From: tobias.wendorff at tu-dortmund.de (Tobias Wendorff)
Date: Sat, 4 Jan 2020 23:19:03 +0100
Subject: OpenSSH got U2F support - an idea for GnuPG?
Message-ID: <59c64022654dff9a902fbab9fe075347.squirrel@webmail.tu-dortmund.de>

Hi there,

in November 2019, Yubikey released a patch for libfido2, which acts as a
middleware to talk between OpenSSH and U2F/FIDO2 tokens (so it also works
with the older FIDO(1) standard). Actually libfido2 now "emulates" PKCS#11
(PIV card interface). Also OpenSSH got patched to talk to U2F tokens now.

Duo wrote a nice article on it:
https://duo.com/labs/tech-notes/u2f-key-support-in-openssh

Would it be possible to use this technique in GnuPG? Sure, it doesn't suit
all security needs. But it could allow anyone with a U2F/FIDO2 token to use
GnuPG e.g. for signing?

Would be happy to discuss the pros / cons with you.

Best regards,
Tobias
From: bruno at clisp.org (Bruno Haible)
Date: Mon, 06 Jan 2020 12:11:42 +0100
Subject: cannot build libgpg-error-1.36 on AIX
Message-ID: <15786741.UddaovaPSF@omega>

Hi,

I'd like to test gsasl on AIX. But gsasl requires libgcrypt, and libgcrypt
requires libgpg-error, and the latest libgpg-error [1] fails to build on
AIX 7.2. Here is the output for a 32-bit mode build with xlc:

===============================================================================
/bin/sh ../libtool --tag=CC --mode=link xlc -qthreaded -qtls -g -L/home/haible/prefix32/lib -o gen-posix-lock-obj gen-posix-lock-obj.o
../libtool[1568]: preserve_args+= --tag CC: not found
../libtool[124]: libtool_args+= -qthreaded: not found
../libtool[766]: compile_command+= -qthreaded: not found
../libtool[767]: finalize_command+= -qthreaded: not found
../libtool[768]: compiler_flags+= -qthreaded: not found
../libtool[124]: libtool_args+= -qtls: not found
../libtool[766]: compile_command+= -qtls: not found
../libtool[767]: finalize_command+= -qtls: not found
../libtool[768]: compiler_flags+= -qtls: not found
../libtool[124]: libtool_args+= -g: not found
../libtool[902]: compile_command+= -g: not found
../libtool[903]: finalize_command+= -g: not found
../libtool[124]: libtool_args+= -L/home/haible/prefix32/lib: not found
../libtool[484]: deplibs+= -L/home/haible/prefix32/lib: not found
../libtool[487]: lib_search_path+= /home/haible/prefix32/lib: not found
../libtool[124]: libtool_args+= -o: not found
../libtool[902]: compile_command+= -o: not found
../libtool[903]: finalize_command+= -o: not found
../libtool[124]: libtool_args+= gen-posix-lock-obj: not found
../libtool[130]: compile_command+= @OUTPUT@: not found
../libtool[131]: finalize_command+= @OUTPUT@: not found
../libtool[124]: libtool_args+= gen-posix-lock-obj.o: not found
../libtool[780]: objs+= gen-posix-lock-obj.o: not found
../libtool[902]: compile_command+= gen-posix-lock-obj.o: not found
../libtool[903]: finalize_command+= gen-posix-lock-obj.o: not found
../libtool[3689]: compile_command+= : not found
../libtool[3690]: finalize_command+= : not found
libtool: link: xlc
/opt/IBM/xlc/13.1.3/bin/.orig/xlc: 1501-294 (S) No input file specified. Please use -qhelp for more information.
make: 1254-004 The error code from the last command is 249.
Stop.
make: 1254-004 The error code from the last command is 1.
===============================================================================

The output for a 64-bit build with xlc and 32-bit and 64-bit builds with gcc
look similar.

Most likely this is caused by the fact that libgpg-error 1.36 includes
libtool version 2.4.2. The newest libtool version is 2.4.6, and AFAIK it
supports AIX fine.

Bruno

[1] https://www.gnupg.org/download/index.html
From: bruno at clisp.org (Bruno Haible)
Date: Mon, 06 Jan 2020 15:08:08 +0100
Subject: cannot build libgpg-error-1.36 on Solaris 10
Message-ID: <3231297.qna9oehyeU@omega>

Building libgpg-error-1.36 on Solaris 10 with cc (CC="cc -xarch=generic64 -O")
fails like this:

Making all in src
gawk -f ../../src/mkerrnos.awk ../../src/errnos.in >code-to-errno.h
gawk -f ../../src/mkerrcodes1.awk ../../src/errnos.in >_mkerrcodes.h
cc -xarch=generic64 -O -E -I/home/haible/prefix-x86_64/include -D_REENTRANT -P _mkerrcodes.h | grep GPG_ERR_ | \
  gawk -f ../../src/mkerrcodes.awk >mkerrcodes.h
rm _mkerrcodes.h
cc -xarch=generic64 -O -I. -I../../src -o mkerrcodes ../../src/mkerrcodes.c
./mkerrcodes | gawk -f ../../src/mkerrcodes2.awk >code-from-errno.h
gawk -f ../../src/mkstrtable.awk -v textidx=2 -v nogettext=1 \
  ../../src/err-sources.h.in >err-sources-sym.h
gawk -f ../../src/mkstrtable.awk -v textidx=2 -v nogettext=1 \
  ../../src/err-codes.h.in >err-codes-sym.h
gawk -f ../../src/mkstrtable.awk -v textidx=2 -v nogettext=1 \
  -v prefix=GPG_ERR_ -v namespace=errnos_ \
  ../../src/errnos.in >errnos-sym.h
cc -xarch=generic64 -O -g -O0 -I. -I../../src -o mkheader ../../src/mkheader.c
cc: Warning: option -0 passed to ld
ld: fatal: unrecognized option '-0'
ld: fatal: use the -z help option for usage information
*** Error code 1
make: Fatal error: Command failed for target `mkheader'

The option -O0 is only understood by GCC and compatible compilers.

Building with gcc (CC="gcc -m64 -O2"), on the other hand, works fine. The
test then fails, though:

Making check in src
make check-am
make check-TESTS
./../../src/gpg-error-config-test.sh: bad substitution
FAIL: ../../src/gpg-error-config-test.sh
=======================================
1 of 1 test failed
Please report to https://bugs.gnupg.org
=======================================
*** Error code 1

That's because /bin/sh on this platform is not POSIX compliant.

Bruno
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Tue, 07 Jan 2020 16:24:51 +0900
Subject: cannot build libgpg-error-1.36 on Solaris 10
In-Reply-To: <3231297.qna9oehyeU@omega>
References: <3231297.qna9oehyeU@omega>
Message-ID: <87h817d8zg.fsf@jumper.gniibe.org>

Hello,

Bruno Haible wrote:
> Building libgpg-error-1.36 on Solaris 10 with cc (CC="cc -xarch=generic64 -O")
> fails like this:
[...]
> cc -xarch=generic64 -O -g -O0 -I. -I../../src -o mkheader ../../src/mkheader.c
> cc: Warning: option -0 passed to ld
> ld: fatal: unrecognized option '-0'
> ld: fatal: use the -z help option for usage information
> *** Error code 1
> make: Fatal error: Command failed for target `mkheader'
>
> The option -O0 is only understood by GCC and compatible compilers.

Thanks. I just pushed the change to master.

> The test then fails, though:
>
> Making check in src
> make check-am
> make check-TESTS
> ./../../src/gpg-error-config-test.sh: bad substitution
> FAIL: ../../src/gpg-error-config-test.sh
> =======================================
> 1 of 1 test failed
> Please report to https://bugs.gnupg.org
> =======================================
> *** Error code 1
>
> That's because /bin/sh on this platform is not POSIX compliant.

This part was fixed in: https://dev.gnupg.org/T4574

--
From: wk at gnupg.org (Werner Koch)
Date: Wed, 08 Jan 2020 14:37:22 +0100
Subject: OpenSSH got U2F support - an idea for GnuPG?
In-Reply-To: <59c64022654dff9a902fbab9fe075347.squirrel@webmail.tu-dortmund.de> (Tobias Wendorff's message of "Sat, 4 Jan 2020 23:19:03 +0100")
References: <59c64022654dff9a902fbab9fe075347.squirrel@webmail.tu-dortmund.de>
Message-ID: <87r20af4rx.fsf@wheatstone.g10code.de>

Hi,

I started to read the protocol description weeks ago but other tasks then
deflected me from this. It is for sure something we should eventually
support.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.

From: aheinecke at gnupg.org (Andre Heinecke)
Date: Fri, 10 Jan 2020 11:27:44 +0100
Subject: [PATCH] Add rpath so the Qt libs are found at runtime
In-Reply-To: <2017691.irdbgypaU6@asterixp50>
References: <2017691.irdbgypaU6@asterixp50>
Message-ID: <2078189.1smr38zsmB@esus>

Hi David,

Thanks for the patch. I've pushed it.

Best Regards,
Andre

--
GnuPG.com - a brand of g10 Code, the GnuPG experts.

g10 Code GmbH, Erkrath/Germany, AG Wuppertal HRB14459
GF Werner Koch, USt-Id DE215605608, www.g10code.com.

GnuPG e.V., Rochusstr. 44, D-40479 Düsseldorf.  VR 11482 Düsseldorf
Board: W.Koch, M.Gollowitzer, A.Heinecke.  Mail: board at gnupg.org
Tax office (Finanzamt) D-Altstadt, tax no.: 103/5923/1779.  Tel: +49-2104-4938799
From: faure at kde.org (David Faure)
Date: Sat, 11 Jan 2020 21:24:29 +0100
Subject: [PATCH] Fix compilation with ncurses-devel-6.1
Message-ID: <1822205.PYKUYFuaPT@asterixp50>

Another one (I can't remember if I sent it already, sorry if I did)

From 5d787a2ced5dffec75add2d07f5604c48d933b38 Mon Sep 17 00:00:00 2001
From: David Faure
Date: Sun, 22 Jul 2018 23:56:48 +0200
Subject: [PATCH] Fix compilation with ncurses-devel-6.1

/usr/include/ncursesw/curses.h is evil and #defines ttytype.
---
 pinentry/pinentry.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pinentry/pinentry.h b/pinentry/pinentry.h
index 009e884..59d4f48 100644
--- a/pinentry/pinentry.h
+++ b/pinentry/pinentry.h
@@ -28,6 +28,8 @@ extern "C" {
 #endif
 #endif
 
+#undef ttytype
+
 typedef enum {
   PINENTRY_COLOR_NONE, PINENTRY_COLOR_DEFAULT,
   PINENTRY_COLOR_BLACK, PINENTRY_COLOR_RED,
-- 
2.16.4

--
David Faure, faure at kde.org, http://www.davidfaure.fr
Working on KDE Frameworks 5
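Review bot: the bare `#undef ttytype` added at new line 31 of pinentry.h carries no comment and sits in a header that every pinentry front end includes, so it silently cancels the `ttytype` macro that /usr/include/ncursesw/curses.h defines (per the commit message) in any translation unit that includes curses.h before pinentry.h; add a comment stating why the #undef is there, and consider placing it in the curses front end directly after its curses.h include, or renaming the struct member, so the other front ends are not affected.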
From: gnupg-devel at spodhuis.org (Phil Pennock)
Date: Sat, 11 Jan 2020 18:18:01 -0500
Subject: openpgpkey-control : WKD website content management
Message-ID: <20200111231800.GA13950@breadbox.private.spodhuis.org>

I've just published something I've been using for a little while:

  https://github.com/PennockTech/openpgpkey-control

I use WKD, but I don't use WKS. I want the content of websites to be
redeployable, and tracked with revision history. The repo above manages that
for me. It should be something which anyone can fork, change the content of
config/, then use for their own sites.

It uses shell (bash), and Python3 in one place, for handling zbase32; it has
no dependencies upon any Python not in the standard library. (This is why I
hadn't published it before now, but I just broke out my personal zbase32
library and included it in-repo; seems to work.)

In the repo: bin/ and lib/ are static, while config/ has three very simple
control files. The content of keyrings/ and sites/ is managed by the tools
in bin/.

Update the keyids in config/keys and run bin/update-keyrings to pull in keys
from your external GnuPG keyring.

Run bin/update-sites to blow away and re-create the sites/ directory; it uses
config/keys and config/domains to control what gets created. It needs
Python (3) installed.

Run bin/deploy-sites to deploy websites; controlled by config/deploys; at
present, only the `rsync` mechanism is supported, it's all I've needed.
`rsync:delete` is used in practice, but leave off the `:delete` until you're
happy.

I just added exim.org to this setup. Having the repo be public should be
fine: there are no secret memberships in exim.org and the whole point is to
make PGP keys publicly available. The email addresses are all obfuscated,
either by being inside a PGP key, or via zbase32 encoding, so it should be
spammer-safe (until they start using PGP).

Regards,
-Phil
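The zbase32 obfuscation mentioned above is the WKD lookup scheme: the local part of the address is lower-cased, SHA-1 hashed and z-base-32 encoded to form the path component under .well-known/openpgpkey. The Go program below is an added example, not code from openpgpkey-control (which does this in Python); it implements the encoder and, going one step beyond the post, builds both the direct-method and advanced-method URLs as laid out in the WKD draft. The address is a constructed sample.

```go
package main

import (
	"crypto/sha1"
	"fmt"
	"net/url"
	"strings"
)

// z-base-32 alphabet as used by WKD for the hashed local part.
const zbase32Alphabet = "ybndrfg8ejkmcpqxot1uwisza345h769"

// ZBase32Encode encodes data as z-base-32 without padding characters; a final
// partial 5-bit group is zero-filled on the right.
func ZBase32Encode(data []byte) string {
	var sb strings.Builder
	var acc uint32 // bit accumulator; only the low nbits bits are meaningful
	nbits := 0
	for _, b := range data {
		acc = acc<<8 | uint32(b)
		nbits += 8
		for nbits >= 5 {
			nbits -= 5
			sb.WriteByte(zbase32Alphabet[(acc>>uint(nbits))&0x1f])
		}
	}
	if nbits > 0 {
		sb.WriteByte(zbase32Alphabet[(acc<<uint(5-nbits))&0x1f])
	}
	return sb.String()
}

// WKDHash computes the WKD "hu" path component: SHA-1 over the lower-cased
// local part, z-base-32 encoded (20 bytes = 160 bits = exactly 32 characters).
func WKDHash(localPart string) string {
	sum := sha1.Sum([]byte(strings.ToLower(localPart)))
	return ZBase32Encode(sum[:])
}

// WKDURLs returns the direct-method and advanced-method lookup URLs of the WKD
// draft for an address. The domain is lower-cased; the local part is passed
// unchanged (only percent-encoded) in the l= query parameter.
func WKDURLs(email string) (direct, advanced string, err error) {
	at := strings.LastIndex(email, "@")
	if at <= 0 || at == len(email)-1 {
		return "", "", fmt.Errorf("not an email address: %q", email)
	}
	local, domain := email[:at], strings.ToLower(email[at+1:])
	h, l := WKDHash(local), url.QueryEscape(local)
	direct = fmt.Sprintf("https://%s/.well-known/openpgpkey/hu/%s?l=%s", domain, h, l)
	advanced = fmt.Sprintf("https://openpgpkey.%s/.well-known/openpgpkey/%s/hu/%s?l=%s", domain, domain, h, l)
	return direct, advanced, nil
}

func main() {
	d, a, err := WKDURLs("Joe.Doe@Example.ORG") // constructed sample address
	fmt.Println(d, a, err)
}
```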
From: aheinecke at gnupg.org (Andre Heinecke)
Date: Mon, 13 Jan 2020 12:29:17 +0100
Subject: openpgpkey-control : WKD website content management
In-Reply-To: <20200111231800.GA13950@breadbox.private.spodhuis.org>
References: <20200111231800.GA13950@breadbox.private.spodhuis.org>
Message-ID: <20508932.HmnKDd37xd@esus>

Hi,

That is great! Thank you.

I have added it to the WKD Hosting page in the wiki as a start.
https://wiki.gnupg.org/WKDHosting

Best Regards,
Andre

From: gniibe at fsij.org (NIIBE Yutaka)
Date: Tue, 14 Jan 2020 14:03:58 +0900
Subject: [PATCH] Fix compilation with ncurses-devel-6.1
In-Reply-To: <1822205.PYKUYFuaPT@asterixp50>
References: <1822205.PYKUYFuaPT@asterixp50>
Message-ID: <877e1u4ojl.fsf@iwagami.gniibe.org>

Hello,

Just my comment to explain the situation.

David Faure wrote:
> --- a/pinentry/pinentry.h
> +++ b/pinentry/pinentry.h
> @@ -28,6 +28,8 @@ extern "C" {
>  #endif
>  #endif
>
> +#undef ttytype
> +
>  typedef enum {
>    PINENTRY_COLOR_NONE, PINENTRY_COLOR_DEFAULT,
>    PINENTRY_COLOR_BLACK, PINENTRY_COLOR_RED,
> --

I haven't had any experience with Ncurses 6.1, thus, I checked the
possible cause.

I realized that when Ncurses is built with --enable-reentrant, the
symbol "ttytype" will be a macro (to access a per-thread variable), which
conflicts with the use case of pinentry's "ttytype", as a member in a struct.

--
From: wiktor at metacode.biz (Wiktor Kwapisiewicz)
Date: Tue, 14 Jan 2020 12:05:49 +0100
Subject: OpenSSH got U2F support - an idea for GnuPG?
In-Reply-To: <59c64022654dff9a902fbab9fe075347.squirrel@webmail.tu-dortmund.de>
Message-ID: <278269bc-80ea-90c7-121f-ba87f287975a@metacode.biz>

Hi Tobias,

U2F devices sign data in a specified format so it's not possible to sign any
byte array [0]; this could conflict with the way GnuPG calculates what should
be signed. If you check out OpenSSH U2F support in detail you'll see that they
defined a special key type (ecdsa-sk [1]) that I guess is used by the server
to wrap raw bytes in the U2F structure before signature verification.

[0]: https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-overview-v1.2-ps-20170411.html#authentication-generating-a-signature
[1]: https://duo.com/labs/tech-notes/u2f-key-support-in-openssh

One interesting aspect of U2F is that virtually all tokens on the market
implement the "unlimited number of keys" feature by having one
manufacturer-burned secret key and then deriving the signing key from that
secret key and the key handle (that's the key ID that is passed by the
application).

To be honest I think if someone has a U2F token then there is a high chance
that this also includes an OpenPGP applet. If not, the U2F token can only be
used for signing data, not for encryption. One advantage of U2F tokens
though is their relatively low price.

Kind regards,
Wiktor

--
https://metacode.biz/@wiktor
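To make the "specified format" point above concrete, here is an added Go example (not code from the thread, from OpenSSH or from libfido2) of the U2F authentication signature structure: a token-side signer that only ever signs the wrapped structure, and the relying-party-side re-wrapping that a verifier such as OpenSSH's ecdsa-sk handling has to perform before checking the signature. The application id, counter and client data are constructed sample values, and the fresh random credential key is an assumption standing in for a token's key derived from its device secret and the key handle.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// U2FSignedData builds the byte string a U2F token actually signs in an
// authentication response (FIDO U2F raw message format):
//   SHA-256(appId) || user-presence byte || 4-byte big-endian counter || SHA-256(clientData)
// Caller-chosen bytes enter only through the client-data hash, which is why a
// U2F token cannot sign an arbitrary byte array the way an OpenPGP key can.
func U2FSignedData(appID string, userPresent bool, counter uint32, clientData []byte) []byte {
	appParam := sha256.Sum256([]byte(appID))
	chalParam := sha256.Sum256(clientData)
	var up byte
	if userPresent {
		up = 1
	}
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	out := append([]byte{}, appParam[:]...)
	out = append(out, up)
	out = append(out, ctr[:]...)
	return append(out, chalParam[:]...)
}

// NewCredential stands in for registration. A real token derives the key from a
// device secret and the key handle; a fresh random P-256 key is an assumption here.
func NewCredential() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// TokenSign is the token side: ECDSA P-256 over SHA-256 of the U2F structure,
// returned DER-encoded as U2F responses carry it.
func TokenSign(priv *ecdsa.PrivateKey, appID string, counter uint32, clientData []byte) ([]byte, error) {
	digest := sha256.Sum256(U2FSignedData(appID, true, counter, clientData))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyU2F is the relying-party side (the wrapping an ecdsa-sk verifier has
// to perform): rebuild the structure from the reported values, then verify.
func VerifyU2F(pub *ecdsa.PublicKey, appID string, userPresent bool, counter uint32, clientData, sig []byte) bool {
	digest := sha256.Sum256(U2FSignedData(appID, userPresent, counter, clientData))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	priv, _ := NewCredential()
	clientData := []byte(`{"challenge":"constructed-sample"}`) // constructed sample
	sig, _ := TokenSign(priv, "https://example.org", 42, clientData)
	fmt.Println("wrapped verify:", VerifyU2F(&priv.PublicKey, "https://example.org", true, 42, clientData, sig))
	raw := sha256.Sum256(clientData) // a verifier checking the bare client data fails
	fmt.Println("raw verify:", ecdsa.VerifyASN1(&priv.PublicKey, raw[:], sig))
}
```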
From: aheinecke at gnupg.org (Andre Heinecke)
Date: Thu, 16 Jan 2020 15:16:31 +0100
Subject: [PATCH] Fix compilation with ncurses-devel-6.1
In-Reply-To: <877e1u4ojl.fsf@iwagami.gniibe.org>
References: <1822205.PYKUYFuaPT@asterixp50> <877e1u4ojl.fsf@iwagami.gniibe.org>
Message-ID: <1685260.TpLO468hZX@esus>

Hi,

On Tuesday 14 January 2020 06:03:58 CET NIIBE Yutaka wrote:
> I haven't had any experience with Ncurses 6.1, thus, I checked the
> possible cause.
>
> I realized that when Ncurses is built with --enable-reentrant, the
> symbol "ttytype" will be a macro (to access a per-thread variable), which
> conflicts with the use case of pinentry's "ttytype", as a member in a struct.

Thanks NIIBE, what do you think, should we just apply the patch? I was not so
happy to just have an #undef in a header because depending on where you
include it, it might break other things.

Best Regards,
Andre Heinecke
From: gnupg-devel at spodhuis.org (Phil Pennock)
Date: Sun, 19 Jan 2020 20:22:20 -0500
Subject: openpgpkey-control : WKD website content management
In-Reply-To: <20508932.HmnKDd37xd@esus>
References: <20200111231800.GA13950@breadbox.private.spodhuis.org> <20508932.HmnKDd37xd@esus>
Message-ID: <20200120012219.GA32100@breadbox.private.spodhuis.org>

On 2020-01-13 at 12:29 +0100, Andre Heinecke wrote:
> That is great! Thank you.
>
> I have added it to the WKD Hosting page in the wiki as a start.
> https://wiki.gnupg.org/WKDHosting

Thanks for that. :)

In case it's of interest, it's grown a little. I don't intend to bother the
list repeatedly about this, but since it's useful and open source, built
around GnuPG, I'm going to do so this once more.

The repo is currently authoritative not just for my own domains but for
"exim.org" too. We can fork for Exim just as soon as another maintainer wants
to deal with this book-keeping. :-D

As well as openpgpkey content areas, it now also generates DNS zonefile
fragments for the domain, in a stable output order (diff minimization) and
can create "key bundles", which are sets of keys which are an export-clean
export from a keyring containing only the keys in the bundle. I.e., "minimal
plus cross-sigs between present keys". This is the process I've been using
for a while for making . Before I just did it manually, but now a tool in
the repo can make this. I think this might be useful for other projects.

There's also a _demo_ Dockerfile/Caddyfile for creating a container which can
be used to implement the openpgpkey.example.org website. If your org has a
container hosting setup for production, this should help with getting you
"one more website" running in a manageable way. Myself, I'm still using
rsync to deploy to existing websites. There are no plans to make docker a
required tool; it's simply a demo which I hope might be useful.

-Phil
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Mon, 20 Jan 2020 17:10:12 +0900
Subject: [PATCH] Fix compilation with ncurses-devel-6.1
In-Reply-To: <1685260.TpLO468hZX@esus>
References: <1822205.PYKUYFuaPT@asterixp50> <877e1u4ojl.fsf@iwagami.gniibe.org> <1685260.TpLO468hZX@esus>
Message-ID: <875zh67dln.fsf@jumper.gniibe.org>

Andre Heinecke wrote:
> On Tuesday 14 January 2020 06:03:58 CET NIIBE Yutaka wrote:
>> I haven't had any experience with Ncurses 6.1, thus, I checked the
>> possible cause.
>>
>> I realized that when Ncurses is built with --enable-reentrant, the
>> symbol "ttytype" will be a macro (to access a per-thread variable), which
>> conflicts with the use case of pinentry's "ttytype", as a member in a struct.
>
> Thanks NIIBE, what do you think, should we just apply the patch? I was not so
> happy to just have an #undef in a header because depending on where you
> include it, it might break other things.

Currently, #undef-ing seems an easy choice for pinentry.

If we want something Right, we'd open a can of worms.

The best thing is that Ncurses will/would eventually offer a good API/ABI
for the use case of --enable-reentrant (in future). Then, the users of
Ncurses can keep existing code with no change. But it seems difficult,
because it will once again break the ABI.

Technically, it can be cleanly implemented with thread-local variables (of
C11), but Ncurses already uses macros and functions to achieve that.

--