I located the problem. The test program use-exact-key invokes two gpg-es connecting by pipe (one gpg to generate a signature, another gpg to verify the signature). Those multiple gpg-es race accessing keyboxd.
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Advanced Search
Apr 28 2022
Apr 27 2022
Apr 26 2022
@werner Please backport to 2.2.
Another test, it took 30 minutes to replicate.
My Yubikey (Yubico.com Yubikey 4/5 OTP+U2F+CCID) (key Ed25519) works fine with OpenSSH using kex of sntrup761x25519-sha512@openssh.com.
Thank you. I can replicate the issue.
Apr 25 2022
I pushed the change above. I also pushed another change with IOBUF_INPUT_TEMP.
Sorry, I was confused. For RSA-4096, data is hashed by gpg-agent and hashed data is signed by a card.
We are using rsa-4096 on smartcard for quite some time; so I wonder what's the problem here. Is that that we don't use our Assuan hack for large key material with OpenPGP.3?
There is another case: RSA-4096 key. scdaemon rejects data by Invalid value. Unfortunately, there is no fix for this, as it's really too large. Even if scdaemon allows larger data, the card implementation rejects, when it conforms to PKCS #1 standard (data should not be larger than 40% of the modulus).
Thank you for the bug report.
Apr 22 2022
Should also go into 2.2
The rest of the code looks fine.
The links for the Windows installer as given in the mail was wrong. The corrected links are
I confirmed that the patch above works with newer Gnuk (>= 1.2.16).
Apr 21 2022
Apr 19 2022
Apr 14 2022
Passing fds etc adds complex extra code to gpg-agent. This was not the original design goal, although we violated this anyway by have some OpenPGP specific code there. This needs more thinking. Due to our internal use of OCB we can't make it FIPS compliant without large changes.
I have not yet tested OpenSSH 9 and thus the patch to master is here just as a test. Please better use gnupg 2.3 (stable) instead of 2.2 (LTS) because it is unlikely that we will backport all this new ssh stuff.
Patches applied and pushed. For the common/t-ssh-utils, I applied my fix for the use case with key on command line when FIPS mode is enabled (MD5 error is OK, in this case).
Apr 13 2022
Apr 12 2022
For anyone stumbling across this issue I created a docker image containing gpg with the patch above applied: https://github.com/smlx/gnupg-piv-agent
Apr 7 2022
Mar 29 2022
The patch I proposed was partial one, not fully solved the problem of socket resource leak on Windows.
Mar 25 2022
Confirmed to work, thanks!
Thank you. Applied.
Implemented.
it still shows the no certificate or invalid encoded error message:
Mar 24 2022
I gave it a try. It works now, but it still shows the no certificate or invalid encoded error message:
Thank you. Confirmed.
Thank you for the reproducible test case. Confirmed.
Mar 23 2022
Thank you.
Mar 22 2022
I guess I don't understand what you mean by "native building". This build was with MinGW, which is as "native" as MinGW64 is.
The reason for the problem is (AFAIU) that MinGW64 went after Microsoft's change in stat due to the 32-bit vs 64-bit time and off_t values issue.s That change breaks backward compatibility in more than one way: programs compiled on some versions of Windows will not run on other versions. mingw.org's MinGW kept the original semantics and symbols, which is why _stat32 exists in the mingw.org's headers, but is not exposed by default.
Turned into a feature request because native building on Windows is not supported.
Mar 21 2022
Now, the problem is not about the case of pid == getpid () any more.
That would be bad for unattended use cases. Recording the time the lock file was created might be a solution. Then cleanup only after 15 minutes or so.
Note that there is a race condition still (after a fix of one race condition which may be somewhat likely and reproducible, and another fix of race condition when there is a stale lockfile).
Fixed another race in commit: rG2f1afc129662: common: Fix another race condition, and address the other one.
Mar 19 2022
{F3381469}I uploaded the whole homedir containing the keys after they were migrated by the new gnupg2.3.4. It should have all of the keys in there. Don't worry, these keys are just for testing and not used anywhere.
Mar 18 2022
Before the fix above, https://bugs.debian.org/972525 can be explained by the following scenario:
Fixed in master. Should be backported when found stable.
I pushed a change for t-dotlock.c for testing.
Mar 17 2022
Mar 16 2022
I can't replicate this symptom (gpg1 generated key, no problem after migration).
Could you share the *.key file under private-keys-v1.d?
Mar 9 2022
Reagarding the OpenPGP specs: there is a new draft with LOTS of changes to already agreed upon formats and conducted interop tests. Almost everything we implemented in GnuPG and RNP has had rough consensus in the WG. Minor things like AEAD chunk size were the contested pieces. However, now they want to change everything with the possible outcome of discretization the long established trust in the stability and durability of the PGP data and key format.
Sorry. While v5 things in the specification is still in flux, from the viewpoint of the implementation, this patch is 100% valid and it makes sense.
Mar 8 2022
Thank you for the report.
Mar 7 2022
Mar 2 2022
What about at least accepting env variables OR tilde expansions? That will make it easier to integrate with dotfiles that intentionally use a home-dir based executable without having to pass the full path, so it could work cross platforms.