From beebe at math.utah.edu Wed Feb 1 00:28:26 2006
From: beebe at math.utah.edu (Nelson H. F. Beebe)
Date: Wed Feb 1 02:09:51 2006
Subject: GnuPG in the news
Message-ID:

The latest issue of the Linux Journal magazine, March 2006, carries an
article on pp. 52--56 about GnuPG:

    GnuPG Hacks
    Tony Stieber
    http://www.linuxjournal.com/article/8732

-- 
Nelson H. F. Beebe, University of Utah, Department of Mathematics, 110 LCB,
155 S 1400 E RM 233, Salt Lake City, UT 84112-0090, USA
Tel: +1 801 581 5254   FAX: +1 801 581 4148
E-mail: beebe@math.utah.edu, beebe@acm.org, beebe@computer.org
URL: http://www.math.utah.edu/~beebe/

From benjamin at pythagoras.no-ip.org Thu Feb 2 01:00:54 2006
From: benjamin at pythagoras.no-ip.org (Benjamin Donnachie)
Date: Thu Feb 2 03:18:11 2006
Subject: Fix for smartcards with gpg 1.4.2 under Mac OS X
Message-ID: <43E14BB6.7000009@pythagoras.no-ip.org>

A quick and dirty fix to get gnupg v1.4.2 to work with Mac OS X's built in
smartcard support with a USB reader...

Edit g10/g10.c in the gnupg source directory and change:

    #ifdef ENABLE_CARD_SUPPORT
    # ifdef _WIN32
      opt.pcsc_driver = "winscard.dll";
    #else
      opt.pcsc_driver = "libpcsclite.so";
    #endif
    #endif /*ENABLE_CARD_SUPPORT*/

to:

    #ifdef ENABLE_CARD_SUPPORT
    # ifdef _WIN32
      opt.pcsc_driver = "winscard.dll";
    #else
      opt.pcsc_driver = "/System/Library/Frameworks/PCSC.framework/PCSC";
      // opt.pcsc_driver = "libpcsclite.so";
    #endif
    #endif /*ENABLE_CARD_SUPPORT*/

Make sure that pcscd is running and smartcard support should work!

Remember, smartcard readers should now be installed in
/usr/libexec/SmartCardServices/drivers/ - see
http://developer.apple.com/qa/qa2004/qa1359.html

This isn't a very elegant solution, but it works...
Ben

From JPClizbe at comcast.net Thu Feb 2 06:07:50 2006
From: JPClizbe at comcast.net (John Clizbe)
Date: Thu Feb 2 06:18:57 2006
Subject: Fix for smartcards with gpg 1.4.2 under Mac OS X
In-Reply-To: <43E14BB6.7000009@pythagoras.no-ip.org>
References: <43E14BB6.7000009@pythagoras.no-ip.org>
Message-ID: <43E193A6.2040204@comcast.net>

Benjamin Donnachie wrote:
>
> A quick and dirty fix to get gnupg v1.4.2 to work with Mac OS X's built
> in smartcard support with a USB reader...
>
> Edit g10/g10.c in the gnupg source directory and change:
> to:
>
> #ifdef ENABLE_CARD_SUPPORT
> # ifdef _WIN32
>   opt.pcsc_driver = "winscard.dll";
> #else
>   opt.pcsc_driver = "/System/Library/Frameworks/PCSC.framework/PCSC";
>   // opt.pcsc_driver = "libpcsclite.so";
> #endif
> #endif /*ENABLE_CARD_SUPPORT*/
>
> Make sure that pcscd is running and smartcard support should work!
>
> Remember, smartcard readers should now be installed in
> /usr/libexec/SmartCardServices/drivers/ - see
> http://developer.apple.com/qa/qa2004/qa1359.html
>
> This isn't a very elegant solution, but it works...

not very portable either.
Here's the fix that's in 1.4.3-cvs:

    #ifdef ENABLE_CARD_SUPPORT
    #if defined(_WIN32) || defined(__CYGWIN__)
      opt.pcsc_driver = "winscard.dll";
    #elif defined(__APPLE__)
      opt.pcsc_driver = "/System/Library/Frameworks/PCSC.framework/PCSC";
    #else
      opt.pcsc_driver = "libpcsclite.so";
    #endif
    #endif /*ENABLE_CARD_SUPPORT*/

-- 
John P. Clizbe                      Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."
"Just how do the residents of Haiku, Hawai'i hold conversations?"

From wk at gnupg.org Thu Feb 2 09:17:03 2006
From: wk at gnupg.org (Werner Koch)
Date: Thu Feb 2 09:21:54 2006
Subject: Fix for smartcards with gpg 1.4.2 under Mac OS X
In-Reply-To: <43E193A6.2040204@comcast.net> (John Clizbe's message of "Wed, 01 Feb 2006 23:07:50 -0600")
References: <43E14BB6.7000009@pythagoras.no-ip.org> <43E193A6.2040204@comcast.net>
Message-ID: <87acdatbsw.fsf@wheatstone.g10code.de>

On Wed, 01 Feb 2006 23:07:50 -0600, John Clizbe said:

>   opt.pcsc_driver = "/System/Library/Frameworks/PCSC.framework/PCSC";

Or just put

    pcsc-driver /System/Library/Frameworks/PCSC.framework/PCSC

into your gpg.conf.
Salam-Shalom,

Werner

From benjamin at pythagoras.no-ip.org Thu Feb 2 10:56:32 2006
From: benjamin at pythagoras.no-ip.org (Benjamin Donnachie)
Date: Thu Feb 2 10:56:33 2006
Subject: Fix for smartcards with gpg 1.4.2 under Mac OS X
In-Reply-To: <43E193A6.2040204@comcast.net>
References: <43E14BB6.7000009@pythagoras.no-ip.org> <43E193A6.2040204@comcast.net>
Message-ID: <43E1D750.7030709@pythagoras.no-ip.org>

John Clizbe wrote:
>> A quick and dirty fix to get gnupg v1.4.2 to work with Mac OS X's built
>> in smartcard support with a USB reader...
>> This isn't a very elegant solution, but it works...
> not very portable either.

True, but at the time I just wanted to get it working.

> Here's the fix that's in 1.4.3-cvs:

Definitely much neater! :)

Ben

From benjamin at pythagoras.no-ip.org Thu Feb 2 11:01:45 2006
From: benjamin at pythagoras.no-ip.org (Benjamin Donnachie)
Date: Thu Feb 2 11:01:39 2006
Subject: Fix for smartcards with gpg 1.4.2 under Mac OS X
In-Reply-To: <87acdatbsw.fsf@wheatstone.g10code.de>
References:
<43E14BB6.7000009@pythagoras.no-ip.org> <43E193A6.2040204@comcast.net> <87acdatbsw.fsf@wheatstone.g10code.de>
Message-ID: <43E1D889.1080007@pythagoras.no-ip.org>

Werner Koch wrote:
> Or just put
>     pcsc-driver /System/Library/Frameworks/PCSC.framework/PCSC
> into your gpg.conf.

D'oh! Yup - that's definitely much easier... After spending quite some time
debugging egroupware, I just jumped straight in at the code level - I didn't
even consider that there might be a config option!

The main thing for me is that it works now! :)

Take care,

Ben

From richard at vdberg.org Wed Feb 1 16:49:10 2006
From: richard at vdberg.org (Richard van den Berg)
Date: Thu Feb 2 15:18:08 2006
Subject: Cygwin gnupg does not strip windows style paths
Message-ID: <43E0D876.10007@vdberg.org>

I am using gnupg 1.4.1 under cygwin (I know there is a 1.4.2, but I could
not find a cygwin package for it) together with Enigmail 0.94 as a
Thunderbird plugin. This is on a Windows XP machine.
When Enigmail is set to encrypt each attachment separately, the full file
path is set as filename in the literal data packet:

    gpg --list-packets attachment.pgp
    [snip]
    :literal data packet:
            mode b (62), created 1138796155, name="C:\Documents and Settings\john doe\My Documents\some document.pdf",
            raw data: 155724 bytes

As a result, other software (like PGP) will use this name as the filename
for the new file to be created. This results in

    C__Documents and Settings_john doe_My Documents_some document.pdf

Additionally, the path name is unwanted information leakage.

I think the root cause is that when gnupg is compiled under cygwin, it is
considered to be a Unix variant. When enigmail then calls gpg with a
Windows style path, the backslash does not get recognized as a directory
separator.

I've switched over to using gnupg for native Windows, and the problem went
away.

Sincerely,

Richard van den Berg

From will at cs.wisc.edu Thu Feb 2 19:58:24 2006
From: will at cs.wisc.edu (Will McDonald)
Date: Thu Feb 2 21:18:16 2006
Subject: Function to test passphrase
Message-ID: <20060202185824.GT27232@cs.wisc.edu>

Hello,

I'd like to write a little program that would simply test whether a given
passphrase is correct or not for a private key, then return true or false.
I've looked at the sources, but it wasn't immediately obvious to me what
gnupg functions to start with. Obviously there are a few steps to this
(loading the private key, testing the passphrase)...

Can someone point me to which functions I should be looking at? Also, any
tips?

Thanks,
-will
-- 
:wq

From j.scott.edwards.nwos at gmail.com Tue Feb 14 03:18:30 2006
From: j.scott.edwards.nwos at gmail.com (J. Scott Edwards)
Date: Tue Feb 14 03:18:00 2006
Subject: Can you use one key to authenticate another key automatically?
Message-ID: <4095da870602131818s37b89b6fo701e4ee440c26f5f@mail.gmail.com>

I am working on an app that has hundreds of thousands of files stored on a
server.
I am planning to have a detached signature for each, to ensure that they
are the originals when they are read by the client app.

The question is, if there are multiple people creating the files, is there
a secure way to automatically verify that each one is authentic? For
example, could there be one public signature that the user could download.
And then when the app downloads a file and sees it was signed by another
user, the app automatically downloads that user's public key, uses the
master key to authenticate it. Or is there a gaping hole in this plan,
that I am missing? Is there a better way of handling, say hundreds of
signatures?

Thanks for the advice
-Scott

From cam at mathematica.scientia.net Tue Feb 14 18:24:29 2006
From: cam at mathematica.scientia.net (Christoph Anton Mitterer)
Date: Tue Feb 14 19:24:18 2006
Subject: Can you use one key to authenticate another key automatically?
In-Reply-To: <4095da870602131818s37b89b6fo701e4ee440c26f5f@mail.gmail.com>
References: <4095da870602131818s37b89b6fo701e4ee440c26f5f@mail.gmail.com>
Message-ID: <43F2124D.8070002@mathematica.scientia.net>

J. Scott Edwards wrote:

> I am working on an app that has hundreds of thousands of files stored
> on a server. I am planning to have a detached signature for each, to
> ensure that they are the originals when they are read by the client
> app.
>
> The question is, if there are multiple people creating the files, is
> there a secure way to automatically verify that each one is authentic?
> For example, could there be one public signature that the user could
> download. And then when the app downloads a file and sees it was
> signed by another user, the app automatically downloads that user's
> public key, uses the master key to authenticate it. Or is there a
> gaping hole in this plan, that I am missing? Is there a better way of
> handling, say hundreds of signatures?

Perhaps what you're looking for are trust signatures...

Chris.
From wk at gnupg.org Wed Feb 15 08:49:25 2006
From: wk at gnupg.org (Werner Koch)
Date: Wed Feb 15 09:06:42 2006
Subject: [Announce] False positive signature verification in GnuPG
Message-ID: <87u0b1xdru.fsf@wheatstone.g10code.de>

Skipped content of type multipart/signed

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From fw at deneb.enyo.de Wed Feb 15 19:06:24 2006
From: fw at deneb.enyo.de (Florian Weimer)
Date: Wed Feb 15 20:48:00 2006
Subject: [Announce] False positive signature verification in GnuPG
In-Reply-To: <87u0b1xdru.fsf@wheatstone.g10code.de> (Werner Koch's message of "Wed, 15 Feb 2006 08:49:25 +0100")
References: <87u0b1xdru.fsf@wheatstone.g10code.de>
Message-ID: <87u0b0jy3j.fsf@mid.deneb.enyo.de>

* Werner Koch:

> All versions of gnupg prior to 1.4.2.1 are affected if they are used
> in certain unattended operation modes.

Does this include, for instance, version 1.0.6? There are somewhat
conflicting claims floating around regarding the list of affected
versions.

From dshaw at jabberwocky.com Wed Feb 15 20:56:09 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Feb 15 20:55:39 2006
Subject: [Announce] False positive signature verification in GnuPG
In-Reply-To: <87u0b0jy3j.fsf@mid.deneb.enyo.de>
References: <87u0b1xdru.fsf@wheatstone.g10code.de> <87u0b0jy3j.fsf@mid.deneb.enyo.de>
Message-ID: <20060215195609.GA14288@jabberwocky.com>

On Wed, Feb 15, 2006 at 07:06:24PM +0100, Florian Weimer wrote:
> * Werner Koch:
>
> > All versions of gnupg prior to 1.4.2.1 are affected if they are used
> > in certain unattended operation modes.
>
> Does this include, for instance, version 1.0.6? There are somewhat
> conflicting claims floating around regarding the list of affected
> versions.

Yes, it does include version 1.0.6.
David

From lionel at mamane.lu Thu Feb 16 22:26:52 2006
From: lionel at mamane.lu (Lionel Elie Mamane)
Date: Thu Feb 16 23:25:05 2006
Subject: poldi bug: SIGSEGV if no reader
Message-ID: <20060216212652.GA31891@capsaicin.mamane.lu>

Hi,

I found a bug in poldi; I didn't find a poldi category on
http://bugs.gnupg.org/cgi-bin/gnatsweb.pl?database=gnupg, so I send it
here.

When pcscd is running, but no reader is connected, poldi makes the program
segfault. Here is a backtrace:

    #0  0xb7e7e15a in strcmp () from /lib/tls/i686/cmov/libc.so.6
    #1  0xb7e92bc7 in __tzstring () from /lib/tls/i686/cmov/libc.so.6
    #2  0xb7e93e80 in __tzfile_compute () from /lib/tls/i686/cmov/libc.so.6
    #3  0xb7e93a18 in __tz_convert () from /lib/tls/i686/cmov/libc.so.6
    #4  0xb7e91d8d in localtime_r () from /lib/tls/i686/cmov/libc.so.6
    #5  0xb7eddd24 in vsyslog () from /lib/tls/i686/cmov/libc.so.6
    #6  0xb7b89183 in log_get_stream () from /lib/security/pam_poldi.so
    #7  0xb7b89416 in log_error () from /lib/security/pam_poldi.so
    #8  0xb7b82f33 in pam_sm_authenticate () from /lib/security/pam_poldi.so
    #9  0xb7f4ca9a in _pam_dispatch () from /lib/libpam.so.0
    #10 0xb7f4ed9e in pam_authenticate () from /lib/libpam.so.0

and an strace (5 is the socket used to communicate with pcscd):

    close(5) = 0
    open("/usr/share/locale/en_GB.UTF-8/LC_MESSAGES/libgpg-error.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    open("/usr/share/locale/en_GB.utf8/LC_MESSAGES/libgpg-error.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    open("/usr/share/locale/en_GB/LC_MESSAGES/libgpg-error.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libgpg-error.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    open("/usr/share/locale/en.utf8/LC_MESSAGES/libgpg-error.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    open("/usr/share/locale/en/LC_MESSAGES/libgpg-error.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
    time([1140124486]) = 1140124486
    --- SIGSEGV (Segmentation fault) @ 0 (0) ---
    +++ killed by SIGSEGV (core dumped) +++

and an ltrace:

    pam_set_item(0x80707f8, 9, 0xbfbbc06c, 0xbfbbc16c, 0) = 0
    pam_get_item(0x80707f8, 2, 0xbfbbc348, 0xbfbbc16c, 0) = 0
    pam_set_item(0x80707f8, 2, 0, 0xbfbbc16c, 0) = 0
    pam_authenticate(0x80707f8, 0, 0, 0xbfbbc16c, 0
    misc_conv(1, 0xbfbb9d68, 0xbfbb9d64, 0, 0x6cebf48) = 0
    --- SIGSEGV (Segmentation fault) ---
    +++ killed by SIGSEGV +++

Besides, the wait-timeout option is not documented (but should really be
set by default!).

Thanks for your attention to this,

-- 
Lionel

From dshaw at jabberwocky.com Fri Feb 17 04:44:02 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Feb 17 04:43:41 2006
Subject: [Announce] First release candidate for 1.4.3 available
Message-ID: <20060217034402.GA18494@jabberwocky.com>

We are pleased to announce the availability of the first release candidate
for the forthcoming 1.4.3 version of GnuPG:

    ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.3rc1.tar.bz2 (2.9M)
    ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.3rc1.tar.bz2.sig

SHA-1 checksums for the above files are:

    6c2d5f65c2acde6eaeb1ae3a4bc9ae971f942126  gnupg-1.4.3rc1.tar.bz2
    62f13c67d5a32bb9747db0da667e420e5391f1e7  gnupg-1.4.3rc1.tar.bz2.sig

Note that this is only a release candidate, and as such is not intended
for use on production systems. If you are inclined to help test, however,
we would appreciate you trying this new version and reporting any
problems.

Noteworthy changes since 1.4.2:

    * If available, cURL-based keyserver helpers are built that can
      retrieve keys using HKP or any protocol that cURL supports (HTTP,
      HTTPS, FTP, FTPS, etc). If cURL is not available, HKP and HTTP are
      still supported using a built-in cURL emulator. To force building
      the old pre-cURL keyserver helpers, use the configure option
      --enable-old-keyserver-helpers. Note that none of this affects
      finger or LDAP support, which are unchanged. Note also that a
      future version of GnuPG will remove the old keyserver helpers
      altogether.
    * Implemented Public Key Association (PKA) trust sub model. This is
      an optional trust model on top of the standard ones. It makes use
      of special DNS records and notation data to associate a mail
      address with an OpenPGP key. It is by default not used. To use it
      you need to set the new option --allow-pka-lookup and an
      appropriate trust-model. Also added new keyserver option
      auto-pka-retrieve which is enabled by default but only working if
      --allow-pka-lookup is also used.

    * When exporting subkeys, those specified with a key ID or
      fingerprint and the '!' suffix are now merged into one keyblock.

    * Added "gpg-zip", a program to create encrypted archives that can
      interoperate with PGP Zip.

    * Added support for signing subkey "back signatures". Requiring back
      signatures to be present is currently off by default, but will be
      changed to on by default in the future, once more keys contain the
      back signature. A new "backsign" command in the --edit-key menu
      can be used to update signing subkeys with back signatures.

    * The key cleaning options for --import-options and --export-options
      have been further polished. "import-clean" and "export-clean"
      replace the older import-clean-sigs/import-clean-uids and
      export-clean-sigs/export-clean-uids option pairs.

    * New "minimize" command in the --edit-key menu removes everything
      that can be removed from a key, rendering it as small as possible.
      There are corresponding "export-minimal" and "import-minimal"
      commands for --export-options and --import-options.

    * New --fetch-keys command to retrieve keys by specifying a URI.
      This allows direct key retrieval from a web page or other location
      that can be specified in a URI. Available protocols are HTTP and
      finger, plus anything that cURL supplies, if built with cURL
      support.

Happy Hacking,

David, Timo, Werner
From lionel at mamane.lu Fri Feb 17 08:25:11 2006
From: lionel at mamane.lu (Lionel Elie Mamane)
Date: Fri Feb 17 08:24:33 2006
Subject: poldi bug: SIGSEGV if no reader
In-Reply-To: <20060216212652.GA31891@capsaicin.mamane.lu>
References: <20060216212652.GA31891@capsaicin.mamane.lu>
Message-ID: <20060217072511.GA1742@capsaicin.mamane.lu>

On Thu, Feb 16, 2006 at 10:26:52PM +0100, Lionel Elie Mamane wrote:

> When pcscd is running, but no reader is connected, poldi makes the
> program segfault. Here is a backtrace:

Similarly, if another application (such as scdaemon) is holding the card
open from pcscd, pcscd tells poldi "sharing violation" and poldi aborts the
whole process rather than cleanly returning a PAM code for "couldn't
authenticate".

I understand scdaemon is holding the card open to allow PIN caching? That's
rather problematic, because then it will never be able to coexist
peacefully with poldi. Unless pcscd can serve more than one client at a
time, but I suspect there is a good reason for pcscd to serve only one
client at a time; what would happen if poldi would try to access the card
in the middle of key generation?

I suppose having poldi use the scdaemon is out of the question, too,
because they are being executed by different users?

Is there a clean way to solve this?

-- 
Lionel

From j.scott.edwards.nwos at gmail.com Fri Feb 17 14:07:09 2006
From: j.scott.edwards.nwos at gmail.com (J. Scott Edwards)
Date: Fri Feb 17 15:06:09 2006
Subject: Is there any interest in submitting added comments?
Message-ID: <4095da870602170507k6b1f959dua618db20e54684e5@mail.gmail.com>

While I was digging around in the source files to understand gpg, I added
a few comments in a couple of files to help me remember what was happening
(I have a terrible memory). Is there any interest in my submitting them
back?
If so what is the best way to do that?

From malte.gell at gmx.de Fri Feb 17 16:18:17 2006
From: malte.gell at gmx.de (Malte Gell)
Date: Fri Feb 17 18:18:42 2006
Subject: [Announce] First release candidate for 1.4.3 available
In-Reply-To: <20060217034402.GA18494@jabberwocky.com>
References: <20060217034402.GA18494@jabberwocky.com>
Message-ID: <200602171618.18586.malte.gell@gmx.de>

On Friday 17 February 2006 04:44, David Shaw wrote:

>     * Added support for signing subkey "back signatures". Requiring
>       back signatures to be present is currently off by default, but
>       will be changed to on by default in the future, once more keys
>       contain the back signature. A new "backsign" command in the
>       --edit-key menu can be used to update signing subkeys with back
>       signatures.

Is the backsign command of 1.4.3rc1 stable enough to provide existing keys
with a back signature?

Are there any PGP implementations that have problems with keys containing
such a signature?

Thanx
Malte

From dshaw at jabberwocky.com Fri Feb 17 18:26:09 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Feb 17 18:25:35 2006
Subject: Back signatures (was Re: [Announce] First release candidate for 1.4.3 available)
In-Reply-To: <200602171618.18586.malte.gell@gmx.de>
References: <20060217034402.GA18494@jabberwocky.com> <200602171618.18586.malte.gell@gmx.de>
Message-ID: <20060217172609.GD20125@jabberwocky.com>

On Fri, Feb 17, 2006 at 04:18:17PM +0100, Malte Gell wrote:
> On Friday 17 February 2006 04:44, David Shaw wrote:
>
> >     * Added support for signing subkey "back signatures". Requiring
> >       back signatures to be present is currently off by default, but
> >       will be changed to on by default in the future, once more keys
> >       contain the back signature.
> >       A new "backsign" command in the
> >       --edit-key menu can be used to update signing subkeys with back
> >       signatures.
>
> Is the backsign command of 1.4.3rc1 stable enough to provide existing
> keys with a back signature?

Yes.

> Are there any PGP implementations that have problems with keys
> containing such a signature?

I don't know of one. Any PGP program that doesn't ignore unknown
noncritical signature subpackets would be pretty broken.

David

From wk at gnupg.org Fri Feb 17 19:03:10 2006
From: wk at gnupg.org (Werner Koch)
Date: Fri Feb 17 23:08:02 2006
Subject: Is there any interest in submitting added comments?
In-Reply-To: <4095da870602170507k6b1f959dua618db20e54684e5@mail.gmail.com> (J. Scott Edwards's message of "Fri, 17 Feb 2006 06:07:09 -0700")
References: <4095da870602170507k6b1f959dua618db20e54684e5@mail.gmail.com>
Message-ID: <87ek21x3q9.fsf@wheatstone.g10code.de>

On Fri, 17 Feb 2006 06:07:09 -0700, J Scott Edwards said:

> While I was digging around in the source files to understand gpg, I
> added a few comments in a couple of files to help me remember what was
> happening (I have a terrible memory). Is there any interest in my
> submitting them back? If so what is the best way to do that?

In general yes. However I believe that such comments are copyrightable
works and thus we would need copyright assignments to the FSF. So if you
want to do that paperwork, I'd appreciate receiving those comments.

I plan to update the internal documentation anyway while migrating the
current code to the 1.9 code line. You might want to give some hints
where better commenting is really needed to understand the code.

Salam-Shalom,

Werner

From walter.haidinger at gmx.at Sun Feb 19 13:28:35 2006
From: walter.haidinger at gmx.at (Walter Haidinger)
Date: Sun Feb 19 15:17:58 2006
Subject: New schema to store keys in standard LDAP servers?
Message-ID: <43F86473.9040200@gmx.at>

Hi!
I'm looking for the LDAP schema referred to in the GnuPG 1.4.0
announcement:

"The LDAP keyserver helper now supports storing, retrieving, and searching
for keys in both the old NAI "LDAP keyserver" as well as the more recent
method to store OpenPGP keys in standard LDAP servers."

Is the schema for the latter "more recent method" available anywhere? I'd
like to use my existing OpenLDAP server as a keyserver for GnuPG.

Btw, can GnuPG only store private keys on LDAP too?

Regards, Walter

From j.scott.edwards.nwos at gmail.com Mon Feb 20 03:12:47 2006
From: j.scott.edwards.nwos at gmail.com (J. Scott Edwards)
Date: Mon Feb 20 03:12:10 2006
Subject: Is there any interest in submitting added comments?
In-Reply-To: <87ek21x3q9.fsf@wheatstone.g10code.de>
References: <4095da870602170507k6b1f959dua618db20e54684e5@mail.gmail.com> <87ek21x3q9.fsf@wheatstone.g10code.de>
Message-ID: <4095da870602191812j465fd719t7200256965281a8c@mail.gmail.com>

On 2/17/06, Werner Koch wrote:
> On Fri, 17 Feb 2006 06:07:09 -0700, J Scott Edwards said:
>
> > While I was digging around in the source files to understand gpg, I
> > added a few comments in a couple of files to help me remember what was
> > happening (I have a terrible memory). Is there any interest in my
> > submitting them back? If so what is the best way to do that?
>
> In general yes. However I believe that such comments are copyrightable
> works and thus we would need copyright assignments to the FSF. So if
> you want to do that paperwork, I'd appreciate receiving those comments.

That wouldn't be a problem, just let me know what to do.

> I plan to update the internal documentation anyway while migrating the
> current code to the 1.9 code line. You might want to give some hints
> where better commenting is really needed to understand the code.

Sure, I could do that. What kind of time frame is the 1.9 migration?
Thanks
-Scott

From meissner at suse.de Mon Feb 20 17:14:52 2006
From: meissner at suse.de (Marcus Meissner)
Date: Tue Feb 21 12:20:09 2006
Subject: Not completely fixed? (was: False positive signature verification in GnuPG)
In-Reply-To: <87u0b1xdru.fsf@wheatstone.g10code.de>
References: <87u0b1xdru.fsf@wheatstone.g10code.de>
Message-ID: <20060220161452.GB28569@suse.de>

On Wed, Feb 15, 2006 at 08:49:25AM +0100, Werner Koch wrote:
> False positive signature verification in GnuPG
> ==============================================
>
> Summary
> =======
>
> The Gentoo project identified a security related bug in GnuPG. When
> using any current version of GnuPG for unattended signature
> verification (e.g. by scripts and mail programs), false positive
> signature verification of detached signatures may occur.
>
> This problem affects the tool *gpgv*, as well as using "gpg --verify"
> to imitate gpgv, if only the exit code of the process is used to
> decide whether a detached signature is valid. This is a plausible
> mode of operation for gpgv.

There is also another signature checking related bug, but not acknowledged
by Werner.

    gpg -o xx xx.asc

with the attached ASCII signature protected file does not return an error
on a crafted signature. gpg versions before 1.4 did fail on this; gpg 1.4
does not.

    $ gpg -o xx xx.asc
    gpg: malformed CRC
    $ echo $?
    2
    $

1.4 does accept it:

    $ gpg -o xx xx.asc
    $ echo $?
    0
    $

While files with other content report:

    $ gpg -o xx xx.any
    gpg: no valid OpenPGP data found.
    gpg: processing message failed: eof
    $ echo $?
    2
    $

The SUSE Security Team still considers this a bug, even if upstream does
not.
Ciao, Marcus

-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This message is a test
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

ysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrK
ysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrK
ysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKyso=
-----END PGP SIGNATURE-----

From wk at gnupg.org Tue Feb 21 13:57:49 2006
From: wk at gnupg.org (Werner Koch)
Date: Tue Feb 21 14:02:08 2006
Subject: Not completely fixed?
In-Reply-To: <20060220161452.GB28569@suse.de> (Marcus Meissner's message of "Mon, 20 Feb 2006 17:14:52 +0100")
References: <87u0b1xdru.fsf@wheatstone.g10code.de> <20060220161452.GB28569@suse.de>
Message-ID: <87ek1wkgxe.fsf@wheatstone.g10code.de>

On Mon, 20 Feb 2006 17:14:52 +0100, Marcus Meissner said:

> While files with other content report:
>
>     $ gpg -o xx xx.any
>     gpg: no valid OpenPGP data found.
>     gpg: processing message failed: eof
>     $ echo $?
>     2
>     $

Just to explain this one: The code uses a heuristic to test whether it is
a binary or armored message. If it decided that it is armored, the
de-armoring code is run and that one will eventually complain that this
does not look like OpenPGP. We added this diagnostic quite some time ago
because too often garbled armored messages led to user confusion.

The thing with binary messages is that gpg will happily parse them if they
look like OpenPGP packets and only terminate with an error if they don't.
It is easy to make up OpenPGP data without any actual use. Minor changes
in the parser may change what gpg considers acceptable. The exact
semantics have never been defined, so I don't consider this a bug. gpg is
not an OpenPGP packet validator. Changing that now will probably break
more things than do any good.

There are a few non-security related issues with the last update; we are
right now sorting them out.
Shalom-Salam,

   Werner
From will at cs.wisc.edu Tue Feb 21 20:02:55 2006
From: will at cs.wisc.edu (Will McDonald)
Date: Tue Feb 21 20:03:21 2006
Subject: Function to test passphrase
In-Reply-To: <20060202185824.GT27232@cs.wisc.edu>
References: <20060202185824.GT27232@cs.wisc.edu>
Message-ID: <20060221190255.GM758@cs.wisc.edu>

Any ideas here? I'm just looking for some pointers out how to do simple
passphrase verification of a key. Any direction is appreciated.

Thanks,
-will

On Thu, Feb 02, 2006 at 12:58:24PM -0600, Will McDonald wrote:
> Hello,
> I'd like to write a little program that would simply test whether a given
> passphrase is correct or not for a private key, then return true or false.
> I've looked at the sources, but it wasn't immediately obvious to me what gnupg
> functions to start with. Obviously there are a few steps to this (loading the
> private key, testing the passphrase)...
>
> Can someone point me to which functions I should be looking at? Also, any
> tips?
>
> Thanks,
> -will

--
:wq

From harakiri_23 at yahoo.com Tue Feb 21 21:28:09 2006
From: harakiri_23 at yahoo.com (Harakiri)
Date: Tue Feb 21 23:17:51 2006
Subject: Function to test passphrase
In-Reply-To: <20060221190255.GM758@cs.wisc.edu>
Message-ID: <20060221202809.7551.qmail@web52209.mail.yahoo.com>

Simple - try to sign a file - use status-fd and catch a GOOD_PASSPHRASE
or BAD_PASSPHRASE from the stdout

--- Will McDonald wrote:
> Any ideas here? I'm just looking for some pointers out how to do simple
> passphrase verification of a key. Any direction is appreciated.
>
> Thanks,
> -will
>
> On Thu, Feb 02, 2006 at 12:58:24PM -0600, Will McDonald wrote:
> > Hello,
> > I'd like to write a little program that would simply test whether a given
> > passphrase is correct or not for a private key, then return true or false.
> > I've looked at the sources, but it wasn't immediately obvious to me what gnupg
> > functions to start with. Obviously there are a few steps to this (loading the
> > private key, testing the passphrase)...
> >
> > Can someone point me to which functions I should be looking at? Also, any
> > tips?
> >
> > Thanks,
> > -will
> --
> :wq

From will at cs.wisc.edu Wed Feb 22 00:18:32 2006
From: will at cs.wisc.edu (Will McDonald)
Date: Wed Feb 22 00:17:50 2006
Subject: Function to test passphrase
In-Reply-To: <20060221223525.GW24450@vanheusden.com>
References: <20060202185824.GT27232@cs.wisc.edu> <20060221190255.GM758@cs.wisc.edu> <20060221223525.GW24450@vanheusden.com>
Message-ID: <20060221231832.GP758@cs.wisc.edu>

Excellent - this is exactly what I was looking for! You've even saved
me the development.

FYI, I'm trying to recover my ~26 character passphrase. Luckily I
*mostly* remember it (or at least my mnemonic), so I used Regexp::Genex
in perl to generate a few hundred thousand permutations - a manageable
size. This, along with your program, makes a good pair.

Thanks, Folkert!

On Tue, Feb 21, 2006 at 11:35:26PM +0100, Folkert van Heusden wrote:
> I do it by, well, look here: http://www.vanheusden.com/nasty/
>
> On Tue, Feb 21, 2006 at 01:02:55PM -0600, Will McDonald wrote:
> > Any ideas here? I'm just looking for some pointers out how to do simple
> > passphrase verification of a key. Any direction is appreciated.
> >
> > Thanks,
> > -will
> >
> > On Thu, Feb 02, 2006 at 12:58:24PM -0600, Will McDonald wrote:
> > > Hello,
> > > I'd like to write a little program that would simply test whether a given
> > > passphrase is correct or not for a private key, then return true or false.
> > > I've looked at the sources, but it wasn't immediately obvious to me what gnupg
> > > functions to start with. Obviously there are a few steps to this (loading the
> > > private key, testing the passphrase)...
> > >
> > > Can someone point me to which functions I should be looking at? Also, any
> > > tips?
> > >
> > > Thanks,
> > > -will
> > --
> > :wq
>
> Folkert van Heusden

--
:wq

From folkert at vanheusden.com Tue Feb 21 23:35:26 2006
From: folkert at vanheusden.com (Folkert van Heusden)
Date: Wed Feb 22 01:17:57 2006
Subject: Function to test passphrase
In-Reply-To: <20060221190255.GM758@cs.wisc.edu>
References: <20060202185824.GT27232@cs.wisc.edu> <20060221190255.GM758@cs.wisc.edu>
Message-ID: <20060221223525.GW24450@vanheusden.com>

I do it by, well, look here: http://www.vanheusden.com/nasty/

On Tue, Feb 21, 2006 at 01:02:55PM -0600, Will McDonald wrote:
> Any ideas here? I'm just looking for some pointers out how to do simple
> passphrase verification of a key. Any direction is appreciated.
>
> Thanks,
> -will
>
> On Thu, Feb 02, 2006 at 12:58:24PM -0600, Will McDonald wrote:
> > Hello,
> > I'd like to write a little program that would simply test whether a given
> > passphrase is correct or not for a private key, then return true or false.
> > I've looked at the sources, but it wasn't immediately obvious to me what gnupg
> > functions to start with. Obviously there are a few steps to this (loading the
> > private key, testing the passphrase)...
> >
> > Can someone point me to which functions I should be looking at?
> > Also, any
> > tips?
> >
> > Thanks,
> > -will
> --
> :wq

Folkert van Heusden

--
www.vanheusden.com/multitail - multitail is tail on steroids. multiple
windows, filtering, coloring, anything you can think of
----------------------------------------------------------------------
Phone: +31-6-41278122, PGP-key: 1F28D8AE, www.vanheusden.com

From dominique at leuenberger.net Tue Feb 21 20:44:45 2006
From: dominique at leuenberger.net (Dominique Leuenberger)
Date: Wed Feb 22 12:02:36 2006
Subject: gnupg shared keyfiles Win / Linux
Message-ID: <43FB6DAD.20508@leuenberger.net>

Hello,

somewhere on the web I found that what I want to do should be possible,
but still, I'm failing:

I have my private and public keyrings on a memory stick (fingerprint
protected, so no worries) and would like to use my gpg keyrings in
Windows and Linux. So the partition on the stick is FAT16.

Windows has absolutely no problem with this configuration, works as
expected, but in Linux, when typing 'gpg --list-keys' (or whatever uses
the keys) I get the following output:

*** QUOTE ***
gpg: checking the trustdb
gpg: lock not made: link() failed: Operation not permitted
gpg: can't lock `/home/dimstar/.gnupg/pubring.gpg'
gpg: failed to rebuild keyring cache: general error
gpg: lock not made: link() failed: Operation not permitted
gpg: fatal: can't acquire lock - giving up
secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/32768
*** END QUOTE ***

Any ideas what I can do in this case? Some special parameters on
mounting the partition?
I'm using OpenSuSE 10.0 OSS (ok, not the fastest distro, but still not
too bad) and gpg 1.4.2

Thanks for your replies to my email address (not a frequent reader of
the list)

Dominique Leuenberger

From wk at gnupg.org Wed Feb 22 13:19:29 2006
From: wk at gnupg.org (Werner Koch)
Date: Wed Feb 22 13:22:05 2006
Subject: gnupg shared keyfiles Win / Linux
In-Reply-To: <43FB6DAD.20508@leuenberger.net> (Dominique Leuenberger's message of "Tue, 21 Feb 2006 20:44:45 +0100")
References: <43FB6DAD.20508@leuenberger.net>
Message-ID: <877j7ntwku.fsf@wheatstone.g10code.de>

On Tue, 21 Feb 2006 20:44:45 +0100, Dominique Leuenberger said:

> I have my private and public keyrings on a memory stick (fingerprint
> protected, so no worries) and would like to use my gpg keyrings in

A fingerprint reader on a memory stick to protect against access to a
lost device is useless unless you make sure to keep all fingerprints
away from the stick - which occurs to me as a very hard task. It is
all too easy to take a fingerprint off the case and use this to unlock
the device. I'd call this use of biometrics snake-oil. A good
passphrase is a far better protection.

> gpg: lock not made: link() failed: Operation not permitted
> gpg: can't lock `/home/dimstar/.gnupg/pubring.gpg'

You are using a FAT file system which does not know about links. Use
another file system for the stick. Or use gpg --lock-never.

Shalom-Salam,

   Werner

From christianbiere at gmx.de Thu Feb 23 18:39:17 2006
From: christianbiere at gmx.de (Christian Biere)
Date: Thu Feb 23 20:17:54 2006
Subject: Possible bug in g10/g10.c
Message-ID: <20060223173917.GA5274@cyclonus>

Hi,

due to my siege against misuse of ctype functions I always stumble over
the compiler warnings in g10/g10.c. If I remember correctly, last time
I accepted that the compiler is at fault because there are isascii()
checks. Well, the compiler isn't really at fault if isascii() doesn't
resolve to something determinable at compile-time.
Actually, my really uses a table-reference under some circumstances, so
the compiler is dead on.

That was the prequel.

Here goes the main issue - taken from g10/g10.c:

    /* we only support printable text - therefore we enforce the use
     * of only printable characters (an empty value is valid) */
    for( s++; *s ; s++ ) {
        if ( isascii (*s) )           <<<<< Isn't there a '!' missing?
            highbit = 1;
        else if (iscntrl(*s)) {       <<<< Not ASCII, crash likely
            log_error(_("a notation value must not use"
                        " any control characters\n") );
            return;
        }
    }

The next lines amplify my impression that the above lines are buggy:

    if( highbit ) /* must use UTF8 encoding */
        sl = add_to_strlist2( notation_data, string, utf8_strings );
    else
        sl = add_to_strlist( notation_data, string );

--
Christian

From christianbiere at gmx.de Thu Feb 23 18:55:02 2006
From: christianbiere at gmx.de (Christian Biere)
Date: Thu Feb 23 20:18:07 2006
Subject: Issue with certain key
Message-ID: <20060223175502.GB5274@cyclonus>

Skipped content of type multipart/mixed
From dshaw at jabberwocky.com Thu Feb 23 20:26:20 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Feb 23 20:25:46 2006
Subject: Issue with certain key
In-Reply-To: <20060223175502.GB5274@cyclonus>
References: <20060223175502.GB5274@cyclonus>
Message-ID: <20060223192620.GG14298@jabberwocky.com>

On Thu, Feb 23, 2006 at 06:55:02PM +0100, Christian Biere wrote:
> Hi,
>
> I cannot retrieve this key using GnuPG 1.4.2.1 on NetBSD:
>
> gpg: requesting key FC05DA69 from hkp server blackhole.pca.dfn.de
> gpg: mpi larger than indicated length (2 bytes)
> gpg: read_block: read error: invalid packet
> gpg: Total number processed: 0
> gpg: no valid OpenPGP data found.
>
> All checks pass when I run "make check". I've also tried
> pgpkeys.mit.edu. Is there something wrong with this key?
> According to its owner, it's alright. So it must be a bug,
> right?

Yes. There are corrupt signatures on that key. GnuPG 1.4.3 has code
to skip the corrupt signatures rather than reject the whole key.

David

From dshaw at jabberwocky.com Thu Feb 23 20:29:25 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Feb 23 20:29:42 2006
Subject: Possible bug in g10/g10.c
In-Reply-To: <20060223173917.GA5274@cyclonus>
References: <20060223173917.GA5274@cyclonus>
Message-ID: <20060223192925.GH14298@jabberwocky.com>

On Thu, Feb 23, 2006 at 06:39:17PM +0100, Christian Biere wrote:
> Hi,
>
> due to my siege against misuse of ctype functions I always stumble
> over the compiler warnings in g10/g10.c. If I remember correctly, last
> time I accepted that the compiler is at fault because there are
> isascii() checks. Well, the compiler isn't really at fault if
> isascii() doesn't resolve to something determinable at compile-time.
> Actually, my really uses a table-reference under some
> circumstances, so the compiler is dead on.
> That was the prequel.
>
> Here goes the main issue - taken from g10/g10.c:
>
>     /* we only support printable text - therefore we enforce the use
>      * of only printable characters (an empty value is valid) */
>     for( s++; *s ; s++ ) {
>         if ( isascii (*s) )           <<<<< Isn't there a '!' missing?
>             highbit = 1;
>         else if (iscntrl(*s)) {       <<<< Not ASCII, crash likely
>             log_error(_("a notation value must not use"
>                         " any control characters\n") );
>             return;
>         }
>     }

That's a bug. I've fixed it for 1.4.3. Thanks for the report!

David

From christianbiere at gmx.de Thu Feb 23 21:05:14 2006
From: christianbiere at gmx.de (Christian Biere)
Date: Thu Feb 23 21:04:42 2006
Subject: Possible bug in g10/g10.c
In-Reply-To: <20060223192925.GH14298@jabberwocky.com>
References: <20060223173917.GA5274@cyclonus> <20060223192925.GH14298@jabberwocky.com>
Message-ID: <20060223200514.GC17459@cyclonus>

David Shaw wrote:
> >     for( s++; *s ; s++ ) {
> >         if ( isascii (*s) )           <<<<< Isn't there a '!' missing?
> >             highbit = 1;

> That's a bug. I've fixed it for 1.4.3. Thanks for the report!

On a related note, the replacement functions for strcasecmp() and
strncasecmp() in util/strgutil.c are wrong. The standard says tolower()
is used - not toupper() - and it also uses the difference of the
lowercased characters as result. It may not matter in GnuPG but it
would be a pity if someone copied this code.

--
Christian
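Both points raised in this exchange are easy to get wrong when copied, so here is an added example (my own code, not GnuPG's util/strgutil.c or g10/g10.c) that shows the corrected forms: the notation-value loop with the missing '!' restored and every byte widened through unsigned char before it reaches a ctype function, and ASCII-only strcasecmp()/strncasecmp() replacements that lower-case rather than upper-case and return the difference of the first mismatching characters, as Christian describes. The function names and the sample strings are mine.

```c
/* Added example, not GnuPG's code: the notation-value check from the
 * report above with the missing '!' restored, and locale-independent
 * ASCII strcasecmp()/strncasecmp() replacements that lower-case (not
 * upper-case) and return the difference of the first mismatch. */
#include <ctype.h>
#include <stdio.h>

/* Validate an OpenPGP notation value.
 * Returns -1 if a control character is present, 1 if the value contains
 * non-ASCII bytes (the caller must then store it as UTF-8), 0 for plain
 * ASCII.  An empty value is valid.  Bytes are widened through unsigned
 * char: handing a negative char to a <ctype.h> function is undefined
 * behaviour (common libcs index a table with it), which is the "crash
 * likely" remark in the report. */
int check_notation_value(const char *value)
{
    const unsigned char *s = (const unsigned char *)value;
    int highbit = 0;
    for (; *s; s++) {
        if (*s > 0x7f)            /* !isascii(*s): the '!' the original lacked */
            highbit = 1;
        else if (iscntrl(*s))     /* only reached for ASCII bytes */
            return -1;
    }
    return highbit;
}

/* ASCII-only tolower(): leaves every non-letter byte untouched, so the
 * result never depends on the current locale. */
static int ascii_lower(int c)
{
    return (c >= 'A' && c <= 'Z') ? c + ('a' - 'A') : c;
}

int ascii_strncasecmp(const char *a, const char *b, size_t n)
{
    const unsigned char *pa = (const unsigned char *)a;
    const unsigned char *pb = (const unsigned char *)b;
    for (; n > 0; n--, pa++, pb++) {
        int ca = ascii_lower(*pa), cb = ascii_lower(*pb);
        if (ca != cb || ca == '\0')
            return ca - cb;       /* difference of the lowered characters */
    }
    return 0;
}

int ascii_strcasecmp(const char *a, const char *b)
{
    return ascii_strncasecmp(a, b, (size_t)-1);  /* stops at the first NUL */
}

int main(void)
{
    /* Constructed sample inputs: plain ASCII, UTF-8, a control byte, empty. */
    const char *samples[] = { "plain text", "caf\xc3\xa9", "bad\x01value", "" };
    const char *verdict[] = { "control char", "ascii", "needs UTF-8" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i],
               verdict[check_notation_value(samples[i]) + 1]);
    printf("ascii_strcasecmp(\"Hello\", \"hELLO\") = %d\n",
           ascii_strcasecmp("Hello", "hELLO"));
    return 0;
}
```

The unsigned char cast is the part that matters beyond the missing '!': with the cast in place, iscntrl() is only ever called on values 0..127, so even a buggy condition can no longer turn a high-bit byte into an out-of-range table index.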
From christianbiere at gmx.de Sat Feb 25 14:53:38 2006
From: christianbiere at gmx.de (Christian Biere)
Date: Sat Feb 25 14:53:10 2006
Subject: Issue with certain key
In-Reply-To: <20060223192620.GG14298@jabberwocky.com>
References: <20060223175502.GB5274@cyclonus> <20060223192620.GG14298@jabberwocky.com>
Message-ID: <20060225135338.GB10577@cyclonus>

David Shaw wrote:
> On Thu, Feb 23, 2006 at 06:55:02PM +0100, Christian Biere wrote:
> > gpg: requesting key FC05DA69 from hkp server blackhole.pca.dfn.de
> > gpg: mpi larger than indicated length (2 bytes)
> > gpg: read_block: read error: invalid packet
> > gpg: Total number processed: 0
> > gpg: no valid OpenPGP data found.

> > All checks pass when I run "make check". I've also tried
> > pgpkeys.mit.edu. Is there something wrong with this key?
> > According to its owner, it's alright. So it must be a bug,
> > right?

> Yes. There are corrupt signatures on that key. GnuPG 1.4.3 has code
> to skip the corrupt signatures rather than reject the whole key.

Thanks for confirming this. It's a little bit odd though. I'm sure I
used blackhole.pca.dfn.de to retrieve this key initially and that one
uses SKS unlike pgpkeys.mit.edu which uses the broken PKS. It's really
strange but on Debian with GnuPG 1.4.2 I can retrieve the key and
cannot reproduce the warning. On NetBSD, no dice. The key seems to
have corrupted my key ring slightly too because I get that warning
whenever I use GnuPG now. It's still working fine but always emits
that warning additionally. I even tried an empty ~/.gnupg and the
suggested subkeys.pgp.net but I always get the warning as above. I'll
fetch GnuPG from CVS and retry.

--
Christian
From dshaw at jabberwocky.com Sat Feb 25 15:55:20 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat Feb 25 15:54:53 2006
Subject: Issue with certain key
In-Reply-To: <20060225135338.GB10577@cyclonus>
References: <20060223175502.GB5274@cyclonus> <20060223192620.GG14298@jabberwocky.com> <20060225135338.GB10577@cyclonus>
Message-ID: <20060225145520.GA21617@jabberwocky.com>

On Sat, Feb 25, 2006 at 02:53:38PM +0100, Christian Biere wrote:
> David Shaw wrote:
> > On Thu, Feb 23, 2006 at 06:55:02PM +0100, Christian Biere wrote:
> > > gpg: requesting key FC05DA69 from hkp server blackhole.pca.dfn.de
> > > gpg: mpi larger than indicated length (2 bytes)
> > > gpg: read_block: read error: invalid packet
> > > gpg: Total number processed: 0
> > > gpg: no valid OpenPGP data found.
>
> > > All checks pass when I run "make check". I've also tried
> > > pgpkeys.mit.edu. Is there something wrong with this key?
> > > According to its owner, it's alright. So it must be a bug,
> > > right?
>
> > Yes. There are corrupt signatures on that key. GnuPG 1.4.3 has code
> > to skip the corrupt signatures rather than reject the whole key.
>
> Thanks for confirming this. It's a little bit odd though. I'm sure I
> used blackhole.pca.dfn.de to retrieve this key initially and that one
> uses SKS unlike pgpkeys.mit.edu which uses the broken PKS. It's really
> strange but on Debian with GnuPG 1.4.2 I can retrieve the key and
> cannot reproduce the warning. On NetBSD, no dice. The key seems to
> have corrupted my key ring slightly too because I get that warning
> whenever I use GnuPG now. It's still working fine but always emits
> that warning additionally. I even tried an empty ~/.gnupg and the
> suggested subkeys.pgp.net but I always get the warning as above. I'll
> fetch GnuPG from CVS and retry.
The problem with corrupted signatures is that they tend to spread from
keyserver to keyserver unless the keyserver does sanity checks.

David

From christianbiere at gmx.de Sat Feb 25 17:08:48 2006
From: christianbiere at gmx.de (Christian Biere)
Date: Sat Feb 25 17:08:11 2006
Subject: Issue with certain key
In-Reply-To: <20060225135338.GB10577@cyclonus>
References: <20060223175502.GB5274@cyclonus> <20060223192620.GG14298@jabberwocky.com> <20060225135338.GB10577@cyclonus>
Message-ID: <20060225160848.GA26239@cyclonus>

Christian Biere wrote:
> David Shaw wrote:
> > On Thu, Feb 23, 2006 at 06:55:02PM +0100, Christian Biere wrote:
> > > gpg: requesting key FC05DA69 from hkp server blackhole.pca.dfn.de
> > > gpg: mpi larger than indicated length (2 bytes)
> > > gpg: read_block: read error: invalid packet
> > > gpg: Total number processed: 0
> > > gpg: no valid OpenPGP data found.

> > Yes. There are corrupt signatures on that key. GnuPG 1.4.3 has code
> > to skip the corrupt signatures rather than reject the whole key.

> I'll fetch GnuPG from CVS and retry.

I used 1.4.3rc1 because the auto* tools just hate me. This fixes the
problem with the key but I had to delete it from my keyring in order to
get rid of the warnings with 1.4.2. I thought 1.4.3 would discard the
corrupt signatures during the import but I guess it really just skips
them at run-time.

By the way, it's probably a good idea to update the website with
respect to CVS. I fetched GnuPG from CVS and just read that you're
using SVN since July.

--
Christian
From JPClizbe at comcast.net Sat Feb 25 21:45:19 2006
From: JPClizbe at comcast.net (John Clizbe)
Date: Sat Feb 25 21:53:17 2006
Subject: Issue with certain key
In-Reply-To: <20060225160848.GA26239@cyclonus>
References: <20060223175502.GB5274@cyclonus> <20060223192620.GG14298@jabberwocky.com> <20060225135338.GB10577@cyclonus> <20060225160848.GA26239@cyclonus>
Message-ID: <4400C1DF.8020105@comcast.net>

Christian Biere wrote:
> By the way, it's probably a good idea to update the website with
> respect to CVS. I fetched GnuPG from CVS just read that you're
> using SVN since July.

Christian,

I don't believe that the CVS tree is current. I don't think it has
been updated since the switch to SVN or shortly after.

svn co svn://cvs.gnupg.org/gnupg/trunk gnupg14
svn co svn://cvs.gnupg.org/gnupg/branches/GNUPG-1-9-BRANCH gnupg19

--
John P. Clizbe                      Inet: JPClizbe(a)comcast DOT nyet
"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From christianbiere at gmx.de Sat Feb 25 22:11:11 2006
From: christianbiere at gmx.de (Christian Biere)
Date: Sat Feb 25 22:10:33 2006
Subject: Issue with certain key
In-Reply-To: <4400C1DF.8020105@comcast.net>
References: <20060223175502.GB5274@cyclonus> <20060223192620.GG14298@jabberwocky.com> <20060225135338.GB10577@cyclonus> <20060225160848.GA26239@cyclonus> <4400C1DF.8020105@comcast.net>
Message-ID: <20060225211111.GB6038@cyclonus>

John Clizbe wrote:
> Christian Biere wrote:
> > By the way, it's probably a good idea to update the website with
> > respect to CVS.
> > I fetched GnuPG from CVS and just read that you're
> > using SVN since July.

> I don't believe that the CVS tree is current. I don't think it has
> been updated since the switch to SVN or shortly after.

Yes, that's what I meant. This information is nowhere on
http://www.gnupg.org/. The website still points to CVS. So I fetched
the sources from CVS and then saw the README file which says GnuPG is
developed using Subversion since July 2005.

> svn co svn://cvs.gnupg.org/gnupg/trunk gnupg14
> svn co svn://cvs.gnupg.org/gnupg/branches/GNUPG-1-9-BRANCH gnupg19

This information should be on the website, or not?

--
Christian

From kssingvo at suse.de Mon Feb 27 14:08:06 2006
From: kssingvo at suse.de (Klaus Singvogel)
Date: Mon Feb 27 16:18:01 2006
Subject: Several questions about s2k
Message-ID: <20060227130806.GA19574@suse.de>

Hello,

I'm package maintainer of gnupg at SuSE/Novell.

We got a problem report, which is far beyond the typical installation /
compilation problems. Instead it covers the s2k mode, with which I'm
not very familiar.

I think it's not nice behaviour to copy&paste the problems of someone
else. So please, have a look at
    https://bugzilla.novell.com/show_bug.cgi?id=153565
and comment back.

I'll do some comments on the insecure memory part (1st part).

Thanks in advance.

Regards,
    Klaus.

PS: I added the reporter of the problem into the CC:
--
Klaus Singvogel
SUSE LINUX Products GmbH
Maxfeldstr.
5                               E-Mail: Klaus.Singvogel@SuSE.de
90409 Nuernberg                 Phone: +49 (0) 911 740530
Germany                         GnuPG-Key-ID: 1024R/5068792D 1994-06-27

From malte.gell at gmx.de Mon Feb 27 22:46:08 2006
From: malte.gell at gmx.de (Malte Gell)
Date: Mon Feb 27 22:46:46 2006
Subject: Several questions about s2k
In-Reply-To: <20060227130806.GA19574@suse.de>
References: <20060227130806.GA19574@suse.de>
Message-ID: <200602272246.09241.malte.gell@gmx.de>

On Monday 27 February 2006 14:08, Klaus Singvogel wrote:
> I think it's not a nice behaviour to copy&paste the problems of
> someone else. So please, have a look at
> https://bugzilla.novell.com/show_bug.cgi?id=153565
> and comment back.

since I use SUSE Linux 10.0 as well, I tested what Olli did. The
options he used can be used in one single line:

gpg --no-options --s2k-mode 3 --s2k-cipher-algo aes256 --s2k-digest-algo sha512 --gen-key

This perfectly created a new standard DSA/ElG key pair on SUSE 10.0.

That "cert-digest-algo SHA512" doesn't work with DSA keys is obvious;
RSA keys allow choosing any hash algo.

The only error message reported is "gpg: invalid item `S2' in
preference string" and this smells like a typo in ~/.gnupg/gpg.conf
rather than a bug. Olli invoked "grep s2k gpg.conf" which cannot tell
the typo, because according to the error message "S2" is the wrong
value used somewhere.

So, what does "grep S2 ~/.gnupg/gpg.conf" say?

hth
Malte

From malte.gell at gmx.de Tue Feb 28 02:31:10 2006
From: malte.gell at gmx.de (Malte Gell)
Date: Tue Feb 28 02:31:11 2006
Subject: Several questions about s2k
In-Reply-To:
References: <20060227130806.GA19574@suse.de> <200602272246.09241.malte.gell@gmx.de>
Message-ID: <200602280231.11109.malte.gell@gmx.de>

On Tuesday 28 February 2006 00:32, Olli Artemjev wrote:
> I've updated comments on novell bugreport page.
> Please refresh.

2:21 a.m. will look at it tomorrow ;-)

> 1. The gpg.conf used in my tests is available from bugreport.
> Also attaching here.
Thanx, looked at it, I may have found the issue, you use

disable-cipher-algo 3DES
disable-pubkey-algo 3DES

and this causes the error message "gpg: invalid item `S2' in preference
string", admittedly it sounds confusing, but has nothing to do with the
s2k options. So, you are right, it was not a typo.

But, 3DES is a requirement by OpenPGP and must never be disabled, but
this is what you did in your gpg.conf and this has confused GnuPG.

Malte

From dshaw at jabberwocky.com Tue Feb 28 03:40:44 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Feb 28 03:40:15 2006
Subject: Several questions about s2k
In-Reply-To: <200602280231.11109.malte.gell@gmx.de>
References: <20060227130806.GA19574@suse.de> <200602272246.09241.malte.gell@gmx.de> <200602280231.11109.malte.gell@gmx.de>
Message-ID: <20060228024044.GA17895@jabberwocky.com>

On Tue, Feb 28, 2006 at 02:31:10AM +0100, Malte Gell wrote:
> On Tuesday 28 February 2006 00:32, Olli Artemjev wrote:
> > I've updated comments on novell bugreport page.
> > Please refresh.
>
> 2:21 a.m. will look at it tomorrow ;-)
>
> > 1. The gpg.conf used in my tests is available from bugreport.
> > Also attaching here.
>
> Thanx, looked at it, I may have found the issue, you use
>
> disable-cipher-algo 3DES
> disable-pubkey-algo 3DES
>
> and this causes the error message "gpg: invalid item `S2' in preference
> string", admittedly it sounds confusing, but has nothing to do with the
> s2k options. So, you are right, it was not a typo.
>
> But, 3DES is a requirement by OpenPGP and must never be disabled, but
> this is what you did in your gpg.conf and this has confused GnuPG.

No. It's possible to disable 3DES - noncompliant with OpenPGP, and
will make you incapable of communicating with many people, but
possible. The error message you saw was GnuPG warning you that it
could not make a preference list for the new key you were generating
when 3DES was missing.
The key will be generated fine, but ironically, without a preference
list on the key, the only cipher that will be used is 3DES.

The "disable-pubkey-algo 3DES" line is just nonsense (and ignored) as
3DES is not a public key algorithm.

That gpg.conf file has a lot of values hardcoded that will make it
impossible for you to communicate with some people. Please read the
section about interoperability in the manual, and especially the bit
about "Only override this safe default if you really know what you are
doing." 99% of the time, using --cipher-algo, --digest-algo, or
--compress-algo is a mistake.

David

From malte.gell at gmx.de Tue Feb 28 19:10:19 2006
From: malte.gell at gmx.de (Malte Gell)
Date: Tue Feb 28 19:10:12 2006
Subject: Several questions about s2k
In-Reply-To:
References: <20060227130806.GA19574@suse.de> <200602280231.11109.malte.gell@gmx.de>
Message-ID: <200602281910.20337.malte.gell@gmx.de>

On Tuesday 28 February 2006 07:25, Olli Artemjev wrote:
> On Tue, 28 Feb 2006, Malte Gell wrote:
> > On Tuesday 28 February 2006 00:32, Olli Artemjev wrote:
> >> I've updated comments on novell bugreport page.
> >> Please refresh.

I think --expert was made to allow "silly" things, but maybe not really
everything one might intend to do.

> > But, 3DES is a requirement by OpenPGP and must never be disabled,
> > but this is what you did in your gpg.conf and this has confused
> > GnuPG.
>
> well.. why? What should I read to get a reason of that ? 3des is weak
> for my paranoia ;-)) why should I enable it? ?-)

David, one of the developers, said something about this on the list; I
would suggest you subscribe to gnupg-users / gnupg-devel to ask about
these things. Generally I'd say disabling 3des makes not much sense,
because you use --cipher-algo aes256 to encrypt your stuff with AES256,
so why additionally try to disable 3des?
Instead of filing bug reports at Novell, I think you get more response
and answers from the right people if you subscribe to the mailing
lists, see: http://www.gnupg.org/(en)/documentation/mailing-lists.html

Regards
Malte

From marji22 at yahoo.com Tue Feb 28 20:33:17 2006
From: marji22 at yahoo.com (CHRISTINA MARJI)
Date: Tue Feb 28 22:17:53 2006
Subject: Gnupg compile error
Message-ID: <20060228193317.80210.qmail@web31106.mail.mud.yahoo.com>

Hi,

I have downloaded gnupg 1.4.2.1 source code from gnupg.org. I get the
following errors when I run the make utility:

make[1]: Entering directory `/home/tina/gnupg-1.4.2.1/checks'
../g10/gpg --homedir . --quiet --yes --no-permission-warning --import ./pubdemo.asc
gpg: mpi larger than indicated length (124 bytes)
gpg: read_block: read error: invalid packet
gpg: no valid OpenPGP data found.
gpg: import from `./pubdemo.asc' failed: invalid keyring
make[1]: *** [prepared.stamp] Error 2
make[1]: Leaving directory `/home/tina/gnupg-1.4.2.1/checks'
make: *** [check-recursive] Error 1

Can someone help me regarding this matter.

Thank you
Christina Michael

From marcus.brinkmann at ruhr-uni-bochum.de Wed Feb 22 13:11:54 2006
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Fri Mar 3 11:13:57 2006
Subject: [Announce] GPGME 1.1.1 released
Message-ID: <87y8031tkl.wl%marcus.brinkmann@ruhr-uni-bochum.de>

We are pleased to announce version 1.1.1 of GnuPG Made Easy, a library
designed to make access to GnuPG easier for applications.
It may be found in the file (about 860 KB/663 KB compressed)

  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.1.tar.gz
  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.1.tar.bz2

The following files are also available:

  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.1.tar.gz.sig
  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.1.tar.bz2.sig
  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.0-1.1.1.diff.gz

It should soon appear on the mirrors listed at:

  http://www.gnupg.org/mirrors.html

Bug reports and requests for assistance should be sent to:

  gnupg-devel@gnupg.org

The sha1sum checksums for this distribution are

9db9b31fe83c2d37572995ca9857971f02d0a3dd  gpgme-1.1.0-1.1.1.diff.gz
0cc2de4258897b5ef2b2750e652f608d56cdd282  gpgme-1.1.1.tar.bz2
899ca06e739a317a175b6217b56051d912530f3e  gpgme-1.1.1.tar.bz2.sig
bb93fb4414f1e4790b7af035a3e7abc64805d68c  gpgme-1.1.1.tar.gz
7b70ae11584b5e8f814532a832477e3fba226c5e  gpgme-1.1.1.tar.gz.sig

Noteworthy changes in version 1.1.1 (2006-02-22)
------------------------------------------------

 * Fixed a bug in which the fingerprints of subkeys were not available.

 * Clarified usage of the SECRET flag in key listings. It is now reset for stub keys.

 * Reading signature notations and policy URLs on key signatures is supported. They can be found in the new field notations of the gpgme_key_sig_t structure. This has to be enabled with the keylist mode flag GPGME_KEYLIST_MODE_SIG_NOTATIONS.

 * A new gpgme_free() function solves the problem of using different allocators in a single program. This function should now be used instead of calling free() to release the buffer returned by gpgme_data_release_and_get_mem. It is recommended that you always do this, but it is only necessary on certain platforms, so backwards compatibility is provided. In other words: if free() worked for you before, it will keep working.

 * New status codes GPGME_PKA_TRUST_GOOD and GPGME_PKA_TRUST_BAD.
They are analyzed by the verify handlers and made available in the new PKA_TRUST and PKA_ADDRESS fields of the signature result structure.

 * Interface changes relative to the 1.1.0 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gpgme_key_sig_t                     EXTENDED: New field notations.
GPGME_KEYLIST_MODE_SIG_NOTATIONS    NEW
gpgme_free                          NEW
GPGME_STATUS_PKA_TRUST_BAD          NEW
GPGME_STATUS_PKA_TRUST_GOOD         NEW
gpgme_signature_t                   EXTENDED: New field pka_trust.
gpgme_signature_t                   EXTENDED: New field pka_address.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Marcus Brinkmann
mb@g10code.de

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From vladimir at sycore.org Mon Feb 27 19:18:00 2006
From: vladimir at sycore.org (Vladimir S. Petukhov)
Date: Mon Mar 20 19:00:23 2006
Subject: gpgme memory leak? What's wrong?
Message-ID: <200602271941.46142.vladimir@sycore.org>

Hi!
Sorry for my English...

Next code:

    GpgmeData gpgme_data_in, gpgme_data_out;   /* input and output data handles */

    while (true) {
        GpgmeCtx gpgme_ctx;
        gpgme_new (&gpgme_ctx);                /* fresh context on every iteration */
        gpgme_set_textmode (gpgme_ctx, 1);
        gpgme_set_armor (gpgme_ctx, 1);
        gpgme_set_passphrase_cb (gpgme_ctx, &passphrase_cb, NULL);   /* passphrase_cb is defined elsewhere */
        gpgme_data_new_from_mem (&gpgme_data_in, "test", 5, 0);
        gpgme_data_new (&gpgme_data_out);
        /* clearsign gpgme_data_in into gpgme_data_out */
        gpgme_op_sign (gpgme_ctx, gpgme_data_in, gpgme_data_out, GPGME_SIG_MODE_CLEAR);
        gpgme_data_release (gpgme_data_out);
        gpgme_data_release (gpgme_data_in);
        gpgme_release (gpgme_ctx);
    }

the same as:

    GpgmeData gpgme_data_in, gpgme_data_out;   /* input and output data handles */
    GpgmeCtx gpgme_ctx;

    gpgme_new (&gpgme_ctx);                    /* one context reused for all iterations */
    gpgme_set_textmode (gpgme_ctx, 1);
    gpgme_set_armor (gpgme_ctx, 1);
    gpgme_set_passphrase_cb (gpgme_ctx, &passphrase_cb, NULL);       /* passphrase_cb is defined elsewhere */
    while (true) {
        gpgme_data_new_from_mem (&gpgme_data_in, "test", 5, 0);
        gpgme_data_new (&gpgme_data_out);
        /* clearsign gpgme_data_in into gpgme_data_out */
        gpgme_op_sign (gpgme_ctx, gpgme_data_in, gpgme_data_out, GPGME_SIG_MODE_CLEAR);
        gpgme_data_release (gpgme_data_out);
        gpgme_data_release (gpgme_data_in);
    }
    gpgme_release (gpgme_ctx);

.. signs messages well, but allocates memory incrementally.
What's wrong? (version 1.4.2)
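The interoperability point raised earlier in this digest (David's reply about hardcoded --cipher-algo settings, and Malte's remark that 3DES cannot usefully be disabled) comes down to how OpenPGP picks a symmetric cipher from the recipients' preference lists. The following is an added illustration written for this archive, not code from GnuPG or from any of the posters: a simplified model of that selection. The algorithm names, the sample preference lists and the function names (`effective_prefs`, `choose_cipher`, `forced_cipher_is_interoperable`) are constructed for the example; the only rule it takes from the standard is that 3DES is the MUST-implement cipher and is therefore implicitly present at the end of every key's preference list.

```python
"""Simplified model of OpenPGP symmetric-cipher negotiation.

Constructed example. The one standard rule modelled: 3DES is the
MUST-implement cipher, so it is tacitly the last entry of every key's
preference list even if the key owner tried to leave it out.
GnuPG's real ranking is more elaborate; this is a teaching model.
"""

IMPLICIT_CIPHER = "3DES"   # MUST-implement; tacitly last in every list


def effective_prefs(prefs):
    """A key's preference list as peers actually interpret it.

    Any explicit 3DES entry is moved to the end, and a list that omits
    3DES (or, like the gpg.conf discussed above, tries to 'disable' it)
    still ends with it. A key with no preferences at all yields [3DES],
    which is exactly the situation David describes."""
    ordered = [p for p in prefs if p != IMPLICIT_CIPHER]
    return ordered + [IMPLICIT_CIPHER]


def choose_cipher(recipient_prefs):
    """Pick a cipher acceptable to every recipient.

    recipient_prefs: list of preference lists, one per recipient.
    Simplification: the first recipient's ordering decides among the
    algorithms common to all. Negotiation never fails, because 3DES is
    in every effective list."""
    if not recipient_prefs:
        raise ValueError("need at least one recipient")
    lists = [effective_prefs(p) for p in recipient_prefs]
    common = set(lists[0]).intersection(*lists[1:])
    for algo in lists[0]:
        if algo in common:
            return algo
    return IMPLICIT_CIPHER   # not reachable: 3DES is always common


def forced_cipher_is_interoperable(forced, recipient_prefs):
    """Model the risk of a hardcoded --cipher-algo.

    The override bypasses negotiation, so the message is only safe to
    decrypt everywhere if every recipient advertised that algorithm."""
    return all(forced in effective_prefs(p) for p in recipient_prefs)


if __name__ == "__main__":
    # Constructed sample keys (not real preference data).
    alice = ["AES256", "AES", "CAST5"]
    bob = ["CAST5", "AES"]
    nopref_key = []                      # key generated without a pref list
    print("alice+bob:", choose_cipher([alice, bob]))          # AES
    print("alice+no-pref key:", choose_cipher([alice, nopref_key]))   # 3DES
    print("forced AES256 ok for bob?",
          forced_cipher_is_interoperable("AES256", [alice, bob]))      # False
```

Running the script shows the two effects from the thread: a recipient key without a preference list forces the whole conversation down to 3DES, and a sender who hardcodes `cipher-algo AES256` produces messages that a recipient whose key never advertised AES256 is not guaranteed to handle.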