GPG Keychain: Password length is limited to 100 characters or less

ProxyCell's Avatar

ProxyCell

06 Oct, 2017 05:23 PM

I tried entering in a large password today during a NEW KEY creation with the 1.4 (1377) version and it threw up an error message saying that my password should be LESS THAN 300 CHARACTERS but I couldn't even get one above 100 characters. 101 was too many and threw up the same error.

This is running on macOS 10.13 (High Sierra)

Expected
The ability to enter in passwords of greater than 100 characters but less than 300

Additional info
I have a screenshot posted here: https://gpgtools.lighthouseapp.com/projects/65684-gpg-keychain-acce...

macOS           10.13       17A405
GPG Suite       2017.1      2002    (4161887)
GPGMail         3.0b1       1244    (7f051cc)
GPG Keychain    1.4         1377    (3384573)
GPGServices     1.11.1      961     (d6060fa)
MacGPG2         2.2.0       893     (ab15b08)
GPGPreferences  2.1         977     (b1e419a)
Libmacgpg       0.8         819     (c8cf2e0)
pinentry        0.9.7       6       (6aeb033)
  1. 1 Posted by ProxyCell on 06 Oct, 2017 05:24 PM

    ProxyCell's Avatar

    I'm reposting my screenshot here, just for ease and clarity.

  2. Support Staff 2 Posted by Luke Le on 10 Dec, 2017 12:01 PM

    Luke Le's Avatar

    Hi Proxy,

    your issue is addresses in our latest version of GPG Suite 2017.2
    It would be great if you could install it and confirm that the issue is resolved.
    https://gpgtools.org

    Thanks!

  3. 3 Posted by ProxyCell on 10 Dec, 2017 05:38 PM

    ProxyCell's Avatar

    Hi Luke Le,

    I installed the 2017.2 update through the in-app updater about a day or so ago when it popped up on it's own.

    Today I gave it a try and attempted to create a new key with a password length longer than 100 characters and it failed again. I used a password of exactly 101 characters in length and I can confirm that it does still work when using one of 100 characters long.

    It displayed the exact same error message though, still saying 300. I dug through the commits on GitHub and found that back in June the max of 300 was changed to 100 in /Source/SheetController.m and the English localization title and message object names were also changed at the same time but the "300" was not amended to "100"

    However in the more recent commit 10 days ago it was changed:
    https://github.com/GPGTools/GPGKeychainAccess/commit/9397b115e3baff...

    Sadly, this is NOT included in the current 2017.2 distributed installer package. I checked in my own local /Applications/GPG.../Resources/en.lproj/Localizable.strings and it still has "300" there.

    I reinstalled the entire 2017.2 and it is still "300" so my best guess is that these latest changes were not included as they came in after the 1.4.1 GPG Keychain version change in the "/Version.config" file yet happened on the exact same date.

    Otherwise I am also curious as to why it was reduced in the code from 300 to 100? Is there a technical reason for why it was changed?

  4. Support Staff 4 Posted by Luke Le on 14 Dec, 2017 12:30 PM

    Luke Le's Avatar

    Hi ProxyCell,

    you are absolutely correct that this change didn't make it into the release. I believed it did. The nightly which you can find under the following URL now does include the matching passphrase restrictions:
    https://releases.gpgtools.org/nightlies

    We have adjusted the passphrase length in accordance with the official GnuPG distribution. Unfortunately I cannot find the pretty long email thread on the GnuPG developer list discussing this change.

  5. Steve closed this discussion on 26 Mar, 2018 03:54 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac