From wk at gnupg.org Wed Jan 2 09:29:25 2008 From: wk at gnupg.org (Werner Koch) Date: Wed, 02 Jan 2008 09:29:25 +0100 Subject: logger-file vs log-file options (gnupg-2 regression?) In-Reply-To: <9e0cf0bf0712291232s1636caa7y93aa8b7778ea4325@mail.gmail.com> (Alon Bar-Lev's message of "Sat, 29 Dec 2007 22:32:57 +0200") References: <9e0cf0bf0712291232s1636caa7y93aa8b7778ea4325@mail.gmail.com> Message-ID: <87k5msmxzu.fsf@wheatstone.g10code.de> On Sat, 29 Dec 2007 21:32, alon.barlev at gmail.com said: > The logger-file was changed to log-file in gnupg-2. The other way around: gnupg-2: 2004-03-23 Werner Koch * g10.c: New options --gpgconf-list, --debug-level and --log-file gnupg-1: 2004-11-17 Werner Koch * g10.c (open_info_file): New. (main): Unconditionally implement --status-file, --logger-file, > The man page continue to document logger-file. I'll fix the man page and add an --logger-file alias. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Wed Jan 2 09:35:27 2008 From: wk at gnupg.org (Werner Koch) Date: Wed, 02 Jan 2008 09:35:27 +0100 Subject: compiling GnuPG for x86_64-pc-mingw32 In-Reply-To: <477828DC.8050601@idirect.com> (Tom Pegios's message of "Sun, 30 Dec 2007 18:25:16 -0500") References: <477828DC.8050601@idirect.com> Message-ID: <87fxxgmxps.fsf@wheatstone.g10code.de> On Mon, 31 Dec 2007 00:25, tomp at idirect.com said: > The x86_64-pc-mingw32 (64-bit) version of GnuPG can be built on MSYS > now but requires 2 changes to the source code. We don't support building on a native Windows platform. > If these 2 changes can be included in GnuPG this will allow for a > successful 64-bit build under windows without any file modifications. As soon as the mingw cross compiling kit on Debian requires this change it will be added. For the time being, please maintain your own patch. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From bernhard at intevation.de Wed Jan 2 12:34:42 2008 From: bernhard at intevation.de (Bernhard Reiter) Date: Wed, 2 Jan 2008 12:34:42 +0100 Subject: import of external certificates via command line In-Reply-To: <87ir2synyj.fsf@wheatstone.g10code.de> References: <200710122324.45353.jan-oliver.wagner@intevation.de> <200712211715.17932.bernhard@intevation.de> <87ir2synyj.fsf@wheatstone.g10code.de> Message-ID: <200801021234.46115.bernhard@intevation.de> On Friday 21 December 2007 18:09, Werner Koch wrote: > On Fri, 21 Dec 2007 17:15, bernhard at intevation.de said: > > No it does not give me the key, only the attributes. > > You may then use the listed fingerprint to export the key. ?Note that > you must use the fingerprint, the keyid is wrong and the issuer DN is > definitely wrong; only the fingerprint is ... Okay, the procedure as far as I know is: gpgsm --list-external-keys Boromir # select the fingerprint from the listing gpgsm --export b0:12:12:..... >boromirskey gpgsm --import boromirskey (tested with gpgsm 2.0.7) This is confusing, because gpgsm --export Boromir will _not_ work, even when there is only one key found. also this cannot be learned from the documentation and thus is obscure. Bernhard -- Managing Director - Owner: www.intevation.net (Free Software Company) Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com. Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998 Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 1571 bytes Desc: not available URL: From wk at gnupg.org Wed Jan 2 13:37:00 2008 From: wk at gnupg.org (Werner Koch) Date: Wed, 02 Jan 2008 13:37:00 +0100 Subject: import of external certificates via command line In-Reply-To: <200801021234.46115.bernhard@intevation.de> (Bernhard Reiter's message of "Wed, 2 Jan 2008 12:34:42 +0100") References: <200710122324.45353.jan-oliver.wagner@intevation.de> <200712211715.17932.bernhard@intevation.de> <87ir2synyj.fsf@wheatstone.g10code.de> <200801021234.46115.bernhard@intevation.de> Message-ID: <877iisl7yr.fsf@wheatstone.g10code.de> On Wed, 2 Jan 2008 12:34, bernhard at intevation.de said: > This is confusing, because > gpgsm --export Boromir > will _not_ work, even when there is only one key found. > also this cannot be learned from the documentation and thus is obscure. We have similar thing in gpg for many years. Only the fingerprint unambiguously indentifies a key and thus we use this hack to also export those hidden certificates. That feature has been implemented on request from the KMail/Kleopatra folks. It is not documented because it is indeed obscure ;-). Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From bernhard at intevation.de Wed Jan 2 13:41:22 2008 From: bernhard at intevation.de (Bernhard Reiter) Date: Wed, 2 Jan 2008 13:41:22 +0100 Subject: exporting and importing some subkeys Message-ID: <200801021341.28169.bernhard@intevation.de> With gnupg 2.0.7 (and 2.0.5): Given two machines with .gnupg having your secret key and doing "addkey" on one, I encountered a problem trying to transfer the new subkey to the other. gpg2 --export-secret-key ABCDEF >mykey worked even when ABCDEF is the fingerprint of my new subkey. gpg2 --import mykey tells me that the key is already in my keyring. gpg2 --list-secret-keys does not have the new subkey, so I guess the problem to be in the import. Am I missing something? Bernhard -- Managing Director - Owner: www.intevation.net (Free Software Company) Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com. Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998 Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From bernhard at intevation.de Wed Jan 2 13:43:16 2008 From: bernhard at intevation.de (Bernhard Reiter) Date: Wed, 2 Jan 2008 13:43:16 +0100 Subject: documentation: list format explained? Message-ID: <200801021343.17027.bernhard@intevation.de> Is there a section in the documentation which explains the different attributes of a key listing, e.g. in --edit --list-keys --list-secret keys? I have grepped for "ssb" and did not find it in the info source. Such a documentation would be very useful. Bernhard -- Managing Director - Owner: www.intevation.net (Free Software Company) Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com. Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998 Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From bernhard at intevation.de Wed Jan 2 14:18:45 2008 From: bernhard at intevation.de (Bernhard Reiter) Date: Wed, 2 Jan 2008 14:18:45 +0100 Subject: import of external certificates via command line In-Reply-To: <877iisl7yr.fsf@wheatstone.g10code.de> References: <200710122324.45353.jan-oliver.wagner@intevation.de> <200801021234.46115.bernhard@intevation.de> <877iisl7yr.fsf@wheatstone.g10code.de> Message-ID: <200801021418.46928.bernhard@intevation.de> On Wednesday 02 January 2008 13:37, Werner Koch wrote: > On Wed, ?2 Jan 2008 12:34, bernhard at intevation.de said: > > This is confusing, because > > ??????gpgsm --export Boromir > > ??????will _not_ work, even when there is only one key found. > > also this cannot be learned from the documentation and thus is obscure. > > We have similar thing in gpg for many years. ?Only the fingerprint > unambiguously indentifies a key and thus we use this hack to also export > those hidden certificates. ?That feature has been implemented on request > from the KMail/Kleopatra folks. Well, it is good to at least have a method. > It is not documented because it is indeed obscure ;-). To have a way to import externally found certificates is a feature that people are missing. So why not document the current way until a better one is implemented. Bernhard -- Managing Director - Owner: www.intevation.net (Free Software Company) Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com. Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998 Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From wk at gnupg.org Wed Jan 2 15:20:24 2008 From: wk at gnupg.org (Werner Koch) Date: Wed, 02 Jan 2008 15:20:24 +0100 Subject: documentation: list format explained? In-Reply-To: <200801021343.17027.bernhard@intevation.de> (Bernhard Reiter's message of "Wed, 2 Jan 2008 13:43:16 +0100") References: <200801021343.17027.bernhard@intevation.de> Message-ID: <874pdwjolz.fsf@wheatstone.g10code.de> On Wed, 2 Jan 2008 13:43, bernhard at intevation.de said: > I have grepped for "ssb" and did not find it in the info source. > Such a documentation would be very useful. gnupg/doc/DETAILS 1. Field: Type of record pub = public key crt = X.509 certificate crs = X.509 certificate and private key available sub = subkey (secondary key) sec = secret key ssb = secret subkey (secondary key) uid = user id (only field 10 is used). uat = user attribute (same as user id except for field 10). sig = signature rev = revocation signature fpr = fingerprint: (fingerprint is in field 10) pkd = public key data (special field format, see below) grp = reserved for gpgsm rvk = revocation key tru = trust database information spk = signature subpacket [...] Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Wed Jan 2 15:22:13 2008 From: wk at gnupg.org (Werner Koch) Date: Wed, 02 Jan 2008 15:22:13 +0100 Subject: import of external certificates via command line In-Reply-To: <200801021418.46928.bernhard@intevation.de> (Bernhard Reiter's message of "Wed, 2 Jan 2008 14:18:45 +0100") References: <200710122324.45353.jan-oliver.wagner@intevation.de> <200801021234.46115.bernhard@intevation.de> <877iisl7yr.fsf@wheatstone.g10code.de> <200801021418.46928.bernhard@intevation.de> Message-ID: <87zlvoi9yi.fsf@wheatstone.g10code.de> On Wed, 2 Jan 2008 14:18, bernhard at intevation.de said: > To have a way to import externally found certificates > is a feature that people are missing. So why not document the current > way until a better one is implemented. We don't document obscure features because these makes it a bit easier for us to change the semantics. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From alon.barlev at gmail.com Wed Jan 2 15:29:18 2008 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Wed, 2 Jan 2008 16:29:18 +0200 Subject: logger-file vs log-file options (gnupg-2 regression?) In-Reply-To: <87k5msmxzu.fsf@wheatstone.g10code.de> References: <9e0cf0bf0712291232s1636caa7y93aa8b7778ea4325@mail.gmail.com> <87k5msmxzu.fsf@wheatstone.g10code.de> Message-ID: <9e0cf0bf0801020629q37aa8a98q468b222f883d4df5@mail.gmail.com> Thanks, Any reason to break the parameter compatibility between the two versions? --logger-file does not work anymore. Alon. On 1/2/08, Werner Koch wrote: > On Sat, 29 Dec 2007 21:32, alon.barlev at gmail.com said: > > > The logger-file was changed to log-file in gnupg-2. > > The other way around: > > gnupg-2: > > 2004-03-23 Werner Koch > > * g10.c: New options --gpgconf-list, --debug-level and --log-file > > gnupg-1: > > 2004-11-17 Werner Koch > > * g10.c (open_info_file): New. > (main): Unconditionally implement --status-file, --logger-file, > > > The man page continue to document logger-file. > > I'll fix the man page and add an --logger-file alias. > > > Shalom-Salam, > > Werner > > -- > Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. > > From bernhard at intevation.de Wed Jan 2 16:20:01 2008 From: bernhard at intevation.de (Bernhard Reiter) Date: Wed, 2 Jan 2008 16:20:01 +0100 Subject: import of external certificates via command line In-Reply-To: <87zlvoi9yi.fsf@wheatstone.g10code.de> References: <200710122324.45353.jan-oliver.wagner@intevation.de> <200801021418.46928.bernhard@intevation.de> <87zlvoi9yi.fsf@wheatstone.g10code.de> Message-ID: <200801021620.05062.bernhard@intevation.de> On Wednesday 02 January 2008 15:22, Werner Koch wrote: > On Wed, ?2 Jan 2008 14:18, bernhard at intevation.de said: > > To have a way to import externally found certificates > > is a feature that people are missing. So why not document the current > > way until a better one is implemented. > > We don't document obscure features because these makes it a bit easier > for us to change the semantics. Werner, somehow I feel you are weaseling around the problem... It is a _non_ obscure problem that you cannot import an externally found certificate. Lack of mentioning this use case in the documentation does irritate an advanced user. You can a) fix the problem and add some option to gpgsm and the documentation so that the use case is possible b) mention the dirty workaround somewhere, maybe declare it and its semantics dirty. Doing b) is not very time intensive and will help Gnupg's quality, which is something I have learned by user feedback and my own experiences. I hope this feedback is welcome. Best, Bernhard -- Managing Director - Owner: www.intevation.net (Free Software Company) Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com. Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998 Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 1571 bytes Desc: not available URL: From bernhard at intevation.de Wed Jan 2 16:23:01 2008 From: bernhard at intevation.de (Bernhard Reiter) Date: Wed, 2 Jan 2008 16:23:01 +0100 Subject: documentation: list format explained? In-Reply-To: <874pdwjolz.fsf@wheatstone.g10code.de> References: <200801021343.17027.bernhard@intevation.de> <874pdwjolz.fsf@wheatstone.g10code.de> Message-ID: <200801021623.05604.bernhard@intevation.de> On Wednesday 02 January 2008 15:20, Werner Koch wrote: > > I have grepped for "ssb" and did not find it in the info source. > > Such a documentation would be very useful. > > gnupg/doc/DETAILS Ah! Thanks for the hint! I suggest to add a similiar hint towards the file in the gnupg2.info* files. > ?1. Field: ?Type of record > ???????? ? ?pub = public key > ? ? ? ? ? ? crt = X.509 certificate > ? ? ? ? ? ? crs = X.509 certificate and private key available > ???????? ? ?sub = subkey (secondary key) > ???????? ? ?sec = secret key > ???????? ? ?ssb = secret subkey (secondary key) -- Managing Director - Owner: www.intevation.net (Free Software Company) Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com. Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998 Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From wk at gnupg.org Wed Jan 2 16:56:25 2008 From: wk at gnupg.org (Werner Koch) Date: Wed, 02 Jan 2008 16:56:25 +0100 Subject: import of external certificates via command line In-Reply-To: <200801021620.05062.bernhard@intevation.de> (Bernhard Reiter's message of "Wed, 2 Jan 2008 16:20:01 +0100") References: <200710122324.45353.jan-oliver.wagner@intevation.de> <200801021418.46928.bernhard@intevation.de> <87zlvoi9yi.fsf@wheatstone.g10code.de> <200801021620.05062.bernhard@intevation.de> Message-ID: <87sl1ggr12.fsf@wheatstone.g10code.de> On Wed, 2 Jan 2008 16:20, bernhard at intevation.de said: > somehow I feel you are weaseling around the problem... No. Before you can even run an external search you need to configure the dirmngr to *your* local environment. There is no universal way to find X.509 certificates - it highly depends on the concrete PKI! This is very different from PGP where it is common to store keys on the synced network of keyservers. All real world X.509 PKIs provide a custom way to lookup certificates - in general you need to use this custom method. Further, there is never a need to lookup certificates *if* the PKI is proper working. gpgsm will do this for you then. If we start to document how to get certifcates from certain PKIs we will soon end up with a large howto on how the PKIs all over the world are misconfigured and how to solve each of the problems. This is not the job of a general purpose software. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Wed Jan 2 17:01:33 2008 From: wk at gnupg.org (Werner Koch) Date: Wed, 02 Jan 2008 17:01:33 +0100 Subject: logger-file vs log-file options (gnupg-2 regression?) In-Reply-To: <9e0cf0bf0801020629q37aa8a98q468b222f883d4df5@mail.gmail.com> (Alon Bar-Lev's message of "Wed, 2 Jan 2008 16:29:18 +0200") References: <9e0cf0bf0712291232s1636caa7y93aa8b7778ea4325@mail.gmail.com> <87k5msmxzu.fsf@wheatstone.g10code.de> <9e0cf0bf0801020629q37aa8a98q468b222f883d4df5@mail.gmail.com> Message-ID: <87odc4gqsi.fsf@wheatstone.g10code.de> On Wed, 2 Jan 2008 15:29, alon.barlev at gmail.com said: > Any reason to break the parameter compatibility between the two versions? > --logger-file does not work anymore. There has never been a --logger-file for gpg2. There is a --log-file and we only later added --logger-file to gpg-1. That is a bit unfortunate but that is a fact for 3 years. Also see: >> I'll fix the man page and add an --logger-file alias. .. to gpg2. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Wed Jan 2 17:04:07 2008 From: wk at gnupg.org (Werner Koch) Date: Wed, 02 Jan 2008 17:04:07 +0100 Subject: logger-file vs log-file options (gnupg-2 regression?) In-Reply-To: <9e0cf0bf0801020629q37aa8a98q468b222f883d4df5@mail.gmail.com> (Alon Bar-Lev's message of "Wed, 2 Jan 2008 16:29:18 +0200") References: <9e0cf0bf0712291232s1636caa7y93aa8b7778ea4325@mail.gmail.com> <87k5msmxzu.fsf@wheatstone.g10code.de> <9e0cf0bf0801020629q37aa8a98q468b222f883d4df5@mail.gmail.com> Message-ID: <87k5msgqo8.fsf@wheatstone.g10code.de> Hi, FWIW, I just recall why we have different names: --log-file allows for a special name "socket:///fooo" whereas --logger-file does not. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From marcus.brinkmann at ruhr-uni-bochum.de Wed Jan 2 17:10:19 2008 From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Wed, 02 Jan 2008 17:10:19 +0100 Subject: Frontend for GPG In-Reply-To: <200712211048.25215.bernhard@intevation.de> References: <3ac86fa70712111623wd83e701vd07440a6966dde65@mail.gmail.com> <200712211048.25215.bernhard@intevation.de> Message-ID: <87sl1g5huc.wl%marcus.brinkmann@ruhr-uni-bochum.de> At Fri, 21 Dec 2007 10:48:24 +0100, Bernhard Reiter wrote: > > [1 ] > [1.1 ] > On Wednesday 12 December 2007 01:23, Brad Tilley wrote: > > Are there any docs that describe a programmatic > > interface to gpg or how to go about this sort of thing with a > > os.system and/or os.popen library? > > The canonical way would be to use gpgme, > but of course this might already have to many feature for your use case. > It would be cool to have python gpgme bindings. http://pyme.sourceforge.net/ Thanks, Marcus From bernhard at intevation.de Wed Jan 2 18:01:08 2008 From: bernhard at intevation.de (Bernhard Reiter) Date: Wed, 2 Jan 2008 18:01:08 +0100 Subject: import of external certificates via command line In-Reply-To: <87sl1ggr12.fsf@wheatstone.g10code.de> References: <200710122324.45353.jan-oliver.wagner@intevation.de> <200801021620.05062.bernhard@intevation.de> <87sl1ggr12.fsf@wheatstone.g10code.de> Message-ID: <200801021801.13105.bernhard@intevation.de> On Wednesday 02 January 2008 16:56, Werner Koch wrote: > On Wed, ?2 Jan 2008 16:20, bernhard at intevation.de said: > > somehow I feel you are weaseling around the problem... > > No. ?Before you can even run an external search you need to configure > the dirmngr to *your* local environment. But when my external search is working, why can't I get those certificates right away? > ? ?There is no universal way to find X.509 certificates - it highly > ? ?depends on the concrete PKI! > > This is very different from PGP where it is common to store keys on the > synced network of keyservers. ?All real world X.509 PKIs provide a > custom way to lookup certificates - in general you need to use this > custom method. In Germany I know the Bavarian one which responds to ldap searches. There will always be keys that I do not have in my personal keybox but I can find by other means. All I want is a way to get these keys into my person keybox when I can already find them. > Further, there is never a need to lookup certificates *if* the PKI is > proper working. ?gpgsm will do this for you then. ? You sound like locally saved keys were a bad design idea. > If we start to > document how to get certifcates from certain PKIs we will soon end up > with a large howto on how the PKIs all over the world are misconfigured > and how to solve each of the problems. ?This is not the job of a general > purpose software. The purpose of a general purpose software is to be practical and if there a major PKIs which "special" in different ways it might be practical to support them so that the software is interoperable and useful. However this is not the point. There are directory services you can ask by LDAP which have reserved attributes for public keys. Gpgsm needs to be able to handle LDAP anyway, thus doing external searches for these directory services seem to be quite sensible to me. So why not import the found keys?? Bernhard -- Managing Director - Owner: www.intevation.net (Free Software Company) Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com. Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998 Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From bernhard at intevation.de Wed Jan 2 18:06:17 2008 From: bernhard at intevation.de (Bernhard Reiter) Date: Wed, 2 Jan 2008 18:06:17 +0100 Subject: pyme (was: Frontend for GPG) In-Reply-To: <87sl1g5huc.wl%marcus.brinkmann@ruhr-uni-bochum.de> References: <3ac86fa70712111623wd83e701vd07440a6966dde65@mail.gmail.com> <200712211048.25215.bernhard@intevation.de> <87sl1g5huc.wl%marcus.brinkmann@ruhr-uni-bochum.de> Message-ID: <200801021806.18508.bernhard@intevation.de> On Wednesday 02 January 2008 17:10, Marcus Brinkmann wrote: > > It would be cool to have python gpgme bindings. > > http://pyme.sourceforge.net/ This looks abandoned, lowlevel and is based on SWIG. Nevertheless it could be a start. -- Managing Director - Owner: www.intevation.net (Free Software Company) Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com. Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998 Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From wk at gnupg.org Wed Jan 2 18:19:15 2008 From: wk at gnupg.org (Werner Koch) Date: Wed, 02 Jan 2008 18:19:15 +0100 Subject: import of external certificates via command line In-Reply-To: <200801021801.13105.bernhard@intevation.de> (Bernhard Reiter's message of "Wed, 2 Jan 2008 18:01:08 +0100") References: <200710122324.45353.jan-oliver.wagner@intevation.de> <200801021620.05062.bernhard@intevation.de> <87sl1ggr12.fsf@wheatstone.g10code.de> <200801021801.13105.bernhard@intevation.de> Message-ID: <874pdwf8mk.fsf@wheatstone.g10code.de> On Wed, 2 Jan 2008 18:01, bernhard at intevation.de said: > But when my external search is working, why can't I get those certificates > right away? Because certificates are so often broken and will mess up the certificates you already have. Importing all certifcates available is a bad idea and only needed if the PKI is broken - if it is broken tehre is a good chance that everything gets messed up. > In Germany I know the Bavarian one which responds to ldap searches. > There will always be keys that I do not have in my personal keybox > but I can find by other means. I usually have to resort to a general LDAP browser to locate a specific certificate, The automatic mode works only with proper administered LDAP directies (like the one you are running). > You sound like locally saved keys were a bad design idea. I did not say this. > However this is not the point. There are directory services you can ask by > LDAP which have reserved attributes for public keys. Gpgsm needs to be able Tell me this attribute! There is no standard for it and thus everyone is using a different one. See also "retrieving a certificate by serial number and issuer name" (which is not possible). Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From alon.barlev at gmail.com Wed Jan 2 17:10:35 2008 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Wed, 2 Jan 2008 18:10:35 +0200 Subject: logger-file vs log-file options (gnupg-2 regression?) In-Reply-To: <87k5msgqo8.fsf@wheatstone.g10code.de> References: <9e0cf0bf0712291232s1636caa7y93aa8b7778ea4325@mail.gmail.com> <87k5msmxzu.fsf@wheatstone.g10code.de> <9e0cf0bf0801020629q37aa8a98q468b222f883d4df5@mail.gmail.com> <87k5msgqo8.fsf@wheatstone.g10code.de> Message-ID: <9e0cf0bf0801020810y4d519ac1v77933a744ac81132@mail.gmail.com> On 1/2/08, Werner Koch wrote: > FWIW, I just recall why we have different names: --log-file allows for a > special name "socket:///fooo" whereas --logger-file does not. Oh... So we can forget about having the same arguments for both versions? [[ Now I understand that is "alias" ]] Alon. From lofi at freebsd.org Wed Jan 2 20:45:43 2008 From: lofi at freebsd.org (Michael Nottebrock) Date: Wed, 02 Jan 2008 20:45:43 +0100 Subject: dirmngr-1.0.1 needs explicit libiconv dependency for --disable-nls case Message-ID: <477BE9E7.7070101@freebsd.org> See subject. Patch similar to the one found in the attachment to http://www.freebsd.org/cgi/query-pr.cgi?pr=119016 should fix the problem. Cheers, -- ,_, | Michael Nottebrock | lofi at freebsd.org (/^ ^\) | FreeBSD - The Power to Serve | http://www.freebsd.org \u/ | K Desktop Environment on FreeBSD | http://freebsd.kde.org -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature URL: From marcus.brinkmann at ruhr-uni-bochum.de Wed Jan 2 23:32:28 2008 From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Wed, 02 Jan 2008 23:32:28 +0100 Subject: dirmngr-1.0.1 needs explicit libiconv dependency for --disable-nls case In-Reply-To: <477BE9E7.7070101@freebsd.org> References: <477BE9E7.7070101@freebsd.org> Message-ID: <87odc36epv.wl%marcus.brinkmann@ruhr-uni-bochum.de> At Wed, 02 Jan 2008 20:45:43 +0100, Michael Nottebrock wrote: > > [1 ] > [1.1 ] > See subject. > > Patch similar to the one found in the attachment to > http://www.freebsd.org/cgi/query-pr.cgi?pr=119016 should fix the problem. Checked in, thank you! 2008-01-02 Marcus Brinkmann * Makefile.am (dirmngr_LDADD, dirmngr_ldap_LDADD, (dirmngr_client_LDADD): Add $(LIBICONV). Reported by Michael Nottebrock. Marcus -- g10 Code GmbH http://g10code.com AmtsGer. Wuppertal HRB 14459 H?ttenstr. 61 Gesch?ftsf?hrung Werner Koch D-40699 Erkrath -=- The GnuPG Experts -=- USt-Id DE215605608 From bernhard at intevation.de Wed Jan 2 23:41:03 2008 From: bernhard at intevation.de (Bernhard Reiter) Date: Wed, 2 Jan 2008 23:41:03 +0100 Subject: import of external certificates via command line In-Reply-To: <874pdwf8mk.fsf@wheatstone.g10code.de> References: <200710122324.45353.jan-oliver.wagner@intevation.de> <200801021801.13105.bernhard@intevation.de> <874pdwf8mk.fsf@wheatstone.g10code.de> Message-ID: <200801022341.07949.bernhard@intevation.de> On Wednesday 02 January 2008 18:19, Werner Koch wrote: > On Wed, 2 Jan 2008 18:01, bernhard at intevation.de said: > > But when my external search is working, why can't I get those > > certificates right away? > > Because certificates are so often broken and will mess up the > certificates you already have. Importing all certifcates available is a > bad idea and only needed if the PKI is broken - if it is broken tehre is > a good chance that everything gets messed up. I am the whole thread writing about importing a subset of certificates that I have found by (possibly several) external searches, aka gpgsm --list-external-keys Frodo gpgsm --list-external-keys Sam ah, found, now gpgsm --with-import-please --list-external-keys Sam > > In Germany I know the Bavarian one which responds to ldap searches. > > There will always be keys that I do not have in my personal keybox > > but I can find by other means. > > I usually have to resort to a general LDAP browser to locate a specific > certificate, The automatic mode works only with proper administered LDAP > directies (like the one you are running). I have encountered a few now, ca.intevation.de, the Bavarian, ... And no matter how broken a directory service is, if --list-external-keys already found the certificiate, no matter where, it is completely beyond me, what there should not a command which will "import" this special subset of possible keys. > > You sound like locally saved keys were a bad design idea. > > I did not say this. You have said that a properly administered PKI would be able to locate the certificate you need anyway and used this argument to not add a special options to be able to important a selected group of externally found keys. I do not believe the argument because it is defeated by our own design which already (rightfully) takes into account existing PKIs. > > However this is not the point. There are directory services you can ask > > by LDAP which have reserved attributes for public keys. Gpgsm needs to be > > able > > Tell me this attribute! There is no standard for it and thus everyone > is using a different one. See also "retrieving a certificate by serial > number and issuer name" (which is not possible). http://tools.ietf.org/html/rfc4523 as 4.1. userCertificate The userCertificate attribute holds the X.509 certificates issued to the user by one or more certificate authorities, as discussed in clause 11.2.1 of [X.509]. ( 2.5.4.36 NAME 'userCertificate' DESC 'X.509 user certificate' EQUALITY certificateExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 ) It is reasonable to try this attribute when using the light weight database protocol. Bernhard -- Managing Director - Owner: www.intevation.net (Free Software Company) Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com. Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998 Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From patrick at mozilla-enigmail.org Wed Jan 2 23:01:55 2008 From: patrick at mozilla-enigmail.org (Patrick Brunschwig) Date: Wed, 02 Jan 2008 23:01:55 +0100 Subject: Status of GnuPG2 on Windows Message-ID: <477C09D3.3040504@mozilla-enigmail.org> What is the current status of GnuPG 2.0 on Windows. In the "What's New" section of the 2.0.8 release, I read that Windows is now a supported platform. Does that mean that GnuPG 2 is now considered stable on Windows, or just that it basically works? Thanks, Patrick From wk at gnupg.org Thu Jan 3 10:51:50 2008 From: wk at gnupg.org (Werner Koch) Date: Thu, 03 Jan 2008 10:51:50 +0100 Subject: Status of GnuPG2 on Windows In-Reply-To: <477C09D3.3040504@mozilla-enigmail.org> (Patrick Brunschwig's message of "Wed, 02 Jan 2008 23:01:55 +0100") References: <477C09D3.3040504@mozilla-enigmail.org> Message-ID: <87myrnck3t.fsf@wheatstone.g10code.de> On Wed, 2 Jan 2008 23:01, patrick at mozilla-enigmail.org said: > What is the current status of GnuPG 2.0 on Windows. In the "What's New" > section of the 2.0.8 release, I read that Windows is now a supported > platform. Does that mean that GnuPG 2 is now considered stable on > Windows, or just that it basically works? It is stable. Which does not mean that there are now bugs ;-). Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From marcus.brinkmann at ruhr-uni-bochum.de Fri Jan 4 15:50:43 2008 From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Fri, 04 Jan 2008 15:50:43 +0100 Subject: [Announce] GPGME 1.1.6 released Message-ID: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> Hi, We are pleased to announce version 1.1.6 of GnuPG Made Easy, a library designed to make access to GnuPG easier for applications. It may be found in the file (about 939 KB/730 KB compressed) ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.6.tar.gz ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.6.tar.bz2 The following files are also available: ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.6.tar.gz.sig ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.6.tar.bz2.sig ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.5-1.1.6.diff.gz It should soon appear on the mirrors listed at: http://www.gnupg.org/mirrors.html Bug reports and requests for assistance should be sent to: gnupg-devel at gnupg.org The sha1sum checksums for this distibution are ed2c9699367d1be32f84bf154673becd16deba0a gpgme-1.1.5-1.1.6.diff.gz 05218df939d72c2fd6d74f22c2b5d5ade0718b7a gpgme-1.1.6.tar.bz2 2c2994d98ab545d1bced14c0554f4a50fd8e0878 gpgme-1.1.6.tar.bz2.sig 8dee551f362fc428c25c9bd542ce944ac916347d gpgme-1.1.6.tar.gz 996e0b48a4f5e0ce3029e95c310ae64af92a6131 gpgme-1.1.6.tar.gz.sig Noteworthy changes in version 1.1.6 (2008-01-04) ------------------------------------------------ * Bug fixes for for W32. * A new, experimental (and thus undocumented and potentially unstable) interface for accessing gpg-conf through GPGME has been added. * Interface changes relative to the 1.1.1 release: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ gpgme_signature_t EXTENDED: New field chain_model. gpgme_op_getauditlog_start NEW. gpgme_op_getauditlog NEW. GPGME_AUDITLOG_HTML NEW. GPGME_AUDITLOG_WITH_HELP NEW. Marcus Brinkmann mb at g10code.de -- g10 Code GmbH http://g10code.com AmtsGer. Wuppertal HRB 14459 H?ttenstr. 61 Gesch?ftsf?hrung Werner Koch D-40699 Erkrath -=- The GnuPG Experts -=- USt-Id DE215605608 _______________________________________________ Gnupg-announce mailing list Gnupg-announce at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From alon.barlev at gmail.com Fri Jan 4 16:45:16 2008 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Fri, 4 Jan 2008 17:45:16 +0200 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> Message-ID: <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> On 1/4/08, Marcus Brinkmann wrote: > Hi, > > We are pleased to announce version 1.1.6 of GnuPG Made Easy, > a library designed to make access to GnuPG easier for applications. Hello, Please fix some qa issues. * QA Notice: Package has poor programming practices which may compile * fine but exhibit random runtime failures. * assuan-pipe-connect.c:593: warning: implicit declaration of function '_gpgme_io_pipe' assuan-pipe-connect.c:638: warning: implicit declaration of function '_gpgme_io_spawn' Attach is a temp fix, as including the priv-io.h conflict with other parts of the software. Also... One test fails: PASS: t-verify Hallo Leute! PASS: t-decrypt t-sign.c:107: KSBA: Not found (9.27) FAIL: t-sign Begin Result: Issuer ...: /CN=DFN Top Level Certification Authority/OU=DFN-PCA/O=Deutsches Forschungsnetz/C=DE/EMail=certify at pca.dfn.de Serial ...: 01 Subject ..: /CN=DFN Top Level Certification Authority/OU=DFN-PCA/O=Deutsches Forschungsnetz/C=DE/EMail=certify at pca.dfn.de During tests, the pinentry dialogs are shown, I must write "abc" for tests to run (many times), can you please make the test use silent passphrase? Best Regards, Alon Bar-Lev. -------------- next part -------------- A non-text attachment was scrubbed... Name: gpgme-1.1.6-qa.patch Type: text/x-diff Size: 580 bytes Desc: not available URL: From marcus.brinkmann at ruhr-uni-bochum.de Fri Jan 4 16:53:26 2008 From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Fri, 04 Jan 2008 16:53:26 +0100 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> Message-ID: <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de> At Fri, 4 Jan 2008 17:45:16 +0200, "Alon Bar-Lev" wrote: > > [1 ] > On 1/4/08, Marcus Brinkmann wrote: > > Hi, > > > > We are pleased to announce version 1.1.6 of GnuPG Made Easy, > > a library designed to make access to GnuPG easier for applications. > > Hello, > > Please fix some qa issues. > * QA Notice: Package has poor programming practices which may compile > * fine but exhibit random runtime failures. > * assuan-pipe-connect.c:593: warning: implicit declaration of > function '_gpgme_io_pipe' > assuan-pipe-connect.c:638: warning: implicit declaration of function > '_gpgme_io_spawn' > > Attach is a temp fix, as including the priv-io.h conflict with other > parts of the software. The fix is fine, priv-io.h is not part of assuan, and thus repeating the internal declarations is good enough. > Also... One test fails: > > PASS: t-verify > Hallo Leute! > PASS: t-decrypt > t-sign.c:107: KSBA: Not found (9.27) > FAIL: t-sign > Begin Result: > Issuer ...: /CN=DFN Top Level Certification > Authority/OU=DFN-PCA/O=Deutsches > Forschungsnetz/C=DE/EMail=certify at pca.dfn.de > Serial ...: 01 > Subject ..: /CN=DFN Top Level Certification > Authority/OU=DFN-PCA/O=Deutsches > Forschungsnetz/C=DE/EMail=certify at pca.dfn.de Which version of gpgsm do you use? The tests run fine here. > During tests, the pinentry dialogs are shown, I must write "abc" for > tests to run (many times), can you please make the test use silent > passphrase? We already set GPG_AGENT_INFO to empty in the test environment (see TEST_ENVIRONMENT in tests/gpgsm/Makefile.am). I have no idea why this is not working for you. Did you run "make check" or invoked the test manually? Thanks, Marcus From alon.barlev at gmail.com Fri Jan 4 17:01:19 2008 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Fri, 4 Jan 2008 18:01:19 +0200 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de> Message-ID: <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> On 1/4/08, Marcus Brinkmann wrote: > The fix is fine, priv-io.h is not part of assuan, and thus repeating > the internal declarations is good enough. This is not so good practice... You can separate these into their own header file and include it from both places. > Which version of gpgsm do you use? The tests run fine here. $ gpgsm --version gpgsm (GnuPG) 2.0.8 Copyright (C) 2007 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: ~/.gnupg Supported algorithms: Cipher: 3DES, AES, AES192, AES256, SERPENT128, SERPENT192, SERPENT256, SEED, CAMELLIA128, CAMELLIA192, CAMELLIA256 Pubkey: RSA, ECDSA Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, WHIRLPOOL Used libraries: gcrypt(1.4.0), ksba(1.0.2), assuan(1.0.4) > We already set GPG_AGENT_INFO to empty in the test environment (see > TEST_ENVIRONMENT in tests/gpgsm/Makefile.am). I have no idea why this > is not working for you. Did you run "make check" or invoked the test > manually? I use "make check". GPG_AGENT_INFO= echo alon | gpg2 --sign Will result in running an agent by itself... right? Alon. From marcus.brinkmann at ruhr-uni-bochum.de Fri Jan 4 17:24:27 2008 From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Fri, 04 Jan 2008 17:24:27 +0100 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> Message-ID: <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de> At Fri, 4 Jan 2008 18:01:19 +0200, "Alon Bar-Lev" wrote: > > On 1/4/08, Marcus Brinkmann wrote: > > The fix is fine, priv-io.h is not part of assuan, and thus repeating > > the internal declarations is good enough. > > This is not so good practice... You can separate these into their own > header file and include it from both places. Sometimes even good practices need to be broken. This is such a case. There is a better solution, but it requires major extensions to libassuan, which we are not currently planning for (to be specific: libassuan should provide hooks for everything gpgme needs to change in its implementation. Then we can just link to libassuan and remove the local copy). > > Which version of gpgsm do you use? The tests run fine here. > > $ gpgsm --version > gpgsm (GnuPG) 2.0.8 Ok, I used 2.0.4 for testing the release. It is possible that something changed which broke the test case, I'll have to check it out. Thanks for letting me know. > > We already set GPG_AGENT_INFO to empty in the test environment (see > > TEST_ENVIRONMENT in tests/gpgsm/Makefile.am). I have no idea why this > > is not working for you. Did you run "make check" or invoked the test > > manually? > > I use "make check". Probably also related to the gpg/gpgsm version. > GPG_AGENT_INFO= echo alon | gpg2 --sign > > Will result in running an agent by itself... right? Mmh. Did you specify gpg2 as default gpg for gpgme? And did it ask for the passphrase in tests/gpg or tests/gpgsm? Actually, in which particular test, gpg/t-sign? Thanks, Marcus From alon.barlev at gmail.com Fri Jan 4 17:32:05 2008 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Fri, 4 Jan 2008 18:32:05 +0200 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de> Message-ID: <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> On 1/4/08, Marcus Brinkmann wrote: > Mmh. Did you specify gpg2 as default gpg for gpgme? And did it ask /usr/bin/gpg is link to /usr/bin/gpg2, gpgme configuration detect the correct version. > for the passphrase in tests/gpg or tests/gpgsm? Actually, in which > particular test, gpg/t-sign? make check-TESTS make[3]: Entering directory `/home/alonbl/tmp/xx/gpgme-1.1.6/tests/gpg' -----BEGIN PGP MESSAGE----- Version: GnuPG v2.0.8 (GNU/Linux) hQEOA2rm1+5GqHH4EAP8CLySAWZ9QFCMUZKwaR80CEXY6WtSerNt30PuO9F3DUE2 FFzLT7rCfTSfa87hpa45dwH2NynxvW/sREFYysARlj3GVFy1jKXHZ2q9sRagCxbP PlpmnXsQ0/tScTJ892HAcB/GeuWPSvJ+Rfo5NpHOpXMQh2qlbvaOV93HFTS5En4D /iJTP7m0/w1+Pgb3SyhIu0sjnFra3pOoGpUe+mCd3KLizOcXcnFE2tZpZCQVmQsU cUDUICjehkj9e8dq7aUkwNi7G0mvspMxyL202i7Z833zvXepjPJlTayNWYMeKIqK EqfELsAqBRQ9vRUcOp29I0NWveeSfckB6nx/zFGSoFoqhQEOA1OB6k7im6N/EAP+ LCjEPPBz5gu8EYtfnwCtUC8SX33aUmFeTpd+kdNGXRC8dsf74A/ZoPciLFWLW63o M3wrz2MQVwHukv6xaSBjnbS4M+nTMtnYzZjXd1OwZZxO048z1Z50IuXFT3QfzMhD K7/YXbn7crXrrnVJ72EHX/nZ2xa0kBGsluZZEgwybmUD/jSgPqcDwydfgCqUDefZ TUMr4BaOyngthQUQcJjzy3x5npGv0SAJx0gkzft8URKBOxaY1zxXxQBIvMVpln0M EznBLzIUh0Xn5ZfjggMAUZyoeIh6iYLizeAVdLPdgwMnlctVjoG/cUb2ZQL24Z4N AJZm6m9S2/N+fuHCRUkf+QLq0kcByRxIm8iWRdBCatPX9ddRvdaBJ7owzxri5J/7 JzGoNoXfsM23sLwumu7sml/DYUV7cy5T78U/uTc14tv5CBXq4fraTcos3w== =bsZL -----END PGP MESSAGE----- PASS: t-encrypt Same for other tests. Alon. From tomp at idirect.com Fri Jan 4 18:53:56 2008 From: tomp at idirect.com (Tom Pegios) Date: Fri, 04 Jan 2008 12:53:56 -0500 Subject: GnuPG v2.0.8 on windows 32 bit platform Message-ID: <477E72B4.9000708@idirect.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Has anyone that has compiled GnuPG v2.0.8 for Windows(32) run into the following problem as I'm not sure if I'm doing something wrong Running make check for gpg2 shows ALL tests pass BUT make check fails on the following libraries. - - - ------------------------ in libksba-1.0.2 make[2]: Entering directory `/src/v2/libksba-1.0.2/tests' /bin/sh ../libtool --tag=CC --mode=link gcc -I/usr/local/include -g - - - -O2 -Wall-Wcast-align -Wshadow -Wstrict-prototypes -Wpointer-arith - - - -Wno-pointer-sign -o cert-basic.exe cert-basic.o ../src/libksba.la - - - -L/usr/local/lib -lgpg-errorgcc -I/usr/local/include -g -O2 -Wall - - - -Wcast-align -Wshadow -Wstrict-prototypes -Wpointer-arith - - - -Wno-pointer-sign -o .libs/cert-basic.exe cert-basic.o ../src/. libs/libksba.dll.a -L/usr/local/lib /usr/local/lib/libgpg-error.dll.a - - - -L/usr/local/lib cert-basic.o: In function `one_file': d:\M-SYS\src\v2\libksba-1.0.2\tests/cert-basic.c:591: undefined reference to `__ ksba_keyinfo_from_sexp' d:\M-SYS\src\v2\libksba-1.0.2\tests/cert-basic.c:602: undefined reference to `__ ksba_keyinfo_to_sexp' d:\M-SYS\src\v2\libksba-1.0.2\tests/cert-basic.c:615: undefined reference to `__ ksba_keyinfo_from_sexp' collect2: ld returned 1 exit status - - - ---------------------------------------- in libgcrypt-1.4.0 15 of 15 tests failed Please report to bug-libgcrypt at gnupg.org ======================================== make[2]: *** [check-TESTS] Error 1 make[2]: Leaving directory `/src/v2/libgcrypt-1.4.0/tests' make[1]: *** [check-am] Error 2 - - - ----------------------------- in libgpg-error-1.6 make check-TESTS make[2]: Entering directory `/src/v2/libgpg-error-1.6/tests' FAIL: t-strerror.exe FAIL: t-syserror.exe ==================================== 2 of 2 tests failed GPG2 seems to work properly but with the libraries falling the above tests I'm sure if I an trust GPG2 to work properly. anyone have any ideas ??? Tom -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.8 (MingW32) iEYEAREIAAYFAkd+crMACgkQxDTq4V42xe555QCdGC1lcvWcFORQVIAdgQVA9w/l HhUAn00UFt4lqCoOIkFSy9KemDY8ZSqP =0aDl -----END PGP SIGNATURE----- From rdieter at math.unl.edu Fri Jan 4 18:04:04 2008 From: rdieter at math.unl.edu (Rex Dieter) Date: Fri, 04 Jan 2008 11:04:04 -0600 Subject: [Announce] GPGME 1.1.6 released References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> Message-ID: Alon Bar-Lev wrote: > Also... One test fails: > > PASS: t-verify > Hallo Leute! > PASS: t-decrypt > t-sign.c:107: KSBA: Not found (9.27) > FAIL: t-sign Confirmed 'make check' failure here too (fedora, using gnupg2-2.0.8) -- Rex From gpgme at katehok.ac93.org Sat Jan 5 00:07:04 2008 From: gpgme at katehok.ac93.org (Igor Belyi) Date: Fri, 04 Jan 2008 18:07:04 -0500 Subject: pyme In-Reply-To: <200801021806.18508.bernhard@intevation.de> References: <3ac86fa70712111623wd83e701vd07440a6966dde65@mail.gmail.com> <200712211048.25215.bernhard@intevation.de> <87sl1g5huc.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200801021806.18508.bernhard@intevation.de> Message-ID: <477EBC18.70300@katehok.ac93.org> Bernhard Reiter wrote: > On Wednesday 02 January 2008 17:10, Marcus Brinkmann wrote: > >>> It would be cool to have python gpgme bindings. >>> >> http://pyme.sourceforge.net/ >> > > This looks abandoned, lowlevel and is based on SWIG. > Nevertheless it could be a start. > I didn't abandon it. It works for me fine and there was no bug filed for some time - that's why there no activity. I naively thought it means that it works for everyone else as well. Yes, I probably should update it for the new revision of the gpgme and SWIG and probably add installation for the Windows.. And what's the problem with using SWIG? It helps to have python bindings for any library in no time. Let me know exactly what are your expectations from such bindings and I'll try to help. Cheers, Igor From wk at gnupg.org Sat Jan 5 15:13:54 2008 From: wk at gnupg.org (Werner Koch) Date: Sat, 05 Jan 2008 15:13:54 +0100 Subject: GnuPG v2.0.8 on windows 32 bit platform In-Reply-To: <477E72B4.9000708@idirect.com> (Tom Pegios's message of "Fri, 04 Jan 2008 12:53:56 -0500") References: <477E72B4.9000708@idirect.com> Message-ID: <87zlvkz7fh.fsf@wheatstone.g10code.de> On Fri, 4 Jan 2008 18:53, tomp at idirect.com said: > Has anyone that has compiled GnuPG v2.0.8 for Windows(32) run into the > following problem as I'm not sure if I'm doing something wrong Building it on Windows is not supported. Failing tests are very likely. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From bjk at luxsci.net Sat Jan 5 20:01:03 2008 From: bjk at luxsci.net (Ben Kibbey) Date: Sat, 5 Jan 2008 14:01:03 -0500 Subject: assuan_read_from_server() and return value In-Reply-To: <877ijdqp36.wl%marcus.brinkmann@ruhr-uni-bochum.de> References: <200711231902.lANJ22OU007693@rs41.luxsci.com> <87fxyjaksq.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200712081745.lB8Hj2rF001140@rs41.luxsci.com> <87mysgug09.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200712151733.lBFHX2n5026146@rs41.luxsci.com> <877ijdqp36.wl%marcus.brinkmann@ruhr-uni-bochum.de> Message-ID: <200801051902.m05J21LC013646@rs41.luxsci.com> On Mon, Dec 17, 2007 at 05:10:37PM +0100, Marcus Brinkmann wrote: > Ah, so now we are talking about the _assuan_read_from_server at the > "again:" label in _assuan_transact? > > In this case, the ERR should set OKAY to 0 and OFF to the offset of > the error code, and then assuan_transact should execute: > > if (!okay) > { > rc = atoi (line); > if (rc > 0 && rc < 100) > rc = _assuan_error (ASSUAN_Server_Fault); > else if (rc > 0 && rc <= 405) > rc = _assuan_error (rc); > } > > Thereby returning the error code as it should. Why is that code not > working for you? Didn't see this code. Sorry. This works as it should. If there is no error source set (which pinentry doesn't do) _assuan_error() will return the unmasked error code, and for the application (which uses gpg-error), it is impossible to determine if the error is an ASSUAN_ or GPG_ERR error code. So the problem (in my case) is with pinentry not setting an error source. I have an app that uses gpg-error codes. The app connects to pinentry via assuan_pipe_connect(). I call assuan_transact() to send the GETPIN command to pinentry. If I cancel the pinentry by selecting the Cancel button, assuan_transact() returns ASSUAN_Canceled (111). But for an app that uses gpg-error, the error is seen as GPG_ERR_INV_CARD (111). So in my app I have to test for both GPG_ERR_ASS_CANCELED and ASSUAN_Canceled. If nobody else is doing it, I could patch pinentry to use libgpg-error. I'm not sure how this would affect other clients though? Thanks, and sorry for the confusion. -- Benjamin J. Kibbey bjk at luxsci.net/jabber/freenode 3019 F5FC AA33 5BC7 BE9F 09D2 393E DBD2 40D5 FA7E From JPClizbe at tx.rr.com Sat Jan 5 20:03:36 2008 From: JPClizbe at tx.rr.com (John Clizbe) Date: Sat, 05 Jan 2008 13:03:36 -0600 Subject: GnuPG v2.0.8 on windows 32 bit platform In-Reply-To: <87zlvkz7fh.fsf@wheatstone.g10code.de> References: <477E72B4.9000708@idirect.com> <87zlvkz7fh.fsf@wheatstone.g10code.de> Message-ID: <477FD488.1090903@tx.rr.com> Werner Koch wrote: > On Fri, 4 Jan 2008 18:53, tomp at idirect.com said: >> Has anyone that has compiled GnuPG v2.0.8 for Windows(32) run into the >> following problem as I'm not sure if I'm doing something wrong > > Building it on Windows is not supported. Failing tests are very likely. I think there are a good number of Windows users who would like to try GnuPG 2.0.8. GPG4WIN has been the usual source for a Windows build of GnuPG 2.0.x, but it is still at 2.0.7. With no source for a binary, users are going to attempt building it for themselves. Any chance of a GGP4Win 1.1.4 soon, or a GnuPG 2.0.8 zip/installer? -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 658 bytes Desc: OpenPGP digital signature URL: From hawke at hawkesnest.net Sun Jan 6 21:50:59 2008 From: hawke at hawkesnest.net (Alex Mauer) Date: Sun, 06 Jan 2008 14:50:59 -0600 Subject: exporting and importing some subkeys In-Reply-To: <200801021341.28169.bernhard@intevation.de> References: <200801021341.28169.bernhard@intevation.de> Message-ID: Bernhard Reiter wrote: > With gnupg 2.0.7 (and 2.0.5): > > Given two machines with .gnupg having your secret key > and doing "addkey" on one, I encountered a problem > trying to transfer the new subkey to the other. > > gpg2 --export-secret-key ABCDEF >mykey > > worked even when ABCDEF is the fingerprint of my new subkey. > gpg2 --import mykey > tells me that the key is already in my keyring. > > gpg2 --list-secret-keys does not have the new subkey, > so I guess the problem to be in the import. > > Am I missing something? No. GPG simply does not allow importing of secret subkeys. (aka merging of secret keys) I've asked about this before, and a quick search reveals several other people asking about it. See https://bugs.g10code.com/gnupg/issue318 This is also a problem when importing secret key stubs for a smartcard. -Alex Mauer "hawke" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 252 bytes Desc: OpenPGP digital signature URL: From dshaw at jabberwocky.com Sun Jan 6 23:20:06 2008 From: dshaw at jabberwocky.com (David Shaw) Date: Sun, 6 Jan 2008 17:20:06 -0500 Subject: exporting and importing some subkeys In-Reply-To: <200801021341.28169.bernhard@intevation.de> References: <200801021341.28169.bernhard@intevation.de> Message-ID: On Jan 2, 2008, at 7:41 AM, Bernhard Reiter wrote: > With gnupg 2.0.7 (and 2.0.5): > > Given two machines with .gnupg having your secret key > and doing "addkey" on one, I encountered a problem > trying to transfer the new subkey to the other. > > gpg2 --export-secret-key ABCDEF >mykey > > worked even when ABCDEF is the fingerprint of my new subkey. > gpg2 --import mykey > tells me that the key is already in my keyring. > > gpg2 --list-secret-keys does not have the new subkey, > so I guess the problem to be in the import. > > Am I missing something? What you ended up with is two machines with copies of the same secret key, but one of the machines had an extra subkey. The problem, as you saw, is that GPG (both v1 and v2) don't yet support merging secret keys. A merge is necessary (rather than a replacement) as there could be new subkeys on both machines, and the user probably wants to keep them all. ;) As a workaround, if you know for sure that one machine has a superset subkey-wise of the other, you can delete the secret key from the subset machine and then import a copy from the superset machine. David From bernhard at intevation.de Mon Jan 7 11:37:08 2008 From: bernhard at intevation.de (Bernhard Reiter) Date: Mon, 7 Jan 2008 11:37:08 +0100 Subject: pyme In-Reply-To: <477EBC18.70300@katehok.ac93.org> References: <3ac86fa70712111623wd83e701vd07440a6966dde65@mail.gmail.com> <200801021806.18508.bernhard@intevation.de> <477EBC18.70300@katehok.ac93.org> Message-ID: <200801071137.09535.bernhard@intevation.de> Igor, On Saturday 05 January 2008 00:07, Igor Belyi wrote: > >> http://pyme.sourceforge.net/ > > This looks abandoned, lowlevel and is based on SWIG. > > Nevertheless it could be a start. > I didn't abandon it. It works for me fine and there was no bug filed for > some time - that's why there no activity. ah, good to know! > I naively thought it means > that it works for everyone else as well. Yes, I probably should update > it for the new revision of the gpgme and SWIG and probably add > installation for the Windows.. Yes, this would be cool, even if it is just a remark saying that it works with the latest version. > And what's the problem with using SWIG? It helps to have python bindings > for any library in no time. Our experience with a few libraries wrapped in SWIG is that it tends to be hard on the interesting interface cases and usually produces binding that are not very pythonic nor high level. Thus we went back doing direct wrappers without SWIG as it did caused more work whenever we had a special case and interface tend to consist out out special causes. > Let me know exactly what are your expectations from such bindings and > I'll try to help. I would want Mailman and roundup to be able to receive and send encrypted emails, at some point in time we will give it a shot with pyme and then you will get reports. ;) Bernhard -- Managing Director - Owner: www.intevation.net (Free Software Company) Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com. Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998 Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From bernhard at intevation.de Mon Jan 7 12:02:30 2008 From: bernhard at intevation.de (Bernhard Reiter) Date: Mon, 7 Jan 2008 12:02:30 +0100 Subject: exporting and importing some subkeys In-Reply-To: References: <200801021341.28169.bernhard@intevation.de> Message-ID: <200801071202.35870.bernhard@intevation.de> Alex, David, thanks for your response! On Sunday 06 January 2008 21:50, Alex Mauer wrote: > Bernhard Reiter wrote: > > With gnupg 2.0.7 (and 2.0.5): > > > > Given two machines with .gnupg having your secret key > > and doing "addkey" on one, I encountered a problem > > trying to transfer the new subkey to the other. >?GPG simply does not allow importing of secret subkeys. (aka merging > of secret keys) ?I've asked about this before, and a quick search > reveals several other people asking about it. ?See > https://bugs.g10code.com/gnupg/issue318 Ii did not search for the keyword "merging", this is probably why I did not find the previous answer. Indeed I have used the workaround to delete the secret key from one keyring and reimport it from the other. Bernhard -- Managing Director - Owner: www.intevation.net (Free Software Company) Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com. Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998 Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From wk at gnupg.org Tue Jan 8 09:33:04 2008 From: wk at gnupg.org (Werner Koch) Date: Tue, 08 Jan 2008 09:33:04 +0100 Subject: GPG & Floating point? In-Reply-To: <20071220235141.GA27059@lina.inka.de> (Bernd Eckenfels's message of "Fri, 21 Dec 2007 00:51:41 +0100") References: <47669E03.1010105@per-se.com> <87zlw5a6m4.fsf@wheatstone.g10code.de> <20071220235141.GA27059@lina.inka.de> Message-ID: <87ir2467jz.fsf@wheatstone.g10code.de> On Fri, 21 Dec 2007 00:51, lists at lina.inka.de said: > (not sure if there is any way to speed up hashing besides hand crafting > assembler for the T1). Do you know whether the low level stuff (/dev/ncp?, asm?) is usable from user land? It would be interwsting to add support for the T1/T2 to libgcrypt. There is already assembler stuff for VIA's padlock and a framework to add other extensions is available. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From gpgme at katehok.ac93.org Tue Jan 8 15:04:13 2008 From: gpgme at katehok.ac93.org (Igor Belyi) Date: Tue, 08 Jan 2008 09:04:13 -0500 Subject: pyme In-Reply-To: <200801071137.09535.bernhard@intevation.de> References: <3ac86fa70712111623wd83e701vd07440a6966dde65@mail.gmail.com> <200801021806.18508.bernhard@intevation.de> <477EBC18.70300@katehok.ac93.org> <200801071137.09535.bernhard@intevation.de> Message-ID: <478382DD.1080703@katehok.ac93.org> Bernhard Reiter wrote: > Yes, this would be cool, even if it is just a remark saying that it > works with the latest version. > Well, as a user of Debian 'unstable' I know it works with GPGME 1.1.5 but you are right that I may need to have this info back on the SF page as well. I'll see if that could be automated. > Our experience with a few libraries wrapped in SWIG is that it tends to be > hard on the interesting interface cases and usually produces binding that are > not very pythonic nor high level. Thus we went back doing direct wrappers > without SWIG as it did caused more work whenever we had a special case and > interface tend to consist out out special causes. > It looks like GPGME is very good candidate for the SWIG - its interface design is almost object oriented so that there are very few supporting classes necessary to make it python friendly. And I do believe 'E' in there stands for 'Easy' which is the usual requirement for the 'high level' bindings. :) > I would want Mailman and roundup to be able to receive and send encrypted > emails, at some point in time we will give it a shot with pyme and then you > will get reports. ;) > I'd recommend to start with examples provided with pyme. There's even some Glade based GUI ones if you like that sort of things. :) And as for the reports - Bring them on! ;) Cheers, Igor From marcus.brinkmann at ruhr-uni-bochum.de Tue Jan 8 18:46:37 2008 From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Tue, 08 Jan 2008 18:46:37 +0100 Subject: assuan_read_from_server() and return value In-Reply-To: <200801051902.m05J21LC013646@rs41.luxsci.com> References: <200711231902.lANJ22OU007693@rs41.luxsci.com> <87fxyjaksq.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200712081745.lB8Hj2rF001140@rs41.luxsci.com> <87mysgug09.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200712151733.lBFHX2n5026146@rs41.luxsci.com> <877ijdqp36.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200801051902.m05J21LC013646@rs41.luxsci.com> Message-ID: <87ir249pmq.wl%marcus.brinkmann@ruhr-uni-bochum.de> At Sat, 5 Jan 2008 14:01:03 -0500, Ben Kibbey wrote: > > On Mon, Dec 17, 2007 at 05:10:37PM +0100, Marcus Brinkmann wrote: > > Ah, so now we are talking about the _assuan_read_from_server at the > > "again:" label in _assuan_transact? > > > > In this case, the ERR should set OKAY to 0 and OFF to the offset of > > the error code, and then assuan_transact should execute: > > > > if (!okay) > > { > > rc = atoi (line); > > if (rc > 0 && rc < 100) > > rc = _assuan_error (ASSUAN_Server_Fault); > > else if (rc > 0 && rc <= 405) > > rc = _assuan_error (rc); > > } > > > > Thereby returning the error code as it should. Why is that code not > > working for you? > > Didn't see this code. Sorry. This works as it should. > > If there is no error source set (which pinentry doesn't do) > _assuan_error() will return the unmasked error code, and for the > application (which uses gpg-error), it is impossible to determine if the > error is an ASSUAN_ or GPG_ERR error code. So the problem (in my case) > is with pinentry not setting an error source. Alrighty! The problem is that _assuan_error is designed to be used for error codes within the application, not to interpret error codes from peers. The above code is thus "clearly wrong" (but see below), as it should inspect rc for an error source. However, unfortunately, there is no sane operation we can do if the peers "mismatch", ie if one uses gpg-error and the other doesn't. There is no lossless mapping from one to the other (in both directions). Even if there was such a mapping, the application would need to know about its details for user-defined error codes. This is a mess! So, the right thing to do is to just use gpg-error everywhere. I will adjust pinentry accordingly. And in the future, we might even decide to remove the ol' Assuan error stuff. It was useful for transition, but I think once all components of gnupg are moved to use gpg-error, it has outlived its purpose. I know that you have been saying this all along, but I was focusing first on the code and inquire stuff, because that was more difficult to deal with. Solving the pinentry error code problem is easy. Thanks, Marcus From lists at lina.inka.de Wed Jan 9 07:19:22 2008 From: lists at lina.inka.de (Bernd Eckenfels) Date: Wed, 9 Jan 2008 07:19:22 +0100 Subject: GPG & Floating point? In-Reply-To: <87ir2467jz.fsf@wheatstone.g10code.de> References: <47669E03.1010105@per-se.com> <87zlw5a6m4.fsf@wheatstone.g10code.de> <20071220235141.GA27059@lina.inka.de> <87ir2467jz.fsf@wheatstone.g10code.de> Message-ID: <20080109061922.GA26424@lina.inka.de> Hallo Werner, On Tue, Jan 08, 2008 at 09:33:04AM +0100, Werner Koch wrote: > Do you know whether the low level stuff (/dev/ncp?, asm?) is usable from > user land? It would be interwsting to add support for the T1/T2 to > libgcrypt. There is already assembler stuff for VIA's padlock and a > framework to add other extensions is available. I know there is a openssl and java crypto engine for T1/T2 so it should be possible. I am a Java guy (now) and dont know about the C interfaces. However it looks like the Solaris Crypto Framework which can be used by usermode is somewhat PKCS#11 based. Easiest would be to use the Solaris openssl version with pkcs11 support (libcrypto.so) but that might be a licensing problem? http://www.sun.com/blueprints/0306/819-5782.pdf Sorry for not having more information, however I could maybe give you some internal sun contact if you like, Werner. Greetings Bernd From marcus.brinkmann at ruhr-uni-bochum.de Thu Jan 10 05:41:47 2008 From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Thu, 10 Jan 2008 05:41:47 +0100 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> Message-ID: <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> At Fri, 4 Jan 2008 18:32:05 +0200, "Alon Bar-Lev" wrote: > > On 1/4/08, Marcus Brinkmann wrote: > > Mmh. Did you specify gpg2 as default gpg for gpgme? And did it ask > > /usr/bin/gpg is link to /usr/bin/gpg2, gpgme configuration detect the > correct version. gpg2 does not seem to support passing the passphrase via the command fd, and requires the use of a pinentry program. I added a dummy pinentry program to gpgme and a configuration file for gpg-agent to use it. You might try the SVN version again and see if that works for you (it does for me). The gpgsm problem is actually a bug in gpgsm's default qualified.txt file, where the last two entries miss the country code. I filed a report for that, so it will be fixed soon. Thanks, Marcus From alon.barlev at gmail.com Thu Jan 10 07:19:45 2008 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Thu, 10 Jan 2008 08:19:45 +0200 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> Message-ID: <9e0cf0bf0801092219h38a4c28ck8f6987930d0003c0@mail.gmail.com> On 1/10/08, Marcus Brinkmann wrote: > gpg2 does not seem to support passing the passphrase via the command > fd, and requires the use of a pinentry program. Why not use: gpg --sign --batch --passphrase 'secret' Regards, Alon Bar-Lev. From alon.barlev at gmail.com Thu Jan 10 07:21:55 2008 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Thu, 10 Jan 2008 08:21:55 +0200 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <9e0cf0bf0801092219h38a4c28ck8f6987930d0003c0@mail.gmail.com> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801092219h38a4c28ck8f6987930d0003c0@mail.gmail.com> Message-ID: <9e0cf0bf0801092221u34a4b79er80ec26696ff64fe1@mail.gmail.com> On 1/10/08, Alon Bar-Lev wrote: > On 1/10/08, Marcus Brinkmann wrote: > > gpg2 does not seem to support passing the passphrase via the command > > fd, and requires the use of a pinentry program. > > Why not use: > > gpg --sign --batch --passphrase 'secret' Or: gpg --sign --batch --passphrase-fd ### > > Regards, > Alon Bar-Lev. > From wk at gnupg.org Thu Jan 10 09:03:42 2008 From: wk at gnupg.org (Werner Koch) Date: Thu, 10 Jan 2008 09:03:42 +0100 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> (Marcus Brinkmann's message of "Thu, 10 Jan 2008 05:41:47 +0100") References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> Message-ID: <877iiiumxt.fsf@wheatstone.g10code.de> On Thu, 10 Jan 2008 05:41, marcus.brinkmann at ruhr-uni-bochum.de said: > gpg2 does not seem to support passing the passphrase via the command > fd, and requires the use of a pinentry program. I added a dummy Right, the oinentry is required for interactive use. However if you add --batch you can still use an fd, string or file for the passphrase as usual. Note, that this fature will eventually be dropped for private key operations. > file, where the last two entries miss the country code. I filed a > report for that, so it will be fixed soon. Done. Thanks. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From alon.barlev at gmail.com Thu Jan 10 10:32:17 2008 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Thu, 10 Jan 2008 11:32:17 +0200 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <877iiiumxt.fsf@wheatstone.g10code.de> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> Message-ID: <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> On 1/10/08, Werner Koch wrote: > Right, the oinentry is required for interactive use. However if you add > --batch you can still use an fd, string or file for the passphrase as > usual. Note, that this fature will eventually be dropped for private > key operations. Why drop? How can batch applications do crypto operations without this option? I guess they can write pinentry-env, and do: PINENTRY_USER_DATA=secret gpg --sign <> But this is much less secured than using fd. Alon. From wk at gnupg.org Thu Jan 10 12:17:59 2008 From: wk at gnupg.org (Werner Koch) Date: Thu, 10 Jan 2008 12:17:59 +0100 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> (Alon Bar-Lev's message of "Thu, 10 Jan 2008 11:32:17 +0200") References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> Message-ID: <871w8qszdk.fsf@wheatstone.g10code.de> On Thu, 10 Jan 2008 10:32, alon.barlev at gmail.com said: > Why drop? Because gpg2 will eventually work like gpgsm and not know anything about secret keys. > How can batch applications do crypto operations without this option? > I guess they can write pinentry-env, and do: > PINENTRY_USER_DATA=secret gpg --sign <> Well, this is a hack to write a custom pinentry. It is not intended to convey the passphrase. It is also very questionable why a batch application needs a passphrase protected key at all. The other solution is to use gpg-preset-passphrase. This is similar to a crypto file system and let you put the passphrase into RAM for later use. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From alon.barlev at gmail.com Thu Jan 10 12:26:09 2008 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Thu, 10 Jan 2008 13:26:09 +0200 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <871w8qszdk.fsf@wheatstone.g10code.de> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> <871w8qszdk.fsf@wheatstone.g10code.de> Message-ID: <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> On 1/10/08, Werner Koch wrote: > The other solution is to use gpg-preset-passphrase. This is similar to > a crypto file system and let you put the passphrase into RAM for later > use. But this will not work for batch application serving multiple users. Well... I can also --forget to present... But then it has some weakness if this command is not run... Alon. From alon.barlev at gmail.com Thu Jan 10 14:31:50 2008 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Thu, 10 Jan 2008 15:31:50 +0200 Subject: gnupg-2.0.8 - regression - double free Message-ID: <9e0cf0bf0801100531s3fccab1es6229a23fe93559a1@mail.gmail.com> Hello Werner, Please review: http://bugs.gentoo.org/show_bug.cgi?id=204662 I cannot reproduce this on my machine... But I guess it has something to do with latest win32 socket fixups. gettimeofday({1199970496, 693424}, NULL) = 0 sigprocmask(SIG_SETMASK, [HUP INT USR1 USR2 TERM], ~[KILL STOP RTMIN]) = 0 read(7, "", 1002) = 0 write(5, "gpg-agent[4264.7] DBG: <- [EOF]\n", 32) = 32 close(7) = 0 time(NULL) = 1199970496 stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1920, ...}) = 0 write(5, "2008-01-10 14:08:16 gpg-agent[42"..., 74) = 74 sigprocmask(SIG_SETMASK, ~[KILL STOP RTMIN], [HUP INT USR1 USR2 TERM]) = 0 gettimeofday({1199970496, 694079}, NULL) = 0 open("/dev/tty", O_RDWR|O_NOCTTY|O_NONBLOCK) = -1 ENXIO (No such device or address) writev(2, [{"*** glibc detected *** ", 23}, {"gpg-agent", 9}, {": ", 2}, {"double free or corruption (out)", 31}, {": 0x", 4}, {"0809f5e0", 8}, {" ***\n", 5}], 7) = 82 Also, please consider adding --forground to --daemon, it is impossible to debug the agent this way! Best Regards, Alon Bar-Lev From marcus.brinkmann at ruhr-uni-bochum.de Thu Jan 10 14:31:17 2008 From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Thu, 10 Jan 2008 14:31:17 +0100 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040745v47141dbfkaf54ad97138bc59b@mail.gmail.com> <87wsqp37ux.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> Message-ID: <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de> At Thu, 10 Jan 2008 13:26:09 +0200, "Alon Bar-Lev" wrote: > > On 1/10/08, Werner Koch wrote: > > The other solution is to use gpg-preset-passphrase. This is similar to > > a crypto file system and let you put the passphrase into RAM for later > > use. > > But this will not work for batch application serving multiple users. Can you describe your problem in more detail? > Well... I can also --forget to present... But then it has some > weakness if this command is not run... Thanks, Marcus From marcus.brinkmann at ruhr-uni-bochum.de Thu Jan 10 15:16:59 2008 From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Thu, 10 Jan 2008 15:16:59 +0100 Subject: gnupg-2.0.8 - regression - double free In-Reply-To: <9e0cf0bf0801100531s3fccab1es6229a23fe93559a1@mail.gmail.com> References: <9e0cf0bf0801100531s3fccab1es6229a23fe93559a1@mail.gmail.com> Message-ID: <877iihahpf.wl%marcus.brinkmann@ruhr-uni-bochum.de> At Thu, 10 Jan 2008 15:31:50 +0200, "Alon Bar-Lev" wrote: > writev(2, [{"*** glibc detected *** ", 23}, {"gpg-agent", 9}, {": ", > 2}, {"double free or corruption (out)", 31}, {": 0x", 4}, {"0809f5e0", > 8}, {" ***\n", 5}], 7) = 82 Without a symbol table it is hard to find out what 0x0809f5e0 refers to. Can you ask the submitter to recompile with debug symbols and run addr2line (*after* reproducing the bug again and getting the correct address for the recompiled file)? Thanks, Marcus From alon.barlev at gmail.com Thu Jan 10 15:22:11 2008 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Thu, 10 Jan 2008 16:22:11 +0200 Subject: gnupg-2.0.8 - regression - double free In-Reply-To: <877iihahpf.wl%marcus.brinkmann@ruhr-uni-bochum.de> References: <9e0cf0bf0801100531s3fccab1es6229a23fe93559a1@mail.gmail.com> <877iihahpf.wl%marcus.brinkmann@ruhr-uni-bochum.de> Message-ID: <9e0cf0bf0801100622r6ba719far52af533b982ab379@mail.gmail.com> On 1/10/08, Marcus Brinkmann wrote: > At Thu, 10 Jan 2008 15:31:50 +0200, > "Alon Bar-Lev" wrote: > > writev(2, [{"*** glibc detected *** ", 23}, {"gpg-agent", 9}, {": ", > > 2}, {"double free or corruption (out)", 31}, {": 0x", 4}, {"0809f5e0", > > 8}, {" ***\n", 5}], 7) = 82 > > Without a symbol table it is hard to find out what 0x0809f5e0 refers > to. Can you ask the submitter to recompile with debug symbols and run > addr2line (*after* reproducing the bug again and getting the correct > address for the recompiled file)? I can... However it is best if you add your self as CC and communicate directly with the users. Alon. From alon.barlev at gmail.com Thu Jan 10 14:40:15 2008 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Thu, 10 Jan 2008 15:40:15 +0200 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de> Message-ID: <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com> On 1/10/08, Marcus Brinkmann wrote: > Can you describe your problem in more detail? It is not my problem... Well... kind of... as you guys keep breaking backward compatibility, and I get all the bugs of depended packages. For example, if you have webmail that holds gpg keys on behalf of its users... Current implementations enables users to specify passphrase using html dialog, and pipe the passphrase into the gpg application. Agent mode is not suitable for this kind of operation. Alon. From marcus.brinkmann at ruhr-uni-bochum.de Thu Jan 10 17:37:36 2008 From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Thu, 10 Jan 2008 17:37:36 +0100 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com> Message-ID: <873at5ab73.wl%marcus.brinkmann@ruhr-uni-bochum.de> At Thu, 10 Jan 2008 15:40:15 +0200, "Alon Bar-Lev" wrote: > > On 1/10/08, Marcus Brinkmann wrote: > > Can you describe your problem in more detail? > > It is not my problem... Well... kind of... as you guys keep breaking > backward compatibility, and I get all the bugs of depended packages. gpg and gpg2 are separate product lines, which are both fully supported for the foreseeable future. > For example, if you have webmail that holds gpg keys on behalf of its > users... Current implementations enables users to specify passphrase > using html dialog, and pipe the passphrase into the gpg application. > Agent mode is not suitable for this kind of operation. That's a very specialized application domain which requires a ton of further considerations, and a lot of effort to get it "right" (arguably, your assumptions already restrict the feasible security that can be achieved). Under such circumstances, I don't think it is unreasonable to require some extra effort in choosing an appropriate pinentry solution. The gpg2 framework allows for a number of solutions here, but which one is best requires careful considerations to the specific requirements. Thanks, Marcus From alon.barlev at gmail.com Thu Jan 10 17:49:00 2008 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Thu, 10 Jan 2008 18:49:00 +0200 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <873at5ab73.wl%marcus.brinkmann@ruhr-uni-bochum.de> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com> <873at5ab73.wl%marcus.brinkmann@ruhr-uni-bochum.de> Message-ID: <9e0cf0bf0801100849yd460935xcaf5689310770288@mail.gmail.com> On 1/10/08, Marcus Brinkmann wrote: > At Thu, 10 Jan 2008 15:40:15 +0200, > "Alon Bar-Lev" wrote: > > > > On 1/10/08, Marcus Brinkmann wrote: > > > Can you describe your problem in more detail? > > > > It is not my problem... Well... kind of... as you guys keep breaking > > backward compatibility, and I get all the bugs of depended packages. > > gpg and gpg2 are separate product lines, which are both fully > supported for the foreseeable future. Forcing users to install both versions on their system, maintaining problem with each is incorrect approach. But whatever... we cannot change this now. > > For example, if you have webmail that holds gpg keys on behalf of its > > users... Current implementations enables users to specify passphrase > > using html dialog, and pipe the passphrase into the gpg application. > > Agent mode is not suitable for this kind of operation. > > That's a very specialized application domain which requires a ton of > further considerations, and a lot of effort to get it "right" > (arguably, your assumptions already restrict the feasible security > that can be achieved). Under such circumstances, I don't think it is > unreasonable to require some extra effort in choosing an appropriate > pinentry solution. The gpg2 framework allows for a number of > solutions here, but which one is best requires careful considerations > to the specific requirements. This answer is political and not technical... There are working applications *NOW* and you are going to break them. But again... this is irrelevant now... from experience you guys will do whatever you like, forwarding the issue to distribution maintainers. Alon. From alon.barlev at gmail.com Thu Jan 10 18:08:41 2008 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Thu, 10 Jan 2008 19:08:41 +0200 Subject: gnupg-2.0.8 - regression - double free In-Reply-To: <9e0cf0bf0801100622r6ba719far52af533b982ab379@mail.gmail.com> References: <9e0cf0bf0801100531s3fccab1es6229a23fe93559a1@mail.gmail.com> <877iihahpf.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100622r6ba719far52af533b982ab379@mail.gmail.com> Message-ID: <9e0cf0bf0801100908w337df34ao50cf27b352867bdc@mail.gmail.com> On 1/10/08, Alon Bar-Lev wrote: > On 1/10/08, Marcus Brinkmann wrote: > > At Thu, 10 Jan 2008 15:31:50 +0200, > > "Alon Bar-Lev" wrote: > > > writev(2, [{"*** glibc detected *** ", 23}, {"gpg-agent", 9}, {": ", > > > 2}, {"double free or corruption (out)", 31}, {": 0x", 4}, {"0809f5e0", > > > 8}, {" ***\n", 5}], 7) = 82 > > > > Without a symbol table it is hard to find out what 0x0809f5e0 refers > > to. Can you ask the submitter to recompile with debug symbols and run > > addr2line (*after* reproducing the bug again and getting the correct > > address for the recompiled file)? > > I can... However it is best if you add your self as CC and communicate > directly with the users. > > Alon. > Done, but I think this address is of the block released and not the code. Please add your-self to CC of the bug. I cannot (don't wish to) solve all of gnupg issues. Alon. From marcus.brinkmann at ruhr-uni-bochum.de Thu Jan 10 19:55:41 2008 From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Thu, 10 Jan 2008 19:55:41 +0100 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <9e0cf0bf0801100849yd460935xcaf5689310770288@mail.gmail.com> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com> <873at5ab73.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100849yd460935xcaf5689310770288@mail.gmail.com> Message-ID: <871w8pa4sx.wl%marcus.brinkmann@ruhr-uni-bochum.de> At Thu, 10 Jan 2008 18:49:00 +0200, "Alon Bar-Lev" wrote: > > > For example, if you have webmail that holds gpg keys on behalf of its > > > users... Current implementations enables users to specify passphrase > > > using html dialog, and pipe the passphrase into the gpg application. > > > Agent mode is not suitable for this kind of operation. > > > > That's a very specialized application domain which requires a ton of > > further considerations, and a lot of effort to get it "right" > > (arguably, your assumptions already restrict the feasible security > > that can be achieved). Under such circumstances, I don't think it is > > unreasonable to require some extra effort in choosing an appropriate > > pinentry solution. The gpg2 framework allows for a number of > > solutions here, but which one is best requires careful considerations > > to the specific requirements. > > This answer is political and not technical... There are working > applications *NOW* and you are going to break them. Consider applications using GPGME. These applications will register a passphrase callback handler, but with gpg2 it will simply not be used, and for the application it looks like no passphrase is required to use the key. I suggest that if you know about specific applications that work with gpg but break with gpg2, you let us know about the details and we work something out in each particular case. This invitation extends to all software developers and distribution maintainers, of course. We are in fact very concerned about backward compatibility, which you can see by our track record in maintaining the libgcrypt and GPGME API/ABI, for example. > But again... this is irrelevant now... from experience you guys will > do whatever you like, forwarding the issue to distribution > maintainers. We want to work together with you and other distribution maintainers, but we can not promise to never change anything, as that would preclude useful and important improvements in the architecture. If you are concerned about particular problems, we are very interested in hearing about them. The issue at hand is, by the way, deeply technical: We want to move to an architecture where secret key management is unified and properly encapsulated. That this makes sense can be seen from the important use case of smart card readers with number pads, where the pin is never even seen by the host computer. This is not a new development. For example, we have for years refused to extend GPGME by secret key management interfaces (apart from the generic edit interface as a work around), specifically because of the architectural problems such interfaces would create. Thanks, Marcus From marcus.brinkmann at ruhr-uni-bochum.de Thu Jan 10 22:57:52 2008 From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Thu, 10 Jan 2008 22:57:52 +0100 Subject: assuan_read_from_server() and return value In-Reply-To: <200801051902.m05J21LC013646@rs41.luxsci.com> References: <200711231902.lANJ22OU007693@rs41.luxsci.com> <87fxyjaksq.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200712081745.lB8Hj2rF001140@rs41.luxsci.com> <87mysgug09.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200712151733.lBFHX2n5026146@rs41.luxsci.com> <877ijdqp36.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200801051902.m05J21LC013646@rs41.luxsci.com> Message-ID: <87zlvd8hsu.wl%marcus.brinkmann@ruhr-uni-bochum.de> At Sat, 5 Jan 2008 14:01:03 -0500, Ben Kibbey wrote: > If there is no error source set (which pinentry doesn't do) > _assuan_error() will return the unmasked error code, and for the > application (which uses gpg-error), it is impossible to determine if the > error is an ASSUAN_ or GPG_ERR error code. So the problem (in my case) > is with pinentry not setting an error source. I just checked into pinentry: 2008-01-10 Marcus Brinkmann * assuan-handler.c (dispatch_command): Use Syntax_Error instead of Invalid_Command. * assuan.h (assuan_error_t): Change all error codes to gpg-error codes. If you want, why not check it out and see if that works for you? I did some tests here and it seems to work as a drop in replacement for older pinentries. > I have an app that uses gpg-error codes. The app connects to pinentry > via assuan_pipe_connect(). I call assuan_transact() to send the GETPIN > command to pinentry. If I cancel the pinentry by selecting the Cancel > button, assuan_transact() returns ASSUAN_Canceled (111). But for an app > that uses gpg-error, the error is seen as GPG_ERR_INV_CARD (111). So in > my app I have to test for both GPG_ERR_ASS_CANCELED and ASSUAN_Canceled. gpg-agent maps GPG_ERR_ASS_CANCELED to GPG_ERR_CANCELED, because internall ASSUAN_Canceled is mapped to the latter. However, the above change makes pinentry return GPG_ERR_CANCELED in case it is canceled, for your convenience. Thanks, Marcus From wk at gnupg.org Fri Jan 11 12:31:05 2008 From: wk at gnupg.org (Werner Koch) Date: Fri, 11 Jan 2008 12:31:05 +0100 Subject: gnupg-2.0.8 - regression - double free In-Reply-To: <9e0cf0bf0801100622r6ba719far52af533b982ab379@mail.gmail.com> (Alon Bar-Lev's message of "Thu, 10 Jan 2008 16:22:11 +0200") References: <9e0cf0bf0801100531s3fccab1es6229a23fe93559a1@mail.gmail.com> <877iihahpf.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100622r6ba719far52af533b982ab379@mail.gmail.com> Message-ID: <87prw861l2.fsf@wheatstone.g10code.de> On Thu, 10 Jan 2008 15:22, alon.barlev at gmail.com said: > I can... However it is best if you add your self as CC and communicate > directly with the users. If you want to report a bug, pleade use the gnupg bug tracker and don't point to specifc distribution related one. And please take me out of the CC from the gentoo bug tracker - all these BTS status messages are meanigless to me.q Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From alon.barlev at gmail.com Fri Jan 11 15:30:56 2008 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Fri, 11 Jan 2008 16:30:56 +0200 Subject: gnupg-2.0.8 - regression - double free In-Reply-To: <87prw861l2.fsf@wheatstone.g10code.de> References: <9e0cf0bf0801100531s3fccab1es6229a23fe93559a1@mail.gmail.com> <877iihahpf.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100622r6ba719far52af533b982ab379@mail.gmail.com> <87prw861l2.fsf@wheatstone.g10code.de> Message-ID: <9e0cf0bf0801110630v42218768o3d4eae5e9b775684@mail.gmail.com> On 1/11/08, Werner Koch wrote: > If you want to report a bug, pleade use the gnupg bug tracker and don't > point to specifc distribution related one. And please take me out of > the CC from the gentoo bug tracker - all these BTS status messages are > meanigless to me.q Instead of be thankful that people find issue in your outputs, and open an issue in your tracker your-self, you issue procedural statement. People work hard to reproduce this issue, and find the cause... You can work with them or against them. Do what ever you feel like, you can ignore the issue if you like. Or you can use the resources and channels to the users that can reproduce this issue, via the distribution channel. I removed you from the CC, after all this bug is not gnupg related, so its contents is indeed meaningless to you guys. Masked this version out, so people will not use it. Alon. From wk at gnupg.org Fri Jan 11 17:04:10 2008 From: wk at gnupg.org (Werner Koch) Date: Fri, 11 Jan 2008 17:04:10 +0100 Subject: gnupg-2.0.8 - regression - double free In-Reply-To: <9e0cf0bf0801110630v42218768o3d4eae5e9b775684@mail.gmail.com> (Alon Bar-Lev's message of "Fri, 11 Jan 2008 16:30:56 +0200") References: <9e0cf0bf0801100531s3fccab1es6229a23fe93559a1@mail.gmail.com> <877iihahpf.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100622r6ba719far52af533b982ab379@mail.gmail.com> <87prw861l2.fsf@wheatstone.g10code.de> <9e0cf0bf0801110630v42218768o3d4eae5e9b775684@mail.gmail.com> Message-ID: <878x2w5oxx.fsf@wheatstone.g10code.de> On Fri, 11 Jan 2008 15:30, alon.barlev at gmail.com said: > People work hard to reproduce this issue, and find the cause... You > can work with them or against them. That is good and appreciated. However it is ineffective to report bugs only for one distribution. For one an upstream author can't follow all bug trackers of all GNU/Linux,Solaris,*BSD,etc. distributions. And second, fixing or talking about a bug within one distro excludes all those who have a similar problem but using a different distribution. Thus, if you encounter an upstream bug and you are somewhat convinced that it is not distribution specific, please report it to upstream and set a pointer into the distro's BTS to that bug report. The GnuPG BTS even has an URL field to backlink it to the first reporter's BTS. > I removed you from the CC, after all this bug is not gnupg related, so > its contents is indeed meaningless to you guys. Thanks. > Masked this version out, so people will not use it. I don't understand this, seems to be Gentoo specific. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From bernhard at intevation.de Fri Jan 11 17:07:32 2008 From: bernhard at intevation.de (Bernhard Reiter) Date: Fri, 11 Jan 2008 17:07:32 +0100 Subject: gnupg-2.0.8 - regression - double free In-Reply-To: <9e0cf0bf0801110630v42218768o3d4eae5e9b775684@mail.gmail.com> References: <9e0cf0bf0801100531s3fccab1es6229a23fe93559a1@mail.gmail.com> <87prw861l2.fsf@wheatstone.g10code.de> <9e0cf0bf0801110630v42218768o3d4eae5e9b775684@mail.gmail.com> Message-ID: <200801111707.37299.bernhard@intevation.de> Alon, On Friday 11 January 2008 15:30, Alon Bar-Lev wrote: > On 1/11/08, Werner Koch wrote: > > If you want to report a bug, pleade use the gnupg bug tracker and don't > > point to specifc distribution related one. ?And please take me out of > > the CC from the gentoo bug tracker - all these BTS status messages are > > meanigless to me.q > > Instead of be thankful that people find issue in your outputs, and > open an issue in your tracker your-self, you issue procedural > statement. you are listening with the wrong ear. Werner is pretty busy (an financing a lot of the GnuPG development), he just got you the short message with the content so save time. The longer version would be something like: Thanks for the report! We are considering all reports and are grateful for people testing and helping with the development. Note that because of the number of problem tracker software, it is really hard for us to learn and use them all. Also the number of open issues with GnuPG makes our time scarce. We would appreciate if you could not ad us to other nosy lists, but file a report in GnuPG's tracker. > People work hard to reproduce this issue, and find the cause... You > can work with them or against them. > Do what ever you feel like, you can ignore the issue if you like. Werner has a long good track record of working with users, other developers, maintainers and so on. Giving the short answer can be expected on some development list. Actually I want him to answer shortly and save time for the coding. :) > Or you can use the resources and channels to the users that can > reproduce this issue, via the distribution channel. if done for all reported problems by users, this is almost impossible. Otherwise Gnupg-development would come to a halt. Werner and Marcus are the toplevel developers, it is very suitable to someone to proof that the problem is relevant and try to reduce reproduction time on their side if at all possible. > I removed you from the CC, after all this bug is not gnupg related, so > its contents is indeed meaningless to you guys. Good to hear that is it not GnuPG. :) > Masked this version out, so people will not use it. I hope that the developer of the software part that is responsible for the defect will fix this soon, so Gnupg 2.0.8 can be used again. Best, Bernhard -- Managing Director - Owner: www.intevation.net (Free Software Company) Germany Coordinator: fsfeurope.org. Coordinator: www.Kolab-Konsortium.com. Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998 Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From alan-jenkins at tuffmail.co.uk Fri Jan 11 18:09:11 2008 From: alan-jenkins at tuffmail.co.uk (Alan Jenkins) Date: Fri, 11 Jan 2008 17:09:11 +0000 Subject: gpg-agent timer tick Message-ID: <4787A2B7.4020806@tuffmail.co.uk> gpg-agent has a 2 second timer tick. alan at singularity:~$ gpg-agent --daemon GPG_AGENT_INFO=/tmp/gpg-21C85K/S.gpg-agent:28978:1; export GPG_AGENT_INFO; alan at singularity:~$ sudo powertop -d -t 5 | grep gpg-agent 0.2% ( 0.6) gpg-agent : schedule_timeout (process_timeout) gpg-agent:1557:handle_connections(int listen_fd, int listen_fd_ssh): time_ev = pth_event (PTH_EVENT_TIME, pth_timeout (2, 0)); This is potentially a Bad Thing for CPU power consumption, because it reduces the amount of time the CPU can spend in deep sleep states. I saw something similar in ssh-agent, but I couldn't interest anyone in my patch. Let me know if you're interested here and I'll submit a patch. Specifically, gpg-agent uses the timer tick to handle the case where the "command-line" argument is present: gpg-agent --daemon [command-line] In that case it runs the command given. The tick handler is used to check, every two seconds, whether the command is still running; if not, gpg-agent quits. A better way to do this is to run the command as a child of gpg-agent, and rely on the SIGCHLD signal instead of a timer tick. The timer tick is also used to check the Scdaemon (whatever that is :-) is still running. However, since it use waitpid() to check this, Scdaemon must already be being run a child, so that shouldn't be a problem. I noticed this problem because I got interested the powertop project, and gpg-agent gets started by some package management software I use. Thanks, Alan From wk at gnupg.org Fri Jan 11 18:42:14 2008 From: wk at gnupg.org (Werner Koch) Date: Fri, 11 Jan 2008 18:42:14 +0100 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com> (Alon Bar-Lev's message of "Thu, 10 Jan 2008 15:40:15 +0200") References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040801v7d372b72g2ca50efab827d579@mail.gmail.com> <87sl1d36f8.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com> Message-ID: <87ejco45u1.fsf@wheatstone.g10code.de> On Thu, 10 Jan 2008 14:40, alon.barlev at gmail.com said: > For example, if you have webmail that holds gpg keys on behalf of its > users... Current implementations enables users to specify passphrase Actually one guy contacted me offlist to help with a university webmail application. We agreed that adding the envvar PINENTRY_USER_DATA allows to pass user data all the way down to pinentry, so that he could write a wrapper for pinentry. If you have a specific problem please describe it at the list and we can discuss a solution. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Fri Jan 11 19:14:46 2008 From: wk at gnupg.org (Werner Koch) Date: Fri, 11 Jan 2008 19:14:46 +0100 Subject: gpg-agent timer tick In-Reply-To: <4787A2B7.4020806@tuffmail.co.uk> (Alan Jenkins's message of "Fri, 11 Jan 2008 17:09:11 +0000") References: <4787A2B7.4020806@tuffmail.co.uk> Message-ID: <87ejconsa1.fsf@wheatstone.g10code.de> On Fri, 11 Jan 2008 18:09, alan-jenkins at tuffmail.co.uk said: > This is potentially a Bad Thing for CPU power consumption, because it > reduces the amount of time the CPU can spend in deep sleep states. I I thought that 2 seconds are long enough but tehre is no reason why we can't have a config option for this. > my patch. Let me know if you're interested here and I'll submit a FSF copyright assignment is required, so it might be easier if we do it. > In that case it runs the command given. The tick handler is used to > check, every two seconds, whether the command is still running; if > not, gpg-agent quits. 10 seconds or even longer should not pose a problem. > A better way to do this is to run the command as a child of gpg-agent, > and rely on the SIGCHLD signal instead of a timer tick. The problem with this approach is that any bug in gpg-agent causes the entire child hierarchy to die. Yes there should be no bug in gpg-agent but in some cases (e.g. resource problems) it just prefers to exit. It is really annoying to see your desktop vanishing along with all the unsaved data. > The timer tick is also used to check the Scdaemon (whatever that is > :-) > is still running. However, since it use waitpid() to check this, > Scdaemon must already be being run a child, so that shouldn't be a Scdaemon handles smartcards. We could indeed change this to use SIGCHLD but given that we need a ticker anyway I don't think that makes much sense. Note that a future version will use the ticker to do housekeeping for the saved passphrases. Would a option to set the timer tick help you? Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From g.esp at free.fr Fri Jan 11 18:50:34 2008 From: g.esp at free.fr (Gilles Espinasse) Date: Fri, 11 Jan 2008 18:50:34 +0100 Subject: gnupg-2.0.8 - regression - double free In-Reply-To: <878x2w5oxx.fsf@wheatstone.g10code.de> References: <9e0cf0bf0801100531s3fccab1es6229a23fe93559a1@mail.gmail.com> <877iihahpf.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100622r6ba719far52af533b982ab379@mail.gmail.com> <87prw861l2.fsf@wheatstone.g10code.de> <9e0cf0bf0801110630v42218768o3d4eae5e9b775684@mail.gmail.com> <878x2w5oxx.fsf@wheatstone.g10code.de> Message-ID: <1200073834.4787ac6aa297e@imp.free.fr> Selon Werner Koch : > > Masked this version out, so people will not use it. > > I don't understand this, seems to be Gentoo specific. > This is the way packages are qualified on Gentoo. With masked status, package normally not appear on update list unless you specifically request it. Gilles From alan-jenkins at tuffmail.co.uk Sat Jan 12 00:14:20 2008 From: alan-jenkins at tuffmail.co.uk (Alan Jenkins) Date: Fri, 11 Jan 2008 23:14:20 +0000 Subject: gpg-agent timer tick In-Reply-To: <87ejconsa1.fsf@wheatstone.g10code.de> References: <4787A2B7.4020806@tuffmail.co.uk> <87ejconsa1.fsf@wheatstone.g10code.de> Message-ID: <4787F84C.9080409@tuffmail.co.uk> Werner Koch wrote: > On Fri, 11 Jan 2008 18:09, alan-jenkins at tuffmail.co.uk said: > > >> This is potentially a Bad Thing for CPU power consumption, because it >> reduces the amount of time the CPU can spend in deep sleep states. I >> > > I thought that 2 seconds are long enough but tehre is no reason why we > can't have a config option for this. Having the CPU wake up every 2 seconds still isn't ideal. It may not seem that much of an issue on its own, but the problem is that there are many programs which do the same. Say you have four programs that do exactly the same thing. Then the CPU is potentially waking up every half a second, which is not so good. It's possible to co-ordinate timeouts between programs, as with using glib's g_timeout_add_seconds(), which limits such wakeups to one a second no matter how many programs use it. Redhat have hacked several programs they distribute to round their wakeups to the nearest second and perhaps gpg-agent could do the same. It's also a pity to add another config option unless it's really necessary. Ultimately, a number of people are hoping to eliminate these sorts of timer ticks altogether. I'm just seeing whether I can shift some of the simpler cases that cross my path. I don't know if there's anything I can say to inspire you, but it's one of the things the "$100-dollar laptop" (http://laptop.org/) project had to look at. If you look on Redhat Bugzilla it might give you an idea of the amount of work that is going into this issue generally: . > > >> my patch. Let me know if you're interested here and I'll submit a >> > > FSF copyright assignment is required, so it might be easier if we do it. > > >> In that case it runs the command given. The tick handler is used to >> check, every two seconds, whether the command is still running; if >> not, gpg-agent quits. >> > > 10 seconds or even longer should not pose a problem. > > >> A better way to do this is to run the command as a child of gpg-agent, >> and rely on the SIGCHLD signal instead of a timer tick. >> > > The problem with this approach is that any bug in gpg-agent causes the > entire child hierarchy to die. Yes there should be no bug in gpg-agent > but in some cases (e.g. resource problems) it just prefers to exit. It > is really annoying to see your desktop vanishing along with all the > unsaved data. > Yes, that sure would be annoying. That's not quite what happens though. Child processes aren't automatically killed when their parent terminates. The reason that seems to happen with shells is that the shell is a "session leader"; it starts commands in the same "session", and when the "session leader" dies all the other processes in the session get sent SIGHUP. (Something like that. I'm not familiar with this but I've read up on it). When gpg-agent "daemonizes" by calling setsid(), it starts a new session containing only itself. Since it does this after running the command, the command will carry on running even if gpg-agent dies. So I think you're technically wrong. *However*, depending on how gpg-agent is used, there could still be a similar effect. For example, if the last command in a .Xsession file was: gpg-agent startkde I think when gpg-agent terminates, the login manager would assume you've logged out and your session is over. So I agree what I described was probably a bad idea. That's still fixable though. I've attached an example which uses a more complex method and avoids the problem. The command being run (e.g. the session) has a simple parent process that waits for its death, and a child process that runs the daemon. The parent notifies the daemon when the child command dies, by writing to a pipe. > >> The timer tick is also used to check the Scdaemon (whatever that is >> :-) >> is still running. However, since it use waitpid() to check this, >> Scdaemon must already be being run a child, so that shouldn't be a >> > > Scdaemon handles smartcards. > > We could indeed change this to use SIGCHLD but given that we need a > ticker anyway I don't think that makes much sense. Note that a future > version will use the ticker to do housekeeping for the saved > passphrases. > I did wonder about the generic name (handle_tick()). You don't need a ticker though; you can can use a timer. You don't need to say "wake me up every 10 seconds so I can see if I need to do anything"; you can say "the users passphrase is going to expire in half an hour; wake me up at that point". If you have multiple timers or timers that need cancelling or readjusting, it may end up slightly easier / clearer if you use the timers in libpth. > Would a option to set the timer tick help you? > I have to admit non of this would directly benefit me - I only use gpg-agent on a desktop. The option might help if I was using it on a laptop. A realistic figure for a functional laptop is 10 wake-ups per second, so it can be worth looking at a program doing 0.5 wakeup/s. Many thanks! (I think you deserve them if you read this entire email). Alan From alan-jenkins at tuffmail.co.uk Sat Jan 12 01:13:59 2008 From: alan-jenkins at tuffmail.co.uk (Alan Jenkins) Date: Sat, 12 Jan 2008 00:13:59 +0000 Subject: gpg-agent timer tick In-Reply-To: <4787F84C.9080409@tuffmail.co.uk> References: <4787A2B7.4020806@tuffmail.co.uk> <87ejconsa1.fsf@wheatstone.g10code.de> <4787F84C.9080409@tuffmail.co.uk> Message-ID: <47880647.3050001@tuffmail.co.uk> > That's still fixable though. I've attached an example which uses a > more complex method and avoids the problem. Except I hadn't. So here's the missing attachment. Alan -------------- next part -------------- A non-text attachment was scrubbed... Name: example.c Type: text/x-csrc Size: 2465 bytes Desc: not available URL: From alon.barlev at gmail.com Sat Jan 12 10:21:48 2008 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Sat, 12 Jan 2008 11:21:48 +0200 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <87ejco45u1.fsf@wheatstone.g10code.de> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com> <87ejco45u1.fsf@wheatstone.g10code.de> Message-ID: <9e0cf0bf0801120121s46132699lb5182b66269cf9e7@mail.gmail.com> On 1/11/08, Werner Koch wrote: > If you have a specific problem please describe it at the list and we can > discuss a solution. All I ask is to stop breaking the interface. Find some way to pass the passphrase from gnupg to the pinentry program. You can even have a new configuration option in gpg-agent.conf to ignore this by default. But please don't break the interface. BTW: Waiting for new release of gpgme with all fixed. Alon. From wk at gnupg.org Sat Jan 12 19:51:22 2008 From: wk at gnupg.org (Werner Koch) Date: Sat, 12 Jan 2008 19:51:22 +0100 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <9e0cf0bf0801120121s46132699lb5182b66269cf9e7@mail.gmail.com> (Alon Bar-Lev's message of "Sat, 12 Jan 2008 11:21:48 +0200") References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com> <87ejco45u1.fsf@wheatstone.g10code.de> <9e0cf0bf0801120121s46132699lb5182b66269cf9e7@mail.gmail.com> Message-ID: <87fxx2nahh.fsf@wheatstone.g10code.de> On Sat, 12 Jan 2008 10:21, alon.barlev at gmail.com said: > All I ask is to stop breaking the interface. As Marcus already explained, there is no interface break. gpg2 is an entirely different program and we have always declared that it is only _mostly identical_ to the standalone gpg. This is one of the reasons why we promised to maintain both programs. (The other reason is that GnuPG-1 is easier to build and more portable to older and pre-POSIX systems). Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Sat Jan 12 20:12:33 2008 From: wk at gnupg.org (Werner Koch) Date: Sat, 12 Jan 2008 20:12:33 +0100 Subject: gpg-agent timer tick In-Reply-To: <4787F84C.9080409@tuffmail.co.uk> (Alan Jenkins's message of "Fri, 11 Jan 2008 23:14:20 +0000") References: <4787A2B7.4020806@tuffmail.co.uk> <87ejconsa1.fsf@wheatstone.g10code.de> <4787F84C.9080409@tuffmail.co.uk> Message-ID: <87bq7qn9i6.fsf@wheatstone.g10code.de> On Sat, 12 Jan 2008 00:14, alan-jenkins at tuffmail.co.uk said: > that there are many programs which do the same. Say you have four > programs that do exactly the same thing. Then the CPU is potentially > waking up every half a second, which is not so good. I understand. I a conventionally programming environment it is usually the best to distribute CPU work most evenly over the time and thus making shure that not all timer fire exactly at the full seconds or so. Well for power saving this is different. gpg-agent should do something about it. > second no matter how many programs use it. Redhat have hacked several > programs they distribute to round their wakeups to the nearest second > and perhaps gpg-agent could do the same. Shall we change the timer code to do just that? Run on the full even second? > the simpler cases that cross my path. I don't know if there's > anything I can say to inspire you, but it's one of the things the I know. However I hve not thought that gpg-agent is really a candidate for it. You convinced me. > Yes, that sure would be annoying. That's not quite what happens > though. Child processes aren't automatically killed when their parent > terminates. The reason that seems to happen with shells is that the > shell is a "session leader"; it starts commands in the same "session", I know. However, the current code is pretty weel matured and I don't want to add new bugs right now. In particular not if we need a timer anyway and if we the change to sync all timer events will be easier than changing this code. > I did wonder about the generic name (handle_tick()). You don't need a > ticker though; you can can use a timer. You don't need to say "wake > me up every 10 seconds so I can see if I need to do anything"; you can > say "the users passphrase is going to expire in half an hour; wake me > up at that point". If you have multiple timers or timers that need > cancelling or readjusting, it may end up slightly easier / clearer if > you use the timers in libpth. I think that this code wouul be more complex than a timer tick to handle such things. > Many thanks! (I think you deserve them if you read this entire email). I assigned bug 871 to it. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From alon.barlev at gmail.com Sat Jan 12 20:28:49 2008 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Sat, 12 Jan 2008 21:28:49 +0200 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <87fxx2nahh.fsf@wheatstone.g10code.de> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com> <87ejco45u1.fsf@wheatstone.g10code.de> <9e0cf0bf0801120121s46132699lb5182b66269cf9e7@mail.gmail.com> <87fxx2nahh.fsf@wheatstone.g10code.de> Message-ID: <9e0cf0bf0801121128j6930000id0c86afa75c3805b@mail.gmail.com> On 1/12/08, Werner Koch wrote: > On Sat, 12 Jan 2008 10:21, alon.barlev at gmail.com said: > > > All I ask is to stop breaking the interface. > > As Marcus already explained, there is no interface break. gpg2 is an > entirely different program and we have always declared that it is only > _mostly identical_ to the standalone gpg. > > This is one of the reasons why we promised to maintain both programs. > (The other reason is that GnuPG-1 is easier to build and more portable > to older and pre-POSIX systems). I don't understand what you are talking about, from gpg2 man page: --passphrase-fd n Read the passphrase from file descriptor n. Only the first line will be read from file descriptor n. If you use 0 for n, the passphrase will be read from stdin. This can only be used if only one passphrase is supplied. Note that this passphrase is only used if the option --batch has also been given. This is different from gpg. --passphrase-file file Read the passphrase from file file. Only the first line will be read from file file. This can only be used if only one passphrase is supplied. Obviously, a passphrase stored in a file is of questionable security if other users can read this file. Don't use this option if you can avoid it. Note that this passphrase is only used if the option --batch has also been given. This is different from gpg. --passphrase string Use string as the passphrase. This can only be used if only one passphrase is supplied. Obviously, this is of very questionable security on a multi-user system. Don't use this option if you can avoid it. Note that this passphrase is only used if the option --batch has also been given. This is different from gpg. So unless you release gpg3, removing these parameters breaks your interface. Alon. From bjk at luxsci.net Sat Jan 12 23:25:05 2008 From: bjk at luxsci.net (Ben Kibbey) Date: Sat, 12 Jan 2008 17:25:05 -0500 Subject: assuan_read_from_server() and return value In-Reply-To: <87zlvd8hsu.wl%marcus.brinkmann@ruhr-uni-bochum.de> References: <200711231902.lANJ22OU007693@rs41.luxsci.com> <87fxyjaksq.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200712081745.lB8Hj2rF001140@rs41.luxsci.com> <87mysgug09.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200712151733.lBFHX2n5026146@rs41.luxsci.com> <877ijdqp36.wl%marcus.brinkmann@ruhr-uni-bochum.de> <200801051902.m05J21LC013646@rs41.luxsci.com> <87zlvd8hsu.wl%marcus.brinkmann@ruhr-uni-bochum.de> Message-ID: <200801122226.m0CMQ29o028953@rs41.luxsci.com> On Thu, Jan 10, 2008 at 10:57:52PM +0100, Marcus Brinkmann wrote: > If you want, why not check it out and see if that works for you? I > did some tests here and it seems to work as a drop in replacement for > older pinentries. Works good. Thanks! -- Benjamin J. Kibbey bjk at luxsci.net/jabber/freenode 3019 F5FC AA33 5BC7 BE9F 09D2 393E DBD2 40D5 FA7E From marcus.brinkmann at ruhr-uni-bochum.de Sun Jan 13 15:29:18 2008 From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Sun, 13 Jan 2008 15:29:18 +0100 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <9e0cf0bf0801120121s46132699lb5182b66269cf9e7@mail.gmail.com> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801040832q45fa6929n7c071efbc0d26dd@mail.gmail.com> <87bq7u9trn.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com> <87ejco45u1.fsf@wheatstone.g10code.de> <9e0cf0bf0801120121s46132699lb5182b66269cf9e7@mail.gmail.com> Message-ID: <87ejcldcjl.wl%marcus.brinkmann@ruhr-uni-bochum.de> At Sat, 12 Jan 2008 11:21:48 +0200, "Alon Bar-Lev" wrote: > BTW: Waiting for new release of gpgme with all fixed. There will not be a release just for fixing the test suite with gpg2. Thanks, Marcus From alon.barlev at gmail.com Sun Jan 13 17:47:31 2008 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Sun, 13 Jan 2008 18:47:31 +0200 Subject: [Announce] GPGME 1.1.6 released In-Reply-To: <87ejcldcjl.wl%marcus.brinkmann@ruhr-uni-bochum.de> References: <874pdt4pbw.wl%marcus.brinkmann@ruhr-uni-bochum.de> <877iiiumxt.fsf@wheatstone.g10code.de> <9e0cf0bf0801100132t24fd40a6sf3ad8a7ab8327864@mail.gmail.com> <871w8qszdk.fsf@wheatstone.g10code.de> <9e0cf0bf0801100326t53a2a898l92bf4941f9662c84@mail.gmail.com> <878x2xajtl.wl%marcus.brinkmann@ruhr-uni-bochum.de> <9e0cf0bf0801100540i273e84bas9e02be654fb00f04@mail.gmail.com> <87ejco45u1.fsf@wheatstone.g10code.de> <9e0cf0bf0801120121s46132699lb5182b66269cf9e7@mail.gmail.com> <87ejcldcjl.wl%marcus.brinkmann@ruhr-uni-bochum.de> Message-ID: <9e0cf0bf0801130847s10d9cc45gcee7907cbb78e9f2@mail.gmail.com> On 1/13/08, Marcus Brinkmann wrote: > At Sat, 12 Jan 2008 11:21:48 +0200, > "Alon Bar-Lev" wrote: > > BTW: Waiting for new release of gpgme with all fixed. > > There will not be a release just for fixing the test suite with gpg2. How do you expect we push this to users this way? We will get a lot of bugs opened by users who find this, wasting our time. Please release a new version or official patch (it is t