|Summary:||gnupg2-2.0.8 missing german root cert(s)|
|Product:||[Fedora] Fedora||Reporter:||Klaus Steinberger <klaus.steinberger>|
|Component:||gnupg2||Assignee:||Rex Dieter <rdieter>|
|Status:||CLOSED CURRENTRELEASE||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||8||CC:||axel.thimm, ltinkl, michael.pope, nalin, tuju|
|Fixed In Version:||2.0.9-2.fc8||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2008-07-30 20:11:22 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
Description Klaus Steinberger 2008-01-04 09:01:31 UTC
Description of problem: Version-Release number of selected component (if applicable): 2.0.8-1.fc8.i386 How reproducible: install update Steps to Reproduce: 1. install the update to gnupg2-2.0.8-1.fc8.i386 2. Try to sign a mail in kontact/kmail 3. Error message "nich gefunden" pops up Actual results: Message could not be signed Expected results: Additional info: A reinstall of the older gnupg2 Package solves the problem. Maybe a rebuild of kontact/kmail against the newer gnupg2 Package is necessary?
Comment 1 Rex Dieter 2008-01-04 15:07:07 UTC
WORKSFORME on my f7 box, I'll go try reproducing on f8...
Comment 2 Rex Dieter 2008-01-04 15:15:04 UTC
Confirmed ok for me too on f8. I notice your error is "nich gefunden" (German?), maybe it's a locale-specific issue? Please confirm your locale in use, and I'll try changing that too.
Comment 3 Klaus Steinberger 2008-01-11 07:36:01 UTC
Sorry for my late response, was very busy this week. Yes that's german: My Locale is de_DE.UTF-8 the complete error message is: "Signierung fehlgeschlagen. nich gefunden" Please note that there is also a little typo in the localisation, it should correctly read: "Signierung fehlgeschlagen: nicht gefunden" But this error message is not very informative, as it doesn't what's not found! I also changed to US locale (switched to US throug control-center), and the problem remains. The error message is now: "signing error: not found" The only cure I found was to force the installation of the old gnupg2 RPM. I suppose that kontact/kmail needs a recompilation against the newer libassuan, as libassuan is only available as a static library. Sincerly, Klaus Steinberger
Comment 4 Mike Pope 2008-01-16 04:44:51 UTC
I can reproduce this problem in en_AU.UTF-8, and its in gpg rather than kmail. Running strace on kmail while signing reveals that it is running "gpg ... --sign --detach --armor -u <uid>", which fails with the message: gpg: protection algorithm 1 (IDEA) is not supported gpg: the IDEA cipher plugin is not present gpg: please see http://www.gnupg.org/faq/why-not-idea.html for more information gpg: skipped "<uid>": unknown cipher algorithm gpg: signing failed: unknown cipher algorithm This can be repeated at the command line. In fact, I can not get any "gpg --sign" to work, even with --disable-cipher-algo IDEA or similar settings in the gnupg config file. gpg2 is no better.
Comment 5 Mike Pope 2008-01-18 06:24:44 UTC
Further to the above, I am not able to reproduce on F8/x86_64 with gnupg-1.4.7-7.x86_64/gnupg2-2.0.8-1.fc8.x86_64. The above observation was on F8/i686 with gnupg-1.4.7-7/gnupg2-2.0.8-1.fc8. I should also add that where I wrote <uid>, it was chosen from a number of known-good-key uids from the local keyring.
Comment 6 Juha Tuomala 2008-02-07 16:33:32 UTC
I've the default locale in f8 and kmail fails to encrypt messages. Signing works fine but not encryption.
Comment 7 Juha Tuomala 2008-02-07 16:35:18 UTC
kdepim-3.5.8-11.svn20080109.ent.fc8 gnupg2-2.0.8-2.fc8 $ arch x86_64
Comment 8 Rex Dieter 2008-02-07 17:20:10 UTC
Our hunch atm is on pinentry, try this test build (when it finishes): http://koji.fedoraproject.org/koji/taskinfo?taskID=401236
Comment 9 Juha Tuomala 2008-02-07 17:47:55 UTC
This updates seems to work for me. Nowdays messages in sent folder aren't correclty encrypted, so you need to send yourself to be sure it encrypts. Also noticed that kmail doesn't follow kaddressbook settings for encryption anymore.
Comment 10 Fedora Update System 2008-02-07 17:58:03 UTC
pinentry-0.7.4-1.fc8 has been submitted as an update for Fedora 8
Comment 11 Fedora Update System 2008-02-07 18:09:31 UTC
pinentry-0.7.4-1.fc7 has been submitted as an update for Fedora 7
Comment 12 Fedora Update System 2008-02-13 04:57:12 UTC
pinentry-0.7.4-1.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update pinentry'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-1492
Comment 13 Klaus Steinberger 2008-02-14 11:59:54 UTC
I just installed pinentry-0.7.4-1.fc8 from Fedora 8 testing, the problem still persists
Comment 14 Juha Tuomala 2008-02-14 13:24:47 UTC
Klaus, I'd be happy to test this with someone, please drop me an email to firstname.lastname@example.org , my key is in keyserver.
Comment 15 Klaus Steinberger 2008-02-15 11:17:32 UTC
Juha, no way to test it, since gnupg2-2.0.8 it just tells me a "not found" error instead of the pinentry. The new pinentry version doesn't help, just the reinstallation of gunpg2-2.0.7 cure's the problem. As a side note: I use an S/MIME key for signing. Sincerly, Klaus
Comment 16 Fedora Update System 2008-02-21 02:52:36 UTC
pinentry-0.7.4-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2008-02-21 02:56:59 UTC
pinentry-0.7.4-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Comment 18 Klaus Steinberger 2008-02-21 17:09:15 UTC
As I already noted the new pinentry Version doesn't cure the problem it persists! The only solution I found for me is to block update of gnupg2 and stay on gnupg2-2.0.7-3.fc8 The new pinentry doesn't help, but its ok so far as it doesn't break the old gnupg2 version. Please again look deeper into changes in gnupg2!
Comment 19 Rex Dieter 2008-02-21 17:24:48 UTC
Klaus, Mike (comment #4), seem to be the only ones able to reproduce the problem. Both of you are on i386. So, reopening and setting to i386-specific. I'll be getting an f8/i386 box here in a bit, but in the meantime, frankly, I'm stumped on how to further debug this, much less fix. Would either of you mind taking your issue to gnupg's upstream devs at http://lists.gnupg.org/mailman/listinfo/gnupg-devel ? They would likely be able to offer better help, insight at this point.
Comment 20 Rex Dieter 2008-02-21 17:25:48 UTC
And while you're at it, please confirm problem still exists in the latest gnupg2-2.0.8-2 builds in updates.
Comment 21 Klaus Steinberger 2008-02-21 17:37:31 UTC
Yes it persists definitely with gnupg2-2.0.8-2, I just installed it to confirm. Sincerly, Klaus
Comment 22 Mike Pope 2008-02-22 00:08:11 UTC
I can confirm that the problem is still there with gnupg2-2.0.8-2 on F8/ix86/fully-updated, and gnupg-1.4.7-7 for that matter. However, I fear its NOTABUG. I have a lot of ``old'' (1997!) keys derived from good old pgp, which alas, used the IDEA cypher extensively. So whenever I try to sign something, gpg looks for an IDEA module to operate on my keys. As the error message was showing, there is no IDEA module present in either gpg, and for good reason: Bloody Software Patents. I therefore absolve Fedora from fixing this one. I suspect if I rebuilt pgp-2.something,and called it gpg, all would be well. Or built gnupg myself with the IDEA module that is out there (see http://www.nabble.com/IDEA-td15049933.html). But I am probably just going to make some new keys and retire the IDEA-based ones. Good luck Klaus if this is what you are seeing too.
Comment 23 Klaus Steinberger 2008-03-06 08:28:34 UTC
I don't believe that the problem is with IDEA keys, alas if it would be, the cryptic error message would be a bug for itself. I don't have such old keys in my keyring, at least I believe there are no IDEA cypher inside. Also signing on the command line works well with gnupg2-2.0.8-2, but not together with kmail. I even updated to the latest kde updates for Fedora 8, but as far as I install also gnupg2-2.0.8-2 signing in kmail will no longer work. Again the only cure is to revert to gnupg2-2.0.7-3.fc8 Sincerly, Klaus
Comment 24 Andreas Petzold 2008-07-16 10:13:56 UTC
S/MIME signing is broken for me in kmail on a fully up-to-date f8 box. The error message is "Signing failed: not found". I've noticed the following error messages in the gnupg log: gpgsm: invalid country code in `/usr/share/gnupg/qualified.txt', line 196 gpgsm: checking the list of qualified root certificates failed: Bad data [....] gpgsm: checking for qualified certificate failed: Not found gpgsm: error creating signature: Not found gpgsm[20979.0] DBG: -> ERR 150994971 Not found Line 196 and line 211 of /usr/share/gnupg/qualified.txt contain fingerprints of German CA certs. However the lines are missing the country code "de", which needs to be appended to the fingerprint just like for the other CAs. Appending "de" to the fingerprint lines fixes the problem and signing works again. Cheers, Andreas
Comment 25 Rex Dieter 2008-07-16 15:34:08 UTC
Excellent detective-work! OK, I've confirmed that the German code "de" exists in gnupg-2.0.9. I'll issue an update asap.
Comment 26 Fedora Update System 2008-07-16 16:12:33 UTC
gnupg2-2.0.9-2.fc8 has been submitted as an update for Fedora 8
Comment 27 Rex Dieter 2008-07-16 16:14:47 UTC
Hrm, we may be seeing some separate issues here, but we'll see how it goes.
Comment 28 Rex Dieter 2008-07-16 16:58:11 UTC
On closer inspection, gnupg-2.0.9's file is broken too.
Comment 29 Rex Dieter 2008-07-16 17:01:58 UTC
bleh, ignore me. it's good.
Comment 30 Andreas Petzold 2008-07-17 07:50:45 UTC
I've downloaded gnupg2-2.0.9-2.fc8 (i386) from koji and I can confirm that signing emails (S/MIME) in kmail works again.
Comment 31 Fedora Update System 2008-07-17 14:15:15 UTC
gnupg2-2.0.9-2.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update gnupg2'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-6469
Comment 32 Fedora Update System 2008-07-30 20:11:19 UTC
gnupg2-2.0.9-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.