That should be easy on Unix but on Windows we have the nul nul: and iirc also /dev/nul.

ack

In T6556#175399, @werner wrote:

@iklocker: Which gpg bug to you mean?

@werner: What do you mean by "We have a fix for now"? Are you referring to @gniibe's patch?

We have a fix for now and thus I lower the priority. Given that EasyPG mimics the GPGME API we should here also use another pipe to convey the passphrase (e.g. for symmetric encryption).

@iklocker: Which gpg bug to you mean?

This is hopefully resolved. Setting to done because the fix cannot be verified with our builds of Kleopatra.

It also doesn't occur with the AppImage (Do we build a debug or unoptimized build for the AppImage?).

The problem doesn't occur with the development build. It also doesn't seem to occur with our Windows build.

Well 5.4.2 o.O and we on Tumbleweed are at 13.x gcc

I found this in the change log of Qt 5.4.2:

- On x86 and x86-64 systems with ELF binaries (especially Linux), due to
  a new optimization in GCC 5.x in combination with a recent version of
  GNU binutils, compiling Qt applications with -fPIE is no longer
  enough with GCC 5.x. Applications now need to be compiled with
  the -fPIC option if Qt's option "reduce relocations" is active. For
  backward compatibility only, Qt accepts the use of -fPIE for GCC 4.x
  versions.
  Note that Clang is known to generate incompatible code even with -fPIC if
  the -flto option is active.

So I think that the problem here is that ArchLinux either does not build Qt6 with -fPIC or it does and others don't and that our check for wether or not to add -fPIC is not really working as it should. When compiling executables we should also add -fPIE instead of -fPIC.

I found this related to that: https://sourceware.org/bugzilla/show_bug.cgi?id=28875

I have analyzed this. In the ribbon we get a mailitem OOM object as reference, but that can be a different pointer then the one we used for decryption / verification. Our trick for this was to assign mailitems a custom uuid property and then look for that from the riboon pointer so that we can update accoringly with our internal Mail object representation.

Fixed. I'll copy the ideas in comment T6698#175165 to a separate task.

At least GnuPG only shows the most recent key signature tag. So if we leave it out when adding another signature then we remove this.

Yes remove this / leave this empty. I think the idea was that if you certify lots of users and wanted to have the same tag. But I guess that would be covered by bulk signing anyway and can actually be more trouble if you accidentally use the wrong tag.

Compiles for me, too with Qt 6.5.2 from tumbleweed.

Fixed. Backport? (Depends on first preparations for bulk certification and is probably not really relevant for VSD.)

The official build for Arch Linux doesn't seem to run into this problem. The Qt6 build is configured with

./configure \
  --prefix=/usr \
  --disable-fd-passing \
  --disable-static \
  --disable-gpgsm-test \
  --enable-languages=cpp,qt6

See https://archlinux.org/packages/core/x86_64/gpgme/

Thanks. For the record, done at https://lists.gnupg.org/pipermail/gnupg-users/2023-August/066692.html.

BTW. you should use gpg --quick-set-expire FINGERPRINT 5y this is easier for scripting. Using
--export-options no-export-clean should keep the old signatures.

gpg only uses the latest self-signatures and ignores old one. Thus I do not understand your problem.

Changed the task description to easier find it

Hi,
This is a classical support question. Please use one of the community channels under:
https://www.gpg4win.de/community.html
for this.

Fixed. Removing Gentoo tag because it's not Gentoo-specific.

It may be better to open a separate issue for the issue in gpg, so that it's not overlooked/forgotten when the issue in gpgtar is fixed.

That is intentional. If we are able to remove a file we do it. Solution for you is easy: gpg .... -o - </dev/null >/dev/null

That is intentional. If we are able to remove a file we do it. Solution for you is easy: gpg .... -o - </dev/null >/dev/null

This looks like the same problem I encountered in Gentoo's Portage. To unlock the binary package signing key, Portage will run the equivalent of gpg --homedir ... --digest-algo ... --local-user ... --output /dev/null /dev/null. If unlocking fails (due to e.g. wrong password), /dev/null is removed: https://bugs.gentoo.org/912808

Needs to be checked for 2.4 - no backport to 2.2, though.

Needs to be checked again with stable. No backport to 2..2, though.

Won't be backported to 2.2 once we got something in 2.4.

Ok. Thanks for testing. That confirms my suspicion. rOdd3ff8397aaf62e58fa9405ddc5397cb6bcfdc29 is to blame here with the setReadFlag line as the specific cause. Because it is intended to trigger a save back. The problem was that we had circumstances where other addins changed the mail and really wanted it to be saved back to the server. So we call "save" before decrypting the mail to ensure that these changes are saved and then we decrypt, put in our temporary plaintext and ensure that the plaintext never is saved.

I testet it with 4.10 and GggOL 2.5.6. The file isn't changed if I open it. So it seems the change happend in 4.2.0.

Do you know if this is something new that started to happen with 4.2.0 for the first time or did it happen with 4.1.0, too?

I'll swap us over to out of source build for this as well. I've been doing it gradually for the gpg suite. Thanks.

The following patch fixes this (for me):

diff --git a/lang/qt/tests/Makefile.am b/lang/qt/tests/Makefile.am
index 32ad6466..aedd3264 100644
--- a/lang/qt/tests/Makefile.am
+++ b/lang/qt/tests/Makefile.am
@@ -51,10 +51,10 @@ LDADD = ../../cpp/src/libgpgmepp.la ../src/libqgpgme.la \
         ../../../src/libgpgme.la @GPGME_QT5_LIBS@ @GPG_ERROR_LIBS@ \
         @GPGME_QT5TEST_LIBS@ @LDADD_FOR_TESTS_KLUDGE@ -lstdc++

This happens because you build in the source directory and therefore the wrong debug.h is found. While this should work in general we strongly suggest to use a separate build directory.

No problem ;) Sorry for my snarky reply. Hope it worked for you now.

Noticed this issue was still open. This was resolved.

OK, I'm sorry, please accept my apologies for not having read the dialog message carefully enough. It seems I ignore the second sentence, replacing it with the omnipresent "Do you want to continue?" in my mind. Maybe the excuse is that it was terribly hot and damp in my office, preventing me from thinking.

😂 Skandal! Ein BUG!: "Möchten Sie die Installation ohne Administrator-Rechte fortfahren?" und Sie sagen "Nein". Ja dann brechen wir ab weil sie eben *nicht* fortfahren wollen.

Strong objection to close: When answering the question with "no", installation aborts!

This could have something to do with our changes to g4wihelp.c to adapt to the new plugin API.

You can install Gpg4win without admin rights. It requests "Highest available" rights by default to be installed into the protected Program Files (x86) folder. When you are not in the Administrators group It will install into your home directory much like firefox does. Any maybe if you don't want to leave a footprint installing Gpg4win on the System (without admin rights) where you don't have admin rights is kind of beside the point. You either leave a footprint by the installation or you could just use the installed Gpg4win there.

Pushed the change to:

• libgpg-error
• libassuan master
• libgcrypt master
• ntbtls
• npth
• libksba
• gpgme
• scute

Yes, gpgtar emits a SUCCESS status. gpgme should probably check for this.

[For bug reports please don't refer to some other site - at least a brief but useful description should always be included]

I mostly used ed25519 keys and thus I do the avove command pretty often without problems. Can you please add

-v --debug lookup

to the command line show us the log (send privately to my standard mail address (wk@gnu...) if you feel that data is too sensitive for the public).

Thank you. that worked. A pitty gpgv can't read from fd using process substitution

7b7e16ae923d:/data/loglib# gpgv --keyring <(gpg -o - --dearmor ../ecs.keys) jul-ecs-formatter-1.5.0.jar.as
c jul-ecs-formatter-1.5.0.jar
gpg: WARNING: unsafe permissions on homedir '/root/.gnupg'
gpgv: Signature made Sun Aug 21 07:52:24 2022 UTC
gpgv:                using RSA key 46095ACC8548582C1A2699A9D27D666CD88E42B4
gpgv: Can't check signature: No public key

But I had two steps even before, so this could work.

7b7e16ae923d:/data/loglib# gpgv --keyring ../ecs.keys.gpg jul-ecs-formatter-1.5.0.jar.asc jul-ecs-formatte
r-1.5.0.jar
gpgv: Signature made Sun Aug 21 07:52:24 2022 UTC
gpgv:                using RSA key 46095ACC8548582C1A2699A9D27D666CD88E42B4
gpgv: Good signature from "Elasticsearch (Elasticsearch Signing Key) <dev_ops@elasticsearch.org>"

gpgv might not support ASCII armored key files. Try with a binary key file.

Hi, thanks for prompt response. I have just bunch of public keys I want to verify against. They have form of
-----BEGIN PGP PUBLIC KEY BLOCK-----. If I try using the key file as a keyring I get error.

I think you should simply use gpgv for verifying signatures. gpgv exists for exactly this use case. You don't even have to import anything because you can directly pass a keyring to gpgv.

without understanding more of your setup, which user starts it with which rights and when and so on we cannot really help you here. This is a classical support question. You might want to check the permissions on the lock file. Maybe they are created by a user with higher privileges e.g. to interactively manage the keys, and then the batch user comes along and does not have the permission to obtain or create the lock file. My suggestion would indeed be to use the --homedir parameter in the batch script and ensure that the user has full access rights to that folder and no "Adminstrator" messes with the files / permissions in there.

I pushed the commit: rE64532db11fcd: build: New configure option --with-libtool-modification.

Okay, will go into the next revision. Thanks.

Thanks for the reply!

The patch to the specs would be this:

        The three data items hashed for document signatures need to
-       mirror the values of the Literal Data packet.  For detached
-       and cleartext signatures 6 zero bytes are hashed instead.
+       mirror the values of the Literal Data packet.  Note that for a
+       detached signatures this means to hash 6 0x00 octets and for a
+       cleartext signature this means to hash a 't' followed by 5 0x00
+       octets.

Regading your first point: From gnupg (2.4) sign.c:hash_sigversion_to_magic