Parallel decrypts fail in 2.1.19

2017-03-22 Thread Michael Smith
We use gpg extensively, particularly as a part of salt-ssh. Lately,
salt-ssh runs against multiple instances have begun to fail in
rendering gpg-encrypted data. Looking into it, I learned that running
one gpg -d at a time works without any problem, but several runs in
parallel fail.

1. I create a file encrypted to myself. (I'm the default recipient.)
$ gpg -qeo junk <<< junk
2. I can decrypt the file if it's in a single run.
$ gpg -qd junk
junk
3. I cannot decrypt the junk with 10 runs in parallel. (Pinentry opens
during this run.)
$ yes junk | head -n10 | xargs -n1 -P10 gpg -qd
gpg: decryption failed: No secret key
gpg: decryption failed: No secret key
gpg: decryption failed: No secret key
gpg: decryption failed: No secret key
gpg: decryption failed: No secret key
gpg: decryption failed: No secret key
gpg: decryption failed: No secret key
gpg: decryption failed: No secret key
gpg: decryption failed: No secret key
gpg: decryption failed: No secret key
4. gpg-agent is no longer running

So...

I threw these options into ~/.gnupg/gpg-agent.log:
debug-pinentry
debug-level guru
log-file /tmp/agent.log
debug 1024
verbose

And tried the above again. This bit caught my eye:

2017-03-22 21:25:13 gpg-agent[3624] Warning: using insecure memory!
56ab56...
2017-03-22 21:25:14 gpg-agent[3624] DBG: rsa_decrypt  res: [out of core]
2017-03-22 21:25:14 gpg-agent[3624] O j: ... this is a bug
(sexp.c:1433:do_vsexp_sscan)

I searched for that output online and came across this message:
https://lists.gnutls.org/pipermail/gnupg-devel/2017-January/032489.html

The description there matches my experience, but that particular
double free seems to have been resolved already in 2.1.18, so I guess
I'm seeing a new bug. Has anyone come across this?

$ gpg --version
gpg (GnuPG) 2.1.19
libgcrypt 1.7.6

- Michael A. Smith

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Enquiry about the GnuPGP

2017-03-22 Thread Subhash Shrivastava
What is the full form of GnuPG?


GnuPGv2 & 'pinentry' on Linux w/ remote access

2017-03-22 Thread Sander Smeenk via Gnupg-users
Hi,

I'm trying to make the big step from GnuPG v1 to v2, but I'm experiencing
agonizing pains caused by the forced use of "pinentry" by gpg-agent and
friends, or rather the way the GPG_TTY stuff works?

I'm on Linux and I am not using Unity/Gnome/whatever, so I start X by
calling 'startx' and it invokes my .xsession that has ...

| GPG_TTY=$(tty)
| export GPG_TTY
| eval $(gpg-agent --daemon)

... where ssh-agent used to be, just before starting the window manager.
Then I have this gpg-agent.conf:

| enable-ssh-support
| pinentry-program /usr/bin/pinentry-curses
| default-cache-ttl 300
| max-cache-ttl 99

With this config, trying to decrypt a GPG-file, everything stalls
and undescriptive errors appear after staring at a blinking cursor
for quite some time.

So I learned that I could update GPG_TTY from my shellrc by doing...

| GPG_TTY=$(tty)
| export GPG_TTY
| gpg-connect-agent updatestartuptty /bye >/dev/null

... every time a new shell spawns. This kind of works.
At least the pinentry pops up in a terminal.

For GPG-related commands, the pinentry seems to pop up at the terminal
that is running a GPG-related command, but trying to use ssh randomly
pops the pinentry in a terminal unrelated to where I am running ssh.
Probably the terminal that was started last?

Then, when I ^C the ssh command that is seemingly hanging because
a pinentry popped up on some other workspace's terminal, the pinentry
program on the unrelated terminal completely messes up said terminal.

Sometimes resulting in *'s being displayed while typing, or letters
disappearing from the input altogether. In such situations it turns out
pinentry-curses was still running, even though my shell was also
interactive.

I can't fathom what I am doing wrong, but I must be doing something wrong.

Any tips?

And I haven't even started looking at "how can you use a gpg-agent that
is already running on a box that I am logging in to remotely" yet, sort of
what 'keychain' can do with ssh-agent.

Regards,
-Sndr.
-- 
| How can there be self-help "groups"?
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2



Re: Compiling GPG on Solaris 10

2017-03-22 Thread Terry Stewart

Thanks for the help everyone

Looking on my system I found an old version of libgcrypt-config in
/usr/bin. I was installing into /usr/local/bin, but /usr/bin was before
that in my PATH.


All working and compiled now

Regards

Terry


On 22/03/17 07:33, Werner Koch wrote:

On Wed, 22 Mar 2017 00:10, terry.stew...@mrc-bsu.cam.ac.uk said:


*** You need libgcrypt to build this program.
**  This library is for example available at
*** ftp://ftp.gnupg.org/gcrypt/libgcrypt/
*** (at least version 1.5.0 using API 1 is required.)

Did you install the development package for Libgcrypt or build and
install it yourself?

/usr/local/bin/libgcrypt-config --version

is the first thing that configure runs to get the libgcrypt
configuration (then --libs and --cflags are used).

If you look into config.log or scroll your tty up for the output of
configure, you will see some lines explaining why Libgcrypt was not
found.


Shalom-Salam,

Werner



--

Terry Stewart
MRC Biostatistics Unit
Cambridge Institute of Public Health
Forvie Site
Robinson Way
Cambridge Biomedical Campus
Cambridge
CB2 0SR


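Terry's fix above was a stale libgcrypt-config earlier in PATH shadowing the freshly built one. The following script is an added example, not part of the thread: it lists every copy of a tool in PATH order so the one configure will pick is obvious, and runs each with --version. It assumes a POSIX system; the tool name and the PATH string are parameters so any PATH can be inspected.

```python
"""Find every copy of a tool on PATH so that a stale one earlier in PATH
(here: an old libgcrypt-config in /usr/bin shadowing /usr/local/bin)
stands out.  Added example; not part of the mailing-list thread."""
import os
import subprocess


def find_on_path(tool, path=None):
    """Return every executable named `tool` in PATH order, winner first.
    `path` defaults to the live PATH; pass a string to inspect another one."""
    search = path if path is not None else os.environ.get("PATH", "")
    hits = []
    for d in search.split(os.pathsep):
        cand = os.path.join(d, tool)
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            hits.append(cand)
    return hits


def shadowed_copies(tool, path=None):
    """Return (winner, shadowed): the copy configure would run, and the
    copies later in PATH that it hides ((None, []) if none is found)."""
    hits = find_on_path(tool, path)
    return (hits[0], hits[1:]) if hits else (None, [])


def report_versions(tool="libgcrypt-config", path=None):
    """Run each copy with --version; return [(path, version or error)]."""
    out = []
    for exe in find_on_path(tool, path):
        try:
            ver = subprocess.run([exe, "--version"], capture_output=True,
                                 text=True, timeout=10).stdout.strip()
        except (OSError, subprocess.SubprocessError) as exc:
            ver = f"error: {exc}"
        out.append((exe, ver))
    return out


if __name__ == "__main__":
    winner, hidden = shadowed_copies("libgcrypt-config")
    print("configure will run:", winner)
    for exe in hidden:
        print("shadowed copy:", exe)
    for exe, ver in report_versions():
        print(f"  {exe} --version -> {ver}")
```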

Re: Compiling GPG on Solaris 10

2017-03-22 Thread Terry Stewart

Hi Werner

Thanks for replying.  I compiled libgcrypt from source (from 
https://www.gnupg.org/download/index.html) as well as the other dependencies


All these dependencies installed without error using
./configure
gmake
gmake check
gmake install

>> /usr/local/bin/libgcrypt-config --version
1.7.6

Configure was complaining about readline so I reinstalled that as well

checking whether regular expression support is requested... yes
checking for library containing regcomp... none required
checking for regcomp... yes
checking whether your system's regexp library is broken... no
checking zlib.h usability... yes
checking zlib.h presence... yes
checking for zlib.h... yes
checking for deflateInit2_ in -lz... yes
checking for bzlib.h... yes
checking for BZ2_bzCompressInit in -lbz2... yes
checking whether readline via "-lreadline" is present and sane... no
checking whether readline via "-lreadline -ltermcap" is present and 
sane... yes

configure: checking for cc features
checking if gcc ignores unknown -Wno-* options... no
checking if gcc supports -Wno-pointer-sign... no
checking if gcc supports -Wpointer-arith... yes
configure: checking system features for estream-printf
checking for stdint.h... (cached) yes
checking for long long int... (cached) yes
checking for long double... yes
checking for intmax_t... yes
checking for uintmax_t... yes
checking for ptrdiff_t... yes
checking size of unsigned long... (cached) 4
checking size of void *... 4
checking for nl_langinfo and THOUSANDS_SEP... no
configure: checking system features for estream
configure:
***
*** You need libgcrypt to build this program.
**  This library is for example available at
***   ftp://ftp.gnupg.org/gcrypt/libgcrypt/
*** (at least version 1.5.0 using API 1 is required.)
***
configure: error:







Re: Compiling GPG on Solaris 10

2017-03-22 Thread Terry Stewart

Hi Andy

I didn't have, but I've just installed it now.

13:07:>> automake --version
automake (GNU automake) 1.15

However no luck, still failing with the same error

checking for deflateInit2_ in -lz... yes
checking for bzlib.h... yes
checking for BZ2_bzCompressInit in -lbz2... yes
checking whether readline via "-lreadline" is present and sane... no
checking whether readline via "-lreadline -ltermcap" is present and 
sane... no
checking whether readline via "-lreadline -lcurses" is present and 
sane... no
checking whether readline via "-lreadline -lncurses" is present and 
sane... no

configure: checking for cc features
checking if gcc ignores unknown -Wno-* options... no
checking if gcc supports -Wno-pointer-sign... no
checking if gcc supports -Wpointer-arith... yes
configure: checking system features for estream-printf
checking for stdint.h... (cached) yes
checking for long long int... (cached) yes
checking for long double... yes
checking for intmax_t... yes
checking for uintmax_t... yes
checking for ptrdiff_t... yes
checking size of unsigned long... (cached) 4
checking size of void *... 4
checking for nl_langinfo and THOUSANDS_SEP... no
configure: checking system features for estream
configure:
***
*** You need libgcrypt to build this program.
**  This library is for example available at
***   ftp://ftp.gnupg.org/gcrypt/libgcrypt/
*** (at least version 1.5.0 using API 1 is required.)
***
configure: error:
***
*** Required libraries not found. Please consult the above messages
*** and install them before running configure again.
***


On 22/03/17 02:08, Andreas Hörmandinger wrote:

Hi,

do you have automake too?
If you take a quick look at configure.ac of
gpg 2.0, you will notice that it checks the presence of libgcrypt via
the automake macro AM_PATH_LIBGCRYPT.

hth,
Andy

2017-03-22 0:10 GMT+01:00 terry >:


Hi
I'm having problems compiling GPG on a Solaris 10 server using gcc
v.3.4.3 and gmake v.3.80

I've successfully compiled and installed the dependencies

Libgpg-error (v 1.27)
Libgcrypt(v 1.7.6)
Libksba  (v 1.3.5)
Libassuan(v 2.4.3)
nPth (v 1.3)
as below

./configure (no arguments, just used default)
gmake
gmake check (all tests passed)
gmake install

All libraries went into /usr/local/lib by default where I can see them
When it came to compiling gnupg-2.0.30 I have hit problems with
configure, which fails with the following
configure: checking system features for estream
configure:
***
*** You need libgcrypt to build this program.
**  This library is for example available at
*** ftp://ftp.gnupg.org/gcrypt/libgcrypt/

*** (at least version 1.5.0 using API 1 is required.)
***
configure:
***
*** It is now required to build with support for the
*** GNU Portable Threads Library (Pth). Please install this
*** library first.  The library is for example available at
*** ftp://ftp.gnu.org/gnu/pth/
*** On a Debian GNU/Linux system you can install it using
***   apt-get install libpth-dev
*** To build GnuPG for Windows you need to use the W32PTH
*** package; available at:
*** ftp://ftp.g10code.com/g10code/w32pth/

***
configure: error:
***
*** Required libraries not found. Please consult the above messages
*** and install them before running configure again.

I then installed pth-2.0.7 (again configure, gmake, gmake check
gmake install) and configure found pth, but I'm still getting the
libgcrypt error
I can see the libraries in /usr/local/lib
-rwxr-xr-x   1 root root274K Mar 21 17:46
libgpg-error.so.0.22.0
lrwxrwxrwx   1 root root  22 Mar 21 17:46
libgpg-error.so.0 -> libgpg-error.so.0.22.0
lrwxrwxrwx   1 root root  22 Mar 21 17:46
libgpg-error.so -> libgpg-error.so.0.22.0
-rwxr-xr-x   1 root root1.1K Mar 21 17:46
libgpg-error.la 
-rwxr-xr-x   1 root root477K Mar 21 17:47
libassuan.so.0.7.3
lrwxrwxrwx   1 root root  18 Mar 21 17:47
libassuan.so.0 -> libassuan.so.0.7.3
lrwxrwxrwx   1 root root  18 Mar 21 17:47 libassuan.so
-> libassuan.so.0.7.3
-rwxr-xr-x   1 root root1.2K Mar 21 17:47 libassuan.la

-rwxr-xr-x   1 root root844K Mar 21 17:48
libksba.so.8.11.6
lrwxrwxrwx   1 root root  17 Mar 21 17:48 libksba.so.8
-> libksba.so.8.11.6
lrwxrwxrwx   1 root root  17 Mar 21 17:48 libksba.so
-> libksba.so.8.11.6
-rwxr-xr-x   1 root root1.1K Mar 21 17:48 libksba.la

-rwxr-xr-x   1 root root 17K 

Re: Mac Pinentry problem

2017-03-22 Thread Peter Lebbing
On 17/03/17 22:44, Rainer Hoerbe wrote:
> I copied my key to a OpenPGP card and was able to create signatures
> and authentication via SSH using the card. Now moving to the Mac I
> am stuck with pinentry-mac, because it keeps asking me for another
> card.

I think GnuPG hasn't deleted your secret key stubs which still point to
the old smartcard with the different serial number. Unless I'm very much
mistaken, this is a shortcoming of GnuPG 2.1 currently.

The agent identifies keys by their so-called keygrip. You can see the
keygrips for your private key with:

$ gpg2 --with-keygrip -K 64C2F99E904F1906

These keygrips correspond to files in ~/.gnupg/private-keys-v1.d/. Just
bluntly remove these files, but be careful to only delete files
belonging to smartcard stubs! Double check each keygrip before deleting
them. In fact, make a backup of the directory first :-).

> gpg --delete-secret-keys 0x64C2F99E904F1906
> gpg2 --card-status
> gpg2 --clearsign /etc/hosts

Did you mean to write "gpg" there rather than "gpg2"?

You didn't indicate which version of GnuPG you're using, but your
problem sounds like a 2.1 problem to me. If you are using GnuPG 2.1, you
shouldn't mix it with GnuPG 1.4, that road leads to pain. They don't
share their private key storage, and might or might not share public key
storage depending on which version created the public key storage on the
very first invocation.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 




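Peter's advice above is to locate the keygrips of the old card's stubs and remove only those files from private-keys-v1.d. The following is an added example, not code from the thread or from GnuPG: it parses the documented `--with-colons --with-keygrip -K` listing (field 15 of sec/ssb records carries a stub's token serial number), confirms each candidate file really is a shadowed key, and moves rather than deletes it. The KEYDIR path and the `.key` file naming are assumptions about a default 2.1 homedir.

```python
"""List GnuPG 2.1 secret keys, mark smartcard stubs, and map each stub to
its file under private-keys-v1.d so stale stubs can be backed up and
removed deliberately.  Added example, not from the thread."""
import os
import shutil

KEYDIR = os.path.expanduser("~/.gnupg/private-keys-v1.d")


def parse_secret_listing(text):
    """Parse `gpg --with-colons --with-keygrip -K` output into
    [(keyid, keygrip, serial)]; serial is None unless the key is a stub.
    In sec/ssb records field 15 carries the token serial number of a
    card stub, '#' for a missing secret key, '+' for an on-disk key."""
    keys, current = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb"):
            serial = f[14] if len(f) > 14 else ""
            current = [f[4], None, serial if serial not in ("", "#", "+") else None]
        elif f[0] == "grp" and current is not None:  # grp follows its sec/ssb
            current[1] = f[9]
            keys.append(tuple(current))
            current = None
    return keys


def is_shadowed_key_file(path):
    """Card stubs are stored as a 'shadowed-private-key' S-expression (the
    extended format keeps it behind a 'Key:' header); real keys are
    'private-key' or 'protected-private-key'."""
    with open(path, "rb") as fh:
        return b"shadowed-private-key" in fh.read()


def stale_stub_files(keys, keydir=KEYDIR):
    """keygrip -> file, only for keys the listing marks as card stubs AND
    whose file really is shadowed, so a real key is never selected."""
    out = {}
    for _keyid, grip, serial in keys:
        path = os.path.join(keydir, grip + ".key")
        if serial and os.path.isfile(path) and is_shadowed_key_file(path):
            out[grip] = path
    return out


def backup_and_remove(paths, backup_dir):
    """Move (never delete) the stub files into backup_dir; returns new paths."""
    os.makedirs(backup_dir, exist_ok=True)
    return [shutil.move(p, os.path.join(backup_dir, os.path.basename(p))) for p in paths]
```

Feed `parse_secret_listing` the output of `gpg --with-colons --with-keygrip -K`, review what `stale_stub_files` returns, and only then hand those paths to `backup_and_remove`; with the new card inserted, `gpg --card-status` recreates the stubs.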

Re: Compiling GPG on Solaris 10

2017-03-22 Thread Werner Koch
On Wed, 22 Mar 2017 00:10, terry.stew...@mrc-bsu.cam.ac.uk said:

> *** You need libgcrypt to build this program.
> **  This library is for example available at
> *** ftp://ftp.gnupg.org/gcrypt/libgcrypt/
> *** (at least version 1.5.0 using API 1 is required.)

Did you install the development package for Libgcrypt or build and
install it yourself?

/usr/local/bin/libgcrypt-config --version

is the first thing that configure runs to get the libgcrypt
configuration (then --libs and --cflags are used).

If you look into config.log or scroll your tty up for the output of
configure, you will see some lines explaining why Libgcrypt was not
found.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.

