From sam at gentoo.org Sun Jan 4 03:11:28 2026 From: sam at gentoo.org (Sam James) Date: Sun, 4 Jan 2026 02:11:28 +0000 Subject: [PATCH GnuPG] Fix -Wlto-type-mismatch warnings [T4416] Message-ID: <4cc541d6db5198d5f01860b228d09f26b5692479.1767492688.git.sam@gentoo.org> * agent/t-protect.c (convert_from_openpgp_native): Sync stub definition. * g10/gpgv.c (keyserver_import_keyid): Sync stub definition. (keyserver_import_cert): Ditto. (keyserver_import_mbox): Ditto. (struct keyserver_spec): Ditto. (parse_keyserver_uri): Ditto. (keyserver_export_pubkey): Ditto. (show_photos): Ditto. * g10/test-stubs.c (keyserver_import_keyid): Sync stub definition. (keyserver_import_cert): Ditto. (keyserver_import_mbox): Ditto. (parse_keyserver_uri): Ditto. (show_photos): Ditto. -- GnuPG-bug-id: 4416 When building with GCC -flto, some warnings appear because of mismatched definitions in stubs (gpgv or tests). Sync them with the real definitions to fix the warnings, as they just drifted over time. Signed-off-by: Sam James --- DCO at https://lists.gnupg.org/pipermail/gnupg-devel/2025-August/036044.html agent/t-protect.c | 7 +++++-- g10/gpgv.c | 49 +++++++++++++++++++++++++++++++---------------- g10/test-stubs.c | 37 ++++++++++++++++++++++------------- 3 files changed, 62 insertions(+), 31 deletions(-) diff --git a/agent/t-protect.c b/agent/t-protect.c index e6edbffba..95452eb29 100644 --- a/agent/t-protect.c +++ b/agent/t-protect.c @@ -341,9 +341,12 @@ main (int argc, char **argv) /* Stub function. */ gpg_error_t -convert_from_openpgp_native (gcry_sexp_t s_pgp, const char *passphrase, - unsigned char **r_key) +convert_from_openpgp_native (ctrl_t ctrl, + gcry_sexp_t s_pgp, + const char *passphrase, + unsigned char **r_key) { + (void)ctrl; (void)s_pgp; (void)passphrase; (void)r_key; diff --git a/g10/gpgv.c b/g10/gpgv.c index b65dfa66b..f5bd404ed 100644 --- a/g10/gpgv.c +++ b/g10/gpgv.c 
@@ -462,10 +462,13 @@ keyserver_any_configured (ctrl_t ctrl) } int -keyserver_import_keyid (u32 *keyid, void *dummy, unsigned int flags) +keyserver_import_keyid (ctrl_t ctrl, u32 *keyid, + struct keyserver_spec *keyserver, + unsigned int flags) { + (void)ctrl; (void)keyid; - (void)dummy; + (void)keyserver; (void)flags; return -1; } @@ -493,9 +496,14 @@ keyserver_import_fpr_ntds (ctrl_t ctrl, } int -keyserver_import_cert (const char *name) +keyserver_import_cert (ctrl_t ctrl, const char *name, int dane_mode, + unsigned char **fpr,size_t *fpr_len) { + (void)ctrl; (void)name; + (void)dane_mode; + (void)fpr; + (void)fpr_len; return -1; } @@ -511,11 +519,18 @@ keyserver_import_wkd (ctrl_t ctrl, const char *name, unsigned int flags, return GPG_ERR_BUG; } -int -keyserver_import_mbox (const char *name,struct keyserver_spec *spec) +gpg_error_t +keyserver_import_mbox (ctrl_t ctrl, const char *mbox, + unsigned char **fpr,size_t *fpr_len, + struct keyserver_spec *keyserver, + unsigned int flags) { - (void)name; - (void)spec; + (void)ctrl; + (void)mbox; + (void)fpr; + (void)fpr_len; + (void)keyserver; + (void)flags; return -1; } @@ -647,15 +662,14 @@ parse_preferred_keyserver(PKT_signature *sig) return NULL; } -struct keyserver_spec * -parse_keyserver_uri (const char *uri, int require_scheme, - const char *configname, unsigned int configlineno) +gpg_error_t +keyserver_export_pubkey (ctrl_t ctrl, PKT_public_key *pk, + int assume_new_key) { - (void)uri; - (void)require_scheme; - (void)configname; - (void)configlineno; - return NULL; + (void)ctrl; + (void)pk; + (void)assume_new_key; + return 0; } void 
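Review bot: The last gpgv.c hunk on this line replaces the `parse_keyserver_uri` stub with a `keyserver_export_pubkey` stub instead of updating it, although the ChangeLog lists `(parse_keyserver_uri): Ditto` and `(keyserver_export_pubkey): Ditto` as two separate entries, so gpgv.c ends up without a `parse_keyserver_uri` definition at all. The test-stubs.c hunk of this same patch keeps `parse_keyserver_uri (const char *string, int require_scheme)`, which looks like the shape intended for gpgv.c as well. Separately, `keyserver_import_mbox` changes its return type to `gpg_error_t` but keeps `return -1;`, which converts to an unsigned value rather than a gpg error code; the `keyserver_import_wkd` stub shown as context directly above returns `GPG_ERR_BUG`, so `return GPG_ERR_BUG;` would keep the stubs consistent. The same `return -1` is in the test-stubs.c `keyserver_import_mbox` hunk on the next line.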
@@ -666,11 +680,14 @@ free_keyserver_spec (struct keyserver_spec *keyserver) /* Stubs to avoid linking to photoid.c */ void -show_photos (const struct user_attribute *attrs, int count, PKT_public_key *pk) +show_photos (ctrl_t ctrl, const struct user_attribute *attrs, int count, + PKT_public_key *pk, PKT_user_id *uid) { + (void)ctrl; (void)attrs; (void)count; (void)pk; + (void)uid; } int diff --git a/g10/test-stubs.c b/g10/test-stubs.c index 9b41c8929..f00f31808 100644 --- a/g10/test-stubs.c +++ b/g10/test-stubs.c @@ -193,10 +193,13 @@ keyserver_any_configured (ctrl_t ctrl) } int -keyserver_import_keyid (u32 *keyid, void *dummy, unsigned int flags) +keyserver_import_keyid (ctrl_t ctrl, u32 *keyid, + struct keyserver_spec *keyserver, + unsigned int flags) { + (void)ctrl; (void)keyid; - (void)dummy; + (void)keyserver; (void)flags; return -1; } @@ -224,9 +227,14 @@ keyserver_import_fpr_ntds (ctrl_t ctrl, } int -keyserver_import_cert (const char *name) +keyserver_import_cert (ctrl_t ctrl, const char *name, int dane_mode, + unsigned char **fpr,size_t *fpr_len) { + (void)ctrl; (void)name; + (void)dane_mode; + (void)fpr; + (void)fpr_len; return -1; } @@ -242,15 +250,18 @@ keyserver_import_wkd (ctrl_t ctrl, const char *name, unsigned int flags, return GPG_ERR_BUG; } -int -keyserver_import_mbox (ctrl_t ctrl, const char *mbox, unsigned char **fpr, - size_t *fprlen, struct keyserver_spec *keyserver) +gpg_error_t +keyserver_import_mbox (ctrl_t ctrl, const char *mbox, + unsigned char **fpr,size_t *fpr_len, + struct keyserver_spec *keyserver, + unsigned int flags) { (void)ctrl; (void)mbox; (void)fpr; - (void)fprlen; + (void)fpr_len; (void)keyserver; + (void)flags; return -1; } 
@@ -382,13 +393,10 @@ parse_preferred_keyserver(PKT_signature *sig) } struct keyserver_spec * -parse_keyserver_uri (const char *uri, int require_scheme, - const char *configname, unsigned int configlineno) +parse_keyserver_uri (const char *string, int require_scheme) { - (void)uri; + (void)string; (void)require_scheme; - (void)configname; - (void)configlineno; return NULL; } @@ -400,11 +408,14 @@ free_keyserver_spec (struct keyserver_spec *keyserver) /* Stubs to avoid linking to photoid.c */ void -show_photos (const struct user_attribute *attrs, int count, PKT_public_key *pk) +show_photos (ctrl_t ctrl, const struct user_attribute *attrs, int count, + PKT_public_key *pk, PKT_user_id *uid) { + (void)ctrl; (void)attrs; (void)count; (void)pk; + (void)uid; } int -- 2.52.0 From sam at gentoo.org Sun Jan 4 06:18:24 2026 From: sam at gentoo.org (Sam James) Date: Sun, 4 Jan 2026 05:18:24 +0000 Subject: [PATCH GnuPG v2] Fix -Wlto-type-mismatch warnings [T4416] In-Reply-To: <4cc541d6db5198d5f01860b228d09f26b5692479.1767492688.git.sam@gentoo.org> References: <4cc541d6db5198d5f01860b228d09f26b5692479.1767492688.git.sam@gentoo.org> Message-ID: <21e2bca92f2d95c942036a3b42f29469648a5bca.1767503904.git.sam@gentoo.org> * agent/t-protect.c (convert_from_openpgp_native): Sync stub definition. * g10/gpgv.c (keyserver_import_keyid): Sync stub definition. (keyserver_import_cert): Ditto. (keyserver_import_mbox): Ditto. (struct keyserver_spec): Ditto. (parse_keyserver_uri): Ditto. (keyserver_export_pubkey): Ditto. (show_photos): Ditto. * g10/test-stubs.c (keyserver_import_keyid): Sync stub definition. (keyserver_import_cert): Ditto. (keyserver_import_mbox): Ditto. (parse_keyserver_uri): Ditto. (show_photos): Ditto. -- GnuPG-bug-id: 4416 When building with GCC -flto, some warnings appear because of mismatched definitions in stubs (gpgv or tests). Sync them with the real definitions to fix the warnings, as they just drifted over time. 
Signed-off-by: Sam James --- v2: Fixed formatting. agent/t-protect.c | 7 +++++-- g10/gpgv.c | 49 +++++++++++++++++++++++++++++++---------------- g10/test-stubs.c | 37 ++++++++++++++++++++++------------- 3 files changed, 62 insertions(+), 31 deletions(-) diff --git a/agent/t-protect.c b/agent/t-protect.c index e6edbffba..9508de36a 100644 --- a/agent/t-protect.c +++ b/agent/t-protect.c @@ -341,9 +341,12 @@ main (int argc, char **argv) /* Stub function. */ gpg_error_t -convert_from_openpgp_native (gcry_sexp_t s_pgp, const char *passphrase, - unsigned char **r_key) +convert_from_openpgp_native (ctrl_t ctrl, + gcry_sexp_t s_pgp, + const char *passphrase, + unsigned char **r_key) { + (void)ctrl; (void)s_pgp; (void)passphrase; (void)r_key; diff --git a/g10/gpgv.c b/g10/gpgv.c index b65dfa66b..065f06db4 100644 --- a/g10/gpgv.c +++ b/g10/gpgv.c @@ -462,10 +462,13 @@ keyserver_any_configured (ctrl_t ctrl) } int -keyserver_import_keyid (u32 *keyid, void *dummy, unsigned int flags) +keyserver_import_keyid (ctrl_t ctrl, u32 *keyid, + struct keyserver_spec *keyserver, + unsigned int flags) { + (void)ctrl; (void)keyid; - (void)dummy; + (void)keyserver; (void)flags; return -1; } @@ -493,9 +496,14 @@ keyserver_import_fpr_ntds (ctrl_t ctrl, } int -keyserver_import_cert (const char *name) +keyserver_import_cert (ctrl_t ctrl, const char *name, int dane_mode, + unsigned char **fpr,size_t *fpr_len) { + (void)ctrl; (void)name; + (void)dane_mode; + (void)fpr; + (void)fpr_len; return -1; } @@ -511,11 +519,18 @@ keyserver_import_wkd (ctrl_t ctrl, const char *name, unsigned int flags, return GPG_ERR_BUG; } -int -keyserver_import_mbox (const char *name,struct keyserver_spec *spec) +gpg_error_t +keyserver_import_mbox (ctrl_t ctrl, const char *mbox, + unsigned char **fpr,size_t *fpr_len, + struct keyserver_spec *keyserver, + unsigned int flags) { - (void)name; - (void)spec; + (void)ctrl; + (void)mbox; + (void)fpr; + (void)fpr_len; + (void)keyserver; + (void)flags; return -1; } 
@@ -647,15 +662,14 @@ parse_preferred_keyserver(PKT_signature *sig) return NULL; } -struct keyserver_spec * -parse_keyserver_uri (const char *uri, int require_scheme, - const char *configname, unsigned int configlineno) +gpg_error_t +keyserver_export_pubkey (ctrl_t ctrl, PKT_public_key *pk, + int assume_new_key) { - (void)uri; - (void)require_scheme; - (void)configname; - (void)configlineno; - return NULL; + (void)ctrl; + (void)pk; + (void)assume_new_key; + return 0; } void @@ -666,11 +680,14 @@ free_keyserver_spec (struct keyserver_spec *keyserver) /* Stubs to avoid linking to photoid.c */ void -show_photos (const struct user_attribute *attrs, int count, PKT_public_key *pk) +show_photos (ctrl_t ctrl, const struct user_attribute *attrs, int count, + PKT_public_key *pk, PKT_user_id *uid) { + (void)ctrl; (void)attrs; (void)count; (void)pk; + (void)uid; } int diff --git a/g10/test-stubs.c b/g10/test-stubs.c index 9b41c8929..7b9af8470 100644 --- a/g10/test-stubs.c +++ b/g10/test-stubs.c @@ -193,10 +193,13 @@ keyserver_any_configured (ctrl_t ctrl) } int -keyserver_import_keyid (u32 *keyid, void *dummy, unsigned int flags) +keyserver_import_keyid (ctrl_t ctrl, u32 *keyid, + struct keyserver_spec *keyserver, + unsigned int flags) { + (void)ctrl; (void)keyid; - (void)dummy; + (void)keyserver; (void)flags; return -1; } @@ -224,9 +227,14 @@ keyserver_import_fpr_ntds (ctrl_t ctrl, } int -keyserver_import_cert (const char *name) +keyserver_import_cert (ctrl_t ctrl, const char *name, int dane_mode, + unsigned char **fpr, size_t *fpr_len) { + (void)ctrl; (void)name; + (void)dane_mode; + (void)fpr; + (void)fpr_len; return -1; } 
@@ -242,15 +250,18 @@ keyserver_import_wkd (ctrl_t ctrl, const char *name, unsigned int flags, return GPG_ERR_BUG; } -int -keyserver_import_mbox (ctrl_t ctrl, const char *mbox, unsigned char **fpr, - size_t *fprlen, struct keyserver_spec *keyserver) +gpg_error_t +keyserver_import_mbox (ctrl_t ctrl, const char *mbox, + unsigned char **fpr,size_t *fpr_len, + struct keyserver_spec *keyserver, + unsigned int flags) { (void)ctrl; (void)mbox; (void)fpr; - (void)fprlen; + (void)fpr_len; (void)keyserver; + (void)flags; return -1; } @@ -382,13 +393,10 @@ parse_preferred_keyserver(PKT_signature *sig) } struct keyserver_spec * -parse_keyserver_uri (const char *uri, int require_scheme, - const char *configname, unsigned int configlineno) +parse_keyserver_uri (const char *string, int require_scheme) { - (void)uri; + (void)string; (void)require_scheme; - (void)configname; - (void)configlineno; return NULL; } @@ -400,11 +408,14 @@ free_keyserver_spec (struct keyserver_spec *keyserver) /* Stubs to avoid linking to photoid.c */ void -show_photos (const struct user_attribute *attrs, int count, PKT_public_key *pk) +show_photos (ctrl_t ctrl, const struct user_attribute *attrs, int count, + PKT_public_key *pk, PKT_user_id *uid) { + (void)ctrl; (void)attrs; (void)count; (void)pk; + (void)uid; } int -- 2.52.0 From mario.haustein at hrz.tu-chemnitz.de Sun Jan 4 17:07:33 2026 From: mario.haustein at hrz.tu-chemnitz.de (Mario Haustein) Date: Sun, 04 Jan 2026 17:07:33 +0100 Subject: [PATCH GnuPG 2/2] scd:p15: Add support for D-Trust Card 6.1/6.4 Message-ID: <2488114.NG923GbCHz@localdomain> * scd/app-p15.c (CARD_TYPE_STARCOS_37): New. (CARD_PRODUCT_DTRUST6): New. (read_p15_info): Add workaround for wrongly encoded PIN reference in EF.AOD (prepare_verify_pin): Use select_df_by_path to select application, as the card operating system doesn't support path-based selections. (do_sign): Support for key reference IDs longer than one byte. 
Signed-off-by: Mario Haustein --- scd/app-p15.c | 102 +++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 97 insertions(+), 5 deletions(-) diff --git a/scd/app-p15.c b/scd/app-p15.c index d12179bb4..4e187b364 100644 --- a/scd/app-p15.c +++ b/scd/app-p15.c @@ -77,7 +77,8 @@ typedef enum CARD_TYPE_CARDOS_54, CARD_TYPE_AET, /* A.E.T. Europe JCOP card. */ CARD_TYPE_BELPIC, /* Belgian eID card specs. */ - CARD_TYPE_STARCOS_32 + CARD_TYPE_STARCOS_32, + CARD_TYPE_STARCOS_37 } card_type_t; @@ -90,6 +91,7 @@ typedef enum CARD_PRODUCT_RSCS, /* Rohde&Schwarz Cybersecurity */ CARD_PRODUCT_DTRUST3, /* D-Trust GmbH (bundesdruckerei.de) */ CARD_PRODUCT_DTRUST4, + CARD_PRODUCT_DTRUST6, CARD_PRODUCT_GENUA, /* GeNUA mbH */ CARD_PRODUCT_NEXUS, /* Technology Nexus */ CARD_PRODUCT_CVISION /* Cryptovision GmbH */ @@ -135,6 +137,9 @@ static struct { 25, X("\x3b\x9f\x96\x81\xb1\xfe\x45\x1f\x07\x00\x64\x05" "\x1e\xb2\x00\x31\xb0\x73\x96\x21\xdb\x05\x90\x00\x5c"), CARD_TYPE_STARCOS_32 }, + { 21, X("\x3b\xda\x96\xff\x81\xb1\xfe\x45\x1f\x07\x80\x58" + "\x44\x54\x52\x20\x56\x31\x2e\x31\xe2"), + CARD_TYPE_STARCOS_37 }, { 0 } }; #undef X @@ -144,7 +149,8 @@ static struct #define IS_CARDOS_5(a) ((a)->app_local->card_type == CARD_TYPE_CARDOS_50 \ || (a)->app_local->card_type == CARD_TYPE_CARDOS_53 \ || (a)->app_local->card_type == CARD_TYPE_CARDOS_54) -#define IS_STARCOS_3(a) ((a)->app_local->card_type == CARD_TYPE_STARCOS_32) +#define IS_STARCOS_3(a) ((a)->app_local->card_type == CARD_TYPE_STARCOS_32 \ + || (a)->app_local->card_type == CARD_TYPE_STARCOS_37) /* The default PKCS-15 home DF */ @@ -560,6 +566,7 @@ cardtype2str (card_type_t cardtype) case CARD_TYPE_BELPIC: return "Belgian eID"; case CARD_TYPE_AET: return "AET"; case CARD_TYPE_STARCOS_32:return "STARCOS 3.2"; + case CARD_TYPE_STARCOS_37:return "STARCOS 3.7"; } return ""; } 
@@ -573,6 +580,7 @@ cardproduct2str (card_product_t cardproduct)
case CARD_PRODUCT_RSCS: return "R&S";
case CARD_PRODUCT_DTRUST3: return "D-Trust 3";
case CARD_PRODUCT_DTRUST4: return "D-Trust 4.1/4.4";
+ case CARD_PRODUCT_DTRUST6: return "D-Trust 6.1/6.4";
case CARD_PRODUCT_GENUA: return "GeNUA";
case CARD_PRODUCT_NEXUS: return "Nexus";
case CARD_PRODUCT_CVISION: return "Cryptovison";
@@ -872,13 +880,11 @@ select_ef_by_path (app_t app, const unsigned short *path, size_t pathlen)
}
-#if 0 /* Currently not used. */
static gpg_error_t
select_df_by_path (app_t app, const unsigned short *path, size_t pathlen)
{
return select_by_path (app, path, pathlen, 1);
}
-#endif
/* Parse a cert Id string (or a key Id string) and return the binary
@@ -3921,6 +3927,37 @@ read_p15_info (app_t app)
{
app->app_local->card_product = CARD_PRODUCT_DTRUST4;
}
+ if (!app->app_local->card_product
+ && app->app_local->token_label
+ && !strncmp (app->app_local->token_label, "D-TRUST Card 6.", 15)
+ && app->app_local->card_type == CARD_TYPE_STARCOS_37)
+ {
+ aodf_object_t aodf;
+
+ app->app_local->card_product = CARD_PRODUCT_DTRUST6;
+
+ for (prkdf = app->app_local->private_key_info; prkdf; prkdf = prkdf- >next)
+ {
+ /* The card supports only OAEP and ECIES decryption, which are not
+ * supported by GnuPG right now. Thus we mask the respectiv usage
+ * flags. */
+ prkdf->usageflags.decrypt = 0;
+ prkdf->usageflags.unwrap = 0;
+ prkdf->usageflags.derive = 0;
+ }
+
+ for (aodf = app->app_local->auth_object_info; aodf; aodf = aodf->next)
+ if (aodf->auth_type == AUTH_TYPE_PIN
+ && aodf->pin_reference_valid
+ && aodf->label != NULL
+ && !strcmp(aodf->label, "Authentication-PIN"))
+ {
+ /* D-Trust encoded the wrong PIN reference in EF.AOD so we have to
+ * workaround it. */
+ aodf->pin_reference = 0x82;
+ break;
+ }
+ }
/* Now print the info about the PrKDF. */
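Review bot: The `Authentication-PIN` workaround in the read_p15_info hunk overwrites `aodf->pin_reference` with `0x82` without recording what EF.AOD actually carried, so if a later card revision fixes the encoding the override keeps applying silently and the original value is lost for diagnosis. Logging the replaced value before the assignment, e.g. `log_info ("p15: %s: PIN reference from EF.AOD replaced by 0x82 (D-Trust 6 workaround)\n", aodf->label);` (adding the old value once its type is confirmed), or restricting the override to the known-wrong value, would make the workaround self-limiting. The loop header `prkdf = prkdf- >next` as rendered here would not compile; it is presumably a mail-wrapping artifact of `prkdf->next`, but worth checking in the applied patch. The comment typo `respectiv` should read `respective`; read_p15_info itself begins and ends outside the hunk.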
@@ -5130,6 +5167,16 @@ prepare_verify_pin (app_t app, const char *keyref,
log_error ("p15: error selecting PKCS#15 AID for key %s: %s\n",
keyref, gpg_strerror (err));
}
+ else if (prkdf && app->app_local->card_product == CARD_PRODUCT_DTRUST6)
+ {
+ /* The card operating system does not support selecting the application
+ * by direct path selection. We need to select all file ids as a
+ * directory file. */
+ err = select_df_by_path (app, prkdf->path, prkdf->pathlen);
+ if (err)
+ log_error ("p15: error selecting directory file for key %s: %s\n",
+ keyref, gpg_strerror (err));
+ }
else if (prkdf)
{
/* Standard case: Select the key file. Note that this may
@@ -5731,7 +5778,8 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo,
}
if (app->app_local->card_type == CARD_TYPE_BELPIC
|| app->app_local->card_product == CARD_PRODUCT_NEXUS
- || app->app_local->card_product == CARD_PRODUCT_DTRUST4)
+ || app->app_local->card_product == CARD_PRODUCT_DTRUST4
+ || app->app_local->card_product == CARD_PRODUCT_DTRUST6)
{
/* The default for these cards is to use a plain hash. We
* assume that due to the used certificate the correct hash
@@ -5859,6 +5907,50 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo,
0xf3, 0x25, NULL, 0);
}
}
+ else if (app->app_local->card_product == CARD_PRODUCT_DTRUST6)
+ {
+ unsigned char mse[10];
+
+ i = 0;
+ err = 0;
+
+ /* D-Trust-Card uses 3 byte long (negative) key reference IDs */
+ mse[i++] = 0x84; /* Key reference. */
+ mse[i++] = 3;
+ mse[i++] = (prkdf->key_reference >> 16) & 0xff;
+ mse[i++] = (prkdf->key_reference >> 8) & 0xff;
+ mse[i++] = prkdf->key_reference & 0xff;
+
+ if (prkdf->is_ecc)
+ {
+ mse[i++] = 0x89;
+ mse[i++] = 2;
+ mse[i++] = 0x13;
+ mse[i++] = 0x35;
+ }
+ else
+ {
+ mse[i++] = 0x89; /* Algorithm reference (BCD encoded). */
+ mse[i++] = 3;
+ mse[i++] = 0x13; /* RSA PKCS#1 (standard) (1 3 2 3). */
+ mse[i++] = 0x23;
+ switch (hashalgo)
+ {
+ case GCRY_MD_SHA1: mse[i++] = 0x10; break;
+ case GCRY_MD_RMD160: mse[i++] = 0x20; break;
+ case GCRY_MD_SHA256: mse[i++] = 0x30; break;
+ case GCRY_MD_SHA384: mse[i++] = 0x40; break;
+ case GCRY_MD_SHA512: mse[i++] = 0x50; break;
+ case GCRY_MD_SHA224: mse[i++] = 0x60; break;
+ default: err = gpg_error (GPG_ERR_DIGEST_ALGO); break;
+ }
+ }
+
+ log_assert (i <= DIM(mse));
+ if (!err)
+ err = iso7816_manage_security_env (app_get_slot (app), 0x41, 0xB6,
+ mse, i);
+ }
else if (app->app_local->card_product == CARD_PRODUCT_CVISION)
{
/* I can't make the Starcos 3.2 work the correct way, so let's -- 2.52.0 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 870 bytes Desc: This is a digitally signed message part. URL: From mario.haustein at hrz.tu-chemnitz.de Sun Jan 4 17:06:54 2026
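Review bot: `(prkdf->key_reference >> 16) & 0xff` right-shifts a value the comment above it calls negative; if `key_reference` is a signed type (its declaration is outside the hunk) that shift is implementation-defined in C, and the intent is clearly the low three bytes of the two's-complement form. Casting first on both shift lines, `mse[i++] = ((unsigned long)prkdf->key_reference >> 16) & 0xff;` and `mse[i++] = ((unsigned long)prkdf->key_reference >> 8) & 0xff;`, makes that encoding explicit on every compiler. `log_assert (i <= DIM(mse))` runs after the writes, so it documents rather than prevents an overrun; with at most 5 + 5 bytes written on the RSA path `mse[10]` is sized exactly, and a comment next to the declaration, `/* 5 bytes key reference + up to 5 bytes algorithm reference. */`, saves the next reader recounting. The ECC branch never looks at `hashalgo`; if the card accepts any digest length there, a one-line comment saying so would keep it from reading like an omission.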
From: mario.haustein at hrz.tu-chemnitz.de (Mario Haustein) Date: Sun, 04 Jan 2026 17:06:54 +0100 Subject: [PATCH GnuPG 1/2] scd: allow to query FCP when selecting an application Message-ID: <3758773.R56niFO833@localdomain> * scd/iso7816.c (iso7816_select_application_ext): Add flag die query FCP * scd/iso7816.h: define new response type flags * scd/app.c: apply new flags * scd/app-piv.c: ditto * scd/app-p15.c: query FCI during application selection and fallback to FCP if file ID tag 0x83 is not found. -- Some cards (for example STARCOS 3.7 based D-Trust Cards 6.1/6.4) don't return the file ID of the application in the FCI response of the SELECT command (P2=0x00). Instead the file ID is only returned if the FCP is queried in the SELECT command (P2=0x04). If the file ID is not returned in the FCI, we will fall back to the FCP and then to the default home file ID if the FCP also fails. Signed-off-by: Mario Haustein --- scd/app-p15.c | 48 +++++++++++++++++++++++++++++++++++++++++------- scd/app-piv.c | 4 ++-- scd/app.c | 2 +- scd/iso7816.c | 15 +++++++++++++-- scd/iso7816.h | 5 +++++ 5 files changed, 62 insertions(+), 12 deletions(-) diff --git a/scd/app-p15.c b/scd/app-p15.c index f5c5f7a17..d12179bb4 100644 --- a/scd/app-p15.c +++ b/scd/app-p15.c @@ -6431,6 +6431,8 @@ app_select_p15 (app_t app) { int slot = app_get_slot (app); int rc; + const char *aid; + size_t aidlen; unsigned short def_home_df = 0; card_type_t card_type = CARD_TYPE_UNKNOWN; int direct = 0; 
@@ -6438,14 +6440,17 @@ app_select_p15 (app_t app)
unsigned char *fci = NULL;
size_t fcilen;
- rc = iso7816_select_application_ext (slot, pkcs15_aid, sizeof pkcs15_aid, 1,
- &fci, &fcilen);
+ aid = pkcs15_aid;
+ aidlen = sizeof pkcs15_aid;
+ rc = iso7816_select_application_ext (slot, aid, aidlen,
+ ISO7816_SELECT_FCI, &fci, &fcilen);
if (rc)
{
/* D-TRUST Card 4.x uses a different AID. */
- rc = iso7816_select_application_ext (slot, pkcs15dtrust4_aid,
- sizeof pkcs15dtrust4_aid, 1,
- &fci, &fcilen);
+ aid = pkcs15dtrust4_aid;
+ aidlen = sizeof pkcs15dtrust4_aid;
+ rc = iso7816_select_application_ext (slot, aid, aidlen,
+ ISO7816_SELECT_FCI, &fci, &fcilen);
}
if (rc)
{ /* Not found: Try to locate it from 2F00. We use direct path
@@ -6516,7 +6521,7 @@ app_select_p15 (app_t app)
goto leave;
}
- /* Set the home DF from the FCI returned by the select. */
+ /* Set the home DF from the FCI returned by the select. */
if (!def_home_df && fci)
{
const unsigned char *s;
@@ -6525,14 +6530,43 @@ app_select_p15 (app_t app)
s = find_tlv (fci, fcilen, 0x83, &n);
if (s && n == 2)
def_home_df = buf16_to_ushort (s);
+ else if (fcilen)
+ {
+ log_printhex (fci, fcilen, "fci:");
+ log_info ("p15: select did not return the DF - querying FCP\n");
+ }
+ }
+
+ /* Set the home DF from the FCP returned by the select, when not already
+ * contained in the FCI. STARCOS 3.7 (at least the D-Trust Card 6.1/6.4
+ * requires to request FCP instead of FCI. */
+ if (!def_home_df)
+ {
+ const unsigned char *s;
+ size_t n;
+
+ xfree (fci);
+
+ fci = NULL;
+ fcilen = 0;
+ rc = iso7816_select_application_ext (slot, aid, aidlen,
+ ISO7816_SELECT_FCP, &fci, &fcilen);
+
+ if (!rc && fci)
+ {
+ s = find_tlv (fci, fcilen, 0x83, &n);
+ if (s && n == 2)
+ def_home_df = buf16_to_ushort (s);
+ }
else
{
if (fcilen)
- log_printhex (fci, fcilen, "fci:");
+ log_printhex (fci, fcilen, "fcp:");
log_info ("p15: select did not return the DF - using default\n");
def_home_df = DEFAULT_HOME_DF;
}
}
+ app->app_local->home_df = def_home_df;
/* Store the card type. FIXME: We might want to put this into
diff --git a/scd/app-piv.c b/scd/app-piv.c
index f35815e58..a5f2d6219 100644
--- a/scd/app-piv.c
+++ b/scd/app-piv.c
@@ -3684,8 +3684,8 @@ app_select_piv (app_t app)
/* Note that we select using the AID without the 2 octet version
* number. This allows for better reporting of future specs. We
* need to use the use-zero-for-P2-flag. */
- err = iso7816_select_application_ext (slot, piv_aid, sizeof piv_aid, 0x0001,
- &apt, &aptlen);
+ err = iso7816_select_application_ext (slot, piv_aid, sizeof piv_aid,
+ ISO7816_SELECT_FCI, &apt, &aptlen);
if (err)
goto leave;
diff --git a/scd/app.c b/scd/app.c
index f08067e87..0329d3fb0 100644
--- a/scd/app.c
+++ b/scd/app.c
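Review bot: In the FCP fallback the retry assigns `rc`, so a card that rejects P2=0x04 leaves `rc` non-zero after the code has already decided to carry on with `DEFAULT_HOME_DF`; if `app_select_p15` returns `rc` at its `leave` label (outside the hunk), cards that selected fine before this patch would now fail application selection. Clearing it where the default is chosen, `def_home_df = DEFAULT_HOME_DF; rc = 0;`, or using a separate local for the retry status, keeps the previous behaviour. The fallback is also entered whenever `def_home_df` is still zero, which appears to include the 2F00 direct-path route if that leaves it unset; `aid` then still points at the D-Trust 4 AID that already failed, so guarding the retry with the first SELECT having succeeded avoids a pointless command. Minor: the comment `(at least the D-Trust Card 6.1/6.4` is missing its closing parenthesis.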
@@ -792,7 +792,7 @@ app_new_register (int slot, ctrl_t ctrl, const char *name,
buf = NULL;
if (!iso7816_select_application_ext (slot, otp_aid, sizeof otp_aid,
- 1, &buf, &buflen)
+ ISO7816_SELECT_FCI, &buf, &buflen)
&& buflen > 3)
card->cardversion = ((buf[0]<<16)|(buf[1]<<8)| buf[2]);
}
diff --git a/scd/iso7816.c b/scd/iso7816.c
index 6634cd4a7..533e579de 100644
--- a/scd/iso7816.c
+++ b/scd/iso7816.c
@@ -152,9 +152,20 @@ iso7816_select_application_ext (int slot, const char *aid, size_t aidlen,
unsigned int flags,
unsigned char **result, size_t *resultlen)
{
+ int p2;
int sw;
- sw = apdu_send (slot, 0, 0x00, CMD_SELECT_FILE, 4,
- (flags&1)? 0:0x0c, aidlen, aid,
+
+ switch (flags)
+ {
+ case ISO7816_SELECT_FCI: p2 = 0x00; break;
+ case ISO7816_SELECT_FCP: p2 = 0x04; break;
+ case ISO7816_SELECT_NORESP:
+ default:
+ p2 = 0x0c;
+ }
+
+ sw = apdu_send (slot, 0, 0x00, CMD_SELECT_FILE, 4, p2,
+ aidlen, aid,
result, resultlen);
return map_sw (sw);
}
diff --git a/scd/iso7816.h b/scd/iso7816.h
index 67b9f47ab..aef5c2092 100644
--- a/scd/iso7816.h
+++ b/scd/iso7816.h
@@ -29,6 +29,11 @@
#define ISO7816_CHANGE_REFERENCE_DATA 0x24
#define ISO7816_RESET_RETRY_COUNTER 0x2C
+/* Flags to encode which data should be returned by SELECT */
+#define ISO7816_SELECT_NORESP 0 /* no response to SELECT */
+#define ISO7816_SELECT_FCI 1 /* query FCI (file control information) by SELECT */
+#define ISO7816_SELECT_FCP 2 /* query FCP (file control parameters) by SELECT */
+
/* Error codes returned by iso7816_verify_status. A non-negative
* number gives the number of left tries.
* NB: The values are also used by the CHV-STATUS lines and thus are -- 2.52.0 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 870 bytes Desc: This is a digitally signed message part. URL: From mario.haustein at hrz.tu-chemnitz.de Sun Jan 4 17:06:18 2026
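Review bot: `switch (flags)` in iso7816_select_application_ext treats the argument as an enumeration, while the code it replaces (`(flags&1)? 0:0x0c`) and the PIV call site updated in this patch (`0x0001`, commented as "the use-zero-for-P2-flag") treated it as a bit mask; any value other than 1 or 2, including a combination such as `ISO7816_SELECT_FCI|ISO7816_SELECT_FCP`, now silently becomes P2=0x0c and returns no data. Either state on the new macros in iso7816.h that exactly one of them is passed and they are not to be OR-ed, or make the mismatch visible by changing the fallthrough to `case ISO7816_SELECT_NORESP: p2 = 0x0c; break;` followed by `default: return gpg_error (GPG_ERR_INV_FLAG);`. The comment on the prototype, if it still describes a "use zero for P2" bit, is outside the hunk and presumably needs the same update.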
From: mario.haustein at hrz.tu-chemnitz.de (Mario Haustein) Date: Sun, 04 Jan 2026 17:06:18 +0100 Subject: [PATCH GnuPG 0/2] Add support for D-Trust Card 6.1/6.4 Message-ID: <1974271.CQOukoFCf9@localdomain> Dear GnuPG maintainers, attached you will find a series of patches which add support for D-Trust electronic Signature and Sealing Cards version 6.1/6.4. To get the cards working, some minor changes on the ISO7816 layer were necessary. The PKCS#15 application has to be selected by its AID, but is later selected by its file ID to retrieve data about keys, authentication objects, certificates and so on. The file ID is retrieved from the FCI response of the initial SELECT. These D-Trust Cards (this may hold for all cards based on the underlying STARCOS 3.7 card operating system) do not return the file ID tag in the FCI. The tag is only returned in the FCP response. Thus I had to alter iso7816_select_application_ext() such that it is possible to select which response is requested. With this patch, the PKCS#15 driver will continue to use the FCI and only fall back to the FCP if the tag is not present in the FCI. This introduces a bit of complexity, but reduces the chance of introducing a regression. According to ISO 7816 part 4 the file ID is part of the file control parameters, so querying just the FCP seems to be sufficient from my point of view. I can prepare a simpler patch for this, but I do not have a representative set of cards to prove this assumption. The rest of the driver is implemented in a straightforward way. Only the encoding of the key reference in EF.PrKD made it necessary to introduce a further case in do_sign(). The card issuer chose a key reference number whose ASN.1 representation is 3 bytes long, but the current STARCOS case in do_sign() assumes a 1-byte reference. It further does not implement the EC ciphers.
As I am not sure whether all STARCOS-cards supports ECC, it was the safest option to introduce a new case with hard coded key reference length and implemented ECC support. Merging these two cases nevertheless would be possible. But I do not have access to other STARCOS-cards for testing. Kind regards Mario Haustein Mario Haustein (2): scd: allow to query FCP when selecting an application scd:p15: Add support for D-Trust Card 6.1/6.4 scd/app-p15.c | 150 ++++++++++++++++++++++++++++++++++++++++++++++---- scd/app-piv.c | 4 +- scd/app.c | 2 +- scd/iso7816.c | 15 ++++- scd/iso7816.h | 5 ++ 5 files changed, 159 insertions(+), 17 deletions(-) -- 2.52.0 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 870 bytes Desc: This is a digitally signed message part. URL: From sachin.t at ibm.com Mon Jan 5 09:16:55 2026 From: sachin.t at ibm.com (Sachin T) Date: Mon, 5 Jan 2026 08:16:55 +0000 Subject: [PATCH libassuan] Add fixes to support IBM z/OS platform. Message-ID: Hi Maintainers, Please review patch required for libassuan on IBM z/OS platform. Patch details - * m4/libtool.m4: use pass_all dependency checking on z/OS. * src/assuan-socket.c: Include sys/time.h header which defines fd_set, struct timeval. Regards, Sachin --- * m4/libtool.m4: use pass_all dependency checking on z/OS. * src/assuan-socket.c: Include sys/time.h header which defines fd_set, struct timeval Signed-off-by: Sachin T --- m4/libtool.m4 | 4 ++++ src/assuan-socket.c | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/m4/libtool.m4 b/m4/libtool.m4 index c6f534e..720d2bd 100644 --- a/m4/libtool.m4 +++ b/m4/libtool.m4 @@ -3348,6 +3348,10 @@ openbsd*) fi ;; +openedition*) + lt_cv_deplibs_check_method=pass_all + ;; + osf3* | osf4* | osf5*) lt_cv_deplibs_check_method=pass_all ;; diff --git a/src/assuan-socket.c b/src/assuan-socket.c index 4c859a5..b33f575 100644 --- a/src/assuan-socket.c +++ b/src/assuan-socket.c 
@@ -48,6 +48,10 @@ #include "assuan-defs.h" #include "debug.h" +#ifdef __MVS__ +#include +#endif + /* Hacks for Slowaris. */ #ifndef PF_LOCAL # ifdef PF_UNIX -- 2.51.2 -------------- next part -------------- An HTML attachment was scrubbed... URL: From andrewg at andrewg.com Mon Jan 5 14:55:36 2026 
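Review bot: The added `#include` line in the assuan-socket.c hunk has no header name after it as rendered here; the commit message says `sys/time.h`, so the applied patch presumably reads `#include <sys/time.h>` and the archive stripped the angle-bracket text, but a reviewer cannot confirm that from the diff and it is worth re-checking before merging. Guarding on the compiler macro `__MVS__` rather than a configure-time `HAVE_SYS_TIME_H` also departs from the autoconf style used elsewhere in the tree: if config.h already defines such a macro, `#ifdef HAVE_SYS_TIME_H` would serve every platform that needs the header; if it does not, the platform guard is acceptable but deserves a one-line comment, `/* z/OS: fd_set and struct timeval are declared in <sys/time.h>. */`.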
From: andrewg at andrewg.com (Andrew Gallagher) Date: Mon, 5 Jan 2026 13:55:36 +0000 Subject: Undocumented novel Ed448 point encoding breaks interoperability Message-ID: <4e12f3b7-3a6c-41b8-8f8d-83a89db9da63@andrewg.com> Hi, It has been brought to my attention that Ed448 keys are being encoded without prefix octets in their MPIs/SOSes, which breaks compatibility with go-crypto (and perhaps others) and is not documented anywhere that I can find. The librepgp specification requires prefix octets for all ECC curve point representations. The offending code appears to be in libgcrypt/cipher/ecc.c: ``` rc = _gcry_ecc_eddsa_encodepoint (ec->Q, ec, Gx, Gy, (ec->dialect != ECC_DIALECT_SAFECURVE && !!(flags & PUBKEY_FLAG_COMP)), &encpk, &encpklen); ``` https://github.com/gpg/libgcrypt/blob/9e3af928ee1100fc979a75dd4ae6a4ace2c36bef/cipher/ecc.c#L775 This selectively uses prefix octets (or not) depending on the value of `ec->dialect`, which is only set to `ECC_DIALECT_SAFECURVE` for ed448. This means that ed448 curve points are noncompliant with section 13.3 of the librepgp specification, which reads: > The EdDSA algorithm defines a specific point compression format. To indicate the use of this compression format and to make sure that the key can be represented in the Multiprecision Integer (MPI) format the octet string specifying the point is prefixed with the octet 0x40. This encoding is an extension of the encoding given in [SEC1] which uses 0x04 to indicate an uncompressed point. For example, the length of a public key for the curve Ed25519 is 263 bit: 7 bit to represent the 0x40 prefix octet and 32 octets for the native value of the public key. https://datatracker.ietf.org/doc/html/draft-koch-librepgp#name-eddsa-point-format Ed25519 follows the above spec, but Ed448 does not. Is this an error in the specification or an error in the implementation? A From m at the13thletter.info Mon Jan 5 20:42:44 2026 
From: m at the13thletter.info (Marco Ricci) Date: Mon, 5 Jan 2026 20:42:44 +0100 Subject: How to start gpg-agent v2.4.8 on Windows (gpg4win 4.4.1) with OpenSSH emulation? In-Reply-To: <87ikdppmyp.fsf@jacob.g10code.de> References: <87ms31pnnl.fsf@jacob.g10code.de> <87ikdppmyp.fsf@jacob.g10code.de> Message-ID: Dear GnuPG developers, dear Werner. Thus spoke Werner Koch: > Regarding OpenSSH support on Windows please checkout [the last comment > on] https://dev.gnupg.org/T3883 > > [...] > > I forgot to mention that you start gpg-agent and thus ssh support > using > > gpgconf --launch gpg-agent > > or just use "gpg -K" which launches the gpg-agent as a side-effect. I have since resolved my underlying problem (spawning gpg-agent with OpenSSH emulation support) directly; it turned out to be user error. I have multiple copies of GnuPG (via MSYS, via Git, via gpg4win) installed, at different versions and with different home directories, and apparently, I was using one of the outdated copies that did not yet implement OpenSSH emulation. Using the current GnuPG 2.4.8 from gpg4win manually while double-checking that the correct binaries and the correct home directory is used, I can successfully launch `gpg-agent` with OpenSSH emulation by putting `enable-win32-openssh-support` manually into the `gpg-agent.conf` file, then calling `gpg-connect-agent /bye`. That said, regarding your reply: I was specifically asking for the correct, documented way to pass command-line arguments to the invocation of `gpg-agent`, because I wanted to debug whether I was launching `gpg-agent` correctly. The manual page for `gpg-agent` (Section 2.2 "Option Summary") seemed to suggest that it is possible to put options "on the command line" (which I could not get to work) "or, after stripping off the two leading dashes, in the configuration file" (which ultimately worked for me, after sorting out the confusion concerning the multiple versions and home directories). Thus, my question. 
I have encountered further... quirks concerning `gpg-agent` and `gpgconf`, but those probably make more sense to report in your issue tracker, not this mailing list. Cheers, Marco -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature.asc Type: application/pgp-signature Size: 325 bytes Desc: OpenPGP digital signature URL: From sam at gentoo.org Tue Jan 6 03:54:23 2026 From: sam at gentoo.org (Sam James) Date: Tue, 6 Jan 2026 02:54:23 +0000 Subject: [PATCH GnuPG v3] Fix -Wlto-type-mismatch warnings [T4416] In-Reply-To: <21e2bca92f2d95c942036a3b42f29469648a5bca.1767503904.git.sam@gentoo.org> References: <21e2bca92f2d95c942036a3b42f29469648a5bca.1767503904.git.sam@gentoo.org> Message-ID: <27d9f0aab7c50339b9c8e9dbf66072bdf718d27c.1767668063.git.sam@gentoo.org> * agent/t-protect.c (convert_from_openpgp_native): Sync stub definition. * g10/gpgv.c (keyserver_import_keyid): Sync stub definition. (keyserver_import_cert): Ditto. (keyserver_import_mbox): Ditto. (parse_keyserver_uri): Ditto. (show_photos): Ditto. * g10/test-stubs.c (keyserver_import_keyid): Sync stub definition. (keyserver_import_cert): Ditto. (keyserver_import_mbox): Ditto. (parse_keyserver_uri): Ditto. (show_photos): Ditto. -- GnuPG-bug-id: 4416 When building with GCC -flto, some warnings appear because of mismatched definitions in stubs (gpgv or tests). Sync them with the real definitions to fix the warnings, as they just drifted over time. Signed-off-by: Sam James --- v3: Fix a copypasto. v2: Fix formatting. agent/t-protect.c | 7 +++++-- g10/gpgv.c | 42 +++++++++++++++++++++++++++++------------- g10/test-stubs.c | 37 ++++++++++++++++++++++++------------- 3 files changed, 58 insertions(+), 28 deletions(-) diff --git a/agent/t-protect.c b/agent/t-protect.c index e6edbffba..9508de36a 100644 --- a/agent/t-protect.c +++ b/agent/t-protect.c 
@@ -341,9 +341,12 @@ main (int argc, char **argv)
/* Stub function. */
gpg_error_t
-convert_from_openpgp_native (gcry_sexp_t s_pgp, const char *passphrase,
- unsigned char **r_key)
+convert_from_openpgp_native (ctrl_t ctrl,
+ gcry_sexp_t s_pgp,
+ const char *passphrase,
+ unsigned char **r_key)
{
+ (void)ctrl;
(void)s_pgp;
(void)passphrase;
(void)r_key;
diff --git a/g10/gpgv.c b/g10/gpgv.c
index b65dfa66b..2d2e43af0 100644
--- a/g10/gpgv.c
+++ b/g10/gpgv.c
@@ -462,10 +462,13 @@ keyserver_any_configured (ctrl_t ctrl)
}
int
-keyserver_import_keyid (u32 *keyid, void *dummy, unsigned int flags)
+keyserver_import_keyid (ctrl_t ctrl, u32 *keyid,
+ struct keyserver_spec *keyserver,
+ unsigned int flags)
{
+ (void)ctrl;
(void)keyid;
- (void)dummy;
+ (void)keyserver;
(void)flags;
return -1;
}
@@ -493,9 +496,14 @@ keyserver_import_fpr_ntds (ctrl_t ctrl,
}
int
-keyserver_import_cert (const char *name)
+keyserver_import_cert (ctrl_t ctrl, const char *name, int dane_mode,
+ unsigned char **fpr,size_t *fpr_len)
{
+ (void)ctrl;
(void)name;
+ (void)dane_mode;
+ (void)fpr;
+ (void)fpr_len;
return -1;
}
@@ -511,11 +519,18 @@ keyserver_import_wkd (ctrl_t ctrl, const char *name, unsigned int flags,
return GPG_ERR_BUG;
}
-int
-keyserver_import_mbox (const char *name,struct keyserver_spec *spec)
+gpg_error_t
+keyserver_import_mbox (ctrl_t ctrl, const char *mbox,
+ unsigned char **fpr,size_t *fpr_len,
+ struct keyserver_spec *keyserver,
+ unsigned int flags)
{
- (void)name;
- (void)spec;
+ (void)ctrl;
+ (void)mbox;
+ (void)fpr;
+ (void)fpr_len;
+ (void)keyserver;
+ (void)flags;
return -1;
}
@@ -648,13 +663,11 @@ parse_preferred_keyserver(PKT_signature *sig)
}
struct keyserver_spec *
-parse_keyserver_uri (const char *uri, int require_scheme,
- const char *configname, unsigned int configlineno)
+parse_keyserver_uri (const char *string,
+ int require_scheme)
{
- (void)uri;
+ (void)string;
(void)require_scheme;
- (void)configname;
- (void)configlineno;
return NULL;
}
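Review bot: In the `@@ -511,11 +519,18 @@` hunk the `keyserver_import_mbox` stub changes its return type to `gpg_error_t` but keeps `return -1;`, which is no longer a meaningful error value for that type; the neighbouring `keyserver_import_wkd` stub in the same hunk's context returns `GPG_ERR_BUG`, so `return GPG_ERR_BUG;` would keep the two stubs consistent and give callers a real error code rather than an all-bits-set value. The same `gpg_error_t` plus `return -1;` combination appears in the `@@ -242,15 +250,18 @@` hunk of g10/test-stubs.c. As a small style point, `unsigned char **fpr,size_t *fpr_len` in the new `keyserver_import_cert` and `keyserver_import_mbox` signatures lacks the space after the comma that the test-stubs.c copy of `keyserver_import_cert` has; `unsigned char **fpr, size_t *fpr_len` reads better if it still matches the real prototype.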
@@ -666,11 +679,14 @@ free_keyserver_spec (struct keyserver_spec *keyserver)
/* Stubs to avoid linking to photoid.c */
void
-show_photos (const struct user_attribute *attrs, int count, PKT_public_key *pk)
+show_photos (ctrl_t ctrl, const struct user_attribute *attrs, int count,
+ PKT_public_key *pk, PKT_user_id *uid)
{
+ (void)ctrl;
(void)attrs;
(void)count;
(void)pk;
+ (void)uid;
}
int
diff --git a/g10/test-stubs.c b/g10/test-stubs.c
index 9b41c8929..7b9af8470 100644
--- a/g10/test-stubs.c
+++ b/g10/test-stubs.c
@@ -193,10 +193,13 @@ keyserver_any_configured (ctrl_t ctrl)
}
int
-keyserver_import_keyid (u32 *keyid, void *dummy, unsigned int flags)
+keyserver_import_keyid (ctrl_t ctrl, u32 *keyid,
+ struct keyserver_spec *keyserver,
+ unsigned int flags)
{
+ (void)ctrl;
(void)keyid;
- (void)dummy;
+ (void)keyserver;
(void)flags;
return -1;
}
@@ -224,9 +227,14 @@ keyserver_import_fpr_ntds (ctrl_t ctrl,
}
int
-keyserver_import_cert (const char *name)
+keyserver_import_cert (ctrl_t ctrl, const char *name, int dane_mode,
+ unsigned char **fpr, size_t *fpr_len)
{
+ (void)ctrl;
(void)name;
+ (void)dane_mode;
+ (void)fpr;
+ (void)fpr_len;
return -1;
}
@@ -242,15 +250,18 @@ keyserver_import_wkd (ctrl_t ctrl, const char *name, unsigned int flags,
return GPG_ERR_BUG;
}
-int
-keyserver_import_mbox (ctrl_t ctrl, const char *mbox, unsigned char **fpr,
- size_t *fprlen, struct keyserver_spec *keyserver)
+gpg_error_t
+keyserver_import_mbox (ctrl_t ctrl, const char *mbox,
+ unsigned char **fpr,size_t *fpr_len,
+ struct keyserver_spec *keyserver,
+ unsigned int flags)
{
(void)ctrl;
(void)mbox;
(void)fpr;
- (void)fprlen;
+ (void)fpr_len;
(void)keyserver;
+ (void)flags;
return -1;
}
@@ -382,13 +393,10 @@ parse_preferred_keyserver(PKT_signature *sig)
}
struct keyserver_spec *
-parse_keyserver_uri (const char *uri, int require_scheme,
- const char *configname, unsigned int configlineno)
+parse_keyserver_uri (const char *string, int require_scheme)
{
- (void)uri;
+ (void)string;
(void)require_scheme;
- (void)configname;
- (void)configlineno;
return NULL;
}
@@ -400,11 +408,14 @@ free_keyserver_spec (struct keyserver_spec *keyserver)
/* Stubs to avoid linking to photoid.c */
void
-show_photos (const struct user_attribute *attrs, int count, PKT_public_key *pk)
+show_photos (ctrl_t ctrl, const struct user_attribute *attrs, int count,
+ PKT_public_key *pk, PKT_user_id *uid)
{
+ (void)ctrl;
(void)attrs;
(void)count;
(void)pk;
+ (void)uid;
}
int
-- 2.52.0
From wk at gnupg.org Tue Jan 6 11:16:51 2026 From: wk at gnupg.org (Werner Koch) Date: Tue, 06 Jan 2026 11:16:51 +0100 Subject: [PATCH GnuPG 0/2] Add support for D-Trust Card 6.1/6.4 In-Reply-To: <1974271.CQOukoFCf9@localdomain> (Mario Haustein via Gnupg-devel's message of "Sun, 04 Jan 2026 17:06:18 +0100") References: <1974271.CQOukoFCf9@localdomain> Message-ID: <87h5sznizw.fsf@jacob.g10code.de> Hi Mario, Thanks for your work. Please give us some days to apply your patch. Too many other things to do in the first days of a new year. Shalom-Salam, Werner -- The pioneers of a warless world are the youth that refuse military service. - A. Einstein -------------- next part -------------- A non-text attachment was scrubbed... Name: openpgp-digital-signature.asc Type: application/pgp-signature Size: 284 bytes Desc: not available URL: From wk at gnupg.org Wed Jan 7 09:11:03 2026 
From: wk at gnupg.org (Werner Koch) Date: Wed, 07 Jan 2026 09:11:03 +0100 Subject: How to start gpg-agent v2.4.8 on Windows (gpg4win 4.4.1) with OpenSSH emulation? In-Reply-To: (Marco Ricci via Gnupg-devel's message of "Mon, 5 Jan 2026 20:42:44 +0100") References: <87ms31pnnl.fsf@jacob.g10code.de> <87ikdppmyp.fsf@jacob.g10code.de> Message-ID: <87y0m9n8q0.fsf@jacob.g10code.de> On Mon, 5 Jan 2026 20:42, Marco Ricci said: > I have since resolved my underlying problem (spawning gpg-agent with > OpenSSH emulation support) directly; it turned out to be user error. Good. > I have multiple copies of GnuPG (via MSYS, via Git, via gpg4win) That is actually a problem which we see more and more. For gpg4win 5 we have changed things so that it will be easier to install several versions and have Kleopatra and gpgol use the intended one. > correct, documented way to pass command-line arguments to the invocation > of `gpg-agent`, because I wanted to debug whether I was launching Only if you start gpg-agent by hand and do not let another component start it can you do: gpg-agent --verbose --enable-something --daemon But gpg-agent may not already be running, as it would not start in this case. It is better to let the components (or "gpgconf --launch gpg-agent") start gpg-agent and put options into the config file. Note that there may also be a global config file. If you use gpg-agent --debug 0 you can see the used config files: C:\Users\dd9jn>gpg-agent --debug 0 gpg-agent[2928]: reading options from '[cmdline]' gpg-agent[2928]: reading options from 'C:/Users/dd9jn/AppData/Roaming/gnupg/common.conf' gpg-agent[2928]: gpg-agent running and available In this case we have only a local common.conf. Salam-Shalom, Werner -- The pioneers of a warless world are the youth that refuse military service. - A. Einstein -------------- next part -------------- A non-text attachment was scrubbed... 
Name: openpgp-digital-signature.asc Type: application/pgp-signature Size: 284 bytes Desc: not available URL: From jakeginesin at gmail.com Sat Jan 10 06:00:20 2026 From: jakeginesin at gmail.com (Jake Ginesin) Date: Sat, 10 Jan 2026 00:00:20 -0500 Subject: libgcrypt P256 signature malleability via weak DER enforcement Message-ID: Hi, libgcrypt's ECDSA signatures are malleable, as the signature verifier accepts malformed DER-encoded signatures. We currently fail in three scenarios: 1. Missing leading zero: per X.690 section 8.3.3, integers are two's complement. A positive integer with the high bit set requires a leading 0x00 to avoid being interpreted as negative. libgcrypt accepts signatures missing this byte. 2. Extra leading zeros: per X.690 section 8.3.2, integer encoding must be minimal. libgcrypt accepts r/s values with unnecessary leading zeros. 3. BER long-form length: per X.690 section 10.1, DER requires the definite length form encoded in the minimum number of octets. libgcrypt accepts BER-style long-form encoding where short-form is required. The test vectors are available here: https://github.com/C2SP/wycheproof/blob/main/testvectors_v1/ecdsa_secp256k1_sha256_test.json (tcId 6, 8, 84, 128 are relevant for this issue) Similar issues received CVEs in other libraries (CVE-2020-13822, CVE-2024-42460). Happy to provide my proof-of-concept exploits, Wycheproof-libgcrypt harness, or discuss further. Thanks, Jake https://jakegines.in -------------- next part -------------- An HTML attachment was scrubbed... URL: