From wk at gnupg.org Mon Oct 1 17:26:57 2007 
From: wk at gnupg.org (Werner Koch)
Date: Mon, 01 Oct 2007 17:26:57 +0200
Subject: Important Assuan change under Windows.
Message-ID: <87zlz2ua7y.fsf@wheatstone.g10code.de>

Hi,

while reviewing our Windows implementation of the Unix domain socket emulation, a serious flaw was detected: Any regular user on the local box would be able to connect to a server of another user. Given that the GnuPG-2 port to Windows is still in development and not for production use, no harm is caused. No version of GnuPG-1 (e.g. 1.4.7) is affected.

I have fixed this now in the SVN of libassuan and GnuPG.

Required changes for clients:

 * Build against the latest libassuan (-r 267).
 * That's all.

Required changes for servers:

 * Build against the latest libassuan (-r 267)
 * Remove the w32-afunix calls.
 * Replace the socket creation calls with the new assuan wrappers.
 * Save a nonce created by the wrapper's bind implementation.
 * On connection check that nonce.

Here is a commented server example:

  static assuan_sock_nonce_t socket_nonce;

This variable is used to save the nonce.

  struct sockaddr_un *serv_addr;
  socklen_t len;
  assuan_fd_t fd;
  int rc;

The assuan_fd_t is used to cope with the problem that under Windows system file descriptors (as used by Libassuan) are actually of type HANDLE and implemented as pointers. With 32 bit systems it is not a problem to cast them to ints, however with 64 bit Windows this won't work, thus we use this new type. Under Unix it is typedefed as int of course.

  fd = assuan_sock_new (AF_UNIX, SOCK_STREAM, 0);
  if (fd == ASSUAN_INVALID_FD)
    handle_error ();

This is identical to socket. Again for portability, ASSUAN_INVALID_FD is used instead of the -1.

  serv_addr = xmalloc (sizeof (*serv_addr));
  memset (serv_addr, 0, sizeof *serv_addr);
  serv_addr->sun_family = AF_UNIX;
  assert (strlen (socket_name) + 1 < sizeof (serv_addr->sun_path));
  strcpy (serv_addr->sun_path, socket_name);
  len = (offsetof (struct sockaddr_un, sun_path)
         + strlen (serv_addr->sun_path) + 1);
  rc = assuan_sock_bind (fd, (struct sockaddr*) serv_addr, len);

Here we have called the wrapper for bind. Only under Windows and only if an AF_UNIX socket is used, the bind wrapper makes a difference: In that case bind is called for AF_INET on the loopback interface and the returned TCP port is written to the file given by SOCKET_NAME. In addition a random nonce is written to the file.

  if (rc != -1
      && (rc=assuan_sock_get_nonce ((struct sockaddr*)serv_addr,
                                    len, &socket_nonce)))
    fprintf (stderr, "error getting nonce for the socket\n");
  if (rc == -1)
    handle_error ();

Calling assuan_sock_get_nonce is important. It returns the nonce used by the server and is required later. It does not harm to call it for non AF_UNIX or non-Windows systems - in that case the entire nonce feature has an internal shortcut.

For each connection - after the accept and before the first read - a new call is required:

  if (assuan_sock_check_nonce (accepted_fd, &socket_nonce))
    {
      fprintf (stderr, "error reading nonce: %s\n", strerror (errno));
      /* Drop only this client; the listening socket FD stays open.  */
      assuan_sock_close (accepted_fd);
    }
  else
    process_request ();

If it is a Unix domain socket under Windows (as indicated by SOCKET_NONCE), assuan_sock_check_nonce reads 16 bytes from the client and compares it to the nonce associated with the listening socket. Thus only clients who are actually able to read the socket file and send the nonce to the server are granted access. Sending the nonce is handled on the client side by assuan_sock_connect. The check has not been integrated into something like an assuan_sock_accept so that it better integrates with an event system or alike.
Assuan uses its own read code to read from the socket during the check; it is not expected that it blocks; in case that is a problem, setting the socket to non-blocking mode will solve the problem.

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.


From jan-oliver.wagner at intevation.de Fri Oct 12 23:23:36 2007
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Fri, 12 Oct 2007 23:23:36 +0200
Subject: import of external certificates via command line
Message-ID: <200710122324.45353.jan-oliver.wagner@intevation.de>

Hi,

I wonder whether there is a way to import an external certificate (found with

  gpgsm --list-external-keys MyName

) via command line ... ?

Best

	Jan

-- 
Dr. Jan-Oliver Wagner
Intevation GmbH
Amtsgericht Osnabrück, HR B 18998
http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
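The nonce scheme Werner describes in his "Important Assuan change under Windows" message above (the bind wrapper writes the loopback port and a random nonce to the socket file; the server accepts only clients that present that nonce before the first protocol line), as an added illustration in plain C. This is not libassuan's code and not part of either message: the function names, and the assumed file layout of a decimal port, a newline and 16 raw nonce bytes, are assumptions made for this example; the real implementation is in libassuan's assuan_sock_* wrappers.

```c
/* Added illustration (not libassuan's code) of the socket-file-plus-nonce
 * scheme used for the AF_UNIX emulation on Windows.  Assumed for this
 * example: the socket file holds the decimal loopback port, a newline and
 * 16 raw nonce bytes; all function names are ours. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NONCE_LEN 16

typedef struct { uint8_t bytes[NONCE_LEN]; } sock_nonce_t;

/* Server side (bind wrapper): serialise port and nonce into the socket
 * file image.  Returns bytes written or -1 if BUF is too small. */
int socket_file_write (uint8_t *buf, size_t bufsz, int port,
                       const sock_nonce_t *nonce)
{
  char hdr[16];
  int hlen = snprintf (hdr, sizeof hdr, "%d\n", port);
  if (hlen < 0 || (size_t)hlen + NONCE_LEN > bufsz)
    return -1;
  memcpy (buf, hdr, (size_t)hlen);
  memcpy (buf + hlen, nonce->bytes, NONCE_LEN);
  return hlen + NONCE_LEN;
}

/* Client side (connect wrapper): recover port and nonce from the file.
 * Only a process allowed to read the file learns the nonce; the loopback
 * port itself is reachable by every local user.  0 on success, -1 if the
 * file is malformed. */
int socket_file_parse (const uint8_t *buf, size_t len, int *port,
                       sock_nonce_t *nonce)
{
  size_t i = 0;
  long p = 0;
  while (i < len && i < 5 && buf[i] >= '0' && buf[i] <= '9')
    p = p * 10 + (buf[i++] - '0');
  if (i == 0 || i >= len || buf[i] != '\n' || p < 1 || p > 65535)
    return -1;
  i++;
  if (len - i != NONCE_LEN)
    return -1;
  memcpy (nonce->bytes, buf + i, NONCE_LEN);
  *port = (int)p;
  return 0;
}

/* Server side, after accept() and before the first protocol line: the
 * client must send exactly the 16 nonce bytes.  Constant-time compare so
 * a wrong guess does not leak how many leading bytes matched.  1 = grant. */
int nonce_check (const uint8_t *received, size_t rlen,
                 const sock_nonce_t *expected)
{
  uint8_t diff = 0;
  size_t i;
  if (rlen != NONCE_LEN)
    return 0;
  for (i = 0; i < NONCE_LEN; i++)
    diff |= received[i] ^ expected->bytes[i];
  return diff == 0;
}

int main (void)
{
  /* Constructed nonce; a real server draws it from a CSPRNG at bind time. */
  sock_nonce_t nonce, seen;
  uint8_t file[64], bogus[NONCE_LEN] = { 0 };
  int port = 0, n;
  memset (nonce.bytes, 0xA5, NONCE_LEN);
  n = socket_file_write (file, sizeof file, 54321, &nonce);
  if (n < 0 || socket_file_parse (file, (size_t)n, &port, &seen))
    return 1;
  printf ("port %d, client with the file: %s\n", port,
          nonce_check (seen.bytes, NONCE_LEN, &nonce) ? "accepted" : "rejected");
  printf ("client without the file: %s\n",
          nonce_check (bogus, NONCE_LEN, &nonce) ? "accepted" : "rejected");
  return 0;
}
```

The property the check gives is entirely a consequence of the socket file's permissions: any account on the box can open the loopback port, but only a process that can read the file knows the 16 bytes the server demands, and a client that cannot produce them is closed before any command is parsed. Note that the comparison rejects a short read as well, so a client that sends fewer bytes is never granted access by accident.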
From antonio2 at blia.it Sat Oct 13 22:15:37 2007
From: antonio2 at blia.it (antonio)
Date: Sat, 13 Oct 2007 22:15:37 +0200
Subject: dirmngr - unknown critical extensions 2.5.29.28
Message-ID: <200710132215.38006.antonio2@blia.it>

Hi,

I've had problems loading this crl [1]

...
dirmngr[15543]: unknown critical CRL extension 2.5.29.28
dirmngr[15543]: crl_cache_insert via DP failed: Invalid CRL
dirmngr[15543]: command ISVALID failed: Invalid CRL
...

I've modified crlcache.c and it works, but it is only a temporary solution because I don't know the differences between oid 2.5.29.20 (oidstr_crlNumber in crlcache.c) and 2.5.29.28 [2]

...
  /* Check for unknown critical extensions. */
  for (idx=0; !(err=ksba_crl_get_extension (crl, idx, &oid, &critical,
                                           NULL, NULL)); idx++)
    {
      if (!critical
          || !strcmp (oid, oidstr_authorityKeyIdentifier)
          || !strcmp (oid, oidstr_crlNumber)
+         || !strcmp (oid, "2.5.29.28")
          )
...

[1] http://ca.cnipa.gov.it/crl3.crl
[2] http://www.redhat.com/docs/manuals/cert-system/admin/7.2/Certificate.Extensions.14986.html

-- 
Antonio
http://www.blia.it


From bjk at luxsci.net Sun Oct 14 00:53:26 2007
From: bjk at luxsci.net (Ben Kibbey)
Date: Sat, 13 Oct 2007 18:53:26 -0400
Subject: pinentry timeout patch
Message-ID: <200710132254.l9DMs2w9029914@rs19.luxsci.com>

Attached is a patch for pinentry (ncurses and gtk2, gtk1 and QT still need to be done) that adds a command line option --timeout and protocol option SETTIMEOUT. pinentry will return ASSUAN_Timeout if there was no user input after the set amount of seconds.

-- 
Benjamin J. Kibbey
bjk at luxsci.net/jabber/freenode
3019 F5FC AA33 5BC7 BE9F 09D2 393E DBD2 40D5 FA7E
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pinentry-0.7.3+timeout.diff
Type: text/x-diff
Size: 7204 bytes
Desc: not available
Url : /pipermail/attachments/20071013/8e7c39cf/attachment.bin
From ueno at unixuser.org Mon Oct 15 09:31:46 2007
From: ueno at unixuser.org (Daiki Ueno)
Date: Mon, 15 Oct 2007 16:31:46 +0900
Subject: [PATCH] ask passphrase twice when importing SSH keys to gpg-agent
Message-ID: <54a15d860710150031x798b6171pc0cdb007c7e73ade@mail.gmail.com>

Hello,

I have tried gpg-agent with SSH support enabled for several months and it turned out very useful. One point that makes me uneasy is that gpg-agent asks for the passphrase only once on the first-time import of SSH keys. I have sometimes mistyped initial passphrases and had to remove the key files manually.

Here is a patch which makes gpg-agent ask the initial passphrases twice when importing SSH keys.

2007-10-15  Daiki Ueno

	* command-ssh.c (reenter_compare_cb): New function; imported from
	genkey.c.
	(ssh_identity_register): Ask initial passphrase twice.

Regards,
-- 
Daiki Ueno
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gpg-agent-ssh-identity-register.diff
Type: text/x-patch
Size: 2623 bytes
Desc: not available
Url : /pipermail/attachments/20071015/32615849/attachment.bin


From wk at gnupg.org Mon Oct 15 16:42:23 2007
From: wk at gnupg.org (Werner Koch)
Date: Mon, 15 Oct 2007 16:42:23 +0200
Subject: [PATCH] ask passphrase twice when importing SSH keys to gpg-agent
In-Reply-To: <54a15d860710150031x798b6171pc0cdb007c7e73ade@mail.gmail.com> (Daiki Ueno's message of "Mon, 15 Oct 2007 16:31:46 +0900")
References: <54a15d860710150031x798b6171pc0cdb007c7e73ade@mail.gmail.com>
Message-ID: <87ir58bfsg.fsf@wheatstone.g10code.de>

On Mon, 15 Oct 2007 09:31, ueno at unixuser.org said:

> Here is a patch which makes gpg-agent ask the initial passphrases
> twice when importing SSH keys.

Applied (-r 4593).

Thanks,

  Werner

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.
From wk at gnupg.org Mon Oct 15 16:48:17 2007
From: wk at gnupg.org (Werner Koch)
Date: Mon, 15 Oct 2007 16:48:17 +0200
Subject: pinentry timeout patch
In-Reply-To: <200710132254.l9DMs2w9029914@rs19.luxsci.com> (Ben Kibbey's message of "Sat, 13 Oct 2007 18:53:26 -0400")
References: <200710132254.l9DMs2w9029914@rs19.luxsci.com>
Message-ID: <87d4vgbfim.fsf@wheatstone.g10code.de>

On Sun, 14 Oct 2007 00:53, bjk at luxsci.net said:

> Attached is a patch for pinentry (ncurses and gtk2, gtk1 and QT still
> need to be done) that adds a command line option --timeout and protocol
> option SETTIMEOUT. pinentry will return ASSUAN_Timeout if there was no
> user input after the set amount of seconds.

Thanks.

I have some doubts that it is okay to use gtk_main_quit from a signal handler. Did you check that this is okay?

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.


From wk at gnupg.org Mon Oct 15 17:04:46 2007
From: wk at gnupg.org (Werner Koch)
Date: Mon, 15 Oct 2007 17:04:46 +0200
Subject: dirmngr - unknown critical extensions 2.5.29.28
In-Reply-To: <200710132215.38006.antonio2@blia.it> (antonio2@blia.it's message of "Sat, 13 Oct 2007 22:15:37 +0200")
References: <200710132215.38006.antonio2@blia.it>
Message-ID: <877ilober5.fsf@wheatstone.g10code.de>

On Sat, 13 Oct 2007 22:15, antonio2 at blia.it said:

> I've modified crlcache.c and it works, but it is only a temporary solution
> because I don't know differences between oid 2.5.29.20 (oidstr_crlNumber in

That is the issuingDistributionPoint; a different property than the crlNumber. Dirmngr does not yet support this and thus it can't accept this CRL. If you need to support it, please enter a request into our bug tracker (bugs.gnupg.org) and we will see what we can do.

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.
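What the crlcache.c loop quoted in antonio's message decides, and why Werner's answer (dirmngr does not implement issuingDistributionPoint) means the CRL has to stay rejected, as an added self-contained C example. It is not dirmngr's or libksba's code and is not part of either message: it walks a DER "SEQUENCE OF Extension", decodes each extension OID to dotted form and refuses the CRL when an extension is marked critical but its OID is not in the list of extensions the caller actually implements. The DER bytes, the list of implemented OIDs and all function names are constructed for this example.

```c
/* Added example (not dirmngr's or libksba's code): the decision the
 * crlcache.c loop makes, applied to a raw DER CRL Extensions sequence.
 * DER bytes and the list of implemented OIDs are constructed here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read one DER tag/length header at P (N bytes available).  Supports the
 * short form and 1- or 2-byte long-form lengths.  0 on success, -1 if
 * truncated or on an unsupported length encoding. */
static int der_tlv (const uint8_t *p, size_t n, uint8_t *tag,
                    size_t *len, size_t *hdr)
{
  if (n < 2)
    return -1;
  *tag = p[0];
  if (p[1] < 0x80)
    { *len = p[1]; *hdr = 2; }
  else if (p[1] == 0x81 && n >= 3)
    { *len = p[2]; *hdr = 3; }
  else if (p[1] == 0x82 && n >= 4)
    { *len = ((size_t)p[2] << 8) | p[3]; *hdr = 4; }
  else
    return -1;
  return (*hdr + *len <= n) ? 0 : -1;
}

/* Decode OBJECT IDENTIFIER content bytes to dotted text, e.g. "2.5.29.28".
 * 0 on success, -1 on a truncated arc or if OUT is too small. */
int oid_to_string (const uint8_t *p, size_t n, char *out, size_t outsz)
{
  size_t i, pos = 0;
  unsigned long v = 0;
  int first = 1, w;
  if (n == 0)
    return -1;
  for (i = 0; i < n; i++)
    {
      v = (v << 7) | (p[i] & 0x7f);
      if (p[i] & 0x80)
        continue;                       /* more base-128 digits follow */
      if (first)
        {
          /* The first two arcs are packed into one value. */
          unsigned long a = v < 80 ? v / 40 : 2;
          unsigned long b = v < 80 ? v % 40 : v - 80;
          w = snprintf (out + pos, outsz - pos, "%lu.%lu", a, b);
          first = 0;
        }
      else
        w = snprintf (out + pos, outsz - pos, ".%lu", v);
      if (w < 0 || (size_t)w >= outsz - pos)
        return -1;
      pos += (size_t)w;
      v = 0;
    }
  return (p[n - 1] & 0x80) ? -1 : 0;  /* last arc left incomplete */
}

/* EXTS is a DER "SEQUENCE OF Extension".  KNOWN holds the OIDs whose
 * semantics the caller really implements.  Returns 0 if the CRL may be
 * used, 1 if an extension is critical but unknown (its OID is copied to
 * OFFENDING), -1 if the DER is malformed. */
int crl_check_critical_extensions (const uint8_t *exts, size_t n,
                                   const char *const *known, size_t nknown,
                                   char *offending, size_t offsz)
{
  uint8_t t;
  size_t len, hdr, off, end;
  if (der_tlv (exts, n, &t, &len, &hdr) || t != 0x30)
    return -1;
  off = hdr;
  end = hdr + len;
  while (off < end)
    {
      size_t elen, ehdr, flen, fhdr, p, k;
      char oid[64];
      int critical = 0;
      if (der_tlv (exts + off, end - off, &t, &elen, &ehdr) || t != 0x30)
        return -1;
      p = off + ehdr;
      /* extnID OBJECT IDENTIFIER */
      if (der_tlv (exts + p, end - p, &t, &flen, &fhdr) || t != 0x06)
        return -1;
      if (oid_to_string (exts + p + fhdr, flen, oid, sizeof oid))
        return -1;
      p += fhdr + flen;
      /* critical BOOLEAN DEFAULT FALSE: in DER it is present only when TRUE */
      if (der_tlv (exts + p, end - p, &t, &flen, &fhdr) == 0 && t == 0x01)
        {
          if (flen != 1)
            return -1;
          critical = exts[p + fhdr] != 0;
          p += fhdr + flen;
        }
      /* extnValue OCTET STRING; its contents are not interpreted here */
      if (der_tlv (exts + p, end - p, &t, &flen, &fhdr) || t != 0x04)
        return -1;
      if (critical)
        {
          for (k = 0; k < nknown && strcmp (oid, known[k]) != 0; k++)
            ;
          if (k == nknown)
            {
              snprintf (offending, offsz, "%s", oid);
              return 1;
            }
        }
      off += ehdr + elen;
    }
  return 0;
}

/* Constructed CRL extensions: crlNumber (2.5.29.20, non-critical), an
 * issuingDistributionPoint (2.5.29.28) marked critical, and an
 * authorityKeyIdentifier (2.5.29.35).  Extension values are dummies. */
static const uint8_t sample_exts[] = {
  0x30, 0x25,
    0x30, 0x0A, 0x06, 0x03, 0x55, 0x1D, 0x14, 0x04, 0x03, 0x02, 0x01, 0x05,
    0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x1C, 0x01, 0x01, 0xFF,
                0x04, 0x02, 0x30, 0x00,
    0x30, 0x09, 0x06, 0x03, 0x55, 0x1D, 0x23, 0x04, 0x02, 0x30, 0x00,
};
/* The extensions whose semantics this (imaginary) verifier implements. */
static const char *const implemented[] = { "2.5.29.35", "2.5.29.20" };

int main (void)
{
  char bad[64];
  int r = crl_check_critical_extensions (sample_exts, sizeof sample_exts,
                                         implemented, 2, bad, sizeof bad);
  if (r == 1)
    printf ("unknown critical CRL extension %s -> Invalid CRL\n", bad);
  else
    printf ("result %d\n", r);
  return 0;
}
```

Adding "2.5.29.28" to the implemented list, which is what the one-line change in the quoted crlcache.c loop amounts to, makes this check pass for the sample, but an IssuingDistributionPoint can declare the CRL to be partial (only some revocation reasons, only CA or only end-entity certificates, an indirect CRL). A verifier that silences the critical flag without reading the extension's contents would then treat a partial CRL as a complete one and could accept a certificate whose revocation is listed elsewhere; refusing the CRL is the behaviour the critical bit is meant to force until the extension is actually implemented.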
From wk at gnupg.org Tue Oct 16 11:34:33 2007
From: wk at gnupg.org (Werner Koch)
Date: Tue, 16 Oct 2007 11:34:33 +0200
Subject: import of external certificates via command line
In-Reply-To: <200710122324.45353.jan-oliver.wagner@intevation.de> (Jan-Oliver Wagner's message of "Fri, 12 Oct 2007 23:23:36 +0200")
References: <200710122324.45353.jan-oliver.wagner@intevation.de>
Message-ID: <877iln768m.fsf@wheatstone.g10code.de>

On Fri, 12 Oct 2007 23:23, jan-oliver.wagner at intevation.de said:

> I wonder whether there is a way to import an external certificate (found with
> gpgsm --list-external-keys MyName
> ) via command line ... ?

Just use it within a couple of hours after --list-external-keys. You can list these certificates:

  gpg --with-ephemeral --list-keys

By using them, they are made permanent.

The ephemeral flag is a kludge to allow using the list-key mechanism (with chain building etc.) also for listing external keys. When running gpgsm --list-external-keys, the found certificates are stored in gpgsm's keybox and flagged as ephemeral. This allows us to remove them after some time so that they don't collect up in the keybox and clutter the output of a plain --list-keys. An external search may return hundreds of certificates and it is unlikely that you will want them all in your keybox.

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.
From jan-oliver.wagner at intevation.de Thu Oct 18 21:49:05 2007
From: jan-oliver.wagner at intevation.de (Jan-Oliver Wagner)
Date: Thu, 18 Oct 2007 21:49:05 +0200
Subject: import of external certificates via command line
In-Reply-To: <877iln768m.fsf@wheatstone.g10code.de>
References: <200710122324.45353.jan-oliver.wagner@intevation.de> <877iln768m.fsf@wheatstone.g10code.de>
Message-ID: <200710182149.11497.jan-oliver.wagner@intevation.de>

On Tuesday 16 October 2007 11:34, Werner Koch wrote:
> On Fri, 12 Oct 2007 23:23, jan-oliver.wagner at intevation.de said:
> > I wonder whether there is a way to import an external certificate (found
> > with gpgsm --list-external-keys MyName
> > ) via command line ... ?
>
> Just use it within a couple of hours after --list-external-keys. You
> can list these certifciates:
>
> gpg --with-ephemeral --list-keys

yes, I can see the certificate (using gpgsm, not gpg, of course).

> By using them, they are made permanent.

How do I do this? I tried to encrypt something to this ID but gpgsm says it is an unknown key. I exported the key successfully, but this did not make it permanent. Then I imported it successfully.

Wouldn't it make sense to have --recv-keys implemented for gpgsm with the method to search a key and then import it? Currently, --recv-keys says it is not implemented.

Best

	Jan

-- 
Dr. Jan-Oliver Wagner
Intevation GmbH
Amtsgericht Osnabrück, HR B 18998
http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
From bjk at luxsci.net Sat Oct 20 20:28:57 2007
From: bjk at luxsci.net (Ben Kibbey)
Date: Sat, 20 Oct 2007 14:28:57 -0400
Subject: pinentry timeout patch
In-Reply-To: <87d4vgbfim.fsf@wheatstone.g10code.de>
References: <200710132254.l9DMs2w9029914@rs19.luxsci.com> <87d4vgbfim.fsf@wheatstone.g10code.de>
Message-ID: <200710201830.l9KIU3kr026934@rs19.luxsci.com>

On Mon, Oct 15, 2007 at 04:48:17PM +0200, Werner Koch wrote:
> On Sun, 14 Oct 2007 00:53, bjk at luxsci.net said:
> > Attached is a patch for pinentry (ncurses and gtk2, gtk1 and QT still
> > need to be done) that adds a command line option --timeout and protocol
> > option SETTIMEOUT. pinentry will return ASSUAN_Timeout if there was no
> > user input after the set amount of seconds.
>
> Thanks.
>
> I have some doubts that it is okay to use gtk_main_quit from a signal
> handler. Did you checked this okay?

Seems to work fine except when a button was clicked and the text entry was empty. Attached is a patch to fix it.

-- 
Benjamin J. Kibbey
bjk at luxsci.net/jabber/freenode
3019 F5FC AA33 5BC7 BE9F 09D2 393E DBD2 40D5 FA7E
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pinentry-0.7.3+timeout-2.diff
Type: text/x-diff
Size: 7388 bytes
Desc: not available
Url : /pipermail/attachments/20071020/af0aa86c/attachment.bin
From bjk at luxsci.net Thu Oct 25 15:59:20 2007
From: bjk at luxsci.net (Ben Kibbey)
Date: Thu, 25 Oct 2007 09:59:20 -0400
Subject: assuan external loop over socket
Message-ID: <200710251400.l9PE05WX010150@rs19.luxsci.com>

The assuan info docs say connecting to a socket with the external IO loop isn't supported. Are there any plans to do this in the near future? I really do need this feature. Or maybe I'm misunderstanding how to send IO FDs to the server? I have a process that wants to listen on a socket without blocking. I've done the bind/listen/pth_accept() and have an FD which is set up with assuan_init_socket_server_ext(). Then I select() on all file descriptors that are returned with assuan_get_active_fds(). When I connect to the socket with socat, I get an IPC read error from assuan_process_next(). Maybe I'm doing something wrong?

Thanks,

-- 
Benjamin J. Kibbey
bjk at luxsci.net/jabber/freenode
3019 F5FC AA33 5BC7 BE9F 09D2 393E DBD2 40D5 FA7E
From marcus.brinkmann at ruhr-uni-bochum.de Fri Oct 26 15:33:09 2007
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Fri, 26 Oct 2007 15:33:09 +0200
Subject: assuan external loop over socket
In-Reply-To: <200710251400.l9PE05WX010150@rs19.luxsci.com>
References: <200710251400.l9PE05WX010150@rs19.luxsci.com>
Message-ID: <87myu6xap6.wl%marcus.brinkmann@ruhr-uni-bochum.de>

At Thu, 25 Oct 2007 09:59:20 -0400,
Ben Kibbey wrote:
>
> The assuan info docs say connecting to a socket with the external IO
> loop isn't supported. Are there any plans to do this in the near future?

If you need to do asynchronous assuan communication in the client, then yes, there is a small function missing, which I can add easily. However, from your description below you seem to have trouble in the server, which should be fully supported already. Can you clarify?

> I really do need this feature. Or maybe I'm misunderstanding howto send
> IO FD's to the server? I have a process that wants to listen on a socket
> without blocking. I've done the bind/listen/pth_accept() and have FD
> which is setup with assuan_init_socket_server_ext(). Then I select() on
> all file descriptors that are returned with asssuan_get_active_fds().

You should select only on the inbound fd. For socket servers, this should be the same as the one returned by accept(), so there is no actual need to call assuan_get_active_fds().

> When I connect to the socket with socat, I get an IPC read error from
> assuan_process_next(). Maybe I'm doing something wrong?

I never tried with socat. You might want to try with gpg-connect-agent from the gnupg tools directory. The reference implementations are in dirmngr and gpa. Can one look at your code somewhere?

Thanks,
Marcus
From bjk at luxsci.net Fri Oct 26 17:39:47 2007
From: bjk at luxsci.net (Ben Kibbey)
Date: Fri, 26 Oct 2007 11:39:47 -0400
Subject: assuan external loop over socket
In-Reply-To: <87myu6xap6.wl%marcus.brinkmann@ruhr-uni-bochum.de>
References: <200710251400.l9PE05WX010150@rs19.luxsci.com> <87myu6xap6.wl%marcus.brinkmann@ruhr-uni-bochum.de>
Message-ID: <200710261540.l9QFe2Rs011618@rs19.luxsci.com>

On Fri, Oct 26, 2007 at 03:33:09PM +0200, Marcus Brinkmann wrote:
> At Thu, 25 Oct 2007 09:59:20 -0400,
> Ben Kibbey wrote:
> >
> > The assuan info docs say connecting to a socket with the external IO
> > loop isn't supported. Are there any plans to do this in the near future?
>
> If you need to do asynchronous assuan communication in the client,
> then yes, there is a small function missing, which I can add easily.
> However, from your description below you seem to have trouble in the
> server, which should be fully supported already. Can you clarify?

Right now I only need server support, but I'll probably end up needing client support too.

[...]

> > When I connect to the socket with socat, I get an IPC read error from
> > assuan_process_next(). Maybe I'm doing something wrong?
>
> I never tried with socat. You might want to try with
> gpg-connect-agent from the gnupg tools directory. The reference
> implementations are in dirmngr and gpa. Can one look at your code
> somewhere?

When using assuan_process() it'd show the hello line right after connecting with socat and IO with the server worked as usual. Check out http://bjk.sourceforge.net/cgi-bin/gitweb.cgi?p=pwmd.git;a=blob;h=87ee996a02c16d7e716228727f7720df87adfb65;hb=86bea292a49f09c7083d76984f34c520b4204ce6;f=src/pwmd.c#l334. I've tried both pth_event() and select() on the FD and assuan_process_next() still gives me the IPC read error.

Thanks,

-- 
Benjamin J. Kibbey
bjk at luxsci.net/jabber/freenode
3019 F5FC AA33 5BC7 BE9F 09D2 393E DBD2 40D5 FA7E
From wk at gnupg.org Fri Oct 26 16:14:26 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 26 Oct 2007 16:14:26 +0200
Subject: [Announce] Libgcrypt 1.3.1 released
Message-ID: <87tzoem08t.fsf@wheatstone.g10code.de>

Hello!

We are pleased to announce the availability of Libgcrypt 1.3.1. This is the second release of a series of development versions eventually leading to a new stable 1.4 series.

Libgcrypt is a general purpose library of cryptographic building blocks. It is originally based on code used by GnuPG. It does not provide any implementation of OpenPGP or other protocols. Thorough understanding of applied cryptography is required to use libgcrypt.

Changes compared to 1.3.1 are:

 * The entire library is now under the LGPLv2. The helper programs and the manual are under the GPLv2. Kudos to Peter Gutmann for giving permissions to relicense the rndw32 and rndunix modules.

 * The Camellia cipher is now under the LGPL and built by default.

 * Fixed a bug in the detection of symbol prefixes which inhibited the build of optimized assembler code on certain systems.

 * Updated the entropy gatherer for W32.

Source code is hosted at the GnuPG FTP server and its mirrors as listed at http://www.gnupg.org/download/mirrors.html . On the primary server the source file and its digital signature is:

 ftp://ftp.gnupg.org/gcrypt/alpha/libgcrypt/libgcrypt-1.3.1.tar.bz2 (930k)
 ftp://ftp.gnupg.org/gcrypt/alpha/libgcrypt/libgcrypt-1.3.1.tar.bz2.sig

This file is bzip2 compressed. The SHA-1 checksum is:

 eea6aea27d7e12297630de6b4fcba1b486c809c8  libgcrypt-1.3.1.tar.bz2

For help on developing with Libgcrypt you should send mail to the gcrypt-devel mailing list [1].

Improving Libgcrypt is costly, but you can help! We are looking for organizations that find Libgcrypt useful and wish to contribute back. You can contribute by reporting bugs, improving the software [2], or by donating money.

Commercial support contracts for Libgcrypt are available [3], and they help finance continued maintenance. g10 Code GmbH, a Duesseldorf based company, is currently funding Libgcrypt development. We are always looking for interesting development projects.

Happy hacking,

  Werner

[1] See http://www.gnupg.org/documentation/mailing-lists.html .
[2] Note that copyright assignments to the FSF are required.
[3] See the service directory at http://www.gnupg.org/service.html .

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : /pipermail/attachments/20071026/8e127367/attachment-0001.pgp
-------------- next part --------------
_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce
From bjk at luxsci.net Sat Oct 27 21:20:32 2007
From: bjk at luxsci.net (Ben Kibbey)
Date: Sat, 27 Oct 2007 15:20:32 -0400
Subject: assuan external loop over socket
In-Reply-To: <87myu6xap6.wl%marcus.brinkmann@ruhr-uni-bochum.de>
References: <200710251400.l9PE05WX010150@rs19.luxsci.com> <87myu6xap6.wl%marcus.brinkmann@ruhr-uni-bochum.de>
Message-ID: <200710271921.l9RJL3wK010142@rs19.luxsci.com>

On Fri, Oct 26, 2007 at 03:33:09PM +0200, Marcus Brinkmann wrote:
> > When I connect to the socket with socat, I get an IPC read error from
> > assuan_process_next(). Maybe I'm doing something wrong?
>
> I never tried with socat. You might want to try with
> gpg-connect-agent from the gnupg tools directory. The reference
> implementations are in dirmngr and gpa. Can one look at your code
> somewhere?

I think I found the problem. In assuan_init_socket_server_ext(), ctx->inbound.fd and ctx->outbound.fd are set to ASSUAN_INVALID_FD (-1) while ctx->connected_fd is set to the passed fd which is the fd returned by accept() (right?). So the IPC read error is because the file descriptor is invalid. Does the client have to set INPUT and OUTPUT file descriptors before any IO can happen?

-- 
Benjamin J. Kibbey
bjk at luxsci.net/jabber/freenode
3019 F5FC AA33 5BC7 BE9F 09D2 393E DBD2 40D5 FA7E
From marcus.brinkmann at ruhr-uni-bochum.de Sun Oct 28 20:15:40 2007
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Sun, 28 Oct 2007 20:15:40 +0100
Subject: assuan external loop over socket
In-Reply-To: <200710271921.l9RJL3wK010142@rs19.luxsci.com>
References: <200710251400.l9PE05WX010150@rs19.luxsci.com> <87myu6xap6.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200710271921.l9RJL3wK010142@rs19.luxsci.com>
Message-ID: <87bqajxd7n.wl%marcus.brinkmann@ruhr-uni-bochum.de>

At Sat, 27 Oct 2007 15:20:32 -0400,
Ben Kibbey wrote:
>
> On Fri, Oct 26, 2007 at 03:33:09PM +0200, Marcus Brinkmann wrote:
> > > When I connect to the socket with socat, I get an IPC read error from
> > > assuan_process_next(). Maybe I'm doing something wrong?
> >
> > I never tried with socat. You might want to try with
> > gpg-connect-agent from the gnupg tools directory. The reference
> > implementations are in dirmngr and gpa. Can one look at your code
> > somewhere?
>
> I think I found the problem. In assuan_init_socket_server_ext(),
> ctx->inbound.fd and ctx->outbound.fd are set to ASSUAN_INVALID_FD (-1)
> while ctx->connected_fd is set to the passed fd which is the fd returned
> by accept() (right?). So the IPC read error is because the file
> descriptor is invalid. Does the client have to set INPUT and OUTPUT file
> descriptors before any IO can happen?

Ah, ok. You still have to call assuan_accept () to run the bottom handler and run the initial handshake of the protocol.

Thanks,
Marcus
From ametzler at downhill.at.eu.org Sun Oct 28 19:20:31 2007
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Sun, 28 Oct 2007 19:20:31 +0100
Subject: Libgcrypt 1.3.1 fails to build from source on HPPA (undefined reference to `__udiv_qrnnd')
Message-ID:

Hello,

this was reported by Frank Lichtenheld. libgcrypt11 1.3.1-1 fails to build on hppa:

| Making all in tests
| make[3]: Entering directory `/build/buildd/libgcrypt11-1.3.1/tests'
| cc -DHAVE_CONFIG_H -I. -I.. -I../src -I../src -g -Wall -O2 -Wall -Wpointer-arith -c version.c
| /bin/sh ../libtool --tag=CC --mode=link cc -g -Wall -O2 -Wall -Wpointer-arith -o version version.o ../src/libgcrypt.la
| mkdir .libs
| cc -g -Wall -O2 -Wall -Wpointer-arith -o .libs/version version.o ../src/.libs/libgcrypt.so
| ../src/.libs/libgcrypt.so: undefined reference to `__udiv_qrnnd'

The full buildlog and tree (both extracted and as tarball) is available on http://www.bebt.de/debian/libgcrypt/

cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
From wk at gnupg.org Mon Oct 29 09:40:06 2007
From: wk at gnupg.org (Werner Koch)
Date: Mon, 29 Oct 2007 09:40:06 +0100
Subject: Libgcrypt 1.3.1 fails to build from source on HPPA (undefined reference to `__udiv_qrnnd')
In-Reply-To: (Andreas Metzler's message of "Sun, 28 Oct 2007 19:20:31 +0100")
References:
Message-ID: <87lk9miaah.fsf@wheatstone.g10code.de>

On Sun, 28 Oct 2007 19:20, ametzler at downhill.at.eu.org said:

> | ../src/.libs/libgcrypt.so: undefined reference to `__udiv_qrnnd'
>
> The full buildlog and tree (both extracted and as tarball) is
> available on http://www.bebt.de/debian/libgcrypt/

I looked at it and it seems that the configure script does not find the asm modules for HPPA (pa7100). This is required because there is only an asm version of udiv_qrnnd. I called config.links manually and it worked as expected.

Unfortunately this script has no included debugging support. I debug config.links by inserting a set -x into it. However, I don't have access to a HP box.

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.
From ametzler at downhill.at.eu.org Mon Oct 29 20:20:13 2007
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Mon, 29 Oct 2007 20:20:13 +0100
Subject: Libgcrypt 1.3.1 fails to build from source on HPPA (undefined reference to `__udiv_qrnnd')
References: <87lk9miaah.fsf@wheatstone.g10code.de>
Message-ID:

Werner Koch wrote:
[...]
> I looked at it and it seems that configure script does not find the asm
> modules for HPPA (pa7100). This is required because there is only an
> asm version of udiv_qrnnd. I called config.links manually and it worked
> as expected.

> Unfortuntelly this script has no included debugging support. I debug
> config.links by a inserting a set -x into it. However, I don't have
> access to a HP box.

${target} seems to be empty when the script is invoked, see /mpi/asm-syntax.h.

cu and-
I am too tired to do more checking today.
-reas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
From wk at gnupg.org Mon Oct 29 21:04:15 2007
From: wk at gnupg.org (Werner Koch)
Date: Mon, 29 Oct 2007 21:04:15 +0100
Subject: libgpg-error 1.6 released
In-Reply-To: <871wbdbtw6.fsf@wheatstone.g10code.de> (Werner Koch's message of "Mon, 29 Oct 2007 20:30:49 +0100")
References: <87abq4qnj0.fsf@mocca.josefsson.org> <87ejfef2hs.fsf@wheatstone.g10code.de> <878x5mj87b.fsf@mocca.josefsson.org> <871wbdbtw6.fsf@wheatstone.g10code.de>
Message-ID: <87sl3tads0.fsf_-_@wheatstone.g10code.de>

Hi,

libgpg-error 1.6 is now available.

Noteworthy changes in version 1.6 (2007-10-29)
----------------------------------------------

 * Fixed a build problem under Windows (with newer releases of mingw32).

 * Interface changes relative to the 1.4 release:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 GPG_ERR_UNFINISHED          NEW
 GPG_ERR_SOURCE_GPA          NEW
 GPG_ERR_SOURCE_KLEO         NEW

GPG_ERR_UNFINISHED is useful for asynchronous operations where you want to tell the caller that the operation is now on a work queue and could not be finished immediately.

GPG_ERR_SOURCE_GPA is used by GPA for its experimental server mode.

GPG_ERR_SOURCE_KLEO will be used by KDE's Kleopatra for its forthcoming server mode.

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.
From wk at gnupg.org Mon Oct 29 21:25:51 2007
From: wk at gnupg.org (Werner Koch)
Date: Mon, 29 Oct 2007 21:25:51 +0100
Subject: Libgcrypt 1.3.1 fails to build from source on HPPA (undefined reference to `__udiv_qrnnd')
In-Reply-To: (Andreas Metzler's message of "Mon, 29 Oct 2007 20:20:13 +0100")
References: <87lk9miaah.fsf@wheatstone.g10code.de>
Message-ID: <87ejfdacs0.fsf@wheatstone.g10code.de>

On Mon, 29 Oct 2007 20:20, ametzler at downhill.at.eu.org said:

> ${target} seems to be empty when the script is invoked, see /mpi/asm-syntax.h.

Ah well, I forgot to fix it in mpi/config.links. Try this patch:

2007-10-29  Werner Koch

	* config.links: No Canadian Cross here, thus use $host instead of
	$target.

Index: mpi/config.links
===================================================================
--- mpi/config.links	(revision 1265)
+++ mpi/config.links	(working copy)
@@ -35,10 +35,10 @@
 echo '/* created by config.links - do not edit */' >./mpi/asm-syntax.h
-echo "/* Target: ${target} */" >>./mpi/asm-syntax.h
+echo "/* Host: ${host} */" >>./mpi/asm-syntax.h
 if test "$try_asm_modules" = "yes" ; then
-case "${target}" in
+case "${host}" in
     powerpc-apple-darwin* | \
     i[34567]86*-*-openbsd[12]* | \
     i[34567]86*-*-openbsd3.[0123]*)
@@ -326,7 +326,7 @@
 mpi_mod_list=
 path=`echo "$mpi_extra_path $path generic" | tr ':' ' '`
 echo '/* Created by config.links - do not edit */' >./mpi/mod-source-info.h
-echo "/* Target: ${target} */" >>./mpi/mod-source-info.h
+echo "/* Host: ${host} */" >>./mpi/mod-source-info.h
 echo "static char mod_source_info[] =" >>./mpi/mod-source-info.h
 for fn in $mpi_required_modules ; do
     fnu=`echo $fn | sed 's/-/_/g'`

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.
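Review bot: in the first hunk (@@ -35,10 +35,10 @@), `case "${host}" in` still has no check that the variable is non-empty, and an empty value is exactly what went unnoticed with `${target}`: nothing matched the HPPA pattern, the generic path was taken, and the asm-only udiv_qrnnd was never built, surfacing much later as the undefined reference in the tests link. Suggest failing early, for instance `test -n "$host" || { echo "config.links: host is not set" >&2; exit 1; }` just before the `if test "$try_asm_modules" = "yes" ; then` line, so a mis-invoked script breaks the build loudly rather than producing a libgcrypt.so that cannot link.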
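Review bot: in the second hunk (@@ -326,7 +326,7 @@) the marker written into mod-source-info.h changes from `Target:` to `Host:`, consistent with asm-syntax.h in the first hunk, but the ChangeLog entry only mentions using $host instead of $target and not that the comment string in both generated headers is renamed, which is what someone inspecting the headers (as was done with /mpi/asm-syntax.h earlier in this thread) will search for. Mention the renamed marker in the ChangeLog entry.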
From ametzler at downhill.at.eu.org Tue Oct 30 19:35:40 2007
From: ametzler at downhill.at.eu.org (Andreas Metzler)
Date: Tue, 30 Oct 2007 19:35:40 +0100
Subject: Libgcrypt 1.3.1 fails to build from source on HPPA (undefined reference to `__udiv_qrnnd')
References: <87lk9miaah.fsf@wheatstone.g10code.de> <87ejfdacs0.fsf@wheatstone.g10code.de>
Message-ID:

Werner Koch wrote:
> On Mon, 29 Oct 2007 20:20, ametzler at downhill.at.eu.org said:
>> ${target} seems to be empty when the script is invoked, see /mpi/asm-syntax.h.

> Ah well, I forgot to fix it in mpi/config.links. Try this patch:
[...]

Thank you. The patch works.

cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
From hanno at hboeck.de Tue Oct 30 23:14:45 2007
From: hanno at hboeck.de (Hanno Böck)
Date: Tue, 30 Oct 2007 23:14:45 +0100
Subject: Double-encoding of uids
Message-ID: <200710302314.47827.hanno@hboeck.de>

Hi,

I've created a new UID some days ago for my key (3dbd3b20, uid is online), which seems to be broken, it's double encoded. pgpdump gives this:

	User ID - Johannes B\xc3\x83\xc2\xb6ck

I'm using gentoo, gnupg version is 2.0.7, locale de_DE.utf-8. I've tried to create a new test key with umlauts, same thing.

Any idea what's wrong?

hanno at laverne ~ $ locale
LANG=de_DE.utf8
LC_CTYPE="de_DE.utf8"
LC_NUMERIC="de_DE.utf8"
LC_TIME="de_DE.utf8"
LC_COLLATE="de_DE.utf8"
LC_MONETARY="de_DE.utf8"
LC_MESSAGES="de_DE.utf8"
LC_PAPER="de_DE.utf8"
LC_NAME="de_DE.utf8"
LC_ADDRESS="de_DE.utf8"
LC_TELEPHONE="de_DE.utf8"
LC_MEASUREMENT="de_DE.utf8"
LC_IDENTIFICATION="de_DE.utf8"
LC_ALL=de_DE.utf8

-- 
Hanno Böck		Blog:	http://www.hboeck.de/
GPG: 3DBD3B20		Jabber:	hanno at hboeck.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : /pipermail/attachments/20071030/1a80be0a/attachment.pgp
From: wk at gnupg.org (Werner Koch)
Date: Wed, 31 Oct 2007 12:08:49 +0100
Subject: Double-encoding of uids
In-Reply-To: <200710302314.47827.hanno@hboeck.de> (Hanno Böck's message of "Tue, 30 Oct 2007 23:14:45 +0100")
References: <200710302314.47827.hanno@hboeck.de>
Message-ID: <87ve8n4k3i.fsf@wheatstone.g10code.de>

On Tue, 30 Oct 2007 23:14, hanno at hboeck.de said:

> I'm using gentoo, gnupg version is 2.0.7, locale de_DE.utf-8.
> I've tried to create a new test key with umlauts, same thing.

While asking for the confirmation of the new name, did it show the used character set, like:

  Email-Adresse:
  Kommentar:
  Sie benutzen den Zeichensatz `iso-8859-1'
  Sie haben diese User-ID gewählt:
      "foo ?"

(gpg's German messages; in English: "Email address:", "Comment:", "You are using the `iso-8859-1' character set.", "You selected this USER-ID:")

Under your locale you should have seen 'utf-8'. As a workaround you may use --charset=utf8 to override the default taken from the locale.

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 31 Oct 2007 12:41:27 +0100
Subject: gpg-agent and pinentry docs and testing
Message-ID: <200710311241.31663.bernhard@intevation.de>

Is there a way documented how to use pinentry in automated testing? Especially GUI testing?

I have heard that there are keys possible without passphrase. Is this true for both gpg and gpgsm? As pinentry would not pop up then, I guess this would only allow testing part of the code path, as there is no call to pinentry then.

Is there a different way to feed gpg-agent a passphrase when it calls pinentry? Maybe a pinentry for testing? When the no-grab option is given, I guess a regular X11-based testing tool could just fill in the passphrase.

Has somebody already done this and is willing to share hints?

BTW: I found minor issues with the documentation while searching for this. See attached patch.

Is there a way with texinfo to have "info gpgsm" also open the same page as "info gnupg2" does now?

-- 
Managing Director - Owner: www.intevation.net       (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

-------------- next part --------------
A non-text attachment was scrubbed...
Name: gpg-agen-r4572-ber1.patch
Type: text/x-diff
Size: 882 bytes
Desc: not available
Url : /pipermail/attachments/20071031/56fce3a1/attachment.bin
From: hanno at hboeck.de (Hanno Böck)
Date: Wed, 31 Oct 2007 12:42:07 +0100
Subject: Double-encoding of uids
In-Reply-To: <87ve8n4k3i.fsf@wheatstone.g10code.de>
References: <200710302314.47827.hanno@hboeck.de> <87ve8n4k3i.fsf@wheatstone.g10code.de>
Message-ID: <200710311242.10322.hanno@hboeck.de>

On Wednesday 31 October 2007 Werner Koch wrote:
> Under your locale you should have seen 'utf-8'. As a workaround you may
> use --charset=utf8 to override the default taken from the locale.

I see

  Sie benutzen den Zeichensatz `iso-8859-1'
  Sie haben diese User-ID gewählt:
      "f?? b? "

(in English: "You are using the `iso-8859-1' character set." / "You selected this USER-ID:")

Bug in gpg?

-- 
Hanno Böck    Blog: http://www.hboeck.de/
GPG: 3DBD3B20 Jabber: hanno at hboeck.de
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Wed, 31 Oct 2007 14:00:32 +0100
Subject: gpg-agent and pinentry docs and testing
In-Reply-To: <200710311241.31663.bernhard@intevation.de>
References: <200710311241.31663.bernhard@intevation.de>
Message-ID: <87hck7mob3.wl%marcus.brinkmann@ruhr-uni-bochum.de>

At Wed, 31 Oct 2007 12:41:27 +0100, Bernhard Reiter wrote:

> Is there a way documented how to use pinentry in automated testing?

Not documented. The GPGME test suite does this, however.

> Especially GUI testing?

Never done that.

> I have heard that there are keys possible without passphrase
> Is this true for both gpg and gpgsm?

Yes. In GPGME, we also use the old passphrase-fd mechanism for gpg (for this, we unset GPG_AGENT_INFO).

However, for a function like genkey this is not sufficient.

> As pinentry would not pop up then, I guess, this would only allow
> to test part of the code path, as there is no call to pinentry now.

Right.

> Is there a different way to feed the gpg-agent a passphrase
> when it calls pinentry? Maybe a pinentry for testing?

This is possible, but such a pinentry has not been implemented yet. It would be quite easy to script one, though, as it does not have to do much.

You could also use the preset passphrase mechanism of gpg-agent. However, it would be a good idea to start a new gpg-agent for the test session then, for cleanliness.

> BTW: I found minor issues with documentation, while searching for this.
> See attached patch.

Applied, thanks.

> Is there a way with texinfo to have "info gpgsm" also open the
> same page as "info gnupg2" does now?

Should already be the case. In doc/gnupg.texi:

@direntry
* gpg2: (gnupg).               OpenPGP encryption and signing tool.
* gpgsm: (gnupg).              S/MIME encryption and signing tool.
@end direntry

Thanks,
Marcus
From: wk at gnupg.org (Werner Koch)
Date: Wed, 31 Oct 2007 14:07:06 +0100
Subject: Double-encoding of uids
In-Reply-To: <200710311242.10322.hanno@hboeck.de> (Hanno Böck's message of "Wed, 31 Oct 2007 12:42:07 +0100")
References: <200710302314.47827.hanno@hboeck.de> <87ve8n4k3i.fsf@wheatstone.g10code.de> <200710311242.10322.hanno@hboeck.de>
Message-ID: <87mytz4emd.fsf@wheatstone.g10code.de>

On Wed, 31 Oct 2007 12:42, hanno at hboeck.de said:

> Sie benutzen den Zeichensatz `iso-8859-1'
> Bug in gpg?

I doubt that. The code to detect the character set is straightforward and I have never heard of any problems on modern systems. You might want to check with your GNU/Linux distributor.

Check that config.h has these lines:

  /* Define if you have <langinfo.h> and nl_langinfo(CODESET). */
  #define HAVE_LANGINFO_CODESET 1

In theory it is possible that due to a failure of the iconv function gpg falls back to Latin-1. If you want to debug the problem, set a breakpoint at set_native_charset and also watch for changes of active_charset_name in util/strgutil.c.

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.
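The bytes Hanno's pgpdump shows are exactly what a single extra Latin-1 round trip produces. The following Python script is an added illustration of that thread, not code from any of the mails and not part of GnuPG: it reproduces the damaged UID from the intended name, queries nl_langinfo(CODESET) the way gpg does (the check Werner points at), and offers a heuristic to recognise and undo a double-encoded UID before such a key gets signed or uploaded. The sample strings are constructed from the report above; the function names are mine.

```python
import locale

# Constructed from Hanno's report: the name as typed at a UTF-8 terminal and
# the bytes pgpdump showed in the resulting User ID packet.
INTENDED_UID = "Johannes Böck"
OBSERVED_UID_BYTES = b"Johannes B\xc3\x83\xc2\xb6ck"


def native_codeset():
    """Return what the C library reports as the locale's codeset, or "" if unknown.

    This is the same nl_langinfo(CODESET) query gpg relies on when built with
    HAVE_LANGINFO_CODESET; if it does not answer UTF-8 under a UTF-8 locale,
    gpg's default for --charset is wrong before any key is touched."""
    if not hasattr(locale, "nl_langinfo"):   # e.g. Windows builds of Python
        return ""
    try:
        locale.setlocale(locale.LC_CTYPE, "")
    except locale.Error:
        return ""
    return locale.nl_langinfo(locale.CODESET)


def double_encode(text, assumed_native="latin-1"):
    """Reproduce the defect: the terminal hands over UTF-8 bytes, gpg believes
    the native charset is Latin-1, and converts every byte to UTF-8 again."""
    terminal_bytes = text.encode("utf-8")
    misread = terminal_bytes.decode(assumed_native)   # one character per byte
    return misread.encode("utf-8")


def is_double_encoded(uid):
    """Heuristic check on a UID taken from a key: decode as UTF-8, narrow the
    result back to one byte per character, and see whether *that* is valid
    UTF-8 containing a non-ASCII byte. Correctly encoded umlauts fail this."""
    try:
        inner = uid.decode("utf-8").encode("latin-1")
        inner.decode("utf-8")
    except (UnicodeDecodeError, UnicodeEncodeError):
        return False
    return any(b >= 0x80 for b in inner)


def repair(uid):
    """Undo one layer of double encoding if present; otherwise plain UTF-8 decode."""
    if is_double_encoded(uid):
        return uid.decode("utf-8").encode("latin-1").decode("utf-8")
    return uid.decode("utf-8")
```

The heuristic can misfire on a name that legitimately consists of Latin-1-range characters forming valid UTF-8 (rare, but possible), so treat it as a warning to inspect the packet with pgpdump, not as an automatic fix. Checking before publishing matters because a UID that has reached the keyservers cannot be removed, only revoked; on the gpg side the workaround is Werner's --charset=utf8, and the real fix is making the codeset detection return the right answer.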
From: wk at gnupg.org (Werner Koch)
Date: Wed, 31 Oct 2007 14:26:06 +0100
Subject: gpg-agent and pinentry docs and testing
In-Reply-To: <200710311241.31663.bernhard@intevation.de> (Bernhard Reiter's message of "Wed, 31 Oct 2007 12:41:27 +0100")
References: <200710311241.31663.bernhard@intevation.de>
Message-ID: <87ir4n4dqp.fsf@wheatstone.g10code.de>

On Wed, 31 Oct 2007 12:41, bernhard at intevation.de said:

> Is there a way documented how to use pinentry in automated testing?
> Especially GUI testing?

I can't tell. What I heard is that xnee can be used for this.

> I have heard that there are keys possible without passphrase
> Is this true for both gpg and gpgsm?

Yes.

> Is there a different way to feed the gpg-agent a passphrase
> when it calls pinentry? Maybe a pinentry for testing?

What I do to debug pinentry is using a wrapper like:

  #!/bin/sh
  printenv >/tmp/pinentry.env
  exec strace -o /tmp/pinentry.trc -e read=0 \
       /foo/bar/pinentry-foo -e -d "$@" 2>/tmp/pinentry.err

Something like this could be used to fake a pinentry.

> BTW: I found minor issues with documentation, while searching for this.
> See attached patch.

Thanks.

> Is there a way with texinfo to have "info gpgsm" also open the
> same page as "info gnupg2" does now?

The distribution already installs it like this, but Debian prefers to show the man pages instead.

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.
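Marcus says a test pinentry "does not have to do much" and Werner shows a shell wrapper that could be turned into one. As an added example (my code, not from the mails and not the pinentry project's own), here is the minimum such a fake needs: gpg-agent talks to pinentry over the Assuan line protocol on stdin/stdout, so the script prints the greeting, acknowledges every setting command, answers GETPIN with a fixed passphrase as a percent-escaped D line followed by OK, auto-confirms CONFIRM and MESSAGE, and closes on BYE. The environment variable name and the set of accepted commands are my assumptions.

```python
#!/usr/bin/env python3
"""Scriptable stand-in for pinentry, for automated tests only: it answers
every GETPIN with a fixed passphrase and confirms every dialog."""
import os
import sys

# Setting commands a pinentry accepts; we acknowledge and ignore them.
SETTINGS = {"OPTION", "SETDESC", "SETPROMPT", "SETERROR", "SETOK", "SETCANCEL",
            "SETNOTOK", "SETTITLE", "SETQUALITYBAR", "SETKEYINFO", "RESET"}


def escape_data(value):
    """Percent-escape the characters that may not appear raw in an Assuan D line."""
    return value.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def handle_command(line, passphrase):
    """Answer one Assuan command; returns the reply lines (without terminators)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []                                   # blank lines and comments are ignored
    cmd, _, args = line.partition(" ")
    cmd = cmd.upper()
    if cmd == "BYE":
        return ["OK closing connection"]
    if cmd == "GETPIN":
        return ["D " + escape_data(passphrase), "OK"]
    if cmd in ("CONFIRM", "MESSAGE"):
        return ["OK"]                               # every yes/no dialog is answered "yes"
    if cmd == "GETINFO":
        return ["D " + str(os.getpid()), "OK"] if args == "pid" else ["OK"]
    if cmd in SETTINGS:
        return ["OK"]
    # Unknown command: the error real pinentry reports (GPG_ERR_ASS_UNKNOWN_CMD
    # tagged with the pinentry error source).
    return ["ERR 67109139 Unknown IPC command <Pinentry>"]


def serve(inp, out, passphrase):
    """Protocol loop over two text streams; returns the number of commands answered."""
    out.write("OK Pleased to meet you\n")          # greeting the agent waits for
    out.flush()
    count = 0
    for raw in inp:
        replies = handle_command(raw, passphrase)
        for reply in replies:
            out.write(reply + "\n")
        out.flush()                                 # the agent blocks until it sees OK/ERR
        if replies:
            count += 1
        if raw.strip().upper() == "BYE":
            break
    return count


if __name__ == "__main__":
    # Passphrase from the test run's environment (assumed variable name);
    # keep it off the command line, where other users can read it.
    serve(sys.stdin, sys.stdout, os.environ.get("FAKE_PINENTRY_PASSPHRASE", ""))
```

To use it, save the script, make it executable, and point a gpg-agent started only for the test run at it with --pinentry-program, inside a throw-away GNUPGHOME so the fake never serves a real keyring. For the test itself the agent's --no-grab option is irrelevant, since nothing is drawn; the wrapper Werner shows can be stacked in front of it to trace what the agent actually sends.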
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 31 Oct 2007 14:53:39 +0100
Subject: This Mailman eats signatures (was: gpg-agent and pinentry docs and testing)
In-Reply-To: <200710311241.31663.bernhard@intevation.de>
References: <200710311241.31663.bernhard@intevation.de>
Message-ID: <200710311453.47909.bernhard@intevation.de>

In case you wonder why my last emails had a "bad" signature.

On Wednesday 31 October 2007 12:41, Bernhard Reiter wrote:
> Nachricht wurde signiert mit dem Schlüssel 0xE63B9E2D88CD872F.
> ...
> Status: Ungültige Signatur

(in English: "Message was signed with key 0xE63B9E2D88CD872F. ... Status: invalid signature")

My guess is that GnuPG's Mailman eats the signature. The email I had sent contained:

  Content-Type: text/x-diff; charset="iso-8859-1"; name="gpg-agen-r4572-ber1.patch"

Mailman transformed it to:

  Content-Type: text/x-diff; charset="iso-8859-1"; name="gpg-agen-r4572-ber1.patch"

My suggestion is to apply a patch or move to a version of Mailman that has been patched. Debian's package should have a patch already. Details: https://sourceforge.net/tracker/index.php?func=detail&aid=933757&group_id=103&atid=300103

-- 
Managing Director - Owner: www.intevation.net       (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 31 Oct 2007 15:00:33 +0100
Subject: gpg-agent and pinentry docs and testing
In-Reply-To: <87hck7mob3.wl%marcus.brinkmann@ruhr-uni-bochum.de>
References: <200710311241.31663.bernhard@intevation.de> <87hck7mob3.wl%marcus.brinkmann@ruhr-uni-bochum.de>
Message-ID: <200710311500.34507.bernhard@intevation.de>

On Wednesday 31 October 2007 14:00, Marcus Brinkmann wrote:
> At Wed, 31 Oct 2007 12:41:27 +0100,
> Bernhard Reiter wrote:
> > Is there a way documented how to use pinentry in automated testing?
>
> Not documented. The GPGME test suite does this, however.

Thanks for the hint.

> > I have heard that there are keys possible without passphrase
> > Is this true for both gpg and gpgsm?
>
> Yes. In GPGME, we also use the old passphrase-fd mechanism for gpg
> (for this, we unset GPG_AGENT_INFO).
>
> However, for a function like genkey this is not sufficient.

Obviously.

> You could also use the preset passphrase mechanism of gpg-agent.

At first I did not find this, because it is mentioned neither in the part that documents gpg-agent nor in the part for pinentry. It is in info gnupg2 "Helper Tools", specifically info gnupg2 "Helper Tools" gpg-preset-passphrase.

> > Is there a way with texinfo to have "info gpgsm" also open the
> > same page as "info gnupg2" does now?
>
> Should already be the case. In doc/gnupg.texi:
>
> @direntry
> * gpg2: (gnupg). OpenPGP encryption and signing tool.
> * gpgsm: (gnupg). S/MIME encryption and signing tool.
> @end direntry

Ah! Right, it does this with "gpg2" and "gpgsm", but "gnupg" on Debian still gives me the manpage and "gpg" the gpgme info page.

Thanks,
Bernhard

-- 
Managing Director - Owner: www.intevation.net       (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
From: brian5555 at gmail.com (Brian Lee)
Date: Wed, 31 Oct 2007 10:15:57 -0700 (PDT)
Subject: Development problem with passphrase-fd
Message-ID: <13514234.post@talk.nabble.com>

I am working on an application that works by spawning the GPG command line, using the passphrase-fd feature. The problem is that these commands worked fine when I tested them in the DOS command prompt, but did not work in my program using CreateProcess. I tried both the "echo passphrase" and the "redirect from passphrase file" approaches, but none of them worked. I wonder if I could use CreateProcess, or whether there is a better way. Any suggestions would be appreciated.

Here is the code of my test program on Windows XP:

=================================================
#include "stdafx.h"
/* The three header names were lost in the archive; these are the ones
   the code below needs. */
#include <windows.h>
#include <stdio.h>
#include <tchar.h>

//-------------------------------------------------------------
HANDLE LaunchViaCreateProcess(LPCTSTR program, LPCTSTR sCommand)
{
    HANDLE hProcess = NULL;
    PROCESS_INFORMATION processInfo;
    ZeroMemory(&processInfo, sizeof(processInfo));
    STARTUPINFO startupInfo;
    ZeroMemory(&startupInfo, sizeof(startupInfo));
    startupInfo.cb = sizeof(startupInfo);

    /* CreateProcess starts the program directly: there is no cmd.exe in
       between to interpret "<", "|" or "echo" in the command line, and no
       standard handles are set up in startupInfo. */
    if (CreateProcess((LPCTSTR)program, (LPTSTR)sCommand, NULL, NULL, FALSE, 0,
                      NULL, NULL, &startupInfo, &processInfo))
    {
        hProcess = processInfo.hProcess;
        printf("SUCCESS\n");
    }
    else
    {
        printf("ERROR = %lu\n", (unsigned long)GetLastError());
    }
    return hProcess;
}

//----------------------------------------------------
int _tmain(int argc, _TCHAR* argv[])
{
    HANDLE hProcess;
    LPTSTR sCommand;

    //sCommand = _tcsdup(TEXT("echo mypass| gpg --passphrase-fd 0 --output testfile.txt --decrypt testfile.txt.gpg"));
    sCommand = _tcsdup(TEXT("gpg --batch --passphrase-fd 0 --output testfile.txt --decrypt testfile.txt.txt.gpg < mypass.txt"));
    hProcess = LaunchViaCreateProcess(NULL, sCommand);
    return 0;
}
=================================================

Thanks in advance.

Brian Lee
-- 
View this message in context: http://www.nabble.com/Development-problem-with-passphrase-fd-tf4726552.html#a13514234
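What the shell did for "echo mypass| gpg ..." and "gpg ... < mypass.txt" was to create a pipe or open the file and hand it to gpg as handle 0; CreateProcess does not parse redirections, so gpg received "<" and "mypass.txt" as literal arguments and nothing on fd 0. The added Python example below (mine, not Brian's code and not GnuPG's) shows the portable way to do the plumbing yourself: build the argument vector without any shell syntax, give the child a pipe as stdin, write the passphrase, close the pipe. Because a gpg binary is not assumed to be present, a Python one-liner that echoes its stdin stands in for gpg when checking that the passphrase really arrives on fd 0; the file names are the ones from Brian's post.

```python
import subprocess
import sys


def gpg_decrypt_argv(encrypted, output, gpg="gpg"):
    """Argument vector for a batch decrypt reading the passphrase from fd 0.

    Every element reaches gpg as exactly one argv entry: there is no shell in
    between, so '<', '|' or 'echo' would be passed to gpg literally, which is
    exactly what happens to them inside a CreateProcess command line."""
    return [gpg, "--batch", "--passphrase-fd", "0",
            "--output", output, "--decrypt", encrypted]


def spawn_with_passphrase(argv, passphrase):
    """Start argv with a pipe as its stdin, write passphrase + newline, close
    the pipe and wait. Returns (returncode, stdout_bytes, stderr_bytes).

    subprocess sets up the child's handle 0 itself (STARTUPINFO.hStdInput on
    Windows, dup2() on Unix), which is the step a bare CreateProcess call
    leaves out. fd 0 is the one --passphrase-fd value that works the same
    way on every platform."""
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = proc.communicate((passphrase + "\n").encode("utf-8"))
    return proc.returncode, out, err


def echo_stdin_argv():
    """Stand-in child for checking the plumbing without gpg installed: a
    Python one-liner that copies its stdin to its stdout unchanged."""
    return [sys.executable, "-c",
            "import sys; sys.stdout.buffer.write(sys.stdin.buffer.read())"]


if __name__ == "__main__":
    rc, out, err = spawn_with_passphrase(
        gpg_decrypt_argv("testfile.txt.gpg", "testfile.txt"), "mypass")
    sys.stderr.buffer.write(err)
    sys.exit(rc)
```

The same structure carries over to C: create an inheritable anonymous pipe, put its read end into startupInfo.hStdInput with STARTF_USESTDHANDLES, pass bInheritHandles=TRUE, and write the passphrase into the write end after CreateProcess returns. Whatever the language, never put the passphrase on the command line itself; the command line of a running process is visible to other users on the machine, while a pipe is not.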
From: sadam at clemson.edu (Adam Schreiber)
Date: Wed, 31 Oct 2007 15:37:52 -0400
Subject: Possible GPGME bug
Message-ID: <8298be230710311237k337cb490j9426eb96d7324623@mail.gmail.com>

In fixing a bug in Seahorse, I found that our feature to revoke a subkey was no longer working. It uses the gpgme_op_edit API. I checked the challenges and responses of gpg --edit-key manually and found that they matched those our state machine expected. The responses of gpgme_op_edit are different. I will paste the relevant output of running each below. I am running gpg 1.4.7 and GPGME 1.1.4.

Cheers,

Adam Schreiber

----------------8<---------------------------------------------------------
gpg --status-fd=2 --command-fd=0 --edit-key fake1
gpg (GnuPG) 1.4.7; Copyright (C) 2006 Free Software Foundation, Inc.

[GNUPG:] GET_LINE keyedit.prompt
key 2
[GNUPG:] GOT_IT
[GNUPG:] GET_LINE keyedit.prompt
revkey
[GNUPG:] GOT_IT
[GNUPG:] GET_BOOL keyedit.revoke.subkey.okay
yes
[GNUPG:] GOT_IT
[GNUPG:] GET_LINE ask_revocation_reason.code
3
[GNUPG:] GOT_IT
Enter an optional description; end it with an empty line:
[GNUPG:] GET_LINE ask_revocation_reason.text
test key
[GNUPG:] GOT_IT
[GNUPG:] GET_LINE ask_revocation_reason.text

[GNUPG:] GOT_IT
Reason for revocation: Key is no longer used
test key
[GNUPG:] GET_BOOL ask_revocation_reason.okay
yes
[GNUPG:] GOT_IT
[GNUPG:] USERID_HINT 0116FD16FA676606 fake1
[GNUPG:] NEED_PASSPHRASE 0116FD16FA676606 0116FD16FA676606 17 0

You need a passphrase to unlock the secret key for
user: "fake1"

[GNUPG:] GET_LINE keyedit.prompt
quit
[GNUPG:] GOT_IT
[GNUPG:] GET_BOOL keyedit.save.okay
-----------8<--------------------------------------------------------------
[edit key] state: 0 / status: 49 / args: keyedit.prompt
[edit key] state: 1 / status: 49 / args: keyedit.prompt
[edit key] state: 2 / status: 48 / args: keyedit.revoke.subkey.okay
[edit key] state: 3 / status: 49 / args: ask_revocation_reason.code
[edit key] state: 4 / status: 49 / args: ask_revocation_reason.text
[edit key] state: 5 / status: 48 / args: ask_revocation_reason.okay
[edit key] state: 3 / status: 49 / args: ask_revocation_reason.code
[edit key] state: 4 / status: 49 / args: ask_revocation_reason.code
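Adam's two transcripts are a good test fixture for the kind of state machine a gpgme_op_edit callback (or a direct --status-fd/--command-fd driver) has to be. The Python below is an added example of mine, not Seahorse's or GPGME's code: it parses status lines, answers the revoke-subkey dialogue strictly in the order the manual session shows, and refuses to answer any prompt that arrives out of sequence rather than guessing. That refusal is the security-relevant property: a driver that answers "yes" to whatever GET_BOOL shows up next would happily confirm a different action than the one it was written for. The two sample sessions are constructed from the transcripts above, with status 49 read as GET_LINE and 48 as GET_BOOL from the way they pair with the prompt names there.

```python
class ProtocolError(Exception):
    """gpg asked for something the script did not expect at this point."""


PROMPTS = ("GET_LINE", "GET_BOOL", "GET_HIDDEN")   # status words that want an answer


def parse_status(line):
    """Split a '[GNUPG:] KEYWORD args' line from --status-fd into (keyword, args);
    None for the human-readable output gpg mixes into the same fd."""
    line = line.rstrip("\r\n")
    prefix = "[GNUPG:] "
    if not line.startswith(prefix):
        return None
    keyword, _, args = line[len(prefix):].partition(" ")
    return keyword, args.strip()


# Scripted dialogue for 'revkey' on subkey 2, copied from the manual
# --status-fd/--command-fd session above: (status word, prompt name, reply).
REVOKE_SUBKEY_SCRIPT = [
    ("GET_LINE", "keyedit.prompt",             "key 2"),
    ("GET_LINE", "keyedit.prompt",             "revkey"),
    ("GET_BOOL", "keyedit.revoke.subkey.okay", "yes"),
    ("GET_LINE", "ask_revocation_reason.code", "3"),
    ("GET_LINE", "ask_revocation_reason.text", "test key"),
    ("GET_LINE", "ask_revocation_reason.text", ""),      # empty line ends the text
    ("GET_BOOL", "ask_revocation_reason.okay", "yes"),
    ("GET_LINE", "keyedit.prompt",             "quit"),
    ("GET_BOOL", "keyedit.save.okay",          "yes"),
]


class EditKeyDriver:
    """Answers gpg's prompts strictly in scripted order.

    A reply is only written for the exact prompt the script expects next. Any
    other prompt aborts instead of being answered, so a 'yes' intended for
    keyedit.revoke.subkey.okay can never land on a different GET_BOOL."""

    def __init__(self, script, passphrase=None):
        self.script = list(script)
        self.passphrase = passphrase
        self.state = 0

    def on_status(self, keyword, args):
        """Return the line to write to --command-fd, or None if gpg asked nothing."""
        if keyword not in PROMPTS:
            return None            # GOT_IT, USERID_HINT, NEED_PASSPHRASE: informational
        if keyword == "GET_HIDDEN" and args == "passphrase.enter":
            if self.passphrase is None:      # may appear anywhere, so not in the script
                raise ProtocolError("state %d: passphrase wanted but none given" % self.state)
            return self.passphrase
        if self.state >= len(self.script):
            raise ProtocolError("state %d: %s %s after the script ended"
                                % (self.state, keyword, args))
        exp_keyword, exp_prompt, reply = self.script[self.state]
        if (keyword, args) != (exp_keyword, exp_prompt):
            raise ProtocolError("state %d: expected %s %s, got %s %s"
                                % (self.state, exp_keyword, exp_prompt, keyword, args))
        self.state += 1
        return reply


def drive(status_lines, script=REVOKE_SUBKEY_SCRIPT, passphrase=None):
    """Feed a whole status transcript through the driver.
    Returns (replies, error); error is None if every prompt was in order, else
    the message at which the driver stopped answering."""
    driver = EditKeyDriver(script, passphrase)
    replies = []
    for line in status_lines:
        parsed = parse_status(line)
        if parsed is None:
            continue
        try:
            reply = driver.on_status(*parsed)
        except ProtocolError as exc:
            return replies, str(exc)
        if reply is not None:
            replies.append(reply)
    return replies, None


# Constructed from Adam's transcripts: the status fd of the manual session
# (human text included) and the prompt sequence gpgme_op_edit delivered.
MANUAL_SESSION = ["gpg (GnuPG) 1.4.7; Copyright (C) 2006 Free Software Foundation, Inc."] + [
    "[GNUPG:] " + s for s in (
        "GET_LINE keyedit.prompt", "GOT_IT", "GET_LINE keyedit.prompt", "GOT_IT",
        "GET_BOOL keyedit.revoke.subkey.okay", "GOT_IT",
        "GET_LINE ask_revocation_reason.code", "GOT_IT",
        "GET_LINE ask_revocation_reason.text", "GOT_IT",
        "GET_LINE ask_revocation_reason.text", "GOT_IT",
        "GET_BOOL ask_revocation_reason.okay", "GOT_IT",
        "USERID_HINT 0116FD16FA676606 fake1",
        "NEED_PASSPHRASE 0116FD16FA676606 0116FD16FA676606 17 0",
        "GET_LINE keyedit.prompt", "GOT_IT", "GET_BOOL keyedit.save.okay")]

GPGME_SESSION = ["[GNUPG:] " + s for s in (
    "GET_LINE keyedit.prompt", "GET_LINE keyedit.prompt",
    "GET_BOOL keyedit.revoke.subkey.okay", "GET_LINE ask_revocation_reason.code",
    "GET_LINE ask_revocation_reason.text", "GET_BOOL ask_revocation_reason.okay",
    "GET_LINE ask_revocation_reason.code", "GET_LINE ask_revocation_reason.code")]
```

Wired to a real process this reads status lines from the fd named by --status-fd and writes each reply, newline-terminated, to the --command-fd pipe, exactly as Adam's manual command does with stderr and stdin; using two dedicated fds keeps status lines out of the human-readable output. Against the manual session the driver answers all nine prompts; against the gpgme sequence it stops at the first prompt that is out of order, which is the behaviour a key-editing frontend wants when the library and the tool disagree about the dialogue.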