Merge pull request #274 from smlx/gpg-247

smlx · web-flow · commit e95377836aa8 · 2025-04-29T00:13:49.000+08:00
Support gnupg 2.4.7
diff --git a/go.mod b/go.mod
@@ -1,6 +1,7 @@
 module github.com/smlx/piv-agent
 
 go 1.23.2
+
 toolchain go1.24.1
 
 require (
diff --git a/internal/assuan/assuan.go b/internal/assuan/assuan.go
@@ -22,7 +22,7 @@ import (
 // version indicates the version of gpg-agent to emulate.
 // The gpg CLI client will emit a warning if this is lower than the version of
 // the gpg client itself.
-const version = "2.3.4"
+const version = "2.4.7"
 
 // The KeyService interface provides functions used by the Assuan FSM.
 type KeyService interface {
@@ -212,7 +212,8 @@ func New(rw io.ReadWriter, log *zap.Logger, n *notify.Notify,
 					}
 					if err != nil {
 						_, _ = io.WriteString(rw, "ERR 1 couldn't get key for keygrip\n")
-						return fmt.Errorf("couldn't get key for keygrip: %v", err)
+						log.Warn("couldn't get key for keygrip", zap.Error(err))
+						return nil // this is not a fatal error
 					}
 					_, err = io.WriteString(rw, "OK\n")
 				case setkeydesc:
@@ -253,6 +254,9 @@ func New(rw io.ReadWriter, log *zap.Logger, n *notify.Notify,
 					}
 					var plaintext, ciphertext []byte
 					ciphertext = bytes.Join(chunks, []byte("\n"))
+					// start notify timer
+					cancel := assuan.notify.Touch()
+					defer cancel()
 					plaintext, err = assuan.decrypter.Decrypt(nil, ciphertext, nil)
 					if err != nil {
 						return fmt.Errorf("couldn't decrypt: %v", err)
@@ -303,7 +307,7 @@ func (assuan *Assuan) havekey(rw io.ReadWriter, ks []KeyService) error {
 			_, _ = io.WriteString(rw, "ERR 1 couldn't list keygrips\n")
 			return err
 		}
-		// apply buggy libgcrypt encoding
+		// apply libgcrypt encoding
 		_, err = io.WriteString(rw, fmt.Sprintf("D %s\nOK\n",
 			PercentEncodeSExp(grips)))
 		return err
@@ -371,8 +375,8 @@ func haveKey(ks []KeyService, keygrips [][]byte) (bool, []byte, error) {
 	return false, nil, nil
 }
 
-// allKeygrips returns all keygrips available for any keyservice, concatenated
-// into a single byte slice.
+// allKeygrips returns all keygrips available for any of the given keyservices,
+// concatenated into a single byte slice.
 func allKeygrips(ks []KeyService) ([]byte, error) {
 	var grips []byte
 	for _, k := range ks {
diff --git a/internal/assuan/assuan_test.go b/internal/assuan/assuan_test.go
@@ -102,7 +102,7 @@ func TestSign(t *testing.T) {
 				"OK\n",
 				"OK\n",
 				"OK\n",
-				"D 2.3.4\n",
+				"D 2.4.7\n",
 				"OK\n",
 				"OK\n",
 				"OK\n",
@@ -314,7 +314,7 @@ func TestDecryptRSAKeyfile(t *testing.T) {
 				"OK\n",
 				"OK\n",
 				"OK\n",
-				"D 2.3.4\n",
+				"D 2.4.7\n",
 				"OK\n",
 				"OK\n",
 				"OK\n",
@@ -409,7 +409,7 @@ func TestSignRSAKeyfile(t *testing.T) {
 				"OK\n",
 				"OK\n",
 				"OK\n",
-				"D 2.3.4\n",
+				"D 2.4.7\n",
 				"OK\n",
 				"OK\n",
 				"OK\n",
@@ -600,7 +600,7 @@ func TestDecryptECDHKeyfile(t *testing.T) {
 				"OK\n",
 				"OK\n",
 				"OK\n",
-				"D 2.3.4\n",
+				"D 2.4.7\n",
 				"OK\n",
 				"OK\n",
 				"OK\n",
diff --git a/internal/assuan/fsm.go b/internal/assuan/fsm.go
@@ -158,6 +158,10 @@ var assuanTransitions = []fsm.Transition{
 		Src:   fsm.State(decryptingKeyIsSet),
 		Event: fsm.Event(pkdecrypt),
 		Dst:   fsm.State(waitingForCiphertext),
+	}, {
+		Src:   fsm.State(decryptingKeyIsSet),
+		Event: fsm.Event(reset),
+		Dst:   fsm.State(connected),
 	}, {
 		Src:   fsm.State(waitingForCiphertext),
 		Event: fsm.Event(havekey),
diff --git a/internal/assuan/sign.go b/internal/assuan/sign.go
@@ -29,8 +29,9 @@ func (a *Assuan) signRSA() ([]byte, error) {
 	if err != nil {
 		return nil, fmt.Errorf("couldn't sign: %v", err)
 	}
-	return []byte(fmt.Sprintf(`D (7:sig-val(3:rsa(1:s%d:%s)))`, len(signature),
-		PercentEncodeSExp(signature))), nil
+	var buf []byte
+	return fmt.Appendf(buf, `D (7:sig-val(3:rsa(1:s%d:%s)))`, len(signature),
+		PercentEncodeSExp(signature)), nil
 }
 
 // signECDSA returns a signature for the given hash.
@@ -60,6 +61,7 @@ func (a *Assuan) signECDSA() ([]byte, error) {
 		return nil, fmt.Errorf("couldn't read s as asn1.Integer")
 	}
 	// encode the params (r, s) into s-exp
-	return []byte(fmt.Sprintf(`D (7:sig-val(5:ecdsa(1:r32#%X#)(1:s32#%X#)))`,
-		r.Bytes(), s.Bytes())), nil
+	var buf []byte
+	return fmt.Appendf(buf, `D (7:sig-val(5:ecdsa(1:r32#%X#)(1:s32#%X#)))`,
+		r.Bytes(), s.Bytes()), nil
 }
diff --git a/internal/keyservice/gpg/keyservice.go b/internal/keyservice/gpg/keyservice.go
@@ -61,7 +61,7 @@ func (*KeyService) Name() string {
 func (g *KeyService) doDecrypt(k *packet.PrivateKey, uid string) error {
 	var pass []byte
 	var err error
-	for i := 0; i < retries; i++ {
+	for i := range retries {
 		pass, err = g.pinentry.GetPassphrase(
 			fmt.Sprintf("UserID: %s\rFingerprint: %X %X %X %X", uid,
 				k.Fingerprint[:5], k.Fingerprint[5:10], k.Fingerprint[10:15],

Original file line number	Diff line number	Diff line change
`@@ -29,8 +29,9 @@ func (a *Assuan) signRSA() ([]byte, error) {`
`29`	`29`	`if err != nil {`
`30`	`30`	`return nil, fmt.Errorf("couldn't sign: %v", err)`
`31`	`31`	`}`
`32`		- return []byte(fmt.Sprintf(`D (7:sig-val(3:rsa(1:s%d:%s)))`, len(signature),
`33`		`- PercentEncodeSExp(signature))), nil`
	`32`	`+ var buf []byte`
	`33`	+ return fmt.Appendf(buf, `D (7:sig-val(3:rsa(1:s%d:%s)))`, len(signature),
	`34`	`+ PercentEncodeSExp(signature)), nil`
`34`	`35`	`}`
`35`	`36`
`36`	`37`	`// signECDSA returns a signature for the given hash.`
`@@ -60,6 +61,7 @@ func (a *Assuan) signECDSA() ([]byte, error) {`
`60`	`61`	`return nil, fmt.Errorf("couldn't read s as asn1.Integer")`
`61`	`62`	`}`
`62`	`63`	`// encode the params (r, s) into s-exp`
`63`		- return []byte(fmt.Sprintf(`D (7:sig-val(5:ecdsa(1:r32#%X#)(1:s32#%X#)))`,
`64`		`- r.Bytes(), s.Bytes())), nil`
	`64`	`+ var buf []byte`
	`65`	+ return fmt.Appendf(buf, `D (7:sig-val(5:ecdsa(1:r32#%X#)(1:s32#%X#)))`,
	`66`	`+ r.Bytes(), s.Bytes()), nil`
`65`	`67`	`}`