From maschoch at compuserve.com Sun Jan 2 10:52:06 2005 From: maschoch at compuserve.com (Martin Schoch) Date: Sun Jan 2 14:38:25 2005 Subject: GnuPG 1.9.14 and idea Message-ID: <1755967323.20050102105206@compuserve.com> Hello list, short question: Des GnuPG 1.9.14 support the extension "idea"? -- Thanks. Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 361 bytes Desc: not available Url : /pipermail/attachments/20050102/697f5577/attachment.bin From maschoch at compuserve.com Sun Jan 2 16:35:58 2005 From: maschoch at compuserve.com (Martin Schoch) Date: Sun Jan 2 19:02:15 2005 Subject: Bad signature W.K. Message-ID: Hello I am using GnuPG 1.4.0 and the signature from Werner Koch shows up as bad: enigmail> /usr/local/bin/gpg --batch --no-tty --status-fd 2 --verify gpg: Signature made Die 28 Dez 2004 11:54:41 CET using DSA key ID 010A57ED gpg: BAD signature from "Werner Koch " Any idea? -- Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 374 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050102/c2fdec25/signature.bin From dalgoda at ix.netcom.com Sun Jan 2 07:13:15 2005 From: dalgoda at ix.netcom.com (Mike Castle) Date: Mon Jan 3 09:05:47 2005 Subject: typo in configure.ac Message-ID: <20050102061315.GD29293@thune.sonic.net> s/availbale/available/ -- Mike Castle dalgoda@ix.netcom.com www.netcom.com/~dalgoda/ We are all of us living in the shadow of Manhattan. -- Watchmen fatal ("You are in a maze of twisty compiler features, all different"); -- gcc From dalgoda at ix.netcom.com Sun Jan 2 07:25:33 2005 From: dalgoda at ix.netcom.com (Mike Castle) Date: Mon Jan 3 09:05:51 2005 Subject: gnupg tries to build with non-existent libusb Message-ID: <20050102062533.GE29293@thune.sonic.net> Strange goings on. Tried this with 1.4.0, 1.9.13 and 1.9.14. Results all the same. if i486-linux-gcc -DHAVE_CONFIG_H -I. -I../../gnupg-1.9.14/scd -I.. -I../../gnupg-1.9.14/intl -I../../gnupg-1.9.14/common -DLOCALEDIR=\"/usr/share/locale\" -DGNUPG_BINDIR="\"/usr/bin\"" -DGNUPG_LIBEXECDIR="\"/usr/libexec\"" -DGNUPG_LIBDIR="\"/usr/lib/gnupg\"" -DGNUPG_DATADIR="\"/usr/share/gnupg\"" -I/usr/include -g -O2 -Wall -MT ccid-driver.o -MD -MP -MF ".deps/ccid-driver.Tpo" -c -o ccid-driver.o ../../gnupg-1.9.14/scd/ccid-driver.c; \ then mv -f ".deps/ccid-driver.Tpo" ".deps/ccid-driver.Po"; else rm -f ".deps/ccid-driver.Tpo"; exit 1; fi ../../gnupg-1.9.14/scd/ccid-driver.c:85:17: usb.h: No such file or directory Hmm... I'd installed libusb at sometime in the past, and removed the header files, but forgot the remove the libraries. Configure should probably check for a working usb.h in addition to libusb (guess this might qualify for a situation where someone forgot include libusb-devel or whatever on their system). mrc -- Mike Castle dalgoda@ix.netcom.com www.netcom.com/~dalgoda/ We are all of us living in the shadow of Manhattan. -- Watchmen fatal ("You are in a maze of twisty compiler features, all different"); -- gcc From wk at gnupg.org Mon Jan 3 09:30:29 2005 From: wk at gnupg.org (Werner Koch) Date: Mon Jan 3 16:01:45 2005 Subject: GnuPG 1.9.14 and idea In-Reply-To: <1755967323.20050102105206@compuserve.com> (Martin Schoch's message of "Sun, 2 Jan 2005 10:52:06 +0100") References: <1755967323.20050102105206@compuserve.com> Message-ID: <871xd2ewyi.fsf@wheatstone.g10code.de> On Sun, 2 Jan 2005 10:52:06 +0100, Martin Schoch said: > Des GnuPG 1.9.14 support the extension "idea"? No it won't. IDEA is patented and libgcrypt does not implement it for this reason. Werner From patrick.brunschwig at gmx.net Mon Jan 3 13:16:09 2005 From: patrick.brunschwig at gmx.net (Patrick Brunschwig) Date: Mon Jan 3 16:02:13 2005 Subject: Bad signature W.K. In-Reply-To: References: Message-ID: <41D93789.4010303@gmx.net> Martin Schoch wrote: > Hello > > I am using GnuPG 1.4.0 and the signature from Werner Koch shows up as bad: > > enigmail> /usr/local/bin/gpg --batch --no-tty --status-fd 2 --verify > gpg: Signature made Die 28 Dez 2004 11:54:41 CET using DSA key ID 010A57ED > gpg: BAD signature from "Werner Koch " > > Any idea? > Your signature is bad as well. If you're using GnuPG 1.4, you should upgrade to Enigmail 0.89.6. I guess that Werner suffers from the same problem as you: a mail client that is not 100% compliant to GnuPG 1.4. Patrick -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050103/dce82155/signature.bin From dshaw at jabberwocky.com Mon Jan 3 15:53:34 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Jan 3 16:02:37 2005 Subject: gnupg tries to build with non-existent libusb In-Reply-To: <20050102062533.GE29293@thune.sonic.net> References: <20050102062533.GE29293@thune.sonic.net> Message-ID: <20050103145334.GF28182@jabberwocky.com> On Sat, Jan 01, 2005 at 10:25:33PM -0800, Mike Castle wrote: > Strange goings on. Tried this with 1.4.0, 1.9.13 and 1.9.14. Results all > the same. > > if i486-linux-gcc -DHAVE_CONFIG_H -I. -I../../gnupg-1.9.14/scd -I.. -I../../gnupg-1.9.14/intl -I../../gnupg-1.9.14/common -DLOCALEDIR=\"/usr/share/locale\" -DGNUPG_BINDIR="\"/usr/bin\"" -DGNUPG_LIBEXECDIR="\"/usr/libexec\"" -DGNUPG_LIBDIR="\"/usr/lib/gnupg\"" -DGNUPG_DATADIR="\"/usr/share/gnupg\"" -I/usr/include -g -O2 -Wall -MT ccid-driver.o -MD -MP -MF ".deps/ccid-driver.Tpo" -c -o ccid-driver.o ../../gnupg-1.9.14/scd/ccid-driver.c; \ > then mv -f ".deps/ccid-driver.Tpo" ".deps/ccid-driver.Po"; else rm -f ".deps/ccid-driver.Tpo"; exit 1; fi > ../../gnupg-1.9.14/scd/ccid-driver.c:85:17: usb.h: No such file or directory > > Hmm... I'd installed libusb at sometime in the past, and removed the header > files, but forgot the remove the libraries. > > Configure should probably check for a working usb.h in addition to libusb > (guess this might qualify for a situation where someone forgot include > libusb-devel or whatever on their system). It shouldn't. The people who package the xxx-devel packages generally expect this sort of problem and distribute e.g. libusb-0.1.so.4 rather than libusb.a or libusb.so. Nevertheless, I'm going to improve the libusb check anyway. It certainly doesn't hurt to do a test compile before enabling libusb. David From dshaw at jabberwocky.com Mon Jan 3 15:53:51 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Jan 3 16:02:40 2005 Subject: typo in configure.ac In-Reply-To: <20050102061315.GD29293@thune.sonic.net> References: <20050102061315.GD29293@thune.sonic.net> Message-ID: <20050103145351.GG28182@jabberwocky.com> On Sat, Jan 01, 2005 at 10:13:15PM -0800, Mike Castle wrote: > > s/availbale/available/ Which configure? I can't find it in 1.4.0. David From jaboles at fastmail.fm Mon Jan 3 13:31:20 2005 From: jaboles at fastmail.fm (Jonathan Boles) Date: Mon Jan 3 16:25:07 2005 Subject: Bad signature W.K. In-Reply-To: References: Message-ID: <5F1DCD00-5D83-11D9-ACCB-000A959E0734@fastmail.fm> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/01/2005, at 2:35 AM, Martin Schoch wrote: > Hello > > I am using GnuPG 1.4.0 and the signature from Werner Koch shows up as > bad: Incidentally, so did yours. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (Darwin) iD8DBQFB2Tsir/NM+QSmMkQRAiJqAJ91YYlmT4p4R60gHDgo8rUF65dmTgCcCALx MRXM4O2HrFMrpWzKypZ7LrM= =2VqD -----END PGP SIGNATURE----- From ah0k at na.rim.or.jp Sun Jan 2 15:50:03 2005 From: ah0k at na.rim.or.jp (Masashi SAKURADA) Date: Mon Jan 3 16:54:01 2005 Subject: en@quoto.po Message-ID: <20050102.235003.41684113.ah0k@na.rim.or.jp> Hi list, I'm a new subscriber. When I make gnupg, I always get this errors, -- en@quot.po:5739: `msgid' and `msgstr' entries do not both end with '\n' en@quot.po:5743: `msgid' and `msgstr' entries do not both end with '\n' en@quot.po:5747: `msgid' and `msgstr' entries do not both end with '\n' en@quot.po:5751: `msgid' and `msgstr' entries do not both end with '\n' /usr/local/bin/msgfmt: found 408 fatal errors *** Error code 1 -- I know that in this source, 408 strings end without '/n'. How do you all work arround this errors. ------------------------------------------Masashi SAKURADA/AH0K/JR2GMC TEL 052-773-2638/FAX 052-773-2692/PHS 070-5647-2594 E-mail: ah0k@na.rim.or.jp URL: http://www.ah0k.com/ PGP-fingerprint: 9332 0E9F 78AB E793 0E9F 84C6 FA74 3A11 3235 EC1E PGP-Public-Key: http://www.ah0k.com/personal/c1868.html ?????????(http://www.santensho.net/)???????????? From wk at gnupg.org Mon Jan 3 18:19:26 2005 From: wk at gnupg.org (Werner Koch) Date: Mon Jan 3 18:15:27 2005 Subject: Bad signature W.K. In-Reply-To: <41D93789.4010303@gmx.net> (Patrick Brunschwig's message of "Mon, 03 Jan 2005 13:16:09 +0100") References: <41D93789.4010303@gmx.net> Message-ID: <878y7aa0rl.fsf@wheatstone.g10code.de> On Mon, 03 Jan 2005 13:16:09 +0100, Patrick Brunschwig said: > I guess that Werner suffers from the same problem as you: a mail client > that is not 100% compliant to GnuPG 1.4. Right. I have not yet updated Gnus. Werner From albrecht.dress at arcor.de Mon Jan 3 18:25:30 2005 From: albrecht.dress at arcor.de (=?iso-8859-1?q?Albrecht_Dre=DF?=) Date: Mon Jan 3 18:22:08 2005 Subject: GnuPG 1.4.0 spec file error Message-ID: <1104773138l.4195l.1l@antares.localdomain> Hi all, the spec file included in the gnupg-1.4.0 package installs the keyserver helpers in /usr/libexec, but the gpg executable tries to execute them from the folder /usr/libexec/gnupg/ (this may actually also be a Makefile problem). The following patch to gnupg.spec moves the helpers accordingly: --- gnupg.spec.orig 2005-01-03 17:49:18.000000000 +0100 +++ gnupg.spec 2005-01-03 18:03:30.912931488 +0100 @@ -12,7 +12,7 @@ Vendor: GNU Privacy Guard Project Name: %{name} Version: %{version} -Release: 1 +Release: 2 Copyright: GPL Group: Applications/Cryptography Group(cs): Aplikace/?ifrov?n? @@ -166,6 +166,8 @@ rm %{buildroot}%{_datadir}/%{name}/FAQ rm %{buildroot}%{_datadir}/%{name}/faq.html rm %{buildroot}%{_infodir}/dir +mkdir %{buildroot}%{_libexecdir}/gnupg +mv %{buildroot}%{_libexecdir}/gpgkeys* %{buildroot}%{_libexecdir}/gnupg/. %files -f %{name}.lang %defattr (-,root,root) @@ -181,7 +183,7 @@ %attr (4755,root,root) %{_bindir}/gpg %attr (0755,root,root) %{_bindir}/gpgv %attr (0755,root,root) %{_bindir}/gpgsplit -%attr (0755,root,root) %{_libexecdir}/* +%attr (0755,root,root) %{_libexecdir}/gnupg/* %post /sbin/install-info %{_infodir}/gpg.info %{_infodir}/dir 2>/dev/null || : Cheers, Albrecht. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Albrecht Dre? - Johanna-Kirchner-Stra?e 13 - D-53123 Bonn (Germany) Phone (+49) 228 6199571 - mailto:albrecht.dress@arcor.de GnuPG public key: http://home.arcor.de/dralbrecht.dress/pubkey.asc _________________________________________________________________________ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050103/e60fc5ac/attachment.bin From rwatson at freebsd.org Mon Jan 3 20:58:01 2005 From: rwatson at freebsd.org (Robert Watson) Date: Tue Jan 4 09:01:25 2005 Subject: GnuPG + FreeBSD 5.3 = intermitent memory warning In-Reply-To: <20041215040534.GC32762@jabberwocky.com> Message-ID: On Tue, 14 Dec 2004, David Shaw wrote: > It took me a while to track this down, and thanks to Atom for helping me > run some FreeBSD tests. It turns out that this isn't a GnuPG specific > problem. The same problem can be duplicated by running any program that > calls mlock() on FreeBSD. > > FreeBSD has a "1/3 of memory" hard limit for mlock(). What seems to > have happened is that for whatever reason, Atom's system was very close > to the 1/3 magic number, and so when GnuPG tried to get its lock, it was > sometimes refused. This also explains why a busy system seemed to > aggravate the problem. > > In terms of what to do about this in GnuPG, I'm not sure if there should > be anything done. I think the the current GnuPG behavior is pretty > good: try to get locked memory, and if it can't, warn the user. I wonder if it would make sense for gnupg to print additional error information when printing the insecure memory warning? Specifically, to help identify what errno value was returned by a failing call to mlock(). This would make it easier to determine the cause of a reported failure ("EPERM - not running setuid", "EAGAIN - system/process resource limits reached"). Robert N M Watson From maschoch at compuserve.com Sun Jan 2 11:02:42 2005 From: maschoch at compuserve.com (Martin Schoch) Date: Tue Jan 4 17:27:34 2005 Subject: Merge pubring files Message-ID: <361155563.20050102110242@compuserve.com> Hello list, well I know - quite OT - but I would like to ask this: I have two different systems - both with GnuPG. On every system keys are updated or loaded from key server. Is it possible to merge now the two pubring files to have only one which is up to date? Thanks. -- Regards, Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 361 bytes Desc: not available Url : /pipermail/attachments/20050102/00619506/attachment.bin From dshaw at jabberwocky.com Tue Jan 4 17:57:31 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Jan 4 17:54:22 2005 Subject: Merge pubring files In-Reply-To: <361155563.20050102110242@compuserve.com> References: <361155563.20050102110242@compuserve.com> Message-ID: <20050104165731.GC20047@jabberwocky.com> On Sun, Jan 02, 2005 at 11:02:42AM +0100, Martin Schoch wrote: > Hello list, > > well I know - quite OT - but I would like to ask this: > > I have two different systems - both with GnuPG. On every system > keys are updated or loaded from key server. > > Is it possible to merge now the two pubring files to have only > one which is up to date? Sure, just --import the pubring.gpg file from one machine into the other. David From maschoch at compuserve.com Tue Jan 4 19:02:06 2005 From: maschoch at compuserve.com (Martin Schoch) Date: Tue Jan 4 18:59:17 2005 Subject: Merge pubring files References: <361155563.20050102110242@compuserve.com> <20050104165731.GC20047__36200.200537178$1104858582$gmane$org@jabberwocky.com> Message-ID: * David Shaw, 4 Jan 2005, 17:57: > Sure, just --import the pubring.gpg file from one machine into the > other. Thanks - yes I already found the answer. -- ms From wk at gnupg.org Tue Jan 4 22:12:34 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Jan 4 22:10:30 2005 Subject: GnuPG + FreeBSD 5.3 = intermitent memory warning In-Reply-To: (Robert Watson's message of "Mon, 3 Jan 2005 19:58:01 +0000 (GMT)") References: Message-ID: <87fz1gj3ul.fsf@wheatstone.g10code.de> On Mon, 3 Jan 2005 19:58:01 +0000 (GMT), Robert Watson said: > I wonder if it would make sense for gnupg to print additional error > information when printing the insecure memory warning? Specifically, to I'll look at it. IIRC, we need to save away the errno because printing of the message might get deferred. Werner From ryan at ostrich-emulators.com Wed Jan 5 04:17:38 2005 From: ryan at ostrich-emulators.com (ryan p bobko) Date: Wed Jan 5 04:18:49 2005 Subject: gpgme tests fail Message-ID: <200501042217.38411.ryan@ostrich-emulators.com> Hi Folks, I'm trying to work with GPGME 1.0.1, and I'm not having much luck. (In fact, I'm trying to update an existing program that uses GPGME 0.3, but I'll leave those complications for another time...) I get the following output from ./configure: GPGME v1.0.1 has been configured as follows: GnuPG path: /usr/local/bin/gpg GnuPG version: 1.4.0, min. 1.2.2 GpgSM path: no GpgSM version: unknown, min. 1.9.6 GPGME Pthread: yes GPGME Pth: I don't know if the blank "GPGME Pth:" should worry me, but everything seems to compile just fine. However, when I try to run the test programs, I get: t-decrypt.c:64: GPGME: Decryption failed and t-encrypt.c:59: GPGME: End of file Neither of which makes me think it's working. How can I figure out what's going wrong here? The specified lines of code aren't particularly interesting, and as far as I can see, there's no debug or verbose options. Thanks for the help, ry -- Health nuts are going to feel stupid someday, lying in hospitals dying of nothing. -- Redd Foxx From thomas-gmane at kuehne.cn Wed Jan 5 06:19:16 2005 From: thomas-gmane at kuehne.cn (Thomas Kuehne) Date: Wed Jan 5 06:17:49 2005 Subject: [Patch] internatinal domain names for email addresses Message-ID: Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 155 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050105/9c772b51/signature.bin From thomas-gmane at kuehne.cn Wed Jan 5 07:21:17 2005 From: thomas-gmane at kuehne.cn (Thomas Kuehne) Date: Wed Jan 5 07:15:41 2005 Subject: [Patch] international domain names for email addresses In-Reply-To: References: Message-ID: > todo: > - beautified display of UIDs containing IDN > - handling IDNs during the trust signatur generation In addition: - handling keyservers with IDNs Thomas K?hne -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 155 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050105/92c6fe9d/signature-0001.bin From dragonheart at gentoo.org Tue Jan 4 22:10:48 2005 From: dragonheart at gentoo.org (Daniel) Date: Wed Jan 5 08:48:11 2005 Subject: PIC issue with gnupg-1.4.0 Message-ID: <200501050640.51936.dragonheart@gentoo.org> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050105/a615a900/attachment.bin From wk at gnupg.org Wed Jan 5 09:39:57 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Jan 5 09:35:31 2005 Subject: [Patch] internatinal domain names for email addresses In-Reply-To: (Thomas Kuehne's message of "Wed, 05 Jan 2005 06:19:16 +0100") References: Message-ID: <87mzvogtgi.fsf@wheatstone.g10code.de> On Wed, 05 Jan 2005 06:19:16 +0100, Thomas Kuehne said: > The attached patch against gnupg-1.4.0 enables internatinal domain names > in the UID generation. Using rfc822 mailbox format in the user IDs is merely a suggestion and not required. It is out of GnuPG's scope to handle this. A frontend might do so but GnuPG won't - mainly for reasons of complexity. Salam-Shalom, Werner From dshaw at jabberwocky.com Thu Jan 6 06:40:56 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Jan 6 06:37:56 2005 Subject: [Patch] internatinal domain names for email addresses In-Reply-To: <87mzvogtgi.fsf@wheatstone.g10code.de> References: <87mzvogtgi.fsf@wheatstone.g10code.de> Message-ID: <20050106054056.GC3133@jabberwocky.com> On Wed, Jan 05, 2005 at 09:39:57AM +0100, Werner Koch wrote: > On Wed, 05 Jan 2005 06:19:16 +0100, Thomas Kuehne said: > > > The attached patch against gnupg-1.4.0 enables internatinal domain names > > in the UID generation. > > Using rfc822 mailbox format in the user IDs is merely a suggestion and > not required. It is out of GnuPG's scope to handle this. A frontend > might do so but GnuPG won't - mainly for reasons of complexity. Plus, the user ID string is already UTF8. Is there any need to encode it further in punycode? David From thomas-gmane at kuehne.cn Thu Jan 6 07:24:19 2005 From: thomas-gmane at kuehne.cn (Thomas Kuehne) Date: Thu Jan 6 07:19:17 2005 Subject: [Patch] internatinal domain names for email addresses In-Reply-To: <20050106054056.GC3133__25089.327680371$1104990806$gmane$org@jabberwocky.com> References: <87mzvogtgi.fsf@wheatstone.g10code.de> <20050106054056.GC3133__25089.327680371$1104990806$gmane$org@jabberwocky.com> Message-ID: David Shaw wrote: | On Wed, Jan 05, 2005 at 09:39:57AM +0100, Werner Koch wrote: | |>On Wed, 05 Jan 2005 06:19:16 +0100, Thomas Kuehne said: |> |> |>>The attached patch against gnupg-1.4.0 enables internatinal domain |>>names in the UID generation. |> |>Using rfc822 mailbox format in the user IDs is merely a suggestion and |>not required. It is out of GnuPG's scope to handle this. A frontend |>might do so but GnuPG won't - mainly for reasons of complexity. | Plus, the user ID string is already UTF8. Is there any need to encode | it further in punycode? The problem are the domain names: 1) Current gpg rejects non-ASCI domains. "HKP fetch error: bad URI" "Not a valid email address" 2) Host selection/comparison fail. ??.idn.kuehne.cn == xn--fiq228c.idn.kuehne.cn ma?.idn.kuehne.cn == mass.idn.kuehne.cn Thomas From atom at suspicious.org Thu Jan 6 08:36:49 2005 From: atom at suspicious.org (Atom 'Smasher') Date: Thu Jan 6 08:30:12 2005 Subject: --with-colons and stdin Message-ID: <20050106073340.60912.qmail@suspicious.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 i just noticed that --with-colons (and --with-key-data) does not display field #12 [Key capabilities] when reading from stdin... $ gpg --with-colons --list-keys 0xB88D52E4D9F57808 ## key capabilities ARE shown ## $ gpg --with-colons < 0xB88D52E4D9F57808.key ## key capabilities NOT shown ## gpg (GnuPG) 1.4.0 FreeBSD 5.3-RELEASE - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "A good many observers have remarked that if equality could come at once the Negro would not be ready for it. I submit that the white American is even more unprepared." -- Martin Luther King, Jr. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJB3OqYAAoJEAx/d+cTpVciE7wH/3zVhm70rDdjFLAvG1F1E/vv NszdCegBRB2NK/2eQNqnUk8B11PxLd6/hbaPfKPbu5vQmk994yLBnEYDYEtCSLUJ wqEzLC+SfzyKqGpO1eKpiVcfCuoP8JBGXxWWWiIbczI5C/TaBvxrz7d6RhpB0teA gTS5pmwtdZ/cJsHu37SUt4QHadfL6uOo0sQ4ZAmWL3eHUO7ymaCSVr1rEzLhABtj LC7iUOZaJUkzRvg3C//Am0IUp9FHqeUP1R0ZjFtlPGhnjo4TzRNJpXAvD8OmN3r9 /gABvkpajN08r4PzyQwyvoWxadwKqblyv4B6qJxhuet0QPckcHN2uAHsCqFHhGk= =y05T -----END PGP SIGNATURE----- From wk at gnupg.org Thu Jan 6 09:31:01 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Jan 6 09:32:16 2005 Subject: --with-colons and stdin In-Reply-To: <20050106073340.60912.qmail@suspicious.org> (atom@suspicious.org's message of "Thu, 6 Jan 2005 02:36:49 -0500 (EST)") References: <20050106073340.60912.qmail@suspicious.org> Message-ID: <878y77dkmy.fsf@wheatstone.g10code.de> On Thu, 6 Jan 2005 02:36:49 -0500 (EST), Atom 'Smasher' said: > $ gpg --with-colons --list-keys 0xB88D52E4D9F57808 > ## key capabilities ARE shown ## > $ gpg --with-colons < 0xB88D52E4D9F57808.key > ## key capabilities NOT shown ## These are two different things: The first lists keys from the keyring whereas the second one does a default action. This may be a decryption, verification or a brief dump of key data. Salam-Shalom, Werner From wk at gnupg.org Thu Jan 6 09:33:51 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Jan 6 09:32:38 2005 Subject: PIC issue with gnupg-1.4.0 In-Reply-To: <200501050640.51936.dragonheart@gentoo.org> (dragonheart@gentoo.org's message of "Wed, 5 Jan 2005 06:40:48 +0930") References: <200501050640.51936.dragonheart@gentoo.org> Message-ID: <874qhvdki8.fsf@wheatstone.g10code.de> On Wed, 5 Jan 2005 06:40:48 +0930, Daniel said: > As reported in > http://bugs.gentoo.org/show_bug.cgi?id=74521 > http://bugs.gentoo.org/show_bug.cgi?id=76487 > There is a definition problem with pic. Please report to the gettext maintainers. intl/ is a copy from the standard gettext and only to be used on systems where no gettext is available. Shouldn't be the case for any GNU based system. Shalom-Salam, Werner From atom at suspicious.org Thu Jan 6 09:52:21 2005 From: atom at suspicious.org (Atom 'Smasher') Date: Thu Jan 6 09:45:22 2005 Subject: --with-colons and stdin In-Reply-To: <878y77dkmy.fsf@wheatstone.g10code.de> References: <20050106073340.60912.qmail@suspicious.org> <878y77dkmy.fsf@wheatstone.g10code.de> Message-ID: <20050106084906.97775.qmail@suspicious.org> On Thu, 6 Jan 2005, Werner Koch wrote: > On Thu, 6 Jan 2005 02:36:49 -0500 (EST), Atom 'Smasher' said: > >> $ gpg --with-colons --list-keys 0xB88D52E4D9F57808 >> ## key capabilities ARE shown ## > >> $ gpg --with-colons < 0xB88D52E4D9F57808.key >> ## key capabilities NOT shown ## > > These are two different things: > > The first lists keys from the keyring whereas the second one does a > default action. This may be a decryption, verification or a brief dump > of key data. ==================== the default action appears to be displaying info about the key, except for capabilities. -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "The people I put in jail have more honor than the top administration in this organization." -- Bob Hoffman, B.A.T.F. agent, "60 Minutes", January 1993 From dshaw at jabberwocky.com Thu Jan 6 15:11:56 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Jan 6 15:08:54 2005 Subject: [Patch] internatinal domain names for email addresses In-Reply-To: References: <87mzvogtgi.fsf@wheatstone.g10code.de> <20050106054056.GC3133__25089.327680371$1104990806$gmane$org@jabberwocky.com> Message-ID: <20050106141156.GB8501@jabberwocky.com> On Thu, Jan 06, 2005 at 07:24:19AM +0100, Thomas Kuehne wrote: > David Shaw wrote: > | On Wed, Jan 05, 2005 at 09:39:57AM +0100, Werner Koch wrote: > | > |>On Wed, 05 Jan 2005 06:19:16 +0100, Thomas Kuehne said: > |> > |> > |>>The attached patch against gnupg-1.4.0 enables internatinal domain > |>>names in the UID generation. > |> > |>Using rfc822 mailbox format in the user IDs is merely a suggestion and > |>not required. It is out of GnuPG's scope to handle this. A frontend > |>might do so but GnuPG won't - mainly for reasons of complexity. > > | Plus, the user ID string is already UTF8. Is there any need to encode > | it further in punycode? > > The problem are the domain names: > > 1) Current gpg rejects non-ASCI domains. > "HKP fetch error: bad URI" > "Not a valid email address" This is different problem (and different code) than user IDs. I do think the keyserver helpers should handle IDNA for keyserver hostnames. This should not be part of gpg, though. Let gpg pass the utf8 keyserver name to the gpgkeys_foo program and if gpgkeys_foo needs to do IDNA-to-ascii that should be done there. I hear the curl people are planning on IDNA support, so if we do end up using curl for the HTTP-ish keyservers, this may happen automatically there. > 2) Host selection/comparison fail. > ??????.idn.kuehne.cn == xn--fiq228c.idn.kuehne.cn > ma?.idn.kuehne.cn == mass.idn.kuehne.cn Not sure what you mean here. Host selection and comparison where in the program? David From thomas-gmane at kuehne.cn Thu Jan 6 16:50:47 2005 From: thomas-gmane at kuehne.cn (Thomas Kuehne) Date: Thu Jan 6 16:45:18 2005 Subject: [Patch] internatinal domain names for email addresses In-Reply-To: <20050106141156.GB8501__23828.3851802864$1105021171$gmane$org@jabberwocky.com> References: <87mzvogtgi.fsf@wheatstone.g10code.de> <20050106054056.GC3133__25089.327680371$1104990806$gmane$org@jabberwocky.com> <20050106141156.GB8501__23828.3851802864$1105021171$gmane$org@jabberwocky.com> Message-ID: Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 155 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050106/37f7a1d4/signature-0001.bin From dshaw at jabberwocky.com Thu Jan 6 17:04:19 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Jan 6 17:01:22 2005 Subject: [Patch] internatinal domain names for email addresses In-Reply-To: References: <87mzvogtgi.fsf@wheatstone.g10code.de> <20050106054056.GC3133__25089.327680371$1104990806$gmane$org@jabberwocky.com> <20050106141156.GB8501__23828.3851802864$1105021171$gmane$org@jabberwocky.com> Message-ID: <20050106160418.GA10845@jabberwocky.com> On Thu, Jan 06, 2005 at 04:50:47PM +0100, Thomas Kuehne wrote: > The HKP is a different problem, but the "Not a valid email address" > isn't. Maybe relaxing the test code for the domain part is the way > to go. (see attachement) That's a good point. Note that you can make it work even now if you use --allow-freeform-uid. > 1) key selection: > gpg --edit-key user@xn--fiq228c.idn.kuehne.cn > gpg --edit-key user@??????.idn.kuehne.cn Perhaps I am missing something, but it strikes me that users should never be using the punycode format directly. This is an encoding to accomodate software that cannot handle unicode. Since GnuPG does handle unicode, the user should be using the actual unicode name and not translating it and then typing in the translation. > 2) the regular expression of trust signatures with level > 0 Is there a problem with the regexps and non-7-bit UTF8 characters? David From md at Linux.IT Thu Jan 6 17:20:09 2005 From: md at Linux.IT (Marco d'Itri) Date: Thu Jan 6 17:33:16 2005 Subject: [Patch] internatinal domain names for email addresses In-Reply-To: <20050106054056.GC3133@jabberwocky.com> References: <87mzvogtgi.fsf@wheatstone.g10code.de> <20050106054056.GC3133@jabberwocky.com> Message-ID: <20050106162009.GA11972@wonderland.linux.it> On Jan 06, David Shaw wrote: > Plus, the user ID string is already UTF8. Is there any need to encode > it further in punycode? No, IDNAa are specified to be used only in protocols which do not support UTF-8. -- ciao, Marco -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : /pipermail/attachments/20050106/c7e129d7/attachment.bin From jas at extundo.com Thu Jan 6 17:16:27 2005 From: jas at extundo.com (Simon Josefsson) Date: Thu Jan 6 17:33:35 2005 Subject: [Patch] internatinal domain names for email addresses In-Reply-To: <20050106160418.GA10845__16345.7980416299$1105027860$gmane$org@jabberwocky.com> (David Shaw's message of "Thu, 6 Jan 2005 11:04:19 -0500") References: <87mzvogtgi.fsf@wheatstone.g10code.de> <20050106054056.GC3133__25089.327680371$1104990806$gmane$org@jabberwocky.com> <20050106141156.GB8501__23828.3851802864$1105021171$gmane$org@jabberwocky.com> <20050106160418.GA10845__16345.7980416299$1105027860$gmane$org@jabberwocky.com> Message-ID: David Shaw writes: >> 1) key selection: >> gpg --edit-key user@xn--fiq228c.idn.kuehne.cn >> gpg --edit-key user@??????.idn.kuehne.cn > > Perhaps I am missing something, but it strikes me that users should > never be using the punycode format directly. This is an encoding to > accomodate software that cannot handle unicode. Since GnuPG does > handle unicode, the user should be using the actual unicode name and > not translating it and then typing in the translation. The IDNA specification require that any field that is IDN-unaware use the punycode format. RFC 3490: An "IDN-unaware domain name slot" is defined in this document to be any domain name slot that is not an IDN-aware domain name slot. Obviously, this includes any domain name slot whose specification predates IDNA. ... 2) Whenever a domain name is put into an IDN-unaware domain name slot (see section 2), it MUST contain only ASCII characters. The OpenPGP specification could be updated to say that the any RFC 2822 User-ID field may be considered IDN-aware. More changes may be required as well. Generally, users will have to use the punycode format until all protocols have been updated. Thanks, Simon From wk at gnupg.org Thu Jan 6 17:37:28 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Jan 6 17:35:44 2005 Subject: [Patch] internatinal domain names for email addresses In-Reply-To: (Thomas Kuehne's message of "Thu, 06 Jan 2005 16:50:47 +0100") References: <87mzvogtgi.fsf@wheatstone.g10code.de> <20050106054056.GC3133__25089.327680371$1104990806$gmane$org@jabberwocky.com> <20050106141156.GB8501__23828.3851802864$1105021171$gmane$org@jabberwocky.com> Message-ID: <87pt0ia4zb.fsf@wheatstone.g10code.de> On Thu, 06 Jan 2005 16:50:47 +0100, Thomas Kuehne said: > 1) key selection: > gpg --edit-key user@xn--fiq228c.idn.kuehne.cn > gpg --edit-key user@=B8=E6=87.idn.kuehne.cn This is just one of the problems with i18n domain names. More and more will follow with all kind of applications. Many people warned against it but hey have been ignored the same way as when the DNS was practically turned to a flat name space system. The only think we can do is a suggestion on what to put into user IDs. As it stands now, the suggestion is to use punycode encoded addresses. Frontends may detect that and display them however they like it. If you don't like that, use --allow-free-form-uid and wait for the fun happening when scripts trying to take up such a address. Salam-Shalom, Werner From wk at gnupg.org Thu Jan 6 17:41:12 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Jan 6 17:40:36 2005 Subject: [Patch] internatinal domain names for email addresses In-Reply-To: <20050106160418.GA10845@jabberwocky.com> (David Shaw's message of "Thu, 6 Jan 2005 11:04:19 -0500") References: <87mzvogtgi.fsf@wheatstone.g10code.de> <20050106054056.GC3133__25089.327680371$1104990806$gmane$org@jabberwocky.com> <20050106141156.GB8501__23828.3851802864$1105021171$gmane$org@jabberwocky.com> <20050106160418.GA10845@jabberwocky.com> Message-ID: <87llb6a4t3.fsf@wheatstone.g10code.de> On Thu, 6 Jan 2005 11:04:19 -0500, David Shaw said: >> 2) the regular expression of trust signatures with level > 0 > Is there a problem with the regexps and non-7-bit UTF8 characters? Probably: A space need not anymore be a space but when you look at it you can't distinguish it. Shalom-Salam, Werner From thomas-gmane at kuehne.cn Thu Jan 6 17:46:04 2005 From: thomas-gmane at kuehne.cn (Thomas Kuehne) Date: Thu Jan 6 17:41:12 2005 Subject: [Patch] internatinal domain names for email addresses In-Reply-To: <20050106160418.GA10845__16345.7980416299$1105027860$gmane$org@jabberwocky.com> References: <87mzvogtgi.fsf@wheatstone.g10code.de> <20050106054056.GC3133__25089.327680371$1104990806$gmane$org@jabberwocky.com> <20050106141156.GB8501__23828.3851802864$1105021171$gmane$org@jabberwocky.com> <20050106160418.GA10845__16345.7980416299$1105027860$gmane$org@jabberwocky.com> Message-ID: David Shaw wrote: > On Thu, Jan 06, 2005 at 04:50:47PM +0100, Thomas Kuehne wrote: > >>1) key selection: >>gpg --edit-key user@xn--fiq228c.idn.kuehne.cn >>gpg --edit-key user@??.idn.kuehne.cn > > > Perhaps I am missing something, but it strikes me that users should > never be using the punycode format directly. This is an encoding to > accomodate software that cannot handle unicode. No it's not only to accomodate legacy software. The underlying DNS protocoll simply doesn't support "raw" Unicode. User input is generally Unicode, but preprocessed host names - e.g. from scripts - are usually in punycode. >>2) the regular expression of trust signatures with level > 0 > > Is there a problem with the regexps and non-7-bit UTF8 characters? see above I think it's imposible to generate regexps that match IDN parts. "??" -> "xn--ndam" but "???" -> "xn--4ca0bs" Thomas -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 155 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050106/d56315a7/signature.bin From dshaw at jabberwocky.com Thu Jan 6 17:49:48 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Jan 6 17:48:48 2005 Subject: [Patch] internatinal domain names for email addresses In-Reply-To: References: <87mzvogtgi.fsf@wheatstone.g10code.de> <20050106054056.GC3133__25089.327680371$1104990806$gmane$org@jabberwocky.com> <20050106141156.GB8501__23828.3851802864$1105021171$gmane$org@jabberwocky.com> <20050106160418.GA10845__16345.7980416299$1105027860$gmane$org@jabberwocky.com> Message-ID: <20050106164948.GB10845@jabberwocky.com> On Thu, Jan 06, 2005 at 05:16:27PM +0100, Simon Josefsson wrote: > David Shaw writes: > > >> 1) key selection: > >> gpg --edit-key user@xn--fiq228c.idn.kuehne.cn > >> gpg --edit-key user@??????.idn.kuehne.cn > > > > Perhaps I am missing something, but it strikes me that users should > > never be using the punycode format directly. This is an encoding to > > accomodate software that cannot handle unicode. Since GnuPG does > > handle unicode, the user should be using the actual unicode name and > > not translating it and then typing in the translation. > > The IDNA specification require that any field that is IDN-unaware use > the punycode format. RFC 3490: > > An "IDN-unaware domain name slot" is defined in this document to be > any domain name slot that is not an IDN-aware domain name slot. > Obviously, this includes any domain name slot whose specification > predates IDNA. > ... > 2) Whenever a domain name is put into an IDN-unaware domain name slot > (see section 2), it MUST contain only ASCII characters. > > The OpenPGP specification could be updated to say that the any RFC > 2822 User-ID field may be considered IDN-aware. More changes may be > required as well. Not impossible, I suppose, but it's a little tricky with OpenPGP since OpenPGP user IDs do not have *any* "domain name slot". User IDs are just a UTF8 string. The whole "Name " syntax is just tradition. David From dshaw at jabberwocky.com Thu Jan 6 17:56:43 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Jan 6 17:53:41 2005 Subject: [Patch] internatinal domain names for email addresses In-Reply-To: References: <87mzvogtgi.fsf@wheatstone.g10code.de> <20050106054056.GC3133__25089.327680371$1104990806$gmane$org@jabberwocky.com> <20050106141156.GB8501__23828.3851802864$1105021171$gmane$org@jabberwocky.com> <20050106160418.GA10845__16345.7980416299$1105027860$gmane$org@jabberwocky.com> Message-ID: <20050106165643.GA11298@jabberwocky.com> On Thu, Jan 06, 2005 at 05:46:04PM +0100, Thomas Kuehne wrote: > David Shaw wrote: > >On Thu, Jan 06, 2005 at 04:50:47PM +0100, Thomas Kuehne wrote: > > > >>1) key selection: > >>gpg --edit-key user@xn--fiq228c.idn.kuehne.cn > >>gpg --edit-key user@??????.idn.kuehne.cn > > > > > >Perhaps I am missing something, but it strikes me that users should > >never be using the punycode format directly. This is an encoding to > >accomodate software that cannot handle unicode. > > No it's not only to accomodate legacy software. The underlying DNS > protocoll simply doesn't support "raw" Unicode. Sure, but GnuPG isn't a mail program :) There is no need to store user IDs as punycode which is just a unicode representation. Store them as actual unicode and let the mail program convert if it needs to. > I think it's imposible to generate regexps that match IDN parts. > > "??" -> "xn--ndam" > but > "???" -> "xn--4ca0bs" I don't see why someone would want to translate back and forth between punycode and unicode *inside GnuPG*. If the ultimate goal is a unicode user ID, just use unicode. When searching for a user ID that is unicode, enter unicode search terms. Use punycode only where you can't use unicode (DNS). Will the regexp code in GnuPG do the right thing when matching utf8 against utf8 ? Anything else is an apples to oranges comparison. David From thomas-gmane at kuehne.cn Thu Jan 6 18:28:32 2005 From: thomas-gmane at kuehne.cn (Thomas Kuehne) Date: Thu Jan 6 18:23:02 2005 Subject: [Patch] internatinal domain names for email addresses In-Reply-To: <20050106165643.GA11298__26053.4114357599$1105031044$gmane$org@jabberwocky.com> References: <87mzvogtgi.fsf@wheatstone.g10code.de> <20050106054056.GC3133__25089.327680371$1104990806$gmane$org@jabberwocky.com> <20050106141156.GB8501__23828.3851802864$1105021171$gmane$org@jabberwocky.com> <20050106160418.GA10845__16345.7980416299$1105027860$gmane$org@jabberwocky.com> <20050106165643.GA11298__26053.4114357599$1105031044$gmane$org@jabberwocky.com> Message-ID: David Shaw wrote: > Will the regexp code in GnuPG do the right thing when matching utf8 > against utf8 ? I'm currently somehow failing to test it ;) Does the UID "___\u00FC___" match the regexp "___\u0075\u0308___" ? Thomas -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 155 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050106/9d632c82/signature-0001.bin From dshaw at jabberwocky.com Thu Jan 6 18:51:30 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Jan 6 18:48:29 2005 Subject: [Patch] internatinal domain names for email addresses In-Reply-To: References: <87mzvogtgi.fsf@wheatstone.g10code.de> <20050106054056.GC3133__25089.327680371$1104990806$gmane$org@jabberwocky.com> <20050106141156.GB8501__23828.3851802864$1105021171$gmane$org@jabberwocky.com> <20050106160418.GA10845__16345.7980416299$1105027860$gmane$org@jabberwocky.com> <20050106165643.GA11298__26053.4114357599$1105031044$gmane$org@jabberwocky.com> Message-ID: <20050106175129.GD11298@jabberwocky.com> On Thu, Jan 06, 2005 at 06:28:32PM +0100, Thomas Kuehne wrote: > David Shaw wrote: > >Will the regexp code in GnuPG do the right thing when matching utf8 > >against utf8 ? > > I'm currently somehow failing to test it ;) > > Does the UID "___\u00FC___" match the regexp "___\u0075\u0308___" ? It shouldn't. David From thomas-gmane at kuehne.cn Thu Jan 6 19:05:15 2005 From: thomas-gmane at kuehne.cn (Thomas Kuehne) Date: Thu Jan 6 18:59:46 2005 Subject: [Patch] internatinal domain names for email addresses In-Reply-To: <20050106175129.GD11298__15415.9844191328$1105034340$gmane$org@jabberwocky.com> References: <87mzvogtgi.fsf@wheatstone.g10code.de> <20050106054056.GC3133__25089.327680371$1104990806$gmane$org@jabberwocky.com> <20050106141156.GB8501__23828.3851802864$1105021171$gmane$org@jabberwocky.com> <20050106160418.GA10845__16345.7980416299$1105027860$gmane$org@jabberwocky.com> <20050106165643.GA11298__26053.4114357599$1105031044$gmane$org@jabberwocky.com> <20050106175129.GD11298__15415.9844191328$1105034340$gmane$org@jabberwocky.com> Message-ID: >>>Will the regexp code in GnuPG do the right thing when matching utf8 >>>against utf8 ? >> >>I'm currently somehow failing to test it ;) >> >>Does the UID "___\u00FC___" match the regexp "___\u0075\u0308___" ? > > > It shouldn't. "\u00FC" and "\u0075\u0308" are canonical-equivalent. They should match. http://www.unicode.org/faq/normalization.html http://www.unicode.org/reports/tr15/ Thomas -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 155 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050106/26bb822f/signature.bin From dshaw at jabberwocky.com Thu Jan 6 19:25:16 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Jan 6 19:22:16 2005 Subject: [Patch] internatinal domain names for email addresses In-Reply-To: References: <20050106054056.GC3133__25089.327680371$1104990806$gmane$org@jabberwocky.com> <20050106141156.GB8501__23828.3851802864$1105021171$gmane$org@jabberwocky.com> <20050106160418.GA10845__16345.7980416299$1105027860$gmane$org@jabberwocky.com> <20050106165643.GA11298__26053.4114357599$1105031044$gmane$org@jabberwocky.com> <20050106175129.GD11298__15415.9844191328$1105034340$gmane$org@jabberwocky.com> Message-ID: <20050106182516.GE11298@jabberwocky.com> On Thu, Jan 06, 2005 at 07:05:15PM +0100, Thomas Kuehne wrote: > >>>Will the regexp code in GnuPG do the right thing when matching utf8 > >>>against utf8 ? > >> > >>I'm currently somehow failing to test it ;) > >> > >>Does the UID "___\u00FC___" match the regexp "___\u0075\u0308___" ? > > > > > >It shouldn't. > > "\u00FC" and "\u0075\u0308" are canonical-equivalent. > They should match. > > http://www.unicode.org/faq/normalization.html > http://www.unicode.org/reports/tr15/ Are both of those strings utf8? I was under the impression that the utf8 spec disallowed multiple ways to encode a particular character for security reasons (so people couldn't "hide" illegal characters in the encoding). David From thomas-gmane at kuehne.cn Thu Jan 6 21:13:06 2005 From: thomas-gmane at kuehne.cn (Thomas Kuehne) Date: Thu Jan 6 21:07:55 2005 Subject: [Patch] internatinal domain names for email addresses In-Reply-To: <20050106182516.GE11298__4269.66365562311$1105036381$gmane$org@jabberwocky.com> References: <20050106054056.GC3133__25089.327680371$1104990806$gmane$org@jabberwocky.com> <20050106141156.GB8501__23828.3851802864$1105021171$gmane$org@jabberwocky.com> <20050106160418.GA10845__16345.7980416299$1105027860$gmane$org@jabberwocky.com> <20050106165643.GA11298__26053.4114357599$1105031044$gmane$org@jabberwocky.com> <20050106175129.GD11298__15415.9844191328$1105034340$gmane$org@jabberwocky.com> <20050106182516.GE11298__4269.66365562311$1105036381$gmane$org@jabberwocky.com> Message-ID: David Shaw wrote: > On Thu, Jan 06, 2005 at 07:05:15PM +0100, Thomas Kuehne wrote: > >>>>>Will the regexp code in GnuPG do the right thing when matching utf8 >>>>>against utf8 ? >>>> >>>>I'm currently somehow failing to test it ;) >>>> >>>>Does the UID "___\u00FC___" match the regexp "___\u0075\u0308___" ? >>> >>> >>>It shouldn't. >> >>"\u00FC" and "\u0075\u0308" are canonical-equivalent. >>They should match. >> >>http://www.unicode.org/faq/normalization.html >>http://www.unicode.org/reports/tr15/ > > > Are both of those strings utf8? I was under the impression that the > utf8 spec disallowed multiple ways to encode a particular character > for security reasons (so people couldn't "hide" illegal characters in > the encoding). UTF-8 only encode codepoints (0x00FC, 0x0075 and 0x0308). Unicode rules how those codepoints are interpreted. Some "characters" can be represented via different codepoint representations. A simple example is "?" U+00FC LATIN SMALL LETTER U WITH DIAERESIS or U+0075 LATIN SMALL LETTER U U+0308 COMBINING DIAERESIS There are much more complicated cases in polytonic Greek, Hangul(Korean) and Hebrew. One way to ease the problem would be to specify one of the 4 so called normalization forms in RFC2440 3.4. (Text). Nevertheless user input needs to be normalized. Thomas -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 155 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050106/74ada1a3/signature.bin From dshaw at jabberwocky.com Thu Jan 6 21:26:16 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Jan 6 21:23:20 2005 Subject: [Patch] internatinal domain names for email addresses In-Reply-To: References: <20050106141156.GB8501__23828.3851802864$1105021171$gmane$org@jabberwocky.com> <20050106160418.GA10845__16345.7980416299$1105027860$gmane$org@jabberwocky.com> <20050106165643.GA11298__26053.4114357599$1105031044$gmane$org@jabberwocky.com> <20050106175129.GD11298__15415.9844191328$1105034340$gmane$org@jabberwocky.com> <20050106182516.GE11298__4269.66365562311$1105036381$gmane$org@jabberwocky.com> Message-ID: <20050106202616.GA12426@jabberwocky.com> On Thu, Jan 06, 2005 at 09:13:06PM +0100, Thomas Kuehne wrote: > David Shaw wrote: > >On Thu, Jan 06, 2005 at 07:05:15PM +0100, Thomas Kuehne wrote: > > > >>>>>Will the regexp code in GnuPG do the right thing when matching utf8 > >>>>>against utf8 ? > >>>> > >>>>I'm currently somehow failing to test it ;) > >>>> > >>>>Does the UID "___\u00FC___" match the regexp "___\u0075\u0308___" ? > >>> > >>> > >>>It shouldn't. > >> > >>"\u00FC" and "\u0075\u0308" are canonical-equivalent. > >>They should match. > >> > >>http://www.unicode.org/faq/normalization.html > >>http://www.unicode.org/reports/tr15/ > > > > > >Are both of those strings utf8? I was under the impression that the > >utf8 spec disallowed multiple ways to encode a particular character > >for security reasons (so people couldn't "hide" illegal characters in > >the encoding). > > UTF-8 only encode codepoints (0x00FC, 0x0075 and 0x0308). > > Unicode rules how those codepoints are interpreted. > Some "characters" can be represented via different codepoint > representations. > > A simple example is "?" > > U+00FC LATIN SMALL LETTER U WITH DIAERESIS > or > U+0075 LATIN SMALL LETTER U > U+0308 COMBINING DIAERESIS > > There are much more complicated cases in polytonic Greek, Hangul(Korean) > and Hebrew. > > One way to ease the problem would be to specify one of the 4 so called > normalization forms in RFC2440 3.4. (Text). Ah, I did not understand. Wow, that's a massive headache. David From wk at gnupg.org Thu Jan 6 21:50:55 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Jan 6 21:50:28 2005 Subject: [Patch] internatinal domain names for email addresses In-Reply-To: <20050106182516.GE11298@jabberwocky.com> (David Shaw's message of "Thu, 6 Jan 2005 13:25:16 -0500") References: <20050106054056.GC3133__25089.327680371$1104990806$gmane$org@jabberwocky.com> <20050106141156.GB8501__23828.3851802864$1105021171$gmane$org@jabberwocky.com> <20050106160418.GA10845__16345.7980416299$1105027860$gmane$org@jabberwocky.com> <20050106165643.GA11298__26053.4114357599$1105031044$gmane$org@jabberwocky.com> <20050106175129.GD11298__15415.9844191328$1105034340$gmane$org@jabberwocky.com> <20050106182516.GE11298@jabberwocky.com> Message-ID: <87acrm9t8w.fsf@wheatstone.g10code.de> On Thu, 6 Jan 2005 13:25:16 -0500, David Shaw said: > Are both of those strings utf8? I was under the impression that the > utf8 spec disallowed multiple ways to encode a particular character > for security reasons (so people couldn't "hide" illegal characters in That's right. Not only for security reasons but so that strcmp still works. Werner From wk at gnupg.org Thu Jan 6 21:53:12 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Jan 6 21:50:37 2005 Subject: [Patch] internatinal domain names for email addresses In-Reply-To: (Thomas Kuehne's message of "Thu, 06 Jan 2005 21:13:06 +0100") References: <20050106054056.GC3133__25089.327680371$1104990806$gmane$org@jabberwocky.com> <20050106141156.GB8501__23828.3851802864$1105021171$gmane$org@jabberwocky.com> <20050106160418.GA10845__16345.7980416299$1105027860$gmane$org@jabberwocky.com> <20050106165643.GA11298__26053.4114357599$1105031044$gmane$org@jabberwocky.com> <20050106175129.GD11298__15415.9844191328$1105034340$gmane$org@jabberwocky.com> <20050106182516.GE11298__4269.66365562311$1105036381$gmane$org@jabberwocky.com> Message-ID: <87652a9t53.fsf@wheatstone.g10code.de> On Thu, 06 Jan 2005 21:13:06 +0100, Thomas Kuehne said: > Nevertheless user input needs to be normalized. GnuPG expects uft-8 and print utf-8 so there is no need for messing around with the strings. --charset is just a convenience thing until utf-8 is really deployes everywhere (20 years or so from now). Werner From jas at extundo.com Thu Jan 6 23:34:50 2005 From: jas at extundo.com (Simon Josefsson) Date: Thu Jan 6 23:31:40 2005 Subject: [Patch] internatinal domain names for email addresses In-Reply-To: <20050106164948.GB10845__1153.30785415626$1105030701$gmane$org@jabberwocky.com> (David Shaw's message of "Thu, 6 Jan 2005 11:49:48 -0500") References: <87mzvogtgi.fsf@wheatstone.g10code.de> <20050106054056.GC3133__25089.327680371$1104990806$gmane$org@jabberwocky.com> <20050106141156.GB8501__23828.3851802864$1105021171$gmane$org@jabberwocky.com> <20050106160418.GA10845__16345.7980416299$1105027860$gmane$org@jabberwocky.com> <20050106164948.GB10845__1153.30785415626$1105030701$gmane$org@jabberwocky.com> Message-ID: David Shaw writes: > On Thu, Jan 06, 2005 at 05:16:27PM +0100, Simon Josefsson wrote: >> David Shaw writes: >> >> >> 1) key selection: >> >> gpg --edit-key user@xn--fiq228c.idn.kuehne.cn >> >> gpg --edit-key user@??????.idn.kuehne.cn >> > >> > Perhaps I am missing something, but it strikes me that users should >> > never be using the punycode format directly. This is an encoding to >> > accomodate software that cannot handle unicode. Since GnuPG does >> > handle unicode, the user should be using the actual unicode name and >> > not translating it and then typing in the translation. >> >> The IDNA specification require that any field that is IDN-unaware use >> the punycode format. RFC 3490: >> >> An "IDN-unaware domain name slot" is defined in this document to be >> any domain name slot that is not an IDN-aware domain name slot. >> Obviously, this includes any domain name slot whose specification >> predates IDNA. >> ... >> 2) Whenever a domain name is put into an IDN-unaware domain name slot >> (see section 2), it MUST contain only ASCII characters. >> >> The OpenPGP specification could be updated to say that the any RFC >> 2822 User-ID field may be considered IDN-aware. More changes may be >> required as well. > > Not impossible, I suppose, but it's a little tricky with OpenPGP since > OpenPGP user IDs do not have *any* "domain name slot". User IDs are > just a UTF8 string. The whole "Name " syntax is > just tradition. Given how IDNA is written, I suspect the only option is to encode the tradition in the specification, and make it clear for implementations whether the field is IDN-aware or not. Or OpenPGP could adopt a better i18n-strategy than IDNA, but I suspect the IETF would disagree with that. Thanks, Simon From jas at extundo.com Fri Jan 7 00:02:00 2005 From: jas at extundo.com (Simon Josefsson) Date: Thu Jan 6 23:58:21 2005 Subject: [Patch] internatinal domain names for email addresses In-Reply-To: <20050106202616.GA12426__12426.4800026596$1105044078$gmane$org@jabberwocky.com> (David Shaw's message of "Thu, 6 Jan 2005 15:26:16 -0500") References: <20050106141156.GB8501__23828.3851802864$1105021171$gmane$org@jabberwocky.com> <20050106160418.GA10845__16345.7980416299$1105027860$gmane$org@jabberwocky.com> <20050106165643.GA11298__26053.4114357599$1105031044$gmane$org@jabberwocky.com> <20050106175129.GD11298__15415.9844191328$1105034340$gmane$org@jabberwocky.com> <20050106182516.GE11298__4269.66365562311$1105036381$gmane$org@jabberwocky.com> <20050106202616.GA12426__12426.4800026596$1105044078$gmane$org@jabberwocky.com> Message-ID: David Shaw writes: >> UTF-8 only encode codepoints (0x00FC, 0x0075 and 0x0308). >> >> Unicode rules how those codepoints are interpreted. >> Some "characters" can be represented via different codepoint >> representations. >> >> A simple example is "?" >> >> U+00FC LATIN SMALL LETTER U WITH DIAERESIS >> or >> U+0075 LATIN SMALL LETTER U >> U+0308 COMBINING DIAERESIS >> >> There are much more complicated cases in polytonic Greek, Hangul(Korean) >> and Hebrew. >> >> One way to ease the problem would be to specify one of the 4 so called >> normalization forms in RFC2440 3.4. (Text). > > Ah, I did not understand. Wow, that's a massive headache. Using the Punycode form in the OpenPGP User-ID is another option. And from what I can tell, it is the only option that can be used without changing OpenPGP. IDNA take care of normalization, so that for both the input U+00FC and U+0075 U+0308, the output will be xn--tda. Regards, Simon From thomas-gmane at kuehne.cn Fri Jan 7 07:57:57 2005 From: thomas-gmane at kuehne.cn (Thomas Kuehne) Date: Fri Jan 7 07:52:15 2005 Subject: [Patch] internatinal domain names for email addresses In-Reply-To: <87652a9t53.fsf__962.136782664125$1105045892$gmane$org@wheatstone.g10code.de> References: <20050106054056.GC3133__25089.327680371$1104990806$gmane$org@jabberwocky.com> <20050106141156.GB8501__23828.3851802864$1105021171$gmane$org@jabberwocky.com> <20050106160418.GA10845__16345.7980416299$1105027860$gmane$org@jabberwocky.com> <20050106165643.GA11298__26053.4114357599$1105031044$gmane$org@jabberwocky.com> <20050106175129.GD11298__15415.9844191328$1105034340$gmane$org@jabberwocky.com> <20050106182516.GE11298__4269.66365562311$1105036381$gmane$org@jabberwocky.com> <87652a9t53.fsf__962.136782664125$1105045892$gmane$org@wheatstone.g10code.de> Message-ID: Werner Koch wrote: > On Thu, 06 Jan 2005 21:13:06 +0100, Thomas Kuehne said: > > >>Nevertheless user input needs to be normalized. > > > GnuPG expects uft-8 and print utf-8 so there is no need for messing > around with the strings. --charset is just a convenience thing until > utf-8 is really deployes everywhere (20 years or so from now). It's not the question of what character set to use (Unicode encoded in UTF-8) but the consequences of Unicode. http://www.unicode.org/reports/tr15/ | This document describes specifications for four normalized forms of | Unicode text. With these forms, equivalent text (canonical or | compatibility) will have identical binary representations. When | implementations keep strings in a normalized form, they can be assured | that equivalent strings have a unique binary representation. Currently no normalization is checked and as a consequence "equivalent text" isn't garanteed to be recognized by strcmp. Thomas -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 155 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050107/77e5e180/signature.bin From chris at unixpages.org Thu Jan 6 22:17:36 2005 From: chris at unixpages.org (Christian Brueffer) Date: Fri Jan 7 09:53:30 2005 Subject: pubkey problems Message-ID: <20050106211736.GA32440@unixpages.org> Hi, since about September I have a problem with my public key on the keyservers, namely: chris@haakonia:~ $ gpg --refresh-keys gpg: refreshing 40 keys from x-hkp://wwwkeys.de.pgp.net [...] gpg: mpi too large (22867 bits) gpg: read_block: read error: invalid packet gpg: no valid OpenPGP data found. gpg: Total number processed: 39 gpg: unchanged: 39 The error occurs, when my key is processed. Of course the key can't be imported into gpg now. I have tested gpg 1.4.0 and 1.9.14, but no success. It seems like the key includes a corrupted signature or something. This problem was discussed on sks-devel some time back and they have fixed their server to deal with this kind of problem. Any ideas? - Christian -- Christian Brueffer chris@unixpages.org brueffer@FreeBSD.org GPG Key: http://people.freebsd.org/~brueffer/brueffer.key.asc GPG Fingerprint: A5C8 2099 19FF AACA F41B B29B 6C76 178C A0ED 982D -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : /pipermail/attachments/20050106/4f5611a8/attachment.bin From gnupg-devel=gnupg.org at lists.palfrader.org Fri Jan 7 11:20:53 2005 From: gnupg-devel=gnupg.org at lists.palfrader.org (Peter Palfrader) Date: Fri Jan 7 11:36:13 2005 Subject: get a key by short subkey keyid Message-ID: <20050107102053.GH4392@opium.palfrader.org> Hi, gpg --keyserver ldap://keyserver.pgp.com/ --recv 1069EFEB does not fetch the key that has a subkey with keyid 1069EFEB. It does work with long keyids tho. Maybe this helps: diff -ur gnupg-1.4.0/keyserver/gpgkeys_ldap.c gnupg-1.4.0-mine/keyserver/gpgkeys_ldap.c --- gnupg-1.4.0/keyserver/gpgkeys_ldap.c 2004-10-15 12:14:02.000000000 +0200 +++ gnupg-1.4.0-mine/keyserver/gpgkeys_ldap.c 2005-01-07 11:15:44.108925212 +0100 @@ -1023,8 +1023,11 @@ else { /* short key id */ - - sprintf(search,"(pgpkeyid=%.8s)",getkey); + + if(include_subkeys) + sprintf(search,"(|(pgpkeyid=%.8s)(pgpsubkeyid=*%.8s))",getkey,getkey); + else + sprintf(search,"(pgpkeyid=%.8s)",getkey); } if(verbose>2) -- Peter From jharris at widomaker.com Fri Jan 7 13:42:55 2005 From: jharris at widomaker.com (Jason Harris) Date: Fri Jan 7 13:39:20 2005 Subject: pubkey problems In-Reply-To: <20050106211736.GA32440@unixpages.org> References: <20050106211736.GA32440@unixpages.org> Message-ID: <20050107124255.GQ684@wilma.widomaker.com> On Thu, Jan 06, 2005 at 10:17:36PM +0100, Christian Brueffer wrote: > since about September I have a problem with my public key on the > keyservers, namely: > > chris@haakonia:~ $ gpg --refresh-keys > gpg: refreshing 40 keys from x-hkp://wwwkeys.de.pgp.net > [...] > gpg: mpi too large (22867 bits) > gpg: read_block: read error: invalid packet > gpg: no valid OpenPGP data found. > gpg: Total number processed: 39 > gpg: unchanged: 39 > > The error occurs, when my key is processed. Of course the key can't be > This problem was discussed on sks-devel some time back and they have > fixed their server to deal with this kind of problem. > > Any ideas? http://pgpkeys.pca.dfn.de:11371/pks/lookup?op=stats says that server hasn't been upgraded. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050107/a4dfa52f/attachment.bin From chris at unixpages.org Fri Jan 7 14:19:16 2005 From: chris at unixpages.org (Christian Brueffer) Date: Fri Jan 7 14:47:54 2005 Subject: pubkey problems In-Reply-To: <20050107124255.GQ684@wilma.widomaker.com> References: <20050106211736.GA32440@unixpages.org> <20050107124255.GQ684@wilma.widomaker.com> Message-ID: <20050107131916.GA33025@unixpages.org> On Fri, Jan 07, 2005 at 07:42:55AM -0500, Jason Harris wrote: > On Thu, Jan 06, 2005 at 10:17:36PM +0100, Christian Brueffer wrote: > > > since about September I have a problem with my public key on the > > keyservers, namely: > > > > chris@haakonia:~ $ gpg --refresh-keys > > gpg: refreshing 40 keys from x-hkp://wwwkeys.de.pgp.net > > [...] > > gpg: mpi too large (22867 bits) > > gpg: read_block: read error: invalid packet > > gpg: no valid OpenPGP data found. > > gpg: Total number processed: 39 > > gpg: unchanged: 39 > > > > The error occurs, when my key is processed. Of course the key can't be > > > This problem was discussed on sks-devel some time back and they have > > fixed their server to deal with this kind of problem. > > > > Any ideas? > > http://pgpkeys.pca.dfn.de:11371/pks/lookup?op=stats says > that server hasn't been upgraded. > Damn, you're right. Tried your keyserver and it works. The error message looked like it was coming from gpg itself. Anyway, sorry for the noise and thanks Jason. - Christian -- Christian Brueffer chris@unixpages.org brueffer@FreeBSD.org GPG Key: http://people.freebsd.org/~brueffer/brueffer.key.asc GPG Fingerprint: A5C8 2099 19FF AACA F41B B29B 6C76 178C A0ED 982D -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : /pipermail/attachments/20050107/6a4b0061/attachment.bin From rdieter at math.unl.edu Fri Jan 7 19:53:54 2005 From: rdieter at math.unl.edu (Rex Dieter) Date: Fri Jan 7 19:50:14 2005 Subject: gnupg-1.9.14 requies libgpg-error >= 1.0 to build Message-ID: <41DEDAC2.9070006@math.unl.edu> FYI, gnupg-1.9.14 requires libgpg-error >= 1.0 to build: GPG_ERR_PROTOCOL_VIOLATION is undefined in gnupg-1.9.14/agent/preset-passphrase.c -- Rex From wk at gnupg.org Fri Jan 7 20:18:08 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Jan 7 20:15:27 2005 Subject: gnupg-1.9.14 requies libgpg-error >= 1.0 to build In-Reply-To: <41DEDAC2.9070006@math.unl.edu> (Rex Dieter's message of "Fri, 07 Jan 2005 12:53:54 -0600") References: <41DEDAC2.9070006@math.unl.edu> Message-ID: <874qht2glr.fsf@wheatstone.g10code.de> On Fri, 07 Jan 2005 12:53:54 -0600, Rex Dieter said: > gnupg-1.9.14 requires libgpg-error >= 1.0 to build: Thanks. Fixed in my working copy. Werner From zvrba at globalnet.hr Sat Jan 8 17:13:34 2005 From: zvrba at globalnet.hr (Zeljko Vrba) Date: Sat Jan 8 17:21:18 2005 Subject: OpenPGP javacard implementation Message-ID: <41E006AE.1030802@globalnet.hr> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hi! I have written a prototype OpenPGP applet for the Javacard platform. The ~ homepage of the project is: http://www.core-dump.com.hr/index.pl?node_id=421 In the package are all relevant instructions on how to test it against the gpg and Sun's emulated reference Javacard implementation. I need help in porting and testing to real cards. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFB4AauUIHQih3H6ZQRAwm0AJ4n/Kl5QA6K5VaPwO9sbZrWB3Q56wCgiqxy 1aQiMd5NNRPGyAQj77UMcC8= =dBPu -----END PGP SIGNATURE----- From dany_list at natzo.com Sun Jan 9 00:50:58 2005 From: dany_list at natzo.com (dany_list@natzo.com) Date: Sun Jan 9 00:38:57 2005 Subject: OpenPGP card - adding subkeys on PC keyring generates encrypted "pass-free" files Message-ID: <41E071E2.1030002@natzo.com> Hello, I got my OpenPGP card and played around for a while. It worked well except for one case which produces a weird behavior : Conditions : Win2K + GPG 1.4.0, Towitoko micro 130 USB smartcard reader, OpenPGP card from g10code.de I couldn't use the on-card key generation (it looks like a PC/SC problem) so I generated the primary signing key (RSA 1024) as well an encryption subkey (RSA 1024) on my PC. Then I used the keytocard command twice to move those two keys to the card. Now --edit-key gives me : ---------------------------------- sec 1024R/04B4BC74 created: 2005-01-08 expires: never card-no: 0001 00000123 ssb 1024R/6E62C723 created: 2005-01-08 expires: never card-no: 0001 00000123 ---------------------------------- So using this configuration I can easily encrypt and decrypt stuff. -------------------------------------- C:\GnuPG>gpg -e -r 0x6E62C723 test.txt test.txt contains the string "test me now" C:\GnuPG>gpg -d test.txt.gpg gpg: detected reader `SCM Microsystems Inc. CHIPDRIVE USB SmartCardReader 0' gpg: DBG: asking for PIN 'PIN' PIN gpg: encrypted with 1024-bit RSA key, ID 6E62C723, created 2005-01-08 "Card Tester " test me now -------------------------------------- If I don't insert the card and try to decrypt I get : ------------------------------------------ C:\GnuPG>gpg -d test.txt.gpg gpg: detected reader `SCM Microsystems Inc. CHIPDRIVE USB SmartCardReader 0' gpg: pcsc_connect failed: removed card (0x80100069) gpg: card reader not available gpg: encrypted with 1024-bit RSA key, ID 6E62C723, created 2005-01-08 "Card Tester " gpg: public key decryption failed: general error gpg: decryption failed: secret key not available --------------------------------------------- For your information, --list-packets reports : ------------------------------------------------ C:\GnuPG>gpg --list-packets < test.txt.gpg :pubkey enc packet: version 3, algo 1, keyid 3FC9C8B76E62C723 data: [1023 bits] gpg: detected reader `SCM Microsystems Inc. CHIPDRIVE USB SmartCardReader 0' gpg: pcsc_connect failed: removed card (0x80100069) gpg: card reader not available :encrypted data packet: length: 78 mdc_method: 2 gpg: encrypted with 1024-bit RSA key, ID 6E62C723, created 2005-01-08 "Card Tester " gpg: public key decryption failed: general error gpg: decryption failed: secret key not available ----------------------------------------------- So now, if I just add one subkey (encrypt, RSA 1024) to my keyring (without transferring anything to the card) ---------------------------------- sec 1024R/04B4BC74 created: 2005-01-08 expires: never card-no: 0001 00000123 ssb 1024R/6E62C723 created: 2005-01-08 expires: never card-no: 0001 00000123 ssb 1024R/B8910295 created: 2005-01-08 expires: never (1) Card Tester -------------------------------------- and encrypt the same file using the same previous recipient (the RSA encrypt key from the card) -------------------------------------------- C:\GnuPG>gpg -e -r 0x6E62C723 test.txt =====>> This is where the fun comes up, you can get the clear text without entering any pin or passphrase ! ------------------------------------------------- C:\GnuPG>gpg -d test.txt.gpg gpg: encrypted with 1024-bit RSA key, ID B8910295, created 2005-01-08 "Card Tester " test me now --------------------------------------------------- As you can see the message has been encrypted with the latest RSA key added (off-card) even if I explicitly selected the other one (0xB8910295 instead of 0x6E62C723) For information, the list-packets give : ---------------------------------------------------- C:\GnuPG>gpg --list-packets < test.txt.gpg :pubkey enc packet: version 3, algo 1, keyid 00756FAAB8910295 data: [1024 bits] :encrypted data packet: length: 78 mdc_method: 2 gpg: encrypted with 1024-bit RSA key, ID B8910295, created 2005-01-08 "Card Tester " :compressed packet: algo=2 :literal data packet: mode b (62), created 1105224996, name="test.txt", raw data: 13 bytes -------------------------------------------------------- I tried the same thing without using any smartcard (1 primary RSA (sign) and 2 subkeys (RSA encrypt)) and it asked me for the passphrase. Am I missing something here regarding the way a new subkey is added with a primary signing key on the OpenPGP card ? Why didn't gnupg use the keyid I specified ? It was very disturbing as I was sending encrypted test messages to myself and was surprised to discover that I could decrypt them without having the card inserted (or entering any passphrase). Sorry for this long (first) post. I hope someone will help me understanding this phenomena. I'm trying to write a quick tutorial on how to use easily those cards with GnuPG and also Enigmail for Thunderbird so proper warnings should be issued to explain the limitations. Thanks Dany From dany_list at natzo.com Sun Jan 9 01:36:59 2005 From: dany_list at natzo.com (dany_list@natzo.com) Date: Sun Jan 9 01:24:52 2005 Subject: PART 2 - OpenPGP card - adding subkeys on PC keyring generates encrypted "pass-free" files - Part 2 In-Reply-To: <41E071E2.1030002@natzo.com> References: <41E071E2.1030002@natzo.com> Message-ID: <41E07CAB.2040206@natzo.com> Using the edit-key command I tried to setup a password for this additional subkey 0xB8910295 (I did select it first using key 2) I was surprised to discover that gnupg wiped out all my links (card-no : xxxx) to the smarcard : sec 1024R/04B4BC74 created: 2005-01-08 expires: never ssb 1024R/6E62C723 created: 2005-01-08 expires: never ssb 1024R/B8910295 created: 2005-01-08 expires: never (1) Card Tester From now I can only encrypt/decrypt using the third key (secret in the keyring). So to summarize I have the following issues : - adding a RSA1024 encrypt subkey to my keyring which contains links to the OpenPGP card will make any further encryption to use this new subkey (even if forced with -r 0x...) - This new subkey doesn't have any passphrase associated to it so resulting encrypted files can be decrypted freely - Setting up a password for this specific third subkey wipes out the links to the OpenPGP for the two other keys (primary and 1st sub key) Dany dany_list@natzo.com wrote: > Hello, > > I got my OpenPGP card and played around for a while. It worked well > except for one case which produces a weird behavior : > > Conditions : > Win2K + GPG 1.4.0, Towitoko micro 130 USB smartcard reader, OpenPGP > card from g10code.de > > I couldn't use the on-card key generation (it looks like a PC/SC > problem) so I generated the primary signing key (RSA 1024) as well an > encryption subkey (RSA 1024) on my PC. Then I used the keytocard > command twice to move those two keys to the card. > Now --edit-key gives me : > ---------------------------------- > sec 1024R/04B4BC74 created: 2005-01-08 expires: never > card-no: 0001 00000123 > ssb 1024R/6E62C723 created: 2005-01-08 expires: never > card-no: 0001 00000123 > ---------------------------------- > > So using this configuration I can easily encrypt and decrypt stuff. > > -------------------------------------- > C:\GnuPG>gpg -e -r 0x6E62C723 test.txt test.txt contains the > string "test me now" > > C:\GnuPG>gpg -d test.txt.gpg > gpg: detected reader `SCM Microsystems Inc. CHIPDRIVE USB > SmartCardReader 0' > gpg: DBG: asking for PIN 'PIN' > > PIN > gpg: encrypted with 1024-bit RSA key, ID 6E62C723, created 2005-01-08 > "Card Tester " > test me now > -------------------------------------- > > If I don't insert the card and try to decrypt I get : > > ------------------------------------------ > C:\GnuPG>gpg -d test.txt.gpg > gpg: detected reader `SCM Microsystems Inc. CHIPDRIVE USB > SmartCardReader 0' > gpg: pcsc_connect failed: removed card (0x80100069) > gpg: card reader not available > gpg: encrypted with 1024-bit RSA key, ID 6E62C723, created 2005-01-08 > "Card Tester " > gpg: public key decryption failed: general error > gpg: decryption failed: secret key not available > --------------------------------------------- > > For your information, --list-packets reports : > > ------------------------------------------------ > C:\GnuPG>gpg --list-packets < test.txt.gpg > :pubkey enc packet: version 3, algo 1, keyid 3FC9C8B76E62C723 > data: [1023 bits] > gpg: detected reader `SCM Microsystems Inc. CHIPDRIVE USB > SmartCardReader 0' > gpg: pcsc_connect failed: removed card (0x80100069) > gpg: card reader not available > :encrypted data packet: > length: 78 > mdc_method: 2 > gpg: encrypted with 1024-bit RSA key, ID 6E62C723, created 2005-01-08 > "Card Tester " > gpg: public key decryption failed: general error > gpg: decryption failed: secret key not available > ----------------------------------------------- > > So now, if I just add one subkey (encrypt, RSA 1024) to my keyring > (without transferring anything to the card) > ---------------------------------- > sec 1024R/04B4BC74 created: 2005-01-08 expires: never > card-no: 0001 00000123 > ssb 1024R/6E62C723 created: 2005-01-08 expires: never > card-no: 0001 00000123 > ssb 1024R/B8910295 created: 2005-01-08 expires: never (1) > Card Tester > -------------------------------------- > and encrypt the same file using the same previous recipient (the RSA > encrypt key from the card) > > -------------------------------------------- > C:\GnuPG>gpg -e -r 0x6E62C723 test.txt > > =====>> This is where the fun comes up, you can get the clear text > without entering any pin or passphrase ! > > ------------------------------------------------- > C:\GnuPG>gpg -d test.txt.gpg > gpg: encrypted with 1024-bit RSA key, ID B8910295, created 2005-01-08 > "Card Tester " > test me now > --------------------------------------------------- > > As you can see the message has been encrypted with the latest RSA key > added (off-card) even if I explicitly selected the other one > (0xB8910295 instead of 0x6E62C723) > > For information, the list-packets give : > > ---------------------------------------------------- > C:\GnuPG>gpg --list-packets < test.txt.gpg > :pubkey enc packet: version 3, algo 1, keyid 00756FAAB8910295 > data: [1024 bits] > :encrypted data packet: > length: 78 > mdc_method: 2 > gpg: encrypted with 1024-bit RSA key, ID B8910295, created 2005-01-08 > "Card Tester " > :compressed packet: algo=2 > :literal data packet: > mode b (62), created 1105224996, name="test.txt", > raw data: 13 bytes > -------------------------------------------------------- > > I tried the same thing without using any smartcard (1 primary RSA > (sign) and 2 subkeys (RSA encrypt)) and it asked me for the passphrase. > > Am I missing something here regarding the way a new subkey is added > with a primary signing key on the OpenPGP card ? > Why didn't gnupg use the keyid I specified ? > > It was very disturbing as I was sending encrypted test messages to > myself and was surprised to discover that I could decrypt them without > having the card inserted (or entering any passphrase). > > Sorry for this long (first) post. I hope someone will help me > understanding this phenomena. I'm trying to write a quick tutorial on > how to use easily those cards with GnuPG and also Enigmail for > Thunderbird so proper warnings should be issued to explain the > limitations. > > Thanks > Dany > > _______________________________________________ > Gnupg-devel mailing list > Gnupg-devel@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-devel From dany_list at natzo.com Sun Jan 9 02:54:16 2005 From: dany_list at natzo.com (dany_list@natzo.com) Date: Sun Jan 9 02:42:14 2005 Subject: PART 3 - OpenPGP card - adding subkeys on PC keyring generates encrypted "pass-free" files - Part 2 In-Reply-To: <41E07CAB.2040206@natzo.com> References: <41E071E2.1030002@natzo.com> <41E07CAB.2040206@natzo.com> Message-ID: <41E08EC8.6010303@natzo.com> I found in an old post from Werner Koch (http://lists.gnupg.org/pipermail/gnupg-users/2002-August/014723.html) some interesting things about subkeys : "GnuPG always tries to use a subkey first, the primary key is the last resort. An exception is key signing where only the primary key is used." So I found out about the keyid! stuff and were able to encrypt using the card or additional subkey. The only thing I still don't understant is why the smartcard get removed from the primary key when I do a passwd command on a newly added RSA encrypt subkey found only in my local keyring. Also why does this encryption subkey have a blank passphrase by default ? Dany dany_list@natzo.com wrote: > Using the edit-key command I tried to setup a password for this > additional subkey 0xB8910295 (I did select it first using key 2) > > I was surprised to discover that gnupg wiped out all my links (card-no > : xxxx) to the smarcard : > > sec 1024R/04B4BC74 created: 2005-01-08 expires: never > ssb 1024R/6E62C723 created: 2005-01-08 expires: > never ssb 1024R/B8910295 created: > 2005-01-08 expires: never (1) Card Tester > > From now I can only encrypt/decrypt using the third key (secret in the > keyring). > > So to summarize I have the following issues : > - adding a RSA1024 encrypt subkey to my keyring which contains links > to the OpenPGP card will make any further encryption to use this new > subkey (even if forced with -r 0x...) > - This new subkey doesn't have any passphrase associated to it so > resulting encrypted files can be decrypted freely > - Setting up a password for this specific third subkey wipes out the > links to the OpenPGP for the two other keys (primary and 1st sub key) > > Dany > > > > dany_list@natzo.com wrote: > >> Hello, >> >> I got my OpenPGP card and played around for a while. It worked well >> except for one case which produces a weird behavior : >> >> Conditions : >> Win2K + GPG 1.4.0, Towitoko micro 130 USB smartcard reader, OpenPGP >> card from g10code.de >> >> I couldn't use the on-card key generation (it looks like a PC/SC >> problem) so I generated the primary signing key (RSA 1024) as well an >> encryption subkey (RSA 1024) on my PC. Then I used the keytocard >> command twice to move those two keys to the card. >> Now --edit-key gives me : >> ---------------------------------- >> sec 1024R/04B4BC74 created: 2005-01-08 expires: never >> card-no: 0001 00000123 >> ssb 1024R/6E62C723 created: 2005-01-08 expires: never >> card-no: 0001 00000123 >> ---------------------------------- >> >> So using this configuration I can easily encrypt and decrypt stuff. >> >> -------------------------------------- >> C:\GnuPG>gpg -e -r 0x6E62C723 test.txt test.txt contains the >> string "test me now" >> >> C:\GnuPG>gpg -d test.txt.gpg >> gpg: detected reader `SCM Microsystems Inc. CHIPDRIVE USB >> SmartCardReader 0' >> gpg: DBG: asking for PIN 'PIN' >> >> PIN >> gpg: encrypted with 1024-bit RSA key, ID 6E62C723, created 2005-01-08 >> "Card Tester " >> test me now >> -------------------------------------- >> >> If I don't insert the card and try to decrypt I get : >> >> ------------------------------------------ >> C:\GnuPG>gpg -d test.txt.gpg >> gpg: detected reader `SCM Microsystems Inc. CHIPDRIVE USB >> SmartCardReader 0' >> gpg: pcsc_connect failed: removed card (0x80100069) >> gpg: card reader not available >> gpg: encrypted with 1024-bit RSA key, ID 6E62C723, created 2005-01-08 >> "Card Tester " >> gpg: public key decryption failed: general error >> gpg: decryption failed: secret key not available >> --------------------------------------------- >> >> For your information, --list-packets reports : >> >> ------------------------------------------------ >> C:\GnuPG>gpg --list-packets < test.txt.gpg >> :pubkey enc packet: version 3, algo 1, keyid 3FC9C8B76E62C723 >> data: [1023 bits] >> gpg: detected reader `SCM Microsystems Inc. CHIPDRIVE USB >> SmartCardReader 0' >> gpg: pcsc_connect failed: removed card (0x80100069) >> gpg: card reader not available >> :encrypted data packet: >> length: 78 >> mdc_method: 2 >> gpg: encrypted with 1024-bit RSA key, ID 6E62C723, created 2005-01-08 >> "Card Tester " >> gpg: public key decryption failed: general error >> gpg: decryption failed: secret key not available >> ----------------------------------------------- >> >> So now, if I just add one subkey (encrypt, RSA 1024) to my keyring >> (without transferring anything to the card) >> ---------------------------------- >> sec 1024R/04B4BC74 created: 2005-01-08 expires: never >> card-no: 0001 00000123 >> ssb 1024R/6E62C723 created: 2005-01-08 expires: never >> card-no: 0001 00000123 >> ssb 1024R/B8910295 created: 2005-01-08 expires: never >> (1) Card Tester >> -------------------------------------- >> and encrypt the same file using the same previous recipient (the RSA >> encrypt key from the card) >> >> -------------------------------------------- >> C:\GnuPG>gpg -e -r 0x6E62C723 test.txt >> >> =====>> This is where the fun comes up, you can get the clear text >> without entering any pin or passphrase ! >> >> ------------------------------------------------- >> C:\GnuPG>gpg -d test.txt.gpg >> gpg: encrypted with 1024-bit RSA key, ID B8910295, created 2005-01-08 >> "Card Tester " >> test me now >> --------------------------------------------------- >> >> As you can see the message has been encrypted with the latest RSA key >> added (off-card) even if I explicitly selected the other one >> (0xB8910295 instead of 0x6E62C723) >> >> For information, the list-packets give : >> >> ---------------------------------------------------- >> C:\GnuPG>gpg --list-packets < test.txt.gpg >> :pubkey enc packet: version 3, algo 1, keyid 00756FAAB8910295 >> data: [1024 bits] >> :encrypted data packet: >> length: 78 >> mdc_method: 2 >> gpg: encrypted with 1024-bit RSA key, ID B8910295, created 2005-01-08 >> "Card Tester " >> :compressed packet: algo=2 >> :literal data packet: >> mode b (62), created 1105224996, name="test.txt", >> raw data: 13 bytes >> -------------------------------------------------------- >> >> I tried the same thing without using any smartcard (1 primary RSA >> (sign) and 2 subkeys (RSA encrypt)) and it asked me for the passphrase. >> >> Am I missing something here regarding the way a new subkey is added >> with a primary signing key on the OpenPGP card ? >> Why didn't gnupg use the keyid I specified ? >> >> It was very disturbing as I was sending encrypted test messages to >> myself and was surprised to discover that I could decrypt them >> without having the card inserted (or entering any passphrase). >> >> Sorry for this long (first) post. I hope someone will help me >> understanding this phenomena. I'm trying to write a quick tutorial on >> how to use easily those cards with GnuPG and also Enigmail for >> Thunderbird so proper warnings should be issued to explain the >> limitations. >> >> Thanks >> Dany >> >> _______________________________________________ >> Gnupg-devel mailing list >> Gnupg-devel@gnupg.org >> http://lists.gnupg.org/mailman/listinfo/gnupg-devel > > > > From mo at g10code.com Sun Jan 9 15:03:22 2005 From: mo at g10code.com (Moritz Schulte) Date: Sun Jan 9 15:45:09 2005 Subject: [Announce] Libgcrypt 1.2.1 released Message-ID: <20050109140322.GB16385@sarkutty> Skipped content of type multipart/signed-------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From dshaw at jabberwocky.com Sun Jan 9 16:38:44 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sun Jan 9 17:02:31 2005 Subject: get a key by short subkey keyid In-Reply-To: <20050107102053.GH4392@opium.palfrader.org> References: <20050107102053.GH4392@opium.palfrader.org> Message-ID: <20050109153844.GB12681@jabberwocky.com> On Fri, Jan 07, 2005 at 11:20:53AM +0100, Peter Palfrader wrote: > gpg --keyserver ldap://keyserver.pgp.com/ --recv 1069EFEB > does not fetch the key that has a subkey with keyid 1069EFEB. It does > work with long keyids tho. [ using "(|(pgpkeyid=%.8s)(pgpsubkeyid=*%.8s))" to match short subkey ids ] I'm not sure what to do about this. You're quite right that this works in theory, but it is very slow due to the pattern match in the server. In a perfect world, the query would actually be: "(|(pgpcertid=*%.8s)(pgpsubkeyid=*%.8s))" As pgpcertid is guaranteed to be present in the schema, and pgpkeyid is not. Naturally, that's even slower with two pattern matches. If the server is slow enough, using the pattern match can result in the user getting no answer. On ldap://keyserver.pgp.com, using straight pgpkeyid it answers within 1 second. pgpkeyid|pgpsubkeyid or pgpcertid|pgpsubkeyid take 5 minutes and then the server times out the request. The results on ldap://keyserver-beta.pgp.com (the Global Directory) are considerably better: pgpkeyid <1 second pgpkeyid|pgpsubkeyid 4.5 seconds pgpcertid|pgpsubkeyid 4.5 seconds David From dany_list at natzo.com Sun Jan 9 17:54:34 2005 From: dany_list at natzo.com (Dany Nativel) Date: Sun Jan 9 17:42:40 2005 Subject: Pb with built-in CCID driver when performing on-card key generation Message-ID: <41E161CA.9040109@natzo.com> I don't have any problem generating a key on-card using a serial reader for example (GCR415) on FreeBSD. Now if I use the SCR331 (firmware updated to the latest .18), I can go through the key generation but it fails at the end : gpg: ccid_transceive failed: (0x1000d) gpg: apdu_send_simple(0) failed: aborted You will find below a quick log of what happened. I remember having the same problem on a Windows machine with the same reader (maybe I should try with the --disable-ccid to see how it goes with PC/SC). =========================================== bash-2.05b$ gpg --card-edit gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information Command> admin Command> generate Make off-card backup of encryption key? (Y/n) y gpg: DBG: asking for PIN 'PIN' PIN Please specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0) Key does not expire at all Is this correct? (y/N) y You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) " Real name: ONCARDBIS Email address: ggg@qol.qqq Comment: You selected this USER-ID: "ONCARDBIS " Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o gpg: existing key will be replaced gpg: 3 Admin PIN attempts remaining before card is permanently locked gpg: DBG: asking for PIN '|A|Admin PIN' Admin PIN gpg: please wait while key is being generated ... gpg: key generation completed (17 seconds) gpg: signing failed: wrong secret key used gpg: make_keysig_packet failed: wrong secret key used You need a Passphrase to protect your secret key. ..+++++ +++++ gpg: ccid_transceive failed: (0x1000a) gpg: apdu_send_simple(0) failed: card I/O error gpg: failed to store the key: general error gpg: storing key onto card failed: general error gpg: ccid_transceive failed: (0x1000d) gpg: apdu_send_simple(0) failed: aborted gpg: error reading application data gpg: key generation failed: general error Key generation failed: general error Command> gpg: ccid_transceive failed: (0x1000d) gpg: apdu_send_simple(0) failed: aborted gpg: ccid_transceive failed: (0x1000d) gpg: apdu_send_simple(0) failed: aborted gpg: ccid_transceive failed: (0x1000d) gpg: apdu_send_simple(0) failed: aborted gpg: ccid_transceive failed: (0x1000d) gpg: apdu_send_simple(0) failed: aborted gpg: ccid_transceive failed: (0x1000d) gpg: apdu_send_simple(0) failed: aborted gpg: ccid_transceive failed: (0x1000d) gpg: apdu_send_simple(0) failed: aborted From dany_list at natzo.com Sun Jan 9 18:08:07 2005 From: dany_list at natzo.com (Dany Nativel) Date: Sun Jan 9 17:56:06 2005 Subject: On-card key generation - Errors Message-ID: <41E164F7.4070701@natzo.com> When performing an on-card key generation (OpenPGP card + FreeBSD + GemplusGCR415) I get some error messages at the end. I also wasn't able to use this key at all for either signing or decrypting. gpg: please wait while key is being generated ... gpg: key generation completed (26 seconds) gpg: signing failed: wrong secret key used gpg: make_keysig_packet failed: wrong secret key used gpg: existing key will be replaced gpg: please wait while key is being generated ... gpg: key generation completed (20 seconds) gpg: signatures created so far: 0 gpg: signatures created so far: 0 gpg: existing key will be replaced gpg: please wait while key is being generated ... gpg: key generation completed (14 seconds) gpg: signatures created so far: 2 gpg: signatures created so far: 2 gpg: key 41ADB9DD marked as ultimately trusted public and secret key created and signed. Dany ====================================================== bash-2.05b$ gpg --card-edit gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information gpg: detected reader `GemPC410 0 0' Application ID ...: D2760001240101000001000000110000 Version ..........: 1.0 Manufacturer .....: PPC Card Systems Serial number ....: 00000011 Name of cardholder: [not set] Language prefs ...: de Sex ..............: unspecified URL of public key : [not set] Login data .......: [not set] Signature PIN ....: not forced Max. PIN lengths .: 254 254 254 PIN retry counter : 3 3 3 Signature counter : 0 Signature key ....: 6F61 422F F950 173D 46F2 17D4 51FF D2A7 B4D0 9EF9 Encryption key....: 24BA 7364 DE14 4C4D C911 BBA6 CBE9 1A7D 6E7E 49F9 Authentication key: 5E74 FC83 8A12 8111 78F9 6BB4 B9C8 7460 32A1 539C General key info..: [none] Command> admin Admin commands are allowed Command> generate Make off-card backup of encryption key? (Y/n) n gpg: NOTE: keys are already stored on the card! Replace existing keys? (y/N) y gpg: DBG: asking for PIN 'PIN' PIN Please specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0) Key does not expire at all Is this correct? (y/N) y You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) " Real name: ONCARD-NOBACKUP Email address: Comment: You selected this USER-ID: "ONCARD-NOBACKUP" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o gpg: existing key will be replaced gpg: 3 Admin PIN attempts remaining before card is permanently locked gpg: DBG: asking for PIN '|A|Admin PIN' Admin PIN gpg: please wait while key is being generated ... gpg: key generation completed (26 seconds) gpg: signing failed: wrong secret key used gpg: make_keysig_packet failed: wrong secret key used gpg: existing key will be replaced gpg: please wait while key is being generated ... gpg: key generation completed (20 seconds) gpg: signatures created so far: 0 gpg: signatures created so far: 0 gpg: existing key will be replaced gpg: please wait while key is being generated ... gpg: key generation completed (14 seconds) gpg: signatures created so far: 2 gpg: signatures created so far: 2 gpg: key 41ADB9DD marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u pub 1024R/41ADB9DD 2005-01-09 Key fingerprint = 7815 7459 657E 29C6 B2DA D89C C9C9 D516 41AD B9DD uid ONCARD-NOBACKUP sub 1024R/4D07C21C 2005-01-09 sub 1024R/504D2B68 2005-01-09 Command> toggle Invalid command (try "help") Command> help quit quit this menu admin show admin commands help show this help list list all available data name change card holder's name url change URL to retrieve key fetch fetch the key specified in the card URL login change the login name lang change the language preferences sex change card holder's sex cafpr change a CA fingerprint forcesig toggle the signature force PIN flag generate generate new keys passwd menu to change or unblock the PIN Command> q bash-2.05b$ gpg --edit-key gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information usage: gpg [options] --edit-key user-id [commands] bash-2.05b$ gpg --edit-key ONCARD gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information Secret key is available. pub 1024R/41ADB9DD created: 2005-01-09 expires: never usage: CSEA trust: ultimate validity: ultimate sub 1024R/4D07C21C created: 2005-01-09 expires: never usage: E sub 1024R/504D2B68 created: 2005-01-09 expires: never usage: A [ultimate] (1). ONCARD-NOBACKUP Command> toggle sec 1024R/41ADB9DD created: 2005-01-09 expires: never card-no: 0001 000000F4 ssb 1024R/4D07C21C created: 2005-01-09 expires: never card-no: 0001 000000F4 ssb 1024R/504D2B68 created: 2005-01-09 expires: never card-no: 0001 000000F4 (1) ONCARD-NOBACKUP Command> q bash-2.05b$ gpg -e -r ONCARD-NOBACKUP test4.txt gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information gpg: ONCARD-NOBACKUP: skipped: unusable public key gpg: test4.txt: encryption failed: unusable public key bash-2.05b$ From mo at g10code.com Sun Jan 9 18:39:52 2005 From: mo at g10code.com (Moritz Schulte) Date: Sun Jan 9 18:35:40 2005 Subject: On-card key generation - Errors In-Reply-To: <41E164F7.4070701@natzo.com> References: <41E164F7.4070701@natzo.com> Message-ID: <20050109173951.GA9627@sarkutty> On Sun, Jan 09, 2005 at 06:08:07PM +0100, Dany Nativel wrote: > gpg: please wait while key is being generated ... > gpg: key generation completed (26 seconds) > gpg: signing failed: wrong secret key used > gpg: make_keysig_packet failed: wrong secret key used [...] > bash-2.05b$ gpg -e -r ONCARD-NOBACKUP test4.txt [...] > gpg: ONCARD-NOBACKUP: skipped: unusable public key > gpg: test4.txt: encryption failed: unusable public key [...] Dany, thanks for your bug report. We have discovered this bug about a week ago; there should be a patch and/or a new release fixing this problem available soon. Thanks, Moritz -- Moritz Schulte -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 193 bytes Desc: not available Url : /pipermail/attachments/20050109/3d644402/attachment.bin From dany_list at natzo.com Sun Jan 9 19:30:53 2005 From: dany_list at natzo.com (Dany Nativel) Date: Sun Jan 9 20:21:27 2005 Subject: How do you use your OpenPGP card ? Message-ID: <41E1785D.7040006@natzo.com> I've been able to generate my primary RSA signing key off-card as well as an encryption RSA key. When I execute the "keytocard" command it asks me where I want to store the Primary key : (1) Signature Key (3) Authentication Key I tried both and they work and I wondering what it the best practice out there. What's behind the Authentication Key ? Dany --------------------------------------------------------------------------------------------------------------------------------- sec 1024R/48D72CFD created: 2005-01-09 expires: never ssb 1024R/7E360C43 created: 2005-01-09 expires: never (1) NUMBER5 Command> keytocard Really move the primary key? (y/N) y gpg: detected reader `GemPC410 0 0' Signature key ....: 8422 DA92 7A7F 6BAB 608F D3AF 6E35 E902 3186 D0DD Encryption key....: A1D1 CE23 AAC1 1135 1742 5C0C A953 9748 7FFB 5067 Authentication key: 7CBB 67EA 4845 9535 4F3A F188 61A6 A1A2 504D 2B68 Please select where to store the key: (1) Signature key (3) Authentication key Your selection? From mail at joachim-breitner.de Sun Jan 9 21:43:17 2005 From: mail at joachim-breitner.de (Joachim Breitner) Date: Sun Jan 9 21:42:40 2005 Subject: How do you use your OpenPGP card ? In-Reply-To: <41E1785D.7040006@natzo.com> References: <41E1785D.7040006@natzo.com> Message-ID: <1105303397.9301.2.camel@localhost.localdomain> Hi, your primary key should definately go to the Signature Key slot, since it is used to sign your subkeys, your friends' keys and, unless you have a dedicated signature subkey, your messages. The Authentication Key slot is for keys that you use to log in somewhere, for example using Moritz' libpam-poldi or maybe some kind of ssh daemon. HTH, nomeata Am Sonntag, den 09.01.2005, 19:30 +0100 schrieb Dany Nativel: > I've been able to generate my primary RSA signing key off-card as well > as an encryption RSA key. > > When I execute the "keytocard" command it asks me where I want to store > the Primary key : > > (1) Signature Key > (3) Authentication Key > > I tried both and they work and I wondering what it the best practice out > there. > What's behind the Authentication Key ? > > Dany > > --------------------------------------------------------------------------------------------------------------------------------- > sec 1024R/48D72CFD created: 2005-01-09 expires: never > ssb 1024R/7E360C43 created: 2005-01-09 expires: never > (1) NUMBER5 > > Command> keytocard > Really move the primary key? (y/N) y > gpg: detected reader `GemPC410 0 0' > Signature key ....: 8422 DA92 7A7F 6BAB 608F D3AF 6E35 E902 3186 D0DD > Encryption key....: A1D1 CE23 AAC1 1135 1742 5C0C A953 9748 7FFB 5067 > Authentication key: 7CBB 67EA 4845 9535 4F3A F188 61A6 A1A2 504D 2B68 > > Please select where to store the key: > (1) Signature key > (3) Authentication key > Your selection? > > > > _______________________________________________ > Gnupg-devel mailing list > Gnupg-devel@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-devel -- Joachim "nomeata" Breitner mail: mail@joachim-breitner.de | ICQ# 74513189 | GPG-Key: 4743206C JID: joachimbreitner@amessage.de | http://www.joachim-breitner.de/ Debian Developer: nomeata@debian.org Please avoid sending me Word or PowerPoint attachments. See http://www.fsf.org/philosophy/no-word-attachments.html From wk at gnupg.org Mon Jan 10 09:30:17 2005 From: wk at gnupg.org (Werner Koch) Date: Mon Jan 10 09:30:30 2005 Subject: PART 3 - OpenPGP card - adding subkeys on PC keyring generates encrypted "pass-free" files - Part 2 In-Reply-To: <41E08EC8.6010303@natzo.com> (dany_list@natzo.com's message of "Sun, 09 Jan 2005 02:54:16 +0100") References: <41E071E2.1030002@natzo.com> <41E07CAB.2040206@natzo.com> <41E08EC8.6010303@natzo.com> Message-ID: <873bx9hejq.fsf@wheatstone.g10code.de> On Sun, 09 Jan 2005 02:54:16 +0100, dany list@natzo com said: > The only thing I still don't understant is why the smartcard get > removed from the primary key when I do a passwd command on a newly That is a bug. I'll look at it later the day. > added RSA encrypt subkey found only in my local keyring. Also why does > this encryption subkey have a blank passphrase by default ? Need to investigate that too. Thanks, Werner From gnupg-users-owner at gnupg.org Mon Jan 10 10:28:33 2005 From: gnupg-users-owner at gnupg.org (gnupg-users-owner@gnupg.org) Date: Mon Jan 10 13:13:10 2005 Subject: [Fwd: OpenPGP javacard implementation] Message-ID: <20050110092833.GC27919@cypress.com> ----- Forwarded message from Zeljko Vrba ----- Message-ID: <41E0066F.5090602@globalnet.hr> Date: Sat, 08 Jan 2005 17:12:31 +0100 From: Zeljko Vrba MIME-Version: 1.0 To: gnupg-users-owner@gnupg.org, gnupg-devel-owner@gnupg.org Subject: OpenPGP javacard implementation X-Enigmail-Version: 0.89.0.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hi! I have written a prototype OpenPGP applet for the Javacard platform. The ~ homepage of the project is: http://www.core-dump.com.hr/index.pl?node_id=421 In the package are all relevant instructions on how to test it against the gpg and Sun's emulated reference Javacard implementation. I need help in porting and testing to real cards. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFB4AZvUIHQih3H6ZQRAyauAKCziv7Fk8SqL2R0DsjOACaJDTuSNgCfdh1g sKZ9XFcf0KoGmSSF/v2CKk8= =sFAt -----END PGP SIGNATURE----- ----- End forwarded message ----- From wk at gnupg.org Tue Jan 11 16:37:03 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Jan 11 20:55:08 2005 Subject: Pb with built-in CCID driver when performing on-card key generation In-Reply-To: <41E161CA.9040109@natzo.com> (Dany Nativel's message of "Sun, 09 Jan 2005 17:54:34 +0100") References: <41E161CA.9040109@natzo.com> Message-ID: <87d5wc9duo.fsf@wheatstone.g10code.de> On Sun, 09 Jan 2005 17:54:34 +0100, Dany Nativel said: > You will find below a quick log of what happened. I remember having > the same problem on a Windows machine with the same reader (maybe I > should try with the --disable-ccid to see how it goes with PC/SC). Try this. Ludovic Rousseau's driver might handle it better. Please send me the output of gpg --card-status --debug-ccid-driver as well as the reader part of an "lsusb -v". I send you an updated ccid driver in private mail too. Thanks, Werner From ryan at ostrich-emulators.com Wed Jan 12 03:21:45 2005 From: ryan at ostrich-emulators.com (ryan p bobko) Date: Wed Jan 12 07:32:44 2005 Subject: gpgme test fail (more info) Message-ID: <200501112121.45727.ryan@ostrich-emulators.com> Hi Folks, I previously posted about some trouble I'm having running the tests from the gpgme /tests/gpg directory. I've now confirmed this problem on another system, so I thought I'd post more details. Basically, all of the tests appear to fail even though the compilation and linking and whatnot seem to succeed flawlessly. I'm trying to GPGME version 1.0.2. I have libgpg-error 1.0 installed. I've tried compiling on a reasonably-updated Fedora Core 2, and a Slackware 10.0 install. FC2 is using GCC 3.3.3, while the Slackware install is compiling with GCC 3.3.4. Also, the error seems to come from the call to _gpgme_wait_on_condition (gpgme_ctx_t ctx, volatile int *cond) in wait-private.c. I stuck a couple debug statements in there, and it looks like it goes through the while loop several times before bombing on err = item->handler (item->handler_value, ctx->fdt.fds[i].fd); (about line 120). Interestingly, the error value returned is 117440664, which seems unusual to me. The handler_value is 134528664, which also seems a bit odd to my mind. Any ideas on what is causing this? I'm not well versed in the code, but the values I just quoted seem like gibberish you might get from corrupted memory or an overflowing uint or something. Thanks for your attention, ry -- Love is a perky elf dancing a merry little jig and then suddenly he turns on you with a miniature machine gun. --Matt Groening From marcus.brinkmann at ruhr-uni-bochum.de Wed Jan 12 12:18:20 2005 From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Wed Jan 12 12:54:37 2005 Subject: [gpgme] change work dir In-Reply-To: <200412122045.15659.micron@madlab.it> References: <200412060948.43005.micron@madlab.it> <200412111535.42558.micron@madlab.it> <87llc3tvfr.wl@ulysses.g10code.de> <200412122045.15659.micron@madlab.it> Message-ID: <87fz16q4jn.wl@ulysses.g10code.de> At Sun, 12 Dec 2004 20:45:15 +0100, micron wrote: > > I didn't try your test program with my fix, but I am sure you will ;) > Yep, now both gpgme_ctx_set_engine_info and gpgme_set_engine_info work fine. Thanks for testing it. I have added some documentation to the info file, the only thing you need to be aware of is that we only guarantee that this works as expected if you call gpgme_ctx_set_engine_info before starting the first operation (and for the default of course you have to call gpgme_set_engine_info before creating the context). If you want to use this in your project, you will need to depend on 1.1.0, which is of course not yet released. If you really need it before that, we can talk about merging it back to the 1.0 line, although I would prefer not to do that. Thanks, Marcus From wk at gnupg.org Thu Jan 13 11:51:58 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Jan 13 12:38:56 2005 Subject: test - please ignore Message-ID: <87oeftzjn5.fsf@wheatstone.g10code.de> I updated the machines and configured greylisting. Werner From bh at intevation.de Thu Jan 13 15:55:04 2005 From: bh at intevation.de (Bernhard Herzog) Date: Thu Jan 13 16:48:09 2005 Subject: test - please ignore In-Reply-To: <87oeftzjn5.fsf@wheatstone.g10code.de> (Werner Koch's message of "Thu, 13 Jan 2005 11:51:58 +0100") References: <87oeftzjn5.fsf@wheatstone.g10code.de> Message-ID: Werner Koch writes: > I updated the machines and configured greylisting. Are these updates the reason that anonymous CVS doesn't work anymore? cvs -z3 -d :pserver:anoncvs@cvs.gnupg.org:/cvs/gnupg checkout -r GNUPG-1-9-BRANCH gnupg /cvs/gnupg: no such repository Bernhard -- Intevation GmbH http://intevation.de/ Skencil http://skencil.org/ Thuban http://thuban.intevation.org/ From micron at madlab.it Thu Jan 13 19:28:00 2005 From: micron at madlab.it (micron) Date: Thu Jan 13 20:04:35 2005 Subject: [gpgme] change work dir In-Reply-To: <87fz16q4jn.wl@ulysses.g10code.de> References: <200412060948.43005.micron@madlab.it> <200412122045.15659.micron@madlab.it> <87fz16q4jn.wl@ulysses.g10code.de> Message-ID: <200501131928.00649.micron@madlab.it> On Wednesday 12 January 2005 12:18, Marcus Brinkmann wrote: > the only thing you need to be aware of is that we only guarantee > that this works as expected if you call gpgme_ctx_set_engine_info > before starting the first operation (and for the default of course you > have to call gpgme_set_engine_info before creating the context). No problem, I'll take care of this > If you want to use this in your project, you will need to depend on > 1.1.0, which is of course not yet released. If you really need it > before that, we can talk about merging it back to the 1.0 line, > although I would prefer not to do that. At the moment I'm using gpgme from cvs. There's no problem, I'll wait for version 1.1.0, I don't want to create problems to the project. Well, as we're talking about this, when will be released version 1.1.0 (approximatively)? Cheers micron -- |? micron<- ICQ #118796665 |? GPG Key: |? ~ Keyserver: pgp.mit.edu |? ~ KeyID: 6D632BED ~ "Progress is merely a realisation of utopias" ~ From wk at gnupg.org Thu Jan 13 20:39:00 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Jan 13 20:35:25 2005 Subject: test - please ignore In-Reply-To: (Bernhard Herzog's message of "Thu, 13 Jan 2005 15:55:04 +0100") References: <87oeftzjn5.fsf@wheatstone.g10code.de> Message-ID: <87r7kpunjf.fsf@wheatstone.g10code.de> On Thu, 13 Jan 2005 15:55:04 +0100, Bernhard Herzog said: > Are these updates the reason that anonymous CVS doesn't work anymore? Yep. Debian weirdness. First it decided to remove the sshd (!) and than it overwrote inetd.conf with its own idea on how to call the cvs pserver. Works again. Thanks, Werner From fw at deneb.enyo.de Thu Jan 13 23:02:28 2005 From: fw at deneb.enyo.de (Florian Weimer) Date: Thu Jan 13 23:46:03 2005 Subject: test - please ignore In-Reply-To: <87r7kpunjf.fsf@wheatstone.g10code.de> (Werner Koch's message of "Thu, 13 Jan 2005 20:39:00 +0100") References: <87oeftzjn5.fsf@wheatstone.g10code.de> <87r7kpunjf.fsf@wheatstone.g10code.de> Message-ID: <8765219edn.fsf@deneb.enyo.de> * Werner Koch: > On Thu, 13 Jan 2005 15:55:04 +0100, Bernhard Herzog said: > >> Are these updates the reason that anonymous CVS doesn't work anymore? > > Yep. Debian weirdness. First it decided to remove the sshd (!) and > than it overwrote inetd.conf with its own idea on how to call the cvs > pserver. Please file bug reports. This shouldn't happen. From wk at gnupg.org Fri Jan 14 16:58:56 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Jan 14 17:05:15 2005 Subject: test - please ignore In-Reply-To: <8765219edn.fsf@deneb.enyo.de> (Florian Weimer's message of "Thu, 13 Jan 2005 23:02:28 +0100") References: <87oeftzjn5.fsf@wheatstone.g10code.de> <87r7kpunjf.fsf@wheatstone.g10code.de> <8765219edn.fsf@deneb.enyo.de> Message-ID: <871xcogfy7.fsf@wheatstone.g10code.de> On Thu, 13 Jan 2005 23:02:28 +0100, Florian Weimer said: > Please file bug reports. This shouldn't happen. The problem is that I didn't run a typescript when doing that and thus I don't have traces of what happend. yes, this is my fault, but apt-get has always worked for me without any problems (except for always insisting on installing portmap ;) and thus I didn't what one should have done. Werner From thstit03 at fht-esslingen.de Sat Jan 15 11:23:32 2005 From: thstit03 at fht-esslingen.de (thstit03@fht-esslingen.de) Date: Sat Jan 15 12:03:44 2005 Subject: [gpgme] gpgme_data_seek error Message-ID: <32984.84.56.135.25.1105784612.squirrel@84.56.135.25> Hi Folks, using gpgme_data_rewind() works fine, but replacing it with gpgme_data_seek() does not work. What I do is: 1. creating a gpgme_data_t variable 2. using gpgme_data_new to gpgme-create it 3. gpgme_data_write to fill it 4. gpgme_data_seek/gpgme_data_rewind the variable to be able to read from it [gpgme_data_seek(variable, 0, SEEK_SET) / gpgme_data_rewind(variable)] Using gpgme_data_rewind(): All works fine. Using gpgme_data_seek(): First run is ok, in the second run gpgme_data_seek() fails with EINVAL "Invalid argument". Because gpgme_data_rewind() is just calling gpgme_data_seek(), I don't understand where the problem is?! Thanks for helping, th From micron at madlab.it Sat Jan 15 13:22:40 2005 From: micron at madlab.it (micron) Date: Sat Jan 15 13:19:54 2005 Subject: [gpgme] gpgme_data_seek error In-Reply-To: <32984.84.56.135.25.1105784612.squirrel@84.56.135.25> References: <32984.84.56.135.25.1105784612.squirrel@84.56.135.25> Message-ID: <200501151322.41115.micron@madlab.it> On Saturday 15 January 2005 11:23, thstit03@fht-esslingen.de wrote: > Using gpgme_data_rewind(): All works fine. > Using gpgme_data_seek(): First run is ok, in the second run > gpgme_data_seek() fails with EINVAL "Invalid argument". Look into the ml archives, some month ago I had the same problem. Also read LargeFileSupport section into info file and you'll probably find problem solution (as I did). Cheers micron -- |? micron<- ICQ #118796665 |? GPG Key: |? ~ Keyserver: pgp.mit.edu |? ~ KeyID: 6D632BED ~ "Progress is merely a realisation of utopias" ~ From thstit03 at fht-esslingen.de Sat Jan 15 15:37:11 2005 From: thstit03 at fht-esslingen.de (thstit03@fht-esslingen.de) Date: Sat Jan 15 15:33:49 2005 Subject: [gpgme] gpgme_data_seek error In-Reply-To: <200501151322.41115.micron@madlab.it> References: <32984.84.56.135.25.1105784612.squirrel@84.56.135.25> <200501151322.41115.micron@madlab.it> Message-ID: <1105799765.3917.2.camel@Kermit> Am Sa, den 15.01.2005 schrieb micron um 13:22: > Also read LargeFileSupport section into info file and you'll probably find > problem solution (as I did). Thanks a lot, using "-D_FILE_OFFSET_BITS=64" did the trick for me! th From sinful at freemail.hu Sat Jan 15 19:04:02 2005 From: sinful at freemail.hu (LaySoft) Date: Sat Jan 15 19:36:54 2005 Subject: Keyfile formats Message-ID: <41E95B12.9090507@freemail.hu> Hello! Where can I find specifications about the formats of pubring.gpg and secring.gpg files? Bye! Lay From skeleten at shillest.net Sat Jan 15 19:49:32 2005 From: skeleten at shillest.net (Norihiko Murase) Date: Sat Jan 15 20:26:29 2005 Subject: BUG(configure): "--without-included-zlib" behaves OPPOSITELY Message-ID: <20050116034932.c86bec%skeleten@shillest.net> Hi, I found the bug in the configure script when I executed it for building GnuPG-1.2.6. This bug remains also in the version 1.2.7. The '--without-included-zlib' configure option does behave OPPOSITELY (just like '--with-included-zlib'). If I specify this option '--without-included-zlib' explicitly, then it shows the following: ---------- checking whether included zlib is requested... yes ---------- The option '--without-included-zlib' should NOT set GnuPG to use the zlib in gnupg-1.2.6/zlib regardless of the default. For the time being, we can avoid this behavior by applying the following patch: ----------(cut here)---------- --- configure.orig Wed Aug 25 23:48:25 2004 +++ configure Mon Dec 6 03:51:26 2004 @@ -2187,7 +2187,7 @@ # Check whether --with-included-zlib or --without-included-zlib was given. if test "${with_included_zlib+set}" = set; then withval="$with_included_zlib" - g10_force_zlib=yes + g10_force_zlib="$withval" else g10_force_zlib=no fi; ----------(cut here)---------- --- Norihiko Murase From skeleten at shillest.net Sat Jan 15 19:56:46 2005 From: skeleten at shillest.net (Norihiko Murase) Date: Sat Jan 15 20:26:35 2005 Subject: [request] add --rpath for zlib and bzip2 Message-ID: <20050116035646.cf0ca3%skeleten@shillest.net> Hi, I tried building GnuPG-1.2.6 under the following environment: CPU: i386 family OS: FreeBSD 4.8-RELEASE Compiler: gcc-2.95.4 (/usr/bin/gcc) However, the built binaries (gpg, gpgv, ...) load the shared libraries INCORRECTLY even if I add --enable-rpath option to the configure script. ---------- % ldd gnupg-1.2.6/g10/{gpg,gpgv} gnupg-1.2.6/g10/gpg: libz.so => /usr/lib/libz.so (0x280f3000) libbz2.so.1 => /usr/lib/libbz2.so.1 (0x28100000) libc.so.4 => /usr/lib/libc.so.4 (0x28110000) gnupg-1.2.6/g10/gpgv: libz.so => /usr/lib/libz.so (0x280a2000) libbz2.so.1 => /usr/lib/libbz2.so.1 (0x280af000) libc.so.4 => /usr/lib/libc.so.4 (0x280bf000) % ---------- They should have loaded /usr/local/lib/lib{z,bz2}.so, NOT that in /usr/lib. I did build GnuPG-1.2.6 in the following method: [01]% bzip2 -cd gnupg-1.2.6.tar.bz2 | gtar xf - [02]% cd gnupg-1.2.6 [03]% patch -p1 < ../patch_1 The patch 'patch_1' is described at http:// [04]% env MAKE=gmake ./configure \ --prefix=/usr/local/GnuPG \ ..... \ --disable-nls \ --enable-rpath --without-included-zlib \ --with-zlib=/usr/local --with-bzip2=/usr/local [05]% gmake The binaries (gpg, gpgv, ...) built in this method should have loaded /usr/local/lib/libbz2.so /usr/local/lib/libz.so However, the following libraries are loaded: /usr/lib/libbz2.so /usr/lib/libz.so as the above result of ldd command tells. I consider that the solution for this problem is to add the --rpath option when you build binaries with the --enable-rpath option specified. -L/usr/local/lib -Wl,--rpath -Wl,/usr/local/lib ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -L/usr/local/lib -Wl,--rpath -Wl,/usr/local/lib ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ... -lz -lbz2 It is also a fact that we can avoid this by setting LDFLAGS environment variable "-R/usr/local/lib:/usr/local/lib" when we execute the configure script. % env MAKE=gmake LDFLAGS="-R/usr/local/lib:/usr/local/lib" \ ./configure ..... --- Norihiko Murase From skeleten at shillest.net Sat Jan 15 19:59:37 2005 From: skeleten at shillest.net (Norihiko Murase) Date: Sat Jan 15 20:26:42 2005 Subject: REPORT(configure): Unnecessary warning about the make utility Message-ID: <20050116035937.d1a6f5%skeleten@shillest.net> Hi, I was warned about the make utility when I tried executing the configure script though I had already installed GNU make, whose name is gmake. ---------- configure: WARNING: *** *** It seems that you are not using GNU make. Some make tools have serious .....(snip)..... *** ---------- The configure script seems to check the variable MAKE; however, I think it is not necessary to print out this warning after checking the variable --- only writing this in the document clearly is ok. ---------- 0) Note that the following software should be installed before building GnuPG: zlib (optional) bzip2 (optional) GNU make (MANDATORY!!!) ---------- We can easily stop the configure script from warning on the make utility by setting the variable MAKE such as % env MAKE=gmake ./configure ... --- Norihiko Murase From alex at bofh.net.pl Sat Jan 15 19:52:58 2005 From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Sat Jan 15 20:35:34 2005 Subject: Keyfile formats In-Reply-To: <41E95B12.9090507@freemail.hu> References: <41E95B12.9090507@freemail.hu> Message-ID: <41E9668A.4090801@bofh.net.pl> LaySoft wrote: > Hello! > > Where can I find specifications about the formats of pubring.gpg and > secring.gpg files? rfc2440 www.ietf.org/rfc/rfc2440.txt -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050115/af0fccfb/signature.pgp From JPClizbe at comcast.net Sun Jan 16 02:43:37 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Sun Jan 16 03:15:48 2005 Subject: Keyfile formats In-Reply-To: <41E95B12.9090507@freemail.hu> References: <41E95B12.9090507@freemail.hu> Message-ID: <41E9C6C9.4090300@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 LaySoft wrote: > Hello! > > Where can I find specifications about the formats of pubring.gpg and > secring.gpg files? You have already looked at the GnuPG source code, right? You probably want to look at the relevant RFC, 2440: http://www.ietf.org/rfc/rfc2440.txt I've got the link for the latest draft revision floating around here somewhere. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1-cvs-2005-01-14 (Windows 2000 Pro SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Annoy John Asscraft -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB6cbJHQSsSmCNKhARAgo4AKC9qCJMB6Mze5k5Nt/SglyPCA0KbwCeN/du AtsgfrdkjqObiEYtOzyfSkk= =cx08 -----END PGP SIGNATURE----- From atom at suspicious.org Sun Jan 16 03:32:55 2005 From: atom at suspicious.org (Atom 'Smasher') Date: Sun Jan 16 04:24:56 2005 Subject: Keyfile formats In-Reply-To: <41E95B12.9090507@freemail.hu> References: <41E95B12.9090507@freemail.hu> Message-ID: <20050116022844.42305.qmail@suspicious.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Sat, 15 Jan 2005, LaySoft wrote: > Where can I find specifications about the formats of pubring.gpg and > secring.gpg files? ==================== mostly the pubring.gpg and secring.gpg are just concatenations of public and private keys, respectively. you can see what they're made of using pgpdump... $ pgpdump ~/.gnupg/pubring.gpg or "gpg --list-packets": $ gpg --list-packets ~/.gnupg/pubring.gpg - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "I haven't failed, I just found 100,000 ways that don't work." -- Albert Einstein -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJB6dJcAAoJEAx/d+cTpVci+C0IAK4JlhtZic/856KACOlJMERp sbtUU2TdlikmTHFY93C9Trkm1h59l78XdTpuonQCqe4MyVcQf0/s+KQ7oNVT8jyz c+JPxUa10IJpV/lFIXJqc/NtlExAkV/bLTKs3zUJ5J9aqP8s3O5OrOMdD3xS4dyi zSV9V4wTX7L4A8lioanGH9Dr6X7d2moAxovLb6kJydQTM6riJ2Aq9AXJ69xXYVnu mHhFhgkCljaBxTe4QU+18t52idoXTkz73FL8xkkC5y1stI9urJq+7zQXCRra1jkK e8IM35sSNrFGG+gLBoELCtnGZfS8Rvj42r79UzsYBBTPkt6jM154Nv4kWxfFa2I= =/gaS -----END PGP SIGNATURE----- From wk at gnupg.org Sun Jan 16 17:35:48 2005 From: wk at gnupg.org (Werner Koch) Date: Sun Jan 16 17:39:53 2005 Subject: Keyfile formats In-Reply-To: <41E9668A.4090801@bofh.net.pl> (Janusz A. Urbanowicz's message of "Sat, 15 Jan 2005 19:52:58 +0100") References: <41E95B12.9090507@freemail.hu> <41E9668A.4090801@bofh.net.pl> Message-ID: <87zmz9uyaj.fsf@wheatstone.g10code.de> On Sat, 15 Jan 2005 19:52:58 +0100, Janusz A Urbanowicz said: > rfc2440 However this is just coincidence - don't work on the directly; use gpg --export or --import. Werner From wk at gnupg.org Mon Jan 17 11:20:27 2005 From: wk at gnupg.org (Werner Koch) Date: Mon Jan 17 11:20:25 2005 Subject: REPORT(configure): Unnecessary warning about the make utility In-Reply-To: <20050116035937.d1a6f5%skeleten@shillest.net> (Norihiko Murase's message of "Sun, 16 Jan 2005 03:59:37 +0900") References: <20050116035937.d1a6f5%skeleten@shillest.net> Message-ID: <87wtuc1hn8.fsf@wheatstone.g10code.de> On Sun, 16 Jan 2005 03:59:37 +0900, Norihiko Murase said: > The configure script seems to check the variable MAKE; > however, I think it is not necessary to print out this > warning after checking the variable --- only writing this in > the document clearly is ok. I the past we had quite some problem with auomake not producing proper make files. The warning was very helpful in this regard. Today it should not be anymore necessary to use GNU make. I'll remove the warning from 1.4. Thanks, Werner From mwlucas at blackhelicopters.org Sun Jan 16 20:21:04 2005 From: mwlucas at blackhelicopters.org (Michael W. Lucas) Date: Mon Jan 17 14:41:33 2005 Subject: README goofs Message-ID: <20050116192104.GA55518@bewilderbeast.blackhelicopters.org> Hi, This is minor, but it's going to itch until I say something: The README specifies a md5 checksum, but you publish a SHA1 checksum. The README also specifies a gzipped tarball, but you have a bzipped tarball. Patch (such as it is) attached. Thanks! ==ml -- Michael W. Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org http://www.BlackHelicopters.org/~mwlucas/ Latest book: Cisco Routers for the Desperate http://www.CiscoRoutersForTheDesperate.com -------------- next part -------------- --- README-dist Sun Jan 16 14:15:54 2005 +++ README Sun Jan 16 14:17:43 2005 @@ -54,7 +54,7 @@ this. Don't skip it - this is an important step! 2) Unpack the tarball. With GNU tar you can do it this way: - "tar xzvf gnupg-x.y.z.tar.gz" + "tar xyvf gnupg-x.y.z.tar.bz2" 3) "cd gnupg-x.y.z" @@ -104,13 +104,13 @@ b) If you don't have any of the above programs, you have to verify - the MD5 checksum: + the SHA1 checksum: - $ md5sum gnupg-x.y.z.tar.gz + $ sha1 gnupg-1.4.0.tar.bz2 This should yield an output _similar_ to this: - fd9351b26b3189c1d577f0970f9dcadc gnupg-x.y.z.tar.gz + SHA1 (gnupg-1.4.0.tar.bz2) = 0054635a131b7af383e956fa9e1520ac44cad116 Now check that this checksum is _exactly_ the same as the one published via the announcement list and probably via Usenet. From Axel.Thimm at ATrpms.net Mon Jan 17 17:45:31 2005 From: Axel.Thimm at ATrpms.net (Axel Thimm) Date: Mon Jan 17 18:28:14 2005 Subject: gpg-agent does not cache passphrase anymore Message-ID: <20050117164531.GL9505@neu.physik.fu-berlin.de> I upgraded from FC2 to FC3 to the same upstream versions of stable and development gnupg bits, but now the passphrase doe not get cached anymore, how can I debug this? When gpg tries to sign a mail, I still get the pinentry popup, give my passphrase and the mail gets signed, so communication of the different components is still in order. But trying to sign again reasks immediately for the passphrase. The used components are: $ rpm -q gnupg gnupg2 pinentry libgcrypt gpgme pinentry gnupg-1.4.0-0_24.rhfc3.at gnupg2-1.9.14-25.1.rhfc3.at pinentry-0.7.1-9.rhfc3.at libgcrypt-1.2.0-9.rhfc3.at gpgme-1.0.2-15.rhfc3.at pinentry-0.7.1-9.rhfc3.at The gpg-agent config (~/.gnupg/gpg-agent.conf) is pinentry-program /usr/bin/pinentry-gtk #no-grab default-cache-ttl 7200 Thanks! -- Axel.Thimm at ATrpms.net -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050117/ab3b7df3/attachment.pgp From wk at gnupg.org Mon Jan 17 18:41:19 2005 From: wk at gnupg.org (Werner Koch) Date: Mon Jan 17 18:40:24 2005 Subject: gpg-agent does not cache passphrase anymore In-Reply-To: <20050117164531.GL9505@neu.physik.fu-berlin.de> (Axel Thimm's message of "Mon, 17 Jan 2005 17:45:31 +0100") References: <20050117164531.GL9505@neu.physik.fu-berlin.de> Message-ID: <87r7kkvtq8.fsf@wheatstone.g10code.de> On Mon, 17 Jan 2005 17:45:31 +0100, Axel Thimm said: > development gnupg bits, but now the passphrase doe not get cached > anymore, how can I debug this? No need to debug it. Update to 1.9.15. Werner From clbianco at tiscalinet.it Tue Jan 18 13:31:57 2005 From: clbianco at tiscalinet.it (Carlo Luciano Bianco) Date: Tue Jan 18 14:19:12 2005 Subject: Proposed seat.test patch Message-ID: Dear all, The seat.test file assumes it is executed in a system where the text files are in LF format. Trying to execute it in a CRLF system (i.e. a Win32 one) results in a failed test, even if gpg.exe is actually behaving correctly. The following patch should solve the problem: ************************************************************************* --- seat-orig.test Sat Jun 29 13:29:54 2002 +++ seat.test Tue Jan 18 12:00:33 2005 @@ -2,10 +2,25 @@ . $srcdir/defs.inc || exit 3 +AMB=`../scripts/config.guess` + for i in $plain_files ; do echo "$usrpass1" | $GPG --passphrase-fd 0 --always-trust -seat \ -r two -o x --yes $i $GPG -o y --yes x - cmp $i y || error "$i: mismatch" + + case "$AMB" in + + *-mingw32*) + unix2dos -c 7bit -n $i z + cmp z y || error "$i: mismatch" + ;; + + *) + cmp $i y || error "$i: mismatch" + ;; + + esac + done ************************************************************************* Maybe also Cygwin should be added together with mingw32, I don't know... -- | Carlo Luciano Bianco | ICQ UIN: 109517158 | |______________________| Home page: | |GPG DSA/ElG 1024/4096:|_________________________________________________| |KeyID:0x5324A0DA - Fingerprint:8B00C61034120506111B143DEDBF71B45324A0DA | From wk at gnupg.org Tue Jan 18 16:31:57 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Jan 18 16:30:24 2005 Subject: Proposed seat.test patch In-Reply-To: (Carlo Luciano Bianco's message of "Tue, 18 Jan 2005 13:31:57 +0100") References: Message-ID: <87vf9usqhe.fsf@wheatstone.g10code.de> On Tue, 18 Jan 2005 13:31:57 +0100, Carlo Luciano Bianco said: > The seat.test file assumes it is executed in a system where the text files > are in LF format. Trying to execute it in a CRLF system (i.e. a Win32 one) > results in a failed test, even if gpg.exe is actually behaving correctly. The test suite is not intended to be used UNIX. Tests for Windows are desirable but they need to other things than the core functions. Before adding tests for Windows we should write better tests for Unix. Shalom-Salam, Werner From dshaw at jabberwocky.com Wed Jan 19 15:36:00 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Jan 19 16:07:44 2005 Subject: [Fwd: OpenPGP javacard implementation] In-Reply-To: <20050110092833.GC27919@cypress.com> References: <20050110092833.GC27919@cypress.com> Message-ID: <20050119143600.GB9556@jabberwocky.com> On Mon, Jan 10, 2005 at 09:28:33AM +0000, gnupg-users-owner@gnupg.org wrote: > I have written a prototype OpenPGP applet for the Javacard > platform. The ~ homepage of the project is: > > http://www.core-dump.com.hr/index.pl?node_id=421 > > In the package are all relevant instructions on how to test it > against the gpg and Sun's emulated reference Javacard > implementation. That's pretty cool. The Java Ring is really a Java card underneath, so you could carry the applet around on your finger. David From jharris at widomaker.com Wed Jan 19 20:05:34 2005 From: jharris at widomaker.com (Jason Harris) Date: Wed Jan 19 20:38:09 2005 Subject: [Fwd: OpenPGP javacard implementation] In-Reply-To: <20050119143600.GB9556@jabberwocky.com> References: <20050110092833.GC27919@cypress.com> <20050119143600.GB9556@jabberwocky.com> Message-ID: <20050119190533.GA31686@wilma.widomaker.com> On Wed, Jan 19, 2005 at 09:36:00AM -0500, David Shaw wrote: > On Mon, Jan 10, 2005 at 09:28:33AM +0000, gnupg-users-owner@gnupg.org wrote: > > > I have written a prototype OpenPGP applet for the Javacard > > platform. The ~ homepage of the project is: > > > > http://www.core-dump.com.hr/index.pl?node_id=421 > > > > In the package are all relevant instructions on how to test it > > against the gpg and Sun's emulated reference Javacard > > implementation. > > That's pretty cool. The Java Ring is really a Java card underneath, > so you could carry the applet around on your finger. > Don't forget plain iButtons. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050119/1ff2de3e/attachment.pgp From maschoch at compuserve.com Wed Jan 19 20:47:29 2005 From: maschoch at compuserve.com (Martin Schoch) Date: Wed Jan 19 21:27:01 2005 Subject: gpgsm question Message-ID: Hello I am new with 1.9.x GnuPG and compiled 1.9.15. The new gpg2 seems to work but with gpgsm I get an error message: gpgsm --version gpgsm: error while loading shared libraries: libksba.so.8: cannot open shared object file: No such file or directory Any idea? Thanks. -- ms - Fedora Core 3 - Linux 2.6.10-1.741_FC3 - KDE 3.3.1-2.4.FC3 From maschoch at compuserve.com Wed Jan 19 21:51:02 2005 From: maschoch at compuserve.com (Martin Schoch) Date: Wed Jan 19 21:47:10 2005 Subject: gpgme question In-Reply-To: References: Message-ID: * Rex Dieter , 19 Jan 2005, 21:20: > Yeah, you're missing the libksba.so.8 shared library that gpgsm was > linked against. I think I found the problem - seems that a link was not ok. -- ms - Fedora Core 3 - Linux 2.6.10-1.741_FC3 - KDE 3.3.1-2.4.FC3 From clbianco at tiscalinet.it Thu Jan 20 13:01:36 2005 From: clbianco at tiscalinet.it (Carlo Luciano Bianco) Date: Thu Jan 20 12:58:09 2005 Subject: Proposed seat.test patch References: <87vf9usqhe.fsf__41266.4894167849$1106062547$gmane$org@wheatstone.g10code.de> Message-ID: Il /18 gen 2005/, *Werner Koch* ha scritto: > Before adding tests for Windows we should write better tests for Unix. I agree, but I don't think this is a "new test for Windows". It is just a very small patch for the only one test, out of the existing 25 ones, which does not work in Mingw environment. -- | Carlo Luciano Bianco | ICQ UIN: 109517158 | |______________________| Home page: | |GPG DSA/ElG 1024/4096:|_________________________________________________| |KeyID:0x5324A0DA - Fingerprint:8B00C61034120506111B143DEDBF71B45324A0DA | From pierre.doucy at gmail.com Thu Jan 20 14:22:08 2005 From: pierre.doucy at gmail.com (Pierre Doucy) Date: Thu Jan 20 15:42:27 2005 Subject: Keypair generation, storage Message-ID: Hi all, as part of a school project, I'm implementing the X9.62 (ECDSA) algorithm into gnupg. I've done quite well until now, but I have a few questions now : 1) I'va had segfaults in the do_fingerprint_md function (which does something with the public key) for quite a while, until I realised that the "public key" it uses is retrieved that way : for( i=0; i < npkey; i++ ) pk.pkey[i] = sk->skey[i]; which I thought was a little bit silly at first. Then I realised that all the other algorithms constructed their private keys as an array containing all the public parameters, then the private parameters. Can anyone explain me the rationale for this ? 2) Now that I've corrected the last problem, my key generation routines seem to work well, but when $ gpg --gen-key [...] I get the following error : gpg: Ohhhh jeeee: can't encode a 160 bit MD into a 255 bits frame secmem usage: 2304/3232 bytes in 7/11 blocks of pool 3328/32768 Abort trap Can anyone give me a hint on what this means and how I can correct this ? I know it happens in do_encode_md : do_encode_md( MD_HANDLE md, int algo, size_t len, unsigned nbits, const byte *asn, size_t asnlen, int v3compathack ) { int nframe = (nbits+7) / 8; [...] if( len + asnlen + 4 > nframe ) log_bug("can't encode a %d bit MD into a %d bits frame\n", (int)(len*8), (int)nbits); but I really don't understand what's going on here. Any idea ? Thanks very much in advance. Pierre DOUCY -- Cats are intended to teach us that not everything in nature has a function. From sbt at megacceso.com Thu Jan 20 17:27:47 2005 From: sbt at megacceso.com (Sergi Blanch i =?ISO-8859-1?Q?Torn=E9?=) Date: Thu Jan 20 18:27:01 2005 Subject: Keypair generation, storage In-Reply-To: References: Message-ID: <1106238467.4979.20.camel@quark.calcurco.org> Hi, I did something similar in my research project, if you like you can reuse it. Now, we continue with the development, and we will release a new patch shortly: http://alumnes.eps.udl.es/%7Ed4372211/index.en.html El dj 20 de 01 del 2005 a les 14:22 +0100, en/na Pierre Doucy va escriure: > Hi all, > > as part of a school project, I'm implementing the X9.62 (ECDSA) > algorithm into gnupg. > I've done quite well until now, but I have a few questions now : > > 1) I'va had segfaults in the do_fingerprint_md function (which does > something with the public key) for quite a while, until I realised > that the "public key" it uses is retrieved that way : > > for( i=0; i < npkey; i++ ) > pk.pkey[i] = sk->skey[i]; > > which I thought was a little bit silly at first. Then I realised that > all the other algorithms constructed their private keys as an array > containing all the public parameters, then the private parameters. > Can anyone explain me the rationale for this ? Explain why the private key have the public parameters? For me is easy. For example, when your funtion 'sign()' are called, only need to use one struct. Over Elliptic Curves you could have a cryptosystem setup {p,a,b,G,n,h}, a secret key {d}, and public one {P=[d]G}; it will have sense to save separatelly in the smardcards case (other way the struct will be huge). It's an answer for your, or it say a delirium. > > 2) Now that I've corrected the last problem, my key generation > routines seem to work well, but when > $ gpg --gen-key > [...] > > I get the following error : > > gpg: Ohhhh jeeee: can't encode a 160 bit MD into a 255 bits frame > secmem usage: 2304/3232 bytes in 7/11 blocks of pool 3328/32768 > Abort trap > > Can anyone give me a hint on what this means and how I can correct > this ? I know it happens in do_encode_md : > > do_encode_md( MD_HANDLE md, int algo, size_t len, unsigned nbits, > const byte *asn, size_t asnlen, int v3compathack ) > { > int nframe = (nbits+7) / 8; > [...] > > if( len + asnlen + 4 > nframe ) > log_bug("can't encode a %d bit MD into a %d bits frame\n", > (int)(len*8), (int)nbits); > > > but I really don't understand what's going on here. Any idea ? I had the same problem and i find the solution in the function 'encode_md_value()', in the same file 'g10/seskey.c'. This one call your problematic 'do_encode_md()'. There are an if/else for DSA algorithms, and you can add your ECDSA. > > Thanks very much in advance. > > Pierre DOUCY Remember one important think: your algorithm number must be between 101 and 110. /Sergi. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 202 bytes Desc: =?ISO-8859-1?Q?Aix=F2?= =?ISO-8859-1?Q?_=E9s?= una part d'un missatge, signada digitalment Url : /pipermail/attachments/20050120/f44db634/attachment.pgp From n-roeser at gmx.net Thu Jan 20 18:58:50 2005 From: n-roeser at gmx.net (Nico R.) Date: Thu Jan 20 18:52:18 2005 Subject: gnupg-1.4.0 outputs some verbose information to stdout Message-ID: <41EFF15A.5060407@gmx.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi! If you set a high verbosity level ("--verbose --verbose" on the command line, or "verbose" twice in gpg.conf), gnupg-1.4.0 writes some information to stdout (using fputs/printf IIRC). This may be not desired/expected in some programs or by users. It's easily worked around, though, by adding --no-verbose as additional gpg option, for example in Enigmail. Is printing the verbose information to stdout wanted behavior? I think it should go to stderr instead. Have a look at g10/parse-packet.c for details, and assume that list_mode == 1. Cheers, - -- Nico -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) iD8DBQFB7/FYxI5uhYOGv4URApAgAJ97hTgqiYNIRmUAHtXZC0b2Hg+bDACfTBYM bI29sUfOqotRvtUuQdpHIHw= =tf8s -----END PGP SIGNATURE----- From wk at gnupg.org Thu Jan 20 20:02:24 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Jan 20 20:00:27 2005 Subject: gnupg-1.4.0 outputs some verbose information to stdout In-Reply-To: <41EFF15A.5060407@gmx.net> (Nico R.'s message of "Thu, 20 Jan 2005 18:58:50 +0100") References: <41EFF15A.5060407@gmx.net> Message-ID: <877jm72abj.fsf@wheatstone.g10code.de> On Thu, 20 Jan 2005 18:58:50 +0100, Nico R said: > Is printing the verbose information to stdout wanted behavior? I think > it should go to stderr instead. Lets say: it has always been this way for no particular reason. We can't change it now because scripts parsing the output expect it on stdout. Werner From atom at smasher.org Thu Jan 20 20:12:17 2005 From: atom at smasher.org (Atom Smasher) Date: Thu Jan 20 21:03:47 2005 Subject: gnupg-1.4.0 outputs some verbose information to stdout In-Reply-To: <877jm72abj.fsf@wheatstone.g10code.de> References: <41EFF15A.5060407@gmx.net> <877jm72abj.fsf@wheatstone.g10code.de> Message-ID: <20050120190737.95857.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Thu, 20 Jan 2005, Werner Koch wrote: > On Thu, 20 Jan 2005 18:58:50 +0100, Nico R said: > >> Is printing the verbose information to stdout wanted behavior? I think >> it should go to stderr instead. > > Lets say: it has always been this way for no particular reason. We > can't change it now because scripts parsing the output expect it on > stdout. ============== hhmmm.... "--all-verbose-to-stderr"? "--verbose-fd"? i don't know about anyone else, but on my scripts it gets in the way. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- On finding Osama Bin Laden in Central Asia: "We're going to hunt them down one at a time... it doesn't matter where they hide, as we work with our friends we will find them and bring them to justice." -- President George W. Bush, 22 Nov 2002 On finding Saddam Hussein in the Mideast: "We are continuing the pursuit and it's a matter of time before [Saddam] is found and brought to justice." -- White House spokesman McClellan, 17 Sep 2003 On finding who leaked the identity of undercover CIA agent Valerie Plame in the close confines of the White House: "I don't know if we're going to find out the senior administration official. I don't have any idea." -- President George W. Bush, Oct 7 2003 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJB8AKYAAoJEAx/d+cTpVcimp0H/16Lw6EEHodXSOrQ7/uoiiRF 84ZOohlyHr5Sg2eOf+MYRqNLYKfC/ni0qV+TpMxbJa+UUdeutKYq3OBvD7TsWPpM wDRgkNv5oKxNrECzed5DAzn30oqMFPUSu5IqpJcTOneyeBC1BQ/TgyGo1xXm7X7N cRXsbP9G2huihqF6oaFPa4Gc8wqZFiZZ570iK6L60oIamTiNPc2mQcG3Y7/wHOmX mZ02Zg7V7J3lP69aJVmjo9qGQ/qMwifIhjunDpZwXO0JGEkU3Aap0YARPoH1qJ5S Mmr1VzIfCVmSLDFsyvtoW7RIU+Dx7wPgjLoq7M0df25JRDwn5EIslZonaN0GlFw= =rs7M -----END PGP SIGNATURE----- From mss at mawhrin.net Thu Jan 20 20:14:51 2005 From: mss at mawhrin.net (Mikhail Sobolev) Date: Thu Jan 20 21:28:43 2005 Subject: Storage on a pocket device Message-ID: <20050120191450.GA20352@mawhrin.net> Hi This might be a strange question. I'd like to keep my secret keys on a pocket device (Zaurus, iPAQ). Is it possible to somehow implement this? Kind Regards, -- Misha -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : /pipermail/attachments/20050120/9a8f4754/attachment-0001.pgp From gnupg-devel=gnupg.org at lists.palfrader.org Thu Jan 20 21:35:01 2005 From: gnupg-devel=gnupg.org at lists.palfrader.org (Peter Palfrader) Date: Thu Jan 20 22:36:18 2005 Subject: README goofs In-Reply-To: <20050116192104.GA55518@bewilderbeast.blackhelicopters.org> References: <20050116192104.GA55518@bewilderbeast.blackhelicopters.org> Message-ID: <20050120203501.GD2517@opium.palfrader.org> On Sun, 16 Jan 2005, Michael W. Lucas wrote: > This is minor, but it's going to itch until I say something: > --- README-dist Sun Jan 16 14:15:54 2005 > +++ README Sun Jan 16 14:17:43 2005 > @@ -54,7 +54,7 @@ > this. Don't skip it - this is an important step! > > 2) Unpack the tarball. With GNU tar you can do it this way: > - "tar xzvf gnupg-x.y.z.tar.gz" > + "tar xyvf gnupg-x.y.z.tar.bz2" Surely you mean x_j_vf. > - fd9351b26b3189c1d577f0970f9dcadc gnupg-x.y.z.tar.gz > + SHA1 (gnupg-1.4.0.tar.bz2) = 0054635a131b7af383e956fa9e1520ac44cad116 0054635a131b7af383e956fa9e1520ac44cad116 gnupg-x.y.z.tar.gz -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred. | : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `- http://www.debian.org/ From mo at g10code.com Thu Jan 20 21:50:20 2005 From: mo at g10code.com (Moritz Schulte) Date: Thu Jan 20 22:51:53 2005 Subject: Keypair generation, storage In-Reply-To: References: Message-ID: <20050120205020.GB23596@sarkutty> On Thu, Jan 20, 2005 at 02:22:08PM +0100, Pierre Doucy wrote: > Then I realised that all the other algorithms constructed their > private keys as an array containing all the public parameters, then > the private parameters. Can anyone explain me the rationale for > this ? Simple: in many situations, the public key is seen as a subset of the secret key; the public key is the secret key, with the secret elements removed. > gpg: Ohhhh jeeee: can't encode a 160 bit MD into a 255 bits frame [...] > but I really don't understand what's going on here. Any idea ? encode_md_value() contains a special case for DSA; I guess, you would need something similar for your new algorithm. Moritz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 193 bytes Desc: not available Url : /pipermail/attachments/20050120/bde1f731/attachment.pgp From grosser.meister.morti at gmx.net Fri Jan 21 04:44:06 2005 From: grosser.meister.morti at gmx.net (=?ISO-8859-1?Q?Mathias_Panzenb=F6ck?=) Date: Fri Jan 21 05:40:47 2005 Subject: nsis win32 installer Message-ID: <41F07A86.6010000@gmx.net> I hope this is the right place to put this: I have written a little nsis ( http://nsis.sf.net/ ) script so you can easiely build a installer for gnupg. Just extract the gnupg binaries, the .mo files and iconv.dll into the same folder in which my setup.nsi lies and compile the script. A gnupg-setup.exe will be generated. :) Some registry keys will not be generated for *all* users (HomeDir etc.), so it don't works perfect in multiuser environments. Maybe i can fix this later. Where should I put the setup.nsi? Can I attach it to a mail to the mailinglist? From JPClizbe at comcast.net Fri Jan 21 07:23:05 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Jan 21 07:19:51 2005 Subject: nsis win32 installer In-Reply-To: <41F07A86.6010000@gmx.net> References: <41F07A86.6010000@gmx.net> Message-ID: <41F09FC9.3010404@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mathias Panzenb?ck wrote: > I hope this is the right place to put this: > > I have written a little nsis ( http://nsis.sf.net/ ) script so you can > easiely build a installer for gnupg. > Just extract the gnupg binaries, the .mo files and iconv.dll into the > same folder in which my setup.nsi lies and compile the script. > A gnupg-setup.exe will be generated. :) > Some registry keys will not be generated for *all* users (HomeDir etc.), > so it don't works perfect in multiuser environments. Maybe i can fix > this later. > > Where should I put the setup.nsi? Can I attach it to a mail to the > mailinglist? Did you check the NSIS script, at scripts/w32installer.nsi in the 1.4.1-cvs code to see if you're duplicating effort? Rather than have competiing scripts, it would make more sense to me if work was invested in improving the existing script Werner has begun. Just my ?0.02. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1-cvs-2005-01-14 (Windows 2000 Pro SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Annoy John Asscraft -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB8J/IHQSsSmCNKhARAkHuAKCZUKQ+wiEzHWFJZwlhUJyu/35R1wCeNdBs fNVCeeJm1t9hvWFmjWqF1hI= =ex0+ -----END PGP SIGNATURE----- From wk at gnupg.org Fri Jan 21 09:31:38 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Jan 21 09:30:30 2005 Subject: nsis win32 installer In-Reply-To: <41F09FC9.3010404@comcast.net> (John Clizbe's message of "Fri, 21 Jan 2005 00:23:05 -0600") References: <41F07A86.6010000@gmx.net> <41F09FC9.3010404@comcast.net> Message-ID: <87651ryyhh.fsf@wheatstone.g10code.de> On Fri, 21 Jan 2005 00:23:05 -0600, John Clizbe said: > Rather than have competiing scripts, it would make more sense to me if > work was invested in improving the existing script Werner has begun. I'd really appreciate it. Two problems: 1. The custom page for options does not show up. The stuff is currently commented out; I have attached the ini file. It shall be used to select the language for gnupg (i.e. not of the installer). We can generate the actual drop down box using a script so that we only offer available languages. nsis allows to include them but I am not sure how to best initialize them - well, we can generate the ini file too. 2. Need to find a way to get the current language of the installer and use this as the default for gnupg's language. That language needs to be mapped from Windows code (1031)to a proper locale code "de". tia, Werner p.s. the mk-w32-dist script calls nsis this way: cd dist-w32 makensis -v3 -nocd -DVERSION=1.4.1-cvs -DPROD_VERSION=1.4.1.1 \ -DGNUPG_SRCDIR=.. ../scripts/w32installer.nsi -------------- next part -------------- A non-text attachment was scrubbed... Name: w32installer.nsi.gz Type: application/x-gunzip Size: 3302 bytes Desc: not available Url : /pipermail/attachments/20050121/0dd36fd8/w32installer.nsi.bin -------------- next part -------------- A non-text attachment was scrubbed... Name: w32inst-opt.ini Type: application/octet-stream Size: 127 bytes Desc: not available Url : /pipermail/attachments/20050121/0dd36fd8/w32inst-opt.obj From pierre.doucy at gmail.com Fri Jan 21 11:15:05 2005 From: pierre.doucy at gmail.com (Pierre Doucy) Date: Fri Jan 21 11:11:50 2005 Subject: Keypair generation, storage In-Reply-To: <1106238467.4979.20.camel@quark.calcurco.org> References: <1106238467.4979.20.camel@quark.calcurco.org> Message-ID: > > I had the same problem and i find the solution in the function > 'encode_md_value()', in the same file 'g10/seskey.c'. This one call your > problematic 'do_encode_md()'. There are an if/else for DSA algorithms, > and you can add your ECDSA. > Thank you both of you, I didn't see that > Remember one important think: your algorithm number must be between 101 > and 110. > Once again what's the rationale here ? I haven't seen any code (nor looked for it, I have to admint) that enforces it... Thanks, Pierre -- Cats are intended to teach us that not everything in nature has a function. From sbt at megacceso.com Fri Jan 21 11:25:49 2005 From: sbt at megacceso.com (Sergi Blanch i =?ISO-8859-1?Q?Torn=E9?=) Date: Fri Jan 21 11:22:09 2005 Subject: Keypair generation, storage In-Reply-To: References: <1106238467.4979.20.camel@quark.calcurco.org> Message-ID: <1106303149.4876.18.camel@quark.calcurco.org> El dv 21 de 01 del 2005 a les 11:15 +0100, en/na Pierre Doucy va escriure: > > Remember one important think: your algorithm number must be between 101 > > and 110. > > > > Once again what's the rationale here ? I haven't seen any code (nor > looked for it, I have to admint) that enforces it... This is the rank of numbers for an experimental algotirhms. /Sergi -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 202 bytes Desc: =?ISO-8859-1?Q?Aix=F2?= =?ISO-8859-1?Q?_=E9s?= una part d'un missatge, signada digitalment Url : /pipermail/attachments/20050121/b7a14513/attachment.pgp From stephane at sente.ch Fri Jan 21 11:28:21 2005 From: stephane at sente.ch (=?ISO-8859-1?Q?St=E9phane_Corth=E9sy?=) Date: Fri Jan 21 12:25:18 2005 Subject: Bug with --list-mode in gpg 1.4.0? Message-ID: <2CA87684-6B97-11D9-AA2A-0003938D7B00@sente.ch> Hi, Using gpg 1.4.0, I encrypted a message with 3 keys - 2 friends' and mine (private key in keyring). Then I list keys used for encryption, but list doesn't show my key, though it has been used. I used the following commands: gpg --verbose --armor --recipient friend1 --recipient friend2 --recipient mykey --encrypt test gpg: ELG-E/AES encrypted for: "x1x1x1x1 friend1" gpg: ELG-E/AES encrypted for: "x2x2x2x2 friend2" gpg: ELG-E/AES encrypted for: "x3x3x3x3 me" gpg --list-only test.asc gpg: encrypted with 2048-bit ELG-E key, ID x1x1x1x1, created ... gpg: encrypted with 2048-bit ELG-E key, ID x2x2x2x2, created ... It misses my key. Now with that command: gpg --status-fd 2 --list-only test.asc [GNUPG:] ENC_TO x1x1x1x1 16 0 [GNUPG:] ENC_TO x2x2x2x2 16 0 [GNUPG:] ENC_TO x3x3x3x3 16 0 gpg: encrypted with 2048-bit ELG-E key, ID x1x1x1x1, created ... gpg: encrypted with 2048-bit ELG-E key, ID x2x2x2x2, created ... This proves that my key has been used, but --list-only mode doesn't show it if I don't use either --verbose of --status-fd options. Is it correct? St?phane From grosser.meister.morti at gmx.net Fri Jan 21 15:44:12 2005 From: grosser.meister.morti at gmx.net (=?ISO-8859-1?Q?Mathias_Panzenb=F6ck?=) Date: Fri Jan 21 15:59:44 2005 Subject: nsis win32 installer In-Reply-To: <87651ryyhh.fsf@wheatstone.g10code.de> References: <41F07A86.6010000@gmx.net> <41F09FC9.3010404@comcast.net> <87651ryyhh.fsf@wheatstone.g10code.de> Message-ID: <41F1153C.8000700@gmx.net> ok, the installer semes to be ok. but i would sugest one thing: the registrykey HKCU Software/GNU/GnuPG/HomeDir and .../OptFile is not setup by this script. i would add a second script "user-setup.nsi" which would setup all HKCU keys. this script should be installed by the first to $INSTDIR/user-setup.exe and should be linked in the startmenu-folder. at the end of the gnupg installation a MsgBox should ask if you would like to run the user-setup and that all user have to do this, so they have ther own gnupg key db. what do you think? From sbt at megacceso.com Fri Jan 21 16:33:26 2005 From: sbt at megacceso.com (Sergi Blanch i =?ISO-8859-1?Q?Torn=E9?=) Date: Fri Jan 21 17:56:40 2005 Subject: New elliptic curves patch Message-ID: <1106321606.4416.24.camel@quark.calcurco.org> Hi! We are pleased to announce the availability of eccGnuPG 0.1.6. This is a project that implement a patch of elliptic curve cryptosystem for GnuPG. And this is own first release over the 1.4.x branch. But remember this is completely experimental! In this release we improve the procedures, solve an ECElGamal IFP weakness because of the low key length, and also we did more polite some funtion calls. The web site is: http://alumnes.eps.udl.es/%7Ed4372211/index.en.html And the sources are: http://alumnes.eps.udl.es/%7Ed4372211/src/gnupg-1.4.0-ecc0.1.6.diff.bz2 Signed on: http://alumnes.eps.udl.es/% 7Ed4372211/src/gnupg-1.4.0-ecc0.1.6.diff.bz2.asc And the hash: cf868cfc93951b5ee662ef8ce52e66338013a7a8 for bz2. Right now, we are thinking in the next step in development. If you have any suggestion or doubt, we like to discuss it. And don't forget that you can send reports if a bug is finded. /Sergi. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: =?ISO-8859-1?Q?Aix=F2?= =?ISO-8859-1?Q?_=E9s?= una part d'un missatge, signada digitalment Url : /pipermail/attachments/20050121/e5fcd5d0/attachment-0001.pgp From peter_e at gmx.net Sat Jan 22 11:22:20 2005 From: peter_e at gmx.net (Peter Eisentraut) Date: Sat Jan 22 12:19:06 2005 Subject: Starting gpg-agent from Xsession Message-ID: <200501221122.20702.peter_e@gmx.net> I've been experimenting with ways to start gpg-agent automatically from Xsession (on Debian, in particular) so that users don't have to modify their .xsession or .xinitrc or whatever. Basically, this would amount to doing something like this in /etc/X11/Xsession.d/something (which is sourced by Xsession, so the effect is the same), which is mostly analogous to the ssh-agent handling: if $SOMEUSERSETTING; then if [ -x /usr/bin/gpg-agent ] && [ -z "$GPG_AGENT_INFO" ]; then eval `gpg-agent --daemon` fi fi The problem that I see, however, is that this does not terminate the gpg-agent when the X session finishes (unlike ssh-agent). I've also played with a number of other invocation methods such as --server, --no-detach, or invoking the window manager as an argument of gpg-agent (which is how ssh-agent does it), without success. Does anyone have a good idea how this could be accomplished? Or is it not a problem to let the gpg-agent running? Or is this whole thing a bad idea altogether? Comments welcome. From albrecht.dress at arcor.de Sat Jan 22 14:33:25 2005 From: albrecht.dress at arcor.de (=?iso-8859-1?q?Albrecht_Dre=DF?=) Date: Sat Jan 22 17:03:07 2005 Subject: Starting gpg-agent from Xsession References: <200501221122.20702.peter_e@gmx.net> Message-ID: <1106400813l.21978l.0l@antares.localdomain> Am 22.01.05 11:22 schrieb(en) Peter Eisentraut: > if $SOMEUSERSETTING; then > if [ -x /usr/bin/gpg-agent ] && [ -z "$GPG_AGENT_INFO" ]; then > eval `gpg-agent --daemon` I recommend adding echo $GPG_AGENT_INFO > $HOME/.gpg-agent-info here... Now add if [ -z "$GPG_AGENT_INFO" ] ; then if [ -f $HOME/.gpg-agent-info ] ; then export GPG_AGENT_INFO=$(cat .gpg-agent-info) fi fi export GPG_TTY=$(tty) to $HOME/.bashrc, so even if the user logs in on a virtual console, the agent will be found, and it will automagically use the curses pinentry if necessary. > The problem that I see, however, is that this does not terminate the > gpg-agent when the X session finishes (unlike ssh-agent). I've also > played with a number of other invocation methods such as --server, > --no-detach, or invoking the window manager as an argument of gpg-agent > (which is how ssh-agent does it), without success. I'm using gdm, and I simply added the following to the beginning of the file /etc/X11/gdm/PostSession/Default: GPGAGENTINFO="$HOME/.gpg-agent-info" if [ -f $GPGAGENTINFO ] ; then AGENTPID=$(cat $GPGAGENTINFO | sed -e 's/^[^:]*://' -e 's/:.*//') if [ -n "$AGENTPID" ] ; then kill -TERM $AGENTPID > /dev/null 2>&1 fi rm -f $GPGAGENTINFO fi Works perfectly for me... I guess you'll have to tweak other files if you are using xdm or kdm, though. Hope this helps, Albrecht. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Albrecht Dre? - Johanna-Kirchner-Stra?e 13 - D-53123 Bonn (Germany) Phone (+49) 228 6199571 - mailto:albrecht.dress@arcor.de GnuPG public key: http://home.arcor.de/dralbrecht.dress/pubkey.asc _________________________________________________________________________ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050122/ac83b971/attachment.pgp From atom at smasher.org Sat Jan 22 20:17:23 2005 From: atom at smasher.org (Atom Smasher) Date: Sat Jan 22 21:09:37 2005 Subject: symmetric key Message-ID: <20050122191236.20682.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 IIRC, 1.2.x derived a symmetric session key from the symmetric passphrase... is that still the case with 1.4.x? i'm also curious if it would be feasible to make "--override-session-key" work with encryption. this would allow some packet-hacking to produce a message that can be decrypted with multiple symmetric passphrases. of course it would also be nice if this could be done by using "-c" multiple times. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "A nation that continues year after year to spend more money on military defense than on programs of social uplift is approaching spiritual death." -- Martin Luther King, Jr. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJB8qbOAAoJEAx/d+cTpVciyi8H/Rdl9ksQ7CmtKFq+wiyXqHIY hl6P5sokxBnxnpHp+TxmvrrGDGfZ88JduZmbbfIg0S33QUtrly2uPG711sialwWA UfBEXdpj7iOIe2TdPFqlItqTIGir1lf3cF7ZV9hJgLb3+GpfgTCm0HniRv0YUWID pwxBrrm5o+yjxr4lIzq/EBoriJgVJTb7EpBGNSGg4BzQcHiMRl4SNHy1zfXr4atX HRlLl6V7XMsUeNsfYxvLSXj9r8KHcP1pVfjGnWo6KqTFSArNnI89snKDKsJ9ruGK bujguxGaf095ycDF+wzJj/Eb9EE8cSOgltyTQ+/ccCs5XMtQT7AQYhu1LWZPSlI= =B4WS -----END PGP SIGNATURE----- From skeleten at shillest.net Sun Jan 23 00:34:40 2005 From: skeleten at shillest.net (Norihiko Murase) Date: Sun Jan 23 00:31:52 2005 Subject: README typos Message-ID: <20050123083440.694b23%skeleten@shillest.net> Hi, I found the following typos in gnupg-1.4.0/README: s/libary/library/ s/libarry/library/ s/a availbale/available/ s/getext/gettext/ I attach the patch for fixing them: ----------(cut here)---------- diff -r -U 2 gnupg-1.4.0.orig/README gnupg-1.4.0/README --- gnupg-1.4.0.orig/README Tue Dec 14 16:22:21 2004 +++ gnupg-1.4.0/README Sun Jan 23 07:42:29 2005 @@ -488,7 +488,7 @@ --without-readline - Do not include support for the readline libary + Do not include support for the readline library even if it is available. The default is to check - whether the readline libarry is a availbale and + whether the readline library is available and use it to allow fancy command line editing. @@ -519,5 +519,5 @@ you a bus error. - --disable-dynload + --disable-dynload If you have problems with dynamic loading, this option disables all dynamic loading stuff. Note @@ -525,5 +525,5 @@ --disable-asm - Do not use assembler modules. It is not possible + Do not use assembler modules. It is not possible to use this on some CPU types. @@ -604,5 +604,5 @@ --enable-selinux-support This prevents access to certain files and won't - allow import or export of secret keys. + allow import or export of secret keys. --disable-gnupg-iconv @@ -614,5 +614,5 @@ support. This option allows to explicity disable the use of iconv. Note, that iconv is also - disabled if getext has been disabled. + disabled if gettext has been disabled. --enable-backsigs ----------(cut here)---------- Thanks, --- Norihiko Murase From skeleten at shillest.net Sat Jan 22 23:55:00 2005 From: skeleten at shillest.net (Norihiko Murase) Date: Sun Jan 23 02:39:31 2005 Subject: README typos Message-ID: <20050123075500.44fa91%skeleten@shillest.net> Hi, I found the following typos in gnupg-1.4.0/README: s/libary/library/ s/libarry/library/ s/a availbale/available/ s/getext/gettext/ I attach the patch for fixing them: ----------(cut here)---------- diff -r -U 2 gnupg-1.4.0.orig/README gnupg-1.4.0/README --- gnupg-1.4.0.orig/README Tue Dec 14 16:22:21 2004 +++ gnupg-1.4.0/README Sun Jan 23 07:42:29 2005 @@ -488,7 +488,7 @@ --without-readline - Do not include support for the readline libary + Do not include support for the readline library even if it is available. The default is to check - whether the readline libarry is a availbale and + whether the readline library is available and use it to allow fancy command line editing. @@ -519,5 +519,5 @@ you a bus error. - --disable-dynload + --disable-dynload If you have problems with dynamic loading, this option disables all dynamic loading stuff. Note @@ -525,5 +525,5 @@ --disable-asm - Do not use assembler modules. It is not possible + Do not use assembler modules. It is not possible to use this on some CPU types. @@ -604,5 +604,5 @@ --enable-selinux-support This prevents access to certain files and won't - allow import or export of secret keys. + allow import or export of secret keys. --disable-gnupg-iconv @@ -614,5 +614,5 @@ support. This option allows to explicity disable the use of iconv. Note, that iconv is also - disabled if getext has been disabled. + disabled if gettext has been disabled. --enable-backsigs ----------(cut here)---------- Thanks, --- Norihiko Murase From dshaw at jabberwocky.com Sun Jan 23 02:14:57 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sun Jan 23 05:22:50 2005 Subject: README typos In-Reply-To: <20050123083440.694b23%skeleten@shillest.net> References: <20050123083440.694b23%skeleten@shillest.net> Message-ID: <20050123011457.GA31107@jabberwocky.com> On Sun, Jan 23, 2005 at 08:34:40AM +0900, Norihiko Murase wrote: > Hi, > > I found the following typos in gnupg-1.4.0/README: > s/libary/library/ > > s/libarry/library/ > s/a availbale/available/ > > s/getext/gettext/ Fixed, thanks! David From dshaw at jabberwocky.com Tue Jan 25 03:48:55 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Jan 25 05:11:50 2005 Subject: symmetric key In-Reply-To: <20050122191236.20682.qmail@smasher.org> References: <20050122191236.20682.qmail@smasher.org> Message-ID: <20050125024855.GB5270@jabberwocky.com> On Sat, Jan 22, 2005 at 02:17:23PM -0500, Atom Smasher wrote: > IIRC, 1.2.x derived a symmetric session key from the symmetric > passphrase... is that still the case with 1.4.x? Yes, unless you are making a message that is encrypted with both a public key and a passphrase (i.e. --symmetric --encrypt). In that case, the session key is random. David From dragonheart at gentoo.org Tue Jan 25 22:34:44 2005 From: dragonheart at gentoo.org (Daniel) Date: Wed Jan 26 07:51:08 2005 Subject: GnuPG 1.4.0 not refreshing keys via hkp:// over IPv6 network connection Message-ID: <200501260704.50480.dragonheart@gentoo.org> I'm trying to help a user work out ipv6 key fetches using gpg and the following errors have occurred: http://bugs.gentoo.org/show_bug.cgi?id=79038 Particularly of note is comment #10 when it tries to execute part of a ipv6 address. The TCP dump seems to show the server just refusing a response after the get is issued. Is there a place where this can be tested against? -- Daniel Black Gentoo Crypto/PPC/dev-embedded/Forensics/NetMon -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050126/b8ea8993/attachment.pgp From wk at gnupg.org Wed Jan 26 13:00:41 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Jan 26 15:13:10 2005 Subject: GnuPG 1.4.0 not refreshing keys via hkp:// over IPv6 network connection In-Reply-To: <200501260704.50480.dragonheart@gentoo.org> (dragonheart@gentoo.org's message of "Wed, 26 Jan 2005 07:04:44 +0930") References: <200501260704.50480.dragonheart@gentoo.org> Message-ID: <878y6gflhy.fsf@wheatstone.g10code.de> On Wed, 26 Jan 2005 07:04:44 +0930, Daniel said: > http://bugs.gentoo.org/show_bug.cgi?id=79038 Please post the relevant parts of that bug report. People might be travelling without net access and still trying to do something. Thanks, Werner From jharris at widomaker.com Wed Jan 26 18:21:35 2005 From: jharris at widomaker.com (Jason Harris) Date: Wed Jan 26 20:02:25 2005 Subject: GnuPG 1.4.0 not refreshing keys via hkp:// over IPv6 network connection In-Reply-To: <878y6gflhy.fsf@wheatstone.g10code.de> References: <200501260704.50480.dragonheart@gentoo.org> <878y6gflhy.fsf@wheatstone.g10code.de> Message-ID: <20050126172135.GR684@wilma.widomaker.com> On Wed, Jan 26, 2005 at 01:00:41PM +0100, Werner Koch wrote: > On Wed, 26 Jan 2005 07:04:44 +0930, Daniel said: > > http://bugs.gentoo.org/show_bug.cgi?id=79038 > > Please post the relevant parts of that bug report. People might be > travelling without net access and still trying to do something. Indeed, I downloaded 263kB to see that the keyserver is pgp.mit.edu, which doesn't even have an IPv6 address. If you actually want to connect and retrieve keys via IPv6, try this keyserver: keyserver.linux.it. 11h57m4s IN CNAME lorien.prato.linux.it. lorien.prato.linux.it. 57m9s IN AAAA 2001:1418:13:10::1 (which is SKS behind an Apache proxy (non-caching).) These have AAAA records, but don't offer HKP via IPv6, IIRC: keyserver.stack.nl. 1H IN CNAME mud.stack.nl. mud.stack.nl. 2D IN AAAA 2001:610:1108:5011:207:e9ff:fe14:b498 seppia.noreply.org. 20M IN AAAA 2001:858:10f::1 (IPv4: keyserver.noreply.org) -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050126/c76e4d75/attachment.pgp From npcole at yahoo.co.uk Wed Jan 26 18:55:48 2005 From: npcole at yahoo.co.uk (Nicholas Cole) Date: Wed Jan 26 20:34:57 2005 Subject: trust model details Message-ID: <20050126175548.94718.qmail@web25404.mail.ukl.yahoo.com> Could I make a suggestion for a new file in docs that describes the details of the various trust models? The specific question I have at the moment is: how does the --max-cert-depth interact with the "pgp" delegated trust model? Does each key that has delegated trust still count as a "link" in the chain for the purposes of the maximum cert depth? Best wishes, N. ___________________________________________________________ ALL-NEW Yahoo! Messenger - all new features - even more fun! http://uk.messenger.yahoo.com From dshaw at jabberwocky.com Wed Jan 26 21:21:03 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Jan 26 21:18:00 2005 Subject: trust model details In-Reply-To: <20050126175548.94718.qmail@web25404.mail.ukl.yahoo.com> References: <20050126175548.94718.qmail@web25404.mail.ukl.yahoo.com> Message-ID: <20050126202103.GA9789@jabberwocky.com> On Wed, Jan 26, 2005 at 05:55:48PM +0000, Nicholas Cole wrote: > Could I make a suggestion for a new file in docs that > describes the details of the various trust models? > > The specific question I have at the moment is: > > how does the --max-cert-depth interact with the "pgp" > delegated trust model? Does each key that has > delegated trust still count as a "link" in the chain > for the purposes of the maximum cert depth? Yes. The depth count in trust signatures can shorten the --max-cert-depth value, but never lengthen it. David From albrecht.dress at arcor.de Wed Jan 26 21:24:03 2005 From: albrecht.dress at arcor.de (=?iso-8859-1?q?Albrecht_Dre=DF?=) Date: Wed Jan 26 21:20:23 2005 Subject: New pinentry release? In-Reply-To: <87zn0nogjt.fsf@wheatstone.g10code.de> (from wk@gnupg.org on Thu Dec 9 12:29:58 2004) References: <1102536841l.29937l.1l@antares.localdomain> <87zn0nogjt.fsf@wheatstone.g10code.de> Message-ID: <1106771043l.11833l.1l@antares.localdomain> Am 09.12.04 12:29 schrieb(en) Werner Koch: > On Wed, 08 Dec 2004 20:14:00 +0000, Albrecht Dre? said: > > > what do you think about preparing a new pinentry release? There has > been > > no change in the CVS sice end-september, and frequently people are > asking > > me about the gtk+-2 extension.... > > Marcus: Didn't we changed this in the CVS already? I can't check > right now because I am on the train and using the Debian packages one. > > Anyway, we should do such a release soon. We are also preparing ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Hmmm..... ;-) -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Albrecht Dre? - Johanna-Kirchner-Stra?e 13 - D-53123 Bonn (Germany) Phone (+49) 228 6199571 - mailto:albrecht.dress@arcor.de GnuPG public key: http://home.arcor.de/dralbrecht.dress/pubkey.asc _________________________________________________________________________ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050126/9b6160d2/attachment.pgp From skeleten at shillest.net Wed Jan 26 21:53:46 2005 From: skeleten at shillest.net (Norihiko Murase) Date: Wed Jan 26 21:51:00 2005 Subject: (1.4.0) configure: add_history in -lreadline Message-ID: <20050127055346.bd0c7%skeleten@shillest.net> Hi, I tried building Ver.1.4.0, but the detection of add_history in the readline library did NOT work correctly (did say "no".) # According to the ChangeLog file, you modified configure.ac # in CVS on 2004-12-18, so this problem may have been # already fixed. # # Sorry, but I can't check it because I don't have # # autoconf installed. X-) I attach the information about the system of me: (01) environment * CPU: i386 family * OS: FreeBSD 4.8-RELEASE * Compiler: gcc-2.95.4 (/usr/bin/gcc) * Softwares: - GNU Readline 5.0 - GNU Libiconv 1.9.2 - zlib 1.2.2 - bzip2 1.0.2 (/usr/{include,lib}/) (02) options for configure env CPPFLAGS="-I/usr/local/GNUReadline/include" \ MAKE='gmake' \ LDFLAGS="-R/usr/local/GNUReadline/lib:/usr/local/Libiconv/lib:/usr/local/zlib/lib -L/usr/local/GNUReadline/lib" \ ./configure \ --prefix=/usr/local/GnuPG \ --enable-static-rnd=linux \ --disable-card-support \ --enable-gnupg-iconv \ --disable-backsigs \ --enable-key-cache=1024 \ --enable-largefile \ --disable-nls \ --disable-rpath \ --enable-regex \ --with-readline \ --without-included-zlib \ --with-libiconv-prefix=/usr/local/Libiconv \ --without-included-regex \ --with-zlib=/usr/local/zlib (03) messages from configure ---------- checking for add_history in -lreadline... no checking readline/readline.h usability... yes checking readline/readline.h presence... yes checking for readline/readline.h... yes ---------- (04) config.log ---------- configure:21390: checking for add_history in -lreadline configure:21420: gcc -o conftest -g -O2 -I/usr/local/GNUReadline/include -I/usr/local/include -I/usr/local/Libiconv/include -I/usr/local/zlib/include -R/usr/local/GNUReadline/lib:/usr/local/Libiconv/lib:/usr/local/zlib/lib:/usr/lib -L/usr/local/GNUReadline/lib -L/usr/local/lib -L/usr/local/zlib/lib conftest.c -lreadline >&5 /usr/local/GNUReadline/lib/libreadline.so: undefined reference to `tgetnum' /usr/local/GNUReadline/lib/libreadline.so: undefined reference to `tgoto' /usr/local/GNUReadline/lib/libreadline.so: undefined reference to `tgetflag' /usr/local/GNUReadline/lib/libreadline.so: undefined reference to `tputs' /usr/local/GNUReadline/lib/libreadline.so: undefined reference to `tgetent' /usr/local/GNUReadline/lib/libreadline.so: undefined reference to `tgetstr' configure:21426: $? = 1 configure: failed program was: | /* confdefs.h. */ | ...(snip)... | #define VERSION "1.4.0" ...(snip)... | #define HAVE_BZIP2 1 | /* end confdefs.h. */ | ...(snip)... | /* We use char because int might match the return type of a gcc2 | builtin and then its argument prototype would still apply. */ | char add_history (); | int | main () | { | add_history (); | ; | return 0; | } configure:21451: result: no ---------- This "failed" program shown above can be compiled by adding "-lcurses" as the option for gcc. The symbols ('tgetnum', 'tgoto', ...), which gcc complains about, are in /usr/lib/libcurses.{a,so}. # Thank you for fixing the README typos and the bug of # --without-included-zlib and --without-included-regex !! # :-) :-) ===== Norihiko Murase @ The Univ. of Aizu The School of Computer Science and Engineering Department of Computer Software --- E-mail: skeleten@shillest.net s1080224@u-aizu.ac.jp From dshaw at jabberwocky.com Wed Jan 26 23:00:15 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Jan 26 22:57:20 2005 Subject: (1.4.0) configure: add_history in -lreadline In-Reply-To: <20050127055346.bd0c7%skeleten@shillest.net> References: <20050127055346.bd0c7%skeleten@shillest.net> Message-ID: <20050126220015.GA11478@jabberwocky.com> On Thu, Jan 27, 2005 at 05:53:46AM +0900, Norihiko Murase wrote: > Hi, > I tried building Ver.1.4.0, but the detection of add_history > in the readline library did NOT work correctly (did say "no".) > > # According to the ChangeLog file, you modified configure.ac > # in CVS on 2004-12-18, so this problem may have been > # already fixed. > # # Sorry, but I can't check it because I don't have > # # autoconf installed. X-) It should be fixed from that checkin. I've tested it on various machines and it correctly detects the readline dependency. We will be releasing a 1.4.1 release candidate soon, and perhaps you can give it a try then. David From wk at gnupg.org Thu Jan 27 08:44:46 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Jan 27 11:24:43 2005 Subject: New pinentry release? In-Reply-To: <1106771043l.11833l.1l@antares.localdomain> ( =?utf-8?q?Albrecht_Dre=C3=9F's_message_of?= "Wed, 26 Jan 2005 20:24:03 +0000") References: <1102536841l.29937l.1l@antares.localdomain> <87zn0nogjt.fsf@wheatstone.g10code.de> <1106771043l.11833l.1l@antares.localdomain> Message-ID: <87vf9jb9jl.fsf@wheatstone.g10code.de> Hi! Thanks for the reminder - will do a release today. Werner From stephane at sente.ch Thu Jan 27 09:14:03 2005 From: stephane at sente.ch (=?ISO-8859-1?Q?St=E9phane_Corth=E9sy?=) Date: Thu Jan 27 11:49:29 2005 Subject: Setting user personal prefs Message-ID: <647c8d345af505102a5639aaba13aa07@sente.ch> Hi, Since gpg 1.4, user can set some prefs on his keys: algos, keyserver. (it would be nice to be able to get that information with gpgme). Wouldn't it be nice if user could also add some new user-defined prefs to his key/userIDs? For example, related to mail, "accepts PGP/MIME", "Always PGP/MIME", "Always encrypted", etc. We could define well-known extensions to the prefs, having a name ("x-Mail-MIME", "x-Mail-Encryption", etc.) and a value. That would allow MUAs to be smarter, in that case: after they fetched all pubkeys in user keyring, when a user composes a new message, message PGP settings could be set by default according to recipients preferred settings. Just a thought, St?phane P.-S. I got no feedback on bug(?) reported on this list on Jan 21st. -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: This is a digitally signed message part Url : /pipermail/attachments/20050127/632e783a/PGP.pgp From wk at gnupg.org Thu Jan 27 15:00:15 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Jan 27 15:00:35 2005 Subject: gnupg-1.4.0 outputs some verbose information to stdout In-Reply-To: <20050120190737.95857.qmail@smasher.org> (Atom Smasher's message of "Thu, 20 Jan 2005 14:12:17 -0500 (EST)") References: <41EFF15A.5060407@gmx.net> <877jm72abj.fsf@wheatstone.g10code.de> <20050120190737.95857.qmail@smasher.org> Message-ID: <87oefb9dlc.fsf@wheatstone.g10code.de> On Thu, 20 Jan 2005 14:12:17 -0500 (EST), Atom Smasher said: > hhmmm.... "--all-verbose-to-stderr"? "--verbose-fd"? > i don't know about anyone else, but on my scripts it gets in the way. I have reconsidered: The implicit packet dumping in double verbose mode is now send to stderr and not to stdout. I hope this works for everyone; if it turns out to be a problem we may add an option to revert to the old behaviour. Salam-Shalom, Werner From wk at gnupg.org Thu Jan 27 15:07:32 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Jan 27 15:05:36 2005 Subject: Setting user personal prefs In-Reply-To: <647c8d345af505102a5639aaba13aa07@sente.ch> ( =?utf-8?q?St=C3=A9phane_Corth=C3=A9sy's_message_of?= "Thu, 27 Jan 2005 09:14:03 +0100") References: <647c8d345af505102a5639aaba13aa07@sente.ch> Message-ID: <87k6pz9d97.fsf@wheatstone.g10code.de> On Thu, 27 Jan 2005 09:14:03 +0100, St?phane Corth?sy said: > Since gpg 1.4, user can set some prefs on his keys: algos, > keyserver. (it would be nice to be able to get that information with > gpgme). That is pretty much OpenPGP specific and thus we don't want to have an explicit API for it. Using the command callback mechanism should work. > Wouldn't it be nice if user could also add some new user-defined prefs > to his key/userIDs? For example, related to mail, "accepts PGP/MIME", > "Always PGP/MIME", "Always encrypted", etc. You are not on the OpenPGP WG, right? Well, Hal Finney of PGP proposed such flags and it has been discussed whether they should be standarized. It seems the outcome is that they will go with their scheme, which is IMHO fine because OpenPGP should not be overloaded with MUA specific things. Ah well, notation data is used and gpgme provides it, we might need to add a few flags to the gpg invocation, though. I'll forward the proposal. Werner From wk at gnupg.org Thu Jan 27 15:08:49 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Jan 27 15:05:44 2005 Subject: ["Hal Finney"] Notation packet for PGP/MIME ability Message-ID: <87fz0n9d72.fsf@wheatstone.g10code.de> An embedded message was scrubbed... From: hal@finney.org ("Hal Finney") Subject: Notation packet for PGP/MIME ability Date: Thu, 13 Jan 2005 00:01:19 -0800 (PST) Size: 4183 Url: /pipermail/attachments/20050127/7d3bc7ca/attachment.mht From Janos.Farkas-lists+priv-#RVXrkLgxX70*-gpg-dev at lists.xeon.eu.org Thu Jan 27 16:23:51 2005 From: Janos.Farkas-lists+priv-#RVXrkLgxX70*-gpg-dev at lists.xeon.eu.org (Janos.Farkas-lists+priv-#RVXrkLgxX70*-gpg-dev@lists.xeon.eu.org) Date: Thu Jan 27 19:22:01 2005 Subject: [1.4.0] hidden recipient vs. ID 00000000 Message-ID: Hi! Apparently not too many use the -R option (for hidden recipient): > gpg --version gpg (GnuPG) 1.4.0 ... > echo|gpg -eR `whoami`|gpg gpg: anonymous recipient; trying secret key XXXXXXXX ... gpg: okay, we are the anonymous recipient. gpg: encrypted with 1312-bit RSA key, ID 00000000, created 1998-02-09 "Werner Koch " I guess that no ID is signified by the id zero in some place, which is seemingly "allocated" by a friend of us ;) Nevertheless, I was surprised when opening such a file almost claimed it was destined to Werner... Is this worthy to put on the bug list? -- Janos | romfs is at http://romfs.sourceforge.net/ | Don't talk about silence. From dshaw at jabberwocky.com Thu Jan 27 21:07:33 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Jan 27 21:04:19 2005 Subject: [1.4.0] hidden recipient vs. ID 00000000 In-Reply-To: References: Message-ID: <20050127200733.GD32218@jabberwocky.com> On Thu, Jan 27, 2005 at 04:23:51PM +0100, Janos.Farkas-lists+priv-#RVXrkLgxX70*-gpg-dev@lists.xeon.eu.org wrote: > Hi! > > Apparently not too many use the -R option (for hidden recipient): > > > gpg --version > gpg (GnuPG) 1.4.0 > ... > > > echo|gpg -eR `whoami`|gpg > gpg: anonymous recipient; trying secret key XXXXXXXX ... > gpg: okay, we are the anonymous recipient. > gpg: encrypted with 1312-bit RSA key, ID 00000000, created 1998-02-09 > "Werner Koch " > > I guess that no ID is signified by the id zero in some place, which is > seemingly "allocated" by a friend of us ;) > > Nevertheless, I was surprised when opening such a file almost claimed it > was destined to Werner... That's pretty amusing. The problem is that hidden recipients are indicated, as you noted, by a keyid of all zeroes. However, the old v3 Elgamal signing keys, being unsupported, also end up with a keyid of all zeroes. Werner's old key is a v3 Elgamal, and so it looks like all hidden recipient messages are handled by him. Try the attached patch. It changes the "no keyid" case to all FFs instead of zeroes. All FFs is as good as all zeroes here, especially since all zeroes is reserved. David -------------- next part -------------- Index: keyid.c =================================================================== RCS file: /cvs/gnupg/gnupg/g10/keyid.c,v retrieving revision 1.52 diff -u -r1.52 keyid.c --- keyid.c 30 Dec 2004 03:26:57 -0000 1.52 +++ keyid.c 27 Jan 2005 20:00:02 -0000 @@ -280,7 +280,7 @@ sk->keyid[1]=keyid[1]; } else - sk->keyid[0]=sk->keyid[1]=keyid[0]=keyid[1]=lowbits=0; + sk->keyid[0]=sk->keyid[1]=keyid[0]=keyid[1]=lowbits=0xFFFFFFFF; } else { @@ -298,7 +298,7 @@ sk->keyid[1] = keyid[1]; } else - sk->keyid[0]=sk->keyid[1]=keyid[0]=keyid[1]=lowbits=0; + sk->keyid[0]=sk->keyid[1]=keyid[0]=keyid[1]=lowbits=0xFFFFFFFF; } return lowbits; @@ -334,7 +334,7 @@ pk->keyid[1] = keyid[1]; } else - pk->keyid[0]=pk->keyid[1]=keyid[0]=keyid[1]=lowbits=0; + pk->keyid[0]=pk->keyid[1]=keyid[0]=keyid[1]=lowbits=0xFFFFFFFF; } else { @@ -352,7 +352,7 @@ pk->keyid[1] = keyid[1]; } else - pk->keyid[0]=pk->keyid[1]=keyid[0]=keyid[1]=lowbits=0; + pk->keyid[0]=pk->keyid[1]=keyid[0]=keyid[1]=lowbits=0xFFFFFFFF; } return lowbits; From mss at mawhrin.net Thu Jan 27 21:20:06 2005 From: mss at mawhrin.net (Mikhail Sobolev) Date: Thu Jan 27 21:16:13 2005 Subject: Storage on a pocket device In-Reply-To: <20050120191450.GA20352@mawhrin.net> References: <20050120191450.GA20352@mawhrin.net> Message-ID: <20050127202006.GA20813@mawhrin.net> Hi I asked this question: On Thu, Jan 20, 2005 at 10:14:51PM +0300, Mikhail Sobolev wrote: > This might be a strange question. I'd like to keep my secret keys on a > pocket device (Zaurus, iPAQ). Is it possible to somehow implement this? However nobody followed up. Does it mean that idea is just not reasonable at all? Let me describe the use case a bit better. I have something on my Linux PDA. All my secret keys is stored on the PDA. When I start to work on my workstation, the PDA is connected somehow to it (USB, Bluetooth). Whenever an operation involving the secret key is required, this operation is performed on the PDA. How does it sound? Is it possible to implement it using current tools (gnupg, gnupg agent)? Kind Regards, -- Misha -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : /pipermail/attachments/20050127/391119a2/attachment.pgp From wk at gnupg.org Thu Jan 27 20:01:44 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Jan 27 21:33:28 2005 Subject: ["Hal Finney"] Notation packet for PGP/MIME ability In-Reply-To: <1106851669l.5292l.1l@antares.localdomain> ( =?utf-8?q?Albrecht_Dre=C3=9F's_message_of?= "Thu, 27 Jan 2005 18:47:49 +0000") References: <87fz0n9d72.fsf@wheatstone.g10code.de> <1106851669l.5292l.1l@antares.localdomain> Message-ID: <87r7k666hz.fsf@wheatstone.g10code.de> On Thu, 27 Jan 2005 18:47:49 +0000, Albrecht Dre? said: > Such a feature would be mega! It would also be great to have a simple > access to it through gpgme, as it would *really* simplify writing a > user-friendly MUA. I general I agree; whoever it is also an excuse not to do PGP/MIME. We have to look for the best way to implement it in gpgme. It makes a lot of sense to have it there. > been discussed there) I would suggest to add RFC2440 to the possible > formats, as some clients (e.g. pgp4pine or [spit] Outlook/GData) rely on Thats actual the simple (i.e. one part) partitioned format. Salam-Shalom, Werner From albrecht.dress at arcor.de Thu Jan 27 19:47:49 2005 From: albrecht.dress at arcor.de (=?iso-8859-1?q?Albrecht_Dre=DF?=) Date: Thu Jan 27 22:08:28 2005 Subject: ["Hal Finney"] Notation packet for PGP/MIME ability In-Reply-To: <87fz0n9d72.fsf@wheatstone.g10code.de> (from wk@gnupg.org on Thu Jan 27 15:08:49 2005) References: <87fz0n9d72.fsf@wheatstone.g10code.de> Message-ID: <1106851669l.5292l.1l@antares.localdomain> Am 27.01.05 15:08 schrieb(en) Werner Koch: > An example preferred-email-encoding notation packet will have the > following fields: > > Flags: 0x80, 0x00, 0x00, 0x00 > > Name: preferred-email-encoding@pgp.com > > Value: pgpmime,partitioned > > This would mean that the key holder can handle both PGP/MIME and > partitioned formats, but that he prefers to receive PGP/MIME. Such a feature would be mega! It would also be great to have a simple access to it through gpgme, as it would *really* simplify writing a user-friendly MUA. However (I'm also not following the OpenPGP WG, so mayby it has already been discussed there) I would suggest to add RFC2440 to the possible formats, as some clients (e.g. pgp4pine or [spit] Outlook/GData) rely on it. Cheers, Albrecht. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Albrecht Dre? - Johanna-Kirchner-Stra?e 13 - D-53123 Bonn (Germany) Phone (+49) 228 6199571 - mailto:albrecht.dress@arcor.de GnuPG public key: http://home.arcor.de/dralbrecht.dress/pubkey.asc _________________________________________________________________________ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050127/7bd5eef6/attachment.pgp From alex at bofh.net.pl Thu Jan 27 23:42:07 2005 From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Thu Jan 27 23:38:38 2005 Subject: Storage on a pocket device In-Reply-To: <20050127202006.GA20813@mawhrin.net> References: <20050120191450.GA20352@mawhrin.net> <20050127202006.GA20813@mawhrin.net> Message-ID: <41F96E3F.1030803@bofh.net.pl> Mikhail Sobolev wrote: > Hi > > I asked this question: > > On Thu, Jan 20, 2005 at 10:14:51PM +0300, Mikhail Sobolev wrote: > >>This might be a strange question. I'd like to keep my secret keys on a >>pocket device (Zaurus, iPAQ). Is it possible to somehow implement this? > > However nobody followed up. Does it mean that idea is just not > reasonable at all? It is reasonable, to some extent. You want to use PDA as cryptographic token. > Let me describe the use case a bit better. I have something on my Linux > PDA. All my secret keys is stored on the PDA. When I start to work on > my workstation, the PDA is connected somehow to it (USB, Bluetooth). > Whenever an operation involving the secret key is required, this > operation is performed on the PDA. How does it sound? There are two problems with the approach. 1. You assume to connection between PDA and the 'big' machine is very transparent for the application, opaque for other applications and authenticated. Which is quite difficult to do properly. 2. The keys are stealable with the device. Usually, crypto tokens are made in a way that makes it supposedly impossible to retrieve the keys from the device. For general-purpose devices employed in the function of tokens this is done by keeping the keying material in encrypted blob which is very carefully decrypted after authentication of the operation by user. The carefullness is to avoid leaking of sensitive information to public-accessible memory of the device - in gnupg on a 'big' machine this is why the memory is mlock(2)ed - so the keys won't leave trace in swap. Again, this can be done but it is difficult. > Is it possible to implement it using current tools (gnupg, gnupg agent)? I don't think so. I once thought about the same but for PalmOS device. But the security gain for everyday use is not that much and this solution is not as convenient as it looks at first sight. OpenPGP smartcard has most of the pros while lacking most of the disadvantages. Alex From wk at gnupg.org Fri Jan 28 10:49:08 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Jan 28 11:58:43 2005 Subject: Storage on a pocket device In-Reply-To: <41F96E3F.1030803@bofh.net.pl> (Janusz A. Urbanowicz's message of "Thu, 27 Jan 2005 23:42:07 +0100") References: <20050120191450.GA20352@mawhrin.net> <20050127202006.GA20813@mawhrin.net> <41F96E3F.1030803@bofh.net.pl> Message-ID: <87r7k551ez.fsf@wheatstone.g10code.de> On Thu, 27 Jan 2005 23:42:07 +0100, Janusz A Urbanowicz said: > I once thought about the same but for PalmOS device. But the security > gain for everyday use is not that much and this solution is not as For signing documents a PDA might be useful if you trust the software used on the PDA: You may use it to display the document before signing it. Well, it will only work with plain text, as soon as PDF etc. comes into the play the software required on the PDA gets too complex and might already be trojaned. Salam-Shalom, Werner From Janos.Farkas-lists+priv-#RVXrkLgxX70*-gpg-dev at lists.xeon.eu.org Fri Jan 28 15:56:40 2005 From: Janos.Farkas-lists+priv-#RVXrkLgxX70*-gpg-dev at lists.xeon.eu.org (Janos.Farkas-lists+priv-#RVXrkLgxX70*-gpg-dev@lists.xeon.eu.org) Date: Fri Jan 28 15:52:56 2005 Subject: [1.4.0] hidden recipient vs. ID 00000000 In-Reply-To: <20050127200733.GD32218@jabberwocky.com> References: <20050127200733.GD32218@jabberwocky.com> Message-ID: On 2005-01-27 at 15:07:33, David Shaw wrote: > Try the attached patch. It changes the "no keyid" case to all FFs > instead of zeroes. All FFs is as good as all zeroes here, especially > since all zeroes is reserved. It's definitely less disturbing now, thanks! :) |o| gpg: okay, we are the anonymous recipient. |o| gpg: encrypted with RSA key, ID 00000000 -- Janos | romfs is at http://romfs.sourceforge.net/ | Don't talk about silence. From Dave.Stucki at Summit.Fiserv.com Fri Jan 28 15:27:02 2005 From: Dave.Stucki at Summit.Fiserv.com (Stucki, Dave) Date: Fri Jan 28 16:09:54 2005 Subject: Compiling gnupg on HP-UX 11.11 Message-ID: Hello all, 'configure' ran clean. When I first did the 'make' on the source, I received the following error message in the standard output, which caused the compile to fail: : conversion from `utf-8' to `roman8' not available So I changed my locale from the hp-ux standard "C" to "C.utf8" and attempted again to "make clean" and "make" again. This time with success. Then I did a "make install". Logged in fresh and tried to create a new key pair and received the same error: gpg: conversion from `utf-8' to `roman8' not available Attempting to get the binary to run successfully, I again changed my locale from "C" to "C.utf8". Key pair was successfully generated. Tried to use the key pair to generate an encrypted hash of a plain text file and the output looked like a binary file, instead of a crypt hash. I've looked high and low and even opened a call with HP to get help, all to no avail. Anyone who might have a clue about this problem? Regards, Dave Stucki Senior Systems Programmer/Analyst HP Certified System Administrator Summit Information Systems dave dot stucki at summit dot fiserv dot com From dshaw at jabberwocky.com Fri Jan 28 17:25:36 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Jan 28 20:48:39 2005 Subject: Compiling gnupg on HP-UX 11.11 In-Reply-To: References: Message-ID: <20050128162536.GA3117@jabberwocky.com> On Fri, Jan 28, 2005 at 06:27:02AM -0800, Stucki, Dave wrote: > Hello all, > > 'configure' ran clean. > When I first did the 'make' on the source, I received the following > error message in the standard output, which caused the compile to fail: > > : conversion from `utf-8' to `roman8' not available > > So I changed my locale from the hp-ux standard "C" to "C.utf8" and attempted > again to "make clean" and "make" again. This time with success. Then I did > a "make install". Logged in fresh and tried to create a new key pair and > received > the same error: > > gpg: conversion from `utf-8' to `roman8' not available > > Attempting to get the binary to run successfully, I again changed my locale > from "C" to "C.utf8". Key pair was successfully generated. It looks like you have two different, and unrelated problems here. This one is just that you have a problem converting utf8 to whatever character set you are using. OpenPGP stores things like user IDs in utf8. The character set choosing algorithm will be better in 1.4.1, but in the meantime setting the locale to C.utf8 is fine. > Tried to use the key pair to generate an encrypted hash of a plain > text file and the output looked like a binary file, instead of a > crypt hash. This is a different problem. GnuPG outputs binary unless told otherwise. If you want ascii armor, you need to add --armor to your command line. David From mo at g10code.com Fri Jan 28 21:02:20 2005 From: mo at g10code.com (Moritz Schulte) Date: Fri Jan 28 20:58:04 2005 Subject: gpg-agent: ssh support Message-ID: <20050128200220.GA7361@sarkutty> Hello folks, I have commited my changes, which add ssh-agent support to the gpg-agent, into GNUPG-1-9-BRANCH. What this means: gpg-agent contains the new option `--ssh-support', which enables the ssh-agent emulation. From the manual: In this mode of operation, the agent does not only implement the gpg-agent protocol, but also the agent protocol used by OpenSSH (through a seperate socket). Consequently, it should possible to use the gpg-agent as a drop-in replacement for the well known ssh-agent. SSH Keys, which are to be used through the agent, need to be added to the gpg-agent initially through the ssh-add utility. When a key is added, ssh-add will ask for the password of the provided key file and send the unprotected key material to the agent; this causes the gpg-agent to ask for a passphrase, which is to be used for encrypting the newly received key and storing it in a gpg-agent specific directory. Once, a key has been added to the gpg-agent this way, the gpg-agent will be ready to use the key. Note: in case the gpg-agent receives a signature request, the user might need to be prompted for a passphrase, which is necessary for decrypting the stored key. Since the ssh-agent protocol does not contain a mechanism for telling the agent on which display/terminal it is running, gpg-agent's --ssh-support switch implies --keep-display and --keep-tty. This strategy causes the gpg-agent to open a pinentry on the display or on the terminal, on which it (the gpg-agent) was started. Comments/feedback/bug reports are very welcome; happy hacking. Thanks, Moritz. -- Moritz Schulte -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 193 bytes Desc: not available Url : /pipermail/attachments/20050128/8631f869/attachment-0001.pgp From lists at lina.inka.de Fri Jan 28 20:48:48 2005 From: lists at lina.inka.de (Bernd Eckenfels) Date: Fri Jan 28 21:31:48 2005 Subject: [1.4.0] hidden recipient vs. ID 00000000 In-Reply-To: References: <20050127200733.GD32218@jabberwocky.com> Message-ID: <20050128194848.GA9516@lina.inka.de> On Fri, Jan 28, 2005 at 03:56:40PM +0100, Janos.Farkas-lists+priv-#RVXrkLgxX70*-gpg-dev@lists.xeon.eu.org wrote: > On 2005-01-27 at 15:07:33, David Shaw wrote: > > Try the attached patch. It changes the "no keyid" case to all FFs > > instead of zeroes. All FFs is as good as all zeroes here, especially > > since all zeroes is reserved. > > It's definitely less disturbing now, thanks! :) Is all-FF keyid a valid one? If yes this patch does not make it any better. Ie. it makes normal handling worse. Special values and in-band signalling sux pretty often. Bernd From albrecht.dress at arcor.de Fri Jan 28 21:38:10 2005 From: albrecht.dress at arcor.de (=?iso-8859-1?q?Albrecht_Dre=DF?=) Date: Fri Jan 28 21:34:56 2005 Subject: pinentry SUID root problem (+ fix?) Message-ID: <1106944691l.4864l.2l@antares.localdomain> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050128/f78631f6/attachment.pgp From albrecht.dress at arcor.de Fri Jan 28 22:10:31 2005 From: albrecht.dress at arcor.de (=?iso-8859-1?q?Albrecht_Dre=DF?=) Date: Fri Jan 28 22:06:54 2005 Subject: bug in gpg-1.9.15 Makefile Message-ID: <1106946631l.4864l.3l@antares.localdomain> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050128/88647b55/attachment.pgp From dshaw at jabberwocky.com Fri Jan 28 22:28:04 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Jan 28 22:24:49 2005 Subject: [1.4.0] hidden recipient vs. ID 00000000 In-Reply-To: <20050128194848.GA9516@lina.inka.de> References: <20050127200733.GD32218@jabberwocky.com> <20050128194848.GA9516@lina.inka.de> Message-ID: <20050128212804.GB3117@jabberwocky.com> On Fri, Jan 28, 2005 at 08:48:48PM +0100, Bernd Eckenfels wrote: > On Fri, Jan 28, 2005 at 03:56:40PM +0100, Janos.Farkas-lists+priv-#RVXrkLgxX70*-gpg-dev@lists.xeon.eu.org wrote: > > On 2005-01-27 at 15:07:33, David Shaw wrote: > > > Try the attached patch. It changes the "no keyid" case to all FFs > > > instead of zeroes. All FFs is as good as all zeroes here, especially > > > since all zeroes is reserved. > > > > It's definitely less disturbing now, thanks! :) > > Is all-FF keyid a valid one? If yes this patch does not make it any better. > Ie. it makes normal handling worse. Special values and in-band signalling > sux pretty often. All-FF and All-00 are both valid. All-00 is overloaded to mean "anonymous recipient" on top of its usual meaning. There is a small problem since a V3 key that isn't RSA is illegal according to the spec. Quite literally, they have *no* key IDs. So how should it be represented? The old code represented it as all-00. The new code represents it as all-FF. Pick a value. They all have problems. The real answer is to delete illegal keys and/or refuse to import them (which GnuPG does). If someone happens to have such a key, well, this is just as bad as all-00, but at least doesn't break anonymous messages. David From mail at joachim-breitner.de Sat Jan 29 18:26:49 2005 From: mail at joachim-breitner.de (Joachim Breitner) Date: Sat Jan 29 19:02:44 2005 Subject: gpg-agent: ssh support In-Reply-To: <20050128200220.GA7361@sarkutty> References: <20050128200220.GA7361@sarkutty> Message-ID: <1107019609.9963.6.camel@localhost.localdomain> Hi Moritz, hi List, good news, thanks so far. I got a suggestion. Would it be possible to have gpg-agent encrypt the ssh key with my gpg key instead of yet another password? This way, I would not notice the difference between whether the gpg or the ssh key is used, and I'd get some added value when using the openpgp-smartcards. thx, nomeata BTW: Today I hacked your poldi code to read the PIN from the login data field from the card. I'll fix up the code and send you a patch maybe tomorrow, but you might want to implement it differently, more cleanly that is. Am Freitag, den 28.01.2005, 21:02 +0100 schrieb Moritz Schulte: > Hello folks, > > I have commited my changes, which add ssh-agent support to the > gpg-agent, into GNUPG-1-9-BRANCH. What this means: gpg-agent contains > the new option `--ssh-support', which enables the ssh-agent emulation. > > From the manual: > > In this mode of operation, the agent does not only implement the > gpg-agent protocol, but also the agent protocol used by OpenSSH > (through a seperate socket). Consequently, it should possible to use > the gpg-agent as a drop-in replacement for the well known ssh-agent. > > SSH Keys, which are to be used through the agent, need to be added to > the gpg-agent initially through the ssh-add utility. When a key is > added, ssh-add will ask for the password of the provided key file and > send the unprotected key material to the agent; this causes the > gpg-agent to ask for a passphrase, which is to be used for encrypting > the newly received key and storing it in a gpg-agent specific > directory. > > Once, a key has been added to the gpg-agent this way, the gpg-agent > will be ready to use the key. > > Note: in case the gpg-agent receives a signature request, the user > might need to be prompted for a passphrase, which is necessary for > decrypting the stored key. Since the ssh-agent protocol does not > contain a mechanism for telling the agent on which display/terminal it > is running, gpg-agent's --ssh-support switch implies --keep-display > and --keep-tty. This strategy causes the gpg-agent to open a pinentry > on the display or on the terminal, on which it (the gpg-agent) was > started. > > Comments/feedback/bug reports are very welcome; happy hacking. > > Thanks, > Moritz. > > _______________________________________________ > Gnupg-devel mailing list > Gnupg-devel@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-devel -- Joachim Breitner e-Mail: mail@joachim-breitner.de Homepage: http://www.joachim-breitner.de ICQ#: 74513189 Bitte senden Sie mir keine Word- oder PowerPoint-Anh?nge. Siehe http://www.fsf.org/philosophy/no-word-attachments.de.html From fw at deneb.enyo.de Sat Jan 29 21:15:06 2005 From: fw at deneb.enyo.de (Florian Weimer) Date: Sat Jan 29 21:11:13 2005 Subject: [1.4.0] hidden recipient vs. ID 00000000 In-Reply-To: <20050128212804.GB3117@jabberwocky.com> (David Shaw's message of "Fri, 28 Jan 2005 16:28:04 -0500") References: <20050127200733.GD32218@jabberwocky.com> <20050128194848.GA9516@lina.inka.de> <20050128212804.GB3117@jabberwocky.com> Message-ID: <87fz0kkn5h.fsf@deneb.enyo.de> * David Shaw: > On Fri, Jan 28, 2005 at 08:48:48PM +0100, Bernd Eckenfels wrote: >> On Fri, Jan 28, 2005 at 03:56:40PM +0100, Janos.Farkas-lists+priv-#RVXrkLgxX70*-gpg-dev@lists.xeon.eu.org wrote: >> > On 2005-01-27 at 15:07:33, David Shaw wrote: >> > > Try the attached patch. It changes the "no keyid" case to all FFs >> > > instead of zeroes. All FFs is as good as all zeroes here, especially >> > > since all zeroes is reserved. >> > >> > It's definitely less disturbing now, thanks! :) >> >> Is all-FF keyid a valid one? If yes this patch does not make it any better. >> Ie. it makes normal handling worse. Special values and in-band signalling >> sux pretty often. > > All-FF and All-00 are both valid. All-00 is overloaded to mean > "anonymous recipient" on top of its usual meaning. > > There is a small problem since a V3 key that isn't RSA is illegal > according to the spec. Quite literally, they have *no* key IDs. So > how should it be represented? The old code represented it as all-00. > The new code represents it as all-FF. Pick a value. They all have > problems. All-0 is not a valid V3 key ID because its LSB is not set. All-1 is theoretically valid, but rather unlikely (it imposes rather strict requirements on the lower bits in both prime factors). From dshaw at jabberwocky.com Sat Jan 29 21:59:33 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Jan 29 21:56:15 2005 Subject: [1.4.0] hidden recipient vs. ID 00000000 In-Reply-To: <87fz0kkn5h.fsf@deneb.enyo.de> References: <20050127200733.GD32218@jabberwocky.com> <20050128194848.GA9516@lina.inka.de> <20050128212804.GB3117@jabberwocky.com> <87fz0kkn5h.fsf@deneb.enyo.de> Message-ID: <20050129205933.GA16028@jabberwocky.com> On Sat, Jan 29, 2005 at 09:15:06PM +0100, Florian Weimer wrote: > * David Shaw: > > > On Fri, Jan 28, 2005 at 08:48:48PM +0100, Bernd Eckenfels wrote: > >> On Fri, Jan 28, 2005 at 03:56:40PM +0100, Janos.Farkas-lists+priv-#RVXrkLgxX70*-gpg-dev@lists.xeon.eu.org wrote: > >> > On 2005-01-27 at 15:07:33, David Shaw wrote: > >> > > Try the attached patch. It changes the "no keyid" case to all FFs > >> > > instead of zeroes. All FFs is as good as all zeroes here, especially > >> > > since all zeroes is reserved. > >> > > >> > It's definitely less disturbing now, thanks! :) > >> > >> Is all-FF keyid a valid one? If yes this patch does not make it any better. > >> Ie. it makes normal handling worse. Special values and in-band signalling > >> sux pretty often. > > > > All-FF and All-00 are both valid. All-00 is overloaded to mean > > "anonymous recipient" on top of its usual meaning. > > > > There is a small problem since a V3 key that isn't RSA is illegal > > according to the spec. Quite literally, they have *no* key IDs. So > > how should it be represented? The old code represented it as all-00. > > The new code represents it as all-FF. Pick a value. They all have > > problems. > > All-0 is not a valid V3 key ID because its LSB is not set. All-1 is > theoretically valid, but rather unlikely (it imposes rather strict > requirements on the lower bits in both prime factors). True, but it doesn't matter in this case since all-0 and all-1 are both valid in the context of the key ID in a session key packet since v4 keys can be all-0 or all-1. Remember that the problem that started this discussion is that an all-0 key ID conflicts with the anonymous key ID. David From fw at deneb.enyo.de Sat Jan 29 23:08:36 2005 From: fw at deneb.enyo.de (Florian Weimer) Date: Sat Jan 29 23:04:44 2005 Subject: [1.4.0] hidden recipient vs. ID 00000000 In-Reply-To: <20050129205933.GA16028@jabberwocky.com> (David Shaw's message of "Sat, 29 Jan 2005 15:59:33 -0500") References: <20050127200733.GD32218@jabberwocky.com> <20050128194848.GA9516@lina.inka.de> <20050128212804.GB3117@jabberwocky.com> <87fz0kkn5h.fsf@deneb.enyo.de> <20050129205933.GA16028@jabberwocky.com> Message-ID: <87psznkhwb.fsf@deneb.enyo.de> * David Shaw: >> All-0 is not a valid V3 key ID because its LSB is not set. All-1 is >> theoretically valid, but rather unlikely (it imposes rather strict >> requirements on the lower bits in both prime factors). > > True, but it doesn't matter in this case since all-0 and all-1 are > both valid in the context of the key ID in a session key packet since > v4 keys can be all-0 or all-1. But this is extremely unlikely. Currently, it's not computationally feasible to create such V4 keys. IMHO, RFC 2440bis should even outlaw generation of keys which such key IDs. From dshaw at jabberwocky.com Sun Jan 30 00:18:19 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sun Jan 30 00:15:08 2005 Subject: [1.4.0] hidden recipient vs. ID 00000000 In-Reply-To: <87psznkhwb.fsf@deneb.enyo.de> References: <20050127200733.GD32218@jabberwocky.com> <20050128194848.GA9516@lina.inka.de> <20050128212804.GB3117@jabberwocky.com> <87fz0kkn5h.fsf@deneb.enyo.de> <20050129205933.GA16028@jabberwocky.com> <87psznkhwb.fsf@deneb.enyo.de> Message-ID: <20050129231819.GB16028@jabberwocky.com> On Sat, Jan 29, 2005 at 11:08:36PM +0100, Florian Weimer wrote: > * David Shaw: > > >> All-0 is not a valid V3 key ID because its LSB is not set. All-1 is > >> theoretically valid, but rather unlikely (it imposes rather strict > >> requirements on the lower bits in both prime factors). > > > > True, but it doesn't matter in this case since all-0 and all-1 are > > both valid in the context of the key ID in a session key packet since > > v4 keys can be all-0 or all-1. > > But this is extremely unlikely. Indeed. 1 in 2^64 chance for either. > Currently, it's not computationally feasible to create such V4 keys. Not computationally feasible to create such a collision, but I'm talking about a natural collision: the all-0 or all-1 key ID has the same chance as any other key ID in v4. Which is to say very, very unlikely but not zero. > IMHO, RFC 2440bis should even outlaw generation of keys which such > key IDs. I understand the desire to outlaw all-0 keys, but why would you outlaw all-1 keys? (or did you just mean all-0?) David From mo at g10code.com Sun Jan 30 01:19:59 2005 From: mo at g10code.com (Moritz Schulte) Date: Sun Jan 30 03:49:35 2005 Subject: gpg-agent: ssh support In-Reply-To: <1107019609.9963.6.camel@localhost.localdomain> References: <20050128200220.GA7361@sarkutty> <1107019609.9963.6.camel@localhost.localdomain> Message-ID: <20050130001958.GA6612@sarkutty> On Sat, Jan 29, 2005 at 06:26:49PM +0100, Joachim Breitner wrote: > I got a suggestion. Would it be possible to have gpg-agent encrypt > the ssh key with my gpg key instead of yet another password? This > way, I would not notice the difference between whether the gpg or > the ssh key is used, and I'd get some added value when using the > openpgp-smartcards. Hmm. Well, the agent does not support this way of protecting a key at the moment. I don't like this idea too much, 'cause it would make the code more complex. Werner, what do you think about this? Joachim: it should take little work to make the ssh emulation of gpg-agent support the openpgp card natively. As far as I know, most of what is needed is there: a way to install a "shadowed" version of the key beneath private-keys-v1.d; code in agent to divert an operation on a shadowed key to scdaemon. I have to admit, I have not fully understood this mechanism yet; I have not managed to install such a shadowed key with the correct shadow information, so that the agent can use it. Werner: am I right in assuming, that this code (at least the part in the protect-tool (which is to be used for this purpose, right?) is not really usuable yet? How can I make it work? :) Thanks, Moritz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 193 bytes Desc: not available Url : /pipermail/attachments/20050130/288da70d/attachment.pgp From fw at deneb.enyo.de Sun Jan 30 11:34:22 2005 From: fw at deneb.enyo.de (Florian Weimer) Date: Sun Jan 30 12:41:10 2005 Subject: [1.4.0] hidden recipient vs. ID 00000000 In-Reply-To: <20050129231819.GB16028@jabberwocky.com> (David Shaw's message of "Sat, 29 Jan 2005 18:18:19 -0500") References: <20050127200733.GD32218@jabberwocky.com> <20050128194848.GA9516@lina.inka.de> <20050128212804.GB3117@jabberwocky.com> <87fz0kkn5h.fsf@deneb.enyo.de> <20050129205933.GA16028@jabberwocky.com> <87psznkhwb.fsf@deneb.enyo.de> <20050129231819.GB16028@jabberwocky.com> Message-ID: <871xc3rys1.fsf@deneb.enyo.de> * David Shaw: >> IMHO, RFC 2440bis should even outlaw generation of keys which such >> key IDs. > > I understand the desire to outlaw all-0 keys, but why would you outlaw > all-1 keys? (or did you just mean all-0?) I did mean all-0. From abnbsdloc5 at neuf.fr Sun Jan 30 23:27:20 2005 From: abnbsdloc5 at neuf.fr (Alain Bench) Date: Mon Jan 31 15:19:18 2005 Subject: Compiling gnupg on HP-UX 11.11 In-Reply-To: <20050128162536.GA3117@jabberwocky.com> References: <20050128162536.GA3117@jabberwocky.com> Message-ID: <20050130222720.GA30909@neuf.fr> Hello Daves, On Friday, January 28, 2005 at 11:25:36 AM -0500, David M. Shaw wrote: > On Fri, Jan 28, 2005 at 06:27:02AM -0800, Stucki, Dave wrote: >> gpg: conversion from `utf-8' to `roman8' not available > you have a problem converting utf8 to whatever character set Yes: HP-UX is known to use uncommon names for charsets, and be over-picky about those names as parameters. It doesn't accept "UTF-8" name which is both standard and hardcoded in GnuPG. It wants "utf8". There may perhaps be a workaround on the system: Creating an alias utf-8 to utf8 in /usr/lib/nls/iconv/config.iconv or something like that. There is an alias section, and comments about the expected format. Or install libiconv 1.9.2 to replace HP iconv. > setting the locale to C.utf8 is fine. Fine on an UTF-8 terminal. Broken UID creation and display on a HP-Roman8 terminal. Bye! Alain. -- Give your computer's unused idle processor cycles to a scientific goal: The Folding@home project at . From stefan at freiheit.com Mon Jan 31 19:56:29 2005 From: stefan at freiheit.com (Stefan Richter) Date: Mon Jan 31 21:13:49 2005 Subject: GnuPG for Java with GPGME bindings Message-ID: <1107197789.5791.100.camel@plutonium.toxine.lan> Hi *, I want to announce the availability of a Java library that implements gpgme bindings using native C-calls via JNI (Java Native Interface): "GnuPG for Java" It is an alpha release (0.1.2), but it already implements encrypt, decrypt, sign, verify and keysearch (by fingerprint and text query). Currently it runs only under 32-Bit/Intel GNU/Linux (with an installed gpgme lib and gpg). At least, this is where I tested it. Thanks to Werner, this library is published under LGPL. Check this for the binary (Jar) and Javadoc: ftp://ftp.gnupg.org/gcrypt/alpha/gnupgjava/ If you need features, tell me what you need first, because I do it in my spare time. We are currently working on a gui client for Java, that uses "GnuPG for Java", something like kgpg/gpa etc. A first version will be published this week. Hope this will bring the wonders of free and strong cryptography to corporate java developers. ;-) cheers, Stefan -- Stefan Richter Dipl.-Ing., Dipl.-Inf. freiheit.com technologies gmbh Theodorstr. 42-90/ 22761 Hamburg, Germany fon +49 (0)40 / 890584-0 fax +49 (0)40 / 890584-20 Buy books and support free software | http://bookzilla.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Dies ist ein digital signierter Nachrichtenteil Url : /pipermail/attachments/20050131/30fb4781/attachment.pgp From colby at arcsight.com Mon Jan 31 20:52:18 2005 From: colby at arcsight.com (Colby DeRodeff) Date: Mon Jan 31 22:22:34 2005 Subject: Kmail and Crypto Error Message-ID: <200501311152.19106.colby@arcsight.com> Hi I just upgrade to the latest version of kde and Kmail looking forward to the inclusion of the ?gypten Project work. So I have gpg 1.4 and the latest kmail (1.7.2) the problem I am having is that when I try to select the signing key as soon as I click the button the whole application crashes and I get the following output on the command line: Kleo::ProgressBar::startStopBusyTimer() cur = -1; tot = 0; real = -1 (new value) switch to reset Kleo::ProgressBar::setTotalSteps( 0 ) kmail: symbol lookup error: /usr/lib/libkleopatra.so.0: undefined symbol: _ZN12QProgressBarD2Ev Any help is greatly appreciated. Thanks -colby -- ~~~~~~~~~~~~~~~~~~~ Colby DeRodeff GCIA, GSNA Sr. Security Engineer Content Team @ ArcSight Inc. www.arcsight.com colby@arcsight.com ph (408) 864-2647