From mel.gordon at wellnow.com Sat Jan 1 00:24:25 2011
From: mel.gordon at wellnow.com (Mel)
Date: Fri, 31 Dec 2010 18:24:25 -0500
Subject: gnupg-2.0.16 / Configures but won't MAKE - Need Help !
Message-ID: <20101231182425.0b2dcb31@wellnow.com>

Hi Users...after spending the last week and a half attempting to get
gnupg-2.0.16 compiled and installed.. I certainly could use some
assistance. I'm running a linux CentOS-5.5.x86_64 OS with an AMD64
processor. Either I've missed something, or there is a coding error in
the program ? I've extensively googled the error...nothing has solved
the error. All the required dependencies are compiled, and installed.
I've even done a "make clean" & deleted the directory entirely,
updateddb...then unpacked the tar.gz again. Still configures but won't
make.....frustrated ! Even tried a downgraded gnupg-2.0.15, but got the
same errors. I've used gnupg for a number of years, and never had a
problem until I tried to upgrade to this latest version ?

Any suggestions would be greatly appreciated.

Mel G.

-----------------------------------------------------------

[root at localhost gnupg-2.0.16]# ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
configure: autobuild project... gnupg
configure: autobuild revision... 2.0.16
configure: autobuild hostname... localhost.localdomain
configure: autobuild timestamp... 20101231-175330
checking for style of include used by make... GNU
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking dependency style of gcc... gcc3
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
checking whether SELinux support is requested... no
checking whether to enable the BZIP2 compression algorithm... yes
checking whether to enable external program execution... yes
checking whether to enable photo ID viewing... yes
checking whether to use a fixed photo ID viewer... no
checking whether to enable external keyserver helpers... yes
checking whether LDAP keyserver support is requested... yes
checking whether HKP keyserver support is requested... yes
checking whether finger key fetching support is requested... yes
checking whether generic object key fetching support is requested... yes
checking whether email keyserver support is requested... no
checking whether keyserver exec-path is enabled... yes
checking for the size of the key and uid cache... 4096
checking whether use of capabilities is requested... no
checking whether to enable the internal CCID driver... yes
checking whether to enable maintainer-specific portions of Makefiles... no
configure: checking for programs
checking whether make sets $(MAKE)... (cached) yes
checking whether build environment is sane... yes
checking for gawk... (cached) gawk
checking for gcc... (cached) gcc
checking whether we are using the GNU C compiler... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for gcc option to accept ISO C89... (cached) none needed
checking dependency style of gcc... (cached) gcc3
checking how to run the C preprocessor... gcc -E
checking whether gcc and cc understand -c and -o together... yes
checking whether ln -s works... yes
checking for ranlib... ranlib
checking for ar... ar
checking for perl... /usr/bin/perl
checking for windres... no
checking for strerror in -lcposix... no
checking for special C compiler options needed for large files... no
checking for _FILE_OFFSET_BITS value needed for large files... no
checking for faqprog.pl... no
checking for tar... /bin/tar
checking whether /bin/tar speaks USTAR... yes
checking for cc for build... gcc
checking whether to use a standard socket by default... no
configure: checking for libraries
checking for gpg-error-config... /usr/local/bin/gpg-error-config
checking for GPG Error - version >= 1.7... yes (1.10)
checking for libgcrypt-config... /usr/local/bin/libgcrypt-config
checking for LIBGCRYPT - version >= 1.4.0... yes (1.4.6)
checking LIBGCRYPT API version... okay
checking for libassuan-config... /usr/local/bin/libassuan-config
checking for LIBASSUAN - version >= 2.0.0... yes (2.0.1)
checking LIBASSUAN API version... okay
checking for ksba-config... /usr/local/bin/ksba-config
checking for KSBA - version >= 1.0.7... yes (1.1.0)
checking KSBA API version... okay
checking for usb_bulk_write in -lusb... yes
checking for usb_create_match... no
checking for library containing dlopen... -ldl
checking for openpty in -lutil... yes
checking for shred... /usr/bin/shred
checking for pth-config... /usr/bin/pth-config
checking for PTH - version >= 1.3.7... yes
checking whether PTH installation is sane... yes
configure: checking for networking options
checking for gethostbyname... yes
checking for setsockopt... yes
checking adns.h usability... no
checking adns.h presence... no
checking for adns.h... no
checking for adns_free... no
checking for library containing res_query... no
checking for library containing __res_query... -lresolv
checking for library containing dn_expand... no
checking for library containing __dn_expand... none required
checking for library containing dn_skipname... no
checking for library containing __dn_skipname... none required
checking whether the resolver is usable... yes
checking whether LDAP via "-lldap" is present and sane... yes
checking for ldap_get_option... yes
checking for ldap_set_option... yes
checking for ldap_start_tls_s... yes
checking for ldap_start_tls_sA... no
checking for gawk... (cached) gawk
checking for curl-config... /usr/bin/curl-config
checking for the version of libcurl... 7.15.5
checking for libcurl >= version 7.10... yes
checking whether libcurl is usable... yes
checking for curl_free... yes
checking for ld used by GCC... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for shared library run path origin... done
checking for iconv... yes
checking for working iconv... yes
checking for iconv declaration... install-shextern size_t iconv (iconv_t cd, char * *inbuf, size_t *inbytesleft, char * *outbuf, size_t *outbytesleft);
configure: checking for gettext
checking whether NLS is requested... yes
checking for msgfmt... /usr/bin/msgfmt
checking for gmsgfmt... /usr/bin/msgfmt
checking for xgettext... /usr/bin/xgettext
checking for msgmerge... /usr/bin/msgmerge
checking for CFPreferencesCopyAppValue... no
checking for CFLocaleCopyCurrent... no
checking for GNU gettext in libc... yes
checking whether to use NLS... yes
checking where the gettext function comes from... libc
checking for strchr... yes
checking for nl_langinfo and CODESET... yes
checking for LC_MESSAGES... yes
configure: checking for header files
checking for ANSI C header files... (cached) yes
checking for string.h... (cached) yes
checking for unistd.h... (cached) yes
checking langinfo.h usability... yes
checking langinfo.h presence... yes
checking for langinfo.h... yes
checking termio.h usability... yes
checking termio.h presence... yes
checking for termio.h... yes
checking locale.h usability... yes
checking locale.h presence... yes
checking for locale.h... yes
checking getopt.h usability... yes
checking getopt.h presence... yes
checking for getopt.h... yes
checking pty.h usability... yes
checking pty.h presence... yes
checking for pty.h... yes
checking pwd.h usability... yes
checking pwd.h presence... yes
checking for pwd.h... yes
checking for inttypes.h... (cached) yes
checking whether time.h and sys/time.h may both be included... yes
configure: checking for system characteristics
checking for an ANSI C-conforming const... yes
checking for inline... inline
checking for working volatile... yes
checking for size_t... yes
checking for mode_t... yes
checking return type of signal handlers... void
checking whether sys_siglist is declared... yes
checking for sys/socket.h... yes
checking for sys/time.h... yes
checking for unistd.h... (cached) yes
checking for wchar.h... yes
checking for stdint.h... (cached) yes
checking for socklen_t... yes
checking endianess... little
checking for byte typedef... no
checking for ushort typedef... yes
checking for ulong typedef... yes
checking for u16 typedef... no
checking for u32 typedef... no
checking size of unsigned short... 2
checking size of unsigned int... 4
checking size of unsigned long... 8
checking size of unsigned long long... 8
checking size of time_t... 8
checking for UINT64_C... yes
checking size of uint64_t... 8
configure: checking for library functions
checking whether getpagesize is declared... yes
checking for _LARGEFILE_SOURCE value needed for large files... no
checking for vprintf... yes
checking for _doprnt... no
checking for pid_t... yes
checking vfork.h usability... no
checking vfork.h presence... no
checking for vfork.h... no
checking for fork... yes
checking for vfork... yes
checking for working fork... yes
checking for working vfork... (cached) yes
checking for strerror... yes
checking for strlwr... no
checking for tcgetattr... yes
checking for mmap... yes
checking for strcasecmp... yes
checking for strncasecmp... yes
checking for ctermid... yes
checking for times... yes
checking for gmtime_r... yes
checking for unsetenv... yes
checking for fcntl... yes
checking for ftruncate... yes
checking for gettimeofday... yes
checking for getrusage... yes
checking for getrlimit... yes
checking for setrlimit... yes
checking for clock_gettime... no
checking for atexit... yes
checking for raise... yes
checking for getpagesize... yes
checking for strftime... yes
checking for nl_langinfo... yes
checking for setlocale... yes
checking for waitpid... yes
checking for wait4... yes
checking for sigaction... yes
checking for sigprocmask... yes
checking for pipe... yes
checking for stat... yes
checking for getaddrinfo... yes
checking for ttyname... yes
checking for rand... yes
checking for ftello... yes
checking for fsync... yes
checking for struct sigaction... yes
checking for sigset_t... yes
checking for memicmp... no
checking for stpcpy... yes
checking for strsep... yes
checking for strlwr... (cached) no
checking for strtoul... yes
checking for memmove... yes
checking for stricmp... no
checking for strtol... yes
checking for memrchr... yes
checking for isascii... yes
checking for timegm... yes
checking for getrusage... (cached) yes
checking for setrlimit... (cached) yes
checking for stat... (cached) yes
checking for setlocale... (cached) yes
checking for flockfile... yes
checking for funlockfile... yes
checking for fopencookie... yes
checking for funopen... no
checking for getpwnam... yes
checking for getpwuid... yes
checking for working alloca.h... yes
checking for alloca... yes
checking for stdlib.h... (cached) yes
checking for GNU libc compatible malloc... yes
checking for long long int... yes
checking for long double... yes
checking whether stat file-mode macros are broken... no
checking for unsigned long long int... yes
checking for mkdtemp... yes
checking for setenv... yes
checking for unsetenv... (cached) yes
checking for unsetenv() return type... int
checking for stdint.h... (cached) yes
checking for SIZE_MAX... yes
checking absolute name of <stdint.h>... ///usr/include/stdint.h
checking whether stdint.h conforms to C99... yes
checking for strpbrk... yes
checking for unistd.h... (cached) yes
checking for stdint.h... (cached) yes
checking for sys/stat.h... (cached) yes
checking for unistd.h... (cached) yes
checking direct.h usability... no
checking direct.h presence... no
checking for direct.h... no
checking if mkdir takes one argument... no
checking whether regular expression support is requested... yes
checking for library containing regcomp... none required
checking for regcomp... yes
checking whether your system's regexp library is broken... no
checking zlib.h usability... yes
checking zlib.h presence... yes
checking for zlib.h... yes
checking for deflateInit2_ in -lz... yes
checking for bzlib.h... no
checking whether readline via "-lreadline" is present and sane... no
checking whether readline via "-lreadline -ltermcap" is present and sane... no
checking whether readline via "-lreadline -lcurses" is present and sane... no
checking whether readline via "-lreadline -lncurses" is present and sane... no
configure: checking for cc features
checking if gcc supports -Wno-pointer-sign... yes
checking if gcc supports -Wpointer-arith... yes
configure: checking system features for estream-printf
checking for stdint.h... (cached) yes
checking for long long int... (cached) yes
checking for long double... yes
checking for intmax_t... yes
checking for uintmax_t... yes
checking for ptrdiff_t... yes
checking size of unsigned long... (cached) 8
checking size of void *... 8
checking for nl_langinfo and THOUSANDS_SEP... yes
configure: checking system features for estream
configure: creating ./config.status
config.status: creating m4/Makefile
config.status: creating Makefile
config.status: creating po/Makefile.in
config.status: creating gl/Makefile
config.status: creating include/Makefile
config.status: creating jnlib/Makefile
config.status: creating common/Makefile
config.status: creating kbx/Makefile
config.status: creating g10/Makefile
config.status: creating sm/Makefile
config.status: creating agent/Makefile
config.status: creating scd/Makefile
config.status: creating keyserver/Makefile
config.status: creating keyserver/gpg2keys_mailto
config.status: creating keyserver/gpg2keys_test
config.status: creating tools/gpg-zip
config.status: creating tools/Makefile
config.status: creating doc/Makefile
config.status: creating tests/Makefile
config.status: creating tests/openpgp/Makefile
config.status: creating tests/pkits/Makefile
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing depfiles commands
config.status: executing po-directories commands
config.status: creating po/POTFILES
config.status: creating po/Makefile

        GnuPG v2.0.16 has been configured as follows:

        Platform:  GNU/Linux (x86_64-unknown-linux-gnu)

        OpenPGP:   yes
        S/MIME:    yes
        Agent:     yes
        Smartcard: yes

        Protect tool:      (default)
        Default agent:     (default)
        Default pinentry:  (default)
        Default scdaemon:  (default)
        Default dirmngr:   (default)

RESULTS OF RUNNING MAKE:

status.c:25:26: error: status-codes.h: No such file or directory
status.c: In function ‘get_status_string’:
status.c:32: warning: implicit declaration of function ‘statusstr_msgidxof’
status.c:36: error: ‘statusstr_msgstr’ undeclared (first use in this function)
status.c:36: error: (Each undeclared identifier is reported only once
status.c:36: error: for each function it appears in.)
status.c:36: error: ‘statusstr_msgidx’ undeclared (first use in this function)
make[3]: *** [libcommon_a-status.o] Error 1
make[3]: Leaving directory `/usr/share/gnupg-2.0.16/common'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/usr/share/gnupg-2.0.16/common'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/share/gnupg-2.0.16'
make: *** [all] Error 2

From takethebus at gmx.de Sat Jan 1 16:07:00 2011
From: takethebus at gmx.de (takethebus at gmx.de)
Date: Sat, 01 Jan 2011 16:07:00 +0100
Subject: Signed key contains signer's user ID?
Message-ID: <20110101150700.99030@gmx.net>

Hi everybody,

does a signed key contain the signer's user ID or only his key ID?

Do you need to possess the signer's public key to see where he is the
signer of a signed key?

My gpg works that way, but I wonder whether it simply suppresses the
display of the signer's user ID, if I don't possess his public key.

I'm grateful for answers.

Sansibar

From telegraph at gmx.net Sat Jan 1 17:57:00 2011
From: telegraph at gmx.net (Gregor Zattler)
Date: Sat, 1 Jan 2011 17:57:00 +0100
Subject: Signed key contains signer's user ID?
In-Reply-To: <20110101150700.99030@gmx.net>
References: <20110101150700.99030@gmx.net>
Message-ID: <20110101165659.GA26230@shi.workgroup>

Hi Sansibar,

* takethebus at gmx.de [01. Jan. 2011]:
> does a signed key contain the signer's user ID

no

> or only his key ID?

yes

> Do you need to possess the signer's public key to see where he
> is the signer of a signed key?

yes

> My gpg works that way, but I wonder whether it simply
> suppresses the display of the signer's user ID, if I don't
> possess his public key.

no.

Ciao, Gregor
--
 -... --- .-. . -.. ..--.. ...-.-

From takethebus at gmx.de Sun Jan 2 04:30:53 2011
From: takethebus at gmx.de (takethebus at gmx.de)
Date: Sun, 02 Jan 2011 04:30:53 +0100
Subject: Is self-signing necessary? Basic questions.
Message-ID: <20110102033053.147530@gmx.net>

Hi everybody,

I tried to understand some of the concepts of GnuPG and would be
grateful for you to give me a feedback, whether I understood things
right. I'm especially interested in the concept of self-signed keys. My
key type is "RSA and RSA (PGP)". Here is what I understood:

My public key consists of the following:
public master signing key (pub),
public subordinate keys (sub),
User IDs.

Are the key IDs newly calculated every time GnuPG runs or are they
members of the public key like the user IDs, too?

Is the public master signing key ONLY used for signing and the public
subordinate key ONLY used for encryption?

Is the fingerprint of my public key ONLY the fingerprint of my public
master signing key?

When signing another key, what I do is to ONLY sign the other person's
public master signing key with my own private master signing key. I
don't sign a certain user ID or something. Is that right? (see the next
two points)

A self-signed public key is a public key whose following components
are signed by the private master signing key, belonging to the same key
pair:
public subordinate keys (sub),
User IDs,
(key IDs?).

Because the public key is self-signed, it is OK, to only sign the
public master key when signing a key. It is OK, because this key signed
the user IDs. But if that's so, don't I sign ALL user IDs (if there are
several) of that public key by signing the public master signing key?

Does GnuPG demand, that a public key must be self-signed, otherwise
it's "no key" at all?

Are keys checked automatically by GnuPG to be self-signed?

Can signatures be removed from a key again?

What about removing self-signatures, changing subordinate encryption
keys and user IDs? Is that possible/easy?

Thanks for the answers,
Sansibar

From mailinglisten at hauke-laging.de Sun Jan 2 05:09:48 2011
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Sun, 2 Jan 2011 05:09:48 +0100
Subject: Is self-signing necessary? Basic questions.
In-Reply-To: <20110102033053.147530@gmx.net>
References: <20110102033053.147530@gmx.net>
Message-ID: <201101020509.56924.mailinglisten@hauke-laging.de>

On Sunday 02 January 2011 04:30:53, takethebus at gmx.de wrote:

> Are the key IDs newly calculated every time GnuPG runs or are they members
> of the public key like the user IDs, too?

The key IDs are a small part of the key (SHA-1) hash value. Thus they
are part of the public key but I don't know whether explicitly or just
implicitly.

> Is the public master signing key ONLY used for signing and the public
> subordinate key ONLY used for encryption?

There are four key capabilities:
C: certification
S: signing
E: encryption (and decryption)
A: authentication

The main key is the only one which is used for key certifications (both
for its own subkeys and for other main keys) because only the main key
is identified by key certifications. The main key does not need any
other capability. Not to use the main key for anything other than
certifications allows you to keep that key offline (see
--export-secret-subkeys). It is not necessary but makes sense to deny
the main key all other capabilities if intended for offline use only.

You can create subkeys with one or several capabilities (except for
certification). In theory you could have a main key for certification
and encryption and a subkey for signing.

Subkeys can be created with a limited validity time. An offline main
key can easily be valid for a long time (or even forever).

> Is the fingerprint of my public key ONLY the fingerprint of my public
> master signing key?

Yes. The fingerprint refers to the key material itself and thus does
not change when UIDs or subkeys change. Everything else (UIDs, subkeys,
key configuration) is checked indirectly by checking the validity of
the main key's signature for this data.

> When signing another key, what I do is to ONLY sign the other person's
> public master signing key with my own private master signing key. I don't
> sign a certain user ID or something. Is that right? (see the next two
> points)

You verify only the main key itself by the fingerprint but you always
sign the key together with a UID. gpg --list-sigs shows this to you:
The root entry is pub, the uids are the next level ("connected" to pub)
and the signatures refer to UIDs.

> A self-signed public key is a public key whose following components are
> signed by the private master signing key, belonging to the same key pair:
> public subordinate keys (sub),
> User IDs,

A key must have at least one UID (at least with gpg) but need not have
any subkey.

> Because the public key is self-signed, it is OK, to only sign the public
> master key when signing a key. It is OK, because this key signed the user
> IDs. But if that's so, don't I sign ALL user IDs (if there are several) of
> that public key by signing the public master signing key?

You have to explicitly sign UIDs. AFAIK it is not possible to sign the
raw key alone.

> Does GnuPG demand, that a public key must be self-signed, otherwise it's
> "no key" at all?

Not demand but it seems to not make sense, see
--allow-non-selfsigned-uid:

"Allow the import and use of keys with user IDs which are not
self-signed. This is not recommended, as a non self-signed user ID is
trivial to forge."

But I do not understand the practical problem: What sense could it make
for an attacker to modify UIDs if the user of the public key verifies
the fingerprint?

> Are keys checked automatically by GnuPG to be self-signed?

I don't know but you can try. :-)

> Can signatures be removed from a key again?

Yes, that is easily possible:
1) --edit-key
2) if needed: uid ...
3) delsig

> What about removing self-signatures, changing subordinate encryption keys
> and user IDs? Is that possible/easy?

You get warned if you try to remove selfsigs. UIDs and subkeys can be
changed by commands like addkey delkey, see the man page for
--edit-key.

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From dshaw at jabberwocky.com Sun Jan 2 06:05:06 2011
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 2 Jan 2011 00:05:06 -0500
Subject: Is self-signing necessary? Basic questions.
In-Reply-To: <20110102033053.147530@gmx.net>
References: <20110102033053.147530@gmx.net>
Message-ID: <497685A4-E286-455B-AA00-26C3265059EB@jabberwocky.com>

On Jan 1, 2011, at 10:30 PM, takethebus at gmx.de wrote:

> Hi everybody,
>
> I tried to understand some of the concepts of GnuPG and would be
> grateful for you to give me a feedback, whether I understood things
> right. I'm especially interested in the concept of self-signed keys.
> My key type is "RSA and RSA (PGP)". Here is what I understood:
>
> My public key consists of the following:
> public master signing key (pub),
> public subordinate keys (sub),
> User IDs.
>
> Are the key IDs newly calculated every time GnuPG runs or are they
> members of the public key like the user IDs, too?

They are calculated by hashing the public key(s), and truncating to
fit. The key ID is actually the lower 64 bits of the fingerprint. The
*displayed* key ID is the lower 32 bits of that.

> Is the public master signing key ONLY used for signing and the public
> subordinate key ONLY used for encryption?

Traditionally, yes, but this is not a requirement. The only guarantee
is that the primary key must be able to certify other keys (i.e. sign
other keys or make new subkeys). In practice, a common setup (in fact,
the default setup in GnuPG) is to have a primary key to sign and a
subkey to encrypt.

> Is the fingerprint of my public key ONLY the fingerprint of my public
> master signing key?

In common usage, yes.
Subkeys do in fact have fingerprints, but by convention, the
fingerprint of the primary key is used as shorthand to refer to the
whole key.

> When signing another key, what I do is to ONLY sign the other
> person's public master signing key with my own private master signing
> key. I don't sign a certain user ID or something. Is that right? (see
> the next two points)

No, when you sign a key, you are signing their primary key, plus a
specified user ID. In effect, you are making a statement that "I
believe that this particular user ID and this particular primary key
belong together". If there are multiple user IDs, you can sign them all
(if you believe all of them are valid), or some. It's your choice.

There is a way to sign a key alone, without signing any user IDs.
Nobody supports it for 3rd party signatures like these.

> Does GnuPG demand, that a public key must be self-signed, otherwise
> it's "no key" at all?

By default, yes. You can override this, but it is not a good idea.
After all, if the owner of the key hasn't asserted that a particular
user ID is valid, why would you trust it?

> Can signatures be removed from a key again?

Yes. The "delsig" command in the --edit-key menu can delete signatures.
Note that if the signatures are on a keyserver, they'll just come back
the next time the key is refreshed though.

> What about removing self-signatures, changing subordinate encryption
> keys and user IDs? Is that possible/easy?

delsig is capable of removing self-signatures. I'm not sure what you
mean by "changing" a subkey, but delkey in the --edit-key menu can
delete it, revkey can revoke it, etc. Similarly, there is deluid and
revuid for user IDs.

David

From frankexchange at nospammail.net Sun Jan 2 05:24:27 2011
From: frankexchange at nospammail.net (frankexchange at nospammail.net)
Date: Sun, 02 Jan 2011 04:24:27 +0000
Subject: Default GPG Encryption Algorithm (symmetric cipher) is?
Message-ID: <1293942267.7601.1413093507@webmail.messagingengine.com>

Deja Dup on Ubuntu 10.04 LTS: Default GPG Encryption Algorithm
(symmetric cipher) is?

I am using Deja Dup to create encrypted backups before uploading
online. It uses GPG's default Symmetric Cipher (Encryption Algorithm)
to encrypt data.

Does anyone know exactly which default symmetric Cipher (Encryption
Algorithm) is used by GPG? Apparently it is CAST-128, but I cannot find
any citation online that confirms this is the case for the version of
GPG integrated into Ubuntu 10.04 LTS OS.

CAST-128
https://secure.wikimedia.org/wikipedia/en/wiki/CAST-128

I am a newbie to Ubuntu/Linux, so struggle to get my head around
command line/Terminal techniques, as such does anyone know if a GUI has
been created that enables the settings and options to be viewed or
changed on Ubuntu 10.04 LTS?

Thanks
Frank

From rjh at sixdemonbag.org Sun Jan 2 06:46:45 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 02 Jan 2011 00:46:45 -0500
Subject: Default GPG Encryption Algorithm (symmetric cipher) is?
In-Reply-To: <1293942267.7601.1413093507@webmail.messagingengine.com>
References: <1293942267.7601.1413093507@webmail.messagingengine.com>
Message-ID: <4D201145.6040703@sixdemonbag.org>

On 1/1/2011 11:24 PM, frankexchange at nospammail.net wrote:
> Does anyone know exactly which default symmetric Cipher (Encryption
> Algorithm) is used by GPG? Apparently it is CAST-128, but I cannot find
> any citation online that confirms this is the case for the version of
> GPG integrated into Ubuntu 10.04 LTS OS.

Forgive what may seem like a silly answer, but "whatever you told GnuPG
to use as a default." If you want CAST5-128, 3DES, AES256 or whatever,
just add:

default-cipher-preferences [algo name]

... to your ~/.gnupg/gpg.conf file. To get a list of algorithm names,
type "gpg --version" at a command line.

From frankexchange at nospammail.net Sun Jan 2 07:14:29 2011
From: frankexchange at nospammail.net (frankexchange at nospammail.net)
Date: Sun, 02 Jan 2011 06:14:29 +0000
Subject: Default GPG Encryption Algorithm (symmetric cipher) is?
In-Reply-To: <4D201145.6040703@sixdemonbag.org>
References: <1293942267.7601.1413093507@webmail.messagingengine.com> <4D201145.6040703@sixdemonbag.org>
Message-ID: <1293948869.25082.1413099741@webmail.messagingengine.com>

As mentioned I am a Linux newbie (command line averse) and like many
users of Ubuntu they would not know how to access details of what the
default symmetric cipher is.

Use of the term "default" was provided to mean the one GPG uses without
any user intervention IE: Default

So at risk of sounding silly, what is the Default symmetric cipher used
in GPG under Ubuntu 10.04 LTS?

Thanks
Frank

----- Original message -----
From: "Robert J. Hansen"
To: gnupg-users at gnupg.org
Date: Sun, 02 Jan 2011 00:46:45 -0500
Subject: Re: Default GPG Encryption Algorithm (symmetric cipher) is?

On 1/1/2011 11:24 PM, frankexchange at nospammail.net wrote:
> Does anyone know exactly which default symmetric Cipher (Encryption
> Algorithm) is used by GPG? Apparently it is CAST-128, but I cannot find
> any citation online that confirms this is the case for the version of
> GPG integrated into Ubuntu 10.04 LTS OS.

Forgive what may seem like a silly answer, but "whatever you told GnuPG
to use as a default." If you want CAST5-128, 3DES, AES256 or whatever,
just add:

default-cipher-preferences [algo name]

... to your ~/.gnupg/gpg.conf file. To get a list of algorithm names,
type "gpg --version" at a command line.

From tiago at xroot.org Sun Jan 2 06:57:00 2011
From: tiago at xroot.org (Tiago Faria)
Date: Sun, 2 Jan 2011 05:57:00 +0000
Subject: Default GPG Encryption Algorithm (symmetric cipher) is?
In-Reply-To: <1293942267.7601.1413093507@webmail.messagingengine.com>
References: <1293942267.7601.1413093507@webmail.messagingengine.com>
Message-ID: <20110102055700.5a4facb4@x41>

On Sun, 02 Jan 2011 04:24:27 +0000
frankexchange at nospammail.net wrote:

> Deja Dup on Ubuntu 10.04 LTS: Default GPG Encryption Algorithm
> (symmetric cipher) is?

If it uses GnuPG, then it will respect the rules set by your keyring
preferences. You can check the preferences with the command:

gpg --edit-key 0xYOURID pref

(if you don't know your ID, use gpg --list-secret-keys)

It will list what are the preferred ciphers, algorithms for integrity
and compression. If you want to change it, and use something else, you
can use the following command to see the supported values:

gpg --verbose --version

After that, you can change your preferences. Edit your key again:

gpg --edit-key 0xYOURID

and now use the 'setpref' option, respecting the values you got from
gpg --verbose --version command. For example:

setpref S9 S8 S7 S3 H10 H9 H8 H11 Z3 Z2 Z1 Z0

will configure a UID (these preferences are UID-based) to use:

Cipher: AES256, AES192, AES, CAST5, 3DES
Digest: SHA512, SHA384, SHA256, SHA224, SHA1
Compression: BZIP2, ZLIB, ZIP, Uncompressed

Hope this makes it easier for you to understand and edit to suit your
needs. I think I didn't miss anything, but feel free to correct me :)

Happy new year list!

Tiago
--
Tiago Faria | http://xroot.org
OpenPGP Key ID: 0xB9466FB4 | http://xroot.org/contact
FingerPrint: 27FB 1E35 81B8 5626 9450 EAFC 2517 8AB4 B946 6FB4

From tiago at xroot.org Sun Jan 2 07:04:40 2011
From: tiago at xroot.org (Tiago Faria)
Date: Sun, 2 Jan 2011 06:04:40 +0000
Subject: Default GPG Encryption Algorithm (symmetric cipher) is?
Message-ID: <20110102060440.27c0903b@x41>

> default-cipher-preferences [algo name]
> ... to your ~/.gnupg/gpg.conf file.

My bad for sending the last e-mail. While those settings apply to
hybrid systems, I don't know if this application generates a keyring,
and therefore, those instructions are not very helpful.

Sorry.

T
--
Tiago Faria | http://xroot.org
OpenPGP Key ID: 0xB9466FB4 | http://xroot.org/contact
FingerPrint: 27FB 1E35 81B8 5626 9450 EAFC 2517 8AB4 B946 6FB4

From rjh at sixdemonbag.org Sun Jan 2 09:21:32 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 02 Jan 2011 03:21:32 -0500
Subject: Default GPG Encryption Algorithm (symmetric cipher) is?
In-Reply-To: <1293948869.25082.1413099741@webmail.messagingengine.com>
References: <1293942267.7601.1413093507@webmail.messagingengine.com> <4D201145.6040703@sixdemonbag.org> <1293948869.25082.1413099741@webmail.messagingengine.com>
Message-ID: <4D20358C.4060702@sixdemonbag.org>

On 1/2/2011 1:14 AM, frankexchange at nospammail.net wrote:
> Use of the term "default" was provided to mean the one GPG uses without
> any user intervention IE: Default

And the answer here is exactly what I said: whatever you tell it to be.

Computers are complex beasts. Two installations of the same operating
system will be very similar in some ways and very different in others.
For some kinds of software, you can get away with saying "the default
is...". Security-related software is different: assuming that your
installation is just like somebody else's installation is dangerous. If
something's important to you, then you need to take steps to take
direct control of it.

But, since you're asking: by default it's CAST5-128. Don't depend on
this. This is what's true on my Ubuntu 10.04 LTS system: it may not be
the same for yours.
From larry-lists at maxqe.com Sun Jan 2 08:37:00 2011 From: larry-lists at maxqe.com (Larry Brower) Date: Sun, 02 Jan 2011 01:37:00 -0600 Subject: Default GPG Encryption Algorithm (symmetric cipher) is? In-Reply-To: <1293948869.25082.1413099741@webmail.messagingengine.com> References: <1293942267.7601.1413093507@webmail.messagingengine.com> <4D201145.6040703@sixdemonbag.org> <1293948869.25082.1413099741@webmail.messagingengine.com> Message-ID: <4D202B1C.5030600@maxqe.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 01/02/2011 12:14 AM, frankexchange at nospammail.net wrote: > As mentioned I am a Linux newbie (command line adverse) and like many > users of Ubuntu they would not know how access details of what the > default symmetric cipher is. > > Use of the term "default" was provided to mean the one GPG uses without > any user intervention IE: Default > > So at risk of sounding silly, what is the Default symmetric cipher used > in GPG under Unbuntu 10.04 LTS? > > Thanks > Frank > Perhaps try looking in ~/.gnupg/gpg.conf ? 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Sun Jan 2 11:35:23 2011 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sun, 02 Jan 2011 05:35:23 -0500 Subject: Default GPG Encryption Algorithm (symmetric cipher) is? In-Reply-To: <20110102055700.5a4facb4@x41> References: <1293942267.7601.1413093507@webmail.messagingengine.com> <20110102055700.5a4facb4@x41> Message-ID: <4D2054EB.1000503@sixdemonbag.org> On 1/2/2011 12:57 AM, Tiago Faria wrote: > If it uses GnuPG, then it will respect the rules set by your keyring > preferences. You can check the preferences with the command: It will respect default-cipher-preference. Certificate prefs are not used during symmetric encryption, since certs themselves are not used at all.
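Added example, not part of any message in this thread: a decoder for the setpref string quoted above, mapping each S/H/Z code to the algorithm name that gpg --verbose --version prints next to it. The Cipher line of the sample output is the one posted later in this thread; the Hash and Compression lines are constructed in the same layout from the OpenPGP (RFC 4880) algorithm ids, and the function names are hypothetical.

```python
import re

# Constructed sample of `gpg --verbose --version` output. The Cipher entries
# are the ones quoted in this thread; the Hash and Compression entries are
# constructed in the same "NAME (code)" layout using the RFC 4880 ids.
SAMPLE_VERSION_OUTPUT = """\
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8),
        AES256 (S9), TWOFISH (S10), CAMELLIA128 (S11), CAMELLIA192 (S12),
        CAMELLIA256 (S13)
Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9),
      SHA512 (H10), SHA224 (H11)
Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3)
"""

# The first letter of a code says which preference list it belongs to.
KINDS = {"S": "Cipher", "H": "Digest", "Z": "Compression"}

# RFC 4880 treats these as tacitly at the end of a list that omits them:
# 3DES for ciphers, SHA1 for digests, Uncompressed for compression.
IMPLICIT = {"S": "S2", "H": "H2", "Z": "Z0"}


def parse_supported(version_output):
    """Return {code: name} for every "NAME (Sn|Hn|Zn)" entry in the output.

    Wrapped continuation lines need no special handling because the code
    letter, not the line label, identifies the algorithm class.
    """
    pairs = re.findall(r"([A-Za-z0-9-]+) \(([SHZ]\d+)\)", version_output)
    return {code: name for name, code in pairs}


def decode_setpref(prefs, table):
    """Expand a setpref argument string into ordered lists of algorithm names."""
    result = {kind: [] for kind in KINDS.values()}
    seen = set()
    for token in prefs.split():
        code = token.upper()
        if code not in table:
            # A code this build does not list cannot be honoured locally.
            raise ValueError("unsupported preference code: " + token)
        if code in seen:
            continue  # keep only the first (highest-priority) occurrence
        seen.add(code)
        result[KINDS[code[0]]].append(table[code])
    # Append the tacit last-resort algorithm of each class if it was omitted.
    for letter, code in IMPLICIT.items():
        if code not in seen:
            result[KINDS[letter]].append(table[code])
    return result


if __name__ == "__main__":
    table = parse_supported(SAMPLE_VERSION_OUTPUT)
    decoded = decode_setpref("S9 S8 S7 S3 H10 H9 H8 H11 Z3 Z2 Z1 Z0", table)
    for kind, names in decoded.items():
        print(kind + ": " + ", ".join(names))
```
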
From free10pro at gmail.com Sun Jan 2 12:11:24 2011 From: free10pro at gmail.com (Paul Richard Ramer) Date: Sun, 02 Jan 2011 03:11:24 -0800 Subject: Having trouble getting GPG to accept input from a pinpad Message-ID: <4D205D5C.3050402@gmail.com> Hi, I am using an OpenPGP v2 card with an SCM SPR-532 smartcard reader, and I can't get GPG to take a PIN from the pinpad instead of the keyboard. When I run "gpg --card-edit" followed by any command that requires a PIN or Admin PIN, I get a password dialog box from pinentry, but I can only enter the PIN via a keyboard. I have followed the GnuPG Smartcard HOWTO, including setting up the udev rules and creating and adding my user account to the scard group. According to this post at , using the pinpad of my card reader should work (except when it doesn't ;-)). I don't have pcsc-lite installed. I am using GnuPG 1.4.10 (but also have GnuPG 2.0.14 installed) and am running it on top of Ubuntu 10.04. The versions of GnuPG that I have are what was available through my package manager. Thanks in advance for any help you can provide. -Paul -- PGP Key ID: 0x3DB6D884 PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884 From frankexchange at nospammail.net Sun Jan 2 13:15:39 2011 From: frankexchange at nospammail.net (frankexchange at nospammail.net) Date: Sun, 02 Jan 2011 12:15:39 +0000 Subject: Default GPG Encryption Algorithm (symmetric cipher) is? 
In-Reply-To: <4D2054EB.1000503@sixdemonbag.org> References: <1293942267.7601.1413093507@webmail.messagingengine.com><20110102055700.5a4facb4@x41> <4D2054EB.1000503@sixdemonbag.org> Message-ID: <1293970539.19022.1413120463@webmail.messagingengine.com> Thanks to everyone for providing tips, I found the answer at: "The default symmetric cipher used is CAST5" http://www.gnupg.org/documentation/manuals/gnupg/Operational-GPG-Commands.html and used the Ubuntu Terminal to list the ciphers used: Home: ~/.gnupg Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cipher: 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8), AES256 (S9), TWOFISH (S10), CAMELLIA128 (S11), CAMELLIA192 (S12), CAMELLIA256 (S13) Frank ----- Original message ----- From: "Robert J. Hansen" To: gnupg-users at gnupg.org Date: Sun, 02 Jan 2011 05:35:23 -0500 Subject: Re: Default GPG Encryption Algorithm (symmetric cipher) is? On 1/2/2011 12:57 AM, Tiago Faria wrote: > If it uses GnuPG, then it will respect the rules set by your keyring > preferences. You can check the preferences with the command: It will respect default-cipher-preference. Certificate prefs are not used during symmetric encryption, since certs themselves are not used at all. _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From neil.phillips39 at gmail.com Sun Jan 2 13:37:05 2011 From: neil.phillips39 at gmail.com (Neil Phillips) Date: Sun, 2 Jan 2011 12:37:05 +0000 (UTC) Subject: Encryting both file contents and file name with GnuPG Message-ID: Hi, I'm completely new to GnuPG. Can someone tell me how I can encrypt the name of the file that I want to encrypt please. Example: mySecrets.txt [a plain text file] I would like: szstt.asd [some 'apparently random name' file] [file contents encrypted] I see that secureZip can do this, I have used a trial version with success. However I would prefer to use GnuPG if possible. 
Neil From expires2011 at ymail.com Sun Jan 2 13:27:23 2011 From: expires2011 at ymail.com (MFPA) Date: Sun, 2 Jan 2011 12:27:23 +0000 Subject: Is self-signing necessary? Basic questions. In-Reply-To: <497685A4-E286-455B-AA00-26C3265059EB@jabberwocky.com> References: <20110102033053.147530@gmx.net> <497685A4-E286-455B-AA00-26C3265059EB@jabberwocky.com> Message-ID: <1647382176.20110102122723@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Sunday 2 January 2011 at 5:05:06 AM, in , David Shaw wrote: > There is a way to sign a key alone, without signing any > user IDs. Nobody supports it for 3rd party signatures > like these. That brings two questions to my mind. 1. How would you do that with GnuPG; it prompts to select user IDs? 2. What statement would such a signature actually be making? - -- Best regards MFPA mailto:expires2011 at ymail.com Editing is a rewording activity -----BEGIN PGP SIGNATURE----- -----END PGP SIGNATURE----- From expires2011 at ymail.com Sun Jan 2 05:27:40 2011 From: expires2011 at ymail.com (MFPA) Date: Sun, 2 Jan 2011 04:27:40 +0000 Subject: Is self-signing necessary? Basic questions. In-Reply-To: <201101020509.56924.mailinglisten@hauke-laging.de> References: <20110102033053.147530@gmx.net> <201101020509.56924.mailinglisten@hauke-laging.de> Message-ID: <1106700217.20110102042740@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Sunday 2 January 2011 at 4:09:48 AM, in , Hauke Laging wrote: >> Can signatures be removed from a key again? > Yes, that is easily possible: 1) --edit-key 2) if > needed: uid ... 3) delsig If the key has been sent to a keyserver or to another user while that signature is on it, deleting the signature from your local copy obviously will not remove it from their copy.
You can "revoke" a signature and send the key out again; the signature is still there but marked as revoked. You can also revoke user IDs, subkeys, or the entire key. - -- Best regards MFPA mailto:expires2011 at ymail.com Does anybody really read these things? -----BEGIN PGP SIGNATURE----- -----END PGP SIGNATURE----- From Mike_Acker at charter.net Sun Jan 2 13:15:25 2011 From: Mike_Acker at charter.net (Mike Acker) Date: Sun, 02 Jan 2011 07:15:25 -0500 Subject: Default GPG Encryption Algorithm (symmetric cipher) is? Message-ID: <4D206C5D.9070403@charter.net> Many Thanks to Tiago Faria Date:Sun, 2 Jan 2011 05:57:00 +0000 for excellent notes on editing GPG Keys. I had found neither GPA nor Kleo to have all of the edit capability that should be available for a key and in particular on the User ID and preferences for symmetric ciphers. The key to this is that you use command line ( no problemo ) and then use the --edit-key to open a dialog. I was used to using PGP and in that every command has its own --command format. The one thing that Tiago didn't touch on in his example ==> For example: setpref S9 S8 S7 S3 H10 H9 H8 H11 Z3 Z2 Z1 Z0 will configure a UID (these preferences are UID-based) to use: Cipher: AES256, AES192, AES, CAST5, 3DES Digest: SHA512, SHA384, SHA256, SHA224, SHA1 Compression: BZIP2, ZLIB, ZIP, Uncompressed Hope this makes it easier for you to understand and edit to suit your needs. I think I didn't miss anything, but feel free to correct me :) <== is: how does S9 equate to AES256 ? There has to be a way to find the equivalence between the verbose codes and the short hand. The User ID on a key may ( at the owner's option ) contain more than just the e/mail address.
If I remember rightly PGP will search any matching string in a key to use as an identifier so this could be a phone number or an employee number. Phone numbers, employee numbers, and e/mail addresses all tend to change when we change our affiliations so this would leave a question as to the best way to identify a key. For the purpose of ENIGMAIL the e/mail address would seem to be the best choice. Even though I am changing e/mail address or even though I have several e/mail addresses -- the public keys for these are on the server and if you address mail to me via ENIGMAIL it will find the key associated with the e/mail address you are using. All Good. Happy New Year All! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 292 bytes Desc: OpenPGP digital signature URL: From telegraph at gmx.net Sun Jan 2 14:57:17 2011 From: telegraph at gmx.net (Gregor Zattler) Date: Sun, 2 Jan 2011 14:57:17 +0100 Subject: Encryting both file contents and file name with GnuPG In-Reply-To: References: Message-ID: <20110102135717.GA13963@shi.workgroup> Hi Neil, * Neil Phillips [02. Jan. 2011]: > Can someone tell me how I can encrypt the name of the file that I want to > encrypt please. > > Example: > mySecrets.txt [a plain text file] > > I would like: > szstt.asd [some 'apparently random name' file] [file contents encrypted] You may invoke gnupg like this: gpg --output szstt.asd ... mySecrets.txt It's up to you, what file name you choose for the option --output. While I understand the need for file names other than mySecrets.gpg I think "application-IBM_2010-11-11.txt" looks way less suspicious than szstt.asd. That said both don't provide protection against closer looks. Ciao, Gregor -- -... --- .-. . -.. ..--..
...-.- From simon at josefsson.org Sun Jan 2 14:32:22 2011 From: simon at josefsson.org (Simon Josefsson) Date: Sun, 02 Jan 2011 14:32:22 +0100 Subject: Having trouble getting GPG to accept input from a pinpad In-Reply-To: <4D205D5C.3050402__43137.4791347936$1293968465$gmane$org@gmail.com> (Paul Richard Ramer's message of "Sun, 02 Jan 2011 03:11:24 -0800") References: <4D205D5C.3050402__43137.4791347936$1293968465$gmane$org@gmail.com> Message-ID: <87aajj5t3t.fsf@latte.josefsson.org> Paul Richard Ramer writes: > Hi, > > I am using an OpenPGP v2 card with an SCM SPR-532 smartcard reader, and > I can't get GPG to take a PIN from the pinpad instead of the keyboard. > When I run "gpg --card-edit" followed by any command that requires a PIN > or Admin PIN, I get a password dialog box from pinentry, but I can only > enter the PIN via a keyboard. IIRC the on-device PIN entry is only used for signing operations, not admin stuff -- so try proceeding anyway and then try signing. This kind of harms the point of having a on-device PIN entry, but it is still possible to setup the card on a secure machine and then use it in other environments. I'm using a SPR-532 too with GnuPG on Mac for SSH authentication, and I enter the PIN on the SPR-532 just fine. /Simon From jhs at berklix.com Sun Jan 2 14:32:09 2011 From: jhs at berklix.com (Julian H. Stacey) Date: Sun, 02 Jan 2011 14:32:09 +0100 Subject: Encryting both file contents and file name with GnuPG In-Reply-To: Your message "Sun, 02 Jan 2011 12:37:05 GMT." Message-ID: <201101021332.p02DW9u8029780@fire.js.berklix.net> Hi, Reference: > From: Neil Phillips > Date: Sun, 2 Jan 2011 12:37:05 +0000 (UTC) > Message-id: Neil Phillips wrote: > Hi, > I'm completely new to GnuPG. > Can someone tell me how I can encrypt the name of the file that I want to > encrypt please. 
> > Example: > mySecrets.txt [a plain text file] > > I would like: > szstt.asd [some 'apparently random name' file] [file contents encrypted] > > I see that secureZip can do this, I have used a trial version with success. > > However I would prefer to use GnuPG if possible. > > Neil I wouldnt have thought to look for that in GPG, try man gpg info gnupg Maybe you should look at using an encrypting file system. Some unixes have/ had eg CFS (maybe mount -r cfs ? guessing, try eg man mount apropos cfs More specifically: http://www.freebsd.org supports 2: man gbde gbde -- operation and management utility for Geom Based Disk Encryption man geli geli -- control utility for cryptographic GEOM class Doubtless Linux can offer crypting file systems too. Try apropos encrypt Cheers, Julian -- Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com Mail plain text; Not quoted-printable, or HTML or base 64. Avoid top posting, it cripples itemised cumulative responses. From dshaw at jabberwocky.com Sun Jan 2 16:01:35 2011 From: dshaw at jabberwocky.com (David Shaw) Date: Sun, 2 Jan 2011 10:01:35 -0500 Subject: Is self-signing necessary? Basic questions. In-Reply-To: <1647382176.20110102122723@my_localhost> References: <20110102033053.147530@gmx.net> <497685A4-E286-455B-AA00-26C3265059EB@jabberwocky.com> <1647382176.20110102122723@my_localhost> Message-ID: <955FCD26-BE44-4989-AC54-91C956E95AEC@jabberwocky.com> On Jan 2, 2011, at 7:27 AM, MFPA wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > Hi > > > On Sunday 2 January 2011 at 5:05:06 AM, in > , David Shaw > wrote: > >> There is a way to sign a key alone, without signing any >> user IDs. Nobody supports it for 3rd party signatures >> like these. > > That brings two questions to my mind. > 1. How would you do that with GnuPG; it prompts to select user IDs? You can't. Like I said, nobody supports it. 
Non-owner use of the direct key signature is one of those odd corners in OpenPGP that is needed in the spec to cover all possible cases, but is not needed in reality since nobody uses it. It would break the current model of the WoT, which is another knock against it. The only significant use of the direct-key signature is for key owners to add designated revokers to their key. Designated revokers are carried in a subpacket on a direct key signature. > 2. What statement would such a signature actually be making? Only that which is contained inside the signature subpackets of the signature itself. For example, if someone wanted to attach a notation to the key. David From neil.phillips39 at gmail.com Sun Jan 2 16:06:56 2011 From: neil.phillips39 at gmail.com (Neil Phillips) Date: Sun, 2 Jan 2011 15:06:56 +0000 (UTC) Subject: Encryting both file contents and file name with GnuPG References: Message-ID: SecureZip will take a file and encrypt both the filename and the file. so far with GnuPG i can only see how to encrypt the file. i do not want to use a specific name as there are too many files to do that. i want something like; gpg -recipient "Neil Phillips" -output_encrypt "mySecrets.txt" -encrypt "mySecrets.txt" where i end up with my source file "mySecrets.txt" and a GnuPG encrypted file whose name is the result of encrypting "mySecrets.txt" sort of nesting i guess. so where it says -output_encrypt "mySecrets.txt" i want the result of: gpg -recipient "Neil Phillips" -encrypt [just the name: "mySecrets.txt] i am using windows. the source file location is secure. i want to place a copy of the source file in an unsecure place. hence i want to rename the file as well as encrypt the file itself. so the question remains, can i encrypt the name of the file in GnuPG? 
Neil From dshaw at jabberwocky.com Sun Jan 2 16:08:51 2011 From: dshaw at jabberwocky.com (David Shaw) Date: Sun, 2 Jan 2011 10:08:51 -0500 Subject: Encryting both file contents and file name with GnuPG In-Reply-To: References: Message-ID: <97D200CD-BE7B-49E4-BA9B-FF6686A5415C@jabberwocky.com> On Jan 2, 2011, at 7:37 AM, Neil Phillips wrote: > Hi, > I'm completely new to GnuPG. > Can someone tell me how I can encrypt the name of the file that I want to > encrypt please. > > Example: > mySecrets.txt [a plain text file] > > I would like: > szstt.asd [some 'apparently random name' file] [file contents encrypted] GPG can use whatever filename you like. For example: gpg --output szstt.asd --encrypt ....... etc. Note that GPG does save the original ("mySecrets.txt" in your example) filename inside the encrypted bundle. It does not, however, use it when decrypting later. See the --use-embedded-filename option if you want to use that, but read the caveats in the man page about that option. David From neil.phillips39 at gmail.com Sun Jan 2 16:14:06 2011 From: neil.phillips39 at gmail.com (Neil Phillips) Date: Sun, 2 Jan 2011 15:14:06 +0000 (UTC) Subject: Encryting both file contents and file name with GnuPG References: <97D200CD-BE7B-49E4-BA9B-FF6686A5415C@jabberwocky.com> Message-ID: David Shaw jabberwocky.com> writes: > Note that GPG does save the original ("mySecrets.txt" in your example) filename inside the encrypted > bundle. It does not, however, use it when decrypting later. See the --use-embedded-filename option if > you want to use that, but read the caveats in the man page about that option. > > David > i was hoping to do the following; locate a source file. place the name of the source file in a log. encrypt the source file name and contents add to the log the name of the encrypted file. that way i have a list which tells me what the real name of the file is. i can use the log to pick which file i want to decrypt. 
the log will be kept locally which is secure for my purposes. Neil From dshaw at jabberwocky.com Sun Jan 2 16:28:36 2011 From: dshaw at jabberwocky.com (David Shaw) Date: Sun, 2 Jan 2011 10:28:36 -0500 Subject: Encryting both file contents and file name with GnuPG In-Reply-To: References: Message-ID: <029F8ADB-D2E1-4F4A-B05D-2162543F62A8@jabberwocky.com> On Jan 2, 2011, at 10:06 AM, Neil Phillips wrote: > SecureZip will take a file and encrypt both the filename and the file. > > so far with GnuPG i can only see how to encrypt the file. > > i do not want to use a specific name as there are too many files to do that. > i want something like; > > gpg -recipient "Neil Phillips" -output_encrypt "mySecrets.txt" -encrypt > "mySecrets.txt" > > where i end up with my source file "mySecrets.txt" and a GnuPG encrypted file > whose name is the result of encrypting "mySecrets.txt" > > sort of nesting i guess. > > so where it says -output_encrypt "mySecrets.txt" i want the result of: > gpg -recipient "Neil Phillips" -encrypt [just the name: "mySecrets.txt] > > i am using windows. the source file location is secure. > i want to place a copy of the source file in an unsecure place. > hence i want to rename the file as well as encrypt the file itself. GPG does not do this. GPG gives you the necessary hooks to do it yourself (i.e. the --output option), but does not do it for you. David From takethebus at gmx.de Sun Jan 2 17:04:07 2011 From: takethebus at gmx.de (takethebus at gmx.de) Date: Sun, 02 Jan 2011 17:04:07 +0100 Subject: Fingerprint useless if not self-signed key? Message-ID: <20110102160407.4720@gmx.net> Hi everybody, and thanks for the answers so far! I'm going to write an introduction to GnuPG/PGP and therefore I'm trying to understand some concepts. Especially I wonder what I'll tell people about the meaning of the fingerprint. From my point of view a fingerprint-check is useless, if the key is not self-signed (explanation at the end of the email).
Thus I wonder whether I shall advise people to check whether the key is self-signed, too. Checking whether a key is self-signed would not be necessary, if GnuPG didn't accept a key that isn't self-signed in ANY CASE. Especially, if GnuPG didn't accept a key with a missing self-signature on the subordinate public encryption key in ANY CASE. In my first email (Subject: "Is self-signing necessary? Basic questions.") I asked: > Does GnuPG demand, that a public key must be self-signed, otherwise it's "no key" at all? And thankfully David Shaw answered: >>By default, yes. You can override this, >>but it is not a good idea. Thus the answer to the question, whether one needs to check whether the key is self-signed is connected with the word "override". What did he mean with that? Changing the source code of my version of GnuPG on my hard disk and recompiling or changing some sort of configuration file on my hard disk? If that's the case, then I don't need to advise people to check whether a key is self-signed, because an attacker needs access to my hard disk to override the self-sign-check. But if he already has access to my hard disk, he can as well do worse things like installing a keylogger or something. Thus in this case I'm beaten already, isn't that so? Are there any other GnuPG/PGP versions, that don't check whether a key is self-signed by default? I tried to test whether GnuPG accepts to encrypt with a public key, where the self-signature is missing only at the public subordinate encryption key. But I wasn't able to remove it only at that key and leave the user ID self-signed. All I was able to do is the following. Does anybody know how to do it so I can test? -------------------------------------------------------------- >gpg --edit-key alice at nowhere.com pub 2048R/CB4B9C54 created: 2010-12-30 expires: never usage: SC trust: unknown validity: unknown sub 2048R/CCEFE99C created: 2010-12-30 expires: never usage: E [ unknown] (1).
Alice (Test) gpg> uid 1 pub 2048R/CB4B9C54 created: 2010-12-30 expires: never usage: SC trust: unknown validity: unknown sub 2048R/CCEFE99C created: 2010-12-30 expires: never usage: E [ unknown] (1)* Alice (Test) gpg> delsig uid Alice (Test) sig!3 CB4B9C54 2010-12-30 [self-signature] Delete this good signature? (y/N/q)y Really delete this self-signature? (y/N)y Deleted 1 signature. gpg> quit Save changes? (y/N) y >gpg --output result.gpg --encrypt --recipient alice at nowhere.com Textdatei.txt gpg: alice at nowhere.com: skipped: unusable public key gpg: Textdatei.txt: encryption failed: unusable public key ---------------------------------------------------------------- EXPLANATION The fingerprint is a hash value of the public master signing key only, NOT of the public subordinate encryption key. Only if that public subordinate encryption key is self-signed, I can be sure the owner of the private key wanted it to belong to his public key. Otherwise it might have been placed there by an attacker. I'm grateful for answers, Sansibar From atom at smasher.org Sun Jan 2 16:35:18 2011 From: atom at smasher.org (Atom Smasher) Date: Mon, 3 Jan 2011 04:35:18 +1300 (NZDT) Subject: Encryting both file contents and file name with GnuPG In-Reply-To: References: <97D200CD-BE7B-49E4-BA9B-FF6686A5415C@jabberwocky.com> Message-ID: <1101030419230.1967@smasher> On Sun, 2 Jan 2011, Neil Phillips wrote: > i was hoping to do the following; > locate a source file. > place the name of the source file in a log. > encrypt the source file name and contents > add to the log the name of the encrypted file. > > that way i have a list which tells me what the real name of the file is. > i can use the log to pick which file i want to decrypt. =================== just hash the file-name. 
SHA1 ("secret-1.txt") = d422b71f32b06168db114638fa9778c42d7d0f3c SHA1 ("secret-2.txt") = d0ab019ba1975dab7c100bc5b4efa020bcd86a5d SHA1 ("secret-3.txt") = 753b2bd68f7ff5fc44f9142245039375a3a5b2f8 use the hash as the encrypted file name. feel free to add a dot-suffix. keep that reference in a db or text file and you can recover the original filename easily. if you're concerned that the name and/or format of the original file names are too predictable, concatenate the filename with a "secret" before hashing... SHA1 ("secret-1.txt:secret") = df3d0b4eb1034f7392c60baec6137c62a2d4579a SHA1 ("secret-2.txt:secret") = 39238faa73f2472e253d5f096b28c8b31c8e8a00 SHA1 ("secret-3.txt:secret") = 9450a1f9cd93a47c8d3621cb7fc3ca0ec1df47b7 -- ...atom ________________________ http://atom.smasher.org/ 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Sometimes I think we're alone in the universe, and sometimes I think we're not. In either case the idea is quite staggering." -- Arthur C. Clarke From takethebus at gmx.de Sun Jan 2 17:36:52 2011 From: takethebus at gmx.de (takethebus at gmx.de) Date: Sun, 02 Jan 2011 17:36:52 +0100 Subject: Signing Message-ID: <20110102163652.4740@gmx.net> Hi everybody, In an former email (Subject: "Is self-signing necessary? Basic questions.") I asked: > When signing another key, what I do is to ONLY sign the other person's > public master signing key with my own private master signing key. I don't > sign a certain user ID or something. Is that right? Hauke Laging thankfully answered: >>[No], you always sign the key together with a UID. gpg --list-sigs shows >>this to you: >>The root entry is pub, the uids are the next level >>("connected" to pub) and the signatures refer to UIDs. How is this "connection" done? It's it possible to extract a signed user ID from the public master signing key and place it in another public master signing key? I'm grateful for answers. 
Take care,
Sansibar

From mailinglisten at hauke-laging.de Sun Jan 2 18:04:53 2011
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Sun, 2 Jan 2011 18:04:53 +0100
Subject: Is self-signing necessary? Basic questions.
In-Reply-To: <1647382176.20110102122723@my_localhost>
References: <20110102033053.147530@gmx.net> <497685A4-E286-455B-AA00-26C3265059EB@jabberwocky.com> <1647382176.20110102122723@my_localhost>
Message-ID: <201101021804.53458.mailinglisten@hauke-laging.de>

On Sunday 02 January 2011 13:27:23, MFPA wrote:
> 2. What statement would such a signature actually be making?

The same statement like a signature of a useless UID (without useful name and email address) like "fubar". Leaving out a useless UID can hardly change anything.

The formal statement is "I had access to this key and I had some reason to sign it". As with signing normal UIDs the real statement does not come from the signature itself but from the certification level statement and the certification policy which is described in a signed document (signed by the certifiers of the key, too...) whose URL is contained in the signature... (see --cert-policy-url).

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From tiago at xroot.org Sun Jan 2 18:10:54 2011
From: tiago at xroot.org (Tiago Faria)
Date: Sun, 2 Jan 2011 17:10:54 +0000
Subject: Default GPG Encryption Algorithm (symmetric cipher) is?
In-Reply-To: <4D2054EB.1000503@sixdemonbag.org>
References: <1293942267.7601.1413093507@webmail.messagingengine.com> <20110102055700.5a4facb4@x41> <4D2054EB.1000503@sixdemonbag.org>
Message-ID: <20110102171054.23886116@stacker>

On Sun, 02 Jan 2011 05:35:23 -0500 "Robert J. Hansen" wrote:
> It will respect default-cipher-preference. Certificate prefs are not
> used during symmetric encryption, since certs themselves are not used
> at all.

Indeed Robert. Thanks for pointing that out. I only noticed that certs were not even being used _after_ sending the message on how to edit their preferences.

Regards,
T
--
Tiago Faria | http://xroot.org
OpenPGP Key ID: 0xB9466FB4 | http://xroot.org/contact
FingerPrint: 27FB 1E35 81B8 5626 9450 EAFC 2517 8AB4 B946 6FB4

From neil.phillips39 at gmail.com Sun Jan 2 18:13:28 2011
From: neil.phillips39 at gmail.com (Neil Phillips)
Date: Sun, 2 Jan 2011 17:13:28 +0000 (UTC)
Subject: Encryting both file contents and file name with GnuPG
References: <97D200CD-BE7B-49E4-BA9B-FF6686A5415C@jabberwocky.com> <1101030419230.1967@smasher>
Message-ID:

Atom Smasher smasher.org> writes:
> just hash the file-name.
>
> SHA1 ("secret-1.txt") = d422b71f32b06168db114638fa9778c42d7d0f3c
> SHA1 ("secret-2.txt") = d0ab019ba1975dab7c100bc5b4efa020bcd86a5d
> SHA1 ("secret-3.txt") = 753b2bd68f7ff5fc44f9142245039375a3a5b2f8
>
> use the hash as the encrypted file name. feel free to add a dot-suffix.
>
> keep that reference in a db or text file and you can recover the original
> filename easily.
>
> if you're concerned that the name and/or format of the original file names
> are too predictable, concatenate the filename with a "secret" before
> hashing...
> SHA1 ("secret-1.txt:secret") = df3d0b4eb1034f7392c60baec6137c62a2d4579a
> SHA1 ("secret-2.txt:secret") = 39238faa73f2472e253d5f096b28c8b31c8e8a00
> SHA1 ("secret-3.txt:secret") = 9450a1f9cd93a47c8d3621cb7fc3ca0ec1df47b7
>

aha that sounds like a plan.
gpg should be able to give a hash, something like;
gpg -output sha1("a filename") -e filename

i'll give it a tryout tomorrow.

Neil

From mailinglisten at hauke-laging.de Sun Jan 2 18:18:59 2011
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Sun, 2 Jan 2011 18:18:59 +0100
Subject: Signing
In-Reply-To: <20110102163652.4740@gmx.net>
References: <20110102163652.4740@gmx.net>
Message-ID: <201101021819.00326.mailinglisten@hauke-laging.de>

On Sunday 02 January 2011 17:36:52, takethebus at gmx.de wrote:
> Hauke Laging thankfully answered:
> >>[No], you always sign the key together with a UID. gpg --list-sigs shows
> >> >>this to you: The root entry is pub, the uids are the next level
> >>("connected" to pub) and the signatures refer to UIDs.
>
> How is this "connection" done?

By a self-signature. Same for the subkeys (with the difference you already noticed that you officially cannot delete the signature).

> Is it possible to extract a signed user ID
> from the public master signing key and place it in another public master
> signing key?

Sure. You can easily copy "Hauke Laging " from my "key", add it as UID to your key and sign it. Extracting the original signature would not make sense as it would not match the new public key and thus not be accepted.

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From tiago at xroot.org Sun Jan 2 18:19:24 2011
From: tiago at xroot.org (Tiago Faria)
Date: Sun, 2 Jan 2011 17:19:24 +0000
Subject: Default GPG Encryption Algorithm (symmetric cipher) is?
In-Reply-To: <4D206C5D.9070403@charter.net>
References: <4D206C5D.9070403@charter.net>
Message-ID: <20110102171924.6fe2d1f7@stacker>

On Sun, 02 Jan 2011 07:15:25 -0500 Mike Acker wrote:
> is: how does S9 equate to AES256 ? there has to be a way to find the
> equivalence between the verbose codes and the short hand

Hi Mike,

    $ gpg --verbose --version

will tell you (after the cipher/algorithm and between ()) what is the short code to use with setpref.

Example for Cipher:

    ...
    3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8), AES256 (S9)
    ...

I might have misunderstood your question, so feel free to let me know if you need something else.

Regards,
T
--
Tiago Faria | http://xroot.org
OpenPGP Key ID: 0xB9466FB4 | http://xroot.org/contact
FingerPrint: 27FB 1E35 81B8 5626 9450 EAFC 2517 8AB4 B946 6FB4

From neil.phillips39 at gmail.com Sun Jan 2 18:18:27 2011
From: neil.phillips39 at gmail.com (Neil Phillips)
Date: Sun, 2 Jan 2011 17:18:27 +0000 (UTC)
Subject: Encryting both file contents and file name with GnuPG
References: <97D200CD-BE7B-49E4-BA9B-FF6686A5415C@jabberwocky.com> <1101030419230.1967@smasher>
Message-ID:

Neil Phillips gmail.com> writes:
>
>
> gpg should be able to give a hash, something like;
> gpg -output sha1("a filename") -e filename
>

or rather something like;
type sha1(filename)| gpg -o 0 -e filename
or
echo sha1(filename)| gpg -o 0 -e filename

From tom.simons at gmail.com Sun Jan 2 17:41:49 2011
From: tom.simons at gmail.com (Tom Simons)
Date: Sun, 2 Jan 2011 08:41:49 -0800
Subject: GnuPG smart card w/ Dell keyboard
Message-ID:

Has anyone used the GnuPG smart card with a Dell Smartcard USB Keyboard? The GnuPG doc at http://www.gnupg.org/howtos/card-howto/en/ch02s02.html just lists the Cherry XX44 USB keyboard.
From takethebus at gmx.de Sun Jan 2 19:36:02 2011
From: takethebus at gmx.de (takethebus at gmx.de)
Date: Sun, 02 Jan 2011 19:36:02 +0100
Subject: Signing
In-Reply-To: <201101021819.00326.mailinglisten@hauke-laging.de>
References: <20110102163652.4740@gmx.net> <201101021819.00326.mailinglisten@hauke-laging.de>
Message-ID: <20110102183602.273100@gmx.net>

>> Hauke Laging thankfully answered:
>> >>[No], you always sign the key together
>> >> with a UID. gpg --list-sigs shows
>> >> this to you: The root entry is pub, the uids are the next level
>> >>("connected" to pub) and the signatures refer to UIDs.
>> How is this "connection" done?
> By a self-signature. Same for the subkeys.

Sorry, I don't understand what you mean. Could you please explain it again? Let's say Alice signs Bob's user ID together with Bob's public master signing key.

What does "together" mean in this context? Does it mean, that the public signing key and the user ID are both signed with Alice's private key, but separately?

Is a signature on Bob's user ID only accepted, if Bob has the same signature on his public master signing key?

Is the last procedure really called "self-signing". Alice cannot self-sign Bob's key, as she doesn't have his private key.

I'd be grateful for answers,
Sansibar

From atom at smasher.org Sun Jan 2 20:23:38 2011
From: atom at smasher.org (Atom Smasher)
Date: Mon, 3 Jan 2011 08:23:38 +1300 (NZDT)
Subject: Encryting both file contents and file name with GnuPG
In-Reply-To:
References: <97D200CD-BE7B-49E4-BA9B-FF6686A5415C@jabberwocky.com> <1101030419230.1967@smasher>
Message-ID: <1101030801470.1967@smasher>

On Sun, 2 Jan 2011, Neil Phillips wrote:

> gpg should be able to give a hash, something like;
> gpg -output sha1("a filename") -e filename
===============

depending on your [*nix or cygwin] shell, it ~can~ do that...

    gpg -o $(sha1 -qs filename) -e filename -r keyid

the exact command is system dependent; the example above would basically work as-is on freebsd with zsh or bash. cygwin or linux would be *slightly* more complicated.

the idea is that shells like zsh and newer versions of bash use '$(...)' as a form of command substitution. older shells (bash & bourne) use back-quotes but the concept is the same. all shells have some form of variables...

    gpg -o ${file_name_hashed} -e filename -r keyid

in any case, if you also want to populate a db of some sort, whether a flat-file or DBMS, you'll probably need three lines in a script:

    1) calculate the hash
    2) encrypt the file -- gpg -o ${file_name_hashed} -e filename -r keyid
    3) add an entry to a db

the first line creates a variable (eg, $file_name_hashed) and the next two lines refer to it.

just make sure you're hashing the file-NAME, not its contents. of course, if you don't lose your db, then there's nothing wrong with hashing the contents, or even a counter or random string. hashing the file-NAME is just an idea that makes recovery of the db possible if you know the format and range of the file-names (and any secret that may be used).

the real trick is to just do something secure and consistent... sha1 does the job.

--
...atom

 ________________________
 http://atom.smasher.org/
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

"The livestock sector is a major player [in climate change], responsible for 18% of greenhouse gas emissions measured in CO2 equivalent. This is a higher share than transport."
-- Livestock's long shadow, 2006 UN report sponsored by WTO, EU, AS-AID, FAO, et al

From mailinglisten at hauke-laging.de Sun Jan 2 20:29:13 2011
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Sun, 2 Jan 2011 20:29:13 +0100
Subject: Signing
In-Reply-To: <20110102183602.273100@gmx.net>
References: <20110102163652.4740@gmx.net> <201101021819.00326.mailinglisten@hauke-laging.de> <20110102183602.273100@gmx.net>
Message-ID: <201101022029.20745.mailinglisten@hauke-laging.de>

On Sunday 02 January 2011 19:36:02, takethebus at gmx.de wrote:
> >> How is this "connection" done?
> >
> > By a self-signature. Same for the subkeys.
>
> Sorry, I don't understand what you mean. Could you please explain it again?
> Let's say Alice signs Bob's user ID together with Bob's public master
> signing key.
>
> What does "together" mean in this context? Does it mean, that the public
> signing key and the user ID are both signed with Alice's private key, but
> separately?

Together is the opposite of separately. The combination is signed. The one signature is not valid for the key or the UID alone, only for both together.

> Is a signature on Bob's user ID only accepted, if Bob has the same
> signature on his public master signing key?

The signature is accepted if it signs the combination of key and UID.

> Is the last procedure really called "self-signing". Alice cannot self-sign
> Bob's key, as she doesn't have his private key.

Correct. "Self-sign" refers to the key making signatures for its own components in contrast to signing other keys.

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From dkg at fifthhorseman.net Sun Jan 2 20:43:27 2011
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Sun, 02 Jan 2011 14:43:27 -0500
Subject: Is self-signing necessary? Basic questions.
In-Reply-To: <955FCD26-BE44-4989-AC54-91C956E95AEC@jabberwocky.com>
References: <20110102033053.147530@gmx.net> <497685A4-E286-455B-AA00-26C3265059EB@jabberwocky.com> <1647382176.20110102122723@my_localhost> <955FCD26-BE44-4989-AC54-91C956E95AEC@jabberwocky.com>
Message-ID: <4D20D55F.5070701@fifthhorseman.net>

On 01/02/2011 10:01 AM, David Shaw wrote:
> The only significant use of the direct-key signature is for key owners
> to add designated revokers to their key. Designated revokers are carried
> in a subpacket on a direct key signature.

I think a revocation certificate (that is, revoking the primary key, not just revoking a given User ID or subkey) is also implemented as a direct-key signature.

I don't know of any other significant uses, though.

--dkg

From ricky at rzhou.org Sun Jan 2 20:33:27 2011
From: ricky at rzhou.org (Ricky Zhou)
Date: Sun, 2 Jan 2011 14:33:27 -0500
Subject: Encryting both file contents and file name with GnuPG
In-Reply-To:
References: <97D200CD-BE7B-49E4-BA9B-FF6686A5415C@jabberwocky.com>
Message-ID: <20110102193327.GA2621@alpha.rzhou.org>

On 2011-01-02 03:14:06 PM, Neil Phillips wrote:
> i was hoping to do the following;
> locate a source file.
> place the name of the source file in a log.
> encrypt the source file name and contents
> add to the log the name of the encrypted file.
>
> that way i have a list which tells me what the real name of the file is.
> i can use the log to pick which file i want to decrypt.

How about just tar up the file, then encrypt that, outputting a randomly named file? The tarfile will preserve the original filename when it is extracted.

Thanks,
Ricky
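The scheme discussed in this thread, as an added example (not code posted by any list member): Atom Smasher's three steps (hash the file name, encrypt under the hashed name, record the mapping) with Ricky Zhou's tar wrapping so the original name also travels inside the ciphertext. The function names, the tab-separated index format, the .gpg suffix and the INDEX_FILE and NAME_SECRET variables are assumptions.

```shell
#!/bin/sh
# Added example: encrypt a file under a hashed name and keep a name index.
# Assumed (not from the thread): the function names, the tab-separated index
# format, the ".gpg" suffix, and the INDEX_FILE / NAME_SECRET variables.

INDEX_FILE="${INDEX_FILE:-./name-index.tsv}"
NAME_SECRET="${NAME_SECRET:-}"   # optional; hashed as "name:secret"
TAB=$(printf '\t')
NL='
'

# sha1_hex: SHA-1 of stdin as 40 hex digits, with whichever tool exists
# (sha1sum on Linux, shasum on macOS, sha1 on FreeBSD).
sha1_hex() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 | cut -d' ' -f1
    elif command -v sha1 >/dev/null 2>&1; then
        sha1 -q
    else
        echo "sha1_hex: no SHA-1 tool found" >&2
        return 1
    fi
}

# hash_name NAME: hash the file NAME, not its contents. printf '%s' keeps
# the trailing newline that echo would add out of the hashed string.
hash_name() {
    if [ -n "$NAME_SECRET" ]; then
        printf '%s:%s' "$1" "$NAME_SECRET" | sha1_hex
    else
        printf '%s' "$1" | sha1_hex
    fi
}

# index_add HASH NAME: record the mapping once; refuse names that would
# break the one-line-per-entry format.
index_add() {
    case "$2" in
        *"$TAB"*|*"$NL"*)
            echo "index_add: name contains a tab or newline" >&2
            return 1 ;;
    esac
    ( umask 077; touch "$INDEX_FILE" ) || return 1
    grep -q "^$1$TAB" "$INDEX_FILE" || printf '%s\t%s\n' "$1" "$2" >> "$INDEX_FILE"
}

# index_lookup HASH: print the original name; non-zero status if unknown.
index_lookup() {
    awk -F'\t' -v h="$1" '$1 == h { print $2; found = 1; exit }
                          END { exit !found }' "$INDEX_FILE"
}

# encrypt_hashed FILE KEYID: the three steps, printing the output name.
encrypt_hashed() {
    [ -r "$1" ] || { echo "encrypt_hashed: cannot read $1" >&2; return 1; }
    name=${1##*/}
    case "$1" in */*) dir=${1%/*} ;; *) dir=. ;; esac
    [ -n "$dir" ] || dir=/
    hashed=$(hash_name "$name")                 # 1) calculate the hash
    [ -n "$hashed" ] || return 1
    # 2) encrypt; tar keeps the real name inside the ciphertext as well
    tar -cf - -C "$dir" "./$name" |
        gpg --batch -o "$hashed.gpg" -e -r "$2" || return 1
    index_add "$hashed" "$name" || return 1     # 3) add an entry to the db
    printf '%s\n' "$hashed.gpg"
}

# Stand-alone use: sh script.sh FILE KEYID
if [ "$#" -eq 2 ]; then
    encrypt_hashed "$1" "$2"
fi
```

The index holds the plaintext names, so it needs the same protection as the files themselves, for example by keeping it encrypted at rest.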
From dshaw at jabberwocky.com Sun Jan 2 22:07:57 2011
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 2 Jan 2011 16:07:57 -0500
Subject: Is self-signing necessary? Basic questions.
In-Reply-To: <4D20D55F.5070701@fifthhorseman.net>
References: <20110102033053.147530@gmx.net> <497685A4-E286-455B-AA00-26C3265059EB@jabberwocky.com> <1647382176.20110102122723@my_localhost> <955FCD26-BE44-4989-AC54-91C956E95AEC@jabberwocky.com> <4D20D55F.5070701@fifthhorseman.net>
Message-ID: <487CE671-FEB7-40A7-B2AA-12F93651B661@jabberwocky.com>

On Jan 2, 2011, at 2:43 PM, Daniel Kahn Gillmor wrote:

> On 01/02/2011 10:01 AM, David Shaw wrote:
>> The only significant use of the direct-key signature is for key owners
>> to add designated revokers to their key. Designated revokers are carried
>> in a subpacket on a direct key signature.
>
> I think a revocation certificate (that is, revoking the primary key, not
> just revoking a given User ID or subkey) is also implemented as a
> direct-key signature.

No, a revocation certificate is its own sort of signature. Unlike a direct key signature where various pieces of meaning are carried as subpackets, a revocation signature carries the revocation meaning inherently. (Signature class 0x1F vs class 0x20).

David

From kgo at grant-olson.net Sun Jan 2 23:13:10 2011
From: kgo at grant-olson.net (Grant Olson)
Date: Sun, 02 Jan 2011 17:13:10 -0500
Subject: Fingerprint useless if not self-signed key?
In-Reply-To: <20110102160407.4720@gmx.net>
References: <20110102160407.4720@gmx.net>
Message-ID: <4D20F876.3050201@grant-olson.net>

On 1/2/2011 11:04 AM, takethebus at gmx.de wrote:
> And thankfully David Shaw answered:
>
>>> By default, yes. You can override this,
>>> but it is not a good idea.
>
> Thus the answer to the question, whether one needs to check whether the key is self-signed is connected with the word "override". What did he mean with that? Changing the source code of my version of gnuPG on my hard disk and recompiling or changing some sort of configuration file on my hard disk?

gpg provides many options for backward compatibility and interoperability with other OpenPGP implementations. I'm presuming David is talking about this:

    --allow-non-selfsigned-uid
        Allow the import of keys with user IDs which are not self-signed. This is only allows the import - key validation will fail and you have to check the validity of the key my other means. This hack is needed for some German keys generated with pgp 2.6.3in. You should really avoid using it, because OpenPGP has better mechanics to do separate signing and encryption keys.

> If that's the case, then I don't need to advise people to check whether a key is self-signed, because an attacker needs access to my hard disk to override the self-sign-check. But if he already has access to my hard disk, he can as well do worse things like installing a keylogger or something. Thus in this case I'm beaten already, isn't that so?
>

As you've said, I'm not sure how plausible it is to worry about that attack scenario. If someone is in a position to modify your gpg.conf, there are much easier ways to attack you than modifying that setting and tricking you into loading an non-self-signed key years later.

>
> EXPLANATION
> The fingerprint is a hash value of the public master signing key only, NOT of the public subordinate encryption key. Only if that public subordinate encryption key is self-signed, I can be sure the owner of the private key wanted it to belong to his public key. Otherwise it might have been placed there by an attacker.
>

That's technically correct-- the best kind of correct.

If I were writing an introduction to OpenPGP, I'd focus on the purpose of the fingerprint, and not the implementation details of keys and subkeys and signing, and all that. A fingerprint:

1) Allows you to verify that the key you have is the one you think you have, and it hasn't been forged or modified.

2) Is only useful if obtained via an out-of-band channel, such as meeting in person or over the phone. If someone can forge one email, they can forge another. Same with webpages or keyservers.

3) Only authenticates the key itself. It doesn't do anything to authenticate the user. It doesn't prove that jack_bauer at ctu.gov is who he says he is. That's up to you.

--
Grant

"Can you construct some sort of rudimentary lathe?"

From hamilric at us.ibm.com Mon Jan 3 00:12:45 2011
From: hamilric at us.ibm.com (Richard Hamilton)
Date: Sun, 2 Jan 2011 16:12:45 -0700
Subject: AUTO: Richard Hamilton is out of the office (returning 01/03/2011)
Message-ID:

I am out of the office until 01/03/2011.

I am out of the office until Monday January 3rd, 2011. If this is a production problem, please call the solution center at 918-573-2336 or email Bob Olson at Robert.Olson at williams.com. I will have limited mail and cell phone access.

Note: This is an automated response to your message "Re: Is self-signing necessary? Basic questions." sent on 1/2/11 12:43:27.

This is the only notification you will receive while this person is away.
From takethebus at gmx.de Mon Jan 3 01:11:44 2011
From: takethebus at gmx.de (takethebus at gmx.de)
Date: Mon, 03 Jan 2011 01:11:44 +0100
Subject: Signing
In-Reply-To: <201101022029.20745.mailinglisten@hauke-laging.de>
References: <20110102163652.4740@gmx.net> <201101021819.00326.mailinglisten@hauke-laging.de> <20110102183602.273100@gmx.net> <201101022029.20745.mailinglisten@hauke-laging.de>
Message-ID: <20110103001144.170590@gmx.net>

Hi everybody,

I have a question about the meaning of signing, I'd be happy if someone checked whether my understanding is right:

When signing a public key's user ID, the statement I'm making is: "I believe that this key belongs to the person described by the name and the comment in the user ID."

It's not necessary to make statements about the validity of the email address, since if my former statement is true, the person with the name from the user ID is the only one with the private key. Why should he/she ask someone to send encrypted messages to him/her where he/she can't receive them? And if so, - no harm is caused, since only he/she can decrypt them.

Thanks for answers,
Sansibar

From rjh at sixdemonbag.org Mon Jan 3 01:19:56 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 02 Jan 2011 19:19:56 -0500
Subject: Signing
In-Reply-To: <20110103001144.170590@gmx.net>
References: <20110102163652.4740@gmx.net> <201101021819.00326.mailinglisten@hauke-laging.de> <20110102183602.273100@gmx.net> <201101022029.20745.mailinglisten@hauke-laging.de> <20110103001144.170590@gmx.net>
Message-ID: <4D21162C.5060403@sixdemonbag.org>

On 1/2/2011 7:11 PM, takethebus at gmx.de wrote:
> When signing a public key's user ID, the statement I'm making is: "I
> believe that this key belongs to the person described by the name and
> the comment in the user ID."

There is no fixed semantic meaning for a signature. Each signer is responsible for deciding what their signature means. Some people sign keys and mean nothing more than, "I have successfully exchanged emails with this address." Some people are quite a bit more paranoid. :)

From kgo at grant-olson.net Mon Jan 3 01:50:05 2011
From: kgo at grant-olson.net (Grant Olson)
Date: Sun, 02 Jan 2011 19:50:05 -0500
Subject: Signing
In-Reply-To: <4D21162C.5060403@sixdemonbag.org>
References: <20110102163652.4740@gmx.net> <201101021819.00326.mailinglisten@hauke-laging.de> <20110102183602.273100@gmx.net> <201101022029.20745.mailinglisten@hauke-laging.de> <20110103001144.170590@gmx.net> <4D21162C.5060403@sixdemonbag.org>
Message-ID: <4D211D3D.7030707@grant-olson.net>

On 1/2/2011 7:19 PM, Robert J. Hansen wrote:
> On 1/2/2011 7:11 PM, takethebus at gmx.de wrote:
>> When signing a public key's user ID, the statement I'm making is: "I
>> believe that this key belongs to the person described by the name and
>> the comment in the user ID."
>
> There is no fixed semantic meaning for a signature. Each signer is
> responsible for deciding what their signature means. Some people sign
> keys and mean nothing more than, "I have successfully exchanged emails
> with this address." Some people are quite a bit more paranoid. :)
>

And of course there are also no fixed semantics for the UID. It's just a random string. gpg arguably obscures this by asking you three questions when generating the ID, but the ID string can be anything.

So ultimately, a signature is saying "I believe this arbitrary ID, whatever it is, is valid, by whatever method I used to validate it." OpenPGP lets you describe your own security model, which is its blessing and its curse. ;-)

That's where the trust rating comes into play. It's how much you trust another person to sign keys in a way you consider appropriate. Validity is how much you 'trust' that the key itself is valid. That can be a bit confusing at first.

I for one trust the PGP Global Directory just fine, at least for casual communication. That performs the opposite certification that we're talking about. It validates that the email address is controlled by the key owner (barring a man-in-the-middle attack), and does nothing to validate the person himself.

But anyway, I'd be reluctant to sign a key that said something like "Grant Olson (Nightwatch Division) " if I knew this person had no affiliation with the FBI, or didn't know that he did, whether or not I thought the owner of the key could exploit the bogus email address.

--
Grant

"Can you construct some sort of rudimentary lathe?"

From mel.gordon at wellnow.com Mon Jan 3 05:33:54 2011
From: mel.gordon at wellnow.com (Mel)
Date: Sun, 2 Jan 2011 23:33:54 -0500
Subject: Saga of compiling gnupg
Message-ID: <20110102233354.1c63aa02@wellnow.com>

About a week ago I updated to claws-mail-3.7.8 which broke my pgpcore etc. plugins. Thus leaving me without a means to decrypt all my passwords. I upgraded to gnupg-2.0.16...would configure but not MAKE. I then tried gnupg-2.0.15...same thing..would configure but not MAKE. Both throwing multiple errors with very little info on how to fix.

Installed the following:(All source tarballs)

gnutls-2.10.4
gpgme-1.3.0
gpgme-1.2.0
gpgme-1.1.2
libassuan-2.0.1
libassuan-2.0.0
libetpan-1.0
libg15-1.2.7
libgcrypt-1.4.6
libgpg-error-1.9
libgpg-error-1.10
libksba-1.1.0
pinentry-0.8.1 (would configure but not MAKE)
rsaref

All were source tarballs that were configure, and MAKE on my os. Linux CentOS 5.5 x86_64. I had absolutely no luck installing rpm's.

Not sure what else that I did, but the only gnupg that finally configure, MAKE, MAKE INSTALL was gnupg-1.4.11. That seemed to fix my pgpcore plugin for claws-mail-3.7.8. Plugins are from the claws-mail-extra-plugins-3.7.8.

Hope this helps someone, and saves them wasting a week.

Mel G.

From free10pro at gmail.com Mon Jan 3 10:26:05 2011
From: free10pro at gmail.com (Paul Richard Ramer)
Date: Mon, 03 Jan 2011 01:26:05 -0800
Subject: Having trouble getting GPG to accept input from a pinpad
In-Reply-To: <87aajj5t3t.fsf@latte.josefsson.org>
References: <4D205D5C.3050402__43137.4791347936$1293968465$gmane$org@gmail.com> <87aajj5t3t.fsf@latte.josefsson.org>
Message-ID: <4D21962D.1000904@gmail.com>

On 01/02/2011 05:32 AM, Simon Josefsson wrote:
>> I am using an OpenPGP v2 card with an SCM SPR-532 smartcard reader, and
>> I can't get GPG to take a PIN from the pinpad instead of the keyboard.
>> When I run "gpg --card-edit" followed by any command that requires a PIN
>> or Admin PIN, I get a password dialog box from pinentry, but I can only
>> enter the PIN via a keyboard.
>
> IIRC the on-device PIN entry is only used for signing operations, not
> admin stuff -- so try proceeding anyway and then try signing. This kind
> of harms the point of having a on-device PIN entry, but it is still
> possible to setup the card on a secure machine and then use it in other
> environments. I'm using a SPR-532 too with GnuPG on Mac for SSH
> authentication, and I enter the PIN on the SPR-532 just fine.

Unfortunately, GPG isn't taking input from the pinpad regardless of what operations I am performing--signing, decrypting, change card information. This behavior is true of both the PIN and the Admin PIN.

Everything else that I have done so far with my OpenPGP v2 card works. So I have no issues there. Things such as generating a key, changing card information, decrypting and signing e-mail work without any trouble.

I'll gladly answer any questions about my setup or tools or run different stuff to debug this situation. I just want to start using my pinpad. :-)

-Paul

--
PGP Key ID: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884

From wk at gnupg.org Mon Jan 3 10:51:09 2011
From: wk at gnupg.org (Werner Koch)
Date: Mon, 03 Jan 2011 10:51:09 +0100
Subject: gnupg-2.0.16 problems when runing MAKE !!! H-E-L-P !!!
In-Reply-To: <20101230201712.7f2d80f4@wellnow.com> (Mel's message of "Thu, 30 Dec 2010 20:17:12 -0500")
References: <20101230201712.7f2d80f4@wellnow.com>
Message-ID: <878vz28gdu.fsf@vigenere.g10code.de>

On Fri, 31 Dec 2010 02:17, mel.gordon at wellnow.com said:

> I've spent all week trying to get either gnupg-2.0.16 or
> gnupg-2.0.15 to make on my system....no luck. I have
> googled the problem, and tried every suggestion...no luck.

I have no time to look into this. You may try a VPATH build:

    tar xjvf gnupg-n.m.p.tar.bz2
    mkdir gnupg-n.m.p-build
    cd gnupg-n.m.p-build
    ../gnupg-n.m.p/configure
    make

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From lists at michel-messerschmidt.de Mon Jan 3 11:25:31 2011
From: lists at michel-messerschmidt.de (Michel Messerschmidt)
Date: Mon, 3 Jan 2011 11:25:31 +0100
Subject: Having trouble getting GPG to accept input from a pinpad
In-Reply-To: <4D21962D.1000904@gmail.com>
References: <4D205D5C.3050402__43137.4791347936$1293968465$gmane$org@gmail.com> <87aajj5t3t.fsf@latte.josefsson.org> <4D21962D.1000904@gmail.com>
Message-ID: <20110103102530.GA4070@rio.matrix>

On Mon, Jan 03, 2011 at 01:26:05AM -0800, Paul Richard Ramer wrote:
> I'll gladly answer any questions about my setup or tools or run
> different stuff to debug this situation. I just want to start using my
> pinpad. :-)

Have you tried it with gnupg 2.0.x ?
IIRC you need at least 2.0.12 for the SPR-532 pinpad and gnupg-agent should be running.

If not, please post more details about your environment and how you execute gnupg. The pinpad works for me, so I guess you will find a way.
From wk at gnupg.org Mon Jan 3 13:51:59 2011 From: wk at gnupg.org (Werner Koch) Date: Mon, 03 Jan 2011 13:51:59 +0100 Subject: Having trouble getting GPG to accept input from a pinpad In-Reply-To: <20110103102530.GA4070@rio.matrix> (Michel Messerschmidt's message of "Mon, 3 Jan 2011 11:25:31 +0100") References: <4D205D5C.3050402__43137.4791347936$1293968465$gmane$org@gmail.com> <87aajj5t3t.fsf@latte.josefsson.org> <4D21962D.1000904@gmail.com> <20110103102530.GA4070@rio.matrix> Message-ID: <87r5cu6tg0.fsf@vigenere.g10code.de> On Mon, 3 Jan 2011 11:25, lists at michel-messerschmidt.de said: > Have you tried it with gnupg 2.0.x ? > IIRC you need at least 2.0.12 for the SPR-532 pinpad and gnupg-agent > should be running. .. and do not run pcscd - only the GnuPG internal driver works with the pinpad. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From neil.phillips39 at gmail.com Mon Jan 3 17:05:40 2011 From: neil.phillips39 at gmail.com (Neil Phillips) Date: Mon, 3 Jan 2011 16:05:40 +0000 (UTC) Subject: defaults / homedir / loal variable / option file etc Message-ID: Hi, gpg -version = 2.0.14 So i'm looking at changing some of the defaults used by gpg. cipher, compression that sort of thing. i've read that i can use a command line to use a specific options file, something like --options file but thats a per use, not a set default behaviour. it says i can place stuff in a file called gpg.conf that is located in my C:\Profiles\xxx\Application Data\gnupg folder. well there is no gpg.conf file there :( it says --homedir can change the default location of the home directory, the place where i should see my gpg.conf file. it says that i can find my home directoy in the Registry under the key HKEY_CURRENT_USER\Software\GNU\GnuPG using the name "HomeDir" well there is no GnuPG folder there :( apparently i could set a user-level environment variable, GNUPGHOME. no such variable exists :( my questions are: 1. 
can i use a gpg.conf file to set some default behaviours for gpg? 2. where should the gpg.conf file be stored. 3. do i need a registry entry at all? i do have an entry in the path variable which is allowing me to use gpg. i have created a key for myself and can use that from anywhere in my file system with gpg to generate an encrypted file without any error messages. i'm assuming that my key does not contain settings for which cipher to use or which compression method or which hash method to use and that those settings are picked during the actual encryption of my file? Neil From david at gbenet.com Mon Jan 3 17:25:55 2011 From: david at gbenet.com (david at gbenet.com) Date: Mon, 03 Jan 2011 16:25:55 +0000 Subject: defaults / homedir / loal variable / option file etc In-Reply-To: References: Message-ID: <4D21F893.7020101@gbenet.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello Neil, gpg reads gpg.conf by default so you an stick any variables you like - they wil get read David Neil Phillips wrote: > Hi, > > gpg -version = 2.0.14 > > So i'm looking at changing some of the defaults used by gpg. > cipher, compression that sort of thing. > > i've read that i can use a command line to use a specific options file, > something like --options file > but thats a per use, not a set default behaviour. > > it says i can place stuff in a file called gpg.conf that is located in my > C:\Profiles\xxx\Application Data\gnupg folder. > well there is no gpg.conf file there :( > > it says --homedir can change the default location of the home directory, the > place where i should see my gpg.conf file. > > it says that i can find my home directoy in the Registry under the key > HKEY_CURRENT_USER\Software\GNU\GnuPG using the name "HomeDir" > well there is no GnuPG folder there :( > > apparently i could set a user-level environment variable, GNUPGHOME. > no such variable exists :( > > my questions are: > 1. can i use a gpg.conf file to set some default behaviours for gpg? > 2. 
where should the gpg.conf file be stored. > 3. do i need a registry entry at all? > > i do have an entry in the path variable which is allowing me to use gpg. > i have created a key for myself and can use that from anywhere in my file system > with gpg to generate an encrypted file without any error messages. > > i'm assuming that my key does not contain settings for which cipher to use or > which compression method or which hash method to use and that those settings are > picked during the actual encryption of my file? > > Neil > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > - -- ?See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the kind. Stern, sane,every brain-cell perfect and complete even at the moment of death. No delusion.? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBAgAGBQJNIfiTAAoJEOJpqm7flRExClcIAKUWoV0d23XPrCqjdPxI8OIR bMsmwnVeibanbBet7g8RnEgPwXH2ZEkYtuJgCRrH0WDrS+bqvKN4FdJyWvCKGV/t 12sTHvvUjgKUseu/1szwRCCQzvMtNCShc+hm/PoC6yWhT9HyizR4Pm/1hZhkXwNx mUO1+e5RJLVdu1/Q71OVsfKAixQn8m+1IZPtedqYmKUENbWjjwdBzA58c40p1Vq7 6ArVDn/r/rxS+oK77xsbxA6h5JeX+txzFq7u5tIQw96kptHpTuigz18ddaI+JqXX P65cvz5ZPwCcVs8yvUf4Z6jk9/Y8WoIr8y0L6RiwwR7Pyinacyr0X8t3eG86raY= =uMf0 -----END PGP SIGNATURE----- From dkg at fifthhorseman.net Mon Jan 3 17:29:44 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 03 Jan 2011 11:29:44 -0500 Subject: defaults / homedir / loal variable / option file etc In-Reply-To: References: Message-ID: <4D21F978.3050500@fifthhorseman.net> On 01/03/2011 11:05 AM, Neil Phillips wrote: > it says i can place stuff in a file called gpg.conf that is located in my > C:\Profiles\xxx\Application Data\gnupg folder. > well there is no gpg.conf file there :( You've found the right location, i think. 
You should be able to just create the file in that location with notepad
or any other text editor.

Regards,

--dkg

From singh.madhusudan at gmail.com Tue Jan 4 19:52:45 2011
From: singh.madhusudan at gmail.com (Madhusudan Singh)
Date: Tue, 4 Jan 2011 12:52:45 -0600
Subject: Can't use GPG key - secret key not available
In-Reply-To: <4CA65A30.8080204@mac.com>
References: <4CA49646.1010104@mac.com> <4CA65A30.8080204@mac.com>
Message-ID:

I had given up on this last year but want to make the key signing work again.

I still have the same error:

GPG error detail: Traceback (most recent call last):
  File "/opt/local/bin/duplicity", line 1245, in
    with_tempdir(main)
  File "/opt/local/bin/duplicity", line 1238, in with_tempdir
    fn()
  File "/opt/local/bin/duplicity", line 1211, in main
    full_backup(col_stats)
  File "/opt/local/bin/duplicity", line 417, in full_backup
    globals.backend)
  File "/opt/local/bin/duplicity", line 295, in write_multivol
    globals.gpg_profile, globals.volsize)
  File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/duplicity/gpg.py", line 283, in GPGWriteFile
    file.write(data)
  File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/duplicity/gpg.py", line 153, in write
    self.gpg_failed()
  File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/duplicity/gpg.py", line 165, in gpg_failed
    raise GPGError, msg
GPGError: GPG Failed, see log below:
===== Begin GnuPG log =====
gpg: no default secret key: secret key not available
gpg: [stdin]: sign+encrypt failed: secret key not available
===== End GnuPG log =====

GPGError: GPG Failed, see log below:
===== Begin GnuPG log =====
gpg: no default secret key: secret key not available
gpg: [stdin]: sign+encrypt failed: secret key not available
===== End GnuPG log =====

Any ideas?

On Fri, Oct 1, 2010 at 5:01 PM, Charly Avital wrote:

> Madhusudan Singh wrote the following on 10/1/10 2:35 PM:
> > Tried this.
> >
> > No use.
> >
> > I have two keys installed on this machine (different email addresses).
> > It just can't seem to use the newer one, regardless of the default-key
> > parameter.
> >
> > Do I have to restart start-gpg-agent on Mac ? If so, how do I restart
> > without rebooting ?
>
> I am not familiar with duplicity backup to S3.
>
> I don't know whether restarting gpg-agent will help (without rebooting),
> but try this.
>
> Locate start-gpg-agent.app (it is, in fact, an application) and double
> click on it.
>
> Another factor comes to mind. Have you signed your "new" key with the
> "old" one? It is just possible (I am speculating) that the system does
> not recognize your new key because it has not been authenticated with
> your default key.
>
> Best regards,
> Charly
>

From johnicholas.hines at gmail.com Tue Jan 4 22:37:39 2011
From: johnicholas.hines at gmail.com (Johnicholas Hines)
Date: Tue, 4 Jan 2011 16:37:39 -0500
Subject: nested verification?
Message-ID:

Hi.

Is there a built-in way to reverse the double-dash mangling for nested
clearsigned messages?

This is a somewhat contrived example:

---- begin fakeexample signed message ---
- --- begin fakeexample signed message ---
BankerBob, please exchange the 32 apples in my account for Fred's 48 oranges.
Thanks, Shirley
- --- begin fakeexample signature ---
Shirley's signature
- --- end fakeexample signature ---
Yes, please execute the above exchange, I love apples.
Thanks, Fred
---- begin fakeexample signed message
Fred's signature
---- end fakeexample signed message.

BankerBob would need to verify both the outer signature and the inner
signature, before executing the transaction.
Thanks for your help,
Johnicholas

From wk at gnupg.org Wed Jan 5 09:20:33 2011
From: wk at gnupg.org (Werner Koch)
Date: Wed, 05 Jan 2011 09:20:33 +0100
Subject: nested verification?
In-Reply-To: (Johnicholas Hines's message of "Tue, 4 Jan 2011 16:37:39 -0500")
References:
Message-ID: <877hej69ta.fsf@vigenere.g10code.de>

On Tue, 4 Jan 2011 22:37, johnicholas.hines at gmail.com said:

> Is there a built-in way to reverse the double-dash mangling for nested
> clearsigned messages?

  gpg --verify --output inner.asc outer.asc

Verifies the outer signature and writes the signed text to inner.asc
which may then be verified as usual.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From johnicholas.hines at gmail.com Wed Jan 5 17:38:21 2011
From: johnicholas.hines at gmail.com (Johnicholas Hines)
Date: Wed, 5 Jan 2011 11:38:21 -0500
Subject: nested verification?
In-Reply-To: <877hej69ta.fsf@vigenere.g10code.de>
References: <877hej69ta.fsf@vigenere.g10code.de>
Message-ID:

On Wed, Jan 5, 2011 at 3:20 AM, Werner Koch wrote:
> On Tue, 4 Jan 2011 22:37, johnicholas.hines at gmail.com said:
>
>> Is there a built-in way to reverse the double-dash mangling for nested
>> clearsigned messages?
>
>   gpg --verify --output inner.asc outer.asc
>
> Verifies the outer signature and writes the signed text to inner.asc
> which may then be verified as usual.

Thank you for your suggestion, I tried it with the version of gnupg
that came with Ubuntu, then again with the latest version, but I don't
seem to be getting any output. What am I doing wrong?
johnicholas at johnicholas-desktop:~$ cat signed_test.asc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

test test, a small message for testing
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFNI1GZ98l7Z5I2qcERAtFdAJ0Uo4kTq+EQgWsnSXGTMD81yTnFTQCfR0VH
FBZs/qlhwuLYeK7w5YB37XQ=
=PPm+
- -----END PGP SIGNATURE-----
Okay, I am confirming receipt of a small message for testing.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFNI1Nz98l7Z5I2qcERAisAAJ4i9jKyNUzEI4E+09w1OZwY/VmazgCfTLoJ
sKfy3wRWOKULVrCC10U/RXs=
=wTMl
-----END PGP SIGNATURE-----
johnicholas at johnicholas-desktop:~$ gpg --verify --output verified_test.asc signed_test.asc
gpg: Signature made Tue 04 Jan 2011 12:05:55 PM EST using DSA key ID 9236A9C1
gpg: Good signature from "Someone Somewhere (Fake name for testing) "
johnicholas at johnicholas-desktop:~$ cat verified_test.asc
cat: verified_test.asc: No such file or directory

I tried to see if there was a permissions problem using strace, but it
doesn't seem to be calling open or stat on the output file.

johnicholas at johnicholas-desktop:~$ strace -o gpgrun.strace gpg --verify --output verified_test.asc signed_test.asc
gpg: Signature made Tue 04 Jan 2011 12:05:55 PM EST using DSA key ID 9236A9C1
gpg: Good signature from "Someone Somewhere (Fake name for testing) "
johnicholas at johnicholas-desktop:~$ grep verified gpgrun.strace
execve("/usr/local/bin/gpg", ["gpg", "--verify", "--output", "verified_test.asc", "signed_test.asc"], [/* 40 vars */]) = 0

Thank you for your help,
Johnicholas

From singh.madhusudan at gmail.com Wed Jan 5 19:08:44 2011
From: singh.madhusudan at gmail.com (Madhusudan Singh)
Date: Wed, 5 Jan 2011 12:08:44 -0600
Subject: Can't use GPG key - secret key not available
In-Reply-To: <4D238478.5030808@gbenet.com>
References: <4CA49646.1010104@mac.com> <4CA65A30.8080204@mac.com> <4D238478.5030808@gbenet.com>
Message-ID:

Hello David,

Thanks.
I am not using this key for any email program.

I am using it to sign and encrypt my backups.

I do have a key pair (I think - I followed instructions from the gpg home page):

$gpg --list-keys
pub 4096R/F784A849 2010-09-29
uid Madhusudan Singh
sub 4096R/BB9A877C 2010-09-29

$gpg --list-secret-keys
sec 4096R/F784A849 2010-09-29
uid Madhusudan Singh
ssb 4096R/BB9A877C 2010-09-29

I am not really a gpg expert, but those two above came from pubring.gpg and
secring.gpg, respectively.

I have tried revoking, deleting and regenerating new keys many times, but it
has not worked.

On Tue, Jan 4, 2011 at 2:35 PM, david at gbenet.com wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> Well for a start you failed to create a key pair - that is a private and
> public key. What I suggest you do is to uninstall and start over.
>
> You will also need to install thunderbird email programme and add enigmail
> via addons. Once you have these installed then you need to reinstall gpg.
>
> If you can do that I will help you complete the rest of the setup.
>
> David
>
>
> Madhusudan Singh wrote:
> > I had given up on this last year but want to make the key signing work
> > again.
> >
> > I still have the same error:
> >
> > GPG error detail: Traceback (most recent call last):
> >   File "/opt/local/bin/duplicity", line 1245, in
> >     with_tempdir(main)
> >   File "/opt/local/bin/duplicity", line 1238, in with_tempdir
> >     fn()
> >   File "/opt/local/bin/duplicity", line 1211, in main
> >     full_backup(col_stats)
> >   File "/opt/local/bin/duplicity", line 417, in full_backup
> >     globals.backend)
> >   File "/opt/local/bin/duplicity", line 295, in write_multivol
> >     globals.gpg_profile, globals.volsize)
> >   File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/duplicity/gpg.py", line 283, in GPGWriteFile
> >     file.write(data)
> >   File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/duplicity/gpg.py", line 153, in write
> >     self.gpg_failed()
> >   File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/duplicity/gpg.py", line 165, in gpg_failed
> >     raise GPGError, msg
> > GPGError: GPG Failed, see log below:
> > ===== Begin GnuPG log =====
> > gpg: no default secret key: secret key not available
> > gpg: [stdin]: sign+encrypt failed: secret key not available
> > ===== End GnuPG log =====
> >
> >
> > GPGError: GPG Failed, see log below:
> > ===== Begin GnuPG log =====
> > gpg: no default secret key: secret key not available
> > gpg: [stdin]: sign+encrypt failed: secret key not available
> > ===== End GnuPG log =====
> >
> > Any ideas?
> >
> > On Fri, Oct 1, 2010 at 5:01 PM, Charly Avital wrote:
> >
> > Madhusudan Singh wrote the following on 10/1/10 2:35 PM:
> > > Tried this.
> > >
> > > No use.
> > >
> > > I have two keys installed on this machine (different email addresses).
> > > It just can't seem to use the newer one, regardless of the default-key
> > > parameter.
> > >
> > > Do I have to restart start-gpg-agent on Mac ? If so, how do I restart
> > > without rebooting ?
> >
> > I am not familiar with duplicity backup to S3.
> >
> > I don't know whether restarting gpg-agent will help (without rebooting),
> > but try this.
> >
> > Locate start-gpg-agent.app (it is, in fact, an application) and double
> > click on it.
> >
> > Another factor comes to mind. Have you signed your "new" key with the
> > "old" one? It is just possible (I am speculating) that the system does
> > not recognize your new key because it has not been authenticated with
> > your default key.
> >
> > Best regards,
> > Charly
> >
>
> - --
> "See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the kind.
> Stern, sane, every brain-cell perfect and complete even at the moment of death. No delusion."
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> -----END PGP SIGNATURE-----
>

From freejack at is-not-my.name Wed Jan 5 19:37:24 2011
From: freejack at is-not-my.name (freejack at is-not-my.name)
Date: Wed, 05 Jan 2011 18:37:24 -0000
Subject: --digest-algo ignored on gnupg-1.4.9?
Message-ID: <20110105183724.kowziv@is-not-my.name>

Hi, it appears --digest-algo is ignored for symmetric encryption using gpg
1.4.9. I was able to verify --cipher-algo does work but for some reason no
matter what I specify for --digest-algo I always get RIPEMD160 as the hash
according to --list-packets and pgpdump. It's definitely looking at what I
specify for --digest-algo because an invalid value produces an error message
"selected digest algorithm is invalid" but good values specified seem to be
ignored and no warning message is issued.

From rjh at sixdemonbag.org Wed Jan 5 20:01:10 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 05 Jan 2011 14:01:10 -0500
Subject: --digest-algo ignored on gnupg-1.4.9?
In-Reply-To: <20110105183724.kowziv@is-not-my.name>
References: <20110105183724.kowziv@is-not-my.name>
Message-ID: <4D24BFF6.3030905@sixdemonbag.org>

On 01/05/2011 01:37 PM, freejack at is-not-my.name wrote:
> Hi, it appears --digest-algo is ignored for symmetric encryption using gpg
> 1.4.9.

Using --digest-algo is pretty dangerous. It's easy to create messages
your recipients can't parse. --personal-digest-preferences is what you
want to use instead.

Anyway, I can't recreate this bug:

[rjh at localhost]$ gpg --list-packets test.asc
:symkey enc packet: version 4, cipher 2, s2k 3, hash 2
    salt 6cbb4c1e2c0fbae1, count 65536 (96)
gpg: 3DES encrypted data
:encrypted data packet:
    length: unknown
gpg: encrypted with 1 passphrase
:compressed packet: algo=1
:literal data packet:
    mode b (62), created 1294253512, name="test.txt",
    raw data: 2385 bytes
gpg: WARNING: message was not integrity protected

SHA-1 is used in the symmetric packet, as is expected. See RFC4880,
section 5.13: "Symmetrically Encrypted Integrity Protected Data Packet":
SHA-1 is the only option for digest algorithms for this particular packet.

--digest-algo will let you determine which algorithm to use, whenever
there is a choice of which algorithm to use. There is no choice here.

From dougb at dougbarton.us Wed Jan 5 21:02:47 2011
From: dougb at dougbarton.us (Doug Barton)
Date: Wed, 05 Jan 2011 12:02:47 -0800
Subject: --digest-algo ignored on gnupg-1.4.9?
In-Reply-To: <20110105183724.kowziv@is-not-my.name>
References: <20110105183724.kowziv@is-not-my.name>
Message-ID: <4D24CE67.5070906@dougbarton.us>

On 01/05/2011 10:37, freejack at is-not-my.name wrote:
> Hi, it appears --digest-algo is ignored for symmetric encryption using gpg
> 1.4.9.
> I was able to verify --cipher-algo does work but for some reason no
> matter what I specify for --digest-algo I always get RIPEMD160 as the hash
> according to --list-packets and pgpdump. It's definitely looking at what I
> specify for --digest-algo because an invalid value produces an error message
> "selected digest algorithm is invalid" but good values specified seem to be
> ignored and no warning message is issued.

If you have a 1024 bit dsa key this is likely the cause. To help you
more we'd need to know what kind of key you have, and what you're
setting for digest-algo. Also, Robert's reply was correct too. :)

hth,

Doug

--

    Nothin' ever doesn't change, but nothin' changes much.
            -- OK Go

    Breadth of IT experience, and depth of knowledge in the DNS.
    Yours for the right price. :) http://SupersetSolutions.com/

From david at gbenet.com Wed Jan 5 21:44:13 2011
From: david at gbenet.com (david at gbenet.com)
Date: Wed, 05 Jan 2011 20:44:13 +0000
Subject: Can't use GPG key - secret key not available
In-Reply-To:
References: <4CA49646.1010104@mac.com> <4CA65A30.8080204@mac.com> <4D238478.5030808@gbenet.com>
Message-ID: <4D24D81D.9050402@gbenet.com>

Hi,

If you are using a key to encrypt backups - then you are able to decrypt - as well as encrypt.

What operating system are you using?

A good idea would be to go to the pgpnet at yahoogroups.com and post your question there
telling them what operating system you are using and giving a read out of what the problem is.

If you are using a Windows O/S it could be an issue with the path statement. I am no expert
on Windows O/S I use Linux. If you join pgnet at yahoogroups.com you will find a friendly bunch
of people who can help you out.

David

On 05/01/11 18:08, Madhusudan Singh wrote:
> Hello David,
>
> Thanks.
>
> I am not using this key for any email program.
>
> I am using it to sign and encrypt my backups.
>
> I do have a key pair (I think - I followed instructions from the gpg home
> page):
>
> $gpg --list-keys
> pub 4096R/F784A849 2010-09-29
> uid Madhusudan Singh
> sub 4096R/BB9A877C 2010-09-29
>
> $gpg --list-secret-keys
> sec 4096R/F784A849 2010-09-29
> uid Madhusudan Singh
> ssb 4096R/BB9A877C 2010-09-29
>
> I am not really a gpg expert, but those two above came from pubring.gpg and
> secring.gpg, respectively.
>
> I have tried revoking, deleting and regenerating new keys many times, but it
> has not worked.
>
>
> On Tue, Jan 4, 2011 at 2:35 PM, david at gbenet.com wrote:
>
> Hi,
>
> Well for a start you failed to create a key pair - that is a private and
> public key. What I suggest you do is to uninstall and start over.
>
> You will also need to install thunderbird email programme and add enigmail
> via addons. Once you have these installed then you need to reinstall gpg.
>
> If you can do that I will help you complete the rest of the setup.
>
> David
>
>
> Madhusudan Singh wrote:
>>>> I had given up on this last year but want to make the key signing work
>>>> again.
>>>>
>>>> I still have the same error:
>>>>
>>>> GPG error detail: Traceback (most recent call last):
>>>>   File "/opt/local/bin/duplicity", line 1245, in
>>>>     with_tempdir(main)
>>>>   File "/opt/local/bin/duplicity", line 1238, in with_tempdir
>>>>     fn()
>>>>   File "/opt/local/bin/duplicity", line 1211, in main
>>>>     full_backup(col_stats)
>>>>   File "/opt/local/bin/duplicity", line 417, in full_backup
>>>>     globals.backend)
>>>>   File "/opt/local/bin/duplicity", line 295, in write_multivol
>>>>     globals.gpg_profile, globals.volsize)
>>>>   File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/duplicity/gpg.py", line 283, in GPGWriteFile
>>>>     file.write(data)
>>>>   File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/duplicity/gpg.py", line 153, in write
>>>>     self.gpg_failed()
>>>>   File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/duplicity/gpg.py", line 165, in gpg_failed
>>>>     raise GPGError, msg
>>>> GPGError: GPG Failed, see log below:
>>>> ===== Begin GnuPG log =====
>>>> gpg: no default secret key: secret key not available
>>>> gpg: [stdin]: sign+encrypt failed: secret key not available
>>>> ===== End GnuPG log =====
>>>>
>>>>
>>>> GPGError: GPG Failed, see log below:
>>>> ===== Begin GnuPG log =====
>>>> gpg: no default secret key: secret key not available
>>>> gpg: [stdin]: sign+encrypt failed: secret key not available
>>>> ===== End GnuPG log =====
>>>>
>>>> Any ideas?
>>>>
>>>> On Fri, Oct 1, 2010 at 5:01 PM, Charly Avital wrote:
>>>>
>>>> Madhusudan Singh wrote the following on 10/1/10 2:35 PM:
>>>> > Tried this.
>>>> >
>>>> > No use.
>>>> >
>>>> > I have two keys installed on this machine (different email addresses).
>>>> > It just can't seem to use the newer one, regardless of the default-key
>>>> > parameter.
>>>> >
>>>> > Do I have to restart start-gpg-agent on Mac ? If so, how do I restart
>>>> > without rebooting ?
>>>>
>>>> I am not familiar with duplicity backup to S3.
>>>>
>>>> I don't know whether restarting gpg-agent will help (without rebooting),
>>>> but try this.
>>>>
>>>> Locate start-gpg-agent.app (it is, in fact, an application) and double
>>>> click on it.
>>>>
>>>> Another factor comes to mind. Have you signed your "new" key with the
>>>> "old" one? It is just possible (I am speculating) that the system does
>>>> not recognize your new key because it has not been authenticated with
>>>> your default key.
>>>>
>>>> Best regards,
>>>> Charly
>>>>

--
"See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the kind.
Stern, sane, every brain-cell perfect and complete even at the moment of death. No delusion."

From singh.madhusudan at gmail.com Wed Jan 5 21:56:08 2011
From: singh.madhusudan at gmail.com (Madhusudan Singh)
Date: Wed, 5 Jan 2011 14:56:08 -0600
Subject: Can't use GPG key - secret key not available
In-Reply-To: <4D24D81D.9050402@gbenet.com>
References: <4CA49646.1010104@mac.com> <4CA65A30.8080204@mac.com> <4D238478.5030808@gbenet.com> <4D24D81D.9050402@gbenet.com>
Message-ID:

Thanks for your response.

I do not think it is any of those issues. I have used this system (and this
script I wrote) successfully in the past (on Linux / Mac).

I just transferred machines a few months ago (Mac OSX to Mac OSX) and
somehow the key did not transfer properly. Then I started getting these
errors. So, I deleted my old backups and the key, created a new key
following a HOWTO on the net (which is just like zillions of other HOWTOs
you will find using Google), and it still refuses to work (with the error I
have described).

I do not use the Toy OS.

I seriously doubt that a Yahoo group is going to help me if the official
gnupg user mailing list does not.

On Wed, Jan 5, 2011 at 2:44 PM, david at gbenet.com wrote:

> Hi,
>
> If you are using a key to encrypt backups - then you are able to decrypt -
> as well as encrypt.
>
> What operating system are you using?
>
> A good idea would be to go to the pgpnet at yahoogroups.com and post your
> question there telling them what operating system you are using and giving
> a read out of what the problem is.
>
> If you are using a Windows O/S it could be an issue with the path
> statement. I am no expert on Windows O/S I use Linux. If you join
> pgnet at yahoogroups.com you will find a friendly bunch of people who can
> help you out.
>
> David
>
> On 05/01/11 18:08, Madhusudan Singh wrote:
> > Hello David,
> >
> > Thanks.
> >
> > I am not using this key for any email program.
> >
> > I am using it to sign and encrypt my backups.
> >
> > I do have a key pair (I think - I followed instructions from the gpg home
> > page):
> >
> > $gpg --list-keys
> > pub 4096R/F784A849 2010-09-29
> > uid Madhusudan Singh
> > sub 4096R/BB9A877C 2010-09-29
> >
> > $gpg --list-secret-keys
> > sec 4096R/F784A849 2010-09-29
> > uid Madhusudan Singh
> > ssb 4096R/BB9A877C 2010-09-29
> >
> > I am not really a gpg expert, but those two above came from pubring.gpg and
> > secring.gpg, respectively.
> >
> > I have tried revoking, deleting and regenerating new keys many times, but it
> > has not worked.
> >
> >
> > On Tue, Jan 4, 2011 at 2:35 PM, david at gbenet.com wrote:
> >
> > Hi,
> >
> > Well for a start you failed to create a key pair - that is a private and
> > public key. What I suggest you do is to uninstall and start over.
> >
> > You will also need to install thunderbird email programme and add enigmail
> > via addons. Once you have these installed then you need to reinstall gpg.
> >
> > If you can do that I will help you complete the rest of the setup.
> >
> > David
> >
> >
> > Madhusudan Singh wrote:
> >>>> I had given up on this last year but want to make the key signing work
> >>>> again.
> >>>>
> >>>> I still have the same error:
> >>>>
> >>>> GPG error detail: Traceback (most recent call last):
> >>>>   File "/opt/local/bin/duplicity", line 1245, in
> >>>>     with_tempdir(main)
> >>>>   File "/opt/local/bin/duplicity", line 1238, in with_tempdir
> >>>>     fn()
> >>>>   File "/opt/local/bin/duplicity", line 1211, in main
> >>>>     full_backup(col_stats)
> >>>>   File "/opt/local/bin/duplicity", line 417, in full_backup
> >>>>     globals.backend)
> >>>>   File "/opt/local/bin/duplicity", line 295, in write_multivol
> >>>>     globals.gpg_profile, globals.volsize)
> >>>>   File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/duplicity/gpg.py", line 283, in GPGWriteFile
> >>>>     file.write(data)
> >>>>   File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/duplicity/gpg.py", line 153, in write
> >>>>     self.gpg_failed()
> >>>>   File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/duplicity/gpg.py", line 165, in gpg_failed
> >>>>     raise GPGError, msg
> >>>> GPGError: GPG Failed, see log below:
> >>>> ===== Begin GnuPG log =====
> >>>> gpg: no default secret key: secret key not available
> >>>> gpg: [stdin]: sign+encrypt failed: secret key not available
> >>>> ===== End GnuPG log =====
> >>>>
> >>>>
> >>>> GPGError: GPG Failed, see log below:
> >>>> ===== Begin GnuPG log =====
> >>>> gpg: no default secret key: secret key not available
> >>>> gpg: [stdin]: sign+encrypt failed: secret key not available
> >>>> ===== End GnuPG log =====
> >>>>
> >>>> Any ideas?
> >>>>
> >>>> On Fri, Oct 1, 2010 at 5:01 PM, Charly Avital wrote:
> >>>>
> >>>> Madhusudan Singh wrote the following on 10/1/10 2:35 PM:
> >>>> > Tried this.
> >>>> >
> >>>> > No use.
> >>>> >
> >>>> > I have two keys installed on this machine (different email addresses).
> >>>> > It just can't seem to use the newer one, regardless of the default-key
> >>>> > parameter.
> >>>> >
> >>>> > Do I have to restart start-gpg-agent on Mac ?
> >>>> > If so, how do I restart
> >>>> > without rebooting ?
> >>>>
> >>>> I am not familiar with duplicity backup to S3.
> >>>>
> >>>> I don't know whether restarting gpg-agent will help (without rebooting),
> >>>> but try this.
> >>>>
> >>>> Locate start-gpg-agent.app (it is, in fact, an application) and double
> >>>> click on it.
> >>>>
> >>>> Another factor comes to mind. Have you signed your "new" key with the
> >>>> "old" one? It is just possible (I am speculating) that the system does
> >>>> not recognize your new key because it has not been authenticated with
> >>>> your default key.
> >>>>
> >>>> Best regards,
> >>>> Charly
> >>>>
>
> --
> "See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the kind.
> Stern, sane, every brain-cell perfect and complete even at the moment of death. No delusion."
>

From freejack at is-not-my.name Wed Jan 5 22:00:28 2011
From: freejack at is-not-my.name (freejack at is-not-my.name)
Date: Wed, 05 Jan 2011 21:00:28 -0000
Subject: --digest-algo ignored on gnupg-1.4.9?
References: <4D24BFF6.3030905__43652.2631127902$1294254146$gmane$org@sixdemonbag.org>
Message-ID: <20110105210028.ummguz@is-not-my.name>

> On 01/05/2011 01:37 PM, freejack at is-not-my.name wrote:
> > Hi, it appears --digest-algo is ignored for symmetric encryption using
> > gpg 1.4.9.
>
> Using --digest-algo is pretty dangerous. It's easy to create messages
> your recipients can't parse.
> --personal-digest-preferences is what you
> want to use instead.

I was playing around with --digest-algo after seeing something odd when I
looked at a symmetrically encrypted file I was experimenting with. In the
case I encrypt to somebody else then I do use --personal-digest-preferences.
I understand the difference because I read the postings from Werner, David,
and you. :-)

> Anyway, I can't recreate this bug:
>
> [rjh at localhost]$ gpg --list-packets test.asc
> :symkey enc packet: version 4, cipher 2, s2k 3, hash 2
>     salt 6cbb4c1e2c0fbae1, count 65536 (96)
> gpg: 3DES encrypted data
> :encrypted data packet:
>     length: unknown
> gpg: encrypted with 1 passphrase
> :compressed packet: algo=1
> :literal data packet:
>     mode b (62), created 1294253512, name="test.txt",
>     raw data: 2385 bytes
> gpg: WARNING: message was not integrity protected
>
>
> SHA-1 is used in the symmetric packet, as is expected. See RFC4880,
> section 5.13: "Symmetrically Encrypted Integrity Protected Data Packet":
> SHA-1 is the only option for digest algorithms for this particular packet.

Then something is very odd. Here's my output, only I used IDEA instead of
3DES for my test:

user:~$ gpg --version
gpg (GnuPG) 1.4.9
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
user:~$
user:~$ gpg -c -ao test.asc --digest-algo sha1 --cipher-algo idea test.txt
Enter passphrase: 12345
Repeat passphrase: 12345
user:~$ gpg --list-packets test.asc
:symkey enc packet: version 4, cipher 1, s2k 3, hash 3
    salt 349d4381bb80d1f7, count 65536 (96)
gpg: IDEA encrypted data
Enter passphrase: 12345
:encrypted data packet:
    length: 33
gpg: encrypted with 1 passphrase
:compressed packet: algo=1
:literal data packet:
    mode b (62), created 1294256753, name="test.txt",
    raw data: 5 bytes
gpg: WARNING: message was not integrity protected
user:~$ pgpdump test.asc
Old: Symmetric-Key Encrypted Session Key Packet(tag 3)(13 bytes)
    New version(4)
    Sym alg - IDEA(sym 1)
    Iterated and salted string-to-key(s2k 3):
        Hash alg - RIPEMD160(hash 3)
        Salt - 34 9d 43 81 bb 80 d1 f7
        Count - 65536(coded count 96)
New: Symmetrically Encrypted Data Packet(tag 9)(33 bytes)
    Encrypted data [sym alg is specified in sym-key encrypted session key]

>
> --digest-algo will let you determine which algorithm to use, whenever
> there is a choice of which algorithm to use. There is no choice here.

Sounds reasonable but then why is it using RIPEMD160? I tested with 3DES
instead of IDEA and got the same thing. RIPEMD160 is being used, not
SHA1. Thanks for looking at this.

From rjh at sixdemonbag.org Wed Jan 5 22:51:20 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 05 Jan 2011 16:51:20 -0500
Subject: --digest-algo ignored on gnupg-1.4.9?
In-Reply-To: <20110105210028.ummguz@is-not-my.name>
References: <4D24BFF6.3030905__43652.2631127902$1294254146$gmane$org@sixdemonbag.org> <20110105210028.ummguz@is-not-my.name>
Message-ID: <4D24E7D8.307@sixdemonbag.org>

On 1/5/2011 4:00 PM, freejack at is-not-my.name wrote:
> Then something is very odd.
> Here's my output, only I used IDEA instead of
> 3DES for my test:

You might want to reconsider using IDEA: although it was the bee's knees
for the early 1990s, the past twenty years (good /grief/ it's so strange
to say that!) have not been kind to it.

Don't misunderstand me: I am not saying "IDEA is broken, move away from
it." IDEA's margin of safety is presently razor-thin, but it still holds
up. It's just that nobody likes a razor-thin safety margin. :)

> gpg: WARNING: message was not integrity protected

Notice that? That's present in your packet list, but not in mine.
You're not using integrity-protected symmetric encryption, so the bit of
the RFC I quoted at you doesn't apply. :)

> Sounds reasonable but then why is it using RIPEMD160? I tested with 3DES
> instead of IDEA and got the same thing. RIPEMD160 is being used, not
> SHA1. Thanks for looking at this.

Try sharing your gpg.conf file. The answer is probably found in there
somewhere.

From vedaal at nym.hush.com Wed Jan 5 23:20:35 2011
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Wed, 05 Jan 2011 17:20:35 -0500
Subject: --digest-algo ignored on gnupg-1.4.9?
Message-ID: <20110105222035.3297C224430@smtp.hushmail.com>

>Message: 2
>Date: Wed, 05 Jan 2011 14:01:10 -0500
>From: "Robert J. Hansen"
>To: gnupg-users at gnupg.org
>Subject: Re: --digest-algo ignored on gnupg-1.4.9?

>> Hi, it appears --digest-algo is ignored for symmetric encryption using gpg
>> 1.4.9.

>SHA-1 is used in the symmetric packet, as is expected. See RFC4880,
>section 5.13: "Symmetrically Encrypted Integrity Protected Data Packet":
>SHA-1 is the only option for digest algorithms for this particular packet.
>
>--digest-algo will let you determine which algorithm to use, whenever
>there is a choice of which algorithm to use. There is no choice here.

There sort-of is, but in an out of the way place, and it's not apparent
that the digests and ciphers for symmetric encryption are determined
from there.

It's in the s2k preferences:
(the default is CAST5 and SHA1)

Here are mine:

s2k-cipher-algo 3DES
s2k-digest-algo SHA256

Here is a symmetric message done without any further instruction about
what cipher and digest to use:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: passphrase: sss

jA0EAgMIKVw2YR19EaZgySef30aCPaVOs1/gfRxxdfHPbvR27papUYOEyj4lZ/+l
cv0c77KqiOI=
=13Ks
-----END PGP MESSAGE-----

Here is the gpg output:

gpg v:\j1.txt.asc
gpg: armor: BEGIN PGP MESSAGE
gpg: armor header: Version: GnuPG v1.4.10 (MingW32)
gpg: armor header: Comment: passphrase: sss
:symkey enc packet: version 4, cipher 2, s2k 3, hash 8
    salt 295c36611d7d11a6, count 65536 (96)
gpg: 3DES encrypted data
:encrypted data packet:
    length: 39
gpg: encrypted with 1 passphrase
:compressed packet: algo=1
:literal data packet:
    mode b (62), created 1294263096, name="j1.txt",
    raw data: 11 bytes
gpg: original file name='j1.txt'
File `v:\j1.txt' exists. Overwrite? (y/N) y
gpg: decryption okay
gpg: WARNING: message was not integrity protected
gpg: session key: `2:FEAF701191406BCD0FA27D387E2CAA34BCD5CB2FFF82DC79'

Note 'cipher 2' and 'hash 8'

vedaal

From freejack at is-not-my.name Thu Jan 6 01:26:37 2011
From: freejack at is-not-my.name (freejack at is-not-my.name)
Date: Thu, 06 Jan 2011 00:26:37 -0000
Subject: --digest-algo ignored on gnupg-1.4.9?
References: <4D24CE67.5070906__12237.5683430166$1294257879$gmane$org@dougbarton.us>
Message-ID: <20110106002637.yixxdq@is-not-my.name>

> If you have a 1024 bit dsa key this is likely the cause. To help you
> more we'd need to know what kind of key you have, and what you're
> setting for digest-algo. Also, Robert's reply was correct too. :)

Hello Doug! *Symmetric* encryption!
> hth, Maybe next time ;-) From sasibhushankumar.alapati at cognizant.com Wed Jan 5 17:34:42 2011 From: sasibhushankumar.alapati at cognizant.com (alapatimailbox) Date: Wed, 5 Jan 2011 08:34:42 -0800 (PST) Subject: PUBLIC KEY NOT FOUND Message-ID: <30597673.post@talk.nabble.com> Hi All, MY OS is : Linux. I have written a Java Program to run a GPG Command using Java's exec command like: Runtime.getRuntime().exec(command); The command here is a gpg encryption command like : gpg --recipient "alapati" --output "Encrypted/SampleEncrypted.gpg" --encrypt "Sample.txt" If i run this command from terminal it is working fine . But if i run this command from java program it is giving the following error.The java program is executed from root users context.I tried setting the ring key as well but the same error was coming. Error is: [root at ESBING01 GnuPG]# java TestGPG "/oracleGL/GnuPG/gnupg-1.4.9/g10" "/oracleGL/GnuPG" ENCRYPT COMMAND: gpg --keyring /root/.gnupg/pubring.gpg --recipient "alapati" --output "Encrypted/SampleEncrypted.gpg" --yes --encrypt "Sample.txt" 2 gpg: "alapati": skipped: public key not found gpg: "Sample.txt": encryption failed: public key not found Failed. But if the same java program was ran from windows machine with the same setup it works fine . Only in linux it is giving the following error. Tried lot of options but nothing is working.Please help me.It is very urgent for my project. If you need any other info let me know, Regards, alapati. -- View this message in context: http://old.nabble.com/PUBLIC-KEY-NOT-FOUND-tp30597673p30597673.html Sent from the GnuPG - User mailing list archive at Nabble.com.
From rjh at sixdemonbag.org Thu Jan 6 15:23:30 2011 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 06 Jan 2011 09:23:30 -0500 Subject: PUBLIC KEY NOT FOUND In-Reply-To: <30597673.post@talk.nabble.com> References: <30597673.post@talk.nabble.com> Message-ID: <4D25D062.1000103@sixdemonbag.org> On 1/5/2011 9:43 PM, alapatimailbox wrote: > I have written a Java Program to run a GPG Command using Java's exec > command like: > Runtime.getRuntime().exec(command); Many Java programmers do this, but it is not what Oracle recommends. Check java.lang.ProcessBuilder instead. > If i run this command from terminal it is working fine . > But if i run this command from java program it is giving the following > error.The java program is executed from root users context.I tried setting > the ring key as well but the same error was coming. When you run it from the terminal, which user are you running as? When you run it from your IDE, which user are you running as?
From freejack at is-not-my.name Thu Jan 6 23:37:03 2011 From: freejack at is-not-my.name (freejack at is-not-my.name) Date: Thu, 06 Jan 2011 22:37:03 -0000 Subject: --digest-algo ignored on gnupg-1.4.9? Message-ID: <20110106223703.tystfd@is-not-my.name> Robert J. Hansen said something like this: > > On 1/5/2011 4:00 PM, freejack at is-not-my.name wrote: > > Then something is very odd. Here's my output, only I used IDEA instead > > of 3DES for my test: > > You might want to reconsider using IDEA: although it was the bee's knees > for the early 1990s, the past twenty years (good /grief/ it's so strange > to say that!) have not been kind to it. Don't misunderstand me: I am > not saying "IDEA is broken, move away from it." IDEA's margin of safety > is presently razor-thin, but it still holds up. It's just that nobody > likes a razor-thin safety margin. :) Ok, thanks for the insight on cipher choice, but let's not get distracted ;-) The issue is gnupg 1.4.9 doesn't seem to honor --digest-algo. I take your point maybe it shouldn't in some/all cases but it accepts a specification and verifies it and gives you a message if you specify an invalid choice. Then it silently ignores what you specified. Best case it's a usability error, worst case it's a bug. Has anybody tried this using 1.4.9? > > > gpg: WARNING: message was not integrity protected > > Notice that? That's present in your packet list, but not in mine. > You're not using integrity-protected symmetric encryption, so the bit of > the RFC I quoted at you doesn't apply. :) Well according to what you posted, you did get this message.
So I'm not sure what one of us is smoking ;) Please check your post
Message-ID: <4D24BFF6.3030905__43652.2631127902$1294254146$gmane$org at sixdemonbag.org>

>
> > Sounds reasonable but then why is it using RIPEMD160? I tested with 3DES
> > instead of IDEA and got the same thing. RIPEMD160 is being used, not
> > SHA1. Thanks for looking at this.
>
> Try sharing your gpg.conf file. The answer is probably found in there
> somewhere.

I'll do better than that. Here's a test with no .gnupg folder at all,
starting from scratch.

user:~$ gpg -c -ao test.asc --digest-algo sha512 --cipher-algo 3des test.txt
gpg: directory `/home/user/.gnupg' created
gpg: new configuration file `/home/user/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/user/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/user/.gnupg/pubring.gpg' created
Enter passphrase: 12345
Repeat passphrase: 12345
user:~$ gpg --list-packets test.asc
gpg: keyring `/home/user/.gnupg/secring.gpg' created
:symkey enc packet: version 4, cipher 2, s2k 3, hash 2
    salt b3a9a45872132be3, count 65536 (96)
gpg: 3DES encrypted data
Enter passphrase: 12345
:encrypted data packet:
    length: 33
gpg: encrypted with 1 passphrase
:compressed packet: algo=1
:literal data packet:
    mode b (62), created 1294337333, name="test.txt",
    raw data: 5 bytes
gpg: WARNING: message was not integrity protected
user:~$ gpg -v --version
gpg (GnuPG) 1.4.9
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: ~.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8), AES256 (S9), TWOFISH (S10)
Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9), SHA512 (H10), SHA224 (H11)
Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3)
user:~$ pgpdump test.asc
Old: Symmetric-Key Encrypted Session Key Packet(tag 3)(13 bytes)
    New version(4)
    Sym alg - Triple-DES(sym 2)
    Iterated and salted string-to-key(s2k 3):
        Hash alg - SHA1(hash 2)
        Salt - b3 a9 a4 58 72 13 2b e3
        Count - 65536(coded count 96)
New: Symmetrically Encrypted Data Packet(tag 9)(33 bytes)
    Encrypted data [sym alg is specified in sym-key encrypted session key]
user:~$

From this it's pretty clear --digest-algo isn't being honored by 1.4.9. And
it's clear it has nothing to do with IDEA, this example uses 3DES just like
your example and anyway since I didn't load it (no conf) IDEA is completely
out of the picture. I had said earlier it fails the same way when I used
3DES but here it is in black and white just to reinforce that.

What do you say to me now, Mr. Robert J. Hanson? I demand to talk to the
management! Where's Werner and David, still out on holiday vacation? ;-)

Now to answer 2 posts in one:

vedaal wrote:

> There sort-of is, but in an out of the way place,
> and it's not apparent that the digests and ciphers for symmetric
> encryption are determined from there.
>
> It's in the s2k preferences:
> (the default is CAST5 and SHA1)
>
> vedaal

Thanks for your example, it may help if somebody had a gpg.conf, but given
my test was run with no .gnupg folder or gpg.conf and used all the defaults,
looks to me like there is some problem.

Thanks guys!

From dshaw at jabberwocky.com Fri Jan 7 00:23:53 2011
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 6 Jan 2011 18:23:53 -0500
Subject: --digest-algo ignored on gnupg-1.4.9?
In-Reply-To: <20110106223703.tystfd@is-not-my.name> References: <20110106223703.tystfd@is-not-my.name> Message-ID: <7F42B1FE-0513-4454-A911-8A8140A28097@jabberwocky.com> On Jan 6, 2011, at 5:37 PM, freejack at is-not-my.name wrote: >>> Sounds reasonable but then why is it using RIPEMD160? I tested with 3DES >>> instead of IDEA and got the same thing. RIPEMD160 is being used, not >>> SHA1. Thanks for looking at this. >> >> Try sharing your gpg.conf file. The answer is probably found in there >> somewhere. > > I'll do better than that. Here's a test with no .gnupg folder at all, > starting from scratch. > > user:~$ gpg -c -ao test.asc --digest-algo sha512 --cipher-algo 3des test.txt --digest-algo specifies the digest for making signatures. It is not related to symmetric-only ("-c") encryption, where the digest is used as part of the S2K to mangle your passphrase into a symmetric key. You want the --s2k-digest-algo option. As the documentation says: --s2k-digest-algo name Use name as the digest algorithm used to mangle the passphrases. The default algorithm is SHA-1. Incidentally, RIPEMD/160 is not being used: > :symkey enc packet: version 4, cipher 2, s2k 3, hash 2 > salt b3a9a45872132be3, count 65536 (96) hash 2 is SHA-1, which is the proper default for --s2k-digest-algo. RIPEMD/160 is hash 3. David From freejack at is-not-my.name Fri Jan 7 03:21:01 2011 From: freejack at is-not-my.name (freejack at is-not-my.name) Date: Fri, 07 Jan 2011 02:21:01 -0000 Subject: --digest-algo ignored on gnupg-1.4.9? References: <7F42B1FE-0513-4454-A911-8A8140A28097__43912.1754061945$1294356404$gmane$org@jabberwocky.com> Message-ID: <20110107022101.xsswbz@is-not-my.name> Hi David, > --digest-algo specifies the digest for making signatures. It is not > related to symmetric-only ("-c") encryption, where the digest is used as > part of the S2K to mangle your passphrase into a symmetric key. You > want the --s2k-digest-algo option. 
As the documentation says: > > --s2k-digest-algo name > Use name as the digest algorithm used to mangle the > passphrases. I misunderstood, thanks for clearing it up. Maybe this is what Vedaal was saying as well. > The default algorithm is SHA-1. > > Incidentally, RIPEMD/160 is not being used: It was in a prior example, but that's not really the issue so much as my --digest-algo wasn't affecting anything. Now I know why. > > > :symkey enc packet: version 4, cipher 2, s2k 3, hash 2 > > salt b3a9a45872132be3, count 65536 (96) > > hash 2 is SHA-1, which is the proper default for --s2k-digest-algo. > RIPEMD/160 is hash 3. Yes, understood. > > David Thanks very much David and Robert and Vedaal. I'll verify this tomorrow. At this point sorry for the false alarm and wasting your time. Off to work for me now. Cheers guys! From shavital at mac.com Fri Jan 7 19:24:34 2011 From: shavital at mac.com (Charly Avital) Date: Fri, 07 Jan 2011 13:24:34 -0500 Subject: Pinentry-mac0.5 fails under MacGPG2 2.0.16 In-Reply-To: <48F7F87F-138D-4A32-A848-9D679818A565@aon.at> References: <2F2F47E7-C17B-4B24-9878-CF21E0B5D40F@me.com> <-1155545997660807835@unknownmsgid> <48F7F87F-138D-4A32-A848-9D679818A565@aon.at> Message-ID: <4D275A62.1070508@mac.com> Roman Zechmeister wrote the following on 1/6/11 6:56 AM: > Please test these version of pinentry-mac: pinentry-mac_0.5.tar.bz2 > Tested pinentry-mac 0.5 with MacGPG2 2.0.16. When trying to decrypt an encrypted-signed message 'no pinentry....problem with gpg-agent...no secret key' Everything goes back to full functionality after running MacGPG2 2.0.16 installer. Full functionality includes gpg-agent running for the duration of the cache value set in ~/.gnupg/gpg-agent.conf Have a fine week end. 
Charly From olav at enigmail.net Sun Jan 9 16:58:24 2011 From: olav at enigmail.net (Olav Seyfarth) Date: Sun, 09 Jan 2011 16:58:24 +0100 Subject: clearsign failed: Bad signature In-Reply-To: <7D9D70E0-C25C-4BAD-8B65-F19DCA8AD99C@jabberwocky.com> References: <4D01EE28.2000304@mozilla-enigmail.org> <4D03834E.4010208@mozilla-enigmail.org> <1292602957.9417.83.camel@silence.i.fourings.com> <7D9D70E0-C25C-4BAD-8B65-F19DCA8AD99C@jabberwocky.com> Message-ID: <4D29DB20.2000902@enigmail.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hi David, [2010-12-11 olav at mozilla-enigmail.org] > OpenPGP SmartCard v2 key 0x6AE1EF56 (RSA 3072) Card 0005 00000222 > Why can't I use SHA256/SHA512 with this card? > | enable-dsa2 > is set and showpref lists [2010-12-20 dshaw at jabberwocky.com] > The v2 card works just fine with other algorithms. If it isn't > working for you, then there may be an issue, but it is not related > to the fact that you are using a v2 card. since I'm not the only one that cannot use SHA256/SHA512 with the v2 card, may I ask you to test signing with an OpenPGP card v2 using hash algos other than SHA-1/RIPEMD-160? I have no idea how to narrow the problem further. 
Olav P.S.: new email address, I just updated my key accordingly - -- The Enigmail Project - OpenPGP Email Security For Mozilla Applications -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ -----END PGP SIGNATURE----- From wk at gnupg.org Sun Jan 9 23:14:50 2011 From: wk at gnupg.org (Werner Koch) Date: Sun, 09 Jan 2011 23:14:50 +0100 Subject: clearsign failed: Bad signature In-Reply-To: <4D29DB20.2000902@enigmail.net> (Olav Seyfarth's message of "Sun, 09 Jan 2011 16:58:24 +0100") References: <4D01EE28.2000304@mozilla-enigmail.org> <4D03834E.4010208@mozilla-enigmail.org> <1292602957.9417.83.camel@silence.i.fourings.com> <7D9D70E0-C25C-4BAD-8B65-F19DCA8AD99C@jabberwocky.com> <4D29DB20.2000902@enigmail.net> Message-ID: <87sjx12085.fsf@vigenere.g10code.de> On Sun, 9 Jan 2011 16:58, olav at enigmail.net said: > since I'm not the only one that cannot use SHA256/SHA512 with the v2 > card, may I ask you to test signing with an OpenPGP card v2 using hash I just checked the sources: It seems you are using 2.0.16 from gpg4win. This version does not support other hash algorithms due to a bug in gpg2. I fixed the bug in 2.0.x on 2010-09-28 but this is after the 2.0.16 release and we also don't have patch in for gpg4win. The proper solution will be a 2.0.17 release.
I'll check tomorrow whether this can be done timely - if not I'll post a patch and add that one to gpg4win. Shalom-Salam, Werner -- Thoughts are free. Exceptions are regulated by a federal law. From wk at gnupg.org Mon Jan 10 18:27:36 2011 From: wk at gnupg.org (Werner Koch) Date: Mon, 10 Jan 2011 18:27:36 +0100 Subject: nested verification? In-Reply-To: (Johnicholas Hines's message of "Wed, 5 Jan 2011 11:38:21 -0500") References: <877hej69ta.fsf@vigenere.g10code.de> Message-ID: <87k4ic1xfb.fsf@vigenere.g10code.de> > On Wed, Jan 5, 2011 at 3:20 AM, Werner Koch wrote: >> gpg --verify --output inner.asc outer.asc >> >> Verifies the outer signature and writes the signed text to inner.asc >> which may then be verified as usual. Sorry, I was wrong. --verify does not output any data. You need to leave it out. Thus a simple gpg --output inner.asc outer.asc should do the job. This behaviour is a bit surprising because GPGSM behaves as I explained in my previous mail. Shalom-Salam, Werner -- Thoughts are free. Exceptions are regulated by a federal law. From johnicholas.hines at gmail.com Mon Jan 10 19:28:06 2011 From: johnicholas.hines at gmail.com (Johnicholas Hines) Date: Mon, 10 Jan 2011 13:28:06 -0500 Subject: nested verification? In-Reply-To: <87k4ic1xfb.fsf@vigenere.g10code.de> References: <877hej69ta.fsf@vigenere.g10code.de> <87k4ic1xfb.fsf@vigenere.g10code.de> Message-ID: > Thus a simple > > gpg --output inner.asc outer.asc > > should do the job. Thank you very much! From jimbobpalmer at gmail.com Tue Jan 11 11:04:31 2011 From: jimbobpalmer at gmail.com (jimbob palmer) Date: Tue, 11 Jan 2011 11:04:31 +0100 Subject: What is the benefit of signing an encrypted email Message-ID: In Firefox I can sign or encrypt or encrypt+sign an e-mail. In what case would I want my encrypted emails also signed? Does it provide any additional benefit over a pure encrypted email? Thanks.
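Added example, not written by any poster in this archive, for the "--digest-algo ignored on gnupg-1.4.9?" thread above: a small Python parser for the tag 3 symmetric-key packet that reads the cipher, the S2K hash and the iteration count directly from the bytes, run on vedaal's posted message and on a packet rebuilt from the fields in freejack's pgpdump output. The function names are illustrative, the algorithm tables follow RFC 4880, and the armor CRC line is skipped rather than verified.

```python
import base64

# Algorithm IDs from RFC 4880 (sections 9.2 and 9.4).
CIPHERS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH",
           7: "AES", 8: "AES192", 9: "AES256", 10: "TWOFISH"}
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
          9: "SHA384", 10: "SHA512", 11: "SHA224"}

# vedaal's message as posted (armor line breaks restored).
VEDAAL_MSG = """\
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: passphrase: sss

jA0EAgMIKVw2YR19EaZgySef30aCPaVOs1/gfRxxdfHPbvR27papUYOEyj4lZ/+l
cv0c77KqiOI=
=13Ks
-----END PGP MESSAGE-----
"""

# Constructed input: the tag 3 packet rebuilt from the fields in freejack's
# pgpdump output (old-format header, 13-byte body, hash 2, coded count 96).
FREEJACK_PKT = bytes.fromhex("8c0d" "04020302" "b3a9a45872132be3" "60")


def dearmor(text):
    """Return the binary packets of an ASCII-armored block (CRC-24 not checked)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    start = next(i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN"))
    body = lines[start + 1:]
    if "" in body:                        # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    data = []
    for ln in body:
        if ln.startswith("=") or ln.startswith("-----END"):
            break                         # checksum line or end of armor
        data.append(ln)
    return base64.b64decode("".join(data))


def read_packet(data, pos):
    """Decode one packet header at pos; return (tag, body, next_pos)."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    pos += 1
    if first & 0x40:                      # new-format header
        tag, l1 = first & 0x3F, data[pos]
        if l1 < 192:
            length, pos = l1, pos + 1
        elif l1 < 224:
            length, pos = ((l1 - 192) << 8) + data[pos + 1] + 192, pos + 2
        elif l1 == 255:
            length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
        else:
            raise ValueError("partial body lengths not handled in this example")
    else:                                 # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not handled in this example")
        n = 1 << ltype                    # 1, 2 or 4 length octets
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated packet")
    return tag, data[pos:pos + length], pos + length


def decode_count(coded):
    """Expand the one-octet iteration count of an iterated+salted S2K."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def parse_skesk(body):
    """Parse a Symmetric-Key Encrypted Session Key packet (tag 3)."""
    if len(body) < 4 or body[0] != 4:
        raise ValueError("expected a version 4 tag 3 packet")
    cipher, s2k_type, digest = body[1], body[2], body[3]
    info = {"cipher": CIPHERS.get(cipher, "unknown(%d)" % cipher), "s2k": s2k_type,
            "hash": HASHES.get(digest, "unknown(%d)" % digest)}
    pos = 4
    if s2k_type in (1, 3):                # salted, or iterated and salted
        if len(body) < pos + 8:
            raise ValueError("truncated S2K salt")
        info["salt"], pos = body[pos:pos + 8].hex(), pos + 8
    elif s2k_type != 0:
        raise ValueError("unsupported S2K type %d" % s2k_type)
    if s2k_type == 3:
        if len(body) <= pos:
            raise ValueError("truncated S2K count")
        info["coded_count"], info["count"] = body[pos], decode_count(body[pos])
    return info


def list_packets(data):
    """Walk a packet stream, roughly what gpg --list-packets reports before decryption."""
    out, pos = [], 0
    while pos < len(data):
        tag, body, pos = read_packet(data, pos)
        entry = {"tag": tag, "length": len(body)}
        if tag == 3:
            entry.update(parse_skesk(body))
        elif tag in (9, 18):              # 18 carries the MDC, 9 does not
            entry["integrity_protected"] = (tag == 18)
        out.append(entry)
    return out


if __name__ == "__main__":
    for name, raw in (("vedaal", dearmor(VEDAAL_MSG)), ("freejack", FREEJACK_PKT)):
        for pkt in list_packets(raw):
            print(name, pkt)
```

The hash field in the tag 3 packet is the S2K digest, which is why it follows s2k-digest-algo (SHA256 in vedaal's message) and stays at SHA1 in freejack's run despite --digest-algo sha512.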
From laurent.jumet at skynet.be Tue Jan 11 12:12:05 2011 From: laurent.jumet at skynet.be (Laurent Jumet) Date: Tue, 11 Jan 2011 12:12:05 +0100 Subject: What is the benefit of signing an encrypted email In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hello jimbob ! jimbob palmer wrote: > In Firefox I can sign or encrypt or encrypt+sign an e-mail. > In what case would I want my encrypted emails also signed? Does it > provide any additional benefit over a pure encrypted email? If you only sign, mail comes from you and cannot be changed. If you only encrypt, mail can be read only by recipient but could be a fake with your name. If you encrypt and sign, both. - -- Laurent Jumet KeyID: 0xCFAF704C -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (MingW32) iHEEAREDADEFAk0sO4sqGGh0dHA6Ly93d3cucG9pbnRkZWNoYXQubmV0LzB4Q0ZB RjcwNEMuYXNjAAoJEPUdbaDPr3BMm+4An3zM71bE43tBgjmR/c1pMYUiTNY5AJ4u /3v14xo4RlEhgvrfCNeX2AOJnA== =ZRAL -----END PGP SIGNATURE----- From benjamin at py-soft.co.uk Tue Jan 11 12:15:09 2011 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Tue, 11 Jan 2011 11:15:09 +0000 Subject: What is the benefit of signing an encrypted email In-Reply-To: References: Message-ID: On 11 January 2011 10:04, jimbob palmer wrote: > In what case would I want my encrypted emails also signed? Does it > provide any additional benefit over a pure encrypted email? Encrypted means only the recipient can read it. Signed means that, if they verified the key properly, the message came from you and has not been tampered with. Encrypted and signed means both. Ben From olav at enigmail.net Tue Jan 11 12:36:13 2011 From: olav at enigmail.net (Olav Seyfarth) Date: Tue, 11 Jan 2011 12:36:13 +0100 Subject: What is the benefit of signing an encrypted email In-Reply-To: References: Message-ID: <4D2C40AD.50002@enigmail.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hi Jim / Bob, > In Firefox I can sign or encrypt or encrypt+sign an e-mail.
> In what case would I want my encrypted emails also signed? > Does it provide any additional benefit over a pure encrypted email? encrypted = only persons you encrypted TO can read your message (= these persons need to have set up a key themselves beforehand) signed = everybody that has access to your PUBLIC key can verify that your message has not been fiddled with since you signed it Olav - -- The Enigmail Project - OpenPGP Email Security For Mozilla Applications -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ -----END PGP SIGNATURE----- From Dave.Smith at st.com Tue Jan 11 12:09:30 2011 From: Dave.Smith at st.com (David Smith) Date: Tue, 11 Jan 2011 11:09:30 +0000 Subject: What is the benefit of signing an encrypted email In-Reply-To: References: Message-ID: <4D2C3A6A.9080409@st.com> jimbob palmer wrote: > In Firefox I can sign or encrypt or encrypt+sign an e-mail. > > In what case would I want my encrypted emails also signed? Does it > provide any additional benefit over a pure encrypted email? Signing and encrypting serve different purposes. Encrypting a mail ensures that only the intended recipient(s) can read it. Signing a mail allows the recipient(s) to check that it really was you that sent it, and not someone else masquerading as you.
From gollo at fsfe.org Tue Jan 11 12:11:35 2011 From: gollo at fsfe.org (Martin Gollowitzer) Date: Tue, 11 Jan 2011 12:11:35 +0100 Subject: What is the benefit of signing an encrypted email In-Reply-To: References: Message-ID: <20110111111135.GA5026@wingback.gollo.at> Hi, * jimbob palmer [110111 12:05]: > In Firefox I can sign or encrypt or encrypt+sign an e-mail. > > In what case would I want my encrypted emails also signed? Does it > provide any additional benefit over a pure encrypted email? A digital signature is useful so the sender can check if that message was really sent by you. If it's only encrypted, there is no proof for that since everyone who knows the recipient's public key can encrypt messages for this particular person. All the best, Martin -- The early worm is for the birds. From carsten.aulbert at aei.mpg.de Tue Jan 11 12:14:02 2011 From: carsten.aulbert at aei.mpg.de (Carsten Aulbert) Date: Tue, 11 Jan 2011 12:14:02 +0100 Subject: What is the benefit of signing an encrypted email In-Reply-To: References: Message-ID: <201101111214.03218.carsten.aulbert@aei.mpg.de> Hi On Tuesday 11 January 2011 11:04:31 jimbob palmer wrote: > In Firefox I can sign or encrypt or encrypt+sign an e-mail. > I suppose you mean thunderbird here, right? > In what case would I want my encrypted emails also signed? Does it > provide any additional benefit over a pure encrypted email? Usually, you encrypt with the public key of the recipient, but sign with the help of your personal private key. Thus the recipient can be reasonably sure you sent this message, but no-one but him should be able to decipher it. Does this help? Cheers Carsten From rjh at sixdemonbag.org Tue Jan 11 15:03:49 2011 From: rjh at sixdemonbag.org (Robert J.
Hansen) Date: Tue, 11 Jan 2011 09:03:49 -0500 Subject: What is the benefit of signing an encrypted email In-Reply-To: <4D2C3A6A.9080409@st.com> References: <4D2C3A6A.9080409@st.com> Message-ID: <4D2C6345.4010708@sixdemonbag.org> On 1/11/2011 6:09 AM, David Smith wrote: > Signing a mail allows the recipient(s) to check that it really was you > that sent it, and not someone else masquerading as you. Not quite. Signatures let you verify the content has not been altered since someone else saw it. If the signature doesn't check, you don't get that verification, but that *doesn't* mean the message was tampered with, or that someone is doing an impersonation. There are tons of innocent things that can mangle a signature, from a misconfigured MTA mangling PGP/MIME attachments, to the original author remembering something at the last moment and adding content after it had been signed, to... etc. Signatures can verify a message as good, but they cannot flag a message as bad. From dan at geer.org Tue Jan 11 13:19:32 2011 From: dan at geer.org (dan at geer.org) Date: Tue, 11 Jan 2011 07:19:32 -0500 Subject: What is the benefit of signing an encrypted email In-Reply-To: Your message of "Tue, 11 Jan 2011 11:09:30 GMT." <4D2C3A6A.9080409@st.com> Message-ID: <20110111121932.E9DF034098@absinthe.tinho.net> If one is a purist, then one wants sign>encrypt>sign See http://world.std.com/~dtd/#sign_encrypt --dan From bird_112 at hotmail.com Tue Jan 11 15:41:00 2011 From: bird_112 at hotmail.com (jack seth) Date: Tue, 11 Jan 2011 14:41:00 +0000 Subject: How to create non-standard key pair Message-ID: Hello. I have been searching google for a couple of days now and I can't figure out how to accomplish this. I need to create a v4 RSA keypair that has a 16384 encryption key and a 4096 (possibly 8192) signing key using AES-256 that I can export to a text file. Can you guys please provide some guidance on how to accomplish this? 
Thanks From gollo at fsfe.org Tue Jan 11 17:27:09 2011 From: gollo at fsfe.org (Martin Gollowitzer) Date: Tue, 11 Jan 2011 17:27:09 +0100 Subject: Problems with pcsc-lite 1.6.6 and Cherry ST-2000U Message-ID: <20110111162709.GA25216@wingback.gollo.at> Hi all, Has anyone experienced problems with the most recent version of pcsc-lite (1.6.6) when using an OpenPGP smartcard with GnuPG? My card reader, a Cherry ST-2000U stopped working after I updated my Gentoo system recently (while my SCR335 still works). I tried to do some debugging and scdaemon reports an unknown PC/SC error code. This is all I could find out. I also tried to disable the internal CCID driver, but this didn't change anything. I still receive different error messages (like "no card found" although the card is inserted). Any hints what I could do? Thanks, Martin From bo.berglund at gmail.com Tue Jan 11 17:35:57 2011 From: bo.berglund at gmail.com (Bo Berglund) Date: Tue, 11 Jan 2011 17:35:57 +0100 Subject: Organizing GPA public key list into favourites groups???? Message-ID: <8a1pi6hu1vbv9rj5tjer32krekf13oivpi@4ax.com> I installed Gpg4Win 2.0.3 in December and have started to use it for exchanging sensitive data files. I used to use PGP/GPG a lot several years ago and so I have a fair collection of public keys... My public keyring thus has a lot of recipients, but I normally only communicate with a few of them. Most often I send an encrypted file to 3 specific persons, so I have to select their keys from the mess of keys in the GPA list. And the names of these persons are not alphabetically close either. So I have to scroll a lot!
:( Is it possible to bunch several of the keys together into a group of recipients such that I need only select one single entry to encrypt to all? And is it possible to set GPA up such that it *ALWAYS* adds my own key to the encryption so I don't have to manually do this every time? -- Bo Berglund Developer in Sweden From mailinglisten at hauke-laging.de Tue Jan 11 17:44:42 2011 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Tue, 11 Jan 2011 17:44:42 +0100 Subject: Organizing GPA public key list into favourites groups???? In-Reply-To: <8a1pi6hu1vbv9rj5tjer32krekf13oivpi@4ax.com> References: <8a1pi6hu1vbv9rj5tjer32krekf13oivpi@4ax.com> Message-ID: <201101111744.49324.mailinglisten@hauke-laging.de> On Tuesday 11 January 2011 17:35:57, Bo Berglund wrote: > Is it possible to bunch several of the keys together into a group of > recipients such that I need only select one single entry to encrypt to > all? I don't know about the GUIs but gpg has the option --group. > And is it possible to set GPA up such that it *ALWAYS* adds my own key > to the encryption so I don't have to manually do this every time? --encrypt-to in the config file. Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 From rjh at sixdemonbag.org Tue Jan 11 18:13:46 2011 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 11 Jan 2011 12:13:46 -0500 Subject: How to create non-standard key pair In-Reply-To: References: Message-ID: <4D2C8FCA.4040808@sixdemonbag.org> On 1/11/2011 9:41 AM, jack seth wrote: > Hello. I have been searching google for a couple of days now and I > can't figure out how to accomplish this. I need to create a v4 RSA > keypair that has a 16384 encryption key and a 4096 (possibly 8192) > signing key using AES-256 that I can export to a text file.
Can you > guys please provide some guidance on how to accomplish this? If your requirements are accurate, then RSA is probably not an appropriate choice. Use elliptical curve cryptography instead. What exactly are you trying to accomplish? From bo.berglund at gmail.com Tue Jan 11 18:22:19 2011 From: bo.berglund at gmail.com (Bo Berglund) Date: Tue, 11 Jan 2011 18:22:19 +0100 Subject: Organizing GPA public key list into favourites groups???? References: <8a1pi6hu1vbv9rj5tjer32krekf13oivpi@4ax.com> <201101111744.49324.mailinglisten__4906.50944780118$1294764361$gmane$org@hauke-laging.de> Message-ID: On Tue, 11 Jan 2011 17:44:42 +0100, Hauke Laging wrote: >On Tuesday 11 January 2011 17:35:57, Bo Berglund wrote: > >> Is it possible to bunch several of the keys together into a group of >> recipients such that I need only select one single entry to encrypt to >> all? > >I don't know about the GUIs but gpg has the option --group. > > >> And is it possible to set GPA up such that it *ALWAYS* adds my own key >> to the encryption so I don't have to manually do this every time? > >--encrypt-to in the config file. > > >Hauke When I open the preferences in GPA there are next to no settings at all that can be configured. :-( Basically all I see is a list of my own keys where I assume I can select the default key. But it is not marked in any way... And by checking "Show advanced options" a "default keyserver" combobox shows up. That is 100% all there is.... How do I enter the --group and --encrypt-to items? There is absolutely nowhere I can type these things in. -- Bo Berglund Developer in Sweden From dshaw at jabberwocky.com Tue Jan 11 18:51:34 2011 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 11 Jan 2011 12:51:34 -0500 Subject: How to create non-standard key pair In-Reply-To: References: Message-ID: On Jan 11, 2011, at 9:41 AM, jack seth wrote: > Hello. I have been searching google for a couple of days now and I can't figure out how to accomplish this.
> I need to create a v4 RSA keypair that has a 16384 encryption key and a 4096 (possibly 8192) signing key using AES-256 that I can export to a text file. Can you guys please provide some guidance on how to accomplish this? Thanks

You'll have to patch the code. GnuPG won't do this by itself.

What are you trying to accomplish? Those keys are insanely large.

David

From wk at gnupg.org Tue Jan 11 20:21:16 2011
From: wk at gnupg.org (Werner Koch)
Date: Tue, 11 Jan 2011 20:21:16 +0100
Subject: Organizing GPA public key list into favourites groups????
In-Reply-To: (Bo Berglund's message of "Tue, 11 Jan 2011 18:22:19 +0100")
References: <8a1pi6hu1vbv9rj5tjer32krekf13oivpi@4ax.com> <201101111744.49324.mailinglisten__4906.50944780118$1294764361$gmane$org@hauke-laging.de>
Message-ID: <8739oz1c2b.fsf@vigenere.g10code.de>

On Tue, 11 Jan 2011 18:22, bo.berglund at gmail.com said:

> When I open the preferences in GPA there are next to no settings at
> all that can be configured. :-(

Select Edit->Backend_Preferences. This allows to change many more options. It is basically a menu for most of the configuration options of all backend modules (gpg, gpg-agent and so on).

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From bo.berglund at gmail.com Tue Jan 11 20:43:26 2011
From: bo.berglund at gmail.com (Bo Berglund)
Date: Tue, 11 Jan 2011 20:43:26 +0100
Subject: Organizing GPA public key list into favourites groups????
References: <8a1pi6hu1vbv9rj5tjer32krekf13oivpi@4ax.com> <201101111744.49324.mailinglisten__4906.50944780118$1294764361$gmane$org@hauke-laging.de> <8739oz1c2b.fsf__37102.1340637983$1294773989$gmane$org@vigenere.g10code.de>
Message-ID: <16cpi6d7lbr28h3eojah2katmua07l3c4b@4ax.com>

On Tue, 11 Jan 2011 20:21:16 +0100, Werner Koch wrote:

>On Tue, 11 Jan 2011 18:22, bo.berglund at gmail.com said:
>
>> When I open the preferences in GPA there are next to no settings at
>> all that can be configured. :-(
>
>Select Edit->Backend_Preferences.
>This allows to change many more
>options. It is basically a menu for most of the configuration options
>of all backend modules (gpg, gpg-agent and so on).
>
>

Found it but it is of little help actually...
For example I found this on the tab "GPG for OpenPGP":

"Options controlling the configuration"
Default key
encrypt-to
group

In all cases there was a dropdown to the right of the name saying "Do not use option" or "Use custom value". Then to the right of this an empty edit box with no indication on what to enter or do....

In similar cases in other applications there would be a button to click and then possibly a dialog box asking for the name of the item, in this case the group. Then there would be a list of valid items to choose from into this grouping.

None of this happens with GPA. :-(

I really need to get some help in doing this properly.

Say that I have three public keys to my colleagues that I want to add into a simple to use group for encryption. What do I do in this dialogue to make it happen?

And will the group now appear in my public key list when I want to encrypt to someone??

--
Bo Berglund
Developer in Sweden

From free10pro at gmail.com Tue Jan 11 12:09:54 2011
From: free10pro at gmail.com (Paul Richard Ramer)
Date: Tue, 11 Jan 2011 03:09:54 -0800
Subject: Having trouble getting GPG to accept input from a pinpad
In-Reply-To: <20110103102530.GA4070@rio.matrix>
References: <4D205D5C.3050402__43137.4791347936$1293968465$gmane$org@gmail.com> <87aajj5t3t.fsf@latte.josefsson.org> <4D21962D.1000904@gmail.com> <20110103102530.GA4070@rio.matrix>
Message-ID: <4D2C3A82.60806@gmail.com>

On 01/03/2011 02:25 AM, Michel Messerschmidt wrote:
> Have you tried it with gnupg 2.0.x ?
> IIRC you need at least 2.0.12 for the SPR-532 pinpad and gnupg-agent
> should be running.
> If not, please post more details about your environment and how you
> execute gnupg. The pinpad works for me, so I guess you will find a way.

Good news--it works.
Initially, I tried gpg2 (version 2.0.14), but it didn't work. Instead, I got an error message that scdaemon wasn't running. I searched for scdaemon on my system with "which scdaemon", but I couldn't find it.

But now I can find scdaemon with "which scdaemon", and the only thing that has changed has been that I compiled some software, installed some packages, and, just this last evening, performed an update on my system. I hadn't had any success with the pinpad until some time after the update last night.

So I don't know what happened to fix my situation (I wish I knew). But thank you to all of you who helped me. You have been a big help. :-)

-Paul

--
PGP Key ID: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884

From nicholas.cole at gmail.com Tue Jan 11 21:09:11 2011
From: nicholas.cole at gmail.com (Nicholas Cole)
Date: Tue, 11 Jan 2011 20:09:11 +0000
Subject: What is the benefit of signing an encrypted email
In-Reply-To: <20110111121932.E9DF034098@absinthe.tinho.net>
References: <4D2C3A6A.9080409@st.com> <20110111121932.E9DF034098@absinthe.tinho.net>
Message-ID:

On Tue, Jan 11, 2011 at 12:19 PM, wrote:
>
> If one is a purist, then one wants sign>encrypt>sign
>
> See http://world.std.com/~dtd/#sign_encrypt

That is a really interesting paper. Did the OpenPGP protocol ever include a fix for the attack they describe?

Nicholas

From bo.berglund at gmail.com Tue Jan 11 23:12:48 2011
From: bo.berglund at gmail.com (Bo Berglund)
Date: Tue, 11 Jan 2011 23:12:48 +0100
Subject: Organizing GPA public key list into favourites groups????
References: <8a1pi6hu1vbv9rj5tjer32krekf13oivpi@4ax.com> <201101111744.49324.mailinglisten__4906.50944780118$1294764361$gmane$org@hauke-laging.de> <8739oz1c2b.fsf__37102.1340637983$1294773989$gmane$org@vigenere.g10code.de> <16cpi6d7lbr28h3eojah2katmua07l3c4b__6755.88251692734$1294775093$gmane$org@4ax.com>
Message-ID:

On Tue, 11 Jan 2011 20:43:26 +0100, Bo Berglund wrote:

>Say that I have three public keys to my colleagues that I want to add
>into a simple to use group for encryption. What do I do in this
>dialogue to make it happen?

What I did next was to locate the gpg.conf file in AppData in my profile (I am running Windows7 X64). Here I found a text part where it looked like one could add a group specification. So I went ahead and added this line:

group developers = 0xDBC3175B 0x9209B308 0x8A51A0EE

Then I saved this edit of the conf file.

Next I went to the GPA backend configuration and found that what I had written after the group marker was now visible in the configuration box. Fine so far....

>And will the group now appear in my public key list when I want to
>encrypt to someone??

No it will not...
If I use GPA to encrypt a file, what happens is exactly like before, I get the unwieldy (not even sorted by name) list of recipients public keys to select from and nowhere at all is there any sight of my developers group! :-(

So there seems to be no way in GPA to actually select the group for encryption! This means that groups are unusable with GPA at least.

Is there some other application that can be used to encrypt a file with GPG which actually works in Windows 7 X64 and also shows the group?
(I have had to manually edit the registry to even get a right-click entry to choose GPA when a file is selected in Windows Explorer, before that there was no way one could encrypt the file).

Finally, is it possible to have more than one group in GPG? If so what is the syntax in the conf file? Can there be more than one line starting with group?
--
Bo Berglund
Developer in Sweden

From faramir.cl at gmail.com Wed Jan 12 01:47:44 2011
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 11 Jan 2011 21:47:44 -0300
Subject: What is the benefit of signing an encrypted email
In-Reply-To:
References: <4D2C3A6A.9080409@st.com> <20110111121932.E9DF034098@absinthe.tinho.net>
Message-ID: <4D2CFA30.6020101@gmail.com>

On 11-01-2011 17:09, Nicholas Cole wrote:
> On Tue, Jan 11, 2011 at 12:19 PM, wrote:
>>
>> If one is a purist, then one wants sign>encrypt>sign
>>
>> See http://world.std.com/~dtd/#sign_encrypt
>
> That is a really interesting paper. Did the OpenPGP protocol ever
> include a fix for the attack they describe?

When I was 18 y/o, I went to the university, and we were used to sign a sheet of paper to keep the assistance records. One day, a teacher took a blank sheet of paper, wrote columns for name, RUT (the unique id number), and signature. And we all signed it. Then the teacher said: "well... why did you sign it? there is no title in this paper, it doesn't say assistance record... now I can write anything I want, and you already signed it! What if I write 'petition to fire the dean'?"

Of course the teacher wrote the right title on the sheet, and no harm was done. Why am I telling this here? Because, if Alice sends a signed message to Bob, she must add "to Bob" at the beginning of the message. It might be a flaw or not, but IMHO, cryptography can't replace common sense.

Best Regards

From kgo at grant-olson.net Wed Jan 12 04:56:58 2011
From: kgo at grant-olson.net (Grant Olson)
Date: Tue, 11 Jan 2011 22:56:58 -0500
Subject: Official gnupg signing key (0x1CE0C630) expired
Message-ID: <4D2D268A.8010501@grant-olson.net>

I'm assuming this just needs the year end bump. Looks like it expired 12-31-2010.

-Grant

From dshaw at jabberwocky.com Wed Jan 12 06:52:59 2011
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 12 Jan 2011 00:52:59 -0500
Subject: What is the benefit of signing an encrypted email
In-Reply-To:
References: <4D2C3A6A.9080409@st.com> <20110111121932.E9DF034098@absinthe.tinho.net>
Message-ID: <4D9F51D9-8EE8-4760-AED3-F1F35443D245@jabberwocky.com>

On Jan 11, 2011, at 3:09 PM, Nicholas Cole wrote:

> On Tue, Jan 11, 2011 at 12:19 PM, wrote:
>>
>> If one is a purist, then one wants sign>encrypt>sign
>>
>> See http://world.std.com/~dtd/#sign_encrypt
>
> That is a really interesting paper. Did the OpenPGP protocol ever
> include a fix for the attack they describe?

No. It was generally felt that this was more of an attack on the user of crypto, rather than on the crypto itself.
See this thread from when the paper was first published:

http://www.mail-archive.com/cryptography at wasabisystems.com/msg00259.html

And especially:

http://www.mail-archive.com/cryptography at wasabisystems.com/msg00261.html

David

From nicholas.cole at gmail.com Wed Jan 12 11:01:17 2011
From: nicholas.cole at gmail.com (Nicholas Cole)
Date: Wed, 12 Jan 2011 10:01:17 +0000
Subject: What is the benefit of signing an encrypted email
In-Reply-To: <4D9F51D9-8EE8-4760-AED3-F1F35443D245@jabberwocky.com>
References: <4D2C3A6A.9080409@st.com> <20110111121932.E9DF034098@absinthe.tinho.net> <4D9F51D9-8EE8-4760-AED3-F1F35443D245@jabberwocky.com>
Message-ID:

On Wed, Jan 12, 2011 at 5:52 AM, David Shaw wrote:
> On Jan 11, 2011, at 3:09 PM, Nicholas Cole wrote:
>
>> On Tue, Jan 11, 2011 at 12:19 PM, wrote:
>>>
>>> If one is a purist, then one wants sign>encrypt>sign
>>>
>>> See http://world.std.com/~dtd/#sign_encrypt
>>
>> That is a really interesting paper. Did the OpenPGP protocol ever
>> include a fix for the attack they describe?
>
> No. It was generally felt that this was more of an attack on the user of crypto, rather than on the crypto itself.
>
> See this thread from when the paper was first published: http://www.mail-archive.com/cryptography at wasabisystems.com/msg00259.html

That thread is clearly right about the bulk of the paper, which is clearly an attack on the user of the crypto. Signing ambiguous messages is not a good idea! But what about the suggestion they made in section 1.2 about not signing crypt texts? Am I right that openpgp always encrypts signed text, rather than signing encrypted text, and so is not vulnerable at all?
Best wishes,

Nicholas

From free10pro at gmail.com Wed Jan 12 11:28:29 2011
From: free10pro at gmail.com (Paul Richard Ramer)
Date: Wed, 12 Jan 2011 02:28:29 -0800
Subject: What is the benefit of signing an encrypted email
In-Reply-To:
References: <4D2C3A6A.9080409@st.com> <20110111121932.E9DF034098@absinthe.tinho.net> <4D9F51D9-8EE8-4760-AED3-F1F35443D245@jabberwocky.com>
Message-ID: <4D2D824D.70701@gmail.com>

On Wed, 12 Jan 2011 10:01:17 +0000, Nicholas Cole wrote:
> That thread is clearly right about the bulk of the paper, which is
> clearly an attack on the user of the crypto. Signing ambiguous
> messages is not a good idea! But what about the suggestion they made
> in section 1.2 about not signing crypt texts? Am I right that openpgp
> always encrypts signed text, rather than signing encrypted text, and
> so is not vulnerable at all?

Yes, OpenPGP encrypts signed text rather than signing encrypted text.

-Paul

--
PGP Key ID: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884

From wk at gnupg.org Wed Jan 12 11:48:39 2011
From: wk at gnupg.org (Werner Koch)
Date: Wed, 12 Jan 2011 11:48:39 +0100
Subject: What is the benefit of signing an encrypted email
In-Reply-To: (Nicholas Cole's message of "Wed, 12 Jan 2011 10:01:17 +0000")
References: <4D2C3A6A.9080409@st.com> <20110111121932.E9DF034098@absinthe.tinho.net> <4D9F51D9-8EE8-4760-AED3-F1F35443D245@jabberwocky.com>
Message-ID: <87y66qz9bs.fsf@vigenere.g10code.de>

On Wed, 12 Jan 2011 11:01, nicholas.cole at gmail.com said:

> in section 1.2 about not signing crypt texts? Am I right that openpgp
> always encrypts signed text, rather than signing encrypted text, and

No. It is common practice to sign and encrypt. For gpg it is not the default.

Before the introduction of the MDC (manipulation detection code), the signing helped to mitigate a possible ciphertext scrambling attack. The MDC was introduced as a countermeasure for non signed messages.
Note also, that signing an encrypted message creates a privacy problem in that it is obvious who actually sent (or well signed) the message.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Wed Jan 12 11:54:04 2011
From: wk at gnupg.org (Werner Koch)
Date: Wed, 12 Jan 2011 11:54:04 +0100
Subject: Official gnupg signing key (0x1CE0C630) expired
In-Reply-To: <4D2D268A.8010501@grant-olson.net> (Grant Olson's message of "Tue, 11 Jan 2011 22:56:58 -0500")
References: <4D2D268A.8010501@grant-olson.net>
Message-ID: <87tyhez92r.fsf@vigenere.g10code.de>

On Wed, 12 Jan 2011 04:56, kgo at grant-olson.net said:

> I'm assuming this just needs the year end bump. Looks like it expired
> 12-31-2010.

Right, I should have prolonged it again. The original plan was to switch to an OpenPGP v2 card in time. I didn't achieve that because I missed to buy a non-omnikey USB stick card reader. Let me see whether I can switch to a dedicated full-size card.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From mailinglisten at hauke-laging.de Wed Jan 12 14:21:35 2011
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Wed, 12 Jan 2011 14:21:35 +0100
Subject: What is the benefit of signing an encrypted email
In-Reply-To: <4D9F51D9-8EE8-4760-AED3-F1F35443D245@jabberwocky.com>
References: <4D2C3A6A.9080409@st.com> <4D9F51D9-8EE8-4760-AED3-F1F35443D245@jabberwocky.com>
Message-ID: <201101121421.35427.mailinglisten@hauke-laging.de>

On Wednesday 12 January 2011 06:52:59, David Shaw wrote:
> No. It was generally felt that this was more of an attack on the user of
> crypto, rather than on the crypto itself.

That may be a difference to crypto but I doubt that it is a difference to the user...

Solutions are better than excuses. And here the solution is simple, it's "just" the usual problem of having to extend an existing standard.
Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From mailinglisten at hauke-laging.de Wed Jan 12 14:25:46 2011
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Wed, 12 Jan 2011 14:25:46 +0100
Subject: What is the benefit of signing an encrypted email
In-Reply-To: <87y66qz9bs.fsf@vigenere.g10code.de>
References: <4D2C3A6A.9080409@st.com> <87y66qz9bs.fsf@vigenere.g10code.de>
Message-ID: <201101121425.47324.mailinglisten@hauke-laging.de>

On Wednesday 12 January 2011 11:48:39, Werner Koch wrote:
> Note also, that signing an encrypted message creates a privacy problem
> in that it is obvious who actually sent (or well signed) the message.

Which is simultaneously a solution for the spam problem (and an improvement against attacks by malicious content) in all those cases in which this kind of privacy is not required. For the (probably few) exceptions the other way (E/S/E) could be used.

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From jimbobpalmer at gmail.com Wed Jan 12 16:15:37 2011
From: jimbobpalmer at gmail.com (jimbob palmer)
Date: Wed, 12 Jan 2011 16:15:37 +0100
Subject: What is the benefit of signing an encrypted email
In-Reply-To: <20110111111135.GA5026@wingback.gollo.at>
References: <20110111111135.GA5026@wingback.gollo.at>
Message-ID:

Hello,

2011/1/11 Martin Gollowitzer :
> Hi,
>
> * jimbob palmer [110111 12:05]:
>> In Firefox I can sign or encrypt or encrypt+sign an e-mail.
>>
>> In what case would I want my encrypted emails also signed? Does it
>> provide any additional benefit over a pure encrypted email?
>
> A digital signature is useful so the sender can check if that message
> was really sent by you. If it's only encrypted, there is no proof for
> that since everyone who knows the recipient's public key can encrypt
> messages for this particular person.

So encrypting an e-mail only provides a guarantee that the recipient can read the message. It provides no guarantees about the sender.

Signing the message guarantees the sender.

Okay, I understand this. The question is, why on earth is the default for encrypted email not to sign too (I'm talking about anything that talks to gpg, like thunderbird).

I suppose this might take me off topic.

And would dkim be enough instead of signing the encrypted e-mails?

Thanks.

>
> All the best,
> Martin
>
> --
> The early worm is for the birds.
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>

From rjh at sixdemonbag.org Wed Jan 12 16:57:27 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 12 Jan 2011 10:57:27 -0500
Subject: What is the benefit of signing an encrypted email
In-Reply-To:
References: <20110111111135.GA5026@wingback.gollo.at>
Message-ID:

> Signing the message guarantees the sender.

Only if certain conditions are met. The signature must (a) be correct (b) issued from a validated key (c) belonging to a trusted party.

A bad signature makes no guarantees, not even a guarantee the message has been tampered with. (After all, the error could be in the signature itself, leaving the message intact.)

A good signature from a non-validated key makes no guarantees. (After all, who does the key really belong to? How can you have any confidence in the signature?)

Good signatures from validated keys belonging to untrustworthy people make no guarantees.
There are a couple of people in the world who, even though I know their key fingerprints and have verified them face-to-face, I wouldn't trust signatures from. My immediate reaction would be, "I have no confidence they're not pulling some kind of trick on me." Their signatures are worthless and make no guarantees.

> Okay, I understand this. The question is, why on earth is the default
> for encrypted email not to sign too (I'm talking about anything that
> talks to gpg, like thunderbird).

Speaking for Enigmail, it's because 99% of the time signatures are worthless. They contribute to the illusion of data integrity while actually providing no guarantees. It's best if you only sign messages you deliberately intend to sign, messages where you believe all three conditions are met and the signature contributes to the overall integrity of the communication. We believe this is the responsible thing to do, rather than encouraging our users to buy into a false sense of security.

If this bothers you, you can go into your account settings window, click on your account, click on "OpenPGP Security," and tell it to sign messages by default.

From mailinglisten at hauke-laging.de Wed Jan 12 17:08:53 2011
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Wed, 12 Jan 2011 17:08:53 +0100
Subject: What is the benefit of signing an encrypted email
In-Reply-To:
References:
Message-ID: <201101121708.53466.mailinglisten@hauke-laging.de>

On Wednesday 12 January 2011 16:57:27, Robert J. Hansen wrote:

> Good signatures from validated keys belonging to untrustworthy people make
> no guarantees. There are a couple of people in the world who, even though
> I know their key fingerprints and have verified them face-to-face, I
> wouldn't trust signatures from. My immediate reaction would be, "I have
> no confidence they're not pulling some kind of trick on me."

More often "I have no confidence they keep their secret keys strictly under their control" might be the relevant objection.
> Speaking for Enigmail, it's because 99% of the time signatures are
> worthless. They contribute to the illusion of data integrity while
> actually providing no guarantees.

You mix up the (current - key validation can be done after the communication, too) absence of a guarantee with being worthless.

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From rjh at sixdemonbag.org Wed Jan 12 17:13:44 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 12 Jan 2011 11:13:44 -0500
Subject: What is the benefit of signing an encrypted email
In-Reply-To: <201101121708.53466.mailinglisten@hauke-laging.de>
References: <201101121708.53466.mailinglisten@hauke-laging.de>
Message-ID:

> More often "I have no confidence they keep their secret keys strictly under
> their control" might be the relevant objection.

In my case, it's "I think these individuals are mentally unstable and violent," but yes. :)

>> Speaking for Enigmail, it's because 99% of the time signatures are
>> worthless. They contribute to the illusion of data integrity while
>> actually providing no guarantees.
>
> You mix up the absence of a guarantee with being worthless.

Show me the worth in a signed message that has any of (a) an incorrect signature, (b) from an invalid key, or (c) from someone you believe is utterly untrustworthy.

From dkg at fifthhorseman.net Wed Jan 12 17:15:48 2011
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 12 Jan 2011 11:15:48 -0500
Subject: What is the benefit of signing an encrypted email
In-Reply-To:
References: <20110111111135.GA5026@wingback.gollo.at>
Message-ID: <4D2DD3B4.50708@fifthhorseman.net>

On 01/12/2011 10:57 AM, Robert J. Hansen wrote:
> Speaking for Enigmail, it's because 99% of the time signatures are worthless.
> They contribute to the illusion of data integrity while actually providing no
> guarantees. It's best if you only sign messages you deliberately intend to
> sign, messages where you believe all three conditions are met and the signature
> contributes to the overall integrity of the communication. We believe this is
> the responsible thing to do, rather than encouraging our users to buy into a
> false sense of security.

I agree with Robert that enigmail's choice of defaults (don't autosign every message) is a good thing, though i think i'd phrase the concern a little differently.

I wouldn't say "signatures are worthless" (i sign nearly all of my outbound mail), but i do think that people should only sign messages they intend to sign and have thought about. Hopefully, this thoughtfulness extends into thinking about their message making sense even if it is seen out-of-context.

For example, a signed e-mail message with a Subject: header of "Proposal X" and a body of "I say we should do it!" can be trivially repurposed by a backer of Proposal Y to imply that the same person supports Y instead of X (since only the e-mail body is signed, and not the headers).

If enigmail were to default to signing everything, then it would sign messages for people that they have not thought about. As a result, that weakens the meaning of their signature, to the point where even if they *have* thought about and decided to sign any given message, the fact that their signature is attached thoughtlessly to so many other messages makes it dubious.

So enigmail defaults to not sign every outbound message in order to keep the value of your signature high by not applying it to things you haven't thought about.
For those who make the conscious decision to sign all their e-mails, and think consciously about what they send, there's nothing wrong with changing the default (though you should get used to turning off signing when you realize you're about to send a message that might not be context-independent or where the signature might screw something up).

--dkg

From dkg at fifthhorseman.net Wed Jan 12 17:24:35 2011
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 12 Jan 2011 11:24:35 -0500
Subject: What is the benefit of signing an encrypted email
In-Reply-To:
References: <201101121708.53466.mailinglisten@hauke-laging.de>
Message-ID: <4D2DD5C3.1080101@fifthhorseman.net>

On 01/12/2011 11:13 AM, Robert J. Hansen wrote:
> Show me the worth in a signed message that has any of (a) an incorrect
> signature, (b) from an invalid key, or (c) from someone you believe is
> utterly untrustworthy.

As a devil's advocate, i'd point out that a message signed with a valid key known to belong to someone who is utterly untrustworthy could be used *against* the signer, by saying something like:

"look -- here is Mr. X claiming that he is going to poison the reservoir. Please take this seriously, and note that it could only have come from Mr. X because it is signed with his key."

This doesn't mean that Mr. X is actually going to poison the reservoir, but the signature is a good argument that the reservoir guards should investigate this particular individual -- that the message is not a forgery from someone trying to tarnish Mr. X's reputation.

Signing a message makes you somewhat more vulnerable -- it is a non-repudiable statement bound to your identity, which people can use against you. It is also a way of standing behind what you are saying, and accepting responsibility for it.
This kind of tradeoff needs to be made consciously, and is one of the reasons that you need to take good care to protect your secret keys.

Regards,

--dkg

From dshaw at jabberwocky.com Wed Jan 12 17:27:29 2011
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 12 Jan 2011 11:27:29 -0500
Subject: What is the benefit of signing an encrypted email
In-Reply-To:
References: <201101121708.53466.mailinglisten@hauke-laging.de>
Message-ID:

On Jan 12, 2011, at 11:13 AM, Robert J. Hansen wrote:

>> More often "I have no confidence they keep their secret keys strictly under
>> their control" might be the relevant objection.
>
> In my case, it's "I think these individuals are mentally unstable and violent," but yes. :)
>
>>> Speaking for Enigmail, it's because 99% of the time signatures are
>>> worthless. They contribute to the illusion of data integrity while
>>> actually providing no guarantees.
>>
>> You mix up the absence of a guarantee with being worthless.
>
> Show me the worth in a signed message that has any of (a) an incorrect signature, (b) from an invalid key, or (c) from someone you believe is utterly untrustworthy.

With (c), you can then have some assurance that their untrustworthiness has been faithfully maintained in the message since it was signed...
;)

David

From mailinglisten at hauke-laging.de Wed Jan 12 17:39:00 2011
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Wed, 12 Jan 2011 17:39:00 +0100
Subject: What is the benefit of signing an encrypted email
In-Reply-To: <4D2DD3B4.50708@fifthhorseman.net>
References: <4D2DD3B4.50708@fifthhorseman.net>
Message-ID: <201101121739.00627.mailinglisten@hauke-laging.de>

On Wednesday 12 January 2011 17:15:48, Daniel Kahn Gillmor wrote:
> If enigmail were to default to signing everything, then it would sign
> messages for people that they have not thought about. As a result, that
> weakens the meaning of their signature, to the point where even if they
> *have* thought about and decided to sign any given message, the fact
> that their signature is attached thoughtlessly to so many other messages
> makes it dubious.

Thus it makes sense to use different keys for

a) usual ("not thought about") email, just as a first hard line of defense against forgery

b) serious, valuable signatures

That's why I would like to have a standardized description for keys which tells the other one what they are used for (and what not...) and in what kind of environment:

1) testing
2) webmail (used on untrusted systems)
3) used on normal-security but generally trusted systems
4) smartcard
5) used in a high-security environment only

This category would have to be certified, too, of course.

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From wk at gnupg.org Wed Jan 12 17:38:10 2011
From: wk at gnupg.org (Werner Koch)
Date: Wed, 12 Jan 2011 17:38:10 +0100
Subject: What is the benefit of signing an encrypted email
In-Reply-To: <201101121425.47324.mailinglisten@hauke-laging.de> (Hauke Laging's message of "Wed, 12 Jan 2011 14:25:46 +0100")
References: <4D2C3A6A.9080409@st.com> <87y66qz9bs.fsf@vigenere.g10code.de> <201101121425.47324.mailinglisten@hauke-laging.de>
Message-ID: <87sjwyxekt.fsf@vigenere.g10code.de>

On Wed, 12 Jan 2011 14:25, mailinglisten at hauke-laging.de said:

> Which is simultaneously a solution for the spam problem (and an improvement

Signing mails is not a solution against spam. Spammers have more processing power available than any anti-spam measure.

Signing would only help against spam if you agree to accept only mails from certain senders (i.e. signed by certain keys). This is not much different from plain white listing and thus you won't be able to get mail from anyone you don't know.

And no, the WoT won't help: The spammers have more nodes at their hands than anyone else and are able to build up WoTs as they like. Further, the WoT - like any PKI - does only work in smallish groups.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From dkg at fifthhorseman.net Wed Jan 12 17:44:48 2011
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 12 Jan 2011 11:44:48 -0500
Subject: What is the benefit of signing an encrypted email
In-Reply-To: <201101121739.00627.mailinglisten@hauke-laging.de>
References: <4D2DD3B4.50708@fifthhorseman.net> <201101121739.00627.mailinglisten@hauke-laging.de>
Message-ID: <4D2DDA80.3060104@fifthhorseman.net>

On 01/12/2011 11:39 AM, Hauke Laging wrote:
> a) usual ("not thought about") email, just as a first hard line of defense
> against forgery

What do you think you would gain from a signature made by an individual if they did not think they were making it?
How is this a "hard line of defense against forgery" ? --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 900 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Wed Jan 12 17:26:08 2011 From: wk at gnupg.org (Werner Koch) Date: Wed, 12 Jan 2011 17:26:08 +0100 Subject: [Announce] New signing key Message-ID: <87wrmaxf4v.fsf@vigenere.g10code.de> Hi! The key used to sign GnuPG releases expired at the end of last year. I prolonged the lifetime of that key for another 6 months to avoid the frequently asked question if signatures made in the past by an expired key are now invalid (in short: they are not). I will sign future distributions with this new 2048-bit RSA key which has also been generated on a smartcard: pub 2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31] Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 uid Werner Koch (dist sig) sub 2048R/AC87C71A 2011-01-12 [expires: 2019-12-31] Please get a copy of the key, either from the attachment, a keyserver or using one of these commands: gpg --fetch-key finger:wk 'at' g10code 'dot' com gpg --fetch-key http://werner.eifelkommune.de/mykey.asc [Please replace 'at' and 'dot' as usual and use gpg2 if you like] The key has been signed by my main key 1E42B367. The authentication subkey listed above is currently not used. Note also that my old standard key 5B0358A2 expires in 6 months and won't be prolonged. 1E42B367 is now well connected in the Web of Trust. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From rjh at sixdemonbag.org Wed Jan 12 17:49:10 2011 From: rjh at sixdemonbag.org (Robert J. 
Hansen) Date: Wed, 12 Jan 2011 11:49:10 -0500 Subject: What is the benefit of signing an encrypted email In-Reply-To: <201101121739.00627.mailinglisten@hauke-laging.de> References: <4D2DD3B4.50708@fifthhorseman.net> <201101121739.00627.mailinglisten@hauke-laging.de> Message-ID: <9F87CB14-A281-494E-801B-2190F30E3676@sixdemonbag.org> > a) usual ("not thought about") email, just as a first hard line of defense > against forgery Doesn't work. Here's the thought experiment I've been using for years. Imagine that I'm a teaching assistant and I manage to make some of my undergrads very unhappy. They bomb a test or something, and decide to get back at me. So they sign up with Stormfront (a notorious hate site) using the one-off email of robert.j.hansen at somewebmailservice.com, create a user account for me there, and make all kinds of hate-filled racist screeds. They write these things from a coffeeshop across the street, one where I am often known to sit around and do my grading while sipping on a latte. Once they have a few weeks of this, they come to the Dean and say, "you have to fire Mr. Hansen, he's a racist!" I get hauled into the Dean's office. He's a reasonable man, a mathematician by training, and he'll give me a fair hearing. I tell him, "Dean, I didn't write those messages and I don't know who did. But I didn't write them. You can be sure of that, because they're not signed with my PGP key, and I sign everything." The Dean, not a fool, points out, "well, Rob, that doesn't actually mean anything. These opinions are so incendiary that if I wrote them I would make it a point not to sign them, either, so that I could repudiate them later. The lack of a signature means absolutely nothing. The IP address goes to House of Aromas, the posting times match up with times you were seen in there grading and drinking lattes. It doesn't look good. I'm going to have to remove you from teaching duties." Moral of the story: signatures do not protect against forgeries. 
They protect *individual messages* against being *modified without detection*. That's all. It is very possible to forge traffic from someone, even if they are known to be a regular user of OpenPGP. ... The other reason this is a nonstarter: you're now increasing the complexity of the system. OpenPGP already has a learning curve like the Matterhorn. People just don't want to use it: it requires too much technical knowledge, too much thinking, too much study. Adding more levels of complexity to it will just hurt the adoption curve even more. From mailinglisten at hauke-laging.de Wed Jan 12 18:10:49 2011 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Wed, 12 Jan 2011 18:10:49 +0100 Subject: What is the benefit of signing an encrypted email In-Reply-To: <4D2DDA80.3060104@fifthhorseman.net> References: <201101121739.00627.mailinglisten@hauke-laging.de> <4D2DDA80.3060104@fifthhorseman.net> Message-ID: <201101121810.56629.mailinglisten@hauke-laging.de> Am Mittwoch 12 Januar 2011 17:44:48 schrieb Daniel Kahn Gillmor: > On 01/12/2011 11:39 AM, Hauke Laging wrote: > > a) usual ("not thought about") email, just as a first hard line of > > defense against forgery > > What do you think you would gain from a signature made by an individual > if they did not think they were making it? If only one person is capable of making a signature then it's not important whether he "thinks" he made it. > How is this a "hard line of defense against forgery" ? Let's take this email as an example. I write it on my PC which may be more secure than the average system but has all the weaknesses of a system which does all the daily work. I mean: It is POSSIBLE to steal my secret key but it is not EASY. For normal email communication I regard this as enough. For signing treaties or other keys I use other keys (and a different environment). Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From dkg at fifthhorseman.net Wed Jan 12 18:17:10 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 12 Jan 2011 12:17:10 -0500 Subject: What is the benefit of signing an encrypted email In-Reply-To: <201101121810.56629.mailinglisten@hauke-laging.de> References: <201101121739.00627.mailinglisten@hauke-laging.de> <4D2DDA80.3060104@fifthhorseman.net> <201101121810.56629.mailinglisten@hauke-laging.de> Message-ID: <4D2DE216.7030706@fifthhorseman.net> On 01/12/2011 12:10 PM, Hauke Laging wrote: > I mean: It is POSSIBLE to steal my secret key but it is not EASY. For normal > email communication I regard this as enough. For signing treaties or other > keys I use other keys (and a different environment). yes, that's true; but here we've been talking about attacks that don't require stealing of the key (e.g. taking a signed message and placing it in another context). if you sign context-dependent messages as a matter of course, then it's trivial for me to replay one of those messages and have it imply an entirely different meaning. Is this a desirable outcome? --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 900 bytes Desc: OpenPGP digital signature URL:
From rjh at sixdemonbag.org Wed Jan 12 19:52:02 2011 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 12 Jan 2011 13:52:02 -0500 Subject: What is the benefit of signing an encrypted email In-Reply-To: <201101121810.56629.mailinglisten@hauke-laging.de> References: <201101121739.00627.mailinglisten@hauke-laging.de> <4D2DDA80.3060104@fifthhorseman.net> <201101121810.56629.mailinglisten@hauke-laging.de> Message-ID: <4D2DF852.7040202@sixdemonbag.org> On 1/12/2011 12:10 PM, Hauke Laging wrote: > Let's take this email as an example. I write it on my PC which may be > more secure than the average system but has all the weaknesses of a > system which does all the daily work. As I recall, Werner has a story about receiving PGP-signed spam. Apparently, a home user had PGP set up to sign all outbound mail using the PGP mail proxy service, this user's machine got pwn3d and joined a botnet, and the spammer was pumping out Viagra mails that went through the PGP proxy... Automatic signing policies are bad not just because of emails you write but don't mean to sign, but because of emails you *don't* write. :) From bird_112 at hotmail.com Wed Jan 12 20:10:32 2011 From: bird_112 at hotmail.com (jack seth) Date: Wed, 12 Jan 2011 19:10:32 +0000 Subject: How to create non-standard key pair In-Reply-To: References: Message-ID: I am needing to do some testing with these size keys. Can someone advise me on how to modify the code to generate these keys? Thanks > Message: 2 > Date: Tue, 11 Jan 2011 12:13:46 -0500 > From: "Robert J.
Hansen" > To: gnupg-users at gnupg.org > Subject: Re: How to create non-standard key pair > Message-ID: <4D2C8FCA.4040808 at sixdemonbag.org> > Content-Type: text/plain; charset=ISO-8859-1 > > On 1/11/2011 9:41 AM, jack seth wrote: > > Hello. I have been searching google for a couple of days now and I > > can't figure out how to accomplish this. I need to create a v4 RSA > > keypair that has a 16384 encryption key and a 4096 (possibly 8192) > > signing key using AES-256 that I can export to a text file. Can you > > guys please provide some guidance on how to accomplish this? > > If your requirements are accurate, then RSA is probably not an > appropriate choice. Use elliptical curve cryptography instead. > > What exactly are you trying to accomplish? > -------------- next part -------------- An HTML attachment was scrubbed... URL: From expires2011 at ymail.com Wed Jan 12 20:12:05 2011 From: expires2011 at ymail.com (MFPA) Date: Wed, 12 Jan 2011 19:12:05 +0000 Subject: What is the benefit of signing an encrypted email In-Reply-To: References: <201101121708.53466.mailinglisten@hauke-laging.de> Message-ID: <985616171.20110112191205@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Wednesday 12 January 2011 at 4:13:44 PM, in , Robert J. Hansen wrote: > Show me the worth in a signed message that has any of > (a) an incorrect signature, (b) from an invalid key, or > (c) from someone you believe is utterly untrustworthy. Perhaps (b) can provide a level of assurance that the messages on a list or newsgroup from the same name actually come from the same person. - -- Best regards MFPA mailto:expires2011 at ymail.com The truth is out there. 
-----BEGIN PGP SIGNATURE----- iQCVAwUBTS39DaipC46tDG5pAQrDmgP+IDm/m6Zi34Hftb7zZpmk2V0q152/P3CW OiLhuHmu9PjlW+1H6H0Gup1qqmUFvrCRrl1gUeLxC8NxzR5/RI2vWZjpFIlWXq5q XiNw2HLFwVZazBPUOOQKYkBtIjePsxNfFrM6roduKuLjjvukJIkQYl8RjlMPx/dt sJk/eWqWEls= =GCQe -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Wed Jan 12 20:37:18 2011 From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 12 Jan 2011 14:37:18 -0500 Subject: What is the benefit of signing an encrypted email In-Reply-To: <985616171.20110112191205@my_localhost> References: <201101121708.53466.mailinglisten@hauke-laging.de> <985616171.20110112191205@my_localhost> Message-ID: <6B1CCC69-6262-4882-8A71-7615B302E5A0@jabberwocky.com> On Jan 12, 2011, at 2:12 PM, MFPA wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > Hi > > > On Wednesday 12 January 2011 at 4:13:44 PM, in > , Robert J. > Hansen wrote: > > >> Show me the worth in a signed message that has any of >> (a) an incorrect signature, (b) from an invalid key, or >> (c) from someone you believe is utterly untrustworthy. > > Perhaps (b) can provide a level of assurance that the messages on a > list or newsgroup from the same name actually come from the same > person. Or keyholder (of which there might be multiples of), but basically yes. The examples aren't really great, since "worth" isn't really easy to quantify here, and is somewhat subjective as well. The a) case is the only one where a message with no signature and one with an incorrect signature are effectively the same thing: an unsigned message. David From rjh at sixdemonbag.org Wed Jan 12 22:09:13 2011 From: rjh at sixdemonbag.org (Robert J. 
Hansen) Date: Wed, 12 Jan 2011 16:09:13 -0500 Subject: What is the benefit of signing an encrypted email In-Reply-To: <4D2DD5C3.1080101@fifthhorseman.net> References: <201101121708.53466.mailinglisten@hauke-laging.de> <4D2DD5C3.1080101@fifthhorseman.net> Message-ID: <4D2E1879.9020304@sixdemonbag.org> On 1/12/2011 11:24 AM, Daniel Kahn Gillmor wrote: > "look -- here is Mr. X claiming that he is going to poison the > reservoir. Please take this seriously, and note that it could only have > come from Mr. X because it is signed with his key." Mr. X has a conspirator, Ms. Y. Mr. X deliberately avoids installing an OS patch so that Ms. Y can pwn the box. Now that you've made this accusation against Mr. X, Mr. X reveals "hey, my box was cracked! I've been rooted and I've been sending out signed emails without my knowledge! How /dare/ you impugn me without having all the facts!" Or, a less contrived example: imagine that Mr. X is a stockbroker. He conspires with Ms. Y to pwn the box. You receive a signed message from Mr. X saying, "I want to buy 1000 shares of Yoyodyne from you at $10/share." On the basis of this, you send him 1000 shares. Yoyodyne immediately tanks. A week later Mr. X returns. "Hi, I was off in Bali on a beach sipping mai tais. Anything interesting happen while I was gone? What the heck? My box got pwn3d! I didn't place that order! Ack! I'm so sorry about this. Here, take your 1000 shares back, and I'll take my $10,000 back." (Of course, if Yoyodyne had gone up in value, Mr. X would not have repudiated the signature.) OpenPGP's nonrepudiability is largely a myth. I have never seen it tested in court. Given the fragility of our computer systems and how easily they're compromised, I think it's worthwhile to be very skeptical of any analysis that's predicated on nonrepudiability. 
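Added example (not part of any list message, and not GnuPG code): the thread's point that a signature protects only the signed bytes of an individual message, so a signed reply can be replayed into another context, shown with a toy RSA signature standing in for OpenPGP. The key, the sample messages and the helpers bind_context, accept_plain and accept_bound are constructed for this illustration.

```python
import hashlib

# Toy RSA key built from two known Mersenne primes, standing in for an OpenPGP
# signing key so the example runs offline. Unpadded and far too small for real
# use; it only has to behave like "sign with private key, verify with public".
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes) -> int:
    return pow(_digest(data), D, N)


def verify(data: bytes, sig: int) -> bool:
    return pow(sig, E, N) == _digest(data)


def bind_context(body: bytes, context: dict) -> bytes:
    """Hypothetical helper: serialize the context fields in sorted order in
    front of the body, so that one signature covers both."""
    lines = []
    for key in sorted(context):
        value = str(context[key])
        # Single-line fields only, so the blank line below is an unambiguous
        # separator between context and body.
        if "\n" in key or ":" in key or "\n" in value:
            raise ValueError("context fields must be single-line")
        lines.append(f"{key}: {value}\n")
    return "".join(lines).encode() + b"\n" + body


def accept_plain(body: bytes, sig: int) -> bool:
    """Recipient's check when only the body was signed."""
    return verify(body, sig)


def accept_bound(body: bytes, sig: int, observed_context: dict) -> bool:
    """Recipient's check when the sender signed bind_context(body, context):
    the signed bytes are rebuilt from the context the recipient actually sees."""
    return verify(bind_context(body, observed_context), sig)


# Constructed sample data: a short, context-dependent reply and two contexts.
BODY = b"Yes, I agree. Please go ahead.\n"
ORIGINAL = {"to": "alice@example.org",
            "in-reply-to": "<lunch-123@example.org>",
            "date": "2011-01-12"}
REPLAYED = {"to": "bob@example.org",
            "in-reply-to": "<contract-456@example.org>",
            "date": "2011-02-01"}


def demo() -> dict:
    plain_sig = sign(BODY)                           # body-only signature
    bound_sig = sign(bind_context(BODY, ORIGINAL))   # body plus context
    return {
        "tampered body detected":
            not verify(BODY + b"PS: and the rest too.\n", plain_sig),
        "body-only signature still verifies after replay":
            accept_plain(BODY, plain_sig),
        "bound signature verifies in original context":
            accept_bound(BODY, bound_sig, ORIGINAL),
        "bound signature rejected in replayed context":
            not accept_bound(BODY, bound_sig, REPLAYED),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Binding context only narrows replay; it does nothing for the other failure described in the thread, a compromised machine producing valid signatures on the owner's behalf.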
From angelv64 at wanadoo.es Wed Jan 12 22:44:29 2011 From: angelv64 at wanadoo.es (Angel Vicente) Date: Wed, 12 Jan 2011 22:44:29 +0100 Subject: GnuPG in cybercafe Message-ID: <20110112214429.GA4348@angel.dominio.angel> Hello all.... I'm very new to GPG. I've been a Debian user for some years, but I have had nothing to do with GPG until now. I think I understand the main flow and uses of GPG, but I have a doubt: suppose a group of friends want to sign and/or cypher their email and files. Almost all of them are Windows users, and all have email accounts with Google, Yahoo, MSN, etc. I think I could teach them to use Thunderbird+Enigmail or other..., but there is one who hasn't got a PC or laptop or anything, so he uses PCs in cybercafes or public libraries. Well, what about some portable apps on USB? Answer: perhaps that could be a good idea, but what about keyloggers on public computers? I'm worried about this. I've tried Neo Safekeys, but it seems it doesn't work with pinentry from GPG4Win, so what can we do? Is there a solution for using GPG on public PCs and for possible keyloggers at the same time? Best regards and thanks in advance From bo.berglund at gmail.com Wed Jan 12 23:58:04 2011 From: bo.berglund at gmail.com (Bo Berglund) Date: Wed, 12 Jan 2011 23:58:04 +0100 Subject: Organizing GPA public key list into favourites groups???? References: <8a1pi6hu1vbv9rj5tjer32krekf13oivpi@4ax.com> <201101111744.49324.mailinglisten__4906.50944780118$1294764361$gmane$org@hauke-laging.de> <8739oz1c2b.fsf__37102.1340637983$1294773989$gmane$org@vigenere.g10code.de> <16cpi6d7lbr28h3eojah2katmua07l3c4b__6755.88251692734$1294775093$gmane$org@4ax.com> Message-ID: <72csi61rno4nfa7rmdf6hn6lb9olokit72@4ax.com> On Tue, 11 Jan 2011 23:12:48 +0100, Bo Berglund wrote: Seems like no one can answer this question....
Summary: If I add a group definition in the configuration file of GPG, either through the GPA "Edit/Backend preferences" or by directly editing the conf file, how can I then use that group name to specify for whom the file should be encrypted? I am using the GPA application that comes with Gpg4Win 2.0.3 to do my GPG tasks. I am using Windows 7 X64 Professional. What I want to do is to encrypt a specific file before sending it as an attachment in an email. I need to encrypt it several times a week after it has been revised because it is a live specification document and it is very tedious to always sift through the long list of keys to select the keys for the development team members... A group would have made life so much easier. Is there any other way to encrypt a file than using GPA? -- Bo Berglund Developer in Sweden From bo.berglund at gmail.com Thu Jan 13 00:42:22 2011 From: bo.berglund at gmail.com (Bo Berglund) Date: Thu, 13 Jan 2011 00:42:22 +0100 Subject: Organizing GPA public key list into favourites groups???? References: <201101111744.49324.mailinglisten__4906.50944780118$1294764361$gmane$org@hauke-laging.de> <8739oz1c2b.fsf__37102.1340637983$1294773989$gmane$org@vigenere.g10code.de> <16cpi6d7lbr28h3eojah2katmua07l3c4b__6755.88251692734$1294775093$gmane$org@4ax.com> <72csi61rno4nfa7rmdf6hn6lb9olokit72__16338.6833425195$1294873158$gmane$org@4ax.com> Message-ID: On Wed, 12 Jan 2011 23:58:04 +0100, Bo Berglund wrote: >On Tue, 11 Jan 2011 23:12:48 +0100, Bo Berglund > wrote: > >What I want to do is to encrypt a specific file before sending it as >an attachment in an email. I need to encrypt it several times a week >after it has been revised because it is a live specification document >and it is very tedious to always sift through the long list of keys to >select the keys for the development team members... >A group would have made life so much easier. > >Is there any other way to encrypt a file than using GPA? 
Well, I created a batch file with the command: gpg -r --encrypt When I execute this batch file it actually does what I need provided that the file is not open in MS Word. If it is then there is a very strange error message about an illegal argument... Funnily, if I use PGA to encrypt the doc file while MSWord has it open, then encryption works just fine. Is there a gpg option to open the file in read-only mode such that I don't get this error? -- Bo Berglund Developer in Sweden From rjh at sixdemonbag.org Thu Jan 13 04:54:25 2011 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 12 Jan 2011 22:54:25 -0500 Subject: Prosecution based on memory forensics Message-ID: When you close a laptop, Windows (or Mac OS X, or Linux, or what-have-you) takes a snapshot of memory contents and writes it to disk. This can be a really big problem, since encryption keys, passphrases, and so forth are written out in the process. For instance, if you have gpg-agent set up to cache your passphrase, your passphrase will probably be written to the hibernation file, unless the GnuPG devs have taken heroic measures to prevent this. Last year we saw the first prosecution based on evidence recovered from a hibernation file. The case is now over: Rajib K. Mitra has been convicted of eight counts of possession of child pornography and two counts of sexual exploitation of a child, according to the detective who was handling the case. This is not something new: many people have been warning about hibernation files for years. However, there are always people who will refuse to believe it until it's demonstrated in the real world. That time is now. From dshaw at jabberwocky.com Thu Jan 13 05:29:12 2011 From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 12 Jan 2011 23:29:12 -0500 Subject: Prosecution based on memory forensics In-Reply-To: References: Message-ID: <7E07EF86-2921-4514-A207-462E33075524@jabberwocky.com> On Jan 12, 2011, at 10:54 PM, Robert J. 
Hansen wrote: > When you close a laptop, Windows (or Mac OS X, or Linux, or what-have-you) takes a snapshot of memory contents and writes it to disk. This can be a really big problem, since encryption keys, passphrases, and so forth are written out in the process. For instance, if you have gpg-agent set up to cache your passphrase, your passphrase will probably be written to the hibernation file, unless the GnuPG devs have taken heroic measures to prevent this. We've taken some measures, but they are not infallible (it's hard for them to be infallible since hibernation can happen at a layer below us - and we don't necessarily get any notification in userspace that we're about to be suspended). In short, don't count on GnuPG alone to save you here. The manual mentions this: Note also that some systems (especially laptops) have the ability to ``suspend to disk'' (also known as ``safe sleep'' or ``hibernate''). This writes all memory to disk before going into a low power or even powered off mode. Unless measures are taken in the operating system to protect the saved memory, passphrases or other sensitive material may be recoverable from it later. So GnuPG can't do this alone, but there are ways to configure GnuPG alongside other packages and/or the OS to be safe(r) here. For example, if you can arrange to run some commands as you are hibernating, you could get gpg-agent to dump its passphrase, etc. This is similar in many ways to the old "key material ending up in swap" problem, though that was considerably easier to deal with since userspace had the necessary tools so GnuPG could handle the whole problem by itself. 
David From freejack at is-not-my.name Thu Jan 13 11:22:29 2011 From: freejack at is-not-my.name (freejack at is-not-my.name) Date: Thu, 13 Jan 2011 10:22:29 -0000 Subject: Prosecution based on memory forensics References: Message-ID: <20110113102229.qmnttg@is-not-my.name> > When you close a laptop, Windows (or Mac OS X, or Linux, or what-have-you) > takes a snapshot of memory contents and writes it to disk. This can be a > really big problem, since encryption keys, passphrases, and so forth are > written out in the process. For instance, if you have gpg-agent set up to > cache your passphrase, your passphrase will probably be written to the > hibernation file, unless the GnuPG devs have taken heroic measures to > prevent this. This is an OS feature, not a hardware feature. Turn off hibernation. Encrypt your swap file(s) or for Windows, go to system options and turn off swap and reboot in safe mode, defrag your disk and delete any remaining swap file. Better yet, uninstall Windows and set up a nice Linux or BSD! Encrypted swap on Linux and BSD is trivial to set up and works a treat! P.S. Robert, how about trimming your line lengths! From wk at gnupg.org Thu Jan 13 11:39:34 2011 From: wk at gnupg.org (Werner Koch) Date: Thu, 13 Jan 2011 11:39:34 +0100 Subject: Prosecution based on memory forensics In-Reply-To: <7E07EF86-2921-4514-A207-462E33075524@jabberwocky.com> (David Shaw's message of "Wed, 12 Jan 2011 23:29:12 -0500") References: <7E07EF86-2921-4514-A207-462E33075524@jabberwocky.com> Message-ID: <87tyhdw0ih.fsf@vigenere.g10code.de> On Thu, 13 Jan 2011 05:29, dshaw at jabberwocky.com said: > So GnuPG can't do this alone, but there are ways to configure GnuPG alongside other packages and/or the OS to be safe(r) here. For example, if you can arrange to run some commands as you are hibernating, you could get gpg-agent to dump its passphrase, etc. Things would be easier to handle if the OS would send a special signal to all processes before hibernating. 
However there are all kind of timing and priority problems with that. Thus the only working solution is to list all running gpg-agents in /etc/rc.suspend and send them a SIGHUP. Unfortunately SIGHUP also re-reads the config files and that may take up additional time and access the hard disk again. Another signal would be better but I fear that there is no other standard signal available. SIGUSR1 is used to dump internal information for debugging and SIGUSR2 is used for internal purposes. gpg-connect-agent could be used to clear the caches; however that is also a heavy command as it requires some IPC which might be subject to blocking and timeouts. Regarding the cached passphrases: 2.1 keeps all cached data encrypted - but as usual the encryption key is stored in RAM as well. If the hardware would provide a small memory area which gets cleared when entering hibernation mode, the cached data would automagically be safe. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From nils.faerber at kernelconcepts.de Thu Jan 13 11:50:20 2011 From: nils.faerber at kernelconcepts.de (Nils Faerber) Date: Thu, 13 Jan 2011 11:50:20 +0100 Subject: Prosecution based on memory forensics In-Reply-To: <87tyhdw0ih.fsf@vigenere.g10code.de> References: <7E07EF86-2921-4514-A207-462E33075524@jabberwocky.com> <87tyhdw0ih.fsf@vigenere.g10code.de> Message-ID: <4D2ED8EC.4070704@kernelconcepts.de> Am 13.01.2011 11:39, schrieb Werner Koch: > On Thu, 13 Jan 2011 05:29, dshaw at jabberwocky.com said: > >> So GnuPG can't do this alone, but there are ways to configure GnuPG alongside other packages and/or the OS to be safe(r) here. For example, if you can arrange to run some commands as you are hibernating, you could get gpg-agent to dump its passphrase, etc. > > Things would be easier to handle if the OS would send a special signal > to all processes before hibernating. However there are all kind of > timing and priority problems with that. 
Thus the only working solution > is to list all running gpg-agents in /etc/rc.suspend and send them a > SIGHUP. Unfortunately SIGHUP also re-reads the config files and that > may take up additional time and access the hard disk again. Another > signal would be better but I fear that there is no other standard signal > available. SIGUSR1 is used to dump internal information for debugging > and SIGUSR2 is used for internal purposes. > > gpg-connect-agent could be used to clear the caches; however that is > also a heavy command as it requires some IPC which might be subject to > blocking and timeouts. > > Regarding the cached passphrases: 2.1 keeps all cached data encrypted - > but as usual the encryption key is stored in RAM as well. If the > hardware would provide a small memory area which gets cleared when > entering hibernation mode, the cached data would automagically be safe. Well... I am not a security/crypto hacker but a kernel hacker. And from a kernel hacker's perspective this could be easy to solve! I could write a very simple driver which provides a mmap()able memory area which the application can use, protected by the kernel, and which will be automatically cleared upon suspend. Would that solve the problem? How much memory are we talking about here? Bytes? Kbytes? Or Mbytes? This would of course not be portable, i.e. it would only work in Linux. > Shalom-Salam, > Werner Cheers nils -- kernel concepts GbR Tel: +49-271-771091-12 Sieghuetter Hauptweg 48 D-57072 Siegen Mob: +49-176-21024535 http://www.kernelconcepts.de From johanw at vulcan.xs4all.nl Thu Jan 13 12:23:41 2011 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Thu, 13 Jan 2011 12:23:41 +0100 Subject: Prosecution based on memory forensics In-Reply-To: <20110113102229.qmnttg@is-not-my.name> References: <20110113102229.qmnttg@is-not-my.name> Message-ID: <4D2EE0BD.6090301@vulcan.xs4all.nl> On 13-01-2011 11:22, freejack at is-not-my.name wrote: > This is an OS feature, not a hardware feature. 
Turn off hibernation. Encrypt > your swap file(s) or for Windows, go to system options and turn off swap and > reboot in safe mode, defrag your disk and delete any remaining swap file. For Windows, TrueCrypt has a free open source solution to this in the form of system encryption. -- Met vriendelijke groet, Johan Wevers From gollo at fsfe.org Thu Jan 13 12:23:44 2011 From: gollo at fsfe.org (Martin Gollowitzer) Date: Thu, 13 Jan 2011 12:23:44 +0100 Subject: Prosecution based on memory forensics In-Reply-To: <20110113102229.qmnttg@is-not-my.name> References: <20110113102229.qmnttg@is-not-my.name> Message-ID: <20110113112344.GA20755@wingback.gollo.at> * freejack at is-not-my.name [110113 11:35]: > P.S. Robert, how about trimming your line lengths! Apple Mail sucks at this ;) Martin -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4120 bytes Desc: not available URL: From free10pro at gmail.com Thu Jan 13 12:30:23 2011 From: free10pro at gmail.com (Paul Richard Ramer) Date: Thu, 13 Jan 2011 03:30:23 -0800 Subject: Organizing GPA public key list into favourites groups???? In-Reply-To: References: <8a1pi6hu1vbv9rj5tjer32krekf13oivpi@4ax.com> <201101111744.49324.mailinglisten__4906.50944780118$1294764361$gmane$org@hauke-laging.de> <8739oz1c2b.fsf__37102.1340637983$1294773989$gmane$org@vigenere.g10code.de> <16cpi6d7lbr28h3eojah2katmua07l3c4b__6755.88251692734$1294775093$gmane$org@4ax.com> Message-ID: <4D2EE24F.5080906@gmail.com> On 01/11/2011 02:12 PM, Bo Berglund wrote: > What I did next was to locate the gpg.conf file in AppData in my > profile (I am running Windows7 X64). > Here I found a text part where it looked like one could add a group > specification. > > So I went ahead and added this line: > group developers = 0xDBC3175B 0x9209B308 0x8A51A0EE The entry you made is syntactically correct. 
> If I use GPA to encrypt a file, what happens is exactly like before, I > get the unwieldy (not even sorted by name) list of recipients public > keys to select from and nowhere at all is there any sight of my > developers group! :-( > Try clicking on the heading "User Name". That will make GPA sort by name rather than key ID. > Is there some other application that can be used to encrypt a file > with GPG which actually works in Windows 7 X64 and also shows the > group? I don't know, I don't use Windows. But check out the list of frontends for GnuPG at . > Finally, is it possible to have more than one group in GPG? > If so what is the syntax in the conf file? > Can there be more than one line starting with group? Yes, you can have more than one group in GPG, and each group entry begins with "group some_name=some_identifier" (without the quotation marks, of course). The GPG man page gives the following explanation: --group name=value1 Sets up a named group, which is similar to aliases in email programs. Any time the group name is a recipient (-r or --recipient), it will be expanded to the values specified. Multiple groups with the same name are automatically merged into a single group. The values are key IDs or fingerprints, but any key description is accepted. Note that a value with spaces in it will be treated as two different values. Note also there is only one level of expansion --- you cannot make an group that points to another group. When used from the command line, it may be necessary to quote the argument to this option to prevent the shell from treating it as multiple arguments. Cheers, -Paul -- Please use my PGP key when sending me e-mail, if you can. PGP Key ID: 0x3DB6D884 PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884 From free10pro at gmail.com Thu Jan 13 12:35:56 2011 From: free10pro at gmail.com (Paul Richard Ramer) Date: Thu, 13 Jan 2011 03:35:56 -0800 Subject: Organizing GPA public key list into favourites groups????
In-Reply-To: <72csi61rno4nfa7rmdf6hn6lb9olokit72@4ax.com>
References: <8a1pi6hu1vbv9rj5tjer32krekf13oivpi@4ax.com>
 <201101111744.49324.mailinglisten__4906.50944780118$1294764361$gmane$org@hauke-laging.de>
 <8739oz1c2b.fsf__37102.1340637983$1294773989$gmane$org@vigenere.g10code.de>
 <16cpi6d7lbr28h3eojah2katmua07l3c4b__6755.88251692734$1294775093$gmane$org@4ax.com>
 <72csi61rno4nfa7rmdf6hn6lb9olokit72@4ax.com>
Message-ID: <4D2EE39C.6030205@gmail.com>

On 01/12/2011 02:58 PM, Bo Berglund wrote:
> On Tue, 11 Jan 2011 23:12:48 +0100, Bo Berglund
> wrote:
>
> Seems like no one can answer this question....

Cheer up. :-) Sometimes it can take a few days before someone can get
you the answer that you need.

> What I want to do is to encrypt a specific file before sending it as
> an attachment in an email. I need to encrypt it several times a week
> after it has been revised because it is a live specification document
> and it is very tedious to always sift through the long list of keys to
> select the keys for the development team members...
> A group would have made life so much easier.

What you want to do is easy with the command line, but I don't know
about how to do it with GPA.

-Paul

-- 
Please use my PGP key when sending me e-mail, if you can.
PGP Key ID: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884

From free10pro at gmail.com  Thu Jan 13 12:38:24 2011
From: free10pro at gmail.com (Paul Richard Ramer)
Date: Thu, 13 Jan 2011 03:38:24 -0800
Subject: Organizing GPA public key list into favourites groups????
In-Reply-To: 
References: <201101111744.49324.mailinglisten__4906.50944780118$1294764361$gmane$org@hauke-laging.de>
 <8739oz1c2b.fsf__37102.1340637983$1294773989$gmane$org@vigenere.g10code.de>
 <16cpi6d7lbr28h3eojah2katmua07l3c4b__6755.88251692734$1294775093$gmane$org@4ax.com>
 <72csi61rno4nfa7rmdf6hn6lb9olokit72__16338.6833425195$1294873158$gmane$org@4ax.com>
Message-ID: <4D2EE430.7090707@gmail.com>

On 01/12/2011 03:42 PM, Bo Berglund wrote:
> Well, I created a batch file with the command:
>
> gpg -r --encrypt
>
> When I execute this batch file it actually does what I need provided
> that the file is not open in MS Word. If it is then there is a very
> strange error message about an illegal argument...
>
> Funnily, if I use GPA to encrypt the doc file while MSWord has it
> open, then encryption works just fine.
> Is there a gpg option to open the file in read-only mode such that I
> don't get this error?

Could you give us the error message? It may help someone figure out
what the issue is.

-Paul

-- 
Please use my PGP key when sending me e-mail, if you can.
PGP Key ID: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884

From bo.berglund at gmail.com  Thu Jan 13 14:43:35 2011
From: bo.berglund at gmail.com (Bo Berglund)
Date: Thu, 13 Jan 2011 14:43:35 +0100
Subject: Organizing GPA public key list into favourites groups????
References: <8a1pi6hu1vbv9rj5tjer32krekf13oivpi@4ax.com>
 <201101111744.49324.mailinglisten__4906.50944780118$1294764361$gmane$org@hauke-laging.de>
 <8739oz1c2b.fsf__37102.1340637983$1294773989$gmane$org@vigenere.g10code.de>
 <16cpi6d7lbr28h3eojah2katmua07l3c4b__6755.88251692734$1294775093$gmane$org@4ax.com>
 <4D2EE24F.5080906__37682.8778455549$1294918289$gmane$org@gmail.com>
Message-ID: <440ui611p28jv54gj6g2p1l0rmjt38bq98@4ax.com>

On Thu, 13 Jan 2011 03:30:23 -0800, Paul Richard Ramer wrote:

>On 01/11/2011 02:12 PM, Bo Berglund wrote:
>Try clicking on the heading "User Name". That will make GPA sort by
>name rather than key ID.
I am doing that but since the names of my associates are not
alphabetically adjacent, it doesn't help a lot...

>> Is there some other application that can be used to encrypt a file
>> with GPG which actually works in Windows 7 X64 and also shows the
>> group?
>
>I don't know, I don't use Windows. But check out the list of frontends
>for GnuPG at .

Link is broken. This is the correct one:
http://www.gnupg.org/related_software/frontends.html

For now I have reverted to a batch file which I can just doubleclick
and it will encrypt the specific document to the group.
The remaining problem I have now is that I have to remember to close
MSWord so it does not have the document file open before I use the
batch file. Otherwise gpg will not be able to encrypt the file,
instead it gives a very strange error message.

-- 
Bo Berglund
Developer in Sweden

From bo.berglund at gmail.com  Thu Jan 13 14:54:00 2011
From: bo.berglund at gmail.com (Bo Berglund)
Date: Thu, 13 Jan 2011 14:54:00 +0100
Subject: Organizing GPA public key list into favourites groups????
References: <8739oz1c2b.fsf__37102.1340637983$1294773989$gmane$org@vigenere.g10code.de>
 <16cpi6d7lbr28h3eojah2katmua07l3c4b__6755.88251692734$1294775093$gmane$org@4ax.com>
 <72csi61rno4nfa7rmdf6hn6lb9olokit72@4ax.com>
 <4D2EE39C.6030205__27458.0889418305$1294918622$gmane$org@gmail.com>
Message-ID: 

On Thu, 13 Jan 2011 03:35:56 -0800, Paul Richard Ramer wrote:

>On 01/12/2011 02:58 PM, Bo Berglund wrote:
>> On Tue, 11 Jan 2011 23:12:48 +0100, Bo Berglund
>> wrote:
>> >
>> What I want to do is to encrypt a specific file before sending it as
>> an attachment in an email. I need to encrypt it several times a week
>> after it has been revised because it is a live specification document
>> and it is very tedious to always sift through the long list of keys to
>> select the keys for the development team members...
>> A group would have made life so much easier.
>
>What you want to do is easy with the command line, but I don't know
>about how to do it with GPA.

That is precisely my point, GPA seems totally unaware of key groups...
In addition Win7X64 does not let any of the GPG tools integrate with
Windows Explorer so there is no right-click functionality available :(

Anyway I have managed to put together a batch file with the commands I
need for the particular file I work on. So now I encrypt by running
this batch file. The command in the batch file uses the group notation
for recipients.

-- 
Bo Berglund
Developer in Sweden

From wk at gnupg.org  Thu Jan 13 15:00:03 2011
From: wk at gnupg.org (Werner Koch)
Date: Thu, 13 Jan 2011 15:00:03 +0100
Subject: Prosecution based on memory forensics
In-Reply-To: <4D2EE0BD.6090301@vulcan.xs4all.nl> (Johan Wevers's message of
 "Thu, 13 Jan 2011 12:23:41 +0100")
References: <20110113102229.qmnttg@is-not-my.name>
 <4D2EE0BD.6090301@vulcan.xs4all.nl>
Message-ID: <87lj2ox5ss.fsf@vigenere.g10code.de>

On Thu, 13 Jan 2011 12:23, johanw at vulcan.xs4all.nl said:

> For Windows, TrueCrypt has a free open source solution to this in the
> form of system encryption.

Does not help. Despite that we talked about hibernation, most users
don't use S4 (Suspend-to-Disk) but the system goes into S3
(Suspend-to-RAM) when you close the lid. Better systems then proceed to
S4 only when the battery gets too low.

Reading out a powered RAM (S3) might be complicated for the home user
but not for a lab.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
From david at systemoverlord.com  Thu Jan 13 16:40:42 2011
From: david at systemoverlord.com (David Tomaschik)
Date: Thu, 13 Jan 2011 10:40:42 -0500
Subject: Prosecution based on memory forensics
In-Reply-To: <87lj2ox5ss.fsf@vigenere.g10code.de>
References: <20110113102229.qmnttg@is-not-my.name>
 <4D2EE0BD.6090301@vulcan.xs4all.nl>
 <87lj2ox5ss.fsf@vigenere.g10code.de>
Message-ID: 

On Thu, Jan 13, 2011 at 9:00 AM, Werner Koch wrote:

> On Thu, 13 Jan 2011 12:23, johanw at vulcan.xs4all.nl said:
>
> > For Windows, TrueCrypt has a free open source solution to this in the
> > form of system encryption.
>
> Does not help. Despite that we talked about hibernation, most users
> don't use S4 (Suspend-to-Disk) but the system goes into S3
> (Suspend-to-RAM) when you close the lid. Better systems then proceed to
> S4 only when the battery gets too low.
>
> Reading out a powered RAM (S3) might be complicated for the home user
> but not for a lab.
>
>
> Shalom-Salam,
>
>    Werner
>
>

As usual, it all depends on your threat model. If you're really paranoid,
don't use gpg-agent. :)

-- 
David Tomaschik, RHCE, LPIC-1
GNU/Linux System Architect
GPG: 0x5DEA789B
david at systemoverlord.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From mwood at IUPUI.Edu  Thu Jan 13 16:23:01 2011
From: mwood at IUPUI.Edu (Mark H. Wood)
Date: Thu, 13 Jan 2011 10:23:01 -0500
Subject: What is the benefit of signing an encrypted email
In-Reply-To: <4D2DDA80.3060104@fifthhorseman.net>
References: <4D2DD3B4.50708@fifthhorseman.net>
 <201101121739.00627.mailinglisten@hauke-laging.de>
 <4D2DDA80.3060104@fifthhorseman.net>
Message-ID: <20110113152301.GB24618@IUPUI.Edu>

Better not to send unconsidered emails at all. One of the reasons I
often prefer email to a telephone conversation is the opportunity to
read what I have written, tighten up the language and logic, and do
research to support my claims or check my knowledge.
Even so, I discard a lot of the emails that I write, having realized
that they aren't worth sending. I try never to send a message I would
dislike to have signed.

Defaulting to an explicit choice to sign does however seem to be the
best design. People who think about what they are doing can override
it, and people who don't think about what they are doing will at least
confront the opportunity to think before doing one thing they may rue.

-- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Asking whether markets are efficient is like asking whether people are smart.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: 

From mwood at IUPUI.Edu  Thu Jan 13 16:06:47 2011
From: mwood at IUPUI.Edu (Mark H. Wood)
Date: Thu, 13 Jan 2011 10:06:47 -0500
Subject: What is the benefit of signing an encrypted email
In-Reply-To: <201101121708.53466.mailinglisten@hauke-laging.de>
References: <201101121708.53466.mailinglisten@hauke-laging.de>
Message-ID: <20110113150647.GA24618@IUPUI.Edu>

On Wed, Jan 12, 2011 at 05:08:53PM +0100, Hauke Laging wrote:
> On Wednesday 12 January 2011 16:57:27, Robert J. Hansen wrote:
[snip]
> > Speaking for Enigmail, it's because 99% of the time signatures are
> > worthless. They contribute to the illusion of data integrity while
> > actually providing no guarantees.
>
> You mix up the (current - key validation can be done after the communication,
> too) absence of a guarantee with being worthless.

Well, guarantees are worth more than suggestions, but suggestions can
be worth something too. The problem comes from paying attention to
illusions rather than interpreting the evidence as it is.

-- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Asking whether markets are efficient is like asking whether people are smart.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: 

From wk at gnupg.org  Thu Jan 13 17:08:57 2011
From: wk at gnupg.org (Werner Koch)
Date: Thu, 13 Jan 2011 17:08:57 +0100
Subject: [Announce] GnuPG 2.0.17 released
Message-ID: <87hbdcwzty.fsf@vigenere.g10code.de>

Hello!

We are pleased to announce the availability of a new stable GnuPG-2
release: Version 2.0.17.

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication
and data storage. It can be used to encrypt data, create digital
signatures, help authenticating using Secure Shell and to provide a
framework for public key cryptography. It includes an advanced key
management facility and is compliant with the OpenPGP and S/MIME
standards.

GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.11) in
that it splits up functionality into several modules. However, both
versions may be installed alongside without any conflict. In fact,
the gpg version from GnuPG-1 is able to make use of the gpg-agent as
included in GnuPG-2 and allows for seamless passphrase caching. The
advantage of GnuPG-1 is its smaller size and the lack of dependency on
other modules at run and build time. We will keep maintaining GnuPG-1
versions because they are very useful for small systems and for server
based applications requiring only OpenPGP support.

GnuPG is distributed under the terms of the GNU General Public License
(GPL version 3). GnuPG-2 works best on GNU/Linux or *BSD systems.


What's New
===========

 * Allow more hash algorithms with the OpenPGP v2 card.

 * The gpg-agent now tests for a new gpg-agent.conf on a HUP.

 * Fixed output of "gpgconf --check-options".

 * Fixed a bug where Scdaemon sends a signal to Gpg-agent running in
   non-daemon mode.

 * Fixed TTY management for pinentries and session variable update
   problem.

 * Minor bug fixes.
Getting the Software
====================

Please follow the instructions found at http://www.gnupg.org/download/
or read on:

GnuPG 2.0.17 may be downloaded from one of the GnuPG mirror sites or
direct from ftp://ftp.gnupg.org/gcrypt/gnupg/ . The list of mirrors
can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG
is not available at ftp.gnu.org.

On the FTP server and its mirrors you should find the following files
in the gnupg/ directory:

  gnupg-2.0.17.tar.bz2 (3904k)
  gnupg-2.0.17.tar.bz2.sig

      GnuPG source compressed using BZIP2 and OpenPGP signature.

  gnupg-2.0.16-2.0.17.diff.bz2 (75k)

      A patch file to upgrade a 2.0.16 GnuPG source tree. This patch
      does not include updates of the language files.

Note, that we don't distribute gzip compressed tarballs for GnuPG-2.


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a trusted version of GnuPG installed, you
   can simply check the supplied signature. For example to check the
   signature of the file gnupg-2.0.17.tar.bz2 you would use this command:

     gpg --verify gnupg-2.0.17.tar.bz2.sig

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by that signing key. Make sure that you have the right key,
   either by checking the fingerprint of that key with other sources
   or by checking that the key has been signed by a trustworthy other
   key. Note, that you can retrieve the signing key using the command

     finger wk ,at' g10code.com

   or using a keyserver like

     gpg --keyserver keys.gnupg.net --recv-key 4F25E3B6

   The distribution key 4F25E3B6 is signed by the well known key
   1E42B367.

   NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE
   INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!
 * If you are not able to use an old version of GnuPG, you have to verify
   the SHA-1 checksum. Assuming you downloaded the file
   gnupg-2.0.17.tar.bz2, you would run the sha1sum command like this:

     sha1sum gnupg-2.0.17.tar.bz2

   and check that the output matches the first line from the
   following list:

41ef5460417ca0a1131fc730849fe3afd49ad2de  gnupg-2.0.17.tar.bz2
ba49d5ab2659bfe6403d52df58722f439e393bbb  gnupg-2.0.16-2.0.17.diff.bz2


Internationalization
====================

GnuPG comes with support for 27 languages. Due to a lot of new and
changed strings many translations are not entirely complete. Jakub
Bogusz, Petr Pisar, Jedi and Daniel Nylander have been kind enough to
update their translations on short notice. Thus the Chinese, Czech,
German, Polish and Swedish translations are complete.


Documentation
=============

We are currently working on an installation guide to explain in more
detail how to configure the new features. As of now the chapters on
gpg-agent and gpgsm include brief information on how to set up the
whole thing. Please watch the GnuPG website for updates of the
documentation. In the meantime you may search the GnuPG mailing list
archives or ask on the gnupg-users mailing lists for advice on how to
solve problems. Many of the new features are around for several years
and thus enough public knowledge is already available. KDE's KMail is
the most prominent user of GnuPG-2. In fact it has been developed
along with the KMail folks. Mutt users might want to use the configure
option "--enable-gpgme" and "set use_crypt_gpgme" in ~/.muttrc to make
use of GnuPG-2 to enable S/MIME in addition to a reworked OpenPGP
support.

The manual is also available online in HTML format at
http://www.gnupg.org/documentation/manuals/gnupg/
and in Portable Document Format at
http://www.gnupg.org/documentation/manuals/gnupg.pdf .


Support
=======

Improving GnuPG is costly, but you can help! We are looking for
organizations that find GnuPG useful and wish to contribute back.
You can contribute by reporting bugs, improve the software, order
extensions or support or more general by donating money to the Free
Software movement (e.g. http://www.fsfeurope.org/help/donate.en.html).

Commercial support contracts for GnuPG are available, and they help
finance continued maintenance. g10 Code GmbH, a Duesseldorf based
company owned and headed by GnuPG's principal author, is currently
funding GnuPG development. We are always looking for interesting
development projects.

The GnuPG service directory is available at:

  http://www.gnupg.org/service.html


Thanks
======

We have to thank all the people who helped with this release, be it
testing, coding, translating, suggesting, auditing, administering the
servers, spreading the word or answering questions on the mailing
lists.


Happy Hacking,

  The GnuPG Team

-- 
Thoughts are free. Exceptions are regulated by a federal law.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: 
-------------- next part --------------
_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From vedaal at nym.hush.com  Thu Jan 13 17:55:44 2011
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Thu, 13 Jan 2011 11:55:44 -0500
Subject: Prosecution based on memory forensics
Message-ID: <20110113165544.268E714DBB4@smtp.hushmail.com>

Werner Koch wk at gnupg.org wrote on
Thu Jan 13 11:39:34 CET 2011 :

"Things would be easier to handle if the OS would send a special
signal to all processes before hibernating. "

Usually, the screen saver will be activated by the OS well before
hibernation begins.
Maybe an option could be to have GnuPG clear all its processes once
the screen saver goes on, or in a user-settable time after the
screen saver is activated, i.e, 1, 3, 5, or 10 min, or custom user-set
time, with a default at 3 min.

vedaal

From bo.berglund at gmail.com  Thu Jan 13 19:11:43 2011
From: bo.berglund at gmail.com (Bo Berglund)
Date: Thu, 13 Jan 2011 19:11:43 +0100
Subject: Organizing GPA public key list into favourites groups????
References: <8739oz1c2b.fsf__37102.1340637983$1294773989$gmane$org@vigenere.g10code.de>
 <16cpi6d7lbr28h3eojah2katmua07l3c4b__6755.88251692734$1294775093$gmane$org@4ax.com>
 <72csi61rno4nfa7rmdf6hn6lb9olokit72__16338.6833425195$1294873158$gmane$org@4ax.com>
 <4D2EE430.7090707__22518.2600472637$1294918755$gmane$org@gmail.com>
Message-ID: 

On Thu, 13 Jan 2011 03:38:24 -0800, Paul Richard Ramer wrote:

>On 01/12/2011 03:42 PM, Bo Berglund wrote:
>
>Could you give us the error message? It may help someone figure out
>what the issue is.
>

Now back home and have repeated the error:
I opened the document in MSWord and then started the batch file.
The command in the batch file is (modified file name):

    gpg -r devgroup --encrypt XXX_Specification.doc

The output from gpg is:

    gpg: 0x8A51A0EE: skipped: public key already present
    gpg: can't open `XXX_Specification.doc': Invalid argument
    gpg: XXX_Specification.doc: encryption failed: Invalid argument

The first line is probably because I am part of the devgroup and my
key is also set as the default key so it will encrypt to that key
always.

The error indicates a problem for gpg to "open" the document file,
which may be understandable since MSWord is currently having the file
open.
However, GPA is able still to encrypt the file if I use that, so there
must be some gpg option or such that makes it open the file as
read-only when encrypting it. I have failed to locate that though...

And if I close the document in MSWord, then the batch command is able
to encrypt the file.
-- 
Bo Berglund
Developer in Sweden

From sindegra at gmail.com  Thu Jan 13 18:19:27 2011
From: sindegra at gmail.com (Joseph Ziff)
Date: Thu, 13 Jan 2011 12:19:27 -0500
Subject: GnuPG 2.0.17's gpgtar option
Message-ID: <4D2F341F.1070308@sindegra.com>

Good to see 2.0.17 has been released, but I am somewhat mystified by the
gpgtar option thing I saw at the end of ./configure. I have no idea what
it is. Can anyone help me with this?

-- 
Joseph Ziff , ,
This email was signed for authenticity with GnuPG version 2.0.16 with
the following key:
1826 104E 72D2 2154 BA43 C43B 755D 727D 0694 8ECC
See http://www.gnupg.org for information on state-of-the-art secure
signing and encryption software compatible with the openPGP standard.
Reclaim your right to privacy now.

From rixmann.ole at googlemail.com  Thu Jan 13 18:59:18 2011
From: rixmann.ole at googlemail.com (Ole Rixmann)
Date: Thu, 13 Jan 2011 18:59:18 +0100
Subject: parsing gpg-key block
Message-ID: <4D2F3D76.30109@googlemail.com>

Hi list,
this is my first post ;)

I need to check gpg-rsa-signatures in JavaScript and for this to happen
i have to parse key
blocks produced with
"gpg --armor --export-options export-minimal --export 0xid".
To do the checking i need the rsa-parameters (like n and g) but i have
no clue how to extract them.
With "gpg --debug-all --list-packets keyfile" i get a whole lot of stuff
and i think the parameters are in there ;)
but it doesn't look good.

So maybe someone can give me a hint?

I would also be interested in information about exactly how gpg does
signing with rsa/sha-1.

Thanks a lot,
ole
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 897 bytes
Desc: OpenPGP digital signature
URL: 

From expires2011 at ymail.com  Thu Jan 13 21:04:54 2011
From: expires2011 at ymail.com (MFPA)
Date: Thu, 13 Jan 2011 20:04:54 +0000
Subject: Organizing GPA public key list into favourites groups????
In-Reply-To: 
References: <8a1pi6hu1vbv9rj5tjer32krekf13oivpi@4ax.com>
 <201101111744.49324.mailinglisten__4906.50944780118$1294764361$gmane$org@hauke-laging.de>
 <8739oz1c2b.fsf__37102.1340637983$1294773989$gmane$org@vigenere.g10code.de>
 <16cpi6d7lbr28h3eojah2katmua07l3c4b__6755.88251692734$1294775093$gmane$org@4ax.com>
Message-ID: <926007373.20110113200454@my_localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Tuesday 11 January 2011 at 10:12:48 PM, in
, Bo Berglund wrote:

> Is there some other application that can be used to
> encrypt a file with GPG which actually works in Windows
> 7 X64 and also shows the group?

GPGshell [1] may be a possibility - with GnuPG 1.4.x, not 2.0.x.
I understand on 64-bit Windows systems the shell integration won't
work but the "GPGtools" menu provides some of the same functions.
[1] www.jumaros.de/rsoft/index.html

- --
Best regards

MFPA                    mailto:expires2011 at ymail.com

Dollar sign - An S that's been double crossed
-----BEGIN PGP SIGNATURE-----

iQCVAwUBTS9a7KipC46tDG5pAQrTjQQAoAWfYpmh8XmvjuWqO0TI6ujz0xGoNfOm
zXE+JMDFtNo2IB8MPFIQt/pnIzhpHvD8T+65Khl8O9N6FQBmqOMs63EjZpHLLQwL
oBVUbCIDvJsy/a0lczM28T3reOVSjxByI32d2Df9HtPq1d1DSN3HBc9oWMbaSH8p
3M9NTzaPFKI=
=GcTe
-----END PGP SIGNATURE-----

From bo.berglund at gmail.com  Thu Jan 13 21:33:33 2011
From: bo.berglund at gmail.com (Bo Berglund)
Date: Thu, 13 Jan 2011 21:33:33 +0100
Subject: Organizing GPA public key list into favourites groups????
References: <8a1pi6hu1vbv9rj5tjer32krekf13oivpi@4ax.com>
 <201101111744.49324.mailinglisten__4906.50944780118$1294764361$gmane$org@hauke-laging.de>
 <8739oz1c2b.fsf__37102.1340637983$1294773989$gmane$org@vigenere.g10code.de>
 <16cpi6d7lbr28h3eojah2katmua07l3c4b__6755.88251692734$1294775093$gmane$org@4ax.com>
 <926007373.20110113200454__39714.6037001677$1294949218$gmane$org@my_localhost>
Message-ID: <2boui6tfg3hasb9rde5bl90n8nkiac0jqu@4ax.com>

On Thu, 13 Jan 2011 20:04:54 +0000, MFPA wrote:

>> Is there some other application that can be used to
>> encrypt a file with GPG which actually works in Windows
>> 7 X64 and also shows the group?
>
>GPGshell [1] may be a possibility - with GnuPG 1.4.x, not 2.0.x.
>I understand on 64-bit Windows systems the shell integration won't
>work but the "GPGtools" menu provides some of the same functions.

Or writing my own program.
I don't know if GPGShell actually shows the groups defined in the
gpg.conf file anyway...

-- 
Bo Berglund
Developer in Sweden

From bo.berglund at gmail.com  Thu Jan 13 21:44:00 2011
From: bo.berglund at gmail.com (Bo Berglund)
Date: Thu, 13 Jan 2011 21:44:00 +0100
Subject: How do I list the GPG groups?
Message-ID: <4eoui69hlkummij0ic6ijdsmi3ogkb55n0@4ax.com>

I have defined a group in the gpg.conf file.
If I encrypt and use this group as recipient then it works just fine.
But if I try to list the existing groups I cannot find a command that
does that.

    gpg2 -k

this just lists the public keys on my keyring and it does not say
anything about any groups.

Is there an actual command that can be used to list the groups that
have been defined for GPG?

Or (horror!) do I have to programmatically locate the gpg.conf file
and parse it myself for the groups and their members?

Since I could not find any I am going to write a GUI program for
handling GPG that actually will work in Win7 too and which recognizes
the groups as recipient entries.... Then I will have more control
myself.
I might even do it with FPC/Lazarus to make it cross-platform.

-- 
Bo Berglund
Developer in Sweden

From dshaw at jabberwocky.com  Thu Jan 13 23:16:33 2011
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 13 Jan 2011 17:16:33 -0500
Subject: How do I list the GPG groups?
In-Reply-To: <4eoui69hlkummij0ic6ijdsmi3ogkb55n0@4ax.com>
References: <4eoui69hlkummij0ic6ijdsmi3ogkb55n0@4ax.com>
Message-ID: 

On Jan 13, 2011, at 3:44 PM, Bo Berglund wrote:

> I have defined a group in the gpg.conf file.
> If I encrypt and use this group as recipient then it works just fine.
>
> But if I try to list the existing groups I cannot find a command that
> does that.
>
> gpg2 -k
>
> this just lists the public keys on my keyring and it does not say
> anything about any groups.
>
> Is there an actual command that can be used to list the groups that
> have been defined for GPG?

    gpg --with-colons --list-config group

David

From bo.berglund at gmail.com  Thu Jan 13 23:32:13 2011
From: bo.berglund at gmail.com (Bo Berglund)
Date: Thu, 13 Jan 2011 23:32:13 +0100
Subject: How do I list the GPG groups?
References: <4eoui69hlkummij0ic6ijdsmi3ogkb55n0@4ax.com>
Message-ID: 

On Thu, 13 Jan 2011 17:16:33 -0500, David Shaw wrote:

>On Jan 13, 2011, at 3:44 PM, Bo Berglund wrote:
>
>> I have defined a group in the gpg.conf file.
>> If I encrypt and use this group as recipient then it works just fine.
>>
>> But if I try to list the existing groups I cannot find a command that
>> does that.
>>
>> gpg2 -k
>>
>> this just lists the public keys on my keyring and it does not say
>> anything about any groups.
>>
>> Is there an actual command that can be used to list the groups that
>> have been defined for GPG?
>
>gpg --with-colons --list-config group
>

Thanks, I knew there would be such a command!

Is there an on-line manual where all commands like this are listed?
I have looked at the documentation here:
http://www.gnupg.org/documentation/manuals/gnupg/
but I could not find the commands I looked for....
And of course the first command (--with-colons) is a bit, shall we say
"strange", at least not self-evident to do what I wanted.

Anyway, now I know how to list the public keys on the ring and also to
list any groups there may be. I can also split the group into its
members by comparing the hex code with the key list.
I also know how to call gpg to encrypt and to decrypt, so now I am on
my way to making my own GUI gpg program!

Thanks again.

-- 
Bo Berglund
Developer in Sweden

From dkg at fifthhorseman.net  Fri Jan 14 00:19:16 2011
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Thu, 13 Jan 2011 18:19:16 -0500
Subject: parsing gpg-key block
In-Reply-To: <4D2F3D76.30109@googlemail.com>
References: <4D2F3D76.30109@googlemail.com>
Message-ID: <4D2F8874.1050307@fifthhorseman.net>

Hi Ole--

On 01/13/2011 12:59 PM, Ole Rixmann wrote:
> this is my first post ;)

welcome!

> I need to check gpg-rsa-signatures in JavaScript and for this to happen
> i have
> to parse key blocks produced with
> "gpg --armor --export-options export-minimal --export 0xid".
> To do the checking i need the rsa-parameters (like n and g) but i have
> no clue how to extract them.
> With "gpg --debug-all --list-packets keyfile" i get a whole lot of stuff
> and i think the parameters are in there ;)
> but it doesn't look good.
>
> So maybe someone can give me a hint?
You're asking about some arcana, and your best reference for details is
probably the RFC -- the OpenPGP format itself is specified in RFC 4880:

  https://tools.ietf.org/html/rfc4880

export-minimal will usually produce nothing but:

 Public Keys:
  https://tools.ietf.org/html/rfc4880#section-5.5.2

 User IDs:
  https://tools.ietf.org/html/rfc4880#section-5.11

 and self-issued signatures:
  https://tools.ietf.org/html/rfc4880#section-5.2

There may also be subkeys (which look like primary keys, but have a
slightly different header), user Attributes (like user IDs, but jpegs
instead of strings), and direct-key signatures.

Signatures can of course have many different kinds of subpackets, which
makes robust parsing of them a bigger project. But if you just want the
RSA key material, you can ignore the signatures of course. This would
mean that you wouldn't be able to verify that the key belongs to whoever
you hope it belongs to (at least, not through OpenPGP). Only you can
say whether that tradeoff makes sense for your particular application.

> I would also be interested in information about exactly how gpg does
> signing with rsa/sha-1.

You probably want the info about "computing signatures":

  https://tools.ietf.org/html/rfc4880#section-5.2.4

hth,

	--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: 

From wk at gnupg.org  Fri Jan 14 09:27:46 2011
From: wk at gnupg.org (Werner Koch)
Date: Fri, 14 Jan 2011 09:27:46 +0100
Subject: GnuPG 2.0.17's gpgtar option
In-Reply-To: <4D2F341F.1070308@sindegra.com> (Joseph Ziff's message of "Thu,
 13 Jan 2011 12:19:27 -0500")
References: <4D2F341F.1070308@sindegra.com>
Message-ID: <871v4fx531.fsf@vigenere.g10code.de>

On Thu, 13 Jan 2011 18:19, sindegra at gmail.com said:

> Good to see 2.0.17 has been released, but I am somewhat mystified by the
> gpgtar option thing I saw at the end of ./configure.
I have no idea what
> it is. Can anyone help me with this?

For many years we have gpg-zip which is a wrapper around tar and gpg to be compatible with the pgpzip tool. Now there are many users of GnuPG on Windows boxes and they don't have this tool because there is no real shell under Windows and no tar program. However many of them want a tool to do archiving and encryption in one step.

I looked around to find a compatible tar implementation for Windows which is small enough, can be cross-built and compatible to the USTAR. Not easy, the few available tar implementations are quite complex and don't have clean code which can be modified to easily build on all platforms.

Thus I decided to look at the specs and indeed tar is not very complicated if you can leave out all the blocking code, special file handling and the precautions you need to take when restoring files. Gpgtar will only be used to feed the tarball via a pipe to gpg (or vice versa). Restoring is done to a new directory. Special files are not needed because it is for Windows and not intended as a general purpose backup device. No hardlinks, no symlinks, etc.

The current implementation works with Kleopatra (the KDE key manager) and allows to encrypt entire directory hierarchies under Windows and POSIX. Due to the way Kleopatra works, gpgtar does not currently implement piping to gpg and requires the use of the --no-crypto switch. It is part of gpg4win 2.1.

It is merely a convenience tool for those who dislike writing a small pipeline.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Fri Jan 14 09:32:17 2011
From: wk at gnupg.org (Werner Koch)
Date: Fri, 14 Jan 2011 09:32:17 +0100
Subject: Prosecution based on memory forensics
In-Reply-To: <20110113165544.268E714DBB4@smtp.hushmail.com> (vedaal@nym.hush.com's message of "Thu, 13 Jan 2011 11:55:44 -0500")
References: <20110113165544.268E714DBB4@smtp.hushmail.com>
Message-ID: <87tyhbvqb2.fsf@vigenere.g10code.de>

On Thu, 13 Jan 2011 17:55, vedaal at nym.hush.com said:

> Usually, the screen saver will be activated by the OS well before
> hibernation begins.

Sure, there are a lot of ways to hook into the suspend process. I was talking about a standard signal (SIGABOUTTOSUSPEND) so that gpg-agent could install a signal handler for it.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Fri Jan 14 09:34:47 2011
From: wk at gnupg.org (Werner Koch)
Date: Fri, 14 Jan 2011 09:34:47 +0100
Subject: Prosecution based on memory forensics
In-Reply-To: <4D2ED8EC.4070704@kernelconcepts.de> (Nils Faerber's message of "Thu, 13 Jan 2011 11:50:20 +0100")
References: <7E07EF86-2921-4514-A207-462E33075524@jabberwocky.com> <87tyhdw0ih.fsf@vigenere.g10code.de> <4D2ED8EC.4070704@kernelconcepts.de>
Message-ID: <87pqrzvq6w.fsf@vigenere.g10code.de>

On Thu, 13 Jan 2011 11:50, nils.faerber at kernelconcepts.de said:

> I could write a very simple driver which provides a mmap()able memory
> area which the application can use, protected by the kernel, and which
> will be automatically cleared upon suspend.
> Would that solve the problem?

Yes.

> How much memory are we talking about here? Bytes? Kbytes? Or Mbytes?

For gpg-agent: 32 bytes. One memory page should be enough for any process.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From nils.faerber at kernelconcepts.de Fri Jan 14 10:06:18 2011
From: nils.faerber at kernelconcepts.de (Nils Faerber)
Date: Fri, 14 Jan 2011 10:06:18 +0100
Subject: Prosecution based on memory forensics
In-Reply-To: <87pqrzvq6w.fsf@vigenere.g10code.de>
References: <7E07EF86-2921-4514-A207-462E33075524@jabberwocky.com> <87tyhdw0ih.fsf@vigenere.g10code.de> <4D2ED8EC.4070704@kernelconcepts.de> <87pqrzvq6w.fsf@vigenere.g10code.de>
Message-ID: <4D30120A.2010707@kernelconcepts.de>

Hi!

On 14.01.2011 09:34, Werner Koch wrote:
> On Thu, 13 Jan 2011 11:50, nils.faerber at kernelconcepts.de said:
>> I could write a very simple driver which provides a mmap()able memory
>> area which the application can use, protected by the kernel, and which
>> will be automatically cleared upon suspend.
>> Would that solve the problem?
> Yes.

Hmm... cool ;)

>> How much memory are we talking about here? Bytes? Kbytes? Or Mbytes?
> For gpg-agent: 32 bytes. One memory page should be enough for any
> process.

So, what do you think, would it be worth the effort?
If it would help GnuPG and if you would like to use it I would offer to implement it and try to push it upstream.

> Salam-Shalom,
> Werner

Cheers
  nils

--
kernel concepts GbR      Tel: +49-271-771091-12
Sieghuetter Hauptweg 48
D-57072 Siegen           Mob: +49-176-21024535
http://www.kernelconcepts.de

From expires2011 at ymail.com Fri Jan 14 19:57:40 2011
From: expires2011 at ymail.com (MFPA)
Date: Fri, 14 Jan 2011 18:57:40 +0000
Subject: Organizing GPA public key list into favourites groups????
In-Reply-To: <2boui6tfg3hasb9rde5bl90n8nkiac0jqu@4ax.com>
References: <8a1pi6hu1vbv9rj5tjer32krekf13oivpi@4ax.com> <201101111744.49324.mailinglisten__4906.50944780118$1294764361$gmane$org@hauke-laging.de> <8739oz1c2b.fsf__37102.1340637983$1294773989$gmane$org@vigenere.g10code.de> <16cpi6d7lbr28h3eojah2katmua07l3c4b__6755.88251692734$1294775093$gmane$org@4ax.com> <926007373.20110113200454__39714.6037001677$1294949218$gmane$org@my_localhost> <2boui6tfg3hasb9rde5bl90n8nkiac0jqu@4ax.com>
Message-ID: <1545844082.20110114185740@my_localhost>

Hi

On Thursday 13 January 2011 at 8:33:33 PM, in , Bo Berglund wrote:

> I don't know if GPGShell
> actually shows the groups defined in the gpg.conf file
> anyway...

GPGshell doesn't use the groups defined in gpg.conf - it uses its own "lists" instead.

--
Best regards

MFPA mailto:expires2011 at ymail.com

Two rights do not make a wrong. They make an airplane.

From wk at gnupg.org Fri Jan 14 21:01:45 2011
From: wk at gnupg.org (Werner Koch)
Date: Fri, 14 Jan 2011 21:01:45 +0100
Subject: Prosecution based on memory forensics
In-Reply-To: <4D30120A.2010707@kernelconcepts.de> (Nils Faerber's message of "Fri, 14 Jan 2011 10:06:18 +0100")
References: <7E07EF86-2921-4514-A207-462E33075524@jabberwocky.com> <87tyhdw0ih.fsf@vigenere.g10code.de> <4D2ED8EC.4070704@kernelconcepts.de> <87pqrzvq6w.fsf@vigenere.g10code.de> <4D30120A.2010707@kernelconcepts.de>
Message-ID: <87bp3juudy.fsf@vigenere.g10code.de>

On Fri, 14 Jan 2011 10:06, nils.faerber at kernelconcepts.de said:

> So, what do you think, would it be worth the effort?
> If it would help GnuPG and if you would like to use it I would offer to
> implement it and try to push it upstream.

It would definitely be helpful because it makes a safe installation much easier. It will be used automagically and thus one does not need to fiddle with suspend scripts. All the password managers would benefit from that as they all have the same problem.

The main threat model would be a stolen laptop with cached passphrases in suspend or hibernation mode. Might also be useful for smartphones.

A counter argument will probably be: Just use kernel crypto and you don't need to worry. However, this is far more complex than a simple memset on suspend. I don't know what it takes in terms of discussion time to add a new flag to mmap as that seems to be the easiest solution.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From ben at adversary.org Fri Jan 14 22:01:55 2011
From: ben at adversary.org (Ben McGinnes)
Date: Sat, 15 Jan 2011 08:01:55 +1100
Subject: How to create non-standard key pair
In-Reply-To:
References:
Message-ID: <4D30B9C3.2080901@adversary.org>

On 13/01/11 6:10 AM, jack seth wrote:
> I am needing to do some testing with these size keys. Can someone
> advise me on how to modify the code to generate these keys?

Seriously? Really? Well, okay ... this is for GnuPG 1.4.11 on a *nix platform:

Extract the tarball, cd to /path/to/gnupg-1.4.11/g10 then open keygen.c in a text editor.

Jump down to line no. 1,580 and change this:

    unsigned nbits, min, def=2048, max=4096;

To this:

    unsigned nbits, min, def=2048, max=16384;

Then do the configure, make, make install dance.

There are, of course, no guarantees that this will play nice with others and if you're trying to do this on Windows, I can't help.

Regards,
Ben

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: OpenPGP digital signature

From bo.berglund at gmail.com Fri Jan 14 23:01:24 2011
From: bo.berglund at gmail.com (Bo Berglund)
Date: Fri, 14 Jan 2011 23:01:24 +0100
Subject: Organizing GPA public key list into favourites groups????
References: <8739oz1c2b.fsf__37102.1340637983$1294773989$gmane$org@vigenere.g10code.de> <16cpi6d7lbr28h3eojah2katmua07l3c4b__6755.88251692734$1294775093$gmane$org@4ax.com> <926007373.20110113200454__39714.6037001677$1294949218$gmane$org@my_localhost> <2boui6tfg3hasb9rde5bl90n8nkiac0jqu@4ax.com> <1545844082.20110114185740__26027.6327761405$1295031664$gmane$org@my_localhost>
Message-ID:

On Fri, 14 Jan 2011 18:57:40 +0000, MFPA wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA512
>
>Hi
>
>
>On Thursday 13 January 2011 at 8:33:33 PM, in
>, Bo Berglund wrote:
>
>
>> I don't know if GPGShell
>> actually shows the groups defined in the gpg.conf file
>> anyway...
>
>GPGshell doesn't use the groups defined in gpg.conf - it uses its own
>"lists" instead.

OK, so I downloaded and installed GPGshell 3.77 to test it.
Result:

- This application tries to install stuff into Windows/system32!!!!!
- When using GPGtools to encrypt, it opens an explorer window on c:\windows\system32!

These two items alone would be cause not to use GPGshell. All programs should keep off of the windows system folders!

- Even though a few tools were set to install to quick-launch they are not...
- No Explorer integration at all...
- Not possible to use "lists", the menu says
- No menu command to create a list...

--
Bo Berglund
Developer in Sweden

From gnupg at oneiroi.net Sat Jan 15 00:25:05 2011
From: gnupg at oneiroi.net (Milo)
Date: Sat, 15 Jan 2011 00:25:05 +0100
Subject: Prosecution based on memory forensics
In-Reply-To: <87bp3juudy.fsf@vigenere.g10code.de>
References: <7E07EF86-2921-4514-A207-462E33075524@jabberwocky.com> <87tyhdw0ih.fsf@vigenere.g10code.de> <4D2ED8EC.4070704@kernelconcepts.de> <87pqrzvq6w.fsf@vigenere.g10code.de> <4D30120A.2010707@kernelconcepts.de> <87bp3juudy.fsf@vigenere.g10code.de>
Message-ID: <20110114232505.GA31224@helcaraxe.net>

Hello.

On Fri, Jan 14, 2011 at 09:01:45PM +0100, Werner Koch wrote:
> On Fri, 14 Jan 2011 10:06, nils.faerber at kernelconcepts.de said:
>
> > So, what do you think, would it be worth the effort?
> > If it would help GnuPG and if you would like to use it I would offer to
> > implement it and try to push it upstream.
>
> It would definitely be helpful because it makes a safe installation much
> easier. It will be used automagically and thus one does not need to
> fiddle with suspend scripts. All the password managers would benefit
> from that as they all have the same problem.
>
> The main threat model would be a stolen laptop with cached passphrases
> in suspend or hibernation mode. Might also be useful for smartphones.
>
> A counter argument will probably be: Just use kernel crypto and you
> don't need to worry. However, this is far more complex than a simple
> memset on suspend. I don't know what it takes in terms of discussion
> time to add a new flag to mmap as that seems to be the easiest solution.

Discussion, yes - tough one I think. If you mean by that pushing syscall modification to mainstream - it's not easy :/ (not mentioning doing it for multiple kernels + waiting for upgrade of libcs or doing workarounds). So being probably the easiest way it's not easy way at all. Some projects are distributing userland piece of code with kernel module - perhaps this is the way to introduce your idea?

--
Regards,
Milo

From expires2011 at ymail.com Sat Jan 15 01:18:01 2011
From: expires2011 at ymail.com (MFPA)
Date: Sat, 15 Jan 2011 00:18:01 +0000
Subject: Organizing GPA public key list into favourites groups????
In-Reply-To:
References: <8739oz1c2b.fsf__37102.1340637983$1294773989$gmane$org@vigenere.g10code.de> <16cpi6d7lbr28h3eojah2katmua07l3c4b__6755.88251692734$1294775093$gmane$org@4ax.com> <926007373.20110113200454__39714.6037001677$1294949218$gmane$org@my_localhost> <2boui6tfg3hasb9rde5bl90n8nkiac0jqu@4ax.com> <1545844082.20110114185740__26027.6327761405$1295031664$gmane$org@my_localhost>
Message-ID: <918395850.20110115001801@my_localhost>

Hi

On Friday 14 January 2011 at 10:01:24 PM, in , Bo Berglund wrote:

> OK, so I downloaded and installed GPGshell 3.77 to test
> it. Result:

> - This application tries to install stuff into
> Windows/system32!!!!! - When using GPGtools to encrypt,
> it opens an explorer window on c:\windows\system32!

Here I get a command window with the title c:\windows\system32\cmd.exe

> These two items alone would be cause not to use
> GPGshell. All programs should keep off of the windows
> system folders!

Unfortunately plenty do not.

> - Even though a few tools were set to install to
> quick-launch they are not... - No Explorer integration
> at all...

I understand this app's shell integration doesn't yet work in 64-bit Windows systems.

> - Not possible to use "lists", the menu says
> -

The menu says "" until you have created at least one list.

> No menu command to create a list...

It's at Key(s) | Add to list...| New List
(Also in the context menu when you select one or more keys.)

--
Best regards

MFPA mailto:expires2011 at ymail.com

No man ever listened himself out of a job

From faramir.cl at gmail.com Sat Jan 15 03:22:00 2011
From: faramir.cl at gmail.com (Faramir)
Date: Fri, 14 Jan 2011 23:22:00 -0300
Subject: Organizing GPA public key list into favourites groups????
In-Reply-To:
References: <8739oz1c2b.fsf__37102.1340637983$1294773989$gmane$org@vigenere.g10code.de> <16cpi6d7lbr28h3eojah2katmua07l3c4b__6755.88251692734$1294775093$gmane$org@4ax.com> <926007373.20110113200454__39714.6037001677$1294949218$gmane$org@my_localhost> <2boui6tfg3hasb9rde5bl90n8nkiac0jqu@4ax.com> <1545844082.20110114185740__26027.6327761405$1295031664$gmane$org@my_localhost>
Message-ID: <4D3104C8.3040607@gmail.com>

On 14-01-2011 19:01, Bo Berglund wrote:
> OK, so I downloaded and installed GPGshell 3.77 to test it. Result:
>
> - This application tries to install stuff into Windows/system32!!!!!
> - When using GPGtools to encrypt, it opens an explorer window on
> c:\windows\system32!

  Ok, from that tool, you can browse and select the file to encrypt. In my computer, it shows the last used folder.

> These two items alone would be cause not to use GPGshell. All programs
> should keep off of the windows system folders!

  I was not aware about it adding something to system32 folder. But it has never opened a window in a subfolder of windows folder.

> - Even though a few tools were set to install to quick-launch they are
> not...

  I didn't know quicklaunch icons don't install in Windows 7 x64. That's bad news, but not too bad, since you can load GPGtray, and it can launch all the other apps of GPGShell.

> - No Explorer integration at all...

  Explorer integration doesn't work in windows 7 x64, I'm not sure if it works in windows 7 x32 (if it exists).

> - Not possible to use "lists", the menu says

  Open GPGkeys, right click the key you want to add to a list, in the menu there is a Add to List command, which gives you the option to create a new list, or to select an existing list (which of course you don't have, since it is the first time you use it). Right click the next key you want to add, and use the Add to list command, it will show you the lists available.
If you add a key to the wrong list, you'll have to edit the txt file with the name of the list (it can be found under %appdata%/GPGShell/_lists folder).

  Best Regards

From expires2011 at ymail.com Sat Jan 15 16:45:19 2011
From: expires2011 at ymail.com (MFPA)
Date: Sat, 15 Jan 2011 15:45:19 +0000
Subject: Organizing GPA public key list into favourites groups????
In-Reply-To: <4D3104C8.3040607@gmail.com>
References: <8739oz1c2b.fsf__37102.1340637983$1294773989$gmane$org@vigenere.g10code.de> <16cpi6d7lbr28h3eojah2katmua07l3c4b__6755.88251692734$1294775093$gmane$org@4ax.com> <926007373.20110113200454__39714.6037001677$1294949218$gmane$org@my_localhost> <2boui6tfg3hasb9rde5bl90n8nkiac0jqu@4ax.com> <1545844082.20110114185740__26027.6327761405$1295031664$gmane$org@my_localhost> <4D3104C8.3040607@gmail.com>
Message-ID: <359160690.20110115154519@my_localhost>

Hi

On Saturday 15 January 2011 at 2:22:00 AM, in , Faramir wrote:

> I didn't know quicklaunch icons don't install in
> Windows 7 x64. That's bad news, but not too bad, since
> you can load GPGtray, and it can launch all the other
> apps of GPGShell.

Indeed. But in Windows XP, all you do for Quick Launch is place shortcuts in the "%AppData%\Microsoft\Internet Explorer\Quick Launch" folder (and make sure the quick launch toolbar is set to be displayed); I don't know if it's different in Windows 7.

> If
> you add a key to the wrong list, you'll have to edit
> the txt file with the name of the list (it can be found
> under %appdata%/GPGShell/_lists folder).

A convenient way to open that file is from GPGkeys; click "lists" then hold down CTRL while clicking the name of the list.

--
Best regards

MFPA mailto:expires2011 at ymail.com

The truth is rarely pure and never simple

From bo.berglund at gmail.com Sat Jan 15 17:13:34 2011
From: bo.berglund at gmail.com (Bo Berglund)
Date: Sat, 15 Jan 2011 17:13:34 +0100
Subject: What does the "sub" entry of a key mean?
Message-ID:

I am building an application for GPG encryption, which ultimately will be integrated into the Win7X64 Explorer context menu.
I have used the command line command "gpg2 -k" to retrieve a key list for the current key ring. Works fine. Now it is time for parsing and I have a few questions:

The output from the command looks like this (shortened):

C:/Documents and Settings/Bosse/Application Data/gnupg/pubring.gpg
------------------------------------------------------------------
pub   1024D/C50DAFF8 2006-08-19
uid                  Bo Berglund
sub   2048g/011AD792 2006-08-19

pub   1024D/41C6E930 2003-04-10
uid                  Richard Jones
uid                  Richard Jones
uid                  Richard Jones
sub   1024g/40AD97DF 2003-04-10

Now, I understand most of this but I would like to know the significance of these items:

1) In the pub line the first item is a number + a letter. I assume that the number is the bit length of the key, but what does the letter mean? And which are the possible letters?

2) What does the last line of each key mean, which starts with sub? Notice that there is a different hex code and different letter following the key length...

3) Some keys have several uid lines, is there a maximum or minimum number here? It looks like a number of email addresses attached to the key, is this correct?

4) I only have one public keyring, but I assume that it is possible to have several? If so will the -k command list these after each other? The first output line seems to be the actual keyring location.

TIA

--
Bo Berglund
Developer in Sweden

From dshaw at jabberwocky.com Sat Jan 15 18:27:58 2011
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat, 15 Jan 2011 12:27:58 -0500
Subject: What does the "sub" entry of a key mean?
In-Reply-To:
References:
Message-ID: <59ED2A86-3282-48F7-AA54-E54CE24E7311@jabberwocky.com>

On Jan 15, 2011, at 11:13 AM, Bo Berglund wrote:

> I am building an application for GPG encryption, which ultimately will
> be integrated into the Win7X64 Explorer context menu.
> I have used the command line command "gpg2 -k" to retrieve a key list
> for the current key ring. Works fine. Now it is time for parsing and I
> have a few questions:
>
> The output from the command looks like this (shortened):
> C:/Documents and Settings/Bosse/Application Data/gnupg/pubring.gpg
> ------------------------------------------------------------------
> pub   1024D/C50DAFF8 2006-08-19
> uid                  Bo Berglund
> sub   2048g/011AD792 2006-08-19
>
> pub   1024D/41C6E930 2003-04-10
> uid                  Richard Jones
> uid                  Richard Jones
> uid                  Richard Jones
> sub   1024g/40AD97DF 2003-04-10
>
> Now, I understand most of this but I would like to know the
> significance of these items:
>
> 1) In the pub line the first item is a number + a letter. I assume
> that the number is the bit length of the key, but what does the letter
> mean? And which are the possible letters?

Yes, the number is the bit length of the key. The letters are:

RSA == R
DSA == D
Elgamal == g (only seen in subkeys)

Historically there was a "G" for an Elgamal key that could both encrypt and sign, but that was dropped from OpenPGP.
The current lowercase "g" Elgamal is an encrypt-only key.

> 2) What does the last line of each key mean, which starts with sub?
> Notice that there is a different hex code and different letter
> following the key length...

Sub is for subkeys. They are other keys that go along with the main, or primary, key. A common usage pattern is for the primary to be used for signing, and the subkey used for encryption.

> 3) Some keys have several uid lines, is there a maximum or minimum
> number here? It looks like a number of email addresses attached to the
> key, is this correct?

There is a minimum of 1. There is no maximum. There are also "uat" lines, of which there are zero or more. A uat is used to store other things aside from text (for example, photo IDs).

> 4) I only have one public keyring, but I assume that it is possible to
> have several? If so will the -k command list these after each other?
> The first output line seems to be the actual keyring location.

It is possible to have several.

I note that you are trying to parse the output, though. That is a bad idea, as the format is intended for human consumption, and not machine parsing. The machine format is stable, and the human format is subject to change. Use the --with-colons option to enable machine parsing.

David

From rjh at sixdemonbag.org Sat Jan 15 18:40:57 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 15 Jan 2011 12:40:57 -0500
Subject: What does the "sub" entry of a key mean?
In-Reply-To: <59ED2A86-3282-48F7-AA54-E54CE24E7311@jabberwocky.com>
References: <59ED2A86-3282-48F7-AA54-E54CE24E7311@jabberwocky.com>
Message-ID: <4D31DC29.1010803@sixdemonbag.org>

(Responding to David, but this is really meant for the OP)

On 1/15/2011 12:27 PM, David Shaw wrote:
> I note that you are trying to parse the output, though. That is a
> bad idea, as the format is intended for human consumption, and not
> machine parsing. The machine format is stable, and the human format
> is subject to change.
Use the --with-colons option to enable machine
> parsing.

Some time ago I wrote up a BNF for the machine-readable format, and posted it to gnupg-devel. You might want to search the archives for it: you might find it useful.

From bo.berglund at gmail.com Sat Jan 15 19:17:27 2011
From: bo.berglund at gmail.com (Bo Berglund)
Date: Sat, 15 Jan 2011 19:17:27 +0100
Subject: What does the "sub" entry of a key mean?
References: <59ED2A86-3282-48F7-AA54-E54CE24E7311__18051.2872910642$1295112569$gmane$org@jabberwocky.com>
Message-ID: <80p3j6lvdlaeuhe8p3qalkedn85o8ab99u@4ax.com>

On Sat, 15 Jan 2011 12:27:58 -0500, David Shaw wrote:

>On Jan 15, 2011, at 11:13 AM, Bo Berglund wrote:
>
>> I am building an application for GPG encryption, which ultimately will
>> be integrated into the Win7X64 Explorer context menu.
>> I have used the command line command "gpg2 -k" to retrieve a key list
>> for the current key ring. Works fine. Now it is time for parsing and I
>> have a few questions:
>>
>> The output from the command looks like this (shortened):
>> C:/Documents and Settings/Bosse/Application Data/gnupg/pubring.gpg
>> ------------------------------------------------------------------
>> pub   1024D/C50DAFF8 2006-08-19
>> uid                  Bo Berglund
>> sub   2048g/011AD792 2006-08-19
>>
>> pub   1024D/41C6E930 2003-04-10
>> uid                  Richard Jones
>> uid                  Richard Jones
>> uid                  Richard Jones
>> sub   1024g/40AD97DF 2003-04-10
>>
>> Now, I understand most of this but I would like to know the
>> significance of these items:
>>
>> 1) In the pub line the first item is a number + a letter. I assume
>> that the number is the bit length of the key, but what does the letter
>> mean? And which are the possible letters?
>
>Yes, the number is the bit length of the key. The letters are:
>
>RSA == R
>DSA == D
>Elgamal == g (only seen in subkeys)
>
>Historically there was a "G" for an Elgamal key that could both encrypt and sign, but that was dropped from OpenPGP. The current lowercase "g" Elgamal is an encrypt-only key.
>
>> 2) What does the last line of each key mean, which starts with sub?
>> Notice that there is a different hex code and different letter
>> following the key length...
>
>Sub is for subkeys. They are other keys that go along with the main, or primary, key. A common usage pattern is for the primary to be used for signing, and the subkey used for encryption.
>
>> 3) Some keys have several uid lines, is there a maximum or minimum
>> number here? It looks like a number of email addresses attached to the
>> key, is this correct?
>
>There is a minimum of 1. There is no maximum. There are also "uat" lines, of which there are zero or more. A uat is used to store other things aside from text (for example, photo IDs).
>
>> 4) I only have one public keyring, but I assume that it is possible to
>> have several? If so will the -k command list these after each other?
>> The first output line seems to be the actual keyring location.
>
>It is possible to have several.
>
>I note that you are trying to parse the output, though. That is a bad idea, as the format is intended for human consumption, and not machine parsing. The machine format is stable, and the human format is subject to change. Use the --with-colons option to enable machine parsing.
>
>David

Thanks, indeed the --with-colons gave a completely different output...
I was just about to ask of the date format (if it changes between operating systems or such) but now I have a different problem in understanding the machine readable format.

Very hard to understand. Is there a parsing guide somewhere?

--
Bo Berglund
Developer in Sweden

From faramir.cl at gmail.com Sat Jan 15 21:06:06 2011
From: faramir.cl at gmail.com (Faramir)
Date: Sat, 15 Jan 2011 17:06:06 -0300
Subject: Organizing GPA public key list into favourites groups????
In-Reply-To: <359160690.20110115154519@my_localhost>
References: <8739oz1c2b.fsf__37102.1340637983$1294773989$gmane$org@vigenere.g10code.de> <16cpi6d7lbr28h3eojah2katmua07l3c4b__6755.88251692734$1294775093$gmane$org@4ax.com> <926007373.20110113200454__39714.6037001677$1294949218$gmane$org@my_localhost> <2boui6tfg3hasb9rde5bl90n8nkiac0jqu@4ax.com> <1545844082.20110114185740__26027.6327761405$1295031664$gmane$org@my_localhost> <4D3104C8.3040607@gmail.com> <359160690.20110115154519@my_localhost>
Message-ID: <4D31FE2E.2080504@gmail.com>

Hello,

On 15-01-2011 12:45, MFPA wrote:
...
> On Saturday 15 January 2011 at 2:22:00 AM, in
> , Faramir wrote:
>
>> I didn't know quicklaunch icons don't install in
>> Windows 7 x64. That's bad news, but not too bad, since
...
> Indeed. But in Windows XP, all you do for Quick Launch is place
> shortcuts in the "%AppData%\Microsoft\Internet Explorer\Quick Launch"
> folder (and make sure the quick launch toolbar is set to be
> displayed); I don't know if it's different in Windows 7.

  I didn't know that... and it's good to know it. I guess google would help to solve the Windows 7 mystery.

>> If
>> you add a key to the wrong list, you'll have to edit
>> the txt file with the name of the list (it can be found
>> under %appdata%/GPGShell/_lists folder).
>
> A convenient way to open that file is from GPGkeys;
> click "lists" then hold down CTRL while clicking the name of the list.

  Excellent!
A lot better than browsing it with windows explorer :)

  Best Regards

From bo.berglund at gmail.com Sat Jan 15 21:19:37 2011
From: bo.berglund at gmail.com (Bo Berglund)
Date: Sat, 15 Jan 2011 21:19:37 +0100
Subject: What does the "sub" entry of a key mean?
References: <59ED2A86-3282-48F7-AA54-E54CE24E7311@jabberwocky.com> <4D31DC29.1010803__10793.6030756266$1295113324$gmane$org@sixdemonbag.org>
Message-ID:

On Sat, 15 Jan 2011 12:40:57 -0500, "Robert J. Hansen" wrote:

>(Responding to David, but this is really meant for the OP)
>
>On 1/15/2011 12:27 PM, David Shaw wrote:
>> I note that you are trying to parse the output, though. That is a
>> bad idea, as the format is intended for human consumption, and not
>> machine parsing. The machine format is stable, and the human format
>> is subject to change. Use the --with-colons option to enable machine
>> parsing.
>
>Some time ago I wrote up a BNF for the machine-readable format, and
>posted it to gnupg-devel. You might want to search the archives for it:
>you might find it useful.

I tried searching google for your name and "gpg machine readable" but came up with unusable suggestions.
Please post a link to your document.
(What does BNF mean?)

--
Bo Berglund
Developer in Sweden

From jrollins at finestructure.net Sat Jan 15 21:21:01 2011
From: jrollins at finestructure.net (Jameson Rollins)
Date: Sat, 15 Jan 2011 15:21:01 -0500
Subject: What does the "sub" entry of a key mean?
In-Reply-To: <80p3j6lvdlaeuhe8p3qalkedn85o8ab99u@4ax.com>
References: <59ED2A86-3282-48F7-AA54-E54CE24E7311__18051.2872910642$1295112569$gmane$org@jabberwocky.com> <80p3j6lvdlaeuhe8p3qalkedn85o8ab99u@4ax.com>
Message-ID: <8739otgbpu.fsf@servo.finestructure.net>

On Sat, 15 Jan 2011 19:17:27 +0100, Bo Berglund wrote:
> Thanks, indeed the --with-colons gave a completely different output...
> I was just about to ask of the date format (if it changes between
> operating systems or such) but now I have a different problem in
> understanding the machine readable format.
>
> Very hard to understand. Is there a parsing guide somewhere?

Hi, Bo. There should be a file called DETAILS (in doc/DETAILS in the gnupg source, or maybe included with your local installation) that describes in detail the meaning of the --with-colons output. It's exactly the reference you're looking for when writing a program to parse the --with-colons output.

Good luck!

jamie.


$ head gnupg2-2.0.14/doc/DETAILS
                                                    -*- text -*-
Format of colon listings
========================
First an example:

$ gpg --fixed-list-mode --with-colons --list-keys \
                  --with-fingerprint --with-fingerprint wk at gnupg.org

pub:f:1024:17:6C7EE1B8621CC013:899817715:1055898235::m:::scESC:
fpr:::::::::ECAF7590EB3443B5C7CF3ACB6C7EE1B8621CC013:
$

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: not available

From bo.berglund at gmail.com Sun Jan 16 00:08:50 2011
From: bo.berglund at gmail.com (Bo Berglund)
Date: Sun, 16 Jan 2011 00:08:50 +0100
Subject: What does the "sub" entry of a key mean?
References: <59ED2A86-3282-48F7-AA54-E54CE24E7311__18051.2872910642$1295112569$gmane$org@jabberwocky.com>
 <80p3j6lvdlaeuhe8p3qalkedn85o8ab99u@4ax.com>
 <8739otgbpu.fsf__32167.6754545935$1295125966$gmane$org@servo.finestructure.net>
Message-ID:

On Sat, 15 Jan 2011 15:21:01 -0500, Jameson Rollins wrote:

>On Sat, 15 Jan 2011 19:17:27 +0100, Bo Berglund wrote:
>> Thanks, indeed the --with-colons gave a completely different output...
>> I was just about to ask of the date format (if it changes between
>> operating systems or such) but now I have a different problem in
>> understanding the machine readable format.
>>
>> Very hard to understand. Is there a parsing guide somewhere?
>
>Hi, Bo. There should be a file called DETAILS (in doc/DETAILS in the
>gnupg source, or maybe included with your local installation) that
>describes in detail the meaning of the --with-colons output. It's
>exactly the reference you're looking for when writing a program to parse
>the --with-colons output.
>
>Good luck!
>
>jamie.
>
>
>$ head gnupg2-2.0.14/doc/DETAILS
> -*- text -*-
>Format of colon listings
>========================
>First an example:
>
>$ gpg --fixed-list-mode --with-colons --list-keys \
>      --with-fingerprint --with-fingerprint wk at gnupg.org
>
>pub:f:1024:17:6C7EE1B8621CC013:899817715:1055898235::m:::scESC:
>fpr:::::::::ECAF7590EB3443B5C7CF3ACB6C7EE1B8621CC013:
>$

Thanks, downloaded the GPG sources and located the DETAILS file.
Now have to read the document, but it seems doable at least...

--
Bo Berglund
Developer in Sweden

From malte.gell at gmx.de Sun Jan 16 06:12:42 2011
From: malte.gell at gmx.de (Malte Gell)
Date: Sun, 16 Jan 2011 06:12:42 +0100
Subject: OpenPGP for Android
Message-ID:

Hi there,

In the Android Market there is APG. Has anyone tested it? Does it
import keys with subkeys? By the way, is there an app that encrypts
SMS with APG?

Regards
Malte
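The colon listing quoted from doc/DETAILS earlier in this thread can be read field by field, and doing so shows how `sub` records hang off the preceding `pub` record. The following is an added example, not part of any message in this thread and not GnuPG or gpgme code; the names `Key`, `parse_colons` and `is_expired` and the `uid` and `sub` sample records are made up here, and the field positions are the ones doc/DETAILS documents.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample: the pub and fpr records are the ones quoted from
# doc/DETAILS in this thread; the uid and sub records are made up here.
SAMPLE = r"""pub:f:1024:17:6C7EE1B8621CC013:899817715:1055898235::m:::scESC:
fpr:::::::::ECAF7590EB3443B5C7CF3ACB6C7EE1B8621CC013:
uid:f::::::::Example User (work\x3a test) <user@example.org>:
sub:f:1024:16:0123456789ABCDEF:899817788::::::e:
"""


@dataclass
class Key:
    record: str                   # field 1: "pub" (primary key) or "sub" (subkey)
    validity: str                 # field 2: e.g. f=full, e=expired, r=revoked
    bits: int                     # field 3: key length
    algo: int                     # field 4: OpenPGP algorithm id (17=DSA, 16=Elgamal)
    keyid: str                    # field 5: long key ID
    created: Optional[datetime]   # field 6
    expires: Optional[datetime]   # field 7: empty means no expiry
    caps: str                     # field 12: key capabilities
    fingerprint: str = ""         # field 10 of the following fpr record
    uids: List[str] = field(default_factory=list)
    subkeys: List["Key"] = field(default_factory=list)

    @property
    def own_caps(self):
        # Lowercase letters are this key's own capabilities; uppercase
        # letters on a pub record summarise the whole key.
        return {c for c in self.caps if c.islower()}


def _timestamp(value):
    """Seconds since the epoch (--fixed-list-mode) or yyyy-mm-dd, both UTC."""
    if not value:
        return None
    if value.isdigit():
        return datetime.fromtimestamp(int(value), timezone.utc)
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def _unescape(value):
    """Undo the C-string quoting of user IDs, e.g. \\x3a for a colon.

    Handles single-byte escapes only, which covers the colon and
    control characters."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def parse_colons(text):
    """Group a colon listing into primary keys with their uids and subkeys."""
    keys, last = [], None
    for line in text.splitlines():
        f = line.split(":")
        f += [""] * (12 - len(f))            # pad short records
        rec = f[0]
        if rec in ("pub", "sub"):
            last = Key(rec, f[1], int(f[2] or 0), int(f[3] or 0), f[4],
                       _timestamp(f[5]), _timestamp(f[6]), f[11])
            if rec == "pub":
                keys.append(last)
            elif keys:
                keys[-1].subkeys.append(last)
            else:
                raise ValueError("sub record without a preceding pub record")
        elif rec == "fpr" and last is not None:
            last.fingerprint = f[9]          # applies to the key just listed
        elif rec == "uid" and keys:
            keys[-1].uids.append(_unescape(f[9]))
    return keys


def is_expired(key, now):
    """Check the expiry date itself, not only the validity flag."""
    return key.validity == "e" or (key.expires is not None and key.expires <= now)


if __name__ == "__main__":
    now = datetime(2011, 1, 16, tzinfo=timezone.utc)
    for key in parse_colons(SAMPLE):
        print(key.keyid, key.fingerprint, sorted(key.own_caps),
              "expired" if is_expired(key, now) else "ok")
        for sub in key.subkeys:
            print("  sub", sub.keyid, sub.caps)
```
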
From bo.berglund at gmail.com Sun Jan 16 08:34:20 2011
From: bo.berglund at gmail.com (Bo Berglund)
Date: Sun, 16 Jan 2011 08:34:20 +0100
Subject: gpg command output language???
Message-ID:

When I run the "gpg2 -h" command I get a result that is a mixture of
English and Swedish words, which does not make a lot of sense.
I am running Windows XP-Pro *English* version but because I am in
Sweden I use the Swedish keyboard. I DON'T want to have anything fed
back from programs like gpg in Swedish, though....

It beats me why a program like gpg should detect the keyboard type and
change its language like this, language setting should be a voluntary
change by the user always! Just think how good it would be for an
English speaking user to try and use a PC that happened to be set for
say a Slovenian keyboard. Not possible to understand the output,
right?

So how can I change gpg such that it sends its responses in English
only? I have checked gpg.conf, but there is no language setting there.

--
Bo Berglund
Developer in Sweden

From free10pro at gmail.com Sun Jan 16 09:47:36 2011
From: free10pro at gmail.com (Paul Richard Ramer)
Date: Sun, 16 Jan 2011 00:47:36 -0800
Subject: gpg command output language???
In-Reply-To:
References:
Message-ID: <4D32B0A8.1010206@gmail.com>

On 01/15/2011 11:34 PM, Bo Berglund wrote:
> It beats me why a program like gpg should detect the keyboard type and
> change its language like this, language setting should be a voluntary
> change by the user always! Just think how good it would be for an
> English speaking user to try and use a PC that happened to be set for
> say a Slovenian keyboard. Not possible to understand the output,
> right?
>
> So how can I change gpg such that it sends its responses in English
> only? I have checked gpg.conf, but there is no language setting there.

The GPG man page gives the following information:

    Operation is further controlled by a few environment variables:
    [...]

    LANGUAGE
        Apart from its use by GNU, it is used in the W32 version to
        override the language selection done through the Registry. If
        used and set to a valid and available language name (langid),
        the file with the translation is loaded from
        gpgdir/gnupg.nls/langid.mo. Here gpgdir is the directory out of
        which the gpg binary has been loaded. If it can't be loaded the
        Registry is tried and as last resort the native Windows locale
        system is used.

-Paul

--
Please use my PGP key when sending me e-mail, if you can.
PGP Key ID: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884

From bo.berglund at gmail.com Sun Jan 16 10:19:38 2011
From: bo.berglund at gmail.com (Bo Berglund)
Date: Sun, 16 Jan 2011 10:19:38 +0100
Subject: gpg command output language???
References: <4D32B0A8.1010206__39204.5401539237$1295167759$gmane$org@gmail.com>
Message-ID:

On Sun, 16 Jan 2011 00:47:36 -0800, Paul Richard Ramer wrote:

>On 01/15/2011 11:34 PM, Bo Berglund wrote:
>> It beats me why a program like gpg should detect the keyboard type and
>> change its language like this, language setting should be a voluntary
>> change by the user always! Just think how good it would be for an
>> English speaking user to try and use a PC that happened to be set for
>> say a Slovenian keyboard. Not possible to understand the output,
>> right?
>>
>> So how can I change gpg such that it sends its responses in English
>> only? I have checked gpg.conf, but there is no language setting there.
>
>The GPG man page gives the following information:

How do you locate the "GPG man page"??

>    Operation is further controlled by a few environment variables:
>    [...]
>
>    LANGUAGE
>        Apart from its use by GNU, it is used in the W32 version to
>        override the language selection done through the Registry. If
>        used and set to a valid and available language name (langid),
>        the file with the translation is loaded from
>        gpgdir/gnupg.nls/langid.mo.
>        Here gpgdir is the directory out of
>        which the gpg binary has been loaded. If it can't be loaded the
>        Registry is tried and as last resort the native Windows locale
>        system is used.
>

Sounds like a very strange way to do this, an environment variable
that is not even named with reference to GPG can affect all
applications on the PC....
A more appropriate way would have been to have this entered in the
conf file or at least named GPG_LANGUAGE instead of the generic name
it now has...

Additionally: What am I supposed to enter as "langid" in such an
environment variable? "ENGLISH", "EN", "409" or what?

--
Bo Berglund
Developer in Sweden

From kloecker at kde.org Sun Jan 16 12:21:07 2011
From: kloecker at kde.org (Ingo Klöcker)
Date: Sun, 16 Jan 2011 12:21:07 +0100
Subject: gpg command output language???
In-Reply-To:
References: <4D32B0A8.1010206__39204.5401539237$1295167759$gmane$org@gmail.com>
Message-ID: <201101161221.14519@thufir.ingo-kloecker.de>

On Sunday 16 January 2011, Bo Berglund wrote:
> On Sun, 16 Jan 2011 00:47:36 -0800, Paul Richard Ramer
>
> wrote:
> >On 01/15/2011 11:34 PM, Bo Berglund wrote:
> >> It beats me why a program like gpg should detect the keyboard type
> >> and change its language like this, language setting should be a
> >> voluntary change by the user always! Just think how good it would
> >> be for an English speaking user to try and use a PC that happened
> >> to be set for say a Slovenian keyboard. Not possible to
> >> understand the output, right?
> >>
> >> So how can I change gpg such that it sends its responses in
> >> English only? I have checked gpg.conf, but there is no language
> >> setting there.
> >
> >The GPG man page gives the following information:
> How do you locate the "GPG man page"??

I don't know how to do this on Windows, but you can always try Google.
The second hit for "GPG man page" is what you are looking for.

> > Operation is further controlled by a few environment variables:
> > [...]
> >
> > LANGUAGE
> >
> >     Apart from its use by GNU, it is used in the W32 version to
> >     override the language selection done through the Registry.
> >     If used and set to a valid and available language name
> >     (langid), the file with the translation is loaded from
> >     gpgdir/gnupg.nls/langid.mo. Here gpgdir is the directory
> >     out of which the gpg binary has been loaded. If it can't
> >     be loaded the Registry is tried and as last resort the
> >     native Windows locale system is used.
>
> Sounds like a very strange way to do this, an environment variable
> that is not even named with reference to GPG can affect all
> applications on the PC....

Well, that's the point of this environment variable. It is supposed to
be recognized by all applications. If you only want this variable to
affect gpg then write a simple script which sets the variable and then
calls gpg.

> A more appropriate way would have been to have this entered in the
> conf file or at least named GPG_LANGUAGE instead of the generic name
> it now has...
>
> Additionally: What am I supposed to enter as "langid" in such an
> environment variable? "ENGLISH", "EN", "409" or what?

Try "C". This should give you untranslated (and thus English) messages.


Regards,
Ingo
From wk at gnupg.org Sun Jan 16 14:01:16 2011
From: wk at gnupg.org (Werner Koch)
Date: Sun, 16 Jan 2011 14:01:16 +0100
Subject: Prosecution based on memory forensics
In-Reply-To: <20110114232505.GA31224@helcaraxe.net> (Milo's message of "Sat, 15 Jan 2011 00:25:05 +0100")
References: <7E07EF86-2921-4514-A207-462E33075524@jabberwocky.com>
 <87tyhdw0ih.fsf@vigenere.g10code.de>
 <4D2ED8EC.4070704@kernelconcepts.de>
 <87pqrzvq6w.fsf@vigenere.g10code.de>
 <4D30120A.2010707@kernelconcepts.de>
 <87bp3juudy.fsf@vigenere.g10code.de>
 <20110114232505.GA31224@helcaraxe.net>
Message-ID: <87vd1pt337.fsf@vigenere.g10code.de>

On Sat, 15 Jan 2011 00:25, gnupg at oneiroi.net said:

> Discussion, yes - tough one I think. If you mean by that pushing syscall modification to mainstream - it's not

mmap already has a lot of flags. Adding another flag value should be an
easy task - assuming that one wants to use another bit from the flag
values.


Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Sun Jan 16 14:06:50 2011
From: wk at gnupg.org (Werner Koch)
Date: Sun, 16 Jan 2011 14:06:50 +0100
Subject: What does the "sub" entry of a key mean?
In-Reply-To: <8739otgbpu.fsf@servo.finestructure.net> (Jameson Rollins's message of "Sat, 15 Jan 2011 15:21:01 -0500")
References: <59ED2A86-3282-48F7-AA54-E54CE24E7311__18051.2872910642$1295112569$gmane$org@jabberwocky.com>
 <80p3j6lvdlaeuhe8p3qalkedn85o8ab99u@4ax.com>
 <8739otgbpu.fsf@servo.finestructure.net>
Message-ID: <87r5cdt2tx.fsf@vigenere.g10code.de>

On Sat, 15 Jan 2011 21:21, jrollins at finestructure.net said:

> describes in detail the meaning of the --with-colons output. It's
> exactly the reference you're looking for when writing a program to parse
> the --with-colons output.

FWIW, gpgme provides a reference implementation for it. In general I
suggest to use gpgme because it provides a well maintained API to GnuPG.
Many programs use gpgme; Debian lists 37 direct dependencies.


Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From expires2011 at ymail.com Sun Jan 16 14:39:14 2011
From: expires2011 at ymail.com (MFPA)
Date: Sun, 16 Jan 2011 13:39:14 +0000
Subject: gpg command output language???
In-Reply-To:
References: <4D32B0A8.1010206__39204.5401539237$1295167759$gmane$org@gmail.com>
Message-ID: <310000186.20110116133914@my_localhost>

Hi


On Sunday 16 January 2011 at 9:19:38 AM, in
, Bo Berglund wrote:


>>The GPG man page gives the following information:

> How do you locate the "GPG man page"??

I'm using GnuPG 1.4.x, not 2.x, and my copy of "GPG man page" is the
text file called "gpg.man" that lives in the "DOC" folder under my
GnuPG program directory.

--
Best regards

MFPA                    mailto:expires2011 at ymail.com

It's better to feed one cat than many mice

From bo.berglund at gmail.com Sun Jan 16 16:31:56 2011
From: bo.berglund at gmail.com (Bo Berglund)
Date: Sun, 16 Jan 2011 16:31:56 +0100
Subject: What does the "sub" entry of a key mean?
References: <59ED2A86-3282-48F7-AA54-E54CE24E7311__18051.2872910642$1295112569$gmane$org@jabberwocky.com>
 <80p3j6lvdlaeuhe8p3qalkedn85o8ab99u@4ax.com>
 <8739otgbpu.fsf@servo.finestructure.net>
 <87r5cdt2tx.fsf__33030.8988377967$1295183483$gmane$org@vigenere.g10code.de>
Message-ID:

On Sun, 16 Jan 2011 14:06:50 +0100, Werner Koch wrote:

>On Sat, 15 Jan 2011 21:21, jrollins at finestructure.net said:
>
>> describes in detail the meaning of the --with-colons output. It's
>> exactly the reference you're looking for when writing a program to parse
>> the --with-colons output.
>
>FWIW, gpgme provides a reference implementation for it.
>In general I
>suggest to use gpgme because it provides a well maintained API to GnuPG.
>Many programs use gpgme; Debian lists 37 direct dependencies.
>

What is gpgme? I found a very short reference on the GPG website:
http://www.gnupg.org/gpgme.html
But it talks about a "library" that applications should use to access
gpg. What does "library" mean?
I looked at the download, but it looks like a source tree for some
kind of C program. :-(

I am programming in Pascal (Delphi or Lazarus with FPC).

--
Bo Berglund
Developer in Sweden

From kloecker at kde.org Sun Jan 16 17:41:02 2011
From: kloecker at kde.org (Ingo Klöcker)
Date: Sun, 16 Jan 2011 17:41:02 +0100
Subject: What does the "sub" entry of a key mean?
In-Reply-To:
References: <87r5cdt2tx.fsf__33030.8988377967$1295183483$gmane$org@vigenere.g10code.de>
Message-ID: <201101161741.02585@thufir.ingo-kloecker.de>

On Sunday 16 January 2011, Bo Berglund wrote:
> On Sun, 16 Jan 2011 14:06:50 +0100, Werner Koch wrote:
> >On Sat, 15 Jan 2011 21:21, jrollins at finestructure.net said:
> >> describes in detail the meaning of the --with-colons output. It's
> >> exactly the reference you're looking for when writing a program to
> >> parse the --with-colons output.
> >
> >FWIW, gpgme provides a reference implementation for it. In general
> >I suggest to use gpgme because it provides a well maintained API to
> >GnuPG. Many programs use gpgme; Debian lists 37 direct
> >dependencies.
>
> What is gpgme? I found a very short reference on the GPG website:
> http://www.gnupg.org/gpgme.html
> But it talks about a "library" that applications should use to access
> gpg. What does "library" mean?

A library is similar to what in Pascal/Delphi is called a unit.

> I looked at the download, but it looks like a source tree for some
> kind of C program. :-(

Well, it's the source tree of a C library.

> I am programming in Pascal (Delphi or Lazarus with FPC).

Then you'll need a Pascal-binding for gpgme.
A quick Google search yielded bindings for many languages (e.g. Python,
Ruby, C#/.NET), but not Pascal.


Regards,
Ingo

From bo.berglund at gmail.com Sun Jan 16 17:52:59 2011
From: bo.berglund at gmail.com (Bo Berglund)
Date: Sun, 16 Jan 2011 17:52:59 +0100
Subject: What does the "sub" entry of a key mean?
References: <59ED2A86-3282-48F7-AA54-E54CE24E7311__18051.2872910642$1295112569$gmane$org@jabberwocky.com>
 <80p3j6lvdlaeuhe8p3qalkedn85o8ab99u@4ax.com>
 <8739otgbpu.fsf@servo.finestructure.net>
 <87r5cdt2tx.fsf__33030.8988377967$1295183483$gmane$org@vigenere.g10code.de>
Message-ID:

On Sun, 16 Jan 2011 16:31:56 +0100, Bo Berglund wrote:

>On Sun, 16 Jan 2011 14:06:50 +0100, Werner Koch wrote:
>
>>On Sat, 15 Jan 2011 21:21, jrollins at finestructure.net said:
>>
>>> describes in detail the meaning of the --with-colons output. It's
>>> exactly the reference you're looking for when writing a program to parse
>>> the --with-colons output.
>>
>>FWIW, gpgme provides a reference implementation for it. In general I
>>suggest to use gpgme because it provides a well maintained API to GnuPG.
>>Many programs use gpgme; Debian lists 37 direct dependencies.
>>
>
>What is gpgme? I found a very short reference on the GPG website:
>http://www.gnupg.org/gpgme.html
>But it talks about a "library" that applications should use to access
>gpg. What does "library" mean?
>I looked at the download, but it looks like a source tree for some
>kind of C program. :-(
>
>I am programming in Pascal (Delphi or Lazarus with FPC).

Now looked a bit longer at the downloaded files and found a subfolder
"complus" where there is a reference to a Windows com server gpgcom.exe.
According to the README the gpgcom.exe should be part of the archive,
but it is not...

* Because you are reading this file, you probably have already
  unpacked it distribution using a unzip utility :-). You should
  find these files:

  README       - This file
  gpgcom.exe   - The Gpgcom server   <== Cannot be found!
  vbtest.html  - A Test webpage
  vbtest.vbs   - A VB script to be used with the cscript utility

So it seems like on Windows one is out of luck and must go the long
distance....
(And all because GpgEx won't work on Win 7 X64....)

--
Bo Berglund
Developer in Sweden

From bo.berglund at gmail.com Sun Jan 16 20:45:45 2011
From: bo.berglund at gmail.com (Bo Berglund)
Date: Sun, 16 Jan 2011 20:45:45 +0100
Subject: gpg command output language???
References: <4D32B0A8.1010206__39204.5401539237$1295167759$gmane$org@gmail.com>
 <201101161221.14519__30896.8700156131$1295176969$gmane$org@thufir.ingo-kloecker.de>
Message-ID:

On Sun, 16 Jan 2011 12:21:07 +0100, Ingo Klöcker wrote:

>> Additionally: What am I supposed to enter as "langid" in such an
>> environment variable? "ENGLISH", "EN", "409" or what?
>
>Try "C". This should give you untranslated (and thus English) messages.
>

Did not work at all...
I set the environment variable to "C" and then ran gpg2 -h. Example of
output:

 -s, --sign                 make a signature
     --clearsign            make a clear text signature
 -b, --detach-sign          skapa signatur i en separat fil
 -e, --encrypt              kryptera data

(Both English and Swedish...)
And later:

 -v, --verbose              utf?rlig
 -n, --dry-run              g?r inga Sndringar
 -i, --interactive          frsga innan ?verskrivning
     --openpgp              anvSnd strikt OpenPGP-beteende

Characters used for the Swedish umlauted chars ?????? are completely
wrong...

--
Bo Berglund
Developer in Sweden

From bo.berglund at gmail.com Sun Jan 16 20:46:51 2011
From: bo.berglund at gmail.com (Bo Berglund)
Date: Sun, 16 Jan 2011 20:46:51 +0100
Subject: gpg command output language???
References: <4D32B0A8.1010206__39204.5401539237$1295167759$gmane$org@gmail.com>
 <310000186.20110116133914__22559.1883798645$1295188545$gmane$org@my_localhost>
Message-ID:

On Sun, 16 Jan 2011 13:39:14 +0000, MFPA wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA512
>
>Hi
>
>
>On Sunday 16 January 2011 at 9:19:38 AM, in
>, Bo Berglund wrote:
>
>
>
>>>The GPG man page gives the following information:
>
>> How do you locate the "GPG man page"??
>
>I'm using GnuPG 1.4.x, not 2.x, and my copy of "GPG man page" is the
>text file called "gpg.man" that lives in the "DOC" folder under my
>GnuPG program directory.

I have installed GPG2 as part of Gpg4Win 2.0.4 and there are no traces
at all of any doc folder or files....

--
Bo Berglund
Developer in Sweden

From sascha-ml-reply-to-2011-1 at silbe.org Sun Jan 16 20:21:08 2011
From: sascha-ml-reply-to-2011-1 at silbe.org (Sascha Silbe)
Date: Sun, 16 Jan 2011 20:21:08 +0100
Subject: Prosecution based on memory forensics
In-Reply-To: <87bp3juudy.fsf@vigenere.g10code.de>
References: <7E07EF86-2921-4514-A207-462E33075524@jabberwocky.com>
 <87tyhdw0ih.fsf@vigenere.g10code.de>
 <4D2ED8EC.4070704@kernelconcepts.de>
 <87pqrzvq6w.fsf@vigenere.g10code.de>
 <4D30120A.2010707@kernelconcepts.de>
 <87bp3juudy.fsf@vigenere.g10code.de>
Message-ID: <1295204945-sup-8177@xo15-sascha.sascha.silbe.org>

Excerpts from Werner Koch's message of Fri Jan 14 21:01:45 +0100 2011:

> It would definitely be helpful because it makes a safe installation much
> easier. It will be used automagically and thus one does not need to
> fiddle with suspend scripts. All the password managers would benefit
> from that as they all have the same problem.

> The main threat model would be a stolen laptop with cached passphrases
> in suspend or hibernation mode. Might also be useful for smartphones.

Sounds nice for some users. But please don't forget about users who
don't want their pass phrase to be forgotten during suspend:

1. Users on systems that aggressively auto-suspend during regular
   operation (e.g. on the OLPC XO).
2. Users with a threat model that doesn't consider "stolen during
   suspend-to-RAM" to be different from "stolen while powered on".

So please make it easy to opt out from, preferably both on a system-wide
(to deactivate it for all applications that might make use of it) and
a per-user basis (i.e. without requiring root access).

Sascha

--
http://sascha.silbe.org/
http://www.infra-silbe.de/

From kloecker at kde.org Sun Jan 16 22:24:58 2011
From: kloecker at kde.org (Ingo Klöcker)
Date: Sun, 16 Jan 2011 22:24:58 +0100
Subject: gpg command output language???
In-Reply-To:
References: <201101161221.14519__30896.8700156131$1295176969$gmane$org@thufir.ingo-kloecker.de>
Message-ID: <201101162225.03430@thufir.ingo-kloecker.de>

On Sunday 16 January 2011, Bo Berglund wrote:
> On Sun, 16 Jan 2011 12:21:07 +0100, Ingo Klöcker
>
> wrote:
> >> Additionally: What am I supposed to enter as "langid" in such an
> >> environment variable? "ENGLISH", "EN", "409" or what?
> >
> >Try "C". This should give you untranslated (and thus English)
> >messages.
>
> Did not work at all...

Hmm. Yeah. I should have read the text from the man page. It says
"[...] gpgdir/gnupg.nls/langid.mo. Here gpgdir is the directory out of
which the gpg binary has been loaded."

So you need to locate the directory gpgdir/gnupg.nls and look for
available *.mo files. If there does not seem to be a file for English
then try to guess the langid for English from the langids of the
available languages.


Regards,
Ingo
From bird_112 at hotmail.com Mon Jan 17 02:29:55 2011
From: bird_112 at hotmail.com (jack seth)
Date: Mon, 17 Jan 2011 01:29:55 +0000
Subject: How to create non-standard key pair
In-Reply-To:
References:
Message-ID:

> Message: 8
> Date: Sat, 15 Jan 2011 08:01:55 +1100
> From: Ben McGinnes
> To: gnupg-users at gnupg.org
> Subject: Re: How to create non-standard key pair
> Message-ID: <4D30B9C3.2080901 at adversary.org>
> Content-Type: text/plain; charset="utf-8"
>
> On 13/01/11 6:10 AM, jack seth wrote:
> > I am needing to do some testing with these size keys. Can someone
> > advise me on how to modify the code to generate these keys?
>
> Seriously? Really? Well, okay ... this is for GnuPG 1.4.11 on a *nix
> platform:
>
> Extract the tarball, cd to /path/to/gnupg-1.4.11/g10 then open
> keygen.c in a text editor. Jump down to line no. 1,580 and change
> this:
>
> unsigned nbits, min, def=2048, max=4096;
>
> To this:
>
> unsigned nbits, min, def=2048, max=16384;
>
> Then do the configure, make, make install dance.
>
> There are, of course, no guarantees that this will play nice with
> others and if you're trying to do this on Windows, I can't help.
>
>
> Regards,
> Ben
>

Thanks for the assistance.

From wk at gnupg.org Mon Jan 17 11:03:48 2011
From: wk at gnupg.org (Werner Koch)
Date: Mon, 17 Jan 2011 11:03:48 +0100
Subject: gpg command output language???
In-Reply-To: (Bo Berglund's message of "Sun, 16 Jan 2011 20:45:45 +0100")
References: <4D32B0A8.1010206__39204.5401539237$1295167759$gmane$org@gmail.com>
 <201101161221.14519__30896.8700156131$1295176969$gmane$org@thufir.ingo-kloecker.de>
Message-ID: <878vyju9rv.fsf@vigenere.g10code.de>

On Sun, 16 Jan 2011 20:45, bo.berglund at gmail.com said:

> I set the environment variable to "C" and then ran gpg2 -h. Example of
> output:

Use

  set LC_MESSAGES=C

> Characters used for the Swedish umlauted chars ?????? are completely
> wrong...

They are UTF-8 encoded. The console has problems to render them,
though.


Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From bo.berglund at gmail.com Sat Jan 15 21:40:00 2011
From: bo.berglund at gmail.com (Bo Berglund)
Date: Sat, 15 Jan 2011 21:40:00 +0100
Subject: What does the "sub" entry of a key mean?
In-Reply-To: <8739otgbpu.fsf@servo.finestructure.net>
References: <59ED2A86-3282-48F7-AA54-E54CE24E7311__18051.2872910642$1295112569$gmane$org@jabberwocky.com>
 <80p3j6lvdlaeuhe8p3qalkedn85o8ab99u@4ax.com>
 <8739otgbpu.fsf@servo.finestructure.net>
Message-ID: <6879B4AC6E874085A4DA54DA0C9C9143@agiusa.com>

Thanks, downloaded the GPG sources and located DETAILS.
Now have to read document, but it seems doable at least...

/Bo B

-----Original Message-----
From: Jameson Rollins [mailto:jrollins at finestructure.net]
Sent: den 15 januari 2011 21:21
To: bo.berglund at gmail.com; gnupg-users at gnupg.org
Subject: Re: What does the "sub" entry of a key mean?

On Sat, 15 Jan 2011 19:17:27 +0100, Bo Berglund wrote:
> Thanks, indeed the --with-colons gave a completely different output...
> I was just about to ask of the date format (if it changes between
> operating systems or such) but now I have a different problem in
> understanding the machine readable format.
>
> Very hard to understand. Is there a parsing guide somewhere?

Hi, Bo. There should be a file called DETAILS (in doc/DETAILS in the
gnupg source, or maybe included with your local installation) that
describes in detail the meaning of the --with-colons output. It's
exactly the reference you're looking for when writing a program to parse
the --with-colons output.

Good luck!

jamie.


$ head gnupg2-2.0.14/doc/DETAILS
 -*- text -*-
Format of colon listings
========================
First an example:

$ gpg --fixed-list-mode --with-colons --list-keys \
      --with-fingerprint --with-fingerprint wk at gnupg.org

pub:f:1024:17:6C7EE1B8621CC013:899817715:1055898235::m:::scESC:
fpr:::::::::ECAF7590EB3443B5C7CF3ACB6C7EE1B8621CC013:
$

From bmarwell at googlemail.com Mon Jan 17 14:14:46 2011
From: bmarwell at googlemail.com (Benjamin Marwell)
Date: Mon, 17 Jan 2011 14:14:46 +0100
Subject: gpg command output language???
In-Reply-To: <878vyju9rv.fsf@vigenere.g10code.de>
References: <4D32B0A8.1010206__39204.5401539237$1295167759$gmane$org@gmail.com>
 <201101161221.14519__30896.8700156131$1295176969$gmane$org@thufir.ingo-kloecker.de>
 <878vyju9rv.fsf@vigenere.g10code.de>
Message-ID:

Hi there,

LANG=C is always ANSII. For UTF-8 use en_EN.UTF-8.

Regards.

2011/1/17 Werner Koch :
> On Sun, 16 Jan 2011 20:45, bo.berglund at gmail.com said:
>
>> I set the environment variable to "C" and then ran gpg2 -h. Example of
>> output:
>
> Use
>
> set LC_MESSAGES=C
>
>> Characters used for the Swedish umlauted chars ?????? are completely
>> wrong...
>
> They are UTF-8 encoded. The console has problems to render them,
> though.
>
>
> Salam-Shalom,
>
>    Werner
>
> --
> Thoughts are free. Exceptions are regulated by a federal law.
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

From JPClizbe at tx.rr.com Mon Jan 17 19:46:47 2011
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Mon, 17 Jan 2011 12:46:47 -0600
Subject: What does the "sub" entry of a key mean?
In-Reply-To: <201101161741.02585@thufir.ingo-kloecker.de>
References: <87r5cdt2tx.fsf__33030.8988377967$1295183483$gmane$org@vigenere.g10code.de>
 <201101161741.02585@thufir.ingo-kloecker.de>
Message-ID: <4D348E97.5060704@tx.rr.com>

Ingo Klöcker wrote:
> On Sunday 16 January 2011, Bo Berglund wrote:
>> What is gpgme?
>> I found a very short reference on the GPG website:
>> http://www.gnupg.org/gpgme.html
>> But it talks about a "library" that applications should use to access
>> gpg. What does "library" mean?
>
> A library is similar to what in Pascal/Delphi is called a unit.
>
>
>> I looked at the download, but it looks like a source tree for some
>> kind of C program. :-(
>
> Well, it's the source tree of a C library.
>
>
>> I am programming in Pascal (Delphi or Lazarus with FPC).
>
> Then you'll need a Pascal-binding for gpgme. A quick Google search
> yielded bindings for many languages (e.g. Python, Ruby, C#/.NET), but
> not Pascal.

There's one at the Gnu Pascal site.
http://www.gnu-pascal.de/contrib/nicola/gpgme.pas

I became acquainted with it a little while the Enigmail gang were testing the
English translation of the Adele server. If memory serves, it was written for
gpgme v0.3.4, so it will need some "fixing" to support the API changes
introduced later (0.4 ?) and carried through to modern versions.

-John

--
John P. Clizbe                      Inet: John (a) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: gpgme.pas
Type: text/x-pascal
Size: 15155 bytes
Desc: not available
URL:

From wk at gnupg.org Mon Jan 17 20:22:33 2011
From: wk at gnupg.org (Werner Koch)
Date: Mon, 17 Jan 2011 20:22:33 +0100
Subject: gpg command output language???
In-Reply-To: (Benjamin Marwell's message of "Mon, 17 Jan 2011 14:14:46 +0100")
References: <4D32B0A8.1010206__39204.5401539237$1295167759$gmane$org@gmail.com>
 <201101161221.14519__30896.8700156131$1295176969$gmane$org@thufir.ingo-kloecker.de>
 <878vyju9rv.fsf@vigenere.g10code.de>
Message-ID: <87pqrvs5c6.fsf@vigenere.g10code.de>

On Mon, 17 Jan 2011 14:14, bmarwell at googlemail.com said:

> LANG=C is always ANSII. For UTF-8 use en_EN.UTF-8.

Sorry, we are talking about GnuPG's Windows port. The locale feature
under Windows is very different from what we all know. GnuPG uses its
own gettext implementation (common/w32-gettext.c) and if you check this
you will see that LC_MESSAGES is what we are looking for.


Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From bo.berglund at gmail.com Mon Jan 17 20:52:13 2011
From: bo.berglund at gmail.com (Bo Berglund)
Date: Mon, 17 Jan 2011 20:52:13 +0100
Subject: gpg command output language???
References: <4D32B0A8.1010206__39204.5401539237$1295167759$gmane$org@gmail.com>
 <201101161221.14519__30896.8700156131$1295176969$gmane$org@thufir.ingo-kloecker.de>
 <878vyju9rv.fsf__24299.6103632779$1295258815$gmane$org@vigenere.g10code.de>
Message-ID:

On Mon, 17 Jan 2011 11:03:48 +0100, Werner Koch wrote:

>On Sun, 16 Jan 2011 20:45, bo.berglund at gmail.com said:
>
>> I set the environment variable to "C" and then ran gpg2 -h. Example of
>> output:
>
>Use
>
>set LC_MESSAGES=C
>

Yes!
This did the trick. Now the language is indeed English.
Both on Win7 and WinXP.

--
Bo Berglund
Developer in Sweden

From kgo at grant-olson.net Mon Jan 17 22:03:03 2011
From: kgo at grant-olson.net (Grant Olson)
Date: Mon, 17 Jan 2011 16:03:03 -0500
Subject: Do smartcards stay unlocked forever by design?
Message-ID: <4D34AE87.4080805@grant-olson.net>

Hey all,

I've been using a smartcard for several months now. It's a cryptostick
if the model is important.

Every time I sign something, it asks me for my pin.
But once the card is unlocked, ssh authentication and decryption seem to happen forever, regardless of any ttl-cache settings in gpg-agent.conf. I just want to make sure I understand the semantics correctly. It seems: 1) Once I enter my pin, the card is unlocked as long as it's connected. 2) I get prompted when making a signature because the sig counter gets incremented, and that's a write operation to the card. Decrypting and authenticating don't prompt because the operations don't write to the card. 3) The proper way to 'lock' the card is to remove it from the reader. Is this correct? -- Grant "I am gravely disappointed. Again you have made me unleash my dogs of war." -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 559 bytes Desc: OpenPGP digital signature URL: From angelv64 at wanadoo.es Mon Jan 17 22:07:40 2011 From: angelv64 at wanadoo.es (Angel Vicente) Date: Mon, 17 Jan 2011 22:07:40 +0100 Subject: GnuPG in cybercafe In-Reply-To: <20110112214429.GA4348@angel.dominio.angel> References: <20110112214429.GA4348@angel.dominio.angel> Message-ID: <20110117210740.GA6998@angel.dominio.angel> On Wed, Jan 12, 2011 at 10:44:29PM +0100, Angel Vicente wrote: > Hello all.... Hello again.... > > I'm very newbie at GPG, I'm a Debian user for some years ago, but I have > nothing to see with GPG until now, I think I understand the main flow and uses > of GPG, but I have a doubt: > > suppose a group of friends, they want sign and/or cypher their email and files, > almost of them are Windows users, all have email accounts in Google, Yahoo, MSN, > etc, I think I could teach them to use Thunderbir+Enigmail or other..., but: > > there is one that hasn't got PC or laptop or anything so, he uses PCs in > cybercafes or public libraries, well, what about some portable apps in USB?, > answer: perhaps could be a good idea, but what about keyloggers in public > computers?, I'm worried about this. 
> > I've tried with Neo Safekeys, but seems doesn't work with pinentry from GPG4Win, > so what can we do?, is there a solution for use GPG in public PCs and for > possible keylogger at the same time? I've tried again with Neo Safekeys, and it works: using copy&paste doesn't work with pinentry, but drag&drop works fine, so I think I have all necessary pieces I've made a few tests and works O.K., now I'd like to crypt the file system on a USB stick. > > Best regards and thanks in advanced > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From cai.0407 at gmail.com Tue Jan 18 04:22:59 2011 From: cai.0407 at gmail.com (Kosuke Kaizuka) Date: Tue, 18 Jan 2011 12:22:59 +0900 Subject: OpenPGP for Android In-Reply-To: <4d328cbb.427a0e0a.561d.64b0SMTPIN_ADDED@mx.google.com> References: <4d328cbb.427a0e0a.561d.64b0SMTPIN_ADDED@mx.google.com> Message-ID: <4D350793.4000600@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Sun Jan 16 2011 14:12:42 GMT+0900, Malte Gell wrote: > In the Android Market there is APG. Has anyone tested it? Does it import keys with subkeys? By the way, is there an app that encrypts SMS with APG? Hi. I have already tested APG 1.0.8 with Android 2.1 on Xperia SO-01B (X10 family in Japan). APG... 1. can import keys with subkeys. 2. can not verify email signed by my self-signed key with Enigmail+Thunderbird. 3. ignores the encoding (always uses iso-8859-1). 4. does not support CAMELLIA. 5. has no integration with gmail app on 2.1. 
- -- Kosuke Kaizuka From danielmang at googlemail.com Tue Jan 18 07:35:12 2011 From: danielmang at googlemail.com (Daniel Mang) Date: Tue, 18 Jan 2011 07:35:12 +0100 Subject: OpenPGP for Android In-Reply-To: <4D350793.4000600@gmail.com> References: <4d328cbb.427a0e0a.561d.64b0SMTPIN_ADDED@mx.google.com> <4D350793.4000600@gmail.com> Message-ID: Hello There is also some info here http://geekyschmidt.com/2010/12/09/gpg-on-your-android-phone (I thought I had sent this to the list but in fact I had sent it only to Malte). It seems not very secure to put your private key on a mobile device, unless there is some way to encrypt the harddisk (in case the device is stolen or confiscated). Is there ? Cheers Daniel On Tue, Jan 18, 2011 at 04:22, Kosuke Kaizuka wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > On Sun Jan 16 2011 14:12:42 GMT+0900, Malte Gell wrote: >> In the Android Market there is APG. Has anyone tested it? Does it import keys with subkeys? By the way, is there an app that encrypts SMS with APG? > > Hi.
> > I have already tested APG 1.0.8 with Android 2.1 on Xperia SO-01B (X10 > family in Japan). > > APG... > > 1. can import keys with subkeys. > 2. can not verify email signed by my self-signed key with > Enigmail+Thunderbird. > 3. ignores the encoding (always uses iso-8859-1). > 4. does not support CAMELLIA. > 5. has no integration with gmail app on 2.1. > > - -- > Kosuke Kaizuka > From mailinglisten at hauke-laging.de Tue Jan 18 12:36:51 2011 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Tue, 18 Jan 2011 12:36:51 +0100 Subject: What is the benefit of signing an encrypted email In-Reply-To: <9F87CB14-A281-494E-801B-2190F30E3676@sixdemonbag.org> References: <201101121739.00627.mailinglisten@hauke-laging.de> <9F87CB14-A281-494E-801B-2190F30E3676@sixdemonbag.org> Message-ID: <201101181236.59404.mailinglisten@hauke-laging.de> Sorry, just found this one in my spam folder :-) Am
Mittwoch 12 Januar 2011 17:49:10 schrieb Robert J. Hansen: > > a) usual ("not thought about") email, just as a first hard line of > > defense against forgery > > Doesn't work. > > Here's the thought experiment I've been using for years. OK, I was not very clear about what exactly I meant. There are different types of attack. I thought about securing the real communication. If I regularly write emails to somebody and once he gets a mail that is not signed then he is to be distrustful. This is not about convincing someone that a certain email has not been written by me (as in your example) but to assure him that you have written certain emails. It is perfectly OK that GnuPG solves only one of these two problems. Incapability of solving the first is not an argument against solving the second. > The Dean, not a fool, points out, "well, Rob, that doesn't actually mean > anything. These opinions are so incendiary that if I wrote them I would > make it a point not to sign them, either, so that I could repudiate them > later. So why would somebody who cares about not being blamed for the content use an email address that refers to him? Somebody who cares about security? > Moral of the story: signatures do not protect against forgeries. They > protect *individual messages* against being *modified without detection*. Just in the case that this individual message is known by the receiver to be signed. In my opinion non-signing requires the receiver to be distrustful about the source. > ... The other reason this is a nonstarter: you're now increasing the > complexity of the system. But in a non-technical way. Everyone is used to the concept that cars, houses and mailboxes have locks of different quality. Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. 
URL: From peter at digitalbrains.com Tue Jan 18 12:37:11 2011 From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 18 Jan 2011 12:37:11 +0100 Subject: gpg command output language??? In-Reply-To: References: <4D32B0A8.1010206__39204.5401539237$1295167759$gmane$org@gmail.com> <310000186.20110116133914__22559.1883798645$1295188545$gmane$org@my_localhost> Message-ID: <4D357B67.3030608@digitalbrains.com> On -10/01/37 20:59, Bo Berglund wrote: > On Sun, 16 Jan 2011 13:39:14 +0000, MFPA >> I'm using GnuPG 1.4.x, not 2.x, and my copy of "GPG man page" is the >> text file called "gpg.man" that lives in the "DOC" folder under my >> GnuPG program directory. > > I have installed GPG2 as part of Gpg4Win 2.0.4 and there are no traces > at all of any doc folder or files.... The manual at [1] is, as far as I can see at a glance, largely the same as the gpg2 man page. A lot of your questions so far could have been answered by reading that manual. Also, you could fetch and unpack the source for GnuPG. It is bound to contain a lot of documentation for you as the developer of a new frontend, although a lot of the documentation will be there only in source format, not as the man pages or HTML files that would be generated from that source format. Peter. [1] -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt (new, larger key created on Nov 12, 2009) From rjh at sixdemonbag.org Tue Jan 18 15:31:30 2011 From: rjh at sixdemonbag.org (Robert J. 
Hansen) Date: Tue, 18 Jan 2011 09:31:30 -0500 Subject: What is the benefit of signing an encrypted email In-Reply-To: <201101181236.59404.mailinglisten@hauke-laging.de> References: <201101121739.00627.mailinglisten@hauke-laging.de> <9F87CB14-A281-494E-801B-2190F30E3676@sixdemonbag.org> <201101181236.59404.mailinglisten@hauke-laging.de> Message-ID: <4D35A442.8020107@sixdemonbag.org> On 1/18/11 6:36 AM, Hauke Laging wrote: > If I regularly write emails to somebody and once he gets a mail that > is not signed then he is to be distrustful. Why? This seems like you're saying, "I reserve the right to decide what someone else's security policy is, particularly which messages they trust and which they distrust." Which is totally bogus. > This is not about convincing someone that a certain email has not > been written by me (as in your example) but to assure him that you > have written certain emails. A good signature from a validated key belonging to a trusted person can do this. But that's it. > Incapability of solving the first is not an argument against solving > the second. It is an argument against believing that it does -- as in your example where the absence of a signature causes someone to distrust a message. A signature or the lack thereof cannot demonstrate that a message is untrustworthy. > So why would somebody who cares about not being blamed for the > content use an email address that refers to him? Somebody who cares > about security? A good rule of thumb is that nobody is as smart as they think. Master criminals are few and far between. People make mistakes, and malcontents are no exception. Claiming, "I never signed up for that, look at that email address, would I do that?", would receive a response of, "Rob, are you forgetting I've had you in some of my classes? I've /seen/ some of the brainos you've made on exams. I don't find it implausible." > In my opinion non-signing requires the receiver to be distrustful > about the source. 
You don't get to decide this. The receiver gets to decide his or her own policy. > But in a non-technical way. I doubt you will find many people who agree that your proposal does not increase the technical complexity. From tiago at xroot.org Tue Jan 18 15:50:48 2011 From: tiago at xroot.org (Tiago Faria) Date: Tue, 18 Jan 2011 14:50:48 +0000 Subject: OpenPGP for Android In-Reply-To: References: <4d328cbb.427a0e0a.561d.64b0SMTPIN_ADDED@mx.google.com> <4D350793.4000600@gmail.com> Message-ID: <20110118145048.692c2ff0@stacker> On Tue, 18 Jan 2011 07:35:12 +0100 Daniel Mang wrote: > It seems not very secure to put your private key on a mobile device, > unless there is some way to encrypt the harddisk (in case the device > is stolen or confiscated). Is there ? There has been some discussion and development on LUKS in the Android. Not sure what the current state is. Some relevant links: XDA-Developers thread: http://forum.xda-developers.com/showthread.php?t=866131 Screenshot: http://i.imgur.com/K1K9i.jpg HowTo: https://androidvoid.wordpress.com/2009/09/30/android-encryption-using-cryptsetup-and-luks/ -- Tiago Faria | http://xroot.org OpenPGP Key ID: 0xB9466FB4 | http://xroot.org/contact FingerPrint: 27FB 1E35 81B8 5626 9450 EAFC 2517 8AB4 B946 6FB4 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 835 bytes Desc: not available URL: From bernhard at intevation.de Tue Jan 18 15:14:36 2011 From: bernhard at intevation.de (Bernhard Reiter) Date: Tue, 18 Jan 2011 15:14:36 +0100 Subject: GnuPG 2.1 beta released In-Reply-To: <87ocagzzh9.fsf@vigenere.g10code.de> References: <87ocagzzh9.fsf@vigenere.g10code.de> Message-ID: <201101181514.40474.bernhard@intevation.de> Am Dienstag, 26. 
Oktober 2010 18:32:34 schrieb Werner Koch: > ftp://ftp.gnupg.org/gcrypt/gnupg/unstable/gnupg-2.1.0beta1.tar.bz2 Looks like it needs libassuan-2.0.1 and the configure check for this does not indicate it when running with libassuan-dev 2.0.0-0kk1. BTW: Was there an announcement of libassuan 2.0.1? asshelp.c: In function ‘setup_libassuan_logging’: asshelp.c:87: error: ‘ASSUAN_LOG_CONTROL’ undeclared (first use in this function) asshelp.c:87: error: (Each undeclared identifier is reported only once asshelp.c:87: error: for each function it appears in.) make[3]: *** [libcommon_a-asshelp.o] Fehler 1 -- Managing Director - Owner: www.intevation.net (Free Software Company) Deputy Coordinator Germany: fsfe.org. Board member: www.kolabsys.com. Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998 Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3696 bytes Desc: not available URL: From marco+gnupg at websource.ch Tue Jan 18 17:21:44 2011 From: marco+gnupg at websource.ch (Marco Steinacher) Date: Tue, 18 Jan 2011 11:21:44 -0500 Subject: Do smartcards stay unlocked forever by design? In-Reply-To: <4D34AE87.4080805@grant-olson.net> References: <4D34AE87.4080805@grant-olson.net> Message-ID: <4D35BE18.1020504@websource.ch> On 01/17/2011 04:03 PM, Grant Olson wrote: > I've been using a smartcard for several months now. It's a cryptostick > if the model is important. Every time I sign something, it asks me for > my pin. But once the card is unlocked, ssh authentication and > decryption seem to happen forever, regardless of any ttl-cache settings > in gpg-agent.conf. I just want to make sure I understand the semantics > correctly. > > It seems: > > 1) Once I enter my pin, the card is unlocked as long as it's connected. Yes.
> 2) I get prompted when making a signature because the sig counter gets > incremented, and that's a write operation to the card. Decrypting and > authenticating don't prompt because the operations don't write to the card. I think it's rather because signing is considered more precarious than decrypting or authenticating and not because it involves a write operation. You can disable this behavior by changing the signature PIN flag to 'not forced' with 'gpg --card-edit'. > 3) The proper way to 'lock' the card is to remove it from the reader. Yes, or if you can reload the scdaemon with 'gpgconf --reload scdaemon'. This should have the same effect. I wrote a small script that does this for me whenever the smartcard hasn't been used for some time. I do this to reduce the chance that someone can use the unlocked card while I'm away or when I forget to pull the card. Marco From nicholas.cole at gmail.com Tue Jan 18 19:12:00 2011 From: nicholas.cole at gmail.com (Nicholas Cole) Date: Tue, 18 Jan 2011 18:12:00 +0000 Subject: What is the benefit of signing an encrypted email In-Reply-To: References: Message-ID: On Tue, Jan 11, 2011 at 10:04 AM, jimbob palmer wrote: > In Firefox I can sign or encrypt or encrypt+sign an e-mail. > > In what case would I want my encrypted emails also signed? Does it > provide any additional benefit over a pure encrypted email? It is, in fact, trivial to 'forge' email - that is to send email pretending to be someone else. All you need to do is tell your computer to send out email with a different "From:" line. Most smtp servers will forward an email from an authenticated user (or from anyone on the network) without checking that the From line matches their approved email address. This is, for the most part, a feature, not a bug. There are various schemes to prevent this from being possible (or at least undetectable) and OpenPGP offers one way - albeit one that places a great demand on the sysadmin or the user or both. 
In fact, email is forged every day in just this way - but most of it is such obvious spam that it is easier for the human eye to weed out than it is to set up an OpenPGP, which is why so few people have ever done so. Back when I was a student a friend of a friend of a friend got very drunk and started forging emails in this way pretending to be the Dean. But even these were such obvious forgeries, and the other email headers were so detailed, that it did not require OpenPGP to detect him. Best wishes, Nicholas From kloecker at kde.org Tue Jan 18 21:09:52 2011 From: kloecker at kde.org (Ingo =?iso-8859-1?q?Kl=F6cker?=) Date: Tue, 18 Jan 2011 21:09:52 +0100 Subject: What is the benefit of signing an encrypted email In-Reply-To: <4D35A442.8020107@sixdemonbag.org> References: <201101181236.59404.mailinglisten@hauke-laging.de> <4D35A442.8020107@sixdemonbag.org> Message-ID: <201101182109.53268@thufir.ingo-kloecker.de> On Tuesday 18 January 2011, Robert J. Hansen wrote: > On 1/18/11 6:36 AM, Hauke Laging wrote: > > This is not about convincing someone that a certain email has not > > been written by me (as in your example) but to assure him that you > > have written certain emails. > > A good signature from a validated key belonging to a trusted person > can do this. But that's it. Agreed. The question is what does it take for a key to be considered validated and for a person to be trusted? In the end those decisions are up to the receiver, but I think in certain scenarios (e.g. a mailing list like this one) me signing all of my messages could result in me building a certain reputation and consequently trust in me and messages signed with my key. Of course, I could still be totally untrustworthy. In the end, all you know for certain is that all of those messages that were apparently sent by me were signed with the same key. Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part. URL: From wk at gnupg.org Tue Jan 18 23:45:27 2011 From: wk at gnupg.org (Werner Koch) Date: Tue, 18 Jan 2011 23:45:27 +0100 Subject: Do smartcards stay unlocked forever by design? In-Reply-To: <4D34AE87.4080805@grant-olson.net> (Grant Olson's message of "Mon, 17 Jan 2011 16:03:03 -0500") References: <4D34AE87.4080805@grant-olson.net> Message-ID: <87bp3dsuew.fsf@vigenere.g10code.de> On Mon, 17 Jan 2011 22:03, kgo at grant-olson.net said: > 1) Once I enter my pin, the card is unlocked as long as it's connected. It depends on the card application. For the OpenPGP card it is true for key 2 and 3. For key 1 see below. A reset operation locks the keys again. (Try: gpg-connect-agent 'scd reset' /bye) > 2) I get prompted when making a signature because the sig counter gets > incremented, and that's a write operation to the card. Decrypting and No, that is because the forcesig flag is set; this requires a verify command before a crypto command with key 1. "gpg --edit-key", then "admin" and then "forcesig" toggles this flag. > 3) The proper way to 'lock' the card is to remove it from the reader. Yeah, powering it down is a pretty reliable way to lock all keys. Recall that the card is a regular computer - a bit small by today's desktop standards, but still a fully working CPU with RAM, ROM and I/O. Removing it from the readers is like pulling out the mains plug. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From kavalec at gmail.com Wed Jan 19 16:46:36 2011 From: kavalec at gmail.com (Kavalec) Date: Wed, 19 Jan 2011 07:46:36 -0800 (PST) Subject: Missing 'END PGP MESSAGE' not detected Message-ID: <30711102.post@talk.nabble.com> Using GnuPG 1.4.4 we occasionally receive truncated files, but gpg decrypts them anyway. Is there a way to force the decrypt to fail on a missing 'END PGP MESSAGE' ? Thank you!
-- View this message in context: http://old.nabble.com/Missing-%27END-PGP-MESSAGE%27-not-detected-tp30711102p30711102.html Sent from the GnuPG - User mailing list archive at Nabble.com. From dshaw at jabberwocky.com Wed Jan 19 17:46:07 2011 From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 19 Jan 2011 11:46:07 -0500 Subject: Missing 'END PGP MESSAGE' not detected In-Reply-To: <30711102.post@talk.nabble.com> References: <30711102.post@talk.nabble.com> Message-ID: On Jan 19, 2011, at 10:46 AM, Kavalec wrote: > > Using GnuPG 1.4.4 we occasionally receive truncated files, but gpg decrypts > them anyway. > > Is there a way to force the decrypt to fail on a missing 'END PGP MESSAGE' ? Not really (or at least, not within GnuPG). The thing is, it doesn't really matter in practice. OpenPGP has its own corruption detection called a MDC, that applies even if part of the armor (the "END PGP MESSAGE") is missing. A truncated message won't decrypt. MDC is turned on by default, but it is worth checking to confirm there isn't something switching it off. To do this, take one of your truncated files and run: gpg --list-packets the-truncated-file.asc Look for a line that reads "mdc_method: 2". If you see that, you are protected from truncation no matter what your transport system does. David From kavalec at gmail.com Wed Jan 19 18:09:52 2011 From: kavalec at gmail.com (Kavalec) Date: Wed, 19 Jan 2011 09:09:52 -0800 (PST) Subject: Missing 'END PGP MESSAGE' not detected In-Reply-To: References: <30711102.post@talk.nabble.com> Message-ID: <30711942.post@talk.nabble.com> David Shaw wrote: > > On Jan 19, 2011, at 10:46 AM, Kavalec wrote: > >> Is there a way to force the decrypt to fail on a missing 'END PGP >> MESSAGE' ? > > ... take one of your truncated files and run: > > gpg --list-packets the-truncated-file.asc > > Look for a line that reads "mdc_method: 2". If you see that, you are > protected from truncation no matter what your transport system does. 
> > David > > Thanks David, that does give a 'fatal' error indicator, which we can test for. -- View this message in context: http://old.nabble.com/Missing-%27END-PGP-MESSAGE%27-not-detected-tp30711102p30711942.html Sent from the GnuPG - User mailing list archive at Nabble.com. From dshaw at jabberwocky.com Wed Jan 19 18:46:10 2011 From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 19 Jan 2011 12:46:10 -0500 Subject: Missing 'END PGP MESSAGE' not detected In-Reply-To: <30711942.post@talk.nabble.com> References: <30711102.post@talk.nabble.com> <30711942.post@talk.nabble.com> Message-ID: <254F8D7D-0515-4213-8B8C-768E56DBB369@jabberwocky.com> On Jan 19, 2011, at 12:09 PM, Kavalec wrote: > > > David Shaw wrote: >> >> On Jan 19, 2011, at 10:46 AM, Kavalec wrote: >> >>> Is there a way to force the decrypt to fail on a missing 'END PGP >>> MESSAGE' ? >> >> ... take one of your truncated files and run: >> >> gpg --list-packets the-truncated-file.asc >> >> Look for a line that reads "mdc_method: 2". If you see that, you are >> protected from truncation no matter what your transport system does. >> >> David >> >> > > Thanks David, that does give a 'fatal' error indicator, which we can test > for. You can either use --status-fd and look for: [GNUPG:] GOODMDC or [GNUPG:] BADMDC Or just check the return code from the gpg binary. If it fails (for whatever reason), the return code won't be zero. David From wk at gnupg.org Wed Jan 19 19:20:28 2011 From: wk at gnupg.org (Werner Koch) Date: Wed, 19 Jan 2011 19:20:28 +0100 Subject: Missing 'END PGP MESSAGE' not detected In-Reply-To: (David Shaw's message of "Wed, 19 Jan 2011 11:46:07 -0500") References: <30711102.post@talk.nabble.com> Message-ID: <87ei88rc0j.fsf@vigenere.g10code.de> On Wed, 19 Jan 2011 17:46, dshaw at jabberwocky.com said: > Not really (or at least, not within GnuPG). The thing is, it doesn't > really matter in practice. 
OpenPGP has its own corruption detection > called a MDC, that applies even if part of the armor (the "END PGP > MESSAGE") is missing. A truncated message won't decrypt. In addition all armored PGP messages use CRC for the armor. GPG complains about a missing or invalid CRC (unless option --ignore-crc-error) is used. In such a case the return code will always be nonzero. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Wed Jan 19 19:29:35 2011 From: wk at gnupg.org (Werner Koch) Date: Wed, 19 Jan 2011 19:29:35 +0100 Subject: What is the benefit of signing an encrypted email In-Reply-To: <201101182109.53268@thufir.ingo-kloecker.de> ("Ingo =?utf-8?Q?Kl=C3=B6cker=22's?= message of "Tue, 18 Jan 2011 21:09:52 +0100") References: <201101181236.59404.mailinglisten@hauke-laging.de> <4D35A442.8020107@sixdemonbag.org> <201101182109.53268@thufir.ingo-kloecker.de> Message-ID: <87aaiwrblc.fsf@vigenere.g10code.de> Hi! I'd like to see a feature in MUAs to wrap the entire mail as presented in the composer into a message/rfc822 container and send the actual message out with the same headers as in the rfc822 container. This allows to sign the entire mail including the headers. On the receiving site the MUA should figure out that the signed headers match the actual ones and visually indicate the message including the header as signed. This is fully MIME compliant and should not break any MIME aware mailer (except for those only claiming to support MIME). Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. 
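The wrapping Werner proposes above, sketched with Python's standard `email` package as an added example (not code from the list or from any MUA): the composed mail goes into a `message/rfc822` container, its headers are repeated on the outer message, and the receiver compares the two sets. The addresses, the `PROTECTED` header list and all function names are assumptions; the OpenPGP signature over the container is left to the signing layer.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Headers the receiver wants to find unchanged (assumed list for this example).
PROTECTED = ("From", "To", "Reply-To", "Subject", "Date")


def build_sample():
    """Constructed sample mail, as the composer would present it."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "gnupg-users@lists.example.org"
    msg["Reply-To"] = "alice@example.org"
    msg["Subject"] = "Signed headers test"
    msg["Date"] = "Wed, 19 Jan 2011 19:29:35 +0100"
    msg.set_content("Body text of the mail.\n")
    return msg


def wrap_for_signing(inner):
    """Put `inner` into a message/rfc822 container and repeat its headers outside.

    The container is the part an OpenPGP/MIME layer would then sign.
    """
    outer = EmailMessage()
    for name, value in inner.items():
        lowered = name.lower()
        if lowered.startswith("content-") or lowered == "mime-version":
            continue  # MIME headers describe the inner body, not the mail
        outer[name] = str(value)
    outer.set_content(inner)  # a Message object becomes a message/rfc822 part
    return outer


def _norm(values):
    """Collapse whitespace so that refolding in transit is not a mismatch."""
    return [" ".join(str(v).split()) for v in (values or [])]


def header_mismatches(received):
    """Compare the outer headers with those inside the signed container.

    Returns {header: (outer_values, signed_values)} for every difference.
    """
    container = next((part for part in received.walk()
                      if part.get_content_type() == "message/rfc822"), None)
    if container is None:
        raise ValueError("no message/rfc822 container to compare against")
    signed = container.get_payload(0)
    diffs = {}
    for name in PROTECTED:
        outer_values = _norm(received.get_all(name))
        signed_values = _norm(signed.get_all(name))
        if outer_values != signed_values:
            diffs[name] = (outer_values, signed_values)
    return diffs


def transit(msg, rewrite=None):
    """Serialise and re-parse `msg`; `rewrite` simulates a relay changing headers."""
    received = message_from_string(msg.as_string(), policy=policy.default)
    for name, value in (rewrite or {}).items():
        del received[name]
        received[name] = value
    return received


if __name__ == "__main__":
    outer = wrap_for_signing(build_sample())
    print(header_mismatches(transit(outer)))
    print(header_mismatches(
        transit(outer, {"Reply-To": "gnupg-users@lists.example.org"})))
```

A receiving MUA would mark the headers as signed only when the signature over the container verifies and `header_mismatches` returns an empty dict.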
From dshaw at jabberwocky.com Wed Jan 19 19:32:00 2011 From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 19 Jan 2011 13:32:00 -0500 Subject: Missing 'END PGP MESSAGE' not detected In-Reply-To: <87ei88rc0j.fsf@vigenere.g10code.de> References: <30711102.post@talk.nabble.com> <87ei88rc0j.fsf@vigenere.g10code.de> Message-ID: On Jan 19, 2011, at 1:20 PM, Werner Koch wrote: > On Wed, 19 Jan 2011 17:46, dshaw at jabberwocky.com said: > >> Not really (or at least, not within GnuPG). The thing is, it doesn't >> really matter in practice. OpenPGP has its own corruption detection >> called a MDC, that applies even if part of the armor (the "END PGP >> MESSAGE") is missing. A truncated message won't decrypt. > > In addition all armored PGP messages use CRC for the armor. GPG > complains about a missing or invalid CRC (unless option > --ignore-crc-error) is used. In such a case the return code will always > be nonzero. If I remember correctly, GPG only complains for invalid CRC. A missing CRC is legal, as the CRC is a MAY. David From wk at gnupg.org Wed Jan 19 19:32:38 2011 From: wk at gnupg.org (Werner Koch) Date: Wed, 19 Jan 2011 19:32:38 +0100 Subject: Do smartcards stay unlocked forever by design? In-Reply-To: <4D35BE18.1020504@websource.ch> (Marco Steinacher's message of "Tue, 18 Jan 2011 11:21:44 -0500") References: <4D34AE87.4080805@grant-olson.net> <4D35BE18.1020504@websource.ch> Message-ID: <8762tkrbg9.fsf@vigenere.g10code.de> On Tue, 18 Jan 2011 17:21, marco+gnupg at websource.ch said: > for me whenever the smartcard hasn't been used for some time. I do this > to reduce the chance that someone can use the unlocked card while I'm > away or when I forget to pull the card. That does only help if you have a pinpad equipped reader. If someone is able to use your system he will also be able to log your keystrokes - he can't do that for the pinpad, though. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. 
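For the "Missing 'END PGP MESSAGE' not detected" thread above: David Shaw's two checks (the gpg return code, and GOODMDC/BADMDC on --status-fd) combined in one wrapper. This is an added example, not code from the thread; the function names and the temporary-file handling are assumptions, and the sample status text is constructed for illustration.

```python
import os
import subprocess
import tempfile

STATUS_PREFIX = "[GNUPG:] "

# Constructed status output for illustration (not captured from a real run).
SAMPLE_INTACT = (
    "[GNUPG:] BEGIN_DECRYPTION\n"
    "[GNUPG:] GOODMDC\n"
    "[GNUPG:] END_DECRYPTION\n"
)
SAMPLE_TRUNCATED = (
    "[GNUPG:] BEGIN_DECRYPTION\n"
    "[GNUPG:] BADMDC\n"
    "[GNUPG:] END_DECRYPTION\n"
)
SAMPLE_NO_MDC = (
    "[GNUPG:] BEGIN_DECRYPTION\n"
    "[GNUPG:] END_DECRYPTION\n"
)


def status_keywords(status_text):
    """Return the keywords of all '[GNUPG:] KEYWORD ...' lines, in order."""
    found = []
    for line in status_text.splitlines():
        if line.startswith(STATUS_PREFIX):
            fields = line[len(STATUS_PREFIX):].split()
            if fields:
                found.append(fields[0])
    return found


def verdict(returncode, status_text):
    """Decide whether a decryption result may be used.

    Accept only when gpg exited with 0, reported GOODMDC and never BADMDC.
    Returns (ok, reason).
    """
    keywords = status_keywords(status_text)
    if returncode != 0:
        return False, "gpg exit code %d" % returncode
    if "BADMDC" in keywords:
        return False, "BADMDC reported"
    if "GOODMDC" not in keywords:
        return False, "no GOODMDC status seen"
    return True, "GOODMDC"


def decrypt_checked(src, dest, gpg="gpg"):
    """Decrypt src to dest; dest appears only if verdict() accepts the run.

    gpg writes plaintext while it reads, before the MDC at the end of the
    message is checked, so the output goes to a temporary file first.
    Assumes the secret key can be used without interaction (--batch).
    """
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dest)))
    os.close(fd)
    try:
        proc = subprocess.run(
            [gpg, "--batch", "--yes", "--status-fd", "1",
             "--output", tmp, "--decrypt", src],
            stdout=subprocess.PIPE, stderr=subprocess.PIPE,
            universal_newlines=True)
        ok, reason = verdict(proc.returncode, proc.stdout)
        if ok:
            os.replace(tmp, dest)
        return ok, reason
    finally:
        if os.path.exists(tmp):
            os.remove(tmp)  # discard partial or rejected plaintext
```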
From wk at gnupg.org Wed Jan 19 19:34:25 2011 From: wk at gnupg.org (Werner Koch) Date: Wed, 19 Jan 2011 19:34:25 +0100 Subject: GnuPG 2.1 beta released In-Reply-To: <201101181514.40474.bernhard@intevation.de> (Bernhard Reiter's message of "Tue, 18 Jan 2011 15:14:36 +0100") References: <87ocagzzh9.fsf@vigenere.g10code.de> <201101181514.40474.bernhard@intevation.de> Message-ID: <871v48rbda.fsf@vigenere.g10code.de> On Tue, 18 Jan 2011 15:14, bernhard at intevation.de said: > Looks like it needs libassuan-2.0.1 and the configure check for this does not > indicate it when running with libassuan-dev 2.0.0-0kk1. Right, the check is missing. I'll add it. > BTW: Was there an announcement of libassuan 2.0.1? Probably not. I don't write announcements for all library changes. The configure script should have informed the user of this requirement. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From gollo at fsfe.org Wed Jan 19 19:35:38 2011 From: gollo at fsfe.org (Martin Gollowitzer) Date: Wed, 19 Jan 2011 19:35:38 +0100 Subject: What is the benefit of signing an encrypted email In-Reply-To: <87aaiwrblc.fsf@vigenere.g10code.de> References: <201101181236.59404.mailinglisten@hauke-laging.de> <4D35A442.8020107@sixdemonbag.org> <201101182109.53268@thufir.ingo-kloecker.de> <87aaiwrblc.fsf@vigenere.g10code.de> Message-ID: <20110119183538.GA27342@wingback.gollo.at> Hi Werner, * Werner Koch [110119 19:31]: > I'd like to see a feature in MUAs to wrap the entire mail as presented > in the composer into a message/rfc822 container and send the actual > message out with the same headers as in the rfc822 container. This > allows to sign the entire mail including the headers. On the receiving > site the MUA should figure out that the signed headers match the actual > ones and visually indicate the message including the header as signed. 
> This is fully MIME compliant and should not break any MIME aware mailer > (except for those only claiming to support MIME). I think this would be really great. Do you think it's worth the effort to contact the developers of Thunderbird/Enigmail, Mutt, Gnus and some others that support OpenPGP about this? Thanks, Martin -- For extra security, this message has been encrypted with double-ROT13. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 490 bytes Desc: not available URL: From mailinglisten at hauke-laging.de Wed Jan 19 20:06:31 2011 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Wed, 19 Jan 2011 20:06:31 +0100 Subject: What is the benefit of signing an encrypted email In-Reply-To: <87aaiwrblc.fsf@vigenere.g10code.de> References: <201101182109.53268@thufir.ingo-kloecker.de> <87aaiwrblc.fsf@vigenere.g10code.de> Message-ID: <201101192006.31704.mailinglisten@hauke-laging.de> On Wednesday 19 January 2011 19:29:35, Werner Koch wrote: > I'd like to see a feature in MUAs to wrap the entire mail as presented > in the composer into a message/rfc822 container and send the actual > message out with the same headers as in the rfc822 container. This > allows to sign the entire mail including the headers. On the receiving > site the MUA should figure out that the signed headers match the actual > ones and visually indicate the message including the header as signed. I have asked for that before. At the last Linuxtag in Berlin no one from KDE or the BSI (which has paid for the crypto integration of KMail) accepted this as a problem which should be solved... In addition to what you just described I would like to have standardized dummy entries for the to and from field (probably seldom used but little effort to cover them, too) and the subject. That way you can also encrypt the headers.

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From wk at gnupg.org Wed Jan 19 21:01:12 2011
From: wk at gnupg.org (Werner Koch)
Date: Wed, 19 Jan 2011 21:01:12 +0100
Subject: Missing 'END PGP MESSAGE' not detected
In-Reply-To: (David Shaw's message of "Wed, 19 Jan 2011 13:32:00 -0500")
References: <30711102.post@talk.nabble.com> <87ei88rc0j.fsf@vigenere.g10code.de>
Message-ID: <87sjwopss7.fsf@vigenere.g10code.de>

On Wed, 19 Jan 2011 19:32, dshaw at jabberwocky.com said:

> If I remember correctly, GPG only complains for invalid CRC. A missing CRC is legal, as the CRC is a MAY.

I checked the code and there is a missing CRC message. I also recalled
that the CRC is a MAY. Looking again at it I noticed that I overlooked
one condition (the one which indicates that a CRC follows). Thus you
are right, the CRC is optional.

In any case the whole CRC and =====END PGP... is not relevant from a
cryptographic point of view.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Wed Jan 19 21:11:07 2011
From: wk at gnupg.org (Werner Koch)
Date: Wed, 19 Jan 2011 21:11:07 +0100
Subject: What is the benefit of signing an encrypted email
In-Reply-To: <20110119183538.GA27342@wingback.gollo.at> (Martin Gollowitzer's message of "Wed, 19 Jan 2011 19:35:38 +0100")
References: <201101181236.59404.mailinglisten@hauke-laging.de> <4D35A442.8020107@sixdemonbag.org> <201101182109.53268@thufir.ingo-kloecker.de> <87aaiwrblc.fsf@vigenere.g10code.de> <20110119183538.GA27342@wingback.gollo.at>
Message-ID: <87k4i0psbo.fsf@vigenere.g10code.de>

On Wed, 19 Jan 2011 19:35, gollo at fsfe.org said:

> I think this would be really great.
> Do you think it's worth the effort
> to contact the developers of Thunderbird/Enigmail, Mutt, Gnus and some

I guess you will run into problems if you enable that: Many MUAs are not
fully MIME compliant and may bail out on such messages. Needs some
tests - in particular with web mailers.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From kloecker at kde.org Wed Jan 19 21:25:30 2011
From: kloecker at kde.org (Ingo Klöcker)
Date: Wed, 19 Jan 2011 21:25:30 +0100
Subject: What is the benefit of signing an encrypted email
In-Reply-To: <87aaiwrblc.fsf@vigenere.g10code.de>
References: <201101182109.53268@thufir.ingo-kloecker.de> <87aaiwrblc.fsf@vigenere.g10code.de>
Message-ID: <201101192125.31276@thufir.ingo-kloecker.de>

On Wednesday 19 January 2011, Werner Koch wrote:
> Hi!
>
> I'd like to see a feature in MUAs to wrap the entire mail as
> presented in the composer into a message/rfc822 container and send
> the actual message out with the same headers as in the rfc822
> container. This allows to sign the entire mail including the
> headers. On the receiving site the MUA should figure out that the
> signed headers match the actual ones and visually indicate the
> message including the header as signed.

"figure out that the signed headers match the actual ones" may sound
easy, but it's actually an extremely tough task. Any mailing list
mangling the Reply-to header will break the signature. Any MTA, virus
checker, etc. beautifying or otherwise changing the existing headers
will break the signature. There would need to be some canonical format
for headers. But that's magnitudes harder than converting the body of an
email message to the canonical text format.

Still, it sounds like a neat idea.

> This is fully MIME compliant
> and should not break any MIME aware mailer (except for those only
> claiming to support MIME).

True. But those messages will look ugly in most mailers (even in those
that are fully MIME compliant).
In particular, web mailers will most likely not be able to view them
properly. Not that any serious email user would care about them. :-)

Regards,
Ingo

From dkg at fifthhorseman.net Wed Jan 19 22:37:29 2011
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 19 Jan 2011 16:37:29 -0500
Subject: signed headers for OpenPGP [was: Re: What is the benefit of signing an encrypted email]
In-Reply-To: <87aaiwrblc.fsf@vigenere.g10code.de>
References: <201101181236.59404.mailinglisten@hauke-laging.de> <4D35A442.8020107@sixdemonbag.org> <201101182109.53268@thufir.ingo-kloecker.de> <87aaiwrblc.fsf@vigenere.g10code.de>
Message-ID: <4D375999.4000008@fifthhorseman.net>

On 01/19/2011 01:29 PM, Werner Koch wrote:
> I'd like to see a feature in MUAs to wrap the entire mail as presented
> in the composer into a message/rfc822 container and send the actual
> message out with the same headers as in the rfc822 container. This
> allows to sign the entire mail including the headers. On the receiving
> site the MUA should figure out that the signed headers match the actual
> ones and visually indicate the message including the header as signed.
> This is fully MIME compliant and should not break any MIME aware mailer
> (except for those only claiming to support MIME).

That's a pretty elegant way to solve this problem, actually. You don't
even need the signed headers to match all the other headers (e.g. the
Received: headers won't be known at sign/send time, not to mention the
other dubious mangling that goes on at the MTA level that Ingo
mentioned).

I suspect that many spam engines might balk at an e-mail with a
top-level Content-Type: message/rfc822 though.

--dkg

From rixmann.ole at googlemail.com Sat Jan 22 16:39:10 2011
From: rixmann.ole at googlemail.com (Ole Rixmann)
Date: Sat, 22 Jan 2011 16:39:10 +0100
Subject: parsing gpg-key block
In-Reply-To: <4D2F8874.1050307@fifthhorseman.net>
References: <4D2F3D76.30109@googlemail.com> <4D2F8874.1050307@fifthhorseman.net>
Message-ID: <4D3AFA1E.6040607@googlemail.com>

Hi Group,
I am very thankful for the information I got about the rfc from dkg.
But now I have a problem which I can't solve with the rfc, so maybe
someone can help me again ;)

I am parsing a clear-signed signature of a text document
(signature-type 0x01), the data to be signed is a json-string without
newlines.... so nothing to replace with . and the first 16 bits of my
hash never match the first 16 bits provided from the signature.... and
as it is with hashes it's hard to debug what is wrong with my input...

a piece of example-data that I want to check:

{"2011-01-13 13:00":"cno","2011-01-13 14:00":"cno","2011-01-14":"cno","2011-01-15 13:00":"cno"}

this is prepended to the part of the signature-packet which is described
in section 5.2.4, although I'm not sure about my byte-array to string
conversion, but I first want to make sure that I'm not missing some
newlines or other data from the signed text....

maybe I should prepend this ? (without the lines starting with -----) ?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

{"2011-01-13 13:00":"cno","2011-01-13 14:00":"cno","2011-01-14":"cno","2011-01-15 13:00":"cno"}
-----BEGIN PGP SIGNATURE-----

or the json-string with a newline at the end?

Thanks in advance,
Ole Rixmann

On 14.01.11 00:19, Daniel Kahn Gillmor wrote:
> Hi Ole--
>
> On 01/13/2011 12:59 PM, Ole Rixmann wrote:
>> this is my first post ;)
> welcome!
>
>> I need to check gpg-rsa-signatures in JavaScript and for this to happen
>> I have
>> to parse key blocks produced with
>> "gpg --armor --export-options export-minimal --export 0xid".
>> To do the checking I need the rsa-parameters (like n and g) but I have
>> no clue how to extract them.
>> With "gpg --debug-all --list-packets keyfile" I get a whole lot of stuff
>> and I think the parameters are in there ;)
>> but it doesn't look good.
>>
>> So maybe someone can give me a hint?
> You're asking about some arcana, and your best reference for details is
> probably the RFC -- the OpenPGP format itself is specified in RFC 4880:
>
> https://tools.ietf.org/html/rfc4880
>
> export-minimal will usually produce nothing but:
>
> Public Keys:
>
> https://tools.ietf.org/html/rfc4880#section-5.5.2
>
> User IDs:
>
> https://tools.ietf.org/html/rfc4880#section-5.11
>
> and self-issued signatures:
>
> https://tools.ietf.org/html/rfc4880#section-5.2
>
> There may also be subkeys (which look like primary keys, but have a
> slightly different header), user Attributes (like user IDs, but jpegs
> instead of strings), and direct-key signatures.
>
> Signatures can of course have many different kinds of subpackets, which
> makes robust parsing of them a bigger project. But if you just want the
> RSA key material, you can ignore the signatures of course. This would
> mean that you wouldn't be able to verify that the key belongs to
> whoever you hope it belongs to (at least, not through OpenPGP). Only
> you can say whether that tradeoff makes sense for your particular
> application.
>
>> I would also be interested in information about exactly how gpg does
>> signing with rsa/sha-1.
> You probably want the info about "computing signatures":
>
> https://tools.ietf.org/html/rfc4880#section-5.2.4
>
> hth,
>
> --dkg

From runningutes at gmail.com Sun Jan 23 05:53:06 2011
From: runningutes at gmail.com (Michael Dansie)
Date: Sat, 22 Jan 2011 20:53:06 -0800
Subject: Gpg for iPhone or iPad
Message-ID: <3617509379343073546@unknownmsgid>

I love gpg and use it quite often. Do you know if there is an
application that can use gpg on the iOS platform either as an app or
as a jail broken feature?
Thank you, Michael Dansie

-----PGP Public Key-----
http://goo.gl/Na8FI

From benjamin at py-soft.co.uk Sun Jan 23 13:08:33 2011
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sun, 23 Jan 2011 12:08:33 +0000
Subject: Gpg for iPhone or iPad
In-Reply-To: <3617509379343073546@unknownmsgid>
References: <3617509379343073546@unknownmsgid>
Message-ID: <7108283007743812696@unknownmsgid>

On 23 Jan 2011, at 11:50, Michael Dansie wrote:

> Do you know if there is an
> application that can use gpg on the iOS platform either as an app or
> as a jail broken feature?

There's oPenPG Lite available from the App Store but it doesn't work
with my private key! YMMV of course!

Ben

From shavital at mac.com Sun Jan 23 17:48:22 2011
From: shavital at mac.com (Charly Avital)
Date: Sun, 23 Jan 2011 11:48:22 -0500
Subject: Gpg for iPhone or iPad
In-Reply-To: <7108283007743812696@unknownmsgid>
References: <3617509379343073546@unknownmsgid> <7108283007743812696@unknownmsgid>
Message-ID: <4D3C5BD6.4030304@mac.com>

Benjamin Donnachie wrote the following on 1/23/11 7:08 AM:
> There's oPenPG Lite available from the App Store but it doesn't work
> with my private key! YMMV of course!
>
> Ben

oPenGP Lite (couldn't find any version without the 'Lite').
This version works one way, it decrypts only, doesn't encrypt.
This is a PGP Corporation (owned by Symantec now) App, hence the upper
case PGP in oPenGP.

I don't know whether there is, or will be, a Mobile GnuPG what will work
under iPhone or iPad iOS.

I generated on my Mac a new key pair (default RSA/RSA 2048). I didn't
want to use my "regular" key.
Exported the secret key to the Mac's Desktop.
Connected the iPhone via iTunes (hardwired USB)
Imported the secret key to the iPhone via iTunes and an App called
'Files' .
In 'Files' I could see the key block, select all/copy.
Back to oPenGP, Import clipboard, ascertained that the key is now in the
keyring.
Back to 'Files', set an access locked code. Checked that it works.
Deleted the secret key keyblock.

Sent myself a test message encrypted with the public key of the above
keypair.
Downloaded the e-mail in iPhone, select all/copy.
Back to oPenGP, Import/Decrypt Clipboard, enter the passphrase. It works.

I don't feel at ease having my secret key in my iPhone, but I can learn
to live with it, if I really want to use this iPhone feature. I'm not
sure I want to.

Charly

From sk at intertivity.com Sun Jan 23 18:13:33 2011
From: sk at intertivity.com (Sascha Kiefer)
Date: Sun, 23 Jan 2011 18:13:33 +0100
Subject: Gpg for iPhone or iPad
In-Reply-To: <4D3C5BD6.4030304@mac.com>
References: <3617509379343073546@unknownmsgid> <7108283007743812696@unknownmsgid> <4D3C5BD6.4030304@mac.com>
Message-ID: <000901cbbb20$dda2c250$98e846f0$@com>

I am (slowly) working on a Mono Pgp Library to use it in a MonoTouch
Project. I'm doing it from scratch, using the RFC as a reference only.
Anybody interested to participate, just message me and I will get you
access on the github rep.

Regards,
--esskar

-----Original Message-----
From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Charly Avital
Sent: Sunday, January 23, 2011 5:48 PM
To: Benjamin Donnachie
Cc: gnupg-users at gnupg.org; Michael Dansie
Subject: Re: Gpg for iPhone or iPad

Benjamin Donnachie wrote the following on 1/23/11 7:08 AM:
> There's oPenPG Lite available from the App Store but it doesn't work
> with my private key! YMMV of course!
>
> Ben

oPenGP Lite (couldn't find any version without the 'Lite').
This version works one way, it decrypts only, doesn't encrypt.
This is a PGP Corporation (owned by Symantec now) App, hence the upper
case PGP in oPenGP.

I don't know whether there is, or will be, a Mobile GnuPG what will work
under iPhone or iPad iOS.

I generated on my Mac a new key pair (default RSA/RSA 2048). I didn't
want to use my "regular" key.
Exported the secret key to the Mac's Desktop.
Connected the iPhone via iTunes (hardwired USB)
Imported the secret key to the iPhone via iTunes and an App called
'Files' .
In 'Files' I could see the key block, select all/copy.
Back to oPenGP, Import clipboard, ascertained that the key is now in the
keyring.
Back to 'Files', set an access locked code. Checked that it works.
Deleted the secret key keyblock.

Sent myself a test message encrypted with the public key of the above
keypair.
Downloaded the e-mail in iPhone, select all/copy.
Back to oPenGP, Import/Decrypt Clipboard, enter the passphrase. It works.

I don't feel at ease having my secret key in my iPhone, but I can learn
to live with it, if I really want to use this iPhone feature. I'm not
sure I want to.

Charly

_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

From kloecker at kde.org Sun Jan 23 19:50:12 2011
From: kloecker at kde.org (Ingo Klöcker)
Date: Sun, 23 Jan 2011 19:50:12 +0100
Subject: Gpg for iPhone or iPad
In-Reply-To: <4D3C5BD6.4030304@mac.com>
References: <3617509379343073546@unknownmsgid> <7108283007743812696@unknownmsgid> <4D3C5BD6.4030304@mac.com>
Message-ID: <201101231950.21998@thufir.ingo-kloecker.de>

On Sunday 23 January 2011, Charly Avital wrote:
> Benjamin Donnachie wrote the following on 1/23/11 7:08 AM:
> > There's oPenPG Lite available from the App Store but it doesn't
> > work with my private key! YMMV of course!
> >
> > Ben
>
> oPenGP Lite (couldn't find any version without the 'Lite').
> This version works one way, it decrypts only, doesn't encrypt.
> This is a PGP Corporation (owned by Symantec now) App, hence the
> upper case PGP in oPenGP.
>
>
> I don't know whether there is, or will be, a Mobile GnuPG what will
> work under iPhone or iPad iOS.

Well, it's pretty clear that there will never be a Mobile GnuPG that is
available via Apple's App Store because the App Store is inherently
incompatible with Free Software released under the GPL.

Regards,
Ingo

From shavital at mac.com Sun Jan 23 21:02:11 2011
From: shavital at mac.com (Charly Avital)
Date: Sun, 23 Jan 2011 15:02:11 -0500
Subject: Gpg for iPhone or iPad
In-Reply-To: <201101231950.21998@thufir.ingo-kloecker.de>
References: <3617509379343073546@unknownmsgid> <7108283007743812696@unknownmsgid> <4D3C5BD6.4030304@mac.com> <201101231950.21998@thufir.ingo-kloecker.de>
Message-ID: <4D3C8943.7050908@mac.com>

Ingo Klöcker wrote the following on 1/23/11 1:50 PM:
>
> Well, it's pretty clear that there will never be a Mobile GnuPG that is
> available via Apple's App Store because the App Store is inherently
> incompatible with Free Software released under the GPL.

Thank you for your clarification.
Charly

From aguilarojo at gmail.com Sun Jan 23 20:21:29 2011
From: aguilarojo at gmail.com (Derick Centeno)
Date: Sun, 23 Jan 2011 14:21:29 -0500
Subject: Gpg for iPhone or iPad
In-Reply-To: <3617509379343073546@unknownmsgid>
References: <3617509379343073546@unknownmsgid>
Message-ID: <4D3C7FB9.8030500@gmail.com>

I came across this article which may be of interest to others in this
thread.

Here's the article:
http://anthonyvance.com/blog/forensics/iphone_encryption/

On 1/22/2011 11:53 PM, Michael Dansie wrote:
> I love gpg and use it quite often. Do you know if there is an
> application that can use gpg on the iOS platform either as an app or
> as a jail broken feature?
> Thank you, Michael Dansie
>
> -----PGP Public Key-----
> http://goo.gl/Na8FI

From shavital at mac.com Sun Jan 23 23:00:44 2011
From: shavital at mac.com (Charly Avital)
Date: Sun, 23 Jan 2011 17:00:44 -0500
Subject: Gpg for iPhone or iPad
In-Reply-To: <4D3C7FB9.8030500@gmail.com>
References: <3617509379343073546@unknownmsgid> <4D3C7FB9.8030500@gmail.com>
Message-ID: <4D3CA50C.5000000@mac.com>

Derick Centeno wrote the following on 1/23/11 2:21 PM:
> I came across this article which may be of interest to others in this
> thread.
>
> Here's the article:
> http://anthonyvance.com/blog/forensics/iphone_encryption/

Thank you Derick, very interesting.
I appreciate it,
Charly

From sharma.umesh1977 at gmail.com Mon Jan 24 06:03:35 2011
From: sharma.umesh1977 at gmail.com (hare krishna)
Date: Sun, 23 Jan 2011 21:03:35 -0800
Subject: Gpg for iPhone or iPad
In-Reply-To: <4D3CA50C.5000000@mac.com>
References: <3617509379343073546@unknownmsgid> <4D3C7FB9.8030500@gmail.com> <4D3CA50C.5000000@mac.com>
Message-ID:

Hi,

Can you please help me how can I avoid in printing the message at the
time of decrypting gpg file.

Here is the message

*gpg: Signature made Tue Jan 18 09:27:46 2011 PST using DSA key ID42D17C1B
gpg: Good signature from*

Regards,
Umesh

On Sun, Jan 23, 2011 at 2:00 PM, Charly Avital wrote:

> Derick Centeno wrote the following on 1/23/11 2:21 PM:
> > I came across this article which may be of interest to others in this
> > thread.
> >
> > Here's the article:
> > http://anthonyvance.com/blog/forensics/iphone_encryption/
>
>
> Thank you Derick, very interesting.
> I appreciate it,
> Charly

From rixmann.ole at googlemail.com Mon Jan 24 14:05:10 2011
From: rixmann.ole at googlemail.com (Ole Rixmann)
Date: Mon, 24 Jan 2011 14:05:10 +0100
Subject: checking gpg-signatures in JavaScript
Message-ID: <4D3D7906.90509@googlemail.com>

Hi List,
I wrote already 2 Mails and got some help but I don't get any further by
myself...
I want to check gpg-clearsigned-signatures in JS, and with the rfc
https://tools.ietf.org/html/rfc4880 I had some success.
The problem that I have right now is to produce the Hash-value which is
to be signed (to be checked).
I have an example to state my problem:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

{"2011-01-13 13:00":"cno","2011-01-13 14:00":"cno","2011-01-14":"cno","2011-01-15 13:00":"cno"}
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)

iQIcBAEBAgAGBQJNPLs/AAoJEEH+GXMF1XjpY5MQAMSG7NcEJBEV7/mkeEtac1q7
cCYGzPBMnYlu3wY1/Jre6HPzfvY+x8kSsPMHIefndKDCcDFOqyEKpUe3rLZC9kBS
0yJ1Dewcz7/2tTrc6Yq6QfHXyalwpWk+I99bZpALQW5W3xh+hKtlxsZlLVn0MUnZ
r5ZReRhpxefyOhRfJRzVVImvDwUpBn6GrBjmAElQd/Z27ecNtprgUZ46HfA7wHKu
PjGmOHJzrbj34XPl7oqYS/tmE5AGIkyDYa7o81/8SODZxtBdztpZ48NBH9zgNcoV
32cdiGQ62S5DXUQeur+sL5z/vFMbcydtPeT2RW8gQ0Sgy6ogCwYt/QmtVFKNqJta
CNh6onchhkCywjBVpxlqRQBsWvionnIY3EMF7AnQ6DhiRvF6WzVB0n9GBZwX9rvf
0A8k7AnFbGA+hAK1Oq6takm0dP2zBrq1irNe2osJfYnVp5/2m4ok+dVECp5XVG/f
NgIQn1gOjflVzBotSG40VDbBKMNSjItU/xyWvR5h9Xd3p0W1940odUr1/wAwAZcM
ziWa5f2G0CdeTQUQ3dzP7ZvDZZepGP+uLYPEZCDvlI4ARWqC4IdlwVPDsYQbTm9a
BRzII51aiCHLuzQMNFy+Y91T655lhrsqQ6JMuURdhSGdcLvtJqZDWcyPaWflLaz/
nJlucBr0OdSQ04WkAlcA
=McmZ
-----END PGP SIGNATURE-----

The content-part is this (as
I understand the rfc):

{"2011-01-13 13:00":"cno","2011-01-13 14:00":"cno","2011-01-14":"cno","2011-01-15 13:00":"cno"}

This has to be concatenated with some data from the header of the
clearsigned Packet, I have:

4,1,1,2,0,6,5,2,77,60,187,63 (as byte-array)

which looks sound

The Hash (SHA1) I get for the concatenation is:

ebfc31ab409ac2c4d43ac99421992fb41c7590c8

but the first 16 bits from the hash (included in the header) are:

0x6393

The whole value from which the hash is calculated (as byte-array because
some chars may change due to encoding):

123,34,50,48,49,49,45,48,49,45,49,51,32,49,51,58,48,48,34,58,34,99,110,111,34,44,34,50,48,49,49,45,48,49,45,49,51,32,49,52,58,48,48,34,58,34,99,110,111,34,44,34,50,48,49,49,45,48,49,45,49,52,34,58,34,99,110,111,34,44,34,50,48,49,49,45,48,49,45,49,53,32,49,51,58,48,48,34,58,34,99,110,111,34,125,4,1,1,2,0,6,5,2,77,60,187,63

This can be inserted on a site like
http://home1.paulschou.net/tools/xlate/ to check the SHA1 value and from
what I see my SHA1 is correct.

I would be really happy if someone with knowledge of the implementation
could reproduce my values and tell me where I went wrong :)
I could give anyone with interest in it the code and would be willing to
opensource it when I have my work finished...
The system I'm working on is like www.doodle.com except that userdata is
encrypted and signed in the browser, I'm a student of computer science so
it's more a proof of concept.

Thanks in advance,
Ole Rixmann

From aguilarojo at gmail.com Mon Jan 24 14:16:28 2011
From: aguilarojo at gmail.com (Derick Centeno)
Date: Mon, 24 Jan 2011 08:16:28 -0500
Subject: Thunderbird/Live/Outlook users' habits
In-Reply-To: <20110124131532.59e02542@hal.movb.de>
References: <20110124110703.6dd2e6b6@hal.movb.de> <20110124104627.00006d46@surtees.fenrir.org.uk> <20110124114628.0dcadfaf@paperstreet.colino.net> <20110124131532.59e02542@hal.movb.de>
Message-ID: <4D3D7BAC.6010201@gmail.com>

In my view, what you are really discussing are how individuals parse or
associate ideas. It just so happens that what makes information
different from raw and discrete data are the cultural and religious
assumptions and context added to the data.

Briefly stated, as any Anthropologist and/or Psychologist will explain,
humans find it a nearly impossible task to separate their cultural
and/or religious assumptions from what individuals define as being
"logical". At the root of this problem are not merely these assumptions,
but language itself which incorporates and reaffirms these assumptions
continuously providing the illusion of support of the "logical"
appearance of the assumption. These prejudices, for lack of a better
term, influence not only what we see as "logical", but what we see or
accept as viable science.

This is a more intractable problem than writing any program or
straightforward script as the very foundation regarding what one
believes needs to be addressed or corrected is seen in terms of one's
individual, and usually untested, understanding.

Of course, although as a society humanity developed mathematics and
science to see such errors of thinking more clearly it is sadly also
obvious that history shows very clearly that more often than not, humans
require more than a generation at the minimum to catch such errors.

On 1/24/2011 7:15 AM, Tobias Nissen wrote:
> Colin Leroy wrote:
> [...]
>> I think a solution would be to remove In-Reply-To and References
>> headers using an action. The difficulty of it is that References can
>> span multiple lines.
> I could easily parse that, but there's another problem. Consider this
> thread:
>
> A
> -> B
> -> ...
> -> C (new)
> -> D (my reply)
> -> E (others' replies)
> -> F (others' reply)
> -> ...
>
> Let's say C is the subthread with the changed subject line, that is
> supposed to be a new thread. Of course I could go on and remove those
> references. C would then stand alone as the beginning of a new thread.
> My reply to C (D) and replies to my reply (E) would then correctly be
> filed under that new thread.
>
> But direct replies to C (F) would still contain some references to the
> old thread, A in this case. It doesn't really matter what Claws does in
> this case, my guess would be to still file the reply under C. But all
> direct replies to C would still have those "stale" references to A.
>
> I don't consider this a good idea. Say for some reason I'd want to
> delete message C. I would then expect that all replies to C would either
> stand alone or form *new* thread beginnings. Instead, at least that's
> a behaviour I observed in my past MUAs, all those messages would again
> be filed under A. Maybe not right then, but surely when the index is
> rebuilt for some reason.
>
> I think there's no way around building a sophisticated filtering
> mechanism. I think it's really hard to do right.
>
>
> _______________________________________________
> Users mailing list
> Users at lists.claws-mail.org
> http://lists.claws-mail.org/cgi-bin/mailman/listinfo/users

From benjamin at py-soft.co.uk Tue Jan 25 00:07:25 2011
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Mon, 24 Jan 2011 23:07:25 +0000
Subject: MacGPG2 v2.0.17 released!
In-Reply-To:
References:
Message-ID:

On 24 January 2011 23:03, Benjamin Donnachie wrote:
> What's New
> bit Intel Macs running OS X Leopard (10.5) and higher.

Cut and paste failed me. It should have read:

What's New
=========

* Supports 32- and 64-bit Intel Macs running OS X Leopard (10.5) and higher.

From benjamin at py-soft.co.uk Tue Jan 25 00:03:40 2011
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Mon, 24 Jan 2011 23:03:40 +0000
Subject: MacGPG2 v2.0.17 released!
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MacGPG2, a build of GnuPG2 for MacOSX with a native pinentry program,
has been updated to GnuPG v2.0.17.

Download available from
https://github.com/downloads/GPGTools/MacGPG2/MacGPG2-2.0.17.6.zip and
detached signature at
https://github.com/downloads/GPGTools/MacGPG2/MacGPG2-2.0.17.6.zip.asc

* Tiger and PPC chips no longer supported.
* v2.0.16 will be deleted from your system.
* You may need to change the file path for gpg2 to /usr/local/MacGPG2/bin/gpg2
* Removal now as simple as "sudo rm -fr /usr/local/MacGPG2"

Support available from the GPGTools mailing list -
http://www.gpgtools.org/about.html

Release notes follow:

Please use the detached signature to confirm the integrity of your
download prior to install. Public key needed available from
http://www.gpgtools.org/

Unzip the archive and then run the MacGPG2 installer.

* MD5 (MacGPG2-2.0.17.zip) = f682dda810d665ed68e321dd9d230350
* 121,836 downloads of MacGPG2 from 165 countries in two years!

What's New
bit Intel Macs running OS X Leopard (10.5) and higher.
* Core upgraded to GnuPG v2.0.17
  = Configured to use standard socket and daemonise gpg agent on the fly if required
* Maximum key size increased to 8192 bits; recommended for expert users only
* Includes GPGTools gpg-agent cache-id option patch
* Pinentry updated by GPGTools team and includes keychain support
* Installs exclusively under /usr/local/MacGPG2/ removing previous v2.0.16 install
* Creates default gpg configuration file if none exists
* Libksba upgraded to v1.1.0
* Libusb upgraded to v1.0.8

Credits
=====

* Werner Koch and the GnuPG Project, http://www.gnupg.org/
* Stéphane Corthésy for the launchd patches.
* Charly Avital for his patient testing.
* Dr Alun J Carr for his kind donation.

Noteworthy changes in GnuPG version 2.0.17 (2011-01-13)
- -------------------------------------------------

* Allow more hash algorithms with the OpenPGP v2 card.
* The gpg-agent now te gpg-agent.conf on a HUP.
* Fixed output of "gpgconf --check-options".
* Fixed a bug where Scdaemon sends a signal to Gpg-agent running in non-daemon mode.
* Fixed TTY management for pinentries and session variable update problem.
* Minor bug fixes.

From shavital at mac.com Tue Jan 25 08:17:01 2011
From: shavital at mac.com (Charly Avital)
Date: Tue, 25 Jan 2011 02:17:01 -0500
Subject: MacGPG2 2.0.17
In-Reply-To: <20110125014204.GA2708@mini.hansaeditions.net>
References: <1295889613.20180.1416952385@webmail.messagingengine.com> <4D3DBDDA.5080405@mac.com> <20110125014204.GA2708@mini.hansaeditions.net>
Message-ID: <4D3E78ED.9050000@mac.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Kevin Kammer wrote the following on 1/24/11 8:42 PM:
> Thanks for the suggestion, but having deactivated everything GnuPG
> related that was installed by MacPorts, and running the latest GPGTools
> installer offered from their website, I ended up with far more problems
> than I solved. So, for the time being I am going to revert to gpg from
> MacPorts and use Mutt when I need to sign or encrypt something directly
> from the mail client.
>
> Thanks again,
> Kevin

To the best of my knowledge, there was no need to deactivate the
MacPorts installation, but it can't hurt to have done so.

I have not run the GPGTools installer, I have run the MacGPG2 2.0.17
released a few hours ago by Ben Donnachie:
> MacGPG2, a build of GnuPG2 for MacOSX with a native pinentry program,
> has been updated to GnuPG v2.0.17.
>
> Download available from
> https://github.com/downloads/GPGTools/MacGPG2/MacGPG2-2.0.17.6.zip and
> detached signature at
> https://github.com/downloads/GPGTools/MacGPG2/MacGPG2-2.0.17.6.zip.asc

And *everything* related to MacGPG2, Thunderbird+Enigmail and GPGMail
1.3.2.RC1 is running just fine:
- - decrypt/verify
- - encrypt
- - sign

Ditto for test commands in Terminal, such as:
ps waux | grep gpg-agent
echo test | gpg2 -aser [your user name] | gpg2

Best regards,
Charly

From wk at gnupg.org Tue Jan 25 09:50:45 2011
From: wk at gnupg.org (Werner Koch)
Date: Tue, 25 Jan 2011 09:50:45 +0100
Subject: MacGPG2 v2.0.17 released!
In-Reply-To: (Benjamin Donnachie's message of "Mon, 24 Jan 2011 23:03:40 +0000")
References:
Message-ID: <87pqrlmknu.fsf@vigenere.g10code.de>

On Tue, 25 Jan 2011 00:03, benjamin at py-soft.co.uk said:

> * Maximum key size increased to 8192 bits; recommended for expert users only

I do not think this is a good idea. There is no point in such a long key
size. The simplest reason against this is that the keysize is not the
weakest link in the system - at least the bugs in the software prevail
all such theoretical improvements.
Another and real practical reason against such a long key is that it
will be unusable on my smartphone.

From past experience we know that many users will use such ridiculous
long keys. As of now I have only 1 8k RSA key in my keyring compared to
22 4k, 108 2k and 172 1k. I hope we can keep the number of 8k keys at
bay until everyone will be using ECC.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From johanw at vulcan.xs4all.nl Tue Jan 25 11:03:16 2011
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Tue, 25 Jan 2011 11:03:16 +0100
Subject: MacGPG2 v2.0.17 released!
In-Reply-To: <87pqrlmknu.fsf@vigenere.g10code.de>
References: <87pqrlmknu.fsf@vigenere.g10code.de>
Message-ID: <4D3E9FE4.4080706@vulcan.xs4all.nl>

On 25-1-2011 9:50, Werner Koch wrote:

> Another and real practical
> reason against such a long key is that it will be unusable on my
> smartphone.

What kind of smartphone do you have? Since when does GnuPG exist for
phones? I would be really interested in a Symbian version, or I would
have to wait for Meego to become adult.

> From past experience we know that many users will use such ridiculous
> long keys.

Ah, the good old CKT builds. :-)

> As of now I have only 1 8k RSA key in my keyring compared to
> 22 4k, 108 2k and 172 1k. I hope we can keep the number of 8k keys at
> bay until everyone will be using ECC.

I have a 3k ElGamal key (reasoning: 3k is supposed to be just a bit
stronger than 128 bits which makes my secret key not the weakest point
but also not longer than that, using 4k or even larger would make the
symmetric algo the weaker point), is 3k not an option for RSA?
--
Kind regards,

Johan Wevers

From aguilarojo at gmail.com Mon Jan 24 11:42:07 2011
From: aguilarojo at gmail.com (Derick Centeno)
Date: Mon, 24 Jan 2011 05:42:07 -0500
Subject: Gpg for iPhone or iPad
In-Reply-To:
References: <3617509379343073546@unknownmsgid> <4D3C7FB9.8030500@gmail.com> <4D3CA50C.5000000@mac.com>
Message-ID: <4D3D577F.6090301@gmail.com>

An HTML attachment was scrubbed...
URL:

From aguilarojo at gmail.com Mon Jan 24 13:31:48 2011
From: aguilarojo at gmail.com (Derick Centeno)
Date: Mon, 24 Jan 2011 07:31:48 -0500
Subject: Gpg for iPhone or iPad - Addendum
In-Reply-To:
References: <3617509379343073546@unknownmsgid> <4D3C7FB9.8030500@gmail.com> <4D3CA50C.5000000@mac.com>
Message-ID: <4D3D7134.7090808@gmail.com>

An HTML attachment was scrubbed...
URL:

From benjamin at py-soft.co.uk Tue Jan 25 12:07:49 2011
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Tue, 25 Jan 2011 11:07:49 +0000
Subject: MacGPG2 v2.0.17 released!
In-Reply-To: <87pqrlmknu.fsf@vigenere.g10code.de>
References: <87pqrlmknu.fsf@vigenere.g10code.de>
Message-ID: <6860529263118609527@unknownmsgid>

On 25 Jan 2011, at 08:55, Werner Koch wrote:

>> * Maximum key size increased to 8192 bits; recommended for expert users only
>
> I do not think this is a good idea.

I personally agree with you and it was only implemented due to user
demand. I'll look at a better way of implementing this request.

Take care,

Ben

From dshaw at jabberwocky.com Tue Jan 25 14:12:29 2011
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 25 Jan 2011 08:12:29 -0500
Subject: MacGPG2 v2.0.17 released!
In-Reply-To: <4D3E9FE4.4080706@vulcan.xs4all.nl>
References: <87pqrlmknu.fsf@vigenere.g10code.de> <4D3E9FE4.4080706@vulcan.xs4all.nl>
Message-ID: <447A2A92-E08D-4EEA-A6F5-E918097D32D8@jabberwocky.com>

On Jan 25, 2011, at 5:03 AM, Johan Wevers wrote:

> On 25-1-2011 9:50, Werner Koch wrote:
>
>> Another and real practical
>> reason against such a long key is that it will be unusable on my
>> smartphone.
>
> What kind of smartphone do you have? Since when does GnuPG exist for
> phones? I would be really interested in a Symbian version, or I would
> have to wait for Meego to become adult.
>
>> From past experience we know that many users will use such ridiculous
>> long keys.
>
> Ah, the good old CKT builds. :-)
>
>> As of now I have only 1 8k RSA key in my keyring compared to
>> 22 4k, 108 2k and 172 1k. I hope we can keep the number of 8k keys at
>> bay until everyone will be using ECC.
>
> I have a 3k ElGamal key (reasoning: 3k is supposed to be just a bit
> stronger than 128 bits which makes my secret key not the weakest point
> but also not longer than that, using 4k or even larger would make the
> symmetric algo the weaker point), is 3k not an option for RSA?

Yes, it is. In fact, 3k is the maximum size for a RSA key on the
OpenPGP smartcard.

David

From wk at gnupg.org Tue Jan 25 14:14:42 2011
From: wk at gnupg.org (Werner Koch)
Date: Tue, 25 Jan 2011 14:14:42 +0100
Subject: MacGPG2 v2.0.17 released!
In-Reply-To: <4D3E9FE4.4080706@vulcan.xs4all.nl> (Johan Wevers's message of "Tue, 25 Jan 2011 11:03:16 +0100")
References: <87pqrlmknu.fsf@vigenere.g10code.de> <4D3E9FE4.4080706@vulcan.xs4all.nl>
Message-ID: <877hdtm8fx.fsf@vigenere.g10code.de>

On Tue, 25 Jan 2011 11:03, johanw at vulcan.xs4all.nl said:

> What kind of smartphone do you have? Since when does GnuPG exist for
> phones? I would be really interested in a Symbian version, or I would
> have to wait for Meego to become adult.

N900 and HTC Touch Pro2, GnuPG 2.1 supports them.
See http://userbase.kde.org/Kontact_Touch/

> I have a 3k ElGamal key (reasoning: 3k is supposed to be just a bit
> stronger than 128 bits which makes my secret key not the weakest point
> but also not longer than that, using 4k or even larger would make the
> symmetric algo the weaker point), is 3k not an option for RSA?

Sure, it is faster than Elgamal. I merely looked at the RSA keys of my
own keyring (fwiw: 4 3k RSA keys).

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From patryk at debian.org Tue Jan 25 16:07:02 2011
From: patryk at debian.org (Patryk Cisek)
Date: Tue, 25 Jan 2011 16:07:02 +0100
Subject: SSH authentication using OpenPGP 2.0 smartcard
Message-ID: <20110125150518.GB3867@patryks-laptop.softexor.net>

Hi,

I've been successfully using OpenPGP smartcard for signing my Debian
uploads for a while now. Today I wanted to set it up also for SSH
public key authentication.

I'm using:
gnupg-2.0.17
libassuan-2.0.1
libgcrypt-1.4.6
libksba-1.1.0
pinentry-0.8.1
pinentry-qt-0.5.0

All installed into /usr/local.

Signing files using gpg2 works excellent.
But when I try:

$ /usr/local/bin/gpg-agent -vv --daemon --enable-ssh-support --scdaemon-program /usr/local/bin/scdaemon
gpg-agent[6534]: listening on socket `/tmp/gpg-sUL53i/S.gpg-agent'
gpg-agent[6534]: listening on socket `/tmp/gpg-x8sB4W/S.gpg-agent.ssh'
GPG_AGENT_INFO=/tmp/gpg-sUL53i/S.gpg-agent:6535:1; export GPG_AGENT_INFO;
SSH_AUTH_SOCK=/tmp/gpg-x8sB4W/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
SSH_AGENT_PID=6535; export SSH_AGENT_PID;
gpg-agent[6535]: gpg-agent (GnuPG) 2.0.17 started
$ GPG_AGENT_INFO=/tmp/gpg-sUL53i/S.gpg-agent:6535:1; export GPG_AGENT_INFO;
$ SSH_AUTH_SOCK=/tmp/gpg-x8sB4W/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
$ SSH_AGENT_PID=6535; export SSH_AGENT_PID;
$ ssh shell.dug.net.pl
gpg-agent[6535]: ssh handler 0x96e9348 for fd 7 started
gpg-agent[6535]: received ssh request of length 1
gpg-agent[6535]: ssh request handler for request_identities (11) started
gpg-agent[6535]: no running SCdaemon - starting it
gpg-agent[6535]: DBG: first connection to SCdaemon established
gpg-agent[6535]: ssh request handler for request_identities (11) ready
gpg-agent[6535]: sending ssh response of length 183
gpg-agent[6535]: received ssh request of length 409
gpg-agent[6535]: ssh request handler for sign_request (13) started
gpg-agent[6535]: DBG: detected card with S/N D27600012401020000050000009E0000
gpg-agent[6535]: starting a new PIN Entry
gpg-agent[6535]: smartcard signing failed: Bad PIN
gpg-agent[6535]: ssh request handler for sign_request (13) ready
gpg-agent[6535]: sending ssh response of length 1
Agent admitted failure to sign using the key.
Password:

I get a pinentry-qt4 prompt (just as for regular signing). But, as you
can see, gpg-agent says the PIN's been invalid.

At first I tried GnuPG shipped with Debian (gpg 2.0.14, libgcrypt
1.4.6). No luck, so I compiled newest GnuPG and dependencies (see
beginning of this mail), but still doesn't work.
I'm not sure if key's preferences are important, but I changed them
from the default values to:

gpg> showpref
[ unknown] (1). Patryk Cisek
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
[ unknown] (2) Prezu
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
[ unknown] (3) Patryk Cisek
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA1, SHA256, RIPEMD160
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
[ unknown] (4) Patryk Cisek
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
[ revoked] (5) Patryk Cisek
     Cipher: 3DES
     Digest: SHA1
     Compression: ZIP, Uncompressed
     Features: Keyserver no-modify
[ unknown] (6) Patryk Cisek
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA1, SHA256, RIPEMD160
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
[ unknown] (7) Patryk Cisek <102363 at student.pwr.wroc.pl>
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify

From kgo at grant-olson.net Tue Jan 25 18:16:02 2011
From: kgo at grant-olson.net (Grant Olson)
Date: Tue, 25 Jan 2011 12:16:02 -0500
Subject: SSH authentication using OpenPGP 2.0 smartcard
In-Reply-To: <20110125150518.GB3867@patryks-laptop.softexor.net>
References: <20110125150518.GB3867@patryks-laptop.softexor.net>
Message-ID: <4D3F0552.9030501@grant-olson.net>

On 1/25/11 10:07 AM, Patryk Cisek wrote:
> Hi,
>
> I've been successfully using OpenPGP smartcard for signing my Debian
> uploads for a while now. Today I wanted to set it up also for SSH
> public key authentication.
>

Did you create an authentication key? You might only have signing and
encryption keys. You need a third key for authentication. (A quick
look at pool.keyservers.net doesn't show an auth subkey.)

I just setup Debian 6.0RC1 last week. I have a key I've already been
using to ssh. I had no problems. Just needed to add some stuff to
.bashrc as documented in the manpage for gpg-agent.

--
Grant

"I am gravely disappointed. Again you have made me unleash my dogs of war."

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 570 bytes
Desc: OpenPGP digital signature
URL:

From kgo at grant-olson.net Tue Jan 25 18:39:33 2011
From: kgo at grant-olson.net (Grant Olson)
Date: Tue, 25 Jan 2011 12:39:33 -0500
Subject: SSH authentication using OpenPGP 2.0 smartcard
In-Reply-To: <4D3F0552.9030501@grant-olson.net>
References: <20110125150518.GB3867@patryks-laptop.softexor.net> <4D3F0552.9030501@grant-olson.net>
Message-ID: <4D3F0AD5.8050500@grant-olson.net>

On 1/25/11 12:16 PM, Grant Olson wrote:
>
> I just setup Debian 6.0RC1 last week. I have a key I've already been
> using to ssh. I had no problems. Just needed to add some stuff to
> .bashrc as documented in the manpage for gpg-agent.
>

Actually, I also needed to run 'gpgkey2ssh 0xDEADBEEF >>
~/.ssh/authorized_keys" so I could ssh into the box as well.

--
Grant

"I am gravely disappointed. Again you have made me unleash my dogs of war."

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 570 bytes
Desc: OpenPGP digital signature
URL:

From andrew.long at mac.com Tue Jan 25 18:58:41 2011
From: andrew.long at mac.com (Andrew Long)
Date: Tue, 25 Jan 2011 17:58:41 +0000
Subject: MacGPG2 v2.0.17 released!
In-Reply-To:
References:
Message-ID: <816F67BF-1D2C-4697-9BC0-F3AEE7453725@mac.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 24 Jan 2011, at 23:03, Benjamin Donnachie wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

I downloaded the new package and the detached key, but have not yet
done anything with them. The email, when processed by my current
macgpg2 installation (2.0.14) complains about

Bad signature from Benjamin Donnachie !
No signature creation date available
Key fingerprint: 7A88 447C 2EF4 209C 6D46 A1E8 49B8 D9AF 8FA3 F8B8

This is what gpg --list-sigs --fingerprint thinks about Ben's public
key, after I did a gpg --refresh-keys (Ben's key was unchanged). I've
had similar results for Alexander Willner as Alex at Willner.ws and as
GPGTools Project Team (Official OpenPGP Key) m although recent
signatures from Charly Avital are good.
pub 1024D/8FA3F8B8 2002-02-14 [expires: 2011-02-28]
    Key fingerprint = 7A88 447C 2EF4 209C 6D46 A1E8 49B8 D9AF 8FA3 F8B8
uid Benjamin Donnachie
sig   A57A8EFA 2006-06-08 Charly Avital
sig 3 8FA3F8B8 2008-09-07 Benjamin Donnachie
sig 3 8FA3F8B8 2006-02-12 Benjamin Donnachie
sig 3 8FA3F8B8 2006-07-14 Benjamin Donnachie
sig 3 8FA3F8B8 2007-08-18 Benjamin Donnachie
sig 3 8FA3F8B8 2009-10-27 Benjamin Donnachie
sig 3 8FA3F8B8 2010-02-28 Benjamin Donnachie
sig 3 8FA3F8B8 2008-09-16 Benjamin Donnachie
uid Benjamin Donnachie
sig 3 8FA3F8B8 2008-09-16 Benjamin Donnachie
sig 3 8FA3F8B8 2009-10-27 Benjamin Donnachie
sig 3 8FA3F8B8 2010-02-28 Benjamin Donnachie
sig 3 8FA3F8B8 2008-09-07 Benjamin Donnachie
sub 4096R/74635136 2005-03-28 [expires: 2011-02-28]
sig   8FA3F8B8 2010-02-28 Benjamin Donnachie
sub 4096R/F9B855FC 2005-03-29 [expires: 2011-02-28]
sig   8FA3F8B8 2010-02-28 Benjamin Donnachie

Is this a non-fatal warning, or should I be paying attention to the
message? If so, how can I fix whatever is going wrong?

Regards, Andy
- - --
Andrew Long
andrew dot long at mac dot com

From remco at webconquest.com Tue Jan 25 19:06:22 2011
From: remco at webconquest.com (Remco Rijnders)
Date: Tue, 25 Jan 2011 19:06:22 +0100
Subject: [gpgtools-users] MacGPG2 v2.0.17 released!
In-Reply-To: <816F67BF-1D2C-4697-9BC0-F3AEE7453725@mac.com>
References: <816F67BF-1D2C-4697-9BC0-F3AEE7453725@mac.com>
Message-ID: <102.6273@winter.webconquest.com>

On Tue, Jan 25, 2011 at 05:58:41PM +0000, Andrew Long wrote:
>I downloaded the new package and the detached key, but have not yet done
>anything with them. The email, when processed by my current macgpg2
>installation (2.0.14) complains about
>
>Bad signature from Benjamin Donnachie !
>No signature creation date available
>Key fingerprint: 7A88 447C 2EF4 209C 6D46 A1E8 49B8 D9AF 8FA3 F8B8
>
>Is this a non-fatal warning, or should I be paying attention to the
>message? If so, how can I fix whatever is going wrong?

For what it's worth... using gpg on my linux box with the mutt mail
client also complains about bad signatures on Benjamin's emails.

Cheers,

Remco

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL:

From wk at gnupg.org Tue Jan 25 20:39:28 2011
From: wk at gnupg.org (Werner Koch)
Date: Tue, 25 Jan 2011 20:39:28 +0100
Subject: SSH authentication using OpenPGP 2.0 smartcard
In-Reply-To: <4D3F0AD5.8050500@grant-olson.net> (Grant Olson's message of "Tue, 25 Jan 2011 12:39:33 -0500")
References: <20110125150518.GB3867@patryks-laptop.softexor.net> <4D3F0552.9030501@grant-olson.net> <4D3F0AD5.8050500@grant-olson.net>
Message-ID: <8739ogn573.fsf@vigenere.g10code.de>

On Tue, 25 Jan 2011 18:39, kgo at grant-olson.net said:

> Actually, I also needed to run 'gpgkey2ssh 0xDEADBEEF >>
> ~/.ssh/authorized_keys" so I could ssh into the box as well.

You should use

ssh-add -L

which gives you the public key. The comment field has the card number.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
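
The point made in the message above (an `ssh-add -L` line is the public key, and its comment field carries the card number), as an added example that is not part of the original thread: a parser that decodes the RSA blob of such a line, reports modulus size and fingerprints, and selects card-backed keys by their `cardno:` comment before they go into authorized_keys. The function names, the `min_bits` policy parameter and the sample keys are assumptions of this example; the sample moduli are constructed and are not usable keys.

```python
import base64
import hashlib
import struct


def read_string(buf, off):
    """Read one SSH wire 'string': uint32 big-endian length, then that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated field body")
    return buf[off + 4:end], end


def mpint(n):
    """Encode a non-negative integer as an SSH mpint (0x00 pad if the top bit is set)."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big") if n else b""
    return struct.pack(">I", len(raw)) + raw


def make_rsa_line(e, n, comment):
    """Build an 'ssh-rsa <base64> <comment>' line; used only to construct sample input."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def parse_pubkey_line(line):
    """Parse one `ssh-add -L` line (type, base64 blob, optional comment) for an RSA key."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)  # raises a ValueError subclass on junk
    inner_type, off = read_string(blob, 0)
    if inner_type.decode("ascii", "replace") != key_type:
        raise ValueError("key type outside and inside the blob disagree")
    if key_type != "ssh-rsa":
        raise ValueError("only ssh-rsa is handled in this example")
    e_raw, off = read_string(blob, off)
    n_raw, off = read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the modulus")
    md5 = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    is_card = comment.startswith("cardno:")
    return {
        "bits": int.from_bytes(n_raw, "big").bit_length(),
        "exponent": int.from_bytes(e_raw, "big"),
        # Colon-separated MD5 is the fingerprint style `ssh-add -l` prints in this thread.
        "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha256,
        "comment": comment,
        "card_serial": comment[len("cardno:"):] if is_card else None,
    }


def select_card_keys(agent_output, min_bits):
    """Split agent output into lines fit for authorized_keys and (line, reason) rejects.

    min_bits is a local policy choice of this example, not something the thread sets.
    """
    accepted, rejected = [], []
    for line in agent_output.splitlines():
        if not line.strip():
            continue
        try:
            key = parse_pubkey_line(line)
        except ValueError as exc:
            rejected.append((line, str(exc)))
            continue
        if key["card_serial"] is None:
            rejected.append((line, "not a card key (no cardno: comment)"))
        elif key["bits"] < min_bits:
            rejected.append((line, "%d-bit modulus below policy minimum" % key["bits"]))
        else:
            accepted.append(line.strip())
    return accepted, rejected


# Constructed sample input: two card-backed keys and one ordinary agent key.
SAMPLE_AGENT_OUTPUT = "\n".join([
    make_rsa_line(65537, (1 << 2047) | 1, "cardno:000500000001"),
    make_rsa_line(65537, (1 << 1023) | 1, "cardno:000500000002"),
    make_rsa_line(65537, (1 << 2047) | 3, "user@laptop"),
])

if __name__ == "__main__":
    ok, bad = select_card_keys(SAMPLE_AGENT_OUTPUT, min_bits=2048)
    for entry in ok:
        k = parse_pubkey_line(entry)
        print(k["bits"], k["md5"], k["comment"])
    for entry, why in bad:
        print("skipped:", why)
```

Feeding it the real output of `ssh-add -L` instead of the sample gives the lines to append to ~/.ssh/authorized_keys on the server; a line such as "The agent has no identities." lands in the rejected list rather than in the file.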

From sindegra at gmail.com Wed Jan 26 01:59:21 2011
From: sindegra at gmail.com (Joseph Ziff)
Date: Tue, 25 Jan 2011 19:59:21 -0500
Subject: Future plans for implementation of other algorithms
Message-ID: <4D3F71E9.9000302@sindegra.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Just out of curiosity (this might be the wrong mailing list for this so
I apologize in advance if that is the case), are there any plans for
implementing any other encryption/signing algorithms in GPG and if so
what are they?

- --
Joseph Ziff , ,

This email was signed for authenticity with GnuPG version 2.0.17. See
http://www.gnupg.org for information on state-of-the-art secure signing
and encryption software compatible with the openPGP standard. Reclaim
your right to privacy now.

From kgo at grant-olson.net Wed Jan 26 05:21:53 2011
From: kgo at grant-olson.net (Grant Olson)
Date: Tue, 25 Jan 2011 23:21:53 -0500
Subject: Future plans for implementation of other algorithms
In-Reply-To: <4D3F71E9.9000302@sindegra.com>
References: <4D3F71E9.9000302@sindegra.com>
Message-ID: <4D3FA161.3050904@grant-olson.net>

On 01/25/2011 07:59 PM, Joseph Ziff wrote:
> Just out of
curiosity (this might be the wrong mailing list for this so
> I apologize in advance if that is the case), are there any plans for
> implementing any other encryption/signing algorithms in GPG and if so
> what are they?

I think it's really the OpenPGP specs that drive the algorithms
included in gnupg. There's no point in adding something if other
OpenPGP implementations don't understand it.

Right now there's a draft RFC to include Elliptic Curve Cryptography in
OpenPGP, but it hasn't been finalized yet. That's probably the next big
algo. Just this week on gnupg-devel, Werner announced a git branch
containing an implementation of Elliptic Curve Cryptography for 2.1.

Even after that code hits the gnupg mainline and the RFC gets approved,
it might be a while before you can reliably assume people can handle
ECC, given the number of people and distros that still default to 1.4.
(Not that I'm saying there's anything wrong with using 1.4; I just
doubt ECC will be back-ported.)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 565 bytes
Desc: OpenPGP digital signature
URL:

From patryk at debian.org Wed Jan 26 08:20:12 2011
From: patryk at debian.org (Patryk Cisek)
Date: Wed, 26 Jan 2011 08:20:12 +0100
Subject: SSH authentication using OpenPGP 2.0 smartcard
In-Reply-To: <4D3F0552.9030501@grant-olson.net>
References: <20110125150518.GB3867@patryks-laptop.softexor.net> <4D3F0552.9030501@grant-olson.net>
Message-ID: <20110126072012.GB5674@patryks-laptop.softexor.net>

On Tue, Jan 25, 2011 at 12:16:02PM -0500, Grant Olson wrote:
> Did you create an authentication key? You might only have signing and
> encryption keys. You need a third key for authentication. (A quick
> look at pool.keyservers.net doesn't show an auth subkey.)

Yes, I've got authentication key:

$ ssh-add -l
1024 5d:20:6f:a5:ce:1e:a9:7c:04:57:89:5c:39:d9:93:52 cardno:00050000009E (RSA)
$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCiJsvSMy8riHYtEAp2rzXuKojMLYV17lmONjQQFX0iyn7Lvj+vX7fbDZTQFXFVIsoJ+xodg7wnnEZ6yRC6jKWDlxXTz33j58Lsb1IhrAvE6W6J2xlp1Vy9NG2QxLB/ua8Sjsd5pkW9O/iq/WqTCe+aANCwJZaEmJSjxA5qQzsCUQ== cardno:00050000009E
$ /usr/local/bin/gpg2 --card-status
Application ID ...: D27600012401020000050000009E0000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 0000009E
Name of cardholder: Patryk Cisek
Language prefs ...: en
Sex ..............: male
URL of public key : [not set]
Login data .......: patryk
Signature PIN ....: forced
Key attributes ...: 1024R 1024R 1024R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 177
Signature key ....: FDB4 BB34 728E 9F2B 5FD1 4087 0086 2F45 F39C 318F
      created ....: 2010-05-09 15:36:43
Encryption key....: 153C C0D0 F94A 4F81 94CC 4B58 811F 4C7E FA9A 8135
      created ....: 2010-05-03 09:19:49
Authentication key: B264 C524 FDF1 4F3F AD35 7952 2867 6067 9789 6319
      created ....: 2010-05-03 09:20:13
General key info..: pub 1024R/F39C318F 2010-05-09 Patryk Cisek
sec# 1024D/D86A66BA created: 2004-06-14 expires: never
ssb> 1024R/F39C318F created: 2010-05-09 expires: 2011-05-09
                    card-no: 0005 0000009E
ssb# 1024g/482F585B created: 2004-06-14 expires: never

Have you got any idea what might have been wrong with it? My card
reader is a CCID device, should be no problem with it:

$ lsusb
Bus 002 Device 003: ID 076b:3021 OmniKey AG CardMan 3121
...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 316 bytes
Desc: Digital signature
URL:

From patryk at debian.org Wed Jan 26 08:25:30 2011
From: patryk at debian.org (Patryk Cisek)
Date: Wed, 26 Jan 2011 08:25:30 +0100
Subject: SSH authentication using OpenPGP 2.0 smartcard
In-Reply-To: <8739ogn573.fsf@vigenere.g10code.de>
References: <20110125150518.GB3867@patryks-laptop.softexor.net> <4D3F0552.9030501@grant-olson.net> <4D3F0AD5.8050500@grant-olson.net> <8739ogn573.fsf@vigenere.g10code.de>
Message-ID: <20110126072530.GC5674@patryks-laptop.softexor.net>

On Tue, Jan 25, 2011 at 08:39:28PM +0100, Werner Koch wrote:
> > Actually, I also needed to run 'gpgkey2ssh 0xDEADBEEF >>
> > ~/.ssh/authorized_keys" so I could ssh into the box as well.
>
> You should use
>
> ssh-add -L
>
> which gives you the public key. The comment field has the card number.

Also this is the one I used as a source for ~/.ssh/authorized_keys
entry.

Are there any restrictions regarding the key itself? My key is
1024-bit. Digest preference for signing (SHA512 as most preferred)
shouldn't be an issue either, since I can sign (as I sign this email)
without any problem.

If anyone has any ideas what might have been wrong, please comment.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 316 bytes
Desc: Digital signature
URL:

From wk at gnupg.org Wed Jan 26 11:02:34 2011
From: wk at gnupg.org (Werner Koch)
Date: Wed, 26 Jan 2011 11:02:34 +0100
Subject: Future plans for implementation of other algorithms
In-Reply-To: <4D3FA161.3050904@grant-olson.net> (Grant Olson's message of "Tue, 25 Jan 2011 23:21:53 -0500")
References: <4D3F71E9.9000302@sindegra.com> <4D3FA161.3050904@grant-olson.net>
Message-ID: <87sjwgkmo5.fsf@vigenere.g10code.de>

On Wed, 26 Jan 2011 05:21, kgo at grant-olson.net said:

> (Not that I'm saying there's anything wrong with using 1.4; I just doubt
> ECC will be back-ported.)

Well, at some point in time we might need to do that. If there are many
ECC keys in use there is probably a need for ECC for server applications
as well.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From johanw at vulcan.xs4all.nl Wed Jan 26 11:13:43 2011
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Wed, 26 Jan 2011 11:13:43 +0100
Subject: Future plans for implementation of other algorithms
In-Reply-To: <87sjwgkmo5.fsf@vigenere.g10code.de>
References: <4D3F71E9.9000302@sindegra.com> <4D3FA161.3050904@grant-olson.net> <87sjwgkmo5.fsf@vigenere.g10code.de>
Message-ID: <4D3FF3D7.5010500@vulcan.xs4all.nl>

On 26-1-2011 11:02, Werner Koch wrote:

>> (Not that I'm saying there's anything wrong with using 1.4; I just doubt
>> ECC will be back-ported.)
>
> Well, at some point in time we might need to do that. If there are many
> ECC keys in use there is probably a need for ECC for server applications
> as well.

Considering the modular setup (remembering the separate RSA module when
there were RSA patent issues, and IDEA is still a module) I assume this
is not very difficult.

--
Kind regards,

Johan Wevers

From dshaw at jabberwocky.com Wed Jan 26 17:45:50 2011
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 26 Jan 2011 11:45:50 -0500
Subject: Future plans for implementation of other algorithms
In-Reply-To: <87sjwgkmo5.fsf@vigenere.g10code.de>
References: <4D3F71E9.9000302@sindegra.com> <4D3FA161.3050904@grant-olson.net> <87sjwgkmo5.fsf@vigenere.g10code.de>
Message-ID: <50EA8D6C-5B22-4793-827A-CD638D2B6D5A@jabberwocky.com>

On Jan 26, 2011, at 5:02 AM, Werner Koch wrote:

> On Wed, 26 Jan 2011 05:21, kgo at grant-olson.net said:
>
>> (Not that I'm saying there's anything wrong with using 1.4; I just doubt
>> ECC will be back-ported.)
>
> Well, at some point in time we might need to do that. If there are many
> ECC keys in use there is probably a need for ECC for server applications
> as well.

The smaller size of ECC is also useful for embedded systems, which tend
to be both memory and CPU constrained.

David

From Lists at mephisto.fastmail.net Wed Jan 26 17:39:28 2011
From: Lists at mephisto.fastmail.net (Lists at mephisto.fastmail.net)
Date: Wed, 26 Jan 2011 11:39:28 -0500
Subject: MacGPG2 2.0.17
In-Reply-To: <4D3E78ED.9050000@mac.com>
References: <1295889613.20180.1416952385@webmail.messagingengine.com> <4D3DBDDA.5080405@mac.com> <20110125014204.GA2708@mini.hansaeditions.net> <4D3E78ED.9050000@mac.com>
Message-ID: <20110126163928.GA7549@imac-6g2p.mgh.harvard.edu>

On Tue, Jan 25, 2011 at 02:17:01AM -0500, thus spoke Charly Avital:
>
> I have not run the GPGTools installer, I have run the MacGPG2 2.0.17
> released a few hours ago by Ben Donnachie...

My understanding is the GPGTools installer is a meta-package, which (as
of the time I downloaded and installed it) includes the same build of
GnuPG 2.0.17. I figured it wouldn't hurt to use the pre-packaged Tools
installer to get GPGMail and everything else at the same time, since
presumably all the pieces would be versions which would interoperate
correctly.

> And *everything* related to MacGPG2, Thunderbird+Enigmail and GPGMail
> 1.3.2.RC1 is running just fine...

I don't doubt that everything works, in your case. I have had different
results on different platforms.

On a machine running 10.6.6, which was freshly installed about two
weeks ago, most components of GPGTools seemed to work, however, when I
tried to generate test keys (either from the CLI, or from the GUI key
management app), the process would always stall at the random number
phase.

On a different machine running 10.6.6 Server, gpg-agent fails to launch
(whereas gpg-agent worked fine, from the same GPGTools installer, on
the OS X Desktop machine above).

I tried on a third machine (also a client/desktop), with similar
results to the desktop above.

I have no doubt that on certain computers, it works perfectly, given
the variability of errors on the different platforms I have tried it on
so far. However, since GnuPG from MacPorts seems to work for me
consistently, on all the platforms I have tried it on, I'm going to
stick with that for now. I'll revisit the GPGTools/MacGPG2 installers
again later, when I have more time to chase these bugs.

Cheers,
Kevin

From avi.wiki at gmail.com Wed Jan 26 21:37:02 2011
From: avi.wiki at gmail.com (Avi)
Date: Wed, 26 Jan 2011 15:37:02 -0500
Subject: Future plans for implementation of other algorithms
Message-ID:

As someone who uses GnuPG on a USB stick under Windows, I sincerely
hope that elliptical curves get added to the 1.4 trunk.

--Avi
----
User:Avraham
pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key)
Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E 29F9

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From kgo at grant-olson.net Wed Jan 26 22:03:18 2011
From: kgo at grant-olson.net (Grant Olson)
Date: Wed, 26 Jan 2011 16:03:18 -0500
Subject: Future plans for implementation of other algorithms
In-Reply-To:
References:
Message-ID: <4D408C16.6090906@grant-olson.net>

On 1/26/11 3:37 PM, Avi wrote:
> As someone who uses GnuPG on a USB stick under Windows, I sincerely hope
> that elliptical curves get added to the 1.4 trunk.
>
> --Avi
> ----

That was completely uninformed speculation on my part.

But I still think that like any new standard and technology, even after
ECC makes it into an official gnupg release, it'll probably be years
before you'll be able to use it on a general purpose key, due to any
number of systems or users that won't instantly support ECC in OpenPGP.
That was really my main point.

--
Grant

"I am gravely disappointed. Again you have made me unleash my dogs of war."

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 570 bytes
Desc: OpenPGP digital signature
URL:

From david at systemoverlord.com Wed Jan 26 22:03:37 2011
From: david at systemoverlord.com (David Tomaschik)
Date: Wed, 26 Jan 2011 16:03:37 -0500
Subject: SmartCard Import/Export
Message-ID:

Anyone in the US ever order the OpenPGP smartcards from Kernel
Concepts? I'm wondering if there are any customs issues I should be
aware of. I'm thinking of trying to get a few people together around
here to do a bulk order to cut shipping costs, etc., but wanted to know
if I was going to end up with any import taxes/customs trouble.

--
David Tomaschik, RHCE, LPIC-1
GNU/Linux System Architect
GPG: 0x5DEA789B
david at systemoverlord.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From gnupg.user at seibercom.net Wed Jan 26 19:14:30 2011
From: gnupg.user at seibercom.net (Jerry)
Date: Wed, 26 Jan 2011 13:14:30 -0500
Subject: Problem with keyserver
Message-ID: <20110126131430.64555062@scorpio>

Does anyone know if there is a problem with the following keyserver:

hkp://keys.gnupg.net

I have not been able to connect with it for several days now.

--
Jerry ?
GNUPG.user at seibercom.net
_____________________________________________________________________
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

From dkg at fifthhorseman.net Wed Jan 26 22:21:26 2011
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 26 Jan 2011 16:21:26 -0500
Subject: Problem with keyserver
In-Reply-To: <20110126131430.64555062@scorpio>
References: <20110126131430.64555062@scorpio>
Message-ID: <4D409056.4000600@fifthhorseman.net>

On 01/26/2011 01:14 PM, Jerry wrote:
> Does anyone know if there is a problem with the following keyserver:
>
> hkp://keys.gnupg.net
>
> I have not been able to connect with it for several days now.

keys.gnupg.net is a DNS round robin.

if one of them fails, the other ones should be responsive at least.
from my perspective on the network, i see:

keys.gnupg.net. 86400 IN A 129.128.98.22
keys.gnupg.net. 86400 IN A 193.174.13.74
keys.gnupg.net. 86400 IN A 209.234.253.170

which are these machines:

129.128.98.22: pgp.srv.ualberta.ca.
193.174.13.74: pgpkeys.pca.dfn.de.
209.234.253.170: zimmermann.mayfirst.org.

the last one (zimmermann.mayfirst.org, which i maintain) is functional
for me, at least.

the first one at least doesn't seem to be responsive at all right now,
though :(

you may also be interested in pool.sks-keyservers.net, which is updated
automatically.

--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1030 bytes
Desc: OpenPGP digital signature
URL:

From gnupg.user at seibercom.net Wed Jan 26 23:13:22 2011
From: gnupg.user at seibercom.net (Jerry)
Date: Wed, 26 Jan 2011 17:13:22 -0500
Subject: Problem with keyserver
In-Reply-To: <4D409056.4000600@fifthhorseman.net>
References: <20110126131430.64555062@scorpio> <4D409056.4000600@fifthhorseman.net>
Message-ID: <20110126171322.7ef38c08@scorpio>

On Wed, 26 Jan 2011 16:21:26 -0500 Daniel Kahn Gillmor articulated:

> On 01/26/2011 01:14 PM, Jerry wrote:
> > Does anyone know if there is a problem with the following keyserver:
> >
> > hkp://keys.gnupg.net
> >
> > I have not been able to connect with it for several days now.
>
> keys.gnupg.net is a DNS round robin.
>
> if one of them fails, the other ones should be responsive at least.
> from my perspective on the network, i see:
>
> keys.gnupg.net. 86400 IN A
> 129.128.98.22 keys.gnupg.net. 86400 IN
> A 193.174.13.74 keys.gnupg.net. 86400
> IN A 209.234.253.170
>
> which are these machines:
>
> 129.128.98.22: pgp.srv.ualberta.ca.
> 193.174.13.74: pgpkeys.pca.dfn.de.
> 209.234.253.170: zimmermann.mayfirst.org.
>
>
> the last one (zimmermann.mayfirst.org, which i maintain) is functional
> for me, at least.
> > the first one at least doesn't seem to be responsive at all right now, > though :( > > you may also be interested in pool.sks-keyservers.net, which is > updated automatically. Thanks, I have added that URL. Now, if I might ask a stupid question, is there a specific port number that is used? I just want to make sure my firewall is setup correctly. Presently I have it setup to allow any port # for those URLs. -- Jerry ? GNUPG.user at seibercom.net _____________________________________________________________________ Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: not available URL: From dkg at fifthhorseman.net Wed Jan 26 23:29:43 2011 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 26 Jan 2011 17:29:43 -0500 Subject: Problem with keyserver In-Reply-To: <20110126171322.7ef38c08@scorpio> References: <20110126131430.64555062@scorpio> <4D409056.4000600@fifthhorseman.net> <20110126171322.7ef38c08@scorpio> Message-ID: <4D40A057.10909@fifthhorseman.net> On 01/26/2011 05:13 PM, Jerry wrote: > Thanks, I have added that URL. Now, if I might ask a stupid question, > is there a specific port number that is used? I just want to make sure > my firewall is setup correctly. Presently I have it setup to allow any > port # for those URLs. hrm, sounds like you are doing some serious fiddling with your settings. the names i listed are hostnames, not URLs. and the DNS round robins are hostnames that resolve to different IP addresses. If you're putting these into some sort of IP-level firewall configuration, please be aware that the IP addresses of either pool may change frequently and/or without warning. 
The expectation is that HKP keyservers will listen on port 11371, but port 80 is also widely used:

https://tools.ietf.org/html/draft-shaw-openpgp-hkp-00#section-2

Note that these are ports that your client (gnupg, presumably) connects *to* on those machines, not the other way around. Is your firewall really limiting outbound access like this? If your firewall is only limiting inbound access, you should not have to adjust it to use HKP keyservers.

--dkg

From christoph.anton.mitterer at physik.uni-muenchen.de Wed Jan 26 22:07:08 2011
From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer)
Date: Wed, 26 Jan 2011 22:07:08 +0100
Subject: Future plans for implementation of other algorithms
In-Reply-To:
References:
Message-ID: <1296076028.3205.19.camel@fermat.scientia.net>

On Wed, 2011-01-26 at 15:37 -0500, Avi wrote:
> As someone who uses GnuPG on a USB stick under Windows, I sincerely
> hope that elliptical curves get added to the 1.4 trunk.

I know this won't happen,... but I'd rather see a roadmap to phase out 1.x...

Maintaining two branches is not only a big effort but poses also a constant risk wrt security/etc.

Cheers,
Chris.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3387 bytes Desc: not available URL: From fladerer at fnb.tu-darmstadt.de Wed Jan 26 23:34:11 2011 From: fladerer at fnb.tu-darmstadt.de (Michael Fladerer) Date: Wed, 26 Jan 2011 23:34:11 +0100 Subject: Problem with keyserver In-Reply-To: <20110126171322.7ef38c08@scorpio> References: <20110126131430.64555062@scorpio> <4D409056.4000600@fifthhorseman.net> <20110126171322.7ef38c08@scorpio> Message-ID: <20110126223411.GB27061@fnb.tu-darmstadt.de> On Wed Jan 26, 2011 at 17:13:22 -0500, Jerry wrote: > On Wed, 26 Jan 2011 16:21:26 -0500 > Daniel Kahn Gillmor articulated: > > > On 01/26/2011 01:14 PM, Jerry wrote: > > > Does anyone know if there is a problem with the following keyserver: > > > > > > hkp://keys.gnupg.net > > > > > > I have not been able to connect with it for several days now. > > > > keys.gnupg.net is a DNS round robin. > > > > if one of them fails, the other ones should be responsive at least. > > from my perspective on the network, i see: > > > > keys.gnupg.net. 86400 IN A > > 129.128.98.22 keys.gnupg.net. 86400 IN > > A 193.174.13.74 keys.gnupg.net. 86400 > > IN A 209.234.253.170 > > > > which are these machines: > > > > 129.128.98.22: pgp.srv.ualberta.ca. > > 193.174.13.74: pgpkeys.pca.dfn.de. > > 209.234.253.170: zimmermann.mayfirst.org. > > > > > > the last one (zimmermann.mayfirst.org, which i maintain) is functional > > for me, at least. > > > > the first one at least doesn't seem to be responsive at all right now, > > though :( > > > > you may also be interested in pool.sks-keyservers.net, which is > > updated automatically. > > Thanks, I have added that URL. Now, if I might ask a stupid question, > is there a specific port number that is used? I just want to make sure > my firewall is setup correctly. Presently I have it setup to allow any > port # for those URLs. I think it's the Horowitz Keyserver Protocol (hkp) which typically uses port 11371 (see [1]). 
[1] http://www.iana.org/assignments/port-numbers

Michael

From avi.wiki at gmail.com Thu Jan 27 00:29:51 2011
From: avi.wiki at gmail.com (Avi)
Date: Wed, 26 Jan 2011 18:29:51 -0500
Subject: Future plans for implementation of other algorithms
Message-ID:

I believe Werner had mentioned that the 1.x version would continue to be supported due to its enhanced portability, but I could be misremembering. Can someone "official" comment as to the viability of the 1.x trunk, please?

--Avi

----
User:Avraham

pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key)
Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E 29F9

> ---------- Forwarded message ----------
> From: Christoph Anton Mitterer <
> christoph.anton.mitterer at physik.uni-muenchen.de>
> To: gnupg-users at gnupg.org
> Date: Wed, 26 Jan 2011 22:07:08 +0100
> Subject: Re: Future plans for implementation of other algorithms
> On Wed, 2011-01-26 at 15:37 -0500, Avi wrote:
> > As someone who uses GnuPG on a USB stick under Windows, I sincerely
> > hope that elliptical curves get added to the 1.4 trunk.
>
> I know this won't happen,... but I'd rather see a roadmap to phase out
> 1.x...
>
> Maintaining two branches is not only a big effort but poses also a
> constant risk wrt security/etc.
>
>
> Cheers,
> Chris.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: From JPClizbe at tx.rr.com Thu Jan 27 01:46:59 2011 From: JPClizbe at tx.rr.com (John Clizbe) Date: Wed, 26 Jan 2011 18:46:59 -0600 Subject: SmartCard Import/Export In-Reply-To: References: Message-ID: <4D40C083.5030808@tx.rr.com> David Tomaschik wrote: > Anyone in the US ever order the OpenPGP smartcards from Kernel > Concepts? I'm wondering if there are any customs issues I should be > aware of. I'm thinking of trying to get a few people together around > here to do a bulk order to cut shipping costs, etc., but wanted to know > if I was going to end up with any import taxes/customs trouble. One of the Enigmail team sent OpenPGP v1 cards to all the US team members. There were no problems that I recall. I obtained my v2 card by joining FSFE, http://fellowship.fsfe.org/ I also have not heard anyone comment about Customs problems with obtaining the cards directly from Kernel Concepts. -John -- John P. Clizbe Inet: John (a) Enigmail DAWT net FSF Assoc #995 / FSFE Fellow #1797 hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 889 bytes Desc: OpenPGP digital signature URL: From kgo at grant-olson.net Thu Jan 27 01:58:12 2011 From: kgo at grant-olson.net (Grant Olson) Date: Wed, 26 Jan 2011 19:58:12 -0500 Subject: SmartCard Import/Export In-Reply-To: References: Message-ID: <4D40C324.4040600@grant-olson.net> On 1/26/11 4:03 PM, David Tomaschik wrote: > Anyone in the US ever order the OpenPGP smartcards from Kernel > Concepts? I'm wondering if there are any customs issues I should be > aware of. 
I'm thinking of trying to get a few people together around
> here to do a bulk order to cut shipping costs, etc., but wanted to know
> if I was going to end up with any import taxes/customs trouble.
>

I just got a card and reader from them. They did everything by the book. There was a customs declaration on the outside of the box. They even had an FCC clearance for the reader inside the box just in case customs decided to open it up. (They didn't.)

Meanwhile, when I ordered a crypto-stick from the GPF I'm pretty sure it just showed up in a yellow envelope with a hand-written address. I don't think it had any customs declaration or anything. And that showed up just fine as well.

I don't think you have anything to worry about.

--
Grant

"I am gravely disappointed. Again you have made me unleash my dogs of war."

From faramir.cl at gmail.com Thu Jan 27 02:01:07 2011
From: faramir.cl at gmail.com (Faramir)
Date: Wed, 26 Jan 2011 22:01:07 -0300
Subject: Future plans for implementation of other algorithms
In-Reply-To:
References:
Message-ID: <4D40C3D3.8070609@gmail.com>

On 26-01-2011 20:29, Avi wrote:
> I believe Werner had mentioned that the 1.x version would
> continue to be supported due to its enhanced portability, but I
> could be misremembering. Can someone "official" comment as to
> the viability of the 1.x trunk, please?

Well, Werner is "official", and IIRC, 1.x trunk is kept because it is easier to implement in servers.
Of course, some end users like me like it too ;)

Best Regards

From nils.faerber at kernelconcepts.de Thu Jan 27 09:40:18 2011
From: nils.faerber at kernelconcepts.de (Nils Faerber)
Date: Thu, 27 Jan 2011 09:40:18 +0100
Subject: SmartCard Import/Export
In-Reply-To:
References:
Message-ID: <4D412F72.6050709@kernelconcepts.de>

On 26.01.2011 22:03, David Tomaschik wrote:
> Anyone in the US ever order the OpenPGP smartcards from Kernel
> Concepts? I'm wondering if there are any customs issues I should be
> aware of. I'm thinking of trying to get a few people together around
> here to do a bulk order to cut shipping costs, etc., but wanted to know
> if I was going to end up with any import taxes/customs trouble.

We have been shipping cards to the US for quite a while now and never had any issues. As far as we know, and we tried to thoroughly research this, the OpenPGP card does not fall under any special regulations, i.e. neither crypto im- or export nor customs issues.

We also try to minimize postage&packing cost as much as possible - so organising a collective order is a very welcome idea! Thanks!
> David Tomaschik, RHCE, LPIC-1

Cheers
nils

--
kernel concepts GbR Tel: +49-271-771091-12
Sieghuetter Hauptweg 48
D-57072 Siegen Mob: +49-176-21024535
http://www.kernelconcepts.de

From patryk at debian.org Thu Jan 27 16:01:20 2011
From: patryk at debian.org (Patryk Cisek)
Date: Thu, 27 Jan 2011 16:01:20 +0100
Subject: SSH authentication using OpenPGP 2.0 smartcard
In-Reply-To: <8739ogn573.fsf@vigenere.g10code.de>
References: <20110125150518.GB3867@patryks-laptop.softexor.net> <4D3F0552.9030501@grant-olson.net> <4D3F0AD5.8050500@grant-olson.net> <8739ogn573.fsf@vigenere.g10code.de>
Message-ID: <20110127150120.GA6230@patryks-laptop.softexor.net>

I finally got it working. Seems like there's some kind of problem with CCID for those readers -- I'd used internal GnuPG's CCID driver until yesterday. I've got 2 readers:

OmniKey CardMan 3121 (USB device)
OmniKey CardMan 4040 (PCMCIA device)

Both had the same problem; signing worked fine, but authentication didn't. Yesterday I tried to get them working with PCSC-Lite using manufacturer's drivers:

http://www.hidglobal.com/driverDownloads.php?techCat=19

From this moment both readers work perfectly. One minor issue is that for 3121 (USB) I have to kill scdaemon several times in a row when plugging in reader. For 4040 (PCMCIA), since no hot-plug mechanism, additionally I have to (re)start pcscd. Nevertheless works as expected now. :)

On Tue, Jan 25, 2011 at 08:39:28PM +0100, Werner Koch wrote:
> On Tue, 25 Jan 2011 18:39, kgo at grant-olson.net said:
>
> > Actually, I also needed to run 'gpgkey2ssh 0xDEADBEEF >>
> > ~/.ssh/authorized_keys" so I could ssh into the box as well.
>
> You should use
>
> ssh-add -L
>
> which gives you the public key. The comment field has the card number.
>
>
> Shalom-Salam,
>
> Werner
>
>
> --
> Thoughts are free. Exceptions are regulated by a federal law.
> > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From alex at willner.ws Fri Jan 28 16:13:57 2011 From: alex at willner.ws (Alexander Willner) Date: Fri, 28 Jan 2011 16:13:57 +0100 Subject: OpenPGP and iOS / JS Message-ID: <877DB8B6-80BB-434D-AAFF-0E4D0655AEE0@willner.ws> Dear list, I just read the headings "Gpg for iPhone or iPad" and "checking gpg-signatures in JavaScript" in the archive - so I've decided to join this list. I also wanted to use OpenPGP on iOS so I decided to have a look what is possible in JavaScript. I think it is generally possible (with some limitations) to use OpenPGP on any device using modern web browser features. So this page might be interesting for you and if you've fun in doing some development: a prototype and some unit tests are available. https://github.com/AlexanderWillner/GPGMail_Mobile/wiki/Introduction Best regards, Alex -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3769 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 243 bytes Desc: This is a digitally signed message part URL: From david at systemoverlord.com Sat Jan 29 03:42:51 2011 From: david at systemoverlord.com (David Tomaschik) Date: Fri, 28 Jan 2011 21:42:51 -0500 Subject: ID-000 SmartCard Form Factor Message-ID: <4D437EAB.7090508@systemoverlord.com> While I realize that the ID-1 (full size) cards can be used with card readers that support PIN entry, are there any other advantages/disadvantages to one size over the other? At present, I feel like the ID-000 form factor has more advantages because of the portability and the lower cost of the readers. (I'm going to be using my card for a subkey-only card, as I keep my master key in an offline-only configuration.) 
Thanks,
David

From kgo at grant-olson.net Sat Jan 29 06:28:37 2011
From: kgo at grant-olson.net (Grant Olson)
Date: Sat, 29 Jan 2011 00:28:37 -0500
Subject: ID-000 SmartCard Form Factor
In-Reply-To: <4D437EAB.7090508@systemoverlord.com>
References: <4D437EAB.7090508@systemoverlord.com>
Message-ID: <4D43A585.8020305@grant-olson.net>

On 01/28/2011 09:42 PM, David Tomaschik wrote:
> While I realize that the ID-1 (full size) cards can be used with card
> readers that support PIN entry, are there any other
> advantages/disadvantages to one size over the other? At present, I feel
> like the ID-000 form factor has more advantages because of the
> portability and the lower cost of the readers.
>

As far as the cards themselves, you can use the ID-000 cards in a full-sized reader or pop the chip out. So if you have any doubt there, you can get the ID-000 card and keep your options open.

I don't think the readers make that much of a difference either. In theory, it's nice that the ID-000 readers will fit on your keychain, and you can use them anywhere. But in practice, personally I'm either working at home or have my laptop bag with me. I'm not using a smart card at a computer lab or a library or something like that.

In theory, a full-sized card and reader would be nice if you used multiple cards, like a separate ID to sign software or something, or different users on the same computer, but most people probably don't have to worry about that.

A full-sized reader also has a cord, which can be convenient if it's hard to get to your USB ports, instead of climbing behind some desk every day.

If you're already leaning towards a thumb-drive sized reader, that should work just fine.
-------------- next part --------------
A non-text attachment was scrubbed...
From kgo at grant-olson.net Sat Jan 29 19:54:11 2011
From: kgo at grant-olson.net (Grant Olson)
Date: Sat, 29 Jan 2011 13:54:11 -0500
Subject: Did I just fry my smartcard?
Message-ID: <4D446253.2090309@grant-olson.net>

This is actually a spare card I was just messing around with, not my main one. It's a standard OpenPGP v2.0 card from g10.

I wanted to reset the card to the factory defaults and mess around with the onboard key generation. I issued the series of commands listed here, among other places:

http://www.gossamer-threads.com/lists/gnupg/users/49737

After that, the card wasn't reset, was locked out, and it won't do anything useful. If I run a command like gpg --card-status, I'm prompted with:

gpg: detected reader `SCM SCR 3310 [CCID Interface] 00 00'
gpg: pcsc_connect failed: sharing violation (0x8010000b)
gpg: apdu_send_simple(0) failed: locking failed
Please insert the card and hit return or enter 'c' to cancel:
gpg: pcsc_connect failed: sharing violation (0x8010000b)
gpg: pcsc_connect failed: sharing violation (0x8010000b)
gpg: apdu_send_simple(0) failed: locking failed

And if I try to issue the apdu sequence manually, nothing responds.

grant at johnsmallberries:~$ gpg-connect-agent
> scd apdu 00 44 00 00
ERR 100663351 Invalid value
> scd apdu 00 e6 00 00
ERR 100663351 Invalid value
> scd serialno
ERR 100663351 Invalid value

Does anyone have any tips for resetting the card, or am I out of luck?

On the plus side, I can confirm that the Admin Password Lockout does indeed work as advertised. I've always wanted to give that a try. ;-)

-Grant
-------------- next part --------------
A non-text attachment was scrubbed...
From wk at gnupg.org Sun Jan 30 12:03:22 2011
From: wk at gnupg.org (Werner Koch)
Date: Sun, 30 Jan 2011 12:03:22 +0100
Subject: Did I just fry my smartcard?
In-Reply-To: <4D446253.2090309@grant-olson.net> (Grant Olson's message of "Sat, 29 Jan 2011 13:54:11 -0500")
References: <4D446253.2090309@grant-olson.net>
Message-ID: <87bp2yirgl.fsf@gnupg.org>

On Sat, 29 Jan 2011 19:54, kgo at grant-olson.net said:

> gpg: detected reader `SCM SCR 3310 [CCID Interface] 00 00'
> gpg: pcsc_connect failed: sharing violation (0x8010000b)

Another process has locked the reader. Most likely this is either a gpg 1 or an scdaemon.

> grant at johnsmallberries:~$ gpg-connect-agent
>> scd apdu 00 44 00 00
> ERR 100663351 Invalid value

Same reason as above; just different error messages. Figure out which process has locked the reader and kill it. Then try again. You should also add the options

debug-ccid-driver
debug 2048
log-file /foo/bar/scdaemon.log

to ~/.gnupg/scdaemon.log .

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From jcruff at gmail.com Sun Jan 30 15:07:51 2011
From: jcruff at gmail.com (Chris Ruff)
Date: Sun, 30 Jan 2011 09:07:51 -0500
Subject: Did I just fry my smartcard?
In-Reply-To: <87bp2yirgl.fsf@gnupg.org>
References: <4D446253.2090309@grant-olson.net> <87bp2yirgl.fsf@gnupg.org>
Message-ID: <1296396471.5114.2.camel@silence>

On Sun, 2011-01-30 at 12:03 +0100, Werner Koch wrote:
> On Sat, 29 Jan 2011 19:54, kgo at grant-olson.net said:
>
> > gpg: detected reader `SCM SCR 3310 [CCID Interface] 00 00'
> > gpg: pcsc_connect failed: sharing violation (0x8010000b)
>
> Another process has locked the reader. Most likely this is either a gpg
> 1 or an scdaemon.
>
> > grant at johnsmallberries:~$ gpg-connect-agent
> >> scd apdu 00 44 00 00
> > ERR 100663351 Invalid value
>
> Same reason as above; just different error messages.
Figure out which
> process has locked the reader and kill it. Then try again. You should
> also add the options
>
> debug-ccid-driver
> debug 2048
> log-file /foo/bar/scdaemon.log
>
- to ~/.gnupg/scdaemon.log .
+ to ~/.gnupg/scdaemon.conf
>
>
> Shalom-Salam,
>
> Werner
>
--
__________________________________
Chris Ruff
email: jcruff at gmail.com
gpg key: 0xDD55B6FC
gpg fgpr: 1BA1 71D7 ADA7 1E8B 1623 A43D 283B 2F81 BDD5 B810

From kgo at grant-olson.net Sun Jan 30 17:18:56 2011
From: kgo at grant-olson.net (Grant Olson)
Date: Sun, 30 Jan 2011 11:18:56 -0500
Subject: Did I just fry my smartcard?
In-Reply-To: <87bp2yirgl.fsf@gnupg.org>
References: <4D446253.2090309@grant-olson.net> <87bp2yirgl.fsf@gnupg.org>
Message-ID: <4D458F70.1030003@grant-olson.net>

On 01/30/2011 06:03 AM, Werner Koch wrote:
> On Sat, 29 Jan 2011 19:54, kgo at grant-olson.net said:
>
>> gpg: detected reader `SCM SCR 3310 [CCID Interface] 00 00'
>> gpg: pcsc_connect failed: sharing violation (0x8010000b)
>
> Another process has locked the reader. Most likely this is either a gpg
> 1 or an scdaemon.
>

DOH! I think it was gpg-agent. If I use gpg2 I get these results:

grant at johnyaya:~$ gpg2 --card-status
gpg: OpenPGP card not available: Not supported
grant at johnyaya:~$ gpg2 --card-edit
gpg: OpenPGP card not available: Not supported
gpg/card> gpg: OpenPGP card not available: Not supported

>> grant at johnsmallberries:~$ gpg-connect-agent
>>> scd apdu 00 44 00 00
>> ERR 100663351 Invalid value
>
> Same reason as above; just different error messages. Figure out which
> process has locked the reader and kill it. Then try again. You should
> also add the options
>
> debug-ccid-driver
> debug 2048
> log-file /foo/bar/scdaemon.log
>
> to ~/.gnupg/scdaemon.log .
>

With those options enabled, I tried issuing the reset codes. First time it complained because no card was inserted.
Second time it complained because it couldn't find a supported application on the card. I'm not sure if that message is normal when the card is in admin-lockout mode, or if it indicates there are more serious problems with the card.

grant at johnyaya:~$ gpg-connect-agent
> scd apdu 00 e6 00 00
ERR 100663406 Card removed
> scd apdu 00 44 00 00
ERR 100663406 Card removed
> scd serialno
ERR 100663351 Invalid value
> scd apdu 00 e6 00 00
ERR 100663351 Invalid value
> scd apdu 00 44 00 00
ERR 100663351 Invalid value
>

5 - 2011-01-30 11:12:40 scdaemon[3871]: updating slot 0 status: 0x0007->0x0004 (7->8)
5 - 2011-01-30 11:12:40 scdaemon[3871]: sending signal 12 to client 3871
5 - 2011-01-30 11:12:42 scdaemon[3871]: updating slot 0 status: 0x0004->0x0007 (8->9)
5 - 2011-01-30 11:12:42 scdaemon[3871]: sending signal 12 to client 3871
4 - 2011-01-30 11:12:50 gpg-agent[3716]: chan_7 <- scd apdu 00 e6 00 00
4 - 2011-01-30 11:12:50 gpg-agent[3716]: new connection to SCdaemon established (reusing)
4 - 2011-01-30 11:12:50 gpg-agent[3716]: chan_9 -> apdu 00 e6 00 00
5 - 2011-01-30 11:12:50 scdaemon[3871]: chan_7 <- apdu 00 e6 00 00
5 - 2011-01-30 11:12:50 scdaemon[3871]: chan_7 -> ERR 100663406 Card removed
4 - 2011-01-30 11:12:50 gpg-agent[3716]: chan_9 <- ERR 100663406 Card removed
4 - 2011-01-30 11:12:50 gpg-agent[3716]: chan_7 -> ERR 100663406 Card removed
4 - 2011-01-30 11:12:56 gpg-agent[3716]: chan_7 <- scd apdu 00 44 00 00
4 - 2011-01-30 11:12:56 gpg-agent[3716]: chan_9 -> apdu 00 44 00 00
5 - 2011-01-30 11:12:56 scdaemon[3871]: chan_7 <- apdu 00 44 00 00
5 - 2011-01-30 11:12:56 scdaemon[3871]: chan_7 -> ERR 100663406 Card removed
4 - 2011-01-30 11:12:56 gpg-agent[3716]: chan_9 <- ERR 100663406 Card removed
4 - 2011-01-30 11:12:56 gpg-agent[3716]: chan_7 -> ERR 100663406 Card removed
4 - 2011-01-30 11:13:01 gpg-agent[3716]: chan_7 <- scd serialno
4 - 2011-01-30 11:13:01 gpg-agent[3716]: chan_9 -> serialno
5 - 2011-01-30 11:13:01 scdaemon[3871]: chan_7 <- serialno
5 - 2011-01-30 11:13:01 scdaemon[3871]: no supported card application found: Invalid value
5 - 2011-01-30 11:13:01 scdaemon[3871]: chan_7 -> ERR 100663351 Invalid value
4 - 2011-01-30 11:13:01 gpg-agent[3716]: chan_9 <- ERR 100663351 Invalid value
4 - 2011-01-30 11:13:01 gpg-agent[3716]: chan_7 -> ERR 100663351 Invalid value
4 - 2011-01-30 11:13:09 gpg-agent[3716]: chan_7 <- scd apdu 00 e6 00 00
4 - 2011-01-30 11:13:09 gpg-agent[3716]: chan_9 -> apdu 00 e6 00 00
5 - 2011-01-30 11:13:09 scdaemon[3871]: chan_7 <- apdu 00 e6 00 00
5 - 2011-01-30 11:13:09 scdaemon[3871]: no supported card application found: Invalid value
5 - 2011-01-30 11:13:09 scdaemon[3871]: chan_7 -> ERR 100663351 Invalid value
4 - 2011-01-30 11:13:09 gpg-agent[3716]: chan_9 <- ERR 100663351 Invalid value
4 - 2011-01-30 11:13:09 gpg-agent[3716]: chan_7 -> ERR 100663351 Invalid value
4 - 2011-01-30 11:13:13 gpg-agent[3716]: chan_7 <- scd apdu 00 44 00 00
4 - 2011-01-30 11:13:13 gpg-agent[3716]: chan_9 -> apdu 00 44 00 00
5 - 2011-01-30 11:13:13 scdaemon[3871]: chan_7 <- apdu 00 44 00 00
5 - 2011-01-30 11:13:13 scdaemon[3871]: no supported card application found: Invalid value
5 - 2011-01-30 11:13:13 scdaemon[3871]: chan_7 -> ERR 100663351 Invalid value
4 - 2011-01-30 11:13:13 gpg-agent[3716]: chan_9 <- ERR 100663351 Invalid value
4 - 2011-01-30 11:13:13 gpg-agent[3716]: chan_7 -> ERR 100663351 Invalid value
4 - 2011-01-30 11:13:15 gpg-agent[3716]: chan_7 <- [eof]
4 - 2011-01-30 11:13:15 gpg-agent[3716]: chan_9 -> RESTART
5 - 2011-01-30 11:13:15 scdaemon[3871]: chan_7 <- RESTART
5 - 2011-01-30 11:13:15 scdaemon[3871]: chan_7 -> OK
4 - 2011-01-30 11:13:15 gpg-agent[3716]: chan_9 <- OK
4 - 2011-01-30 11:13:15 gpg-agent[3716]: handler 0x9c50a38 for fd 7 terminated
-------------- next part --------------
A non-text attachment was scrubbed...
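The ERR numbers and APDU bytes in the session and log above can be decoded mechanically. The Python below is an added example, not part of the original post or of GnuPG: it pairs each command scdaemon received with the status it returned, splits the ERR number into libgpg-error's source and code fields, and names the instruction byte of each short APDU. Function names are hypothetical; the sample lines are copied from the log above.

```python
import re

# Lines copied from the scdaemon/gpg-agent log quoted in the message above.
SAMPLE_LOG = """\
4 - 2011-01-30 11:12:50 gpg-agent[3716]: chan_9 -> apdu 00 e6 00 00
5 - 2011-01-30 11:12:50 scdaemon[3871]: chan_7 <- apdu 00 e6 00 00
5 - 2011-01-30 11:12:50 scdaemon[3871]: chan_7 -> ERR 100663406 Card removed
5 - 2011-01-30 11:13:01 scdaemon[3871]: chan_7 <- serialno
5 - 2011-01-30 11:13:01 scdaemon[3871]: no supported card application found: Invalid value
5 - 2011-01-30 11:13:01 scdaemon[3871]: chan_7 -> ERR 100663351 Invalid value
5 - 2011-01-30 11:13:13 scdaemon[3871]: chan_7 <- apdu 00 44 00 00
5 - 2011-01-30 11:13:13 scdaemon[3871]: chan_7 -> ERR 100663351 Invalid value
5 - 2011-01-30 11:13:15 scdaemon[3871]: chan_7 <- RESTART
5 - 2011-01-30 11:13:15 scdaemon[3871]: chan_7 -> OK
"""

# libgpg-error source identifiers (subset): which component raised the error.
ERROR_SOURCES = {1: "libgcrypt", 2: "gpg", 3: "gpgsm",
                 4: "gpg-agent", 5: "pinentry", 6: "scdaemon"}
# ISO 7816-4 instruction bytes, named as in the thread.
INS_NAMES = {0xE6: "TERMINATE DF", 0x44: "ACTIVATE FILE", 0xA4: "SELECT FILE"}

# Only scdaemon's own channel lines: "<-" is what it received, "->" what it sent.
SCD_LINE = re.compile(r"scdaemon\[\d+\]: chan_\d+ (<-|->) (.+)$")


def decode_gpg_error(value):
    """Split a gpg-error number into (source, code): bits 24-30 and bits 0-15."""
    return (value >> 24) & 0x7F, value & 0xFFFF


def parse_apdu(hex_string):
    """Parse a short (non-extended) command APDU given as hex bytes."""
    raw = bytes.fromhex(hex_string.replace(" ", ""))
    if len(raw) < 4:
        raise ValueError("an APDU needs at least CLA INS P1 P2")
    cla, ins, p1, p2 = raw[:4]
    body, data, le = raw[4:], b"", None
    if len(body) == 1:            # header + Le only
        le = body[0]
    elif body:                    # header + Lc + data [+ Le]
        lc = body[0]
        data, rest = body[1:1 + lc], body[1 + lc:]
        if len(data) != lc or len(rest) > 1:
            raise ValueError("Lc does not match the number of data bytes")
        le = rest[0] if rest else None
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data,
            "le": le, "name": INS_NAMES.get(ins, "unknown")}


def summarize(log_text):
    """Pair each command scdaemon received with the status line it sent back."""
    rows, pending = [], None
    for line in log_text.splitlines():
        match = SCD_LINE.search(line)
        if not match:
            continue              # gpg-agent lines and free-text diagnostics
        direction, payload = match.group(1), match.group(2).strip()
        if direction == "<-":
            pending = payload
            continue
        if pending is None:
            continue
        row = {"command": pending, "apdu": None, "status": payload.split()[0],
               "source": None, "code": None}
        if pending.lower().startswith("apdu "):
            row["apdu"] = parse_apdu(pending[5:])["name"]
        err = re.match(r"ERR (\d+)", payload)
        if err:
            source, code = decode_gpg_error(int(err.group(1)))
            row["source"] = ERROR_SOURCES.get(source, str(source))
            row["code"] = code
        rows.append(row)
        pending = None
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```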
From orionbelt2 at gmail.com Mon Jan 31 03:41:51 2011
From: orionbelt2 at gmail.com (orionbelt2 at gmail.com)
Date: Mon, 31 Jan 2011 03:41:51 +0100
Subject: How to handle user passphrase input from python script
Message-ID: <20110131024151.GP21877@ulb.ac.be>

Hi all,

I use a python script to (a) open a file encrypted with a symmetric cipher using a passphrase, (b) do some operations on it, and (c) re-encrypt it. So far i've had GnuPG handle the user input of the passphrase, e.g.:

    import os

    os.system('gpg foo.gpg')
    # Do something with file 'foo'
    os.system('gpg -c foo')

However, this obliges the user to enter the password three times --rather annoying. I am looking for a way to avoid this. An obvious, but probably unsafe, solution would be to use python's passphrase-reading facility along with GnuPG's --passphrase option, e.g.:

    import getpass
    import os

    passwd = getpass.getpass()
    os.system('gpg --batch --passphrase ' + passwd + ' foo.gpg')
    # Do something with file 'foo'
    os.system('gpg -c --batch --passphrase ' + passwd + ' foo')

But then the passwd variable would be lying unprotected in memory during script execution (and perhaps beyond)...

Is there a nice way to do this operation safely? I looked around a little, and i suspect that GPGME might offer the way, but from the provided online API documentation i am not sure exactly how :) Any hints appreciated!

That said, i am wondering whether there is actually a point in taking this extra precaution: Once foo.gpg is decrypted and opened by the python script, its decrypted contents will find their way in memory... which is about as bad as having the passphrase lying around in memory, is it not?... Should i be thinking about this in a completely different framework? Is there any semi-automated way (external libraries?) to guarantee that the application memory is protected from things like paging, core dumps, ptrace attacks and so on?
Or am i just giving you a good laugh? :)

I would probably be quite happy if i could guarantee that the passphrase and file contents are no longer accessible once the script terminates.

Thanks!
Chris

From kgo at grant-olson.net Mon Jan 31 05:26:14 2011
From: kgo at grant-olson.net (Grant Olson)
Date: Sun, 30 Jan 2011 23:26:14 -0500
Subject: Did I just fry my smartcard?
In-Reply-To: <4D458F70.1030003@grant-olson.net>
References: <4D446253.2090309@grant-olson.net> <87bp2yirgl.fsf@gnupg.org> <4D458F70.1030003@grant-olson.net>
Message-ID: <4D4639E6.4040009@grant-olson.net>

On 01/30/2011 11:18 AM, Grant Olson wrote:
>
>
> With those options enabled, I tried issuing the reset codes. First time
> it complained because no card was inserted. Second time it complained
> because it couldn't find a supported application on the card. I'm not
> sure if that message is normal when the card is in admin-lockout mode,
> or if it indicates there are more serious problems with the card.
>
> grant at johnyaya:~$ gpg-connect-agent
>> scd apdu 00 e6 00 00
> ERR 100663406 Card removed
>> scd apdu 00 44 00 00
> ERR 100663406 Card removed
>> scd serialno
> ERR 100663351 Invalid value
>> scd apdu 00 e6 00 00
> ERR 100663351 Invalid value
>> scd apdu 00 44 00 00
> ERR 100663351 Invalid value
>>
>
> ...

Okay, I solved the problem. I'm just describing what I did for the sake of the archives and future generations...

Numerous attempts to get the serial number of the card or issue reset commands via gpg-connect-agent failed, on different computers, different OS'es, etc.

I downloaded the debian package pcsc-tools. Surprisingly, the command 'pcsc_scan' picked up on the fact that I had an OpenPGP card right away, despite gpg-agent and gpg2 --card-status failures to recognize the card.

From there I tried the APDU reset commands via the tool 'gscriptor', also included with 'pcsc-tools':

00 e6 00 00
00 44 00 00

Still nothing.
From the OpenPGP Card 2.0 spec, it seemed there were two commands I could issue after TERMINATE DF (00 e6 00 00). One was ACTIVATE FILE (00 44 00 00) which I've been trying repeatedly. The other was SELECT FILE (00 A4 04 00 06 D2 76 00 01 24 01 00). So I tried that. BAM! It worked.

At some point yesterday I also tried to send SELECT FILE via gpg-connect-agent, and I know that didn't work. Not sure why gscriptor seemed to work better than gpg-connect-agent and 'scd apdu', but all's well that ends well. The only obvious difference is that I could just tell gscriptor to turn on the card, without having to issue something like a serialno command to spin it up.

-Grant

From jrollins at finestructure.net Mon Jan 31 05:37:21 2011
From: jrollins at finestructure.net (Jameson Rollins)
Date: Sun, 30 Jan 2011 20:37:21 -0800
Subject: How to handle user passphrase input from python script
In-Reply-To: <20110131024151.GP21877@ulb.ac.be>
References: <20110131024151.GP21877@ulb.ac.be>
Message-ID: <87zkqh7kou.fsf@servo.finestructure.net>

On Mon, 31 Jan 2011 03:41:51 +0100, orionbelt2 at gmail.com wrote:
> I use a python script to (a) open a file encrypted with a symmetric
> cipher using a passphrase, (b) do some operations on it, and (c)
> re-encrypt it.

You might try using one of the many python gpg interface libraries that exist out there. With a cursory look I see three such packages in Debian:

python-gpgme
python-pyme
python-gnupginterface

hth.

jamie.

From mjw at gnu.org Sun Jan 30 18:00:55 2011
From: mjw at gnu.org (Mark Wielaard)
Date: Sun, 30 Jan 2011 18:00:55 +0100
Subject: two out of three keys.gnupg.net keyservers down?
Message-ID: <1296406855.3246.11.camel@springer.wildebeest.org>

Hi,

After struggling with sending and retrieving keys for several days I
finally noticed that keys.gnupg.net uses DNS round robin to provide
you with a keyserver. But two out of the three servers are down.

$ host keys.gnupg.net
keys.gnupg.net has address 209.234.253.170
keys.gnupg.net has address 129.128.98.22
keys.gnupg.net has address 193.174.13.74

209.234.170 (zimmermann.mayfirst.org) works.

129.128.98.22 (pgp.srv.ualberta.ca) and 193.174.13.74
(pgpkeys.pca.dfn.de) are both down.

Since keys.gnupg.net is the default keyserver name used could the
broken keyservers be removed from the DNS round robin pool?

The gnupg user experience is really bad otherwise. If you are lucky to
hit the one that works everything is fine, but two out of three times
you hit a bad one and things just stall and hang for ages.

Thanks,

Mark

From gnupg.user at seibercom.net Mon Jan 31 12:14:23 2011
From: gnupg.user at seibercom.net (Jerry)
Date: Mon, 31 Jan 2011 06:14:23 -0500
Subject: two out of three keys.gnupg.net keyservers down?
In-Reply-To: <1296406855.3246.11.camel@springer.wildebeest.org>
References: <1296406855.3246.11.camel@springer.wildebeest.org>
Message-ID: <20110131061423.040619db@scorpio>

On Sun, 30 Jan 2011 18:00:55 +0100
Mark Wielaard articulated:

> Hi,
>
> After struggling with sending and retrieving keys for several days I
> finally noticed that keys.gnupg.net uses DNS round robin to provide
> you with a keyserver. But two out of the three servers are down.
>
> $ host keys.gnupg.net
> keys.gnupg.net has address 209.234.253.170
> keys.gnupg.net has address 129.128.98.22
> keys.gnupg.net has address 193.174.13.74
>
> 209.234.170 (zimmermann.mayfirst.org) works.
>
> 129.128.98.22 (pgp.srv.ualberta.ca) and 193.174.13.74
> (pgpkeys.pca.dfn.de) are both down.
>
> Since keys.gnupg.net is the default keyserver name used could the
> broken keyservers be removed from the DNS round robin pool?
>
> The gnupg user experience is really bad otherwise. If you are lucky to
> hit the one that works everything is fine, but two out of three times
> you hit a bad one and things just stall and hang for ages.

In essence, I reported this exact same problem last week. I am not sure
why the unresponsive servers cannot be fixed; however, as a work
around, I simply started using a new server as my default:

keyserver hkp://wwwkeys.us.pgp.net

This may or may not be of any help to you though. Obviously, the correct
solution is to get all of the servers back on line.

-- 
Jerry
GNUPG.user at seibercom.net
_____________________________________________________________________
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

From dkg at fifthhorseman.net Mon Jan 31 13:43:21 2011
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 31 Jan 2011 07:43:21 -0500
Subject: two out of three keys.gnupg.net keyservers down?
In-Reply-To: <20110131061423.040619db@scorpio>
References: <1296406855.3246.11.camel@springer.wildebeest.org> <20110131061423.040619db@scorpio>
Message-ID: <4D46AE69.9000505@fifthhorseman.net>

On 01/31/2011 06:14 AM, Jerry wrote:
> In essence, I reported this exact same problem last week. I am not sure
> why the unresponsive servers cannot be fixed; however, as a work
> around, I simply started using a new server as my default:
>
> keyserver hkp://wwwkeys.us.pgp.net

If you want the benefits of a DNS round-robin that is kept up-to-date
automatically, you might also try:

pool.sks-keyservers.net

Werner, how is keys.gnupg.net updated? I believe Kristian published his
scripts for how the automated updates work for the sks-keyservers pool.
Is this model something you'd be willing to adopt?

--dkg
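
The failure mode in this thread (a round-robin name where some A records point at unresponsive keyservers) can be checked per address rather than per name. The following is an added example, not part of any message above and not GnuPG code; the function names are hypothetical, and 11371 is assumed as the HKP port.

```python
"""Probe every address behind a round-robin keyserver name (added example)."""
import socket

HKP_PORT = 11371  # assumed: default port for hkp:// keyservers


def resolve_all(name):
    """Return the distinct IPv4 addresses the name resolves to, sorted."""
    infos = socket.getaddrinfo(name, HKP_PORT, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tcp_probe(addr, port=HKP_PORT, timeout=5.0):
    """True if a TCP connection to addr:port completes within the timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False


def check_pool(name, resolve=resolve_all, probe=tcp_probe):
    """Probe each pool member on its own instead of trusting one lookup.

    A client that picks one address per lookup only ever sees one member,
    so a dead server shows up as an intermittent hang. Probing all of them
    gives the actual share of lookups that will land on a dead server.
    """
    status = {addr: probe(addr) for addr in resolve(name)}
    up = [a for a, ok in status.items() if ok]
    down = [a for a, ok in status.items() if not ok]
    miss_rate = len(down) / len(status) if status else None
    return {"name": name, "up": up, "down": down, "miss_rate": miss_rate}


if __name__ == "__main__":
    import sys

    pool = sys.argv[1] if len(sys.argv) > 1 else "keys.gnupg.net"
    report = check_pool(pool)
    for addr in report["up"]:
        print(f"{addr}\tup")
    for addr in report["down"]:
        print(f"{addr}\tDOWN")
    if report["miss_rate"] is not None:
        print(f"{report['miss_rate']:.0%} of pool members did not answer")
```

The resolver and probe are passed in as parameters so the same check can be run against a recorded address list.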