From ged at solace.miun.se Wed Aug 1 16:06:38 2007 From: ged at solace.miun.se (Sten Lindgren) Date: Wed, 1 Aug 2007 16:06:38 +0200 (CEST) Subject: OpenPGP card on Javacard Message-ID: I have released a alpha test version of an applet implementing part of the OpenPGP card specification on Java card. It is avaible from sourceforge at http://sourceforge.net/projects/jopenpgpcard/. Feel free to test it but don't use it for production use since it is alpha. If you remove the applet from your card to update in the futureyou loose your keys, This implementation has only been tested on one brand of cards using Linux and gnupg. I does not support key sizes above 1536 bits. You may have to apply a patch to gnupg apdu.c implementing support for "SW_EXACT_LENGTH" in order to get it to work, the patch is in the release on sourceforge and attached to this mail. The patch is against GnuPG 1.4.7, no other version has been tested yet. Key import doesn't work, only on card key generation. Please read the README file before trying to use it. Most other parts of the specification should be implemented. Only some basic testing of key generation, signing and decryption has been done. Additional features as use of authentification key has not been tested. I you use authentification somewhere feel free to test and report if it works or not. Questions and bug reports should be sent to me. Some todo items that remains to be done: - Support for 2048 bit keys (This will most likely need ENVELOPE to be implemented both on card and in gnupg. 2048 bit acually work for key generation and signing but not for decryption due to need for more then 254 bytes of data to be sent to the card). - Key import. (This might not be possible to do in accordance with the OpenPGP card specification due to limitations in the Java Card API) - Automatic generation of random serial numbers for the card (when needed). - Testing on more cards. Sten Lindgren ged at solace.miun.se -------------- next part -------------- *** g10/apdu.c 2006-03-05 15:46:14.000000000 +0100 --- ../gnupg-1.4.7.patched/g10/apdu.c 2007-07-10 12:50:03.000000000 +0200 *************** *** 2640,2645 **** --- 2640,2660 ---- return rc? rc : SW_HOST_INCOMPLETE_CARD_RESPONSE; } sw = (result[resultlen-2] << 8) | result[resultlen-1]; + /* A small hack to fix support for cards sending back SW_EXACT_LENGTH */ + if ((sw & 0xff00) == SW_EXACT_LENGTH && (sw & 0x00ff) > 0) + { + resultlen = RESULTLEN; + apdu[apdulen - 1] = (sw & 0x00ff); + rc = send_apdu (slot, apdu, apdulen, result, &resultlen, pininfo); + if (rc || resultlen < 2) + { + log_error ("apdu_send_simple(%d) failed: %s\n", + slot, apdu_strerror (rc)); + unlock_slot (slot); + return rc? rc : SW_HOST_INCOMPLETE_CARD_RESPONSE; + } + sw = (result[resultlen-2] << 8) | result[resultlen-1]; + } /* store away the returned data but strip the statusword. */ resultlen -= 2; if (DBG_CARD_IO) From alon.barlev at gmail.com Wed Aug 1 17:41:57 2007 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Wed, 1 Aug 2007 18:41:57 +0300 Subject: OpenPGP card on Javacard In-Reply-To: References: Message-ID: <9e0cf0bf0708010841o7bbbdb90l3e9b6612d7e3bd7f@mail.gmail.com> On 8/1/07, Sten Lindgren wrote: > I have released a alpha test version of an applet implementing part of > the OpenPGP card specification on Java card. It is avaible from I just wounder... Why do you wish to do this? You already have MUSCLE which provides java applet. You already have coolkey (http://directory.fedoraproject.org/wiki/CoolKey) provides java applet. You already have standard PKCS#11 interface to MUSCLE (also using OpenSC) and coolkey. And you have http://gnupg-pkcs11.sourceforge.net/ which allows gnupg to use standard PKCS#11 tokens. Implementing a card structure for a specific software is incorrect solution. There should be a standard interface for cards that allows application to access them, without dependency of specific hardware/implementation. There are two standards: PKCS#11 (cross platform, vendor independent) and CAPI (Microsoft). The fact that GnuPG developer choose to reinvent the wheel is not for the benefit of their users. If you like smarcard development, you can try to provide a generic card (That can hold more than 3 keys), secured (2048) and usable (More than one application)... This involves in providing a PKCS#11 provider that communicate with your generic applet. Best Regards, Alon Bar-Lev. From wk at gnupg.org Wed Aug 1 20:18:08 2007 From: wk at gnupg.org (Werner Koch) Date: Wed, 01 Aug 2007 20:18:08 +0200 Subject: OpenPGP card on Javacard In-Reply-To: <9e0cf0bf0708010841o7bbbdb90l3e9b6612d7e3bd7f@mail.gmail.com> (Alon Bar-Lev's message of "Wed, 1 Aug 2007 18:41:57 +0300") References: <9e0cf0bf0708010841o7bbbdb90l3e9b6612d7e3bd7f@mail.gmail.com> Message-ID: <87bqdrw23j.fsf@wheatstone.g10code.de> On Wed, 1 Aug 2007 17:41, alon.barlev at gmail.com said: > Implementing a card structure for a specific software is incorrect > solution. The majorty of the smartcard world things different. In fact the OpenPGP card specification is in wider use than many of the other card specs. It is for example used to secure email, disk, X-ray machines, phones and a wealth of other stuff. In fact the OpenPGP card specification is even suggested by the BSI[1] because it is one of the very few openly available and actual implemented and produced specs. Shalom-Salam, Werner p.s. I won't get into such a discussion we you again, so please take this as for the records only. [1] German Federal Information Security Agency From wk at gnupg.org Wed Aug 1 20:22:38 2007 From: wk at gnupg.org (Werner Koch) Date: Wed, 01 Aug 2007 20:22:38 +0200 Subject: OpenPGP card on Javacard In-Reply-To: (Sten Lindgren's message of "Wed, 1 Aug 2007 16:06:38 +0200 (CEST)") References: Message-ID: <873az3w1w1.fsf@wheatstone.g10code.de> On Wed, 1 Aug 2007 16:06, ged at solace.miun.se said: > the OpenPGP card specification on Java card. It is avaible from > sourceforge at http://sourceforge.net/projects/jopenpgpcard/. Feel free to Cool. > and gnupg. I does not support key sizes above 1536 bits. You may have to > apply a patch to gnupg apdu.c implementing support for "SW_EXACT_LENGTH" BTW, we already have such a thing at a higher level. Anyway, I just added a similar patch to apdu.c (SVN trunk): --- apdu.c (revision 4543) +++ apdu.c (working copy) @@ -2648,6 +2649,7 @@ assert (sizeof (apdu) >= apdulen); /* As safeguard don't pass any garbage from the stack to the driver. */ memset (apdu+apdulen, 0, sizeof (apdu) - apdulen); + exact_length_hack: resultlen = RESULTLEN; rc = send_apdu (slot, apdu, apdulen, result, &resultlen, pininfo); if (rc || resultlen < 2) @@ -2658,7 +2660,14 @@ return rc? rc : SW_HOST_INCOMPLETE_CARD_RESPONSE; } sw = (result[resultlen-2] << 8) | result[resultlen-1]; - /* store away the returned data but strip the statusword. */ + if (!did_exact_length_hack && SW_EXACT_LENGTH_P (sw)) + { + apdu[apdulen-1] = (sw & 0x00ff); + did_exact_length_hack = 1; + goto exact_length_hack; + } + + /* Store away the returned data but strip the statusword. */ resultlen -= 2; if (DBG_CARD_IO) { Shalom-Salam, Werner From jason at the-greenes.net Wed Aug 1 22:27:20 2007 From: jason at the-greenes.net (jag7720) Date: Wed, 1 Aug 2007 13:27:20 -0700 (PDT) Subject: gpg in a for loop Message-ID: <11951969.post@talk.nabble.com> I am writing a "simple" script that loops through a file and encrypts each file listed then secure copies it to another server... I am stuck When I run my script I get gpg: shawnm: skipped: public key not found here is the part of my script that does the encrytping and scp-ing for FILE in `cat $EEX` do gpg -e -r shawnm $FILE if [ $? -ne 0 ] ; then echo "Could not encrypt $FILE" exit 1 fi scp $FILE.gpg $USER@$DEST:$FILE.gpg if I put this in its own script by itself and substitute the $FILE variable with a file name it will run. gpg -e -r shawnm file.txt Am I missing something? Can someone help? Jason -- View this message in context: http://www.nabble.com/gpg-in-a-for-loop-tf4202075.html#a11951969 Sent from the GnuPG - User mailing list archive at Nabble.com. From mvyver at gmail.com Thu Aug 2 15:06:19 2007 From: mvyver at gmail.com (Mark Van De Vyver) Date: Thu, 2 Aug 2007 23:06:19 +1000 Subject: gnupg 'unknown user' complaint about the subkey of a public key (signed) Message-ID: <389c43e40708020606q5cc503d2heee15d5b22a3b64f@mail.gmail.com> Hi, Thanks for all the excellent work that has gone into making gnupg available. (Please cc me directly if possible - my list membership seems to be taking some time, and I now need to sleep... ) I'm using: openSUSE 10.2 gnupg (gpg-1.4.5-24.4 and gpg2-1.9.22-20.2 ) The gnupg packages are those distributed by suse. I think I've run into a problem that has been encountered before (see the link below): http://lists.gnupg.org/pipermail/gnupg-users/2006-May/028663.html Specifically I find that gnupg (1.4.5 and 1.9.22) always complains about a public subkey being unknown: gpg: : There is no assurance this key belongs to the named user gpg: [stdin]: sign+encrypt failed: unusable public key I've tried re-signing this key, and gpg indicates that the key was already signed. If I try and sign the subkey it indicates the key is not used for signing, and that the key has already been signed.... It took me ages/days to work all this out, so I'm at my wits end :) I assume the patch mentioned above will fix my problem.... Unfortunately I'm not that comfortable patching and building... so was hoping someone can indicate what version(s) of gnupg would come with this patch? Ideally I'd like to have a production 'version' (1.4.x), but if it is too soon for that I'd live with using the development version (2.x). My distribution is and the latest release they have is 1.4.5. I'd appreciate any suggestions. Regards Mark From jason at the-greenes.net Thu Aug 2 17:33:56 2007 From: jason at the-greenes.net (jag7720) Date: Thu, 2 Aug 2007 08:33:56 -0700 (PDT) Subject: gpg in a for loop [SOLVED] In-Reply-To: <11951969.post@talk.nabble.com> References: <11951969.post@talk.nabble.com> Message-ID: <11966839.post@talk.nabble.com> Ok, I seem to have found a solution If I add --homedir /home/foobar/.gnupg to my code it works. so instead of this gpg -e -r user at user.com file.txt use this gpg -e --homedir /home/foobar/.gnupg -r user at user.com file.txt -- View this message in context: http://www.nabble.com/gpg-in-a-for-loop-tf4202794.html#a11966839 Sent from the GnuPG - User mailing list archive at Nabble.com. From jason at the-greenes.net Wed Aug 1 21:10:04 2007 From: jason at the-greenes.net (jag7720) Date: Wed, 1 Aug 2007 12:10:04 -0700 (PDT) Subject: gpg in a for loop Message-ID: <11951969.post@talk.nabble.com> I am writing a "simple" script that loops through a file and encrypts each file listed then secure copies it to another server... I am stuck When I run my script I get gpg: shawnm: skipped: public key not found here is the part of my script that does the encrytping and scp-ing for FILE in `cat $EEX` do gpg -e -r shawnm $FILE if [ $? -ne 0 ] ; then echo "Could not encrypt $FILE" exit 1 fi scp $FILE.gpg $USER@$DEST:$FILE.gpg if I put this in its own script by itself and substitute the $FILE variable with a file name it will run. gpg -e -r shawnm file.txt Am I missing something? Can someone help? Jason -- View this message in context: http://www.nabble.com/gpg-in-a-for-loop-tf4202075.html#a11951969 Sent from the GnuPG - User mailing list archive at Nabble.com. From nico-linux-gnupg at schottelius.org Sun Aug 5 01:25:41 2007 From: nico-linux-gnupg at schottelius.org (Nico Schottelius) Date: Sun, 5 Aug 2007 01:25:41 +0200 Subject: gpgme: A small introduction started Message-ID: <20070804232541.GB16926@schottelius.org> Hello again! Sorry for the last mail, was a largefile support problem (missed -D_FILE_OFFSET_BITS=64). As I did not find any easy to use documentation for gpgme, I started to write one: http://nico.schottelius.org/documentations/howtos/a-small-introduction-for-using-gpgme/ Feel free to comment it. I'll extend it, as I continue to write more tests / examples. Nico -- Think about Free and Open Source Software (FOSS). http://nico.schottelius.org/documentations/foss/the-term-foss/ PGP: BFE4 C736 ABE5 406F 8F42 F7CF B8BE F92A 9885 188C -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : /pipermail/attachments/20070805/ff311821/attachment-0001.pgp From nico-linux-gnupg at schottelius.org Sun Aug 5 00:05:18 2007 From: nico-linux-gnupg at schottelius.org (Nico Schottelius) Date: Sun, 5 Aug 2007 00:05:18 +0200 Subject: gpgme: export key problems Message-ID: <20070804220518.GA16926@schottelius.org> Hello! I'm new to gpgme and have some understanding problems: I'm trying to export a key: -------------------------------------------------------------------------------- err = gpgme_data_new(&data); err = gpgme_op_export(ceofcontext,NULL,0,data); /* returns no error */ read_bytes = gpgme_data_seek (data, 0, SEEK_END); /* returns -1 */ p = gpgme_strerror(errno); /* returns "Invalid encoding method" */ -------------------------------------------------------------------------------- So I added more code to my test: -------------------------------------------------------------------------------- setlocale (LC_ALL, ""); gpgme_set_locale (NULL, LC_CTYPE, setlocale (LC_CTYPE, NULL)); gpgme_set_textmode(ceofcontext,0); gpgme_set_armor(ceofcontext, 1); err = gpgme_data_set_encoding(data,GPGME_DATA_ENCODING_ARMOR); if(err != GPG_ERR_NO_ERROR) return 11; tmp = gpgme_data_get_encoding(data); if(tmp == GPGME_DATA_ENCODING_ARMOR) { printf("encode ok\n"); /* matches / is printed out */ } -------------------------------------------------------------------------------- Still the same error. Then I tried t-export.c from the test directory from gpgme. Result: -------------------------------------------------------------------------------- [23:47] denkbrett:gpg% LANG=C ./t-export Begin Result: t-support.h:56: Unspecified source: Invalid argument -------------------------------------------------------------------------------- I searched for examples for using gpgme, but there seem to be more or less none available. Does anyone have a hint for me, what I am doing wrong? I attached the whole testprogram. Sincerly Nico -- Think about Free and Open Source Software (FOSS). http://nico.schottelius.org/documentations/foss/the-term-foss/ PGP: BFE4 C736 ABE5 406F 8F42 F7CF B8BE F92A 9885 188C -------------- next part -------------- A non-text attachment was scrubbed... Name: gpgme1.c Type: text/x-csrc Size: 4350 bytes Desc: not available Url : /pipermail/attachments/20070805/28f18d03/attachment.c -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : /pipermail/attachments/20070805/28f18d03/attachment.pgp From wk at gnupg.org Mon Aug 6 09:27:26 2007 From: wk at gnupg.org (Werner Koch) Date: Mon, 06 Aug 2007 09:27:26 +0200 Subject: gpgme: export key problems In-Reply-To: <20070804220518.GA16926@schottelius.org> (Nico Schottelius's message of "Sun, 5 Aug 2007 00:05:18 +0200") References: <20070804220518.GA16926@schottelius.org> Message-ID: <87lkcpm8bl.fsf@wheatstone.g10code.de> On Sun, 5 Aug 2007 00:05, nico-linux-gnupg at schottelius.org said: > p = gpgme_strerror(errno); /* returns "Invalid encoding method" */ You may not pass errno to a gpg_strerror or gpgme_strerror (which is just a wrapper). You shall pass an gpg_error_t error code to these functions. > I searched for examples for using gpgme, but there seem to be more or > less none available. What about: KMail, Mutt, Sylpheeed, Claws, Seahorse, Licq, GPA, Elmo, Centericq, Bazaar and Balsa? There is also a complete manual which comes with gpgme. Salam-Shalom, Werner From rjh at sixdemonbag.org Tue Aug 7 21:17:53 2007 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 07 Aug 2007 15:17:53 -0400 Subject: OpenPGP and usability Message-ID: <46B8C561.9070101@sixdemonbag.org> (Two of the three points mentioned in this email are Enigmail-specific. However, the worst one is an OpenPGP problem, and one that probably deserves more attention, which is why I'm posting it to gnupg-users.) I'm sitting in the Hampton Room of the Sheraton Boston right now attending a meeting of electronic voting researchers. A few minutes ago a big name in computer security--if I gave it, you would probably know it--finished talking about his experiences with a large voting machine investigation, and how they were using OpenPGP to secure communications between researchers. Or, at least, trying to. I have his permission to relate his experiences to these lists. I am omitting his name because I am going from my memory of the conversation I had with him, and I may have misunderstood a detail here or there, and I don't want to do anything that might besmirch his reputation because I misunderstood things. Anyway. The problem, as he said: "forty computer security professionals can't use GnuPG among them because the [cognitive] overhead is too much." He had several mailing lists for different tasks in his electronic voting research. Roughly 40 people in total were on the mailing lists. His ultimate goal was to ensure confidentiality; assurance was not a major issue, but was a nice side benefit. He was using Enigmail and GnuPG, while other people on lists were using GnuPG + gpgol, PGP + Outlook, or (in one case) a custom Windows PowerShell script gluing together GnuPG and Microsoft Word. I do not have version numbers for any of these. The good news: he describes Thunderbird + Enigmail + GnuPG as "the best thing going for email crypto," or words pretty close to that. Unfortunately, that turned out to be pretty faint praise. Problem 1: key signatures. He says he couldn't figure out what he needed to do with the keys. Did he need to sign them? Trust them? What's validity and otrust again? Who should be set up as a trusted introducer? Why wasn't the cursed thing working?! As he said, "I know, I knew what needed to be done, but even knowing what needed to be done, I couldn't figure out what needed to be done." Even just talking about it, months after the fact, he sounded frustrated. Problem 2: PGP/MIME. Correspondents who were using PGP/MIME for attachments found massive interoperability problems. Apparently, Enigmail has an idiosyncratic way of doing PGP/MIME which causes heartache and woe for non-Enigmail users. (I haven't confirmed this; this is just according to him.) Problem 3: Key selection. They ultimately decided to just go with a single shared GnuPG key for each mailing list. The idea here was that as soon as the project finished, each person could just nuke their copy of the mailing list key and the mailing list messages would effectively be put forever beyond use. However, Enigmail would frequently encrypt-to-self, or encrypt to the keys of other people on the mailing lists, or... etc. Ultimately, he says that his resolution was just to always show the key confirmation dialog. From juergen.fenn at GMX.DE Tue Aug 7 22:44:01 2007 From: juergen.fenn at GMX.DE (Juergen Fenn) Date: Tue, 07 Aug 2007 22:44:01 +0200 Subject: OpenPGP and usability In-Reply-To: <46B8C561.9070101@sixdemonbag.org> (Robert J. Hansen's message of "Tue\, 07 Aug 2007 15\:17\:53 -0400") References: <46B8C561.9070101@sixdemonbag.org> Message-ID: "Robert J. Hansen" writes: > Anyway. The problem, as he said: "forty computer security professionals > can't use GnuPG among them because the [cognitive] overhead is too much." Sounds strange to me... but, then, I am not a security pro... > Problem 2: PGP/MIME. Correspondents who were using PGP/MIME for > attachments found massive interoperability problems. Apparently, > Enigmail has an idiosyncratic way of doing PGP/MIME which causes > heartache and woe for non-Enigmail users. (I haven't confirmed this; > this is just according to him.) I have used GnuPG with Gnus under Win98SE for quite a while now. I have not experienced any problems with other users running the more "professional" applications, e.g. mutt. However, I did not succeed to communicate with a user running enigmail under Linux because we did not manage to get the German special characters right. We did not manage to find out what this was due to. We just gave up. Thanks for your report. Regards, J?rgen. From wk at gnupg.org Wed Aug 8 10:51:15 2007 From: wk at gnupg.org (Werner Koch) Date: Wed, 08 Aug 2007 10:51:15 +0200 Subject: OpenPGP and usability In-Reply-To: <46B8C561.9070101@sixdemonbag.org> (Robert J. Hansen's message of "Tue, 07 Aug 2007 15:17:53 -0400") References: <46B8C561.9070101@sixdemonbag.org> Message-ID: <871weeh0jg.fsf@wheatstone.g10code.de> On Tue, 7 Aug 2007 21:17, rjh at sixdemonbag.org said: > Anyway. The problem, as he said: "forty computer security professionals > can't use GnuPG among them because the [cognitive] overhead is too much." So today the question is "Why Diffie can't encrypt" ;-) > Problem 1: key signatures. He says he couldn't figure out what he > needed to do with the keys. Did he need to sign them? Trust them? Just "lsign" all keys or let someone sign all keys and assign him ultimate trust. That is the easiest ad-hoc way. > What's validity and otrust again? Who should be set up as a trusted > introducer? Why wasn't the cursed thing working?! As he said, "I know, That is really hard stuff as it is about setting up a complete PKI. We can't exepct that an average user (even a security expert) can to this without a lot of experience. > Problem 2: PGP/MIME. Correspondents who were using PGP/MIME for > attachments found massive interoperability problems. Apparently, > Enigmail has an idiosyncratic way of doing PGP/MIME which causes > heartache and woe for non-Enigmail users. (I haven't confirmed this; > this is just according to him.) It is really a shame that the one Free Software project which is known by more than the computer geeks - namely Mozilla - is refusing to support an established standard like PGP/MIME. We have had several implementations of it over the years for the new mail componnent (now known as Thunderbird) but all of them have been refused without giving good reasons. In this regard Thunderbird is no better than Outlook! BTW: We would be able to solve the Outlook PGP/MIME sending problem if we could informally agree on a variant of the Content-Type header which gets checked by PGP/MIME aware MUAs before they use the real Content-Type. Yes, it would be an ugly hack but very helpful. Salam-Shalom, Werner From rjh at sixdemonbag.org Wed Aug 8 19:39:58 2007 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 08 Aug 2007 13:39:58 -0400 Subject: OpenPGP and usability In-Reply-To: <871weeh0jg.fsf@wheatstone.g10code.de> References: <46B8C561.9070101@sixdemonbag.org> <871weeh0jg.fsf@wheatstone.g10code.de> Message-ID: <46B9FFEE.60200@sixdemonbag.org> Werner Koch wrote: > So today the question is "Why Diffie can't encrypt" ;-) Not quite Whit Diffie, but not that far away from him, either. :) > Just "lsign" all keys or let someone sign all keys and assign him > ultimate trust. That is the easiest ad-hoc way. Right, I'm not disputing that there is a way to do this. However, the person in question was unable to find that solution in the time he spent researching the problem. This suggests to me that either (a) the OpenPGP standard is bad for being too complex, (b) [GnuPG|Enigmail]'s user [interface|documentation] is bad for not making it easier to discover these things. I doubt we can do anything about (a), but all four cases of (b) might warrant some looking into. From patrick at mozilla-enigmail.org Wed Aug 8 20:20:28 2007 From: patrick at mozilla-enigmail.org (Patrick Brunschwig) Date: Wed, 08 Aug 2007 20:20:28 +0200 Subject: OpenPGP and usability In-Reply-To: <871weeh0jg.fsf__32383.2582952038$1186568488$gmane$org@wheatstone.g10code.de> References: <46B8C561.9070101@sixdemonbag.org> <871weeh0jg.fsf__32383.2582952038$1186568488$gmane$org@wheatstone.g10code.de> Message-ID: Werner Koch wrote: >> Problem 2: PGP/MIME. Correspondents who were using PGP/MIME for >> attachments found massive interoperability problems. Apparently, >> Enigmail has an idiosyncratic way of doing PGP/MIME which causes >> heartache and woe for non-Enigmail users. (I haven't confirmed this; >> this is just according to him.) > > It is really a shame that the one Free Software project which is known > by more than the computer geeks - namely Mozilla - is refusing to > support an established standard like PGP/MIME. We have had several > implementations of it over the years for the new mail componnent (now > known as Thunderbird) but all of them have been refused without giving > good reasons. > > In this regard Thunderbird is no better than Outlook! But there is Enigmail, and I'm doing my best to integrate .it as neatly as possible into Thunderbird ;-) > BTW: We would be able to solve the Outlook PGP/MIME sending problem if > we could informally agree on a variant of the Content-Type header which > gets checked by PGP/MIME aware MUAs before they use the real > Content-Type. Yes, it would be an ugly hack but very helpful. What precisely would you need (or send)? I would be open to implement such a "solution" in Enigmail, if it helps! -Patrick From wk at gnupg.org Thu Aug 9 05:51:42 2007 From: wk at gnupg.org (Werner Koch) Date: Thu, 09 Aug 2007 05:51:42 +0200 Subject: OpenPGP and usability In-Reply-To: (Patrick Brunschwig's message of "Wed, 08 Aug 2007 20:20:28 +0200") References: <46B8C561.9070101@sixdemonbag.org> <871weeh0jg.fsf__32383.2582952038$1186568488$gmane$org@wheatstone.g10code.de> Message-ID: <87bqdhcqlt.fsf@wheatstone.g10code.de> On Wed, 8 Aug 2007 20:20, patrick at mozilla-enigmail.org said: > What precisely would you need (or send)? I would be open to implement > such a "solution" in Enigmail, if it helps! I am considering to have a new header like Gpgol-content-type: application/pgp-encrypted to supplement the Outlook generated Content-type. The problem is that there is no way in Outlook/MAPI to override all content-types - Outlook has its own idea on how to set them. Tough it is possible to set the content-type of the top body, there is no way to set any conent type below that an thus we would end up with text/plain instead applaiction/pgp-encrypted for the first part. I have not yet implemented that in gpgol. I did some tests last year and they showed that it will be possible. It would also be possible to fixup the content type later using an SMTP proxy but that won't be easy to install. A new MAPI transport provider could also fixup such things but I fear that this will raise all kinds of compatibility problems. Salam-Shalom, Werner From patrick at mozilla-enigmail.org Thu Aug 9 09:52:44 2007 From: patrick at mozilla-enigmail.org (Patrick Brunschwig) Date: Thu, 09 Aug 2007 09:52:44 +0200 Subject: OpenPGP and usability In-Reply-To: <87bqdhcqlt.fsf@wheatstone.g10code.de> References: <46B8C561.9070101@sixdemonbag.org> <871weeh0jg.fsf__32383.2582952038$1186568488$gmane$org@wheatstone.g10code.de> <87bqdhcqlt.fsf@wheatstone.g10code.de> Message-ID: <46BAC7CC.4010209@mozilla-enigmail.org> Werner Koch wrote: > On Wed, 8 Aug 2007 20:20, patrick at mozilla-enigmail.org said: > >> What precisely would you need (or send)? I would be open to implement >> such a "solution" in Enigmail, if it helps! > > I am considering to have a new header like > > Gpgol-content-type: application/pgp-encrypted > > to supplement the Outlook generated Content-type. The problem is that > there is no way in Outlook/MAPI to override all content-types - Outlook > has its own idea on how to set them. Tough it is possible to set the > content-type of the top body, there is no way to set any conent type > below that an thus we would end up with text/plain instead > applaiction/pgp-encrypted for the first part. > > I have not yet implemented that in gpgol. I did some tests last year > and they showed that it will be possible. > > It would also be possible to fixup the content type later using an SMTP > proxy but that won't be easy to install. A new MAPI transport provider > could also fixup such things but I fear that this will raise all kinds > of compatibility problems. I would actually call the content type X-Gpgol-content-type: application/pgp-encrypted I think at least concerning Enigmail, I could handle this properly. -Patrick From nicholas.cole at gmail.com Thu Aug 9 08:36:21 2007 From: nicholas.cole at gmail.com (Nicholas Cole) Date: Thu, 9 Aug 2007 07:36:21 +0100 Subject: OpenPGP and usability In-Reply-To: <46B8C561.9070101@sixdemonbag.org> References: <46B8C561.9070101@sixdemonbag.org> Message-ID: On 8/7/07, Robert J. Hansen wrote: > Problem 1: key signatures. He says he couldn't figure out what he > needed to do with the keys. Did he need to sign them? Trust them? > What's validity and otrust again? Who should be set up as a trusted > introducer? Why wasn't the cursed thing working?! As he said, "I know, > I knew what needed to be done, but even knowing what needed to be done, > I couldn't figure out what needed to be done." Even just talking about > it, months after the fact, he sounded frustrated. In my experience, this is one of the biggest hurdles. One of PGP's problems from the beginning is that words like "sign" and "valid" have always been used in several different contexts, and then introduced all of them to the user at once. What the (beginner) needs to be told is that, if he wants to tell his software to use a particular key, he should sign (validate / mark as genuine) it. If he is at all unsure about the key he needs to check the Fingerprint with his contact. And that's all. (As an aside: I note that all these social networking sites have a web of trust of sorts, so the concept is not impossible to present to the user in a very straightforward way). Other concepts should be intoduced as features that help larger organisations, not as something that the user needs to understand before he even gets started. The original PGP software also made the mistake of saying this like (I forget the exact wording now) "This is a GOOD signature from an Invalid key", which is just unhelpful to the new user. What it meant to say was "You have not validated the key that signed this message - it may or may not be genuine." Or better words to that effect. Best wishes, N. From jf_payette at hotmail.com Wed Aug 8 21:36:22 2007 From: jf_payette at hotmail.com (Jean-Francois Payette) Date: Wed, 08 Aug 2007 15:36:22 -0400 Subject: ASP Shell and GnuPG Message-ID: Hello, I saw your question about using gnupg with asp shell at this address : http://lists.gnupg.org/pipermail/gnupg-users/2006-April/028283.html. Did you find the solutions? I am having problem to make it work in asp. If i use the dos comand line it works fine. Here's my code: Set WshShell = Server.CreateObject("Wscript.Shell") command = PGP_PATH&"\gnupg\gpg.exe --sign --passphrase thisisatest C:\Inetpub\wwwroot\PGP\ENCFILES\BET2007080834_INT.XML" response.write "Exit Code: " & WshShell.run(command, 1, true) & "
" set wshshell = nothing Hope you can help _________________________________________________________________ Enjoy The Show: Buskers & Street Performers http://search.live.com/images/results.aspx?q=Amuseurs+publics&mkt=fr-ca&FORM=SERNEP From ewrobinson at fedex.com Thu Aug 9 20:56:29 2007 From: ewrobinson at fedex.com (Eric Robinson) Date: Thu, 9 Aug 2007 13:56:29 -0500 Subject: Partial file download issue - GPG In-Reply-To: References: Message-ID: <32B8847FC645964E9F42BB8CCCF0147B24649C@MEMEXCH06V.corp.ds.fedex.com> Hello Group, I need some help in determining what this problem is. I have a customer that is trying to decrypt a file but it is not 'getting' the complete file. Message is below: # gpg --decrypt SMAL070809.txt > foo.txt gpg: encrypted with 1024-bit ELG-E key, ID 957F2C4C, created 2005-03-14 "VisionaryServices (VSi ProdKey) " gpg: fatal: zlib inflate problem: invalid stored block lengths secmem usage: 2080/2368 bytes in 4/7 blocks of pool 3424/32768 [root at deepthought remit]# gpg --decrypt -o bar.txt SMAL070809.txt gpg: encrypted with 1024-bit ELG-E key, ID 957F2C4C, created 2005-03-14 "VisionaryServices (VSi ProdKey) " gpg: fatal: zlib inflate problem: invalid stored block lengths secmem usage: 2080/2368 bytes in 4/7 blocks of pool 3424/32768 [root at deepthought remit]# diff foo.txt bar.txt [root at deepthought remit]# wc -l foo.txt 1815 foo.txt Can anyone help? Thanks, Eric ------------------------------------- Eric Robinson Business Application Advisor FedEx Corporate Services Internet Engineering & EC Integration 901.263.5749 ------------------------------------- From dshaw at jabberwocky.com Thu Aug 9 22:52:56 2007 From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 9 Aug 2007 16:52:56 -0400 Subject: Partial file download issue - GPG In-Reply-To: <32B8847FC645964E9F42BB8CCCF0147B24649C@MEMEXCH06V.corp.ds.fedex.com> References: <32B8847FC645964E9F42BB8CCCF0147B24649C@MEMEXCH06V.corp.ds.fedex.com> Message-ID: <20070809205256.GA25529@jabberwocky.com> On Thu, Aug 09, 2007 at 01:56:29PM -0500, Eric Robinson wrote: > Hello Group, > I need some help in determining what this problem is. I have a customer > that is trying to decrypt a file but it is not 'getting' the complete > file. Message is below: > > # gpg --decrypt SMAL070809.txt > foo.txt > gpg: encrypted with 1024-bit ELG-E key, ID 957F2C4C, created 2005-03-14 > "VisionaryServices (VSi ProdKey) " > gpg: fatal: zlib inflate problem: invalid stored block lengths secmem > usage: 2080/2368 bytes in 4/7 blocks of pool 3424/32768 > [root at deepthought remit]# gpg --decrypt -o bar.txt SMAL070809.txt > gpg: encrypted with 1024-bit ELG-E key, ID 957F2C4C, created 2005-03-14 > "VisionaryServices (VSi ProdKey) " > gpg: fatal: zlib inflate problem: invalid stored block lengths secmem > usage: 2080/2368 bytes in 4/7 blocks of pool 3424/32768 > [root at deepthought remit]# diff foo.txt bar.txt [root at deepthought remit]# > wc -l foo.txt > 1815 foo.txt The file is corrupt, so cannot be processed. How was the file created? Try comparing the original to what the customer has. David From ewrobinson at fedex.com Thu Aug 9 23:54:34 2007 From: ewrobinson at fedex.com (Eric Robinson) Date: Thu, 9 Aug 2007 16:54:34 -0500 Subject: Partial file download issue - GPG In-Reply-To: <20070809205256.GA25529@jabberwocky.com> References: <32B8847FC645964E9F42BB8CCCF0147B24649C@MEMEXCH06V.corp.ds.fedex.com> <20070809205256.GA25529@jabberwocky.com> Message-ID: <32B8847FC645964E9F42BB8CCCF0147B2464FE@MEMEXCH06V.corp.ds.fedex.com> Thanks for the response. We think it might be the file size. These are over 4MB. Now we've started with one record, that worked, and we are increasing the file size gradually, up to 1.9MB, and success so far. Is there a file size limit on GPG? Thanks, Eric ------------------------------------- Eric Robinson Business Application Advisor FedEx Corporate Services Internet Engineering & EC Integration 901.263.5749 ------------------------------------- -----Original Message----- From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of David Shaw Sent: Thursday, August 09, 2007 3:53 PM To: gnupg-users at gnupg.org Subject: Re: Partial file download issue - GPG On Thu, Aug 09, 2007 at 01:56:29PM -0500, Eric Robinson wrote: > Hello Group, > I need some help in determining what this problem is. I have a > customer that is trying to decrypt a file but it is not 'getting' the > complete file. Message is below: > > # gpg --decrypt SMAL070809.txt > foo.txt > gpg: encrypted with 1024-bit ELG-E key, ID 957F2C4C, created 2005-03-14 > "VisionaryServices (VSi ProdKey) " > gpg: fatal: zlib inflate problem: invalid stored block lengths secmem > usage: 2080/2368 bytes in 4/7 blocks of pool 3424/32768 > [root at deepthought remit]# gpg --decrypt -o bar.txt SMAL070809.txt > gpg: encrypted with 1024-bit ELG-E key, ID 957F2C4C, created 2005-03-14 > "VisionaryServices (VSi ProdKey) " > gpg: fatal: zlib inflate problem: invalid stored block lengths secmem > usage: 2080/2368 bytes in 4/7 blocks of pool 3424/32768 > [root at deepthought remit]# diff foo.txt bar.txt [root at deepthought > remit]# wc -l foo.txt > 1815 foo.txt The file is corrupt, so cannot be processed. How was the file created? Try comparing the original to what the customer has. David _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From nico-linux-gnupg at schottelius.org Thu Aug 9 22:42:13 2007 From: nico-linux-gnupg at schottelius.org (Nico Schottelius) Date: Thu, 9 Aug 2007 22:42:13 +0200 Subject: key sizes: maximum size and shrinking Message-ID: <20070809204213.GB17879@schottelius.org> Hello guys! We are trying to write a chat protocol, which uses gpg (gpgme especially) for encryption / signing. As it is an chat protocol, we try to keep latency down. As far as I can see the biggest packets we'll have are those containing the key exchange (as others are only messages, transport protocol metadata, ..., but no packet is > 1 KiB). I did some tests (dirty notes attached) and it looks like the whole packet is about 5KiB (which is pretty much): 4096-bit dsa-elgamal public key, binary: 1680 Bytes + Initial Key exchange metadata / data: 2 + 2 + 4 + 128 tp + 2 = 138 Bytes = 3008 bytes for one inner packet, containing one transport protocol + n * 128 bytes nexthop specification, n == 8, => 1024 Bytes testing showed 128 bytes are enough, see doc/packets/outer-draft1 for tests + encyption + signatur = 4033 Bytes in test ==> ~ 5 KiB including possible bigger keys That's really much, as we intend to have static packet sizes (indenpendent of content, so external watchers cannot see which type of packet is sent) and continues traffic (so one cannot determine if we send data or noise). The first idea was to use a send interval of 250ms, but that would make ~20KiB/s + protocol overhead (transport protocols maybe mostly everything, including. http, smtp, ftp, ..., everything that may transport bytes). With this size we could only do a maximum of 2s intervals... So my questions to you gnupg experts are: - Is there a maximum size for an exported, non-armored public key? => if yes, we could use that as a base and pad the rest - Are there any good (possibly gnupg / gpgme included) methods to shrink the size of the exported public key? - Or would you recommened using gzip/bzip2/lzma additionally? As far as I've tested it, gzip and bzip2 are just adding header overhead, so I assume gnupg already does some compression itself. Thanks for any hint, Nico -- Think about Free and Open Source Software (FOSS). http://nico.schottelius.org/documentations/foss/the-term-foss/ PGP: BFE4 C736 ABE5 406F 8F42 F7CF B8BE F92A 9885 188C -------------- next part -------------- List of keys: [20:54] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --list-keys ./dot-gpg/pubring.gpg --------------------- pub 1024D/B9F52B24 2007-08-09 uid dsa-elgamal-4096bits (no at comment) sub 4096g/F6684B3A 2007-08-09 pub 1024D/477FAD1B 2007-08-09 uid dsa-elgamal-2048 (no at comment-key2) sub 2048g/5632130B 2007-08-09 pub 1024D/9C303CE6 2007-08-09 uid dsa-elgamal-4096-2 (and no further comments) sub 4096g/6BF7E5E9 2007-08-09 [21:08] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --list-secret-keys ./dot-gpg/secring.gpg --------------------- sec 1024D/B9F52B24 2007-08-09 uid dsa-elgamal-4096bits (no at comment) ssb 4096g/F6684B3A 2007-08-09 sec 1024D/477FAD1B 2007-08-09 uid dsa-elgamal-2048 (no at comment-key2) ssb 2048g/5632130B 2007-08-09 sec 1024D/9C303CE6 2007-08-09 uid dsa-elgamal-4096-2 (and no further comments) ssb 4096g/6BF7E5E9 2007-08-09 -------------------------------------------------------------------------------- Exporting some keys: # 4096 bits / my real key [19:37] denkbrett:test% gpg -a --export 9885188C | wc -c 3473 # 4096 bits pub 1024D/B9F52B24 2007-08-09 uid dsa-elgamal-4096bits (no at comment) sub 4096g/F6684B3A 2007-08-09 [20:33] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --export -a | wc -c 2388 [20:37] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --export -a B9F52B24 | wc -c 2388 [20:36] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --export B9F52B24 | wc -c 1680 # 2048 [20:35] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --list-keys 2048 pub 1024D/477FAD1B 2007-08-09 uid dsa-elgamal-2048 (no at comment-key2) sub 2048g/5632130B 2007-08-09 [20:36] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --export -a 477FAD1B | wc -c 1698 [20:36] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --export 477FAD1B | wc -c 1169 -------------------------------------------------------------------------------- Sign exported key --local-user name -u Use name as the key to sign with. Note that this option overrides --default-key --default-key name [21:09] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --export B9F52B24 -a | gpg --homedir ./dot-gpg/ -u B9F52B24 -s -a | wc -c You need a passphrase to unlock the secret key for user: "dsa-elgamal-4096bits (no at comment) " 1024-bit DSA key, ID B9F52B24, created 2007-08-09 4723 [21:09] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --export B9F52B24 | gpg --homedir ./dot-gpg/ -u B9F52B24 -s -a | wc -c You need a passphrase to unlock the secret key for user: "dsa-elgamal-4096bits (no at comment) " 1024-bit DSA key, ID B9F52B24, created 2007-08-09 2505 [21:10] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --export B9F52B24 | gpg --homedir ./dot-gpg/ -u B9F52B24 -s | wc -c You need a passphrase to unlock the secret key for user: "dsa-elgamal-4096bits (no at comment) " 1024-bit DSA key, ID B9F52B24, created 2007-08-09 1777 [21:15] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --export B9F52B24 | gpg --homedir ./dot-gpg/ -u B9F52B24 --sign --encrypt --recipient 9C303CE6 --armor | wc -c You need a passphrase to unlock the secret key for user: "dsa-elgamal-4096bits (no at comment) " 1024-bit DSA key, ID B9F52B24, created 2007-08-09 3983 [21:17] denkbrett:gpg-tests% gpg --homedir ./dot-gpg --export B9F52B24 | gpg --homedir ./dot-gpg/ -u B9F52B24 --sign --encrypt --recipient 9C303CE6 | wc -c You need a passphrase to unlock the secret key for user: "dsa-elgamal-4096bits (no at comment) " 1024-bit DSA key, ID B9F52B24, created 2007-08-09 2870 -------------------------------------------------------------------------------- Plus noise: [21:53] denkbrett:gpg-tests% (cat 512bytes; gpg --homedir ./dot-gpg --export B9F52B24) | gpg --homedir ./dot-gpg/ -u B9F52B24 --sign --encrypt --recipient 9C303CE6 | wc -c You need a passphrase to unlock the secret key for user: "dsa-elgamal-4096bits (no at comment) " 1024-bit DSA key, ID B9F52B24, created 2007-08-09 3380 [21:53] denkbrett:gpg-tests% (cat 512bytes 512bytes; gpg --homedir ./dot-gpg --export B9F52B24) | gpg --homedir ./dot-gpg/ -u B9F52B24 --sign --encrypt --recipient 9C303CE6 | wc -c You need a passphrase to unlock the secret key for user: "dsa-elgamal-4096bits (no at comment) " 1024-bit DSA key, ID B9F52B24, created 2007-08-09 3424 [21:55] denkbrett:gpg-tests% (cat 4096bytes; gpg --homedir ./dot-gpg --export B9F52B24) | gpg --homedir ./dot-gpg/ -u B9F52B24 --sign --encrypt --recipient 9C303CE6 | wc -c You need a passphrase to unlock the secret key for user: "dsa-elgamal-4096bits (no at comment) " 1024-bit DSA key, ID B9F52B24, created 2007-08-09 6968 [22:05] denkbrett:gpg-tests% (cat 2048bytes; gpg --homedir ./dot-gpg --export B9F52B24) | gpg --homedir ./dot-gpg/ -u B9F52B24 --sign --encrypt --recipient 9C303CE6 | wc -c You need a passphrase to unlock the secret key for user: "dsa-elgamal-4096bits (no at comment) " 1024-bit DSA key, ID B9F52B24, created 2007-08-09 4920 [22:13] denkbrett:gpg-tests% (cat 1536bytes; gpg --homedir ./dot-gpg --export B9F52B24) | gpg --homedir ./dot-gpg/ -u B9F52B24 --sign --encrypt --recipient 9C303CE6 | wc -c You need a passphrase to unlock the secret key for user: "dsa-elgamal-4096bits (no at comment) " 1024-bit DSA key, ID B9F52B24, created 2007-08-09 4406 # test: --export-options export-minimal # seems to be minimal anyway :-) [22:13] denkbrett:gpg-tests% (cat 1536bytes; gpg --homedir ./dot-gpg --export B9F52B24 --export-options export-minimal) | gpg --homedir ./dot-gpg/ -u B9F52B24 --sign --encrypt --recipient 9C303CE6 | wc -c You need a passphrase to unlock the secret key for user: "dsa-elgamal-4096bits (no at comment) " 1024-bit DSA key, ID B9F52B24, created 2007-08-09 4406 # Only 1162 bytes [22:23] denkbrett:gpg-tests% (cat 1162bytes; gpg --homedir ./dot-gpg --export B9F52B24 --export-options export-minimal) | gpg --homedir ./dot-gpg/ -u B9F52B24 --sign --encrypt --recipient 9C303CE6 | wc -c You need a passphrase to unlock the secret key for user: "dsa-elgamal-4096bits (no at comment) " 1024-bit DSA key, ID B9F52B24, created 2007-08-09 4033 -------------------------------------------------------------------------------- Compression: After encrypt/sign: [22:31] denkbrett:gpg-tests% cat 1162bytes+pubkey | bzip2 -9 > 1162bytes+pubkey.bz2 [22:31] denkbrett:gpg-tests% cat 1162bytes+pubkey | gzip -9 > 1162bytes+pubkey.gz -rw------- 1 nico nico 4033 2007-08-09 22:29 1162bytes+pubkey -rw------- 1 nico nico 4524 2007-08-09 22:30 1162bytes+pubkey.bz2 -rw------- 1 nico nico 4056 2007-08-09 22:31 1162bytes+pubkey.gz Compression: Of the public key only: [22:31] denkbrett:gpg-tests% (cat 1162bytes; gpg --homedir ./dot-gpg --export B9F52B24 --export-options export-minimal | bzip2 -9) | gpg --homedir ./dot-gpg/ -u B9F52B24 --sign --encrypt --recipient 9C303CE6 | wc -c You need a passphrase to unlock the secret key for user: "dsa-elgamal-4096bits (no at comment) " 1024-bit DSA key, ID B9F52B24, created 2007-08-09 4431 [22:32] denkbrett:gpg-tests% (cat 1162bytes; gpg --homedir ./dot-gpg --export B9F52B24 --export-options export-minimal | gzip -9) | gpg --homedir ./dot-gpg/ -u B9F52B24 --sign --encrypt --recipient 9C303CE6 | wc -c You need a passphrase to unlock the secret key for user: "dsa-elgamal-4096bits (no at comment) " 1024-bit DSA key, ID B9F52B24, created 2007-08-09 4056 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : /pipermail/attachments/20070809/a2b5ea54/attachment-0001.pgp From wk at gnupg.org Fri Aug 10 12:52:43 2007 From: wk at gnupg.org (Werner Koch) Date: Fri, 10 Aug 2007 12:52:43 +0200 Subject: OpenPGP and usability In-Reply-To: <46BAC7CC.4010209@mozilla-enigmail.org> (Patrick Brunschwig's message of "Thu, 09 Aug 2007 09:52:44 +0200") References: <46B8C561.9070101@sixdemonbag.org> <871weeh0jg.fsf__32383.2582952038$1186568488$gmane$org@wheatstone.g10code.de> <87bqdhcqlt.fsf@wheatstone.g10code.de> <46BAC7CC.4010209@mozilla-enigmail.org> Message-ID: <87absz8xvo.fsf@wheatstone.g10code.de> On Thu, 9 Aug 2007 09:52, patrick at mozilla-enigmail.org said: > X-Gpgol-content-type: application/pgp-encrypted Well, the X prefix is not anymore required for user defined headers. But that is a detail. Shalom-Salam, Werner From wk at gnupg.org Fri Aug 10 12:56:07 2007 From: wk at gnupg.org (Werner Koch) Date: Fri, 10 Aug 2007 12:56:07 +0200 Subject: Partial file download issue - GPG In-Reply-To: <32B8847FC645964E9F42BB8CCCF0147B2464FE@MEMEXCH06V.corp.ds.fedex.com> (Eric Robinson's message of "Thu, 9 Aug 2007 16:54:34 -0500") References: <32B8847FC645964E9F42BB8CCCF0147B24649C@MEMEXCH06V.corp.ds.fedex.com> <20070809205256.GA25529@jabberwocky.com> <32B8847FC645964E9F42BB8CCCF0147B2464FE@MEMEXCH06V.corp.ds.fedex.com> Message-ID: <87643n8xq0.fsf@wheatstone.g10code.de> On Thu, 9 Aug 2007 23:54, ewrobinson at fedex.com said: > We think it might be the file size. These are over 4MB. > Now we've started with one record, that worked, and we are increasing > the file size gradually, up to 1.9MB, and success so far. > Is there a file size limit on GPG? No. Depending on the OS and how you pass the data to gpg (piped or given filename) you may encounter problems for files larger 2 GB. I suggest to always pipe the data to gpg so that the OS's shell can tell you that the file is too large (not sure whether they do this). It has also the advantage that you know who the culprit is (gpg or the shell) ;-). Salam-Shalom, Werner From wk at gnupg.org Fri Aug 10 14:15:36 2007 From: wk at gnupg.org (Werner Koch) Date: Fri, 10 Aug 2007 14:15:36 +0200 Subject: key sizes: maximum size and shrinking In-Reply-To: <20070809204213.GB17879@schottelius.org> (Nico Schottelius's message of "Thu, 9 Aug 2007 22:42:13 +0200") References: <20070809204213.GB17879@schottelius.org> Message-ID: <87lkcj7fh3.fsf@wheatstone.g10code.de> On Thu, 9 Aug 2007 22:42, nico-linux-gnupg at schottelius.org said: > I did some tests (dirty notes attached) and it looks like the whole > packet is about 5KiB (which is pretty much): > > 4096-bit dsa-elgamal public key, binary: 1680 Bytes Why at all are you using such insane large key sizes? What is your threat model? If it is important to have small key sizes you better use RSA or or agree on standard parameters for DSA and Elgamal keys (well, that is not defined by OpenPGP). > - Is there a maximum size for an exported, non-armored public key? > => if yes, we could use that as a base and pad the rest The only variants in the size of the keyblock are the user IDs and the signatures. The size of the key is a function of the key size and the algorithm). If you restrict yourself to a certain length of the user ID you will have an upper bound of the keyblocks size. > - Are there any good (possibly gnupg / gpgme included) methods to shrink > the size of the exported public key? No, you can't. Except for what I mentioned above. > - Or would you recommened using gzip/bzip2/lzma additionally? > As far as I've tested it, gzip and bzip2 are just adding header > overhead, so I assume gnupg already does some compression itself. Not for the key, it does not make sense. Please check the protocol you are going to use. It seems that there are some flaws. OpenPGP is not in general suited for online communication. Salam-Shalom, Werner From seh at panix.com Fri Aug 10 18:34:28 2007 From: seh at panix.com (Steven E. Harris) Date: Fri, 10 Aug 2007 09:34:28 -0700 Subject: OpenPGP and usability References: <46B8C561.9070101@sixdemonbag.org> <871weeh0jg.fsf__32383.2582952038$1186568488$gmane$org@wheatstone.g10code.de> <87bqdhcqlt.fsf@wheatstone.g10code.de> <46BAC7CC.4010209@mozilla-enigmail.org> <87absz8xvo.fsf@wheatstone.g10code.de> Message-ID: <7yodhf1h7v.fsf@panix.com> Werner Koch writes: > Well, the X prefix is not anymore required for user defined headers. Was there some change in this prescription? If so, from where? I hadn't heard about "X-" falling from use. -- Steven E. Harris From ewrobinson at fedex.com Fri Aug 10 17:42:07 2007 From: ewrobinson at fedex.com (Eric Robinson) Date: Fri, 10 Aug 2007 10:42:07 -0500 Subject: CoreLabs Detects Flaw In GnuPG - any comments ? In-Reply-To: <87lkcj7fh3.fsf@wheatstone.g10code.de> References: <20070809204213.GB17879@schottelius.org> <87lkcj7fh3.fsf@wheatstone.g10code.de> Message-ID: <32B8847FC645964E9F42BB8CCCF0147B246585@MEMEXCH06V.corp.ds.fedex.com> CoreLabs Detects Flaw In GnuPG By CXOtoday Staff Mumbai, Mar 9, 2007 Core Security Technologies has issued an advisory disclosing a flaw in the GNU Privacy Guard (GnuPG or GPG). It is an OpenPGP- compliant cryptographic software system and is a part of the Free Software Foundation's (FSF) GNU software project, and third-party email applications that rely on it for encrypted and signed email communications. CoreLabs, the research arm of Core Security, discovered this by exploiting the vulnerability. According to the press release, issued by Core Security, an attacker can add arbitrary content to encrypted and/or signed emails in order to mislead recipients about the trustworthiness of a message. In addition, attackers can use this flaw to bypass content-filtering defenses, which makes it particularly inconvenient to detect phishing attacks. The company discovered that the scripts and applications using GnuPG are prone to a vulnerability involving incorrect verification of signatures. Unsuspecting users reading a GPG encrypted and/or signed email, using a mail client or encryption extension, are led to believe that the entire message was signed by the sender when, in fact, an arbitrary portion of the content may have been inserted by an attacker. In some cases, the attacker may completely hide the signed portion of a message and present the user with only the forged portion. It should be noted that this is not a cryptographic problem. It affects how information is presented to the user and how third-party applications interact with GnuPG. This attack method infects systems using: *GnuPG 1.4.6 and previous versions *Enigmail 0.94.2 and previous versions *KMail 1.9.5 and previous versions *Evolution 2.8.1 and previous versions *Sylpheed 2.2.7 and previous versions *Mutt 1.5.13 and previous versions *GNUMail 1.1.2 and previous versions *Other scripts and applications using GnuPG may be vulnerable To address this vulnerability, users of scripts and applications using GnuPG should immediately upgrade to the latest versions of GnuPG and Enigmail. Additionally, Core Security recommends that, if a signed message looks suspicious, the validity of the signature can be verified by manually invoking GnuPG from the command line and adding the special option "--status-fd" to gain extra information. "This vulnerability is a good e.g. of how very subtle implementation decisions on how to interface data communications between two applications, in this case email front-end extensions and GnuPG, can end up exposing end users to unexpected security weaknesses," said Iv n Arce, CTO, Core Security Technologies. "We continue to encourage and support the use of GnuPG as a convenient way to improve the security and privacy of communications. To that effect and to prevent traffic analysis attacks, we also recommend that encryption should be turned on by default on every email." ------------------------------------------------------------------------ ----------------- Eric ------------------------------------- Eric Robinson Business Application Advisor FedEx Corporate Services Internet Engineering & EC Integration 901.263.5749 ------------------------------------- From dshaw at jabberwocky.com Fri Aug 10 19:08:28 2007 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 10 Aug 2007 13:08:28 -0400 Subject: CoreLabs Detects Flaw In GnuPG - any comments ? In-Reply-To: <32B8847FC645964E9F42BB8CCCF0147B246585@MEMEXCH06V.corp.ds.fedex.com> References: <20070809204213.GB17879@schottelius.org> <87lkcj7fh3.fsf@wheatstone.g10code.de> <32B8847FC645964E9F42BB8CCCF0147B246585@MEMEXCH06V.corp.ds.fedex.com> Message-ID: <20070810170828.GB25849@jabberwocky.com> On Fri, Aug 10, 2007 at 10:42:07AM -0500, Eric Robinson wrote: > CoreLabs Detects Flaw In GnuPG > By CXOtoday Staff > Mumbai, Mar 9, 2007 > > > Core Security Technologies has issued an advisory disclosing a flaw in > the GNU Privacy Guard (GnuPG or GPG). It is an OpenPGP- compliant > cryptographic software system and is a part of the Free Software > Foundation's (FSF) GNU software project, and third-party email > applications that rely on it for encrypted and signed email > communications. http://lists.gnupg.org/pipermail/gnupg-announce/2007q1/000251.html Basically, upgrade to 1.4.7, which was released on March 5th. David From ewrobinson at fedex.com Fri Aug 10 19:29:53 2007 From: ewrobinson at fedex.com (Eric Robinson) Date: Fri, 10 Aug 2007 12:29:53 -0500 Subject: CoreLabs Detects Flaw In GnuPG - any comments ? In-Reply-To: <20070810170828.GB25849@jabberwocky.com> References: <20070809204213.GB17879@schottelius.org><87lkcj7fh3.fsf@wheatstone.g10code.de><32B8847FC645964E9F42BB8CCCF0147B246585@MEMEXCH06V.corp.ds.fedex.com> <20070810170828.GB25849@jabberwocky.com> Message-ID: <32B8847FC645964E9F42BB8CCCF0147B2465A1@MEMEXCH06V.corp.ds.fedex.com> Thanks.... Eric -----Original Message----- From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of David Shaw Sent: Friday, August 10, 2007 12:08 PM To: gnupg-users at gnupg.org Subject: Re: CoreLabs Detects Flaw In GnuPG - any comments ? On Fri, Aug 10, 2007 at 10:42:07AM -0500, Eric Robinson wrote: > CoreLabs Detects Flaw In GnuPG > By CXOtoday Staff > Mumbai, Mar 9, 2007 > > > Core Security Technologies has issued an advisory disclosing a flaw in > the GNU Privacy Guard (GnuPG or GPG). It is an OpenPGP- compliant > cryptographic software system and is a part of the Free Software > Foundation's (FSF) GNU software project, and third-party email > applications that rely on it for encrypted and signed email > communications. http://lists.gnupg.org/pipermail/gnupg-announce/2007q1/000251.html Basically, upgrade to 1.4.7, which was released on March 5th. David _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From alex at bofh.net.pl Fri Aug 10 13:43:44 2007 From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Fri, 10 Aug 2007 13:43:44 +0200 Subject: OpenPGP and usability In-Reply-To: <871weeh0jg.fsf@wheatstone.g10code.de> References: <46B8C561.9070101@sixdemonbag.org> <871weeh0jg.fsf@wheatstone.g10code.de> Message-ID: <20070810114344.GC689@hell.pl> On Wed, Aug 08, 2007 at 10:51:15AM +0200, Werner Koch wrote: > In this regard Thunderbird is no better than Outlook! At least Thunderbird openly invites plugins and Enigmail is a good one. A. -- JID: alex at hell.pl PGP: 0x46399138 od zwracania uwagi na detale s? lekarze, adwokaci, programi?ci i zegarmistrze -- Czerski From fweimer at bfk.de Fri Aug 10 19:07:00 2007 From: fweimer at bfk.de (Florian Weimer) Date: Fri, 10 Aug 2007 19:07:00 +0200 Subject: CoreLabs Detects Flaw In GnuPG - any comments ? In-Reply-To: <32B8847FC645964E9F42BB8CCCF0147B246585@MEMEXCH06V.corp.ds.fedex.com> (Eric Robinson's message of "Fri, 10 Aug 2007 10:42:07 -0500") References: <20070809204213.GB17879@schottelius.org> <87lkcj7fh3.fsf@wheatstone.g10code.de> <32B8847FC645964E9F42BB8CCCF0147B246585@MEMEXCH06V.corp.ds.fedex.com> Message-ID: <824pj7tj2j.fsf@mid.bfk.de> * Eric Robinson: > CoreLabs Detects Flaw In GnuPG > By CXOtoday Staff > Mumbai, Mar 9, 2007 Have you seen the publication date? This has already been addressed by new software releases. -- Florian Weimer BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstra?e 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99 From simon at josefsson.org Fri Aug 10 21:15:10 2007 From: simon at josefsson.org (Simon Josefsson) Date: Fri, 10 Aug 2007 21:15:10 +0200 Subject: OpenPGP and usability In-Reply-To: <7yodhf1h7v.fsf@panix.com> (Steven E. Harris's message of "Fri, 10 Aug 2007 09:34:28 -0700") References: <46B8C561.9070101@sixdemonbag.org> <871weeh0jg.fsf__32383.2582952038$1186568488$gmane$org@wheatstone.g10code.de> <87bqdhcqlt.fsf@wheatstone.g10code.de> <46BAC7CC.4010209@mozilla-enigmail.org> <87absz8xvo.fsf@wheatstone.g10code.de> <7yodhf1h7v.fsf@panix.com> Message-ID: <87wsw3mcap.fsf@mocca.josefsson.org> "Steven E. Harris" writes: > Werner Koch writes: > >> Well, the X prefix is not anymore required for user defined headers. > > Was there some change in this prescription? If so, from where? I hadn't > heard about "X-" falling from use. In RFC 822 there was X-, in RFC 2822 it has been removed. X-* is a bad idea: once you want to standardize an experimental header, you have to break the deployment of that header. /Simon From seh at panix.com Sun Aug 12 00:44:11 2007 From: seh at panix.com (Steven E. Harris) Date: Sat, 11 Aug 2007 15:44:11 -0700 Subject: OpenPGP and usability References: <46B8C561.9070101@sixdemonbag.org> <871weeh0jg.fsf__32383.2582952038$1186568488$gmane$org@wheatstone.g10code.de> <87bqdhcqlt.fsf@wheatstone.g10code.de> <46BAC7CC.4010209@mozilla-enigmail.org> <87absz8xvo.fsf@wheatstone.g10code.de> <7yodhf1h7v.fsf@panix.com> <87wsw3mcap.fsf__329.42113834924$1186785557$gmane$org@mocca.josefsson.org> Message-ID: <83absx3d4o.fsf@torus.sehlabs.com> Simon Josefsson writes: > In RFC 822 there was X-, in RFC 2822 it has been removed. April 2001? Apparently this RFC had not yet been published in the cave within which I must be living. > once you want to standardize an experimental header, you have to break > the deployment of that header. Right, and you're usually obligated to then support two headers: the experimental one, and the standardized one, which may have changed from the experimental one by way of "standardization" going beyond canonizing existing practice. -- Steven E. Harris From wk at gnupg.org Sun Aug 12 12:51:32 2007 From: wk at gnupg.org (Werner Koch) Date: Sun, 12 Aug 2007 12:51:32 +0200 Subject: OpenPGP and usability In-Reply-To: <7yodhf1h7v.fsf@panix.com> (Steven E. Harris's message of "Fri, 10 Aug 2007 09:34:28 -0700") References: <46B8C561.9070101@sixdemonbag.org> <871weeh0jg.fsf__32383.2582952038$1186568488$gmane$org@wheatstone.g10code.de> <87bqdhcqlt.fsf@wheatstone.g10code.de> <46BAC7CC.4010209@mozilla-enigmail.org> <87absz8xvo.fsf@wheatstone.g10code.de> <7yodhf1h7v.fsf@panix.com> Message-ID: <873ayphvpn.fsf@wheatstone.g10code.de> On Fri, 10 Aug 2007 18:34, seh at panix.com said: > Was there some change in this prescription? If so, from where? I hadn't > heard about "X-" falling from use. The current standard, RFC2822 does not mention it anymore: 3.6.8. Optional fields Fields may appear in messages that are otherwise unspecified in this standard. They MUST conform to the syntax of an optional-field. This is a field name, made up of the printable US-ASCII characters except SP and colon, followed by a colon, followed by any text which conforms to unstructured. The field names of any optional-field MUST NOT be identical to any field name specified elsewhere in this standard. and the change notices say: 11. Extension header fields no longer specifically called out. In contrast the old rfc822 has very detailed information about extension fields: 4.7.4. EXTENSION-FIELD A limited number of common fields have been defined in this document. As network mail requirements dictate, addi- tional fields may be standardized. To provide user-defined fields with a measure of safety, in name selection, such extension-fields will never have names that begin with the string "X-". Names of Extension-fields are registered with the Network Information Center, SRI International, Menlo Park, California. 4.7.5. USER-DEFINED-FIELD Individual users of network mail are free to define and use additional header fields. Such fields must have names which are not already used in the current specification or in any definitions of extension-fields, and the overall syntax of these user-defined-fields must conform to this specification's rules for delimiting and folding fields. Due to the extension-field publishing process, the name of a user- defined-field may be pre-empted Note: The prefatory string "X-" will never be used in the names of Extension-fields. This provides user-defined fields with a protected set of names. My conclusion is that X- was never required by the standard and that after the 19 years the IETF realized that there was no need for it. There is an obvious advantage of not using "X-": If the use of such an optional field later makes it into a standard, the software does not need to be enhanced to cope with the then standardized field Shalom-Salam, Werner From wk at gnupg.org Sun Aug 12 13:38:30 2007 From: wk at gnupg.org (Werner Koch) Date: Sun, 12 Aug 2007 13:38:30 +0200 Subject: OpenPGP and usability In-Reply-To: <20070810114344.GC689@hell.pl> (Janusz A. Urbanowicz's message of "Fri, 10 Aug 2007 13:43:44 +0200") References: <46B8C561.9070101@sixdemonbag.org> <871weeh0jg.fsf@wheatstone.g10code.de> <20070810114344.GC689@hell.pl> Message-ID: <87hcn5geyx.fsf@wheatstone.g10code.de> On Fri, 10 Aug 2007 13:43, alex at bofh.net.pl said: > At least Thunderbird openly invites plugins and Enigmail is a good one. Let Patrick explain you why there are still problems. Have you ever tried to work with the Mozilla Foundation on allowing better integration of certain plugins? For example supporting non-NSS based crypto? Salam-Shalom, Werner From seh at panix.com Sun Aug 12 17:58:29 2007 From: seh at panix.com (Steven E. Harris) Date: Sun, 12 Aug 2007 08:58:29 -0700 Subject: OpenPGP and usability References: <46B8C561.9070101@sixdemonbag.org> <871weeh0jg.fsf__32383.2582952038$1186568488$gmane$org@wheatstone.g10code.de> <87bqdhcqlt.fsf@wheatstone.g10code.de> <46BAC7CC.4010209@mozilla-enigmail.org> <87absz8xvo.fsf@wheatstone.g10code.de> <7yodhf1h7v.fsf@panix.com> <873ayphvpn.fsf@wheatstone.g10code.de> Message-ID: <83zm0w218u.fsf@torus.sehlabs.com> Werner Koch writes: > My conclusion is that X- was never required by the standard and that > after the 19 years the IETF realized that there was no need for it. Thank you for the detailed explanation. -- Steven E. Harris From patrick at mozilla-enigmail.org Mon Aug 13 09:31:41 2007 From: patrick at mozilla-enigmail.org (Patrick Brunschwig) Date: Mon, 13 Aug 2007 09:31:41 +0200 Subject: OpenPGP and usability In-Reply-To: <87hcn5geyx.fsf__41476.6560927548$1186918933$gmane$org@wheatstone.g10code.de> References: <46B8C561.9070101@sixdemonbag.org> <871weeh0jg.fsf@wheatstone.g10code.de> <20070810114344.GC689@hell.pl> <87hcn5geyx.fsf__41476.6560927548$1186918933$gmane$org@wheatstone.g10code.de> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Werner Koch wrote: > On Fri, 10 Aug 2007 13:43, alex at bofh.net.pl said: > >> At least Thunderbird openly invites plugins and Enigmail is a good one. > > Let Patrick explain you why there are still problems. The user interface may be nice indeed, and the whole extension seems to be quite well-integrated into Thunderbird, but in the background I can tell you there are many hacks and workarounds needed to get things running. Still, after more than 6 years of development, there are parts of the code in Enigmail that I would call fragile > Have you ever tried to work with the Mozilla Foundation on allowing > better integration of certain plugins? For example supporting non-NSS > based crypto? The main problem is that Thunderbird is very open for add-ons related to the user interface, but once you dig into the core of the application, it's no longer so well extensible. This is especially true for some of the existing core parts. Some bits date back to Netscape 4.0 (or even earlier) and have not been redesigned ever since then -- you can imagine what follows now. - -Patrick -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.5 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEVAwUBRsAI3HcOpHodsOiwAQKEUwf9HdlzC7+03LJ9tO/L9I6dcWGiRB9pVNGa MScLKFL1PaiR7HEJu58Ch/CHwXWwPQPG5gjc5icDJWm2ruDtJ6/G7iATnY5L5hIL +5m8PhNAS1lmIFT1yuxsvgsVkTBtL+JVGImTjm95rL2TuTaehpqwYPYM5Ki8hQkK 8OL+d1FLz2ZR/toLD8Xa4bD1gwqC/ml7+1qnmnzc82EJ3V1sAfuMohs3+vnrTN5Y 9+KfP9QyVbVeUMWdDRQG5KxJn5oysnz61r46RmCSIIuE9G/aWUHf6wxSLoR0JPX6 HISmJF2T/COEYzh2QolwBfAUM1ceCvsblfgxsZCKmXEy2x4xXYS57w== =f+42 -----END PGP SIGNATURE----- From tkittredge at bancfirst.com Wed Aug 15 16:30:00 2007 From: tkittredge at bancfirst.com (trkghost) Date: Wed, 15 Aug 2007 07:30:00 -0700 (PDT) Subject: Importing a key from PGP Message-ID: <12163176.post@talk.nabble.com> I am trying to import this one key from PGP and keep getting this error... C:\Program Files\GNU\GnuPG>gpg --import "Company Name.asc" gpg: public key XXXXXXX is 21450 seconds newer than the signature gpg: public key XXXXXXX is 21450 seconds newer than the signature gpg: key XXXXXXX: no valid user IDs gpg: this may be caused by a missing self-signature gpg: Total number processed: 1 gpg: w/o user IDs: 1 Does anyone have any suggestions around this issue? Thank you -- View this message in context: http://www.nabble.com/Importing-a-key-from-PGP-tf4273484.html#a12163176 Sent from the GnuPG - User mailing list archive at Nabble.com. From dshaw at jabberwocky.com Wed Aug 15 18:59:33 2007 From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 15 Aug 2007 12:59:33 -0400 Subject: Importing a key from PGP In-Reply-To: <12163176.post@talk.nabble.com> References: <12163176.post@talk.nabble.com> Message-ID: <20070815165933.GB12739@jabberwocky.com> On Wed, Aug 15, 2007 at 07:30:00AM -0700, trkghost wrote: > > I am trying to import this one key from PGP and keep getting this error... > > C:\Program Files\GNU\GnuPG>gpg --import "Company Name.asc" > gpg: public key XXXXXXX is 21450 seconds newer than the signature > gpg: public key XXXXXXX is 21450 seconds newer than the signature > gpg: key XXXXXXX: no valid user IDs > gpg: this may be caused by a missing self-signature > gpg: Total number processed: 1 > gpg: w/o user IDs: 1 > > Does anyone have any suggestions around this issue? gpg --ignore-time-conflict David From wk at gnupg.org Thu Aug 16 16:10:30 2007 From: wk at gnupg.org (Werner Koch) Date: Thu, 16 Aug 2007 16:10:30 +0200 Subject: [Announce] GnuPG 2.0.6 released Message-ID: <871we3po2x.fsf@wheatstone.g10code.de> Hello! We are pleased to announce the availability of a new stable GnuPG-2 release: Version 2.0.6 This is maintenance release with a few minor enhancements. The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data, create digital signatures, help authenticating using Secure Shell and to provide a framework for public key cryptography. It includes an advanced key management facility and is compliant with the OpenPGP and S/MIME standards. GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.6) in that it splits up functionality into several modules. However, both versions may be installed alongside without any conflict. In fact, the gpg version from GnuPG-1 is able to make use of the gpg-agent as included in GnuPG-2 and allows for seamless passphrase caching. The advantage of GnuPG-1 is its smaller size and the lack of dependency on other modules at run and build time. We will keep maintaining GnuPG-1 versions because they are very useful for small systems and for server based applications requiring only OpenPGP support. GnuPG is distributed under the terms of the GNU General Public License (GPL). GnuPG-2 works best on GNU/Linux or *BSD systems. What's New =========== * GPGSM does now grok --default-key. * GPGCONF is now aware of --default-key and --encrypt-to. * GPGSM does again correctly print the serial number as well the the various keyids. This was broken since 2.0.4. * New option --validation-model and support for the chain-model. * Improved Windows support. Getting the Software ==================== Please follow the instructions found at http://www.gnupg.org/download/ or read on: GnuPG 2.0.6 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/gnupg/ . The list of mirrors can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not available at ftp.gnu.org. On the FTP server and ist mirrors you should find the following files in the gnupg/ directory: gnupg-2.0.6.tar.bz2 (3482k) gnupg-2.0.6.tar.bz2.sig GnuPG source compressed using BZIP2 and OpenPGP signature. gnupg-2.0.5-2.0.6.diff.bz2 (46k) A patch file to upgrade a 2.0.5 GnuPG source tree. This patch does not include updates of the language files. Note, that we don't distribute gzip compressed tarballs. Checking the Integrity ====================== In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-2.0.6.tar.bz2 you would use this command: gpg --verify gnupg-2.0.6.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using the command finger wk ,at' g10code.com or using a keyserver like gpg --recv-key 1CE0C630 The distribution key 1CE0C630 is signed by the well known key 5B0358A2. If you get an key expired message, you should retrieve a fresh copy as the expiration date might have been prolonged. NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION! * If you are not able to use an old version of GnuPG, you have to verify the SHA-1 checksum. Assuming you downloaded the file gnupg-2.0.6.tar.bz2, you would run the sha1sum command like this: sha1sum gnupg-2.0.6.tar.bz2 and check that the output matches the first line from the following list: 4aa9a3ecc954126cfc0a30bef94ec6e1fbbc7009 gnupg-2.0.6.tar.bz2 20ea4caaf8f2ff6c5432221f48601ba9162871ea gnupg-2.0.5-2.0.6.diff.bz2 Internationalization ==================== GnuPG comes with support for 27 languages. Due to a lot of new and changed strings most translations are not entirely complete. The Swedish, Turkish, German and Russian translations close to be complete. Documentation ============= We are currently working on an installation guide to explain in more detail how to configure the new features. As of now the chapters on gpg-agent and gpgsm include brief information on how to set up the whole thing. Please watch the GnuPG website for updates of the documentation. In the meantime you may search the GnuPG mailing list archives or ask on the gnupg-users mailing lists for advise on how to solve problems. Many of the new features are around for several years and thus enough public knowledge is already available. KDE's KMail is the most prominent user of GnuPG. In fact it has been developed along with the Kmail folks. Mutt users might want to use the configure option "--enable-gpgme" and "set use_crypt_gpgme" in ~/.muttrc to make use of GnuPG-2 to enable S/MIME in addition to a reworked OpenPGP support. The manual is also available online in HTML format at http://www.gnupg.org/documentation/manuals/gnupg/ and in Portable Document Format at http://www.gnupg.org/documentation/manuals/gnupg.pdf . Support ======= Improving GnuPG is costly, but you can help! We are looking for organizations that find GnuPG useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or by donating money. Commercial support contracts for GnuPG are available, and they help finance continued maintenance. g10 Code GmbH, a Duesseldorf based company owned and headed by GnuPG's principal author, is currently funding GnuPG development. We are always looking for interesting development projects. The GnuPG service directory is available at: http://www.gnupg.org/service.html Thanks ====== We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word or answering questions on the mailing lists. Happy Hacking, The GnuPG Team (David, Marcus, Werner and all other contributors) -- Die Gedanken sind frei. Auschnahmen regelt ein Bundeschgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 196 bytes Desc: not available Url : /pipermail/attachments/20070816/359fca2f/attachment-0001.pgp -------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From patrick at mozilla-enigmail.org Fri Aug 17 08:44:53 2007 From: patrick at mozilla-enigmail.org (Patrick Brunschwig) Date: Fri, 17 Aug 2007 08:44:53 +0200 Subject: [Announce] GnuPG 2.0.6 released In-Reply-To: <871we3po2x.fsf__1516.63684887371$1187274987$gmane$org@wheatstone.g10code.de> References: <871we3po2x.fsf__1516.63684887371$1187274987$gmane$org@wheatstone.g10code.de> Message-ID: <46C543E5.7010409@mozilla-enigmail.org> Werner Koch wrote: > > * Improved Windows support. Werner, do you also plan to create binary releases (i.e. installers) for Windows? -Patrick From wk at gnupg.org Fri Aug 17 09:53:24 2007 From: wk at gnupg.org (Werner Koch) Date: Fri, 17 Aug 2007 09:53:24 +0200 Subject: [Announce] GnuPG 2.0.6 released In-Reply-To: <46C543E5.7010409@mozilla-enigmail.org> (Patrick Brunschwig's message of "Fri, 17 Aug 2007 08:44:53 +0200") References: <871we3po2x.fsf__1516.63684887371$1187274987$gmane$org@wheatstone.g10code.de> <46C543E5.7010409@mozilla-enigmail.org> Message-ID: <87odh6ioln.fsf@wheatstone.g10code.de> On Fri, 17 Aug 2007 08:44, patrick at mozilla-enigmail.org said: > Werner, do you also plan to create binary releases (i.e. installers) for > Windows? See www.gpg4win.org - 1.1.2 has been released. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahmen regelt ein Bundeschgesetz. From ladislav.hagara at unob.cz Fri Aug 17 09:38:29 2007 From: ladislav.hagara at unob.cz (Ladislav Hagara) Date: Fri, 17 Aug 2007 09:38:29 +0200 Subject: [Announce] GnuPG 2.0.6 released In-Reply-To: <46C543E5.7010409@mozilla-enigmail.org> References: <871we3po2x.fsf__1516.63684887371$1187274987$gmane$org@wheatstone.g10code.de> <46C543E5.7010409@mozilla-enigmail.org> Message-ID: <46C55075.5010105@unob.cz> > >> * Improved Windows support. > Werner, do you also plan to create binary releases (i.e. installers) for > Windows? GnuPG 2.0.6 is included in new Gpg4win (1.1.2). http://www.gpg4win.org/ -- Ladislav Hagara From tkittredge at bancfirst.com Fri Aug 17 14:24:35 2007 From: tkittredge at bancfirst.com (trkghost) Date: Fri, 17 Aug 2007 05:24:35 -0700 (PDT) Subject: Importing a key from PGP In-Reply-To: <20070815165933.GB12739@jabberwocky.com> References: <12163176.post@talk.nabble.com> <20070815165933.GB12739@jabberwocky.com> Message-ID: <12198667.post@talk.nabble.com> David Shaw wrote: > > On Wed, Aug 15, 2007 at 07:30:00AM -0700, trkghost wrote: >> >> I am trying to import this one key from PGP and keep getting this >> error... >> >> C:\Program Files\GNU\GnuPG>gpg --import "Company Name.asc" >> gpg: public key XXXXXXX is 21450 seconds newer than the signature >> gpg: public key XXXXXXX is 21450 seconds newer than the signature >> gpg: key XXXXXXX: no valid user IDs >> gpg: this may be caused by a missing self-signature >> gpg: Total number processed: 1 >> gpg: w/o user IDs: 1 >> >> Does anyone have any suggestions around this issue? > > gpg --ignore-time-conflict > > David > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > David, Thank you that helped out alot. We were able to get the key imported but how would I incorperate that line into the encryption process? I tried a few different ways but it keeps getting errored out. We have a batch file setup to encrypt and here is the line we use...Any help would be greatly appriciated. "D:\Program Files\GNU\GnuPG\GPG" -q --yes --pgp7 -e -a -r %2 %1 -- View this message in context: http://www.nabble.com/Importing-a-key-from-PGP-tf4273484.html#a12198667 Sent from the GnuPG - User mailing list archive at Nabble.com. From JPClizbe at tx.rr.com Fri Aug 17 19:29:57 2007 From: JPClizbe at tx.rr.com (John Clizbe) Date: Fri, 17 Aug 2007 12:29:57 -0500 Subject: Importing a key from PGP In-Reply-To: <12198667.post@talk.nabble.com> References: <12163176.post@talk.nabble.com> <20070815165933.GB12739@jabberwocky.com> <12198667.post@talk.nabble.com> Message-ID: <46C5DB15.5040407@tx.rr.com> trkghost wrote: > > > David Shaw wrote: >> >> On Wed, Aug 15, 2007 at 07:30:00AM -0700, trkghost wrote: >>> >>> I am trying to import this one key from PGP and keep getting this >>> error... >>> >>> C:\Program Files\GNU\GnuPG>gpg --import "Company Name.asc" >>> gpg: public key XXXXXXX is 21450 seconds newer than the signature >>> gpg: public key XXXXXXX is 21450 seconds newer than the signature >>> gpg: key XXXXXXX: no valid user IDs >>> gpg: this may be caused by a missing self-signature >>> gpg: Total number processed: 1 >>> gpg: w/o user IDs: 1 >>> >>> Does anyone have any suggestions around this issue? >> >> gpg --ignore-time-conflict > Thank you that helped out alot. We were able to get the key imported but > how would I incorperate that line into the encryption process? I tried a > few different ways but it keeps getting errored out. > > We have a batch file setup to encrypt and here is the line we use...Any > help would be greatly appreciated. > > "D:\Program Files\GNU\GnuPG\GPG" -q --yes --pgp7 -e -a -r %2 %1 Add it to your encryption command line ...\GnuPG\GPG" --ignore-time-conflict -q --yes --pgp7 -e -a -r %2 %1 or add ignore-time-conflict to gpg.conf gpg.conf is just a text file of settings and options to gpg. It normally is found in the GnuPG homedir along with your keyring files. 'gpg --version' will tell you the location being used by GnuPG. On Windows, the default location is the expansion of %APPDATA%\GnuPG -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 663 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20070817/66cd2996/attachment.pgp From kara.ml at arcor.de Sat Aug 18 12:32:54 2007 From: kara.ml at arcor.de (kara.ml at arcor.de) Date: Sat, 18 Aug 2007 12:32:54 +0200 Subject: [Announce] GnuPG 2.0.6 released In-Reply-To: <87odh6ioln.fsf@wheatstone.g10code.de> References: <871we3po2x.fsf__1516.63684887371$1187274987$gmane$org@wheatstone.g10code.de> <46C543E5.7010409@mozilla-enigmail.org> <87odh6ioln.fsf@wheatstone.g10code.de> Message-ID: <46C6CAD6.1060201@arcor.de> Hi, > On Fri, 17 Aug 2007 08:44, patrick at mozilla-enigmail.org said: > >> Werner, do you also plan to create binary releases (i.e. installers) for >> Windows? > > See www.gpg4win.org - 1.1.2 has been released. Isn't bzip2 compression supported any longer? Because with 1.1.2 i get: gpg --version gpg (GnuPG) 1.4.7 Komprimierung: nicht komprimiert (Z0), ZIP (Z1), ZLIB (Z2) gpg2 --version gpg (GnuPG) 2.0.6 Komprimierung: nicht komprimiert (Z0), ZIP (Z1), ZLIB (Z2) And i miss Z3. With personal-compress-preferences Z3 Z2 Z1 default-preference-list ...Z3 Z2 Z1 gpg complained after the first start. -- Ciao Kai http://kairaven.de/ From wk at gnupg.org Mon Aug 20 10:59:26 2007 From: wk at gnupg.org (Werner Koch) Date: Mon, 20 Aug 2007 10:59:26 +0200 Subject: [Announce] GnuPG 2.0.6 released In-Reply-To: <46C6CAD6.1060201@arcor.de> (kara ml's message of "Sat, 18 Aug 2007 12:32:54 +0200") References: <871we3po2x.fsf__1516.63684887371$1187274987$gmane$org@wheatstone.g10code.de> <46C543E5.7010409@mozilla-enigmail.org> <87odh6ioln.fsf@wheatstone.g10code.de> <46C6CAD6.1060201@arcor.de> Message-ID: <871wdy7f9t.fsf@wheatstone.g10code.de> On Sat, 18 Aug 2007 12:32, kara.ml at arcor.de said: > Isn't bzip2 compression supported any longer? > Because with 1.1.2 i get: I can't remember that we ever supported bzip 2 under Windows. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahmen regelt ein Bundeschgesetz. From kara.ml at arcor.de Mon Aug 20 11:13:39 2007 From: kara.ml at arcor.de (Kai Raven) Date: Mon, 20 Aug 2007 11:13:39 +0200 Subject: [Announce] GnuPG 2.0.6 released In-Reply-To: <871wdy7f9t.fsf@wheatstone.g10code.de> References: <871we3po2x.fsf__1516.63684887371$1187274987$gmane$org@wheatstone.g10code.de> <46C543E5.7010409@mozilla-enigmail.org> <87odh6ioln.fsf@wheatstone.g10code.de> <46C6CAD6.1060201@arcor.de> <871wdy7f9t.fsf@wheatstone.g10code.de> Message-ID: <46C95B43.6000705@arcor.de> Hi, > On Sat, 18 Aug 2007 12:32, kara.ml at arcor.de said: > >> Isn't bzip2 compression supported any longer? >> Because with 1.1.2 i get: > > I can't remember that we ever supported bzip 2 under Windows. What? From gpg4win 1.0.9/GnuPG 1.4.7: Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3) I have used Z3 all the time with former versions. Ciao Kai From wk at gnupg.org Mon Aug 20 12:42:50 2007 From: wk at gnupg.org (Werner Koch) Date: Mon, 20 Aug 2007 12:42:50 +0200 Subject: [Announce] GnuPG 2.0.6 released In-Reply-To: <46C95B43.6000705@arcor.de> (Kai Raven's message of "Mon, 20 Aug 2007 11:13:39 +0200") References: <871we3po2x.fsf__1516.63684887371$1187274987$gmane$org@wheatstone.g10code.de> <46C543E5.7010409@mozilla-enigmail.org> <87odh6ioln.fsf@wheatstone.g10code.de> <46C6CAD6.1060201@arcor.de> <871wdy7f9t.fsf@wheatstone.g10code.de> <46C95B43.6000705@arcor.de> Message-ID: <87vebafpw5.fsf@wheatstone.g10code.de> On Mon, 20 Aug 2007 11:13, kara.ml at arcor.de said: > Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3) Interesting. I switched the box used to build the installer at some point and the fresh toolchain there does not come with libbz2. On the old box I used a toolchain with libbz2.a in the lib directory, configure figured that out and thus build with bzip2 support. It was linked statically so it was not obvious that there is BZIP2 support. I'll make bzip2 support explicit for the next release. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahmen regelt ein Bundeschgesetz. From sven at radde.name Mon Aug 20 11:29:28 2007 From: sven at radde.name (Sven Radde) Date: Mon, 20 Aug 2007 11:29:28 +0200 Subject: [Announce] GnuPG 2.0.6 released In-Reply-To: <871wdy7f9t.fsf@wheatstone.g10code.de> References: <871we3po2x.fsf__1516.63684887371$1187274987$gmane$org@wheatstone.g10code.de> <46C543E5.7010409@mozilla-enigmail.org> <87odh6ioln.fsf@wheatstone.g10code.de> <46C6CAD6.1060201@arcor.de> <871wdy7f9t.fsf@wheatstone.g10code.de> Message-ID: <46C95EF8.5030004@radde.name> Hi! Werner Koch schrieb: > I can't remember that we ever supported bzip 2 under Windows. Here you go (installed gpg4win v1.1.0): C:\Programme\GnuPG>gpg --version gpg (GnuPG) 1.4.7 (...) Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 Interestingly, though, my keys do not indicate recipient's preference/support for BZIP2. I don't remember whether this was an intentional decision by me at the time when I created/exported the key or whether it was default then... Therefore, at least for me, the change doesn't seem to break anything. I am not sure whether other people would have to re-publish their keys. cu, Sven From maccrest at gmail.com Mon Aug 20 13:34:21 2007 From: maccrest at gmail.com (Crest) Date: Mon, 20 Aug 2007 13:34:21 +0200 Subject: [Announce] GnuPG 2.0.6 released In-Reply-To: <46C95B43.6000705@arcor.de> References: <871we3po2x.fsf__1516.63684887371$1187274987$gmane$org@wheatstone.g10code.de> <46C543E5.7010409@mozilla-enigmail.org> <87odh6ioln.fsf@wheatstone.g10code.de> <46C6CAD6.1060201@arcor.de> <871wdy7f9t.fsf@wheatstone.g10code.de> <46C95B43.6000705@arcor.de> Message-ID: <94A20C13-3FFA-4763-829E-8677BD2A405B@googlemail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Am 20.08.2007 um 11:13 schrieb Kai Raven: > Hi, > >> On Sat, 18 Aug 2007 12:32, kara.ml at arcor.de said: >> >>> Isn't bzip2 compression supported any longer? >>> Because with 1.1.2 i get: >> >> I can't remember that we ever supported bzip 2 under Windows. > > What? From gpg4win 1.0.9/GnuPG 1.4.7: > > Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3) > > I have used Z3 all the time with former versions. > > Ciao > Kai I used bzip2 for a while now an one day about a month ago i send a mail to a windows user an he was unable to open the mail bc his gpg installation didn't support bzip2. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (Darwin) iQIVAwUBRsl8Pf950yjRhRAFAQqrBQ/+NdperX5J5i+cakZY0cRG8MF2zNWHjOMq 1r445xG/SSBIFMA3tSw6d5zjIt6MV8ch4WeeNeyqnrzqbLYVbwBMMA6aw8gXziJI hOw5T+UoeUISdWzPdqna3O1Z9gJvTbhpVAV7iqIGeDw76mY68eDazjeTJaIiguAI sF5bbUv5tdlZHijX0ntaqg4anqEtiuN5ZLAX8/4ybNupA9pHq4QfrzoX+7ZlT6/V Iq1J0SrKmu4j2fur6T8HKYqXqaNDCtz8+InfWxxNLt+jaRulXKXP3+1phUji0vbX sUnJwrwEzW3Ha8OoefqnJ5BUyydD597XNdVKoxeqtttD3s/jPOZZIkNCtmp1Fuju zwRLTlfqFsWe+3Dzn8cUsc0KYERnVgozzsMdgc/lNfbirKtiek4D/b1A9SZ2kbT6 /YGbY+/bPR4Hxd7O2xr8Te/yy5pnqKoyfTfIA3TXbyA+iohA2K/TGjex6OLXHlCZ J+aJ+fa88bbfDo0I+BfENhvB76azSudmYLTxetNAICiTvaU8iPfFAwS8BRe/PFu/ 4qkFo/WBn5N8JXJTZE7yr5ZAONEBGnhsXAAAMvKLtaqodU+MUxIobX0I7sc/SXmR +2taVj4pZIRb+/9KzEYv2i619UE4BkNcKWrjmSMGpw45DoFZyOPg+LIg7A7DPMGA 4JM95FsO4jE= =dS2a -----END PGP SIGNATURE----- From sriharivijayaraghavan at yahoo.com.au Mon Aug 20 14:10:31 2007 From: sriharivijayaraghavan at yahoo.com.au (Srihari Vijayaraghavan) Date: Mon, 20 Aug 2007 22:10:31 +1000 (EST) Subject: GnuPG & OpenSSH Message-ID: <81945.9244.qm@web52607.mail.re2.yahoo.com> I've lightly read through a few gnupg man & info pages, though my questions might sound like FAQ or outright annoying :-). I'm a happy user with OpenSSH & GPG independently, but of late am trying to find if it's possible to unify them with just a key pair. 1. Is it possible to have only one key pair (public & secret pref. DSA) that can be used for both GPG & OpenSSH? (as a sys admin of some interest in cryptography, this is an important question) 2. Is gpg-agent, SSH agent service provided by GPG etc. somehow useful only when one has a card reader? Or put it other way, is it useful even when one has no card reader? 3. Am I missing a simple 'GPG/OpenSSH unification for dummies' (dummies like me :-)) with a few solid examples on unifying GPG (keys - including exporting GPG public key to add into .ssh/authorized_keys, gpg-agent) with OpenSSH client side? The potentials are huge if OpenSSH & GPG can share the same key pair, I reckon. I wish somebody writes a nice article on one of the reputed computer magazines about this topic, with simple pictures & hands on procedures etc. (A careful reader would notice I've carefully constructed questions to lead to yes or no type of answers to avoid any ambiguity, as at this stage I should be delighted with such answers alone on the concepts/ideas/idioms. You're welcome to point me to any additional materials, of course.) Thanks in advance. Srihari PS: Keep up the good work on GPG. ____________________________________________________________________________________ Feel safe with award winning spam protection on Yahoo!7 Mail. http://mail.yahoo.com.au From signallock at gmail.com Mon Aug 20 14:29:55 2007 From: signallock at gmail.com (Victor Stuart) Date: Mon, 20 Aug 2007 20:29:55 +0800 Subject: A Passphrase Problem Message-ID: <2bfbe2040708200529jb02d4dfxf9862ed508209668@mail.gmail.com> Hi all, I'm a newbie, and have some problems with the software. I generated a pair of keys, and set the password for the secret key. Then I just noticed the option "--passphrase-file" in the manual, and quite appreciated that. I wanted to use a file as a passphrase, instead of a string. So I just did this: I edited the key, erased the original passphrase, and then typed "gpg --passphrase-file xxx --edit xxx" Command>passwd Finally I changed the passphrase to the file xxx successfully. But just then I found a serious problem, how can I change the passphrase? I tried to use the option "--passphrase-file " again but it didn't work. Original passphrase-file needed before I could change it. I am puzzling #_# Do you have any idea to help me change it back or, must revoke it? Victor Stuart From wk at gnupg.org Mon Aug 20 16:56:16 2007 From: wk at gnupg.org (Werner Koch) Date: Mon, 20 Aug 2007 16:56:16 +0200 Subject: [Announce] GnuPG 2.0.6 released In-Reply-To: <94A20C13-3FFA-4763-829E-8677BD2A405B@googlemail.com> (maccrest@gmail.com's message of "Mon, 20 Aug 2007 13:34:21 +0200") References: <871we3po2x.fsf__1516.63684887371$1187274987$gmane$org@wheatstone.g10code.de> <46C543E5.7010409@mozilla-enigmail.org> <87odh6ioln.fsf@wheatstone.g10code.de> <46C6CAD6.1060201@arcor.de> <871wdy7f9t.fsf@wheatstone.g10code.de> <46C95B43.6000705@arcor.de> <94A20C13-3FFA-4763-829E-8677BD2A405B@googlemail.com> Message-ID: <87r6lycl0v.fsf@wheatstone.g10code.de> On Mon, 20 Aug 2007 13:34, maccrest at gmail.com said: > I used bzip2 for a while now an one day about a month ago i send a > mail to a windows user an he was unable to open the mail bc his gpg > installation didn't support bzip2. BZIP2 is an optional OpenPGP feature and not widely used. Using it will likely lead to such problems. The preference system should help here but in practise people sometimes change their implementation and thus the preference are not anymore valid. There is usually no need for bzip2 compression; if you really need to send a very large file, compress it first with an external program and then encrypt it. The standard compression is sufficient in almost all cases. I have now integrated BZIP2 support explicily into the installer and the next release will support it. I hope to do a release next week. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahmen regelt ein Bundeschgesetz. From signallock at gmail.com Mon Aug 20 16:17:03 2007 From: signallock at gmail.com (Victor Stuart) Date: Mon, 20 Aug 2007 22:17:03 +0800 Subject: [Announce] GnuPG 2.0.6 released In-Reply-To: <94A20C13-3FFA-4763-829E-8677BD2A405B@googlemail.com> References: <871we3po2x.fsf__1516.63684887371$1187274987$gmane$org@wheatstone.g10code.de> <46C543E5.7010409@mozilla-enigmail.org> <87odh6ioln.fsf@wheatstone.g10code.de> <46C6CAD6.1060201@arcor.de> <871wdy7f9t.fsf@wheatstone.g10code.de> <46C95B43.6000705@arcor.de> <94A20C13-3FFA-4763-829E-8677BD2A405B@googlemail.com> Message-ID: <2bfbe2040708200717t27baf352tb896acea18c3c0b9@mail.gmail.com> On 8/20/07, Crest wrote: > Am 20.08.2007 um 11:13 schrieb Kai Raven: > > > Hi, > > > >> On Sat, 18 Aug 2007 12:32, kara.ml at arcor.de said: > >> > >>> Isn't bzip2 compression supported any longer? > >>> Because with 1.1.2 i get: > >> > >> I can't remember that we ever supported bzip 2 under Windows. > > > > What? From gpg4win 1.0.9/GnuPG 1.4.7: > > > > Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3) > > > > I have used Z3 all the time with former versions. > > > > Ciao > > Kai > > I used bzip2 for a while now an one day about a month ago i send a > mail to a windows user an he was unable to open the mail bc his gpg > installation didn't support bzip2. Well, I use GnuPG 1.4.7 and 2.0.6 compiled by MingW32, they don't support bzip2. From wk at gnupg.org Mon Aug 20 17:49:44 2007 From: wk at gnupg.org (Werner Koch) Date: Mon, 20 Aug 2007 17:49:44 +0200 Subject: GnuPG & OpenSSH In-Reply-To: <81945.9244.qm@web52607.mail.re2.yahoo.com> (Srihari Vijayaraghavan's message of "Mon, 20 Aug 2007 22:10:31 +1000 (EST)") References: <81945.9244.qm@web52607.mail.re2.yahoo.com> Message-ID: <87absmcijr.fsf@wheatstone.g10code.de> On Mon, 20 Aug 2007 14:10, sriharivijayaraghavan at yahoo.com.au said: > 1. Is it possible to have only one key pair (public & secret pref. DSA) that > can be used for both GPG & OpenSSH? (as a sys admin of some interest in > cryptography, this is an important question) Yes. However you want separate keys for separate tasks. Fortunately OpenPGP provides just that: There is a primary key for certifying other keys (and subkeys) and subkeys for encryption, signing and authentication. The authentication key may be used for SSH. > 2. Is gpg-agent, SSH agent service provided by GPG etc. somehow useful only > when one has a card reader? Or put it other way, is it useful even when one > has no card reader? Yes, I use it mostly without a card. This allows for a nice passphrase prompting and caching by gpg-agent. No more need for ssh-add. > 3. Am I missing a simple 'GPG/OpenSSH unification for dummies' (dummies like > me :-)) with a few solid examples on unifying GPG (keys - including exporting > GPG public key to add into .ssh/authorized_keys, gpg-agent) with OpenSSH > client side? Me too ;-). There are some text fragments floating around but there is no real HOWTO. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahmen regelt ein Bundeschgesetz. From jmoore3rd at bellsouth.net Mon Aug 20 17:34:37 2007 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Mon, 20 Aug 2007 11:34:37 -0400 Subject: [Announce] GnuPG 2.0.6 released In-Reply-To: <2bfbe2040708200717t27baf352tb896acea18c3c0b9@mail.gmail.com> References: <871we3po2x.fsf__1516.63684887371$1187274987$gmane$org@wheatstone.g10code.de> <46C543E5.7010409@mozilla-enigmail.org> <87odh6ioln.fsf@wheatstone.g10code.de> <46C6CAD6.1060201@arcor.de> <871wdy7f9t.fsf@wheatstone.g10code.de> <46C95B43.6000705@arcor.de> <94A20C13-3FFA-4763-829E-8677BD2A405B@googlemail.com> <2bfbe2040708200717t27baf352tb896acea18c3c0b9@mail.gmail.com> Message-ID: <46C9B48D.5060800@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Victor Stuart wrote: > Well, I use GnuPG 1.4.7 and 2.0.6 compiled by MingW32, they don't > support bzip2. I Compile the 1.4.Branch using MinGW & I have bzip2. Did You remember to include it when compiling? JOHN ;) Timestamp: Monday 20 Aug 2007, 11:33 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8-svn4556: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: http://www.gswot.org Comment: My Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJGybSLAAoJEBCGy9eAtCsP53YH/RDo6Amh3ttJ5u0Yk0vbsnkn 2WYemATEYS5zG5D+ikf/WkDweVfUWUSTVpYVcRmw7luWtVFEteb02XXx/r+ACLUk EtzHED0zjprWgAxZ8hDzWAabWbXgA7V5sau26gx0jIE6Ho2jKLIYvFe3ML33QY02 AbOTss75ECVuzcu6XQJwMb1MMZ4bZLazCH+4G6bOqeJg4YdE1ZZuTWYofGxJ3zvI ybNVPrqJGUBF0rLoLeDuaFqFpx14VpvWmF7Ul4J6ue93p6QpluyD2SPYIFFQqSVm BHh2OYyACVLL7u7+I4jRa3jWNp+uYATPUrNuln+fPXFOPj23xPqKcga1C4MIzzY= =+/rr -----END PGP SIGNATURE----- From JPClizbe at tx.rr.com Mon Aug 20 18:20:01 2007 From: JPClizbe at tx.rr.com (John Clizbe) Date: Mon, 20 Aug 2007 11:20:01 -0500 Subject: [Announce] GnuPG 2.0.6 released In-Reply-To: <2bfbe2040708200717t27baf352tb896acea18c3c0b9@mail.gmail.com> References: <871we3po2x.fsf__1516.63684887371$1187274987$gmane$org@wheatstone.g10code.de> <46C543E5.7010409@mozilla-enigmail.org> <87odh6ioln.fsf@wheatstone.g10code.de> <46C6CAD6.1060201@arcor.de> <871wdy7f9t.fsf@wheatstone.g10code.de> <46C95B43.6000705@arcor.de> <94A20C13-3FFA-4763-829E-8677BD2A405B@googlemail.com> <2bfbe2040708200717t27baf352tb896acea18c3c0b9@mail.gmail.com> Message-ID: <46C9BF31.9020402@tx.rr.com> Victor Stuart wrote: > Well, I use GnuPG 1.4.7 and 2.0.6 compiled by MingW32, they don't > support bzip2. Well, maybe not the 1.4.7 you are using from GPG4WIN as Werner pointed out earlier, but it *is* part of the 1.4.7 available from gnupg.org. Installer available at: ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.7.exe C:\WINDOWS>gpg --version gpg (GnuPG) 1.4.7 Copyright (C) 2006 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 BTW, MinGW32 refers to a compiler (MINimalist Gnu for Windows32), not any group. All GnuPG builds for Windows will say MinGW regardless of who does the packaging unless the builder plays with config.h before running make. -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 663 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20070820/61d36229/attachment.pgp From mo at g10code.com Mon Aug 20 17:37:06 2007 From: mo at g10code.com (Moritz Schulte) Date: Mon, 20 Aug 2007 17:37:06 +0200 Subject: GnuPG & OpenSSH In-Reply-To: <81945.9244.qm@web52607.mail.re2.yahoo.com> References: <81945.9244.qm@web52607.mail.re2.yahoo.com> Message-ID: <13492.1187624226@localhost.localdomain> A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 199 bytes Desc: not available Url : /pipermail/attachments/20070820/ff65f604/attachment.pgp From hhhobbit at securemecca.net Mon Aug 20 20:29:37 2007 From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Mon, 20 Aug 2007 12:29:37 -0600 Subject: Compression routines - please include 7-Zip In-Reply-To: References: Message-ID: <46C9DD91.7050401@securemecca.net> Werner: F?r die Unterzeichnung danke. This is amazing for somebody whose father was run out of nothern Mexico (Me-hico) by Pancho Villa's raiders. I have been using the 7-Zip compression long enough to give Igor Pavlov the nod he has longed for. Bzip2 is good. 7-Zip is better. If you want to know how much better I will I give you the install for our PAC filter in 7-Zip. Reply out of group and I will give you the goods. It works in both Anglais (Etas-Unis) and Fran?ais. It is so blisteringly fast that it is time to give credit where credit is due. I had it updating our (my?) PAC filter. Even with copying the executable for 7zip.exe on Windows it is so blisteringly fast I can't believe it. I am used to the forty years that Microsoft takes. When it is done almost instantaneously (the word comes from Latin to Fran?ais to Anglais) it shocked me! What I need is more security for the sig downloads to guarantee that things are okay (email me for the script that will be available in a few hours). Tell Richard Stallman to stop toking up long enough so that we can discuss this and head it in the right direction. Other than the fact that 7-Zip does not store the UID/GID it is the best compression algorithm out there. It is only marginally better than BZIP2 but it is infinitely better than ZIP or RAR. If we can adopt it as a standard in OpenPGP it may be all that is needed to go to the next level. Why go half-way when you can go all the way? The UID/GID problem has no meaning in email anyway. What I am begging for is people to make the install of 7-Zip not optional but mandatory. In the past month I told somebody to stuff it because they refused to use it on Windows. It was the best thing that happened in my life. I have a French speaking friend who is infinitely better than all of my English speaking friends. Thanks for listening. I am too tired right now. I have to take a nap. HHH From james at freecharity.org.uk Mon Aug 20 21:26:16 2007 From: james at freecharity.org.uk (James Davis) Date: Mon, 20 Aug 2007 20:26:16 +0100 Subject: GnuPG & OpenSSH In-Reply-To: <87absmcijr.fsf@wheatstone.g10code.de> References: <81945.9244.qm@web52607.mail.re2.yahoo.com> <87absmcijr.fsf@wheatstone.g10code.de> Message-ID: <46C9EAD8.6060508@freecharity.org.uk> Werner Koch wrote: > Me too ;-). There are some text fragments floating around but there is > no real HOWTO. Steps 1-4 on this page still apply if you're not using a smart card. You'll want to use ssh-add to add keys rather than expect it to pick them up automatically though. http://www.fsfe.org/fellows/greve/freedom_bits/authenticating_ssh_logins_with_the_fellowship_crypto_card That and gpg-agent's man page were enough to get me familiar with these features. James -- FreeCharity.org.uk - Free hosting for charities and non-profits WordPress and Blogging Consultancy - (01348) 800101 From rjh at sixdemonbag.org Mon Aug 20 21:46:13 2007 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 20 Aug 2007 14:46:13 -0500 Subject: Compression routines - please include 7-Zip In-Reply-To: <46C9DD91.7050401@securemecca.net> References: <46C9DD91.7050401@securemecca.net> Message-ID: <46C9EF85.20702@sixdemonbag.org> Henry Hertz Hobbit wrote: > I am used to the forty years that Microsoft takes. MS's implementation of zip compression is known to be ridiculously slow. Most other zip implementations are orders of magnitude faster. > Tell Richard Stallman to stop toking up long enough so that we can > discuss this and head it in the right direction. RMS is not a core contributor for the GnuPG project. He is also not on the IETF OpenPGP working group. If you are interested in pitching this, I would suggest pitching it to the IETF. GnuPG's typical position is to only support the RFC, without any embrace-and-extend. From bahamut at digital-signal.net Mon Aug 20 22:20:24 2007 From: bahamut at digital-signal.net (Andrew Berg) Date: Mon, 20 Aug 2007 15:20:24 -0500 Subject: Compression routines - please include 7-Zip In-Reply-To: <46C9DD91.7050401@securemecca.net> References: <46C9DD91.7050401@securemecca.net> Message-ID: <46C9F788.4030001@digital-signal.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Henry Hertz Hobbit wrote: > It is so blisteringly fast that it is time to give credit where > credit is due. I had it updating our (my?) PAC filter. Even with > copying the executable for 7zip.exe on Windows it is so blisteringly > fast I can't believe it. I am used to the forty years that Microsoft > takes. When it is done almost instantaneously (the word comes from > Latin to Fran?ais to Anglais) it shocked me! You're referring to PPMd, right? LZMA is pretty slow (though the compression it achieves is almost always worth it). Plus, PPMd is much, much better than LZMA with text. > It is only marginally better than > BZIP2 but it is infinitely better than ZIP or RAR. To be fair, RAR isn't that bad. I'm not suggesting Werner use it, but it shouldn't be grouped with zip. I'd like to see where this goes. - -- Windows NT 5.1.2600.2180 | Thunderbird 2.0.0.6 | Enigmail 0.95.2 | GPG 1.4.7 Key ID: 0xF88E034060A78FCB - available on major keyservers and upon request Fingerprint: 4A84 CAE2 A0D3 2AEB 71F6 07FD F88E 0340 60A7 8FCB -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEVAwUBRsn3h/iOA0Bgp4/LAQNV3ggAj9AmUvhYRBvHo7gbMwQSqZpK+37GVNea sgmp+JQ+c4MjXEfkMj4LuyjTGcx+YBhtOPcSBQusiwzcurLHzgLZS+KrvzVf3Xj/ 1J1gGzwi0sAgB5I9OIhvNq1qwb8lP8+2mTjwF2gVW6Yl+CaypB5ZGJv4/7aM88oX W4yumKhCQv8MXHDf5tK6ClOj+fHJR8FLVUTKTkGrVIoNBMaZKEAuViU2FtI21x+q CHHwODb7CTxY8ocdjtdVymRqw3iqpnee5DWgsMZOv7GBIiruJa2Dpv7UxiiUD+Rn z0szhaSJSUbY9eR/Mc6gvf2q36L2o2tAiK3C2EpDsy/741Pnenx9ZQ== =nMe0 -----END PGP SIGNATURE----- From wk at gnupg.org Mon Aug 20 22:38:56 2007 From: wk at gnupg.org (Werner Koch) Date: Mon, 20 Aug 2007 22:38:56 +0200 Subject: Compression routines - please include 7-Zip In-Reply-To: <46C9EF85.20702@sixdemonbag.org> (Robert J. Hansen's message of "Mon, 20 Aug 2007 14:46:13 -0500") References: <46C9DD91.7050401@securemecca.net> <46C9EF85.20702@sixdemonbag.org> Message-ID: <87lkc6aqlb.fsf@wheatstone.g10code.de> On Mon, 20 Aug 2007 21:46, rjh at sixdemonbag.org said: > If you are interested in pitching this, I would suggest pitching it to > the IETF. GnuPG's typical position is to only support the RFC, without > any embrace-and-extend. Right, we won't support things which are not in the standard or at least described in a draft of whom we know that it will end up as a standard. For interoperability we can't use new compression algorithms. There is also the issue that adding algorithms does not help to keep a standard clean. I was not in favor of bzip2 for that reasons and in retrospective I's better not pushed the ZLIB algorithm. Let each tool do what it can do best. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahmen regelt ein Bundeschgesetz. From JPClizbe at tx.rr.com Mon Aug 20 23:13:35 2007 From: JPClizbe at tx.rr.com (John Clizbe) Date: Mon, 20 Aug 2007 16:13:35 -0500 Subject: Compression routines - please include 7-Zip In-Reply-To: <87lkc6aqlb.fsf@wheatstone.g10code.de> References: <46C9DD91.7050401@securemecca.net> <46C9EF85.20702@sixdemonbag.org> <87lkc6aqlb.fsf@wheatstone.g10code.de> Message-ID: <46CA03FF.2030105@tx.rr.com> Werner Koch wrote: > On Mon, 20 Aug 2007 21:46, rjh at sixdemonbag.org said: >> If you are interested in pitching this, I would suggest pitching it to >> the IETF. GnuPG's typical position is to only support the RFC, without >> any embrace-and-extend. > > Right, we won't support things which are not in the standard or at least > described in a draft of whom we know that it will end up as a standard. > > For interoperability we can't use new compression algorithms. There is > also the issue that adding algorithms does not help to keep a standard > clean. I was not in favor of bzip2 for that reasons and in > retrospective I's better not pushed the ZLIB algorithm. Werner, I agree with both Rob and you on this. Those who want to campaign for 7-Zip can pitch it to the IETF Working Group. Though if it's only marginally better than BZIP2, the WG is likely not to accept it. But the 'not in the standard' and interoperability remarks lead me to wonder, "Why is TIGER192 in the Windows build of GnuPG2 that's in GPG4Win?" -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 663 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20070820/b1004586/attachment.pgp From bchill at bch.net Tue Aug 21 00:11:05 2007 From: bchill at bch.net (Brian C. Hill) Date: Mon, 20 Aug 2007 15:11:05 -0700 Subject: gnupg 2.0.2 and funopen/fopencookie on Solaris 8 In-Reply-To: <46CA03FF.2030105@tx.rr.com> References: <46C9DD91.7050401@securemecca.net> <46C9EF85.20702@sixdemonbag.org> <87lkc6aqlb.fsf@wheatstone.g10code.de> <46CA03FF.2030105@tx.rr.com> Message-ID: <20070820221105.GB22483@romulus.mondobox.com> On Fri, 23 Feb 2007 01:53, Werner Koch wrote: > On Fri, 23 Feb 2007 01:17, bchill at bch.net said: > > > How have other managed to build gnupg on SunOS 5.8? > > You can't build GnuPG 2 on a system without funopen. We will > eventually solve this by replacing most stdio operations by a our own > and enhanced stdio implementation. Unfortunately there is no other > way to do that. > > Shalom-Salam, > > Werner I put this aside for a bit, but I am back to it now. I realize that Solaris isn't a supported platform, but FAQ says that there are "positive reports" of running gnupg on Solaris. Has anyone on this list done that and how? Is there a standalone funopen library? Brian From hhhobbit at securemecca.net Tue Aug 21 08:06:43 2007 From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Tue, 21 Aug 2007 00:06:43 -0600 Subject: Compression routines - please include 7-Zip In-Reply-To: <46C9DD91.7050401@securemecca.net> References: <46C9DD91.7050401@securemecca.net> Message-ID: <46CA80F3.8060302@securemecca.net> Settle down. I am arguing for the inclusion of 7zip IN THE FUTURE! I am just afraid it is going to get overlooked again yet one more time. The fact that 7zip doesn't store the UID:GID is a plus in my mind. It allows you to get what ever UID:GID YOU are when you unzip it. That is better than some of the strange ownerships I see, sometimes with the actual install files themselves. Some people don't know what "chown -R UID:GID " is yet. I am not so stupid to not know you can NOT use 7zip now. It isn't in the RFC. What I am arguing for is NOT to forget 7zip exists when you do the next iteration of the RFC. Here is why with a non-trivial real world example comparing all of the zips. I have one machine I work on almost all the time. It isn't mine. My machine is rarely available (I did mention I have been homeless for several years now and unemployed for over eleven years now, didn't I?) and since I need the mail in sync I frequently zip it up on this machine, encrypt it, put it up to my web site and then pull it down to the other machine to keep the mail in sync on both machines. Here are the file size comparisons for the two MUAs: Evolution File Sizes: ===================== 2713325 evolution.tar.7z 2728384 evolution.tar.7z.gpg [ 1.00555 * 7zip ] 3090190 evolution.tbz [ 1.14 * 7zip ] 3221545 evolution.tar.gz [ 1.04 * bzip2 ] { used -9 } 3340579 evolution.zip [ 1.04 * gzip ] { used -9 } 7792640 evolution.tar [ 2.33 * zip ] Thunderbird File Sizes: ======================= 4058666 thunderbird.tar.7z [ BEST ] 4080803 thunderbird.tar.7z.gpg [ 1.00545 * 7zip ] 4528758 thunderbird.tbz [ 1.16 * 7zip ] 5044288 thunderbird.tar.gz [ 1.11 * bzip2 ] { used -9 } 5138290 thunderbird.zip [ 1.02 * gzip ] { used -9 } 13721600 thunderbird.tar [ 2.67 * zip ] Cipher = TWOFISH Now it doesn't take a genius to know what I am going to use with restrictive upload speeds - *.tar.7z.gpg or just *.7z.gpg! You think I am so crazy that I am not going to encrypt it with file perms like these? ftp> dir -rw-rw-r-- 1 3156036 1000006 2728384 evolution.tar.7z.gpg -rw-rw-r-- 1 3156036 1000006 4080803 thunderbird.tar.7z.gpg I don't know who else is in group 1000006. I also actually have the 7zip format on my web site (just replace the tbz with 7z): http://www.securemecca.com/InstallProxyPkg.unx.7z http://www.securemecca.com/InstallProxyPkg.msw.7z http://www.securemecca.com/fr/InstallProxyPkg_FR.unx.7z http://www.securemecca.com/fr/InstallProxyPkg_FR.msw.7z (last two are work in progress, second is actually used) But I face the same problem. There are all of these moss-backs that say they can't pull down 7-zip and compile it for their Unix systems. It isn't the Unix way! PHOOEY! You can even pull down the binary install packages of 7zip (which is NOT the Unix way as far as I am concerned) for Linux and several other Unix systems if you don't have a Gnu development system. In fact, I have to provide gzip and zip files on the sister hostsfile.org site because that IIS server isn't set to allow downloads of either 7zip or bzip2 files. So here are the actual links I use instead: http://www.securemecca.com/InstallProxyPkg.unx.tbz http://www.securemecca.com/fr/InstallProxyPkg_FR.unx.tbz http://www.hostsfile.org/InstallProxyPkg.unx.tar.gz http://www.hostsfile.org/InstallProxyPkg.msw.zip (second is same and still work in progress) All of this reminds me of the person (a Microsofft MVP) I tried to get to do the following things. 1. Use GnuPG encryption to get around the 42.zip block at his pop mail server that caused all the zip files containing the name of bad hosts I was sending to him to be blocked in a very strange way. He wouldn't do it. It wasn't the Windows way. 2. Use another mail server. It wasn't the Windows way? He is still using the same mail server. 3. Use gzip? It isn't the Windows way. It doesn't matter that WinZip and almost all other zip programs support the gzip format. It just isn't the Windows way! 4. Use 7zip? It isn't the Windows way. Besides, one zipped up file with just a few dozen bad hosts isn't worth it. SHEESH! That 7zip file contained almost a dozen files and hundreds of bad hosts and yes, they were in a folder. Work with that person is terminated! But it takes just one suggestion via an Internet search before I address a hole I know has been there for some time in what I am working on. It doesn't matter that it was way down on the 4 dozen things I had to do and the monitoring of two dozen experimental rules. Just one person making that statement will make me shift when I see it is a priority with the people considering what I am providing (it is *GPL licensed). WHAT I USE 7ZIP FOR (besides personal use): =========================================== I use 7zip to unpack the files with an auto-update and I can already hear people complaining that because it needs UnixUtils (CygWin is rather large) and 7-zip, that it ISN'T THE WINDOWS WAY! It doesn't matter that it is blisteringly fast. Phooey with the Windows way. I want the way that works that is best. I will dump my absurd keys with their huge key size if you promise to at least consider 7zip in the future. It kind of reminds me of the almost 4,000 hosts that somebody was blocking that I block with just one rule (I have no idea how many there are): BadNetworks[i++] = "216.65.41.185, 255.255.255.254"; askeeves.com, askgevees.com, askjieves.com, circuitcit.com, circuitecity.com anybody? But that ISN'T THE WINDOWS WAY! What I am saying is there IS a better mouse-trap, and it IS 7zip! It is ALL I use for my own personal use any more. It IS LGPL licensed and it IS THE GNU WAY. Pun intended. Do some tests to convince yourself that it is the real deal. And yes, I could have used 7zip's built-in AES encryption. I like TWOFISH. It is just personal preference. I may reconsider. HHH From rjh at sixdemonbag.org Tue Aug 21 08:43:52 2007 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 21 Aug 2007 01:43:52 -0500 Subject: Compression routines - please include 7-Zip In-Reply-To: <46CA80F3.8060302@securemecca.net> References: <46C9DD91.7050401@securemecca.net> <46CA80F3.8060302@securemecca.net> Message-ID: <46CA89A8.7030003@sixdemonbag.org> Henry Hertz Hobbit wrote: > Settle down. I am arguing for the inclusion of 7zip IN THE FUTURE! Once more, this mailing list is not the correct forum to raise your concerns. Please do it on the IETF OpenPGP WG mailing list. > What I am arguing for is NOT to forget 7zip exists > when you do the next iteration of the RFC. Given that the RFC cycle has ended and a formal submission made to the IETF just weeks ago, I do not expect a new submission for at least five years. There will likely be a series of -bis releases in the months and years to come. If you want to get 7Z in a -bis release, you need to talk to the IETF OpenPGP WG. I do not know how to make the preceding more clear. From wk at gnupg.org Tue Aug 21 09:04:25 2007 From: wk at gnupg.org (Werner Koch) Date: Tue, 21 Aug 2007 09:04:25 +0200 Subject: Compression routines - please include 7-Zip In-Reply-To: <46CA03FF.2030105@tx.rr.com> (John Clizbe's message of "Mon, 20 Aug 2007 16:13:35 -0500") References: <46C9DD91.7050401@securemecca.net> <46C9EF85.20702@sixdemonbag.org> <87lkc6aqlb.fsf@wheatstone.g10code.de> <46CA03FF.2030105@tx.rr.com> Message-ID: <87ps1h9xmu.fsf@wheatstone.g10code.de> On Mon, 20 Aug 2007 23:13, JPClizbe at tx.rr.com said: > But the 'not in the standard' and interoperability remarks lead me to wonder, > "Why is TIGER192 in the Windows build of GnuPG2 that's in GPG4Win?" That is a bug. TIGER192 is defined by OpenPGP alsthough it will be dropped from the next revision. I'll fix it. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahmen regelt ein Bundeschgesetz. From wk at gnupg.org Tue Aug 21 09:16:44 2007 From: wk at gnupg.org (Werner Koch) Date: Tue, 21 Aug 2007 09:16:44 +0200 Subject: gnupg 2.0.2 and funopen/fopencookie on Solaris 8 In-Reply-To: <20070820221105.GB22483@romulus.mondobox.com> (Brian C. Hill's message of "Mon, 20 Aug 2007 15:11:05 -0700") References: <46C9DD91.7050401@securemecca.net> <46C9EF85.20702@sixdemonbag.org> <87lkc6aqlb.fsf@wheatstone.g10code.de> <46CA03FF.2030105@tx.rr.com> <20070820221105.GB22483@romulus.mondobox.com> Message-ID: <87lkc59x2b.fsf@wheatstone.g10code.de> On Tue, 21 Aug 2007 00:11, bchill at bch.net said: > Is there a standalone funopen library? Yes, at most places we now use our estream library which is plain POSIX. However there are a two places where funopen is still used but not required as tehre is a simple replacement: sm/certdump.c for formatting the prompts and jnlib/logging.c for logging to a socket (the later is just not available without funopen). Both will be converted to estream asap. So, in theory it should build on any POSIX system. I plan to do some tests on Solaris next week or so. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahmen regelt ein Bundeschgesetz. From wk at gnupg.org Tue Aug 21 09:25:03 2007 From: wk at gnupg.org (Werner Koch) Date: Tue, 21 Aug 2007 09:25:03 +0200 Subject: Compression routines - please include 7-Zip In-Reply-To: <46CA80F3.8060302@securemecca.net> (Henry Hertz Hobbit's message of "Tue, 21 Aug 2007 00:06:43 -0600") References: <46C9DD91.7050401@securemecca.net> <46CA80F3.8060302@securemecca.net> Message-ID: <87hcmt9wog.fsf@wheatstone.g10code.de> On Tue, 21 Aug 2007 08:06, hhhobbit at securemecca.net said: > time. The fact that 7zip doesn't store the UID:GID is a plus in > my mind. It allows you to get what ever UID:GID YOU are when you OpenPGP does not know about file permission , thus this is irrelevant. In fact the comprssion algorithms specified are bare-bone compression algorithms and not archival formats. If you want gpg to detect that an input file is 7zip encoded and disable compression in that case, wer can do this as long as the detection can be done by reading a few bytes at the start of the file and if you pass the filename. However, -z0 would do the same. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahmen regelt ein Bundeschgesetz. From dougb at dougbarton.us Tue Aug 21 08:19:05 2007 From: dougb at dougbarton.us (Doug Barton) Date: Mon, 20 Aug 2007 23:19:05 -0700 (PDT) Subject: Compression routines - please include 7-Zip In-Reply-To: <46CA80F3.8060302@securemecca.net> References: <46C9DD91.7050401@securemecca.net> <46CA80F3.8060302@securemecca.net> Message-ID: On Tue, 21 Aug 2007, Henry Hertz Hobbit wrote: > Settle down. I am arguing for the inclusion of 7zip IN THE FUTURE! So join the IETF working group, and champion its cause. If you've read the posts on this thread, you've seen that this is the only way it's going to happen. Also, please remember that you can already compress your file with whatever algorithm you want, then encrypt it, so this whole discussion is silly. Thanks, Doug From burks at burks.de Tue Aug 21 09:17:00 2007 From: burks at burks.de (Burkhard Schroeder) Date: Tue, 21 Aug 2007 09:17:00 +0200 Subject: Decrpytion not automatically possbible Message-ID: <46CA916C.2060201@burks.de> Hi, a got the same problem with Thunderbird and Evolution: encryption is working perfect, but decryption not. I have to store the textfile manually, and then to decrypt it as a file :-( But I did not change nothing..... I got the message only in german: Fehler - Entschl?sselung fehlgeschlagen gpg Kommandozeile und Ausgabe: /usr/bin/gpg --charset utf8 --batch --no-tty --status-fd 2 -d --use-agent gpg: Schwierigkeiten mit dem Agenten - Agent-Ansteuerung wird abgeschaltet gpg: Passwortsatz kann im Batchmodus nicht abgefragt werden gpg: Ung?ltige Passphrase; versuchen Sie es bitte noch einmal ... gpg: Passwortsatz kann im Batchmodus nicht abgefragt werden gpg: Ung?ltige Passphrase; versuchen Sie es bitte noch einmal ... gpg: Passwortsatz kann im Batchmodus nicht abgefragt werden gpg: verschl?sselt mit 4096-Bit ELG-E Schl?ssel, ID 488E0745, erzeugt 2005-07-23 "Burkhard Schroeder " gpg: Entschl?sselung mit Public-Key-Verfahren fehlgeschlagen: Falsche Passphrase gpg: Entschl?sselung fehlgeschlagen: Geheimer Schl?ssel ist nicht vorhanden Bukrs From patrick at mozilla-enigmail.org Tue Aug 21 12:40:30 2007 From: patrick at mozilla-enigmail.org (Patrick Brunschwig) Date: Tue, 21 Aug 2007 12:40:30 +0200 Subject: Decrpytion not automatically possbible In-Reply-To: <46CA916C.2060201__2602.58063576675$1187689885$gmane$org@burks.de> References: <46CA916C.2060201__2602.58063576675$1187689885$gmane$org@burks.de> Message-ID: Burkhard Schroeder wrote: > Hi, > > a got the same problem with Thunderbird and Evolution: encryption is > working perfect, but decryption not. I have to store the textfile > manually, and then to decrypt it as a file :-( > > But I did not change nothing..... > > I got the message only in german: > > Fehler - Entschl?sselung fehlgeschlagen > > gpg Kommandozeile und Ausgabe: > /usr/bin/gpg --charset utf8 --batch --no-tty --status-fd 2 -d --use-agent > gpg: Schwierigkeiten mit dem Agenten - Agent-Ansteuerung wird abgeschaltet > gpg: Passwortsatz kann im Batchmodus nicht abgefragt werden > gpg: Ung?ltige Passp