A workaround exists with the new option --ignore-crl-extensions.
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Advanced Search
Thu, Dec 5
Mon, Dec 2
Closed, since this was documentation for the workaround, four years ago.
Just a reminder: with Gnuk 1.2.15 and an ed25519 key PubkeyAuthentication unbound is required for hosts using the new feature.
Oct 8 2024
gpg4win 4 has been released with unicode support. Closing.
Mar 4 2024
In case if someone finds it through a search:
Jan 5 2024
Jul 24 2023
Mar 21 2023
README and INSTALL now suggest to to use a build directory.
Feb 1 2023
@MathiasMagnus This change is to support Win32-OpenSSH by gpg-agent emulation of ssh-agent; You can use gpg-agent emulation of ssh-agent when you use Win32-OpenSSH. That is, you can use GPG auth subkey for Win32-OpenSSH.
Jan 31 2023
@gniibe Am I misunderstanding something? I thought that with this change one is able to connect from a Windows box to a Linux box and have GPG agent forwarding work. I am still hitting pretty much the same issue described here: https://github.com/PowerShell/Win32-OpenSSH/issues/1564
On my Windows endpoint I'm running gpg.exe version 2.4.0.49237 and in C:\Users\mate\AppData\Roaming\gnupg\gpg-agent.conf I have a single line enable-win32-openssh-support. Running gpg-connect-agent.exe reloadagent /bye I have a gpg-agent running. Get-Process gpg-agent shows that it's running. In my Windows env I have SSH_AUTH_SOCK set to \\.\pipe\openssh-ssh-agent and my Linux endpoint is configured in SSH config with
ForwardAgent yes AddKeysToAgent yes RemoteForward /run/user/1015/gnupg/S.gpg-agent C\:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra
As the remote end reports /run/user/1015/gnupg/S.gpg-agent that socket for agent-socket when issuing gpgconf --list-dirs and my local gpgconfg.exe --list-dirs reports C%3a\Users\mate\AppData\Local\gnupg\S.gpg-agent.extra where I transform %3a to \: manually. SSH authentication works perfectly, when connecting pinentry-qt pops up to unlock my key and when connecting to yet another machine, my SSH agent is forwarded again. However, gpg fails to use my agent. Issuing gpg --list-secret-keys --verbose prints the following to the console:
gpg --list-secret-keys --verbose gpg: using pgp trust model getsockopt SO_ERROR failed connect_to C:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra port -2: failed. gpg: no running gpg-agent - starting '/usr/bin/gpg-agent' getsockopt SO_ERROR failed connect_to C:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra port -2: failed. gpg: waiting for the agent to come up ... (5s) getsockopt SO_ERROR failed connect_to C:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra port -2: failed. getsockopt SO_ERROR failed connect_to C:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra port -2: failed. getsockopt SO_ERROR failed connect_to C:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra port -2: failed. getsockopt SO_ERROR failed connect_to C:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra port -2: failed. getsockopt SO_ERROR failed connect_to C:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra port -2: failed. getsockopt SO_ERROR failed connect_to C:/Users/mate/AppData/Local/gnupg/S.gpg-agent.extra port -2: failed. gpg: waiting for the agent to come up ... (4s) gpg: waiting for the agent to come up ... (3s) gpg: waiting for the agent to come up ... (2s) gpg: waiting for the agent to come up ... (1s) gpg: can't connect to the agent: End of file
What is missing to tie the knot on both ends without having to resort to 3rd party tools like @rupor-github 's agent-gui? The remote gpg version is 2.2.19, is that the issue? Must that also be 2.3.9+?
Dec 30 2022
Somehow I was waiting for such a comment ;-) Sure you are right and we will fix the README eventually.
Dec 27 2022
This is probably not the right place, but considering you're telling people *here* that they should not build in the source tree, your README and INSTALL files do tell the users to do exactly that.
Dec 22 2022
Pushed the change.
Dec 21 2022
I will push this change:
commit e89d57a2cb10bd04d266165015f159be2ab48984 Author: NIIBE Yutaka <gniibe@fsij.org> Date: Wed Dec 21 10:52:24 2022 +0900
Dec 20 2022
You should do it for all software ;-).
Sorry, one more thing: I should use out of source builds for all gnupg software (libgpg-error, libksba, etc)? It's fine if so, just want to check what the policy is.
Ah, thanks! I didn't know this was unsupported. I'll change what we're doing.
You are building in the source tree - not a good idea. This should be supported but we don't test this. Please make your life easier and don't do build this way. We try to fix this for the next release.
Dec 6 2022
Thanks !
A real fix will be in the next gpgrt release
Nov 25 2022
Implications are... you won't be possible to use new protocols introduced by newer OpenSSH:
Nov 24 2022
Thanks. Adding 'PubkeyAuthentication unbound' to my ~/.ssh/config seems to workaround it for me on openssh-9.1p1-3 (arch). I don't quite follow what the implications of that setting are though.
In my cases (tested with 9.1), here are the length of data to be signed by ssh-agent (emulation by gpg-agent).
- 164 bytes: Both features disabled by: ssh -o KexAlgorithms=-sntrup761x25519-sha512@openssh.com -o PubkeyAuthentication=unbound
- 192 bytes: Unbound only by: ssh -o PubkeyAuthentication=unbound
- 298 bytes: No Post Quantum only by: ssh -o KexAlgorithms=-sntrup761x25519-sha512@openssh.com
- 330 bytes: Both features enabled (no options)
Nov 22 2022
I tested with openssh 9.1. When I add -o PubkeyAuthentication=unbound, I can make the length of data smaller.
Nov 9 2022
In T5931#165009, @alexk wrote:A workaround you can add the following line to ~/.ssh/config or /etc/ssh/ssh_config:
KexAlgorithms -sntrup761x25519-sha512@openssh.comFor me ssh -o KexAlgorithms=-sntrup761x25519-sha512@openssh.com ... does work as well.
A workaround you can add the following line to ~/.ssh/config or /etc/ssh/ssh_config:
Oct 5 2022
Sep 22 2022
We should close this. The recent fix in 2.2 and the forthcoming 2.3 does everything we want. In the meantiime or if further problems turn up, --ignore-cert is a good workaround.
Sep 2 2022
Aug 31 2022
Small correction: We don't have replicas of our code signing key. I mistook this with out Authenticode signing key.
Aug 30 2022
In general I use my standard ed25519 signing token for all software. However, GnuPG VS-Desktop is signed using a Brainpool key named GnuPG.com (stored on a smartcard with 2 replicas) for the simple reason that it does not raise questions when ppl update their GnuPG VS-Desktop and run into a non-compliant key.
In the situation of a certificate about to be expired in the cache:
Thanks, @gniibe -- i agree that this change to put_cert should be helpful, when encountering a certificate that is already invalid.
Aug 26 2022
rejecting an intermediate certificate too.
Pushed the change of mine to master, since I can confirm that it results validate_cert_chain working better, because of put_cert's rejecting an intermediate certificate too.
Aug 25 2022
Aug 24 2022
Jul 12 2022
I'm going to backport this to 2.2, as it found useful.
May 2 2022
Jul 15 2021
Forgot to mention one thing: after changing my user folder directory I lost all my Outlook contacts. I was able to recover them... make sure you have a backup before attempting this!
Jul 12 2021
I just had the same issue as hurui200320. My user name contains a "ç" and Kleopatra did not start. The Windows event logger reported a crash in libstdc++-6.dll. This was with gpg4win-3.1.16. Installing gnupg 2.3.1 did not change anything.
Apr 15 2021
gpg4win 3.1 has no full Unicode support. You may try to install the new GnuPG 2.3 version on top of gpg4win to fix this problem or wait until we have releases gpg4win 4 which will come with GnuPG 2.3.