werner (Werner Koch) Administrator
Engineering

User Details

User Since
Mar 27 2017, 4:48 PM (120 w, 3 d)
Roles
Administrator
Availability
Available

Recent Activity

Yesterday

werner committed rGe07584b52307: doc: Fix a debug hint on the keybox format. (authored by werner).
doc: Fix a debug hint on the keybox format.
Thu, Jul 18, 2:12 PM
werner committed rG824ca6f042dc: kbx: Allow "gpgsm --faked-system-time" to kick off a compression run. (authored by werner).
kbx: Allow "gpgsm --faked-system-time" to kick off a compression run.
Thu, Jul 18, 2:00 PM
werner edited projects for T4631: Difficulties to generate key on OpenPGP Smart Card V3.3, added: scd, OpenPGP; removed Info Needed.

Are you using pcscd (is that process running) or the internal driver? Please try the latter if you are not already using it.

Thu, Jul 18, 11:15 AM · OpenPGP, scd, Bug Report
werner triaged T4633: gpg argument "--passphrase=" yields 'missing argument for option "--passphrase="' as High priority.
Thu, Jul 18, 11:13 AM · gnupg (gpg22), Bug Report
werner triaged T4634: "gpg --quiet --quick-gen-key" is not quiet: emits "key $FPR marked as ultimately trusted" to stderr. as Wishlist priority.
Thu, Jul 18, 11:11 AM · gnupg (gpg22), Bug Report
werner triaged T4640: Outdated text and links at <http://git.gnupg.org/> as Normal priority.
Thu, Jul 18, 11:10 AM · gpgweb, Bug Report
werner edited projects for T4640: Outdated text and links at <http://git.gnupg.org/>, added: gpgweb; removed Trash, Documentation.
Thu, Jul 18, 11:10 AM · gpgweb, Bug Report
werner added a comment to T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned.

The code has comments why we do a first clean_key on the imported keyblock.

Thu, Jul 18, 11:07 AM · Keyserver, gnupg (gpg22), Bug Report
werner added a comment to rA98d7c7ea3f37: build: Use {CFLAGS,CPPFLAGS,LDFLAGS}_FOR_BUILD for helper programs..

I wonder why the flags can't go into CC_FOR_BUILD.

Thu, Jul 18, 10:59 AM

Wed, Jul 17

werner added a comment to T4619: Unable to decrypt symmetric-key encrypted data.

The problem here is that trial decryption may cost a lot of time because of the passphrase KDF function which, on purpose, takes long. There is one exception: A simple S2K (algo 0) takes no time and its use makes sense iff the passphrase has been created directly as a random string. However, I do not see the use cases for a set of many passphrases compared to just using public key crypto.

Wed, Jul 17, 12:19 PM · gnupg (gpg22), Bug Report
werner closed T4632: Make it easier to cross-compile gpg-error as Wontfix.

In fact this specific scheme of indirect access to pthread objects is there to minimize dependencies of libgpg-error. It makes cross-compiling a bit harder but that is anyway the case because you need to check a lot of things for a new platform.

Wed, Jul 17, 12:12 PM · gpgrt, Feature Request
werner triaged T4630: libgcrypt: POWER GHASH Vector Acceleration as Low priority.
Wed, Jul 17, 12:07 PM · Feature Request, libgcrypt
werner added a comment to T4630: libgcrypt: POWER GHASH Vector Acceleration.

Please STOP adding such bug reports or feature requests. They are not helpful and such discussions are better done at the mailing list. In case you want to spend money to speed up things you may contact gnupg.com for a quote.

Wed, Jul 17, 12:07 PM · Feature Request, libgcrypt
werner triaged T4635: ship gpgscm and necessary *.scm files from gpgrt as Low priority.

It is on my private todo list but thanks for opening a public issue for tracking.

Wed, Jul 17, 12:02 PM · Tests, gpgrt, Feature Request

Tue, Jul 16

werner triaged T4529: libgcrypt: POWER AES Vector Acceleration as Normal priority.

Please do not change the priority back. That is a maintainer's task. I consider this along with adding replicas of issues to be a bit rude.

Tue, Jul 16, 8:33 AM · libgcrypt, Feature Request
werner triaged T4530: libgcrypt: POWER SHA-2 Vector Acceleration as Normal priority.

Please do not change the priority back without discussing this with the maintainer first. Thanks.

Tue, Jul 16, 8:31 AM · libgcrypt, Feature Request
werner triaged T4627: "gpg --verbose --list-secret-keys" prints a lot of warning messages unrelated to secret keys as Low priority.
Tue, Jul 16, 8:29 AM · gnupg (gpg22), Bug Report
werner closed T4629: POWER AES Vector Acceleration as Spite.
Tue, Jul 16, 8:27 AM · libgcrypt, Feature Request
werner triaged T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned as Normal priority.
Tue, Jul 16, 8:25 AM · Keyserver, gnupg (gpg22), Bug Report
werner added a comment to T4628: new import-clean default for keys from keyservers modifies the local keyring when anything is returned.

You are partly right. I missed that we also do clean the original keyblock while updating a key. The code is

Tue, Jul 16, 8:17 AM · Keyserver, gnupg (gpg22), Bug Report
werner added a comment to T4594: dirmngr appears to unilaterally import system CAs.

I see. I am also mostly testing with ntbtls so I was wondering about the report. Thanks for reporting and fixing.

Tue, Jul 16, 8:04 AM · Bug Report, dirmngr, gnupg (gpg22)

Mon, Jul 15

werner added a comment to T4615: gpg.exe very slow.

You need to delete the flooded keys to make things go faster.

Mon, Jul 15, 4:07 PM · Bug Report, gpg4win
werner committed rC1c2cecbb35e1: sexp: Improve argument checking of sexp parser. (authored by werner).
sexp: Improve argument checking of sexp parser.
Mon, Jul 15, 9:52 AM
werner added a comment to E510: Weekly Standup.

Last week:

  • Office work
  • GnuPG 2.2.17 release
Mon, Jul 15, 8:38 AM
werner is attending E510: Weekly Standup.
Mon, Jul 15, 8:37 AM
werner triaged T4617: Odd behavior for HTTP(S) scheme in --keyserver config as Low priority.
Mon, Jul 15, 8:16 AM · Documentation, Keyserver, dirmngr
werner updated subscribers of T4620: no support for multiple (yubikey) smartcards plugged in at the same time.

The card framework received a lot of changes in master but we won't backport it to 2.2. Sorry.

Mon, Jul 15, 8:14 AM · Bug Report
werner triaged T4623: pkg-config for mingw needs to emit -lws2_32 as Low priority.
Mon, Jul 15, 8:10 AM · Windows, gpgrt, Bug Report
werner triaged T4624: libassuan-config and libassuan.pc both put -lws2_32 before -lgpg-error, which fails during static linking as Low priority.
Mon, Jul 15, 8:09 AM · Windows, libassuan, Bug Report
werner committed rD21258d2561d3: drafts,openpgp-webkey-service: Typo fix (authored by werner).
drafts,openpgp-webkey-service: Typo fix
Mon, Jul 15, 7:35 AM

Fri, Jul 12

werner added a comment to T4592: gpg takes > 30s to list the keys from a 17MiB `pubring.gpg` that contains a single certificate.

A linked list of 100000 items is not a usable data structure. The problem however is not the linked list but the DoS due to the number of signatures being well beyond the design limit. 1000 key signatures is already a large number and only few people have them. We need to put a limit on them.

Fri, Jul 12, 6:40 PM · gnupg (gpg23), Bug Report
werner committed rGfb1c8978f57b: scd: Remove useless GNUPG_SCD_MAIN_HEADER macro. (authored by werner).
scd: Remove useless GNUPG_SCD_MAIN_HEADER macro.
Fri, Jul 12, 1:41 PM
werner added a comment to T4573: Files encrypted on another platform using password based encryption (-c) intermittently fail to decrypt on Kleopatra.

@gniibe: We move this issue over to mail. I'll forward it to you.

Fri, Jul 12, 8:28 AM · gnupg (gpg22), Bug Report
werner added a comment to T4592: gpg takes > 30s to list the keys from a 17MiB `pubring.gpg` that contains a single certificate.

Okay, for 100000 signatures this is clearly a win if no key lookup is needed.

Fri, Jul 12, 8:27 AM · gnupg (gpg23), Bug Report

Wed, Jul 10

werner added a comment to T4541: C implementation of AES is vulnerable to side-channel attacks.

Check out the mailing list gcrypt-devel@

Wed, Jul 10, 7:23 PM · side-channel, libgcrypt, Bug Report
werner triaged T4618: DANE OpenPGP certificate retrieval does not verify DNSSEC signatures as Normal priority.

Sure it is not validated. Standard clients do not provide the system features to do that. That is one of the problems with DNSSEC adoption - it works only for servers in practice.

Wed, Jul 10, 7:17 PM · dns, dirmngr
werner updated subscribers of T4592: gpg takes > 30s to list the keys from a 17MiB `pubring.gpg` that contains a single certificate.

@gniibe: I doubt that your fix really makes a difference. The majority of time is spent on searching the keyring for keys. This is why I have the gpgk thing in the works.

Wed, Jul 10, 8:50 AM · gnupg (gpg23), Bug Report

Tue, Jul 9

werner committed rD8682e3571b01: swdb: Release gnupg 2.2.17 (authored by werner).
swdb: Release gnupg 2.2.17
Tue, Jul 9, 7:20 PM
werner committed rD6a6ff3270c5e: web: Announce 2.2.17 (authored by werner).
web: Announce 2.2.17
Tue, Jul 9, 7:20 PM
werner closed T4606: Release GnuPG 2.2.17 as Resolved.

Release done.

Tue, Jul 9, 5:21 PM · Release Info, gnupg (gpg22)
werner committed rG2671c4dda3db: Post release updates (authored by werner).
Post release updates
Tue, Jul 9, 4:57 PM
werner committed rGe58dd1e7364c: po: Auto update (authored by werner).
po: Auto update
Tue, Jul 9, 4:57 PM
werner committed rGad0c61972a41: po: Update Russian translation. (authored by Ineiev <ineiev@gnu.org>).
po: Update Russian translation.
Tue, Jul 9, 4:57 PM
werner committed rG591523ec94b6: Release 2.2.17 (authored by werner).
Release 2.2.17
Tue, Jul 9, 4:57 PM
werner committed rG4f8149b94620: po: Update Czech translation (authored by petr_p).
po: Update Czech translation
Tue, Jul 9, 4:57 PM
werner committed rGbec3a6ee2e50: po: Update Polish translation (authored by werner).
po: Update Polish translation
Tue, Jul 9, 4:57 PM
werner committed rG05abc36a12b1: po: Update German translation (authored by werner).
po: Update German translation
Tue, Jul 9, 4:57 PM
werner closed T4577: extended-key-format test of openpgp/decrypt-unwrap-verify.scm fails on sparc64 and x32 as Resolved.
Tue, Jul 9, 3:22 PM · gpgagent, gnupg, Bug Report
werner set External Link to https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html on T4606: Release GnuPG 2.2.17.
Tue, Jul 9, 3:21 PM · Release Info, gnupg (gpg22)
werner added a comment to T4606: Release GnuPG 2.2.17.

I did this already on July 3 with commit 458973f502b9a43ecf29e804a2c0c86e78f5927a

Tue, Jul 9, 1:27 PM · Release Info, gnupg (gpg22)
werner added a comment to T4615: gpg.exe very slow.

You probably have one of the spammed keys in your keyring. This is a problem with the keyserver networks. Do not use --auto-key-retrieve and avoid using the keyservers until we provide a mitigation with the next gpg4win/gnupg release. See also T4591

Tue, Jul 9, 12:25 PM · Bug Report, gpg4win
werner committed rGb6effaf4669b: gpg: Fix regression in option "self-sigs-only". (authored by werner).
gpg: Fix regression in option "self-sigs-only".
Tue, Jul 9, 11:26 AM
werner committed rG3c2cf5ea9520: gpg: Do not try the import fallback if the options are already used. (authored by werner).
gpg: Do not try the import fallback if the options are already used.
Tue, Jul 9, 11:26 AM
werner committed rGa29156d5a650: gpg: Do not try the import fallback if the options are already used. (authored by werner).
gpg: Do not try the import fallback if the options are already used.
Tue, Jul 9, 11:15 AM
werner committed rGeec150eca78a: gpg: Fix regression in option "self-sigs-only". (authored by werner).
gpg: Fix regression in option "self-sigs-only".
Tue, Jul 9, 11:15 AM

Mon, Jul 8

werner added a comment to T4276: Context.decrypt() throws an error if *any* signature is bad.

Using several python versions?

Mon, Jul 8, 9:53 AM · gpgme, Python, Bug Report
werner added a comment to rG39c40e572c56: scd: Fix keygrip search..

Sorry for that

Mon, Jul 8, 9:51 AM
werner added a comment to E507: Weekly Standup.

Last week:

  • Changes to mitigate the SKS server DoS
  • RC for 2.2.17
Mon, Jul 8, 9:47 AM

Fri, Jul 5

werner added a comment to T3464: successful decryption with session key reports failure if public key is unknown.

Because this is a GPGME bug.

Fri, Jul 5, 6:36 PM · gpgme, Bug Report
werner added a comment to T4607: enable `import-clean` by default.

That is a limit for the web key service to publish a certificate. IIRC, Debian developers do not use this but Debian creates the WKD from a database.

Fri, Jul 5, 6:34 PM · Feature Request
werner committed rG40ea9dbdc29b: Prepare NEWS for the next release (authored by werner).
Prepare NEWS for the next release
Fri, Jul 5, 3:45 PM
werner added a comment to T4158: UIF (User Interaction Flag) DO support.

I think we should not backport this to 2.2 - okay?

Fri, Jul 5, 11:14 AM · Feature Request, scd, gnupg
werner removed a project from T3464: successful decryption with session key reports failure if public key is unknown: gnupg (gpg22).
Fri, Jul 5, 11:12 AM · gpgme, Bug Report
werner edited projects for T4601: gpg --quiet --quick-sign-key is not quiet, added: gnupg (gpg23); removed gnupg (gpg22).
Fri, Jul 5, 11:08 AM · gnupg (gpg23), Bug Report
werner added a comment to T4601: gpg --quiet --quick-sign-key is not quiet.

Quite tricky to get right; needs some rework.

Fri, Jul 5, 11:08 AM · gnupg (gpg23), Bug Report
werner closed T4595: GPG: auto-key-retrieve should prefer WKD over Keyserver as Resolved.

Done for master and 2.2.

Fri, Jul 5, 10:49 AM · gnupg (gpg22), wkd
werner closed T4595: GPG: auto-key-retrieve should prefer WKD over Keyserver, a subtask of T4606: Release GnuPG 2.2.17, as Resolved.
Fri, Jul 5, 10:49 AM · Release Info, gnupg (gpg22)
werner committed rG3242837d203a: gpg: With --auto-key-retrieve prefer WKD over keyservers. (authored by werner).
gpg: With --auto-key-retrieve prefer WKD over keyservers.
Fri, Jul 5, 10:44 AM
werner committed rG6396f8d115f2: wkd: Change client/server limit back to 64 KiB (authored by werner).
wkd: Change client/server limit back to 64 KiB
Fri, Jul 5, 10:44 AM
werner added a commit to T4595: GPG: auto-key-retrieve should prefer WKD over Keyserver: rG3242837d203a: gpg: With --auto-key-retrieve prefer WKD over keyservers..
Fri, Jul 5, 10:44 AM · gnupg (gpg22), wkd
werner committed rG96bf8f477805: gpg: With --auto-key-retrieve prefer WKD over keyservers. (authored by werner).
gpg: With --auto-key-retrieve prefer WKD over keyservers.
Fri, Jul 5, 10:33 AM
werner added a commit to T4595: GPG: auto-key-retrieve should prefer WKD over Keyserver: rG96bf8f477805: gpg: With --auto-key-retrieve prefer WKD over keyservers..
Fri, Jul 5, 10:33 AM · gnupg (gpg22), wkd
werner committed rGb0e8724b1025: wkd: Change client/server limit back to 64 KiB (authored by werner).
wkd: Change client/server limit back to 64 KiB
Fri, Jul 5, 10:33 AM
werner lowered the priority of T4393: GnuPG should always accept key updates even if the update does not contain UIDs from Normal to Low.
Fri, Jul 5, 8:02 AM · gnupg (gpg23), Feature Request
werner added a comment to T4393: GnuPG should always accept key updates even if the update does not contain UIDs.

Not sending the user id packet is just a bad idea because that user id exists and from my understanding they are sending the self-signatures anyway. They should not try to argue with the GDPR here, that is privacy theater. The key itself is personal data and due to technical reasons this data is required. What they can do is to accept only user ids which carry only a mail address and no comments or name. posteo.de for example has required this for years and the WKD draft has a feature to support this.

Fri, Jul 5, 7:58 AM · gnupg (gpg23), Feature Request
werner added a comment to T4607: enable `import-clean` by default.

You are right. I again mixed this up with gpg-wks-client. Over there we have a limit implemented using --max-output to avoid compression based attacks.

Fri, Jul 5, 7:51 AM · Feature Request
werner triaged T4613: document implementation guidance for WKD clients in draft-koch-openpgp-webkey-service as Normal priority.
Fri, Jul 5, 7:32 AM · Documentation, wkd

Thu, Jul 4

werner edited projects for T4512: gpg's --keyserver option should be more robustly deprecated, added: gnupg (gpg23); removed gnupg (gpg22), dirmngr.

Given the recent problems with the keyservers, I expect that the keyserver feature will go away anyway and thus I do not think we will put any more effort into this. Thus I re-tag this as gpg 2.3.

Thu, Jul 4, 5:15 PM · gnupg (gpg23), Documentation, Keyserver, Bug Report
werner added a comment to T4566: dirmngr fails with HTTP 302 redirection to hkps.

And of course, thanks for your fix.

Thu, Jul 4, 5:05 PM · gnupg (gpg22), dirmngr, Bug Report
werner closed T4566: dirmngr fails with HTTP 302 redirection to hkps as Resolved.

Applied to both branches. I have run no tests myself, though.

Thu, Jul 4, 5:04 PM · gnupg (gpg22), dirmngr, Bug Report
werner committed rG064aeb14c9b8: dirmngr: fix handling of HTTPS redirections during HKP (authored by dkg).
dirmngr: fix handling of HTTPS redirections during HKP
Thu, Jul 4, 5:02 PM
werner committed rGefb6e08ea2ca: dirmngr: fix handling of HTTPS redirections during HKP (authored by dkg).
dirmngr: fix handling of HTTPS redirections during HKP
Thu, Jul 4, 4:33 PM
werner closed T4603: dirmngr WKD redirection changes paths as Resolved.

Fix will be in 2.2.17

Thu, Jul 4, 4:26 PM · gnupg (gpg22), wkd, dirmngr, Bug Report
werner closed T4603: dirmngr WKD redirection changes paths, a subtask of T4606: Release GnuPG 2.2.17, as Resolved.
Thu, Jul 4, 4:26 PM · Release Info, gnupg (gpg22)
werner closed T4591: gpg drops flooded certificates entirely if the certficate is too large, and gpg is using `pubring.kbx` as Resolved.

Fix will be in 2.2.17.
See T4612 for the revocation case.

Thu, Jul 4, 4:25 PM · Bug Report, gnupg (gpg22)
werner closed T4591: gpg drops flooded certificates entirely if the certficate is too large, and gpg is using `pubring.kbx`, a subtask of T4606: Release GnuPG 2.2.17, as Resolved.
Thu, Jul 4, 4:25 PM · Release Info, gnupg (gpg22)
werner created T4612: Add spare space to the keybox to always allow the import of revocations..
Thu, Jul 4, 4:23 PM · Bug Report, gnupg (gpg22)
werner closed T4604: gpg 2.2 fails to download keys from a keyserver as Wontfix.

Re 1.: I don't view this as a bug. gpg prints stats on what has been done and clearly it has processed a key. If it would have imported the key you would see another stat line telling about this. There was however a bug in the stats output which has been fixed.

Thu, Jul 4, 4:14 PM · Bug Report
werner triaged T4605: automatically upgrade from `pubring.gpg` to `pubring.kbx` as Normal priority.
Thu, Jul 4, 4:01 PM · gnupg (gpg22), Feature Request
werner closed T4607: enable `import-clean` by default as Resolved.
Thu, Jul 4, 4:00 PM · Feature Request
werner closed T4607: enable `import-clean` by default, a subtask of T4606: Release GnuPG 2.2.17, as Resolved.
Thu, Jul 4, 4:00 PM · Release Info, gnupg (gpg22)
werner committed rG2b7151b0a57f: gpg: Add "self-sigs-only" and "import-clean" to the keyserver options. (authored by werner).
gpg: Add "self-sigs-only" and "import-clean" to the keyserver options.
Thu, Jul 4, 3:59 PM
werner added a commit to T4607: enable `import-clean` by default: rG2b7151b0a57f: gpg: Add "self-sigs-only" and "import-clean" to the keyserver options..
Thu, Jul 4, 3:59 PM · Feature Request
werner added a parent task for T4607: enable `import-clean` by default: T4606: Release GnuPG 2.2.17.
Thu, Jul 4, 3:47 PM · Feature Request
werner added a subtask for T4606: Release GnuPG 2.2.17: T4607: enable `import-clean` by default.
Thu, Jul 4, 3:47 PM · Release Info, gnupg (gpg22)
werner committed rG23c978640812: gpg: Add "self-sigs-only" and "import-clean" to the keyserver options. (authored by werner).
gpg: Add "self-sigs-only" and "import-clean" to the keyserver options.
Thu, Jul 4, 3:45 PM
werner added a commit to T4607: enable `import-clean` by default: rG23c978640812: gpg: Add "self-sigs-only" and "import-clean" to the keyserver options..
Thu, Jul 4, 3:45 PM · Feature Request
werner lowered the priority of T4599: remap `--search` to `--locate-keys` (with warning) from High to Normal.
Thu, Jul 4, 3:23 PM · gnupg (gpg23), dirmngr
werner committed rG4cbd058a3da9: gpg: Avoid printing false AKL error message. (authored by werner).
gpg: Avoid printing false AKL error message.
Thu, Jul 4, 3:22 PM
werner committed rG46f3283b345e: gpg: New command --locate-external-key. (authored by werner).
gpg: New command --locate-external-key.
Thu, Jul 4, 3:22 PM