author | NIIBE Yutaka <[email protected]> | 2025-08-04 05:11:41 +0000 |
---|---|---|
committer | NIIBE Yutaka <[email protected]> | 2025-08-04 05:11:41 +0000 |
commit | e148f888c99773df3d8e326ab98d55ba6c0b8575 (patch) | |
tree | 5651274b59dc6c8c89a1b19f8c0a6574ed6aeaa3 | |
parent | w32: Synchronous spawning gpg-agent/dirmngr/keyboxd. (diff) | |
parent | agent: Fix for smartcard decryption, checking compressed format. (diff) | |
download | gnupg-e148f888c99773df3d8e326ab98d55ba6c0b8575.tar.gz gnupg-e148f888c99773df3d8e326ab98d55ba6c0b8575.zip |
Merge branch 'master' into gniibe/synch-spawn
-rw-r--r-- | NEWS | 22 | ||||
-rw-r--r-- | agent/agent.h | 3 | ||||
-rw-r--r-- | agent/call-scd.c | 2 | ||||
-rw-r--r-- | agent/command.c | 16 | ||||
-rw-r--r-- | agent/divert-scd.c | 7 | ||||
-rw-r--r-- | artwork/gnupg-favicon-3.ico | bin | 0 -> 1150 bytes | |||
-rw-r--r-- | artwork/gnupg-lock-rb-256x256tr.png | bin | 0 -> 18957 bytes | |||
-rw-r--r-- | artwork/gnupg-lock.png | bin | 0 -> 258441 bytes | |||
-rw-r--r-- | artwork/gnupg-logo-1500x500-inv.png | bin | 0 -> 26326 bytes | |||
-rw-r--r-- | common/compliance.c | 71 | ||||
-rw-r--r-- | common/compliance.h | 1 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | dirmngr/ks-action.c | 6 | ||||
-rw-r--r-- | dirmngr/ks-action.h | 2 | ||||
-rw-r--r-- | dirmngr/ks-engine-ldap.c | 112 | ||||
-rw-r--r-- | dirmngr/ks-engine.h | 2 | ||||
-rw-r--r-- | dirmngr/server.c | 7 | ||||
-rw-r--r-- | doc/DETAILS | 50 | ||||
-rw-r--r-- | doc/HACKING | 20 | ||||
-rw-r--r-- | doc/gpg.texi | 16 | ||||
-rw-r--r-- | doc/gpgv.texi | 5 | ||||
-rw-r--r-- | g10/build-packet.c | 35 | ||||
-rw-r--r-- | g10/gpg.c | 7 | ||||
-rw-r--r-- | g10/gpgv.c | 7 | ||||
-rw-r--r-- | g10/import.c | 4 | ||||
-rw-r--r-- | g10/keydb.h | 14 | ||||
-rw-r--r-- | g10/keyedit.c | 4 | ||||
-rw-r--r-- | g10/keylist.c | 49 | ||||
-rw-r--r-- | g10/main.h | 1 | ||||
-rw-r--r-- | g10/mainproc.c | 5 | ||||
-rw-r--r-- | g10/options.h | 4 | ||||
-rw-r--r-- | g10/packet.h | 16 | ||||
-rw-r--r-- | g10/sign.c | 71 | ||||
-rw-r--r-- | po/ca.po | 3 | ||||
-rw-r--r-- | po/cs.po | 3 | ||||
-rw-r--r-- | po/da.po | 3 | ||||
-rw-r--r-- | po/de.po | 5 | ||||
-rw-r--r-- | po/el.po | 3 | ||||
-rw-r--r-- | po/eo.po | 3 | ||||
-rw-r--r-- | po/es.po | 3 | ||||
-rw-r--r-- | po/et.po | 3 | ||||
-rw-r--r-- | po/fi.po | 3 | ||||
-rw-r--r-- | po/fr.po | 3 | ||||
-rw-r--r-- | po/gl.po | 3 | ||||
-rw-r--r-- | po/hu.po | 3 | ||||
-rw-r--r-- | po/id.po | 3 | ||||
-rw-r--r-- | po/it.po | 3 | ||||
-rw-r--r-- | po/ja.po | 3 | ||||
-rw-r--r-- | po/nb.po | 3 | ||||
-rw-r--r-- | po/nl.po | 3 | ||||
-rw-r--r-- | po/pl.po | 3 | ||||
-rw-r--r-- | po/pt.po | 3 | ||||
-rw-r--r-- | po/ro.po | 3 | ||||
-rw-r--r-- | po/ru.po | 3 | ||||
-rw-r--r-- | po/sk.po | 3 | ||||
-rw-r--r-- | po/sv.po | 3 | ||||
-rw-r--r-- | po/tr.po | 3 | ||||
-rw-r--r-- | po/uk.po | 3 | ||||
-rw-r--r-- | po/zh_CN.po | 3 | ||||
-rw-r--r-- | po/zh_TW.po | 3 | ||||
-rw-r--r-- | sm/call-agent.c | 6 | ||||
-rw-r--r-- | sm/keylist.c | 1 | ||||
-rw-r--r-- | tools/decrypt.bat | 31 |
63 files changed, 612 insertions, 70 deletions
@@ -1,6 +1,26 @@ -Noteworthy changes in version 2.5.10 (unreleased) +Noteworthy changes in version 2.5.11 (unreleased) ------------------------------------------------- + Release-info: https://dev.gnupg.org/T7743 + + +Noteworthy changes in version 2.5.10 (2025-07-25) +------------------------------------------------- + + * gpg: Add a notation with version information to signatures. See + doc/DETAILS for, well, details. [rG11d3a83b04] + + * gpgv: New option --print-notation. [rGe3cc410003] + + * gpgsm: Fix caching of the trustlist's flags. [T7738] + + * agent: Fix for smartcard decryption returning x-coordinate only. + [T7709] + + * agent: Another fix for a regression with unknown curves and ssh. + See also 2.5.4. [rG55db12472f] + + * dirmngr: Implement command KS_DEL for ldap servers. [T5447] Release-info: https://dev.gnupg.org/T7719 diff --git a/agent/agent.h b/agent/agent.h index e891981b2..d1192f505 100644 --- a/agent/agent.h +++ b/agent/agent.h @@ -769,7 +769,8 @@ int agent_card_pkdecrypt (ctrl_t ctrl, void *getpin_cb_arg, const char *desc_text, const unsigned char *indata, size_t indatalen, - char **r_buf, size_t *r_buflen, int *r_padding); + unsigned char **r_buf, size_t *r_buflen, + int *r_padding); int agent_card_readcert (ctrl_t ctrl, const char *id, char **r_buf, size_t *r_buflen); diff --git a/agent/call-scd.c b/agent/call-scd.c index 28669206c..f47deb83e 100644 --- a/agent/call-scd.c +++ b/agent/call-scd.c @@ -609,7 +609,7 @@ agent_card_pkdecrypt (ctrl_t ctrl, void *getpin_cb_arg, const char *desc_text, const unsigned char *indata, size_t indatalen, - char **r_buf, size_t *r_buflen, int *r_padding) + unsigned char **r_buf, size_t *r_buflen, int *r_padding) { int rc; char line[ASSUAN_LINELENGTH]; diff --git a/agent/command.c b/agent/command.c index a9eb0104e..dcb758e37 100644 --- a/agent/command.c +++ b/agent/command.c 
@@ -541,14 +541,26 @@ cmd_istrusted (assuan_context_t ctx, char *line) { ctrl_t ctrl = assuan_get_pointer (ctx); int rc, n, i; - char *p; + char *p, *pn; char fpr[41]; /* Parse the fingerprint value. */ + pn = NULL; /* Indicates that we have not reparsed. */ + parseagain: for (p=line,n=0; hexdigitp (p); p++, n++) ; if (*p || !(n == 40 || n == 32)) - return set_error (GPG_ERR_ASS_PARAMETER, "invalid fingerprint"); + { + if (!pn && *p && strchr (p, ':')) + { + for (pn=p=line; *p ; p++) + if (*p != ':') + *pn++ = *p; + *pn = 0; + goto parseagain; + } + return set_error (GPG_ERR_ASS_PARAMETER, "invalid fingerprint"); + } i = 0; if (n==32) { diff --git a/agent/divert-scd.c b/agent/divert-scd.c index 7e0d8eccb..e0b5164b5 100644 --- a/agent/divert-scd.c +++ b/agent/divert-scd.c @@ -394,7 +394,7 @@ divert_pkdecrypt (ctrl_t ctrl, int depth; const unsigned char *ciphertext; size_t ciphertextlen; - char *plaintext; + unsigned char *plaintext; size_t plaintextlen; bin2hex (grip, 20, hexgrip); @@ -504,7 +504,7 @@ agent_card_ecc_kem (ctrl_t ctrl, const unsigned char *ecc_ct, size_t ecc_point_len, unsigned char *ecc_ecdh) { gpg_error_t err = 0; - char *ecdh = NULL; + unsigned char *ecdh = NULL; size_t len; int rc; char hexgrip[KEYGRIP_LEN*2+1]; @@ -517,7 +517,8 @@ agent_card_ecc_kem (ctrl_t ctrl, const unsigned char *ecc_ct, if (len == ecc_point_len) memcpy (ecc_ecdh, ecdh, len); - else if ((len - 1) * 2 == ecc_point_len - 1 && ecdh[0] == 0x02) + else if (len && (len - 1) * 2 == ecc_point_len - 1 + && (ecdh[0] & ~1) == 0x02) { /* It's x-coordinate-only (compressed) point representation. */ memcpy (ecc_ecdh, ecdh, len); diff --git a/artwork/gnupg-favicon-3.ico b/artwork/gnupg-favicon-3.ico Binary files differnew file mode 100644 index 000000000..89a496069 --- /dev/null +++ b/artwork/gnupg-favicon-3.ico diff --git a/artwork/gnupg-lock-rb-256x256tr.png b/artwork/gnupg-lock-rb-256x256tr.png Binary files differnew file mode 100644 index 000000000..202a4c29a --- /dev/null 
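Review bot: The in-place colon stripping and the `parseagain` re-entry in cmd_istrusted are not self-explanatory and deserve a comment at the `pn = NULL;` line, e.g. `/* A fingerprint may be given with colon separators (as gpgsm prints it); strip them once and parse again. */`. It is worth stating in that comment that every ':' in LINE is removed, not only those between hex pairs, which is harmless because the 32/40-digit check is repeated on the stripped string, and that LINE is modified in place.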
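Review bot: In the compressed-point branch of agent_card_ecc_kem only `len` bytes are copied into ecc_ecdh, which the caller sized for `ecc_point_len` bytes, so the tail of the buffer stays uninitialized; that is only fine if every caller reads just the x-coordinate (or decompresses) after looking at the prefix byte, which is not visible here — please confirm, or add `memset (ecc_ecdh + len, 0, ecc_point_len - len);` to make the tail deterministic. The `(ecdh[0] & ~1) == 0x02` test now accepts both SEC1 compressed prefixes 0x02 and 0x03, and the comment above it should say so, e.g. `/* SEC1 compressed point (prefix 0x02 or 0x03): only the x-coordinate is present. */`. The function continues past the end of the hunk.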
+++ b/artwork/gnupg-lock-rb-256x256tr.png diff --git a/artwork/gnupg-lock.png b/artwork/gnupg-lock.png Binary files differnew file mode 100644 index 000000000..d98ccab8a --- /dev/null +++ b/artwork/gnupg-lock.png diff --git a/artwork/gnupg-logo-1500x500-inv.png b/artwork/gnupg-logo-1500x500-inv.png Binary files differnew file mode 100644 index 000000000..b317ecb43 --- /dev/null +++ b/artwork/gnupg-logo-1500x500-inv.png diff --git a/common/compliance.c b/common/compliance.c index 6c271c199..db17e4aba 100644 --- a/common/compliance.c +++ b/common/compliance.c 
@@ -751,6 +751,77 @@ gnupg_status_compliance_flag (enum gnupg_compliance_mode compliance) } + +/* This function returns the value for the "manu" LibrePGP/rfc4880bis + * notation. See doc/DETAILS for a description. This value is also + * used for the manuNotation in X.509/CMS. */ +const char * +gnupg_manu_notation_value (enum gnupg_compliance_mode compliance) +{ + static char buffer[48]; /* Empty string indicates not yet initialized */ + static char buffer2[40]; + + if (!*buffer) + { + char *buf; + const char *s; + int n; + const char *fields[4]; + const char *vers1, *vers2; + int vers1len, vers2len; + int arch_id, os_id; + + arch_id = 0; + buf = gcry_get_config (0, "cpu-arch"); + if (buf && (n=split_fields_colon (buf, fields, DIM (fields))) >= 2) + { + if (!strcmp (fields[1], "x86") && n > 2) + { + if (!strcmp (fields[2], "amd64")) + arch_id = 2; + else if (!strcmp (fields[2], "i386")) + arch_id = 1; + } + else if (!strcmp (fields[1], "arm")) + arch_id = 3; + } + gcry_free (buf); +#ifdef HAVE_W32_SYSTEM + os_id = 1; +#elif defined(__linux__) + os_id = 2; +#elif defined (__unix__) || defined(__APPLE__) + os_id = 3; +#else + os_id = 0; +#endif + vers1 = PACKAGE_VERSION; + for (s=vers1, n=0; *s; s++) + if (*s=='.') + if (++n == 2) + break; + vers1len = s-vers1; + + vers2 = gcry_check_version (NULL); + for (s=vers2, n=0; *s; s++) + if (*s=='.') + if (++n == 2) + break; + vers2len = s-vers2; + + snprintf (buffer2, sizeof buffer2, "2,%.*s+%.*s,%d,%d", + vers1len, vers1, vers2len, vers2, arch_id, os_id); + snprintf (buffer, sizeof buffer, "%s,%d", + buffer2, get_assumed_de_vs_compliance ()? 2023 : 23); + } + + if (compliance == CO_DE_VS) + return buffer; + else + return buffer2; +} + + /* Parse the value of --compliance. Returns the value corresponding * to the given STRING according to OPTIONS of size LENGTH, or -1 * indicating that the lookup was unsuccessful, or the list of options diff --git a/common/compliance.h b/common/compliance.h index 111fdc74b..1ab39d607 100644 
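Review bot: gnupg_manu_notation_value emits `0` for an unknown architecture or OS, while doc/DETAILS in this same commit says an unknown field should be the empty string, and its arch-id table defines 3 as arm64 although the code sets `arch_id = 3` for any `arm` CPU (32-bit included) and never emits 4 for riscv; either the table or the mapping should be adjusted so that consumers of the notation can rely on it. The `__unix__ || __APPLE__` fallback likewise reports macOS and every non-Linux Unix as os-id 3 ("BSD"), which the table does not say. The lazily initialized static buffers are not thread-safe; if this can be reached from the threaded hashing path (COMPAT_PARALLELIZED) it should be initialized once up front rather than on first use.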
--- a/common/compliance.h +++ b/common/compliance.h @@ -78,6 +78,7 @@ int gnupg_gcrypt_is_compliant (enum gnupg_compliance_mode compliance); const char *gnupg_status_compliance_flag (enum gnupg_compliance_mode compliance); +const char *gnupg_manu_notation_value (enum gnupg_compliance_mode compliance); struct gnupg_compliance_option { diff --git a/configure.ac b/configure.ac index e654d4ddd..a4f026f37 100644 --- a/configure.ac +++ b/configure.ac @@ -29,7 +29,7 @@ min_automake_version="1.16.3" m4_define([mym4_package],[gnupg]) m4_define([mym4_major], [2]) m4_define([mym4_minor], [5]) -m4_define([mym4_micro], [10]) +m4_define([mym4_micro], [11]) # To start a new development series, i.e a new major or minor number # you need to mark an arbitrary commit before the first beta release diff --git a/dirmngr/ks-action.c b/dirmngr/ks-action.c index 6be2072e9..dd1865d4f 100644 --- a/dirmngr/ks-action.c +++ b/dirmngr/ks-action.c @@ -551,7 +551,7 @@ ks_action_put (ctrl_t ctrl, uri_item_t keyservers, /* Delete an OpenPGP key from all KEYSERVERS which use LDAP. The key * is specifified by PATTERNS. */ gpg_error_t -ks_action_del (ctrl_t ctrl, uri_item_t keyservers, strlist_t patterns) +ks_action_del (ctrl_t ctrl, uri_item_t keyservers, strlist_t fprlist) { gpg_error_t err = 0; gpg_error_t first_err = 0; @@ -567,7 +567,7 @@ ks_action_del (ctrl_t ctrl, uri_item_t keyservers, strlist_t patterns) || uri->parsed_uri->opaque ) { any_server = 1; - err = ks_ldap_del (ctrl, uri->parsed_uri, patterns); + err = ks_ldap_del (ctrl, uri->parsed_uri, fprlist); if (err && !first_err) first_err = err; } @@ -575,7 +575,7 @@ ks_action_del (ctrl_t ctrl, uri_item_t keyservers, strlist_t patterns) } if (!any_server) - err = gpg_error (GPG_ERR_NO_KEYSERVER); /* Actual: No LDAP keyserver */ + err = gpg_error (GPG_ERR_NO_KEYSERVER); /* No LDAP keyserver */ else if (!err && first_err) err = first_err; return err; diff --git a/dirmngr/ks-action.h b/dirmngr/ks-action.h index d222d6afe..0df497266 100644 
--- a/dirmngr/ks-action.h +++ b/dirmngr/ks-action.h @@ -34,7 +34,7 @@ gpg_error_t ks_action_put (ctrl_t ctrl, uri_item_t keyservers, void *data, size_t datalen, void *info, size_t infolen); gpg_error_t ks_action_del (ctrl_t ctrl, uri_item_t keyservers, - strlist_t patterns); + strlist_t fprlist); gpg_error_t ks_action_query (ctrl_t ctrl, const char *ldapserver, unsigned int ks_get_flags, const char *filter, char **attr, diff --git a/dirmngr/ks-engine-ldap.c b/dirmngr/ks-engine-ldap.c index ff4f005f4..9bb604707 100644 --- a/dirmngr/ks-engine-ldap.c +++ b/dirmngr/ks-engine-ldap.c 
@@ -3048,15 +3048,113 @@ ks_ldap_put (ctrl_t ctrl, parsed_uri_t uri, } -/* Delete the keys given by PATTERNS from the keyserver identified by - * URI. */ +/* Delete the keys given by the list of fingerprints in FPRLIST from + * the keyserver identified by URI. The function stops at the first + * error encountered. */ gpg_error_t -ks_ldap_del (ctrl_t ctrl, parsed_uri_t uri, strlist_t patterns) +ks_ldap_del (ctrl_t ctrl, parsed_uri_t uri, strlist_t fprlist) { - (void)ctrl; - (void)uri; - (void)patterns; - return gpg_error (GPG_ERR_NOT_IMPLEMENTED); + gpg_error_t err = 0; + int ldap_err; + unsigned int serverinfo; + LDAP *ldap_conn = NULL; + char *basedn = NULL; + char *dn = NULL; + strlist_t fpr; + unsigned int count = 0; + unsigned int totalcount = 0; + + if (dirmngr_use_tor ()) + { + return no_ldap_due_to_tor (ctrl); + } + + for (fpr = fprlist; fpr; fpr = fpr->next) + totalcount++; + + err = my_ldap_connect (uri, 0, &ldap_conn, &basedn, NULL, NULL, &serverinfo); + if (err || !basedn) + { + if(opt.verbose) + log_info ("%s: connecting to server failed\n", __func__); + if (!err) + err = gpg_error (GPG_ERR_GENERAL); /* (no baseDN) */ + goto leave; + } + + if (!(serverinfo & SERVERINFO_REALLDAP)) + { + if(opt.verbose) + log_info ("%s: The PGP.com keyserver is not supported\n", __func__); + err = gpg_error (GPG_ERR_NOT_SUPPORTED); + goto leave; + } + + if (!(serverinfo & SERVERINFO_SCHEMAV2)) + { + if(opt.verbose) + log_info ("%s: The keyserver does not support the v2 schema\n", + __func__); + err = gpg_error (GPG_ERR_NOT_SUPPORTED); + goto leave; + } + + if (opt.verbose) + log_info ("%s: Using DN: %s,%s\n", __func__, + (serverinfo & SERVERINFO_NTDS)? "CN=<fingerprint>" + /* */ : "pgpCertID=<keyid>", + basedn); + for (fpr = fprlist; fpr; fpr = fpr->next) + { + if ((serverinfo & SERVERINFO_NTDS)) + { + xfree (dn); + dn = xtryasprintf ("CN=%s,%s", fpr->d, basedn); + } + else + { + unsigned int off; + + /* Simle method to get the keyID. 
Note that a v5 key + * (len>40) has the keyid at the left. If the length is + * less than 17 we assume a keyid has been given. */ + off = strlen (fpr->d); + if (off <= 40 && off > 16) + off = off - 16; + else + off = 0; + + xfree (dn); + dn = xtryasprintf ("pgpCertID=%.16s,%s", fpr->d+off, basedn); + } + + npth_unprotect (); + ldap_err = ldap_delete_ext_s (ldap_conn, dn, NULL, NULL); + npth_protect (); + if (ldap_err == LDAP_SUCCESS) + { + if (opt.verbose) + log_info ("%s: key %s deleted\n", __func__, fpr->d); + count++; + } + else + { + log_error ("%s: error deleting key %s: %s\n", + __func__, fpr->d, ldap_err2string (ldap_err)); + err = ldap_err_to_gpg_err (ldap_err); + break; /* Stop at the first failed deletion. */ + } + } + log_info ("%s: number of keys deleted: %u of %u\n", + __func__, count, totalcount); + + + leave: + if (ldap_conn) + ldap_unbind (ldap_conn); + xfree (dn); + xfree (basedn); + return err; } diff --git a/dirmngr/ks-engine.h b/dirmngr/ks-engine.h index dfc626d56..005d07490 100644 --- a/dirmngr/ks-engine.h +++ b/dirmngr/ks-engine.h @@ -82,7 +82,7 @@ gpg_error_t ks_ldap_get (ctrl_t ctrl, parsed_uri_t uri, gpg_error_t ks_ldap_put (ctrl_t ctrl, parsed_uri_t uri, void *data, size_t datalen, void *info, size_t infolen); -gpg_error_t ks_ldap_del (ctrl_t ctrl, parsed_uri_t uri, strlist_t patterns); +gpg_error_t ks_ldap_del (ctrl_t ctrl, parsed_uri_t uri, strlist_t fprlist); gpg_error_t ks_ldap_query (ctrl_t ctrl, parsed_uri_t uri, unsigned int ks_get_flags, const char *filter, char **attrs, diff --git a/dirmngr/server.c b/dirmngr/server.c index 3ad939a6b..747d0a914 100644 --- a/dirmngr/server.c +++ b/dirmngr/server.c 
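Review bot: ks_ldap_del interpolates each client-supplied string straight into an LDAP DN (`CN=%s,%s` and `pgpCertID=%.16s,%s`) without checking that it is a hex fingerprint or key ID; unless cmd_ks_del already validates its arguments (its body is not in this diff), a value containing `,`, `=`, `+` or `\` changes the structure of the DN and can make the delete target a different entry under basedn. The result of `xtryasprintf` is also never checked, so on allocation failure `ldap_delete_ext_s` is called with a NULL dn. I would reject anything that is not purely hex digits (hexdigitp() as used in agent/command.c in this same commit) before building the DN, and bail out with gpg_error_from_syserror() when dn is NULL. Minor: `Simle` in the comment should be `Simple`.
```c
  for (fpr = fprlist; fpr; fpr = fpr->next)
    {
      const char *s;

      /* Only hex fingerprints/keyids may be put into a DN; any other
       * character (',', '=', '+', '\\', ...) would alter the DN.  */
      for (s = fpr->d; hexdigitp (s); s++)
        ;
      if (s == fpr->d || *s)
        {
          log_error ("%s: invalid fingerprint '%s'\n", __func__, fpr->d);
          err = gpg_error (GPG_ERR_INV_VALUE);
          break;
        }

      /* … unchanged: build DN for NTDS (CN=) or pgpCertID= … */

      if (!dn)
        {
          err = gpg_error_from_syserror ();
          break;
        }

      /* … unchanged: ldap_delete_ext_s call and result handling … */
    }
```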
@@ -2723,11 +2723,10 @@ cmd_ks_put (assuan_context_t ctx, char *line) static const char hlp_ks_del[] = - "KS_DEL --ldap {<pattern>}\n" + "KS_DEL --ldap {<fingerprints>}\n" "\n" - "Delete the keys matching PATTERN from the configured OpenPGP LDAP server\n" - "The pattern should be a fingerprint.\n" - "The option --ldap is mandatory.\n"; + "Delete the keys specified by primary keys FINGERPRINTS from the\n" + "configured OpenPGP LDAP server. The option --ldap is mandatory."; static gpg_error_t cmd_ks_del (assuan_context_t ctx, char *line) { diff --git a/doc/DETAILS b/doc/DETAILS index 0504c80bb..246c4227d 100644 --- a/doc/DETAILS +++ b/doc/DETAILS @@ -1666,6 +1666,7 @@ Status codes are: 1.3.6.1.4.1.11591.2 GnuPG 1.3.6.1.4.1.11591.2.1 notation 1.3.6.1.4.1.11591.2.1.1 pkaAddress + 1.3.6.1.4.1.11591.2.1.2 manuNotation (as IA5String) 1.3.6.1.4.1.11591.2.2 X.509 extensions 1.3.6.1.4.1.11591.2.2.1 standaloneCertificate 1.3.6.1.4.1.11591.2.2.2 wellKnownPrivateKey @@ -1774,7 +1775,6 @@ Description of some debug flags: - T6390 :: Notes on use of X25519 in GnuPG (https://dev.gnupg.org/T6390) - ** v3 fingerprints For packet version 3 we calculate the keyids this way: - RSA :: Low 64 bits of n 
@@ -1782,12 +1782,56 @@ Description of some debug flags: calculate a RMD160 hash value from it. This is used as the fingerprint and the low 64 bits are the keyid. -** gnupg.org notations +** Used notations + + - manu :: LibrePGP/rfc4880bis defined standard notation used by + GnuPG and other implementaions to convey additional + information about the implementation used to create + a key or signature. This is a list of comma delimited + values with these defined fields: + + | field | name | defined values | + |-------+------------------+------------------------| + | 1 | software product | see: prod-id | + | 2 | software version | e.g. "2.2", "2.5+1.12" | + | 3 | architecture | see: arch-id | + | 4 | operating system | see: os-id | + | 5 | compliance class | e.g. "23", "2023" | + + | prod-id | name | + |---------+-------------| + | 1 | PGP | + | 2 | GnuPG | + | 3 | Greenshield | + | 4 | RNP | + + | arch-id | cpu | + |---------+-------| + | 1 | i686 | + | 2 | amd64 | + | 3 | arm64 | + | 4 | riscv | + + | os-id | os | + |-------+---------| + | 1 | Windows | + | 2 | Linux | + | 3 | BSD | + + If a value for a field is not known, the empty string + may be used. The values are also used for the X.509/CMS + extension 1.3.6.1.4.1.11591.2.1.2. The compliance class + values are 23 for "de-vs" and 2023 for non-approved "de-vs". + + This notation shall be human readable. It is defined in + away to minimize its size but to be easily viewable by + standard software. - [email protected] :: Used by Kleopatra to implement the tag feature. These tags are used to mark keys for easier searching and grouping. - + - [email protected] :: Used by GnuPG to mark the compliance of + encryption subkeys. ** Simplified revocation certificates Revocation certificates consist only of the signature packet; diff --git a/doc/HACKING b/doc/HACKING index cb7e400fc..8cf49f4bd 100644 --- a/doc/HACKING +++ b/doc/HACKING 
@@ -443,3 +443,23 @@ plaintext packets and so on. The file g10/encode.c might be a good starting point to see how it is used - actually this is the other way: constructing messages using pushed filters but it may be easier to understand. + +** Notes on how to create test data + +On 2016-02-28 we created a lot of AEAD test data using a command +similar to this: + +--8<---------------cut here---------------start------------->8--- +for algo in eax ocb; do + for csize in 6 7 12 13 14 30; do + for len in 0 $(seq 0 200) $(seq 8100 8200) $(seq 16350 16400) \ + $(seq 20000 20100); do + awk </dev/null -v i=$len 'BEGIN{while(i){i--;printf"~"}}' \ + | gpg --no-options -v --rfc4880bis --batch --passphrase "abc" \ + --s2k-count 1025 --s2k-digest-algo sha256 -z0 \ + --force-aead --aead-algo $algo --cipher aes -a \ + --chunk-size $csize -c >symenc-aead-eax-c$csize-$len.asc + done + done +done +--8<---------------cut here---------------end--------------->8--- diff --git a/doc/gpg.texi b/doc/gpg.texi index 63e87e528..91bc73e8c 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -1420,11 +1420,15 @@ give the opposite meaning. The options are: @item show-notations @itemx show-std-notations @itemx show-user-notations + @itemx show-hidden-notations @opindex list-options:show-notations @opindex list-options:show-std-notations @opindex list-options:show-user-notations + @opindex list-options:show-hidden-notations Show all, IETF standard, or user-defined signature notations in the - @option{--check-signatures} listings. Defaults to no. + @option{--check-sigs} listings. Hidden notations are those which + are automatically inserted by an implementation and not worthy to + mention. Defaults to no. @item show-x509-notations @opindex list-options:show-x509-notations 
@@ -1513,11 +1517,15 @@ the opposite meaning. The options are: @item show-notations @itemx show-std-notations @itemx show-user-notations + @itemx show-hidden-notations @opindex verify-options:show-notations @opindex verify-options:show-std-notations @opindex verify-options:show-user-notations + @opindex verify-options:show-hidden-notations Show all, IETF standard, or user-defined signature notations in the - signature being verified. Defaults to IETF standard. + signature being verified. Hidden notations are those which are + automatically inserted by an implementation and not worthy to + mention. Defaults to IETF standard. @item show-keyserver-urls @opindex verify-options:show-keyserver-urls @@ -3374,7 +3382,9 @@ given once only the name of the program and the major number is emitted, given twice the minor is also emitted, given thrice the micro is added, and given four times an operating system identification is also emitted. @option{--no-emit-version} (default) disables the version -line. +line. Note that unless the @option{--compatibility-flags} have +a "no-manu" flag set, the GnuPG and Libgcrypt major and minor version +(e.g. "2.6+1.11") is included in signature packets and keys. @item --sig-notation @{@var{name}=@var{value}@} @itemx --cert-notation @{@var{name}=@var{value}@} diff --git a/doc/gpgv.texi b/doc/gpgv.texi index 159c8dddb..005ff422f 100644 --- a/doc/gpgv.texi +++ b/doc/gpgv.texi @@ -122,6 +122,11 @@ refer to the file descriptor n and not to a file with that name. @opindex assert-pubkey-algo This option works in the same way as described for @command{gpg}. +@item --print-notation @var{name} +@itemx -N @var{name} +If the signature verifies print the notation @var{name} to stdout if +it exists. + @end table @mansect return value diff --git a/g10/build-packet.c b/g10/build-packet.c index 57a67d9f4..0eb83463f 100644 --- a/g10/build-packet.c +++ b/g10/build-packet.c 
@@ -1577,17 +1577,18 @@ notation_value_to_human_readable_string (struct notation *notation) return xstrdup (notation->value); } -/* Turn the notation described by the string STRING into a notation. - - STRING has the form: - - -name - Delete the notation. - - [email protected]=value - Normal notation - - [email protected]=value - Notation with critical bit set. - - The caller must free the result using free_notation(). */ +/* Turn the notation described by the string STRING into a notation. + * + * STRING has the form: + * + * - -name - Delete the notation. + * - [email protected]=value - Normal notation + * - [email protected]=value - Notation with critical bit set. + * + * The caller must free the result using free_notation(). */ struct notation * -string_to_notation(const char *string,int is_utf8) +string_to_notation (const char *string, int is_utf8) { const char *s; int saw_at=0; @@ -1676,6 +1677,22 @@ string_to_notation(const char *string,int is_utf8) return NULL; } + +/* Turn the notation described by NAME and VALUE into a notation. + * This will be a human readble non-critical notation. + * The caller must free the result using free_notation(). */ +struct notation * +name_value_to_notation (const char *name, const char *value) +{ + struct notation *notation; + + notation = xcalloc (1, sizeof *notation); + notation->name = xstrdup (name); + notation->value = xstrdup (value); + return notation; +} + + /* Like string_to_notation, but store opaque data rather than human readable data. */ struct notation * @@ -1059,6 +1059,7 @@ static struct compatibility_flags_s compatibility_flags [] = { COMPAT_PARALLELIZED, "parallelized" }, { COMPAT_T7014_OLD, "t7014-old" }, { COMPAT_COMPR_KEYS, "compr-keys" }, + { COMPAT_NO_MANU, "no-manu" }, { 0, NULL } }; 
@@ -2116,6 +2117,8 @@ parse_list_options(char *str) NULL}, {"show-user-notations",LIST_SHOW_USER_NOTATIONS,NULL, N_("show user-supplied notations during signature listings")}, + {"show-hidden-notations",LIST_SHOW_HIDDEN_NOTATIONS,NULL, + NULL}, {"show-x509-notations",LIST_SHOW_X509_NOTATIONS,NULL, NULL }, {"store-x509-notations",LIST_STORE_X509_NOTATIONS,NULL, NULL }, {"show-keyserver-urls",LIST_SHOW_KEYSERVER_URLS,NULL, @@ -3498,7 +3501,9 @@ main (int argc, char **argv) NULL}, {"show-user-notations",VERIFY_SHOW_USER_NOTATIONS,NULL, N_("show user-supplied notations during signature verification")}, - {"show-keyserver-urls",VERIFY_SHOW_KEYSERVER_URLS,NULL, + {"show-hidden-notations",VERIFY_SHOW_HIDDEN_NOTATIONS,NULL, + NULL}, + {"show-keyserver-urls",VERIFY_SHOW_KEYSERVER_URLS,NULL, N_("show preferred keyserver URLs during signature verification")}, {"show-uid-validity",VERIFY_SHOW_UID_VALIDITY,NULL, N_("show user ID validity during signature verification")}, diff --git a/g10/gpgv.c b/g10/gpgv.c index 6d3d25f50..686fc8891 100644 --- a/g10/gpgv.c +++ b/g10/gpgv.c @@ -58,6 +58,7 @@ enum cmd_and_opt_values { oQuiet = 'q', oVerbose = 'v', oOutput = 'o', + oPrintNotation = 'N', oBatch = 500, oKeyring, oIgnoreTimeConflict, @@ -91,6 +92,8 @@ static gpgrt_opt_t opts[] = { ARGPARSE_s_s (oWeakDigest, "weak-digest", N_("|ALGO|reject signatures made with ALGO")), ARGPARSE_s_n (oEnableSpecialFilenames, "enable-special-filenames", "@"), + ARGPARSE_s_s (oPrintNotation, "print-notation", + N_("|NAME|print the notation NAME to stdout")), ARGPARSE_s_s (oDebug, "debug", "@"), ARGPARSE_s_s (oAssertPubkeyAlgo,"assert-pubkey-algo", "@"), @@ -267,6 +270,10 @@ main( int argc, char **argv ) } break; + case oPrintNotation: + append_to_strlist (&opt.print_notations, pargs.r.ret_str); + break; + default : pargs.err = ARGPARSE_PRINT_ERROR; break; } } diff --git a/g10/import.c b/g10/import.c index 5985d177b..6e33ac976 100644 --- a/g10/import.c +++ b/g10/import.c 
@@ -3541,7 +3541,9 @@ list_standalone_revocation (ctrl_t ctrl, PKT_signature *sig, int sigrc) show_notation (sig, 3, 0, ((opt.list_options & LIST_SHOW_STD_NOTATIONS) ? 1 : 0) + - ((opt.list_options & LIST_SHOW_USER_NOTATIONS) ? 2 : 0)); + ((opt.list_options & LIST_SHOW_USER_NOTATIONS) ? 2 : 0) + + + ((opt.list_options & LIST_SHOW_HIDDEN_NOTATIONS) ? 4:0)); if (sig->flags.pref_ks && (opt.list_options & LIST_SHOW_KEYSERVER_URLS)) diff --git a/g10/keydb.h b/g10/keydb.h index 68bc81840..255110cc7 100644 --- a/g10/keydb.h +++ b/g10/keydb.h @@ -37,14 +37,14 @@ || IS_SUBKEY_REV(s) \ || IS_ATTST_SIGS(s) ) #define IS_SIG(s) (!IS_CERT(s)) -#define IS_KEY_SIG(s) ((s)->sig_class == 0x1f) -#define IS_UID_SIG(s) (((s)->sig_class & ~3) == 0x10) +#define IS_KEY_SIG(s) ((s)->sig_class == SIGCLASS_KEY) +#define IS_UID_SIG(s) (((s)->sig_class & ~3) == SIGCLASS_CERT) #define IS_ATTST_SIGS(s) ((s)->sig_class == 0x16) -#define IS_SUBKEY_SIG(s) ((s)->sig_class == 0x18) -#define IS_BACK_SIG(s) ((s)->sig_class == 0x19) -#define IS_KEY_REV(s) ((s)->sig_class == 0x20) -#define IS_UID_REV(s) ((s)->sig_class == 0x30) -#define IS_SUBKEY_REV(s) ((s)->sig_class == 0x28) +#define IS_SUBKEY_SIG(s) ((s)->sig_class == SIGCLASS_SUBKEY) +#define IS_BACK_SIG(s) ((s)->sig_class == SIGCLASS_BACKSIG) +#define IS_KEY_REV(s) ((s)->sig_class == SIGCLASS_KEYREV) +#define IS_UID_REV(s) ((s)->sig_class == SIGCLASS_CERTREV) +#define IS_SUBKEY_REV(s) ((s)->sig_class == SIGCLASS_SUBREV) struct getkey_ctx_s; typedef struct getkey_ctx_s *GETKEY_CTX; diff --git a/g10/keyedit.c b/g10/keyedit.c index b0f8ea5ed..1afaad6a9 100644 --- a/g10/keyedit.c +++ b/g10/keyedit.c 
@@ -299,7 +299,9 @@ keyedit_print_one_sig (ctrl_t ctrl, estream_t fp, ((opt. list_options & LIST_SHOW_STD_NOTATIONS) ? 1 : 0) + ((opt. - list_options & LIST_SHOW_USER_NOTATIONS) ? 2 : 0)); + list_options & LIST_SHOW_USER_NOTATIONS) ? 2 : 0) + + ((opt. + list_options & LIST_SHOW_HIDDEN_NOTATIONS) ? 4:0)); if (sig->flags.pref_ks && ((opt.list_options & LIST_SHOW_KEYSERVER_URLS) || extended)) diff --git a/g10/keylist.c b/g10/keylist.c index 7bd25de74..42e9f65f5 100644 --- a/g10/keylist.c +++ b/g10/keylist.c @@ -638,6 +638,7 @@ show_keyserver_url (PKT_signature * sig, int indent, int mode) * Defined bits in WHICH: * 1 - standard notations * 2 - user notations + * 4 - print notations normally hidden */ void show_notation (PKT_signature * sig, int indent, int mode, int which) @@ -653,6 +654,9 @@ show_notation (PKT_signature * sig, int indent, int mode, int which) /* There may be multiple notations in the same sig. */ for (nd = notations; nd; nd = nd->next) { + if (!(which & 4) && !strcmp (nd->name, "manu")) + continue; + if (mode != 2) { int has_at = !!strchr (nd->name, '@'); 
@@ -705,6 +709,41 @@ show_notation (PKT_signature * sig, int indent, int mode, int which) } +/* Output all the notation data in SIG matching a name given by + * --print-notation to stdout. */ +void +print_matching_notations (PKT_signature *sig) +{ + notation_t nd, notations; + strlist_t sl; + const char *s; + + if (!opt.print_notations) + return; + + notations = sig_to_notation (sig); + for (nd = notations; nd; nd = nd->next) + { + for (sl=opt.print_notations; sl; sl = sl->next) + if (!strcmp (sl->d, nd->name)) + break; + if (!sl || !*nd->value) + continue; + es_fprintf (es_stdout, "%s: ", nd->name); + for (s = nd->value; *s; s++) + { + if (*s == '\n') + es_fprintf (es_stdout, "\n%*s", (int)strlen (nd->name)+2, ""); + else if (*s >= ' ' || *s != '\t') + es_putc (*s, es_stdout); + } + es_putc ('\n', es_stdout); + } + + free_notation (notations); +} + + static void print_signature_stats (struct keylist_context *s) { @@ -1522,11 +1561,11 @@ list_signature_print (ctrl_t ctrl, kbnode_t keyblock, kbnode_t node, if (sig->flags.notation && (opt.list_options & LIST_SHOW_NOTATIONS)) show_notation (sig, 3, 0, ((opt. - list_options & LIST_SHOW_STD_NOTATIONS) ? 1 : 0) - + - ((opt. - list_options & LIST_SHOW_USER_NOTATIONS) ? 2 : - 0)); + list_options & LIST_SHOW_STD_NOTATIONS) ? 1 : 0) + + ((opt. + list_options & LIST_SHOW_USER_NOTATIONS) ? 2 : 0) + + ((opt. + list_options & LIST_SHOW_HIDDEN_NOTATIONS) ? 4 : 0)); if (sig->flags.notation && (opt.list_options diff --git a/g10/main.h b/g10/main.h index c0a3d5fa2..5d96b5e27 100644 --- a/g10/main.h +++ b/g10/main.h 
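Review bot: The control-character filter in print_matching_notations does not filter: `*s >= ' ' || *s != '\t'` is true for every byte except '\t', so ESC and other control bytes from the signer-controlled notation value go straight to stdout, where gpgv output is routinely consumed by scripts or shown on a terminal. The intended test is presumably printable-or-tab, and because `*s` is a plain char the comparison needs an unsigned view so that UTF-8 bytes survive: `else if ((unsigned char)*s >= ' ' || *s == '\t')`. A one-line comment above the loop stating that control characters other than newline and tab are dropped would make the intent checkable next time.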
@@ -488,6 +488,7 @@ void show_preferences (PKT_user_id *uid, int indent, int mode, int verbose); void show_policy_url(PKT_signature *sig,int indent,int mode); void show_keyserver_url(PKT_signature *sig,int indent,int mode); void show_notation(PKT_signature *sig,int indent,int mode,int which); +void print_matching_notations (PKT_signature *sig); void dump_attribs (const PKT_user_id *uid, PKT_public_key *pk); void set_attrib_fd(int fd); void print_key_info (ctrl_t ctrl, estream_t fp, int indent, diff --git a/g10/mainproc.c b/g10/mainproc.c index ebbe4a6a7..5a7961099 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c @@ -2492,9 +2492,12 @@ check_sig_and_print (CTX c, kbnode_t node) show_notation (sig, 0, 1, (((opt.verify_options&VERIFY_SHOW_STD_NOTATIONS)?1:0) - + ((opt.verify_options&VERIFY_SHOW_USER_NOTATIONS)?2:0))); + + ((opt.verify_options&VERIFY_SHOW_USER_NOTATIONS)?2:0) + + ((opt.verify_options &VERIFY_SHOW_HIDDEN_NOTATIONS)? 4:0) + )); else show_notation (sig, 0, 2, 0); + print_matching_notations (sig); } /* Fill PKSTRBUF with the algostring in case we later need it. */ diff --git a/g10/options.h b/g10/options.h index fe81a0baf..28fc2207a 100644 --- a/g10/options.h +++ b/g10/options.h @@ -214,6 +214,7 @@ struct int no_encrypt_to; int encrypt_to_default_key; int interactive; + strlist_t print_notations; /* Name of notations to print. */ struct notation *sig_notations; struct notation *cert_notations; strlist_t sig_policy_url; @@ -400,6 +401,7 @@ EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode; #define COMPAT_PARALLELIZED 1 /* Use threaded hashing for signatures. */ #define COMPAT_T7014_OLD 2 /* Use initial T7014 test data. */ #define COMPAT_COMPR_KEYS 4 /* Allow import of compressed keys. (T7014) */ +#define COMPAT_NO_MANU 8 /* Do not include a "manu" notation. */ /* Compliance test macros. */ #define GNUPG (opt.compliance==CO_GNUPG || opt.compliance==CO_DE_VS) 
@@ -466,6 +468,7 @@ EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode; #define LIST_STORE_X509_NOTATIONS (1<<18) #define LIST_SHOW_OWNERTRUST (1<<19) #define LIST_SHOW_TRUSTSIG (1<<20) +#define LIST_SHOW_HIDDEN_NOTATIONS (1<<21) #define VERIFY_SHOW_PHOTOS (1<<0) #define VERIFY_SHOW_POLICY_URLS (1<<1) @@ -476,6 +479,7 @@ EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode; #define VERIFY_SHOW_UID_VALIDITY (1<<5) #define VERIFY_SHOW_UNUSABLE_UIDS (1<<6) #define VERIFY_SHOW_PRIMARY_UID_ONLY (1<<9) +#define VERIFY_SHOW_HIDDEN_NOTATIONS (1<<21) #define KEYSERVER_HTTP_PROXY (1<<0) #define KEYSERVER_TIMEOUT (1<<1) diff --git a/g10/packet.h b/g10/packet.h index ac6df7d5c..8162ad802 100644 --- a/g10/packet.h +++ b/g10/packet.h @@ -69,6 +69,21 @@ /* The usage bits which define encryption. */ #define PUBKEY_USAGE_XENC_MASK (PUBKEY_USAGE_ENC | PUBKEY_USAGE_RENC) +/* The signature classes. */ +#define SIGCLASS_DATA 0x00 /* Signature on a binary document. */ +#define SIGCLASS_TEXT 0x01 /* Signature on a text document. */ +#define SIGCLASS_SALONE 0x02 /* Standalone signature. */ +#define SIGCLASS_CERT 0x10 /* User ID certification signature. */ +#define SIGCLASS_CERT11 0x11 /* User ID certification signature. */ +#define SIGCLASS_CERT12 0x12 /* User ID certification signature. */ +#define SIGCLASS_CERT13 0x13 /* User ID certification signature. */ +#define SIGCLASS_SUBKEY 0x18 /* Key binding signature. */ +#define SIGCLASS_BACKSIG 0x19 /* Primary key binding signature. */ +#define SIGCLASS_KEY 0x1f /* Direct key signature (on primary key) */ +#define SIGCLASS_KEYREV 0x20 /* Key revoction signature. */ +#define SIGCLASS_SUBREV 0x28 /* Subkey revocation signature. */ +#define SIGCLASS_CERTREV 0x30 /* Certification revocation signature. */ + /* Bitflags to convey hints on what kind of signature is created. */ #define SIGNHINT_KEYSIG 1 #define SIGNHINT_SELFSIG 2 
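Review bot: VERIFY_SHOW_HIDDEN_NOTATIONS is defined as `(1<<21)` while every other VERIFY_SHOW_* flag in this hunk uses bits 0–9. If the value is deliberately aligned with LIST_SHOW_HIDDEN_NOTATIONS `(1<<21)` from the preceding hunk so that both option sets can be handled by a shared mask, a comment such as `/* Same bit as LIST_SHOW_HIDDEN_NOTATIONS. */` would stop a later cleanup from "fixing" it to `(1<<10)`; if it is not deliberate, the low free bit would be the consistent choice.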
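Review bot: The comment on SIGCLASS_KEYREV in the packet.h hunk has a typo, `Key revoction signature` should be `Key revocation signature`. The comments for SIGCLASS_CERT11, SIGCLASS_CERT12 and SIGCLASS_CERT13 are identical to SIGCLASS_CERT; since OpenPGP distinguishes them as persona, casual and positive certifications, naming that in each comment would make the later `(sigclass&~3) == SIGCLASS_CERT` tests in sign.c easier to read.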
@@ -899,6 +914,7 @@ void build_attribute_subpkt(PKT_user_id *uid,byte type, const void *buf,u32 buflen, const void *header,u32 headerlen); struct notation *string_to_notation(const char *string,int is_utf8); +struct notation *name_value_to_notation (const char *name, const char *value); struct notation *blob_to_notation(const char *name, const char *data, size_t len); struct notation *sig_to_notation(PKT_signature *sig); diff --git a/g10/sign.c b/g10/sign.c index 399d5d76d..b3bda581c 100644 --- a/g10/sign.c +++ b/g10/sign.c @@ -66,18 +66,21 @@ typedef struct pt_extra_hash_data_s *pt_extra_hash_data_t; /* - * Create notations and other stuff. It is assumed that the strings in - * STRLIST are already checked to contain only printable data and have - * a valid NAME=VALUE format. + * Create notations and other stuff. It is assumed that the strings + * in STRLIST are already checked to contain only printable data and + * have a valid NAME=VALUE format. If with_manu is set a "manu" + * notation is also added: a value of 1 includes it in the standard + * way and a value of 23 assumes that the data is de-vs compliant. */ static void mk_notation_policy_etc (ctrl_t ctrl, PKT_signature *sig, - PKT_public_key *pk, PKT_public_key *pksk) + PKT_public_key *pk, PKT_public_key *pksk, int with_manu) { const char *string; char *p = NULL; strlist_t pu = NULL; struct notation *nd = NULL; + struct notation *ndmanu = NULL; struct expando_args args; log_assert (sig->version >= 4); @@ -94,6 +97,15 @@ mk_notation_policy_etc (ctrl_t ctrl, PKT_signature *sig, else if (IS_CERT(sig) && opt.cert_notations) nd = opt.cert_notations; + if (with_manu) + { + ndmanu = name_value_to_notation + ("manu", + gnupg_manu_notation_value (with_manu == 23? CO_DE_VS : CO_GNUPG)); + ndmanu->next = nd; + nd = ndmanu; + } + if (nd) { struct notation *item; 
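Review bot: The new with_manu parameter of mk_notation_policy_etc is documented only in prose as taking the magic values 1 and 23, and the same literals are repeated at the two call sites added in later hunks of sign.c (write_signature_packets and make_keysig_packet). Named constants, for example an enum with values like `MANU_NONE`, `MANU_GNUPG`, `MANU_DE_VS` (names constructed here), would let the call sites and the `with_manu == 23? CO_DE_VS : CO_GNUPG` test read as intent rather than as numbers, and would keep both call sites from drifting apart.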
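Review bot: The result of name_value_to_notation is dereferenced on the next line, `ndmanu->next = nd;`, without a NULL check. Its siblings string_to_notation and blob_to_notation report invalid input by returning NULL; if name_value_to_notation follows the same contract, or if gnupg_manu_notation_value can yield NULL, this is a NULL dereference on the signing path. Either document that name_value_to_notation never returns NULL for a fixed name, or guard it: `if (ndmanu) { ndmanu->next = nd; nd = ndmanu; }`. The body of mk_notation_policy_etc continues beyond this hunk.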
@@ -113,6 +125,10 @@ mk_notation_policy_etc (ctrl_t ctrl, PKT_signature *sig, xfree (item->altvalue); item->altvalue = NULL; } + /* Restore the original nd and release ndmanu. */ + nd = ndmanu; + ndmanu->next = NULL; + free_notation (ndmanu); } /* Set policy URL. */ @@ -809,7 +825,7 @@ write_onepass_sig_packets (SK_LIST sk_list, IOBUF out, int sigclass ) /* * Helper to write the plaintext (literal data) packet. At - * R_EXTRAHASH a malloced object with the with the extra data hashed + * R_EXTRAHASH a malloced object with the extra data hashed * into v5 signatures is stored. */ static int @@ -920,7 +936,7 @@ write_plaintext_packet (iobuf_t out, iobuf_t inp, /* * Write the signatures from the SK_LIST to OUT. HASH must be a * non-finalized hash which will not be changes here. EXTRAHASH is - * either NULL or the extra data tro be hashed into v5 signatures. + * either NULL or the extra data to be hashed into v5 signatures. */ static int write_signature_packets (ctrl_t ctrl, @@ -930,6 +946,7 @@ write_signature_packets (ctrl_t ctrl, int status_letter, const char *cache_nonce) { SK_LIST sk_rover; + int with_manu; /* Loop over the certificates with secret keys. */ for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next) @@ -966,7 +983,16 @@ write_signature_packets (ctrl_t ctrl, BUG (); build_sig_subpkt_from_sig (sig, pk, 0); - mk_notation_policy_etc (ctrl, sig, NULL, pk); + + if (opt.compliance == CO_DE_VS + && gnupg_rng_is_compliant (CO_DE_VS)) + with_manu = 23; /* FIXME: Also check that the algos are compliant?*/ + else if (!(opt.compat_flags & COMPAT_NO_MANU)) + with_manu = 1; + else + with_manu = 0; + + mk_notation_policy_etc (ctrl, sig, NULL, pk, with_manu); if (opt.flags.include_key_block && IS_SIG (sig)) err = mk_sig_subpkt_key_block (ctrl, sig, pk); else 
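Review bot: `ndmanu->next = NULL;` is executed whenever nd is non-NULL, but ndmanu is initialised to NULL and only allocated when with_manu is non-zero (previous hunk), so any signature made with --sig-notation or --cert-notation while with_manu is 0 (COMPAT_NO_MANU in write_signature_packets, or any non-self-signature in make_keysig_packet, both later hunks) dereferences NULL. The release should be conditional: `if (ndmanu) { ndmanu->next = NULL; free_notation (ndmanu); }`. The comment says the original nd is restored, but `nd = ndmanu;` sets it to the manu node; `nd = ndmanu->next;` would match the comment, although nd does not appear to be used afterwards within this hunk. The enclosing function continues outside the hunk.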
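Review bot: In write_signature_packets, `with_manu = 23` asserts de-vs compliance inside a signed notation based only on opt.compliance and gnupg_rng_is_compliant, with the algorithm check left to a FIXME, whereas the parallel selection in make_keysig_packet (a later hunk) carries no FIXME and is commented `/* Always in de-vs mode. */`. Because the "manu" notation is a claim that relying parties may read as a compliance statement, the two sites should share one helper that also consults the algorithm checks, or at least carry the same FIXME so the gap is not forgotten at one of them. The declaration `int with_manu;` would also read better as a local of the loop body where it is assigned, rather than at function scope.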
@@ -1813,10 +1839,15 @@ make_keysig_packet (ctrl_t ctrl, gcry_md_hd_t md; u32 pk_keyid[2], pksk_keyid[2]; unsigned int signhints; + int with_manu; - log_assert ((sigclass >= 0x10 && sigclass <= 0x13) || sigclass == 0x1F - || sigclass == 0x20 || sigclass == 0x18 || sigclass == 0x19 - || sigclass == 0x30 || sigclass == 0x28 ); + log_assert ((sigclass&~3) == SIGCLASS_CERT + || sigclass == SIGCLASS_KEY + || sigclass == SIGCLASS_KEYREV + || sigclass == SIGCLASS_SUBKEY + || sigclass == SIGCLASS_BACKSIG + || sigclass == SIGCLASS_CERTREV + || sigclass == SIGCLASS_SUBREV ); if (pksk->version >= 5) sigversion = 5; @@ -1853,14 +1884,15 @@ make_keysig_packet (ctrl_t ctrl, /* Hash the public key certificate. */ hash_public_key (md, pk); - if (sigclass == 0x18 || sigclass == 0x19 || sigclass == 0x28) + if (sigclass == SIGCLASS_SUBKEY || sigclass == SIGCLASS_BACKSIG + || sigclass == SIGCLASS_SUBREV) { /* Hash the subkey binding/backsig/revocation. */ hash_public_key (md, subpk); if ((subpk->pubkey_usage & PUBKEY_USAGE_RENC)) signhints |= SIGNHINT_ADSK; } - else if (sigclass != 0x1F && sigclass != 0x20) + else if (sigclass != SIGCLASS_KEY && sigclass != SIGCLASS_KEYREV) { /* Hash the user id. */ hash_uid (md, sigversion, uid); @@ -1879,7 +1911,20 @@ make_keysig_packet (ctrl_t ctrl, sig->sig_class = sigclass; build_sig_subpkt_from_sig (sig, pksk, signhints); - mk_notation_policy_etc (ctrl, sig, pk, pksk); + + with_manu = 0; + if ((signhints & SIGNHINT_SELFSIG) /* Only for self-signatures. */ + && ((sigclass&~3) == SIGCLASS_CERT /* on UIDs and subkeys. */ + || sigclass == SIGCLASS_SUBKEY)) + { + if (opt.compliance == CO_DE_VS + && gnupg_rng_is_compliant (CO_DE_VS)) + with_manu = 23; /* Always in de-vs mode. */ + else if (!(opt.compat_flags & COMPAT_NO_MANU)) + with_manu = 1; + } + + mk_notation_policy_etc (ctrl, sig, pk, pksk, with_manu); /* Crucial that the call to mksubpkt comes LAST before the calls * to finalize the sig as that makes it possible for the mksubpkt 
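Review bot: `(sigclass&~3) == SIGCLASS_CERT` in the new log_assert depends on SIGCLASS_CERT being 0x10 with its low two bits clear, which is not obvious from the name alone; the same idiom is used again in the last hunk of this file. A short comment, `/* 0x10..0x13, the four certification classes. */`, next to the first use would make the bit trick self-documenting.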
@@ -2897,6 +2897,9 @@ msgstr "|FD|escriu informació d'estat en aquest FD" msgid "|ALGO|reject signatures made with ALGO" msgstr "" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Forma d'ús: gpgv [opcions] [fitxers] (-h per a veure l'ajuda)" @@ -2692,6 +2692,9 @@ msgstr "|FD|zapsat informace o stavu do tohoto FD" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGORITMUS|zamítnout podpisy založené na ALGORITMU" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Použití: gpg [volby] [soubory] (-h pro pomoc)" @@ -2944,6 +2944,9 @@ msgstr "|FD|skriv statusinformation til denne FD" msgid "|ALGO|reject signatures made with ALGO" msgstr "" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Brug: gpgv [tilvalg] [filer] (-h for hjælp)" @@ -9,7 +9,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg-2.4.1\n" "Report-Msgid-Bugs-To: [email protected]\n" -"PO-Revision-Date: 2025-06-02 15:40+0200\n" +"PO-Revision-Date: 2025-07-25 15:50+0200\n" "Last-Translator: Werner Koch <[email protected]>\n" "Language-Team: German\n" "Language: de\n" @@ -2693,6 +2693,9 @@ msgstr "|FD|Statusinfo auf FD (Dateihandle) ausgeben" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|Weise mit ALGO erstellte Signaturen zurück" +msgid "|NAME|print the notation NAME to stdout" +msgstr "|NAME|Gebe die \"Notation\" NAME auf stdout aus" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Aufruf: gpgv [Optionen] [Dateien] (-h für Hilfe)" @@ -2818,6 +2818,9 @@ msgstr "|FD|εγγραφή των πληροφοριών κατάστασης σ msgid "|ALGO|reject signatures made with ALGO" msgstr "" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Χρήση: gpgv [επιλογές] [αρχεία] (-h για βοήθεια)" 
@@ -2793,6 +2793,9 @@ msgstr "|FD|skribi statusinformojn al FD (dosierpriskribilo)" msgid "|ALGO|reject signatures made with ALGO" msgstr "" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + #, fuzzy msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Uzado: gpg [opcioj] [dosieroj] (-h por helpo)" @@ -2773,6 +2773,9 @@ msgstr "|FD|escribe información de estado en este descriptor de fichero" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|rechaza firmas hechas con ALGO" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Uso: gpgv [opciones] [ficheros] (-h para ayuda)" @@ -2802,6 +2802,9 @@ msgstr "|FP|kirjuta olekuinfo sellesse failipidemesse" msgid "|ALGO|reject signatures made with ALGO" msgstr "" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Kasuta: gpgv [võtmed] [failid] (-h näitab abiinfot)" @@ -2820,6 +2820,9 @@ msgstr "|FD|tilatiedot kirjoitetaan FD:iin" msgid "|ALGO|reject signatures made with ALGO" msgstr "" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Käyttö: gpgv [valitsimet] [tiedostot] (-h näyttää ohjeen)" @@ -2720,6 +2720,9 @@ msgstr "|FD|écrire l'état sur ce descripteur" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|rejeter les signatures faites avec ALGO" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Utilisation : gpgv [options] [fichiers] (-h pour l'aide)" @@ -2810,6 +2810,9 @@ msgstr "|DF|escribi-la información de estado a este DF" msgid "|ALGO|reject signatures made with ALGO" msgstr "" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Uso: gpgv [opcións] [ficheiros] (-h para ve-la axuda)" 
@@ -2802,6 +2802,9 @@ msgstr "|ÁL|állapotinformációk írása ÁL állományleíróra" msgid "|ALGO|reject signatures made with ALGO" msgstr "" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Használat: gpgv [opciók] [fájlok] (-h a súgóhoz)" @@ -2808,6 +2808,9 @@ msgstr "|FD|tulis info status ke FD ini" msgid "|ALGO|reject signatures made with ALGO" msgstr "" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Pemakaian: gpgv [opsi] [file] (-h untuk bantuan)" @@ -2704,6 +2704,9 @@ msgstr "|FD|scrivi le informazioni di stato sul FD" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|rifiuta le firme fatte con ALGO" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Uso: gpgv [opzioni] [file] (-h per l'aiuto)" @@ -2618,6 +2618,9 @@ msgstr "|FD|このFDにステイタス情報を書き出す" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|ALGOで作成された署名を拒絶する" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "使い方: gpgv [オプション] [ファイル] (ヘルプは -h)" @@ -2730,6 +2730,9 @@ msgstr "|FD|skrive statusinfo til denne FD" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|avvis signaturer som er laget med valgt ALGOritme" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Bruk: gpgv [valg] [filer] (-h for hjelp)" @@ -2771,6 +2771,9 @@ msgstr "|FD|statusinformatie naar deze bestandsindicator (FD) schrijven" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|handtekeningen gemaakt met ALGO verwerpen" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Gebruik: gpgv [opties] [bestanden] (-h voor hulp)" 
@@ -2661,6 +2661,9 @@ msgstr "|FD|pisanie opisu stanu do deskryptora FD" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|odrzucanie podpisów wykonanych podanym ALGOrytmem" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Składnia: gpgv [opcje] [pliki] (-h wyświetla pomoc)" @@ -2706,6 +2706,9 @@ msgstr "|FD|escrever informações de status para este FD" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|rejeitar assinaturas feitas com ALGO" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Uso: gpgv [opções] [ficheiros] (-h para ajuda)" @@ -2874,6 +2874,9 @@ msgstr "|FD|scrie informaţii de stare în acest FD" msgid "|ALGO|reject signatures made with ALGO" msgstr "" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Folosire: gpgv [opţiuni] [fişiere] (-h pentru ajutor)" @@ -2732,6 +2732,9 @@ msgstr "|FD|выводить информацию в файл с дескрип� msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|отвергать подписи, сделанные по данному алгоритму" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Вызов: gpgv [параметры] [файлы] (-h - подсказка)" @@ -2822,6 +2822,9 @@ msgstr "|FD|zapísať informácie o stave do tohto FD" msgid "|ALGO|reject signatures made with ALGO" msgstr "" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Použitie: gpgv [možnosti] [súbory] (-h pre pomoc)" @@ -3004,6 +3004,9 @@ msgstr "|FD|skriv statusinformation till denna FD" msgid "|ALGO|reject signatures made with ALGO" msgstr "" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Användning: gpgv [flaggor] [filer] (-h för hjälp)" 
@@ -2650,6 +2650,9 @@ msgstr "|FD|durum bilgisini bu FD'ye yaz" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|ALGO ile yapılan algoritmaları reddet" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Kullanım: gpgv [seçenekler] [dosyalar] (yardım için -h)" @@ -2771,6 +2771,9 @@ msgstr "|FD|записувати до дескриптора файла дані msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|відкидати підписи, створені за допомогою алгоритму ALGO" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Використання: gpgv [параметри] [файли] (-h — довідка)" diff --git a/po/zh_CN.po b/po/zh_CN.po index 8e0c267af..0d236b296 100644 --- a/po/zh_CN.po +++ b/po/zh_CN.po @@ -2620,6 +2620,9 @@ msgstr "|FD|把状态信息写入文件描述符 FD" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|拒绝由 ALGO 生成的签名" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "用法:gpgv [选项] [文件] (-h 获取帮助)" diff --git a/po/zh_TW.po b/po/zh_TW.po index 183967815..29489b9ff 100644 --- a/po/zh_TW.po +++ b/po/zh_TW.po @@ -2588,6 +2588,9 @@ msgstr "|檔案描述子|把狀態資訊寫入指定檔案描述子" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|駁回使用演算法建立的簽章" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "用法: gpgv [選項] [檔案] (或用 -h 求助)" diff --git a/sm/call-agent.c b/sm/call-agent.c index f2b7b6fba..c2875626b 100644 --- a/sm/call-agent.c +++ b/sm/call-agent.c @@ -979,6 +979,9 @@ istrusted_status_cb (void *opaque, const char *line) } else if ((s = has_leading_keyword (line, "TRUSTLISTFPR")) && *s) { + /* We see this only with the "LISTTRUSTED --status" command but + * not with ISTRUSTED. Thus the cache will only be filled by + * the former command. */ istrusted_cache_t ci; ci = xtrymalloc (sizeof *ci + strlen (s)); 
@@ -988,6 +991,9 @@ istrusted_status_cb (void *opaque, const char *line) memset (&ci->flags, 0, sizeof ci->flags); ci->next = parm->cache; parm->cache = ci; + /* Also need to clear the parm's flags which will be copied to + * the cache. */ + memset (&parm->flags, 0, sizeof ci->flags); } return 0; } diff --git a/sm/keylist.c b/sm/keylist.c index 41e7ca309..faa515ef5 100644 --- a/sm/keylist.c +++ b/sm/keylist.c @@ -179,6 +179,7 @@ static struct /* GnuPG extensions */ { "1.3.6.1.4.1.11591.2.1.1", "pkaAddress" }, + { "1.3.6.1.4.1.11591.2.1.2", "manuNotation" }, { "1.3.6.1.4.1.11591.2.2.1", "standaloneCertificate" }, { "1.3.6.1.4.1.11591.2.2.2", "wellKnownPrivateKey" }, { "1.3.6.1.4.1.11591.2.6.1", "gpgUsageCert", OID_FLAG_KP }, diff --git a/tools/decrypt.bat b/tools/decrypt.bat new file mode 100644 index 000000000..808689a11 --- /dev/null +++ b/tools/decrypt.bat @@ -0,0 +1,31 @@ +@echo on +rem Decrypt all files in the input to the output directory. +rem The input directory and the suffixes are defined by +rem constants given below. + +rem Set the input/output directories and the suffixes. +set INDIR=c:\input-files +set OUTDIR=c:\output-files +set INSUFFIX=.gpg +set OUTSUFFIX= +set LOGFILE=%APPDATA%\decrypt.log + +rem No serviceable parts below. + +set GPGARGS=--batch --yes --log-file "%LOGFILE%" --require-compliance +cd %INDIR% +mkdir %OUTDIR% 2>nul +for /R %%f in (*%INSUFFIX%) do ( + setlocal enabledelayedexpansion + for %%i in ("%%f") do ( + set filename=%%~ni + ) + set OUTPATH=%OUTDIR%\!filename!%OUTSUFFIX% + echo Decrypting %%f into !OUTPATH! >> "%LOGFILE%" + gpg %GPGARGS% -o "!OUTPATH!" -d -- "%%f" + if !errorlevel! neq 0 ( + echo Operation failed with return code: %errorlevel% >> "%LOGFILE%" + ) else ( + echo Operation finished successfully >> "%LOGFILE%" + ) +) |
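Review bot: The added `memset (&parm->flags, 0, sizeof ci->flags);` sizes the clear by ci->flags while the object being cleared is parm->flags; this is only correct as long as the two members stay the same type, and `sizeof parm->flags` ties the size to the object actually written. The comment explains the intent well; a note that the flags are accumulated per TRUSTLISTFPR line and must not leak into the next cache entry would make the reset's placement after `parm->cache = ci;` clearer. The surrounding function istrusted_status_cb starts in the previous hunk.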
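Review bot: Inside the parenthesised loop body of tools/decrypt.bat, `echo Operation failed with return code: %errorlevel%` expands `%errorlevel%` when the block is parsed, so the log always records a stale value; the `if` on the previous line already uses delayed expansion, and the echo should too: `echo Operation failed with return code: !errorlevel! >> "%LOGFILE%"`. `cd %INDIR%` is not checked, so if the input directory does not exist the recursive loop runs over whatever the current directory is and, with `--yes`, overwrites outputs there; `cd /d "%INDIR%" || exit /b 1` would stop that. `setlocal enabledelayedexpansion` is executed on every iteration without a matching `endlocal`, which nests a new environment each time; moving it above the loop (or adding `endlocal` at the end of the body) is the usual pattern.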