From wk at gnupg.org Wed Nov 1 00:22:22 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Nov 1 00:25:05 2006 Subject: Logo contest closed Message-ID: <873b94t6j5.fsf@wheatstone.g10code.de> Hi, we have received 28 submissions to the logo contest. It is now up to the folks listed as GnuPG authors in AUTHORS to decide. I will mail them later the day. If you are interested in the submissions, please check out http://logo-contest.gnupg.org . Note: If you submitted a logo and your name does not appear in the list, please let me know. I had to fish quite some submissions out of my spam folder so there is a slight chance that one got lost. Salam-Shalom, Werner From wk at gnupg.org Wed Nov 1 11:59:02 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Nov 1 12:01:53 2006 Subject: Logo contest closed In-Reply-To: <873b94t6j5.fsf@wheatstone.g10code.de> (Werner Koch's message of "Wed\, 01 Nov 2006 00\:22\:22 +0100") References: <873b94t6j5.fsf@wheatstone.g10code.de> Message-ID: <8764dzwhzd.fsf@wheatstone.g10code.de> On Wed, 1 Nov 2006 00:22, Werner Koch said: > If you are interested in the submissions, please check out > http://logo-contest.gnupg.org . I have added two more logo which reached me a bit too late due to greylisting. Salam-Shalom, Werner From randy at randyburns.us Wed Nov 1 15:00:24 2006 From: randy at randyburns.us (Randy Burns) Date: Wed Nov 1 16:54:59 2006 Subject: Logo contest closed In-Reply-To: <8764dzwhzd.fsf@wheatstone.g10code.de> Message-ID: <20061101140024.74110.qmail@web50906.mail.yahoo.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 I'm not a contest judge, but if I were a judge, this contest would be over after seeing the Robbie Tingey submission. Win or not, that's a great one. Good job! Randy > On Wed, 1 Nov 2006 00:22, Werner Koch said: > > > If you are interested in the submissions, please check out > > http://logo-contest.gnupg.org . > > I have added two more logo which reached me a bit too late due > to greylisting. > > > Salam-Shalom, > > Werner -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) - GPGshell v3.52 Comment: Public Keys at http://geocities.com/burns98 iQEVAwUBRUioNqnb/pgz4RdHAQj6/Af/cSN3nKKQwDT0LDw++PZXq4pK4opRkipj PY5p6lL7rCvxpRTpv18H9ri47+fhxNLr3grPUbLXaqCtKhFar91SiiQw7FyQkRj3 q2+v0bAIsxURnc15zdzsQvTddJInQkMJYNpnxg4SVntiNQx0SFNkH0yKB3CG332y CiBaiaxxuz31epQfcdqF15DhcJSxc16QnrTGur9sYN0qIgikpgbI76WjEYfqFZov RALr6t7iBEILdHIYMuVFL8bgO4agEcX3moUNlrnTt2ZJO9/K/CMd46WVdy6lIyuw gPyJFVPYNZpXLTwgrDUPHVNkGFrJg/OTeDFVerLfoNb+g4IWRd1zoQ== =sbCl -----END PGP SIGNATURE----- From michael.kallas at web.de Wed Nov 1 18:18:08 2006 From: michael.kallas at web.de (Michael Kallas) Date: Wed Nov 1 18:16:52 2006 Subject: deleting signatures from uids In-Reply-To: <20061031135804.GV31897@localhost.localdomain> References: <20061031135804.GV31897@localhost.localdomain> Message-ID: <4548D6D0.1030707@web.de> Hi, Stijn Hoop schrieb: > On the keyservers, there are therefore lots of signatures on my key > from others that a) are really not useful anymore or b) that I have > never even met (how did those get there!). Fortunately it looks like > I can delete those signatures locally with --edit-key and then using > 'delsig'. However I cannot get the keyservers to accept the new key > without the useless signatures; they only seem to add new ones (as > is evident from the multiple self-signatures now present). This works as designed, as far as I know. Else an attacker might be able to remove signatures from your key. Best wishes Michael -- Nobody can save your freedom but YOU - become a fellow of the FSF Europe! http://www.fsfe.org/en -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 374 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20061101/3572e181/signature.pgp From johanw at vulcan.xs4all.nl Wed Nov 1 19:23:52 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed Nov 1 19:20:29 2006 Subject: deleting signatures from uids In-Reply-To: <20061031135804.GV31897@localhost.localdomain> Message-ID: <200611011823.kA1INq7c008409@vulcan.xs4all.nl> Stijn Hoop wrote: >'delsig'. However I cannot get the keyservers to accept the new key >without the useless signatures; they only seem to add new ones (as >is evident from the multiple self-signatures now present). Yes, keyservers will merge new signatures with the key but wil not delete signatures. Don't try, others have gone that path before and didn't succeed. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From randy at randyburns.us Wed Nov 1 20:03:19 2006 From: randy at randyburns.us (Randy Burns) Date: Wed Nov 1 20:01:51 2006 Subject: deleting signatures from uids In-Reply-To: <20061031135804.GV31897@localhost.localdomain> Message-ID: <20061101190320.28361.qmail@web50901.mail.yahoo.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - --- Stijn Hoop wrote: [snip] > Am I running into a limitation of the public key > server architecture? Yes. Just publish it yourself on a free website. I've done it myself about the simplest way available here: geocities (dot) com / burns98 All the best, Randy -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) - GPGshell v3.52 Comment: Public Keys at http://geocities.com/burns98 iQEVAwUBRUjvmKnb/pgz4RdHAQj5Fwf9E3vhQ93wZ67EynQNIMqa2JPIOUDx1NGd iARVMFQXF4MmyO/Vd3Y6WWKkuGUK3/OtnZjATBOBsv1X0ELemhoCrd+zuxHCmMGS zb/M99unJanGQb8uhE06Qa2fA5COG9InLeYbVDu1WMtHQxScxxA1BDRrMKXT426X f8bRYoVJqmOza/km5w885DBh2w4EW0p23+wuqzDR+elswd7iICFRGHa6LkVXRggX KE/NwNqiI2XaUqg9S0fdkwk0bCT+LyTrIl+9fdfFTaNnSmMn+gN5uP0sf8azaD/y pUnPOf51kFeuR3KLNa7KUI3wTOUu1Tsoljbjq5fhIhl/3rkiol1koA== =jxnQ -----END PGP SIGNATURE----- From smolinski at de.ibm.com Wed Nov 1 21:30:29 2006 From: smolinski at de.ibm.com (Holger Smolinski) Date: Wed Nov 1 21:26:10 2006 Subject: Holger Smolinski/Germany/IBM is on a cource until 10/23 Message-ID: I will be out of the office starting 01.11.2006 and will not return until 02.11.2006. There is a public holiday in Germany, and I will respond when I will have returned. From DuWayne.Mahlen at lacek.com Wed Nov 1 23:09:35 2006 From: DuWayne.Mahlen at lacek.com (DuWayne.Mahlen@lacek.com) Date: Thu Nov 2 00:25:10 2006 Subject: Windows GnuPG implementation for the enterprise Message-ID: Hello all, I was told this is where to announce a new way to implement GnuPG in a Windows environment. As the transmission of PII has been scrutinized, we along with many other groups have had to require the encryption of all data in and out. As more users and novice users join the encryption front, my staff and I had been presented with the almost daunting task of user training and key management, not to mention the potential proprietary solution costs. After an extensive fruitless search, I decided to write a user friendly Windows frontend designed around a specific GnuPG install, integrated with Windows domain groups . I've dubbed it eGPG and released it to the world for free at www.egpg.org. Thank you for your time and my thanks to the GnuPG team. Thanks, DuWayne Mahlen IT Manager The Lacek Group Office: +1-612-596-3550 E-mail: duwayne.mahlen@lacek.com Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email. Please advise immediately if you or your employer does not consent to email or messages of this kind. Opinions, conclusions and other information in this message that do not relate to the official business of the sender's company shall be understood as neither given nor endorsed by it. From rmeden at yahoo.com Thu Nov 2 05:43:19 2006 From: rmeden at yahoo.com (Robert Eden) Date: Thu Nov 2 05:42:05 2006 Subject: Summary: Windows GUI recommendation for USB disk Message-ID: <20061102044319.93842.qmail@web52104.mail.yahoo.com> Thanks to everyone for their suggestions. I was looking for a simple exe-only tool I could put on a USB disk to make it very easy for Windows users to encrypt files with a symmetric key. Quite a few folks suggested GPGshell. It was a good choice, but had one problem... when it encrypts files it follows the GPG pattern of putting the new file in the same location of the old. If I used that, I'd be afraid users would copy the files to the USB drive and encrypt it there. Even if they deleted the file, it would have to be followed by an erase tool, which needs to be installed.... too much trouble. It also did more than symmetric keys, which may confuse my users.. I also learned that 7-zip now supports hard encryption. A *great* idea. We already use 7-zip internally, and that was actually my problem with it. If folk were already used to using 7-zip, I bet they wouldn't bother to check the "encrypt" button. So, I ended up writing my own tool in with wxGlade and WxPerl. I didn't know such a GUI tool existed for Perl! I've been programing perl for years... I did one TK project, and really didn't want to go down that path... wxGlade and wxPerl made it pretty painless, once I learned the tools. I'm sure I'll make use of it again. My tool prompts the user for a pass-phrase (twice), places some simple restrictions on the pass-phrase (10 characters, 3 words), and opens up a dialog box. The user then drags files/directories using explorer to the dialog box, which lists the files and starts gpg to encrypt them. (runs two encryption threads at once). Files are stored in the same directory as the executable. If someone wants a copy let me know and I'll look into releasing it. Robert ----- Original Message ---- From: Robert Eden To: gnupg-users@gnupg.org Sent: Monday, October 23, 2006 2:02:32 PM Subject: Windows GUI recommendation for USB disk I'd like to place a static windows GUI executable on a USB disk to encourage folks to encrypt data while using snail-mail. I don't want windows shell extensions as that would require an installer (WinPT ). I'm thinking just a single EXE that provides a simple GUI and supports symmetric keys... I don't know if GPA does this, I've been having trouble getting it to compile on my cygwin install. (The README talks about a pre-built binary, but it doesn't exist) Any recommendations? Robert _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From qed at tiscali.it Thu Nov 2 13:52:27 2006 From: qed at tiscali.it (Qed) Date: Thu Nov 2 13:50:31 2006 Subject: deleting signatures from uids In-Reply-To: <20061031135804.GV31897@localhost.localdomain> References: <20061031135804.GV31897@localhost.localdomain> Message-ID: <4549EA0B.6050808@tiscali.it> On 10/31/2006 02:58 PM, Stijn Hoop wrote: [..snip..] > In a way I can see why; removing signatures from uids seems like it > should require a passphrase, however it doesn't work that way. I've > also read that it's nearly impossible to remove a key from the > keyservers, however that's also not what I want to do, just update it. > > Am I running into a limitation of the public key server > architecture? If so I guess I'll have to live with the crufty > signatures, but if not, what am I doing wrong? This is not a limitation, it'a a feature :-) and this is also the reason why you should not play with PGP on keyservers, the result will be often another abandoned key. -- Q.E.D. War is Peace Freedom is Slavery Ignorance is Strength ICQ UIN: 301825501 OpenPGP key ID: 0x58D14EB3 Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3 Check fingerprints before trusting a key! From blueness at gmx.net Thu Nov 2 15:27:48 2006 From: blueness at gmx.net (Mica Mijatovic) Date: Thu Nov 2 15:34:04 2006 Subject: Summary: Windows GUI recommendation for USB disk In-Reply-To: <20061102044319.93842.qmail@web52104.mail.yahoo.com> References: <20061102044319.93842.qmail@web52104.mail.yahoo.com> Message-ID: <1262022374.20061102152748@gmx.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA224 Was Wed, 1 Nov 2006, at 20:43:19 -0800 (PST), when Robert Eden wrote: > My tool prompts the user for a pass-phrase (twice), places some > simple restrictions on the pass-phrase (10 characters, 3 words), and > opens up a dialog box. The user then drags files/directories using > explorer to the dialog box, which lists the files and starts gpg to > encrypt them. (runs two encryption threads at once). Files are stored > in the same directory as the executable. > If someone wants a copy let me know and I'll look into releasing it. I'd like to see it and try out, Robert. - -- Mica ~~~ For personal mail please use my address as it is *exactly* given in my "From" field, otherwise it will not reach me. ~~~ GPG keys/docs/software at: http://blueness.port5.com/pgpkeys/ http://tronogi.tripod.com/pgp/pgpkeys/ -----BEGIN PGP SIGNATURE----- iQCZAwUBRUoAYwYWnlFQ1cE7AQvzxAQghqq+1X8Rlpbzqd5++AJSv8T14nIUcBzo q7a4Fj0ivSFxYxGo6/bnKs502RAMf6BAyv70f192Oun93x5K1LsFlka9+txDn5cM i767O/nX31WdCSwhyk7rF+A/QIHv1hfBUmvjXBumbSe83l20Ao2XPY3EADmG1SeU gt5UNOazt6BXAH1t =8e8r -----END PGP SIGNATURE----- From hhhobbit at securemecca.net Thu Nov 2 18:49:20 2006 From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Thu Nov 2 18:47:33 2006 Subject: Logo contest closed In-Reply-To: <0MKq2p-1GfUS318tk-0007LC@mx.perfora.net> References: <0MKq2p-1GfUS318tk-0007LC@mx.perfora.net> Message-ID: <1162489761.17510.52.camel@sirius.brigham.net> On Wed, 2006-11-01 at 06:00 -0800, randy@randyburns wrote: > I'm not a contest judge, but if I were a judge, this contest > would be over after seeing the Robbie Tingey submission. Win or > not, that's a great one. Good job! I am glad you picked so quickly. I am also not a judge and I am glad I am not a judge. That is because I have narrowed it to these with very great difficulty. I still have some concerns with how hard it would be to make T-Shirts or other memorabilia with some of them. Artists also need to know that a reversal of a black <-> white or color shift should be a possibility for a logo on dark media (I really do prefer black t-shirts in the winter - they are warmer). Submission 6: Thomas Wittek: ---------------------------- The first is classic and elegant, and it may even be possible to reverse color it for black t-shirts (hey it gets cold in some parts of the world and I am cold right now). Submission 9: Daniel Huber: --------------------------- By all means the first - classic and elegant, but some concerns about the key colors on t-shirts, etc. Submission 14: Christian Javier ALVAREZ de Toledo: -------------------------------------------------- I think it is possible by making making the black letters and horns white and the white P (key) black, to put it on a dark / black background. I also like the small thumbnails. Submission 18: Tri Seprian Damayanto: ------------------------------------- I especially liked the elegant simplicity of the third sketch of the Gnu. Again, with a black to white reversal, it can go on a dark background. Submission 19: Andrey Alekseev & Sergey Lukyanov: ------------------------------------------------- Drop dead gorgeous but it is copyrighted already! Where is the Gnu Copyright? The reproducibility on pages may not come off as well as what is showing on the page. I think the richness of colors would be impossible on a T-Shirt. It doesn't stop me from liking it. Keep how hard it is do a print of it on various media in mind judges. We aren't working with a Microsoft budget. Submission 29: Arnfinn Sarau: ------------------------------ THE FIRST! But do it with just "Gnu-Privacy-Guard" or with "Gnu-Privacy-Guard OpenPGP compliant" or even omit that altogether if that is okay with Arnfinn. You could also use a lighter blue in the PG on dark backgrounds like black t-shirts. This one is not only easily done in various ways, but the four (that is a dark brown sliver between the light gold / dark gold) color design is easy to work with and looks beautiful. That doesn't mean the others aren't good, but a Logo should be simple, easily put on various media including t-shirts, etc. You have five nanoseconds (what the attention span of humans has been reduced to now) before people don't see it any more. I would like to express thanks to all of the submissions and the work the people did. Thanks for all of the fine efforts! Judges, remember that the logo will exist for a long time, so pick well. I gave what I liked in numerical, not preference order. It is after all the judges preferences that count. I just hope I gave them some helpful pointers. Consider it like the vote of one of audience members in a game contest. You still have to make the final decision. HHH From wk at gnupg.org Thu Nov 2 19:12:30 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Nov 2 19:14:37 2006 Subject: Logo contest closed In-Reply-To: <8764dzwhzd.fsf@wheatstone.g10code.de> (Werner Koch's message of "Wed\, 01 Nov 2006 11\:59\:02 +0100") References: <873b94t6j5.fsf@wheatstone.g10code.de> <8764dzwhzd.fsf@wheatstone.g10code.de> Message-ID: <87r6wlra41.fsf@wheatstone.g10code.de> Hi! I have been reminded of another logo in my spam filters. It was received on Monday; thus in time. It is now at http://logog-contest.gnupg.org/subm-31.html . Shalom-Salam, Werner From jmoore3rd at bellsouth.net Thu Nov 2 20:59:53 2006 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Thu Nov 2 20:58:39 2006 Subject: deleting signatures from uids In-Reply-To: <4549EA0B.6050808@tiscali.it> References: <20061031135804.GV31897@localhost.localdomain> <4549EA0B.6050808@tiscali.it> Message-ID: <454A4E39.7020008@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Qed wrote: > This is not a limitation, it'a a feature :-) and this is also the reason > why you should not play with PGP on keyservers, the result will be often > another abandoned key. Best alternative: Revoke UID and then reload Key to Keyservers. This will then indicate once the 'Gossip Sharing' is complete that the UID is no longer any good. :-/ JOHN ;) Timestamp: Thursday 02 Nov 2006, 14:59 --500 (Eastern Standard Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6-svn4315: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: http://www.gswot.org Comment: My Homepage: http://tinyurl.com/yzhbhx Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCgAGBQJFSk4wAAoJEBCGy9eAtCsP8/gH/A/GSVpVWSz5KTVonbRc5XmT TZxTG1vNp48Vkvbtc9YOq7EZDbc69gT6dhb7/rneNgRRfi99UFHA4/dcmwJg2WCc Bzw4aCCUVBRrKsO7oPM0pvhSWHyqJtYj50JaUJsHo8OBN8Zn7Z6vQofvhc/oRsf7 paKVi6jWNYTJ51hPMxrKcwrS3JCXyZcJAvC/jTybimSs7Dmd5B7QUG+f/BBxfhNS GLKjNDfAwnyeOSxdzLxxO8BLpjFTHng64gZyKfiwrJCsaDJ/BJokM/hUjncCdrCL 1fLgM3yR76spUJYuhabzHBvTaarNVu3xgPbiPAIY2eSCMciIrBDMw/I3qvmn9FQ= =Nszc -----END PGP SIGNATURE----- From pdunbar at boothnewspapers.com Thu Nov 2 20:03:56 2006 From: pdunbar at boothnewspapers.com (Patrick R. Dunbar) Date: Thu Nov 2 20:59:45 2006 Subject: Question about use of --cipher-algo AES & --openpgp when encrypting a document Message-ID: <454A411C.2010204@boothnewspapers.com> I am required to encrypt a document using the --cipher-algo AES switch using gpg on a Solaris 10 system using gpg (GnuPG) 1.2.6. The company that is receiving this file requires that the file be encrypted with the --openpgp switch. I have run --edit-key showpref on the receiving key and it shows that AES is a usable cipher. My question: does the --openpgp switch interfere with the --cipher-algo AES switch? Also is there any way to check if a gpg encrypted file is encrypted using AES? Thanks in advance for any replies. Pat Dunbar From henkdebruijn at wanadoo.nl Thu Nov 2 20:31:49 2006 From: henkdebruijn at wanadoo.nl (Henk M. de Bruijn) Date: Thu Nov 2 21:13:04 2006 Subject: Logo contest closed In-Reply-To: <87r6wlra41.fsf@wheatstone.g10code.de> References: <873b94t6j5.fsf@wheatstone.g10code.de> <8764dzwhzd.fsf@wheatstone.g10code.de> <87r6wlra41.fsf@wheatstone.g10code.de> Message-ID: <671680680.20061102203149@wanadoo.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Thu, 02 Nov 2006 19:12:30 +0100GMT (2-11-2006, 19:12 +0200, where I live), Werner Koch wrote: WK> I have been reminded of another logo in my spam filters. It was WK> received on Monday; thus in time. It is now at WK> http://logog-contest.gnupg.org/subm-31.html . You typed a "g" too much ;-) http://logo-contest.gnupg.org/subm-31.html . - -- Henk ______________________________________________________________________ The Bat! Natural E-Mail System version 3.86.03 ALPHA (beta) Pro on Windows XP SP2 Request-PGP: http://www.biglumber.com/x/web?qs=0x6C9F6CE78C32408B Gossamer Spider Web of Trust http://www.gswot.org A progressive and innovative Web of Trust -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6-svn4315HdB-dynamic-IDEA-Tiger192 (Cygwin/MingW32) iQEVAwUBRUpHnxHuy+60ZN0PAQoRtgf/aB6uOw2XAw2CLp2tIbunL2GcieG/HMcv 9k/vFyPYi/wQcnWSLkqmx78AQjuZi71S6q2bg5J8uWNjXjMfuw8mCOjCqeJ+Wu3v orbMHsTBXb7ifOjzd07hG0mSNIjVw3PiLdwlBNLAngcx9i8CkMHZGmBN2qP8SW7y IrknWS7iYAf0/+Ni0k/kwCYMWTjgksIzNzc//IYNaeH0gxTVMIGUm3+4bP5LG3dU E/VsSZzquYe2FyGinYtrEam0tZBpDfKCiS+9IRBD2qdcTWF3ySicJOf1rkIctas7 FKGQPSlk9aMpbNaBGBqgxEBX58ZgKFPIpFGzxxEiubYc0HFI9DAXIQ== =AtBh -----END PGP SIGNATURE----- From hawke at hawkesnest.net Thu Nov 2 21:39:45 2006 From: hawke at hawkesnest.net (Alex Mauer) Date: Thu Nov 2 21:39:38 2006 Subject: deleting signatures from uids In-Reply-To: <4549EA0B.6050808__33980.4716445089$1162472273$gmane$org@tiscali.it> References: <20061031135804.GV31897@localhost.localdomain> <4549EA0B.6050808__33980.4716445089$1162472273$gmane$org@tiscali.it> Message-ID: Qed wrote: > This is not a limitation, it'a a feature :-) and this is also the reason > why you should not play with PGP on keyservers, the result will be often > another abandoned key. Is there any reason that the keyserver needs to continue to redistribute expired, revoked, or otherwise invalid (e.g. superseded) signatures? I can't think of any. I can kind of see why you might want to show the full history of a key, but does it really need to be distributed out to everyone? If this is a security risk, surely the keyserver options "import-clean-sigs" and "import-clean-uids" are also, are they not? -Alex Mauer "hawke" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 252 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20061102/5ef1b0ca/signature.pgp From me at psmay.com Thu Nov 2 21:52:28 2006 From: me at psmay.com (Peter S. May) Date: Thu Nov 2 21:58:31 2006 Subject: deleting signatures from uids In-Reply-To: References: <20061031135804.GV31897@localhost.localdomain> <4549EA0B.6050808__33980.4716445089$1162472273$gmane$org@tiscali.it> Message-ID: <454A5A8C.8010007@psmay.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alex Mauer wrote: > Is there any reason that the keyserver needs to continue to redistribute > expired, revoked, or otherwise invalid (e.g. superseded) signatures? > > I can't think of any. I would think that it's important for keyservers to widely distribute the revocation certificates of revoked signatures. If the keyservers simply omitted revoked signatures from search results, how would a client know that this uid was revoked? Stripping data that isn't particularly useful is a job better left to the client. Word -- PSM -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFSlp7ei6R+3iF2vwRAm8bAJ0U4sYSBNg16mrkUt225GsKkFwhnACfYq7j 9Xt8sE66OrN4gZpxCmN1LAU= =JYLy -----END PGP SIGNATURE----- From jmoore3rd at bellsouth.net Thu Nov 2 22:24:07 2006 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Thu Nov 2 22:23:05 2006 Subject: Logo contest closed In-Reply-To: <671680680.20061102203149@wanadoo.nl> References: <873b94t6j5.fsf@wheatstone.g10code.de> <8764dzwhzd.fsf@wheatstone.g10code.de> <87r6wlra41.fsf@wheatstone.g10code.de> <671680680.20061102203149@wanadoo.nl> Message-ID: <454A61F7.4050001@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 NOT a Judge...But a very avid, discerning User. Since every submission has been made in .png Format I have save my Favorites. Those individuals using senderface.xpi within their T- Bird installs will be able to see some of my selections based upon the email address they Open the Header on. Now, I would like to make one Comment: this based upon the fact that many submissions were made with Comments about their suitability for T-Shirts and other Printed Media. Worldwide, there are a great many lithography presses using the 5 color method. Please keep in mind that this method of printing is going to be the 'least' expensive for the foreseeable future. Additionally; I, too, would love to have 2 XXL T-Shirts advocating GnuPG. Just provide breast pockets for Mountain Dew & cigs since this is required for future development! ;) I would also prefer the Final Selection be made available in .jpeg format for use on those Sites that will only accept this format for Upload. 'Nuff Said! Curious users may request my Reply direct and I'll do so with my preferred selections displayed in the senderface box. JOHN :-D Timestamp: Thursday 02 Nov 2006, 16:22 --500 (Eastern Standard Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6-svn4315: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: http://www.gswot.org Comment: My Homepage: http://tinyurl.com/yzhbhx Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCgAGBQJFSmH1AAoJEBCGy9eAtCsP/ooH/R5OkXYYq+HuE2Pup3FiMmUa PLASv1/3Mv/vyxTvUltnHPDLFvMGx6KQ028HRD9Ed+2O5Trf9aozlz+r+5sB11r6 YM9OX7bi3t8oM4Spi5Wm1PCF7M6NNp+e+5w2NKic3O3QObtQZzLAXEq0F/yWt5/6 9YFd0VRf8Hm8mZEp1XG0nbUHKJ/Mp7SUMokjBgTVY2N7lrjeRcm0+1qC0iaBi1DD p7asFDLR1oVdOsbxwxX5wdG+Kr3DQjwCnGs0C9a10xf8U8vpXXotpnSCkqdcMDDs +KGyCjLW/YftZCkIL9V8ij3zKxKT31i6H38W7CMZgtoAklnRQSxyWZDYdvbjLmw= =vaGF -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: senderface0_9_4.xpi Type: application/x-xpinstall Size: 17361 bytes Desc: not available Url : /pipermail/attachments/20061102/1735d083/senderface0_9_4-0001.bin From hawke at hawkesnest.net Thu Nov 2 22:46:02 2006 From: hawke at hawkesnest.net (Alex L. Mauer) Date: Thu Nov 2 22:44:56 2006 Subject: deleting signatures from uids In-Reply-To: <454A5A8C.8010007__18987.6263998032$1162501427$gmane$org@psmay.com> References: <20061031135804.GV31897@localhost.localdomain> <4549EA0B.6050808__33980.4716445089$1162472273$gmane$org@tiscali.it> <454A5A8C.8010007__18987.6263998032$1162501427$gmane$org@psmay.com> Message-ID: Peter S. May wrote: > I would think that it's important for keyservers to widely distribute > the revocation certificates of revoked signatures. Agreed. But it's not important to distribute signatures that have been revoked. > If the keyservers > simply omitted revoked signatures from search results, how would a > client know that this uid was revoked? Because the server could, and presumably would, still distribute revocation signatures, but not the signatures they revoke. > Stripping data that isn't > particularly useful is a job better left to the client. I disagree. Downloading the data only to discard it is a waste of time and bandwidth. -Alex Mauer "hawke" -- Bad - You get pulled over for doing 90 in a school zone and you're drunk off your ass again at three in the afternoon. Worse - The cop is drunk too, and he's a mean drunk. FUCK! - A mean drunk that's actually a swarm of semi-sentient flesh-eating beetles. OpenPGP key id: 51192FF2 @ subkeys.pgp.net -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 252 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20061102/2a50601d/signature.pgp From rjh at sixdemonbag.org Thu Nov 2 22:50:47 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu Nov 2 22:49:08 2006 Subject: Question about use of --cipher-algo AES & --openpgp when encrypting a document In-Reply-To: <454A411C.2010204@boothnewspapers.com> References: <454A411C.2010204@boothnewspapers.com> Message-ID: <454A6837.2050806@sixdemonbag.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Patrick R. Dunbar wrote: > My question: does the --openpgp switch interfere with the --cipher-algo > AES switch? No. > Also is there any way to check if a gpg encrypted file is encrypted > using AES? Add "-vvvv" to the command-line and you'll get a ton of useful output. E.g.: rjhansen:~ rjh$ gpg -vvvv foo.gpg gpg: using character set `US-ASCII' :pubkey enc packet: version 3, algo 1, keyid 97B2C95A0569E3E6 data: [2048 bits] gpg: public key is 0569E3E6 gpg: using subkey 0569E3E6 instead of primary key FEAF8109 You need a passphrase to unlock the secret key for user: "Robert J. Hansen" gpg: using subkey 0569E3E6 instead of primary key FEAF8109 2048-bit RSA key, ID 0569E3E6, created 2005-02-22 (main key ID FEAF8109) gpg: public key encrypted data: good DEK :encrypted data packet: length: 311 gpg: encrypted with 2048-bit RSA key, ID 0569E3E6, created 2005-02-22 "Robert J. Hansen" gpg: AES encrypted data :compressed packet: algo=1 :literal data packet: mode b (62), created 1162504119, name="rand.cc", raw data: 472 bytes gpg: original file name='rand.cc' gpg: decryption okay gpg: WARNING: message was not integrity protected ... Looks just fine to me. :) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCgAGBQJFSmg3AAoJELcA9IL+r4EJVTIIAKe+ZznM+mBsj9bDDERZkfaL A38k/nNbRZEBc6H9ZpazbNhWDnqGNMYS3UOc40kQ20O/W/yrGyQ1IDP69pD/F7rG HhQAW9TwG6smsPFthDlrIOEs3E50Fk6Jsc4rH5qtNIVrbGSTFNkSh1VCQ0SlJofW +sv4MgifMr2dRMKGDi6EmwuM5yMpTjcQnbcNLTQotZR2ANnVOct7M/g2LtKqx0nX YtUxcROe5j7t2iqcIZGr9x+5ROrScv80DdRd1lnSy34rXEtHaTMjajZ0Mxm/KwwV 7kmjemNwrc8FJRGYikjiz6405+milMIpYuhOSvwBaRAEmR5QybajhpayZN+kPac= =JSkL -----END PGP SIGNATURE----- From me at psmay.com Thu Nov 2 23:01:12 2006 From: me at psmay.com (Peter S. May) Date: Thu Nov 2 22:59:29 2006 Subject: deleting signatures from uids In-Reply-To: References: <20061031135804.GV31897@localhost.localdomain> <4549EA0B.6050808__33980.4716445089$1162472273$gmane$org@tiscali.it> <454A5A8C.8010007__18987.6263998032$1162501427$gmane$org@psmay.com> Message-ID: <454A6AA8.4030206@psmay.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alex L. Mauer wrote: > Peter S. May wrote: > >> I would think that it's important for keyservers to widely distribute >> the revocation certificates of revoked signatures. > > Agreed. But it's not important to distribute signatures that have been > revoked. > >> If the keyservers >> simply omitted revoked signatures from search results, how would a >> client know that this uid was revoked? > > Because the server could, and presumably would, still distribute > revocation signatures, but not the signatures they revoke. Yeah. Posted before thinking. The revocations are still good without the uids themselves. >> Stripping data that isn't >> particularly useful is a job better left to the client. > > I disagree. Downloading the data only to discard it is a waste of time > and bandwidth. Again, such is true for the uids themselves. But revocations for uids that the client doesn't have might or might not be considered superfluous. Perhaps we find a revocation for a uid we don't have yet on one keyserver and discard it, then find that uid still available on another keyserver, not yet revoked. I have no idea how that's handled. None whatsoever. Tired PSM -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFSmqlei6R+3iF2vwRAtt2AJ4xPW0IB+O8upVxTfh9wpYdV9oylgCeMi5/ XsJKh/f//z5rOafDA4DGZqw= =WlmY -----END PGP SIGNATURE----- From jmoore3rd at bellsouth.net Thu Nov 2 23:13:16 2006 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Thu Nov 2 23:11:49 2006 Subject: deleting signatures from uids In-Reply-To: <454A6AA8.4030206@psmay.com> References: <20061031135804.GV31897@localhost.localdomain> <4549EA0B.6050808__33980.4716445089$1162472273$gmane$org@tiscali.it> <454A5A8C.8010007__18987.6263998032$1162501427$gmane$org@psmay.com> <454A6AA8.4030206@psmay.com> Message-ID: <454A6D7C.9010308@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Peter S. May wrote: > Again, such is true for the uids themselves. But revocations for uids > that the client doesn't have might or might not be considered > superfluous. Perhaps we find a revocation for a uid we don't have yet > on one keyserver and discard it, then find that uid still available on > another keyserver, not yet revoked. I have no idea how that's handled. > None whatsoever. OK...More Interesting still. I Revoke a UID and provide a 'Reason' (which GnuPG allows) My Reason: Changed ISP (in my Case the Truth; joimail.com to bellsouth.net) Now I Upload to the Keyservers; what happens to the Signatures on my former UID? I still do not know. Based upon what what I have read/been told....no worries. I signed both New UIDs. And most of the Sigs were on my Generic UID. Therefore > Trust should follow with the signing of the new UID by a Good sig from the Generic UID. I kinda feel that this is where the GSWoT Sig on my New email address counts for something. JOHN ;) Timestamp: Thursday 02 Nov 2006, 17:13 --500 (Eastern Standard Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6-svn4315: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: http://www.gswot.org Comment: My Homepage: http://tinyurl.com/yzhbhx Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCgAGBQJFSm17AAoJEBCGy9eAtCsPIl4H/2e3xhYqecy8aOBTQ8xoA+PV hQzA59uXpj6vJDNch2rZbVqlXcBMAU4M4ZbcXrxcfF43ZrHqMkqp+V5ZGEnHLe7U aUFzgE1ozMgR9C69FsuO92RY5/Ii77CKKxxgK/znEstdH8AwcFK8w4Vg0ikznvsy ZRWkP+Hj/NICyDvK2Yb9Iv6YgQeOIpf90OdsJrCiWRMdRmNUjbLSYz0RZgf2GqYj HNOcKD2s96pBW1HIPDVYepLAqoaMACUe2QBrZfU0ZD0QbvTJmd35wpHIDUqFCsUX Wh2gjMFNUBr0/6DTf7AaZJKM829sVYG5nnpt5ch7OJg0lBYhwob8oY4uZBV88+g= =UHbV -----END PGP SIGNATURE----- From hhhobbit at securemecca.net Thu Nov 2 23:56:49 2006 From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Thu Nov 2 23:55:03 2006 Subject: Gnupg-users Digest, Vol 38, Issue 2 In-Reply-To: <0MKpmJ-1Gfk5500cq-0006bf@mx.perfora.net> References: <0MKpmJ-1Gfk5500cq-0006bf@mx.perfora.net> Message-ID: <1162508209.20169.26.camel@sirius.brigham.net> On Thu, 2006-11-02 at 19:12 +0100, Werner Koch wrote: > I have been reminded of another logo in my spam filters. It was > received on Monday; thus in time. It is now at > http://logog-contest.gnupg.org/subm-31.html . I think you meant (provided for those who use only the mouse: http://logo-contest.gnupg.org/subm-31.html HHH From hhhobbit at securemecca.net Thu Nov 2 23:58:25 2006 From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Thu Nov 2 23:56:29 2006 Subject: Summary: Windows GUI recommendation for USB disk Message-ID: <1162508305.20169.28.camel@sirius.brigham.net> Robert Eden wrote: > Thanks to everyone for their suggestions. > > I was looking for a simple exe-only tool I could put on a USB > disk to make it very easy for Windows users to encrypt files > with a symmetric key. > > Quite a few folks suggested GPGshell. It was a good choice, but > had one problem... when it encrypts files it follows the GPG > pattern of putting the new file in the same location of the old. > If I used that, I'd be afraid users would copy the files to the > USB drive and encrypt it there. Even if they deleted the file, > it would have to be followed by an erase tool, which needs to be > installed.... too much trouble. It also did more than symmetric > keys, which may confuse my users.. > > I also learned that 7-zip now supports hard encryption. A > *great* idea. We already use 7-zip internally, and that was > actually my problem with it. If folk were already used to using > 7-zip, I bet they wouldn't bother to check the "encrypt" button. > > So, I ended up writing my own tool in with wxGlade and WxPerl. > I didn't know such a GUI tool existed for Perl! I've been > programing perl for years... I did one TK project, and really > didn't want to go down that path... wxGlade and wxPerl made it > pretty painless, once I learned the tools. I'm sure I'll make > use of it again. > > My tool prompts the user for a pass-phrase (twice), places some > simple restrictions on the pass-phrase (10 characters, 3 words), > and opens up a dialog box. The user then drags directories / > files using explorer to the dialog box, which lists the files > and starts gpg to encrypt them. (runs two encryption threads at > once). Files are stored in the same directory as the executable. > > If someone wants a copy let me know and I'll look into releasing > it. I will take more than the copy. Do you have any more pointers on wxGlade and wxPerl? I have some projects that aren't even affiliated with encryption that would be very useful to have. Send any pointers on wxPerl to me off-group. If you want to support it over 2-3 years (or longer), by all means release it! 7-zip, like most zip programs encryption doesn't even come close to the level of protection that you are getting with GnuPG. Even if you are using the lowest level cipher GnuPG provides, it is a quantum leap over the zip programs enciphering. Quoting from the man page for zip (roughly comparable to 7-zip and probably uses the exact same code for enciphering): (And where security is truly important, use strong encryption such as Pretty Good Privacy instead of the relatively weak encryption provided by standard zipfile utilities.) I think this would be a VERY useful tool to have. Your first alteration may be the choice of cipher to use and perhaps a settable default cipher. Most people don't set their default cipher in gpg.conf. HHH From hhhobbit at securemecca.net Fri Nov 3 01:10:11 2006 From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Fri Nov 3 01:08:41 2006 Subject: Question abut use of --cipher-algo AES & --openpgp In-Reply-To: <0MKpmJ-1Gfk5500cq-0006bf@mx.perfora.net> References: <0MKpmJ-1Gfk5500cq-0006bf@mx.perfora.net> Message-ID: <1162512611.20169.79.camel@sirius.brigham.net> On Thu, 2006-11-02 at 16:26 -0500, Patrick R. Dunbar wrote: > I am required to encrypt a document using the --cipher-algo AES switch > using gpg on a Solaris 10 system using gpg (GnuPG) 1.2.6. > The company that is receiving this file requires that the file be > encrypted with the --openpgp switch. > I have run --edit-key showpref on the receiving key and it shows that > AES is a usable cipher. > > My question: does the --openpgp switch interfere with the --cipher-algo > AES switch? > Also is there any way to check if a gpg encrypted file is encrypted > using AES? > > Thanks in advance for any replies. The --openpgp should not cause any problems for you. For all of the following, I used the exact same file to encrypt and the same password and only changed the encipher program. I give the first six bytes of each file for each cipher method: 3DES: 8C 0D 04 02 03 02 CAST5: 8C 0D 04 03 03 02 BLOWFISH: 8C 0D 04 04 03 02 AES: 8C 0D 04 07 03 02 AES192: 8C 0D 04 08 03 02 AES256: 8C 0D 04 09 03 02 TWOFISH: 8C 0D 04 0A 03 02 It looks like byte four is your key, and 0x07 is what indicates an AES enciphered file. But if you are using AES192 it would be 0x08, and AES256 would be 0x09. Tell me if I got it wrong people! The reason why is rather than the "file" program saying "data", it could tell from the first three bytes that the file is an OpenPGP (only GnuPG?) file with a symmetric cipher (the 03 02 in bytes 5-6?), and the fourth byte can tell us which cipher it is. I ordered them in ascending order NUMERICALLY, not in choice of cipher, but they are roughly in order for that as well (with TWOFISH some where in among those AES ciphers, not necessarily better than any of them). Does that do it for you? I could send you the program to do it, but it would have to be compiled on Solaris 8 which is all I have available to me. This really does need to be integrated into all of the vendors "file" program on all of the nixes. I wouldn't worry too much about AES. Both PGP and GnuPG and a lot of other programs will handle it if that is REALLY what you are asking. I think it is what you are asking. I decided to turn on the fire hose 8^). Hey, you asked for it and "file" didn't provide it! I would use C, but you could use PERL and do it yourself. HHH From hhhobbit at securemecca.net Fri Nov 3 04:15:44 2006 From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Fri Nov 3 04:14:05 2006 Subject: Question abut use of --cipher-algo AES & --openpgp In-Reply-To: <1162512611.20169.79.camel@sirius.brigham.net> References: <0MKpmJ-1Gfk5500cq-0006bf@mx.perfora.net> <1162512611.20169.79.camel@sirius.brigham.net> Message-ID: <1162523744.20169.113.camel@sirius.brigham.net> On Thu, 2006-11-02 at 17:10 -0700, Henry Hertz Hobbit wrote: > On Thu, 2006-11-02 at 16:26 -0500, Patrick R. Dunbar > wrote: > > > > I am required to encrypt a document using the --cipher-algo AES switch > > using gpg on a Solaris 10 system using gpg (GnuPG) 1.2.6. > > The company that is receiving this file requires that the file be > > encrypted with the --openpgp switch. > > I have run --edit-key showpref on the receiving key and it shows that > > AES is a usable cipher. > > > > My question: does the --openpgp switch interfere with the --cipher-algo > > AES switch? > > Also is there any way to check if a gpg encrypted file is encrypted > > using AES? > > > > Thanks in advance for any replies. > > The --openpgp should not cause any problems for you. And here is the program to check for the file type. It is ARDENTLY hoped that the "file" programmers get all of it squared away (I may have something wrong) so this program can disappear. /*********************************************************************** \ * * File: cfile.c * Date: Thu Nov 2 18:50:53 MST 2006 * Author: Henry Hertz Hobbit * Contact: hhhobbit at securemecca.com * * This program checks whether a file is an OpenPGP (GnuPG only?) * file that was encrypted with a symmetric cipher, and shows * what cipher was used to encrypt it. * * If somebody can show me how I am wrong in the header or in any * of the byte values for the encryption, please steer me in the * appropriate way. Here was what I found: * * 3DES: 8C 0D 04 02 03 02 * CAST5: 8C 0D 04 03 03 02 * BLOWFISH: 8C 0D 04 04 03 02 * AES: 8C 0D 04 07 03 02 * AES192: 8C 0D 04 08 03 02 * AES256: 8C 0D 04 09 03 02 * TWOFISH: 8C 0D 04 0A 03 02 * * * It is Gnu licensed and it is HOPED that the various versions * of the file program will incorporate this information into * them so that this program will no longer exist. * \***********************************************************************/ #include #include #include #include #include #include #define MESSAGE_STRING 256 #define INBLOCK_SIZE 16 #define KNOWN_CIPHERS 12 #define FILENAME argv char message[MESSAGE_STRING]; unsigned char inBlock[INBLOCK_SIZE]; char cipherName[KNOWN_CIPHERS][12] = { " unknown\n", " unknown\n", " 3DES\n", " CAST5\n", " BLOWFISH\n", " unknown\n", " unknown\n", " AES\n", " AES192\n", " AES256\n", " TWOFISH\n", " unknown\n" }; unsigned char preamble[4] = { 0x8c, 0x0d, 0x04, 0x00 }; unsigned char lastTwo[4] = { 0x03, 0x02, 0x00, 0x00 }; int main(int argc, char *argv[]) { int flp; int inFd; int bytesRead; unsigned char *lastTwoPtr; unsigned char *cipherTypePtr; unsigned char tmp; int cipherType; if (argc < 2) { puts("usage: cfile [file_spec ..]"); exit(0); } lastTwoPtr = (inBlock + 4); cipherTypePtr = (inBlock + 3); for (flp = 1; flp < argc; flp++) { if ((inFd = open(FILENAME[flp], O_RDONLY)) == -1) { fprintf(stderr, "could not open file %s...skipping\n", FILENAME[flp]); continue; } bytesRead = read(inFd, inBlock, (size_t)INBLOCK_SIZE); close(inFd); strncpy(message, FILENAME[flp], MESSAGE_STRING); if (bytesRead < 6) { if (bytesRead > 0) { strncat(message,": data\n", MESSAGE_STRING); } else { strncat(message, ": empty file\n", MESSAGE_STRING); } } else { if ((memcmp(inBlock, preamble, (size_t)3) == 0) && (memcmp(lastTwoPtr, lastTwo, (size_t)2) == 0)) { strncat(message, ": OpenPGP symmetric cipher = ",MESSAGE_STRING); tmp = *cipherTypePtr; cipherType = (int)tmp; if (cipherType < KNOWN_CIPHERS) { strncat(message, cipherName[cipherType], MESSAGE_STRING); } else { strncat(message, cipherName[0], MESSAGE_STRING); } } else /* not an OpenPGP symmetric cipher file */ { strncat(message, ": (unknown - use file command)\n", MESSAGE_STRING); } } fputs(message, stdout); } /* end of file loop */ exit(0); } If anybody that has PGP or any other symmetric cipher program could do the following, I would appreciate it. 1. Create a folder named PGP_SymCiphers 2. Create a file named test.txt with the following line in it: password = simple (or pick your own) Encrypted with = { YOUR Encryption Program Name } 3. backup the file if necessary to baktest.txt 4. Repeatedly encrypt test.txt with every cipher, but change the extension to the cipher name, e.g. test.3des for the 3DES encrypted file. 5. zip the folder and send it to me. I could care less what a RFC page says - THEY FREQUENTLY LIE! The acid test is what is actually in the file. HHH From me at psmay.com Fri Nov 3 04:56:53 2006 From: me at psmay.com (Peter S. May) Date: Fri Nov 3 04:59:58 2006 Subject: Question about use of --cipher-algo AES & --openpgp when encrypting a document In-Reply-To: <454A411C.2010204@boothnewspapers.com> References: <454A411C.2010204@boothnewspapers.com> Message-ID: <454ABE05.9070803@psmay.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Patrick R. Dunbar wrote: > Also is there any way to check if a gpg encrypted file is encrypted > using AES? Henry had some interesting answers, and his program does work for many cases, but it's slightly ad-hoc and there are many valid possibilities it might not work for. You really need a program that knows how to read the whole format. Last I checked, gpg does this nicely. ;-) Try: gpg --list-packets --list-only enc.gpg - --list-packets describes what's in the file. --list-only prevents it trying to decrypt just to look at what's inside; you don't need to decrypt to find out the cipher algo. Here's what the output looked like for something encrypted with CAST5: :symkey enc packet: version 4, cipher 3, s2k 3, hash 2 salt aa0896216033e71c, count 96 gpg: CAST5 encrypted data :encrypted data packet: length: unknown gpg: encrypted with 1 passphrase And with TWOFISH: :symkey enc packet: version 4, cipher 10, s2k 3, hash 2 salt 24fa7e952bcca00e, count 96 gpg: TWOFISH encrypted data :encrypted data packet: length: unknown mdc_method: 2 gpg: encrypted with 1 passphrase And with AES: :symkey enc packet: version 4, cipher 7, s2k 3, hash 2 salt 9182cb227dcb6d3b, count 96 gpg: AES encrypted data :encrypted data packet: length: unknown mdc_method: 2 gpg: encrypted with 1 passphrase The numbers after "cipher" (3 for CAST5, 10 for TWOFISH, 7 for AES-128) correspond to whatever the most current variant of RFC 2440 is (bis 18, http://www.ietf.org/internet-drafts/draft-ietf-openpgp-rfc2440bis-18.txt , is set to expire on the 11th of this month), or, more specifically, GPG's interpretation thereof. Hope that helps PSM -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFSr4Dei6R+3iF2vwRAsF9AKCTyz6rD1cjVTIr3XtWq8Q2xxOMzACgmQ9S KlcsACLpBh6HdfcNPYlhelY= =EB4R -----END PGP SIGNATURE----- From psmay at halfgeek.org Thu Nov 2 21:23:50 2006 From: psmay at halfgeek.org (Peter S. May) Date: Fri Nov 3 11:07:50 2006 Subject: libgcrypt: I think I found a mistake in doc/gcrypt.info Message-ID: <454A53D6.4080007@halfgeek.org> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20061102/ac77428e/signature.pgp From malayter at gmail.com Fri Nov 3 15:53:21 2006 From: malayter at gmail.com (Ryan Malayter) Date: Fri Nov 3 16:17:52 2006 Subject: Summary: Windows GUI recommendation for USB disk In-Reply-To: <1162508305.20169.28.camel@sirius.brigham.net> References: <1162508305.20169.28.camel@sirius.brigham.net> Message-ID: <5d7f07420611030653y1c7ec612n9ef98888b300641d@mail.gmail.com> On 11/2/06, Henry Hertz Hobbit wrote: > 7-zip, like most zip programs encryption doesn't even come close > to the level of protection that you are getting with GnuPG. Even > if you are using the lowest level cipher GnuPG provides, it is a > quantum leap over the zip programs enciphering. Quoting from > the man page for zip (roughly comparable to 7-zip and probably > uses the exact same code for enciphering): > > (And where security is truly important, use strong > encryption such as Pretty Good Privacy instead of the > relatively weak encryption provided by standard zipfile > utilities.) > When encrypting to a *.7z file, 7-zip uses AES-256 in CBC mode, with a passphrase-to-key function based on SHA-256. This is actually stronger than most cipher preferences on OpenPGP keys. It is not the same as the weak "winZip"-derived encryption. Of course, these files can only be read by 7-zip, but it is free and open source. (It also compresses a lot better than standard ZIP's DEFLATE algoritm, if more slowly). -- RPM ========================= All problems can be solved by diplomacy, but violence and treachery are equally effective, and more fun. -Anonymous From wk at gnupg.org Fri Nov 3 16:29:18 2006 From: wk at gnupg.org (Werner Koch) Date: Fri Nov 3 16:31:54 2006 Subject: libgcrypt: I think I found a mistake in doc/gcrypt.info In-Reply-To: <454A53D6.4080007@halfgeek.org> (Peter S. May's message of "Thu\, 02 Nov 2006 15\:23\:50 -0500") References: <454A53D6.4080007@halfgeek.org> Message-ID: <87bqnok0q9.fsf@wheatstone.g10code.de> On Thu, 2 Nov 2006 21:23, Peter S. May said: > I think I spotted a little error in libgcrypt's doc/gcrypt.info. Context > diff from 1.2.3 attached. Thanks. Salam-Shalom, Werner From rjh at sixdemonbag.org Fri Nov 3 16:40:21 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri Nov 3 16:38:20 2006 Subject: Summary: Windows GUI recommendation for USB disk In-Reply-To: <5d7f07420611030653y1c7ec612n9ef98888b300641d@mail.gmail.com> References: <1162508305.20169.28.camel@sirius.brigham.net> <5d7f07420611030653y1c7ec612n9ef98888b300641d@mail.gmail.com> Message-ID: <454B62E5.10101@sixdemonbag.org> Ryan Malayter wrote: > When encrypting to a *.7z file, 7-zip uses AES-256 in CBC mode, with > a passphrase-to-key function based on SHA-256. This is actually > stronger than most cipher preferences on OpenPGP keys. This may be just my own personal quirk, but it seems misleading to me to describe AES256 as "stronger" than, say, AES128. The threshold just to break AES128 is so immense that it may as well be a brick wall; describing AES256 as "stronger" just means the brick wall is, well, still a brick wall. Once you reach a certain threshold point as far as resistance to brute-force attacks, to really make something "stronger" requires introducing resistance to other kinds of attacks. E.g., I'd say that an 3DES hardware token guarded by a fireteam of armed Marines is far stronger than an AES256 key stored on a PC running unpatched Windows 95 on an always-on unfirewalled Internet connection, despite the fact the AES256 key has about 144 bits more keyspace. Let's just describe 7zip as using strong crypto, and leave it at that. :) From dave.smith at st.com Fri Nov 3 17:07:34 2006 From: dave.smith at st.com (David SMITH) Date: Fri Nov 3 17:05:59 2006 Subject: Summary: Windows GUI recommendation for USB disk In-Reply-To: <454B62E5.10101@sixdemonbag.org> References: <1162508305.20169.28.camel@sirius.brigham.net> <5d7f07420611030653y1c7ec612n9ef98888b300641d@mail.gmail.com> <454B62E5.10101@sixdemonbag.org> Message-ID: <20061103160734.GC12355@bristol.st.com> On Fri, Nov 03, 2006 at 09:40:21AM -0600, Robert J. Hansen wrote: > The threshold just to > break AES128 is so immense that it may as well be a brick wall; ...at the moment. One Xbox360 runs more FLOPS than the world's fastest supercomputer of little more than a decade ago (a fact that I still find incredible). Of course, encryption is more about integer performance than FLOPS, but I suspect that integer performance has scaled in the same orders of magnitude. -- David Smith | Tel: +44 (0)1454 462380 Home: +44 (0)1454 616963 STMicroelectronics | Fax: +44 (0)1454 462305 Mobile: +44 (0)7932 642724 1000 Aztec West | TINA: 065 2380 GPG Key: 0xF13192F2 Almondsbury | Work Email: Dave.Smith@st.com BRISTOL, BS32 4SQ | Home Email: David.Smith@ds-electronics.co.uk From rjh at sixdemonbag.org Fri Nov 3 17:39:54 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri Nov 3 17:37:54 2006 Subject: Summary: Windows GUI recommendation for USB disk In-Reply-To: <20061103160734.GC12355@bristol.st.com> References: <1162508305.20169.28.camel@sirius.brigham.net> <5d7f07420611030653y1c7ec612n9ef98888b300641d@mail.gmail.com> <454B62E5.10101@sixdemonbag.org> <20061103160734.GC12355@bristol.st.com> Message-ID: <454B70DA.1040103@sixdemonbag.org> David SMITH wrote: > ...at the moment. Welcome to the Second Law of Thermodynamics! Enjoy your stay. By the Second Law, every time a bit of information is erased you have to pay the entropy tax of (kT * ln 2) J. Let's assume that for each key you try, you have to erase 1000 bits of information--this is wildly optimistic, given how complex key schedules usually are, but it'll make for nice numbers. On average you'll have to brute-force 2**127 keys before you find the proper 128-bit AES key. 1000 = 10**3 2**127 approx. eq. 10**38 10**41 * (3 * 10**-21) = 3 * 10**20 J A one-megaton nuclear weapon liberates approximately 10**15 J of energy. 3 * 10**20 J divided by 10**15 J = 300,000 megatons By comparison, the 1863 Krakatoa explosion liberated about 21,000 megatons. If you're interested, we can also do a quantum-mechanical analysis of the minimum time required to do this computation. It gets equally silly. http://en.wikipedia.org/wiki/Rolf_Landauer http://en.wikipedia.org/wiki/Margolus-Levitin_theorem ... It's true that quantum computers and reversible computing will both reduce this number considerably. However, if you're going to talk about science fiction--which is what large-scale quantum and reversible computing is nowadays--then why not go whole-hog and posit the existence of a psychic who's 100% effective in predicting keys? From blueness at gmx.net Fri Nov 3 18:38:23 2006 From: blueness at gmx.net (Mica Mijatovic) Date: Fri Nov 3 20:59:22 2006 Subject: Logo contest closed In-Reply-To: <87r6wlra41.fsf@wheatstone.g10code.de> References: <873b94t6j5.fsf@wheatstone.g10code.de> <8764dzwhzd.fsf@wheatstone.g10code.de> <87r6wlra41.fsf@wheatstone.g10code.de> Message-ID: <1734938651.20061103183823@gmx.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA224 Was Thu, 02 Nov 2006, at 19:12:30 +0100, when Werner Koch wrote: > Hi! > I have been reminded of another logo in my spam filters. It was > received on Monday; thus in time. It is now at > http://logog-contest.gnupg.org/subm-31.html . This one attracted my attention most. A bit pity, btw, that names of authors were revealed (both to the public and the "jury") before the final selection is made. - -- Mica ~~~ For personal mail please use my address as it is *exactly* given in my "From" field, otherwise it will not reach me. ~~~ GPG keys/docs/software at: http://blueness.port5.com/pgpkeys/ http://tronogi.tripod.com/pgp/pgpkeys/ Yes, this kid is a bit slow, but with respect to what the party it was, I am happy that he doesn't bark. -----BEGIN PGP SIGNATURE----- iQCZAwUBRUt+jgYWnlFQ1cE7AQvhCgQgyKAaKztbZpiynTRCRl0tv8AL71MgAqlD skh6M9IycxTgyB2P9tAVLPinR0kWSnkHbfTaKqozS33VnG9GN4/GYZ2uKPJTmPA5 23TP7qLbfLjO+BxYXd4RvGt88g4lqJefxnt6lohXGkHzkculZtnaL1GY4jmNjWhu rcX8j7grsLFp1yAP =6+Kq -----END PGP SIGNATURE----- From hhhobbit at securemecca.net Sat Nov 4 00:47:25 2006 From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Sat Nov 4 00:45:52 2006 Subject: Summary: Windows GUI recommendation for USB disk In-Reply-To: <454B62E5.10101@sixdemonbag.org> References: <1162508305.20169.28.camel@sirius.brigham.net> <5d7f07420611030653y1c7ec612n9ef98888b300641d@mail.gmail.com> <454B62E5.10101@sixdemonbag.org> Message-ID: <1162597646.5017.135.camel@sirius.brigham.net> On Fri, 2006-11-03 at 09:40 -0600, Robert J. Hansen wrote: > Ryan Malayter wrote: > > When encrypting to a *.7z file, 7-zip uses AES-256 in CBC mode, with > > a passphrase-to-key function based on SHA-256. This is actually > > stronger than most cipher preferences on OpenPGP keys. > > This may be just my own personal quirk, but it seems misleading to me to > describe AES256 as "stronger" than, say, AES128. The threshold just to > break AES128 is so immense that it may as well be a brick wall; > describing AES256 as "stronger" just means the brick wall is, well, > still a brick wall. Once you reach a certain threshold point as far as > resistance to brute-force attacks, to really make something "stronger" > requires introducing resistance to other kinds of attacks. > > E.g., I'd say that an 3DES hardware token guarded by a fireteam of armed > Marines is far stronger than an AES256 key stored on a PC running > unpatched Windows 95 on an always-on unfirewalled Internet connection, > despite the fact the AES256 key has about 144 bits more keyspace. > > Let's just describe 7zip as using strong crypto, and leave it at that. :) I already told Ryan that WinZip also has both AES128 and AES256. I did a download of it yesterday and found that out for sure. I also asked Ryan to do a test to find if WinZip <-> 7-Zip can share their AES encrypted files. You are absolutely correct in saying that they are both brick walls. The weakness is not in the algorithm or even the number of bits you use. I primarily use TWOFISH, but it is still that brick wall. It just has different colored bricks. The weakness is normally in the pass-phrase (password). Trying as hard as I can, I have had nothing but grief in trying to train people in how to create them and have finally understood it is going to be "pencil", no matter what for some people. That is the limit of their memory and imagination. Well, even the smart ones will resort to using "joshua" (case-insensitive of course). Go look at War-Games if you don't know where the pass-phrases came from. I gave Ryan the humorous example of a fellow student who locked their terminal at school while they went to the restroom. I told him I could hack through his screen password. I did, and changed it to another one. I had noticed him looking at the pictures of nature on the wall and fixating on a green frog. I hacked in with only about four attempts, then locked it again with a pass-phrase indicating the hack. The strongest encryption in the world is useless without a GOOD password or pass-phrase. It may be useless even then with a keyboard logger. Kevin Mitnick didn't exploit weaknesses in systems so much as exploiting the weaknesses in people. This all kind of begs the question though. I can't even get the files to another security researcher (Mike Burgess) because the Symantec AV scanner on Comcast's SMTP server barfs on a PLAIN zipped file right now. It attaches my message (with the ZIP attachment) to a message saying it can't scan the zip file. It will ALWAYS do that if I encrypt the zip file (whether I use the salt-cipher or AES) that I zip. But I can attach a normal zipped file and use GnuPG (OpenPGP) encryption and it sails right on through. I can see my zip attachments that are bounced in both Thunderbird and Evolution, but Mike can't see them in Outlook (any pointers Outlook people?). If the message doesn't make it the other side and that is what you wanted to do in the first place the encryption is useless. Systems depend on EACH AND EVERY ELEMENT that go into their creation. Passwords and pass-phrases are what I will attack every time, not the brute force of something even as lowly as CAST5 or 3DES. I GUARANTEE that unless people are trained in how to create novel passwords and pass-phrases AND *DO* IT, I WILL probably be successful. And I only have a normal IQ. Don't go up against the geniuses like Mitnick, Schneier and Werner and others. They will beat you every time. HHH From wk at gnupg.org Sun Nov 5 13:13:20 2006 From: wk at gnupg.org (Werner Koch) Date: Sun Nov 5 13:17:08 2006 Subject: Logo contest closed In-Reply-To: <1734938651.20061103183823@gmx.net> (Mica Mijatovic's message of "Fri\, 3 Nov 2006 18\:38\:23 +0100") References: <873b94t6j5.fsf@wheatstone.g10code.de> <8764dzwhzd.fsf@wheatstone.g10code.de> <87r6wlra41.fsf@wheatstone.g10code.de> <1734938651.20061103183823@gmx.net> Message-ID: <87bqnm8527.fsf@wheatstone.g10code.de> On Fri, 3 Nov 2006 18:38, Mica Mijatovic said: > A bit pity, btw, that names of authors were revealed (both to the public > and the "jury") before the final selection is made. I thought about this but cleaning the submissions from the names would have been a lot of work. I sincerely hope all will vote on the content and not on the repudiation of the author. Shalom-Salam, Werner From maccrest at gmail.com Sun Nov 5 11:52:34 2006 From: maccrest at gmail.com (Crest da Zoltral) Date: Sun Nov 5 13:54:56 2006 Subject: How to enable a block cipher or hash algorithm for a keypair? Message-ID: <454DC272.7060606@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 I searched any documentation i found on the net about how to edit keys, but I didn't found a way to enable a different cipher or digest? With `gpg --edit-key $key_id showpref` it's only possible to view the preferences and `gpg --edit-key $key_id pref` seems only to print the prefs in shorter harder to read form. So how can I enable Twofish and SHA-512 (without overriding the preferences with --cipher-algo and - --digest-algo)? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) iQIVAwUBRU3CXP950yjRhRAFAQp7jA/+PYr2n3HLdDt35aElObrEiHayO6DdtD18 apjmFl/B+iKEitVzxCN3j3rHuBx7GoXABu8JvYnfwnvNecdJRtK5qGPmmUF57UAN JOCA6/a1W+0PdIdNqVjCTTErWecJziRe+94wJtdfIGjHj42+4j4J5TGZNBSsOcbe xMNUwHyuQVMb2PogBnVd3hKxIYB2ES/v78grgxGRb31y1Xh/257kSy4RDdss/0Re sRvMpsxKyupunwR+6ZSTWyIBX017mU0EW1L/Rzc4h/CIXQDafjvr1W4cOTdBvrCD ueCpUQ4J5OAEJkMgg84A02VQTvHFvCNTJUkzXSEM6UZZ0hPhHOAsDVtpgkgq3oxM IRYJ4cHj97/LKOSNFfNy5iMRnfG380BF5QKKoJ9Pt1xToa8TNUK3g10oWN3EPovM wYxSyGJgB4IbE9ffnw2UukSPhEZMHZ7Mi+DlNDWsIosVurHkPvHNFGyuX9mLc423 tq5cnkoHcLAoR2IuKLxT7Tks2utIPlWekXgzWQA6iLZ8Ehu9cEKTL4irqU9uVpqL pLueAibHGWz/iScpNeAJ8WqO7kldFJTPmpAR6BfGEc6H3z2Z1VRVE6ZLylG5DapR sWYo55c/pBq0ckUM5SUWhegfFRq5yDDeHbU9HK94843BF3Sy6EalEFij3+PXBezA W+qkWqXwZ6I= =xeZj -----END PGP SIGNATURE----- From alphasigmax at gmail.com Sun Nov 5 14:36:59 2006 From: alphasigmax at gmail.com (Alphax) Date: Sun Nov 5 14:35:57 2006 Subject: How to enable a block cipher or hash algorithm for a keypair? In-Reply-To: <454DC272.7060606@gmail.com> References: <454DC272.7060606@gmail.com> Message-ID: <454DE8FB.4030107@gmail.com> Crest da Zoltral wrote: > I searched any documentation i found on the net about how to edit keys, > but I didn't found a way to enable a different cipher or digest? With > `gpg --edit-key $key_id showpref` it's only possible to view the > preferences and `gpg --edit-key $key_id pref` seems only to print the > prefs in shorter harder to read form. So how can I enable Twofish and > SHA-512 (without overriding the preferences with --cipher-algo and > --digest-algo)? $ gpg --edit-key 0xDEADBEEF Secret key is available pub 2048R/0xDEADBEEF created: 2006-01-01 expires: never usage: SC trust: ultimate validity: ultimate sub 2048g/0xCAFEBABE created: 2006-01-01 expires: never usage: E [ultimate] (1). Person (comment) Command> setpref h8 h10 h3 h2 s4 s9 s10 s8 s7 z3 z2 z1 mdc no-ks-modify Set preference list to: Cipher: BLOWFISH, AES256, TWOFISH, AES192, AES, 3DES Digest: SHA256, SHA512, RIPEMD160, SHA1 Compression: BZIP2, ZLIB, ZIP, Uncompressed Features: MDC, Keyserver no-modify Really update the preferences? (y/N) You need a passphrase to unlock the secret key for user: "Person (comment) " 2048-bit RSA key, ID 0xDEADBEEF, created 2006-01-01 Enter passphrase: Command> quit Save changes? (y/N) y HTH, -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 569 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20061106/7a4e3013/signature.pgp From rjh at sixdemonbag.org Sun Nov 5 16:29:43 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sun Nov 5 16:27:57 2006 Subject: How to enable a block cipher or hash algorithm for a keypair? In-Reply-To: <454DC272.7060606@gmail.com> References: <454DC272.7060606@gmail.com> Message-ID: <454E0367.20600@sixdemonbag.org> Crest da Zoltral wrote: > I searched any documentation i found on the net about how to edit keys, > but I didn't found a way to enable a different cipher or digest? With > `gpg --edit-key $key_id showpref` it's only possible to view the > preferences and `gpg --edit-key $key_id pref` seems only to print the > prefs in shorter harder to read form. So how can I enable Twofish and > SHA-512 (without overriding the preferences with --cipher-algo and > --digest-algo)? While Alphax gave you some good advice, it may also be unnecessary advice or irrelevant advice. You don't need to do anything, really, to enable a different cipher or digest. They're all enabled. It isn't as if, should you receive BLOWFISH-encrypted traffic, that you need to make sure your key is set to read BLOWFISH. The available algorithms--all of which are enabled--can be found just by typing: gpg --version For instance, I get: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 ... If what you want is to start using a different algorithm, a better idea than using --cipher-algo and --digest-algo is to use the algorithm preferences. Try adding these two lines to gpg.conf: personal-cipher-preferences TWOFISH AES256 AES192 AES128 3DES personal-digest-preferences SHA512 SHA384 SHA256 SHA224 RIPEMD160 ... Also, you may want to consider whether you really want to start using SHA512. There's nothing wrong with it, but only very recent versions of PGP understand it. If interoperability is a concern, you're much better off with SHA256, which is understood by PGP 8.1 and later. From jdever at triad.rr.com Mon Nov 6 00:38:35 2006 From: jdever at triad.rr.com (Jim Dever) Date: Mon Nov 6 02:35:23 2006 Subject: gpg error messag Message-ID: <454E75FB.8070604@triad.rr.com> Can anyone help me out with the meaning of this error message? Thanks! ===== enigmail> C:\Program Files\GNU\GnuPG\gpg.exe --charset utf8 --no-version --batch --no-tty --status-fd 2 --verify gpg: Signature made 10/10/06 01:02:23 using RSA key ID CA57AD7C gpg: WARNING: signature digest conflict in message gpg: Can't check signature: general error enigmail.js: Enigmail.decryptMessageEnd: Error in command execution ===== -- Jim From rjh at sixdemonbag.org Mon Nov 6 02:46:27 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon Nov 6 02:44:27 2006 Subject: gpg error messag In-Reply-To: <454E75FB.8070604@triad.rr.com> References: <454E75FB.8070604@triad.rr.com> Message-ID: <454E93F3.6080507@sixdemonbag.org> Jim Dever wrote: > Can anyone help me out with the meaning of this error message? It will help us out considerably if you can tell us more about your problem. What operating system are you using? What version of GnuPG are you using? What hash algorithm does the message say it's using? What program generated the message in question? What version of Enigmail? What... etcetera? From dshaw at jabberwocky.com Mon Nov 6 03:52:38 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Nov 6 03:50:49 2006 Subject: How to enable a block cipher or hash algorithm for a keypair? In-Reply-To: <454E0367.20600@sixdemonbag.org> References: <454DC272.7060606@gmail.com> <454E0367.20600@sixdemonbag.org> Message-ID: <20061106025238.GA10246@jabberwocky.com> On Sun, Nov 05, 2006 at 09:29:43AM -0600, Robert J. Hansen wrote: > ... If what you want is to start using a different algorithm, a better > idea than using --cipher-algo and --digest-algo is to use the algorithm > preferences. Try adding these two lines to gpg.conf: > > personal-cipher-preferences TWOFISH AES256 AES192 AES128 3DES > personal-digest-preferences SHA512 SHA384 SHA256 SHA224 RIPEMD160 Note, though, that neither of these will take effect unless the other keys participating in the encryption agree. You can only use an algorithm that is present in the preferences of all keys you are encrypting to. David From jdever at triad.rr.com Mon Nov 6 04:44:26 2006 From: jdever at triad.rr.com (Jim Dever) Date: Mon Nov 6 04:42:40 2006 Subject: gpg error messag In-Reply-To: <454E93F3.6080507@sixdemonbag.org> References: <454E75FB.8070604@triad.rr.com> <454E93F3.6080507@sixdemonbag.org> Message-ID: <454EAF9A.3080300@triad.rr.com> Robert J. Hansen wrote: > Jim Dever wrote: >> Can anyone help me out with the meaning of this error message? > > It will help us out considerably if you can tell us more about your > problem. What operating system are you using? What version of GnuPG > are you using? What hash algorithm does the message say it's using? > What program generated the message in question? What version of > Enigmail? What... etcetera? Ok... Using Windows XP Pro, Thunderbird 1.5.0.7 Enigmail 0.94.1.0, GnuPG 1.4.5. I'm trying to verify the signature on the automated email from the PGP Global directory keyserver. This is the only email that has ever shown this message. Here's the Enigmail Console output with a -vv added to it. Hash appears to be SHA1. Thanks. ===== enigmail> C:\Program Files\GNU\GnuPG\gpg.exe --charset utf8 --no-version -vv --b atch --no-tty --status-fd 2 --verify gpg: armor: BEGIN PGP SIGNED MESSAGE gpg: armor header: Hash: SHA1 :packet 63: length 11 :literal data packet: mode t (74), created 0, name="", raw data: unknown length gpg: original file name='' gpg: armor: BEGIN PGP SIGNATURE gpg: armor header: Version: PGP Universal 2.0.4 :signature packet: algo 1, keyid 9710B89BCA57AD7C version 3, created 1160456543, md5len 5, sigclass 01 digest algo 8, begin of digest 0b 1a data: [2046 bits] gpg: Signature made 10/10/06 01:02:23 using RSA key ID CA57AD7C gpg: WARNING: signature digest conflict in message gpg: Can't check signature: general error enigmail.js: Enigmail.decryptMessageEnd: Error in command execution ===== -- Jim OpenPGP KeyID: 0x006921e Keyserver: ldap://keyserver.pgp.com From dshaw at jabberwocky.com Mon Nov 6 05:45:38 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Nov 6 05:43:40 2006 Subject: gpg error messag In-Reply-To: <454EAF9A.3080300@triad.rr.com> References: <454E75FB.8070604@triad.rr.com> <454E93F3.6080507@sixdemonbag.org> <454EAF9A.3080300@triad.rr.com> Message-ID: <20061106044538.GC10246@jabberwocky.com> On Sun, Nov 05, 2006 at 10:44:26PM -0500, Jim Dever wrote: > Robert J. Hansen wrote: > > Jim Dever wrote: > >> Can anyone help me out with the meaning of this error message? > > > > It will help us out considerably if you can tell us more about your > > problem. What operating system are you using? What version of GnuPG > > are you using? What hash algorithm does the message say it's using? > > What program generated the message in question? What version of > > Enigmail? What... etcetera? > > Ok... Using Windows XP Pro, Thunderbird 1.5.0.7 Enigmail 0.94.1.0, GnuPG > 1.4.5. > > I'm trying to verify the signature on the automated email from the PGP > Global directory keyserver. This is the only email that has ever shown > this message. Here's the Enigmail Console output with a -vv added to > it. Hash appears to be SHA1. The program that generated this message has a problem. First it announces that the signature hash is going to be SHA1: > gpg: armor header: Hash: SHA1 Then it provides the signature: > :signature packet: algo 1, keyid 9710B89BCA57AD7C > version 3, created 1160456543, md5len 5, sigclass 01 > digest algo 8, begin of digest 0b 1a > data: [2046 bits] Digest algo 8 is SHA256, not SHA1. You might be able to manipulate things into verifying the signature by editing the file to change the SHA1 string to SHA256, but the real problem is probably in whatever program generated the message. David From dshaw at jabberwocky.com Mon Nov 6 06:20:42 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Nov 6 06:19:02 2006 Subject: deleting signatures from uids In-Reply-To: References: <20061031135804.GV31897@localhost.localdomain> <4549EA0B.6050808__33980.4716445089$1162472273$gmane$org@tiscali.it> Message-ID: <20061106052042.GB1685@jabberwocky.com> On Thu, Nov 02, 2006 at 02:39:45PM -0600, Alex Mauer wrote: > Qed wrote: > > This is not a limitation, it'a a feature :-) and this is also the reason > > why you should not play with PGP on keyservers, the result will be often > > another abandoned key. > > Is there any reason that the keyserver needs to continue to redistribute > expired, revoked, or otherwise invalid (e.g. superseded) signatures? > > I can't think of any. > > I can kind of see why you might want to show the full history of a key, > but does it really need to be distributed out to everyone? > > If this is a security risk, surely the keyserver options > "import-clean-sigs" and "import-clean-uids" are also, are they not? No. GnuPG has the ability to verify signatures, and so can correctly do this. It's not as simple as just dropping all expired signatures. You must distribute some signatures, even though they aren't usable (for example, the last in a series of expired signatures). Keyservers don't have any crypto support, so can't verify signatures, and so can't do any sort of signature cleaning safely. David From jdever at triad.rr.com Mon Nov 6 06:47:18 2006 From: jdever at triad.rr.com (Jim Dever) Date: Mon Nov 6 06:46:00 2006 Subject: gpg error messag In-Reply-To: <20061106044538.GC10246@jabberwocky.com> References: <454E75FB.8070604@triad.rr.com> <454E93F3.6080507@sixdemonbag.org> <454EAF9A.3080300@triad.rr.com> <20061106044538.GC10246@jabberwocky.com> Message-ID: <454ECC66.1050501@triad.rr.com> David Shaw wrote: > > You might be able to manipulate things into verifying the signature by > editing the file to change the SHA1 string to SHA256, but the real > problem is probably in whatever program generated the message. Thanks! I thought that might be the problem although I didn't know how to determine what hash the message was actually using. What's ridiculous is that the message was produced by the PGP Global Directory keyserver. The message is PGP/MIME in HTML format and I don't even see a HASH string in the message source at all. Thanks for your help! -- Jim From patrick at mozilla-enigmail.org Mon Nov 6 11:19:18 2006 From: patrick at mozilla-enigmail.org (Patrick Brunschwig) Date: Mon Nov 6 11:18:00 2006 Subject: gpg error messag In-Reply-To: <454ECC66.1050501__24672.3227356144$1162792290$gmane$org@triad.rr.com> References: <454E75FB.8070604@triad.rr.com> <454E93F3.6080507@sixdemonbag.org> <454EAF9A.3080300@triad.rr.com> <20061106044538.GC10246@jabberwocky.com> <454ECC66.1050501__24672.3227356144$1162792290$gmane$org@triad.rr.com> Message-ID: Jim Dever wrote: > David Shaw wrote: > > >> You might be able to manipulate things into verifying the signature by >> editing the file to change the SHA1 string to SHA256, but the real >> problem is probably in whatever program generated the message. > > Thanks! I thought that might be the problem although I didn't know how > to determine what hash the message was actually using. What's > ridiculous is that the message was produced by the PGP Global Directory > keyserver. The message is PGP/MIME in HTML format and I don't even see > a HASH string in the message source at all. The hash string should be in the message header, something like Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; I'm pretty sure that something is defined -- Enigmail will not try to verify the message if no hash algorithm is provided. -Patrick From wk at gnupg.org Mon Nov 6 11:20:09 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Nov 6 11:22:47 2006 Subject: GnuPG 1.9.95 released Message-ID: <87ac34op0m.fsf@wheatstone.g10code.de> Hi, I have just released version 1.9.95 of GnuPG. This one fixes some build problems and is expected to be the last release before 2.0.0. Thanks to Nilg?n Belma Bug?ner for providing the first complete translation (tr). Available at the usual place: ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.95.tar.bz2 (3780k) ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.95.tar.bz2.sig or as a patch (without PO file updates): ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.94-1.9.95.diff.bz2 (10k) Shalom-Salam, Werner -- Werner Koch The GnuPG Experts http://g10code.com Join the Fellowship and protect your Freedom! http://www.fsfe.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available Url : /pipermail/attachments/20061106/ecc2f5eb/attachment.pgp From dshaw at jabberwocky.com Mon Nov 6 14:17:44 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Nov 6 14:15:56 2006 Subject: gpg error messag In-Reply-To: References: <454E75FB.8070604@triad.rr.com> <454E93F3.6080507@sixdemonbag.org> <454EAF9A.3080300@triad.rr.com> <20061106044538.GC10246@jabberwocky.com> <454ECC66.1050501__24672.3227356144$1162792290$gmane$org@triad.rr.com> Message-ID: <20061106131744.GA3057@jabberwocky.com> On Mon, Nov 06, 2006 at 11:19:18AM +0100, Patrick Brunschwig wrote: > Jim Dever wrote: > > David Shaw wrote: > > > > > >> You might be able to manipulate things into verifying the signature by > >> editing the file to change the SHA1 string to SHA256, but the real > >> problem is probably in whatever program generated the message. > > > > Thanks! I thought that might be the problem although I didn't know how > > to determine what hash the message was actually using. What's > > ridiculous is that the message was produced by the PGP Global Directory > > keyserver. The message is PGP/MIME in HTML format and I don't even see > > a HASH string in the message source at all. > > The hash string should be in the message header, something like > Content-Type: multipart/signed; micalg=pgp-sha1; > protocol="application/pgp-signature"; > > I'm pretty sure that something is defined -- Enigmail will not try to > verify the message if no hash algorithm is provided. Ah, I recall this problem. I reported it to the PGP GD people quite a while ago, and I thought it had been fixed. The GD was generating a PGP/MIME micalg setting of pgp-sha1, but the actual signature was being made with SHA256. David From jdever at triad.rr.com Mon Nov 6 18:05:44 2006 From: jdever at triad.rr.com (Jim Dever) Date: Mon Nov 6 18:03:50 2006 Subject: gpg error messag In-Reply-To: <20061106131744.GA3057@jabberwocky.com> References: <454E75FB.8070604@triad.rr.com> <454E93F3.6080507@sixdemonbag.org> <454EAF9A.3080300@triad.rr.com> <20061106044538.GC10246@jabberwocky.com> <454ECC66.1050501__24672.3227356144$1162792290$gmane$org@triad.rr.com> <20061106131744.GA3057@jabberwocky.com> Message-ID: <454F6B68.9060606@triad.rr.com> David Shaw wrote: > Ah, I recall this problem. I reported it to the PGP GD people quite a > while ago, and I thought it had been fixed. The GD was generating a > PGP/MIME micalg setting of pgp-sha1, but the actual signature was > being made with SHA256. Found it. That's exactly what's happening and obviously the problem still hasn't been fixed (or else it raised its ugly head again). ===== Content-type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha1; boundary=PGP_Universal_2F4EB16A_4F41CA65_EABA882D_FCFE19A6 ===== Thanks to you both! -- Jim From johanw at vulcan.xs4all.nl Mon Nov 6 19:39:07 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Mon Nov 6 19:40:43 2006 Subject: Question abut use of --cipher-algo AES & --openpgp In-Reply-To: <1162523744.20169.113.camel@sirius.brigham.net> Message-ID: <200611061839.kA6Id7xb011448@vulcan.xs4all.nl> Henry Hertz Hobbit wrote: >* 3DES: 8C 0D 04 02 03 02 >* CAST5: 8C 0D 04 03 03 02 >* BLOWFISH: 8C 0D 04 04 03 02 >* AES: 8C 0D 04 07 03 02 >* AES192: 8C 0D 04 08 03 02 >* AES256: 8C 0D 04 09 03 02 >* TWOFISH: 8C 0D 04 0A 03 02 I guess IDEA is 8C 0D 04 01 03 02. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From dshaw at jabberwocky.com Mon Nov 6 20:02:14 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Nov 6 20:00:24 2006 Subject: Question abut use of --cipher-algo AES & --openpgp In-Reply-To: <200611061839.kA6Id7xb011448@vulcan.xs4all.nl> References: <1162523744.20169.113.camel@sirius.brigham.net> <200611061839.kA6Id7xb011448@vulcan.xs4all.nl> Message-ID: <20061106190214.GA5029@jabberwocky.com> On Mon, Nov 06, 2006 at 07:39:07PM +0100, Johan Wevers wrote: > Henry Hertz Hobbit wrote: > > >* 3DES: 8C 0D 04 02 03 02 > >* CAST5: 8C 0D 04 03 03 02 > >* BLOWFISH: 8C 0D 04 04 03 02 > >* AES: 8C 0D 04 07 03 02 > >* AES192: 8C 0D 04 08 03 02 > >* AES256: 8C 0D 04 09 03 02 > >* TWOFISH: 8C 0D 04 0A 03 02 > > I guess IDEA is 8C 0D 04 01 03 02. This method for identifying ciphers is not reliable. There are many ways for a file to be packed, and this method will do the wrong thing for all but one of the ways. David From me at psmay.com Mon Nov 6 20:21:49 2006 From: me at psmay.com (Peter S. May) Date: Mon Nov 6 20:20:16 2006 Subject: Question abut use of --cipher-algo AES & --openpgp In-Reply-To: <200611061839.kA6Id7xb011448@vulcan.xs4all.nl> References: <200611061839.kA6Id7xb011448@vulcan.xs4all.nl> Message-ID: <454F8B4D.9090308@psmay.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Johan Wevers wrote: > Henry Hertz Hobbit wrote: > >> * 3DES: 8C 0D 04 02 03 02 >> * CAST5: 8C 0D 04 03 03 02 >> * BLOWFISH: 8C 0D 04 04 03 02 >> * AES: 8C 0D 04 07 03 02 >> * AES192: 8C 0D 04 08 03 02 >> * AES256: 8C 0D 04 09 03 02 >> * TWOFISH: 8C 0D 04 0A 03 02 > > I guess IDEA is 8C 0D 04 01 03 02. > For various reasons (in particular, the flexibility of packet formats in OpenPGP), you _must not_ expect the fourth byte of a message to always represent the cipher algorithm; it can appear elsewhere. If you need to know what cipher algorithm the message you have is in, pipe it to gpg --list-packets --list-only If you just want the number, try this: gpg --list-packets --list-only 2>&1 | \ perl -n -e '/^:symkey enc packet:.*?cipher (\d+)/ and print "$1\n"' The number that results, if any, maps according to RFC 2440 or its most current de facto variant. bis-18 () lists these ciphers: ID Algorithm -- --------- 0 - Plaintext or unencrypted data 1 - IDEA [IDEA] 2 - TripleDES (DES-EDE, [SCHNEIER] [HAC] - 168 bit key derived from 192) 3 - CAST5 (128 bit key, as per RFC 2144) 4 - Blowfish (128 bit key, 16 rounds) [BLOWFISH] 5 - Reserved 6 - Reserved 7 - AES with 128-bit key [AES] 8 - AES with 192-bit key 9 - AES with 256-bit key 10 - Twofish with 256-bit key [TWOFISH] 100 to 110 - Private/Experimental algorithm. If you'd rather have the name, try gpg --list-packets --list-only 2>&1 | \ perl -n -e '/^gpg: (.*?) encrypted data$/ and print "$1\n"' And note that this is not likely to work as expected on anything that isn't symmetric-encrypted input. Have fun PSM -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFT4tEei6R+3iF2vwRAuP6AJ4kvPtpt/3Ponzqr4JUdrNS6H5EpgCcCMS5 GC8pte0laTZU/EBDdO8t488= =vug9 -----END PGP SIGNATURE----- From brunij at earthlink.net Mon Nov 6 18:14:07 2006 From: brunij at earthlink.net (Joseph Bruni) Date: Mon Nov 6 20:50:09 2006 Subject: keyserver Message-ID: <2157265.1162833247825.JavaMail.root@elwamui-rubis.atl.sa.earthlink.net> Hello, I would like to set up a keyserver at my business for a small number of users (c. 100). I've tried to build the latest versions of PKS, CKS, and SKS, but these projects haven't been updated in a long time and no longer build because of old library dependencies. Does anyone on this list manage a keyserver and if so, what are you using? Regards, Joe From dshaw at jabberwocky.com Mon Nov 6 21:14:51 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Nov 6 21:13:01 2006 Subject: keyserver In-Reply-To: <2157265.1162833247825.JavaMail.root@elwamui-rubis.atl.sa.earthlink.net> References: <2157265.1162833247825.JavaMail.root@elwamui-rubis.atl.sa.earthlink.net> Message-ID: <20061106201451.GB5029@jabberwocky.com> On Mon, Nov 06, 2006 at 10:14:07AM -0700, Joseph Bruni wrote: > Hello, > > I would like to set up a keyserver at my business for a small number > of users (c. 100). I've tried to build the latest versions of PKS, > CKS, and SKS, but these projects haven't been updated in a long time > and no longer build because of old library dependencies. > > Does anyone on this list manage a keyserver and if so, what are you > using? There are two good ways to run a keyserver. If you are planning on syncing your internal keyserver with the outside world, then SKS is for you. If you are having problems building it, ask on the SKS mailing list at http://lists.nongnu.org/mailman/listinfo/sks-devel If you are not planning to sync with the outside world, then may I suggest using LDAP? Many sites already have a LDAP server, and GnuPG will quite happily use it as a keyserver. The LDAP schema for OpenPGP keys is at http://asteria.noreply.org/~weasel/PGPKeyserverSchema.zip David From nealpd at bellsouth.net Mon Nov 6 21:39:33 2006 From: nealpd at bellsouth.net (nealpd@bellsouth.net) Date: Mon Nov 6 23:24:44 2006 Subject: pgp decryption Failed - 2 Message-ID: <20061106203933.CVNP7297.ibm58aec.bellsouth.net@mail.bellsouth.net> We are using gnupg version 1.2.1. When our customer sends in an encrypted file we are unable to decrypt it because it keeps getting an error of "pgp decryption Failed - 2". The customer can then start completely over and encrypt the file again, send it through and it works fine then. The file always fails on the first couple of tries though. They have asked us to research and find out what the "pgp decryption Failed - 2" error message means and I can find nothing in my documention to tell me what it is. From brunij at earthlink.net Tue Nov 7 05:13:30 2006 From: brunij at earthlink.net (Joseph Oreste Bruni) Date: Tue Nov 7 05:11:33 2006 Subject: keyserver In-Reply-To: <20061106201451.GB5029@jabberwocky.com> References: <2157265.1162833247825.JavaMail.root@elwamui-rubis.atl.sa.earthlink.net> <20061106201451.GB5029@jabberwocky.com> Message-ID: On Nov 6, 2006, at 1:14 PM, David Shaw wrote: > If you are not planning to sync with the outside world, then may I > suggest using LDAP? I considered the use of LDAP since I just recently built an OpenLDAP server for us to use for centralized user authentication and it would fit right in. But, from what I understand about using LDAP as a keyserver, one would lack the key-data merging capability since LDAP servers don't know about OpenPGP-specific data. When GnuPG submits key data to an LDAP server, does it perform merging (read-modify-write) or does it just submit the local copy of the key, overwriting the previous key? I was able to get PKS to compile on Linux and it works. My problem was initially with trying to build on OS X since the db2 configure script is so old that it doesn't recognize Darwin. I pulled the pks- current code which uses the DB4.1 database and got it working on Linux. But it doesn't support some of the more recent OpenPGP features (attributes). (I'm not sure that that is a show-stopper, though.) I was intrigued by CKS but it's dependency on the defunct RpSQL was a show-stopper, and using PostgreSQL as a back-end is some serious over- kill for an access pattern that never changes. SKS seems good but the use of yet another oddball language (ocaml) is annoying and I ran into problems with it trying to compile on SuSE Linux -- I'll bring those issues up on the SKS list if anyone there is still participating. I noticed, David, that your name is one of the contributers to the PKS project. I was hoping that the GnuPG project might "adopt" the idea of a keyserver and run with it, keeping it up to date. Has the idea of public keyservers run out of steam? Joe -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2508 bytes Desc: not available Url : /pipermail/attachments/20061106/222999f1/smime.bin From brunij at earthlink.net Tue Nov 7 05:31:45 2006 From: brunij at earthlink.net (Joseph Oreste Bruni) Date: Tue Nov 7 05:29:51 2006 Subject: pgp decryption Failed - 2 In-Reply-To: <20061106203933.CVNP7297.ibm58aec.bellsouth.net@mail.bellsouth.net> References: <20061106203933.CVNP7297.ibm58aec.bellsouth.net@mail.bellsouth.net> Message-ID: Do you get the same result when using the current version of GnuPG (i.e. 1.4.5)? Is the file sent ASCII armored? When you say "sends" what is the method (FTP, email, etc.)? If using FTP, is the transfer method text or binary? Is one of the computers in question using Windows? What is your customer using for encryption (PGP, GnuPG)? You say that "they" asked you to research the error message. Who is "they"? Are they receiving the error message when encrypting or are you when decrypting? Or are they receiving an error message when you encrypt a response file to them? -Joe On Nov 6, 2006, at 1:39 PM, wrote: > We are using gnupg version 1.2.1. When our customer sends in an > encrypted file we are unable to decrypt it because it keeps > getting an > error of "pgp decryption Failed - 2". The customer can then start > completely over and encrypt the file again, send it through and it > works fine then. The file always fails on the first couple of tries > though. They have asked us to research and find out what the "pgp > decryption Failed - 2" error message means and I can find nothing > in my > documention to tell me what it is. > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2508 bytes Desc: not available Url : /pipermail/attachments/20061106/bc701cd1/smime.bin From olaf.gellert at intrusion-lab.net Tue Nov 7 10:12:07 2006 From: olaf.gellert at intrusion-lab.net (Olaf Gellert) Date: Tue Nov 7 10:08:06 2006 Subject: keyserver In-Reply-To: References: <2157265.1162833247825.JavaMail.root@elwamui-rubis.atl.sa.earthlink.net> <20061106201451.GB5029@jabberwocky.com> Message-ID: <45504DE7.4090106@intrusion-lab.net> Joseph Oreste Bruni wrote: > I considered the use of LDAP since I just recently built an OpenLDAP > server for us to use for centralized user authentication and it would > fit right in. But, from what I understand about using LDAP as a > keyserver, one would lack the key-data merging capability since LDAP > servers don't know about OpenPGP-specific data. Don't know. > I was able to get PKS to compile on Linux and it works. My problem was > initially with trying to build on OS X since the db2 configure script is > so old that it doesn't recognize Darwin. I pulled the pks-current code > which uses the DB4.1 database and got it working on Linux. But it > doesn't support some of the more recent OpenPGP features (attributes). > (I'm not sure that that is a show-stopper, though.) It is. PKS does not support multiple subkeys and some other features of modern keys. Actually nearly all keyserver administrators switched to SKS (it syncs fine and supports all recent keys). > SKS seems good but the use of yet another oddball language (ocaml) is > annoying and I ran into problems with it trying to compile on SuSE Linux > -- I'll bring those issues up on the SKS list if anyone there is still > participating. Should run on SuSE without too many problems (I have installed SKS on a SuSE system). Hopefully you have the correct version of the OCAML-Compiler etc. Just ask at the SKS mailing list, it is usually low traffic but very responsive. > I noticed, David, that your name is one of the contributers to the PKS > project. I was hoping that the GnuPG project might "adopt" the idea of a > keyserver and run with it, keeping it up to date. Has the idea of public > keyservers run out of steam? I guess not. There are some problems with recent public keyservers (which are not technical problems but legal problems, eg. privacy of the data (because keys actually cannot removed or blacklisted)), but this does not matter for a private key server. But a keyserver is something completely different than GnuPG, so the crypto gurus take care for GPG and some other gurus develop key servers. Maybe a key server that supports cryptography would need a team of both. Any takers? ;-) Cheers, Olaf -- Dipl.Inform. Olaf Gellert INTRUSION-LAB.NET Senior Researcher, www.intrusion-lab.net PKI - and IDS - Services olaf.gellert@intrusion-lab.net From dshaw at jabberwocky.com Tue Nov 7 15:01:59 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Nov 7 15:00:34 2006 Subject: keyserver In-Reply-To: References: <2157265.1162833247825.JavaMail.root@elwamui-rubis.atl.sa.earthlink.net> <20061106201451.GB5029@jabberwocky.com> Message-ID: <20061107140159.GC5584@jabberwocky.com> On Mon, Nov 06, 2006 at 09:13:30PM -0700, Joseph Oreste Bruni wrote: > > On Nov 6, 2006, at 1:14 PM, David Shaw wrote: > > >If you are not planning to sync with the outside world, then may I > >suggest using LDAP? > > > I considered the use of LDAP since I just recently built an OpenLDAP > server for us to use for centralized user authentication and it would > fit right in. But, from what I understand about using LDAP as a > keyserver, one would lack the key-data merging capability since LDAP > servers don't know about OpenPGP-specific data. > > When GnuPG submits key data to an LDAP server, does it perform > merging (read-modify-write) or does it just submit the local copy of > the key, overwriting the previous key? LDAP overwrites. SKS or PKS merges. It's an interesting question which behavior is better, but (as in many things) the answer comes down to the behavior that is "better" is the one that you like more. :) Personally, I think that LDAP is better for key populations that have a distinct boundary: a company, for example. In a company, key merging isn't really that useful or desirable, as generally there isn't much back-and-forth key signing. Rather, the company signs each key with the authoritative company key. Since you already have a running LDAP setup, it seems like an obvious solution to use it rather than have to maintain a whole second server (with backups, etc). LDAP has another side benefit if you choose to make it visible outside the company: people who use PGP will automatically find keys for your employees and encrypt their mail. When encrypting to user@example.com, PGP universal looks for ldap://keys.example.com and asks it for the user@example.com key. Put "auto-key-locate ldap" in your gpg.conf, and GnuPG will do the same. > I was able to get PKS to compile on Linux and it works. My problem > was initially with trying to build on OS X since the db2 configure > script is so old that it doesn't recognize Darwin. I pulled the pks- > current code which uses the DB4.1 database and got it working on > Linux. But it doesn't support some of the more recent OpenPGP > features (attributes). (I'm not sure that that is a show-stopper, > though.) I wouldn't use PKS at this point. It is unmaintained code, and has many known bugs. It is simply not an option any longer. > SKS seems good but the use of yet another oddball language (ocaml) is > annoying and I ran into problems with it trying to compile on SuSE > Linux -- I'll bring those issues up on the SKS list if anyone there > is still participating. SKS has a good user population on their list. They can very likely help you. > I noticed, David, that your name is one of the contributers to the > PKS project. I was hoping that the GnuPG project might "adopt" the > idea of a keyserver and run with it, keeping it up to date. Has the > idea of public keyservers run out of steam? My involvement with PKS was really that of desperation. PKS was the main and only keyserver software for years, and worked great. As OpenPGP grew, though, the keyserver wasn't really grown to match, and so had serious key-mangling problems with the the more modern OpenPGP features. I couldn't persuade many people to stop running it and move to SKS, so I got involved long enough to fix the worst of the bugs. The current state of PKS is that it still doesn't work with modern keys, but at least it doesn't destroy them any longer. The SKS developer (Yaron Minsky) has done an excellent job with SKS, and virtually all the public keyservers run SKS these days. David From hhhobbit at securemecca.net Tue Nov 7 17:04:35 2006 From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Tue Nov 7 17:02:55 2006 Subject: Question abut use of --cipher-algo AES & --openpgp In-Reply-To: <0MKpyh-1GhAt80Ofz-00048g@mx.perfora.net> References: <0MKpyh-1GhAt80Ofz-00048g@mx.perfora.net> Message-ID: <1162915475.4894.261.camel@sirius.brigham.net> On Mon, 2006-11-06 at 14:02 -0500, David Shaw wrote: > On Mon, Nov 06, 2006 at 07:39:07PM +0100, Johan Wevers wrote: > > Henry Hertz Hobbit wrote: > > > > >* 3DES: 8C 0D 04 02 03 02 > > >* CAST5: 8C 0D 04 03 03 02 > > >* BLOWFISH: 8C 0D 04 04 03 02 > > >* AES: 8C 0D 04 07 03 02 > > >* AES192: 8C 0D 04 08 03 02 > > >* AES256: 8C 0D 04 09 03 02 > > >* TWOFISH: 8C 0D 04 0A 03 02 > > > > I guess IDEA is 8C 0D 04 01 03 02. > > This method for identifying ciphers is not reliable. > There are many ways for a file to be packed, and this > method will do the wrong thing for all but one of the > ways. I am from Missouri today, and I am stubborn mule. 8^) First, please remember that we are talking about only symmetrically enciphered files without email etc. Just encrypting a file on the computer. That was what the person was doing, and they were not using the --armor (-a) option. You will of course NOT get the above first six bytes with the armor option since the very first character is not a valid ASCII text character. Please specify at least one way (preferable to have two or three) where this is not the case for a symmetrically enciphered file that is written to the disk (not piped into email, etc.). I am not saying that you are wrong. It is just that I have tried it quite a few ways and I always come up with the same first six bytes for any given cipher, including even some where GnuGP gives me messages like this $ gpg -d < TOOMUCH.gpg > BACK gpg: AES encrypted data gpg: encrypted with 1 passphrase gpg: WARNING: message was not integrity protected $ diff TOOMUCH BACK $ rm BACK If it is a file created with a non-GnuPG, but OpenPGP compliant program, please send me the file and the password. I don't have anything but GnuPG. I will be removing all keys but mine to run the test with. I will be looking for: [1] gpg's message of what cipher was used to encrypt the file. It would be preferable to have the file that was encrypted with a symmetric cipher to contain only the phrase: Hello World! If I can't decrypt it, I would consider that to mean it is not OpenPGP compliant. [2] The first six bytes of the file. I will compare that with what is in the chart. Even if you do have an encrypted file that doesn't use these, is there anything wrong with the file command returning the answers given for the first six bytes of the file? I can't find any information that they are used for any other kind of file. Peter S. May - Thanks for the PERL scripts. HHH From wk at gnupg.org Tue Nov 7 17:38:46 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Nov 7 17:42:01 2006 Subject: Question abut use of --cipher-algo AES & --openpgp In-Reply-To: <1162915475.4894.261.camel@sirius.brigham.net> (Henry Hertz Hobbit's message of "Tue\, 07 Nov 2006 09\:04\:35 -0700") References: <0MKpyh-1GhAt80Ofz-00048g@mx.perfora.net> <1162915475.4894.261.camel@sirius.brigham.net> Message-ID: <878xinmctl.fsf@wheatstone.g10code.de> On Tue, 7 Nov 2006 17:04, hhhobbit@securemecca.net said: > First, please remember that we are talking about only symmetrically > enciphered files without email etc. Just encrypting a file on the This doesn't matter. There are still several ways such a file may look. It might work for you today but it my produce the wrong result with the next update or with another OpenPGP implementation. A script to detect the cipher algoritm needs to implement the standard and not merely use some heuristic. That is for what standards are. Salam-Shalom, Werner From dshaw at jabberwocky.com Tue Nov 7 17:44:50 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Nov 7 17:42:56 2006 Subject: Question abut use of --cipher-algo AES & --openpgp In-Reply-To: <1162915475.4894.261.camel@sirius.brigham.net> References: <0MKpyh-1GhAt80Ofz-00048g@mx.perfora.net> <1162915475.4894.261.camel@sirius.brigham.net> Message-ID: <20061107164450.GC8338@jabberwocky.com> On Tue, Nov 07, 2006 at 09:04:35AM -0700, Henry Hertz Hobbit wrote: > On Mon, 2006-11-06 at 14:02 -0500, David Shaw wrote: > > > On Mon, Nov 06, 2006 at 07:39:07PM +0100, Johan Wevers wrote: > > > Henry Hertz Hobbit wrote: > > > > > > >* 3DES: 8C 0D 04 02 03 02 > > > >* CAST5: 8C 0D 04 03 03 02 > > > >* BLOWFISH: 8C 0D 04 04 03 02 > > > >* AES: 8C 0D 04 07 03 02 > > > >* AES192: 8C 0D 04 08 03 02 > > > >* AES256: 8C 0D 04 09 03 02 > > > >* TWOFISH: 8C 0D 04 0A 03 02 > > > > > > I guess IDEA is 8C 0D 04 01 03 02. > > > > This method for identifying ciphers is not reliable. > > There are many ways for a file to be packed, and this > > method will do the wrong thing for all but one of the > > ways. > > I am from Missouri today, and I am stubborn mule. 8^) > > First, please remember that we are talking about only symmetrically > enciphered files without email etc. Just encrypting a file on the > computer. That was what the person was doing, and they were not > using the --armor (-a) option. You will of course NOT get the > above first six bytes with the armor option since the very first > character is not a valid ASCII text character. > > Please specify at least one way (preferable to have two or three) > where this is not the case for a symmetrically enciphered file > that is written to the disk (not piped into email, etc.). I am > not saying that you are wrong. It is just that I have tried it > quite a few ways and I always come up with the same first six bytes > for any given cipher, including even some where GnuGP gives me > messages like this I've attached two files that will both give you the wrong answer using the "first six bytes" methodology. David -------------- next part -------------- ?^kp???%?-?????jFF? ?L -------------- next part -------------- A non-text attachment was scrubbed... Name: file2.gpg Type: application/octet-stream Size: 47 bytes Desc: not available Url : /pipermail/attachments/20061107/2b31b8ed/file2.obj From emlynj at gmail.com Tue Nov 7 15:50:45 2006 From: emlynj at gmail.com (Emlyn Jones) Date: Tue Nov 7 17:54:42 2006 Subject: Multiple Sym. Encrypted Packets Message-ID: Hello, I've written some code to generate an encrypted message which I can successfully decrypt using gpg. Currently the packet stream contains one Public-Key Encrypted Session Key Packet and one Symmetrically Encrypted Data Packet and works perfectly. However, I would like to set up the packet stream to contain multiple pairs of these packets. When I try it gpg fails to correctly read the packet immediately following the SED packet (it finds an invalid packet). Am I making sense? This works: [PKESK][SED] as does this: [PKESK] [PKESK][SED] This doesn't: [PKESK][SED][PKESK][SED] (fails reading the second PKESK) This will read the two PKESK packets and the first SED but not the final one: [PKESK][PKESK][SED][SED] I have two questions: i)Should this be possible? ii)Are there any tools (other than gpg -vvv) to help debug what gpg is finding in my packet stream? iii)I'm pretty confident the size of the SED packet is specified correctly but do I need to make sure that the SED packet size is a multiple of the algorithm's block size? Any pointers gratefully received. Thanks, Emlyn. From me at psmay.com Tue Nov 7 18:26:14 2006 From: me at psmay.com (Peter S. May) Date: Tue Nov 7 18:24:43 2006 Subject: Question abut use of --cipher-algo AES & --openpgp In-Reply-To: <1162915475.4894.261.camel@sirius.brigham.net> References: <0MKpyh-1GhAt80Ofz-00048g@mx.perfora.net> <1162915475.4894.261.camel@sirius.brigham.net> Message-ID: <4550C1B6.80201@psmay.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Henry Hertz Hobbit wrote: > Even if you do have an encrypted file that doesn't use these, > is there anything wrong with the file command returning the > answers given for the first six bytes of the file? I can't > find any information that they are used for any other kind > of file. A trivial example: Your specified headers all take the form 8c 0d 04 XX ... The first byte, 8c, or bin 10001100, represents an old-format packet, tag 3, length type 0 (one octet length). 0d is the length (13), 04 is the packet version (4), XX is the cipher algorithm, and the rest may vary. A 100% semantically identical packet could be formatted starting like this: c3 ff 00 00 00 0d 04 XX ... The point isn't that this is normal, but that it is _allowed_ and _could_ be normal in another implementation. A related (and more real) problem with this heuristic check is that no part of the standard requires the tag-3 packet to be the first packet in the file. Because of this, you really need to use a program that knows how to grok all of OpenPGP to do this sort of checking. It's really not that hard to design one after having read RFC 2440--I can think of a few ways I'd do it in Perl--but there's no point in writing a new program for checking the packets in a GnuPG-produced file when GnuPG already does the same thing. My two more cents -- PSM -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFUMGxei6R+3iF2vwRAj23AKCq5pGs9LUGWXdq1GKIRcNkckW8bQCfUV1N Udr4sof6gyjayVVOTpwvNaI= =wIh2 -----END PGP SIGNATURE----- From me at psmay.com Tue Nov 7 18:45:18 2006 From: me at psmay.com (Peter S. May) Date: Tue Nov 7 18:43:36 2006 Subject: Multiple Sym. Encrypted Packets In-Reply-To: References: Message-ID: <4550C62E.8070809@psmay.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 My thinking is that this isn't so much a problem with packet formats as general syntax. It sounds like you're trying to put two distinct OpenPGP messages into the same file. The section "OpenPGP Messages" (10.3 in RFC2440-bis-18) in the spec defines the orders of packets that make sense. If you've taken a compiler design course or know how to use yacc/bison, it's straightforward to find that [PKESK][SED][PKESK][SED] and [PKESK][PKESK][SED][SED] are not syntactically valid. If you want your stream to contain multiple OpenPGP messages, you'll have to figure out how to do it outside of OpenPGP proper. Good fortune PSM Emlyn Jones wrote: > Hello, > I've written some code to generate an encrypted message which I can > successfully decrypt using gpg. Currently the packet stream contains > one Public-Key Encrypted Session Key Packet and one Symmetrically > Encrypted Data Packet and works perfectly. However, I would like to > set up the packet stream to contain multiple pairs of these packets. > When I try it gpg fails to correctly read the packet immediately > following the SED packet (it finds an invalid packet). Am I making > sense? > This works: > [PKESK][SED] > as does this: > [PKESK] [PKESK][SED] > > This doesn't: > [PKESK][SED][PKESK][SED] (fails reading the second PKESK) > > This will read the two PKESK packets and the first SED but not the final > one: > [PKESK][PKESK][SED][SED] > > I have two questions: > i)Should this be possible? > ii)Are there any tools (other than gpg -vvv) to help debug what gpg > is finding in my packet stream? > iii)I'm pretty confident the size of the SED packet is specified > correctly but do I need to make sure that the SED packet size is a > multiple of the algorithm's block size? > > Any pointers gratefully received. > Thanks, > Emlyn. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFUMYmei6R+3iF2vwRAhZSAKCJFNWzaUbpIEsKLN5GhtAQ06r26wCgqIaq Rf35KOxBShwNvsekgo2kjHc= =hmp9 -----END PGP SIGNATURE----- From wk at gnupg.org Tue Nov 7 18:47:56 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Nov 7 18:52:32 2006 Subject: Multiple Sym. Encrypted Packets In-Reply-To: (Emlyn Jones's message of "Tue\, 7 Nov 2006 14\:50\:45 +0000") References: Message-ID: <87u01bkv1v.fsf@wheatstone.g10code.de> On Tue, 7 Nov 2006 15:50, emlynj@gmail.com said: > This doesn't: > [PKESK][SED][PKESK][SED] (fails reading the second PKESK) Right. This is because the sematics of two concatenated OpenPGP messages are not well defined. > This will read the two PKESK packets and the first SED but not the final one: > [PKESK][PKESK][SED][SED] Indeed. GnuPG views this as [PKESK][PKESK][SED] and ignore the extra data at the end. > i)Should this be possible? > ii)Are there any tools (other than gpg -vvv) to help debug what gpg > is finding in my packet stream? Not really. > iii)I'm pretty confident the size of the SED packet is specified > correctly but do I need to make sure that the SED packet size is a > multiple of the algorithm's block size? PKESK = Public-Key Encrypted Session Key Packets (Tag 1) SKESK = Symmetric-Key Encrypted Session Key Packets (Tag 3) SED = Symmetrically Encrypted Data Packet (Tag 9 or 18) Using just an SED is only allowed for PGP2 compatibility. It is better to use a random session key for the ESD and encrypt that session key using a SKESK. Then you may use an arbitrary number and order of PKESK and SKESK: [PKESK][SKESK][PKESK][PKESK][SKESK][SKESK][SED] The actual content is encrypted in the SED and the other packets merely encrypt the random session used with the SED. Shalom-Salam, Werner From z.himsel at gmail.com Wed Nov 8 04:31:53 2006 From: z.himsel at gmail.com (Zach Himsel) Date: Wed Nov 8 04:29:49 2006 Subject: Shell script to encrypt/decrypt/sign/verify from clibpoard Message-ID: <8d5f78b30611071931i535adb3x60d55ae592459208@mail.gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm trying to make a shell script that would run in my that would read from the clipboard and encrypt/sign/decrypt/verify (probably have one script for each action, or pass an arg to the script to perform certain actions). How would I get gpg to read from the clipboard and then write the output back to that. Note: I am using gpg-agent, so user input is not a problem. - -- Zach Himsel OpenPGP Public Key: 0xD1093592 |_|0|_| =========================== |_|_|0| () ASCII Ribbon Campaign: against |0|0|0| /\ HTML mail & vCard signatures -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Key ID: 0xD1093592 Comment: ================================= Comment: () ASCII Ribbon Campaign: against Comment: /\ HTML mail & vCard signatures iQEVAwUBRVFPn5HoJdzRCTWSAQL4nwf/UsgYcucWMM0F3M8QzBwnVFwkW4IxisdI h39At5aaG9NqVqL59eKHbMz9wItwyIT+gOIWTC2nZZCMjySJesw3XEgUftfRHUFt ggpNFRwwQB+kCHizDwv3FemFVs/gB5xsmMf3iYkd7ZqEvJhoEemRM/uyoL6eWkx/ AynAb64/xDMBtLBBBCu+ivFBH6odDW/sA4DbXAd0XIIgU6gsgQmNePJW6awl1sR4 CeFUkBH+UXZUPQBUv6md5YpKCFLhXHifBzDJO+AxqUMEnqKTeqkgdpbhTOV+G2gt xMExg+04zuOWPlOggUJq1IX+U+G9O2epRxQxrXdYVU4v2Antqqa5eg== =QZ1e -----END PGP SIGNATURE----- From z.himsel at gmail.com Wed Nov 8 06:02:38 2006 From: z.himsel at gmail.com (Zach Himsel) Date: Wed Nov 8 06:01:04 2006 Subject: Fwd: Shell script to encrypt/decrypt/sign/verify from clibpoard In-Reply-To: <8d5f78b30611071955o1b16ddcapb55e4f8ac1493b5d@mail.gmail.com> References: <8d5f78b30611071931i535adb3x60d55ae592459208@mail.gmail.com> <8298be230611071945q11b50073ke8346d2b24bd76fb@mail.gmail.com> <8d5f78b30611071955o1b16ddcapb55e4f8ac1493b5d@mail.gmail.com> Message-ID: <8d5f78b30611072102l2c58e863v5c0258d76106db21@mail.gmail.com> SORRY GUYS!! I forgot to hit "Reply-to-all" so it didn't send to the group, just to Adam Schreiber. ---------- Forwarded message ---------- From: Zach Himsel Date: Nov 7, 2006 10:55 PM Subject: Re: Shell script to encrypt/decrypt/sign/verify from clibpoard To: Adam Schreiber -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/7/06, Adam Schreiber wrote: > If you're using the GNOME Desktop, Seahorse includes a panel applet > that does exactly that. > http://gnome.org/projects/seahorse > > Adam Schreiber > I'm using KDE, sorry. But I do actually use KGPG, which is (I'm guessing) the KDE equivalent of Seahorse. That is what I currently use to encrypt/sign/... my clipboard. But I have to go through 20 million steps in order to do that (copy input, click KGPG's Kicker icon, paste the input into KGPG's editor, click encrypt/sign/..., choose the key to encrypt it to (or my secret key for signing), copy the output to the clipboard, close the editor, paste the output to wherever I needed it). It becomes a pain in the ass to do *all the time*. I wanted to make a script to do all that in three steps (copy input, run script, paste output). I realized that KDE's clipboard program, Klipper, supports "actions". I.e. if it receives a clipboard entry beginning with a particular reg-exp, it will execute a certain action, or something like that. I'm not sure, but I'm investigating it. - -- Zach Himsel OpenPGP Public Key: 0xD1093592 |_|0|_| =========================== |_|_|0| () ASCII Ribbon Campaign: against |0|0|0| /\ HTML mail & vCard signatures -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Key ID: 0xD1093592 Comment: ================================= Comment: () ASCII Ribbon Campaign: against Comment: /\ HTML mail & vCard signatures iQEVAwUBRVFVN5HoJdzRCTWSAQLsPAf+NSsqdIcTc684YxuQsQwJtB856sXmW/EL nfHH6RLMJRf21Q8lf67SmLJend3AvqHpzLhkUuvKVGZlCajh/fMKN+MxHMeS3Dae JiRvCTomwUpADxX7R4rBT0puVOXShPvTbGMMibYXI9OSzSKVWUOKAy5kTF8jEs3Q MBtr8osKmv0JvFLYHJLVXhcavK2MPW5TOClNIUVvI5/Tn3W5t5mrr5tJbCy/D2uo /B5gBnUDcHJQBjxl2//5N9qDYskrOtM0FSLhXlUt/xSR4JXDk84HKx/baQBaPsaZ jpQjg9owNgJa5K8CWr7pDIZyw88iuCID+QtqD/CWrdGwX6GLAp3BuQ== =Myc7 -----END PGP SIGNATURE----- -- Zach Himsel OpenPGP Public Key: 0xD1093592 |_|0|_| =========================== |_|_|0| () ASCII Ribbon Campaign: against |0|0|0| /\ HTML mail & vCard signatures From z.himsel at gmail.com Wed Nov 8 06:19:35 2006 From: z.himsel at gmail.com (Zach Himsel) Date: Wed Nov 8 06:17:52 2006 Subject: Shell script to encrypt/decrypt/sign/verify from clibpoard In-Reply-To: <8298be230611072049l3fe8a08fxb2ecb3da4305ed86@mail.gmail.com> References: <8d5f78b30611071931i535adb3x60d55ae592459208@mail.gmail.com> <8298be230611071945q11b50073ke8346d2b24bd76fb@mail.gmail.com> <8d5f78b30611071955o1b16ddcapb55e4f8ac1493b5d@mail.gmail.com> <8298be230611072049l3fe8a08fxb2ecb3da4305ed86@mail.gmail.com> Message-ID: <8d5f78b30611072119x1b10bdfdi16803b8b3ada2c1f@mail.gmail.com> On 11/7/06, Adam Schreiber wrote: > That does sound complicated. It is... and it gets worse after *every* email I encrypt (which is quite a few) :-) > If you're in a programming mood, it might be interesting to see a QT > implementation of Seahorse's libcryptui. Our DBus interface can be > used in a desktop agnostic fashion. I'm *always* in a programming mood! :) But unfortunately, I don't know QT. Right now, I'll get by. I think there was a program I heard about somewhere that enabled the clipboard to be read from the console. OR.... Google could always code some kind of GnuPG encryption feature in their Gmail UI (which I am waiting for, and have suggested it to them many times). I know about Freenigma, but it is too "proprietary"/one-sided (it doesn't let you import your keyrings, and it locks your account with a custom created key) -- Zach Himsel OpenPGP Public Key: 0xD1093592 |_|0|_| =========================== |_|_|0| () ASCII Ribbon Campaign: against |0|0|0| /\ HTML mail & vCard signatures From brunij at earthlink.net Wed Nov 8 16:41:27 2006 From: brunij at earthlink.net (Joseph Oreste Bruni) Date: Wed Nov 8 16:40:11 2006 Subject: keyserver In-Reply-To: <20061107140159.GC5584@jabberwocky.com> References: <2157265.1162833247825.JavaMail.root@elwamui-rubis.atl.sa.earthlink.net> <20061106201451.GB5029@jabberwocky.com> <20061107140159.GC5584@jabberwocky.com> Message-ID: <28AC24D2-7D61-457B-803B-44D0AF2C2C82@earthlink.net> On Nov 7, 2006, at 7:01 AM, David Shaw wrote: > Personally, I think that LDAP is better for key populations that have > a distinct boundary: a company, for example. In a company, key > merging isn't really that useful or desirable, as generally there > isn't much back-and-forth key signing. Rather, the company signs each > key with the authoritative company key. > > Since you already have a running LDAP setup, it seems like an obvious > solution to use it rather than have to maintain a whole second server > (with backups, etc). > > LDAP has another side benefit if you choose to make it visible outside > the company: people who use PGP will automatically find keys for your > employees and encrypt their mail. When encrypting to > user@example.com, PGP universal looks for ldap://keys.example.com and > asks it for the user@example.com key. Put "auto-key-locate ldap" in > your gpg.conf, and GnuPG will do the same. I was able to get my LDAP server to work as a keyserver using the information found in the articles from earlier this year on this list but a few changes needed to be made to the layout and to the ACL. If I write up a how-to, would you be interested in hosting the page on the gnupg web site? I was thinking: OpenLDAP supports external modules. Perhaps an approach to supporting signature merging in LDAP would be to write a module that could perform this activity. Just a thought. That might be taking the LDAP server beyond what an LDAP server should be though... Joe -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2508 bytes Desc: not available Url : /pipermail/attachments/20061108/f09b197a/smime.bin From adam.schreiber at gmail.com Wed Nov 8 05:49:58 2006 From: adam.schreiber at gmail.com (Adam Schreiber) Date: Thu Nov 9 17:19:03 2006 Subject: Shell script to encrypt/decrypt/sign/verify from clibpoard In-Reply-To: <8d5f78b30611071955o1b16ddcapb55e4f8ac1493b5d@mail.gmail.com> References: <8d5f78b30611071931i535adb3x60d55ae592459208@mail.gmail.com> <8298be230611071945q11b50073ke8346d2b24bd76fb@mail.gmail.com> <8d5f78b30611071955o1b16ddcapb55e4f8ac1493b5d@mail.gmail.com> Message-ID: <8298be230611072049l3fe8a08fxb2ecb3da4305ed86@mail.gmail.com> On 11/7/06, Zach Himsel wrote: > On 11/7/06, Adam Schreiber wrote: > > If you're using the GNOME Desktop, Seahorse includes a panel applet > > that does exactly that. > > http://gnome.org/projects/seahorse > > > I'm using KDE, sorry. But I do actually use KGPG, which is (I'm > guessing) the KDE equivalent of Seahorse. That is what I currently use > to encrypt/sign/... my clipboard. But I have to go through 20 million > steps in order to do that (copy input, click KGPG's Kicker icon, paste > the input into KGPG's editor, click encrypt/sign/..., choose the key > to encrypt it to (or my secret key for signing), copy the output to > the clipboard, close the editor, paste the output to wherever I needed > it). It becomes a pain in the ass to do *all the time*. I wanted to > make a script to do all that in three steps (copy input, run script, > paste output). That does sound complicated. The applet I wrote simply takes the clipboard, acts upon it and then places the result back in the clipboard used either ctrl-v or middle click. If you're in a programming mood, it might be interesting to see a QT implementation of Seahorse's libcryptui. Our DBus interface can be used in a desktop agnostic fashion. Cheers, Adam From adam.schreiber at gmail.com Wed Nov 8 04:45:54 2006 From: adam.schreiber at gmail.com (Adam Schreiber) Date: Thu Nov 9 17:19:11 2006 Subject: Shell script to encrypt/decrypt/sign/verify from clibpoard In-Reply-To: <8d5f78b30611071931i535adb3x60d55ae592459208@mail.gmail.com> References: <8d5f78b30611071931i535adb3x60d55ae592459208@mail.gmail.com> Message-ID: <8298be230611071945q11b50073ke8346d2b24bd76fb@mail.gmail.com> On 11/7/06, Zach Himsel wrote: > I'm trying to make a shell script that would run in my that > would read from the clipboard and encrypt/sign/decrypt/verify > (probably have one script for each action, or pass an arg to the > script to perform certain actions). How would I get gpg to read from > the clipboard and then write the output back to that. If you're using the GNOME Desktop, Seahorse includes a panel applet that does exactly that. http://gnome.org/projects/seahorse Adam Schreiber From yahya_alameddine at yahoo.com Thu Nov 9 02:05:32 2006 From: yahya_alameddine at yahoo.com (Yahya Alameddine) Date: Thu Nov 9 17:19:16 2006 Subject: Gnupg Integrity check Message-ID: <20061109010532.22310.qmail@web56310.mail.re3.yahoo.com> Hello Guys I am a new user to Gnupg and i am having problems checking the integrity of the thunderbird Enigmail extension "enigmail-0.94.1.2-tb15-win+lin+mac.xpi" I have placed both the enigmail file (.xpi) and its signature file (.asc) provided by the official site in the same folder and i have used the following command: "gpg --verify enigmail-0.94.1.2-tb15-win+lin+mac.xpi.asc " It is returning the following result: gpg: Signature made 11/06/06 10:43:05 using DSA key ID 9369CDF3 gpg: Can't check signature: public key not found KNOWING THAT: I have placed the public key that i have copied from the site in the same folder under multiple names: 1-pubring.gpg 2-enigmail-0.94.1.2-tb15-win+lin+mac.xpi.gpg 3-pubring.asc The integrity check gave me the finger, i have searched everywhere for an answer but it is the same unclear answers. Please help Thk you guys From brunij at earthlink.net Thu Nov 9 17:51:18 2006 From: brunij at earthlink.net (Joseph Oreste Bruni) Date: Thu Nov 9 17:49:09 2006 Subject: Gnupg Integrity check In-Reply-To: <20061109010532.22310.qmail@web56310.mail.re3.yahoo.com> References: <20061109010532.22310.qmail@web56310.mail.re3.yahoo.com> Message-ID: You need to import the key in order for gpg to use it. Use the "gpg -- import" command. You will then need to sign the key so that gpg considers it "valid" using the "--sign-key" command or using the "sign" sub-command from inside the "--edit-key" menu. On Nov 8, 2006, at 6:05 PM, Yahya Alameddine wrote: > KNOWING THAT: I have placed the public key that i have copied from > the site in the same folder under > > multiple names: > > 1-pubring.gpg > 2-enigmail-0.94.1.2-tb15-win+lin+mac.xpi.gpg > 3-pubring.asc > > The integrity check gave me the finger, i have searched everywhere > for an answer but it is the same unclear answers. From dmdm00 at yahoo.com Thu Nov 9 19:06:17 2006 From: dmdm00 at yahoo.com (axel muller) Date: Thu Nov 9 20:25:04 2006 Subject: --edit-key command Message-ID: <20061109180617.18657.qmail@web55408.mail.re4.yahoo.com> what is the command in the edit-key section to add a missing uid to a key for example i have been asked in this way: Need add uid of send@... only has uid of config@... a) so how to add uid of send? Also would be nice for some unique shortname (8 characters or less) at the moment my key has a 12 charter name b) how to change to a unique shortname of say "pelt"? many thanks ___________________________________________________________ Der fr?he Vogel f?ngt den Wurm. Hier gelangen Sie zum neuen Yahoo! Mail: http://mail.yahoo.de From brunij at earthlink.net Thu Nov 9 20:33:02 2006 From: brunij at earthlink.net (Joseph Oreste Bruni) Date: Thu Nov 9 20:30:55 2006 Subject: --edit-key command In-Reply-To: <20061109180617.18657.qmail@web55408.mail.re4.yahoo.com> References: <20061109180617.18657.qmail@web55408.mail.re4.yahoo.com> Message-ID: <547ED771-2FC7-4233-ACD3-53A1036F0DD5@earthlink.net> Typing "help" at the --edit-key prompt will display a list and explanation of the various commands available. In this case, the "adduid" command would be used. Joe On Nov 9, 2006, at 11:06 AM, axel muller wrote: > what is the command in the edit-key section to add a > missing uid to a key > for example i have been asked in this way: > > > Need add uid of send@... > only has uid of config@... > > a) so how to add uid of send? > > Also would be nice for some unique shortname (8 > characters or less) > at the moment my key has a 12 charter name > > b) how to change to a unique shortname of say "pelt"? > > > many thanks > > > > > > > > > > > ___________________________________________________________ > Der fr?he Vogel f?ngt den Wurm. Hier gelangen Sie zum neuen Yahoo! > Mail: http://mail.yahoo.de > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From hhhobbit at securemecca.net Fri Nov 10 16:14:57 2006 From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Fri Nov 10 16:13:25 2006 Subject: Question about use of --cipher-algo AES & --openpgp In-Reply-To: <0MKqZr-1Ghfru3IMV-0002h8@mx.perfora.net> References: <0MKqZr-1Ghfru3IMV-0002h8@mx.perfora.net> Message-ID: <1163171698.5007.297.camel@sirius.brigham.net> On Tue, 2006-11-07 at 12:26 -0500, Peter S. May wrote: > Henry Hertz Hobbit wrote: > > Even if you do have an encrypted file that doesn't use these, > > is there anything wrong with the file command returning the > > answers given for the first six bytes of the file? I can't > > find any information that they are used for any other kind > > of file. > > A trivial example: Your specified headers all take the form > > 8c 0d 04 XX ... > > The first byte, 8c, or bin 10001100, represents an old-format packet, > tag 3, length type 0 (one octet length). 0d is the length (13), 04 is > the packet version (4), XX is the cipher algorithm, and the rest may vary. > > A 100% semantically identical packet could be formatted starting like this: > > c3 ff 00 00 00 0d 04 XX ... > > The point isn't that this is normal, but that it is _allowed_ and > _could_ be normal in another implementation. A related (and more real) > problem with this heuristic check is that no part of the standard > requires the tag-3 packet to be the first packet in the file. Because > of this, you really need to use a program that knows how to grok all of > OpenPGP to do this sort of checking. It's really not that hard to > design one after having read RFC 2440--I can think of a few ways I'd do > it in Perl--but there's no point in writing a new program for checking > the packets in a GnuPG-produced file when GnuPG already does the same thing. > > My two more cents -- PSM It is a worthwhile and at a much higher value than two cents, but I was NOT thinking of a new program. I was thinking of the magic number and the "file" command. Evidently, OpenPGP is totally incompatible with that and always will be. At least I can't see a way to make it fit. If you can, be my guest. It would require enumerating all of the possibilities and putting in ALL of them, but being careful you don't clobber something else in the process. This is now going beyond the scope of the initial request. It is just that I have sat there looking at files before with a file command giving back "data" not knowing what to do. In one case I was looking at thousands of unknown files amidst Mechanical Engineering AutoCad files and not knowing what they were. I removed them, but looking back on the episode I had no way of knowing what went where anyway. Those files also had no extension to give me a clue and the file command just gave me back "data." I do suggest the following script instead (unless you like one line PERL statements): #!/bin/sh # change the following if you have multiple versions GPG=/usr/local/bin/gpg echo if test "$#" -eq 0 then echo usage: "ciphertype " echo exit 1 fi for FILE in $* do if [ -s ${FILE} ] then echo ${FILE} echo --------------------------------- $GPG --list-packets --list-only ${FILE} 2>&1 | head -n 1 echo fi done exit ----- Here is the result of running it on some files: $ ./ciphertype TOOMUCH.AES192 TOOMUCH.TWOFISH TOOMUCH TOOMUCH.AES192 --------------------------------- gpg: AES192 encrypted data TOOMUCH.TWOFISH --------------------------------- gpg: TWOFISH encrypted data TOOMUCH --------------------------------- gpg: no valid OpenPGP data found. Either that, or just run gpg with the -list-packets --list-only and look at all of it. I suspect the assumption that the encryption type always showing up on the first line may be a wrong one. Therefore my advice is to just show all of it. At least you know where I was heading - magic data in the magic database for the file command to recognize the files. OpenPGP is not the first, nor will they be the last to be incompatible. All that does is reinforce the notion that you can't just throw the file name extension out the door and try to depend on the file command for everything. In this case the extension is needed. I would prefer to have both the magic info / "date" command AND the file name extension. It also may be nice to have just one extension for all OpenPGP compliant programs. If that isn't possible for what ever reason, people using PGP should not have problems sending to GnuPG users or vice-versa. It seems like I read about somebody having problems with it. The work-around seemed to be a change in the config files. If that is the case, then the config files should be changed, with a FAQ somewhere on how to alter older configs for interoperability. This does go to the subject in question; well I think it does. At least now you know where I was headed. We just didn't make it ... Sorry HHH From hhhobbit at securemecca.net Fri Nov 10 16:43:17 2006 From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Fri Nov 10 16:41:24 2006 Subject: Question about use of --cipher-algo AES & --openpgp In-Reply-To: <1163171698.5007.297.camel@sirius.brigham.net> References: <0MKqZr-1Ghfru3IMV-0002h8@mx.perfora.net> <1163171698.5007.297.camel@sirius.brigham.net> Message-ID: <1163173397.5007.317.camel@sirius.brigham.net> On Fri, 2006-11-10 at 08:14 -0700, Henry Hertz Hobbit wrote: > command for everything. In this case the extension is needed. I > would prefer to have both the magic info / "date" command AND > the file name extension. It also may be nice to have just one OOPS! I meant 'magic info / "file" command AND the file name extension'. I AM tired! I am going to take a nap. As an example, Ethereal (Wireshark) doesn't put on an extension when you save in pcap (tcpdump) format on Linux (I think it should). But you better put ".trace" on the end of it when you send the file to somebody who uses MS Windows. They depend on the extension. I didn't pick that one randomly. That extension means at least six different things, showing just how important the magic data and the file command are. Even the PGP extension has multiple meanings: http://filext.com/detaillist.php?extdetail=pgp&Search=Search We are lucky with GPG (so far): http://filext.com/detaillist.php?extdetail=gpg&Search=Search There is nothing with extension ".openpgp". HHH From me at psmay.com Fri Nov 10 18:06:14 2006 From: me at psmay.com (Peter S. May) Date: Fri Nov 10 18:04:25 2006 Subject: Question about use of --cipher-algo AES & --openpgp In-Reply-To: <1163171698.5007.297.camel@sirius.brigham.net> References: <0MKqZr-1Ghfru3IMV-0002h8@mx.perfora.net> <1163171698.5007.297.camel@sirius.brigham.net> Message-ID: <4554B186.9030300@psmay.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Henry Hertz Hobbit wrote: > It is a worthwhile and at a much higher value than two cents, but I > was NOT thinking of a new program. I was thinking of the magic number > and the "file" command. Evidently, OpenPGP is totally incompatible > with that and always will be. At least I can't see a way to make it > fit. If you can, be my guest. It would require enumerating all of the > possibilities and putting in ALL of them, but being careful you don't > clobber something else in the process. I don't know how the internals of "file" work. If I were trying to get a generic file-like program to grok OpenPGP, here's probably how I'd go about it: * If the first non-blank line started "--- BEGIN PGP ", it would probably be reasonable to call it armored OpenPGP and perhaps look into it further, to figure out a subtype. * If the file program decides the file isn't any other type it recognizes, take a look at the first byte of the file, which must be a valid OpenPGP packet tag. You could run some or all of these tests before passing the file on to GPGME, which would ultimately determine a file's reasonable OpenPGP compatibility. Some assumptions based on bis-18: (in pseudocode, of course) function is_pgp_packet_tag (byte) if byte & 0xC0 == 0xC0 // new format tag tag_number = byte & 0x3f else if byte & 0xC0 == 0x80 // old format tag tag_number = (byte & 0x3c) >> 2 else return false // first bit is always set if tag_number == 0 return false // 0 is reserved // the rest of the assumptions may change with future // versions of the spec and need to be kept up to date if tag_number == 15 or tag_number == 16 return false // 15 and 16 are not currently defined if tag_number >= 20 return false // Values 20 to 59 are not currently defined // Values 60 to 63 are defined as private and GPG can't grok them After those checks, I would either pass the file on to GPGME or run one more heuristic first: Read a packet header. If it's valid, extract the length it specifies and jump forward that many bytes. Then repeat. If any of the tags are !is_pgp_packet_tag(), or if the last length specifier you find leads you past the end of the file, it's not OpenPGP. Else, it has a significant chance of being formally correct. Might be too complicated a check for file, but I think it would work. PSM -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFVLGDei6R+3iF2vwRAputAKCHDJd+amCEfpx4Bqr/Rdhg6bhYDQCfTWrB eiuu9uMUKolveQBULvybWv4= =VsH/ -----END PGP SIGNATURE----- From anonymous at remailer.metacolo.com Fri Nov 10 23:35:24 2006 From: anonymous at remailer.metacolo.com (Anonymous Sender) Date: Sat Nov 11 01:24:33 2006 Subject: Shell script to encrypt/decrypt/sign/verify from clibpoard In-Reply-To: <8d5f78b30611072119x1b10bdfdi16803b8b3ada2c1f@mail.gmail.com> References: <8d5f78b30611071931i535adb3x60d55ae592459208@mail.gmail.com> <8298be230611071945q11b50073ke8346d2b24bd76fb@mail.gmail.com> <8d5f78b30611071955o1b16ddcapb55e4f8ac1493b5d@mail.gmail.com> <8298be230611072049l3fe8a08fxb2ecb3da4305ed86@mail.gmail.com> <8d5f78b30611072119x1b10bdfdi16803b8b3ada2c1f@mail.gmail.com> Message-ID: <1f8f4037520e32252b0635e6485d054d@remailer.metacolo.com> Zach Himsel [08/11/2006]: > I think there was a program I heard about somewhere that enabled the > clipboard to be read from the console. Could that be Kim Saunders' "xclip"? It's available at http://people.debian.org/~kims/xclip From pessoa at angulosolido.pt Fri Nov 10 23:39:02 2006 From: pessoa at angulosolido.pt (Pedro Pessoa) Date: Sat Nov 11 01:24:47 2006 Subject: Failure to sign with gpgsm Message-ID: <200611102239.02554.pessoa@angulosolido.pt> Altough I can sign with a certificate from Thawte, when using a certificate from the Portuguese nacional laywer association I'm having this error: gpgsm: error creating signature: No value The certificate tree is correctly verified: gpgsm: DBG: gcry_pk_verify: Success gpgsm: certificate is good gpgsm: DBG: got issuer's certificate: gpgsm: DBG: BEGIN Certificate `issuer': (...) gpgsm: DBG: gcry_pk_verify: Success gpgsm: error creating signature: No value Any thoughts on this? What's going on? I've tried the following versions: gnupg2 1.9.16 with libksba 0.9.11 and gnupg2 1.9.22 with libksba 0.9.15 both give out the same error. Thanks a lot! Pedro From wk at gnupg.org Sat Nov 11 15:15:03 2006 From: wk at gnupg.org (Werner Koch) Date: Sat Nov 11 15:17:16 2006 Subject: Latest news from Duesseldorf and Bolzano Message-ID: <874pt6134o.fsf@wheatstone.g10code.de> Hi! Today it is not just the awakening of Hoppeditz [1] but also GnuPG 2.0.0 has hit the server: ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.0.0.tar.bz2 (3813k) ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.0.0.tar.bz2.sig A real announcement will follow soon. Shalom-Salam, Werner [1] http://wn.wikipedia.org/wiki/Hoppeditz (German) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 196 bytes Desc: not available Url : /pipermail/attachments/20061111/ae7887db/attachment.pgp From benjamin at py-soft.co.uk Sat Nov 11 19:51:00 2006 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Sat Nov 11 19:58:39 2006 Subject: OpenPGP Card implementation In-Reply-To: <4533ABC1.3050903@digitalbrains.com> References: <4533ABC1.3050903@digitalbrains.com> Message-ID: <45561B94.3010003@py-soft.co.uk> Peter Lebbing wrote: > Is the implementation of the current OpenPGP Card open source? If so, > how can I obtain the source? It struck me as ironic that OpenPGP isn't that open! I started work on an open implementation on a BasicCard but, due to licensing restrictions, I am unable to get a card with RSA card built in and implementing RSA using the binary left to right method in Basic with limited memory and processing power is no mean feat! Plus the development kit is only available under Windows! When I get more time I hope to return to it, but it's not a priority for me. Ben From mailing at edv-fervers.de Sat Nov 11 18:55:06 2006 From: mailing at edv-fervers.de (Volker Fervers) Date: Sat Nov 11 20:54:43 2006 Subject: Latest news from Duesseldorf and Bolzano In-Reply-To: <874pt6134o.fsf@wheatstone.g10code.de> References: <874pt6134o.fsf@wheatstone.g10code.de> Message-ID: <200611111855.10212.mailing@edv-fervers.de> Am Samstag, 11. November 2006 15:15 schrieb Werner Koch: > [1] http://wn.wikipedia.org/wiki/Hoppeditz (German) http://de.wikipedia.org/wiki/Hoppeditz From daniel-gnupg-users at rio-grande.ping.de Sat Nov 11 22:32:38 2006 From: daniel-gnupg-users at rio-grande.ping.de (Daniel Hess) Date: Sun Nov 12 00:24:07 2006 Subject: Latest news from Duesseldorf and Bolzano In-Reply-To: <874pt6134o.fsf@wheatstone.g10code.de> References: <874pt6134o.fsf@wheatstone.g10code.de> Message-ID: <20061111213237.GA1836@rio-grande.ping.de> Hello On Sat, Nov 11, 2006 at 03:15:03PM +0100, Werner Koch wrote: > Today it is not just the awakening of Hoppeditz [1] but also GnuPG > 2.0.0 has hit the server: > > ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.0.0.tar.bz2 (3813k) > ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.0.0.tar.bz2.sig > > A real announcement will follow soon. I've problems building it on debian unstable with GNU Pth. The build is aborted with the following error message: if gcc -DHAVE_CONFIG_H -I. -I. -I.. -I../gl -I/usr/include \ -I/usr/include -Wall -g -O2 -Wall -Wcast-align -Wshadow -Wstrict-prototypes -Wno-format-y2k -Wformat-security -Wformat-nonliteral -Wno-pointer-sign -MT libcommonpth_a-estream.o -MD -MP -MF ".deps/libcommonpth_a-estream.Tpo" -c -o libcommonpth_a-estream.o `test -f 'estream.c' || echo './'`estream.c; \ then mv -f ".deps/libcommonpth_a-estream.Tpo" ".deps/libcommonpth_a-estream.Po"; else rm -f ".deps/libcommonpth_a-estream.Tpo"; exit 1; fi estream.c: In function ?es_print?: estream.c:1689: error: ?cookie_io_functions_t? has no member named ?pth_write? I've traced it down to pth.h which has PTH_SYSCALL_SOFT to 1 per default, because it's configured with --enable-pthread, which implies --enable-syscall-soft, by debian. With PTH_SYSCALL_SOFT set to 1 the pth.h header enables some #defines which replace write with pth_write. This way io.write is replaced with io.pth_write and the non existing member pth_write is used, which does not succeed. I've now placed an "# define PTH_SYSCALL_SOFT 0" top of "# include ", which disables the define in pth.h. Greetings Daniel From brunij at earthlink.net Sun Nov 12 02:53:14 2006 From: brunij at earthlink.net (Joseph Oreste Bruni) Date: Sun Nov 12 02:51:08 2006 Subject: Latest news from Duesseldorf and Bolzano In-Reply-To: <874pt6134o.fsf@wheatstone.g10code.de> References: <874pt6134o.fsf@wheatstone.g10code.de> Message-ID: <94ADB1B1-4D01-4CB2-BC3C-A5D51B9141A5@earthlink.net> Does not build on OS X (10.4.8). While trying to build libgpg-error I received the following link error: ld: common symbols not allowed with MH_DYLIB output format with the - multi_module option ../intl/libintl.a(loadmsgcat.o) definition of common __nl_msg_cat_cntr (size 4) ../intl/libintl.a(dcigettext.o) definition of common _libintl_nl_domain_bindings (size 4) ../intl/libintl.a(plural-exp.o) definition of common _libintl_gettext_germanic_plural (size 20) On Nov 11, 2006, at 7:15 AM, Werner Koch wrote: > Hi! > > Today it is not just the awakening of Hoppeditz [1] but also GnuPG > 2.0.0 has hit the server: > > ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.0.0.tar.bz2 (3813k) > ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.0.0.tar.bz2.sig > > A real announcement will follow soon. > > > Shalom-Salam, > > Werner > > > [1] http://wn.wikipedia.org/wiki/Hoppeditz (German) > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2508 bytes Desc: not available Url : /pipermail/attachments/20061111/54301cae/smime-0001.bin From peter at digitalbrains.com Sun Nov 12 12:56:47 2006 From: peter at digitalbrains.com (Peter Lebbing) Date: Sun Nov 12 12:54:59 2006 Subject: Question about use of --cipher-algo AES & --openpgp In-Reply-To: <1163171698.5007.297.camel@sirius.brigham.net> References: <0MKqZr-1Ghfru3IMV-0002h8@mx.perfora.net> <1163171698.5007.297.camel@sirius.brigham.net> Message-ID: <45570BFF.9010806@digitalbrains.com> Henry Hertz Hobbit wrote: > > and the "file" command. Evidently, OpenPGP is totally incompatible > with that and always will be. At least I can't see a way to make it > fit. If you can, be my guest. It would require enumerating all of the > possibilities and putting in ALL of them, but being careful you don't > clobber something else in the process. The "file" command is a very useful tool for identifying files, but in my opinion it is not necessary that it can obtain detailed information from a file. You could probably write a magic info entry that succesfully identifies a file as generally an OpenPGP file (of course always with the possibility of false positives). Once you know it's OpenPGP, you just use gpg to look at the details. "file" gives you a good hint towards which tool to use to interpret the file, and that tool can subsequently be used to get the real information about the file. Peter. From peter at digitalbrains.com Sun Nov 12 13:12:45 2006 From: peter at digitalbrains.com (Peter Lebbing) Date: Sun Nov 12 13:10:58 2006 Subject: OpenPGP Card implementation In-Reply-To: <45561B94.3010003@py-soft.co.uk> References: <4533ABC1.3050903@digitalbrains.com> <45561B94.3010003@py-soft.co.uk> Message-ID: <45570FBD.9010103@digitalbrains.com> Benjamin Donnachie wrote: > It struck me as ironic that OpenPGP isn't that open! I started work on > an open implementation on a BasicCard but, due to licensing > restrictions, I am unable to get a card with RSA card built in and > implementing RSA using the binary left to right method in Basic with > limited memory and processing power is no mean feat! I got interested as well and though I understand it, I also see a lot of added value in a true Open Source implementation. I'm looking into implementing it on a general processor microcontroller, I have experience with microcontroller programming. The main problem I see so far is working out a way to get decent random numbers, for blinding and key generation. Personally I don't use the latter function, because it lacks the possibility for backups. So far, it seems all cards that offer a true RNG out-of-the-box are exactly those cards that also have other crypto functions, and all have Non-Disclosure Agreements. It would be so great if general-purpose CPU smartcards would be taken to a new level with true RNG and more memory without any NDA's! Limited memory is an issue, but I think not a show stopper. Hardware TRNG isn't even difficult to create AFAIK, but obviously you can't add one to a smartcard yourself. I understand the decisions taken in the current and only implementation of the OpenPGP card, but it's interesting to try other approaches. In the worst case you build experience :). And when there is an unsurmountable problem, it might provide a nice code-base to work from when a future card would overcome those problems (I'm mostly thinking of TRNG and memory size). Peter. From hhhobbit at securemecca.net Sun Nov 12 13:18:41 2006 From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Sun Nov 12 13:16:53 2006 Subject: Question about use of --cipher-algo AES & --openpgp In-Reply-To: <0MKqdz-1Gj4Xu401G-0002Qs@mx.perfora.net> References: <0MKqdz-1Gj4Xu401G-0002Qs@mx.perfora.net> Message-ID: <45571121.9080209@securemecca.net> "Peter S. May" wrote: > I don't know how the internals of "file" work. If I were trying to get > a generic file-like program to grok OpenPGP, here's probably how I'd go > about it: > > * If the first non-blank line started "--- BEGIN PGP ", it would > probably be reasonable to call it armored OpenPGP and perhaps look into > it further, to figure out a subtype. > * If the file program decides the file isn't any other type it > recognizes, take a look at the first byte of the file, which must be a > valid OpenPGP packet tag. You could run some or all of these tests > before passing the file on to GPGME, which would ultimately determine a > file's reasonable OpenPGP compatibility. Some assumptions based on bis-18: > > (in pseudocode, of course) > > function is_pgp_packet_tag (byte) > if byte & 0xC0 == 0xC0 // new format tag > tag_number = byte & 0x3f > else if byte & 0xC0 == 0x80 // old format tag > tag_number = (byte & 0x3c) >> 2 > else > return false // first bit is always set > > if tag_number == 0 > return false // 0 is reserved > > // the rest of the assumptions may change with future > // versions of the spec and need to be kept up to date > if tag_number == 15 or tag_number == 16 > return false // 15 and 16 are not currently defined > if tag_number >= 20 > return false > // Values 20 to 59 are not currently defined > // Values 60 to 63 are defined as private and GPG can't grok them > > After those checks, I would either pass the file on to GPGME or run one > more heuristic first: Read a packet header. If it's valid, extract the > length it specifies and jump forward that many bytes. Then repeat. If > any of the tags are !is_pgp_packet_tag(), or if the last length > specifier you find leads you past the end of the file, it's not OpenPGP. > Else, it has a significant chance of being formally correct. > > Might be too complicated a check for file, but I think it would work. > > PSM I was originally only going to respond to the Peter May out of group. The more I think about it, that would be the wrong thing to do. If what he has is what everybody can live with (I didn't see any objections) not only for now but into the forseeable future we are okay. If you can't live with it, speak up now and tell us WHERE we are going wrong! This discussion if continued will be going out of group. First, the file command does read into a --armor encrypted file and from what is on the very first line, it KNOWS what it is: $ file TOOMUCH.asc TOOMUCH.asc: PGP armored data message It is when you do NOT use --armor (-a) when file doesn't know what to do with it. The file command uses the magic database. On my system and most Linux systems it would be here but it will be in different places on different systems: $ ls -1 /usr/share/file magic # human readable for "file" command magic.mgc # binary USED by "file" command magic.mime # human readable for KMimeMagic magic.mime.mgc # binary USED by KMimeMagic You don't edit these files directly, They are created from source. You will NOT see the magic.mime* files if you don't have KDE. To know a little about magic, just do: man magic # this will tell where the magic files are man file You can see that the byte order can be easily handled as LONG as it doesn't start to conflict with something else. The file command can't use GPGME (what do you if it isn't there?). file needs to be self contained except for its database. If you look for ELF in the "magic" file, the very first thing you see is: # ORCA/EZ assembler: # # This will not identify ORCA/M source files, since those have # some sort of date code instead of the two zero bytes at 6 and 7 # XXX Conflicts with ELF file will NEVER identify that kind of a file because of a conflict with ELF. Usually, if there are conflicts, the people submitting the information will drop it if they have far less files. It isn't who is first that trumps the others. It is which file is most likely to be seen when you have collisions that wins out. Most people don't even know what an ORCA/EZ assembler file is. I picked ELF for a reason. If you look at how ELF does it you can see how they handle SOME of the conditionals which need to be handled for various big-endian / little-endian and chip bit sizes to arrive at the proper string. That would give you some idea of how to pick the proper strings for the encryption types. The only problem is, ELF ALWAYS starts with the first four bytes "\177ELF". We don't have that with a PGP encrypted file. We have multiple ways of starting, etc. There is a slight possibility of unrolling all that into MULTIPLE definitions but not just ONE. It still looks to me like what OpenPGP has done is incompatible with the file program. If you want to look into it further, I suggest we go off-group to do it, but ONLY if everybody is happy that your analysis is correct and COMPLETE! It looks awfully convoluted to me though (not your analysis - their multiple ways for creating an encrypted file). The file command never was designed with what OpenPGP has done in creating their files in mind. And if they add even more it will become even more impossible at putting the information into the magic database that file uses. So people better make sure they use the correct filename extension (.gpg or .pgp) when they create an OpenPGP encrypted file. That will probably be all we have to go on to identify what it is. We will need the OpenPGP programs to do the rest of the identification. HHH PS If I didn't know better, I would say they designed the various file header formats to be incompatible with the file command. From benjamin at py-soft.co.uk Sun Nov 12 15:07:00 2006 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Sun Nov 12 15:02:21 2006 Subject: gpg-agent and pinentry MacOS In-Reply-To: <451155CF.3020308@sara.nl> References: <4510D9C9.1090707@sara.nl> <45115225.6010207@py-soft.co.uk> <451155CF.3020308@sara.nl> Message-ID: <45572A84.40207@py-soft.co.uk> Remco Post wrote: >> I think that's been fixed in the latest version. Unfortunately, I was >> busy packaging up 1.4.5 and haven't had chance to look at gpg2 again. >> I'll try to get a "proper" package for gpg2 done over the next week or so. > cool, thanks. Now that v2 has been released, I hope to get it done soon (work permitting). Ben From ivalladolidt at terra.es Mon Nov 13 11:46:21 2006 From: ivalladolidt at terra.es (Ismael Valladolid Torres) Date: Mon Nov 13 13:54:06 2006 Subject: OpenPGP Card implementation In-Reply-To: <45570FBD.9010103@digitalbrains.com> References: <4533ABC1.3050903@digitalbrains.com> <45561B94.3010003@py-soft.co.uk> <45570FBD.9010103@digitalbrains.com> Message-ID: <20061113104621.GG1352@gmail.com> Peter Lebbing escribe: > I got interested as well and though I understand it, I also see a lot of > added value in a true Open Source implementation. I'm looking into > implementing it on a general processor microcontroller, I have > experience with microcontroller programming. The main problem I see so > far is working out a way to get decent random numbers, for blinding and > key generation. Personally I don't use the latter function, because it > lacks the possibility for backups. Usually microcontroller manufacturers (Atmel, Infineon, Samsung...) do include hardware based RNG in their chips, don't they? Cordially, Ismael -- Ismael Valladolid Torres "Il est vain de pleurer sur l'esprit, il suffit de travailler pour lui." Albert Camus http://digitrazos.info/ http://lamediahostia.blogspot.com/ OpenPGP key ID: 0xDE721AF4 http://www.hispasonic.com/foro73.html Jabber ID: ivalladt@jabberes.org From wk at gnupg.org Mon Nov 13 12:27:32 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Nov 13 14:03:54 2006 Subject: [Announce] GnuPG 2.0 released Message-ID: <87d57r37tn.fsf@wheatstone.g10code.de> Skipped content of type multipart/signed-------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From benjamin at py-soft.co.uk Mon Nov 13 14:31:14 2006 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Mon Nov 13 14:29:56 2006 Subject: OpenPGP Card implementation In-Reply-To: <45570FBD.9010103@digitalbrains.com> References: <4533ABC1.3050903@digitalbrains.com> <45561B94.3010003@py-soft.co.uk> <45570FBD.9010103@digitalbrains.com> Message-ID: <455873A2.2000007@py-soft.co.uk> Peter Lebbing wrote: > I got interested as well and though I understand it, I also see a lot of > added value in a true Open Source implementation. Replied off list. Ben From wk at gnupg.org Mon Nov 13 15:05:33 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Nov 13 15:11:36 2006 Subject: OpenPGP Card implementation In-Reply-To: <45561B94.3010003@py-soft.co.uk> (Benjamin Donnachie's message of "Sat\, 11 Nov 2006 18\:51\:00 +0000") References: <4533ABC1.3050903@digitalbrains.com> <45561B94.3010003@py-soft.co.uk> Message-ID: <87psbrzbki.fsf@wheatstone.g10code.de> On Sat, 11 Nov 2006 19:51, benjamin@py-soft.co.uk said: > It struck me as ironic that OpenPGP isn't that open! I started work on OpenPGP is define by RFC2440 and as "open" as any RFC. The OpenPGP card Speification by Achim Pietig and me is very similar to an RFC. > an open implementation on a BasicCard but, due to licensing > restrictions, I am unable to get a card with RSA card built in and That is indeed a pity and the reason why we can't discose the source code of the card. Most of it is in Zeitcontrol's OS for the card and the actual application is very small. Thanks to the pay-tv's lawyers and the tv card crackers the problems on selling certain crypto cards exists. The rumour goes that they blackmail the chip vendors (like Atmel) to stop processing chips which are too easy to be used by tv card crackers. I call that "security through lawyers". Shalom-Salam, Werner From wk at gnupg.org Mon Nov 13 15:07:35 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Nov 13 15:11:46 2006 Subject: OpenPGP Card implementation In-Reply-To: <20061113104621.GG1352@gmail.com> (Ismael Valladolid Torres's message of "Mon\, 13 Nov 2006 11\:46\:21 +0100") References: <4533ABC1.3050903@digitalbrains.com> <45561B94.3010003@py-soft.co.uk> <45570FBD.9010103@digitalbrains.com> <20061113104621.GG1352@gmail.com> Message-ID: <87lkmfzbh4.fsf@wheatstone.g10code.de> On Mon, 13 Nov 2006 11:46, ivalladolidt@terra.es said: > Usually microcontroller manufacturers (Atmel, Infineon, Samsung...) do > include hardware based RNG in their chips, don't they? You want a chip with a hardware accelerator for RSA. RNG's are not the problem. Salam-Shalom, Werner From ivalladolidt at terra.es Mon Nov 13 16:02:54 2006 From: ivalladolidt at terra.es (Ismael Valladolid Torres) Date: Mon Nov 13 16:00:52 2006 Subject: OpenPGP Card implementation In-Reply-To: <87lkmfzbh4.fsf@wheatstone.g10code.de> References: <4533ABC1.3050903@digitalbrains.com> <45561B94.3010003@py-soft.co.uk> <45570FBD.9010103@digitalbrains.com> <20061113104621.GG1352@gmail.com> <87lkmfzbh4.fsf@wheatstone.g10code.de> Message-ID: <20061113150254.GO1352@gmail.com> Werner Koch escribe: > On Mon, 13 Nov 2006 11:46, ivalladolidt@terra.es said: > > > Usually microcontroller manufacturers (Atmel, Infineon, Samsung...) do > > include hardware based RNG in their chips, don't they? > > You want a chip with a hardware accelerator for RSA. RNG's are not the > problem. AFAIK some of them also include hardware accelerators for RSA. Cordially, Ismael -- Ismael Valladolid Torres "Il est vain de pleurer sur l'esprit, il suffit de travailler pour lui." Albert Camus http://digitrazos.info/ http://lamediahostia.blogspot.com/ OpenPGP key ID: 0xDE721AF4 http://www.hispasonic.com/foro73.html Jabber ID: ivalladt@jabberes.org From rstoddard at voyager.net Mon Nov 13 16:03:25 2006 From: rstoddard at voyager.net (Richard H. Stoddard) Date: Mon Nov 13 16:03:55 2006 Subject: GnuPG 2.0 Message-ID: <1657673143.20061113200325@voyager.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 I received the notice that 2.0 has been released. I'm currently using GnuPG 1.4.5, which I downloaded as part of the Gnu for Windows package, and GPGshell for Windows 3.52. Can I upgrade to v2.0 without abandoning GPGshell? Do I need to uninstall the earlier version if I don't want to run them side by side or can I just install the newer version over the older? I apologize for asking such basic questions, but I'm somewhat new to GnuPG. - -- Thanks, Rick -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) - GPGshell v3.52 iQIcBAEBCAAGBQJFWIkwAAoJELf6ImSjvaeWs1sP/2LmW+Gqh7i19girFw8z9k19 lpdpJgh8GUnxag69GXyPFaI4yn6UZMzmJVwGLPUOiBsfTU3sFt3+i9/ksi+xTKHM /A5ohIQ+XPZQ61v5Hc5QO6fQIj5OAoriLnwTcTQUez9syfPGjPrEgoaxs4jYQ9gj Z5fljJXLozJbZF4VOoS4HzKnUvrHDuneuggcMwn2NoywHOTN1D7M4nA4f2ZAkqwd UHVmNDVBv7x604LG4Jz3HRI5rrMDsC75AENMupFZWo3/S6ma4quO6Onkt6e4VES5 gIAiOioTWJjBAhcx4+grLSRXWaFWX++86NKtBjQc902F1NA2BrRahRcGwaFbUOMR Pc2RDDxkIyTIsGyql758SYxNppM6re6IrQ9Vw8DcCn8f9IcmT/G8zbzUKucfgnpb 1+dijvTDNcSj3+revejRbYCB5f+h+jXVCcgew4iOYskgz7FePU5m3eDwEhtGm9F1 FFnQW3Euy0pAD/P4I990Dz2YO6oYr0W3gK+jDA+W9GKmLF2FHp+JAneR6QIDMEgk 1cSoJONyOikW+7MzzU1pN94440A/a3vCS0woXYpFtBqLXWPj4XA9ngD28y5woHvV GVr47oYIvh+PZmdKYzB07P/Qvk6sFyv4+iF7QcX8epndGK3T6D0/LVGv2vuHHLDc 8/JFuYMEgJaybmqqrlCZ =FKCZ -----END PGP SIGNATURE----- From wk at gnupg.org Mon Nov 13 16:28:18 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Nov 13 16:31:44 2006 Subject: GnuPG 2.0 In-Reply-To: <1657673143.20061113200325@voyager.net> (Richard H. Stoddard's message of "Mon\, 13 Nov 2006 20\:03\:25 +0500") References: <1657673143.20061113200325@voyager.net> Message-ID: <87d57rz7ql.fsf@wheatstone.g10code.de> On Mon, 13 Nov 2006 16:03, rstoddard@voyager.net said: > I received the notice that 2.0 has been released. I'm currently using > GnuPG 1.4.5, which I downloaded as part of the Gnu for Windows > package, and GPGshell for Windows 3.52. Can I upgrade to v2.0 without There is no version of GnuPG 2 for Windows. A port to Windows might eventually be done but as of now I see no reason for it. Shalom-Salam, Werner From marcus.brinkmann at ruhr-uni-bochum.de Mon Nov 13 16:25:20 2006 From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Mon Nov 13 17:48:07 2006 Subject: [Announce] Scute 1.0 released Message-ID: <87y7qfl673.wl%marcus.brinkmann@ruhr-uni-bochum.de> Hello! g10 Code GmbH is pleased to announce the availability of the new software package Scute. Scute is a PKCS #11 implementation for the OpenPGP card using the GnuPG 2.0 framework. It allows you to use your OpenPGP card for client authentication in Mozilla-based web browsers. Scute is distributed under the terms of the GNU General Public License (GPL). Scute works best on GNU/Linux or *BSD systems. Other POSIX compliant systems are also supported but have not yet been tested very well. Getting the Software ==================== Please follow the instructions found at http://www.scute.org/download.xhtml or read on: Scute may be downloaded from one of the GnuPG mirror sites or directly from ftp://ftp.gnupg.org/gcrypt/ . The list of mirrors can be found at http://www.gnupg.org/mirrors.html . On the mirrors you should find the following files in the *scute* directory: scute-1.0.0.tar.bz2 scute-1.0.0.tar.bz2.sig Scute source compressed using BZIP2 and OpenPGP signature. Please try another mirror if exceptional your mirror is not yet up to date. Scute requires a couple of libraries to be installed; see the README file for details. Checking the Integrity ====================== In order to check that the version of Scute which you are going to install is an original and unmodified one, simply check the supplied signature. For example to check the signature of the file scute-1.0.0.tar.bz2 you would use this command: gpg --verify scute-1.0.0.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using the command finger wk ,at' g10code.com or using a key server like gpg --recv-key 1CE0C630 The distribution key 1CE0C630 is signed by the well known key 5B0358A2. If you get an key expired message, you should retrieve a fresh copy as the expiration date might have been prolonged. NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION! Documentation ============= Documentation is currently only available in the file README. More detailed instructions will be part of the next version and become available on the web page in the next two weeks. Support ======= Improving Scute is costly, but you can help! We are looking for organizations that find Scute useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or by donating money. Commercial support contracts for Scute are available, and they help finance continued maintenance. g10 Code GmbH, a Duesseldorf based company owned and headed by GnuPG's principal author, is currently funding Scute development. We are always looking for interesting development projects. Happy Hacking, The Scute Team (Werner and Marcus) _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From spacemarc at gmail.com Mon Nov 13 17:31:12 2006 From: spacemarc at gmail.com (spacemarc) Date: Mon Nov 13 19:24:06 2006 Subject: GnuPG 2.0 In-Reply-To: <87d57rz7ql.fsf@wheatstone.g10code.de> References: <1657673143.20061113200325@voyager.net> <87d57rz7ql.fsf@wheatstone.g10code.de> Message-ID: 2006/11/13, Werner Koch : > There is no version of GnuPG 2 for Windows. A port to Windows might > eventually be done but as of now I see no reason for it. > > > Shalom-Salam, > > Werner so, for an installation from scratch, can be installed the new 2.0 version to the place of the old 1.4.5? right? -- http://www.spacemarc.it From yaverot at nerdshack.com Fri Nov 10 21:33:32 2006 From: yaverot at nerdshack.com (Matt) Date: Mon Nov 13 22:54:03 2006 Subject: encrypted public keys Was: Re: Bug in getkey.c:2219:merge_selfsigs In-Reply-To: <87u01pbqyq.fsf@wheatstone.g10code.de> References: <200610271555.47067.chris-usenet@netzpunkt.org> <87u01pbqyq.fsf@wheatstone.g10code.de> Message-ID: <4554E21C.800@nerdshack.com> Werner Koch wrote: > On Fri, 27 Oct 2006 15:55, Christoph Probst said: >> I was working on a large number of files (about 300) which I exported from my >> email client (the result of a key signing party some weeks ago): > > BTW, sending public keys encrypted or signed is a bad habit. There is > in general no reason to do so. Good habits are easy to break, and bad habits easy to pickup, but I'm curious why encrypting signed keys back to their owner is a bad habit. It verifies the other half of the ID on the key (the email address), it verifies that that person (still) has the secret key and passphrase. "Manoj's Key-Signing Protocol" takes this to an extreme, in requiring multiple "secrets" passed back-and-forth before actually signing the key. There was an interesting article on linuxsecurity.com by "Atom Smasher" called "pgp Key Signing Observations Overlooked Social and Technical Considerations", the only flaw I see is the implicit "you own your public key". At attrition.org there is "Social Implications of Keysigning" and it talks about social network mapping, and a virtual smear campaign. > They end up at a public keyserver anyway. Only if the owner puts his/her key on a keyserver, or someone disrespects his right to not have his key there. I can think of a few reasons why someone wouldn't want their key on a keyserver, but most of those reasons would also preclude going to a keysigning party (with that key). Personally, while I don't like the aspects of social mapping, once I have some sigs on my public key, I want it spread far and wide. If those sigs did not result from my face-to-face meeting with the other person, then having them on my key doesn't actually improve the web of trust, and seams reasonable not to have those sigs spread far and wide if I can help it. If people return their sigs to me, and not to keyservers, then I decide which ones appear "in the wild". I am moving into actually using GnuPG, instead of just having 'academic knowledge' of PGP, so if I've picked up 'wrong' preconceptions I want to know before I start spreading them to other people. From z.himsel at gmail.com Tue Nov 14 00:47:48 2006 From: z.himsel at gmail.com (Zach Himsel) Date: Tue Nov 14 00:45:45 2006 Subject: gpg-agent timeout not working Message-ID: <8d5f78b30611131547v58db6c7cy8cba406c76b2c3ba@mail.gmail.com> I use the gpg-agent to store my passphrase. The problem is that my timeout is set for like 24 hours (actually, now it is 999999 seconds :) ), but pinentry keeps asking for my password every 4 hours or so. How would I get that to work correctly? I use Psi v0.10 (which uses GnuPG encryption and the gpg-agent). Would that have anything to do with it? Thanks. -- Zach Himsel ===========tinyurl.com/yjxo8s=========== |_|0|_| ------- OpenPGP Key: 0xD1093592 ------- |_|_|0| () **ASCII Ribbon Campaign** -- against |0|0|0| /\ html mail & proprietary attachments From henkdebruijn at wanadoo.nl Tue Nov 14 03:37:08 2006 From: henkdebruijn at wanadoo.nl (Henk M. de Bruijn) Date: Tue Nov 14 03:35:34 2006 Subject: GnuPG 2.0 In-Reply-To: <87d57rz7ql.fsf@wheatstone.g10code.de> References: <1657673143.20061113200325@voyager.net> <87d57rz7ql.fsf@wheatstone.g10code.de> Message-ID: <60280919.20061114033708@wanadoo.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Mon, 13 Nov 2006 16:28:18 +0100GMT (13-11-2006, 16:28 +0200, where I live), Werner Koch wrote: WK> On Mon, 13 Nov 2006 16:03, rstoddard@voyager.net said: >> I received the notice that 2.0 has been released. I'm currently using >> GnuPG 1.4.5, which I downloaded as part of the Gnu for Windows >> package, and GPGshell for Windows 3.52. Can I upgrade to v2.0 without WK> There is no version of GnuPG 2 for Windows. A port to Windows might WK> eventually be done but as of now I see no reason for it. And if a lot of Windows users ask for it? - -- Henk M. de Bruijn ______________________________________________________________________ The Bat! Natural E-Mail System version 3.86.03 ALPHA (beta) Pro on Windows XP SP2 Request-PGP: http://www.biglumber.com/x/web?qs=0x6C9F6CE78C32408B Gossamer Spider Web of Trust http://www.gswot.org A progressive and innovative Web of Trust -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6-svn4328HdB-dynamic-IDEA-Tiger192 (Cygwin/MingW32) iQEVAwUBRVkrwhHuy+60ZN0PAQo1RggAhOyxr//v5SD2hKInIgZIJTp4LcWVBrTS b7xScHYEj3Lf2onDCF1IGvxGthi20NxbmjoVp53Xkyz+bAtKlrUPqeyyCR7EFEY0 vgmw2uvF5XmbR1YuYfC4HPDEUJrOGJlyc+XzOa40mkoYDgPfsw43o2MJY3NWhTuJ HlZYJ22gQX9dPPcjz21Imjy3RGRZtSNaCY9dKTLUlRPZa2unTTWYN5NZaXdttiUK 71KAsRVSzxl/kNeHeCfZFnUZfZOX74rN+qDG1EIpn1Ne69fX20uCINsKOL58lR0l 1ayCt92koFPwVT6Xpv4Hhml16D/aOIF9xAAy6LJ60NRea/csuwzJGA== =v7Kq -----END PGP SIGNATURE----- From aldert at rotz.org Tue Nov 14 03:34:27 2006 From: aldert at rotz.org (Aldert Hazenberg) Date: Tue Nov 14 05:24:26 2006 Subject: GnuPG 2.0 In-Reply-To: <87d57rz7ql.fsf@wheatstone.g10code.de> References: <1657673143.20061113200325@voyager.net> <87d57rz7ql.fsf@wheatstone.g10code.de> Message-ID: <972ABE9D-5CEC-4B1A-AEA1-03B33305AB23@rotz.org> On Nov 13, 2006, at 4:28 PM, Werner Koch wrote: > A port to Windows might > eventually be done but as of now I see no reason for it. Hi Werner, What is your reason for no windows port of 2.0 ? Is it a business reason ? Or ideological ? Aldert. -- Aldert J.B.P. Hazenberg Email : aldert@rotz.org Phone : voip/skype on request IM : several on request From alphasigmax at gmail.com Tue Nov 14 05:43:07 2006 From: alphasigmax at gmail.com (Alphax) Date: Tue Nov 14 05:42:10 2006 Subject: GnuPG 2.0 In-Reply-To: <972ABE9D-5CEC-4B1A-AEA1-03B33305AB23@rotz.org> References: <1657673143.20061113200325@voyager.net> <87d57rz7ql.fsf@wheatstone.g10code.de> <972ABE9D-5CEC-4B1A-AEA1-03B33305AB23@rotz.org> Message-ID: <4559495B.2060407@gmail.com> Aldert Hazenberg wrote: > > On Nov 13, 2006, at 4:28 PM, Werner Koch wrote: > >> A port to Windows might >> eventually be done but as of now I see no reason for it. > > > Hi Werner, > > What is your reason for no windows port of 2.0 ? > Is it a business reason ? Or ideological ? > As I understand, technological: the structures used in GPG2 simply don't exist in W32-land. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 569 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20061114/b43abc2c/signature.pgp From jmoore3rd at bellsouth.net Tue Nov 14 05:43:52 2006 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Tue Nov 14 05:42:28 2006 Subject: GnuPG 2.0 In-Reply-To: <972ABE9D-5CEC-4B1A-AEA1-03B33305AB23@rotz.org> References: <1657673143.20061113200325@voyager.net> <87d57rz7ql.fsf@wheatstone.g10code.de> <972ABE9D-5CEC-4B1A-AEA1-03B33305AB23@rotz.org> Message-ID: <45594988.4070308@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Aldert Hazenberg wrote: > > On Nov 13, 2006, at 4:28 PM, Werner Koch wrote: > >> A port to Windows might >> eventually be done but as of now I see no reason for it. > What is your reason for no windows port of 2.0 ? > Is it a business reason ? Or ideological ? This was/is performed by the various GUI's for Windows Installations; the most well known being GPGshell, WinPT & Enigmail. There is also S/MIME support within GPG 2.0. In fact, 2.0 is far more bloated than the 1.4.x BRANCH. The Bottom Line is that nothing is /missing/ in 1.4.x Builds. GPGshell & WinPT will *not* work on Linux so GPG-Agent is the Linux version of a 'Shell' for easy manipulation of GnuPG within Linux. Because Linux Users secretly resent the variety of variety of GUI's available to Windows Users. (expect Lance & Alphax to rebut here) More & more Linux Users are not proficient in Command Line use nor do the ones who are particularly enjoy having to resort to it for routine Communication. Not everyone uses T-Bird/Enigmail with Linux. Also, there are these other Library dependencies in GPG 2.0: * The *gpg-agent* is the central place to maintain private keys and to cache passphrases. It is implemented as a daemon to be started with a user session. * *gpgsm* is an implementation of the X.509 and CMS standards and provides the cryptographic core to implement the S/MIME protocol. The command line interface is very similar to the one of gpg. This helps adding S/MIME to application currently providing OpenPGP support. * *scdaemon* is a daemon run by gpg-agent to access different types of smart cards using a unified interface. * *gpg-connect-agent* is a tool to help scripts directly accessing services of gpg-agent and scdaemon. * *gpgconf* is a tool to maintain the configuration files of all modules using a well defined API. Notice the 3 Items that GPG 2.0 brings to Linux Users: 1.) Smart Card Use 2.) S/MIME 3.) gpg.conf There is also cached passphrases; but basically, GPG 2.0 provides Linux MUA's many of the features that Windows Users take for granted. It just integrates them into the GnuPG Build. IMO: You are not being denied anything by sticking with 1.4.x on your Windows Box. My hope is that now that the 2.0 version has been released, more attention will be devoted to development of the 1.4.x BRANCH. JOHN ;) Timestamp: Monday 13 Nov 2006, 23:42 --500 (Eastern Standard Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6-svn4328: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: http://www.gswot.org Comment: My Homepage: http://tinyurl.com/yzhbhx Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCgAGBQJFWUmHAAoJEBCGy9eAtCsPdnEH/iGmBYCfscVq/HzoQkPNuDiq JymYQ6K6c7eM6eDW3Po3f3U4zJLHqvit4bOpSSejp54Kjjh7VDOC0LEas8qCjxCe uw4OC8RwmBh4OSDALAy9QmGgIqRn0HPzjcMIcR3qhc/Pc1nvvrqVdR5POkrxcVq9 qBqkGVa02uQg+L38oNI9JMp1L3aDavVnnipms/ZkAHjB+buUgYPkbj6AGhj87nej 6rpnFKh+wYn2zuKGeJpIDO5aMYsNJmZZXR/zQtBoFJuQtZ3di9GsjYkHxR0fZr8O Z0kRA8rMmYkANizxc8keGtcQDOeXqojTZ3+7cc9zsmgO+vqi3pUkID7xL8f+mz8= =3SWr -----END PGP SIGNATURE----- From wk at gnupg.org Tue Nov 14 08:18:24 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Nov 14 08:21:46 2006 Subject: GnuPG 2.0 In-Reply-To: <972ABE9D-5CEC-4B1A-AEA1-03B33305AB23@rotz.org> (Aldert Hazenberg's message of "Tue\, 14 Nov 2006 03\:34\:27 +0100") References: <1657673143.20061113200325@voyager.net> <87d57rz7ql.fsf@wheatstone.g10code.de> <972ABE9D-5CEC-4B1A-AEA1-03B33305AB23@rotz.org> Message-ID: <87slgmwl6n.fsf@wheatstone.g10code.de> On Tue, 14 Nov 2006 03:34, aldert@rotz.org said: > What is your reason for no windows port of 2.0 ? > Is it a business reason ? Or ideological ? I did a very basic port for a customer 2 years agho. However it is not maintained (because the custumer didn't entered into a support contract) and as said very basic. As soon as there is a financial backing, a real port to Windows can be done. Shalom-Salam, Werner From wk at gnupg.org Tue Nov 14 08:24:25 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Nov 14 08:26:53 2006 Subject: gpg-agent timeout not working In-Reply-To: <8d5f78b30611131547v58db6c7cy8cba406c76b2c3ba@mail.gmail.com> (Zach Himsel's message of "Mon\, 13 Nov 2006 18\:47\:48 -0500") References: <8d5f78b30611131547v58db6c7cy8cba406c76b2c3ba@mail.gmail.com> Message-ID: <87odrawkwm.fsf@wheatstone.g10code.de> On Tue, 14 Nov 2006 00:47, z.himsel@gmail.com said: > I use the gpg-agent to store my passphrase. The problem is that my > timeout is set for like 24 hours (actually, now it is 999999 seconds > :) ), but pinentry keeps asking for my password every 4 hours or so. > How would I get that to work correctly? What option did you set? @item --default-cache-ttl @var{n} Set the time a cache entry is valid to @var{n} seconds. The default are 600 seconds. @item --max-cache-ttl @var{n} Set the maximum time a cache entry is valid to @var{n} seconds. After this time a cache entry will get expired even if it has been accessed recently. The default are 2 hours (7200 seconds). I guess you only changed --default-cache-ttl and thus the cache entry will expire after 2 houer due to the --mac-cache-ttl. > I use Psi v0.10 (which uses GnuPG encryption and the gpg-agent). Would > that have anything to do with it? No. Salam-Shalom, Werner From dmdm00 at yahoo.com Thu Nov 9 18:12:43 2006 From: dmdm00 at yahoo.com (dmdm) Date: Tue Nov 14 10:59:01 2006 Subject: --edit-key command Message-ID: <7262159.post@talk.nabble.com> what is the command in the edit-key section to add a missing uid to a key for example i have been asked in this way: Need add uid of send@... only has uid of config@... a) so how to add uid of send? Also would be nice for some unique shortname (8 characters or less) at the moment my key has a 12 charter name b) how to change to a unique shortname of say "pelt"? many thanks -- View this message in context: http://www.nabble.com/--edit-key-command-tf2602940.html#a7262159 Sent from the GnuPG - User mailing list archive at Nabble.com. From p_yian1 at hotmail.com Sun Nov 12 05:02:57 2006 From: p_yian1 at hotmail.com (yiannis pefk) Date: Tue Nov 14 10:59:05 2006 Subject: Get signatures from a keyring file Message-ID: Hi, My question is how I can export the signatures from the keyring file. The answer I am looking for, is not the command "check" because I want to extract the actual signature. I had an idea to convert the keyring to ascii and parse it, but i dont know the format of file so I cannot do it. Thank you. _________________________________________________________________ Don't just search. Find. Check out the new MSN Search! http://search.msn.click-url.com/go/onm00200636ave/direct/01/ From pefkian at cs.ucla.edu Sun Nov 12 04:41:23 2006 From: pefkian at cs.ucla.edu (Yiannis Pefkianakis) Date: Tue Nov 14 10:59:08 2006 Subject: Get signatures from a keyring file Message-ID: <8B66390D-7161-4EDB-AB1D-BFBC05E4302A@cs.ucla.edu> Hi, My question is how I can export the signatures from the keyring file. The answer I am looking for, is not the command "check" because I want to extract the actual signature. I had an idea to convert the keyring to ascii and parse it, but i dont know the format of file so I cannot do it. Thank you. From r.post at sara.nl Tue Nov 14 10:11:06 2006 From: r.post at sara.nl (Remco Post) Date: Tue Nov 14 11:24:34 2006 Subject: GnuPG 2.0 In-Reply-To: <45594988.4070308@bellsouth.net> References: <1657673143.20061113200325@voyager.net> <87d57rz7ql.fsf@wheatstone.g10code.de> <972ABE9D-5CEC-4B1A-AEA1-03B33305AB23@rotz.org> <45594988.4070308@bellsouth.net> Message-ID: <4559882A.5020806@sara.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 John W. Moore III wrote: > The Bottom Line is that nothing is /missing/ in 1.4.x Builds. GPGshell > & WinPT will *not* work on Linux so GPG-Agent is the Linux version of a > 'Shell' for easy manipulation of GnuPG within Linux. > _but_ gpg-agent also provides ssh-agent functionality for authentication purposes. This is the _only_ part I'm currently intrested in from gpg v2. Unfortunately, this means I'll have to stick to an ancient beta on windows (yes, my boss makes me use this OS). > IMO: You are not being denied anything by sticking with 1.4.x on your > Windows Box. My hope is that now that the 2.0 version has been > released, more attention will be devoted to development of the 1.4.x BRANCH. > And here we disagree... for me, basically forced to use this windows thing as an X-terminal, gpg-agent does add a bit of functionality. - -- Met vriendelijke groeten, Remco Post SARA - Reken- en Netwerkdiensten http://www.sara.nl High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167 PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC "I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQCVAwUBRVmIKSrZkcVehrp5AQIj5wP9HCOTKcB7nBb7n4pSW/6Y35612Us5IW+r +e1eMIorc0vIUgbfTFek0JX5wv+8UFIgqM0xFOLiK+Emo8PeprZ4QlOEwaBcHCOx Lf8X6gxRIveFXE8fnb+AxosSulwmS85NnXZNFIb6AmJjHxe7OpSavKORo1cHmCKD G8OYuiwOlzs= =KgpO -----END PGP SIGNATURE----- From johanw at vulcan.xs4all.nl Tue Nov 14 13:06:02 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Tue Nov 14 13:07:39 2006 Subject: OpenPGP Card implementation In-Reply-To: <87psbrzbki.fsf@wheatstone.g10code.de> Message-ID: <200611141206.kAEC62et025194@vulcan.xs4all.nl> Werner Koch wrote: >Thanks to the pay-tv's lawyers and the tv card crackers the problems >on selling certain crypto cards exists. The rumour goes that they >blackmail the chip vendors (like Atmel) to stop processing chips which >are too easy to be used by tv card crackers. I call that "security >through lawyers". Is it very hard to design such a card from scratch, and very expensive to have it produced as custom hardware? I'm sure there are enough chip-producing companies in China who don't give a damn about western lawyers. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From johanw at vulcan.xs4all.nl Tue Nov 14 13:23:35 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Tue Nov 14 13:18:56 2006 Subject: Use of IDEA in GnuPG 2 Message-ID: <200611141223.kAECNZpB000961@vulcan.xs4all.nl> Hello, The 1.x methods of using IDEA in GnuPG don't work anymore with 2.0. I assume I have to add IDEA to libgcrypt. Does anyone know how to do that? Is there an easy way or does it require changing the idea.c source and/or some makefiles to work? -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From z.himsel at gmail.com Tue Nov 14 13:44:23 2006 From: z.himsel at gmail.com (Zach Himsel) Date: Tue Nov 14 13:42:19 2006 Subject: gpg-agent timeout not working In-Reply-To: <87odrawkwm.fsf@wheatstone.g10code.de> References: <8d5f78b30611131547v58db6c7cy8cba406c76b2c3ba@mail.gmail.com> <87odrawkwm.fsf@wheatstone.g10code.de> Message-ID: <8d5f78b30611140444w1e93d03am6bfe19f13afc6aeb@mail.gmail.com> On 11/14/06, Werner Koch wrote: > > I use the gpg-agent to store my passphrase. The problem is that my > > timeout is set for like 24 hours (actually, now it is 999999 seconds > > :) ), but pinentry keeps asking for my password every 4 hours or so. > > How would I get that to work correctly? > > What option did you set? > > @item --default-cache-ttl @var{n} > > @item --max-cache-ttl @var{n} > > I guess you only changed --default-cache-ttl and thus the cache entry > will expire after 2 houer due to the --mac-cache-ttl. You're right, I did have default-cache-ttl set instead of max-cache-ttl. I added the max-cache-ttl entry and I will see how it works. Thanks! -- Zach Himsel ========== tinyurl.com/yjxo8s ========== |_|0|_| ------- OpenPGP Key: 0xD1093592 ------- |_|_|0| () **ASCII Ribbon Campaign** -- against |0|0|0| /\ html mail & proprietary attachments From dshaw at jabberwocky.com Tue Nov 14 14:19:18 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Nov 14 14:17:31 2006 Subject: --edit-key command In-Reply-To: <7262159.post@talk.nabble.com> References: <7262159.post@talk.nabble.com> Message-ID: <20061114131918.GA25027@jabberwocky.com> On Thu, Nov 09, 2006 at 09:12:43AM -0800, dmdm wrote: > > what is the command in the edit-key section to add a missing uid to a key > for example i have been asked in this way: > > > Need add uid of send@... > only has uid of config@... > > a) so how to add uid of send? > > Also would be nice for some unique shortname (8 characters or less) > at the moment my key has a 12 charter name gpg --edit-key (yourkey) adduid > b) how to change to a unique shortname of say "pelt"? If you have never distributed your key, you can use adduid to add a new user ID, and then deluid to remove the old one. However, if you have distributed your key, you can't really change names any longer. The best you can do is use adduid to add a new user ID, and revuid to revoke the old one. This doesn't actually remove the old one, but does mark it as not to be used. David From dshaw at jabberwocky.com Tue Nov 14 14:20:38 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Nov 14 14:18:49 2006 Subject: Get signatures from a keyring file In-Reply-To: <8B66390D-7161-4EDB-AB1D-BFBC05E4302A@cs.ucla.edu> References: <8B66390D-7161-4EDB-AB1D-BFBC05E4302A@cs.ucla.edu> Message-ID: <20061114132038.GB25027@jabberwocky.com> On Sat, Nov 11, 2006 at 07:41:23PM -0800, Yiannis Pefkianakis wrote: > Hi, > > My question is how I can export the signatures from the keyring file. > The answer I am looking for, is not the command "check" because I > want to extract the actual signature. You want to export *just* the signatures? There is no way to to that. Key ignatures are attached to a key and are generally not meaningful outside of that context. You can export keys if you like. > I had an idea to convert the keyring to ascii and parse it, but i > dont know the format of file so I cannot do it. RFC-2440. David From peter at digitalbrains.com Tue Nov 14 15:08:48 2006 From: peter at digitalbrains.com (Peter Lebbing) Date: Tue Nov 14 15:06:46 2006 Subject: Question about use of --cipher-algo AES & --openpgp In-Reply-To: <1163343976.6292.550.camel@sirius.brigham.net> References: <0MKqZr-1Ghfru3IMV-0002h8@mx.perfora.net> <1163171698.5007.297.camel@sirius.brigham.net> <45570BFF.9010806@digitalbrains.com> <1163343976.6292.550.camel@sirius.brigham.net> Message-ID: <4559CDF0.7040105@digitalbrains.com> I started writing this before HHH's last post. I'll trim it but some of it could give insight. Henry Hertz Hobbit wrote: > I followed what some people were saying, and it appears that this is > not the case! Further, there is NOTHING in the RFC indicating whether > we have that or not. In fact that RFC says absolutely nothing about > a FILE header at all. If we don't always have at least three contiguous > bytes some place within what could be considered to be the header > (anything from 6 bytes on up to 32 or even 64 bytes) then we basically > have nothing to grab onto to give to the file command. It doesn't stop > a lot of people from doing it though. The more I read the RFC, they > just dumped the idea of having a file header entirely. That means you > can probably kiss the idea of something like file using the magic > database telling you that you have an OpenPGP file goodbye. That is > why I said what I said. The RFC is very clear on what could be the first bytes. OpenPGP messages and alike don't have a *file header* but they do have a packet header and only a limited set of packets can be the first packet of the file. I did notice something: Exporting secret keys is handled in the RFC, as is best shown by the existence of the "BEGIN PGP PRIVATE KEY BLOCK" ASCII Armor option. However, in chapter 10, it is omitted. But logical thinking applies the rule that was mentioned somewhere else: a secret key is a public key with extra luggage. > Second, if you are on a Unix system, the following man command should > tell you where your magic files are: > > man magic > > On most Linux systems, they will be in /usr/share/file > I wrote to the group about that. Read that and this before responding. > BUT PLEASE RESPOND OUT OF GROUP. Well as long as it is about identifying OpenPGP files I think it will be on-topic in this group, the moment it moves to discussion about the exact magic entry (and how good it is, considering false positives), it becomes off-topic. If I'm wrong, someone may correct me. > I think the whole OpenPGP standard just chucked the idea of a file > header goodbye. There is nothing to prevent them from doing that, > but it isn't a good idea. Though I agree, you should understand where this format comes from. PGP, starting from version 2.x! To be able to be somewhat backwards compatible (parsing and creating), they based the whole format on what PGP used. At least, that's my interpretation, I wasn't involved in making the OpenPGP standard :). OpenPGP messages don't have much to go on to identify them. But I tried to make a recognition for your interest, symmetrically encrypted messages with no "asymmetric recipients", only one or several passwords. For this I just used the RFC, not even experience to go on. Other people might see an error. However, my conclusion is that it cannot be done with the extremely limited options of 'file'. For a very probable packet, I need to match values ranging over 5 bytes. Since you can only do one test, and some bytes can range over a lot of possibilities, I'd need a numeric test with AND-masking applied. But only strings can be matched on *5* bytes, and they can't be masked. Here's how I recognise symmetrically encrypted messages: These begin with either a Symmetrically Encrypted Data Packet (deprecated, compatibility) or a Symmetric-Key Encrypted Session Key Packet. There is one catch: it's conform spec to compress the entire message. But let's suppose the implementation is nice enough to only compress the embedded data of the message. Even then we run into a problem. A Symmetrically Encrypted Data Packet can, with those basic tests of 'file', only be identified by it's packet tag. It's just not enough: byte 0 & 0xFC = 0xA4 : Old format, packet tag 9 byte 0 = 0xC9 : New format, packet tag 9 We get further with an ESK packet, luckily, and this is what you'll see from recent OpenPGP implementations (right, everybody?). Option 1: byte 0 = 0x8C: Old format, packet tag 3, 1 octet length of packet byte 2 = 0x4: SK-ESK packet version 4 byte 4 = 0,1 or 3: S2K specifier Option 2: byte 0 = 0x8D: Old format, packet tag 3, 2 octet length of packet byte 3 = 0x4: SK-ESK packet version 4 byte 5 = 0,1 or 3: S2K specifier You could continue the list for larger packet length specifiers (like someone already pointed out, a small packet can still be specified with a long specifier with leading 0's), new format packets, for public key ESK packets, etcetera. If we could match more bytes in one match then we would have at least 3 bytes identifying a file positively; that's fairly okay I think. If this where possible: 0 belonglong&0xFF00FF00FC000000 0x8C00040000000000 OpenPGP File 0 belonglong&0xFF0000FF00FC0000 0x8D00000400000000 OpenPGP File We'd match both options (with the added possibility of undefined S2K specifier 2, but let's keep it simple). However, then we run into a problem with new format packets, where the structure depends on the value of the 2nd byte in the file. The real solution obviously is more than 1 test. When I started this, I hoped it'd be possible to match the file. I think I've established though that it is impossible, which is also worth a bit. Greets, Peter. From kfitzner at excelcia.org Tue Nov 14 13:30:33 2006 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Tue Nov 14 15:24:07 2006 Subject: OpenPGP Card implementation In-Reply-To: <200611141206.kAEC62et025194@vulcan.xs4all.nl> References: <200611141206.kAEC62et025194@vulcan.xs4all.nl> Message-ID: <4559B6E9.3030702@excelcia.org> Johan Wevers wrote: > Werner Koch wrote: > >> Thanks to the pay-tv's lawyers and the tv card crackers the problems >> on selling certain crypto cards exists. The rumour goes that they >> blackmail the chip vendors (like Atmel) to stop processing chips which >> are too easy to be used by tv card crackers. I call that "security >> through lawyers". > > Is it very hard to design such a card from scratch, and very expensive > to have it produced as custom hardware? I'm sure there are enough > chip-producing companies in China who don't give a damn about western > lawyers. > I did some investigation, and there are lots of java card platforms that would be eminently usable for the OpenPGP smartcard. The hard part is redoing the code from BasicCard to Java. The hardware is easy to obtain. Kurt. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 305 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20061114/7bebf825/signature.pgp From JPClizbe at tx.rr.com Tue Nov 14 13:53:16 2006 From: JPClizbe at tx.rr.com (John Clizbe) Date: Tue Nov 14 15:24:30 2006 Subject: Get signatures from a keyring file In-Reply-To: <8B66390D-7161-4EDB-AB1D-BFBC05E4302A@cs.ucla.edu> References: <8B66390D-7161-4EDB-AB1D-BFBC05E4302A@cs.ucla.edu> Message-ID: <4559BC3C.3060508@tx.rr.com> Yiannis Pefkianakis wrote: > Hi, > > My question is how I can export the signatures from the keyring file. > The answer I am looking for, is not the command "check" because I > want to extract the actual signature. > I had an idea to convert the keyring to ascii and parse it, but i > don't know the format of file so I cannot do it. A keyring is (at present) just a collection of packets. You may find definitions of the packet structure in RFC 2440. Latest draft is at http://www.ietf.org/internet-drafts/draft-ietf-openpgp-rfc2440bis-17.txt You could also use the output of 'gpg --list-keys --with-colons'. An explanation of its output format is in the documentation that comes with the source. -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 663 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20061114/d4972085/signature-0001.pgp From benjamin at py-soft.co.uk Tue Nov 14 15:35:04 2006 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Tue Nov 14 15:33:33 2006 Subject: OpenPGP Card implementation In-Reply-To: <4559B6E9.3030702@excelcia.org> References: <200611141206.kAEC62et025194@vulcan.xs4all.nl> <4559B6E9.3030702@excelcia.org> Message-ID: <4559D418.7010805@py-soft.co.uk> Kurt Fitzner wrote: > I did some investigation, and there are lots of java card platforms that > would be eminently usable for the OpenPGP smartcard. The hard part is > redoing the code from BasicCard to Java. The hardware is easy to obtain. Can you point me in their direction please? I'd much rather try to implement RSA from scratch in Java than Basic! Ben From pessoa at angulosolido.pt Tue Nov 14 15:42:35 2006 From: pessoa at angulosolido.pt (Pedro Pessoa) Date: Tue Nov 14 15:42:00 2006 Subject: Failure to sign with gpgsm In-Reply-To: <200611102239.02554.pessoa@angulosolido.pt> References: <200611102239.02554.pessoa@angulosolido.pt> Message-ID: <200611141442.35549.pessoa@angulosolido.pt> On Friday 10 November 2006 22:39, Pedro Pessoa wrote: > Altough I can sign with a certificate from Thawte, when using a certificate > from the Portuguese nacional laywer association I'm having this error: > gpgsm: error creating signature: No value > > The certificate tree is correctly verified: > gpgsm: DBG: gcry_pk_verify: Success > gpgsm: certificate is good > gpgsm: DBG: got issuer's certificate: > gpgsm: DBG: BEGIN Certificate `issuer': > (...) > gpgsm: DBG: gcry_pk_verify: Success > gpgsm: error creating signature: No value > > Any thoughts on this? What's going on? > > I've tried the following versions: > gnupg2 1.9.16 with libksba 0.9.11 > and > gnupg2 1.9.22 with libksba 0.9.15 > both give out the same error. After trying to figure out what's this problem and reaching a dead end, I went through the diferences out of a dump in both certtificates, the one that works, and the one that doesn't. - Both have the fields: . Serial number . Issuer . Subject . sha1_fpr . md5_fpr . certid . keygrip . notBefore . notAfter . hashAlgo: 1.2.840.113549.1.1.5 (sha1WithRSAEncryption) . keyType: 2048 bit RSA . chainLength: not a CA - These are only present on the certificate that doesn't work: . authKeyId.ki . keyUsage: digitalSignature nonRepudiation keyEncipherment dataEncipherment keyAgreement . extKeyUsage: 1.3.6.1.4.1.6204.20.18.2.105.1020 (suggested) clientAuth (suggested) emailProtection (suggested) . policies: 1.3.6.1.4.1.6204.10.2 1.3.6.1.4.1.6204.10.2.1020 . crlDP: http://www.multicert.com/ca/multicert-ca-02.crl ldap://ldap.multicert.com/cn=MULTICERT-CA%2002,o=MULTICERT-CA,c=PT?certificateRevocationList?base issuer: none . crlDP: CN=CRL26,CN=MULTICERT-CA 02,O=MULTICERT-CA,C=pt issuer: none . authInfo: 1.3.6.1.5.5.7.48.1 . subjInfo: [none] . extn: 1.3.6.1.5.5.7.1.1 (authorityInfoAccess) [44 octets] . extn: 2.16.840.1.113730.1.1 (netscape-cert-type) [4 octets] Is it possible that one or several of these fields only present on the certificate that doesn't work is causing the failure? Is there any way to strip them out of the certificate? Btw, I've just tested importing the "bad" certificate on Thunderbird, and there I can use it to sign messages. Is this a certificate or gnupg problem? I'm really at a loss... Thanks, Pedro -- Angulo S?lido - Tecnologias de Informa??o http://angulosolido.pt From wk at gnupg.org Tue Nov 14 17:49:00 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Nov 14 17:52:22 2006 Subject: OpenPGP Card implementation In-Reply-To: <200611141206.kAEC62et025194@vulcan.xs4all.nl> (Johan Wevers's message of "Tue\, 14 Nov 2006 13\:06\:02 +0100 \(MET\)") References: <200611141206.kAEC62et025194@vulcan.xs4all.nl> Message-ID: <87d57qq8hv.fsf@wheatstone.g10code.de> On Tue, 14 Nov 2006 13:06, johanw@vulcan.xs4all.nl said: > Is it very hard to design such a card from scratch, and very expensive > to have it produced as custom hardware? I'm sure there are enough > chip-producing companies in China who don't give a damn about western > lawyers. Good for people in China, but here they will go after you as soon as you sell them. Recall that we are not yet ready to FTP hardware. Salam-Shalom, Werner From wk at gnupg.org Tue Nov 14 17:47:34 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Nov 14 17:52:50 2006 Subject: OpenPGP Card implementation In-Reply-To: <4559B6E9.3030702@excelcia.org> (Kurt Fitzner's message of "Tue\, 14 Nov 2006 05\:30\:33 -0700") References: <200611141206.kAEC62et025194@vulcan.xs4all.nl> <4559B6E9.3030702@excelcia.org> Message-ID: <87hcx2q8k9.fsf@wheatstone.g10code.de> On Tue, 14 Nov 2006 13:30, kfitzner@excelcia.org said: > I did some investigation, and there are lots of java card platforms that > would be eminently usable for the OpenPGP smartcard. The hard part is > redoing the code from BasicCard to Java. The hardware is easy to obtain. The cards are pretty expensive. Many users claim that the 10 to 15 Euro you need to pay for one of our cards is already too expensive. Yes, I know there are cheaper cards. But do you really want to wait up to 2 seconds for a signature? Shalom-Salam, Werner From wk at gnupg.org Tue Nov 14 17:45:09 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Nov 14 17:53:02 2006 Subject: Use of IDEA in GnuPG 2 In-Reply-To: <200611141223.kAECNZpB000961@vulcan.xs4all.nl> (Johan Wevers's message of "Tue\, 14 Nov 2006 13\:23\:35 +0100 \(MET\)") References: <200611141223.kAECNZpB000961@vulcan.xs4all.nl> Message-ID: <87lkmeq8oa.fsf@wheatstone.g10code.de> On Tue, 14 Nov 2006 13:23, johanw@vulcan.xs4all.nl said: > The 1.x methods of using IDEA in GnuPG don't work anymore with 2.0. You are still not giving upon this :-) IIRC, you need to wait only 4 more years for official support. Salam-Shalom, Werner From wk at gnupg.org Tue Nov 14 19:18:18 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Nov 14 19:21:51 2006 Subject: encrypted public keys Was: Re: Bug in getkey.c:2219:merge_selfsigs In-Reply-To: <4554E21C.800@nerdshack.com> (yaverot@nerdshack.com's message of "Fri\, 10 Nov 2006 13\:33\:32 -0700") References: <200610271555.47067.chris-usenet@netzpunkt.org> <87u01pbqyq.fsf@wheatstone.g10code.de> <4554E21C.800@nerdshack.com> Message-ID: <87ejs5q4d1.fsf@wheatstone.g10code.de> On Fri, 10 Nov 2006 21:33, yaverot@nerdshack.com said: > curious why encrypting signed keys back to their owner is a bad habit. > It verifies the other half of the ID on the key (the email address), it > verifies that that person (still) has the secret key and passphrase. Why do you want this. It might chabnge the next minute. The main reason why sending a key back in an encrypted mail is that at that time the key as already be signed and thus there exists a public knowledge that about this signature. Whether the signer uploaded the key or not doesn't matter. He has gone into great lengths to make sure that he signed the correct key and any further checks are thus not needed. What do you do with keys which don't carry an encryption key? It is a policy decision whether to use an email challenge-response *before* signing a key. There is no reason to protect the public key after signing - it is public. Well, this holds valid for keys which are anyway public. For the few people who don't send their keys to a keyserver, it might make sense to send it encrypted. > Only if the owner puts his/her key on a keyserver, or someone > disrespects his right to not have his key there. I can think of a few Checking my keyring shows that I did 873 signatures using my current key. I am sure that not more than a few dozen people send me their key by mail or passed it using a floppy. Almost always I retrieved the key to sign from a keyserver and thus all this hiding of keys does not make sense. Further there is the problem that when attending a signing party a small percentage of the attendees will accidently send the keys to a keyserver and thus publish it. You can't aboid that. Well, you can but then you should not go to a signing party or use the key to sign anything which you can't be sure that it will stay within your closed group. > Personally, while I don't like the aspects of social mapping, once I Well, it just says that you and the other persons met some time before the signature has been done. You may delay the signing and batch them up to make it harder to map the signing to a specific event. Shalom-Salam, Werner From wk at gnupg.org Tue Nov 14 19:19:31 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Nov 14 19:22:00 2006 Subject: Failure to sign with gpgsm In-Reply-To: <200611141442.35549.pessoa@angulosolido.pt> (Pedro Pessoa's message of "Tue\, 14 Nov 2006 14\:42\:35 +0000") References: <200611102239.02554.pessoa@angulosolido.pt> <200611141442.35549.pessoa@angulosolido.pt> Message-ID: <87ac2tq4b0.fsf@wheatstone.g10code.de> On Tue, 14 Nov 2006 15:42, pessoa@angulosolido.pt said: > After trying to figure out what's this problem and reaching a dead end, I went > through the diferences out of a dump in both certtificates, the one that You should update to the lates version of gnupg (2.0.0) before checking any further. Salam-Shalom, Werner From wwu at dls.net Tue Nov 14 20:52:31 2006 From: wwu at dls.net (Wei Wu [H]) Date: Tue Nov 14 22:24:16 2006 Subject: how to create a symmetric cipher In-Reply-To: Message-ID: <20061114195232.BF2F1412162@green.dls.net> Hi there, I want to create a symmetric cipher such as AES to encrypt some data, and think gpg (GnuPG Version 1.4.2.1) may do this. But I found it gives only three options, none is symmetric. I would appreciate if anyone can point me to another or way to do it? Regards, WW gpg --gen-key (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) From dshaw at jabberwocky.com Tue Nov 14 22:39:45 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Nov 14 22:38:02 2006 Subject: how to create a symmetric cipher In-Reply-To: <20061114195232.BF2F1412162@green.dls.net> References: <20061114195232.BF2F1412162@green.dls.net> Message-ID: <20061114213945.GA5866@jabberwocky.com> On Tue, Nov 14, 2006 at 01:52:31PM -0600, Wei Wu [H] wrote: > Hi there, > > I want to create a symmetric cipher such as AES to encrypt some data, and > think gpg (GnuPG Version 1.4.2.1) may do this. But I found it gives only > three options, none is symmetric. I would appreciate if anyone can point me > to another or way to do it? I'm a bit confused as to what you are asking, but if the question is "how do I encrypt data using a symmetric cipher?", then the answer is "gpg --symmetric (thefile)" David From brunij at earthlink.net Tue Nov 14 22:40:39 2006 From: brunij at earthlink.net (Joseph Oreste Bruni) Date: Tue Nov 14 22:38:31 2006 Subject: how to create a symmetric cipher In-Reply-To: <20061114195232.BF2F1412162@green.dls.net> References: <20061114195232.BF2F1412162@green.dls.net> Message-ID: gpg --symmetric --encrypt The default is CAST5, but you can specify the algorithm using -- cipher-algo -Joe On Nov 14, 2006, at 12:52 PM, Wei Wu [H] wrote: > Hi there, > > I want to create a symmetric cipher such as AES to encrypt some > data, and > think gpg (GnuPG Version 1.4.2.1) may do this. But I found it gives > only > three options, none is symmetric. I would appreciate if anyone can > point me > to another or way to do it? > > Regards, > WW > > gpg --gen-key > (1) DSA and Elgamal (default) > (2) DSA (sign only) > (5) RSA (sign only) > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From wwu at dls.net Tue Nov 14 23:00:02 2006 From: wwu at dls.net (Wei Wu [H]) Date: Tue Nov 14 22:58:04 2006 Subject: how to create a symmetric cipher In-Reply-To: <20061114213945.GA5866@jabberwocky.com> Message-ID: <20061114220007.35303415118@green.dls.net> Thanks. Well, my ultimate goal is to encrypt data, but I don't want to use passphrase to do it as I believe it is not secure enough. So my questions are: 1. How to create a symmetric key or cipher? With that, I may use another tool to encrypt/decrypt. 2. Can gpg be used to do key based encryption? Not passphrase based. Regards, WW -----Original Message----- From: gnupg-users-bounces@gnupg.org [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of David Shaw Sent: Tuesday, November 14, 2006 3:40 PM To: gnupg-users@gnupg.org Subject: Re: how to create a symmetric cipher On Tue, Nov 14, 2006 at 01:52:31PM -0600, Wei Wu [H] wrote: > Hi there, > > I want to create a symmetric cipher such as AES to encrypt some data, and > think gpg (GnuPG Version 1.4.2.1) may do this. But I found it gives only > three options, none is symmetric. I would appreciate if anyone can point me > to another or way to do it? I'm a bit confused as to what you are asking, but if the question is "how do I encrypt data using a symmetric cipher?", then the answer is "gpg --symmetric (thefile)" David _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From wwu at dls.net Tue Nov 14 23:04:09 2006 From: wwu at dls.net (Wei Wu [H]) Date: Tue Nov 14 23:02:03 2006 Subject: how to create a symmetric cipher In-Reply-To: Message-ID: <20061114220413.59274412E00@green.dls.net> Thank you. As I said in my other posts, I don't want to use passphrase based encryption, and am looking for key based solution. Also I don't need a private/public key-pair based solution as symmetric key is more efficient. Regards, WW -----Original Message----- From: gnupg-users-bounces@gnupg.org [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of Joseph Oreste Bruni Sent: Tuesday, November 14, 2006 3:41 PM To: gnupg-users@gnupg.org Subject: Re: how to create a symmetric cipher gpg --symmetric --encrypt The default is CAST5, but you can specify the algorithm using -- cipher-algo -Joe On Nov 14, 2006, at 12:52 PM, Wei Wu [H] wrote: > Hi there, > > I want to create a symmetric cipher such as AES to encrypt some > data, and > think gpg (GnuPG Version 1.4.2.1) may do this. But I found it gives > only > three options, none is symmetric. I would appreciate if anyone can > point me > to another or way to do it? > > Regards, > WW > > gpg --gen-key > (1) DSA and Elgamal (default) > (2) DSA (sign only) > (5) RSA (sign only) > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From brunij at earthlink.net Tue Nov 14 23:16:58 2006 From: brunij at earthlink.net (Joseph Oreste Bruni) Date: Tue Nov 14 23:15:09 2006 Subject: how to create a symmetric cipher In-Reply-To: <20061114220413.59274412E00@green.dls.net> References: <20061114220413.59274412E00@green.dls.net> Message-ID: <9C2F2747-1AAE-4518-BC80-F6AE21EBF05B@earthlink.net> When you encrypt to a person's public key you are not using the public key to encrypt the data. First, a random session key is generated and used to encrypt the data using a symmetric cipher. Then only the session key is encrypted using the public key and appended to the file. The recipient uses his private key to decrypt the session key which is then used to decrypt the data via the symmetric cipher. This way you avoid passing symmetric keys in the clear. If you are looking to build a custom solution, you might be better off looking at the OpenSSL crypto API. Joe On Nov 14, 2006, at 3:04 PM, Wei Wu [H] wrote: > Thank you. As I said in my other posts, I don't want to use > passphrase based > encryption, and am looking for key based solution. > > Also I don't need a private/public key-pair based solution as > symmetric key > is more efficient. > > Regards, > WW > > > -----Original Message----- > From: gnupg-users-bounces@gnupg.org [mailto:gnupg-users- > bounces@gnupg.org] > On Behalf Of Joseph Oreste Bruni > Sent: Tuesday, November 14, 2006 3:41 PM > To: gnupg-users@gnupg.org > Subject: Re: how to create a symmetric cipher > > gpg --symmetric --encrypt > > The default is CAST5, but you can specify the algorithm using -- > cipher-algo > > -Joe > > > On Nov 14, 2006, at 12:52 PM, Wei Wu [H] wrote: > >> Hi there, >> >> I want to create a symmetric cipher such as AES to encrypt some >> data, and >> think gpg (GnuPG Version 1.4.2.1) may do this. But I found it gives >> only >> three options, none is symmetric. I would appreciate if anyone can >> point me >> to another or way to do it? >> >> Regards, >> WW >> >> gpg --gen-key >> (1) DSA and Elgamal (default) >> (2) DSA (sign only) >> (5) RSA (sign only) >> >> >> >> _______________________________________________ >> Gnupg-users mailing list >> Gnupg-users@gnupg.org >> http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2508 bytes Desc: not available Url : /pipermail/attachments/20061114/a21df358/smime.bin From dshaw at jabberwocky.com Tue Nov 14 23:17:36 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Nov 14 23:15:52 2006 Subject: how to create a symmetric cipher In-Reply-To: <20061114220007.35303415118@green.dls.net> References: <20061114213945.GA5866@jabberwocky.com> <20061114220007.35303415118@green.dls.net> Message-ID: <20061114221736.GB5866@jabberwocky.com> On Tue, Nov 14, 2006 at 04:00:02PM -0600, Wei Wu [H] wrote: > Thanks. > > Well, my ultimate goal is to encrypt data, but I don't want to use > passphrase to do it as I believe it is not secure enough. > > So my questions are: > > 1. How to create a symmetric key or cipher? With that, I may use another > tool to encrypt/decrypt. > > 2. Can gpg be used to do key based encryption? Not passphrase based. I'd like to help you, but I can't parse the question. GPG uses both passphrase and non-passphrase encryption in different circumstances. I suggest you read the section on "Hybrid ciphers" in the manual (http://www.gnupg.org/gph/en/manual.html), and hopefully that will help clear up the confusion. David From wwu at dls.net Tue Nov 14 23:39:43 2006 From: wwu at dls.net (Wei Wu [H]) Date: Tue Nov 14 23:37:38 2006 Subject: how to create a symmetric cipher In-Reply-To: <9C2F2747-1AAE-4518-BC80-F6AE21EBF05B@earthlink.net> Message-ID: <20061114223951.613CC414006@green.dls.net> Good to know the details of this process. I don't have a need to distribute data to other users, and simply need to protect some local data and only the person with the key is allowed to decrypt the data. That's the reason I want a symmetric key based solution. Thanks, Wei -----Original Message----- From: gnupg-users-bounces@gnupg.org [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of Joseph Oreste Bruni Sent: Tuesday, November 14, 2006 4:17 PM To: gnupg-users@gnupg.org Subject: Re: how to create a symmetric cipher When you encrypt to a person's public key you are not using the public key to encrypt the data. First, a random session key is generated and used to encrypt the data using a symmetric cipher. Then only the session key is encrypted using the public key and appended to the file. The recipient uses his private key to decrypt the session key which is then used to decrypt the data via the symmetric cipher. This way you avoid passing symmetric keys in the clear. If you are looking to build a custom solution, you might be better off looking at the OpenSSL crypto API. Joe On Nov 14, 2006, at 3:04 PM, Wei Wu [H] wrote: > Thank you. As I said in my other posts, I don't want to use > passphrase based > encryption, and am looking for key based solution. > > Also I don't need a private/public key-pair based solution as > symmetric key > is more efficient. > > Regards, > WW > > > -----Original Message----- > From: gnupg-users-bounces@gnupg.org [mailto:gnupg-users- > bounces@gnupg.org] > On Behalf Of Joseph Oreste Bruni > Sent: Tuesday, November 14, 2006 3:41 PM > To: gnupg-users@gnupg.org > Subject: Re: how to create a symmetric cipher > > gpg --symmetric --encrypt > > The default is CAST5, but you can specify the algorithm using -- > cipher-algo > > -Joe > > > On Nov 14, 2006, at 12:52 PM, Wei Wu [H] wrote: > >> Hi there, >> >> I want to create a symmetric cipher such as AES to encrypt some >> data, and >> think gpg (GnuPG Version 1.4.2.1) may do this. But I found it gives >> only >> three options, none is symmetric. I would appreciate if anyone can >> point me >> to another or way to do it? >> >> Regards, >> WW >> >> gpg --gen-key >> (1) DSA and Elgamal (default) >> (2) DSA (sign only) >> (5) RSA (sign only) >> >> >> >> _______________________________________________ >> Gnupg-users mailing list >> Gnupg-users@gnupg.org >> http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > From simon at ruderich.com Tue Nov 14 22:42:12 2006 From: simon at ruderich.com (Simon Ruderich) Date: Wed Nov 15 00:24:08 2006 Subject: Problem compiling libgpg-error-1.4 with Mac OS X Message-ID: <9AE73FDA-D9BC-48E7-9608-59D31FD86FC7@ruderich.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi, I'm trying to compile GnuPG 2.0 with Mac OS X. But I'm already failing with compiling libgpg-error-1.4. ./configure works but when I run make the following error is displayed and make fails: /bin/sh ../libtool --tag=CC --mode=link gcc -g -O2 -o libgpg- error.la -rpath /usr/local/lib -version-info 3:0:3 libgpg_error_la-init.lo libgpg_error_la-strsource.lo libgpg_error_la- strerror.lo libgpg_error_la-code-to-errno.lo libgpg_error_la-code- from-errno.lo ../intl/libintl.a -liconv -Wl,-framework - Wl,CoreFoundation *** Warning: Linking the shared library libgpg-error.la against the *** static library ../intl/libintl.a is not portable! gcc -dynamiclib -flat_namespace -undefined suppress -o .libs/libgpg- error.0.3.0.dylib .libs/libgpg_error_la-init.o .libs/libgpg_error_la- strsource.o .libs/libgpg_error_la-strerror.o .libs/libgpg_error_la- code-to-errno.o .libs/libgpg_error_la-code-from-errno.o ../intl/ libintl.a /usr/lib/libiconv.dylib -Wl,-framework -Wl,CoreFoundation - install_name /usr/local/lib/libgpg-error.0.dylib -Wl,- compatibility_version -Wl,4 -Wl,-current_version -Wl,4.0 ld: warning multiple definitions of symbol _locale_charset ../intl/libintl.a(localcharset.o) definition of _locale_charset in section (__TEXT,__text) /usr/lib/libiconv.dylib(localcharset.o) definition of _locale_charset ld: common symbols not allowed with MH_DYLIB output format with the - multi_module option ../intl/libintl.a(loadmsgcat.o) definition of common __nl_msg_cat_cntr (size 4) ../intl/libintl.a(dcigettext.o) definition of common _libintl_nl_domain_bindings (size 4) ../intl/libintl.a(plural-exp.o) definition of common _libintl_gettext_germanic_plural (size 20) /usr/bin/libtool: internal link edit command failed Could you please help me with this. I'm using Mac OS X 10.4.0 with an iMac G4. Thanks in advance, Simon - ---- > privacy is necessary > using http://gnupg.org > public key id: 0x6115F804EFB33229 http://ruderich.com/ simonruderich.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) iD8DBQFFWjg0YRX4BO+zMikRCjK/AJ0WtTEGKTfEIeqXkK6R/kDtxlrpTQCfejFK PnkGT0uoiWJFWEpha0oO5wU= =xZTB -----END PGP SIGNATURE----- From r.post at sara.nl Wed Nov 15 00:25:54 2006 From: r.post at sara.nl (Remco Post) Date: Wed Nov 15 00:24:23 2006 Subject: how to create a symmetric cipher In-Reply-To: <20061114220007.35303415118@green.dls.net> References: <20061114220007.35303415118@green.dls.net> Message-ID: <455A5082.9040501@sara.nl> Wei Wu [H] wrote: > Thanks. > > Well, my ultimate goal is to encrypt data, but I don't want to use > passphrase to do it as I believe it is not secure enough. > basically, a key is a asymmetric cypher used to protect the 'passprase' used in a symmetric cypher. So you can use the 'raw' symmetric cypher (and think up the password yourself), or let gpg generate some random bits as a password and encrypt the password using a public key. It's either one of those two. I know of no alternatives, I don't believe any alternatives are invented (but I might be wrong). So if you don't fee symmetric cyphers to be strong enough, you have a problem, because every pgp message is encrypted using one. Even when using keys you'll need a passphrase, and as long as you protect it carefully, you'll be ok either way. > So my questions are: > > 1. How to create a symmetric key or cipher? With that, I may use another > tool to encrypt/decrypt. > > 2. Can gpg be used to do key based encryption? Not passphrase based. > > Regards, > WW > > -----Original Message----- > From: gnupg-users-bounces@gnupg.org [mailto:gnupg-users-bounces@gnupg.org] > On Behalf Of David Shaw > Sent: Tuesday, November 14, 2006 3:40 PM > To: gnupg-users@gnupg.org > Subject: Re: how to create a symmetric cipher > > On Tue, Nov 14, 2006 at 01:52:31PM -0600, Wei Wu [H] wrote: >> Hi there, >> >> I want to create a symmetric cipher such as AES to encrypt some data, and >> think gpg (GnuPG Version 1.4.2.1) may do this. But I found it gives only >> three options, none is symmetric. I would appreciate if anyone can point > me >> to another or way to do it? > > I'm a bit confused as to what you are asking, but if the question is > "how do I encrypt data using a symmetric cipher?", then the answer is > "gpg --symmetric (thefile)" > > David > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -- Met vriendelijke groeten, Remco Post SARA - Reken- en Netwerkdiensten http://www.sara.nl High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167 PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC "I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams From martin at linux-ip.net Tue Nov 14 23:43:55 2006 From: martin at linux-ip.net (Martin A. Brown) Date: Wed Nov 15 01:23:59 2006 Subject: how to create a symmetric cipher In-Reply-To: <20061114220007.35303415118@green.dls.net> References: <20061114220007.35303415118@green.dls.net> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Greetings Wei Wu, : Well, my ultimate goal is to encrypt data, but I don't want to : use passphrase to do it as I believe it is not secure enough. : : So my questions are: : : 1. How to create a symmetric key or cipher? With that, I may use : another tool to encrypt/decrypt. : : 2. Can gpg be used to do key based encryption? Not passphrase : based. There is a utility (outside of the GnuPG family of encryption tools) called aespipe [0], which is very handy for exactly the above sort of tasks. This tool can be used with 1, 64 or 65 encryption keys, which themselves are protected using GnuPG's public key cryptographic mechanisms. So, your stream of data is encrypted with (for example) randomly* generated encryption keys, which themselves are encrypted using your conventional public key cryptography. I wrote a wrapper script [1] (which has never been audited), which makes aespipe a touch more friendly to use on the command line. Best of luck, - -Martin * Beware the wonderful word "random" when speaking to those who are professionally engaged in cryptography. [0] http://loop-aes.sourceforge.net/aespipe/ [1] http://linux-ip.net/software/#aespipe-wrapper - -- Martin A. Brown http://linux-ip.net/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/) iD8DBQFFWkaxHEoZD1iZ+YcRAqXUAJ9oqqYokyomoDD6L35KWJLe9CSm7QCgy/ph QiHDMTXkRyZz7aV78XSOo/g= =8wgw -----END PGP SIGNATURE----- From hhhobbit at securemecca.net Wed Nov 15 01:59:33 2006 From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Wed Nov 15 01:57:56 2006 Subject: how to create a symmetric cipher In-Reply-To: <0MKqdz-1Gk6L12xJU-0002Mi@mx.perfora.net> References: <0MKqdz-1Gk6L12xJU-0002Mi@mx.perfora.net> Message-ID: <1163552373.5511.53.camel@sirius.brigham.net> On Tue, 2006-11-14 at 16:01 -0600, wvu@dls.net wrote: > Thanks. > > Well, my ultimate goal is to encrypt data, but I don't want to use > passphrase to do it as I believe it is not secure enough. > > So my questions are: > > 1. How to create a symmetric key or cipher? With that, I may use another > tool to encrypt/decrypt. > > 2. Can gpg be used to do key based encryption? Not passphrase based. > > Regards, > WW I already sent you some scripts to do it off-group. I am puzzled about this though. If you looked at the mail archives, there is Seahorse for Gnome users: http://www.gnome.org/projects/seahorse/ I must confess I am baffled by your statements. 1. Creating a key, any key, without a pass-phrase is less safe (I am thinking of something like SSH or SSL) than with a pass-phrase. If you use the default key with SSH or SSL, all that is necessary is to get the key you are using. Once I can do that I can pretend to be you. But if you have a pass-phrase, even if they steal your key, they still need the pass-phrase to pretend to be you. How is that less secure? 2. A key is just a key. Hypothetically, if gpg didn't complain about you not having a key you could hypothetically use gpg to do all of the symmetric encryption you want, but even there, a pass-phrase (which SHOULD be different than the pass-phrase bound with your key) is a good thing, not a bad thing. If you encrypt a file without a pass-phrase, then I can use gpg to decrypt your file and do the same thing you did - don't use a passphrase and voila, the file you encrypted is decrypted for me without me having to type anything other than the decrypt command. 3. Your key is primarily used to sign things and for ASYMMETRIC encryption, not symmetric encryption. By asymmetric encryption I mean stuff you send to others in email, using their public key to encrypt a message you send to them. Then only they can decrypt it using their secret key (which again requires they use their pass-phrase). When you sign a file or a message you send to them, you again must use the pass-phrase bound to your secret key when you to achieve the signing. Would you want me to steal your key, sign a message to your boss and send it to him telling him that he is a dirty scum-bag? Without a pass-phrase, that is entirely possible. With a well designed pass-phrase, even if I steal your key it makes it very hard if not impossible for me to pretend to be you (and get you in hot water). I can't do it without knowing the pass-phrase that must be used with your key. I am trying to understand how a machine key that is used with something like SSL used without a password is SAFER than something encrypted WITH a password. Every extra thing you can add for verification (and a pass-phrase is one of them), security is enhanced, not downgraded. HHH PS Even the NSA has big problems with a symmetric cipher like TWOFISH or AES256. The weakness isn't the algorithm. The weakness if there is one is a BAD or even worse NO encryption PASS-PHRASE. In fact, if you use no pass-phrase with symmetric encryption, you may as well not even encrypt the file at all. From pessoa at angulosolido.pt Wed Nov 15 02:02:06 2006 From: pessoa at angulosolido.pt (Pedro Pessoa) Date: Wed Nov 15 02:00:31 2006 Subject: Failure to sign with gpgsm In-Reply-To: <87ac2tq4b0.fsf@wheatstone.g10code.de> References: <200611102239.02554.pessoa@angulosolido.pt> <200611141442.35549.pessoa@angulosolido.pt> <87ac2tq4b0.fsf@wheatstone.g10code.de> Message-ID: <200611150102.06500.pessoa@angulosolido.pt> On Tuesday 14 November 2006 18:19, Werner Koch wrote: > On Tue, 14 Nov 2006 15:42, pessoa@angulosolido.pt said: > > After trying to figure out what's this problem and reaching a dead end, I > > went through the diferences out of a dump in both certtificates, the one > > that > > You should update to the lates version of gnupg (2.0.0) before > checking any further. I've just finished compiling gnupg fresh from the tar ball. The error remains: gpgsm: error creating signature: No value But now, with the code compiling, I could track down to where the problem is. The method gpgsm_validate_chain (ctrl, cert, NULL, 0, NULL, 0); on sm/sign.c is failling. Any hints on what I can do to know why it is failling? Thanks! Pedro -- Angulo S?lido - Tecnologias de Informa??o http://angulosolido.pt From hhhobbit at securemecca.net Wed Nov 15 03:21:27 2006 From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Wed Nov 15 03:19:55 2006 Subject: Question about use of --cipher-algo AES & --openpgp In-Reply-To: <4559CDF0.7040105@digitalbrains.com> References: <0MKqZr-1Ghfru3IMV-0002h8@mx.perfora.net> <1163171698.5007.297.camel@sirius.brigham.net> <45570BFF.9010806@digitalbrains.com> <1163343976.6292.550.camel@sirius.brigham.net> <4559CDF0.7040105@digitalbrains.com> Message-ID: <455A79A7.2050805@securemecca.net> Peter Lebbing wrote: > Option 1: > byte 0 = 0x8C: Old format, packet tag 3, 1 octet length of packet > byte 2 = 0x4: SK-ESK packet version 4 > byte 4 = 0,1 or 3: S2K specifier > > Option 2: > byte 0 = 0x8D: Old format, packet tag 3, 2 octet length of packet > byte 3 = 0x4: SK-ESK packet version 4 > byte 5 = 0,1 or 3: S2K specifier > > You could continue the list for larger packet length specifiers (like > someone already pointed out, a small packet can still be specified with > a long specifier with leading 0's), new format packets, for public key > ESK packets, etcetera. If we could match more bytes in one match then we > would have at least 3 bytes identifying a file positively; that's fairly > okay I think. If this where possible: > > 0 belonglong&0xFF00FF00FC000000 0x8C00040000000000 OpenPGP File > 0 belonglong&0xFF0000FF00FC0000 0x8D00000400000000 OpenPGP File > > We'd match both options (with the added possibility of undefined S2K > specifier 2, but let's keep it simple). > However, then we run into a problem with new format packets, where the > structure depends on the value of the 2nd byte in the file. The real > solution obviously is more than 1 test. > > When I started this, I hoped it'd be possible to match the file. I think > I've established though that it is impossible, which is also worth a bit. Good analysis. We can always submit it to the file people to see if we get another humourous comment in the magic database. You will note that the same problem existed in old versions of PGP. I suspect that what was done with RFC 2440 had to do with preserving compatibility with older versions of PGP. In other words, you can't blame either GnuPG nor PGP corporation. They know better now, but it isn't much help. You do have better luck with the keys themselves: $ file pubring.gpg pubring.gpg: GPG key public ring $ file secring.gpg secring.gpg: PGP key security ring $ file trustdb.gpg trustdb.gpg: GPG key trust database version 3 $ file tkojm.gpg tkojm.gpg: GPG key public ring I think the main message to spread is that people SHOULD use either a ".gpg" extension with GnuPG, and a ".pgp" with PGP when they write out a symmetrically encrypted file. The "file" command won't tell them anything. You have to depend on the encryption software itself to identify what you have. You CAN use the "file" command to do partial identification of a file with that extension to determine whether it has a key you can add to your keyring - there is no guarantee that it will be valid. Only the encryption software will tell you that. Thanks HHH From wwu at dls.net Wed Nov 15 04:52:54 2006 From: wwu at dls.net (Wei Wu [H]) Date: Wed Nov 15 04:51:01 2006 Subject: how to create a symmetric cipher In-Reply-To: <1163552373.5511.53.camel@sirius.brigham.net> Message-ID: <20061115035258.15D024130F3@green.dls.net> Thanks to all for offering help. I think I did not describe clearly what I need (actually for one of my friends). Let me know if what I intend to do make no sense. The data to be protected resides on a fixed harddisk in a Windows computer. I have a tool on Windows platform that does encryption using either a passphrase or a key file. Use of a key file is recommended as it is more secure (assuming passphrases can be cracked relatively easily). The key file is expected to be stored separately in a removable disk. So I need a tool to create a key. I checked a few key tools such as java keytool and gpg, but their genkey option does not support the generation of a symmetric key/cipher. I read the script you (Henry) sent me. Though it does show how to do symmetric encryption, I don't see how it produce a symmetric cipher. Basically, I need to do the job in two steps: 1. create a symmetric key 2. encrypt/decrypt using the key Regards, Wei -----Original Message----- From: gnupg-users-bounces@gnupg.org [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of Henry Hertz Hobbit Sent: Tuesday, November 14, 2006 7:00 PM To: gnupg-users@gnupg.org Subject: Re: how to create a symmetric cipher On Tue, 2006-11-14 at 16:01 -0600, wvu@dls.net wrote: > Thanks. > > Well, my ultimate goal is to encrypt data, but I don't want to use > passphrase to do it as I believe it is not secure enough. > > So my questions are: > > 1. How to create a symmetric key or cipher? With that, I may use another > tool to encrypt/decrypt. > > 2. Can gpg be used to do key based encryption? Not passphrase based. > > Regards, > WW I already sent you some scripts to do it off-group. I am puzzled about this though. If you looked at the mail archives, there is Seahorse for Gnome users: http://www.gnome.org/projects/seahorse/ I must confess I am baffled by your statements. 1. Creating a key, any key, without a pass-phrase is less safe (I am thinking of something like SSH or SSL) than with a pass-phrase. If you use the default key with SSH or SSL, all that is necessary is to get the key you are using. Once I can do that I can pretend to be you. But if you have a pass-phrase, even if they steal your key, they still need the pass-phrase to pretend to be you. How is that less secure? 2. A key is just a key. Hypothetically, if gpg didn't complain about you not having a key you could hypothetically use gpg to do all of the symmetric encryption you want, but even there, a pass-phrase (which SHOULD be different than the pass-phrase bound with your key) is a good thing, not a bad thing. If you encrypt a file without a pass-phrase, then I can use gpg to decrypt your file and do the same thing you did - don't use a passphrase and voila, the file you encrypted is decrypted for me without me having to type anything other than the decrypt command. 3. Your key is primarily used to sign things and for ASYMMETRIC encryption, not symmetric encryption. By asymmetric encryption I mean stuff you send to others in email, using their public key to encrypt a message you send to them. Then only they can decrypt it using their secret key (which again requires they use their pass-phrase). When you sign a file or a message you send to them, you again must use the pass-phrase bound to your secret key when you to achieve the signing. Would you want me to steal your key, sign a message to your boss and send it to him telling him that he is a dirty scum-bag? Without a pass-phrase, that is entirely possible. With a well designed pass-phrase, even if I steal your key it makes it very hard if not impossible for me to pretend to be you (and get you in hot water). I can't do it without knowing the pass-phrase that must be used with your key. I am trying to understand how a machine key that is used with something like SSL used without a password is SAFER than something encrypted WITH a password. Every extra thing you can add for verification (and a pass-phrase is one of them), security is enhanced, not downgraded. HHH PS Even the NSA has big problems with a symmetric cipher like TWOFISH or AES256. The weakness isn't the algorithm. The weakness if there is one is a BAD or even worse NO encryption PASS-PHRASE. In fact, if you use no pass-phrase with symmetric encryption, you may as well not even encrypt the file at all. _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From wk at gnupg.org Wed Nov 15 09:23:42 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Nov 15 09:26:57 2006 Subject: Failure to sign with gpgsm In-Reply-To: <200611150102.06500.pessoa@angulosolido.pt> (Pedro Pessoa's message of "Wed\, 15 Nov 2006 01\:02\:06 +0000") References: <200611102239.02554.pessoa@angulosolido.pt> <200611141442.35549.pessoa@angulosolido.pt> <87ac2tq4b0.fsf@wheatstone.g10code.de> <200611150102.06500.pessoa@angulosolido.pt> Message-ID: <87hcx1m835.fsf@wheatstone.g10code.de> On Wed, 15 Nov 2006 02:02, pessoa@angulosolido.pt said: > But now, with the code compiling, I could track down to where the problem is. > The method gpgsm_validate_chain (ctrl, cert, NULL, 0, NULL, 0); on sm/sign.c > is failling. Any hints on what I can do to know why it is failling? Run gpgsm --dump-chain YOUR_KEY_ID To see al certificates in the chain. If this does not show any problems, you should add the options: --with-validation --disable-crl-checks Shalom-Salam, Werner From wk at gnupg.org Wed Nov 15 09:29:42 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Nov 15 09:31:41 2006 Subject: Question about use of --cipher-algo AES & --openpgp In-Reply-To: <455A79A7.2050805@securemecca.net> (Henry Hertz Hobbit's message of "Tue\, 14 Nov 2006 19\:21\:27 -0700") References: <0MKqZr-1Ghfru3IMV-0002h8@mx.perfora.net> <1163171698.5007.297.camel@sirius.brigham.net> <45570BFF.9010806@digitalbrains.com> <1163343976.6292.550.camel@sirius.brigham.net> <4559CDF0.7040105@digitalbrains.com> <455A79A7.2050805@securemecca.net> Message-ID: <87d57pm7t5.fsf@wheatstone.g10code.de> Hi, While you are at it, you might want to add support for the keybox foramt which is currently used for X.509 but will soon also store OpenPGP keys: The KeyBox uses an augmented OpenPGP/X.509 key format. This makes random access to a keyblock/Certificate easier and also gives the opportunity to store additional information (e.g. the fingerprint) along with the key. All integers are stored in network byte order, offsets are counted from the beginning of the Blob. The first record of a plain KBX file has a special format: u32 length of the first record byte Blob type (1) byte version number (1) byte reserved byte reserved u32 magic 'KBXf' u32 reserved u32 file_created_at u32 last_maintenance_run u32 reserved u32 reserved $ hd ~/.gnupg/pubring.kbx | head -2 00000000 00 00 00 20 01 01 00 00 4b 42 58 66 00 00 00 00 |... ....KBXf....| 00000010 40 d6 8d 77 42 79 db 24 00 00 00 00 00 00 00 00 |@?.wBy?$........| The description should be something like GnuPG keybox file version 1 Salam-Shalom, Werner From laurent.jumet at skynet.be Wed Nov 15 08:54:42 2006 From: laurent.jumet at skynet.be (Laurent Jumet) Date: Wed Nov 15 10:01:13 2006 Subject: how to create a symmetric cipher In-Reply-To: <20061114195232.BF2F1412162@green.dls.net> Message-ID: Hello Wei ! "Wei Wu [H]" wrote: > I want to create a symmetric cipher such as AES to encrypt some data, and > think gpg (GnuPG Version 1.4.2.1) may do this. But I found it gives only > three options, none is symmetric. I would appreciate if anyone can point me > to another or way to do it? --symmetric [File] will use CAST5 by default, but you can change that choice by using --cipher-algo option. Or better yet, you can define a permanent list of preferred encryptions in --personal-cipher-preferences : the first one will be used for symmetric. AES is "S7" Example: personal-cipher-preferences S7 S1 S10 S3 S4 S2 Of course, each time you make a symmetric encryption, you'll need to type a PassPhrase (but not the one you are using for your secret key), and the recipient must have that PassPhrase in order to decode. -- Laurent Jumet KeyID: 0xCFAF704C From johanw at vulcan.xs4all.nl Wed Nov 15 13:50:19 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed Nov 15 13:48:48 2006 Subject: Build problem with gpg2 Message-ID: <200611151250.kAFCoJFP010206@vulcan.xs4all.nl> Hello, GnuPG 2 doesn't make it easier... I installed all 4 libs, but configure in gpg2 gave me: configure: *** *** You need libassuan with Pth support to build this program. *** This library is for example available at *** ftp://ftp.gnupg.org/gcrypt/libassuan/ *** (at least version 0.9.3 (API 1) is required). *** configure: *** *** It is now required to build with support for the *** GNU Portable Threads Library (Pth). Please install this *** library first. The library is for example available at *** ftp://ftp.gnu.org/gnu/pth/ *** On a Debian GNU/Linux system you can install it using *** apt-get install libpth-dev *** configure: error: *** *** Required libraries not found. Please consult the above messages *** and install them before running configure again. *** I installed libassuan-1.0.0, downloaded 14-11 from the GnuPG site. I assume the Pth support is the problem. I have installed /usr/lib/libpthread.so /usr/lib/libpthread_nonshared.a /usr/lib/libpthread.a /lib/libpthread-0.10.so /lib/libpthread.so.0 Is this version new enough? It comes with Slackware Linux 10.0. If so, how do I build libassuan with Pth support? It doesn't say much in the docs. I see a --with-pth-prefix option, but that shouldn't be necessary I think. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From johanw at vulcan.xs4all.nl Wed Nov 15 14:05:04 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed Nov 15 14:08:32 2006 Subject: OpenPGP Card implementation In-Reply-To: <87d57qq8hv.fsf@wheatstone.g10code.de> Message-ID: <200611151305.kAFD54S7017736@vulcan.xs4all.nl> Werner Koch wrote: >Good for people in China, but here they will go after you as soon as >you sell them. Recall that we are not yet ready to FTP hardware. Mail-order from a company in Tadjikistan, who gets them from a front-end company in Hong Kong who orders them somewhere in mainland China. Good luck tracing and suing them. Smartcards are small enough to send via normal mail (my bank does so all the time) so the customs can't check easily for them too. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From alex at bofh.net.pl Wed Nov 15 12:13:32 2006 From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Wed Nov 15 14:24:14 2006 Subject: OpenPGP Card implementation In-Reply-To: <87d57qq8hv.fsf@wheatstone.g10code.de> References: <200611141206.kAEC62et025194@vulcan.xs4all.nl> <87d57qq8hv.fsf@wheatstone.g10code.de> Message-ID: <20061115111332.GF12190@hell.pl> On Tue, Nov 14, 2006 at 05:49:00PM +0100, Werner Koch wrote: > On Tue, 14 Nov 2006 13:06, johanw@vulcan.xs4all.nl said: > > > Is it very hard to design such a card from scratch, and very expensive > > to have it produced as custom hardware? I'm sure there are enough > > chip-producing companies in China who don't give a damn about western > > lawyers. > > Good for people in China, but here they will go after you as soon as > you sell them. Recall that we are not yet ready to FTP hardware. Ehm Do you mean that if I did get some VC funding for design of open crypto smartcard targeted for OpenPGP use and then published it (as a part of the business plan) I would get sued? For exactly what? -- JID: alex@hell.pl PGP: 0x46399138 od zwracania uwagi na detale s? lekarze, adwokaci, programi?ci i zegarmistrze -- Czerski From wwu at dls.net Wed Nov 15 14:46:12 2006 From: wwu at dls.net (Wei Wu [H]) Date: Wed Nov 15 14:44:03 2006 Subject: how to create a symmetric cipher In-Reply-To: <455AB7BD.40105@radde.name> Message-ID: <20061115134613.4E6B34127E2@green.dls.net> Yes. That's what I need. Thanks, WW -----Original Message----- From: Sven Radde [mailto:sven@radde.name] Sent: Wednesday, November 15, 2006 12:46 AM To: Wei Wu [H] Cc: gnupg-users@gnupg.org Subject: Re: how to create a symmetric cipher Hello! Wei Wu [H] schrieb: > The data to be protected resides on a fixed harddisk in a Windows computer. > I have a tool on Windows platform that does encryption using either a > passphrase or a key file. Use of a key file is recommended as it is more > secure (assuming passphrases can be cracked relatively easily). The key file > is expected to be stored separately in a removable disk. So I need a tool to > create a key. > > I checked a few key tools such as java keytool and gpg, but their genkey > option does not support the generation of a symmetric key/cipher. No offense intended, but you are confusing the involved concepts quite heavily. What you need for your tool is merely a file filled with random data. This "key" is totally different from what gnupg, java keytool, openssl etc. use as keys for their sophisticated protocols. However, gnupg offers to generate some random bytes using the --gen-random command, which is probably what you need: --gen-random /0|1|2/ [/count/] Emit COUNT random bytes of the given quality level. If count is not given or zero, an endless sequence of random bytes will be emitted. PLEASE, don't use this command unless you know what you are doing, it may remove precious entropy from the system! So you would need to issue something like "gpg --gen-random 2 32 > file.key" to generate a 32 Bytes (=256 Bit) file full with random data to be used as a key by your other tool. Note that I do not have an idea whether "0" or "2" is the highest "quality" level for the random data. Probably others can clarify, but I assume that 2 is highest quality. HTH, Sven Radde From mk at fsfe.org Wed Nov 15 15:07:41 2006 From: mk at fsfe.org (Matthias Kirschner) Date: Wed Nov 15 16:24:00 2006 Subject: FSFE Smart Card In-Reply-To: <200610291826.k9TIQ2d3025953@rs26.luxsci.com> References: <200610291826.k9TIQ2d3025953@rs26.luxsci.com> Message-ID: <20061115140741.GD4204@mbwg.de> * Henry Bremridge [2006-10-29 18:25:17 +0000]: > Question: > > - The FSFE website states that the recommended procedure is to use the > smart card with sub-keys only. If however I am creating a new > key-pair and backing up the secret key to a safe place, then what is > the problem? AFAIK the problem is, that you will loose your old sigatures. Best wishes, Matze -- Join the Fellowship and protect your freedom! (http://www.fsfe.org) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 307 bytes Desc: Digital signature Url : /pipermail/attachments/20061115/712d03a3/attachment.pgp From wk at gnupg.org Wed Nov 15 16:49:52 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Nov 15 16:51:39 2006 Subject: OpenPGP Card implementation In-Reply-To: <20061115111332.GF12190@hell.pl> (Janusz A. Urbanowicz's message of "Wed\, 15 Nov 2006 12\:13\:32 +0100") References: <200611141206.kAEC62et025194@vulcan.xs4all.nl> <87d57qq8hv.fsf@wheatstone.g10code.de> <20061115111332.GF12190@hell.pl> Message-ID: <87mz6siuan.fsf@wheatstone.g10code.de> On Wed, 15 Nov 2006 12:13, alex@bofh.net.pl said: > Do you mean that if I did get some VC funding for design of open > crypto smartcard targeted for OpenPGP use and then published it (as a > part of the business plan) I would get sued? Only if that card may be used to create clones of TV cards. Salam-Shalom, Werner From wk at gnupg.org Wed Nov 15 16:48:25 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Nov 15 16:51:50 2006 Subject: Build problem with gpg2 In-Reply-To: <200611151250.kAFCoJFP010206@vulcan.xs4all.nl> (Johan Wevers's message of "Wed\, 15 Nov 2006 13\:50\:19 +0100 \(MET\)") References: <200611151250.kAFCoJFP010206@vulcan.xs4all.nl> Message-ID: <87r6w4iud2.fsf@wheatstone.g10code.de> On Wed, 15 Nov 2006 13:50, johanw@vulcan.xs4all.nl said: > /usr/lib/libpthread.so > /usr/lib/libpthread_nonshared.a > /usr/lib/libpthread.a > /lib/libpthread-0.10.so > /lib/libpthread.so.0 PTH is is usually in a library named libpth.so. Debian started to distribute the libpthread emulation which comes with pth - this leads to major problems. You need to have the header files as well as the libassuan-config and so on. Check the config.log for details. > Is this version new enough? It comes with Slackware Linux 10.0. > If so, how do I build libassuan with Pth support? It doesn't > say much in the docs. I see a --with-pth-prefix option, but that If you want to use your versions you need to make sure that /usr/local/bin comes prior to /usr/bin in your $PATH. Shalom-Salam, Werner From benjamin at py-soft.co.uk Wed Nov 15 18:45:44 2006 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Wed Nov 15 18:44:57 2006 Subject: Use of IDEA in GnuPG 2 In-Reply-To: <200611141223.kAECNZpB000961@vulcan.xs4all.nl> References: <200611141223.kAECNZpB000961@vulcan.xs4all.nl> Message-ID: <455B5248.308@py-soft.co.uk> -------- Original Message -------- Subject: [Enigmail] IDEA Date: Wed, 15 Nov 2006 17:18:44 +0100 From: Kristian Fiskerstrand Reply-To: Enigmail user discussion list Organisation: The Mozdev Foundation - news server To: enigmail@mozdev.org Newsgroups: public.mozdev.enigmail Greetings. I don't know if this is available already, and if so just disregard this email. Anyways, I had to open up a couple of old emails using IDEA as the symmetric cipher, so I threw together a small wrapper for libgcrypt-1.2.3 to add IDEA support to GnuPG 2.0. if anyone else is interested it can be found at http://www.kfwebs.net/articles/article/42/GnuPG-2.0---IDEA-support . Comments are welcome, Yours sincerely, -- ---------------------------- Kristian Fiskerstrand http://www.kfwebs.net ---------------------------- http://www.secure-my-email.com http://www.secure-my-internet.com From jbloss at tampabay.rr.com Wed Nov 15 19:49:15 2006 From: jbloss at tampabay.rr.com (Jeffrey F. Bloss) Date: Wed Nov 15 19:47:31 2006 Subject: how to create a symmetric cipher In-Reply-To: <20061115134613.4E6B34127E2@green.dls.net> References: <455AB7BD.40105@radde.name> <20061115134613.4E6B34127E2@green.dls.net> Message-ID: <20061115134915.62d9be80@localhost.localdomain> Wei Wu [H] wrote: > Yes. That's what I need. If you're just trying to eliminate pass phrases and set up a key file only scenario, why not simply create a key pair with a null or "zero length" pass phrase? Keep those keys on your removable device, and use a script/batch that calls GnuPG with the appropriate keyring switches or .conf file options so it sees only those keys, only when they're needed. This would in effect eliminate asymmetric encryption, which I believe GnuPG really only uses to encrypt a symmetric session key. In reality you'd still be using both key files and asymmetric encryption I'd think, but it would appear as though you were merely using a simple key file encryption because you wouldn't have to enter a pass phrase, and the only actual security would come from the session key encryption. > Thanks, > WW > > -----Original Message----- > From: Sven Radde [mailto:sven@radde.name] > Sent: Wednesday, November 15, 2006 12:46 AM > To: Wei Wu [H] > Cc: gnupg-users@gnupg.org > Subject: Re: how to create a symmetric cipher > > Hello! > > Wei Wu [H] schrieb: > > The data to be protected resides on a fixed harddisk in a Windows > computer. > > I have a tool on Windows platform that does encryption using either > > a passphrase or a key file. Use of a key file is recommended as it > > is more secure (assuming passphrases can be cracked relatively > > easily). The key > file > > is expected to be stored separately in a removable disk. So I need > > a tool > to > > create a key. > > > > I checked a few key tools such as java keytool and gpg, but their > > genkey option does not support the generation of a symmetric > > key/cipher. > No offense intended, but you are confusing the involved concepts quite > heavily. > > What you need for your tool is merely a file filled with random data. > This "key" is totally different from what gnupg, java keytool, openssl > etc. use as keys for their sophisticated protocols. > > However, gnupg offers to generate some random bytes using the > --gen-random command, which is probably what you need: > > --gen-random /0|1|2/ [/count/] > > Emit COUNT random bytes of the given quality level. If count is > not given or zero, an endless sequence of random bytes will be > emitted. PLEASE, don't use this command unless you know what you are > doing, it may remove precious entropy from the system! > > > So you would need to issue something like "gpg --gen-random 2 32 > > file.key" to generate a 32 Bytes (=256 Bit) file full with random data > to be used as a key by your other tool. > Note that I do not have an idea whether "0" or "2" is the highest > "quality" level for the random data. Probably others can clarify, but > I assume that 2 is highest quality. > > HTH, > Sven Radde > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -- Hand crafted on 15 November, 2006 at 13:02:13 EST using only the finest domestic and imported ASCII. A long-forgotten loved one will appear soon. Buy the negatives at any price. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 892 bytes Desc: not available Url : /pipermail/attachments/20061115/739341d0/signature.pgp From benjamin at py-soft.co.uk Thu Nov 16 00:23:57 2006 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Thu Nov 16 00:22:15 2006 Subject: OpenPGP Card implementation In-Reply-To: <4559D418.7010805@py-soft.co.uk> References: <200611141206.kAEC62et025194@vulcan.xs4all.nl> <4559B6E9.3030702@excelcia.org> <4559D418.7010805@py-soft.co.uk> Message-ID: <455BA18D.1010109@py-soft.co.uk> Benjamin Donnachie wrote: > Can you point me in their direction please? I'd much rather try to > implement RSA from scratch in Java than Basic! Ah-ha! Amtel are apparently offering samples of their AT91SC512384RCT[1], which has an impressive set of features including a cryptographic accelerator... If anything, it might be an interesting exercise to write an OpenPGP smartcard implementation for the emulator... Ben [1] http://www.atmel.com/dyn/resources/prod_documents/6525S.pdf From benjamin at py-soft.co.uk Thu Nov 16 00:29:08 2006 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Thu Nov 16 00:27:12 2006 Subject: OpenPGP Card implementation In-Reply-To: <455BA18D.1010109@py-soft.co.uk> References: <200611141206.kAEC62et025194@vulcan.xs4all.nl> <4559B6E9.3030702@excelcia.org> <4559D418.7010805@py-soft.co.uk> <455BA18D.1010109@py-soft.co.uk> Message-ID: <455BA2C4.4000302@py-soft.co.uk> Benjamin Donnachie wrote: > Ah-ha! Amtel are apparently offering samples of their > AT91SC512384RCT[1], which has an impressive set of features including a > cryptographic accelerator... Alternatively, this link raises some interesting possibilities - http://www.elecdesign.com/Articles/Index.cfm?AD=1&ArticleID=6412 Some people might even like the "retro" feeling that a PIC hanging off the end out give! :-) Ben From benjamin at py-soft.co.uk Thu Nov 16 01:03:53 2006 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Thu Nov 16 01:01:56 2006 Subject: OpenPGP Card implementation In-Reply-To: <455BA2C4.4000302@py-soft.co.uk> References: <200611141206.kAEC62et025194@vulcan.xs4all.nl> <4559B6E9.3030702@excelcia.org> <4559D418.7010805@py-soft.co.uk> <455BA18D.1010109@py-soft.co.uk> <455BA2C4.4000302@py-soft.co.uk> Message-ID: <455BAAE9.10903@py-soft.co.uk> Now these are promising - http://www.weethet.nl/english/smartcards_types.php#funcard Need to crash into bed... I'll look at them in more detail later... Ben From pessoa at angulosolido.pt Thu Nov 16 01:15:41 2006 From: pessoa at angulosolido.pt (Pedro Pessoa) Date: Thu Nov 16 01:14:13 2006 Subject: Failure to sign with gpgsm In-Reply-To: <87hcx1m835.fsf@wheatstone.g10code.de> References: <200611102239.02554.pessoa@angulosolido.pt> <200611150102.06500.pessoa@angulosolido.pt> <87hcx1m835.fsf@wheatstone.g10code.de> Message-ID: <200611160015.41694.pessoa@angulosolido.pt> On Wednesday 15 November 2006 08:23, Werner Koch wrote: > On Wed, 15 Nov 2006 02:02, pessoa@angulosolido.pt said: > > But now, with the code compiling, I could track down to where the problem > > is. The method gpgsm_validate_chain (ctrl, cert, NULL, 0, NULL, 0); on > > sm/sign.c is failling. Any hints on what I can do to know why it is > > failling? > > Run > > gpgsm --dump-chain YOUR_KEY_ID > > To see al certificates in the chain. If this does not show any > problems, you should add the options: It looks ok, I can see the complete certificate chain. > --with-validation --disable-crl-checks Nope, still the same error: gpgsm: error creating signature: No value Shall I try to dig into gpgsm_validate_chain? Pedro -- Angulo S?lido - Tecnologias de Informa??o http://angulosolido.pt From dougb at dougbarton.us Thu Nov 16 02:37:19 2006 From: dougb at dougbarton.us (Doug Barton) Date: Thu Nov 16 04:24:28 2006 Subject: insecure memory warning in 2.0.0 Message-ID: <455BC0CF.2080004@dougbarton.us> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Howdy, I'm using 2.0.0 on FreeBSD 7-Current, and although I have "no-secmem-warning" in my gpg.conf, I'm still getting "Warning: using insecure memory!" with just about every gpg command I run. Any ideas? Doug - -- If you're never wrong, you're not trying hard enough -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.0 (FreeBSD) iD8DBQFFW8DPyIakK9Wy8PsRAnF0AJ9EMJ68f7VsdDlM+H0KYX9cYb8PPwCgwhCx Y+0WFRAvAC/b6bbzhLDhZxw= =BTLu -----END PGP SIGNATURE----- From groundedforlife at verizon.net Thu Nov 16 04:52:02 2006 From: groundedforlife at verizon.net (Eric Buchanan) Date: Thu Nov 16 06:24:09 2006 Subject: insecure memory warning in 2.0.0 In-Reply-To: <455BC0CF.2080004@dougbarton.us> References: <455BC0CF.2080004@dougbarton.us> Message-ID: <200611151952.02369.groundedforlife@verizon.net> Hi Doug, I haven't gotten 2.0 to compile on FreeBSD (yet), but with 1.x I have to run chmod 4775 on the absolute location of the gpg binary. Then it goes away. HTH, Eric Buchanan On Wednesday 15 November 2006 17:37, Doug Barton wrote: > Howdy, > > I'm using 2.0.0 on FreeBSD 7-Current, and although I have > "no-secmem-warning" in my gpg.conf, I'm still getting "Warning: using > insecure memory!" with just about every gpg command I run. Any ideas? > > Doug From wk at gnupg.org Thu Nov 16 08:27:23 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Nov 16 08:31:54 2006 Subject: Failure to sign with gpgsm In-Reply-To: <200611160015.41694.pessoa@angulosolido.pt> (Pedro Pessoa's message of "Thu\, 16 Nov 2006 00\:15\:41 +0000") References: <200611102239.02554.pessoa@angulosolido.pt> <200611150102.06500.pessoa@angulosolido.pt> <87hcx1m835.fsf@wheatstone.g10code.de> <200611160015.41694.pessoa@angulosolido.pt> Message-ID: <87irhfrgv8.fsf@wheatstone.g10code.de> On Thu, 16 Nov 2006 01:15, pessoa@angulosolido.pt said: > Nope, still the same error: > gpgsm: error creating signature: No value It would be helpfukl to see the actual output. If you don't want that to appear on a public list, send it me by private mail. > Shall I try to dig into gpgsm_validate_chain? First run with --debug 1 Salam-Shalom, Werner From wk at gnupg.org Thu Nov 16 08:28:43 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Nov 16 08:32:11 2006 Subject: insecure memory warning in 2.0.0 In-Reply-To: <455BC0CF.2080004@dougbarton.us> (Doug Barton's message of "Wed\, 15 Nov 2006 17\:37\:19 -0800") References: <455BC0CF.2080004@dougbarton.us> Message-ID: <87ejs3rgt0.fsf@wheatstone.g10code.de> On Thu, 16 Nov 2006 02:37, dougb@dougbarton.us said: > I'm using 2.0.0 on FreeBSD 7-Current, and although I have > "no-secmem-warning" in my gpg.conf, I'm still getting "Warning: using > insecure memory!" with just about every gpg command I run. Any ideas? What version of libgcrypt are you using? Shalom-Salam, Werner From dougb at dougbarton.us Thu Nov 16 08:47:02 2006 From: dougb at dougbarton.us (Doug Barton) Date: Thu Nov 16 08:45:04 2006 Subject: insecure memory warning in 2.0.0 In-Reply-To: <87ejs3rgt0.fsf@wheatstone.g10code.de> References: <455BC0CF.2080004@dougbarton.us> <87ejs3rgt0.fsf@wheatstone.g10code.de> Message-ID: <455C1776.8040901@dougbarton.us> Werner Koch wrote: > On Thu, 16 Nov 2006 02:37, dougb@dougbarton.us said: > >> I'm using 2.0.0 on FreeBSD 7-Current, and although I have >> "no-secmem-warning" in my gpg.conf, I'm still getting "Warning: using >> insecure memory!" with just about every gpg command I run. Any ideas? > > What version of libgcrypt are you using? Here is everything, in case it's relevant: $ pkg_info -r gnupg-2.0.0 Information for gnupg-2.0.0: Depends on: Dependency: pth-2.0.7 Dependency: openldap-client-2.3.30 Dependency: libusb-0.1.12_1 Dependency: libgpg-error-1.4 Dependency: libiconv-1.9.2_2 Dependency: libgcrypt-1.2.3_1 Dependency: libksba-1.0.0_1 Dependency: dirmngr-0.9.6_1 The _N after some of the version numbers means that the FreeBSD port got updated even though the software version didn't change. Thanks, Doug -- If you're never wrong, you're not trying hard enough From dougb at dougbarton.us Thu Nov 16 09:54:22 2006 From: dougb at dougbarton.us (Doug Barton) Date: Thu Nov 16 09:52:23 2006 Subject: insecure memory warning in 2.0.0 In-Reply-To: <200611151952.02369.groundedforlife@verizon.net> References: <455BC0CF.2080004@dougbarton.us> <200611151952.02369.groundedforlife@verizon.net> Message-ID: <455C273E.2020606@dougbarton.us> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Eric Buchanan wrote: > Hi Doug, > I haven't gotten 2.0 to compile on FreeBSD (yet), http://dougbarton.us/libassuan.diff is the update to /usr/ports/security/libassuan that you need to get it up to version 1.0.0, since gnupg 2.0.0 needs a newer version of the library than we have in ports right now. For gnupg 2.0.0 itself, you can do the following: cd /usr/ports/security cp -Rp gnupg-devel gnupg2 cd gnupg2 Then apply the patch at http://dougbarton.us/gnupg2.diff No promises that this will be the final version of either of these ports, but I have already sent these patches to their maintainer, so hopefully the ports tree will be updated soon. Meanwhile this is enough to get you up and running. > but with 1.x I have to run > chmod 4775 on the absolute location of the gpg binary. Then it goes away. There is actually a knob in the port for 1.4.x that will do that for you, but if we can get the option to work I'd rather avoid making the gpg2 binary suid to start with. Thanks for the suggestion in any case. FWIW, I've been using 2.0.0 for a while now, doing some much needed key maintenance, sending out signatures from a recent key signing, sending challenges, and signing keys, and so far this is the only "issue" I've run across. I even set up gpg-agent with a minimum of fuss. So far so good ... Doug - -- If you're never wrong, you're not trying hard enough -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.0 (FreeBSD) iD8DBQFFXCc+yIakK9Wy8PsRAkiSAJwN80Z/ebVJJeZzlSv1jbJjLeF5TQCghaBr GyNecbI9CoxUFaf9rlrc5s4= =6VID -----END PGP SIGNATURE----- From wk at gnupg.org Thu Nov 16 10:52:50 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Nov 16 10:56:46 2006 Subject: insecure memory warning in 2.0.0 In-Reply-To: <455C1776.8040901@dougbarton.us> (Doug Barton's message of "Wed\, 15 Nov 2006 23\:47\:02 -0800") References: <455BC0CF.2080004@dougbarton.us> <87ejs3rgt0.fsf@wheatstone.g10code.de> <455C1776.8040901@dougbarton.us> Message-ID: <87r6w3pvkd.fsf@wheatstone.g10code.de> On Thu, 16 Nov 2006 08:47, dougb@dougbarton.us said: > Dependency: libgcrypt-1.2.3_1 There are some changes int 1.2.4 but they are for actually printing the warning. Are you sure you see the Warning: using insecure memory! and not can't lock memory: XXXX or Please note that you don't have secure memory on this system The first needs some debugging. Set a breakpoint to secmem.c:lock_pool in libgcrypt. The second might be solvable using strace and for the last Ineed to look into config.log If anyone can give me access to such a system it would make things easier. Shalom-Salam, Werner From dougb at dougbarton.us Thu Nov 16 11:04:05 2006 From: dougb at dougbarton.us (Doug Barton) Date: Thu Nov 16 11:02:08 2006 Subject: insecure memory warning in 2.0.0 In-Reply-To: <87r6w3pvkd.fsf@wheatstone.g10code.de> References: <455BC0CF.2080004@dougbarton.us> <87ejs3rgt0.fsf@wheatstone.g10code.de> <455C1776.8040901@dougbarton.us> <87r6w3pvkd.fsf@wheatstone.g10code.de> Message-ID: <455C3795.8070702@dougbarton.us> Werner Koch wrote: > On Thu, 16 Nov 2006 08:47, dougb@dougbarton.us said: > >> Dependency: libgcrypt-1.2.3_1 > > There are some changes int 1.2.4 but they are for actually printing > the warning. Are you sure you see the > > Warning: using insecure memory! gpg --list-keys dougbarton Warning: using insecure memory! ... > The first needs some debugging. Set a breakpoint to > secmem.c:lock_pool in libgcrypt. Perhaps you can send me more detailed instructions by private mail now that we know what we're dealing with. It's too late for me to deal with this tonight (this morning!) in any case. Doug -- If you're never wrong, you're not trying hard enough From sven at radde.name Tue Nov 14 09:46:53 2006 From: sven at radde.name (Sven Radde) Date: Thu Nov 16 12:54:40 2006 Subject: GnuPG 2.0 In-Reply-To: <45594988.4070308@bellsouth.net> References: <1657673143.20061113200325@voyager.net> <87d57rz7ql.fsf@wheatstone.g10code.de> <972ABE9D-5CEC-4B1A-AEA1-03B33305AB23@rotz.org> <45594988.4070308@bellsouth.net> Message-ID: <4559827D.6030307@radde.name> Hello! John W. Moore III schrieb: > The Bottom Line is that nothing is /missing/ in 1.4.x Builds. Even if this was true, it is probably not wise to furnish Windows users with an 'old' version of GnuPG. People may have the impression that it is not maintained as well anymore. Obviously, this is a marketing perspective (and may even be incorrect) but depending on the goals of the GnuPG project, this point should not be overlooked. If you want to reach end-users (I assume so), Windows still is *the* market and will remain so for the foreseeable future. I'm not sure that "we will keep maintaining 1.x because it's still useful" (GnuPG 2.0 announcement) is the right message here. Apart from this soft reason, a replacement for pageant (Putty's SSH agent) that does support the OpenPGP smartcard is *definitely* something I would want under Windows. :-) Also, not every GnuPG-GUI does passphrase-caching (which is AFAIK a slightly different thing than what the agent does, anyway). Not so definite about S/MIME but would surely be nice to have as well (sometimes, one may want to use it outside of a mailer program or just have a central certificate storage independent of the mailer). Developers will be more qualified to comment here, but I imagine that a "well defined API" to manage the configuration would also be a nice thing compared to the various rather ad-hoc (I think) methods currently in use by the available GUIs. Same could be true for scdaemon and the other development-focused features. Summarizingly, I hope that there will be a Windows version. If nothing else, there should be a clear commitment as to the future of 1.4.x (i.e. not only maintaining but active further development) to avoid the feeling that Windows users have a "second class" GnuPG. Just my 2 cents, Sven Radde From sven at radde.name Wed Nov 15 07:46:21 2006 From: sven at radde.name (Sven Radde) Date: Thu Nov 16 12:54:45 2006 Subject: how to create a symmetric cipher In-Reply-To: <20061115035258.15D024130F3@green.dls.net> References: <20061115035258.15D024130F3@green.dls.net> Message-ID: <455AB7BD.40105@radde.name> Hello! Wei Wu [H] schrieb: > The data to be protected resides on a fixed harddisk in a Windows computer. > I have a tool on Windows platform that does encryption using either a > passphrase or a key file. Use of a key file is recommended as it is more > secure (assuming passphrases can be cracked relatively easily). The key file > is expected to be stored separately in a removable disk. So I need a tool to > create a key. > > I checked a few key tools such as java keytool and gpg, but their genkey > option does not support the generation of a symmetric key/cipher. No offense intended, but you are confusing the involved concepts quite heavily. What you need for your tool is merely a file filled with random data. This "key" is totally different from what gnupg, java keytool, openssl etc. use as keys for their sophisticated protocols. However, gnupg offers to generate some random bytes using the --gen-random command, which is probably what you need: --gen-random /0|1|2/ [/count/] Emit COUNT random bytes of the given quality level. If count is not given or zero, an endless sequence of random bytes will be emitted. PLEASE, don't use this command unless you know what you are doing, it may remove precious entropy from the system! So you would need to issue something like "gpg --gen-random 2 32 > file.key" to generate a 32 Bytes (=256 Bit) file full with random data to be used as a key by your other tool. Note that I do not have an idea whether "0" or "2" is the highest "quality" level for the random data. Probably others can clarify, but I assume that 2 is highest quality. HTH, Sven Radde From wk at gnupg.org Thu Nov 16 15:18:46 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Nov 16 15:22:04 2006 Subject: Outcome of the Logo Ballot Message-ID: <87ac2rpj95.fsf@wheatstone.g10code.de> Hi, The logo contest for GnuPG (see http://logo-contest.gnupg.org) has been finished some time ago. However up to the end of the voting period, I received only 11 votes out of 40 people eligible to vote. Further there is no clear results. 9 votes are for 9 different submissions and only 2 voted for the same. Given these results anything else but canceling this ballot would be unfair. To come to a decision, I have setup a new ballot using Condorcet voting at the the CIVS service [1]. All 1230 subscribers of gnupg-users and gnupg-devel are eligible to cast their vote. They will soon receive a mail with an URL to the ballow page. There you may rank all submissions or tag them with "no opinion". Note that, some submissions are by the same authors; they are distinguished by small letter and a description in parentheses (the name is only given one). Please make sure that your spam filters don't catch the mail with the URL, it will be send from andru at cs.cornell.edu. The ballot runs to the end of this month. Shalom-Salam, Werner [1] http://www.cs.cornell.edu/andru/civs.html -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 196 bytes Desc: not available Url : /pipermail/attachments/20061116/4562613b/attachment.pgp From benjamin at py-soft.co.uk Thu Nov 16 16:36:17 2006 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Thu Nov 16 16:33:47 2006 Subject: OpenPGP Card implementation In-Reply-To: <455BAAE9.10903@py-soft.co.uk> References: <200611141206.kAEC62et025194@vulcan.xs4all.nl> <4559B6E9.3030702@excelcia.org> <4559D418.7010805@py-soft.co.uk> <455BA18D.1010109@py-soft.co.uk> <455BA2C4.4000302@py-soft.co.uk> <455BAAE9.10903@py-soft.co.uk> Message-ID: <455C8571.9090603@py-soft.co.uk> Benjamin Donnachie wrote: > Now these are promising - > http://www.weethet.nl/english/smartcards_types.php#funcard ... and so it SOSSE - Simple Operating System for Smartcard Education[1] Anyone interested in helping develop a truly open implementation of the OpenPGP smartcard on an AVR funcard (Generally available for about ?5 each) using C, please contact me off list. Ben [1] http://www.mbsks.franken.de/sosse/html/index.html From dshaw at jabberwocky.com Thu Nov 16 17:19:44 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Nov 16 17:18:19 2006 Subject: GnuPG 2.0 In-Reply-To: <4559827D.6030307@radde.name> References: <1657673143.20061113200325@voyager.net> <87d57rz7ql.fsf@wheatstone.g10code.de> <972ABE9D-5CEC-4B1A-AEA1-03B33305AB23@rotz.org> <45594988.4070308@bellsouth.net> <4559827D.6030307@radde.name> Message-ID: <20061116161944.GA30171@jabberwocky.com> On Tue, Nov 14, 2006 at 09:46:53AM +0100, Sven Radde wrote: > Summarizingly, I hope that there will be a Windows version. > If nothing else, there should be a clear commitment as to the future of > 1.4.x (i.e. not only maintaining but active further development) to > avoid the feeling that Windows users have a "second class" GnuPG. Here is your clear commitment to the future of 1.4.x. The numbering between 1.4 and 2.0 is perhaps unfortunate in that it implies that 2.0 replaces 1.4. It doesn't. They are two different programs that serve different purposes. There is certainly overlap (they both do OpenPGP), but 1.4.x is not going anywhere and new OpenPGP development will be done on both. David From vedaal at hush.com Thu Nov 16 20:31:05 2006 From: vedaal at hush.com (vedaal@hush.com) Date: Thu Nov 16 20:48:36 2006 Subject: gnupg 2.0 // compile on cygwin ? Message-ID: <20061116193106.77101DA84B@mailserver8.hushmail.com> On Tue, Nov 14, 2006 at 09:46:53AM +0100, Sven Radde wrote: > Summarizingly, I hope that there will be a Windows version. maybe it can be compiled on cygwin ? i have gnupg 1.4.5 on windows, and 1.4.2.2 on cygwin (a 'full' install on cygwin includes gnupg, gcc, perl and python) and both gnupg versions worked nicely and independently on the same windows machine (both win 2k pro and xp pro) ) can gnupg 2.o be set up in cygwin using cygwin's gcc compiler ? tia, vedaal Concerned about your privacy? Instantly send FREE secure email, no account required http://www.hushmail.com/send?l=480 Get the best prices on SSL certificates from Hushmail https://www.hushssl.com?l=485 From wk at gnupg.org Thu Nov 16 21:43:15 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Nov 16 21:46:41 2006 Subject: Problem compiling libgpg-error-1.4 with Mac OS X In-Reply-To: <9AE73FDA-D9BC-48E7-9608-59D31FD86FC7@ruderich.com> (Simon Ruderich's message of "Tue\, 14 Nov 2006 22\:42\:12 +0100") References: <9AE73FDA-D9BC-48E7-9608-59D31FD86FC7@ruderich.com> Message-ID: <87r6w3jf6k.fsf@wheatstone.g10code.de> On Tue, 14 Nov 2006 22:42, simon@ruderich.com said: > failing with compiling libgpg-error-1.4. > ./configure works but when I run make the following error is > displayed and make fails: Sorry, I have no experience with MAx OS X and its fat binaries. Without a testing box at hand it is hadr to guess the problem. Given that Mac OS X is a Unix system we will add patches if required. Salam-Shalom, Werner From wk at gnupg.org Thu Nov 16 21:41:37 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Nov 16 21:46:51 2006 Subject: GnuPG 2.0 In-Reply-To: <20061116161944.GA30171@jabberwocky.com> (David Shaw's message of "Thu\, 16 Nov 2006 11\:19\:44 -0500") References: <1657673143.20061113200325@voyager.net> <87d57rz7ql.fsf@wheatstone.g10code.de> <972ABE9D-5CEC-4B1A-AEA1-03B33305AB23@rotz.org> <45594988.4070308@bellsouth.net> <4559827D.6030307@radde.name> <20061116161944.GA30171@jabberwocky.com> Message-ID: <87velfjf9a.fsf@wheatstone.g10code.de> On Thu, 16 Nov 2006 17:19, dshaw@jabberwocky.com said: > Here is your clear commitment to the future of 1.4.x. The numbering > between 1.4 and 2.0 is perhaps unfortunate in that it implies that 2.0 > replaces 1.4. It doesn't. They are two different programs that serve AFAICS, Apache does it the same way. Not every site has upgraded to 2.0 - for good reasons. Shalom-Salam, Werner From wk at gnupg.org Thu Nov 16 21:45:54 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Nov 16 21:51:48 2006 Subject: how to create a symmetric cipher In-Reply-To: <455AB7BD.40105@radde.name> (Sven Radde's message of "Wed\, 15 Nov 2006 07\:46\:21 +0100") References: <20061115035258.15D024130F3@green.dls.net> <455AB7BD.40105@radde.name> Message-ID: <87mz6rjf25.fsf@wheatstone.g10code.de> On Wed, 15 Nov 2006 07:46, sven@radde.name said: > "quality" level for the random data. Probably others can clarify, but I > assume that 2 is highest quality. Correct. You might want to add the option --armor to get base64 output without linefeeds. This may the easily be passed to gpg via --passphrase-fd. Shalom-Salam, Werner From johanw at vulcan.xs4all.nl Fri Nov 17 02:17:50 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Fri Nov 17 02:23:27 2006 Subject: OpenPGP Card implementation In-Reply-To: <20061115111332.GF12190@hell.pl> Message-ID: <200611170117.kAH1Ho0R014786@vulcan.xs4all.nl> Janusz A. Urbanowicz wrote: >Do you mean that if I did get some VC funding for design of open >crypto smartcard targeted for OpenPGP use and then published it (as a >part of the business plan) I would get sued? Then publish it anonymously. Most TV card hack software is also published anonymously, and programs like dvdshrink (too bad it doesn't come with sourcecode) and FairUse4WM too. No author known means noone to sue. >For exactly what? Companies don't need a valid legal reason to do that as long as they think you can't afford the lawsuit for long. The scientology method to use the legal system to sue someone into bancrupcy as default strategy is something that almost all companies use against individuals. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From gr at eclipsed.net Fri Nov 17 00:49:39 2006 From: gr at eclipsed.net (gabriel rosenkoetter) Date: Fri Nov 17 02:24:14 2006 Subject: Problem compiling libgpg-error-1.4 with Mac OS X In-Reply-To: <9AE73FDA-D9BC-48E7-9608-59D31FD86FC7@ruderich.com> References: <9AE73FDA-D9BC-48E7-9608-59D31FD86FC7@ruderich.com> Message-ID: <20061116234939.GA44493@stow.eclipsed.net> On Tue, Nov 14, 2006 at 10:42:12PM +0100, Simon Ruderich wrote: > I'm trying to compile GnuPG 2.0 with Mac OS X. But I'm already > failing with compiling libgpg-error-1.4. > ./configure works but when I run make the following error is > displayed and make fails: ... Have you looked at the darwinports localization for GnuPG? My rather-outdated tree expects gnupg 1.4.1, but I note that its Portfile includes this bit: configure.args --mandir=${prefix}/share/man \ [...] --with-libintl-prefix=${prefix} \ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ [...] Perhaps you're hitting a libintl provided by Apple, which perhaps doesn't behave as expected, even if configure thinks it's okay? -- gabriel rosenkoetter gr@eclipsed.net -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20061116/312a3d86/attachment.pgp From rjh at sixdemonbag.org Fri Nov 17 02:40:58 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri Nov 17 02:38:51 2006 Subject: OpenPGP Card implementation In-Reply-To: <200611170117.kAH1Ho0R014786@vulcan.xs4all.nl> References: <200611170117.kAH1Ho0R014786@vulcan.xs4all.nl> Message-ID: <455D132A.5030902@sixdemonbag.org> The first bit of this is to Janusz; the second is to Johan. Janusz A. Urbanowicz wrote: > Do you mean that if I did get some VC funding for design of open > crypto smartcard targeted for OpenPGP use and then published it (as a > part of the business plan) I would get sued? You're asking computer and crypto geeks a legal question. You have as much chance of getting a good answer as walking into a meeting of the American Bar Association and asking them about the differences between PKCS1-1.5 and PKCS1-2.1. If you need a legal opinion, you should ask a qualified lawyer. Please do not trust any legal opinions you get from internet sources. Johan Wevers wrote: > No author known means noone to sue. This is factually wrong. No author known just means the author has to be discovered. The legal system offers ample tools to do just that. Subpoenas are routinely issued by courts precisely so potential litigants can discover whom to name in a lawsuit. Do not believe that you can remain anonymous for long if a major corporation or government wishes to find you out. The best way to remain anonymous is to avoid coming to the notice of those whom you wish to be unaware of your existence--not to tweak their nose and say "nyah, nyah, you can't find me". From dshaw at jabberwocky.com Fri Nov 17 06:00:37 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Nov 17 06:04:43 2006 Subject: Problem compiling libgpg-error-1.4 with Mac OS X In-Reply-To: <87r6w3jf6k.fsf@wheatstone.g10code.de> References: <9AE73FDA-D9BC-48E7-9608-59D31FD86FC7@ruderich.com> <87r6w3jf6k.fsf@wheatstone.g10code.de> Message-ID: <20061117050037.GB3151@jabberwocky.com> On Thu, Nov 16, 2006 at 09:43:15PM +0100, Werner Koch wrote: > On Tue, 14 Nov 2006 22:42, simon@ruderich.com said: > > > failing with compiling libgpg-error-1.4. > > ./configure works but when I run make the following error is > > displayed and make fails: > > Sorry, I have no experience with MAx OS X and its fat binaries. > Without a testing box at hand it is hadr to guess the problem. > > Given that Mac OS X is a Unix system we will add patches if required. I did some digging on this, and it seems the problem is that configure (specifically, the tests in gettext.m4) looks for libintl.h to determine if libintl exists. On OS X, it doesn't find libintl.h (so it builds the included copy) but in fact libintl does exist on OS X. The end result is that it tries to link libintl in twice and fails because the doubled symbols. This is not a GPG specific problem, and I wonder if a more up to date version of the gettext code would resolve this. David From dshaw at jabberwocky.com Fri Nov 17 06:02:49 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Nov 17 06:06:24 2006 Subject: Problem compiling libgpg-error-1.4 with Mac OS X In-Reply-To: <87r6w3jf6k.fsf@wheatstone.g10code.de> References: <9AE73FDA-D9BC-48E7-9608-59D31FD86FC7@ruderich.com> <87r6w3jf6k.fsf@wheatstone.g10code.de> Message-ID: <20061117050249.GC3151@jabberwocky.com> On Thu, Nov 16, 2006 at 09:43:15PM +0100, Werner Koch wrote: > On Tue, 14 Nov 2006 22:42, simon@ruderich.com said: > > > failing with compiling libgpg-error-1.4. > > ./configure works but when I run make the following error is > > displayed and make fails: > > Sorry, I have no experience with MAx OS X and its fat binaries. > Without a testing box at hand it is hadr to guess the problem. I should add also that a temporary workaround if you don't need the translations is to build with --disable-nls. David From yamaoka at jpl.org Fri Nov 17 06:56:41 2006 From: yamaoka at jpl.org (Katsumi Yamaoka) Date: Fri Nov 17 06:58:11 2006 Subject: pinentry doesn't work with gpg-agent Message-ID: Hi, I started using GnuPG 2.0.0. That works great except one thing. echo test.|gpg2 --clearsign|gpg2 --verify This test passes if I don't run gpg-agent or I unset GPG_AGENT_INFO as follows: GPG_AGENT_INFO='' echo test.|gpg2 --clearsign|gpg2 --verify At that time pinentry prompts me for a passphrase, and echoes an asterisk in the window every time I enter a letter. However, if I run gpg-agent, pinentry appears but I cannot enter a passphrase. It echoes no asterisk in the window whatever I type a letter, and then signing fails. Does anyone know what I overlooked? I installed the following packages by performing ``./configure; make; make install'' in the Fedora Core 6 Linux system, which runs the metacity window manager. ftp://ftp.gnu.org/gnu/pth/pth-2.0.7.tar.gz ftp://ftp.gnupg.org/gcrypt/libassuan/libassuan-1.0.0.tar.bz2 ftp://ftp.gnupg.org/gcrypt/libksba/libksba-1.0.0.tar.bz2 ftp://ftp.gnupg.org/gcrypt/pinentry/pinentry-0.7.2.tar.gz ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.0.0.tar.bz2 pinentry is a symlink to pinentry-gtk-2. The way to run gpg-agent is to put the following snipet in the ~/.Xclients file. --8<---------------cut here---------------start------------->8--- if test -z `ps x | grep gpg-agent|grep -v grep`; then gpg-agent --daemon --write-env-file fi . $HOME/.gpg-agent-info; export GPG_AGENT_INFO --8<---------------cut here---------------end--------------->8--- Thanks in advance. From wk at gnupg.org Fri Nov 17 09:39:05 2006 From: wk at gnupg.org (Werner Koch) Date: Fri Nov 17 09:42:03 2006 Subject: Problem compiling libgpg-error-1.4 with Mac OS X In-Reply-To: <20061117050037.GB3151@jabberwocky.com> (David Shaw's message of "Fri\, 17 Nov 2006 00\:00\:37 -0500") References: <9AE73FDA-D9BC-48E7-9608-59D31FD86FC7@ruderich.com> <87r6w3jf6k.fsf@wheatstone.g10code.de> <20061117050037.GB3151@jabberwocky.com> Message-ID: <87u00yii1i.fsf@wheatstone.g10code.de> On Fri, 17 Nov 2006 06:00, dshaw@jabberwocky.com said: > This is not a GPG specific problem, and I wonder if a more up to date > version of the gettext code would resolve this. I hesitate to update gettext because in the past this has led to some problems on other platforms. However, for GnuPG 2 it should not be a problem becuase the commonly used platforms come with a newer gettext anyway. I'll give it a try for the next release. Salam-Shalom, Werner From ivalladolidt at terra.es Fri Nov 17 11:26:38 2006 From: ivalladolidt at terra.es (Ismael Valladolid Torres) Date: Fri Nov 17 11:45:19 2006 Subject: gnupg 2.0 // compile on cygwin ? In-Reply-To: <20061116193106.77101DA84B@mailserver8.hushmail.com> References: <20061116193106.77101DA84B@mailserver8.hushmail.com> Message-ID: <20061117102637.GA1728@gmail.com> vedaal@hush.com escribe: > can gnupg 2.o be set up in cygwin using cygwin's gcc compiler ? Haven't you tried? Cordially, Ismael -- Ismael Valladolid Torres "Il est vain de pleurer sur l'esprit, il suffit de travailler pour lui." Albert Camus http://digitrazos.info/ http://lamediahostia.blogspot.com/ OpenPGP key ID: 0xDE721AF4 http://www.hispasonic.com/foro73.html Jabber ID: ivalladt@jabberes.org From alex at bofh.net.pl Fri Nov 17 13:02:34 2006 From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Fri Nov 17 13:00:49 2006 Subject: OpenPGP Card implementation In-Reply-To: <200611170117.kAH1Ho0R014786@vulcan.xs4all.nl> References: <20061115111332.GF12190@hell.pl> <200611170117.kAH1Ho0R014786@vulcan.xs4all.nl> Message-ID: <20061117120233.GA6500@hell.pl> On Fri, Nov 17, 2006 at 02:17:50AM +0100, Johan Wevers wrote: > Janusz A. Urbanowicz wrote: > > >Do you mean that if I did get some VC funding for design of open > >crypto smartcard targeted for OpenPGP use and then published it (as a > >part of the business plan) I would get sued? > > Then publish it anonymously. Most TV card hack software is also published > anonymously, and programs like dvdshrink (too bad it doesn't come with > sourcecode) and FairUse4WM too. No author known means noone to sue. In the theoretical scenario I presented this is unfeasible. > >For exactly what? > > Companies don't need a valid legal reason to do that as long as they > think you can't afford the lawsuit for long. The scientology method > to use the legal system to sue someone into bancrupcy as default > strategy is something that almost all companies use against individuals. I know all that, but I hoped to learn what exactsly would likely be named the lawsuit in this case. But this is getting more and more OT. Alex -- JID: alex@hell.pl PGP: 0x46399138 od zwracania uwagi na detale s? lekarze, adwokaci, programi?ci i zegarmistrze -- Czerski From eleuteri at myrealbox.com Fri Nov 17 18:56:02 2006 From: eleuteri at myrealbox.com (David Picon Alvarez) Date: Fri Nov 17 18:54:01 2006 Subject: Spanish ID card Message-ID: <000501c70a71$a557ded0$0302a8c0@enterprise> Hello, Can anyone inform me if gpg will atl all work with the new Spanish electronic ID card? The official site for it is http://www.dnielectronico.es but I don't know if they have anything but a Spanish version. It would be nice to be able to sign and encrypt using a familiar program. --David. From JPClizbe at tx.rr.com Fri Nov 17 21:25:29 2006 From: JPClizbe at tx.rr.com (John Clizbe) Date: Fri Nov 17 21:24:45 2006 Subject: Spanish ID card In-Reply-To: <000501c70a71$a557ded0$0302a8c0@enterprise> References: <000501c70a71$a557ded0$0302a8c0@enterprise> Message-ID: <455E1AB9.1030003@tx.rr.com> David Picon Alvarez wrote: > Hello, > > Can anyone inform me if gpg will atl all work with the new Spanish > electronic ID card? The official site for it is http://www.dnielectronico.es > but I don't know if they have anything but a Spanish version. It would be > nice to be able to sign and encrypt using a familiar program. Hola David, A quick scan of Guia de Referencia Basica (http://www.dnielectronico.es/PDFs/Guia_de_referencia_basica_v1.0.pdf) confirms what I had initially thought: It is a X.509v3 based system. You'll need the card specific PKCS#11 library (Crytographic Service Provider in Windows parlance) and a reader and you should be able to use the card with most modern browsers and email programs:eg, IE/OE/Outlook, Firefox/Thunderbird/Seamonkey. There may be others, but those are the ones I deal with on Windows platforms. Info on the CSP is at www.dnielectronico.es/descargas/ Since you're using Windows, for email signing you'll be limited to S/MIME unless use use a Smart Card-enabled application such as a modern release of PGP which allows the use of a X.509 certificate to make an OpenPGP signature. (The keys on the cards are RSA). If my Spanish wasn't so rusty I could probably give you some better answers. -- John P. Clizbe Inet: JPClizbe(a)tx DOT rr DOT con Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 663 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20061117/6d687313/signature-0001.pgp From peter at digitalbrains.com Sat Nov 18 21:02:36 2006 From: peter at digitalbrains.com (Peter Lebbing) Date: Sat Nov 18 21:01:17 2006 Subject: OpenPGP Card implementation In-Reply-To: <455BA2C4.4000302@py-soft.co.uk> References: <200611141206.kAEC62et025194@vulcan.xs4all.nl> <4559B6E9.3030702@excelcia.org> <4559D418.7010805@py-soft.co.uk> <455BA18D.1010109@py-soft.co.uk> <455BA2C4.4000302@py-soft.co.uk> Message-ID: <455F66DC.2020503@digitalbrains.com> Perhaps this is more a discussion for gnupg-devel or even not a gnupg mailing list at all? I have a question regarding the current OpenPGP Card for Werner: does it blind RSA calculations? If not, is there a different firewall against using power analysis to obtain the secret key? Benjamin Donnachie wrote: > Alternatively, this link raises some interesting possibilities - > http://www.elecdesign.com/Articles/Index.cfm?AD=1&ArticleID=6412 > > Some people might even like the "retro" feeling that a PIC hanging off > the end out give! :-) > ... and so it SOSSE - Simple Operating System for Smartcard > Education[1] A 16C84 has 68 bytes RAM, only 1 data register, 0,25 MIPS per MHz and no hardware multiply instruction. A probably completely impossible basis for RSA calculations. I was more thinking along the line of the AT Mega Funcard with an Atmel ATmega161 or -163, with 1 KiB RAM, 32 registers, 1 MIPS per MHz and 8x8 multiply instruction (with 0,5 million multiplications per second per MHz), or possibly the SuperPIC Zen with PIC18F452: 1,5 KiB RAM, 1 data register, 1 MIPS per MHz and 8x8 multiply with 1 million multiplications per second per MHz. My personal preference goes to the Atmel, just a more pleasant platform imo; the lower multiplication speed might be compensated by other factors, or maybe not. Also, the ATmega Funcards are much easier to come by than the SuperPIC Zen. The lack of RNG might be a problem: obviously you need randomness for key generation; but you could choose to omit this feature (and just not be fully OpenPGP compliant) and still use the card effectively. However, it greatly improves secret key secrecy when RSA calculations are blinded, and that requires randomness as well. It might be possible to obtain reasonable randomness; and if not, a non-blinded RSA card is imho at least more secure than a private key file with a passphrase: for the file, access to the computer, be it local or remote, plus the passphrase is required to learn the secret key. For the card, *physical* access to the card and the passphrase are required to be able to obtain the secret key. The nice property that a key cannot be copied from the card is lost, though, without blinding. SOSSE is a nice starting ground for development; however, as this is a security product, I think one should rewrite large parts of it with constantly keeping security in mind. SOSSE is developed as an educational platform, not a crypto provider. I think, if you audited SOSSE code for security, you have more chance of overseeing a weakness than if you wrote completely new code. I'm not touching legality with a 40-feet pole, by the way :). Peter. From benjamin at py-soft.co.uk Sun Nov 19 01:26:09 2006 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Sun Nov 19 01:23:19 2006 Subject: OpenPGP Card implementation In-Reply-To: <455F66DC.2020503@digitalbrains.com> References: <200611141206.kAEC62et025194@vulcan.xs4all.nl> <4559B6E9.3030702@excelcia.org> <4559D418.7010805@py-soft.co.uk> <455BA18D.1010109@py-soft.co.uk> <455BA2C4.4000302@py-soft.co.uk> <455F66DC.2020503@digitalbrains.com> Message-ID: <455FA4A1.6080400@py-soft.co.uk> Peter Lebbing wrote: > Perhaps this is more a discussion for gnupg-devel or even not a gnupg > mailing list at all? I've set up a separate mailing list - open-openpgp-card. See http://www.py-soft.co.uk/mailman/listinfo/open-openpgp-card to join. > I have a question regarding the current OpenPGP Card for Werner: does it > blind RSA calculations? If not, is there a different firewall against > using power analysis to obtain the secret key? From wk at gnupg.org Sun Nov 19 18:17:34 2006 From: wk at gnupg.org (Werner Koch) Date: Sun Nov 19 18:21:56 2006 Subject: Spanish ID card In-Reply-To: <000501c70a71$a557ded0$0302a8c0@enterprise> (David Picon Alvarez's message of "Fri\, 17 Nov 2006 18\:56\:02 +0100") References: <000501c70a71$a557ded0$0302a8c0@enterprise> Message-ID: <87y7q7cq4x.fsf@wheatstone.g10code.de> On Fri, 17 Nov 2006 18:56, eleuteri@myrealbox.com said: > Can anyone inform me if gpg will atl all work with the new Spanish > electronic ID card? The official site for it is http://www.dnielectronico.es > but I don't know if they have anything but a Spanish version. It would be > nice to be able to sign and encrypt using a familiar program. Get me a test card and I will likely be able to implement at least a mode to use it for ssh authentication. The Belgian cards works fine. If it is a pkcs#15 card only a few tweaks in app-p15 are required. Salam-Shalom, Werner From s_angelov at filibeto.org Sun Nov 19 17:46:36 2006 From: s_angelov at filibeto.org (Stoyan Angelov) Date: Sun Nov 19 19:24:33 2006 Subject: problem building libassuan + pth Message-ID: <45608A6C.4040101@filibeto.org> hello all, i am trying to build gnupg 2.0 on Solaris 10 (x86) but i have some problems building the libassuan library with the required pth support. pth itself builds and installs without problems (i use pth 2.0.7 and all 'make test' test pass successfully) however when i use the configure script for libassuan i get: checking for PTH - version >= 1.3.7... yes checking whether PTH installation is sane... no checking the config.log output i see the following: configure:3633: checking whether PTH installation is sane configure:3662: gcc -o conftest -g -O2 -Wall -Wcast-align -Wshadow -Wstrict-prototypes -I/usr/local/include -L /usr/local/lib conftest.c -lpth >&5 conftest.c:22: warning: function declaration isn't a prototype /usr/local/lib/libpth.so: undefined reference to `recv' /usr/local/lib/libpth.so: undefined reference to `connect' /usr/local/lib/libpth.so: undefined reference to `recvfrom' /usr/local/lib/libpth.so: undefined reference to `accept' /usr/local/lib/libpth.so: undefined reference to `sendto' /usr/local/lib/libpth.so: undefined reference to `getsockopt' collect2: ld returned 1 exit status configure:3668: $? = 1 configure: failed program was: | /* confdefs.h. */ | | #define PACKAGE_NAME "libassuan" | #define PACKAGE_TARNAME "libassuan" | #define PACKAGE_VERSION "1.0.0" | #define PACKAGE_STRING "libassuan 1.0.0" | #define PACKAGE_BUGREPORT "bug-libassuan@gnupg.org" | #define PACKAGE "libassuan" | #define VERSION "1.0.0" | #define _GNU_SOURCE 1 | #define PACKAGE "libassuan" | #define VERSION "1.0.0" | #define PACKAGE_BUGREPORT "bug-libassuan@gnupg.org" | #define _XOPEN_SOURCE 500 | #define _XOPEN_SOURCE_EXTENDED 1 | #define __EXTENSIONS__ 1 | /* end confdefs.h. */ | #include | | int | main () | { | pth_init (); | ; | return 0; | } configure:3700: result: no can anyone help with this issue ? geetings, Stoyan From pessoa at angulosolido.pt Mon Nov 20 00:47:42 2006 From: pessoa at angulosolido.pt (Pedro Pessoa) Date: Mon Nov 20 00:46:38 2006 Subject: Failure to sign with gpgsm In-Reply-To: <87irhfrgv8.fsf@wheatstone.g10code.de> References: <200611102239.02554.pessoa@angulosolido.pt> <200611160015.41694.pessoa@angulosolido.pt> <87irhfrgv8.fsf@wheatstone.g10code.de> Message-ID: <200611192347.42619.pessoa@angulosolido.pt> Fixed. Details ahead. On Thursday 16 November 2006 07:27, Werner Koch wrote: > On Thu, 16 Nov 2006 01:15, pessoa@angulosolido.pt said: > > Nope, still the same error: > > gpgsm: error creating signature: No value > > It would be helpfukl to see the actual output. If you don't want that > to appear on a public list, send it me by private mail. After showing the certification chain to Werner, the error source was identified (gpgsm --dump-chain YOUR_KEY_ID). The root CA I'm using is bogus because its missing a basic contraint: chainLength: [none] However this did not showed up on gpgsm --dump-cert --with-validation. I said certificate was good. The workaround is to look up the fingerprint (sha1_fpr) of the offending key. In the case of /CN=GTE CyberTrust Global Root/OU=GTE CyberTrust Solutions, Inc./O=GTE Corporation/C=US the fingerprint is 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74 And the making sure that ~/.gnupg/trustlist.txt contains this line: 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74 S relax which tells to ignore the fact that chainLength is not a number nor "unlimited" like it should. BTW, this does not work with gnupg <= 1.9.16. In fact, I went through to version 2.0.0. There it works! Just a side note, I had to use just one character for my passphrase that protects the imported certificate, because anything longer would fail the check afterwards during retrieval. I didn't gave it too much attention yet... Werner, thanks a lot for your help! Pedro -- Angulo S?lido - Tecnologias de Informa??o http://angulosolido.pt From kfitzner at excelcia.org Mon Nov 20 08:06:04 2006 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Mon Nov 20 08:04:23 2006 Subject: Outcome of the Logo Ballot In-Reply-To: <87ac2rpj95.fsf@wheatstone.g10code.de> References: <87ac2rpj95.fsf@wheatstone.g10code.de> Message-ID: <456153DC.7040304@excelcia.org> Werner Koch wrote: > To come to a decision, I have setup a new ballot using Condorcet > voting at the the CIVS service. Vote cast. I was impressed with the variety of submissions. I'm not sure if you want discussion of the entries, so I won't at this point, but I'm eagerly awaiting the results. I've been working on GPGee again lately, and I'm looking forward to putting the winner somewhere in the program (I assume this will be allowed for GPG support programs and GUI's to do). Kurt. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 305 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20061120/d1e8f05c/signature.pgp From dougb at dougbarton.us Mon Nov 20 09:05:21 2006 From: dougb at dougbarton.us (Doug Barton) Date: Mon Nov 20 09:03:25 2006 Subject: problem building libassuan + pth In-Reply-To: <45608A6C.4040101@filibeto.org> References: <45608A6C.4040101@filibeto.org> Message-ID: <456161C1.20605@dougbarton.us> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Stoyan Angelov wrote: > hello all, > > i am trying to build gnupg 2.0 on Solaris 10 (x86) but i have some > problems building the libassuan library with the required pth support. > pth itself builds and installs without problems (i use pth 2.0.7 and all > 'make test' test pass successfully) however when i use the configure > script for libassuan i get: > > checking for PTH - version >= 1.3.7... yes > checking whether PTH installation is sane... no For reasons I don't fully understand (read, didn't take the time to thoroughly investigate) it was necessary for me to add the following to the environment for configure in order to get libassuan version 1.0.0 to compile on FreeBSD: CFLAGS="${CFLAGS} -I${LOCALBASE}/include/pth" LDFLAGS="${LDFLAGS} -L${LOCALBASE}/lib/pth" where "LOCALBASE" is generally defined as /usr/local. hth, Doug - -- If you're never wrong, you're not trying hard enough -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.0 (FreeBSD) iD8DBQFFYWHAyIakK9Wy8PsRAgDYAJ49GfaIutEPwREs1KycK5TgQut55gCgsF7/ ewELDVkqf+tqmqemJtRw2UY= =NFmU -----END PGP SIGNATURE----- From s_angelov at filibeto.org Mon Nov 20 10:35:30 2006 From: s_angelov at filibeto.org (Stoyan Angelov) Date: Mon Nov 20 10:48:52 2006 Subject: problem building libassuan + pth In-Reply-To: <456161C1.20605@dougbarton.us> References: <45608A6C.4040101@filibeto.org> <456161C1.20605@dougbarton.us> Message-ID: <456176E2.5020402@filibeto.org> Doug Barton wrote: > Stoyan Angelov wrote: >> hello all, >> >> i am trying to build gnupg 2.0 on Solaris 10 (x86) but i have some >> problems building the libassuan library with the required pth support. >> pth itself builds and installs without problems (i use pth 2.0.7 and all >> 'make test' test pass successfully) however when i use the configure >> script for libassuan i get: >> >> checking for PTH - version >= 1.3.7... yes >> checking whether PTH installation is sane... no > > For reasons I don't fully understand (read, didn't take the time to > thoroughly investigate) it was necessary for me to add the following > to the environment for configure in order to get libassuan version > 1.0.0 to compile on FreeBSD: > > CFLAGS="${CFLAGS} -I${LOCALBASE}/include/pth" > LDFLAGS="${LDFLAGS} -L${LOCALBASE}/lib/pth" > > where "LOCALBASE" is generally defined as /usr/local. > > hth, > > Doug > hello Doug, i tried running ./configure with explicitly set CFLAGS and LDFLAGS variables, however the result is the same. from an earlier config.log file i can see that paths were already guessed correctly. i also run the configure script with the --with-pth-prefix=/usr/local option. greetings, Stoyan From brunij at earthlink.net Mon Nov 20 23:58:39 2006 From: brunij at earthlink.net (Joseph Oreste Bruni) Date: Mon Nov 20 23:57:01 2006 Subject: Problem compiling libgpg-error-1.4 with Mac OS X In-Reply-To: <87r6w3jf6k.fsf@wheatstone.g10code.de> References: <9AE73FDA-D9BC-48E7-9608-59D31FD86FC7@ruderich.com> <87r6w3jf6k.fsf@wheatstone.g10code.de> Message-ID: <4CF851DC-A595-415C-BAAA-2A09FBB7987F@earthlink.net> On Nov 16, 2006, at 1:43 PM, Werner Koch wrote: > On Tue, 14 Nov 2006 22:42, simon@ruderich.com said: > >> failing with compiling libgpg-error-1.4. >> ./configure works but when I run make the following error is >> displayed and make fails: > > Sorry, I have no experience with MAx OS X and its fat binaries. > Without a testing box at hand it is hadr to guess the problem. > > Given that Mac OS X is a Unix system we will add patches if required. > > > Salam-Shalom, > > Werner Building a universal binary is as easy as specifying "-arch ppc -arch i386" to both the compile and link phases. GCC takes care of the rest. If the -arch is not specified, it will default to building only for the architecture of the host. For most packages configured by autoconf, I simply define the CFLAGS and LDFLAGS variables with the above values. Joe -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2508 bytes Desc: not available Url : /pipermail/attachments/20061120/58fabcd7/smime-0001.bin From dshaw at jabberwocky.com Tue Nov 21 01:10:16 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Nov 21 01:09:46 2006 Subject: Problem compiling libgpg-error-1.4 with Mac OS X In-Reply-To: <4CF851DC-A595-415C-BAAA-2A09FBB7987F@earthlink.net> References: <9AE73FDA-D9BC-48E7-9608-59D31FD86FC7@ruderich.com> <87r6w3jf6k.fsf@wheatstone.g10code.de> <4CF851DC-A595-415C-BAAA-2A09FBB7987F@earthlink.net> Message-ID: <20061121001016.GA12506@jabberwocky.com> On Mon, Nov 20, 2006 at 03:58:39PM -0700, Joseph Oreste Bruni wrote: > > On Nov 16, 2006, at 1:43 PM, Werner Koch wrote: > > >On Tue, 14 Nov 2006 22:42, simon@ruderich.com said: > > > >>failing with compiling libgpg-error-1.4. > >>./configure works but when I run make the following error is > >>displayed and make fails: > > > >Sorry, I have no experience with MAx OS X and its fat binaries. > >Without a testing box at hand it is hadr to guess the problem. > > > >Given that Mac OS X is a Unix system we will add patches if required. > > > > > >Salam-Shalom, > > > > Werner > > Building a universal binary is as easy as specifying "-arch ppc -arch > i386" to both the compile and link phases. GCC takes care of the > rest. If the -arch is not specified, it will default to building only > for the architecture of the host. That's generally true for most programs, but crypto programs in particular tend to be different. Crypto very often contains endian-specific code for performance reasons, and thus someone building a fat binary needs to take care they don't end up with big endian code on an Intel Mac, or little endian code on a PPC Mac. GnuPG (at least 1.4.x) can be built "fat", and there are special options in configure to handle the endianness issue (see the README file). Still, the original problem reported with libgpg-error-1.4 is not related to building fat or not. The package doesn't yet compile at all. David From wk at gnupg.org Tue Nov 21 08:56:11 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Nov 21 09:02:05 2006 Subject: problem building libassuan + pth In-Reply-To: <45608A6C.4040101@filibeto.org> (Stoyan Angelov's message of "Sun\, 19 Nov 2006 18\:46\:36 +0200") References: <45608A6C.4040101@filibeto.org> Message-ID: <87ac2l6xno.fsf@wheatstone.g10code.de> On Sun, 19 Nov 2006 17:46, s_angelov@filibeto.org said: > checking for PTH - version >= 1.3.7... yes > checking whether PTH installation is sane... no The tests did not include the --all flags for pth-config and thus it fails for systems requiring -lsocket or similar. Will be fixed in the next release. As a workaround you you should diff the output of pth-config --libs pth-config --libs --all and add the extra libs on the command linle like ./configure LIBS="-ldl -lnsl" Shalom-Salam, Werner From s_angelov at filibeto.org Tue Nov 21 10:51:16 2006 From: s_angelov at filibeto.org (Stoyan Angelov) Date: Tue Nov 21 11:04:37 2006 Subject: problem building libassuan + pth In-Reply-To: <87ac2l6xno.fsf@wheatstone.g10code.de> References: <45608A6C.4040101@filibeto.org> <87ac2l6xno.fsf@wheatstone.g10code.de> Message-ID: <4562CC14.2050301@filibeto.org> Werner Koch wrote: > On Sun, 19 Nov 2006 17:46, s_angelov@filibeto.org said: > >> checking for PTH - version >= 1.3.7... yes >> checking whether PTH installation is sane... no > > The tests did not include the --all flags for pth-config and thus it > fails for systems requiring -lsocket or similar. Will be fixed in the > next release. > > As a workaround you you should diff the output of > > pth-config --libs > pth-config --libs --all > > and add the extra libs on the command linle like > > ./configure LIBS="-ldl -lnsl" > > Shalom-Salam, > > Werner > hello Werner, thank you for your answer! adding LIBS="-ldl -lsocket -lnsl" to configure as you suggested fixed the problem and libassuan is now successfully build with pth support. i had a similar problem with gnupg 2.0 - adding LIBS="-ldl -lsocket -lnsl" to configure does not work as with libassuan, so i had to change the configure script itself: 6290c6290 < LIBS="$LIBS `$PTH_CONFIG --libs`" --- > LIBS="$LIBS `$PTH_CONFIG --libs --all`" now "configure" finishes successfully but when i use "make" i get the following error: gcc -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -g -O2 -Wall -Wno-pointer-sign -o gpg2 gpg.o build-packet.o compress.o compress-bz2.o free-packet.o getkey.o keydb.o keyring.o seskey.o kbnode.o mainproc.o armor.o mdfilter.o textfilter.o progress.o misc.o openfile.o keyid.o parse-packet.o status.o plaintext.o sig-check.o keylist.o pkglue.o pkclist.o skclist.o pubkey-enc.o passphrase.o seckey-cert.o encr-data.o cipher.o encode.o sign.o verify.o revoke.o decrypt.o keyedit.o dearmor.o import.o export.o trustdb.o tdbdump.o tdbio.o delkey.o keygen.o helptext.o keyserver.o photoid.o call-agent.o card-util.o exec.o -L/usr/local/lib -lgcrypt -L/usr/local/lib -lgpg-error ../gl/libgnu.a ../common/libcommon.a ../jnlib/libjnlib.a ../common/libgpgrl.a -lz -lbz2 -lresolv -lreadline ../intl/libintl.a -liconv -lsocket -lnsl -L/usr/local/lib -lassuan -L/usr/local/lib -lgpg-error ../common/libcommon.a(libcommon_a-asshelp.o): In function `send_one_option': /root/gnupg-2.0.0/common/asshelp.c:46: undefined reference to `asprintf' collect2: ld returned 1 exit status make[2]: *** [gpg2] Error 1 make[2]: Leaving directory `/root/gnupg-2.0.0/g10' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/root/gnupg-2.0.0' make: *** [all] Error 2 greetings, Stoyan From wk at gnupg.org Tue Nov 21 12:21:41 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Nov 21 12:26:57 2006 Subject: problem building libassuan + pth In-Reply-To: <4562CC14.2050301@filibeto.org> (Stoyan Angelov's message of "Tue\, 21 Nov 2006 11\:51\:16 +0200") References: <45608A6C.4040101@filibeto.org> <87ac2l6xno.fsf@wheatstone.g10code.de> <4562CC14.2050301@filibeto.org> Message-ID: <871wnx59kq.fsf@wheatstone.g10code.de> On Tue, 21 Nov 2006 10:51, s_angelov@filibeto.org said: > ../common/libcommon.a(libcommon_a-asshelp.o): In function `send_one_option': > /root/gnupg-2.0.0/common/asshelp.c:46: undefined reference to `asprintf' Has a asprintf.o been built in in ../gl/ ? Please check the g10/Makefile has a definition for LIBOBJS which includes the asprintf.o Shalom-Salam, Werner From s_angelov at filibeto.org Tue Nov 21 13:34:14 2006 From: s_angelov at filibeto.org (Stoyan Angelov) Date: Tue Nov 21 13:47:38 2006 Subject: problem building libassuan + pth In-Reply-To: <871wnx59kq.fsf@wheatstone.g10code.de> References: <45608A6C.4040101@filibeto.org> <87ac2l6xno.fsf@wheatstone.g10code.de> <4562CC14.2050301@filibeto.org> <871wnx59kq.fsf@wheatstone.g10code.de> Message-ID: <4562F246.9080402@filibeto.org> Werner Koch wrote: > On Tue, 21 Nov 2006 10:51, s_angelov@filibeto.org said: > >> ../common/libcommon.a(libcommon_a-asshelp.o): In function `send_one_option': >> /root/gnupg-2.0.0/common/asshelp.c:46: undefined reference to `asprintf' > > Has a asprintf.o been built in in ../gl/ ? > > Please check the g10/Makefile has a definition for LIBOBJS which > includes the asprintf.o > > > Shalom-Salam, > > Werner > hello Werner, asprintf.o builds ok in the ../gl directory. i have checked the g10/Makefile - it does include a line for LIBOBJS: LIBOBJS = mkdtemp$U.o vasnprintf$U.o printf-args$U.o printf-parse$U.o asnprintf$U.o vasprintf$U.o asprintf$U.o greetings, Stoyan From wk at gnupg.org Tue Nov 21 15:51:47 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Nov 21 15:56:48 2006 Subject: problem building libassuan + pth In-Reply-To: <4562F246.9080402@filibeto.org> (Stoyan Angelov's message of "Tue\, 21 Nov 2006 14\:34\:14 +0200") References: <45608A6C.4040101@filibeto.org> <87ac2l6xno.fsf@wheatstone.g10code.de> <4562CC14.2050301@filibeto.org> <871wnx59kq.fsf@wheatstone.g10code.de> <4562F246.9080402@filibeto.org> Message-ID: <87slgc3la4.fsf@wheatstone.g10code.de> Hi, sorry, my fault. We are using a libgnu.a and not individual libobjs. However the order of the libs is wrong. Here is the fix --- g10/Makefile.am (revision 4341) +++ g10/Makefile.am (working copy) @@ -29,7 +29,7 @@ AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(LIBASSUAN_CFLAGS) $(GPG_ERROR_CFLAGS) -needed_libs = ../gl/libgnu.a ../common/libcommon.a ../jnlib/libjnlib.a +needed_libs = ../common/libcommon.a ../jnlib/libjnlib.a ../gl/libgnu.a bin_PROGRAMS = gpg2 gpgv2 Shalom-Salam, Werner From s_angelov at filibeto.org Tue Nov 21 16:46:12 2006 From: s_angelov at filibeto.org (Stoyan Angelov) Date: Tue Nov 21 16:59:42 2006 Subject: problem building libassuan + pth In-Reply-To: <87slgc3la4.fsf@wheatstone.g10code.de> References: <45608A6C.4040101@filibeto.org> <87ac2l6xno.fsf@wheatstone.g10code.de> <4562CC14.2050301@filibeto.org> <871wnx59kq.fsf@wheatstone.g10code.de> <4562F246.9080402@filibeto.org> <87slgc3la4.fsf@wheatstone.g10code.de> Message-ID: <45631F44.4060603@filibeto.org> Werner Koch wrote: > Hi, > > sorry, my fault. We are using a libgnu.a and not individual libobjs. > However the order of the libs is wrong. Here is the fix > > --- g10/Makefile.am (revision 4341) > +++ g10/Makefile.am (working copy) > @@ -29,7 +29,7 @@ > > AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(LIBASSUAN_CFLAGS) $(GPG_ERROR_CFLAGS) > > -needed_libs = ../gl/libgnu.a ../common/libcommon.a ../jnlib/libjnlib.a > +needed_libs = ../common/libcommon.a ../jnlib/libjnlib.a ../gl/libgnu.a > > bin_PROGRAMS = gpg2 gpgv2 > > > > Shalom-Salam, > > Werner > > > hello Werner, sorry to bother you again - i have applied the patch you sent me. i have also modified the g10/Makefile.in otherwise the g10/Makefile was not changed. i run in another problem: gcc -I/usr/local/include -I/usr/local/include -I/usr/local/include -g -O2 -Wall -Wno-pointer-sign -o gpg2keys_ldap gpg2keys_ldap-gpgkeys_ldap.o gpg2keys_ldap-ksutil.o gpg2keys_ldap-no-libgcrypt.o -L/usr/local/lib -lldap -lsocket -lnsl -liconv ../intl/libintl.a -liconv gpg2keys_ldap-gpgkeys_ldap.o: In function `ldap2epochtime': /root/gnupg-2.0.0/keyserver/gpgkeys_ldap.c:199: undefined reference to `timegm' gpg2keys_ldap-gpgkeys_ldap.o: In function `build_attrs': /root/gnupg-2.0.0/keyserver/gpgkeys_ldap.c:367: undefined reference to `strsep' /root/gnupg-2.0.0/keyserver/gpgkeys_ldap.c:376: undefined reference to `strsep' /root/gnupg-2.0.0/keyserver/gpgkeys_ldap.c:388: undefined reference to `strsep' /root/gnupg-2.0.0/keyserver/gpgkeys_ldap.c:403: undefined reference to `strsep' /root/gnupg-2.0.0/keyserver/gpgkeys_ldap.c:421: undefined reference to `strsep' gpg2keys_ldap-gpgkeys_ldap.o:/root/gnupg-2.0.0/keyserver/gpgkeys_ldap.c:435: more undefined references to `strsep' follow collect2: ld returned 1 exit status make[2]: *** [gpg2keys_ldap] Error 1 make[2]: Leaving directory `/root/gnupg-2.0.0/keyserver' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/root/gnupg-2.0.0' make: *** [all] Error 2 From jalmeida at math.ist.utl.pt Tue Nov 21 18:09:34 2006 From: jalmeida at math.ist.utl.pt (Jorge Almeida) Date: Tue Nov 21 19:54:08 2006 Subject: gpg Message-ID: Hello, I've been reading whatever documentation I could find about gpg-agent, but I couldn't get the whole picture yet. Assuming that the gpg-agent daemon is running and some client application needs to encrypt or decrypt something, what happens? As I understood it, the client connects to the socket and gpg-agent tells pinentry to ask for a passphrase, if it doesn't have it yet. Now, the first question is whether the passphrase is kept in locked memory (assuming the OS supports it), i.e, the passphrase is never send to disk or swap. Is this correct? The other question (not independent from the former) is what is (and where is) gpg-agent cache: a directory? containing what? the passphrases for several keys? and are they protected only by the filesystem permissions, or is there a more elaborate setup? The page http://www.gnupg.org/aegypten/ says "GpgAgent that stores passphrases like ssh-agent does", but the truth is that the documentation of ssh-agent is not clearer about these points. Thanks. -- Jorge Almeida From wk at gnupg.org Wed Nov 22 09:09:38 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Nov 22 09:12:21 2006 Subject: problem building libassuan + pth In-Reply-To: <45631F44.4060603@filibeto.org> (Stoyan Angelov's message of "Tue\, 21 Nov 2006 17\:46\:12 +0200") References: <45608A6C.4040101@filibeto.org> <87ac2l6xno.fsf@wheatstone.g10code.de> <4562CC14.2050301@filibeto.org> <871wnx59kq.fsf@wheatstone.g10code.de> <4562F246.9080402@filibeto.org> <87slgc3la4.fsf@wheatstone.g10code.de> <45631F44.4060603@filibeto.org> Message-ID: <87fycb298d.fsf@wheatstone.g10code.de> On Tue, 21 Nov 2006 16:46, s_angelov@filibeto.org said: > sorry to bother you again - i have applied the patch you sent me. i > have also modified the g10/Makefile.in otherwise the g10/Makefile was > not changed. i run in another problem: Yes, changing the Makefile.am requires all the autotools and they need to be pretty recent. > gpg2keys_ldap-gpgkeys_ldap.o: In function `build_attrs': > /root/gnupg-2.0.0/keyserver/gpgkeys_ldap.c:367: undefined reference to > `strsep' Here is the next exercise on how to do automake's job by hand: --- keyserver/Makefile.am (revision 4345) +++ keyserver/Makefile.am (working copy) @@ -41,7 +41,7 @@ gpg2keys_ldap_SOURCES = gpgkeys_ldap.c ksutil.c ksutil.h no-libgcrypt.c gpg2keys_ldap_CPPFLAGS = $(LDAP_CPPFLAGS) $(AM_CPPFLAGS) -gpg2keys_ldap_LDADD = $(LDAPLIBS) $(NETLIBS) $(other_libs) +gpg2keys_ldap_LDADD = ../jnlib/libjnlib.a $(LDAPLIBS) $(NETLIBS) $(other_libs) gpg2keys_finger_SOURCES = gpgkeys_finger.c ksutil.c ksutil.h no-libgcrypt.c gpg2keys_finger_CPPFLAGS = $(AM_CPPFLAGS) Salam-Shalom, Werner From wk at gnupg.org Wed Nov 22 09:24:46 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Nov 22 09:26:52 2006 Subject: gpg In-Reply-To: (Jorge Almeida's message of "Tue\, 21 Nov 2006 17\:09\:34 +0000 \(WET\)") References: Message-ID: <87bqmz28j5.fsf@wheatstone.g10code.de> On Tue, 21 Nov 2006 18:09, jalmeida@math.ist.utl.pt said: > Assuming that the gpg-agent daemon is running and some client > application needs to encrypt or decrypt something, what happens? As I > understood it, the client connects to the socket and gpg-agent tells > pinentry to ask for a passphrase, if it doesn't have it yet. Now, the That is correct for gpg. It is different with gpgsm (and will be for future versions of gpg2): The client (i.e. gpgsm) connects to the agent and ask the agent to decrypt a session key or to sign a hash. Whether the agent then requires a passphrase is solely a decision taken internally by gpg-agent. > first question is whether the passphrase is kept in locked memory > (assuming the OS supports it), i.e, the passphrase is never send to disk > or swap. Is this correct? Right. The passphrase (in all cases: when asking for the passphrase, or when gpg-agent requires it internally) is never stored on disk but kept in a special memory area of gpg-agent ("secure memory"). That memory area is protected from swapping out to disk. However we rely on the OS's kernel not to reveal the content of a pipe. Pipes are used to convey the passphrase from the pinnetry to the agent and to gpg. > The other question (not independent from the former) is what is (and > where is) gpg-agent cache: a directory? containing what? the passphrases > for several keys? and are they protected only by the filesystem > permissions, or is there a more elaborate setup? The cache is only in RAM. It is not encrypted there because you would anyway need to store the decryption key somehere else in RAM. Gpgsm's private keys (X.509 and SSH) are stored on disk. One file per key, all under the directory ~/.gnupg/private-keys-v1.d/. The keys store there are usually encrypted using a passphrase. gpg-agent decrypts the keys on the fly and only keeps them in RAM. To see the structure of these key files, you may use the command /usr/local/libexec/gpg-protect-tool \ ~/.gnupg/private-keys-v1.d/xx[...]xxxx.key The structure is documented in gnupg/agent/keyformat.txt. Shalom-Salam, Werner From jalmeida at math.ist.utl.pt Wed Nov 22 10:05:10 2006 From: jalmeida at math.ist.utl.pt (Jorge Almeida) Date: Wed Nov 22 10:03:31 2006 Subject: gpg In-Reply-To: <87bqmz28j5.fsf@wheatstone.g10code.de> References: <87bqmz28j5.fsf@wheatstone.g10code.de> Message-ID: On Wed, 22 Nov 2006, Werner Koch wrote: >> first question is whether the passphrase is kept in locked memory >> (assuming the OS supports it), i.e, the passphrase is never send to disk >> or swap. Is this correct? > > Right. The passphrase (in all cases: when asking for the passphrase, > or when gpg-agent requires it internally) is never stored on disk but > kept in a special memory area of gpg-agent ("secure memory"). That > memory area is protected from swapping out to disk. > Great. > However we rely on the OS's kernel not to reveal the content of a > pipe. Pipes are used to convey the passphrase from the pinnetry to I suppose Linux does the right thing wrt this issue. Correct? > > The cache is only in RAM. It is not encrypted there because you would > anyway need to store the decryption key somehere else in RAM. > And the cache is also is secure memory, just like the passphrases. Right? Thanks a lot. Jorge From wk at gnupg.org Wed Nov 22 10:22:56 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Nov 22 10:26:45 2006 Subject: gpg In-Reply-To: (Jorge Almeida's message of "Wed\, 22 Nov 2006 09\:05\:10 +0000 \(WET\)") References: <87bqmz28j5.fsf@wheatstone.g10code.de> Message-ID: <87d57fzvgv.fsf@wheatstone.g10code.de> On Wed, 22 Nov 2006 10:05, jalmeida@math.ist.utl.pt said: >> However we rely on the OS's kernel not to reveal the content of a >> pipe. Pipes are used to convey the passphrase from the pinnetry to > > I suppose Linux does the right thing wrt this issue. Correct? Yes, unless there is a bug. > And the cache is also is secure memory, just like the passphrases. Yes. Salam-Shalom, Werner From jalmeida at math.ist.utl.pt Wed Nov 22 11:51:49 2006 From: jalmeida at math.ist.utl.pt (Jorge Almeida) Date: Wed Nov 22 11:49:47 2006 Subject: gpg In-Reply-To: <87d57fzvgv.fsf@wheatstone.g10code.de> References: <87bqmz28j5.fsf@wheatstone.g10code.de> <87d57fzvgv.fsf@wheatstone.g10code.de> Message-ID: :On Wed, 22 Nov 2006, Werner Koch wrote: > On Wed, 22 Nov 2006 10:05, jalmeida@math.ist.utl.pt said: >> I suppose Linux does the right thing wrt this issue. Correct? > > Yes, unless there is a bug. > >> And the cache is also is secure memory, just like the passphrases. > > Yes. > Thanks again. -- Jorge From jalmeida at math.ist.utl.pt Thu Nov 23 10:25:46 2006 From: jalmeida at math.ist.utl.pt (Jorge Almeida) Date: Thu Nov 23 10:24:16 2006 Subject: adding passphrases to gpg-agent Message-ID: Isn't there some way to do for gpg-agent what ssh-add does for ssh-agent? I'm trying to use a unique gpg-agent listening at a standard socket. Unless I'm missing something, the only way I have to provide passphrases to gpg-agent is to try some job (signing something, or whatever) and then give the passphrase when asked for it. But the pinentry-program entry in gpg-agent.conf decides whether I'm supposed to be in an X session or not. (BTW, pinentry-curses didn't work for me. But that's not the real issue.) Is there an alternative? -- Jorge Almeida From wk at gnupg.org Thu Nov 23 11:21:01 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Nov 23 11:26:53 2006 Subject: adding passphrases to gpg-agent In-Reply-To: (Jorge Almeida's message of "Thu\, 23 Nov 2006 09\:25\:46 +0000 \(WET\)") References: Message-ID: <87lkm2ea5u.fsf@wheatstone.g10code.de> On Thu, 23 Nov 2006 10:25, jalmeida@math.ist.utl.pt said: > Isn't there some way to do for gpg-agent what ssh-add does for > ssh-agent? No, gpg-agent works different. If you want to preset a passphrase, you may do so using gpg-preset-passphrase - there is a man page for it. Shalom-Salam, Werner From jalmeida at math.ist.utl.pt Thu Nov 23 11:55:00 2006 From: jalmeida at math.ist.utl.pt (Jorge Almeida) Date: Thu Nov 23 11:52:58 2006 Subject: adding passphrases to gpg-agent In-Reply-To: <87lkm2ea5u.fsf@wheatstone.g10code.de> References: <87lkm2ea5u.fsf@wheatstone.g10code.de> Message-ID: On Thu, 23 Nov 2006, Werner Koch wrote: > On Thu, 23 Nov 2006 10:25, jalmeida@math.ist.utl.pt said: > >> Isn't there some way to do for gpg-agent what ssh-add does for >> ssh-agent? > > No, gpg-agent works different. > > If you want to preset a passphrase, you may do so using > gpg-preset-passphrase - there is a man page for it. > > OK, that seems to do the job (not much different from ssh-add, is it?), judging by the contents of http://www.gnupg.org/documentation/manuals/gnupg/gpg_002dpreset_002dpassphrase.html and http://www.gnupg.org/documentation/manuals/gnupg/Invoking-gpg_002dpreset_002dpassphrase.html#Invoking-gpg_002dpreset_002dpassphrase Now, my system doesn't have such command. I have gnupg 1.4.5 and 1.9.20. (OS is gentoo linux) Is gpg-preset-passphrase new to version 2.0.0? And what about gpgsm --dump-secret-keys, necessary to know the "keygrip" argument of gpg-preset-passphrase? This is what I get: $ gpgsm --dump-secret-keys gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION! gpgsm: It is only intended for test purposes and should NOT be gpgsm: used in a production environment or with production keys! Did I misunderstood something, or is it just that I'm using a package not recent enough? TIA, Jorge Almeida From vini at fugspbr.org Thu Nov 23 04:55:17 2006 From: vini at fugspbr.org (Vini Engel) Date: Thu Nov 23 12:29:59 2006 Subject: Problems to import and export private keys using GnuPG v2. Message-ID: <200611231455.17319.vini@fugspbr.org> Hi guys, I have just installed FC6 with GnuPG v2 and am now having problems to import my previous private keys, funnily the same problems happens if I try to export the key that I generated using gpg2. When I try to import the key I get a message saying that "importing secret keys not allowed" - see below. The same happens if I try to export a private key. $ gpg --import private.pgp gpg: importing secret keys not allowed gpg: Total number processed: 1 gpg: secret keys read: 1 I think I must be missing something very small as importing and exporting keys should be trivial. Would anyone know the solution for this? Thanks a lot, Vini From wk at gnupg.org Thu Nov 23 12:26:28 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Nov 23 13:01:29 2006 Subject: GnuPG 2.0.1rc1 released Message-ID: <87slgacskb.fsf@wheatstone.g10code.de> Hi, I did a release candidate for GnuPG 2.0.1. It fixes the problems on AMD64 as well as on 64 bit platforms. There are also some other build fixes. ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-2.0.1rc1.tar.bz2 ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-2.0.1rc1.tar.bz2.sig You should also get an updated libassuan version: ftp://ftp.gnupg.org/gcrypt/libassuan/libassuan-1.0.1.tar.bz2 ftp://ftp.gnupg.org/gcrypt/libassuan/libassuan-1.0.1.tar.bz2.sig Noteworthy changes in GnuPG: * Experimental support for the PIN pads of the SPR 532 and the Kaan Advanced card readers. Add "disable-keypad" scdaemon.conf if you don't want it. Does currently only work for the OpenPGP card and the authentication and decrypt keys. * Fixed build problems on some some platforms and crashes on amd64. Noteworthy changes in libassuan 1.0.1: * New function: assuan_set_io_monitor. * New function: assuan_register_post_cmd_notify. * Fixed a memory leak. Shalom-Salam, Werner From wk at gnupg.org Thu Nov 23 14:38:33 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Nov 23 14:42:09 2006 Subject: adding passphrases to gpg-agent In-Reply-To: (Jorge Almeida's message of "Thu\, 23 Nov 2006 10\:55\:00 +0000 \(WET\)") References: <87lkm2ea5u.fsf@wheatstone.g10code.de> Message-ID: <87zmaib7vq.fsf@wheatstone.g10code.de> On Thu, 23 Nov 2006 11:55, jalmeida@math.ist.utl.pt said: > OK, that seems to do the job (not much different from ssh-add, is it?), > judging by the contents of ssh-add loads a key into ssh-agent and to dothis it has to ask for the passphrase. gpg-preset-passphrase merely stores a passphrase into gpg-agent's cache. > Now, my system doesn't have such command. I have gnupg 1.4.5 and > 1.9.20. (OS is gentoo linux) Is gpg-preset-passphrase new to version > 2.0.0? No it is arounf for two years or so. BTW, you need to add allow-preset-passphrase to gpg-agent.conf. > $ gpgsm --dump-secret-keys > gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION! > gpgsm: It is only intended for test purposes and should NOT be > gpgsm: used in a production environment or with production keys! > Did I misunderstood something, or is it just that I'm using a package > not recent enough? There is no secret key Shalom-Salam, Werner From wk at gnupg.org Thu Nov 23 14:42:40 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Nov 23 14:46:47 2006 Subject: Problems to import and export private keys using GnuPG v2. In-Reply-To: <200611231455.17319.vini@fugspbr.org> (Vini Engel's message of "Thu\, 23 Nov 2006 14\:55\:17 +1100") References: <200611231455.17319.vini@fugspbr.org> Message-ID: <87vel6b7ov.fsf@wheatstone.g10code.de> On Thu, 23 Nov 2006 04:55, vini@fugspbr.org said: > $ gpg --import private.pgp > gpg: importing secret keys not allowed #ifdef ENABLE_SELINUX_HACKS if (1) { /* We don't allow to import secret keys because that may be used to put a secret key into the keyring and the user might later be tricked into signing stuff with that key. */ log_error (_("importing secret keys not allowed\n")); return 0; } #endif So you used --enable-selinux-support This prevents access to certain files and won't allow import or export of secret keys. with configure. You need to build a second binary without that flag and use that binary to import stuff. Salam-Shalom, Werner From kabads at gmail.com Thu Nov 23 13:19:38 2006 From: kabads at gmail.com (Adam Cripps) Date: Thu Nov 23 14:59:12 2006 Subject: GnuPG 2.0 In-Reply-To: <87slgmwl6n.fsf@wheatstone.g10code.de> References: <1657673143.20061113200325@voyager.net> <87d57rz7ql.fsf@wheatstone.g10code.de> <972ABE9D-5CEC-4B1A-AEA1-03B33305AB23@rotz.org> <87slgmwl6n.fsf@wheatstone.g10code.de> Message-ID: On 11/14/06, Werner Koch wrote: > As soon as there is a financial backing, a real port to Windows can be > done. > > > Shalom-Salam, > > Werner > Would windows users be willing to fund development by contribution? That way, once a threshold of money has been received then someone could start work on the problem. Adam From wk at gnupg.org Thu Nov 23 15:41:03 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Nov 23 15:46:56 2006 Subject: Logo ballot reminder Message-ID: <8764d6b4zk.fsf@wheatstone.g10code.de> Hi, this is a reminder for the logo ballot. All subscribers of the gnupg-users and gnupg-devel lists should have received a mail (unfortunately text/html) with an URL to the ballot page. If you miss such a mail, please let me know and I will resend this mail. As of now only 151 out of 1230 casted their vote. Hurry, the deadline is next Thursday. Salam-Shalom, Werner From gnupg-users at zielgra.de Thu Nov 23 20:24:15 2006 From: gnupg-users at zielgra.de (Michael Jaritz) Date: Thu Nov 23 21:54:10 2006 Subject: Logo ballot reminder References: <8764d6b4zk.fsf@wheatstone.g10code.de> Message-ID: <882dc347eb42f99e0ccab8c59d94a6e8@mj.zielgra.de> Werner Koch schrieb: >this is a reminder for the logo ballot. All subscribers of the >gnupg-users and gnupg-devel lists should have received a mail >(unfortunately text/html) with an URL to the ballot page. If you miss >such a mail, please let me know and I will resend this mail. Please resend it. Michael -- dumdideldu... From boldyrev+nospam at cgitftp.uiggm.nsc.ru Fri Nov 24 05:50:21 2006 From: boldyrev+nospam at cgitftp.uiggm.nsc.ru (Ivan Boldyrev) Date: Fri Nov 24 06:26:50 2006 Subject: adding passphrases to gpg-agent References: <87lkm2ea5u.fsf@wheatstone.g10code.de> Message-ID: On 9667 day of my life Jorge Almeida wrote: >> If you want to preset a passphrase, you may do so using >> gpg-preset-passphrase - there is a man page for it. >> > Now, my system doesn't have such command. I have gnupg 1.4.5 and > 1.9.20. (OS is gentoo linux) $ locate gpg-preset-passphrase /usr/libexec/gpg-preset-passphrase -- Ivan Boldyrev | recursion, n: | See recursion From jalmeida at math.ist.utl.pt Fri Nov 24 10:01:53 2006 From: jalmeida at math.ist.utl.pt (Jorge Almeida) Date: Fri Nov 24 10:01:03 2006 Subject: adding passphrases to gpg-agent In-Reply-To: References: <87lkm2ea5u.fsf@wheatstone.g10code.de> Message-ID: On Fri, 24 Nov 2006, Ivan Boldyrev wrote: > > $ locate gpg-preset-passphrase > /usr/libexec/gpg-preset-passphrase > Yep, it's good to do updatedb regularly :) Anyway, it seems the design of gpg-agent is not compatible with what I wanted. With ssh-agent, I have a always-running service (supervised by daemontools), which is easy to bring down if needed (but there's no need) and which I can setup once and forget about it. Of course, identities must be added (with ssh-add) after rebooting or if the service goes down for some random reason (it didn't happen yet) or if I chose to clear everything by sending the service a HUP. It works transparently, regardless of whether ssh is called from X or from another ssh session or whatever. I hoped to have a similar setup for gpg-agent, but the way to add identities just won't allow it. It seems to be a design decision, so there's nothing to do. (I'm not a C programmer, and even if I could I woudn't try to hack such an important package!) Thanks everyone. -- Jorge Almeida From bob.dunlop at xyzzy.org.uk Thu Nov 23 12:21:36 2006 From: bob.dunlop at xyzzy.org.uk (Bob Dunlop) Date: Fri Nov 24 10:44:51 2006 Subject: adding passphrases to gpg-agent In-Reply-To: References: <87lkm2ea5u.fsf@wheatstone.g10code.de> Message-ID: <20061123112136.GA31737@xyzzy.org.uk> On Thu, Nov 23 at 10:55, Jorge Almeida wrote: ... > OK, that seems to do the job (not much different from ssh-add, is it?), > judging by the contents of ... > Did I misunderstood something, or is it just that I'm using a package > not recent enough? The command is lurking in /usr/libexec/gpg-preset-passphrase for some reason. Guess it's not intended to be used directly ? -- Bob Dunlop From wk at gnupg.org Fri Nov 24 12:26:05 2006 From: wk at gnupg.org (Werner Koch) Date: Fri Nov 24 12:32:46 2006 Subject: adding passphrases to gpg-agent In-Reply-To: (Jorge Almeida's message of "Fri\, 24 Nov 2006 09\:01\:53 +0000 \(WET\)") References: <87lkm2ea5u.fsf@wheatstone.g10code.de> Message-ID: <87ac2h6q7m.fsf@wheatstone.g10code.de> On Fri, 24 Nov 2006 10:01, jalmeida@math.ist.utl.pt said: > need) and which I can setup once and forget about it. Of course, > identities must be added (with ssh-add) after rebooting or if the > service goes down for some random reason (it didn't happen yet) or if I It seems that you don't understand for what gpg-agent is good for. This is of course my fault. > chose to clear everything by sending the service a HUP. It works > transparently, regardless of whether ssh is called from X or from > another ssh session or whatever. That is how you use gpg-agent. Really, it is a plug-in replacement of ssh-agent. It works different internally but at a user level it is very simlar. For example, you don't need to use ssh-add every time after starting the agent. You do it only once and gpg-agent will store the entire key on disk and no just in memeory as ssh-agent does. If you later want to control what ssh keys are available to gpg-agent, you can edit the ~/.gnupg/sscontrol file and give gpg-agent a HUP. Salam-Shalom, Werner From wk at gnupg.org Fri Nov 24 12:28:00 2006 From: wk at gnupg.org (Werner Koch) Date: Fri Nov 24 12:32:53 2006 Subject: adding passphrases to gpg-agent In-Reply-To: <20061123112136.GA31737@xyzzy.org.uk> (Bob Dunlop's message of "Thu\, 23 Nov 2006 11\:21\:36 +0000") References: <87lkm2ea5u.fsf@wheatstone.g10code.de> <20061123112136.GA31737@xyzzy.org.uk> Message-ID: <8764d56q4f.fsf@wheatstone.g10code.de> On Thu, 23 Nov 2006 12:21, bob.dunlop@xyzzy.org.uk said: > The command is lurking in /usr/libexec/gpg-preset-passphrase for some > reason. Guess it's not intended to be used directly ? It does not make sense to be used in an interactive environment. It is useful for server systems only and then having it in libexec is a good choice as it prevents users from accidently using it. Shalom-Salam, Werner From eocsor at gmail.com Fri Nov 24 10:53:34 2006 From: eocsor at gmail.com (Roscoe) Date: Fri Nov 24 12:53:55 2006 Subject: FSFE Smart Card In-Reply-To: <200610291826.k9TIQ2d3025953@rs26.luxsci.com> References: <200610291826.k9TIQ2d3025953@rs26.luxsci.com> Message-ID: I'm a bit confused about this too. http://fsfe.org/en/card/howto/subkey_howto says: This howto describes setting up your computer to use the Fellowship card with subkeys only. We recommend this, as it is the most secure usage." For what reasons is it more secure than putting (or generating) your primary signing key on the card? On 10/30/06, Henry Bremridge wrote: > Running Debian-Etch > > I deleted my decryption sub-key by mistake and my back up was incomplete... > > After taking advice it seems that the only way forward is (in order) to: > - Issue a new keypair > - Sign the new-keypair with my current signature > - Tell all those who signed my old-key of my new key ID > - Revoke my old keypair > - Publish my key > > > Question: > > - The FSFE website states that the recommended procedure is to use the > smart card with sub-keys only. If however I am creating a new > key-pair and backing up the secret key to a safe place, then what is > the problem? > > If I lose my smart card would I not be able to continue with the > backed up secret-key? > > - Is there any way to add a uid to the generated smart card, or is it > possible to only use one identity? > > Any assistance would be much appreciated > > > > -- > Henry > Sun Oct 29 18:25:08 GMT 2006 > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.5 (GNU/Linux) > > iD8DBQFFRPIMFr/I+3p/xIIRAhlQAJsHpA+45jAtBkmmiMNyr8US8+BM0gCePnpH > n+n5BSmw27qhdbkCTNLWcQs= > =euo3 > -----END PGP SIGNATURE----- > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > From wk at gnupg.org Fri Nov 24 14:48:57 2006 From: wk at gnupg.org (Werner Koch) Date: Fri Nov 24 14:52:13 2006 Subject: FSFE Smart Card In-Reply-To: (eocsor@gmail.com's message of "Fri\, 24 Nov 2006 19\:23\:34 +0930") References: <200610291826.k9TIQ2d3025953@rs26.luxsci.com> Message-ID: <87irh53qgm.fsf@wheatstone.g10code.de> On Fri, 24 Nov 2006 10:53, eocsor@gmail.com said: > For what reasons is it more secure than putting (or generating) your > primary signing key on the card? I don't know. It is not more secure but more convenient in case the card breaks. Well, a very few folks do have a dedicated laptop used only for the secret primary key - in that case it might be more secure. Frankly, I don't know this howto and it unfortunate that we have two different howtos. Salam-Shalom, Werner From jalmeida at math.ist.utl.pt Fri Nov 24 15:07:59 2006 From: jalmeida at math.ist.utl.pt (Jorge Almeida) Date: Fri Nov 24 15:06:04 2006 Subject: adding passphrases to gpg-agent In-Reply-To: <87ac2h6q7m.fsf@wheatstone.g10code.de> References: <87lkm2ea5u.fsf@wheatstone.g10code.de> <87ac2h6q7m.fsf@wheatstone.g10code.de> Message-ID: On Fri, 24 Nov 2006, Werner Koch wrote: > > That is how you use gpg-agent. Really, it is a plug-in replacement of > ssh-agent. It works different internally but at a user level it is > very simlar. > My talk about ssh-agent may have induced you in error. My fault. I was not comparing ssh-agent with gpg-agent as replacement for ssh-agent! I mentioned my setup of ssh-agent just to give an idea of what I was trying to accomplish. In other words, I wanted a similar setup for gpg-agent but only for its uses of signing and encrypting, not for ssh authentication. Correct me if I'm wrong, but there is no way to add passphrases other than by using it for some signing or encrypting. And how to do it from a remote box? I know about X forwarding, but I don't want to use it (slow & clumsy). And pinentry-curses didn't work for me, even at the local box. Even assuming that there was some misconfiguration that caused this, I think a CLI way to add passphrases was a natural thing to expect, at least for UNIX users (of course, this would not be incompatible with graphical alternatives). > For example, you don't need to use ssh-add every time after starting > the agent. You do it only once and gpg-agent will store the entire > key on disk and no just in memeory as ssh-agent does. If you later What about the passphrase gpg-agent asks when adding the key via ssh-add? Is it needed only after gpg-agent receives a TERM or HUP? And is it the same for all keys stored? > want to control what ssh keys are available to gpg-agent, you can edit > the ~/.gnupg/sscontrol file and give gpg-agent a HUP. > Interesting. I didn't have a real close look at gpg-agent as ssh-agent replacement yet, but the --enable-ssh-support entry in http://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html#Agent-Options says that a different socket is opened for this functionality. But then a client would know about it only through inheriting an env variable; I would use the --use-standard-socket for gpg-agent signing/encryption socket, but what about the other socket? > Cheers, Jorge From peter at digitalbrains.com Sat Nov 25 16:07:48 2006 From: peter at digitalbrains.com (Peter Lebbing) Date: Sat Nov 25 17:00:30 2006 Subject: GnuPG 2.0.1rc1 released In-Reply-To: <87slgacskb.fsf@wheatstone.g10code.de> References: <87slgacskb.fsf@wheatstone.g10code.de> Message-ID: <45685C44.1020000@digitalbrains.com> > Noteworthy changes in GnuPG: > > * Experimental support for the PIN pads of the SPR 532 and the Kaan > Advanced card readers. Add "disable-keypad" scdaemon.conf if you > don't want it. Does currently only work for the OpenPGP card and > the authentication and decrypt keys. Hello Werner, Is it possible to backport this (or just the SPR 532 code) to GnuPG 1.4? I would like this to work on my Windows box. Or is the architecture too different? Back in March you wrote > To summarize: There is some code in gnupg but it is not yet ready for > general use. The parts which are not yet stable enough is the code to > dismiss the pinentry after the PIN has been entered on the reader's > pin pad. I could imagine fixing that requires a running scdaemon to do it... Greets, Peter. From shavital at mac.com Sat Nov 25 18:06:19 2006 From: shavital at mac.com (Charly Avital) Date: Sat Nov 25 18:54:30 2006 Subject: Using OpenPGP card. In-Reply-To: References: <87lkm2ea5u.fsf@wheatstone.g10code.de> Message-ID: <4568780B.2030202@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, 1. Apple's Powerbook G4 1.33GHz, MacOSX 10.4.8, gpg 1.4.5, gpg2 (with gpg-agent) 1.9.20, card reader SCR243, OpenPGPCard. 2. Public key URL 3. This is a test message signed with the card, sorry for any inconvenience. Charly -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) Comment: GnuPG for Privacy Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQCVAwUBRWh3/yRJoUyU/RYhAQLOIgQAhb1IRP293+TYdzVU0/t3mOtXGNFmq0cB WS01rzACltgm4y5nkFe1GpMVnbveSF67edqSFi9bntz5nkO7+Pcpmpp790mvgYVX ipLEd0+jRGO8DkOgi0GAv/RBOl7UJAbT9eOpdbZH8MwJvpB9V25iljlMRKGDdsG8 40Ey2b94RDk= =txGn -----END PGP SIGNATURE----- From shavital at mac.com Sat Nov 25 17:28:54 2006 From: shavital at mac.com (Charly Avital) Date: Sat Nov 25 18:54:44 2006 Subject: OpenPGP Card Message-ID: <45686F46.8060604@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, 1. Apple Powerbook G4 1.33GHz, MacOSX 10.4.8, GnuPG 1.4.5, gpg2 1.9.20 (with gpg-agent), Card Reader SCR243 PCMCIA, OpenPGP Card. 2. Key on card: 3. This is a test message, signed with the smart card, to whomever can find the time to verify the signature and comment if necessary. Thanks and sorry for any inconvenience. Charly -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) Comment: GnuPG for Privacy Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQCVAwUBRWhvOCRJoUyU/RYhAQJ+rgP/R/XBfD+6mMFLLNfp0r4O7G8gZAHC37uB SNsbzLTE1VNvGjfA3FhVSLQuV6LV9j/OUxA8X+qymoVjr5e69xjpObKQMiNMYKeU IucbzCAt+Fxt0hhwO6EU4yKwI8CeEOd6bz0PjzlkPOzH1tt6fkAVfNQn+I2wQGaY Ast3tNoBtcQ= =VfJh -----END PGP SIGNATURE----- From allen.schultz at gmail.com Sat Nov 25 18:23:08 2006 From: allen.schultz at gmail.com (Allen Schultz) Date: Sat Nov 25 20:24:10 2006 Subject: Logo ballot reminder In-Reply-To: <882dc347eb42f99e0ccab8c59d94a6e8@mj.zielgra.de> References: <8764d6b4zk.fsf@wheatstone.g10code.de> <882dc347eb42f99e0ccab8c59d94a6e8@mj.zielgra.de> Message-ID: <3f34f8420611250923w72765cdbqb2fff13cbc1a7a20@mail.gmail.com> I did miss the ballot page. Please resend. On 11/23/06, Michael Jaritz wrote: > Werner Koch schrieb: > > >this is a reminder for the logo ballot. All subscribers of the > >gnupg-users and gnupg-devel lists should have received a mail > >(unfortunately text/html) with an URL to the ballot page. If you miss > >such a mail, please let me know and I will resend this mail. From jmoore3rd at bellsouth.net Sat Nov 25 21:02:22 2006 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Sat Nov 25 21:00:53 2006 Subject: Using OpenPGP card. In-Reply-To: <4568780B.2030202@mac.com> References: <87lkm2ea5u.fsf@wheatstone.g10code.de> <4568780B.2030202@mac.com> Message-ID: <4568A14E.501@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Charly Avital wrote: > 1. Apple's Powerbook G4 1.33GHz, MacOSX 10.4.8, gpg 1.4.5, gpg2 (with > gpg-agent) 1.9.20, card reader SCR243, OpenPGPCard. > > 2. Public key URL > > > 3. This is a test message signed with the card, sorry for any inconvenience. Again, Good Sig! JOHN ;) Timestamp: Saturday 25 Nov 2006, 15:02 --500 (Eastern Standard Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6-svn4328: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: http://www.gswot.org Comment: My Homepage: http://tinyurl.com/yzhbhx Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCgAGBQJFaKFMAAoJEBCGy9eAtCsPWMgH/35AvrCXdc/rE22R2JfRq//0 3Xee6fRfRRIzZQIKRIAIk8n1dxf9ep82Zuav3118ltmS/SWtoQ8SGSgDfg8qVtdu Sv7JhS4zzgtoI6d6vVfoCbuP10R4UosfxOZF0//lkOMWiLLybjhXLiKxpOctwEVj AEC6JxpomZoJK/hrL7qLUlYdaQzHrlEjJ6J+3QwZj9UkqXgPDQ5W36hEgXCi2b7W UP6Kk/Ue0VSulkQ61gKM4OF78y+ApFEjBmpOxDyVx5WKIb9psGXhvuXUpxstr4vd +xgCD0PmIw2losmIaUTkCnfLQNh08AqqjrodF1dq8gJ6kcAyQSSdL2p6YIxmF5o= =JCFp -----END PGP SIGNATURE----- From shavital at mac.com Sat Nov 25 21:19:23 2006 From: shavital at mac.com (Charly Avital) Date: Sat Nov 25 21:17:28 2006 Subject: Using OpenPGP card. In-Reply-To: <4568A14E.501@bellsouth.net> References: <87lkm2ea5u.fsf@wheatstone.g10code.de> <4568780B.2030202@mac.com> <4568A14E.501@bellsouth.net> Message-ID: <4568A54B.50308@mac.com> Sorry for the double post. The first e-mail was reported not sent (smtp failure), disappeared from TB's list. Thanks John. Charly John W. Moore III wrote the following on 11/25/06 3:02 PM: [...] > > Again, Good Sig! > > JOHN ;) > Timestamp: Saturday 25 Nov 2006, 15:02 --500 (Eastern Standard Time) _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From shavital at mac.com Sat Nov 25 21:19:47 2006 From: shavital at mac.com (Charly Avital) Date: Sat Nov 25 21:17:48 2006 Subject: Using OpenPGP card. In-Reply-To: <4568A14E.501@bellsouth.net> References: <87lkm2ea5u.fsf@wheatstone.g10code.de> <4568780B.2030202@mac.com> <4568A14E.501@bellsouth.net> Message-ID: <4568A563.2040806@mac.com> Sorry for the double post. The first e-mail was reported not sent (smtp failure), disappeared from TB's list. Thanks John. Charly John W. Moore III wrote the following on 11/25/06 3:02 PM: [...] > > Again, Good Sig! > > JOHN ;) > Timestamp: Saturday 25 Nov 2006, 15:02 --500 (Eastern Standard Time) _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From sgarlick at gmail.com Sun Nov 26 08:50:47 2006 From: sgarlick at gmail.com (Simon H. Garlick) Date: Sun Nov 26 10:25:12 2006 Subject: Logo ballot reminder In-Reply-To: <3f34f8420611250923w72765cdbqb2fff13cbc1a7a20@mail.gmail.com> References: <8764d6b4zk.fsf@wheatstone.g10code.de> <882dc347eb42f99e0ccab8c59d94a6e8@mj.zielgra.de> <3f34f8420611250923w72765cdbqb2fff13cbc1a7a20@mail.gmail.com> Message-ID: <49aa5b1b0611252350q8b02e6bgad4334820a360def@mail.gmail.com> I didn't get an email either -- resend for me too please. Simon On 11/26/06, Allen Schultz wrote: > I did miss the ballot page. Please resend. > > On 11/23/06, Michael Jaritz wrote: > > Werner Koch schrieb: > > > > >this is a reminder for the logo ballot. All subscribers of the > > >gnupg-users and gnupg-devel lists should have received a mail > > >(unfortunately text/html) with an URL to the ballot page. If you miss > > >such a mail, please let me know and I will resend this mail. > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From mnman at pd.jaring.my Sun Nov 26 10:27:49 2006 From: mnman at pd.jaring.my (omn) Date: Sun Nov 26 11:54:09 2006 Subject: OpenPGP Card In-Reply-To: <45686F46.8060604@mac.com> References: <45686F46.8060604@mac.com> Message-ID: <45695E15.1020306@pd.jaring.my> Charly Avital wrote: > Hi, > > 1. Apple Powerbook G4 1.33GHz, MacOSX 10.4.8, GnuPG 1.4.5, gpg2 1.9.20 > (with gpg-agent), Card Reader SCR243 PCMCIA, OpenPGP Card. > > 2. Key on card: > > > 3. This is a test message, signed with the smart card, to whomever can > find the time to verify the signature and comment if necessary. > > Thanks and sorry for any inconvenience. > Charly OpenPGP Security Info UNTRUSTED Good signature from Charly Avital (Test2) Key ID: 0x94FD1621 / Signed on: 11/26/2006 12:28 AM Key fingerprint: 0D2F A4AA E18F 335D D37E 4F8C 2449 A14C 94FD 1621 _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From wk at gnupg.org Mon Nov 27 10:03:04 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Nov 27 10:06:56 2006 Subject: GnuPG 2.0.1rc1 released In-Reply-To: <45685C44.1020000@digitalbrains.com> (Peter Lebbing's message of "Sat\, 25 Nov 2006 16\:07\:48 +0100") References: <87slgacskb.fsf@wheatstone.g10code.de> <45685C44.1020000@digitalbrains.com> Message-ID: <87k61hntx3.fsf@wheatstone.g10code.de> On Sat, 25 Nov 2006 16:07, peter@digitalbrains.com said: > Is it possible to backport this (or just the SPR 532 code) to GnuPG 1.4? No, that is not possible. Shalom-Salam, Werner From peter at digitalbrains.com Mon Nov 27 14:36:54 2006 From: peter at digitalbrains.com (Peter Lebbing) Date: Mon Nov 27 14:36:08 2006 Subject: GnuPG 2.0.1rc1 released In-Reply-To: <87fyc5kpsb.fsf@wheatstone.g10code.de> References: <87slgacskb.fsf@wheatstone.g10code.de> <45685C44.1020000@digitalbrains.com> <87k61hntx3.fsf@wheatstone.g10code.de> <456AC83C.80106@digitalbrains.com> <87fyc5kpsb.fsf@wheatstone.g10code.de> Message-ID: <456AE9F6.6010307@digitalbrains.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 First off, I noticed I accidentally replied only to Werner and not to the list. My previous post: Peter Lebbing wrote: > Werner Koch wrote: >>> Is it possible to backport this (or just the SPR 532 code) to GnuPG 1.4? >> >> No, that is not possible. > > > That's too bad. Someone suggested (off-list) to use Cygwin, but IIRC the > Cygwin version can't access USB devices... but if it is possible to use > serial-port devices (after all, that structure is less complex), I could > hook up the SPR 532 to the serial port. Does anybody have any > experience in or ideas about using a smartcard reader in Cygwin? > > Thanks, > > Peter. Werner Koch wrote: > I am pretty sure that we will have a GnuPG-2 Windows version at some > point next year. > > In theory we could port the keypad stuff to GnuPG-1 but it takes too > much time. Time we better spend for furthering other things. Yes, I was just hoping that it would be easy. Pity. Thanks for the replies! Peter. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQCVAwUBRWrp9fqr/97I5g4/AQLUFgQAjSAo3pvcNjV/QPt/2KL8SlhRTvYkqKcx FIM2XQdLPqykKVwPJ6+XgixjpOLNT1i36s4E633rLA/fPTQkfthxoFvOBaZX6OKX aaJ9NxpU1d+dtm805QdV1y/WkZivAfqGE8RmfjJZS1ZXdWJZ13joH9+EfMxHqt7C kr07pfXaGX8= =V5HW -----END PGP SIGNATURE----- From nico-linux-gnupg at schottelius.org Mon Nov 27 15:25:45 2006 From: nico-linux-gnupg at schottelius.org (Nico Schottelius) Date: Mon Nov 27 17:24:48 2006 Subject: Encrypt + Sign format? Message-ID: <20061127142545.GK25947@schottelius.org> When I encrypt and sign a message, is the signature also crypted or is it around the encrypted part? -- ``...if there's one thing about Linux users, they're do-ers, not whiners.'' (A quotation of Andy Patrizio I completely agree with) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : /pipermail/attachments/20061127/cbd3a8bf/attachment-0001.pgp From dshaw at jabberwocky.com Mon Nov 27 18:12:44 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Nov 27 18:13:50 2006 Subject: Encrypt + Sign format? In-Reply-To: <20061127142545.GK25947@schottelius.org> References: <20061127142545.GK25947@schottelius.org> Message-ID: <20061127171244.GB7857@jabberwocky.com> On Mon, Nov 27, 2006 at 03:25:45PM +0100, Nico Schottelius wrote: > When I encrypt and sign a message, is the signature also > crypted or is it around the encrypted part? It is encrypted also. OpenPGP encrypted and signed messages are: Encrypt ( Sign ( Message) ) David From johanw at vulcan.xs4all.nl Mon Nov 27 18:26:53 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Mon Nov 27 18:22:16 2006 Subject: Encrypt + Sign format? In-Reply-To: <20061127142545.GK25947@schottelius.org> Message-ID: <200611271726.kARHQrw0002030@vulcan.xs4all.nl> Nico Schottelius wrote: >When I encrypt and sign a message, is the signature also >crypted or is it around the encrypted part? It is first signed and then encrypted. Since the information who signed the message might be sensitive too this makes sense. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From JPClizbe at tx.rr.com Mon Nov 27 19:39:47 2006 From: JPClizbe at tx.rr.com (John Clizbe) Date: Mon Nov 27 19:38:54 2006 Subject: GnuPG 2.0.1rc1 released In-Reply-To: <456AE9F6.6010307@digitalbrains.com> References: <87slgacskb.fsf@wheatstone.g10code.de> <45685C44.1020000@digitalbrains.com> <87k61hntx3.fsf@wheatstone.g10code.de> <456AC83C.80106@digitalbrains.com> <87fyc5kpsb.fsf@wheatstone.g10code.de> <456AE9F6.6010307@digitalbrains.com> Message-ID: <456B30F3.5020500@tx.rr.com> Peter Lebbing wrote: > That's too bad. Someone suggested (off-list) to use Cygwin, but IIRC the > Cygwin version can't access USB devices... but if it is possible to use > serial-port devices (after all, that structure is less complex), I could > hook up the SPR 532 to the serial port. Does anybody have any > experience in or ideas about using a smartcard reader in Cygwin? If the card reader works with the native Windows build of GnuPG, it should work with the Cygwin. USB reader support was fixed in 1.4.3-svn3916. Part of the commit included a patch that allows the use of USB card readers on Cygwin. Releases >= 1.4.4 should work under Cygwin. jpclizbe@icechest ~ $ uname -a CYGWIN_NT-5.1 icechest 1.5.22(0.156/4/2) 2006-11-13 17:01 i686 Cygwin jpclizbe@icechest ~ $ /usr/bin/gpg --version gpg (GnuPG) 1.4.5 Copyright (C) 2006 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 jpclizbe@icechest ~ $ /usr/bin/gpg --card-status gpg: detected reader `SCM Microsystems Inc. SCR33x USB Smart Card Reader 0' Application ID ...: D2760001240101010001000004830000 Version ..........: 1.1 Manufacturer .....: PPC Card Systems Serial number ....: 00000483 Name of cardholder: John P. Clizbe
/usr/bin is the Cygwin furnished build. Normally, I'd run the svn copy in /usr/local/bin. -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 663 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20061127/8a9001c1/signature.pgp From wk at gnupg.org Mon Nov 27 18:13:02 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Nov 27 20:14:14 2006 Subject: [Announce] GnuPG 1.4 and 2.0 buffer overflow Message-ID: <87mz6cke3l.fsf@wheatstone.g10code.de> Skipped content of type multipart/signed-------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From johanw at vulcan.xs4all.nl Mon Nov 27 21:05:16 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Mon Nov 27 21:00:25 2006 Subject: [Announce] GnuPG 1.4 and 2.0 buffer overflow In-Reply-To: <87mz6cke3l.fsf@wheatstone.g10code.de> Message-ID: <200611272005.kARK5G0H009387@vulcan.xs4all.nl> Werner Koch wrote: >While fixing a bug reported by Hugh Warrington, a buffer overflow has >been identified in all released GnuPG versions. The current versions >1.4.5 and 2.0.0 are affected. A small patch is provided. Will this lead to a 1.4.6 / 2.0.1 release anytime soon or is the bug not serious enough for that? -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From wk at gnupg.org Mon Nov 27 23:04:05 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Nov 27 23:06:55 2006 Subject: [Announce] GnuPG 1.4 and 2.0 buffer overflow In-Reply-To: <200611272005.kARK5G0H009387@vulcan.xs4all.nl> (Johan Wevers's message of "Mon\, 27 Nov 2006 21\:05\:16 +0100 \(MET\)") References: <200611272005.kARK5G0H009387@vulcan.xs4all.nl> Message-ID: <878xhwim22.fsf@wheatstone.g10code.de> On Mon, 27 Nov 2006 21:05, johanw@vulcan.xs4all.nl said: > Will this lead to a 1.4.6 / 2.0.1 release anytime soon or is the bug > not serious enough for that? Yes. This week. Salam-Shalom, Werner From wk at gnupg.org Tue Nov 28 10:01:15 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Nov 28 10:06:42 2006 Subject: adding passphrases to gpg-agent In-Reply-To: (Jorge Almeida's message of "Fri\, 24 Nov 2006 14\:07\:59 +0000 \(WET\)") References: <87lkm2ea5u.fsf@wheatstone.g10code.de> <87ac2h6q7m.fsf@wheatstone.g10code.de> Message-ID: <87slg4eyhw.fsf@wheatstone.g10code.de> On Fri, 24 Nov 2006 15:07, jalmeida@math.ist.utl.pt said: > says that a different socket is opened for this functionality. But then > a client would know about it only through inheriting an env variable; I > would use the --use-standard-socket for gpg-agent signing/encryption > socket, but what about the other socket? We can't do anything about it. OpenSSH uses the environment variable to find its agent. Salam-Shalom, Werner From awolff at newbreed.com Mon Nov 27 17:18:41 2006 From: awolff at newbreed.com (Wolff, Alex) Date: Tue Nov 28 13:53:24 2006 Subject: Two servers...one KeyPair Message-ID: <862A39136A59664EB2DE1937B8B5BA96263818B9@isgms001.newbreed.com> Hello, I am trying to get around the problem of creating one key-pair and using it on two different servers (TEST and PROD). Is this possible? I am using gpg (GnuPG) 1.4.2.2 Thank You. Alex Wolff (awolff@newbreed.com) Technology Services Group New Breed Corp. 336-232-4573 (v) 336-217-1680 (f) From brunij at earthlink.net Tue Nov 28 15:07:25 2006 From: brunij at earthlink.net (Joseph Oreste Bruni) Date: Tue Nov 28 15:05:19 2006 Subject: Two servers...one KeyPair In-Reply-To: <862A39136A59664EB2DE1937B8B5BA96263818B9@isgms001.newbreed.com> References: <862A39136A59664EB2DE1937B8B5BA96263818B9@isgms001.newbreed.com> Message-ID: <089B93DE-56F3-42A4-9DF6-5AFDE649831D@earthlink.net> Your question is ambiguous. What are you trying to do? Use one key pair on two systems, or use two key pairs on two systems? If the former, simply copy the .gnupg directory to the second system. If the former, simply create a second key pair on the second system. On Nov 27, 2006, at 9:18 AM, Wolff, Alex wrote: > Hello, > > I am trying to get around the problem of creating one key-pair and > using it > on two different servers (TEST and PROD). Is this possible? > > > I am using gpg (GnuPG) 1.4.2.2 > > Thank You. > > Alex Wolff (awolff@newbreed.com) > Technology Services Group > New Breed Corp. > 336-232-4573 (v) > 336-217-1680 (f) > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2508 bytes Desc: not available Url : /pipermail/attachments/20061128/b6001082/smime-0001.bin From areiner at tph.tuwien.ac.at Tue Nov 28 15:01:25 2006 From: areiner at tph.tuwien.ac.at (Albert Reiner) Date: Tue Nov 28 16:25:42 2006 Subject: Two servers...one KeyPair In-Reply-To: <862A39136A59664EB2DE1937B8B5BA96263818B9@isgms001.newbreed.com> References: <862A39136A59664EB2DE1937B8B5BA96263818B9@isgms001.newbreed.com> Message-ID: <20061128140125.GA15808@tph.tuwien.ac.at> > I am trying to get around the problem of creating one key-pair and using it > on two different servers (TEST and PROD). Is this possible? Generate the key on one server, export both private and public key (gpg --export, gpg --export-private-key), transfer to the other server, import private and public key. HTH, Albert. From hhhobbit at securemecca.net Tue Nov 28 16:53:42 2006 From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Tue Nov 28 16:51:56 2006 Subject: Two servers..one KeyPair In-Reply-To: <0MKqVj-1Gp3dW2T0g-0002Nu@mx.perfora.net> References: <0MKqVj-1Gp3dW2T0g-0002Nu@mx.perfora.net> Message-ID: <1164729222.7152.96.camel@sirius.brigham.net> On Mon, 2006-11-27 at 11:18 -0500, brunij@earthlink.net wrote: > Your question is ambiguous. What are you trying to do? Use one key > pair on two systems, or use two key pairs on two systems? > > If the former, simply copy the .gnupg directory to the second system. > If the former, simply create a second key pair on the second system. I think you meant to say "If the latter" (we probably all deduced that). What was confusing me was the "create". You only do the "create" on ONE of the machines (hereafter referred to as machine number one). 0. Do a backup of both ~/.gnupg folders first. If you goof up you can always go back to what you have. If you don't have a .gnupg folder on machine two, just copy the backup from the first machine to machine two and unpack it (option one). 1. If you are starting from scratch, copy the entire .gnupg folder BUT delete the random_seed file in the folder on the machine the folder was copied to, to force it to recreate a new random_seed file that is different. 2. If you can NOT just copy the folder, e.g., you already have keys on machine two that are NOT on machine one where you generated the keys, then use the --export-secret-keys on the machine you generated the key you want to use on both machines. You import it just like any other key. [a] on the machine where the key was created: gpg -a --export-secret-keys E4FC4DDF > sec_bogus.asc # you will have your OWN key ID and file name [b] on machine two that doesn't have the secret key yet. copy the sec_bogus.asc (use your own name) file to it and type: gpg --import sec_bogus.asc # substitute your own name for the secret key file. Once # the transfer has worked, SHRED THIS FILE! This is TESTED and works as LONG as you are NOT using SELinux. 3. If you are using SELinux, approach one is HIGHLY recommended. If you can't do that search archives for Werner's work-around for exporting / importing the secret keys. It is a hack that defeats SELinux from preventing the export of secret keys (which is actually a good idea MOST of the time). > > On Nov 27, 2006, at 9:18 AM, Wolff, Alex wrote: > > > Hello, > > > > I am trying to get around the problem of creating one key-pair and > > using it > > on two different servers (TEST and PROD). Is this possible? > > YES. See previous. > > > > I am using gpg (GnuPG) 1.4.2.2 > > > > Thank You. > > > > Alex Wolff (awolff@newbreed.com) > > Technology Services Group > > New Breed Corp. > > 336-232-4573 (v) > > 336-217-1680 (f) HHH From gnupg-ml at seichter.de Tue Nov 28 17:09:01 2006 From: gnupg-ml at seichter.de (Ralph Seichter) Date: Tue Nov 28 18:54:11 2006 Subject: GnuPG 2.0 compilation fails with "undefined reference to gpg_err_code_from_syserror" Message-ID: <456C5F1D.7090704@seichter.de> Hi list, I'm having trouble compiling the "agent" component of GnuPG 2.0 on a Gentoo-based machine. I could not find anything about the error message (please see attachment) in the FAQ or by searching the Net, so I hope that the members of this mailing list are able to help. If you need any information about the machine on which I am trying to build GnuPG 2.0, please let me know. As a preparation, I have built and installed libgpg-error 1.4, libassuan 1.0.1 and libksba 1.0.0, but perhaps there is still something missing? Your help is appreciated. -- Mit freundlichen Gr??en / Sincerely Dipl. Inform. Ralph Seichter -------------- next part -------------- Making all in agent make[2]: Entering directory `gnupg-2.0.0/agent' gcc -I/usr/local/libgpg-error-1.4/include -g -O2 -Wall -Wno-pointer-sign -o gpg-agent gpg_agent-gpg-agent.o gpg_agent-command.o gpg_agent-command-ssh.o gpg_agent-call-pinentry.o gpg_agent-cache.o gpg_agent-trans.o gpg_agent-findkey.o gpg_agent-pksign.o gpg_agent-pkdecrypt.o gpg_agent-genkey.o gpg_agent-protect.o gpg_agent-trustlist.o gpg_agent-divert-scd.o gpg_agent-call-scd.o gpg_agent-learncard.o ../jnlib/libjnlib.a ../common/libcommonpth.a ../gl/libgnu.a -lgcrypt -lgpg-error -L/usr/local/libassuan-1.0.1/lib -lassuan-pth -L/usr/lib -lpth -lnsl -L/usr/local/libgpg-error-1.4/lib -lgpg-error -ldl gpg_agent-command.o: In function `gpg_error_from_syserror': /usr/local/libgpg-error-1.4/include/gpg-error.h:640: undefined reference to `gpg_err_code_from_syserror' /usr/local/libgpg-error-1.4/include/gpg-error.h:640: undefined reference to `gpg_err_code_from_syserror' /usr/local/libgpg-error-1.4/include/gpg-error.h:640: undefined reference to `gpg_err_code_from_syserror' gpg_agent-command.o: In function `write_and_clear_outbuf': /usr/local/libgpg-error-1.4/include/gpg-error.h:640: undefined reference to `gpg_err_code_from_syserror' gpg_agent-command.o: In function `gpg_error_from_syserror': /usr/local/libgpg-error-1.4/include/gpg-error.h:640: undefined reference to `gpg_err_code_from_syserror' gpg_agent-command.o:/usr/local/libgpg-error-1.4/include/gpg-error.h:640: more undefined references to `gpg_err_code_from_syserror' follow collect2: ld returned 1 exit status make[2]: *** [gpg-agent] Error 1 make[2]: Leaving directory `gnupg-2.0.0/agent' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `gnupg-2.0.0' make: *** [all] Error 2 From wk at gnupg.org Tue Nov 28 20:23:29 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Nov 28 20:26:59 2006 Subject: GnuPG 2.0 compilation fails with "undefined reference to gpg_err_code_from_syserror" In-Reply-To: <456C5F1D.7090704@seichter.de> (Ralph Seichter's message of "Tue\, 28 Nov 2006 17\:09\:01 +0100") References: <456C5F1D.7090704@seichter.de> Message-ID: <87mz6bbcjy.fsf@wheatstone.g10code.de> On Tue, 28 Nov 2006 17:09, gnupg-ml@seichter.de said: > I'm having trouble compiling the "agent" component of GnuPG 2.0 on a > Gentoo-based machine. I could not find anything about the error message Please try 2.0.1 which I released this evening. Salam-Shalom, Werner From gnupg-ml at seichter.de Tue Nov 28 22:11:58 2006 From: gnupg-ml at seichter.de (Ralph Seichter) Date: Tue Nov 28 22:10:46 2006 Subject: GnuPG 2.0 compilation fails with "undefined reference to gpg_err_code_from_syserror" In-Reply-To: <87mz6bbcjy.fsf@wheatstone.g10code.de> References: <456C5F1D.7090704@seichter.de> <87mz6bbcjy.fsf@wheatstone.g10code.de> Message-ID: <456CA61E.4030100@seichter.de> Werner Koch wrote: > Please try 2.0.1 which I released this evening. I tried, but unfortunately version 2.0.1 won't compile either. -- Mit freundlichen Gr??en / Sincerely Dipl. Inform. Ralph Seichter -------------- next part -------------- gcc -I/usr/local/libgpg-error-1.4/include -g -O2 -Wall -Wno-pointer-sign -o gpg-agent gpg_agent-gpg-agent.o gpg_agent-command.o gpg_agent-command-ssh.o gpg_agent-call-pinentry.o gpg_agent-cache.o gpg_agent-trans.o gpg_agent-findkey.o gpg_agent-pksign.o gpg_agent-pkdecrypt.o gpg_agent-genkey.o gpg_agent-protect.o gpg_agent-trustlist.o gpg_agent-divert-scd.o gpg_agent-call-scd.o gpg_agent-learncard.o ../jnlib/libjnlib.a ../common/libcommonpth.a ../gl/libgnu.a -lgcrypt -lgpg-error -L/usr/local/libassuan-1.0.1/lib -lassuan-pth -L/usr/lib -lpth -lnsl -L/usr/local/libgpg-error-1.4/lib -lgpg-error -ldl gpg_agent-command.o: In function `gpg_error_from_syserror': /usr/local/libgpg-error-1.4/include/gpg-error.h:640: undefined reference to `gpg_err_code_from_syserror' /usr/local/libgpg-error-1.4/include/gpg-error.h:640: undefined reference to `gpg_err_code_from_syserror' /usr/local/libgpg-error-1.4/include/gpg-error.h:640: undefined reference to `gpg_err_code_from_syserror' gpg_agent-command.o: In function `write_and_clear_outbuf': /usr/local/libgpg-error-1.4/include/gpg-error.h:640: undefined reference to `gpg_err_code_from_syserror' gpg_agent-command.o: In function `gpg_error_from_syserror': /usr/local/libgpg-error-1.4/include/gpg-error.h:640: undefined reference to `gpg_err_code_from_syserror' gpg_agent-command.o:/usr/local/libgpg-error-1.4/include/gpg-error.h:640: more undefined references to `gpg_err_code_from_syserror' follow collect2: ld returned 1 exit status make[2]: *** [gpg-agent] Error 1 make[2]: Leaving directory `gnupg-2.0.1/agent' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `gnupg-2.0.1' make: *** [all] Error 2 From dougb at dougbarton.us Wed Nov 29 11:00:52 2006 From: dougb at dougbarton.us (Doug Barton) Date: Wed Nov 29 10:58:55 2006 Subject: FreeBSD ports for libassuan 1.0.1 and gnupg 2.0.1 Message-ID: <456D5A54.5070900@dougbarton.us> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 For FreeBSD users eager to get started with the new versions, I'm told that the official ports will be updated "soon." They are just waiting on a repo copy of the old gnupg-devel port, and the CVS folks are a bit backlogged right now. Meanwhile, I've updated my unofficial patches. The libassuan patch is at http://dougbarton.us/libassuan.diff, and should apply cleanly to the existing port. For gnupg, 'cd /usr/ports/security && cp -Rp gnupg-devel gnupg2 && cd gnupg2 && patch < gnupg2.diff'. You can find the patch at http://dougbarton.us/gnupg2.diff. hth, Doug - -- If you're never wrong, you're not trying hard enough -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.1 (FreeBSD) iD8DBQFFbVpUyIakK9Wy8PsRAn/7AJ9xHzaoNgn3Tn0RS/osX4ctSWkpQACfWCqU /hlIJ0lwl1BMJkihkJSDJms= =tPLv -----END PGP SIGNATURE----- From alphasigmax at gmail.com Wed Nov 29 10:50:06 2006 From: alphasigmax at gmail.com (Alphax) Date: Wed Nov 29 11:08:59 2006 Subject: Two servers...one KeyPair In-Reply-To: <089B93DE-56F3-42A4-9DF6-5AFDE649831D@earthlink.net> References: <862A39136A59664EB2DE1937B8B5BA96263818B9@isgms001.newbreed.com> <089B93DE-56F3-42A4-9DF6-5AFDE649831D@earthlink.net> Message-ID: <456D57CE.7070002@gmail.com> Joseph Oreste Bruni wrote: > Your question is ambiguous. What are you trying to do? Use one key pair > on two systems, or use two key pairs on two systems? > > If the former, simply copy the .gnupg directory to the second system. That advice is seriously flawed. You do *not* want to copy the random-seed file! -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 569 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20061129/3a3d5e55/signature.pgp From wk at gnupg.org Wed Nov 29 11:33:15 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Nov 29 11:36:38 2006 Subject: GnuPG 2.0 compilation fails with "undefined reference to gpg_err_code_from_syserror" In-Reply-To: <456CA61E.4030100@seichter.de> (Ralph Seichter's message of "Tue\, 28 Nov 2006 22\:11\:58 +0100") References: <456C5F1D.7090704@seichter.de> <87mz6bbcjy.fsf@wheatstone.g10code.de> <456CA61E.4030100@seichter.de> Message-ID: <87r6vmv8yc.fsf@wheatstone.g10code.de> On Tue, 28 Nov 2006 22:11, gnupg-ml@seichter.de said: > ../jnlib/libjnlib.a ../common/libcommonpth.a ../gl/libgnu.a -lgcrypt > -lgpg-error -L/usr/local/libassuan-1.0.1/lib -lassuan-pth -L/usr/lib > -lpth -lnsl -L/usr/local/libgpg-error-1.4/lib -lgpg-error -ldl -L/usr/lib -lpth -lnsl -L/usr/local/libgpg-error-1.4/lib ^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ From pth-config from gpg-error-config Thus pth-config tells the linker to search the standard lib directory first and there you have an old version of libgpg-error which does not match the one tested by configure (installed under /usr/local/libgpg-error-1.4). I can mitigate the problem by changing the order. However, these kinds of problems are not completly solvable. As a quick hack, I suggest to fix pth-config by removing the superfluous -L/usr/lib. Salam-Shalom, Werner p.s. You might also want to use stow(1) instead of having an own hierachy for all libs. Then you only need to do: ./configure make make install prefix=/usr/local/stow/libgpg-error sudo stow -d /usr/local/stow libgpg-error after having created the libgpg-error diectory chown to you. This allows to easily update or remove of libs. From henry.bremridge at xobie.com Wed Nov 29 11:40:48 2006 From: henry.bremridge at xobie.com (Henry Bremridge) Date: Wed Nov 29 11:41:44 2006 Subject: Two servers...one KeyPair In-Reply-To: <456D57CE.7070002@gmail.com> References: <862A39136A59664EB2DE1937B8B5BA96263818B9@isgms001.newbreed.com> <089B93DE-56F3-42A4-9DF6-5AFDE649831D@earthlink.net> <456D57CE.7070002@gmail.com> Message-ID: <200611291042.kATAg2H5026750@rs26.luxsci.com> On Wed, Nov 29, 2006 at 08:20:06PM +1030, Alphax wrote: > That advice is seriously flawed. You do *not* want to copy the > random-seed file! > Just out of interest: why? -- Henry Wed Nov 29 10:40:15 GMT 2006 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : /pipermail/attachments/20061129/9ecfb2e3/attachment.pgp From alphasigmax at gmail.com Wed Nov 29 13:03:37 2006 From: alphasigmax at gmail.com (Alphax) Date: Wed Nov 29 13:02:58 2006 Subject: Two servers...one KeyPair In-Reply-To: <200611291042.kATAg2H5026750@rs26.luxsci.com> References: <862A39136A59664EB2DE1937B8B5BA96263818B9@isgms001.newbreed.com> <089B93DE-56F3-42A4-9DF6-5AFDE649831D@earthlink.net> <456D57CE.7070002@gmail.com> <200611291042.kATAg2H5026750@rs26.luxsci.com> Message-ID: <456D7719.40505@gmail.com> Henry Bremridge wrote: > On Wed, Nov 29, 2006 at 08:20:06PM +1030, Alphax wrote: > >> That advice is seriously flawed. You do *not* want to copy the >> random-seed file! >> > Just out of interest: why? > As someone a lot smarter than me pointed out in a message I can't find when I suggested "just copy the .gnupg directory" (and with a bit of background info thrown in, and I'm not a cryptographer and haven't really studied the GnuPG internals so I might be wrong): GPG is a hybrid cryptosystem; messages are (symmetrically) encrypted to "random" session keys, which are then (asymmetrically) encrypted to a number of recipient public keys. Part of the security of the system is that the session key is "random" or as close to it as possible; because GPG will work on many different and varying systems, there is no guarantee of a system-wide random data source, so you can't just read from /dev/random or /dev/urandom every time you want a bit of random data, because it might not exist (and these have their own problems). So, GPG has it's own internal pseudorandom number generator. In order to speed things up a bit, it normally has an internal seed of pooled random data - which it stores in .gnupg/random_seed while it's not using it. When GPG decides it wants some random data, it generates it using this file as the seed - so if you know what the random seed file was, it's (somewhat) easier to predict what the next lot of random data is going to be. So, you don't want two installations of GPG to have the same random_seed, because you're going to start producing deterministic output... -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 569 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20061129/72643277/signature-0001.pgp From adam at e-ignite.co.uk Wed Nov 29 11:44:55 2006 From: adam at e-ignite.co.uk (Adam Gould) Date: Wed Nov 29 13:26:30 2006 Subject: Smart Card Use with GnuPG Message-ID: <456D64A7.3030609@e-ignite.co.uk> Hi all, I was looking into Smart Cards for use with GnuPG email encryption (I'm running Windows XP with Thunderbird and Enigmail) and found that the OpenPGP Smart Card from g10code only supports 1024 bit RSA keys. I'm aware that there are some Smart Cards available (not OpenPGP branded) that support 2048 bit RSA - would these work with GnuPG? If so, what type of card would I require to use? If I did get a non-OpenPGP Smart Card, would I require some additional software to enable me to transfer existing keys to the card? Thanks for any advice, Adam -- e-ignite: OpenPGP Key: 0x4B45F6F5 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 542 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20061129/14886b69/signature.pgp From wk at gnupg.org Wed Nov 29 14:39:49 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Nov 29 14:41:45 2006 Subject: Smart Card Use with GnuPG In-Reply-To: <456D64A7.3030609@e-ignite.co.uk> (Adam Gould's message of "Wed\, 29 Nov 2006 10\:44\:55 +0000") References: <456D64A7.3030609@e-ignite.co.uk> Message-ID: <87bqmqtlqy.fsf@wheatstone.g10code.de> On Wed, 29 Nov 2006 11:44, adam@e-ignite.co.uk said: > OpenPGP Smart Card from g10code only supports 1024 bit RSA keys. I'm > aware that there are some Smart Cards available (not OpenPGP branded) That is not a branding but a specification for smartcards. GnuPG 1.4.x does only support this smartcard specification. GnuPG 2.0 supports several other smart cards but only for X.509 (S/MIME) and not for OpenPGP. Shalom-Salam, Werner From gnupg-ml at seichter.de Wed Nov 29 15:10:09 2006 From: gnupg-ml at seichter.de (Ralph Seichter) Date: Wed Nov 29 15:08:44 2006 Subject: GnuPG 2.0 compilation fails with "undefined reference to gpg_err_code_from_syserror" In-Reply-To: <87r6vmv8yc.fsf@wheatstone.g10code.de> References: <456C5F1D.7090704@seichter.de> <87mz6bbcjy.fsf@wheatstone.g10code.de> <456CA61E.4030100@seichter.de> <87r6vmv8yc.fsf@wheatstone.g10code.de> Message-ID: <456D94C1.9010200@seichter.de> Werner Koch wrote: > I can mitigate the problem by changing the order. However, these kinds > of problems are not completly solvable. Well, even though it is not a perfect solution, it might be a good idea to check the user-supplied library directories before /usr/lib. > As a quick hack, I suggest to fix pth-config by removing the > superfluous -L/usr/lib. I'll attach a small patch for the "configure" script of GnuPG 2.0.1 which works for me. -- Mit freundlichen Gr??en / Sincerely Dipl. Inform. Ralph Seichter -------------- next part -------------- *** /tmp/gnupg-2.0.1-orig/configure Tue Nov 28 17:05:22 2006 --- configure Wed Nov 29 14:41:48 2006 *************** *** 7344,7351 **** if test $have_pth = yes; then PTH_CFLAGS=`$PTH_CONFIG --cflags` ! PTH_LIBS=`$PTH_CONFIG --ldflags` ! PTH_LIBS="$PTH_LIBS `$PTH_CONFIG --libs --all`" cat >>confdefs.h <<\_ACEOF #define HAVE_PTH 1 --- 7344,7352 ---- if test $have_pth = yes; then PTH_CFLAGS=`$PTH_CONFIG --cflags` ! #PTH_LIBS=`$PTH_CONFIG --ldflags` ! #PTH_LIBS="$PTH_LIBS `$PTH_CONFIG --libs --all`" ! PTH_LIBS="`$PTH_CONFIG --libs --all`" cat >>confdefs.h <<\_ACEOF #define HAVE_PTH 1 From wk at gnupg.org Wed Nov 29 14:55:45 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Nov 29 15:26:20 2006 Subject: [Announce] GnuPG 2.0.1 released Message-ID: <877ixetl0e.fsf@wheatstone.g10code.de> Skipped content of type multipart/signed-------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From kabads at gmail.com Wed Nov 29 15:26:57 2006 From: kabads at gmail.com (Adam Cripps) Date: Wed Nov 29 15:59:21 2006 Subject: Logo ballot reminder In-Reply-To: <8764d6b4zk.fsf@wheatstone.g10code.de> References: <8764d6b4zk.fsf@wheatstone.g10code.de> Message-ID: On 11/23/06, Werner Koch wrote: > Hi, > As of now only 151 out of 1230 casted their vote. > > Hurry, the deadline is next Thursday. > > > Salam-Shalom, > > Werner > I don't seem to have received the URL either - please can you forward it? Adam From benjamin at py-soft.co.uk Wed Nov 29 16:07:24 2006 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Wed Nov 29 16:05:53 2006 Subject: Smart Card Use with GnuPG In-Reply-To: <456D64A7.3030609@e-ignite.co.uk> References: <456D64A7.3030609@e-ignite.co.uk> Message-ID: <456DA22C.1060609@py-soft.co.uk> Adam Gould wrote: > I was looking into Smart Cards for use with GnuPG email encryption (I'm > running Windows XP with Thunderbird and Enigmail) and found that the > OpenPGP Smart Card from g10code only supports 1024 bit RSA keys. The gnupg-pkcs11[1] patches /may/ do what you want; it enables the use of PKCS#11 tokens with gnupg. But I haven't haven't had chance to look into it in detail yet. Also, I am in the process of starting an "open openpgp" implementation and one of the goals is to support 4096 bit RSA. See [2] to join the mailing list and read the archives. Ben [1] http://gnupg-pkcs11.sourceforge.net/ [2] http://www.py-soft.co.uk/mailman/listinfo/open-openpgp-card From johanw at vulcan.xs4all.nl Wed Nov 29 16:18:10 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed Nov 29 16:26:41 2006 Subject: [Announce] GnuPG 2.0.1 released In-Reply-To: <877ixetl0e.fsf@wheatstone.g10code.de> Message-ID: <200611291518.kATFIAuZ005176@vulcan.xs4all.nl> Werner Koch wrote: >This is maintenance release to fix build problems found after the >release of 2.0.0 and to fix a buffer overflow in gpg2 Will there come a 1.4.6 too? -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From brunij at earthlink.net Wed Nov 29 16:29:13 2006 From: brunij at earthlink.net (Joseph Oreste Bruni) Date: Wed Nov 29 16:28:02 2006 Subject: [Announce] GnuPG 2.0.1 released In-Reply-To: <877ixetl0e.fsf@wheatstone.g10code.de> References: <877ixetl0e.fsf@wheatstone.g10code.de> Message-ID: Hi Werner, Do the build-problem fixes in 2.0.1 include OS X/Darwin? Or, should I wait for a future release? Joe On Nov 29, 2006, at 6:55 AM, Werner Koch wrote: > Hello! > > We are pleased to announce the availability of a new stable GnuPG-2 > release: Version 2.0.1 > > This is maintenance release to fix build problems found after the > release of 2.0.0 and to fix a buffer overflow in gpg2 > > The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication > and data storage. It can be used to encrypt data, create digital > signatures, help authenticating using Secure Shell and to provide a > framework for public key cryptography. It includes an advanced key > management facility and is compliant with the OpenPGP and S/MIME > standards. > > GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.5) in that > it splits up functionality into several modules. However, both > versions may be installed alongside without any conflict. In fact, > the gpg version from GnuPG-1 is able to make use of the gpg-agent as > included in GnuPG-2 and allows for seamless passphrase caching. The > advantage of GnuPG-1 is its smaller size and the lack of dependency on > other modules at run and build time. We will keep maintaining GnuPG-1 > versions because they are very useful for small systems and for server > based applications requiring only OpenPGP support. > > GnuPG is distributed under the terms of the GNU General Public License > (GPL). GnuPG-2 works best on GNU/Linux or *BSD systems. A port > Windows is planned but work has not yet started. > > > Getting the Software > ==================== > > Please follow the instructions found at http://www.gnupg.org/download/ > or read on: > > GnuPG 2.0.1 may be downloaded from one of the GnuPG mirror sites or > direct from ftp://ftp.gnupg.org/gcrypt/ . The list of mirrors can be > found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not > available at ftp.gnu.org. > > On the mirrors you should find the following files in the *gnupg* > directory: > > gnupg-2.0.1.tar.bz2 (3.8Mk) > gnupg-2.0.1.tar.bz2.sig > > GnuPG source compressed using BZIP2 and OpenPGP signature. > > gnupg-2.0.0-2.0.1.diff.bz2 (220k) > > A patch file to upgrade a 2.0.0 GnuPG source. This is only that > large arge due to an update of the included gettext module. > > Note, that we don't distribute gzip compressed tarballs. > > > Checking the Integrity > ====================== > > In order to check that the version of GnuPG which you are going to > install is an original and unmodified one, you can do it in one of > the following ways: > > * If you already have a trusted version of GnuPG installed, you > can simply check the supplied signature. For example to check the > signature of the file gnupg-2.0.1.tar.bz2 you would use this > command: > > gpg --verify gnupg-2.0.1.tar.bz2.sig > > This checks whether the signature file matches the source file. > You should see a message indicating that the signature is good and > made by that signing key. Make sure that you have the right key, > either by checking the fingerprint of that key with other sources > or by checking that the key has been signed by a trustworthy other > key. Note, that you can retrieve the signing key using the command > > finger wk ,at' g10code.com > > or using a keyserver like > > gpg --recv-key 1CE0C630 > > The distribution key 1CE0C630 is signed by the well known key > 5B0358A2. If you get an key expired message, you should retrieve a > fresh copy as the expiration date might have been prolonged. > > NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE > INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION! > > * If you are not able to use an old version of GnuPG, you have to > verify > the SHA-1 checksum. Assuming you downloaded the file > gnupg-2.0.1.tar.bz2, you would run the sha1sum command like this: > > sha1sum gnupg-2.0.1.tar.bz2 > > and check that the output matches the first line from the > following list: > > ec84ffb1d2ac013dc0afb5bdf8b9df2c838673e9 gnupg-2.0.1.tar.bz2 > c6cca309b12700503bb4c671491ebf7a4cd6f1be gnupg-2.0.0-2.0.1.diff.bz2 > > > What's New > =========== > > * Experimental support for the PIN pads of the SPR 532 and the Kaan > Advanced card readers. Add "disable-keypad" scdaemon.conf if you > don't want it. Does currently only work for the OpenPGP card and > its authentication and decrypt keys. > > * Fixed build problems on some some platforms and crashes on amd64. > > * Fixed a buffer overflow in gpg2. [bug#728] > > > Internationalization > ==================== > > GnuPG comes with support for 27 languages. Due to a lot of new and > changed strings most translations are not entirely complete. However > the Turkish, German and Russian translators have meanwhile finished > their translations. Updates of the other translations are expected > for the next releases. > > > Documentation > ============= > > We are currently working on an installation guide to explain in more > detail how to configure the new features. As of now the chapters on > gpg-agent and gpgsm include brief information on how to set up the > whole thing. Please watch the GnuPG website for updates of the > documentation. In the meantime you may search the GnuPG mailing list > archives or ask on the gnupg-users mailing lists for advise on how to > solve problems. Many of the new features are around for several years > and thus enough public knowledge is already available. > > > Support > ======= > > Improving GnuPG is costly, but you can help! We are looking for > organizations that find GnuPG useful and wish to contribute back. You > can contribute by reporting bugs, improve the software, or by donating > money. > > Commercial support contracts for GnuPG are available, and they help > finance continued maintenance. g10 Code GmbH, a Duesseldorf based > company owned and headed by GnuPG's principal author, is currently > funding GnuPG development. We are always looking for interesting > development projects. > > A service directory is available at: > > http://www.gnupg.org/service.html > > > Thanks > ====== > > We have to thank all the people who helped with this release, be it > testing, coding, translating, suggesting, auditing, administering the > servers, spreading the word or answering questions on the mailing > lists. > > > Happy Hacking, > > The GnuPG Team (David, Werner and all other contributors) > > > -- > Werner Koch > The GnuPG Experts http://g10code.com > Join the Fellowship and protect your Freedom! http://www.fsfe.org > _______________________________________________ > Gnupg-announce mailing list > Gnupg-announce@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-announce > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From wk at gnupg.org Wed Nov 29 16:49:54 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Nov 29 16:51:40 2006 Subject: GnuPG 2.0 compilation fails with "undefined reference to gpg_err_code_from_syserror" In-Reply-To: <456D94C1.9010200@seichter.de> (Ralph Seichter's message of "Wed\, 29 Nov 2006 15\:10\:09 +0100") References: <456C5F1D.7090704@seichter.de> <87mz6bbcjy.fsf@wheatstone.g10code.de> <456CA61E.4030100@seichter.de> <87r6vmv8yc.fsf@wheatstone.g10code.de> <456D94C1.9010200@seichter.de> Message-ID: <87hcwiqml9.fsf@wheatstone.g10code.de> On Wed, 29 Nov 2006 15:10, gnupg-ml@seichter.de said: > I'll attach a small patch for the "configure" script of GnuPG 2.0.1 > which works for me. But only for you. As soon as --ldflags returns a non-standard directory it won't work. Shalom-Salam, Werner From bahamut at madhatt.com Wed Nov 29 16:40:06 2006 From: bahamut at madhatt.com (Andrew Berg) Date: Wed Nov 29 17:54:32 2006 Subject: [Announce] GnuPG 2.0.1 released In-Reply-To: <200611291518.kATFIAuZ005176@vulcan.xs4all.nl> References: <200611291518.kATFIAuZ005176@vulcan.xs4all.nl> Message-ID: <456DA9D6.2070701@madhatt.com> Johan Wevers wrote: > Werner Koch wrote: > > >> This is maintenance release to fix build problems found after the >> release of 2.0.0 and to fix a buffer overflow in gpg2 >> > > Will there come a 1.4.6 too? > > Yes. I don't remember if this was asked, but will 1.4.6 have a Win32 build? -- /\_/\ /\_/\ /\_/\ ( o.o ) ( o.o ) ( o.o ) > ^ < > ^ < > ^ < Don't make me send my ASCII kitten minions. Key ID: 0x9C6CC3A3 Fingerprint: 5474 04A6 2BAC 7138 204A D61B 4246 59CB 9C6C C3A3 (Portable) Thunderbird 1.5.0.7 w/ Enigmail 0.94.1.1 and GnuPG 1.4.5 Windows XP SP2 Home Edition Every time you send private information unencrypted, a kitten cries. So won't you please, please, think of the kittens? From msemtd at yahoo.co.uk Wed Nov 29 15:35:46 2006 From: msemtd at yahoo.co.uk (Michael Erskine) Date: Wed Nov 29 17:56:17 2006 Subject: Importing my keys fails Message-ID: <200611291435.47134.msemtd@yahoo.co.uk> Hi all, I have a pair of existing keys that I've used for ssh over the past few years and I'd like to use them with gnupg and gpg-enabled mailers etc. but they won't import for some reason: - michael@fs1:~/.ssh$ gpg --import id_dsa gpg: no valid OpenPGP data found. gpg: Total number processed: 0 My private key looks like this... -----BEGIN DSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,A953971238701254 -----END DSA PRIVATE KEY----- ...and my public key is a single line beginning "ssh-dss ". Neither of them will import so I'm assuming they're either incompatible with my openpgp or I need to cast some magic to get them to work. Here's my version... michael@fs1:~/.ssh$ gpg --version gpg (GnuPG) 1.4.3 Copyright (C) 2006 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cypher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512 Compression: Uncompressed, ZIP, ZLIB, BZIP2 Any ideas? Regards, Michael Erskine. -- A right is not what someone gives you; it's what no one can take from you. -- Ramsey Clark ___________________________________________________________ Try the all-new Yahoo! Mail. "The New Version is radically easier to use" – The Wall Street Journal http://uk.docs.yahoo.com/nowyoucan.html From benjamin at py-soft.co.uk Wed Nov 29 18:08:55 2006 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Wed Nov 29 18:07:55 2006 Subject: [Announce] GnuPG 2.0.1 released In-Reply-To: References: <877ixetl0e.fsf@wheatstone.g10code.de> Message-ID: <456DBEA7.2090202@py-soft.co.uk> Joseph Oreste Bruni wrote: > Do the build-problem fixes in 2.0.1 include OS X/Darwin? Or, should I > wait for a future release? What problems are you having? Ben From brunij at earthlink.net Wed Nov 29 18:10:49 2006 From: brunij at earthlink.net (Joseph Oreste Bruni) Date: Wed Nov 29 18:09:48 2006 Subject: Logo ballot reminder In-Reply-To: References: <8764d6b4zk.fsf@wheatstone.g10code.de> Message-ID: <6DFB28AC-3B5D-4D90-A95E-5B4792441080@earthlink.net> On Nov 29, 2006, at 7:26 AM, Adam Cripps wrote: > On 11/23/06, Werner Koch wrote: >> Hi, > >> As of now only 151 out of 1230 casted their vote. >> >> Hurry, the deadline is next Thursday. >> >> >> Salam-Shalom, >> >> Werner >> > I don't seem to have received the URL either - please can you > forward it? > > Adam > Werner, your original ballot announcement ended up in my "Junk" box accidentally by my filter. I only noticed it after a rare venture to look to see what was there. Perhaps the HTML email is setting off people's filters? Joe -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2508 bytes Desc: not available Url : /pipermail/attachments/20061129/33f2a10b/smime.bin From wk at gnupg.org Wed Nov 29 18:13:45 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Nov 29 18:16:56 2006 Subject: [Announce] GnuPG 2.0.1 released In-Reply-To: <456DA9D6.2070701@madhatt.com> (Andrew Berg's message of "Wed\, 29 Nov 2006 09\:40\:06 -0600") References: <200611291518.kATFIAuZ005176@vulcan.xs4all.nl> <456DA9D6.2070701@madhatt.com> Message-ID: <8764cyp452.fsf@wheatstone.g10code.de> On Wed, 29 Nov 2006 16:40, bahamut@madhatt.com said: > I don't remember if this was asked, but will 1.4.6 have a Win32 build? Yes. Salam-Shalom, Werner From wk at gnupg.org Wed Nov 29 18:26:38 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Nov 29 18:31:57 2006 Subject: [Announce] GnuPG 2.0.1 released In-Reply-To: <456DBEA7.2090202@py-soft.co.uk> (Benjamin Donnachie's message of "Wed\, 29 Nov 2006 17\:08\:55 +0000") References: <877ixetl0e.fsf@wheatstone.g10code.de> <456DBEA7.2090202@py-soft.co.uk> Message-ID: <87vekynoz5.fsf@wheatstone.g10code.de> On Wed, 29 Nov 2006 18:08, benjamin@py-soft.co.uk said: > What problems are you having? libksba does not build out of the box. This is a problem with gnulib and ar. I might need to update gnulib in libksba - then I can check further. FWIW, I am using this box for the tests: Darwin ppc-osx3.cf.sourceforge.net 6.8 Darwin Kernel Version 6.8: Wed Sep 10 15:20:55 PDT 2003; root:xnu/xnu-344.49.obj~2/RELEASE_PPC Power Macintosh powerpc Shalom-Salam, Werner From wk at gnupg.org Wed Nov 29 18:33:50 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Nov 29 18:37:14 2006 Subject: Logo ballot reminder In-Reply-To: <6DFB28AC-3B5D-4D90-A95E-5B4792441080@earthlink.net> (Joseph Oreste Bruni's message of "Wed\, 29 Nov 2006 10\:10\:49 -0700") References: <8764d6b4zk.fsf@wheatstone.g10code.de> <6DFB28AC-3B5D-4D90-A95E-5B4792441080@earthlink.net> Message-ID: <87r6vmnon5.fsf@wheatstone.g10code.de> On Wed, 29 Nov 2006 18:10, brunij@earthlink.net said: > Werner, your original ballot announcement ended up in my "Junk" box > accidentally by my filter. I only noticed it after a rare venture to > look to see what was there. Perhaps the HTML email is setting off > people's filters? Probably. Frankly, I learned it only after starting that poll and then it was too late. Anway, setting up my own election service for this one-time event and send proper mails (i.e. text/plain) does not seem to be justified. Maybe someone can come up with a patch to the CIVS software to add an option for sending non-HTML mails. It would be nice feature for other projects too. Salam-Shalom, Werner From wk at gnupg.org Wed Nov 29 15:12:56 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Nov 29 18:42:16 2006 Subject: [Announce] Dirmngr 1.0.0 released Message-ID: <87u00is5nb.fsf@wheatstone.g10code.de> Skipped content of type multipart/signed-------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From benjamin at py-soft.co.uk Wed Nov 29 18:47:02 2006 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Wed Nov 29 18:45:45 2006 Subject: [Announce] GnuPG 2.0.1 released In-Reply-To: <87vekynoz5.fsf@wheatstone.g10code.de> References: <877ixetl0e.fsf@wheatstone.g10code.de> <456DBEA7.2090202@py-soft.co.uk> <87vekynoz5.fsf@wheatstone.g10code.de> Message-ID: <456DC796.7050009@py-soft.co.uk> Werner Koch wrote: > libksba does not build out of the box. This is a problem with gnulib > and ar. I might need to update gnulib in libksba - then I can check > further. FWIW, I am using this box for the tests: I haven't tested it fully with the new version, but the following was in the darwin ports and worked well previously: edit gl/Makefile.in Change the line "am_libgnu_la_OBJECTS =" to "am_libgnu_la_OBJECTS = alloca.lo" Then ./configure, make etc. Ben From brunij at earthlink.net Wed Nov 29 18:40:26 2006 From: brunij at earthlink.net (Joseph Oreste Bruni) Date: Wed Nov 29 18:48:18 2006 Subject: [Announce] GnuPG 2.0.1 released In-Reply-To: <456DBEA7.2090202@py-soft.co.uk> References: <877ixetl0e.fsf@wheatstone.g10code.de> <456DBEA7.2090202@py-soft.co.uk> Message-ID: <7F2AAB6C-CE41-4C57-B988-183C36763313@earthlink.net> On Nov 29, 2006, at 10:08 AM, Benjamin Donnachie wrote: > Joseph Oreste Bruni wrote: >> Do the build-problem fixes in 2.0.1 include OS X/Darwin? Or, should I >> wait for a future release? > > What problems are you having? > > Ben Two, actually. libgpg-error will not build unless I disable NLS. After that, libksba won't build at all. I'm using 10.4.8 on an intel iMac. Darwin lethe 8.8.1 Darwin Kernel Version 8.8.1: Mon Sep 25 19:42:00 PDT 2006; root:xnu-792.13.8.obj~1/RELEASE_I386 i386 i386 -Joe -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2508 bytes Desc: not available Url : /pipermail/attachments/20061129/afe3241a/smime.bin From bahamut at madhatt.com Wed Nov 29 18:52:29 2006 From: bahamut at madhatt.com (Andrew Berg) Date: Wed Nov 29 18:50:58 2006 Subject: Logo ballot reminder In-Reply-To: <6DFB28AC-3B5D-4D90-A95E-5B4792441080@earthlink.net> References: <8764d6b4zk.fsf@wheatstone.g10code.de> <6DFB28AC-3B5D-4D90-A95E-5B4792441080@earthlink.net> Message-ID: <456DC8DD.8010704@madhatt.com> Joseph Oreste Bruni wrote: > Werner, your original ballot announcement ended up in my "Junk" box > accidentally by my filter. I only noticed it after a rare venture to > look to see what was there. Perhaps the HTML email is setting off > people's filters? I don't think HTML was why, it could be because of the number of links. Were there a lot? (it arrived before I subscribed to the list) Doesn't really matter,though. Just add gnupg-users-bounces@gnupg.org and gnupg-announce-bounces@gnupg.org to your address book. -- /\_/\ /\_/\ /\_/\ ( o.o ) ( o.o ) ( o.o ) > ^ < > ^ < > ^ < Don't make me send my ASCII kitten minions. Key ID: 0x9C6CC3A3 Fingerprint: 5474 04A6 2BAC 7138 204A D61B 4246 59CB 9C6C C3A3 (Portable) Thunderbird 1.5.0.7 w/ Enigmail 0.94.1.1 and GnuPG 1.4.5 Windows XP SP2 Home Edition Every time you send private information unencrypted, a kitten cries. So won't you please, please, think of the kittens? From benjamin at py-soft.co.uk Wed Nov 29 19:15:16 2006 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Wed Nov 29 19:09:10 2006 Subject: [Announce] GnuPG 2.0.1 released In-Reply-To: <456DC796.7050009@py-soft.co.uk> References: <877ixetl0e.fsf@wheatstone.g10code.de> <456DBEA7.2090202@py-soft.co.uk> <87vekynoz5.fsf@wheatstone.g10code.de> <456DC796.7050009@py-soft.co.uk> Message-ID: <456DCE34.3050506@py-soft.co.uk> Benjamin Donnachie wrote: > I haven't tested it fully with the new version, but the following was in > the darwin ports and worked well previously: When I get time, I will prepare a packaged up version for MacOS which will be available through the mac-gpg project. Ben From gnupg-ml at seichter.de Wed Nov 29 20:56:17 2006 From: gnupg-ml at seichter.de (Ralph Seichter) Date: Wed Nov 29 20:54:49 2006 Subject: GnuPG 2.0 compilation fails with "undefined reference to gpg_err_code_from_syserror" In-Reply-To: <87hcwiqml9.fsf@wheatstone.g10code.de> References: <456C5F1D.7090704@seichter.de> <87mz6bbcjy.fsf@wheatstone.g10code.de> <456CA61E.4030100@seichter.de> <87r6vmv8yc.fsf@wheatstone.g10code.de> <456D94C1.9010200@seichter.de> <87hcwiqml9.fsf@wheatstone.g10code.de> Message-ID: <456DE5E1.8010003@seichter.de> Werner Koch wrote: > As soon as --ldflags returns a non-standard directory it won't work. Indeed, it is a crude, temporary workaround. I'm looking forward to your solution for upcoming builds. ;-) -- Mit freundlichen Gr??en / Sincerely Dipl. Inform. Ralph Seichter From brunij at earthlink.net Wed Nov 29 22:33:37 2006 From: brunij at earthlink.net (Joseph Bruni) Date: Wed Nov 29 22:31:57 2006 Subject: Importing my keys fails Message-ID: <26152351.1164836018568.JavaMail.root@elwamui-cypress.atl.sa.earthlink.net> An OpenSSH key is not an OpenPGP key. There are some efforts to use OpenPGP keys for SSH authentication, however. -----Original Message----- >From: Michael Erskine >Sent: Nov 29, 2006 7:35 AM >To: gnupg-users@gnupg.org >Subject: Importing my keys fails > >Hi all, > >I have a pair of existing keys that I've used for ssh over the past few years >and I'd like to use them with gnupg and gpg-enabled mailers etc. but they >won't import for some reason: - > >michael@fs1:~/.ssh$ gpg --import id_dsa >gpg: no valid OpenPGP data found. >gpg: Total number processed: 0 > >My private key looks like this... > >-----BEGIN DSA PRIVATE KEY----- >Proc-Type: 4,ENCRYPTED >DEK-Info: DES-EDE3-CBC,A953971238701254 > > > >-----END DSA PRIVATE KEY----- > >...and my public key is a single line beginning "ssh-dss ". Neither of them >will import so I'm assuming they're either incompatible with my openpgp or I >need to cast some magic to get them to work. Here's my version... > >michael@fs1:~/.ssh$ gpg --version >gpg (GnuPG) 1.4.3 >Copyright (C) 2006 Free Software Foundation, Inc. >This program comes with ABSOLUTELY NO WARRANTY. >This is free software, and you are welcome to redistribute it >under certain conditions. See the file COPYING for details. > >Home: ~/.gnupg >Supported algorithms: >Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA >Cypher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH >Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512 >Compression: Uncompressed, ZIP, ZLIB, BZIP2 > >Any ideas? > >Regards, >Michael Erskine. > > >-- >A right is not what someone gives you; it's what no one can take from you. > -- Ramsey Clark > > > >___________________________________________________________ >Try the all-new Yahoo! Mail. "The New Version is radically easier to use" – The Wall Street Journal >http://uk.docs.yahoo.com/nowyoucan.html > > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users From alon.barlev at gmail.com Wed Nov 29 22:18:23 2006 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Wed Nov 29 23:57:01 2006 Subject: Smart Card Use with GnuPG In-Reply-To: <456DA22C.1060609@py-soft.co.uk> References: <456D64A7.3030609@e-ignite.co.uk> <456DA22C.1060609@py-soft.co.uk> Message-ID: <200611292318.23573.alon.barlev@gmail.com> On Wednesday 29 November 2006 17:07, Benjamin Donnachie wrote: > Adam Gould wrote: > > I was looking into Smart Cards for use with GnuPG email > > encryption (I'm running Windows XP with Thunderbird and Enigmail) > > and found that the OpenPGP Smart Card from g10code only supports > > 1024 bit RSA keys. > > The gnupg-pkcs11[1] patches /may/ do what you want; it enables the > use of PKCS#11 tokens with gnupg. But I haven't haven't had chance > to look into it in detail yet. The gnupg-pkcs11 is a standalone scdaemon and not patch, but it works only with gpgsm, so it won't solve the problem. I've tried to make it work with gpg, but I had no success... It seems that it looks for specific card type? I didn't invest a lot of time in this, and we did not want to patch gpg code. Best Regards, Alon Bar-Lev. From dshaw at jabberwocky.com Thu Nov 30 04:21:43 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Nov 30 04:20:11 2006 Subject: [Announce] First release candidate for 1.4.6 available Message-ID: <20061130032143.GA6518@jabberwocky.com> We are pleased to announce the availability of the first release candidate for the forthcoming 1.4.6 version of GnuPG: ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.6rc1.tar.bz2 (3.0M) ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.6rc1.tar.bz2.sig SHA-1 checksums for the above files are: c7fe6551350866af8509c3ba0666d1e69a1668cd gnupg-1.4.6rc1.tar.bz2 9a35c9b9a9544dd0b5afd91c6595655dca2c0b9c gnupg-1.4.6rc1.tar.bz2.sig Note that this is only a release candidate, and as such is not intended for use on production systems. If you are inclined to help test, however, we would appreciate you trying this new version and reporting any problems. Noteworthy changes since 1.4.5: * Fixed a bug while decrypting certain compressed and encrypted messages. [bug#537] * Fixed a buffer overflow in gpg. [bug#728] * Added --s2k-count to set the number of times passphrase mangling is repeated. The default is 65536 times. * Added a GPL license exception to the keyserver helper programs gpgkeys_ldap, gpgkeys_curl, and gpgkeys_hkp, to clarify any potential questions about the ability to distribute binaries that link to the OpenSSL library. GnuPG does not link directly to OpenSSL, but libcurl (used for HKP, HTTP, and FTP) and OpenLDAP (used for LDAP) may. Note that this license exception is considered a bug fix and is intended to forgive any violations pertaining to this issue, including those that may have occurred in the past. Happy Hacking, David, Timo, Werner -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available Url : /pipermail/attachments/20061129/e4b20e35/attachment-0001.pgp From shavital at mac.com Thu Nov 30 08:36:09 2006 From: shavital at mac.com (Charly Avital) Date: Thu Nov 30 08:34:21 2006 Subject: [Announce] First release candidate for 1.4.6 available In-Reply-To: <20061130032143.GA6518@jabberwocky.com> References: <20061130032143.GA6518@jabberwocky.com> Message-ID: <456E89E9.1080300@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw wrote the following on 11/29/06 10:21 PM: > We are pleased to announce the availability of the first release > candidate for the forthcoming 1.4.6 version of GnuPG: > > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.6rc1.tar.bz2 (3.0M) > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.6rc1.tar.bz2.sig > > SHA-1 checksums for the above files are: > > c7fe6551350866af8509c3ba0666d1e69a1668cd gnupg-1.4.6rc1.tar.bz2 > 9a35c9b9a9544dd0b5afd91c6595655dca2c0b9c gnupg-1.4.6rc1.tar.bz2.sig > > Note that this is only a release candidate, and as such is not > intended for use on production systems. If you are inclined to help > test, however, we would appreciate you trying this new version and > reporting any problems. > > Noteworthy changes since 1.4.5: > > * Fixed a bug while decrypting certain compressed and encrypted > messages. [bug#537] > > * Fixed a buffer overflow in gpg. [bug#728] > > * Added --s2k-count to set the number of times passphrase mangling > is repeated. The default is 65536 times. > > * Added a GPL license exception to the keyserver helper programs > gpgkeys_ldap, gpgkeys_curl, and gpgkeys_hkp, to clarify any > potential questions about the ability to distribute binaries > that link to the OpenSSL library. GnuPG does not link directly > to OpenSSL, but libcurl (used for HKP, HTTP, and FTP) and > OpenLDAP (used for LDAP) may. Note that this license exception > is considered a bug fix and is intended to forgive any > violations pertaining to this issue, including those that may > have occurred in the past. > > Happy Hacking, > > David, Timo, Werner Compiled from source with idea.c added to 'cipher'. Version info: gnupg 1.4.6rc1 Configured for: Darwin (powerpc-apple-darwin8.8.0) Seems to be working fine. Thank you David, Timo and Werner. Charly KeyOnCard at: -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6rc1 (Darwin) Comment: GnuPG for Privacy Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQCVAwUBRW6JriRJoUyU/RYhAQKZEgQAmYMJ+wNlFM914uxutPAqT/5+FPARwyUY Nz2irqq+VATQv9BgVQZSqYjdtlASg/uTCGFT/m4PgMZuoUcisjn1WBYzo7C3CZip Trddo4Etv+yCV+VMOz7smyY4wmNW/Q/ETaEWGMRiRVg50ecTVL7y8SKWA75+w/Bq 74oDfJaVgRU= =PqrU -----END PGP SIGNATURE----- From wk at gnupg.org Thu Nov 30 08:49:57 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Nov 30 08:51:37 2006 Subject: [Announce] GnuPG 2.0.1 released In-Reply-To: <456DC796.7050009@py-soft.co.uk> (Benjamin Donnachie's message of "Wed\, 29 Nov 2006 17\:47\:02 +0000") References: <877ixetl0e.fsf@wheatstone.g10code.de> <456DBEA7.2090202@py-soft.co.uk> <87vekynoz5.fsf@wheatstone.g10code.de> <456DC796.7050009@py-soft.co.uk> Message-ID: <87u00hml0a.fsf@wheatstone.g10code.de> On Wed, 29 Nov 2006 18:47, benjamin@py-soft.co.uk said: > edit gl/Makefile.in > > Change the line "am_libgnu_la_OBJECTS =" to "am_libgnu_la_OBJECTS = > alloca.lo" I have found a more portable way to do it. Ii is in libksba 1.0.1. The problem is that ar(1) does not like "ar cru foo.a" to simply create an empty library foo.a. Now, we won't need alloca on OS X and thus the configure stuff creates a Makefile with no modules and thus ar is called without any object modules by litool. Addin a dummy object helps. Shalom-Salam, Werner From wk at gnupg.org Thu Nov 30 08:52:40 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Nov 30 08:56:39 2006 Subject: [Announce] GnuPG 2.0.1 released In-Reply-To: <7F2AAB6C-CE41-4C57-B988-183C36763313@earthlink.net> (Joseph Oreste Bruni's message of "Wed\, 29 Nov 2006 10\:40\:26 -0700") References: <877ixetl0e.fsf@wheatstone.g10code.de> <456DBEA7.2090202@py-soft.co.uk> <7F2AAB6C-CE41-4C57-B988-183C36763313@earthlink.net> Message-ID: <87psb5mkvr.fsf@wheatstone.g10code.de> On Wed, 29 Nov 2006 18:40, brunij@earthlink.net said: > Two, actually. libgpg-error will not build unless I disable NLS. After > that, libksba won't build at all. Yes, know. I have disabled NLS for my builds. TO solve this problem I will remove all included gettext implementations (intl/) for all libraries and require that the system comes with suitable gettext installation. gettext should by now available on most platforms and thus including it with each package is not anymore needed. Salam-Shalom, Werner From msemtd at yahoo.co.uk Thu Nov 30 12:52:32 2006 From: msemtd at yahoo.co.uk (Michael Erskine) Date: Thu Nov 30 12:51:08 2006 Subject: Importing my keys fails In-Reply-To: <26152351.1164836018568.JavaMail.root@elwamui-cypress.atl.sa.earthlink.net> References: <26152351.1164836018568.JavaMail.root@elwamui-cypress.atl.sa.earthlink.net> Message-ID: <200611301152.34032.msemtd@yahoo.co.uk> On Wednesday 29 November 2006 21:33, Joseph Bruni wrote: > An OpenSSH key is not an OpenPGP key. There are some efforts to use OpenPGP > keys for SSH authentication, however. Can they be somehow integrated or will I always need two (or more) sets of keys? Are the keys used by OpenSSH in themselves somehow less secure or is there something in their nature that means they can never be used by OpenPGP? My limited understanding was that symetric keys were just a pair of fancy numbers! :) Regards, Michael Erskine. -- I have seen the future and it is just like the present, only longer. -- Kehlog Albran, "The Profit" Send instant messages to your online friends http://uk.messenger.yahoo.com From alphasigmax at gmail.com Thu Nov 30 13:13:06 2006 From: alphasigmax at gmail.com (Alphax) Date: Thu Nov 30 13:12:38 2006 Subject: Importing my keys fails In-Reply-To: <200611301152.34032.msemtd@yahoo.co.uk> References: <26152351.1164836018568.JavaMail.root@elwamui-cypress.atl.sa.earthlink.net> <200611301152.34032.msemtd@yahoo.co.uk> Message-ID: <456ECAD2.40508@gmail.com> Michael Erskine wrote: > On Wednesday 29 November 2006 21:33, Joseph Bruni wrote: >> An OpenSSH key is not an OpenPGP key. There are some efforts to use OpenPGP >> keys for SSH authentication, however. > > Can they be somehow integrated or will I always need two (or more) sets of > keys? Are the keys used by OpenSSH in themselves somehow less secure or is > there something in their nature that means they can never be used by OpenPGP? > My limited understanding was that symetric keys were just a pair of fancy > numbers! :) > Since I can't be bothered explaining, here are some links that will do it for me: http://en.wikipedia.org/wiki/Public-key_cryptography http://www.gnupg.org/gph/en/manual.html http://sixdemonbag.org/cryptofaq.html -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 569 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20061130/77291394/signature.pgp From msemtd at yahoo.co.uk Thu Nov 30 14:23:39 2006 From: msemtd at yahoo.co.uk (Michael Erskine) Date: Thu Nov 30 14:22:25 2006 Subject: Importing my keys fails In-Reply-To: <200611301152.34032.msemtd@yahoo.co.uk> References: <26152351.1164836018568.JavaMail.root@elwamui-cypress.atl.sa.earthlink.net> <200611301152.34032.msemtd@yahoo.co.uk> Message-ID: <200611301323.39754.msemtd@yahoo.co.uk> On Thursday 30 November 2006 11:52, Michael Erskine wrote: > On Wednesday 29 November 2006 21:33, Joseph Bruni wrote: > > An OpenSSH key is not an OpenPGP key. There are some efforts to use > > OpenPGP keys for SSH authentication, however. Hmm, yes I found a reference to this actually being implemented in http://www.ssh.com/support/documentation/online/ssh/adminguide/32/Public-Key_Authentication-2.html but that may not be a truly Free Software implementation. Now for the flipside! > Can they be somehow integrated or will I always need two (or more) sets of > keys? Are the keys used by OpenSSH in themselves somehow less secure or is > there something in their nature that means they can never be used by > OpenPGP? Still googling away! > My limited understanding was that symetric keys were just a pair > of fancy numbers! :) Sorry, I meant asymmetric keys of course :) Regards, Michael Erskine. -- Nobody can be exactly like me. Sometimes even I have trouble doing it. -- Tallulah Bankhead ___________________________________________________________ All new Yahoo! Mail "The new Interface is stunning in its simplicity and ease of use." - PC Magazine http://uk.docs.yahoo.com/nowyoucan.html From wk at gnupg.org Thu Nov 30 14:20:33 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Nov 30 14:26:43 2006 Subject: Importing my keys fails In-Reply-To: <200611301152.34032.msemtd@yahoo.co.uk> (Michael Erskine's message of "Thu\, 30 Nov 2006 11\:52\:32 +0000") References: <26152351.1164836018568.JavaMail.root@elwamui-cypress.atl.sa.earthlink.net> <200611301152.34032.msemtd@yahoo.co.uk> Message-ID: <87ac29jcke.fsf@wheatstone.g10code.de> On Thu, 30 Nov 2006 12:52, msemtd@yahoo.co.uk said: > Can they be somehow integrated or will I always need two (or more) sets of > keys? Are the keys used by OpenSSH in themselves somehow less secure or is > there something in their nature that means they can never be used by OpenPGP? It is all about protocols. A diesel locomotive and a truck are similar from their engine and use. But a truck won't be able to drive on rails and vice versa. See also the hints Alphax gave. Shalom-Salam, Werner From hhhobbit at securemecca.net Thu Nov 30 17:41:18 2006 From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Thu Nov 30 17:39:39 2006 Subject: Logo ballot reminder (Andrew Berg) In-Reply-To: <0MKqdz-1GpcWW0eWG-0002bm@mx.perfora.net> References: <0MKqdz-1GpcWW0eWG-0002bm@mx.perfora.net> Message-ID: <1164904879.10342.30.camel@sirius.brigham.net> On Wed, 2006-11-29 at 11:52 -0600, Andrew Berg wrote: > Joseph Oreste Bruni wrote: > > Werner, your original ballot announcement ended up in my "Junk" box > > accidentally by my filter. I only noticed it after a rare venture to > > look to see what was there. Perhaps the HTML email is setting off > > people's filters? > I don't think HTML was why, it could be because of the number of links. > Were there a lot? (it arrived before I subscribed to the list) > Doesn't really matter,though. Just add gnupg-users-bounces@gnupg.org and > gnupg-announce-bounces@gnupg.org to your address book. Hello Chicago, Omaha, New Orleans. Sorry, but I have an EMPTY address book. It was interesting seeing that phish site suck down my address book on LINUX! If I had been thinking faster I would have moved the MUA folder (directory) some place else, created a new one with hundreds of bogus addresses and gone to the phish site over and over and over ... My addresses are safely contained in a GnuPG encrypted file. I let the cat out of the bag though. November 30 where? In Chicago? In New Orleans? In Pittsburgh? I strongly suggest which ever time zone it disappears from last on earth for the cut-off since you didn't specify which time zone. Hint: That is somewhere in the Pacific, not at Greenwich. Hey you didn't specify it was to be GMT, er, UTC time or any other time zone: http://article.gmane.org/gmane.comp.gnu.gnupg.users/11076 No, I don't need an email, and yes I will vote, but not by GMT time. It is 4:41 PM GMT or 5:41 PM Berlin time, but only 9:41 AM here. Hey you set yourselves up. I cite as legal precedent a decision by one of the judges that was on the circuit court system in the United States (Etas Unis). They had a rule that they could not be drinking while cases were at court (no, not in the court dummy, after work) unless it was raining. So he walked outside the inn and the sun was shining brightly with nary a cloud in sight. He walked back in and gave his summation. They all ordered drinks. His summation? It MUST be raining some place. They didn't say WHERE it had to be raining. Who was the judge? John Marshall. The precedent is now set but not binding (court was not in session). Here is a world time clock to help you know when we have ALL run out of November: http://www.timeanddate.com/worldclock/ Henry Hertz Hobbit From hhhobbit at securemecca.net Thu Nov 30 19:02:31 2006 From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Thu Nov 30 19:00:48 2006 Subject: Logo ballot reminder (HHH) In-Reply-To: <1164904879.10342.30.camel@sirius.brigham.net> References: <0MKqdz-1GpcWW0eWG-0002bm@mx.perfora.net> <1164904879.10342.30.camel@sirius.brigham.net> Message-ID: <1164909751.10342.67.camel@sirius.brigham.net> On Thu, 2006-11-30 at 09:41 -0700, Henry Hertz Hobbit wrote: > No, I don't need an email, and yes I will vote, but not by GMT time. > It is 4:41 PM GMT or 5:41 PM Berlin time, but only 9:41 AM here. > Hey you set yourselves up. I cite as legal precedent a decision by > one of the judges that was on the circuit court system in the United > States (Etas Unis). They had a rule that they could not be drinking > while cases were at court (no, not in the court dummy, after work) > unless it was raining. So he walked outside the inn and the sun was > shining brightly with nary a cloud in sight. He walked back in and > gave his summation. They all ordered drinks. His summation? It > MUST be raining some place. They didn't say WHERE it had to be > raining. Who was the judge? John Marshall. The precedent is now > set but not binding (court was not in session). Here is a world > time clock to help you know when we have ALL run out of November: > > http://www.timeanddate.com/worldclock/ > The "John Marshall" I am speaking of is THIS John Marshall: http://en.wikipedia.org/wiki/John_Marshall Be careful here. If you are a strictly Shabbat observing Jew and faithfully observe Shabbat every seventh day, starting from Israel and slowly travel westward going all the way around the globe and end your trip back where you started you will be observing Shabbat one day later than everybody else. If you go eastward, you will be observing Shabbat one day earlier than everybody else. If it wasn't for that line in the Pacific we would have a LOT of problems. It does make for some problems as you cross it because you sometimes have to change what day it is. If you cross it a lot you begin to use GMT time ALL the time instead (called Zulu time by some). The time to close the voting is 1 Dec. 2006, 12:00 GMT (noon). That will be 1 Dec. 2006, 07:00 AM at Carnegie Mellon. I am sitting here and being very "judicious" about looking VERY carefully at all of the submissions. That means this court IS in session and since I am judging all of the submissions that makes me a sitting judge in the performance of his duties. That means that this decision can now be cited as a precedent. Unfortunately, I am not the Chief Judge, nor do I know if I am in the minority. If I am in the minority, consider this a dissenting opinion. "Judge" Henry Hertz Hobbit From wk at gnupg.org Thu Nov 30 19:29:27 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Nov 30 19:31:42 2006 Subject: Logo ballot reminder (Andrew Berg) In-Reply-To: <1164904879.10342.30.camel@sirius.brigham.net> (Henry Hertz Hobbit's message of "Thu\, 30 Nov 2006 09\:41\:18 -0700") References: <0MKqdz-1GpcWW0eWG-0002bm@mx.perfora.net> <1164904879.10342.30.camel@sirius.brigham.net> Message-ID: <878xhsiy9k.fsf@wheatstone.g10code.de> On Thu, 30 Nov 2006 17:41, hhhobbit@securemecca.net said: [...] And the executive summary is? > not at Greenwich. Hey you didn't specify it was to be GMT, er, UTC > time or any other time zone: > > http://article.gmane.org/gmane.comp.gnu.gnupg.users/11076 Unless otherwise note UTC is used. However, I don't know whether CIVS uses local time. Anyway you will then have a couple of hours more. Salam-Shalom, Werner From reynt0 at cs.albany.edu Thu Nov 30 20:04:55 2006 From: reynt0 at cs.albany.edu (reynt0) Date: Thu Nov 30 22:25:05 2006 Subject: [Announce] GnuPG 2.0.1 released In-Reply-To: <456DCE34.3050506@py-soft.co.uk> References: <877ixetl0e.fsf@wheatstone.g10code.de> <456DBEA7.2090202@py-soft.co.uk> <87vekynoz5.fsf@wheatstone.g10code.de> <456DC796.7050009@py-soft.co.uk> <456DCE34.3050506@py-soft.co.uk> Message-ID: On Wed, 29 Nov 2006, Benjamin Donnachie wrote: . . . > When I get time, I will prepare a packaged up version for MacOS which > will be available through the mac-gpg project. May one ask, is there any chance there will be such a packaged version for OS10.3.x as well as for 10.4.x? Presently, the very helpful mac-gpg project has gnupg 1.4.5 only for OS10.4; for OS10.3 is provided only the less secure gnupg 1.4.1. The uncontrolled outgoing information flow required by the OS10.4 EULA makes using OS10.4 undesirable. I guess the same question applies to the gnupg 1.4.6 being worked on now. From andru at cs.cornell.edu Wed Nov 29 19:21:20 2006 From: andru at cs.cornell.edu (Andrew Myers) Date: Fri Dec 1 01:30:50 2006 Subject: Logo ballot reminder In-Reply-To: <87r6vmnon5.fsf@wheatstone.g10code.de> References: <8764d6b4zk.fsf@wheatstone.g10code.de> <6DFB28AC-3B5D-4D90-A95E-5B4792441080@earthlink.net> <87r6vmnon5.fsf@wheatstone.g10code.de> Message-ID: <456DCFA0.2040908@cs.cornell.edu> Hi all, CIVS originally sent text/plain emails. But it was useful to be able to embed links and to preserve election description formatting. The HTML it sends is pretty minimal -- I don't think it should set off reasonable spam filters. At least, I haven't heard this complaint before. Making HTML mail an option seems like a good idea, though there are already too many options for my taste. If someone wants to write that patch I'd be happy to include it. I hope the election system has been working well for everyone otherwise. Cheers, -- Andrew Werner Koch wrote: > On Wed, 29 Nov 2006 18:10, brunij@earthlink.net said: >> Werner, your original ballot announcement ended up in my "Junk" box >> accidentally by my filter. I only noticed it after a rare venture to >> look to see what was there. Perhaps the HTML email is setting off >> people's filters? >> > > Probably. Frankly, I learned it only after starting that poll and > then it was too late. Anway, setting up my own election service for > this one-time event and send proper mails (i.e. text/plain) does not > seem to be justified. > > Maybe someone can come up with a patch to the CIVS software to add an > option for sending non-HTML mails. It would be nice feature for other > projects too. > > > > Salam-Shalom, > > Werner -------------- next part -------------- A non-text attachment was scrubbed... Name: andru.vcf Type: text/x-vcard Size: 333 bytes Desc: not available Url : /pipermail/attachments/20061129/422c0b16/andru.vcf