The pincache is actually not what you think it is. It is only used to allow switching between different application on a Yubikey which reqieres a new VERIFY command after switching back to the first application the card. What you feel as caching is the state of the card, which usually keeps its verification state until the card is powered down.
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Advanced Search
May 12 2021
May 10 2021
(I disabled this boor and restored the state)
May 6 2021
I am also a MacOS Big Sur user who recently upgraded to 2.3.1 and had problems after upgrading. In my use case, I use the yubikey as the authentication for pass password manager which uses gpg under the hood.
That would required that we also add an option --enable-ccid-driver - better tell the macOS folks to put diable-ccid-driver into /etc/gnupg/scdaemon.conf
Or... we could add --disable-ccid-driver as default for macOS.
If it is built with LIBUSB enabled, please try adding the following to your scdaemon.conf:
disable-ccid
May 3 2021
I'm referring to this: https://www.gnupg.org/howtos/card-howto/en/ch02s03.html
@colemickens We don't maintain any ccid udev rules in GnuPG. What do you refer?
Apr 30 2021
Also let me know if there are any daemons I have to kill/restart when switching between GnuPG versions by changing the $PATH. Whenever I have problems with my YubiKey, I run gpgconf --kill gpg-agent, which I also executed when I switched from version 2.2.27 back to 2.3.1 but I have no idea whether this is required or sufficient.
$ gpg --version gpg (GnuPG) 2.3.1 libgcrypt 1.9.3 $ gpg --debug ipc --card-status gpg: reading options from '/Users/user/.gnupg/gpg.conf' gpg: reading options from '[cmdline]' gpg: enabled debug flags: ipc gpg: DBG: chan_3 <- OK Pleased to meet you, process 15218 gpg: DBG: connection to the gpg-agent established gpg: DBG: chan_3 -> RESET gpg: DBG: chan_3 <- OK gpg: DBG: chan_3 -> OPTION ttyname=/dev/ttys007 gpg: DBG: chan_3 <- OK gpg: DBG: chan_3 -> OPTION ttytype=xterm-256color gpg: DBG: chan_3 <- OK gpg: DBG: chan_3 -> OPTION lc-ctype=en_US.UTF-8 gpg: DBG: chan_3 <- OK gpg: DBG: chan_3 -> OPTION lc-messages=en_US.UTF-8 gpg: DBG: chan_3 <- OK gpg: DBG: chan_3 -> GETINFO version gpg: DBG: chan_3 <- D 2.3.1 gpg: DBG: chan_3 <- OK gpg: DBG: chan_3 -> OPTION allow-pinentry-notify gpg: DBG: chan_3 <- OK gpg: DBG: chan_3 -> OPTION agent-awareness=2.1.0 gpg: DBG: chan_3 <- OK gpg: DBG: chan_3 -> SCD GETINFO version gpg: DBG: chan_3 <- D 2.3.1 gpg: DBG: chan_3 <- OK gpg: DBG: chan_3 -> SCD SERIALNO gpg: DBG: chan_3 <- ERR 100696144 Operation not supported by device <SCD> gpg: selecting card failed: Operation not supported by device gpg: OpenPGP card not available: Operation not supported by device gpg: secmem usage: 0/32768 bytes in 0 blocks
Run gpg --debug ipc --card-status to quickly see the communication with the scdaemon.
Apr 28 2021
@gniibe can you provide any commentary on why the gnupg ccid udev rule is so much smaller than the one debian maintains? Is the debian one considered authoritative these days?
Thanks @gniibe, that's very helpful advice and pointers. Very appreciated, cheers.
Perhaps, if a distro haven't offered setting of USB, it would be better to configure GnuPG build with --disable-ccid-driver and only support scdaemon with PC/SC. GPG for Windows does so.
- It's a breaking change for system with both of PC/SC and CCID. T4673 due to T3300
- If you configure with no libusb, users don't need 'disable-ccid' option.
- I don't know how "wide".
- In Debian, it is maintained here: https://salsa.debian.org/debian/gnupg2/-/blob/debian/main/debian/scdaemon.udev
- Yes.
Apr 26 2021
Hi, as a contributor to NixOS I'd also like some guidance. I'm testing the 2.3 upgrade ahead of 2.4, and it "breaks" Yubikey UX that I know many of us use. This might be because we appear to not yet install gnupg's CCID udev rules installed. A few questions:
Apr 25 2021
Thank you for the suggestion of disable-ccid that seems to have solved the problem.
Apr 23 2021
I can confirm disable-ccid works, thank you!
Please have a look at the log:
Apr 20 2021
IIUC, with libgcrypt in LIBGCRYPT-1.8-BRANCH (not yet released) and libgcrypt 1.9.3, the build process works well (the problem with SIP has been handled).
Apr 19 2021
Apr 15 2021
Ok, thank you. I think task can be closed.
mkheader has CFLAGS_FOR_BUILD since libassuan 2.5.4.
gost-s-box has so since libgcrypt 1.9.0.
Apr 13 2021
Ok.
But`CFLAGS_FOR_BUILD` not mentioned in build rule for mkheader
I'm sorry I disappeared on this issue for two weeks; I just got reminded of it by seeing the e-mail with the status change. I've updated to the latest gcrypt (which is the commit with the patch, now pushed to the repository) and was able to upload this to Apple without it being flagged; thanks!
Apr 12 2021
Apr 8 2021
CC_FOR_BUILD is used for building executables for the build machine.
CC_FOR_BUILD may be different to CC (for target).
Apr 7 2021
Referencing external patches is not sufficient
What is vcpkg?
Sorry, I can't parse your message. Please describe the problem or feature requests. Referencing external patches is not sufficient. What is vcpkg?
Apr 6 2021
Note that rndjent.c is already build with -O0 as can be seen in example above. That warning could be silenced by surrounding pragma with #ifdef __OPTIMIZE__ (with should be supported by GCC and Clang).
Apr 1 2021
IIUC... Could you please try this patch?
diff --git a/random/rndlinux.c b/random/rndlinux.c index a7a78906..c20c5d4c 100644 --- a/random/rndlinux.c +++ b/random/rndlinux.c @@ -35,10 +35,13 @@ #if defined(__APPLE__) && defined(__MACH__) #include <Availability.h> #ifdef __MAC_10_11 +#include <TargetConditionals.h> +#if !defined(TARGET_OS_IPHONE) || TARGET_OS_IPHONE == 0 extern int getentropy (void *buf, size_t buflen) __attribute__ ((weak_import)); #define HAVE_GETENTROPY #endif #endif +#endif #if defined(__linux__) || !defined(HAVE_GETENTROPY) #ifdef HAVE_SYSCALL # include <sys/syscall.h>
Fixed in 1.42.
Mar 31 2021
I was wrong in my last comment. Escaping by another \ is needed.
Mar 30 2021
A PATH with spaces is too Windowish (or macOS). IIRC, we had once checks that the used directories have proper names; we can expect this for build environment. Spaces in file names are horrible from a security POV it is just to easy to get things wrong (hello ssh).
So, I actually just filed an issue about this work: T5375, and then found this opposing task while following through on the various commits ;P... Apple actually forbids usage of getentropy in applications they publish to their App Store (citing ITMS-90338: Non-public API usage), and so there needs to be a way to disable this weak_import. FWIW, I'm not sure if this is only on iOS or on macOS as well (I haven't gotten around to trying to publish a macOS build with the new libgcrypt yet).
@gniibe Note that you also need to at least add the semicolons, as BSD sed is trying to parse "gp}" as substitution flags (which, honestly, makes more forward-compatible sense than GNU sed's behavior...).
Or, if we keep the code of newline (so that it will eventually support path with a space in future):
Thank you. Sorry for the use of GNU sed extension. It could be just a whitespace, if it's OK not to support path having a space.
sed -n -e "/^libraries/{s/libraries: =//;s/:/ /gp}") should work.
@gniibe OK, so... "worst case": I guess this worked? ;P
@gniibe Actually, I just realized that neither of the commands I provided work, as I failed to notice you were trying to also replace :'s with newlines (as I guess libraries from clang can return multiple paths). I'd momentarily edited my comment to just try to add back your colon replacement, before remembering you can't do that either: \n is a GNU sed extension. Hilariously, I'm always in contexts where I can assume I'm using bash (which isn't ok for configure), so I've never bothered to learn a technique that doesn't involve $'\n'... do you have a strategy for doing this replacement? :(
@gniibe Ah yeah, that was the commit I meant to reference when I said "--maybe caused by --", but then forgot to go back and fill in the commit hash ;P.
I wonder if this works in your use case:
diff --git a/m4/gpg-error.m4 b/m4/gpg-error.m4 index d910754e..aeedaf10 100644 --- a/m4/gpg-error.m4 +++ b/m4/gpg-error.m4 @@ -65,7 +65,7 @@ AC_DEFUN([AM_PATH_GPG_ERROR], min_gpg_error_version=ifelse([$1], ,1.33,$1) ok=no
If it is new, it may be the change of this commit rC8e3cd4c4677c: build: Update gpg-error.m4.
(To be clear, I also know enough about autoconf to not have been like, blocked from upgrading by this: overriding ac_cv_path_GPGRT_CONFIG worked, but I can't believe that's the intended way for someone to ensure they get the correct path for gpgrt-config ;P.)
@gniibe The problem is that the check seems to just find gpgrt-config from the path; like, I'm already passing --prefix and --host, but it is deciding to just arbitrarily pick up my system-wide copy of /usr/local/bin/gpgrt-config. Here's my entire configure invocation from that earlier failed build: note that the --prefix is the same as --with-gpg-error-prefix.
We are in transition from old gpg-error-config to new gpgrt-config. <-- This is the cause, while I tried to cover most use cases.
Mar 29 2021
Sorry to dig up an old report...
Sorry to dig up an old thread...
Mar 26 2021
Mar 11 2021
Tiger's /usr/include/AvailabilityMacros.h seems to provide what rndlinux.c was looking for: libgcrypt 1.9.2 just built!
Alright! Here is the error report from GCC:
Mar 1 2021
In T5250#143872, @kaie wrote:It seems gpgme-json is intended to execute in the Web JavaScript sandbox of a browser.
I said "we're offering the optional use of GPGME
At the time I started to add an optional binding from Thunderbird to GPGME, I wasn't aware of gpgme-json.
In T5250#141705, @werner wrote:Sure that TB uses GPGME - they claimed they won't use it due to license incompatibility (LGPL). I assumed they use gpgme-json via naticve messaging.
Feb 23 2021
Fixed in libgcrypt 1.9.2. Thanks!
Feb 17 2021
Feb 14 2021
Backward compatibility fixed using the MacPorts legacysupport PortGroup:
https://github.com/macports/macports-ports/commit/74b50424649a7c657521140fcd7f92ba79a3cec5
Feb 13 2021
This approach is too simplistic. See Ryan Schmidt's and Joshua Root's comments in https://trac.macports.org/ticket/62278
Feb 12 2021
Feb 9 2021
POSIX says so (use printf instead).
https://pubs.opengroup.org/onlinepubs/9699919799/utilities/echo.html
iirc the advise from the GNU coding standards is to use printf(1) instead of trying to figure out how echo(1) works.
Thank you. I'll fix. Perhaps, I'll ignore old UNIXen like AIX 6.1, which has no way to echo with no newlines.
Feb 5 2021
Looks like this has been addressed in af23ab5c5482d625ff52e60606cf044e2b0106c8. A quick test building the current version in master with --disable-asm worked for me.
Feb 2 2021
So, the change against libgcrypt 1.9.1 will be:
I got hit of search by "$ld$weak$os10.11$_getentropy".
So, I guess that it's 10.11 which has _getentropy as weak symbol, and 10.12 or later has implementation.
There is some (partly) good news: The function getentropy() is available in the packet manager MacPorts. It has a legacy support:
Feb 1 2021
Unfortunately, building without "--disable-asm" does not work if building a universal package under MacPorts (e.g. 32bit and 64bit x86 or 64bit x86 and arm64).
In T5268#142714, @gniibe wrote:To do that, I'd like to know, when the symbol getentropy was added.
no, that doesn't change anything.
In T5268#142612, @ballapete wrote:Wouldn't it be better to move these failures as a single one into the configure script that it definitely can tell "This Mac has getentropy()"?
Jan 31 2021
Does it build if configure with parameter 'ac_cv_sys_symbol_underscore=yes'? <path-to-libgcrypt-source>/configure ac_cv_sys_symbol_underscore=yes --host=aarch64-apple-darwin ...
Jan 30 2021
Compiling now works, but I get the following linker errors:
@jukivili Thanks for the reply! We've reverted that commit downstream in Gentoo as a temporary workaround, as due to some complications, our release systems needed to build without asm (for now) to ensure portability. Rest assured, this is not the default, and is discouraged for regular users.
Jan 29 2021
Building without "--disable-asm" works without any issues.
Thanks for your report.
FYI, this is not just an MacOS issue. We see that also on Gentoo Linux:
Wouldn't it be better to move these failures as a single one into the configure script that it definitely can tell "This Mac has getentropy()"?
I applied the two patches on Mac OS X 10.5.8, Leopard, to random/rndlinux.c, resulting in this unified diff: