thanks for your reply
gpg -K
gpg: enabled debug flags: memstat
/home/usernet/.gnupg/pubring.kbx
uid [ absoluta ]
uid [ absoluta ]
ssb cv25519 2022-02-13 [E]
gpg -h
gpg (GnuPG) 2.2.4
libgcrypt 1.8.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later https://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
It is a bit hard for us to decipher the Spanish diagnostics. Before we can try to help you please update to a deent version of gpg and libgcrypt. At least the version for Ubuntu is way too old; Libgcrypt is 5 years old, the current version of the lTS branch is 1.8.10. GnuPG is also 10 years old and in the mean time we have fixed several critical bugs; the current version of this legacy branch is 2.2.41! Note that Ubuntu might have fixed some bugs despit ethe version number - we just can't know.
Hi, thank you so much and sorry for delay.
This beta is working for us perfectly.
Thank you very much, we will try it and let you know
Regards
Lukas
I'm using the standard pinentry provided by Homebrew: https://formulae.brew.sh/formula/pinentry#default
gpg -v -K does not require a pinentry. You can check this by adding debug-pinentry and log-file /some/file to the gpg-agent.conf - you should not see any pinentry invocation.
Please try the following beta: https://files.gpg4win.org/Beta/gpg4win-4.2.1-beta55/gpg4win-4.2.1-beta55.exe This should solve your problem. And if not you can now open the encrypted attachments with Kleopatra and it will show your mail.
Ok and its possible to know, how long its should usually take to make new release ?
Can you tell me more about support contract or when i can find more information about it ?
Regards
Lukas
I guess you need to wait until we do a new release. If your company relies on this software it might be a good idea to enter into a support contract as other do.
i dont get any responce, what is next step in this case.
Regards
Lukas
I am closing this, for now as this issue lacks actionable details, we would need an example mail or debug data. So my intent is just to close it and reopen if the issue still occurs with Gpg4win-4.2.1
Noticed this issue while searching for a different one.
I think this could be fixed with T6686 if it has not already been fixed by a previous change that relaxed the detection of the encrypted message part better.
So by we already have code to handle this problem, we had code for "No body but multipart/mixed" and your message was "empty body but multipart mixed" so I just needed to also check for an empty body and the code worked.
Ah damn, now that I closed this as a duplicate I found that we already have code to handle this problem.
Well the message is content-type multipart/mixed. For GpgOL to investigate the mail it needs to be multipart/signed oder application/encrypted or application/pgp-encrypted. (and some other things) But multipart/mixed is something that we don't take a second look at because this means "unencrypted mail with attachments."
Thank you for the response, @werner! (original reporter here)
thank you, i send you test mail
Regards
Hi, my suspicion with the different tenant is that some middleware of yours is inserting something like "DANGER this could not be Virus Scanned by your super secure and expensive middleware" which then results in the mail beeing multipart/mixed instead of pgp/encrypted in the MIME type. Could you ask your communication partner with the problem to send such a mail to you and with CC to "andre.heinecke@demo.gnupg.com
"I was trying to solve it with support, but it was not solved until today, this issue we are facing more thank like 2years.
I guess its need to be solved with more advanced support than classic one.
Regards
Looks more like a support question but feel free to create a sample message, encrypt it to info at gnupg.com (WKD) and attach that message to this report.
This is a support requests. Please consult one of the mailing lists or the gpg4win forum. In case this turned out to actually be a bug, please feel free to reopen it.
The data is indeed corrupt. Check with the sender of that key.
IF you look at the data you will soon notice that one line is longer than the others.
Please ask on the gnupg mailing list for support. In case that turns out to be a real bug, please re-open this bug.
If it were the case, I think that graceful shutdown of the system would need to terminate the client of scdaemon at first.
The root cause might be that the "DEVINFO --watch" command causes ...
I also experienced hang on shutdown with GPG 2.4.1 and bisecting reveals that the first bad commit is rG2ccbcfec121f.
The user tried to sneak in an ad link and he has thus been banned. Here is his probably AI generated comment for documentation:
Thanks for your follwup. Let me remark that it is sufficient to stop all gnupg processes (pkill gpg-agent) and then rename the ~/.gnupg to .gnupg-save-NNNN. This way you have a backup and gpg will create a new ~/.gnupg.
OCB mode (i.e. packet 20) is only used if the keys announce it. Thus only after moving a (private) key from GnuPG to a non-GnuPG compatible implementation you will run into this problem. The compatibility options won't override the preference system.
Thanks for the description; this is good for documentation.
Ooops: You need to put
Okay, gpg2 --card-status is accessible using sudo/su.
But I still don't know why bumping from 2.2.41 to 2.4.0 the use of pcsc-lite + ccid stopped work.
I can't access even trying using root.
pcsc-lite was already installed. I tried using disable-ccid-driver as advised but didn't help, scd.log don't even get written using this option.
You need write access to the usb device (e.g. /dev/bus/usb/001/011) or you install pcscd and put "disable-ccid-driver" into scdaemon.conf.
Sorry, I mistakenly closed this task. I reopen it.
Could it be the case that your implementation actually used those bits to calculate a public key?
Sorry for a bit late follow up. How do you calculate a public key? RNP's crypto backend, Botan, is calculating public key without taking in account bits which should be tweaked. I.e. both tweaked and non-tweaked secret keys would produce the same public key. The same is with decryption. Could it be the case that your implementation actually used those bits to calculate a public key?
So here is a redacted CLI-dump of the exact sequence I'm describing in my post. This is with untweaked keys and gpg 2.2.40 and a factory-reset yubikey.
So in case this was not clear... What I'm describing is very similar to the original description, but it is "inverted" - the untweaked key works flawlessly (import and decryption) except for keytocard. And the tweaked key can't be imported - either "Bad Secret Key" or asking for passphrase.
@onickolay Yes, I have. I have used --check-cv25519-bits and it said that it needs patching. I then did --fix-cv25519-bits and exported the key. Looking at the CV25519 private-key bytes produced by my code and by RNP, I confirmed that they did the exact same transformation.
When trying to re-import the exported key into gpg, I got the "Bad Secret Key" error again
@bigmomma Just for a quick check - did you try to use RNP's CLI command --edit-key --fix-cv25519-bits, as it's not clear from the message?
Hi! I would like to chime in on this issue as I am having some weird problems with a CV25519 sub-key and after stumbling upon this thread, I think it is related to this.
Unfortunately, I can't post the key material here, because it is my actual encryption private-key.
Closing. Not a bug in pinentry. The user ID of the key is encoded incorrectly and pinentry just displays the incorrectly encoded user ID.
It's irrelevant whether you can trick the combination of gpg and PowerShell to show the wrong encoded user ID correctly. The user ID is still encoded wrongly and every standard-compliant implementation of OpenPGP will show garbage when displaying the user ID.
Interestingly enough if I set LC_LCTYPE environment variable in powershell $env:LC_CTYPE = "C.UTF-8" - it behaves correctly and generates UTF-8 encoded names.
Looking at the hexdump of the user ID in the exported (and dearmored) public key this looks like a classic double-encoding problem, i.e. UTF-8 encoded UTF-8:
42 6A C3 83 C2 B8 72 6E
^^^^^^^^^^^Just found out something weird - powershell tells me the default characterset is iso-8859-1
~~~
PS C:\Users\bbs> [System.Text.Encoding]::Default
okay, installed 2.2.29 and tried showkey:
C:\Users\bbs> gpg.exe --show-key D:\bbs_gpg.public.pgp
pub rsa4096 2022-11-06 [SC]
0F20E48DEA9FD7A5626DBA0067BDA85044042E3B
uid Bjørn Bouet Smith <bjornsmith@gmail.com>
sub rsa4096 2022-11-06 [E]https://gpg4win.org/download.html, but there isn't a Gpg4win release with GnuPG 2.2.29. The most recent Gpg4win 3.x has GnuPG 2.2.28. (All releases of Gpg4win 4.x include GnuPG 2.3.x.)
Yes, seems so. In either case, there's nothing we can do anything about since the versions provided by us appear to work correctly.
But it is strange that the version can show the characters correctly - so it can encode and decode to the same output.
On Linux, I also get garbled output for your key:
$ gpg --show-key <bbs_gpg.public.pgp pub rsa4096/67BDA85044042E3B 2022-11-06 [SC] 0F20E48DEA9FD7A5626DBA0067BDA85044042E3B uid Bjørn Bouet Smith <bjornsmith@gmail.com> sub rsa4096/08D7C29E12A34AD2 2022-11-06 [E]
This indicates that the user ID was encoded incorrectly by the gpg included in git when you created the key.
I am not sure if the export is correct - or if you need something else?
If I import the keys into gpgwin it shows up garbled - both in the console version of gpg.exe and Kleopatra, but if I run
gpg.exe -k
With the old gpg version it shows up as:
/c/Users/bbs/.gnupg/pubring.kbx
-------------------------------
pub rsa4096 2022-11-06 [SC]
0F20E48DEA9FD7A5626DBA0067BDA85044042E3B
uid [ultimate] Bjørn Bouet Smith <bjornsmith@gmail.com>
sub rsa4096 2022-11-06 [E]This is the key exported with:
gpg.exe --output D:\bbs_gpg.public.pgp --armor --export bjornsmith@gmail.com
It seems like gpgwin generates keys where the name are not compatible with each other.
How did you generate the key? On the command line? Which command line did you use? Can you attach the public key to this report?
Also - gpgwin is no better:
So because I use some thing that "almost everyone does not use" - but something that you distribute you do not even want to fix it?
Hi Werner,
An old version is still installed and the libgpg-error-0.dll could not be replaced. Make sure that you deinstalled old gpg4win versions and other gnupg versions. The file version of the DLL shall be 1.46.x.x.
I have over 75 PGP addresses:
That is expected. The export re-encrypts the secret parts to comply with the OpenPGP specs and this includes a salt andf IV and thus the output must be different.
No. And this is out of scope for Kleopatra. You can use existing file sync tools to sync the files in ~/.gnupg. Which files to sync depends on what you want to sync. For details, I suggest to ask on the gnupg-users mailing list.
FWIW, your comments about the autostart script do not match with the running processes. Obviously, the autostart script starts gpg-agent with different command line options than the running process. My conclusion is that the autostart script isn't used. Or maybe it is started, but gpg-agent immediately terminates because it notices that another instance is already running.
If you add an autostart script then you may have to add a corresponding shutdown script as well, e.g. a script running gpgconf --kill all. You cannot expect that daemons, that you start via an autostart script, magically know when they should terminate.
In fact, decent 2.2 versions (>=2.2.21) have the ability to decrypt AEAD packets - this has been implemented exactly for the case that some things get wrong at the user site. But we can't change old versions - we are not the Sirius Computer Corporation. I close this ticket because we can can't do anything if you are not able/willing to update to the latest version of the respective branch. Sorry.
@werner
The setpref S9 S8 S7 S2 H10 H9 H8 H11 H2 Z2 Z3 Z1 worked!
S9, etc. are short-hand IDs, for the cipher algorithms, digest algorithms, etc. Use showpref instead of pref to get the preference list in human-readable form (AES256, SHA512, etc.) instead of in expert form (cryptic IDs).
Hi @werner
I had missed your earlier post quoted below on using setperf.
Create the keys with gpg 2.2. I'm not aware of such documentation apart from the manual page of GnuPG. And, as I tried to explain, this situation isn't really different from any other software. If you create a document with the newest version of LibreOffice then you cannot expect it to look exactly the same with an older version of LibreOffice. It's your responsibility not to use new features of the new LibreOffice if you still need to use an older version on another machine.
@ikloecker Thanks for the clarification (appreciated).
Backward compatibility means that newer versions work with data created with older versions of a program. What you are asking for is forward compatibility, i.e. you want older versions of a program to work with data created with newer versions of a program. In the extreme that would mean that gpg must not use modern encryption algorithms because old versions of gpg cannot deal with them. It should be obvious that this doesn't make any sense.
@ikloecker thanks for your reply.
Use a gpg 2.3 version:
Hi Werner
.
Firstly, let me say how much I appreciate the work you and others do at OpenPG.org! Really.