From gniibe at fsij.org Tue Mar 1 07:04:40 2011 From: gniibe at fsij.org (NIIBE Yutaka) Date: Tue, 01 Mar 2011 15:04:40 +0900 Subject: scute in Debian? In-Reply-To: <4D40CDCF.60008@fsij.org> References: <4D40CDCF.60008@fsij.org> Message-ID: <4D6C8C78.7090405@fsij.org> 2011-01-27 10:43, NIIBE Yutaka wrote: > Now, I am trying scute. I found that it is not in Debian yet, and I > couldn't find WNPP or something. If there is no problem to package it > for Debian, I am willing to do so. Any opinions? I submitted ITP for scute (#615930). http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=615930 -- From wk at gnupg.org Tue Mar 1 15:02:32 2011 From: wk at gnupg.org (Werner Koch) Date: Tue, 01 Mar 2011 15:02:32 +0100 Subject: [Announce] Libksba 1.2.0 released Message-ID: <87r5arrlaf.fsf@vigenere.g10code.de> Hello! We are pleased to announce version 1.2.0 of Libksba. Libksba is an X.509 and CMS (PKCS#7) library. It is for example required to build the S/MIME part of GnuPG-2 (gpgsm). The only build requirement for Libksba itself is the libgpg-error package. There are no other dependencies; actual cryptographic operations need to be done by the user. Libksba is distributed under the GPLv3+. There are no user tools accompanying this software, thus it is mostly relevant to developers. This release adds features required by the GnuPG 2.1 development version. You may download the library and its OpenPGP signature from: ftp://ftp.gnupg.org/gcrypt/libksba/libksba-1.2.0.tar.bz2 (575k) ftp://ftp.gnupg.org/gcrypt/libksba/libksba-1.2.0.tar.bz2.sig Noteworthy changes in version 1.2.0 (2011-03-01) ------------------------------------------------ * New functions to allow the creation of X.509 certificates. * Interface changes relative to the 1.1.0 release: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ksba_certreq_set_serial NEW. ksba_certreq_set_issuer NEW. ksba_certreq_set_validity NEW. ksba_certreq_set_siginfo NEW. Commercial support contracts for Libksba are available, and they help finance continued maintenance. g10 Code, a Duesseldorf based company owned and headed by Libksba's principal author, is currently funding its development. We are always looking for interesting development projects. See also http://www.gnupg.org/service.html . Happy hacking, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. _______________________________________________ Gnupg-announce mailing list Gnupg-announce at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From wk at gnupg.org Tue Mar 1 18:15:24 2011 From: wk at gnupg.org (Werner Koch) Date: Tue, 01 Mar 2011 18:15:24 +0100 Subject: Creating X.509 certificates with GnuPG Message-ID: <87mxlesqxf.fsf@vigenere.g10code.de> Hi, those who follow the commit list may have noticed it: It is now possible to create an X.509 certificate using GPGSM. The reason I implemented this is that it was pretty easy to twist the PKCS#10 generation code to allow the creation of X.509 certificates directly. Another reasons is that I was never able to recall the OpenSSL commands to create a certificate (in particular not if you want an rfc822Name). Here is how the UI looks: $ gpgsm --gen-key >x.pem Please select what kind of key you want: (1) RSA (2) Existing key (3) Existing key from card Your selection? 1 What keysize do you want? (2048) Requested keysize is 2048 bits Possible actions for a RSA key: (1) sign, encrypt (2) sign (3) encrypt Your selection? 1 Enter the X.509 subject name: CN=Joe Hacker, O=Hackers United, C=unv Enter email addresses (end with an empty line): > joe at example.org > joe.hacker at example.org > Enter DNS names (optional; end with an empty line): > Enter URIs (optional; end with an empty line): > Create self-signed certificate? (y/N) y These parameters are used: Key-Type: RSA Key-Length: 2048 Key-Usage: sign, encrypt Serial: random Name-DN: CN=Joe Hacker, O=Hackers United, C=unv Name-Email: joe at example.org Name-Email: joe.hacker at example.org Proceed with creation? (y/N) y Now creating self-signed certificate. This may take a while ... gpgsm: about to sign the certificate for key: &B71FA28BCE8B2[...] gpgsm: certificate created Ready. $ gpgsm --import x.pem gpgsm: certificate imported gpgsm: total number processed: 1 gpgsm: imported: 1 Running gpgsm -k on it shows: ID: 0x159A7D3D S/N: 6E3E32BC38A687E8 Issuer: /CN=Joe Hacker/O=Hackers United/C=unv Subject: /CN=Joe Hacker/O=Hackers United/C=unv aka: joe at example.org aka: joe.hacker at example.org validity: 2011-03-01 17:02:46 through 2063-04-05 17:00:00 key type: 2048 bit RSA chain length: unlimited fingerprint: A0:31:50:B1:A4:56:FD:54:63:35:5F:25:59:F5:7A:B5:15:9A:7D:3D Now if you want a "real" certificate you use the option --batch along with a proper parameter file; the manual explains them all. This feature may even be used to write a proper CA tool. Note that the DNS name prompt is useful to create server certificates. Surprisingly the "existing key" options are useful to create certificates from already existing keys (e.g. an OpenPGP keys). You need the latest gnupg from git and the new libksba 1.2.0. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Wed Mar 2 10:16:16 2011 From: wk at gnupg.org (Werner Koch) Date: Wed, 02 Mar 2011 10:16:16 +0100 Subject: gpgme export-minimal option In-Reply-To: <4D41649C.6020702@imag.fr> (Cyril Soler's message of "Thu, 27 Jan 2011 13:27:08 +0100") References: <4D41649C.6020702@imag.fr> Message-ID: <87oc5trifz.fsf@vigenere.g10code.de> On Thu, 27 Jan 2011 13:27, cyril.soler at imag.fr said: > Could you confirm that this option is available, in which version , and how I can use it ? Well, I implemented it more than a year ago: 2010-02-16 Werner Koch * gpgme-tool.c (spacep, has_option, skip_options): New. (cmd_export): Implement option --minimal. * gpgme.h.in (GPGME_EXPORT_MODE_MINIMAL): New. * export.c (export_start, export_ext_start): Implement it. * engine-gpg.c (export_common): Ditto. Unfortunately the last regular release is even older (January 2010); we should get a 1.3.1 out RSN. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From anjul_narain at yahoo.com Fri Mar 4 18:18:37 2011 From: anjul_narain at yahoo.com (Anjul Narain Varma) Date: Fri, 4 Mar 2011 09:18:37 -0800 (PST) Subject: GPG v1.2.3 decryption of large files Message-ID: <636781.72612.qm@web114419.mail.gq1.yahoo.com> Hello, ? Does anyone know of issues with GPG v 1.2.3 and decryption of large files?? The file decrypts fine but it contains gargbage characters at the end of the file. ?Is it a bug? ? I am using Bouncy Castle to PGP encrypt my file. My client is using GPG v1.2.3 to decrypt it.?If the file size is greater than 1 MB or so, the decryption is successful however there are garbage characters at the end of the file. There are no such issues with GPG v1.4.9. ? Appreciate any help. ? thanks. -------------- next part -------------- An HTML attachment was scrubbed... URL: From John at enigmail.net Sat Mar 5 06:15:11 2011 From: John at enigmail.net (John Clizbe) Date: Fri, 04 Mar 2011 23:15:11 -0600 Subject: GPG v1.2.3 decryption of large files In-Reply-To: <636781.72612.qm@web114419.mail.gq1.yahoo.com> References: <636781.72612.qm@web114419.mail.gq1.yahoo.com> Message-ID: <4D71C6DF.9060701@enigmail.net> Anjul Narain Varma wrote: > Does anyone know of issues with GPG v 1.2.3 and decryption of large > files?? The file decrypts fine but it contains gargbage characters at > the end of the file. Is it a bug? It's possible. 1.2.3 is also QUITE old. > > I am using Bouncy Castle to PGP encrypt my file. My client is using GPG > v1.2.3 to decrypt it. If the file size is greater than 1 MB or so, the > decryption is successful however there are garbage characters at the end > of the file. > There are no such issues with GPG v1.4.9. There you have it. The most direct solution would appear to be for the client to upgrade to a more current release of GnuPG. (>= 1.4.9) -- John P. Clizbe Inet: John (a) Enigmail DAWT net FSF Assoc #995 / FSFE Fellow #1797 hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 889 bytes Desc: OpenPGP digital signature URL: From kgo at grant-olson.net Sun Mar 6 02:00:28 2011 From: kgo at grant-olson.net (Grant Olson) Date: Sat, 05 Mar 2011 20:00:28 -0500 Subject: Do OpenPGP cards support T=0? Message-ID: <4D72DCAC.5080205@grant-olson.net> It looks like they don't, but I'm just trying to get confirmation. Background: I got a hold of an ACR83, a pinpad enabled reader with a sexy form factor. It was supposed to be CCID compliant, but it's not quite. I've been trying to get driver working. A minor modification to libccid enabled some basic CCID communication. But then it hangs when trying to negotiate the IFSD, the variable data packet size for T=1 transmissions. Over on the MUSCLE-card list, it was suggested I tried a card that ran in T=0 mode. I thought the OpenPGP smartcard spec said that cards should support both versions of APDU. I hacked my local copy of scdaemon (STABLE-BRANCH-2-0) to always force the T=0 protocol. Then I get error messages that the card doesn't support T=0 on both my ACR83 and my working SCM-3310. Re-reading the spec, I don't think T=0 protocol is actually required on the card. But if anyone can verify that this is indeed true, that the ZeitControl card doesn't support T=0, and I didn't screw up in my hacked version of scdaemon, I'd appreciate it. -- -Grant "Look around! Can you construct some sort of rudimentary lathe?" From kgo at grant-olson.net Sun Mar 6 19:48:38 2011 From: kgo at grant-olson.net (Grant Olson) Date: Sun, 06 Mar 2011 13:48:38 -0500 Subject: Fwd: Do OpenPGP cards support T=0? In-Reply-To: <4D738887.7040100@pietig.com> References: <4D737F36.3070800@suhr.info> <4D738887.7040100@pietig.com> Message-ID: <4D73D706.5050809@grant-olson.net> On 03/06/2011 08:13 AM, Achim Pietig wrote: > Hi, > > the OpenPGP smart card application is designed to run under T=0 or T=1, so it is possible to add the application for e.g. on a GSM card. > > The Zeitcontrol implementation supports T=1 only, because T=0 does not support Extended Length and it makes the development much more complex. > > An ISO compliant smart card shows all supported protocols in the ATR, the ZC card shows T=1 only. A reader should detect this automatically. > It is normally not possible to run a not announced protocol. > Thanks for all the info. I suspected the ATR had the info, but the only public doc I could find explaining the ATR format was really difficult to understand. If anyone has a link to a decent doc, it would be greatly appreciated. -- -Grant "Look around! Can you construct some sort of rudimentary lathe?" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 565 bytes Desc: OpenPGP digital signature URL: From kevhilton at gmail.com Mon Mar 7 03:46:10 2011 From: kevhilton at gmail.com (Kevin Hilton) Date: Sun, 6 Mar 2011 20:46:10 -0600 Subject: Git Compile Error Message-ID: Not that I'm helping to much, however this is what I'm getting pulling the latest git developmental branch when trying to build: ecdh.c: In function `pk_ecdh_encrypt_with_shared_point': ecdh.c:255: error: `GCRY_CIPHER_MODE_AESWRAP' undeclared (first use in this func tion) ecdh.c:255: error: (Each undeclared identifier is reported only once ecdh.c:255: error: for each function it appears in.) make[2]: *** [ecdh.o] Error 1 make[2]: Leaving directory `/home/admin/src/gnupg/g10' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/home/admin/src/gnupg' make: *** [all] Error 2 -------------- next part -------------- An HTML attachment was scrubbed... URL: From kgo at grant-olson.net Mon Mar 7 07:32:36 2011 From: kgo at grant-olson.net (Grant Olson) Date: Mon, 07 Mar 2011 01:32:36 -0500 Subject: Git Compile Error In-Reply-To: References: Message-ID: <4D747C04.9060003@grant-olson.net> On 03/06/2011 09:46 PM, Kevin Hilton wrote: > Not that I'm helping to much, however this is what I'm getting pulling > the latest git developmental branch when trying to build: > > ecdh.c: In function `pk_ecdh_encrypt_with_shared_point': > ecdh.c:255: error: `GCRY_CIPHER_MODE_AESWRAP' undeclared (first use in > this func > tion) > ecdh.c:255: error: (Each undeclared identifier is reported only once > ecdh.c:255: error: for each function it appears in.) > make[2]: *** [ecdh.o] Error 1 > make[2]: Leaving directory `/home/admin/src/gnupg/g10' > make[1]: *** [all-recursive] Error 1 > make[1]: Leaving directory `/home/admin/src/gnupg' > make: *** [all] Error 2 > That probably means you either: 1) Don't have gcrypt installed. 2) Don't have a new enough version. 3) You don't have the development libraries for gcrypt, or they're not in a normal location. If you're building off of the head of the git tree, you'll probably either need to build the newest official version of gcrypt, or get latest branch of that from source control as well. I thought either ./autogen.sh or ./configure would yell if you didn't have a new enough version of gcrypt. Did you run autogen? -- -Grant "Look around! Can you construct some sort of rudimentary lathe?" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 565 bytes Desc: OpenPGP digital signature URL: From kevhilton at gmail.com Mon Mar 7 07:49:59 2011 From: kevhilton at gmail.com (Kevin Hilton) Date: Mon, 7 Mar 2011 00:49:59 -0600 Subject: Building GnuPG Message-ID: Trying to build 2.1.0-git3582e2e using cygwin. I used the following: $ ./configure --sysconfdir=/etc/ --enable-maintainer-mode --enable-symcryptrun --enable-gpgtar --disable-nls But am receiving the following error: gcc -I/usr/local/include -I/usr/local/include -I/usr/local/include -g -O2 -O3 -W all -Wcast-align -Wshadow -Wstrict-prototypes -Wformat -Wno-format-y2k -Wformat- security -W -Wno-sign-compare -Wno-missing-field-initializers -Wdeclaration-afte r-statement -Wno-pointer-sign -Wpointer-arith -o t-convert.exe t-convert.o lib common.a ../gl/libgnu.a -L/usr/local/lib -lgcrypt -lgpg-error -lassuan -L/usr/lo cal/lib -lgpg-error -L/usr/local/lib -lgpg-error -liconv /usr/local/lib/libgpg-error.a(libgpg_error_la-init.o): In function `real_init': /home/admin/src/libgpg-error-1.9/src/init.c:68: undefined reference to `_libintl _bindtextdomain' /usr/local/lib/libgpg-error.a(libgpg_error_la-strerror.o): In function `gpg_stre rror_r': /home/admin/src/libgpg-error-1.9/src/strerror.c:161: undefined reference to `_li bintl_dgettext' /usr/local/lib/libgpg-error.a(libgpg_error_la-strerror.o): In function `gpg_stre rror': /home/admin/src/libgpg-error-1.9/src/strerror.c:50: undefined reference to `_lib intl_dgettext' /usr/local/lib/libgpg-error.a(libgpg_error_la-strsource.o): In function `gpg_str source': /home/admin/src/libgpg-error-1.9/src/strsource.c:36: undefined reference to `_li bintl_dgettext' collect2: ld returned 1 exit status make[3]: *** [t-convert.exe] Error 1 Obviously there seems a linking error to the gettext library. I thought however using the --disable-nls switch would prevent this. I'm open to suggestions. Thanks. -------------- next part -------------- An HTML attachment was scrubbed... URL: From squalyl at gmail.com Mon Mar 7 12:21:08 2011 From: squalyl at gmail.com (=?UTF-8?Q?S=C3=A9bastien_Lorquet?=) Date: Mon, 7 Mar 2011 12:21:08 +0100 Subject: Fwd: Do OpenPGP cards support T=0? In-Reply-To: <4D73D706.5050809@grant-olson.net> References: <4D737F36.3070800@suhr.info> <4D738887.7040100@pietig.com> <4D73D706.5050809@grant-olson.net> Message-ID: Can someone post the ATR of the failing card? Regards PS: a "should" is not a mandatory requirement. On Sun, Mar 6, 2011 at 7:48 PM, Grant Olson wrote: > On 03/06/2011 08:13 AM, Achim Pietig wrote: > > Hi, > > > > the OpenPGP smart card application is designed to run under T=0 or T=1, > so it is possible to add the application for e.g. on a GSM card. > > > > The Zeitcontrol implementation supports T=1 only, because T=0 does not > support Extended Length and it makes the development much more complex. > > > > An ISO compliant smart card shows all supported protocols in the ATR, the > ZC card shows T=1 only. A reader should detect this automatically. > > It is normally not possible to run a not announced protocol. > > > > Thanks for all the info. I suspected the ATR had the info, but the only > public doc I could find explaining the ATR format was really difficult > to understand. > > If anyone has a link to a decent doc, it would be greatly appreciated. > > -- > -Grant > > "Look around! Can you construct some sort of rudimentary lathe?" > > > _______________________________________________ > Gnupg-devel mailing list > Gnupg-devel at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-devel > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From wk at gnupg.org Mon Mar 7 14:48:28 2011 From: wk at gnupg.org (Werner Koch) Date: Mon, 07 Mar 2011 14:48:28 +0100 Subject: Fwd: Do OpenPGP cards support T=0? In-Reply-To: <4D73D706.5050809@grant-olson.net> (Grant Olson's message of "Sun, 06 Mar 2011 13:48:38 -0500") References: <4D737F36.3070800@suhr.info> <4D738887.7040100@pietig.com> <4D73D706.5050809@grant-olson.net> Message-ID: <871v2joxcj.fsf@vigenere.g10code.de> On Sun, 6 Mar 2011 19:48, kgo at grant-olson.net said: > Thanks for all the info. I suspected the ATR had the info, but the only > public doc I could find explaining the ATR format was really difficult > to understand. The only freely available specs I know of are the EMV specs (www.emvco.com). The ISO specs are a bit expensive but even harder to read. gnupg/scd/atr.c has a function to print the ATR in a human readable format. There is also an old project by me with a very similar tool (ftp://ftp.g10code.com/g10code/gscutils/). Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Mon Mar 7 14:54:12 2011 From: wk at gnupg.org (Werner Koch) Date: Mon, 07 Mar 2011 14:54:12 +0100 Subject: Git Compile Error In-Reply-To: <4D747C04.9060003@grant-olson.net> (Grant Olson's message of "Mon, 07 Mar 2011 01:32:36 -0500") References: <4D747C04.9060003@grant-olson.net> Message-ID: <87vczvniij.fsf@vigenere.g10code.de> On Mon, 7 Mar 2011 07:32, kgo at grant-olson.net said: > If you're building off of the head of the git tree, you'll probably > either need to build the newest official version of gcrypt, or get > latest branch of that from source control as well. Libgcrypt 1.4.6 is required - however configure tests for it. The test and his installation may mismatch; use ./configure --with-libgcrypt-prefix=/foo/bar/mystuff if you installed libgcrypt with --prefix=/foo/bar/mystuff Note, the next 2.1 beta will require libgcrypt 1.5 (beta) anyway. Better install that one instead of a new 1.4. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From squalyl at gmail.com Mon Mar 7 15:35:31 2011 From: squalyl at gmail.com (=?UTF-8?Q?S=C3=A9bastien_Lorquet?=) Date: Mon, 7 Mar 2011 15:35:31 +0100 Subject: Fwd: Do OpenPGP cards support T=0? In-Reply-To: <871v2joxcj.fsf@vigenere.g10code.de> References: <4D737F36.3070800@suhr.info> <4D738887.7040100@pietig.com> <4D73D706.5050809@grant-olson.net> <871v2joxcj.fsf@vigenere.g10code.de> Message-ID: It's not that difficult, it's based on a set of bitmaps. OK, it's awful, I know. I guess the ATR is the one that was posted on the muscle mailing list: 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C Here we go: First byte is Ts, 3B means direct convention (bits on wire are as on RS-232), 3F means inverse convention (bits on wire are in negative logic and bit endian is reversed, very few cards use this today) Then you have T0 = 0xDA. 0xD encodes a Y[1] bitfield and 0xA encodes the number of historical bytes (10) that will follow the initial sequence of "interface bytes". The Y[1] bitfield is 0xD = 0b1101. That means, this byte is followed by 3 other bytes: TD[1], TC[1] and TA[1]. TB[1] is not present (deprecated as per ISO7816-3). TA[1] = 0x18 : encodes Fi and Di to calculate the baud rate. TC[1] = 0xFF : encodes N (extra guard time) TD[1] = 0x81 : Y[2]=1000 -> we now have TD[2], while TC[2], TB[2] and TA[2] are absent. T=1 is supported by default. TD[2] = 0xB1 : Y[3] = 1011 -> we now have TD[3], TB[3], TA[3], and again T=1 is supported. TA[3] = 0xFE : don't know... TB[3] = 0x75 : don't know... TD[3] = 0x1F, Y[4] = 0001 -> we have TA[4] and no TD[4] (end of sequence) and T=15 meaning global info TA[4] = 0x03 = 0b00 000011, for T=15 this means clock stop is not supported, classes A and B supported (5 volts and 3.3 volts) "00 31 C5 73 C0 01 40 00 90 00" are the 10 historical bytes including a dummy SW "9000" 0C is TCK, the XOR of all bytes in the ATR including TCK shall result in 0x00. So as already said, we now have the proof that this card does not claim to support T=0. Sebastien On Mon, Mar 7, 2011 at 2:48 PM, Werner Koch wrote: > On Sun, 6 Mar 2011 19:48, kgo at grant-olson.net said: > > > Thanks for all the info. I suspected the ATR had the info, but the only > > public doc I could find explaining the ATR format was really difficult > > to understand. > > The only freely available specs I know of are the EMV specs > (www.emvco.com). The ISO specs are a bit expensive but even harder to > read. gnupg/scd/atr.c has a function to print the ATR in a human > readable format. There is also an old project by me with a very similar > tool (ftp://ftp.g10code.com/g10code/gscutils/). > > > Shalom-Salam, > > Werner > > -- > Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. > > > _______________________________________________ > Gnupg-devel mailing list > Gnupg-devel at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-devel > -------------- next part -------------- An HTML attachment was scrubbed... URL: From wk at gnupg.org Tue Mar 8 14:16:04 2011 From: wk at gnupg.org (Werner Koch) Date: Tue, 08 Mar 2011 14:16:04 +0100 Subject: GnuPG 2.1 beta 2 released Message-ID: <87hbbdoiqz.fsf@vigenere.g10code.de> Hello! We just released the second *beta version* of GnuPG 2.1. It has been released to give you the opportunity to check out the new features. It is marked as a beta versions and the plan is to release a couple more betas in the next months before we can declare 2.1.0 stable enough for general use. In any case the 2.1 series won't replace the 2.0 series. If you need stable and fully maintained version of GnuPG, you should in general use 2.0.x or even 1.4.x. Eventually we will release 2.2 as the new stable version but that may take some time. Noteworthy changes in version 2.1.0beta2 (2011-03-08) ----------------------------------------------------- * ECC support for GPG as described by draft-jivsov-openpgp-ecc-06.txt. * New GPGSM feature to create certificates from a parameter file. Add prompt to the --gen-key UI to create self-signed certificates. * Dirmngr has taken over the function of the keyserver helpers. Thus we now have a specified direct interface to keyservers via Dirmngr. LDAP, DNS and mail backends are not yet implemented. * TMPDIR is now also honored when creating a socket using --no-standard-socket and with symcryptrun's temp files. * Fixed a bug where SCdaemon sends a signal to Gpg-agent running in non-daemon mode. * Print "AES128" instead of "AES". This change introduces a little incompatibility for tools using "gpg --list-config". We hope that these tools are written robust enough to accept this new algorithm name as well. * Fixed CRL loading under W32 (bug#1010). * Fixed TTY management for pinentries and session variable update problem. Noteworthy changes already found in beta1: * GPG does not anymore use secring.gpg but delegates all secret key operations to gpg-agent. The import command moves secret keys to the agent. * The OpenPGP import command is now able to merge secret keys. * The G13 tool for disk encryption key management has been added. * If the agent's --use-standard-socket option is active, all tools try to start and daemonize the agent on the fly. In the past this was only supported on W32; on non-W32 systems the new configure option --disable-standard-socket may now be used to disable this new default. * Dirmngr is now a part of this package. Dirmngr is now also expected to run as a system service and the configuration directories are changed to the GnuPG name space. * Removed GPG options: --export-options: export-secret-subkey-passwd --simple-sk-checksum * New GPG options: --try-secret-key * Support DNS lookups for SRV, PKA and CERT on W32. * The default for --include-cert is now to include all certificates in the chain except for the root certificate. * Numerical values may now be used as an alternative to the debug-level keywords. * New GPGSM option --ignore-cert-extension. * Support for Windows CE. * Given sufficient permissions Dirmngr is started automagically. * Bug fixes. Migration from 1.4 or 2.0 ========================= The major change in 2.1 is that gpg-agent now takes care of the OpenPGP secret keys (those managed by GPG). The former secring.gpg will not be used anymore. Newly generated keys are generated and stored in the agent's key store (~/.gnupg/private-keys-v1.d/). To migrate your existing keys to the agent you should run this command gpg2 --import ~/.gnupg/secring.gpg The agent will you ask for the passphrase of each key. You may use the Cancel button of the Pinentry to skip importing this key. If you want to stop the import process and you use one of the latest pinentries, you should close the pinentry window instead of hitting the cancel button. Secret keys already imported are skipped by the import command. It is advisable to keep the secring.gpg for use with older versions of GPG. Note that gpg-agent now uses a fixed socket by default. All tools will start the gpg-agent as needed. In general there is no more need to set the GPG_AGENT_INFO environment variable. The SSH_AUTH_SOCK environment variable should be set to a fixed value. GPG's smartcard commands --card-edit and --card-status as well as the card related sub-commands of --edit-key are not yet supported. However, signing and decryption with a smartcard does work. The Dirmngr is now part of GnuPG proper. Thus there is no more need to install the separate dirmngr package. The directroy layout of Dirmngr changed to make use of the GnuPG directories; for example you use /etc/gnupg/trusted-certs and /var/lib/gnupg/extra-certs. Dirmngr needs to be started as a system daemon. Getting the Software ==================== GnuPG 2.1 is available at ftp://ftp.gnupg.org/gcrypt/gnupg/unstable/gnupg-2.1.0beta2.tar.bz2 ftp://ftp.gnupg.org/gcrypt/gnupg/unstable/gnupg-2.1.0beta2.tar.bz2.sig and soon on all mirrors . Note that libgcrypt 1.5.0 is now required; it is available at ftp://ftp.gnupg.org/gcrypt/alpha/libgcrypt/libgcrypt-1.5.0-beta1.tar.bz2 Checking the Integrity ====================== In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * You are expected to have a trusted version of GnuPG installed, thus you may simply check the supplied signature. For example to check the signature of the file gnupg-2.1.0beta2.tar.bz2 you would use this command: gpg --verify gnupg-2.1.0beta2.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using the command finger wk ,at' g10code.com or using a key server like gpg --recv-key 4F25E3B6 The distribution key 4F25E3B6 is signed by the well known key 5B0358A2. If you get an key expired message, you should retrieve a fresh copy as the expiration date might have been prolonged. NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION! Internationalization ==================== This version comes only with support for English and German. More languages will be added for the real release. Documentation ============= We are currently working on an installation guide to explain in more detail how to configure the new features. As of now the chapters on gpg-agent and gpgsm include brief information on how to set up the whole thing. Please watch the GnuPG website for updates of the documentation. In the meantime you may search the GnuPG mailing list archives or ask on the gnupg-users mailing lists for advise on how to solve problems. Many of the new features are around for several years and thus enough public knowledge is already available. Future Plans ============ Some tasks we would like to do before a 2.1 release: * Replace the pubring.gpg public key store with the keybox format. * Re-enable importing keys to a smartcard * Re-enable LDAP, kDNS and mail keyserver methods Support ======= Improving GnuPG is costly, but you can help! We are looking for organizations that find GnuPG useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or by donating money. Commercial support contracts for GnuPG are available, and they help finance continued maintenance. g10 Code GmbH, a Duesseldorf based company owned and headed by GnuPG's principal author, is currently funding GnuPG development. We are always looking for interesting development projects. A service directory is available at: http://www.gnupg.org/service.html Thanks ====== We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word or answering questions on the mailing lists. Happy Hacking, The GnuPG Team -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From anjul_narain at yahoo.com Fri Mar 11 19:45:52 2011 From: anjul_narain at yahoo.com (Anjul Narain Varma) Date: Fri, 11 Mar 2011 10:45:52 -0800 (PST) Subject: GPG v1.2.3 decryption of large files In-Reply-To: <4D71C6DF.9060701@enigmail.net> Message-ID: <601242.73532.qm@web114413.mail.gq1.yahoo.com> Actually my client (a bank in this case) is using GPG 1.2.3 and does not want to upgrade right away. Is there a patch available for GPG 1.2.3 which can fix this issue ? Appreciate any help. --- On Sat, 3/5/11, John Clizbe wrote: From: John Clizbe Subject: Re: GPG v1.2.3 decryption of large files To: Cc: gnupg-devel at gnupg.org Date: Saturday, March 5, 2011, 10:45 AM Anjul Narain Varma wrote: > Does anyone know of issues with GPG v 1.2.3 and decryption of large > files?? The file decrypts fine but it contains gargbage characters at > the end of the file.? Is it a bug? It's possible. 1.2.3 is also QUITE old. >? > I am using Bouncy Castle to PGP encrypt my file. My client is using GPG > v1.2.3 to decrypt it. If the file size is greater than 1 MB or so, the > decryption is successful however there are garbage characters at the end > of the file. > There are no such issues with GPG v1.4.9. There you have it. The most direct solution would appear to be for the client to upgrade to a more current release of GnuPG. (>= 1.4.9) -- John P. Clizbe? ? ? ? ? ? ? ? ? ? ? Inet:???John (a) Enigmail DAWT net FSF Assoc #995 / FSFE Fellow #1797? hkp://keyserver.gingerbear.net? or ? ???mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -----Inline Attachment Follows----- _______________________________________________ Gnupg-devel mailing list Gnupg-devel at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From cswiger at mac.com Fri Mar 11 20:03:05 2011 From: cswiger at mac.com (Chuck Swiger) Date: Fri, 11 Mar 2011 11:03:05 -0800 Subject: GPG v1.2.3 decryption of large files In-Reply-To: <601242.73532.qm@web114413.mail.gq1.yahoo.com> References: <601242.73532.qm@web114413.mail.gq1.yahoo.com> Message-ID: On Mar 11, 2011, at 10:45 AM, Anjul Narain Varma wrote: > Actually my client (a bank in this case) is using GPG 1.2.3 and does not want to upgrade right away. Is there a patch available for GPG 1.2.3 which can fix this issue ? Appreciate any help. You can make a patch yourself: curl 'ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.11.tar.bz2' -o gnupg-1.4.11.tar.bz2 curl 'ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.2.3.tar.bz2' -o gnupg-1.2.3.tar.bz2 tar xf gnupg-1.2.3.tar.bz tar xf gnupg-1.4.11.tar.bz2 diff -dur gnupg-1.2.3 gnupg-1.4.11 > patch.txt If you didn't want all of the changes and fixes made since v1.2.3, feel free to edit the patch.txt to only include a subset. Regards, -- -Chuck PS: gnutar might need a -j flag.. From kevhilton at gmail.com Sat Mar 12 14:41:26 2011 From: kevhilton at gmail.com (Kevin Hilton) Date: Sat, 12 Mar 2011 07:41:26 -0600 Subject: gcry_kdf_derive Message-ID: Seems strange to get this error since I've built and installed libgcrypt-1.5.0-beta1 configure: checking system features for estream configure: *** *** Libgcrypt 1.5.0 has not yet been released and thus the API *** is a bit in a flux. Your version misses the function *** gcry_kdf_derive *** You need to install a newer Libgcrypt version. *** configure: error: *** *** Required libraries not found. Please consult the above messages *** and install them before running configure again. *** -------------- next part -------------- An HTML attachment was scrubbed... URL: From flameeyes at gmail.com Tue Mar 15 02:15:20 2011 From: flameeyes at gmail.com (Diego Elio =?ISO-8859-1?Q?Petten=F2?=) Date: Tue, 15 Mar 2011 02:15:20 +0100 Subject: GPG v1.2.3 decryption of large files In-Reply-To: References: <601242.73532.qm@web114413.mail.gq1.yahoo.com> Message-ID: <1300151720.2520.13.camel@raven.home.flameeyes.eu> Il giorno ven, 11/03/2011 alle 11.03 -0800, Chuck Swiger ha scritto: > > diff -dur gnupg-1.2.3 gnupg-1.4.11 > patch.txt Wouldn't that forget to list newly-created files and deleted files? ^^;; -- Diego Elio Petten? ? Flameeyes http://blog.flameeyes.eu/ From kgo at grant-olson.net Tue Mar 22 01:00:36 2011 From: kgo at grant-olson.net (Grant Olson) Date: Mon, 21 Mar 2011 20:00:36 -0400 Subject: Anyone else having problems with the po/ directory and git operations. Message-ID: <4D87E6A4.7020904@grant-olson.net> Git hasn't been letting me switch branches easily or rebase because of some files in the po/ directory I just can't clean up. I've tried running a clean checkout, and even deleting the files in question, but git keeps complaining that I've got unstaged changes. Is anyone else seeing this? grant at johnyaya:~/src/gnupg$ git branch STABLE-BRANCH-2-0 grant-2-0 master master-grant * master_grant grant at johnyaya:~/src/gnupg$ git rebase -i master po/de.po: needs update po/tr.po: needs update po/zh_CN.po: needs update po/zh_TW.po: needs update Working tree is dirty grant at johnyaya:~/src/gnupg$ git stash Saved working directory and index state WIP on master_grant: b9bcc77 Make use of gcry_kdf_derive. HEAD is now at b9bcc77 Make use of gcry_kdf_derive. grant at johnyaya:~/src/gnupg$ git rebase -i master po/tr.po: needs update po/zh_CN.po: needs update po/zh_TW.po: needs update Working tree is dirty grant at johnyaya:~/src/gnupg$ git checkout -f grant at johnyaya:~/src/gnupg$ git rebase -i master po/tr.po: needs update po/zh_CN.po: needs update po/zh_TW.po: needs update Working tree is dirty grant at johnyaya:~/src/gnupg$ -- -Grant "Look around! Can you construct some sort of rudimentary lathe?" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 564 bytes Desc: OpenPGP digital signature URL: From kgo at grant-olson.net Tue Mar 22 00:47:27 2011 From: kgo at grant-olson.net (Grant Olson) Date: Mon, 21 Mar 2011 19:47:27 -0400 Subject: Smartcard decryption still doesn't work on 2.1 beta... Message-ID: <4D87E38F.40904@grant-olson.net> I tracked this down to get_it() in g10/pubkey_enc.c. The card flag never gets set, so we never hit the right branch of code. At first I thought it would be as easy as checking to see if sk.mode == 1002, and setting the flag, but it seems like the key passed into get_it intentionally doesn't have any secret key info. It also doesn't have valid settings for sk->flags.serialno_valid or sk->serialno. I did write a patch for my system. It works by adding one last step to get_seckey() in g10/getkey.c. After everything else succeeds, it calls agent_get_keyinfo(), and sets pk->serialno and pk->flags.serialno_valid to the correct values. I haven't attached a patch because (1) I'm not sure if this is the best solution, and (2) I didn't want to provide any copyright contamination. But the patch is probably 10-15 lines once I clean it up. So let me know if you want it Werner. -- -Grant "Look around! Can you construct some sort of rudimentary lathe?" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 564 bytes Desc: OpenPGP digital signature URL: From chris at boyle.name Tue Mar 22 01:11:17 2011 From: chris at boyle.name (Chris Boyle) Date: Tue, 22 Mar 2011 00:11:17 +0000 Subject: Anyone else having problems with the po/ directory and git operations. In-Reply-To: <4D87E6A4.7020904@grant-olson.net> References: <4D87E6A4.7020904@grant-olson.net> Message-ID: On 22 March 2011 00:00, Grant Olson wrote: > Git hasn't been letting me switch branches easily or rebase because of > some files in the po/ directory I just can't clean up. ?I've tried > running a clean checkout, and even deleting the files in question, but > git keeps complaining that I've got unstaged changes. Yes, look in gnupg/.git/config - there is a filter "cleanpo" at the end which I commented out, which appears to solve this. I guessed it's intended to keep .po files tidy, but someone has committed some in an untidy state, and now it keeps wanting to apply changes? -- Chris Boyle http://chris.boyle.name/ From wk at gnupg.org Wed Mar 23 10:24:38 2011 From: wk at gnupg.org (Werner Koch) Date: Wed, 23 Mar 2011 10:24:38 +0100 Subject: Smartcard decryption still doesn't work on 2.1 beta... In-Reply-To: <4D87E38F.40904@grant-olson.net> (Grant Olson's message of "Mon, 21 Mar 2011 19:47:27 -0400") References: <4D87E38F.40904@grant-olson.net> Message-ID: <87tyeugpex.fsf@vigenere.g10code.de> On Tue, 22 Mar 2011 00:47, kgo at grant-olson.net said: > At first I thought it would be as easy as checking to see if sk.mode == > 1002, and setting the flag, but it seems like the key passed into get_it > intentionally doesn't have any secret key info. It also doesn't have Right. gpg shall not know anything about smartcards. It is now all up to gpg-agent to decide whether a smartcard is to be used. If gpg wants to know whether the key is on a smartcard, it has to ask gpg-agent for that information. It is pretty likely that some stuff does not yet work; there are still a few FIXMEs in the code. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From dansully at uchicago.edu Mon Mar 28 22:29:01 2011 From: dansully at uchicago.edu (Daniel Sullivan) Date: Mon, 28 Mar 2011 15:29:01 -0500 Subject: GPGMe Question (possibly round 2) References: <730834B4-4B3B-4DE2-97E3-EB4A35A27F39@uchicago.edu> Message-ID: <225AEFE1-A8FB-4F61-997A-BC6AB7F6FA23@uchicago.edu> Hi, I already sent this message once, I apologize if it is a dupe; I sent it before I was approved to be on the mailing list so I'm not sure if it actually got through... --- This is my first posting to this list, I apologize if I am posting to the wrong place. If this email should be directed to a different email address please let me know and I will make sure to bark up somebody else's tree. Basically I am having a difficult time troubleshooting a compile error that I am receiving while tying to use gpgme. Essentially I'm trying to just get my application to initially compile, so I'm not having a problem interacting with the API specifically, per se. Admittedly I am learning C++ at the same time I am doing this, so I am a newbie in many regards. Please forgive me for asking a potentially silly question. For the purposes of this email I've created a small application to re-create the issue I am seeing. Using NetBeans, I've done the following things to my project; 1) Added the /opt/local/lib/libgpgme.a library file to my project (as a library). 2) Extended my "include" path to include /opt/local/include, which is where the gpgme.h header file is located. My entire source code looks like this; ---snip--- #include #include #include #include using namespace std; int main(int argc, char** argv) { setlocale (LC_ALL, ""); gpgme_check_version (NULL); return 0; } ---snip--- >From what I understand, the syntax I am using is correct (http://pyme.sourceforge.net/doc/gpgme/Library-Version-Check.html). It appears that the line "gpgme_check_version (NULL);" is causing an issue; if I comment it out the application compiles and executes without warning or error. The compile error I am getting (full thing is attached), are a whole bunch of undefined symbols, the first of which is; " Undefined symbols: "_gpg_strerror", referenced from: _gpgme_strerror in libgpgme.a(error.o) " Now, If I look at the actual gpgme.h header file, it doesn't appear that any of the actual methods that are listed in the compiler error appear in the header file. Am I supposed to be passing some sort of a flag to the compiler to allow it to continue with unresolved symbols? Does this question make sense? Basically I am trying to figure out how all of the attached symbols could possibly be resolved if they do not appear in gpgme.h... Dan Sullivan 312-607-3702 -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: gpgme.txt URL: From dansully at uchicago.edu Mon Mar 28 21:47:36 2011 From: dansully at uchicago.edu (Daniel Sullivan) Date: Mon, 28 Mar 2011 14:47:36 -0500 Subject: GPGMe Question Message-ID: <730834B4-4B3B-4DE2-97E3-EB4A35A27F39@uchicago.edu> Hi, This is my first posting to this list, I apologize if I am posting to the wrong place. If this email should be directed to a different email address please let me know and I will make sure to bark up somebody else's tree. Basically I am having a difficult time troubleshooting a compile error that I am receiving while tying to use gpgme. Essentially I'm trying to just get my application to initially compile, so I'm not having a problem interacting with the API specifically, per se. Admittedly I am learning C++ at the same time I am doing this, so I am a newbie in many regards. Please forgive me for asking a potentially silly question. For the purposes of this email I've created a small application to re-create the issue I am seeing. Using NetBeans, I've done the following things to my project; 1) Added the /opt/local/lib/libgpgme.a library file to my project (as a library). 2) Extended my "include" path to include /opt/local/include, which is where the gpgme.h header file is located. My entire source code looks like this; ---snip--- #include #include #include #include using namespace std; int main(int argc, char** argv) { setlocale (LC_ALL, ""); gpgme_check_version (NULL); return 0; } ---snip--- >From what I understand, the syntax I am using is correct (http://pyme.sourceforge.net/doc/gpgme/Library-Version-Check.html). It appears that the line "gpgme_check_version (NULL);" is causing an issue; if I comment it out the application compiles and executes without warning or error. The compile error I am getting (full thing is attached), are a whole bunch of undefined symbols, the first of which is; " Undefined symbols: "_gpg_strerror", referenced from: _gpgme_strerror in libgpgme.a(error.o) " Now, If I look at the actual gpgme.h header file, it doesn't appear that any of the actual methods that are listed in the compiler error appear in the header file. Am I supposed to be passing some sort of a flag to the compiler to allow it to continue with unresolved symbols? Does this question make sense? Basically I am trying to figure out how all of the attached symbols could possibly be resolved if they do not appear in gpgme.h... Dan Sullivan 312-607-3702 -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: gpgme.txt URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: ATT00001.txt URL: From rjh at sixdemonbag.org Mon Mar 28 23:08:05 2011 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 28 Mar 2011 14:08:05 -0700 Subject: GPGMe Question (possibly round 2) In-Reply-To: <225AEFE1-A8FB-4F61-997A-BC6AB7F6FA23@uchicago.edu> References: <730834B4-4B3B-4DE2-97E3-EB4A35A27F39@uchicago.edu> <225AEFE1-A8FB-4F61-997A-BC6AB7F6FA23@uchicago.edu> Message-ID: <19075bd84285f396a38f37d480473269@localhost> On Mon, 28 Mar 2011 15:29:01 -0500, Daniel Sullivan wrote: > This is my first posting to this list, I apologize if I am posting to the > wrong place. If this email should be directed to a different email address > please let me know and I will make sure to bark up somebody else's tree. Here or GnuPG-Users are good choices. GnuPG-Users is probably a better choice, but here works fine. > Admittedly I am learning > C++ at the same time I am doing this, so I am a newbie in many regards. C++ may be part of the problem. Have you tried telling NetBeans this is a straight C program? (You will need to change your code for it to compile as C: #include should become #include , and you'll need to remove #include and the using statement.) I would not recommend using C libraries if you're just beginning to learn C++. Modern C++ code is written in a vastly different style than C. If you're just learning C++ and you're linking against C, you're going to effectively be trying to learn how to program in two different languages at the same time. Please don't think I'm trying to discourage you -- nothing of the sort. C++ and C are both worth learning. It's just that trying to learn them both at the same time will be a bit of a challenge. :) Best of luck! From dansully at uchicago.edu Tue Mar 29 00:28:46 2011 From: dansully at uchicago.edu (Daniel Sullivan) Date: Mon, 28 Mar 2011 17:28:46 -0500 Subject: GPGMe Question (possibly round 2) In-Reply-To: <19075bd84285f396a38f37d480473269@localhost> References: <730834B4-4B3B-4DE2-97E3-EB4A35A27F39@uchicago.edu> <225AEFE1-A8FB-4F61-997A-BC6AB7F6FA23@uchicago.edu> <19075bd84285f396a38f37d480473269@localhost> Message-ID: <36F5D6CE-99C1-4E87-A14E-5233FC85E3AE@uchicago.edu> Robert, Thank-you for your reply. I found this post by Werner Koch that said I could use C++ with gpgme. Is this not correct? http://marc.info/?l=gnupg-devel&m=111831193618621 Dan Sullivan On Mar 28, 2011, at 4:08 PM, Robert J. Hansen wrote: > On Mon, 28 Mar 2011 15:29:01 -0500, Daniel Sullivan > > wrote: >> This is my first posting to this list, I apologize if I am posting to > the >> wrong place. If this email should be directed to a different email > address >> please let me know and I will make sure to bark up somebody else's tree. > > Here or GnuPG-Users are good choices. GnuPG-Users is probably a better > choice, but here works fine. > >> Admittedly I am learning >> C++ at the same time I am doing this, so I am a newbie in many regards. > > C++ may be part of the problem. Have you tried telling NetBeans this is a > straight C program? (You will need to change your code for it to compile > as C: #include should become #include , and you'll need > to remove #include and the using statement.) > > I would not recommend using C libraries if you're just beginning to learn > C++. Modern C++ code is written in a vastly different style than C. If > you're just learning C++ and you're linking against C, you're going to > effectively be trying to learn how to program in two different languages at > the same time. > > Please don't think I'm trying to discourage you -- nothing of the sort. > C++ and C are both worth learning. It's just that trying to learn them > both at the same time will be a bit of a challenge. :) > > Best of luck! > From rjh at sixdemonbag.org Tue Mar 29 01:08:10 2011 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 28 Mar 2011 19:08:10 -0400 Subject: GPGMe Question (possibly round 2) In-Reply-To: <36F5D6CE-99C1-4E87-A14E-5233FC85E3AE@uchicago.edu> References: <730834B4-4B3B-4DE2-97E3-EB4A35A27F39@uchicago.edu> <225AEFE1-A8FB-4F61-997A-BC6AB7F6FA23@uchicago.edu> <19075bd84285f396a38f37d480473269@localhost> <36F5D6CE-99C1-4E87-A14E-5233FC85E3AE@uchicago.edu> Message-ID: <75C1ADA5-242A-4669-9CC6-D22FFADDA40C@sixdemonbag.org> > Thank-you for your reply. I found this post by Werner Koch that said I could use C++ with gpgme. Is this not correct? It is always possible to make C++ code interact with C code, but it may be beyond a beginner's skills. From rjh at sixdemonbag.org Tue Mar 29 01:17:37 2011 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 28 Mar 2011 19:17:37 -0400 Subject: GPGMe Question (possibly round 2) In-Reply-To: <225AEFE1-A8FB-4F61-997A-BC6AB7F6FA23@uchicago.edu> References: <730834B4-4B3B-4DE2-97E3-EB4A35A27F39@uchicago.edu> <225AEFE1-A8FB-4F61-997A-BC6AB7F6FA23@uchicago.edu> Message-ID: <932A0174-8B02-4269-A7B4-1607E1F1861B@sixdemonbag.org> > My entire source code looks like this; Incidentally, what OS are you using to build this? From rjh at sixdemonbag.org Tue Mar 29 01:33:43 2011 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 28 Mar 2011 19:33:43 -0400 Subject: GPGMe Question (possibly round 2) In-Reply-To: <932A0174-8B02-4269-A7B4-1607E1F1861B@sixdemonbag.org> References: <730834B4-4B3B-4DE2-97E3-EB4A35A27F39@uchicago.edu> <225AEFE1-A8FB-4F61-997A-BC6AB7F6FA23@uchicago.edu> <932A0174-8B02-4269-A7B4-1607E1F1861B@sixdemonbag.org> Message-ID: <5784A80A-3AD5-4B05-843F-D5EA36052F57@sixdemonbag.org> And, finally, are you also remembering to link against libgpg-error? Keep in mind that your original error relates to "_gpg_strerror", which I suspect is found in libgpg-error. (I apologize for these fragmentary responses. I rarely use gpgme.) From chris at boyle.name Wed Mar 30 16:08:01 2011 From: chris at boyle.name (Chris Boyle) Date: Wed, 30 Mar 2011 15:08:01 +0100 Subject: Patch for 4096-bit keys on OpenPGP cards Message-ID: I've written a patch[0] (N.B.: ugly first attempt) to remove the current 3072-bit hardware key size limit relating to the Assuan line length, and last night successfully used it to generate (and encrypt, decrypt, sign and verify with) a 4096-bit key on an OpenPGP device[1]. This is against 2.0.17 currently, because smartcards in 2.1 appear to be part-way through an architectural change[2] and I'm impatient. :-) I realise I'm working behind the curve here and am happy to redo this once cards work in >=2.1. The patch uses s-expressions instead of status lines to return the key from key generation (it seems software key generation already did this), and inquiries instead of SETDATA for the input to PKDECRYPT. There are at least the following things wrong with this: * It is a flag day between gpg2, gpg-agent and scdaemon (i.e. if any of them are not upgraded, generation/decryption with cards will fail), and it doesn't need to be. It could still send the SETDATA commands / status lines, if the key is small enough. * I was getting just version info and an exit(0) when trying gpg2 --card-edit $MY_NEW_KEY_ID, and haven't investigated why yet. * I have not checked that I haven't broken things with any other hardware. I only have the Crypto Stick. * It refuses to attempt >4096 bits; perhaps future cards will allow that. * Changelogs/docs changes might be incomplete. * Nobody else has seen it yet. :-) I hope to eventually see this capability merged, whether by this method or some other, but I don't know if there's any interest in doing so before 2.1? I am guessing not. Anyway, it is useful to me here and now, which is why I wrote it. I'll continue to tidy it up a bit: I guess fix the first two problems in that list. Obviously if anyone wants to tell me more about anything I should change in order to get it merged, I'm all ears. (At some point, I will want to start "production" use of my Crypto Stick, without a backup of the key, at which point I would need to buy another in order to test key generation again, since it only has capacity for one key (3 RSA pairs). Wondering whether to splash out for that sooner or later.) [0] https://chris.boyle.name/tmp/20110330-gnupg-big-card-keys-hack.patch [1] http://www.crypto-stick.org/ [2] http://lists.gnupg.org/pipermail/gnupg-devel/2011-March/026010.html -- Chris Boyle http://chris.boyle.name/ From dansully at uchicago.edu Wed Mar 30 16:23:06 2011 From: dansully at uchicago.edu (Daniel Sullivan) Date: Wed, 30 Mar 2011 09:23:06 -0500 Subject: GPGMe Question (possibly round 2) In-Reply-To: <5784A80A-3AD5-4B05-843F-D5EA36052F57@sixdemonbag.org> References: <730834B4-4B3B-4DE2-97E3-EB4A35A27F39@uchicago.edu> <225AEFE1-A8FB-4F61-997A-BC6AB7F6FA23@uchicago.edu> <932A0174-8B02-4269-A7B4-1607E1F1861B@sixdemonbag.org> <5784A80A-3AD5-4B05-843F-D5EA36052F57@sixdemonbag.org> Message-ID: <3D2EDBF2-6D92-4F05-856F-7081437B0D81@uchicago.edu> Alright, I switched to straight C and had to add a couple of additional libraries (including libgpg-error and assuan) and was able to get things to compile. I can use the library now. Thanks so much. Dan Sullivan On Mar 28, 2011, at 6:33 PM, Robert J. Hansen wrote: > And, finally, are you also remembering to link against libgpg-error? Keep in mind that your original error relates to "_gpg_strerror", which I suspect is found in libgpg-error. > > (I apologize for these fragmentary responses. I rarely use gpgme.) > From rjh at sixdemonbag.org Wed Mar 30 17:35:46 2011 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 30 Mar 2011 08:35:46 -0700 Subject: GPGMe Question (possibly round 2) In-Reply-To: <3D2EDBF2-6D92-4F05-856F-7081437B0D81@uchicago.edu> References: <730834B4-4B3B-4DE2-97E3-EB4A35A27F39@uchicago.edu> <225AEFE1-A8FB-4F61-997A-BC6AB7F6FA23@uchicago.edu> <932A0174-8B02-4269-A7B4-1607E1F1861B@sixdemonbag.org> <5784A80A-3AD5-4B05-843F-D5EA36052F57@sixdemonbag.org> <3D2EDBF2-6D92-4F05-856F-7081437B0D81@uchicago.edu> Message-ID: On Wed, 30 Mar 2011 09:23:06 -0500, Daniel Sullivan wrote: > Alright, I switched to straight C and had to add a couple of additional > libraries (including libgpg-error and assuan) and was able to get things to > compile. I can use the library now. Thanks so much. We're happy to help. I hope you won't give up on learning C++ just because you've switched to C. C and C++ are each worth learning. If you have any future questions, ask away! From wk at gnupg.org Wed Mar 30 17:35:29 2011 From: wk at gnupg.org (Werner Koch) Date: Wed, 30 Mar 2011 17:35:29 +0200 Subject: Patch for 4096-bit keys on OpenPGP cards In-Reply-To: (Chris Boyle's message of "Wed, 30 Mar 2011 15:08:01 +0100") References: Message-ID: <87r59od3jy.fsf@vigenere.g10code.de> On Wed, 30 Mar 2011 16:08, chris at boyle.name said: > once cards work in >=2.1. The patch uses s-expressions instead of It would have been much easier to send 2 status lines for long key parameters. At least this is what I had in mind. With ECC coming soon, I doubt that it makes much sense to do this at all. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Wed Mar 30 17:36:24 2011 From: wk at gnupg.org (Werner Koch) Date: Wed, 30 Mar 2011 17:36:24 +0200 Subject: GPGMe Question (possibly round 2) In-Reply-To: <3D2EDBF2-6D92-4F05-856F-7081437B0D81@uchicago.edu> (Daniel Sullivan's message of "Wed, 30 Mar 2011 09:23:06 -0500") References: <730834B4-4B3B-4DE2-97E3-EB4A35A27F39@uchicago.edu> <225AEFE1-A8FB-4F61-997A-BC6AB7F6FA23@uchicago.edu> <932A0174-8B02-4269-A7B4-1607E1F1861B@sixdemonbag.org> <5784A80A-3AD5-4B05-843F-D5EA36052F57@sixdemonbag.org> <3D2EDBF2-6D92-4F05-856F-7081437B0D81@uchicago.edu> Message-ID: <87mxkcd3if.fsf@vigenere.g10code.de> On Wed, 30 Mar 2011 16:23, dansully at uchicago.edu said: > Alright, I switched to straight C and had to add a couple of FWIW, gpgme works fine with C++; KDE is using that for years. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From chris at boyle.name Wed Mar 30 17:57:47 2011 From: chris at boyle.name (Chris Boyle) Date: Wed, 30 Mar 2011 16:57:47 +0100 Subject: Patch for 4096-bit keys on OpenPGP cards In-Reply-To: <87r59od3jy.fsf@vigenere.g10code.de> References: <87r59od3jy.fsf@vigenere.g10code.de> Message-ID: On 30 March 2011 16:35, Werner Koch wrote: > With ECC coming soon, I doubt that it makes much sense to do this at > all. Interesting... when you say ECC coming soon, do you mean there is (or soon will be) GnuPG-compatible ECC hardware available to buy? I'd appreciate any pointers to where to look for that. Thanks, -- Chris Boyle http://chris.boyle.name/ From wk at gnupg.org Wed Mar 30 18:05:42 2011 From: wk at gnupg.org (Werner Koch) Date: Wed, 30 Mar 2011 18:05:42 +0200 Subject: Patch for 4096-bit keys on OpenPGP cards In-Reply-To: (Chris Boyle's message of "Wed, 30 Mar 2011 16:57:47 +0100") References: <87r59od3jy.fsf@vigenere.g10code.de> Message-ID: <87ipv0d25l.fsf@vigenere.g10code.de> On Wed, 30 Mar 2011 17:57, chris at boyle.name said: > Interesting... when you say ECC coming soon, do you mean there is (or > soon will be) GnuPG-compatible ECC hardware available to buy? I'd In fact ECC smartcards used to be much cheaper than RSA cards because they can be implemented without an crypto accelerator. For the next spec of the card we try to cleanup the ECC specs. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From chris at boyle.name Wed Mar 30 20:08:44 2011 From: chris at boyle.name (Chris Boyle) Date: Wed, 30 Mar 2011 19:08:44 +0100 Subject: Patch for 4096-bit keys on OpenPGP cards In-Reply-To: References: Message-ID: On 30 March 2011 15:08, Chris Boyle wrote: > ?* I was getting just version info and an exit(0) when trying gpg2 > --card-edit $MY_NEW_KEY_ID, and haven't investigated why yet. s/--card-edit/--edit-key/; -- Chris Boyle http://chris.boyle.name/ From chris at boyle.name Wed Mar 30 22:10:24 2011 From: chris at boyle.name (Chris Boyle) Date: Wed, 30 Mar 2011 21:10:24 +0100 Subject: Patch for 4096-bit keys on OpenPGP cards In-Reply-To: References: Message-ID: On 30 March 2011 19:08, Chris Boyle wrote: > On 30 March 2011 15:08, Chris Boyle wrote: >> ?* I was getting just version info and an exit(0) when trying gpg2 >> --card-edit $MY_NEW_KEY_ID, and haven't investigated why yet. > > s/--card-edit/--edit-key/; ...and it turned out that I had simply typo'd the key ID, and that is the behaviour of --edit-key with a non-existent key ID. Sorry for the noise. :-) -- Chris Boyle http://chris.boyle.name/