From jussi.kivilinna at iki.fi Fri Nov 4 06:17:22 2022
From: jussi.kivilinna at iki.fi (Jussi Kivilinna)
Date: Fri, 4 Nov 2022 07:17:22 +0200
Subject: libgcrypt clang asm configure issue.
In-Reply-To:
References:
Message-ID: <8a37bc94-5f27-6cda-e1af-b185450b1d69@iki.fi>

Hello,

On 28.10.2022 22.00, Dmytro Kovalov via Gnupg-users wrote:
> Hello,
>
> I found a strange libgcrypt behavior on ARM with clang built.
>
> There is a big gap in performance of libgcrypt, built by clang, in comparison with gcc on my ARM target machine.
> The simple profile test shows 100-500% advantage of gcc gcrypt.
> I found an awkward workaround to beat this issue, but need your help to find the best way to fix it.
>
> The root cause is next:
> Due to clang strict assembler syntax rules the unified assembler ARM check doesn't pass.
> Assembler check fails while ./configure for flags:
> HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS
> HAVE_GCC_INLINE_ASM_NEON
>
> As a workaround I remove '%' from registers names in
> configure.ac ,
> arm mips lib *.S files,
> cipher/*arm.S,*armv7-neon.S files.
>
> Could you please help with a more correct - polite way to compile libgcrypt with assembler code?

This looks like a correct fix for improving compatibility with clang. It seems that GNU assembler works with those extra '%', but clang arm assembler does not. Only some of the arm assembly in libgcrypt have those extra '%' on register names but not all.

-Jussi

>
> Tested on:
> libgcrypt-1.8.6
> libgcrypt-1.9.3
>
> Equipment:
>
> build machine:
> intel based cpu x86_64
> Ubuntu-20.04
>
> Software
> compiler        : clang 11.1.0
> linker lld      : lld 11.1.0
> assembler       : llvm-as 11.1.0
> cflags          : "-m32 -march=armv7-a -mthumb -mfpu=vfpv3-d16 --target=arm-linux-gnueabihf"
>
> arm-linux-gnueabihf sysroot based on glibc 2.31
>
> libgcrypt configuring:
> CC="arm-linux-gnueabihf-clang" \
> ./configure \
>   --with-libgpg-error-prefix= \
>   --prefix= \
>   --host=arm-linux-gnueabihf \
>   --enable-static \
>   --disable-doc
>
>
> target machine:
> hardware:
> model name : ARMv7 Processor rev 4 (v7l)
> BogoMIPS : 2304.00
> Features : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae aes pmull sha1 sha2 crc32
>
>
> Best Regards,
> Dmytro Kovalov
> Dmytro.a.kovalov at globallogic.com
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnupg-users

From lawisking at gmail.com Fri Nov 4 13:55:58 2022
From: lawisking at gmail.com (K S)
Date: Fri, 4 Nov 2022 07:55:58 -0500
Subject: Difference between versions--Question
In-Reply-To: <1841143.CQOukoFCf9@daneel>
References: <1841143.CQOukoFCf9@daneel>
Message-ID:

How do I run configure to get the compression routines? I ran the build exactly like the README file indicated I should.
FYI, this is the first time I've built from source.

kcs

On Mon, Oct 31, 2022 at 9:44 AM Ingo Klöcker wrote:
>
> On Monday, 31 October 2022 10:23:10 CET K S via Gnupg-users wrote:
> > Question:
> > Why aren't those identical? I notice the source build has only
> > Uncompressed as an option.
> [...]
> > Is there something I missed in my build?
>
> configure most likely didn't find the development files of the compression
> libraries. Check the output of configure.
>
> Regards,
> Ingo

From angel.de.vicente at iac.es Fri Nov 4 20:03:35 2022
From: angel.de.vicente at iac.es (Angel de Vicente)
Date: Fri, 04 Nov 2022 19:03:35 +0000
Subject: Problems with Gnus (Emacs) + GnuPG for signing a mail with S/MIME
Message-ID: <87wn8ar188.fsf@iac.es>

Hello,

I've been trying to figure out why my setting (Emacs + Gnus) is giving me trouble to sign SMIME messages.

Well, the only problem seems to be when I select the option for loopback pinentry, and only for SMIME messages.
For signing with PGP loopback seems to work fine and I get asked the passphrase in the Emacs minibuffer, but for SMIME there seems to be a problem.

By setting epg-debug in Emacs to True I found that most of the moves are OK, but that the error comes from not being able to get the passphrase: the " *gpg-error* buffer comes with:

,----
| gpgsm: Note: non-critical certificate policy not allowed
| gpgsm: Note: non-critical certificate policy not allowed
| gpgsm: Note: non-critical certificate policy not allowed
| gpgsm: CRLs not checked due to --disable-crl-checks option
| gpgsm: DBG: adding certificates at level -2
| gpgsm: ignoring gpg-agent inquiry 'PASSPHRASE'
| gpgsm: error creating signature: No passphrase given
`----

while the gpg-agent.log tells me:

,----
| DBG: chan_9 -> OK Pleased to meet you, process 3382246
| DBG: chan_9 <- RESET
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION ttytype=dumb
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION display=:0.0
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION xauthority=/home/angelv/.Xauthority
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION putenv=XDG_SESSION_TYPE=x11
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION putenv=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION putenv=INSIDE_EMACS=28.2,epg
| DBG: chan_9 -> OK
| DBG: chan_9 <- GETINFO version
| DBG: chan_9 -> D 2.2.40
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION allow-pinentry-notify
| DBG: chan_9 -> OK
| DBG: chan_9 <- OPTION pinentry-mode=loopback
| DBG: chan_9 -> OK
| DBG: chan_9 <- HAVEKEY FC155E4BAF3DA44364C84711DA0B7137EA89D084
| DBG: chan_9 -> OK
| DBG: chan_9 <- ISTRUSTED D1EB23A46D17D68FD92564C2F1F1601764D8E349
| DBG: chan_9 -> S TRUSTLISTFLAG relax
| DBG: chan_9 -> OK
| DBG: chan_9 <- RESET
| DBG: chan_9 -> OK
| DBG: chan_9 <- SIGKEY FC155E4BAF3DA44364C84711DA0B7137EA89D084
| DBG: chan_9 -> OK
| DBG: chan_9 <- SETKEYDESC
| Please+enter+the+passphrase+to+unlock+the+secret+key+for+the+X.509+certificate:%0A%22/CN=Angel+M+de+Vicente/O=Instituto+de+Astrofisica+de+Canarias/STREET=Calle+V?a+L?ctea,+s\x2fn/ST=Santa+Cruz+de+Tenerife/C=ES%22%0AS/N+00B4307E9B17A8814A2B5CAE68E09B520E,+ID+0x74A5504B,%0Acreated+2022-10-31,+expires+2024-10-30.%0A
| DBG: chan_9 -> OK
| DBG: chan_9 <- SETHASH 9 96D6D02821BA0498546EF7BD466B9712FD1C8126AD583F895CD8DDA26DD07B7BBFD74F8A5A6E3087C0893C7BBDD78CCB
| DBG: chan_9 -> OK
| DBG: chan_9 <- PKSIGN
| DBG: agent_get_cache 'FC155E4BAF3DA44364C84711DA0B7137EA89D084'.0 (mode 2) ...
| DBG: ... miss
| DBG: agent_get_cache '6F4B59E5A9FBC6FB684CB55FDBB7CC30EEE197E3'.0 (mode 2) (stored cache key) ...
| DBG: ... miss
| DBG: chan_9 -> S INQUIRE_MAXLEN 255
| DBG: chan_9 -> [[Confidential data not shown]]
| DBG: chan_9 <- [[Confidential data not shown]]
| failed to unprotect the secret key: No passphrase given
| failed to read the secret key
| command 'PKSIGN' failed: No passphrase given
| DBG: chan_9 -> ERR 67109041 No passphrase given
| DBG: chan_9 <- [eof]
`----

I have removed gnome-keyring and seahorse in my system (in case there was a conflict with them).

Any ideas as to what might cause this?

Many thanks
--
Ángel de Vicente
 Research Software Engineer (Supercomputing and BigData)
 Tel.: +34 922-605-747
 Web.: http://research.iac.es/proyecto/polmag/

 GPG: 0x8BDC390B69033F52

From andreaussi at yahoo.it Wed Nov 9 19:10:11 2022
From: andreaussi at yahoo.it (Andrea Lenarduzzi)
Date: Wed, 9 Nov 2022 18:10:11 +0000 (UTC)
Subject: Troubleshooting help
References: <1423155609.3361075.1668017411823.ref@mail.yahoo.com>
Message-ID: <1423155609.3361075.1668017411823@mail.yahoo.com>

Hi,

I've a lot of problems to use gpg with OmniKey AG OMNIKEY 3x21 and Alcor Micro Corp. AU9540.
gpg: selecting card failed

I'm on Manjaro rolling with Gnome 42.4

Can you help me with troubleshooting?
Thank you
regards
Uzzi

From wk at gnupg.org Thu Nov 10 09:54:17 2022
From: wk at gnupg.org (Werner Koch)
Date: Thu, 10 Nov 2022 09:54:17 +0100
Subject: Troubleshooting help
In-Reply-To: <1423155609.3361075.1668017411823@mail.yahoo.com> (Andrea Lenarduzzi via Gnupg-users's message of "Wed, 9 Nov 2022 18:10:11 +0000 (UTC)")
References: <1423155609.3361075.1668017411823.ref@mail.yahoo.com> <1423155609.3361075.1668017411823@mail.yahoo.com>
Message-ID: <87pmdvyyti.fsf@wheatstone.g10code.de>

Hi!

On Wed, 9 Nov 2022 18:10, Andrea Lenarduzzi said:
> Hi, I've a lot of problems to use gpg with OmniKey AG OMNIKEY 3x21
> and Alcor Micro Corp. AU9540. gpg: selecting card failed

Better get a solid reader and not those Windows readers which delegate parts of their duties in their Windows driver (Short APDU mode problems).

However, you can try to use the pcscd instead of the GnuPG internal CCID driver. Add

  disabled-ccid-driver

to ~/.gnupg/scdaemon.conf and make sure pcscd is installed and running.

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

From andreaussi at yahoo.it Thu Nov 10 12:57:56 2022
From: andreaussi at yahoo.it (Andrea Lenarduzzi)
Date: Thu, 10 Nov 2022 11:57:56 +0000 (UTC)
Subject: Troubleshooting help
In-Reply-To: <87pmdvyyti.fsf@wheatstone.g10code.de>
References: <1423155609.3361075.1668017411823.ref@mail.yahoo.com> <1423155609.3361075.1668017411823@mail.yahoo.com> <87pmdvyyti.fsf@wheatstone.g10code.de>
Message-ID: <1308906829.3842637.1668081476010@mail.yahoo.com>

Hi, thank you for the feedback.
These are my reports:

sudo systemctl status pcscd
● pcscd.service - PC/SC Smart Card Daemon
     Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; preset: disabled)
     Active: active (running) since Thu 2022-11-10 12:50:23 CET; 1min 55s ago
TriggeredBy: ● pcscd.socket
       Docs: man:pcscd(8)
   Main PID: 464651 (pcscd)
      Tasks: 7 (limit: 76874)
     Memory: 1.3M
        CPU: 77ms
     CGroup: /system.slice/pcscd.service
             └─464651 /usr/bin/pcscd --foreground --auto-exit

nov 10 12:50:23 Mes-CesiD02 systemd[1]: Started PC/SC Smart Card Daemon.

cat ~/.gnupg/scdaemon.conf
###+++--- GPGConf ---+++###
#reader-port /dev/input/event12
#pcsc-driver /usr/lib/pcsc/drivers/omnikey_ifdokccid.bundle/Contents/Linux/ifdokccid.so
disabled-ccid-driver
###+++--- GPGConf ---+++### ven 21 ott 2022, 20:44:55 CEST
# GPGConf edited this configuration file.
# It will disable options before this marked block, but it will
# never change anything below these lines.
reader-port 32768
card-timeout 5

gpg: selecting card failed

From wk at gnupg.org Fri Nov 11 08:36:09 2022
From: wk at gnupg.org (Werner Koch)
Date: Fri, 11 Nov 2022 08:36:09 +0100
Subject: Troubleshooting help
In-Reply-To: <1308906829.3842637.1668081476010@mail.yahoo.com> (Andrea Lenarduzzi's message of "Thu, 10 Nov 2022 11:57:56 +0000 (UTC)")
References: <1423155609.3361075.1668017411823.ref@mail.yahoo.com> <1423155609.3361075.1668017411823@mail.yahoo.com> <87pmdvyyti.fsf@wheatstone.g10code.de> <1308906829.3842637.1668081476010@mail.yahoo.com>
Message-ID: <87a64yx7rq.fsf@wheatstone.g10code.de>

On Thu, 10 Nov 2022 11:57, Andrea Lenarduzzi said:

> disabled-ccid-driver

I hope that is a c=P error. The option is called "disable-ccid-driver" and not "disabled-..."

> reader-port 32768

That is a very unlikely reader port specification; you need to use the strings as shown by PC/SC. If you run 2.2

  gpg-connect-agent 'scd getinfo reader_list' /bye

may give you a list of available readers.

> gpg: selecting card failed

Likely with the above reader port.


Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

From andreaussi at yahoo.it Fri Nov 11 11:58:42 2022
From: andreaussi at yahoo.it (Andrea Lenarduzzi)
Date: Fri, 11 Nov 2022 10:58:42 +0000 (UTC)
Subject: Troubleshooting help
In-Reply-To: <87a64yx7rq.fsf@wheatstone.g10code.de>
References: <1423155609.3361075.1668017411823.ref@mail.yahoo.com> <1423155609.3361075.1668017411823@mail.yahoo.com> <87pmdvyyti.fsf@wheatstone.g10code.de> <1308906829.3842637.1668081476010@mail.yahoo.com> <87a64yx7rq.fsf@wheatstone.g10code.de>
Message-ID: <1715716383.4527694.1668164322397@mail.yahoo.com>

Thank you

gpg-connect-agent 'scd getinfo reader_list' /bye
D 058F:9540:X:0%0A076B:3031:X:0%0A
OK

but

gpg --card-edit
gpg: selecting card failed: with #reader-port 32768 and disable-ccid-driver

From bernhard at intevation.de Fri Nov 11 13:43:59 2022
From: bernhard at intevation.de (Bernhard Reiter)
Date: Fri, 11 Nov 2022 13:43:59 +0100
Subject: Troubleshooting help
In-Reply-To: <1715716383.4527694.1668164322397@mail.yahoo.com>
References: <1423155609.3361075.1668017411823.ref@mail.yahoo.com> <87a64yx7rq.fsf@wheatstone.g10code.de> <1715716383.4527694.1668164322397@mail.yahoo.com>
Message-ID: <202211111344.00412.bernhard@intevation.de>

On Friday 11 November 2022 11:58:42, Andrea Lenarduzzi via Gnupg-users wrote:
> gpg: selecting card failed: with #reader-port 32768 and disable-ccid-driver

You probably know that -v (several times) and --debug-all on many GnuPG binaries can greatly increase the verbosity and thus help to see more.

Bernhard

--
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter

From bernhard at intevation.de Fri Nov 11 14:06:34 2022
From: bernhard at intevation.de (Bernhard Reiter)
Date: Fri, 11 Nov 2022 14:06:34 +0100
Subject: Difference between versions--Question
In-Reply-To:
References: <1841143.CQOukoFCf9@daneel>
Message-ID: <202211111406.42092.bernhard@intevation.de>

Hi Kevin,

On Friday 04 November 2022 13:55:58, K S via Gnupg-users wrote:
> How do I run configure to get the compression routines?

checkout the "config.log" or the output of your configure command run
to see if there are messages concerning compression libraries.

> FYI, this is the first time I've built from source.

It is cool that you have tried it! :)

Bernhard

--
https://intevation.de/~bernhard
+49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter

From bernhard at intevation.de Fri Nov 11 14:14:28 2022
From: bernhard at intevation.de (Bernhard Reiter)
Date: Fri, 11 Nov 2022 14:14:28 +0100
Subject: Problems with Gnus (Emacs) + GnuPG for signing a mail with S/MIME
In-Reply-To: <87wn8ar188.fsf@iac.es>
References: <87wn8ar188.fsf@iac.es>
Message-ID: <202211111414.29442.bernhard@intevation.de>

On Friday 04 November 2022 20:03:35, Angel de Vicente wrote:
> Any ideas as to what might cause this?

Not really, I would start the analysis by asserting that
  gpgsm --sign
still works outside of Emacs and then somehow try to emulate the loopback
mode. Maybe there is a different problem somewhere.

Bernhard

--
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter

From wk at gnupg.org Fri Nov 11 15:35:59 2022
From: wk at gnupg.org (Werner Koch)
Date: Fri, 11 Nov 2022 15:35:59 +0100
Subject: Troubleshooting help
In-Reply-To: <1715716383.4527694.1668164322397@mail.yahoo.com> (Andrea Lenarduzzi's message of "Fri, 11 Nov 2022 10:58:42 +0000 (UTC)")
References: <1423155609.3361075.1668017411823.ref@mail.yahoo.com> <1423155609.3361075.1668017411823@mail.yahoo.com> <87pmdvyyti.fsf@wheatstone.g10code.de> <1308906829.3842637.1668081476010@mail.yahoo.com> <87a64yx7rq.fsf@wheatstone.g10code.de> <1715716383.4527694.1668164322397@mail.yahoo.com>
Message-ID: <87wn81woc0.fsf@wheatstone.g10code.de>

On Fri, 11 Nov 2022 10:58, Andrea Lenarduzzi said:
> Thank you
> gpg-connect-agent 'scd getinfo reader_list' /bye
> D 058F:9540:X:0%0A076B:3031:X:0%0A
> OK

Unencoding the above list:

  058F:9540:X:0
  076B:3031:X:0

Thus you have two readers and you need to put either

--8<---------------cut here---------------start------------->8---
reader-port 058F:9540:X:0
--8<---------------cut here---------------end--------------->8---

or

--8<---------------cut here---------------start------------->8---
reader-port 076B:3031:X:0
--8<---------------cut here---------------end--------------->8---

into your ~/.gnupg/scdaemon.conf and restart the daemon (gpgconf --kill all)


Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

From kloecker at kde.org Fri Nov 11 15:38:10 2022
From: kloecker at kde.org (Ingo Klöcker)
Date: Fri, 11 Nov 2022 15:38:10 +0100
Subject: Difference between versions--Question
In-Reply-To: <202211111406.42092.bernhard@intevation.de>
References: <202211111406.42092.bernhard@intevation.de>
Message-ID: <5623161.DvuYhMxLoT@daneel>

On Friday, 11
November 2022 14:06:34 CET Bernhard Reiter wrote:
> On Friday 04 November 2022 13:55:58, K S via Gnupg-users wrote:
> > How do I run configure to get the compression routines?
>
> checkout the "config.log" or the output of your configure command run
> to see if there are messages concerning compression libraries.

It depends on your distribution what packages you need to install to get support for compression. Typically, those packages would be called something like zlib-devel, zip-devel, bzip2-devel, or similar.

configure will very likely have told you that it didn't find zlib, zip and bzip2. Just running configure without looking at its output will allow you to build an application, but you may miss optional features like, in the case of gnupg, support for different types of compression.

Regards,
Ingo

From angel.de.vicente at iac.es Fri Nov 11 14:40:13 2022
From: angel.de.vicente at iac.es (Angel de Vicente)
Date: Fri, 11 Nov 2022 13:40:13 +0000
Subject: Problems with Gnus (Emacs) + GnuPG for signing a mail with S/MIME
In-Reply-To: <202211111414.29442.bernhard@intevation.de> (Bernhard Reiter's message of "Fri, 11 Nov 2022 14:14:28 +0100")
References: <87wn8ar188.fsf@iac.es> <202211111414.29442.bernhard@intevation.de>
Message-ID: <87edu9a9tu.fsf@iac.es>

Hello,

Bernhard Reiter writes:

> On Friday 04 November 2022 20:03:35, Angel de Vicente wrote:
>> Any ideas as to what might cause this?
>
> Not really, I would start the analysis by asserting that
> gpgsm --sign
> still works outside of Emacs and then somehow try to emulate the loopback
> mode. Maybe there is a different problem somewhere.

gpgsm --sign outside of Emacs does work without any problems.

I actually have no problems signing with S/MIME also inside Emacs (as far as the passphrase has been cached).
And I have no problems signing with PGP (pinentry loopback works fine then).

So it looks like something that affects exclusively pinentry loopback while signing with S/MIME (actually you will see this e-mail signed with S/MIME. Basically I try to sign it, if I get the error because the passphrase was not cached, I simply sign a region with PGP (which asks me correctly for the passphrase and it gets cached, and then I have no problem signing and sending the message).

I really have no clue what could be going on...

Thanks,
--
Ángel de Vicente
 Research Software Engineer (Supercomputing and BigData)
 Tel.: +34 922-605-747
 Web.: http://research.iac.es/proyecto/polmag/

 GPG: 0x8BDC390B69033F52

From bernhard at intevation.de Fri Nov 11 17:02:41 2022
From: bernhard at intevation.de (Bernhard Reiter)
Date: Fri, 11 Nov 2022 17:02:41 +0100
Subject: Problems with Gnus (Emacs) + GnuPG for signing a mail with S/MIME
In-Reply-To: <87edu9a9tu.fsf@iac.es>
References: <87wn8ar188.fsf@iac.es> <202211111414.29442.bernhard@intevation.de> <87edu9a9tu.fsf@iac.es>
Message-ID: <202211111702.49493.bernhard@intevation.de>

On Friday 11 November 2022 14:40:13, Angel de Vicente wrote:
> I actually have no problems signing with S/MIME also inside Emacs (as
> far as the passphrase has been cached). And I have no problems signing
> with PGP (pinentry loopback works fine then).
>
> So it looks like something that affects exclusively pinentry loopback
> while signing with S/MIME

As always, there must be a difference in how OpenPGP and S/MIME signing with GnuPG is called from Emacs/Gnus.
(There is a small chance that it is with the specific keypair you are using.)

Comparing detailed logs of OpenPGP and S/MIME might reveal the difference.
I darkly remember Gnus using GPGME, if this is the case, maybe a GPGME_DEBUG log can help you.
Otherwise you need to look into how Emacs can produce more details about what it is going (I am not an Emacs user, so I cannot really help you there.)

Regards
Bernhard

From gusnan at librem.one Sat Nov 12 22:53:07 2022
From: gusnan at librem.one (Andreas Rönnquist)
Date: Sat, 12 Nov 2022 22:53:07 +0100
Subject: GPA conversion to GTK3
Message-ID: <20221112225307.421d3be7@debian-i7>

Hi!

I have been hacking on Gnu Privacy Assistant (GPA), porting it to GTK3, and I have come quite far - If you have any interest in it, please check it out on https://github.com/gusnan/gpa (port-gtk3 branch).

I have converted the menus to the modern GtkBuilder style, and I have moved the xpm images to the source folder (It might not have been necessary, I'm not sure), but it works just fine now. The GTK3 style is to compile images to C source, and including it in the program compilation (Which avoids the necessity to load the images from disc runtime).

There's still warnings about alignment stuff (I'm not sure on how to handle those), and there's a g_cclosure_marshal_* that I am not sure I have handled correctly - needs investigation.

I might have missed connecting menu items and signals properly, so please try it out and report back here (or as github issues / pull requests). Please notice that this is nowhere near release quality yet.

And yes, I have noted that gpg4win has abandoned gpa, which I guess is part of the reason of the lower priority for it, but that doesn't mean that us Linux people cannot use it, right?

Another thing that probably should be mentioned is that I use GtkToolbar to make it work as close to the GTK2 version as possible, but for GTK4 this widget is removed, and needs to be replaced with something else in the future.
(Let's hope that is some time away).

And I don't mind horribly if the code isn't used, it was a nice exercise.

best
/Andreas Rönnquist
gusnan at librem.one

From bernhard at intevation.de Mon Nov 14 09:16:23 2022
From: bernhard at intevation.de (Bernhard Reiter)
Date: Mon, 14 Nov 2022 09:16:23 +0100
Subject: GPA conversion to GTK3
In-Reply-To: <20221112225307.421d3be7@debian-i7>
References: <20221112225307.421d3be7@debian-i7>
Message-ID: <202211140916.23562.bernhard@intevation.de>

Hi Andreas,

On Saturday 12 November 2022 22:53:07, Andreas Rönnquist via Gnupg-users wrote:
> And yes, I have noted that gpg4win has abandoned gpa, which I guess is
> part of the reason of the lower priority for it, but that doesn't mean
> that us Linux people cannot use it, right?

"abandoned" is not the right word for it, to be fair. ;)
It is that GPA has not seen much active development within the whole GnuPG development team for all platforms.

In my observation this is because
a) there is a good expert user interface with Kleopatra already
b) and maintaining two would bind efforts that are well invested elsewhere.
c) for a better user experience the export UIs like GPA and Kleopatra should appear less.

So GPA is looking for new maintainers and it is great that you are hacking on it.
Hope more people join this and other related OpenPGP endtoend efforts.

Best Regards,
Bernhard

--
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter

From wk at gnupg.org Mon Nov 14 10:44:48 2022
From: wk at gnupg.org (Werner Koch)
Date: Mon, 14 Nov 2022 10:44:48 +0100
Subject: Problems with Gnus (Emacs) + GnuPG for signing a mail with S/MIME
In-Reply-To: <87wn8ar188.fsf@iac.es> (Angel de Vicente's message of "Fri, 04 Nov 2022 19:03:35 +0000")
References: <87wn8ar188.fsf@iac.es>
Message-ID: <87o7t9vpin.fsf@wheatstone.g10code.de>

On Fri, 4 Nov 2022 19:03, Angel de Vicente said:

> Any ideas as to what might cause this?

No. But you may want to add

  debug-pinentry

to gpg-agent.conf


Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

From angel.de.vicente at iac.es Mon Nov 14 11:31:16 2022
From: angel.de.vicente at iac.es (Angel de Vicente)
Date: Mon, 14 Nov 2022 10:31:16 +0000
Subject: Problems with Gnus (Emacs) + GnuPG for signing a mail with S/MIME
In-Reply-To: <87o7t9vpin.fsf@wheatstone.g10code.de> (Werner Koch's message of "Mon, 14 Nov 2022 10:44:48 +0100")
References: <87wn8ar188.fsf@iac.es> <87o7t9vpin.fsf@wheatstone.g10code.de>
Message-ID: <87iljh7rpn.fsf@iac.es>

Hello,

Werner Koch writes:

>> Any ideas as to what might cause this?
>
> No. But you may want to add
>
> debug-pinentry

Thanks. I had already tried that, but didn't seem to report anything useful to figure out the problem in my case...

--
Ángel de Vicente
 Research Software Engineer (Supercomputing and BigData)
 Tel.: +34 922-605-747
 Web.: http://research.iac.es/proyecto/polmag/

 GPG: 0x8BDC390B69033F52

From andreaussi at yahoo.it Tue Nov 15 19:08:53 2022
From: andreaussi at yahoo.it (Andrea Lenarduzzi)
Date: Tue, 15 Nov 2022 18:08:53 +0000 (UTC)
Subject: Troubleshooting help
In-Reply-To: <87wn81woc0.fsf@wheatstone.g10code.de>
References: <1423155609.3361075.1668017411823.ref@mail.yahoo.com> <1423155609.3361075.1668017411823@mail.yahoo.com> <87pmdvyyti.fsf@wheatstone.g10code.de> <1308906829.3842637.1668081476010@mail.yahoo.com> <87a64yx7rq.fsf@wheatstone.g10code.de> <1715716383.4527694.1668164322397@mail.yahoo.com> <87wn81woc0.fsf@wheatstone.g10code.de>
Message-ID: <1366606404.921846.1668535733691@mail.yahoo.com>

Thank you.
Now a FSFE Card is read.
How can I write a .pgp on virgin card?
Thank you
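
The decoding step from Werner Koch's reply earlier in this thread ("Unencoding the above list") and the reader-port mismatch he diagnosed, as an added example that is not part of any message on this list or of GnuPG itself. The function names are hypothetical, the exact-match comparison is a simplification chosen for this example, and the sample response and configuration are the ones posted in the thread with their line breaks restored.

```python
#!/usr/bin/env python3
"""Cross-check scdaemon.conf 'reader-port' entries against scdaemon's reader list.

Added illustration; the helper names below are hypothetical, not GnuPG API.
"""
from urllib.parse import unquote_to_bytes

# Output of: gpg-connect-agent 'scd getinfo reader_list' /bye
# (as posted in the thread, line breaks restored)
SAMPLE_RESPONSE = "D 058F:9540:X:0%0A076B:3031:X:0%0A\nOK\n"

# ~/.gnupg/scdaemon.conf as posted in the thread, line breaks restored
SAMPLE_CONF = """\
###+++--- GPGConf ---+++###
#reader-port /dev/input/event12
#pcsc-driver /usr/lib/pcsc/drivers/omnikey_ifdokccid.bundle/Contents/Linux/ifdokccid.so
disabled-ccid-driver
###+++--- GPGConf ---+++### ven 21 ott 2022, 20:44:55 CEST
# GPGConf edited this configuration file.
# It will disable options before this marked block, but it will
# never change anything below these lines.
reader-port 32768
card-timeout 5
"""


def assuan_unescape(data):
    """Undo the %XX escaping of an Assuan data line ('+' is left untouched)."""
    return unquote_to_bytes(data).decode("utf-8", "replace")


def parse_reader_list(response):
    """Return the reader names carried by the 'D' lines of an Assuan response."""
    chunks = []
    for line in response.splitlines():
        if line.startswith("D "):
            # One reply may be split over several D lines; join before decoding.
            chunks.append(line[2:])
        elif line == "OK" or line.startswith("OK "):
            break
        elif line.startswith("ERR "):
            raise RuntimeError("scdaemon returned: " + line)
        # 'S' status lines and '#' comments carry no reader names; skip them.
    decoded = assuan_unescape("".join(chunks))
    return [name for name in decoded.split("\n") if name]


def active_reader_ports(conf_text):
    """Yield (line_no, value) for each reader-port option that is not commented out."""
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lstrip("-") == "reader-port":
            yield line_no, (parts[1].strip() if len(parts) > 1 else "")


def check_reader_ports(conf_text, readers):
    """Return [(line_no, value)] for reader-port values scdaemon did not list.

    Exact string comparison is this example's assumption.
    """
    return [(no, value) for no, value in active_reader_ports(conf_text)
            if value not in readers]


if __name__ == "__main__":
    readers = parse_reader_list(SAMPLE_RESPONSE)
    print("readers reported by scdaemon:", readers)
    for no, value in check_reader_ports(SAMPLE_CONF, readers):
        print(f"scdaemon.conf line {no}: reader-port {value!r} "
              "matches no listed reader")
```

Only the reader-port entries are checked; other options in the file are passed over without validation.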

From cdmichaela3 at tutanota.com Fri Nov 18 03:35:24 2022
From: cdmichaela3 at tutanota.com (Michaela Tilson)
Date: Fri, 18 Nov 2022 03:35:24 +0100 (CET)
Subject: Safest Way to get GPG
Message-ID:

Good morning,

I'm sorry this question has already been posted on the mailing list, but the existing answers are a little out of date and I'm looking forward to updated advice from security experts on this.

What is the safest/most reliable way to get GnuPG as a command line application on macOS? I know it can be found with either 1) GPG Tools, 2) GnuPG for OS X, or 3) one of the package managers.

GPG Tools is most often recommended, but this may be due to GUI integration. Its drawback is that it offers the LTS instead of the stable version.

I appreciate Ralph Seichter's work on the GnuPG for OS X project, but his GPG 2.3.8 package uses Libksba 1.6.0, which was recently announced to have security vulnerabilities. I can say it did not instill confidence in me. :)

Finally, Homebrew, but not MacPorts/Fink, has GnuPG 2.3 in its repository. But I've read that even popular package managers are prone to supply chain attacks if they don't ship with the OS itself.

Compared to Unix, there may be no perfect option to safely obtain GPG 2.3 on macOS other than compiling it yourself, but recommendations on how to do it in the best way (including possible mitigations and countermeasures) are appreciated.

Many thanks,
Michaela

From jscott at posteo.net Sun Nov 20 05:59:32 2022
From: jscott at posteo.net (John Scott)
Date: Sun, 20 Nov 2022 04:59:32 +0000
Subject: Read random bytes from Gnuk potentially frequently without destroying the card
Message-ID: <31c60cb2dab324df5874743e9899e70d0a3d697f.camel@posteo.net>

Hi all,

Just for fun and because I have extra Gnuk tokens lying around, I'd like to try writing a program for my libreCMC router that feeds the Linux entropy pool with data from the token's true RNG.
The help text for scdaemon states

> # RANDOM
> #
> # Get NBYTES of random from the card and send them back as data.
> # This usually involves EEPROM write on the card and thus excessive
> # use of this command may destroy the card.

I note that the help text says "usually." Can anyone confirm whether Gnuks specifically do a ROM write in this case? If they still do the write, I have a follow-up question.

I also notice that OpenSC has the feature to get an arbitrary number of random bytes from the card with its OpenPGP module (it's not limited to 256 like requests to scdaemon are), like this:

$ pkcs11-tool --generate-random 1024

I realize this isn't the list for OpenSC questions, but does this probably use the same mechanism under-the-hood and hence invoke a write as well, or is there a chance that it avoids the write?

Thanks for the excellent libre software, and happy hacking

From dgouttegattat at incenp.org Sun Nov 20 14:24:59 2022
From: dgouttegattat at incenp.org (Damien Goutte-Gattat)
Date: Sun, 20 Nov 2022 13:24:59 +0000
Subject: Read random bytes from Gnuk potentially frequently without destroying the card
In-Reply-To: <31c60cb2dab324df5874743e9899e70d0a3d697f.camel@posteo.net>
References: <31c60cb2dab324df5874743e9899e70d0a3d697f.camel@posteo.net>
Message-ID: <4287088.UPlyArG6xL@borealin.local.incenp.org>

Hi,

On Sunday, 20 November 2022 04:59:32 GMT John Scott via Gnupg-users wrote:
> I'd like to try writing a program for my libreCMC router that feeds the
> Linux entropy pool with data from the token's true RNG.

FYI, I wrote a similar program a few years ago: scdrand [1]. It uses Scdaemon's RANDOM command to extract random bytes from any Scdaemon-supported token (be it a Gnuk token, an actual smartcard, a Yubikey, etc.) and feed them to the kernel's entropy pool.
I am not really using it anymore because I found that I had no longer any need for it with recent Linux kernels, but it should still work.

Of course, this should not dissuade you from writing your own program. :)

> I also notice that OpenSC has the feature to get an arbitrary number of
> random bytes from the card with its OpenPGP module [...] does this
> probably use the same mechanism under-the-hood

Yes. Both Scdaemon's RANDOM and pkcs11-tool's --generate-random work by sending the token an ISO7816 "GET CHALLENGE" command, which instructs the token to send back random bytes.

Whether "excessive use" of that command ends up damaging the token, and what is "excessive use", ultimately depends on how that command is implemented token-side.

In the specific case of the Gnuk token, the GET CHALLENGE command is implemented using the same logic as the one used in NeuG [2]. I have not looked in detail how NeuG works, but given that it is specifically intended as a random number generator, I'd say it's safe to assume that using it as intended cannot "destroy the token". :)

Hope that helps.

- Damien

[1] https://git.incenp.org/damien/scdtools
[2] https://www.gniibe.org/memo/development/gnuk/rng/neug.html

From cdmichaela3 at tutanota.com Mon Nov 21 03:30:12 2022
From: cdmichaela3 at tutanota.com (Michaela Tilson)
Date: Mon, 21 Nov 2022 03:30:12 +0100 (CET)
Subject: Safest Way to get GPG
In-Reply-To:
References:
Message-ID:

Good morning,

I'm wondering if anyone on this mailing list has any suggestions for my question. FYI, using gpgconf --show-versions to check the latest version of GnuPG for OS X shows KSBA 1.6.0.

Many thanks,
Michaela

Nov 18, 2022, 02:35 by gnupg-users at gnupg.org:

> Good morning,
>
> I'm sorry this question has already been posted on the mailing list, but the existing answers are a little out of date and I'm looking forward to updated advice from security experts on this. What is the safest/most reliable way to get GnuPG as a command line application on macOS?
>

From dgouttegattat at incenp.org Mon Nov 21 21:59:12 2022
From: dgouttegattat at incenp.org (Damien Goutte-Gattat)
Date: Mon, 21 Nov 2022 20:59:12 +0000
Subject: Safest Way to get GPG
In-Reply-To:
References:
Message-ID: <21153237.4csPzL39Zc@borealin.local.incenp.org>

Hi,

On Friday, 18 November 2022 02:35:24 GMT Michaela Tilson via Gnupg-users wrote:
> I'm looking forward to updated advice from security experts on this. What is the safest/most reliable way to get GnuPG as a command line application on macOS?

Not pretending to be any kind of security expert, but on my professional Mac, I use MacPorts, with a custom copy of the ports repository where I upgraded gnupg2 to the latest release from the 2.3 branch.

> GPG Tools is most often recommended, but this may be due to GUI integration. Its drawback is that it offers the LTS instead of the stable version.

I _also_ use GPG Tools, but _solely_ for the Apple Mail plugin. The plugin uses the MacPorts-installed GnuPG binaries and daemons instead of those from GPG Tools, so I can benefit from the 2.3 branch.

> But I've read that even popular package managers are prone to supply chain attacks if they don't ship with the OS itself.

As mentioned above, I have a local clone of the ports repository and I install my ports from there. I did that for GnuPG primarily so that I could bump the version from 2.2.x to 2.3.x, but even if you don't change anything to the ports tree, having it locally on your machine allows you to manually inspect any Portfile -
in particular, you can check the hashes for the source tarballs, and compare them with the hashes from the GnuPG website and/or from the latest announcement e-mail.

(And if you already have access to a working GnuPG installation somewhere - on another machine maybe? -, you can then download the GnuPG tarballs from gnupg.org along with the corresponding signatures, check the signatures, and compute the hashes yourself on the now verified tarballs. Then compare with the hashes in the Portfiles.)

Hope that helps!

- Damien

From cdmichaela3 at tutanota.com Fri Nov 25 09:14:38 2022
From: cdmichaela3 at tutanota.com (Michaela Tilson)
Date: Fri, 25 Nov 2022 09:14:38 +0100 (CET)
Subject: Safest Way to get GPG
In-Reply-To: <21153237.4csPzL39Zc@borealin.local.incenp.org>
References: <21153237.4csPzL39Zc@borealin.local.incenp.org>
Message-ID:

Hi Damien,

Thanks for your helpful advice. Does anyone else have any suggestions for best practices for safely installing the 2.3 branch under macOS?

Many thanks,
Michaela

Nov 21, 2022, 20:59 by dgouttegattat at incenp.org:

> Hope that helps!
>
> - Damien
>

From beijing.fengxu at gmail.com Mon Nov 28 07:29:59 2022
From: beijing.fengxu at gmail.com (Martin Brook)
Date: Mon, 28 Nov 2022 14:29:59 +0800
Subject: macos IKEv2 auth with yubikey
Message-ID:

Hi, All,

My name is Martin, and I'm from south China. I've invested nearly a month in searching for IKEv2 vpn auth with yubikey on macos. I have installed pgp-agent already. I try to choose the cert in yubikey and hopefully the pgp-agent could interact with yubikey, but failed to prompt every time when I started IKEv2 vpn connection.

I am wondering if there's any possibilities to do it? Could anybody advise on this issue? Appreciated in advance.

PS:
1. SSH auth works fine with yubikey on my macos.
But there's no command like 'enable-ssh-support' for IKEv2 VPN. .gnupg/gpg-agent.conf on my mac for ssh auth shown below:

pinentry-program /opt/homebrew/bin/pinentry-mac
enable-ssh-support
default-cache-ttl 600
max-cache-ttl 7200

2. I've achieved IKEv2 vpn auth with yubikey on windows. It seems windows can interact with Yubikey perfectly but not on macos.

Looking forward to hearing from you, Thank you.

BR
Martin

From andrewg at andrewg.com Mon Nov 28 12:20:49 2022
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Mon, 28 Nov 2022 11:20:49 +0000
Subject: macos IKEv2 auth with yubikey
In-Reply-To:
References:
Message-ID:

On 28/11/2022 06:29, Martin Brook via Gnupg-users wrote:
> 2. I've achieved IKEv2 vpn auth with yubikey on windows. It seems
> windows can interact with Yubikey perfectly but not on macos.

Hi, Martin.

How did you get this to work on Windows? Which IKE software are you using on each platform?

A

From gniibe at fsij.org Tue Nov 29 08:18:27 2022
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Tue, 29 Nov 2022 16:18:27 +0900
Subject: Read random bytes from Gnuk potentially frequently without destroying the card
In-Reply-To: <4287088.UPlyArG6xL@borealin.local.incenp.org>
References: <31c60cb2dab324df5874743e9899e70d0a3d697f.camel@posteo.net> <4287088.UPlyArG6xL@borealin.local.incenp.org>
Message-ID: <87cz96xm7w.fsf@akagi.fsij.org>

Damien Goutte-Gattat wrote:
> In the specific case of the Gnuk token, the GET CHALLENGE command is
> implemented using the same logic as the one used in NeuG [2]. I have not
> looked in detail how NeuG works, but given that it is specifically intended
> as a random number generator, I'd say it's safe to assume that using it as
> intended cannot "destroy the token".
> :)

No, it never destroys the token. So, for Gnuk Token, use it freely.

> # RANDOM
> #
> # Get NBYTES of random from the card and send them back as data.
> # This usually involves EEPROM write on the card and thus excessive
> # use of this command may destroy the card.

I didn't know this help text. I think that it's specific to Zeitcontrol card.

For Gnuk on STM32F103 (not the emulation version), it runs ADC (Analogue to Digital Converter) for randomness. It never destroys anything. While intended usage of ADC is measurement of some analog input, we use ADC to get noise (in theory, each sample has 0.5-bit of information, nobody knows).
--

From gniibe at fsij.org Tue Nov 29 08:04:25 2022
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Tue, 29 Nov 2022 16:04:25 +0900
Subject: Air32F103 might run at 108MHz
Message-ID: <87iliyxmva.fsf@akagi.fsij.org>

Hello,

I learned about Air32F103, another clone of STM32F103. Unfortunately, there is no reference manual available yet.

Air32F103:
https://wiki.luatos.com/chips/air32f103/index.html

Datasheet (in Chinese) *is* available here:
https://wiki.luatos.com/chips/air32f103/hardware.html

I looked around the code at:
https://gitee.com/iosetting/air32f103-template/blob/master/Libraries/AIR32F10xLib/inc/air32f10x_rcc.h

Because we can see a constant RCC_USBCLKSource_PLLCLK_4Div5, I guess that it could run at 108MHz with 0 wait cycle, USB enabled.

If we don't care about side channel signal (for flash accelerator), perhaps, it could run at 216MHz.

Currently, for Gnuk, GD32F103 (which is used for FST-01SZ) runs at 96MHz with 0 wait cycle, USB enabled. (It can run at 108MHz, but not with USB.)
--
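
An added example, not part of any message in this archive, for the check Damien Goutte-Gattat describes in the "Safest Way to get GPG" thread above: compare a tarball whose signature has already been verified with the checksums stanza of a local Portfile. The tarball bytes, the Portfile excerpt and the function names are constructed for illustration, and a single distfile per Portfile is assumed.

```python
import hashlib

# Constructed stand-in for a release tarball that already passed gpg --verify.
SAMPLE_TARBALL = b"constructed bytes, not a real GnuPG release\n"

# Constructed Portfile excerpt. The rmd160 value is a dummy; sha256 and size
# are computed from SAMPLE_TARBALL so that the example is self-consistent.
SAMPLE_PORTFILE = (
    "name                gnupg2\n"
    "checksums           rmd160  " + "0" * 40 + " \\\n"
    "                    sha256  " + hashlib.sha256(SAMPLE_TARBALL).hexdigest() + " \\\n"
    "                    size    " + str(len(SAMPLE_TARBALL)) + "\n"
)


def portfile_checksums(text):
    """Return {type: value} from the checksums stanza (one distfile assumed)."""
    folded = text.replace("\\\n", " ")      # join backslash-continued lines
    for line in folded.splitlines():
        words = line.split()
        if words and words[0] == "checksums":
            return dict(zip(words[1::2], words[2::2]))
    raise ValueError("no checksums stanza in Portfile")


def check_tarball(data, portfile_text):
    """Map each checksum type to True/False, or None when it was not checked."""
    result = {}
    for kind, value in portfile_checksums(portfile_text).items():
        if kind == "size":
            result[kind] = len(data) == int(value)
        elif kind in ("sha256", "sha1"):
            result[kind] = hashlib.new(kind, data).hexdigest() == value.lower()
        else:
            result[kind] = None     # e.g. rmd160, which hashlib may not provide
    return result


def portfile_matches(result):
    """Accept only if sha256 was checked and matched and nothing mismatched."""
    return result.get("sha256") is True and all(
        outcome is not False for outcome in result.values())


if __name__ == "__main__":
    outcome = check_tarball(SAMPLE_TARBALL, SAMPLE_PORTFILE)
    print(outcome, "->", "match" if portfile_matches(outcome) else "MISMATCH")
```

A None entry means that checksum type was not compared, so the decision rests on sha256 and size.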