[Announce] GPGME 1.1.6 released

by Marcus Brinkmann

Hi,

We are pleased to announce version 1.1.6 of GnuPG Made Easy,
a library designed to make access to GnuPG easier for applications.
It may be found in the file (about 939 KB/730 KB compressed)
ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.6.tar.gz
ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.6.tar.bz2

The following files are also available:
ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.6.tar.gz.sig
ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.6.tar.bz2.sig
ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.5-1.1.6.diff.gz

It should soon appear on the mirrors listed at:
http://www.gnupg.org/mirrors.html

Bug reports and requests for assistance should be sent to:
gnupg-devel@...

The sha1sum checksums for this distribution are
ed2c9699367d1be32f84bf154673becd16deba0a  gpgme-1.1.5-1.1.6.diff.gz
05218df939d72c2fd6d74f22c2b5d5ade0718b7a  gpgme-1.1.6.tar.bz2
2c2994d98ab545d1bced14c0554f4a50fd8e0878  gpgme-1.1.6.tar.bz2.sig
8dee551f362fc428c25c9bd542ce944ac916347d  gpgme-1.1.6.tar.gz
996e0b48a4f5e0ce3029e95c310ae64af92a6131  gpgme-1.1.6.tar.gz.sig


Noteworthy changes in version 1.1.6 (2008-01-04)
------------------------------------------------

 * Bug fixes for W32.

 * A new, experimental (and thus undocumented and potentially
   unstable) interface for accessing gpg-conf through GPGME has been
   added.

 * Interface changes relative to the 1.1.1 release:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 gpgme_signature_t               EXTENDED: New field chain_model.
 gpgme_op_getauditlog_start      NEW.
 gpgme_op_getauditlog            NEW.
 GPGME_AUDITLOG_HTML             NEW.
 GPGME_AUDITLOG_WITH_HELP        NEW.


Marcus Brinkmann
mb@...

--
g10 Code GmbH       http://g10code.com      AmtsGer. Wuppertal HRB 14459
Hüttenstr. 61                               Geschäftsführung Werner Koch
D-40699 Erkrath  -=- The GnuPG Experts -=-  USt-Id DE215605608


_______________________________________________
Gnupg-announce mailing list
Gnupg-announce@...
http://lists.gnupg.org/mailman/listinfo/gnupg-announce
_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@...
http://lists.gnupg.org/mailman/listinfo/gnupg-devel

Re: [Announce] GPGME 1.1.6 released

by Alon Bar-Lev

On 1/4/08, Marcus Brinkmann <marcus.brinkmann@...> wrote:
> Hi,
>
> We are pleased to announce version 1.1.6 of GnuPG Made Easy,
> a library designed to make access to GnuPG easier for applications.

Hello,

Please fix some QA issues.
 * QA Notice: Package has poor programming practices which may compile
 *            fine but exhibit random runtime failures.
 * assuan-pipe-connect.c:593: warning: implicit declaration of function '_gpgme_io_pipe'
assuan-pipe-connect.c:638: warning: implicit declaration of function '_gpgme_io_spawn'

Attached is a temp fix, as including the priv-io.h conflicts with other
parts of the software.

Also... One test fails:

PASS: t-verify
Hallo Leute!
PASS: t-decrypt
t-sign.c:107: KSBA: Not found (9.27)
FAIL: t-sign
Begin Result:
Issuer ...: /CN=DFN Top Level Certification
Authority/OU=DFN-PCA/O=Deutsches
Forschungsnetz/C=DE/EMail=certify@...
Serial ...: 01
Subject ..: /CN=DFN Top Level Certification
Authority/OU=DFN-PCA/O=Deutsches
Forschungsnetz/C=DE/EMail=certify@...

During tests, the pinentry dialogs are shown, I must write "abc" for
tests to run (many times), can you please make the test use silent
passphrase?

Best Regards,
Alon Bar-Lev.

[gpgme-1.1.6-qa.patch]

diff -urNp gpgme-1.1.6.org/assuan/assuan-pipe-connect.c gpgme-1.1.6/assuan/assuan-pipe-connect.c
--- gpgme-1.1.6.org/assuan/assuan-pipe-connect.c 2007-09-27 15:00:05.000000000 +0200
+++ gpgme-1.1.6/assuan/assuan-pipe-connect.c 2008-01-04 17:35:04.000000000 +0200
@@ -39,6 +39,11 @@
 
 #include "assuan-defs.h"
 
+int _gpgme_io_pipe (int filedes[2], int inherit_idx);
+int _gpgme_io_spawn (const char *path, char **argv,
+     struct spawn_fd_item_s *fd_child_list,
+     struct spawn_fd_item_s *fd_parent_list);
+
 /* Hacks for Slowaris.  */
 #ifndef PF_LOCAL
 # ifdef PF_UNIX
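
Review bot: the two prototypes added after #include "assuan-defs.h" are hand-copied declarations, so the compiler no longer warns but also cannot check them against the real definitions; if the signature of _gpgme_io_pipe or _gpgme_io_spawn ever changes, this file will keep compiling against the stale copy. In addition, struct spawn_fd_item_s first appears inside the parameter list of _gpgme_io_spawn, and unless assuan-defs.h already declares it, the struct has prototype scope there and is not compatible with the real type. Suggest adding a forward declaration "struct spawn_fd_item_s;" above the prototypes and a comment saying they must be kept in sync with priv-io.h, or moving both declarations into a small header that assuan-pipe-connect.c and the I/O code can both include.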


Re: [Announce] GPGME 1.1.6 released

by Marcus Brinkmann

At Fri, 4 Jan 2008 17:45:16 +0200,
"Alon Bar-Lev" <alon.barlev@...> wrote:

> On 1/4/08, Marcus Brinkmann <marcus.brinkmann@...> wrote:
> > Hi,
> >
> > We are pleased to announce version 1.1.6 of GnuPG Made Easy,
> > a library designed to make access to GnuPG easier for applications.
>
> Hello,
>
> Please fix some qa issues.
>  * QA Notice: Package has poor programming practices which may compile
>  *            fine but exhibit random runtime failures.
>  * assuan-pipe-connect.c:593: warning: implicit declaration of
> function '_gpgme_io_pipe'
> assuan-pipe-connect.c:638: warning: implicit declaration of function
> '_gpgme_io_spawn'
>
> Attached is a temp fix, as including the priv-io.h conflicts with other
> parts of the software.

The fix is fine, priv-io.h is not part of assuan, and thus repeating
the internal declarations is good enough.
 

> Also... One test fails:
>
> PASS: t-verify
> Hallo Leute!
> PASS: t-decrypt
> t-sign.c:107: KSBA: Not found (9.27)
> FAIL: t-sign
> Begin Result:
> Issuer ...: /CN=DFN Top Level Certification
> Authority/OU=DFN-PCA/O=Deutsches
> Forschungsnetz/C=DE/EMail=certify@...
> Serial ...: 01
> Subject ..: /CN=DFN Top Level Certification
> Authority/OU=DFN-PCA/O=Deutsches
> Forschungsnetz/C=DE/EMail=certify@...

Which version of gpgsm do you use?  The tests run fine here.

> During tests, the pinentry dialogs are shown, I must write "abc" for
> tests to run (many times), can you please make the test use silent
> passphrase?

We already set GPG_AGENT_INFO to empty in the test environment (see
TEST_ENVIRONMENT in tests/gpgsm/Makefile.am).  I have no idea why this
is not working for you.  Did you run "make check" or invoked the test
manually?

Thanks,
Marcus


Re: [Announce] GPGME 1.1.6 released

by Alon Bar-Lev

On 1/4/08, Marcus Brinkmann <marcus.brinkmann@...> wrote:
> The fix is fine, priv-io.h is not part of assuan, and thus repeating
> the internal declarations is good enough.

This is not so good practice... You can separate these into their own
header file and include it from both places.

> Which version of gpgsm do you use?  The tests run fine here.

$ gpgsm --version
gpgsm (GnuPG) 2.0.8
Copyright (C) 2007 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Cipher: 3DES, AES, AES192, AES256, SERPENT128, SERPENT192, SERPENT256,
SEED, CAMELLIA128, CAMELLIA192, CAMELLIA256
Pubkey: RSA, ECDSA
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, WHIRLPOOL
Used libraries: gcrypt(1.4.0), ksba(1.0.2), assuan(1.0.4)

> We already set GPG_AGENT_INFO to empty in the test environment (see
> TEST_ENVIRONMENT in tests/gpgsm/Makefile.am).  I have no idea why this
> is not working for you.  Did you run "make check" or invoked the test
> manually?

I use "make check".

GPG_AGENT_INFO= echo alon | gpg2 --sign

Will result in running an agent by itself... right?

Alon.

Re: [Announce] GPGME 1.1.6 released

by Marcus Brinkmann

At Fri, 4 Jan 2008 18:01:19 +0200,
"Alon Bar-Lev" <alon.barlev@...> wrote:
>
> On 1/4/08, Marcus Brinkmann <marcus.brinkmann@...> wrote:
> > The fix is fine, priv-io.h is not part of assuan, and thus repeating
> > the internal declarations is good enough.
>
> This is not so good practice... You can separate these into their own
> header file and include it from both places.

Sometimes even good practices need to be broken.  This is such a case.
There is a better solution, but it requires major extensions to
libassuan, which we are not currently planning for (to be specific:
libassuan should provide hooks for everything gpgme needs to change in
its implementation.  Then we can just link to libassuan and remove the
local copy).

> > Which version of gpgsm do you use?  The tests run fine here.
>
> $ gpgsm --version
> gpgsm (GnuPG) 2.0.8

Ok, I used 2.0.4 for testing the release.  It is possible that
something changed which broke the test case, I'll have to check it
out.  Thanks for letting me know.

> > We already set GPG_AGENT_INFO to empty in the test environment (see
> > TEST_ENVIRONMENT in tests/gpgsm/Makefile.am).  I have no idea why this
> > is not working for you.  Did you run "make check" or invoked the test
> > manually?
>
> I use "make check".

Probably also related to the gpg/gpgsm version.
 
> GPG_AGENT_INFO= echo alon | gpg2 --sign
>
> Will result in running an agent by itself... right?

Mmh.  Did you specify gpg2 as default gpg for gpgme?  And did it ask
for the passphrase in tests/gpg or tests/gpgsm?  Actually, in which
particular test, gpg/t-sign?

Thanks,
Marcus



Re: [Announce] GPGME 1.1.6 released

by Alon Bar-Lev

On 1/4/08, Marcus Brinkmann <marcus.brinkmann@...> wrote:
> Mmh.  Did you specify gpg2 as default gpg for gpgme?  And did it ask

/usr/bin/gpg is link to /usr/bin/gpg2, gpgme configuration detect the
correct version.

> for the passphrase in tests/gpg or tests/gpgsm?  Actually, in which
> particular test, gpg/t-sign?

make  check-TESTS
make[3]: Entering directory `/home/alonbl/tmp/xx/gpgme-1.1.6/tests/gpg'
PASS: t-encrypt
<Dialog appear>

Same for other tests.

Alon.

Re: [Announce] GPGME 1.1.6 released

by Bugzilla from rdieter@math.unl.edu

Alon Bar-Lev wrote:

> Also... One test fails:
>
> PASS: t-verify
> Hallo Leute!
> PASS: t-decrypt
> t-sign.c:107: KSBA: Not found (9.27)
> FAIL: t-sign

Confirmed 'make check' failure here too (fedora, using gnupg2-2.0.8)

-- Rex


Re: [Announce] GPGME 1.1.6 released

by Marcus Brinkmann

At Fri, 4 Jan 2008 18:32:05 +0200,
"Alon Bar-Lev" <alon.barlev@...> wrote:
>
> On 1/4/08, Marcus Brinkmann <marcus.brinkmann@...> wrote:
> > Mmh.  Did you specify gpg2 as default gpg for gpgme?  And did it ask
>
> /usr/bin/gpg is link to /usr/bin/gpg2, gpgme configuration detect the
> correct version.

gpg2 does not seem to support passing the passphrase via the command
fd, and requires the use of a pinentry program.  I added a dummy
pinentry program to gpgme and a configuration file for gpg-agent to
use it.  You might try the SVN version again and see if that works for
you (it does for me).

The gpgsm problem is actually a bug in gpgsm's default qualified.txt
file, where the last two entries miss the country code.  I filed a
report for that, so it will be fixed soon.

Thanks,
Marcus


Re: [Announce] GPGME 1.1.6 released

by Alon Bar-Lev

On 1/10/08, Marcus Brinkmann <marcus.brinkmann@...> wrote:
> gpg2 does not seem to support passing the passphrase via the command
> fd, and requires the use of a pinentry program.

Why not use:

gpg --sign --batch --passphrase 'secret'

Regards,
Alon Bar-Lev.

Re: [Announce] GPGME 1.1.6 released

by Alon Bar-Lev

On 1/10/08, Alon Bar-Lev <alon.barlev@...> wrote:
> On 1/10/08, Marcus Brinkmann <marcus.brinkmann@...> wrote:
> > gpg2 does not seem to support passing the passphrase via the command
> > fd, and requires the use of a pinentry program.
>
> Why not use:
>
> gpg --sign --batch --passphrase 'secret'

Or:
gpg --sign --batch --passphrase-fd ###

>
> Regards,
> Alon Bar-Lev.
>

Re: [Announce] GPGME 1.1.6 released

by Werner Koch

On Thu, 10 Jan 2008 05:41, marcus.brinkmann@... said:

> gpg2 does not seem to support passing the passphrase via the command
> fd, and requires the use of a pinentry program.  I added a dummy

Right, the pinentry is required for interactive use.  However if you add
--batch you can still use an fd, string or file for the passphrase as
usual.  Note, that this feature will eventually be dropped for private
key operations.

> file, where the last two entries miss the country code.  I filed a
> report for that, so it will be fixed soon.

Done.  Thanks.


Salam-Shalom,

   Werner

--
Thoughts are free.  Exceptions are regulated by a federal law.


Re: [Announce] GPGME 1.1.6 released

by Alon Bar-Lev

On 1/10/08, Werner Koch <wk@...> wrote:
> Right, the pinentry is required for interactive use.  However if you add
> --batch you can still use an fd, string or file for the passphrase as
> usual.  Note, that this feature will eventually be dropped for private
> key operations.

Why drop?
How can batch applications do crypto operations without this option?
I guess they can write pinentry-env, and do:
PINENTRY_USER_DATA=secret gpg --sign <>

But this is much less secured than using fd.

Alon.
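
Added example, not part of the thread and not GnuPG or GPGME code: the three passphrase channels mentioned in the messages above (a --passphrase argument, the PINENTRY_USER_DATA environment variable, and a --passphrase-fd pipe) compared by what they leave readable under /proc. It assumes Linux; the child is a small Python stand-in for gpg, and SECRET and the helper names are constructed for the illustration.

```python
import os
import subprocess
import sys

SECRET = "constructed-passphrase-abc"  # constructed sample value, not a real passphrase

# Stand-in for gpg (assumption: a tiny Python child, not GnuPG itself). It takes the
# secret through one of the three channels, reports only its length, then idles so
# the parent can inspect it while it is still running.
CHILD = r'''
import os, sys, time
args = sys.argv[1:]
if args[:1] == ["--passphrase"]:
    pw = args[1]
elif args[:1] == ["--passphrase-fd"]:
    pw = os.read(int(args[1]), 4096).decode().rstrip("\n")
else:
    pw = os.environ.get("PINENTRY_USER_DATA", "")
print(len(pw), flush=True)
time.sleep(30)
'''


def proc_exposure(pid, secret):
    """Return the /proc views of `pid` in which `secret` can be read.

    /proc/<pid>/cmdline is readable by other local users by default;
    /proc/<pid>/environ is readable by the same uid and by root.
    """
    seen = set()
    for view in ("cmdline", "environ"):
        with open(f"/proc/{pid}/{view}", "rb") as fh:
            if secret.encode() in fh.read():
                seen.add(view)
    return seen


def run(channel):
    """Start the stand-in child with SECRET passed via `channel`.

    Returns (views in which the secret is visible, length the child received).
    """
    argv = [sys.executable, "-c", CHILD]
    env = dict(os.environ)
    pass_fds = ()
    r = w = None
    if channel == "argv":
        argv += ["--passphrase", SECRET]
    elif channel == "env":
        env["PINENTRY_USER_DATA"] = SECRET
    elif channel == "fd":
        r, w = os.pipe()
        argv += ["--passphrase-fd", str(r)]  # only the fd number is on the command line
        pass_fds = (r,)
    else:
        raise ValueError(channel)
    child = subprocess.Popen(argv, env=env, pass_fds=pass_fds,
                             stdout=subprocess.PIPE)
    try:
        if w is not None:
            os.close(r)                        # parent keeps only the write end
            os.write(w, SECRET.encode() + b"\n")
            os.close(w)
        received = int(child.stdout.readline())  # child has consumed the secret
        return proc_exposure(child.pid, SECRET), received
    finally:
        child.kill()
        child.wait()
        child.stdout.close()


if __name__ == "__main__":
    for channel in ("argv", "env", "fd"):
        views, length = run(channel)
        where = ", ".join(sorted(views)) or "neither view"
        print(f"{channel:4} child received {length} bytes; secret readable in: {where}")
```

In the fd case the secret still sits in the child's memory; the comparison only covers what the kernel publishes about the process.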

Re: [Announce] GPGME 1.1.6 released

by Werner Koch

On Thu, 10 Jan 2008 10:32, alon.barlev@... said:

> Why drop?

Because gpg2 will eventually work like gpgsm and not know anything about
secret keys.

> How can batch applications do crypto operations without this option?
> I guess they can write pinentry-env, and do:
> PINENTRY_USER_DATA=secret gpg --sign <>

Well, this is a hack to write a custom pinentry.  It is not intended to
convey the passphrase.  It is also very questionable why a batch
application needs a passphrase protected key at all.

The other solution is to use gpg-preset-passphrase.  This is similar to
a crypto file system and let you put the passphrase into RAM for later
use.



Salam-Shalom,

   Werner

--
Thoughts are free.  Exceptions are regulated by a federal law.


Re: [Announce] GPGME 1.1.6 released

by Alon Bar-Lev

On 1/10/08, Werner Koch <wk@...> wrote:
> The other solution is to use gpg-preset-passphrase.  This is similar to
> a crypto file system and let you put the passphrase into RAM for later
> use.

But this will not work for batch application serving multiple users.
Well... I can also --forget to present... But then it has some
weakness if this command is not run...

Alon.

Re: [Announce] GPGME 1.1.6 released

by Marcus Brinkmann

At Thu, 10 Jan 2008 13:26:09 +0200,
"Alon Bar-Lev" <alon.barlev@...> wrote:
>
> On 1/10/08, Werner Koch <wk@...> wrote:
> > The other solution is to use gpg-preset-passphrase.  This is similar to
> > a crypto file system and let you put the passphrase into RAM for later
> > use.
>
> But this will not work for batch application serving multiple users.

Can you describe your problem in more detail?

> Well... I can also --forget to present... But then it has some
> weakness if this command is not run...

Thanks,
Marcus


Re: [Announce] GPGME 1.1.6 released

by Alon Bar-Lev

On 1/10/08, Marcus Brinkmann <marcus.brinkmann@...> wrote:
> Can you describe your problem in more detail?

It is not my problem... Well... kind of... as you guys keep breaking
backward compatibility, and I get all the bugs of depended packages.

For example, if you have webmail that holds gpg keys on behalf of its
users... Current implementations enables users to specify passphrase
using html dialog, and pipe the passphrase into the gpg application.
Agent mode is not suitable for this kind of operation.

Alon.

Re: [Announce] GPGME 1.1.6 released

by Marcus Brinkmann

At Thu, 10 Jan 2008 15:40:15 +0200,
"Alon Bar-Lev" <alon.barlev@...> wrote:
>
> On 1/10/08, Marcus Brinkmann <marcus.brinkmann@...> wrote:
> > Can you describe your problem in more detail?
>
> It is not my problem... Well... kind of... as you guys keep breaking
> backward compatibility, and I get all the bugs of depended packages.

gpg and gpg2 are separate product lines, which are both fully
supported for the foreseeable future.
 
> For example, if you have webmail that holds gpg keys on behalf of its
> users... Current implementations enables users to specify passphrase
> using html dialog, and pipe the passphrase into the gpg application.
> Agent mode is not suitable for this kind of operation.

That's a very specialized application domain which requires a ton of
further considerations, and a lot of effort to get it "right"
(arguably, your assumptions already restrict the feasible security
that can be achieved).  Under such circumstances, I don't think it is
unreasonable to require some extra effort in choosing an appropriate
pinentry solution.  The gpg2 framework allows for a number of
solutions here, but which one is best requires careful considerations
to the specific requirements.

Thanks,
Marcus


Re: [Announce] GPGME 1.1.6 released

by Alon Bar-Lev

On 1/10/08, Marcus Brinkmann <marcus.brinkmann@...> wrote:

> At Thu, 10 Jan 2008 15:40:15 +0200,
> "Alon Bar-Lev" <alon.barlev@...> wrote:
> >
> > On 1/10/08, Marcus Brinkmann <marcus.brinkmann@...> wrote:
> > > Can you describe your problem in more detail?
> >
> > It is not my problem... Well... kind of... as you guys keep breaking
> > backward compatibility, and I get all the bugs of depended packages.
>
> gpg and gpg2 are separate product lines, which are both fully
> supported for the foreseeable future.

Forcing users to install both versions on their system, maintaining
problem with each is incorrect approach. But whatever... we cannot
change this now.

> > For example, if you have webmail that holds gpg keys on behalf of its
> > users... Current implementations enables users to specify passphrase
> > using html dialog, and pipe the passphrase into the gpg application.
> > Agent mode is not suitable for this kind of operation.
>
> That's a very specialized application domain which requires a ton of
> further considerations, and a lot of effort to get it "right"
> (arguably, your assumptions already restrict the feasible security
> that can be achieved).  Under such circumstances, I don't think it is
> unreasonable to require some extra effort in choosing an appropriate
> pinentry solution.  The gpg2 framework allows for a number of
> solutions here, but which one is best requires careful considerations
> to the specific requirements.

This answer is political and not technical... There are working
applications *NOW* and you are going to break them.
But again... this is irrelevant now... from experience you guys will
do whatever you like, forwarding the issue to distribution
maintainers.

Alon.

Re: [Announce] GPGME 1.1.6 released

by Marcus Brinkmann

At Thu, 10 Jan 2008 18:49:00 +0200,
"Alon Bar-Lev" <alon.barlev@...> wrote:

> > > For example, if you have webmail that holds gpg keys on behalf of its
> > > users... Current implementations enables users to specify passphrase
> > > using html dialog, and pipe the passphrase into the gpg application.
> > > Agent mode is not suitable for this kind of operation.
> >
> > That's a very specialized application domain which requires a ton of
> > further considerations, and a lot of effort to get it "right"
> > (arguably, your assumptions already restrict the feasible security
> > that can be achieved).  Under such circumstances, I don't think it is
> > unreasonable to require some extra effort in choosing an appropriate
> > pinentry solution.  The gpg2 framework allows for a number of
> > solutions here, but which one is best requires careful considerations
> > to the specific requirements.
>
> This answer is political and not technical... There are working
> applications *NOW* and you are going to break them.

Consider applications using GPGME.  These applications will register a
passphrase callback handler, but with gpg2 it will simply not be used,
and for the application it looks like no passphrase is required to use
the key.

I suggest that if you know about specific applications that work with
gpg but break with gpg2, you let us know about the details and we work
something out in each particular case.  This invitation extends to all
software developers and distribution maintainers, of course.  We are
in fact very concerned about backward compatibility, which you can see
by our track record in maintaining the libgcrypt and GPGME API/ABI,
for example.

> But again... this is irrelevant now... from experience you guys will
> do whatever you like, forwarding the issue to distribution
> maintainers.

We want to work together with you and other distribution maintainers,
but we can not promise to never change anything, as that would
preclude useful and important improvements in the architecture.  If
you are concerned about particular problems, we are very interested in
hearing about them.

The issue at hand is, by the way, deeply technical: We want to move to
an architecture where secret key management is unified and properly
encapsulated.  That this makes sense can be seen from the important
use case of smart card readers with number pads, where the pin is
never even seen by the host computer.

This is not a new development.  For example, we have for years refused
to extend GPGME by secret key management interfaces (apart from the
generic edit interface as a work around), specifically because of the
architectural problems such interfaces would create.

Thanks,
Marcus


Re: [Announce] GPGME 1.1.6 released

by Werner Koch

On Thu, 10 Jan 2008 14:40, alon.barlev@... said:

> For example, if you have webmail that holds gpg keys on behalf of its
> users... Current implementations enables users to specify passphrase

Actually one guy contacted me offlist to help with a university webmail
application.  We agreed that adding the envvar PINENTRY_USER_DATA allows
to pass user data all the way down to pinentry, so that he could write a
wrapper for pinentry.

If you have a specific problem please describe it at the list and we can
discuss a solution.



Salam-Shalom,

   Werner


--
Thoughts are free.  Exceptions are regulated by a federal law.

