From wk at gnupg.org Wed Jan 2 09:29:25 2008
From: wk at gnupg.org (Werner Koch)
Date: Wed, 02 Jan 2008 09:29:25 +0100
Subject: logger-file vs log-file options (gnupg-2 regression?)
In-Reply-To: <9e0cf0bf0712291232s1636caa7y93aa8b7778ea4325@mail.gmail.com> (Alon Bar-Lev's message of "Sat, 29 Dec 2007 22:32:57 +0200")
References: <9e0cf0bf0712291232s1636caa7y93aa8b7778ea4325@mail.gmail.com>
Message-ID: <87k5msmxzu.fsf@wheatstone.g10code.de>

On Sat, 29 Dec 2007 21:32, alon.barlev at gmail.com said:

> The logger-file was changed to log-file in gnupg-2.

The other way around:

gnupg-2:

2004-03-23  Werner Koch

	* g10.c: New options --gpgconf-list, --debug-level and --log-file

gnupg-1:

2004-11-17  Werner Koch

	* g10.c (open_info_file): New.
	(main): Unconditionally implement --status-file, --logger-file,

> The man page continues to document logger-file.

I'll fix the man page and add an --logger-file alias.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

From wk at gnupg.org Wed Jan 2 09:35:27 2008
From: wk at gnupg.org (Werner Koch)
Date: Wed, 02 Jan 2008 09:35:27 +0100
Subject: compiling GnuPG for x86_64-pc-mingw32
In-Reply-To: <477828DC.8050601@idirect.com> (Tom Pegios's message of "Sun, 30 Dec 2007 18:25:16 -0500")
References: <477828DC.8050601@idirect.com>
Message-ID: <87fxxgmxps.fsf@wheatstone.g10code.de>

On Mon, 31 Dec 2007 00:25, tomp at idirect.com said:

> The x86_64-pc-mingw32 (64-bit) version of GnuPG can be built on MSYS
> now but requires 2 changes to the source code.

We don't support building on a native Windows platform.

> If these 2 changes can be included in GnuPG this will allow for a
> successful 64-bit build under windows without any file modifications.

As soon as the mingw cross compiling kit on Debian requires this change
it will be added.  For the time being, please maintain your own patch.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

From bernhard at intevation.de Wed Jan 2 12:34:42 2008
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 2 Jan 2008 12:34:42 +0100
Subject: import of external certificates via command line
In-Reply-To: <87ir2synyj.fsf@wheatstone.g10code.de>
References: <200710122324.45353.jan-oliver.wagner@intevation.de> <200712211715.17932.bernhard@intevation.de> <87ir2synyj.fsf@wheatstone.g10code.de>
Message-ID: <200801021234.46115.bernhard@intevation.de>

On Friday 21 December 2007 18:09, Werner Koch wrote:
> On Fri, 21 Dec 2007 17:15, bernhard at intevation.de said:
> > No it does not give me the key, only the attributes.
>
> You may then use the listed fingerprint to export the key.  Note that
> you must use the fingerprint, the keyid is wrong and the issuer DN is
> definitely wrong; only the fingerprint is ...

Okay, the procedure as far as I know is:

  gpgsm --list-external-keys Boromir
  # select the fingerprint from the listing
  gpgsm --export b0:12:12:..... >boromirskey
  gpgsm --import boromirskey

(tested with gpgsm 2.0.7)

This is confusing, because
  gpgsm --export Boromir
will _not_ work, even when there is only one key found.
Also this cannot be learned from the documentation and thus is obscure.

Bernhard

-- 
Managing Director - Owner: www.intevation.net       (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 1571 bytes
Desc: not available
URL: 

From wk at gnupg.org Wed Jan 2 13:37:00 2008
From: wk at gnupg.org (Werner Koch)
Date: Wed, 02 Jan 2008 13:37:00 +0100
Subject: import of external certificates via command line
In-Reply-To: <200801021234.46115.bernhard@intevation.de> (Bernhard Reiter's message of "Wed, 2 Jan 2008 12:34:42 +0100")
References: <200710122324.45353.jan-oliver.wagner@intevation.de> <200712211715.17932.bernhard@intevation.de> <87ir2synyj.fsf@wheatstone.g10code.de> <200801021234.46115.bernhard@intevation.de>
Message-ID: <877iisl7yr.fsf@wheatstone.g10code.de>

On Wed, 2 Jan 2008 12:34, bernhard at intevation.de said:

> This is confusing, because
>   gpgsm --export Boromir
> will _not_ work, even when there is only one key found.
> also this cannot be learned from the documentation and thus is obscure.

We have a similar thing in gpg for many years.  Only the fingerprint
unambiguously identifies a key and thus we use this hack to also export
those hidden certificates.  That feature has been implemented on request
from the KMail/Kleopatra folks.

It is not documented because it is indeed obscure ;-).


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

From bernhard at intevation.de Wed Jan 2 13:41:22 2008
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 2 Jan 2008 13:41:22 +0100
Subject: exporting and importing some subkeys
Message-ID: <200801021341.28169.bernhard@intevation.de>

With gnupg 2.0.7 (and 2.0.5):

Given two machines with .gnupg having your secret key
and doing "addkey" on one, I encountered a problem trying to transfer
the new subkey to the other.

  gpg2 --export-secret-key ABCDEF >mykey

worked even when ABCDEF is the fingerprint of my new subkey.

  gpg2 --import mykey

tells me that the key is already in my keyring.

  gpg2 --list-secret-keys

does not have the new subkey, so I guess the problem to be in the import.

Am I missing something?

Bernhard

-- 
Managing Director - Owner: www.intevation.net       (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: 

From bernhard at intevation.de Wed Jan 2 13:43:16 2008
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 2 Jan 2008 13:43:16 +0100
Subject: documentation: list format explained?
Message-ID: <200801021343.17027.bernhard@intevation.de>

Is there a section in the documentation which explains the different
attributes of a key listing, e.g. in --edit --list-keys --list-secret-keys?

I have grepped for "ssb" and did not find it in the info source.
Such a documentation would be very useful.

Bernhard

-- 
Managing Director - Owner: www.intevation.net       (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: 

From bernhard at intevation.de Wed Jan 2 14:18:45 2008
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 2 Jan 2008 14:18:45 +0100
Subject: import of external certificates via command line
In-Reply-To: <877iisl7yr.fsf@wheatstone.g10code.de>
References: <200710122324.45353.jan-oliver.wagner@intevation.de> <200801021234.46115.bernhard@intevation.de> <877iisl7yr.fsf@wheatstone.g10code.de>
Message-ID: <200801021418.46928.bernhard@intevation.de>

On Wednesday 02 January 2008 13:37, Werner Koch wrote:
> On Wed, 2 Jan 2008 12:34, bernhard at intevation.de said:
> > This is confusing, because
> >   gpgsm --export Boromir
> >   will _not_ work, even when there is only one key found.
> > also this cannot be learned from the documentation and thus is obscure.
>
> We have a similar thing in gpg for many years.  Only the fingerprint
> unambiguously identifies a key and thus we use this hack to also export
> those hidden certificates.  That feature has been implemented on request
> from the KMail/Kleopatra folks.

Well, it is good to at least have a method.

> It is not documented because it is indeed obscure ;-).

To have a way to import externally found certificates
is a feature that people are missing. So why not document the current
way until a better one is implemented.

Bernhard

-- 
Managing Director - Owner: www.intevation.net       (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: 

From wk at gnupg.org Wed Jan 2 15:20:24 2008
From: wk at gnupg.org (Werner Koch)
Date: Wed, 02 Jan 2008 15:20:24 +0100
Subject: documentation: list format explained?
In-Reply-To: <200801021343.17027.bernhard@intevation.de> (Bernhard Reiter's message of "Wed, 2 Jan 2008 13:43:16 +0100")
References: <200801021343.17027.bernhard@intevation.de>
Message-ID: <874pdwjolz.fsf@wheatstone.g10code.de>

On Wed, 2 Jan 2008 13:43, bernhard at intevation.de said:

> I have grepped for "ssb" and did not find it in the info source.
> Such a documentation would be very useful.

gnupg/doc/DETAILS

 1. Field:  Type of record
	    pub = public key
	    crt = X.509 certificate
	    crs = X.509 certificate and private key available
	    sub = subkey (secondary key)
	    sec = secret key
	    ssb = secret subkey (secondary key)
	    uid = user id (only field 10 is used).
	    uat = user attribute (same as user id except for field 10).
	    sig = signature
	    rev = revocation signature
	    fpr = fingerprint: (fingerprint is in field 10)
	    pkd = public key data (special field format, see below)
	    grp = reserved for gpgsm
	    rvk = revocation key
	    tru = trust database information
	    spk = signature subpacket
[...]


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

From wk at gnupg.org Wed Jan 2 15:22:13 2008
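The export procedure Bernhard gives earlier in this thread (list the external keys, pick the fingerprint from the listing, export by that fingerprint) and the gnupg/doc/DETAILS excerpt above meet in the --with-colons listing format: field 1 is the record type and field 10 carries the user ID of a "uid" record or the fingerprint of an "fpr" record. The following Python is an added example, not code from the thread or from GnuPG. It parses a listing laid out as DETAILS describes (the sample listing and its fingerprints are constructed for this example, not real gpgsm output), groups the fpr and uid records under their crt/pub record, and builds the gpgsm --export invocation from the one matching fingerprint, refusing to guess when the name matches zero or several certificates, since only the fingerprint identifies a certificate unambiguously.

```python
"""Parse a GnuPG/gpgsm --with-colons listing and pull out fingerprints.

Added example; not part of GnuPG.  Record layout per gnupg/doc/DETAILS:
field 1 is the record type, field 10 holds the user ID for "uid" records
and the fingerprint for "fpr" records.
"""

# Constructed sample listing (made-up key IDs and fingerprints) in the
# shape that `gpgsm --list-external-keys --with-colons` produces.
SAMPLE_LISTING = """\
crt:u:2048:1:89ABCDEF01234567:20070101:20120101::::::::
fpr:::::::::B01212AB34CD56EF7890B01212AB34CD56EF7890::
uid:::::::::/CN=Boromir/O=Gondor/C=XX::
uid:::::::::<boromir@example.org>::
crt:u:2048:1:0123456789ABCDEF:20070101:20120101::::::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567::
uid:::::::::/CN=Faramir/O=Gondor/C=XX::
"""

# Record types from DETAILS that start a new key/certificate group.
KEY_RECORDS = {"pub", "crt", "crs", "sec", "sub", "ssb"}


def parse_listing(text):
    """Group a colon listing into dicts of type, fingerprint and user IDs.

    A key-type record opens a group; the 'fpr' and 'uid' records that
    follow belong to it until the next key-type record.
    """
    groups = []
    current = None
    for line in text.splitlines():
        if not line:
            continue
        fields = line.split(":")
        rtype = fields[0]
        field10 = fields[9] if len(fields) > 9 else ""
        if rtype in KEY_RECORDS:
            current = {"type": rtype, "fpr": None, "uids": []}
            groups.append(current)
        elif current is None:
            continue  # stray record before any key record
        elif rtype == "fpr":
            current["fpr"] = field10
        elif rtype == "uid":
            current["uids"].append(field10)
    return groups


def fingerprints_matching(text, pattern):
    """Fingerprints of all groups whose user ID contains `pattern`."""
    pattern = pattern.lower()
    return [g["fpr"] for g in parse_listing(text)
            if g["fpr"] and any(pattern in u.lower() for u in g["uids"])]


def colon_fingerprint(fpr):
    """Format a hex fingerprint as AA:BB:..., the form used in the thread."""
    return ":".join(fpr[i:i + 2] for i in range(0, len(fpr), 2))


def export_command(text, pattern):
    """Build `gpgsm --export <fingerprint>` for exactly one matching cert.

    Raises LookupError when zero or several certificates match, because
    a name (or key ID or issuer DN) does not identify a certificate.
    """
    matches = fingerprints_matching(text, pattern)
    if len(matches) != 1:
        raise LookupError("expected exactly one match for %r, got %d"
                          % (pattern, len(matches)))
    return ["gpgsm", "--export", colon_fingerprint(matches[0])]


if __name__ == "__main__":
    print(" ".join(export_command(SAMPLE_LISTING, "Boromir")))
```

In practice the listing comes from `gpgsm --list-external-keys --with-colons Boromir`, and the command the script prints is the one to run before `gpgsm --import`.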
From: wk at gnupg.org (Werner Koch)
Date: Wed, 02 Jan 2008 15:22:13 +0100
Subject: import of external certificates via command line
In-Reply-To: <200801021418.46928.bernhard@intevation.de> (Bernhard Reiter's message of "Wed, 2 Jan 2008 14:18:45 +0100")
References: <200710122324.45353.jan-oliver.wagner@intevation.de> <200801021234.46115.bernhard@intevation.de> <877iisl7yr.fsf@wheatstone.g10code.de> <200801021418.46928.bernhard@intevation.de>
Message-ID: <87zlvoi9yi.fsf@wheatstone.g10code.de>

On Wed, 2 Jan 2008 14:18, bernhard at intevation.de said:

> To have a way to import externally found certificates
> is a feature that people are missing. So why not document the current
> way until a better one is implemented.

We don't document obscure features because this makes it a bit easier
for us to change the semantics.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

From alon.barlev at gmail.com Wed Jan 2 15:29:18 2008
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Wed, 2 Jan 2008 16:29:18 +0200
Subject: logger-file vs log-file options (gnupg-2 regression?)
In-Reply-To: <87k5msmxzu.fsf@wheatstone.g10code.de>
References: <9e0cf0bf0712291232s1636caa7y93aa8b7778ea4325@mail.gmail.com> <87k5msmxzu.fsf@wheatstone.g10code.de>
Message-ID: <9e0cf0bf0801020629q37aa8a98q468b222f883d4df5@mail.gmail.com>

Thanks,
Any reason to break the parameter compatibility between the two versions?
--logger-file does not work anymore.

Alon.

On 1/2/08, Werner Koch wrote:
> On Sat, 29 Dec 2007 21:32, alon.barlev at gmail.com said:
>
> > The logger-file was changed to log-file in gnupg-2.
>
> The other way around:
>
> gnupg-2:
>
> 2004-03-23  Werner Koch
>
>	* g10.c: New options --gpgconf-list, --debug-level and --log-file
>
> gnupg-1:
>
> 2004-11-17  Werner Koch
>
>	* g10.c (open_info_file): New.
>	(main): Unconditionally implement --status-file, --logger-file,
>
> > The man page continues to document logger-file.
>
> I'll fix the man page and add an --logger-file alias.
>
>
> Shalom-Salam,
>
>    Werner
>
> --
> Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.
>
>

From bernhard at intevation.de Wed Jan 2 16:20:01 2008
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 2 Jan 2008 16:20:01 +0100
Subject: import of external certificates via command line
In-Reply-To: <87zlvoi9yi.fsf@wheatstone.g10code.de>
References: <200710122324.45353.jan-oliver.wagner@intevation.de> <200801021418.46928.bernhard@intevation.de> <87zlvoi9yi.fsf@wheatstone.g10code.de>
Message-ID: <200801021620.05062.bernhard@intevation.de>

On Wednesday 02 January 2008 15:22, Werner Koch wrote:
> On Wed, 2 Jan 2008 14:18, bernhard at intevation.de said:
> > To have a way to import externally found certificates
> > is a feature that people are missing. So why not document the current
> > way until a better one is implemented.
>
> We don't document obscure features because this makes it a bit easier
> for us to change the semantics.

Werner,
somehow I feel you are weaseling around the problem...
It is a _non_ obscure problem that you cannot import an externally found
certificate. Lack of mentioning this use case in the documentation does
irritate an advanced user.

You can
a) fix the problem and add some option to gpgsm and the documentation
   so that the use case is possible
b) mention the dirty workaround somewhere, maybe declare it and its
   semantics dirty.

Doing b) is not very time intensive and will help Gnupg's quality,
which is something I have learned by user feedback and my own experiences.
I hope this feedback is welcome.

Best,
Bernhard

-- 
Managing Director - Owner: www.intevation.net       (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 1571 bytes
Desc: not available
URL: 

From bernhard at intevation.de Wed Jan 2 16:23:01 2008
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 2 Jan 2008 16:23:01 +0100
Subject: documentation: list format explained?
In-Reply-To: <874pdwjolz.fsf@wheatstone.g10code.de>
References: <200801021343.17027.bernhard@intevation.de> <874pdwjolz.fsf@wheatstone.g10code.de>
Message-ID: <200801021623.05604.bernhard@intevation.de>

On Wednesday 02 January 2008 15:20, Werner Koch wrote:
> > I have grepped for "ssb" and did not find it in the info source.
> > Such a documentation would be very useful.
>
> gnupg/doc/DETAILS

Ah! Thanks for the hint!
I suggest to add a similar hint towards the file in the gnupg2.info* files.

>  1. Field:  Type of record
> 	    pub = public key
> 	    crt = X.509 certificate
> 	    crs = X.509 certificate and private key available
> 	    sub = subkey (secondary key)
> 	    sec = secret key
> 	    ssb = secret subkey (secondary key)

-- 
Managing Director - Owner: www.intevation.net       (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: 

From wk at gnupg.org Wed Jan 2 16:56:25 2008
From: wk at gnupg.org (Werner Koch)
Date: Wed, 02 Jan 2008 16:56:25 +0100
Subject: import of external certificates via command line
In-Reply-To: <200801021620.05062.bernhard@intevation.de> (Bernhard Reiter's message of "Wed, 2 Jan 2008 16:20:01 +0100")
References: <200710122324.45353.jan-oliver.wagner@intevation.de> <200801021418.46928.bernhard@intevation.de> <87zlvoi9yi.fsf@wheatstone.g10code.de> <200801021620.05062.bernhard@intevation.de>
Message-ID: <87sl1ggr12.fsf@wheatstone.g10code.de>

On Wed, 2 Jan 2008 16:20, bernhard at intevation.de said:

> somehow I feel you are weaseling around the problem...

No.  Before you can even run an external search you need to configure
the dirmngr to *your* local environment.

   There is no universal way to find X.509 certificates - it highly
   depends on the concrete PKI!

This is very different from PGP where it is common to store keys on the
synced network of keyservers.  All real world X.509 PKIs provide a
custom way to lookup certificates - in general you need to use this
custom method.

Further, there is never a need to lookup certificates *if* the PKI is
properly working.  gpgsm will do this for you then.  If we start to
document how to get certificates from certain PKIs we will soon end up
with a large howto on how the PKIs all over the world are misconfigured
and how to solve each of the problems.  This is not the job of a general
purpose software.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

From wk at gnupg.org Wed Jan 2 17:01:33 2008
From: wk at gnupg.org (Werner Koch)
Date: Wed, 02 Jan 2008 17:01:33 +0100
Subject: logger-file vs log-file options (gnupg-2 regression?)
In-Reply-To: <9e0cf0bf0801020629q37aa8a98q468b222f883d4df5@mail.gmail.com> (Alon Bar-Lev's message of "Wed, 2 Jan 2008 16:29:18 +0200")
References: <9e0cf0bf0712291232s1636caa7y93aa8b7778ea4325@mail.gmail.com> <87k5msmxzu.fsf@wheatstone.g10code.de> <9e0cf0bf0801020629q37aa8a98q468b222f883d4df5@mail.gmail.com>
Message-ID: <87odc4gqsi.fsf@wheatstone.g10code.de>

On Wed, 2 Jan 2008 15:29, alon.barlev at gmail.com said:

> Any reason to break the parameter compatibility between the two versions?
> --logger-file does not work anymore.

There has never been a --logger-file for gpg2.  There is a --log-file
and we only later added --logger-file to gpg-1.  That is a bit
unfortunate but that is a fact for 3 years.  Also see:

>> I'll fix the man page and add an --logger-file alias.

.. to gpg2.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

From wk at gnupg.org Wed Jan 2 17:04:07 2008
From: wk at gnupg.org (Werner Koch)
Date: Wed, 02 Jan 2008 17:04:07 +0100
Subject: logger-file vs log-file options (gnupg-2 regression?)
In-Reply-To: <9e0cf0bf0801020629q37aa8a98q468b222f883d4df5@mail.gmail.com> (Alon Bar-Lev's message of "Wed, 2 Jan 2008 16:29:18 +0200")
References: <9e0cf0bf0712291232s1636caa7y93aa8b7778ea4325@mail.gmail.com> <87k5msmxzu.fsf@wheatstone.g10code.de> <9e0cf0bf0801020629q37aa8a98q468b222f883d4df5@mail.gmail.com>
Message-ID: <87k5msgqo8.fsf@wheatstone.g10code.de>

Hi,

FWIW, I just recall why we have different names: --log-file allows for a
special name "socket:///fooo" whereas --logger-file does not.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

From marcus.brinkmann at ruhr-uni-bochum.de Wed Jan 2 17:10:19 2008
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Wed, 02 Jan 2008 17:10:19 +0100
Subject: Frontend for GPG
In-Reply-To: <200712211048.25215.bernhard@intevation.de>
References: <3ac86fa70712111623wd83e701vd07440a6966dde65@mail.gmail.com> <200712211048.25215.bernhard@intevation.de>
Message-ID: <87sl1g5huc.wl%marcus.brinkmann@ruhr-uni-bochum.de>

At Fri, 21 Dec 2007 10:48:24 +0100,
Bernhard Reiter wrote:
> On Wednesday 12 December 2007 01:23, Brad Tilley wrote:
> > Are there any docs that describe a programmatic
> > interface to gpg or how to go about this sort of thing with a
> > os.system and/or os.popen library?
>
> The canonical way would be to use gpgme,
> but of course this might already have too many features for your use case.
> It would be cool to have python gpgme bindings.

http://pyme.sourceforge.net/

Thanks,
Marcus

From bernhard at intevation.de Wed Jan 2 18:01:08 2008
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 2 Jan 2008 18:01:08 +0100
Subject: import of external certificates via command line
In-Reply-To: <87sl1ggr12.fsf@wheatstone.g10code.de>
References: <200710122324.45353.jan-oliver.wagner@intevation.de> <200801021620.05062.bernhard@intevation.de> <87sl1ggr12.fsf@wheatstone.g10code.de>
Message-ID: <200801021801.13105.bernhard@intevation.de>

On Wednesday 02 January 2008 16:56, Werner Koch wrote:
> On Wed, 2 Jan 2008 16:20, bernhard at intevation.de said:
> > somehow I feel you are weaseling around the problem...
>
> No.  Before you can even run an external search you need to configure
> the dirmngr to *your* local environment.

But when my external search is working, why can't I get those certificates
right away?

>    There is no universal way to find X.509 certificates - it highly
>    depends on the concrete PKI!
>
> This is very different from PGP where it is common to store keys on the
> synced network of keyservers.  All real world X.509 PKIs provide a
> custom way to lookup certificates - in general you need to use this
> custom method.

In Germany I know the Bavarian one which responds to ldap searches.
There will always be keys that I do not have in my personal keybox
but I can find by other means. All I want is a way to get these keys
into my personal keybox when I can already find them.

> Further, there is never a need to lookup certificates *if* the PKI is
> properly working.  gpgsm will do this for you then.

You sound like locally saved keys were a bad design idea.

> If we start to
> document how to get certificates from certain PKIs we will soon end up
> with a large howto on how the PKIs all over the world are misconfigured
> and how to solve each of the problems.  This is not the job of a general
> purpose software.
The purpose of a general purpose software is to be practical and if there
are major PKIs which are "special" in different ways it might be practical
to support them so that the software is interoperable and useful.

However this is not the point. There are directory services you can ask by
LDAP which have reserved attributes for public keys. Gpgsm needs to be able
to handle LDAP anyway, thus doing external searches for these directory
services seems to be quite sensible to me. So why not import the found keys??

Bernhard

-- 
Managing Director - Owner: www.intevation.net       (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: 

From bernhard at intevation.de Wed Jan 2 18:06:17 2008
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 2 Jan 2008 18:06:17 +0100
Subject: pyme (was: Frontend for GPG)
In-Reply-To: <87sl1g5huc.wl%marcus.brinkmann@ruhr-uni-bochum.de>
References: <3ac86fa70712111623wd83e701vd07440a6966dde65@mail.gmail.com> <200712211048.25215.bernhard@intevation.de> <87sl1g5huc.wl%marcus.brinkmann@ruhr-uni-bochum.de>
Message-ID: <200801021806.18508.bernhard@intevation.de>

On Wednesday 02 January 2008 17:10, Marcus Brinkmann wrote:
> > It would be cool to have python gpgme bindings.
>
> http://pyme.sourceforge.net/

This looks abandoned, lowlevel and is based on SWIG.
Nevertheless it could be a start.

-- 
Managing Director - Owner: www.intevation.net       (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: 

From wk at gnupg.org Wed Jan 2 18:19:15 2008
From: wk at gnupg.org (Werner Koch)
Date: Wed, 02 Jan 2008 18:19:15 +0100
Subject: import of external certificates via command line
In-Reply-To: <200801021801.13105.bernhard@intevation.de> (Bernhard Reiter's message of "Wed, 2 Jan 2008 18:01:08 +0100")
References: <200710122324.45353.jan-oliver.wagner@intevation.de> <200801021620.05062.bernhard@intevation.de> <87sl1ggr12.fsf@wheatstone.g10code.de> <200801021801.13105.bernhard@intevation.de>
Message-ID: <874pdwf8mk.fsf@wheatstone.g10code.de>

On Wed, 2 Jan 2008 18:01, bernhard at intevation.de said:

> But when my external search is working, why can't I get those certificates
> right away?

Because certificates are so often broken and will mess up the
certificates you already have.  Importing all certificates available is a
bad idea and only needed if the PKI is broken - if it is broken there is
a good chance that everything gets messed up.

> In Germany I know the Bavarian one which responds to ldap searches.
> There will always be keys that I do not have in my personal keybox
> but I can find by other means.

I usually have to resort to a general LDAP browser to locate a specific
certificate.  The automatic mode works only with properly administered LDAP
directories (like the one you are running).

> You sound like locally saved keys were a bad design idea.

I did not say this.

> However this is not the point. There are directory services you can ask by
> LDAP which have reserved attributes for public keys. Gpgsm needs to be able

Tell me this attribute!  There is no standard for it and thus everyone
is using a different one.  See also "retrieving a certificate by serial
number and issuer name" (which is not possible).


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

From alon.barlev at gmail.com Wed Jan 2 17:10:35 2008
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Wed, 2 Jan 2008 18:10:35 +0200
Subject: logger-file vs log-file options (gnupg-2 regression?)
In-Reply-To: <87k5msgqo8.fsf@wheatstone.g10code.de>
References: <9e0cf0bf0712291232s1636caa7y93aa8b7778ea4325@mail.gmail.com> <87k5msmxzu.fsf@wheatstone.g10code.de> <9e0cf0bf0801020629q37aa8a98q468b222f883d4df5@mail.gmail.com> <87k5msgqo8.fsf@wheatstone.g10code.de>
Message-ID: <9e0cf0bf0801020810y4d519ac1v77933a744ac81132@mail.gmail.com>

On 1/2/08, Werner Koch wrote:
> FWIW, I just recall why we have different names: --log-file allows for a
> special name "socket:///fooo" whereas --logger-file does not.

Oh...
So we can forget about having the same arguments for both versions?
[[ Now I understand that is "alias" ]]

Alon.

From lofi at freebsd.org Wed Jan 2 20:45:43 2008
From: lofi at freebsd.org (Michael Nottebrock)
Date: Wed, 02 Jan 2008 20:45:43 +0100
Subject: dirmngr-1.0.1 needs explicit libiconv dependency for --disable-nls case
Message-ID: <477BE9E7.7070101@freebsd.org>

See subject.

Patch similar to the one found in the attachment to
http://www.freebsd.org/cgi/query-pr.cgi?pr=119016 should fix the problem.

Cheers,
-- 
   ,_,   | Michael Nottebrock               | lofi at freebsd.org
 (/^ ^\) | FreeBSD - The Power to Serve     | http://www.freebsd.org
   \u/   | K Desktop Environment on FreeBSD | http://freebsd.kde.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
URL: 

From marcus.brinkmann at ruhr-uni-bochum.de Wed Jan 2 23:32:28 2008
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Wed, 02 Jan 2008 23:32:28 +0100
Subject: dirmngr-1.0.1 needs explicit libiconv dependency for --disable-nls case
In-Reply-To: <477BE9E7.7070101@freebsd.org>
References: <477BE9E7.7070101@freebsd.org>
Message-ID: <87odc36epv.wl%marcus.brinkmann@ruhr-uni-bochum.de>

At Wed, 02 Jan 2008 20:45:43 +0100,
Michael Nottebrock wrote:
> See subject.
>
> Patch similar to the one found in the attachment to
> http://www.freebsd.org/cgi/query-pr.cgi?pr=119016 should fix the problem.

Checked in, thank you!

2008-01-02  Marcus Brinkmann

	* Makefile.am (dirmngr_LDADD, dirmngr_ldap_LDADD,
	dirmngr_client_LDADD): Add $(LIBICONV).
	Reported by Michael Nottebrock.

Marcus

-- 
g10 Code GmbH          http://g10code.com      AmtsGer. Wuppertal HRB 14459
Hüttenstr. 61          Geschäftsführung Werner Koch
D-40699 Erkrath  -=- The GnuPG Experts -=-     USt-Id DE215605608

From bernhard at intevation.de Wed Jan 2 23:41:03 2008
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 2 Jan 2008 23:41:03 +0100
Subject: import of external certificates via command line
In-Reply-To: <874pdwf8mk.fsf@wheatstone.g10code.de>
References: <200710122324.45353.jan-oliver.wagner@intevation.de> <200801021801.13105.bernhard@intevation.de> <874pdwf8mk.fsf@wheatstone.g10code.de>
Message-ID: <200801022341.07949.bernhard@intevation.de>

On Wednesday 02 January 2008 18:19, Werner Koch wrote:
> On Wed, 2 Jan 2008 18:01, bernhard at intevation.de said:
> > But when my external search is working, why can't I get those
> > certificates right away?
>
> Because certificates are so often broken and will mess up the
> certificates you already have.  Importing all certificates available is a
> bad idea and only needed if the PKI is broken - if it is broken there is
> a good chance that everything gets messed up.

I am the whole thread writing about importing a subset of certificates
that I have found by (possibly several) external searches, aka

  gpgsm --list-external-keys Frodo
  gpgsm --list-external-keys Sam
  ah, found, now
  gpgsm --with-import-please --list-external-keys Sam

> > In Germany I know the Bavarian one which responds to ldap searches.
> > There will always be keys that I do not have in my personal keybox
> > but I can find by other means.
>
> I usually have to resort to a general LDAP browser to locate a specific
> certificate.  The automatic mode works only with properly administered LDAP
> directories (like the one you are running).

I have encountered a few now, ca.intevation.de, the Bavarian, ...
And no matter how broken a directory service is, if --list-external-keys
already found the certificate, no matter where, it is completely beyond me
why there should not be a command which will "import" this special subset
of possible keys.

> > You sound like locally saved keys were a bad design idea.
>
> I did not say this.
You have said that a properly administered PKI would be able to locate
the certificate you need anyway and used this argument to not add a special
option to be able to import a selected group of externally found keys.
I do not believe the argument because it is defeated by our own design
which already (rightfully) takes into account existing PKIs.

> > However this is not the point. There are directory services you can ask
> > by LDAP which have reserved attributes for public keys. Gpgsm needs to be
> > able
>
> Tell me this attribute!  There is no standard for it and thus everyone
> is using a different one.  See also "retrieving a certificate by serial
> number and issuer name" (which is not possible).

http://tools.ietf.org/html/rfc4523 as

4.1.  userCertificate

   The userCertificate attribute holds the X.509 certificates issued to
   the user by one or more certificate authorities, as discussed in
   clause 11.2.1 of [X.509].

      ( 2.5.4.36 NAME 'userCertificate'
        DESC 'X.509 user certificate'
        EQUALITY certificateExactMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )

It is reasonable to try this attribute when using the light weight
database protocol.

Bernhard

-- 
Managing Director - Owner: www.intevation.net       (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: 

From patrick at mozilla-enigmail.org Wed Jan 2 23:01:55 2008
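Two points from this thread meet in practice here: the RFC 4523 userCertificate attribute quoted above carries the DER-encoded certificate, and, as Werner noted earlier, only the fingerprint identifies a certificate for gpgsm --export and --import. gpgsm's fingerprint is the SHA-1 of the certificate's DER encoding. The following Python is an added example, not code from the thread, from GnuPG or from dirmngr. It assumes the directory answers with userCertificate (commonly requested as "userCertificate;binary") and that the result is in LDIF as ldapsearch prints it, with binary values base64-encoded after "::" and long lines folded onto continuation lines. The LDIF and the DER blob are constructed for this example; the blob is a minimal DER SEQUENCE standing in for a real X.509 certificate, which sits in the same place in a real entry. Whether a given PKI actually publishes userCertificate is, as Werner says, PKI-specific, so the code only checks that what it got is one complete DER element before hashing it.

```python
"""Extract userCertificate values from an LDIF search result and compute
the SHA-1 fingerprint gpgsm uses to identify a certificate.

Added example; not part of GnuPG, dirmngr or the thread.  Assumes
ldapsearch-style LDIF: "attr:: <base64>" for binary values, folded lines
continued with a single leading space, entries separated by blank lines.
"""
import base64
import hashlib

# Constructed stand-in for a certificate: DER SEQUENCE { INTEGER 42,
# OCTET STRING ABCD }.  A real entry carries a full X.509 certificate.
CONSTRUCTED_DER = bytes([0x30, 0x07, 0x02, 0x01, 0x2A, 0x04, 0x02, 0xAB, 0xCD])


def build_sample_ldif(der):
    """Constructed LDIF entry with the base64 value folded over two lines."""
    b64 = base64.b64encode(der).decode("ascii")
    return ("dn: cn=Boromir,ou=people,dc=example,dc=org\n"
            "cn: Boromir\n"
            "mail: boromir@example.org\n"
            "userCertificate;binary:: " + b64[:8] + "\n"
            " " + b64[8:] + "\n"
            "\n")


def parse_ldif(text):
    """Return [(dn, {attribute: [values]})]; binary values come back as bytes."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # folded continuation line
        else:
            unfolded.append(line)
    entries, dn, attrs = [], None, {}
    for line in unfolded + [""]:
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name = name.split(";")[0].lower()     # drop options such as ;binary
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        if name == "dn":
            dn = value if isinstance(value, str) else value.decode("utf-8")
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def der_length(der):
    """Total length of the outermost DER SEQUENCE, or None if malformed.

    An X.509 Certificate is a SEQUENCE (tag 0x30); the value must be
    exactly one element with no truncation and no trailing bytes.
    """
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                          # short-form length
        header, length = 2, first
    else:                                     # long-form: 0x8N + N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return None
        header = 2 + n
        length = int.from_bytes(der[2:2 + n], "big")
    total = header + length
    return total if total == len(der) else None


def certificate_fingerprints(ldif_text):
    """Map each DN to the SHA-1 fingerprints of its well-formed certificates."""
    result = {}
    for dn, attrs in parse_ldif(ldif_text):
        for der in attrs.get("usercertificate", []):
            if not isinstance(der, bytes) or der_length(der) is None:
                continue                      # not a complete DER element
            fpr = hashlib.sha1(der).hexdigest().upper()
            result.setdefault(dn, []).append(fpr)
    return result


def colon_form(fpr):
    """AA:BB:... form, as gpgsm prints it and as --export accepts it."""
    return ":".join(fpr[i:i + 2] for i in range(0, len(fpr), 2))


if __name__ == "__main__":
    for dn, fprs in certificate_fingerprints(build_sample_ldif(CONSTRUCTED_DER)).items():
        for fpr in fprs:
            print(dn, "->", "gpgsm --export", colon_form(fpr))
```

With a real directory the input would come from something like `ldapsearch -LLL -x -H ldap://ldap.example.org -b dc=example,dc=org '(cn=Boromir)' 'userCertificate;binary'` (host and base DN assumed), and the printed fingerprint is the argument for gpgsm --export before gpgsm --import.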
From: patrick at mozilla-enigmail.org (Patrick Brunschwig)
Date: Wed, 02 Jan 2008 23:01:55 +0100
Subject: Status of GnuPG2 on Windows
Message-ID: <477C09D3.3040504@mozilla-enigmail.org>

What is the current status of GnuPG 2.0 on Windows. In the "What's New"
section of the 2.0.8 release, I read that Windows is now a supported
platform. Does that mean that GnuPG 2 is now considered stable on
Windows, or just that it basically works?

Thanks,
Patrick

From wk at gnupg.org Thu Jan 3 10:51:50 2008
From: wk at gnupg.org (Werner Koch)
Date: Thu, 03 Jan 2008 10:51:50 +0100
Subject: Status of GnuPG2 on Windows
In-Reply-To: <477C09D3.3040504@mozilla-enigmail.org> (Patrick Brunschwig's message of "Wed, 02 Jan 2008 23:01:55 +0100")
References: <477C09D3.3040504@mozilla-enigmail.org>
Message-ID: <87myrnck3t.fsf@wheatstone.g10code.de>

On Wed, 2 Jan 2008 23:01, patrick at mozilla-enigmail.org said:

> What is the current status of GnuPG 2.0 on Windows. In the "What's New"
> section of the 2.0.8 release, I read that Windows is now a supported
> platform. Does that mean that GnuPG 2 is now considered stable on
> Windows, or just that it basically works?

It is stable.  Which does not mean that there are no bugs ;-).


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

From marcus.brinkmann at ruhr-uni-bochum.de Fri Jan 4 15:50:43 2008
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Fri, 04 Jan 2008 15:50:43 +0100
Subject: [Announce] GPGME 1.1.6 released
Message-ID: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de>

Hi,

We are pleased to announce version 1.1.6 of GnuPG Made Easy, a library
designed to make access to GnuPG easier for applications.

It may be found in the file (about 939 KB/730 KB compressed)

  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.6.tar.gz
  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.6.tar.bz2

The following files are also available:

  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.6.tar.gz.sig
  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.6.tar.bz2.sig
  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.5-1.1.6.diff.gz

It should soon appear on the mirrors listed at:

  http://www.gnupg.org/mirrors.html

Bug reports and requests for assistance should be sent to:

  gnupg-devel at gnupg.org

The sha1sum checksums for this distribution are

  ed2c9699367d1be32f84bf154673becd16deba0a  gpgme-1.1.5-1.1.6.diff.gz
  05218df939d72c2fd6d74f22c2b5d5ade0718b7a  gpgme-1.1.6.tar.bz2
  2c2994d98ab545d1bced14c0554f4a50fd8e0878  gpgme-1.1.6.tar.bz2.sig
  8dee551f362fc428c25c9bd542ce944ac916347d  gpgme-1.1.6.tar.gz
  996e0b48a4f5e0ce3029e95c310ae64af92a6131  gpgme-1.1.6.tar.gz.sig

Noteworthy changes in version 1.1.6 (2008-01-04)
------------------------------------------------

 * Bug fixes for W32.

 * A new, experimental (and thus undocumented and potentially unstable)
   interface for accessing gpg-conf through GPGME has been added.

 * Interface changes relative to the 1.1.1 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gpgme_signature_t               EXTENDED: New field chain_model.
gpgme_op_getauditlog_start      NEW.
gpgme_op_getauditlog            NEW.
GPGME_AUDITLOG_HTML             NEW.
GPGME_AUDITLOG_WITH_HELP        NEW.

Marcus Brinkmann
mb at g10code.de

-- 
g10 Code GmbH           http://g10code.com           AmtsGer. Wuppertal HRB 14459
Hüttenstr. 61           Geschäftsführung Werner Koch
D-40699 Erkrath    -=- The GnuPG Experts -=-         USt-Id DE215605608
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Fri, 4 Jan 2008 17:45:16 +0200
Subject: [Announce] GPGME 1.1.6 released
In-Reply-To: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de>
References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de>
Message-ID: <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com>

On 1/4/08, Marcus Brinkmann wrote:
> Hi,
>
> We are pleased to announce version 1.1.6 of GnuPG Made Easy,
> a library designed to make access to GnuPG easier for applications.

Hello,

Please fix some QA issues.

 * QA Notice: Package has poor programming practices which may compile
 * fine but exhibit random runtime failures.
 * assuan-pipe-connect.c:593: warning: implicit declaration of function '_gpgme_io_pipe'
   assuan-pipe-connect.c:638: warning: implicit declaration of function '_gpgme_io_spawn'

Attached is a temp fix, as including the priv-io.h conflicts with other
parts of the software.

Also... One test fails:

PASS: t-verify
Hallo Leute!
PASS: t-decrypt
t-sign.c:107: KSBA: Not found (9.27)
FAIL: t-sign
Begin Result:
Issuer ...: /CN=DFN Top Level Certification Authority/OU=DFN-PCA/O=Deutsches Forschungsnetz/C=DE/EMail=certify at pca.dfn.de
Serial ...: 01
Subject ..: /CN=DFN Top Level Certification Authority/OU=DFN-PCA/O=Deutsches Forschungsnetz/C=DE/EMail=certify at pca.dfn.de

During tests, the pinentry dialogs are shown, I must write "abc" for
tests to run (many times), can you please make the test use silent
passphrase?

Best Regards,
Alon Bar-Lev.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: gpgme-1.1.6-qa.patch
Type: text/x-diff
Size: 580 bytes
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Fri, 04 Jan 2008 16:53:26 +0100
Subject: [Announce] GPGME 1.1.6 released
In-Reply-To: <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com>
References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com>
Message-ID: <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de>

At Fri, 4 Jan 2008 17:45:16 +0200, "Alon Bar-Lev" wrote:
>
> On 1/4/08, Marcus Brinkmann wrote:
> > Hi,
> >
> > We are pleased to announce version 1.1.6 of GnuPG Made Easy,
> > a library designed to make access to GnuPG easier for applications.
>
> Hello,
>
> Please fix some qa issues.
> * QA Notice: Package has poor programming practices which may compile
> * fine but exhibit random runtime failures.
> * assuan-pipe-connect.c:593: warning: implicit declaration of
> function '_gpgme_io_pipe'
> assuan-pipe-connect.c:638: warning: implicit declaration of function
> '_gpgme_io_spawn'
>
> Attach is a temp fix, as including the priv-io.h conflict with other
> parts of the software.

The fix is fine, priv-io.h is not part of assuan, and thus repeating
the internal declarations is good enough.

> Also... One test fails:
>
> PASS: t-verify
> Hallo Leute!
> PASS: t-decrypt
> t-sign.c:107: KSBA: Not found (9.27)
> FAIL: t-sign
> Begin Result:
> Issuer ...: /CN=DFN Top Level Certification
> Authority/OU=DFN-PCA/O=Deutsches
> Forschungsnetz/C=DE/EMail=certify at pca.dfn.de
> Serial ...: 01
> Subject ..: /CN=DFN Top Level Certification
> Authority/OU=DFN-PCA/O=Deutsches
> Forschungsnetz/C=DE/EMail=certify at pca.dfn.de

Which version of gpgsm do you use? The tests run fine here.

> During tests, the pinentry dialogs are shown, I must write "abc" for
> tests to run (many times), can you please make the test use silent
> passphrase?

We already set GPG_AGENT_INFO to empty in the test environment (see
TEST_ENVIRONMENT in tests/gpgsm/Makefile.am).
I have no idea why this is not working for you. Did you run "make check"
or invoke the test manually?

Thanks,
Marcus

From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Fri, 4 Jan 2008 18:01:19 +0200
Subject: [Announce] GPGME 1.1.6 released
In-Reply-To: <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de>
References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de>
Message-ID: <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com>

On 1/4/08, Marcus Brinkmann wrote:
> The fix is fine, priv-io.h is not part of assuan, and thus repeating
> the internal declarations is good enough.

This is not so good practice... You can separate these into their own
header file and include it from both places.

> Which version of gpgsm do you use? The tests run fine here.

$ gpgsm --version
gpgsm (GnuPG) 2.0.8
Copyright (C) 2007 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Cipher: 3DES, AES, AES192, AES256, SERPENT128, SERPENT192, SERPENT256,
        SEED, CAMELLIA128, CAMELLIA192, CAMELLIA256
Pubkey: RSA, ECDSA
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, WHIRLPOOL
Used libraries: gcrypt(1.4.0), ksba(1.0.2), assuan(1.0.4)

> We already set GPG_AGENT_INFO to empty in the test environment (see
> TEST_ENVIRONMENT in tests/gpgsm/Makefile.am). I have no idea why this
> is not working for you. Did you run "make check" or invoked the test
> manually?

I use "make check".

GPG_AGENT_INFO= echo alon | gpg2 --sign

Will result in running an agent by itself... right?

Alon.
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Fri, 04 Jan 2008 17:24:27 +0100
Subject: [Announce] GPGME 1.1.6 released
In-Reply-To: <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com>
References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com>
Message-ID: <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de>

At Fri, 4 Jan 2008 18:01:19 +0200, "Alon Bar-Lev" wrote:
>
> On 1/4/08, Marcus Brinkmann wrote:
> > The fix is fine, priv-io.h is not part of assuan, and thus repeating
> > the internal declarations is good enough.
>
> This is not so good practice... You can separate these into their own
> header file and include it from both places.

Sometimes even good practices need to be broken. This is such a case.
There is a better solution, but it requires major extensions to
libassuan, which we are not currently planning for (to be specific:
libassuan should provide hooks for everything gpgme needs to change in
its implementation. Then we can just link to libassuan and remove the
local copy).

> > Which version of gpgsm do you use? The tests run fine here.
>
> $ gpgsm --version
> gpgsm (GnuPG) 2.0.8

Ok, I used 2.0.4 for testing the release. It is possible that something
changed which broke the test case, I'll have to check it out. Thanks
for letting me know.

> > We already set GPG_AGENT_INFO to empty in the test environment (see
> > TEST_ENVIRONMENT in tests/gpgsm/Makefile.am). I have no idea why this
> > is not working for you. Did you run "make check" or invoked the test
> > manually?
>
> I use "make check".

Probably also related to the gpg/gpgsm version.

> GPG_AGENT_INFO= echo alon | gpg2 --sign
>
> Will result in running an agent by itself... right?

Mmh. Did you specify gpg2 as default gpg for gpgme?
And did it ask for the passphrase in tests/gpg or tests/gpgsm? Actually,
in which particular test, gpg/t-sign?

Thanks,
Marcus
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Fri, 4 Jan 2008 18:32:05 +0200
Subject: [Announce] GPGME 1.1.6 released
In-Reply-To: <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de>
References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de>
Message-ID: <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com>

On 1/4/08, Marcus Brinkmann wrote:
> Mmh. Did you specify gpg2 as default gpg for gpgme? And did it ask

/usr/bin/gpg is a link to /usr/bin/gpg2, gpgme configuration detects
the correct version.

> for the passphrase in tests/gpg or tests/gpgsm? Actually, in which
> particular test, gpg/t-sign?

make check-TESTS
make[3]: Entering directory `/home/alonbl/tmp/xx/gpgme-1.1.6/tests/gpg'
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2.0.8 (GNU/Linux)

hQEOA2rm1+5GqHH4EAP8CLySAWZ9QFCMUZKwaR80CEXY6WtSerNt30PuO9F3DUE2
FFzLT7rCfTSfa87hpa45dwH2NynxvW/sREFYysARlj3GVFy1jKXHZ2q9sRagCxbP
PlpmnXsQ0/tScTJ892HAcB/GeuWPSvJ+Rfo5NpHOpXMQh2qlbvaOV93HFTS5En4D
/iJTP7m0/w1+Pgb3SyhIu0sjnFra3pOoGpUe+mCd3KLizOcXcnFE2tZpZCQVmQsU
cUDUICjehkj9e8dq7aUkwNi7G0mvspMxyL202i7Z833zvXepjPJlTayNWYMeKIqK
EqfELsAqBRQ9vRUcOp29I0NWveeSfckB6nx/zFGSoFoqhQEOA1OB6k7im6N/EAP+
LCjEPPBz5gu8EYtfnwCtUC8SX33aUmFeTpd+kdNGXRC8dsf74A/ZoPciLFWLW63o
M3wrz2MQVwHukv6xaSBjnbS4M+nTMtnYzZjXd1OwZZxO048z1Z50IuXFT3QfzMhD
K7/YXbn7crXrrnVJ72EHX/nZ2xa0kBGsluZZEgwybmUD/jSgPqcDwydfgCqUDefZ
TUMr4BaOyngthQUQcJjzy3x5npGv0SAJx0gkzft8URKBOxaY1zxXxQBIvMVpln0M
EznBLzIUh0Xn5ZfjggMAUZyoeIh6iYLizeAVdLPdgwMnlctVjoG/cUb2ZQL24Z4N
AJZm6m9S2/N+fuHCRUkf+QLq0kcByRxIm8iWRdBCatPX9ddRvdaBJ7owzxri5J/7
JzGoNoXfsM23sLwumu7sml/DYUV7cy5T78U/uTc14tv5CBXq4fraTcos3w==
=bsZL
-----END PGP MESSAGE-----
PASS: t-encrypt

Same for other tests.

Alon.
From: tomp at idirect.com (Tom Pegios)
Date: Fri, 04 Jan 2008 12:53:56 -0500
Subject: GnuPG v2.0.8 on windows 32 bit platform
Message-ID: <477E72B4.9000708@idirect.com>

Has anyone that has compiled GnuPG v2.0.8 for Windows(32) run into the
following problem as I'm not sure if I'm doing something wrong

Running make check for gpg2 shows ALL tests pass BUT make check fails
on the following libraries.

------------------------
in libksba-1.0.2

make[2]: Entering directory `/src/v2/libksba-1.0.2/tests'
/bin/sh ../libtool --tag=CC --mode=link gcc -I/usr/local/include -g
-O2 -Wall -Wcast-align -Wshadow -Wstrict-prototypes -Wpointer-arith
-Wno-pointer-sign -o cert-basic.exe cert-basic.o ../src/libksba.la
-L/usr/local/lib -lgpg-error
gcc -I/usr/local/include -g -O2 -Wall
-Wcast-align -Wshadow -Wstrict-prototypes -Wpointer-arith
-Wno-pointer-sign -o .libs/cert-basic.exe cert-basic.o ../src/.libs/libksba.dll.a -L/usr/local/lib /usr/local/lib/libgpg-error.dll.a
-L/usr/local/lib
cert-basic.o: In function `one_file':
d:\M-SYS\src\v2\libksba-1.0.2\tests/cert-basic.c:591: undefined reference to `__ksba_keyinfo_from_sexp'
d:\M-SYS\src\v2\libksba-1.0.2\tests/cert-basic.c:602: undefined reference to `__ksba_keyinfo_to_sexp'
d:\M-SYS\src\v2\libksba-1.0.2\tests/cert-basic.c:615: undefined reference to `__ksba_keyinfo_from_sexp'
collect2: ld returned 1 exit status

----------------------------------------
in libgcrypt-1.4.0

15 of 15 tests failed
Please report to bug-libgcrypt at gnupg.org
========================================
make[2]: *** [check-TESTS] Error 1
make[2]: Leaving directory `/src/v2/libgcrypt-1.4.0/tests'
make[1]: *** [check-am] Error 2

-----------------------------
in libgpg-error-1.6

make check-TESTS
make[2]: Entering directory `/src/v2/libgpg-error-1.6/tests'
FAIL: t-strerror.exe
FAIL: t-syserror.exe
====================================
2 of 2 tests failed

GPG2 seems to work properly but with the libraries failing the above
tests I'm not sure if I can trust GPG2 to work properly.

anyone have any ideas ???

Tom

From: rdieter at math.unl.edu (Rex Dieter)
Date: Fri, 04 Jan 2008 11:04:04 -0600
Subject: [Announce] GPGME 1.1.6 released
References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com>
Message-ID:

Alon Bar-Lev wrote:

> Also... One test fails:
>
> PASS: t-verify
> Hallo Leute!
> PASS: t-decrypt
> t-sign.c:107: KSBA: Not found (9.27)
> FAIL: t-sign

Confirmed 'make check' failure here too (fedora, using gnupg2-2.0.8)

-- Rex
From: gpgme at katehok.ac93.org (Igor Belyi)
Date: Fri, 04 Jan 2008 18:07:04 -0500
Subject: pyme
In-Reply-To: <200801021806.18508.bernhard@intevation.de>
References: <3ac86fa70712111623wd83e701vd07440a6966dde65@mail.gmail.com> <200712211048.25215.bernhard@intevation.de> <87sl1g5huc.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200801021806.18508.bernhard@intevation.de>
Message-ID: <477EBC18.70300@katehok.ac93.org>

Bernhard Reiter wrote:
> On Wednesday 02 January 2008 17:10, Marcus Brinkmann wrote:
>>> It would be cool to have python gpgme bindings.
>>
>> http://pyme.sourceforge.net/
>
> This looks abandoned, lowlevel and is based on SWIG.
> Nevertheless it could be a start.

I didn't abandon it. It works for me fine and there was no bug filed
for some time - that's why there is no activity. I naively thought it
means that it works for everyone else as well. Yes, I probably should
update it for the new revision of the gpgme and SWIG and probably add
installation for the Windows..

And what's the problem with using SWIG? It helps to have python bindings
for any library in no time.

Let me know exactly what are your expectations from such bindings and
I'll try to help.

Cheers,
Igor

From: wk at gnupg.org (Werner Koch)
Date: Sat, 05 Jan 2008 15:13:54 +0100
Subject: GnuPG v2.0.8 on windows 32 bit platform
In-Reply-To: <477E72B4.9000708@idirect.com> (Tom Pegios's message of "Fri, 04 Jan 2008 12:53:56 -0500")
References: <477E72B4.9000708@idirect.com>
Message-ID: <87zlvkz7fh.fsf@wheatstone.g10code.de>

On Fri, 4 Jan 2008 18:53, tomp at idirect.com said:

> Has anyone that has compiled GnuPG v2.0.8 for Windows(32) run into the
> following problem as I'm not sure if I'm doing something wrong

Building it on Windows is not supported. Failing tests are very likely.

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.
From: bjk at luxsci.net (Ben Kibbey)
Date: Sat, 5 Jan 2008 14:01:03 -0500
Subject: assuan_read_from_server() and return value
In-Reply-To: <877ijdqp36.wl%marcus.brinkmann@ruhr-uni-bochum.de>
References: <200711231902.lANJ22OU007693@rs41.luxsci.com> <87fxyjaksq.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200712081745.lB8Hj2rF001140@rs41.luxsci.com> <87mysgug09.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200712151733.lBFHX2n5026146@rs41.luxsci.com> <877ijdqp36.wl%marcus.brinkmann@ruhr-uni-bochum.de>
Message-ID: <200801051902.m05J21LC013646@rs41.luxsci.com>

On Mon, Dec 17, 2007 at 05:10:37PM +0100, Marcus Brinkmann wrote:
> Ah, so now we are talking about the _assuan_read_from_server at the
> "again:" label in _assuan_transact?
>
> In this case, the ERR should set OKAY to 0 and OFF to the offset of
> the error code, and then assuan_transact should execute:
>
>   if (!okay)
>     {
>       rc = atoi (line);
>       if (rc > 0 && rc < 100)
>         rc = _assuan_error (ASSUAN_Server_Fault);
>       else if (rc > 0 && rc <= 405)
>         rc = _assuan_error (rc);
>     }
>
> Thereby returning the error code as it should. Why is that code not
> working for you?

Didn't see this code. Sorry. This works as it should.

If there is no error source set (which pinentry doesn't do)
_assuan_error() will return the unmasked error code, and for the
application (which uses gpg-error), it is impossible to determine if the
error is an ASSUAN_ or GPG_ERR error code. So the problem (in my case)
is with pinentry not setting an error source.

I have an app that uses gpg-error codes. The app connects to pinentry
via assuan_pipe_connect(). I call assuan_transact() to send the GETPIN
command to pinentry. If I cancel the pinentry by selecting the Cancel
button, assuan_transact() returns ASSUAN_Canceled (111). But for an app
that uses gpg-error, the error is seen as GPG_ERR_INV_CARD (111). So in
my app I have to test for both GPG_ERR_ASS_CANCELED and ASSUAN_Canceled.

If nobody else is doing it, I could patch pinentry to use libgpg-error.
I'm not sure how this would affect other clients though?

Thanks, and sorry for the confusion.

-- 
Benjamin J. Kibbey
bjk at luxsci.net/jabber/freenode
3019 F5FC AA33 5BC7 BE9F 09D2 393E DBD2 40D5 FA7E

From: JPClizbe at tx.rr.com (John Clizbe)
Date: Sat, 05 Jan 2008 13:03:36 -0600
Subject: GnuPG v2.0.8 on windows 32 bit platform
In-Reply-To: <87zlvkz7fh.fsf@wheatstone.g10code.de>
References: <477E72B4.9000708@idirect.com> <87zlvkz7fh.fsf@wheatstone.g10code.de>
Message-ID: <477FD488.1090903@tx.rr.com>

Werner Koch wrote:
> On Fri, 4 Jan 2008 18:53, tomp at idirect.com said:
>> Has anyone that has compiled GnuPG v2.0.8 for Windows(32) run into the
>> following problem as I'm not sure if I'm doing something wrong
>
> Building it on Windows is not supported. Failing tests are very likely.

I think there are a good number of Windows users who would like to try
GnuPG 2.0.8. GPG4WIN has been the usual source for a Windows build of
GnuPG 2.0.x, but it is still at 2.0.7. With no source for a binary,
users are going to attempt building it for themselves.

Any chance of a GPG4Win 1.1.4 soon, or a GnuPG 2.0.8 zip/installer?

-- 
John P. Clizbe                      Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?"        / "two words: good decisions."
"what's the key to good decisions?" /  "one word: experience."
"how do i get experience?"          / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"
From: hawke at hawkesnest.net (Alex Mauer)
Date: Sun, 06 Jan 2008 14:50:59 -0600
Subject: exporting and importing some subkeys
In-Reply-To: <200801021341.28169.bernhard@intevation.de>
References: <200801021341.28169.bernhard@intevation.de>
Message-ID:

Bernhard Reiter wrote:
> With gnupg 2.0.7 (and 2.0.5):
>
> Given two machines with .gnupg having your secret key
> and doing "addkey" on one, I encountered a problem
> trying to transfer the new subkey to the other.
>
> gpg2 --export-secret-key ABCDEF >mykey
>
> worked even when ABCDEF is the fingerprint of my new subkey.
> gpg2 --import mykey
> tells me that the key is already in my keyring.
>
> gpg2 --list-secret-keys does not have the new subkey,
> so I guess the problem to be in the import.
>
> Am I missing something?

No. GPG simply does not allow importing of secret subkeys. (aka merging
of secret keys) I've asked about this before, and a quick search
reveals several other people asking about it. See
https://bugs.g10code.com/gnupg/issue318

This is also a problem when importing secret key stubs for a smartcard.

-Alex Mauer "hawke"
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 6 Jan 2008 17:20:06 -0500
Subject: exporting and importing some subkeys
In-Reply-To: <200801021341.28169.bernhard@intevation.de>
References: <200801021341.28169.bernhard@intevation.de>
Message-ID:

On Jan 2, 2008, at 7:41 AM, Bernhard Reiter wrote:

> With gnupg 2.0.7 (and 2.0.5):
>
> Given two machines with .gnupg having your secret key
> and doing "addkey" on one, I encountered a problem
> trying to transfer the new subkey to the other.
>
> gpg2 --export-secret-key ABCDEF >mykey
>
> worked even when ABCDEF is the fingerprint of my new subkey.
> gpg2 --import mykey
> tells me that the key is already in my keyring.
>
> gpg2 --list-secret-keys does not have the new subkey,
> so I guess the problem to be in the import.
>
> Am I missing something?

What you ended up with is two machines with copies of the same secret
key, but one of the machines had an extra subkey. The problem, as you
saw, is that GPG (both v1 and v2) don't yet support merging secret
keys. A merge is necessary (rather than a replacement) as there could
be new subkeys on both machines, and the user probably wants to keep
them all. ;)

As a workaround, if you know for sure that one machine has a superset
subkey-wise of the other, you can delete the secret key from the subset
machine and then import a copy from the superset machine.

David
From: bernhard at intevation.de (Bernhard Reiter)
Date: Mon, 7 Jan 2008 11:37:08 +0100
Subject: pyme
In-Reply-To: <477EBC18.70300@katehok.ac93.org>
References: <3ac86fa70712111623wd83e701vd07440a6966dde65@mail.gmail.com> <200801021806.18508.bernhard@intevation.de> <477EBC18.70300@katehok.ac93.org>
Message-ID: <200801071137.09535.bernhard@intevation.de>

Igor,

On Saturday 05 January 2008 00:07, Igor Belyi wrote:
> >> http://pyme.sourceforge.net/
> > This looks abandoned, lowlevel and is based on SWIG.
> > Nevertheless it could be a start.
> I didn't abandon it. It works for me fine and there was no bug filed for
> some time - that's why there no activity.

ah, good to know!

> I naively thought it means
> that it works for everyone else as well. Yes, I probably should update
> it for the new revision of the gpgme and SWIG and probably add
> installation for the Windows..

Yes, this would be cool, even if it is just a remark saying that it
works with the latest version.

> And what's the problem with using SWIG? It helps to have python bindings
> for any library in no time.

Our experience with a few libraries wrapped in SWIG is that it tends to
be hard on the interesting interface cases and usually produces bindings
that are not very pythonic nor high level. Thus we went back to doing
direct wrappers without SWIG as it did cause more work whenever we had a
special case, and interfaces tend to consist of special cases.

> Let me know exactly what are your expectations from such bindings and
> I'll try to help.

I would want Mailman and roundup to be able to receive and send
encrypted emails, at some point in time we will give it a shot with pyme
and then you will get reports. ;)

Bernhard

-- 
Managing Director - Owner: www.intevation.net (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From: bernhard at intevation.de (Bernhard Reiter)
Date: Mon, 7 Jan 2008 12:02:30 +0100
Subject: exporting and importing some subkeys
In-Reply-To:
References: <200801021341.28169.bernhard@intevation.de>
Message-ID: <200801071202.35870.bernhard@intevation.de>

Alex, David,
thanks for your response!

On Sunday 06 January 2008 21:50, Alex Mauer wrote:
> Bernhard Reiter wrote:
> > With gnupg 2.0.7 (and 2.0.5):
> >
> > Given two machines with .gnupg having your secret key
> > and doing "addkey" on one, I encountered a problem
> > trying to transfer the new subkey to the other.
> GPG simply does not allow importing of secret subkeys. (aka merging
> of secret keys) I've asked about this before, and a quick search
> reveals several other people asking about it. See
> https://bugs.g10code.com/gnupg/issue318

I did not search for the keyword "merging", this is probably why I did
not find the previous answer.

Indeed I have used the workaround to delete the secret key from one
keyring and reimport it from the other.

Bernhard

-- 
Managing Director - Owner: www.intevation.net (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
From: wk at gnupg.org (Werner Koch)
Date: Tue, 08 Jan 2008 09:33:04 +0100
Subject: GPG & Floating point?
In-Reply-To: <20071220235141.GA27059@lina.inka.de> (Bernd Eckenfels's message of "Fri, 21 Dec 2007 00:51:41 +0100")
References: <47669E03.1010105@per-se.com> <87zlw5a6m4.fsf@wheatstone.g10code.de> <20071220235141.GA27059@lina.inka.de>
Message-ID: <87ir2467jz.fsf@wheatstone.g10code.de>

On Fri, 21 Dec 2007 00:51, lists at lina.inka.de said:

> (not sure if there is any way to speed up hashing besides hand crafting
> assembler for the T1).

Do you know whether the low level stuff (/dev/ncp?, asm?) is usable from
user land? It would be interesting to add support for the T1/T2 to
libgcrypt. There is already assembler stuff for VIA's padlock and a
framework to add other extensions is available.

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.
From: gpgme at katehok.ac93.org (Igor Belyi)
Date: Tue, 08 Jan 2008 09:04:13 -0500
Subject: pyme
In-Reply-To: <200801071137.09535.bernhard@intevation.de>
References: <3ac86fa70712111623wd83e701vd07440a6966dde65@mail.gmail.com> <200801021806.18508.bernhard@intevation.de> <477EBC18.70300@katehok.ac93.org> <200801071137.09535.bernhard@intevation.de>
Message-ID: <478382DD.1080703@katehok.ac93.org>

Bernhard Reiter wrote:
> Yes, this would be cool, even if it is just a remark saying that it
> works with the latest version.

Well, as a user of Debian 'unstable' I know it works with GPGME 1.1.5
but you are right that I may need to have this info back on the SF page
as well. I'll see if that could be automated.

> Our experience with a few libraries wrapped in SWIG is that it tends to be
> hard on the interesting interface cases and usually produces binding that are
> not very pythonic nor high level. Thus we went back doing direct wrappers
> without SWIG as it did caused more work whenever we had a special case and
> interface tend to consist out out special causes.

It looks like GPGME is a very good candidate for the SWIG - its
interface design is almost object oriented so that there are very few
supporting classes necessary to make it python friendly. And I do
believe 'E' in there stands for 'Easy' which is the usual requirement
for the 'high level' bindings. :)

> I would want Mailman and roundup to be able to receive and send encrypted
> emails, at some point in time we will give it a shot with pyme and then you
> will get reports. ;)

I'd recommend to start with examples provided with pyme. There's even
some Glade based GUI ones if you like that sort of thing. :)

And as for the reports - Bring them on! ;)

Cheers,
Igor
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Tue, 08 Jan 2008 18:46:37 +0100
Subject: assuan_read_from_server() and return value
In-Reply-To: <200801051902.m05J21LC013646@rs41.luxsci.com>
References: <200711231902.lANJ22OU007693@rs41.luxsci.com> <87fxyjaksq.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200712081745.lB8Hj2rF001140@rs41.luxsci.com> <87mysgug09.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200712151733.lBFHX2n5026146@rs41.luxsci.com> <877ijdqp36.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200801051902.m05J21LC013646@rs41.luxsci.com>
Message-ID: <87ir249pmq.wl%marcus.brinkmann@ruhr-uni-bochum.de>

At Sat, 5 Jan 2008 14:01:03 -0500, Ben Kibbey wrote:
>
> On Mon, Dec 17, 2007 at 05:10:37PM +0100, Marcus Brinkmann wrote:
> > Ah, so now we are talking about the _assuan_read_from_server at the
> > "again:" label in _assuan_transact?
> >
> > In this case, the ERR should set OKAY to 0 and OFF to the offset of
> > the error code, and then assuan_transact should execute:
> >
> >   if (!okay)
> >     {
> >       rc = atoi (line);
> >       if (rc > 0 && rc < 100)
> >         rc = _assuan_error (ASSUAN_Server_Fault);
> >       else if (rc > 0 && rc <= 405)
> >         rc = _assuan_error (rc);
> >     }
> >
> > Thereby returning the error code as it should. Why is that code not
> > working for you?
>
> Didn't see this code. Sorry. This works as it should.
>
> If there is no error source set (which pinentry doesn't do)
> _assuan_error() will return the unmasked error code, and for the
> application (which uses gpg-error), it is impossible to determine if the
> error is an ASSUAN_ or GPG_ERR error code. So the problem (in my case)
> is with pinentry not setting an error source.

Alrighty! The problem is that _assuan_error is designed to be used for
error codes within the application, not to interpret error codes from
peers. The above code is thus "clearly wrong" (but see below), as it
should inspect rc for an error source.
However, unfortunately, there is no sane operation we can do if the
peers "mismatch", i.e. if one uses gpg-error and the other doesn't.
There is no lossless mapping from one to the other (in both directions).
Even if there was such a mapping, the application would need to know
about its details for user-defined error codes. This is a mess!

So, the right thing to do is to just use gpg-error everywhere. I will
adjust pinentry accordingly. And in the future, we might even decide to
remove the ol' Assuan error stuff. It was useful for transition, but I
think once all components of gnupg are moved to use gpg-error, it has
outlived its purpose.

I know that you have been saying this all along, but I was focusing
first on the code and inquire stuff, because that was more difficult to
deal with. Solving the pinentry error code problem is easy.

Thanks,
Marcus
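An added example (my own code, not libassuan's, gpg-error's or pinentry's) of the mismatch Ben and Marcus discuss above. A gpg-error value packs a 7-bit error source in bits 24..30 above a 16-bit code, so an `ERR 83886179 ...` line from a gpg-error based pinentry decodes to source 5 (pinentry) and code 99 (GPG_ERR_CANCELED), whereas a bare `ERR 111 ...` carries no source and can only be read in the old Assuan numbering, where 111 is ASSUAN_Canceled as Ben reports. The two ERR lines are constructed; the bit layout and the source and code numbers are gpg-error's, and the 405 upper bound is taken from the assuan_transact snippet quoted in the thread. The `legacy` heuristic is exactly the guess that cannot be made reliable, which is why the thread's answer is to use gpg-error on both sides rather than map between the two.

```c
/* Added example, not libassuan/gpg-error/pinentry code: decode the number
 * on an Assuan "ERR <code> <text>" line the way a gpg-error based client
 * must, and tell a legacy Assuan code (no source bits) apart from a
 * gpg-error value.  Layout and constants are gpg-error's: source in bits
 * 24..30, code in bits 0..15, source 5 = pinentry, GPG_ERR_CANCELED = 99.
 * 111 (ASSUAN_Canceled) and the 405 bound are the values quoted in the thread. */
#include <stdlib.h>
#include <string.h>

#define ERR_SOURCE_SHIFT       24
#define ERR_SOURCE_MASK        0x7f
#define ERR_CODE_MASK          0xffff
#define ERR_SOURCE_PINENTRY    5
#define GPG_ERR_CANCELED_CODE  99
#define LEGACY_ASSUAN_CANCELED 111   /* old libassuan numbering, from the thread */
#define LEGACY_ASSUAN_MAX      405   /* upper bound in the quoted assuan_transact */

struct decoded_err {
    unsigned long raw;     /* number as sent on the wire */
    unsigned int source;   /* 0 = no source field set */
    unsigned int code;     /* low 16 bits */
    int legacy;            /* 1: can only be an old Assuan code */
};

/* "ERR <number> [text]" -> number; 0 if the line is not a well-formed ERR. */
unsigned long err_line_code(const char *line)
{
    char *end;
    unsigned long v;
    if (strncmp(line, "ERR ", 4) != 0)
        return 0;
    v = strtoul(line + 4, &end, 10);
    if (end == line + 4 || (*end != ' ' && *end != '\0' && *end != '\n'))
        return 0;
    return v;
}

struct decoded_err decode_err(unsigned long raw)
{
    struct decoded_err d;
    d.raw = raw;
    d.source = (unsigned int)((raw >> ERR_SOURCE_SHIFT) & ERR_SOURCE_MASK);
    d.code = (unsigned int)(raw & ERR_CODE_MASK);
    /* No source bits and inside the old range: a peer that never set an
     * error source (the pinentry in the thread).  A gpg-error value with
     * source 0 (unknown) and a small code looks identical, which is the
     * ambiguity that cannot be resolved on the receiving side. */
    d.legacy = (d.source == 0 && raw <= LEGACY_ASSUAN_MAX);
    return d;
}

/* Client-side "did the user cancel?" that copes with both kinds of peer,
 * i.e. the "test for both" workaround Ben describes. */
int is_user_cancel(const char *line)
{
    struct decoded_err d = decode_err(err_line_code(line));
    if (d.raw == 0)
        return 0;                        /* not an ERR line at all */
    return d.legacy ? d.code == LEGACY_ASSUAN_CANCELED
                    : d.code == GPG_ERR_CANCELED_CODE;
}
```

Once pinentry reports gpg-error values (source bits set), `decode_err` never takes the legacy branch for it and the client can check the code alone, without guessing which numbering the peer used.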
From: lists at lina.inka.de (Bernd Eckenfels)
Date: Wed, 9 Jan 2008 07:19:22 +0100
Subject: GPG & Floating point?
In-Reply-To: <87ir2467jz.fsf@wheatstone.g10code.de>
References: <47669E03.1010105@per-se.com> <87zlw5a6m4.fsf@wheatstone.g10code.de> <20071220235141.GA27059@lina.inka.de> <87ir2467jz.fsf@wheatstone.g10code.de>
Message-ID: <20080109061922.GA26424@lina.inka.de>

Hello Werner,

On Tue, Jan 08, 2008 at 09:33:04AM +0100, Werner Koch wrote:
> Do you know whether the low level stuff (/dev/ncp?, asm?) is usable from
> user land? It would be interesting to add support for the T1/T2 to
> libgcrypt. There is already assembler stuff for VIA's padlock and a
> framework to add other extensions is available.

I know there is an openssl and java crypto engine for T1/T2 so it should
be possible. I am a Java guy (now) and don't know about the C interfaces.
However it looks like the Solaris Crypto Framework which can be used by
usermode is somewhat PKCS#11 based. Easiest would be to use the Solaris
openssl version with pkcs11 support (libcrypto.so) but that might be a
licensing problem?

http://www.sun.com/blueprints/0306/819-5782.pdf

Sorry for not having more information, however I could maybe give you
some internal sun contact if you like, Werner.

Greetings
Bernd

From marcus.brinkmann at ruhr-uni-bochum.de Thu Jan 10 05:41:47 2008
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Thu, 10 Jan 2008 05:41:47 +0100
Subject: [Announce] GPGME 1.1.6 released
In-Reply-To: <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com>
References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com>
Message-ID: <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de>

At Fri, 4 Jan 2008 18:32:05 +0200,
"Alon Bar-Lev" wrote:
>
> On 1/4/08, Marcus Brinkmann wrote:
> > Mmh. Did you specify gpg2 as default gpg for gpgme? And did it ask
>
> /usr/bin/gpg is a link to /usr/bin/gpg2, gpgme configuration detects the
> correct version.

gpg2 does not seem to support passing the passphrase via the command
fd, and requires the use of a pinentry program. I added a dummy
pinentry program to gpgme and a configuration file for gpg-agent to
use it. You might try the SVN version again and see if that works for
you (it does for me).

The gpgsm problem is actually a bug in gpgsm's default qualified.txt
file, where the last two entries miss the country code. I filed a
report for that, so it will be fixed soon.

Thanks,
Marcus

From alon.barlev at gmail.com Thu Jan 10 07:19:45 2008
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Thu, 10 Jan 2008 08:19:45 +0200
Subject: [Announce] GPGME 1.1.6 released
In-Reply-To: <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de>
References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de>
Message-ID: <9e0cf0bf0801092219h38a4c28ck8f6987930d0003c0@mail.gmail.com>

On 1/10/08, Marcus Brinkmann wrote:
> gpg2 does not seem to support passing the passphrase via the command
> fd, and requires the use of a pinentry program.

Why not use:

    gpg --sign --batch --passphrase 'secret'

Regards,
Alon Bar-Lev.

From alon.barlev at gmail.com Thu Jan 10 07:21:55 2008
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Thu, 10 Jan 2008 08:21:55 +0200
Subject: [Announce] GPGME 1.1.6 released
In-Reply-To: <9e0cf0bf0801092219h38a4c28ck8f6987930d0003c0@mail.gmail.com>
References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801092219h38a4c28ck8f6987930d0003c0@mail.gmail.com>
Message-ID: <9e0cf0bf0801092221u34a4b79er80ec26696ff64fe1@mail.gmail.com>

On 1/10/08, Alon Bar-Lev wrote:
> On 1/10/08, Marcus Brinkmann wrote:
> > gpg2 does not seem to support passing the passphrase via the command
> > fd, and requires the use of a pinentry program.
>
> Why not use:
>
>     gpg --sign --batch --passphrase 'secret'

Or:

    gpg --sign --batch --passphrase-fd ###

>
> Regards,
> Alon Bar-Lev.
>

From wk at gnupg.org Thu Jan 10 09:03:42 2008
From: wk at gnupg.org (Werner Koch)
Date: Thu, 10 Jan 2008 09:03:42 +0100
Subject: [Announce] GPGME 1.1.6 released
In-Reply-To: <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> (Marcus Brinkmann's message of "Thu, 10 Jan 2008 05:41:47 +0100")
References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de>
Message-ID: <877iiiumxt.fsf@wheatstone.g10code.de>

On Thu, 10 Jan 2008 05:41, marcus.brinkmann at ruhr-uni-bochum.de said:

> gpg2 does not seem to support passing the passphrase via the command
> fd, and requires the use of a pinentry program. I added a dummy

Right, the pinentry is required for interactive use. However if you add
--batch you can still use an fd, string or file for the passphrase as
usual. Note that this feature will eventually be dropped for private
key operations.

> file, where the last two entries miss the country code. I filed a
> report for that, so it will be fixed soon.

Done. Thanks.

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From alon.barlev at gmail.com Thu Jan 10 10:32:17 2008
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Thu, 10 Jan 2008 11:32:17 +0200
Subject: [Announce] GPGME 1.1.6 released
In-Reply-To: <877iiiumxt.fsf@wheatstone.g10code.de>
References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de>
Message-ID: <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com>

On 1/10/08, Werner Koch wrote:
> Right, the pinentry is required for interactive use. However if you add
> --batch you can still use an fd, string or file for the passphrase as
> usual. Note that this feature will eventually be dropped for private
> key operations.

Why drop?
How can batch applications do crypto operations without this option?

I guess they can write pinentry-env, and do:

    PINENTRY_USER_DATA=secret gpg --sign <>

But this is much less secure than using fd.

Alon.

From wk at gnupg.org Thu Jan 10 12:17:59 2008
From: wk at gnupg.org (Werner Koch)
Date: Thu, 10 Jan 2008 12:17:59 +0100
Subject: [Announce] GPGME 1.1.6 released
In-Reply-To: <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> (Alon Bar-Lev's message of "Thu, 10 Jan 2008 11:32:17 +0200")
References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com>
Message-ID: <871w8qszdk.fsf@wheatstone.g10code.de>

On Thu, 10 Jan 2008 10:32, alon.barlev at gmail.com said:

> Why drop?

Because gpg2 will eventually work like gpgsm and not know anything
about secret keys.

> How can batch applications do crypto operations without this option?
> I guess they can write pinentry-env, and do:
> PINENTRY_USER_DATA=secret gpg --sign <>

Well, this is a hack to write a custom pinentry. It is not intended to
convey the passphrase. It is also very questionable why a batch
application needs a passphrase protected key at all.

The other solution is to use gpg-preset-passphrase. This is similar to
a crypto file system and lets you put the passphrase into RAM for later
use.

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From alon.barlev at gmail.com Thu Jan 10 12:26:09 2008
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Thu, 10 Jan 2008 13:26:09 +0200
Subject: [Announce] GPGME 1.1.6 released
In-Reply-To: <871w8qszdk.fsf@wheatstone.g10code.de>
References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> <871w8qszdk.fsf@wheatstone.g10code.de>
Message-ID: <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com>

On 1/10/08, Werner Koch wrote:
> The other solution is to use gpg-preset-passphrase. This is similar to
> a crypto file system and lets you put the passphrase into RAM for later
> use.

But this will not work for batch applications serving multiple users.
Well... I can also --forget to present... But then it has some
weakness if this command is not run...

Alon.

From alon.barlev at gmail.com Thu Jan 10 14:31:50 2008
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Thu, 10 Jan 2008 15:31:50 +0200
Subject: gnupg-2.0.8 - regression - double free
Message-ID: <9e0cf0bf0801100531s3fccab1es6229a23fe93559a1@mail.gmail.com>

Hello Werner,

Please review:
http://bugs.gentoo.org/show_bug.cgi?id=204662

I cannot reproduce this on my machine... But I guess it has something
to do with latest win32 socket fixups.

gettimeofday({1199970496, 693424}, NULL) = 0
sigprocmask(SIG_SETMASK, [HUP INT USR1 USR2 TERM], ~[KILL STOP RTMIN]) = 0
read(7, "", 1002) = 0
write(5, "gpg-agent[4264.7] DBG: <- [EOF]\n", 32) = 32
close(7) = 0
time(NULL) = 1199970496
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1920, ...}) = 0
write(5, "2008-01-10 14:08:16 gpg-agent[42"..., 74) = 74
sigprocmask(SIG_SETMASK, ~[KILL STOP RTMIN], [HUP INT USR1 USR2 TERM]) = 0
gettimeofday({1199970496, 694079}, NULL) = 0
open("/dev/tty", O_RDWR|O_NOCTTY|O_NONBLOCK) = -1 ENXIO (No such device or address)
writev(2, [{"*** glibc detected *** ", 23}, {"gpg-agent", 9}, {": ", 2}, {"double free or corruption (out)", 31}, {": 0x", 4}, {"0809f5e0", 8}, {" ***\n", 5}], 7) = 82

Also, please consider adding --foreground to --daemon, it is impossible
to debug the agent this way!

Best Regards,
Alon Bar-Lev

From marcus.brinkmann at ruhr-uni-bochum.de Thu Jan 10 14:31:17 2008
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Thu, 10 Jan 2008 14:31:17 +0100
Subject: [Announce] GPGME 1.1.6 released
In-Reply-To: <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com>
References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com>
Message-ID: <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de>

At Thu, 10 Jan 2008 13:26:09 +0200,
"Alon Bar-Lev" wrote:
>
> On 1/10/08, Werner Koch wrote:
> > The other solution is to use gpg-preset-passphrase. This is similar to
> > a crypto file system and lets you put the passphrase into RAM for later
> > use.
>
> But this will not work for batch applications serving multiple users.

Can you describe your problem in more detail?

> Well... I can also --forget to present... But then it has some
> weakness if this command is not run...

Thanks,
Marcus

From marcus.brinkmann at ruhr-uni-bochum.de Thu Jan 10 15:16:59 2008
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Thu, 10 Jan 2008 15:16:59 +0100
Subject: gnupg-2.0.8 - regression - double free
In-Reply-To: <9e0cf0bf0801100531s3fccab1es6229a23fe93559a1@mail.gmail.com>
References: <9e0cf0bf0801100531s3fccab1es6229a23fe93559a1@mail.gmail.com>
Message-ID: <877iihahpf.wl%marcus.brinkmann@ruhr-uni-bochum.de>

At Thu, 10 Jan 2008 15:31:50 +0200,
"Alon Bar-Lev" wrote:
> writev(2, [{"*** glibc detected *** ", 23}, {"gpg-agent", 9}, {": ",
> 2}, {"double free or corruption (out)", 31}, {": 0x", 4}, {"0809f5e0",
> 8}, {" ***\n", 5}], 7) = 82

Without a symbol table it is hard to find out what 0x0809f5e0 refers
to. Can you ask the submitter to recompile with debug symbols and run
addr2line (*after* reproducing the bug again and getting the correct
address for the recompiled file)?

Thanks,
Marcus

From alon.barlev at gmail.com Thu Jan 10 15:22:11 2008
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Thu, 10 Jan 2008 16:22:11 +0200
Subject: gnupg-2.0.8 - regression - double free
In-Reply-To: <877iihahpf.wl%marcus.brinkmann@ruhr-uni-bochum.de>
References: <9e0cf0bf0801100531s3fccab1es6229a23fe93559a1@mail.gmail.com> <877iihahpf.wl%marcus.brinkmann@ruhr-uni-bochum.de>
Message-ID: <9e0cf0bf0801100622r6ba719far52af533b982ab379@mail.gmail.com>

On 1/10/08, Marcus Brinkmann wrote:
> At Thu, 10 Jan 2008 15:31:50 +0200,
> "Alon Bar-Lev" wrote:
> > writev(2, [{"*** glibc detected *** ", 23}, {"gpg-agent", 9}, {": ",
> > 2}, {"double free or corruption (out)", 31}, {": 0x", 4}, {"0809f5e0",
> > 8}, {" ***\n", 5}], 7) = 82
>
> Without a symbol table it is hard to find out what 0x0809f5e0 refers
> to. Can you ask the submitter to recompile with debug symbols and run
> addr2line (*after* reproducing the bug again and getting the correct
> address for the recompiled file)?

I can... However it is best if you add yourself as CC and communicate
directly with the users.

Alon.

From alon.barlev at gmail.com Thu Jan 10 14:40:15 2008
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Thu, 10 Jan 2008 15:40:15 +0200
Subject: [Announce] GPGME 1.1.6 released
In-Reply-To: <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de>
References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de>
Message-ID: <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com>

On 1/10/08, Marcus Brinkmann wrote:
> Can you describe your problem in more detail?

It is not my problem... Well... kind of... as you guys keep breaking
backward compatibility, and I get all the bugs of dependent packages.

For example, if you have webmail that holds gpg keys on behalf of its
users... Current implementations enable users to specify the passphrase
using an html dialog, and pipe the passphrase into the gpg application.
Agent mode is not suitable for this kind of operation.

Alon.

From marcus.brinkmann at ruhr-uni-bochum.de Thu Jan 10 17:37:36 2008
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Thu, 10 Jan 2008 17:37:36 +0100
Subject: [Announce] GPGME 1.1.6 released
In-Reply-To: <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com>
References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com>
Message-ID: <873at5ab73.wl%marcus.brinkmann@ruhr-uni-bochum.de>

At Thu, 10 Jan 2008 15:40:15 +0200,
"Alon Bar-Lev" wrote:
>
> On 1/10/08, Marcus Brinkmann wrote:
> > Can you describe your problem in more detail?
>
> It is not my problem... Well... kind of... as you guys keep breaking
> backward compatibility, and I get all the bugs of dependent packages.

gpg and gpg2 are separate product lines, which are both fully
supported for the foreseeable future.

> For example, if you have webmail that holds gpg keys on behalf of its
> users... Current implementations enable users to specify the passphrase
> using an html dialog, and pipe the passphrase into the gpg application.
> Agent mode is not suitable for this kind of operation.

That's a very specialized application domain which requires a ton of
further considerations, and a lot of effort to get it "right"
(arguably, your assumptions already restrict the feasible security
that can be achieved). Under such circumstances, I don't think it is
unreasonable to require some extra effort in choosing an appropriate
pinentry solution.
The gpg2 framework allows for a number of solutions here, but which one
is best requires careful considerations to the specific requirements.

Thanks,
Marcus

From alon.barlev at gmail.com Thu Jan 10 17:49:00 2008
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Thu, 10 Jan 2008 18:49:00 +0200
Subject: [Announce] GPGME 1.1.6 released
In-Reply-To: <873at5ab73.wl%marcus.brinkmann@ruhr-uni-bochum.de>
References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com> <873at5ab73.wl%marcus.brinkmann@ruhr-uni-bochum.de>
Message-ID: <9e0cf0bf0801100849yd460935xcaf5689310770288@mail.gmail.com>

On 1/10/08, Marcus Brinkmann wrote:
> At Thu, 10 Jan 2008 15:40:15 +0200,
> "Alon Bar-Lev" wrote:
> >
> > On 1/10/08, Marcus Brinkmann wrote:
> > > Can you describe your problem in more detail?
> >
> > It is not my problem... Well... kind of... as you guys keep breaking
> > backward compatibility, and I get all the bugs of dependent packages.
>
> gpg and gpg2 are separate product lines, which are both fully
> supported for the foreseeable future.

Forcing users to install both versions on their system, and maintaining
problems with each, is an incorrect approach. But whatever... we cannot
change this now.

> > For example, if you have webmail that holds gpg keys on behalf of its
> > users... Current implementations enable users to specify the passphrase
> > using an html dialog, and pipe the passphrase into the gpg application.
> > Agent mode is not suitable for this kind of operation.
>
> That's a very specialized application domain which requires a ton of
> further considerations, and a lot of effort to get it "right"
> (arguably, your assumptions already restrict the feasible security
> that can be achieved).
> Under such circumstances, I don't think it is
> unreasonable to require some extra effort in choosing an appropriate
> pinentry solution. The gpg2 framework allows for a number of
> solutions here, but which one is best requires careful considerations
> to the specific requirements.

This answer is political and not technical... There are working
applications *NOW* and you are going to break them.

But again... this is irrelevant now... from experience you guys will
do whatever you like, forwarding the issue to distribution maintainers.

Alon.

From alon.barlev at gmail.com Thu Jan 10 18:08:41 2008
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Thu, 10 Jan 2008 19:08:41 +0200
Subject: gnupg-2.0.8 - regression - double free
In-Reply-To: <9e0cf0bf0801100622r6ba719far52af533b982ab379@mail.gmail.com>
References: <9e0cf0bf0801100531s3fccab1es6229a23fe93559a1@mail.gmail.com> <877iihahpf.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100622r6ba719far52af533b982ab379@mail.gmail.com>
Message-ID: <9e0cf0bf0801100908w337df34ao50cf27b352867bdc@mail.gmail.com>

On 1/10/08, Alon Bar-Lev wrote:
> On 1/10/08, Marcus Brinkmann wrote:
> > At Thu, 10 Jan 2008 15:31:50 +0200,
> > "Alon Bar-Lev" wrote:
> > > writev(2, [{"*** glibc detected *** ", 23}, {"gpg-agent", 9}, {": ",
> > > 2}, {"double free or corruption (out)", 31}, {": 0x", 4}, {"0809f5e0",
> > > 8}, {" ***\n", 5}], 7) = 82
> >
> > Without a symbol table it is hard to find out what 0x0809f5e0 refers
> > to. Can you ask the submitter to recompile with debug symbols and run
> > addr2line (*after* reproducing the bug again and getting the correct
> > address for the recompiled file)?
>
> I can... However it is best if you add yourself as CC and communicate
> directly with the users.
>
> Alon.
>

Done, but I think this address is of the block released and not the
code.

Please add yourself to CC of the bug. I cannot (don't wish to) solve
all of gnupg issues.

Alon.

From marcus.brinkmann at ruhr-uni-bochum.de Thu Jan 10 19:55:41 2008
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Thu, 10 Jan 2008 19:55:41 +0100
Subject: [Announce] GPGME 1.1.6 released
In-Reply-To: <9e0cf0bf0801100849yd460935xcaf5689310770288@mail.gmail.com>
References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com> <873at5ab73.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100849yd460935xcaf5689310770288@mail.gmail.com>
Message-ID: <871w8pa4sx.wl%marcus.brinkmann@ruhr-uni-bochum.de>

At Thu, 10 Jan 2008 18:49:00 +0200,
"Alon Bar-Lev" wrote:
> > > For example, if you have webmail that holds gpg keys on behalf of its
> > > users... Current implementations enable users to specify the passphrase
> > > using an html dialog, and pipe the passphrase into the gpg application.
> > > Agent mode is not suitable for this kind of operation.
> >
> > That's a very specialized application domain which requires a ton of
> > further considerations, and a lot of effort to get it "right"
> > (arguably, your assumptions already restrict the feasible security
> > that can be achieved). Under such circumstances, I don't think it is
> > unreasonable to require some extra effort in choosing an appropriate
> > pinentry solution. The gpg2 framework allows for a number of
> > solutions here, but which one is best requires careful considerations
> > to the specific requirements.
>
> This answer is political and not technical... There are working
> applications *NOW* and you are going to break them.

Consider applications using GPGME.
These applications will register a passphrase callback handler, but with
gpg2 it will simply not be used, and for the application it looks like
no passphrase is required to use the key.

I suggest that if you know about specific applications that work with
gpg but break with gpg2, you let us know about the details and we work
something out in each particular case. This invitation extends to all
software developers and distribution maintainers, of course. We are in
fact very concerned about backward compatibility, which you can see by
our track record in maintaining the libgcrypt and GPGME API/ABI, for
example.

> But again... this is irrelevant now... from experience you guys will
> do whatever you like, forwarding the issue to distribution
> maintainers.

We want to work together with you and other distribution maintainers,
but we cannot promise to never change anything, as that would preclude
useful and important improvements in the architecture. If you are
concerned about particular problems, we are very interested in hearing
about them.

The issue at hand is, by the way, deeply technical: We want to move to
an architecture where secret key management is unified and properly
encapsulated. That this makes sense can be seen from the important use
case of smart card readers with number pads, where the pin is never
even seen by the host computer. This is not a new development. For
example, we have for years refused to extend GPGME by secret key
management interfaces (apart from the generic edit interface as a
workaround), specifically because of the architectural problems such
interfaces would create.

Thanks,
Marcus

From marcus.brinkmann at ruhr-uni-bochum.de Thu Jan 10 22:57:52 2008
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Thu, 10 Jan 2008 22:57:52 +0100
Subject: assuan_read_from_server() and return value
In-Reply-To: <200801051902.m05J21LC013646@rs41.luxsci.com>
References: <200711231902.lANJ22OU007693@rs41.luxsci.com> <87fxyjaksq.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200712081745.lB8Hj2rF001140@rs41.luxsci.com> <87mysgug09.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200712151733.lBFHX2n5026146@rs41.luxsci.com> <877ijdqp36.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200801051902.m05J21LC013646@rs41.luxsci.com>
Message-ID: <87zlvd8hsu.wl%marcus.brinkmann@ruhr-uni-bochum.de>

At Sat, 5 Jan 2008 14:01:03 -0500,
Ben Kibbey wrote:
> If there is no error source set (which pinentry doesn't do)
> _assuan_error() will return the unmasked error code, and for the
> application (which uses gpg-error), it is impossible to determine if the
> error is an ASSUAN_ or GPG_ERR error code. So the problem (in my case)
> is with pinentry not setting an error source.

I just checked into pinentry:

2008-01-10  Marcus Brinkmann

	* assuan-handler.c (dispatch_command): Use Syntax_Error instead of
	Invalid_Command.
	* assuan.h (assuan_error_t): Change all error codes to gpg-error
	codes.

If you want, why not check it out and see if that works for you? I did
some tests here and it seems to work as a drop in replacement for
older pinentries.

> I have an app that uses gpg-error codes. The app connects to pinentry
> via assuan_pipe_connect(). I call assuan_transact() to send the GETPIN
> command to pinentry. If I cancel the pinentry by selecting the Cancel
> button, assuan_transact() returns ASSUAN_Canceled (111). But for an app
> that uses gpg-error, the error is seen as GPG_ERR_INV_CARD (111). So in
> my app I have to test for both GPG_ERR_ASS_CANCELED and ASSUAN_Canceled.

gpg-agent maps GPG_ERR_ASS_CANCELED to GPG_ERR_CANCELED, because
internally ASSUAN_Canceled is mapped to the latter.
However, the above change makes pinentry return GPG_ERR_CANCELED in
case it is canceled, for your convenience.

Thanks,
Marcus

From wk at gnupg.org Fri Jan 11 12:31:05 2008
From: wk at gnupg.org (Werner Koch)
Date: Fri, 11 Jan 2008 12:31:05 +0100
Subject: gnupg-2.0.8 - regression - double free
In-Reply-To: <9e0cf0bf0801100622r6ba719far52af533b982ab379@mail.gmail.com> (Alon Bar-Lev's message of "Thu, 10 Jan 2008 16:22:11 +0200")
References: <9e0cf0bf0801100531s3fccab1es6229a23fe93559a1@mail.gmail.com> <877iihahpf.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100622r6ba719far52af533b982ab379@mail.gmail.com>
Message-ID: <87prw861l2.fsf@wheatstone.g10code.de>

On Thu, 10 Jan 2008 15:22, alon.barlev at gmail.com said:

> I can... However it is best if you add yourself as CC and communicate
> directly with the users.

If you want to report a bug, please use the gnupg bug tracker and don't
point to a specific distribution related one. And please take me out of
the CC from the gentoo bug tracker - all these BTS status messages are
meaningless to me.

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From alon.barlev at gmail.com Fri Jan 11 15:30:56 2008
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Fri, 11 Jan 2008 16:30:56 +0200
Subject: gnupg-2.0.8 - regression - double free
In-Reply-To: <87prw861l2.fsf@wheatstone.g10code.de>
References: <9e0cf0bf0801100531s3fccab1es6229a23fe93559a1@mail.gmail.com> <877iihahpf.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100622r6ba719far52af533b982ab379@mail.gmail.com> <87prw861l2.fsf@wheatstone.g10code.de>
Message-ID: <9e0cf0bf0801110630v42218768o3d4eae5e9b775684@mail.gmail.com>

On 1/11/08, Werner Koch wrote:
> If you want to report a bug, please use the gnupg bug tracker and don't
> point to a specific distribution related one. And please take me out of
> the CC from the gentoo bug tracker - all these BTS status messages are
> meaningless to me.

Instead of being thankful that people find issues in your outputs, and
opening an issue in your tracker yourself, you issue a procedural
statement.

People work hard to reproduce this issue, and find the cause... You
can work with them or against them.

Do whatever you feel like, you can ignore the issue if you like.
Or you can use the resources and channels to the users that can
reproduce this issue, via the distribution channel.

I removed you from the CC, after all this bug is not gnupg related, so
its contents is indeed meaningless to you guys.

Masked this version out, so people will not use it.

Alon.

From wk at gnupg.org Fri Jan 11 17:04:10 2008
From: wk at gnupg.org (Werner Koch)
Date: Fri, 11 Jan 2008 17:04:10 +0100
Subject: gnupg-2.0.8 - regression - double free
In-Reply-To: <9e0cf0bf0801110630v42218768o3d4eae5e9b775684@mail.gmail.com> (Alon Bar-Lev's message of "Fri, 11 Jan 2008 16:30:56 +0200")
References: <9e0cf0bf0801100531s3fccab1es6229a23fe93559a1@mail.gmail.com> <877iihahpf.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100622r6ba719far52af533b982ab379@mail.gmail.com> <87prw861l2.fsf@wheatstone.g10code.de> <9e0cf0bf0801110630v42218768o3d4eae5e9b775684@mail.gmail.com>
Message-ID: <878x2w5oxx.fsf@wheatstone.g10code.de>

On Fri, 11 Jan 2008 15:30, alon.barlev at gmail.com said:

> People work hard to reproduce this issue, and find the cause... You
> can work with them or against them.

That is good and appreciated. However it is ineffective to report bugs
only for one distribution. For one, an upstream author can't follow all
bug trackers of all GNU/Linux, Solaris, *BSD, etc. distributions. And
second, fixing or talking about a bug within one distro excludes all
those who have a similar problem but are using a different
distribution.

Thus, if you encounter an upstream bug and you are somewhat convinced
that it is not distribution specific, please report it to upstream and
set a pointer into the distro's BTS to that bug report. The GnuPG BTS
even has a URL field to backlink it to the first reporter's BTS.

> I removed you from the CC, after all this bug is not gnupg related, so
> its contents is indeed meaningless to you guys.

Thanks.

> Masked this version out, so people will not use it.

I don't understand this, seems to be Gentoo specific.

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From bernhard at intevation.de Fri Jan 11 17:07:32 2008
From: bernhard at intevation.de (Bernhard Reiter) Date: Fri, 11 Jan 2008 17:07:32 +0100 Subject: gnupg-2.0.8 - regression - double free In-Reply-To: <9e0cf0bf0801110630v42218768o3d4eae5e9b775684@mail.gmail.com> References: <9e0cf0bf0801100531s3fccab1es6229a23fe93559a1@mail.gmail.com> <87prw861l2.fsf@wheatstone.g10code.de> <9e0cf0bf0801110630v42218768o3d4eae5e9b775684@mail.gmail.com> Message-ID: <200801111707.37299.bernhard@intevation.de> Alon, On Friday 11 January 2008 15:30, Alon Bar-Lev wrote: > On 1/11/08, Werner Koch wrote: > > If you want to report a bug, please use the gnupg bug tracker and don't > > point to a specific distribution related one. And please take me out of > > the CC from the gentoo bug tracker - all these BTS status messages are > > meaningless to me. > > Instead of being thankful that people find issues in your output, and > opening an issue in your tracker yourself, you issue procedural > statements. you are listening with the wrong ear. Werner is pretty busy (and financing a lot of the GnuPG development); he just gave you the short message with the content to save time. The longer version would be something like: Thanks for the report! We are considering all reports and are grateful for people testing and helping with the development. Note that because of the number of problem tracker software packages, it is really hard for us to learn and use them all. Also the number of open issues with GnuPG makes our time scarce. We would appreciate it if you could not add us to other noisy lists, but file a report in GnuPG's tracker. > People work hard to reproduce this issue, and find the cause... You > can work with them or against them. > Do whatever you feel like, you can ignore the issue if you like. Werner has a long good track record of working with users, other developers, maintainers and so on. Giving the short answer can be expected on some development list. Actually I want him to answer shortly and save time for the coding.
:) > Or you can use the resources and channels to the users that can > reproduce this issue, via the distribution channel. If done for all problems reported by users, this is almost impossible. Otherwise GnuPG development would come to a halt. Werner and Marcus are the top-level developers; it is very suitable for someone to prove that the problem is relevant and try to reduce reproduction time on their side if at all possible. > I removed you from the CC, after all this bug is not gnupg related, so > its contents are indeed meaningless to you guys. Good to hear that it is not GnuPG. :) > Masked this version out, so people will not use it. I hope that the developer of the software part that is responsible for the defect will fix this soon, so GnuPG 2.0.8 can be used again. Best, Bernhard -- Managing Director - Owner: www.intevation.net (Free Software Company) Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com. Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998 Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From alan-jenkins at tuffmail.co.uk Fri Jan 11 18:09:11 2008
From: alan-jenkins at tuffmail.co.uk (Alan Jenkins) Date: Fri, 11 Jan 2008 17:09:11 +0000 Subject: gpg-agent timer tick Message-ID: <4787A2B7.4020806@tuffmail.co.uk> gpg-agent has a 2 second timer tick. alan at singularity:~$ gpg-agent --daemon GPG_AGENT_INFO=/tmp/gpg-21C85K/S.gpg-agent:28978:1; export GPG_AGENT_INFO; alan at singularity:~$ sudo powertop -d -t 5 | grep gpg-agent 0.2% ( 0.6) gpg-agent : schedule_timeout (process_timeout) gpg-agent:1557:handle_connections(int listen_fd, int listen_fd_ssh): time_ev = pth_event (PTH_EVENT_TIME, pth_timeout (2, 0)); This is potentially a Bad Thing for CPU power consumption, because it reduces the amount of time the CPU can spend in deep sleep states. I saw something similar in ssh-agent, but I couldn't interest anyone in my patch. Let me know if you're interested here and I'll submit a patch. Specifically, gpg-agent uses the timer tick to handle the case where the "command-line" argument is present: gpg-agent --daemon [command-line] In that case it runs the command given. The tick handler is used to check, every two seconds, whether the command is still running; if not, gpg-agent quits. A better way to do this is to run the command as a child of gpg-agent, and rely on the SIGCHLD signal instead of a timer tick. The timer tick is also used to check the Scdaemon (whatever that is :-) is still running. However, since it uses waitpid() to check this, Scdaemon must already be being run as a child, so that shouldn't be a problem. I noticed this problem because I got interested in the powertop project, and gpg-agent gets started by some package management software I use. Thanks, Alan From wk at gnupg.org Fri Jan 11 18:42:14 2008
From: wk at gnupg.org (Werner Koch) Date: Fri, 11 Jan 2008 18:42:14 +0100 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com> (Alon Bar-Lev's message of "Thu, 10 Jan 2008 15:40:15 +0200") References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com> Message-ID: <87ejco45u1.fsf@wheatstone.g10code.de> On Thu, 10 Jan 2008 14:40, alon.barlev at gmail.com said: > For example, if you have webmail that holds gpg keys on behalf of its > users... Current implementations enables users to specify passphrase Actually one guy contacted me offlist to help with a university webmail application. We agreed that adding the envvar PINENTRY_USER_DATA allows to pass user data all the way down to pinentry, so that he could write a wrapper for pinentry. If you have a specific problem please describe it at the list and we can discuss a solution. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Fri Jan 11 19:14:46 2008 
From: wk at gnupg.org (Werner Koch) Date: Fri, 11 Jan 2008 19:14:46 +0100 Subject: gpg-agent timer tick In-Reply-To: <4787A2B7.4020806@tuffmail.co.uk> (Alan Jenkins's message of "Fri, 11 Jan 2008 17:09:11 +0000") References: <4787A2B7.4020806@tuffmail.co.uk> Message-ID: <87ejconsa1.fsf@wheatstone.g10code.de> On Fri, 11 Jan 2008 18:09, alan-jenkins at tuffmail.co.uk said: > This is potentially a Bad Thing for CPU power consumption, because it > reduces the amount of time the CPU can spend in deep sleep states. I I thought that 2 seconds are long enough but there is no reason why we can't have a config option for this. > my patch. Let me know if you're interested here and I'll submit a FSF copyright assignment is required, so it might be easier if we do it. > In that case it runs the command given. The tick handler is used to > check, every two seconds, whether the command is still running; if > not, gpg-agent quits. 10 seconds or even longer should not pose a problem. > A better way to do this is to run the command as a child of gpg-agent, > and rely on the SIGCHLD signal instead of a timer tick. The problem with this approach is that any bug in gpg-agent causes the entire child hierarchy to die. Yes, there should be no bug in gpg-agent, but in some cases (e.g. resource problems) it just prefers to exit. It is really annoying to see your desktop vanishing along with all the unsaved data. > The timer tick is also used to check the Scdaemon (whatever that is > :-) > is still running. However, since it uses waitpid() to check this, > Scdaemon must already be being run as a child, so that shouldn't be a Scdaemon handles smartcards. We could indeed change this to use SIGCHLD but given that we need a ticker anyway I don't think that makes much sense. Note that a future version will use the ticker to do housekeeping for the saved passphrases. Would an option to set the timer tick help you? Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.
From g.esp at free.fr Fri Jan 11 18:50:34 2008 From: g.esp at free.fr (Gilles Espinasse) Date: Fri, 11 Jan 2008 18:50:34 +0100 Subject: gnupg-2.0.8 - regression - double free In-Reply-To: <878x2w5oxx.fsf@wheatstone.g10code.de> References: <9e0cf0bf0801100531s3fccab1es6229a23fe93559a1@mail.gmail.com> <877iihahpf.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100622r6ba719far52af533b982ab379@mail.gmail.com> <87prw861l2.fsf@wheatstone.g10code.de> <9e0cf0bf0801110630v42218768o3d4eae5e9b775684@mail.gmail.com> <878x2w5oxx.fsf@wheatstone.g10code.de> Message-ID: <1200073834.4787ac6aa297e@imp.free.fr> According to Werner Koch: > > Masked this version out, so people will not use it. > > I don't understand this, seems to be Gentoo specific. > This is the way packages are qualified on Gentoo. With masked status, a package normally does not appear on the update list unless you specifically request it. Gilles From alan-jenkins at tuffmail.co.uk Sat Jan 12 00:14:20 2008
From: alan-jenkins at tuffmail.co.uk (Alan Jenkins) Date: Fri, 11 Jan 2008 23:14:20 +0000 Subject: gpg-agent timer tick In-Reply-To: <87ejconsa1.fsf@wheatstone.g10code.de> References: <4787A2B7.4020806@tuffmail.co.uk> <87ejconsa1.fsf@wheatstone.g10code.de> Message-ID: <4787F84C.9080409@tuffmail.co.uk> Werner Koch wrote: > On Fri, 11 Jan 2008 18:09, alan-jenkins at tuffmail.co.uk said: > > >> This is potentially a Bad Thing for CPU power consumption, because it >> reduces the amount of time the CPU can spend in deep sleep states. I >> > > I thought that 2 seconds are long enough but tehre is no reason why we > can't have a config option for this. Having the CPU wake up every 2 seconds still isn't ideal. It may not seem that much of an issue on its own, but the problem is that there are many programs which do the same. Say you have four programs that do exactly the same thing. Then the CPU is potentially waking up every half a second, which is not so good. It's possible to co-ordinate timeouts between programs, as with using glib's g_timeout_add_seconds(), which limits such wakeups to one a second no matter how many programs use it. Redhat have hacked several programs they distribute to round their wakeups to the nearest second and perhaps gpg-agent could do the same. It's also a pity to add another config option unless it's really necessary. Ultimately, a number of people are hoping to eliminate these sorts of timer ticks altogether. I'm just seeing whether I can shift some of the simpler cases that cross my path. I don't know if there's anything I can say to inspire you, but it's one of the things the "$100-dollar laptop" (http://laptop.org/) project had to look at. If you look on Redhat Bugzilla it might give you an idea of the amount of work that is going into this issue generally: . > > >> my patch. Let me know if you're interested here and I'll submit a >> > > FSF copyright assignment is required, so it might be easier if we do it. 
> > >> In that case it runs the command given. The tick handler is used to >> check, every two seconds, whether the command is still running; if >> not, gpg-agent quits. >> > > 10 seconds or even longer should not pose a problem. > > >> A better way to do this is to run the command as a child of gpg-agent, >> and rely on the SIGCHLD signal instead of a timer tick. >> > > The problem with this approach is that any bug in gpg-agent causes the > entire child hierarchy to die. Yes there should be no bug in gpg-agent > but in some cases (e.g. resource problems) it just prefers to exit. It > is really annoying to see your desktop vanishing along with all the > unsaved data. > Yes, that sure would be annoying. That's not quite what happens though. Child processes aren't automatically killed when their parent terminates. The reason that seems to happen with shells is that the shell is a "session leader"; it starts commands in the same "session", and when the "session leader" dies all the other processes in the session get sent SIGHUP. (Something like that. I'm not familiar with this but I've read up on it). When gpg-agent "daemonizes" by calling setsid(), it starts a new session containing only itself. Since it does this after running the command, the command will carry on running even if gpg-agent dies. So I think you're technically wrong. *However*, depending on how gpg-agent is used, there could still be a similar effect. For example, if the last command in a .Xsession file was: gpg-agent startkde I think when gpg-agent terminates, the login manager would assume you've logged out and your session is over. So I agree what I described was probably a bad idea. That's still fixable though. I've attached an example which uses a more complex method and avoids the problem. The command being run (e.g. the session) has a simple parent process that waits for its death, and a child process that runs the daemon. 
The parent notifies the daemon when the child command dies, by writing to a pipe. > >> The timer tick is also used to check the Scdaemon (whatever that is >> :-) >> is still running. However, since it uses waitpid() to check this, >> Scdaemon must already be being run as a child, so that shouldn't be a >> > > Scdaemon handles smartcards. > > We could indeed change this to use SIGCHLD but given that we need a > ticker anyway I don't think that makes much sense. Note that a future > version will use the ticker to do housekeeping for the saved > passphrases. > I did wonder about the generic name (handle_tick()). You don't need a ticker though; you can use a timer. You don't need to say "wake me up every 10 seconds so I can see if I need to do anything"; you can say "the user's passphrase is going to expire in half an hour; wake me up at that point". If you have multiple timers or timers that need cancelling or readjusting, it may end up slightly easier / clearer if you use the timers in libpth. > Would an option to set the timer tick help you? > I have to admit none of this would directly benefit me - I only use gpg-agent on a desktop. The option might help if I was using it on a laptop. A realistic figure for a functional laptop is 10 wake-ups per second, so it can be worth looking at a program doing 0.5 wakeup/s. Many thanks! (I think you deserve them if you read this entire email). Alan From alan-jenkins at tuffmail.co.uk Sat Jan 12 01:13:59 2008
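The supervisor layout Alan describes (a parent that waits for the command and tells the daemon through a pipe, so the daemon needs no timer tick), written out as an added example in C. It is not his attachment and not gpg-agent's code; run_supervised(), wait_for_command_exit() and the stand-in daemon are hypothetical names.

```c
/* Added example (not Alan Jenkins' attachment and not gpg-agent's code):
 * the supervisor layout described above.  The supervisor forks the daemon
 * and the command as siblings, waits for the command, and tells the daemon
 * over a pipe when it exits, so the daemon needs no periodic timer tick.
 * run_supervised() and the other names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <sys/select.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Daemon side.  Block in select() with a NULL timeout (no wakeup until
 * something happens) until the supervisor writes to the pipe or closes it.
 * Returns 1 when the notification byte arrives, 0 on EOF (the supervisor
 * itself is gone), -1 on error.  A real agent would add its sockets here. */
int wait_for_command_exit(int notify_fd)
{
    fd_set rfds;
    char byte;
    for (;;) {
        FD_ZERO(&rfds);
        FD_SET(notify_fd, &rfds);
        if (select(notify_fd + 1, &rfds, NULL, NULL, NULL) < 0) {
            if (errno == EINTR)
                continue;           /* interrupted by a signal; keep waiting */
            return -1;
        }
        ssize_t n = read(notify_fd, &byte, 1);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        return n == 1 ? 1 : 0;      /* zero bytes read means EOF */
    }
}

/* Daemon body, a stand-in for gpg-agent's event loop: exit once the command
 * we were started for has ended.  Never returns. */
static void daemon_main(int notify_fd)
{
    int r = wait_for_command_exit(notify_fd);
    close(notify_fd);
    _exit(r == 1 ? 0 : 1);
}

/* Supervisor.  The command is *our* child, not the daemon's, so a daemon
 * crash cannot take the session down, and we stay alive until the command
 * ends, which is what a login manager running .xsession expects.  Returns
 * the command's exit status (127 if it could not be executed), -1 on error. */
int run_supervised(char *const argv[])
{
    int fds[2];
    if (pipe(fds) < 0) return -1;
    pid_t daemon_pid = fork();
    if (daemon_pid < 0) return -1;
    if (daemon_pid == 0) {
        close(fds[1]);              /* the daemon only reads */
        setsid();                   /* own session, as gpg-agent --daemon does */
        daemon_main(fds[0]);
    }
    close(fds[0]);                  /* the supervisor only writes */
    pid_t cmd_pid = fork();
    if (cmd_pid < 0) { close(fds[1]); return -1; }
    if (cmd_pid == 0) {
        close(fds[1]);              /* the command must not hold the pipe open */
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    while (waitpid(cmd_pid, &status, 0) < 0) {
        if (errno != EINTR) { close(fds[1]); return -1; }
    }
    /* One byte is the notification; closing right after it gives the daemon
     * EOF as a fallback even if the write failed. */
    char byte = 'x';
    if (write(fds[1], &byte, 1) < 0)
        perror("notify daemon");
    close(fds[1]);
    int dstatus;
    while (waitpid(daemon_pid, &dstatus, 0) < 0) {
        if (errno != EINTR) return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[])
{
    if (argc < 2) { fprintf(stderr, "usage: %s command [args...]\n", argv[0]); return 2; }
    int rc = run_supervised(argv + 1);
    printf("command exited with %d\n", rc);
    return rc < 0 ? 1 : 0;
}
```

Where the daemon later needs a deadline of its own (a cached passphrase expiring, say), the NULL timeout in select() becomes that deadline rather than a fixed 2-second tick.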
From: alan-jenkins at tuffmail.co.uk (Alan Jenkins) Date: Sat, 12 Jan 2008 00:13:59 +0000 Subject: gpg-agent timer tick In-Reply-To: <4787F84C.9080409@tuffmail.co.uk> References: <4787A2B7.4020806@tuffmail.co.uk> <87ejconsa1.fsf@wheatstone.g10code.de> <4787F84C.9080409@tuffmail.co.uk> Message-ID: <47880647.3050001@tuffmail.co.uk> > That's still fixable though. I've attached an example which uses a > more complex method and avoids the problem. Except I hadn't. So here's the missing attachment. Alan -------------- next part -------------- A non-text attachment was scrubbed... Name: example.c Type: text/x-csrc Size: 2465 bytes Desc: not available URL: From alon.barlev at gmail.com Sat Jan 12 10:21:48 2008 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Sat, 12 Jan 2008 11:21:48 +0200 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <87ejco45u1.fsf@wheatstone.g10code.de> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com> <87ejco45u1.fsf@wheatstone.g10code.de> Message-ID: <9e0cf0bf0801120121s46132699lb5182b66269cf9e7@mail.gmail.com> On 1/11/08, Werner Koch wrote: > If you have a specific problem please describe it at the list and we can > discuss a solution. All I ask is to stop breaking the interface. Find some way to pass the passphrase from gnupg to the pinentry program. You can even have a new configuration option in gpg-agent.conf to ignore this by default. But please don't break the interface. BTW: Waiting for new release of gpgme with all fixed. Alon. From wk at gnupg.org Sat Jan 12 19:51:22 2008 
From: wk at gnupg.org (Werner Koch) Date: Sat, 12 Jan 2008 19:51:22 +0100 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <9e0cf0bf0801120121s46132699lb5182b66269cf9e7@mail.gmail.com> (Alon Bar-Lev's message of "Sat, 12 Jan 2008 11:21:48 +0200") References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com> <87ejco45u1.fsf@wheatstone.g10code.de> <9e0cf0bf0801120121s46132699lb5182b66269cf9e7@mail.gmail.com> Message-ID: <87fxx2nahh.fsf@wheatstone.g10code.de> On Sat, 12 Jan 2008 10:21, alon.barlev at gmail.com said: > All I ask is to stop breaking the interface. As Marcus already explained, there is no interface break. gpg2 is an entirely different program and we have always declared that it is only _mostly identical_ to the standalone gpg. This is one of the reasons why we promised to maintain both programs. (The other reason is that GnuPG-1 is easier to build and more portable to older and pre-POSIX systems). Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Sat Jan 12 20:12:33 2008 
From: wk at gnupg.org (Werner Koch) Date: Sat, 12 Jan 2008 20:12:33 +0100 Subject: gpg-agent timer tick In-Reply-To: <4787F84C.9080409@tuffmail.co.uk> (Alan Jenkins's message of "Fri, 11 Jan 2008 23:14:20 +0000") References: <4787A2B7.4020806@tuffmail.co.uk> <87ejconsa1.fsf@wheatstone.g10code.de> <4787F84C.9080409@tuffmail.co.uk> Message-ID: <87bq7qn9i6.fsf@wheatstone.g10code.de> On Sat, 12 Jan 2008 00:14, alan-jenkins at tuffmail.co.uk said: > that there are many programs which do the same. Say you have four > programs that do exactly the same thing. Then the CPU is potentially > waking up every half a second, which is not so good. I understand. In a conventional programming environment it is usually best to distribute CPU work most evenly over time and thus make sure that not all timers fire exactly at the full seconds or so. Well, for power saving this is different. gpg-agent should do something about it. > second no matter how many programs use it. Redhat have hacked several > programs they distribute to round their wakeups to the nearest second > and perhaps gpg-agent could do the same. Shall we change the timer code to do just that? Run on the full even second? > the simpler cases that cross my path. I don't know if there's > anything I can say to inspire you, but it's one of the things the I know. However, I have not thought that gpg-agent is really a candidate for it. You convinced me. > Yes, that sure would be annoying. That's not quite what happens > though. Child processes aren't automatically killed when their parent > terminates. The reason that seems to happen with shells is that the > shell is a "session leader"; it starts commands in the same "session", I know. However, the current code is pretty well matured and I don't want to add new bugs right now. In particular not if we need a timer anyway and if the change to sync all timer events will be easier than changing this code. > I did wonder about the generic name (handle_tick()).
You don't need a > ticker though; you can use a timer. You don't need to say "wake > me up every 10 seconds so I can see if I need to do anything"; you can > say "the user's passphrase is going to expire in half an hour; wake me > up at that point". If you have multiple timers or timers that need > cancelling or readjusting, it may end up slightly easier / clearer if > you use the timers in libpth. I think that this code would be more complex than a timer tick to handle such things. > Many thanks! (I think you deserve them if you read this entire email). I assigned bug 871 to it. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From alon.barlev at gmail.com Sat Jan 12 20:28:49 2008
From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Sat, 12 Jan 2008 21:28:49 +0200 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <87fxx2nahh.fsf@wheatstone.g10code.de> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com> <87ejco45u1.fsf@wheatstone.g10code.de> <9e0cf0bf0801120121s46132699lb5182b66269cf9e7@mail.gmail.com> <87fxx2nahh.fsf@wheatstone.g10code.de> Message-ID: <9e0cf0bf0801121128j6930000id0c86afa75c3805b@mail.gmail.com> On 1/12/08, Werner Koch wrote: > On Sat, 12 Jan 2008 10:21, alon.barlev at gmail.com said: > > > All I ask is to stop breaking the interface. > > As Marcus already explained, there is no interface break. gpg2 is an > entirely different program and we have always declared that it is only > _mostly identical_ to the standalone gpg. > > This is one of the reasons why we promised to maintain both programs. > (The other reason is that GnuPG-1 is easier to build and more portable > to older and pre-POSIX systems). I don't understand what you are talking about; from the gpg2 man page:
--passphrase-fd n
Read the passphrase from file descriptor n. Only the first line will be read from file descriptor n. If you use 0 for n, the passphrase will be read from stdin. This can only be used if only one passphrase is supplied. Note that this passphrase is only used if the option --batch has also been given. This is different from gpg.
--passphrase-file file
Read the passphrase from file file. Only the first line will be read from file file. This can only be used if only one passphrase is supplied. Obviously, a passphrase stored in a file is of questionable security if other users can read this file. Don't use this option if you can avoid it. Note that this passphrase is only used if the option --batch has also been given. This is different from gpg.
--passphrase string
Use string as the passphrase. This can only be used if only one passphrase is supplied. Obviously, this is of very questionable security on a multi-user system. Don't use this option if you can avoid it. Note that this passphrase is only used if the option --batch has also been given. This is different from gpg.
So unless you release gpg3, removing these parameters breaks your interface. Alon. From bjk at luxsci.net Sat Jan 12 23:25:05 2008 From: bjk at luxsci.net (Ben Kibbey) Date: Sat, 12 Jan 2008 17:25:05 -0500 Subject: assuan_read_from_server() and return value In-Reply-To: <87zlvd8hsu.wl%marcus.brinkmann@ruhr-uni-bochum.de> References: <200711231902.lANJ22OU007693@rs41.luxsci.com> <87fxyjaksq.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200712081745.lB8Hj2rF001140@rs41.luxsci.com> <87mysgug09.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200712151733.lBFHX2n5026146@rs41.luxsci.com> <877ijdqp36.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200801051902.m05J21LC013646@rs41.luxsci.com> <87zlvd8hsu.wl%marcus.brinkmann@ruhr-uni-bochum.de> Message-ID: <200801122226.m0CMQ29o028953@rs41.luxsci.com> On Thu, Jan 10, 2008 at 10:57:52PM +0100, Marcus Brinkmann wrote: > If you want, why not check it out and see if that works for you? I > did some tests here and it seems to work as a drop in replacement for > older pinentries. Works good. Thanks! -- Benjamin J. Kibbey bjk at luxsci.net/jabber/freenode 3019 F5FC AA33 5BC7 BE9F 09D2 393E DBD2 40D5 FA7E From marcus.brinkmann at ruhr-uni-bochum.de Sun Jan 13 15:29:18 2008
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Sun, 13 Jan 2008 15:29:18 +0100 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <9e0cf0bf0801120121s46132699lb5182b66269cf9e7@mail.gmail.com> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com> <87ejco45u1.fsf@wheatstone.g10code.de> <9e0cf0bf0801120121s46132699lb5182b66269cf9e7@mail.gmail.com> Message-ID: <87ejcldcjl.wl%marcus.brinkmann@ruhr-uni-bochum.de> At Sat, 12 Jan 2008 11:21:48 +0200, "Alon Bar-Lev" wrote: > BTW: Waiting for new release of gpgme with all fixed. There will not be a release just for fixing the test suite with gpg2. Thanks, Marcus From alon.barlev at gmail.com Sun Jan 13 17:47:31 2008 
From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Sun, 13 Jan 2008 18:47:31 +0200 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <87ejcldcjl.wl%marcus.brinkmann@ruhr-uni-bochum.de> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com> <87ejco45u1.fsf@wheatstone.g10code.de> <9e0cf0bf0801120121s46132699lb5182b66269cf9e7@mail.gmail.com> <87ejcldcjl.wl%marcus.brinkmann@ruhr-uni-bochum.de> Message-ID: <9e0cf0bf0801130847s10d9cc45gcee7907cbb78e9f2@mail.gmail.com> On 1/13/08, Marcus Brinkmann wrote: > At Sat, 12 Jan 2008 11:21:48 +0200, > "Alon Bar-Lev" wrote: > > BTW: Waiting for new release of gpgme with all fixed. > > There will not be a release just for fixing the test suite with gpg2. How do you expect we push this to users this way? We will get a lot of bugs opened by users who find this, wasting our time. Please release a new version or official patch (it is the same thing). Alon. From gpgme at katehok.ac93.org Sun Jan 13 18:50:52 2008 
From: gpgme at katehok.ac93.org (Igor Belyi) Date: Sun, 13 Jan 2008 12:50:52 -0500 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <9e0cf0bf0801130847s10d9cc45gcee7907cbb78e9f2@mail.gmail.com> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com> <87ejco45u1.fsf@wheatstone.g10code.de> <9e0cf0bf0801120121s46132699lb5182b66269cf9e7@mail.gmail.com> <87ejcldcjl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801130847s10d9cc45gcee7907cbb78e9f2@mail.gmail.com> Message-ID: <478A4F7C.1020303@katehok.ac93.org> Just my couple cents. Alon Bar-Lev wrote: > How do you expect we push this to users this way? > We will get a lot of bugs opened by users who find this, wasting our time. > Please release a new version or official patch (it is the same thing). > > Alon. > The beauty of GPL is that if you as a maintainer of a Gentoo package think that Gentoo will be better off with the behavior changed, you are free to do that. Debian package maintainers do that all the time - they get upstream source and then keep a bunch of patches to make it Debian friendly or to have fixes for their users faster. Yes, if the number of those patches grows too much - you have a problem and may need to take care of pushing them back to the mainstream or in extreme cases fork out the whole product. You basically need to decide where your efforts are better spent - trying to convince the upstream maintainer or maintaining this patch compatible with next releases. In short, there's no point in getting personal (even if a person is a distro). You have an editor and a compiler, right? That's all you need! Cheers, Igor From alon.barlev at gmail.com Sun Jan 13 18:59:17 2008
From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Sun, 13 Jan 2008 19:59:17 +0200 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <478A4F7C.1020303@katehok.ac93.org> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com> <87ejco45u1.fsf@wheatstone.g10code.de> <9e0cf0bf0801120121s46132699lb5182b66269cf9e7@mail.gmail.com> <87ejcldcjl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801130847s10d9cc45gcee7907cbb78e9f2@mail.gmail.com> <478A4F7C.1020303@katehok.ac93.org> Message-ID: <9e0cf0bf0801130959w20cb766ev387f799697e93f2f@mail.gmail.com> On 1/13/08, Igor Belyi wrote: > The beauty of GPL is that if you as a maintainer of a Gentoo package think > that Gentoo will be better off with the behavior changed, you are free to > do that. Debian package maintainers do that all the time - they get > upstream source and then keep a bunch of patches to make it Debian > friendly or to have fixes for their users faster. Yes, if the number of those > patches grows too much - you have a problem and may need to take care of > pushing them back to the mainstream or in extreme cases fork out the > whole product. You basically need to decide where your efforts are > better spent - trying to convince the upstream maintainer or maintaining this > patch compatible with next releases. > > In short, there's no point in getting personal (even if a person is a > distro). You have an editor and a compiler, right? That's all you need! Gee.... Thanks for clearing this! But if upstream releases a product without proper QA (in this case with its own products!!!), I see no reason why the work should be delegated downstream. I work with many types of people and upstreams; g10 is the hardest to work with, and this also affects the service its users get.
gnupg-2.0.8 is already not provided to our users, gpgme-1.6 the same. If other downstreams will create patches for these, I will gladly add them; I just don't understand why an upstream which is aware of an issue does not release a fix. BTW: Look at the changelog of the last couple of versions, you will notice how many patches from Gentoo were accepted... And still we are left with some patches/tweaks. Alon. From gpgme at katehok.ac93.org Sun Jan 13 19:33:42 2008
From: gpgme at katehok.ac93.org (Igor Belyi) Date: Sun, 13 Jan 2008 13:33:42 -0500 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <9e0cf0bf0801130959w20cb766ev387f799697e93f2f@mail.gmail.com> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com> <87ejco45u1.fsf@wheatstone.g10code.de> <9e0cf0bf0801120121s46132699lb5182b66269cf9e7@mail.gmail.com> <87ejcldcjl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801130847s10d9cc45gcee7907cbb78e9f2@mail.gmail.com> <478A4F7C.1020303@katehok.ac93.org> <9e0cf0bf0801130959w20cb766ev387f799697e93f2f@mail.gmail.com> Message-ID: <478A5986.6080903@katehok.ac93.org> Alon Bar-Lev wrote: > On 1/13/08, Igor Belyi wrote: > >> In short, there's no point in getting personal (even if a person is a >> distro). You have an editor and a compiler, right? That's all you need! >> > > Gee.... Thanks for clearing this! > You are welcome. ;) > But if upstream releases a product without proper QA (in this case with > its own products!!!), I see no reason why the work should be delegated > downstream. > There could be any number of reasons - for example, they don't have enough people for this. A missed failing test usually does not affect end users and thus does not justify a new release. > I work with many types of people and upstreams, g10 is the hardest > to work with, and this also affects the service its users get. > That's the beauty of life - people are different. Some are hard, some are easy. Even users are different - I don't hear many complaints about g10 from users. Plus, the "hard" part could also come from the lack of resources they have - I don't believe anyone is hard on you on purpose. > gnupg-2.0.8 is already not provided to our users, gpgme-1.6 the same.
> If other downstream will create patch for these, I will gladly add,
> I just don't understand why upstream which aware of an issue does not
> release a fix.

Are we still talking about a fix in a test? The easiest solution is not
to run this failing one, do you want somebody else to create a patch for
you for that?! I suspect I missed something - I thought you were pushing
a change in the main code.

> BTW: Look at the changelog of last couple of version, you will notice how
> many patches from Gentoo were accepted... And still we left with some
> patches/tweecks.

I'm very happy to hear that. That's the way to make the world a happier
place! Some patches/tweaks left is not a problem on a grand scale. Life
will be such a waste without some exciting patches made by brave distro
maintainers. :)

Cheers,
Igor

From marcus.brinkmann at ruhr-uni-bochum.de Sun Jan 13 20:17:38 2008
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Sun, 13 Jan 2008 20:17:38 +0100
Subject: [Announce] GPGME 1.1.6 released
In-Reply-To: <9e0cf0bf0801130959w20cb766ev387f799697e93f2f@mail.gmail.com>
References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com> <87ejco45u1.fsf@wheatstone.g10code.de> <9e0cf0bf0801120121s46132699lb5182b66269cf9e7@mail.gmail.com> <87ejcldcjl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801130847s10d9cc45gcee7907cbb78e9f2@mail.gmail.com> <478A4F7C.1020303@katehok.ac93.org> <9e0cf0bf0801130959w20cb766ev387f799697e93f2f@mail.gmail.com>
Message-ID: <878x2tcz71.wl%marcus.brinkmann@ruhr-uni-bochum.de>

At Sun, 13 Jan 2008 19:59:17 +0200, "Alon Bar-Lev" wrote:
> But if upstream releases product without proper QA (this case with
> its own products!!!), I see no reason why the work should be delegated
> downstream.

The GPGME release was tested with gpg, not gpg2. gpg is what GPGME
configure searches for and uses by default. But now that gpg2 starts to
get used more frequently, I think it makes sense to add a compilation
against gpg2 to the pre-release test procedure.

> I work with many types of people and upstreams, g10 is the hardest
> to work with, this also effect the service its users get.
>
> gnupg-2.0.8 already not provided to our users, gpgme-1.6 the same.
> If other downstream will create patch for these, I will gladly add,
> I just don't understand why upstream which aware of an issue does not
> release a fix.

Because making a release costs time and money. Not only for g10 Code,
but also for all distributions etc. who want to stay up to date. By
requesting a release one is effectively saying that the changes since
the last release are worth these costs, and in this case I don't think
so.
> BTW: Look at the changelog of last couple of version, you will notice how
> many patches from Gentoo were accepted... And still we left with some
> patches/tweecks.

Sometimes things fall off the table. If you send me a list with open
issues I can respond to them specifically and individually.

Thanks,
Marcus Brinkmann

--
g10 Code GmbH        http://g10code.com        AmtsGer. Wuppertal HRB 14459
Hüttenstr. 61        Geschäftsführung Werner Koch
D-40699 Erkrath      -=- The GnuPG Experts -=-  USt-Id DE215605608

From alan-jenkins at tuffmail.co.uk Sun Jan 13 22:10:14 2008
From: alan-jenkins at tuffmail.co.uk (Alan Jenkins)
Date: Sun, 13 Jan 2008 21:10:14 +0000
Subject: gpg-agent timer tick
In-Reply-To: <87bq7qn9i6.fsf@wheatstone.g10code.de>
References: <4787A2B7.4020806@tuffmail.co.uk> <87ejconsa1.fsf@wheatstone.g10code.de> <4787F84C.9080409@tuffmail.co.uk> <87bq7qn9i6.fsf@wheatstone.g10code.de>
Message-ID: <478A7E36.1070208@tuffmail.co.uk>

Werner Koch wrote:
> On Sat, 12 Jan 2008 00:14, alan-jenkins at tuffmail.co.uk said:
>
>> that there are many programs which do the same. Say you have four
>> programs that do exactly the same thing. Then the CPU is potentially
>> waking up every half a second, which is not so good.
>
> I understand. In a conventional programming environment it is usually
> the best to distribute CPU work most evenly over the time and thus
> making sure that not all timers fire exactly at the full seconds or so.
> Well for power saving this is different. gpg-agent should do something
> about it.
>
>> second no matter how many programs use it. Redhat have hacked several
>> programs they distribute to round their wakeups to the nearest second
>> and perhaps gpg-agent could do the same.
>
> Shall we change the timer code to do just that? Run on the full even
> second?
>
>> the simpler cases that cross my path. I don't know if there's
>> anything I can say to inspire you, but it's one of the things the
>
> I know. However I have not thought that gpg-agent is really a candidate
> for it. You convinced me.
>
>> Yes, that sure would be annoying. That's not quite what happens
>> though. Child processes aren't automatically killed when their parent
>> terminates. The reason that seems to happen with shells is that the
>> shell is a "session leader"; it starts commands in the same "session",
>
> I know. However, the current code is pretty well matured and I don't
> want to add new bugs right now.
> In particular not if we need a timer anyway and if the change to sync
> all timer events will be easier than changing this code.
>
>> I did wonder about the generic name (handle_tick()). You don't need a
>> ticker though; you can use a timer. You don't need to say "wake
>> me up every 10 seconds so I can see if I need to do anything"; you can
>> say "the user's passphrase is going to expire in half an hour; wake me
>> up at that point". If you have multiple timers or timers that need
>> cancelling or readjusting, it may end up slightly easier / clearer if
>> you use the timers in libpth.
>
> I think that this code would be more complex than a timer tick to handle
> such things.
>
>> Many thanks! (I think you deserve them if you read this entire email).
>
> I assigned bug 871 to it.

Thanks. OK, I think I understand your points.

I think the best thing would be if the timer tick could be changed to 10
seconds (by default). It's a one line change; you said you thought it'd
be OK, and it's also what openssh-agent does. I don't know of any
difference between ssh-agent and gpg-agent that means the latter needs
to wake up 5 times as often.

If you do that, I don't think it's worth rounding the timeouts to the
nearest second. It wouldn't really help; you can only save 0.1 wake-ups
a second, and if you manage to do that it's probably because you're
sharing wake-ups with something running at 1 wakeup a second.

---

I had another look at how gpg-agent was getting started on my system,
and it turned out it's not even asked to run a command. So what it's
doing is waking up every two seconds and going "nope, I didn't run a
command, so I don't need to check it's still running", and going back to
sleep again :-). So as used on my system, the timer tick could be
disabled completely. That still leaves the problem of implementing
passphrase expiry and other timeouts in future though.
I looked a bit harder at libpth and I can see that using timers would
involve more code than a timer tick. I do think using timers is the
"right way to do it" though - no unnecessary wake-ups, no reason to
limit precision. I would argue that it wouldn't increase the internal
complexity - it's more a matter of additional lines of code and
additional exposure to potential "gotchas" in libpth. And in this case
it's not a matter of ripping out mature code and rewriting it with added
bugs. You don't have any timeouts in there yet, so when you do add them
it'll be new code either way.

---

For waiting for a command to finish, I am forced to concede that any
technique I propose will lack the elegance of simplicity :-). It was an
interesting exercise though. In particular adding an extra process as a
parent of the command causes problems in at least one case I can think
of - gpg-agent goes into an infinite loop, user runs "killall
gpg-agent"; they end up killing the parent process because it has the
same name, and they lose their session.

I think the reason this is awkward is that gpg-agent is a console
program which is used in an X11 world. If gpg-agent was only run from
console logins, it could preserve its controlling TTY and it'd be killed
when the user logged out. If it was an X11 program, it could run without
a TTY and rely on X session management to tell it when the session
ended. I don't think that's going to happen though.

Hope this has been useful.

Alan
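The deadline-driven alternative to a timer tick that the thread argues about, as an added example (this is not gpg-agent's code and does not use libpth): an event loop that sleeps until the earliest armed deadline instead of waking on a fixed tick, with Werner's "run on the full second" coalescing as an option. The clock is a plain `double` so the loop can be simulated offline; the cache entries and keygrips are constructed stand-ins for the agent's passphrase cache.

```c
/* Added example: deadline timers versus a periodic tick.  Not gpg-agent
 * code; the clock is a simulated double rather than libpth's timers. */
#include <stdio.h>
#include <string.h>

#define MAX_TIMERS 16

typedef void (*timer_cb)(void *arg);

struct timer { double due; timer_cb cb; void *arg; int active; };
struct timer_list { struct timer t[MAX_TIMERS]; };

/* Arm a callback for absolute time `due`.  Returns the slot used, or -1
   when every slot is taken. */
int timer_add(struct timer_list *tl, double due, timer_cb cb, void *arg)
{
    for (int i = 0; i < MAX_TIMERS; i++) {
        if (!tl->t[i].active) {
            tl->t[i].due = due; tl->t[i].cb = cb;
            tl->t[i].arg = arg; tl->t[i].active = 1;
            return i;
        }
    }
    return -1;
}

/* How long the loop may sleep from `now`: distance to the earliest armed
   deadline, 0 if one is already due, -1 if nothing is armed (block).
   With coalesce != 0 the deadline is rounded up to the next full second,
   so several daemons doing the same share one CPU wakeup. */
double timer_next_timeout(const struct timer_list *tl, double now, int coalesce)
{
    double best = -1;
    for (int i = 0; i < MAX_TIMERS; i++)
        if (tl->t[i].active && (best < 0 || tl->t[i].due < best))
            best = tl->t[i].due;
    if (best < 0)
        return -1;
    if (coalesce) {                       /* ceil() without <math.h> */
        double whole = (double)(long long)best;
        best = (whole < best) ? whole + 1.0 : whole;
    }
    return best > now ? best - now : 0;
}

/* Fire and disarm every timer whose deadline has passed; returns how
   many callbacks ran. */
int timer_run_expired(struct timer_list *tl, double now)
{
    int ran = 0;
    for (int i = 0; i < MAX_TIMERS; i++) {
        if (tl->t[i].active && tl->t[i].due <= now) {
            tl->t[i].active = 0;
            tl->t[i].cb(tl->t[i].arg);
            ran++;
        }
    }
    return ran;
}

/* Constructed stand-in for a passphrase-cache entry; the callback is the
   "passphrase expires in half an hour; wake me then" case. */
struct cache_entry { const char *keygrip; int cached; };
static void expire_entry(void *arg) { ((struct cache_entry *)arg)->cached = 0; }

/* Wakeups needed to expire two entries (TTL 600 s and 1800 s) when the
   loop wakes on a fixed tick versus only at the deadlines. */
int count_wakeups(int use_tick, double tick)
{
    struct timer_list tl;
    struct cache_entry a = { "KEYGRIP-A-placeholder", 1 };
    struct cache_entry b = { "KEYGRIP-B-placeholder", 1 };
    double now = 0;
    int wakeups = 0;

    memset(&tl, 0, sizeof tl);
    timer_add(&tl, 600.0, expire_entry, &a);
    timer_add(&tl, 1800.0, expire_entry, &b);
    while (a.cached || b.cached) {
        double sleep = use_tick ? tick : timer_next_timeout(&tl, now, 0);
        if (sleep < 0)
            break;                        /* nothing armed: would block */
        now += sleep;
        wakeups++;
        timer_run_expired(&tl, now);
    }
    return wakeups;
}

int main(void)
{
    printf("2 s tick:  %d wakeups\n", count_wakeups(1, 2.0));
    printf("deadlines: %d wakeups\n", count_wakeups(0, 0));
    return 0;
}
```

With a 2-second tick the loop wakes 900 times to expire the two entries; with deadlines it wakes twice. `timer_next_timeout()` is what you would feed to `select()` (or `pth_select()`) as the timeout, and the coalesce flag is the one-line place to apply the full-second rounding Werner suggested.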
From: thomas at maier-komor.de (Thomas Maier-Komor)
Date: Sat, 12 Jan 2008 14:06:33 +0100
Subject: gnupg2 on solaris10-sparc
Message-ID: <4788BB59.4060904@maier-komor.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I had to do some adjustments to get gnupg 2 to compile on solaris10-sparc:

./configure --prefix=/opt/local CC=cc CFLAGS=-xO3 "LDFLAGS=-R/opt/local/lib -R/opt/csw/lib -liconv -lgpg-error"

RUNPATH should be picked up for the libraries needed by gpg, otherwise
one has to set LD_LIBRARY_PATH, which is highly discouraged.

-liconv and -lgpg-error must be added at the end, because Sun's ld
always only collects symbols and libraries that have already been
referenced. So either move -liconv to the end or add it another time at
the end.

add "-L../jnlib/ -ljnlib" in keyserver for target gpg2keys_finger
add "-L../jnlib/ -ljnlib -lintl" in keyserver for targets gpg2keys_hkp gpg2keys_curl

tests/asschk.c:311 macro __FUNCTION__ isn't known to Sun Studio

That's about it - great software! I'd be happy if you could patch the
build process accordingly.

Thanks,
Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (SunOS)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHiLtY6U+hp8PKQZIRAuywAJ93vsuzE3R1s3j6AThwRkaxhbZW9ACfScnc
vITAFmx0mqHHLfeoQSU0tQk=
=Bmgx
-----END PGP SIGNATURE-----

From wk at gnupg.org Mon Jan 14 19:47:07 2008
From: wk at gnupg.org (Werner Koch)
Date: Mon, 14 Jan 2008 19:47:07 +0100
Subject: [Peter Gutmann] Public-key distribution via HTTP
Message-ID: <87myr8kzx0.fsf@wheatstone.g10code.de>

An embedded message was scrubbed...
From: pgut001 at cs.auckland.ac.nz (Peter Gutmann)
Subject: Public-key distribution via HTTP
Date: Sat, 12 Jan 2008 21:17:40 +1300
Size: 4012
URL:
-------------- next part --------------
--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From wk at gnupg.org Thu Jan 17 18:01:43 2008
From: wk at gnupg.org (Werner Koch)
Date: Thu, 17 Jan 2008 18:01:43 +0100
Subject: gnupg2 on solaris10-sparc
In-Reply-To: <4788BB59.4060904@maier-komor.de> (Thomas Maier-Komor's message of "Sat, 12 Jan 2008 14:06:33 +0100")
References: <4788BB59.4060904@maier-komor.de>
Message-ID: <87abn4e688.fsf@wheatstone.g10code.de>

On Sat, 12 Jan 2008 14:06, thomas at maier-komor.de said:

> I had to do some adjustments to get gnupg 2 to compile on solaris10-sparc:
>
> ./configure --prefix=/opt/local CC=cc CFLAGS=-xO3
> "LDFLAGS=-R/opt/local/lib -R/opt/csw/lib -liconv -lgpg-error"

I'll look at that.

> tests/asschk.c:311 macro __FUNCTION__ isn't know to Sun Studio

Fixed:

	* asschk.c (read_assuan): Use __func__ instead of __FUNCTION__.

Can you please run

  gpgsm --version

which shows GnuPG's version as well as the versions of the libraries
used.

Thanks,

  Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From alan-jenkins at tuffmail.co.uk Fri Jan 18 20:13:49 2008
From: alan-jenkins at tuffmail.co.uk (Alan Jenkins)
Date: Fri, 18 Jan 2008 19:13:49 +0000
Subject: gpg-agent timer tick
In-Reply-To: <478A7E36.1070208@tuffmail.co.uk>
References: <4787A2B7.4020806@tuffmail.co.uk> <87ejconsa1.fsf@wheatstone.g10code.de> <4787F84C.9080409@tuffmail.co.uk> <87bq7qn9i6.fsf@wheatstone.g10code.de> <478A7E36.1070208@tuffmail.co.uk>
Message-ID: <4790FA6D.5000003@tuffmail.co.uk>

Alan Jenkins wrote:
> Werner Koch wrote:
>
>> I assigned bug 871 to it.
>
> Thanks. OK, I think I understand your points.
>
> I think the best thing would be if the timer tick could be changed to
> 10 seconds (by default). It's a one line change; you said you thought
> it'd be OK, and its also what openssh-agent does. I don't know of any
> difference between ssh-agent and gpg-agent that means the latter needs
> to wake up 5 times as often.
>
> If you do that, I don't think it's worth rounding the timeouts to the
> nearest second. It wouldn't really help; you can only save 0.1
> wake-ups a second - and if you manage to do that, it's probably
> because you're sharing wake-ups with something running at 1 wakeup a
> second.

Going from 1.1 to 1.0 isn't much of an improvement.

Did that make sense?

Thanks,
Alan

From bjk at luxsci.net Sat Jan 19 18:52:11 2008
From: bjk at luxsci.net (Ben Kibbey)
Date: Sat, 19 Jan 2008 12:52:11 -0500
Subject: assuan external loop over socket
In-Reply-To: <878x3tqpjz.wl%marcus.brinkmann@ruhr-uni-bochum.de>
References: <200710251400.l9PE05WX010150@rs19.luxsci.com> <87myu6xap6.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200712021750.lB2Ho2Wg013657@rs41.luxsci.com> <87eje3aka2.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200712151734.lBFHY2UD027812@rs41.luxsci.com> <878x3tqpjz.wl%marcus.brinkmann@ruhr-uni-bochum.de>
Message-ID: <200801191753.m0JHr21t024900@rs41.luxsci.com>

On Mon, Dec 17, 2007 at 05:00:31PM +0100, Marcus Brinkmann wrote:
> > I did find another use
> > in my app for external IO over a socket, so the sooner this feature can
> > get added, the better. :)
>
> Did you consider not using assuan_transact for asynchronous operations
> a la GPGME? Even if this is not the best solution, it would help me
> if you could say that doing so would address your use case completely,
> or if you see other interfaces to be affected.

Basically I don't want a client to wait for a command to complete on the
server. As it is now, my client uses assuan_transact() to send the
command and then has to wait for a result. The command is a key
retrieval via pinentry and may take some time to complete.

Are you recommending using GPGME or just async IO like GPGME? If I were
to select() on the socket FD I would just use assuan_write_line() and
assuan_read_line() and do the parsing myself?

Thanks,
--
Benjamin J. Kibbey
bjk at luxsci.net/jabber/freenode
3019 F5FC AA33 5BC7 BE9F 09D2 393E DBD2 40D5 FA7E

From marcus.brinkmann at ruhr-uni-bochum.de Sat Jan 19 20:00:45 2008
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: Sat, 19 Jan 2008 20:00:45 +0100
Subject: assuan external loop over socket
In-Reply-To: <200801191753.m0JHr21t024900@rs41.luxsci.com>
References: <200710251400.l9PE05WX010150@rs19.luxsci.com> <87myu6xap6.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200712021750.lB2Ho2Wg013657@rs41.luxsci.com> <87eje3aka2.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200712151734.lBFHY2UD027812@rs41.luxsci.com> <878x3tqpjz.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200801191753.m0JHr21t024900@rs41.luxsci.com>
Message-ID: <87wsq5abdu.wl%marcus.brinkmann@ruhr-uni-bochum.de>

At Sat, 19 Jan 2008 12:52:11 -0500, Ben Kibbey wrote:
>
> On Mon, Dec 17, 2007 at 05:00:31PM +0100, Marcus Brinkmann wrote:
> > > I did find another use
> > > in my app for external IO over a socket, so the sooner this feature can
> > > get added, the better. :)
> >
> > Did you consider not using assuan_transact for asynchronous operations
> > a la GPGME? Even if this is not the best solution, it would help me
> > if you could say that doing so would address your use case completely,
> > or if you see other interfaces to be affected.
>
> Basically I don't want a client to wait for a command to complete on the
> server. As it is now, my client uses assuan_transact() to send the
> command and then has to wait for a result. The command is a key
> retrieval via pinentry and may take some time to complete.

Right, assuan_transact is not designed to be used asynchronously.

> Are you recommending using GPGME or just async IO like GPGME?

The latter (assuming that GPGME does not provide what you need).

> If I were
> to select() on the socket FD I would just use assuan_write_line() and
> assuan_read_line() and do the parsing myself?

Yes. It's only comments, OK, D, and ERR lines you have to parse. Well,
and INQUIRE if you need that. That's not insubstantial code, so some
support from assuan may be useful.
Maybe a function that parses a line for status/err/ok/data/inquire? Ie,
only the line parser part from assuan_transact? I am not sure assuan can
do much more than that for you without a whole lot of more
infrastructure in libassuan.

I am open for suggestions on this one. I agree it is not suboptimal, but
looking at GPGME, most of the complexity comes from places where
libassuan can't help.

libassuan is then reduced to connection build-up and low-level I/O.
Better than nothing, hu? :)

Thanks,
Marcus
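The "line parser part of assuan_transact" that Marcus describes, as an added example (this is not libassuan code and not anything posted in the thread): a classifier for the response lines a client sees when it drives the socket itself with select() plus assuan_read_line(). It covers the OK, ERR, D, INQUIRE and comment lines named above and also S (status) lines, which Assuan servers send as well; the sample lines and the ERR code are constructed, and the line-length limit is taken from libassuan's ASSUAN_LINELENGTH (1000 bytes plus terminator). Lines are assumed to arrive one at a time as NUL-terminated strings without the trailing LF.

```c
/* Added example: classify Assuan server response lines.  Not libassuan
 * code; input lines are NUL-terminated, LF already stripped. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define ASSUAN_MAXLINE 1000   /* libassuan: 1000 bytes + line terminator */

enum assuan_kind {
    ASSUAN_BAD,      /* malformed or overlong line                */
    ASSUAN_OK,       /* "OK [text]"        command finished       */
    ASSUAN_ERR,      /* "ERR code [text]"  command failed         */
    ASSUAN_STATUS,   /* "S keyword [args]" status information     */
    ASSUAN_DATA,     /* "D bytes"          percent-escaped payload*/
    ASSUAN_INQUIRE,  /* "INQUIRE keyword"  server wants D.../END  */
    ASSUAN_COMMENT   /* "# ..."            may be ignored         */
};

struct assuan_resp {
    enum assuan_kind kind;
    unsigned long errcode;                  /* ERR only */
    char text[ASSUAN_MAXLINE + 1];          /* OK/ERR text, S/INQUIRE args */
    unsigned char data[ASSUAN_MAXLINE + 1]; /* decoded D payload */
    size_t datalen;
};

/* Undo the %XX escaping of a D line (%, CR and LF are always escaped).
   Returns the decoded length, or (size_t)-1 on a truncated/bad escape. */
static size_t percent_decode(const char *src, size_t len, unsigned char *dst)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (src[i] != '%') { dst[n++] = (unsigned char)src[i]; continue; }
        if (i + 2 >= len || !isxdigit((unsigned char)src[i + 1])
                         || !isxdigit((unsigned char)src[i + 2]))
            return (size_t)-1;
        char hex[3] = { src[i + 1], src[i + 2], 0 };
        dst[n++] = (unsigned char)strtoul(hex, NULL, 16);
        i += 2;
    }
    return n;
}

/* Classify one response line.  Returns 0 on success, -1 if malformed;
   out->kind is always set (ASSUAN_BAD on failure). */
int parse_assuan_line(const char *line, struct assuan_resp *out)
{
    size_t len = strlen(line);
    memset(out, 0, sizeof *out);
    out->kind = ASSUAN_BAD;
    if (len > ASSUAN_MAXLINE)
        return -1;                          /* protocol violation */
    if (len && line[len - 1] == '\r')       /* tolerate CRLF terminators */
        len--;
    if (len >= 1 && line[0] == '#') {
        out->kind = ASSUAN_COMMENT; return 0;
    }
    if (len >= 2 && !memcmp(line, "OK", 2) && (len == 2 || line[2] == ' ')) {
        if (len > 3) memcpy(out->text, line + 3, len - 3);
        out->kind = ASSUAN_OK; return 0;
    }
    if (len > 4 && !memcmp(line, "ERR ", 4)) {
        char *end;
        out->errcode = strtoul(line + 4, &end, 10);
        if (end == line + 4) return -1;     /* ERR needs a numeric code */
        while (end < line + len && *end == ' ') end++;
        memcpy(out->text, end, (size_t)(line + len - end));
        out->kind = ASSUAN_ERR; return 0;
    }
    if (len >= 2 && line[0] == 'S' && line[1] == ' ') {
        memcpy(out->text, line + 2, len - 2);
        out->kind = ASSUAN_STATUS; return 0;
    }
    if (len >= 2 && line[0] == 'D' && line[1] == ' ') {
        size_t n = percent_decode(line + 2, len - 2, out->data);
        if (n == (size_t)-1) return -1;
        out->datalen = n;
        out->kind = ASSUAN_DATA; return 0;
    }
    if (len > 8 && !memcmp(line, "INQUIRE ", 8)) {
        memcpy(out->text, line + 8, len - 8);
        out->kind = ASSUAN_INQUIRE; return 0;
    }
    return -1;
}

/* Constructed sample of what a pinentry-backed key retrieval might send
   back (not captured from a real agent; the ERR code is made up). */
static const char *const SAMPLE[] = {
    "# agent greeting", "S PROGRESS pinentry 0 0", "INQUIRE PASSPHRASE",
    "D key%25material%0Aline two", "OK", "ERR 99 Operation cancelled", NULL
};

/* Feed SAMPLE through the parser.  Returns the count of well-formed lines;
   *completed counts OK/ERR lines, i.e. how often a select() loop would
   learn that the pending command has finished. */
int drive_sample(int *completed)
{
    int good = 0;
    *completed = 0;
    for (int i = 0; SAMPLE[i]; i++) {
        struct assuan_resp r;
        if (parse_assuan_line(SAMPLE[i], &r) == 0) good++;
        if (r.kind == ASSUAN_OK || r.kind == ASSUAN_ERR) (*completed)++;
    }
    return good;
}

int main(void)
{
    int completed, good = drive_sample(&completed);
    printf("%d well-formed lines, %d command completions\n", good, completed);
    return 0;
}
```

A select()-driven client calls `parse_assuan_line()` on every line `assuan_read_line()` hands back, treats OK/ERR as "command done", answers INQUIRE with D lines and END, and drops the connection on -1 rather than guessing at a malformed line.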
From: bjk at luxsci.net (Ben Kibbey)
Date: Sat, 19 Jan 2008 15:06:00 -0500
Subject: assuan external loop over socket
In-Reply-To: <87wsq5abdu.wl%marcus.brinkmann@ruhr-uni-bochum.de>
References: <200710251400.l9PE05WX010150@rs19.luxsci.com> <87myu6xap6.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200712021750.lB2Ho2Wg013657@rs41.luxsci.com> <87eje3aka2.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200712151734.lBFHY2UD027812@rs41.luxsci.com> <878x3tqpjz.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200801191753.m0JHr21t024900@rs41.luxsci.com> <87wsq5abdu.wl%marcus.brinkmann@ruhr-uni-bochum.de>
Message-ID: <200801192007.m0JK71R3025572@rs41.luxsci.com>

On Sat, Jan 19, 2008 at 08:00:45PM +0100, Marcus Brinkmann wrote:
> > Are you recommending using GPGME or just async IO like GPGME?
>
> The latter (assuming that GPGME does not provide what you need).
>
> > If I were
> > to select() on the socket FD I would just use assuan_write_line() and
> > assuan_read_line() and do the parsing myself?
>
> Yes. It's only comments, OK, D, and ERR lines you have to parse.
> Well, and INQUIRE if you need that. That's not insubstantial code, so
> some support from assuan may be useful. Maybe a function that parses
> a line for status/err/ok/data/inquire? Ie, only the line parser part
> from assuan_transact? I am not sure assuan can do much more than that
> for you without a whole lot of more infrastructure in libassuan.

Seems easy enough.

> I am open for suggestions on this one. I agree it is not suboptimal,
> but looking at GPGME, most of the complexity comes from places where
> libassuan can't help.
>
> libassuan is then reduced to connection build-up and low-level I/O.
> Better than nothing, hu? :)

Without a doubt. Thanks.

--
Benjamin J. Kibbey
bjk at luxsci.net/jabber/freenode
3019 F5FC AA33 5BC7 BE9F 09D2 393E DBD2 40D5 FA7E

From bernhard at intevation.de Wed Jan 23 09:13:44 2008
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 23 Jan 2008 09:13:44 +0100
Subject: GnuPG Summer riddle 2007
Message-ID: <200801230913.49178.bernhard@intevation.de>

-------------- next part --------------
Dear GnuPG Experts,

for your pleasure I am presenting the first GnuPG Summer Riddle! 20080123ber

Rules:
a) To not spoil the fun for others, please indicate "SOLUTION" in email
   followups, if you think you've got it.
b) The applications below use the python interpreter with #!/usr/bin/python,
   have been tested on Debian Sarge and Sid with python2.3, 2.4 and 2.5 and
   do not depend on external factors like a manipulated binary or operating
   system. They are safe to run and signed with my key (as you will see).
c) For extra difficulty: Do not look into the application files.
d) The only reward this riddle offers is confidence in your analytic skills.
e) No need to cry "Wolf!" - no signatures nor cryptographic algorithms have
   been harmed by this riddle. Werner has been notified this summer ...

Story:
It was one of these summer nights in August 2007. The weather was hot and
humid so I could not sleep, but I also was too tired to do real work and
thus me and my Officer of Out-Of-Planet-operations hang around on IRC.
Chatchatting and wasting time, suddenly a strange visitor dropped in.
Well, it takes a while until somebody qualifies as "strange" on IRC, but
this person certainly did.

*** Spoff (n=Spoff at 212.22.103.87) has joined channel #gnupg
Spooff: Hi there, anybody home?
#gnupg> Yes, barely. ;)
Are you Earth's crypto experts?
#gnupg> Not really.
I am just flying by and checked up on the "GnuPG" software. Quite
+ interesting .. but not really advanced by galatic standards.
Tell us how to improve it.
No time to teach you, it also would violate ethic standard #F451.
#gnupg> Hey, proof it!
If you make a signature I can easily run a different file through
+ my little application and it will have the same signature.
/me laughs out loud.
* Spoff prepares to send an example file.
*** DCC file send request [2] from Spoff[@212.22.103.87]: manglesig (9312 bytes)
Spoff is n=Spoff at 212.22.103.87 (Spaceman Spoff)
*** On channels #gnupg
*** Via server calvino.freenode.net (Milan, IT)
Where are you from?
I am from planet a-s-n, way outside of your solar system.
+ Studying some of your culture has been fun, I am jumping to the next station soon.
Bye and thanks for all the crypto!j
*** Signoff: Spoff has quit (Ping Timeout.)

Okay, I now had this binary on my harddisc. So far so good. My curiosity
was tickled. I have used a qemu based sandbox system (its clock being
screwed) and gave it a try and it worked! Wow! This was really cool!!!

And now to the sad part of the story: To my and your dismay, I have made
a mistake - probably because I am tired, while cleaning up some of the
experiments, I accidentally deleted the binary called "manglesig". ;((

I have tried the rest of the night, but in the morning I thought I might
have all dreamed it, but I could recover one of the examples which I am
attaching to this email. Three files "app4.py", "app5.py" and a signature
of app4.py. See for yourself:

export LANG=en_GB
gpg2 --version | grep ver
License GPLv3+: GNU GPL version 3 or later
gpg2 --verify app4.py.sig app4.py
gpg: Signature made Thu Aug 23 17:37:49 2007 CEST using DSA key ID DA4A1116
gpg: Good signature from "Bernhard Reiter "
gpg2 --verify app4.py.sig app5.py
gpg: Signature made Thu Aug 23 17:37:49 2007 CEST using DSA key ID DA4A1116
gpg: Good signature from "Bernhard Reiter "
./app4.py
Hi, I'm your app tonight.
./app5.py
Showing resistors is futile, you will be policed!

How is this possible???

-------------- next part --------------
A non-text attachment was scrubbed...
Name: gsr1.7z
Type: application/octet-stream
Size: 396 bytes
Desc: not available
URL:
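An added example, neither part of the riddle nor a solution the page gives (it states none): what an OpenPGP signature actually covers, and why two byte-different files can both verify against one of them without any algorithm being harmed. A binary signature (signature type 0x00) is over the raw bytes; a text-document signature (type 0x01, RFC 4880 section 5.2.1) is over the document with every line ending converted to CR LF, so files that differ only in line endings are the same document to the verifier. The signature type is the "sigclass" that `gpg --list-packets` prints for a detached signature; the packet, the two one-line "scripts" and the dummy MPIs below are all constructed, and the packet is syntactically valid but is not a real signature.

```c
/* Added example: binary vs. text-mode OpenPGP signatures.  Constructed
 * inputs throughout; not GnuPG code and not the riddle's files. */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* RFC 4880 canonical text form: LF and CR LF both become CR LF (a lone
   CR is kept as data here).  Returns a malloc'd buffer, length in *outlen. */
unsigned char *canonical_text(const unsigned char *in, size_t len, size_t *outlen)
{
    unsigned char *out = malloc(2 * len + 1);   /* worst case: all LF */
    size_t n = 0;
    if (!out) return NULL;
    for (size_t i = 0; i < len; i++) {
        if (in[i] == '\n' || (in[i] == '\r' && i + 1 < len && in[i + 1] == '\n')) {
            out[n++] = '\r'; out[n++] = '\n';
            if (in[i] == '\r') i++;                 /* swallow the LF of CR LF */
        } else
            out[n++] = in[i];
    }
    *outlen = n;
    return out;
}

/* 1 if a and b are the same signed document under signature type
   `sigtype` (a signature valid for one verifies the other), 0 if not,
   -1 on error/unsupported type. */
int same_signed_document(int sigtype, const unsigned char *a, size_t alen,
                         const unsigned char *b, size_t blen)
{
    if (sigtype == 0x00)                            /* binary: byte-exact */
        return alen == blen && memcmp(a, b, alen) == 0;
    if (sigtype != 0x01)
        return -1;
    size_t ca, cb;                                  /* text: canonical form */
    unsigned char *xa = canonical_text(a, alen, &ca);
    unsigned char *xb = canonical_text(b, blen, &cb);
    int rc = (!xa || !xb) ? -1 : (ca == cb && memcmp(xa, xb, ca) == 0);
    free(xa); free(xb);
    return rc;
}

/* Signature type of the first packet of a detached signature (what
   --list-packets calls sigclass); *version receives the packet version.
   Old- and new-format headers with definite lengths are handled.
   Returns -1 if this is not a v3/v4 signature packet. */
int signature_type(const unsigned char *pkt, size_t len, int *version)
{
    size_t off; int tag;
    if (len < 2 || !(pkt[0] & 0x80)) return -1;
    if (pkt[0] & 0x40) {                            /* new format header */
        tag = pkt[0] & 0x3f;
        off = pkt[1] < 192 ? 2 : pkt[1] < 224 ? 3 : pkt[1] == 255 ? 6 : 0;
    } else {                                        /* old format header */
        tag = (pkt[0] >> 2) & 0x0f;
        int lt = pkt[0] & 3;
        off = lt == 0 ? 2 : lt == 1 ? 3 : lt == 2 ? 5 : 0;
    }
    if (!off || tag != 2 || len < off + 3) return -1;
    *version = pkt[off];
    if (*version == 4) return pkt[off + 1];         /* v4: version, type, ... */
    if (*version == 3) return pkt[off + 2];         /* v3: version, 5, type, ... */
    return -1;
}

/* Constructed v4 DSA/SHA-1 signature packet of type 0x01, NOT a real
   signature (dummy MPIs).  Layout: old-format header (tag 2, length 16),
   version 4, type 0x01, pk alg 17 (DSA), hash alg 2 (SHA-1), empty
   hashed/unhashed subpacket areas, left 16 hash bits, MPI r, MPI s. */
static const unsigned char TEXTMODE_SIG_PACKET[] = {
    0x88, 0x10, 0x04, 0x01, 0x11, 0x02, 0x00, 0x00, 0x00, 0x00,
    0xab, 0xcd, 0x00, 0x01, 0x01, 0x00, 0x01, 0x01
};

/* Two constructed one-line scripts that differ only in the line ending. */
static const unsigned char APP_LF[]   = "print \"Hi, I'm your app tonight.\"\n";
static const unsigned char APP_CRLF[] = "print \"Hi, I'm your app tonight.\"\r\n";

/* 1 if the two scripts are interchangeable under the constructed
   signature's type, 0 if not, -1 if the packet cannot be parsed. */
int demo(void)
{
    int version;
    int type = signature_type(TEXTMODE_SIG_PACKET, sizeof TEXTMODE_SIG_PACKET, &version);
    if (type < 0) return -1;
    return same_signed_document(type, APP_LF, sizeof APP_LF - 1,
                                      APP_CRLF, sizeof APP_CRLF - 1);
}

int main(void)
{
    printf("binary (0x00): interchangeable=%d\n",
           same_signed_document(0x00, APP_LF, sizeof APP_LF - 1,
                                      APP_CRLF, sizeof APP_CRLF - 1));
    printf("text   (0x01): interchangeable=%d\n", demo());
    return 0;
}
```

The practical check this suggests: when a detached signature is meant to vouch for executable content, confirm with `gpg --list-packets` that its sigclass is 0x00, and produce such signatures without `--textmode`, because under sigclass 0x01 the verifier never sees the raw bytes the interpreter will run.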
From bernhard at intevation.de Wed Jan 23 09:34:19 2008
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 23 Jan 2008 09:34:19 +0100
Subject: GnuPG Summer riddle 2007
In-Reply-To: <200801230913.49178.bernhard@intevation.de>
References: <200801230913.49178.bernhard@intevation.de>
Message-ID: <200801230934.20400.bernhard@intevation.de>

In case you wonder why the signature on my last email appears broken, I
guess you have just hit the following Mailman defect:

[ 815297 ] Breaking signatures in message/rfc822 attachement!
http://sourceforge.net/tracker/index.php?func=detail&aid=815297&group_id=103&atid=100103

Reported 2003, patch solving part of the problem available, Debian had
it last time I've looked.

Here is a patch that shows you what you could do to fix the mail so you
can verify the signature on it. (So I have not made this part of the
riddle.)

Please lobby Mailman developers to take this security issue seriously. :(

Best,
Bernhard

--
Managing Director - Owner: www.intevation.net (Free Software Company)
Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com.
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnupg-devel-fix-sig.diff
Type: text/x-diff
Size: 485 bytes
Desc: not available
URL:

From stuff at babylonfarms.com Sat Jan 26 20:47:36 2008
From: stuff at babylonfarms.com (Troy)
Date: Sat, 26 Jan 2008 13:47:36 -0600
Subject: not receiving commit announcements
Message-ID: <479B8E58.4010500@babylonfarms.com>

Hello

I've noticed as well as another I've talked to that we have not been
receiving announcements, does anyone know why?

Troy

From wk at gnupg.org Sat Jan 26 23:00:31 2008
From: wk at gnupg.org (Werner Koch)
Date: Sat, 26 Jan 2008 23:00:31 +0100
Subject: not receiving commit announcements
In-Reply-To: <479B8E58.4010500@babylonfarms.com> (stuff@babylonfarms.com's message of "Sat, 26 Jan 2008 13:47:36 -0600")
References: <479B8E58.4010500@babylonfarms.com>
Message-ID: <87r6g4z1q8.fsf@wheatstone.g10code.de>

On Sat, 26 Jan 2008 20:47, stuff at babylonfarms.com said:

> I've noticed as well as another I've Talked to that we have not been
> receiving announcements, does anyone know why?

Sorry, my fault. It was a permission problem due to switching to the
new box.

Note that the commit messages are not always reliable because too large
commits are filtered out. I'll see what I can do to switch off the
diffing for larger changes.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From jon at oxer.com.au Sun Jan 27 00:35:47 2008
From: jon at oxer.com.au (Jonathan Oxer)
Date: Sun, 27 Jan 2008 10:35:47 +1100
Subject: not receiving commit announcements
In-Reply-To: <87r6g4z1q8.fsf@wheatstone.g10code.de>
References: <479B8E58.4010500@babylonfarms.com> <87r6g4z1q8.fsf@wheatstone.g10code.de>
Message-ID: <1201390547.6006.1.camel@jbook.ivt.com.au>

On Sat, 2008-01-26 at 23:00 +0100, Werner Koch wrote:

> Note that the commit messages are not always reliable because too large
> commits are filtered out. I see what I can do switch off the diffing
> for larger changes.

It would be easier for you to just turn off diff inclusion for all
commit messages: as long as the message contains a link to the
repository where the diff can be viewed that should be convenient enough
IMHO.

Cheers :-)

--
Jonathan Oxer
Ph +61 4 3851 6600

From eric at debian.org Sun Jan 27 05:15:24 2008
From: eric at debian.org (Eric Dorland)
Date: Sat, 26 Jan 2008 23:15:24 -0500
Subject: (forw) Bug#461980: gnupg-agent: manpage typos
Message-ID: <20080127041524.GG16143@gambit>

Hello,

The attached patch fixes a number of spelling errors in the gpg-agent
manpage contributed by a Debian user.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=461980#10 contains an
additional patch to fix some spelling errors.

Please keep the Cc line when replying to this mail.

--
Eric Dorland
ICQ: #61138586, Jabber: hooty at jabber.com

-------------- next part --------------
An embedded message was scrubbed...
From: Justin Pryzby
Subject: Bug#461980: gnupg-agent: manpage typos
Date: Mon, 21 Jan 2008 15:05:29 -0500
Size: 18159
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL:

From wk at gnupg.org Sun Jan 27 14:19:05 2008
From: wk at gnupg.org (Werner Koch)
Date: Sun, 27 Jan 2008 14:19:05 +0100
Subject: (forw) Bug#461980: gnupg-agent: manpage typos
In-Reply-To: <20080127041524.GG16143@gambit> (Eric Dorland's message of "Sat, 26 Jan 2008 23:15:24 -0500")
References: <20080127041524.GG16143@gambit>
Message-ID: <87ir1fxv7a.fsf@wheatstone.g10code.de>

On Sun, 27 Jan 2008 05:15, eric at debian.org said:

> The attached patch fixes a number of spelling errors in the gpg-agent
> manpage contributed by a Debian user.

Unfortunately the patch is against a generated file. We need it against
the source (doc/gpg-agent.texi and some included .text files)

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From wk at gnupg.org Mon Jan 28 08:44:46 2008
From: wk at gnupg.org (Werner Koch) Date: Mon, 28 Jan 2008 08:44:46 +0100 Subject: (forw) Bug#461980: gnupg-agent: manpage typos In-Reply-To: <20080127225553.GA8634@quoininc.com> (Justin Pryzby's message of "Sun, 27 Jan 2008 17:55:53 -0500") References: <20080127041524.GG16143@gambit> <87ir1fxv7a.fsf@wheatstone.g10code.de> <20080127225553.GA8634@quoininc.com> Message-ID: <87wspuv1g1.fsf@wheatstone.g10code.de> On Sun, 27 Jan 2008 23:55, jpryzby+d at quoininc.com said: > Including a new patch against the source files, with some additional > fixes ("manly", "be possible"). Also some of the original fixes > applied to additional parts. Thanks. I applied it except for: > --- gnupg2-2.0.8/doc/qualified.txt > +++ gnupg2-2.0.8.orig/doc/qualified.txt 
> @@ -4,7 +4,7 @@ > # signatures are. Comments like this one and empty lines are allowed > # Lines do have a length limit but this is not a serious limitation as > # the format of the entries is fixed and checked by gpgsm: A > +# non-comment line starts with optional white spaces, followed by > -# non-comment line starts with optional whitespace, followed by > # exactly 40 hex character, white space and a lowercased 2 letter > # country code. Additional data delimited with by a white space is > # current ignored but might late be used for other purposes. Is there a reason why you did not fixed "white space" in the next 3 lines? > > Also my original note: > |Note also that use of "respective" seems wrong. The closest I can > |think of is "with respect to", but I'm not sure. Ignore requests to change the current @code{tty} respective the X window system's @code{DISPLAY} variable. This is useful to lock the What I mean is: The one option changes @code{tty} and the other option @code{DISPLAY}. Thus I use "respective" similar how we use the same word in German; I am not sure whether this is correct. However, "with respect to" is not what I mean. > Also that I (personally?) prefer "prefix" to "prepend". Okay. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From broonie at debian.org Tue Jan 29 12:57:57 2008 
From: broonie at debian.org (Mark Brown)
Date: Tue, 29 Jan 2008 11:57:57 +0000
Subject: (forw) Bug#461980: gnupg-agent: manpage typos
In-Reply-To: <87wspuv1g1.fsf@wheatstone.g10code.de>
References: <20080127041524.GG16143@gambit> <87ir1fxv7a.fsf@wheatstone.g10code.de> <20080127225553.GA8634@quoininc.com> <87wspuv1g1.fsf@wheatstone.g10code.de>
Message-ID: <20080129115756.GA5681@sirena.org.uk>

On Mon, Jan 28, 2008 at 08:44:46AM +0100, Werner Koch wrote:
> On Sun, 27 Jan 2008 23:55, jpryzby+d at quoininc.com said:

> Ignore requests to change the current @code{tty} respective the X
> window system's @code{DISPLAY} variable. This is useful to lock the

> What I mean is: The one option changes @code{tty} and the other option
> @code{DISPLAY}. Thus I use "respective" similar how we use the same
> word in German; I am not sure whether this is correct. However, "with
> respect to" is not what I mean.

Would something like this cover it?

  Ignore requests to change the current @code{tty} and the X window
  system's @code{DISPLAY} variable.

--
"You grabbed my hand and we fell into it, like a daydream - or a fever."

From jpryzby+d at quoininc.com Sun Jan 27 23:55:53 2008
From: jpryzby+d at quoininc.com (Justin Pryzby) Date: Sun, 27 Jan 2008 17:55:53 -0500 Subject: (forw) Bug#461980: gnupg-agent: manpage typos In-Reply-To: <87ir1fxv7a.fsf@wheatstone.g10code.de> References: <20080127041524.GG16143@gambit> <87ir1fxv7a.fsf@wheatstone.g10code.de> Message-ID: <20080127225553.GA8634@quoininc.com> tag 461980 patch thanks On Sun, Jan 27, 2008 at 02:19:05PM +0100, Werner Koch wrote: > On Sun, 27 Jan 2008 05:15, eric at debian.org said: > > > The attached patch fixes a number of spelling errors in the gpg-agent > > manpage contributed by a Debian user. > > Unfortunately the patch is against a generated file. We need it against > the source (doc/gpg-agent.texi and some included .text files) Including a new patch against the source files, with some additional fixes ("manly", "be possible"). Also some of the original fixes applied to additional parts. Also my original note: |Note also that use of "respective" seems wrong. The closest I can |think of is "with respect to", but I'm not sure. Also that I (personally?) prefer "prefix" to "prepend". -------------- next part -------------- --- gnupg2-2.0.8/doc/gpg-agent.texi +++ gnupg2-2.0.8.orig/doc/gpg-agent.texi @@ -117,8 +117,8 @@ @node Agent Commands @section Commands +Commands are not distinguished from options execpt for the fact that +only one one command is allowed. -Commands are not distinguished from options except for the fact that -only one command is allowed. @table @gnupgtabopt @item --version @@ -214,7 +214,7 @@ @end table How these messages are mapped to the actual debugging flags is not +specified and may change with newer releaes of this program. They are -specified and may change with newer releases of this program. They are however carefully selected to best aid in debugging. @item --debug @var{flags} 
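Review bot: The direction of the first hunk (@@ -117,8 +117,8 @@), and of the whole patch, is inverted: the `---` header names the patched tree `gnupg2-2.0.8/doc/gpg-agent.texi` and `+++` names `gnupg2-2.0.8.orig/doc/gpg-agent.texi`, so the `+` lines carry the misspellings ("execpt", "one one", "releaes") and the `-` lines carry the corrections. Applied as-is with `patch -p1` it would reintroduce the typos; regenerate it with the operands swapped (`diff -u gnupg2-2.0.8.orig gnupg2-2.0.8`) or tell the maintainer to apply it with `patch -R`.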
@@ -256,7 +256,7 @@ @item --no-detach @opindex no-detach +Don't detach the process from the console. This is manly usefule for -Don't detach the process from the console. This is mainly useful for debugging. @item -s @@ -268,9 +268,9 @@ @opindex c @opindex csh Format the info output in daemon mode for use with the standard Bourne +shell respective the C-shell . The default is to guess it based on the -shell respective the C-shell. The default is to guess it based on the environment variable @code{SHELL} which is in almost all cases +sufficient. -correct. @item --write-env-file @var{file} @opindex write-env-file @@ -304,7 +304,7 @@ @opindex allow-mark-trusted Allow clients to mark keys as trusted, i.e. put them into the @file{trustlist.txt} file. This is by default not allowed to make it +harder for users to inadvertly accept Root-CA keys. -harder for users to inadvertently accept Root-CA keys. @item --ignore-cache-for-signing @opindex ignore-cache-for-signing 
@@ -314,25 +314,25 @@ @item --default-cache-ttl @var{n} @opindex default-cache-ttl +Set the time a cache entry is valid to @var{n} seconds. The default are -Set the time a cache entry is valid to @var{n} seconds. The default is 600 seconds. @item --default-cache-ttl-ssh @var{n} @opindex default-cache-ttl Set the time a cache entry used for SSH keys is valid to @var{n} +seconds. The default are 1800 seconds. -seconds. The default is 1800 seconds. @item --max-cache-ttl @var{n} @opindex max-cache-ttl Set the maximum time a cache entry is valid to @var{n} seconds. After +this time a cache entry will get expired even if it has been accessed +recently. The default are 2 hours (7200 seconds). -this time a cache entry will be expired even if it has been accessed -recently. The default is 2 hours (7200 seconds). @item --max-cache-ttl-ssh @var{n} @opindex max-cache-ttl-ssh Set the maximum time a cache entry used for SSH keys is valid to @var{n} +seconds. After this time a cache entry will get expired even if it has +been accessed recently. The default are 2 hours (7200 seconds). -seconds. After this time a cache entry will be expired even if it has -been accessed recently. The default is 2 hours (7200 seconds). @item --enforce-passphrase-constraints @opindex enforce-passphrase-constraints @@ -362,8 +362,8 @@ pattern or even against a complete dictionary is not very effective to enforce good passphrases. Users will soon figure up ways to bypass such a policy. A better policy is to educate users on good security +behavior and optional to run a passphrase cracker regularly on all +users passphrases t catch the very simple ones. -behavior and optionally to run a passphrase cracker regularly on all -users passphrases to catch the very simple ones. @item --max-passphrase-days @var{n} @opindex max-passphrase-days 
@@ -378,11 +378,11 @@ @item --pinentry-program @var(unknown) @opindex pinentry-program Use program @var(unknown) as the PIN entry. The default is installation +dependend and can be shown with the @code{--version} command. -dependent and can be shown with the @code{--version} command. @item --pinentry-touch-file @var(unknown) @opindex pinentry-touch-file +By default the file name of the socket gpg-agent is listening for -By default the filename of the socket gpg-agent is listening for requests is passed to Pinentry, so that it can touch that file before exiting (it does this only in curses mode). This option changes the file passed to Pinentry to @var(unknown). The special name @@ -394,7 +394,7 @@ @item --scdaemon-program @var(unknown) @opindex scdaemon-program Use program @var(unknown) as the Smartcard daemon. The default is +installation dependend and can be shown with the @code{--version} -installation dependent and can be shown with the @code{--version} command. @item --disable-scdaemon @@ -411,7 +411,7 @@ named @file{S.gpg-agent}, located in the home directory, and not create a random socket below a temporary directory. Tools connecting to @command{gpg-agent} should first try to connect to the socket given in +environment variable @var{GPG_AGENT_INFO} and the fall back to this -environment variable @var{GPG_AGENT_INFO} and then fall back to this socket. This option may not be used if the home directory is mounted as a remote file system. Note, that @option{--use-standard-socket} is the default on Windows systems. @@ -436,7 +436,7 @@ @itemx --keep-display @opindex keep-tty @opindex keep-display +Ignore requests to change change the current @code{tty} respective the X -Ignore requests to change the current @code{tty} respective the X window system's @code{DISPLAY} variable. This is useful to lock the pinentry to pop up at the @code{tty} or display you started the agent. 
@@ -448,7 +448,7 @@ In this mode of operation, the agent does not only implement the gpg-agent protocol, but also the agent protocol used by OpenSSH +(through a seperate socket). Consequently, it should possible to use -(through a separate socket). Consequently, it should be possible to use the gpg-agent as a drop-in replacement for the well known ssh-agent. SSH Keys, which are to be used through the agent, need to be added to @@ -459,7 +459,7 @@ the newly received key and storing it in a gpg-agent specific directory. +Once, a key has been added to the gpg-agent this way, the gpg-agent -Once a key has been added to the gpg-agent this way, the gpg-agent will be ready to use the key. Note: in case the gpg-agent receives a signature request, the user might @@ -468,7 +468,7 @@ mechanism for telling the agent on which display/terminal it is running, gpg-agent's ssh-support will use the TTY or X display where gpg-agent has been started. To switch this display to the current one, the +follwing command may be used: -following command may be used: @smallexample echo UPDATESTARTUPTTY | gpg-connect-agent 
@@ -556,17 +556,17 @@ This file is used when support for the secure shell agent protocol has been enabled (@pxref{option --enable-ssh-support}). Only keys present in this file are used in the SSH protocol. The @command{ssh-add} tool +y be used to add new entries to this file; you may also add them -may be used to add new entries to this file; you may also add them manually. Comment lines, indicated by a leading hash mark, as well as +empty lines are ignored. An entry starts with optional white spaces, -empty lines are ignored. An entry starts with optional whitespace, followed by the keygrip of the key given as 40 hex digits, optionally followed by the caching TTL in seconds and another optional field for +arbitrary flags. A @code{!} may be prepended to the keygrip to -arbitrary flags. The keygrip may be prefixed with a @code{!} to disable this entry. +The follwoing example lists exactly one key. Note that keys available -The following example lists exactly one key. Note that keys available through a OpenPGP smartcard in the active smartcard reader are +implictly added to this list; i.e. there is no need to list them. -implicitly added to this list; i.e. there is no need to list them. @example # Key added on 2005-02-25 15:08:29 @@ -585,7 +585,7 @@ Note that on larger installations, it is useful to put predefined files into the directory @file{/etc/skel/.gnupg/} so that newly created users start up with a working configuration. For existing users the +a small helper script is provied to create these files (@pxref{addgnupghome}). -a small helper script is provided to create these files (@pxref{addgnupghome}). 
@@ -604,7 +604,7 @@ @item SIGHUP @cpindex SIGHUP +This signal flushes all chached passphrases and if the program has been -This signal flushes all cached passphrases and if the program has been started with a configuration file, the configuration file is read again. Only certain options are honored: @code{quiet}, @code{verbose}, @code{debug}, @code{debug-all}, @code{debug-level}, @code{no-grab}, @@ -650,7 +650,7 @@ An alternative way is by replacing @command{ssh-agent} with @command{gpg-agent}. If for example @command{ssh-agent} is started as +part of the Xsession intialization you may simply replace -part of the Xsession initialization, you may simply replace @command{ssh-agent} by a script like: @cartouche --- gnupg2-2.0.8/doc/yat2m.c +++ gnupg2-2.0.8.orig/doc/yat2m.c @@ -42,7 +42,7 @@ the next input line if that line begins with @section, @subsection or @chapheading. + To insert verbatim troff markup, the follwing texinfo code may be - To insert verbatim troff markup, the following texinfo code may be used: @ifset manverb @@ -842,7 +842,7 @@ { char *line; int lnr = 0; + /* Fixme: The follwing state variables don't carry over to include - /* Fixme: The following state variables don't carry over to include files. */ int in_verbatim = 0; int skip_to_end = 0; /* Used to skip over menu entries. */ --- gnupg2-2.0.8/doc/scdaemon.texi +++ gnupg2-2.0.8.orig/doc/scdaemon.texi @@ -58,8 +58,8 @@ @node Scdaemon Commands @section Commands +Commands are not distinguished from options execpt for the fact that +only one one command is allowed. -Commands are not distinguished from options except for the fact that -only one command is allowed. @table @gnupgtabopt @item --version 
@@ -140,7 +140,7 @@ @end table How these messages are mapped to the actual debugging flags is not +specified and may change with newer releaes of this program. They are -specified and may change with newer releases of this program. They are however carefully selected to best aid in debugging. @quotation Note @@ -208,7 +208,7 @@ @item --no-detach @opindex no-detach +Don't detach the process from the console. This is manly usefule for -Don't detach the process from the console. This is mainly useful for debugging. @item --log-file @var{file} @@ -646,7 +646,7 @@ level functions and sends the data directly to the card. @var{hexstring} is expected to be a proper APDU. If @var{hexstring} is not given no commands are send to the card; However the command will +implictly check whether the card is ready for use. -implicitly check whether the card is ready for use. Using the option @code{--atr} returns the ATR of the card as a status message before any data like this: --- gnupg2-2.0.8/doc/qualified.txt +++ gnupg2-2.0.8.orig/doc/qualified.txt @@ -4,7 +4,7 @@ # signatures are. Comments like this one and empty lines are allowed # Lines do have a length limit but this is not a serious limitation as # the format of the entries is fixed and checked by gpgsm: A +# non-comment line starts with optional white spaces, followed by -# non-comment line starts with optional whitespace, followed by # exactly 40 hex character, white space and a lowercased 2 letter # country code. Additional data delimited with by a white space is # current ignored but might late be used for other purposes. --- gnupg2-2.0.8/doc/tools.texi +++ gnupg2-2.0.8.orig/doc/tools.texi 
@@ -1185,7 +1185,7 @@ @item unescape @var{args} Remove C-style escapes from @var{args}. Note that @code{\0} and + at code{\x00} terminate the returned string implictly. The string to be - at code{\x00} terminate the returned string implicitly. The string to be converted are the entire arguments right behind the delimiting space of the function name. @@ -1272,7 +1272,7 @@ @itemx /nosubst Enable and disable variable substitution. It defaults to disabled unless the command line option @option{--subst} has been used. +If /subst as been enabled once, leading white spaces are removed from -If /subst as been enabled once, leading whitespace is removed from input lines which makes scripts easier to read. @item /while @var{condition} --- gnupg2-2.0.8/doc/gpgsm.texi +++ gnupg2-2.0.8.orig/doc/gpgsm.texi @@ -58,7 +58,7 @@ @node GPGSM Commands @section Commands +Commands are not distinguished from options execpt for the fact that -Commands are not distinguished from options except for the fact that only one command is allowed. @menu @@ -612,7 +612,7 @@ @end table How these messages are mapped to the actual debugging flags is not +specified and may change with newer releaes of this program. They are -specified and may change with newer releases of this program. They are however carefully selected to best aid in debugging. @item --debug @var{flags} @@ -738,7 +738,7 @@ start with a hash mark and empty lines are ignored. Lines do have a length limit but this is not a serious limitation as the format of the entries is fixed and checked by gpgsm: A non-comment line starts with +optional white spaces, followed by exactly 40 hex character, white space -optional whitespace, followed by exactly 40 hex character, white space and a lowercased 2 letter country code. Additional data delimited with by a white space is current ignored but might late be used for other purposes. From jpryzby+d at quoininc.com Mon Jan 28 15:27:32 2008 
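Review bot: the file headers have old and new swapped (`--- gnupg2-2.0.8/doc/gpg-agent.texi` against `+++ gnupg2-2.0.8.orig/doc/gpg-agent.texi`, and the same for yat2m.c, scdaemon.texi, qualified.txt, tools.texi and gpgsm.texi), so in every hunk the `+` lines carry the misspellings ("execpt", "one one", "releaes", "manly usefule") and the `-` lines carry the corrections; applied forward with `patch -p1` this would reintroduce the typos. Regenerate the diff with the .orig tree as the first argument, or apply it with `patch -R`.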
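Review bot: the `-correct` / `+sufficient` change at the end of the `@@ -268,9 +268,9 @@` hunk (the -s/--sh/-c/--csh description in gpg-agent.texi) alters the meaning of the sentence rather than fixing a spelling error, and the cover note does not mention it; either leave it out of a typo patch or call it out explicitly. The same hunk keeps "shell respective the C-shell" although the cover note questions "respective".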
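Review bot: in the `doc/qualified.txt` hunk (`@@ -4,7 +4,7 @@`) the fix stops at the first line: the unchanged context that follows still reads "exactly 40 hex character, white space", "Additional data delimited with by a white space" and "is current ignored but might late be used" ("character" for "characters", a stray "with", "current" for "currently", "late" for "later"). The `@@ -738,7 +738,7 @@` hunk in gpgsm.texi has the identical sentences with the identical leftovers.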
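Review bot: in the `@@ -556,17 +556,17 @@` hunk of gpg-agent.texi the context line "through a OpenPGP smartcard in the active smartcard reader" keeps "a OpenPGP"; since the neighbouring lines are being rewritten anyway, make it "an OpenPGP".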
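Review bot: the `@@ -646,7 +646,7 @@` hunk in scdaemon.texi fixes "implictly", but the context line directly above it, "no commands are send to the card; However the command will", still has "are send" for "are sent" and a capitalised "However" after the semicolon.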
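Review bot: in the tools.texi `@@ -1272,7 +1272,7 @@` hunk both the `+` and the `-` line read "If /subst as been enabled once"; "as" should be "has". In the `@@ -1185,7 +1185,7 @@` hunk just above it, the context "The string to be converted are the entire arguments" needs "is".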
From: jpryzby+d at quoininc.com (Justin Pryzby)
Date: Mon, 28 Jan 2008 09:27:32 -0500
Subject: (forw) Bug#461980: gnupg-agent: manpage typos
In-Reply-To: <87wspuv1g1.fsf@wheatstone.g10code.de>
References: <20080127041524.GG16143@gambit> <87ir1fxv7a.fsf@wheatstone.g10code.de> <20080127225553.GA8634@quoininc.com> <87wspuv1g1.fsf@wheatstone.g10code.de>
Message-ID: <20080128142732.GA12958@quoininc.com>

On Mon, Jan 28, 2008 at 08:44:46AM +0100, Werner Koch wrote:
> On Sun, 27 Jan 2008 23:55, jpryzby+d at quoininc.com said:
>
> > Including a new patch against the source files, with some additional
> > fixes ("manly", "be possible"). Also some of the original fixes
> > applied to additional parts.
>
> Thanks. I applied it except for:
>
> > --- gnupg2-2.0.8/doc/qualified.txt > > +++ gnupg2-2.0.8.orig/doc/qualified.txt > > @@ -4,7 +4,7 @@ > > # signatures are. Comments like this one and empty lines are allowed > > # Lines do have a length limit but this is not a serious limitation as > > # the format of the entries is fixed and checked by gpgsm: A > > +# non-comment line starts with optional white spaces, followed by > > -# non-comment line starts with optional whitespace, followed by > > # exactly 40 hex character, white space and a lowercased 2 letter > > # country code. Additional data delimited with by a white space is > > # current ignored but might late be used for other purposes.
>
> Is there a reason why you did not fix "white space" in the next 3
> lines?

Probably because I searched for "white spaces" with an "s" and so
didn't find that occurrence. I think most occurrences of "white
space[s]" can be changed to "white space[s]", but it's worth it to
check if it makes sense for each case.

> > Also my original note:
> > |Note also that use of "respective" seems wrong. The closest I can
> > |think of is "with respect to", but I'm not sure.
>
> Ignore requests to change the current @code{tty} respective the X
> window system's @code{DISPLAY} variable. This is useful to lock the
>
> What I mean is: The one option changes @code{tty} and the other option
> @code{DISPLAY}. Thus I use "respective" similar how we use the same
> word in German; I am not sure whether this is correct. However, "with
> respect to" is not what I mean.

I'm not sure about this case; however, in:

./doc/gpg-agent.texi
|@item -s
|@itemx --sh
|@itemx -c
|@itemx --csh
|@opindex s
|@opindex sh
|@opindex c
|@opindex csh
|Format the info output in daemon mode for use with the standard Bourne
|shell respective the C-shell. The default is to guess it based on the
|environment variable @code{SHELL} which is in almost all cases
|correct.

I would say:

|Format the info output in daemon mode for use with the standard Bourne
|shell or the C-shell, respectively. The default is to guess it based on the
|environment variable @code{SHELL} which is correct in almost all cases.

I think "... respectively ..." is what's needed in the other cases I
saw, too (but the rest of the sentence has to be changed, too).

|@item --keep-tty
|@itemx --keep-display
|@opindex keep-tty
|@opindex keep-display
|Ignore requests to change the current @code{tty} or X
|window system @code{DISPLAY} variable, respectively. This is useful to lock the
|pinentry to pop up at the @code{tty} or display you started the agent.

In ./doc/DETAILS, I'm not sure:

| The default is the standard gpg Web of Trust model respective
| the standard X.509 model. The defined values are

Is this supposed to mean:

| The default is the standard gpg Web of Trust model, rather than
| the standard X.509 model. The defined values are

?

Justin

From jpryzby+d at quoininc.com Tue Jan 29 15:22:51 2008
From: jpryzby+d at quoininc.com (Justin Pryzby)
Date: Tue, 29 Jan 2008 09:22:51 -0500
Subject: (forw) Bug#461980: gnupg-agent: manpage typos
In-Reply-To: <20080129115756.GA5681@sirena.org.uk>
References: <20080127041524.GG16143@gambit> <87ir1fxv7a.fsf@wheatstone.g10code.de> <20080127225553.GA8634@quoininc.com> <87wspuv1g1.fsf@wheatstone.g10code.de> <20080129115756.GA5681@sirena.org.uk>
Message-ID: <20080129142251.GA31662@quoininc.com>

On Tue, Jan 29, 2008 at 11:57:57AM +0000, Mark Brown wrote:
> On Mon, Jan 28, 2008 at 08:44:46AM +0100, Werner Koch wrote:
> > On Sun, 27 Jan 2008 23:55, jpryzby+d at quoininc.com said:
>
> > Ignore requests to change the current @code{tty} respective the X
> > window system's @code{DISPLAY} variable. This is useful to lock the
>
> > What I mean is: The one option changes @code{tty} and the other option
> > @code{DISPLAY}. Thus I use "respective" similar how we use the same
> > word in German; I am not sure whether this is correct. However, "with
> > respect to" is not what I mean.
>
> Would something like this cover it?
>
> Ignore requests to change the current @code{tty} and the X
> window system's @code{DISPLAY} variable.

No, see my earlier message; this one should be:

|Ignore requests to change the current @code{tty} or X
|window system @code{DISPLAY} variable, respectively. This is useful

Justin

From wk at gnupg.org Tue Jan 29 18:27:58 2008
From: wk at gnupg.org (Werner Koch)
Date: Tue, 29 Jan 2008 18:27:58 +0100
Subject: (forw) Bug#461980: gnupg-agent: manpage typos
In-Reply-To: <20080129142251.GA31662@quoininc.com> (Justin Pryzby's message of "Tue, 29 Jan 2008 09:22:51 -0500")
References: <20080127041524.GG16143@gambit> <87ir1fxv7a.fsf@wheatstone.g10code.de> <20080127225553.GA8634@quoininc.com> <87wspuv1g1.fsf@wheatstone.g10code.de> <20080129115756.GA5681@sirena.org.uk> <20080129142251.GA31662@quoininc.com>
Message-ID: <87sl0gee3l.fsf@wheatstone.g10code.de>

On Tue, 29 Jan 2008 15:22, jpryzby+d at quoininc.com said:

> |Ignore requests to change the current @code{tty} or X
> |window system @code{DISPLAY} variable, respectively. This is useful

Right, I got the same hint off-list.

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From wk at gnupg.org Tue Jan 29 18:38:40 2008
From: wk at gnupg.org (Werner Koch)
Date: Tue, 29 Jan 2008 18:38:40 +0100
Subject: (forw) Bug#461980: gnupg-agent: manpage typos
In-Reply-To: <20080128142732.GA12958@quoininc.com> (Justin Pryzby's message of "Mon, 28 Jan 2008 09:27:32 -0500")
References: <20080127041524.GG16143@gambit> <87ir1fxv7a.fsf@wheatstone.g10code.de> <20080127225553.GA8634@quoininc.com> <87wspuv1g1.fsf@wheatstone.g10code.de> <20080128142732.GA12958@quoininc.com>
Message-ID: <87lk68edlr.fsf@wheatstone.g10code.de>

On Mon, 28 Jan 2008 15:27, jpryzby+d at quoininc.com said:

All applied.

> In ./doc/DETAILS, I'm not sure:
>
> | The default is the standard gpg Web of Trust model respective
> | the standard X.509 model. The defined values are
>
> Is this supposed to mean:
>
> | The default is the standard gpg Web of Trust model, rather than
> | the standard X.509 model. The defined values are

No. I changed it to:

  The defaults are the standard Web of Trust model for gpg and the
  standard X.509 model for gpgsm. The defined values are

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From misa at rpath.com Wed Jan 30 16:44:26 2008
From: misa at rpath.com (Mihai Ibanescu)
Date: Wed, 30 Jan 2008 10:44:26 -0500
Subject: Certification signatures on subkeys
Message-ID: <20080130154426.GA8107@roadrunner.rdu.rpath.com>

Hi,

I noticed something strange on a key I imported:

http://pool.sks-keyservers.net:11371/pks/lookup?search=0x10FA4CD1&op=vindex

As you can see, the subkey has certification (type 0x10-0x13) signatures on
its subkey.

At least the way I read RFC4880, the only types of signatures that should be
present on a subkey are key binding or revocation signatures.

Am I missing something? If this is a valid scenario, can someone point me to
a spec with a description of how the certification signature is hashed in
this case? RFC4880 indicates only how it gets hashed when attached to a User
ID or User Attribute case.

Thanks!
Mihai

PS apologies if this doesn't belong on gnupg-devel.

From dshaw at jabberwocky.com Wed Jan 30 19:46:10 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 30 Jan 2008 13:46:10 -0500
Subject: Certification signatures on subkeys
In-Reply-To: <20080130154426.GA8107@roadrunner.rdu.rpath.com>
References: <20080130154426.GA8107@roadrunner.rdu.rpath.com>
Message-ID: <20080130184610.GA15357@jabberwocky.com>

On Wed, Jan 30, 2008 at 10:44:26AM -0500, Mihai Ibanescu wrote:
> Hi,
>
> I noticed something strange on a key I imported:
>
> http://pool.sks-keyservers.net:11371/pks/lookup?search=0x10FA4CD1&op=vindex
>
> As you can see, the subkey has certification (type 0x10-0x13) signatures on
> its subkey.
>
> At least the way I read RFC4880, the only types of signatures that should be
> present on a subkey are key binding or revocation signatures.

That is correct.

The key is a little bit mangled. GPG ignores 0x10-0x13 signatures on
subkeys, as they are not allowed there.

David

From wk at gnupg.org Thu Jan 31 21:11:24 2008
From: wk at gnupg.org (Werner Koch)
Date: Thu, 31 Jan 2008 21:11:24 +0100
Subject: not receiving commit announcements
In-Reply-To: <1201390547.6006.1.camel@jbook.ivt.com.au> (Jonathan Oxer's message of "Sun, 27 Jan 2008 10:35:47 +1100")
References: <479B8E58.4010500@babylonfarms.com> <87r6g4z1q8.fsf@wheatstone.g10code.de> <1201390547.6006.1.camel@jbook.ivt.com.au>
Message-ID: <871w7xzrf7.fsf@wheatstone.g10code.de>

On Sun, 27 Jan 2008 00:35, jon at oxer.com.au said:

> It would be easier for you to just turn off diff inclusion for all
> commit messages: as long as the message contains a link to the

I changed the script so that ChangeLogs are shown first and the rest of
the diff is truncated after 500 lines, with a warning note at the top.
*.po files are also skipped because they tend to get very large at
times if the line numbers of the source strings changed.

That should keep the length of the commit messages at a reasonable
length.

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From jmoore3rd at bellsouth.net Thu Jan 31 22:57:21 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Thu, 31 Jan 2008 16:57:21 -0500
Subject: not receiving commit announcements
In-Reply-To: <871w7xzrf7.fsf@wheatstone.g10code.de>
References: <479B8E58.4010500@babylonfarms.com> <87r6g4z1q8.fsf@wheatstone.g10code.de> <1201390547.6006.1.camel@jbook.ivt.com.au> <871w7xzrf7.fsf@wheatstone.g10code.de>
Message-ID: <47A24441.90005@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------- Original Message --------
Subject: Re: not receiving commit announcements
From: Werner Koch
To: Jonathan Oxer
Cc: Gnupg-devel at gnupg.org
Date: Thursday, January 31, 2008 3:11:24 PM

> I changed the script so that ChangeLogs are shown first and the
> rest of the diff is truncated after 500 lines, with a warning note at
> the top. *.po files are also skipped because they tend to get very
> large at times if the line numbers of the source strings changed.
>
> That should keep the length of the commit messages at a reasonable
> length.

Simple solutions have always been the Hallmark of Your unrecognized
genius Werner. *.po Files are always large and, while important, are
not as important as the many other improvements You regularly introduce
to the Encryption Community. ;)

A Big 'Nod of Approval' goes towards You. :-D

JOHN 8-)
Timestamp: Thursday 31 Jan 2008, 16:56 --500 (Eastern Standard Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9-svn4675: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: https://www.gswot.org
Comment: Homepage: http://tinyurl.com/9ubue

iQEcBAEBCgAGBQJHokQ6AAoJEBCGy9eAtCsPOtcH/3QXWHLjklEiX0ziVhhTHUaJ
9+PFn4OitI5+YsxPWPSaIwTj+zYrn+V8LBwaEbO7n+HVFEf+3eRDMldzCq3LWzF2
FtfXZoCak+uUqUVA9ugNIPur5ciiO6dikfsV7Q/ccDV9LxvSgxXoLyjUPncym/OD
QpoCRIN4CL3nkXtqL8E0D/MHrECBlQrAAeG735zhMMgsJRg4NfE0eKTDoTOCq7LO
t8YGmZ45ZbBujo7oFgro83aFHfwZdnIfAoTzK7hDNeWWjvN23C7joEBLDRaMR5cb
OP6PgDJOdSH8K77B8+qjPF9odp4lcvtLx55wLkgEflw8hm5yw6Vl012Mg173ydE=
=bJMz
-----END PGP SIGNATURE-----

From cjwatson at debian.org Wed Jan 30 22:40:50 2008
From: cjwatson at debian.org (Colin Watson)
Date: Wed, 30 Jan 2008 21:40:50 -0000
Subject: Certification signatures on subkeys
In-Reply-To: <20080130184610.GA15357@jabberwocky.com>
References: <20080130154426.GA8107@roadrunner.rdu.rpath.com> <20080130184610.GA15357@jabberwocky.com>
Message-ID: <20080130211400.GA8836@riva.ucam.org>

On Wed, Jan 30, 2008 at 01:46:10PM -0500, David Shaw wrote:
> On Wed, Jan 30, 2008 at 10:44:26AM -0500, Mihai Ibanescu wrote:
> > I noticed something strange on a key I imported:
> >
> > http://pool.sks-keyservers.net:11371/pks/lookup?search=0x10FA4CD1&op=vindex

This is my key.

> > As you can see, the subkey has certification (type 0x10-0x13) signatures on
> > its subkey.
> >
> > At least the way I read RFC4880, the only types of signatures that should be
> > present on a subkey are key binding or revocation signatures.
>
> That is correct.
>
> The key is a little bit mangled. GPG ignores 0x10-0x13 signatures on
> subkeys, as they are not allowed there.

I tried to get rid of them with 'gpg --edit-key' (which automatically
moved the signatures to a UID on the primary key), but --send-keys and
--recv-keys caused them to be added right back. Repeating this procedure
moved the signatures again so that the UID in question now has two
copies of each of these signatures at the end of its signature list. In
other words, it looks like any time I go through an --edit-key /
--send-keys / --recv-keys cycle (however extended), I'm going to grow
six new signatures on my key.

Could GnuPG be fixed to check for duplicates before it moves signatures?
The delsig UI is going to be extremely tedious for getting rid of these
and of course won't affect the keyservers.

Thanks,

-- 
Colin Watson                                       [cjwatson at debian.org]
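Both problems raised in this thread, as an added example that is not code from the thread, from GnuPG or from any of the posters: a small Python lint that walks the packets of an OpenPGP transferable public key and reports (a) signatures sitting directly on a subkey that are not key binding or revocation signatures, which covers the 0x10-0x13 certifications Mihai found and GnuPG ignores, and (b) byte-identical signature packets repeated under one User ID, the duplicates Colin describes after an --edit-key / --send-keys / --recv-keys cycle. The key it checks is assembled from constructed dummy packets (no real key material; the User ID and all field values are made up), and the packet header and signature layout follow RFC 4880 sections 4.2 and 5.2.

```python
# Added example: lint an OpenPGP transferable public key for two defects
# discussed on gnupg-devel: certification signatures attached to a subkey,
# and duplicate signature packets under a User ID. Not GnuPG code.
from typing import Dict, List, Tuple

TAG_SIGNATURE, TAG_PUBKEY, TAG_USERID, TAG_SUBKEY, TAG_USERATTR = 2, 6, 13, 14, 17
# RFC 4880: the only signatures that belong directly on a subkey are the
# subkey binding signature (0x18) and the subkey revocation signature (0x28).
SUBKEY_SIG_TYPES = {0x18, 0x28}


def parse_packets(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a packet stream into (tag, body) pairs (RFC 4880 section 4.2).
    Handles old- and new-format headers with definite lengths; partial body
    lengths and indeterminate old-format lengths are rejected."""
    packets, i = [], 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header byte at offset {i}")
        i += 1
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError(f"truncated packet at offset {i}")
        packets.append((tag, body))
        i += length
    return packets


def signature_type(body: bytes) -> int:
    """Signature type byte: offset 1 for v4, offset 2 for v3 (after the
    fixed hashed-material length byte)."""
    version = body[0]
    if version == 4:
        return body[1]
    if version in (2, 3):
        return body[2]
    raise ValueError(f"unsupported signature version {version}")


def lint_key(data: bytes) -> Tuple[List[int], List[Tuple[str, int]]]:
    """Return (misplaced, duplicates): signature types found directly on a
    subkey that are not binding/revocation signatures, and (user id, type)
    for every signature packet that appears a second time under one User ID."""
    misplaced: List[int] = []
    duplicates: List[Tuple[str, int]] = []
    context, current_uid = None, ""
    seen: Dict[bytes, int] = {}                          # per-User-ID signature bodies
    for tag, body in parse_packets(data):
        if tag == TAG_PUBKEY:
            context = "primary"
        elif tag in (TAG_USERID, TAG_USERATTR):
            context = "uid"
            current_uid = body.decode("utf-8", "replace") if tag == TAG_USERID else "<user attribute>"
            seen = {}
        elif tag == TAG_SUBKEY:
            context = "subkey"
        elif tag == TAG_SIGNATURE:
            stype = signature_type(body)
            if context == "subkey" and stype not in SUBKEY_SIG_TYPES:
                misplaced.append(stype)                  # GnuPG ignores these
            elif context == "uid":
                seen[body] = seen.get(body, 0) + 1
                if seen[body] == 2:
                    duplicates.append((current_uid, stype))
    return misplaced, duplicates


def new_packet(tag: int, body: bytes) -> bytes:
    """Encode a new-format packet header plus body."""
    n = len(body)
    if n < 192:
        hdr = bytes([0xC0 | tag, n])
    elif n < 8384:
        n -= 192
        hdr = bytes([0xC0 | tag, (n >> 8) + 192, n & 0xFF])
    else:
        hdr = bytes([0xC0 | tag, 255]) + n.to_bytes(4, "big")
    return hdr + body


def dummy_sig(stype: int, salt: int = 0) -> bytes:
    # Constructed v4 signature body: version, type, pk algo, hash algo, then
    # zeroed subpacket areas. Only the type byte matters to the lint.
    return new_packet(TAG_SIGNATURE, bytes([4, stype, 1, 8, 0, 0, 0, 0, 0, salt]))


DUMMY_KEY_BODY = bytes([4, 0, 0, 0, 0, 1]) + b"\x00" * 8  # constructed, not a real key


def build_sample_key(mangled: bool) -> bytes:
    """Constructed key: primary, one User ID with two certifications, one subkey
    with its binding signature; the mangled variant repeats one certification
    and hangs two certifications off the subkey."""
    parts = [new_packet(TAG_PUBKEY, DUMMY_KEY_BODY),
             new_packet(TAG_USERID, b"Constructed Example <example@example.invalid>"),
             dummy_sig(0x13), dummy_sig(0x10, salt=1)]
    if mangled:
        parts.append(dummy_sig(0x10, salt=1))            # second copy of the same sig
    parts += [new_packet(TAG_SUBKEY, DUMMY_KEY_BODY), dummy_sig(0x18)]
    if mangled:
        parts += [dummy_sig(0x10), dummy_sig(0x13)]      # certifications on the subkey
    return b"".join(parts)


if __name__ == "__main__":
    for label in (False, True):
        print("mangled" if label else "clean", lint_key(build_sample_key(label)))
```

To run it over real material, feed the bytes of `gpg --export <keyid>` to `lint_key`; exported keys use definite packet lengths, which is all the parser accepts. The duplicate check compares whole signature packets byte for byte, so it flags exactly the "two copies of each of these signatures" case and nothing looser.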