From hans at at.or.at Wed Nov 2 06:35:10 2011
From: hans at at.or.at (Hans-Christoph Steiner)
Date: Wed, 2 Nov 2011 01:35:10 -0400
Subject: integrating OTR keys into PGP key

As part of the Guardian Project, I am starting work on a 6 month project
around keeping keys in sync across phone and laptop and am currently
thinking about extending gnupg to handle OTR keys. I've talked a bit
with DKG about it, and I am beginning to think that this is a possible
workable approach for us. Things are still in the exploratory phase, so
things are somewhat vague, including use cases and threat models.

Right now, I am interested in people's opinion on how useful, feasible,
and how much time it would take to integrate IM accounts and OTR keys
into PGP keys, working towards the idea that the PGP key becomes the
central repository of digital identity.

.hc

----------------------------------------------------------------------------

Looking at things from a more basic level, you can come up with a more
direct solution... It may sound small in theory, but in practice, it
can change entire economies. - Amy Smith

From: hans at at.or.at (Hans-Christoph Steiner)
Date: Wed, 2 Nov 2011 10:02:02 -0400
Subject: integrating OTR keys into PGP key
In-Reply-To: <4EB14B8F.7090900@fifthhorseman.net>
References: <4EB14B8F.7090900@fifthhorseman.net>
Message-ID: <9A906213-991A-4545-B01B-C6133DDA11E6@at.or.at>

On Nov 2, 2011, at 9:54 AM, Daniel Kahn Gillmor wrote:

> On 11/02/2011 01:35 AM, Hans-Christoph Steiner wrote:
>>
>> As part of the Guardian Project, I am starting work on a 6 month project
>> around keeping keys in sync across phone and laptop and am currently
>> thinking about extending gnupg to handle OTR keys. I've talked a bit
>> with DKG about it, and I am beginning to think that this is a possible
>> workable approach for us. Things are still in the exploratory phase, so
>> things are somewhat vague, including use cases and threat models.
>>
>> Right now, I am interested in people's opinion on how useful, feasible,
>> and how much time it would take to integrate IM accounts and OTR keys
>> into PGP keys, working towards the idea that the PGP key becomes the
>> central repository of digital identity.
>
> fwiw, i don't think that gnupg is the thing that would need to be
> extended here -- it's more that OTR would need to be able to fetch and
> store keys in gnupg's keyring, rather than maintaining its own keystore.
> (for both secret key material of the OTR operator, as well as for
> public key and identity material of the operator's peers).

That's fully expected, I plan to tackle adding support for this in both
Pidgin and Adium.

> gnupg already permits quite a bit of flexibility in terms of what it can
> do, so i think the bulk of work in this project would be extending and
> integrating the key management capabilities for OTR.

Is there any built-in assumption that user accounts will be in email
address form? IM handles are not always in that form for services that
are not XMPP/Jabber.

Can you point me towards where to start for including OTR keys in my PGP
key?
Another aspect of this project is the possibility of keeping the private
key in sync between two machines.

.hc

----------------------------------------------------------------------------

There is no way to peace, peace is the way. -A.J. Muste

From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 02 Nov 2011 09:54:23 -0400
Subject: integrating OTR keys into PGP key
Message-ID: <4EB14B8F.7090900@fifthhorseman.net>

On 11/02/2011 01:35 AM, Hans-Christoph Steiner wrote:
>
> As part of the Guardian Project, I am starting work on a 6 month project
> around keeping keys in sync across phone and laptop and am currently
> thinking about extending gnupg to handle OTR keys. I've talked a bit
> with DKG about it, and I am beginning to think that this is a possible
> workable approach for us. Things are still in the exploratory phase, so
> things are somewhat vague, including use cases and threat models.
>
> Right now, I am interested in people's opinion on how useful, feasible,
> and how much time it would take to integrate IM accounts and OTR keys
> into PGP keys, working towards the idea that the PGP key becomes the
> central repository of digital identity.

fwiw, i don't think that gnupg is the thing that would need to be
extended here -- it's more that OTR would need to be able to fetch and
store keys in gnupg's keyring, rather than maintaining its own keystore.
(for both secret key material of the OTR operator, as well as for
public key and identity material of the operator's peers).

gnupg already permits quite a bit of flexibility in terms of what it can
do, so i think the bulk of work in this project would be extending and
integrating the key management capabilities for OTR.

--dkg

From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 02 Nov 2011 15:01:58 -0400
Subject: integrating OTR keys into PGP key
In-Reply-To: <9A906213-991A-4545-B01B-C6133DDA11E6@at.or.at>
References: <4EB14B8F.7090900@fifthhorseman.net> <9A906213-991A-4545-B01B-C6133DDA11E6@at.or.at>
Message-ID: <4EB193A6.5090701@fifthhorseman.net>

On 11/02/2011 10:02 AM, Hans-Christoph Steiner wrote:
> That's fully expected, I plan to tackle adding support for this in both
> Pidgin and Adium.

i'd think that doing this work in libotr would be the first priority,
then adding integrated UI for whatever clients you're using.

> Is there any built-in assumption that user accounts will be in email
> address form?

OpenPGP certificates are structured like this:

  primary key
  ├── User ID 0
  │   ├── self-certification
  │   ├── third-party certification
  │   └── ... other third-party certifications ...
  ├── User ID 1
  │   ├── self-certification
  │   ├── third-party certification
  │   └── ... other third-party certifications ...
  ├── ... other User IDs ...
  ├── subkey 0
  │   └── self-certification
  ├── subkey 1
  │   └── self-certification
  └── ... other subkeys ...

Note that the User IDs are bound directly to the primary key, and the
subkeys are also bound directly to the primary key. Subkeys are *not*
directly associated with specific User IDs.

There is no requirement that User IDs be in RFC 822 form; that's just a
common convention. Note that the monkeysphere already uses User IDs for
servers of the form "ssh://foo.example.org" (certainly not an e-mail
address), and gpg copes with that just fine.

I suspect what you'll want is to add a subkey that is marked as
authentication-capable, and that will be the key used for OTR. You may
also want to add a notation to the subkey self-sig that indicates it is
for OTR use.

Then, you'll want to think clearly about how you want to represent the
various instant-messaging transports as User IDs. You probably want them
to be canonical and unambiguous. (e.g.
don't use "foo at AIM", since it's possible that a future TLD named "aim"
could be allocated by the IANA -- maybe "aim:exampleuser" is better?)

hth,

--dkg

From: wk at gnupg.org (Werner Koch)
Date: Thu, 03 Nov 2011 16:47:16 +0100
Subject: integrating OTR keys into PGP key
In-Reply-To: <4EB14B8F.7090900@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Wed, 02 Nov 2011 09:54:23 -0400")
References: <4EB14B8F.7090900@fifthhorseman.net>
Message-ID: <877h3hfbsr.fsf@vigenere.g10code.de>

On Wed, 2 Nov 2011 14:54, dkg at fifthhorseman.net said:

> gnupg already permits quite a bit of flexibility in terms of what it can
> do, so i think the bulk of work in this project would be extending and
> integrating the key management capabilities for OTR.

Then, pretty please use gpgme. If you need a special flag or a way to
identify OTR keys (maybe a different capability), let us talk about it.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From: rdsears at mtu.edu (Ryan Sears)
Date: Sat, 05 Nov 2011 15:42:12 -0400
Subject: SHA-256 with 2048-bit DSA key
Message-ID: <4EB59194.6070104@mtu.edu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi all,

I'm trying to understand more precisely how PGP works for another
project I'm working on (PGP signature verification in JavaScript), so
I've taken to prototyping it with python to make sure that all my math
works out.

The problem is, I can't seem to get my u1 to calculate properly, and I
suspect that it's my method of hashing the message itself. I see that
the new FIPS 186-3 standard says:

  z = the leftmost min(N, outlen) bits of Hash(M')

Which leads me to believe that the full 256 bit hash from SHA-256 can be
used. Am I wrong in making this assumption? I know that the old standard
forced you to truncate to 160 bits (which would have been the left 20
bytes, right?). I've even tried truncating the values I get, but to no
avail :(.

I know that the PGP standard dictates that you need to convert all LF to
CRLF, which I've done and verified with a hex editor.

For some reason though, my hash value doesn't seem to work! Does anyone
have any ideas as to where I could be making a mistake?

The signature was created with enigmail, and the keys with GnuPG if it
helps!

Thank you!
Ryan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iF4EAREIAAYFAk61kXwACgkQt/95fIeU+XY4HgD+PmNfgKo5vjKgrJkPo+n4MAR+
2WVYXfKT5SpYEQDJSh0A/2dvSQGtOtHb/BJAboKbPkM/EbnR2622JRAm3aVEJCFJ
=yy80
-----END PGP SIGNATURE-----

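Ryan's question, worked through as an added Python example (not code from the thread, and not GnuPG's own): `hash_to_z` applies the FIPS 186-3 rule he quotes, z = leftmost min(N, outlen) bits of Hash(M), so with the 256-bit q of a 2048-bit DSA key the whole SHA-256 digest is used, while a 160-bit q keeps only the leftmost 20 bytes. The (p, q, g) group is derived deterministically at constructed, insecure sizes purely so the sign/verify round trip runs offline; the private key and nonce are constructed too, and `toy_dsa_params`, `hash_to_z`, `dsa_sign`, `dsa_verify`, `crlf_canonical` and `demo` are names chosen here. `crlf_canonical` is the LF-to-CRLF conversion he mentions for text-mode signatures; an OpenPGP signature additionally hashes the signature packet's own hashed fields and trailer after the document (RFC 4880 section 5.2.4), which this example does not model.

```python
# Added example, not from the thread: FIPS 186-3 hash-to-integer for DSA plus
# a toy sign/verify round trip.  The group is derived at constructed, insecure
# sizes (64-bit q, 128-bit p) so this runs offline; real OpenPGP DSA keys use
# 2048/256-bit parameters or larger.
import hashlib

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases; ample for the toy sizes used here."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_dsa_params(qbits: int = 64, pbits: int = 128, seed: bytes = b"constructed seed"):
    """Deterministically derive (p, q, g) with q | p - 1 and g of order q."""
    ctr = 0
    while True:  # q: a qbits-bit prime carved out of SHA-256(seed || counter)
        digest_int = int.from_bytes(hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest(), "big")
        q = (digest_int >> (256 - qbits)) | (1 << (qbits - 1)) | 1
        ctr += 1
        if is_probable_prime(q):
            break
    k = (1 << (pbits - 1)) // q + 1  # smallest multiplier giving a pbits-bit p
    while True:  # p = k*q + 1, searched upward until prime
        p = k * q + 1
        if is_probable_prime(p):
            break
        k += 1
    h = 2
    while True:  # g = h^((p-1)/q) mod p; any result other than 1 has order q
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g
        h += 1


def hash_to_z(digest: bytes, n_bits: int) -> int:
    """FIPS 186-3: z = the leftmost min(N, outlen) bits of Hash(M), N being the
    bit length of q and outlen the digest length in bits.  A 256-bit q uses all
    of SHA-256; a 160-bit q keeps only the first 20 bytes."""
    outlen = 8 * len(digest)
    return int.from_bytes(digest, "big") >> max(0, outlen - n_bits)


def dsa_sign(params, x: int, digest: bytes, k: int):
    """Textbook DSA signature with a caller-supplied nonce k (0 < k < q)."""
    p, q, g = params
    z = hash_to_z(digest, q.bit_length())
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (z + x * r) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, retry with another k")
    return r, s


def dsa_verify(params, y: int, digest: bytes, sig) -> bool:
    """Textbook DSA verification; the only hash handling is hash_to_z."""
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    z = hash_to_z(digest, q.bit_length())
    w = pow(s, -1, q)
    u1 = z * w % q
    u2 = r * w % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


def crlf_canonical(text: bytes) -> bytes:
    """RFC 4880 text-mode signatures hash the document with CRLF line endings."""
    return text.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


SHA256_ABC = hashlib.sha256(b"abc").digest()  # standard test vector


def demo():
    """Sign a constructed text with the toy group and return the checks."""
    params = toy_dsa_params()
    p, q, g = params
    x = 0x1234567 % q  # constructed private key, 0 < x < q
    y = pow(g, x, p)
    digest = hashlib.sha256(crlf_canonical(b"Hi all,\nsigned text\n")).digest()
    sig = dsa_sign(params, x, digest, k=0xABCDEF)  # constructed nonce
    return {
        "group_ok": (p - 1) % q == 0 and pow(g, q, p) == 1 and q.bit_length() == 64,
        "verifies": dsa_verify(params, y, digest, sig),
        "rejects_other_text": dsa_verify(params, y, hashlib.sha256(b"tampered").digest(), sig),
        "z_max_bits": hash_to_z(digest, q.bit_length()).bit_length(),  # at most 64 of 256
    }
```

The point to take from `demo()` is that z is 64 bits wide here although the digest is 256: the verifier truncates to the size of q, exactly as the standard says, and both sides must truncate the same way or u1 will disagree.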
From: alex at gpgtools.org (Alex (via GPGTools))
Date: Sun, 6 Nov 2011 11:10:51 +0100
Subject: SHA-256 with 2048-bit DSA key
In-Reply-To: <4EB59194.6070104@mtu.edu>
References: <4EB59194.6070104@mtu.edu>
Message-ID: <50228151-7B98-4D12-A0F4-1478F34942EB@gpgtools.org>

Hi Ryan,

> PGP signature verification in JavaScript

this might be of interest for you:
https://github.com/GPGTools/Mobile/wiki/Introduction

Best regards,
Alex

On 05.11.2011, at 20:42, Ryan Sears wrote:

> Hi all,
>
> I'm trying to understand more precisely how PGP works for another
> project I'm working on (PGP signature verification in JavaScript), so
> I've taken to prototyping it with python to make sure that all my math
> works out.
>
> The problem is, I can't seem to get my u1 to calculate properly, and I
> suspect that it's my method of hashing the message itself. I see that
> the new FIPS 186-3 standard says:
>
> z = the leftmost min(N, outlen) bits of Hash(M')
>
> Which leads me to believe that the full 256 bit hash from SHA-256 can be
> used. Am I wrong in making this assumption? I know that the old standard
> forced you to truncate to 160 bits (which would have been the left 20
> bytes, right?). I've even tried truncating the values I get, but to no
> avail :(.
>
> I know that the PGP standard dictates that you need to convert all LF to
> CRLF, which I've done and verified with a hex editor.
>
> For some reason though, my hash value doesn't seem to work! Does anyone
> have any ideas as to where I could be making a mistake?
>
> The signature was created with enigmail, and the keys with GnuPG if it
> helps!
>
> Thank you!
> Ryan

--
http://gpgtools.org

From: wk at gnupg.org (Werner Koch)
Date: Sun, 06 Nov 2011 15:58:25 +0100
Subject: SHA-256 with 2048-bit DSA key
In-Reply-To: <50228151-7B98-4D12-A0F4-1478F34942EB@gpgtools.org> (alex@gpgtools.org's message of "Sun, 6 Nov 2011 11:10:51 +0100")
References: <4EB59194.6070104@mtu.edu> <50228151-7B98-4D12-A0F4-1478F34942EB@gpgtools.org>
Message-ID: <877h3dcn72.fsf@vigenere.g10code.de>

On Sun, 6 Nov 2011 11:10, alex at gpgtools.org said:

>> For some reason though, my hash value doesn't seem to work! Does anyone
>> have any ideas as to where I could be making a mistake?

Run gpg with option --debug 64 to see what it hashes. Watch out for
files named dbgmd*.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From: wk at gnupg.org (Werner Koch)
Date: Mon, 07 Nov 2011 09:55:26 +0100
Subject: Creating a subkey from an existing key
Message-ID: <878vnsb9c1.fsf@vigenere.g10code.de>

Hi!

GPGSM has a way to create a self-signed certificate or a certificate
signing request using an existing key. This feature was missing from
GPG, thus I added it. If you use the *development version* of GnuPG
(GIT master), you may now add a subkey to your key using an already
existing key. This can be used to turn a key originally created for
X.509 into an OpenPGP subkey. You can also do all other kinds of
useless tricks. Example:

  $ gpg --expert --edit-key foo
  [...]
  gpg> addkey
  Please select what kind of key you want:
     (3) DSA (sign only)
     (4) RSA (sign only)
     (5) Elgamal (encrypt only)
     (6) RSA (encrypt only)
     (7) DSA (set your own capabilities)
     (8) RSA (set your own capabilities)
    (10) ECDSA (sign only)
    (11) ECDSA (set your own capabilities)
    (12) ECDH (encrypt only)
    (13) Existing key
  Your selection? 13
  Enter the keygrip: dddd
  Not a valid keygrip (expecting 40 hex digits)
  Enter the keygrip: 767FE23B5382793B50A27A282D9B87E44577EB69

  Possible actions for a DSA key: Sign Authenticate
  Current allowed actions: Sign

     (S) Toggle the sign capability
     (A) Toggle the authenticate capability
     (Q) Finished

  Your selection? q
  Please specify how long the key should be valid.
           0 = key does not expire
        <n>  = key expires in n days
        <n>w = key expires in n weeks
        <n>m = key expires in n months
        <n>y = key expires in n years
  Key is valid for? (0)
  Key does not expire at all
  Is this correct? (y/N) y
  Really create? (y/N) y

  pub  [...]
  sub  1024D/12345678  created: 2011-11-07  expires: never       usage: S
  [...]

  gpg> save

To see the keygrips of a key you may use the option --with-keygrip.

Extending this feature to the primary key is possible; I was merely too
lazy to implement it.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 07 Nov 2011 08:39:14 -0500
Subject: Creating a subkey from an existing key
In-Reply-To: <878vnsb9c1.fsf@vigenere.g10code.de>
References: <878vnsb9c1.fsf@vigenere.g10code.de>
Message-ID: <4EB7DF82.7050509@fifthhorseman.net>

On 11/07/2011 03:55 AM, Werner Koch wrote:
> GPGSM has a way to create a self-signed certificate or a certificate
> signing requests using an existing key. This feature was missing from
> GPG, thus I added it.

Thank you for this, Werner! This is a great feature to have available.
I hope to test it out soon.

--dkg

From: jim at meyering.net (Jim Meyering)
Date: Mon, 07 Nov 2011 15:54:35 +0100
Subject: how to determine default GPG key ID?
Message-ID: <8739e0nftg.fsf@rho.meyering.net>

Hello,

Is there some way to make GPG print the default key ID
without actually signing something or having access to
a signature? Preferably without having to create a temporary
file, either...

I.e., this is the ID that gpg would use if I were to sign
something with no override.

I.e., gpg may examine some envvars (not sure about that)
or some .gnupg/gpg.conf's local-user definition. But even
determining which .gnupg/gpg.conf file to read is not trivial,
since gpg's choice depends on envvars like GPG_HOME.

Currently in gnulib's maint.mk file, I do this:

  gpg_key_ID ?= \
    $$(git cat-file tag v$(VERSION) > .ann-sig \
       && gpgv .ann-sig - < /dev/null 2>&1 \
         | sed -n '/.*key ID \([0-9A-F]*\)/s//\1/p'; rm -f .ann-sig)

which is ok, since we always have a GPG-signed tag on the release, and
from that we can determine the ID of the signing key. Even that could
be improved if there's a way to extract the signing key ID without having
to use a temporary file.

However, in some other contexts I've wanted to automatically determine
the default key ID, yet did not have a signature handy.

Jim

From: jim at meyering.net (Jim Meyering)
Date: Mon, 07 Nov 2011 15:36:25 +0100
Subject: bug with DNS back-end?
Message-ID: <878vnsngnq.fsf@rho.meyering.net>

Hi,

I noticed that attempting to refresh Simon Josefsson's key, via this

  gpg --refresh B565716F

always elicits this warning:

  gpg: requesting key B565716F from dns:simon.josefsson.org?type=CERT
  gpgkeys: no keyserver host provided
  gpg: keyserver internal error
  gpg: WARNING: unable to refresh key B565716F via dns:simon.josefsson.org?type=CERT: keyserver error
  gpg: refreshing 1 key from hkp://pool.sks-keyservers.net
  gpg: requesting key B565716F from hkp server pool.sks-keyservers.net
  gpg: key B565716F: "Simon Josefsson" not changed
  gpg: Total number processed: 1
  gpg:              unchanged: 1

Is that expected?

From: wk at gnupg.org (Werner Koch)
Date: Mon, 07 Nov 2011 20:26:55 +0100
Subject: bug with DNS back-end?
In-Reply-To: <878vnsngnq.fsf@rho.meyering.net> (Jim Meyering's message of "Mon, 07 Nov 2011 15:36:25 +0100")
References: <878vnsngnq.fsf@rho.meyering.net>
Message-ID: <87ehxjag3k.fsf@vigenere.g10code.de>

On Mon, 7 Nov 2011 15:36, jim at meyering.net said:

> gpg: requesting key B565716F from dns:simon.josefsson.org?type=CERT
> gpgkeys: no keyserver host provided
> gpg: keyserver internal error

What GnuPG version is that? Most key retrieval methods in 2.1 do not
yet work.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From: jim at meyering.net (Jim Meyering)
Date: Mon, 07 Nov 2011 20:36:06 +0100
Subject: bug with DNS back-end?
In-Reply-To: <87ehxjag3k.fsf@vigenere.g10code.de> (Werner Koch's message of "Mon, 07 Nov 2011 20:26:55 +0100")
References: <878vnsngnq.fsf@rho.meyering.net> <87ehxjag3k.fsf@vigenere.g10code.de>
Message-ID: <877h3bn2s9.fsf@rho.meyering.net>

Werner Koch wrote:
> On Mon, 7 Nov 2011 15:36, jim at meyering.net said:
>
>> gpg: requesting key B565716F from dns:simon.josefsson.org?type=CERT
>> gpgkeys: no keyserver host provided
>> gpg: keyserver internal error
>
> What GnuPG version is that? Most key retrieval methods in 2.1 do not
> yet work.

Hi Werner,

This is with both gpg 1 and 2: (on fedora 16)

  gnupg-1.4.11-3.fc15.x86_64
  gnupg2-2.0.18-2.fc16.x86_64

From: wk at gnupg.org (Werner Koch)
Date: Mon, 07 Nov 2011 20:53:43 +0100
Subject: how to determine default GPG key ID?
In-Reply-To: <8739e0nftg.fsf@rho.meyering.net> (Jim Meyering's message of "Mon, 07 Nov 2011 15:54:35 +0100")
References: <8739e0nftg.fsf@rho.meyering.net>
Message-ID: <87aa87aeuw.fsf@vigenere.g10code.de>

On Mon, 7 Nov 2011 15:54, jim at meyering.net said:

> Is there some way to make GPG print the default key ID
> without actually signing something or having access to

  $ gpgconf --list-options gpg | awk -F: '$1 == "default-key" {print $10}'

The '"' indicates that the value is a string. This works by parsing the
config file. There is no other reliable method to figure it out. GPG
uses the first usable key in the keyring and the order of the keys in
the ring is not defined.

> definition. But even determining which .gnupg/gpg.conf file to
> read is not trivial, since gpg's choice depends on envvars like
> GPG_HOME.

(It is GNUPGHOME).

Right. Thus we came up with gpgconf. It actually invokes gpg to get
some metadata on the options. A bit complicated but this system allows
us to create a configuration GUI on the fly.

> Currently in gnulib's maint.mk file, I do this;
>
>   gpg_key_ID ?= \
>     $$(git cat-file tag v$(VERSION) > .ann-sig \
>        && gpgv .ann-sig - < /dev/null 2>&1 \
>          | sed -n '/.*key ID \([0-9A-F]*\)/s//\1/p'; rm -f .ann-sig)
>
> which is ok, since we always have a GPG-signed tag on the release, and
> from that we can determine the ID of the signing key. Even that could
> be improved if there's a way to extract the signing key ID without having
> to use a temporary file.

That is easy:

  git cat-file tag v$(VERSION) \
    | gpgv --status-fd 1 --keyring /dev/null 2>/dev/null \
    | awk '$1 == "[GNUPG:]" && $2 == "ERRSIG" {print $3}'

"--keyring /dev/null" makes sure that you will always get an error back.
--status-fd is very important - it needs to be used by all scripts
because it has a well defined output format which will never change.
The script above returns the long keyid. Usually GPG only prints the
abbreviated short keyid. You may pass the long keyid anywhere where the
short keyid is expected. You can't get the fingerprint from a signature
because it is not in the signature file. The tags like ERRSIG are
described in doc/DETAILS.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From: jim at meyering.net (Jim Meyering)
Date: Mon, 07 Nov 2011 23:09:41 +0100
Subject: how to determine default GPG key ID?
In-Reply-To: <87aa87aeuw.fsf@vigenere.g10code.de> (Werner Koch's message of "Mon, 07 Nov 2011 20:53:43 +0100")
References: <8739e0nftg.fsf@rho.meyering.net> <87aa87aeuw.fsf@vigenere.g10code.de>
Message-ID: <871utjmvoa.fsf@rho.meyering.net>

Werner Koch wrote:
> On Mon, 7 Nov 2011 15:54, jim at meyering.net said:
>
>> Is there some way to make GPG print the default key ID
>> without actually signing something or having access to
>
>   $ gpgconf --list-options gpg | awk -F: '$1 == "default-key" {print $10}'

Ahhhh.... Perfect. ;-)
I didn't know about gpgconf.

...

>> Currently in gnulib's maint.mk file, I do this;
>>
>>   gpg_key_ID ?= \
>>     $$(git cat-file tag v$(VERSION) > .ann-sig \
>>        && gpgv .ann-sig - < /dev/null 2>&1 \
>>          | sed -n '/.*key ID \([0-9A-F]*\)/s//\1/p'; rm -f .ann-sig)
>>
>> which is ok, since we always have a GPG-signed tag on the release, and
>> from that we can determine the ID of the signing key. Even that could
>> be improved if there's a way to extract the signing key ID without having
>> to use a temporary file.
>
> That is easy:
>
>   git cat-file tag v$(VERSION) \
>     | gpgv --status-fd 1 --keyring /dev/null 2>/dev/null \
>     | awk '$1 == "[GNUPG:]" && $2 == "ERRSIG" {print $3}'
>
> "--keyring /dev/null" makes sure that you will always get an error back.
> --status-fd is very important - it needs to be used by all scripts
> because it has a well defined output format which will never change.
> The script above returns the long keyid. Usually GPG only prints the
> abbreviated short keyid. You may pass the long keyid anywhere where the
> short keyid is expected. You can't get the fingerprint from a signature
> because it is not in the signature file. The tags like ERRSIG are
> described in doc/DETAILS.

Nice! Thank you for the tips!

Note that I had to add the two "-" arguments to placate gpgv.
Also, I have a slight preference for sed here:

  gpg_key_ID ?= \
    $$(git cat-file tag v$(VERSION) \
       | gpgv --status-fd 1 --keyring /dev/null - - 2>/dev/null \
       | sed -n '/^\[GNUPG:\] ERRSIG /{s///;s/ .*//p;q}')

From: alex at gpgtools.org (Alex (via GPGTools))
Date: Tue, 8 Nov 2011 09:15:52 +0100
Subject: RFC 4880 Test Suite

Dear all,

I've recognized the "check" make target in the GnuPG and Libgcrypt
sources and I'm wondering what the best source for an RFC 4880 test
suite might be. The background is a (planned) OpenPGP core library in
JavaScript and the goal is to identify what parts are missing / are
already working. For this we need many technology agnostic example
keys, messages, and expectations.

Do you have any hints or suggestions?

Best regards,
Alex

--
http://gpgtools.org

From: wk at gnupg.org (Werner Koch)
Date: Tue, 08 Nov 2011 13:13:09 +0100
Subject: RFC 4880 Test Suite
In-Reply-To: (alex@gpgtools.org's message of "Tue, 8 Nov 2011 09:15:52 +0100")
Message-ID: <87obwm7qy2.fsf@vigenere.g10code.de>

On Tue, 8 Nov 2011 09:15, alex at gpgtools.org said:

> I've recognized the "check" make target in the GnuPG and Libgcrypt
> sources and I'm wondering what the best source for an RFC 4880 test
> suite might be. The background is a (planned) OpenPGP core library in

I don't know of any test suite. The IETF suggests interop tests and
not reference test suites.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

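Parsing the two machine-readable outputs Werner recommends in the "default GPG key ID" thread above (the gpgconf --list-options record whose tenth field holds the value, and the [GNUPG:] ERRSIG status line that gpgv emits against an empty keyring), as an added Python example that is not from the thread and not GnuPG's own code. The gpgconf records and status lines it works on are constructed stand-ins with placeholder key ids and fingerprint; `gpgconf_option`, `signature_key`, `keyid_matches` and `default_key_signed_tag` are names chosen here. It goes a little beyond the awk and sed one-liners: it also picks up GOODSIG/VALIDSIG when the key is in a keyring, and compares a short, long or fingerprint form of default-key with the signer's long key id the way gpg does, with the shorter form as a suffix of the longer.

```python
# Added example, not from the thread: parsing gpgconf --list-options records
# and gpgv --status-fd lines instead of scraping gpg's human-oriented output.
# Both sample outputs are constructed for this example; nothing here runs gpg.
import re

# Constructed stand-in for `gpgconf --list-options gpg`: colon-separated records,
# option name in field 1, current value in field 10.  String values carry a
# leading '"' and are percent-escaped (a literal ':' would split the record).
SAMPLE_GPGCONF = """\
default-key:0:0:use NAME as default secret key:1:0:NAME:::"0x0123456789ABCDEF
keyserver:0:0:use NAME as keyserver:1:0:URL:::"hkp%3a//pool.sks-keyservers.net
verbose:0:0:verbose:0:0:::::
"""

# Constructed stand-in for `gpgv --status-fd 1 --keyring /dev/null` on a signed
# tag: the key is unknown, so ERRSIG (long key id first) and NO_PUBKEY appear
# and GOODSIG/VALIDSIG never do.  Key ids and fingerprints are placeholders.
STATUS_UNKNOWN_KEY = """\
[GNUPG:] ERRSIG 0123456789ABCDEF 17 8 00 1320693275 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""

# The same signature checked against a keyring that does hold the key.
STATUS_KNOWN_KEY = """\
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer (constructed) <signer@example.org>
[GNUPG:] VALIDSIG 00112233445566778899AAAA0123456789ABCDEF 2011-11-07 1320693275 0 4 0 17 8 00 00112233445566778899AAAA0123456789ABCDEF
"""


def gpgconf_option(listing: str, name: str):
    """Value of option NAME from --list-options output, or None when unset.
    String values are unquoted and percent-unescaped (ASCII is enough here);
    numeric values come back as text."""
    for record in listing.splitlines():
        fields = record.split(":")
        if len(fields) < 10 or fields[0] != name:
            continue
        value = fields[9]
        if not value:
            return None
        if value.startswith('"'):
            return re.sub(r"%([0-9A-Fa-f]{2})",
                          lambda m: chr(int(m.group(1), 16)), value[1:])
        return value
    return None


def signature_key(status_text: str):
    """(long key id, fingerprint) named by the status lines.  The key id is
    present even for an unknown key (ERRSIG/BADSIG/GOODSIG/...); the
    fingerprint comes only from VALIDSIG, i.e. only when the key is in a
    keyring, since an RFC 4880 signature carries the issuer key id, not the
    fingerprint."""
    keyid = fingerprint = None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in ("ERRSIG", "GOODSIG", "BADSIG", "EXPKEYSIG", "REVKEYSIG"):
            keyid = parts[2]
        elif parts[1] == "VALIDSIG":
            fingerprint = parts[2]
    return keyid, fingerprint


def keyid_matches(a: str, b: str) -> bool:
    """gpg-style comparison of key identifiers: the short (8 hex) and long
    (16 hex) key ids are the trailing digits of the 40-hex fingerprint, so the
    shorter form must be a suffix of the longer; 0x prefix and case are ignored."""
    def norm(s):
        s = s.strip().upper()
        return s[2:] if s.startswith("0X") else s
    short, long_ = sorted((norm(a), norm(b)), key=len)
    if len(short) not in (8, 16, 40) or len(long_) not in (8, 16, 40):
        return False
    return long_.endswith(short)


def default_key_signed_tag(listing: str, status_text: str) -> bool:
    """Does the configured default-key match the key that signed the tag?"""
    default = gpgconf_option(listing, "default-key")
    keyid, _ = signature_key(status_text)
    return bool(default and keyid) and keyid_matches(default, keyid)
```

With the real tools the same functions are fed the output of `gpgconf --list-options gpg` and the `--status-fd 1` stream of gpgv; the status keywords are the ones doc/DETAILS documents, which is why scripts parse them rather than the localized human-readable messages.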
From: jim at meyering.net (Jim Meyering) Date: Fri, 11 Nov 2011 11:38:19 +0100 Subject: [PATCH] tests: avoid write-beyond-end-of-heap buffer Message-ID: <87ipmr2bc4.fsf@rho.meyering.net> In libgcrypt's "make check" (latest from git), I was surprised to see the "basic" test fail. Here's a patch: Avoid scary-looking (with MALLOC_CHECK_=3) "make check" test failure: *** glibc detected *** /h/j/w/co/libgcrypt/tests/.libs/lt-basic: free(): invalid pointer: 0x0000000001f9d080 *** ======= Backtrace: ========= /lib64/libc.so.6[0x3a5807c606] /w/libgcrypt/src/.libs/libgcrypt.so.19(+0x100c9)[0x7f890edb90c9] /w/libgcrypt/src/.libs/libgcrypt.so.19(+0xb03e)[0x7f890edb403e] /w/libgcrypt/src/.libs/libgcrypt.so.19(gcry_free+0x18)[0x7f890edb1eef] /w/libgcrypt/tests/.libs/lt-basic[0x4091f4] /w/libgcrypt/tests/.libs/lt-basic[0x40b541] /lib64/libc.so.6(__libc_start_main+0xed)[0x3a5802169d] /w/libgcrypt/tests/.libs/lt-basic[0x401979] ======= Memory map: ======== 00400000-00411000 r-xp 00000000 08:08 2787510 /w/co/libgcrypt/tests/.libs/lt-basic ... >From 722e6d470371bb3d995e0a6a67cd9c2ffd7bb664 Mon Sep 17 00:00:00 2001 From: Jim Meyering Date: Fri, 11 Nov 2011 11:34:45 +0100 Subject: [PATCH] tests: avoid write-beyond-end-of-heap buffer * basic.c (check_bulk_cipher_modes): Allocate one more byte in each of the two test buffers. Otherwise, running "env -i MALLOC_CHECK_=3 ./basic" would abort. --- tests/ChangeLog | 7 +++++++ tests/basic.c | 4 ++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/tests/ChangeLog b/tests/ChangeLog index 8e96898..573b331 100644 --- a/tests/ChangeLog +++ b/tests/ChangeLog @@ -1,3 +1,10 @@ +2011-11-11 Jim Meyering + + tests: avoid write-beyond-end-of-heap buffer + * basic.c (check_bulk_cipher_modes): Allocate one more byte in + each of the two test buffers. Otherwise, running + "env -i MALLOC_CHECK_=3 ./basic" would abort. + 2011-09-15 Werner Koch * register.c: Remove. diff --git a/tests/basic.c b/tests/basic.c index cdc3462..9b2d0a8 100644 
--- a/tests/basic.c +++ b/tests/basic.c @@ -1251,9 +1251,9 @@ check_bulk_cipher_modes (void) fprintf (stderr, "Starting bulk cipher checks.\n"); buflen = 16*100; /* We check a 1600 byte buffer. */ - buffer_base = gcry_xmalloc (buflen+15); + buffer_base = gcry_xmalloc (buflen+16); buffer = buffer_base + (16 - ((size_t)buffer_base & 0x0f)); - outbuf_base = gcry_xmalloc (buflen+15); + outbuf_base = gcry_xmalloc (buflen+16); outbuf = outbuf_base + (16 - ((size_t)outbuf_base & 0x0f)); -- 1.7.8.rc0.61.g8a042 From vivarto at gmail.com Sun Nov 13 06:02:41 2011 From: vivarto at gmail.com (Veet Vivarto) Date: Sat, 12 Nov 2011 19:02:41 -1000 Subject: How to change the secret key passphrase on command line with just one command? Message-ID: Hi, Is there a way to change the secret key passphrase programmatically, with just one line without having to go through the "Edit" menu? Thank you in advance for any information. Vivarto -------------- next part -------------- An HTML attachment was scrubbed... URL: From wk at gnupg.org Sun Nov 13 11:47:59 2011 From: wk at gnupg.org (Werner Koch) Date: Sun, 13 Nov 2011 11:47:59 +0100 Subject: How to change the secret key passphrase on command line with just one command? In-Reply-To: (Veet Vivarto's message of "Sat, 12 Nov 2011 19:02:41 -1000") References: Message-ID: <87obwgxpr4.fsf@gnupg.org> On Sun, 13 Nov 2011 06:02, vivarto at gmail.com said: > Is there a way to change the secret key passphrase programmatically, with > just one line without having to go through the "Edit" menu? > Thank you in advance for any information. OpenPGP: gpg --passwd USERID S/MIME: gpgsm --passwd USERID Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From gniibe at fsij.org Thu Nov 24 08:00:12 2011 
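Review bot: in the tests/basic.c hunk of Jim Meyering's patch above, +16 is the right minimum for that alignment expression, not just "one more byte": `(16 - ((size_t)buffer_base & 0x0f))` evaluates to 16, never 0, when the base is already 16-byte aligned (which glibc malloc on x86-64 guarantees), so the usable region starts 16 bytes into the allocation and the last of the 1600 bytes lands at offset buflen+15, one past a buflen+15 allocation. Worth putting that reasoning in a one-line comment beside the two gcry_xmalloc calls, since the commit message and ChangeLog only state the symptom; the alternative is to mask the adjustment, e.g. `buffer = buffer_base + ((16 - ((size_t)buffer_base & 0x0f)) & 0x0f);`, so an already aligned base adds nothing and +15 would again suffice. Either way the ChangeLog entry should describe the variant chosen.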
From: gniibe at fsij.org (Niibe Yutaka)
Date: Thu, 24 Nov 2011 16:00:12 +0900
Subject: Gnuk version 0.15
Message-ID: <1322118012.2104.8.camel@latx1.gniibe.org>

Hi,

Gnuk version 0.15 is out.

Gnuk is a software implementation of a USB token for GNU Privacy Guard.
Gnuk supports OpenPGP card protocol version 2, and it runs on an STM32
processor.

While it is stable, I am considering features of such tokens. Gnuk
simply implements OpenPGP card protocol 2.0. With about a year of
experience with Gnuk, I understand that it's not a "portable .gnupg".
A Gnuk Token doesn't have a public keyring or trust database. Does it
make sense to add external flash memory so that the Gnuk Token can have
a public keyring and trust database?

Any comments will be appreciated.

Highlights are (in gnuk-0.15/NEWS):

* New targets: FST_01 and FST_01_00

  Flying Stone Technology's open hardware, Flying Stone Tiny 01, is
  supported.

* Flash writing tool for "DfuSe" is improved

  Now it supports holes and unaligned blocks in hex files.

* Experimental PIN-pad support (by TV controller) change

  Now Gnuk has code tables for conversion from CIR code to ASCII code.
  Note that only four controllers (of Dell, Sharp, Sony, and Toshiba)
  are supported and tested.

* It is possible for users to keep using OPENPGP_CARD_INITIAL_PW1

  With a bug fix of verify_user_0, it's now possible, although it's not
  recommended.

* Important bug fix and a workaround

  In version 0.14, __main_stack_size__ (for interrupt handler) was too
  small for some cases. This is fixed in 0.15.

  In src/Makefile.in, added -mfix-cortex-m3-ldrd for correctly linking
  the C library for thumb2. This is needed for newer summon-arm-toolchain.

Happy Hacking,

From: jim at meyering.net (Jim Meyering)
Date: Sun, 27 Nov 2011 21:52:48 +0100
Subject: cert-related "make check" failures
Message-ID: <874nxpp9sv.fsf@rho.meyering.net>

Hello,

With these five working directories (all up to date from git):

  gnupg libgcrypt libassuan libksba libgpg-error

I ran the following on my Fedora-16 desktop:

  dir=/tmp/gpg-test-install
  cfg="./configure --enable-maintainer-mode --prefix=$dir"
  (cd libgpg-error && eval $cfg && make && make check && make install)
  cfg="$cfg --with-gpg-error-prefix=$dir"
  (cd libksba && eval $cfg && make && make check && make install)
  cfg="$cfg --with-ksba-prefix=$dir"
  (cd libassuan && eval $cfg && make && make check && make install)
  cfg="$cfg --with-libassuan-prefix=$dir"
  (cd libgcrypt && eval $cfg && make && make check && make install)
  cfg="$cfg --with-libgcrypt-prefix=$dir"
  (export LD_LIBRARY_PATH=$dir/lib; cd gnupg && eval $cfg && make && make check)

[minor aside, I would have used a loop, but there is an inconsistency.
Would you accept a patch to correct that?
It would simply allow libgpg-error's configure script to accept
a matching --with-libgpg-error-prefix option in addition to
its current --with-gpg-error-prefix. ]

As for results of the gnupg "make check" run, first, this one failed:

  FAIL: import-all-certs

Then (minutes of no progress) the following test hung, so I poked around.
pstree showed this:

  |   |   |   `-make check
  |   |   |       `-make check-TESTS
  |   |   |           `-sh -c...
  |   |   |               `-validate-all-ce ./validate-all-certs
  |   |   |                   `-gpgsm -q --import --with-validation ...

So I killed that validate-all-certs script, which resulted in this:

  /bin/sh: line 5:  9732 Hangup                  GNUPGHOME=`/bin/pwd` GPG_AGENT_INFO= \
      LC_ALL=C GPGSM=../../sm/gpgsm silent=yes ${dir}$tst
  FAIL: validate-all-certs

Then there was one more failure:

  FAIL: signature-verification

From: jim at meyering.net (Jim Meyering)
Date: Sun, 27 Nov 2011 22:38:32 +0100
Subject: gpg-agent: use --disable-scdaemon, yet still get SC-related error?
Message-ID: <87fwh9i6uf.fsf@rho.meyering.net>

Does this ring a bell with anyone?

I'm using gpg-agent from Fedora 16's gnupg2-2.0.18-2.fc16.x86_64,
invoked with these options:

    exec gpg-agent --daemon \
      --disable-scdaemon \
      --enable-ssh-support \
      --use-standard-socket \
      --log-file $HOME/.ssh/log \
      $HOME/.xinitrc-real

Yet in spite of that --disable-scdaemon option, I still get what looks
like an SC-related error in the log each time I try to use gpg:
(and the agent fails to do its job):

    2011-11-27 22:29:21 gpg-agent[13380] error getting default authentication keyID of card: Not supported

From wk at gnupg.org Mon Nov 28 10:25:28 2011
From: wk at gnupg.org (Werner Koch)
Date: Mon, 28 Nov 2011 10:25:28 +0100
Subject: cert-related "make check" failures
In-Reply-To: <874nxpp9sv.fsf@rho.meyering.net> (Jim Meyering's message of "Sun, 27 Nov 2011 21:52:48 +0100")
References: <874nxpp9sv.fsf@rho.meyering.net>
Message-ID: <87ty5oa99z.fsf@vigenere.g10code.de>

On Sun, 27 Nov 2011 21:52, jim at meyering.net said:

> [minor aside, I would have used a loop, but there is an inconsistency.
> Would you accept a patch to correct that?
> It would simply allow libgpg-error's configure script to accept
> a matching --with-libgpg-error-prefix option in addition to
> its current --with-gpg-error-prefix. ]

Sure.

> As for results of the gnupg "make check" run, first, this one failed:
>
> FAIL: import-all-certs

You are not doing a VPATH build on your checkout.  This means that this
code in tests.pkits/common.sh:

    if [ -f PKITS_data.tar.bz2 ]; then
      :
    else
      if [ "$pgmname" = "import-all-certs" ]; then
        if [ "$silent" = "yes" ]; then
          tmp1="Note: "; tmp2=' '
        else
          tmp1="- ____ "; tmp2="$tmp1"
        fi
        echo "${tmp1}PKITS_data.tar.bz2 is not installed"
        echo "${tmp2}All tests will be skipped (this is not an error)"
      fi
      # Exit code 77 is used by the Makefile for skipping a tests.
      exit 77
    fi

detects the presence of PKITS_data.tar.bz2 in the current directory and
thus does not skip the tests.  That file is not distributed but only
kept in the repo.

Those PKITS tests are quite fragile and I have not run them for years.
IIRC, we once had an option to explicitly enable the tests but I later
changed it to use the presence of the test data as a trigger.  The tests
are anyway outdated and not fully implemented.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Mon Nov 28 10:31:48 2011
From: wk at gnupg.org (Werner Koch)
Date: Mon, 28 Nov 2011 10:31:48 +0100
Subject: gpg-agent: use --disable-scdaemon, yet still get SC-related error?
In-Reply-To: <87fwh9i6uf.fsf@rho.meyering.net> (Jim Meyering's message of "Sun, 27 Nov 2011 22:38:32 +0100")
References: <87fwh9i6uf.fsf@rho.meyering.net>
Message-ID: <87pqgca8zf.fsf@vigenere.g10code.de>

On Sun, 27 Nov 2011 22:38, jim at meyering.net said:

> Yet in spite of that --disable-scdaemon option, I still get what looks
> like an SC-related error in the log each time I try to use gpg:
> (and the agent fails to do its job):
>
> 2011-11-27 22:29:21 gpg-agent[13380] error getting default authentication
> keyID of card: Not supported

Not a real error, should be reworded as "note".  Will do so for master.

The gpg-agent always tries to use a key from a smartcard for ssh
authentication.  Thus it asks scdaemon whether a suitable smartcard is
plugged in.  With scdaemon disabled or no suitable smartcard, gpg-agent
tries the next key from the list kept in ~/.gnupg/sshcontrol :

    "# List of allowed ssh keys.  Only keys present in this file are used\n"
    "# in the SSH protocol.  The ssh-add tool may add new entries to this\n"
    "# file to enable them; you may also add them manually.  Comment\n"
    "# lines, like this one, as well as empty lines are ignored.  Lines do\n"
    "# have a certain length limit but this is not serious limitation as\n"
    "# the format of the entries is fixed and checked by gpg-agent.  A\n"
    "# non-comment line starts with optional white spaces, followed by the\n"
    "# keygrip of the key given as 40 hex digits, optionally followed by a\n"
    "# the caching TTL in seconds and another optional field for arbitrary\n"
    "# flags.  Prepend the keygrip with an '!' mark to disable it.\n"

Shalom-Salam,

   Werner

--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

From jim at meyering.net Mon Nov 28 11:06:40 2011
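As an added example (not gnupg's own code), here is a small parser for the sshcontrol entry format described in the header comment Werner quotes above: comment and empty lines are skipped, an entry is an optional '!' (disabled), a 40-hex-digit keygrip, an optional TTL in seconds and an optional flags field. The keygrips in the sample are constructed, not real keys.

```python
"""Parser for gpg-agent's ~/.gnupg/sshcontrol (added example, not gnupg code).

Entry format, per the file's header comment: optional leading white space,
an optional '!' marking the entry disabled, the keygrip as 40 hex digits,
an optional caching TTL in seconds and an optional arbitrary flags field.
Comment lines ('#') and empty lines are ignored.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

KEYGRIP_RE = re.compile(r"^[0-9A-Fa-f]{40}$")


@dataclass
class SshControlEntry:
    keygrip: str          # normalised to upper-case hex
    disabled: bool        # True when the keygrip was prefixed with '!'
    ttl: Optional[int]    # caching TTL in seconds, None if not given
    flags: Optional[str]  # arbitrary flags field, None if not given
    lineno: int           # 1-based line number in the sshcontrol file


def parse_sshcontrol(text: str) -> List[SshControlEntry]:
    """Return entries in file order; raise ValueError on a malformed line,
    since the format is fixed and gpg-agent checks it."""
    entries: List[SshControlEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        disabled = line.startswith("!")
        if disabled:
            line = line[1:].lstrip()  # tolerate white space after the '!'
        fields = line.split()
        if not fields or not KEYGRIP_RE.match(fields[0]):
            raise ValueError(
                f"sshcontrol line {lineno}: expected a 40 hex digit keygrip")
        if len(fields) > 3:
            raise ValueError(
                f"sshcontrol line {lineno}: too many fields ({len(fields)})")
        ttl: Optional[int] = None
        if len(fields) > 1:
            if not fields[1].isdigit():
                raise ValueError(
                    f"sshcontrol line {lineno}: TTL {fields[1]!r} is not an integer")
            ttl = int(fields[1])
        flags = fields[2] if len(fields) > 2 else None
        entries.append(
            SshControlEntry(fields[0].upper(), disabled, ttl, flags, lineno))
    return entries


def enabled_keygrips(text: str) -> List[str]:
    """Keygrips gpg-agent would offer to SSH clients, in file order."""
    return [e.keygrip for e in parse_sshcontrol(text) if not e.disabled]


# Constructed sample sshcontrol content; the keygrips are made-up values.
SAMPLE_SSHCONTROL = """\
# List of allowed ssh keys.  Only keys present in this file are used
# in the SSH protocol.
0123456789ABCDEF0123456789ABCDEF01234567 0
  fedcba9876543210fedcba9876543210fedcba98 3600 confirm
!ABCDEF0123456789ABCDEF0123456789ABCDEF01
"""

if __name__ == "__main__":
    for entry in parse_sshcontrol(SAMPLE_SSHCONTROL):
        print(entry)
    print("enabled:", enabled_keygrips(SAMPLE_SSHCONTROL))
```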
From: jim at meyering.net (Jim Meyering)
Date: Mon, 28 Nov 2011 11:06:40 +0100
Subject: gpg-agent: use --disable-scdaemon, yet still get SC-related error?
In-Reply-To: <87pqgca8zf.fsf@vigenere.g10code.de> (Werner Koch's message of "Mon, 28 Nov 2011 10:31:48 +0100")
References: <87fwh9i6uf.fsf@rho.meyering.net> <87pqgca8zf.fsf@vigenere.g10code.de>
Message-ID: <87zkfgftn3.fsf@rho.meyering.net>

Werner Koch wrote:
> On Sun, 27 Nov 2011 22:38, jim at meyering.net said:
>
>> Yet in spite of that --disable-scdaemon option, I still get what looks
>> like an SC-related error in the log each time I try to use gpg:
>> (and the agent fails to do its job):
>>
>> 2011-11-27 22:29:21 gpg-agent[13380] error getting default authentication
>> keyID of card: Not supported
>
> Not a real error, should be reworded as "note".  Will do so for master.

Thanks.

However, with --disable-scdaemon why even bother to call
card_key_available()?  Or, if calling it, why not return immediately
when opt.disable_scdaemon is set?

Looking at the code, I would have been tempted to skip calling that
function altogether when !opt.disable_scdaemon.  I.e.,

    /* First check whether a key is currently available in the card
       reader - this should be allowed even without being listed in
       sshcontrol. */
    if (!opt.disable_scdaemon
        && !card_key_available (ctrl, &key_public, &cardsn))
      {
        err = ssh_send_key_public (key_blobs, key_public, cardsn);
        gcry_sexp_release (key_public);
        key_public = NULL;
        xfree (cardsn);
        if (err)
          goto out;

        key_counter++;
      }

Otherwise, that "note" seems confusing, since it appears to be talking
about SC-related support, which I've explicitly disabled.

From jim at meyering.net Mon Nov 28 13:43:37 2011
From: jim at meyering.net (Jim Meyering)
Date: Mon, 28 Nov 2011 13:43:37 +0100
Subject: cert-related "make check" failures
In-Reply-To: <87ty5oa99z.fsf@vigenere.g10code.de> (Werner Koch's message of "Mon, 28 Nov 2011 10:25:28 +0100")
References: <874nxpp9sv.fsf@rho.meyering.net> <87ty5oa99z.fsf@vigenere.g10code.de>
Message-ID: <87ty5oe7t2.fsf@rho.meyering.net>

Werner Koch wrote:
> On Sun, 27 Nov 2011 21:52, jim at meyering.net said:
>
>> [minor aside, I would have used a loop, but there is an inconsistency.
>> Would you accept a patch to correct that?
>> It would simply allow libgpg-error's configure script to accept
>> a matching --with-libgpg-error-prefix option in addition to
>> its current --with-gpg-error-prefix. ]
>
> Sure.

Ok.  Sending separately.
I've made the change in libgpg-error's src/gpg-error.m4 and propagated
that (nearly identical patches) to the four other git repositories,
since all four have to know about this new configure option.

From jim at meyering.net Mon Nov 28 13:44:09 2011
From: jim at meyering.net (Jim Meyering)
Date: Mon, 28 Nov 2011 13:44:09 +0100
Subject: [PATCH libgpg-error] accept --with-libgpg-error-prefix as well as --with-gpg-error-prefix
Message-ID: <87r50se7s6.fsf@rho.meyering.net>

* src/gpg-error.m4 (AM_PATH_GPG_ERROR): Also accept
--with-libgpg-error-prefix=PFX, for consistency with our three
library sibling packages.
---
 ChangeLog        |  7 +++++++
 src/gpg-error.m4 | 14 ++++++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index ecf78dd..b838b86 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@ +2011-11-28 Jim Meyering + + accept --with-libgpg-error-prefix as well as --with-gpg-error-prefix + * src/gpg-error.m4 (AM_PATH_GPG_ERROR): Also accept + --with-libgpg-error-prefix=PFX, for consistency with our three + library sibling packages. + 2011-08-23 Werner Koch * src/err-codes.h.in: Add GPG_ERR_DUP_KEY and GPG_ERR_AMBIGUOUS.
diff --git a/src/gpg-error.m4 b/src/gpg-error.m4
index ef07fd7..f0b9f1f 100644
--- a/src/gpg-error.m4
+++ b/src/gpg-error.m4
@@ -15,10 +15,20 @@ dnl Test for libgpg-error and define GPG_ERROR_CFLAGS and GPG_ERROR_LIBS dnl AC_DEFUN([AM_PATH_GPG_ERROR], [ AC_REQUIRE([AC_CANONICAL_HOST]) - AC_ARG_WITH(gpg-error-prefix, - AC_HELP_STRING([--with-gpg-error-prefix=PFX], + dnl --with-libgpg-error-prefix=PFX is the preferred name for this option, + dnl since that is consistent with how our three siblings use the directory/ + dnl package name in --with-$dir_name-prefix=PFX. + AC_ARG_WITH(libgpg-error-prefix, + AC_HELP_STRING([--with-libgpg-error-prefix=PFX], [prefix where GPG Error is installed (optional)]), gpg_error_config_prefix="$withval", gpg_error_config_prefix="") + + dnl Accept --with-gpg-error-prefix and make it work the same as + dnl --with-libgpg-error-prefix above, for backwards compatibility, + dnl but do not document this old, inconsistently-named option. + AC_ARG_WITH(gpg-error-prefix,, + gpg_error_config_prefix="$withval", gpg_error_config_prefix="") + if test x$gpg_error_config_prefix != x ; then if test x${GPG_ERROR_CONFIG+set} != xset ; then GPG_ERROR_CONFIG=$gpg_error_config_prefix/bin/gpg-error-config
--
1.7.8.rc3.31.g017d1

From jim at meyering.net Mon Nov 28 13:44:58 2011
From: jim at meyering.net (Jim Meyering)
Date: Mon, 28 Nov 2011 13:44:58 +0100
Subject: [PATCH libassuan] accept --with-libgpg-error-prefix as well as --with-gpg-error-prefix
Message-ID: <87lir0e7qt.fsf@rho.meyering.net>

* m4/gpg-error.m4: Update from git master.
---
 ChangeLog       |  5 +++++
 m4/gpg-error.m4 | 14 ++++++++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index bd6f2c5..ee8e140 100644
--- a/ChangeLog
+++ b/ChangeLog
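Review bot: in the libgpg-error src/gpg-error.m4 hunk above, the second macro, AC_ARG_WITH(gpg-error-prefix,, gpg_error_config_prefix="$withval", gpg_error_config_prefix=""), runs its action-if-not-given whenever the old option is absent, which resets gpg_error_config_prefix to the empty string and discards the value the preceding AC_ARG_WITH(libgpg-error-prefix, ...) just stored. The result is that --with-libgpg-error-prefix=PFX on its own has no effect, while the old spelling (alone or together with the new one) still works; the "if test x$gpg_error_config_prefix != x" check that follows then falls through to the PATH search. Drop the fourth argument of both macros, i.e. AC_ARG_WITH(gpg-error-prefix,, gpg_error_config_prefix="$withval"), and set gpg_error_config_prefix="" once before them, so either option sets the variable and neither clears it.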
@@ -1,3 +1,8 @@ +2011-11-28 Jim Meyering + + accept --with-libgpg-error-prefix as well as --with-gpg-error-prefix + * m4/gpg-error.m4: Update from git master. + 2011-08-10 Werner Koch * configure.ac: Use http://bugs.gnupg.org as bug reporting
diff --git a/m4/gpg-error.m4 b/m4/gpg-error.m4
index ef07fd7..f0b9f1f 100644
--- a/m4/gpg-error.m4
+++ b/m4/gpg-error.m4
@@ -15,10 +15,20 @@ dnl Test for libgpg-error and define GPG_ERROR_CFLAGS and GPG_ERROR_LIBS dnl AC_DEFUN([AM_PATH_GPG_ERROR], [ AC_REQUIRE([AC_CANONICAL_HOST]) - AC_ARG_WITH(gpg-error-prefix, - AC_HELP_STRING([--with-gpg-error-prefix=PFX], + dnl --with-libgpg-error-prefix=PFX is the preferred name for this option, + dnl since that is consistent with how our three siblings use the directory/ + dnl package name in --with-$dir_name-prefix=PFX. + AC_ARG_WITH(libgpg-error-prefix, + AC_HELP_STRING([--with-libgpg-error-prefix=PFX], [prefix where GPG Error is installed (optional)]), gpg_error_config_prefix="$withval", gpg_error_config_prefix="") + + dnl Accept --with-gpg-error-prefix and make it work the same as + dnl --with-libgpg-error-prefix above, for backwards compatibility, + dnl but do not document this old, inconsistently-named option. + AC_ARG_WITH(gpg-error-prefix,, + gpg_error_config_prefix="$withval", gpg_error_config_prefix="") + if test x$gpg_error_config_prefix != x ; then if test x${GPG_ERROR_CONFIG+set} != xset ; then GPG_ERROR_CONFIG=$gpg_error_config_prefix/bin/gpg-error-config
--
1.7.8.rc3.31.g017d1

From jim at meyering.net Mon Nov 28 13:45:36 2011
From: jim at meyering.net (Jim Meyering)
Date: Mon, 28 Nov 2011 13:45:36 +0100
Subject: [PATCH libksba] accept --with-libgpg-error-prefix as well as --with-gpg-error-prefix
Message-ID: <87fwh8e7pr.fsf@rho.meyering.net>

* m4/gpg-error.m4: Update from git master.
---
 ChangeLog       |  5 +++++
 m4/gpg-error.m4 | 14 ++++++++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index ab252d9..ce9a49d 100644
--- a/ChangeLog
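Review bot: the libassuan m4/gpg-error.m4 hunk above is a copy of the libgpg-error macro ("Update from git master") and carries the same defect: the action-if-not-given of AC_ARG_WITH(gpg-error-prefix,, gpg_error_config_prefix="$withval", gpg_error_config_prefix="") unconditionally clears gpg_error_config_prefix when the old option is absent, so a build configured with only --with-libgpg-error-prefix=PFX ends up with an empty prefix. This copy should be re-synced from libgpg-error after the empty-string default is dropped there, rather than merged as-is, or the sibling will be fixed twice.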
+++ b/ChangeLog
@@ -1,3 +1,8 @@ +2011-11-28 Jim Meyering + + accept --with-libgpg-error-prefix as well as --with-gpg-error-prefix + * m4/gpg-error.m4: Update from git master. + 2011-03-01 Werner Koch Release 1.2.0.
diff --git a/m4/gpg-error.m4 b/m4/gpg-error.m4
index 2e5a0ab..35cbc78 100644
--- a/m4/gpg-error.m4
+++ b/m4/gpg-error.m4
@@ -15,10 +15,20 @@ dnl Test for libgpg-error and define GPG_ERROR_CFLAGS and GPG_ERROR_LIBS dnl AC_DEFUN([AM_PATH_GPG_ERROR], [ AC_REQUIRE([AC_CANONICAL_HOST]) - AC_ARG_WITH(gpg-error-prefix, - AC_HELP_STRING([--with-gpg-error-prefix=PFX], + dnl --with-libgpg-error-prefix=PFX is the preferred name for this option, + dnl since that is consistent with how our three siblings use the directory/ + dnl package name in --with-$dir_name-prefix=PFX. + AC_ARG_WITH(libgpg-error-prefix, + AC_HELP_STRING([--with-libgpg-error-prefix=PFX], [prefix where GPG Error is installed (optional)]), gpg_error_config_prefix="$withval", gpg_error_config_prefix="") + + dnl Accept --with-gpg-error-prefix and make it work the same as + dnl --with-libgpg-error-prefix above, for backwards compatibility, + dnl but do not document this old, inconsistently-named option. + AC_ARG_WITH(gpg-error-prefix,, + gpg_error_config_prefix="$withval", gpg_error_config_prefix="") + if test x$gpg_error_config_prefix != x ; then if test x${GPG_ERROR_CONFIG+set} != xset ; then GPG_ERROR_CONFIG=$gpg_error_config_prefix/bin/gpg-error-config
--
1.7.8.rc3.31.g017d1

From jim at meyering.net Mon Nov 28 13:46:16 2011
From: jim at meyering.net (Jim Meyering)
Date: Mon, 28 Nov 2011 13:46:16 +0100
Subject: [PATCH libgcrypt] accept --with-libgpg-error-prefix as well as --with-gpg-error-prefix
Message-ID: <87aa7ge7on.fsf@rho.meyering.net>

* m4/gpg-error.m4: Update from git master.
---
 ChangeLog       |  5 +++++
 m4/gpg-error.m4 | 15 +++++++++++++--
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 4bd3ee2..8d3d04d 100644
--- a/ChangeLog
+++ b/ChangeLog
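Review bot: the libksba m4/gpg-error.m4 hunk above has the same ordering problem as the macro it was copied from: AC_ARG_WITH(gpg-error-prefix,, gpg_error_config_prefix="$withval", gpg_error_config_prefix="") is evaluated after AC_ARG_WITH(libgpg-error-prefix, ...), and its empty-string action-if-not-given overwrites whatever the new option set, so --with-libgpg-error-prefix=PFX alone leaves gpg_error_config_prefix empty and the following "if test x$gpg_error_config_prefix != x" never sees it. Take the corrected macro from libgpg-error (without the fourth argument on the compatibility AC_ARG_WITH) instead of this copy.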
@@ -1,3 +1,8 @@ +2011-11-28 Jim Meyering + + accept --with-libgpg-error-prefix as well as --with-gpg-error-prefix + * m4/gpg-error.m4: Update from git master. + 2011-09-15 Werner Koch * configure.ac: Bump LT version at C19/A0/R0 due to the ABI change.
diff --git a/m4/gpg-error.m4 b/m4/gpg-error.m4
index 8d82925..eb5d7c4 100644
--- a/m4/gpg-error.m4
+++ b/m4/gpg-error.m4
@@ -14,10 +14,21 @@ dnl [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]]) dnl Test for libgpg-error and define GPG_ERROR_CFLAGS and GPG_ERROR_LIBS dnl AC_DEFUN([AM_PATH_GPG_ERROR], -[ AC_ARG_WITH(gpg-error-prefix, - AC_HELP_STRING([--with-gpg-error-prefix=PFX], +[ + dnl --with-libgpg-error-prefix=PFX is the preferred name for this option, + dnl since that is consistent with how our three siblings use the directory/ + dnl package name in --with-$dir_name-prefix=PFX. + AC_ARG_WITH(libgpg-error-prefix, + AC_HELP_STRING([--with-libgpg-error-prefix=PFX], [prefix where GPG Error is installed (optional)]), gpg_error_config_prefix="$withval", gpg_error_config_prefix="") + + dnl Accept --with-gpg-error-prefix and make it work the same as + dnl --with-libgpg-error-prefix above, for backwards compatibility, + dnl but do not document this old, inconsistently-named option. + AC_ARG_WITH(gpg-error-prefix,, + gpg_error_config_prefix="$withval", gpg_error_config_prefix="") + if test x$gpg_error_config_prefix != x ; then if test x${GPG_ERROR_CONFIG+set} != xset ; then GPG_ERROR_CONFIG=$gpg_error_config_prefix/bin/gpg-error-config
--
1.7.8.rc3.31.g017d1

From jim at meyering.net Mon Nov 28 13:47:08 2011
From: jim at meyering.net (Jim Meyering)
Date: Mon, 28 Nov 2011 13:47:08 +0100
Subject: [PATCH gnupg] accept --with-libgpg-error-prefix as well as --with-gpg-error-prefix
Message-ID: <874nxoe7n7.fsf@rho.meyering.net>

* m4/gpg-error.m4: Update from git master.
---
 ChangeLog       |  5 +++++
 m4/gpg-error.m4 | 14 ++++++++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)
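Review bot: the libgcrypt m4/gpg-error.m4 hunk above differs from the other siblings only in that the macro body has no AC_REQUIRE([AC_CANONICAL_HOST]) line (hence the extra "+[" line and the 15-line diffstat), but the two AC_ARG_WITH calls are the same and so is the defect: the trailing gpg_error_config_prefix="" in AC_ARG_WITH(gpg-error-prefix,, ...) runs whenever --with-gpg-error-prefix is not given and wipes out a prefix set by --with-libgpg-error-prefix=PFX immediately before. Drop that fourth argument (and initialise the variable once ahead of both macros) before applying here.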
diff --git a/ChangeLog b/ChangeLog
index bd02016..7e17ba8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@ +2011-11-28 Jim Meyering + + accept --with-libgpg-error-prefix as well as --with-gpg-error-prefix + * m4/gpg-error.m4: Update from git master. + 2011-09-23 Werner Koch * configure.ac: Remove check for gcry_kdf_derive.
diff --git a/m4/gpg-error.m4 b/m4/gpg-error.m4
index 2e5a0ab..35cbc78 100644
--- a/m4/gpg-error.m4
+++ b/m4/gpg-error.m4
@@ -15,10 +15,20 @@ dnl Test for libgpg-error and define GPG_ERROR_CFLAGS and GPG_ERROR_LIBS dnl AC_DEFUN([AM_PATH_GPG_ERROR], [ AC_REQUIRE([AC_CANONICAL_HOST]) - AC_ARG_WITH(gpg-error-prefix, - AC_HELP_STRING([--with-gpg-error-prefix=PFX], + dnl --with-libgpg-error-prefix=PFX is the preferred name for this option, + dnl since that is consistent with how our three siblings use the directory/ + dnl package name in --with-$dir_name-prefix=PFX. + AC_ARG_WITH(libgpg-error-prefix, + AC_HELP_STRING([--with-libgpg-error-prefix=PFX], [prefix where GPG Error is installed (optional)]), gpg_error_config_prefix="$withval", gpg_error_config_prefix="") + + dnl Accept --with-gpg-error-prefix and make it work the same as + dnl --with-libgpg-error-prefix above, for backwards compatibility, + dnl but do not document this old, inconsistently-named option. + AC_ARG_WITH(gpg-error-prefix,, + gpg_error_config_prefix="$withval", gpg_error_config_prefix="") + if test x$gpg_error_config_prefix != x ; then if test x${GPG_ERROR_CONFIG+set} != xset ; then GPG_ERROR_CONFIG=$gpg_error_config_prefix/bin/gpg-error-config
--
1.7.8.rc3.31.g017d1

From wk at gnupg.org Mon Nov 28 14:54:50 2011
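Review bot: the gnupg m4/gpg-error.m4 hunk above is the same copied macro and keeps the same bug: AC_ARG_WITH(gpg-error-prefix,, gpg_error_config_prefix="$withval", gpg_error_config_prefix="") resets the prefix to "" whenever the old option is absent, undoing a preceding --with-libgpg-error-prefix=PFX; the chained build described in this thread, which passes --with-libgpg-error-prefix only, would therefore not find a gpg-error-config under that prefix. Since all five copies are meant to be identical ("Update from git master"), fix the fourth argument once in libgpg-error and regenerate the siblings from it.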
From: wk at gnupg.org (Werner Koch)
Date: Mon, 28 Nov 2011 14:54:50 +0100
Subject: gpg-agent: use --disable-scdaemon, yet still get SC-related error?
In-Reply-To: <87zkfgftn3.fsf@rho.meyering.net> (Jim Meyering's message of "Mon, 28 Nov 2011 11:06:40 +0100")
References: <87fwh9i6uf.fsf@rho.meyering.net> <87pqgca8zf.fsf@vigenere.g10code.de> <87zkfgftn3.fsf@rho.meyering.net>
Message-ID: <87fwh89wt1.fsf@vigenere.g10code.de>

On Mon, 28 Nov 2011 11:06, jim at meyering.net said:

> Looking at the code, I would have been tempted to skip calling that function
> altogether when !opt.disable_scdaemon.

I did exactly this after your mail.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

From jim at meyering.net Mon Nov 28 15:05:44 2011
From: jim at meyering.net (Jim Meyering)
Date: Mon, 28 Nov 2011 15:05:44 +0100
Subject: gpg-agent: use --disable-scdaemon, yet still get SC-related error?
In-Reply-To: <87fwh89wt1.fsf@vigenere.g10code.de> (Werner Koch's message of "Mon, 28 Nov 2011 14:54:50 +0100")
References: <87fwh9i6uf.fsf@rho.meyering.net> <87pqgca8zf.fsf@vigenere.g10code.de> <87zkfgftn3.fsf@rho.meyering.net> <87fwh89wt1.fsf@vigenere.g10code.de>
Message-ID: <87sjl8cpfr.fsf@rho.meyering.net>

Werner Koch wrote:
> On Mon, 28 Nov 2011 11:06, jim at meyering.net said:
>
>> Looking at the code, I would have been tempted to skip calling that function
>> altogether when !opt.disable_scdaemon.
>
> I did exactly this after your mail.

Thanks!

From jim at meyering.net Mon Nov 28 15:08:08 2011
From: jim at meyering.net (Jim Meyering)
Date: Mon, 28 Nov 2011 15:08:08 +0100
Subject: gpg-agent: use --disable-scdaemon, yet still get SC-related error?
In-Reply-To: <4ED32FD2.5060409@gnome.org> (Stef Walter's message of "Mon, 28 Nov 2011 07:53:06 +0100")
References: <87fwh9i6uf.fsf@rho.meyering.net> <4ED32FD2.5060409@gnome.org>
Message-ID: <87mxbgcpbr.fsf@rho.meyering.net>

Stef Walter wrote:
> On 2011-11-27 22:38, Jim Meyering wrote:
>> Does this ring a bell with anyone?
>>
>> I'm using gpg-agent from Fedora 16's gnupg2-2.0.18-2.fc16.x86_64,
>> invoked with these options:
>>
>>     exec gpg-agent --daemon \
>>       --disable-scdaemon \
>>       --enable-ssh-support \
>>       --use-standard-socket \
>>       --log-file $HOME/.ssh/log \
>>       $HOME/.xinitrc-real
>>
>> Yet in spite of that --disable-scdaemon option, I still get what looks
>> like an SC-related error in the log each time I try to use gpg:
>> (and the agent fails to do its job):
>>
>> 2011-11-27 22:29:21 gpg-agent[13380] error getting default authentication
>> keyID of card: Not supported
>
> You probably need to disable gnome-keyring-daemon's gpg-agent.  It
> doesn't support certain agent commands (yet?).
>
> Use 'gnome-session-properties' and uncheck the 'GPG Password Agent'
> that says 'GNOME Keyring'.

Thank you for the suggestion.
That would probably help if I were using gnome, but gnome is not involved.
The above is what I use to start X with awesome as my window manager.

From wk at gnupg.org Mon Nov 28 15:11:05 2011
From: wk at gnupg.org (Werner Koch)
Date: Mon, 28 Nov 2011 15:11:05 +0100
Subject: cert-related "make check" failures
In-Reply-To: <87ty5oe7t2.fsf@rho.meyering.net> (Jim Meyering's message of "Mon, 28 Nov 2011 13:43:37 +0100")
References: <874nxpp9sv.fsf@rho.meyering.net> <87ty5oa99z.fsf@vigenere.g10code.de> <87ty5oe7t2.fsf@rho.meyering.net>
Message-ID: <87borw9w1y.fsf@vigenere.g10code.de>

On Mon, 28 Nov 2011 13:43, jim at meyering.net said:

> Ok.  Sending separately.

Applied.

Thanks,

   Werner

--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

From jim at meyering.net Mon Nov 28 15:24:53 2011
From: jim at meyering.net (Jim Meyering)
Date: Mon, 28 Nov 2011 15:24:53 +0100
Subject: cert-related "make check" failures
In-Reply-To: <87borw9w1y.fsf@vigenere.g10code.de> (Werner Koch's message of "Mon, 28 Nov 2011 15:11:05 +0100")
References: <874nxpp9sv.fsf@rho.meyering.net> <87ty5oa99z.fsf@vigenere.g10code.de> <87ty5oe7t2.fsf@rho.meyering.net> <87borw9w1y.fsf@vigenere.g10code.de>
Message-ID: <87ehwscoju.fsf@rho.meyering.net>

Werner Koch wrote:
> On Mon, 28 Nov 2011 13:43, jim at meyering.net said:
>
>> Ok.  Sending separately.
>
> Applied.

Thanks.
With that, I can chain build your five packages like this:
(modulo gnupg's three make check failures)

    p=/tmp/gpg-tmp
    mkdir $p || exit 1
    export PATH=$p/bin:$PATH
    export LD_LIBRARY_PATH=$p/lib

    # Run this in another window.
    #tail -n0 -F {libgpg-error,libksba,libassuan,libgcrypt,gnupg}/log &

    prev=
    cfg="./configure --enable-maintainer-mode --prefix=$p"
    for i in libgpg-error libassuan libksba libgcrypt gnupg; do
      echo $i...
      test -n "$prev" && cfg="$cfg --with-$prev-prefix=$p"
      (cd $i && eval $cfg && make && make check && make install) > $i/log 2>&1 \
        || { echo FAIL; break; }
      prev=$i
    done