From 44dc253c4c5342f5eda70ebf04ca9700e70c300c Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Mon, 24 Oct 2022 12:11:17 +0900 Subject: [PATCH 01/39] build: Update gpg-error.m4. * m4/gpg-error.m4: Update from libgpg-error 1.46. -- Signed-off-by: NIIBE Yutaka --- m4/gpg-error.m4 | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/m4/gpg-error.m4 b/m4/gpg-error.m4 index 4b5cd40b6..a975e53d0 100644 --- a/m4/gpg-error.m4 +++ b/m4/gpg-error.m4 @@ -10,7 +10,7 @@ # WITHOUT ANY WARRANTY, to the extent permitted by law; without even the # implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # -# Last-changed: 2022-02-15 +# Last-changed: 2022-09-21 dnl AM_PATH_GPG_ERROR([MINIMUM-VERSION, @@ -120,6 +120,10 @@ AC_DEFUN([AM_PATH_GPG_ERROR], fi if test -n "$gpgrt_libdir"; then break; fi done + if test -z "$libdir_candidates"; then + # No valid pkgconfig dir in any of the system directories, fallback + gpgrt_libdir=${possible_libdir1} + fi else # When we cannot determine system libdir-format, use this: gpgrt_libdir=${possible_libdir1} From 12273efdf4b5e208052a24fa77c860857ec32846 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Fri, 28 Oct 2022 11:46:25 +0200 Subject: [PATCH 02/39] doc: Make uploading of 2.2 manuals easier -- --- doc/Makefile.am | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/Makefile.am b/doc/Makefile.am index aba09b9e4..06efa486c 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -206,8 +206,8 @@ online: gnupg.html gnupg.pdf gnupg-module-overview.png \ if echo "@PACKAGE_VERSION@" | grep -- "-beta" >/dev/null; then \ dashdevel="-devel" ; \ else \ - rsync -v gnupg.pdf $${user}@$${webhost}:webspace/manuals/ ; \ + rsync -v gnupg.pdf $${user}@$${webhost}:webspace/manuals/gnupg-2.2.pdf ; \ fi ; \ cd gnupg.html ; \ rsync -vr --exclude='.git' . \ - $${user}@$${webhost}:webspace/manuals/gnupg$${dashdevel}/ + $${user}@$${webhost}:webspace/manuals/gnupg-2.2$${dashdevel}/ 
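Review bot: The version string `2.2` is now hard-coded twice in the rsync destinations of the `online` target (`gnupg-2.2.pdf` and `gnupg-2.2$${dashdevel}/`), while the beta test a few lines above derives from `@PACKAGE_VERSION@`; the next branch bump has to find and edit both. A single variable set at the start of the recipe, e.g. `manualver=2.2 ;` and then `webspace/manuals/gnupg-$${manualver}.pdf` and `webspace/manuals/gnupg-$${manualver}$${dashdevel}/`, keeps the two destinations in sync. The `online` recipe begins before the hunk.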
From ea222a0d9c7359430dfe9be36f4446a3b60a64df Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 4 Sep 2019 10:43:18 +0200 Subject: [PATCH 03/39] scd: Use APP_LEARN_FLAG_KEYPAIRINFO with more apps. * scd/app-nks.c (do_learn_status_core): Use new flag. * scd/app-sc-hsm.c (do_learn_status): Ditto. -- The flag was already backported to some apps but not to these. --- scd/app-nks.c | 2 +- scd/app-sc-hsm.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/scd/app-nks.c b/scd/app-nks.c index 8a99864cb..b09b71e67 100644 --- a/scd/app-nks.c +++ b/scd/app-nks.c @@ -866,7 +866,7 @@ do_learn_status_core (app_t app, ctrl_t ctrl, unsigned int flags, if (filelist[i].nks_app_id != nks_app_id) continue; - if (filelist[i].certtype && !(flags &1)) + if (filelist[i].certtype && !(flags & APP_LEARN_FLAG_KEYPAIRINFO)) { size_t len; diff --git a/scd/app-sc-hsm.c b/scd/app-sc-hsm.c index 1425b435b..ab9400719 100644 --- a/scd/app-sc-hsm.c +++ b/scd/app-sc-hsm.c @@ -1405,7 +1405,7 @@ do_learn_status (app_t app, ctrl_t ctrl, unsigned int flags) { gpg_error_t err; - if ((flags & 1)) + if ((flags & APP_LEARN_FLAG_KEYPAIRINFO)) err = 0; else { From 19791a1d4c9baa7ad2a1ec94c240d3d8af6a5bfa Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 19 Jun 2019 08:50:40 +0200 Subject: [PATCH 04/39] scd: Use app_get_slot at more places. -- This is helpful for backporting other changes. --- scd/app-dinsig.c | 25 +++++++++------- scd/app-nks.c | 15 +++++----- scd/app-openpgp.c | 76 +++++++++++++++++++++++++++-------------------- scd/app-sc-hsm.c | 33 +++++++++++--------- 4 files changed, 84 insertions(+), 65 deletions(-) diff --git a/scd/app-dinsig.c b/scd/app-dinsig.c index 5a2713e6b..378ec421c 100644 --- a/scd/app-dinsig.c +++ b/scd/app-dinsig.c 
@@ -100,7 +100,7 @@ do_learn_status (app_t app, ctrl_t ctrl, unsigned int flags) /* Return the certificate of the card holder. */ fid = 0xC000; - len = app_help_read_length_of_cert (app->slot, fid, &certoff); + len = app_help_read_length_of_cert (app_get_slot (app), fid, &certoff); if (!len) return 0; /* Card has not been personalized. */ @@ -113,7 +113,8 @@ do_learn_status (app_t app, ctrl_t ctrl, unsigned int flags) /* Now we need to read the certificate, so that we can get the public key out of it. */ - err = iso7816_read_binary (app->slot, certoff, len-certoff, &der, &derlen); + err = iso7816_read_binary (app_get_slot (app), certoff, len-certoff, + &der, &derlen); if (err) { log_info ("error reading entire certificate from FID 0x%04X: %s\n", @@ -192,14 +193,14 @@ do_readcert (app_t app, const char *certid, /* Read the entire file. fixme: This could be optimized by first reading the header to figure out how long the certificate actually is. */ - err = iso7816_select_file (app->slot, fid, 0); + err = iso7816_select_file (app_get_slot (app), fid, 0); if (err) { log_error ("error selecting FID 0x%04X: %s\n", fid, gpg_strerror (err)); return err; } - err = iso7816_read_binary (app->slot, 0, 0, &buffer, &buflen); + err = iso7816_read_binary (app_get_slot (app), 0, 0, &buffer, &buflen); if (err) { log_error ("error reading certificate from FID 0x%04X: %s\n", @@ -292,7 +293,7 @@ verify_pin (app_t app, pininfo.maxlen = 8; if (!opt.disable_pinpad - && !iso7816_check_pinpad (app->slot, ISO7816_VERIFY, &pininfo) ) + && !iso7816_check_pinpad (app_get_slot (app), ISO7816_VERIFY, &pininfo) ) { rc = pincb (pincb_arg, _("||Please enter your PIN at the reader's pinpad"), @@ -303,7 +304,7 @@ verify_pin (app_t app, gpg_strerror (rc)); return rc; } - rc = iso7816_verify_kp (app->slot, 0x81, &pininfo); + rc = iso7816_verify_kp (app_get_slot (app), 0x81, &pininfo); /* Dismiss the prompt. */ pincb (pincb_arg, NULL, NULL); } 
@@ -344,7 +345,8 @@ verify_pin (app_t app, return gpg_error (GPG_ERR_BAD_PIN); } - rc = iso7816_verify (app->slot, 0x81, pinvalue, strlen (pinvalue)); + rc = iso7816_verify (app_get_slot (app), 0x81, + pinvalue, strlen (pinvalue)); if (gpg_err_code (rc) == GPG_ERR_INV_VALUE) { /* We assume that ISO 9564-1 encoding is used and we failed @@ -365,7 +367,8 @@ verify_pin (app_t app, paddedpin[i++] = (((*s - '0') << 4) | 0x0f); while (i < sizeof paddedpin) paddedpin[i++] = 0xff; - rc = iso7816_verify (app->slot, 0x81, paddedpin, sizeof paddedpin); + rc = iso7816_verify (app_get_slot (app), 0x81, + paddedpin, sizeof paddedpin); } xfree (pinvalue); } @@ -483,7 +486,7 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo, rc = verify_pin (app, pincb, pincb_arg); if (!rc) - rc = iso7816_compute_ds (app->slot, 0, data, datalen, 0, + rc = iso7816_compute_ds (app_get_slot (app), 0, data, datalen, 0, outdata, outdatalen); return rc; } @@ -533,7 +536,7 @@ do_change_pin (app_t app, ctrl_t ctrl, const char *chvnostr, return err; } - err = iso7816_change_reference_data (app->slot, 0x81, + err = iso7816_change_reference_data (app_get_slot (app), 0x81, oldpin, oldpinlen, pinvalue, strlen (pinvalue)); xfree (pinvalue); @@ -548,7 +551,7 @@ gpg_error_t app_select_dinsig (app_t app) { static char const aid[] = { 0xD2, 0x76, 0x00, 0x00, 0x66, 0x01 }; - int slot = app->slot; + int slot = app_get_slot (app); int rc; rc = iso7816_select_application (slot, aid, sizeof aid, 0); diff --git a/scd/app-nks.c b/scd/app-nks.c index b09b71e67..c14041506 100644 --- a/scd/app-nks.c +++ b/scd/app-nks.c @@ -870,7 +870,7 @@ do_learn_status_core (app_t app, ctrl_t ctrl, unsigned int flags, { size_t len; - len = app_help_read_length_of_cert (app->slot, + len = app_help_read_length_of_cert (app_get_slot (app), filelist[i].fid, NULL); if (len) { 
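Review bot: In app-dinsig.c verify_pin the PIN is released with `xfree (pinvalue)` immediately after the two `iso7816_verify` calls without being wiped, and the BCD-padded copy in `paddedpin` on the stack is never cleared either, so the PIN can linger in process memory after verification; the OpenPGP do_change_pin hunk later in this patch does `wipememory (buffer, pinlen0 + pinlen);` before its `xfree`. Adding `wipememory (pinvalue, strlen (pinvalue));` before the free and `wipememory (paddedpin, sizeof paddedpin);` after the retry brings this path in line with that convention. The same unwiped `xfree (pinvalue)` follows the `iso7816_verify` call in app-nks.c verify_pin and in app-sc-hsm.c verify_pin in later hunks of this patch. This predates the commit, and verify_pin begins before the hunk.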
@@ -962,7 +962,7 @@ readcert_from_ef (app_t app, int fid, unsigned char **cert, size_t *certlen) /* Read the entire file. fixme: This could be optimized by first reading the header to figure out how long the certificate actually is. */ - err = iso7816_select_file (app->slot, fid, 0); + err = iso7816_select_file (app_get_slot (app), fid, 0); if (err) { log_error ("nks: error selecting FID 0x%04X: %s\n", @@ -970,7 +970,7 @@ readcert_from_ef (app_t app, int fid, unsigned char **cert, size_t *certlen) return err; } - err = iso7816_read_binary (app->slot, 0, 0, &buffer, &buflen); + err = iso7816_read_binary (app_get_slot (app), 0, 0, &buffer, &buflen); if (err) { log_error ("nks: error reading certificate from FID 0x%04X: %s\n", @@ -1515,7 +1515,7 @@ do_writekey (app_t app, ctrl_t ctrl, /* mse[10] = 0x82; /\* RSA public exponent of up to 4 bytes. *\/ */ /* mse[12] = rsa_e_len; */ /* memcpy (mse+12, rsa_e, rsa_e_len); */ -/* err = iso7816_manage_security_env (app->slot, 0x81, 0xB6, */ +/* err = iso7816_manage_security_env (app_get_slot (app), 0x81, 0xB6, */ /* mse, sizeof mse); */ leave: @@ -1659,7 +1659,7 @@ verify_pin (app_t app, int pwid, const char *desc, } if (!opt.disable_pinpad - && !iso7816_check_pinpad (app->slot, ISO7816_VERIFY, &pininfo) ) + && !iso7816_check_pinpad (app_get_slot (app), ISO7816_VERIFY, &pininfo) ) { prompt = make_prompt (app, remaining, desc, extrapromptline); rc = pincb (pincb_arg, prompt, NULL); @@ -1671,7 +1671,7 @@ verify_pin (app_t app, int pwid, const char *desc, return rc; } - rc = iso7816_verify_kp (app->slot, pwid, &pininfo); + rc = iso7816_verify_kp (app_get_slot (app), pwid, &pininfo); pincb (pincb_arg, NULL, NULL); /* Dismiss the prompt. */ } else @@ -1694,7 +1694,8 @@ verify_pin (app_t app, int pwid, const char *desc, return rc; } - rc = iso7816_verify (app->slot, pwid, pinvalue, strlen (pinvalue)); + rc = iso7816_verify (app_get_slot (app), pwid, + pinvalue, strlen (pinvalue)); xfree (pinvalue); } 
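Review bot: The `@@ -1515` hunk of app-nks.c do_writekey rewrites a line inside a commented-out block (`/* err = iso7816_manage_security_env (app_get_slot (app), 0x81, 0xB6, */`), so the mechanical `app->slot` replacement is being maintained in dead code. If the disabled MSE sequence is kept as a reference, a one-line comment above it saying why it is disabled would help; otherwise the commented-out block can be dropped instead of being kept up to date. do_writekey begins before the hunk and continues after it.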
diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c index da6dc7a89..e7288ef2d 100644 --- a/scd/app-openpgp.c +++ b/scd/app-openpgp.c @@ -384,7 +384,7 @@ get_cached_data (app_t app, int tag, else exmode = 0; - err = iso7816_get_data (app->slot, exmode, tag, &p, &len); + err = iso7816_get_data (app_get_slot (app), exmode, tag, &p, &len); if (err) return err; if (len) @@ -515,7 +515,7 @@ get_one_do (app_t app, int tag, unsigned char **result, size_t *nbytes, if (app->appversion > 0x0100 && data_objects[i].get_immediate_in_v11) { exmode = 0; - rc = iso7816_get_data (app->slot, exmode, tag, &buffer, &buflen); + rc = iso7816_get_data (app_get_slot (app), exmode, tag, &buffer, &buflen); if (rc) { *r_rc = rc; @@ -857,7 +857,7 @@ store_fpr (app_t app, int keynumber, u32 timestamp, unsigned char *fpr, tag2 = 0xCE + keynumber; flush_cache_item (app, 0xCD); - rc = iso7816_put_data (app->slot, 0, tag, fpr, 20); + rc = iso7816_put_data (app_get_slot (app), 0, tag, fpr, 20); if (rc) log_error (_("failed to store the fingerprint: %s\n"),gpg_strerror (rc)); @@ -870,7 +870,7 @@ store_fpr (app_t app, int keynumber, u32 timestamp, unsigned char *fpr, buf[2] = timestamp >> 8; buf[3] = timestamp; - rc = iso7816_put_data (app->slot, 0, tag2, buf, 4); + rc = iso7816_put_data (app_get_slot (app), 0, tag2, buf, 4); if (rc) log_error (_("failed to store the creation date: %s\n"), gpg_strerror (rc)); @@ -1756,7 +1756,7 @@ get_public_key (app_t app, int keyno) le_value = 256; /* Use legacy value. */ } - err = iso7816_read_public_key (app->slot, exmode, + err = iso7816_read_public_key (app_get_slot (app), exmode, (keyno == 0? "\xB6" : keyno == 1? "\xB8" : "\xA4"), 2, le_value, &buffer, &buflen); 
@@ -2279,7 +2279,7 @@ verify_a_chv (app_t app, /* Special case for def_chv2 mechanism. */ if (opt.verbose) log_info (_("using default PIN as %s\n"), "CHV2"); - rc = iso7816_verify (app->slot, 0x82, "123456", 6); + rc = iso7816_verify (app_get_slot (app), 0x82, "123456", 6); if (rc) { /* Verification of CHV2 with the default PIN failed, @@ -2312,7 +2312,7 @@ verify_a_chv (app_t app, } if (!opt.disable_pinpad - && !iso7816_check_pinpad (app->slot, ISO7816_VERIFY, &pininfo) + && !iso7816_check_pinpad (app_get_slot (app), ISO7816_VERIFY, &pininfo) && !check_pinpad_request (app, &pininfo, 0)) { /* The reader supports the verify command through the pinpad. @@ -2328,7 +2328,7 @@ verify_a_chv (app_t app, gpg_strerror (rc)); return rc; } - rc = iso7816_verify_kp (app->slot, 0x80+chvno, &pininfo); + rc = iso7816_verify_kp (app_get_slot (app), 0x80+chvno, &pininfo); /* Dismiss the prompt. */ pincb (pincb_arg, NULL, NULL); @@ -2359,7 +2359,8 @@ verify_a_chv (app_t app, rc = pin2hash_if_kdf (app, chvno, *pinvalue, pinlen); if (!rc) - rc = iso7816_verify (app->slot, 0x80+chvno, *pinvalue, *pinlen); + rc = iso7816_verify (app_get_slot (app), + 0x80 + chvno, *pinvalue, *pinlen); } if (rc) @@ -2501,7 +2502,8 @@ verify_chv3 (app_t app, return rc; if (!opt.disable_pinpad - && !iso7816_check_pinpad (app->slot, ISO7816_VERIFY, &pininfo) + && !iso7816_check_pinpad (app_get_slot (app), + ISO7816_VERIFY, &pininfo) && !check_pinpad_request (app, &pininfo, 1)) { /* The reader supports the verify command through the pinpad. */ @@ -2514,7 +2516,7 @@ verify_chv3 (app_t app, gpg_strerror (rc)); return rc; } - rc = iso7816_verify_kp (app->slot, 0x83, &pininfo); + rc = iso7816_verify_kp (app_get_slot (app), 0x83, &pininfo); /* Dismiss the prompt. */ pincb (pincb_arg, NULL, NULL); } 
@@ -2543,7 +2545,7 @@ verify_chv3 (app_t app, rc = pin2hash_if_kdf (app, 3, pinvalue, &pinlen); if (!rc) - rc = iso7816_verify (app->slot, 0x83, pinvalue, pinlen); + rc = iso7816_verify (app_get_slot (app), 0x83, pinvalue, pinlen); xfree (pinvalue); } @@ -2638,7 +2640,8 @@ do_setattr (app_t app, ctrl_t ctrl, const char *name, exmode = -254; /* Command chaining with max. 254 bytes. */ else exmode = 0; - rc = iso7816_put_data (app->slot, exmode, table[idx].tag, value, valuelen); + rc = iso7816_put_data (app_get_slot (app), + exmode, table[idx].tag, value, valuelen); if (rc) log_error ("failed to set '%s': %s\n", table[idx].name, gpg_strerror (rc)); @@ -2787,7 +2790,7 @@ do_change_pin (app_t app, ctrl_t ctrl, const char *chvnostr, /* Version 2 cards. */ if (!opt.disable_pinpad - && !iso7816_check_pinpad (app->slot, + && !iso7816_check_pinpad (app_get_slot (app), ISO7816_CHANGE_REFERENCE_DATA, &pininfo) && !check_pinpad_request (app, &pininfo, chvno == 3)) use_pinpad = 1; @@ -2930,7 +2933,7 @@ do_change_pin (app_t app, ctrl_t ctrl, const char *chvnostr, rc = pin2hash_if_kdf (app, 1, buffer+pinlen0, &pinlen); } if (!rc) - rc = iso7816_reset_retry_counter_with_rc (app->slot, 0x81, + rc = iso7816_reset_retry_counter_with_rc (app_get_slot (app), 0x81, buffer, pinlen0+pinlen); wipememory (buffer, pinlen0 + pinlen); xfree (buffer); 
@@ -2947,31 +2950,37 @@ do_change_pin (app_t app, ctrl_t ctrl, const char *chvnostr, { rc = pin2hash_if_kdf (app, 0, pinvalue, &pinlen); if (!rc) - rc = iso7816_put_data (app->slot, 0, 0xD3, pinvalue, pinlen); + rc = iso7816_put_data (app_get_slot (app), + 0, 0xD3, pinvalue, pinlen); } } else if (reset_mode) { rc = pin2hash_if_kdf (app, 1, pinvalue, &pinlen); if (!rc) - rc = iso7816_reset_retry_counter (app->slot, 0x81, pinvalue, pinlen); + rc = iso7816_reset_retry_counter (app_get_slot (app), + 0x81, pinvalue, pinlen); if (!rc && !app->app_local->extcap.is_v2) - rc = iso7816_reset_retry_counter (app->slot, 0x82, pinvalue, pinlen); + rc = iso7816_reset_retry_counter (app_get_slot (app), + 0x82, pinvalue, pinlen); } else if (!app->app_local->extcap.is_v2) { /* Version 1 cards. */ if (chvno == 1 || chvno == 2) { - rc = iso7816_change_reference_data (app->slot, 0x81, NULL, 0, + rc = iso7816_change_reference_data (app_get_slot (app), + 0x81, NULL, 0, pinvalue, strlen (pinvalue)); if (!rc) - rc = iso7816_change_reference_data (app->slot, 0x82, NULL, 0, + rc = iso7816_change_reference_data (app_get_slot (app), + 0x82, NULL, 0, pinvalue, strlen (pinvalue)); } else /* CHVNO == 3 */ { - rc = iso7816_change_reference_data (app->slot, 0x80 + chvno, NULL, 0, + rc = iso7816_change_reference_data (app_get_slot (app), + 0x80 + chvno, NULL, 0, pinvalue, strlen (pinvalue)); } } @@ -3045,7 +3054,7 @@ does_key_exist (app_t app, int keyidx, int generating, int force) assert (keyidx >=0 && keyidx <= 2); - if (iso7816_get_data (app->slot, 0, 0x006E, &buffer, &buflen)) + if (iso7816_get_data (app_get_slot (app), 0, 0x006E, &buffer, &buflen)) { log_error (_("error reading application data\n")); return gpg_error (GPG_ERR_GENERAL); 
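Review bot: The `@@ -2947` hunk of app-openpgp.c do_change_pin calls `app_get_slot (app)` six times within a few lines, and the `@@ -2787` and `@@ -2930` hunks of the same function add more, which is what forced the re-wrapping of every argument list. Caching the value once at the top of the function, `int slot = app_get_slot (app);`, the way app_select_openpgp does in this same patch, keeps each call on one line and reads as before. This is a readability point only; the accessor is presumably a plain getter, so the trace is unchanged. do_change_pin begins before the hunk and continues after it.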
@@ -3378,7 +3387,7 @@ change_keyattr (app_t app, int keyno, const unsigned char *buf, size_t buflen, return err; /* Change the attribute. */ - err = iso7816_put_data (app->slot, 0, 0xC1+keyno, buf, buflen); + err = iso7816_put_data (app_get_slot (app), 0, 0xC1+keyno, buf, buflen); if (err) log_error ("error changing key attribute (key=%d)\n", keyno+1); else @@ -3770,7 +3779,7 @@ rsa_writekey (app_t app, gpg_error_t (*pincb)(void*, const char *, char **), exmode = -254; else exmode = 0; - err = iso7816_put_data_odd (app->slot, exmode, 0x3fff, + err = iso7816_put_data_odd (app_get_slot (app), exmode, 0x3fff, template, template_len); } else @@ -3820,7 +3829,7 @@ rsa_writekey (app_t app, gpg_error_t (*pincb)(void*, const char *, char **), goto leave; /* Store the key. */ - err = iso7816_put_data (app->slot, 0, + err = iso7816_put_data (app_get_slot (app), 0, (app->appversion > 0x0007? 0xE0:0xE9)+keyno, template, template_len); } @@ -4094,7 +4103,7 @@ ecc_writekey (app_t app, gpg_error_t (*pincb)(void*, const char *, char **), exmode = -254; else exmode = 0; - err = iso7816_put_data_odd (app->slot, exmode, 0x3fff, + err = iso7816_put_data_odd (app_get_slot (app), exmode, 0x3fff, template, template_len); xfree (template); } @@ -4262,7 +4271,7 @@ do_genkey (app_t app, ctrl_t ctrl, const char *keynostr, const char *keytype, log_info (_("please wait while key is being generated ...\n")); start_at = time (NULL); - err = iso7816_generate_keypair (app->slot, exmode, 0x80, 0, + err = iso7816_generate_keypair (app_get_slot (app), exmode, 0x80, 0, (keyno == 0? "\xB6" : keyno == 1? "\xB8" : "\xA4"), 2, le_value, &buffer, &buflen); @@ -4623,7 +4632,8 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo, char *pinvalue; int pinlen; - rc = verify_a_chv (app, pincb, pincb_arg, 1, sigcount, &pinvalue, &pinlen); + rc = verify_a_chv (app, pincb, pincb_arg, 1, sigcount, + &pinvalue, &pinlen); if (rc) return rc; 
@@ -4636,7 +4646,7 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo, pinpad has been used. */ if (!app->did_chv2 && pinvalue && !app->app_local->extcap.is_v2) { - rc = iso7816_verify (app->slot, 0x82, pinvalue, pinlen); + rc = iso7816_verify (app_get_slot (app), 0x82, pinvalue, pinlen); if (gpg_err_code (rc) == GPG_ERR_BAD_PIN) rc = gpg_error (GPG_ERR_PIN_NOT_SYNCED); if (rc) @@ -4664,7 +4674,7 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo, exmode = 0; le_value = 0; } - rc = iso7816_compute_ds (app->slot, exmode, data, datalen, le_value, + rc = iso7816_compute_ds (app_get_slot (app), exmode, data, datalen, le_value, outdata, outdatalen); if (!rc && app->force_chv1) app->did_chv1 = 0; @@ -4756,7 +4766,7 @@ do_auth (app_t app, ctrl_t ctrl, const char *keyidstr, exmode = 0; le_value = 0; } - rc = iso7816_internal_authenticate (app->slot, exmode, + rc = iso7816_internal_authenticate (app_get_slot (app), exmode, indata, indatalen, le_value, outdata, outdatalen); } @@ -4951,7 +4961,7 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr, else exmode = le_value = 0; - rc = iso7816_decipher (app->slot, exmode, + rc = iso7816_decipher (app_get_slot (app), exmode, indata, indatalen, le_value, padind, outdata, outdatalen); xfree (fixbuf); @@ -5309,7 +5319,7 @@ gpg_error_t app_select_openpgp (app_t app) { static char const aid[] = { 0xD2, 0x76, 0x00, 0x01, 0x24, 0x01 }; - int slot = app->slot; + int slot = app_get_slot (app); gpg_error_t err; unsigned char *buffer; size_t buflen; diff --git a/scd/app-sc-hsm.c b/scd/app-sc-hsm.c index ab9400719..4b9f7fc03 100644 --- a/scd/app-sc-hsm.c +++ b/scd/app-sc-hsm.c 
@@ -483,7 +483,8 @@ read_ef_prkd (app_t app, unsigned short fid, prkdf_object_t *prkdresult, if (!fid) return gpg_error (GPG_ERR_NO_DATA); /* No private keys. */ - err = select_and_read_binary (app->slot, fid, "PrKDF", &buffer, &buflen, 255); + err = select_and_read_binary (app_get_slot (app), + fid, "PrKDF", &buffer, &buflen, 255); if (err) return err; @@ -831,7 +832,7 @@ read_ef_prkd (app_t app, unsigned short fid, prkdf_object_t *prkdresult, xfree (buffer); buffer = NULL; buflen = 0; - err = select_and_read_binary (app->slot, + err = select_and_read_binary (app_get_slot (app), ((SC_HSM_EE_PREFIX << 8) | (fid & 0xFF)), "CertEF", &buffer, &buflen, 1); if (!err && buffer[0] == 0x30) @@ -952,7 +953,8 @@ read_ef_cd (app_t app, unsigned short fid, cdf_object_t *result) if (!fid) return gpg_error (GPG_ERR_NO_DATA); /* No certificates. */ - err = select_and_read_binary (app->slot, fid, "CDF", &buffer, &buflen, 255); + err = select_and_read_binary (app_get_slot (app), fid, "CDF", + &buffer, &buflen, 255); if (err) return err; @@ -1201,7 +1203,7 @@ read_serialno(app_t app) size_t n, objlen, hdrlen, chrlen; int class, tag, constructed, ndef; - err = select_and_read_binary (app->slot, 0x2F02, "EF.C_DevAut", + err = select_and_read_binary (app_get_slot (app), 0x2F02, "EF.C_DevAut", &buffer, &buflen, 512); if (err) return err; @@ -1259,7 +1261,7 @@ read_meta (app_t app) if (err) return err; - err = list_ef (app->slot, &eflist, &eflistlen); + err = list_ef (app_get_slot (app), &eflist, &eflistlen); if (err) return err; @@ -1453,7 +1455,7 @@ readcert_by_cdf (app_t app, cdf_object_t cdf, return 0; } - err = select_and_read_binary (app->slot, cdf->fid, "CD", + err = select_and_read_binary (app_get_slot (app), cdf->fid, "CD", &buffer, &buflen, 4096); if (err) { 
@@ -1692,8 +1694,8 @@ verify_pin (app_t app, gpg_error_t (*pincb)(void*, const char *, char **), char *prompt; int sw; - sw = apdu_send_simple (app->slot, 0, 0x00, ISO7816_VERIFY, 0x00, 0x81, - -1, NULL); + sw = apdu_send_simple (app_get_slot (app), + 0, 0x00, ISO7816_VERIFY, 0x00, 0x81, -1, NULL); if (sw == SW_SUCCESS) return 0; /* PIN already verified */ @@ -1718,7 +1720,7 @@ verify_pin (app_t app, gpg_error_t (*pincb)(void*, const char *, char **), prompt = "||Please enter the PIN"; if (!opt.disable_pinpad - && !iso7816_check_pinpad (app->slot, ISO7816_VERIFY, &pininfo) ) + && !iso7816_check_pinpad (app_get_slot (app), ISO7816_VERIFY, &pininfo) ) { err = pincb (pincb_arg, prompt, NULL); if (err) @@ -1727,7 +1729,7 @@ verify_pin (app_t app, gpg_error_t (*pincb)(void*, const char *, char **), return err; } - err = iso7816_verify_kp (app->slot, 0x81, &pininfo); + err = iso7816_verify_kp (app_get_slot (app), 0x81, &pininfo); pincb (pincb_arg, NULL, NULL); /* Dismiss the prompt. */ } else @@ -1739,7 +1741,8 @@ verify_pin (app_t app, gpg_error_t (*pincb)(void*, const char *, char **), return err; } - err = iso7816_verify (app->slot, 0x81, pinvalue, strlen(pinvalue)); + err = iso7816_verify (app_get_slot (app), + 0x81, pinvalue, strlen(pinvalue)); xfree (pinvalue); } if (err) @@ -1884,7 +1887,8 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo, if (err) return err; - sw = apdu_send_le (app->slot, 1, 0x80, 0x68, prkdf->key_reference, algoid, + sw = apdu_send_le (app_get_slot (app), + 1, 0x80, 0x68, prkdf->key_reference, algoid, cdsblklen, cdsblk, 0, outdata, outdatalen); return iso7816_map_sw (sw); } @@ -2021,7 +2025,8 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr, if (err) return err; - sw = apdu_send_le (app->slot, 1, 0x80, 0x62, prkdf->key_reference, 0x21, + sw = apdu_send_le (app_get_slot (app), + 1, 0x80, 0x62, prkdf->key_reference, 0x21, p1blklen, p1blk, 0, &rspdata, &rspdatalen); err = iso7816_map_sw (sw); if (err) 
@@ -2047,7 +2052,7 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr, gpg_error_t app_select_sc_hsm (app_t app) { - int slot = app->slot; + int slot = app_get_slot (app); int rc; rc = iso7816_select_application (slot, sc_hsm_aid, sizeof sc_hsm_aid, 0); From adbe5a35a5f85a2231f378988edbc79c6ec42f72 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Mon, 24 Oct 2022 17:40:20 +0200 Subject: [PATCH 05/39] scd:nks: Support non-ESIGN signing with the Signature Card v2 * scd/app-nks.c (do_sign): Handle ECC for NKS cards -- Backported-from-master: 959c627892121ce9707bfa36f2510216b4f6f247 GnuPG-bug-id: 6252 --- scd/app-nks.c | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/scd/app-nks.c b/scd/app-nks.c index c14041506..348a6203c 100644 --- a/scd/app-nks.c +++ b/scd/app-nks.c @@ -1902,19 +1902,31 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo, return gpg_error (GPG_ERR_INV_VALUE); #undef X - /* Send an MSE for PSO:Computer_Signature. */ + /* Send an MSE for PSO:Compute_Signature. */ if (app->appversion > 2 && app->app_local->active_nks_app != NKS_APP_ESIGN) { unsigned char mse[6]; + unsigned int mselen; - mse[0] = 0x80; /* Algorithm reference. */ - mse[1] = 1; - mse[2] = 2; /* RSA, card does pkcs#1 v1.5 padding, no ASN.1 check. */ - mse[3] = 0x84; /* Private key reference. */ - mse[4] = 1; - mse[5] = kid; + if (algo == GCRY_PK_ECC) + { + mse[0] = 0x84; /* Private key reference. */ + mse[1] = 1; + mse[2] = kid; + mselen = 3; + } + else /* RSA */ + { + mse[0] = 0x80; /* Algorithm reference. */ + mse[1] = 1; + mse[2] = 2; /* Card does pkcs#1 v1.5 padding, no ASN.1 check. */ + mse[3] = 0x84; /* Private key reference. */ + mse[4] = 1; + mse[5] = kid; + mselen = 6; + } err = iso7816_manage_security_env (app_get_slot (app), 0x41, 0xB6, - mse, sizeof mse); + mse, mselen); } if (app->app_local->active_nks_app == NKS_APP_ESIGN) From 865386c0cf0b5975b4da66b8da4a5f77a0610081 Mon Sep 17 00:00:00 2001 
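Review bot: The new ECC branch of the MSE in app-nks.c do_sign sends only the private key reference (tag 0x84) and omits the algorithm reference (tag 0x80) that the RSA branch keeps, but nothing in the hunk says why that is correct, and `algo` is assigned outside the hunk. A comment on the branch, e.g. `/* ECC: no algorithm reference is sent; <reason> */` with the actual reason filled in (and the card version it applies to, if it is version specific), would spare the next reader from guessing. With `mselen` now variable, `mse[3..5]` stay uninitialised in the ECC case; they are not transmitted so this is harmless, but a short remark avoids it being read as a bug. do_sign begins before the hunk and continues after it.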
From: Werner Koch Date: Mon, 31 Oct 2022 15:01:24 +0100 Subject: [PATCH 06/39] gpg: New option --compatibility-flags * g10/gpg.c (oCompatibilityFlags): New. (opts): Add option. (compatibility_flags): New list. (main): Set flags and print help. * g10/options.h (opt): Add field compatibility_flags. -- No flags are yet defined but it is good to have the framework. --- doc/gpg.texi | 8 ++++++++ g10/gpg.c | 20 ++++++++++++++++++++ g10/options.h | 8 +++++++- 3 files changed, 35 insertions(+), 1 deletion(-) diff --git a/doc/gpg.texi b/doc/gpg.texi index 39c996bd9..1fdb27ae2 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -2928,6 +2928,14 @@ therefore enables a fast listing of the encryption keys. @opindex interactive Prompt before overwriting any files. +@item --compatibility-flags @var{flags} +@opindex compatibility-flags +Set compatibility flags to work around problems due to non-compliant +keys or data. The @var{flags} are given as a comma separated +list of flag names and are OR-ed together. The special flag "none" +clears the list and allows to start over with an empty list. To get a +list of available flags the sole word "help" can be used. + @item --debug-level @var{level} @opindex debug-level Select the debug level for investigating problems. @var{level} may be diff --git a/g10/gpg.c b/g10/gpg.c index bd65612e3..069d69ee3 100644 --- a/g10/gpg.c +++ b/g10/gpg.c @@ -431,6 +431,7 @@ enum cmd_and_opt_values oForceSignKey, oForbidGenKey, oRequireCompliance, + oCompatibilityFlags, oNoop }; @@ -894,6 +895,7 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_s_n (oNoAutostart, "no-autostart", "@"), ARGPARSE_s_n (oForbidGenKey, "forbid-gen-key", "@"), ARGPARSE_s_n (oRequireCompliance, "require-compliance", "@"), + ARGPARSE_s_s (oCompatibilityFlags, "compatibility-flags", "@"), /* Options which can be used in special circumstances. They are not * published and we hope they are never required. */ ARGPARSE_s_n (oUseOnlyOpenPGPCard, "use-only-openpgp-card", "@"), 
@@ -986,6 +988,13 @@ static struct debug_flags_s debug_flags [] = }; +/* The list of compatibility flags. */ +static struct compatibility_flags_s compatibility_flags [] = + { + { 0, NULL } + }; + + #ifdef ENABLE_SELINUX_HACKS #define ALWAYS_ADD_KEYRINGS 1 #else @@ -2736,6 +2745,15 @@ main (int argc, char **argv) case oDebugIOLBF: break; /* Already set in pre-parse step. */ + case oCompatibilityFlags: + if (parse_compatibility_flags (pargs.r.ret_str, &opt.compat_flags, + compatibility_flags)) + { + pargs.r_opt = ARGPARSE_INVALID_ARG; + pargs.err = ARGPARSE_PRINT_ERROR; + } + break; + case oStatusFD: set_status_fd ( translate_sys2libc_fd_int (pargs.r.ret_int, 1) ); break; @@ -3772,6 +3790,8 @@ main (int argc, char **argv) } set_debug (debug_level); + if (opt.verbose) /* Print the compatibility flags. */ + parse_compatibility_flags (NULL, &opt.compat_flags, compatibility_flags); gnupg_set_compliance_extra_info (opt.min_rsa_length); if (DBG_CLOCK) log_clock ("start"); diff --git a/g10/options.h b/g10/options.h index b11e91c66..59e04ffef 100644 --- a/g10/options.h +++ b/g10/options.h @@ -290,6 +290,9 @@ struct int only_sign_text_ids; int no_symkey_cache; /* Disable the cache used for --symmetric. */ + + /* Compatibility flags (COMPAT_FLAG_xxxx). */ + unsigned int compat_flags; } opt; /* CTRL is used to keep some global variables we currently can't @@ -346,8 +349,11 @@ struct { EXTERN_UNLESS_MAIN_MODULE int memory_debug_mode; EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode; +/* Compatibility flags */ +/* #define COMPAT_FOO 1 */ -/* Compatibility flags. */ + +/* Compliance test macors. */ #define GNUPG (opt.compliance==CO_GNUPG || opt.compliance==CO_DE_VS) #define RFC2440 (opt.compliance==CO_RFC2440) #define RFC4880 (opt.compliance==CO_RFC4880) From af1d4ff2eadc4d4175ccc24f88d38dc9d48dcfca Mon Sep 17 00:00:00 2001 
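Review bot: The comment added above the compliance macros in g10/options.h reads `/* Compliance test macors. */`; it should be `/* Compliance test macros. */`. In the same file the new field is documented as `/* Compatibility flags (COMPAT_FLAG_xxxx). */` while the placeholder in the second hunk is `/* #define COMPAT_FOO 1 */`, so the two hunks disagree on the prefix future flags will use; settling on one now, e.g. `/* #define COMPAT_FLAG_FOO 1 */`, avoids a mismatch when the first real flag lands.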
From: Werner Koch Date: Wed, 2 Nov 2022 17:10:59 +0100 Subject: [PATCH 07/39] gpg: Make --list-packets work w/o --no-armor for plain OCB packets. * g10/armor.c (is_armored): Add PKT_ENCRYPTED_AEAD. -- With this fix it is now possible to feed a vanilla packet of type 20 without first forcing gpg to assume binary mode. --- g10/armor.c | 1 + 1 file changed, 1 insertion(+) diff --git a/g10/armor.c b/g10/armor.c index 36215a33e..8fcb74ac5 100644 --- a/g10/armor.c +++ b/g10/armor.c @@ -233,6 +233,7 @@ is_armored (const byte *buf) case PKT_COMPRESSED: case PKT_ENCRYPTED: case PKT_ENCRYPTED_MDC: + case PKT_ENCRYPTED_AEAD: case PKT_PLAINTEXT: case PKT_OLD_COMMENT: case PKT_COMMENT: From 290f458ad66f4ffacea140fe03be9b36e46831d5 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Fri, 28 Oct 2022 09:29:30 +0200 Subject: [PATCH 08/39] gpg: Import stray revocation certificates. * g10/kbnode.c (new_kbnode2): New. * g10/import.c (delete_inv_parts): New arg r_otherrevsigs to store misplaced revocations. (import_revoke_cert): Allow to pass an entire list. (import_one): Import revocations found by delete_inv_parts. -- It might be useful to distribute revocations of old keys along with new keys. This is in particicualrr useful for WKD stored keys. This patch allows to put unrelated standalone revocations into a key. For example they can simply appended to a keyblock. Right now it is a bit inaesthetic to see diagnostics about misplaced or bad revocation signatures. Backported-from-master: 7aaedfb10767c74f3e6868dd1563cbbf1282ab2f --- g10/import.c | 65 +++++++++++++++++++++++++++++++++++++++++----------- g10/kbnode.c | 13 +++++++++++ g10/keydb.h | 1 + 3 files changed, 66 insertions(+), 13 deletions(-) diff --git a/g10/import.c b/g10/import.c index b2d5c1d27..cd3363fc7 100644 --- a/g10/import.c +++ b/g10/import.c 
@@ -126,7 +126,8 @@ static int import_revoke_cert (ctrl_t ctrl, kbnode_t node, unsigned int options, static int chk_self_sigs (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, int *non_self); static int delete_inv_parts (ctrl_t ctrl, kbnode_t keyblock, - u32 *keyid, unsigned int options); + u32 *keyid, unsigned int options, + kbnode_t *r_otherrevsigs); static int any_uid_left (kbnode_t keyblock); static void remove_all_non_self_sigs (kbnode_t *keyblock, u32 *keyid); static int merge_blocks (ctrl_t ctrl, unsigned int options, @@ -420,7 +421,7 @@ read_key_from_file_or_buffer (ctrl_t ctrl, const char *fname, goto leave; } - if (!delete_inv_parts (ctrl, keyblock, keyid, 0) ) + if (!delete_inv_parts (ctrl, keyblock, keyid, 0, NULL) ) { err = gpg_error (GPG_ERR_NO_USER_ID); goto leave; @@ -1830,8 +1831,9 @@ update_key_origin (kbnode_t keyblock, u32 curtime, int origin, const char *url) * even most error messages are suppressed. ORIGIN is the origin of * the key (0 for unknown) and URL the corresponding URL. FROM_SK * indicates that the key has been made from a secret key. If R_SAVED - * is not NULL a boolean will be stored indicating whether the keyblock - * has valid parts. + * is not NULL a boolean will be stored indicating whether the + * keyblock has valid parts. Unless OTHERREVSIGS is NULL it is + * updated with encountered new revocation signatures. */ static gpg_error_t import_one_real (ctrl_t ctrl, @@ -1839,7 +1841,8 @@ import_one_real (ctrl_t ctrl, unsigned char **fpr, size_t *fpr_len, unsigned int options, int from_sk, int silent, import_screener_t screener, void *screener_arg, - int origin, const char *url, int *r_valid) + int origin, const char *url, int *r_valid, + kbnode_t *otherrevsigs) { gpg_error_t err = 0; PKT_public_key *pk; 
@@ -1974,7 +1977,8 @@ import_one_real (ctrl_t ctrl, } } - if (!delete_inv_parts (ctrl, keyblock, keyid, options ) ) + /* Delete invalid parts and bail out if there are no user ids left. */ + if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs)) { if (!silent) { @@ -2366,10 +2370,12 @@ import_one (ctrl_t ctrl, int origin, const char *url, int *r_valid) { gpg_error_t err; + kbnode_t otherrevsigs = NULL; + kbnode_t node; err = import_one_real (ctrl, keyblock, stats, fpr, fpr_len, options, from_sk, silent, screener, screener_arg, - origin, url, r_valid); + origin, url, r_valid, &otherrevsigs); if (gpg_err_code (err) == GPG_ERR_TOO_LARGE && gpg_err_source (err) == GPG_ERR_SOURCE_KEYBOX && ((options & (IMPORT_SELF_SIGS_ONLY | IMPORT_CLEAN)) @@ -2385,8 +2391,17 @@ import_one (ctrl_t ctrl, options |= IMPORT_SELF_SIGS_ONLY | IMPORT_CLEAN; err = import_one_real (ctrl, keyblock, stats, fpr, fpr_len, options, from_sk, silent, screener, screener_arg, - origin, url, r_valid); + origin, url, r_valid, &otherrevsigs); } + + /* Finally try to import other revocation certificates. For example + * those of a former key appended to the current key. */ + if (!err) + { + for (node = otherrevsigs; node; node = node->next) + import_revoke_cert (ctrl, node, options, stats); + } + release_kbnode (otherrevsigs); return err; } @@ -3358,9 +3373,8 @@ list_standalone_revocation (ctrl_t ctrl, PKT_signature *sig, int sigrc) } -/**************** - * Import a revocation certificate; this is a single signature packet. - */ +/* Import a revocation certificate; only the first packet in the + * NODE-list is considered. */ static int import_revoke_cert (ctrl_t ctrl, kbnode_t node, unsigned int options, struct import_stats_s *stats) 
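Review bot: The loop added at the end of import_one discards the return value of import_revoke_cert, so a stray revocation that fails to import leaves `err` untouched and the caller only learns about it through whatever the callee logs or counts in `stats`. That is defensible as best-effort behaviour for certificates that merely rode along with a keyblock, but it should be stated, e.g. `/* Failures are deliberately ignored: the keyblock itself was imported. */` above the for loop. Note also that `otherrevsigs` is built by prepending in delete_inv_parts, so the certificates are processed in reverse order of appearance; harmless today, but worth a word in the same comment should order ever matter.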
@@ -3377,10 +3391,12 @@ import_revoke_cert (ctrl_t ctrl, kbnode_t node, unsigned int options, /* No error output for --show-keys. */ silent = (options & (IMPORT_SHOW | IMPORT_DRY_RUN)); - log_assert (!node->next ); log_assert (node->pkt->pkttype == PKT_SIGNATURE ); log_assert (IS_KEY_REV (node->pkt->pkt.signature)); + /* FIXME: We can do better here by using the issuer fingerprint if + * available. We should also make use of get_keyblock_byfprint_fast. */ + keyid[0] = node->pkt->pkt.signature->keyid[0]; keyid[1] = node->pkt->pkt.signature->keyid[1]; @@ -3726,12 +3742,15 @@ chk_self_sigs (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, int *non_self) /* Delete all parts which are invalid and those signatures whose * public key algorithm is not available in this implementation; but * consider RSA as valid, because parse/build_packets knows about it. + * If R_OTHERREVSIGS is not NULL, it is used to return a list of + * revocation certificates which have been deleted from KEYBLOCK but + * should be handled later. * * Returns: True if at least one valid user-id is left over. */ static int delete_inv_parts (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, - unsigned int options) + unsigned int options, kbnode_t *r_otherrevsigs) { kbnode_t node; int nvalid=0, uid_seen=0, subkey_seen=0; @@ -3820,6 +3839,16 @@ delete_inv_parts (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, if(opt.verbose) log_info( _("key %s: revocation certificate" " at wrong place - skipped\n"),keystr(keyid)); + if (r_otherrevsigs) + { + PACKET *pkt; + + pkt = xcalloc (1, sizeof *pkt); + pkt->pkttype = PKT_SIGNATURE; + pkt->pkt.signature = copy_signature + (NULL, node->pkt->pkt.signature); + *r_otherrevsigs = new_kbnode2 (*r_otherrevsigs, pkt); + } delete_kbnode( node ); } else 
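Review bot: With `log_assert (!node->next)` removed, import_revoke_cert now accepts a list but only looks at its head, which is documented in the new comment but means every caller that hands it a list must iterate itself (import_one does, in an earlier hunk). The FIXME is the security-relevant part: the target key is still located by the 64-bit key ID copied from a signature packet that has not been verified at this point, and since revocations are now harvested from arbitrary packets appended to an imported keyblock, an attacker controlling the import can choose which stored keyblock is fetched and run through signature checking. Provided the verification further down (outside this hunk) rejects the certificate, the exposure is limited to wasted work and misleading diagnostics, but the issuer-fingerprint lookup the FIXME proposes would close it properly and is worth tracking as a bug rather than a comment. The rest of import_revoke_cert, including the verification, lies outside the hunk.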
@@ -3842,6 +3871,16 @@ delete_inv_parts (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, delete_kbnode( node ); } } + else if (r_otherrevsigs) + { + PACKET *pkt; + + pkt = xcalloc (1, sizeof *pkt); + pkt->pkttype = PKT_SIGNATURE; + pkt->pkt.signature = copy_signature + (NULL, node->pkt->pkt.signature); + *r_otherrevsigs = new_kbnode2 (*r_otherrevsigs, pkt); + } } } else if (node->pkt->pkttype == PKT_SIGNATURE diff --git a/g10/kbnode.c b/g10/kbnode.c index 9ed6cafbf..aa1e17c94 100644 --- a/g10/kbnode.c +++ b/g10/kbnode.c @@ -98,6 +98,19 @@ new_kbnode( PACKET *pkt ) } +/* Same as new_kbnode but insert the new node in front of LIST. Returns + * the new list. */ +kbnode_t +new_kbnode2 (kbnode_t list, PACKET *pkt) +{ + kbnode_t n; + + n = new_kbnode (pkt); + n->next = list; + return n; +} + + KBNODE clone_kbnode( KBNODE node ) { diff --git a/g10/keydb.h b/g10/keydb.h index 0f8d711a9..63a9f1087 100644 --- a/g10/keydb.h +++ b/g10/keydb.h @@ -552,6 +552,7 @@ gpg_error_t hexkeygrip_from_pk (PKT_public_key *pk, char **r_grip); /*-- kbnode.c --*/ KBNODE new_kbnode( PACKET *pkt ); +kbnode_t new_kbnode2 (kbnode_t list, PACKET *pkt); KBNODE clone_kbnode( KBNODE node ); void release_kbnode( KBNODE n ); void delete_kbnode( KBNODE node ); From c1f5fcff42315345e40e445d8d6d8e0a10e23ad0 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Fri, 28 Oct 2022 11:17:39 +0200 Subject: [PATCH 09/39] gpg: Fix trusted introducer for user-ids with only the mbox. * g10/trustdb.c (check_regexp): Kludge to match user-ids with only an mbox. -- (Also re-indented the function) GnuPG-bug-id: 6238 --- g10/trustdb.c | 50 +++++++++++++++++++++++++++++++------------------- 1 file changed, 31 insertions(+), 19 deletions(-) diff --git a/g10/trustdb.c b/g10/trustdb.c index 1b6da96b0..fd9a245cc 100644 --- a/g10/trustdb.c +++ b/g10/trustdb.c 
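Review bot: The new `else if (r_otherrevsigs)` branch copies a revocation signature into the side list without calling delete_kbnode on it, unlike the wrong-place branch in the previous hunk; if this is the case where check_key_signature just succeeded for the key being imported, the certificate stays in KEYBLOCK and is additionally fed to import_revoke_cert by import_one, i.e. it is processed twice. If that double handling is intended (for example to apply the revocation to a copy of the key already in the keyring), say so in a comment such as `/* Valid revocation for this key: keep it in place and also queue it so import_revoke_cert can apply it to a stored copy. */`; otherwise the copy should be dropped. The enclosing loop and the condition this branch hangs off start outside the hunk, so I cannot confirm which case it is from here.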
@@ -1669,38 +1669,50 @@ sanitize_regexp(const char *old) return new; } + /* Used by validate_one_keyblock to confirm a regexp within a trust - signature. Returns 1 for match, and 0 for no match or regex - error. */ + * signature. Returns 1 for match, and 0 for no match or regex + * error. */ static int -check_regexp(const char *expr,const char *string) +check_regexp (const char *expr,const char *string) { int ret; char *regexp; + char *stringbuf = NULL; + regex_t pat; - regexp=sanitize_regexp(expr); + regexp = sanitize_regexp (expr); - { - regex_t pat; + ret = regcomp (&pat, regexp, (REG_ICASE|REG_EXTENDED)); + if (!ret) + { + if (*regexp == '<' && !strchr (string, '<') + && is_valid_mailbox (string)) + { + /* The R.E. starts with an angle bracket but STRING seems to + * be a plain mailbox (e.g. "foo@example.org"). The + * commonly used R.E. pattern "<[^>]+[@.]example\.org>$" + * won't be able to detect this. Thus we enclose STRING + * into angle brackets for checking. */ + stringbuf = xstrconcat ("<", string, ">", NULL); + string = stringbuf; + } + ret = regexec (&pat, string, 0, NULL, 0); + regfree (&pat); + } - ret=regcomp(&pat,regexp,REG_ICASE|REG_EXTENDED); - if(ret==0) - { - ret=regexec(&pat,string,0,NULL,0); - regfree(&pat); - } - ret=(ret==0); - } + ret = !ret; - if(DBG_TRUST) - log_debug("regexp '%s' ('%s') on '%s': %s\n", - regexp,expr,string,ret?"YES":"NO"); - - xfree(regexp); + if (DBG_TRUST) + log_debug ("regexp '%s' ('%s') on '%s'%s: %s\n", + regexp, expr, string, stringbuf? " (fixed)":"", ret? "YES":"NO"); + xfree (regexp); + xfree (stringbuf); return ret; } + /* * Return true if the key is signed by one of the keys in the given * key ID list. User IDs with a valid signature are marked by node From 6ba5b6b85451ef6374656b101ab3d4551e11b97b Mon Sep 17 00:00:00 2001 
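Review bot: The angle-bracket kludge in check_regexp widens what a trust signature's regular expression accepts, yet the header comment above the function still describes plain regexp matching; since this expression is the only thing scoping the trust a trusted introducer may delegate, the rule belongs in the contract. Suggest extending the comment with: `If EXPR starts with '<' and STRING is a bare mailbox (no '<' in it), STRING is matched as if enclosed in angle brackets so that the usual "<[^>]+[@.]example\.org>$" pattern still applies.` The test keys on the first character of the *sanitized* expression, so it would be good to confirm that sanitize_regexp (cut off at the top of the hunk) never rewrites a leading '<'. A minor point: with `nmatch` always 0, passing REG_NOSUB to regcomp would let the library skip sub-match bookkeeping.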
From: Werner Koch Date: Thu, 10 Nov 2022 14:55:22 +0100 Subject: [PATCH 10/39] agent: Allow trustlist on Windows in Unicode homedirs. * agent/trustlist.c (agent_marktrusted): Use gnupg_access. --- agent/trustlist.c | 2 +- doc/DETAILS | 31 +++++++++++++++++++++++++++++++ 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/agent/trustlist.c b/agent/trustlist.c index 086d8ae76..a19af344a 100644 --- a/agent/trustlist.c +++ b/agent/trustlist.c @@ -646,7 +646,7 @@ agent_marktrusted (ctrl_t ctrl, const char *name, const char *fpr, int flag) if (!fname) return gpg_error_from_syserror (); - if ((ec = access (fname, W_OK)) && ec != GPG_ERR_ENOENT) + if ((ec = gnupg_access (fname, W_OK)) && ec != GPG_ERR_ENOENT) { xfree (fname); return gpg_error (GPG_ERR_EPERM); diff --git a/doc/DETAILS b/doc/DETAILS index 420f67df3..8e8552136 100644 --- a/doc/DETAILS +++ b/doc/DETAILS 
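Review bot: The failure branch in agent_marktrusted still collapses every error from gnupg_access other than ENOENT into GPG_ERR_EPERM, so a read-only filesystem, a directory sitting where the file should be, or a conversion problem in the Unicode home directory this commit is about all surface as "permission denied". Now that `ec` holds a proper gpg error code rather than access()'s -1, it can simply be propagated: `return gpg_error (ec);`. Note the switch also changes behaviour for the missing-file case, since the old comparison of -1 against GPG_ERR_ENOENT could never be false; that is presumably the intended fix but deserves a sentence in the commit message.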
@@ -1540,6 +1540,37 @@ Description of some debug flags: * Miscellaneous notes +** List of useful RFCs and I-D. + - RFC-1423 :: PEM, Part III: Algorithms, Modes, and Identifiers + - RFC-1750 :: Randomness Recommendations for Security + - RFC-1991 :: PGP Message Exchange Formats (obsolete) + - RFC-2144 :: The CAST-128 Encryption Algorithm + - RFC-2279 :: UTF-8, a transformation format of ISO 10646 + - RFC-2440 :: OpenPGP (obsolete). + - RFC-3156 :: MIME Security with Pretty Good Privacy (PGP). + - RFC-3447 :: PKCS #1: RSA Cryptography Specifications Version 2.1 + - RFC-4880 :: OpenPGP + - RFC-5083 :: CMS - Authenticated-Enveloped-Data + - RFC-5084 :: CMS - AES-GCM + - RFC-5280 :: X.509 PKI Certificate and CRL Profile + - RFC-5480 :: ECC Subject Public Key Information + - RFC-5639 :: ECC Brainpool Standard Curves + - RFC-5652 :: CMS (STD0070) + - RFC-5753 :: ECC in CMS + - RFC-5758 :: CMS - Additional Algorithms for DSA and ECDSA + - RFC-6818 :: Updates to the X.509 PKI Certificate and CRL Profile + - RFC-6960 :: Online Certificate Status Protocol - OCSP + - RFC-8954 :: Online Certificate Status Protocol (OCSP) Nonce Extension + - RFC-8398 :: Internationalized Email Addresses in X.509 Certificates + - RFC-8399 :: Internationalization Updates to RFC 5280 + - RFC-8813 :: Clarifications for ECC Subject Public Key + - RFC-5915 :: ECC Private Key Structure + - RFC-5958 :: Asymmetric Key Packages + - RFC-6337 :: ECC in OpenPGP + - RFC-7292 :: PKCS #12: Personal Information Exchange Syntax v1.1 + - RFC-8351 :: The PKCS #8 EncryptedPrivateKeyInfo Media Type + + - draft-koch-openpgp-2015-rfc4880bis :: Updates to RFC-4880 ** v3 fingerprints For packet version 3 we calculate the keyids this way: From 84aba39491c29b3b65e4746a7301cb13cde43c8d Mon Sep 17 00:00:00 2001 
From: Werner Koch Date: Tue, 15 Nov 2022 14:52:40 +0100 Subject: [PATCH 11/39] scd:nks: Fix ECC signing if key not given by keygrip. * scd/app-nks.c (keygripstr_from_pk_file): Set r_algo if not in cache. --- scd/app-nks.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scd/app-nks.c b/scd/app-nks.c index 348a6203c..b872e6e57 100644 --- a/scd/app-nks.c +++ b/scd/app-nks.c @@ -450,6 +450,8 @@ keygripstr_from_pk_file (app_t app, int pkfid, int cfid, char *r_gripstr, if (!err) { + if (r_algo) + *r_algo = algo; if (r_algostr) { *r_algostr = algostr; From ce50dea7cfe16ab4acf2600b1ef40d47635c93d8 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 16 Nov 2022 17:15:36 +0100 Subject: [PATCH 12/39] gpg: Add a notation to encryption subkeys in de-vs mode. * g10/keygen.c (struct opaque_data_usage_and_pk): Add cpl_notation. (do_add_notation): New. (keygen_add_key_flags_and_expire): Set cpl@gnupg.org notation if requested. (write_keybinding): Request notation for subkeys in de-vs mode. -- GnuPG-bug-id: 6279 --- g10/keygen.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 57 insertions(+), 3 deletions(-) diff --git a/g10/keygen.c b/g10/keygen.c index 80d65c444..2041d30af 100644 --- a/g10/keygen.c +++ b/g10/keygen.c @@ -121,9 +121,11 @@ struct output_control_s }; -struct opaque_data_usage_and_pk { - unsigned int usage; - PKT_public_key *pk; +struct opaque_data_usage_and_pk +{ + unsigned int usage; + const char *cpl_notation; + PKT_public_key *pk; }; @@ -151,6 +153,9 @@ static gpg_error_t gen_card_key (int keyno, int algo, int is_primary, u32 expireval); static unsigned int get_keysize_range (int algo, unsigned int *min, unsigned int *max); +static void do_add_notation (PKT_signature *sig, + const char *name, const char *value, + int critical); 
@@ -301,12 +306,16 @@ keygen_add_key_flags (PKT_signature *sig, void *opaque) } +/* This is only used to write the key binding signature. It is not + * used for the primary key. */ static int keygen_add_key_flags_and_expire (PKT_signature *sig, void *opaque) { struct opaque_data_usage_and_pk *oduap = opaque; do_add_key_flags (sig, oduap->usage); + if (oduap->cpl_notation) + do_add_notation (sig, "cpl@gnupg.org", oduap->cpl_notation, 0); return keygen_add_key_expire (sig, oduap->pk); } @@ -789,6 +798,44 @@ keygen_add_keyserver_url(PKT_signature *sig, void *opaque) return 0; } + +/* This function is used to add a notations to a signature. In + * general the caller should have cleared exiting notations before + * adding new ones. For example by calling: + * + * delete_sig_subpkt(sig->hashed,SIGSUBPKT_NOTATION); + * delete_sig_subpkt(sig->unhashed,SIGSUBPKT_NOTATION); + * + * Only human readable notaions may be added. NAME and value are + * expected to be UTF-* strings. + */ +static void +do_add_notation (PKT_signature *sig, const char *name, const char *value, + int critical) +{ + unsigned char *buf; + unsigned int n1,n2; + + n1 = strlen (name); + n2 = strlen (value); + + buf = xmalloc (8 + n1 + n2); + + buf[0] = 0x80; /* human readable. */ + buf[1] = buf[2] = buf[3] = 0; + buf[4] = n1 >> 8; + buf[5] = n1; + buf[6] = n2 >> 8; + buf[7] = n2; + memcpy (buf+8, name, n1); + memcpy (buf+8+n1, value, n2); + build_sig_subpkt (sig, + (SIGSUBPKT_NOTATION|(critical?SIGSUBPKT_FLAG_CRITICAL:0)), + buf, 8+n1+n2 ); + xfree (buf); +} + + int keygen_add_notations(PKT_signature *sig,void *opaque) { @@ -838,6 +885,7 @@ keygen_add_notations(PKT_signature *sig,void *opaque) return 0; } + int keygen_add_revkey (PKT_signature *sig, void *opaque) { 
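Review bot: do_add_notation encodes the name and value lengths in two bytes each (`buf[4] = n1 >> 8; buf[5] = n1;`) but never checks that `n1` and `n2` fit, so a string longer than 65535 bytes would be silently truncated in the length fields while the full data is still copied after them, yielding a malformed notation subpacket. The only caller today passes short constants, but the helper is generic; add `log_assert (n1 < 65536 && n2 < 65536);` right after the strlen calls, or return an error. The header comment also needs a wording pass: `notaions` → `notations`, `exiting` → `existing`, and `UTF-*` → `UTF-8`.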
@@ -1096,6 +1144,12 @@ write_keybinding (ctrl_t ctrl, kbnode_t root, /* Make the signature. */ oduap.usage = use; + if ((use & PUBKEY_USAGE_ENC) + && opt.compliance == CO_DE_VS + && gnupg_rng_is_compliant (CO_DE_VS)) + oduap.cpl_notation = "de-vs"; + else + oduap.cpl_notation = NULL; oduap.pk = sub_pk; err = make_keysig_packet (ctrl, &sig, pri_pk, NULL, sub_pk, pri_psk, 0x18, 0, timestamp, 0, From 2e18c371d2417b86c34f986d075a2ef6a374ab92 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 17 Nov 2022 14:22:04 +0100 Subject: [PATCH 13/39] scd: Redact --debug cardio output of a VERIFY APDU. * scd/apdu.c (pcsc_send_apdu) [DBG_CARD_IO]: Detect and redact a VERIFY. (send_apdu_ccid): Ditto. -- This should handle the most common case. GnuPG-bug-id: 5085 --- scd/apdu.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/scd/apdu.c b/scd/apdu.c index 9568d2503..9fb5cbee4 100644 --- a/scd/apdu.c +++ b/scd/apdu.c @@ -772,7 +772,14 @@ pcsc_send_apdu (int slot, unsigned char *apdu, size_t apdulen, return err; if (DBG_CARD_IO) - log_printhex (apdu, apdulen, " PCSC_data:"); + { + /* Do not dump the PIN in a VERIFY command. */ + if (apdulen > 5 && apdu[1] == 0x20) + log_debug ("PCSC_data: %02X %02X %02X %02X %02X [redacted]\n", + apdu[0], apdu[1], apdu[2], apdu[3], apdu[4]); + else + log_printhex (apdu, apdulen, "PCSC_data:"); + } if ((reader_table[slot].pcsc.protocol & PCSC_PROTOCOL_T1)) send_pci.protocol = PCSC_PROTOCOL_T1; @@ -1697,7 +1704,14 @@ send_apdu_ccid (int slot, unsigned char *apdu, size_t apdulen, return err; if (DBG_CARD_IO) - log_printhex (apdu, apdulen, " raw apdu:"); + { + /* Do not dump the PIN in a VERIFY command. */ + if (apdulen > 5 && apdu[1] == 0x20) + log_debug (" raw apdu: %02x%02x%02x%02x%02x [redacted]\n", + apdu[0], apdu[1], apdu[2], apdu[3], apdu[4]); + else + log_printhex (apdu, apdulen, " raw apdu:"); + } maxbuflen = *buflen; if (pininfo) From b13c0b595ebdddc7760eeab901ee5a6d0e8daa10 Mon Sep 17 00:00:00 2001 
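Review bot: The condition that attaches the `cpl@gnupg.org` = `de-vs` notation in write_keybinding checks only the compliance mode and the RNG, not the subkey itself, so unless the callers already refuse non-approved algorithms and key sizes in de-vs mode, the notation could assert compliance for an encryption subkey that is not de-vs compliant. Since this notation is a signed statement that other software may act on, consider also requiring the public-key compliance check, e.g. `&& gnupg_pk_is_compliant (CO_DE_VS, sub_pk->pubkey_algo, 0, sub_pk->pkey, nbits_from_pk (sub_pk), NULL)` (the exact helper signature in this tree may differ), and add a comment stating what the notation certifies. The rest of write_keybinding, including where `use` and `sub_pk` come from, is outside the hunk.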
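Review bot: The redaction in pcsc_send_apdu keys on `apdu[1] == 0x20` only, so other PIN-bearing commands on the same path still dump the secret into the debug log: CHANGE REFERENCE DATA (INS 0x24) and RESET RETRY COUNTER (INS 0x2C), as well as a VERIFY with an extended-length Lc whose header exceeds five bytes. Widening the test to `if (apdulen > 5 && (apdu[1] == 0x20 || apdu[1] == 0x24 || apdu[1] == 0x2C))` covers the common PIN-change flows at no cost; the same change belongs in send_apdu_ccid in the next hunk. The commit message acknowledges this is only the most common case, so at least a comment naming the uncovered commands would help the next person.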
From: NIIBE Yutaka Date: Wed, 6 Apr 2022 11:28:00 +0900 Subject: [PATCH 14/39] w32: Fix for make check. * common/Makefile.am (module_tests): Exclude t-exechelp and t-exectool. * common/t-stringhelp.c (mygetcwd): Convert '\' to '/'. * tests/gpgme/Makefile.am: Add $(EXEEXT). * tests/migrations/Makefile.am: Likewise. * tests/openpgp/Makefile.am: Likewise. -- Backport master commit of: 39d478f5ba5d74cdd1d2e40311ff120c932bac37 Signed-off-by: NIIBE Yutaka --- common/Makefile.am | 5 ++--- common/t-stringhelp.c | 10 +++++++++- tests/gpgme/Makefile.am | 2 +- tests/migrations/Makefile.am | 2 +- tests/openpgp/Makefile.am | 2 +- 5 files changed, 14 insertions(+), 7 deletions(-) diff --git a/common/Makefile.am b/common/Makefile.am index bd281d603..1cc89a08f 100644 --- a/common/Makefile.am +++ b/common/Makefile.am @@ -169,11 +169,10 @@ module_tests = t-stringhelp t-timestuff \ t-session-env t-openpgp-oid t-ssh-utils \ t-mapstrings t-zb32 t-mbox-util t-iobuf t-strlist \ t-name-value t-ccparray t-recsel t-w32-cmdline -if !HAVE_W32CE_SYSTEM -module_tests += t-exechelp t-exectool -endif if HAVE_W32_SYSTEM module_tests += t-w32-reg +else +module_tests += t-exechelp t-exectool endif if MAINTAINER_MODE diff --git a/common/t-stringhelp.c b/common/t-stringhelp.c index d76991f91..7d25cbd18 100644 --- a/common/t-stringhelp.c +++ b/common/t-stringhelp.c @@ -89,7 +89,15 @@ mygetcwd (void) return buffer; #else if (getcwd (buffer, size) == buffer) - return buffer; + { +#ifdef HAVE_W32_SYSTEM + char *p; + for (p = buffer; *p; p++) + if (*p == '\\') + *p = '/'; +#endif + return buffer; + } xfree (buffer); if (errno != ERANGE) { diff --git a/tests/gpgme/Makefile.am b/tests/gpgme/Makefile.am index 60fb01df9..8b1f3c7df 100644 --- a/tests/gpgme/Makefile.am +++ b/tests/gpgme/Makefile.am 
@@ -45,7 +45,7 @@ check: xcheck .PHONY: xcheck xcheck: - $(TESTS_ENVIRONMENT) $(abs_top_builddir)/tests/gpgscm/gpgscm \ + $(TESTS_ENVIRONMENT) $(abs_top_builddir)/tests/gpgscm/gpgscm$(EXEEXT) \ $(abs_srcdir)/run-tests.scm $(TESTFLAGS) $(TESTS) EXTRA_DIST = gpgme-defs.scm run-tests.scm setup.scm wrap.scm all-tests.scm diff --git a/tests/migrations/Makefile.am b/tests/migrations/Makefile.am index 6d2d2e8a6..4eaacb945 100644 --- a/tests/migrations/Makefile.am +++ b/tests/migrations/Makefile.am @@ -53,7 +53,7 @@ check: xcheck .PHONY: xcheck xcheck: - $(TESTS_ENVIRONMENT) $(abs_top_builddir)/tests/gpgscm/gpgscm \ + $(TESTS_ENVIRONMENT) $(abs_top_builddir)/tests/gpgscm/gpgscm$(EXEEXT) \ $(abs_srcdir)/run-tests.scm $(TESTFLAGS) $(TESTS) EXTRA_DIST = common.scm run-tests.scm setup.scm all-tests.scm \ diff --git a/tests/openpgp/Makefile.am b/tests/openpgp/Makefile.am index 59f39e2f7..2b06fb18c 100644 --- a/tests/openpgp/Makefile.am +++ b/tests/openpgp/Makefile.am @@ -116,7 +116,7 @@ check: xcheck .PHONY: xcheck xcheck: - $(TESTS_ENVIRONMENT) $(abs_top_builddir)/tests/gpgscm/gpgscm \ + $(TESTS_ENVIRONMENT) $(abs_top_builddir)/tests/gpgscm/gpgscm$(EXEEXT) \ $(abs_srcdir)/run-tests.scm $(TESTFLAGS) $(TESTS) TEST_FILES = pubring.asc secring.asc plain-1o.asc plain-2o.asc plain-3o.asc \ From 1e62c4b7c24f50d043b74ce6fad36a615ec65757 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Wed, 6 Apr 2022 13:28:15 +0900 Subject: [PATCH 15/39] w32: Exclude tests with HOME. * common/t-session-env.c [HAVE_W32_SYSTEM] (test_all): HOME is not defined, so, exclude the tests. -- Backport master commit of: b47a23f5fac551727d24f65765e21485ed2bb02c Signed-off-by: NIIBE Yutaka --- common/t-session-env.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/common/t-session-env.c b/common/t-session-env.c index e2b942c6a..a65cb153f 100644 --- a/common/t-session-env.c +++ b/common/t-session-env.c 
@@ -154,6 +154,7 @@ test_all (void) listall (se); +#ifndef HAVE_W32_SYSTEM /* Retrieve a default one. */ s = session_env_getenv_or_default (se, "HOME", NULL); if (!s) @@ -161,14 +162,17 @@ test_all (void) fprintf (stderr, "failed to get default of HOME\n"); exit (1); } +#endif s = session_env_getenv (se, "HOME"); if (s) fail(0); /* This is a default value, thus we should not see it. */ +#ifndef HAVE_W32_SYSTEM s = session_env_getenv_or_default (se, "HOME", NULL); if (!s) fail(0); /* But here we should see it. */ +#endif /* Add a few more. */ err = session_env_putenv (se, "X1=A value"); From b94fe0e0077f1b8a1622eb67eac85675e6c24198 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Tue, 22 Nov 2022 15:03:43 +0900 Subject: [PATCH 16/39] tests: Use 233 for invalid value of FD. * tests/openpgp/issue2941.scm: Use 233. -- On Windows machine (emulated by Wine), 23 may be valid value for handle. Signed-off-by: NIIBE Yutaka --- tests/openpgp/issue2941.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/openpgp/issue2941.scm b/tests/openpgp/issue2941.scm index 8f625ebe3..306df6cb5 100755 --- a/tests/openpgp/issue2941.scm +++ b/tests/openpgp/issue2941.scm @@ -29,6 +29,6 @@ (for-each-p "Checking invocation with invalid file descriptors (issue2941)." (lambda (option) - (check-failure `(,(string-append "--" option "=23") --sign gpg.conf))) + (check-failure `(,(string-append "--" option "=233") --sign gpg.conf))) '("status-fd" "attribute-fd" "logger-fd" "override-session-key-fd" "passphrase-fd" "command-fd")) From 44cbe6fbc0627ef33918e8f489bb2a379cb4f347 Mon Sep 17 00:00:00 2001 
From: NIIBE Yutaka Date: Tue, 22 Nov 2022 15:09:52 +0900 Subject: [PATCH 17/39] tests: Keep .log files in objdir. * tests/gpgscm/tests.scm (open-log-file): Keep the log file in objdir. -- Before the change, it is at ephemeral temp directory which is removed. This is not useful at all. Possibly, it was done before the introduce of ephemeral temp directory for each test and not changed. Signed-off-by: NIIBE Yutaka --- tests/gpgscm/tests.scm | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/gpgscm/tests.scm b/tests/gpgscm/tests.scm index 51410020e..37c1d64c6 100644 --- a/tests/gpgscm/tests.scm +++ b/tests/gpgscm/tests.scm @@ -716,7 +716,9 @@ (define (open-log-file) (unless log-file-name - (set! log-file-name (string-append (basename name) ".log"))) + (set! log-file-name (path-join + (getenv "objdir") + (string-append name ".log")))) (catch '() (unlink log-file-name)) (open log-file-name (logior O_RDWR O_BINARY O_CREAT) #o600)) From 4ea7f03c1013f886e51c7740a06afaa9060dada7 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Tue, 22 Nov 2022 15:11:42 +0900 Subject: [PATCH 18/39] tests:gpgscm:w32: Fix for GetTempPath. * tests/gpgscm/ffi.c (do_get_temp_path): Remove the last backslash. -- Signed-off-by: NIIBE Yutaka --- tests/gpgscm/ffi.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tests/gpgscm/ffi.c b/tests/gpgscm/ffi.c index dde5b5282..355021cd3 100644 --- a/tests/gpgscm/ffi.c +++ b/tests/gpgscm/ffi.c @@ -353,6 +353,11 @@ do_get_temp_path (scheme *sc, pointer args) #ifdef HAVE_W32_SYSTEM if (GetTempPath (MAX_PATH+1, buffer) == 0) FFI_RETURN_STRING (sc, "/temp"); + else + { + size_t len = strlen (buffer); + buffer[len-1] = 0; + } FFI_RETURN_STRING (sc, buffer); #else FFI_RETURN_STRING (sc, "/tmp"); From ddfc90e5242ec751bf5275c6acbe12dc51d64b6d Mon Sep 17 00:00:00 2001 
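Review bot: The new else branch in do_get_temp_path unconditionally overwrites `buffer[len-1]`, assuming the result is non-empty and ends in a backslash; GetTempPath documents a trailing backslash on success, but it also reports a too-small buffer by returning a value larger than the size passed, and this code treats that as success and then chops the (truncated) result. Capture the return value, reject it when it exceeds the buffer size, and strip only when `len && buffer[len-1] == '\\'`. The declaration and size of `buffer` are outside the hunk, so the bound should be taken from there rather than from the MAX_PATH+1 literal.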
From: NIIBE Yutaka Date: Tue, 22 Nov 2022 15:19:47 +0900 Subject: [PATCH 19/39] tests:w32: Fix for non-dot file name for Windows. * tests/migrations/from-classic.scm (assert-migrated): Handle the case on Windows. -- Signed-off-by: NIIBE Yutaka --- tests/migrations/from-classic.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/migrations/from-classic.scm b/tests/migrations/from-classic.scm index b473d702a..2033a4a77 100755 --- a/tests/migrations/from-classic.scm +++ b/tests/migrations/from-classic.scm @@ -26,7 +26,7 @@ (call-check `(,@GPG --list-secret-keys))) (define (assert-migrated) - (unless (file-exists? ".gpg-v21-migrated") + (unless (or (file-exists? ".gpg-v21-migrated") (file-exists? "gpg-v21-migrated")) (error "Not migrated")) (for-each From 8b1061a5dec787de063a83db334edd7349ab77d8 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Thu, 24 Nov 2022 15:22:32 +0900 Subject: [PATCH 20/39] tests: Fix to support --enable-all-tests and variants. * tests/gpgscm/tests.scm (test::scm): Add VARIANT argument. (tests::new): Likewise. (open-log-file, report): Support VARIANT. * tests/gpgme/all-tests.scm (setup-c, setup-py): Follow the change. * tests/gpgsm/all-tests.scm (setup): Likewise. * tests/gpgsm/run-tests.scm: Likewise. * tests/migrations/all-tests.scm: Likewise. * tests/migrations/run-tests.scm: Likewise. * tests/openpgp/all-tests.scm: Likewise. * tests/openpgp/run-tests.scm: Likewise. -- Fixes-commit: 1c88104a3f00f7ca3790fbaab8f67b2b68cd6e18 Signed-off-by: NIIBE Yutaka --- tests/gpgme/all-tests.scm | 3 +++ tests/gpgscm/tests.scm | 17 +++++++++++------ tests/gpgsm/all-tests.scm | 2 ++ tests/gpgsm/run-tests.scm | 2 ++ tests/migrations/all-tests.scm | 1 + tests/migrations/run-tests.scm | 1 + tests/openpgp/all-tests.scm | 13 ++++++++----- tests/openpgp/run-tests.scm | 2 ++ 8 files changed, 30 insertions(+), 11 deletions(-) diff --git a/tests/gpgme/all-tests.scm b/tests/gpgme/all-tests.scm index f72f8af97..1746c4ee1 100644 
--- a/tests/gpgme/all-tests.scm +++ b/tests/gpgme/all-tests.scm @@ -39,6 +39,7 @@ (define setup-c (make-environment-cache (test::scm + #f #f (path-join "tests" "gpgme" "setup.scm" "tests" "gpg") (in-srcdir "tests" "gpgme" "setup.scm") @@ -46,6 +47,7 @@ (define setup-py (make-environment-cache (test::scm + #f #f (path-join "tests" "gpgme" "setup.scm" "lang" "python" "tests") (in-srcdir "tests" "gpgme" "setup.scm") @@ -71,6 +73,7 @@ (map (lambda (name) (apply test::scm `(,(:setup cmpnts) + #f ,(apply path-join `("tests" "gpgme" ,@(:path cmpnts) ,name)) ,(in-srcdir "tests" "gpgme" "wrap.scm") diff --git a/tests/gpgscm/tests.scm b/tests/gpgscm/tests.scm index 37c1d64c6..059d6a7e7 100644 --- a/tests/gpgscm/tests.scm +++ b/tests/gpgscm/tests.scm @@ -670,14 +670,14 @@ name)) (package - (define (scm setup name path . args) + (define (scm setup variant name path . args) ;; Start the process. (define (spawn-scm args' in out err) (spawn-process-fd `(,*argv0* ,@(verbosity (*verbose*)) ,(locate-test (test-name path)) ,@(if setup (force setup) '()) ,@args' ,@args) in out err)) - (new name #f spawn-scm #f #f CLOSED_FD (expect-failure? name))) + (new variant name #f spawn-scm #f #f CLOSED_FD (expect-failure? name))) (define (binary setup name path . args) ;; Start the process. @@ -685,9 +685,9 @@ (spawn-process-fd `(,(test-name path) ,@(if setup (force setup) '()) ,@args' ,@args) in out err)) - (new name #f spawn-binary #f #f CLOSED_FD (expect-failure? name))) + (new #f name #f spawn-binary #f #f CLOSED_FD (expect-failure? name))) - (define (new name directory spawn pid retcode logfd expect-failure) + (define (new variant name directory spawn pid retcode logfd expect-failure) (package ;; XXX: OO glue. 
@@ -718,7 +718,9 @@ (unless log-file-name (set! log-file-name (path-join (getenv "objdir") - (string-append name ".log")))) + (if variant + (string-append name "." variant ".log") + (string-append name ".log"))))) (catch '() (unlink log-file-name)) (open log-file-name (logior O_RDWR O_BINARY O_CREAT) #o600)) @@ -767,7 +769,10 @@ (seek logfd 0 SEEK_SET) (splice logfd STDERR_FILENO) (close logfd)) - (echo (string-append (status-string) ":") name)) + (echo (string-append (status-string) ":") + (if variant + (string-append "<" variant ">" name) + name))) (define (xml) (xx::tag diff --git a/tests/gpgsm/all-tests.scm b/tests/gpgsm/all-tests.scm index 1baa92468..80599b7cb 100644 --- a/tests/gpgsm/all-tests.scm +++ b/tests/gpgsm/all-tests.scm @@ -29,6 +29,7 @@ (define setup (make-environment-cache (test::scm + #f #f (path-join "tests" "gpgsm" "setup.scm") (in-srcdir "tests" "gpgsm" "setup.scm") @@ -36,6 +37,7 @@ (map (lambda (name) (test::scm setup + #f (path-join "tests" "gpgsm" name) (in-srcdir "tests" "gpgsm" name))) (parse-makefile-expand (in-srcdir "tests" "gpgsm" "Makefile.am") diff --git a/tests/gpgsm/run-tests.scm b/tests/gpgsm/run-tests.scm index 6b460b165..014520eec 100644 --- a/tests/gpgsm/run-tests.scm +++ b/tests/gpgsm/run-tests.scm @@ -27,6 +27,7 @@ (define setup (make-environment-cache (test::scm + #f #f (path-join "tests" "gpgsm" "setup.scm") (in-srcdir "tests" "gpgsm" "setup.scm")))) @@ -35,5 +36,6 @@ (load-tests "tests" "gpgsm") (map (lambda (name) (test::scm setup + #f (path-join "tests" "gpgsm" name) (in-srcdir "tests" "gpgsm" name))) tests))) diff --git a/tests/migrations/all-tests.scm b/tests/migrations/all-tests.scm index 421f69679..ba95f5c50 100644 --- a/tests/migrations/all-tests.scm +++ b/tests/migrations/all-tests.scm @@ -28,6 +28,7 @@ (map (lambda (name) (test::scm #f + #f (path-join "tests" "migrations" name) (in-srcdir "tests" "migrations" name))) (parse-makefile-expand (in-srcdir "tests" "migrations" "Makefile.am") 
diff --git a/tests/migrations/run-tests.scm b/tests/migrations/run-tests.scm index f44334c7d..d4db14f56 100644 --- a/tests/migrations/run-tests.scm +++ b/tests/migrations/run-tests.scm @@ -23,5 +23,6 @@ (load-tests "tests" "migrations") (map (lambda (name) (test::scm #f + #f (path-join "tests" "migrations" name) (in-srcdir "tests" "migrations" name))) tests))) diff --git a/tests/openpgp/all-tests.scm b/tests/openpgp/all-tests.scm index d687fe49b..7d36d8ddb 100644 --- a/tests/openpgp/all-tests.scm +++ b/tests/openpgp/all-tests.scm @@ -29,6 +29,7 @@ (define setup (make-environment-cache (test::scm + #f #f (path-join "tests" "openpgp" "setup.scm") (in-srcdir "tests" "openpgp" "setup.scm")))) @@ -40,7 +41,8 @@ (make-environment-cache (test::scm #f - (qualify (path-join "tests" "openpgp" "setup.scm") variant) + variant + (path-join "tests" "openpgp" "setup.scm") (in-srcdir "tests" "openpgp" "setup.scm") (string-append "--" variant)))) @@ -55,6 +57,7 @@ (define tests (map (lambda (name) (test::scm setup + #f (path-join "tests" "openpgp" name) (in-srcdir "tests" "openpgp" name))) all-tests)) @@ -64,14 +67,14 @@ tests (map (lambda (name) (test::scm setup-use-keyring - (qualify (path-join "tests" "openpgp" name) - "use-keyring") + "use-keyring" + (path-join "tests" "openpgp" name) (in-srcdir "tests" "openpgp" name) "--use-keyring")) all-tests) (map (lambda (name) (test::scm setup-extended-key-format - (qualify (path-join "tests" "openpgp" name) - "extended-key-format") + "extended-key-format" + (path-join "tests" "openpgp" name) (in-srcdir "tests" "openpgp" name) "--extended-key-format")) all-tests)))) diff --git a/tests/openpgp/run-tests.scm b/tests/openpgp/run-tests.scm index d4914bda7..264331089 100644 --- a/tests/openpgp/run-tests.scm +++ b/tests/openpgp/run-tests.scm @@ -28,6 +28,7 @@ (define setup (make-environment-cache (test::scm + #f #f (path-join "tests" "openpgp" "setup.scm") (in-srcdir "tests" "openpgp" "setup.scm")))) 
@@ -38,5 +39,6 @@ (load-tests "tests" "openpgp") (map (lambda (name) (test::scm setup + #f (path-join "tests" "openpgp" name) (in-srcdir "tests" "openpgp" name))) tests))) From ff266aef29119b365576617c06614f2cc0af0bf2 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Fri, 25 Nov 2022 13:14:58 +0900 Subject: [PATCH 21/39] w32: Fix for make check. * tests/gpgsm/Makefile.am: Add $(EXEEXT). -- Fixes-commit: a27e6505daabd7ea1405244d128ad3c2ef5bb6f6 Signed-off-by: NIIBE Yutaka --- tests/gpgsm/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/gpgsm/Makefile.am b/tests/gpgsm/Makefile.am index e784a3168..6c57c4c48 100644 --- a/tests/gpgsm/Makefile.am +++ b/tests/gpgsm/Makefile.am @@ -53,7 +53,7 @@ check: xcheck .PHONY: xcheck xcheck: - $(TESTS_ENVIRONMENT) $(abs_top_builddir)/tests/gpgscm/gpgscm \ + $(TESTS_ENVIRONMENT) $(abs_top_builddir)/tests/gpgscm/gpgscm$(EXEEXT) \ $(abs_srcdir)/run-tests.scm $(TESTFLAGS) $(TESTS) KEYS = 32100C27173EF6E9C4E9A25D3D69F86D37A4F939 From 791c162c7001e5c880ced65f61afecdf628677d0 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 17 Nov 2022 09:35:53 +0100 Subject: [PATCH 22/39] Update NEWS for 2.2.41 -- --- NEWS | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/NEWS b/NEWS index babf8eaf4..a778ac1c0 100644 --- a/NEWS +++ b/NEWS 
@@ -1,6 +1,21 @@ Noteworthy changes in version 2.2.41 (unreleased) ------------------------------------------------- + * gpg: Also import stray revocation certificates. [rGbd825ead36af] + + * gpg: Add a notation to encryption subkeys in de-vs mode. [T6279] + + * gpg: Fix trusted introducer for mbox only user-ids. [T6238] + + * gpg: Report an error via status-fd for receiving a key from the + agent. [T5151] + + * scd: Support the Telesec Signature Card v2.0. [T6252] + + * Fix build regression depending on libgpg-error version. [T6244] + + Release-info: https://dev.gnupg.org/T6280 + Noteworthy changes in version 2.2.40 (2022-10-10) ------------------------------------------------- From 11f3232716716511ff9ea8c9c15c984ce4614d83 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Mon, 28 Nov 2022 08:21:59 +0100 Subject: [PATCH 23/39] gpg: Make --require-compliance work with out --status-fd * g10/mainproc.c (proc_encrypted): Set complaince_de_vs also if require-compliance is set. -- Without this fix require-compliance would fail if no --status-fd was used. --- g10/mainproc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/g10/mainproc.c b/g10/mainproc.c index 8e4d848bb..096f16c71 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c @@ -765,7 +765,7 @@ proc_encrypted (CTX c, PACKET *pkt) result = GPG_ERR_NO_SECKEY; /* Compute compliance with CO_DE_VS. */ - if (!result && is_status_enabled () + if (!result && (is_status_enabled () || opt.flags.require_compliance) /* Overriding session key voids compliance. */ && !opt.override_session_key /* Check symmetric cipher. */ From 15b8d100c9c8d0dc65706451d7edaef8b4abaafc Mon Sep 17 00:00:00 2001 
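Review bot: The comment above the changed condition still reads only `/* Compute compliance with CO_DE_VS. */`, while the new `|| opt.flags.require_compliance` clause is what makes the compliance result available when no status fd is present; the remaining `&&` clauses are outside the hunk, so a reader cannot see why the status-fd test and require-compliance are tied together. Suggest `/* Compute compliance with CO_DE_VS.  Needed for the status line and, per the commit message, for --require-compliance, which otherwise fails without --status-fd. */`. proc_encrypted continues outside the hunk.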
From: Jussi Kivilinna Date: Thu, 10 Feb 2022 19:53:53 +0200 Subject: [PATCH 24/39] g10/plaintext: do_hash: use iobuf_read for higher performance * g10/plaintext.c (do_hash): Use iobuf_read instead of iobuf_get for reading data; Use gcry_md_write instead of gcry_md_putc for hash data. -- This patch reduces iobuf_read per byte processing overhead and speeds up detached signature verifying. Detached verifying speed on AMD Ryzen 5800X (4.3GiB file, SHA256): gpg process user time before: 9.410s after: 1.913s (4.9x faster) GnuPG-bug-id: T5826 Signed-off-by: Jussi Kivilinna (cherry picked from commit 4e27b9defc608f1fa31ca50f1ed1d5761b73b480) --- g10/plaintext.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/g10/plaintext.c b/g10/plaintext.c index 3bc86968b..10d567a8c 100644 --- a/g10/plaintext.c +++ b/g10/plaintext.c @@ -584,11 +584,16 @@ do_hash (gcry_md_hd_t md, gcry_md_hd_t md2, IOBUF fp, int textmode) } else { - while ((c = iobuf_get (fp)) != -1) + byte *buffer = xmalloc (32768); + int ret; + + while ((ret = iobuf_read (fp, buffer, 32768)) != -1) { if (md) - gcry_md_putc (md, c); + gcry_md_write (md, buffer, ret); } + + xfree (buffer); } } From 2302e180c010dffe0b792063955938cd3599e8fe Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Tue, 29 Nov 2022 11:58:11 +0100 Subject: [PATCH 25/39] gpg: use iobuf_read for higher detached signing speed * g10/sign.c (sign_file): Use iobuf_read instead of iobuf_get for reading data from detached file. -- This patch reduces iobuf_read per byte processing overhead and speeds up detached signing. Detached signing speed on AMD Ryzen 5800X (4.3GiB file, SHA256): gpg process user time before: 3.951s after: 1.898s (2.0x faster) GnuPG-bug-id: T5826 Signed-off-by: Jussi Kivilinna Backported-from-master: f8943ce098f6f193da791faf43fff823568697d9 Numbers above are given for the version in master but should be similar for here (2.2). --- g10/sign.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
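Review bot: The new loop in do_hash stops only on `-1`, so if iobuf_read reports a read error with the same `-1` it uses for end of stream, the digest is finished silently over a truncated input; the byte loop it replaces had the same property, so this deserves a comment such as `/* iobuf_read returns -1 at EOF; read errors are surfaced by the caller via the iobuf error state. */` unless the caller does not check it, in which case an explicit check belongs here. The buffer size `32768` also appears twice; name it once, e.g. `enum { HASH_BUFSIZE = 32768 };`, and pass it to both `xmalloc` and `iobuf_read`. do_hash's signature and the textmode branch are outside the hunk.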
diff --git a/g10/sign.c b/g10/sign.c index f27231950..17c6bcdf8 100644 --- a/g10/sign.c +++ b/g10/sign.c @@ -1211,8 +1211,8 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr, iobuf_push_filter( inp, text_filter, &tfx ); } iobuf_push_filter( inp, md_filter, &mfx ); - while( iobuf_get(inp) != -1 ) - ; + while (iobuf_read (inp, NULL, 1<<30) != -1 ) + ; iobuf_close(inp); inp = NULL; } if( opt.verbose ) @@ -1220,8 +1220,8 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr, } else { /* read, so that the filter can calculate the digest */ - while( iobuf_get(inp) != -1 ) - ; + while (iobuf_read (inp, NULL, 1<<30) != -1 ) + ; } } else { From cd29ab0435d38dbda7a4aa7a0ed53ffb06460afa Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Mon, 28 Nov 2022 16:57:14 +0900 Subject: [PATCH 26/39] gpg: Fix double-free in gpg --card-edit. * g10/card-util.c (change_name): Don't free ISONAME here. -- Signed-off-by: NIIBE Yutaka --- g10/card-util.c | 1 - 1 file changed, 1 deletion(-) diff --git a/g10/card-util.c b/g10/card-util.c index 25c284e85..cfbe10e75 100644 --- a/g10/card-util.c +++ b/g10/card-util.c @@ -801,7 +801,6 @@ change_name (void) { tty_printf (_("Error: Combined name too long " "(limit is %d characters).\n"), 39); - xfree (isoname); rc = gpg_error (GPG_ERR_TOO_LARGE); goto leave; } From edbe30c1528ca8c5d46a7d2718e3085e55ebde64 Mon Sep 17 00:00:00 2001 
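Review bot: `iobuf_read (inp, NULL, 1<<30)` relies on two conventions that are not visible at the call site — a NULL buffer means "discard the bytes" and `1<<30` is merely "as much as a single call may consume" — and the identical line now appears twice in sign_file with no comment. Suggest `/* Pull the data through md_filter; a NULL buffer discards the bytes. */` above each loop and a named constant in place of `1<<30`. sign_file continues outside both hunks.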
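Review bot: Removing `xfree (isoname)` cures the double free only if the `leave:` label, which lies outside the hunk, releases ISONAME on every path; nothing in the hunk shows that, so a one-line comment at the error site, `/* ISONAME is released at leave. */`, would make the ownership explicit for the next person who adds an early exit. If the label does not already do so, setting `isoname = NULL` after the free there is the usual guard against this class of bug recurring. change_name continues outside the hunk.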
From: Werner Koch Date: Mon, 28 Nov 2022 12:43:11 +0100 Subject: [PATCH 27/39] gpg: New export-filter export-revocs * g10/options.h (EXPORT_REVOCS): New. * g10/export.c (export_select_filter): New. (struct export_filter_attic_s): Add field. (cleanup_export_globals): Cleanup. (parse_export_options): Add option "export-revocs". (parse_and_set_export_filter): Parse the select type. (do_export_revocs): New. (do_export_stream): Add a way to select things for export. -- Backported-from-master: c985b52e71a83d14099f00f80e3588bd3ad28b98 --- doc/gpg.texi | 5 ++ g10/export.c | 128 ++++++++++++++++++++++++++++++++++++++++++++++++-- g10/options.h | 1 + 3 files changed, 129 insertions(+), 5 deletions(-) diff --git a/doc/gpg.texi b/doc/gpg.texi index 1fdb27ae2..fac97c440 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -2611,6 +2611,11 @@ opposite meaning. The options are: to put into DNS zone files. An ORIGIN line is printed before each record to allow diverting the records to the corresponding zone file. + @item export-revocs + Export only standalone revocation certificates of the key. This + option does not export revocations of 3rd party certificate + revocations. + @item export-dane Instead of outputting the key material output OpenPGP DANE records suitable to put into DNS zone files. An ORIGIN line is printed before diff --git a/g10/export.c b/g10/export.c index 8e17df3ed..606f4eb22 100644 --- a/g10/export.c +++ b/g10/export.c @@ -62,15 +62,17 @@ struct export_stats_s }; -/* A global variable to store the selector created from +/* Global variables to store the selectors created from * --export-filter keep-uid=EXPR. * --export-filter drop-subkey=EXPR. + * --export-filter select=EXPR. * * FIXME: We should put this into the CTRL object but that requires a * lot more changes right now. */ static recsel_expr_t export_keep_uid; static recsel_expr_t export_drop_subkey; +static recsel_expr_t export_select_filter; /* An object used for a linked list to implement the 
@@ -80,6 +82,7 @@ struct export_filter_attic_s struct export_filter_attic_s *next; recsel_expr_t export_keep_uid; recsel_expr_t export_drop_subkey; + recsel_expr_t export_select_filter; }; static struct export_filter_attic_s *export_filter_attic; @@ -105,6 +108,8 @@ cleanup_export_globals (void) export_keep_uid = NULL; recsel_release (export_drop_subkey); export_drop_subkey = NULL; + recsel_release (export_select_filter); + export_select_filter = NULL; } @@ -129,6 +134,9 @@ parse_export_options(char *str,unsigned int *options,int noisy) {"export-pka", EXPORT_PKA_FORMAT, NULL, NULL }, {"export-dane", EXPORT_DANE_FORMAT, NULL, NULL }, + {"export-revocs", EXPORT_REVOCS, NULL, + N_("export only revocation certificates") }, + {"backup", EXPORT_BACKUP, NULL, N_("use the GnuPG key backup format")}, {"export-backup", EXPORT_BACKUP, NULL, NULL }, @@ -181,6 +189,8 @@ parse_export_options(char *str,unsigned int *options,int noisy) * * - secret :: 1 for a secret subkey, else 0. * - key_algo :: Public key algorithm id + * + * - select :: The key is only exported if the filter returns true. */ gpg_error_t parse_and_set_export_filter (const char *string) @@ -194,6 +204,8 @@ parse_and_set_export_filter (const char *string) err = recsel_parse_expr (&export_keep_uid, string+9); else if (!strncmp (string, "drop-subkey=", 12)) err = recsel_parse_expr (&export_drop_subkey, string+12); + else if (!strncmp (string, "select=", 7)) + err = recsel_parse_expr (&export_select_filter, string+7); else err = gpg_error (GPG_ERR_INV_NAME); @@ -214,6 +226,8 @@ push_export_filters (void) export_keep_uid = NULL; item->export_drop_subkey = export_drop_subkey; export_drop_subkey = NULL; + item->export_select_filter = export_select_filter; + export_select_filter = NULL; item->next = export_filter_attic; export_filter_attic = item; } 
@@ -232,6 +246,7 @@ pop_export_filters (void)
 cleanup_export_globals ();
 export_keep_uid = item->export_keep_uid;
 export_drop_subkey = item->export_drop_subkey;
+ export_select_filter = item->export_select_filter;
 }
@@ -1885,6 +1900,78 @@ do_export_one_keyblock (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, } +/* Helper for do_export_stream which writes the own revocations + * certificates (if any) from KEYBLOCK to OUT. */ +static gpg_error_t +do_export_revocs (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, + iobuf_t out, unsigned int options, int *any) +{ + gpg_error_t err = 0; + kbnode_t kbctx, node; + PKT_signature *sig; + + (void)ctrl; + + /* NB: walk_kbnode skips packets marked as deleted. */ + for (kbctx=NULL; (node = walk_kbnode (keyblock, &kbctx, 0)); ) + { + if (node->pkt->pkttype != PKT_SIGNATURE) + continue; + sig = node->pkt->pkt.signature; + + /* We are only interested in revocation certifcates. */ + if (!(IS_KEY_REV (sig) || IS_UID_REV (sig) || IS_SUBKEY_REV (sig))) + continue; + + if (!(sig->keyid[0] == keyid[0] && sig->keyid[1] == keyid[1])) + continue; /* Not a self-signature. */ + + /* Do not export signature packets which are marked as not + * exportable. */ + if (!(options & EXPORT_LOCAL_SIGS) + && !sig->flags.exportable) + continue; /* not exportable */ + + /* Do not export packets with a "sensitive" revocation key + * unless the user wants us to. */ + if (!(options & EXPORT_SENSITIVE_REVKEYS) + && sig->revkey) + { + int i; + + for (i = 0; i < sig->numrevkeys; i++) + if ((sig->revkey[i].class & 0x40)) + break; + if (i < sig->numrevkeys) + continue; + } + + if (!sig->flags.checked) + { + log_info ("signature not marked as checked - ignored\n"); + continue; + } + if (!sig->flags.valid) + { + log_info ("signature not not valid - ignored\n"); + continue; + } + + err = build_packet (out, node->pkt); + if (err) + { + log_error ("build_packet(%d) failed: %s\n", + node->pkt->pkttype, gpg_strerror (err)); + goto leave; + } + *any = 1; + } + + leave: + return err; +} + + /* Export the keys identified by the list of strings in USERS to the stream OUT. If SECRET is false public keys will be exported. With secret true secret keys will be exported; in this case 1 means the 
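Review bot: The user-visible message `"signature not not valid - ignored\n"` in do_export_revocs has a doubled word; make it `"signature not valid - ignored\n"` (the comment above it, `certifcates`, wants `certificates`). The `sig->keyid` comparison means only revocations issued by the key itself are written, so a revocation made by a designated revoker is dropped without any diagnostic; a comment at that `continue`, `/* Only self-issued revocations; designated-revoker revocations are not exported here. */`, would tie the code to what the gpg.texi text promises. The function is complete within the hunk.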
@@ -2070,6 +2157,32 @@ do_export_stream (ctrl_t ctrl, iobuf_t out, strlist_t users, int secret, NULL, NULL); commit_kbnode (&keyblock); } + else if (export_keep_uid || export_drop_subkey || export_select_filter) + { + /* Need to merge so that for example the "usage" property + * has been setup. */ + merge_keys_and_selfsig (ctrl, keyblock); + } + + + if (export_select_filter) + { + int selected = 0; + struct impex_filter_parm_s parm; + parm.ctrl = ctrl; + + for (parm.node = keyblock; parm.node; parm.node = parm.node->next) + { + if (recsel_select (export_select_filter, + impex_filter_getval, &parm)) + { + selected = 1; + break; + } + } + if (!selected) + continue; /* Skip this keyblock. */ + } if (export_keep_uid) { @@ -2086,10 +2199,15 @@ do_export_stream (ctrl_t ctrl, iobuf_t out, strlist_t users, int secret, } /* And write it. */ - err = do_export_one_keyblock (ctrl, keyblock, keyid, - out_help? out_help : out, - secret, options, stats, any, - desc, ndesc, descindex, cipherhd); + if ((options & EXPORT_REVOCS)) + err = do_export_revocs (ctrl, keyblock, keyid, + out_help? out_help : out, + options, any); + else + err = do_export_one_keyblock (ctrl, keyblock, keyid, + out_help? out_help : out, + secret, options, stats, any, + desc, ndesc, descindex, cipherhd); if (err) break; diff --git a/g10/options.h b/g10/options.h index 59e04ffef..4917b7055 100644 --- a/g10/options.h +++ b/g10/options.h @@ -390,6 +390,7 @@ EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode; #define EXPORT_PKA_FORMAT (1<<6) #define EXPORT_DANE_FORMAT (1<<7) #define EXPORT_BACKUP (1<<10) +#define EXPORT_REVOCS (1<<11) #define LIST_SHOW_PHOTOS (1<<0) #define LIST_SHOW_POLICY_URLS (1<<1) From deac3e91eb68dd1e1a1d25a68f4f8139f06a56d9 Mon Sep 17 00:00:00 2001 
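Review bot: do_export_revocs skips every signature whose `flags.checked` is unset, yet in this hunk `merge_keys_and_selfsig` runs only when a keep-uid, drop-subkey or select filter is configured (or in the branch above, outside the hunk); if a keyblock fetched from keydb arrives with unchecked signatures, `--export-options export-revocs` without a filter would log "not marked as checked" for each revocation and export nothing — worth confirming. If that is the case, extend the condition to `else if (export_keep_uid || export_drop_subkey || export_select_filter || (options & EXPORT_REVOCS))`. Separately, the select filter is evaluated against every node of the keyblock and one matching node exports the whole key, which the `select ::` line documented earlier in the patch does not say. do_export_stream continues outside the hunk.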
From: Werner Koch Date: Tue, 29 Nov 2022 10:43:54 +0100 Subject: [PATCH 28/39] wkd: Make use of --debug extprog. * tools/wks-util.c (debug_gpg_invocation): New. (get_key_status_cb): Enable debug output. (wks_get_key): Show gpg invocation. (wks_list_key): Ditto. (wks_filter_uid): Ditto. --- tools/wks-util.c | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/tools/wks-util.c b/tools/wks-util.c index 3044fe2f8..3626c66b9 100644 --- a/tools/wks-util.c +++ b/tools/wks-util.c @@ -150,6 +150,21 @@ free_uidinfo_list (uidinfo_list_t list) } +static void +debug_gpg_invocation (const char *func, const char **argv) +{ + int i; + + if (!(opt.debug & DBG_EXTPROG_VALUE)) + return; + + log_debug ("%s: exec '%s' with", func, opt.gpg_program); + for (i=0; argv[i]; i++) + log_printf (" '%s'", argv[i]); + log_printf ("\n"); +} + + struct get_key_status_parm_s { @@ -164,7 +179,8 @@ get_key_status_cb (void *opaque, const char *keyword, char *args) { struct get_key_status_parm_s *parm = opaque; - /*log_debug ("%s: %s\n", keyword, args);*/ + if (DBG_CRYPTO) + log_debug ("%s: %s\n", keyword, args); if (!strcmp (keyword, "EXPORTED")) { parm->count++; @@ -239,6 +255,7 @@ wks_get_key (estream_t *r_key, const char *fingerprint, const char *addrspec, goto leave; } parm.fpr = fingerprint; + debug_gpg_invocation (__func__, argv); err = gnupg_exec_tool_stream (opt.gpg_program, argv, NULL, NULL, key, get_key_status_cb, &parm); @@ -332,6 +349,7 @@ wks_list_key (estream_t key, char **r_fpr, uidinfo_list_t *r_mboxes) err = gpg_error_from_syserror (); goto leave; } + debug_gpg_invocation (__func__, argv); err = gnupg_exec_tool_stream (opt.gpg_program, argv, key, NULL, listing, key_status_cb, NULL); @@ -510,6 +528,7 @@ wks_filter_uid (estream_t *r_newkey, estream_t key, const char *uid, err = gpg_error_from_syserror (); goto leave; } + debug_gpg_invocation (__func__, argv); err = gnupg_exec_tool_stream (opt.gpg_program, argv, key, NULL, newkey, key_status_cb, NULL); 
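Review bot: `get_key_status_cb` gates its new debug line on `DBG_CRYPTO`, whereas `debug_gpg_invocation` tests `opt.debug & DBG_EXTPROG_VALUE` by hand; the status lines describe the external gpg run, so the extprog category looks like the intended gate for both, and if a `DBG_EXTPROG` macro exists next to `DBG_CRYPTO` it should be used in both places for consistency. The new helper also lacks a header; suggest `/* Log the gpg program and its argument vector when --debug extprog is active. */`. The callbacks' enclosing functions are outside the hunk.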
From 2f4492f3be6a6b9d553da07705a1b5cd48aee80b Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Tue, 29 Nov 2022 16:47:44 +0100 Subject: [PATCH 29/39] wkd: New option --add-revocs and some fixes. * tools/gpg-wks.h (opt): Add add_revocs. * tools/wks-util.c (wks_get_key): Add arg 'binary'. (wks_armor_key): New. (wks_find_add_revocs): New. (wks_cmd_install_key): Get key in binary mode and add revocations if enabled. * tools/gpg-wks-client.c (oAddRevocs): New. (opts): Add --add-revocs. (parse_arguments): Set option, (command_send): Get key in binary mode, add revocations if enabled, and explictly armor key. Remove kludge to skip the Content-type line in no_encrypt mode. (mirror_one_keys_userid): Always filter the key to get rid of the armor as received from dirmngr. Add revocations from the local keyring. -- Note that this also fixes an oddity of the new mirror command which used to store the keys armored as received from dirmngr. --- doc/wks.texi | 8 +++ tools/gpg-wks-client.c | 104 ++++++++++++++++++++-------- tools/gpg-wks.h | 6 +- tools/wks-util.c | 151 +++++++++++++++++++++++++++++++++++++++-- 4 files changed, 232 insertions(+), 37 deletions(-) diff --git a/doc/wks.texi b/doc/wks.texi index e398ccb4a..897d30d0c 100644 --- a/doc/wks.texi +++ b/doc/wks.texi @@ -222,6 +222,14 @@ operation. The format of @var{file} is one mail address (just the addrspec, e.g. "postel@@isi.edu") per line. Empty lines and lines starting with a '#' are ignored. +@item --add-revocs +@opindex add-revocs +If enabled append revocation certificates for the same addrspec as +used in the WKD to the key. Modern gpg version are able to import and +apply them for existing keys. Note that when used with the +@option{--mirror} command the revocation are searched in the local +keyring and not in an LDAP directory. + @item --verbose @opindex verbose Enable extra informational output. diff --git a/tools/gpg-wks-client.c b/tools/gpg-wks-client.c index 3aa8f98c4..45c14bc55 100644 
--- a/tools/gpg-wks-client.c +++ b/tools/gpg-wks-client.c @@ -74,6 +74,7 @@ enum cmd_and_opt_values oWithColons, oBlacklist, oNoAutostart, + oAddRevocs, oDummy }; @@ -100,9 +101,9 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_c (aRemoveKey, "remove-key", "remove a key from a directory"), ARGPARSE_c (aPrintWKDHash, "print-wkd-hash", - "Print the WKD identifier for the given user ids"), + "print the WKD identifier for the given user ids"), ARGPARSE_c (aPrintWKDURL, "print-wkd-url", - "Print the WKD URL for the given user id"), + "print the WKD URL for the given user id"), ARGPARSE_group (301, ("@\nOptions:\n ")), @@ -117,6 +118,7 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_s_n (oWithColons, "with-colons", "@"), ARGPARSE_s_s (oBlacklist, "blacklist", "@"), ARGPARSE_s_s (oDirectory, "directory", "@"), + ARGPARSE_s_n (oAddRevocs, "add-revocs", "add revocation certificates"), ARGPARSE_s_s (oFakeSubmissionAddr, "fake-submission-addr", "@"), @@ -254,6 +256,9 @@ parse_arguments (ARGPARSE_ARGS *pargs, ARGPARSE_OPTS *popts) case oBlacklist: add_blacklist (pargs->r.ret_str); break; + case oAddRevocs: + opt.add_revocs = 1; + break; case aSupported: case aCreate: @@ -1145,7 +1150,7 @@ command_send (const char *fingerprint, const char *userid) err = gpg_error (GPG_ERR_INV_USER_ID); goto leave; } - err = wks_get_key (&key, fingerprint, addrspec, 0); + err = wks_get_key (&key, fingerprint, addrspec, 0, 1); if (err) goto leave; @@ -1213,7 +1218,7 @@ command_send (const char *fingerprint, const char *userid) estream_t newkey; es_rewind (key); - err = wks_filter_uid (&newkey, key, thisuid->uid, 0); + err = wks_filter_uid (&newkey, key, thisuid->uid, 1); if (err) { log_error ("error filtering key: %s\n", gpg_strerror (err)); 
@@ -1238,11 +1243,47 @@ command_send (const char *fingerprint, const char *userid) * the key again. */ es_fclose (key); key = NULL; - err = wks_get_key (&key, fingerprint, addrspec, 1); + err = wks_get_key (&key, fingerprint, addrspec, 1, 1); if (err) goto leave; } + if (opt.add_revocs) + { + if (es_fseek (key, 0, SEEK_END)) + { + err = gpg_error_from_syserror (); + log_error ("error seeking stream: %s\n", gpg_strerror (err)); + goto leave; + } + err = wks_find_add_revocs (key, addrspec); + if (err) + { + log_error ("error finding revocations for '%s': %s\n", + addrspec, gpg_strerror (err)); + goto leave; + } + } + + + /* Now put the armor around the key. */ + { + estream_t newkey; + + es_rewind (key); + err = wks_armor_key (&newkey, key, + no_encrypt? NULL + /* */ : ("Content-Type: application/pgp-keys\n" + "\n")); + if (err) + { + log_error ("error armoring key: %s\n", gpg_strerror (err)); + goto leave; + } + es_fclose (key); + key = newkey; + } + /* Hack to support posteo but let them disable this by setting the * new policy-version flag. */ if (policy->protocol_version < 3 @@ -1287,7 +1328,7 @@ command_send (const char *fingerprint, const char *userid) if (no_encrypt) { void *data; - size_t datalen, n; + size_t datalen; if (posteo_hack) { @@ -1312,16 +1353,7 @@ command_send (const char *fingerprint, const char *userid) goto leave; } key = NULL; - /* We need to skip over the first line which has a content-type - * header not needed here. */ - for (n=0; n < datalen ; n++) - if (((const char *)data)[n] == '\n') - { - n++; - break; - } - - err = mime_maker_add_body_data (mime, (char*)data + n, datalen - n); + err = mime_maker_add_body_data (mime, data, datalen); xfree (data); if (err) goto leave; 
@@ -1808,7 +1840,7 @@ domain_matches_mbox (const char *domain, const char *mbox) /* Core of mirror_one_key with the goal of mirroring just one uid. * UIDLIST is used to figure out whether the given MBOX occurs several - * times in UIDLIST and then to single out the newwest one. This is + * times in UIDLIST and then to single out the newest one. This is * so that for a key with * uid: Joe Someone * uid: Joe @@ -1849,24 +1881,36 @@ mirror_one_keys_userid (estream_t key, const char *mbox, uidinfo_list_t uidlist, err = gpg_error (GPG_ERR_NO_USER_ID); goto leave; } - /* FIXME: Consult blacklist. */ - - /* Only if we have more than one user id we bother to run the - * filter. In this case the result will be put into NEWKEY*/ + /* Always filter the key so that the result will be non-armored. */ es_rewind (key); - if (uidlist->next) + err = wks_filter_uid (&newkey, key, thisuid->uid, 1); + if (err) { - err = wks_filter_uid (&newkey, key, thisuid->uid, 0); - if (err) - { - log_error ("error filtering key %s: %s\n", fpr, gpg_strerror (err)); - err = gpg_error (GPG_ERR_NO_PUBKEY); - goto leave; - } + log_error ("error filtering key %s: %s\n", fpr, gpg_strerror (err)); + err = gpg_error (GPG_ERR_NO_PUBKEY); + goto leave; } - err = wks_install_key_core (newkey? newkey : key, mbox); + if (opt.add_revocs) + { + if (es_fseek (newkey, 0, SEEK_END)) + { + err = gpg_error_from_syserror (); + log_error ("error seeking stream: %s\n", gpg_strerror (err)); + goto leave; + } + err = wks_find_add_revocs (newkey, mbox); + if (err) + { + log_error ("error finding revocations for '%s': %s\n", + mbox, gpg_strerror (err)); + goto leave; + } + es_rewind (newkey); + } + + err = wks_install_key_core (newkey, mbox); if (opt.verbose) log_info ("key %s published for '%s'\n", fpr, mbox); mirror_one_key_parm.nuids++; diff --git a/tools/gpg-wks.h b/tools/gpg-wks.h index 32aa8c328..59a0aca74 100644 --- a/tools/gpg-wks.h +++ b/tools/gpg-wks.h 
@@ -39,6 +39,7 @@ struct int use_sendmail; int with_colons; int no_autostart; + int add_revocs; const char *output; const char *gpg_program; const char *directory; @@ -91,11 +92,14 @@ void wks_set_status_fd (int fd); void wks_write_status (int no, const char *format, ...) GPGRT_ATTR_PRINTF(2,3); void free_uidinfo_list (uidinfo_list_t list); gpg_error_t wks_get_key (estream_t *r_key, const char *fingerprint, - const char *addrspec, int exact); + const char *addrspec, int exact, int binary); gpg_error_t wks_list_key (estream_t key, char **r_fpr, uidinfo_list_t *r_mboxes); gpg_error_t wks_filter_uid (estream_t *r_newkey, estream_t key, const char *uid, int binary); +gpg_error_t wks_armor_key (estream_t *r_newkey, estream_t key, + const char *prefix); +gpg_error_t wks_find_add_revocs (estream_t key, const char *addrspec); gpg_error_t wks_send_mime (mime_maker_t mime); gpg_error_t wks_parse_policy (policy_flags_t flags, estream_t stream, int ignore_unknown); diff --git a/tools/wks-util.c b/tools/wks-util.c index 3626c66b9..91a4a7da8 100644 --- a/tools/wks-util.c +++ b/tools/wks-util.c @@ -193,10 +193,11 @@ get_key_status_cb (void *opaque, const char *keyword, char *args) * mail address ADDRSPEC is included in the key. If EXACT is set the * returned user id must match Addrspec exactly and not just in the * addr-spec (mailbox) part. The key is returned as a new memory - * stream at R_KEY. */ + * stream at R_KEY. If BINARY is set the returned key is + * non-armored. */ gpg_error_t wks_get_key (estream_t *r_key, const char *fingerprint, const char *addrspec, - int exact) + int exact, int binary) { gpg_error_t err; ccparray_t ccp; 
@@ -218,8 +219,9 @@ wks_get_key (estream_t *r_key, const char *fingerprint, const char *addrspec, } /* Prefix the key with the MIME content type. */ - es_fputs ("Content-Type: application/pgp-keys\n" - "\n", key); + if (!binary) + es_fputs ("Content-Type: application/pgp-keys\n" + "\n", key); filterexp = es_bsprintf ("keep-uid=%s= %s", exact? "uid":"mbox", addrspec); if (!filterexp) @@ -239,7 +241,8 @@ wks_get_key (estream_t *r_key, const char *fingerprint, const char *addrspec, ccparray_put (&ccp, "--batch"); ccparray_put (&ccp, "--status-fd=2"); ccparray_put (&ccp, "--always-trust"); - ccparray_put (&ccp, "--armor"); + if (!binary) + ccparray_put (&ccp, "--armor"); ccparray_put (&ccp, "--export-options=export-minimal"); ccparray_put (&ccp, "--export-filter"); ccparray_put (&ccp, filterexp); 
@@ -550,6 +553,124 @@ wks_filter_uid (estream_t *r_newkey, estream_t key, const char *uid, } +/* Put the ascii-armor around KEY and return that as a new estream + * object at R_NEWKEY. Caller must make sure that KEY has been seeked + * to the right position (usually by calling es_rewind). The + * resulting NEWKEY has already been rewound. If PREFIX is not NULL, + * its content is written to NEWKEY propr to the armor; this may be + * used for MIME headers. */ +gpg_error_t +wks_armor_key (estream_t *r_newkey, estream_t key, const char *prefix) +{ + gpg_error_t err; + estream_t newkey; + struct b64state b64state; + char buffer[4096]; + size_t nread; + + *r_newkey = NULL; + + newkey = es_fopenmem (0, "w+b"); + if (!newkey) + { + err = gpg_error_from_syserror (); + return err; + } + + if (prefix) + es_fputs (prefix, newkey); + + err = b64enc_start_es (&b64state, newkey, "PGP PUBLIC KEY BLOCK"); + if (err) + goto leave; + + do + { + nread = es_fread (buffer, 1, sizeof buffer, key); + if (!nread) + break; + err = b64enc_write (&b64state, buffer, nread); + if (err) + goto leave; + } + while (!es_feof (key) && !es_ferror (key)); + if (!es_feof (key) || es_ferror (key)) + { + err = gpg_error_from_syserror (); + goto leave; + } + + err = b64enc_finish (&b64state); + if (err) + goto leave; + + es_rewind (newkey); + *r_newkey = newkey; + newkey = NULL; + + leave: + es_fclose (newkey); + return err; +} + + +/* Run gpg to export the revocation certificates for ADDRSPEC. Add + * them to KEY which is expected to be non-armored keyblock. 
*/ +gpg_error_t +wks_find_add_revocs (estream_t key, const char *addrspec) +{ + gpg_error_t err; + ccparray_t ccp; + const char **argv = NULL; + char *filterexp = NULL; + + filterexp = es_bsprintf ("select=mbox= %s", addrspec); + if (!filterexp) + { + err = gpg_error_from_syserror (); + log_error ("error allocating memory buffer: %s\n", gpg_strerror (err)); + goto leave; + } + + ccparray_init (&ccp, 0); + + ccparray_put (&ccp, "--no-options"); + if (opt.verbose < 2) + ccparray_put (&ccp, "--quiet"); + else + ccparray_put (&ccp, "--verbose"); + ccparray_put (&ccp, "--batch"); + ccparray_put (&ccp, "--status-fd=2"); + ccparray_put (&ccp, "--export-options=export-revocs"); + ccparray_put (&ccp, "--export-filter"); + ccparray_put (&ccp, filterexp); + ccparray_put (&ccp, "--export"); + ccparray_put (&ccp, addrspec); + + ccparray_put (&ccp, NULL); + argv = ccparray_get (&ccp, NULL); + if (!argv) + { + err = gpg_error_from_syserror (); + goto leave; + } + debug_gpg_invocation (__func__, argv); + err = gnupg_exec_tool_stream (opt.gpg_program, argv, NULL, + NULL, key, + key_status_cb, NULL); + if (err) + { + log_error ("exporting revocs failed: %s\n", gpg_strerror (err)); + goto leave; + } + + leave: + xfree (filterexp); + xfree (argv); + return err; +} + + /* Helper to write mail to the output(s). */ gpg_error_t wks_send_mime (mime_maker_t mime) @@ -1122,7 +1243,7 @@ wks_cmd_install_key (const char *fname, const char *userid) { /* FNAME looks like a fingerprint. Get the key from the * standard keyring. */ - err = wks_get_key (&fp, fname, addrspec, 0); + err = wks_get_key (&fp, fname, addrspec, 0, 1); if (err) { log_error ("error getting key '%s' (uid='%s'): %s\n", 
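Review bot: wks_find_add_revocs hands ADDRSPEC to gpg as a bare positional pattern after `--export`, which gpg treats as a substring search across all user ids, and if the local part ever begins with `-` (legal in an addr-spec) gpg would read it as an option; passing the exact-mailbox search form instead, `es_bsprintf ("<%s>", addrspec)` as the argument after `--export`, avoids both while the `select=mbox=` filter still restricts the result. In wks_armor_key, in the same hunk, the error exits taken after `b64enc_start_es` succeeded never reach `b64enc_finish`, so any state the encoder allocated (the title, if b64enc keeps a copy) is left behind — worth checking against common/b64enc.c; its header comment also reads `propr to the armor` for `prior to the armor`. Both functions are complete within the hunk.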
@@ -1194,6 +1315,24 @@ wks_cmd_install_key (const char *fname, const char *userid) fp = fp2; } + if (opt.add_revocs) + { + if (es_fseek (fp, 0, SEEK_END)) + { + err = gpg_error_from_syserror (); + log_error ("error seeking stream: %s\n", gpg_strerror (err)); + goto leave; + } + err = wks_find_add_revocs (fp, addrspec); + if (err) + { + log_error ("error finding revocations for '%s': %s\n", + addrspec, gpg_strerror (err)); + goto leave; + } + es_rewind (fp); + } + err = wks_install_key_core (fp, addrspec); if (!opt.quiet) log_info ("key %s published for '%s'\n", fpr, addrspec); From d9271d594b5b81cc4242de141ef99767390e83a5 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Mon, 5 Dec 2022 14:31:45 +0100 Subject: [PATCH 30/39] gpgsm: Silence the "non-critical certificate policy not allowed". * sm/certchain.c (check_cert_policy): Print non-critical policy warning only in verbose mode. (cherry picked from commit 4f1b9e3abb337470e5e4809b3a7f2df33f5a63a4) --- sm/certchain.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sm/certchain.c b/sm/certchain.c index d2a180062..ba9f3ff83 100644 --- a/sm/certchain.c +++ b/sm/certchain.c @@ -350,7 +350,7 @@ check_cert_policy (ksba_cert_t cert, int listmode, estream_t fplist) /* With no critical policies this is only a warning */ if (!any_critical) { - if (!opt.quiet) + if (opt.verbose) do_list (0, listmode, fplist, _("Note: non-critical certificate policy not allowed")); return 0; @@ -380,7 +380,8 @@ check_cert_policy (ksba_cert_t cert, int listmode, estream_t fplist) /* With no critical policies this is only a warning */ if (!any_critical) { - do_list (0, listmode, fplist, + if (opt.verbose) + do_list (0, listmode, fplist, _("Note: non-critical certificate policy not allowed")); return 0; } From 115cc4d37c184e90100407b57d170259adf18b6c Mon Sep 17 00:00:00 2001 
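Review bot: wks_cmd_install_key now carries the same fseek / wks_find_add_revocs / es_rewind block that this patch also adds to command_send and mirror_one_keys_userid in gpg-wks-client.c; moving the seek and rewind into a helper next to wks_find_add_revocs (declared in gpg-wks.h) leaves each caller with one call and one place to fix. The helper below keeps the existing log messages. wks_cmd_install_key continues outside the hunk.
```c
/* Append the revocation certificates for ADDRSPEC to the non-armored
 * key in KEY and leave KEY rewound.  Errors are logged here so the
 * callers only need to propagate them.  */
gpg_error_t
wks_append_revocs (estream_t key, const char *addrspec)
{
  gpg_error_t err;

  if (es_fseek (key, 0, SEEK_END))
    {
      err = gpg_error_from_syserror ();
      log_error ("error seeking stream: %s\n", gpg_strerror (err));
      return err;
    }
  err = wks_find_add_revocs (key, addrspec);
  if (err)
    {
      log_error ("error finding revocations for '%s': %s\n",
                 addrspec, gpg_strerror (err));
      return err;
    }
  es_rewind (key);
  return 0;
}

/* … in wks_cmd_install_key, replacing the added block … */
  if (opt.add_revocs)
    {
      err = wks_append_revocs (fp, addrspec);
      if (err)
        goto leave;
    }
```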
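Review bot: Both hunks demote the note to `--verbose`, but each branch still `return 0`, so a certificate whose non-critical policy is absent from the allowed list is now accepted with no output at the default level; that is a deliberate relaxation of what the user sees, and a comment at the two `if (!any_critical)` branches would keep it visible, e.g. `/* Not critical: the certificate is accepted; the mismatch is reported only with --verbose. */`. check_cert_policy extends beyond both hunks.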
From: Werner Koch Date: Tue, 6 Dec 2022 09:23:16 +0100 Subject: [PATCH 31/39] wkd: Do not send/install/mirror expired user ids. * tools/gpg-wks.h (struct uidinfo_list_s): Add fields expired and revoked. * tools/wks-util.c (append_to_uidinfo_list): Add args expired and revoked. (set_expired_revoked): New. (wks_list_key): Set expired and revoked. (wks_cmd_install_key): Skip expired uids. * tools/gpg-wks-client.c (command_check): Print flags. (command_send): Ignore expired keys. (mirror_one_key): Ditto. * g10/export.c (do_export_stream): Silence warning. -- GnuPG-bug-id: 6292 Backported-from-master: 278f85d1bc6cd012b3b2e87536e50954b21d2d91 --- g10/export.c | 4 ++-- tools/gpg-wks-client.c | 22 ++++++++++++++++++ tools/gpg-wks.h | 2 ++ tools/wks-util.c | 52 +++++++++++++++++++++++++++++++++++++----- 4 files changed, 72 insertions(+), 8 deletions(-) diff --git a/g10/export.c b/g10/export.c index 606f4eb22..ddd94cf05 100644 --- a/g10/export.c +++ b/g10/export.c @@ -2250,8 +2250,8 @@ do_export_stream (ctrl_t ctrl, iobuf_t out, strlist_t users, int secret, keydb_release (kdbhd); if (err || !keyblock_out) release_kbnode( keyblock ); - if( !*any ) - log_info(_("WARNING: nothing exported\n")); + if( !*any && !opt.quiet) + log_info (_("WARNING: nothing exported\n")); return err; } diff --git a/tools/gpg-wks-client.c b/tools/gpg-wks-client.c index 45c14bc55..2139011e0 100644 --- a/tools/gpg-wks-client.c +++ b/tools/gpg-wks-client.c @@ -1095,6 +1095,9 @@ command_check (char *userid) log_info (" created: %s\n", asctimestamp (sl->created)); if (sl->mbox) log_info (" addr-spec: %s\n", sl->mbox); + if (sl->expired || sl->revoked) + log_info (" flags:%s%s\n", + sl->expired? " expired":"", sl->revoked?" revoked":""); } } if (!found) @@ -1133,6 +1136,7 @@ command_send (const char *fingerprint, const char *userid) uidinfo_list_t uidlist = NULL; uidinfo_list_t uid, thisuid; time_t thistime; + int any; if (classify_user_id (fingerprint, &desc, 1) || !(desc.mode == KEYDB_SEARCH_MODE_FPR 
@@ -1194,12 +1198,20 @@ command_send (const char *fingerprint, const char *userid) } thistime = 0; thisuid = NULL; + any = 0; for (uid = uidlist; uid; uid = uid->next) { if (!uid->mbox) continue; /* Should not happen anyway. */ if (policy->mailbox_only && ascii_strcasecmp (uid->uid, uid->mbox)) continue; /* UID has more than just the mailbox. */ + if (uid->expired) + { + if (opt.verbose) + log_info ("ignoring expired user id '%s'\n", uid->uid); + continue; + } + any = 1; if (uid->created > thistime) { thistime = uid->created; @@ -1208,6 +1220,14 @@ command_send (const char *fingerprint, const char *userid) } if (!thisuid) thisuid = uidlist; /* This is the case for a missing timestamp. */ + if (!any) + { + log_error ("public key %s has no mail address '%s'\n", + fingerprint, addrspec); + err = gpg_error (GPG_ERR_INV_USER_ID); + goto leave; + } + if (opt.verbose) log_info ("submitting key with user id '%s'\n", thisuid->uid); @@ -1949,6 +1969,8 @@ mirror_one_key (estream_t key) { if (!uid->mbox || (uid->flags & 1)) continue; /* No mail box or already processed. */ + if (uid->expired) + continue; if (!domain_matches_mbox (domain, uid->mbox)) continue; /* We don't want this one. */ if (is_in_blacklist (uid->mbox)) diff --git a/tools/gpg-wks.h b/tools/gpg-wks.h index 59a0aca74..a7c17ca52 100644 --- a/tools/gpg-wks.h +++ b/tools/gpg-wks.h @@ -81,6 +81,8 @@ struct uidinfo_list_s time_t created; /* Time the userid was created. */ char *mbox; /* NULL or the malloced mailbox from UID. */ unsigned int flags; /* These flags are cleared on creation. */ + unsigned int expired:1; + unsigned int revoked:1; char uid[1]; }; typedef struct uidinfo_list_s *uidinfo_list_t; diff --git a/tools/wks-util.c b/tools/wks-util.c index 91a4a7da8..2e8541491 100644 --- a/tools/wks-util.c +++ b/tools/wks-util.c 
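Review bot: The fallback `if (!thisuid) thisuid = uidlist;` in command_send still selects the first list entry when no accepted user id carried a timestamp, and that entry may be one the loop just rejected as expired, without an mbox, or failing the mailbox-only policy; choosing the first accepted uid inside the loop, `if (!thisuid || uid->created > thistime)`, and dropping the fallback avoids that. `uid->revoked` is now recorded but never consulted here, so a revoked but unexpired user id is still submitted — if that is intended so the revocation reaches the WKD, a comment saying so would help. The error `"public key %s has no mail address '%s'"` is also emitted when the address exists but every matching user id is expired; a distinct message would save debugging time. command_send continues outside the hunk.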
@@ -101,7 +101,8 @@ wks_write_status (int no, const char *format, ...) * updated. C-style escaping is removed from UID. On error ERRNO is * set and NULL returned. */ static uidinfo_list_t -append_to_uidinfo_list (uidinfo_list_t *list, const char *uid, time_t created) +append_to_uidinfo_list (uidinfo_list_t *list, const char *uid, time_t created, + int expired, int revoked) { uidinfo_list_t r, sl; char *plainuid; @@ -121,6 +122,8 @@ append_to_uidinfo_list (uidinfo_list_t *list, const char *uid, time_t created) sl->created = created; sl->flags = 0; sl->mbox = mailbox_from_userid (plainuid); + sl->expired = !!expired; + sl->revoked = !!revoked; sl->next = NULL; if (!*list) *list = sl; @@ -296,6 +299,22 @@ key_status_cb (void *opaque, const char *keyword, char *args) } +/* Parse field 1 and set revoked and expired on return. */ +static void +set_expired_revoked (const char *string, int *expired, int *revoked) +{ + *expired = *revoked = 0; + /* Look at letters and stop at the first digit. */ + for ( ;*string && !digitp (string); string++) + { + if (*string == 'e') + *expired = 1; + else if (*string == 'r') + *revoked = 1; + } +} + + /* Run gpg on KEY and store the primary fingerprint at R_FPR and the * list of mailboxes at R_MBOXES. Returns 0 on success; on error NULL * is stored at R_FPR and R_MBOXES and an error code is returned. @@ -316,6 +335,7 @@ wks_list_key (estream_t key, char **r_fpr, uidinfo_list_t *r_mboxes) int lnr; char *fpr = NULL; uidinfo_list_t mboxes = NULL; + int expired, revoked; if (r_fpr) *r_fpr = NULL; @@ -364,6 +384,7 @@ wks_list_key (estream_t key, char **r_fpr, uidinfo_list_t *r_mboxes) es_rewind (listing); lnr = 0; + expired = revoked = 0; maxlen = 2048; /* Set limit. */ while ((len = es_read_line (listing, &line, &length_of_line, &maxlen)) > 0) { 
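Review bot: The comment block above append_to_uidinfo_list, whose tail (`On error ERRNO is set and NULL returned.`) is the hunk's context, still describes only LIST, UID and CREATED, while the signature now takes EXPIRED and REVOKED as well. A sentence such as `EXPIRED and REVOKED are stored as boolean flags in the new item.` keeps the contract current; the `!!` normalisation in the second hunk makes that true for any non-zero int. The rest of the function is outside the hunk.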
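Review bot: set_expired_revoked's header comment says `Parse field 1` but not what that field is, and the loop stops at the first digit without saying why, which a reader of gpg's colon listing format will wonder about. Suggest a comment along the lines of `STRING is the validity field (field 1, zero-based) of a "pub" or "uid" line from gpg --with-colons; 'e' marks expired and 'r' revoked. Scanning stops at the first digit so that trailing numeric data is never mistaken for a flag.` — hedged, since the digit stop may instead be a guard against a mis-split line, in which case say that. The other validity letters ('i', 'd') are ignored here; if that is intended it deserves one clause in the same comment.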
@@ -408,12 +429,20 @@ wks_list_key (estream_t key, char **r_fpr, uidinfo_list_t *r_mboxes) err = gpg_error (GPG_ERR_INV_ENGINE); goto leave; } - if (lnr > 1 && !strcmp (fields[0], "pub")) + if (!strcmp (fields[0], "pub")) { - /* More than one public key. */ - err = gpg_error (GPG_ERR_TOO_MANY); - goto leave; + if (lnr > 1) + { + /* More than one public key. */ + err = gpg_error (GPG_ERR_TOO_MANY); + goto leave; + } + if (nfields > 1) + set_expired_revoked (fields[1], &expired, &revoked); + else + expired = revoked = 0; } + if (!strcmp (fields[0], "sub") || !strcmp (fields[0], "ssb")) break; /* We can stop parsing here. */ @@ -428,8 +457,13 @@ wks_list_key (estream_t key, char **r_fpr, uidinfo_list_t *r_mboxes) } else if (!strcmp (fields[0], "uid") && nfields > 9) { + int uidexpired, uidrevoked; + + set_expired_revoked (fields[1], &uidexpired, &uidrevoked); if (!append_to_uidinfo_list (&mboxes, fields[9], - parse_timestamp (fields[5], NULL))) + parse_timestamp (fields[5], NULL), + expired || uidexpired, + revoked || uidrevoked)) { err = gpg_error_from_syserror (); goto leave; @@ -1280,6 +1314,12 @@ wks_cmd_install_key (const char *fname, const char *userid) continue; /* Should not happen anyway. */ if (ascii_strcasecmp (uid->mbox, addrspec)) continue; /* Not the requested addrspec. */ + if (uid->expired) + { + if (opt.verbose) + log_info ("ignoring expired user id '%s'\n", uid->uid); + continue; + } any = 1; if (uid->created > thistime) { From bcd3a5c3655ca5a76cb5fbdfe7e647430ce54fe9 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Tue, 6 Dec 2022 10:05:53 +0100 Subject: [PATCH 32/39] doc: Prepare NEWS -- --- NEWS | 12 ++++++++++++ README | 11 +++++------ 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/NEWS b/NEWS index a778ac1c0..7349d63d8 100644 --- a/NEWS +++ b/NEWS 
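Review bot: The `else expired = revoked = 0;` branch in the restructured "pub" case only repeats the initialisation done before the loop (`expired = revoked = 0;` in the earlier hunk), because a second pub line has already been rejected with GPG_ERR_TOO_MANY just above it. It is harmless, but it reads as if a pub line could recur; either drop it or add `/* First and only pub line. */` so the intent is clear. wks_list_key's loop starts and ends outside this hunk.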
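Review bot: The call `append_to_uidinfo_list (..., expired || uidexpired, revoked || uidrevoked)` merges the key-level flags taken from the "pub" line into every user id, which is the right policy but not obvious at the call site. A one-line comment such as `/* A flag on the primary key applies to all of its user ids. */` above `set_expired_revoked (fields[1], &uidexpired, &uidrevoked);` would save the next reader from tracing `expired` back to the pub branch in the previous hunk. The surrounding loop of wks_list_key starts and ends outside this hunk.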
@@ -10,8 +10,20 @@ Noteworthy changes in version 2.2.41 (unreleased) * gpg: Report an error via status-fd for receiving a key from the agent. [T5151] + * gpg: Make --require-compliance work without the --status-fd + option. [r11f3232716] + + * gpg: Improve signature verification speed by a factor of more than + four. Double detached signing speed. [T5826] + + * gpg: New --export-filter export-revocs. [rGedbe30c152] + * scd: Support the Telesec Signature Card v2.0. [T6252] + * wkd: New option --add-revocs for gpg-wks-client. [rG2f4492f3be] + + * wkd: Ignore expired user-ids in gpg-wks-client. [T6292] + * Fix build regression depending on libgpg-error version. [T6244] Release-info: https://dev.gnupg.org/T6280 diff --git a/README b/README index 1ff3f5f67..4f69df9e9 100644 --- a/README +++ b/README @@ -1,6 +1,6 @@ - The GNU Privacy Guard 2 - ========================= - Version 2.2 + The GNU Privacy Guard + ======================= + Version 2.2 (LTS) Copyright 1997-2019 Werner Koch Copyright 1998-2021 Free Software Foundation, Inc. @@ -25,9 +25,8 @@ can be freely used, modified and distributed under the terms of the GNU General Public License. - Note that the 2.0 series of GnuPG reached end-of-life on 2017-12-31. - It is not possible to install a 2.2.x version along with any 2.0.x - version. + Note that the 2.2 series of GnuPG is our current long term support + branch. The regular stable series is 2.3 (will be renamed to 2.4). * BUILD INSTRUCTIONS From 8346ebf168edf2015e441745e7f085a622e64375 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Tue, 6 Dec 2022 12:33:25 +0100 Subject: [PATCH 33/39] speedo: Introduce the OVERRIDE_TARBALLS feature -- --- build-aux/speedo.mk | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/build-aux/speedo.mk b/build-aux/speedo.mk index a274fefff..433dc9973 100644 --- a/build-aux/speedo.mk +++ b/build-aux/speedo.mk 
@@ -80,6 +80,9 @@ # AUTHENTICODE_KEY=/home/foo/.gnupg/my-authenticode-key.p12 # AUTHENTICODE_CERTS=/home/foo/.gnupg/my-authenticode-certs.pem # +# If a tarball has not been published while building a release it +# may be stored in a directory specified by: +# OVERRIDE_TARBALLS=/home/foo/override-tarballs #--8<---------------cut here---------------end--------------->8--- @@ -246,6 +249,7 @@ $(eval $(call READ_AUTOGEN_template,AUTHENTICODE_CERTS)) $(eval $(call READ_AUTOGEN_template,OSSLSIGNCODE)) $(eval $(call READ_AUTOGEN_template,OSSLPKCS11ENGINE)) $(eval $(call READ_AUTOGEN_template,SCUTEMODULE)) +$(eval $(call READ_AUTOGEN_template,OVERRIDE_TARBALLS)) # All files given in AUTHENTICODE_FILES are signed before # they are put into the installer. @@ -999,6 +1003,13 @@ $(stampdir)/stamp-$(1)-00-unpack: $(stampdir)/stamp-directories cd "$$$${pkg}"; \ AUTOGEN_SH_SILENT=1 ./autogen.sh; \ elif [ -n "$$$${tar}" ]; then \ + tar2="$(OVERRIDE_TARBALLS)/$$$$(basename $$$${tar})";\ + if [ -f "$$$${tar2}" ]; then \ + tar="$$$$tar2"; \ + echo "speedo: /*"; \ + echo "speedo: * Note: using an override"; \ + echo "speedo: */"; \ + fi; \ echo "speedo: unpacking $(1) from $$$${tar}"; \ case "$$$${tar}" in \ *.gz) pretar=zcat ;; \ From 11d3114e1a86dd6ff5e054ac457bdc41710c773b Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 7 Dec 2022 12:35:22 +0100 Subject: [PATCH 34/39] speedo: Support CUSTOM_SWDB builds. -- --- Makefile.am | 17 ++++++++++++++++- build-aux/speedo.mk | 30 +++++++++++++++++------------- 2 files changed, 33 insertions(+), 14 deletions(-) diff --git a/Makefile.am b/Makefile.am index f3aa2067f..cfc68a0ad 100644 --- a/Makefile.am +++ b/Makefile.am 
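Review bot: The override lookup in the unpack rule builds `tar2="$(OVERRIDE_TARBALLS)/$$$$(basename $$$${tar})"` without checking that OVERRIDE_TARBALLS is set, so with the variable empty (the normal case for anyone who did not add it to .gnupg-autogen.rc) the test becomes `[ -f "/<tarball>" ]` and a file of that name in the filesystem root would be unpacked instead of the downloaded one. Guard the lookup, e.g. `if [ -n "$(OVERRIDE_TARBALLS)" ] && [ -f "$$$${tar2}" ]; then \`, and print the path in the note, `echo "speedo: * Note: using an override $$$${tar2}"; \`, so a release log shows which archive went in. Since the substituted archive is whatever sits in that directory, the comment added in the first hunk should also state whether an overridden tarball is still subject to whatever integrity check (swdb.lst checksums or a detached signature) applies to a downloaded one — those checks are not in this diff, so that is a question rather than a claim. SPKG_template starts and ends outside the hunk.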
@@ -189,10 +189,25 @@ release: ./autogen.sh --force; \ cd $(abs_top_builddir); \ rm -rf dist; mkdir dist ; cd dist ; \ + mkopt=""; \ + if [ -n "$$CUSTOM_SWDB" ]; then \ + mkopt="CUSTOM_SWB=1"; \ + x=$$(grep '^OVERRIDE_TARBALLS=' \ + $$HOME/.gnupg-autogen.rc|cut -d= -f2);\ + if [ -f "$$x/swdb.lst" ]; then \ + echo "/* Copying swdb.lst from the overrides directory */"; \ + cp "$$x/swdb.lst" . ; \ + cp "$$x/swdb.lst.sig" . ; \ + fi; \ + fi; \ + echo "/* Running configure */";\ $(abs_top_srcdir)/configure --enable-maintainer-mode; \ + echo "/* Running make distcheck */";\ $(MAKE) distcheck TESTFLAGS=--parallel; \ + echo "/* Unpacking release */";\ $(TAR) xjf $(RELEASE_NAME).tar.bz2 ;\ - $(MAKE) -f $(RELEASE_NAME)/build-aux/speedo.mk w32-release ;\ + echo "/* Running $(MAKE) -f $(RELEASE_NAME)/build-aux/speedo.mk w32-release $$mkopt";\ + $(MAKE) -f $(RELEASE_NAME)/build-aux/speedo.mk w32-release $$mkopt;\ echo "/* Build finished at $$(date -uIseconds) */" ;\ echo "/*" ;\ echo " * Please run the final step interactivly:" ;\ diff --git a/build-aux/speedo.mk b/build-aux/speedo.mk index 433dc9973..d010d6c3e 100644 --- a/build-aux/speedo.mk +++ b/build-aux/speedo.mk @@ -135,7 +135,10 @@ help-wixlib: @echo '' @echo 'Afterwards w32-release will build also a wixlib.' - +# NB: we can't use +$(MAKE) here because we would need to define the +# dependencies of our packages. This does not make much sense given that +# we have a clear order in how they are build and concurrent builds +# would anyway clutter up the logs. SPEEDOMAKE := $(MAKE) -f $(SPEEDO_MK) UPD_SWDB=1 native: check-tools @@ -226,7 +229,7 @@ STATIC=0 # external packages. TARBALLS=$(shell pwd)/../tarballs -# Number of parallel make jobs +# Number of parallel make jobs in each package MAKE_J=3 # Name to use for the w32 installer and sources 
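Review bot: The release recipe sets `mkopt="CUSTOM_SWB=1"` while the environment variable it tests is `CUSTOM_SWDB` and the commit title speaks of CUSTOM_SWDB builds; unless speedo.mk really reads a variable named CUSTOM_SWB (its hunks in this commit do not show one), the option handed to `w32-release` is misspelled and silently ignored. Make the two names agree, e.g. `mkopt="CUSTOM_SWDB=1"; \`. The same recipe reads `x=$$(grep '^OVERRIDE_TARBALLS=' $$HOME/.gnupg-autogen.rc|cut -d= -f2)`; with no rc file grep prints an error and `x` is empty, so `[ -f "$$x/swdb.lst" ]` then probes `/swdb.lst` — a `-n "$$x"` test before the copy, and `2>/dev/null` on the grep, would keep the fallback quiet and local. Copying `swdb.lst.sig` alongside the list is the right instinct; whether the copied signature is then verified is not visible here.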
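Review bot: The new comment above SPEEDOMAKE reads `we have a clear order in how they are build`; it should be `built`. The `# Check availibility of standard tools and prepare everything.` line touched by the -1535 hunk of the same file has the same kind of slip, `availability`. Both are comment-only, so no behaviour is affected.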
@@ -877,17 +880,18 @@ endif # The playground area is our scratch area, where we unpack, build and # install the packages. $(stampdir)/stamp-directories: - $(MKDIR) $(root) || true - $(MKDIR) $(stampdir) || true - $(MKDIR) $(sdir) || true - $(MKDIR) $(bdir) || true - $(MKDIR) $(idir) || true + $(MKDIR) -p $(root) + $(MKDIR) -p $(stampdir) + $(MKDIR) -p $(sdir) + $(MKDIR) -p $(bdir) + $(MKDIR) -p $(idir) ifeq ($(TARGETOS),w32) - $(MKDIR) $(bdir6) || true - $(MKDIR) $(idir6) || true + $(MKDIR) -p $(bdir6) + $(MKDIR) -p $(idir6) endif touch $(stampdir)/stamp-directories + # Frob the name $1 by converting all '-' and '+' characters to '_'. define FROB_macro $(subst +,_,$(subst -,_,$(1))) @@ -981,7 +985,7 @@ endef # define SPKG_template -$(stampdir)/stamp-$(1)-00-unpack: $(stampdir)/stamp-directories +$(stampdir)/stamp-$(1)-00-unpack: @echo "speedo: /*" @echo "speedo: * $(1)" @echo "speedo: */" @@ -1256,7 +1260,7 @@ endef # Insert the template for each source package. $(foreach spkg, $(speedo_spkgs), $(eval $(call SPKG_template,$(spkg)))) -$(stampdir)/stamp-final: $(stampdir)/stamp-directories clean-pkg-versions +$(stampdir)/stamp-final: clean-pkg-versions ifeq ($(TARGETOS),w32) $(stampdir)/stamp-final: $(addprefix $(stampdir)/stamp-w64-final-,$(speedo_w64_build_list)) endif @@ -1535,9 +1539,9 @@ endif # -# Check availibility of standard tools +# Check availibility of standard tools and prepare everything. # -check-tools: +check-tools: $(stampdir)/stamp-directories # From e778c9ce8926c05f35fcc38cc7d863dc0d0242f3 Mon Sep 17 00:00:00 2001 
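Review bot: Dropping `$(stampdir)/stamp-directories` from the `stamp-$(1)-00-unpack` and `stamp-final` prerequisites and hanging it on `check-tools` instead means the playground directories now exist only if check-tools ran first; a developer invoking a single package stamp directly, which the template names make tempting, will fail on the first write into an absent $(sdir) or $(bdir). If that is acceptable, a comment on the SPKG_template rule saying that check-tools is the required entry point would document the new assumption; otherwise keep the prerequisite on the unpack rule as well. The switch from `$(MKDIR) ... || true` to `$(MKDIR) -p` in the first hunk is a real improvement, since a failure to create the tree now stops the build instead of surfacing later as an unrelated error. The remaining rule bodies are outside these hunks.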
From: Werner Koch Date: Wed, 7 Dec 2022 10:16:50 +0100 Subject: [PATCH 35/39] scd:p15: Skip deleted records. * scd/app-p15.c (select_and_read_record): Special case deleted records. Support 3 byte TLVs. (read_ef_prkdf): Skip deleted records. (read_ef_pukdf): Ditto. (read_ef_cdf): Ditto. (read_ef_aodf): Ditto. -- This fixes a problem with some CardOS 5 applications. --- scd/app-p15.c | 45 +++++++++++++++++++++++++++++++++++++-------- 1 file changed, 37 insertions(+), 8 deletions(-) diff --git a/scd/app-p15.c b/scd/app-p15.c index f1f1168ec..4a855b97d 100644 --- a/scd/app-p15.c +++ b/scd/app-p15.c @@ -744,7 +744,15 @@ select_and_read_record (app_t app, unsigned short efid, int recno, /* On CardOS with a Linear TLV file structure the records starts * with some tag (often the record number) followed by the length * byte for this record. Detect and remove this prefix. */ - if (*buflen > 2 && (*buffer)[0] != 0x30 && (*buffer)[1] == *buflen - 2) + if (*buflen == 2 && !(*buffer)[0] && !(*buffer)[1]) + ; /* deleted record. */ + else if (*buflen > 3 && (*buffer)[0] == 0xff + && buf16_to_uint ((*buffer)+1) == *buflen - 3) + { + memmove (*buffer, *buffer + 3, *buflen - 3); + *buflen = *buflen - 3; + } + else if (*buflen > 2 && (*buffer)[0] != 0x30 && (*buffer)[1] == *buflen - 2) { memmove (*buffer, *buffer + 2, *buflen - 2); *buflen = *buflen - 2; @@ -1771,6 +1779,9 @@ read_ef_prkdf (app_t app, unsigned short fid, prkdf_object_t *result) starting with 0x00 or 0xff as these values are commonly used to pad data blocks and are no valid ASN.1 encoding. Note the special handling for record mode at the end of the loop. */ + if (record_mode && buflen == 2 && !buffer[0] && !buffer[1]) + goto next_record; /* Deleted record - continue with next */ + while (n && *p && *p != 0xff) { const unsigned char *pp; 
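Review bot: select_and_read_record now returns a deleted record (two zero bytes) untouched and leaves it to every caller to recognise it, which is why the same `buflen == 2 && !buffer[0] && !buffer[1]` test is repeated at eight sites across read_ef_prkdf, read_ef_pukdf, read_ef_cdf and read_ef_aodf. A `static int is_deleted_record (const unsigned char *buf, size_t len)` next to select_and_read_record, plus a sentence in that function's header comment (outside this hunk) stating that deleted records are passed through unchanged, would keep the convention in one place. The new 0xff/16-bit-length branch is ordered before the generic tag/length case, which is right, but the comment above still speaks only of a tag followed by a length byte; extend it to mention the `0xff` + two-byte-length form so the 0xff test is not mistaken for the padding check used elsewhere in this file. select_and_read_record begins outside the hunk.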
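Review bot: `goto next_record` is taken here before the loop body has assigned anything, and — via the matching checks added after select_and_read_record in the -2026, -2075, -2352, -2633 and -3295 hunks — also right after the previous iteration's cleanup at that label; read_ef_cdf's label was therefore changed to `xfree (authid); authid = NULL;` and `xfree (label); label = NULL;` in the -2623 hunk so the second visit does not free the same pointers again. The next_record labels of read_ef_prkdf, read_ef_pukdf and read_ef_aodf are not in this diff, so please confirm that each pointer they free is either reset to NULL there or only assigned after the label; if not, a card presenting a deleted record after a valid one double-frees. The loop and the label are outside this hunk.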
@@ -2026,6 +2037,8 @@ read_ef_prkdf (app_t app, unsigned short fid, prkdf_object_t *result) err = 0; goto leave; } + if (buflen == 2 && !buffer[0] && !buffer[1]) + goto next_record; /* Deleted record - continue with next */ p = buffer; n = buflen; } @@ -2075,6 +2088,9 @@ read_ef_pukdf (app_t app, unsigned short fid, pukdf_object_t *result) * starting with 0x00 or 0xff as these values are commonly used to * pad data blocks and are no valid ASN.1 encoding. Note the * special handling for record mode at the end of the loop. */ + if (record_mode && buflen == 2 && !buffer[0] && !buffer[1]) + goto next_record; /* Deleted record - continue with next */ + while (n && *p && *p != 0xff) { const unsigned char *pp; @@ -2352,6 +2368,8 @@ read_ef_pukdf (app_t app, unsigned short fid, pukdf_object_t *result) err = 0; goto leave; } + if (buflen == 2 && !buffer[0] && !buffer[1]) + goto next_record; /* Deleted record - continue with next */ p = buffer; n = buflen; } @@ -2402,6 +2420,9 @@ read_ef_cdf (app_t app, unsigned short fid, int cdftype, cdf_object_t *result) starting with 0x00 or 0xff as these values are commonly used to pad data blocks and are no valid ASN.1 encoding. Note the special handling for record mode at the end of the loop. */ + if (record_mode && buflen == 2 && !buffer[0] && !buffer[1]) + goto next_record; /* Deleted record - continue with next */ + while (n && *p && *p != 0xff) { const unsigned char *pp; @@ -2623,8 +2644,8 @@ read_ef_cdf (app_t app, unsigned short fid, int cdftype, cdf_object_t *result) err = 0; next_record: - xfree (authid); - xfree (label); + xfree (authid); authid = NULL; + xfree (label); label = NULL; /* If the card uses a record oriented file structure, read the * next record. Otherwise we keep on parsing the current buffer. */ recno++; 
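Review bot: The `authid = NULL;` and `label = NULL;` added after the frees at next_record in read_ef_cdf are load-bearing rather than cosmetic: the deleted-record checks jump back to this label without passing the assignments, so without the reset the next visit would free stale pointers. A comment makes that visible, e.g. `/* Reset: a deleted record jumps back here before these are set again. */`. The loop containing the label starts outside the hunk.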
@@ -2633,11 +2654,14 @@ read_ef_cdf (app_t app, unsigned short fid, int cdftype, cdf_object_t *result) xfree (buffer); buffer = NULL; err = select_and_read_record (app, 0, recno, "CDF", &buffer, &buflen, NULL); - if (err) { - if (gpg_err_code (err) == GPG_ERR_NOT_FOUND) - err = 0; - goto leave; - } + if (err) + { + if (gpg_err_code (err) == GPG_ERR_NOT_FOUND) + err = 0; + goto leave; + } + if (buflen == 2 && !buffer[0] && !buffer[1]) + goto next_record; /* Deleted record - continue with next */ p = buffer; n = buflen; } @@ -2726,6 +2750,9 @@ read_ef_aodf (app_t app, unsigned short fid, aodf_object_t *result) starting with 0x00 or 0xff as these values are commonly used to pad data blocks and are no valid ASN.1 encoding. Note the special handling for record mode at the end of the loop. */ + if (record_mode && buflen == 2 && !buffer[0] && !buffer[1]) + goto next_record; /* Deleted record - continue with next */ + while (n && *p && *p != 0xff) { const unsigned char *pp; @@ -3295,6 +3322,8 @@ read_ef_aodf (app_t app, unsigned short fid, aodf_object_t *result) err = 0; goto leave; } + if (buflen == 2 && !buffer[0] && !buffer[1]) + goto next_record; /* Deleted record - continue with next */ p = buffer; n = buflen; } From 5351bc323a63fb221172b8656efea1e3aef418ec Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Fri, 9 Dec 2022 09:04:25 +0100 Subject: [PATCH 36/39] po: Update German translation -- --- po/de.po | 60 +++++++++----------------------------------------------- 1 file changed, 9 insertions(+), 51 deletions(-) diff --git a/po/de.po b/po/de.po index 9754b1a9a..a888f1817 100644 --- a/po/de.po +++ b/po/de.po @@ -9,7 +9,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg-2.1.0\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"PO-Revision-Date: 2022-04-25 18:05+0200\n" +"PO-Revision-Date: 2022-12-09 09:06+0100\n" "Last-Translator: Werner Koch \n" "Language-Team: German \n" "Language: de\n" 
@@ -1969,6 +1969,9 @@ msgstr "Unbrauchbare Teile des Schlüssel während des Exports entfernen" msgid "remove as much as possible from key during export" msgstr "Während des Exports soviel wie möglich vom Schlüssel entfernen" +msgid "export only revocation certificates" +msgstr "Nur Schlüsselwiderruf-Zertifikate exportieren" + msgid "use the GnuPG key backup format" msgstr "Das GnuPG Datensicherungsformat für Schlüssel benutzen" @@ -6559,13 +6562,16 @@ msgstr "Der RSA Modulus fehlt oder ist nicht %d Bits lang\n" msgid "RSA public exponent missing or larger than %d bits\n" msgstr "Der öffentliche Exponent fehlt oder ist zu groß (mehr als %d Bit)\n" +msgid "Note: PIN has not yet been enabled." +msgstr "Hinweis: Die Null-PIN wurde noch nicht geändert" + #, c-format msgid "PIN callback returned error: %s\n" msgstr "PIN-Callback meldete Fehler: %s\n" #, c-format msgid "the NullPIN has not yet been changed\n" -msgstr "Die Nullpin wurde noch nicht geändert\n" +msgstr "Die Null-PIN wurde noch nicht geändert\n" msgid "|N|Please enter a new PIN for the standard keys." msgstr "|N|Bitte eine neue PIN für den Standard-Schlüssel eingeben." @@ -9204,10 +9210,9 @@ msgstr "" #~ msgid " using certificate ID 0x%08lX\n" #~ msgstr " mittels Zertifikat ID 0x%08lX\n" -#, fuzzy #~ msgid "" #~ "keyserver option \"honor-keyserver-url\" may not be used in Tor mode\n" -#~ msgstr "Die Schlüsselserveroption \"%s\" ist im %s-Modus nicht erlaubt.\n" +#~ msgstr "Die Schlüsselserveroption \"%s\" ist im Tor-Modus nicht erlaubt.\n" #~ msgid "male" #~ msgstr "männlich" 
@@ -9224,53 +9229,6 @@ msgstr "" #~ msgid "only SHA-1 is supported for OCSP responses\n" #~ msgstr "Lediglich SHA-1 wird bei OCSP Antworten unterstützt\n" -#, fuzzy -#~| msgid "error creating temporary file: %s\n" -#~ msgid "error creating 'ultimately_trusted_keys' TOFU table: %s\n" -#~ msgstr "Fehler beim Erstellen einer temporären Datei: %s\n" - -#, fuzzy -#~| msgid "error creating temporary file: %s\n" -#~ msgid "error creating 'encryptions' TOFU table: %s\n" -#~ msgstr "Fehler beim Erstellen einer temporären Datei: %s\n" - -#, fuzzy -#~| msgid "error writing key: %s\n" -#~ msgid "resetting keydb: %s\n" -#~ msgstr "Fehler beim Schreiben des Schlüssels: %s\n" - -#, fuzzy -#~| msgid "" -#~| "Verified %ld message signed by \"%s\"\n" -#~| "in the past %s." -#~| msgid_plural "" -#~| "Verified %ld messages signed by \"%s\"\n" -#~| "in the past %s." -#~ msgid "%s: Verified %ld~signature in the past %s." -#~ msgid_plural "%s: Verified %ld~signatures in the past %s." -#~ msgstr[0] "" -#~ "%ld überprüfte Nachricht von \"%s\"\n" -#~ "in den letzten %s." -#~ msgstr[1] "" -#~ "%ld überprüfte Nachrichten von \"%s\"\n" -#~ "in den letzten %s." - -#, fuzzy -#~| msgid "" -#~| "Verified %ld message signed by \"%s\"\n" -#~| "in the past %s." -#~| msgid_plural "" -#~| "Verified %ld messages signed by \"%s\"\n" -#~| "in the past %s." -#~ msgid "Encrypted %ld~message in the past %s." -#~ msgid_plural "Encrypted %ld~messages in the past %s." -#~ msgstr[0] "" -#~ "%ld überprüfte Nachricht von \"%s\"\n" -#~ "in den letzten %s." -#~ msgstr[1] "" -#~ "%ld überprüfte Nachrichten von \"%s\"\n" -#~ "in den letzten %s." - #~ msgid "no keyserver known (use option --keyserver)\n" #~ msgstr "Kein Schlüsselserver bekannt (Option --keyserver verwenden)\n" From 42637c0ead8116894f1181c4eb1e32f712ef4704 Mon Sep 17 00:00:00 2001 
From: Werner Koch Date: Fri, 9 Dec 2022 09:39:15 +0100 Subject: [PATCH 37/39] po: Auto update -- --- po/ca.po | 10 ++++++++++ po/cs.po | 10 ++++++++++ po/da.po | 10 ++++++++++ po/el.po | 10 ++++++++++ po/eo.po | 10 ++++++++++ po/es.po | 10 ++++++++++ po/et.po | 10 ++++++++++ po/fi.po | 10 ++++++++++ po/fr.po | 10 ++++++++++ po/gl.po | 10 ++++++++++ po/hu.po | 10 ++++++++++ po/id.po | 10 ++++++++++ po/it.po | 10 ++++++++++ po/ja.po | 10 ++++++++++ po/nb.po | 10 ++++++++++ po/pl.po | 10 ++++++++++ po/pt.po | 10 ++++++++++ po/ro.po | 10 ++++++++++ po/ru.po | 10 ++++++++++ po/sk.po | 10 ++++++++++ po/sv.po | 10 ++++++++++ po/tr.po | 10 ++++++++++ po/uk.po | 10 ++++++++++ po/zh_CN.po | 10 ++++++++++ po/zh_TW.po | 10 ++++++++++ 25 files changed, 250 insertions(+) diff --git a/po/ca.po b/po/ca.po index fdc93b8b9..262669ec0 100644 --- a/po/ca.po +++ b/po/ca.po @@ -2111,6 +2111,11 @@ msgstr "la clau secreta és inusable" msgid "remove as much as possible from key during export" msgstr "" +#, fuzzy +#| msgid "generate a revocation certificate" +msgid "export only revocation certificates" +msgstr "genera un certificat de revocació" + msgid "use the GnuPG key backup format" msgstr "" @@ -6875,6 +6880,11 @@ msgstr "" msgid "RSA public exponent missing or larger than %d bits\n" msgstr "" +#, fuzzy +#| msgid "Note: This key has been disabled.\n" +msgid "Note: PIN has not yet been enabled." +msgstr "Nota: Aquesta clau ha estat desactivada.\n" + #, c-format msgid "PIN callback returned error: %s\n" msgstr "" diff --git a/po/cs.po b/po/cs.po index ae0490199..88060f4ff 100644 --- a/po/cs.po +++ b/po/cs.po 
@@ -1977,6 +1977,11 @@ msgstr "odstranit nepoužitelné části z klíče při exportu" msgid "remove as much as possible from key during export" msgstr "odstranit při exportu z klíče vše, co lze" +#, fuzzy +#| msgid "generate a revocation certificate" +msgid "export only revocation certificates" +msgstr "vytvořit revokační certifikát" + msgid "use the GnuPG key backup format" msgstr "použít záložní formát klíče GnuPG" @@ -6504,6 +6509,11 @@ msgstr "schází RSA modulus nebo nemá velikost %d bitů\n" msgid "RSA public exponent missing or larger than %d bits\n" msgstr "schází veřejný RSA exponent nebo je delší než %d bitů\n" +#, fuzzy +#| msgid "the NullPIN has not yet been changed\n" +msgid "Note: PIN has not yet been enabled." +msgstr "NullPIN ještě nebyl změněn\n" + #, c-format msgid "PIN callback returned error: %s\n" msgstr "funkce PIN callback skončila chybou: %s\n" diff --git a/po/da.po b/po/da.po index 5651dd440..965e31a18 100644 --- a/po/da.po +++ b/po/da.po @@ -2123,6 +2123,11 @@ msgstr "fjern nøgledele der ikke kan bruges under eksport" msgid "remove as much as possible from key during export" msgstr "fjern så meget som muligt fra nøglen under eksport" +#, fuzzy +#| msgid "generate a revocation certificate" +msgid "export only revocation certificates" +msgstr "opret et tilbagekaldscertifikat" + msgid "use the GnuPG key backup format" msgstr "" @@ -6862,6 +6867,11 @@ msgstr "RSA-modulus mangler eller har ikke størrelsen %d bit\n" msgid "RSA public exponent missing or larger than %d bits\n" msgstr "RSA offentlig eksponent mangler eller større end %d bit\n" +#, fuzzy +#| msgid "the NullPIN has not yet been changed\n" +msgid "Note: PIN has not yet been enabled." +msgstr "NullPIN'en er endnu ikke ændret\n" + #, c-format msgid "PIN callback returned error: %s\n" msgstr "PIN-tilbagekald returnerede fejl: %s\n" diff --git a/po/el.po b/po/el.po index a35f85ff2..ff88a2d18 100644 --- a/po/el.po +++ b/po/el.po 
@@ -2044,6 +2044,11 @@ msgstr "μη χρησιμοποιήσιμο μυστικό κλειδί" msgid "remove as much as possible from key during export" msgstr "" +#, fuzzy +#| msgid "generate a revocation certificate" +msgid "export only revocation certificates" +msgstr "δημιουργία ενός πιστοποιητικού ανάκλησης" + msgid "use the GnuPG key backup format" msgstr "" @@ -6743,6 +6748,11 @@ msgstr "" msgid "RSA public exponent missing or larger than %d bits\n" msgstr "" +#, fuzzy +#| msgid "Note: This key has been disabled.\n" +msgid "Note: PIN has not yet been enabled." +msgstr "Σημείωση: Αυτό το κλειδί έχει απενεργοποιηθεί.\n" + #, c-format msgid "PIN callback returned error: %s\n" msgstr "" diff --git a/po/eo.po b/po/eo.po index 3b77e6e94..88697cdde 100644 --- a/po/eo.po +++ b/po/eo.po @@ -2027,6 +2027,11 @@ msgstr "neuzebla sekreta ŝlosilo" msgid "remove as much as possible from key during export" msgstr "" +#, fuzzy +#| msgid "generate a revocation certificate" +msgid "export only revocation certificates" +msgstr "krei revokatestilon" + msgid "use the GnuPG key backup format" msgstr "" @@ -6661,6 +6666,11 @@ msgstr "" msgid "RSA public exponent missing or larger than %d bits\n" msgstr "" +#, fuzzy +#| msgid "Note: This key has been disabled.\n" +msgid "Note: PIN has not yet been enabled." +msgstr "Noto: Ĉi tiu ŝlosilo estas malŝaltita.\n" + #, c-format msgid "PIN callback returned error: %s\n" msgstr "" diff --git a/po/es.po b/po/es.po index 7364c83c3..b0a74c2db 100644 --- a/po/es.po +++ b/po/es.po @@ -1990,6 +1990,11 @@ msgstr "borrar partes inutilizables de la clave al exportar" msgid "remove as much as possible from key during export" msgstr "borrar tanto como sea posible de la clave al exportar" +#, fuzzy +#| msgid "generate a revocation certificate" +msgid "export only revocation certificates" +msgstr "genera un certificado de revocación" + msgid "use the GnuPG key backup format" msgstr "usar el formato de backup de claves GnuPG" 
@@ -6503,6 +6508,11 @@ msgstr "falta el módulo RSA o no es de %d bits\n" msgid "RSA public exponent missing or larger than %d bits\n" msgstr "falta el exponente público RSA o es mayor de %d bits\n" +#, fuzzy +#| msgid "the NullPIN has not yet been changed\n" +msgid "Note: PIN has not yet been enabled." +msgstr "el PIN-Nulo no ha sido cambiado\n" + #, c-format msgid "PIN callback returned error: %s\n" msgstr "la función de manejo del PIN devolvió un error: %s\n" diff --git a/po/et.po b/po/et.po index 9871c13b5..66de18c22 100644 --- a/po/et.po +++ b/po/et.po @@ -2036,6 +2036,11 @@ msgstr "mittekasutatav salajane võti" msgid "remove as much as possible from key during export" msgstr "" +#, fuzzy +#| msgid "generate a revocation certificate" +msgid "export only revocation certificates" +msgstr "genereeri tühistamise sertifikaat" + msgid "use the GnuPG key backup format" msgstr "" @@ -6665,6 +6670,11 @@ msgstr "" msgid "RSA public exponent missing or larger than %d bits\n" msgstr "" +#, fuzzy +#| msgid "Note: This key has been disabled.\n" +msgid "Note: PIN has not yet been enabled." +msgstr "Märkus: See võti on blokeeritud.\n" + #, c-format msgid "PIN callback returned error: %s\n" msgstr "" diff --git a/po/fi.po b/po/fi.po index eaadcbe84..dfedc0602 100644 --- a/po/fi.po +++ b/po/fi.po @@ -2052,6 +2052,11 @@ msgstr "salaista avainta ei voi käyttää" msgid "remove as much as possible from key during export" msgstr "" +#, fuzzy +#| msgid "generate a revocation certificate" +msgid "export only revocation certificates" +msgstr "luo mitätöintivarmenne" + msgid "use the GnuPG key backup format" msgstr "" @@ -6726,6 +6731,11 @@ msgstr "" msgid "RSA public exponent missing or larger than %d bits\n" msgstr "" +#, fuzzy +#| msgid "Note: This key has been disabled.\n" +msgid "Note: PIN has not yet been enabled." +msgstr "Huom: Tämä avain on poistettu käytöstä\n" + #, c-format msgid "PIN callback returned error: %s\n" msgstr "" 
diff --git a/po/fr.po b/po/fr.po index 7bec71507..2e9d1b95f 100644 --- a/po/fr.po +++ b/po/fr.po @@ -2054,6 +2054,11 @@ msgstr "supprimer les parties inutilisables de la clef pendant l'exportation" msgid "remove as much as possible from key during export" msgstr "supprimer autant que possible de la clef pendant l'exportation" +#, fuzzy +#| msgid "generate a revocation certificate" +msgid "export only revocation certificates" +msgstr "générer un certificat de révocation" + msgid "use the GnuPG key backup format" msgstr "" @@ -6778,6 +6783,11 @@ msgstr "le module RSA est manquant ou sa taille n'est pas de %d bits\n" msgid "RSA public exponent missing or larger than %d bits\n" msgstr "l'exposant public RSA est manquant ou plus grand que %d bits\n" +#, fuzzy +#| msgid "the NullPIN has not yet been changed\n" +msgid "Note: PIN has not yet been enabled." +msgstr "le code personnel nul n'a pas encore été modifié\n" + #, c-format msgid "PIN callback returned error: %s\n" msgstr "le rappel du code personnel a renvoyé une erreur : %s\n" diff --git a/po/gl.po b/po/gl.po index e79c7b989..4a1d544b7 100644 --- a/po/gl.po +++ b/po/gl.po @@ -2046,6 +2046,11 @@ msgstr "chave secreta non utilizable" msgid "remove as much as possible from key during export" msgstr "" +#, fuzzy +#| msgid "generate a revocation certificate" +msgid "export only revocation certificates" +msgstr "xerar un certificado de revocación" + msgid "use the GnuPG key backup format" msgstr "" @@ -6729,6 +6734,11 @@ msgstr "" msgid "RSA public exponent missing or larger than %d bits\n" msgstr "" +#, fuzzy +#| msgid "Note: This key has been disabled.\n" +msgid "Note: PIN has not yet been enabled." +msgstr "Nota: Esta chave está desactivada.\n" + #, c-format msgid "PIN callback returned error: %s\n" msgstr "" diff --git a/po/hu.po b/po/hu.po index 42ca4b67e..4cbde016d 100644 --- a/po/hu.po +++ b/po/hu.po 
@@ -2035,6 +2035,11 @@ msgstr "használhatatlan titkos kulcs" msgid "remove as much as possible from key during export" msgstr "" +#, fuzzy +#| msgid "generate a revocation certificate" +msgid "export only revocation certificates" +msgstr "visszavonási igazolás készítése" + msgid "use the GnuPG key backup format" msgstr "" @@ -6690,6 +6695,11 @@ msgstr "" msgid "RSA public exponent missing or larger than %d bits\n" msgstr "" +#, fuzzy +#| msgid "Note: This key has been disabled.\n" +msgid "Note: PIN has not yet been enabled." +msgstr "Megjegyzés: Ez a kulcs le lett tiltva.\n" + #, c-format msgid "PIN callback returned error: %s\n" msgstr "" diff --git a/po/id.po b/po/id.po index ed12a69f1..6fdd4e25e 100644 --- a/po/id.po +++ b/po/id.po @@ -2040,6 +2040,11 @@ msgstr "kunci rahasia tidak dapat dipakai" msgid "remove as much as possible from key during export" msgstr "" +#, fuzzy +#| msgid "generate a revocation certificate" +msgid "export only revocation certificates" +msgstr "buat sertifikat revokasi" + msgid "use the GnuPG key backup format" msgstr "" @@ -6688,6 +6693,11 @@ msgstr "" msgid "RSA public exponent missing or larger than %d bits\n" msgstr "" +#, fuzzy +#| msgid "Note: This key has been disabled.\n" +msgid "Note: PIN has not yet been enabled." +msgstr "Catatan: Kunci ini telah ditiadakan\n" + #, c-format msgid "PIN callback returned error: %s\n" msgstr "" diff --git a/po/it.po b/po/it.po index c59b9b1ee..6aa906387 100644 --- a/po/it.po +++ b/po/it.po @@ -1960,6 +1960,11 @@ msgstr "rimuovere parti inutilizzabili dalla chiave durante l'esportazione" msgid "remove as much as possible from key during export" msgstr "rimuovere il più possibile dalla chiave durante l'esportazione" +#, fuzzy +#| msgid "generate a revocation certificate" +msgid "export only revocation certificates" +msgstr "genera un certificato di revoca" + msgid "use the GnuPG key backup format" msgstr "utilizzare il formato di backup della chiave GnuPG" 
@@ -6511,6 +6516,11 @@ msgstr "Modulo RSA mancante o non di dimensione %d bit\n" msgid "RSA public exponent missing or larger than %d bits\n" msgstr "Esponente pubblico RSA mancante o superiore a %d bit\n" +#, fuzzy +#| msgid "the NullPIN has not yet been changed\n" +msgid "Note: PIN has not yet been enabled." +msgstr "il NullPIN non è ancora stato modificato\n" + #, c-format msgid "PIN callback returned error: %s\n" msgstr "Errore di richiamata PIN: %s\n" diff --git a/po/ja.po b/po/ja.po index f438d963f..78f742a01 100644 --- a/po/ja.po +++ b/po/ja.po @@ -1915,6 +1915,11 @@ msgstr "エクスポートの際、利用できない部分を除去する" msgid "remove as much as possible from key during export" msgstr "エクスポートの際、できるだけ除去する" +#, fuzzy +#| msgid "generate a revocation certificate" +msgid "export only revocation certificates" +msgstr "失効証明書を生成" + msgid "use the GnuPG key backup format" msgstr "GnuPGの鍵のバックアップフォーマットを使います" @@ -6256,6 +6261,11 @@ msgstr "RSAのモジュラスがないか、%dビットのものではありま msgid "RSA public exponent missing or larger than %d bits\n" msgstr "RSA公開指数がないか %d ビットより大きすぎます\n" +#, fuzzy +#| msgid "the NullPIN has not yet been changed\n" +msgid "Note: PIN has not yet been enabled." +msgstr "NullPINが変更されていません\n" + #, c-format msgid "PIN callback returned error: %s\n" msgstr "PINコールバックがエラーを返しました: %s\n" diff --git a/po/nb.po b/po/nb.po index 72cb3370b..1da38c520 100644 --- a/po/nb.po +++ b/po/nb.po @@ -1970,6 +1970,11 @@ msgstr "fjern ubrukelige deler fra nøkkelen under eksportering" msgid "remove as much as possible from key during export" msgstr "fjern så mye som mulig fra nøkkelen under eksportering" +#, fuzzy +#| msgid "generate a revocation certificate" +msgid "export only revocation certificates" +msgstr "lag opphevelsessertifikat" + msgid "use the GnuPG key backup format" msgstr "bruk GnuPG-format til sikkerhetskopiering av nøkkel" 
@@ -6448,6 +6453,11 @@ msgstr "RSA-modulus mangler eller er av annen størrelse enn %d bit\n"
 msgid "RSA public exponent missing or larger than %d bits\n"
 msgstr "offentlig RSA-eksponent mangler eller er større enn %d bit\n"
 
+#, fuzzy
+#| msgid "the NullPIN has not yet been changed\n"
+msgid "Note: PIN has not yet been enabled."
+msgstr "NullPIN er ikke blitt endret enda\n"
+
 #, c-format
 msgid "PIN callback returned error: %s\n"
 msgstr "PIN-callback returnerte en feil: %s\n"
diff --git a/po/pl.po b/po/pl.po
index 6aa8aed74..e055dd590 100644
--- a/po/pl.po
+++ b/po/pl.po
@@ -1936,6 +1936,11 @@ msgstr "usunięcie bezużytecznych części z klucza przy eksporcie"
 msgid "remove as much as possible from key during export"
 msgstr "usunięcie jak największej części klucza przy eksporcie"
 
+#, fuzzy
+#| msgid "generate a revocation certificate"
+msgid "export only revocation certificates"
+msgstr "tworzenie certyfikatu unieważnienia klucza"
+
 msgid "use the GnuPG key backup format"
 msgstr "użycie formatu kopii zapasowej klucza GnuPG"
 
@@ -6534,6 +6539,11 @@ msgstr "reszta RSA brakująca lub o rozmiarze innym niż %d bity\n"
 msgid "RSA public exponent missing or larger than %d bits\n"
 msgstr "publiczny wykładnik RSA brakujący lub większy niż %d bity\n"
 
+#, fuzzy
+#| msgid "the NullPIN has not yet been changed\n"
+msgid "Note: PIN has not yet been enabled."
+msgstr "NullPIN nie został jeszcze zmieniony\n"
+
 #, c-format
 msgid "PIN callback returned error: %s\n"
 msgstr "Zapytanie zwrotne o PIN zwróciło błąd: %s\n"
diff --git a/po/pt.po b/po/pt.po
index d86b2b7f1..39d89c6e8 100644
--- a/po/pt.po
+++ b/po/pt.po
@@ -2034,6 +2034,11 @@ msgstr "chave secreta não utilizável"
 msgid "remove as much as possible from key during export"
 msgstr ""
 
+#, fuzzy
+#| msgid "generate a revocation certificate"
+msgid "export only revocation certificates"
+msgstr "gerar um certificado de revogação"
+
 msgid "use the GnuPG key backup format"
 msgstr ""
 
@@ -6683,6 +6688,11 @@ msgstr ""
 msgid "RSA public exponent missing or larger than %d bits\n"
 msgstr ""
 
+#, fuzzy
+#| msgid "Note: This key has been disabled.\n"
+msgid "Note: PIN has not yet been enabled."
+msgstr "Nota: Esta chave foi desactivada.\n"
+
 #, c-format
 msgid "PIN callback returned error: %s\n"
 msgstr ""
diff --git a/po/ro.po b/po/ro.po
index 8b2e04dae..1deba4a79 100644
--- a/po/ro.po
+++ b/po/ro.po
@@ -2063,6 +2063,11 @@ msgstr "cheie secretă de nefolosit"
 msgid "remove as much as possible from key during export"
 msgstr ""
 
+#, fuzzy
+#| msgid "generate a revocation certificate"
+msgid "export only revocation certificates"
+msgstr "generează un certificat de revocare"
+
 msgid "use the GnuPG key backup format"
 msgstr ""
 
@@ -6779,6 +6784,11 @@ msgstr "modulus-ul RSA lipseşte sau nu are %d biţi\n"
 msgid "RSA public exponent missing or larger than %d bits\n"
 msgstr "exponentul public RSA lipseşte sau are mai mult de %d biţi\n"
 
+#, fuzzy
+#| msgid "Note: This key has been disabled.\n"
+msgid "Note: PIN has not yet been enabled."
+msgstr "Notă: Această cheie a fost deactivată.\n"
+
 #, c-format
 msgid "PIN callback returned error: %s\n"
 msgstr "apelul PIN a returnat eroare: %s\n"
diff --git a/po/ru.po b/po/ru.po
index 20272e35f..70a34b136 100644
--- a/po/ru.po
+++ b/po/ru.po
@@ -1938,6 +1938,11 @@ msgstr "удалить при экспорте непригодные части
 msgid "remove as much as possible from key during export"
 msgstr "при экспорте удалить из ключа как можно больше"
 
+#, fuzzy
+#| msgid "generate a revocation certificate"
+msgid "export only revocation certificates"
+msgstr "создать сертификат отзыва"
+
 msgid "use the GnuPG key backup format"
 msgstr "пользоваться архивным форматом ключей GnuPG"
 
@@ -6482,6 +6487,11 @@ msgstr "Модули RSA пропущены, или их размер не ра
 msgid "RSA public exponent missing or larger than %d bits\n"
 msgstr "отсутствует открытая экспонента RSA, или ее размер превышает %d бит\n"
 
+#, fuzzy
+#| msgid "the NullPIN has not yet been changed\n"
+msgid "Note: PIN has not yet been enabled."
+msgstr "пустой PIN до сих пор не изменен\n"
+
 #, c-format
 msgid "PIN callback returned error: %s\n"
 msgstr "Функция обработки PIN возвратила ошибку: %s\n"
diff --git a/po/sk.po b/po/sk.po
index a84d2c099..4cae53578 100644
--- a/po/sk.po
+++ b/po/sk.po
@@ -2043,6 +2043,11 @@ msgstr "nepoužiteľný tajný kľúč"
 msgid "remove as much as possible from key during export"
 msgstr ""
 
+#, fuzzy
+#| msgid "generate a revocation certificate"
+msgid "export only revocation certificates"
+msgstr "vytvoriť revokačný certifikát"
+
 msgid "use the GnuPG key backup format"
 msgstr ""
 
@@ -6717,6 +6722,11 @@ msgstr ""
 msgid "RSA public exponent missing or larger than %d bits\n"
 msgstr ""
 
+#, fuzzy
+#| msgid "Note: This key has been disabled.\n"
+msgid "Note: PIN has not yet been enabled."
+msgstr "Poznámka: Tento kľúč bol označený ako neplatný (disabled).\n"
+
 #, c-format
 msgid "PIN callback returned error: %s\n"
 msgstr ""
diff --git a/po/sv.po b/po/sv.po
index 1cb393d62..e29227df7 100644
--- a/po/sv.po
+++ b/po/sv.po
@@ -2160,6 +2160,11 @@ msgstr "ta bort oanvändbara delar från nyckeln under exportering"
 msgid "remove as much as possible from key during export"
 msgstr "ta bort så mycket som möjligt från nyckeln under exportering"
 
+#, fuzzy
+#| msgid "generate a revocation certificate"
+msgid "export only revocation certificates"
+msgstr "generera ett spärrcertifikat"
+
 msgid "use the GnuPG key backup format"
 msgstr ""
 
@@ -6982,6 +6987,11 @@ msgstr "RSA modulus saknas eller är inte %d bitar stor\n"
 msgid "RSA public exponent missing or larger than %d bits\n"
 msgstr "Publik RSA-exponent saknas eller större än %d bitar\n"
 
+#, fuzzy
+#| msgid "the NullPIN has not yet been changed\n"
+msgid "Note: PIN has not yet been enabled."
+msgstr "NullPIN har ännu inte ändrats\n"
+
 #, c-format
 msgid "PIN callback returned error: %s\n"
 msgstr "PIN-återanrop returnerade fel: %s\n"
diff --git a/po/tr.po b/po/tr.po
index e6e4530cc..6aac67107 100644
--- a/po/tr.po
+++ b/po/tr.po
@@ -2099,6 +2099,11 @@ msgstr "ihraç sırasında anahtardan kullanışsız parçalar kaldırılır"
 msgid "remove as much as possible from key during export"
 msgstr "ihraç sırasında anahtardan mümkün olduğunca çok şey kaldırılır"
 
+#, fuzzy
+#| msgid "generate a revocation certificate"
+msgid "export only revocation certificates"
+msgstr "bir yürürlükten kaldırma sertifikası üretir"
+
 msgid "use the GnuPG key backup format"
 msgstr ""
 
@@ -6892,6 +6897,11 @@ msgstr "RSA modülü ya eksik ya da %d bitlik değil\n"
 msgid "RSA public exponent missing or larger than %d bits\n"
 msgstr "RSA genel üstel sayısı ya eksik ya da %d bitten büyük\n"
 
+#, fuzzy
+#| msgid "the NullPIN has not yet been changed\n"
+msgid "Note: PIN has not yet been enabled."
+msgstr "BoşPIN henüz değişmedi\n"
+
 #, c-format
 msgid "PIN callback returned error: %s\n"
 msgstr "PIN eylemcisi hata döndürdü: %s\n"
diff --git a/po/uk.po b/po/uk.po
index 9f1f5f6dc..010548ebe 100644
--- a/po/uk.po
+++ b/po/uk.po
@@ -1975,6 +1975,11 @@ msgstr "вилучити невикористовувані частини кл
 msgid "remove as much as possible from key during export"
 msgstr "вилучити максимум частин з ключа під час експортування"
 
+#, fuzzy
+#| msgid "generate a revocation certificate"
+msgid "export only revocation certificates"
+msgstr "створити сертифікат відкликання"
+
 msgid "use the GnuPG key backup format"
 msgstr "використовувати формат резервних копій ключів GnuPG"
 
@@ -6600,6 +6605,11 @@ msgstr ""
 "Не вистачає відкритого показника RSA або розмірність показника перевищує %d "
 "бітів\n"
 
+#, fuzzy
+#| msgid "the NullPIN has not yet been changed\n"
+msgid "Note: PIN has not yet been enabled."
+msgstr "NullPIN ще не було змінено\n"
+
 #, c-format
 msgid "PIN callback returned error: %s\n"
 msgstr "Зворотний виклик пінкоду повернув повідомлення про помилку: %s\n"
diff --git a/po/zh_CN.po b/po/zh_CN.po
index 82fbe8653..8a277317f 100644
--- a/po/zh_CN.po
+++ b/po/zh_CN.po
@@ -1894,6 +1894,11 @@ msgstr "导出时移除密钥中未使用的部分"
 msgid "remove as much as possible from key during export"
 msgstr "导出时尽可能移除密钥中的可选部分"
 
+#, fuzzy
+#| msgid "generate a revocation certificate"
+msgid "export only revocation certificates"
+msgstr "生成一份吊销证书"
+
 msgid "use the GnuPG key backup format"
 msgstr "使用 GnuPG 密钥备份格式"
 
@@ -6192,6 +6197,11 @@ msgstr "RSA 余数缺失或者不是 %d 位长\n"
 msgid "RSA public exponent missing or larger than %d bits\n"
 msgstr "RSA 公钥指数缺失或长于 %d 位\n"
 
+#, fuzzy
+#| msgid "the NullPIN has not yet been changed\n"
+msgid "Note: PIN has not yet been enabled."
+msgstr "尚未变更 NullPIN\n"
+
 #, c-format
 msgid "PIN callback returned error: %s\n"
 msgstr "PIN 回调返回错误:%s\n"
diff --git a/po/zh_TW.po b/po/zh_TW.po
index 720eebbd9..c97ad99e7 100644
--- a/po/zh_TW.po
+++ b/po/zh_TW.po
@@ -1979,6 +1979,11 @@ msgstr "匯出時從金鑰中移除無法使用的部分"
 msgid "remove as much as possible from key during export"
 msgstr "匯出時盡可能地從金鑰中移除"
 
+#, fuzzy
+#| msgid "generate a revocation certificate"
+msgid "export only revocation certificates"
+msgstr "產生撤銷憑證"
+
 msgid "use the GnuPG key backup format"
 msgstr ""
 
@@ -6464,6 +6469,11 @@ msgstr "RSA 模組缺漏或者並非 %d 位元大\n"
 msgid "RSA public exponent missing or larger than %d bits\n"
 msgstr "RSA 公用指數缺漏或者大於 %d 位元\n"
 
+#, fuzzy
+#| msgid "the NullPIN has not yet been changed\n"
+msgid "Note: PIN has not yet been enabled."
+msgstr "NullPIN 還沒有變更過\n"
+
 #, c-format
 msgid "PIN callback returned error: %s\n"
 msgstr "收回個人識別碼 (PIN) 時傳回錯誤: %s\n"
From 75ad0ea6dcad2d0e7ffff06a91fc3f519b448404 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Fri, 9 Dec 2022 09:39:42 +0100
Subject: [PATCH 38/39] Release 2.2.41
---
 NEWS | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/NEWS b/NEWS
index 7349d63d8..cf4cce815 100644
--- a/NEWS
+++ b/NEWS
@@ -1,8 +1,6 @@
-Noteworthy changes in version 2.2.41 (unreleased)
+Noteworthy changes in version 2.2.41 (2022-12-09)
 -------------------------------------------------
 
- * gpg: Also import stray revocation certificates. [rGbd825ead36af]
-
  * gpg: Add a notation to encryption subkeys in de-vs mode. [T6279]
 
  * gpg: Fix trusted introducer for mbox only user-ids. [T6238]
@@ -18,12 +16,15 @@ Noteworthy changes in version 2.2.41 (unreleased)
  * gpg: New --export-filter export-revocs. [rGedbe30c152]
 
- * scd: Support the Telesec Signature Card v2.0. [T6252]
+ * gpg: Import stray revocation certificates to improve WKD
+ usability. [rGbd825ead36af]
 
  * wkd: New option --add-revocs for gpg-wks-client. [rG2f4492f3be]
 
  * wkd: Ignore expired user-ids in gpg-wks-client. [T6292]
 
+ * scd: Support the Telesec Signature Card v2.0. [T6252]
+
  * Fix build regression depending on libgpg-error version. [T6244]
 
  Release-info: https://dev.gnupg.org/T6280
 
From 8c0dedd99b2610396bf5a055b979d51b17782a2b Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Fri, 9 Dec 2022 10:46:26 +0100
Subject: [PATCH 39/39] Post release updates
--
---
 NEWS | 6 ++++++
 configure.ac | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index cf4cce815..96ef13516 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,9 @@
+Noteworthy changes in version 2.2.42 (unreleased)
+-------------------------------------------------
+
+ Release-info: https://dev.gnupg.org/T6307
+
+
 Noteworthy changes in version 2.2.41 (2022-12-09)
 -------------------------------------------------
 
diff --git a/configure.ac b/configure.ac
index 53b804151..52f52951d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -29,7 +29,7 @@ min_automake_version="1.14"
 m4_define([mym4_package],[gnupg])
 m4_define([mym4_major], [2])
 m4_define([mym4_minor], [2])
-m4_define([mym4_micro], [41])
+m4_define([mym4_micro], [42])
 
 # To start a new development series, i.e a new major or minor number
 # you need to mark an arbitrary commit before the first beta release