Page MenuHome GnuPG
Projects gnupg

gnupgProject
ActivePublic
Watch Project

Milestones
View All

Subprojects
View All

Members

  • This project does not have any members.
  • View All

Watchers (2)

Details

Description

Bugs, feature requests, memos, and support related to GnuPG.

Note that the tags gnug24, gnupg26 etc are used to indicate that a certain task is scheduled to be fixed in that version. This tag here is used if there is no concrete version affected or a schedule has not yet been set.

Recent Activity
View All

Fri, May 23

werner closed T7428: Release GnuPG 2.4.8 as Resolved.
Fri, May 23, 11:58 AM · gnupg, Release Info

Mon, May 19

chengr28 added a comment to T7577: GnuPG could not work when TCP congestion provider is set to BBR2 in Windows.

Spent some time discovering and unfortunately it's Windows's bug in loopback interface.
I wrote a test demo (blocking mode) to exchange data and watched their packets, found that network stack would drop packets when congestion control algorithm is set to BBR2. It seems the second data exchange was broken.

Mon, May 19, 3:20 PM · Support, Not A Bug, gnupg, Bug Report

Fri, May 16

dkg added a comment to T5993: gpg should reject compressed packets outside of messages.
In T5993#201111, @werner wrote:

For example Poppler uses GnuPG comment packets to lower its own attack surface by leaving all OpenPGP handling to gpg. The patch (or at least the version we noticed in Fedora and Debian) entirely breaks this use.

Fri, May 16, 4:12 PM · Feature Request, gnupg
werner closed T5993: gpg should reject compressed packets outside of messages as Resolved.
Fri, May 16, 2:46 PM · Feature Request, gnupg
werner added a comment to T5993: gpg should reject compressed packets outside of messages.

(The commits had a wrong bug it in their message)

Fri, May 16, 2:44 PM · Feature Request, gnupg
werner added a comment to T5993: gpg should reject compressed packets outside of messages.

It might be useful to have samples of compressed keys:

Fri, May 16, 2:20 PM · Feature Request, gnupg
werner updated subscribers of T5993: gpg should reject compressed packets outside of messages.

No, we can't do much about this. It has always been easy to create compression bombs and the more relevant thing here is compressed signed or encrypted data. Or just compressed mails. The patch by @DemiMarie is way to complicated for what it wants to achieve and actually breaks existing use cases. For example Poppler uses GnuPG comment packets to lower its own attack surface by leaving all OpenPGP handling to gpg. The patch (or at least the version we noticed in Fedora and Debian) entirely breaks this use.

Fri, May 16, 12:04 PM · Feature Request, gnupg

Wed, May 14

werner added a comment to T7589: Unable to export SSH keys for ED25519 keys generate on a SmartCard.

Using the primary key for ssh was not intended and thus not tested. I have not yet found the time too look closer at your report. Just one remark:

Wed, May 14, 12:32 PM · gnupg, ssh, Bug Report
werner added a project to T7589: Unable to export SSH keys for ED25519 keys generate on a SmartCard: gnupg.
Wed, May 14, 12:07 PM · gnupg, ssh, Bug Report

Tue, May 13

werner closed T7171: Allow for empty Subject in X.509 as Resolved.
Tue, May 13, 3:21 PM · libksba, Bug Report, gnupg, S/MIME
werner closed T6941: gpgsm/dirmngr: support for end-entity certificates with an empty "Subject DN", a subtask of T7171: Allow for empty Subject in X.509, as Resolved.
Tue, May 13, 3:00 PM · libksba, Bug Report, gnupg, S/MIME
werner added a subtask for T7171: Allow for empty Subject in X.509: T6941: gpgsm/dirmngr: support for end-entity certificates with an empty "Subject DN".
Tue, May 13, 2:58 PM · libksba, Bug Report, gnupg, S/MIME

Fri, May 9

werner set External Link to https://lists.gnupg.org/pipermail/gnupg-announce/2025q2/000492.html on T7586: Release GnuPG 2.5.6.
Fri, May 9, 5:02 PM · gnupg, Release Info

Thu, May 8

ikloecker added a comment to T7620: gpgme_get_key fails to detect secret encryption subkey after key generation on card (until context is recreated).
In T7620#200845, @Saturneric wrote:

I think it would be much better if GnuPG automatically performed a key listing immediately after key generation when a smartcard is involved. This would allow GnuPG to detect the presence of the subkey on the card right away, rather than leaving it marked as a stub until the user manually lists keys.

Thu, May 8, 9:14 PM · gnupg, gpgme, Bug Report
Saturneric added a comment to T7620: gpgme_get_key fails to detect secret encryption subkey after key generation on card (until context is recreated).

I see that you generated the secret encryption subkey with backup. This means that the secret subkey is generated on your computer, then copied to the card, and then deleted from your computer. The deletion is the reason why the subkey is marked as stub. Only after listing the keys on the card gpg notices that the secret key is actually on the card.

Thu, May 8, 6:37 PM · gnupg, gpgme, Bug Report
werner updated the task description for T7586: Release GnuPG 2.5.6.
Thu, May 8, 3:43 PM · gnupg, Release Info
werner closed T7632: gnupg test suite fails to build on AIX. as Resolved.
Thu, May 8, 3:32 PM · AIX, gnupg, Bug Report
werner closed T7638: gpg on Solaris does not print a signal description as Resolved.
Thu, May 8, 3:32 PM · Solaris, gnupg, Bug Report
werner closed T7576: keyboxd: Searching <email@Example.COM> as Resolved.
Thu, May 8, 3:31 PM · gnupg, Bug Report
werner closed T7583: 2.5.5 removes sig on clean that 2.5.4 and earlier kept as Resolved.
Thu, May 8, 3:30 PM · gnupg, Bug Report
werner closed T7547: signatures from revoked or expired keys show up as missing keys, a subtask of T7527: Keyring/keybox denial of service, as Resolved.
Thu, May 8, 3:29 PM · OpenPGP, gnupg, Bug Report
werner updated the task description for T7586: Release GnuPG 2.5.6.
Thu, May 8, 3:29 PM · gnupg, Release Info

Wed, May 7

dkg added a comment to T7583: 2.5.5 removes sig on clean that 2.5.4 and earlier kept.

btw, my clue was that in that last --check-sigs, if i used --debug-all i got this:

Wed, May 7, 10:35 PM · gnupg, Bug Report
dkg added a comment to T7583: 2.5.5 removes sig on clean that 2.5.4 and earlier kept.

This affects certification-only primary keys when doing web-of-trust calculations.

Wed, May 7, 9:46 PM · gnupg, Bug Report
collinfunk added a comment to T7638: gpg on Solaris does not print a signal description.

Hi Werner, I submitted a patch right after this bug report using AC_CHECK_DECLS([_sys_siglist]) [1].

Wed, May 7, 3:03 AM · Solaris, gnupg, Bug Report

Tue, May 6

dkg added a comment to T7611: WoT: adding a marginal trustsig reduces the validity of a downstream certificate.

To avoid further noise on this ticket, i've done as requested and posted to gnupg-devel : (https://lists.gnupg.org/pipermail/gnupg-devel/2025-May/035875.html

Tue, May 6, 10:26 PM · Not A Bug, gnupg
ikloecker added a comment to T7620: gpgme_get_key fails to detect secret encryption subkey after key generation on card (until context is recreated).

The first call of get_key receives the following key listing from gpg:

2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: sec:-:256:19:C4A24EB0B5F2E025:1746474606:::u:::s
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: cESCA:::D2760001240100000006180489130000::brainp
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: oolP256r1:23::0:<LF>
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: fpr:::::::::DEC0948C398A6E7B50746EC6C4A24EB0B5F2
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: E025:<LF>
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: grp:::::::::06BDACFBDEDBC5783A75AE5E7251FA3369C4
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: 0FF4:<LF>
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: uid:-::::1746474606::2222D8E2F373B9BDEE0DEA2A20A
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: 9402214E9F984::Eric <eric@bktus.com>::::::::::0:
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: <LF>
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: ssb:-:256:19:EAFC5EA29B758B22:1746474606::::::a:
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: ::D2760001240100000006180489130000::brainpoolP25
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: 6r1:23:<LF>
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: fpr:::::::::1AD596DDEC9B8CF3C1AC6C41EAFC5EA29B75
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: 8B22:<LF>
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: grp:::::::::52F0797C0B0439BBD718E2534D46656A6C45
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: 6A78:<LF>
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: ssb:-:256:18:A874804DB497B91C:1746474606::::::e:
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: ::#::brainpoolP256r1:23:<LF>
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: fpr:::::::::33B273C7BD46E4EB63DD6874A874804DB497
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: B91C:<LF>
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: grp:::::::::34A1F8D9B2AA0CF07C2E042D70E10F9D4EBE
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: E734:<LF>

Note the line

ssb:-:256:18:A874804DB497B91C:1746474606::::::e:::#::brainpoolP256r1:23:<LF>

where the # marks the subkey as stub.

Tue, May 6, 9:21 AM · gnupg, gpgme, Bug Report
werner added a comment to T7638: gpg on Solaris does not print a signal description.

Right now we have

Tue, May 6, 8:32 AM · Solaris, gnupg, Bug Report
collinfunk added a comment to T7638: gpg on Solaris does not print a signal description.

Interesting, that sounds like a portable method. I am not very familiar with GPG internals, but to me that sounds like quite a bit of work. Unless there is another benefit to doing so, I don't think it is worth it just to print signal names.

Tue, May 6, 4:26 AM · Solaris, gnupg, Bug Report

Mon, May 5

Saturneric added a comment to T7620: gpgme_get_key fails to detect secret encryption subkey after key generation on card (until context is recreated).

I have now identified the exact conditions and a reproducible path for the issue I previously reported. I will also attach the relevant gpgme.log.

Mon, May 5, 10:01 PM · gnupg, gpgme, Bug Report
werner added a comment to T7620: gpgme_get_key fails to detect secret encryption subkey after key generation on card (until context is recreated).

I doubt that this is a gpgme problem. With a gpgme log we will be able see the exact commands send to gpg and replicate this on the command line.

Mon, May 5, 5:45 PM · gnupg, gpgme, Bug Report
werner added a comment to T7628: gpg uses "month" as a synonym for 30 days.

And the US administration might even change the definition of a year to, say, 100 months so that potus can rightfully keep his promise that there won't be more election in the foreseeable future ;-)

Mon, May 5, 4:27 PM · gnupg, Bug Report
ikloecker added a comment to T7628: gpg uses "month" as a synonym for 30 days.

By the way, "years" is also "incorrect" once in ~4 years because it uses n*365 days. Werner's advice still applies. Enter an ISO date if you want an exact date. Or use a UI tool like Kleopatra.

Mon, May 5, 3:31 PM · gnupg, Bug Report
werner triaged T7632: gnupg test suite fails to build on AIX. as High priority.
Mon, May 5, 11:12 AM · AIX, gnupg, Bug Report
werner triaged T7638: gpg on Solaris does not print a signal description as Low priority.

The main problem here was that this all is not async-safe and thus I once implemented only the standard cases I could test easily.

Mon, May 5, 11:11 AM · Solaris, gnupg, Bug Report
ikloecker added a comment to T7620: gpgme_get_key fails to detect secret encryption subkey after key generation on card (until context is recreated).

The logs of gpgme would be helpful, i.e. run your test program with GPGME_DEBUG=8:$(pwd)/gpgme-$(date +"%Y-%m-%d-%H%M%S").log to create a log file with gpgme's logs.

Mon, May 5, 11:07 AM · gnupg, gpgme, Bug Report
werner added a comment to T7611: WoT: adding a marginal trustsig reduces the validity of a downstream certificate.

For the records:

Mon, May 5, 9:24 AM · Not A Bug, gnupg
werner added a comment to T7611: WoT: adding a marginal trustsig reduces the validity of a downstream certificate.

A bug tracker shall never be used for discussion because the audience is not as expected. Only very few people follow a certain bug but several hundreds are following discussion on gnupg-devel@. That is basic hacker knowledge.

Mon, May 5, 9:14 AM · Not A Bug, gnupg
werner changed the status of T7583: 2.5.5 removes sig on clean that 2.5.4 and earlier kept from Open to Testing.
Mon, May 5, 9:12 AM · gnupg, Bug Report

Sun, May 4

collinfunk created T7638: gpg on Solaris does not print a signal description.
Sun, May 4, 8:43 PM · Solaris, gnupg, Bug Report
heiko added a comment to T7611: WoT: adding a marginal trustsig reduces the validity of a downstream certificate.

I am surprised that you don't want to use the issue tracker for issues.
GnuPG's trust calculations are quite clearly broken, by any metric. There's nothing to discuss here.

Sun, May 4, 8:13 PM · Not A Bug, gnupg
werner closed T7611: WoT: adding a marginal trustsig reduces the validity of a downstream certificate as Resolved.

Heiko, I told you already in T7106 that it is not a good idea to re-open a ticket. If you really want to discuss stuff, take that to a mailing list.

Sun, May 4, 8:06 PM · Not A Bug, gnupg
heiko reopened T7611: WoT: adding a marginal trustsig reduces the validity of a downstream certificate as "Open".

I see two interesting angles from which to think about this Web of Trust calculation:

Sun, May 4, 1:26 PM · Not A Bug, gnupg

Fri, May 2

werner added a comment to T7583: 2.5.5 removes sig on clean that 2.5.4 and earlier kept.

Yes, this is related to T7547. With my last fix for that I overlooked that we use PUBKEY_USAGE_CERT to internally request the primary key but that one is not set because in general USAGE_SIG means the same (except for some case in PGP7 mode).

Fri, May 2, 11:03 AM · gnupg, Bug Report
werner added a project to T7632: gnupg test suite fails to build on AIX.: AIX.
Fri, May 2, 10:30 AM · AIX, gnupg, Bug Report
werner triaged T7629: gcc 15 warns about -Wunterminated-string-initialization in gnupg as Low priority.
Fri, May 2, 10:26 AM · gnupg, Bug Report
werner closed T7611: WoT: adding a marginal trustsig reduces the validity of a downstream certificate as Resolved.

> I'm not sure i understand why "the latest" should be preferred.

Fri, May 2, 10:26 AM · Not A Bug, gnupg
collinfunk added a project to T7629: gcc 15 warns about -Wunterminated-string-initialization in gnupg: gnupg.
Fri, May 2, 6:50 AM · gnupg, Bug Report
collinfunk added a project to T7632: gnupg test suite fails to build on AIX.: gnupg.
Fri, May 2, 6:49 AM · AIX, gnupg, Bug Report
dkg added a comment to T7611: WoT: adding a marginal trustsig reduces the validity of a downstream certificate.

A bit more experimentation shows the same behavior, even if Alice's tsig of Bill is full, not marginal, and even if all signatures are made in the same second, which is the finest resolution that OpenPGP objects can report.

Fri, May 2, 12:48 AM · Not A Bug, gnupg