From falko.strenzke at mtg.de Wed Mar 6 11:46:18 2024 
From: falko.strenzke at mtg.de (Falko Strenzke)
Date: Wed, 6 Mar 2024 11:46:18 +0100
Subject: enabling gcc's -fanalyzer option
Message-ID:

Hi,

I enabled -fanalyzer for GnuPG in my project. It reports quite a few
findings. Some of them (or even the majority) might be false positives. I
haven't checked that, though. However, the one I quote below seems like a
true positive (the line numbers in current master slightly deviate, but the
picture is simple anyway: md has to be initialized to NULL when declared).

Just as a suggestion from me to add a flag to the configure script to enable
this gcc feature. I am still looking for a way to inform the static analyzer
in the source code about certain semantics (i.e. restrictions on the values
returned by functions in external libraries), this would be very helpful to
suppress false positives.

- Falko

sign.c:1760:3: warning: use of uninitialized value ‘md’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value]
 1760 |   gcry_md_close (md);
      |   ^~~~~~~~~~~~~~~~~~
  ‘sign_symencrypt_file’: events 1-7
    |
    | 1587 |   gcry_md_hd_t md;
    |      |                ^~
    |      |                |
    |      |                (1) region created on stack here
    |      |                (2) capacity: 8 bytes
    |......
    | 1618 |   if (rc)
    |      |      ~
    |      |      |
    |      |      (3) following ‘true’ branch (when ‘rc != 0’)...
    | 1619 |     goto leave;
    |      |     ~~~~
    |      |     |
    |      |     (4) ...to here
    |......
    | 1751 |   if (rc)
    |      |      ~
    |      |      |
    |      |      (5) following ‘true’ branch (when ‘rc != 0’)...
    | 1752 |     iobuf_cancel (out);
    |      |     ~~~~~~~~~~~~~~~~~~
    |      |     |
    |      |     (6) ...to here
    |......
    | 1760 |   gcry_md_close (md);
    |      |   ~~~~~~~~~~~~~~~~~~
    |      |   |
    |      |   (7) use of uninitialized value ‘md’ here
    |

--
*MTG AG*
Dr. Falko Strenzke
Executive System Architect

From wk at gnupg.org Wed Mar 6 15:55:03 2024
From: wk at gnupg.org (Werner Koch)
Date: Wed, 06 Mar 2024 15:55:03 +0100
Subject: enabling gcc's -fanalyzer option
In-Reply-To: (Falko Strenzke's message of "Wed, 6 Mar 2024 11:46:18 +0100")
References:
Message-ID: <87bk7rtnp4.fsf@jacob.g10code.de>

Hi!

and thanks for the report.

On Wed, 6 Mar 2024 11:46, Falko Strenzke said:

> I enabled -fanalyzer for GnuPG in my project. It reports quite a few findings.
> Some of them (or even the majority) might be false positives. I haven't

That is the reason why we don't run this or other static analyzers
regularly. Your case is pretty obvious. It is only in master due to

  gpg: Add parallelized filter for hashing.
  https://dev.gnupg.org/rG1ddd69935da629188dcf9215cd9e7a8f68b34a97

> Just as a suggestion from me to add a flag to the configure script to enable
> this gcc feature. I am still looking for a way to inform the static analyzer

  make CFLAGS="-fanalyzer"

is what I would do.


Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein

From yselkowi at redhat.com Mon Mar 11 04:41:47 2024
From: yselkowi at redhat.com (Yaakov Selkowitz)
Date: Sun, 10 Mar 2024 23:41:47 -0400
Subject: [PATCH] gnome3: prefer gcr-4
Message-ID: <20240311034200.338133-1-yselkowi@redhat.com>

Newer distributions are now using gcr-4, while older ones will still have
gcr-3. The APIs used by pinentry have not changed in between versions,
only the top-level header has changed. Also, for gcr-3, only gcr-base-3
is required.

(I have attempted to sign up for a dev.gnupg.org account, but am still
awaiting verification.)

Signed-off-by: Yaakov Selkowitz
---
 configure.ac             | 19 ++++++++++++++-----
 gnome3/pinentry-gnome3.c |  4 ++++
 2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/configure.ac b/configure.ac index f9d090f..7dde8fb 100644 --- a/configure.ac +++ b/configure.ac @@ -458,15 +458,24 @@ AM_CONDITIONAL(BUILD_PINENTRY_GTK_2, test "$pinentry_gtk_2" = "yes") if test "$pinentry_gnome_3" != "no"; then PKG_CHECK_MODULES( GNOME3, - [gcr-3,gcr-base-3], + [gcr-4], [ pinentry_gnome_3=yes AC_DEFINE(GCR_API_SUBJECT_TO_CHANGE, 1, [Nod nod]) + AC_DEFINE(GCR_API_4, 1, [GCR API version]) ], - [ - AC_MSG_WARN([pkg-config could not find the module gcr-3,gcr-base-3]) - pinentry_gnome_3=no - ] + [PKG_CHECK_MODULES( + GNOME3, + [gcr-base-3], + [ + pinentry_gnome_3=yes + AC_DEFINE(GCR_API_SUBJECT_TO_CHANGE, 1, [Nod nod]) + ], + [ + AC_MSG_WARN([pkg-config could not find the module gcr-4 or gcr-base-3]) + pinentry_gnome_3=no + ] + )] ) fi diff --git a/gnome3/pinentry-gnome3.c b/gnome3/pinentry-gnome3.c index 8a8fbed..7f21d6f 100644 --- a/gnome3/pinentry-gnome3.c +++ b/gnome3/pinentry-gnome3.c @@ -23,7 +23,11 @@ # include "config.h" #endif +#ifdef GCR_API_4 +#include +#else #include +#endif #include #include -- 2.44.0 From yselkowi at redhat.com Mon Mar 11 04:19:36 2024 From: yselkowi at redhat.com (Yaakov Selkowitz) Date: Sun, 10 Mar 2024 23:19:36 -0400 Subject: [PATCH] gnome3: prefer gcr-4 Message-ID: <20240311031939.320469-1-yselkowi@redhat.com> Newer distributions are now using gcr-4, while older ones will still have gcr-3. The APIs used by pinentry have not changed in between versions, only the top-level header has changed. Also, for gcr-3, only gcr-base-3 is required. (I have attempted to sign up for a dev.gnupg.org account, but am still awaiting verification.) Signed-off-by: Yaakov Selkowitz --- configure.ac | 19 ++++++++++++++----- gnome3/pinentry-gnome3.c | 4 ++++ 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/configure.ac b/configure.ac index f9d090f..7dde8fb 100644 --- a/configure.ac +++ b/configure.ac 
@@ -458,15 +458,24 @@ AM_CONDITIONAL(BUILD_PINENTRY_GTK_2, test "$pinentry_gtk_2" = "yes") if test "$pinentry_gnome_3" != "no"; then PKG_CHECK_MODULES( GNOME3, - [gcr-3,gcr-base-3], + [gcr-4], [ pinentry_gnome_3=yes AC_DEFINE(GCR_API_SUBJECT_TO_CHANGE, 1, [Nod nod]) + AC_DEFINE(GCR_API_4, 1, [GCR API version]) ], - [ - AC_MSG_WARN([pkg-config could not find the module gcr-3,gcr-base-3]) - pinentry_gnome_3=no - ] + [PKG_CHECK_MODULES( + GNOME3, + [gcr-base-3], + [ + pinentry_gnome_3=yes + AC_DEFINE(GCR_API_SUBJECT_TO_CHANGE, 1, [Nod nod]) + ], + [ + AC_MSG_WARN([pkg-config could not find the module gcr-4 or gcr-base-3]) + pinentry_gnome_3=no + ] + )] ) fi diff --git a/gnome3/pinentry-gnome3.c b/gnome3/pinentry-gnome3.c index 8a8fbed..7f21d6f 100644 --- a/gnome3/pinentry-gnome3.c +++ b/gnome3/pinentry-gnome3.c @@ -23,7 +23,11 @@ # include "config.h" #endif +#ifdef GCR_API_4 +#include +#else #include +#endif #include #include -- 2.44.0 From wk at gnupg.org Mon Mar 11 11:52:17 2024 
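Review bot: In the configure.ac hunk, the `PKG_CHECK_MODULES(GNOME3, [gcr-4], ...)` probe is automatic, so which library pinentry-gnome3 links against depends on what happens to be installed on the build host, and there is no configure switch to pin gcr-3 when both versions are present. For reproducible distribution builds consider an explicit option (for example a `--with-gcr=3|4|auto` style switch; the name is only a suggestion) that skips the first probe. Two smaller points in the same hunk: `AC_DEFINE(GCR_API_SUBJECT_TO_CHANGE, 1, [Nod nod])` is now repeated in both success branches and could be emitted once after the checks when `pinentry_gnome_3` is yes, and the description `[GCR API version]` reads as if `GCR_API_4` carried a version number, while it is only a flag.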
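Review bot: In the gnome3/pinentry-gnome3.c hunk, the new `#ifdef GCR_API_4` test depends on config.h having been pulled in just above, and that include sits inside a conditional block (its `#endif` is the first context line of the hunk). If that condition is ever false the macro is undefined and the `#else` branch silently selects the gcr-3 header even when configure picked gcr-4. A one-line comment saying that GCR_API_4 comes from configure.ac, or an annotated `#else /* gcr-base-3 */`, would make the dependency visible to the next reader.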
From: wk at gnupg.org (Werner Koch)
Date: Mon, 11 Mar 2024 11:52:17 +0100
Subject: [PATCH] gnome3: prefer gcr-4
In-Reply-To: <20240311031939.320469-1-yselkowi@redhat.com> (Yaakov Selkowitz via Gnupg-devel's message of "Sun, 10 Mar 2024 23:19:36 -0400")
References: <20240311031939.320469-1-yselkowi@redhat.com>
Message-ID: <87a5n5oxb2.fsf@jacob.g10code.de>

Hi!

On Sun, 10 Mar 2024 23:19, Yaakov Selkowitz said:

> Newer distributions are now using gcr-4, while older ones will still have
> gcr-3. The APIs used by pinentry have not changed in between versions,
> only the top-level header has changed. Also, for gcr-3, only gcr-base-3
> is required.

I just pushed your change. Thanks.

> (I have attempted to sign up for a dev.gnupg.org account, but am still
> awaiting verification.)

Approved. Sorry, there are so many bot generated attempts that we can't
timely approve well sounding accounts.


Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein

From wk at gnupg.org Tue Mar 12 09:44:07 2024
From: wk at gnupg.org (Werner Koch)
Date: Tue, 12 Mar 2024 09:44:07 +0100
Subject: [Announce] GnuPG 2.4.5 released
Message-ID: <87edcfon54.fsf@jacob.g10code.de>

Hello!

We are pleased to announce the availability of a new stable GnuPG
release: version 2.4.5. This version fixes a couple of bugs and comes
with some new features.


What is GnuPG
=============

The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation
of the OpenPGP and S/MIME standards.

GnuPG allows to encrypt and sign data and communication, features a
versatile key management system as well as access modules for public key
directories. GnuPG itself is a command line tool with features for easy
integration with other applications. The separate library GPGME provides
a uniform API to use the GnuPG engine by software written in common
programming languages. A wealth of frontend applications and libraries
making use of GnuPG are available. As a universal crypto engine GnuPG
provides support for S/MIME and Secure Shell in addition to OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom). It can
be freely used, modified and distributed under the terms of the GNU
General Public License.


Noteworthy changes in version 2.4.5
===================================

  * gpg,gpgv: New option --assert-pubkey-algo.  [T6946]

  * gpg: Emit status lines for errors in the compression layer.
    [T6977]

  * gpg: Fix invocation with --trusted-keys and --no-options.  [T7025]

  * gpgsm: Allow for a longer salt in PKCS#12 files.  [T6757]

  * gpgtar: Make --status-fd=2 work on Windows.  [T6961]

  * scd: Support for the ACR-122U NFC reader.  [rG1682ca9f01]

  * scd: Support D-TRUST ECC cards.  [T7000,T7001]

  * scd: Allow auto detaching of kernel drivers; can be disabled with
    the new compatibility-flag ccid-no-auto-detach.  [rGa1ea3b13e0]

  * scd: Allow setting a PIN length of 6 also with a reset code for
    openpgp cards.  [T6843]

  * agent: Allow GET_PASSPHRASE in restricted mode.
    [rGadf4db6e20]

  * dirmngr: Trust system's root CAs for checking CRL issuers.
    [T6963]

  * dirmngr: Fix regression in 2.4.4 in fetching keys via hkps.
    [T6997]

  * gpg-wks-client: Make option --mirror work properly w/o specifying
    domains.  [rG37cc255e49]

  * g13,gpg-wks-client: Allow command style options as in "g13 mount
    foo".  [rGa09157ccb2]

  * Allow tilde expansion for the foo-program options.  [T7017]

  * Make the getswdb.sh tool usable outside the GnuPG tree.

Release-info: https://dev.gnupg.org/T6960


Getting the Software
====================

Please follow the instructions found at or read on:

GnuPG may be downloaded from one of the GnuPG mirror sites or direct
from its primary FTP server. The list of mirrors can be found at .
Note that GnuPG is not available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature
are available here:

 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.5.tar.bz2 (7704k)
 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.5.tar.bz2.sig

A new release of the Windows version in the form of the full featured
Gpg4win installer including this version of GnuPG is available here:

 https://files.gpg4win.org/gpg4win-4.3.1.exe (34M)
 https://files.gpg4win.org/gpg4win-4.3.1.exe.sig

and its source code is

 https://files.gpg4win.org/gpg4win-4.3.1.tar.xz (219M)
 https://files.gpg4win.org/gpg4win-4.3.1.tar.xz.sig


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a version of GnuPG installed, you can simply
   verify the supplied signature. For example to verify the signature
   of the file gnupg-2.4.5.tar.bz2 you would use this command:

     gpg --verify gnupg-2.4.5.tar.bz2.sig gnupg-2.4.5.tar.bz2

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by one or more of the release signing keys.
   Make sure that this is a valid key, either by matching the shown
   fingerprint against a trustworthy list of valid release signing
   keys or by checking that the key has been signed by trustworthy
   other keys. See the end of this mail for information on the
   signing keys.

 * If you are not able to use an existing version of GnuPG, you have
   to verify the SHA-1 checksum. On Unix systems the command to do
   this is either "sha1sum" or "shasum". Assuming you downloaded the
   file gnupg-2.4.5.tar.bz2, you run the command like this:

     sha1sum gnupg-2.4.5.tar.bz2

   and check that the output matches the next line:

ae0935ead29a2dfa34d6b48d70808652bc3ca73b  gnupg-2.4.5.tar.bz2
7c5fa919c2eb90194e844de027a36e87c7be8a80  gpg4win-4.3.1.exe


Internationalization
====================

This version of GnuPG has support for 26 languages with Chinese
(traditional and simplified), Czech, French, German, Italian,
Japanese, Norwegian, Polish, Russian, Turkish, and Ukrainian being
almost completely translated.


Documentation and Support
=========================

The file gnupg.info has the complete reference manual of the system.
Separate man pages are included as well but they miss some of the
details available only in the manual. The manual is also available
online at

 https://gnupg.org/documentation/manuals/gnupg/

or can be downloaded as PDF at

 https://gnupg.org/documentation/manuals/gnupg.pdf

You may also want to search the GnuPG mailing list archives or ask on
the gnupg-users mailing list for advice on how to solve problems. Most
of the new features are around for several years and thus enough
public experience is available. https://wiki.gnupg.org has user
contributed information around GnuPG and related software.

In case of build problems specific to this release please first check
https://dev.gnupg.org/T6960 for updated information.

Please consult the archive of the gnupg-users mailing list before
reporting a bug: https://gnupg.org/documentation/mailing-lists.html.
We suggest to send bug reports for a new release to this list in favor
of filing a bug at https://bugs.gnupg.org. If you need commercial
support go to https://gnupg.com or https://gnupg.org/service.html.

If you are a developer and you need a certain feature for your
project, please do not hesitate to bring it to the gnupg-devel mailing
list for discussion.


Thanks
======

Since 2001 maintenance and development of GnuPG is done by g10 Code
GmbH and has mostly been financed by donations. Several full-time
employed developers and contractors are working exclusively on GnuPG
and closely related software like Libgcrypt, GPGME, Kleopatra and
Gpg4win.

Fortunately, and this is still not common with free software, we have
established a way of financing the development while keeping all our
software free and freely available for everyone. Our model is similar
to the way RedHat manages RHEL and Fedora: Except for the actual
binary of the MSI installer for Windows and client specific
configuration files, all the software is available under the GNU GPL
and other Open Source licenses. Thus customers may even build and
distribute their own version of the software as long as they do not
use our trademarks GnuPG Desktop® or GnuPG VS-Desktop®.

We like to thank all the nice people who are helping the GnuPG
project, be it testing, coding, translating, suggesting, auditing,
administering the servers, spreading the word, answering questions on
the mailing lists, or helped with donations.

*Thank you all*

   Your GnuPG hackers


p.s.
This is an announcement only mailing list. Please send replies only to
the gnupg-users at gnupg.org mailing list.


List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered by
malicious entities we provide signature files for all tarballs and
binary versions. The keys are also signed by the long term keys of
their respective owners.
Current releases are signed by one or more of these four keys:

  rsa3072 2017-03-17 [expires: 2027-03-15]
  5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

  ed25519 2020-08-24 [expires: 2030-06-30]
  6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA
  Werner Koch (dist signing 2020)

  ed25519 2021-05-19 [expires: 2027-04-04]
  AC8E 115B F73E 2D8D 47FA 9908 E98E 9B2D 19C6 C8BD
  Niibe Yutaka (GnuPG Release Key)

  brainpoolP256r1 2021-10-15 [expires: 2029-12-31]
  02F3 8DFF 731F F97C B039 A1DA 549E 695E 905B A208
  GnuPG.com (Release Signing Key 2021)

The keys are available at https://gnupg.org/signature_key.html and
in any recently released GnuPG tarball in the file g10/distsigkey.gpg .
Note that this mail has been signed by a different key.

--
Arguing that you don't care about the right to privacy
because you have nothing to hide is no different from
saying you don't care about free speech because you have
nothing to say.                       - Edward Snowden

From ralph at ml.seichter.de Tue Mar 12 13:07:19 2024
From: ralph at ml.seichter.de (Ralph Seichter)
Date: Tue, 12 Mar 2024 13:07:19 +0100
Subject: [Announcement] GnuPG for OS X 2.4.5
Message-ID: <874jdblklk.fsf@ra.horus-it.com>

GnuPG for OS X / macOS release 2.4.5 is now available for download via
https://sourceforge.net/p/gpgosx/docu/Download/ . The disk image
signature key is available via public keyservers, and it can also be
downloaded from https://www.seichter.de/pgp/gpgosx-signing.asc .

  pub   ed25519/FD56297D9833FF7F 2022-07-07 [SC] [expires: 2027-07-06]
        Key fingerprint = EAB0 FE4F F793 D9E7 028E C8E2 FD56 297D 9833 FF7F
  uid   [ultimate] Ralph Seichter (GnuPG for OS X signing key)

GnuPG 2.4.x is installed in /usr/local/gnupg-2.4 instead of the formerly
hardcoded directory /usr/local/gnupg-2.2. This enables installing both
stable and LTS releases of GnuPG for OS X side by side, for advanced
users' needs. The one caveat is that the latest installation will
replace existing soft links in /usr/local/{bin,lib}. Please use absolute
paths like /usr/local/gnupg-2.2/bin/gpg2 if necessary.

Enjoy.

-Ralph

From bernhard at intevation.de Wed Mar 13 09:59:17 2024
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 13 Mar 2024 09:59:17 +0100
Subject: dev.gnupg.com handling of (release) tasks
Message-ID: <202403130959.29749.bernhard@intevation.de>

Moin Werner and team,

congrats to the 2.4.5 GnuPG release.

When checking the release task:
  https://dev.gnupg.org/T6960
I see that a number of listed tasks are not resolved yet.
Also for the previous release task.

Is this on purpose, as some of them probably should be resolved?

(Would it be helpful if I did set some of those on resolve?
Is there a document describing when this should happen for dev helpers?)

Regards,
Bernhard

--
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors: Frank Koormann, Bernhard Reiter

From wk at gnupg.org Wed Mar 13 10:34:05 2024
From: wk at gnupg.org (Werner Koch)
Date: Wed, 13 Mar 2024 10:34:05 +0100
Subject: dev.gnupg.com handling of (release) tasks
In-Reply-To: <202403130959.29749.bernhard@intevation.de> (Bernhard Reiter via Gnupg-devel's message of "Wed, 13 Mar 2024 09:59:17 +0100")
References: <202403130959.29749.bernhard@intevation.de>
Message-ID: <87zfv2mq5u.fsf@jacob.g10code.de>

On Wed, 13 Mar 2024 09:59, Bernhard Reiter said:

> I see that a number of listed tasks are not resolved yet.

This is on purpose. A reference to a task does not mean that a task has
been completely resolved. For example a backport might still be needed
or we keep it open because further things will go by this reference.


Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein

From andrewg at andrewg.com Sun Mar 17 00:30:07 2024
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Sat, 16 Mar 2024 23:30:07 +0000
Subject: Hockeypuck 2.2
Message-ID:

Hi, all.

I have a stable development branch for Hockeypuck 2.2 that is ready for
beta testing. If anyone wants to help test, please pull the latest branch
at https://github.com/pgpkeys-eu/hockeypuck/tree/branch-2.2.0 onto a test
machine, and restore from a fresh dump (this is important). For testing
purposes, please comment out any SeenCache setting from your config file.

New features include:

* No more update churn! (TM)
* No more images
* Automatic deletion of personal data from hard-revoked keys (*)
* Automatic deletion of corrupted and misplaced packets
* Proper handling of detached revocation signatures

This update will require a dump and reload due to the large number of
corrupt packets that need to be cleaned from the dataset. While it is
technically possible to upgrade in-place and wait for the database to
self-clean, this is highly inefficient and causes a large amount of disk
load. My test nodes thrashed for over a week when I tested this?!

Note also that for the same reason hockeypuck 2.2 *will not* sync with
either hockeypuck 2.1 or sks-keyserver 1.1.6 - it is necessary to impose a
hard version bump to prevent the deltas overwhelming sync.

Any further ideas, comments, or questions are welcome! :-)

Thanks,
A

(* https://github.com/hockeypuck/hockeypuck/wiki/HIP-5:-Reliable-personal-data-deletion-using-self-signatures)

[crossposted from hockeypuck-devel at googlegroups.com]

From megamind6155 at nixnet.email Sun Mar 24 16:17:56 2024
From: megamind6155 at nixnet.email (megamind6155)
Date: Sun, 24 Mar 2024 20:47:56 +0530
Subject: Cannot understand output of libgcrypt's hashing functions
Message-ID:

Hello,

I'm trying to use libgcrypt to generate a hash. I'm pretty new to
programming so I'm just testing out the library.

This is the code I've written:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <gcrypt.h>

    int main(void) {
        /* Initialize libgcrypt and report its version. */
        const char* gcrypt_version = gcry_check_version(NULL);
        if (!gcrypt_version) {
            fprintf(stderr, "ERROR: libgcrypt was unable to initialize\n");
            exit(2);
        }
        printf("Gcrypt Version: %s\n", gcrypt_version);

        gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
        gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);

        if (!gcry_control(GCRYCTL_INITIALIZATION_FINISHED_P)) {
            fprintf(stderr, "ERROR: libgcrypt has not been initialized\n");
            abort();
        }

        char* text = "hello\n";
        char hash_storage[200] = {0};
        /* The digest is written into hash_storage and printed as a C string. */
        gcry_md_hash_buffer(GCRY_MD_MD5, hash_storage, text, strlen(text));
        printf("%s\n", hash_storage);

        return 0;
    }

As you can see I'm just trying to test out this function. Everything
runs but at the end the printf prints out jibberish which I'm unable
to interpret. How is the hash digest encoded?

Yours faithfully,
megamind6155.

From jcb62281 at gmail.com Mon Mar 25 01:39:36 2024
From: jcb62281 at gmail.com (Jacob Bachmeyer)
Date: Sun, 24 Mar 2024 19:39:36 -0500
Subject: Cannot understand output of libgcrypt's hashing functions
In-Reply-To:
References:
Message-ID: <6600C7C8.7060109@gmail.com>

megamind6155 via Gnupg-devel wrote:
> Hello,
>
> I'm trying to use libgcrypt to generate a hash. I'm pretty new to
> programming so I'm just testing out the library.
>
> This is the code I've written:
>
> [...]
>
> As you can see I'm just trying to test out this function. Everything
> runs but at the end the printf prints out jibberish which I'm unable
> to interpret. How is the hash digest encoded?

That jibberish is almost certainly a binary MD5 digest of "hello\n". Try
piping the output of your program through "hexdump -C" and compare the
last bytes to the output of "echo hello | md5sum" at a shell prompt.

As for how to use this, try writing a simple routine to dump the hash
value as hexadecimal instead of trying to print it as a string.


-- Jacob

From megamind6155 at nixnet.email Mon Mar 25 05:54:05 2024
From: megamind6155 at nixnet.email (megamind6155)
Date: Mon, 25 Mar 2024 10:24:05 +0530
Subject: Cannot understand output of libgcrypt's hashing functions
In-Reply-To: <6600C7C8.7060109@gmail.com>
References: <6600C7C8.7060109@gmail.com>
Message-ID: <9bc2fb89-1cdd-4a50-a457-6a0dc270cc4c@nixnet.email>

I read out each element in the array as a hexadecimal and the output was
matching. Thank you for your help.

Yours faithfully,
megamind6155.

On 25/03/24 06:09, Jacob Bachmeyer wrote:
> megamind6155 via Gnupg-devel wrote:
>> Hello,
>>
>> I'm trying to use libgcrypt to generate a hash. I'm pretty new to
>> programming so I'm just testing out the library.
>>
>> This is the code I've written:
>>
>> [...]
>>
>> As you can see I'm just trying to test out this function. Everything
>> runs but at the end the printf prints out jibberish which I'm unable
>> to interpret. How is the hash digest encoded?
> That jibberish is almost certainly a binary MD5 digest of "hello\n". Try
> piping the output of your program through "hexdump -C" and compare the
> last bytes to the output of "echo hello | md5sum" at a shell prompt.
>
> As for how to use this, try writing a simple routine to dump the hash
> value as hexadecimal instead of trying to print it as a string.
>
>
> -- Jacob
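
Added example, not part of the original messages: the hex-dump routine suggested in the thread above, with a check against the md5sum form of the digest. The MD5 bytes of "hello\n" are embedded as a constructed sample so the block builds without libgcrypt; the names digest_to_hex, hex_matches, hash_hex and the WITH_LIBGCRYPT switch are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef WITH_LIBGCRYPT              /* build: cc -DWITH_LIBGCRYPT demo.c -lgcrypt */
#include <gcrypt.h>
#endif

#define MAX_DIGEST 64              /* large enough for SHA-512 */

/* Constructed sample: the 16 raw bytes of MD5("hello\n"). */
static const unsigned char SAMPLE_MD5_HELLO[16] = {
    0xb1, 0x94, 0x6a, 0xc9, 0x24, 0x92, 0xd2, 0x34,
    0x7c, 0x62, 0x35, 0xb4, 0xd2, 0x61, 0x11, 0x84
};

/* Hex-encode len digest bytes into out, which must hold 2*len+1 bytes.
   The bytes are unsigned char: with plain (signed) char, a byte such as
   0xb1 is negative and "%02x" would print ffffffb1.
   Returns the number of hex characters written, or -1 if out is too small. */
int digest_to_hex(const unsigned char *digest, size_t len,
                  char *out, size_t outsize)
{
    static const char hexdigits[] = "0123456789abcdef";
    if (outsize < 2 * len + 1)
        return -1;
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = hexdigits[digest[i] >> 4];
        out[2 * i + 1] = hexdigits[digest[i] & 0x0f];
    }
    out[2 * len] = '\0';
    return (int)(2 * len);
}

/* Compare a binary digest with a hex string such as the first field of
   md5sum output. Case-insensitive; returns 1 on match, 0 otherwise. */
int hex_matches(const unsigned char *digest, size_t len, const char *expected_hex)
{
    char hex[2 * MAX_DIGEST + 1];
    if (digest_to_hex(digest, len, hex, sizeof hex) < 0)
        return 0;
    if (strlen(expected_hex) != 2 * len)
        return 0;
    for (size_t i = 0; i < 2 * len; i++)
        if (tolower((unsigned char)expected_hex[i]) != hex[i])
            return 0;
    return 1;
}

#ifdef WITH_LIBGCRYPT
/* Hash buf with libgcrypt and hex-encode the result. The digest length is
   asked from the library instead of guessing a buffer size. */
int hash_hex(int algo, const void *buf, size_t n, char *out, size_t outsize)
{
    unsigned char digest[MAX_DIGEST];
    unsigned int dlen = gcry_md_get_algo_dlen(algo);
    if (dlen == 0 || dlen > sizeof digest)
        return -1;
    gcry_md_hash_buffer(algo, digest, buf, n);
    return digest_to_hex(digest, dlen, out, outsize);
}
#endif

int main(void)
{
    char hex[2 * MAX_DIGEST + 1];
#ifdef WITH_LIBGCRYPT
    if (!gcry_check_version(NULL))
        return 2;
    gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
    gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
    if (hash_hex(GCRY_MD_MD5, "hello\n", 6, hex, sizeof hex) < 0)
        return 1;
#else
    if (digest_to_hex(SAMPLE_MD5_HELLO, sizeof SAMPLE_MD5_HELLO,
                      hex, sizeof hex) < 0)
        return 1;
#endif
    printf("%s\n", hex);
    /* Exit status 0 only if the text form equals the known digest. */
    return hex_matches(SAMPLE_MD5_HELLO, sizeof SAMPLE_MD5_HELLO, hex) ? 0 : 1;
}
```

Built with -DWITH_LIBGCRYPT and linked against libgcrypt, the same main hashes "hello\n" through gcry_md_hash_buffer instead of using the embedded bytes.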