From jon at jrock.us Tue Aug 1 00:09:47 2006 From: jon at jrock.us (Jonathan Rockway) Date: Tue Aug 1 00:08:47 2006 Subject: [Fwd: perl EUID change causing failure] In-Reply-To: <44CE660B.7080206@ipowerweb.com> References: <44CE660B.7080206@ipowerweb.com> Message-ID: <44CE7FAB.1060803@jrock.us> Might I suggest using a pre-implemented perl solution? Crypt::OpenPGP: http://search.cpan.org/~btrott/Crypt-OpenPGP-1.03/lib/Crypt/OpenPGP.pm GnuPG::Interface: http://search.cpan.org/~ftobin/GnuPG-Interface-0.33/ And also, GPG, Mail::GPG, Crypt::GPG, or Mail::GnuPG. http://search.cpan.org/search?query=gpg&mode=all In other words, other people have already worked out the details, so why not try one of those modules before fighting with something that's not really worth your time? Regards, Jonathan Rockway Marcel Chastain - Security Administration wrote: > I have a perl wrapper around gpg for use within a web app. It changes > its 'EUID' (Effective UserID) early in the script. > From there, it attempts to run > /usr/local/bin/gpg --list-public-keys > > My test script: > #!/usr/bin/perl > $ENV{'GNUPGHOME'} = '/home/username/.gnupg'; > my $uid = getpwnam("username"); > $> = $uid; > print `/usr/local/bin/gpg --list-public-keys`; > > The output: > gpg: Ohhhh jeeee: ... this is a bug (gpg.c:1880:main) > secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768 > > (replace the word 'username' with a user on your system for testing > purposes) > Now, this *only* happens when setting the EUID. I can set the > RealUID($<) and things work perfectly. > > Does this have something to do with the code updates mentioned in the > "What's New" section..? ( > http://lists.gnupg.org/pipermail/gnupg-announce/2006q2/000226.html ) > > User IDs are now capped at 2048 bytes. This avoids a memory > allocation attack (see CVE-2006-3082). > > Running gnupg 1.4.4 compiled from ports, freebsd 4.11-STABLE . > > > > ------------------------------------------------------------------------ > > Subject: > perl EUID change causing failure > From: > Marcel Chastain - Security Administration > Date: > Wed, 26 Jul 2006 16:26:48 -0700 > To: > gnupg-devel@gnupg.org > > To: > gnupg-devel@gnupg.org > > > I have a perl wrapper around gpg for use within our company's internal > control panel. It changes its 'EUID' (Effective UserID) early in the > script. > From there, it attempts to run > /usr/local/bin/gpg --list-public-keys > > My test script: > #!/usr/bin/perl > $ENV{'GNUPGHOME'} = '/home/username/.gnupg'; > my $uid = getpwnam("username"); > $> = $uid; > print `/usr/local/bin/gpg --list-public-keys`; > > The output: > gpg: Ohhhh jeeee: ... this is a bug (gpg.c:1880:main) > secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768 > > (replace the word 'username' with a user on your system for testing > purposes) > Now, this *only* happens when setting the EUID. I can set the RealUID > and things work perfectly. > > Running gnupg 1.4.4 compiled from ports, freebsd 4.11-STABLE . > > ------------------------------------------------------------------------ > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From mchastain at ipowerweb.com Tue Aug 1 02:21:44 2006 From: mchastain at ipowerweb.com (Marcel Chastain - Security Administration) Date: Tue Aug 1 02:14:11 2006 Subject: [Fwd: perl EUID change causing failure] In-Reply-To: <44CE7FAB.1060803@jrock.us> References: <44CE660B.7080206@ipowerweb.com> <44CE7FAB.1060803@jrock.us> Message-ID: <44CE9E98.3040502@ipowerweb.com> Yeah, I already have a workaround in place, I just wanted to report it to the community/developers. This is a new bug, and I think they'd be interested in why it's happening... Perhaps the gnupg-devel mailing list would be better..? Jonathan Rockway wrote: > Might I suggest using a pre-implemented perl solution? > > Crypt::OpenPGP: > http://search.cpan.org/~btrott/Crypt-OpenPGP-1.03/lib/Crypt/OpenPGP.pm > GnuPG::Interface: http://search.cpan.org/~ftobin/GnuPG-Interface-0.33/ > > And also, GPG, Mail::GPG, Crypt::GPG, or Mail::GnuPG. > > http://search.cpan.org/search?query=gpg&mode=all > > In other words, other people have already worked out the details, so why > not try one of those modules before fighting with something that's not > really worth your time? > > Regards, > Jonathan Rockway > > > Marcel Chastain - Security Administration wrote: > >> I have a perl wrapper around gpg for use within a web app. It changes >> its 'EUID' (Effective UserID) early in the script. >> From there, it attempts to run >> /usr/local/bin/gpg --list-public-keys >> >> My test script: >> #!/usr/bin/perl >> $ENV{'GNUPGHOME'} = '/home/username/.gnupg'; >> my $uid = getpwnam("username"); >> $> = $uid; >> print `/usr/local/bin/gpg --list-public-keys`; >> >> The output: >> gpg: Ohhhh jeeee: ... this is a bug (gpg.c:1880:main) >> secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768 >> >> (replace the word 'username' with a user on your system for testing >> purposes) >> Now, this *only* happens when setting the EUID. I can set the >> RealUID($<) and things work perfectly. >> >> Does this have something to do with the code updates mentioned in the >> "What's New" section..? ( >> http://lists.gnupg.org/pipermail/gnupg-announce/2006q2/000226.html ) >> >> User IDs are now capped at 2048 bytes. This avoids a memory >> allocation attack (see CVE-2006-3082). >> >> Running gnupg 1.4.4 compiled from ports, freebsd 4.11-STABLE . >> >> >> >> ------------------------------------------------------------------------ >> >> Subject: >> perl EUID change causing failure >> From: >> Marcel Chastain - Security Administration >> Date: >> Wed, 26 Jul 2006 16:26:48 -0700 >> To: >> gnupg-devel@gnupg.org >> >> To: >> gnupg-devel@gnupg.org >> >> >> I have a perl wrapper around gpg for use within our company's internal >> control panel. It changes its 'EUID' (Effective UserID) early in the >> script. >> From there, it attempts to run >> /usr/local/bin/gpg --list-public-keys >> >> My test script: >> #!/usr/bin/perl >> $ENV{'GNUPGHOME'} = '/home/username/.gnupg'; >> my $uid = getpwnam("username"); >> $> = $uid; >> print `/usr/local/bin/gpg --list-public-keys`; >> >> The output: >> gpg: Ohhhh jeeee: ... this is a bug (gpg.c:1880:main) >> secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768 >> >> (replace the word 'username' with a user on your system for testing >> purposes) >> Now, this *only* happens when setting the EUID. I can set the RealUID >> and things work perfectly. >> >> Running gnupg 1.4.4 compiled from ports, freebsd 4.11-STABLE . >> >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> Gnupg-users mailing list >> Gnupg-users@gnupg.org >> http://lists.gnupg.org/mailman/listinfo/gnupg-users >> >> > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > -- ####################### Marcel C. Security Administration iPower, Inc. From dshaw at jabberwocky.com Tue Aug 1 04:37:08 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Aug 1 04:35:46 2006 Subject: [Fwd: perl EUID change causing failure] In-Reply-To: <44CE9E98.3040502@ipowerweb.com> References: <44CE660B.7080206@ipowerweb.com> <44CE7FAB.1060803@jrock.us> <44CE9E98.3040502@ipowerweb.com> Message-ID: <20060801023708.GA3769@jabberwocky.com> On Mon, Jul 31, 2006 at 05:21:44PM -0700, Marcel Chastain - Security Administration wrote: > Yeah, I already have a workaround in place, I just wanted to report it > to the community/developers. This is a new bug, and I think they'd be > interested in why it's happening... Perhaps the gnupg-devel mailing list > would be better..? This is not a bug, and it certainly isn't new behavior. GnuPG will not run if the euid does not match the uid. On a number of platforms, GnuPG is installed setuid root so it can grab locked/unswappable memory. Once it has allocated a block of memory, it drops root privs. To prevent any chance of an attacker fooling the system into letting it keep root privs, it will halt if euid!=uid. David From bo.berglund at telia.com Tue Aug 1 09:29:37 2006 From: bo.berglund at telia.com (Bo Berglund) Date: Tue Aug 1 09:33:39 2006 Subject: gpg4win-1.0.4, possible to have multiple keys per user??? Message-ID: When trying out gpg4win-1.0.4 I tried to add my old keyring from my use of PGP 7.0.3 to the GnuPG keyring. It seemed to work but when I sent email to someone for whom I also have the new GnuPG key there is an encryption error talking about not finding the key to the recipient. But that is clearly wrong, the rescipient (and myself) have multiple public keys on my keyring at this moment and GnuPG fails to identify a single one of them... After removing again the PGP 7.0.3 keys from the GnuPG keyring only keeping the GnuPG keys I was able to send the message out. I was working from within Outlook 2003 using the plugin that came with gpg4win-1.0.4. Is there a setting in the keyring manager to allow multiple keys for single email addresses such that the encryption adds *all* of them to the message??? Also when some are old PGP 7.0.3 keys? Bo Berglund From ludovic.courtes at laas.fr Tue Aug 1 10:46:05 2006 From: ludovic.courtes at laas.fr (Ludovic =?iso-8859-1?Q?Court=E8s?=) Date: Tue Aug 1 11:13:58 2006 Subject: GPGME: Exporting a private key Message-ID: <87bqr4desy.fsf@laas.fr> Hi, (I couldn't find a `gpgme-users' list so I'm trying this one.) Is there are way to export a private key with GPGME? Currently, `gpgme_op_export ()' and friends don't seem to allow for this. Also, rather than using `gpgme_op_export ()' and passing it a pattern (whose format and interpretation are not well documented, BTW), it would be nice if one could export a specific key: gpgme_error_t gpgme_key_export (gpgme_key_t key, int armor, gpgme_data_t keydata); Is it something that would be feasible? Thanks, Ludovic. From bo.berglund at telia.com Tue Aug 1 11:31:52 2006 From: bo.berglund at telia.com (Bo Berglund) Date: Tue Aug 1 11:31:43 2006 Subject: [gpgol] plugin hides visibility of internet headers? Message-ID: I just installed gpg4win-1.0.4 with the gpgol plugin. Now I wanted to check a message with the Outlook 2003 function "view options" where I usually see the trace of the message transfer. But now the options bottom pane is always empty also for non-encrypted messages... Is this caused by GPGOL or something else? I just noticed it after I installed the gpg4win system.... From bo.berglund at telia.com Tue Aug 1 11:35:46 2006 From: bo.berglund at telia.com (Bo Berglund) Date: Tue Aug 1 11:38:33 2006 Subject: [gpgol] how to check if a message is encrypted or not? Message-ID: <8t7uc2d62rq1m4brea5h48mpat1qtohimt@4ax.com> If I open a message in Outlook (using the GPGOL plugin) and I see the PGP block then I can use the decrypt button to see the decrypted message. I am requested to enter my passphrase first. But when I then look at the next message it is automatically decrypted for me without entering the passphrase and I don't see the PGP block anymore. So how can I look through a number of messages to see which ones are encrypted and which are not? As soon as the passphrase has been entered once it seems completely transparent, all messages look alike even those I *know* are encrypted! /Bo From wk at gnupg.org Tue Aug 1 12:10:27 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Aug 1 12:16:34 2006 Subject: GPGME: Exporting a private key In-Reply-To: <87bqr4desy.fsf@laas.fr> (Ludovic =?utf-8?Q?Court=C3=A8s's?= message of "Tue, 01 Aug 2006 10:46:05 +0200") References: <87bqr4desy.fsf@laas.fr> Message-ID: <874pwwwyuk.fsf@wheatstone.g10code.de> On Tue, 1 Aug 2006 10:46, Ludovic Court?s said: > (I couldn't find a `gpgme-users' list so I'm trying this one.) Thar is fine. > Is there are way to export a private key with GPGME? Currently, > `gpgme_op_export ()' and friends don't seem to allow for this. No. And we won't add such a feature. This has been discussed here (or at gnupg-devel@) several times. > Also, rather than using `gpgme_op_export ()' and passing it a pattern > (whose format and interpretation are not well documented, BTW), it would For OpenPGP the pattern are the same as what you may use with gpg (e.g. gpg -r PATTERN) > be nice if one could export a specific key: > > gpgme_error_t gpgme_key_export (gpgme_key_t key, int armor, > gpgme_data_t keydata); > Use the fingerprint of the key (hexified). This is the most specific way of identifying a key. Shalom-Salam, Werner From wk at gnupg.org Tue Aug 1 12:13:48 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Aug 1 12:16:54 2006 Subject: [gpgol] plugin hides visibility of internet headers? In-Reply-To: (Bo Berglund's message of "Tue, 01 Aug 2006 11:31:52 +0200") References: Message-ID: <87zmeovk4j.fsf@wheatstone.g10code.de> On Tue, 1 Aug 2006 11:31, Bo Berglund said: > I just installed gpg4win-1.0.4 with the gpgol plugin. > Now I wanted to check a message with the Outlook 2003 function "view > options" where I usually see the trace of the message transfer. > But now the options bottom pane is always empty also for non-encrypted > messages... > Is this caused by GPGOL or something else? I just noticed it after I > installed the gpg4win system.... Interesting. We don't do any specific things to hide them but well, OL is a strange comrade when it comes to plugins. Salam-Shalom, Werner From ludovic.courtes at laas.fr Tue Aug 1 13:49:35 2006 From: ludovic.courtes at laas.fr (Ludovic =?iso-8859-1?Q?Court=E8s?=) Date: Tue Aug 1 13:49:19 2006 Subject: GPGME: Exporting a private key References: <87bqr4desy.fsf@laas.fr> <874pwwwyuk.fsf@wheatstone.g10code.de> Message-ID: <87d5bk8yls.fsf@laas.fr> Hi, Werner Koch writes: > No. And we won't add such a feature. This has been discussed here > (or at gnupg-devel@) several times. I guess you're referring to [0,1]. Sorry, I had not come across them. I do understand the rationale expressed in these messages, but the issue is that other pieces of software may still want to manipulate the secret key themselves. For example, my initial goal was to interface GNUtls' OpenPGP mechanisms with GPGME, and it turns out that a `gnutls_openpgp_privkey_t' can only be initialized from an exported key. Perhaps GNUtls' API should be changed in a way that doesn't assume the ability to read one's private key (perhaps using GPGME)? >> be nice if one could export a specific key: >> >> gpgme_error_t gpgme_key_export (gpgme_key_t key, int armor, >> gpgme_data_t keydata); >> > > Use the fingerprint of the key (hexified). This is the most specific > way of identifying a key. From wk at gnupg.org Tue Aug 1 17:37:08 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Aug 1 19:58:13 2006 Subject: [Announce] GnuPG 1.4.5 released (another security fix) Message-ID: <87y7u8tql7.fsf@wheatstone.g10code.de> Skipped content of type multipart/signed-------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From mchastain at ipowerweb.com Tue Aug 1 20:30:14 2006 From: mchastain at ipowerweb.com (Marcel Chastain - Security Administration) Date: Tue Aug 1 20:22:36 2006 Subject: [Fwd: perl EUID change causing failure] In-Reply-To: <20060801023708.GA3769@jabberwocky.com> References: <44CE660B.7080206@ipowerweb.com> <44CE7FAB.1060803@jrock.us> <44CE9E98.3040502@ipowerweb.com> <20060801023708.GA3769@jabberwocky.com> Message-ID: <44CF9DB6.8000800@ipowerweb.com> David Shaw wrote: > On Mon, Jul 31, 2006 at 05:21:44PM -0700, Marcel Chastain - Security > Administration wrote: > >> Yeah, I already have a workaround in place, I just wanted to report >> it to the community/developers. This is a new bug, and I think they'd >> be interested in why it's happening... Perhaps the gnupg-devel >> mailing list would be better..? >> > > This is not a bug, and it certainly isn't new behavior. GnuPG will > not run if the euid does not match the uid. On a number of platforms, > GnuPG is installed setuid root so it can grab locked/unswappable > memory. Once it has allocated a block of memory, it drops root privs. > To prevent any chance of an attacker fooling the system into letting > it keep root privs, it will halt if euid!=uid. > > David > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > This is certainly a dirty/harsh/feng-shui-less way of failing/exiting. I would expect a normal internal check, and an appropriate error message if this sort of thing is expected, i.e. "Security Violation" or something similar. I mean, if you change the behavior of a program to disallow a certain condition, you test for that condition and exit properly, right..? Perhaps I'm gullible, but when a program tells me "Ohhhh jeeeee: ... this is a bug" I tend to think that it is a bug. But you are right, the program probably thinks that it is being tricked into keeping root privileges, hence the harsh failure and funky message. Thanks for your help. ;-) -- ####################### Marcel C. Security Administration iPower, Inc. From shavital at mac.com Tue Aug 1 20:40:36 2006 From: shavital at mac.com (Charly Avital) Date: Tue Aug 1 20:39:10 2006 Subject: [Announce] GnuPG 1.4.5 released (another security fix) In-Reply-To: <87y7u8tql7.fsf@wheatstone.g10code.de> References: <87y7u8tql7.fsf@wheatstone.g10code.de> Message-ID: <44CFA024.3090501@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Compiled for PPC MacOS 10.4.7 with IDEA. Runs fine. Thanks. Charly Werner Koch wrote the following on 8/1/06 11:37 AM: > Hello! > > We are pleased to announce the availability of a new stable GnuPG > release: Version 1.4.5 > > This is maintenance release to fix a recently detected flaw in the > handling of certain packets, see the NEWS part below. > > UPDATING TO THIS VERSION IS HIGHLY RECOMMENDED! > [...] > Happy Hacking, > > > The GnuPG Team (David, Werner and the other contributors) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) Comment: GnuPG for Privacy Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEVAwUBRM+gGc3GMi2FW4PvAQhbWAf9GZo3V8C+fjJjRADusy2lbi8PWqShoR4c AzQSs4xAbnV/N4+nhPJP/tgKqPVCEpmZM3LFrjXvY+X0dqEupbda5bMlCPhEfQcH sWkJHc7hv/in5YuodZ9nekYEedo3QPw6l1O9fTwPkcCOO8R+2C0uw8Cez2ln9swA GbB71Nz0856KHHqiLJGV1ESXu1bnkBf0s+0+b28L8LwooyRoMyUUXDDOcujOZJY+ k9xmtNy26tNfwtuPTU51IYRkJiBNb7aBwJlT3u4uzjpfJBjGJMMlf23WWj5AeICk K+xNSSjTJpa+50Xf2pp68lqiirSFR+PlvVmdEEI7f9GAy79UdIlfig== =vIhK -----END PGP SIGNATURE----- From bo.berglund at telia.com Tue Aug 1 20:48:24 2006 From: bo.berglund at telia.com (Bo Berglund) Date: Tue Aug 1 20:47:03 2006 Subject: [Announce] GnuPG 1.4.5 released (another security fix) References: <87y7u8tql7.fsf__24036.1977056184$1154455425$gmane$org@wheatstone.g10code.de> Message-ID: On Tue, 01 Aug 2006 17:37:08 +0200, Werner Koch wrote: >Hello! > >We are pleased to announce the availability of a new stable GnuPG >release: Version 1.4.5 > >This is maintenance release to fix a recently detected flaw in the >handling of certain packets, see the NEWS part below. > > UPDATING TO THIS VERSION IS HIGHLY RECOMMENDED! > Is there a new binary version also for gpg4win that includes this release? /Bo From johnmoore3rd at joimail.com Tue Aug 1 20:59:42 2006 From: johnmoore3rd at joimail.com (John W. Moore III) Date: Tue Aug 1 20:58:59 2006 Subject: [Announce] GnuPG 1.4.5 released (another security fix) In-Reply-To: References: <87y7u8tql7.fsf__24036.1977056184$1154455425$gmane$org@wheatstone.g10code.de> Message-ID: <44CFA49E.2040204@joimail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Bo Berglund wrote: > Is there a new binary version also for gpg4win that includes this > release? Not just yet; however, Werner's Release Announcement *did* state that the 'New' gpg4win package _will_ be available very shortly. JOHN :-D Timestamp: Tuesday 01 Aug 2006, 14:58 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5-svn4214: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust (US26): http://www.gswot.org Comment: Homepage: http://tinyurl.com/9ubue Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCgAGBQJEz6SXAAoJEBCGy9eAtCsPsAEH/01hchg7KwB9fXfrd7w+uErp uC3c7B279TjoSRDhwLYIqjtCo4l6ejqMWQwdDvbMGVx3NpctJVBzEA36b+fO5fAz KaVFm49mxM+Fcpnopau0uMAx69OU9VTvl8L3dsDPDAt42UQgvBYqkxz6EktYLHns R7erevYyHl3AUNsGauyunbxrmBbgm+R7sNsmvsBk9ak8y0Jv0Lujs/SBSF5MC4QN WnO3E3yqTqTKQ8rqwjeoLhUcZ2yxN0xB/vBcqqVLYsgdM8/ixfwmFPvk/bZkUAzl sdVusQ494aCsv1z0mchxr7pg9Pvav5u7tFeoPvUazQ5kGipf3bptr1BrYncUWv4= =fdpj -----END PGP SIGNATURE----- From bo.berglund at telia.com Tue Aug 1 22:59:22 2006 From: bo.berglund at telia.com (Bo Berglund) Date: Tue Aug 1 22:58:30 2006 Subject: [gpgol] Swedish characters are mangled or disappear... Message-ID: I have now discovered a new problem with the OL plug-in... It seems to not handle umlauted characters in the mail body very well. I installed GPGOL from gpg4win-1.0.4 and I also have (on my laptop) installed gpg4win-1.0.4 plus the enigmail plugin to Thunderbird. Now for my tests concerning Swedish characters: 1. Written as html mail in Outlook2003 - When received by myself the ?????? characters display just fine. - When received by another person with basically the same setup but with the Windows locale set to US-English the Swedish characters are replaced with jumbled characters (2 or 3, I don't recall). 2. Written as plaintext in Thunderbird - When received in Thunderbird all looks good. - When received with my own Outlook 2003 the Swedish characters are simply gone (disappeared) - I have no response from the US person yet.... /Bo Bo Berglund From dguido at gmail.com Wed Aug 2 00:06:54 2006 From: dguido at gmail.com (Daniel Guido) Date: Wed Aug 2 01:25:38 2006 Subject: solaris certification Message-ID: <9c2204930608011506x1d17cfd0ycc9c86622ed997fd@mail.gmail.com> Can someone update me on the status of certifying GPG to run on Solaris (all versions, all processors)? I'm looking to place GPG into an environment which requires high assurance and I won't do it unless I hear it from the GPG developers themselves that all of GPG's functionality works in the manner it should on Solaris. Thanks! -- Dan Guido From rjh at sixdemonbag.org Wed Aug 2 01:41:35 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed Aug 2 01:40:16 2006 Subject: solaris certification In-Reply-To: <9c2204930608011506x1d17cfd0ycc9c86622ed997fd@mail.gmail.com> References: <9c2204930608011506x1d17cfd0ycc9c86622ed997fd@mail.gmail.com> Message-ID: <44CFE6AF.9090306@sixdemonbag.org> Daniel Guido wrote: > Can someone update me on the status of certifying GPG to run on > Solaris (all versions, all processors)? I'm looking to place GPG into > an environment which requires high assurance and I won't do it unless > I hear it from the GPG developers themselves that all of GPG's > functionality works in the manner it should on Solaris. An answer is already found in the GNU General Public License, where it basically says there is no warranty whatsoever. If you need a single throat to strangle in case things go wrong and your high-availability system goes astray, you may wish to consider contracting with g10 Code, who will be better able to provide you with things like warranties and guarantees of functionality and merchantability. From dshaw at jabberwocky.com Wed Aug 2 02:22:44 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Aug 2 02:21:18 2006 Subject: solaris certification In-Reply-To: <9c2204930608011506x1d17cfd0ycc9c86622ed997fd@mail.gmail.com> References: <9c2204930608011506x1d17cfd0ycc9c86622ed997fd@mail.gmail.com> Message-ID: <20060802002244.GB7139@jabberwocky.com> On Tue, Aug 01, 2006 at 06:06:54PM -0400, Daniel Guido wrote: > Can someone update me on the status of certifying GPG to run on > Solaris (all versions, all processors)? I'm looking to place GPG into > an environment which requires high assurance and I won't do it unless > I hear it from the GPG developers themselves that all of GPG's > functionality works in the manner it should on Solaris. It's hard to fully answer this question. What does "certifying" mean to you? Yes, I am one of the GPG developers, and yes, I say that GPG functions correctly on Solaris. However, why should you trust me? ;) GPG is supported via the community. If you need a higher level of support (i.e. an email address or a phone number you can use and get an guaranteed answer), you might want to take a look at http://www.gnupg.org/service.html where you can contact companies who offer service contracts. David From dguido at gmail.com Wed Aug 2 04:07:49 2006 From: dguido at gmail.com (Daniel Guido) Date: Wed Aug 2 04:06:21 2006 Subject: solaris certification In-Reply-To: <20060802002244.GB7139@jabberwocky.com> References: <9c2204930608011506x1d17cfd0ycc9c86622ed997fd@mail.gmail.com> <20060802002244.GB7139@jabberwocky.com> Message-ID: <9c2204930608011907j1e0642e0p5048788b74300042@mail.gmail.com> (Please correct me where I'm wrong here) I think I can clarify a bit further. My concerns revolve around the RNG in use by GPG prior to Solaris 10 (which comes with functioning /dev/[u]random implementation). There seems to be 2 options if you're using a version prior to Solaris 10: - Use Andreas Maier's SUNrand to emulate /dev/[u]random - Use EGD Despite the great amount of work put into EGD I'd much rather have a /dev/random. Knowing that, I'd like to use Maier's kernel module, but has anyone actually evaluated it and decided that "yes, the output from this module IS random to an acceptable degree and it's acceptable to use it with GPG"? Is there any reason why you would not suggest using that kernel module to support GPG? On 8/1/06, David Shaw wrote: > On Tue, Aug 01, 2006 at 06:06:54PM -0400, Daniel Guido wrote: > > Can someone update me on the status of certifying GPG to run on > > Solaris (all versions, all processors)? I'm looking to place GPG into > > an environment which requires high assurance and I won't do it unless > > I hear it from the GPG developers themselves that all of GPG's > > functionality works in the manner it should on Solaris. > > It's hard to fully answer this question. What does "certifying" mean > to you? Yes, I am one of the GPG developers, and yes, I say that GPG > functions correctly on Solaris. However, why should you trust me? ;) > > GPG is supported via the community. If you need a higher level of > support (i.e. an email address or a phone number you can use and get > an guaranteed answer), you might want to take a look at > http://www.gnupg.org/service.html where you can contact companies who > offer service contracts. > > David > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -- Dan Guido From dguido at gmail.com Wed Aug 2 04:23:54 2006 From: dguido at gmail.com (Daniel Guido) Date: Wed Aug 2 04:22:23 2006 Subject: solaris certification In-Reply-To: <9c2204930608011907j1e0642e0p5048788b74300042@mail.gmail.com> References: <9c2204930608011506x1d17cfd0ycc9c86622ed997fd@mail.gmail.com> <20060802002244.GB7139@jabberwocky.com> <9c2204930608011907j1e0642e0p5048788b74300042@mail.gmail.com> Message-ID: <9c2204930608011923h3eecf8bbiffab9450ae729a74@mail.gmail.com> Ah, even more explanatory is this page: http://www.gnupg.org/(en)/download/supported_systems.html Without forgetting my more specific questions in the last e-mail, what does it take for Solaris to move from the "Other OSs" category to the "Supported Systems" category? On 8/1/06, Daniel Guido wrote: > (Please correct me where I'm wrong here) > > I think I can clarify a bit further. My concerns revolve around the > RNG in use by GPG prior to Solaris 10 (which comes with functioning > /dev/[u]random implementation). > > There seems to be 2 options if you're using a version prior to Solaris 10: > - Use Andreas Maier's SUNrand to emulate /dev/[u]random > - Use EGD > > Despite the great amount of work put into EGD I'd much rather have a > /dev/random. Knowing that, I'd like to use Maier's kernel module, but > has anyone actually evaluated it and decided that "yes, the output > from this module IS random to an acceptable degree and it's acceptable > to use it with GPG"? Is there any reason why you would not suggest > using that kernel module to support GPG? > > On 8/1/06, David Shaw wrote: > > On Tue, Aug 01, 2006 at 06:06:54PM -0400, Daniel Guido wrote: > > > Can someone update me on the status of certifying GPG to run on > > > Solaris (all versions, all processors)? I'm looking to place GPG into > > > an environment which requires high assurance and I won't do it unless > > > I hear it from the GPG developers themselves that all of GPG's > > > functionality works in the manner it should on Solaris. > > > > It's hard to fully answer this question. What does "certifying" mean > > to you? Yes, I am one of the GPG developers, and yes, I say that GPG > > functions correctly on Solaris. However, why should you trust me? ;) > > > > GPG is supported via the community. If you need a higher level of > > support (i.e. an email address or a phone number you can use and get > > an guaranteed answer), you might want to take a look at > > http://www.gnupg.org/service.html where you can contact companies who > > offer service contracts. > > > > David > > > > _______________________________________________ > > Gnupg-users mailing list > > Gnupg-users@gnupg.org > > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > > > -- > Dan Guido > -- Dan Guido From dshaw at jabberwocky.com Wed Aug 2 04:59:17 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Aug 2 04:57:53 2006 Subject: solaris certification In-Reply-To: <9c2204930608011907j1e0642e0p5048788b74300042@mail.gmail.com> References: <9c2204930608011506x1d17cfd0ycc9c86622ed997fd@mail.gmail.com> <20060802002244.GB7139@jabberwocky.com> <9c2204930608011907j1e0642e0p5048788b74300042@mail.gmail.com> Message-ID: <20060802025917.GD7139@jabberwocky.com> On Tue, Aug 01, 2006 at 10:07:49PM -0400, Daniel Guido wrote: > (Please correct me where I'm wrong here) > > I think I can clarify a bit further. My concerns revolve around the > RNG in use by GPG prior to Solaris 10 (which comes with functioning > /dev/[u]random implementation). > > There seems to be 2 options if you're using a version prior to Solaris 10: > - Use Andreas Maier's SUNrand to emulate /dev/[u]random > - Use EGD > > Despite the great amount of work put into EGD I'd much rather have a > /dev/random. Knowing that, I'd like to use Maier's kernel module, but > has anyone actually evaluated it and decided that "yes, the output > from this module IS random to an acceptable degree and it's acceptable > to use it with GPG"? Is there any reason why you would not suggest > using that kernel module to support GPG? No reason from the GPG perspective: meaning that GPG should automatically detect that /dev/[u]random exists at ./configure time and build in the necessary code to talk to it, but also meaning that you need to decide whether SUNrand is something you want to use. I don't mean this to imply that SUNrand is bad or weak or anything like that, just that nobody can make this decision for you. You might want to play around with http://www.fourmilab.ch/random/ David From wk at gnupg.org Wed Aug 2 08:55:29 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Aug 2 09:01:16 2006 Subject: [gpgol] Swedish characters are mangled or disappear... In-Reply-To: (Bo Berglund's message of "Tue, 01 Aug 2006 22:59:22 +0200") References: Message-ID: <87hd0vtyn2.fsf@wheatstone.g10code.de> On Tue, 1 Aug 2006 22:59, Bo Berglund said: > 1. Written as html mail in Outlook2003 > - When received by myself the ?????? characters display just fine. > - When received by another person with basically the same setup but > with the Windows locale set to US-English the Swedish characters are > replaced with jumbled characters (2 or 3, I don't recall). GPGol assumes UTF-8 encoding for all mails. I think this is a reasonable assumption today and frankly I have not tested it with other locales. > 2. Written as plaintext in Thunderbird > - When received in Thunderbird all looks good. > - When received with my own Outlook 2003 the Swedish characters are > simply gone (disappeared) > - I have no response from the US person yet.... Similar problem, we assume UTF-8 but receive Latin-foo. It should be possible to use the OpenPGP armor header Charset to tell the receiving side about the sued charset and then translate the body. Quite some work, though. Shalom-Salam, Werner From wk at gnupg.org Wed Aug 2 08:56:09 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Aug 2 09:01:27 2006 Subject: [Announce] GnuPG 1.4.5 released (another security fix) In-Reply-To: <44CFA49E.2040204@joimail.com> (John W. Moore, III's message of "Tue, 01 Aug 2006 14:59:42 -0400") References: <87y7u8tql7.fsf__24036.1977056184$1154455425$gmane$org@wheatstone.g10code.de> <44CFA49E.2040204@joimail.com> Message-ID: <87d5bjtyly.fsf@wheatstone.g10code.de> On Tue, 1 Aug 2006 20:59, John W. Moore III said: > Not just yet; however, Werner's Release Announcement *did* state that > the 'New' gpg4win package _will_ be available very shortly. Working on it right now. Salam-Shalom, Werner From wk at gnupg.org Wed Aug 2 09:02:40 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Aug 2 09:06:15 2006 Subject: GPGME: Exporting a private key In-Reply-To: <87d5bk8yls.fsf@laas.fr> (Ludovic =?utf-8?Q?Court=C3=A8s's?= message of "Tue, 01 Aug 2006 13:49:35 +0200") References: <87bqr4desy.fsf@laas.fr> <874pwwwyuk.fsf@wheatstone.g10code.de> <87d5bk8yls.fsf@laas.fr> Message-ID: <878xm7tyb3.fsf@wheatstone.g10code.de> On Tue, 1 Aug 2006 13:49, Ludovic Court?s said: > For example, my initial goal was to interface GNUtls' OpenPGP mechanisms > with GPGME, and it turns out that a `gnutls_openpgp_privkey_t' can only > be initialized from an exported key. Perhaps GNUtls' API should be That makes sense as along as you don't want to closely integrate gpg and gnutls. > changed in a way that doesn't assume the ability to read one's private > key (perhaps using GPGME)? I need to look closer at the API and discuss this with the gnutls folks. >>From the GPGME user's viewpoint, the most specific way of identifying a > key is its `gpgme_key_t' object, even if, behind the scene, it all boils > down to using the key's fingerprint. Yes, sure. The API is pretty old and used to be an ad-hoc approach which truned out to be pretty usable. Marcus, can you please check whether e can provide a second API passing a key_t? Shalom-Salam, Werner From ludovic.courtes at laas.fr Wed Aug 2 10:12:30 2006 From: ludovic.courtes at laas.fr (Ludovic =?iso-8859-1?Q?Court=E8s?=) Date: Wed Aug 2 10:11:46 2006 Subject: GPGME: Exporting a private key References: <87bqr4desy.fsf@laas.fr> <874pwwwyuk.fsf@wheatstone.g10code.de> <87d5bk8yls.fsf@laas.fr> <878xm7tyb3.fsf@wheatstone.g10code.de> Message-ID: <87hd0v4kup.fsf@laas.fr> Hi, Werner Koch writes: > On Tue, 1 Aug 2006 13:49, Ludovic Court?s said: > >> For example, my initial goal was to interface GNUtls' OpenPGP mechanisms >> with GPGME, and it turns out that a `gnutls_openpgp_privkey_t' can only >> be initialized from an exported key. Perhaps GNUtls' API should be > > That makes sense as along as you don't want to closely integrate gpg > and gnutls. I'd love to closely integrate GPG and GNUtls but the current situation doesn't allow me to do any better than what I outlined above. Concretely, I resorted to exporting both the public key and private key with GPG, putting them into files (hmm...) and feeding those files to GNUtls (via `gnutls_certificate_set_openpgp_key_file ()'). This is indeed not ideal. ;-) But this is getting a bit off-topic. Thanks, Ludovic. From wk at gnupg.org Wed Aug 2 10:08:56 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Aug 2 10:25:32 2006 Subject: [Announce] Gpg4win 1.0.5 released (security fix) Message-ID: <874pwvtv8n.fsf@wheatstone.g10code.de> Skipped content of type multipart/signed-------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From wk at gnupg.org Wed Aug 2 10:39:39 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Aug 2 10:41:15 2006 Subject: GPGME: Exporting a private key In-Reply-To: <87hd0v4kup.fsf@laas.fr> (Ludovic =?utf-8?Q?Court=C3=A8s's?= message of "Wed, 02 Aug 2006 10:12:30 +0200") References: <87bqr4desy.fsf@laas.fr> <874pwwwyuk.fsf@wheatstone.g10code.de> <87d5bk8yls.fsf@laas.fr> <878xm7tyb3.fsf@wheatstone.g10code.de> <87hd0v4kup.fsf@laas.fr> Message-ID: <87zmensf90.fsf@wheatstone.g10code.de> On Wed, 2 Aug 2006 10:12, Ludovic Court?s said: > Concretely, I resorted to exporting both the public key and private key > with GPG, putting them into files (hmm...) and feeding those files to > GNUtls (via `gnutls_certificate_set_openpgp_key_file ()'). This is > indeed not ideal. ;-) As long as we are not talking about servers, I envision gnutls directly talking to gpg-agent and having gpg-agent do ths private key operation. This has the extra advantage of instantly allowing the use of a smart card. Actually the same can be done for keys from an X.509 certificate - gpg-agent does not even know about the protocol, it only does the lower layer pkcs#1 stuff. Salam-Shalom, Werner From bo.berglund at telia.com Wed Aug 2 11:52:17 2006 From: bo.berglund at telia.com (Bo Berglund) Date: Wed Aug 2 11:52:12 2006 Subject: [gpgol] Swedish characters are mangled or disappear... References: <87hd0vtyn2.fsf@wheatstone.g10code.de> Message-ID: On Wed, 02 Aug 2006 08:55:29 +0200, Werner Koch wrote: >On Tue, 1 Aug 2006 22:59, Bo Berglund said: > >> 1. Written as html mail in Outlook2003 >> - When received by myself the ?????? characters display just fine. >> - When received by another person with basically the same setup but >> with the Windows locale set to US-English the Swedish characters are >> replaced with jumbled characters (2 or 3, I don't recall). > >GPGol assumes UTF-8 encoding for all mails. I think this is a >reasonable assumption today and frankly I have not tested it with >other locales. > >> 2. Written as plaintext in Thunderbird >> - When received in Thunderbird all looks good. >> - When received with my own Outlook 2003 the Swedish characters are >> simply gone (disappeared) >> - I have no response from the US person yet.... > >Similar problem, we assume UTF-8 but receive Latin-foo. > >It should be possible to use the OpenPGP armor header Charset to tell >the receiving side about the sued charset and then translate the >body. Quite some work, though. > You are right! When I explicitly set Thunderbird to encode UTF-8 then the characters do not get mangled! Thanks :-) By default Thunderbird seems to encode Western ISO 8859-1. I have to look in the settings to see if I can set UTF-8 as the default in Thunderbird. I will also need to know where to set the character encoding default in Outlook 2003 of course (probably a lot harder to circumvent Microsofts Intelli(non)sense....) /Bo From bo.berglund at telia.com Wed Aug 2 11:59:48 2006 From: bo.berglund at telia.com (Bo Berglund) Date: Wed Aug 2 11:58:48 2006 Subject: [gpgol] Swedish characters are mangled or disappear... References: <87hd0vtyn2.fsf@wheatstone.g10code.de> Message-ID: <3ot0d21kch4eh6vhp0c60nbucj83n8erdj@4ax.com> On Wed, 02 Aug 2006 08:55:29 +0200, Werner Koch wrote: >On Tue, 1 Aug 2006 22:59, Bo Berglund said: >> 2. Written as plaintext in Thunderbird >> - When received in Thunderbird all looks good. >> - When received with my own Outlook 2003 the Swedish characters are >> simply gone (disappeared) >> - I have no response from the US person yet.... > >Similar problem, we assume UTF-8 but receive Latin-foo. > Tried to find somewhere to set the default encoding in Thunderbird but no matter what I do it still uses Western on a new message so I have to remember always to manually set it to UTF-8. What a drag! Is there anyone here who knows Thunderbird on the Windows platform and can tell me how to change the default encoding to UTF-8??? /Bo From dshaw at jabberwocky.com Wed Aug 2 18:10:04 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Aug 2 18:08:52 2006 Subject: [Fwd: perl EUID change causing failure] In-Reply-To: <44CF9DB6.8000800@ipowerweb.com> References: <44CE660B.7080206@ipowerweb.com> <44CE7FAB.1060803@jrock.us> <44CE9E98.3040502@ipowerweb.com> <20060801023708.GA3769@jabberwocky.com> <44CF9DB6.8000800@ipowerweb.com> Message-ID: <20060802161004.GA27352@jabberwocky.com> On Tue, Aug 01, 2006 at 11:30:14AM -0700, Marcel Chastain - Security Administration wrote: > David Shaw wrote: > >On Mon, Jul 31, 2006 at 05:21:44PM -0700, Marcel Chastain - Security > >Administration wrote: > > > >>Yeah, I already have a workaround in place, I just wanted to report > >>it to the community/developers. This is a new bug, and I think they'd > >>be interested in why it's happening... Perhaps the gnupg-devel > >>mailing list would be better..? > >> > > > >This is not a bug, and it certainly isn't new behavior. GnuPG will > >not run if the euid does not match the uid. On a number of platforms, > >GnuPG is installed setuid root so it can grab locked/unswappable > >memory. Once it has allocated a block of memory, it drops root privs. > >To prevent any chance of an attacker fooling the system into letting > >it keep root privs, it will halt if euid!=uid. > This is certainly a dirty/harsh/feng-shui-less way of > failing/exiting. It is, yes. > Perhaps I'm gullible, but when a program tells me > > "Ohhhh jeeeee: ... this is a bug" > > I tend to think that it is a bug. > > But you are right, the program probably thinks that it is being tricked > into keeping root privileges, hence the harsh failure and funky message. That's exactly the reason. That assertion was put in to prevent a possible root privilege elevation if someone managed to trick the memory locking code. You're the first person that I recall hitting that assertion under normal operation. David From dshaw at jabberwocky.com Wed Aug 2 18:13:49 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Aug 2 18:13:06 2006 Subject: Security of truncated hash functions In-Reply-To: <44CB30C2.6000607@gmail.com> References: <44CB2998.9000704@tiscali.it> <44CB30C2.6000607@gmail.com> Message-ID: <20060802161349.GB27352@jabberwocky.com> On Sat, Jul 29, 2006 at 07:26:18PM +0930, Alphax wrote: > Qed wrote: > > Suppose you need a 160 bit digest. > > You can choose RIPEMD160/SHA1 or a truncated version of a bigger one > > (e.g.: SHA2 family). > > Which solution would be safer? > > Is a digest algo designed for a given length stronger than a truncated > > longer one? > > > > Since you're asking about 160-bit hashes on the GnuPG mailing list, I'll > assume that you're asking about using the "DSA2" option to use truncated > hashes with DSA keys that have q=160. > > Now, I could be completely wrong, but "common sense" seems to suggest > that there's no reason why it's any safer; in fact, you may be worse off. Note, though, that NIST explicitly allows (i.e. requires) hash truncation in the new DSA spec. At least in the context of DSA, the official answer is that either a full SHA1 or a truncated SHA256 is roughly of the same safety. David From dshaw at jabberwocky.com Wed Aug 2 18:25:21 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Aug 2 18:23:59 2006 Subject: Security of truncated hash functions In-Reply-To: <20060802161349.GB27352@jabberwocky.com> References: <44CB2998.9000704@tiscali.it> <44CB30C2.6000607@gmail.com> <20060802161349.GB27352@jabberwocky.com> Message-ID: <20060802162521.GC27352@jabberwocky.com> On Wed, Aug 02, 2006 at 12:13:49PM -0400, David Shaw wrote: > On Sat, Jul 29, 2006 at 07:26:18PM +0930, Alphax wrote: > > Qed wrote: > > > Suppose you need a 160 bit digest. > > > You can choose RIPEMD160/SHA1 or a truncated version of a bigger one > > > (e.g.: SHA2 family). > > > Which solution would be safer? > > > Is a digest algo designed for a given length stronger than a truncated > > > longer one? > > > > > > > Since you're asking about 160-bit hashes on the GnuPG mailing list, I'll > > assume that you're asking about using the "DSA2" option to use truncated > > hashes with DSA keys that have q=160. > > > > Now, I could be completely wrong, but "common sense" seems to suggest > > that there's no reason why it's any safer; in fact, you may be worse off. > > Note, though, that NIST explicitly allows (i.e. requires) hash > truncation in the new DSA spec. At least in the context of DSA, the > official answer is that either a full SHA1 or a truncated SHA256 is > roughly of the same safety. Er, sorry. That should be "either a truncated SHA256 or a truncated SHA512 is roughly of the same safety". David From rubis.paul at gmail.com Mon Aug 7 04:37:17 2006 From: rubis.paul at gmail.com (Rubis Paul) Date: Mon Aug 7 05:50:45 2006 Subject: test Message-ID: <32f8dcde0608061937s7c471616ud373636d784abb1e@mail.gmail.com> test From rubis.paul at gmail.com Mon Aug 7 04:39:28 2006 From: rubis.paul at gmail.com (Rubis Paul) Date: Mon Aug 7 05:50:49 2006 Subject: Key Certificates in GNUPG Message-ID: <32f8dcde0608061939g262e3aadmffe3ba85879461cf@mail.gmail.com> Hi , I am trying to generate some RSA keys and store them as certificates. I am using libgcrypt library to generate RSA keys. a. Is there any function in Libgrypt or Libksba to generate certificates ? b. in the source directory of GNUPG, i can see certlist.c, certreqgen.c etc under the 'sm' directory using structures defiened in ksba.h file for creating certificate. Is there any format defined for the certificate ? if yes, where i can see that ? also if i want to store it on my own format , what are the implications? c. I am really new to this. Could some one tell me what exactly i have to do in order to store RSA keys generated using libgcrypt as a certificate. Thanks in advance, rubis From bo.berglund at telia.com Tue Aug 8 23:13:32 2006 From: bo.berglund at telia.com (Bo Berglund) Date: Tue Aug 8 23:13:01 2006 Subject: [gpgol] Plugin handling of messages.... Message-ID: I am using the GPGol plugin from gpg4win-1.0.4. While testing GPGol I have noticed a few strange phenomena as follows: Message saved decrypted ------------------------ 1) I receive an encrypted message 2) I use the decrypt button to decypt it 3) My passphrase is required for decryption (OK) 4) After reading I close the message window 5) A while later I again open the message and now it is no longer encrypted!!!! It appears immediately with the clear text! So I thought that the passphrase maybe was cached and used automatically. So I closed Outlook and waited several hours and then again started OL 2003 and opened the message, but it still popped up in cleartext! However, this does not happen to all messages I receive as GPG messages. Some of them behave like I expected (decryption is only for viewing and does not alter the data saved in the PST file). It might be so that plaintext messages are OK whereas HTML messages are autosaved after decryption. Replies do not encrypt ---------------------- As a variation to the above I did this: 1-2-3 as above 4) Now with decrypted message visible I hit the Reply button 5) I see my own cleartext mail signature and the message I am replying to in a PGP block. 6) The encryption button is depressed indicating that the message will be encrypted. 7) I add a bit of text and send the message out. 8) When I look at the message in my sent items folder it is *not* encrypted, i.e. the original PGP block is there but the text I added is not encrypted. The person I sent to also see my added text as cleartext and his own original text as a PGP block. It really looks like the existence of a PGP block *within* a larger message that precedes the block with cleartext inhibits the encryption on send. Maybe the plugin checks if the message is already encrypted by checking for the existence of a PGP block? Recipient with unknown public key causes Outlook crash ------------------------------------------------------ I tried to send a message for testing the reply issue where I included one of my email addresses as recipient even though I have not associated a public key to that address. I did this to really see what was being sent. But what happened was that when I clicked the send button GPGol popped up a dialog where it told me that one recipient was not found (expected). When I clicked OK it said that I should select a recipient key first. So I did this but it still came back to the same message (obviously there was no matching key). So I clicked cancel instead, but this brought up a dioalogue telling me that if I cancel then the message will be sent *unencrypted*!!!! So now I could not use the OK button because of the missing key and not use Cancel because the least I want is to send the message unencrypted!!! So I used the X button in the upper right corner of the dialog instead. This produced a message saying something like "bad passphrase" and when I clicked OK on that Outlook2003 crashed and offered to send a debug message to Microsoft!!! Why did this happen? The message should be encrypted and there are at least two keys to use (the recipient and my own key). The fact that the Cc address was not associated with a valid key is no excuse for not encrypting the message, and there should *never* be a fallback to sending the message in cleartext. :-( Are there settings somewhere that I have missed for this? I found the GPGol settings in the Outlok Tools/Options/GnuPG and I have made sure that all the checkboxes are unchecked. Issues: - Decryption of messages seem permanent at least for certain types - Replies do not encrypt even though the encrypt button is activated - Unacceptable handling when a recipient key is not known /Bo Bo Berglund From rubis.paul at gmail.com Wed Aug 9 03:45:46 2006 From: rubis.paul at gmail.com (Rubis Paul) Date: Wed Aug 9 03:44:19 2006 Subject: Key Certificates in GNUPG In-Reply-To: <32f8dcde0608061939g262e3aadmffe3ba85879461cf@mail.gmail.com> References: <32f8dcde0608061939g262e3aadmffe3ba85879461cf@mail.gmail.com> Message-ID: <32f8dcde0608081845v791c40eaj752c8cf37bca8971@mail.gmail.com> Resending due to no repsonse..... On 8/7/06, Rubis Paul wrote: > Hi , > I am trying to generate some RSA keys and store them as > certificates. I am using libgcrypt library to generate RSA keys. > > a. Is there any function in Libgrypt or Libksba to generate certificates ? > > b. in the source directory of GNUPG, i can see certlist.c, > certreqgen.c etc under the 'sm' directory using structures defiened in > ksba.h file for creating certificate. Is there any format defined for > the certificate ? if yes, where i can see that ? also if i want to > store it on my own format , what are the implications? > > c. I am really new to this. Could some one tell me what exactly i have > to do in order to store RSA keys generated using libgcrypt as a > certificate. > > Thanks in advance, > rubis > From wk at gnupg.org Wed Aug 9 08:46:33 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Aug 9 08:51:35 2006 Subject: Key Certificates in GNUPG In-Reply-To: <32f8dcde0608061939g262e3aadmffe3ba85879461cf@mail.gmail.com> (Rubis Paul's message of "Mon, 7 Aug 2006 08:09:28 +0530") References: <32f8dcde0608061939g262e3aadmffe3ba85879461cf@mail.gmail.com> Message-ID: <87oduue792.fsf@wheatstone.g10code.de> On Mon, 7 Aug 2006 04:39, Rubis Paul said: > a. Is there any function in Libgrypt or Libksba to generate certificates ? Not yet. We don't have a need for it right now. For CA software you need more than just the ability to create a certificate. > b. in the source directory of GNUPG, i can see certlist.c, > certreqgen.c etc under the 'sm' directory using structures defiened in > ksba.h file for creating certificate. Is there any format defined for No gpgsm creates pkcs#10 requests. These are requests to a CA to create a certificate from the request. > c. I am really new to this. Could some one tell me what exactly i have > to do in order to store RSA keys generated using libgcrypt as a > certificate. www.cacert.org ? Salam-Shalom, Werner From jas at extundo.com Wed Aug 9 16:40:46 2006 From: jas at extundo.com (Simon Josefsson) Date: Wed Aug 9 18:06:53 2006 Subject: Key Certificates in GNUPG In-Reply-To: <87oduue792.fsf@wheatstone.g10code.de> (Werner Koch's message of "Wed, 09 Aug 2006 08:46:33 +0200") References: <32f8dcde0608061939g262e3aadmffe3ba85879461cf@mail.gmail.com> <87oduue792.fsf@wheatstone.g10code.de> Message-ID: <87u04m6kgh.fsf@latte.josefsson.org> Werner Koch writes: > On Mon, 7 Aug 2006 04:39, Rubis Paul said: > >> a. Is there any function in Libgrypt or Libksba to generate certificates ? > > Not yet. We don't have a need for it right now. For CA software you > need more than just the ability to create a certificate. There is a tool 'certtool' in GnuTLS though, which can generate X.509 certificates. It uses libgcrypt. /Simon From JPClizbe at comcast.net Thu Aug 10 07:01:55 2006 From: JPClizbe at comcast.net (John Clizbe) Date: Thu Aug 10 07:32:01 2006 Subject: Key Certificates in GNUPG In-Reply-To: <87oduue792.fsf@wheatstone.g10code.de> References: <32f8dcde0608061939g262e3aadmffe3ba85879461cf@mail.gmail.com> <87oduue792.fsf@wheatstone.g10code.de> Message-ID: <44DABDC3.5090901@comcast.net> Werner Koch wrote: > On Mon, 7 Aug 2006 04:39, Rubis Paul said: >> c. I am really new to this. Could some one tell me what exactly i have >> to do in order to store RSA keys generated using libgcrypt as a >> certificate. > > www.cacert.org ? cacert is an excellent suggestion for setting up a CA. And the code is available for use by others. -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 662 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060810/8095cd14/signature.pgp From vinod.jacob at gmail.com Thu Aug 10 13:24:50 2006 From: vinod.jacob at gmail.com (Vinod Jacob) Date: Thu Aug 10 14:49:07 2006 Subject: encrypt/sign 2048 bit RSA key using another Rsa 2048 bit Key Message-ID: <8a4271520608100424v291c1067wc3a7c07ab99035ba@mail.gmail.com> Hi, I am using libgcrypt 2048 bit encryption. what is the maximum size of the buffer that i can encrypt using 2048 bit key.is it 2048 bit ? I am getting incorrect values when i try to encrypt a buffer of size( more that 2048 bit ). Encryption/decryption function is success .But when i tried to print the decrypted buffer , it is showing different values. so what i needs to do if ,1 want to encrypt buffer of large size ? (i know we can encrypt large buffer using AES and encrypt AEs keys using RSA ).But my requirement is to encrypt large buffer using RSA . Let me try to explain what i am trying to do in more detail, I have to encrypt/sign Rsa ( 2048 bit) keys using another Rsa 2048 bit Key say Entity A there is one Rsa Keys A_pub_key & A_sec_key and say Entity b there is one Rsa keys B_pub_key & B_sec_key i want to encrypt A_sec_key using B_pub_key is it possible ? how i have to do encrypt a RSA key using another RSA key ? Do i need to take each mpi values and do encryption ? is it posssible to concate each mpi value and encrypt it? here is the piece of the code i am using, ============================== if(gcry_ac_open(&GcryptRsaHd, GCRY_AC_RSA, 0)!=0) { printf (" Gcrypt RSA Cipher Open : %s\n", gpg_strerror(GcryptErrVal) ); //return RSA_CIPHER_OPEN_FAILURE ; } data = gcry_ac_key_data_get(RsaKey); for (i = 0; i < gcry_ac_data_length(data); i++) { gcry_ac_data_get_index(data, 0 , i, &sName[i], &mpiTemp[i]); printf(" MPI %s Bits : %d \n" ,sName[i] ,gcry_mpi_get_nbits(mpiTemp[i])); GcryptErrVal = gcry_ac_data_encrypt( GcryptRsaHd ,/*GCRY_AC_FLAG_NO_BLINDING*/0,tGcryptRsaPubKey,mpiTemp[i],&GcryptEncryptData[i]); if ( GcryptErrVal ) { printf (" KeyEncryption : %s :%s \n",gpg_strerror( GcryptErrVal ), gpg_strsource( GcryptErrVal )); gcry_ac_close(GcryptRsaHd); //return SECURITY_FAILURE; } else { printf("KeyEncryption : %s \n",gpg_strerror( GcryptErrVal )); } } printf(":::::::::::key Decryption function ::::::::::::::::::::::::\n"); GcryptErrVal = gcry_ac_data_new( &GcryptDecryptedData); for (i=0 ;i<6; i++) { GcryptErrVal = gcry_ac_data_decrypt(GcryptRsaHd ,0/*GCRY_AC_FLAG_NO_BLINDING*/,tGcryptRsaSecKey ,&mpiTemp2[i],GcryptEncryptData[i]); if ( GcryptErrVal ) { printf (" KeyDecryption : %s :%s \n",gpg_strerror( GcryptErrVal ), gpg_strsource( GcryptErrVal )); //return SECURITY_FAILURE; } else { printf (" KeyDecryption : %s \n",gpg_strerror( GcryptErrVal )); printf(" MPI %s Bits : %d \n" ,sName[i] ,gcry_mpi_get_nbits(mpiTemp2[i])); if(gcry_mpi_cmp(mpiTemp[i],mpiTemp2[i] )==0) { printf ("MPI cmp success \n"); } else printf ("*********MPI CMP FAILURE ***********\n"); if (gcry_ac_data_set(GcryptDecryptedData, GCRY_AC_FLAG_COPY,/*RsaKeyMpiNames[i]*/sName[i], mpiTemp2[i])) { gcry_ac_close(GcryptRsaHd); gcry_mpi_release(mpiTemp2[i]); //return -3; } gcry_mpi_release(mpiTemp2[i]); } } gcry_ac_key_init(&GcryptTestKey,GcryptRsaHd,GCRY_AC_KEY_SECRET , GcryptDecryptedData); GcryptErrVal = gcry_ac_key_test(GcryptRsaHd ,GcryptTestKey ); if(GcryptErrVal) { printf ("********** Testing Rsa Secret Key : %s\n",gpg_strerror( GcryptErrVal ),gpg_strsource( GcryptErrVal )); gcry_ac_close(GcryptRsaHd); //return RSA_KEY_TEST_FAILURE; /* TBC */ } else printf ("************Testing Rsa Secret Key : %s\n",gpg_strerror( GcryptErrVal ),gpg_strsource( GcryptErrVal )); But I am getting out put KeyEncryption : Success MPI e Bits : 6 KeyEncryption : Success MPI d Bits : 2041 KeyEncryption : Success MPI p Bits : 1024 KeyEncryption : Success MPI q Bits : 1024 KeyEncryption : Success MPI u Bits : 1024 KeyEncryption : Success :::::::::::key Decryption function :::::::::::::::::::::::: KeyDecryption : Success MPI n Bits : 0 *********MPI CMP FAILURE *********** KeyDecryption : Success MPI e Bits : 6 MPI cmp success KeyDecryption : Success MPI d Bits : 2041 MPI cmp success KeyDecryption : Success MPI p Bits : 1024 MPI cmp success KeyDecryption : Success MPI q Bits : 1024 MPI cmp success KeyDecryption : Success MPI u Bits : 1024 MPI cmp success ********** Testing Rsa Secret Key : Invalid public key algorithm What is the problem ? could some one help me in solving this one ? thanks Vinod From vinod.jacob at gmail.com Thu Aug 10 14:25:55 2006 From: vinod.jacob at gmail.com (Vinod Jacob) Date: Thu Aug 10 14:49:29 2006 Subject: encrypt/sign 2048 bit RSA key using another Rsa 2048 bit Key Message-ID: <8a4271520608100525p3c617ee5g301d31ccdc13707@mail.gmail.com> Hi, I am using libgcrypt 2048 bit encryption. what is the maximum size of the buffer that i can encrypt using 2048 bit key.is it 2048 bit ? I am getting incorrect values when i try to encrypt a buffer of size more that 2048 bit . Encryption/decryption function is successfully finishing .But when i tried to print the decrypted buffer , it is showing different values. so what would i need to do, if , I want to encrypt buffer of large size ? (i know we can encrypt large buffer using AES and encrypt AEs keys using RSA ).But my requirement is to encrypt large buffer using RSA . Let me try to explain what i am trying to do in more detail. I have to encrypt/sign Rsa ( 2048 bit) keys using another Rsa 2048 bit Key let's say Entity A there is one Rsa Keys A_pub_key & A_sec_key and say Entity b there is one Rsa keys B_pub_key & B_sec_key Now i want to encrypt A_sec_key using B_pub_key. is this possible ? how to encrypt RSA key using another RSA key ? Do i need to take each mpi values and do encryption ? is it posssible to concate each mpi value and then encrypt it? here is the piece of the code i am using, ============================== if(gcry_ac_open(&GcryptRsaHd, GCRY_AC_RSA, 0)!=0) { printf (" Gcrypt RSA Cipher Open : %s\n", gpg_strerror(GcryptErrVal) ); //return RSA_CIPHER_OPEN_FAILURE ; } data = gcry_ac_key_data_get(RsaKey); for (i = 0; i < gcry_ac_data_length(data); i++) { gcry_ac_data_get_index(data, 0 , i, &sName[i], &mpiTemp[i]); printf(" MPI %s Bits : %d \n" ,sName[i] ,gcry_mpi_get_nbits(mpiTemp[i])); GcryptErrVal = gcry_ac_data_encrypt( GcryptRsaHd ,/*GCRY_AC_FLAG_NO_BLINDING*/0,tGcryptRsaPubKey,mpiTemp[i],&GcryptEncryptData[i]); if ( GcryptErrVal ) { printf (" KeyEncryption : %s :%s \n",gpg_strerror( GcryptErrVal ), gpg_strsource( GcryptErrVal )); gcry_ac_close(GcryptRsaHd); //return SECURITY_FAILURE; } else { printf("KeyEncryption : %s \n",gpg_strerror( GcryptErrVal )); } } printf(":::::::::::key Decryption function ::::::::::::::::::::::::\n"); GcryptErrVal = gcry_ac_data_new( &GcryptDecryptedData); for (i=0 ;i<6; i++) { GcryptErrVal = gcry_ac_data_decrypt(GcryptRsaHd ,0/*GCRY_AC_FLAG_NO_BLINDING*/,tGcryptRsaSecKey ,&mpiTemp2[i],GcryptEncryptData[i]); if ( GcryptErrVal ) { printf (" KeyDecryption : %s :%s \n",gpg_strerror( GcryptErrVal ), gpg_strsource( GcryptErrVal )); //return SECURITY_FAILURE; } else { printf (" KeyDecryption : %s \n",gpg_strerror( GcryptErrVal )); printf(" MPI %s Bits : %d \n" ,sName[i] ,gcry_mpi_get_nbits(mpiTemp2[i])); if(gcry_mpi_cmp(mpiTemp[i],mpiTemp2[i] )==0) { printf ("MPI cmp success \n"); } else printf ("*********MPI CMP FAILURE ***********\n"); if (gcry_ac_data_set(GcryptDecryptedData, GCRY_AC_FLAG_COPY,/*RsaKeyMpiNames[i]*/sName[i], mpiTemp2[i])) { gcry_ac_close(GcryptRsaHd); gcry_mpi_release(mpiTemp2[i]); //return -3; } gcry_mpi_release(mpiTemp2[i]); } } gcry_ac_key_init(&GcryptTestKey,GcryptRsaHd,GCRY_AC_KEY_SECRET , GcryptDecryptedData); GcryptErrVal = gcry_ac_key_test(GcryptRsaHd ,GcryptTestKey ); if(GcryptErrVal) { printf ("********** Testing Rsa Secret Key : %s\n",gpg_strerror( GcryptErrVal ),gpg_strsource( GcryptErrVal )); gcry_ac_close(GcryptRsaHd); //return RSA_KEY_TEST_FAILURE; /* TBC */ } else printf ("************Testing Rsa Secret Key : %s\n",gpg_strerror( GcryptErrVal ),gpg_strsource( GcryptErrVal )); And this is the output.. ============== KeyEncryption : Success MPI e Bits : 6 KeyEncryption : Success MPI d Bits : 2041 KeyEncryption : Success MPI p Bits : 1024 KeyEncryption : Success MPI q Bits : 1024 KeyEncryption : Success MPI u Bits : 1024 KeyEncryption : Success :::::::::::key Decryption function :::::::::::::::::::::::: KeyDecryption : Success MPI n Bits : 0 *********MPI CMP FAILURE *********** KeyDecryption : Success MPI e Bits : 6 MPI cmp success KeyDecryption : Success MPI d Bits : 2041 MPI cmp success KeyDecryption : Success MPI p Bits : 1024 MPI cmp success KeyDecryption : Success MPI q Bits : 1024 MPI cmp success KeyDecryption : Success MPI u Bits : 1024 MPI cmp success ********** Testing Rsa Secret Key : Invalid public key algorithm What is that i am missing here? could some one help me in solving this one ? thanks Vinod From Thomas.Necker at marconi.com Thu Aug 10 17:24:25 2006 From: Thomas.Necker at marconi.com (Thomas Necker) Date: Thu Aug 10 19:29:03 2006 Subject: Export-Classification Message-ID: Hello For the purpose of doing an export classification of GnuPG (actually only gpgv) I had some discussions whether GnuPG is of "US origin" or not. Can somebody tell me whether GnuPG contains parts originating from the US? Thanks in advance. Thomas From rubis.paul at gmail.com Thu Aug 10 19:47:22 2006 From: rubis.paul at gmail.com (Rubis Paul) Date: Thu Aug 10 19:46:06 2006 Subject: AES 256 bit key generation Message-ID: <32f8dcde0608101047u1edbc30fj6ac98f4f3acec08e@mail.gmail.com> Hi all, I want to create as AEs key of size 256 bits.is there any function in libgcrypt to generate AES key ? Now i am using libgcrypt random number generation to create an AES key .is this correct ? I am sedning my code //Symmetric key generation (128 bit) printf("Generating symmetric key (128 bit)...\n"); //Allocate a byte-array for holding the key unsigned char* key = (unsigned char*) malloc(BLOCKSIZE*sizeof(char)); //Use secure random number generation gcry_randomize(key, BLOCKSIZE, GCRY_STRONG_RANDOM); printf("Setting the key...\n"); err = gcry_cipher_setkey(hd, key, BLOCKSIZE); is this the corret way of generating AES key ? what is the best mode of AES encryption ( like , GCRY_CIPHER_MODE_CFB, etc) ? Thanks Rubis From dshaw at jabberwocky.com Thu Aug 10 19:49:42 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Aug 10 19:48:13 2006 Subject: Export-Classification In-Reply-To: References: Message-ID: <20060810174942.GC12275@jabberwocky.com> On Thu, Aug 10, 2006 at 05:24:25PM +0200, Thomas Necker wrote: > Hello > > For the purpose of doing an export classification of GnuPG (actually > only gpgv) I had some discussions whether GnuPG is of "US origin" or > not. Can somebody tell me whether GnuPG contains parts originating > from the US? Thanks in advance. Yes, it does. All of those parts (all of GnuPG, actually) fall under the TSU exception, which more or less exempts open source crypto from restriction. This is a simplification, of course. Export classification is a vastly more complex topic than can be covered in an email. http://www.bis.doc.gov/encryption/PubAvailEncSourceCodeNofify.html David From wk at gnupg.org Fri Aug 11 12:42:00 2006 From: wk at gnupg.org (Werner Koch) Date: Fri Aug 11 12:46:47 2006 Subject: encrypt/sign 2048 bit RSA key using another Rsa 2048 bit Key In-Reply-To: <8a4271520608100525p3c617ee5g301d31ccdc13707@mail.gmail.com> (Vinod Jacob's message of "Thu, 10 Aug 2006 17:55:55 +0530") References: <8a4271520608100525p3c617ee5g301d31ccdc13707@mail.gmail.com> Message-ID: <8764gz5zbb.fsf@wheatstone.g10code.de> On Thu, 10 Aug 2006 14:25, Vinod Jacob said: > what is the maximum size of the buffer that i can encrypt using 2048 > bit key.is it 2048 bit ? Please read some basic literature about applied cryptography. Libgcrypt can't help you unless you have a basic knowledge. @Book{Sch:96:AC, author = "Bruce Schneier", title = "Applied Cryptography", language = "USenglish", edition = "second", publisher = pub-WIL, address = pub-WIL:adr, pages = "xxiii + 758", year = "1996", ISBN = "0-471-11709-9", } is good for an overview. @Book{Men:96:HAC, author = "Alfred J. Menezes and Paul van Oorschot and Scott Vanstone", title = "Handbook of Applied Cryptography", language = "USenglish", publisher = pub-CRC, address = pub-CRC:adr, pages = "xxvii + 780", year = "1996", ISBN = "0-8493-8523-7", keywords = "cryptograpy", } Is what you need to read if you want to implement low-level stuff. @Book{Fer:03:PC, author = "Niels Ferguson and Bruce Schneier", title = "Practical Cryptography", language = "USenglish", edition = "first", publisher = pub-WIL, address = pub-WIL:adr, pages = "xx + 410", year = "2003", ISBN = "0-471-22357-3", URL = "http://www.macfergus.com/pc/" } Is what you really need to read. Shalom-Salam, Werner From jon at jrock.us Fri Aug 11 17:38:36 2006 From: jon at jrock.us (Jonathan Rockway) Date: Fri Aug 11 18:37:54 2006 Subject: AES 256 bit key generation In-Reply-To: <32f8dcde0608101047u1edbc30fj6ac98f4f3acec08e@mail.gmail.com> References: <32f8dcde0608101047u1edbc30fj6ac98f4f3acec08e@mail.gmail.com> Message-ID: <44DCA47C.5070107@jrock.us> AES is a symmetric cypher, so you can use anything you want as the key, although I'm pretty sure that you must never use the same key to encrypt two different messages. (See "Initialization Vector". I know this is required for stream cyphers like RC4, but I'm not sure about block cyphers like AES.) If anything, using a different key every time ensures that two identical messages encrypt to different cyphertexts, which is a good thing. Also be sure to read up on ECB / CBC. You should probably look this up in the AES section of Applied Cryptography before you deploy any code, though. Regards, Jonathan Rockway > I want to create as AEs key of size 256 bits.is there any function in > libgcrypt to generate AES key ? > Now i am using libgcrypt random number generation to create an AES key > .is this correct ? From brian at nixthis.com Fri Aug 11 17:39:57 2006 From: brian at nixthis.com (Brian Rosenvinge) Date: Fri Aug 11 19:10:30 2006 Subject: GPG question Message-ID: <44DCA4CD.7050807@nixthis.com> I need to decrypt a file that has been sent to me and immediately re-encrypt the file for three new recipients. I would like to automate the process with a batch file. To avoid the file being left un-encrypted during the batch process I would like to redirect the output of the decrypt command into the encrypt command for the new recipients. I have been unsuccessful in my attempts, can anyone help me out? Thanks Brian From dshaw at jabberwocky.com Fri Aug 11 19:19:13 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Aug 11 19:17:43 2006 Subject: GPG question In-Reply-To: <44DCA4CD.7050807@nixthis.com> References: <44DCA4CD.7050807@nixthis.com> Message-ID: <20060811171913.GA16299@jabberwocky.com> On Fri, Aug 11, 2006 at 10:39:57AM -0500, Brian Rosenvinge wrote: > I need to decrypt a file that has been sent to me and immediately > re-encrypt the file for three new recipients. I would like to automate > the process with a batch file. To avoid the file being left > un-encrypted during the batch process I would like to redirect the > output of the decrypt command into the encrypt command for the new > recipients. > > I have been unsuccessful in my attempts, can anyone help me out? cat thefile.gpg | gpg | gpg -r recipient_1 -r recipient_2 -r recipient_3 --encrypt > output.gpg The catch is that the first gpg instance is doing to need to prompt you for a passphrase, and the second gpg instance may need to prompt you whether the recipients are trusted (if you don't have a trust path to them). An easy way to fix this, is to add a "--trust-model always" to the second instance (assuming you really do trust those recipient keys). David From brian at nixthis.com Fri Aug 11 21:19:52 2006 From: brian at nixthis.com (Brian Rosenvinge) Date: Fri Aug 11 21:18:54 2006 Subject: GPG question In-Reply-To: <20060811171913.GA16299@jabberwocky.com> References: <44DCA4CD.7050807@nixthis.com> <20060811171913.GA16299@jabberwocky.com> Message-ID: <44DCD858.6050207@nixthis.com> Thanks so much, it worked like a charm. I just had to change "cat" to "type". I don't mind supplying the passphrase in the script or in a file if there is a way to automate this process. I am not sure where a "--passphrase-fd" could be used, if it is even possible. Thanks Brian David Shaw wrote: >On Fri, Aug 11, 2006 at 10:39:57AM -0500, > >cat thefile.gpg | gpg | gpg -r recipient_1 -r recipient_2 -r recipient_3 --encrypt > output.gpg > >The catch is that the first gpg instance is doing to need to prompt >you for a passphrase, and the second gpg instance may need to prompt >you whether the recipients are trusted (if you don't have a trust path >to them). An easy way to fix this, is to add a "--trust-model always" >to the second instance (assuming you really do trust those recipient >keys). > >David > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users > > From schoflist at dakim.com Sat Aug 12 19:42:45 2006 From: schoflist at dakim.com (John Schofield) Date: Sat Aug 12 21:09:00 2006 Subject: Keyserver Software Recommendations Message-ID: <62B17198-EAE8-405B-8710-A32E61D13796@dakim.com> I am setting up a keyserver for private, internal use in my company; it will not synchronize with the global keyserver network. All clients will be running the latest version of GnuPG distributed through the Ubuntu Dapper repositories. The servers (there will be multiple, and will need to be synchronized) will be running Debian Sarge. I'm having trouble figuring out which keyserver to install. OpenPGP Public Key Server is easy to install and configure, but hasn't been updated in three years. This message from 2005 recommends SKS. I've attempted to install SKS, and had some issues, but haven't gone all-out in installing it. Should I make the effort? A year later, is SKS still the most-recommended keyserver software? Thanks very much! John Schofield From dshaw at jabberwocky.com Sat Aug 12 21:19:42 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Aug 12 21:18:16 2006 Subject: Keyserver Software Recommendations In-Reply-To: <62B17198-EAE8-405B-8710-A32E61D13796@dakim.com> References: <62B17198-EAE8-405B-8710-A32E61D13796@dakim.com> Message-ID: <20060812191942.GA18998@jabberwocky.com> On Sat, Aug 12, 2006 at 10:42:45AM -0700, John Schofield wrote: > I am setting up a keyserver for private, internal use in my company; > it will not synchronize with the global keyserver network. > > All clients will be running the latest version of GnuPG distributed > through the Ubuntu Dapper repositories. > > The servers (there will be multiple, and will need to be > synchronized) will be running Debian Sarge. > > I'm having trouble figuring out which keyserver to install. > > OpenPGP Public Key Server is easy to > install and configure, but hasn't been updated in three years. > > This message October/027189.html> from 2005 recommends SKS. I've attempted to > install SKS, and had some issues, but haven't gone all-out in > installing it. Should I make the effort? > > A year later, is SKS still the most-recommended keyserver software? In short, yes. Given your requirements, SKS is the best (and really only) choice. Make the effort, and if you have problems, ask on the SKS mailing list: http://lists.nongnu.org/mailman/listinfo/sks-devel David From peter at palfrader.org Mon Aug 14 14:50:49 2006 From: peter at palfrader.org (Peter Palfrader) Date: Mon Aug 14 14:49:33 2006 Subject: Keyserver Software Recommendations In-Reply-To: <20060812191942.GA18998@jabberwocky.com> References: <62B17198-EAE8-405B-8710-A32E61D13796@dakim.com> <20060812191942.GA18998@jabberwocky.com> Message-ID: <20060814125048.GK2173@asteria.noreply.org> On Sat, 12 Aug 2006, David Shaw wrote: > On Sat, Aug 12, 2006 at 10:42:45AM -0700, John Schofield wrote: > > A year later, is SKS still the most-recommended keyserver software? > > In short, yes. Given your requirements, SKS is the best (and really > only) choice. Make the effort, and if you have problems, ask on the > SKS mailing list: http://lists.nongnu.org/mailman/listinfo/sks-devel If you run sarge on the servers my package might be of use. You'll have to build it yourself from source. Checkout the tree using svn co https://svn.clearairturbulence.org/debian-sks/trunk/sks and then dpkg-buildpackage -rfakeroot -uc -us it after installing the build dependencies. The package is not really of the quality I'ld like it to be, but it's not all that bad either. Peter -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `- http://www.debian.org/ From brian at nixthis.com Mon Aug 14 16:25:39 2006 From: brian at nixthis.com (Brian Rosenvinge) Date: Mon Aug 14 16:24:45 2006 Subject: GPG question In-Reply-To: <20060811171913.GA16299@jabberwocky.com> References: <44DCA4CD.7050807@nixthis.com> <20060811171913.GA16299@jabberwocky.com> Message-ID: <44E087E3.4030506@nixthis.com> I have been trying to automate the pass phrase for the first GPG instance below. Is it possible with this string and if so where would I add the command? Sorry if this is a dumb question, I am just getting started trying to script using GPG. David Shaw wrote: > > >cat thefile.gpg | gpg | gpg -r recipient_1 -r recipient_2 -r recipient_3 --encrypt > output.gpg > >The catch is that the first gpg instance is going to need to prompt >you for a passphrase, and the second gpg instance may need to prompt >you whether the recipients are trusted (if you don't have a trust path >to them). An easy way to fix this, is to add a "--trust-model always" >to the second instance (assuming you really do trust those recipient >keys). > >David > > Brian Rosenvinge wrote: >> I need to decrypt a file that has been sent to me and immediately >> re-encrypt the file for three new recipients. I would like to automate >> the process with a batch file. To avoid the file being left >> un-encrypted during the batch process I would like to redirect the >> output of the decrypt command into the encrypt command for the new >> recipients. >> >> I have been unsuccessful in my attempts, can anyone help me out? > > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users > > From dshaw at jabberwocky.com Mon Aug 14 16:39:42 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Aug 14 16:38:17 2006 Subject: GPG question In-Reply-To: <44E087E3.4030506@nixthis.com> References: <44DCA4CD.7050807@nixthis.com> <20060811171913.GA16299@jabberwocky.com> <44E087E3.4030506@nixthis.com> Message-ID: <20060814143942.GA15984@jabberwocky.com> On Mon, Aug 14, 2006 at 09:25:39AM -0500, Brian Rosenvinge wrote: > I have been trying to automate the pass phrase for the first GPG > instance below. Is it possible with this string and if so where would I > add the command? Sorry if this is a dumb question, I am just getting > started trying to script using GPG. GPG can do it, of course, but automating passphrases is something that needs some thought before you go ahead. There are three ways to pass a passphrase to GPG: via a file, via a file descriptor, or just on the command line. Any of these will work, but you need to ask yourself whether this is a risk in your environment. For example, if you pass the passphrase on the command line, anyone who can log into the box can see the passphrase via 'ps'. If you pass the passphrase via a file, anyone who can read that file can see the passphrase. These details are also different on Unix-like systems or Win32 (not sure which you are using). You also need to ask yourself: if you're just going to hardcode a passphrase anyway, would it be better to simply use a key with no passphrase at all? On the command line: gpg --passphrase (the-passphrase) Via a file: gpg --passphrase-file (the-filename) Via a file descriptor gpg --passphrase-fd (the-fd) David From wk at gnupg.org Mon Aug 14 17:13:29 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Aug 14 17:16:32 2006 Subject: GPG question In-Reply-To: <20060814143942.GA15984@jabberwocky.com> (David Shaw's message of "Mon, 14 Aug 2006 10:39:42 -0400") References: <44DCA4CD.7050807@nixthis.com> <20060811171913.GA16299@jabberwocky.com> <44E087E3.4030506@nixthis.com> <20060814143942.GA15984@jabberwocky.com> Message-ID: <87mza72vvq.fsf@wheatstone.g10code.de> On Mon, 14 Aug 2006 16:39, David Shaw said: > You also need to ask yourself: if you're just going to hardcode a > passphrase anyway, would it be better to simply use a key with no > passphrase at all? That is actually what we are suggesting since years. FWIW: The problem some people have with this is that there are policies in place (even demanded by law) to keep private key material stored encrypted. These policies don't tell from where to take the protection key, though. Obviously they silently allow for storing it in a file or even passing on the command line. It is all plain stupid but sometimes one need to work around such dump requirement. This is the actual reason why we added features for insecure supplying of a passphrase. Shalom-Salam, Werner From brian at nixthis.com Mon Aug 14 17:27:16 2006 From: brian at nixthis.com (Brian Rosenvinge) Date: Mon Aug 14 17:26:02 2006 Subject: GPG question In-Reply-To: <87mza72vvq.fsf@wheatstone.g10code.de> References: <44DCA4CD.7050807@nixthis.com> <20060811171913.GA16299@jabberwocky.com> <44E087E3.4030506@nixthis.com> <20060814143942.GA15984@jabberwocky.com> <87mza72vvq.fsf@wheatstone.g10code.de> Message-ID: <44E09654.1030509@nixthis.com> Thanks guys for all of the information. Unfortunately I am being asked to automate this entire process so the passphrase must be included. We will definitely be doing everything in our power to avoid exposing the passphrase. Thanks again Brian Werner Koch wrote: >On Mon, 14 Aug 2006 16:39, David Shaw said: > > > >>You also need to ask yourself: if you're just going to hardcode a >>passphrase anyway, would it be better to simply use a key with no >>passphrase at all? >> >> > >That is actually what we are suggesting since years. > >FWIW: The problem some people have with this is that there are >policies in place (even demanded by law) to keep private key material >stored encrypted. These policies don't tell from where to take the >protection key, though. Obviously they silently allow for storing it >in a file or even passing on the command line. It is all plain stupid >but sometimes one need to work around such dump requirement. This is >the actual reason why we added features for insecure supplying of a >passphrase. > > >Shalom-Salam, > > Werner > > > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users > > From cfrankb at gmail.com Tue Aug 15 06:58:28 2006 From: cfrankb at gmail.com (Charles Franklin Bernard) Date: Tue Aug 15 08:14:20 2006 Subject: GPG and 1024-bit (or multiple) subkeys Message-ID: <16ddfd640608142158p32caa8e2yc1b447bf8eedd142@mail.gmail.com> New to list; first post. We send member companies our 1024 bit public key with its 1024-bit subkey to encrypt their A/R files before they're FTP'd to us. A new customer is requesting we generate a new key for them that has a 2048 sub key, claiming GPG requires this by default. So I added another subkey, 2048-bit, but the customer says GPG is looking for a 2048 subkey *by itself*. Does that make sense? Doesn't GPG have an easy programmatic way to specify a subkey and/or bit size? Thanks, Frank From rjh at sixdemonbag.org Tue Aug 15 08:29:15 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue Aug 15 08:27:51 2006 Subject: GPG and 1024-bit (or multiple) subkeys In-Reply-To: <16ddfd640608142158p32caa8e2yc1b447bf8eedd142@mail.gmail.com> References: <16ddfd640608142158p32caa8e2yc1b447bf8eedd142@mail.gmail.com> Message-ID: <44E169BB.3060407@sixdemonbag.org> Charles Franklin Bernard wrote: > A new customer is requesting we generate a new key for them that has > a 2048 sub key, claiming GPG requires this by default. GnuPG defaults to 2048 bits for new RSA and El Gamal keys. (It may default to 2048 for DSA now, as well; if so, this is a new addition in the last few weeks.) However, there's nothing in GnuPG that prohibits the use of shorter keys. > So I added another subkey, 2048-bit, but the customer says GPG is > looking for a 2048 subkey *by itself*. Does that make sense? Not especially. Subkeys don't exist in isolation. They only exist as part of a larger key. Your customer's request doesn't appear to be particularly well-phrased. That's going to limit any help anyone on the list can provide. From cfrankb at gmail.com Tue Aug 15 18:41:14 2006 From: cfrankb at gmail.com (Charles Franklin Bernard) Date: Tue Aug 15 18:39:46 2006 Subject: GPG and 1024-bit (or multiple) subkeys In-Reply-To: <16ddfd640608142158p32caa8e2yc1b447bf8eedd142@mail.gmail.com> References: <16ddfd640608142158p32caa8e2yc1b447bf8eedd142@mail.gmail.com> Message-ID: <16ddfd640608150941x389817a0y4f05ae8b4ec2197f@mail.gmail.com> > > So I added another subkey, 2048-bit, but the customer says GPG is > > looking for a 2048 subkey *by itself*. Does that make sense? > > Not especially. Subkeys don't exist in isolation. They only exist as > part of a larger key. > > Your customer's request doesn't appear to be particularly well-phrased. > That's going to limit any help anyone on the list can provide. "By itself" meaning a key without any other subkey. They want us to generate a new public key with only one subkey, and that at 2048-bit instead of 1024. I suppose we could also make a copy of our existing public key, then delete the 1024-bit subkey (keeping the 2048-bit subkey we recently added), but I'm hoping there's a command line argument/flag for GPG to encrypt a file using a public key with two subkeys, specifying the 2048-bit subkey and ignoring the 1024-bit subkey. Thanks, Frank From dshaw at jabberwocky.com Tue Aug 15 19:10:40 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Aug 15 19:09:14 2006 Subject: GPG and 1024-bit (or multiple) subkeys In-Reply-To: <16ddfd640608142158p32caa8e2yc1b447bf8eedd142@mail.gmail.com> References: <16ddfd640608142158p32caa8e2yc1b447bf8eedd142@mail.gmail.com> Message-ID: <20060815171040.GA19612@jabberwocky.com> On Mon, Aug 14, 2006 at 09:58:28PM -0700, Charles Franklin Bernard wrote: > New to list; first post. > We send member companies our 1024 bit public key with its 1024-bit > subkey to encrypt their A/R files before they're FTP'd to us. A new > customer is requesting we generate a new key for them that has a 2048 > sub key, claiming GPG requires this by default. So I added another > subkey, 2048-bit, but the customer says GPG is looking for a 2048 > subkey *by itself*. Does that make sense? In short, no. Your customer is confused. GPG does not require any particular key size. By default, it will generate 2048-bit keys, but it will work quite happily with 1024-bit, 4096-bit, or whatever you feel like using. > Doesn't GPG have an easy programmatic way to specify a subkey and/or > bit size? Yes, it does, but given that the premise behind the customer's question is wrong, this may not be the answer: Note that you can append an exclamation mark (!) to key IDs or fingerprints. This flag tells GnuPG to use the specified primary or secondary key and not to try and calculate which primary or secondary key to use. David From tmz at pobox.com Tue Aug 15 19:23:53 2006 From: tmz at pobox.com (Todd Zullinger) Date: Tue Aug 15 19:54:07 2006 Subject: GPG and 1024-bit (or multiple) subkeys In-Reply-To: <16ddfd640608150941x389817a0y4f05ae8b4ec2197f@mail.gmail.com> References: <16ddfd640608142158p32caa8e2yc1b447bf8eedd142@mail.gmail.com> <16ddfd640608150941x389817a0y4f05ae8b4ec2197f@mail.gmail.com> Message-ID: <20060815172353.GB11749@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Charles Franklin Bernard wrote: > "By itself" meaning a key without any other subkey. They want us to > generate a new public key with only one subkey, and that at 2048-bit > instead of 1024. I'd ask them to explain why they think this is required by GnuPG and why they believe it needs to be a new key. I can understand that they might desire a stronger encryption subkey (2048 vs. 1024), but if they're only requesting this because they misunderstand how the system works, then they are just wasting your time. :) > I suppose we could also make a copy of our existing public key, then > delete the 1024-bit subkey (keeping the 2048-bit subkey we recently > added), but I'm hoping there's a command line argument/flag for GPG > to encrypt a file using a public key with two subkeys, specifying > the 2048-bit subkey and ignoring the 1024-bit subkey. There is. Just append a ! to the keyid. See the section "How to specify a user ID" in the gpg man page. If you had a key like this: pub 1024D/1B324765 2006-05-21 uid [ultimate] Testing sub 2048g/263C2EA4 2006-05-21 sub 4096g/9BDAA7FA 2006-08-15 You could tell gpg to encrypt to the 2048 subkey like so: $ gpg -e -r 263C2EA4! ... (note that you may need to quote or otherwise protect the ! from being interpreted by your shell.) If the senders you are dealing with don't grok this, then export your whole key, delete the 1024 subkey, export the pubkey containing only the 2048 subkey for them and then import your full key again. - -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ====================================================================== Even if you're on the right track, you'll get run over if you just sit there. -- Will Rogers -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQFDBAEBAgAtBQJE4gMoJhhodHRwOi8vd3d3LnBvYm94LmNvbS9+dG16L3BncC90 bXouYXNjAAoJEEMlk4u+rwzjhgYH/33peFQhKuPXxVXBOSRn6r1Ln1q3WeT6VnPD vE3mwovHVgsPbANAZ3+XvY7/i9dMv7+9NbBdXwUzdJOI6rSmE5d/NdZ/bEmyLtGJ j7wrCSPkMJow07EnWJT0NL2sdbbw4WdfzvXCGONZzwwkkUyKvEdqOcIWqAZ4jC6J qcV4Aug4J7ryaWpm7ZYECj8k/h2r+wK7v1tA46yqups7ihDzwBrZFoZaziZTVnkX Dv0XCFBFjD2Szja02cTs3FBBikSkbQnm2TPRqmf9e1xwhblmLNIGghdwadSNTvks djDA9bKAN+Ei/OgapCDYeF6JWtnpvkqSjrRri19Dn6ddKTXydfE= =+CBK -----END PGP SIGNATURE----- From johanw at vulcan.xs4all.nl Tue Aug 15 21:09:43 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Tue Aug 15 21:13:00 2006 Subject: GPG and 1024-bit (or multiple) subkeys In-Reply-To: <20060815171040.GA19612@jabberwocky.com> Message-ID: <200608151909.k7FJ9hqk029447@vulcan.xs4all.nl> David Shaw wrote: >In short, no. Your customer is confused. GPG does not require any >particular key size. By default, it will generate 2048-bit keys, but >it will work quite happily with 1024-bit, 4096-bit, or whatever you >feel like using. I remember the pgp 2 code having a limitation to 16k RSA keys due to special integer precision libs (the default pgp 2 doesn't create keys larger than 2048 bits but hacked versions exist that ganerate 16k keys). Is there such a limitation in gpg, or can I happily use a 128k RSA or El Gamal key with no other problems than them being very slow? -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From JPClizbe at comcast.net Tue Aug 15 21:52:59 2006 From: JPClizbe at comcast.net (John Clizbe) Date: Tue Aug 15 22:31:52 2006 Subject: GPG and 1024-bit (or multiple) subkeys In-Reply-To: <16ddfd640608150941x389817a0y4f05ae8b4ec2197f@mail.gmail.com> References: <16ddfd640608142158p32caa8e2yc1b447bf8eedd142@mail.gmail.com> <16ddfd640608150941x389817a0y4f05ae8b4ec2197f@mail.gmail.com> Message-ID: <44E2261B.3010807@comcast.net> Charles Franklin Bernard wrote: >> > So I added another subkey, 2048-bit, but the customer says GPG is >> > looking for a 2048 subkey *by itself*. Does that make sense? >> >> Not especially. Subkeys don't exist in isolation. They only exist as >> part of a larger key. >> >> Your customer's request doesn't appear to be particularly well-phrased. >> That's going to limit any help anyone on the list can provide. > > "By itself" meaning a key without any other subkey. They want us to > generate a new public key with only one subkey, and that at 2048-bit > instead of 1024. That requirement sounds like a RSA key instead of a DSA/ElGamal key pair. Adding a subkey should meet the customer's needs unless someone in the customer's IT organization doesn't understand the details of OpenPGP very well. Individual subkeys may be specified by adding ! to the key ID, eg. 0xDecafBad! -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 662 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060815/657d754c/signature.pgp From wk at gnupg.org Wed Aug 16 09:10:59 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Aug 16 09:16:59 2006 Subject: GPG and 1024-bit (or multiple) subkeys In-Reply-To: <200608151909.k7FJ9hqk029447@vulcan.xs4all.nl> (Johan Wevers's message of "Tue, 15 Aug 2006 21:09:43 +0200 (MET DST)") References: <200608151909.k7FJ9hqk029447@vulcan.xs4all.nl> Message-ID: <87r6zh17gc.fsf@wheatstone.g10code.de> On Tue, 15 Aug 2006 21:09, Johan Wevers said: > keys larger than 2048 bits but hacked versions exist that ganerate 16k > keys). Is there such a limitation in gpg, or can I happily use a 128k > RSA or El Gamal key with no other problems than them being very slow? The only limitations I am aware of are the amount of random you may get by one call and that the key as well as intermediate results need to fit into the allocated secure memory. Shalom-Salam, Werner From alphasigmax at gmail.com Wed Aug 16 11:23:33 2006 From: alphasigmax at gmail.com (Alphax) Date: Wed Aug 16 11:25:20 2006 Subject: GPG and 1024-bit (or multiple) subkeys In-Reply-To: <87r6zh17gc.fsf@wheatstone.g10code.de> References: <200608151909.k7FJ9hqk029447@vulcan.xs4all.nl> <87r6zh17gc.fsf@wheatstone.g10code.de> Message-ID: <44E2E415.6000008@gmail.com> Werner Koch wrote: > On Tue, 15 Aug 2006 21:09, Johan Wevers said: > >> keys larger than 2048 bits but hacked versions exist that ganerate 16k >> keys). Is there such a limitation in gpg, or can I happily use a 128k >> RSA or El Gamal key with no other problems than them being very slow? > > The only limitations I am aware of are the amount of random you may > get by one call and that the key as well as intermediate results need > to fit into the allocated secure memory. > I can verify this; the key generation size limit is currently set to 4096 bits, but can be increased to 8192 bits without too many problems. Someone reported that they were able to generate keys of 11296 bits (they are painfully slow to use), but for much more than that you get errors like |gpg: out of secure memory while allocating 5108 bytes |gpg: (this may be caused by too many secret keys used simultaneously |or due to excessive large key sizes) Now, although it can't generate keys that big, GPG can *use* a key of 16384 bits (presumably generated with one of Disastry's PGP 2.6.3 builds); again, operations involving such keys are painfully slow and not worth the effort. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 569 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060816/7bfa9ca2/signature.pgp From rubis.paul at gmail.com Thu Aug 17 06:40:23 2006 From: rubis.paul at gmail.com (Rubis Paul) Date: Thu Aug 17 06:39:09 2006 Subject: Creating Rsa Public Key self signature Message-ID: <32f8dcde0608162140nc5dbf8ag54c84ad6ade99513@mail.gmail.com> Hi, I am generating one RSA key pair using libgcrypt.As per the project requirement ,i want to store the RSa public key as self signaure(signed by corresponding rsa private key). The rsa public key is of type gcry_ac_key_t ,but the input type for gcry_ac_data_sign is of type gcry_mpi_t .so how can i create a self signature using libgcrypt ?. i trying like this ...is this correct data = gcry_ac_key_data_get(KeyToBeSigned); for (i = 0; i < gcry_ac_data_length(data); i++) { gcry_ac_data_get_index(data,0, i,&mpiName,&mpiTemp); GcryptErrValue = gcry_ac_data_sign(GcryptRsaHd ,SecKey,mpiTemp,&KeySignature); } if i do like this , i will get the signature for each mpi value [ for public key there will be 2 mpi (n,e) values]. so how can i create a self signature for rsa public key ? I am using AES keys to encrypt some file contents.The AES keys used for file encryption is encrypted using RSA Keys.I am creating RSA Key pairs for different users.According to my project requirement i want to encrypt /sign an RSA key of one user using Rsa key of other user.How can i encrypt /sign the RSA private of one user with the another RSa key of other user ? I have gone through the Libgcrypt manuel.But I couldn't find ..Is this possible ? Thanks, Rubis Paul From larstiq at larstiq.dyndns.org Thu Aug 17 13:12:49 2006 From: larstiq at larstiq.dyndns.org (Wouter van Heyst) Date: Thu Aug 17 14:46:44 2006 Subject: openpgp card woes: 'secret key not available' Message-ID: <20060817111249.GJ8575@larstiq.dyndns.org> Hi all, in my ongoing quest to make use of my OpenPGP card I've finally managed to add several card subkeys to my key following http://www.fsfe.org/en/card/howto/subkey_howto However, I seem to have done something wrong (again): > gpg -ev msg gpg: using subkey B0DACEAB instead of primary key 0DC0B7D6 gpg: reading from `msg' File `msg.gpg' exists. Overwrite? (y/N) y gpg: writing to `msg.gpg' gpg: RSA/AES encrypted for: "B0DACEAB Wouter van Heyst " So far, so good. > gpg -vd msg.gpg gpg: public key is B0DACEAB gpg: using subkey B0DACEAB instead of primary key 0DC0B7D6 gpg: detected reader `SCM SCR 335 (21120617208489) 00 00' gpg: reader slot 0: active protocol: T1 gpg: slot 0: ATR=3B FA 13 00 FF 81 31 80 45 00 31 C1 73 C0 01 00 00 90 00 B1 gpg: AID: D2 76 00 01 24 01 01 01 00 01 00 00 03 54 00 00 PIN gpg: verify CHV1 failed: invalid passphrase gpg: using subkey B0DACEAB instead of primary key 0DC0B7D6 gpg: encrypted with 1024-bit RSA key, ID B0DACEAB, created 2006-08-15 "Wouter van Heyst " gpg: public key decryption failed: invalid passphrase gpg: decryption failed: secret key not available gpg complains about an invalid passphrase, but it didn't even prompt for one. I'm also not sure what the 'secret key not available' is about, according to `gpg --card-status`: Encryption key....: 6D70 3242 0A9E A10F 2A57 9E88 D886 E99A B0DA CEAB created ....: 2006-08-15 13:37:02 I've ensured gpg-agent and/or scdaemon are not running, they have caused weird problems in the past. Not sure what is wrong now. mvgr, Wouter van Heyst From gnucl3us at gmail.com Fri Aug 18 05:27:14 2006 From: gnucl3us at gmail.com (1wing-angel) Date: Fri Aug 18 07:13:17 2006 Subject: GnuPG (Windows XP) Problem Message-ID: <5860788.post@talk.nabble.com> Hi, I have a problem. I have 2 computers and I set one up with GnuPG(GPG) with a key. I use Thunderbird to send and receive encrypted email with no problems. The second computer is not set with any key. I want to setup the second computer with with the "Same" email like the first computer with a key, but it doesn't work. When I start to generate my key, it fails. Here is what I did. I typed in my name, enter the "Same" email, basically everything is all the same. Once I entered my pass phrase, it starts generating the key. After a couple of minutes, I get the below error. gpg: no writable public keyring found: eof Key generation failed: eof gpg: can't create `C:/GnuPG\random_seed': No such file or directory *My path variable under mycomputer/properties/path is the following* %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier" Some people add the path ";c:\program files\GNU\GnuPG" after MailFrontier or whatever their path is set to, but I'm assuming that I don't need to do that because on my other computer it is setup with GnuPG and has the same path as mentioned above and still everything is ok. I'm all out of ideas on how to fix this. I've googled all day and I found a few people with the same problem, but theres were in linux and mine is in Windows. The solution for linux was to make sure it had read and write access(something similar to that) and a few other things which looked pretty easy to fix by the way. I tried grabbing some of those hints and applying them to Windows, but it doesn't seem to work. It was at least worth a try tho......... smile.gif But so far I've found nothing related to Windows. That's about all the information I can think of right now. PS, If there's a way to fix this, please inform me. Detailed instructions would be nice by the way. Thank You. Running....... Windows XP and latest version of GnuPG -- View this message in context: http://www.nabble.com/GnuPG-%28Windows-XP%29-Problem-tf2124327.html#a5860788 Sent from the GnuPG - User forum at Nabble.com. From gnucl3us at gmail.com Fri Aug 18 05:27:57 2006 From: gnucl3us at gmail.com (1wing-angel) Date: Fri Aug 18 07:13:29 2006 Subject: Weird Error Message Message-ID: <5860789.post@talk.nabble.com> I have a computer setup with GnuPG and everything so far is working ok. I recently sent a "Signed email"(not encrypted) to one of my friends at hotmail. She responded back, her message came through ok but then there was an error. The below is the following error. OpenPGP Security Info Error - signature verification failed gpg command line and output: G:\\Program Files\\GNU\\GnuPG\\gpg.exe --charset utf8 --batch --no-tty --status-fd 2 -d gpg: Signature made 08/15/06 01:19:02 using DSA key ID FJEIFLSA gpg: BAD signature from "My_name "; ^ What does the above mean? Should I be alarmed? -- View this message in context: http://www.nabble.com/Weird-Error-Message-tf2124328.html#a5860789 Sent from the GnuPG - User forum at Nabble.com. From JPClizbe at comcast.net Fri Aug 18 09:43:40 2006 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Aug 18 09:43:21 2006 Subject: GnuPG (Windows XP) Problem In-Reply-To: <5860788.post@talk.nabble.com> References: <5860788.post@talk.nabble.com> Message-ID: <44E56FAC.3010108@comcast.net> 1wing-angel wrote: > Hi, > > I have a problem. I have 2 computers and I set one up with GnuPG(GPG) with a > key. I use Thunderbird to send and receive encrypted email with no problems. > The second computer is not set with any key. I want to setup the second > computer with with the "Same" email like the first computer with a key, but > it doesn't work. When I start to generate my key, it fails. Here is what I > did. > > I typed in my name, enter the "Same" email, basically everything is all the > same. Once I entered my pass phrase, it starts generating the key. After a > couple of minutes, I get the below error. Unless you have some specific need, eg work vs play, you /really/ don't need to generate another key. Just copy the keyring files from your first PC. But since the emails address is the same, It'd be easier just to use your existing key(s). > > gpg: no writable public keyring found: eof > Key generation failed: eof > gpg: can't create `C:/GnuPG\random_seed': No such file or directory Please run the GnuPG installer and accept the defaults for GnuPG's directory placements. You'll have a *MUCH* easier time by doing so. Using C:\GnuPG is great for Windows 95 and earlier. It's not so good for XP. > *My path variable under mycomputer/properties/path is the following* > > %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;;"C:\Program > Files\Zone Labs\ZoneAlarm\MailFrontier" > > Some people add the path ";c:\program files\GNU\GnuPG" after MailFrontier or > whatever their path is set to, but I'm assuming that I don't need to do that > because on my other computer it is setup with GnuPG and has the same path as > mentioned above and still everything is ok. You do need the PATH set if you intend to use GnuPG at the command prompt. > I'm all out of ideas on how to fix this. I've googled all day and I found a > few people with the same problem, but theres were in linux and mine is in > Windows. The solution for linux was to make sure it had read and write > access(something similar to that) and a few other things which looked pretty > easy to fix by the way. I tried grabbing some of those hints and applying > them to Windows, but it doesn't seem to work. It was at least worth a try > tho......... smile.gif > > But so far I've found nothing related to Windows. That's about all the > information I can think of right now. Well, if you're using Thunderbird and GnuPG, it's safe to assume you're also using Enigmail. Check the Enigmail site? There's a windows specific page there, among others. > PS, If there's a way to fix this, please inform me. Detailed instructions > would be nice by the way. Please see http://enigmail.mozdev.org/gpgconf.html I believe it should be detailed enough. Short list: Run the GnuPG installer, accept the default locations, use your existing keys. > Thank You. > > Running....... > Windows XP and latest version of GnuPG -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 662 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060818/4107cfd4/signature-0001.pgp From shavital at mac.com Fri Aug 18 12:11:55 2006 From: shavital at mac.com (Charly Avital) Date: Fri Aug 18 12:10:44 2006 Subject: Weird Error Message In-Reply-To: <5860789.post@talk.nabble.com> References: <5860789.post@talk.nabble.com> Message-ID: <44E5926B.5080009@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 1. Was the person to whom you sent a signed e-mail able to verify your signature, and if she verified it, what was the result? 2. I *guess* that your correspondent, when she answered to your message, quoted it in full, including your signature. The check sum of her text and of your quoted message does not correspond to your original signature. This is why the signature is BAD. I guess... Charly 1wing-angel wrote the following on 8/17/06 11:27 PM: > I have a computer setup with GnuPG and everything so far is working ok. I > recently sent a "Signed email"(not encrypted) to one of my friends at > hotmail. She responded back, her message came through ok but then there was > an error. The below is the following error. > > OpenPGP Security Info > > Error - signature verification failed > > gpg command line and output: > G:\\Program Files\\GNU\\GnuPG\\gpg.exe --charset utf8 --batch --no-tty > --status-fd 2 -d > gpg: Signature made 08/15/06 01:19:02 using DSA key ID FJEIFLSA > gpg: BAD signature from "My_name "; > > ^ What does the above mean? Should I be alarmed? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) Comment: GnuPG for Privacy Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEVAwUBROWSZs3GMi2FW4PvAQh//AgAmhxBQGwEPDTAM8kQF09Xz9jralYiR4IT /l4OgMEJl2mHtbUXsLRSwklXbo2ch1peR2f6DoK+fENK5KlcMAsqChyu9/HisCJO QtOUxy2C0vAbMOeJwkK1E1nLYh0LOMQguTw6CLyYsbYaeZs3tn360WsAVAOzw7Mq LdgH7T9YHtJPU6cFNKK8+0etMJtm6jwDg1w+hvfsBE9EncYS8afVR4IKB3x20KZp w8su8j49WPJThPG4RIk78C2PJPw3R+9ngRaFK5rbkj5CaFrTJbxHhsDl2i5J+BHW aektQ3qRGsbRlG7cgbxTbFZNMgYe59sCyR9RutwQw7JyWDux7LpGDw== =5YKB -----END PGP SIGNATURE----- From gnucl3us at hotmail.com Tue Aug 15 05:08:31 2006 From: gnucl3us at hotmail.com (John wOnk3r) Date: Fri Aug 18 12:40:13 2006 Subject: GnuPG (GPG) Problem Message-ID: Hi, I have a problem. I have 2 computers and I set one up with GnuPG(GPG) with a key. I use Thunderbird to send and receive encrypted email with no problems. The second computer is not set with any key. I want to setup the second computer with with the "Same" email like the first computer with a key, but it doesn't work. When I start to generate my key, it fails. Here is what I did. I typed in my name, enter the "Same" email, basically everything is all the same. Once I entered my pass phrase, it starts generating the key. After a couple of minutes, I get the below error. gpg: no writable public keyring found: eof Key generation failed: eof gpg: can't create `C:/GnuPG\random_seed': No such file or directory My question is, is it possible to have 2 computers with the same email settings but with a different key, OR is there a possibibilty that I can use the same key for both computers? If yes, how would I set that up? PS, Detailed instructions would be nice by the way. Thank You. _________________________________________________________________ Express yourself instantly with MSN Messenger! Download today - it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/ From potter.nicholas at gmail.com Wed Aug 16 19:06:17 2006 From: potter.nicholas at gmail.com (Nicholas Potter) Date: Fri Aug 18 12:40:20 2006 Subject: Error generating new keys on Windows with gnupg 1.4.5 Message-ID: <44E35089.1@gmail.com> Did anyone find a solution to this? I'm having the same problem Thanks >>> Whenever I try to generate a new secret key on Windows with gnupg 1.4.3, I get the following output immediately following the second request for my passphrase: gpg: NOTE: you should run 'diskperf -y' to enable the disk statistics A few seconds after that, a Windows error box pops up with this message: Microsoft Visual C++ Runtime Library Runtime Error! Program: z:\gnupg\gpg.exe This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information. Has anyone seen anything like this or know where to start debugging it? I don't know if it makes any difference, but I have HKLU\Software\GNU\gpgProgram set to z:\gnupg\gnupg.exe and HomeDir is set to z:\gnupg. Please keep me in CC on any replies as I am not subscribed. Thanks in advance, Ras >>> -- Nicholas Potter Please avoid sending me Word or PowerPoint attachments. Instead, use the opendocument format or send the file as text or a pdf. See http://www.gnu.org/philosophy/no-word-attachments.html http://www.openoffice.org "Who watches the Watchers?" From rhodes69 at cotse.net Fri Aug 18 07:42:27 2006 From: rhodes69 at cotse.net (Ron B.) Date: Fri Aug 18 12:40:26 2006 Subject: Weird Error Message In-Reply-To: <5860789.post@talk.nabble.com> References: <5860789.post@talk.nabble.com> Message-ID: <44E55343.6050708@cotse.net> 1wing-angel wrote: > I have a computer setup with GnuPG and everything so far is working ok. I > recently sent a "Signed email"(not encrypted) to one of my friends at > hotmail. She responded back, her message came through ok but then there was > an error. The below is the following error. > > OpenPGP Security Info > > Error - signature verification failed > > gpg command line and output: > G:\\Program Files\\GNU\\GnuPG\\gpg.exe --charset utf8 --batch --no-tty > --status-fd 2 -d > gpg: Signature made 08/15/06 01:19:02 using DSA key ID FJEIFLSA > gpg: BAD signature from "My_name "; > > ^ What does the above mean? Should I be alarmed? > No need for alarm; what probably happened was that hotmail probably changed the number of characters per line. PGP and GPG recognize even this minor difference as a change in the original document. From JPClizbe at comcast.net Fri Aug 18 21:17:12 2006 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Aug 18 21:16:28 2006 Subject: GnuPG (GPG) Problem In-Reply-To: References: Message-ID: <44E61238.3030001@comcast.net> John wOnk3r wrote: > Hi, > > I have a problem. I have 2 computers and I set one up with GnuPG(GPG) with a > key. I use Thunderbird to send and receive encrypted email with no problems. > The second computer is not set with any key. I want to setup the second > computer with with the "Same" email like the first computer with a key, but > it doesn't work. When I start to generate my key, it fails. Here is what I > did. /"I want to setup the second computer with with the "Same" email like the first computer"/ Then your easiest route is to use the same key unless you need to keep your identity on each machine separate. But if that was the case, you wouldn't be using the same email address. Just copy the keyring files. > I typed in my name, enter the "Same" email, basically everything is all the > same. Once I entered my pass phrase, it starts generating the key. After a > couple of minutes, I get the below error. > > gpg: no writable public keyring found: eof > Key generation failed: eof > gpg: can't create `C:/GnuPG\random_seed': No such file or directory Don't use C:\GnuPG. Accept the GnuPG installer defaults. > My question is, is it possible to have 2 computers with the same email > settings but with a different key Yes, but then the recipients of email from each machine would have to keep track of two keys. They also would not know whether to use machine A's or machine B's key to send you an encrypted message. > OR is there a possibibility that I can use the same key for both computers? > If yes, how would I set that up? Quite possible. I use the same keys on about a dozen machines running various operating systems. You would copy your keyring files (*.gpg) and gpg.conf from the GnuPG home directory on the first machine to the GnuPG home directory on the second machine. > PS, Detailed instructions would be nice by the way. http://enigmail.mozdev.org/gpgconf.html > Thank You. You're Welcome, but stick with just the one email address when sending, OK? -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 662 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060818/9ee23a4b/signature.pgp From brian at nixthis.com Fri Aug 18 21:20:40 2006 From: brian at nixthis.com (Brian Rosenvinge) Date: Fri Aug 18 21:19:16 2006 Subject: Multiple recipients Message-ID: <44E61308.2040404@nixthis.com> Is it possible with GPG to take the public keys of three or more users and merge them into a single key? The single key could then be used to encrypt a file that all three or more recipients could read using their respective private key. Thanks Brian From dshaw at jabberwocky.com Fri Aug 18 21:25:26 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Aug 18 21:23:54 2006 Subject: Multiple recipients In-Reply-To: <44E61308.2040404@nixthis.com> References: <44E61308.2040404@nixthis.com> Message-ID: <20060818192526.GA2625@jabberwocky.com> On Fri, Aug 18, 2006 at 02:20:40PM -0500, Brian Rosenvinge wrote: > Is it possible with GPG to take the public keys of three or more users > and merge them into a single key? The single key could then be used to > encrypt a file that all three or more recipients could read using their > respective private key. No. OpenPGP doesn't work that way. For convenience, you can put stuff in the gpg.conf file like this: group merged_named = user1 user2 user3 and then encrypt to "merged_names", but that's still encrypting to all three separately. David From rjh at sixdemonbag.org Fri Aug 18 21:28:39 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri Aug 18 21:27:05 2006 Subject: Multiple recipients In-Reply-To: <44E61308.2040404@nixthis.com> References: <44E61308.2040404@nixthis.com> Message-ID: <44E614E7.4050204@sixdemonbag.org> Brian Rosenvinge wrote: > Is it possible with GPG to take the public keys of three or more > users and merge them into a single key? The single key could then be > used to encrypt a file that all three or more recipients could read > using their respective private key. What's wrong with gpg -r -r -r --encrypt file.txt ? From brian at nixthis.com Fri Aug 18 21:34:57 2006 From: brian at nixthis.com (Brian Rosenvinge) Date: Fri Aug 18 21:33:34 2006 Subject: Multiple recipients In-Reply-To: <44E614E7.4050204@sixdemonbag.org> References: <44E61308.2040404@nixthis.com> <44E614E7.4050204@sixdemonbag.org> Message-ID: <44E61661.3060209@nixthis.com> A vendor will be encrypting files for us and making them available via FTP. We have three users that will decrypt the files at different times. The vendor will not accept more than one key from us and we wanted each of our users to have their own key for security and auditing purposes down the line. Robert J. Hansen wrote: >Brian Rosenvinge wrote: > > >>Is it possible with GPG to take the public keys of three or more >>users and merge them into a single key? The single key could then be >>used to encrypt a file that all three or more recipients could read >>using their respective private key. >> >> > >What's wrong with > > gpg -r -r -r --encrypt file.txt > >? > > From dshaw at jabberwocky.com Fri Aug 18 21:56:19 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Aug 18 21:54:53 2006 Subject: Multiple recipients In-Reply-To: <44E61661.3060209@nixthis.com> References: <44E61308.2040404@nixthis.com> <44E614E7.4050204@sixdemonbag.org> <44E61661.3060209@nixthis.com> Message-ID: <20060818195619.GC2625@jabberwocky.com> On Fri, Aug 18, 2006 at 02:34:57PM -0500, Brian Rosenvinge wrote: > A vendor will be encrypting files for us and making them available via > FTP. We have three users that will decrypt the files at different > times. The vendor will not accept more than one key from us and we > wanted each of our users to have their own key for security and auditing > purposes down the line. OpenPGP doesn't work that way. You can either give the single key to each user, or have one "special" user decrypt the message and then re-encrypt it to multiple users. David From vinod.jacob at gmail.com Fri Aug 18 22:06:48 2006 From: vinod.jacob at gmail.com (Vinod Jacob) Date: Fri Aug 18 22:05:09 2006 Subject: extra chars added to the decrypted string ( RSA encryption) Message-ID: <8a4271520608181306g687fce6eyeb33d31f8b94b1@mail.gmail.com> Hi all, This is my second mail to the list, thanks for the book references, i could start coding with more confidence. thanks Werner! Still i have to admit that i am still a newbie to the libgcrypt world, but had to start coding because of the time constraints of the project. Hope people would bear with me and would help me ! the Problem : I get some additional characters to the decrypted char buffer. Say, i am trying to encrypt, a 256 byte buffer, with a 2048 rsa key. when i print the decrypted data, there are some additional characters added . But if the data buffer is less than 256, (say 255) , the decrypted data matches with the initial data. here is the code: ---------------------- #include #include #include #include "./src/gcrypt.h" int main() { gcry_ac_data_t data; gcry_ac_key_t key1,key2; gcry_ac_key_pair_t keypair; gcry_ac_handle_t handle; gcry_ac_key_spec_rsa_t rsa_spec; gcry_error_t err; char buf[256]={"123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8"}; char newbuf[256]; gcry_control (GCRYCTL_DISABLE_SECMEM, 0); size_t r,v; rsa_spec.e = gcry_mpi_new (0); gcry_mpi_set_ui (rsa_spec.e, 1) ; err = gcry_ac_open (&handle, GCRY_AC_RSA, 0); err = gcry_ac_key_pair_generate (handle, 2048, &rsa_spec, &keypair, NULL); key1 = gcry_ac_key_pair_extract (keypair, GCRY_AC_KEY_SECRET); key2 = gcry_ac_key_pair_extract (keypair, GCRY_AC_KEY_PUBLIC); int err1= gcry_mpi_scan (&mpi1, GCRYMPI_FMT_USG, buf , 256, &r); if (err1==0) { printf ("Scan Success\n"); } printf ("bytes Scanned = %d \n", r); err = gcry_ac_data_encrypt (handle, GCRY_AC_FLAG_NO_BLINDING, key2, mpi1, &data ); if (err==0) { printf ("Success\n"); } printf ("In Return : %d \n", r); err = gcry_ac_data_decrypt (handle, GCRY_AC_FLAG_NO_BLINDING, key1, &mpi2, data); if (err==0) { printf ("Success\n"); } gcry_mpi_print (GCRYMPI_FMT_USG, (unsigned char *)newbuf ,256, &v, mpi2 ); printf ("bytes Printed = %d \n", v); printf ("\n buffer: %s\n", newbuf ); gcry_ac_close(handle); return 0; } here is the output printed on terminal if the buffer is actually 255 bytes: ( this works) ==================================================== Scan Success bytes Scanned = 0 Success In Return : 0 Success bytes Printed = 256 buffer: 123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 here is the output printed on terminal if the buffer is actually 256 bytes: (this doesn't Work) ================================================================= Scan Success bytes Scanned = 0 Success In Return : 0 Success bytes Printed = 256 buffer: 123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8123456 8xs? See the extra characters in this case. Any Pointers? thanks in advance, Vinod From brian at nixthis.com Fri Aug 18 22:09:43 2006 From: brian at nixthis.com (Brian Rosenvinge) Date: Fri Aug 18 22:08:18 2006 Subject: Multiple recipients In-Reply-To: <20060818195619.GC2625@jabberwocky.com> References: <44E61308.2040404@nixthis.com> <44E614E7.4050204@sixdemonbag.org> <44E61661.3060209@nixthis.com> <20060818195619.GC2625@jabberwocky.com> Message-ID: <44E61E87.5090805@nixthis.com> We have decided to decrypt using a "special" user and re-encrypt the file to multiple users. Our concern is that unless we want to do this manually it has to be scripted and that will require the "special" user's passphrase to live in the script or on a server in plaintext. No one in IS wants to add this to their daily responsibilities and we really should not have access to the data anyway as it is meant for our finance department. David Shaw wrote: >On Fri, Aug 18, 2006 at 02:34:57PM -0500, Brian Rosenvinge wrote: > > >>A vendor will be encrypting files for us and making them available via >>FTP. We have three users that will decrypt the files at different >>times. The vendor will not accept more than one key from us and we >>wanted each of our users to have their own key for security and auditing >>purposes down the line. >> >> > >OpenPGP doesn't work that way. You can either give the single key to >each user, or have one "special" user decrypt the message and >then re-encrypt it to multiple users. > >David > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users > > From rubis.paul at gmail.com Fri Aug 18 22:22:48 2006 From: rubis.paul at gmail.com (Rubis Paul) Date: Fri Aug 18 22:21:10 2006 Subject: Resend: Creating Rsa Public Key self signature Message-ID: <32f8dcde0608181322r2d290ba5p44a9a25e0c9b452e@mail.gmail.com> Hi, I have generated an RSA key pair using libgcrypt.As per the project requirement ,i have to encrypt this Rsa key with another master RSA key. gcry_ac_data_encrypt () expects input type as gcry_mpi_t. But RSA key it self is of type gcry_ac_key_t. Now, I am planning to do the convertion in the below given way.. data = gcry_ac_key_data_get(KeyToBeEncrypted); for (i = 0; i < gcry_ac_data_length(data); i++) { gcry_ac_data_get_index(data,0, i,&mpiName,&mpiTemp); GcryptErrValue = gcry_ac_data_encrypt(GcryptRsaHd ,PubKey,mpiTemp,&KeySignature); } Is this a correct way of doing this ? Is there any other way by which i can encrypt the entire key , rather than manipulating with each encrypted MPI values ? Thanks, Rubis Paul From qed at tiscali.it Fri Aug 18 22:20:39 2006 From: qed at tiscali.it (Qed) Date: Fri Aug 18 22:26:30 2006 Subject: Multiple recipients In-Reply-To: <44E61661.3060209@nixthis.com> References: <44E61308.2040404@nixthis.com> <44E614E7.4050204@sixdemonbag.org> <44E61661.3060209@nixthis.com> Message-ID: <44E62117.3030008@tiscali.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 On 08/18/2006 09:34 PM, Brian Rosenvinge wrote: > A vendor will be encrypting files for us and making them available via > FTP. We have three users that will decrypt the files at different > times. The vendor will not accept more than one key from us and we > wanted each of our users to have their own key for security and auditing > purposes down the line. I don't know if it is feasible, but you could give to every user the same encryption subkey(used ONLY for the task above) binded to their, different, master keys. - -- Q.E.D. War is Peace Freedom is Slavery Ignorance is Strength ICQ UIN: 301825501 OpenPGP key ID: 0x58D14EB3 Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3 Check fingerprints before trusting a key! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQFE5iEXH+Dh0Dl5XacRA8LkAJ9mg3V4xg3BlGCMfQiCXeM698TQmQCgh7Ea T6McDPz9+x8ONgVL5/79LhI= =6lh7 -----END PGP SIGNATURE----- From qed at tiscali.it Fri Aug 18 21:56:10 2006 From: qed at tiscali.it (Qed) Date: Fri Aug 18 22:26:46 2006 Subject: Multiple recipients In-Reply-To: <44E61661.3060209@nixthis.com> References: <44E61308.2040404@nixthis.com> <44E614E7.4050204@sixdemonbag.org> <44E61661.3060209@nixthis.com> Message-ID: <44E61B5A.9020609@tiscali.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 On 08/18/2006 09:34 PM, Brian Rosenvinge wrote: > A vendor will be encrypting files for us and making them available via > FTP. We have three users that will decrypt the files at different > times. The vendor will not accept more than one key from us and we > wanted each of our users to have their own key for security and auditing > purposes down the line. I don't know if it is feasible, but you could give to every user the same encryption subkey(used ONLY for the task above) binded to their, different, master keys. - -- Q.E.D. War is Peace Freedom is Slavery Ignorance is Strength ICQ UIN: 301825501 OpenPGP key ID: 0x58D14EB3 Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3 Check fingerprints before trusting a key! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQFE5htaH+Dh0Dl5XacRA1+hAJ9QSFKVSN7poQPKVk+G9BdtuIBAKACgjELV UBbnY0uYd+6B2bW2Up0nZGc= =9vpG -----END PGP SIGNATURE----- From brian at nixthis.com Fri Aug 18 23:01:43 2006 From: brian at nixthis.com (Brian) Date: Fri Aug 18 23:00:26 2006 Subject: Multiple recipients In-Reply-To: <44E61B5A.9020609@tiscali.it> References: <44E61308.2040404@nixthis.com> <44E614E7.4050204@sixdemonbag.org> <44E61661.3060209@nixthis.com> <44E61B5A.9020609@tiscali.it> Message-ID: <44E62AB7.50904@nixthis.com> I started to read up on subkeys but did not understand them enough to know if they did what we needed. I will take another look. Qed wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: RIPEMD160 > >On 08/18/2006 09:34 PM, Brian Rosenvinge wrote: > > >>A vendor will be encrypting files for us and making them available via >>FTP. We have three users that will decrypt the files at different >>times. The vendor will not accept more than one key from us and we >>wanted each of our users to have their own key for security and auditing >>purposes down the line. >> >> >I don't know if it is feasible, but you could give to every user the >same encryption subkey(used ONLY for the task above) binded to their, >different, master keys. >- -- > > Q.E.D. >War is Peace >Freedom is Slavery >Ignorance is Strength > >ICQ UIN: 301825501 >OpenPGP key ID: 0x58D14EB3 >Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3 >Check fingerprints before trusting a key! >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.4.5 (GNU/Linux) > >iD8DBQFE5htaH+Dh0Dl5XacRA1+hAJ9QSFKVSN7poQPKVk+G9BdtuIBAKACgjELV >UBbnY0uYd+6B2bW2Up0nZGc= >=9vpG >-----END PGP SIGNATURE----- > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users > > From dshaw at jabberwocky.com Fri Aug 18 23:17:55 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Aug 18 23:16:26 2006 Subject: Multiple recipients In-Reply-To: <44E61B5A.9020609@tiscali.it> References: <44E61308.2040404@nixthis.com> <44E614E7.4050204@sixdemonbag.org> <44E61661.3060209@nixthis.com> <44E61B5A.9020609@tiscali.it> Message-ID: <20060818211755.GA2854@jabberwocky.com> On Fri, Aug 18, 2006 at 09:56:10PM +0200, Qed wrote: > On 08/18/2006 09:34 PM, Brian Rosenvinge wrote: > > A vendor will be encrypting files for us and making them available via > > FTP. We have three users that will decrypt the files at different > > times. The vendor will not accept more than one key from us and we > > wanted each of our users to have their own key for security and auditing > > purposes down the line. > I don't know if it is feasible, but you could give to every user the > same encryption subkey(used ONLY for the task above) binded to their, > different, master keys. Doesn't this violate the "have their own key for security and auditing purposes" requirement? David From qed at tiscali.it Sat Aug 19 00:19:55 2006 From: qed at tiscali.it (Qed) Date: Sat Aug 19 00:18:50 2006 Subject: Multiple recipients In-Reply-To: <20060818211755.GA2854@jabberwocky.com> References: <44E61308.2040404@nixthis.com> <44E614E7.4050204@sixdemonbag.org> <44E61661.3060209@nixthis.com> <44E61B5A.9020609@tiscali.it> <20060818211755.GA2854@jabberwocky.com> Message-ID: <44E63D0B.90400@tiscali.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 On 08/18/2006 11:17 PM, David Shaw wrote: >>> A vendor will be encrypting files for us and making them available via >>> FTP. We have three users that will decrypt the files at different >>> times. The vendor will not accept more than one key from us and we >>> wanted each of our users to have their own key for security and auditing >>> purposes down the line. >> I don't know if it is feasible, but you could give to every user the >> same encryption subkey(used ONLY for the task above) binded to their, >> different, master keys. > > Doesn't this violate the "have their own key for security and auditing > purposes" requirement? I fully agree. - -- Q.E.D. War is Peace Freedom is Slavery Ignorance is Strength ICQ UIN: 301825501 OpenPGP key ID: 0x58D14EB3 Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3 Check fingerprints before trusting a key! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQFE5j0LH+Dh0Dl5XacRAwoUAJ9cN3L4TJ+oXd/LiJleGL/yZvtm9ACeNB8D eGqgv38KF7mbwFzYbgKwNUA= =GoRa -----END PGP SIGNATURE----- From gnucl3us at gmail.com Sat Aug 19 01:14:20 2006 From: gnucl3us at gmail.com (1wing-angel) Date: Sat Aug 19 01:12:49 2006 Subject: Problem retrieving encrypted email Message-ID: <5879314.post@talk.nabble.com> I don't know if this is a Thunderbird issue, a GnuPG issue, or a Engimail issue. I'm assuming it's Thunderbird's problem. I also don't know if I should post this to you guys or Thunderbird or Enigmail, but anyway I hope this is the right place. So far everything is working ok, BUT whenever I send a "Signed and Encrypted" email to myself, it goes through Gmail but I can't receive it with my Thunderbird email client. When I log onto my Gmail account, the signed and encrypted email is there in my inbox, but when I try to retrieve the message from my Thunderbird email client, it doesn't work. It doesn't give me any error messages or anything. *I use the latest Thunderbird and Engimail* How would I retrieve the signed and encrypted email that I sent to myself with my Thunderbird email client? I'm thinking this is a configuration issue. I just don't know where to look. I've checked the Thunderbird configuration settings, but it doesn't give me any hints. Maybe one of you guys/gals can lend me a hand? Thank you. -- View this message in context: http://www.nabble.com/Problem-retrieving-encrypted-email-tf2130189.html#a5879314 Sent from the GnuPG - User forum at Nabble.com. From gnucl3us at gmail.com Sat Aug 19 01:14:55 2006 From: gnucl3us at gmail.com (1wing-angel) Date: Sat Aug 19 01:13:17 2006 Subject: Problem retrieving encrypted email Message-ID: <5879315.post@talk.nabble.com> I don't know if this is a Thunderbird issue, a GnuPG issue, or a Engimail issue. I'm assuming it's Thunderbird's problem. I also don't know if I should post this to you guys or Thunderbird or Enigmail, but anyway I hope this is the right place. So far everything is working ok, BUT whenever I send a "Signed and Encrypted" email to myself, it goes through Gmail but I can't receive it with my Thunderbird email client. When I log onto my Gmail account, the signed and encrypted email is there in my inbox, but when I try to retrieve the message from my Thunderbird email client, it doesn't work. It doesn't give me any error messages or anything. *I use the latest Thunderbird and Engimail* How would I retrieve the signed and encrypted email that I sent to myself with my Thunderbird email client? I'm thinking this is a configuration issue. I just don't know where to look. I've checked the Thunderbird configuration settings, but it doesn't give me any hints. Maybe one of you guys/gals can lend me a hand? Thank you. -- View this message in context: http://www.nabble.com/Problem-retrieving-encrypted-email-tf2130190.html#a5879315 Sent from the GnuPG - User forum at Nabble.com. From gnucl3us at gmail.com Sat Aug 19 01:17:37 2006 From: gnucl3us at gmail.com (1wing-angel) Date: Sat Aug 19 01:15:57 2006 Subject: Problem retrieving encrypted email Message-ID: <5879316.post@talk.nabble.com> I don't know if this is a Thunderbird issue, a GnuPG issue, or a Engimail issue. I'm assuming it's Thunderbird's problem. I also don't know if I should post this to you guys or Thunderbird or Enigmail, but anyway I hope this is the right place. So far everything is working ok, BUT whenever I send a "Signed and Encrypted" email to myself, it goes through Gmail but I can't receive it with my Thunderbird email client. When I log onto my Gmail account, the signed and encrypted email is there in my inbox, but when I try to retrieve the message from my Thunderbird email client, it doesn't work. It doesn't give me any error messages or anything. *I use the latest Thunderbird and Engimail* How would I retrieve the signed and encrypted email that I sent to myself with my Thunderbird email client? I'm thinking this is a configuration issue. I just don't know where to look. I've checked the Thunderbird configuration settings, but it doesn't give me any hints. Maybe one of you guys/gals can lend me a hand? Thank you. -- View this message in context: http://www.nabble.com/Problem-retrieving-encrypted-email-tf2130191.html#a5879316 Sent from the GnuPG - User forum at Nabble.com. From gnucl3us at gmail.com Sat Aug 19 04:58:06 2006 From: gnucl3us at gmail.com (1wing-angel) Date: Sat Aug 19 04:56:34 2006 Subject: Problem retrieving signed and encrypted emails Message-ID: <5881188.post@talk.nabble.com> I don't know if this is a Thunderbird issue, a GnuPG issue, or a Engimail issue. I'm assuming it's Thunderbird's problem. I also don't know if I should post this to you guys or Thunderbird or Enigmail, but anyway I hope this is the right place. So far everything is working ok, BUT whenever I send a "Signed and Encrypted" email to myself, it goes through Gmail but I can't receive it with my Thunderbird email client. When I log onto my Gmail account, the signed and encrypted email is there in my inbox, but when I try to retrieve the message from my Thunderbird email client, it doesn't work. It doesn't give me any error messages or anything. *I use the latest Thunderbird and Engimail* How would I retrieve the signed and encrypted email that I sent to myself with my Thunderbird email client? I'm thinking this is a configuration issue. I just don't know where to look. I've checked the Thunderbird configuration settings, but it doesn't give me any hints. Maybe one of you guys/gals can lend me a hand? Thank you. EDIT: I just confirmed that if the message is "signed" by me and when I send it to myself using Thunderbird, I can't retreive it back. BUT when I log into Gmail's account, the "signed" email is there in my inbox. What's going on here? How come I can't retreive signed and encrypted emails with my Thunderbird email client? -- View this message in context: http://www.nabble.com/Problem-retrieving-signed-and-encrypted-emails-tf2130915.html#a5881188 Sent from the GnuPG - User forum at Nabble.com. From JPClizbe at comcast.net Sat Aug 19 06:02:02 2006 From: JPClizbe at comcast.net (John Clizbe) Date: Sat Aug 19 06:06:00 2006 Subject: Problem retrieving encrypted email In-Reply-To: <5879316.post@talk.nabble.com> References: <5879316.post@talk.nabble.com> Message-ID: <44E68D3A.3080504@comcast.net> 1wing-angel wrote: > I don't know if this is a Thunderbird issue, a GnuPG issue, or a Engimail > issue. I'm assuming it's Thunderbird's problem. I also don't know if I > should post this to you guys or Thunderbird or Enigmail, but anyway I hope > this is the right place. > > So far everything is working ok, BUT whenever I send a "Signed and > Encrypted" email to myself, it goes through Gmail but I can't receive it > with my Thunderbird email client. > > When I log onto my Gmail account, the signed and encrypted email is there in > my inbox, but when I try to retrieve the message from my Thunderbird email > client, it doesn't work. It doesn't give me any error messages or anything. > > *I use the latest Thunderbird and Engimail* > > How would I retrieve the signed and encrypted email that I sent to myself > with my Thunderbird email client? > > I'm thinking this is a configuration issue. I just don't know where to look. > I've checked the Thunderbird configuration settings, but it doesn't give me > any hints. Maybe one of you guys/gals can lend me a hand? > > Thank you. Well, since it's a problem with POP3 retrieval, it's not GnuPG or Enigmail. Does POP work for other messages from GMail? Try these: http://mail.google.com/support/bin/answer.py?answer=13273 http://mail.google.com/support/bin/answer.py?answer=38343 -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 662 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060818/ec0b5379/signature.pgp From bo.berglund at telia.com Sat Aug 19 08:30:26 2006 From: bo.berglund at telia.com (Bo Berglund) Date: Sat Aug 19 08:33:47 2006 Subject: What does key properties validity and trust 'None' mean??? Message-ID: <2bbde2t19ld56133kmhaqja36corrdkq7o@4ax.com> We are new to GPG and we have used gpg4win 1.0.5 to install the programs on Windows XP Pro PC:s. Some years ago we used PGP 7, but now it turns out that we cannot get it to work on our XP-Pro PC:s so we are trying GPG instead. But we are facing a problem when we keys and export our public keys. When we import the resulting ASC file from others into WinPT by drag-drop it looks like it succeeds, but when the key has reached the window we see that the validity and trust columns show up as None! What can we do to change this? Our own keys are Ultimate both in trust and validity, yet the public keys seem to lose this, why? In one case I have validity=Full but trust=None and I don't know why this happened.... Can someone please explain what we are doing wrong here? Is there another step after generating a key pair or after exporting the public key to make it valid and trusted? Or is this done by the other side (the one importing the public key)? /Bo Bo Berglund From shavital at mac.com Sat Aug 19 08:44:14 2006 From: shavital at mac.com (Charly Avital) Date: Sat Aug 19 08:42:47 2006 Subject: Problem retrieving signed and encrypted emails In-Reply-To: <5881188.post@talk.nabble.com> References: <5881188.post@talk.nabble.com> Message-ID: <44E6B33E.10700@mac.com> Hi, I have received your post on this subject four times: the three first versions were identical, the fourth one (quoted hereafter) is different both in Subject and contents (you have added an EDIT paragraph). I am checking my own POP settings, to find out whether something is wrong with them, that has me receive three times your same message. So far, you are the only sender with whom I have experienced this multiple receipts, for these three specific messages only. Or maybe it was some kind of hiccup of the list's server. To the point: In addition to the indications supplied in this forum by John Clizbe, to check your POP settings in your *gmail* account (where I too think your problem might be), may I suggest a wild guess, that you also check your Thunderbird's Junk mailbox where your signed or encrypted messages might be, if, for some unknown reason, Thunderbird's junk filters are intercepting those messages. As I said, I wild guess. Charly 1wing-angel wrote the following on 8/18/06 10:58 PM: > I don't know if this is a Thunderbird issue, a GnuPG issue, or a Engimail > issue. I'm assuming it's Thunderbird's problem. I also don't know if I > should post this to you guys or Thunderbird or Enigmail, but anyway I hope > this is the right place. > > So far everything is working ok, BUT whenever I send a "Signed and > Encrypted" email to myself, it goes through Gmail but I can't receive it > with my Thunderbird email client. > > When I log onto my Gmail account, the signed and encrypted email is there in > my inbox, but when I try to retrieve the message from my Thunderbird email > client, it doesn't work. It doesn't give me any error messages or anything. > > *I use the latest Thunderbird and Engimail* > > How would I retrieve the signed and encrypted email that I sent to myself > with my Thunderbird email client? > > I'm thinking this is a configuration issue. I just don't know where to look. > I've checked the Thunderbird configuration settings, but it doesn't give me > any hints. Maybe one of you guys/gals can lend me a hand? > > Thank you. > > EDIT: I just confirmed that if the message is "signed" by me and when I send > it to myself using Thunderbird, I can't retreive it back. BUT when I log > into Gmail's account, the "signed" email is there in my inbox. What's going > on here? How come I can't retreive signed and encrypted emails with my > Thunderbird email client? From bo.berglund at telia.com Sat Aug 19 08:47:32 2006 From: bo.berglund at telia.com (Bo Berglund) Date: Sat Aug 19 08:50:27 2006 Subject: Problem retrieving signed and encrypted emails References: <5881188.post@talk.nabble.com> <44E6B33E.10700@mac.com> Message-ID: <3ocde2p0pu9um8gf7uur4lia5cqmis2k6h@4ax.com> On Sat, 19 Aug 2006 02:44:14 -0400, Charly Avital wrote: >I have received your post on this subject four times: the three first >versions were identical, the fourth one (quoted hereafter) is different >both in Subject and contents (you have added an EDIT paragraph). > >I am checking my own POP settings, to find out whether something is >wrong with them, that has me receive three times your same message. So >far, you are the only sender with whom I have experienced this multiple >receipts, for these three specific messages only. Or maybe it was some >kind of hiccup of the list's server. I also noted this multiple posting and the timestamps are different too, so it might be that the OP wanted to create more responses by flooding the group with his messages. But I think this works the other way, I for one am not likely to respond to someone who does this. And another bad idea is to post the same message several times in different threads. Causes me to do the same thing, ignore the question.... /Bo Bo Berglund From samuel at Update.UU.SE Sat Aug 19 10:11:58 2006 From: samuel at Update.UU.SE (Samuel ]slund) Date: Sat Aug 19 10:10:37 2006 Subject: What does key properties validity and trust 'None' mean??? In-Reply-To: <2bbde2t19ld56133kmhaqja36corrdkq7o@4ax.com> References: <2bbde2t19ld56133kmhaqja36corrdkq7o@4ax.com> Message-ID: <20060819081158.GH8959@Update.UU.SE> On Sat, Aug 19, 2006 at 08:30:26AM +0200, Bo Berglund wrote: > We are new to GPG and we have used gpg4win 1.0.5 to install the > programs on Windows XP Pro PC:s. Some years ago we used PGP 7, but now > it turns out that we cannot get it to work on our XP-Pro PC:s so we > are trying GPG instead. > > But we are facing a problem when we keys and export our public keys. > When we import the resulting ASC file from others into WinPT by > drag-drop it looks like it succeeds, but when the key has reached the > window we see that the validity and trust columns show up as None! > > What can we do to change this? Our own keys are Ultimate both in trust > and validity, yet the public keys seem to lose this, why? > In one case I have validity=Full but trust=None and I don't know why > this happened.... > > Can someone please explain what we are doing wrong here? > Is there another step after generating a key pair or after exporting > the public key to make it valid and trusted? > Or is this done by the other side (the one importing the public key)? If I read you correctly you are exporting Keys from PGP7 for use with GnuPG. Since you have used PGP before I assume that you are familiar with the "web-of-trust". The owner trust on a key is not exported when you export the key, thus you have to assign it yourself and unless you have signed a key yourself no key will be truted unless you asign some owner trust to the keys in the path to the key you want to use. I hope this makes sence, //Samuel From alphasigmax at gmail.com Sat Aug 19 10:55:08 2006 From: alphasigmax at gmail.com (Alphax) Date: Sat Aug 19 10:56:32 2006 Subject: Problem retrieving encrypted email In-Reply-To: <5879316.post@talk.nabble.com> References: <5879316.post@talk.nabble.com> Message-ID: <44E6D1EC.5050901@gmail.com> 1wing-angel wrote: > I don't know if this is a Thunderbird issue, a GnuPG issue, or a Engimail > issue. I'm assuming it's Thunderbird's problem. I also don't know if I > should post this to you guys or Thunderbird or Enigmail, but anyway I hope > this is the right place. > > So far everything is working ok, BUT whenever I send a "Signed and > Encrypted" email to myself, it goes through Gmail but I can't receive it > with my Thunderbird email client. > > When I log onto my Gmail account, the signed and encrypted email is there in > my inbox, but when I try to retrieve the message from my Thunderbird email > client, it doesn't work. It doesn't give me any error messages or anything. > I belive it's actually an issue with Gmail. Suppose you send an email (via Gmail's web interface or their SMTP server) to a mailing list. The mailing list will send a copy of the message back to you (if you've enabled it); however, Gmail recieves it and says "Oh, you already sent that, I won't bother delivering it to you". I'm not sure if it ever appears in your inbox, but it won't be forwarded by any filters, and it probably won't be accessible via the POP3 interface either. I'm fairly certain that the behaviour is identical for sending an email to yourself. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 569 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060819/f9774a76/signature-0001.pgp From bo.berglund at telia.com Sat Aug 19 11:01:31 2006 From: bo.berglund at telia.com (Bo Berglund) Date: Sat Aug 19 11:04:22 2006 Subject: What does key properties validity and trust 'None' mean??? References: <2bbde2t19ld56133kmhaqja36corrdkq7o@4ax.com> <20060819081158.GH8959@Update.UU.SE> Message-ID: On Sat, 19 Aug 2006 10:11:58 +0200, samuel@Update.UU.SE (Samuel ]slund) wrote: > >If I read you correctly you are exporting Keys from PGP7 for use with >GnuPG. Since you have used PGP before I assume that you are familiar >with the "web-of-trust". The owner trust on a key is not exported when >you export the key, thus you have to assign it yourself and unless you >have signed a key yourself no key will be truted unless you asign some >owner trust to the keys in the path to the key you want to use. > >I hope this makes sence, >//Samuel No, I was referring to PGP7 just to indicate that I have been using encryption before even though I am new to GnuPG. The old PGP keys are not the issue (yet). But your answer cleared the handling for me. In short these are the steps: 1. Create a key pair in GPG 2. Export your public key to an asc file 3. Hand this over to a person you want to communicate with 4. He imports the key into WinPT by drag-drop Now both Validity and Trust are 'None' 5. Next he selects the key and uses Key/Sign to sign the key At this stage the Validity switches to 'Full' but Trust is None 6. Finally he opens the key properties and changes "Ownertrust" This can be changedto something like Ultimate or Full Now the key is fully trusted and valid, I guess. PGP7 compatibility I was already able to import my old PGP keys into GnuPG (WinRT) so I could read my old encrypted emails from a few years back through GnuPG. I found one strange glitch though, old emails containing Swedish characters decrypt to cleartext but are missing the Swedish chars. So the words look really strange when there are supposed to be one of ?????? there, these are simply gone.... /Bo Bo Berglund From mlisten at hammernoch.net Sat Aug 19 12:30:50 2006 From: mlisten at hammernoch.net (=?ISO-8859-1?Q?Ludwig_H=FCgelsch=E4fer?=) Date: Sat Aug 19 12:29:58 2006 Subject: What does key properties validity and trust 'None' mean??? In-Reply-To: References: <2bbde2t19ld56133kmhaqja36corrdkq7o@4ax.com> <20060819081158.GH8959@Update.UU.SE> Message-ID: <44E6E85A.2060902@hammernoch.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Bo Berglund wrote on 19.08.2006 11:01 Uhr: > I found one strange glitch though, old emails containing Swedish > characters decrypt to cleartext but are missing the Swedish chars. So > the words look really strange when there are supposed to be one of > ?????? there, these are simply gone.... This may be a drawback of the PGP program. The versions after 2.63 (at least 5.x and 6.x) did not state the charset used, so all the non-Ascii characters are transposed when you decrypt on a platform using a different charset than the encrypting machine. The only thing you can do about this to decrypt the old emails, filter them through a script to recode the non-ASCIIs and reencrypt the with gpg. HTH Ludwig -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEVAwUBROboWFYnpxVXVowdAQLM5wgAxM/WzC2rN7hVSi2J094zvFBdeiCke0vn TCx3OUXOPfHho9DPDLjgNQnl5+rr4sLDniUXI1/Y2CjkGMiSHogPM72XTOGhWH/E N1yVT7RTNLuZtjh4OPKY6KmHqyZjXP2wvjHgwsyuxG2OB+UlxfG+pitSiwncTloO 8OIyl+Bd4it/xvAsRzM8zgJUB4Ga7ZGIEiQG/t8H3LQ6CEQEd8QbiLoDeI46KaTG 9HBmN1z/OXJUgI8ytzxD2OPWE99ROSAjHr8th3sJ2+OoMBDityRvU96Y7m9JEW4m wfYnIedowuDM91RP4j/yHy/Xw60w2Eqibu+NkbXUtAG/1EmLyJPlNQ== =DAZm -----END PGP SIGNATURE----- From ivalladolidt at terra.es Sat Aug 19 16:46:07 2006 From: ivalladolidt at terra.es (Ismael Valladolid Torres) Date: Sat Aug 19 19:25:57 2006 Subject: GnuPG (GPG) Problem In-Reply-To: <44E61238.3030001@comcast.net> References: <44E61238.3030001@comcast.net> Message-ID: <20060819144607.GB1104@ASPIRE> John Clizbe escribe: > Just copy the keyring files. I store my private keyring and a public keyring containing only my public key on a pendrive, then in your gpg.conf: keyring /path/to/pendrive/pubring.gpg secret-keyring /path/to/pendrive/secring.gpg Using several different computers it works like a charm. Cordially, Ismael -- Dropping science like when Galileo dropped his orange! From jon at jrock.us Sat Aug 19 19:54:06 2006 From: jon at jrock.us (Jonathan Rockway) Date: Sat Aug 19 20:53:20 2006 Subject: Don't store your key on a flash drive! [was Re: GnuPG (GPG) Problem] In-Reply-To: <20060819144607.GB1104@ASPIRE> References: <44E61238.3030001@comcast.net> <20060819144607.GB1104@ASPIRE> Message-ID: <44E7503E.5040708@jrock.us> I would recommend that you don't do that. What if you lose the drive? Then your private key is compromised. Do you have a revocation certificate in a safe location? If not, you can't even tell anyone that your private key has been compromised! Not good! The OpenPGP smartcard is a much safer option, since it will not give up the private key (even if you have the password), and will lock itself after 3 incorrect password attempts. (And after 3 incorrect Admin PIN attempts, it will destroy itself, which is pretty inconvenient for someone trying to steal your key.) Compare this to a pen drive that will let anyone copy off the secret key and guess the passphrase on their friendly local supercomputer cluster. The other advantage is that if your card gets stolen, you *know* that it's been stolen. If you have your key lying around in your homedir somewhere, someone could just make a copy of it, and you'd never know. With the OpenPGP card, if it's not in your hand, you can consider it stolen. For $20, you can't go wrong. Get an OpenPGP card and be happy :) http://www.kernelconcepts.de/products/security-en.shtml Regards, Jonathan Rockway Ismael Valladolid Torres wrote: > John Clizbe escribe: > >> Just copy the keyring files. >> > > I store my private keyring and a public keyring containing only my > public key on a pendrive, then in your gpg.conf: > > keyring /path/to/pendrive/pubring.gpg > secret-keyring /path/to/pendrive/secring.gpg > > Using several different computers it works like a charm. > > Cordially, Ismael > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 370 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060819/01efd96f/signature.pgp From rjh at sixdemonbag.org Sat Aug 19 21:37:28 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat Aug 19 21:36:03 2006 Subject: Don't store your key on a flash drive! [was Re: GnuPG (GPG) Problem] In-Reply-To: <44E7503E.5040708@jrock.us> References: <44E61238.3030001@comcast.net> <20060819144607.GB1104@ASPIRE> <44E7503E.5040708@jrock.us> Message-ID: <44E76878.2080606@sixdemonbag.org> Jonathan Rockway wrote: > I would recommend that you don't do that. What if you lose the > drive? Then your private key is compromised. Let's not use the word 'compromised'. Let's call it 'loss of control'. If I leave my wallet on my desktop for an hour while I go to a meeting, are my credit cards compromised? I think we'd agree that they're probably not. If I get mugged and my wallet stolen, are my credit cards compromised? I think we'd agree that they are. Compromise usually means not only a failure of access controls, but a strong likelihood of unauthorized persons exploiting the failure of access controls. Losing a dongle doesn't necessarily mean it's been compromised. It means you have a problem, yes, one that's in need of addressing, but it doesn't necessarily call for a key revocation. > Do you have a revocation certificate in a safe location? Having a revocation certificate is totally unrelated to the issue of whether one uses a USB dongle or a cryptographic card. > The OpenPGP smartcard is a much safer option, since it will not give > up the private key (even if you have the password), and will lock > itself after 3 incorrect password attempts. (And after 3 incorrect > Admin PIN attempts, it will destroy itself, which is pretty > inconvenient for someone trying to steal your key.) Compare this to > a pen drive that will let anyone copy off the secret key and guess > the passphrase on their friendly local supercomputer cluster. The entire point of a passphrase on a key is so that even if the attacker _does_ have a supercomputer cluster it will be of no use. An OpenPGP card may allow you to get away with a weaker passphrase, but there's nothing inherently dumb about putting a private key on a USB dongle as long as the passphrase is sufficiently strong. Given the choice between trusting flash memory to wipe itself, and trusting that strong cryptography is going to stand up to even dedicated cryptologic attacks, I'll put my money on the latter any day of the week. > The other advantage is that if your card gets stolen, you *know* that > it's been stolen. I have a two gig USB dongle on my (physical) keyring right next to my car and office keys. If that gets stolen, trust me: I'll know. Whereas if you were to go through my wallet and randomly pilfer one of my cards, I might not know it for a while: while I use my ATM card almost daily, I can't remember the last time I needed to pull out my amateur radio license. What it boils down to is this: there are no silver bullets. There is more than one way to do it. If the OpenPGP card works for you, then great, go for it. But if the OpenPGP card doesn't work for someone else, then you're wasting their time by telling them "oh, don't do that, use an OpenPGP card." Speaking for myself, I have doubts about the long-term security of RSA/1024. I much prefer RSA/2048 instead. Thus, the OpenPGP card fails to meet my own security policy... whereas storing a copy of my private key on my USB dongle, with a high-security passphrase, is a far better solution than an OpenPGP card. From JPClizbe at comcast.net Sat Aug 19 21:33:58 2006 From: JPClizbe at comcast.net (John Clizbe) Date: Sat Aug 19 21:44:13 2006 Subject: What does key properties validity and trust 'None' mean??? In-Reply-To: <2bbde2t19ld56133kmhaqja36corrdkq7o@4ax.com> References: <2bbde2t19ld56133kmhaqja36corrdkq7o@4ax.com> Message-ID: <44E767A6.60707@comcast.net> Bo Berglund wrote: > We are new to GPG and we have used gpg4win 1.0.5 to install the > programs on Windows XP Pro PC:s. Some years ago we used PGP 7, but now > it turns out that we cannot get it to work on our XP-Pro PC:s so we > are trying GPG instead. You may wish to find a copy of PGP 8.0.x or 8.1. The freeware versions will get you the key manager and clipboard functionality. > But we are facing a problem when we keys and export our public keys. > When we import the resulting ASC file from others into WinPT by > drag-drop it looks like it succeeds, but when the key has reached the > window we see that the validity and trust columns show up as None! PGP anf GnuPG store 'trust' settings in different ways. PGP stores it and part of the key; gnuPG uses a separate file. You should be able to imprt your PGP keyring files directly into GnuPG, eg. gpg --import secring.skr gpg --import pubring.pkr > What can we do to change this? Our own keys are Ultimate both in trust > and validity, yet the public keys seem to lose this, why? > In one case I have validity=Full but trust=None and I don't know why > this happened.... Imported key *pairs* will need to be set to Ultimate trust. This corresponds to the 'Implicit Trust' check box in PGP's Key Properties box. Keys that were set to Full or Partial trust in PGP will need to have those settings reapplied in GnuPG - You can do this with WinPT or GPGshell or even the command line. > Can someone please explain what we are doing wrong here? > Is there another step after generating a key pair or after exporting > the public key to make it valid and trusted? > Or is this done by the other side (the one importing the public key)? Is the key self-signed or signed by a trusted key? -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 662 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060819/62ce48f7/signature.pgp From gnucl3us at gmail.com Sun Aug 20 00:16:29 2006 From: gnucl3us at gmail.com (1wing-angel) Date: Sun Aug 20 00:15:17 2006 Subject: Problem retrieving signed and encrypted emails In-Reply-To: <44E6B33E.10700@mac.com> References: <5881188.post@talk.nabble.com> <44E6B33E.10700@mac.com> Message-ID: <5888795.post@talk.nabble.com> I'm sorry if you guys/gals recieved multilple copies of my post. It's just that I had problems posting up on this forum. I accidently posted 3 of the same post, which I then deleted 2 and kept the other one. Anyway it was just a mistake and I apologize. Ok this is to Charly Avital. I checked my pop settings in *Gmail* The below is the settings for my POP Gmail account. ################################################################################### Fowarding is disabled(Keep Gmail's copy in the inbox is selected) The status for POP Download is "Enabled for all mail that has arrived since 2:33pm" When messages are accessed with POP delete Gmail's copy ################################################################################### ^ The above is my settings for POP Gmail. I also checked over my Thunderbird Junk Filters, but no messages are stored there. I even tried sending a signed and encrypted email to myself to see if it would be stored in my Thunderbird Junk Folders, but no. Maybe my firewall is blocking it? I have ZoneAlarm Suite. The below is my settings for "Email Privacy" in ZoneAlarm Suite. But I don't think that ZoneAlarm is the cause of this because I believe ZoneAlarm is setup for my OutLook Express(which I don't use) I just thought I point this out, it might give you all some hints ?? File attachment is enabled. Outbound MailSafe Protection is enabled. Junk E-mail filter is enabled. *Thunderbird is selected as my default email client* Hmmmm what else should I mention........Oh I sent a signed and encrypted email to myself using Thunderbird. When I go to my Gmail account, it is in my inbox. When I try to retrieve the message with Thunderbird, I get none. But when I reply back to myself using my Gmail account, I can retreive it with my Thunderbird client. If you go to the below link, that is how I setup my Gmail with Thunderbird client. http://mail.google.com/support/bin/answer.py?answer=13285 Other additional settings/configurations that I added to Thunderbird Client is the following: #################################################################################### Server Settings(tab) - Empty Trash on Exit is checked Composition and Addressing(tab) - Compose messages in HTML format is unchecked. OpenGPG Security(tab) - Enable OpenGPG support (Enigmail) for this identity is checked. Use email address of this identity to identify OpenGPG key is selected. Local Disk(tab) - Empty Trash on Exit is checked. #################################################################################### That's about it, the others are all default. If you guys/gals want me to give you the complete configurations for Thunderbird or Gmail account, just ask ok? Well that's about it, hope the above can give out some clues. Charly Avital wrote: > > Hi, > > I have received your post on this subject four times: the three first > versions were identical, the fourth one (quoted hereafter) is different > both in Subject and contents (you have added an EDIT paragraph). > > I am checking my own POP settings, to find out whether something is > wrong with them, that has me receive three times your same message. So > far, you are the only sender with whom I have experienced this multiple > receipts, for these three specific messages only. Or maybe it was some > kind of hiccup of the list's server. > > To the point: > In addition to the indications supplied in this forum by John Clizbe, to > check your POP settings in your *gmail* account (where I too think your > problem might be), may I suggest a wild guess, that you also check your > Thunderbird's Junk mailbox where your signed or encrypted messages might > be, if, for some unknown reason, Thunderbird's junk filters are > intercepting those messages. As I said, I wild guess. > > Charly > > > 1wing-angel wrote the following on 8/18/06 10:58 PM: >> I don't know if this is a Thunderbird issue, a GnuPG issue, or a Engimail >> issue. I'm assuming it's Thunderbird's problem. I also don't know if I >> should post this to you guys or Thunderbird or Enigmail, but anyway I >> hope >> this is the right place. >> >> So far everything is working ok, BUT whenever I send a "Signed and >> Encrypted" email to myself, it goes through Gmail but I can't receive it >> with my Thunderbird email client. >> >> When I log onto my Gmail account, the signed and encrypted email is there >> in >> my inbox, but when I try to retrieve the message from my Thunderbird >> email >> client, it doesn't work. It doesn't give me any error messages or >> anything. >> >> *I use the latest Thunderbird and Engimail* >> >> How would I retrieve the signed and encrypted email that I sent to myself >> with my Thunderbird email client? >> >> I'm thinking this is a configuration issue. I just don't know where to >> look. >> I've checked the Thunderbird configuration settings, but it doesn't give >> me >> any hints. Maybe one of you guys/gals can lend me a hand? >> >> Thank you. >> >> EDIT: I just confirmed that if the message is "signed" by me and when I >> send >> it to myself using Thunderbird, I can't retreive it back. BUT when I log >> into Gmail's account, the "signed" email is there in my inbox. What's >> going >> on here? How come I can't retreive signed and encrypted emails with my >> Thunderbird email client? > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -- View this message in context: http://www.nabble.com/Problem-retrieving-signed-and-encrypted-emails-tf2130915.html#a5888795 Sent from the GnuPG - User forum at Nabble.com. From dshaw at jabberwocky.com Sun Aug 20 03:17:58 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Sun Aug 20 03:16:40 2006 Subject: Don't store your key on a flash drive! [was Re: GnuPG (GPG) Problem] In-Reply-To: <44E76878.2080606@sixdemonbag.org> References: <44E61238.3030001@comcast.net> <20060819144607.GB1104@ASPIRE> <44E7503E.5040708@jrock.us> <44E76878.2080606@sixdemonbag.org> Message-ID: <20060820011758.GA5092@jabberwocky.com> On Sat, Aug 19, 2006 at 02:37:28PM -0500, Robert J. Hansen wrote: > > The OpenPGP smartcard is a much safer option, since it will not give > > up the private key (even if you have the password), and will lock > > itself after 3 incorrect password attempts. (And after 3 incorrect > > Admin PIN attempts, it will destroy itself, which is pretty > > inconvenient for someone trying to steal your key.) Compare this to > > a pen drive that will let anyone copy off the secret key and guess > > the passphrase on their friendly local supercomputer cluster. > > The entire point of a passphrase on a key is so that even if the > attacker _does_ have a supercomputer cluster it will be of no use. An > OpenPGP card may allow you to get away with a weaker passphrase, but > there's nothing inherently dumb about putting a private key on a USB > dongle as long as the passphrase is sufficiently strong. This is quite correct and frequently misunderstood. After all, the secret key encryption is essentially the same symmetric encryption that is used to encrypt messages. If you're trusting it to protect your messages, you probably should trust it to protect your key as well. The big difference, as I see it, between a smartcard and a flash key, is not so much in how it protects the key "at rest" (i.e. a stolen smartcard or flash key), but how it protects the key when in use. A flash key has a mountable filesystem with actual files on it. A compromised host machine could copy the secret key file, while simultaneously keylogging the passphrase for it. A smartcard cannot give up the secret key in normal use - there is simply no interface to do that. (I'm not counting electron microscopes and the like as "normal use" here. Normal use is sticking the card into a reader.) A compromised host machine could keylog the passphrase, but can't get the key. In either case, a compromised host can *use* the key, say to decrypt something, or make a signature. > Speaking for myself, I have doubts about the long-term security of > RSA/1024. I much prefer RSA/2048 instead. Thus, the OpenPGP card fails > to meet my own security policy... whereas storing a copy of my private > key on my USB dongle, with a high-security passphrase, is a far better > solution than an OpenPGP card. Yes. Smartcards really lag behind what general purpose machines can generate. 1024 is fairly rare these days, and even 4096 is becoming more common. David From dylan at vaughnworks.com Sun Aug 20 07:21:58 2006 From: dylan at vaughnworks.com (Dylan Vaughn) Date: Sun Aug 20 07:20:59 2006 Subject: Multi-user gpg-agent question Message-ID: <1156051318.5344.17.camel@sdhoc> Hello, I am trying to figure out an issue I'm having with gpg-agent. I have set up gpg and gpg-agent according to the guides here: http://www.madboa.com/geek/gpg-quickstart/ (for gpg) and here: http://www.debian-administration.org/articles/378 (for gpg-agent) I am running Debian sarge, and using all standard debian packages. The issue is that after I start gpg-agent for one user, it does not work for any other user on my machine. For example, after I do an initial decrypt call with: dylan@dylan:~ $ gpg -o clear.txt -d encrypted.txt.asc which works fine, i.e. the pinentry-curses program asks me for my passphrase the first time and gpg-agent uses the cached passphrase on subsequent decrypt calls, then when I switch to a different user on my machine and try to do the same thing gpg-agent doesn't prompt me for my passphrase on the initial attempt and instead gives me this message: dylan2@sunbeam:~/test$ eval "$(gpg-agent --daemon)" dylan2@sunbeam:~/test$ gpg -o clear.txt -d test.txt.asc You need a passphrase to unlock the secret key for user: "Dylan2 Vaughn " 2048-bit ELG-E key, ID 34FC7CBC, created 2006-08-19 (main key ID 71D43350) gpg: cancelled by user gpg: encrypted with 2048-bit ELG-E key, ID 34FC7CBC, created 2006-08-19 "Dylan2 Vaughn " gpg: public key decryption failed: bad passphrase gpg: decryption failed: secret key not available However, I can do the normal encrypt / decrypt stuff with the root user after doing it the first time with my 'dylan' user. Also, if I initially log into the 'dylan2' user account after rebooting, I can do the encrypt / decrypt with that user but then not any others (except root). What am I doing wrong? Any help would be appreciated. Thanks, Dylan -- Dylan Vaughn -- CEO Vaughn Works, Inc. dylan@vaughnworks.com From The_Polymorph at rocketmail.com Sun Aug 20 07:31:17 2006 From: The_Polymorph at rocketmail.com (Caitlin) Date: Sun Aug 20 09:25:53 2006 Subject: GnuPG neophyte inquiries. Message-ID: <20060820053117.42069.qmail@web50803.mail.yahoo.com> Hi all. Ok. I'm quite interested in GnuPG but I felt compelled to ask a few questions. Ready? 1). My roommate and I share a WinXP box. If I install GnuPG 1.4.5 on it, would this represent a potential security concern? 2). Would I have to copy and paste encrypted messages received via email to a disk (for example) then transport them to the machine mentioned in #1 for decryption? 3). If a security issue arises with the version of GnuPG I'm using, what happens to my keyring, private key, etc. when I upgrade? I'm assuming I would have to send my friends/associates a newly generated public key so we could resume communication? 4). How secure (generally speaking) is installing GnuPG on a flash drive and using it for all GnuPG related activity? I'm a college student and security on the campus network is clearly of paramount importance. Thanks all, Caitlin __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From bo.berglund at telia.com Sun Aug 20 09:28:30 2006 From: bo.berglund at telia.com (Bo Berglund) Date: Sun Aug 20 09:27:26 2006 Subject: What does key properties validity and trust 'None' mean??? References: <2bbde2t19ld56133kmhaqja36corrdkq7o@4ax.com> <44E767A6.60707@comcast.net> Message-ID: <853ge29n16rkpihk4askau9jlk22u685qs@4ax.com> On Sat, 19 Aug 2006 14:33:58 -0500, John Clizbe wrote: >Bo Berglund wrote: >> We are new to GPG and we have used gpg4win 1.0.5 to install the >> programs on Windows XP Pro PC:s. Some years ago we used PGP 7, but now >> it turns out that we cannot get it to work on our XP-Pro PC:s so we >> are trying GPG instead. > >You may wish to find a copy of PGP 8.0.x or 8.1. The freeware versions will get >you the key manager and clipboard functionality. We can't do this since the licensing for freeware states it is for non-commercial use and we want to use it also for the company. Actually 7.0.3 also had this license condition so we could not use that either. And Microsoft has put in stops on installing PGP 7.0.3 in the Windows XP-Pro operating system, I believe from SP2... Last fall I managed to install 7.0.3 on my XP-Pro PC after tricking the WinXP detection of the setup.exe files it won't accept. It worked just fine but then I did not use it for a while. Meanwhile there were a bunch of Windows updates installed and finally when I was going to test it again recently it caused Outlook2003 to just bomb out with a message talking about notifying Microsoft of the error. :-( So I guess Microsoft has put in more stops on the use of PGP 7.0.3 in Windows XP-Pro. And due to the licensing we decided to look for other solutions. That's how we found GnuPG. > >> But we are facing a problem when we keys and export our public keys. >> When we import the resulting ASC file from others into WinPT by >> drag-drop it looks like it succeeds, but when the key has reached the >> window we see that the validity and trust columns show up as None! > >PGP anf GnuPG store 'trust' settings in different ways. PGP stores it and part >of the key; gnuPG uses a separate file. You should be able to imprt your PGP >keyring files directly into GnuPG, eg. > > gpg --import secring.skr > gpg --import pubring.pkr I have done this and it works. But that was not the gist of my problem, it deals with adding public keys from persons who just installed GnuPG and created new key pairs. I learned here now that we have to: - Import the key into WinPT (Trust and Validity is now None) - Sign the key (Validity is now Full) - Change ownertrust to Full (only possible for a signed key) We did not know about the two last steps and this is the reason for my post. Bo Berglund From bo.berglund at telia.com Sun Aug 20 09:40:45 2006 From: bo.berglund at telia.com (Bo Berglund) Date: Sun Aug 20 09:39:27 2006 Subject: GnuPG (GPG) Problem References: <44E61238.3030001@comcast.net> <20060819144607.GB1104@ASPIRE> Message-ID: On Sat, 19 Aug 2006 16:46:07 +0200, Ismael Valladolid Torres wrote: >John Clizbe escribe: >> Just copy the keyring files. > >I store my private keyring and a public keyring containing only my >public key on a pendrive, then in your gpg.conf: > >keyring /path/to/pendrive/pubring.gpg >secret-keyring /path/to/pendrive/secring.gpg > I wonder about the gpg.conf file: Is it used at all in Windows? I looked at my own one at "C:\Documents and Settings\\Application Data\gnupg" and found only commented out lines there. The word keyring appeared only twice and this was in descriptive text, not in a setting. So how does one do this on Windows???? Bo Berglund From gct3 at blueyonder.co.uk Sun Aug 20 15:34:51 2006 From: gct3 at blueyonder.co.uk (Graham) Date: Sun Aug 20 15:33:41 2006 Subject: GnuPG neophyte inquiries. In-Reply-To: <20060820053117.42069.qmail@web50803.mail.yahoo.com> References: <20060820053117.42069.qmail@web50803.mail.yahoo.com> Message-ID: <200608201435.13448.gct3@blueyonder.co.uk> On Sunday 20 August 2006 6:31 am, Caitlin wrote: > Hi all. Hi and welcome :-) > Ok. I'm quite interested in GnuPG but I felt compelled to ask a few > questions. Ready? > > 1). My roommate and I share a WinXP box. If I install GnuPG 1.4.5 on > it, would this represent a potential security concern? There should be no security problems. Only you will know your passphrase, but if you let anybody have access to your passphrases, then they will be able to decrypt messages on your box. I take it that you use different (passworded) accounts and therefore you would not normally gain access to the data of your roommate, and he/she not your data. To keep things extra secure, however, I would keep your keyring separate and download it into your machine before use and delete the keyring on ending your session. > 2). Would I have to copy and paste encrypted messages received via > email to a disk (for example) then transport them to the machine > mentioned in #1 for decryption? Depending upon the email program you use, this should be done automatically. I would suggest you use Thunderbird as your email program with the Enigmail extension to handle GnuPG, but you may wish to stick with another. Just make sure it supports the OpenPGP standard. > 3). If a security issue arises with the version of GnuPG I'm using, > what happens to my keyring, private key, etc. when I upgrade? I'm > assuming I would have to send my friends/associates a newly generated > public key so we could resume communication? People are trying all the time to find chinks in GnuPG's armour in order that the security and stability of the program is maintained. They do occasionally find chinks and as these are reported to the GnuPG developers a new version is very quickly out. It all depends on the security risk, but I have never had to generate new keys for this purpose in the six years I've been using GnuPG. There is an OpenPGP standard to which GnuPG adheres, so there shouldn't be any reason why your keyring, private keys, etc can't be used with a new version of GnuPG. > 4). How secure (generally speaking) is installing GnuPG on a flash > drive and using it for all GnuPG related activity? I'm a college > student and security on the campus network is clearly of paramount > importance. As I am (although a VERY mature student!). There is no problem with security (other than general problems with Windows security) in using a flash drive. It all depends if you are using a machine that will recognise your flash drive. What I do under Linux is carry my keyring on an SD/MMC card and connect a card reader to the USB port of the machine. It is then recognised as a mass storage device. I point the email program to GnuPG and my keyring at its location. I'm not sure how I would do it under WinXP, but you might like to look up WinPT, a front end for GnuPG on Windows. -- Graham -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 245 bytes Desc: not available Url : /pipermail/attachments/20060820/36a3fb4c/attachment.pgp From ivalladolidt at terra.es Sun Aug 20 16:10:24 2006 From: ivalladolidt at terra.es (Ismael Valladolid Torres) Date: Sun Aug 20 16:09:17 2006 Subject: Don't store your key on a flash drive! [was Re: GnuPG (GPG) Problem] In-Reply-To: <44E7503E.5040708@jrock.us> References: <44E61238.3030001@comcast.net> <20060819144607.GB1104@ASPIRE> <44E7503E.5040708@jrock.us> Message-ID: <20060820141024.GA1804@ASPIRE> Jonathan Rockway escribe: > I would recommend that you don't do that. What if you lose the drive? > Then your private key is compromised. Do you have a revocation > certificate in a safe location? If not, you can't even tell anyone that > your private key has been compromised! Not good! Sure! I use the key stored in the drive only on computers at work. At home I store a copy of the key in the hard drive. Moreover yes, I have a revocation certificate. > For $20, you can't go wrong. Get an OpenPGP card and be happy :) > > http://www.kernelconcepts.de/products/security-en.shtml I am a smartcard programmer. Sure an OpenPGP card is just a standard smartcard with special elementary files in its filesystem. Could I make my own OpenPGP card from a common smartcard given I know its administrative codes? If applets are involved probably it could also be loaded in any card supporting Java. Cordially, Ismael -- Dropping science like when Galileo dropped his orange! From ivalladolidt at terra.es Sun Aug 20 16:12:50 2006 From: ivalladolidt at terra.es (Ismael Valladolid Torres) Date: Sun Aug 20 16:11:28 2006 Subject: Don't store your key on a flash drive! [was Re: GnuPG (GPG) Problem] In-Reply-To: <44E76878.2080606@sixdemonbag.org> References: <44E61238.3030001@comcast.net> <20060819144607.GB1104@ASPIRE> <44E7503E.5040708@jrock.us> <44E76878.2080606@sixdemonbag.org> Message-ID: <20060820141250.GB1804@ASPIRE> Robert J. Hansen escribe: > Speaking for myself, I have doubts about the long-term security of > RSA/1024. I much prefer RSA/2048 instead. Thus, the OpenPGP card fails > to meet my own security policy... whereas storing a copy of my private > key on my USB dongle, with a high-security passphrase, is a far better > solution than an OpenPGP card. A smartcard is very convenient as far as it's a multi application device, so you can store much other info apart from GnuPG keys, i.e. Mozilla passwords or such. Cordially, Ismael -- Dropping science like when Galileo dropped his orange! From rjh at sixdemonbag.org Sun Aug 20 16:13:55 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sun Aug 20 16:12:32 2006 Subject: GnuPG neophyte inquiries. In-Reply-To: <20060820053117.42069.qmail@web50803.mail.yahoo.com> References: <20060820053117.42069.qmail@web50803.mail.yahoo.com> Message-ID: <44E86E23.6040207@sixdemonbag.org> Caitlin wrote: > 1). My roommate and I share a WinXP box. If I install GnuPG 1.4.5 on > it, would this represent a potential security concern? We can't answer this question with a 'yes' or a 'no'. Decisions about security are up to you. We can hopefully give you some questions which will help you make your decision, though. 1. Do you trust your roommate? 2. Do you trust Windows XP? If both questions are answered 'yes', then it's very unlikely sharing a Windows XP box with your roommate would present a security concern. But if you don't trust your roommate, or you don't trust Windows XP, then pretty much anything you do on your PC needs to be considered suspect--not just GnuPG. > 2). Would I have to copy and paste encrypted messages received via > email to a disk (for example) then transport them to the machine > mentioned in #1 for decryption? Usually, you run GnuPG on the same machine you receive email on. If you do that, then there are many mail clients that offer excellent GnuPG integration. (Shameless plug: Mozilla Thunderbird, available from http://mozilla.com, has a GnuPG plug-in called Enigmail, available from http://enigmail.mozdev.org. I have had excellent results with this setup.) > 3). If a security issue arises with the version of GnuPG I'm using, > what happens to my keyring, private key, etc. when I upgrade? That depends on what security issue is discovered. If it's a bug in how the keys are generated or stored, then you may have to generate a new pair. If it's a bug elsewhere in GnuPG, then your keyring, public key, private key, configuration file, etc., will be absolutely unchanged. Bugs of the first sort are very rare. To my recollection there's only been one such bug since GnuPG hit 1.0, and it affected only about 1,000 people. > 4). How secure (generally speaking) is installing GnuPG on a flash > drive and using it for all GnuPG related activity? I'm a college > student and security on the campus network is clearly of paramount > importance. You may want to look into something called Portable Thunderbird, which is a Thunderbird + Enigmail installation meant to be run from a flash drive. Without knowing particulars of your environment it's hard to give you simple answers, but I can tell you that many people use Portable Thunderbird in such environments with strong success. However, I'd strongly recommend keeping anti-virus software on your home PC and checking your flash drive for infection whenever you come back home after using a campus PC. University computers tend to be breeding grounds for all sorts of nasty things. From qed at tiscali.it Sun Aug 20 16:16:48 2006 From: qed at tiscali.it (Qed) Date: Sun Aug 20 16:15:18 2006 Subject: GnuPG neophyte inquiries. In-Reply-To: <20060820053117.42069.qmail@web50803.mail.yahoo.com> References: <20060820053117.42069.qmail@web50803.mail.yahoo.com> Message-ID: <44E86ED0.20408@tiscali.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 On 08/20/2006 07:31 AM, Caitlin wrote: > 1). My roommate and I share a WinXP box. If I install GnuPG 1.4.5 on > it, would this represent a potential security concern? Your keyring would be stored in your personal home dir, if you have installed XP on a NTFS partition(i.e.: permissions are enabled) ad you trust that machine there aren't security risks; to decrease a bit your paranoia level ;-) you could enable windows file encryption(EFS) on you keyring files/directory. > 2). Would I have to copy and paste encrypted messages received via > email to a disk (for example) then transport them to the machine > mentioned in #1 for decryption? Only if that machine doesn't have an internet connection. There are OpenPGP plugins for almost every MUA. > 3). If a security issue arises with the version of GnuPG I'm using, > what happens to my keyring, private key, etc. when I upgrade? I'm > assuming I would have to send my friends/associates a newly generated > public key so we could resume communication? No, since the security issue is not related to the underlying cryptographic algorithms(e.g.: some time ago ElGamal signatures were discovered to be weak, so in newer version of GnuPG the generation of such keys is disabled). > 4). How secure (generally speaking) is installing GnuPG on a flash > drive and using it for all GnuPG related activity? I'm a college > student and security on the campus network is clearly of paramount > importance. The machine you are using to do crypto stuff must be trusted in any case. - -- Q.E.D. War is Peace Freedom is Slavery Ignorance is Strength ICQ UIN: 301825501 OpenPGP key ID: 0x58D14EB3 Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3 Check fingerprints before trusting a key! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQFE6G7QH+Dh0Dl5XacRA+BVAJsEUYPyMy/wPCOojcRXD+RYs+RRQgCeObmQ OFyolos10vXWw/Fy9f2LgVE= =tDeL -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Sun Aug 20 16:18:13 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sun Aug 20 16:16:38 2006 Subject: Don't store your key on a flash drive! [was Re: GnuPG (GPG) Problem] In-Reply-To: <20060820141250.GB1804@ASPIRE> References: <44E61238.3030001@comcast.net> <20060819144607.GB1104@ASPIRE> <44E7503E.5040708@jrock.us> <44E76878.2080606@sixdemonbag.org> <20060820141250.GB1804@ASPIRE> Message-ID: <44E86F25.5050003@sixdemonbag.org> Ismael Valladolid Torres wrote: > A smartcard is very convenient as far as it's a multi application > device, so you can store much other info apart from GnuPG keys, > i.e. Mozilla passwords or such. ... I'm sorry, I'm scratching my head over here trying to figure out how a flash drive doesn't also share these properties. In fact, given the limited space available on a smartcard, the limited application support for them, etc., it seems flash drives are the clear winner in this context. From ivalladolidt at terra.es Sun Aug 20 16:18:15 2006 From: ivalladolidt at terra.es (Ismael Valladolid Torres) Date: Sun Aug 20 16:16:50 2006 Subject: Common gpg.conf to Linux and Windows, was Re: GnuPG (GPG) Problem In-Reply-To: References: <44E61238.3030001@comcast.net> <20060819144607.GB1104@ASPIRE> Message-ID: <20060820141815.GC1804@ASPIRE> Bo Berglund escribe: > So how does one do this on Windows???? I use Cygwin's gnupg so gpg.conf is at ~/.gnupg/gpg.conf just as usual on a UNIX computer. Below my gpg.conf, these are lines used on both Linux and Windows: default-cert-check-level 3 default-recipient-self keyserver pgp.rediris.es keyserver-options auto-key-retrieve include-revoked include-subkeys no-mangle-dos-filenames no-secmem-warning keyring /path/to/pubring.gpg secret-keyring /path/to/secring.gpg default-key 0xDE721AF4 default-recipient-self encrypt-to 0xDE721AF4 And below code needed on Windows to make enigmail work with Cygwin's GnuPG: exec-path /bin:/usr/sbin/gnupg lock-never Sure it can be improved so any suggestions are welcome. Cordially, Ismael -- Dropping science like when Galileo dropped his orange! From johanw at vulcan.xs4all.nl Sun Aug 20 22:08:37 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Sun Aug 20 22:16:19 2006 Subject: Book advice Message-ID: <200608202008.k7KK8bMf017162@vulcan.xs4all.nl> Hello, Not directly related to GnuPG, but does anyone here know the book "Handbook of Applied Cryptography" fromn A.J. Menezes, P.C. van Oorschoot and S.A. Vanstone, printed in 1996? I found it on eDonkey and wanted to know if someone knows if it is advisable. It appears quite mathematical in its approach, much more so than Schneier's "Applied Cryptography". -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From johanw at vulcan.xs4all.nl Sun Aug 20 23:09:46 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Sun Aug 20 23:07:16 2006 Subject: GnuPG neophyte inquiries. In-Reply-To: <44E86ED0.20408@tiscali.it> Message-ID: <200608202109.k7KL9kER016699@vulcan.xs4all.nl> Qed wrote: >No, since the security issue is not related to the underlying >cryptographic algorithms(e.g.: some time ago ElGamal signatures were >discovered to be weak, so in newer version of GnuPG the generation of >such keys is disabled). They were not weak, there was an implementation error in GnuPG. Since it is (according to Werner, I don't know enough of it to judge that statement myself) very hard to implement this correctly it was dropped. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From mfuhr at fuhr.org Mon Aug 21 03:57:28 2006 From: mfuhr at fuhr.org (Michael Fuhr) Date: Mon Aug 21 06:34:02 2006 Subject: Book advice In-Reply-To: <200608202008.k7KK8bMf017162@vulcan.xs4all.nl> References: <200608202008.k7KK8bMf017162@vulcan.xs4all.nl> Message-ID: <20060821015728.GA20461@winnie.fuhr.org> On Sun, Aug 20, 2006 at 10:08:37PM +0200, Johan Wevers wrote: > Not directly related to GnuPG, but does anyone here know the book > "Handbook of Applied Cryptography" fromn A.J. Menezes, P.C. van Oorschoot > and S.A. Vanstone, printed in 1996? I found it on eDonkey and wanted to > know if someone knows if it is advisable. It appears quite mathematical > in its approach, much more so than Schneier's "Applied Cryptography". I have both books, among others. HAC seems to be highly regarded as a reference amongst cryptographers, while AC is more of a popular exposition for non-cryptographers. HAC is more academic in tone; it's dense with definitions, facts, algorithms, and examples, and the chapter endnotes contain a lot of background information. It's also free[1]. AC is more conversational, making it approachable for newcomers. If you've read AC and want more detail then HAC might have what you're looking for. Both books are about a decade old so you'll find nothing about AES and only brief mention of elliptic curves. Newer books worth considering are _Practical Cryptography_ by Ferguson and Schneier, with less coverage than AC but with more emphasis on using cryptography to build a secure system; and _Modern Cryptography_ by Mao, with more math and rigor. The latter book has production flaws like numerous typos and a poor binding (at least on my copy) but I liked the author's emphasis on showing why "textbook crypto" is insufficient for building secure systems -- something obvious to cryptographers but less so to the naive. Rescorla's _SSL and TLS_ is good, being a detailed description of how a real, widely-used protocol works. Another interesting book is _Decrypted Secrets_ by Bauer, especially if you're interested in rotor machines and cryptanalysis of classical ciphers. Here are a few links with book recommendations: http://www.youdzone.com/cryptobooks.html http://en.wikipedia.org/wiki/Books_on_cryptography http://www.schlafly.net/crypto/faq.htm [1] http://www.cacr.math.uwaterloo.ca/hac/ -- Michael Fuhr From The_Polymorph at rocketmail.com Mon Aug 21 07:26:21 2006 From: The_Polymorph at rocketmail.com (Caitlin) Date: Mon Aug 21 07:25:12 2006 Subject: Thanks all. Re: GnuPG neophyte inquiries. Message-ID: <20060821052621.86738.qmail@web50803.mail.yahoo.com> Hi. Thanks for all of the responses. I'll be purchasing: 'PGP & GPG Email for the Practical Paranoid' By NoStarch Press ($24.95) next week. Thanks, ~Caitlin __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From wk at gnupg.org Mon Aug 21 10:32:57 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Aug 21 10:36:46 2006 Subject: Multi-user gpg-agent question In-Reply-To: <1156051318.5344.17.camel@sdhoc> (Dylan Vaughn's message of "Sat, 19 Aug 2006 22:21:58 -0700") References: <1156051318.5344.17.camel@sdhoc> Message-ID: <87zmdy5w06.fsf@wheatstone.g10code.de> On Sun, 20 Aug 2006 07:21, Dylan Vaughn said: > The issue is that after I start gpg-agent for one user, it does not work > for any other user on my machine. For example, after I do an initial Well, you need to start it for each user. > subsequent decrypt calls, then when I switch to a different user on my > machine and try to do the same thing gpg-agent doesn't prompt me for my > passphrase on the initial attempt and instead gives me this message: > > dylan2@sunbeam:~/test$ eval "$(gpg-agent --daemon)" > dylan2@sunbeam:~/test$ gpg -o clear.txt -d test.txt.asc The invocation og gpg-agent may have failed. You better run gpg-agent this way for testing: gpg-agent --daemon it should emit the the following lines: GPG_AGENT_INFO=/tmp/gpg-3JMzhv/S.gpg-agent:32230:1; export GPG_AGENT_INFO; SSH_AUTH_SOCK=/tmp/gpg-gA6FYU/S.gpg-agent.ssh; export SSH_AUTH_SOCK; SSH_AGENT_PID=32230; export SSH_AGENT_PID; The SSH lines are because I have enable-ssh-support in my gpg-agent.conf. That is what the eval evaluates. Now cut+paste the GPG_AGENT_INFO line into the shell to manually do the eval. Then you can test whether it works: $ gpg-connect-agent enter for example GET_CONFIRMATION foo and the pinentry will appear to ask you about foo. Click on OK and you will seethe OK :-). Ctrl-D terminates gpg-connect-agent. You may run it with the option --verbose to see sonme diagnostics. The best way to debug it is by invoking gpg in a different way: $ gpg-agent --daemon --debug 1024 /bin/sh gpg-agent[32264]: reading options from `/home/test/.gnupg/gpg-agent.conf' gpg-agent[32264]: listening on socket `/tmp/gpg-g4KTHx/S.gpg-agent' gpg-agent[32264]: listening on socket `/tmp/gpg-MxP8eV/S.gpg-agent.ssh' This runs a shell under the control of the gpg-agent and also sets up the environment variables. How you may use gpg --use-agent at this shell but we want to try it manually: sh-3.00$ gpg-connect-agent gpg-agent[32265]: handler 0x808cae0 for fd 0 started gpg-agent[32265.0x808cde8] DBG: -> OK Pleased to meet you gpg-agent[32265.0x808cde8] DBG: <- RESET gpg-agent[32265.0x808cde8] DBG: -> OK gpg-agent[32265.0x808cde8] DBG: <- OPTION display=localhost:11.0 gpg-agent[32265.0x808cde8] DBG: -> OK gpg-agent[32265.0x808cde8] DBG: <- OPTION ttyname=/dev/pts/2 gpg-agent[32265.0x808cde8] DBG: -> OK gpg-agent[32265.0x808cde8] DBG: <- OPTION ttytype=xterm gpg-agent[32265.0x808cde8] DBG: -> OK gpg-agent[32265.0x808cde8] DBG: <- OPTION lc-ctype=en_US gpg-agent[32265.0x808cde8] DBG: -> OK gpg-agent[32265.0x808cde8] DBG: <- OPTION lc-messages=C gpg-agent[32265.0x808cde8] DBG: -> OK Here we have connected succesfully to the agent and the inital handshake has been done. "debug 1024" let you see all this. Now we enter: GET_CONFIRMATION bar and gpg-agent does its magic: gpg-agent[32265.0x808cde8] DBG: <- GET_CONFIRMATION bar gpg-agent[32265]: starting a new PIN Entry gpg-agent[32265]: DBG: connection to PIN entry established gpg-agent[32265]: command get_confirmation failed: Not confirmed gpg-agent[32265.0x808cde8] DBG: -> ERR 67108978 Not confirmed Well I clicked on cancel and gpg-agent returned ERR 67108978 Not confirmed the status code for cancel gpg-agent[32265.0x808cde8] DBG: <- [EOF] gpg-agent[32265]: handler 0x808cae0 for fd 0 terminated gpg-connect-agent has disconnected from the agent. and we want to terminate the agent too: sh-3.00$ exit exit $ gpg-agent[32265]: parent process died - shutting down gpg-agent[32265]: gpg-agent (GnuPG) 1.9.23-svn4218 stopped gpg-agent[32265]: secmem usage: 0/16384 bytes in 0 blocks System is clean again and ready for another test ;-) I hope this helps to understand how the agaent works. The actual command gpg uses to get the passphrase is: GET_PASSPHRASE X X X X (enter the X verbatim). You should also read the manual where the installation of the gpg-agent ins described. The manual is in info format, thus enter "info gnupg". The next version will also come with man pages automatically created from the Texinfo source. Shalom-Salam, Werner From qed at tiscali.it Mon Aug 21 10:42:12 2006 From: qed at tiscali.it (Qed) Date: Mon Aug 21 10:40:46 2006 Subject: Book advice In-Reply-To: <200608202008.k7KK8bMf017162@vulcan.xs4all.nl> References: <200608202008.k7KK8bMf017162@vulcan.xs4all.nl> Message-ID: <44E971E4.4030501@tiscali.it> On 08/20/2006 10:08 PM, Johan Wevers wrote: > Not directly related to GnuPG, but does anyone here know the book > "Handbook of Applied Cryptography" fromn A.J. Menezes, P.C. van Oorschoot > and S.A. Vanstone, printed in 1996? I found it on eDonkey and wanted to > know if someone knows if it is advisable. It appears quite mathematical > in its approach, much more so than Schneier's "Applied Cryptography". At http://www.cacr.math.uwaterloo.ca/hac/ you can find the last e-version of this nice book directly from its authors. -- Q.E.D. War is Peace Freedom is Slavery Ignorance is Strength ICQ UIN: 301825501 OpenPGP key ID: 0x58D14EB3 Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3 Check fingerprints before trusting a key! From wk at gnupg.org Mon Aug 21 10:38:35 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Aug 21 10:41:34 2006 Subject: What does key properties validity and trust 'None' mean??? In-Reply-To: <853ge29n16rkpihk4askau9jlk22u685qs@4ax.com> (Bo Berglund's message of "Sun, 20 Aug 2006 09:28:30 +0200") References: <2bbde2t19ld56133kmhaqja36corrdkq7o@4ax.com> <44E767A6.60707@comcast.net> <853ge29n16rkpihk4askau9jlk22u685qs@4ax.com> Message-ID: <87veom5vqs.fsf@wheatstone.g10code.de> Hi! FWIW, there is a little script in the gpg-distribution: # lspgpot - script to extract the ownertrust values # from PGP keyrings and list them in GnuPG ownertrust format. I have not used it for a long time, but it might be helpful. Run it with PGP's pubring as argument. Salam-Shalom, Werner -------------- next part -------------- #!/bin/sh # lspgpot - script to extract the ownertrust values # from PGP keyrings and list them in GnuPG ownertrust format. # # This file is free software; as a special exception the author gives # unlimited permission to copy and/or distribute it, with or without # modifications, as long as this notice is preserved. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY, to the extent permitted by law; without even the # implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. if ! gpg --version > /dev/null 2>&1 ; then echo "GnuPG not available!" exit 1 fi gpg --dry-run --with-fingerprint --with-colons $* | awk ' BEGIN { FS=":" printf "# Ownertrust listing generated by lspgpot\n" printf "# This can be imported using the command:\n" printf "# gpg --import-ownertrust\n\n" } $1 == "fpr" { fpr = $10 } $1 == "rtv" && $2 == 1 && $3 == 2 { printf "%s:3:\n", fpr; next } $1 == "rtv" && $2 == 1 && $3 == 5 { printf "%s:4:\n", fpr; next } $1 == "rtv" && $2 == 1 && $3 == 6 { printf "%s:5:\n", fpr; next } ' From alex at bofh.net.pl Mon Aug 21 12:17:41 2006 From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Mon Aug 21 12:16:20 2006 Subject: Multiple recipients In-Reply-To: <44E61E87.5090805@nixthis.com> References: <44E61308.2040404@nixthis.com> <44E614E7.4050204@sixdemonbag.org> <44E61661.3060209@nixthis.com> <20060818195619.GC2625@jabberwocky.com> <44E61E87.5090805@nixthis.com> Message-ID: <20060821101741.GE21667@hell.pl> On Fri, Aug 18, 2006 at 03:09:43PM -0500, Brian Rosenvinge wrote: > We have decided to decrypt using a "special" user and re-encrypt the > file to multiple users. Our concern is that unless we want to do this > manually it has to be scripted and that will require the "special" > user's passphrase to live in the script or on a server in plaintext. No > one in IS wants to add this to their daily responsibilities and we > really should not have access to the data anyway as it is meant for our > finance department. > put the special key on a smartcard with no passphrase, only the physical avaliability of the sc will descrypt the data, and the key will be unstealable electronically a From alex at bofh.net.pl Mon Aug 21 12:30:47 2006 From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Mon Aug 21 12:29:15 2006 Subject: Don't store your key on a flash drive! [was Re: GnuPG (GPG) Problem] In-Reply-To: <44E86F25.5050003@sixdemonbag.org> References: <44E61238.3030001@comcast.net> <20060819144607.GB1104@ASPIRE> <44E7503E.5040708@jrock.us> <44E76878.2080606@sixdemonbag.org> <20060820141250.GB1804@ASPIRE> <44E86F25.5050003@sixdemonbag.org> Message-ID: <20060821103047.GF21667@hell.pl> On Sun, Aug 20, 2006 at 09:18:13AM -0500, Robert J. Hansen wrote: > Ismael Valladolid Torres wrote: > > A smartcard is very convenient as far as it's a multi application > > device, so you can store much other info apart from GnuPG keys, > > i.e. Mozilla passwords or such. > > ... I'm sorry, I'm scratching my head over here trying to figure out how > a flash drive doesn't also share these properties. In fact, given the > limited space available on a smartcard, the limited application support > for them, etc., it seems flash drives are the clear winner in this context. You can't read a private key from the smartcard, but you can read it from the flashdrive. SC is a crypto processor + storage, flashdrive only storage. From rjh at sixdemonbag.org Mon Aug 21 12:54:25 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon Aug 21 12:53:21 2006 Subject: Don't store your key on a flash drive! [was Re: GnuPG (GPG) Problem] In-Reply-To: <20060821103047.GF21667@hell.pl> References: <44E61238.3030001@comcast.net> <20060819144607.GB1104@ASPIRE> <44E7503E.5040708@jrock.us> <44E76878.2080606@sixdemonbag.org> <20060820141250.GB1804@ASPIRE> <44E86F25.5050003@sixdemonbag.org> <20060821103047.GF21667@hell.pl> Message-ID: <44E990E1.40503@sixdemonbag.org> Janusz A. Urbanowicz wrote: > You can't read a private key from the smartcard, but you can read it > from the flashdrive. SC is a crypto processor + storage, flashdrive > only storage. All of which is true. However, the bit to which I was replying was: "A smartcard is very convenient as far as it's a multi application device, so you can store much other info apart from GnuPG keys, i.e. Mozilla passwords or such." ... And I'm still trying to figure out how that's different from a flash drive. Maybe there is a difference and I'm not seeing it. Or maybe there isn't one. From henkdebruijn at wanadoo.nl Mon Aug 21 12:50:05 2006 From: henkdebruijn at wanadoo.nl (Henk M. de Bruijn) Date: Mon Aug 21 13:35:19 2006 Subject: GnuPG (GPG) Problem In-Reply-To: References: <44E61238.3030001@comcast.net> <20060819144607.GB1104@ASPIRE> Message-ID: <13510146929.20060821125005@wanadoo.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Sun, 20 Aug 2006 09:40:45 +0200GMT (20-8-2006, 9:40 +0200, where I live), Bo Berglund wrote: ... > I wonder about the gpg.conf file: > Is it used at all in Windows? > I looked at my own one at "C:\Documents and > Settings\\Application Data\gnupg" and found only commented > out lines there. The word keyring appeared only twice and this was in > descriptive text, not in a setting. > So how does one do this on Windows???? Mine is in my gnupg home directory c:\program files\gnupg and works like a charm. - -- Henk M. de Bruijn ______________________________________________________________________ The Bat! Natural E-Mail System version 3.81.15 Beta Pro on Windows XP SP2 Request-PGP: http://www.biglumber.com/x/web?qs=0x6C9F6CE78C32408B Gossamer Spider Web of Trust http://www.gswot.org A progressive and innovative Web of Trust -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6-svn4225HdB (Msys/MingW32) iQEVAwUBROmP0BHuy+60ZN0PAQpN0Qf9GQNU6l6RXueBN9sb/3gvon1t4Jp2HqV/ fnmri1bijnahKTMF+3BjwrMS/qW1rANeQal6ansZKtOH9Msw4vqbcg2xUV6j5ELd Rr6OWVHXhZI3fF44SIPBBlL0OfdNnJzDJJTAUvRMbSd3GK6fv3FuB18qSvYDP9bZ 0wJqn2yriL/UqYlbAXguY9XXHLI54Bn9C07ktbGFuzj/BqSVJ869zHx1vOFu5xHU /WZd+35UXIhcqz0fHjGVhL2s7t7SRDwfBEnLrONpsumNHPqNO0qo+8T2mQRGpfiw oDCjZEiKILTTOOMCrJiud6FLCnnxYMrIIEv00kHBkk0K/JRGTrbGqg== =MmfH -----END PGP SIGNATURE----- From alphasigmax at gmail.com Mon Aug 21 14:27:06 2006 From: alphasigmax at gmail.com (Alphax) Date: Mon Aug 21 14:28:29 2006 Subject: Don't store your key on a flash drive! [was Re: GnuPG (GPG) Problem] In-Reply-To: <44E990E1.40503@sixdemonbag.org> References: <44E61238.3030001@comcast.net> <20060819144607.GB1104@ASPIRE> <44E7503E.5040708@jrock.us> <44E76878.2080606@sixdemonbag.org> <20060820141250.GB1804@ASPIRE> <44E86F25.5050003@sixdemonbag.org> <20060821103047.GF21667@hell.pl> <44E990E1.40503@sixdemonbag.org> Message-ID: <44E9A69A.1090304@gmail.com> Robert J. Hansen wrote: > Janusz A. Urbanowicz wrote: >> You can't read a private key from the smartcard, but you can read it >> from the flashdrive. SC is a crypto processor + storage, flashdrive >> only storage. > > All of which is true. However, the bit to which I was replying was: > > "A smartcard is very convenient as far as it's a multi application > device, so you can store much other info apart from GnuPG keys, i.e. > Mozilla passwords or such." > > ... And I'm still trying to figure out how that's different from a flash > drive. Maybe there is a difference and I'm not seeing it. Or maybe > there isn't one. > I don't use a flash drive or a smartcard, for the following reasons: - Flash drives are too prone to failures at bizzare moments - Smartcards are largely experimental and don't have the instant usability of a USB stick (/me mutters something about "The right tool for the right job"...) -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 569 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060821/7b54c007/signature.pgp From rjh at sixdemonbag.org Mon Aug 21 14:54:41 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon Aug 21 14:53:15 2006 Subject: Don't store your key on a flash drive! [was Re: GnuPG (GPG) Problem] In-Reply-To: <44E9A69A.1090304@gmail.com> References: <44E61238.3030001@comcast.net> <20060819144607.GB1104@ASPIRE> <44E7503E.5040708@jrock.us> <44E76878.2080606@sixdemonbag.org> <20060820141250.GB1804@ASPIRE> <44E86F25.5050003@sixdemonbag.org> <20060821103047.GF21667@hell.pl> <44E990E1.40503@sixdemonbag.org> <44E9A69A.1090304@gmail.com> Message-ID: <44E9AD11.5010305@sixdemonbag.org> Alphax wrote > - Flash drives are too prone to failures at bizzare moments > - Smartcards are largely experimental and don't have the instant > usability of a USB stick A few years ago Rainbow Technologies came out with a device they called the iKey. Smartcard with a USB connector, about the same form factor as a car key. Lovely hardware, but programming for it is a bear. From rjh at sixdemonbag.org Mon Aug 21 14:59:50 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon Aug 21 14:58:19 2006 Subject: Don't store your key on a flash drive! [was Re: GnuPG (GPG) Problem] In-Reply-To: <44E9A69A.1090304@gmail.com> References: <44E61238.3030001@comcast.net> <20060819144607.GB1104@ASPIRE> <44E7503E.5040708@jrock.us> <44E76878.2080606@sixdemonbag.org> <20060820141250.GB1804@ASPIRE> <44E86F25.5050003@sixdemonbag.org> <20060821103047.GF21667@hell.pl> <44E990E1.40503@sixdemonbag.org> <44E9A69A.1090304@gmail.com> Message-ID: <44E9AE46.8000208@sixdemonbag.org> Alphax wrote: > I don't use a flash drive or a smartcard, for the following reasons: ... and in a follow-up to my own follow-up, apparently Rainbow got bought out by SafeNet. The iKey is still available and the specs haven't changed from the last I used them some years ago. They're handy little devices. Any possibility of supporting this from GnuPG? If so, it might be a good compromise between smartcard and flash-based solutions. Of course, it still only supports RSA/1024. Sigh. From wk at gnupg.org Mon Aug 21 15:19:36 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Aug 21 15:21:46 2006 Subject: Don't store your key on a flash drive! In-Reply-To: <44E9A69A.1090304@gmail.com> (alphasigmax@gmail.com's message of "Mon, 21 Aug 2006 21:57:06 +0930") References: <44E61238.3030001@comcast.net> <20060819144607.GB1104@ASPIRE> <44E7503E.5040708@jrock.us> <44E76878.2080606@sixdemonbag.org> <20060820141250.GB1804@ASPIRE> <44E86F25.5050003@sixdemonbag.org> <20060821103047.GF21667@hell.pl> <44E990E1.40503@sixdemonbag.org> <44E9A69A.1090304@gmail.com> Message-ID: <87d5au445z.fsf@wheatstone.g10code.de> On Mon, 21 Aug 2006 14:27, Alphax said: > - Smartcards are largely experimental and don't have the instant > usability of a USB stick About 800 million users of cell phones probably don't share your opinion that GSM cards are only experimental. Shalom-Salam, Werner From qed at tiscali.it Mon Aug 21 15:39:14 2006 From: qed at tiscali.it (Qed) Date: Mon Aug 21 15:37:39 2006 Subject: GnuPG neophyte inquiries. In-Reply-To: References: <20060820053117.42069.qmail@web50803.mail.yahoo.com> <44E86ED0.20408@tiscali.it> Message-ID: <44E9B782.2040104@tiscali.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 On 08/21/2006 02:59 PM, Mark H. Wood wrote: >>> 1). My roommate and I share a WinXP box. If I install GnuPG 1.4.5 on >>> it, would this represent a potential security concern? >> Your keyring would be stored in your personal home dir, if you have >> installed XP on a NTFS partition(i.e.: permissions are enabled) > > Assuming they spent the extra $100 for XP Professional rather than the > XP Toy^wHome edition that comes with most PCs (which has only the > protection-free VFAT). I had forgotten that distinction, I use Un*x. But I believe even the home version has NTFS support, not per-user/group permissions(maybe there was a tweak to enable them) nor EFS. - -- Q.E.D. War is Peace Freedom is Slavery Ignorance is Strength ICQ UIN: 301825501 OpenPGP key ID: 0x58D14EB3 Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3 Check fingerprints before trusting a key! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQFE6beCH+Dh0Dl5XacRAxjoAJ9zQ4Zsxh32UOI0vARDT/P5TjkI1ACeNEhk FehMNsIRMt0ACKuFw9Zjl7w= =uiJ8 -----END PGP SIGNATURE----- From mwood at IUPUI.Edu Mon Aug 21 14:59:08 2006 From: mwood at IUPUI.Edu (Mark H. Wood) Date: Mon Aug 21 16:32:51 2006 Subject: GnuPG neophyte inquiries. In-Reply-To: <44E86ED0.20408@tiscali.it> References: <20060820053117.42069.qmail@web50803.mail.yahoo.com> <44E86ED0.20408@tiscali.it> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sun, 20 Aug 2006, Qed wrote: > -----pgpenvelope processed message > > On 08/20/2006 07:31 AM, Caitlin wrote: >> 1). My roommate and I share a WinXP box. If I install GnuPG 1.4.5 on >> it, would this represent a potential security concern? > Your keyring would be stored in your personal home dir, if you have > installed XP on a NTFS partition(i.e.: permissions are enabled) Assuming they spent the extra $100 for XP Professional rather than the XP Toy^wHome edition that comes with most PCs (which has only the protection-free VFAT). - -- Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu Typically when a software vendor says that a product is "intuitive" he means the exact opposite. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/ iD8DBQFE6a4is/NR4JuTKG8RAq26AJ9PMiuL3EgjTbodD+IHKvqXLWoCRgCfeMWi 6oFQdu5mdMQ7gWWzphuc6Fg= =Ypql -----END PGP SIGNATURE----- From vedaal at hush.com Mon Aug 21 20:11:16 2006 From: vedaal at hush.com (vedaal@hush.com) Date: Mon Aug 21 20:09:57 2006 Subject: Don't store your key on a flash drive! Message-ID: <20060821181117.37708DA827@mailserver7.hushmail.com> >Date: Sat, 19 Aug 2006 21:17:58 -0400 >From: David Shaw >Subject: Re: Don't store your key on a flash drive! [was Re: GnuPG > (GPG) Problem] [...] >> there's nothing inherently dumb about putting a private key on a >USB >> dongle as long as the passphrase is sufficiently strong. > >This is quite correct and frequently misunderstood. After all, >the >secret key encryption is essentially the same symmetric encryption >that is used to encrypt messages. If you're trusting it to >protect >your messages, you probably should trust it to protect your key as >well. if the secret key was generated before the fix of the * quick-check * problem of PGP symmetric encryption, http://eprint.iacr.org/2005/033 then does the passphrase need to be changed with a newer version of gnupg, or did this only apply to symmetric encryption of messages, and not symmetric encryption of the secret key? TIA, vedaal Concerned about your privacy? Instantly send FREE secure email, no account required http://www.hushmail.com/send?l=480 Get the best prices on SSL certificates from Hushmail https://www.hushssl.com?l=485 From wk at gnupg.org Mon Aug 21 21:47:21 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Aug 21 21:51:42 2006 Subject: Don't store your key on a flash drive! In-Reply-To: <20060821181117.37708DA827@mailserver7.hushmail.com> (vedaal@hush.com's message of "Mon, 21 Aug 2006 14:11:16 -0400") References: <20060821181117.37708DA827@mailserver7.hushmail.com> Message-ID: <87fyfp3m7q.fsf@wheatstone.g10code.de> On Mon, 21 Aug 2006 20:11, vedaal@hush.com said: > if the secret key was generated before the fix of the > * quick-check * problem of PGP symmetric encryption, > http://eprint.iacr.org/2005/033 It has always beed solid practise to avoid oracles thus this problem is not very real. Shalom-Salam, Werner From bo.berglund at telia.com Tue Aug 22 07:13:16 2006 From: bo.berglund at telia.com (Bo Berglund) Date: Tue Aug 22 07:12:07 2006 Subject: What does key properties validity and trust 'None' mean??? References: <2bbde2t19ld56133kmhaqja36corrdkq7o@4ax.com> <44E767A6.60707@comcast.net> <853ge29n16rkpihk4askau9jlk22u685qs@4ax.com> <87veom5vqs.fsf@wheatstone.g10code.de> Message-ID: On Mon, 21 Aug 2006 10:38:35 +0200, Werner Koch wrote: >Hi! > >FWIW, there is a little script in the gpg-distribution: > ># lspgpot - script to extract the ownertrust values ># from PGP keyrings and list them in GnuPG ownertrust format. > >I have not used it for a long time, but it might be helpful. Run it >with PGP's pubring as argument. > Probably good on Linux systems but I can't find anything in my GnuPG installation on WindowsXP-Pro. And I doubt scripts will run on Windows... (I installed using gpg4win-1.0.4) Bo Berglund From bo.berglund at telia.com Tue Aug 22 07:21:22 2006 From: bo.berglund at telia.com (Bo Berglund) Date: Tue Aug 22 07:20:07 2006 Subject: GnuPG (GPG) Problem References: <44E61238.3030001@comcast.net> <20060819144607.GB1104@ASPIRE> <13510146929.20060821125005__12139.0621447519$1156165375$gmane$org@wanadoo.nl> Message-ID: <1q4le2p259r1ef78r3oo6ufu6erd3rngk6@4ax.com> On Mon, 21 Aug 2006 12:50:05 +0200, "Henk M. de Bruijn" wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA512 > >On Sun, 20 Aug 2006 09:40:45 +0200GMT (20-8-2006, 9:40 +0200, where I >live), Bo Berglund wrote: > >... > >> I wonder about the gpg.conf file: >> Is it used at all in Windows? >> I looked at my own one at "C:\Documents and >> Settings\\Application Data\gnupg" and found only commented >> out lines there. The word keyring appeared only twice and this was in >> descriptive text, not in a setting. > >> So how does one do this on Windows???? > >Mine is in my gnupg home directory c:\program files\gnupg and works like a >charm. As I said, on my installation there is nothing in the isntall dir for GnuPG only in my home (which on Windows translates to C:\Documents and Settings\) it is located in a subdir \Application Data\gnupg and mine is completely empty of any active lines. Seems like it is not in use at all (because if it were every line should not be commented out). Maybe the Windows version stores all of this in the Registry? This forum tends to treat everything from a Linux perspective, which is fine except for us who use Windows where Linux tricks seem not to work... I was just hooking on to this discussion in order to find out how one can control *where* GnuPG will look for the keyrings.... the conf file apparently is not the answer. Bo Berglund From oskar at rbgi.net Tue Aug 22 06:41:17 2006 From: oskar at rbgi.net (Oskar L.) Date: Tue Aug 22 07:58:24 2006 Subject: Structure of pubring.gpg Message-ID: <2174.62.142.192.136.1156221677.squirrel@mail.rbgi.net> Why are the keys in pubring.gpg in the order in witch they were imported? Is this not considered a security risk? Would it not be safer and more convenient to have the keys sorted by user ID or key ID? I deleted all files in my .gnupg directory, and then imported a public key. Then I exported the key in binary form and compared the file with pubring.gpg in a hex editor. The beginning of both files were identical, but from the middle and onward they differed. How and why are keys changed when imported? Oskar From wk at gnupg.org Tue Aug 22 12:36:14 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Aug 22 12:41:42 2006 Subject: Structure of pubring.gpg In-Reply-To: <2174.62.142.192.136.1156221677.squirrel@mail.rbgi.net> (Oskar L.'s message of "Tue, 22 Aug 2006 07:41:17 +0300 (EEST)") References: <2174.62.142.192.136.1156221677.squirrel@mail.rbgi.net> Message-ID: <87veol12ht.fsf@wheatstone.g10code.de> On Tue, 22 Aug 2006 06:41, Oskar L. said: > Why are the keys in pubring.gpg in the order in witch they were imported? pubring.gpg is an internal data structure of gpg and only to be used by gpg. If you want to export import stuff, you need to use the gpg commands --import or --export. > pubring.gpg in a hex editor. The beginning of both files were identical, > but from the middle and onward they differed. How and why are keys changed Check keyring.c to understand why it as been implemented this way. Shalom-Salam, Werner From wk at gnupg.org Tue Aug 22 12:47:05 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Aug 22 12:51:37 2006 Subject: GnuPG (GPG) Problem In-Reply-To: <1q4le2p259r1ef78r3oo6ufu6erd3rngk6@4ax.com> (Bo Berglund's message of "Tue, 22 Aug 2006 07:21:22 +0200") References: <44E61238.3030001@comcast.net> <20060819144607.GB1104@ASPIRE> <13510146929.20060821125005__12139.0621447519$1156165375$gmane$org@wanadoo.nl> <1q4le2p259r1ef78r3oo6ufu6erd3rngk6@4ax.com> Message-ID: <87r6z911zq.fsf@wheatstone.g10code.de> On Tue, 22 Aug 2006 07:21, Bo Berglund said: > Settings\) it is located in a subdir \Application Data\gnupg > and mine is completely empty of any active lines. Seems like it is not That is just fine. > in use at all (because if it were every line should not be commented > out). Maybe the Windows version stores all of this in the Registry? No. > I was just hooking on to this discussion in order to find out how one > can control *where* GnuPG will look for the keyrings.... > the conf file apparently is not the answer. This is all controlled by the option: --homedir @var{dir} Set the name of the home directory to @var{dir}. If his option is not used, the home directory defaults to @file{~/.gnupg}. It is only recognized when given on the command line. It also overrides any home directory stated through the environment variable @env{GNUPGHOME} or (on W32 systems) by means on the Registry entry HKCU\Software\GNU\GnuPG:HomeDir. ~/.gnupg translates to something like "USER/Application Data/gnupg" - but it depends on the Windows version and the localization. Down inside gpg the Windows constant CSIDL_APPDATA is used to locate that directory. The default location for keyrings as well as for the configuration file is then in the homedir. You may use the options --keyring, --secret-keyring and --no-default-keyring to change the location of these files. Almost everyone is fine with the defaults. Salam-Shalom, Werner From ashok.musuvathy at gs.com Tue Aug 22 13:04:27 2006 From: ashok.musuvathy at gs.com (Musuvathy, Ashok) Date: Tue Aug 22 14:25:49 2006 Subject: GnuPG (GPG) Problem In-Reply-To: <87r6z911zq.fsf@wheatstone.g10code.de> Message-ID: <92DF157A152AFE499293DCDBCF81A10D028F1829@gsmblnp01es.firmwide.corp.gs.com> If I use the options --keyring and --secret-keyring to point gpg to the ring files, How does it affect the usage of random_seed and trustdb.gpg files ? Would it still work OK if there is no access to ~/.gnupg directory ? Ashok -----Original Message----- From: gnupg-users-bounces@gnupg.org [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of Werner Koch Sent: Tuesday, August 22, 2006 11:47 AM To: bo.berglund@agiusa.com Cc: gnupg-users@gnupg.org Subject: Re: GnuPG (GPG) Problem On Tue, 22 Aug 2006 07:21, Bo Berglund said: > Settings\) it is located in a subdir \Application Data\gnupg > and mine is completely empty of any active lines. Seems like it is not That is just fine. > in use at all (because if it were every line should not be commented > out). Maybe the Windows version stores all of this in the Registry? No. > I was just hooking on to this discussion in order to find out how one > can control *where* GnuPG will look for the keyrings.... > the conf file apparently is not the answer. This is all controlled by the option: --homedir @var{dir} Set the name of the home directory to @var{dir}. If his option is not used, the home directory defaults to @file{~/.gnupg}. It is only recognized when given on the command line. It also overrides any home directory stated through the environment variable @env{GNUPGHOME} or (on W32 systems) by means on the Registry entry HKCU\Software\GNU\GnuPG:HomeDir. ~/.gnupg translates to something like "USER/Application Data/gnupg" - but it depends on the Windows version and the localization. Down inside gpg the Windows constant CSIDL_APPDATA is used to locate that directory. The default location for keyrings as well as for the configuration file is then in the homedir. You may use the options --keyring, --secret-keyring and --no-default-keyring to change the location of these files. Almost everyone is fine with the defaults. Salam-Shalom, Werner _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From jon at jrock.us Tue Aug 22 22:34:15 2006 From: jon at jrock.us (Jonathan Rockway) Date: Tue Aug 22 22:32:50 2006 Subject: Don't store your key on a flash drive! [was Re: GnuPG (GPG) Problem] In-Reply-To: <20060820141024.GA1804@ASPIRE> References: <44E61238.3030001@comcast.net> <20060819144607.GB1104@ASPIRE> <44E7503E.5040708@jrock.us> <20060820141024.GA1804@ASPIRE> Message-ID: <44EB6A47.5030307@jrock.us> > I am a smartcard programmer. Sure an OpenPGP card is just a standard > smartcard with special elementary files in its filesystem. Could I > make my own OpenPGP card from a common smartcard given I know its > administrative codes? Yup, that's what the "Open" in "OpenPGP Smartcard" means :) I'm not a smartcard programmer, so I bought one instead. If you'd like to make OpenPGP smartcards and sell them, that would be great! Regards, Jonathan Rockway From beffcon at gmail.com Wed Aug 23 06:22:05 2006 From: beffcon at gmail.com (Beff Con) Date: Wed Aug 23 07:59:29 2006 Subject: why cissp says this about PGP/GnuPG? Message-ID: Hi, list! I'm reading a book named "ALL-in-One CISSP Certification Exam Guide" by Shon Harris, 3ed. And in "Chapter 8 Cryptography", I came across a paragraph like this: "How strong of a protection mechanism is required depends on the sensitivity of the data being protected. It is not necessary to encrypt information about a friend's Saturday barbeque with a top-secret encryption algorithm; conversely, it is not a good idea to send intercepted spy information using PGP. Each type of encryption mechanism has its place and purpose." I wonder why PGP is not good enough to encrypt spy information? thanks in advance! Beff From rjh at sixdemonbag.org Wed Aug 23 08:18:40 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed Aug 23 08:17:20 2006 Subject: why cissp says this about PGP/GnuPG? In-Reply-To: References: Message-ID: <44EBF340.5030507@sixdemonbag.org> Beff Con wrote: > I'm reading a book named "ALL-in-One CISSP Certification Exam > Guide" by Shon Harris, 3ed. And in "Chapter 8 Cryptography", I came > across a paragraph like this: Be warned that the CISSP certification is not universally loved. Many people feel that it is of dubious quality. > top-secret encryption algorithm; conversely, it is not a good idea to > send intercepted spy information using PGP. Each type of encryption > mechanism has its place and purpose." > > I wonder why PGP is not good enough to encrypt spy information? Excellent question, given that AES has been certified for use with TS material, and the recent SHAs are on the fast track for similar approval. I think this reflects more the prejudices of the book author and/or the CISSP exam than it does actual reality. From chd at chud.net Wed Aug 23 18:54:00 2006 From: chd at chud.net (Chris De Young) Date: Wed Aug 23 20:58:15 2006 Subject: why cissp says this about PGP/GnuPG? In-Reply-To: References: Message-ID: <20060823165400.GA25819@dionysus.chud.net> > "How strong of a protection mechanism is required depends on the > sensitivity of the data being protected. It is not necessary to > encrypt information about a friend's Saturday barbeque with a > top-secret encryption algorithm; I'd even disagree with this -- while it's not necessary, I'd say it is actually desirable. Today, it's not necessarily a bad assumption that an encrypted message is interesting; I suspect that although there are exceptions, by and large people only bother to encrypt "interesting" things. If it becomes routine to also encrypt "let's go get coffee" messages, the simple fact that something is encrypted no longer makes it automatically worthy of scrutiny. -C -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20060823/43b74eac/attachment.pgp From pg at futureware.at Wed Aug 23 12:52:59 2006 From: pg at futureware.at (Philipp =?utf-8?q?G=C3=BChring?=) Date: Thu Aug 24 15:20:02 2006 Subject: why cissp says this about PGP/GnuPG? In-Reply-To: <44EBF340.5030507@sixdemonbag.org> References: <44EBF340.5030507@sixdemonbag.org> Message-ID: <200608231253.00382.pg@futureware.at> Hi, > Be warned that the CISSP certification is not universally loved. Many > people feel that it is of dubious quality. Are there any facts or reasons against CISSP? Are there any alternatives? > > top-secret encryption algorithm; conversely, it is not a good idea to > > send intercepted spy information using PGP. Each type of encryption > > mechanism has its place and purpose." > > > > I wonder why PGP is not good enough to encrypt spy information? > Excellent question, given that AES has been certified for use with TS > material, and the recent SHAs are on the fast track for similar > approval. I think this reflects more the prejudices of the book author > and/or the CISSP exam than it does actual reality. My personal opinion is that PGP was designed to protect normal confidential data, not to protect spy information. Spy communication has more demand for steganography (making sure that you don?t even notice the transmission and not just that you can?t read it), and less demand for "public" key systems ;-) Perhaps it is also means that you should not use PGP, but GnuPG instead, because of the --hidden-recipient function in GnuPG (which is missing in PGP, if I am not mistaken), which is also an essential feature for spies. Best regards, Philipp G?hring From rjh at sixdemonbag.org Thu Aug 24 16:50:46 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu Aug 24 16:49:29 2006 Subject: why cissp says this about PGP/GnuPG? In-Reply-To: <200608231253.00382.pg@futureware.at> References: <44EBF340.5030507@sixdemonbag.org> <200608231253.00382.pg@futureware.at> Message-ID: <44EDBCC6.3080604@sixdemonbag.org> Philipp G?hring wrote: > Are there any facts or reasons against CISSP? Are there any > alternatives? Many. Google for "CISSP criticisms" and you'll find a lot of reasons to suspect the CISSP, along with some well-regarded alternatives to it. CISSP nominally requires four years of industry experience in computer security before they'll grant a cert, but in reality their definition of "industry experience" is very broad and permissive. I'd much rather judge someone on the basis of the industry experience they used to get their CISSP than I would on the basis of the CISSP itself. > My personal opinion is that PGP was designed to protect normal > confidential data, not to protect spy information. This is not true. The OpenPGP standard was designed to stand up to absolutely brutal cryptanalytic attacks. When it comes to email cryptography standards, OpenPGP really is the gold standard. > Spy communication has more demand for steganography (making sure that > you don?t even notice the transmission and not just that you can?t > read it), and less demand for "public" key systems ;-) I don't mean to sound sarcastic or caustic, but I really wish people who advocate steganography would first read the academic literature on it. I'm fond of Moulin and O'Sullivan's "An Information-Theoretic Analysis of Data Hiding". Steganography does not have a strong theoretical foundation. As such, I think it's dangerous to think steganographic implementations are ready for prime time. From wk at gnupg.org Thu Aug 24 20:16:40 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Aug 24 20:19:12 2006 Subject: Freenigma command line tool Message-ID: <87ejv6vw1j.fsf@wheatstone.g10code.de> Hi, some of you might have heard about the new freenigma encryption service for Firefox. For those who want to play with it and use it in ther ways, I have written a command line tool to access that service. It is not yet very advanced but not too large files (i.e. they need to fit into the core) may be encrypted and decrypted. See the README for details (below). I plan to extend this tool over time. To successfully build it you need to have GNUTLS installed (e.g. for Debian "apt-get install libgnutls11-dev"). ftp://ftp.g10code.com/g10code/freenigma/freenigma-service-0.5.0.tar.bz2 ftp://ftp.g10code.com/g10code/freenigma/freenigma-service-0.5.0.tar.bz2.sig Shalom-Salam, Werner ======== FREENIGMA-SERVICE =================== Version 0.5 A tool to access the freenigma service from the command line. Copyright 2006 g10 Code GmbH This file is free software; as a special exception the author gives unlimited permission to copy and/or distribute it, with or without modifications, as long as this notice is preserved. This file is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY, to the extent permitted by law; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. "freenigma" is a registered trademark of the freenigma GmbH. How to install ============== Standard configure and make procedure applies. As of now the checks done by configure are very limited, so please make sure that a development version of GNUTLS is installed. How to use ========== You need an account on a freenigma server. In this example we assume this account is . To encrypt the file foo.txt to you would use: frngmsvc -u joe.hacker@example.org --encrypt big.boss@example.org if you need to encrypt to more people, just add their mail addresses. The output goes to stdout. If you receive the encrypted file "bar.txt.asc", you use: frngmsvc -u joe.hacker@example.org --decrypt foo.txt.asc and as usual the output goes to stdout. If you don't want to use the -u option, you may always put this into your Bourne shell's init file. FREENIGMA_USER=joe.hacker@example.org; export FREENIGMA_USER There are a couple of other options available, run with the option --help to see them. Currently all operations are done in memory so take care when processing large files. That's all. More on freenigma at http://www.freenigma.com . From JPClizbe at comcast.net Fri Aug 25 09:01:20 2006 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Aug 25 09:01:39 2006 Subject: why cissp says this about PGP/GnuPG? In-Reply-To: <200608231253.00382.pg@futureware.at> References: <44EBF340.5030507@sixdemonbag.org> <200608231253.00382.pg@futureware.at> Message-ID: <44EEA040.8010606@comcast.net> Philipp G?hring wrote: > Hi, > >> Be warned that the CISSP certification is not universally loved. Many >> people feel that it is of dubious quality. > > Are there any facts or reasons against CISSP? > Are there any alternatives? > Google security+certifications http://www.google.com/search?&q=security+certifications The top page on my search was http://certification.about.com/od/securitycerts/a/seccertessentls.htm It's a good place to start. -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 662 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060825/ab1889f4/signature.pgp From JPClizbe at comcast.net Fri Aug 25 09:41:11 2006 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Aug 25 09:47:51 2006 Subject: GnuPG (GPG) Problem In-Reply-To: References: <44E61238.3030001@comcast.net> <20060819144607.GB1104@ASPIRE> Message-ID: <44EEA997.2070509@comcast.net> Bo Berglund wrote: > On Sat, 19 Aug 2006 16:46:07 +0200, Ismael Valladolid Torres > wrote: > >>John Clizbe escribe: >>> Just copy the keyring files. >> >>I store my private keyring and a public keyring containing only my >>public key on a pendrive, then in your gpg.conf: >> >>keyring /path/to/pendrive/pubring.gpg >>secret-keyring /path/to/pendrive/secring.gpg You should also move the trustdb to the pendrive. First copy it then add the following line to gpg.conf: --trustdb-name /path/to/pendrive/trustdb.gpg >> > > I wonder about the gpg.conf file: > Is it used at all in Windows? Yes. > I looked at my own one at "C:\Documents and > Settings\\Application Data\gnupg" and found only commented > out lines there. The word keyring appeared only twice and this was in > descriptive text, not in a setting. The default in the registry is %APPDATA%\GnuPG. That expands to C:\Documents and Settings\\Application Data\GnuPG". You should probably store gpg.conf on your pen drive and choose one of the methods below for overriding the default - that way, you are taking the complete environment with you on the pen drive. There are three ways of changing it. In increasing priority 1) Use Regedit.exe, navigate to the key HKCU\Software\Gnu\GnuPG and change the HomeDir value 2) set the environment variable GNUPGHOME 3) include --homedir /path/to/pendrive/ on the commnd line each time you invoke gpg This totally portable environment is the approach used by the GPG2GO project. See http://www.angelfire.com/mb2/mbgpg2go/tp.html That sounds like a template gpg.conf. I know one like that ships with the Cygwin implementation. You may wish to check out the page http://enigmail.mozdev.org/gpgconf.html It contains a sample gpg.conf for windows you may download to your PC: http://enigmail.mozdev.org/gpg.conf Its contents are: +++++ default-recipient-self keyserver random.sks.keyserver.penguin.de default-cert-check-level 3 keyserver-options auto-key-retrieve include-revoked include-subkeys no-mangle-dos-filenames no-secmem-warning # If you installed idea.dll, uncomment the following line # load-extension Lib\idea +++++ Here's mine +++++ comment "When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG" comment "Be part of the ?33t ECHELON -- Use Strong Encryption." comment "It's YOUR right - for the time being." # # SKS keyserver keyserver minsky.surfnet.nl # # The option lines are one line only. They tend to wrap. # keyserver-options auto-key-retrieve include-subkeys include-revoked repair-pks-subkey-bug import-clean-sigs import-clean-uids export-clean-sigs export-clean-uids # import-options import-local-sigs repair-pks-subkey-bug import-clean-sigs import-clean-uids # export-options include-local-sigs export-clean-sigs export-clean-uids allow-non-selfsigned-uid # # Not always needed, since self-builts have IDEA hardwired into the binary #load-extension Lib\idea # no-default-keyring keyring pubring.gpg primary-keyring pubring.gpg secret-keyring O:\GnuPG\secring.gpg # default-key 0x608D2A10 default-recipient-self encrypt-to 0x18BB373A # bzip2-compress-level 9 compress-level 9 # no-greeting no-secmem-warning armor no-mangle-dos-filenames no-auto-check-trustdb # done by cron/scheduled tasks expert enable-dsa2 +++++ -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 662 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060825/3e0ce951/signature-0001.pgp From JPClizbe at comcast.net Fri Aug 25 09:50:15 2006 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Aug 25 09:49:29 2006 Subject: What does key properties validity and trust 'None' mean??? In-Reply-To: <853ge29n16rkpihk4askau9jlk22u685qs@4ax.com> References: <2bbde2t19ld56133kmhaqja36corrdkq7o@4ax.com> <44E767A6.60707@comcast.net> <853ge29n16rkpihk4askau9jlk22u685qs@4ax.com> Message-ID: <44EEABB7.1010705@comcast.net> Bo Berglund wrote: > I have done this and it works. But that was not the gist of my > problem, it deals with adding public keys from persons who just > installed GnuPG and created new key pairs. > > I learned here now that we have to: > - Import the key into WinPT (Trust and Validity is now None) > - Sign the key (Validity is now Full) > - Change ownertrust to Full (only possible for a signed key) > > We did not know about the two last steps and this is the reason for my > post. > You should *ONLY* set ownertrust to Full if you trust the key owner to fully verify the identity of keys he signs, or if you don't care. -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 662 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060825/db9d3e3d/signature.pgp From JPClizbe at comcast.net Fri Aug 25 09:54:50 2006 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Aug 25 09:54:04 2006 Subject: What does key properties validity and trust 'None' mean??? In-Reply-To: References: <2bbde2t19ld56133kmhaqja36corrdkq7o@4ax.com> <44E767A6.60707@comcast.net> <853ge29n16rkpihk4askau9jlk22u685qs@4ax.com> <87veom5vqs.fsf@wheatstone.g10code.de> Message-ID: <44EEACCA.1090001@comcast.net> Bo Berglund wrote: > On Mon, 21 Aug 2006 10:38:35 +0200, Werner Koch wrote: > >>Hi! >> >>FWIW, there is a little script in the gpg-distribution: >> >># lspgpot - script to extract the ownertrust values >># from PGP keyrings and list them in GnuPG ownertrust format. >> >>I have not used it for a long time, but it might be helpful. Run it >>with PGP's pubring as argument. >> > Probably good on Linux systems but I can't find anything in my GnuPG > installation on WindowsXP-Pro. And I doubt scripts will run on > Windows... > (I installed using gpg4win-1.0.4) > Feeling adventurous? Look into Cygwin for running those scripts. It's one of several POSIX compatibility layers. -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 662 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060825/eaccc943/signature.pgp From bpgadhia at yahoo.com Fri Aug 25 01:19:14 2006 From: bpgadhia at yahoo.com (BharatG) Date: Fri Aug 25 11:51:23 2006 Subject: Decrypting Files Automatically Message-ID: <5974781.post@talk.nabble.com> Hi, I am trying to decrypt a file automatically.I want to use it in a dts package. I am using following command: type passphrase | gpg --passphrase-fd 0 --decypt-file "File Name" in my case it looks like: type "C:\SampleProjects\GnuPGDotNet\GnuPG\passphrase.txt" | gpg --passphrase-fd 0 decrypt-files "C:\DocLib\EncryptedFile\Clock1.swf.gpg" I get one of the following errors: Reading passphrase from file descriptor 0 usage: gpg [options] [filename] OR Reading passphrase from file descriptor 0 gpg: encrypted with ELG-E key, ID ECEB4FC5 gpg: decryption failed: secret key not available I am using GPG version of 1.4.5 on windowsXP professional and default dirctory of secring is C:\Documents and Settings\bgadhia\Application Data\gnupg. And my public key is at C:\DocLib\PublicKey I am able to encrypt and decrypt using UI tools provieded by GPG and WinPT. Can anyone please help me. Thank you in advance. Bharat Gadhia -- View this message in context: http://www.nabble.com/Decrypting-Files-Automatically-tf2161882.html#a5974781 Sent from the GnuPG - User forum at Nabble.com. From bpgadhia at yahoo.com Fri Aug 25 01:20:15 2006 From: bpgadhia at yahoo.com (BharatG) Date: Fri Aug 25 11:51:26 2006 Subject: Decrypting Files Automatically Message-ID: <5974796.post@talk.nabble.com> Hi, I am trying to decrypt a file automatically.I want to use it in a dts package. I am using following command: type passphrase | gpg --passphrase-fd 0 --decypt-file "File Name" in my case it looks like: type "C:\SampleProjects\GnuPGDotNet\GnuPG\passphrase.txt" | gpg --passphrase-fd 0 decrypt-files "C:\DocLib\EncryptedFile\Clock1.swf.gpg" I get one of the following errors: Reading passphrase from file descriptor 0 usage: gpg [options] [filename] OR Reading passphrase from file descriptor 0 gpg: encrypted with ELG-E key, ID ECEB4FC5 gpg: decryption failed: secret key not available I am using GPG version of 1.4.5 on windowsXP professional and default dirctory of secring is C:\Documents and Settings\bgadhia\Application Data\gnupg. And my public key is at C:\DocLib\PublicKey I am able to encrypt and decrypt using UI tools provieded by GPG and WinPT. Can anyone please help me. Thank you in advance. Bharat Gadhia -- View this message in context: http://www.nabble.com/Decrypting-Files-Automatically-tf2161885.html#a5974796 Sent from the GnuPG - User forum at Nabble.com. From synth_spring at Safe-mail.net Thu Aug 24 23:28:13 2006 From: synth_spring at Safe-mail.net (synth_spring@Safe-mail.net) Date: Fri Aug 25 11:51:31 2006 Subject: "sig!3" entry vs "sig!" entry on certain GnuPG keys from the PuTTY software site Message-ID: The web site for the PuTTY software provides GnuPG keys to verify downloads of the PuTTY software. see http://www.chiark.greenend.org.uk/~sgtatham/putty/keys.html With these keys imported into the GnuPG public keyring, issuing "gpg --check-sigs" produced the following output (the user name has been redacted): C:/Documents and Settings/[redacted]/Application Data/gnupg\pubring.gpg ------------------------------------------------------------------------- pub 1024R/1E34AC41 2000-12-20 uid PuTTY Master Key (RSA) sig! 1E34AC41 2000-12-20 PuTTY Master Key (RSA) sig! B41CAE29 2000-12-20 PuTTY Releases (RSA) sig! 32B903A9 2000-12-20 PuTTY Development Snapshots (RSA) pub 1024R/B41CAE29 2000-12-20 uid PuTTY Releases (RSA) sig! B41CAE29 2000-12-20 PuTTY Releases (RSA) sig! 1E34AC41 2000-12-20 PuTTY Master Key (RSA) pub 1024R/32B903A9 2000-12-20 uid PuTTY Development Snapshots (RSA) sig! 32B903A9 2000-12-20 PuTTY Development Snapshots (RSA) sig! 1E34AC41 2000-12-20 PuTTY Master Key (RSA) pub 1024D/6A93B34E 2000-12-20 uid PuTTY Master Key (DSA) sig!3 6A93B34E 2000-12-20 PuTTY Master Key (DSA) sig! 08B0A90B 2000-12-20 PuTTY Releases (DSA) sig! 7D3E4A00 2000-12-20 PuTTY Development Snapshots (DSA) pub 1024D/08B0A90B 2000-12-20 uid PuTTY Releases (DSA) sig!3 08B0A90B 2000-12-20 PuTTY Releases (DSA) sig! 6A93B34E 2000-12-20 PuTTY Master Key (DSA) pub 1024D/7D3E4A00 2000-12-20 uid PuTTY Development Snapshots (DSA) sig!3 7D3E4A00 2000-12-20 PuTTY Development Snapshots (DSA) sig! 6A93B34E 2000-12-20 PuTTY Master Key (DSA) 4 signatures not checked due to missing keys For the self-signatures on the DSA-type keys (and only the DSA-type keys) there is a "sig!3" entry instead of a "sig!" entry. The other signatures on the DSA-type keys just have a "sig!" entry. It has been said elsewhere that the 3 in the "sig!3" entry indicates a certificate check level of 3. However, the 3 does not appear on the self-signature entries for the RSA-type keys. Is this to do with the key types (the DSA type and the RSA type), the way that the keys were created and/or signed, or some other reason? From alphasigmax at gmail.com Fri Aug 25 15:21:21 2006 From: alphasigmax at gmail.com (Alphax) Date: Fri Aug 25 15:22:56 2006 Subject: "sig!3" entry vs "sig!" entry on certain GnuPG keys from the PuTTY software site In-Reply-To: References: Message-ID: <44EEF951.70408@gmail.com> synth_spring@Safe-mail.net wrote: > The web site for the PuTTY software provides GnuPG keys to verify > downloads of the PuTTY software. see > http://www.chiark.greenend.org.uk/~sgtatham/putty/keys.html > > With these keys imported into the GnuPG public keyring, issuing "gpg > --check-sigs" produced the following output (the user name has been > redacted): > > > For the self-signatures on the DSA-type keys (and only the DSA-type > keys) there is a "sig!3" entry instead of a "sig!" entry. The other > signatures on the DSA-type keys just have a "sig!" entry. It has been > said elsewhere that the 3 in the "sig!3" entry indicates a > certificate check level of 3. However, the 3 does not appear on the > self-signature entries for the RSA-type keys. Is this to do with the > key types (the DSA type and the RSA type), the way that the keys were > created and/or signed, or some other reason? > It's to do with the way the keys were signed at the time they were generated. There is a "default certification level" option that can be used either on the command line or in a config file - normally GnuPG will ask you for the certification level when you sign a key, but the default /can/ be used if the right options are set, and /will/ be used at the time of key generation. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 569 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060825/641b4ad3/signature.pgp From tmz at pobox.com Fri Aug 25 15:40:08 2006 From: tmz at pobox.com (Todd Zullinger) Date: Fri Aug 25 16:58:15 2006 Subject: "sig!3" entry vs "sig!" entry on certain GnuPG keys from the PuTTY software site In-Reply-To: <44EEF951.70408@gmail.com> References: <44EEF951.70408@gmail.com> Message-ID: <20060825134008.GD30101@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alphax wrote: > There is a "default certification level" option that can be used > either on the command line or in a config file - normally GnuPG will > ask you for the certification level when you sign a key, but the > default /can/ be used if the right options are set, and /will/ be > used at the time of key generation. I believe you will not normally be asked for a cert-level, at least not with most recent versions of gpg (I forget when that changed exactly). You must set ask-cert-level in your config or on the command line to be prompted. - -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ====================================================================== What it means to take rights seriously is that one will honor them even when there is a significant social cost in doing so. -- Ronald Dworkin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQFDBAEBAgAtBQJE7v24JhhodHRwOi8vd3d3LnBvYm94LmNvbS9+dG16L3BncC90 bXouYXNjAAoJEEMlk4u+rwzjBxAH/3g+/Whk3cubupcbQPQ0uIa/NjwxZOH20ABZ ZWyTR1++ZHJgNxyUcqN+MkeiVCtS3uieqEFfDV40v53aZE2flAr/gDZWcwG5Xlek qWJOn9EnOzjsoHLVbWekBGA88IAx4X6yyBd5qvoEwYynkW/tIInNQqmtg1/HNYmI IjJjtGrWSATEdJ5o4Ojmqmwz0R4vhpVVSfXXReQ42Fb03VXBgy6/soNjZzsUrza2 IrjTyW23+W0vfKbgEZTjrqG+Kdz5BXHfPlG4TRqwdGlRCJUT5Twzhv1NiXW1m3Q3 spnI8bm6SDWBXcLD51yFZ8bDkAObffpQ86XyrDWnz3YcYK48k4A= =jwpd -----END PGP SIGNATURE----- From bo.berglund at telia.com Fri Aug 25 20:55:42 2006 From: bo.berglund at telia.com (Bo Berglund) Date: Sat Aug 26 09:38:50 2006 Subject: What does key properties validity and trust 'None' mean??? References: <2bbde2t19ld56133kmhaqja36corrdkq7o@4ax.com> <44E767A6.60707@comcast.net> <853ge29n16rkpihk4askau9jlk22u685qs@4ax.com> <44EEABB7.1010705@comcast.net> Message-ID: <6phue2hegfkfpl4kbhk1t8qq4rg7qta2mj@4ax.com> On Fri, 25 Aug 2006 02:50:15 -0500, John Clizbe wrote: >Bo Berglund wrote: >> I have done this and it works. But that was not the gist of my >> problem, it deals with adding public keys from persons who just >> installed GnuPG and created new key pairs. >> >> I learned here now that we have to: >> - Import the key into WinPT (Trust and Validity is now None) >> - Sign the key (Validity is now Full) >> - Change ownertrust to Full (only possible for a signed key) >> >> We did not know about the two last steps and this is the reason for my >> post. >> > >You should *ONLY* set ownertrust to Full if you trust the key owner to fully >verify the identity of keys he signs, or if you don't care. In order to get GPG to work I had to sign the received keys myself. Now I am wondering if maybe the procedure is wrong, maybe we should sign our own public keys when they have been stored in the ASC file instead? Will WinPT recognize this and set the Validity flag? /Bo Bo Berglund From johanw at vulcan.xs4all.nl Sat Aug 26 10:36:18 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Sat Aug 26 10:33:59 2006 Subject: Decrypting Files Automatically In-Reply-To: <5974796.post@talk.nabble.com> Message-ID: <200608260836.k7Q8aIXX023781@vulcan.xs4all.nl> BharatG wrote: >type passphrase | gpg --passphrase-fd 0 --decypt-file "File Name" >in my case it looks like: >type "C:\SampleProjects\GnuPGDotNet\GnuPG\passphrase.txt" | gpg >--passphrase-fd 0 decrypt-files "C:\DocLib\EncryptedFile\Clock1.swf.gpg" Peculiarity with windows dealing with pipes. There should not be a space between the passphrase and the pipe sign. BTW, I don't know if the file contains a newline/retrun either, otherwise that might also cause problems. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From benjamin at py-soft.co.uk Sun Aug 27 02:57:05 2006 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Sun Aug 27 03:13:44 2006 Subject: why cissp says this about PGP/GnuPG? In-Reply-To: References: Message-ID: <44F0EDE1.1080601@py-soft.co.uk> Beff Con wrote: > I wonder why PGP is not good enough to encrypt spy information? Personally, I'd use a one time pad for that sort of information. Ben From j.lysdal at gmail.com Sun Aug 27 15:41:28 2006 From: j.lysdal at gmail.com (=?UTF-8?Q?J=C3=B8rgen_Lysdal?=) Date: Sun Aug 27 15:39:52 2006 Subject: trust signature? Message-ID: <9afe34fe0608270641w491950a1gd088f0be8959e09d@mail.gmail.com> Hi, why can i only use tsign from the key edit menu, and not directly with a command like i can do with sign and lsign? From laurent.jumet at skynet.be Sun Aug 27 17:06:38 2006 From: laurent.jumet at skynet.be (Laurent Jumet) Date: Sun Aug 27 17:09:40 2006 Subject: trust signature? In-Reply-To: <9afe34fe0608270641w491950a1gd088f0be8959e09d@mail.gmail.com> Message-ID: Hello ! "J?rgen Lysdal" wrote: > why can i only use tsign from the key edit menu, and not directly with > a command like i can do with sign and lsign? It seems that only "sign" and "lsign" have a shortcut from the command line. -- Laurent Jumet KeyID: 0xCFAF704C From shavital at mac.com Sun Aug 27 19:31:46 2006 From: shavital at mac.com (Charly Avital) Date: Sun Aug 27 19:30:17 2006 Subject: trust signature? In-Reply-To: References: Message-ID: <44F1D702.4090000@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 I can use tsign in the command line. It is included in the Command> prompt, after you use --edit-key. Charly Running gpg 1.4.5 compiled from source code, for Macintosh OS 10.4.7 Laurent Jumet wrote the following on 8/27/06 11:06 AM: > Hello ! > > "J?rgen Lysdal" wrote: > >> why can i only use tsign from the key edit menu, and not directly with >> a command like i can do with sign and lsign? > > It seems that only "sign" and "lsign" have a shortcut from the command line. > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) Comment: GnuPG for Privacy Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEVAwUBRPHW/83GMi2FW4PvAQgrAAf/dYzfUSuixWTfhRrz5Pq6rqd2oNWjFJQV 273Dw3RppCtf3V091w+n5WftW2vWb4kYLS7fhUuipe0HAZVsJjN4pHA6SOr5Y+7G KT5vPS2vbsNdJSG1Xb8Arwk8oyKAREBBr6vTuIwM/eGUzLQD2ypJaQ0JeejaGlRv sVTUG/nj7P6kTUaAMg3lVd6ZTRayS5tcalUcV7ogvDvQr7PoJDYT0ly0HIc6wLLt /qNX/IMvFuyhmsla528V5JgDAsMsQJUCRK+ozf2PD6nmYqkCHQs6d5VG+uDP6N6Y 6CDsvYmNCTo5HQ3H/t6TLEtI0X6Qav/JZMyvix8VH6OMl+6+gO5OOg== =TCgo -----END PGP SIGNATURE----- From msmith3 at blueyonder.co.uk Sat Aug 26 16:51:28 2006 From: msmith3 at blueyonder.co.uk (Mark Smith) Date: Mon Aug 28 03:30:01 2006 Subject: Restoring my HTML mails Message-ID: <44F05FF0.5030104@blueyonder.co.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Everyone, I've just installed GnuPG and Enigmail for my Thunderbird client. During the installation process of Enigmail, the wizard changes some options including changing composition and reading of emails in plain text rather than HTML. I was wondering how I reset Thunderbird to compose/read emails as HTML? Many thanks Mark Smith -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFE8F/ngXqLQh/f2GwRAmZxAKCXwzNbj0uOusBeIa/DjIZwzk5I8gCcCUpL FguWqCZiE0KyVDEHzjegtYI= =OFzq -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: pgpkeys.asc Type: application/pgp-keys Size: 1700 bytes Desc: not available Url : /pipermail/attachments/20060826/8fec36f3/pgpkeys.key From lhb at array-it.com Mon Aug 28 03:07:53 2006 From: lhb at array-it.com (Haibo Liu) Date: Mon Aug 28 04:28:35 2006 Subject: Help! Gnupg can't run in php program Message-ID: <001401c6ca3e$63ae2ca0$b81816da@arrayit.com> Hello, Does anybody use GnuPG in PHP program? The server is on Debian OP. I create my key pair in the ./gnupg directory. And the command "gpg --help" runs as normal. But the command "gpg --list-keys" failed. What's the problem? My code is below: "; echo "cmd: $cmd, return code: $val_return
"; $cmd = "gpg --homedir ./gnupg --list-keys"; system($cmd, $val_return); echo "
"; echo "cmd: $cmd, return code: $val_return
"; ?> lhb From rjh at sixdemonbag.org Mon Aug 28 05:39:01 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon Aug 28 05:37:37 2006 Subject: Help! Gnupg can't run in php program In-Reply-To: <001401c6ca3e$63ae2ca0$b81816da@arrayit.com> References: <001401c6ca3e$63ae2ca0$b81816da@arrayit.com> Message-ID: <44F26555.7020602@sixdemonbag.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Haibo Liu wrote: > I create my key pair in the ./gnupg directory. In which .gnupg directory, though? Your web server probably runs as a different user. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCgAGBQJE8mVVAAoJELcA9IL+r4EJIMcIAORDmNlBMpY1i3a6wm6DGGSd H2efHGgPzv/EaDBZkVmnIgptQ2A+3oZwJvZY2iO6dNsSY09qSiU4ZFY19z7lKLVs aVXslKCD3rbXAWAcfLOgR1GyBhRlba9ZV9Kbehnkd5W3ZRMg4o4VvYtBAchqQiFh LIRseBSjRepdqdMnZKgGeiA9laHQ85u7zQNKIsb6JxElxhrYbCO52n3j0M6Dr8sx HO4dg8WGgW3Rjt3i3Plh7VrJt+XVTUEjxKVJHn7JcPFAbBSJSrykwIhPfKx6blil grs94AS9pLDrs/fbfp6AMGvoOFTMICEXG36eBTWp3DXatO3k71gvJSG2KThH86w= =qJMr -----END PGP SIGNATURE----- From bluejump at mac.com Mon Aug 28 06:56:50 2006 From: bluejump at mac.com (Kajsa Anka) Date: Mon Aug 28 06:58:26 2006 Subject: I don't get it - utf8 on Mac Message-ID: <0001HW.C118443200354937F0284530@news.gmane.org> I'm new to gpg and I've recently compiled and installed gpg on my Mac and it seem to work. However, I don't understand how to get it to use UTF-8, what happens is that I launch gpg like this gpg --gen-key --utf8-strings and start fill in the data I get Comment: You are using the `US-ASCII' character set. You selected this USER-ID: "H?kan ?berg " The terminal is set to use utf8. So I'm doing something wrong but what? From simon at ruderich.com Mon Aug 28 08:48:24 2006 From: simon at ruderich.com (Simon Ruderich) Date: Mon Aug 28 10:28:59 2006 Subject: Help! Gnupg can't run in php program In-Reply-To: <44F26555.7020602@sixdemonbag.org> References: <001401c6ca3e$63ae2ca0$b81816da@arrayit.com> <44F26555.7020602@sixdemonbag.org> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 28.08.2006, at 05:39, Robert J. Hansen wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > Haibo Liu wrote: > >> I create my key pair in the ./gnupg directory. >> > > In which .gnupg directory, though? Your web server probably runs as a > different user. > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.5 (Darwin) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iQEcBAEBCgAGBQJE8mVVAAoJELcA9IL+r4EJIMcIAORDmNlBMpY1i3a6wm6DGGSd > H2efHGgPzv/EaDBZkVmnIgptQ2A+3oZwJvZY2iO6dNsSY09qSiU4ZFY19z7lKLVs > aVXslKCD3rbXAWAcfLOgR1GyBhRlba9ZV9Kbehnkd5W3ZRMg4o4VvYtBAchqQiFh > LIRseBSjRepdqdMnZKgGeiA9laHQ85u7zQNKIsb6JxElxhrYbCO52n3j0M6Dr8sx > HO4dg8WGgW3Rjt3i3Plh7VrJt+XVTUEjxKVJHn7JcPFAbBSJSrykwIhPfKx6blil > grs94AS9pLDrs/fbfp6AMGvoOFTMICEXG36eBTWp3DXatO3k71gvJSG2KThH86w= > =qJMr > -----END PGP SIGNATURE----- > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users You should use an absolute path to the gnupg home directory and you have to ensure that the user which runs the webserver has read access to the directory. Simon - ---- > privacy is necessary > using http://gnupg.org > public key id: 0x6115F804EFB33229 http://ruderich.com/ simonruderich.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) iD8DBQFE8pG4YRX4BO+zMikRCtXSAJ9d0nO/p0uZIgrG5LQkwabm3DUWtgCghhM1 Ml903+yAIG8jsUcLOIYqJZU= =S8oU -----END PGP SIGNATURE----- From bpgadhia at yahoo.com Fri Aug 25 19:55:26 2006 From: bpgadhia at yahoo.com (BharatG) Date: Mon Aug 28 11:25:53 2006 Subject: GPG question In-Reply-To: <44DCD858.6050207@nixthis.com> References: <44DCA4CD.7050807@nixthis.com> <20060811171913.GA16299@jabberwocky.com> <44DCD858.6050207@nixthis.com> Message-ID: <5988271.post@talk.nabble.com> Hi, I am also dealing with same problem of automating the decryption process. I have done according help manual as shwon below. I get error and I do not know how to proceed: generic command: type passphrase | gpg --passphrase-fd 0 --decypt-file "File Name" in my case it looks like: type "C:\SampleProjects\GnuPGDotNet\GnuPG\passphrase.txt" | gpg --passphrase-fd 0 decrypt-files "C:\DocLib\EncryptedFile\Clock1.swf.gpg" I get one of the following errors: Reading passphrase from file descriptor 0 usage: gpg [options] [filename] OR if I use --decrypt-files instead decrypt-files I get following error: Reading passphrase from file descriptor 0 gpg: encrypted with ELG-E key, ID ECEB4FC5 gpg: decryption failed: secret key not available I am using GPG version of 1.4.5 on windowsXP professional and default dirctory of secring is C:\Documents and Settings\bgadhia\Application Data\gnupg. And my public key is at C:\DocLib\PublicKey I am able to encrypt and decrypt using UI tools provieded by GPG and WinPT. Bharat Gadhia Brian Rosenvinge wrote: > > Thanks so much, it worked like a charm. I just had to change "cat" to > "type". > > I don't mind supplying the passphrase in the script or in a file if > there is a way to automate this process. I am not sure where a > "--passphrase-fd" could be used, if it is even possible. > > Thanks Brian > > David Shaw wrote: > >>On Fri, Aug 11, 2006 at 10:39:57AM -0500, >> >>cat thefile.gpg | gpg | gpg -r recipient_1 -r recipient_2 -r recipient_3 --encrypt > output.gpg >> >>The catch is that the first gpg instance is doing to need to prompt >>you for a passphrase, and the second gpg instance may need to prompt >>you whether the recipients are trusted (if you don't have a trust path >>to them). An easy way to fix this, is to add a "--trust-model always" >>to the second instance (assuming you really do trust those recipient >>keys). >> >>David >> >>_______________________________________________ >>Gnupg-users mailing list >>Gnupg-users@gnupg.org >>http://lists.gnupg.org/mailman/listinfo/gnupg-users >> >> > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -- View this message in context: http://www.nabble.com/GPG-question-tf2091871.html#a5988271 Sent from the GnuPG - User forum at Nabble.com. From linux at thorstenhau.de Mon Aug 28 10:21:23 2006 From: linux at thorstenhau.de (Thorsten Haude) Date: Mon Aug 28 12:02:29 2006 Subject: Restoring my HTML mails In-Reply-To: <44F05FF0.5030104@blueyonder.co.uk> References: <44F05FF0.5030104@blueyonder.co.uk> Message-ID: <20060828082123.GC5804@eumel.yoo.local> Hi, * Mark Smith wrote (2006-08-26 15:51): >I've just installed GnuPG and Enigmail for my Thunderbird client. >During the installation process of Enigmail, the wizard changes some >options including changing composition and reading of emails in plain >text rather than HTML. This installer is full of emaily goodness! >I was wondering how I reset Thunderbird to compose/read emails as HTML? Not at all would be best: http://www.georgedillon.com/web/html_email_is_evil.shtml http://www.vexen.co.uk/notes/htmlemails.html But believe it or not, bashing HTML is not the reason I wrote this mail, it's the funny MIME structure. Is this the result of Enigmail? Are these the default options? This seems to be the run-of-the-mill traditional signature with attached public key. Is this the normal way you send mails? Thorsten Klez.e: Strandlied -- When all else fails, there's always delusion. - Conan O'Brien -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20060828/66e268bd/attachment.pgp From alphasigmax at gmail.com Mon Aug 28 13:32:42 2006 From: alphasigmax at gmail.com (Alphax) Date: Mon Aug 28 13:34:02 2006 Subject: Help! Gnupg can't run in php program In-Reply-To: References: <001401c6ca3e$63ae2ca0$b81816da@arrayit.com> <44F26555.7020602@sixdemonbag.org> Message-ID: <44F2D45A.80008@gmail.com> Simon Ruderich wrote: > Enigmail gave me gpg: unexpected armor: -----BEGIN PGP SIGNED MESSAGE-----\n gpg: invalid radix64 character 3A skipped gpg: CRC error; 31D9CE - A8932B gpg: [don't know]: invalid packet (ctb=1d) GPGShell validated your sig ok, as did copy/pasting onto the command line. Something funny going on with Apple Mail? -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 569 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060828/c6ca3aba/signature.pgp From benjamin at py-soft.co.uk Mon Aug 28 13:45:01 2006 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Mon Aug 28 13:42:47 2006 Subject: I don't get it - utf8 on Mac In-Reply-To: <0001HW.C118443200354937F0284530@news.gmane.org> References: <0001HW.C118443200354937F0284530@news.gmane.org> Message-ID: <44F2D73D.3040301@py-soft.co.uk> Kajsa Anka wrote: > The terminal is set to use utf8. So I'm doing something wrong > but what? Have you tried the UTF8 related instructions on http://desp.night.pl/terminal.html ? Ben From wk at gnupg.org Mon Aug 28 14:13:32 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Aug 28 14:38:29 2006 Subject: [Announce] Libgcrypt 1.2.3 released Message-ID: <878xl93vo3.fsf@wheatstone.g10code.de> Skipped content of type multipart/signed-------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From dshaw at jabberwocky.com Mon Aug 28 14:59:31 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Aug 28 14:57:57 2006 Subject: I don't get it - utf8 on Mac In-Reply-To: <0001HW.C118443200354937F0284530@news.gmane.org> References: <0001HW.C118443200354937F0284530@news.gmane.org> Message-ID: <20060828125931.GE8373@jabberwocky.com> On Mon, Aug 28, 2006 at 06:56:50AM +0200, Kajsa Anka wrote: > I'm new to gpg and I've recently compiled and installed gpg > on my Mac and it seem to work. However, I don't understand > how to get it to use UTF-8, what happens is that I launch > gpg like this > > gpg --gen-key --utf8-strings > > and start fill in the data I get > > Comment: > You are using the `US-ASCII' character set. > You selected this USER-ID: > "H?kan ?berg " > > The terminal is set to use utf8. So I'm doing something wrong > but what? It's not your fault. There is an old bug in the Mac libraries such that it reports everything as US-ASCII. Stick "display-charset utf-8" in your gpg.conf file and that will override the libraries. David From wk at gnupg.org Mon Aug 28 19:19:05 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Aug 28 19:33:32 2006 Subject: [Announce] Gpg4win 1.0.6 released Message-ID: <87zmdo7p86.fsf@wheatstone.g10code.de> Skipped content of type multipart/signed-------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From bluejump at mac.com Mon Aug 28 23:01:40 2006 From: bluejump at mac.com (Kajsa Anka) Date: Mon Aug 28 23:00:55 2006 Subject: I don't get it - utf8 on Mac References: <0001HW.C118443200354937F0284530@news.gmane.org> <44F2D73D.3040301@py-soft.co.uk> Message-ID: <0001HW.C119265400067185F0407530@news.gmane.org> On Mon, 28 Aug 2006 13:45:01 +0200, Benjamin Donnachie wrote (in article <44F2D73D.3040301@py-soft.co.uk>): > Have you tried the UTF8 related instructions on > http://desp.night.pl/terminal.html ? Thanks, that fixed it. jem From bluejump at mac.com Mon Aug 28 23:02:04 2006 From: bluejump at mac.com (Kajsa Anka) Date: Mon Aug 28 23:03:38 2006 Subject: I don't get it - utf8 on Mac References: <0001HW.C118443200354937F0284530@news.gmane.org> <20060828125931.GE8373@jabberwocky.com> Message-ID: <0001HW.C119266C0006771CF0407530@news.gmane.org> On Mon, 28 Aug 2006 14:59:31 +0200, David Shaw wrote (in article <20060828125931.GE8373@jabberwocky.com>): > It's not your fault. There is an old bug in the Mac libraries such > that it reports everything as US-ASCII. Stick "display-charset utf-8" > in your gpg.conf file and that will override the libraries. Ahh, thanks. jem From SeidlS at schneider.com Mon Aug 28 22:22:23 2006 From: SeidlS at schneider.com (SeidlS@schneider.com) Date: Mon Aug 28 23:59:07 2006 Subject: Using subkeys to renew an expiring key Message-ID: I have been working on a process to encrypt data files and send it to other organizations for processing. As part of this process, we decided to set our key to expire every year. Last year we did not act before the key expired and that same day added an additional subkey that would expire in September, 2006. We are now trying to be pro-active and work to "renew" the key and distribute it before it expires. I have two questions regarding how to "renew" this key. 1) Is the correct way to renew the key to add another subkey that expires in September, 2007, or is there a better way? 2) If we do add another subkey that expires in September, 2007, how well will the two subkeys work together? It's going to be difficult to get everyone to convert to the updated key in the same day, so we won't be able to revoke the subkey at the same time we generate the new one. Another way to say this, we may be encrypting a file with the subkey added, while one or more organization may be using the old key (without the new subkey) and one or more organizations may be using the new key (with the new subkey). Will this work correctly?? Are there any other concerns that are being overlooked? Thanks Scott Seidl Electronic Communication Services seidls@schneider.com Tel) 920-592-2163 This document, and any attachments therein, contains proprietary and confidential information that may not be disclosed without the prior written permission of Schneider National, Inc. and its subsidiaries. Unauthorized use or misuse of this information and its contents is strictly prohibited. Schneider National, Inc. vigorously protects its rights. From qed at tiscali.it Tue Aug 29 00:44:20 2006 From: qed at tiscali.it (Qed) Date: Tue Aug 29 00:43:01 2006 Subject: Using subkeys to renew an expiring key In-Reply-To: References: Message-ID: <44F371C4.6040207@tiscali.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 On 08/28/2006 10:22 PM, SeidlS@schneider.com wrote: > I have two questions regarding how to "renew" this key. > 1) Is the correct way to renew the key to add another subkey that expires > in September, 2007, or is there a better way? This wouldn't renew your master key, you have to change expiration date with 'expire' command from --edit-key shell. > 2) If we do add another subkey that expires in September, 2007, how well > will the two subkeys work together? It's going to be difficult to get > everyone to convert to the updated key in the same day, so we won't be able > to revoke the subkey at the same time we generate the new one. Another > way to say this, we may be encrypting a file with the subkey added, while > one or more organization may be using the old key (without the new subkey) > and one or more organizations may be using the new key (with the new > subkey). Will this work correctly?? Unless you'd specify explicitely to use the old subkey, the most recent one will be used; you can encrypt the message to both subkeys(if not expired). - -- Q.E.D. War is Peace Freedom is Slavery Ignorance is Strength ICQ UIN: 301825501 OpenPGP key ID: 0x58D14EB3 Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3 Check fingerprints before trusting a key! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD4DBQFE83HEH+Dh0Dl5XacRA89rAJd+qlbECQ0HyJ69k6XctlAQX8F3AKCDB/qB gHNulETqkC52SpdZkagOXg== =1EKs -----END PGP SIGNATURE----- From bpgadhia at yahoo.com Mon Aug 28 17:49:02 2006 From: bpgadhia at yahoo.com (BharatG) Date: Tue Aug 29 10:47:24 2006 Subject: Decrypting Files Automatically In-Reply-To: <200608260836.k7Q8aIXX023781@vulcan.xs4all.nl> References: <5974796.post@talk.nabble.com> <200608260836.k7Q8aIXX023781@vulcan.xs4all.nl> Message-ID: <6022798.post@talk.nabble.com> Hi Johan, Thank you for the suggestion. I do not have any space in between passpharse and pipe sign and my passphrase does not contain any newline/return. Thank you. Bharat. Johan Wevers wrote: > > BharatG wrote: > >>type passphrase | gpg --passphrase-fd 0 --decypt-file "File Name" >>in my case it looks like: >>type "C:\SampleProjects\GnuPGDotNet\GnuPG\passphrase.txt" | gpg >>--passphrase-fd 0 decrypt-files "C:\DocLib\EncryptedFile\Clock1.swf.gpg" > > Peculiarity with windows dealing with pipes. There should not be a space > between the passphrase and the pipe sign. > > BTW, I don't know if the file contains a newline/retrun either, otherwise > that might also cause problems. > > -- > ir. J.C.A. Wevers // Physics and science fiction site: > johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html > PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -- View this message in context: http://www.nabble.com/Decrypting-Files-Automatically-tf2161885.html#a6022798 Sent from the GnuPG - User forum at Nabble.com. From gonzalob at gonz0.com.ar Mon Aug 28 21:30:50 2006 From: gonzalob at gonz0.com.ar (Gonzalo =?ISO-8859-1?Q?Berm=FAdez?=) Date: Tue Aug 29 10:47:29 2006 Subject: What does key properties validity and trust 'None' mean??? In-Reply-To: <1156642870.1510.9.camel@gonzalo.mi-casa.local> References: <2bbde2t19ld56133kmhaqja36corrdkq7o@4ax.com> <44E767A6.60707@comcast.net> <853ge29n16rkpihk4askau9jlk22u685qs@4ax.com> <44EEABB7.1010705@comcast.net> <6phue2hegfkfpl4kbhk1t8qq4rg7qta2mj@4ax.com> <1156642870.1510.9.camel@gonzalo.mi-casa.local> Message-ID: <1156793450.1699.4.camel@gonzalo.mi-casa.local> A key is valid in a keyring once it's signed by an ultimately trusted key for that keyring, or when it gets enough signatures from other fully or marginally trusted keys in the ring (this requirement depends on your configuration, by default one fully trusted key or three marginals make a key valid). This is why John told you to assign a trust level of full only to people you fully trust ;-). Otherwise your ring may be filled up valid keys that you shouldn't really consider as such. Note that you don't need a key's ownertrust to be full for it to work, it just has to be valid. These two concepts are different. p.S: forgive me Bo for sending this to your email, I meant to send it to the list. On Fri, 2006-08-25 at 20:55 +0200, Bo Berglund wrote: > On Fri, 25 Aug 2006 02:50:15 -0500, John Clizbe > wrote: > > >Bo Berglund wrote: > >> I have done this and it works. But that was not the gist of my > >> problem, it deals with adding public keys from persons who just > >> installed GnuPG and created new key pairs. > >> > >> I learned here now that we have to: > >> - Import the key into WinPT (Trust and Validity is now None) > >> - Sign the key (Validity is now Full) > >> - Change ownertrust to Full (only possible for a signed key) > >> > >> We did not know about the two last steps and this is the reason for my > >> post. > >> > > > >You should *ONLY* set ownertrust to Full if you trust the key owner to fully > >verify the identity of keys he signs, or if you don't care. > > In order to get GPG to work I had to sign the received keys myself. > Now I am wondering if maybe the procedure is wrong, maybe we should > sign our own public keys when they have been stored in the ASC file > instead? Will WinPT recognize this and set the Validity flag? > > /Bo > > Bo Berglund > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -- Saludos Gonzalo -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 323 bytes Desc: This is a digitally signed message part Url : /pipermail/attachments/20060828/82f12c12/attachment.pgp From gonzalob at gonz0.com.ar Tue Aug 29 01:12:32 2006 From: gonzalob at gonz0.com.ar (Gonzalo =?ISO-8859-1?Q?Berm=FAdez?=) Date: Tue Aug 29 10:47:32 2006 Subject: Using subkeys to renew an expiring key In-Reply-To: References: Message-ID: <1156806752.3908.11.camel@gonzalo.mi-casa.local> On Mon, 2006-08-28 at 15:22 -0500, SeidlS@schneider.com wrote: > I have two questions regarding how to "renew" this key. > 1) Is the correct way to renew the key to add another subkey that expires > in September, 2007, or is there a better way? I do not know of a better way, so my answer would be yes, it's the correct way. > 2) If we do add another subkey that expires in September, 2007, how well > will the two subkeys work together? It's going to be difficult to get > everyone to convert to the updated key in the same day, so we won't be able > to revoke the subkey at the same time we generate the new one. Another > way to say this, we may be encrypting a file with the subkey added, while > one or more organization may be using the old key (without the new subkey) > and one or more organizations may be using the new key (with the new > subkey). Will this work correctly?? Those who update will start encrypting to the new key, while those who don't will keep encrypting with the old one until it expires (once it does expire, they won't be able to encrypt at all until fetching the new one). In either case, you will still be able to decrypt messages encrypted to any of those keys, as long as you have the secret keymaterials, since these do not expire nor get revoked, only public keys do. > Are there any other concerns that are being overlooked? -- Saludos Gonzalo -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 323 bytes Desc: This is a digitally signed message part Url : /pipermail/attachments/20060828/e93a57a0/attachment.pgp From SeidlS at schneider.com Tue Aug 29 16:33:01 2006 From: SeidlS at schneider.com (SeidlS@schneider.com) Date: Tue Aug 29 16:37:33 2006 Subject: Using subkeys to renew an expiring key In-Reply-To: <44F371C4.6040207@tiscali.it> Message-ID: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: RIPEMD160 > > On 08/28/2006 10:22 PM, SeidlS@schneider.com wrote: > > I have two questions regarding how to "renew" this key. > > 1) Is the correct way to renew the key to add another subkey that expires > > in September, 2007, or is there a better way? > This wouldn't renew your master key, you have to change expiration date > with 'expire' command from --edit-key shell. > > > 2) If we do add another subkey that expires in September, 2007, how well > > will the two subkeys work together? It's going to be difficult to get > > everyone to convert to the updated key in the same day, so we won't be able > > to revoke the subkey at the same time we generate the new one. Another > > way to say this, we may be encrypting a file with the subkey added, while > > one or more organization may be using the old key (without the new subkey) > > and one or more organizations may be using the new key (with the new > > subkey). Will this work correctly?? > Unless you'd specify explicitely to use the old subkey, the most recent > one will be used; you can encrypt the message to both subkeys(if not > expired). > - -- How do you encrypt to both subkeys? Is this an option turned on with the GPG command, or does it mean actually running the input file through two seperate GPG commands? -Scott > > Q.E.D. > War is Peace > Freedom is Slavery > Ignorance is Strength > > ICQ UIN: 301825501 > OpenPGP key ID: 0x58D14EB3 > Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3 > Check fingerprints before trusting a key! > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.5 (GNU/Linux) > > iD4DBQFE83HEH+Dh0Dl5XacRA89rAJd+qlbECQ0HyJ69k6XctlAQX8F3AKCDB/qB > gHNulETqkC52SpdZkagOXg== > =1EKs > -----END PGP SIGNATURE----- From SeidlS at schneider.com Tue Aug 29 16:36:26 2006 From: SeidlS at schneider.com (SeidlS@schneider.com) Date: Tue Aug 29 16:38:01 2006 Subject: Using subkeys to renew an expiring key In-Reply-To: <1156806752.3908.11.camel@gonzalo.mi-casa.local> Message-ID: > On Mon, 2006-08-28 at 15:22 -0500, SeidlS@schneider.com wrote: > > > I have two questions regarding how to "renew" this key. > > 1) Is the correct way to renew the key to add another subkey that expires > > in September, 2007, or is there a better way? > > I do not know of a better way, so my answer would be yes, it's the > correct way. > > > 2) If we do add another subkey that expires in September, 2007, how well > > will the two subkeys work together? It's going to be difficult to get > > everyone to convert to the updated key in the same day, so we won't be able > > to revoke the subkey at the same time we generate the new one. Another > > way to say this, we may be encrypting a file with the subkey added, while > > one or more organization may be using the old key (without the new subkey) > > and one or more organizations may be using the new key (with the new > > subkey). Will this work correctly?? > > Those who update will start encrypting to the new key, while those who > don't will keep encrypting with the old one until it expires (once it > does expire, they won't be able to encrypt at all until fetching the new > one). In either case, you will still be able to decrypt messages > encrypted to any of those keys, as long as you have the secret > keymaterials, since these do not expire nor get revoked, only public > keys do. Your talking about document inbound to my process, encrypted by the other organizations. That should work without an issue as you pointed out, but what about the outbound process? In that instance we would be encrypting the file and sending it to the other organizations to be decrypted... would those orgainzations that haven't updated to the new key have problems decrypting the file? -Scott > > > Are there any other concerns that are being overlooked? > -- > Saludos > Gonzalo > [attachment "signature.asc" deleted by Scott Seidl/Schneider] > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From qed at tiscali.it Tue Aug 29 17:14:49 2006 From: qed at tiscali.it (Qed) Date: Tue Aug 29 17:13:12 2006 Subject: Using subkeys to renew an expiring key In-Reply-To: References: Message-ID: <44F459E9.2040505@tiscali.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 On 08/29/2006 04:33 PM, SeidlS@schneider.com wrote: > How do you encrypt to both subkeys? Is this an option turned on with the > GPG command, or does it mean actually running the input file through two > seperate GPG commands? - From gpg manpage: gpg -r subkey1_ID! -r subkey2_ID! -e exclamation marks are mandatory. - -- Q.E.D. War is Peace Freedom is Slavery Ignorance is Strength ICQ UIN: 301825501 OpenPGP key ID: 0x58D14EB3 Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3 Check fingerprints before trusting a key! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQFE9FnoH+Dh0Dl5XacRA1sCAJ4yAWZJN1uS9N08JUmskajtjDFKAQCeJtC+ QxnGPB35pOQriUmNWPkJdfI= =WHEk -----END PGP SIGNATURE----- From qed at tiscali.it Tue Aug 29 17:28:00 2006 From: qed at tiscali.it (Qed) Date: Tue Aug 29 17:26:23 2006 Subject: Using subkeys to renew an expiring key In-Reply-To: References: Message-ID: <44F45D00.7050509@tiscali.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 On 08/29/2006 04:36 PM, SeidlS@schneider.com wrote: > Your talking about document inbound to my process, encrypted by the other > organizations. That should work without an issue as you pointed out, but > what about the outbound process? In that instance we would be encrypting > the file and sending it to the other organizations to be decrypted... would > those orgainzations that haven't updated to the new key have problems > decrypting the file? This is a rather strange statement. Other organizations should have their OWN pubkeys to which documents sent to them are encrypted. - -- Q.E.D. War is Peace Freedom is Slavery Ignorance is Strength ICQ UIN: 301825501 OpenPGP key ID: 0x58D14EB3 Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3 Check fingerprints before trusting a key! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQFE9F0AH+Dh0Dl5XacRA16VAJ9vwgPr/SQc2rMigKqUyxmJKDwOsQCfYN+e QvYTudheYNA74t8sY9ctY5k= =wEpX -----END PGP SIGNATURE----- From SeidlS at schneider.com Tue Aug 29 17:42:05 2006 From: SeidlS at schneider.com (SeidlS@schneider.com) Date: Tue Aug 29 17:44:05 2006 Subject: Using subkeys to renew an expiring key In-Reply-To: <44F45D00.7050509@tiscali.it> Message-ID: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: RIPEMD160 > > On 08/29/2006 04:36 PM, SeidlS@schneider.com wrote: > > Your talking about document inbound to my process, encrypted by the other > > organizations. That should work without an issue as you pointed out, but > > what about the outbound process? In that instance we would be encrypting > > the file and sending it to the other organizations to be decrypted... would > > those orgainzations that haven't updated to the new key have problems > > decrypting the file? > This is a rather strange statement. > Other organizations should have their OWN pubkeys to which documents > sent to them are encrypted. > - -- > Good Point. I wasn't thinking of that. So for outbound documents, the only issue that could exist would be verifying our signature if we are signing the document? Or is the signature part of the master key and wouldn't be impacted by adding an additional subkey? -Scott > Q.E.D. > War is Peace > Freedom is Slavery > Ignorance is Strength > > ICQ UIN: 301825501 > OpenPGP key ID: 0x58D14EB3 > Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3 > Check fingerprints before trusting a key! > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.5 (GNU/Linux) > > iD8DBQFE9F0AH+Dh0Dl5XacRA16VAJ9vwgPr/SQc2rMigKqUyxmJKDwOsQCfYN+e > QvYTudheYNA74t8sY9ctY5k= > =wEpX > -----END PGP SIGNATURE----- > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From qed at tiscali.it Tue Aug 29 18:08:48 2006 From: qed at tiscali.it (Qed) Date: Tue Aug 29 18:07:11 2006 Subject: Using subkeys to renew an expiring key In-Reply-To: References: Message-ID: <44F46690.6020207@tiscali.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 On 08/29/2006 05:42 PM, SeidlS@schneider.com wrote: [..snip..] >> This is a rather strange statement. >> Other organizations should have their OWN pubkeys to which documents >> sent to them are encrypted. > Good Point. I wasn't thinking of that. So for outbound documents, the > only issue that could exist would be verifying our signature if we are > signing the document? Right. > Or is the signature part of the master key and > wouldn't be impacted by adding an additional subkey? If signing subkeys are not present you have only to worry about the expiration date on the master key. - -- Q.E.D. War is Peace Freedom is Slavery Ignorance is Strength ICQ UIN: 301825501 OpenPGP key ID: 0x58D14EB3 Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3 Check fingerprints before trusting a key! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQFE9GaQH+Dh0Dl5XacRA4jQAJ9XjRyh4KX3b4QmIJQFZBjlFitgAwCfTdil /i1p2iXIj9yKWKAWOtInxKI= =nI/R -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Tue Aug 29 18:09:23 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Aug 29 18:07:59 2006 Subject: Using subkeys to renew an expiring key In-Reply-To: References: Message-ID: <20060829160923.GC3166@jabberwocky.com> On Mon, Aug 28, 2006 at 03:22:23PM -0500, SeidlS@schneider.com wrote: > > I have been working on a process to encrypt data files and send it to other > organizations for processing. As part of this process, we decided to set > our key to expire every year. Last year we did not act before the key > expired and that same day added an additional subkey that would expire in > September, 2006. We are now trying to be pro-active and work to "renew" > the key and distribute it before it expires. It's not clear what you mean by "set our key to expire every year". Are you expiring your whole key, or just the additional subkey? > I have two questions regarding how to "renew" this key. > 1) Is the correct way to renew the key to add another subkey that expires > in September, 2007, or is there a better way? Your choice. You can extend the expiration of your subkey if you like. If the reason you used a 1-year expiration was to limit the use of the key, then sure, make a new subkey. > 2) If we do add another subkey that expires in September, 2007, how well > will the two subkeys work together? It's going to be difficult to get > everyone to convert to the updated key in the same day, so we won't be able > to revoke the subkey at the same time we generate the new one. Another > way to say this, we may be encrypting a file with the subkey added, while > one or more organization may be using the old key (without the new subkey) > and one or more organizations may be using the new key (with the new > subkey). Will this work correctly?? There is a flaw in this question. Why are you revoking a subkey that will expire? After September, 2006, the older subkey won't work. David From Martin.Taylor at Oxfordshire.gov.uk Tue Aug 29 17:01:38 2006 From: Martin.Taylor at Oxfordshire.gov.uk (Taylor, Martin - Resources - ICT Services) Date: Tue Aug 29 18:55:29 2006 Subject: why cissp says this about PGP/GnuPG? Message-ID: <9920C0EB89D1F94DB1FB7DEEE66D9F5C017D88C6@CENEXCHANGEBE01.oxfordshire.gov.uk> "Robert J. Hansen" wrote: > Philipp G??hring wrote: > > Are there any facts or reasons against CISSP? Are there any > > alternatives? > > Many. Google for "CISSP criticisms" and you'll find a lot of reasons to suspect the CISSP, along with some well-regarded alternatives to it. > > CISSP nominally requires four years of industry experience in computer security before they'll grant a cert, but in reality their definition of "industry experience" is very broad and permissive. I'd much rather judge someone on the basis of the industry experience they used to get their CISSP than I would on the basis of the CISSP itself. > > > My personal opinion is that PGP was designed to protect normal > > confidential data, not to protect spy information. > It is unfortunate that this thread has to some extent turned into an attack on the CISSP qualification. Firstly, the best source for the content of the CISSP exam is the "Official (ISC2) Guide to the CISSP Exam", by Hansch, Berti and Hare, published by Auerbach. The chapter on cryptography says nothing at all about PGP as a product (apart from a mention in the potted history of cryptography included in the chapter), or about any other product, but rather concentrates on the principles of cryptography, and on generic mechanisms. I would agree that Shon Harris' prejudices are being exposed here, and I suggest that CISSP exam candidates who imbibe these prejudices will not be doing themselves a favour. Secondly, and I confess my obvious interest here, I would suggest that at present the CISSP qualification, for all its faults, is the most effective qualification in existence for the information security generalist. I agree that hard industry experience is important, and as with any other qualification, an ability to walk the walk is more important than talking the talk. Martin Taylor CISSP Information Security Manager Oxfordshire County Council UK The information in this e-mail, together with any attachments, is confidential. If you have received this message in error you must not print off, copy, use or disclose the contents. The information may be covered by legal and/or professional privilege. Please delete from your system and inform the sender of the error. As an e-mail can be an informal method of communication, the views expressed may be personal to the sender and should not be taken as necessarily representing the views of the Oxfordshire County Council. As e-mails are transmitted over a public network the Oxfordshire County Council cannot accept any responsibility for the accuracy or completeness of this message. It is your responsibility to carry out all necessary virus checks. You should be aware that all emails received and sent by this Council are subject to the Freedom of Information Act 2000 and therefore may be disclosed to other parties under that Act. www.oxfordshire.gov.uk From simon at ruderich.com Tue Aug 29 23:27:11 2006 From: simon at ruderich.com (Simon Ruderich) Date: Tue Aug 29 23:25:41 2006 Subject: Help! Gnupg can't run in php program In-Reply-To: <44F2D45A.80008@gmail.com> References: <001401c6ca3e$63ae2ca0$b81816da@arrayit.com> <44F26555.7020602@sixdemonbag.org> <44F2D45A.80008@gmail.com> Message-ID: <25A45D45-1A0B-4467-9654-598DE3C87C76@ruderich.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 28.08.2006, at 13:32, Alphax wrote: > Simon Ruderich wrote: > >> >> > > > Enigmail gave me > > gpg: unexpected armor: -----BEGIN PGP SIGNED MESSAGE-----\n > gpg: invalid radix64 character 3A skipped > > gpg: CRC error; 31D9CE - A8932B > gpg: [don't know]: invalid packet (ctb=1d) > > GPGShell validated your sig ok, as did copy/pasting onto the command > line. Something funny going on with Apple Mail? > > -- > Alphax > Death to all fanatics! > Down with categorical imperative! > OpenPGP key: http://tinyurl.com/lvq4g Weird. Don't know what this could be, I sent the mail like I did everytime. Does this happen with this mail too? Simon - ---- > privacy is necessary > using http://gnupg.org > public key id: 0x6115F804EFB33229 http://ruderich.com/ simonruderich.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) iD8DBQFE9LEvYRX4BO+zMikRCuOLAJ9alMUhTrFu/eT7eY9qxop0SNQ/BgCeNGkt ZplDQNNopnB5QkP8hFu6xoI= =Lmow -----END PGP SIGNATURE----- From lhb at array-it.com Wed Aug 30 10:18:33 2006 From: lhb at array-it.com (Haibo Liu) Date: Wed Aug 30 10:25:07 2006 Subject: Help! Gnupg can't run in php program References: <001401c6ca3e$63ae2ca0$b81816da@arrayit.com> <44F2625F.9030608@gmail.com> Message-ID: <00c901c6cc0c$e28d4220$b81816da@arrayit.com> Thanks for you help. I now get a solution from www.zend.com. Try echo system("gpg --help"), then echo system("gpg --list-keys"). If help works but list keys does not, then you might try the following:- 1. Set the following permissions chmod 777 .gnupg chmod 666 trustdb.gpg chmod 604 secring.gpg chmod 604 random_seed chmod 644 pubring.gpg 2. use the --homedir setting with gpg i.e. gpg --list-keys -- homedir /usr/local/home/root/.gnupg ----- Original Message ----- From: "Cameron Metzke" To: "Haibo Liu" Sent: Monday, August 28, 2006 11:26 AM Subject: Re: Help! Gnupg can't run in php program > Make sure you have the right permissions on your ./gnupg folder and > relivent files to allow the user www-data to access them, just an idea :) > Haibo Liu wrote: >> Hello, >> >> Does anybody use GnuPG in PHP program? >> The server is on Debian OP. >> >> I create my key pair in the ./gnupg directory. >> And the command "gpg --help" runs as normal. >> But the command "gpg --list-keys" failed. >> >> What's the problem? >> >> My code is below: >> >> > >> $val_return = -1; >> >> $cmd = "gpg --help"; >> system($cmd, $val_return); >> >> echo "
"; >> echo "cmd: $cmd, return code: $val_return
"; >> >> $cmd = "gpg --homedir ./gnupg --list-keys"; >> system($cmd, $val_return); >> >> echo "
"; >> echo "cmd: $cmd, return code: $val_return
"; >> >> ?> >> >> lhb >> >> _______________________________________________ >> Gnupg-users mailing list >> Gnupg-users@gnupg.org >> http://lists.gnupg.org/mailman/listinfo/gnupg-users >> > From bjorn.mayer at staufen.net Tue Aug 29 23:54:57 2006 From: bjorn.mayer at staufen.net (=?iso-8859-15?Q?Bj=F6rn_Mayer?=) Date: Thu Aug 31 17:11:14 2006 Subject: Problem with gpg --batch --gen-key Message-ID: Hi folks, I am trying to generate a key from within a Java application. Everything seems to go right, but at the beginning, everything stops. I have no idea what could be wrong... Anyone of you guys? C:\>gpg --batch --gen-key Key-Type: DSA Key-Length: 1024 Subkey-Type: ELG-E Subkey-Length: 1024 Name-Real: qwertz Name-Comment: qwertz Name-Email: qwert@qwert.de Expire-Date: 0 Passphrase: password %pubring C:\gpg\pubring.pgp %secring C:\gpg\secring.pgp %commit +++++.+++++.++++++++++..++++++++++++++++++++.+++++++++++++++.+++++++++++++++.+++ ++++++++++++++++++++++..++++++++++++++++++++++++++++++.+++++..+++++............. ............>+++++......................+++++ .++++++++++.++++++++++++++++++++..++++++++++++++++++++.+++++++++++++++.+++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++>+++++..........+++++^^^ Every single hint will be very welcome!!! Bjorn From pg at futureware.at Thu Aug 31 03:20:12 2006 From: pg at futureware.at (Philipp =?iso-8859-1?q?G=FChring?=) Date: Thu Aug 31 17:11:20 2006 Subject: importing preference changes Message-ID: <200608310320.13007.pg@futureware.at> Hi, I imported a DSA-1024-160 testkey into GnuPG, and got the following message: gpg --homedir work/696/ --import work/696/request.key Set preference list to: Cipher: AES256, AES192, AES, CAST5, 3DES Digest: SHA1, SHA256, RIPEMD160 Compression: ZLIB, BZIP2, ZIP, Uncompressed Features: MDC, Keyserver no-modify Really update the preferences? (y/N) I am a bit puzzled that importing a key makes gnupg ask me, whether I want to update my preferences ... I have the feeling that this could be a security risk, if it changed the preferences in an insecure way ... Why doesn?t it show the previous settings, so that I know what it actually changes? Best regards, Philipp G?hring From brian at nixthis.com Thu Aug 31 17:16:45 2006 From: brian at nixthis.com (Brian) Date: Thu Aug 31 17:15:55 2006 Subject: Decrypting Files Automatically In-Reply-To: <6022798.post@talk.nabble.com> References: <5974796.post@talk.nabble.com> <200608260836.k7Q8aIXX023781@vulcan.xs4all.nl> <6022798.post@talk.nabble.com> Message-ID: <44F6FD5D.8000606@nixthis.com> I am using something like this. gpg --passphrase-fd 0 -o "New File" -d "File Name.gpg" Hi Johan, >Thank you for the suggestion. I do not have any space in between passpharse >and pipe sign and my passphrase does not contain any newline/return. >Thank you. >Bharat. > >Johan Wevers wrote: > > >>BharatG wrote: >> >> >> >>>type passphrase | gpg --passphrase-fd 0 --decypt-file "File Name" >>>in my case it looks like: >>>type "C:\SampleProjects\GnuPGDotNet\GnuPG\passphrase.txt" | gpg >>>--passphrase-fd 0 decrypt-files "C:\DocLib\EncryptedFile\Clock1.swf.gpg" >>> >>> >>Peculiarity with windows dealing with pipes. There should not be a space >>between the passphrase and the pipe sign. >> >>BTW, I don't know if the file contains a newline/retrun either, otherwise >>that might also cause problems. >> >>-- >>ir. J.C.A. Wevers // Physics and science fiction site: >>johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html >>PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html >> >>_______________________________________________ >>Gnupg-users mailing list >>Gnupg-users@gnupg.org >>http://lists.gnupg.org/mailman/listinfo/gnupg-users >> >> >> >> > > > From dshaw at jabberwocky.com Thu Aug 31 17:28:55 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Aug 31 17:27:21 2006 Subject: importing preference changes In-Reply-To: <200608310320.13007.pg@futureware.at> References: <200608310320.13007.pg@futureware.at> Message-ID: <20060831152855.GB9452@jabberwocky.com> On Thu, Aug 31, 2006 at 03:20:12AM +0200, Philipp G?hring wrote: > Hi, > > I imported a DSA-1024-160 testkey into GnuPG, and got the following message: > > gpg --homedir work/696/ --import work/696/request.key > Set preference list to: > Cipher: AES256, AES192, AES, CAST5, 3DES > Digest: SHA1, SHA256, RIPEMD160 > Compression: ZLIB, BZIP2, ZIP, Uncompressed > Features: MDC, Keyserver no-modify > Really update the preferences? (y/N) > > I am a bit puzzled that importing a key makes gnupg ask me, whether > I want to update my preferences ... Any time you import a key, GnuPG will check to see if the key is advertising preferences that GnuPG can't fulfil. If you don't update the preferences to match reality, you can receive messages that you won't be able to decrypt. > I have the feeling that this could be a security risk, if it changed the > preferences in an insecure way ... This does not parse. Do you have some reason to believe the preference system is insecure? If so, please state it directly. > Why doesn?t it show the previous settings, so that I know what it actually > changes? It does. Are you piping the GPG output somewhere and missing it? The full message printed would be something like: gpg: WARNING: key XXXXXXXX contains preferences for unavailable gpg: algorithms on these user IDs: gpg: "whatever": preference for cipher algorithm AES gpg: it is strongly suggested that you update your preferences and gpg: re-distribute this key to avoid potential algorithm mismatch problems David From wk at gnupg.org Thu Aug 31 17:45:31 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Aug 31 18:08:36 2006 Subject: [Announce] Libksba 1.0.0 released. Message-ID: <877j0o29k4.fsf@wheatstone.g10code.de> Skipped content of type multipart/signed-------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce