Apr 23 2020
Aug 28 2018
This was actually reported against 2.0.31 which reached EOL 8 months ago.
Apr 6 2018
Sorry, the patch above is completely wrong, since pk->pubkey_usage is not the right key to check.
If someone claims this is a kind of vulnerability, I think that what we need to fix is signature checking side:
Speaking about this, similar patch would be required to gpg1.4.
The bug is specific to 2.2, which may select available key on card. When such a selection, checking the PK->REQ_USAGE was missed.
Apr 5 2018
Shouldn't this also be applied to STABLE-BRANCH-1-4?
Apr 3 2018
I think that I located the bug and fixed. I wonder why Werner put gpg20 tag.
Apr 2 2018
Mar 20 2018
Oct 22 2017
Same issue exists in 2.2:
Oct 20 2017
A backport to 2.0 does not make anymore sense given EOF in 2 months.
No info received, similar to another fixed bug, and for 2.0 which will soon reach EOL.
2.0 will reach EOL soon and we have received no response. Thus closing. If the problem persists with 2.2 (e.g. from gpg4win 3.0) please re-open this bug.
Won't be fixed for 1.4.
@perske, may I ask you to send a DCO and an possible updated patch against 2.2 to gnupg-devel@ ? I would like to add it to 2.2.2. Sorry for the delays.
Aug 9 2017
Aug 3 2017
This looks suspiciously like T1547: gnupg >= 2.0.21 won't build on OSX 10.8.5 with XCode5.
Jul 17 2017
gpgtools will have to update.
I just verified that this is indeed fixed.
Jul 13 2017
I tried to find evidence that such a change ever landed in 2.0. I now believe the mistake is in the NEWS file. As 2.0 is nearing EOL, we won't backport this.
gnupg uses LC_ALL, LC_MESSAGES, LANG and the system default determined with GetThreadLocale() on Windows. Can you please check if you have set any of these environment variables?
Landed in 67cd81ed90ad88cbe607b7f7d1a0b1e08b8ac1f1.
Jul 6 2017
The sqlite backend was a little experiement that I did and it will not be merged.
Jul 5 2017
As the @neal branch has not been updated anymore, I wonder what the status of this report is. Do we have a canonical test case and a performance goal, or anything else that let's us evaluate this? @werner ?
Jul 3 2017
No I don't recall any such problems, sorry.
Jul 2 2017
For information, this issue was also discussed on both gnupg-user and gnupg-devel back in january 2017. I mention it here for reference.
Jul 1 2017
Jun 27 2017
Jun 23 2017
Any updates / thoughts on how this might be fixed?
Libgcrypt 1.6 reaches EOL in 7 days, so we won't fix it.
Jun 21 2017
Jun 17 2017
What is your operating system?
Apr 25 2017
Apr 4 2017
Apr 3 2017
Mar 30 2017
Mar 22 2017
The problem is, that some projects liek gpgtools for MacOS are reluctantly sticking to
So, I'd love to have this patch committed in order to ease the transition phase from
2.0 to 2.1 for them.
Feb 5 2017
This was included in 2.0.30, but somehow was missing from the 2.1.x branch.
I've included it in master as of 8a9d4b55b09d04482b46055f0a60f01b86738df3