libgcrypt fails to compile with Xcode 9 against iOS 11 SDK

Chris Ballinger chrisballinger at gmail.com
Fri Oct 27 19:24:06 CEST 2017


>From what I understand it's safer to use asm implementations of AES-GCM
because of potential timing attacks on pure software implementations.

* https://github.com/jedisct1/libsodium/issues/234#issuecomment-70028523
* https://bugzilla.mozilla.org/show_bug.cgi?id=868948#c17

I'm more concerned that the arm64 build is broken for a formerly-working
target. If you have a recent macOS device you should be able to run those
build scripts (using Xcode 9 command line tools) and see that the arm64
assembly does not compile for mach-o targets.

As far as tarball verification, adding a sha256sum verification step to the
build scripts is a good idea, thanks for pointing me in the right direction.


On Fri, Oct 27, 2017 at 3:22 AM, Werner Koch <wk at gnupg.org> wrote:

> On Thu, 26 Oct 2017 19:24, chrisballinger at gmail.com said:
>
> > However, the arm64 mach-o assembly issue is beyond my capabilities. From
> > what I understand using non-asm versions of AES-GCM is not recommended,
> and
>
> --disable-asm should always work.  From where did you get the
> recommendation not to use --disable-asm form arm64?  It will be slower
> but I doubt that this is really an issue for a messaging application.
>
> I have a macOS box but no IOS device - can I use it to test your
> problem?
>
> BTW, relying on TLS for checking the authenticity of Libgcrypt et
> al. downlods is not a good idea.  Please check gnupg/tools/getswdb.sh to
> see how we do it for GnuPG components: There is a signed file with the
> latest versions and their shaXsums.  The gnupg/tools/speedo.mk Makefile
> uses these checksums to verify the downloads.  However, directly
> verifying a certain tarball signature is also possible.  The trusted
> keys are distributed with GnuPG and their fingerprints are in all
> release announcements.
>
>
>
> Shalom-Salam,
>
>    Werner
>
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20171027/0f6b9992/attachment.html>


More information about the Gcrypt-devel mailing list