Bug 427500 - gnupg2-2.0.8 missing german root cert(s)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: gnupg2
Version: 8
Hardware: i386 Linux
Priority: low
Severity: high
Assigned To: Rex Dieter
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened

Reported: 2008-01-04 04:01 EST by Klaus Steinberger
Modified: 2008-07-30 16:11 EDT (History)
Fixed In Version: 2.0.9-2.fc8
Doc Type: Bug Fix
Last Closed: 2008-07-30 16:11:22 EDT

Description Klaus Steinberger 2008-01-04 04:01:31 EST
Description of problem:


Version-Release number of selected component (if applicable): 2.0.8-1.fc8.i386


How reproducible: install update


Steps to Reproduce:
1. install the update to gnupg2-2.0.8-1.fc8.i386
2. Try to sign a mail in kontact/kmail
3. Error message "nich gefunden" pops up
  
Actual results:
Message could not be signed

Expected results:


Additional info:
A reinstall of the older gnupg2 Package solves the problem. Maybe a rebuild of
kontact/kmail against the newer gnupg2 Package is necessary?
Comment 1 Rex Dieter 2008-01-04 10:07:07 EST
WORKSFORME on my f7 box, I'll go try reproducing on f8...
Comment 2 Rex Dieter 2008-01-04 10:15:04 EST
Confirmed ok for me too on f8.

I notice your error is "nich gefunden" (German?), maybe it's a locale-specific 
issue? 

Please confirm your locale in use, and I'll try changing that too.
Comment 3 Klaus Steinberger 2008-01-11 02:36:01 EST
Sorry for my late response, was very busy this week.

Yes that's german:

My Locale is de_DE.UTF-8 the complete error message is:  "Signierung
fehlgeschlagen. nich gefunden"

Please note that there is also a little typo in the localisation, it should
correctly read:  "Signierung fehlgeschlagen: nicht gefunden"

But this error message is not very informative, as it doesn't say what's not found!

I also changed to US locale (switched to US through control-center), and the
problem remains. The error message is now: "signing error: not found"

The only cure I found was to force the installation of the old gnupg2 RPM.

I suppose that kontact/kmail needs a recompilation against the newer libassuan,
as libassuan is only available as a static library.

Sincerely,
Klaus Steinberger
Comment 4 Mike Pope 2008-01-15 23:44:51 EST
I can reproduce this problem in en_AU.UTF-8, and it's in gpg rather than kmail.
Running strace on kmail while signing reveals that it is
running "gpg ... --sign --detach --armor -u <uid>", which fails with the
message:
gpg: protection algorithm 1 (IDEA) is not supported
gpg: the IDEA cipher plugin is not present
gpg: please see http://www.gnupg.org/faq/why-not-idea.html for more information
gpg: skipped "<uid>": unknown cipher algorithm
gpg: signing failed: unknown cipher algorithm
This can be repeated at the command line. In fact, I can not get
any "gpg --sign" to work, even with --disable-cipher-algo IDEA or similar
settings in the gnupg config file.  gpg2 is no better.
Comment 5 Mike Pope 2008-01-18 01:24:44 EST
Further to the above, I am not able to reproduce on F8/x86_64 with 
gnupg-1.4.7-7.x86_64/gnupg2-2.0.8-1.fc8.x86_64.  The above observation was on 
F8/i686 with gnupg-1.4.7-7/gnupg2-2.0.8-1.fc8.  I should also add that where I 
wrote <uid>, it was chosen from a number of known-good-key uids from the local 
keyring.
Comment 6 Juha Tuomala 2008-02-07 11:33:32 EST
I've the default locale in f8 and kmail fails to encrypt messages. Signing 
works fine but not encryption.
Comment 7 Juha Tuomala 2008-02-07 11:35:18 EST
kdepim-3.5.8-11.svn20080109.ent.fc8
gnupg2-2.0.8-2.fc8
$ arch
x86_64

Comment 8 Rex Dieter 2008-02-07 12:20:10 EST
Our hunch atm is on pinentry, try this test build (when it finishes):
http://koji.fedoraproject.org/koji/taskinfo?taskID=401236
Comment 9 Juha Tuomala 2008-02-07 12:47:55 EST
This update seems to work for me. Nowadays messages in sent folder
aren't correctly encrypted, so you need to send to yourself to be sure
it encrypts.

Also noticed that kmail doesn't follow kaddressbook settings for 
encryption anymore.
Comment 10 Fedora Update System 2008-02-07 12:58:03 EST
pinentry-0.7.4-1.fc8 has been submitted as an update for Fedora 8
Comment 11 Fedora Update System 2008-02-07 13:09:31 EST
pinentry-0.7.4-1.fc7 has been submitted as an update for Fedora 7
Comment 12 Fedora Update System 2008-02-12 23:57:12 EST
pinentry-0.7.4-1.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update pinentry'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-1492
Comment 13 Klaus Steinberger 2008-02-14 06:59:54 EST
I just installed pinentry-0.7.4-1.fc8 from Fedora 8 testing, the problem still
persists
Comment 14 Juha Tuomala 2008-02-14 08:24:47 EST
Klaus, I'd be happy to test this with someone, please drop me an email to 
juha.tuomala@iki.fi , my key is in keyserver.
Comment 15 Klaus Steinberger 2008-02-15 06:17:32 EST
Juha,

no way to test it, since gnupg2-2.0.8 it just tells me a "not found" error
instead of the pinentry. The new pinentry version doesn't help, just the
reinstallation of gnupg2-2.0.7 cures the problem.

As a side note:  I use an S/MIME key for signing.

Sincerely,
Klaus
Comment 16 Fedora Update System 2008-02-20 21:52:36 EST
pinentry-0.7.4-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2008-02-20 21:56:59 EST
pinentry-0.7.4-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Klaus Steinberger 2008-02-21 12:09:15 EST
As I already noted, the new pinentry version doesn't cure the problem; it persists!

The only solution I found for me is to block update of gnupg2 and stay on
gnupg2-2.0.7-3.fc8

The new pinentry doesn't help, but it's ok so far as it doesn't break the old
gnupg2 version.

Please again look deeper into changes in gnupg2!
Comment 19 Rex Dieter 2008-02-21 12:24:48 EST
Klaus, Mike (comment #4), seem to be the only ones able to reproduce the
problem.  Both of you are on i386.  So, reopening and setting to i386-specific.

I'll be getting an f8/i386 box here in a bit, but in the meantime, frankly, I'm
stumped on how to further debug this, much less fix.  Would either of you mind
taking your issue to gnupg's upstream devs at 
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
?  They would likely be able to offer better help, insight at this point.
Comment 20 Rex Dieter 2008-02-21 12:25:48 EST
And while you're at it, please confirm problem still exists in the latest
gnupg2-2.0.8-2 builds in updates.
Comment 21 Klaus Steinberger 2008-02-21 12:37:31 EST
Yes it persists definitely with gnupg2-2.0.8-2, I just installed it to confirm.

Sincerely,
Klaus
Comment 22 Mike Pope 2008-02-21 19:08:11 EST
I can confirm that the problem is still there with gnupg2-2.0.8-2 on
F8/ix86/fully-updated, and gnupg-1.4.7-7 for that matter.  However, I fear it's
NOTABUG.  I have a lot of "old" (1997!) keys derived from good old pgp,
which alas, used the IDEA cypher extensively.  So whenever I try to sign
something, gpg looks for an IDEA module to operate on my keys.  As the error
message was showing, there is no IDEA module present in either gpg, and for
good reason: Bloody Software Patents.  I therefore absolve Fedora from fixing
this one.

I suspect if I rebuilt pgp-2.something, and called it gpg, all would be well.
Or built gnupg myself with the IDEA module that is out there (see 
http://www.nabble.com/IDEA-td15049933.html).
But I am probably just going to make some new keys and retire the IDEA-based 
ones.  Good luck Klaus if this is what you are seeing too.
Comment 23 Klaus Steinberger 2008-03-06 03:28:34 EST
I don't believe that the problem is with IDEA keys, alas if it would be, the
cryptic error message would be a bug for itself. I don't have such old keys in
my keyring, at least I believe there are no IDEA cyphers inside. Also signing on
the command line works well with gnupg2-2.0.8-2, but not together with kmail.

I even updated to the latest kde updates for Fedora 8, but as far as I install
also gnupg2-2.0.8-2 signing in kmail will no longer work. Again the only cure is
to revert to gnupg2-2.0.7-3.fc8

Sincerely,
Klaus
Comment 24 Andreas Petzold 2008-07-16 06:13:56 EDT
S/MIME signing is broken for me in kmail on a fully up-to-date f8 box. The 
error message is "Signing failed: not found".

I've noticed the following error messages in the gnupg log:
gpgsm[20609]: invalid country code in `/usr/share/gnupg/qualified.txt', line 196
gpgsm[20609]: checking the list of qualified root certificates failed: Bad data
[....]
gpgsm[20979]: checking for qualified certificate failed: Not found
gpgsm[20979]: error creating signature: Not found
gpgsm[20979.0] DBG: -> ERR 150994971 Not found

Line 196 and line 211 of /usr/share/gnupg/qualified.txt contain fingerprints 
of German CA certs. However the lines are missing the country code "de", which 
needs to be appended to the fingerprint just like for the other CAs. 
Appending "de" to the fingerprint lines fixes the problem and signing works 
again.

Cheers,
Andreas
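
A pre-deployment check for the failure described in comment 24, as an added example that is not part of the original bug report or of GnuPG's own code: it flags fingerprint lines in a qualified.txt-style file that lack a country code, so a single malformed entry is caught before it breaks signing. The line format (40 hex digits, optionally colon-separated, then a two-letter lowercase country code, with '#' starting a comment) is an assumption inferred from that comment, and the fingerprints are constructed sample values.

```python
import re

# Assumed entry format (inferred from comment 24, not taken from GnuPG source):
#   <SHA-1 fingerprint> <whitespace> <two-letter lowercase country code>
# The fingerprint may be 40 plain hex digits or 20 colon-separated hex pairs.
FPR_RE = re.compile(r"^(?:(?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2}|[0-9A-Fa-f]{40})$")
CC_RE = re.compile(r"^[a-z]{2}$")


def lint_qualified(text):
    """Return [(line_number, problem), ...] for every malformed entry."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no entry
        fields = line.split()
        if not FPR_RE.match(fields[0]):
            problems.append((lineno, "invalid fingerprint"))
        elif len(fields) < 2:
            # The defect reported in this bug: fingerprint with nothing after it.
            problems.append((lineno, "missing country code"))
        elif not CC_RE.match(fields[1]):
            problems.append((lineno, "invalid country code"))
    return problems


# Constructed sample input: these fingerprints are made-up byte patterns,
# not real CA certificate fingerprints.
FPR_A = ":".join("%02X" % b for b in range(20))
FPR_B = ":".join("%02X" % b for b in range(20, 40))
FPR_C = "AB" * 20
SAMPLE = "\n".join([
    "# constructed test list",
    FPR_A + "  de",   # line 2: well-formed
    FPR_B,            # line 3: country code missing, as in this bug
    FPR_C + "  DE",   # line 4: code present but not lowercase
    "",
    FPR_C + "  de",   # line 6: well-formed, plain-hex fingerprint
])

if __name__ == "__main__":
    for lineno, problem in lint_qualified(SAMPLE):
        print("line %d: %s" % (lineno, problem))
```

Running such a check in the package's build or test stage would make a broken list fail the build rather than surface later as a bare "Not found" at signing time.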
Comment 25 Rex Dieter 2008-07-16 11:34:08 EDT
Excellent detective-work!

OK, I've confirmed that the German code "de" exists in gnupg-2.0.9.  I'll issue
an update asap.
Comment 26 Fedora Update System 2008-07-16 12:12:33 EDT
gnupg2-2.0.9-2.fc8 has been submitted as an update for Fedora 8
Comment 27 Rex Dieter 2008-07-16 12:14:47 EDT
Hrm, we may be seeing some separate issues here, but we'll see how it goes.
Comment 28 Rex Dieter 2008-07-16 12:58:11 EDT
On closer inspection, gnupg-2.0.9's file is broken too.
Comment 29 Rex Dieter 2008-07-16 13:01:58 EDT
bleh, ignore me.  it's good.
Comment 30 Andreas Petzold 2008-07-17 03:50:45 EDT
I've downloaded gnupg2-2.0.9-2.fc8 (i386) from koji and I can confirm that 
signing emails (S/MIME) in kmail works again.
Comment 31 Fedora Update System 2008-07-17 10:15:15 EDT
gnupg2-2.0.9-2.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update gnupg2'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-6469
Comment 32 Fedora Update System 2008-07-30 16:11:19 EDT
gnupg2-2.0.9-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
