In T6229#163870, @werner wrote:The other key slots are claimed to be used for expired or archived keys as you rightfully mention. We need to figure out the real world semantic behind this before we can repurpose such keys.
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Feed All Stories
All Stories
All Stories
Oct 6 2022
Oct 6 2022
manonfgoo added a comment to T6229: Include ability to use any/all of the keys stored on YubiKey's PIV applet ("retired" keys).
manonfgoo added a comment to T6229: Include ability to use any/all of the keys stored on YubiKey's PIV applet ("retired" keys).
Pleaee have a look at https://dev.gnupg.org/T5790, i added a patch.
Attached you find a patch to this issue. This Patch sets the "keypair" attribute to the keys 0x82 to 0x95 unconditionaly.
• werner triaged T6229: Include ability to use any/all of the keys stored on YubiKey's PIV applet ("retired" keys) as Low priority.
The other key slots are claimed to be used for expired or archived keys as you rightfully mention. We need to figure out the real world semantic behind this before we can repurpose such keys.
• werner committed rG7ccd489aa2e5: wkd: New command --mirror for gpg-wks-client. (authored by • werner).
wkd: New command --mirror for gpg-wks-client.
That's more than sufficient. Thanks.
• gniibe committed rCefdc87b305ff: tests: Reproducer for short dklen in FIPS mode (authored by Jakuje).
tests: Reproducer for short dklen in FIPS mode
• gniibe committed rC6e832840a8b7: random: Extend the comment about FIPS specifics (authored by Jakuje).
random: Extend the comment about FIPS specifics
l10n daemon script <scripty@kde.org> committed rKLEOPATRA4d4d4a78ae07: GIT_SILENT Sync po/docbooks with svn (authored by l10n daemon script <scripty@kde.org>).
GIT_SILENT Sync po/docbooks with svn
Oct 5 2022
Oct 5 2022
• werner closed T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired, a subtask of T5882: Cross signing certificate in X.509 support, as Resolved.
• werner committed rK4b7d9cd4a018: Detect a possible overflow directly in the TLV parser. (authored by • werner).
Detect a possible overflow directly in the TLV parser.
• werner committed rG7a01e806eac4: dirmngr: Support paged LDAP mode for KS_GET (authored by • werner).
dirmngr: Support paged LDAP mode for KS_GET
Post release updates
Release 1.6.1
• gniibe committed rPTHe894f0197fb4: w32: Add comment for our intentional casting for TlsSetValue. (authored by • gniibe).
w32: Add comment for our intentional casting for TlsSetValue.
I tried to clarify the comment in the following merge request. Feel free to pull it from there or adjust if it is too verbose or missing some points:
mlaurent committed rLIBKLEO0f469f64c238: GIT_SILENT: make sure to depend against qt6.4, kpimtextedit needs it (authored by mlaurent).
GIT_SILENT: make sure to depend against qt6.4, kpimtextedit needs it
mlaurent committed rKLEOPATRA0cd00b23dd13: GIT_SILENT: make sure to depend against qt6.4, kpimtextedit needs it (authored by mlaurent).
GIT_SILENT: make sure to depend against qt6.4, kpimtextedit needs it
Oct 4 2022
Oct 4 2022
Hello,
I'm having the same issue here, and as I've an image in the signature of my emails the signature is not visible at all when I sign the messages.
The image attached seems to be well included in the attachments and the image is readable.
Thanks,
isundil
• werner added a comment to rCa6a6e94027ab: random: Get maximum 32B of entropy at once in FIPS Mode.
A minor clarification in the code comment would be enough. Something like: Some non-standard kernel return only 32 bytes of strong entropy to satisfy current FIPS requirements.
Yes, that's probably right. I talked to the vendor and they were nice enough to send us specs and samples. However, without a strong business case support for these cards we can't prioritize this work.
• werner closed T6226: Native PKCS#11 support, by attaching any module/library, without having to use workarounds (alternative gpg-agent etc.) as Wontfix.
Most PCKS#11 drivers are proprietary software which do not fit well into a free software system. Thus we avoid them. And of course we provide pcksc#11 support: Install Scute. There are no workarounds like alternative gpg-agent's - those things don't work reliable and are not supported.
• werner closed T6225: Gpg4win 4.0.3 and GnuPG 2.3.7 cannot use OpenPGP Card with ECC Keys as Resolved.
This is a duplicate of T6070. Please wait for gnupg 2.3.8
margirou updated the task description for T6226: Native PKCS#11 support, by attaching any module/library, without having to use workarounds (alternative gpg-agent etc.).
I am attaching one last log I have while trying to use the SC-HSM and using the debug options mentioned. From what I understand, the keys and certificates are recognised by scdaemon, but, for some reason, they don't show up in gpg --card-edit --expert or in Kleopatra. Having AES symmetric keys also causes the PrKDF to show up as invalid.
margirou updated the task description for T6225: Gpg4win 4.0.3 and GnuPG 2.3.7 cannot use OpenPGP Card with ECC Keys.
• werner committed rG4de98d4468f3: dirmngr: New options --first and --next for KS_GET. (authored by • werner).
dirmngr: New options --first and --next for KS_GET.
• werner moved T6219: Ensure minimum key length for KDF in FIPS mode from Backlog to Ready for release on the FIPS board.
Also applied to 1.10 branch.
Why is that not stated in my man page which knows about kernel 3.19? Is that a regression or a RedHat specific patch?
• werner added a comment to rCa6a6e94027ab: random: Get maximum 32B of entropy at once in FIPS Mode.
Why is that not stated in my man page which knows about kernel 3.19? Is that a regression or a RedHat specific patch?
• gniibe committed rCa6a6e94027ab: random: Get maximum 32B of entropy at once in FIPS Mode (authored by Jakuje).
random: Get maximum 32B of entropy at once in FIPS Mode
l10n daemon script <scripty@kde.org> committed rKLEOPATRA10ed3105966c: GIT_SILENT Sync po/docbooks with svn (authored by l10n daemon script <scripty@kde.org>).
GIT_SILENT Sync po/docbooks with svn
l10n daemon script <scripty@kde.org> committed rLIBKLEO3ca12f40beff: GIT_SILENT Sync po/docbooks with svn (authored by l10n daemon script <scripty@kde.org>).
GIT_SILENT Sync po/docbooks with svn
Oct 3 2022
Oct 3 2022
l10n daemon script <scripty@kde.org> committed rLIBKLEO9697f54a92e8: GIT_SILENT Sync po/docbooks with svn (authored by l10n daemon script <scripty@kde.org>).
GIT_SILENT Sync po/docbooks with svn
l10n daemon script <scripty@kde.org> committed rKLEOPATRA0f22dd2be8d1: GIT_SILENT Sync po/docbooks with svn (authored by l10n daemon script <scripty@kde.org>).
GIT_SILENT Sync po/docbooks with svn
Oct 2 2022
Oct 2 2022
tests: Avoid memory leak
jukivili committed rC0909186b9e66: t-rsa-testparm: fix 'function declaration isn’t a prototype' warning (authored by jukivili).
t-rsa-testparm: fix 'function declaration isn’t a prototype' warning
tests/benchmark: remove VLA usage
tests/bench-slope: remove VLA usage
cipher-ccm: remove VLA usage
mpi/ec: remove VLA usage
Patch applied to master, thanks.
l10n daemon script <scripty@kde.org> committed rLIBKLEO44002c652e0f: GIT_SILENT Sync po/docbooks with svn (authored by l10n daemon script <scripty@kde.org>).
GIT_SILENT Sync po/docbooks with svn
l10n daemon script <scripty@kde.org> committed rKLEOPATRA839c9123a2a6: GIT_SILENT Sync po/docbooks with svn (authored by l10n daemon script <scripty@kde.org>).
GIT_SILENT Sync po/docbooks with svn
Oct 1 2022
Oct 1 2022
In T6218#163787, @gouttegd wrote:Does the latest Scute require an instance of gpg-agent and/or scdaemon running to work?
Yes. Scute relies on those to interact with the token.
Sep 30 2022
Sep 30 2022
mlaurent committed rKLEOPATRAa2bb1403493a: Fix bug 459861: Compile error from missing #include lines (authored by mlaurent).
Fix bug 459861: Compile error from missing #include lines
Does the latest Scute require an instance of gpg-agent and/or scdaemon running to work?
• werner committed rG3390951ffd69: gpg: Show just keyserver and port with --send-keys. (authored by • werner).
gpg: Show just keyserver and port with --send-keys.
One nit that I overlooked initially is the memory leak, which is fixed with the following patch:
libgcrypt-leak.patch732 BDownload
Sep 29 2022
Sep 29 2022
dirmngr: Minor fix for baseDN fallback.
• werner committed rG2e22184ba5ac: gpg: Avoid to emit a compliance mode line if libgcrypt is non-compliant. (authored by • werner).
gpg: Avoid to emit a compliance mode line if libgcrypt is non-compliant.
• werner committed rG46f9b0071f54: gpg: Fix assertion failure due to errors in encrypt_filter. (authored by • werner).
gpg: Fix assertion failure due to errors in encrypt_filter.
• werner committed rGa51067a21f68: gpg: Make --require-compliance work for -se (authored by • werner).
gpg: Make --require-compliance work for -se
• werner changed the status of T6221: When encrypting, gpg claims DE_VS compliance with non-compliant gcrypt from Open to Testing.
Indeed, the status line should not be emitted in this case. Thanks.
• werner committed rG07c6743148d4: gpg: Avoid to emit a compliance mode line if libgcrypt is non-compliant. (authored by • werner).
gpg: Avoid to emit a compliance mode line if libgcrypt is non-compliant.
justus added a comment to T6221: When encrypting, gpg claims DE_VS compliance with non-compliant gcrypt.
% gpgconf --list-options gpg | grep compliance compliance:16:2::1:1::"gnupg:: compliance_de_vs:144:3::2:2::0:: % dpkg --list libgcrypt20 | cat Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-=================-============-============-===================================== ii libgcrypt20:amd64 1.10.1-2 amd64 LGPL Crypto library - runtime library % gpg --version gpg (GnuPG) 2.2.39 libgcrypt 1.10.1 Copyright (C) 2022 g10 Code GmbH License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.
• werner added a project to T6223: GPGME incorrectly parses the signature class in SIG_CREATED status lines: Feature Request.
Let's don't forget that we need to have a sig_class replacement.
• werner committed rMb1e5f3b18310: core: Fix SIG_CREATED status parsing for 0x1F sigs (authored by • werner).
core: Fix SIG_CREATED status parsing for 0x1F sigs
• aheinecke triaged T6221: When encrypting, gpg claims DE_VS compliance with non-compliant gcrypt as Low priority.
With a gcrypt not claiming compliance you should not get the status compliant or not but GnuPG should error out with forbidden.
• werner added a comment to T6223: GPGME incorrectly parses the signature class in SIG_CREATED status lines.
This is not easy to fix because it would break the GPGME API. Here
are the values we can expect:
• werner triaged T6223: GPGME incorrectly parses the signature class in SIG_CREATED status lines as Normal priority.
I assume this is gpgme master. Please write proper bug reports.
• werner added a project to T6221: When encrypting, gpg claims DE_VS compliance with non-compliant gcrypt: gnupg (gpg22).
Justus, you should know how to write a proper bug report. Please do that and don't just paste some more or less random output here with just hint that Libgcrypt is not compliant. tia.
This is a debug option; I see no use case for this.
• gniibe added a comment to T6002: scute w/ gpg23: Support multiple cards/tokens, major update with KEYGRIP.
Merged the changes in t6002 branch into master.
Applied and pushed the change from @joeyberkovitz in rG3257385378bb: dirmngr: Interrogate LDAP server when base DN specified..
• gniibe committed rG3257385378bb: dirmngr: Interrogate LDAP server when base DN specified. (authored by joeyberkovitz).
dirmngr: Interrogate LDAP server when base DN specified.
• gniibe committed rG4b2066afb498: dirmngr: Change interrogate_ldap_dn for better memory semantics. (authored by • gniibe).
dirmngr: Change interrogate_ldap_dn for better memory semantics.
Register DCO for Joey Berkovitz.
dirnmgr: Fix the function prototype.
Sep 28 2022
Sep 28 2022
• werner committed rG536b5cd66305: dirmngr: Fix lost flags during LDAP upload (authored by • werner).
dirmngr: Fix lost flags during LDAP upload
gpg: Silence some diagnostics.
doc: Typo fix in a comment.
• werner committed rG32ce7ac0c674: dirmngr: Fix lost flags during LDAP upload (authored by • werner).
dirmngr: Fix lost flags during LDAP upload
That sounds quite cool.
• werner added a comment to T6220: gpg --full-generate-key does not use max RSA keysize when --enable-large-rsa is set.
Add --expert and use a decent version of GnuPG. 2.2 is our long term support branch and is not the current stable production version (which is 2.3.7)
Actually we developed PIV support to allow the use of PIV X.509 certificates and OpenPGP keys with Yubikeys. In fact, GnuPG is able to switch between the Yubikey PIV and OpenPGP applications on-the-fly while keeping their PIN verification states.
I was indeed using version 1.5.0 for testing, but I wish to clarify the purpose of Scute in my setup before proceeding.
• werner committed rGd65a0335e5cb: dirmngr: New server flag "areconly" (A-record-only) (authored by • werner).
dirmngr: New server flag "areconly" (A-record-only)
• werner committed rG6300035ba17b: dirmngr: New server flag "areconly" (A-record-only) (authored by • werner).
dirmngr: New server flag "areconly" (A-record-only)
2l47 added a comment to T6220: gpg --full-generate-key does not use max RSA keysize when --enable-large-rsa is set.
Perhaps --full-generate-key should provide more algorithm choices, then, e.g. ed25519?
• werner closed T6220: gpg --full-generate-key does not use max RSA keysize when --enable-large-rsa is set as Wontfix.
Sorry, this as been discussed ad nausea. We try our best to help people not to use useless and harmful (e.g. performance of the WoT) algorithm choices.
Fix keyinfo listing.
• gniibe committed rS3bf758969ded: Do not launch gpg-agent if no-autostart is active. (authored by • werner).
Do not launch gpg-agent if no-autostart is active.
• gniibe committed rS1a87b2f26ad9: Add option to return leaf certificate only. (authored by gouttegd).
Add option to return leaf certificate only.
• gniibe committed rS819009a5a782: Avoid segv in case of a MISSING_KEY error. (authored by • werner).
Avoid segv in case of a MISSING_KEY error.