1. 20 Jan, 2023 4 commits
    • gpg: Replace --override-compliance-check by a real fix. · d98bf02a
      Werner Koch authored
      * common/compliance.c (gnupg_pk_is_allowed): Handle EdDSA.
      * g10/gpg.c (oOverrideComplianceCheck): Remove.
      (opts): Turn --override-compliance-check into a dummy option.
      * g10/options.h (opt): Remove override_compliance_check.
      * g10/sig-check.c (check_key_verify_compliance): Remove use of that
      The introduction of --override-compliance-check actually hid the real
      cause for the signature verification problem in de-vs mode for the
      Ed25519 key.  The real fix is to handle the EdDSA algorithm in
      Fixes-commit: fb26e144
      GnuPG-bug-id: 5655
    • gpg: Do not require --status-fd along with --require-compliance. · b9528830
      Werner Koch authored
      * g10/mainproc.c (check_sig_and_print): Do not check whether status is
      enabled when checking compliance.
    • doc: Update copyright notices. · c0a6b6b2
      Werner Koch authored
      Note that we now print Copyright g10 Code instead of FSF.
    • wkd: Support option --output for command --check. · 33b6ee50
      Werner Koch authored
      * tools/wks-util.c (write_to_file): Rename to ...
      (wks_write_to_file): this, make global, and support NULL for fname.
      * tools/gpg-wks-client.c (command_check): Write to key.
  2. 19 Jan, 2023 4 commits
    • doc: Revert last change to the gpg --unwrap description · e28b6c30
      Werner Koch authored
      Note that --unwrap is an option and not a command.  Thus it modifies
      the behaviour of the default operation or of -d.
    • common: Detect PNG and JPEG file formats. · 9a50be0d
      Werner Koch authored
      * common/miscellaneous.c (is_file_compressed): Add detect code.
      GnuPG-bug-id: 6332
    • wkd: Let gpg-wks-client --supported print some diagnostics. · 227c78ce
      Werner Koch authored
      * tools/call-dirmngr.c (wkd_get_status_cb): Detect and output warning
      and note stati from dirmngr.
      This is in particular helpful to check for non-proper TLS
    • gpg: Detect already compressed data also when using a pipe. · 60963d98
      Werner Koch authored
      * common/iobuf.c (file_filter_ctx_t): Add fields for the peek feature.
      (file_filter): Implement peeking.
      (iobuf_ioctl): Add new IOBUF_IOCTL_PEEK.
      * common/iobuf.h (IOBUF_IOCTL_PEEK, IOBUFCTRL_PEEK): New.
      * common/miscellaneous.c (is_file_compressed): Rewrite.  Detect PDF.
      * g10/encrypt.c (encrypt_simple): Peek before detecting compression.
      (encrypt_crypt): Ditto.
      * g10/sign.c (sign_file): Also detect already compressed data.
      * g10/options.h (opt): Add explicit_compress_option.
      * g10/gpg.c (main): Set opt.explicit_compress_option for -z.
      Note that this patch also introduces a compression check for signing
      which was never done in the past.
      GnuPG-bug-id: 6332
  3. 18 Jan, 2023 2 commits
  4. 12 Jan, 2023 1 commit
    • sm: Fix compliance checking for ECC signature verification. · 338a5eca
      Werner Koch authored
      * common/compliance.c (gnupg_pk_is_compliant): Also consider the
      gcrypt vids for ECDSA et al.
      (gnupg_pk_is_allowed): Ditto.
      * sm/verify.c (gpgsm_verify): Consider the curve.  Print a compliance
      notice for a non-compliant key.
      * sm/certchain.c (gpgsm_validate_chain): Silence the "switching to
      chain model".
  5. 11 Jan, 2023 3 commits
  6. 21 Dec, 2022 1 commit
  7. 16 Dec, 2022 15 commits
  8. 12 Dec, 2022 1 commit
  9. 09 Dec, 2022 2 commits
    • scd:p15: Skip deleted records. · 061efac0
      Werner Koch authored
      * scd/app-p15.c (select_and_read_record): Special case deleted
      records.  Support 3 byte TLVs.
      (read_ef_prkdf): Skip deleted records.
      (read_ef_pukdf): Ditto.
      (read_ef_cdf): Ditto.
      (read_ef_aodf): Ditto.
      This fixes a problem with some CardOS 5 applications.
    • build: Remove Windows CE support. · f32d0c9c
      NIIBE Yutaka authored
      * agent/Makefile.am [HAVE_W32CE_SYSTEM]: Remove.
      * am/cmacros.am [HAVE_W32CE_SYSTEM]: Remove.
      * autogen.sh: Remove W32ce_ variables.
      * configure.ac: Likewise.
      * dirmngr/Makefile.am (extra_bin_ldflags): Remove.
      * g10/Makefile.am [HAVE_W32CE_SYSTEM]: Remove.
      * kbx/Makefile.am: Likewise.
      * sm/Makefile.am (extra_bin_ldflags): Remove.
      * tools/Makefile.am (extra_bin_ldflags): Remove.
      Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
  10. 06 Dec, 2022 1 commit
    • wkd: Do not send/install/mirror expired user ids. · 278f85d1
      Werner Koch authored
      * tools/gpg-wks.h (struct uidinfo_list_s): Add fields expired and
      * tools/wks-util.c (append_to_uidinfo_list): Add args expired and
      (set_expired_revoked): New.
      (wks_list_key): Set expired and revoked.
      (wks_cmd_install_key): Skip expired uids.
      * tools/gpg-wks-client.c (command_check): Print flags.
      (command_send): Ignore expired keys.
      (mirror_one_key): Ditto.
      * g10/export.c (do_export_stream): Silence warning.
      GnuPG-bug-id: 6292
  11. 05 Dec, 2022 5 commits
    • gpgsm: Print the revocation time also with --verify. · 58819c02
      Werner Koch authored
      * sm/certchain.c (is_cert_still_valid): Print revocation reason.
    • gpgsm: Fix "problem re-searching certificate" case. · 1c2bdd80
      Werner Koch authored
      * sm/keydb.c (keydb_set_cert_flags): Fix error test.
    • gpgsm: Print revocation date and reason in cert listings. · b6abaed2
      Werner Koch authored
      * dirmngr/ocsp.c (ocsp_isvalid): Add args r_revoked_at and
      * dirmngr/server.c (cmd_isvalid): Emit a new REVOCATIONINFO status.
      (cmd_checkocsp): Ditto.
      * sm/call-dirmngr.c (struct isvalid_status_parm_s): Add new fields.
      (isvalid_status_cb): Parse REVOCATIONINFO.
      (gpgsm_dirmngr_isvalid): Add args r_revoked_at and
      * sm/gpgsm.h (struct server_control_s): Add fields revoked_art and
      * sm/keylist.c (list_cert_raw): Print revocation date.
      (list_cert_std): Ditto.
      Note that for now we do this only for OCSP because it is an important
      piece of information when using the chain model.  For a sample key see
      commit 7fa1d3cc.
    • gpgsm: Silence the "non-critical certificate policy not allowed". · 4f1b9e3a
      Werner Koch authored
      * sm/certchain.c (check_cert_policy): Print non-critical policy
      warning only in verbose mode.
    • gpgsm: Always use the chain model if the root-CA requests this. · 7fa1d3cc
      Werner Koch authored
      * sm/call-dirmngr.c (gpgsm_dirmngr_isvalid): Do not use
      option --force-default-responder.
      * sm/certchain.c (is_cert_still_valid): Rename arg for clarity.
      (gpgsm_validate_chain): Always switch to chain model.
      The trustlist.txt may indicate that a root CA issues certificates
      which shall be validated using the chain model.  This is for example
      the case for qualified signatures.  Before this change we did this
      only if the default shell model indicated that a certificate has
      expired.  This optimization is technically okay but has one problem:
      The chain model requires the use of OCSP but we switch to this only
      when running the chain model validation.  To catch revoked
      certificates using OCSP we need to always switch to the chain model
      unless OCSP has been enabled anyway.
      Note that the old --force-default-responder option is not anymore
      Test cases are certificates issued by
        # CN=TeleSec qualified Root CA 1
        # O=Deutsche Telekom AG
        # C=DE
        # DE 123475223
        90:C6:13:6C:7D:EF:EF:E9:7C:C7:64:F9:D2:67:8E:AD:03:E5:52:96 \
          S cm qual relax
      A sample revoked certificate is
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
  12. 02 Dec, 2022 1 commit
    • gpg: New export option "mode1003". · 1a85ee9a
      Werner Koch authored
      * agent/command.c (cmd_export_key): Add option --mode1003.
      (command_has_option): Ditto.
      * g10/build-packet.c (do_key): Implement mode 1003.
      * g10/parse-packet.c (parse_key): Ditto.
      * g10/options.h (EXPORT_MODE1003): New.
      * g10/call-agent.c (agent_export_key): Add arg mode1003.
      * g10/export.c (parse_export_options): Add "mode1003"
      (secret_key_to_mode1003): New.
      (receive_seckey_from_agent): Add arg mode1003.
      (do_export_one_keyblock): Pass option down.
      This option allows exporting a secret key in GnuPG's native format.
      Thus no re-encryption is required and further the public key parameters
      are also authenticated if a protection passphrase has been used.
      Note that --import is not yet able to handle this new mode.  Although
      old versions of GnuPG will bail out with "invalid packet" if a mode1003
      exported secret key is seen.