Page MenuHome GnuPG
Feed Advanced Search

Today

ikloecker reassigned T6067: dirmngr 2.2 does not ask keyservers for fingerprints from ikloecker to werner.
Thu, Jul 7, 1:35 PM · gnupg (gpg22), Restricted Project, dirmngr
ikloecker added a parent task for T6067: dirmngr 2.2 does not ask keyservers for fingerprints: T6042: Cannot search on keyserver from kleopatra 3.1.22 inside an AppImage of GnuPG Desktop or GnuPG VS Desktop.
Thu, Jul 7, 1:31 PM · gnupg (gpg22), Restricted Project, dirmngr
ikloecker created T6067: dirmngr 2.2 does not ask keyservers for fingerprints.
Thu, Jul 7, 1:30 PM · gnupg (gpg22), Restricted Project, dirmngr
gniibe closed T5953: batch signature fails with imported ed25519 signing key as of 2.2.34 as Resolved.
Thu, Jul 7, 6:53 AM · gnupg (gpg22), Bug Report
gniibe closed T5120: Incompatible Ed25519 secret key (no-encryption) as Resolved.
Thu, Jul 7, 6:51 AM · gnupg (gpg22), Bug Report
gniibe removed a project from T5953: batch signature fails with imported ed25519 signing key as of 2.2.34: Testing.

Fixed in 2.2.36.

Thu, Jul 7, 6:51 AM · gnupg (gpg22), Bug Report
gniibe closed T6033: Regression in GnuPG 2.2.34 with some ECC keys as Resolved.
Thu, Jul 7, 6:50 AM · Bug Report, gnupg (gpg22)
gniibe removed a project from T6033: Regression in GnuPG 2.2.34 with some ECC keys: Testing.

Fixed in 2.2.36.

Thu, Jul 7, 6:50 AM · Bug Report, gnupg (gpg22)

Yesterday

werner added a comment to T5949: Release GnuPG 2.2.36.

Please note that due to vacation issues the signatures use the gnupg.com Brainpool based release key and some Linux distributions come with Brainpool removed from GnuPG.

Wed, Jul 6, 8:33 PM · gnupg (gpg22), Release Info
werner updated the task description for T5949: Release GnuPG 2.2.36.
Wed, Jul 6, 8:30 PM · gnupg (gpg22), Release Info

Thu, Jun 23

werner added a project to T6038: gpg-wks-client excludes uid with URL in comment: gnupg (gpg22).
Thu, Jun 23, 10:43 AM · gnupg (gpg22), wkd, Bug Report

Wed, Jun 22

gniibe added a project to T6033: Regression in GnuPG 2.2.34 with some ECC keys: Testing.
Wed, Jun 22, 6:38 AM · Bug Report, gnupg (gpg22)

Tue, Jun 21

gniibe added a comment to T6033: Regression in GnuPG 2.2.34 with some ECC keys.

My intention to refer rG7b1db7192 was to specify the HEAD of STABLE-BRANCH-2-2, meaning "the head of STABLE-BRANCH-2-2 today". The commit itself has no meaning.

Tue, Jun 21, 7:32 AM · Bug Report, gnupg (gpg22)

Mon, Jun 20

werner triaged T6037: Allow import of nwer DFN generated P12 files as Normal priority.
Mon, Jun 20, 4:43 PM · gnupg (gpg22), S/MIME
werner added a comment to T6033: Regression in GnuPG 2.2.34 with some ECC keys.

I fixed the title, because it is not a Windows only issue.

Mon, Jun 20, 1:07 PM · Bug Report, gnupg (gpg22)
werner renamed T6033: Regression in GnuPG 2.2.34 with some ECC keys from Regression in GnuPG 2.2.34 on Windows to Regression in GnuPG 2.2.34 with some ECC keys.
Mon, Jun 20, 1:06 PM · Bug Report, gnupg (gpg22)
werner added a comment to T6033: Regression in GnuPG 2.2.34 with some ECC keys.

The mentioned "g10: Fix garbled status messages in NOTATION_DATA" has nothing to do with the problem. So it can'r be the actual cause. Anway, I hope to get a 2.2.36 out this week.

Mon, Jun 20, 1:05 PM · Bug Report, gnupg (gpg22)
gniibe added a comment to T6033: Regression in GnuPG 2.2.34 with some ECC keys.

I can replicate the error by 2.2.35, but I cannot replicate it with rG7b1db7192.
I tested:

  • GNU/Linux
    • i686
    • x86_64
  • Windows
    • i686
Mon, Jun 20, 8:33 AM · Bug Report, gnupg (gpg22)

Fri, Jun 17

werner assigned T6033: Regression in GnuPG 2.2.34 with some ECC keys to gniibe.

The likely cause is that the secret key is not protected. Problem seems to be in gpg-agent.

Fri, Jun 17, 12:39 PM · Bug Report, gnupg (gpg22)
werner triaged T6033: Regression in GnuPG 2.2.34 with some ECC keys as High priority.

Looking again at your report, I don't think it is an IPC problem (bad magic cooky was my assumption). I can replicate this with the current 2.2 but not with 2.3. Both un Unix.

Fri, Jun 17, 12:36 PM · Bug Report, gnupg (gpg22)

Thu, Jun 16

werner edited projects for T6033: Regression in GnuPG 2.2.34 with some ECC keys, added: Not A Bug, Windows, gnupg (gpg22); removed Bug Report.

You deleted the socket file but you did not restart the agent. Thus gpg can't contact the agent anymore. On Windows we use a socket emulation which requires the socket's file only for a new connection (to get the port and magic cookie).

Thu, Jun 16, 6:48 PM · Bug Report, gnupg (gpg22)

Thu, Jun 9

gniibe closed T5831: Backport (f808012a) scd: Use lock_slot for apdu_send_direct. to GnuPG 2.2 as Resolved.
Thu, Jun 9, 7:56 AM · gnupg (gpg22), Bug Report, scd
gniibe added a comment to T5977: Smartcard PIN stays in clear in memory.

Backported to GnuPG 2.2.

Thu, Jun 9, 7:39 AM · Testing, backport, libassuan, pinentry, scd, gnupg (gpg22), Bug Report

Jun 7 2022

werner raised the priority of T5079: Add compliance flag to trustlist.txt from Normal to High.

A use case for this is to allow the use of S/MIME for de-vs mode and for standard mode while clearly indicating compliant certificates. As of now all certificates matching compliant algorithms are indicated as compliant. The new flag could be used to distinguish between them.

Jun 7 2022, 4:06 PM · Restricted Project, Feature Request, gnupg (gpg22)

Jun 1 2022

gniibe claimed T5977: Smartcard PIN stays in clear in memory.
Jun 1 2022, 5:05 AM · Testing, backport, libassuan, pinentry, scd, gnupg (gpg22), Bug Report

May 25 2022

gniibe added a comment to T5977: Smartcard PIN stays in clear in memory.

Pushed the solution which doesn't require new flag for libassuan.

May 25 2022, 9:42 AM · Testing, backport, libassuan, pinentry, scd, gnupg (gpg22), Bug Report
gniibe added a project to T5977: Smartcard PIN stays in clear in memory: Testing.
May 25 2022, 9:39 AM · Testing, backport, libassuan, pinentry, scd, gnupg (gpg22), Bug Report
gniibe added a project to T5977: Smartcard PIN stays in clear in memory: backport.
May 25 2022, 7:59 AM · Testing, backport, libassuan, pinentry, scd, gnupg (gpg22), Bug Report
gniibe added a comment to T5977: Smartcard PIN stays in clear in memory.

^-- I withdraw the solution (with error value) above.

May 25 2022, 4:57 AM · Testing, backport, libassuan, pinentry, scd, gnupg (gpg22), Bug Report

May 24 2022

gniibe added a project to T5120: Incompatible Ed25519 secret key (no-encryption): Testing.
May 24 2022, 2:02 PM · gnupg (gpg22), Bug Report
gniibe added a project to T5953: batch signature fails with imported ed25519 signing key as of 2.2.34: Testing.
May 24 2022, 2:01 PM · gnupg (gpg22), Bug Report
gniibe added a comment to T5977: Smartcard PIN stays in clear in memory.

Or, it would be good for client side (in this case, gpg-agent) to specify the flag in the inquiry callback, that is, it's a kind of transient flag for a single transaction.

May 24 2022, 10:45 AM · Testing, backport, libassuan, pinentry, scd, gnupg (gpg22), Bug Report
gniibe added a comment to T5977: Smartcard PIN stays in clear in memory.

Revised version with new flag ASSUAN_CLEAR_INQUIRY_DATA.

May 24 2022, 10:33 AM · Testing, backport, libassuan, pinentry, scd, gnupg (gpg22), Bug Report

May 20 2022

werner triaged T5990: Option to ignore the user trustlist.txt as Normal priority.
May 20 2022, 9:18 AM · Restricted Project, gnupg (gpg22), S/MIME, gpgagent

May 19 2022

gniibe added a comment to T5977: Smartcard PIN stays in clear in memory.

For this particular issue of assuan_inquire, if it's needed, the point we should fix is:

May 19 2022, 6:29 AM · Testing, backport, libassuan, pinentry, scd, gnupg (gpg22), Bug Report

May 18 2022

werner added a project to T5977: Smartcard PIN stays in clear in memory: libassuan.
May 18 2022, 9:14 AM · Testing, backport, libassuan, pinentry, scd, gnupg (gpg22), Bug Report
werner added a comment to T5977: Smartcard PIN stays in clear in memory.

AFAICS, we need to implement a new Assuan flag and wipe the data passed to the callback after the callback returned.

May 18 2022, 9:14 AM · Testing, backport, libassuan, pinentry, scd, gnupg (gpg22), Bug Report

May 14 2022

ludovic added a comment to T5979: SCardListReaders: Conditional jump or move depends on uninitialised value(s).

I just wrote a blog article about this problem
https://ludovicrousseau.blogspot.com/2022/05/scardlistreaders-and-non-initialized.html

May 14 2022, 4:13 PM · backport, gnupg, scd, patch

May 13 2022

werner triaged T5977: Smartcard PIN stays in clear in memory as High priority.
May 13 2022, 2:40 PM · Testing, backport, libassuan, pinentry, scd, gnupg (gpg22), Bug Report
werner triaged T5979: SCardListReaders: Conditional jump or move depends on uninitialised value(s) as High priority.

Thanks for opening a ticket.

May 13 2022, 2:36 PM · backport, gnupg, scd, patch

May 12 2022

ikloecker changed the status of T5972: Can't insert charaters in a magic-wand generated password from Open to Testing.

Editing a formatted password should work now as expected.

May 12 2022, 4:08 PM · Testing, Restricted Project, gnupg (gpg22), gpgagent, pinentry
ikloecker added a project to T5972: Can't insert charaters in a magic-wand generated password : Restricted Project.
May 12 2022, 2:18 PM · Testing, Restricted Project, gnupg (gpg22), gpgagent, pinentry
ebo reassigned T5972: Can't insert charaters in a magic-wand generated password from ebo to ikloecker.
May 12 2022, 11:51 AM · Testing, Restricted Project, gnupg (gpg22), gpgagent, pinentry
ebo added a comment to T5972: Can't insert charaters in a magic-wand generated password .

Its an issue of cursor position. If one either deletes or inputs a a character anywhere in the password string, the cursor always jumps to the end of the string.

May 12 2022, 11:50 AM · Testing, Restricted Project, gnupg (gpg22), gpgagent, pinentry

May 11 2022

werner triaged T5972: Can't insert charaters in a magic-wand generated password as Normal priority.
May 11 2022, 5:18 PM · Testing, Restricted Project, gnupg (gpg22), gpgagent, pinentry

May 2 2022

dkg added a comment to T5954: Building for windows requires gpgrt (libgpg-error) 1.45, but configure.ac claims 1.27.

Debian requires all builds to use software that we have local copies of in the archive, which appears to rule out the use of speedo (it fetches source over the internet during build). So i've modified debian packaging to annotate that the Windows builds need a different version of libgpg-error than that defined in configure.ac.

May 2 2022, 6:03 PM · gnupg (gpg22), Bug Report

Apr 30 2022

gniibe added a comment to T5120: Incompatible Ed25519 secret key (no-encryption).

it would be useful to add a test

Apr 30 2022, 4:14 AM · gnupg (gpg22), Bug Report

Apr 28 2022

dkg added a comment to T5120: Incompatible Ed25519 secret key (no-encryption).

Thanks for working on this, @gniibe! Maybe it would be useful to add a test to the test suite that tries to import and use a secret key of this particular structure.

Apr 28 2022, 10:07 PM · gnupg (gpg22), Bug Report
werner closed T5793: gpgsm: Wrong length when parsing octetstring in constructed encoding + definite length as Resolved.
Apr 28 2022, 8:52 AM · Testing, S/MIME, gnupg (gpg22)
werner closed T5954: Building for windows requires gpgrt (libgpg-error) 1.45, but configure.ac claims 1.27 as Wontfix.

Use our build system and things work. In particular you need to use the software versions as listed at versions.gnupg.org and available via the build-auch/getswdb.sh. Even better use the speedo build system for Windows. Everything else is not a supported build configuration.

Apr 28 2022, 8:45 AM · gnupg (gpg22), Bug Report
gniibe claimed T5953: batch signature fails with imported ed25519 signing key as of 2.2.34.

Thank you for the report.

Apr 28 2022, 4:45 AM · gnupg (gpg22), Bug Report
gniibe reopened T5120: Incompatible Ed25519 secret key (no-encryption) as "Open".

The fix was not right, because gpg-agent side are not changed. See T5953.

Apr 28 2022, 4:39 AM · gnupg (gpg22), Bug Report
dkg created T5954: Building for windows requires gpgrt (libgpg-error) 1.45, but configure.ac claims 1.27.
Apr 28 2022, 4:38 AM · gnupg (gpg22), Bug Report

Apr 27 2022

dkg updated the task description for T5953: batch signature fails with imported ed25519 signing key as of 2.2.34.
Apr 27 2022, 11:01 PM · gnupg (gpg22), Bug Report
dkg created T5953: batch signature fails with imported ed25519 signing key as of 2.2.34.
Apr 27 2022, 10:58 PM · gnupg (gpg22), Bug Report

Apr 25 2022

werner closed T5928: Release GnuPG 2.2.35 as Resolved.
Apr 25 2022, 7:12 PM · Release Info, gnupg (gpg22)
werner triaged T5949: Release GnuPG 2.2.36 as Low priority.
Apr 25 2022, 6:20 PM · gnupg (gpg22), Release Info
werner closed T4729: WKD via http_proxy does not work if DNS is broken/unavailable as Resolved.

Was fixed in 2.3.5

Apr 25 2022, 4:53 PM · gnupg (gpg22), Restricted Project, dns, dirmngr

Apr 14 2022

werner closed T5235: Delays in dirmngr http connections on Windows as Resolved.

We have not seen this problem anymore in recent versions. Thus closing.

Apr 14 2022, 3:02 PM · can't replicate, dirmngr, ntbtls, Windows, gnupg (gpg22)
werner closed T5639: dirmngr uses the wrong Let's encrypt chain as Resolved.

We have a solulion for this bug. For further improvements we will use T5882.

Apr 14 2022, 2:00 PM · gnupg (gpg22), dirmngr
werner closed T5809: Expire subkey violates assertion "! sig->hashed" as Resolved.
  • Fixed in 2.3
  • assert replaced by a fatal error message
Apr 14 2022, 1:57 PM · Testing, gnupg (gpg22), Bug Report

Apr 13 2022

werner updated the task description for T5703: Release GnuPG 2.2.34.
Apr 13 2022, 2:37 PM · Release Info, gnupg (gpg22)
werner triaged T5928: Release GnuPG 2.2.35 as Low priority.
Apr 13 2022, 2:23 PM · Release Info, gnupg (gpg22)

Apr 7 2022

werner added a comment to T5910: CVE-2018-25032 for zlib <=1.2.11 (CVSS 8.1 high).

Updated the copy on our mirror as welll as the gpg4win and swdb packages files.

Apr 7 2022, 11:45 AM · gnupg (gpg22), CVE, gpg4win

Apr 5 2022

werner lowered the priority of T5910: CVE-2018-25032 for zlib <=1.2.11 (CVSS 8.1 high) from Unbreak Now! to High.

The fix is from 2018 but was not picked up widely; see
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531

Apr 5 2022, 12:14 PM · gnupg (gpg22), CVE, gpg4win

Mar 29 2022

gniibe added a comment to T5809: Expire subkey violates assertion "! sig->hashed".

Not applying the change to GnuPG 2.2, users can use GnuPG 2.3 for that.

Mar 29 2022, 4:28 AM · Testing, gnupg (gpg22), Bug Report

Mar 24 2022

gniibe merged task T5673: Using empty passphrase key pair, gpg2.2.9 fails to decrypt with error "No secret key" on a gpg1.4/2.0 keyring format even though the secret keys migration was successful into T5804: Using empty passphrase key pair, gpg2.3.4 fails to decrypt with error "No passphrase given" on a gpg1.4/2.0 keyring format even though the secret keys migration was successful .
Mar 24 2022, 6:02 AM · gnupg (gpg22), Bug Report
gniibe added a comment to T5673: Using empty passphrase key pair, gpg2.2.9 fails to decrypt with error "No secret key" on a gpg1.4/2.0 keyring format even though the secret keys migration was successful .

Merged into T5804.

Mar 24 2022, 5:59 AM · gnupg (gpg22), Bug Report
gniibe claimed T5809: Expire subkey violates assertion "! sig->hashed".
Mar 24 2022, 5:38 AM · Testing, gnupg (gpg22), Bug Report
gniibe added a project to T5809: Expire subkey violates assertion "! sig->hashed": Testing.
Mar 24 2022, 5:38 AM · Testing, gnupg (gpg22), Bug Report

Mar 23 2022

gniibe removed a project from T5673: Using empty passphrase key pair, gpg2.2.9 fails to decrypt with error "No secret key" on a gpg1.4/2.0 keyring format even though the secret keys migration was successful : Info Needed.

Thank you. Confirmed.

Mar 23 2022, 9:41 AM · gnupg (gpg22), Bug Report

Mar 22 2022

engel97 added a comment to T5673: Using empty passphrase key pair, gpg2.2.9 fails to decrypt with error "No secret key" on a gpg1.4/2.0 keyring format even though the secret keys migration was successful .

Attached is the keyring package containing both pub and sec ring files. When run into GPG2.2.9, this gets migrated to the newer format but it fails when the the passphrase is empty(which works in older gpg)

Mar 22 2022, 5:14 PM · gnupg (gpg22), Bug Report

Mar 21 2022

werner moved T4729: WKD via http_proxy does not work if DNS is broken/unavailable from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Mar 21 2022, 10:56 PM · gnupg (gpg22), Restricted Project, dns, dirmngr
werner changed the status of T4729: WKD via http_proxy does not work if DNS is broken/unavailable from Open to Testing.
Mar 21 2022, 10:56 PM · gnupg (gpg22), Restricted Project, dns, dirmngr
werner added a comment to T4729: WKD via http_proxy does not work if DNS is broken/unavailable.

Actually this is pretty obvious; we better ignore such misbehaving servers.

Mar 21 2022, 10:40 PM · gnupg (gpg22), Restricted Project, dns, dirmngr
werner changed the status of T4394: Use I/O callbacks in gpgtar from Open to Testing.

No need for callbacks actually. We can do it in a simpler way. See commit rGe5ef5e3b914d5c8f0b841b078b164500ea157804

Mar 21 2022, 1:27 PM · gnupg (gpg22), gpgtar

Mar 17 2022

werner closed T5880: Old version of Zlib in GnuPG as Resolved.

SWDB updated - thus the latest zlib will be part of the next Windows build.

Mar 17 2022, 8:04 AM · CVE, gnupg (gpg22), gpg4win
gniibe added projects to T5673: Using empty passphrase key pair, gpg2.2.9 fails to decrypt with error "No secret key" on a gpg1.4/2.0 keyring format even though the secret keys migration was successful : gnupg (gpg22), Info Needed.
Mar 17 2022, 3:33 AM · gnupg (gpg22), Bug Report
gniibe added a comment to T5639: dirmngr uses the wrong Let's encrypt chain.

I think that the particular issue of Let's Encrypt Certificate was handled correctly already.

Mar 17 2022, 1:15 AM · gnupg (gpg22), dirmngr
gniibe added a parent task for T5639: dirmngr uses the wrong Let's encrypt chain: T5882: Cross signing certificate in X.509 support.
Mar 17 2022, 12:46 AM · gnupg (gpg22), dirmngr

Mar 16 2022

werner claimed T4729: WKD via http_proxy does not work if DNS is broken/unavailable.
Mar 16 2022, 4:31 PM · gnupg (gpg22), Restricted Project, dns, dirmngr
werner raised the priority of T4729: WKD via http_proxy does not work if DNS is broken/unavailable from Normal to High.
Mar 16 2022, 4:30 PM · gnupg (gpg22), Restricted Project, dns, dirmngr
gniibe closed T5120: Incompatible Ed25519 secret key (no-encryption) as Resolved.
Mar 16 2022, 3:07 PM · gnupg (gpg22), Bug Report
gniibe added a comment to T5809: Expire subkey violates assertion "! sig->hashed".

I think that this commit rG8fd150b05b74: gpg: Remove all support for v3 keys and always create v4-signatures. matters.

Mar 16 2022, 7:37 AM · Testing, gnupg (gpg22), Bug Report

Mar 15 2022

werner raised the priority of T5880: Old version of Zlib in GnuPG from Low to Normal.

All 4 CVEs are findings related to standard conforming compiler optimizations which OTOH break long standing assumptions on C coding. “Let us show that our compiler produces the fastes code ever and ignore any assumptions coders had made over the last 50 year”.

Mar 15 2022, 3:22 PM · CVE, gnupg (gpg22), gpg4win

Mar 9 2022

lukele added a comment to T5874: gpgconf has verbose mode enabled by default.

Great, thank you very much!

Mar 9 2022, 2:10 PM · gnupg (gpg22), Bug Report
werner closed T5874: gpgconf has verbose mode enabled by default as Resolved.

Thanks for notifying. Will be fixed in the next release (mid Apri).

Mar 9 2022, 2:04 PM · gnupg (gpg22), Bug Report
gniibe added a project to T5793: gpgsm: Wrong length when parsing octetstring in constructed encoding + definite length: Testing.

Fixed in master and 2.2 branch.

Mar 9 2022, 2:58 AM · Testing, S/MIME, gnupg (gpg22)

Mar 8 2022

gniibe added a comment to T5793: gpgsm: Wrong length when parsing octetstring in constructed encoding + definite length.

I located the cause; Current implementation cannot parse the data like:

2611:d=5  hl=4 l=1632 cons:      cont [ 0 ]        
2615:d=6  hl=4 l= 500 prim:       OCTET STRING
3119:d=6  hl=4 l=1124 prim:       OCTET STRING
Mar 8 2022, 5:25 AM · Testing, S/MIME, gnupg (gpg22)
gniibe updated the task description for T5793: gpgsm: Wrong length when parsing octetstring in constructed encoding + definite length.
Mar 8 2022, 1:52 AM · Testing, S/MIME, gnupg (gpg22)

Mar 7 2022

gniibe claimed T5793: gpgsm: Wrong length when parsing octetstring in constructed encoding + definite length.
Mar 7 2022, 11:25 AM · Testing, S/MIME, gnupg (gpg22)

Feb 28 2022

TheParanoidProgrammer added a comment to T5639: dirmngr uses the wrong Let's encrypt chain.

do you mean "dirmngr on Windows choses this one"? As in my mental model, dirmngr only loads all certifices from the windows stores on startup, but not during operations when requests come in (I maybe wrong though, I did not inspect the source code on this).

Feb 28 2022, 12:35 PM · gnupg (gpg22), dirmngr
TheParanoidProgrammer added a comment to T5639: dirmngr uses the wrong Let's encrypt chain.

But in Windows 10 I get nothing in the certs.log file.

Feb 28 2022, 12:20 PM · gnupg (gpg22), dirmngr

Feb 26 2022

NoSubstitute added a comment to T5639: dirmngr uses the wrong Let's encrypt chain.
echo BYE | dirmngr -vv --server 2>certs.log

Lists all certificates

Feb 26 2022, 2:41 PM · gnupg (gpg22), dirmngr

Feb 25 2022

werner added a comment to T5639: dirmngr uses the wrong Let's encrypt chain.
echo BYE | dirmngr -vv --server 2>certs.log
Feb 25 2022, 9:10 AM · gnupg (gpg22), dirmngr
bernhard added a comment to T5639: dirmngr uses the wrong Let's encrypt chain.

@TheParanoidProgrammer this looks like a very good and thorough analysis, thanks again!

Feb 25 2022, 8:57 AM · gnupg (gpg22), dirmngr

Feb 24 2022

TheParanoidProgrammer added a comment to T5639: dirmngr uses the wrong Let's encrypt chain.

Ok, I managed to find 48504E974C0DAC5B5CD476C8202274B24C8C7172 via Powershell. It was in the CA store of my non-privileged user and since I always checked the certificate store as administrator it did not show up there. After removal of this intermediate certificate I am able to use hkps://keyserver.ubuntu.com.

Feb 24 2022, 10:43 PM · gnupg (gpg22), dirmngr
TheParanoidProgrammer added a comment to T5639: dirmngr uses the wrong Let's encrypt chain.

Ok, so order of loading is not a problem since the cache does not store them by insertion order, but instead indexes them by the first byte of their fingerprint.
So, I think the problem here is that the expired intermediate certificate (48504E974C0DAC5B5CD476C8202274B24C8C7172) is somehow loaded in Windows and since its fingerprint's first byte is less than the server-supplied intermediate (A053375BFE84E8B748782C7CEE15827A6AF5A405) Windows chooses this one. I can see that the expired intermediate certificate is indeed loaded on Windows if I increase verbosity of dirmngr logs. However, I am still unsure where this certificate lives. The log says it comes from the "CA" store, but searching for it visually or by fingerprint search in Windows Certificates Snap-In (MMC) does not let me find it.
I will keep looking, but if you want to reproduce in your VMs, I suppose adding the expired intermediate certificate and the expired root certificate to the system store should make this reproducible.

Feb 24 2022, 10:26 PM · gnupg (gpg22), dirmngr
bernhard added a comment to T5639: dirmngr uses the wrong Let's encrypt chain.

@TheParanoidProgrammer thanks for investigating further. It is highly appreciated!

Feb 24 2022, 9:16 AM · gnupg (gpg22), dirmngr
TheParanoidProgrammer added a comment to T5639: dirmngr uses the wrong Let's encrypt chain.

On a side note, it turns out that Ubuntu Maintainers ship gpg with GnuTLS dynamically linked, so that's why I went down that road first. I compiled gpg from source for Ubuntu with ntbtls for further tests. Interesting insight is that find_cert_bysubject returns different certificates on first try on my Ubuntu Machine compared to my Windows 10 Machine:

Feb 24 2022, 1:06 AM · gnupg (gpg22), dirmngr