You mean that common blocks can't be used anymore? The RISC-OS had this problem but it was the only architecture I was aware of that required "extern" trickery.

That means that the GnuPG Backend does not work. I do not think that the office update is the reason, me and others use GpgOL with the most recent versions of Office Pro Plus without issue.
Have you possibly modified you gnupg config files? If there is a bad value in there it would result in such an error.

We briefly talked in the OpenPGP WG about the u32 problem and agreed that this is not an issue for 2440bis. The mismatch between creation date and expiration period is one of those minor PGP flaws. PGP-2 even used days to specify the expiration period.

Avoiding a failure for older versions means that the test suite won't catch this particular bug if it is reintroduced in future versions. That seems suboptimal for me, but given the complexity of the dependency chain, i don't know how to solve it. I prefer just raising an error with older versions of GnuPG as with rMf2aeb2563ba2 , as this is a test of the json interface, which isn't in widespread use yet.

Changing back to wontfix given the wontfix resolution of T4826

This is not a problem for 2107 (when you and i are 6 feet under). it's a problem well before then for anything that has an expiration date of 2107 or later (as demonstrated by the legitimate example certificate here today).

I would like to understand why this changed. T4061 might be relevant here. This has been fixed after the 2.2.19 release.

Well thanks for reporting it ;-)

I don't care; encryption won't work for us 6ft under. (This is a protocol problem which someone should address in a couple of decades)

That looks pretty much like another gawk regression. The easiest fix is to install another AWK version (e.g. mawk).

This is a problem for gpgv and gpg as well. gpg reports:

It looks like at least for OpenPGP, the layer below GPGME is also broken for expiration dates in this time window (see T4826)

I don't mind a workaround that avoids an ABI/API fix as long as it defers actual failures until 2038.

I'm reopening this because i think users of these 32-bit platforms are going to run into issues before 2038 happens. Certs could appear expired before they are actually expired, for example, because of the wraparound time.

I would prefer to have a procedure that do not reset PINs to their default values, but as long as all PINs are set to known and valid values when KDF is setup it will not make the token unusable after that, so it seems reasonable to me.

Or, #5 would be:

Hi Andre,

1. I am the sender, and can guarantee both correct keys were used. The same two keys do work in the Kleopatra clipboard tool (with recipient tool's email parser) , just not with standalone files (at least not with his file decryption be tool).

1. It could be a user error on my part, but the Kleopatra GUI is showing both keys with check marks, so I have trouble imagining what I could do different.

1. Recipient is not using Kleopatra, as noted in the original ticket. It is possible (and I suspect, likely) that the problem is an incompatibility between these two tools. If this is the case, then we need to find which tool is not following the standard, or perhaps the standard is ambiguous.

1. Since filing the ticket I have discovered that if I (sender) use command line GPG (ugh!), the recipient can decrypt the file with his tool. This seems to point the finger towards Kleopatra as the more likely cause of the problem.

1. There was a screenshot included in the original ticket showing very clearly the recipients tool doesn't recognize the presence of a second (i.e. recipient's) key.

I am attaching the screen shot from the recipient’s tool again, for your convenience.
I am also adding a screen shot of the my (i.e., sender’s) set-up in Kleopatra.
Rich

G. Richard Newell
Assoc. Technical Fellow, FPGA Business Unit, Microchip Technology
(408) 643-6146 (office), (408) 882-4785 (mobile), +1 (925) 478-7258 (Skype)
PGP: (2009 DSA-1024, ELG-4096) B751 FC13 8B4E 49DA 2270 35A2 20E4 E66A D0D0 2E34

     (2016 SSA-4096, RSA-4096) 65F5 CCD6 23B3 BD3D CEDE AB58 171F F4DE E7D0 3ECA

From: aheinecke (Andre Heinecke) [mailto:noreply@dev.gnupg.org]
Sent: Monday, January 27, 2020 12:37 AM
To: richard.newell@microsemi.com
Subject: [Task] [Closed] T4824: Encrypted file appears to not be encrypted by recipients public key

EXTERNAL EMAIL: Do not click links or open attachments unless you know the content is safe
aheinecke closed this task as "Invalid".
aheinecke added a comment.

Hi,

I have difficutlty to accept that as an issue in our tracker. Somehow the GUI for Kleopatra appears to be confusing for your "Sender" which apparently is not you, correct? This results in the wrong keys selected for encryption.
With this amount of information I cannot see any path of change for our software.
Could you maybe provide a screenshot how the recipient selection looks for your user in Kleopatra, so that we can discover why it might be confusing or why the recipients key is not selected correctly?

I'm setting this issue as "Invalid" in the meantime. Not out of disrespect or so, only because I don't see how the information from this issue can currently lead to a change in our software. I can change the status later again.

Thanks,
Andre

TASK DETAIL
https://dev.gnupg.org/T4824

EMAIL PREFERENCES
https://dev.gnupg.org/settings/panel/emailpreferences/

To: aheinecke

Cc: aheinecke, grichardnewell, Neurone, Rafixmod, ccharabaruk, gp_ast

This is an automated email from the GnuPG development hub. If you have registered in the past at https://bugs.gnupg.org/ your account was migrated automatically. You can visit https://dev.gnupg.org/ to set a new password and update your email preferences.

thanks for looking at this, @aheinecke ! if you or @werner know of any internal side effects where this does matter, it would be great to add a test that documents them.

I am interested in that. I have a yubikey here that I wish to use productively for brainpool-256 signing, bp-512 (just for fun) encrypting and cv25519 authentication. I need to use brainpool signing and encryption subkeys for VS-NfD compliant communication and I want to be more modern then RSA ;-)

Merged into master. Thanks!

Thanks! I would merge your commits but I'll like to talk to werner tomorrow about the always adding "--with-keygrip" I also think its useful but it might have expensive internal side effects that I am not aware of.

I have difficutlty to accept that as an issue in our tracker. Somehow the GUI for Kleopatra appears to be confusing for your "Sender" which apparently is not you, correct? This results in the wrong keys selected for encryption.
With this amount of information I cannot see any path of change for our software.
Could you maybe provide a screenshot how the recipient selection looks for your user in Kleopatra, so that we can discover why it might be confusing or why the recipients key is not selected correctly?

@Amaud, I read your code in Python. IIUC, it asks users PW1, Reset Code, and PW3 to setup, just before registering KDF DO (as you describe in https://dev.gnupg.org/T3891#114950).

(if you don't want to publish the full strace output here because you're concerned it might leak some information about your machine or your network, but you're ok sharing it with me personally, you can send it to me privately by e-mail, encrypted to the OpenPGP certificate with fingerprint C4BC2DDB38CCE96485EBE9C2F20691179038E5C6, and sent to one of the e-mail addresses associated with that certificate. please make a note here if you do that)

ok, that's deeply weird. i'm assuming that this machine has IPv4 connectivity. I have no idea why dirmngr would be returning EAFNOSUPPORT in that case.

Right after the failed connection I see:

$ gpg-connect-agent --dirmngr 'keyserver --hosttable' /bye
S # hosttable (idx, ipv6, ipv4, dead, name, time):
S #   0   4 d keys.openpgp.org (37.218.245.50)  (5s)
OK

Regarding Cygwin: The sources are a bit hard to find.
https://cygwin.com/packages.html
-> https://cygwin.com/packaging/repos.html
-> https://cygwin.com/git-cygwin-packages/
-> https://cygwin.com/git-cygwin-packages/?p=git/cygwin-packages/libgcrypt.git;a=summary

Regarding GNU/kFreeBSD, my machine is using the FreeBSD 9.0 kernel, which does not yet have the security.bsd.unprivileged_mlock oid. Like what was mentioned here: https://lists.debian.org/debian-bsd/2014/08/msg00092.html

For Cygwin, I can't find how its libgcrypt package is built.
I found this for MSYS2: https://github.com/msys2/MSYS2-packages/tree/master/libgcrypt
This for Mingw-w64: https://github.com/msys2/MINGW-packages/tree/master/mingw-w64-libgcrypt

I tested on FreeBSD. Same errors (t-secmen and t-sexp) are reproducible when we set:

branch dkg/fix-4821 contains a fix for this, in commit 414938cfedbdb97b83d00e8619dec9502096be22

in particular, c4cf527ea227edb468a84bf9b8ce996807bd6992 and f2aeb2563ba2f55eea7f52041e52062fdc839a64

The dkg/fix-4820 branch now has these two fixes.

Thanks for concrete cases. Sorry, not responding earlier. It was an experimental feature, firstly only available in Gnuk Token.

For easier reference or searchability, the test error looks like this:

I implemented the script described previsouly (https://dev.gnupg.org/T3891#114950) in the smartpgp-cli utility provided in the SmartPGP repository (see commit https://github.com/ANSSI-FR/SmartPGP/commit/4be0fa442b43c2bafd5f0171417ff68fd88cbe2d).

This appears to be a different error than above. here we see:

With tls-debug 16:

dirmngr[9162.6] DBG: chan_6 <- END
dirmngr[9162.6] DBG: dns: libdns initialized
dirmngr[9162.6] DBG: dns: getsrv(_pgpkey-https._tcp.keys.openpgp.org) -> 0 records
dirmngr[9162.6] DBG: dns: resolve_dns_name(keys.openpgp.org): Success
dirmngr[9162.6] resolve_dns_addr for 'keys.openpgp.org': 'keys.openpgp.org' [already known]
dirmngr[9162.6] resolve_dns_addr for 'keys.openpgp.org': 'keys.openpgp.org' [already known]
dirmngr[9162.6] DBG: gnutls:L3: ASSERT: /var/tmp/portage/net-libs/gnutls-3.6.11.1-r1/work/gnutls-3.6.11.1/lib/x509/common.c[_gnutls_x509_get_raw_field2]:1575
dirmngr[9162.6] DBG: gnutls:L3: ASSERT: /var/tmp/portage/net-libs/gnutls-3.6.11.1-r1/work/gnutls-3.6.11.1/lib/x509/x509.c[gnutls_x509_crt_get_subject_unique_id]:3902
dirmngr[9162.6] DBG: gnutls:L3: ASSERT: /var/tmp/portage/net-libs/gnutls-3.6.11.1-r1/work/gnutls-3.6.11.1/lib/x509/x509.c[gnutls_x509_crt_get_issuer_unique_id]:3952
dirmngr[9162.6] DBG: gnutls:L3: ASSERT: /var/tmp/portage/net-libs/gnutls-3.6.11.1-r1/work/gnutls-3.6.11.1/lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
dirmngr[9162.6] DBG: gnutls:L3: ASSERT: /var/tmp/portage/net-libs/gnutls-3.6.11.1-r1/work/gnutls-3.6.11.1/lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
dirmngr[9162.6] DBG: gnutls:L3: ASSERT: /var/tmp/portage/net-libs/gnutls-3.6.11.1-r1/work/gnutls-3.6.11.1/lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
dirmngr[9162.6] DBG: gnutls:L3: ASSERT: /var/tmp/portage/net-libs/gnutls-3.6.11.1-r1/work/gnutls-3.6.11.1/lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
dirmngr[9162.6] number of system provided CAs: 142
dirmngr[9162.6] DBG: gnutls:L5: REC[0x7fd5a400c360]: Allocating epoch #0
dirmngr[9162.6] DBG: gnutls:L2: added 6 protocols, 29 ciphersuites, 18 sig algos and 9 groups into priority list
dirmngr[9162.6] DBG: Using TLS library: GNUTLS 3.6.11
dirmngr[9162.6] DBG: http.c:connect_server: trying name='keys.openpgp.org' port=443
dirmngr[9162.6] DBG: dns: resolve_dns_name(keys.openpgp.org): Success
dirmngr[9162.6] error creating socket: Address family not supported by protocol
dirmngr[9162.6] error connecting to 'https://keys.openpgp.org:443': Address family not supported by protocol
dirmngr[9162.6] DBG: gnutls:L13: BUF[HSK]: Emptied buffer
dirmngr[9162.6] DBG: gnutls:L5: REC[0x7fd5a400c360]: Start of epoch cleanup
dirmngr[9162.6] DBG: gnutls:L5: REC[0x7fd5a400c360]: End of epoch cleanup
dirmngr[9162.6] DBG: gnutls:L5: REC[0x7fd5a400c360]: Epoch #0 freed
dirmngr[9162.6] marking host 'keys.openpgp.org' as dead
dirmngr[9162.6] host 'keys.openpgp.org' marked as dead
dirmngr[9162.6] command 'KS_PUT' failed: No keyserver available
dirmngr[9162.6] DBG: chan_6 -> ERR 167772346 No keyserver available <Dirmngr>
dirmngr[9162.6] DBG: chan_6 <- BYE
dirmngr[9162.6] DBG: chan_6 -> OK closing connection
dirmngr[9162.6] handler for fd 6 terminated

Could it be that the system installed CAs are not sufficient for the TSL handshake? But then also curl should fail on that host. But curl https://keys.openpgp.org is fine.

On Solaris, the test errors are because of:

USAGE
       Because of the impact on system resources, the use of mlock() and
       munlock() is restricted to users with the {PRIV_PROC_LOCK_MEMORY}
       privilege.

OK, I identified the problem on OpenIndiana. The inclusion of <unistd.h> causes inclusion of <sys/types.h> before config.h. I'm going to fix this.

Patch have been applied to master, https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=79ed620ec46adbb08f5cea6a4865a95a436e4109