aboutsummaryrefslogtreecommitdiffstats
path: root/g10 (follow)
Commit message (Collapse)AuthorAgeFilesLines
* gpg: New option --forbid-gen-key.Werner Koch2021-11-221-9/+38
| | | | | | | | | | | | * g10/gpg.c (oForbidGenKey, opts): New option. (mopt): New local struct (gen_key_forbidden): New. (main): Set and handle the option. -- In large system installation it is sometimes useful to make it a bit harder for users to generate their own keys. An example is a policy to not use on-disk keys.
* gpg,gpgsm: Add option --min-rsa-length.Werner Koch2021-11-182-0/+6
| | | | | | | | | | | | | | | * common/compliance.c (min_compliant_rsa_length): New. (gnupg_pk_is_compliant): Take in account. (gnupg_pk_is_allowed): Ditto. (gnupg_set_compliance_extra_info): New. * g10/gpg.c (oMinRSALength): New. (opts): Add --min-rsa-length. (main): Set value. * g10/options.h (opt): Add field min_rsa_length. * sm/gpgsm.c (oMinRSALength): New. (opts): Add --min-rsa-length. (main): Set value. * sm/gpgsm.h (opt): Add field min_rsa_length.
* Update release signing keysWerner Koch2021-11-131-0/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -- The last key is new. As usual the key is on a dedicated card with the Admin PIN accessible to a few core hackers. # ------------------------ >8 ------------------------ pub rsa3072 2017-03-17 [SC] [expires: 2027-03-15] 5B80C5754298F0CB55D8ED6ABCEF7E294B092E28 sig R BCEF7E294B092E28 2017-03-17 Andre Heinecke (Release Signing Key) uid Andre Heinecke (Release Signing Key) sig 3 BCEF7E294B092E28 2017-03-17 Andre Heinecke (Release Signing Key) sig 1FDF723CF462B6B1 2017-03-17 Andre Heinecke <[email protected]> pub ed25519 2020-08-24 [SC] [expires: 2030-06-30] 6DAA6E64A76D2840571B4902528897B826403ADA uid Werner Koch (dist signing 2020) sig 3 528897B826403ADA 2020-08-24 Werner Koch (dist signing 2020) sig 249B39D24F25E3B6 2020-08-24 Werner Koch (dist sig) sig 63113AE866587D0A 2020-08-24 [email protected] sig E3FDFF218E45B72B 2020-08-24 Werner Koch (wheatstone commit signing) sig F2AD85AC1E42B367 2020-08-24 Werner Koch <[email protected]> pub ed25519 2021-05-19 [SC] [expires: 2027-04-04] AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD uid Niibe Yutaka (GnuPG Release Key) sig 3 E98E9B2D19C6C8BD 2021-05-19 Niibe Yutaka (GnuPG Release Key) sig 00B45EBD4CA7BABE 2021-09-14 NIIBE Yutaka <[email protected]> sig E267B052364F028D 2021-09-14 NIIBE Yutaka <[email protected]> pub brainpoolP256r1 2021-10-15 [SC] [expires: 2029-12-31] 02F38DFF731FF97CB039A1DA549E695E905BA208 uid GnuPG.com (Release Signing Key 2021) sig 3 549E695E905BA208 2021-10-15 GnuPG.com (Release Signing Key 2021) sig 528897B826403ADA 2021-10-15 Werner Koch (dist signing 2020) sig E3FDFF218E45B72B 2021-10-15 Werner Koch (wheatstone commit signing)
* gpg: Remove stale ultimately trusted keys from the trustdb.Werner Koch2021-11-136-32/+84
| | | | | | | | | | | | | | | | * g10/tdbdump.c (export_ownertrust): Skip records marked with the option --trusted-key. (import_ownertrust): Clear the trusted-key flag. * g10/tdbio.h (struct trust_record): Add field flags. * g10/tdbio.c (tdbio_dump_record): Improve output. (tdbio_read_record, tdbio_write_record): Handle flags. * g10/trustdb.c (verify_own_keys): Clear stale trusted-keys and set the flag for new --trusted-keys. (tdb_update_ownertrust): Add arg as_trusted_key. Update callers. -- GnuPG-bug-id: 5685 Signed-off-by: Werner Koch <[email protected]>
* gpg: Fix printing of binary notations.Werner Koch2021-10-221-2/+6
| | | | | | | * g10/keylist.c (show_notation): Print binary notation from BDAT. -- GnuPG-bug-id: 5667
* gpg: New option --override-compliance-checkWerner Koch2021-10-133-11/+47
| | | | | | | | | | | | | | | | | | | | | | | | * g10/gpg.c (oOverrideComplianceCheck): New. (opts): Add new option. (main): Set option and add check for batch mode. * g10/options.h (opt): Add flags.override_compliance_check. * g10/sig-check.c (check_signature2): Factor complaince checking out to ... (check_key_verify_compliance): new. Turn error into a warning in override mode. -- There is one important use case for this: For systems configured globally to use de-vs mode, Ed25519 and other key types are not allowed because they are not listred in the BSI algorithm catalog. Now, our release signing keys happen to be Ed25519 and thus we need to offer a way for users to check new versions even if the system is in de-vs mode. This does on purpose not work in --batch mode so that scripted solutions won't accidently pass a signature check. GnuPG-bug-id: 5655 Backported-from-master: fb26e144adfd93051501d58f5d0d4f8826ddf436
* gpg: Skip the packet when not used for AEAD.NIIBE Yutaka2021-10-061-0/+1
| | | | | | | | | | * g10/free-packet.c (free_packet): Add the case for case PKT_ENCRYPTED_AEAD. -- GnuPG-bug-id: 5584 Signed-off-by: NIIBE Yutaka <[email protected]> (bug id fixed in this backport)
* Update release signing keys.Werner Koch2021-09-141-0/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -- These are now # ------------------------ >8 ------------------------ pub rsa3072 2017-03-17 [SC] [expires: 2027-03-15] 5B80C5754298F0CB55D8ED6ABCEF7E294B092E28 sig R BCEF7E294B092E28 2017-03-17 Andre Heinecke (Release Signing Key) uid Andre Heinecke (Release Signing Key) sig 3 BCEF7E294B092E28 2017-03-17 Andre Heinecke (Release Signing Key) sig 1FDF723CF462B6B1 2017-03-17 Andre Heinecke <[email protected]> pub ed25519 2020-08-24 [SC] [expires: 2030-06-30] 6DAA6E64A76D2840571B4902528897B826403ADA uid Werner Koch (dist signing 2020) sig 3 528897B826403ADA 2020-08-24 Werner Koch (dist signing 2020) sig 249B39D24F25E3B6 2020-08-24 Werner Koch (dist sig) sig 63113AE866587D0A 2020-08-24 [email protected] sig E3FDFF218E45B72B 2020-08-24 Werner Koch (wheatstone commit signing) sig F2AD85AC1E42B367 2020-08-24 Werner Koch <[email protected]> pub ed25519 2021-05-19 [SC] [expires: 2027-04-04] AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD uid Niibe Yutaka (GnuPG Release Key) sig 3 E98E9B2D19C6C8BD 2021-05-19 Niibe Yutaka (GnuPG Release Key) sig 00B45EBD4CA7BABE 2021-09-14 NIIBE Yutaka <[email protected]> sig E267B052364F028D 2021-09-14 NIIBE Yutaka <[email protected]>
* gpg: Print a note about the obsolete option --secret-keyring.Werner Koch2021-08-281-1/+1
| | | | | | -- GnuPG-bug-id: 2749
* gpg: Return SUCCESS/FAILURE status also for --card-edit/name.Werner Koch2021-08-201-3/+8
| | | | | | | * g10/card-util.c (change_name): Call write_sc_op_status. -- Reported-by: Joey Berkovitz
* gpg: Let --fetch-key return an exit code on failure.Werner Koch2021-06-252-4/+20
| | | | | | | | * g10/keyserver.c (keyserver_fetch): Return an error code. * g10/gpg.c (main) <aFetchKeys>: Return 1 in case of no data. -- GnuPG-bug-id: 5376
* gpg: Partial fix for Unicode problem in output files.Werner Koch2021-06-101-1/+1
| | | | | | | | | | * g10/openfile.c (overwrite_filep): Use gnupg_access. -- As said, this is just an obvious but partial fix. We need to review things for the output module. Signed-off-by: Werner Koch <[email protected]>
* w32: Change spawn functions to use Unicode version of CreateProcess.Werner Koch2021-06-081-6/+14
| | | | | | | | | | | | | | | | | | * common/exechelp-w32.c (gnupg_spawn_process): Change to use CreateProcessW. (gnupg_spawn_process_fd): Ditto. (gnupg_spawn_process_detached): Ditto. * g10/exec.c (w32_system): Ditto. -- GnuPG-bug-id: 4398 We do not use this weirdo CREATE_UNICODE_ENVIRONMENT flag because it does not make any sense to have non-ASCII names in the environment. I can't imagine why this should be used at all and rationale for this API features is, well, sparse. (cherry picked from commit cf2f6d8a3f0594c03c383b4989a3041e9c4536d7)
* w32: Always use Unicode for console input and output.Werner Koch2021-06-081-2/+12
| | | | | | | | | | | | | | | | | * common/init.c (_init_common_subsystems) [W32]: Set the codepage to UTF-8 for input and putput. Switch gettext to UTF-8. * g10/gpg.c (utf8_strings) [W32]: Make sure this is always set. -- With this patch the former patch to use ReadConsoleW and WriteConsoleW in ttyio.c are kind of superfluous because the ANSI version of these functions are also able to read/write UTF-8 directly given the console code page has been set correctly. However, this seems to work only with recent versions of Windows-10. GnuPG-bug-id: 4365 (cherry picked from commit 8c41b8aac3efb78178fe1eaf52d8d1bbc44941a8) Removed changes for "gpgconf --show-codepages" of the original patch.
* gpg: Prepare for globing with UTF-8.Werner Koch2021-06-081-4/+4
| | | | | | | | | | | | | | * g10/gpg.c (_dowildcard): Remove. (my_strusage): Enable wildcards using our new system. -- This patch actually removes the current globing using a mingw feature. We are not able to use this because it does not handle Unicode filenames. The plan is to implement this in init.c. This patch merely configures gpg to request globing. GnuPG-bug-id: 4398 (cherry picked from commit 8e15506d6680bbee85bc01453da28fc90b4cb673)
* gpg,sm: Simplify keyserver spec parsing.Werner Koch2021-05-264-276/+26
| | | | | | | | | | | | | | | | | | | | | | | | | | * common/keyserver.h: Remove. * sm/gpgsm.h (struct keyserver_spec): Remove. (opt): Change keyserver to a strlist_t. * sm/gpgsm.c (keyserver_list_free): Remove. (parse_keyserver_line): Remove. (main): Store keyserver in an strlist. * sm/call-dirmngr.c (prepare_dirmngr): Adjust for the strlist. Avoid an ambiguity in dirmngr by adding a prefix if needed. * g10/options.h (struct keyserver_spec): Move definition from keyserver.h to here. Remove most fields. * g10/keyserver.c (free_keyserver_spec): Adjust. (cmp_keyserver_spec): Adjust. (parse_keyserver_uri): Simplify. (keyidlist): Remove fakev3 arg which does not make any sense because we don't even support v3 keys. -- We now rely on the dirmngr to parse the keyserver specs. Thus a bad specification will not be caught immediately. However, even before that dirmngr had stricter tests. Signed-off-by: Werner Koch <[email protected]>
* gpg: Fix sending an OpenPGP key with umlaut to an LDAP keyserver.Werner Koch2021-05-181-75/+21
| | | | | | | | | | * g10/call-dirmngr.c (record_output): Rewrite. -- Thou shalt not percent-escape for C-unescaping. Fixes-commit: 51341badb623927f2a358588c725a356fc77dbe7 Signed-off-by: Werner Koch <[email protected]>
* gpg: Use a more descriptive prompt for symmetric decryption.Werner Koch2021-05-177-17/+35
| | | | | | | | | | | * g10/keydb.h (GETPASSWORD_FLAG_SYMDECRYPT): New. (passphrase_to_dek_ext): Remove this obsolete prototype. * g10/passphrase.c (passphrase_get): Add arg flags. Use new flag value. (passphrase_to_dek): Add arg flags and pass it on. * g10/mainproc.c (proc_symkey_enc): Use new flag. Signed-off-by: Werner Koch <[email protected]>
* gpg: Allow ECDH with a smartcard returning just the x-coordinate.Werner Koch2021-05-044-100/+143
| | | | | | | | | | | | | | | | | | | * g10/ecdh.c (pk_ecdh_encrypt_with_shared_point): Factor extraction part out to ... (extract_secret_x): new. Allow for x-only coordinate. (pk_ecdh_encrypt_with_shared_point): Change arg shared_mpi to (shared,nshared). Move param check to the top. Add extra safety check. (pk_ecdh_decrypt): Adjust for change. * g10/pkglue.c (get_data_from_sexp): New. (pk_encrypt): Use it for "s" and adjusted for changed pk_ecdh_encrypt_with_shared_point. * g10/pubkey-enc.c (get_it): Remove conversion to an MPI and call pk_ecdh_decrypt with the frame buffer. -- Backported-from-master: f129b0e97730b47d62482fba9599db39b526f3d2) Signed-off-by: Werner Koch <[email protected]>
* build: Silence two compiler warnings.Werner Koch2021-05-041-1/+1
| | | | --
* gpg: Fix mailbox based search via AKL keyserver method.Werner Koch2021-05-045-13/+11
| | | | | | | | | | | | | | | | | | * g10/keyserver.c (keyserver_import_name): Rename to ... (keyserver_import_mbox): this. And use mail search mode. * g10/getkey.c (get_pubkey_byname): Change the two callers. -- In contrast to a search via keyserver_import_ntds the older keyserver_import_name used a full match of the provided name despite that it is only called with an addr-spec (mbox). Due to the mode the pattern send to dirmngr was prefixed with a '=' and thus dirmngr used an exact search;. This did only work for provided user ids like "[email protected]" but not for "<[email protected]>" or "Foo <[email protected]>". The old code dates back to 2010. Signed-off-by: Werner Koch <[email protected]> (cherry picked from commit 4fcfac6feb2a6c2b14883ba406afc917e8d4be42)
* gpg: Auto import keys specified with --trusted-keys.Werner Koch2021-05-043-1/+41
| | | | | | | * g10/getkey.c (get_pubkey_with_ldap_fallback): New. * g10/trustdb.c (verify_own_keys): Use it. (cherry picked from commit 100037ac0f558e8959fc065d4703c85c2962489e)
* gpg: Allow decryption w/o public key but with correct card inserted.Werner Koch2021-05-042-0/+49
| | | | | | | | | | | | * agent/command.c (cmd_readkey): Add option --no-data and special handling for $SIGNKEYID and $AUTHKEYID. * g10/call-agent.c (agent_scd_getattr): Create shadow keys for KEY-FPR output. * g10/skclist.c (enum_secret_keys): Automagically get a missing public key for the current card. Signed-off-by: Werner Koch <[email protected]> Backported-from-master: 50293ec2ebf2a997dbad9a47166d694efcc0709a)
* gpg: Allow fingerprint based lookup with --locate-external-key.Werner Koch2021-05-036-44/+184
| | | | | | | | | | | | | | | | | | * g10/keyserver.c (keyserver_import_fprint_ntds): New. * g10/getkey.c (get_pubkey_byname): Detect an attempt to search by fingerprint in no_local mode. -- See the man page. For testing use gpg --auto-key-locate local,wkd,keyserver --locate-external-key \ FINGERPRINT with at least one LDAP keyserver given in dirmngr.conf. On Windows "ntds" may be used instead or in addtion to "keyserver". Signed-off-by: Werner Koch <[email protected]> (cherry picked from commit ec36eca08cdbf6653e7362e8e0e6c5f2c75b4a60)
* gpg: Lookup a missing public key of the current card via LDAP.Werner Koch2021-05-038-36/+77
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * g10/getkey.c (get_seckey_default_or_card): Lookup a missing public key from the current card via LDAP. * g10/call-dirmngr.c: Include keyserver-intetnal.h. (gpg_dirmngr_ks_get): Rename arg quick into flags. Take care of the new LDAP flag. * g10/keyserver-internal.h (KEYSERVER_IMPORT_FLAG_QUICK): New. Replace the use of the value 1 for the former quick arg. (KEYSERVER_IMPORT_FLAG_LDAP): New. * g10/keyserver.c (keyserver_get_chunk): Increase the reserved line length. * dirmngr/ks-action.c (ks_action_get): Add arg ldap_only. * dirmngr/server.c (cmd_ks_get): Add option --ldap. -- This change makes it easy to start working with gnupg: Just insert the smartcard or token provided to you and the first time you sign a message the public key associated with the current card will be imported and everything is set without any configuration. This works only with an LDAP directory because it can be expected that the public key has been put into the LDAP during card personalization. Of course an LDAP server needs to be configured; in a Windows AD domain this can be a mere "keyserver ldap:///" in dirmngr.conf. Other configured keyservers are ignored. Requirements for the card driver: The $SIGNKEYID attribute must exists and a query for the KEY-FPR attribute needs to return the OpenPGP fingerprint for that key. This is currently supported for OpenPGP cards and certain PKCS#15 cards. Signed-off-by: Werner Koch <[email protected]> (cherry picked from commit d7e707170fbe2956deb3d81e2802d21352079722)
* gpg: Minor restructuring of a function.Werner Koch2021-05-032-43/+51
| | | | | | | | -- This is for easier reading and future changing. (cherry picked from commit d984de172c29cd9a56e3a397bdb573519ff74e92)
* gpg: No warning in quiet mode for S2K mode 0.Werner Koch2021-04-291-1/+2
| | | | --
* common: Extend the openpgp_curve_to_oid function.Werner Koch2021-04-294-6/+7
| | | | | | | | | | | * common/openpgp-oid.c (openpgp_curve_to_oid): Add optional arg R_NBITS. Change all callers. -- In particular for ed25519 and cv25519 it is quite useful to have an ability to get the required algorithm. (cherry picked from commit 24095101a5069f15a9aea7512498ac436a76814a)
* gpg: Do not use self-sigs-only for LDAP keyserver imports.Werner Koch2021-04-133-3/+27
| | | | | | | | | | | | | | * dirmngr/ks-engine-ldap.c (ks_ldap_get): Print a SOURCE status. * g10/options.h (opts): New field expl_import_self_sigs_only. * g10/import.c (parse_import_options): Set it. * g10/keyserver.c (keyserver_get_chunk): Add special options for LDAP. -- I can be assumed that configured LDAP servers are somehow curated and not affected by rogue key signatures as the HKP servers are. Thus we can allow the import of key signature from LDAP keyservers by default. GnuPG-bug-id: 5387
* gpg: Fix new pseudo option compliance_de_vsWerner Koch2021-04-061-1/+1
| | | | | | | * g10/gpg.c (gpgconf_list): Take opt.compliance also in account. -- This makes it a one-stop check.
* gpgconf: Return a new pseudo option compliance_de_vs.Werner Koch2021-04-011-0/+5
| | | | | | | * tools/gpgconf-comp.c (gc_options_gpg): Add "compliance_de_vs". * g10/gpg.c (gpgconf_list): Return that pseudo option. Signed-off-by: Werner Koch <[email protected]>
* gpg: New option --force-sign-keyWerner Koch2021-03-113-4/+12
| | | | | | | | | | * g10/gpg.c (oForceSignKey,opts): New option "--force-sign-key". (main): Set it. * g10/options.h (opt): New flag flags.force_sign_key. * g10/keyedit.c (sign_uids): Use new flag. -- GnuPG-bug-id: 4584
* gpg: Keep temp files when opening images via xdg-openNicolas Fella via Gnupg-devel2021-03-011-1/+5
| | | | | | | | | | | | | * g10/photoid.c (get_default_photo_command): Change parameter for xdg-open. -- xdg-open spawns the user's preferred image viewer and then exits. Therefore we must not remove the temp file when it exits, otherwise by the time the actual image viewer is started the file doesn't exist any more. Signed-off-by: Nicolas Fella <[email protected]>
* Include the library version in the compliance checks.Werner Koch2021-01-281-0/+2
| | | | | | | | | | | | | | | | | | | * common/compliance.c (gnupg_gcrypt_is_compliant): New. (gnupg_rng_is_compliant): Also check library version. * g10/mainproc.c (proc_encrypted): Use new function. (check_sig_and_print): Ditto. * sm/decrypt.c (gpgsm_decrypt): Ditto. * sm/encrypt.c (gpgsm_encrypt): Ditto. * sm/verify.c (gpgsm_verify): Ditto -- This will eventually allow us to declare Libgcrypt 1.9 to be de-vs compliant. GnuPG can use this information then for its own checks. As of now GnuPG tests the version of the used library but that is a bit cumbersome to maintain. Signed-off-by: Werner Koch <[email protected]> (cherry picked from commit 90c514868ff5fcf6d39490d4874ac3a31ba9e85f)
* gpg: Fix ugly error message for an unknown symkey algorithm.Werner Koch2021-01-271-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | | * g10/mainproc.c (proc_symkey_enc): Do not continue with an unknown algorithm. -- Trying to encrypt data created with printf "\x8c\x49\x05\x0e\x0a\x03\x01" fails in version 2.2.19 with gpg: packet(3) with unknown version 5 but with later versions with gpg: encrypted with unknown algorithm 14 gpg: Ohhhh jeeee: ... this is a bug \ ([...]/passphrase.c:433:passphrase_to_dek) so we better catch this case earlier. Reported-by: Tavis Ormandy Signed-off-by: Werner Koch <[email protected]>
* gpg: Fix --gpgconf-list case with no conf files at all.Werner Koch2021-01-081-58/+7
| | | | | | | | | | | | | | * g10/gpg.c (get_default_configname): Remove unused function. (main): Provide a proper filename to gpgconf_list. -- With the new option pasrer we used "UNKOWN" in this case. The problem was that gpgconf --list-options chekcs that an absolute file is provided and thus bails out if no config file is in /etc/gnupg or in ~/.gnupg/. get_default_configname was not anymore in use because its function is part of the new option parser.
* gpg: Initialize a variable even in a never used code path.Werner Koch2020-12-231-0/+2
| | | | | | | | | | * g10/sign.c (write_signature_packets): Init ERR. -- Actually we could also remove the conditional or replace it by a log_assert. GnuPG-bug-id: 5204
* gpg: Fix --trusted-key with fingerprint arg.Werner Koch2020-12-181-1/+2
| | | | | | | | | * g10/trustdb.c (tdb_register_trusted_key): Take care of that other constant. -- Fixes-commit: 810ea2cc684480c6aadceb2a10dd00f3fa67f2fb Signed-off-by: Werner Koch <[email protected]>
* Merge branch 'wk/stable-2.2-global-options' into STABLE-BRANCH-2-2Werner Koch2020-12-182-152/+145
|\ | | | | | | --
| * Backport of the new option parser from 2.3Werner Koch2020-12-042-152/+145
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * configure.ac (GPGRT_ENABLE_ARGPARSE_MACROS): Define. * common/argparse.c, common/argparse.h: Rewrite. * tests/gpgscm/main.c: Switch to the new option parser. * g10/gpg.c: Switch to the new option parser and enable a global conf file. * g10/gpgv.c: Ditto. * agent/gpg-agent.c: Ditto. * agent/preset-passphrase.c: Ditto. * agent/protect-tool.c: Ditto. * scd/scdaemon.c: Ditto. * dirmngr/dirmngr.c: Ditto. * dirmngr/dirmngr_ldap.c: Ditto * dirmngr/dirmngr-client.c: Ditto. * kbx/kbxutil.c: Ditto. * tools/gpg-card.c: Ditto. * tools/gpg-check-pattern.c: Ditto. * tools/gpg-connect-agent.c: Ditto. * tools/gpg-pair-tool.c: Ditto. * tools/gpg-wks-client.c: Ditto. * tools/gpg-wks-server.c: Ditto. * tools/gpgconf.c: Ditto. * tools/gpgsplit.c: Ditto. * tools/gpgtar.c: Ditto. * g13/g13.c: Ditto. * g13/g13-syshelp.c: Ditto. Do not force verbose mode. * sm/gpgsm.c: Ditto. Add option --no-options. -- This is backport from master commit cdbe10b762f38449b86da69076209324b0c99982 commit ba463128ce65a0f347643f7246a8e097c5be19f1 commit 3bc004decd289810bc1b6ad6fb8f47e45c770ce6 commit 2c823bd878fcdbcc4f6c34993e1d0539d9a6b237 commit 0e8f6e2aa98c212442001036fb5178cd6cd8af59 but without changing all functions names to gpgrt. Instead we use wrapper functions which, when building against old Libgpg-error versions, are implemented in argparse.c using code from the current libgpg-error. This allows to keep the dependency requirement at libgpg-error 1.27 to support older distributions. Tested builds against 1.27 and 1.40-beta. Note that g13-syshelp does not anymore default to --verbose because that can now be enabled in /etc/gnupg/g13-syshelp.conf. GnuPG-bug-id: 4788 Signed-off-by: Werner Koch <[email protected]>
* | gpg: New AKL method "ntds"Werner Koch2020-12-176-0/+68
| | | | | | | | | | | | | | | | | | | | | | * dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Change the new support for KEYDB_SEARCH_MODE_MAIL. (ks_ldap_get): Add a debug. * g10/options.h (AKL_NTDS): New. * g10/keyserver.c (keyserver_import_ntds): New. (keyserver_get_chunk): Allow KEYDB_SEARCH_MODE_MAIL. * g10/getkey.c (parse_auto_key_locate): Support "ntds". (get_pubkey_byname): Ditto.
* | dirmngr: Store all version 2 schema attributes.Werner Koch2020-12-171-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | * g10/call-dirmngr.c (ks_put_inq_cb): Emit "fpr" records. * dirmngr/ks-engine-ldap.c (extract_attributes): Add args extract-state and schemav2. Add data for the new schema version. remove the legacy code to handle UIDs in the "pub" line. (ks_ldap_put): Set new attributes for NTDS use the fingerprint as CN. Signed-off-by: Werner Koch <[email protected]> This is a backport from 2.3
* | dirmngr: Do not store the useless pgpSignerID in the LDAP.Werner Koch2020-12-171-15/+0
|/ | | | | | | | | | | | | | | | | | | | | | | * dirmngr/ks-engine-ldap.c (extract_attributes): Do not store the pgpSignerID. * g10/call-dirmngr.c (ks_put_inq_cb): Do not emit sig records. -- The pgpSignerID has no use in the LDAP and thus don't store it. David's idea back in 2004 was /* This bit is really for the benefit of people who store their keys in LDAP servers. It makes it easy to do queries for things like "all keys signed by Isabella". */ See-commit: 3ddd4410aef928827e1c8d4fb02c1ccd3f8eaea5 I consider this dangerous because such a query is not able to validate the signature, does not get revocation signatures, and also has no information about the validity of the signatures. Further many keys are spammed tehse days with faked signatures and it does not make sense to blow up the LDAP with such garbage. Signed-off-by: Werner Koch <[email protected]>
* gpg: Provide better diagnostic for replaced card keys.Werner Koch2020-11-132-1/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | * agent/divert-scd.c (divert_pksign): Add arg 'grip'. Replace OPENPGP key reference to keygrips. (divert_pkdecrypt): Ditto. * agent/protect.c (parse_shadow_info): Trim spaces. * agent/pkdecrypt.c (agent_pkdecrypt): Pass the keygrip. * agent/pksign.c (agent_pksign_do): Ditto. * g10/mainproc.c (print_pkenc_list): Print extra info for an invalid id error. * g10/sign.c (do_sign): Ditto. -- Using the keygrip instead of the identifier works on OpenPGP cards and thus we use that to make sure that we are working on the right card. For other cards we better don't do that to avoid regressions. Those other cards are also usually provided and do not allow to self-generate the keys. Note that old versions of the code (gpg 1.4) used the fingerprint as additional check but that was eventually removed and now that we use the keygrip all over the place, it is best to use this to identify a key. Signed-off-by: Werner Koch <[email protected]>
* gpg: Fix the encrypt+sign hash algo preference selection for ECDSA.Werner Koch2020-11-133-38/+58
| | | | | | | | | | | | | | | | | * g10/keydb.h (pref_hint): Change from union to struct and add field 'exact'. Adjust callers. * g10/pkclist.c (algo_available): Take care of the exact hint. * g10/sign.c (sign_file): Fix indentation. Rework the hash from recipient prefs. -- This fixes a encrypt+sign case like: One recipient key has SHA512 as highest ranked hash preference but the the signing key is a 256 bit curve. Because we don't want to use a truncated hash with ECDSA, we need to have an exact match - this is in particular important for smartcard which check that the hash matches the curves. Signed-off-by: Werner Koch <[email protected]>
* gpg: Support brainpool keygen with "key from card".Werner Koch2020-11-111-0/+4
| | | | | | | * g10/keygen.c (ask_algo): Add brainpool hack in the same as for Nist curves. Signed-off-by: Werner Koch <[email protected]>
* w32: Support Unicode also for config files etc.Werner Koch2020-11-104-4/+4
| | | | | | | | | | | | | | * common/sysutils.c (gnupg_fopen) [W32]: Use _wfopen if needed. Use new function in most places where fopen is used. -- The config files in 2.2 are still read using fopen - we need to change this to allow Unicode directory names. There is also one case where files are written using the old fopen. The new option parser in 2.3 does not have this problem but at some places fopen is also still used. GnuPG-bug-id: 5098 Signed-off-by: Werner Koch <[email protected]>
* card: Run factory-reset in locked stated.Werner Koch2020-11-092-7/+47
| | | | | | | | | | | | | | | | * scd/command.c (reset_notify): Add option --keep-lock. (do_reset): Add arg keep_lock. (cmd_lock): Send progress status. * g10/call-agent.c (agent_scd_apdu): Add more pseudo APDUs. * g10/card-util.c (send_apdu): Ditto. (factory_reset): Use lock commands. -- This is required so that for example Kleopatra does not detect the RESET and issues a SERIALNO of its own, thus conflicting with our SERIALNO undefined. Signed-off-by: Werner Koch <[email protected]>
* gpg: Fix recent commit for weak digest algos and smartcards.Werner Koch2020-11-091-1/+1
| | | | | | | | * g10/sign.c (sign_file): Fix condition. -- Fixes-commit: 4c181d51a6f1fd05b7f190a18769ba5e9f892f6a Signed-off-by: Werner Koch <[email protected]>
* gpg: Add canceled status message.Ben Kibbey2020-11-091-1/+1
| | | | | | | | | | | | | * common/status.h (STATUS_CANCELED_BY_USER): New. * g10/passphrase.c (passphrase_to_dek): Send STATUS_CANCELED_BY_USER instead of STATUS_MISSING_PASSPHRASE when canceled is set. -- This is to prevent further pinentry tries when the pinentry is canceled by the user during symmetric decryption. Signed-off-by: Ben Kibbey <[email protected]> (cherry picked from commit 31e47dfad0f40e31e8b3113b933696e8e4105136)
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-20 21:42:18 +0000