diff --git a/g10/getkey.c b/g10/getkey.c index de5024198..051b21203 100644 --- a/g10/getkey.c +++ b/g10/getkey.c @@ -1272,6 +1272,48 @@ only_expired_enc_subkeys (kbnode_t keyblock) return any? 1 : 0; }
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Feed All Stories
All Stories
All Stories
Oct 4 2019
Oct 4 2019
• aheinecke renamed T4543: GpgOL: Moved S/MIME mails can no longer be read by other clients from GpgOL: Moved S/MIME mails with attachments can no longer be read by other clients to GpgOL: Moved S/MIME mails can no longer be read by other clients.
See https://minerva.crocs.fi.muni.cz/ for a description of the timing attack.
Oct 3 2019
Oct 3 2019
• werner committed rG7d9aad63c4f1: gpg: Ignore all SHA-1 signatures in 3rd party key signatures. (authored by • werner).
gpg: Ignore all SHA-1 signatures in 3rd party key signatures.
• werner committed rGedc36f59fcfc: gpg: Be prepared for chosen-prefix SHA-1 collisions in key signatures. (authored by • werner).
gpg: Be prepared for chosen-prefix SHA-1 collisions in key signatures.
• werner committed rGc4f2d9e3e1d7: gpg: Be prepared for chosen-prefix SHA-1 collisions in key signatures. (authored by • werner).
gpg: Be prepared for chosen-prefix SHA-1 collisions in key signatures.
• werner committed rG63dbc817e7dc: gpg: Read the UBID from the keybox and detect wrong blob type. (authored by • werner).
gpg: Read the UBID from the keybox and detect wrong blob type.
common: New function hex2fixedbuf.
• werner committed rGc7293a4d125c: kbx: Add first version of STORE command to keyboxd. (authored by • werner).
kbx: Add first version of STORE command to keyboxd.
• aheinecke committed rOe3e96e4a6052: Handle an error return in get_object_name (authored by • aheinecke).
Handle an error return in get_object_name
• aheinecke committed rO91c86d7cd53a: Restore S/MIME message class after decrypt (authored by • aheinecke).
Restore S/MIME message class after decrypt
• aheinecke committed rKLEOPATRAbe36be70e9e6: Allow hiding config modules (authored by • aheinecke).
Allow hiding config modules
• aheinecke added a subtask for T4716: Kleopatra: Allow hiding of config modules on Windows: T4660: Gpg4win 3.1.11.
• aheinecke added a parent task for T4660: Gpg4win 3.1.11: T4716: Kleopatra: Allow hiding of config modules on Windows.
ecc: Add Curve448.
Oct 2 2019
Oct 2 2019
dkg reopened T4400: GnuPG fails to parse algorithm preferences (and presumably features) from direct key signatures as "Open".
I agree with @werner that when presented with a User ID with self-sig with preference, the preferences subpackets from the self-sig should take precedence.
I modified _gcry_ecc_fill_in_curve so that g_y has new value in eid4730.
• gniibe committed rC1cfe2329b91c: ecc: Fix regression in keygrip computation for cv25519 (2). (authored by • gniibe).
ecc: Fix regression in keygrip computation for cv25519 (2).
Oct 1 2019
Oct 1 2019
I believe the issue is as follows. When given the option ttyname=... pinentry will open() the given tty and that fails since it is owned by the regular user and not root; strace reports:
openat(AT_FDCWD, "/dev/pts/1", O_RDONLY) = -1 EACCES (Permission denied)
However, when not given this option, pinentry will simply write() to stdout which causes no permission problem; through sudo and the terminal this goes to /dev/pts/1.
I found a way to replicate that error with just pinentry by doing (as root):
# tty /dev/pts/1 # pinentry OK Pleased to meet you OPTION ttyname=/dev/pts/1 OK GETPIN S ERROR gtk2.open_tty_for_read 83918849 ERR 83918849 Permission denied <Pinentry>
When I remove OPTION ttyname=... there is no error.
My other terminals (xterm) are /dev/pts/1, /dev/pts/2, etc. and I can reproduce the bug in them too.
web: Add a stub page for poldi.
See also apt-get show libpam-poldi
Also in another terminal?
I did not (neither in my root shell nor in my user shell) but setting and exporting this environment variable does not make any difference: gpg --gen-key still fails as above. (Note that tty indeed returns /dev/pts/0 .)
Do you have
GPG_TTY=$(tty) export GPG_TTY
doc: Remove cruft from a doc entry.
That's my badness. I think that I haven't seen this problem, because I mainly use tokens (where keygrip difference doesn't matter, after --card-status).
njcooke added a comment to T4647: "gpg.exe -se" fails when run programmatically, but does not fail when run from the command line.
Hi
FYI here is what I did to resolve:
running gpg.exe and gpg-agent.exe as Administrator and XP mode....
gp-agent:
set service Priority to REALTIME
Disabled Windows UAC virtualization.
Sep 30 2019
Sep 30 2019
Thanks for your help investigating this.
if you run
What is weird is that pinentry supposedly detects the absence of an X session and falls back on curses. For instance, I have:
• werner committed rGa605dbb430b1: gpg: Fix --recv-key in case of a given fingerprint. (authored by • werner).
gpg: Fix --recv-key in case of a given fingerprint.
• werner committed rGec81c437e71b: gpg: Fix expand GPG groups when resolving a key (authored by • werner).
gpg: Fix expand GPG groups when resolving a key
• werner edited projects for T4708: gpg cannot retrieve key via wkd from http2 server, added: Documentation, FAQ; removed Bug Report.
• werner renamed T3053: Change license for the website to CC BY-SA 4.0 from Chnage license for the website to CC BY-SA 4.0 to Change license for the website to CC BY-SA 4.0.
You should always run gpg with --verbose if you run into an unknown error. It shows more information; in your case info about the requested pinentry. The strace does not show this. You probably have no permission to launch the X version opf the pinentry because the xauth does not work. As a quick test use ssh -X root@localhost instead.
Sep 29 2019
Sep 29 2019
sysconfdir:/etc/gnupg bindir:/usr/bin libexecdir:/usr/lib/gnupg libdir:/usr/lib/gnupg datadir:/usr/share/gnupg localedir:/usr/share/locale socketdir:/root/.gnupg dirmngr-socket:/root/.gnupg/S.dirmngr agent-ssh-socket:/root/.gnupg/S.gpg-agent.ssh agent-extra-socket:/root/.gnupg/S.gpg-agent.extra agent-browser-socket:/root/.gnupg/S.gpg-agent.browser agent-socket:/root/.gnupg/S.gpg-agent homedir:/root/.gnupg
bionade24 updated the task description for T4714: Gnupg can't import or generate private key as root.
Please provide a full description of what you did. What command line did you use, have you su-ed or logged in regular.? What is the output of "gpgcof --list-dirs" ?
Sep 28 2019
Sep 28 2019
• gniibe added a project to T4620: no support for multiple (yubikey) smartcards plugged in at the same time: Restricted Project.
Laurent Montel <montel@kde.org> committed rKLEOPATRA53a068e7fe13: Fix hidpi support (authored by Laurent Montel <montel@kde.org>).
Fix hidpi support
asv awarded T4620: no support for multiple (yubikey) smartcards plugged in at the same time a Like token.
ecc: Add a keygrip testcase for cv25519.
• werner committed rCf67b6492e0b0: ecc: Fix regression in keygrip computation for cv25519. (authored by • werner).
ecc: Fix regression in keygrip computation for cv25519.
• werner lowered the priority of T4712: Keygrip broken in master for cv25519 from Unbreak Now! to Normal.
Sep 27 2019
Sep 27 2019
• werner committed rG9698761933f7: Merge branch 'switch-to-gpgk' into master (authored by • werner).
Merge branch 'switch-to-gpgk' into master
• werner committed rGb966a7c142ab: gpg: Fix a recently introduced printf format buglet. (authored by • werner).
gpg: Fix a recently introduced printf format buglet.
kbx: Fix error code return in keyboxd.
kbx: Store the UBIB in the blob.
• gniibe renamed T4563: gpg-agent fails to sign request of PKISSH from gpg-agent fails to sign request to gpg-agent fails to sign request of PKISSH.
• werner closed T4711: Misleading error messages and debug logs for DNS failures while fetching via WKD as Resolved.
Do not use this legacy debug stuff. Use --debug CATEGORY. For example
• gniibe edited projects for T4563: gpg-agent fails to sign request of PKISSH, added: Feature Request; removed Info Needed, Bug Report.
• werner committed rG280e9c9cfac3: kbx: First take on a cache for the keyboxd. (authored by • werner).
kbx: First take on a cache for the keyboxd.
kbx,gpg: Allow lookup using a UBID.
doc: Minor doc updates and a typo fix.
• werner committed rG1f987516f6b1: tests: Add two user-id parsing test cases. (authored by • werner).
tests: Add two user-id parsing test cases.
OK, I identify the problem.
Sep 26 2019
Sep 26 2019
jukivili committed rC4bebafb7bae8: Add stitched ChaCha20-Poly1305 ARMv8/AArch64 implementation (authored by jukivili).
Add stitched ChaCha20-Poly1305 ARMv8/AArch64 implementation
jukivili committed rC96b91e164160: Small tweak for PowerPC Chacha20-Poly1305 round loop (authored by jukivili).
Small tweak for PowerPC Chacha20-Poly1305 round loop
jukivili committed rC664370ea02df: Reduce size of x86-64 stitched Chacha20-Poly1305 implementations (authored by jukivili).
Reduce size of x86-64 stitched Chacha20-Poly1305 implementations
Sep 25 2019
Sep 25 2019
For pinpadtest.py, you need to offer an option --add (adding dummy byte), when you are using Cherry ST-2xxx.
For pinpadtest.py, you need to offer an option --add (adding dummy byte), when you are using Cherry ST-2xxx.
It is not supported, by CCID protocol itself. So, it is not supported by scdaemon, and by any of card readers (which I know of), either.
It is not supported, by CCID protocol itself. So, it is not supported by scdaemon, and by any of card readers (which I know of), either.
Sep 24 2019
Sep 24 2019
Fix gpg-error.c for preprocessor use.
Sep 23 2019
Sep 23 2019
Sep 22 2019
Sep 22 2019
Laurent Montel <montel@kde.org> committed rLIBKLEO766f7252dbfd: GIT_SILENT: Time to increase dependancy. Use new macro for generating designer… (authored by Laurent Montel <montel@kde.org>).
GIT_SILENT: Time to increase dependancy. Use new macro for generating designer…
Laurent Montel <montel@kde.org> committed rKLEOPATRA976709fde397: GIT_SILENT: Time to increase dependancy. Use new macro for generating designer… (authored by Laurent Montel <montel@kde.org>).
GIT_SILENT: Time to increase dependancy. Use new macro for generating designer…
Sep 21 2019
Sep 21 2019
• werner added a comment to T4123: Pinentry-qt does not always become active foreground window (especially when requesting pin for authentication).
It is not just about being annoying but for security reasons. It would be too easy for other applications *think webbrowser or Acrobat) to take a screenshot and pop up a modified version of that screenshot with data entries to act as a MitM.
Sep 20 2019
Sep 20 2019
$ gpg-connect-agent --dirmngr 'getinfo version' /bye
D 2.2.17
OK
Can you check which dirmngr version you are running
gpg-connect-agent --dirmngr 'getinfo version' /bye
thanks for the dns explanation - IMHO, there should be added something about that in the wiki
When it does not work for you on http1 either, then I guess, it's really just some outdatedness of my gpg/dirmngr and this ticket can be closed.
It does not work either. Your problem is the use of a wildcard DNS for archlinux32.org:
The test above was with gpg master but I got the same result with current 2.2:
ok, I disabled it again. btw: why do we need openpgpkey.archlinux32.org in the cert? Is this standard or did I misconfigure something?
Thanks. Here is a dirmngr log:
• gniibe committed rGbb5ed9fe1abf: build: Build gpg-pair-tool only when there is newer libgcrypt. (authored by • gniibe).
build: Build gpg-pair-tool only when there is newer libgcrypt.
Sep 19 2019
Sep 19 2019
I set archlinux32.org back to http2 - so you can see for yourself, how gpg fails to retrieve the key for buildmaster@archlinux32.org
I believe, it means, that it may fall back to http1.1 - the documentation is not clear to me on this.
A simple test however shows, that at least curl has no problems to use http1.1 or http1.0 with the http2 enabled nginx.
Does your ngix configuration mean that there is no fallback to standard http?
• gniibe committed rG7c81e5cb97c7: tools: Fix gpg-pair-tool to follow new API. (authored by • gniibe).
tools: Fix gpg-pair-tool to follow new API.
• gniibe committed rGf22a00416149: tools: Use new API of libgcrypt for gpg-pair-tool. (authored by • gniibe).
tools: Use new API of libgcrypt for gpg-pair-tool.