On Sat Apr 18 09:39:25 2026 +0000, Paul Gofman wrote:
> Not sure if that should be blocking this patch, but I think the way it is done can't be fully correct. Thing is, ncrypt is physically unable to export a private key if the ncrypt provider is a security device (e.g., a TPM with MS_PLATFORM_CRYPTO_PROVIDER). We currently do not support that (like, well, key persistence at all in ncrypt, as well as the ncrypt provider structure), but the correct way is not to rely on extracting keys but to use NCrypt functions whenever a signature or encryption / decryption is required. I am not sure offhand if it is possible to hook exactly that with gnutls.

GnuTLS was the reason for exporting the key. If we had a stack more like native we wouldn't have to do that; the TLS implementation would just use Ncrypt functions.
I have plans to remove GnuTLS from the picture, starting with Bcrypt. This is a long term project and I think we can follow the existing model for a while longer. Ncrypt keys could be stored in the registry just like CryptoAPI keys until we have support for TPMs / smartcards, etc. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/10561#note_137015