From gniibe at fsij.org Fri Jul 6 04:19:33 2012
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Fri, 06 Jul 2012 11:19:33 +0900
Subject: Gnuk version 0.21
Message-ID: <1341541173.3445.4.camel@latx1.gniibe.org>

Hi,

Gnuk version 0.21 is released today.

Gnuk is software implementation of a USB token for GNU Privacy Guard.
Gnuk supports OpenPGP card protocol version 2, and it runs on
STM32F103 processor.

This is another "release candidate" to version 1.0. In this release,
a test suite is added. No new features will be added for version 1.0.

Highlights are (in gnuk-0.21/NEWS):

* Test suite

  A functionality test suite is added under test/ directory.

* New tool: stlinkv2.py

  This tool is SWD flash ROM writer for ST-Link/V2.

* New tool: usb_strings.py

  This tool is to dump USB strings, which include revision detail and
  config options.

* Protection improvement (even when internal data is disclosed)

  Even if PW1 and PW3 are same, content of encrypted DEK is different
  now.
--

From wking at tremily.us Sun Jul 15 16:58:21 2012
From: wking at tremily.us (W. Trevor King)
Date: Sun, 15 Jul 2012 10:58:21 -0400
Subject: Assuan vs. D-Bus?
In-Reply-To: <20120406193841.GA19004@odin.tremily.us>
References: <87mx72t4zh.fsf@vigenere.g10code.de> <4F71CF60.2040403@ruhr-uni-bochum.de> <20120327180044.GA30604@odin.tremily.us> <20120406193841.GA19004@odin.tremily.us>
Message-ID: <20120715145821.GA3043@odin.tremily.us>

On Fri, Apr 06, 2012 at 03:38:41PM -0400, W. Trevor King wrote:
> On Tue, Mar 27, 2012 at 02:00:44PM -0400, W. Trevor King wrote:
> > If the documentation patches look good, I think I'll add support for a
> > ~/.gnupg/S.gpgme-tool socket next, to increase the similarity with
> > gpg-agent operation.
>
> I started looking into this today, and here are my thoughts so far.

Thinking about this some more, what are the odds that we can scrap
Assuan and use D-Bus? They seem to be doing the same thing, and D-Bus
has a wider user base, and therefore more development time and
support. I see that Marcus has already worked on D-Bus, and I'm
curious to see what he thinks about the two protocols.

--
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy

From wk at gnupg.org Sun Jul 15 19:30:05 2012
From: wk at gnupg.org (Werner Koch)
Date: Sun, 15 Jul 2012 19:30:05 +0200
Subject: Assuan vs. D-Bus?
In-Reply-To: <20120715145821.GA3043@odin.tremily.us> (W. Trevor King's message of "Sun, 15 Jul 2012 10:58:21 -0400")
References: <87mx72t4zh.fsf@vigenere.g10code.de> <4F71CF60.2040403@ruhr-uni-bochum.de> <20120327180044.GA30604@odin.tremily.us> <20120406193841.GA19004@odin.tremily.us> <20120715145821.GA3043@odin.tremily.us>
Message-ID: <87ehodortu.fsf@vigenere.g10code.de>

On Sun, 15 Jul 2012 16:58, wking at tremily.us said:

> Thinking about this some more, what are the odds that we can scrap
> Assuan and use D-Bus? They seem to be doing the same thing, and D-Bus

None. Assuan has been designed to minimize complexity - d-bus is just
the opposite.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From quannguyen at mbm.vn Tue Jul 17 04:13:19 2012
From: quannguyen at mbm.vn (=?UTF-8?B?Tmd1eeG7hW4gSOG7k25nIFF1w6Ju?=)
Date: Tue, 17 Jul 2012 09:13:19 +0700
Subject: APDU to do decipher in OpenPGP card?
Message-ID: <5004CA3F.9020308@mbm.vn>

Hello,

I'm implementing the OpenPGP card support for OpenSC. I'm trying to do decipher on OpenPGP card but have difficulty building the APDU.
For example, this is an APDU used for decrypting one my email:

00 2A 80 86 00 01 01 00 19 90 86 A0 62 D2 60 B1 .*..........b.`.
76 C9 61 90 5D AB 57 6C 3D CD 6C F1 08 07 FA AB v.a.].Wl=.l.....
64 C9 66 9E 05 63 4D 22 EA 8B 0D 34 59 56 25 62 d.f..cM"...4YV%b
5F DA 77 52 95 21 4E 12 73 98 4A 14 17 F7 B0 E9 _.wR.!N.s.J.....
14 32 9C A6 33 6C 83 C4 2D 67 BC B0 3B DD FA 2F .2..3l..-g..;../
8A 17 08 3B 4A F6 2D 21 BA AA CA 8F 35 29 81 A7 ...;J.-!....5)..
1F 96 4F 52 55 07 09 AF 75 F1 AE 62 C1 3D CA 5A ..ORU...u..b.=.Z
4E 29 FC A4 7F E7 23 BB 8B B5 D8 AA DC F7 D3 3E N)....#........>
6B 62 1E CE 06 D6 20 3D E2 A5 16 D5 B2 EE D8 F0 kb.... =........
7E E8 5B AB B5 3D 37 55 F8 64 00 78 80 02 35 74 ~.[..=7U.d.x..5t
00 8E 7C 67 A0 2B 4B A5 19 A2 F1 E5 00 56 91 07 ..|g.+K......V..
BF 89 2C 9F B7 F9 94 73 98 58 18 38 97 F1 29 1C ..,....s.X.8..).
1C 49 78 BD 99 39 10 E2 0E 82 92 59 CE 71 26 D9 .Ix..9.....Y.q&.
1E AD FF DC 74 43 D7 09 7F 14 9A 8B 43 10 EC 19 ....tC......C...
2D 30 F9 EC 95 69 57 39 45 F7 C3 12 06 C1 2B 9C -0...iW9E.....+.
94 E1 2F 75 46 5F 37 86 50 D6 23 E0 53 AE 91 DF ../uF_7.P.#.S...
2B 4F BC 2C D7 38 2B BE 01 00

But the card responds "6A 88" (Reference data not found).
Could you please point out what is wrong in my above APDU? Is there any note about the input data for the Decipher APDU?

--
Regards,
Quân

Y!IM: ng_hquan_vn

From achim at pietig.com Tue Jul 17 13:52:54 2012
From: achim at pietig.com (Achim Pietig)
Date: Tue, 17 Jul 2012 13:52:54 +0200
Subject: APDU to do decipher in OpenPGP card?
In-Reply-To: <5004CA3F.9020308@mbm.vn>
References: <5004CA3F.9020308@mbm.vn>
Message-ID: <50055216.4040505@pietig.com>

Hello Quân,

the error 6A88 occurs if no decrypt key is present in the card.
You should import a key first with PUT DATA.

The plain text of the cryptogram shall be formatted in compliance with PKCS#1, as described on page 40 of the OpenPGP card specification.
Then the plain text is encrypted with the DEC key and the result has the same length as the modulus of the DEC key.
The cryptogram is sent with a leading 00 byte (padding indicator), so the complete length of the command data is modulus + 1.
For key length > 1024 you have to use extended length format for the APDU.

Regards,
Achim


On 17.07.2012 04:13, Nguyễn Hồng Quân wrote:
> Hello,
>
> I'm implementing the OpenPGP card support for OpenSC. I'm trying to do decipher on OpenPGP card but have difficulty building the APDU.
> For example, this is an APDU used for decrypting one my email:
>
> But the card responds "6A 88" (Reference data not found).
> Could you please point out what is wrong in my above APDU? Is there any note about the input data for the Decipher APDU?
>
> --
> Regards,
> Quân
>
> Y!IM: ng_hquan_vn
>

From quannguyen at mbm.vn Wed Jul 18 05:23:18 2012
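
The command layout Achim describes above (padding indicator 00 in front of the cryptogram, Lc = modulus length + 1, extended length once that no longer fits one byte), as an added example that is not part of the thread and is not OpenSC or GnuPG code. The function names, the error codes and the filler cryptogram are assumptions; the header bytes 00 2A 80 86 and the trailing Le of 01 00 are the ones in the posted APDU.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CLA INS P1 P2 exactly as they appear in the APDU posted in the thread. */
static const uint8_t DECIPHER_HDR[4] = { 0x00, 0x2A, 0x80, 0x86 };
#define PAD_INDICATOR 0x00   /* byte sent in front of the cryptogram */

enum { APDU_OK = 0, APDU_TRUNCATED = -1, APDU_BAD_HEADER = -2,
       APDU_BAD_LC = -3, APDU_BAD_INDICATOR = -4 };

/* Build PSO:DECIPHER for an RSA cryptogram (hypothetical helper name).
   Returns the APDU length, or 0 on inconsistent input or a short buffer. */
size_t build_decipher_apdu(const uint8_t *crypt, size_t crypt_len,
                           size_t modulus_len, uint8_t *out, size_t out_size)
{
    size_t lc, need, n = 4;
    int extended;

    if (!crypt || !out || modulus_len == 0 || modulus_len > 0xFFFE)
        return 0;
    if (crypt_len != modulus_len)       /* cryptogram is modulus-sized */
        return 0;
    lc = modulus_len + 1;               /* indicator + cryptogram */
    extended = lc > 255;                /* a short Lc is one byte only */
    need = 4 + (extended ? 3 : 1) + lc + (extended ? 2 : 1);
    if (out_size < need)
        return 0;

    memcpy(out, DECIPHER_HDR, 4);
    if (extended) {                     /* 00 LcHi LcLo */
        out[n++] = 0x00;
        out[n++] = (uint8_t)(lc >> 8);
        out[n++] = (uint8_t)(lc & 0xFF);
    } else {
        out[n++] = (uint8_t)lc;
    }
    out[n++] = PAD_INDICATOR;
    memcpy(out + n, crypt, crypt_len);
    n += crypt_len;
    /* Assumption: Le = modulus length, as in the posted APDU (01 00). */
    if (extended)
        out[n++] = (uint8_t)(modulus_len >> 8);
    out[n++] = (uint8_t)(modulus_len & 0xFF);
    return n;
}

/* Check a captured command against the same layout before sending it.
   Returns APDU_OK or a negative code naming the first problem found. */
int check_decipher_apdu(const uint8_t *apdu, size_t len, size_t modulus_len)
{
    size_t lc, off;

    if (!apdu || len < 6)
        return APDU_TRUNCATED;
    if (memcmp(apdu, DECIPHER_HDR, 4) != 0)
        return APDU_BAD_HEADER;
    if (apdu[4] == 0x00) {              /* extended length form */
        if (len < 7)
            return APDU_TRUNCATED;
        lc = ((size_t)apdu[5] << 8) | apdu[6];
        off = 7;
    } else {                            /* short form */
        lc = apdu[4];
        off = 5;
    }
    if (lc != modulus_len + 1)
        return APDU_BAD_LC;
    if (len < off + lc)
        return APDU_TRUNCATED;
    if (apdu[off] != PAD_INDICATOR)
        return APDU_BAD_INDICATOR;
    return APDU_OK;
}

/* Status words mentioned in the thread, plus the ISO 7816 success code. */
const char *decipher_status(uint16_t sw)
{
    switch (sw) {
    case 0x9000: return "success";
    case 0x6A88: return "reference data not found: no DEC key on the card";
    default:     return "other status word";
    }
}

int main(void)
{
    uint8_t crypt[256], apdu[300];
    size_t n;

    memset(crypt, 0xAB, sizeof crypt);  /* constructed filler, not real data */
    n = build_decipher_apdu(crypt, sizeof crypt, 256, apdu, sizeof apdu);
    printf("len=%zu Lc=%02X %02X %02X check=%d\n", n, apdu[4], apdu[5],
           apdu[6], check_decipher_apdu(apdu, n, 256));
    printf("6A88: %s\n", decipher_status(0x6A88));
    return 0;
}
```

For a 2048-bit key this produces the same 266-byte framing as the APDU in the question, so a correctly framed command that still returns 6A 88 points at the key slot rather than at the encoding.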
From: quannguyen at mbm.vn (Quan Nguyen)
Date: Wed, 18 Jul 2012 10:23:18 +0700
Subject: APDU to do decipher in OpenPGP card?
In-Reply-To: <50055216.4040505@pietig.com>
References: <5004CA3F.9020308@mbm.vn> <50055216.4040505@pietig.com>
Message-ID:

Thanks Achim,

It looks like my input data is correct.
I have 2048-bit key in the card and the encrypted message is 256 bytes long:

00 2A 80 86 00 01 01 # CLA, INS, P1P2, Lc = 257
00 # Indicator
DB 2D 96 07 B0 17 7A 4D # Message 256 bytes

I stored a pair of key & certificate to the card (using my code in
OpenSC), then used the certificate to encrypt one email and now I'm
trying to decrypt it with the private key bound with that certificate.

When doing DECIPHER, how the card know which key to be used if the
card contains more than 1 key with the same modulus length (currently
my card contains 2 keys of the same 2048-bit length)?

On Tue, Jul 17, 2012 at 6:52 PM, Achim Pietig wrote:
>
> Hello Quân,
>
> the error 6A88 occurs if no decrypt key is present in the card.
> You should import a key first with PUT DATA.
>
> The plain text of the cryptogram shall be formatted in compliance with PKCS#1, as described on page 40 of the OpenPGP card specification.
> Then the plain text is encrypted with the DEC key and the result has the same length as the modulus of the DEC key.
> The cryptogram is sent with a leading 00 byte (padding indicator), so the complete length of the command data is modulus + 1.
> For key length > 1024 you have to use extended length format for the APDU.
>
> Regards,
> Achim

--
Regards,
Quân

From martin at martinpaljak.net Wed Jul 18 08:25:02 2012
From: martin at martinpaljak.net (Martin Paljak)
Date: Wed, 18 Jul 2012 09:25:02 +0300
Subject: APDU to do decipher in OpenPGP card?
In-Reply-To:
References: <5004CA3F.9020308@mbm.vn> <50055216.4040505@pietig.com>
Message-ID:

On Wed, Jul 18, 2012 at 6:23 AM, Quan Nguyen wrote:
> When doing DECIPHER, how the card know which key to be used if the
> card contains more than 1 key with the same modulus length (currently
> my card contains 2 keys of the same 2048-bit length)?

Only one key is meant for decryption. If you have a certificate
generated against the authentication key (for use in SSL) then you
must have the same key for decryption private key as well.

Martin

From quannguyen at mbm.vn Wed Jul 18 11:27:57 2012
From: quannguyen at mbm.vn (=?UTF-8?B?Tmd1eeG7hW4gSOG7k25nIFF1w6Ju?=)
Date: Wed, 18 Jul 2012 16:27:57 +0700
Subject: APDU to do decipher in OpenPGP card?
In-Reply-To: <50065BEA.50200@pietig.com>
References: <5004CA3F.9020308@mbm.vn> <50055216.4040505@pietig.com> <50065BEA.50200@pietig.com>
Message-ID: <5006819D.6000007@mbm.vn>

Thank Achim, Martin and Peter,

I imported same private key to DEC key and it works!
It also means that my code to import key with OpenSC works correctly.

On 07/18/2012 01:47 PM, Achim Pietig wrote:
> Hi,
>
> the card supports 3 keys - SIG, DEC and AUT.
> Each key is related to a special function:
> SIG: PSO:Sign
> DEC: PSO:Decrypt
> AUT: INTERNAL AUTHENTICATE
>
> The 3rd key for AUT and the certificate storage cannot be used with Decrypt.
> But you can import the AUT-key into the Dec-Key also.
> But this will not run with GnuPG, because GnuPG occupies the SIG and DEC keys for mail.
> The AUT key and the certificate DO is not used by GnuPG and can be used for client server authentication with other software.
>
> In the next version of the OpenPGP card I will add certificate DOs for SIG and DEC as well.
>
> Regards
> Achim
>
>
> On 18.07.2012 05:23, Quan Nguyen wrote:
>> Thanks Achim,
>>
>> It looks like my input data is correct.
>> I have 2048-bit key in the card and the encrypted message is 256 bytes long:
>>
>> 00 2A 80 86 00 01 01 # CLA, INS, P1P2, Lc = 257
>> 00 # Indicator
>> DB 2D 96 07 B0 17 7A 4D # Message 256 bytes
>>
>> I stored a pair of key & certificate to the card (using my code in
>> OpenSC), then used the certificate to encrypt one email and now I'm
>> trying to decrypt it with the private key bound with that certificate.
>>
>> When doing DECIPHER, how the card know which key to be used if the
>> card contains more than 1 key with the same modulus length (currently
>> my card contains 2 keys of the same 2048-bit length)?
>>
>> On Tue, Jul 17, 2012 at 6:52 PM, Achim Pietig wrote:
>>> Hello Quân,
>>>
>>> the error 6A88 occurs if no decrypt key is present in the card.
>>> You should import a key first with PUT DATA.
>>>
>>> The plain text of the cryptogram shall be formatted in compliance with PKCS#1, as described on page 40 of the OpenPGP card specification.
>>> Then the plain text is encrypted with the DEC key and the result has the same length as the modulus of the DEC key.
>>> The cryptogram is sent with a leading 00 byte (padding indicator), so the complete length of the command data is modulus + 1.
>>> For key length > 1024 you have to use extended length format for the APDU.
>>>
>>> Regards,
>>> Achim
>>
>> --
>> Regards,
>> Quân
>>
>>

--
Regards,
Quân

Y!IM: ng_hquan_vn

From tom at ritter.vg Fri Jul 20 00:20:33 2012
From: tom at ritter.vg (Tom Ritter)
Date: Thu, 19 Jul 2012 18:20:33 -0400
Subject: [guardian-dev] Format of exported subkeys from gnupg
In-Reply-To: <50085CAC.3040605@guardianproject.info>
References: <50085CAC.3040605@guardianproject.info>
Message-ID:

On 19 July 2012 15:14, Abel Luck wrote:
> Hello,
>
> I'm with the Guardian Project, picking up where Hans left off last year
> [0] in an attempt to integrate OTR keys as subkeys in gnupg.
>
> Guardian is working on a OTR key conversion utility [1] to convert
> between the myriad formats of OTR keys (all DSA btw).
>
> In order to do this I need access to the raw DSA parameters: p, q, g, y
> and x.
>
> My question is how can I take the output produced by
> --export-secret-keys and access those 5 numbers?
>
> Inversely, how can I take 5 numbers and produce an importable file to
> import OTR subkeys into a master key?
>
> I've been poking around in g10/export.c in gnupg2, and see that it is
> using s-expressions internally. It looks like I might need to roll my
> own parser and writer, is there any documentation on this format?
>
> Alternatively, if I could mangle the exported data into an openssl
> format, I could use existing openssl tools to pull out the data I need.
>
> gpgsm exports p12, but I can't see how to make it work with gpg subkeys.
>
> Any advice in this area would be much appreciated.

I think what you're looking for is the OpenPGP specification. That
should allow you to create an ASCII-armored or binary representation
of the data to import into GPG, and tells you the format that GPG
outputs. http://tools.ietf.org/html/rfc4880#section-5.5.3 Fortunately,
it's much easier than working with S-Expressions (IMO at least.)

(Feel free to follow up with me on-list or off-list, I'd be happy to
help out the Guardian Project as best I can.)

-tom

From wk at gnupg.org Fri Jul 20 09:29:54 2012
From: wk at gnupg.org (Werner Koch)
Date: Fri, 20 Jul 2012 09:29:54 +0200
Subject: [guardian-dev] Format of exported subkeys from gnupg
In-Reply-To: (Tom Ritter's message of "Thu, 19 Jul 2012 18:20:33 -0400")
References: <50085CAC.3040605@guardianproject.info>
Message-ID: <877gtykhzh.fsf@vigenere.g10code.de>

On Fri, 20 Jul 2012 00:20, tom at ritter.vg said:

> outputs. http://tools.ietf.org/html/rfc4880#section-5.5.3 Fortunately,
> it's much easier than working with S-Expressions (IMO at least.)

Hans worked on GnuPG 2.1 which has an easy way to access the secret key
parameters.

  $ gpg2 -K --with-keygrip CD8687F6
  sec 1024D/CD8687F6 2006-01-17
      Keygrip = 21EB68B1FFA01EF777E2D0B1A92A2276D82C2F1C
  uid Heinrich Heine
  ssb 1024g/4ECFEF6F 2006-01-17
      Keygrip = 654EFA6F19DF08ABFEB88092BC4867D4C5A95460

If you want to script that you should add --with-colons and a grep for
"^grp:". Now with the keygrip you can locate the secret key:

  $ ls ~/.gnupg/private-keys-v1.d/654EFA6F19DF08ABFEB88092BC4867D4C5A95460.key

Now if you have not set a passphrase (check out "gpg2 --passwd") you
may use gpg-protect-tool to convert the S-expression into the advanced
format:

  $ /us[...]/libexec/gpg-protect-tool ~/.gnu[...]67D4C5A95460.key
  (private-key
   (elg
    (p #00A6B1DAED[...]#)
    (g #05#)
    (y #00BC5B46C0[...]#)
    (x #03C544C345[...]#)
    )
   )

Libgcrypt has a parser for it. You should find example code to extract
stuff in libgcrypt/tests/.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From gniibe at fsij.org Fri Jul 20 09:48:47 2012
From: gniibe at fsij.org (NIIBE Yutaka) Date: Fri, 20 Jul 2012 16:48:47 +0900 Subject: scd-backport-2-0 branch In-Reply-To: <1340586823.2074.7.camel@latx1.gniibe.org> References: <1340333380.2119.1.camel@latx1.gniibe.org> <877guzlpnd.fsf@vigenere.g10code.de> <1340586823.2074.7.camel@latx1.gniibe.org> Message-ID: <1342770527.31861.2.camel@cfw2.gniibe.org> On 2012-06-25 at 10:13 +0900, NIIBE Yutaka wrote: > I added one more change of following (I will add this change to master > branch too). Then, rebase and merge scd-backport-2-0 branch into > STABLE-BRANCH-2-0. I forgot to test ccid-driver with Gnuk. Today, I found a problem and I committed following change to STABLE-BRANCH-2-0. This is backport, it has been in the master branch. diff --git a/scd/ccid-driver.c b/scd/ccid-driver.c index 5281a2f..49dde61 100644 --- a/scd/ccid-driver.c +++ b/scd/ccid-driver.c @@ -3129,6 +3129,7 @@ ccid_transceive_secure (ccid_driver_t handle, { case VENDOR_SCM: /* Tested with SPR 532. */ case VENDOR_KAAN: /* Tested with KAAN Advanced (1.02). */ + case VENDOR_FSIJ: /* Tested with Gnuk (0.21). */ break; case VENDOR_VASCO: /* Tested with DIGIPASS 920 */ pinlen_max = 15; -- From abel at guardianproject.info Sat Jul 21 00:09:30 2012 
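Review bot: the new `case VENDOR_FSIJ:` label in ccid_transceive_secure shares the bare `break` with VENDOR_SCM and VENDOR_KAAN, so Gnuk keeps the default PIN length limits, whereas the VENDOR_VASCO case directly below sets pinlen_max = 15; please say in the commit message that those defaults were checked against Gnuk 0.21, since the comment only records that the device was tested. The hunk also relies on VENDOR_FSIJ being defined elsewhere in scd/ccid-driver.c, which is not visible here; as this is a backport, confirm that the definition is already on STABLE-BRANCH-2-0 or include it in the same commit.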
From: abel at guardianproject.info (Abel Luck)
Date: Fri, 20 Jul 2012 22:09:30 +0000
Subject: [guardian-dev] Format of exported subkeys from gnupg
In-Reply-To: <50098029.9090409@guardianproject.info>
References: <50085CAC.3040605@guardianproject.info> <877gtykhzh.fsf@vigenere.g10code.de> <50098029.9090409@guardianproject.info>
Message-ID: <5009D71A.2090201@guardianproject.info>

Abel Luck:
> Werner Koch:
>> > $ ls ~/.gnupg/private-keys-v1.d/654EFA6F19DF08ABFEB88092BC4867D4C5A95460.key
> Thanks for the info Werner!
>
> Using GnuPG 2.0.19 my .gnupg/private-keys-v1.d/ directory is empty, is
> this expected?
>
> Also, what about the method you described is 2.1 specific, ideally we'd
> like this to work on 2.0 versions as well, but 2.1 is definitely a start!
>
> Abel
>
>

From abel at guardianproject.info Sat Jul 21 00:09:54 2012
From: abel at guardianproject.info (Abel Luck)
Date: Fri, 20 Jul 2012 22:09:54 +0000
Subject: Format of exported subkeys from gnupg
Message-ID: <5009D732.9080108@guardianproject.info>

Hello,

I'm with the Guardian Project, picking up where Hans left off last year
[0] in an attempt to integrate OTR keys as subkeys in gnupg.

Guardian is working on a OTR key conversion utility [1] to convert
between the myriad formats of OTR keys (all DSA btw).

In order to do this I need access to the raw DSA parameters: p, q, g, y
and x.

My question is how can I take the output produced by
--export-secret-keys and access those 5 numbers?

Inversely, how can I take 5 numbers and produce an importable file to
import OTR subkeys into a master key?

I've been poking around in g10/export.c in gnupg2, and see that it is
using s-expressions internally. It looks like I might need to roll my
own parser and writer, is there any documentation on this format?

Alternatively, if I could mangle the exported data into an openssl
format, I could use existing openssl tools to pull out the data I need.

gpgsm exports p12, but I can't see how to make it work with gpg subkeys.

Any advice in this area would be much appreciated.

~abel

[0]: http://lists.gnupg.org/pipermail/gnupg-devel/2011-November/026294.html
[1]: https://github.com/guardianproject/otrfileconverter

From abel at guardianproject.info Sat Jul 21 00:41:45 2012
From: abel at guardianproject.info (Abel Luck)
Date: Fri, 20 Jul 2012 22:41:45 +0000
Subject: Format of exported subkeys from gnupg
In-Reply-To: <5009D732.9080108@guardianproject.info>
References: <5009D732.9080108@guardianproject.info>
Message-ID: <5009DEA9.2070800@guardianproject.info>

Some of you got this message twice, I apologize. My email server didn't
have reverse DNS setup properly.

~abel

From wk at gnupg.org Sun Jul 22 17:59:05 2012
From: wk at gnupg.org (Werner Koch)
Date: Sun, 22 Jul 2012 17:59:05 +0200
Subject: [guardian-dev] Format of exported subkeys from gnupg
In-Reply-To: <5009D71A.2090201@guardianproject.info> (Abel Luck's message of "Fri, 20 Jul 2012 22:09:30 +0000")
References: <50085CAC.3040605@guardianproject.info> <877gtykhzh.fsf@vigenere.g10code.de> <50098029.9090409@guardianproject.info> <5009D71A.2090201@guardianproject.info>
Message-ID: <87pq7niy7q.fsf@vigenere.g10code.de>

On Sat, 21 Jul 2012 00:09, abel at guardianproject.info said:

>> Using GnuPG 2.0.19 my .gnupg/private-keys-v1.d/ directory is empty, is
>> this expected?

Unless you use S.MIME it is indeed empty for 2.0. Only 2.1 uses it also
for OpenPGP.

>> Also, what about the method you described is 2.1 specific, ideally we'd
>> like this to work on 2.0 versions as well, but 2.1 is definitely a start!

2.1 will replace 2.0. Actually our work on the N900 and the HTC Touch
Pro to port Kontact to them was done using 2.1. Thus I strongly suggest
to use 2.1 for any new platforms.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From hans at guardianproject.info Sun Jul 22 18:14:09 2012
From: hans at guardianproject.info (Hans-Christoph Steiner)
Date: Sun, 22 Jul 2012 12:14:09 -0400
Subject: Format of exported subkeys from gnupg
In-Reply-To: <87pq7niy7q.fsf@vigenere.g10code.de>
References: <50085CAC.3040605@guardianproject.info> <877gtykhzh.fsf@vigenere.g10code.de> <50098029.9090409@guardianproject.info> <5009D71A.2090201@guardianproject.info> <87pq7niy7q.fsf@vigenere.g10code.de>
Message-ID: <500C26D1.1040805@guardianproject.info>

On 07/22/2012 11:59 AM, Werner Koch wrote:
> On Sat, 21 Jul 2012 00:09, abel at guardianproject.info said:
>
>>> Using GnuPG 2.0.19 my .gnupg/private-keys-v1.d/ directory is empty, is
>>> this expected?
>
> Unless you use S.MIME it is indeed empty for 2.0. Only 2.1 uses it also
> for OpenPGP.
>
>>> Also, what about the method you described is 2.1 specific, ideally we'd
>>> like this to work on 2.0 versions as well, but 2.1 is definitely a start!
>
> 2.1 will replace 2.0. Actually our work on the N900 and the HTC Touch
> Pro to port Kontact to them was done using 2.1. Thus I strongly suggest
> to use 2.1 for any new platforms.

We're trying to parse existing keys on a wide variety of platforms so
that we can convert between various formats. This is an essential part
of our idea to make the gpg key the master crypto identity, and then use
subkeys for various other applications, like OTR, TextSecure, S/MIME,
etc. Then the user will only need to deal with one single key for trust
relationships.

Right now, we are starting out by generating DSA subkeys in gpg, and
exporting them for use in OTR. libotr's private key format is a
hex-based S-expression. The subkey export format for gpg v2.0 is not
clear to us, so any pointers on docs or the place in the gpg code to
figure that out would be most appreciated.

.hc

From guninski at guninski.com Wed Jul 25 15:33:41 2012
From: guninski at guninski.com (Georgi Guninski)
Date: Wed, 25 Jul 2012 16:33:41 +0300
Subject: Using second keyring may be misleading?
In-Reply-To:
References: <20120614141029.GC2776@sivokote.iziade.m$> <8762asvl0j.fsf@vigenere.g10code.de> <20120615123056.GC2438@sivokote.iziade.m$> <4FE3ED3B.8070303@fifthhorseman.net> <20120622144046.GF2777@sivokote.iziade.m$> <6D30623D-191E-4163-8120-CAEAF4867D70@jabberwocky.com> <20120622161242.GG2777@sivokote.iziade.m$> <9FB524C6-E9BF-43D7-94E5-E4FA9180ABDF@jabberwocky.com>
Message-ID: <20120725133341.GD2598@sivokote.iziade.m$>

On Sun, Jun 24, 2012 at 08:42:07AM +0100, Nicholas Cole wrote:
> 3. I know this is a particular problem with version 3 key ids. How
> much stronger are version 4?
>

For a v.4 64 bit keyid collision the most naive attack will need
about 2^64 calls to SHA1.

Currently a GPU costing about $500 will break it in about 220 years.

So 220 GPUs will break it in about a year.

Total budget (electricity, etc) might be in the range of
$200K - $300K - someone familiar with hash cracking told
me so. Might be wrong though.

From gniibe at fsij.org Thu Jul 26 12:10:08 2012
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Thu, 26 Jul 2012 19:10:08 +0900
Subject: Gnuk version 1.0
Message-ID: <1343297408.3528.2.camel@cfw2.gniibe.org>

Hi,

Gnuk version 1.0 is released.

Gnuk is software implementation of a USB token for GNU Privacy Guard.
Gnuk supports OpenPGP card protocol version 2, and it runs on
STM32F103 processor.

This is version 1.0, finally. This includes bug fixes only.

New features (such as ECC) will be added to forthcoming development
branch. I keep maintain 1.0 series.

For a while, I won't start development branch, but improve
documentation. I have a plan to manufacture FST-01 (my own design of
STM32F103 board), so that everyone can enjoy Gnuk.

Now, I am in Brazil to attend FISL13. My talk will be from 16:00
today, at the room GNU (40T). There, you will be able to see the
engineering prototype of FST-01 wrapped by heat shrink tube.

Happy Hacking,
--

From isimluk at fedoraproject.org Thu Jul 26 14:43:55 2012
From: isimluk at fedoraproject.org (Simon Lukasik)
Date: Thu, 26 Jul 2012 14:43:55 +0200
Subject: The OPTION pinentry-mode loopback
Message-ID: <50113B8B.3080505@fedoraproject.org>

Hello list,

I am excited to see PINENTRY_MODE_LOOPBACK in gpg-agent.

To my reading, the gpg-agent in this mode will not run a pinentry. But
it will ask the client (e.g. gpg2) for PASSPHRASE. On the other hand,
gpg2 does not answer such inquiry:

gpg: DBG: ignoring gpg-agent inquiry 'PASSPHRASE

Could you please elaborate more about the intended usage for this mode??

In this mode the gpgme_set_passphrase_cb could make sense again -- Which
would deliver great value to those who can't migrate their legacy apps
from gpg1.

Thanks,
Simon Lukasik

From ekleog at gmail.com Fri Jul 27 20:53:18 2012
From: ekleog at gmail.com (Leo Gaspard)
Date: Fri, 27 Jul 2012 20:53:18 +0200
Subject: gpgme_set_locale on global context fails ?
Message-ID: <5012E39E.2050204@gmail.com>

Hello !

I'm learning GPGME, and just tried to use gpgme_set_locale. However, it
looks like it doesn't work on the global context, only on a normal one.

Here is what I mean :

#include <stdio.h>
#include <locale.h>
#include <gpgme.h>

int main() {
    setlocale(LC_ALL, "");
    gpgme_ctx_t ctx;
    gpgme_new(&ctx);
    /* Set the locale on a specific context. */
    printf("%d\n", gpgme_set_locale(ctx, LC_ALL, setlocale(LC_ALL, NULL)));
    return 0;
}

It outputs 0, as expected.

Now, the issue :

#include <stdio.h>
#include <locale.h>
#include <gpgme.h>

int main() {
    setlocale(LC_ALL, "");
    /* NULL context: set the default locale. */
    printf("%d\n", gpgme_set_locale(NULL, LC_ALL, setlocale(LC_ALL, NULL)));
    return 0;
}

It outputs 117440567 ; that is "source: GPGME ; error: Invalid value".

Do you have any idea of what it may have come from ?

I have GPGME version 1.3.1, and GnuPG version 2.0.19, as distributed by
archlinux.

Thanks in advance,

Ekleog

From wking at tremily.us Fri Jul 27 22:40:42 2012
From: wking at tremily.us (W. Trevor King)
Date: Fri, 27 Jul 2012 16:40:42 -0400
Subject: [GnuPG] gpgme_set_locale on global context fails ?
In-Reply-To: <5012E39E.2050204@gmail.com>
References: <5012E39E.2050204@gmail.com>
Message-ID: <20120727204041.GA14467@odin.tremily.us>

On Fri, Jul 27, 2012 at 08:53:18PM +0200, Leo Gaspard wrote:
> I'm learning GPGME, and just tried to use gpgme_set_locale. However,
> it looks like it doesn't work on the global context, only on a
> normal one.

That would be because the definition is currently:

  gpgme_error_t
  gpgme_set_locale (gpgme_ctx_t ctx, int category, const char *value)
  {
    …
    if (!ctx)
      return TRACE_ERR (gpg_error (GPG_ERR_INV_VALUE));

It looks like Marcus just got into the zone with:

  commit b34add3fe438a693e236a835135bd11b4e177daa
  Author: Marcus Brinkmann
  Date: Thu May 26 16:01:26 2011 +0200

  Check context pointers for null pointer on entry points.

But it looks like gpgme_set_locale actually does handle the !ctx case
well.

Cheers,
Trevor

--
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy

From ekleog at gmail.com Fri Jul 27 23:43:39 2012
From: ekleog at gmail.com (Leo Gaspard)
Date: Fri, 27 Jul 2012 23:43:39 +0200
Subject: [GnuPG] gpgme_set_locale on global context fails ?
In-Reply-To: <20120727204041.GA14467@odin.tremily.us>
References: <5012E39E.2050204@gmail.com> <20120727204041.GA14467@odin.tremily.us>
Message-ID: <50130B8B.20507@gmail.com>

On 27/07/2012 22:40, W. Trevor King wrote:
> On Fri, Jul 27, 2012 at 08:53:18PM +0200, Leo Gaspard wrote:
>> I'm learning GPGME, and just tried to use gpgme_set_locale. However,
>> it looks like it doesn't work on the global context, only on a
>> normal one.
>
> That would be because the definition is currently:
>
> [...]
>
> But it looks like gpgme_set_locale actually does handle the !ctx case
> well.

Oh. Just tried, and it looks like global context's locale is set only
through setlocale.

Then, why does the documentation
(http://www.gnupg.org/documentation/manuals/gpgme/Locale.html#Locale)
states that "The function gpgme_set_locale sets the locale of the
context ctx, /or the default locale if ctx is a null pointer/." ?

Should I still call gpgme_set_locale(NULL, ...) and ignore its result
for upwards compatibility ?

Thanks !

Leo Gaspard

From marcus.brinkmann at ruhr-uni-bochum.de Sat Jul 28 01:18:29 2012
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: 28 Jul 2012 01:18:29 +0200
Subject: [GnuPG] gpgme_set_locale on global context fails ?
In-Reply-To: <20120727204041.GA14467@odin.tremily.us>
References: <5012E39E.2050204@gmail.com> <20120727204041.GA14467@odin.tremily.us>
Message-ID: <501321C5.1050709@ruhr-uni-bochum.de>

Hi,

thanks, it turns out my checking-spree went over the line with that one. ;)

Reverted in 434735f71e6969248651ac01c6bd6f6789a6305d.

Marcus

On 07/27/2012 10:40 PM, W. Trevor King wrote:
> On Fri, Jul 27, 2012 at 08:53:18PM +0200, Leo Gaspard wrote:
>> I'm learning GPGME, and just tried to use gpgme_set_locale. However,
>> it looks like it doesn't work on the global context, only on a
>> normal one.
>
> That would be because the definition is currently:
>
> gpgme_error_t
> gpgme_set_locale (gpgme_ctx_t ctx, int category, const char *value)
> {
> …
> if (!ctx)
> return TRACE_ERR (gpg_error (GPG_ERR_INV_VALUE));
>
> It looks like Marcus just got into the zone with:
>
> commit b34add3fe438a693e236a835135bd11b4e177daa
> Author: Marcus Brinkmann
> Date: Thu May 26 16:01:26 2011 +0200
>
> Check context pointers for null pointer on entry points.
>
> But it looks like gpgme_set_locale actually does handle the !ctx case
> well.
>
> Cheers,
> Trevor
>

From ekleog at gmail.com Sat Jul 28 20:51:54 2012
From: ekleog at gmail.com (Leo Gaspard)
Date: Sat, 28 Jul 2012 20:51:54 +0200
Subject: gpgme_data_seek with SEEK_END on memory-based data fails
Message-ID: <501434CA.3090208@gmail.com>

Hello all !

I recently stumbled upon a strange result while using
gpgme_data_seek(data, off, SEEK_END).

So, I read the source code for this function (and had a quite hard time
crawling to finally find mem_seek).

It looks like there is an error in the function : the offset is negative
but is then subtracted from the position, which results in an
out-of-bounds pointer and then in a crash.

Proposed "patch" : file "src/data-mem.c", line 140, turn the "minus"
into a "plus".

Hope that helps,

Leo Gaspard

From marcus.brinkmann at ruhr-uni-bochum.de Sat Jul 28 22:12:47 2012
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: 28 Jul 2012 22:12:47 +0200
Subject: gpgme_data_seek with SEEK_END on memory-based data fails
In-Reply-To: <501434CA.3090208@gmail.com>
References: <501434CA.3090208@gmail.com>
Message-ID: <501447BF.1070005@ruhr-uni-bochum.de>

On 07/28/2012 08:51 PM, Leo Gaspard wrote:
> Proposed "patch" : file "src/data-mem.c", line 140, turn the "minus"
> into a "plus".

Nice catch. Surely nobody ever used that before :)

Fixed in 83e74202cd7c4c975d149c49e2507fdb0e60ef32

Thanks,
Marcus

From ekleog at gmail.com Sat Jul 28 23:18:46 2012
From: ekleog at gmail.com (Leo Gaspard)
Date: Sat, 28 Jul 2012 23:18:46 +0200
Subject: gpgme_data_seek with SEEK_END on memory-based data fails
In-Reply-To: <501447BF.1070005@ruhr-uni-bochum.de>
References: <501434CA.3090208@gmail.com> <501447BF.1070005@ruhr-uni-bochum.de>
Message-ID: <50145736.3040109@gmail.com>

On 28/07/2012 22:12, Marcus Brinkmann wrote:
> On 07/28/2012 08:51 PM, Leo Gaspard wrote:
>> Proposed "patch" : file "src/data-mem.c", line 140, turn the "minus"
>> into a "plus".
>
> Nice catch. Surely nobody ever used that before :)

Hello Marcus,

I have to admit that I probably wouldn't have noticed it if I wasn't
writing a javascript wrapper for gpgme.

Giving you some context, I'm trying to write a firefox addon to extend
PGP signing and encrypting to webmails, so as to allow the average
grandmother to use PGP, as she doesn't have thunderbird installed and
wouldn't understand enigmail's instructions. Let alone mutt & co.

So, I was writing the test suite when I found this bug.

You may look at mailock on github, if you want to have a look at the
test suite. Interesting files in there are lib/gpgme/low.js (the
low-level API, retranscription of gpgme to javascript) and
test/test-gpgme-low.js (the test suite).

So... Here is the end of my ad campaign. :)

Cheers,

Leo

From wk at gnupg.org Sun Jul 29 11:41:39 2012
From: wk at gnupg.org (Werner Koch)
Date: Sun, 29 Jul 2012 11:41:39 +0200
Subject: gpgme_data_seek with SEEK_END on memory-based data fails
In-Reply-To: <50145736.3040109@gmail.com> (Leo Gaspard's message of "Sat, 28 Jul 2012 23:18:46 +0200")
References: <501434CA.3090208@gmail.com> <501447BF.1070005@ruhr-uni-bochum.de> <50145736.3040109@gmail.com>
Message-ID: <87lii29a5o.fsf@vigenere.g10code.de>

On Sat, 28 Jul 2012 23:18, ekleog at gmail.com said:

> Giving you some context, I'm trying to write a firefox addon to extend
> PGP signing and encrypting to webmails, so as to allow the average

That is really good news. Thanks for tackling the major problem with
webmail.

Let us know if you think gpgme works correctly for you now so that we
can do a new release right in time for Debian Wheezy.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From ekleog at gmail.com Sun Jul 29 20:25:21 2012
From: ekleog at gmail.com (Leo Gaspard)
Date: Sun, 29 Jul 2012 20:25:21 +0200
Subject: gpgme_data_seek with SEEK_END on memory-based data fails
In-Reply-To: <87lii29a5o.fsf@vigenere.g10code.de>
References: <501434CA.3090208@gmail.com> <501447BF.1070005@ruhr-uni-bochum.de> <50145736.3040109@gmail.com> <87lii29a5o.fsf@vigenere.g10code.de>
Message-ID: <50158011.1080201@gmail.com>

On 29/07/2012 11:41, Werner Koch wrote:
> Let us know if you think gpgme works correctly for you now so that we
> can do a new release right in time for Debian Wheezy.

Hello Werner,

I didn't compile gpgme on my own, and so can't tell you whether it works
for sure. Moreover, I didn't implement the whole GPGME interface in JS
at the moment, and so can't tell whether there are any other issues with
anything after manual section 7.5.4.

But the two issues I noticed should now be fixed, according to what I
saw in the commits. I removed them from my tests, waiting for the
release to come in archlinux's repositories, but all the other tests
work right.

However, before a release, I'd like to know... is there a way to get/set
through GPGME the keyserver used by the context ? I figured out that
there is a GPGCONF protocol used by GPGME, but didn't find any
documentation on how to use it. (BTW, it is not in the doc, only in the
code, so that could be the answer)

If there isn't yet, it could be an interesting feature to add before the
release, as it isn't yet a really featureful release, isn't it ?

If this feature isn't there yet, and you think it might be useful (as I
do), maybe might I help by writing a patch for it ? (just looked at the
source, looks like this would require adding gpgme_get|set_keyserver,
adding a const char *keyserver property in the context, and adding a
flag check to gpg_encrypt_sign & co.). However, I wouldn't be able to
write the patch before 15 days, as I'm going to take an aikido course in
Japan. :D

Cheers & HTH,

Leo

From ekleog at gmail.com Sun Jul 29 22:59:39 2012
From: ekleog at gmail.com (Leo Gaspard)
Date: Sun, 29 Jul 2012 22:59:39 +0200
Subject: gpgme_data_seek with SEEK_END on memory-based data fails
Message-ID: <5015A43B.3080404@gmail.com>

Hello again,

I finally decided to write the patch immediately. I placed the output of
"git format-patch -M origin/master" in the attachment.

Things that are still TODO:
 * Adapt gpgme-tool.c ? (Didn't have enough time to understand what it
   was about... a CLI tool ?)
 * Is there a keyserver concept for gpgsm ?
 * Write the doc.
 * Check it (builds and) runs the tests : I didn't have enough time to
   read doc on compiling & testing.

I hope I didn't break any binary compatibility or such.

Is there anything I should do (legal stuff, copyright waiver or such
things) ? (It's my first "real" participation in an open-source
project.)

I'll go away tomorrow for two weeks, so please answer quickly if you
want me to do such things quickly !

Hope that helps,

Leo

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Allow-to-set-a-context-s-keyserver.patch
Type: text/x-patch
Size: 15366 bytes
Desc: not available

From wk at gnupg.org Mon Jul 30 11:03:40 2012
From: wk at gnupg.org (Werner Koch)
Date: Mon, 30 Jul 2012 11:03:40 +0200
Subject: gpgme_data_seek with SEEK_END on memory-based data fails
In-Reply-To: <50158011.1080201@gmail.com> (Leo Gaspard's message of "Sun, 29 Jul 2012 20:25:21 +0200")
References: <501434CA.3090208@gmail.com> <501447BF.1070005@ruhr-uni-bochum.de> <50145736.3040109@gmail.com> <87lii29a5o.fsf@vigenere.g10code.de> <50158011.1080201@gmail.com>
Message-ID: <87d33d8vtf.fsf@vigenere.g10code.de>

On Sun, 29 Jul 2012 20:25, ekleog at gmail.com said:

> However, before a release, I'd like to know... is there a way to
> get/set through GPGME the keyserver used by the context ? I figured
> out that there is a GPGCONF protocol used by GPGME, but didn't find

This is not a per-context setting but a global one. Yes, the
documentation is quite limited. We did this as an experimental
interface once and only recently changed it to a supported interface.

> If there isn't yet, it could be an interesting feature to add before
> the release, as it isn't yet a really featureful release, isn't it ?

For various reasons it can't be done with a per context setting. In
fact 2.1 will have some substantial changes to the keyserver
infrastructure. You need to use gpgconf to modify the global (well, per
user) configuration.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From ekleog at gmail.com Mon Jul 30 12:42:29 2012
From: ekleog at gmail.com (Leo Gaspard)
Date: Mon, 30 Jul 2012 12:42:29 +0200
Subject: gpgme_data_seek with SEEK_END on memory-based data fails
In-Reply-To: <87d33d8vtf.fsf@vigenere.g10code.de>
References: <501434CA.3090208@gmail.com> <501447BF.1070005@ruhr-uni-bochum.de> <50145736.3040109@gmail.com> <87lii29a5o.fsf@vigenere.g10code.de> <50158011.1080201@gmail.com> <87d33d8vtf.fsf@vigenere.g10code.de>
Message-ID: <50166515.4020701@gmail.com>

On 30/07/2012 11:03, Werner Koch wrote:
> On Sun, 29 Jul 2012 20:25, ekleog at gmail.com said:
>> If there isn't yet, it could be an interesting feature to add before
>> the release, as it isn't yet a really featureful release, isn't it ?
>
> For various reasons it can't be done with a per context setting. In
> fact 2.1 will have some substantial changes to the keyserver
> infrastructure. You need to use gpgconf to modify the global (well, per
> user) configuration.

So, I suppose the patch I sent on the mailing list yesterday doesn't
work ?

It adds the --keyserver option to gpg for imports and exports. I don't
really understand how gpgme works underneath, but, as --armor & co.
work, I supposed it should work, like any other flag, isn't it ?

Hope that helps,

Leo

From wk at gnupg.org Mon Jul 30 18:28:35 2012
From: wk at gnupg.org (Werner Koch)
Date: Mon, 30 Jul 2012 18:28:35 +0200
Subject: gpgme_data_seek with SEEK_END on memory-based data fails
In-Reply-To: <50166515.4020701@gmail.com> (Leo Gaspard's message of "Mon, 30 Jul 2012 12:42:29 +0200")
References: <501434CA.3090208@gmail.com> <501447BF.1070005@ruhr-uni-bochum.de> <50145736.3040109@gmail.com> <87lii29a5o.fsf@vigenere.g10code.de> <50158011.1080201@gmail.com> <87d33d8vtf.fsf@vigenere.g10code.de> <50166515.4020701@gmail.com>
Message-ID: <87y5m16wng.fsf@vigenere.g10code.de>

On Mon, 30 Jul 2012 12:42, ekleog at gmail.com said:

> So, I suppose the patch I sent on the mailing list yesterday doesn't work ?

I have not said this ;-). I have two problems with the patch:

 - It is very specific for keyservers and not a general way to
   describe, well, what keyservers are. We already have ways to locate
   keys from remote resources. See the GPGME_KEYLIST_MODE_* flags.
   This needs to be unified with other uses of the keys. And it also
   needs to be in line with planned or already done changes in 2.1.

 - You break the ABI and API with your patch - this is not acceptable
   for a stable library.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From mail at tgries.de Mon Jul 30 22:53:53 2012
From: mail at tgries.de (Thomas Gries)
Date: Mon, 30 Jul 2012 22:53:53 +0200
Subject: compilation of GnuPG developers version failed: two libraries are missing in ftp
Message-ID: <5016F461.1010101@tgries.de>

RE:
http://www.gnupg.org/download/cvs_access.en.html
http://www.gnupg.org/download/integrity_check.en.html

I wanted to compile the developers version from git and installed the
dependencies from ftp. But the configure command still throws _two_
errors because the required versions are unavailable:

configure: you need libassuan .. at least version 2.1.0 (API 2) is required
configure: It is now required to build .. New Portable Threads library (at least version 0.91 (API 1) is required.

These versions are NOT available on ftp://ftp.gnupg.org/gcrypt/libassuan
or /npth

 1. Where can I find the missing libraries ?
 2. Please update the
    http://www.gnupg.org/download/integrity_check.en.html page with npth
    information and checksum

Regards,
Tom

From mail at tgries.de Tue Jul 31 00:21:36 2012
From: mail at tgries.de (Thomas Gries)
Date: Tue, 31 Jul 2012 00:21:36 +0200
Subject: compilation of GnuPG developers version failed: two libraries are missing in ftp
In-Reply-To: <501701DE.1030109@sumptuouscapital.com>
References: <5016F461.1010101@tgries.de> <501701DE.1030109@sumptuouscapital.com>
Message-ID: <501708F0.30104@tgries.de>

On 30.07.2012 23:51, Kristian Fiskerstrand wrote:
> On 2012-07-30 22:53, Thomas Gries wrote:
>> RE:
>> http://www.gnupg.org/download/cvs_access.en.html
>> http://www.gnupg.org/download/integrity_check.en.html
>
> ...
>
>> 1. Where can I find the missing libraries ?
> You can find them in the git repositories at least, respectively
> git://git.gnupg.org/npth.git
> git://git.gnupg.org/libassuan.git

Please can you update the information in the ./configure script of gnupg
core so that it contains the links ?

Thanks.

From dkg at fifthhorseman.net Tue Jul 31 00:29:52 2012
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 30 Jul 2012 18:29:52 -0400
Subject: dealing with misplaced signatures
Message-ID: <50170AE0.9070601@fifthhorseman.net>

Clint Adams reports in http://bugs.debian.org/683339:

--------------------------
This key has two signatures on a subkey:

http://keys.mayfirst.org/pks/lookup?op=get&search=0xED34CEABE27BAABC

gpg --edit-key will correctly detect them as being in the wrong place,
and move them to another wrong place, unless the uid/uat being moved
to happens to be the target of the signature.

Since sks appears to be buggy, those signatures will remain on the
subkey, and be replaced on a --recv-keys or --refresh. Then
a subsequent --edit-key will move them again.

It would be nice if something could prevent these things from happening.

--------------------------

The "sks appears to be buggy" remark refers to the fact that sks appears
to allow certain types of signature in places that they don't make sense:

http://bugs.debian.org/683328

This is why sks is willing to return regular identity certification
packets after a subkey binding cert.

	--dkg

From kristian.fiskerstrand at sumptuouscapital.com Mon Jul 30 23:51:26 2012
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Mon, 30 Jul 2012 23:51:26 +0200
Subject: compilation of GnuPG developers version failed: two libraries are missing in ftp
In-Reply-To: <5016F461.1010101@tgries.de>
References: <5016F461.1010101@tgries.de>
Message-ID: <501701DE.1030109@sumptuouscapital.com>

On 2012-07-30 22:53, Thomas Gries wrote:
> RE:
> http://www.gnupg.org/download/cvs_access.en.html
> http://www.gnupg.org/download/integrity_check.en.html

...

>
> 1. Where can I find the missing libraries ?

You can find them in the git repositories at least, respectively
git://git.gnupg.org/npth.git
git://git.gnupg.org/libassuan.git

--
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Corruptissima re publica plurimæ leges
The greater the degeneration of the republic, the more of its laws
----------------------------
This email was digitally signed using the OpenPGP standard.
If you want to read more about this
The book: Sending Emails - The Safe Way: An introduction to OpenPGP
security is now available in both Amazon Kindle and Paperback format at
http://www.amazon.com/dp/B006RSG1S4/
----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/

From mail at tgries.de Tue Jul 31 01:23:50 2012
From: mail at tgries.de (Thomas Gries)
Date: Tue, 31 Jul 2012 01:23:50 +0200
Subject: compilation of GnuPG developers version failed fig2dev
In-Reply-To: <501701DE.1030109@sumptuouscapital.com>
References: <5016F461.1010101@tgries.de> <501701DE.1030109@sumptuouscapital.com>
Message-ID: <50171786.8030505@tgries.de>

1. Where can I find the missing libraries ?
> You can find them in the git repositories at least, respectively
> git://git.gnupg.org/npth.git
> git://git.gnupg.org/libassuan.git
>

Thanks.

make error:

Entering directory /work/gnu/doc
"fig2dev not found"

Please add a point that installation of the program "transfig" is
required, apparently for generating some documentation pdfs.

From guninski at guninski.com Tue Jul 31 07:39:57 2012
From: guninski at guninski.com (Georgi Guninski)
Date: Tue, 31 Jul 2012 08:39:57 +0300
Subject: dealing with misplaced signatures
In-Reply-To: <50170AE0.9070601@fifthhorseman.net>
References: <50170AE0.9070601@fifthhorseman.net>
Message-ID: <20120731053957.GA2691@sivokote.iziade.m$>

Was the sig of the subkey made with vanilla gpg or was it manipulated?

On Mon, Jul 30, 2012 at 06:29:52PM -0400, Daniel Kahn Gillmor wrote:
> Clint Adams reports in http://bugs.debian.org/683339:
>
> --------------------------
> This key has two signatures on a subkey:
>
> http://keys.mayfirst.org/pks/lookup?op=get&search=0xED34CEABE27BAABC
>
> gpg --edit-key will correctly detect them as being in the wrong place,
> and move them to another wrong place, unless the uid/uat being moved
> to happens to be the target of the signature.
>
> Since sks appears to be buggy, those signatures will remain on the
> subkey, and be replaced on a --recv-keys or --refresh. Then
> a subsequent --edit-key will move them again.
>
> It would be nice if something could prevent these things from happening.
>
> --------------------------
>
>
> The "sks appears to be buggy" remark refers to the fact that sks appears
> to allow certain types of signature in places that they don't make sense:
>
> http://bugs.debian.org/683328
>
> This is why sks is willing to return regular identity certification
> packets after a subkey binding cert.
>
> 	--dkg

From wk at gnupg.org Tue Jul 31 11:18:40 2012
From: wk at gnupg.org (Werner Koch)
Date: Tue, 31 Jul 2012 11:18:40 +0200
Subject: compilation of GnuPG developers version failed: two libraries are missing in ftp
In-Reply-To: <501708F0.30104@tgries.de> (Thomas Gries's message of "Tue, 31 Jul 2012 00:21:36 +0200")
References: <5016F461.1010101@tgries.de> <501701DE.1030109@sumptuouscapital.com> <501708F0.30104@tgries.de>
Message-ID: <87r4rs70gf.fsf@vigenere.g10code.de>

On Tue, 31 Jul 2012 00:21, mail at tgries.de said:

> Please can you update the information in the ./configure script of gnupg
> core so that it contains the links ?

We do this for the next release. It is pointless to do this during
development.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From dkg at fifthhorseman.net Tue Jul 31 17:13:21 2012
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 31 Jul 2012 11:13:21 -0400
Subject: dealing with misplaced signatures
In-Reply-To: <20120731053957.GA2691@sivokote.iziade.m$>
References: <50170AE0.9070601@fifthhorseman.net> <20120731053957.GA2691@sivokote.iziade.m$>
Message-ID: <5017F611.4030300@fifthhorseman.net>

On 07/31/2012 01:39 AM, Georgi Guninski wrote:
> Was the sig of the subkey made with vanilla gpg or was it manipulated?

examining the sig, it happens to be byte-for-byte identical with a sig
on one of the User IDs.

As a result of gpg's (faulty) moving of the sig to the last user ID, we
see the same sig show up after several of the User IDs as well.

observe all the places where this particular sig shows up:

$ gpg --export 0xED34CEABE27BAABC | gpgsplit
$ md5sum * | egrep '(^848762|(attribute|id|key)$)'
95687f448844ff7144ae806a3d44059e  000001-006.public_key
f92637abe07b5fe3fcc48c384703c932  000002-013.user_id
925db22aabd790504bb80b8d0e1a6202  000019-013.user_id
8487624d4fd7292872c7de2c83ec895d  000041-002.sig
580775fce5bd929da507fc031969b891  000044-013.user_id
8487624d4fd7292872c7de2c83ec895d  000046-002.sig
12086b15b600f899937a91ec7fac99a7  000048-013.user_id
565800d7a2d5c675622a03829c9d8ef5  000090-013.user_id
ab2cf4addd27785fdbef507767d769a8  000134-013.user_id
0537fb472a556e7f441909014a5cb133  000156-013.user_id
cc5f36051c98ac72364e950ab0f18bf5  000191-013.user_id
8487624d4fd7292872c7de2c83ec895d  000194-002.sig
714723044960babc2a8ccaff426099f3  000196-013.user_id
b5e8df1259ef36974559aa865719ee63  000243-013.user_id
8487624d4fd7292872c7de2c83ec895d  000284-002.sig
0a15d0f11daff87b908ecc0e8aebbc0d  000289-013.user_id
e1aa33ca83b5d2f629ddb216c50c88c0  000340-013.user_id
8487624d4fd7292872c7de2c83ec895d  000385-002.sig
af4faed7d2101b27fdd0fb4ca819f420  000389-017.attribute
8487624d4fd7292872c7de2c83ec895d  000426-002.sig
7b65f1bbcf1c826bafec1b829d6b9530  000430-014.public_subkey
9c2e77755a1e3cce68d1f0d302f361fd  000432-014.public_subkey
8487624d4fd7292872c7de2c83ec895d  000435-002.sig
$

	--dkg

From dshaw at jabberwocky.com Tue Jul 31 23:29:10 2012
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 31 Jul 2012 17:29:10 -0400
Subject: dealing with misplaced signatures
In-Reply-To: <5017F611.4030300@fifthhorseman.net>
References: <50170AE0.9070601@fifthhorseman.net> <20120731053957.GA2691@sivokote.iziade.m$> <5017F611.4030300@fifthhorseman.net>
Message-ID: <9E8D7E34-4A6A-4E21-BE3C-4084BA5F3773@jabberwocky.com>

On Jul 31, 2012, at 11:13 AM, Daniel Kahn Gillmor wrote:

> On 07/31/2012 01:39 AM, Georgi Guninski wrote:
>> Was the sig of the subkey made with vanilla gpg or was it manipulated?
>
> examining the sig, it happens to be byte-for-byte identical with a sig
> on one of the User IDs.
>
> As a result of gpg's (faulty) moving of the sig to the last user ID, we
> see the same sig show up after several of the User IDs as well.

What's happening here is that the key is mangled on SKS (whether SKS
mangled it or it was imported already mangled doesn't matter). GPG
fetches it, and there is some code to move misplaced packets to the
right place. Unfortunately, as you noticed, that code does not work if
there is more than one user ID.

This code actually dates to 1998. The comment:

"* Note: This function does not work if there is more than one user ID."

David
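
The placement check discussed in this thread, as an added example (not code from GnuPG, SKS or any poster here): a Python walk over the packets of a binary key export that reports certification signatures sitting under a subkey and byte-identical signature packets that occur at more than one position. The function names and the sample key are constructed for illustration, and SHA-256 stands in for the md5sum used above. It reads only RFC 4880 packet framing and the signature type octet, and verifies no signatures.

```python
import hashlib
from collections import defaultdict

# Packet tags from RFC 4880; the same numbers appear in gpgsplit's file names.
SIG, PUBKEY, USER_ID, SUBKEY, USER_ATTR = 2, 6, 13, 14, 17
CERT_TYPES = {0x10, 0x11, 0x12, 0x13}   # certifications of a user ID/attribute
SUBKEY_TYPES = {0x18, 0x28}             # subkey binding, subkey revocation


def packets(data):
    """Yield (tag, whole_packet, body) for every packet in a binary export."""
    pos = 0
    while pos < len(data):
        start, first = pos, data[pos]
        if not first & 0x80 or pos + 1 >= len(data):
            raise ValueError("bad packet header at offset %d" % pos)
        if first & 0x40:                # new-format header
            tag, l0 = first & 0x3F, data[pos + 1]
            if l0 < 192:
                length, pos = l0, pos + 2
            elif l0 < 224:
                low = int.from_bytes(data[pos + 2:pos + 3], "big")
                length, pos = ((l0 - 192) << 8) + low + 192, pos + 3
            elif l0 == 255:
                length, pos = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
            else:
                raise ValueError("partial body lengths are not handled")
        else:                           # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled")
            width = 1 << ltype
            length = int.from_bytes(data[pos + 1:pos + 1 + width], "big")
            pos += 1 + width
        if pos + length > len(data):
            raise ValueError("truncated packet at offset %d" % start)
        yield tag, data[start:pos + length], data[pos:pos + length]
        pos += length


def sig_type(body):
    """Signature type octet: offset 2 in a v3 signature, offset 1 otherwise."""
    if len(body) < 3:
        raise ValueError("signature packet too short")
    return body[2] if body[0] == 3 else body[1]


def audit(data):
    """Return (misplaced, duplicated) for one exported key."""
    component, misplaced, seen = None, [], defaultdict(list)
    for index, (tag, raw, body) in enumerate(packets(data), 1):
        if tag in (PUBKEY, USER_ID, USER_ATTR, SUBKEY):
            component = (index, tag)    # signatures that follow belong here
        elif tag == SIG and component:
            stype = sig_type(body)
            seen[hashlib.sha256(raw).hexdigest()].append(index)
            on_subkey = component[1] == SUBKEY
            on_uid = component[1] in (USER_ID, USER_ATTR)
            if (on_subkey and stype in CERT_TYPES) or (
                    on_uid and stype in SUBKEY_TYPES):
                misplaced.append((index, stype, component))
    duplicated = {h: where for h, where in seen.items() if len(where) > 1}
    return misplaced, duplicated


def pkt(tag, body, new=False):          # build a constructed test packet
    return bytes([(0xC0 | tag) if new else (0x80 | (tag << 2)), len(body)]) + body


# Constructed sample, not a real key; the bodies are filler and verify nothing.
CERT = pkt(SIG, bytes([4, 0x13]) + b"constructed certification")
SAMPLE = (pkt(PUBKEY, b"\x04 primary key filler")
          + pkt(USER_ID, b"Alice <alice@example.org>", new=True)
          + CERT + pkt(SUBKEY, b"\x04 subkey filler")   # CERT is packet 3 ...
          + pkt(SIG, bytes([4, 0x18]) + b"constructed binding")
          + CERT)                                       # ... and packet 6

if __name__ == "__main__":
    print(audit(SAMPLE))
```

For a real key, pass the bytes written by the `gpg --export 0xED34CEABE27BAABC` command shown above to `audit()`.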