9849b58e: dirmngr: Support ECDSA for OCSP. (authored by werner).
dirmngr: Support ECDSA for OCSP.
Feb 27 2022, 12:30 PM
werner committed rGde87c8e1ead7: dirmngr: Support ECDSA for CRLs (authored by werner).
dirmngr: Support ECDSA for CRLs
Feb 27 2022, 12:30 PM

Feb 26 2022

werner committed rK24992a4a7a61: ocsp: Accept a server not responding with a nonce (authored by werner).
ocsp: Accept a server not responding with a nonce
Feb 26 2022, 10:37 PM
werner committed rKc9cde18bc84a: ocsp: Fix detecting the right response item (authored by werner).
ocsp: Fix detecting the right response item
Feb 26 2022, 10:37 PM
Mass59 added a comment to U8 Gpg4win Dashboard.
Feb 26 2022, 4:04 PM · gpg4win
NoSubstitute added a comment to T5639: dirmngr uses the wrong Let's encrypt chain.
echo BYE | dirmngr -vv --server 2>certs.log

Lists all certificates

Feb 26 2022, 2:41 PM · gnupg (gpg22), dirmngr

Feb 25 2022

werner added a comment to T5850: Kleopatra: "Show not certified certificates" button shows any not fully valid certificates.

I tend to agree

Feb 25 2022, 4:32 PM · Restricted Project, kleopatra, Bug Report
werner closed T5823: DNS srv problem with Tor transparent proxy as Resolved.
Feb 25 2022, 9:15 AM · Not A Bug
werner added a comment to T5639: dirmngr uses the wrong Let's encrypt chain.
echo BYE | dirmngr -vv --server 2>certs.log
Feb 25 2022, 9:10 AM · gnupg (gpg22), dirmngr
bernhard added a comment to T5639: dirmngr uses the wrong Let's encrypt chain.

@TheParanoidProgrammer this looks like a very good and thorough analysis, thanks again!

Feb 25 2022, 8:57 AM · gnupg (gpg22), dirmngr
bernhard committed rW41c7b331804a: Fix minor typo in get-gpg4win.htm4 (authored by bernhard).
Fix minor typo in get-gpg4win.htm4
Feb 25 2022, 8:40 AM
jukivili added a comment to T5826: Improve detached signing and verification speed.

I used "1<<30" by example of existing code in g10/free-packet.c, which is another place where iobuf_read is reading to NULL.

Feb 25 2022, 7:27 AM · gnupg
gniibe committed rG335805e1d482: gpg: Clarify a call of ask_for_detached_datafile. (authored by gniibe).
gpg: Clarify a call of ask_for_detached_datafile.
Feb 25 2022, 4:16 AM
gniibe added a comment to T5826: Improve detached signing and verification speed.

Patches look good for me.
Please go ahead.

Feb 25 2022, 1:53 AM · gnupg

Feb 24 2022

TheParanoidProgrammer added a comment to T5639: dirmngr uses the wrong Let's encrypt chain.

Ok, I managed to find 48504E974C0DAC5B5CD476C8202274B24C8C7172 via Powershell. It was in the CA store of my non-privileged user and since I always checked the certificate store as administrator it did not show up there. After removal of this intermediate certificate I am able to use hkps://keyserver.ubuntu.com.

Feb 24 2022, 10:43 PM · gnupg (gpg22), dirmngr
TheParanoidProgrammer added a comment to T5639: dirmngr uses the wrong Let's encrypt chain.

Ok, so order of loading is not a problem since the cache does not store them by insertion order, but instead indexes them by the first byte of their fingerprint.
So, I think the problem here is that the expired intermediate certificate (48504E974C0DAC5B5CD476C8202274B24C8C7172) is somehow loaded in Windows and since its fingerprint's first byte is less than the server-supplied intermediate (A053375BFE84E8B748782C7CEE15827A6AF5A405) Windows chooses this one. I can see that the expired intermediate certificate is indeed loaded on Windows if I increase verbosity of dirmngr logs. However, I am still unsure where this certificate lives. The log says it comes from the "CA" store, but searching for it visually or by fingerprint search in Windows Certificates Snap-In (MMC) does not let me find it.
I will keep looking, but if you want to reproduce in your VMs, I suppose adding the expired intermediate certificate and the expired root certificate to the system store should make this reproducible.

Feb 24 2022, 10:26 PM · gnupg (gpg22), dirmngr
jukivili closed T5785: libgcrypt-1.9.4 build failure on ppc64le as Resolved.
Feb 24 2022, 6:53 PM · Gentoo, Bug Report
jukivili added a comment to T5785: libgcrypt-1.9.4 build failure on ppc64le.

(note: -O2 is added only for compiling powerpc vector implementation files)

Feb 24 2022, 6:53 PM · Gentoo, Bug Report
jukivili added a comment to T5785: libgcrypt-1.9.4 build failure on ppc64le.

I added check to configure.ac for missing -O flag and tests with -O2. If adding -O2 does not help, then powerpc vector implementations wont be build at all.

Feb 24 2022, 6:53 PM · Gentoo, Bug Report
jukivili committed rC6951e0f591cc: powerpc: check for missing optimization level for vector register usage (authored by jukivili).
powerpc: check for missing optimization level for vector register usage
Feb 24 2022, 6:39 PM
jukivili closed T4486: Add AEAD mode AES-SIV to libgcrypt (RFC 5297) as Resolved.
Feb 24 2022, 6:06 PM · Feature Request, libgcrypt
jukivili closed T5356: gnupg2 test failure on s390x as Resolved.
Feb 24 2022, 6:05 PM · libgcrypt, Bug Report
jukivili closed T5694: poly1305-s390x.S is compiled despite --disable-asm as Resolved.
Feb 24 2022, 6:05 PM · libgcrypt, Bug Report
jukivili closed T5796: libgcrypt-1.9.4 build failure on ARM without NEON as Resolved.
Feb 24 2022, 6:05 PM · arm, libgcrypt, Gentoo, Bug Report
jukivili updated subscribers of T5826: Improve detached signing and verification speed.

Does the patches look ok to push to master? @werner @gniibe

Feb 24 2022, 6:04 PM · gnupg
jukivili added a comment to T5853: Decrypting OCB encrypted file fails....

Thanks. All my tests work now.

Feb 24 2022, 6:01 PM · gnupg (gpg23), Bug Report
ikloecker changed the status of T5858: Kleopatra: Crash when revoking self signature from Open to Testing.
Feb 24 2022, 4:42 PM · kleopatra, Restricted Project
ikloecker committed rKLEOPATRAe038551b4f14: Remove command to list the available smart card readers (authored by ikloecker).
Remove command to list the available smart card readers
Feb 24 2022, 4:38 PM
ikloecker committed rKLEOPATRA9cd07dc47584: Disable Ok button if no signatures can be revoked (authored by ikloecker).
Disable Ok button if no signatures can be revoked
Feb 24 2022, 4:25 PM
ikloecker committed rKLEOPATRA29b3f108d98a: Prevent crash when revoking certifications without certification key (authored by ikloecker).
Prevent crash when revoking certifications without certification key
Feb 24 2022, 4:25 PM
aheinecke closed T5857: Kleopatra: Change "List smartcard readers" to "select smartcard reader" as Resolved.

Removing the list seems reasonable to me, we can tell users in support that they should go to settings- > Smartcard to select the reader used.

Feb 24 2022, 3:21 PM · kleopatra, Restricted Project
ikloecker moved T5858: Kleopatra: Crash when revoking self signature from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Feb 24 2022, 3:02 PM · kleopatra, Restricted Project
ikloecker added a comment to T5857: Kleopatra: Change "List smartcard readers" to "select smartcard reader".

There is now a dedicated configuration module for smart card related settings. Currently, it's rather empty, but maybe there are more smart card settings you want to see there.

Feb 24 2022, 2:52 PM · kleopatra, Restricted Project
werner committed rG9116fd1e9a2d: g10: Avoid extra hash contexts when decrypting MDC input (authored by jukivili).
g10: Avoid extra hash contexts when decrypting MDC input
Feb 24 2022, 2:15 PM
werner closed T5820: Slow symmetric decryption speed as Resolved.
Feb 24 2022, 2:15 PM · gnupg (gpg23), Bug Report
werner added a comment to T5820: Slow symmetric decryption speed.

Cool. I did some quick tests with 2.2 on my pretty old X220 and it really makes sense to apply the patch there as well.:

Feb 24 2022, 2:07 PM · gnupg (gpg23), Bug Report
aheinecke committed rW0d147f47802e: MSI: Add INST_GPGOL=inactive feature (authored by aheinecke).
MSI: Add INST_GPGOL=inactive feature
Feb 24 2022, 1:25 PM
ikloecker committed rKLEOPATRA7c59b266e17f: Add config module for smart card related settings (authored by ikloecker).
Add config module for smart card related settings
Feb 24 2022, 1:06 PM
ikloecker committed rLIBKLEOb32aca3bef27: Extract the reader port combo box from the config entry UI (authored by ikloecker).
Extract the reader port combo box from the config entry UI
Feb 24 2022, 1:01 PM
ikloecker committed rLIBKLEO172385cf980d: Set placeholder text instead of an editable default text (authored by ikloecker).
Set placeholder text instead of an editable default text
Feb 24 2022, 1:01 PM
ikloecker committed rLIBKLEO6bf6d10f47b5: Bump library version (authored by ikloecker).
Bump library version
Feb 24 2022, 1:01 PM
werner edited projects for T5852: Use iobuf_copy where instead of manual iobuf_get/iobuf_put or iobuf_read/iobuf_write loops, added: gnupg (gpg23); removed gnupg.
Feb 24 2022, 12:43 PM · gnupg (gpg23)
werner added a comment to T5857: Kleopatra: Change "List smartcard readers" to "select smartcard reader".

aheinecke: Good idea

Feb 24 2022, 12:36 PM · kleopatra, Restricted Project
werner added a comment to T5859: Kleopatra: Revoke own key.

Do you mean revoking the entire key or a user-id, or a subkey? Having a way to revoke a user-id is probably the most interesting use-case. BTW, there is no "revoke a self-signature" - this is actually a revocation of the user-id or subkey.

Feb 24 2022, 12:25 PM · kleopatra, Restricted Project
aheinecke triaged T5859: Kleopatra: Revoke own key as Wishlist priority.
Feb 24 2022, 11:04 AM · kleopatra, Restricted Project
aheinecke added a comment to T5858: Kleopatra: Crash when revoking self signature.

Related to this is that I was looking for a way to revoke my own key and I thought that revoking the selfsig might work. So maybe it makes sense not to fix this by forbidding this operation but instead by allowing it with the same key.

Feb 24 2022, 11:01 AM · kleopatra, Restricted Project
aheinecke triaged T5858: Kleopatra: Crash when revoking self signature as High priority.
Feb 24 2022, 11:00 AM · kleopatra, Restricted Project
aheinecke closed T5336: Kleopatra: Add expiry for certifications in certify dialog as Resolved.
Feb 24 2022, 10:54 AM · kleopatra, Restricted Project
werner triaged T5856: Forcing aead when creating sign & encrypted files creates inconsistent results as High priority.
Feb 24 2022, 10:34 AM · gnupg (gpg23), Bug Report
ikloecker claimed T5857: Kleopatra: Change "List smartcard readers" to "select smartcard reader".

I have an uncommitted SmartCardConfigurationPage. I guess, I'll simply commit this and remove the "List smartcard readers" option.

Feb 24 2022, 10:05 AM · kleopatra, Restricted Project
aheinecke triaged T5857: Kleopatra: Change "List smartcard readers" to "select smartcard reader" as Wishlist priority.
Feb 24 2022, 9:35 AM · kleopatra, Restricted Project
bernhard added a comment to T5639: dirmngr uses the wrong Let's encrypt chain.

@TheParanoidProgrammer thanks for investigating further. It is highly appreciated!

Feb 24 2022, 9:16 AM · gnupg (gpg22), dirmngr
Jakuje updated the task description for T5856: Forcing aead when creating sign & encrypted files creates inconsistent results.
Feb 24 2022, 9:10 AM · gnupg (gpg23), Bug Report
Jakuje created T5856: Forcing aead when creating sign & encrypted files creates inconsistent results.
Feb 24 2022, 9:10 AM · gnupg (gpg23), Bug Report
TheParanoidProgrammer added a comment to T5639: dirmngr uses the wrong Let's encrypt chain.

On a side note, it turns out that Ubuntu Maintainers ship gpg with GnuTLS dynamically linked, so that's why I went down that road first. I compiled gpg from source for Ubuntu with ntbtls for further tests. Interesting insight is that find_cert_bysubject returns different certificates on first try on my Ubuntu Machine compared to my Windows 10 Machine:

Feb 24 2022, 1:06 AM · gnupg (gpg22), dirmngr

Feb 23 2022

TheParanoidProgrammer added a comment to T5639: dirmngr uses the wrong Let's encrypt chain.

Ok, I may see three potential problems in dirmngr->validate.c->validate_cert_chain(), but it may also be my limited familiarity with the gnupg source.

  • Here we leave the certificate validation loop at the first trusted root certificate, even if it is expired as we only mark this fact for later evaluation.
  • Here we seem to only ever go up the chain, never sideways as is the case in the original patch for this bug.
  • And probably most impactful, here we fail the whole validation if any of the previously checked certificates is expired, so that even if we would fix the second point by checking sibling certificates, we would still get an overall failure.
Feb 23 2022, 10:18 PM · gnupg (gpg22), dirmngr
TheParanoidProgrammer added a comment to T5639: dirmngr uses the wrong Let's encrypt chain.

What I wonder is: In a number of tests in our machines (mostly virtual machines), the TLS access to keyserver.ubuntu.com does work. I have yet to see a VM where it does not. So there must be a difference.

Feb 23 2022, 9:37 PM · gnupg (gpg22), dirmngr
TheParanoidProgrammer added a comment to T5639: dirmngr uses the wrong Let's encrypt chain.

Not a solution yet, but some more insights.
Starting from @NoSubstitute 's log output and from @bernhard 's statement that we use ntbTLS I verified that my dirmngr.exe was indeed compiled with NTBTLS 0.2.0. I did so by running strings "C:\Program Files (x86)\GnuPG\bin\dirmngr.exe" | grep TLS which returned "This is NTBTLS 0.2.0 - Not Too Bad TLS" among other strings. I also grepped for some debug strings introduced in newer commits to verify that the NTBTLS version used is not the current HEAD of master, but at least some commit before 64f895dba734802662cbb81b64cd0b4af198ee71. I will just assume it is the actual 0.2.0 release for now.

Feb 23 2022, 9:33 PM · gnupg (gpg22), dirmngr
jukivili committed rCd8825601f10a: Add SM4 ARMv8/AArch64 assembly implementation (authored by Tianjia Zhang <tianjia.zhang@linux.alibaba.com>).
Add SM4 ARMv8/AArch64 assembly implementation
Feb 23 2022, 6:24 PM
jukivili committed rC83e1649edd5e: Move VPUSH_API/VPOP_API macros to common header (authored by Tianjia Zhang <tianjia.zhang@linux.alibaba.com>).
Move VPUSH_API/VPOP_API macros to common header
Feb 23 2022, 6:23 PM
jukivili committed rC2508b755608c: Perform AEAD input 24KiB splitting only when input larger than 32KiB (authored by jukivili).
Perform AEAD input 24KiB splitting only when input larger than 32KiB
Feb 23 2022, 6:23 PM
aheinecke triaged T5854: Windows registry option to prevent modifications to signed/encrypted messages after validation by GpgOL as Wishlist priority.
Feb 23 2022, 6:09 PM · gpgol, Feature Request
aheinecke added a comment to T5854: Windows registry option to prevent modifications to signed/encrypted messages after validation by GpgOL.

The problem is that we replace the encrypted text and attachments with the decrypted / verified parts. This would already be a modification even without such changes like the category.

Feb 23 2022, 6:09 PM · gpgol, Feature Request
bernhard committed rW71d67a7e614b: Update systemrequirements (authored by bernhard).
Update systemrequirements
Feb 23 2022, 5:44 PM
ikloecker committed rKLEOPATRA91db9838aeaf: Improve accessibility of the filename requesters (authored by ikloecker).
Improve accessibility of the filename requesters
Feb 23 2022, 4:34 PM
ikloecker committed rLIBKLEO99aa5efa6abe: Allow setting the accessible name of the underlying line edit (authored by ikloecker).
Allow setting the accessible name of the underlying line edit
Feb 23 2022, 4:19 PM
ikloecker committed rLIBKLEOf112bfd045c6: Bump library version (authored by ikloecker).
Bump library version
Feb 23 2022, 4:19 PM
ikloecker committed rLIBKLEO6177a66253e9: Use QLineEdit instead of KLineEdit (authored by ikloecker).
Use QLineEdit instead of KLineEdit
Feb 23 2022, 4:19 PM
ikloecker committed rLIBKLEO9d68d7e32fb8: Improve accessibility of "Open file dialog" button (authored by ikloecker).
Improve accessibility of "Open file dialog" button
Feb 23 2022, 4:19 PM
werner closed T5838: gpg card not getting detected as Resolved.
Feb 23 2022, 4:07 PM · Not A Bug, scd, gnupg, RHEL
werner assigned T5854: Windows registry option to prevent modifications to signed/encrypted messages after validation by GpgOL to aheinecke.
Feb 23 2022, 4:06 PM · gpgol, Feature Request
werner added a project to T5598: AppImage of gpg: AppImage.
Feb 23 2022, 3:01 PM · AppImage, gnupg, Restricted Project, Feature Request
werner closed T4928: Win10 - Kleopatra config help button doesn't do anything as Resolved.

Works for me in the current Kleopatra.

Feb 23 2022, 3:00 PM · gpg4win, kleopatra
werner created AppImage.
Feb 23 2022, 2:59 PM
ikloecker claimed T5845: Kleopatra: Accessibility for file encryption.
Feb 23 2022, 1:35 PM · kleopatra, Restricted Project
werner added a member for Contributor: bef.
Feb 23 2022, 1:35 PM
ikloecker claimed T5824: Kleopatra: Full accessibility support.
Feb 23 2022, 11:46 AM · kleopatra
ikloecker changed the status of T5841: Kleopatra: Make keylist / keytreeview accessible from Open to Testing.

Ready for testing

Feb 23 2022, 11:46 AM · kleopatra, Restricted Project
ikloecker changed the status of T5841: Kleopatra: Make keylist / keytreeview accessible, a subtask of T5824: Kleopatra: Full accessibility support, from Open to Testing.
Feb 23 2022, 11:46 AM · kleopatra
ikloecker changed the status of T5841: Kleopatra: Make keylist / keytreeview accessible, a subtask of T5842: Gpg4win LTS 3.1.22, from Open to Testing.
Feb 23 2022, 11:46 AM · gpg4win, Restricted Project, Release Info
ikloecker added a comment to T5841: Kleopatra: Make keylist / keytreeview accessible.

I implemented the following solution:

  • People using screen readers can navigate from cell to cell with the arrow keys. Depending on the style there is no (or no easily perceivable) visual feedback, but that doesn't matter. A not blind person will simply perceive the Left/Right arrow keys as having no effect.
  • The special behavior of QTreeView which expands or collapses items with children on Left/Right does not work anymore. Expanding/collapsing subtrees with Plus/Minus/Asterisk still works.
Feb 23 2022, 11:45 AM · kleopatra, Restricted Project
ikloecker committed rLIBKLEOf7c43ec0ea88: Return more accessible text representations for empty model entries (authored by ikloecker).
Return more accessible text representations for empty model entries
Feb 23 2022, 11:14 AM
ikloecker committed rKLEOPATRAf9dd662a33d4: Prevent possible problems with delayed item layouting (authored by ikloecker).
Prevent possible problems with delayed item layouting
Feb 23 2022, 11:14 AM
Laurent Montel <montel@kde.org> committed rKLEOPATRAf3a01e0d2a03: Use KDE_INSTALL_KSERVICESDIR (authored by Laurent Montel <montel@kde.org>).
Use KDE_INSTALL_KSERVICESDIR
Feb 23 2022, 8:52 AM
gniibe added a comment to T5853: Decrypting OCB encrypted file fails....

It was the bug of generating AEAD packet, which does:

Feb 23 2022, 1:33 AM · gnupg (gpg23), Bug Report
gniibe committed rGfb007d93de7b: Fix the previous commit. (authored by gniibe).
Fix the previous commit.
Feb 23 2022, 1:18 AM
gniibe triaged T5853: Decrypting OCB encrypted file fails... as High priority.

Sorry for pushing immature fix. I located the cause, but I didn't have enough concentration for fix.

Feb 23 2022, 1:17 AM · gnupg (gpg23), Bug Report
gniibe claimed T5853: Decrypting OCB encrypted file fails....
Feb 23 2022, 1:14 AM · gnupg (gpg23), Bug Report
gniibe added a member for FIPS: Jakuje.
Feb 23 2022, 12:40 AM
gniibe added a member for FIPS: gniibe.
Feb 23 2022, 12:40 AM
gniibe added a member for FIPS: neverpanic.
Feb 23 2022, 12:40 AM
gniibe moved T5835: libgcrypt: More robust/portable integrity check from Backlog to Next on the FIPS board.
Feb 23 2022, 12:38 AM · Bug Report, libgcrypt, FIPS

Feb 22 2022

jukivili added a comment to T5853: Decrypting OCB encrypted file fails....

Just more background what I'm doing with these tests. I started testing with set of different sized test files (generated from urandom) to detect any bugs in my changes, which try to reduce amount of memory copies in iobuf_read/iobuf_write. Size ranges for these test-files are 0...17408, 32256...66560 and 130560...132096 bytes. These files are encrypted with different settings (public key/symmetric/cfb/ocb/different algos) and then decrypted and decrypted file compared to original.

Feb 22 2022, 6:08 PM · gnupg (gpg23), Bug Report
jukivili added a comment to T5853: Decrypting OCB encrypted file fails....

I tested the fix. It appears to break OCB encrypting files shorter than 65515 bytes:

$ gpg --batch --symmetric --passphrase=bug --output=enc_065514.gpg --rfc4880bis --force-aead --cipher-algo AES128 --compress-algo none plain_065514
$ ls -laF *065514*
-rw-rw-r-- 1 jussi jussi   100 Feb  22 18:51 enc_065514.gpg
-rw-rw-r-- 1 jussi jussi 65514 Feb  22 18:42 plain_065514
$ sha256sum plain_065514
5711955703f4d96f510ad5a660c3ccd0d01f0b2dd2561ba6586159ad941cbcde  plain_065514
$ gpg --batch --decrypt --passphrase=bug --output=- enc_065514.gpg | sha256sum
gpg: AES.OCB encrypted session key
gpg: encrypted with 1 passphrase
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  -
Feb 22 2022, 5:54 PM · gnupg (gpg23), Bug Report