summaryrefslogtreecommitdiffstats
path: root/README (unfollow)
Commit message (Collapse)AuthorFilesLines
2024-11-25po: Update Traditional Chinese Translation.Kisaragi Hiu1-832/+748
-- - Follow conventions from other zh_TW user interfaces - Use "確定" for "OK" like KDE - Remove extra space between keyboard accelerator like in "取消(_C)" - Follow conventions of modern zh_TW - Character -> 字元 - 衹有 -> 「只」有 - Fix some "pinentry" translations Sometimes it was translated as an entry of PIN codes among a list and not the "pinentry" tool Signed-off-by: Kisaragi Hiu <mail@kisaragi-hiu.com>
2024-11-25gpg: Fix modifying signature data by pk_verify for Ed25519.NIIBE Yutaka1-6/+21
* g10/pkglue.c (pk_verify): When fixing R and S, make sure those are copies. -- GnuPG-bug-id: 7426 Fixing-commit: 0a5a854510fda6e6990938a3fca424df868fe676 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> Also avoid clearing the error by the S code of a failed mpi_print of R. Signed-off-by: Werner Koch <wk@gnupg.org>
2024-11-25common: Change daemon startup timeout from 5 to 8 seconds.Werner Koch1-3/+3
* common/asshelp.c (SECS_TO_WAIT_FOR_AGENT): Change from 5 to 8 seconds. (SECS_TO_WAIT_FOR_KEYBOXD): Ditto. (SECS_TO_WAIT_FOR_DIRMNGR): Ditto. -- Experience on Windows showed that right after re-booting we may need some more time to get things up.
2024-11-22gpg: Fix comparing ed448 vs ed25519 with --assert-pubkey-algo.Werner Koch2-1/+25
* g10/keyid.c (extra_algo_strength_offset): New. (compare_pubkey_string_part): Use the mapping. -- GnuPG-bug-id: 6425
2024-11-22doc: Explain that qualified.txt is a legacy method.Werner Koch1-10/+14
--
2024-11-18scd: No hard lock-up when apdu_connect never returns.NIIBE Yutaka1-4/+15
* scd/app.c (new_card_lock): New. (select_application): Scanning is serialized by NEW_CARD_LOCK. For app_new_register, we hold the W-lock. (initialize_module): Initialize NEW_CARD_LOCK. -- GnuPG-bug-id: 7402 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-11-15gpgconf: Include a minimal secure version in the --query-swdb output.Werner Koch1-2/+7
* tools/gpgconf.c (query_swdb): Parse the new minver tag.
2024-11-14gpg: Consider Kyber to be de-vs compliant.Werner Koch1-13/+61
* common/compliance.c (gnupg_pk_is_compliant) <CO_DE_VS>: Consider Brainpool Kyber variants compliant. (gnupg_pk_is_allowed): Ditto. (assumed_de_vs_compliance): Remove variable. (get_assumed_de_vs_compliance): New. (get_compliance_cache): Use new accessor. (gnupg_status_compliance_flag): Ditto. -- Use GNUPG_ASSUME_COMPLIANCE=de-vs gpg --compliance=de-vs .... for testing. This returns 2023 instead of 23 to indicate the non-approval state. GnuPG-bug-id: 6638
2024-11-14gpg: Allow "Kyber" as algorithm for the Subkey-Type keyword.Werner Koch1-0/+2
* g10/keygen.c (get_parameter_algo): Make "KYBER" to PUBKEY_ALGO_KYBER. -- GnuPG-bug-id: 7397
2024-11-14gpg: For composite algos add the algo string to the colons listings.Werner Koch3-2/+20
* g10/keylist.c (list_keyblock_colon): Put the algo string into the curve field for Kyber. -- GnuPG-bug-id: 6638
2024-11-13gpg: Add option to create Kyber with --full-gen-key.Werner Koch2-8/+167
* g10/keygen.c (PQC_STD_KEY_PARAM_PRI, PQC_STD_KEY_PARAM_SUB): New. (PQC_STD_KEY_PARAM): Construct from above. (gen_kyber): Allow short curve names. (ask_algo): Add Entry for ecc+kyber. (ask_kyber_variant): New. (generate_keypair): Generate ECC primary and Kyber sub. -- GnuPG-bug-id: 6638
2024-11-12gpgconf: Show also the used nPth version with -VWerner Koch1-1/+4
* dirmngr/dirmngr.c (gpgconf_versions): Get and show nPth version. -- Note that this requires nPth 1.8
2024-11-12gpg-mail-tube: Fix content type for an attached non-plaintext.Werner Koch1-2/+3
* tools/gpg-mail-tube.c (mail_tube_encrypt): Fix content type for an attached message. -- We can't use message/rfc822 if we encrypt this message as a simple PGP file.
2024-11-12scd: Clean up app_send_active_apps and app_send_card_list.NIIBE Yutaka1-8/+6
* scd/app.c (send_card_and_app_list): Only handle the case with WANTCARD=NULL. (app_send_card_list): Follow the change. (app_send_active_apps): Factor out the case with WANTCARD!=NULL. -- Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-11-11scd: Fix a memory leak.NIIBE Yutaka1-0/+4
* scd/app-help.c (app_help_read_length_of_cert): Free the BUFFER. -- Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-11-11scd: Fix resource leaks on error paths.NIIBE Yutaka2-4/+13
* scd/app-dinsig.c (do_readcert): Don't return directly but care about releasing memory. * scd/app-nks.c (readcert_from_ef): Likewise. -- Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-11-08gpg: Improve wording for only-pubkeys.Werner Koch2-2/+3
* g10/import.c (parse_import_options): Add a description to only-pubkeys. -- See gnupg-devel for a brief discussion.
2024-11-07gpgtar: Make sure to create upper directories for regular files.Werner Koch2-31/+74
* tools/gpgtar-extract.c (extract_directory): Factor parent directory creation out to .. (try_mkdir_p): new. (extract_regular): Create directory on ENOENT. * g10/pubkey-enc.c (get_it): Use log_info instead of log_error if the public key was not found for preference checking. -- If tarball was created with tar cf tarball file1.txt foo/file2.txt the tarball has no entry for foo/ and thus the extraction fails. This patch fixes this. GnuPG-bug-id: 7380 The second patch avoid a wrong exist status status line due to the use of log_error. But the actual cause needs stuill needs tobe investigated.
2024-11-07gpg-mail-type: Assume text/plain for missing content-type.Werner Koch1-10/+14
* tools/gpg-mail-tube.c (mail_tube_encrypt): Rename var ct_text for clarity. Replace debug diagnostic by log_info. Assume text/plain for missing content-type. -- Without this fix we would create message/rfc822 attachment instead of a text/plain attachment with the encrypted body.
2024-11-07gpgtar: Use log-file from common.conf only in --batch mode.Werner Koch2-3/+7
* tools/gpgtar.c (main): Do it. -- This makes the interactive use of gpgtar more convenient and is more aligned to what gpg and gpgsm do.
2024-11-07scd: Fix getinfo active_apps.NIIBE Yutaka1-1/+3
* scd/app.c (send_card_and_app_list): Avoid locking recursively. -- Fixes-commit: 25a140542a9186a27b7df9cd3ca3d478b59cbf1b GnuPG-bug-id: 7323 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-11-06scd: Serialize CARD access for send_card_and_app_list.NIIBE Yutaka1-2/+7
* scd/app.c (send_card_and_app_list): Lock the CARD. -- GnuPG-bug-id: 7323 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-11-05po: Align German trustlist question to what we use in Kleopatra.Werner Koch1-5/+2
-- This replaces our long standing wedding style prompt to something more straight.
2024-10-31gpg: Allow the use of an ADSK subkey as ADSK subkey.Werner Koch4-10/+16
* g10/packet.h (PKT_public_key): Increased size of req_usage to 16. * g10/getkey.c (key_byname): Set allow_adsk in the context if ir was requested via req_usage. (finish_lookup): Allow RENC usage matching. * g10/keyedit.c (append_adsk_to_key): Adjust the assert. * g10/keygen.c (prepare_adsk): Also allow to find an RENC subkey. -- If an ADSK is to be added it may happen that an ADSK subkey is found first and this should then be used even that it does not have the E usage. However, it used to have that E usage when it was added. While testing this I found another pecularity: If you do gpg -k ADSK_SUBKEY_FPR without the '!' suffix and no corresponding encryption subkey is dound, you will get an unusabe key error. I hesitate to fix that due to possible side-effects. GnuPG-bug-id: 6882
2024-10-31agent: Fix status output for LISTTRUSTED.NIIBE Yutaka1-2/+2
* agent/trustlist.c (istrusted_internal): When LISTMODE is enabled, TRUSTLISTFPR status output should be done. -- GnuPG-bug-id: 7363 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> Fixes-commit: 4275d5fa7a51731544d243ba16628a9958ffe3ce
2024-10-30gpg: Do not fail with an error for a "Note:" diagnosticWerner Koch1-2/+2
* g10/trustdb.c (validate_keys): Use log_info instead of log_error for not found or expired UTKs. -- Actually the not-found case used log_error for decades. The semantically simialr expired case did thus the same. The actual problem is for example in the import case where gpg exits with a failure despite that a key validation was requested. GnuPG-bug-id: 7351
2024-10-29speedo: Enable additional runtime protections on Windows.Werner Koch1-1/+1
* build-aux/speedo.mk (speedo_w32_cflags): Remove -mms-bitfields because it is for a long time the gcc default. Enable control flow protection. -- Note that due to mingw static linking problems with libssp the stack protector is not yet enabled. (cherry picked from commit afe87ffc08e14317f4ef5bbe2940d07203a43808)
2024-10-23gpgsm: Terminate key listing on output write error.Werner Koch4-15/+74
* sm/keylist.c (list_internal_keys): Detect write errors to the output stream. * sm/server.c (any_failure_printed): New var. (gpgsm_status2): Handle new var. Move statusfp init to ... (gpgsm_init_statusfp): new function. (gpgsm_exit_failure_status): New. * sm/gpgsm.c (main): Explicit statusfp init. (gpgsm_exit): Print failure status on error. -- Test by using gpgsm -k >/dev/full gpgsm -k --wit-colons >/dev/full and also by redirecting to a file on a small partition. GnuPG-bug-id: 6185
2024-10-22agent: Fix resource leak for PRIMARY_CTX.NIIBE Yutaka1-0/+3
* agent/call-daemon.c (wait_child_thread): Call assuan_release for PRIMARY_CTX when it's kept for reuse. -- Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-10-21common: Fix test for the assumed compliance.Werner Koch1-1/+1
* common/compliance.c (gnupg_status_compliance_flag): Fix test. -- In general the cache is used to query this flag but in this function it is used directly and we need to adjust the test. Thanks to Ingo for reporting this.
2024-10-16build: Don't remove --disable-endian-check.NIIBE Yutaka2-5/+23
* configure.ac (WORDS_BIGENDIAN): Use the autoconf macro, instead of our own BIG_ENDIAN_HOST. (DISABLED_ENDIAN_CHECK): Keep --disable-endian-check supported. * g10/rmd160.c (transform): Use WORDS_BIGENDIAN. -- Fixes-commit: f8bf5e01f76620cc550253cc2575754872cf64aa Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-10-16common: Fix a race condition in creating socketdir.NIIBE Yutaka1-4/+14
* common/homedir.c (_gnupg_socketdir_internal): Check return code of gnupg_mkdir and handle the case of GPG_ERR_EEXIST. -- GnuPG-bug-id: 7332 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-10-15gpgsm: Fix cached istrusted lookup.Werner Koch1-0/+2
* sm/call-agent.c (gpgsm_agent_istrusted): Actually set istrusted list. -- Fixes-commit: 9087c1d3637cf1c61744ece0002dc0dc5675d7c9
2024-10-14dirmngr: Print a brief list of URLs with LISTCRLS.Werner Koch3-0/+9
* dirmngr/crlcache.c (crl_cache_list): Print a summary of URLs. * sm/call-dirmngr.c (gpgsm_dirmngr_run_command): Print a notice to stdout if the dirmngr has been disabled. -- GnuPG-bug-id: 7337
2024-10-11build: Use AC_C_BIGENDIAN for detecting endian.NIIBE Yutaka2-83/+4
* acinclude.m4 (GNUPG_CHECK_ENDIAN): Remove. * configure.ac (BIG_ENDIAN_HOST): Use AC_C_BIGENDIAN to detect endian and set BIG_ENDIAN_HOST. -- Reported-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-10-08common,gpg,scd,sm: Fix for Curve25519 OID supporting new and old.NIIBE Yutaka9-19/+28
* common/util.h (openpgp_curve_to_oid): Add new argument to select OID by OpenPGP version. * common/openpgp-oid.c (openpgp_curve_to_oid): Implement returning selected OID for Curve25519. * common/openpgp-fpr.c (compute_openpgp_fpr_ecc): Follow the change, selecting by the version. * g10/export.c (match_curve_skey_pk): Likewise. (transfer_format_to_openpgp): Likewise. * g10/gpg.c (list_config): Likewise, print new OID. * g10/keygen.c (ecckey_from_sexp): Likewise, selecting by the version. * sm/encrypt.c (ecdh_encrypt): Likewise, don't care. * sm/minip12.c (build_ecc_key_sequence): Likewise, new OID. * scd/app-openpgp.c (ecdh_params, gen_challenge): Likewise, don't care. (ecc_read_pubkey, change_keyattr_from_string, ecc_writekey): Likewise, old OID. -- GnuPG-bug-id: 7316 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-10-08common,gpg,scd,sm: Use openpgp_oid_or_name_to_curve to get curve.NIIBE Yutaka4-16/+5
* common/sexputil.c (pubkey_algo_string): Use openpgp_oid_or_name_to_curve. * g10/card-util.c (current_card_status, ask_card_keyattr): Likewise. * scd/app-piv.c (writekey_ecc): Likewise. * sm/fingerprint.c (gpgsm_get_key_algo_info): Likewise. -- Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-10-07Implement GNUPG_ASSUME_COMPLIANCE envvar for testingWerner Koch4-5/+33
* common/compliance.c (assumed_de_vs_compliance): New. (get_compliance_cache): Check envvar and fake compliance. (gnupg_status_compliance_flag): Return 2023 for de-vs if in faked mode. * g10/gpg.c (gpgconf_list): For compliance_de_vs return 23 or 2023. -- The user visible changes are that GNUPG_ASSUME_COMPLIANCE=de-vs gpgconf --list-options gpg \ | awk -F: '$1=="compliance_de_vs" {print $8}' returns 2023 if "compliance de-vs" is found in gpg.conf. If eventually the software is arpproved the returned value will be 23 and not 1 as it was before. Consumers should check whether they see value of true (Kleopatra does this right now) and also check whether the value is > 2000 and in this case print a beta/non-approved warning. The envvar is currently used to assume that the underlying libgcrypt is compliant and approved. This is not yet the case but eventually libgcrypt will announce this itself and from then on the envvar is not anymore required for testing.
2024-10-07gpg: Emit status error for an invalid ADSK.Werner Koch2-0/+3
* g10/keygen.c (prepare_adsk): Emit status error. -- This is useful for GPGME. GnuPG-bug-id: 7322
2024-10-04gpgsm: Add compatibility flag no-keyinfo-cacheWerner Koch3-0/+9
* sm/gpgsm.c (compatibility_flags): Add flag. * sm/gpgsm.h (COMPAT_NO_KEYINFO_CACHE): New. * sm/call-agent.c (gpgsm_agent_istrusted): Act upon it. (gpgsm_agent_keyinfo): Ditto.
2024-10-02gpgsm: Implement a cache for the KEYINFO queries.Werner Koch4-20/+154
* sm/gpgsm.h (struct keyinfo_cache_item_s): New. (struct server_control_s): Add keyinfo_cache and keyinfo_cache_valid. * sm/call-agent.c (keyinfo_cache_disabled): New flag. (release_a_keyinfo_cache): New. (gpgsm_flush_keyinfo_cache): New. (struct keyinfo_status_parm_s): New. (keyinfo_status_cb): Implement a fill mode. (gpgsm_agent_keyinfo): Implement a cache. * sm/server.c (reset_notify): Flush the cache. * sm/gpgsm.c (gpgsm_deinit_default_ctrl): Ditto. -- In almost all cases we have just a few private keys in the agent and thus it is better to fetch them early. This does not work in a restricted connection but we take care and disable the cache in this case. This cache gives a a minor speed up. GnuPG-bug-id: 7308
2024-10-02gpgsm: Use a cache for ISTRUSTED queries.Werner Koch1-19/+122
* sm/call-agent.c (struct istrusted_cache_s): New. (istrusted_cache, istrusted_cache_valid): New. (istrusted_cache_disabled): New. (flush_istrusted_cache): New. (struct istrusted_status_parm_s): New. (istrusted_status_cb): Fill the cache. (gpgsm_agent_istrusted): Implement a cache. -- Not a really measurable performance improvements on Linux but maybe somewhat on Windows (not yet tested). However, it does not clutter the log files with IPC calls returning NOT_TRUSTED. GnuPG-bug-id: 7308
2024-10-01agent: Add option --status to the LISTRUSTED command.Werner Koch3-16/+60
* agent/trustlist.c (istrusted_internal): Add arg listmode and print new status line in this mode. Adjust callers. (agent_listtrusted): Add new args ctrl and status_mode. Get all trusted keys and then call is_trusted_internal for all of them. * agent/command.c (cmd_listtrusted): Add new option --status. -- This allows in a non-restricted connection to list all trusted keys in one go.
2024-10-01gpgsm: Possible improvement for some rare P12 files.Werner Koch1-1/+1
* sm/minip12.c (parse_shrouded_key_bag): Increase size of salt buffer. -- Reported on the mailing list. The change does not seem to have a big regression risk, thus applied. See below for the mail # ------------------------ >8 ------------------------ https://lists.gnupg.org/pipermail/gnupg-users/2024-September/067312.html
2024-10-01gpgconf: Add list flag to trusted-key et al.Werner Koch1-3/+3
* tools/gpgconf-comp.c (known_options_gpg): Add list flag to sume options. -- GnuPG-bug-id: 7313
2024-10-01gpg: Robust error handling for SCD READKEY.NIIBE Yutaka1-8/+10
* g10/keygen.c (ask_algo): List the card key only when it's valid. -- GnuPG-bug-id: 7309 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-09-30gpgsm: Silence messages about dirmngr cache lookup failed.Werner Koch1-2/+14
* sm/certchain.c (find_up_dirmngr): Skip if we know that there is no dirmngr.
2024-09-30gpgsm: Silence the fingerprint output in quiet mode.Werner Koch1-5/+9
* sm/certchain.c (ask_marktrusted): Avoid fingerprint printing in quiet mode -- And also don't print it anymore after the agent told us that the feature has been disabled.
2024-09-30gpgsm: Use a cache to speed up parent certificate lookup.Werner Koch3-8/+114
* sm/gpgsm.h (COMPAT_NO_CHAIN_CACHE): New. (struct cert_cache_item_s, cert_cache_item_t): New. (struct server_control_s): Add parent_cert_cache. * sm/gpgsm.c (compatibility_flags): Add "no-chain-cache". (parent_cache_stats): New. (gpgsm_exit): Print the stats with --debug=memstat. (gpgsm_deinit_default_ctrl): Release the cache. * sm/certchain.c (gpgsm_walk_cert_chain): Cache the certificates. (do_validate_chain): Ditto. -- This gives another boost of 30% (from 6.5 to 4.0 seconds in the test environment with ~1000 certs). do_validate_chain actually brings us the speedup becuase the gpgsm_walk_cert_chain is not used during a key listing. For the latter we actually cache all certificates because that was easier. GnuPG-bug-id: 7308
2024-09-27sm: Optmize clearing of the ephemeral flag.Werner Koch2-0/+25
* kbx/keybox-search.c (keybox_get_cert): Store the blob clags in the cert object. * sm/certchain.c (do_validate_chain): Skip clearing of the ephemeral flag if we know that it is not set. -- GnuPG-bug-id: 7308