Dec 20 2020
Dec 18 2020
Dec 14 2020
lopter added a comment to T2291: Smartcard interaction improvement (was: Shadowed private key design (for smartcard)).
• gniibe added a comment to T2291: Smartcard interaction improvement (was: Shadowed private key design (for smartcard)).
Thank you for testing.
For the issue #1, I think it is the problem of rG1cd615afe301: gpg,card: Allow no version information of Yubikey., which is fixed already. This was introduced by the support of PIV feature of Yubikey.
Dec 12 2020
lopter added a comment to T2291: Smartcard interaction improvement (was: Shadowed private key design (for smartcard)).
Report on some testing using master:
Dec 11 2020
• werner closed T5178: scdaemon will throw "app_decipher failed" if "gpg --card-status" not issued beforehand as Resolved.
Dec 10 2020
Dec 7 2020
• gniibe changed the status of T5163: Cannot import NIST-P521 key to OpenPGP v3.3 smart card from Open to Testing.
Backported.
We need another patch, because there are two places for gpg --card-edit and gpg-card to check OpenPGPcard's version number if it's >= 2 or not.
Dec 4 2020
Valodim added a comment to T4163: hkps://hkps.pool.sks-keyservers.net has to many bad servers to be a good default.
Perhaps of interest for this issue: the HKPS pool has consisted of only a single server for a couple of months now.
• gniibe added a comment to T2291: Smartcard interaction improvement (was: Shadowed private key design (for smartcard)).
In T2291#139821, @lopter wrote:if I am running master, it is now possible to have a setup where the same encryption key is shared by and usable from multiple smart cards?
lopter added a comment to T2291: Smartcard interaction improvement (was: Shadowed private key design (for smartcard)).
Thank you for all the work! Does it mean that, if I am running master, it is now possible to have a setup where the same encryption key is shared by and usable from multiple smart cards?
Dec 3 2020
• gniibe edited projects for T5163: Cannot import NIST-P521 key to OpenPGP v3.3 smart card, added: gnupg, backport; removed gnupg (gpg22).
Fixed in master. I will backport to 2.2.
Nov 27 2020
This has been fixed for Unix on 2.2 and 2.3. The command line fix for Windows is a larger thing already tracked by T4398.
• werner closed T5038: UTF-8 handling in the command line, a subtask of T1514: charset weirdness with non-ascii User IDs under non-UTF-8 locales, as Resolved.
• werner closed T1514: charset weirdness with non-ascii User IDs under non-UTF-8 locales as Resolved.
We changed the fallback to utf-8 in 2.2 and 2.3 and thus this bug can be closed. On Windows there is still the problem with the command line. However, this is better tracked with T5038 and its related tasks.
• werner added a parent task for T5038: UTF-8 handling in the command line: T4398: Rework Console and command line handling on Windows.
• werner added a project to T4614: GPG: Cancel on pinpad hangs decryption process for 20 seconds: backport.
• gniibe changed the status of T4614: GPG: Cancel on pinpad hangs decryption process for 20 seconds from Open to Testing.
Finally, with the physical device, I figured out what's going on.
The error handling in bulk_in in ccid-driver.c is not good for pinpad input.
It doesn't return an error when it is cancelled or times out (for the user interaction).
And it calls libusb_clear_halt, which causes a screwed-up situation.
Nov 26 2020
Sorry, I realized this myself this morning and did a couple of fixes. rG7113263a00d8 does this all, however I forgot to mention the bug number.
Argh. The following patch replaces the previous patch. It fixes the calculation of the display serial number.
I think the calculation of the OpenPGP s/n is not correct. As you write, "Yubico seems to use the decimalized version of their S/N as the OpenPGP card S/N." This matches my observation for my Yubikey:
s/n printed on Yubikey: 9074582
Yubikey s/n (with our prefix): FF020001008A7796
OpenPGP AID: D2760001240102010006090745820000
Nov 25 2020
Great. Please apply the patch.
Nov 24 2020
Okay, I now got such a patch:
0001-scd-Rework-the-handling-of-the-displayed-serial-numb.patch16 KBDownload
I found a good enough solution: I changed the code to compute the OpenPGP s/n from the Yubikey s/n right after a Yubikey has been detected. Later, and if OpenPGP is enabled on the YK, the S/N is already there but we use the S/N from the 0x4f DO. That is needed because we can't compute the OpenPGP version number ahead and use 0.0 in the S/N.
Please use a shorter password.
For gpgsm, the maximum is 31 chars.
Nov 23 2020
• werner edited projects for T5084: Using GPGWin 3.1.13, Putty fails to load the private key from a YubiKey, added: gnupg; removed gnupg (gpg22).
Removing 2.2 tag because it has been fixed in one of the last releases.
• werner edited projects for T5114: GnuPG fails to import back generated and exported EdDSA secret key., added: gnupg; removed gnupg (gpg22).
It's done for 2.2, thus changing the tag.
Nov 20 2020
How about distinguishing CARDNO and application specific SERIALNO?
Nov 18 2020
• gniibe closed T5086: GnuPG fails to generate keys on-card in versions 2.2.22 and 2.2.23 as Resolved.
Nov 17 2020
• werner changed the status of T4616: Smartcard: Card reset required - It should be automatic from Open to Testing.
A fix has been released; see T5052.
Nov 16 2020
• gniibe renamed T4956: agent: Discrepancy of handling MPI for the interpretation of signed and unsigned from agent: Disrepancy of handling MPI for the interpretation of signed and unsigned to agent: Discrepancy of handling MPI for the interpretation of signed and unsigned.
Nov 12 2020
BTW, the idea is to fade out support for gpg --card-status and --card-edit. Thus no new features there. New features shall only go into gpg-card.
Fixing --card-status is definitely a good idea. gpg-card shows almost the same information as gpg --card-status except that it shows the correct "Version" and "Serial number". It would probably make sense to unify the code of --card-status and gpg-card's list command.
Let me describe current situation.
Nov 11 2020
I just noticed that gpg --card-status now prints a bogus OpenPGP version number for my Yubikey. And it prints an empty serial number.
# gpg --card-status
Reader ...........: 1050:0407:X:0
Application ID ...: FF020001008A7796
Application type .: OpenPGP
Version ..........: 77.96
Manufacturer .....: Yubico
Serial number ....:
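Worked example, added for this page and not GnuPG's own code, tying together the two serial number forms quoted in the Nov 26 comment above (the Yubikey s/n FF020001008A7796 and the OpenPGP AID D2760001240102010006090745820000) with the bogus output in this comment. It parses an OpenPGP card AID, decodes the Yubikey serial string, derives the AID from the Yubikey s/n the way the Nov 24 comment describes (decimalised serial, version 0.0), and shows that rendering the Yubikey string as if it were an AID gives exactly "Version 77.96" with an empty serial. The 4-byte FF020001 prefix layout, the one-entry manufacturer table and the display convention for the version digits are assumptions made for the example.

```python
"""Decode the two serial-number forms discussed in this thread.

Added example for this page; it is not GnuPG's code.  The OpenPGP card AID
layout follows the OpenPGP card specification:
RID (5 bytes, D276000124) | app (1 byte, 01) | version (2) | manufacturer (2)
| serial (4 bytes, written as 8 decimal digits) | RFU (2).  The layout of
GnuPG's Yubikey serial string (4-byte prefix FF020001 followed by the
4-byte big-endian Yubikey serial) is an assumption that matches the two
values quoted in the thread; the manufacturer table is a one-entry subset.
"""

OPENPGP_RID = "D276000124"
OPENPGP_APP = "01"
YUBIKEY_PREFIX = "FF020001"          # assumed 4-byte prefix
MANUFACTURERS = {0x0006: "Yubico"}   # subset, only what this page needs

# Sample values, copied from the thread (werner, Nov 26 2020).
YUBIKEY_SERIALNO = "FF020001008A7796"
OPENPGP_AID = "D2760001240102010006090745820000"


def parse_openpgp_aid(aid):
    """Return version, manufacturer and decimal serial of an OpenPGP card AID."""
    aid = aid.upper()
    if len(aid) != 32 or not aid.startswith(OPENPGP_RID + OPENPGP_APP):
        raise ValueError("not an OpenPGP card AID: %r" % aid)
    serial_digits = aid[20:28]
    if not serial_digits.isdigit():
        raise ValueError("serial field is not decimal: %r" % serial_digits)
    manufacturer = int(aid[16:20], 16)
    return {
        "version": (int(aid[12:14], 16), int(aid[14:16], 16)),
        "manufacturer": manufacturer,
        "manufacturer_name": MANUFACTURERS.get(manufacturer, "unknown"),
        "serial": int(serial_digits),   # 09074582 -> 9074582
    }


def parse_yubikey_serialno(serialno):
    """Return the Yubikey serial (the number printed on the key) as an int."""
    serialno = serialno.upper()
    if len(serialno) != 16 or not serialno.startswith(YUBIKEY_PREFIX):
        raise ValueError("not a Yubikey serial string: %r" % serialno)
    return int(serialno[8:16], 16)     # 008A7796 -> 9074582


def openpgp_aid_from_yubikey(serialno, version=(0, 0)):
    """Build the OpenPGP AID from a Yubikey serial string.

    Yubico uses the decimalised Yubikey serial as the OpenPGP card serial,
    so 9074582 becomes the digit field 09074582.  The card version cannot
    be known before the OpenPGP app is selected, so it defaults to 0.0,
    as the Nov 24 comment describes."""
    serial = parse_yubikey_serialno(serialno)
    if serial > 99999999:
        raise ValueError("serial %d does not fit in 8 decimal digits" % serial)
    return "%s%s%02X%02X%04X%08d0000" % (
        OPENPGP_RID, OPENPGP_APP, version[0], version[1], 0x0006, serial)


def naive_card_status_fields(serialno):
    """Render version and serial the way a display routine that blindly
    assumes an OpenPGP AID would: hex chars 12-15 as major.minor with
    leading zeros dropped, chars 20-27 as the serial.  Fed the Yubikey
    serial string instead of an AID this yields 'Version 77.96' and an
    empty serial, i.e. the bug reproduced, not the fix."""
    if len(serialno) < 16:
        raise ValueError("too short for a version field: %r" % serialno)
    major = serialno[12:14].lstrip("0") or "0"
    minor = serialno[14:16].lstrip("0") or "0"
    return {"version": "%s.%s" % (major, minor), "serial": serialno[20:28]}


def describe_card(serialno):
    """Dispatch on the serial string's prefix instead of assuming an AID."""
    serialno = serialno.upper()
    if serialno.startswith(OPENPGP_RID):
        return parse_openpgp_aid(serialno)
    if serialno.startswith(YUBIKEY_PREFIX):
        return parse_openpgp_aid(openpgp_aid_from_yubikey(serialno))
    raise ValueError("unknown serial number format: %r" % serialno)


if __name__ == "__main__":
    print("bogus  :", naive_card_status_fields(YUBIKEY_SERIALNO))
    print("yubikey:", describe_card(YUBIKEY_SERIALNO))
    print("openpgp:", describe_card(OPENPGP_AID))
```

Both serial strings decode to the same number, 9074582, which is the decimalised-serial relationship werner observed; the only thing the derived AID lacks is the real card version, hence 0.0 until the OpenPGP application has been selected and the 0x4f DO can be read.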
Nov 10 2020
"Revoke Certification(s)" is available in
- Certifications Overview as context menu option for the user IDs
- Certifications Overview as context menu option for the signatures
- Certificate Details as context menu option for the user IDs
- Certificate Overview (aka key list) as context menu option for keys
- Certificate Overview (aka key list) as menu entry of Certificates menu
• gniibe changed the status of T5086: GnuPG fails to generate keys on-card in versions 2.2.22 and 2.2.23 from Open to Testing.
For 2.2, rG61aea64b3c17: scd: Fix the use case of verify_chv2 by CHECKPIN. fixed this problem.
It's fixed in master by T3465: --pinentry-mode loopback with --delete-secret-keys, with new confirmation interaction.
For 2.2, you can use --batch and --yes, see T4667: "gpg: deleting secret key failed: No pinentry" when in --batch mode with --pinentry=loopback.
Nov 9 2020
Nov 5 2020
• gniibe changed the status of T5121: a race condition between intr_cb call back and libusb_free_transfer in do_close_reader from Open to Testing.
Nov 4 2020
• gniibe changed the status of T5116: GnuPG master shows an error when importing Ed25519 keys generated from Open to Testing.
Nov 3 2020
• werner renamed T5119: TOFU messages are not completely and correctly localized to German from Messages are not completely and correctly localized to German to TOFO messages are not completely and correctly localized to German.
Nov 2 2020
• werner added a comment to T5110: Primary Key Binding Signature not updated when updating Subkey Binding Signature.
Note: menu_backsign can be enhanced to detect such a case in the same way it detects missing backsigs.
We should find a way to figure out the OpenPGP S/N even if OpenPGP is disabled. I'll ask Yubico.
Oct 29 2020
ikloecker added a comment to T4584: --quick-sign-key offers no way to override a current certification.
There is another problem: Even if the first certification was revoked, trying to add a new certification with --quick-sign-key fails because '"user id" was already signed by key ...'
Oct 28 2020
I have tested this with Kleopatra. The good news is that SCD GETATTR $DISPSERIALNO now works for the piv app even if the openpgp app is enabled.
Unfortunately this new release has a regression affecting users with non-ascii account names. See T5098.
Oct 27 2020
I am already working on it. The gpg command will be
I missed this one because I only searched for "revoke" ;-)
Seems to be a duplicate of T4095
• gniibe changed the status of T5100: OpenPGP app overwrites Yubikey serial number from Open to Testing.
Oct 23 2020
• werner triaged T5110: Primary Key Binding Signature not updated when updating Subkey Binding Signature as Normal priority.
Only enabled for UNIX #ifdef/#else/#endif
I had overlooked this fix rG044379772fc5: common: Fix the previous commit., after the commit of rGb1c56cf9e2bb: common: Use gnupg_spawn_process_fd to invoke gpg-agent/dirmngr..
Oct 21 2020
Oct 10 2020
Oct 8 2020
I'm testing:
diff --git a/agent/findkey.c b/agent/findkey.c index fa9e5b548..eec85ba67 100644 --- a/agent/findkey.c +++ b/agent/findkey.c @@ -996,7 +996,10 @@ agent_key_from_file (ctrl_t ctrl, const char *cache_nonce, if (r_passphrase) *r_passphrase = NULL;
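Review bot: the hunk header @@ -996,7 +996,10 @@ announces three added lines in agent_key_from_file, but the body as posted contains only the unchanged context "if (r_passphrase) *r_passphrase = NULL;" and no "+" lines, so the actual change cannot be reviewed or applied from this comment; please attach the complete patch file or reference the rG commit id once it is pushed.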
Oct 6 2020
aheinecke assigned T5098: Gpg4win problems for Windows Users with some non-ASCII account names to • werner.
We understand the problem, it's a regression from August. For T4083 we changed an internal function to better work with Windows UTF-16 filenames in preparation to at some point fully support UTF-16 and only use the wide character functions as system calls.
But that broke places where internally the local 8 bit encoding was still used.
bernhard updated the task description for T5098: Gpg4win problems for Windows Users with some non-ASCII account names.
aheinecke triaged T5098: Gpg4win problems for Windows Users with some non-ASCII account names as High priority.
I can reproduce this.
bernhard added a comment to T5098: Gpg4win problems for Windows Users with some non-ASCII account names.
Observation:
The umlaut is displayed incorrectly on the command line (cmd.app) when the keybox file is created.
(This may or may not be relevant.)
bernhard changed External Link from https://wald.intevation.org/forum/message.php?msg_id=7473 to https://wald.intevation.org/forum/forum.php?thread_id=2243&forum_id=84&group_id=11 on T5098: Gpg4win problems for Windows Users with some non-ASCII account names.
bernhard added projects to T5098: Gpg4win problems for Windows Users with some non-ASCII account names: Windows, gnupg.
Oct 5 2020
Should not be too complicated.
Part of the task is the plumbing for that in GPGME of course, I'm not sure if werner will do the core "C" part directly or if you could do this also. But first let's get it added to GnuPG.
aheinecke added a subtask for T5093: GnuPG: Add quick-revsig: T5094: Kleopatra: Add "revsig" support.
aheinecke added a parent task for T5094: Kleopatra: Add "revsig" support: T5093: GnuPG: Add quick-revsig.
Sep 28 2020
With 2.3 we add the keyboxd which uses sqlite (and thus indices) as database. This makes lookups much much faster and avoids problems with several processes accessing the pubring.kbx. If you want to try this you can do so with 2.3:
Sep 10 2020
• werner closed T2312: GnuPG 2.1 migration fails due to permissions but appears to succeed as Resolved.
It should be possible to apply the patch rG7de9ed521e516879a72ec6ff6400aed4bdce5920
for 2.2 also to older 2.1 or 2.2 versions,
Sep 9 2020
• werner added a comment to T2312: GnuPG 2.1 migration fails due to permissions but appears to succeed.
That keeps the group permissions of an existing directory. Needs to be backported to 2.2
• werner reopened T2312: GnuPG 2.1 migration fails due to permissions but appears to succeed as "Open".
The fix we have there has the problem that it forcefully changes the permissions. Consider the case, for example, that group access was provided, which will currently be reset with each start of gpg-agent.
bernhard added a comment to T5028: gpg --locate-key should refetch via wkd, if configured and no good pubkey found.
--locate-external-keys exists since 2.2.17 and ignores the local keys.
Sep 4 2020
See
https://lists.wald.intevation.org/pipermail/gpg4win-announce/2020-September/000089.html
for the fixed Gpg4win 3.1.13