All Stories
Oct 29 2020
I have added support for this to gpgme (and gpgme++/qgpgme). See T5094.
By the way, --quick-sign-key after --quick-revoke-sig refuses to recertify the key. -> T4584
There is another problem: Even if the first certification was revoked, trying to add a new certification with --quick-sign-key fails because '"user id" was already signed by key ...'
I found a bug. To reproduce generate a new key, then sign it with another key and then try to quick-revoke the signatures. This fails with "Not signed by you."
I forgot that we have LOCK and UNLOCK commands in scdaemon. This was implemented around 2005 but there are no more users in gpg meanwhile.
On purpose. We actually allow user ids and gpg should somehow reflect this. As requested by you I changed it in the man page to what is suggested.
I've noticed an inconsistency between the command arguments in the man page and in the usage/error message.
In short eddsa secret keys generated with current 2.3 can't be imported with 2.2, right? That will lead to a compatibility problem, so we need to fix that in 2.2.
IIUC, it is an issue of GnuPG 2.2.
The condition is where the secret 'd' starts by the first bit = 1 (that is, >= 0x80).
I located the bug in agent/cvt-openpgp.c. The function do_unprotect calls convert_secret_key with skey[1] as a usual MPI (not opaque), and gcry_sexp_build with "(d%m)" will put an additional 0x00 at the beginning, which results in a 33-byte secret in R_KEY. Then, when gcry_pk_testkey is called with R_KEY, its check returns GPG_ERR_INV_OBJ because a 32-byte value is expected. Then, do_unprotect returns GPG_ERR_BAD_PASSPHRASE.
With Debian's GnuPG 2.2.12, I got an error:
With beta1449, I cannot reproduce it.
I can import by gpg --import key-uids-sec.pgp
I tested with Debian's libgcrypt, as well as libgcrypt master (4a50c6b8).
Oct 28 2020
The backend part is ready. Someone(tm) now needs to add it to gpgme. Extending the sign key API might be the best solution.
I was already considering this. I bet some people will view it as a bug if it is possible to add something other than a fingerprint. I'll change it in the man page.
Minor remark: I would change this (in the documentation) to
gpg --quick-revoke-sig fpr fpr-of-signing-key [names]
as for --quick-sign-key, --quick-add-key, and --quick-set-expire, even if USER IDs can be used instead of fingerprints. We shouldn't advertise the usage of USER IDs if we prefer the users to use the fingerprints. I suggest also changing user-id to fpr in the documentation of --quick-add-uid and --quick-revoke-uid. Using USER IDs for identifying keys is ambiguous and error-prone (e.g. if non-ASCII characters get involved, which, incidentally, is the reason why I started to work on KMail).
I have tested this with Kleopatra. The good news is that SCD GETATTR $DISPSERIALNO now works for the piv app even if the openpgp app is enabled.
Thanks for the info and my apologies for the regression. Please see my comment on T5045.
Unfortunately this new release has a regression affecting users with non-ascii account names. See T5098.
Pushed the change.
Oct 27 2020
I am facing a really similar problem currently in version 3.1.13 (on Windows 10), although the self-test shows all checks passed. I found out that there is an issue with the cache dir file not being created/loaded.
See:
I am already working on it. The gpg command will be
I missed this one because I only searched for "revoke" ;-)
Seems to be a duplicate of T4095
IIUC, fix can be like this:
diff --git a/lang/python/src/core.py b/lang/python/src/core.py index 996c3b0f..646bbc60 100644 --- a/lang/python/src/core.py +++ b/lang/python/src/core.py @@ -147,7 +147,12 @@ class GpgmeWrapper(object): gpgme.gpg_raise_callback_exception(slf) return result
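Review bot: only the two trailing context lines of the hunk (`gpgme.gpg_raise_callback_exception(slf)` and `return result`) are visible here; the header `@@ -147,7 +147,12 @@` promises five added lines, but none of them appear in this excerpt, so the proposed change to GpgmeWrapper in lang/python/src/core.py cannot be reviewed from what is shown. Please post the full hunk with the added lines.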
SCD commands:
- DEVINFO
  - returns app specific serialno
- SERIALNO
  - returns app specific serialno
- LEARN
  - returns canonical serialno
Oct 26 2020
The action to switch to the "Smartcard management" still lacks an icon. In the old KDE icon theme Oxygen there was an icon ("secure-card"), but the new Breeze icon theme lacks this icon. I have requested an icon for this for the Breeze theme. See https://bugs.kde.org/show_bug.cgi?id=428278.
Pushed the change.
Oct 24 2020
Oct 23 2020
What can be done is to use gpgconf --list-dirs bindir as a fallback for pinentry.
Sorry, this is a bug tracker and not a help line. Please ask on a mailing list - see gpg4win.org or gnupg.org
Backported to 2.2. Note that an updated libgcrypt is also required (for 2.2 and master)
For the Debian problem it might be better to use "gpgconf --launch" and we add an option here to wait for the daemon to be started. That can be implemented in gpg-connect-agent which then should get the same option.
Frankly, I do not like this change - in particular not for the stable branch. Having a timeout on connections is actually a Good Thing and better than waiting indefinitely. There is a high risk of regressions and that is not acceptable for the stable branch. The branch already had a couple of regressions in 2.2.2x and we need to fix them and not introduce others.