That was obvious. rG6fc5df1e10129f3171d80cf731f310b9e8d97c26 fixes this.
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Advanced Search
May 24 2019
May 16 2019
When doing a "gpgsm --with-validation -k foo" (assuming you have a cert foo) gpgsm now goes into a loop and prints the certficates that match "foo" over and over again. I have not tested if it was caused by this change but I think it is likely.
I imported 39 certificate files at once with Kleopatra with about 700 certificates and it worked. Took a long time though so It would be nice if Kleopatra would show a progess indicator or some indication that the import is running. But this is a different issue.
May 15 2019
Will give you more detailed info about your certificate. For even more details use --dump-chain instead of --list-chain.
May 14 2019
The last lines that the process currently holding wrote in the log:
To reproduce this issue I started Kleopatra with an empty GNUPGHOME and imported 10 S/MIME certs at once (which spawns a gpgsm process each) with enabled logging.
Thanks for the hint on the existing OID I already looked into that and planned to use one from the GnuPG arc, But an existing OID is better. I still need to figure useful workflows but something like this will be useful for smartcards..
May 13 2019
May 12 2019
May 3 2019
Mar 27 2019
I forgot: Instead of importing the missing internal CA, this works:
I agree, the question is which CRL is checked when how. Maybe there is some mistake on my side. Here is a recipe for Debian:
I don't think this is a bug. Failure to encrypt when CRL check fails is expected.
Mar 26 2019
Mar 14 2019
Mar 4 2019
Ouch indeed. Looks like you run into a "hanging" gpg-agent situation in that case our main background process is blocked and all other processes wait for it to respond and nothing works anymore.
This should never happen and we need to fix it. But so far we have not found a way to reproduce it.
Feb 28 2019
Looking at other threads I found the problem in some .lock file in my gnupg directory. One of them was locked by a running process and I was not able to delete. So I opened up task manager and I had dozens of gnupg related processes running. I killed all of them and removed any .lock file.
This way Kleopatra started again but the certificate above (aruba) was not present in the imported ones. And, of course, I'm not going to import it anymore, will use my sixt sense to trust certificates...
The exact file that created the lock is attached
I zipped it to avoid an unintended import that kills Kleopatra.
The only action I can do is quit the program telling it to stop the background actvity, but I cannot use it anymore...
Ouch, worse problem here. After closing kleopatra telling it to stop doing whatever it was, I restarted the application and now it's stuck in "Loading certificate cache"
The certificate was defintely missing the tag lines, thanks. I also tried opening the certificate from that page (Windows has no problems without the tag lines) and exporting it explicitly as base64, and the output file is fine.
The problem is that the import now seems to go well, but no certificate is imported at all. I tried several times and the import box just closes after selecting the file.
I tried to close Kleopatra and it says there are ongoing background operations. At least 15 mins passed between the import and the closing tentative.
Actually, it is stuck doing something.
Thanks for the report.
Btw. I only noticed this now as I always had "disable-tor" in my config but recently removed it for testing.
Feb 27 2019
We also need to fix for encryption and signature in CSR.
Feb 14 2019
Thanks for that summary.
Feb 13 2019
Since it seems there is a renewed interest in adding ECC support to GpgSM (as indicated by the T4098 feature request), I would like to write down here more details about this task.
Feb 6 2019
See also T4013 which is about ed25519 key support
Dec 18 2018
werner,
I'm the spanish user. Are you also setting default ocsp responder option?
Setting only ocsp_signer doesn't worked, there are several CA's with diferent ocsp responders.
The reporter said that it did not work for him.
Dec 17 2018
A list of SHA-1 fingerprints for the valid certificates. With our without colons.
@werner what should the contents of the file look like?
I had to look it up in the code and man page too ;-)
Good to know. I thought that ocsp-signer was only used if ocsp-responder is explitly set. I've suggested the workaround in the Message Board.
Is using
In Wald someone reports that this also appears to happen when decrypting. https://wald.intevation.org/forum/message.php?msg_id=6377 Probably run-threaded will help to flush this out.
Dec 14 2018
Dec 13 2018
Nov 19 2018
Nov 15 2018
Nov 12 2018
Oct 24 2018
Sep 4 2018
The original reporter in the gpg4win-forums reports that this does not work reliably. :-/
Gpg4win-3.1.3 was released.
Aug 31 2018
Aug 30 2018
We have a progress dialog now and only show details on request. I've also fixed a bug that you could trigger learning the keys twice which lead to undefined behavior.
Aug 21 2018
Aug 20 2018
Hi,
Can I ask if there is any update on the issue that I face?
Aug 17 2018
Ok
Thanks for your answer
There is currently no ECC key support in the S/MIME component of Gpg4win. I've edited the task a bit to reflect that. So it is impossible to generate an ECC Key for S/MIME with Kleopatra.
Aug 6 2018
Jul 24 2018
I can't reproduce this. When I make Dirmngr offline I correctly get a No CRL known error. So it must be something different.
Jul 18 2018
Tester reports that this works now.
I got feedback from the user that had the problem. It's fixed with 2.2.9 which contains your commit afaik.
Jul 17 2018
This was a misunderstanding. Import is possible. The german translation of Kleopatra wrongly indicated an error because it translated "unknown certificates" as "ungültige Zertifikate".
Jul 16 2018
Jul 12 2018
it is not due to windows but due to the use of NTBTLS. I have the same problem here... and found it: We call es_fflush to let ntbtls flush its internal buffers but libgpg-error's estream module does no propagate this explicit flush to the cookie functions of ntbtls. Thus ntbtls gets stuck most of the time. I am not sure when this regression happened but it is pretty obvious.
Jul 11 2018
I have logging to a socket always enabled. That may explain why I don't see that error on Unix.
Jun 25 2018
Jun 19 2018
Hi Werner,
I have performed some experiments on the issue I have and the following are the results:
Jun 8 2018
I was not aware that you could do this at all. You are right in that to start supporting this we first need to update libksba.
Jun 6 2018
Hi Werner,
The issue is the following:
I have 2 certificates in the trusted-certificates folder that is searched by gpgsm (C:\ProgramData\Gnu\etc\gnupg\trusted-certs) which I want to trust. When dirmngr starts, it reads the Windows trusted certifcate store (certlm.msc for both system and user - I don't know the path / location of the windows certificates folder outside certlm) and builds the list of certificates to use. Once this list is read and if any duplicates are found in the trusted-certificate folder, it ignores them - they are already present.
I do not fully understand your problem. Can you please explain it with an example and also state the full file names of the mentioned folders?
May 31 2018
May 14 2018
Do you have any other implementation to test against?
May 8 2018
But why is that the case for OpenPGP Signatures, then? The difference does not make sense to me.
The key receives fully trust and thus we get the "green" flag plus the "expired" flag. In my test with OpenPGP the key was not trysted and thus we did not got only the "expired" flag. At some distant past we agreed on these rules.
gpgsm behaves exactly as gpg and as explain in doc/DETAILS. VALIDSIG is issues even for signatures done by an expired certificate. Let me check whey GPGME claims "green" here while it does not not an expired OpenPGP signature.
Wait. Users should not have the ability in the GUI to mess with the CRL cache. That is internal / private stuff. And something for developers, so this should be removed from the GUI altogether.