dirmngr Project (Active, Public)

Members: none.
Watchers: none.

Recent Activity

Fri, May 29

gniibe added a commit to T4934: Returning automatic variable buffer from a function : rGab724d3206c8: dirmngr: dns: Fix allocation of string buffer in stack..
Fri, May 29, 4:22 AM · dirmngr, Testing, Bug Report

Thu, May 21

gniibe changed the status of T4934: Returning automatic variable buffer from a function from Open to Testing.

Fixed in master and applied to 2.2 branch too.

Thu, May 21, 7:39 AM · dirmngr, Testing, Bug Report

Apr 16 2020

werner added a commit to T4898: auto import CA certs with authInfo.caIssuers: rGaec7d136e4bd: sm: Always allow authorityInfoAccess lookup if CRLs are also enabled..
Apr 16 2020, 7:08 PM · dirmngr, S/MIME, gnupg (gpg23)
werner added a commit to T4898: auto import CA certs with authInfo.caIssuers: rGbbb7edb8807b: sm: Always allow authorityInfoAccess lookup if CRLs are also enabled..
Apr 16 2020, 7:07 PM · dirmngr, S/MIME, gnupg (gpg23)
werner added a commit to T4898: auto import CA certs with authInfo.caIssuers: rGd57209553da7: sm: Lookup missing issuers first using authorityInfoAccess..
Apr 16 2020, 6:07 PM · dirmngr, S/MIME, gnupg (gpg23)
werner added a commit to T4898: auto import CA certs with authInfo.caIssuers: rGf5efbd5a1169: sm: Lookup missing issuers first using authorityInfoAccess..
Apr 16 2020, 6:05 PM · dirmngr, S/MIME, gnupg (gpg23)
werner closed T4898: auto import CA certs with authInfo.caIssuers as Resolved.

We do this now always if --auto-issuer-key-retrieve is set. Also backported to 2.2

Apr 16 2020, 6:02 PM · dirmngr, S/MIME, gnupg (gpg23)

Apr 15 2020

werner added a commit to T4538: Support PSS signed CRLs: rG24d563749f50: sm: Support rsaPSS verification also for CMS signatures..
Apr 15 2020, 3:48 PM · dirmngr, S/MIME, libksba
werner added a commit to T4538: Support PSS signed CRLs: rGddc74f50d423: sm,dirmngr: Restrict allowed parameters used with rsaPSS..
Apr 15 2020, 3:48 PM · dirmngr, S/MIME, libksba
werner added a commit to T4538: Support PSS signed CRLs: rG0626cc8fed34: sm,dirmngr: Support rsaPSS signature verification..
Apr 15 2020, 3:48 PM · dirmngr, S/MIME, libksba
werner added a commit to T4538: Support PSS signed CRLs: rG8bf17eb94d0d: dirmngr: Support rsaPSS also in the general validate module..
Apr 15 2020, 3:48 PM · dirmngr, S/MIME, libksba
werner added a commit to T4538: Support PSS signed CRLs: rGc0d5c673542b: sm,dirmngr: Restrict allowed parameters used with rsaPSS..
Apr 15 2020, 11:11 AM · dirmngr, S/MIME, libksba

Apr 14 2020

werner added a commit to T4538: Support PSS signed CRLs: rKe6e9858970ed: Support rsaPSS also for CRLs..
Apr 14 2020, 4:53 PM · dirmngr, S/MIME, libksba
werner added a commit to T4538: Support PSS signed CRLs: rK17a09f41fc4b: Allow for Null hash algo parameters on rsaPSS and add pss flag..
Apr 14 2020, 4:53 PM · dirmngr, S/MIME, libksba
werner closed T4538: Support PSS signed CRLs as Resolved.

Data (i.e. CMS) signatures do now also work.

Apr 14 2020, 4:26 PM · dirmngr, S/MIME, libksba
werner added a commit to T4538: Support PSS signed CRLs: rG6c28d9343ea6: sm: Support rsaPSS verification also for CMS signatures..
Apr 14 2020, 3:51 PM · dirmngr, S/MIME, libksba
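The T4538 commits above restrict which rsaPSS parameters are accepted and allow a NULL parameter on the hash AlgorithmIdentifier. The following is an added example, illustrative Python with a minimal DER codec, not libksba or gpgsm code: it parses an RSASSA-PSS-params structure (RFC 4055 / RFC 8017 A.2.3), applies the DER DEFAULTs when elements are omitted, and then applies a conservative parameter policy. The policy (modern hash only, MGF1 over the same hash, salt no longer than the hash, trailerField 1) is an assumption for the example and is not claimed to be identical to the checks in the commits. The test vectors are constructed by the block itself.

```python
"""Parse RSASSA-PSS-params and apply a restrictive parameter policy (example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

OID_SHA1 = "1.3.14.3.2.26"
OID_SHA256 = "2.16.840.1.101.3.4.2.1"
OID_SHA384 = "2.16.840.1.101.3.4.2.2"
OID_SHA512 = "2.16.840.1.101.3.4.2.3"
OID_MGF1 = "1.2.840.113549.1.1.8"
HASH_LEN = {OID_SHA1: 20, OID_SHA256: 32, OID_SHA384: 48, OID_SHA512: 64}
ALLOWED_HASH = {OID_SHA256, OID_SHA384, OID_SHA512}  # assumed policy: no SHA-1
DER_NULL = b"\x05\x00"


# --- minimal DER helpers (single-byte tags, enough for this structure) ---
def _length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high groups carry the 0x80 bit
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, body, position after the element); length-checked."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + ln > len(buf):
        raise ValueError("DER element overruns buffer")
    return tag, buf[pos:pos + ln], pos + ln


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0   # ok for the OIDs used here
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_algid(body: bytes) -> Tuple[str, Optional[bytes]]:
    """AlgorithmIdentifier body -> (oid, raw parameters or None if absent)."""
    tag, oid_body, pos = read_tlv(body)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return decode_oid(oid_body), (body[pos:] if pos < len(body) else None)


@dataclass
class PssParams:                      # field defaults are the DER DEFAULT values
    hash_oid: str = OID_SHA1
    mgf_hash_oid: str = OID_SHA1
    salt_len: int = 20
    trailer: int = 1


def parse_pss_params(der: bytes) -> PssParams:
    tag, seq, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("RSASSA-PSS-params must be a SEQUENCE")
    p, pos = PssParams(), 0
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag == 0xA0:                                   # [0] hashAlgorithm
            _, inner, _ = read_tlv(body)
            p.hash_oid, params = parse_algid(inner)
            if params not in (None, DER_NULL):            # absent and NULL both occur
                raise ValueError("hash parameters must be absent or NULL")
        elif tag == 0xA1:                                 # [1] maskGenAlgorithm
            _, inner, _ = read_tlv(body)
            mgf_oid, params = parse_algid(inner)
            if mgf_oid != OID_MGF1 or params is None:
                raise ValueError("only MGF1 with an explicit hash is supported")
            _, mgf_inner, _ = read_tlv(params)            # params is a HashAlgorithm
            p.mgf_hash_oid, _ = parse_algid(mgf_inner)
        elif tag == 0xA2:                                 # [2] saltLength
            _, inner, _ = read_tlv(body)
            p.salt_len = int.from_bytes(inner, "big", signed=True)
        elif tag == 0xA3:                                 # [3] trailerField
            _, inner, _ = read_tlv(body)
            p.trailer = int.from_bytes(inner, "big", signed=True)
        else:
            raise ValueError(f"unexpected element with tag 0x{tag:02x}")
    return p


def check_pss_policy(p: PssParams) -> Tuple[bool, str]:
    """Assumed policy: allowed hash, MGF1 over the same hash, salt <= hLen, trailer 1."""
    if p.hash_oid not in ALLOWED_HASH:
        return False, f"hash {p.hash_oid} not allowed"
    if p.mgf_hash_oid != p.hash_oid:
        return False, "MGF1 hash differs from message hash"
    if not 0 <= p.salt_len <= HASH_LEN[p.hash_oid]:
        return False, f"saltLength {p.salt_len} out of range"
    if p.trailer != 1:
        return False, f"trailerField {p.trailer} unsupported"
    return True, "ok"


def encode_pss_params(hash_oid, mgf_hash_oid, salt_len, trailer=None, null_hash_params=True) -> bytes:
    """Constructed test vectors (salt_len < 128); trailer=None omits the DEFAULT [3]."""
    hash_aid = tlv(0x30, encode_oid(hash_oid) + (DER_NULL if null_hash_params else b""))
    mgf_aid = tlv(0x30, encode_oid(OID_MGF1) + tlv(0x30, encode_oid(mgf_hash_oid) + DER_NULL))
    body = tlv(0xA0, hash_aid) + tlv(0xA1, mgf_aid) + tlv(0xA2, tlv(0x02, bytes([salt_len])))
    if trailer is not None:
        body += tlv(0xA3, tlv(0x02, bytes([trailer])))
    return tlv(0x30, body)


if __name__ == "__main__":
    for label, der in [("sha256/mgf1-sha256/32", encode_pss_params(OID_SHA256, OID_SHA256, 32)),
                       ("sha256/mgf1-sha1/32", encode_pss_params(OID_SHA256, OID_SHA1, 32)),
                       ("all DEFAULTs (sha1)", b"\x30\x00")]:
        print(label, check_pss_policy(parse_pss_params(der)))
```

Note that an empty SEQUENCE (`30 00`) is a valid encoding meaning "all DEFAULTs", i.e. SHA-1 everywhere with a 20-byte salt; a verifier that treats missing elements as an error instead of applying the DEFAULTs rejects valid certificates, while one that applies them but then skips the policy check quietly accepts SHA-1. The mismatch case (message hash SHA-256, MGF1 over SHA-1) is exactly the kind of parameter combination that a restrictive verifier should refuse rather than attempt.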

Apr 9 2020

Moonchild added a comment to T4249: No connection to Keyserver possible.

I'm honestly surprised this isn't being given any sort of priority.
gnupg for windows is simply broken. Even Kleopatra, its supplied and designated key management application doesn't work re: keyserver communication.

Apr 9 2020, 11:16 PM · gnupg, dirmngr, Bug Report, gpg4win
werner added a comment to T4538: Support PSS signed CRLs.

Okay certificate and CRL checking does now work with rsaPSS. Need to work on data signatures and check the compliance modes.

Apr 9 2020, 1:09 PM · dirmngr, S/MIME, libksba
werner added a commit to T4538: Support PSS signed CRLs: rGba34f1415366: dirmngr: Support rsaPSS also in the general validate module..
Apr 9 2020, 1:07 PM · dirmngr, S/MIME, libksba
werner added a commit to T4538: Support PSS signed CRLs: rGb45ab0ca08f8: sm,dirmngr: Support rsaPSS signature verification..
Apr 9 2020, 12:24 PM · dirmngr, S/MIME, libksba

Apr 8 2020

werner added a commit to T4538: Support PSS signed CRLs: rKf5695be600ab: Add read-only support for rsaPSS..
Apr 8 2020, 8:52 PM · dirmngr, S/MIME, libksba
werner claimed T4538: Support PSS signed CRLs.

I started to work on it so that I can actually use the certificates on my new D-Trust card. This will be a verify-only implementation.

Apr 8 2020, 8:37 PM · dirmngr, S/MIME, libksba

Mar 31 2020

werner triaged T4898: auto import CA certs with authInfo.caIssuers as Normal priority.
Mar 31 2020, 12:04 PM · dirmngr, S/MIME, gnupg (gpg23)
werner created T4898: auto import CA certs with authInfo.caIssuers.
Mar 31 2020, 12:04 PM · dirmngr, S/MIME, gnupg (gpg23)

Mar 9 2020

Moonchild added a comment to T4249: No connection to Keyserver possible.

I'm using enigmail 1.9.9 because I'm on a mail client that doesn't use WebExtensions, so it's using gnupg for keyserver stuff. In this case that means I've been able to verify it's a gnupg issue (both Kleopatra and enigmail displaying the same issue as CLI).

Mar 9 2020, 9:54 PM · gnupg, dirmngr, Bug Report, gpg4win
dkg added a comment to T4249: No connection to Keyserver possible.

@Moonchild wrote:

using enigmail with the new version

Mar 9 2020, 6:14 PM · gnupg, dirmngr, Bug Report, gpg4win
Moonchild added a comment to T4249: No connection to Keyserver possible.

Just registered to report pretty much the same.
I've been using gpg 2 for a long while and it's been doing just fine, up to the point where people started using keys it didn't recognise that require a later version.

Mar 9 2020, 1:03 PM · gnupg, dirmngr, Bug Report, gpg4win

Mar 5 2020

werner lowered the priority of T4538: Support PSS signed CRLs from Normal to Low.

It is actually questionable whether PSS is a better padding scheme than PKCS#1, see
https://www.metzdowd.com/pipermail/cryptography/2019-November/035449.html . PSS seems indeed to be rarely used; quoting Peter from a followup on his writeup: “If I get time over the weekend, and I can find a CMS message signed with RSA-PSS, I'll create a forgery using xor256.”

Mar 5 2020, 10:27 AM · dirmngr, S/MIME, libksba

Mar 4 2020

aheinecke added a comment to T4538: Support PSS signed CRLs.

To summarize: The DGN CRL uses the RSA-PSS Padding / Signature Scheme. ( https://de.wikipedia.org/wiki/Probabilistic_Signature_Scheme )

Mar 4 2020, 3:17 PM · dirmngr, S/MIME, libksba

Feb 26 2020

aheinecke added a comment to T4513: dirmngr should try the configured keyservers anyway even if they are all dead.

But searching on Keyservers is also in my opinion not a common use case for Kleopatra users.

Thanks for engaging constructively.

Feb 26 2020, 12:03 PM · Feature Request, Keyserver, dirmngr

Feb 21 2020

dkg added a comment to T4513: dirmngr should try the configured keyservers anyway even if they are all dead.

In T4513#132770, @aheinecke wrote:

Werner could you maybe at least check for an internet connection, I don't know how to do it on Linux but on Windows it's easy because windows has API for that.

Feb 21 2020, 6:33 PM · Feature Request, Keyserver, dirmngr

Feb 19 2020

Valodim added a comment to T4513: dirmngr should try the configured keyservers anyway even if they are all dead.

But searching on Keyservers is also in my opinion not a common use case for Kleopatra users.

Feb 19 2020, 6:43 PM · Feature Request, Keyserver, dirmngr
werner added a comment to T4513: dirmngr should try the configured keyservers anyway even if they are all dead.

and by that bypassing all key source tracking as done by gpg. In any case searching by name or mail address on a keyserver should not be done - at least not by a GUI tool as used by non experienced users.

Feb 19 2020, 4:34 PM · Feature Request, Keyserver, dirmngr
patrick added a comment to T4513: dirmngr should try the configured keyservers anyway even if they are all dead.

I agree that this is a tricky problem, but it should really be improved.

Feb 19 2020, 4:05 PM · Feature Request, Keyserver, dirmngr
werner added a comment to T4513: dirmngr should try the configured keyservers anyway even if they are all dead.

The problem is not to check whether there is a connection but on how to decide whether something is a pool or an explicitly added single keyserver and how often should we try to connect or read from it. Without marking hosts as dead the auto search features won't work well.

Feb 19 2020, 1:30 PM · Feature Request, Keyserver, dirmngr
aheinecke added a comment to T4513: dirmngr should try the configured keyservers anyway even if they are all dead.

@Valodim probably not so much as dirmngr might behave differently and not mark hosts as dead.

Feb 19 2020, 1:17 PM · Feature Request, Keyserver, dirmngr
werner added a comment to T4513: dirmngr should try the configured keyservers anyway even if they are all dead.

The proper solution is of course to use pkill instead of killall. SCNR.

Feb 19 2020, 12:43 PM · Feature Request, Keyserver, dirmngr
Valodim updated subscribers of T4513: dirmngr should try the configured keyservers anyway even if they are all dead.

I can attest to the "growing bit of popular lore": Roughly half the support requests I get to support@keys.openpgp.org boil down to an exchange of "it just doesn't work with a 'general error' message" -> "try killall dirmngr" -> "that did it". I have heard similar stories from @patrick from Enigmail users, and more than once heard people applying poweruser trickery like "I just have killall dirmngr in my resume.d".

Feb 19 2020, 11:37 AM · Feature Request, Keyserver, dirmngr
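The T4513 thread above turns on one data structure: dirmngr's host table, in which a host that failed to connect is marked dead and skipped, which is why "killall dirmngr" (or, as werner notes, pkill) has become folk advice after a laptop resumes from suspend. The following is an added example, illustrative Python and not dirmngr's code, of the behaviour the ticket asks for: a dead mark that expires after a TTL, and a lookup that still makes one network attempt when every configured host is dead instead of failing without trying. The TTL value and the "try the host marked dead longest ago" rule are assumptions of the example; the clock is injectable so the expiry logic can be exercised without waiting.

```python
"""Keyserver host table with expiring 'dead' marks (example, not dirmngr code)."""
import time
from dataclasses import dataclass
from typing import Callable, List, Optional

DEAD_TTL = 300.0  # assumed: seconds after which a dead mark is forgotten


@dataclass
class Host:
    name: str
    dead_since: Optional[float] = None   # None means the host is considered alive


@dataclass
class HostTable:
    hosts: List[Host]
    clock: Callable[[], float] = time.time   # injectable for tests
    ttl: float = DEAD_TTL

    def _find(self, name: str) -> Host:
        for h in self.hosts:
            if h.name == name:
                return h
        raise KeyError(name)

    def is_dead(self, h: Host) -> bool:
        """Dead marks expire: after ttl seconds the host becomes eligible again."""
        if h.dead_since is None:
            return False
        if self.clock() - h.dead_since >= self.ttl:
            h.dead_since = None
            return False
        return True

    def mark_dead(self, name: str) -> None:
        # Always refresh the timestamp so repeated failures rotate the
        # "oldest dead" choice among hosts instead of hammering one of them.
        self._find(name).dead_since = self.clock()

    def mark_alive(self, name: str) -> None:
        self._find(name).dead_since = None

    def candidates(self) -> List[Host]:
        """Alive hosts in configured order; if all are dead, still return one."""
        alive = [h for h in self.hosts if not self.is_dead(h)]
        if alive:
            return alive
        # Every host is dead: rather than failing with no network attempt at
        # all, retry the one whose mark is oldest (ties resolve to configured order).
        return [min(self.hosts, key=lambda h: h.dead_since)]

    def lookup(self, connect: Callable[[str], bool]) -> Optional[str]:
        """Try candidates in order; connect(host) returns True on success.
        Returns the host that answered, or None."""
        for h in self.candidates():
            if connect(h.name):
                self.mark_alive(h.name)
                return h.name
            self.mark_dead(h.name)
        return None


if __name__ == "__main__":
    table = HostTable([Host("keys.example.org"), Host("pool.example.net")])  # constructed
    print(table.lookup(lambda host: host == "pool.example.net"))
```

This does not address werner's separate point about pools versus explicitly configured single hosts: a pool entry resolves to many addresses and marking one of them dead is cheap, whereas marking the only configured host dead for a long time is what leaves the user stuck. A real implementation would keep the per-address bookkeeping dirmngr already has and apply the expiry to both.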

Nov 26 2019

werner triaged T4758: gnupg-2.2.18/dirmngr/ldap-parse-uri.c:57:27: style: Same expression on both sides of '||'. as Normal priority.

The LDAP code is actually in very bad shape because @neal added it without utilizing the ldap wrapper and thus a timeout won't work reliably.

Nov 26 2019, 11:17 AM · LDAP, dirmngr, Bug Report

Nov 25 2019

werner closed T4165: Dirmngr: Ipv6 causes network failure if Ipv6 can't be reached as Resolved.

Unusable v6 interfaces are now detected on Windows and then not used.

Nov 25 2019, 10:17 PM · Keyserver, Feature Request, dirmngr
werner closed T4594: dirmngr appears to unilaterally import system CAs as Resolved.
Nov 25 2019, 10:16 PM · Bug Report, dirmngr, gnupg (gpg22)

Nov 23 2019

werner closed T4547: improve error message ("Not enabled") when using Tor network and standard resolver as Resolved.

The manual states that --standard-resolver is mostly for debugging. The reason you get a "not enabled" is that we can't allow direct DNS queries in Tor mode which would happen with the system (standard) DNS resolver.

Nov 23 2019, 8:32 PM · dirmngr, gnupg (gpg22), Bug Report
werner added a commit to T4547: improve error message ("Not enabled") when using Tor network and standard resolver: rGdd373d4a2758: doc,dirmngr: Clarify --standard-resolver..
Nov 23 2019, 8:30 PM · dirmngr, gnupg (gpg22), Bug Report

Nov 11 2019

werner edited projects for T4447: Fix addition of new GPG keys to LDAP, added: gnupg (gpg23); removed gnupg.
Nov 11 2019, 6:33 PM · gnupg (gpg23), patch, LDAP, dirmngr, Bug Report
werner added a comment to T4447: Fix addition of new GPG keys to LDAP.

See also D475.

Nov 11 2019, 6:30 PM · gnupg (gpg23), patch, LDAP, dirmngr, Bug Report

Oct 25 2019

werner triaged T4729: WKD via http_proxy does not work if DNS is broken/unavailable as Normal priority.
Oct 25 2019, 11:01 AM · dns, gnupg (gpg23), dirmngr
werner triaged T4728: GnuPG fails to connect to 127.0.0.1 when many domains are specified in /etc/hosts as Normal priority.
Oct 25 2019, 11:00 AM · gnupg (gpg23), dns, dirmngr
mgorny added a comment to T4444: dirmngr fails with keyservers specified by IP without rDNS; reported as dead host or uses wrong Host header.

Ping.

Oct 25 2019, 10:54 AM · Keyserver, dns, dirmngr, Bug Report

Oct 24 2019

dkg added a comment to T4513: dirmngr should try the configured keyservers anyway even if they are all dead.

There is a growing bit of popular lore in the GnuPG community that "when keyserver operations fail, you solve that problem with killall dirmngr." I believe this suggestion is potentially damaging (the long-running daemon may be in the middle of operations for a client that you don't know about), but i suspect it is circulating as advice because it resolves the situation outlined in this ticket. For whatever ephemeral reason, dirmngr gets stuck, and fails to notice that this situation has resolved itself.

Oct 24 2019, 5:39 PM · Feature Request, Keyserver, dirmngr

Oct 17 2019

Valodim added a comment to T4593: dirmngr should not apply Kristian's CA when fetching from a keyserver that is not `hkps.pool.sks-keyservers.net`.

GnuPG ships a non-PKI certificate, specifically to authenticate hkps.pool.sks-keyservers.net. Now due to an implementation detail, this has been shown to potentially lead to authentication of other domains by this certificate, if a maintainer changes the default keyserver via the DIRMNGR_DEFAULT_KEYSERVER variable in configure.ac. Now arguably, this variable isn't exposed via ./configure, so it's not "officially" configurable - but evidently maintainers do want to change it. A trivial one-line patch was supplied to change the unintended and potentially security-problematic behavior into the (I believe) obviously intended one.

Oct 17 2019, 12:23 PM · gnupg (gpg22), Bug Report, dirmngr