GnuPG 2.2.30 cannot do symmetric encryption

  • Done
Details
3 participants
  • Leo Famulari
  • Maxim Cournoyer
  • Michael Rohleder
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
Leo Famulari wrote on 14 Dec 2021 17:46
(address . bug-guix@gnu.org)
YbjKVHCCHa8OvKqS@jasmine.lan
Our GnuPG package is version 2.2.30, which includes this bug:


The effect of this bug is that symmetric encryption / decryption does
not work. The bug was fixed in 2.2.31 and 2.3.3.

Changing GnuPG will cause 2406 rebuilds. I think that's suboptimal but
it's the situation.

There is a gnupg-2.2.32 package, but it's hidden because it would break
emacs-pinentry:


Here is a patch that unhides gnupg-2.2.32, updates it to 2.2.33, and
makes emacs-pinentry use that package variant.

If emacs-pinentry cannot use a current GnuPG, what should we do? And
maybe we don't need emacs-pinentry anymore?:

https://emacs.stackexchange.com/a/64721

From b80a537cb9529b2f186519684901fe2be9e0a0f0 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Tue, 14 Dec 2021 11:40:28 -0500
Subject: [PATCH] gnu: GnuPG: Update gnupg-2.2.32 to 2.2.33.

* gnu/packages/gnupg.scm (gnupg-2.2.32): Replace with ...
(gnupg-2.2.33): ... new variable.
* gnu/packages/emacs-xyz.scm (emacs-pinentry)[propagated-inputs]: Use
gnupg-2.2.33.
---
gnu/packages/emacs-xyz.scm | 2 +-
gnu/packages/gnupg.scm | 13 +++----------
2 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/gnu/packages/emacs-xyz.scm b/gnu/packages/emacs-xyz.scm
index 32915fb6ed..5ce07645ce 100644
--- a/gnu/packages/emacs-xyz.scm
+++ b/gnu/packages/emacs-xyz.scm
@@ -21238,7 +21238,7 @@ (define-public emacs-pinentry
"1lf30q6r8nz5cjzclbb9bbymsk2y75nskvb55hnjdv93gr3j0sik"))))
(build-system emacs-build-system)
(propagated-inputs
- (list gnupg))
+ (list gnupg-2.2.33))
(home-page "https://elpa.gnu.org/packages/pinentry.html")
(synopsis "GnuPG Pinentry server implementation")
(description
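Review bot: the `(list gnupg-2.2.33)` line in emacs-pinentry's propagated-inputs ties emacs-xyz.scm to a version-numbered variable, so every later GnuPG bump has to rename the variable in gnupg.scm and touch this file again. A version-independent name for the variant would keep future updates to gnupg.scm alone. Since this is a propagated input, it also decides which GnuPG ends up in the user's profile, so it should be the same package that `guix install gnupg` selects once the variant is no longer hidden.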
diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index 665e9e3021..fc7c1fbee0 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -347,24 +347,17 @@ (define-public gnupg
(properties '((ftp-server . "ftp.gnupg.org")
(ftp-directory . "/gcrypt/gnupg")))))
-(define-public gnupg-2.2.32
+(define-public gnupg-2.2.33
(package
(inherit gnupg)
- (version "2.2.32")
-
- ;; Hide this version because packages like 'emacs-pinentry' propagate the
- ;; default GnuPG and "guix install gnupg emacs-pinentry" would fail with a
- ;; collision error.
- (properties `((hidden? . #t)
- ,@(package-properties gnupg)))
-
+ (version "2.2.33")
(source (origin
(inherit (package-source gnupg))
(uri (string-append "mirror://gnupg/gnupg/gnupg-" version
".tar.bz2"))
(sha256
(base32
- "0506gv54z10c96z5821z9p0ksibk1pfilsmag39ffqrcz0sinmxj"))))))
+ "1qz403080hwba8j8vpnfkvh7clg1dbg74kdn1d0p0g84iip87246"))))))
(define-public gnupg-1
(package (inherit gnupg)
--
2.34.0


Leo Famulari wrote on 14 Dec 2021 18:32
(address . bug-guix@gnu.org)
YbjVL1eB8/uHrpHJ@jasmine.lan
On Tue, Dec 14, 2021 at 11:46:12AM -0500, Leo Famulari wrote:
> Here is a patch that unhides gnupg-2.2.32, updates it to 2.2.33, and
> makes emacs-pinentry use that package variant.

After sending this patch, I noticed that gnupg-2.2.32 is also used by
qgpgme. This bug was noticed earlier, but misinterpreted.

Expect a v2 patch that uses 'gnupg-next' instead of gnupg-2.2.33, and
adjusts all users accordingly.


Leo Famulari wrote on 14 Dec 2021 18:33
[PATCH v2] gnu: GnuPG: Update gnupg-2.2.32 to 2.2.33.
(address . 52483@debbugs.gnu.org)
acf8ec40385cddea40b097479adbc62bcb870095.1639503219.git.leo@famulari.name
* gnu/packages/gnupg.scm (gnupg-2.2.32): Replace with ...
(gnupg-next): ... new variable.
(qgpgme)[native-inputs]: Replace gnupg-2.2.32 with gnupg-next.
* gnu/packages/emacs-xyz.scm (emacs-pinentry)[propagated-inputs]: Use
gnupg-next.
---
gnu/packages/emacs-xyz.scm | 2 +-
gnu/packages/gnupg.scm | 18 ++++--------------
2 files changed, 5 insertions(+), 15 deletions(-)

diff --git a/gnu/packages/emacs-xyz.scm b/gnu/packages/emacs-xyz.scm
index 32915fb6ed..b9818e92b9 100644
--- a/gnu/packages/emacs-xyz.scm
+++ b/gnu/packages/emacs-xyz.scm
@@ -21238,7 +21238,7 @@ (define-public emacs-pinentry
"1lf30q6r8nz5cjzclbb9bbymsk2y75nskvb55hnjdv93gr3j0sik"))))
(build-system emacs-build-system)
(propagated-inputs
- (list gnupg))
+ (list gnupg-next))
(home-page "https://elpa.gnu.org/packages/pinentry.html")
(synopsis "GnuPG Pinentry server implementation")
(description
diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index 665e9e3021..78dc1e2276 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -347,24 +347,17 @@ (define-public gnupg
(properties '((ftp-server . "ftp.gnupg.org")
(ftp-directory . "/gcrypt/gnupg")))))
-(define-public gnupg-2.2.32
+(define-public gnupg-next
(package
(inherit gnupg)
- (version "2.2.32")
-
- ;; Hide this version because packages like 'emacs-pinentry' propagate the
- ;; default GnuPG and "guix install gnupg emacs-pinentry" would fail with a
- ;; collision error.
- (properties `((hidden? . #t)
- ,@(package-properties gnupg)))
-
+ (version "2.2.33")
(source (origin
(inherit (package-source gnupg))
(uri (string-append "mirror://gnupg/gnupg/gnupg-" version
".tar.bz2"))
(sha256
(base32
- "0506gv54z10c96z5821z9p0ksibk1pfilsmag39ffqrcz0sinmxj"))))))
+ "1qz403080hwba8j8vpnfkvh7clg1dbg74kdn1d0p0g84iip87246"))))))
(define-public gnupg-1
(package (inherit gnupg)
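Review bot: `gnupg-next` is introduced here with no comment, while the only comment on the old variant is deleted, so nothing in gnupg.scm says why a second GnuPG exists or when it can be folded back into `gnupg`. A one- or two-line comment above `(define-public gnupg-next` giving the reason for the variant and the condition for removing it would help whoever does the next update. The visible lines also do not show whether the variant's source keeps the patches of the inherited origin; that is worth confirming, since only `uri` and `sha256` are overridden.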
@@ -440,11 +433,8 @@ (define-public qgpgme
(chdir "lang/qt")
#t)))))
(native-inputs
- ;; Use GnuPG 2.2.32. With 2.2.30, 'testSymmetricEncryptDecrypt' in
- ;; t-encrypt.cpp fails because 'gpg' wrongfully ask for a passphrase do
- ;; decrypt the cypher text.
(modify-inputs (package-native-inputs gpgme)
- (replace "gnupg" gnupg-2.2.32)
+ (replace "gnupg" gnupg-next)
(prepend pkg-config)))
(inputs
(modify-inputs (package-inputs gpgme)
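Review bot: the comment removed above `(modify-inputs (package-native-inputs gpgme)` was the only record of why qgpgme overrides its GnuPG input (the 'testSymmetricEncryptDecrypt' failure with 2.2.30), yet the override itself stays as `(replace "gnupg" gnupg-next)`. Keep a shortened comment naming the failing test and the affected version, so the `replace` can be dropped once the default `gnupg` is updated.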
--
2.34.0
Leo Famulari wrote on 17 Dec 2021 18:32
(address . 52483@debbugs.gnu.org)
YbzJmrStLCG2GCpn@jasmine.lan
On Tue, Dec 14, 2021 at 12:33:39PM -0500, Leo Famulari wrote:
> -(define-public gnupg-2.2.32
> +(define-public gnupg-next

I noticed that this package variant omits the pinentry patch. In any
case, I'm testing a full upgrade of gnupg to 2.2.33 for the version-1.4.0
branch.
Maxim Cournoyer wrote on 18 Dec 2021 05:56
Re: bug#52483: GnuPG 2.2.30 cannot do symmetric encryption
(name . Leo Famulari)(address . leo@famulari.name)(address . 52483@debbugs.gnu.org)
87mtky4ik6.fsf_-_@gmail.com
Hi!

Leo Famulari <leo@famulari.name> writes:

> On Tue, Dec 14, 2021 at 12:33:39PM -0500, Leo Famulari wrote:
>> -(define-public gnupg-2.2.32
>> +(define-public gnupg-next
>
> I noticed that this package variant omits the pinentry patch. In any
> case, I'm testing a full upgrade of gnupg to 2.2.33 for the version-1.4.0
> branch.

I'm testing this:

gnu: gnupg: Update to 2.3.3.

* gnu/packages/gnupg.scm (gnupg): Update to 2.3.3.
(gnupg-2.2.32): Delete variable.
(qgpgme)[native-inputs]: Use the regular gnupg package.

1 file changed, 4 insertions(+), 28 deletions(-)
gnu/packages/gnupg.scm | 32 ++++----------------------------

modified gnu/packages/gnupg.scm
@@ -279,15 +279,15 @@ (define-public npth
(define-public gnupg
(package
(name "gnupg")
- (version "2.2.30")
+ (version "2.3.3")
(source (origin
(method url-fetch)
- (uri (string-append "mirror://gnupg/gnupg/gnupg-" version
+ (uri (string-append "ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-" version
".tar.bz2"))
(patches (search-patches "gnupg-default-pinentry.patch"))
(sha256
(base32
- "1111ry31gaxv76miqsy6l0kwxwlx8sz0jk41jhyrjwx649p6sqyc"))))
+ "0dz9x0r5021bhk1kjh29m1q13xbslwb8yn9qzcp7b9m1lrnvi2ap"))))
(build-system gnu-build-system)
(native-inputs
(list pkg-config))
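Review bot: the `uri` line changes from `mirror://gnupg/gnupg/gnupg-` to a hard-coded `ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-`, and the commit message does not mention it. That drops the mirror fallback and pins the download to a single host over plain FTP; the sha256 still covers integrity, but availability gets worse. Keep the mirror:// form unless 2.3.3 is missing from the mirrors, and if that is the reason, say so in the log.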
@@ -347,25 +347,6 @@ (define-public gnupg
(properties '((ftp-server . "ftp.gnupg.org")
(ftp-directory . "/gcrypt/gnupg")))))
-(define-public gnupg-2.2.32
- (package
- (inherit gnupg)
- (version "2.2.32")
-
- ;; Hide this version because packages like 'emacs-pinentry' propagate the
- ;; default GnuPG and "guix install gnupg emacs-pinentry" would fail with a
- ;; collision error.
- (properties `((hidden? . #t)
- ,@(package-properties gnupg)))
-
- (source (origin
- (inherit (package-source gnupg))
- (uri (string-append "mirror://gnupg/gnupg/gnupg-" version
- ".tar.bz2"))
- (sha256
- (base32
- "0506gv54z10c96z5821z9p0ksibk1pfilsmag39ffqrcz0sinmxj"))))))
-
(define-public gnupg-1
(package (inherit gnupg)
(version "1.4.23")
@@ -437,14 +418,9 @@ (define-public qgpgme
"lang/cpp/src/libgpgmepp.la")
(symlink (string-append gpgme "/lib/libgpgme.la")
"src/libgpgme.la"))
- (chdir "lang/qt")
- #t)))))
+ (chdir "lang/qt"))))))
(native-inputs
- ;; Use GnuPG 2.2.32. With 2.2.30, 'testSymmetricEncryptDecrypt' in
- ;; t-encrypt.cpp fails because 'gpg' wrongfully ask for a passphrase do
- ;; decrypt the cypher text.
(modify-inputs (package-native-inputs gpgme)
- (replace "gnupg" gnupg-2.2.32)
(prepend pkg-config)))
(inputs
(modify-inputs (package-inputs gpgme)
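Review bot: the `(chdir "lang/qt")` lines drop a trailing `#t` from a build phase, which is unrelated to the GnuPG update and is not listed in the commit log (it mentions only `(qgpgme)[native-inputs]`). Either add an entry for the phase cleanup to the log or move it to a separate commit, so the version bump can be reverted on its own if 2.3.3 causes trouble.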

Maxim
Leo Famulari wrote on 19 Dec 2021 00:53
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)(address . 52483@debbugs.gnu.org)
Yb50XTFDq95dwz4s@jasmine.lan
On Fri, Dec 17, 2021 at 11:56:41PM -0500, Maxim Cournoyer wrote:
> I'm testing this:
>
> --8<---------------cut here---------------start------------->8---
> gnu: gnupg: Update to 2.3.3.
>
> * gnu/packages/gnupg.scm (gnupg): Update to 2.3.3.
> (gnupg-2.2.32): Delete variable.
> (qgpgme)[native-inputs]: Use the regular gnupg package.

Okay. Make sure to also adjust emacs-pinentry.

I tested with GnuPG 2.2.23 by building all packages that depend directly
on GnuPG. There were no new failures on x86_64-linux when using GnuPG
2.2.32.
Michael Rohleder wrote on 19 Dec 2021 02:32
(name . Leo Famulari)(address . leo@famulari.name)(address . 52483@debbugs.gnu.org)
875yrlbcqo.fsf@rohleder.de
Leo Famulari <leo@famulari.name> writes:
> If emacs-pinentry cannot use a current GnuPG, what should we do? And
> maybe we don't need emacs-pinentry anymore?:
>
> https://emacs.stackexchange.com/a/64721
>

I don't think emacs-pinentry is needed, because adding
"allow-emacs-pinentry" to gpg-agent.conf has worked (for me, at least)
for several years in (guix) emacs w/o using emacs-pinentry (or other
emacs customization).

---
We come into this world naked and breathe in.
We breathe out and leave this world with empty hands.
And in between we shape our lives.

Maxim Cournoyer wrote on 19 Dec 2021 21:25
(name . Leo Famulari)(address . leo@famulari.name)(address . 52483@debbugs.gnu.org)
874k744a0p.fsf@gmail.com
Hi Leo,

Leo Famulari <leo@famulari.name> writes:

> On Fri, Dec 17, 2021 at 11:56:41PM -0500, Maxim Cournoyer wrote:
>> I'm testing this:
>>
>> --8<---------------cut here---------------start------------->8---
>> gnu: gnupg: Update to 2.3.3.
>>
>> * gnu/packages/gnupg.scm (gnupg): Update to 2.3.3.
>> (gnupg-2.2.32): Delete variable.
>> (qgpgme)[native-inputs]: Use the regular gnupg package.
>
> Okay. Make sure to also adjust emacs-pinentry.
>
> I tested with GnuPG 2.2.23 by building all packages that depend directly
> on GnuPG. There were no new failures on x86_64-linux when using GnuPG
> 2.2.32.

I ended up sticking with 2.2.33, since this is the current "LTS"
release. Unfortunately it fails 3 new tests of python-gnupg, and its
author think it is a regression in GnuPG itself [0].


We'll see what upstream has to say about it.

Thank you,

Maxim
Leo Famulari wrote on 19 Dec 2021 21:33
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)(address . 52483@debbugs.gnu.org)
Yb+XDLIBmabb5d7S@jasmine.lan
On Sun, Dec 19, 2021 at 03:25:42PM -0500, Maxim Cournoyer wrote:
> I ended up sticking with 2.2.33, since this is the current "LTS"
> release. Unfortunately it fails 3 new tests of python-gnupg, and its
> author thinks it is a regression in GnuPG itself [0].
>
> [0] https://github.com/vsajip/python-gnupg/issues/163

Right, this is why I used 2.2.32.
Leo Famulari wrote on 19 Dec 2021 21:36
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)(address . 52483@debbugs.gnu.org)
Yb+XyR/XFKpKLr0s@jasmine.lan
On Sun, Dec 19, 2021 at 03:25:42PM -0500, Maxim Cournoyer wrote:
> > I tested with GnuPG 2.2.23 by building all packages that depend directly
> > on GnuPG. There were no new failures on x86_64-linux when using GnuPG
> > 2.2.32.

I see that my message was confusing, with mixed-up version numbers.
There are no regressions on x86_64 with 2.2.32. Since it fixes this bug,
I'd like to make it available soon. Maybe we can unhide the gnupg-2.2.32
variable, and remove emacs-pinentry, since everyone is saying that it's
no longer useful.
Leo Famulari wrote on 23 Dec 2021 01:01
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)(address . 52483@debbugs.gnu.org)
YcO8S9asaKAK6/fe@jasmine.lan
On Sun, Dec 19, 2021 at 03:36:25PM -0500, Leo Famulari wrote:
> On Sun, Dec 19, 2021 at 03:25:42PM -0500, Maxim Cournoyer wrote:
> > > I tested with GnuPG 2.2.23 by building all packages that depend directly
> > > on GnuPG. There were no new failures on x86_64-linux when using GnuPG
> > > 2.2.32.
>
> I see that my message was confusing, with mixed-up version numbers.
> There are no regressions on x86_64 with 2.2.32. Since it fixes this bug,
> I'd like to make it available soon. Maybe we can unhide the gnupg-2.2.32
> variable, and remove emacs-pinentry, since everyone is saying that it's
> no longer useful.

Here are patches for this: https://issues.guix.gnu.org/52744
Leo Famulari wrote on 26 Dec 2021 23:46
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)(address . 52483-done@debbugs.gnu.org)
Ycjw0XsEQZEwC06M@jasmine.lan
On Sun, Dec 19, 2021 at 03:36:25PM -0500, Leo Famulari wrote:
> On Sun, Dec 19, 2021 at 03:25:42PM -0500, Maxim Cournoyer wrote:
> > > I tested with GnuPG 2.2.23 by building all packages that depend directly
> > > on GnuPG. There were no new failures on x86_64-linux when using GnuPG
> > > 2.2.32.
>
> I see that my message was confusing, with mixed-up version numbers.
> There are no regressions on x86_64 with 2.2.32. Since it fixes this bug,
> I'd like to make it available soon. Maybe we can unhide the gnupg-2.2.32
> variable, and remove emacs-pinentry, since everyone is saying that it's
> no longer useful.

I pushed commit d03aa942d, which makes GnuPG 2.2.32 available in the UI.
I didn't remove emacs-pinentry... that's something that Emacs users
should decide how to handle.
Closed
This issue is archived.
