In T6195#163175, @werner wrote:keyboxd has nothing to do with this, it merely makes the lookup of keys a bit faster. The computation of the WoT itself takes long and there is no shortcut for it. Fortunately most users don't have a deeply meshed WoT with dedicated revokers etc., thus for them things are fast in the standard configuration.
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Feed Advanced Search
Advanced Search
Advanced Search
Sep 15 2022
Sep 15 2022
Sep 14 2022
Sep 14 2022
keyboxd has nothing to do with this, it merely makes the lookup of keys a bit faster. The computation of the WoT itself takes long and there is no shortcut for it. Fortunately most users don't have a deeply meshed WoT with dedicated revokers etc., thus for them things are fast in the standard configuration.
I agree. We have to get rid of auto check trustdb and such stuff. I always found that impossible to program around because it either takes a long time (check-trustdb) or it might return invalid results (no check).
The solution for this is keyboxd.
If you run gpg --export-ownertrust you will notice that the trust has been set to ultimate (value is 6). However, due to the no-auto-check-trustdb in your gpg.conf that will valeu will only be shown after running gpg --check-trustdb. The value shown in the key listing is the computed value and the computation is done by --check-trustdb. I don't see a bug here.
Pushed changes.
Sep 13 2022
Sep 13 2022
ikloecker changed the status of T6187: Kleopatra: Import of p12 file fails with "invalid crypto engine" from Open to Testing.
The export/backup of the secret part of S/MIME certificates has been fixed with T6189: Secret key backup of S/MIME certificate creates bad result. An exported certificate should now be imported without problems.
Sep 12 2022
Sep 12 2022
ikloecker added a comment to T6187: Kleopatra: Import of p12 file fails with "invalid crypto engine".
Now "BER error" is reported, if the user tries to import a .p8 certificate. (The certificate exported by Kleopatra wasn't stored as PKCS#12, but presumably as PKCS#8 which gpgsm cannot import. See T6189: Secret key backup of S/MIME certificate creates bad result.)
Sep 9 2022
Sep 9 2022
• aheinecke closed T6190: GPGSM: Import / Export of raw and p8 certs / containers broken as Invalid.
--import [files] Import the certificates from the PEM or binary encoded files as well as from signed-only messages. This command may also be used to import a secret key from a PKCS#12 file.
Sep 8 2022
Sep 8 2022
Sep 7 2022
Sep 7 2022
• werner added a comment to T6187: Kleopatra: Import of p12 file fails with "invalid crypto engine".
BTW, gnupg/doc/DETAILS tells that the fingerprint is optional:
• gniibe added a comment to T6187: Kleopatra: Import of p12 file fails with "invalid crypto engine".
Pushed the fix for GPG_ERR_INV_ENGINE.
• gniibe added a comment to T6187: Kleopatra: Import of p12 file fails with "invalid crypto engine".
gpgsm may emit S IMPORT_PROBLEM 1 (with no fingerprint information) when it cannot find valid fingerprint.
I think that this case should be handled correctly by GPGME, not returning GPG_ERR_INV_ENGINE.
Sep 6 2022
Sep 6 2022
• aheinecke lowered the priority of T6190: GPGSM: Import / Export of raw and p8 certs / containers broken from Normal to Low.
• aheinecke renamed T6190: GPGSM: Import / Export of raw and p8 certs / containers broken from GPGSM: Import / Epxort of raw and p8 certs / containers broken to GPGSM: Import / Export of raw and p8 certs / containers broken.
• aheinecke closed T6189: Secret key backup of S/MIME certificate creates bad result, a subtask of T6190: GPGSM: Import / Export of raw and p8 certs / containers broken, as Resolved.
• aheinecke triaged T6190: GPGSM: Import / Export of raw and p8 certs / containers broken as Normal priority.
• aheinecke added a comment to T6187: Kleopatra: Import of p12 file fails with "invalid crypto engine".
Ok. That is about the Invalid Crypto Engine. But this does not explain why a .p12 export via Kleopatra leads to this error when we export a valid certificate. The same thing I do with Kleopatra on the Command Line works:
ikloecker placed T6187: Kleopatra: Import of p12 file fails with "invalid crypto engine" up for grabs.
The error is generated in parse_import in gpgme/src/import.c:
if (errno || args == tail || *tail != ' ') { /* The crypto backend does not behave. */ free (import); return trace_gpg_error (GPG_ERR_INV_ENGINE); }
Sep 3 2022
Sep 3 2022
• werner triaged T6185: `gpg2 --list-keys --with-colons > /dev/full` exits with status 0 as Low priority.
The more relavant error is that there is no status output on failure which is what gpgme uses (due to double forking).
gpgv returns success iff the signature is valid. That is the whole purpose of this tool.
Sep 2 2022
Sep 2 2022
ikloecker added a comment to T5620: GnuPG, pinentry: Passphrase pattern error / warning does not match new logic.
I have introduced this hint exactly because it's impossible to describe the rules automatically.
ikloecker added a comment to T5620: GnuPG, pinentry: Passphrase pattern error / warning does not match new logic.
These hints are taken from the help.txt file.
ikloecker added a comment to T5620: GnuPG, pinentry: Passphrase pattern error / warning does not match new logic.
gpg-agent passes to pinentry a short and a long hint for the passphrase constraints (see constraints-hint-* in pinentry.texi). If these hints are set, then pinentry shows them even before the user has started to enter a passphrase. The error message can then simply be "Read the hint, stupid!". Just kidding, of course.
Can you please give a more detailed example with regedit files to demonstrate that?
• werner lowered the priority of T5620: GnuPG, pinentry: Passphrase pattern error / warning does not match new logic from Normal to Low.
Can't we get them from the help.txt file? Putting a tooltip into the pattern file would be an option but needs substantial changes,
Aug 31 2022
Aug 31 2022
• werner added a comment to T6173: Invalid signing-key when doing a signature-check of GnuPG installer-packages, signed by Werner Koch's signing-key in de-vs Mode (aka VS-NfD Mode).
Small correction: We don't have replicas of our code signing key. I mistook this with out Authenticode signing key.
Aug 30 2022
Aug 30 2022
• werner triaged T6174: Option --require-comliance does not work in sign+encrypt mode as High priority.
• werner edited projects for T6173: Invalid signing-key when doing a signature-check of GnuPG installer-packages, signed by Werner Koch's signing-key in de-vs Mode (aka VS-NfD Mode), added: workaround, Restricted Project; removed gpg4win.
In general I use my standard ed25519 signing token for all software. However, GnuPG VS-Desktop is signed using a Brainpool key named GnuPG.com (stored on a smartcard with 2 replicas) for the simple reason that it does not raise questions when ppl update their GnuPG VS-Desktop and run into a non-compliant key.
• gniibe added a comment to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.
In the situation of a certificate about to be expired in the cache:
dkg added a comment to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.
Thanks, @gniibe -- i agree that this change to put_cert should be helpful, when encountering a certificate that is already invalid.
Aug 26 2022
Aug 26 2022
• gniibe added a comment to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.
rejecting an intermediate certificate too.
• gniibe added a project to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired: Restricted Project.
Pushed the change of mine to master, since I can confirm that it results validate_cert_chain working better, because of put_cert's rejecting an intermediate certificate too.
Aug 25 2022
Aug 25 2022
• werner triaged T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired as Wishlist priority.
• werner added a comment to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.
@dkg: Thanks for the detailed description of the problem.
• gniibe added a comment to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.
Thank you @dkg for the analysis. Unfortunately, the certificate cache is hashed by SHA-1 FPR, so, I think that it is a bit difficult to implement moving certs "front" / "back".
dkg reopened T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired as "Open".
Thanks for the followup about R3, @mpilgrem! Looking at your logs in more details, and the source code for find_cert_bysubject in dirmngr/certcache.c, i think i see what the issue is. It's slightly more subtle than not terminating early if a known trusted root can validate a truncated chain.
Aug 24 2022
Aug 24 2022
dkg added a comment to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.
@mpilgrem, i'm glad that removing the DST Root CA X3 from your windows control panel worked for you, but it still doesn't seem to be a reasonable fix from a GnuPG user perspective
The PKCS#12 import was a late add-on because I consider P#12 to be a nasty and insecure format. Unfortunately it survived and is now the mainly used interchange format. Eventually we need to improve things here. However, ppl should use smartcards for S/MIME.
If you use an IP address there is no server name and thus a) TLS can't check the name and b) virtual servers won't work. But as you stated this is not the problem: With rGb231959728a0056 (T2924) https is handled in another way than hkps.
Now, that change was only applied to KS_GET and not to KS_SEARCH. This is kind of correct but shows this surprising behaviour: For the preferred keyserver we really want to do a plain fetch and don't have all the hkp ip/name mapping we do.
• aheinecke renamed T6153: Kleopatra: No error when import from Keyserver fails from Kleopatra: Import from keyserver does not work to Kleopatra: No error when import from Keyserver fails.
mpilgrem added a comment to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.
Doing the same thing on my second PC, I can be more precise:
Valodim reopened T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired as "Open".
I'll reopen this ticket here, since the underlying issue is not quite resolved yet as @dkg helpfully outlined above.
mpilgrem added a comment to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.
Thank you dkg. I am new to 'certificates' generally - and a little knowledge is a dangerous thing - but this is what I did:
Aug 23 2022
Aug 23 2022
dkg added a comment to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.
@mpilgrem: in the meantime, for connecting to keys.openpgp.org, which *has* cleaned up its certificate chain, you might also want to try killing your dirmngr process, and/or cleaning up the data in .gnupg/dirmngr-cache.d/.
dkg added a comment to T6142: On Windows, gpg 2.3.7 thinks the certificates of major keyservers have expired.
Basically, the website in question (e.g. https://openpgpkey.gnupg.org/, which exhibits this problem) serves up three certificates:
Aug 17 2022
Aug 17 2022
• aheinecke triaged T6138: gpgconf: List auto-key-import and include-key-block again as Normal priority.
Aug 15 2022
Aug 15 2022
• aheinecke moved T6119: GnuPG: Compliance mode status omitted when decrypting combined symmetric and asymmetric data from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Aug 2 2022
Aug 2 2022
• werner added a project to T6119: GnuPG: Compliance mode status omitted when decrypting combined symmetric and asymmetric data: Restricted Project.
Fixed in 2.2 and master. Did a couple of manual tests using 2.2 on Linux. gpgsplit comes handy to add a couple more tag-3 packets (same algos or one patched to camellia for the negative test)
• werner added a comment to T6119: GnuPG: Compliance mode status omitted when decrypting combined symmetric and asymmetric data.
This also points out that the cipher algos and modes of the symmetric encrypted session key packets where never checked for compliance. We only checked the compliance of the bulk encryption cipher algo.
• aheinecke renamed T6119: GnuPG: Compliance mode status omitted when decrypting combined symmetric and asymmetric data from GnuPG: Complaince mode status omitted when decrypting combined symmetric and asymmetric data to GnuPG: Compliance mode status omitted when decrypting combined symmetric and asymmetric data.
• aheinecke added a comment to T6119: GnuPG: Compliance mode status omitted when decrypting combined symmetric and asymmetric data.
This was added in b03fab09e188f7bb10237d4f20455e4026737e4e
• aheinecke added a comment to T6119: GnuPG: Compliance mode status omitted when decrypting combined symmetric and asymmetric data.
Oh, there appears to be a reason for that. In line 699 of mainproc.c:
/* Symmetric encryption and asymmetric encryption voids compliance. */ && (c->symkeys != !!c->pkenc_list )
Aug 1 2022
Aug 1 2022
Jul 28 2022
Jul 28 2022
• werner closed T6063: GnuPG: Ignore invalid hash algorithm preferences when signing & encrypting combined as Resolved.
• aheinecke added a comment to T6063: GnuPG: Ignore invalid hash algorithm preferences when signing & encrypting combined.
Yes, I think that makes sense in the way that we want to provide the best user experience for our own users even if they communicate with communication partners which creates problematic keys.
• werner added a comment to T6063: GnuPG: Ignore invalid hash algorithm preferences when signing & encrypting combined.
In de-vs mode we could change the implict algorithm from SHA-1 to SHA-256. That should solve the problem.
Jul 27 2022
Jul 27 2022
@werner Could these two patches could be backported to 2.2? These changes give same level of performance increase in 2.2 as seen in 2.3.
Fix will go into 2.2.37 and 2.3.8.
• werner shifted T6098: Path traversal bug in gpg-wks-server from the Restricted Space space to the S1 Public space.
• werner renamed T6098: Path traversal bug in gpg-wks-server from Pass traversal bug in gpg-wks-server to Path traversal bug in gpg-wks-server.
Jul 26 2022
Jul 26 2022
• werner triaged T6058: clarify need of --batch and/or --pinentry-mode looback with --passphrase-* options as Low priority.
There won't be any semantic changes for obvious reasons.
Jul 22 2022
Jul 22 2022
@gniibe Thanks!
In the repo, for all related software, it's done.
Note that versions since 2020-11-07 to 2021-07-03 have major problem with non-POSIX shell, which doesn't support $(..) construct.
Jul 19 2022
Jul 19 2022
ikloecker triaged T6093: gpg: Continues export of secret key if first passphrase dialog was canceled as Normal priority.
Jul 19 2022, 12:18 PM · gnupg22 (gnupg-2.2.42), gnupg24 (gnupg-2.4.1), Bug Report, Restricted Project
Jul 18 2022
Jul 18 2022
Thank you.
• gniibe edited projects for T6035: Portability issue: ftruncate, added: backport; removed Restricted Project.
It's in 2.3.7 and 2.2.36.
Jul 12 2022
Jul 12 2022
It's in 2.3.7.
Jul 11 2022
Jul 11 2022
• gniibe added a project to T6071: Duplicated output (repeated nearly once) of the GnuPG console-output to "stdout" on Windows-Console if "Legacy-Console" with any TrueType Fonts is activated under Windows: Windows.
In gnupg/common/ttyio.c, the function w32_write_console does:
- Call WriteConsoleW, and when it fails, it calls
- WriteConsoleA
Jul 10 2022
Jul 10 2022
Jul 7 2022
Jul 7 2022
• gniibe closed T5120: Incompatible Ed25519 secret key (no-encryption), a subtask of T5114: GnuPG fails to import back generated and exported EdDSA secret key., as Resolved.
Jul 6 2022
Jul 6 2022
• aheinecke triaged T6063: GnuPG: Ignore invalid hash algorithm preferences when signing & encrypting combined as High priority.
Jul 5 2022
Jul 5 2022