--
The claim that VALIDSIG is the same as GOODSIG is simply wrong.
Attempt to clarify it. Also, the paragraph about primary-key-fpr and
sig-version was weirdly re-ordered during the org-mode conversion in
65eb98966a569a91c97d0c23ba5582a9a7558de0; repair it.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* g10/getkey.c (free_akl): If AKL is NULL, just return.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
Reported-by: Sami Farin.
GnuPG-bug-id: 2045
* scd/Makefile.am (sc_copykeys_*): Remove.
* scd/sc-copykeys.c: Remove.
* scd/pcsc-wrapper.c: Remove.
* scd/{card-common.h,card-dinsig.c,card-p15.c,card.c}: Remove.
--
sc-copykeys doesn't work any more because it's based on old API.
pcsc-wrapper has gone because of nPth which is compatible to pthreads.
The card* files are old files, now we have app*.
* tools/gpgsm-gencert.sh: remove deprecated script entirely. It is
fully replaced by gpgsm --gen-key
* doc/tools.texi: remove gpgsm-gencert.sh documentation
* .gitignore: no longer ignore gpgsm-gencert.sh manpage
* doc/Makefile.am: quit making the manpage
* tools/Makefile.am: quit distributing the script
* doc/howto-create-a-server-cert.texi: overhaul documentation to use
gpgsm --gen-key and tweak explanations
--
The commit deprecating gpgsm-gencert.sh
(81972ca7d53ff1996e0086702a09d4405bdc2a7e) dates back exactly 6 years.
https://codesearch.debian.net/results/gpgsm-gencert.sh
suggests that in all of debian it is only referenced in documentation
(for poldi and scute) and example files (libept), and isn't actually
used directly anywhere.
Furthermore, trying to use gpgsm-gencert.sh to make a simple webserver
certificate-signing request failed for me, following the examples in
doc/howto-create-a-server-cert.texi exactly.
It's time we ripped off this band-aid :)
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* agent/gpg-agent.c (main): Unset INSIDE_EMACS envvar.
--
The variable is set only temporarily when gpg is called from Emacs,
keeping it during the session makes no sense.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
* common/i18n.c (msg_cache_s, msg_cache_head_s): New.
(msgcache): New.
(i18n_localegettext): Implement locale dependent lookup.
--
This is the second and final part of the change to use the gpg
provided locale for Pinentry strings. It does not yet work on
Windows, though.
This commit should resolve
Debian-bug-id: 788983
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/session-env.c (stdenvnames): Add DBUS_SESSION_BUS_ADDRESS.
--
pinentry-gnome3 talks to the gcr prompter via dbus. Without this
environment variable, it can't find the correct session to talk to.
* agent/agent.h (LunderscorePROTO): New.
* common/util.h (GNUPG_GCC_ATTR_FORMAT_ARG): New.
* common/i18n.h (GNUPG_GCC_ATTR_FORMAT_ARG): New. Use for
i18n_localegettext. Expand LunderscorePROTO.
* agent/genkey.c (check_passphrase_constraints): Use xtryasprintf
again to keep the old translations.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
* po/Makevars (XGETTEXT_OPTIONS): Add keyword "L_".
* common/i18n.c (i18n_localegettext): New stub.
* common/i18n.h: Expand the LunderscoreIMPL macro.
* agent/agent.h (L_): New.
(LunderscoreIMPL): New.
* agent/call-pinentry.c (setup_qualitybar): Add arg ctrl anc change
caller.
* agent/findkey.c (try_unprotect_cb): Add local var ctrl.
* agent/genkey.c (check_passphrase_constraints): Replace xtryasprintf
by xtrystrdup to avoid gcc warning. Unfortinately this changes the
string.
(agent_ask_new_passphrase): Cleanup the use of initial_errtext.
--
Static strings in gpg-agent need to be translated according to the
locale set by the caller. This is required so that a gpg-agent can be
started in one locale and a gpg can be run in another. If we don't do
this the static strings (prompt, buttons) are not or in the wrong
locale translated while dynamic strings (e.g. key description) uses
the locale of gpg.
This is only the first part of the change the actual local switching
still needs to be implemented.
Debian-bug-id: 788983
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/gpg-agent.c (create_server_socket): Add arg "cygwin". Call
assuan_sock_set_flag if Assuan version is recent enough.
(main): Create ssh server socket with Cygwin flag set.
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/agent.h (check_passphrase_constraints): Add parameter
failed_constraint and remove parameter silent. Update callers.
* agent/genkey.c (check_passphrase_constraints): Add parameter
failed_constraint and remove parameter silent. If FAILED_CONSTRAINT
is not NULL and OPT.ENFORCE_PASSPHRASE_CONSTRAINTS is FALSE, save the
error text in *FAILED_CONSTRAINT and don't call take_this_one_anyway
or take_this_one_anyway2. If FAILED_CONSTRAINT is NULL, act as if
SILENT was set.
(agent_ask_new_passphrase): Change initial_errtext's type from a const
char * to a char *. Pass it to check_passphrase_constraints. If it
contains malloc's memory, free it.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
Based on a patch provided by Watson Yuuma Sato <yuuma.sato@gmail.com>
in issue 2018.
* agent/gpg-agent.c (finalize_rereadable_options): Don't raise
max-cache-ttl to default-cache-ttl. Likewise for max-cache-ttl-ssh
and default-cache-ttl-ssh.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
This closes issue #2009.
* g10/parse-packet.c (parse): Make the description more accurate when
listing packets: old format packets don't support partial lengths,
only indeterminate lengths (RFC 4880, Section 4.2).
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
* agent/agent.h (opt): Remove field ssh_support.
* agent/gpg-agent.c (ssh_support): New. Replace all opt.ssh_support
by this.
(main): Do not set ssh_support along with setting putty_support.
Signed-off-by: Werner Koch <wk@gnupg.org>
* sm/server.c (option_handler): Add "offline".
(cmd_getinfo): Ditto.
* sm/certchain.c (is_cert_still_valid):
(do_validate_chain):
* sm/gpgsm.c (gpgsm_init_default_ctrl): Default "offline" to the value
of --disable-dirmngr.
* sm/call-dirmngr.c (start_dirmngr_ext): Better also check for
ctrl->offline.
--
Adding this option makes it easier to implement the corresponding
feature in gpgme.
Signed-off-by: Werner Koch <wk@gnupg.org>
* sm/keydb.c (keydb_store_cert): Clear ephemeral flag for
existing certs if store should not be ephemeral.
--
Previously keydb_store_cert would ignore ephemeral certificates
when asked to store a non ephemeral certificate and insert
it again without the flags. This resulted in duplicated
certificates in the keybox.
GnuPG-bug-id: 1921
Signed-off-by: Andre Heinecke <aheinecke@intevation.de>
* g13/g13.c: Make use of debug_parse_flag.
* scd/scdaemon.c: Ditto.
* sm/gpgsm.c: Ditto
* agent/gpg-agent.c: Ditto. But do not terminate on "help"
* dirmngr/dirmngr.c: Ditto.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/adpu.c (pcsc_pinpad_verify, pcsc_pinpad_modify): Bigger buffer
for TPDU card reader.
--
GnuPG-bug-id: 2003, 2004
This is needed for PC/SC on Debian Jessie. Note that it's not only
for Cherry ST-2000, but also, for any TPDU card readers.
* g10/gpg.c (opts): Change arg for oDebug to a string.
(debug_flags): New; factored out from set_debug.
(set_debug): Remove "--debug-level help". Use parse_debug_flag to
print the used flags.
(main): Use parse_debug_flag for oDebug.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/keydb.c (kid_list_s): Keep a state in the table.
(kid_not_found_table): Rename to kid_found_table.
(n_kid_not_found_table): Rename to kid_found_table_count.
(kid_not_found_p): Return found state.
(kid_not_found_insert): Add arg found.
(keydb_search): Store found state in the table.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/apdu.c (pcsc_vendor_specific_init): Set pinmax to 15.
* scd/ccid-driver.c (ccid_transceive_secure): Add zero for the
template of APDU.
--
GnuPG-bug-id: 2003, 2004
* g10/keylist.c (keylist_context): Add field good_sigs.
(list_keyblock_print): Updated good_sigs.
(print_signature_stats): Print number of good signatures and use
log_info instead of tty_printf.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/keydb.c (kid_list_t): New.
(kid_not_found_table, n_kid_not_found_table): New.
(kid_not_found_p, kid_not_found_insert, kid_not_found_flush): New.
(keydb_insert_keyblock): Flush the new cache.
(keydb_delete_keyblock): Ditto.
(keydb_update_keyblock): Ditto.
(keydb_search): Use the new cache.
(keydb_dump_stats): New.
* g10/gpg.c (g10_exit): Dump keydb stats.
--
What we do here is to keep track of key searches by long keyids (as
stored in all signatures) so that we do not need to scan the keybox
again after we already found that this keyid will result in
not-found. As soon as we change gpg to run as a co-process we should
store this table per session because other instances of gpg may have
updated the keybox without us knowing.
On a test ring with
gpg: 94721 good signatures
gpg: 6831 bad signatures
gpg: 150703 signatures not checked due to missing keys
gpg: 5 signatures not checked due to errors
gpg: keydb: kid_not_found_table: total: 14132
this new cache speeds a --check-sigs listing up from 28 minutes to
less than 3 minutes.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/ldap-wrapper.c (ldap_wrapper_thread): Do not close the
stdout reader after EOF from read_log_data.
* dirmngr/crlcache.c (crl_cache_reload_crl): Close the reader before
the next iteration.
--
I assumed that the log_fd also has a reader object but that reader
object is used for stdout and needs to be closed by the consumer.
The real bug with the non-released ldap_wrapper control objects was
that when looping over distribution points we did not closed the used
reader object before the next iteration. Now, the test case had more
than one DP and thus we lost one reader object.
Signed-off-by: Werner Koch <wk@gnupg.org>