On Thu, Feb 05, 2026 at 03:34:39PM +0000, Stuart Henderson wrote:
> I'm running into an intermittent build failure of notmuch on i386.
> During configure it tries to use gmime to decrypt an email and check
> that the session key is as expected.
>
> On amd64 and aarch64 this runs reliably for me.
>
> On i386 it's hit and miss, usually miss, reported "decryption failed".
>
> Extracting the check so I can run it separately as a test case, if
> on first run it returns "decryption failed", re-running it typically
> repeats the failure for a while, but after some time it starts working
> (and then seems to work reliably if re-run using the same test dir).

That's probably to do with some caching in the gpg-agent.

> No idea what triggered this, it didn't used to happen, and I don't
> see any updates of related ports. Same happens if I backout gnupg to
> 2.4.8.

As mentioned elsewhere, it's the libgcrypt 1.12.0 update that makes
gpg-agent fail in do_unprotect() calling gcry_test_pkey().

Diff below works around this test failure for me. It's going to introduce
a timing leak since it's disabling part of this commit:

https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=4f56fd8c5e03f389a9f27a5e9206b9dfb49c92e3

So I am unsure we want to commit this.

I'd appreciate if someone else could confirm this and report it upstream.
It's time for me to shut down my poor old x230i. Its fans started
sounding like someone's drilling a hole into my living room wall...

> Any ideas?
>
> Test case attached. To use: pkg_add gmime30 gnupg, run the script,
> if it fails ("decryption failed") then re-run the command printed
> at the bottom. Success looks like
> "9:496A0B6D15A5E7BA762FB8E5FE6DEE421D4D9BBFCEAD1CDD0CCF636D07ADE621".

Index: Makefile =================================================================== RCS file: /cvs/ports/security/libgcrypt/Makefile,v diff -u -p -r1.100 Makefile --- Makefile 30 Jan 2026 09:05:01 -0000 1.100 +++ Makefile 5 Feb 2026 23:08:01 -0000 @@ -6,6 +6,7 @@ USE_NOEXECONLY= Yes COMMENT= crypto library based on code used in GnuPG DISTNAME= libgcrypt-1.12.0 +REVISION= 0 CATEGORIES= security Index: patches/patch-mpi_ec_c =================================================================== RCS file: patches/patch-mpi_ec_c diff -N patches/patch-mpi_ec_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-mpi_ec_c 5 Feb 2026 23:08:01 -0000 
@@ -0,0 +1,12 @@ +Index: mpi/ec.c +--- mpi/ec.c.orig ++++ mpi/ec.c +@@ -305,7 +305,7 @@ ec_mod (gcry_mpi_t w, mpi_ec_t ec) + else + _gcry_mpi_mod (w, w, ec->p); + +- if ((ec->flags & GCRYECC_FLAG_LEAST_LEAK)) ++ if (0 && (ec->flags & GCRYECC_FLAG_LEAST_LEAK)) + w->nlimbs = ec->p->nlimbs; + } +
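
Review bot: the `0 &&` added to the condition in ec_mod() turns off the GCRYECC_FLAG_LEAST_LEAK branch unconditionally, so `w->nlimbs = ec->p->nlimbs;` never runs on any architecture, and the new patches/patch-mpi_ec_c starts directly at "Index: mpi/ec.c" with no comment saying why. The failure in this thread was only reported on i386 and the sender notes the change introduces a timing leak, so add a comment at the top of the patch file naming the gpg-agent failure and the upstream commit whose behaviour is being disabled, which makes it clear the workaround is to be dropped once upstream has a fix. If it is committed at all, consider whether it can be limited to the affected architecture instead of being applied everywhere.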
