User Details
- User Since
- Mar 27 2017, 4:49 PM (398 w, 6 d)
- Availability
- Available
Aug 9 2018
Well, I have already tried to explain the use case: To make using cryptography easier for our users (for most of them the command line is the hell ...) I have integrated GnuPG in our webmailer. The webmailer has a key management page where you can import and export keys (up- and download, import from mail, attach to mail etc.), where you can edit trust settings, and where you can sign other keys and revoke such signatures. The webmailer certainly does not offer all capabilities of GnuPG but certainly a substantial subset.
Aug 8 2018
Oct 20 2017
I am preparing the patch I am using against 2.2.0. What is DCO?
Oct 1 2016
If a apply that fix to an unmodified 2.1.15, my problem is solved:
My test case (importing a PKCS#12 file with pinentry-mode=loopback if the agent
has not been started before) now works. Thank you!
If a apply that fix to an unmodified 2.1.15, my problem is solved. Thank you!
Sep 23 2016
Correction (not "->" but "."): Add this line:
inq_parm.ctx = agent_ctx;
Patch attached. Works for me for 2.1.14.
(Should work for 2.1.15, too, but I cannot test due to T2698.)
Same in current version 2.1.15 (file is identical)
Sep 22 2016
Perhaps the following change between 2.1.14 and 2.1.15 has something to do with the problem: It causes
both no-libgcrypt.o and $(LIBGCRYPT_LIBS) to be linked in.
diff -ru gnupg-2.1.14/dirmngr/Makefile.am gnupg-2.1.15/dirmngr/Makefile.am
- gnupg-2.1.14/dirmngr/Makefile.am 2016-06-16 17:23:13.000000000 +0200
+++ gnupg-2.1.15/dirmngr/Makefile.am 2016-08-18 17:00:16.000000000 +0200
@@ -94,8 +94,8 @@
dirmngr_ldap_CFLAGS = $(GPG_ERROR_CFLAGS) $(LIBGCRYPT_CFLAGS)
dirmngr_ldap_LDFLAGS =
dirmngr_ldap_LDADD = $(libcommon) no-libgcrypt.o \
- $(GPG_ERROR_LIBS) $(LDAPLIBS) $(LBER_LIBS) $(LIBINTL) \
- $(LIBICONV)
+ $(GPG_ERROR_LIBS) $(LIBGCRYPT_LIBS) $(LDAPLIBS) \
+ $(LBER_LIBS) $(LIBINTL) $(LIBICONV)
endif
dirmngr_client_SOURCES = dirmngr-client.c
There is a regression in GnuPG 2.1.15.
After building
npth-1.2 with --prefix=/xxx --enable-static --disable-shared libgpg-error-1.24 with --prefix=/xxx --enable-static --disable-shared libassuan-2.4.3 with --prefix=/xxx --enable-static --disable-shared --with-gpg-error-prefix=/xxx libgcrypt-1.7.3 with --prefix=/xxx --enable-static --disable-shared --with-gpg-error-prefix=/xxx libksba-1.3.5 with --prefix=/xxx --enable-static --disable-shared --with-gpg-error-prefix=/xxx
I can build without any problems:
gnupg-2.1.14 with --prefix=/xxx --with-gpg-error-prefix=/xxx --with-npth-prefix=/xxx --with-libassuan-prefix=/xxx --with-libgcrypt-prefix=/xxx --with-ksba-prefix=/xxx
But I cannot build
gnupg-2.1.15 with the identical options.
Compilation fails with these messages:
Making all in dirmngr
make[2]: Entering directory `/aaa/gnupg-2.1.15/dirmngr'
make all-am
make[3]: Entering directory `/aaa/gnupg-2.1.15/dirmngr'
gcc -I/xxx/include -I/xxx/include -Wall -Wno-pointer-sign -Wpointer-arith -g -O2 -lrt -o dirmngr_ldap dirmngr_ldap-dirmngr_ldap.o ../common/libcommon.a no-libgcrypt.o -L/xxx/lib -lgpg-error -L/xxx/lib -lgcrypt -lgpg-error -L/xxx/lib -lldap -llber
/xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o): In function `gcry_free':
/aaa/libgcrypt-1.7.3/src/visibility.c:1554: multiple definition of `gcry_free'
no-libgcrypt.o:/aaa/gnupg-2.1.15/dirmngr/no-libgcrypt.c:111: first defined here
/usr/bin/ld: Warning: size of symbol `gcry_free' changed from 18 in no-libgcrypt.o to 5 in /xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o)
/xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o): In function `gcry_xstrdup':
/aaa/libgcrypt-1.7.3/src/visibility.c:1548: multiple definition of `gcry_xstrdup'
no-libgcrypt.o:/aaa/gnupg-2.1.15/dirmngr/no-libgcrypt.c:100: first defined here
/usr/bin/ld: Warning: size of symbol `gcry_xstrdup' changed from 75 in no-libgcrypt.o to 5 in /xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o)
/xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o): In function `gcry_xrealloc':
/aaa/libgcrypt-1.7.3/src/visibility.c:1542: multiple definition of `gcry_xrealloc'
no-libgcrypt.o:/aaa/gnupg-2.1.15/dirmngr/no-libgcrypt.c:73: first defined here
/usr/bin/ld: Warning: size of symbol `gcry_xrealloc' changed from 29 in no-libgcrypt.o to 5 in /xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o)
/xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o): In function `gcry_xcalloc':
/aaa/libgcrypt-1.7.3/src/visibility.c:1524: multiple definition of `gcry_xcalloc'
no-libgcrypt.o:/aaa/gnupg-2.1.15/dirmngr/no-libgcrypt.c:90: first defined here
/usr/bin/ld: Warning: size of symbol `gcry_xcalloc' changed from 29 in no-libgcrypt.o to 5 in /xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o)
/xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o): In function `gcry_xmalloc':
/aaa/libgcrypt-1.7.3/src/visibility.c:1518: multiple definition of `gcry_xmalloc'
no-libgcrypt.o:/aaa/gnupg-2.1.15/dirmngr/no-libgcrypt.c:48: first defined here
/usr/bin/ld: Warning: size of symbol `gcry_xmalloc' changed from 29 in no-libgcrypt.o to 5 in /xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o)
/xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o): In function `gcry_strdup':
/aaa/libgcrypt-1.7.3/src/visibility.c:1512: multiple definition of `gcry_strdup'
no-libgcrypt.o:/aaa/gnupg-2.1.15/dirmngr/no-libgcrypt.c:57: first defined here
/usr/bin/ld: Warning: size of symbol `gcry_strdup' changed from 68 in no-libgcrypt.o to 5 in /xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o)
/xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o): In function `gcry_realloc':
/aaa/libgcrypt-1.7.3/src/visibility.c:1506: multiple definition of `gcry_realloc'
no-libgcrypt.o:/aaa/gnupg-2.1.15/dirmngr/no-libgcrypt.c:68: first defined here
/xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o): In function `gcry_malloc_secure':
/aaa/libgcrypt-1.7.3/src/visibility.c:1494: multiple definition of `gcry_malloc_secure'
no-libgcrypt.o:/aaa/gnupg-2.1.15/dirmngr/no-libgcrypt.c:43: first defined here
/xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o): In function `gcry_calloc':
/aaa/libgcrypt-1.7.3/src/visibility.c:1488: multiple definition of `gcry_calloc'
no-libgcrypt.o:/aaa/gnupg-2.1.15/dirmngr/no-libgcrypt.c:85: first defined here
/xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o): In function `gcry_malloc':
/aaa/libgcrypt-1.7.3/src/visibility.c:1482: multiple definition of `gcry_malloc'
no-libgcrypt.o:/aaa/gnupg-2.1.15/dirmngr/no-libgcrypt.c:37: first defined here
/xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o): In function `gcry_set_log_handler':
/aaa/libgcrypt-1.7.3/src/visibility.c:1470: multiple definition of `gcry_set_log_handler'
no-libgcrypt.o:/aaa/gnupg-2.1.15/dirmngr/no-libgcrypt.c:144: first defined here
/usr/bin/ld: Warning: size of symbol `gcry_set_log_handler' changed from 2 in no-libgcrypt.o to 5 in /xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o)
/xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o): In function `gcry_set_fatalerror_handler':
/aaa/libgcrypt-1.7.3/src/visibility.c:1464: multiple definition of `gcry_set_fatalerror_handler'
no-libgcrypt.o:/aaa/gnupg-2.1.15/dirmngr/no-libgcrypt.c:137: first defined here
/usr/bin/ld: Warning: size of symbol `gcry_set_fatalerror_handler' changed from 2 in no-libgcrypt.o to 5 in /xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o)
/xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o): In function `gcry_set_outofcore_handler':
/aaa/libgcrypt-1.7.3/src/visibility.c:1458: multiple definition of `gcry_set_outofcore_handler'
no-libgcrypt.o:/aaa/gnupg-2.1.15/dirmngr/no-libgcrypt.c:130: first defined here
/usr/bin/ld: Warning: size of symbol `gcry_set_outofcore_handler' changed from 2 in no-libgcrypt.o to 5 in /xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o)
/xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o): In function `gcry_create_nonce':
/aaa/libgcrypt-1.7.3/src/visibility.c:1351: multiple definition of `gcry_create_nonce'
no-libgcrypt.o:/aaa/gnupg-2.1.15/dirmngr/no-libgcrypt.c:149: first defined here
/usr/bin/ld: Warning: size of symbol `gcry_create_nonce' changed from 16 in no-libgcrypt.o to 90 in /xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o)
/xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o): In function `gcry_cipher_algo_name':
/aaa/libgcrypt-1.7.3/src/visibility.c:800: multiple definition of `gcry_cipher_algo_name'
no-libgcrypt.o:/aaa/gnupg-2.1.15/dirmngr/no-libgcrypt.c:162: first defined here
/usr/bin/ld: Warning: size of symbol `gcry_cipher_algo_name' changed from 6 in no-libgcrypt.o to 5 in /xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o)
/xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o): In function `gcry_control':
/aaa/libgcrypt-1.7.3/src/visibility.c:74: multiple definition of `gcry_control'
no-libgcrypt.o:/aaa/gnupg-2.1.15/dirmngr/no-libgcrypt.c:123: first defined here
/usr/bin/ld: Warning: size of symbol `gcry_control' changed from 3 in no-libgcrypt.o to 163 in /xxx/lib/libgcrypt.a(libgcrypt_la-visibility.o)
collect2: ld gab 1 als Ende-Status zurück
make[3]: * [dirmngr_ldap] Fehler 1
make[3]: Leaving directory `/aaa/gnupg-2.1.15/dirmngr'
make[2]: * [all] Fehler 2
make[2]: Leaving directory `/aaa/gnupg-2.1.15/dirmngr'
make[1]: * [all-recursive] Fehler 1
make[1]: Leaving directory `/aaa/gnupg-2.1.15'
make: * [all] Fehler 2
Most probably /aaa/gnupg-2.1.15/dirmngr/no-libgcrypt.c is being used where it shouldn't.
Do you need further information?
Thank you
Aug 1 2016
Jul 31 2016
With T1590 irrelevant, issues 1862, 1970, and 2336 resolved (very special
thanks to everyone who helped in fixing them!), this is the only problem left in
version 2.1.14 that forces me to use a patched version of gpgsm for my webmailer.
My patch from 2014-04-30 works, but by mistake ("if (cmp < 0)" in place of "if
(cmp > 0)" it selects not the newest but the oldest one of the ambiguous
certificates what is bad in the DFN PKI because an older one of the certificates
is revoked, so I attach a new patch against 2.1.14.
Sorry for not providing further infos, I did not find the time before now.
I just tested with version 1.7.2; there the problem has disappeared.
I guess this change mentioned in the change log is the relevant one:
+2016-07-01 Jussi Kivilinna <jussi.kivilinna@iki.fi>
+
+ Fix static build.
+ * tests/pubkey.c (_gcry_pk_util_get_nbits): Make function 'static'.
Thank you very much, the case can be closed.
Apr 25 2016
May 7 2015
Background information:
With GnuPG 2.1, my webmailer does no longer work.
In principle, I use the following procedure e. g. for signing an e-mail:
- My GnuPG 2.0 is compiled with the option
--with-pinentry-pgm=/path/to/pinentrywrapper
- The user enters text and passphrase into the HTML form.
- I encrypt the passphrase with symmetric cryptography
- I set the environment variable PINENTRY_USER_DATA to the encrypted password
(see also T799)
- I set the environment variable GPG_TTY to "PINENTRY/pinentry-permail"
- I also set the environment variables HOME and GNUPGHOME.
- I launch /path/to/gpg-agent --daemon --sh --no-allow-mark-trusted
- I parse the output GPG_AGENT_INFO=/path/to/socket:process_number:version_number
- Then I sign, encrypt, decrypt, verify or whatever the user wants by
- putting GPG_AGENT_INFO and all other needed variables into the environment
- starting /path/to/gpgsm with all needed options for the respective transaction
- Then gpgsm contacts the just started gpg-agent which calls my
/path/to/pinentrywrapper which detects the "magic" GPG_TTY setting and does not
try to start a dialog on the (non-existent) terminal or desktop, but simply
responds with the decrypted content of PINENTRY_USER_DATA whenever a passphrase
input is requested.
- Finally I kill the gpg-agent using the process_number extracted above.
This procedure does no longer work with GnuPG 2.1 because I cannot start a new
agent for every transaction: gpg-agent of 2.1 uses the default socket, not a new
one, and does not write its process_number into GPG_AGENT_INFO, and, most
important, gpgsm disregards GPG_AGENT_INFO so that I cannot tell gpgsm which
running gpg-agent to contact. (There can be multiple transactions at the same
time; I trust in gpg-agent to properly lock files where necessary.)
As long as there is no way of passing the entered passphrase from my webmailer
to gpg-agent in any other way than by writing it into the environment when
starting gpg-agent and using a special pinentry that reads this environment, I
have to start a new gpg-agent for every transaction because different
transactions may need different passphrases.
That, of course, is only an ugly, ugly circumvention of a limitation of gpgsm.
gpg2 knows options --pinentry-mode loopback --passphrase-fd file_number, and
gpg-agent offers all support for using these options. Only gpgsm does not
support it.
If gpgsm would also offer these options, the whole hack with a magic GPG_TTY,
with the encrypted PINENTRY_USER_DATA, with using a pinentry wrapper, and with
using special options when compiling GnuPG 2.0 would be completely unnecessary.
So please please please copy the code that implements --pinentry-mode loopback
--passphrase-fd file_number from gpg2 to gpgsm.
Thank you very much!
May 6 2015
Apr 30 2015
I propose to implement a partly solution as a start: Add a 4th parameter
"allow_ambiguous" to gpgsm_find_cert() in "sm/certlist.c".
When called from "sm/gpgsm.c" or "sm/server.c" or anywhere else, set this
parameter to 0. Then gpgsm_find_cert() will behave like before.
When called by inq_certificate() in "sm/call-dirmngr.c", set this parameter to
- Then gpgsm_find_cert() will not bail out an ambiguous certificates, but
return the newest one of the matching certificates (according to
validity.notBefore).
(I am not sure what to pass when called by run_command_inq_cb() in
"sm/call-dirmngr.c" because I did not yet understand in which situation this
callback is used.)
As far as I can see, this change never hurts, but it helps when there are
multiple certificates for intermediate CAs with identical subject and identical
key by allowing to use "gpgsm" without "--disable-crl-checs --disable-dirmngr".
See attached patch.
(A complete solution probably requires call-dirmngr to return all matching
certificates and dirmngr to try each of the returned certificates in a loop.)
Apr 28 2015
Great. Thanks for your work!
(With these fixes, I am now able to test whether T1644 is solved in 2.1.2,
unfortunately it is not.)
Apr 27 2015
The error "Ambiguous Name" is generated in "sm/certlist.c" in gpgsm_find_cert().
Arguments to this function are:
name:
"/1.2.840.113549.1.9.1=#636140756E692D6D75656E737465722E6465,CN=Zertifizierungsstelle
Universitaet Muenster - G02,O=Universitaet Muenster,C=DE"
keyid: NULL
Caller is the function inq_certificate() in "sm/call-dirmngr.c".
Argument to this function is:
line: "SENDCERT
/1.2.840.113549.1.9.1=#636140756E692D6D75656E737465722E6465,CN=Zertifizierungsstelle
Universitaet Muenster - G02,O=Universitaet Muenster,C=DE"
This is caused in function gpgsm_dirmngr_isvalid() in "sm/call-dirmngr.c" by
calling assuan_transact() with
line: "ISVALID A52EFAEFBC86EF98C5E9AA92B3ECEC4101080F0A.1700BFBB98F74B"
When looking up the CRL, GnuPG assumes that there is only one certificate with
the Distinguished Name of the Certification Authority.
But that is not true: Distinguished Names distinguish identities, not
certificates. The same identity can hold multiple certificates at the same time.
So GnuPG must be fixed to allow multiple valid certificates with the same
Distinguished Name.
Wenn looking up a CRL, GnuPG may use any of these certificates.
My proposal: Perhaps you could implement and use a dirmngr function "SENDANYCERT"?
With 2.1.2, the bug still exists:
[/home/permail/RHEL5/devel/gpgfamily/bin/gpgsm] [--no-greeting] [--yes]
[--auto-issuer-key-retrieve] [--batch] [--no-tty] [--homedir]
[/home/p/perske/.perMail/gnupghome] [--base64] [--detach] [--local-user]
[&7CF2C58D823C0ED461ED6B1FD13F9E96B6F7C436] [--status-fd] [8] [--output]
[/index/permail/RHEL5/devel/sso/work/pgp.fe5316b600000e8a.out] [--sign]
[/index/permail/RHEL5/devel/sso/work/pgp.fe5316b600000e8a.dat]
(using a self-written pinentry replacement)
Output is now reduced, but basically unchanged:
gpgsm: Note: non-critical certificate policy not allowed
gpgsm: certificate not found: Ambiguous name
gpgsm: certificate
#1700BFBB98F74B/1.2.840.113549.1.9.1=#636140756E692D6D75656E737465722E6465,CN=Zertifizierungsstelle
Universitaet Muenster - G02,O=Universitaet Muenster,C=DE
gpgsm: checking the CRL failed: Not found
gpgsm: can't sign using '&7CF2C58D823C0ED461ED6B1FD13F9E96B6F7C436': Not found
Currently used versions:
gnupg-1.4.18.tar.bz2
gnupg-2.1.2.tar.bz2 (build process patched according to T1862)
libassuan-2.2.0.tar.bz2
libgcrypt-1.6.2.tar.bz2
libgpg-error-1.18.tar.bz2
libksba-1.3.2.tar.bz2
npth-1.1.tar.bz2
pinentry-0.9.0.tar.bz2
(my own) pinentry.c
Apr 25 2015
That's it! Setting
+ export LDFLAGS=-lrt
and then running the build process as described in my original report and in
msg6216, compilation is successful.
Thank you very, very much!
Apr 24 2015
A big step forward :-)
With the command sequence
+ [... for building prerequisites see original bug report ...]
+ tar jvxf ../gnupg-2.1.2.tar.bz2
+ cd gnupg-2.1.2
+ /bin/cp -i common/Makefile.am common/Makefile.am.orig </dev/null || true
+ /bin/cp -i common/Makefile.in common/Makefile.in.orig </dev/null || true
+ s1='s|^t_jnlib_src = t-support\.c t-support\.h$|t_jnlib_src = t-support.h|'
+ s2='s|^amobjects_18 = t-support\.\$(OBJEXT)$|amobjects_18 =|'
+ /bin/sed "$s1" <common/Makefile.am.orig >common/Makefile.am
+ /bin/sed "$s1;$s2" <common/Makefile.in.orig >common/Makefile.in
+ ./configure --prefix=/PREFIX --with-gpg-error-prefix=/PREFIX
--with-npth-prefix=/PREFIX --with-libassuan-prefix=/PREFIX
--with-libgcrypt-prefix=/PREFIX --with-ksba-prefix=/PREFIX
--with-pinentry-pgm=/PREFIX/bin/pinentrywrapper
+ make
the build process fails later:
[...]
make[2]: Leaving directory `/root/devel/rpgpg/work/gnupg-2.1.2/sm'
Making all in agent
make[2]: Entering directory `/root/devel/rpgpg/work/gnupg-2.1.2/agent'
[...]
gcc -I/PREFIX/include -I/PREFIX/include -I/PREFIX/include -I/PREFIX/include -g
-O2 -Wall -Wno-pointer-sign -Wpointer-arith -o gpg-agent gpg_agent-gpg-agent.o
gpg_agent-command.o gpg_agent-command-ssh.o gpg_agent-call-pinentry.o
gpg_agent-cache.o gpg_agent-trans.o gpg_agent-findkey.o gpg_agent-pksign.o
gpg_agent-pkdecrypt.o gpg_agent-genkey.o gpg_agent-protect.o
gpg_agent-trustlist.o gpg_agent-divert-scd.o gpg_agent-cvt-openpgp.o
gpg_agent-call-scd.o gpg_agent-learncard.o ../common/libcommonpth.a
-L/PREFIX/lib -lgcrypt -lgpg-error -lassuan -L/PREFIX/lib -lgpg-error
-L/PREFIX/lib -lnpth -lpthread -L/PREFIX/lib -lgpg-error
/PREFIX/lib/libnpth.a(npth.o): In function `npth_clock_gettime':
/root/devel/rpgpg/work/npth-1.1/src/npth.c:699: undefined reference to
`clock_gettime'
collect2: ld returned 1 exit status
make[2]: * [gpg-agent] Error 1
make[2]: Leaving directory `/root/devel/rpgpg/work/gnupg-2.1.2/agent'
make[1]: * [all-recursive] Error 1
make[1]: Leaving directory `/root/devel/rpgpg/work/gnupg-2.1.2'
make: *** [all] Error 2
Shall we keep in this issue or open a new one?
Apr 23 2015
See the description of my build steps in my original report: After
+ tar jvxf ../gnupg-2.1.2.tar.bz2
+ cd gnupg-2.1.2
I manually changed both common/Makefile.am and common/Makefile.in and then
continued with
+ ./configure --prefix=/PREFIX --with-gpg-error-prefix=/PREFIX
--with-npth-prefix=/PREFIX --with-libassuan-prefix=/PREFIX
--with-libgcrypt-prefix=/PREFIX --with-ksba-prefix=/PREFIX
--with-pinentry-pgm=/PREFIX/bin/pinentrywrapper
+ make
no change: I had already tried installing from scratch working in an empty
directory.
Apr 22 2015
Thank you, but I regret, the patch does not change anything.
(I have made the corresponding change in common/Makefile.in, too,
with same result.)
Mar 4 2015
Platform: Red Hat Enterprise Linux 5.11
ldconfig: I did not (assuming that make install does it if necessary)
Running "sudo ldconfig" after each "sudo make install" does not help.
Mar 3 2015
I really want to try, but I cannot compile 2.1.2 due to T1862.
Compiling with latest npth instead of latest pth does not change anything.
Without patch = segfault, with patch = works.
Jul 1 2014
Sorry, the fix does not remove the bug:
[/home/permail/RHEL5/devel/gpgfamily/bin/gpgsm] [--no-greeting] [--yes]
[--auto-issuer-key-retrieve] [--batch] [--no-tty] [--homedir]
[/home/p/perske/.perMail/gnupghome] [--base64] [--detach] [--local-user]
[&7CF2C58D823C0ED461ED6B1FD13F9E96B6F7C436] [--status-fd] [8] [--output]
[/index/permail/RHEL5/devel/sso/work/pgp.89542620000040ef.out] [--sign]
[/index/permail/RHEL5/devel/sso/work/pgp.89542620000040ef.dat]
(using a self-written pinentry replacement)
gpgsm: note: non-critical certificate policy not allowed
dirmngr[25485.0]: permanently loaded certificates: 0
dirmngr[25485.0]: runtime cached certificates: 0
dirmngr[25485.0]: no CRL available for issuer id
A52EFAEFBC86EF98C5E9AA92B3ECEC4101080F0A
gpgsm: certificate not found: Ambiguous name
dirmngr[25485.0]: assuan_inquire(SENDCERT) failed: IPC call has been cancelled
dirmngr[25485.0]: error fetching certificate by subject: No data
dirmngr[25485.0]: crl_parse_insert failed: Missing certificate
dirmngr[25485.0]: crl_cache_insert via DP failed: Missing certificate
dirmngr[25485.0]: command ISVALID failed: Missing certificate
gpgsm: certificate
#1700BFBB98F74B/1.2.840.113549.1.9.1=#636140756E692D6D75656E737465722E6465,CN=Zertifizierungsstelle
Universitaet Muenster - G02,O=Universitaet Muenster,C=DE
gpgsm: checking the CRL failed: Not found
gpgsm: can't sign using `&7CF2C58D823C0ED461ED6B1FD13F9E96B6F7C436': Not found
Currently used versions:
dirmngr-1.1.1.tar.bz2
dirmngr-1.1.1-pth-fix.patch
gnupg-1.4.17.tar.bz2
gnupg-2.0.24.tar.bz2
libassuan-2.1.1.tar.bz2
libgcrypt-1.6.1.tar.bz2
libgpg-error-1.13.tar.bz2
libksba-1.3.0.tar.bz2
pinentry-0.8.3.tar.bz2
pth-2.0.7.tar.gz
(my own) pinentry.c
The assuan_inquire(SENDCERT) above requests a certificate by distinguished name,
not by authority key identifier (see T1644 (perske on May 23 2014, 07:05 PM / Roundup)), thus it does not matter that the
certificates re-issued by the DFN-PKI kept their authority key identifiers; the
problem is triggered by (correctly) keeping the Distinguished Name.
(I did not yet analyze your bugfix.)
May 23 2014
Deeper analysis showed that not the keygrip but the DN is misinterpreted as
unique identifyer for a certificate when used in the SENDCERT inquire by
dirmngr. So I correct the title again.
The distinguished name distinguishes human beings or network end points but
neither certificates nor key pairs. For valid reasons, there can be multiple
certificates with the same DN and these certificates may contain the same or
different public keys. The GnuPG suite has to learn to handle this situation.
Using gpgsm with the options --disable-dirmngr --disable-crl-checks made our
webmailer work again, but places all users at inacceptable higher risk. So I
keep the priority setting "critical".
May 22 2014
Jan 24 2014
Looks good, compiling with libgcrypt-1.6.0 and creating a signed S/MIME e-mail
with gpgsm works.
Dec 24 2013
Dec 19 2013
To also fix Issue1449, enhance my correction this way:
rc = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3); if (rc) { log_error (_("setting LDAPv3 for `%s:%d' failed: %s\n"), host, port, ldap_err2string (rc)); /* FIXME: Need deinit (ld)? */ return -1; } rc = ldap_simple_bind_s (ld, opt.user, opt.pass); if (rc) { log_error (_("binding to `%s:%d' failed: %s\n"), host, port, ldap_err2string (rc)); /* FIXME: Need deinit (ld)? */ return -1; }
And add translations for the new error message.
Thank you
Nov 26 2009
Why "make it fail"; why not "make it run"?
I guess (did not test) that the bug can be fixed by replacing
#if @NEED__FILE_OFFSET_BITS@
with
#if @NEED__FILE_OFFSET_BITS@ - 0
or by making configure always setting a nonempty value;
depending on your preferred style of programming.
Nov 19 2009
Oct 13 2008
Background info: My e-mail program is currently calling gpg via fork() and
exec() and is thus very GnuPG version dependent. It does not create such
messages, but can display them. Trying to get rid of the version dependency,
I've tried to switch to GPGME and stumbled about a test message I've received
years ago. Unfortunately the header lines do not mention what mail program was
used for sending.
Oct 9 2008
Mar 19 2008
Nov 18 2007
-----BEGIN PGP SIGNED MESSAGE-----
May 21 2007
-----BEGIN PGP SIGNED MESSAGE-----
May 16 2007
-----BEGIN PGP SIGNED MESSAGE-----