One nit that I overlooked initially is the memory leak, which is fixed with the following patch:
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Feed All Stories
All Stories
All Stories
Sep 30 2022
Sep 30 2022
Sep 29 2022
Sep 29 2022
dirmngr: Minor fix for baseDN fallback.
• werner committed rG2e22184ba5ac: gpg: Avoid to emit a compliance mode line if libgcrypt is non-compliant. (authored by • werner).
gpg: Avoid to emit a compliance mode line if libgcrypt is non-compliant.
• werner committed rG46f9b0071f54: gpg: Fix assertion failure due to errors in encrypt_filter. (authored by • werner).
gpg: Fix assertion failure due to errors in encrypt_filter.
• werner committed rGa51067a21f68: gpg: Make --require-compliance work for -se (authored by • werner).
gpg: Make --require-compliance work for -se
• werner changed the status of T6221: When encrypting, gpg claims DE_VS compliance with non-compliant gcrypt from Open to Testing.
Indeed, the status line should not be emitted in this case. Thanks.
• werner committed rG07c6743148d4: gpg: Avoid to emit a compliance mode line if libgcrypt is non-compliant. (authored by • werner).
gpg: Avoid to emit a compliance mode line if libgcrypt is non-compliant.
justus added a comment to T6221: When encrypting, gpg claims DE_VS compliance with non-compliant gcrypt.
% gpgconf --list-options gpg | grep compliance compliance:16:2::1:1::"gnupg:: compliance_de_vs:144:3::2:2::0:: % dpkg --list libgcrypt20 | cat Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-=================-============-============-===================================== ii libgcrypt20:amd64 1.10.1-2 amd64 LGPL Crypto library - runtime library % gpg --version gpg (GnuPG) 2.2.39 libgcrypt 1.10.1 Copyright (C) 2022 g10 Code GmbH License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.
• werner added a project to T6223: GPGME incorrectly parses the signature class in SIG_CREATED status lines: Feature Request.
Let's don't forget that we need to have a sig_class replacement.
• werner committed rMb1e5f3b18310: core: Fix SIG_CREATED status parsing for 0x1F sigs (authored by • werner).
core: Fix SIG_CREATED status parsing for 0x1F sigs
aheinecke triaged T6221: When encrypting, gpg claims DE_VS compliance with non-compliant gcrypt as Low priority.
With a gcrypt not claiming compliance you should not get the status compliant or not but GnuPG should error out with forbidden.
• werner added a comment to T6223: GPGME incorrectly parses the signature class in SIG_CREATED status lines.
This is not easy to fix because it would break the GPGME API. Here
are the values we can expect:
• werner triaged T6223: GPGME incorrectly parses the signature class in SIG_CREATED status lines as Normal priority.
I assume this is gpgme master. Please write proper bug reports.
• werner added a project to T6221: When encrypting, gpg claims DE_VS compliance with non-compliant gcrypt: gnupg (gpg22).
Justus, you should know how to write a proper bug report. Please do that and don't just paste some more or less random output here with just hint that Libgcrypt is not compliant. tia.
This is a debug option; I see no use case for this.
• gniibe added a comment to T6002: scute w/ gpg23: Support multiple cards/tokens, major update with KEYGRIP.
Merged the changes in t6002 branch into master.
Applied and pushed the change from @joeyberkovitz in rG3257385378bb: dirmngr: Interrogate LDAP server when base DN specified..
• gniibe committed rG3257385378bb: dirmngr: Interrogate LDAP server when base DN specified. (authored by joeyberkovitz).
dirmngr: Interrogate LDAP server when base DN specified.
• gniibe committed rG4b2066afb498: dirmngr: Change interrogate_ldap_dn for better memory semantics. (authored by • gniibe).
dirmngr: Change interrogate_ldap_dn for better memory semantics.
Register DCO for Joey Berkovitz.
dirnmgr: Fix the function prototype.
Sep 28 2022
Sep 28 2022
• werner committed rG536b5cd66305: dirmngr: Fix lost flags during LDAP upload (authored by • werner).
dirmngr: Fix lost flags during LDAP upload
gpg: Silence some diagnostics.
doc: Typo fix in a comment.
• werner committed rG32ce7ac0c674: dirmngr: Fix lost flags during LDAP upload (authored by • werner).
dirmngr: Fix lost flags during LDAP upload
That sounds quite cool.
• werner added a comment to T6220: gpg --full-generate-key does not use max RSA keysize when --enable-large-rsa is set.
Add --expert and use a decent version of GnuPG. 2.2 is our long term support branch and is not the current stable production version (which is 2.3.7)
Actually we developed PIV support to allow the use of PIV X.509 certificates and OpenPGP keys with Yubikeys. In fact, GnuPG is able to switch between the Yubikey PIV and OpenPGP applications on-the-fly while keeping their PIN verification states.
I was indeed using version 1.5.0 for testing, but I wish to clarify the purpose of Scute in my setup before proceeding.
• werner committed rGd65a0335e5cb: dirmngr: New server flag "areconly" (A-record-only) (authored by • werner).
dirmngr: New server flag "areconly" (A-record-only)
• werner committed rG6300035ba17b: dirmngr: New server flag "areconly" (A-record-only) (authored by • werner).
dirmngr: New server flag "areconly" (A-record-only)
2l47 added a comment to T6220: gpg --full-generate-key does not use max RSA keysize when --enable-large-rsa is set.
Perhaps --full-generate-key should provide more algorithm choices, then, e.g. ed25519?
• werner closed T6220: gpg --full-generate-key does not use max RSA keysize when --enable-large-rsa is set as Wontfix.
Sorry, this as been discussed ad nausea. We try our best to help people not to use useless and harmful (e.g. performance of the WoT) algorithm choices.
Fix keyinfo listing.
• gniibe committed rS3bf758969ded: Do not launch gpg-agent if no-autostart is active. (authored by • werner).
Do not launch gpg-agent if no-autostart is active.
• gniibe committed rS1a87b2f26ad9: Add option to return leaf certificate only. (authored by gouttegd).
Add option to return leaf certificate only.
• gniibe committed rS819009a5a782: Avoid segv in case of a MISSING_KEY error. (authored by • werner).
Avoid segv in case of a MISSING_KEY error.
• gniibe committed rS9a61a3267f7d: Avoid endless loop due to bogus certificate chains. (authored by • werner).
Avoid endless loop due to bogus certificate chains.
Add configure option only-marked
Tweak for GetSlotList for Firefox.
• gniibe committed rS458eea3371ea: Don't use SCD READCERT, but just use gpgsm. (authored by • gniibe).
Don't use SCD READCERT, but just use gpgsm.
Fix sign/decrypt operation.
Allow SeedRandom.
Fix C_GetSlotInfo.
Fix slot_get_status.
• gniibe committed rS88e3e58fa237: First step for multiple device support, using the keygrip. (authored by • gniibe).
First step for multiple device support, using the keygrip.
• gniibe committed rSf666690b817e: Second step for multiple device support. No monitoring cards. (authored by • gniibe).
Second step for multiple device support. No monitoring cards.
Remove $DISPSERIALNO support.
Fix NR_ATTR_CERT.
• gniibe committed rSfd72f517b923: Allow up to four cards (only use the first slot for now). (authored by • gniibe).
Allow up to four cards (only use the first slot for now).
l10n daemon script <scripty@kde.org> committed rLIBKLEOeec9c7327a6e: SVN_SILENT made messages (.desktop file) - always resolve ours (authored by l10n daemon script <scripty@kde.org>).
SVN_SILENT made messages (.desktop file) - always resolve ours
Sep 27 2022
Sep 27 2022
Which version of Scute are you using?
mlaurent committed rKLEOPATRA579461311cc7: GIT_SILENT: it compiles fine without deprecated methods (authored by mlaurent).
GIT_SILENT: it compiles fine without deprecated methods
vitusb added a comment to T6203: GpgOL (Gpg4Win 3.1.24) / Error in parsing mail-headers (empty mail-body without correct decoded encryption-scheme) when using gpgol.dll 2.5.4 (gpgol.dll 2.5.0 from 3.1.16 works).
I did a build of Gpg4Win 3.1.24 with Andre's provided patch :-)
The specs https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf page 10 says specifically:
Using Scute as a drop-in replacement doesn't currently work. Perhaps my config needs more adjustments than just:
module = /usr/lib/x86_64-linux-gnu/scute/scute.so
jukivili committed rC0cb29a5736cf: tests/hashtest: add hugeblock & disable-hwf options and 6 gig test vectors (authored by jukivili).
tests/hashtest: add hugeblock & disable-hwf options and 6 gig test vectors
jukivili committed rC9c828129b205: keccak: Use size_t to avoid integer overflow (authored by Jakuje).
keccak: Use size_t to avoid integer overflow
I've tested the different hw implementations (amd64, arm64, s390x) and they are all ok.
• gniibe committed rC3c04b692de1e: kdf:pkdf2: Check minimum allowed key size when running in FIPS mode. (authored by tobhe).
kdf:pkdf2: Check minimum allowed key size when running in FIPS mode.
• gniibe committed rC857e6f467d0f: kdf:pkdf2: Require longer input when FIPS mode. (authored by • gniibe).
kdf:pkdf2: Require longer input when FIPS mode.
• gniibe changed the status of T6219: Ensure minimum key length for KDF in FIPS mode from Open to Testing.
Thank you for your report.
Sep 26 2022
Sep 26 2022
Yes, I meant to use Scute as pkcsc11 module for pam_pkcs11. Thanks for explaining more verbosely what I meant.
I think Werner may have confused pam_pkcs11 with gnupg-pkcs11-scd. :)
My poor old laptop - its RAM will now have a hard time to run the huge tests ;-)
The test looks good. I hope I changed the API in all the hw optimized implementations.
• werner committed rGacabbc0078d8: dirmngr: Support gpgMailbox for mode MAILSUB and MAILEND. (authored by • werner).
dirmngr: Support gpgMailbox for mode MAILSUB and MAILEND.
• werner committed rG1b2ac21c4cf7: gpg: Don't consider unknown keys as non-compliant while decrypting. (authored by • werner).
gpg: Don't consider unknown keys as non-compliant while decrypting.
edited last paragraph of support page
aheinecke committed rW1b720351db2a: MSI: Add uids for 3.1.23 and 3.1.24 releases (authored by aheinecke).
MSI: Add uids for 3.1.23 and 3.1.24 releases
cklassen committed rWfe0ea5a9f3f4: fix for boxes on the right side of some pages (authored by cklassen).
fix for boxes on the right side of some pages
wiki link http -> https
I'm not sure what you mean with using Scute as PKCS#11 provider instead of pam_pkcs11, as pam_pkcs11 is not a provider but a user of PKCS#11
BTW, I have also in mind to use an AD entry to figure out the used keyserver. It turned out that people don't like to modify the schema of their AD but instead use a separate LDS.
aheinecke triaged T6216: Kleopatra: invalid S/MIME certificates are offered for encryption as Wishlist priority.
This is because Kleopatra does not differentiate between invalid S/MIME and unverified OpenPGP certificates and we want to be able to encrypt to unverified OpenPGP certificates.
mlaurent committed rLIBKLEOe5aee11a73a0: GIT_SILENT: it compiles fine without deprecated methods (authored by mlaurent).
GIT_SILENT: it compiles fine without deprecated methods
• gniibe committed rG993820c31521: dirmngr: Factor out interrogate_ldap_dn function. (authored by • gniibe).
dirmngr: Factor out interrogate_ldap_dn function.
To proceed, I pushed an initial part as rG993820c31521: dirmngr: Factor out interrogate_ldap_dn function., which doesn't change any behavior.
Then, the point of the change will be clearer.
Remove unused include
• werner triaged T6218: Using Yubikey with GnuPG+scdaemon and PKCS11 over pcscd errors as Normal priority.
There is a reason why pcsc-shared is not the default ;-). Please try using Scute (best the t6002 branch until it has been merged) as pkcs#11 provider instead of pam_pkcs11. And you should of course use the stable version of GnuPG and not the LTS (2.2).
• gniibe added a comment to T6160: pinentry Emacs support assumes socket location at ${TMPDIR}/emacs${UID}, fails to connect (need to respect XDG_RUNTIME_DIR).
pinentry-emacs is obsolete. It's for older Emacs (<= 25, IIUC) which had lisp/pinentry.el.
For Emacs 26 and newer, you can simply use epa-pinentry-mode having the value of loopback.
• gniibe changed the status of T5034: dev: Deprecate libassuan-config, libgcrypt-config, ksba-config, ntbtls-config, npth-config, and gpg-error-config from Open to Testing.
Sep 25 2022
Sep 25 2022
Fix looks good to me. This could be tested with new long running test (tests/hashtest) that would allocate 4GiB+ pattern block for inputting to gcry_md_write.
mlaurent committed rKLEOPATRA8f4c16e13170: filedialog.h is needed when we has QGPGME_SUPPORTS_SECRET_SUBKEY_EXPORT support (authored by mlaurent).
filedialog.h is needed when we has QGPGME_SUPPORTS_SECRET_SUBKEY_EXPORT support
Fix compile
Remove unused includes
l10n daemon script <scripty@kde.org> committed rKLEOPATRAc77ad3f5de7e: SVN_SILENT made messages (.desktop file) - always resolve ours (authored by l10n daemon script <scripty@kde.org>).
SVN_SILENT made messages (.desktop file) - always resolve ours
Sep 23 2022
Sep 23 2022
This still did not seem to help me in making the tests working on Fedora with git master. I am still getting wrong paths to the gpgconf
gpgscm: error running '/root/gnupg/tests/tools/gpgconf': probably not installed
There is a full reproducer and more complete log in https://bugzilla.redhat.com/show_bug.cgi?id=2089075#c11