Our tests are now in tests/basic.c.
Dec 15 2020
For CMAC tests, we would need to use newer test vectors.
Dec 14 2020
Unfortunately and confusingly, PKISSH returns "OpenSSH" when asked by "ssh -V".
Please install real OpenSSH, if this is the case for you.
Quote from IRC:
hey, i've some problems with my smartcard since quite some time. i'm not sure whether it's openssh related or gnupg. it's a openpgpcard v2.0 and i have to workaround ssh logins by using "SSH_AUTH_SOCK=0 ssh ...". .gnupg/gpg-agent.conf -
gpg --edit-card and --card-status works fine and sign/encrypt works fine as well. only ssh auth fails
openssh 8.1_p1, gnupg 2.2.20
Yeah but it seems to be the same issue / reason. I wasn't aware that PKISSH is something else. I thought it was an extension/protocol or something
I added "Feature Request", because this is a request to support:
- A feature of bug compatibility, which is implemented wrongly in PKISSH
- for a specific algo of key, which is not considered so useful (== ECDSA)
- PKISSH, which is variant of OpenSSH
In T4563#140184, @idl0r wrote: I was and I am using OpenSSH on both sides, client and server.
I was and I am using OpenSSH on both sides, client and server.
I do not think that we should support a fork of openssh right now. If we would support it we are bound to maintain that for years - this is not a good idea.
Well, I have no idea about the technical background to be honest but without this patch it doesn't work at all for me, unless I stop using the agent or workaround it by using SSH_AUTH_SOCK=0. With this patch, I can use the agent again. I don't know how many others are affected by this but it made it usable again, which wasn't the case for months already.
In theory, I don't think the patch gnupg.patch works. It just ignores the flag.
In T2291#140172, @gniibe wrote: Thank you for testing.
For the issue #1, I think it is the problem of rG1cd615afe301: gpg,card: Allow no version information of Yubikey.. This was introduced by the support of PIV feature of Yubikey.
Thank you for testing.
For the issue #1, I think it is the problem of rG1cd615afe301: gpg,card: Allow no version information of Yubikey., which is fixed already. This was introduced by the support of PIV feature of Yubikey.
Dec 13 2020
Dec 12 2020
Report on some testing using master:
You're right. Thank you.
Oh, any chance GPG could inform the user when using export-pka that it is dead/deprecated? Also thanks for the quick reply.
PKA is dead but anyway: What you see is a record from a DNS zone file which has a specific semantic. The 14 for example means that 20 bytes follow.
Dec 11 2020
The specs might just want to say that it just expects the wildcard to be broken, not that it expects an empty record.
Then put something into the TXT - it does not matter and is only used to break the wildcard.
Hartmut, please read Andre's mail again - we can't do anything about it if Outlook considers an extra delay of 20ms as too slow.
Andre,
That's wrong.
If I disable the Addin, the effect is gone.
Best regards
Hartmut
From: aheinecke (Andre Heinecke) <noreply@dev.gnupg.org>
Sent: Friday, 11 December 2020 08:35
To: hartmut.jacobi@hotmail.de
Subject: [Task] [Closed] T5176: Problem with Office 365 GnuPG Outlook addin, Outlook reports not to be primary Mail client
aheinecke closed this task as "Invalid".
aheinecke added a comment.
Hi, you can change the default mail app under system settings in Windows 10, this has nothing to do with GpgOL, and the delayed start report, I can't do anything about. Outlook just shows this for any COM Addin to shift the blame, seriously we took 0,02s or 20ms on your system for our initialization. That is reasonably fast.
Hi, you can change the default mail app under system settings in Windows 10, this has nothing to do with GpgOL, and the delayed start report, I can't do anything about. Outlook just shows this for any COM Addin to shift the blame, seriously we took 0,02s or 20ms on your system for our initialization. That is reasonably fast.
Reading the code again, I think that some configuration of NKS card doesn't work well, when it has no certificates but keys (e.g. IDLM config).
I'm going to fix do_readkey as well (the approach #1).
Dec 10 2020
Cloudflare doesn't seem to allow empty DNS TXT records...
From the specs:
There's a wildcard CNAME, it's not _really_ configured. It's not a good assumption that a CNAME == configured and it doesn't have a reasonable fallback, IMHO.
If you configure the subdomain in the DNS this will be used. Thus get a cert for it. The old method should not be used and thus if the openpgpkey subdomain exists gpg concludes that the admin is aware of the new scheme.
Hm, I don't want to remove the CNAME just so that GPG WKD would work, is there a way to fix this? Is there a good reason why after "Advanced"/subdomain lookup it doesn't try "direct"?
Oh, it's using the openpgpkey subdomain because of the CNAME but that's not actually being served by the server.
Nope, of course SNI is used. Your problem is a different one. For example no root certificate, a server configured to allow only TLS 1.3, or a not supported algorithm. Decent versions of GnuPG print some hints if run with -v. BTW, an easier way to test is to use "gpg --locate-external-key" which basically does the same you did.
Should work now with GnuPG master (from today). Probably also works with GnuPG 2.2.18.
In T5150#140039, @gniibe wrote: With little (mostly no) knowledge of NKS card, I think I fixed this issue.
With my Yubikey NEO, when I use OTP (touching the button to generate OTP output as key input), I observed "card eject" event:
2020-12-10 11:23:05 scdaemon[7254] DBG: ccid-driver: CCID: interrupt callback 0 (2)
2020-12-10 11:23:05 scdaemon[7254] DBG: ccid-driver: CCID: NotifySlotChange: 02
2020-12-10 11:23:05 scdaemon[7254] DBG: ccid-driver: CCID: card removed
2020-12-10 11:23:05 scdaemon[7254] DBG: enter: apdu_get_status: slot=0 hang=0
2020-12-10 11:23:05 scdaemon[7254] DBG: leave: apdu_get_status => sw=0x1000c status=0
2020-12-10 11:23:05 scdaemon[7254] DBG: Removal of a card: 0
Thanks a lot for your time to locate the problem. I took the approach of #2.
Dec 9 2020
I have reproduced the bug
A backtrace with gdb from mingw-w64 results in
I did a fresh install of Gpg4win 3.1.14 and imported my standard pubkey, by using
gpg --locate-key bernhard@intevation.de
on the command line.
This works now. Thanks.
I'm not sure why I thought that it would work now. With current master I get
$ gpg-connect-agent "SCD READKEY --info-only -- 39400430E38BB96F105B740A7119FE113578B59D" /bye
ERR 100663414 Invalid ID <SCD>
Sorry, I can't reproduce this. What kind of key is causing the crash?
I am affected by the same bug and the patch seems to work for me. Login via gpg-agent with ssh support is possible again, which wasn't before, since some openssh and/or gnupg update. Not sure.
Should work now with GnuPG master (because PIV is not supported by 2.2).
Should work now with GnuPG 2.2.18+, but so far only tested with master.