Bug 419656 - KMyMoney embedded GPG version out of date
Summary: KMyMoney embedded GPG version out of date
Status: RESOLVED FIXED
Alias: None
Product: kmymoney
Classification: Applications
Component: packaging
Version: 5.0.6
Platform: Microsoft Windows
: NOR major
Target Milestone: ---
Assignee: KMyMoney Devel Mailing List
URL:
Keywords:
Depends on:
Blocks: 426400
 
Reported: 2020-04-05 02:39 UTC by veperr
Modified: 2021-07-17 13:30 UTC (History)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:


Attachments

Description veperr 2020-04-05 02:39:44 UTC
SUMMARY
Two related issues (can split into separate bug reports if desired):
1) The version of GPG (2.0.22) included with KMyMoney (current release 5.0.6) was deemed End of Life on December 31, 2017, per: https://www.gnupg.org/download/index.html

2) KMyMoney will not work with current versions of Gpg4win (the official supported full version of GPG for Windows), instead it only works with the out of date embedded version of GPG. 

STEPS TO REPRODUCE
1. Install KMyMoney (kmymoney5-mingw64-5.0.6-8.1-setup.exe) on Windows 10
2. Install Gpg4win (Gpg4win 3.1.11) on Windows 10
3. Try to use Kleopatra (a component of Gpg4win) to manage Key Pairs per the Gpg4win instructions.

OBSERVED RESULT
KMyMoney will not recognize keypairs generated via Kleopatra (and thus generated by the underlying gpg.exe version 2.2.19.7300 installed by Gpg4win). Using the embedded (but out of date) version of gpg that came with KMyMoney works, but it is really bad to have to use security software that is over two years beyond end of life.

EXPECTED RESULT
1) Version of gpg embedded in KMyMoney should be a currently supported version
2) KMyMoney should also (and preferentially) support using a non-embedded version of GPG, namely the version recommended on the GPG website (https://www.gnupg.org/index.html), in those cases where people have installed the current version of GPG (Gpg4Win) separately. 

SOFTWARE/OS VERSIONS
Windows: Windows 10, x64, 10.0.18362 Build 18362
macOS: 
Linux/KDE Plasma: 
(available in About System)
KDE Plasma Version: 
KDE Frameworks Version: 
Qt Version: 

ADDITIONAL INFORMATION
Both the homepage of the GPG website: https://www.gnupg.org/index.html
and the download page: https://www.gnupg.org/download/index.html
Reference Gpg4Win as the "Full featured Windows version of GnuPG".
This is why I believe KMyMoney should preferentially work with that version when installed, and when it is not, then fall back to the version embedded with KMyMoney (but that version too should be a version that is officially supported).

I ranked the severity as major as it's an out of date security component.

Thank you,
veperr
Comment 1 Ralf Habacker 2021-04-15 12:59:25 UTC
> Two related issues (can split into separate bug reports if desired):

> 2) KMyMoney should also (and preferentially) support using a non-embedded version of GPG,

Please do that, as this is a separate feature request.

> 1) Version of gpg embedded in KMyMoney should be a currently supported version

An update to 2.2.27 is in the works for the cross-compiled snapshots.

Snapshots from the binary factory do not have embedded gpg support yet; see bug 435761 for an associated feature request.
Comment 2 Ralf Habacker 2021-04-19 19:54:51 UTC
(In reply to Ralf Habacker from comment #1)
> An update to 2.2.27 is in the works for the cross-compiled snapshots.

The 32bit snapshots from https://kmymoney.org/snapshots.php now have a current gpg version (2.2.27) embedded.

Please note that this gpg update from version 2.0 to 2.2 means that existing private keys cannot be used by default. They must be exported from the older version and imported into the newer version.

1. before starting kmymoney or any gpg2-related command, open the command shell in the kmymoney bin directory and execute

    robocopy /MIR %USERPROFILE%\gnupg %USERPROFILE%\AppData\Roaming\gnupg

2. open a second command shell in the bin directory of the old kmymoney installation and run

    gpg2 --list-secret-keys

    # inspect the list of displayed keys, look for "pub 2048R/xxxxx" or similar

    gpg2 --output <some-path>/xxxx.key --export-secret-keys xxxx

    # Repeat this for each additional key to be exported

3. switch to the command shell opened during the new installation and run

    gpg2 --import <some-path>/xxxx.key

see https://dev.gnupg.org/T3101 for more details.
Comment 3 Thomas Baumgart 2021-04-20 05:43:41 UTC
Can we somehow present this information (or a link to it) directly to the Windows user in case he tries to open a GPG encrypted KMyMoney file but GPG is not found?
Comment 4 Ralf Habacker 2021-04-21 09:26:23 UTC
(In reply to Thomas Baumgart from comment #3)
> Can we somehow present this information (or a link to it) directly to the
> Windows user in case he tries to open a GPG encrypted KMyMoney file but GPG
> is not found?

Errors on loading are displayed at https://invent.kde.org/office/kmymoney/-/blob/master/kmymoney/kmymoney.cpp#L3414 and GPG related issues are raised at https://invent.kde.org/office/kmymoney/-/blob/master/kmymoney/plugins/xml/xmlstorage.cpp#L134, which could be extended.

The question is how to detect this case. For example, on the basis of differences in available keys: Number of keys > 0 and number of private keys != number of keys.

Another problem arises when using the setup installer:
To fix this problem, the old gpg installation must still exist, which will not be the case if users use the setup variant, which will probably overwrite the old installation.
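As an added example that is not part of this bug report or of KMyMoney's code, the script below automates the export/import steps from comment 2 and implements the "keys > 0 but secret keys != keys" check proposed in comment 4, by parsing the machine-readable `--with-colons` listing that gpg2 prints. The gpg binary paths, the output directory and the sample listings are constructed assumptions.

```python
import subprocess
# Constructed sample listings (not real keys). The public keyring after the
# 2.0 -> 2.2 upgrade holds two keys, but only the first has its secret part.
SAMPLE_PUB = """\
pub:u:2048:1:AAAA1111BBBB2222:1500000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF01234567AAAA1111BBBB2222:
uid:u::::1500000000::HASHVALUE::Alice <alice@example.org>::::::::::0:
sub:u:2048:1:CCCC3333DDDD4444:1500000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA98CCCC3333DDDD4444:
pub:u:2048:1:EEEE5555FFFF6666:1500000000:::u:::scESC::::::23::0:
fpr:::::::::000011112222333344445555EEEE5555FFFF6666:
"""
SAMPLE_SEC = """\
sec:u:2048:1:AAAA1111BBBB2222:1500000000:::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF01234567AAAA1111BBBB2222:
ssb:u:2048:1:CCCC3333DDDD4444:1500000000::::::e:::+:::23:
fpr:::::::::FEDCBA9876543210FEDCBA98CCCC3333DDDD4444:
"""

def primary_fingerprints(listing: str) -> list:
    """Primary-key fingerprints: the fpr record after each pub/sec, field index 9."""
    fprs, want_fpr = [], False
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sec"):
            want_fpr = True
        elif fields[0] == "fpr" and want_fpr:
            fprs.append(fields[9])
            want_fpr = False  # skip the fpr records of subkeys (sub/ssb)
    return fprs

def keys_without_secret(pub_listing: str, sec_listing: str) -> list:
    """Comment 4's heuristic: public keys whose secret part is missing (e.g. left in 2.0)."""
    have_secret = set(primary_fingerprints(sec_listing))
    return [f for f in primary_fingerprints(pub_listing) if f not in have_secret]

def list_keys(gpg_bin: str, secret: bool = False) -> str:
    """Machine-readable listing from the given gpg2 binary (old or new installation)."""
    mode = "--list-secret-keys" if secret else "--list-keys"
    return subprocess.run([gpg_bin, "--batch", "--with-colons", mode],
                          check=True, capture_output=True, text=True).stdout

def migration_commands(old_gpg: str, new_gpg: str, sec_listing: str, outdir: str) -> list:
    """The export/import argv pairs from comment 2, one pair per secret key."""
    cmds = []
    for fpr in primary_fingerprints(sec_listing):
        path = f"{outdir}/{fpr}.key"  # assumed output location for the exported key
        cmds.append([old_gpg, "--output", path, "--export-secret-keys", fpr])
        cmds.append([new_gpg, "--import", path])
    return cmds
```

On a real installation, feed `list_keys(old_gpg, secret=True)` into `migration_commands` and run each argv with `subprocess.run`; `keys_without_secret(list_keys(new_gpg), list_keys(new_gpg, secret=True))` being non-empty is the condition comment 4 suggests reporting to the user.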
Comment 5 Ralf Habacker 2021-07-17 13:30:51 UTC
The snapshots from https://kmymoney.org/snapshots.php now have a current gpg version (2.2.27) embedded.