From Henry.Story at Sun.COM Tue Apr 1 09:50:39 2008 From: Henry.Story at Sun.COM (Henry Story) Date: Tue, 01 Apr 2008 09:50:39 +0200 Subject: RDFAuth: a sketch of a simple authentication protol Message-ID: Dear GNU-PG users and experts, I recently posted a proposal for a very simple HTTP based protocol to build on GPG web of trust concepts by combining these with the linked data network [1] effect of the semantic web, and simple REST architecture concepts. Here is the introduction [[ Here is a proposal for an authentication scheme that is even simpler than OpenId, more secure, more RESTful, with fewer points of failure and fewer points of control, that is needed in order to make Open Distributed Social Networks with privacy controls possible. ]] http://blogs.sun.com/bblfish/entry/rdfauth_sketch_of_a_buzzword I am not a cryptography expert, but I make essential use of PGP in this sketch, so I was looking for feedback from this community, as well as REST and HTTP experts. I know there is something really powerful lying here to be discovered. Please give us feedback and ideas for improvements. Or just let us know that we are wrong. Any feedback is welcome :-) Henry [1] http://en.wikipedia.org/wiki/Linked_Data Home page: http://bblfish.net/ From Axel.Thimm at ATrpms.net Tue Apr 1 13:23:50 2008 From: Axel.Thimm at ATrpms.net (Axel Thimm) Date: Tue, 1 Apr 2008 14:23:50 +0300 Subject: gpg-agent/ssh-add asking for passphrase at first usage In-Reply-To: <20080331041759.GG18510@inocybe.teonanacatl.org> References: <20080331004621.GB7497@puariko.nirvana> <20080331041759.GG18510@inocybe.teonanacatl.org> Message-ID: <20080401112350.GB13632@puariko.nirvana> On Mon, Mar 31, 2008 at 12:17:59AM -0400, Todd Zullinger wrote: > Axel Thimm wrote: > > some years ago I did create a nice "gpg-agent --enable-ssh-support" > > setup that would register ssh keys with the agent, but the agent > > would only ask for the passphrase when ssh would try a connection. > > > > Now I upgraded my system and this doesn't work anymore. > > What exactly doesn't work? You don't get any password prompt for > either your ssh nor gpg keys? Or you get the prompt for both now > instead of having your ssh key automatically added? Or something else > entirely? I tried to explain, but maybe the mail was too long: Previously, right after logging in I would see the keys with ssh-add -l, but I would only be asked for the passphrase on their first usage. Now they are not listed and if I try to add them I'm asked for the pssphrase immediately. > > Now my questions are: > [...] > > - *why* did it break with the update? The old system has gnupg 2.0.8 > > and the new one 2.0.9. But the Changelog doesn't indicate anything > > that would make these two behave differently. > > Is the new system running another agent, like the seahorse agent? I > think that might be on by default now, and it provides similar > functionlity to gpg-agent and ssh-agent. Maybe it's causing problems? I'm invoking gpg-agent directly in the ssh-agent replacment scrip (see my OP). -- Axel.Thimm at ATrpms.net -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From kevhilton at gmail.com Tue Apr 1 16:47:58 2008 From: kevhilton at gmail.com (Kevin Hilton) Date: Tue, 1 Apr 2008 09:47:58 -0500 Subject: Whirlpool Hash Message-ID: <96c450350804010747q21de35fbpbdf17a78d99d743d@mail.gmail.com> Has anyone written a patch that would allow whirlpool as an available hash algorithm for use with gnupg? -- Kevin Hilton From jmoore3rd at bellsouth.net Tue Apr 1 18:12:55 2008 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Tue, 01 Apr 2008 12:12:55 -0400 Subject: Whirlpool Hash In-Reply-To: <96c450350804010747q21de35fbpbdf17a78d99d743d@mail.gmail.com> References: <96c450350804010747q21de35fbpbdf17a78d99d743d@mail.gmail.com> Message-ID: <47F25F07.6070501@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Kevin Hilton wrote: > Has anyone written a patch that would allow whirlpool as an available > hash algorithm for use with gnupg? The addition of Whirlpool would require the effective 'patching' of 11 Files. I am fooling with it in My spare time but haven't completed it as yet. I haven't devoted much time to this as there would be very few instances where it would be practical to implement. What would be accomplished by using a Hash that would prevent anyone from verifying My Sig? JOHN ;) Timestamp: Tuesday 01 Apr 2008, 12:11 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.5.0-svn4732: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJH8l8GAAoJEBCGy9eAtCsP6fgIAIVgRvdeMXSty+3/EFcMQBhs 2I3u3eVCeEeX4gxP+LZO6zJ+fiCOgRYJ3/Fq6bJ6HhUFQjTC3hBeTamdPbjlzQHC xkvb90VBllqfP7cMN5kYJYZBEChfbsjn9IyZ+97+gyhlBpKMXVroRvykz9iSNRPe OUYeFkcVIk9V3YilGoVGlWE9kjunQ8TZFmHGaK75ntpZAIkOdm2vgW+fE1xIYacu 3SYuxBS3VidcTvAOVtVILsmKnwr95+9aCOP8ymum7ZUa2CdDUgPVp0wgUeZDBQla tCJPB9SkIesF0AwvdGVrBnuZWzbFa1ewOZON1r6eQtagdX2RiC9vPPLO0tXJcuI= =qGpS -----END PGP SIGNATURE----- From kevhilton at gmail.com Tue Apr 1 18:39:15 2008 From: kevhilton at gmail.com (Kevin Hilton) Date: Tue, 1 Apr 2008 11:39:15 -0500 Subject: Whirlpool Hash In-Reply-To: <96c450350804010747q21de35fbpbdf17a78d99d743d@mail.gmail.com> References: <96c450350804010747q21de35fbpbdf17a78d99d743d@mail.gmail.com> Message-ID: <96c450350804010939r62cd58d6gc6015e36a9b22539@mail.gmail.com> Let us know when you are done with the patch. I'd be interested in trying it out -- that would make one person who could verify your signature! From wk at gnupg.org Tue Apr 1 18:47:21 2008 From: wk at gnupg.org (Werner Koch) Date: Tue, 01 Apr 2008 18:47:21 +0200 Subject: Whirlpool Hash In-Reply-To: <96c450350804010747q21de35fbpbdf17a78d99d743d@mail.gmail.com> (Kevin Hilton's message of "Tue, 1 Apr 2008 09:47:58 -0500") References: <96c450350804010747q21de35fbpbdf17a78d99d743d@mail.gmail.com> Message-ID: <87ve31wmhy.fsf@wheatstone.g10code.de> On Tue, 1 Apr 2008 16:47, kevhilton at gmail.com said: > Has anyone written a patch that would allow whirlpool as an available > hash algorithm for use with gnupg? Whirlpool is not specified by OpenPGP and thus not supported by gpg. FWIW, Libgcrypt has support for Whirlpool and thus can be used by other applications (e.g. S/MIME as supported by gpgsm) Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From dshaw at jabberwocky.com Tue Apr 1 19:12:23 2008 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 1 Apr 2008 13:12:23 -0400 Subject: Whirlpool Hash In-Reply-To: <96c450350804010747q21de35fbpbdf17a78d99d743d@mail.gmail.com> References: <96c450350804010747q21de35fbpbdf17a78d99d743d@mail.gmail.com> Message-ID: <20080401171222.GA6478@jabberwocky.com> On Tue, Apr 01, 2008 at 09:47:58AM -0500, Kevin Hilton wrote: > Has anyone written a patch that would allow whirlpool as an available > hash algorithm for use with gnupg? Not that I know of. Note that Whirlpool is not specified for OpenPGP, so that is a major barrier. There is a project to add Whirlpool to OpenPGP going on at the moment (also the Camellia cipher, by the way). When that happens, Whirlpool makes more sense than it does now. David From noc at phibee.net Tue Apr 1 20:50:34 2008 From: noc at phibee.net (Phibee Network Operation Center) Date: Tue, 01 Apr 2008 20:50:34 +0200 Subject: sign a public key ? Message-ID: <47F283FA.1030003@phibee.net> Hi i use this for crypt a tar archives: /usr/bin/gpg --recipient Stefan --encrypt /tmp/backup.tgz i use the public key of stefan for crypt, but when i start he request all time a "o" (Yes) and say me (sorry in french) : =================================================== [root at gw tmp]# /usr/bin/gpg --recipient Stefan --encrypt /tmp/backup.tgz gpg: DCC8B9Z4: Rien ne dit que la cl? appartient vraiment ? l'utilisateur nomm?. pub 2048g/DCC8B9Z4 2008-03-25 Stefan Empreinte de la cl? principale: XX Empreinte de la sous-cl?: XX Il n'est PAS certain que la cl? appartient ? la personne nom?e dans le nom d'utilisateur. Si vous savez *vraiment* ce que vous faites, vous pouvez r?pondre oui ? la prochaine question. Utiliser cette cl? quand m?me ? (o/N) ======================================================== He said that it's not sure that th key are the key of Stefan ..... can i write for all time a "Y" or what is the exact process ? thanks for your help From allen.schultz at gmail.com Wed Apr 2 01:29:36 2008 From: allen.schultz at gmail.com (Allen Schultz) Date: Tue, 1 Apr 2008 17:29:36 -0600 Subject: Office Outlook 2003 and GnuPG Message-ID: <3f34f8420804011629o28a6e7e6q606129489185c2f7@mail.gmail.com> What is the recommended frontend/plugin to Office Outlook 2003 for GnuPG that will allow the user (my friend in this case) to manually select Encrypt/Sign rather than have it automatically do that on all his messages. He wants that choice. I found one with it hiding in the Tools menu, but he wants it visible while writing/typing the message. Allen From JPClizbe at tx.rr.com Wed Apr 2 03:43:53 2008 From: JPClizbe at tx.rr.com (John Clizbe) Date: Tue, 01 Apr 2008 20:43:53 -0500 Subject: sign a public key ? In-Reply-To: <47F283FA.1030003@phibee.net> References: <47F283FA.1030003@phibee.net> Message-ID: <47F2E4D9.5010104@tx.rr.com> Phibee Network Operation Center wrote: > Hi > > i use this for crypt a tar archives: > > /usr/bin/gpg --recipient Stefan --encrypt /tmp/backup.tgz > can i write for all time a "Y" or what is the exact process ? /usr/bin/gpg --batch --yes --recipient Stefan --encrypt /tmp/backup.tgz From the man page: --batch --no-batch Use batch mode. Never ask, do not allow interactive com- mands. --no-batch disables this option. --yes Assume "yes" on most questions. --no Assume "no" on most questions. -- John P. Clizbe Inet: JPClizbe (a) tx DAWT rr DAHT con Ginger Bear Networks hkp://keyserver.gingerbear.net "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 657 bytes Desc: OpenPGP digital signature URL: From jmoore3rd at bellsouth.net Wed Apr 2 04:08:06 2008 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Tue, 01 Apr 2008 22:08:06 -0400 Subject: Office Outlook 2003 and GnuPG In-Reply-To: <3f34f8420804011629o28a6e7e6q606129489185c2f7@mail.gmail.com> References: <3f34f8420804011629o28a6e7e6q606129489185c2f7@mail.gmail.com> Message-ID: <47F2EA86.5090401@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Allen Schultz wrote: > What is the recommended frontend/plugin to Office Outlook 2003 for > GnuPG that will allow the user (my friend in this case) to manually > select Encrypt/Sign rather than have it automatically do that on all > his messages. He wants that choice. I found one with it hiding in the > Tools menu, but he wants it visible while writing/typing the message. Why not try GPGshell: http://www.jumaros.de/rsoft/index.html This will provide both a Tray Tool, Key Management & the ability to Encrypt/Decrypt Files. JOHN ;) Timestamp: Tuesday 01 Apr 2008, 22:07 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.5.0-svn4732: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJH8uqFAAoJEBCGy9eAtCsPXIkH/35ewbdZCfKIH5aBGOMp1yOV +2SlKh0y3zPwjXwt4OtM8LFETMkHUsXbKlh9V18/cbaJmiPIJAjk33tW1jqJmmTi Lhu8V9EbXjCBazMe0R36VBrEckLjfDRDLPEqUt0kTmSo42eniAa9jnMTAvcRjHZd WeB1Z0hvoMv3VQzgOJ7cq/Aw48di94kjyNvPtsTco7625h9QdPkxWWbIVQ9ffJtu WPyU/ig1NoYAah1GIiLkgSDEPkV39fWs5b0zvcYOFxZyUwkJBI/3r0tPOfzgR3JK d29aI71DfPNsGEVgvuJhUwr5FwwZeZMznMf8UX/qyT5SvHJhANq4DcDXNUuA1BM= =e3ly -----END PGP SIGNATURE----- From noc at phibee.net Wed Apr 2 06:30:43 2008 From: noc at phibee.net (Phibee Network Operation Center) Date: Wed, 02 Apr 2008 06:30:43 +0200 Subject: sign a public key ? In-Reply-To: <47F2E4D9.5010104@tx.rr.com> References: <47F283FA.1030003@phibee.net> <47F2E4D9.5010104@tx.rr.com> Message-ID: <47F30BF3.4090104@phibee.net> John Clizbe a ?crit : > Phibee Network Operation Center wrote: > >> Hi >> >> i use this for crypt a tar archives: >> >> /usr/bin/gpg --recipient Stefan --encrypt /tmp/backup.tgz >> > > > >> can i write for all time a "Y" or what is the exact process ? >> > > /usr/bin/gpg --batch --yes --recipient Stefan --encrypt /tmp/backup.tgz > > > > From the man page: > > --batch > > --no-batch > Use batch mode. Never ask, do not allow interactive com- > mands. --no-batch disables this option. > > --yes Assume "yes" on most questions. > > --no Assume "no" on most questions. > > > > Thanks for your answer, but i have read the man and tested this solution ... i have a : [root at gw tmp]# /usr/bin/gpg --batch --yes --recipient Stefan --encrypt /tmp/backup.tgz gpg: DCC8B9Z4: Rien ne dit que la cl? appartient vraiment ? l'utilisateur nomm?. gpg: /tmp/backup.tgz: encryption failed: cl? publique inutilisable Failed :=< From JPClizbe at tx.rr.com Wed Apr 2 06:43:09 2008 From: JPClizbe at tx.rr.com (John Clizbe) Date: Tue, 01 Apr 2008 23:43:09 -0500 Subject: sign a public key ? In-Reply-To: <47F30BF3.4090104@phibee.net> References: <47F283FA.1030003@phibee.net> <47F2E4D9.5010104@tx.rr.com> <47F30BF3.4090104@phibee.net> Message-ID: <47F30EDD.90809@tx.rr.com> Phibee Network Operation Center wrote: > John Clizbe a ?crit : >> Phibee Network Operation Center wrote: >>> Hi >>> >>> i use this for crypt a tar archives: >>> >>> /usr/bin/gpg --recipient Stefan --encrypt /tmp/backup.tgz >>> can i write for all time a "Y" or what is the exact process ? >>> >> /usr/bin/gpg --batch --yes --recipient Stefan --encrypt /tmp/backup.tgz >> > Thanks for your answer, but i have read the man and tested this solution ... > > i have a : > > [root at gw tmp]# /usr/bin/gpg --batch --yes --recipient Stefan --encrypt > /tmp/backup.tgz > gpg: DCC8B9Z4: Rien ne dit que la cl? appartient vraiment ? l'utilisateur > nomm?. > gpg: /tmp/backup.tgz: encryption failed: cl? publique inutilisable Try signing his key with a local signature: gpg --edit-key Stefan lsign or adding the --always-trust option to the command-line /usr/bin/gpg --batch --yes --always-trust --recipient Stefan \ --encrypt /tmp/backup.tgz I think a local sig is the better option. -- John P. Clizbe Inet: JPClizbe (a) tx DAWT rr DAHT con Ginger Bear Networks hkp://keyserver.gingerbear.net "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 657 bytes Desc: OpenPGP digital signature URL: From email at sven-radde.de Wed Apr 2 07:40:56 2008 From: email at sven-radde.de (Sven Radde) Date: Wed, 02 Apr 2008 07:40:56 +0200 Subject: Office Outlook 2003 and GnuPG In-Reply-To: <3f34f8420804011629o28a6e7e6q606129489185c2f7@mail.gmail.com> References: <3f34f8420804011629o28a6e7e6q606129489185c2f7@mail.gmail.com> Message-ID: <1207114856.6313.5.camel@carbon> Hi! Am Dienstag, den 01.04.2008, 17:29 -0600 schrieb Allen Schultz: > What is the recommended frontend/plugin to Office Outlook 2003 I think the one coming with gpg4win is fine? I am running Office 2007 at work in the meantime but AFAIR I used it when we still had 2003. And I definitely did never have a "full auto" mode enabled. cu, Sven From john.fitzpatrick at centralbank.ie Wed Apr 2 15:34:38 2008 From: john.fitzpatrick at centralbank.ie (JohnnyF1) Date: Wed, 2 Apr 2008 06:34:38 -0700 (PDT) Subject: 1.4.7 <-> 1.4.8 compatibility Message-ID: <16418735.post@talk.nabble.com> Hi, could anyone tell me if there are many problems with encrypting using 1.4.7 and decrypting in 1.4.8 and vice versa? I am aware of this one in relation to signing: http://www.nabble.com/SHA-224-problem-to14038812.html#a14040484 on the SHA-224 problem. Thank you in Advance John -- View this message in context: http://www.nabble.com/1.4.7-%3C-%3E-1.4.8-compatibility-tp16418735p16418735.html Sent from the GnuPG - User mailing list archive at Nabble.com. From rjh at sixdemonbag.org Wed Apr 2 15:52:35 2008 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 02 Apr 2008 08:52:35 -0500 Subject: 1.4.7 <-> 1.4.8 compatibility In-Reply-To: <16418735.post@talk.nabble.com> References: <16418735.post@talk.nabble.com> Message-ID: <47F38FA3.6070708@sixdemonbag.org> JohnnyF1 wrote: > could anyone tell me if there are many problems with encrypting using 1.4.7 > and decrypting in 1.4.8 and vice versa? With the exception of RSA+SHA224 signatures, I know of none. From dshaw at jabberwocky.com Wed Apr 2 16:24:43 2008 From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 2 Apr 2008 10:24:43 -0400 Subject: 1.4.7 <-> 1.4.8 compatibility In-Reply-To: <16418735.post@talk.nabble.com> References: <16418735.post@talk.nabble.com> Message-ID: <4283CE7D-8403-43A5-83CF-B1B804ABEE3D@jabberwocky.com> On Apr 2, 2008, at 9:34 AM, JohnnyF1 wrote: > > Hi, > > could anyone tell me if there are many problems with encrypting > using 1.4.7 > and decrypting in 1.4.8 and vice versa? > I am aware of this one in relation to signing: > http://www.nabble.com/SHA-224-problem-to14038812.html#a14040484 > on the SHA-224 problem. No problems that have been reported. Note that we're up to version 1.4.9 now though. David From vedaal at hush.com Wed Apr 2 17:52:54 2008 From: vedaal at hush.com (vedaal at hush.com) Date: Wed, 02 Apr 2008 11:52:54 -0400 Subject: 1.4.7 <-> 1.4.8 compatibility Message-ID: <20080402155254.F3E3311803C@mailserver5.hushmail.com> David Shaw dshaw at jabberwocky.com wrote on Wed Apr 2 16:24:43 CEST 2008 : > Note that we're up to version 1.4.9 now though. the gnupg website http://www.gnupg.org/ and all the download links http://www.gnupg.org/download/index.en.html still lists 1.4.8 and doesn't mention 1.4.9 vedaal any ads or links below this message are added by hushmail without my endorsement or awareness of the nature of the link -- Click here for fast, reliable, quality printing services! http://tagline.hushmail.com/fc/REAK6ZBP0G5EMbd348ni2qiW5XUNwVgUEz4Hw0OwovmtVqPvrv94PF/ From neal.dudley at utoledo.edu Wed Apr 2 18:07:55 2008 From: neal.dudley at utoledo.edu (Neal Dudley) Date: Wed, 02 Apr 2008 11:07:55 -0500 Subject: Keysigning request Message-ID: Is there anyone in the Chicago area who would be willing and able to meet me to sign my GPG key? Yes, I have looked on Biglumber and contacted several people from there. Yes, I have searched for WoT groups in the area. If you, or someone you know, is in the Chicago area and would be able to meet with me to id me and sign my key, I would very much appreciate it. Thank you for your time. From shavital at mac.com Wed Apr 2 18:12:21 2008 From: shavital at mac.com (Charly Avital) Date: Wed, 02 Apr 2008 12:12:21 -0400 Subject: 1.4.7 <-> 1.4.8 compatibility In-Reply-To: <20080402155254.F3E3311803C@mailserver5.hushmail.com> References: <20080402155254.F3E3311803C@mailserver5.hushmail.com> Message-ID: <47F3B065.1000502@mac.com> vedaal at hush.com wrote the following on 4/2/08 11:52 AM: [...] > the gnupg website > http://www.gnupg.org/ > and all the download links > http://www.gnupg.org/download/index.en.html > still lists 1.4.8 > and doesn't mention 1.4.9 > > > vedaal Concur. It seems that the web site has not been updated with the announcement of the availability of 1.4.9, that was posted to the list. Charly From wk at gnupg.org Wed Apr 2 19:45:00 2008 From: wk at gnupg.org (Werner Koch) Date: Wed, 02 Apr 2008 19:45:00 +0200 Subject: 1.4.7 <-> 1.4.8 compatibility In-Reply-To: <20080402155254.F3E3311803C@mailserver5.hushmail.com> (vedaal@hush.com's message of "Wed, 02 Apr 2008 11:52:54 -0400") References: <20080402155254.F3E3311803C@mailserver5.hushmail.com> Message-ID: <87wsngqhgj.fsf@wheatstone.g10code.de> On Wed, 2 Apr 2008 17:52, vedaal at hush.com said: > still lists 1.4.8 > and doesn't mention 1.4.9 Sorry, the website is pretty outdated. This is due to the WML stuff which requires a chroot environment which more or less got lost during the hardware change. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Wed Apr 2 19:53:16 2008 From: wk at gnupg.org (Werner Koch) Date: Wed, 02 Apr 2008 19:53:16 +0200 Subject: Siemens card reader In-Reply-To: <1206885127.5177.5.camel@dublin.local> ("Reinhard =?utf-8?Q?M?= =?utf-8?Q?=C3=BCller=22's?= message of "Sun, 30 Mar 2008 15:52:07 +0200") References: <1206885127.5177.5.camel@dublin.local> Message-ID: <87sky4qh2r.fsf@wheatstone.g10code.de> On Sun, 30 Mar 2008 15:52, reinhard.mueller at bytewise.at said: > Any hint? Please add thse options --debug-ccid-driver --debug-ccid-driver so get more output (yes, give it twice). Use a test card, so that your PIN is not visible in the output. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From jmoore3rd at bellsouth.net Wed Apr 2 21:16:39 2008 From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Wed, 02 Apr 2008 15:16:39 -0400 Subject: 1.4.7 <-> 1.4.8 compatibility In-Reply-To: <47F3B065.1000502@mac.com> References: <20080402155254.F3E3311803C@mailserver5.hushmail.com> <47F3B065.1000502@mac.com> Message-ID: <47F3DB97.8000507@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Charly Avital wrote: > vedaal at hush.com wrote the following on 4/2/08 11:52 AM: > [...] > >> the gnupg website >> http://www.gnupg.org/ >> and all the download links >> http://www.gnupg.org/download/index.en.html >> still lists 1.4.8 >> and doesn't mention 1.4.9 > Concur. It seems that the web site has not been updated with the > announcement of the availability of 1.4.9, that was posted to the list. Last I checked the Download Manager also shows that 1.4.8 is being Downloaded. :-\ JOHN ;) Timestamp: Wednesday 02 Apr 2008, 15:16 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.5.0-svn4735: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJH89uWAAoJEBCGy9eAtCsPpicH/A7JbBe/c9ZoGW59B8w3n6TA +/P/mHAy9hWSLfxY5wjXimJwl2NmT2Ui9wrpUVHhMFkSP8w/qY4Ju4KMwUII/TDM KX5sFfWfel5vTXqSQRZ1R3F4lJVrVx3Fno/xCyBar/yUkCF8DBskRRRj+RX7aoq4 h4g5P6EDT57H/vpUZ+i+mN4JWQO7uJuOa0SQzCHVrEz9T4V/QGcjbKfB0F2ZP2h9 D1MaanmWFSer6Cte3dtLbz+qtVFz0z9jko27rRkz1It+SC9bxunxS5o3SQjzLbb4 I+i8JyYOo0+L0AI7gytIaXGiLmGDxj5hJr8W6Tq3OHa6BXY0V2KmGdeOtEgqR/w= =0NkJ -----END PGP SIGNATURE----- From Vern.Bradner at cit.com Wed Apr 2 20:47:28 2008 From: Vern.Bradner at cit.com (Vern.Bradner at cit.com) Date: Wed, 2 Apr 2008 14:47:28 -0400 Subject: 1.4.9 availability Message-ID: <58542869CBA00141AB7E2F357F0F3FA303F39C08@crplivexc54.citnet.cit.com> Hi, I can see that 1.4.9 binaries are available at ftp://ftp.gnupg.org/gcrypt/binary/ But it looks like 1.4.8 is at http://www.gnupg.org/download/ I have tended to use http://www.gnupg.org/download/ as my official location for binaries in the past. Should I not? Thanks, Vern Vern Bradner Vern.Bradner at cit.com Voice: 973-535-3562 Cellular: 732-236-5537 From vedaal at hush.com Wed Apr 2 22:10:08 2008 From: vedaal at hush.com (vedaal at hush.com) Date: Wed, 02 Apr 2008 16:10:08 -0400 Subject: 1.4.9 (IDEA not working?) Message-ID: <20080402201009.2BD2511803C@mailserver5.hushmail.com> have installed gnupg 1.4.9 using the windows binary, and IDEA no longer loads have tried this again on a usb drive, replacing all the gnupg 1.4.8 files with 1.4.9 files, but leaving the idea.dll, gpg.conf, keyrings and trust db the same as they were for 1.4.8 and even tested it before the replacement 1.4.8 loads IDEA 1.4.9 does not here is my gpg.conf in case i overlooked anything ##gpg2go drive comment "Acts of Kindness better the World, and protect the Soul" keyring v:\gnupg\pubring.gpg secret-keyring v:\gnupg\secring.gpg no-default-keyring trustdb-name v:\gnupg\trustdb.gpg cipher-algo TWOFISH digest-algo SHA256 #digest-algo SHA1 compress-algo ZIP homedir v:\gnupg load-extension v:\gnupg\idea.dll #local-user 0x5AA20C866A589A97! #hidden-encrypt-to 0x5AA20C866A589A97 s2k-cipher-algo twofish s2k-digest-algo SHA256 cert-digest-algo SHA256 #digest-algo sha1 #digest-algo ripemd160 verbose verbose ignore-crc-error ignore-mdc-error show-session-key expert #throw-keyids #try-all-secrets #default-key 6A589A97! default-key D35FB186 (v:\ is the truecrypt drive letter i use for volume that has gnupg and the keyrings) can anyone else confirm this, or did i make a mistake somnehwere (other than still using a v3 key and idea ;-)) ) TIA, vedaal any ads or links below this message are added by hushmail without -- Click here to choose from a huge selection of shipping supplies! http://tagline.hushmail.com/fc/REAK6ZBPnMblQux3ayDSua5qXy6KnlPR1TiJywFAh70Sdppg1Q6tLB/ my endorsement or awareness of the nature of the link From vedaal at hush.com Wed Apr 2 22:13:19 2008 From: vedaal at hush.com (vedaal at hush.com) Date: Wed, 02 Apr 2008 16:13:19 -0400 Subject: 1.4.9 IDEA still works,// sorry, my mistake Message-ID: <20080402201319.5D59911803C@mailserver5.hushmail.com> sorry, a silly oversight on my part, ;-(( IDEA loads fine on 1.4.9 vedaal any ads or links below this message are added by hushmail without -- Click to recieve credit card help and get out of debt fast. http://tagline.hushmail.com/fc/REAK6ZBOk4NIwhYiT5hHUXjgn2GYzFMx1ahERXmgLhbVQ6NHRxQfyn/ my endorsement or awareness of the nature of the link From lists at michel-messerschmidt.de Wed Apr 2 23:58:06 2008 From: lists at michel-messerschmidt.de (Michel Messerschmidt) Date: Wed, 2 Apr 2008 23:58:06 +0200 Subject: Using CCID and PCSC Message-ID: <20080402215806.GA1013@ryu.matrix> Hello, is there a possibility to force gnupg 2 to use the internal CCID smartcard driver even if pcscd is running (something like the --disable-ccid option but for pcsc) ? I have a SCM SPR532 reader and like to use the pinpad. But it's deactivated if pcscd is running. Thanks, Michel -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 315 bytes Desc: Digital signature URL: From mlisten at hammernoch.net Thu Apr 3 07:30:32 2008 From: mlisten at hammernoch.net (=?ISO-8859-1?Q?Ludwig_H=FCgelsch=E4fer?=) Date: Thu, 03 Apr 2008 07:30:32 +0200 Subject: 1.4.9 availability In-Reply-To: <58542869CBA00141AB7E2F357F0F3FA303F39C08@crplivexc54.citnet.cit.com> References: <58542869CBA00141AB7E2F357F0F3FA303F39C08@crplivexc54.citnet.cit.com> Message-ID: <47F46B78.70501@hammernoch.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Vern.Bradner at cit.com wrote on 02.04.2008 20:47 Uhr: > Hi, > > I can see that 1.4.9 binaries are available at > ftp://ftp.gnupg.org/gcrypt/binary/ > > But it looks like 1.4.8 is at http://www.gnupg.org/download/ > > I have tended to use http://www.gnupg.org/download/ as my official > location for binaries in the past. Should I not? Well, I tried to point you to the archives, but http://lists.gnupg.org/pipermail/ gives a 403 So nothing else leaves than to cite Werner Koch from yesterday: > Sorry, the website is pretty outdated. This is due to the WML stuff > which requires a chroot environment which more or less got lost during > the hardware change. Seems the permissions on the archives also got lost. HTH Ludwig -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEVAwUBR/Rrd1YnpxVXVowdAQrqyQgApVmTIhowgGZwqhhUrpK2iZLcQg1+D7jb UpoEVkNi0uX3TDRqwI6OziVRCSn+EDVuZ+b6ajz59FFLZm7l2Bi1/CWEakhgCiwa XquokSmu1zWN1eFdGbGWiJdlOGxtgKjW4f9cbsJIy1tCIGJxVABo+XZc/vEvvI/2 kZxvU3lDbw9zfqdlTMFXTK1LHv/odZEsFy7bgLzNvnRb+fRWU2VOSuU8cjDoLvOK bHXSzkT8F1/ypmeCxpfo5Fu/maVAMLt90n0j214claNzJ2GLGYU42hqqn2r4Iwov HWM2h6FPP10KhDzTmu9ifJkLAEDEAPB3a/diWjBijUEtaJB467Unag== =rQlP -----END PGP SIGNATURE----- From wk at gnupg.org Thu Apr 3 09:18:25 2008 From: wk at gnupg.org (Werner Koch) Date: Thu, 03 Apr 2008 09:18:25 +0200 Subject: Using CCID and PCSC In-Reply-To: <20080402215806.GA1013@ryu.matrix> (Michel Messerschmidt's message of "Wed, 2 Apr 2008 23:58:06 +0200") References: <20080402215806.GA1013@ryu.matrix> Message-ID: <87abkbquda.fsf@wheatstone.g10code.de> On Wed, 2 Apr 2008 23:58, lists at michel-messerschmidt.de said: > is there a possibility to force gnupg 2 to use the internal CCID > smartcard driver even if pcscd is running (something like the > --disable-ccid option but for pcsc) ? No. This can't work becuase pcscd has already claimed the interface. If you use --disable-ccid with pcscd GnuPG should have no problem using its inetrnal driver. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Thu Apr 3 09:20:21 2008 From: wk at gnupg.org (Werner Koch) Date: Thu, 03 Apr 2008 09:20:21 +0200 Subject: 1.4.9 availability In-Reply-To: <47F46B78.70501@hammernoch.net> ("Ludwig =?utf-8?Q?H=C3=BCgel?= =?utf-8?Q?sch=C3=A4fer=22's?= message of "Thu, 03 Apr 2008 07:30:32 +0200") References: <58542869CBA00141AB7E2F357F0F3FA303F39C08@crplivexc54.citnet.cit.com> <47F46B78.70501@hammernoch.net> Message-ID: <8763uzqua2.fsf@wheatstone.g10code.de> On Thu, 3 Apr 2008 07:30, mlisten at hammernoch.net said: > http://lists.gnupg.org/pipermail/ gives a 403 Use http://lists.gnupg.org/pipermail/gnupg-announce/ Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From gukgukcommunity at yahoo.com Thu Apr 3 10:31:05 2008 From: gukgukcommunity at yahoo.com (guk guk) Date: Thu, 3 Apr 2008 18:31:05 +1000 (EST) Subject: Decrypt file from PGP Desktop Professional Message-ID: <992532.51724.qm@web46013.mail.sp1.yahoo.com> Hi ! I'm a newbie in gnupg. If a file is encrypted using PGP Desktop Professional, is it possible for me to decrypt that file using gnupg ? If it's possible , how to do that ? Thanks ____________________________________________________________________________________ You rock. That's why Blockbuster's offering you one month of Blockbuster Total Access, No Cost. http://tc.deals.yahoo.com/tc/blockbuster/text5.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From wk at gnupg.org Thu Apr 3 11:38:27 2008 From: wk at gnupg.org (Werner Koch) Date: Thu, 03 Apr 2008 11:38:27 +0200 Subject: FYI: Website updated Message-ID: <8763uzp9bg.fsf@wheatstone.g10code.de> Hi, www.gnupg.org is now up to date and lists the current versions of the gnupg et al. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Thu Apr 3 12:04:45 2008 From: wk at gnupg.org (Werner Koch) Date: Thu, 03 Apr 2008 12:04:45 +0200 Subject: Siemens card reader In-Reply-To: <1207210634.13949.8.camel@dublin.local> ("Reinhard =?utf-8?Q?M=C3=BCller=22's?= message of "Thu, 03 Apr 2008 10:17:14 +0200") References: <1206885127.5177.5.camel@dublin.local> <87sky4qh2r.fsf@wheatstone.g10code.de> <1207210634.13949.8.camel@dublin.local> Message-ID: <871w5np83m.fsf@wheatstone.g10code.de> On Thu, 3 Apr 2008 10:17, reinhard.mueller at bytewise.at said: > gpg: DBG: ccid-driver: bMaxCCIDBusySlots 1 > gpg: DBG: ccid-driver: usb_bulk_read error: Resource temporarily That seems to be a problem with the reader's USB stack. I have seen similar things with other old readers. You might want to ask for a firmware update. The reader is also not listed at http://pcsclite.alioth.debian.org/ccid.html Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From shavital at mac.com Thu Apr 3 13:39:51 2008 From: shavital at mac.com (Charly Avital) Date: Thu, 03 Apr 2008 07:39:51 -0400 Subject: Decrypt file from PGP Desktop Professional In-Reply-To: <992532.51724.qm@web46013.mail.sp1.yahoo.com> References: <992532.51724.qm@web46013.mail.sp1.yahoo.com> Message-ID: <47F4C207.2010208@mac.com> guk guk wrote the following on 4/3/08 4:31 AM: > Hi ! > > I'm a newbie in gnupg. > If a file is encrypted using PGP Desktop Professional, is it possible for me to decrypt that file using gnupg ? > If it's possible , how to do that ? > Thanks > I also use PGP Desktop 9.8.1 (Build 2.5.3), Macintosh. I correspond with some one who also uses the same application, and decrypt his messages with gpg and/or gpg2. To use gpg to decrypt such messages, it all depends on what MUA and operating system you are using. The message you posted to the list was composed in X-Mailer: YahooMailRC/902.40 YahooMailWebService/0.7.185 I am not familiar with that mailer. Does it have a plug-in that enables it to communicate with GnuPG? If you are running some flavor of Windows, I believe there is something called PGP Tray (or similar) that night enable you to process messages with GnuPG in your mailer's message window. A Google search with Yahoomail Web GnuPG brought up a number of links that you can check at: Check according to your operating system. I use, here, Thunderbird+Enigmail. Enigmail enables Thunderbird to interact with GnuPG. When I receive a message from the person who uses PGP 9.8.1, Thunderbird+Enigmail processes it as any other encrypted, signed, or signed and encrypted message; I use either icons in the tool bar, or commands from the Menu. Regards, Charly MacOS 10.5.2 - MacBook Intel C2Duo - GnuPG 1.4.9 - GPG2 2.0.9 - Thunderbird 2.0.0.12- Enigmail 0.95.6 From ladislav.hagara at unob.cz Thu Apr 3 13:47:24 2008 From: ladislav.hagara at unob.cz (Ladislav Hagara) Date: Thu, 03 Apr 2008 13:47:24 +0200 Subject: FYI: Website updated In-Reply-To: <8763uzp9bg.fsf@wheatstone.g10code.de> References: <8763uzp9bg.fsf@wheatstone.g10code.de> Message-ID: <47F4C3CC.2000409@unob.cz> > www.gnupg.org is now up to date and lists the current versions of the > gnupg et al. And what about favicon.ico, still old logo? -- Ladislav Hagara From stephen.fromm at gmail.com Thu Apr 3 13:28:50 2008 From: stephen.fromm at gmail.com (Stephen Fromm) Date: Thu, 3 Apr 2008 07:28:50 -0400 Subject: gpg for symmetric key encryption: cipher mode of operation? Message-ID: <000f01c8957d$e6ba0360$6401a8c0@apollosjf> I'd like to use gpg for symmetric key encryption, but I cannot find anything that tells me the mode of operation (cbc, ecb, etc), either in the usage (e.g., the cipher choices themselves don't have e.g. "-cbc") or in the documentation. TIA, S From email at sven-radde.de Thu Apr 3 14:43:47 2008 From: email at sven-radde.de (Sven Radde) Date: Thu, 03 Apr 2008 14:43:47 +0200 Subject: gpg for symmetric key encryption: cipher mode of operation? In-Reply-To: <000f01c8957d$e6ba0360$6401a8c0@apollosjf> References: <000f01c8957d$e6ba0360$6401a8c0@apollosjf> Message-ID: <47F4D103.7060408@sven-radde.de> Hi! Stephen Fromm schrieb: > I'd like to use gpg for symmetric key encryption, but I cannot find > anything that tells me the mode of operation GnuPG does "a variant of CFB mode". The exact details are specified in the OpenPGP standard: HTH, Sven From dshaw at jabberwocky.com Thu Apr 3 14:52:09 2008 From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 3 Apr 2008 08:52:09 -0400 Subject: gpg for symmetric key encryption: cipher mode of operation? In-Reply-To: <000f01c8957d$e6ba0360$6401a8c0@apollosjf> References: <000f01c8957d$e6ba0360$6401a8c0@apollosjf> Message-ID: On Apr 3, 2008, at 7:28 AM, Stephen Fromm wrote: > I'd like to use gpg for symmetric key encryption, but I cannot find > anything that tells me the mode of operation (cbc, ecb, etc), either > in the usage (e.g., the cipher choices themselves don't have e.g. "- > cbc") or in the documentation. It's "sort of" CFB. See http://tools.ietf.org/html/rfc4880#section-13.9 David From wk at gnupg.org Thu Apr 3 16:10:17 2008 From: wk at gnupg.org (Werner Koch) Date: Thu, 03 Apr 2008 16:10:17 +0200 Subject: Siemens card reader In-Reply-To: <1207220879.13949.32.camel@dublin.local> ("Reinhard =?utf-8?Q?M=C3=BCller=22's?= message of "Thu, 03 Apr 2008 13:07:59 +0200") References: <1206885127.5177.5.camel@dublin.local> <87sky4qh2r.fsf@wheatstone.g10code.de> <1207210634.13949.8.camel@dublin.local> <871w5np83m.fsf@wheatstone.g10code.de> <1207220879.13949.32.camel@dublin.local> Message-ID: <877iffm3li.fsf@wheatstone.g10code.de> On Thu, 3 Apr 2008 13:07, reinhard.mueller at bytewise.at said: > Can I assume that all of the listed readers work with GnuPG? I'm > specifically looking for an internal reader, like the SCM-SCR333. They should at least work when using the PC/CS interface. Usually they should all work and some will even work better whne using gpg's driver (keypad support woraround for SCR-335). I am pretty sure that the SCR-333 will work. I once talked with an SCM engineer about that device and he confirmed that it uses the same chip as all other modern SCM readers. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Thu Apr 3 16:28:31 2008 From: wk at gnupg.org (Werner Koch) Date: Thu, 03 Apr 2008 16:28:31 +0200 Subject: FYI: Website updated In-Reply-To: <47F4C3CC.2000409@unob.cz> (Ladislav Hagara's message of "Thu, 03 Apr 2008 13:47:24 +0200") References: <8763uzp9bg.fsf@wheatstone.g10code.de> <47F4C3CC.2000409@unob.cz> Message-ID: <87zlsbko6o.fsf@wheatstone.g10code.de> On Thu, 3 Apr 2008 13:47, ladislav.hagara at unob.cz said: > And what about favicon.ico, still old logo? Updated. (Galeon does not show the icon, so I didn't noticed) Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From ravi2082 at gmail.com Thu Apr 3 15:53:18 2008 From: ravi2082 at gmail.com (ravi shankar) Date: Thu, 3 Apr 2008 19:23:18 +0530 Subject: Decrypting 2 files which were merged into 1 Message-ID: <402f074b0804030653x2643866cved1341c4749da493@mail.gmail.com> Hi All, We have been using gnupg to decrypt files pulled from a customer FTP server. On the customer side, the software used is some financial gateway software which sets flags for each of the files. Based on those flags we are given permission to pull those and decrypt. Sometimes there are 2 encrypted files placed on the customer side with the same name, not sure how thats possible on that financial gateway.So we have 2 encrypted files at their end with same name, say suppose one of 2 MB and the other 3 MB, when we fetch those at one go using FTP we are getting a combined encrypted file of 5 MB. This 5 MB file is then decrypted using our gnupg key to get the data out of it. Now when we decrypt, we are only seeing one set of data and other 3 MB data of the second file is lost. We are using the following command to decrypt echo "password" | gpg --verbose --no-tty --no-secmem-warning --passphrase-fd 0 "$fpgp" And we get the following trace > gpg: armor header: Version: GnuPG v1.2.1 (AIX) stderr > gpg: Signature made Wed Apr 2 16:32:08 2008 EDT using DSA key ID F83564E3 stderr > gpg: Can't check signature: public key not found stderr > gpg: onepass_sig with unknown version 73 stderr > gpg: WARNING: encrypted message has been manipulated! stderr> gpg: [don't know]: invalid packet (ctb=42) Though we get data of 1 file out of it correctly. Is there a way to decrypt the merged file correctly and extract entire data of both encrypted files within it correctly using gnupg? Thanks, Ravi From email at sven-radde.de Thu Apr 3 17:04:06 2008 From: email at sven-radde.de (Sven Radde) Date: Thu, 03 Apr 2008 17:04:06 +0200 Subject: Decrypting 2 files which were merged into 1 In-Reply-To: <402f074b0804030653x2643866cved1341c4749da493@mail.gmail.com> References: <402f074b0804030653x2643866cved1341c4749da493@mail.gmail.com> Message-ID: <47F4F1E6.5030205@sven-radde.de> Hi! Well apart from the fact that this whole thing sounds rather strange, I would assume that you should include a step to separate those two files again before decrypting both separately (and saving to two different names ;-). The message from GnuPG suggests to me that the files are ASCII armored so that should be rather simple to accomplish. HTH, Sven From ravi2082 at gmail.com Thu Apr 3 18:36:17 2008 From: ravi2082 at gmail.com (ravi shankar) Date: Thu, 3 Apr 2008 22:06:17 +0530 Subject: Decrypting 2 files which were merged into 1 In-Reply-To: <47F4F1E6.5030205@sven-radde.de> References: <402f074b0804030653x2643866cved1341c4749da493@mail.gmail.com> <47F4F1E6.5030205@sven-radde.de> Message-ID: <402f074b0804030936v751c5e1bl469187b7e001317d@mail.gmail.com> Hi Sorry for asking this again. We have an automated job which pulls the file from the client machine. Once the file has been fetched, we get the merged file(if there are 2 files present with same name on the client machine) directly. How can we separate the 2 encrypted files from the merged file? Is there a way to specifically extract 1 encrypted file out of that merged file and the other separately again? I mean some params,commands etc? Thanks in advance Ravi On Thu, Apr 3, 2008 at 8:34 PM, Sven Radde wrote: > Hi! > > Well apart from the fact that this whole thing sounds rather strange, I > would assume that you should include a step to separate those two files > again before decrypting both separately (and saving to two different names > ;-). > The message from GnuPG suggests to me that the files are ASCII armored so > that should be rather simple to accomplish. > > HTH, Sven > From wk at gnupg.org Thu Apr 3 18:41:24 2008 From: wk at gnupg.org (Werner Koch) Date: Thu, 03 Apr 2008 18:41:24 +0200 Subject: GnuPG v2.x? In-Reply-To: <47ED0FD6.4010807@sixdemonbag.org> (Robert J. Hansen's message of "Fri, 28 Mar 2008 10:33:42 -0500") References: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net> <47ED0FD6.4010807@sixdemonbag.org> Message-ID: <8763uylwln.fsf@wheatstone.g10code.de> On Fri, 28 Mar 2008 16:33, rjh at sixdemonbag.org said: > to your question, and one I suspect they will emphatically disagree > with. :) Let's see ... > exist mostly as rules of thumb and handed-down wisdom. I use 1.4.x only > because of the latter kind of reasons: particularly, the Small Tools > Principle and the Second System Effect. That is why we promised to keep 1.4 alive. > of the Small Tools Principle. When I build my own 1.4.x GnuPG, I > typically turn off all the options I don't need. The smaller my trusted > codebase, the more reliable the final product will be. Right. However there are so many features in gpg that I have doubts that it is really a small tool. The major problem is that gpg tries to implement the entire OpenPGP standard and quite some extra features. > doesn't sit well with me. I don't need the new capabilities of 2.x; > why, then, should I migrate to it? For my part, the convenience of the gpg-agent. > understand the architecture and design of the system. As GnuPG 1.0 > turned into 1.2 and 1.4, I kept track of the changes. I've not yet had > the time to study GnuPG 2.x. I don't know the architecture and design. The OpenPGP code (gpg2) is identical to the one from GnuPG 1.4. There are some exceptions: All low level crypto code has been moved out to Libgcrypt which in turn was created from the GnuPG 1.x code base. passphrase.c has been modified to use the standard code to access the gpg-agent (gpg1 uses some simplied code). In general we try to keep the code as similar as possible between gpg1 and gpg2 - this make maintenacne much easier. Of course there are plans to better integrate gpg2 into the entire GnuPG-2 framework. For example all secret key processing will eventually be moved to gpg-agent. This is to follow the crypto pronciple of putting all your keys into one basket and watch that basket very carefully. The real reason for GnuPG-2 is the support for S/MIME. This is all plain new code and you can't consider this the second system effect. S/MIME is an orthogonal addition to GnuPG. The code is definitely not as matured as the one for gpg 1.4 but it works reasonable well. I hope that I will eventually find the time to get trapped by the Second System Effect ;-). Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From email at sven-radde.de Thu Apr 3 19:13:48 2008 From: email at sven-radde.de (Sven Radde) Date: Thu, 03 Apr 2008 19:13:48 +0200 Subject: Decrypting 2 files which were merged into 1 In-Reply-To: <402f074b0804030936v751c5e1bl469187b7e001317d@mail.gmail.com> References: <402f074b0804030653x2643866cved1341c4749da493@mail.gmail.com> <47F4F1E6.5030205@sven-radde.de> <402f074b0804030936v751c5e1bl469187b7e001317d@mail.gmail.com> Message-ID: <1207242828.6353.11.camel@carbon> Hi! Am Donnerstag, den 03.04.2008, 22:06 +0530 schrieb ravi shankar: > Once the file has been fetched, we get the merged file(if there are 2 > files present with same name on the client machine) directly. How can > we separate the 2 encrypted files from the merged file? Is there a way > to specifically extract 1 encrypted file out of that merged file and > the other separately again? I mean some params,commands etc? Maybe I didn't make it clear that I think that it is not GnuPG's task to do the separation for you. Before even invoking GnuPG in your batch job, you should invoke a program to separate the two files. You will have to do some programming/scripting work of your own here, depending of how exactly those two files are merged into the one you're receiving. If they are simply concatenated ASCII-armored files that ought to be rather simple by parsing for the "END PGP MESSAGE" line in the middle of the file. HTH, Sven From mjkortve at optusnet.com.au Thu Apr 3 19:40:47 2008 From: mjkortve at optusnet.com.au (Michael) Date: Fri, 04 Apr 2008 03:40:47 +1000 Subject: re GPG 2.0 Message-ID: <47F5169F.8050905@optusnet.com.au> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ~ Hi everyone. I know this is probably a bit late, since I generally get the digest, and also only log on infrequently, but felt I might for the sake of anyone interested mention that I'm still using gpg 1.4.8 with Enigmail and thunderbird 2.0.0.12, and I think it pretty much works. ~ I also use to use GPGshell occasionally, just for a nice clear interface. ~ My question is should I upgrade to 1.4.9 for any particular reason? My understanding was that .8 is still more or less "current". Is .9 a security upgrade? ~ As an aside, I have an older version 1.4.1 I think on an older machine that runs an old linux system (Red Hat 9 to be specific) and I think keys created on that machine are compatible with 1.4.9, however on an even older system (Red Hat 7) I recall building a version of gpg 1.2.3 with the help of rpm. Would keys created with that version be usable or are they incompatible? ~ Michael. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) iD8DBQFH9RacVlIM867aTsoRAuDNAJ45Jl/eGIXjLYNapPBFTifyjdvdvACgwgmJ ZPQyNH3MNsna27vLHPHmP24= =A4m3 -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Fri Apr 4 15:03:16 2008 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 4 Apr 2008 09:03:16 -0400 Subject: re GPG 2.0 In-Reply-To: <47F5169F.8050905@optusnet.com.au> References: <47F5169F.8050905@optusnet.com.au> Message-ID: <903DEECF-FBFE-4809-B7E0-C641C59B5C10@jabberwocky.com> On Apr 3, 2008, at 1:40 PM, Michael wrote: > ~ My question is should I upgrade to 1.4.9 for any particular > reason? My > understanding was that .8 is still more or less "current". Is .9 a > security upgrade? Yes. The flaw is not trivially exploitable, but there is always a chance. > ~ As an aside, I have an older version 1.4.1 I think on an older > machine > that runs an old linux system (Red Hat 9 to be specific) and I think > keys created on that machine are compatible with 1.4.9, however on an > even older system (Red Hat 7) I recall building a version of gpg 1.2.3 > with the help of rpm. Would keys created with that version be usable > or > are they incompatible? Very usable. GPG follows the OpenPGP standard, so any version of GPG should be able to handle any OpenPGP key. David From dshaw at jabberwocky.com Fri Apr 4 17:45:03 2008 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 4 Apr 2008 11:45:03 -0400 Subject: sign a public key ? In-Reply-To: <47F283FA.1030003@phibee.net> References: <47F283FA.1030003@phibee.net> Message-ID: <20080404154503.GA3715@jabberwocky.com> On Tue, Apr 01, 2008 at 08:50:34PM +0200, Phibee Network Operation Center wrote: > Hi > > i use this for crypt a tar archives: > > /usr/bin/gpg --recipient Stefan --encrypt /tmp/backup.tgz > > i use the public key of stefan for crypt, but when i start > he request all time a "o" (Yes) and say me (sorry in french) : You have several options here. If you know that the key is valid (say, if you met Stefan), then you can sign the key which tells the system that you know it is the right key. This will prevent GPG from asking you about it. gpg --sign-key Stefan (sign publically - signature can be exported for others to use) or gpg --lsign-key Stefan (sign locally - signature is local to you) Alternately, you can tell GPG to not ask the question at all. This is less good, but is still appropriate for certain uses where you know the key is the right one. gpg --trust-model always David From wk at gnupg.org Fri Apr 4 22:45:52 2008 From: wk at gnupg.org (Werner Koch) Date: Fri, 04 Apr 2008 22:45:52 +0200 Subject: GnuPG v2.x? In-Reply-To: <1207243216.6353.18.camel@carbon> (Sven Radde's message of "Thu, 03 Apr 2008 19:20:16 +0200") References: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net> <47ED0FD6.4010807@sixdemonbag.org> <8763uylwln.fsf@wheatstone.g10code.de> <1207243216.6353.18.camel@carbon> Message-ID: <874pahfiwv.fsf@wheatstone.g10code.de> On Thu, 3 Apr 2008 19:20, sven at radde.name said: > I'm just curious and do not mean to be offensive or to belittle the > effort to implement S/MIME, but is GnuPG's S/MIME implementation > actually used somewhere? Well, KDE uses it. It is further the only Unix S/MIME application (with KMail) which passed the compatibility checks done by the BSI [1]. Mozilla has been tested too but woth some problems. In fact the Mozilla Foundation rejected our offer to implement a couple of useful and necessary enhancements to their S/MIME implementation. The way Mozilla works is basically: Show a positive result but don't annoy the user if the signature is suspicious. The fact that Mozilla may fall back to 40 bit RC4 encryption may indicate that the developers do not consider privacy a major goal. > aware of (like being able to re-use OpenPGP key material 'transparently' > in an S/MIME certificate)? You can't do that for technical reasons. An X.509 certificate based on the key material from an OpenPGP key has just the key material in common but nothing else. This would only make sense if you store your private key on a smartcard. GnuPG supports creation of certificates (to be exact, certificate signing requests) using existing key material. Salam-Shalom, Werner [1] e.g. http://www.bsi.de/fachthem/verwpki/dokumente/1_2005.pdf (German) -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From allen.schultz at gmail.com Sat Apr 5 04:21:51 2008 From: allen.schultz at gmail.com (Allen Schultz) Date: Fri, 4 Apr 2008 20:21:51 -0600 Subject: GnuPG v2.x? In-Reply-To: <874pahfiwv.fsf@wheatstone.g10code.de> References: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net> <47ED0FD6.4010807@sixdemonbag.org> <8763uylwln.fsf@wheatstone.g10code.de> <1207243216.6353.18.camel@carbon> <874pahfiwv.fsf@wheatstone.g10code.de> Message-ID: <3f34f8420804041921v16d40716t868f7c2839b5bb24@mail.gmail.com> Does 2.x work in Vista? From wk at gnupg.org Sat Apr 5 11:23:10 2008 From: wk at gnupg.org (Werner Koch) Date: Sat, 05 Apr 2008 11:23:10 +0200 Subject: GnuPG v2.x? In-Reply-To: <3f34f8420804041921v16d40716t868f7c2839b5bb24@mail.gmail.com> (Allen Schultz's message of "Fri, 4 Apr 2008 20:21:51 -0600") References: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net> <47ED0FD6.4010807@sixdemonbag.org> <8763uylwln.fsf@wheatstone.g10code.de> <1207243216.6353.18.camel@carbon> <874pahfiwv.fsf@wheatstone.g10code.de> <3f34f8420804041921v16d40716t868f7c2839b5bb24@mail.gmail.com> Message-ID: <87ve2wejup.fsf@wheatstone.g10code.de> On Sat, 5 Apr 2008 04:21, allen.schultz at gmail.com said: > Does 2.x work in Vista? Yes. GnuPG-2 under Windows is pretty new so you might encounter some problems. A binary distribution is not yet available. The best way to build is to use the SVN trunk of gpg4win.org. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From kevhilton at gmail.com Sat Apr 5 15:26:57 2008 From: kevhilton at gmail.com (Kevin Hilton) Date: Sat, 5 Apr 2008 08:26:57 -0500 Subject: GnuPG v2.x? Message-ID: <96c450350804050626u61877e7dg755503d0edf34889@mail.gmail.com> But will it compile using in Vista using cygwin? -- Kevin Hilton From kevhilton at gmail.com Sat Apr 5 15:54:04 2008 From: kevhilton at gmail.com (Kevin Hilton) Date: Sat, 5 Apr 2008 08:54:04 -0500 Subject: GnuPG v2.x? Message-ID: <96c450350804050654i1b902cfal34f0fa7c193e0c01@mail.gmail.com> I think I can answer my own question --- No! I obtained svn sources, but during the make process, it failed with the following: gcc -I/usr/local/include -I/usr/local/include -I/usr/local/include -g -O2 -Wall -Wcast-align -Wshadow -Wstrict-prototypes -Wformat -Wno-format-y2k -Wformat-secu rity -Wpointer-arith -o gpg2.exe gpg.o server.o build-packet.o compress.o comp ress-bz2.o free-packet.o getkey.o keydb.o keyring.o seskey.o kbnode.o mainproc.o armor.o mdfilter.o textfilter.o progress.o misc.o openfile.o keyid.o parse-pack et.o cpr.o plaintext.o sig-check.o keylist.o pkglue.o pkclist.o skclist.o pubkey -enc.o passphrase.o seckey-cert.o encr-data.o cipher.o encode.o sign.o verify.o revoke.o decrypt.o keyedit.o dearmor.o import.o export.o trustdb.o tdbdump.o tdb io.o delkey.o keygen.o helptext.o keyserver.o photoid.o call-agent.o card-util.o exec.o ../common/libcommon.a ../jnlib/libjnlib.a ../gl/libgnu.a ../common/libg pgrl.a -lz -lbz2 -lresolv -lreadline /usr/local/lib/libintl.dll.a -liconv -L/us r/local/lib -L/usr/local/lib -lgcrypt -lgpg-error -L/usr/local/lib -lassuan -L /usr/local/lib -lgpg-error -liconv /usr/local/lib/libgpg-error.a(libgpg_error_la-strerror.o): In function `gpg_stre rror': /home/klal/libgpg-error-1.6/src/strerror.c:50: undefined reference to `_libintl_ dgettext' /usr/local/lib/libgpg-error.a(libgpg_error_la-strerror.o): In function `gpg_stre rror_r': /home/klal/libgpg-error-1.6/src/strerror.c:161: undefined reference to `_libintl _dgettext' /usr/local/lib/libgpg-error.a(libgpg_error_la-strsource.o): In function `gpg_str source': /home/klal/libgpg-error-1.6/src/strsource.c:36: undefined reference to `_libintl _dgettext' /home/klal/libgpg-error-1.6/src/strsource.c:36: undefined reference to `_libintl _dgettext' Info: resolving _rl_attempted_completion_over by linking to __imp__rl_attempted_ completion_over (auto-import) Info: resolving _rl_attempted_completion_function by linking to __imp__rl_attemp ted_completion_function (auto-import) Info: resolving _rl_inhibit_completion by linking to __imp__rl_inhibit_completio n (auto-import) Info: resolving _rl_catch_signals by linking to __imp__rl_catch_signals (auto-im port) Info: resolving _rl_outstream by linking to __imp__rl_outstream (auto-import) Info: resolving _rl_instream by linking to __imp__rl_instream (auto-import) Info: resolving _rl_readline_name by linking to __imp__rl_readline_name (auto-im port) -- Kevin Hilton From JPClizbe at tx.rr.com Sat Apr 5 22:37:03 2008 From: JPClizbe at tx.rr.com (John Clizbe) Date: Sat, 05 Apr 2008 15:37:03 -0500 Subject: GnuPG v2.x? In-Reply-To: <96c450350804050654i1b902cfal34f0fa7c193e0c01@mail.gmail.com> References: <96c450350804050654i1b902cfal34f0fa7c193e0c01@mail.gmail.com> Message-ID: <47F7E2EF.3040407@tx.rr.com> Kevin Hilton wrote: > I think I can answer my own question --- No! If you've gotten that far; ie, all other dependencies built, it's more like --- Maybe! > I obtained svn sources, but during the make process, it failed with > the following: > > gcc -I/usr/local/include -I/usr/local/include -I/usr/local/include -g -O2 -Wall > -Wcast-align -Wshadow -Wstrict-prototypes -Wformat -Wno-format-y2k -Wformat-secu > rity -Wpointer-arith -o gpg2.exe gpg.o server.o build-packet.o compress.o comp > ress-bz2.o free-packet.o getkey.o keydb.o keyring.o seskey.o kbnode.o mainproc.o > armor.o mdfilter.o textfilter.o progress.o misc.o openfile.o keyid.o parse-pack > et.o cpr.o plaintext.o sig-check.o keylist.o pkglue.o pkclist.o skclist.o pubkey > -enc.o passphrase.o seckey-cert.o encr-data.o cipher.o encode.o sign.o verify.o > revoke.o decrypt.o keyedit.o dearmor.o import.o export.o trustdb.o tdbdump.o tdb > io.o delkey.o keygen.o helptext.o keyserver.o photoid.o call-agent.o card-util.o > exec.o ../common/libcommon.a ../jnlib/libjnlib.a ../gl/libgnu.a ../common/libg > pgrl.a -lz -lbz2 -lresolv -lreadline /usr/local/lib/libintl.dll.a -liconv -L/us > r/local/lib -L/usr/local/lib -lgcrypt -lgpg-error -L/usr/local/lib -lassuan -L > /usr/local/lib -lgpg-error -liconv > /usr/local/lib/libgpg-error.a(libgpg_error_la-strerror.o): In function `gpg_stre > rror': > /home/klal/libgpg-error-1.6/src/strerror.c:50: undefined reference to `_libintl_ > dgettext' > /usr/local/lib/libgpg-error.a(libgpg_error_la-strerror.o): In function `gpg_stre > rror_r': looks like it can't find one of its dependencies. Rerun Cygwin's setup and make sure you've installed all of them, including any associated devel package. If you have, then you have a problem with your gettext/intl install. -- John P. Clizbe Inet: JPClizbe (a) tx DAWT rr DAHT con Ginger Bear Networks hkp://keyserver.gingerber,net "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 657 bytes Desc: OpenPGP digital signature URL: From kevhilton at gmail.com Sun Apr 6 00:42:34 2008 From: kevhilton at gmail.com (Kevin Hilton) Date: Sat, 5 Apr 2008 17:42:34 -0500 Subject: GnuPG v2.x? In-Reply-To: <96c450350804050654i1b902cfal34f0fa7c193e0c01@mail.gmail.com> References: <96c450350804050654i1b902cfal34f0fa7c193e0c01@mail.gmail.com> Message-ID: <96c450350804051542i644bccb5h7f3620bdafe626cd@mail.gmail.com> Hmm, thanks for the suggestion. I believe gnupg2 requires gettext 0.17 or greater -- cygwin ships with 0.16, with no higher version available in its mirrors. I downloaded the 0.17 sources from here: ftp://mirrors.kernel.org/gnu/gettext/, compiled and installed. I'm kind of stuck at this point. The intl package is contained within the gettext package correct? For some reason the cvs sources of gettext will not compile. I'm stuck in dependency hell! I'm finding not much luck with the cygwin mailing list either! From kevhilton at gmail.com Sun Apr 6 02:15:55 2008 From: kevhilton at gmail.com (Kevin Hilton) Date: Sat, 5 Apr 2008 19:15:55 -0500 Subject: GnuPG v2.x? In-Reply-To: <96c450350804051542i644bccb5h7f3620bdafe626cd@mail.gmail.com> References: <96c450350804050654i1b902cfal34f0fa7c193e0c01@mail.gmail.com> <96c450350804051542i644bccb5h7f3620bdafe626cd@mail.gmail.com> Message-ID: <96c450350804051715q48c16bc8r67343ca8f7904c0b@mail.gmail.com> Maybe this isnt for me. I did manage to get gettext compiled from cvs. Its now 0.18-pre1. However I think Im getting stuck at the same point: gcc -I/usr/local/include -I/usr/local/include -I/usr/local/include -g -O2 -Wall -Wcast-align -Wshadow -Wstrict-prototypes -Wformat -Wno-format-y2k -Wformat-secu rity -Wpointer-arith -o gpg2.exe gpg.o server.o build-packet.o compress.o comp ress-bz2.o free-packet.o getkey.o keydb.o keyring.o seskey.o kbnode.o mainproc.o armor.o mdfilter.o textfilter.o progress.o misc.o openfile.o keyid.o parse-pack et.o cpr.o plaintext.o sig-check.o keylist.o pkglue.o pkclist.o skclist.o pubkey -enc.o passphrase.o seckey-cert.o encr-data.o cipher.o encode.o sign.o verify.o revoke.o decrypt.o keyedit.o dearmor.o import.o export.o trustdb.o tdbdump.o tdb io.o delkey.o keygen.o helptext.o keyserver.o photoid.o call-agent.o card-util.o exec.o ../common/libcommon.a ../jnlib/libjnlib.a ../gl/libgnu.a ../common/libg pgrl.a -lz -lbz2 -lresolv -lreadline /usr/local/lib/libintl.dll.a -liconv -L/us r/local/lib -L/usr/local/lib -lgcrypt -lgpg-error -L/usr/local/lib -lassuan -L /usr/local/lib -lgpg-error -liconv /usr/local/lib/libgpg-error.a(libgpg_error_la-strerror.o): In function `gpg_stre rror': /home/klal/libgpg-error-1.6/src/strerror.c:50: undefined reference to `_libintl_ dgettext' /usr/local/lib/libgpg-error.a(libgpg_error_la-strerror.o): In function `gpg_stre rror_r': /home/klal/libgpg-error-1.6/src/strerror.c:161: undefined reference to `_libintl _dgettext' /usr/local/lib/libgpg-error.a(libgpg_error_la-strsource.o): In function `gpg_str source': /home/klal/libgpg-error-1.6/src/strsource.c:36: undefined reference to `_libintl _dgettext' /home/klal/libgpg-error-1.6/src/strsource.c:36: undefined reference to `_libintl _dgettext' Info: resolving _rl_attempted_completion_over by linking to __imp__rl_attempted_ completion_over (auto-import) Info: resolving _rl_attempted_completion_function by linking to __imp__rl_attemp ted_completion_function (auto-import) Info: resolving _rl_inhibit_completion by linking to __imp__rl_inhibit_completio n (auto-import) Info: resolving _rl_catch_signals by linking to __imp__rl_catch_signals (auto-im port) Info: resolving _rl_outstream by linking to __imp__rl_outstream (auto-import) Info: resolving _rl_instream by linking to __imp__rl_instream (auto-import) Info: resolving _rl_readline_name by linking to __imp__rl_readline_name (auto-im port) collect2: ld returned 1 exit status make[2]: *** [gpg2.exe] Error 1 make[2]: Leaving directory `/home/klal/temp/gnupg/gnupg2/gnupg/g10' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/home/klal/temp/gnupg/gnupg2/gnupg' make: *** [all] Error 2 Still seems like a gettext error. All libs are in /usr/local/libs Thanks for any suggestions or sympathies. From kevhilton at gmail.com Sun Apr 6 02:38:30 2008 From: kevhilton at gmail.com (Kevin Hilton) Date: Sat, 5 Apr 2008 19:38:30 -0500 Subject: GnuPG v2.x? In-Reply-To: <96c450350804051715q48c16bc8r67343ca8f7904c0b@mail.gmail.com> References: <96c450350804050654i1b902cfal34f0fa7c193e0c01@mail.gmail.com> <96c450350804051542i644bccb5h7f3620bdafe626cd@mail.gmail.com> <96c450350804051715q48c16bc8r67343ca8f7904c0b@mail.gmail.com> Message-ID: <96c450350804051738h3deb21feg46ef2d59152b2512@mail.gmail.com> Clarification, my libraries are in /usr/local/lib Also this link statement seems strange to me. Possibly this is correct?: -lreadline /usr/local/lib/libintl.dll.a From claws at thewildbeast.co.uk Sun Apr 6 08:48:03 2008 From: claws at thewildbeast.co.uk (Paul) Date: Sun, 6 Apr 2008 07:48:03 +0100 Subject: GnuPG v2.x? In-Reply-To: <874pahfiwv.fsf@wheatstone.g10code.de> References: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net> <47ED0FD6.4010807@sixdemonbag.org> <8763uylwln.fsf@wheatstone.g10code.de> <1207243216.6353.18.camel@carbon> <874pahfiwv.fsf@wheatstone.g10code.de> Message-ID: <20080406074803.242e1a48@thewildbeast> On Fri, 04 Apr 2008 22:45:52 +0200 Werner Koch wrote: > Well, KDE uses it. It is also used by Claws Mail for its S/MIME plugin. best regards Paul -- It isn't worth a nickle to two guys like you or me, but to a collector it is worth a fortune From hudson at osresearch.net Sun Apr 6 22:59:56 2008 From: hudson at osresearch.net (Trammell Hudson) Date: Sun, 6 Apr 2008 16:59:56 -0400 Subject: Re-attaching a signature Message-ID: <20080406205956.GX21197@osresearch.net> Is there a way to detach a signature from a message after it has already been signed and then to-reattach it? As an example, let's say that I've received a signed message encrypted to me and I want to be able to decrypt it, verify the signature and then re-encrypt it to resend it to someone else, but with the original signature rather than mine. I've been able to use gpgsplit to generate the separate packets from the outer-most encrypted message (the encryption key and the encrypted data packet), but do not know how to get the data packets from the message once it has been decrypted. Looking at the output from --list-packets, I'm interested in the 'onepass_sig', 'literal data' and 'signature' packets that are nested in the 'encrypted data' packet: :pubkey enc packet: version 3, algo 16, keyid 366DE80896CDC35C data: [2048 bits] data: [2048 bits] :encrypted data packet: length: 205 mdc_method: 2 gpg: encrypted with 2048-bit ELG-E key, ID 96CDC35C, created 2008-04-06 "Test Key " :compressed packet: algo=2 :onepass_sig packet: keyid 317BCDBAC7BE611A version 3, sigclass 00, digest 2, pubkey 17, last=1 :literal data packet: mode b (62), created 1207514699, name="clear.txt", raw data: 128 bytes :signature packet: algo 17, keyid 317BCDBAC7BE611A version 3, created 1207514699, md5len 5, sigclass 00 digest algo 2, begin of digest 8e 1e data: [158 bits] data: [158 bits] If I use --status-fd, there are lots of data reported, but I do not know if any of it can be used to generate the signature. The SIG_ID reported is 27 bytes long in radix-64, which would result in the 158 bit signature + 4 bit CRC, but I'd rather find an easier way! [GNUPG:] ENC_TO 366DE80896CDC35C 16 0 [GNUPG:] GOOD_PASSPHRASE [GNUPG:] BEGIN_DECRYPTION [GNUPG:] PLAINTEXT 62 1207514699 clear.txt [GNUPG:] PLAINTEXT_LENGTH 128 [GNUPG:] SIG_ID ziWhsXtNDWk/TEDZiE+nEZB0x/w 2008-04-06 1207514699 [GNUPG:] GOODSIG 317BCDBAC7BE611A Trammell Hudson [GNUPG:] VALIDSIG 2CAAF424FC407D1904A56AD8317BCDBAC7BE611A 2008-04-06 1207514699 0 3 0 17 2 00 2CAAF424FC407D1904A56AD8317BCDBAC7BE611A [GNUPG:] TRUST_UNDEFINED [GNUPG:] DECRYPTION_OKAY [GNUPG:] GOODMDC [GNUPG:] END_DECRYPTION Thanks! -- Trammell -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 155 bytes Desc: not available URL: From s_protsman at yahoo.com Mon Apr 7 06:07:56 2008 From: s_protsman at yahoo.com (Shawn Protsman) Date: Sun, 6 Apr 2008 21:07:56 -0700 (PDT) Subject: Decrypt file from PGP Desktop Professional Message-ID: <127028.20087.qm@web30805.mail.mud.yahoo.com> This is not a problem. I use both, PGP Desktop, gnupg and PGP Command Line interchangeably all the time. You would decrypt the file the same way you would any other file. Encrypted file with pgp: $ pgp -e appts.txt -r jd at foo.com appts.txt:encrypt (0:output file appts.txt.pgp) Decrypt the file with gpg: $ gpg -o appts.tmp.txt -d appts.txt.pgp You need a passphrase to unlock the secret key for user: "John Doe " 2048-bit ELG-E key, ID 6AD4EB61, created 2007-02-12 (main key ID BB93ECF1) gpg: encrypted with 2048-bit ELG-E key, ID 6AD4EB61, created 2007-02-12 "John Doe " ----- Original Message ---- From: guk guk To: gnupg-users at gnupg.org Sent: Thursday, April 3, 2008 1:31:05 AM Subject: Decrypt file from PGP Desktop Professional Hi ! I'm a newbie in gnupg. If a file is encrypted using PGP Desktop Professional, is it possible for me to decrypt that file using gnupg ? If it's possible , how to do that ? Thanks ____________________________________________________________________________________ You rock. That's why Blockbuster's offering you one month of Blockbuster Total Access, No Cost. http://tc.deals.yahoo.com/tc/blockbuster/text5.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From paulo.s.rod at bol.com.br Mon Apr 7 14:57:22 2008 From: paulo.s.rod at bol.com.br (paulo.s.rod) Date: Mon, 7 Apr 2008 10:57:22 -0200 Subject: Encrypt files using my secret key Message-ID: Guys, Please, is that possible to encrypt files with gnupg using my secret key ? Then other people could decrypt it using my public key, in order to have authenticity, that is, it came from me ? Thanks and regards, Paulo -------------- next part -------------- An HTML attachment was scrubbed... URL: From dshaw at jabberwocky.com Mon Apr 7 15:28:30 2008 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 7 Apr 2008 09:28:30 -0400 Subject: Encrypt files using my secret key In-Reply-To: References: Message-ID: On Apr 7, 2008, at 8:57 AM, paulo.s.rod wrote: > Guys, > > Please, is that possible to encrypt files with gnupg using my secret > key ? Then other people could decrypt it using my public key, in > order to have authenticity, that is, it came from me ? Not exactly. What you are looking for is a "signature". Signatures are made using your secret key, and can be verified by your public key, and it does show that it came from you (or at least, that it came from your key). However, signatures do not encrypt the data, so you get authenticity, but not confidentiality. If you want to encrypt also, you must encrypt on top of the signature. GPG can do this with "--sign -- encrypt". David From patrick at mozilla-enigmail.org Mon Apr 7 16:26:49 2008 From: patrick at mozilla-enigmail.org (Patrick Brunschwig) Date: Mon, 07 Apr 2008 16:26:49 +0200 Subject: GnuPG v2.x? In-Reply-To: <874pahfiwv.fsf__20991.1794089296$1207342473$gmane$org@wheatstone.g10code.de> References: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net> <47ED0FD6.4010807@sixdemonbag.org> <8763uylwln.fsf@wheatstone.g10code.de> <1207243216.6353.18.camel@carbon> <874pahfiwv.fsf__20991.1794089296$1207342473$gmane$org@wheatstone.g10code.de> Message-ID: Werner Koch wrote: [...] > necessary enhancements to their S/MIME implementation. The way Mozilla > works is basically: Show a positive result but don't annoy the user if > the signature is suspicious. The fact that Mozilla may fall back to 40 > bit RC4 encryption may indicate that the developers do not consider > privacy a major goal. I think that last statement is no longer true. As of Thunderbird 2.0, SeaMonkey 1.1 and Firefox 2.0 all 40 bit algorithms are disabled by default (but the user may still enable them if he knows how to change hidden prefs). -Patrick From hlmuller at yahoo.com Mon Apr 7 16:27:13 2008 From: hlmuller at yahoo.com (Harvey Muller) Date: Mon, 7 Apr 2008 07:27:13 -0700 (PDT) Subject: Encrypt files using my secret key Message-ID: <374495.33748.qm@web53609.mail.re2.yahoo.com> Paulo, I apologize in advance for the rtfm response, but you probably want to investigate the --sign and --clearsign options in the gpg manpage. If you are only looking for authenticity, and not secrecy, then encryption is probably not necessary. Best regards, Harvey ----- Original Message ---- From: paulo.s.rod To: gnupg-users Sent: Monday, April 7, 2008 8:57:22 AM Subject: Encrypt files using my secret key Guys, Please, is that possible to encrypt files with gnupg using my secret key ? Then other people could decrypt it using my public key, in order to have authenticity, that is, it came from me ? Thanks and regards, Paulo -------------- next part -------------- An HTML attachment was scrubbed... URL: From shavital at mac.com Mon Apr 7 17:30:40 2008 From: shavital at mac.com (Charly Avital) Date: Mon, 07 Apr 2008 11:30:40 -0400 Subject: gpg 2.0.9 - compiling problem In-Reply-To: <200411171111.04077.linux@codehelp.co.uk> References: <20041117095555.23839.qmail@web52102.mail.yahoo.com> <200411171111.04077.linux@codehelp.co.uk> Message-ID: <47FA3E20.2060101@mac.com> Hi, When trying to compile 2.0.9 on a PPC, I get the following: 1. End of ./configure: ------- GnuPG v2.0.9 has been configured as follows: Platform: Darwin (powerpc-apple-darwin9.2.2) OpenPGP: yes S/MIME: yes Agent: yes Smartcard: yes Protect tool: (default) Default agent: (default) Default pinentry: (default) Default scdaemon: (default) Default dirmngr: (default) ------- 2. But end of Make: -------- gcc -DHAVE_CONFIG_H -I. -I.. -I../gl -I../intl -DLOCALEDIR=\"/usr/local/share/locale\" -DGNUPG_BINDIR="\"/usr/local/bin\"" -DGNUPG_LIBEXECDIR="\"/usr/local/libexec\"" -DGNUPG_LIBDIR="\"/usr/local/lib/gnupg\"" -DGNUPG_DATADIR="\"/usr/local/share/gnupg\"" -DGNUPG_SYSCONFDIR="\"/usr/local/etc/gnupg\"" -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -g -O2 -Wall -Wno-pointer-sign -Wpointer-arith -MT t-convert.o -MD -MP -MF .deps/t-convert.Tpo -c -o t-convert.o t-convert.c mv -f .deps/t-convert.Tpo .deps/t-convert.Po gcc -I/usr/local/include -I/usr/local/include -I/usr/local/include -g -O2 -Wall -Wno-pointer-sign -Wpointer-arith -o t-convert t-convert.o libcommon.a ../jnlib/libjnlib.a ../gl/libgnu.a -L/usr/local/lib -lgcrypt -L/usr/local/lib -lgpg-error -L/usr/local/lib -lgpg-error -L/usr/local/lib -liconv ld: file not found: /usr/local/lib/libintl.8.dylib collect2: ld returned 1 exit status make[3]: *** [t-convert] Error 1 make[2]: *** [all] Error 2 make[1]: *** [all-recursive] Error 1 make: *** [all] Error 2 ------- 3. I got a lot of hits when Googling for 'ld: file not found: /usr/local/lib/libintl.8.dylib, that seems to be a part (?) of gettest. I tried to compile gettest 0.17, but 'make' failed. I had no problem compiling 2.0.9 on an Intel Mac. 4. What am I missing here? Thanks in advance, Charly From shavital at mac.com Mon Apr 7 20:13:51 2008 From: shavital at mac.com (Charly Avital) Date: Mon, 07 Apr 2008 14:13:51 -0400 Subject: Solved_ gpg 2.0.9 - compiling problem In-Reply-To: <200411171111.04077.linux@codehelp.co.uk> References: <20041117095555.23839.qmail@web52102.mail.yahoo.com> <200411171111.04077.linux@codehelp.co.uk> Message-ID: <47FA645F.1050805@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi, Please disregard my previous question. Could compile successfully gpg 2.0.9, with gpg-agent running, on a PPC. I found out why gettext's compiling failed, and fixed it. Updated libksba to 1.0.3 Updated libgcrypt to 1.4.0 GnuPG v2.0.9 has been configured as follows: Platform: Darwin (powerpc-apple-darwin9.2.2) OpenPGP: yes S/MIME: yes Agent: yes Smartcard: yes Protect tool: (default) Default agent: (default) Default pinentry: (default) Default scdaemon: (default) Default dirmngr: (default) $ gpg2 --version gpg (GnuPG) 2.0.9 Copyright (C) 2008 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, ELG, DSA, ELG Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 Used libraries: gcrypt(1.4.0) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (Darwin) Comment: GnuPG for Privacy Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJH+mRZAAoJEM3GMi2FW4Pvsw0H/AqVpwsrHlqrEuaFpglw3Wr2 IASKeOCpH7BVha1Bn9m8B/TZ0XI3Tfi/dwLpZXZBNmzG3LXk7c6giK51QkTqpA+q sqtP/1P8YYTz7Hz2JfskDIKzSi5PfVZqx13D9wIg/duLF28/T8EHMAL+JTLb1/4k /BzKwvUZD4170yRhFSVbbwv3mOFmg/MM+f7mnuPWLxiMQCncd2hU/nQP399LDwp1 hD9sB2OxCsIzScXrcTY9cqLN3/TD9iiZ+Um8UwvFYu8s6TjuL+QYfxOysXpbrFD1 VOGqFpP0WxP0G2q4cO4eb+EJqMZVRCdCl+NrIYOlDYCMJjs1SgKDsi+HS9ByEQk= =g6fu -----END PGP SIGNATURE----- From kevhilton at gmail.com Tue Apr 8 05:12:47 2008 From: kevhilton at gmail.com (Kevin Hilton) Date: Mon, 7 Apr 2008 22:12:47 -0500 Subject: GnuPG v2.x? In-Reply-To: <96c450350804051738h3deb21feg46ef2d59152b2512@mail.gmail.com> References: <96c450350804050654i1b902cfal34f0fa7c193e0c01@mail.gmail.com> <96c450350804051542i644bccb5h7f3620bdafe626cd@mail.gmail.com> <96c450350804051715q48c16bc8r67343ca8f7904c0b@mail.gmail.com> <96c450350804051738h3deb21feg46ef2d59152b2512@mail.gmail.com> Message-ID: <96c450350804072012h78081398n5863abcbf5792742@mail.gmail.com> Just updated to svn version gpg2 4739 Still have same problems trying to compile gpg2 under cygwin with the gettext error: gcc -I/usr/local/include -I/usr/local/include -g -O2 -Wall -Wcast-align -Wshado w -Wstrict-prototypes -Wformat -Wno-format-y2k -Wformat-security -Wpointer-arith -o gpg2.exe gpg.o server.o build-packet.o compress.o compress-bz2.o free-pack et.o getkey.o keydb.o keyring.o seskey.o kbnode.o mainproc.o armor.o mdfilter.o textfilter.o progress.o misc.o openfile.o keyid.o parse-packet.o cpr.o plaintext .o sig-check.o keylist.o pkglue.o pkclist.o skclist.o pubkey-enc.o passphrase.o seckey-cert.o encr-data.o cipher.o encode.o sign.o verify.o revoke.o decrypt.o k eyedit.o dearmor.o import.o export.o trustdb.o tdbdump.o tdbio.o delkey.o keygen .o helptext.o keyserver.o photoid.o call-agent.o card-util.o exec.o ../common/li bcommon.a ../jnlib/libjnlib.a ../gl/libgnu.a ../common/libgpgrl.a -lz -lbz2 -lr esolv -lreadline /usr/local/lib/libintl.dll.a -liconv -L/usr/local/lib -lgcry pt -lgpg-error -L/usr/local/lib -lassuan -L/usr/local/lib -lgpg-error -liconv /usr/local/lib/libgpg-error.a(libgpg_error_la-strerror.o): In function `gpg_stre rror': /home/klal/temp/gnupg/libgpg-error-1.6/src/strerror.c:50: undefined reference to `_libintl_dgettext' /usr/local/lib/libgpg-error.a(libgpg_error_la-strerror.o): In function `gpg_stre rror_r': /home/klal/temp/gnupg/libgpg-error-1.6/src/strerror.c:161: undefined reference t o `_libintl_dgettext' Info: resolving _rl_attempted_completion_over by linking to __imp__rl_attempted_ completion_over (auto-import) Info: resolving _rl_attempted_completion_function by linking to __imp__rl_attemp ted_completion_function (auto-import) Info: resolving _rl_inhibit_completion by linking to __imp__rl_inhibit_completio n (auto-import) Info: resolving _rl_catch_signals by linking to __imp__rl_catch_signals (auto-im port) Info: resolving _rl_outstream by linking to __imp__rl_outstream (auto-import) Info: resolving _rl_instream by linking to __imp__rl_instream (auto-import) Info: resolving _rl_readline_name by linking to __imp__rl_readline_name (auto-im port) collect2: ld returned 1 exit status make[2]: *** [gpg2.exe] Error 1 make[2]: Leaving directory `/home/klal/temp/gnupg/gpg2/g10' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/home/klal/temp/gnupg/gpg2' make: *** [all] Error 2 I've seen other people complain of a similar error trying to compile other programs, but never found a posted solution. I don't know a lot about playing with the link flags. Are there any suggestions I could try? From john.fitzpatrick at centralbank.ie Tue Apr 1 19:06:23 2008 From: john.fitzpatrick at centralbank.ie (JohnnyF1) Date: Tue, 1 Apr 2008 10:06:23 -0700 (PDT) Subject: 1.4.7 <-> 1.4.8 compatibility Message-ID: <16418735.post@talk.nabble.com> Hi, could anyone tell me if there are many problems with encrypting using 1.4.7 and decrypting in 1.4.8 and vice versa? I am aware of this one in relation to signing: http://www.nabble.com/SHA-224-problem-to14038812.html#a14040484 on the SHA-224 problem. Thank you in Advance John -- View this message in context: http://www.nabble.com/1.4.7-%3C-%3E-1.4.8-compatibility-tp16418735p16418735.html Sent from the GnuPG - User mailing list archive at Nabble.com. From bluewire at imapmail.org Wed Apr 2 17:24:30 2008 From: bluewire at imapmail.org (Neal Dudley) Date: Wed, 02 Apr 2008 10:24:30 -0500 Subject: Keysigning request Message-ID: <47F3A52E.40709@imapmail.org> Is there anyone in the Chicago area who would be willing and able to meet me to sign my GPG key? Yes, I have looked on Biglumber and contacted several people from there. Yes, I have searched for WoT groups in the area. No, not one person has met with me yet. I will only be in Chicago for the next few days. If you, or someone you know, is in the Chicago area and would be able to meet with me to id me and sign my key, I would very much appreciate it. Thank you for your time. From reinhard.mueller at bytewise.at Thu Apr 3 10:17:14 2008 From: reinhard.mueller at bytewise.at (Reinhard =?ISO-8859-1?Q?M=FCller?=) Date: Thu, 03 Apr 2008 10:17:14 +0200 Subject: Siemens card reader In-Reply-To: <87sky4qh2r.fsf@wheatstone.g10code.de> References: <1206885127.5177.5.camel@dublin.local> <87sky4qh2r.fsf@wheatstone.g10code.de> Message-ID: <1207210634.13949.8.camel@dublin.local> Am Mittwoch, den 02.04.2008, 19:53 +0200 schrieb Werner Koch: > Please add thse options > > --debug-ccid-driver --debug-ccid-driver > > so get more output (yes, give it twice). Use a test card, so that your > PIN is not visible in the output. Using these options with a card with PIN 123456 gives me: ---8<--- $ gpg --debug-ccid --debug-ccid --clearsign foo gpg: DBG: ccid-driver: using CCID reader 0 (ID=0BF8:1006:X:0) gpg: DBG: ccid-driver: idVendor: 0BF8 idProduct: 1006 bcdDevice: 0203 gpg: DBG: ccid-driver: ChipCard Interface Descriptor: gpg: DBG: ccid-driver: bLength 54 gpg: DBG: ccid-driver: bDescriptorType 33 gpg: DBG: ccid-driver: bcdCCID 1.00 gpg: DBG: ccid-driver: nMaxSlotIndex 0 gpg: DBG: ccid-driver: bVoltageSupport 7 ? gpg: DBG: ccid-driver: dwProtocols 3 T=0 T=1 gpg: DBG: ccid-driver: dwDefaultClock 4800 gpg: DBG: ccid-driver: dwMaxiumumClock 8000 gpg: DBG: ccid-driver: bNumClockSupported 4 gpg: DBG: ccid-driver: dwDataRate 10752 bps gpg: DBG: ccid-driver: dwMaxDataRate 412903 bps gpg: DBG: ccid-driver: bNumDataRatesSupp. 106 gpg: DBG: ccid-driver: dwMaxIFSD 254 gpg: DBG: ccid-driver: dwSyncProtocols 00000007 2-wire 3-wire I2C gpg: DBG: ccid-driver: dwMechanical 00000000 gpg: DBG: ccid-driver: dwFeatures 000207B2 gpg: DBG: ccid-driver: Auto configuration based on ATR gpg: DBG: ccid-driver: Auto clock change gpg: DBG: ccid-driver: Auto baud rate change gpg: DBG: ccid-driver: Auto PPS made by CCID gpg: DBG: ccid-driver: CCID can set ICC in clock stop mode gpg: DBG: ccid-driver: NAD value other than 0x00 accepted gpg: DBG: ccid-driver: Auto IFSD exchange gpg: DBG: ccid-driver: Short APDU level exchange gpg: DBG: ccid-driver: dwMaxCCIDMsgLen 271 gpg: DBG: ccid-driver: bClassGetResponse echo gpg: DBG: ccid-driver: bClassEnvelope echo gpg: DBG: ccid-driver: wlcdLayout none gpg: DBG: ccid-driver: bPINSupport 0 gpg: DBG: ccid-driver: bMaxCCIDBusySlots 1 gpg: DBG: ccid-driver: usb_bulk_read error: Resource temporarily unavailable gpg: DBG: ccid-driver: USB: CALLING USB_CLEAR_HALT gpg: DBG: ccid-driver: usb_bulk_read error: Resource temporarily unavailable gpg: DBG: ccid-driver: USB: RETRYING bulk_in AGAIN gpg: DBG: ccid-driver: usb_bulk_read error: Resource temporarily unavailable gpg: DBG: ccid-driver: USB: RETRYING bulk_in AGAIN gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 00 data: 3B FA 13 00 FF 81 31 80 45 00 31 C1 73 C0 01 00 00 90 00 B1 gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 01 data: 11 10 FF 45 00 80 00 gpg: DBG: ccid-driver: GetParametes returned 82 07 00 00 00 00 05 00 00 01 11 10 FF 45 00 80 00 gpg: DBG: ccid-driver: protocol ..........: T=1 gpg: DBG: ccid-driver: bmFindexDindex ....: 11 gpg: DBG: ccid-driver: bmTCCKST1 .........: 10 gpg: DBG: ccid-driver: bGuardTimeT1 ......: FF gpg: DBG: ccid-driver: bmWaitingIntegersT1: 45 gpg: DBG: ccid-driver: bClockStop ........: 00 gpg: DBG: ccid-driver: bIFSC .............: 128 gpg: DBG: ccid-driver: bNadValue .........: 0 gpg: DBG: ccid-driver: sending 61 07 00 00 00 00 06 01 00 00 11 10 FF 45 00 80 00 gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 01 data: 13 10 FF 45 00 80 00 gpg: DBG: ccid-driver: sending 6F 0B 00 00 00 00 07 04 00 00 00 A4 04 00 06 D2 76 00 01 24 01 gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 00 data: 6F 12 84 10 D2 76 00 01 24 01 01 01 00 01 00 00 07 AC 00 00 90 00 gpg: DBG: ccid-driver: sending 6F 05 00 00 00 00 08 04 00 00 00 CA 00 4F 00 gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 00 data: D2 76 00 01 24 01 01 01 00 01 00 00 07 AC 00 00 90 00 gpg: DBG: ccid-driver: sending 6F 05 00 00 00 00 09 04 00 00 00 CA 00 C4 00 gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 00 data: 00 FE FE FE 03 03 03 90 00 gpg: DBG: ccid-driver: sending 6F 05 00 00 00 00 0A 04 00 00 00 CA 00 6E 00 gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 00 data: 4F 10 D2 76 00 01 24 01 01 01 00 01 00 00 07 AC 00 00 73 81 9D C0 01 78 C1 05 01 04 00 00 20 C2 05 01 04 00 00 20 C3 05 01 04 00 00 20 C4 07 00 FE FE FE 03 03 03 C5 3C 4A D9 E9 39 32 E4 58 75 0A F5 80 98 2A 6F D3 72 87 7C A6 E3 1E 9A 5B 89 0C BA F5 36 7E 2E 09 93 74 5F EC 25 AD 08 A0 AE C6 F9 89 47 13 3A EC DA 62 61 0D E7 8A ED 10 D3 D0 C4 48 5B C6 3C C4 85 A6 CD 7E C6 6E 9E EC 33 65 F2 70 F2 75 E4 C3 2F 6C A5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CD 0C 44 D5 EB 94 44 D5 EB C2 44 D5 EB 3D 5E 08 72 65 69 6E 68 61 72 64 90 00 gpg: DBG: ccid-driver: sending 6F 05 00 00 00 00 0B 04 00 00 00 CA 00 5E 00 gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 00 data: 72 65 69 6E 68 61 72 64 90 00 gpg: DBG: ccid-driver: sending 6F 05 00 00 00 00 0C 04 00 00 00 CA 00 6E 00 gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 00 data: 4F 10 D2 76 00 01 24 01 01 01 00 01 00 00 07 AC 00 00 73 81 9D C0 01 78 C1 05 01 04 00 00 20 C2 05 01 04 00 00 20 C3 05 01 04 00 00 20 C4 07 00 FE FE FE 03 03 03 C5 3C 4A D9 E9 39 32 E4 58 75 0A F5 80 98 2A 6F D3 72 87 7C A6 E3 1E 9A 5B 89 0C BA F5 36 7E 2E 09 93 74 5F EC 25 AD 08 A0 AE C6 F9 89 47 13 3A EC DA 62 61 0D E7 8A ED 10 D3 D0 C4 48 5B C6 3C C4 85 A6 CD 7E C6 6E 9E EC 33 65 F2 70 F2 75 E4 C3 2F 6C A5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CD 0C 44 D5 EB 94 44 D5 EB C2 44 D5 EB 3D 5E 08 72 65 69 6E 68 61 72 64 90 00 gpg: DBG: ccid-driver: sending 6F 05 00 00 00 00 0D 04 00 00 00 CA 00 7A 00 gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 00 data: 93 03 00 20 B5 90 00 gpg: Bisher erstellte Signaturen: 8373 Bitte geben Sie die PIN ein [Verarbeitete Signaturen: 8373] gpg: DBG: ccid-driver: sending 6F 0B 00 00 00 00 0E 04 00 00 00 20 00 81 06 31 32 33 34 35 36 gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 00 data: 90 00 gpg: DBG: ccid-driver: sending 6F 0B 00 00 00 00 0F 04 00 00 00 20 00 82 06 31 32 33 34 35 36 gpg: DBG: ccid-driver: status: 00 error: 00 octet[9]: 00 data: 90 00 gpg: DBG: ccid-driver: sending 6F 28 00 00 00 00 10 04 00 00 00 2A 9E 9A 23 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 4E 64 F2 0F 81 0E 0E 5B A6 1A 4F A6 DE AB 51 67 A5 AB A0 31 gpg: DBG: ccid-driver: status: 41 error: F4 octet[9]: 00 data: gpg: DBG: ccid-driver: CCID command failed: Procedure byte conflict gpg: ccid_transceive failed: (0x10009) gpg: apdu_send_simple(0) failed: card inactive gpg: Beglaubigung fehlgeschlagen: Allgemeiner Fehler gpg: foo: clearsign failed: Allgemeiner Fehler gpg: DBG: ccid-driver: status: 01 error: 00 octet[9]: 01 data: ---8<--- Thanks, Reinhard -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 307 bytes Desc: Dies ist ein digital signierter Nachrichtenteil URL: From reinhard.mueller at bytewise.at Thu Apr 3 13:07:59 2008 From: reinhard.mueller at bytewise.at (Reinhard =?ISO-8859-1?Q?M=FCller?=) Date: Thu, 03 Apr 2008 13:07:59 +0200 Subject: Siemens card reader In-Reply-To: <871w5np83m.fsf@wheatstone.g10code.de> References: <1206885127.5177.5.camel@dublin.local> <87sky4qh2r.fsf@wheatstone.g10code.de> <1207210634.13949.8.camel@dublin.local> <871w5np83m.fsf@wheatstone.g10code.de> Message-ID: <1207220879.13949.32.camel@dublin.local> Werner, thanks for investigating. Am Donnerstag, den 03.04.2008, 12:04 +0200 schrieb Werner Koch: > The reader is also not listed at > http://pcsclite.alioth.debian.org/ccid.html Hm, this seems to be a useful page :-) Can I assume that all of the listed readers work with GnuPG? I'm specifically looking for an internal reader, like the SCM-SCR333. Thanks, Reinhard -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 307 bytes Desc: Dies ist ein digital signierter Nachrichtenteil URL: From sven at radde.name Thu Apr 3 19:20:16 2008 From: sven at radde.name (Sven Radde) Date: Thu, 03 Apr 2008 19:20:16 +0200 Subject: GnuPG v2.x? In-Reply-To: <8763uylwln.fsf@wheatstone.g10code.de> References: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net> <47ED0FD6.4010807@sixdemonbag.org> <8763uylwln.fsf@wheatstone.g10code.de> Message-ID: <1207243216.6353.18.camel@carbon> Hi! Am Donnerstag, den 03.04.2008, 18:41 +0200 schrieb Werner Koch: > The real reason for GnuPG-2 is the support for S/MIME. I'm just curious and do not mean to be offensive or to belittle the effort to implement S/MIME, but is GnuPG's S/MIME implementation actually used somewhere? As far as I see it, the mail clients that offer S/MIME do so far longer than GnuPG2 exists and therefore have their own implementations (or use other libs). Is there any benefit for GnuPG's S/MIME implementation that I am not aware of (like being able to re-use OpenPGP key material 'transparently' in an S/MIME certificate)? cu, Sven From shavital at netvision.net.il Mon Apr 7 20:12:48 2008 From: shavital at netvision.net.il (Charly Avital) Date: Mon, 07 Apr 2008 14:12:48 -0400 Subject: Solved_ gpg 2.0.9 - compiling problem In-Reply-To: <200411171111.04077.linux@codehelp.co.uk> References: <20041117095555.23839.qmail@web52102.mail.yahoo.com> <200411171111.04077.linux@codehelp.co.uk> Message-ID: <47FA6420.1070802@netvision.net.il> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi, Please disregard my previous question. Could compile successfully gpg 2.0.9, with gpg-agent running, on a PPC. I found out why gettext's compiling failed, and fixed it. Updated libksba to 1.0.3 Updated libgcrypt to 1.4.0 GnuPG v2.0.9 has been configured as follows: Platform: Darwin (powerpc-apple-darwin9.2.2) OpenPGP: yes S/MIME: yes Agent: yes Smartcard: yes Protect tool: (default) Default agent: (default) Default pinentry: (default) Default scdaemon: (default) Default dirmngr: (default) $ gpg2 --version gpg (GnuPG) 2.0.9 Copyright (C) 2008 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, ELG, DSA, ELG Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 Used libraries: gcrypt(1.4.0) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (Darwin) Comment: GnuPG for Privacy Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJH+mQcAAoJEM3GMi2FW4PvBnYIAJHP5R+SloOJlaYlNfSnjuYj amv5qI+/bY1SCwiUlTNnEe5lE//9WEP5M2ei0bmqCbsYwGhjGic0Fp2kFmcFyHlq u39mX9jeaD/xeB79VsLg6nstiH37ULqeLhW2gkojRBh5UNnvS1NQhyo3kDVJwQ4g ascW/Ms5xDFvvijeDtY6WE/gxVTifddExW/X1Mx0Cgz6tNsHMhPqQ3rWhOPfN/w4 g0OKc93jeYJHOA3LHrRCzhYmQtCNpNkARNpD1DzqXln9JlTQGmNdqUI3CVTIvl7Z 3+AD4M9+DfHYbg22KRZ63nWeP1GGi+ShO0VEJdPWQ42FpaNXKoEmrsSLrd0/9U8= =E0ki -----END PGP SIGNATURE----- From shavital at mac.com Tue Apr 8 16:28:02 2008 From: shavital at mac.com (Charly Avital) Date: Tue, 08 Apr 2008 10:28:02 -0400 Subject: gettext version 0.17 Message-ID: <47FB80F2.3080605@mac.com> Hi, [MacOS 10.5.2 - MacBook Intel C2Duo - GnuPG 1.4.9 - GPG2 2.0.9] I am running gpg 2.0.9, that I have compiled on March 26, 2008, using an existing gettext (GNU gettext-runtime) 0.14.5. Is there any advantage that I compile and install gettext (GNU gettext-runtime) 0.17 and then compile 2.0.9 again? TIA Charly From wk at gnupg.org Tue Apr 8 16:46:52 2008 From: wk at gnupg.org (Werner Koch) Date: Tue, 08 Apr 2008 16:46:52 +0200 Subject: GnuPG v2.x? In-Reply-To: (Patrick Brunschwig's message of "Mon, 07 Apr 2008 16:26:49 +0200") References: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net> <47ED0FD6.4010807@sixdemonbag.org> <8763uylwln.fsf@wheatstone.g10code.de> <1207243216.6353.18.camel@carbon> <874pahfiwv.fsf__20991.1794089296$1207342473$gmane$org@wheatstone.g10code.de> Message-ID: <87ve2s5rqb.fsf@wheatstone.g10code.de> On Mon, 7 Apr 2008 16:26, patrick at mozilla-enigmail.org said: > I think that last statement is no longer true. As of Thunderbird 2.0, > SeaMonkey 1.1 and Firefox 2.0 all 40 bit algorithms are disabled by > default (but the user may still enable them if he knows how to change > hidden prefs). We had this problem recently; not longer than half a year ago. I don't know what the current version of thunderbird was at that time. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From rjh at sixdemonbag.org Tue Apr 8 17:00:34 2008 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 08 Apr 2008 10:00:34 -0500 Subject: gettext version 0.17 In-Reply-To: <47FB80F2.3080605@mac.com> References: <47FB80F2.3080605@mac.com> Message-ID: <47FB8892.8040009@sixdemonbag.org> Charly Avital wrote: > Is there any advantage that I compile and install gettext (GNU > gettext-runtime) 0.17 and then compile 2.0.9 again? Not especially. If you really want to know the nitty-gritty details about the differences between versions, I'd suggest asking on the gettext mailing list. If you want to proceed with this, I'd recommend using Fink to install GnuPG2 and gettext. Fink is a much more convenient way to build packages from source. From rjh at sixdemonbag.org Tue Apr 8 17:35:31 2008 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 08 Apr 2008 10:35:31 -0500 Subject: Invalid cross certification? Message-ID: <47FB90C3.5060806@sixdemonbag.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 I'm beginning to do my own testing of GnuPG 2.0.9, and I'm seeing something a bit odd. I have a message encrypted and signed to myself which GnuPG 1.4.9 decrypts and verifies correctly. GnuPG 2.0.9 gives a warning about there being an invalid cross-certification. Googling was not especially helpful. Checking the source code, sig-check.c turned out to have the most useful bit of information: /* Check the backsig. This is a 0x19 signature from the ~ subkey on the primary key. The idea here is that it should ~ not be possible for someone to "steal" subkeys and claim ~ them as their own. The attacker couldn't actually use the ~ subkey, but they could try and claim ownership of any ~ signaures issued by it. */ So the obvious questions: 1. If 1.4.9 and 2.0.9 use the same crypto code for OpenPGP, why is there this difference in functionality? 2. How is it possible to put an 0x19 signature on the primary key from the subkey, in order to get rid of this error message? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iFYEAREIAAYFAkf7kMMACgkQf2XByo0Cu7PJRADfVUbPPX0AaqMmQTvS8vKLSU4L G9b2D6QqQS9H/gDfUDOtXYOBQbeVn+hJp6te7IlClAQ75wFHdPQuTYkBHAQBAQgA BgUCR/uQwwAKCRC3APSC/q+BCV7DB/9MUUKtRF3AR7QJY/HyhIoCY97jQOrmQhL0 +gao8vq/DPUj+1WcfbR4hG4eGbs3Xj20b7HTmj3X8Jjx/jiXWP82qbk7npwAmtyz 2KtHiEUz7iC/Glv2Tlgz0tPCGIVIpq5wOzZHm38mgge/S4WgRpC+Y7QOG3X/m7TZ Agy3jUKkiHd4fiAHxHQxIQj07M+L9AbHVawGr3ptmjSXJRp5enCBHyOHo7ex++fH IKD/whulUPQG09K7VnzDYqgT+VsPSpJ4yTjWGktTNJwdcg1WbuXxzrFyYrty6xot S1X7llqKy+glW97XFytMBl3AUSYjPcPk7lxQ7UB7vF1jft26jwtJ =rmQg -----END PGP SIGNATURE----- From wk at gnupg.org Tue Apr 8 18:44:06 2008 From: wk at gnupg.org (Werner Koch) Date: Tue, 08 Apr 2008 18:44:06 +0200 Subject: Invalid cross certification? In-Reply-To: <47FB90C3.5060806@sixdemonbag.org> (Robert J. Hansen's message of "Tue, 08 Apr 2008 10:35:31 -0500") References: <47FB90C3.5060806@sixdemonbag.org> Message-ID: <87y77o2t61.fsf@wheatstone.g10code.de> On Tue, 8 Apr 2008 17:35, rjh at sixdemonbag.org said: > 1. If 1.4.9 and 2.0.9 use the same crypto code for OpenPGP, why is > there this difference in functionality? I did a quick check and I can't find a difference in the code. Do youuse the same config file? Note that gpg tries to read a gpg.conf-2 file first. If David has no other idea, I'd ask you to send me that test signature. > 2. How is it possible to put an 0x19 signature on the primary key from > the subkey, in order to get rid of this error message? I am not sure whether this works. We probably never tested the case to rectify an invalid cross-signature: http://www.gnupg.org/faq/subkey-cross-certify.html (en)If you have been pointed to this page by someone who received a warning when verifying one of your signatures, your key does not contain a subkey cross-certification. You can easily add this cross-certification using GnuPG 1.4.3 or later. To do this, simply run "gpg --edit-key (yourkey)" and then enter "cross-certify". You'll need to type your passphrase, and GnuPG will add the necessary cross-certification. Once this is done, you should distribute your key however you like (send it to a keyserver, post on a web page, etc). If you have already done this and people are still receiving the warning, make sure they have updated their copy of your key from the keyserver or web page. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From dshaw at jabberwocky.com Tue Apr 8 19:22:12 2008 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 8 Apr 2008 13:22:12 -0400 Subject: Invalid cross certification? In-Reply-To: <47FB90C3.5060806@sixdemonbag.org> References: <47FB90C3.5060806@sixdemonbag.org> Message-ID: <20080408172212.GA14881@jabberwocky.com> On Tue, Apr 08, 2008 at 10:35:31AM -0500, Robert J. Hansen wrote: > I'm beginning to do my own testing of GnuPG 2.0.9, and I'm seeing > something a bit odd. I have a message encrypted and signed to myself > which GnuPG 1.4.9 decrypts and verifies correctly. GnuPG 2.0.9 gives a > warning about there being an invalid cross-certification. > > Googling was not especially helpful. Checking the source code, > sig-check.c turned out to have the most useful bit of information: > > /* Check the backsig. This is a 0x19 signature from the > ~ subkey on the primary key. The idea here is that it should > ~ not be possible for someone to "steal" subkeys and claim > ~ them as their own. The attacker couldn't actually use the > ~ subkey, but they could try and claim ownership of any > ~ signaures issued by it. */ > > So the obvious questions: > > 1. If 1.4.9 and 2.0.9 use the same crypto code for OpenPGP, why is > there this difference in functionality? This should work. I believe the code is identical around backsigs. > 2. How is it possible to put an 0x19 signature on the primary key from > the subkey, in order to get rid of this error message? It seems that there is a valid 0x19 signature already, as 1.4.9 does not give you a warning. Still, if you do --edit-key and then "cross-certify", you can add a backsig to any key you like. Looking at your signing subkey 8D02BBB3, I do see a valid backsig on it. Ah, I suspect this is the reason: subpkt 32 len 86 (signature: v4, class 0x19, algo 17, digest algo 11) Digest algo 11 is SHA-224, which is fairly recent. I believe it was added to libgcrypt somewhere in the 1.3.x development. Does your libgcrypt have it? David From ladislav.hagara at unob.cz Tue Apr 8 22:10:37 2008 From: ladislav.hagara at unob.cz (Ladislav Hagara) Date: Tue, 08 Apr 2008 22:10:37 +0200 Subject: gettext version 0.17 In-Reply-To: <47FB8892.8040009@sixdemonbag.org> References: <47FB80F2.3080605@mac.com> <47FB8892.8040009@sixdemonbag.org> Message-ID: <47FBD13D.1070000@unob.cz> >> Is there any advantage that I compile and install gettext (GNU >> gettext-runtime) 0.17 and then compile 2.0.9 again? >> > > Not especially. If you really want to know the nitty-gritty details > about the differences between versions, I'd suggest asking on the > gettext mailing list. http://cvs.savannah.gnu.org/viewvc/gettext/NEWS?revision=1.134&root=gettext&view=markup -- Ladislav Hagara From kloecker at kde.org Tue Apr 8 22:17:03 2008 From: kloecker at kde.org (Ingo =?iso-8859-1?q?Kl=F6cker?=) Date: Tue, 08 Apr 2008 22:17:03 +0200 Subject: GnuPG v2.x? In-Reply-To: <1207243216.6353.18.camel@carbon> References: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net> <8763uylwln.fsf@wheatstone.g10code.de> <1207243216.6353.18.camel@carbon> Message-ID: <200804082217.04263@erwin.ingo-kloecker.de> On Thursday 03 April 2008, Sven Radde wrote: > Hi! > > Am Donnerstag, den 03.04.2008, 18:41 +0200 schrieb Werner Koch: > > The real reason for GnuPG-2 is the support for S/MIME. > > I'm just curious and do not mean to be offensive or to belittle the > effort to implement S/MIME, but is GnuPG's S/MIME implementation > actually used somewhere? Yes. > As far as I see it, the mail clients that offer S/MIME do so far > longer than GnuPG2 exists and therefore have their own > implementations (or use other libs). GnuPG's S/MIME implementation was developed as part of the Aegypten project [1]. It is used in KMail and probably also in Mutt (but I'm not sure about the latter). The S/MIME implementation in KMail (via gpgme/gpgsm) is the only Free Software implementation of S/MIME that has passed the Sphinx interoperability tests of the Federal Office for Information Security (BSI) [2]. Regards, Ingo [1] http://www.gnupg.de/aegypten/ [2] http://www.bsi.bund.de/fachthem/verwpki/interoptests/testberichte.htm (German) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 194 bytes Desc: This is a digitally signed message part. URL: From shavital at mac.com Tue Apr 8 22:35:28 2008 From: shavital at mac.com (Charly Avital) Date: Tue, 08 Apr 2008 16:35:28 -0400 Subject: gettext version 0.17 In-Reply-To: <47FBD13D.1070000@unob.cz> References: <47FB80F2.3080605@mac.com> <47FB8892.8040009@sixdemonbag.org> <47FBD13D.1070000@unob.cz> Message-ID: <47FBD710.40909@mac.com> Ladislav Hagara wrote the following on 4/8/08 4:10 PM: [...] > Ladislav, thank you for the pointer. When I was trying to compile gpg 2.0.9, I kept getting an error warning about 'libintl.8.dylib', until I compiled and installed gettext 0.17. Charly From claws at thewildbeast.co.uk Wed Apr 9 08:15:15 2008 From: claws at thewildbeast.co.uk (Paul) Date: Wed, 9 Apr 2008 07:15:15 +0100 Subject: GnuPG v2.x? In-Reply-To: <200804082217.04263@erwin.ingo-kloecker.de> References: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net> <8763uylwln.fsf@wheatstone.g10code.de> <1207243216.6353.18.camel@carbon> <200804082217.04263@erwin.ingo-kloecker.de> Message-ID: <20080409071515.25eb08e2@thewildbeast> On Tue, 08 Apr 2008 22:17:03 +0200 Ingo Kl?cker wrote: > The S/MIME implementation in KMail (via > gpgme/gpgsm) is the only Free Software implementation of S/MIME that > has passed the Sphinx interoperability tests of the Federal Office for > Information Security (BSI) And what else did they test besides Kmail? best regards Paul -- It isn't worth a nickle to two guys like you or me, but to a collector it is worth a fortune From rjh at sixdemonbag.org Wed Apr 9 09:42:08 2008 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 09 Apr 2008 02:42:08 -0500 Subject: GnuPG v2.x? In-Reply-To: <20080409071515.25eb08e2@thewildbeast> References: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net> <8763uylwln.fsf@wheatstone.g10code.de> <1207243216.6353.18.camel@carbon> <200804082217.04263@erwin.ingo-kloecker.de> <20080409071515.25eb08e2@thewildbeast> Message-ID: <47FC7350.1060709@sixdemonbag.org> Paul wrote: > And what else did they test besides Kmail? It doesn't really matter if there were a hundred other S/MIME implementations tested by Sphinx, or if GnuPG's S/MIME implementation was the only one. The Sphinx evaluation criteria are what matters--not the competition. If the evaluation criteria are rigorous and demanding, then being the only one to pass is a major accomplishment even if no one else submitted. If the evaluation criteria are easy, then being the best of hundreds to pass the examination really doesn't amount to much at all. From wk at gnupg.org Wed Apr 9 10:14:21 2008 From: wk at gnupg.org (Werner Koch) Date: Wed, 09 Apr 2008 10:14:21 +0200 Subject: GnuPG v2.x? In-Reply-To: <200804082217.04263@erwin.ingo-kloecker.de> ("Ingo =?utf-8?Q?Kl=C3=B6cker=22's?= message of "Tue, 08 Apr 2008 22:17:03 +0200") References: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net> <8763uylwln.fsf@wheatstone.g10code.de> <1207243216.6353.18.camel@carbon> <200804082217.04263@erwin.ingo-kloecker.de> Message-ID: <878wzn30o2.fsf@wheatstone.g10code.de> On Tue, 8 Apr 2008 22:17, kloecker at kde.org said: > project [1]. It is used in KMail and probably also in Mutt (but I'm not > sure about the latter). The S/MIME implementation in KMail (via If Mutt has been compiled with the gpgme development package installed, it will have support. It is then just a matter of set crypt_use_gpgme in your .muttrc to switch from the OpenSSL based implementaion to the better integrated gpgme one. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Wed Apr 9 10:25:06 2008 From: wk at gnupg.org (Werner Koch) Date: Wed, 09 Apr 2008 10:25:06 +0200 Subject: Invalid cross certification? In-Reply-To: <20080408172212.GA14881@jabberwocky.com> (David Shaw's message of "Tue, 8 Apr 2008 13:22:12 -0400") References: <47FB90C3.5060806@sixdemonbag.org> <20080408172212.GA14881@jabberwocky.com> Message-ID: <874pab3065.fsf@wheatstone.g10code.de> On Tue, 8 Apr 2008 19:22, dshaw at jabberwocky.com said: > Digest algo 11 is SHA-224, which is fairly recent. I believe it was > added to libgcrypt somewhere in the 1.3.x development. Does your Right, since 1.3.0 (May 2007) but we neded to fixed the ASN OID in 1.3.2 (Dec 2007) to to an error in the OpenPGP RFC. Given that Libgcrypt was marked as development and gpg2 was not in wide use we did not put this workaround for the changed OID into GnuPG-2: /* This code is to work around a SHA-224 problem. RFC-4880 and the drafts leading up to it were published with the wrong DER prefix for SHA-224. Unfortunately, GPG pre-1.4.8 used this wrong prefix. What this code does is take all bad RSA signatures that use SHA-224, and re-checks them using the old, incorrect, DER prefix. Someday we should remove this code, and when we do remove it, pkcs1_encode_md can be made into a static function again. Note that GPG2 does not have this issue as it uses libgcrypt, which is being fixed while it is still a development version. */ However if you know verify a signature created with a faulty SHA-224 signature, gpg2 will flag it as bad. I hesitate to put the workaround into gpg2 unless more people complain about this problem. It would be better to fix the back signature. What about having gpg print a notice pointing to an online FAQ entry? Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From email at sven-radde.de Wed Apr 9 12:46:17 2008 From: email at sven-radde.de (Sven Radde) Date: Wed, 09 Apr 2008 12:46:17 +0200 Subject: Accessing the private DOs of the smartcard Message-ID: <47FC9E79.5060502@sven-radde.de> Hello GnuPG users, Is there a convenient way to access the data objects of the OpenPGP smartcard? The best thing I know is to use "gpg --card-edit" to get at the PIN-protected DOs, which is cumbersome and does not give a very machine-friendly output... What I am thinking of is the following: The card with its PIN counters represents a protection against brute force attempts, that is not available to other software-only crypto applications like EncFS, Truecrypt etc. Consequently, the card PIN can be shorter than the overlong passphrases needed to secure those applications. Now, it would be really nice to store a long passphrase into one of the PIN-protected data objects and have the possibility to pipe that to one of those applications. This way, e.g., a Truecrypt volume would be protected by a very long passphrase, while the owner has the convenience of "unlocking" that passphrase using his/her shorter smartcard PIN. Can this be accomplished using some scripting? Or may I suggest to add "--card-do1" through "--card-do4" as new commands to GnuPG which would print the respective string to standard output after asking for the PIN when applicable? Thanks for listening :-) Sven From dshaw at jabberwocky.com Wed Apr 9 14:53:43 2008 From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 9 Apr 2008 08:53:43 -0400 Subject: Invalid cross certification? In-Reply-To: <874pab3065.fsf@wheatstone.g10code.de> References: <47FB90C3.5060806@sixdemonbag.org> <20080408172212.GA14881@jabberwocky.com> <874pab3065.fsf@wheatstone.g10code.de> Message-ID: <5F0784E4-3649-4EBF-8665-686C97C0278C@jabberwocky.com> On Apr 9, 2008, at 4:25 AM, Werner Koch wrote: > On Tue, 8 Apr 2008 19:22, dshaw at jabberwocky.com said: > >> Digest algo 11 is SHA-224, which is fairly recent. I believe it was >> added to libgcrypt somewhere in the 1.3.x development. Does your > > Right, since 1.3.0 (May 2007) but we neded to fixed the ASN OID in > 1.3.2 > (Dec 2007) to to an error in the OpenPGP RFC. Given that Libgcrypt > was > marked as development and gpg2 was not in wide use we did not put this > workaround for the changed OID into GnuPG-2: > > /* This code is to work around a SHA-224 problem. RFC-4880 > and the drafts leading up to it were published with the > wrong DER prefix for SHA-224. Unfortunately, GPG pre-1.4.8 > used this wrong prefix. What this code does is take all > bad RSA signatures that use SHA-224, and re-checks them > using the old, incorrect, DER prefix. Someday we should > remove this code, and when we do remove it, pkcs1_encode_md > can be made into a static function again. Note that GPG2 > does not have this issue as it uses libgcrypt, which is > being fixed while it is still a development version. */ > > However if you know verify a signature created with a faulty SHA-224 > signature, gpg2 will flag it as bad. > > I hesitate to put the workaround into gpg2 unless more people complain > about this problem. It would be better to fix the back signature. > What > about having gpg print a notice pointing to an online FAQ entry? I'm trying to persuade myself that doing nothing is the right answer :) I rather like the FAQ idea, so we could print the notice on any failed SHA-224 verification? We might want to do that in 1.4.x as well, actually (with a reminder that we won't be fixing the signatures in the background forever). That way we could encourage people to fix the signatures as soon as possible. I need to check the backsig issuing code in keyedit.c to see how users can reissue backsigs. It shouldn't be too bad: backsigs live on the unhashed part of the signature. Maybe --expert could allow the backsig to be reissued. David From wk at gnupg.org Wed Apr 9 17:00:11 2008 From: wk at gnupg.org (Werner Koch) Date: Wed, 09 Apr 2008 17:00:11 +0200 Subject: Accessing the private DOs of the smartcard In-Reply-To: <47FC9E79.5060502@sven-radde.de> (Sven Radde's message of "Wed, 09 Apr 2008 12:46:17 +0200") References: <47FC9E79.5060502@sven-radde.de> Message-ID: <87lk3nxedg.fsf@wheatstone.g10code.de> On Wed, 9 Apr 2008 12:46, email at sven-radde.de said: > smartcard? The best thing I know is to use "gpg --card-edit" to get at > the PIN-protected DOs, which is cumbersome and does not give a very > machine-friendly output... You can script that (use --with-colons, --status-fd and command-fd). There is even a gpgme interface to it. It is also possible to read the content from a file in the --card-edit menu: privatedo 4 < FILE Another way to sscript this is by using gpg-agent and gpg-connect-agent. Have a look at the gpg/gpg-agent/scdaemon communication by enabling a log file for scdaemon and using "debug 1024". Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From claws at thewildbeast.co.uk Wed Apr 9 20:01:00 2008 From: claws at thewildbeast.co.uk (Paul) Date: Wed, 9 Apr 2008 19:01:00 +0100 Subject: GnuPG v2.x? In-Reply-To: <47FC7350.1060709@sixdemonbag.org> References: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net> <8763uylwln.fsf@wheatstone.g10code.de> <1207243216.6353.18.camel@carbon> <200804082217.04263@erwin.ingo-kloecker.de> <20080409071515.25eb08e2@thewildbeast> <47FC7350.1060709@sixdemonbag.org> Message-ID: <20080409190100.431f9008@thewildbeast> On Wed, 09 Apr 2008 02:42:08 -0500 "Robert J. Hansen" wrote: > It doesn't really matter if there were a hundred other S/MIME > implementations tested by Sphinx, or if GnuPG's S/MIME implementation > was the only one. The Sphinx evaluation criteria are what matters--not > the competition. That maybe true, but that is not what the OP said exactly. He didn't say GnuPG's S/MIME implementation passed, he said 'The S/MIME implementation in KMail'. So, I asked what other MUAs were tested. KMail is not the only MUA using GnuPG's S/MIME, Claws Mail does too. It's news to me if Claws Mail was tested - as a member of the dev team I would have expected to hear about it. So, I wondered, if KMail was the only MUA tested, then saying it is the only one that passed seems like a bit of semantic trickery, inferring, as it does, that others failed. best regards Paul -- It isn't worth a nickle to two guys like you or me, but to a collector it is worth a fortune From kloecker at kde.org Wed Apr 9 21:37:12 2008 From: kloecker at kde.org (Ingo =?iso-8859-1?q?Kl=F6cker?=) Date: Wed, 09 Apr 2008 21:37:12 +0200 Subject: GnuPG v2.x? In-Reply-To: <20080409190100.431f9008@thewildbeast> References: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net> <47FC7350.1060709@sixdemonbag.org> <20080409190100.431f9008@thewildbeast> Message-ID: <200804092137.13188@erwin.ingo-kloecker.de> On Wednesday 09 April 2008, Paul wrote: > On Wed, 09 Apr 2008 02:42:08 -0500 > > "Robert J. Hansen" wrote: > > It doesn't really matter if there were a hundred other S/MIME > > implementations tested by Sphinx, or if GnuPG's S/MIME > > implementation was the only one. The Sphinx evaluation criteria > > are what matters--not the competition. > > That maybe true, but that is not what the OP said exactly. He didn't > say GnuPG's S/MIME implementation passed, he said 'The S/MIME > implementation in KMail'. So, I asked what other MUAs were tested. Did you follow the link I provided? The PDFs available on this page contain the test reports. They are in German but it shouldn't be a problem to understand which solutions were tested. Anyway, KMail was the only Free Software MUA that was tested because testing costs a lot of money. The other tested solutions were proprietary plugins for Groupwise, Lotus Notes and MS Outlook, and a mail gateway running on Linux. Note that the BSI wasn't interested in testing all available MUAs. They only wanted to make sure that the MUA they have chosen for usage on Linux was interoperable with the other solutions used by them. Obviously, this statement is somewhat simplified (and might even be incorrect). Even though I'm the former maintainer of KMail I was only very marginally involved in the ?gypten project. > KMail is not the only MUA using GnuPG's S/MIME, Claws Mail does too. > It's news to me if Claws Mail was tested - as a member of the dev > team I would have expected to hear about it. So, I wondered, if KMail > was the only MUA tested, then saying it is the only one that passed > seems like a bit of semantic trickery, inferring, as it does, that > others failed. Shoot me for using semantic trickery. :-) I only answered Sven's provocative (as I understood it) question whether GnuPG's S/MIME implementation is actually used somewhere and what its benefits are. I didn't want to belittle other MUAs using GnuPG's S/MIME. Au contraire. IMO all Free Software MUAs should use GnuPG's S/MIME instead of rolling their own S/MIME implementation. I'm pretty sure passing the Sphinx-interoperability test wouldn't be much of a problem for any MUA doing so. Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 194 bytes Desc: This is a digitally signed message part. URL: From rjh at sixdemonbag.org Wed Apr 9 21:44:22 2008 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 09 Apr 2008 14:44:22 -0500 Subject: GnuPG v2.x? In-Reply-To: <20080409190100.431f9008@thewildbeast> References: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net> <8763uylwln.fsf@wheatstone.g10code.de> <1207243216.6353.18.camel@carbon> <200804082217.04263@erwin.ingo-kloecker.de> <20080409071515.25eb08e2@thewildbeast> <47FC7350.1060709@sixdemonbag.org> <20080409190100.431f9008@thewildbeast> Message-ID: <47FD1C96.9080000@sixdemonbag.org> Paul wrote: > So, I wondered, if KMail was the only MUA tested, then saying it is > the only one that passed seems like a bit of semantic trickery, > inferring, as it does, that others failed. [sigh] If you're going to misquote someone, at least do it accurately. The original poster's exact words were "is the only Free Software implementation of S/MIME that has passed the Sphinx interoperability tests." The parse is ambiguous. You can read it as meaning "only one Free Software implementation was submitted to Sphinx, and it passed". You can read it as "other Free Software implementations were submitted to Sphinx, and only KMail passed". Or you can do what I do, which is recognize that it's an ambiguous parse, and assume that the person speaking is a reasonable human being who is probably not engaging in semantic trickery. Accusing people of malfeasance when there is no clear evidence any occurred is a McCarthyism into which I do not wish to fall. Ingo is a reasonable human being. From claws at thewildbeast.co.uk Wed Apr 9 22:46:02 2008 From: claws at thewildbeast.co.uk (Paul) Date: Wed, 9 Apr 2008 21:46:02 +0100 Subject: GnuPG v2.x? In-Reply-To: <47FD1C96.9080000@sixdemonbag.org> References: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net> <8763uylwln.fsf@wheatstone.g10code.de> <1207243216.6353.18.camel@carbon> <200804082217.04263@erwin.ingo-kloecker.de> <20080409071515.25eb08e2@thewildbeast> <47FC7350.1060709@sixdemonbag.org> <20080409190100.431f9008@thewildbeast> <47FD1C96.9080000@sixdemonbag.org> Message-ID: <20080409214602.4fa0af8b@thewildbeast> On Wed, 09 Apr 2008 14:44:22 -0500 "Robert J. Hansen" wrote: > [sigh] [bigger sigh] > If you're going to misquote someone, at least do it accurately. The > original poster's exact words were "is the only Free Software > implementation of S/MIME that has passed the Sphinx interoperability tests." Yes, exactly. That's why I asked what else was tested. I don't see any misquoting. As you say... > The parse is ambiguous. > You can read it as meaning "only one Free > Software implementation was submitted to Sphinx, and it passed". You > can read it as "other Free Software implementations were submitted to > Sphinx, and only KMail passed". Yes, exactly. That's why I asked what else was tested. > Or you can do what I do, which is recognize that it's an ambiguous > parse, and assume that the person speaking is a reasonable human being > who is probably not engaging in semantic trickery. Accusing people of > malfeasance when there is no clear evidence any occurred is a > McCarthyism into which I do not wish to fall. 'malfeasance' is a strong word. Alas, it seems that you might be slipping already! :) > Ingo is a reasonable human being. I didn't say otherwise. have a banana Paul -- Note to self: do as Robert does. From allen.schultz at gmail.com Wed Apr 9 23:50:05 2008 From: allen.schultz at gmail.com (Allen Schultz) Date: Wed, 9 Apr 2008 15:50:05 -0600 Subject: Accessing the private DOs of the smartcard In-Reply-To: <87lk3nxedg.fsf@wheatstone.g10code.de> References: <47FC9E79.5060502@sven-radde.de> <87lk3nxedg.fsf@wheatstone.g10code.de> Message-ID: <3f34f8420804091450p52e60c70ue582a12b1f6d1246@mail.gmail.com> Is there a FAQ for this question? I have either a 256 or a 512 MB USB Flash drive that I am not using. Is there anyway I can turn that into a smartcard for GNUPG and other security stuff? If so, is there a tutorial/walkthrough to setting that up? From reynt0 at cs.albany.edu Thu Apr 10 01:38:00 2008 From: reynt0 at cs.albany.edu (reynt0) Date: Wed, 9 Apr 2008 19:38:00 -0400 (EDT) Subject: GnuPG v2.x? In-Reply-To: <20080409071515.25eb08e2@thewildbeast> References: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net> <8763uylwln.fsf@wheatstone.g10code.de> <1207243216.6353.18.camel@carbon> <200804082217.04263@erwin.ingo-kloecker.de> <20080409071515.25eb08e2@thewildbeast> Message-ID: On Wed, 9 Apr 2008, Paul wrote: [back to the original, so quotation accuracy is not the issue] > On Tue, 08 Apr 2008 22:17:03 +0200 > Ingo Kl?cker wrote: > >> The S/MIME implementation in KMail (via >> gpgme/gpgsm) is the only Free Software implementation of S/MIME that >> has passed the Sphinx interoperability tests of the Federal Office for >> Information Security (BSI) > > And what else did they test besides Kmail? . . . Hmmmm.... The simple logic of that is like questions I often have, including when the topic is new to me or is about some "official" agency giving attention to someone or thing: him/her: "A did B to C." me: "Oh, did A do B to anyone/thing else?" It's a neutral way to learn more about not just B, but also about A and about C, plus about any D, E, ... which might be mentioned in the answer to my question. From email at sven-radde.de Thu Apr 10 07:51:47 2008 From: email at sven-radde.de (Sven Radde) Date: Thu, 10 Apr 2008 07:51:47 +0200 Subject: Accessing the private DOs of the smartcard In-Reply-To: <3f34f8420804091450p52e60c70ue582a12b1f6d1246@mail.gmail.com> References: <47FC9E79.5060502@sven-radde.de> <87lk3nxedg.fsf@wheatstone.g10code.de> <3f34f8420804091450p52e60c70ue582a12b1f6d1246@mail.gmail.com> Message-ID: <1207806708.6353.8.camel@carbon> Hi! Am Mittwoch, den 09.04.2008, 15:50 -0600 schrieb Allen Schultz: > I have either a 256 or a 512 MB USB Flash drive that I am not using. > Is there anyway I can turn that into a smartcard for GNUPG and other > security stuff? I was talking about the chip card, as seen here: http://www.g10code.de/p-card.html You cannot replicate its functionality with USB flash drives. If you think about "just" storing your GnuPG keys on a removable medium, that's relatively easy to do. Copy your GnuPG home directory to the stick and configure GnuPG to use that instead of the default directory, e.g. by giving "--homedir /path/to/usb/...". See also: Where the issue was discussed recently. HTH, Sven From claws at thewildbeast.co.uk Thu Apr 10 09:27:39 2008 From: claws at thewildbeast.co.uk (Paul) Date: Thu, 10 Apr 2008 08:27:39 +0100 Subject: GnuPG v2.x? In-Reply-To: <200804092137.13188@erwin.ingo-kloecker.de> References: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net> <47FC7350.1060709@sixdemonbag.org> <20080409190100.431f9008@thewildbeast> <200804092137.13188@erwin.ingo-kloecker.de> Message-ID: <20080410082739.381b3650@thewildbeast> On Wed, 09 Apr 2008 21:37:12 +0200 Ingo Kl?cker wrote: > IMO all Free Software MUAs should use GnuPG's S/MIME instead of rolling > their own S/MIME implementation. I couldn't agree more. Anyway, thanks for clearing that up! best regards Paul -- It isn't worth a nickle to two guys like you or me, but to a collector it is worth a fortune From dshaw at jabberwocky.com Fri Apr 11 22:17:27 2008 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 11 Apr 2008 16:17:27 -0400 Subject: Need Help In-Reply-To: <304216.41718.qm@web94109.mail.in2.yahoo.com> References: <304216.41718.qm@web94109.mail.in2.yahoo.com> Message-ID: <20080411201727.GA1546@jabberwocky.com> On Tue, Apr 08, 2008 at 02:47:40PM +0100, Debabrata Das wrote: > Hi All, > > Currently we are using GnuPG 1.4.7 which is under GPL V2 on HP-UX ,but we came to know that there is a security vulnerability on GnuPG 1.4.8 & earlier version.Since Gnupg 1.4.9 is under GPL V3 & we don't want to move to product under GPL v3.Can you please tell us if it is permissible to back port all the changes made to GnuPg 1.4.9 on to Gnupg 1.4.7. The recent bug only applies to 1.4.8 and 2.0.8. It does not apply to 1.4.7 or any earlier version. There is no need to backport any patches. David From dshaw at jabberwocky.com Fri Apr 11 22:32:50 2008 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 11 Apr 2008 16:32:50 -0400 Subject: Re-attaching a signature In-Reply-To: <20080406205956.GX21197@osresearch.net> References: <20080406205956.GX21197@osresearch.net> Message-ID: <20080411203250.GC1546@jabberwocky.com> On Sun, Apr 06, 2008 at 04:59:56PM -0400, Trammell Hudson wrote: > Is there a way to detach a signature from a message after it has > already been signed and then to-reattach it? As an example, let's > say that I've received a signed message encrypted to me and I want > to be able to decrypt it, verify the signature and then re-encrypt > it to resend it to someone else, but with the original signature > rather than mine. The OpenPGP protocol allows for this, but there are no tools that can currently do it. What you need is a change in GPG to unwrap only one layer of a layered object. Signed and encrypted data is layered with the data on the inside, then the signature around that, then the encryption around that. It's actually on my list of interesting things to do someday, but doesn't exist today. David From mca_debu at yahoo.co.in Tue Apr 8 15:47:40