From jhansonxi at gmail.com Tue Jan 1 23:39:58 2013
From: jhansonxi at gmail.com (Jeff Hanson)
Date: Tue, 1 Jan 2013 17:39:58 -0500
Subject: Obtain a signature ID with only a sig file?
Message-ID:

Is there a way to obtain the signature ID from a detached sig file without the signed file? I haven't been able to get anything out of gpg without both files present.

From dkg at fifthhorseman.net Wed Jan 2 03:02:33 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 01 Jan 2013 21:02:33 -0500
Subject: Obtain a signature ID with only a sig file?
In-Reply-To:
References:
Message-ID: <50E39539.1010905@fifthhorseman.net>

On 01/01/2013 05:39 PM, Jeff Hanson wrote:
> Is there a way to obtain the signature ID from a detached sig file without
> the signed file? I haven't been able to get anything out of gpg without
> both files present.

If you're talking about the "SIG_ID", then i don't think that's possible.

According to the DETAILS file (/usr/share/doc/gnupg/DETAILS.gz on debian-ish systems):

>> SIG_ID
>> This is emitted only for signatures of class 0 or 1 which
>> have been verified okay. The string is a signature id
>> and may be used in applications to detect replay attacks
>> of signed messages. Note that only DLP algorithms give
>> unique ids - others may yield duplicated ones when they
>> have been created in the same second.
>>
>> Note, that SIG-TIMESTAMP may either be a number with seconds
>> since epoch or an ISO 8601 string which can be detected by the
>> presence of the letter 'T' inside.

And you can't have a signature that's "verified okay" if you don't have the data that was signed, since the OpenPGP signature block doesn't contain the digested data itself (v3 data signatures contain the two leftmost octets of the digest, but that's certainly not enough to calculate the SIG_ID).

Regards,

--dkg

From fabio.coatti at gmail.com Wed Jan 2 11:05:47 2013
From: fabio.coatti at gmail.com (Fabio Coatti)
Date: Wed, 2 Jan 2013 11:05:47 +0100
Subject: smartcard key change
Message-ID:

Hi All,
I'm playing a bit with a fsfe fellowship card, and I've noticed an issue but I can't say if in gpg or in me :)
basically, the card works as expected (signing, encryption, etc..) with a subkey only setup; I've then changed the sign subkey with a new one, but I noticed that I mistakenly loaded a 4096bit subkey (out of spec, IIRC, it works but it is fairly slow :) ). I then tried to place the previous sign key... and gnupg fails with this error:

Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Cosa scegli? 1

gpg: WARNING: such a key has already been stored on the card!

Replace existing key? (y/N) y
gpg: secret key already stored on a card

but the card has the 4096 key on it; so it seems that gnupg flags every key that has loaded on card as "on card", but it is impossible to tell gnupg that a key has been removed from card.
Interesting enough, gpg --card-status (or gpg --edit key /toggle/list) shows that 4 keys are on card :) i.e. the secret key description reports "card-no: 0000 00000XXX" below 4 keys and not only three.
My guess is that gpg flags every subkey sent to card with the card number and checks the number when requested to install it again... but is there any way to tell gpg to clear that card number field?

--
Fabio

From peter at digitalbrains.com Wed Jan 2 12:31:10 2013
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 02 Jan 2013 12:31:10 +0100
Subject: smartcard key change
In-Reply-To:
References:
Message-ID: <50E41A7E.7090700@digitalbrains.com>

On 02/01/13 11:05, Fabio Coatti wrote:
> Replace existing key? (y/N) y
> gpg: secret key already stored on a card
>
> [...]
> My guess is that gpg flags every subkey sent to card with the card
> number and checks the number when requested to install it again... but
> is there any way to tell gpg to clear that card number field?

It doesn't just flag the secret key as stored on card, the secret key in your keyring is /replaced/ by a stub that just says the key is stored on the card. So your secret keyring no longer contains the secret key.

You will need to recover the secret material from a backup.

At least, I am fairly sure this is the case. I have not tried it out since I don't want to screw up the keys on my smartcards :).

You say we are talking about a signing key here, so you could also just generate a new signing key.

Good luck,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From fabio.coatti at gmail.com Wed Jan 2 14:09:39 2013
From: fabio.coatti at gmail.com (Fabio Coatti)
Date: Wed, 02 Jan 2013 14:09:39 +0100
Subject: smartcard key change
In-Reply-To: <50E41A7E.7090700@digitalbrains.com>
References: <50E41A7E.7090700@digitalbrains.com>
Message-ID: <1529983.rXxy3Ca5LQ@calvin>

On Wednesday 2 January 2013 12:31:10, Peter Lebbing wrote:
> On 02/01/13 11:05, Fabio Coatti wrote:
> > Replace existing key? (y/N) y
> > gpg: secret key already stored on a card
> >
> > [...]
> > My guess is that gpg flags every subkey sent to card with the card
> > number and checks the number when requested to install it again... but
> > is there any way to tell gpg to clear that card number field?
>
> It doesn't just flag the secret key as stored on card, the secret key in
> your keyring is /replaced/ by a stub that just says the key is stored on
> the card. So your secret keyring no longer contains the secret key.
>
> You will need to recover the secret material from a backup.
>
> At least, I am fairly sure this is the case. I have not tried it out since I
> don't want to screw up the keys on my smartcards :).
>
> You say we are talking about a signing key here, so you could also just
> generate a new signing key.
>

No big deal, I have the needed backups; now I figured out what's going on, thanks. Maybe the message "gpg: secret key already stored on a card" is a bit misleading here :)

Many thanks!

--
Fabio

From dkg at fifthhorseman.net Wed Jan 2 19:50:10 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 02 Jan 2013 13:50:10 -0500
Subject: [Enigmail] Problem with automated decryption of encrypted drafts? (Key unlocking popup nightmares)
In-Reply-To: <50E4042D.2090907@enigmail.net>
References: <50E4042D.2090907@enigmail.net>
Message-ID: <50E48162.50502@fifthhorseman.net>

On 01/02/2013 04:55 AM, Patrick Brunschwig wrote:
> On 01.01.13 19:57, Sini Ruohomaa wrote:
>> 1) The request popup to unlock my key blocks my _entire X session_,
>> also when TB is minimized, which I think seems needlessly rude. It
>> also doesn't cache my 'cancels' (so I can be asked for the password
>> for 5+ times in a row before I can go back to doing whatever I was
>> doing) and doesn't indicate what it needs the key for. (To
>> reproduce, cause the key popup to appear and just try to ignore
>> it.)
>
> That's because pinentry blocks your X session. pinentry is part of
> GnuPG 2.x, and there is nothing Enigmail could do about it.
> AFAIR there is an option in gpg-agent.conf to disable blocking the X session.

Bug reports or suggestions about pinentry behavior should probably go to a gnupg list (i've cc'ed gnupg-users here, please follow up appropriately)

Do any gnupg contributors have suggestions about the "fails to cache my 'cancels'" concern Sini raised above? I'm not sure how the pieces could fit together to improve the user experience without breaking expected/desired behavior in other contexts.

--dkg

From wk at gnupg.org Wed Jan 2 20:18:27 2013
From: wk at gnupg.org (Werner Koch)
Date: Wed, 02 Jan 2013 20:18:27 +0100
Subject: [Enigmail] Problem with automated decryption of encrypted drafts? (Key unlocking popup nightmares)
In-Reply-To: <50E48162.50502@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Wed, 02 Jan 2013 13:50:10 -0500")
References: <50E4042D.2090907@enigmail.net> <50E48162.50502@fifthhorseman.net>
Message-ID: <877gnvfl6k.fsf@vigenere.g10code.de>

On Wed, 2 Jan 2013 19:50, dkg at fifthhorseman.net said:

>> GnuPG 2.x, and there is nothing Enigmail could do about it. AFAIR
>> there is an option in gpg-agent.conf to disable blocking the X session.

It is called --no-grab.

> Do any gnupg contributors have suggestions about the "fails to cache my
> 'cancels'" concern Sini raised above? I'm not sure how the pieces could

I am not sure what he means. However, recent GnuPG's and pinentries have a cancel-all feature: Either the pinentry features an appropriate button or you use the close-window button of the pinentry which also sends the cancel-all message. This is useful if gpg starts looking for --throw-keyid keys and you know that you don't have the key.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
From vedaal at nym.hush.com Wed Jan 2 20:32:30 2013
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Wed, 02 Jan 2013 14:32:30 -0500
Subject: Obtain a signature ID with only a sig file?
In-Reply-To:
References: <20130102162326.318376F443@smtp.hushmail.com>
Message-ID: <20130102193231.23C2E6F443@smtp.hushmail.com>

Jeff Hanson jhansonxi at gmail.com wrote on Tue Jan 1 23:39:58 CET 2013 :

>Is there a way to obtain the signature ID from a detached sig file without the signed file?

-----

It can be done by using gpg --list-packets 'detached sig filename'

Here is what happens on my system by doing the above for a detached signature file, when only the signature file is present, and the file signed is not:

$ gpg --list-packets /cygdrive/c/users/vedaal/'My Documents'/km1.pdf.gpg
:compressed packet: algo=1
:onepass_sig packet: keyid A306C37B495CA15B
        version 3, sigclass 0x00, digest 8, pubkey 1, last=1
:literal data packet:
        mode b (62), created 1357154353, name="KM1.pdf",
        raw data: 24689 bytes
:signature packet: algo 1, keyid A306C37B495CA15B
        version 4, created 1357154353, md5len 0, sigclass 0x00
        digest algo 8, begin of digest 88 48
        hashed subpkt 2 len 4 (sig created 2013-01-02)
        subpkt 16 len 8 (issuer key ID A306C37B495CA15B)
        data: [2048 bits]

vedaal

From dkg at fifthhorseman.net Wed Jan 2 20:36:22 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 02 Jan 2013 14:36:22 -0500
Subject: Obtain a signature ID with only a sig file?
In-Reply-To: <20130102193231.23C2E6F443@smtp.hushmail.com>
References: <20130102162326.318376F443@smtp.hushmail.com> <20130102193231.23C2E6F443@smtp.hushmail.com>
Message-ID: <50E48C36.2030809@fifthhorseman.net>

On 01/02/2013 02:32 PM, vedaal at nym.hush.com wrote:
> Jeff Hanson jhansonxi at gmail.com wrote on
> Tue Jan 1 23:39:58 CET 2013 :
>
>> Is there a way to obtain the signature ID from a detached sig file without
> the signed file?
>
> -----
>
> It can be done by using gpg --list-packets 'detached sig filename'

this does not produce the sig id. it produces the key ID of the issuer of the signature, which is a different thing.

regards,

--dkg

From jhansonxi at gmail.com Wed Jan 2 22:33:44 2013
From: jhansonxi at gmail.com (Jeff Hanson)
Date: Wed, 2 Jan 2013 16:33:44 -0500
Subject: Fwd: (No Subject)
In-Reply-To:
References:
Message-ID:

Re: Obtain a signature ID with only a sig file?

Thanks. Based on that this also worked:

wget http://.gpg --output-document=- | gpg --verify - /dev/null

I'm writing a kickstart script for Ubuntu and needed a way to test a repository connection before using apt. The problem with apt is that it doesn't have a way to test for connectivity with a specific repository. I wanted to test for connectivity of a newly added repo by downloading the smallest verifiable file available (because of ISP data transfer caps) and the Release.gpg is the best target I've found. Even better is being able to get a verifiable key ID without having to make a temporary file. I'm not worried about verifying the Release list since apt will download that and its own copy of the sig for verification. I just wanted to catch 404 error pages and the like without having apt download the package lists of every repo (many MB each).

---------- Forwarded message ----------
From: Anonymous Remailer (austria)
Date: Wed, Jan 2, 2013 at 3:17 PM
Subject: (No Subject)
To: jhansonxi at gmail.com, gnupg-users at gnupg.org

Jeff Hanson wrote:

> Is there a way to obtain the signature ID from
> a detached sig file without the signed file?
> I haven't been able to get anything out
> of gpg without both files present.
>

echo|gpg --verify detached.sig -

follow:

$ gpg -b -u testkey foobar

$ gpg --verify foobar.sig
gpg: Signature made 01/02/13 00:00:00 using DSA key ID DEADBEEF
gpg: Good signature from "testkey (testkey)"

$ del foobar

$ echo|gpg --verify foobar.sig -
gpg: Signature made 01/02/13 00:00:00 using DSA key ID DEADBEEF
gpg: BAD signature from "testkey (testkey)"

$ gpg --delete-secret-and-public-key testkey

sec 1024D/DEADBEEF 2013-01-02 testkey (testkey)

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

pub 1024D/DEADBEEF 2013-01-02 testkey (testkey)

Delete this key from the keyring? (y/N) y

$ echo|gpg --verify foobar.sig -
gpg: Signature made 01/02/13 00:00:00 using DSA key ID DEADBEEF
gpg: Can't check signature: public key not found

$

From oub at mat.ucm.es Thu Jan 3 21:32:16 2013
From: oub at mat.ucm.es (Uwe Brauer)
Date: Thu, 03 Jan 2013 21:32:16 +0100
Subject: gpgsm: smime, various secret keys, various email addresses how to configure
Message-ID: <87fw2i80tr.fsf@mat.ucm.es>

Hello

I am not sure that this is the correct list to ask and whether my question is too elementary, but I could not find a solution using google.

I started to use smime, via xemacs, gnus, epg and gpgsm. [1]

I have 3 accounts, one for work two private ones. I obtained free certificates from www.comodo.com.

Now the issue is that epg (the lisp interface) chooses the first secret keys which is listed via
gpgsm --list-secret-keys

For any email, even if I use a different account.

However I would like to have

user1 at gmail.com key1
user2 at gmail.com key2
user3 at gmail.com key3

The epg author referred to the gpgsm manual or the mailing list, however I can't find a relevant description

Can somebody help me?

Thanks very much in advance

Uwe Brauer

Footnotes:
[1] I used gpg, but most of the people I correspond with considered it too user unfriendly.
From mortenkjarulff at gmail.com Thu Jan 3 22:43:33 2013
From: mortenkjarulff at gmail.com (Morten Kjærulff)
Date: Thu, 3 Jan 2013 22:43:33 +0100
Subject: Is a document signed with hellosign legally binding?
Message-ID:

Hi,

This is an off topic question, but I do not know where to go with it.

I just signed up with hellosign.com. It is a service where you upload an image file with your handwritten signature. Later on you can upload a document and they will merge your signature and document, and mail it to the one you specified. (at least that is how I understand it)

They claim (http://www.hellosign.com/info/faq) that electronic signatures are legally binding, and refer fx to "European Directive (EC/1999/93)" (http://ec.europa.eu/information_society/policy/esignature/docs/electronic_sig_report.pdf). As far as I can see, this document is about digital signing using certificate and so on.

As I see it, the service provided by hellosign.com has nothing to do with the topics in "European Directive (EC/1999/93)".

Am I right or wrong?

/Morten

From hka at qbs.com.pl Fri Jan 4 00:33:53 2013
From: hka at qbs.com.pl (Hubert Kario)
Date: Fri, 04 Jan 2013 00:33:53 +0100
Subject: Is a document signed with hellosign legally binding?
In-Reply-To:
References:
Message-ID: <1414183.l2L7tov6G1@bursa22>

Hi Morten,

On Thursday 03 of January 2013 22:43:33 Morten Kjærulff wrote:
> Hi,
>
> This is an off topic question, but I do not know where to go with it.
>
> I just signed up with hellosign.com. It is a service where you upload an
> image file with your handwritten signature. Later on you can upload a
> document and they will merge your signature and document, and mail it to
> the one you specified.
> (at least that is how I understand it)
>
> They claim (http://www.hellosign.com/info/faq) that electronic signatures
> are legally binding, and refer fx to "European Directive (EC/1999/93)" (
> http://ec.europa.eu/information_society/policy/esignature/docs/electronic_sig_report.pdf).
> As far as I can see, this document is about digital
> signing using certificate and so on.
>
> As I see it, the service provided by hellosign.com has nothing to do with
> the topics in "European Directive (EC/1999/93)".
>
> Am I right or wrong?
>
> /Morten

As always on the Internet, IANAL. Even if I were, this wouldn't be a legal advice, not legally binding, yada yada.

What's more, I have no knowledge how exactly their system works so below is just my opinion and bits of knowledge about how digital signatures work in EU.

Now, back to the issue in question. In one sentence: this looks very fishy to me.

First: basically only Qualified Electronic Signatures are unquestionably legally binding.
Second: Qualified Electronic Signature can only be created using a Secure Signature Creation Device (a.k.a. cryptographic token).
Third: to get a Qualified Certificate you need to personally visit (this may be more relaxed in some countries) one of certification authorities and present some kind of state issued ID

Considering that the biggest problem (as far as proving its origin, creation date, etc.) with electronic data is that it is very easy to copy, the whole goal of digital signatures was directed to make it impossible to copy a signature (in a way for it to still be valid) without copying verbatim the file/data that was signed.

They are doing exact opposite. The only thing against that is the audit trail. If it doesn't use third party provided time stamps in one way or another I'd bluntly call it useless.

They perform no detailed verification of the person's identity (I can submit scan of Steve Jobs signature and his photo, doesn't make me Steve Jobs).
As such, I'd say it's very unlikely for the scheme described to be regarded as trustworthy (and admissible before court without question), let alone usable for Qualified Electronic Signing.

The only stuff they can reasonably prove, is that a document was created before such and such time and uploaded at such and such time to their service. gmail can do just as much. I'd say if the other person signing a contract is also using gmail it's just as secure and trustworthy.

But maybe it's just my bias against crypto that doesn't use DSA/RSA/ECC...

Regards,
--
Hubert Kario
QBS - Quality Business Software
02-656 Warszawa, ul. Ksawerów 30/85
tel. +48 (22) 646-61-51, 646-74-24
www.qbs.com.pl

From chd at chud.net Fri Jan 4 00:45:39 2013
From: chd at chud.net (Chris De Young)
Date: Thu, 03 Jan 2013 16:45:39 -0700
Subject: Is a document signed with hellosign legally binding?
In-Reply-To: <1414183.l2L7tov6G1@bursa22>
References: <1414183.l2L7tov6G1@bursa22>
Message-ID: <50E61823.4090007@chud.net>

>> This is an off topic question, but I do not know where to go with it.
>>
>> I just signed up with hellosign.com. It is a service where you upload an
>> image file with your handwritten signature. Later on you can upload a
>> document and they will merge your signature and document, and mail it to
>> the one you specified. (at least that is how I understand it)

Although this isn't an answer to your question - I'm not sure I understand the benefit of such a service in the first place; what is the advantage of this process over printing your document instead of uploading it, signing it yourself with a pen, and mailing it to the one you want it to go to yourself?

If the idea is that the document isn't a format that lends itself to printing, how do they "merge" your signature image with it in any meaningful way that you couldn't do yourself just as easily?

Just curious...

-Chris

From rjh at sixdemonbag.org Fri Jan 4 02:59:27 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 03 Jan 2013 20:59:27 -0500
Subject: Is a document signed with hellosign legally binding?
In-Reply-To:
References:
Message-ID: <50E6377F.8040107@sixdemonbag.org>

On 1/3/2013 4:43 PM, Morten Kjærulff wrote:
> They claim (http://www.hellosign.com/info/faq) that electronic
> signatures are legally binding, and refer fx to "European Directive
> (EC/1999/93)"

There is usually a world of difference between what cryppies consider a "legally binding signature" and what is really a legally binding signature. The law has many ways for a signature to be deemed binding: the law has many ways for a binding signature to be repudiated.

Whether a signature is really binding in your specific case is a legal question for which you'll need to consult with a lawyer licensed to practice in your area.

From expires2013 at ymail.com Fri Jan 4 03:23:36 2013
From: expires2013 at ymail.com (MFPA)
Date: Fri, 4 Jan 2013 02:23:36 +0000
Subject: Is a document signed with hellosign legally binding?
In-Reply-To:
References:
Message-ID: <217108513.20130104022336@my_localhost>

Hi

On Thursday 3 January 2013 at 9:43:33 PM, in , Morten Kjærulff wrote:

> It is a service
> where you upload an image file with your handwritten
> signature. Later on you can upload a document and they
> will merge your signature and document, and mail it to
> the one you specified.

I can't quite see the point of this. Surely you could just paste the image of your signature into the document yourself, save it as a PDF (for example), and email it to the intended recipient.

I also question whether I would want to give somebody else an image of my handwritten signature, especially a website that requires you to enable scripts from about a dozen domains.

> They claim (http://www.hellosign.com/info/faq) that
> electronic signatures are legally binding, and refer fx
> to "European Directive (EC/1999/93)"
> .
A quick skim through that document suggests to me the basic intention of the directive is for electronic signatures to have the same legal status as handwritten signatures. I'm not convinced that document is hugely relevant.

I see no reason why the image of your signature placed into the document should have any different status than:-

* typing your name and making clear it constituted a signature, or
* one of those rubber-stamp signatures that solicitors used to use on cheques, or
* an actual handwritten signature.

Of course, I am not legally trained. Anybody taking the advice of anonymous strangers over the internet does so at their own risk.

>
> As far as I can see, this document is about digital
> signing using certificate and so on.

Yes. Although the document does mention on page 215: "An e-signature in the form of a computer-generated facsimile would have satisfied the requirements of the Insolvency Act in terms of signing a proxy voting form." That sounds very much like adding an image to a document as an electronic signature.

> As I see it, the service provided by hellosign.com has
> nothing to do with the topics in "European Directive
> (EC/1999/93)".
> Am I right or wrong?

There is certainly a lot in the linked EC document that has nothing to do with the service offered by hellosign.com.
--
Best regards

MFPA mailto:expires2013 at ymail.com

Another person's secret is like another person's money: you are not as careful with it as you are with your own

From singpolyma at singpolyma.net Fri Jan 4 03:53:22 2013
From: singpolyma at singpolyma.net (Stephen Paul Weber)
Date: Fri, 4 Jan 2013 02:53:22 +0000
Subject: "New" packet headers and gpg
Message-ID: <20130104025322.GA26567@singpolyma.net>

Is there a set of switches to tell gpg or gpg2 to produce "new" packet length headers for output? Specifically .

--
Stephen Paul Weber, @singpolyma
See for how I prefer to be contacted
edition right joseph

From dshaw at jabberwocky.com Fri Jan 4 05:42:07 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 3 Jan 2013 23:42:07 -0500
Subject: Paperkey 1.3
Message-ID: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com>

Hi folks,

Paperkey 1.3 is released. This adds ECC key support (both ECDH and ECDSA) as well as a few more minor tweaks.

Source and Win32 binaries are available at: http://www.jabberwocky.com/software/paperkey/

Enjoy!
David

From dshaw at jabberwocky.com Fri Jan 4 05:52:05 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 3 Jan 2013 23:52:05 -0500
Subject: "New" packet headers and gpg
In-Reply-To: <20130104025322.GA26567@singpolyma.net>
References: <20130104025322.GA26567@singpolyma.net>
Message-ID: <09D45477-7DB2-4B34-A0F8-C0A3B5650329@jabberwocky.com>

On Jan 3, 2013, at 9:53 PM, Stephen Paul Weber wrote:

> Is there a set of switches to tell gpg or gpg2 to produce "new" packet length headers for output? Specifically .

No. GPG automatically uses the old packet headers for those packets that can be described that way (i.e. packets numbered less than 16) and new packet headers for all other packets (16 and up).

David

From branko at majic.rs Fri Jan 4 10:01:00 2013
From: branko at majic.rs (Branko Majic)
Date: Fri, 4 Jan 2013 10:01:00 +0100
Subject: Paperkey 1.3
In-Reply-To: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com>
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com>
Message-ID: <20130104100100.42b8e405@zetkin.int.primekey.se>

On Thu, 3 Jan 2013 23:42:07 -0500 David Shaw wrote:

> Paperkey 1.3 is released. This adds ECC key support (both ECDH and
> ECDSA) as well as a few more minor tweaks.
>
> Source and Win32 binaries are available at:
> http://www.jabberwocky.com/software/paperkey/

Curious piece of software. Certainly not something that comes to mind right away for making backups.

I wonder if you could back-up even more by using 2D bar code for an output?
Best regards

--
Branko Majic
Jabber: branko at majic.rs
Please use only Free formats when sending attachments to me.

From mortenkjarulff at gmail.com Fri Jan 4 13:35:09 2013
From: mortenkjarulff at gmail.com (Morten Kjærulff)
Date: Fri, 4 Jan 2013 13:35:09 +0100
Subject: Is a document signed with hellosign legally binding?
In-Reply-To: <50E6A5F0.6070705@miradoiro.com>
References: <50E6A5F0.6070705@miradoiro.com>
Message-ID:

Thank you all!

So, a bare email is also legally binding, but it can be hard to prove who sent it. Same for hellosign.com, it can be hard to prove who really signed a document there, and it was that fact that confused me, I made "legally binding" and "prove who signed" the same thing.

/Morten

On Fri, Jan 4, 2013 at 10:50 AM, David P ? wrote:

> The directive refers to two types of signatures on article 2: electronic
> signatures are those like me writing my name on the foot of this email,
> advanced electronic signatures are the ones that require certificates and
> so on. By art 5.1, advanced electronic signatures are equivalent to
> hand-written ones, by art 5.2, though, unqualified electronic signatures
> should not be denied legal validity on the mere grounds that they are
> electronic. So without advising to particulars, especially given the
> possible issues with transposition of the directive into national law, an
> electronic signature of that sort is binding, though of course it is
> possible to question whether it really was issued by the signatory and so
> on.
>
> --David.
>
>
From apadmaraju at prounlimited.com Thu Jan 3 20:37:28 2013
From: apadmaraju at prounlimited.com (Anilkumar Padmaraju)
Date: Thu, 3 Jan 2013 11:37:28 -0800
Subject: gnupg not working with RHEL 4
Message-ID:

Hi,

This is an important issue for me. I would really appreciate, if any one can help.

Server 1:
I have a server with Red Hat Enterprise Linux AS release 4 (Nahant Update 5) and having gnupg version 1.2.6.

When I am trying to import a key, I am getting below problem and the key is not getting imported. The key is 2048 bits.

# gpg --import /key.asc
gpg: DSA requires the use of a 160 bit hash algorithm
gpg: DSA requires the use of a 160 bit hash algorithm
gpg: DSA requires the use of a 160 bit hash algorithm
gpg: DSA requires the use of a 160 bit hash algorithm
gpg: key ACF6FA22: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg: w/o user IDs: 1
#

Server 2:
I have an another server with Red Hat Enterprise Linux Server release 5.5 (Tikanga) and with gnupg version 1.4.5. On this I am able to import the same key successfully.

Unfortunately, I cannot upgrade Linux on Server 1. What I have to do to solve the problem with gpg import on Server 1? Do I have to upgrade the gnupg on Server 1 or is there alternate solution? If I have to upgrade gnupg, to which version of gnupg I have to update? I cannot use up2date because the Server 1 is not subscribed to RHN. So what will be the alternate way to upgrade without up2date.

Thank you very much,
Anil.

From rjh at sixdemonbag.org Fri Jan 4 14:34:40 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 04 Jan 2013 08:34:40 -0500
Subject: gnupg not working with RHEL 4
In-Reply-To:
References:
Message-ID: <50E6DA70.9040700@sixdemonbag.org>

On 1/3/2013 2:37 PM, Anilkumar Padmaraju wrote:
> This is an important issue for me. I would really appreciate, if any
> one can help.
The fix is easy: upgrade GnuPG. Version 1.2.6 is old, really old. The certificate you're trying to import uses an algorithm (DSA2) which is relatively new. GnuPG is trying to treat this as a DSA certificate and is complaining that it uses the wrong parameters.

Download and install the GnuPG 1.4.13 source code from:

ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.13.tar.bz2

... and this problem will go away.

From mwood at IUPUI.Edu Fri Jan 4 14:50:56 2013
From: mwood at IUPUI.Edu (Mark H. Wood)
Date: Fri, 4 Jan 2013 08:50:56 -0500
Subject: Is a document signed with hellosign legally binding?
In-Reply-To:
References:
Message-ID: <20130104135056.GB22257@IUPUI.Edu>

I don't know, but I must say that I'm wary of dealing with unknown people who are collecting signature samples from all over Europe, offering a service which seems to accomplish very little and making disputed claims about its legal effect.

--
Mark H. Wood, Lead System Programmer mwood at IUPUI.Edu
There's an app for that: your browser

From dshaw at jabberwocky.com Fri Jan 4 14:54:43 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 4 Jan 2013 08:54:43 -0500
Subject: gnupg not working with RHEL 4
In-Reply-To:
References:
Message-ID: <60BC2FBA-0E5D-4145-B180-78DC8278169B@jabberwocky.com>

On Jan 3, 2013, at 2:37 PM, Anilkumar Padmaraju wrote:

> Hi,
>
> This is an important issue for me. I would really appreciate, if any one can help.
>
> Server 1:
> I have a server with Red Hat Enterprise Linux AS release 4 (Nahant Update 5) and having gnupg version 1.2.6.
>
>
> When I am trying to import a key, I am getting below problem and the key is not getting imported. The key is 2048 bits.
> > > > # gpg --import /key.asc > gpg: DSA requires the use of a 160 bit hash algorithm This means that you are trying to import a key with a version of GnuPG that is too old to understand it. That key uses a feature (called DSA2) that didn't exist in version 1.2.6 of GnuPG. > Unfortunately, I cannot upgrade Linux on Server 1. What I have to do to solve the problem with gpg import on Server 1? While you don't have to upgrade Linux on server 1, you do need to at least upgrade GnuPG. Go to http://www.gnupg.org/download/ and grab the latest 1.4 version of GnuPG (at the moment, it's 1.4.13). That is the easiest replacement for 1.2.6, and will handle that DSA2 key just fine. David From johanw at vulcan.xs4all.nl Fri Jan 4 15:27:55 2013 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Fri, 04 Jan 2013 15:27:55 +0100 Subject: Paperkey 1.3 In-Reply-To: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com> References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com> Message-ID: <50E6E6EB.2040801@vulcan.xs4all.nl> On 04-01-2013 5:42, David Shaw wrote: > Paperkey 1.3 is released. You might want to update the website, it reads a bit outdated. CD/DVD-ROMs are going the way of the floppy disc; flash memory is much more reliable than either. Future support of USB ports or memory card readers seems the biggest concern for me. -- ir. J.C.A. 
Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From singpolyma at singpolyma.net Fri Jan 4 15:39:22 2013
From: singpolyma at singpolyma.net (Stephen Paul Weber)
Date: Fri, 4 Jan 2013 09:39:22 -0500
Subject: "New" packet headers and gpg
In-Reply-To: <09D45477-7DB2-4B34-A0F8-C0A3B5650329@jabberwocky.com>
References: <20130104025322.GA26567@singpolyma.net> <09D45477-7DB2-4B34-A0F8-C0A3B5650329@jabberwocky.com>
Message-ID: <20130104143922.GA1818@singpolyma-svelti>

Somebody claiming to be David Shaw wrote:
>On Jan 3, 2013, at 9:53 PM, Stephen Paul Weber wrote:
>> tell gpg or gpg2 to produce "new" packet length headers for output?
>
>No. GPG automatically uses the old packet headers for those packets that
>can be described that way

Hmm, ok. I was hoping that with all the "advanced mode, you probably don't care about this" features, there would be one for this.

--
Stephen Paul Weber, @singpolyma
See for how I prefer to be contacted
edition right joseph

From fabio.coatti at gmail.com Fri Jan 4 16:11:06 2013
From: fabio.coatti at gmail.com (Fabio Coatti)
Date: Fri, 04 Jan 2013 16:11:06 +0100
Subject: poldi
Message-ID: <2881301.LpLIF6IPSH@calvin>

Hi,

I'm playing a bit with a fsfe card and trying to find a way to use smartcard for xscreensaver I've stumbled on poldi references, but the sources seems untouched since long time. before starting to work on a updated ebuild (I'm on gentoo installation), is poldi still alive or do we have better way to reach the same goal (basically, having xscreensaver and other pam enabled things using the card)?

sorry if the question is silly, but I found no helpful references so far...
--
Fabio

From wk at gnupg.org Fri Jan 4 16:13:03 2013
From: wk at gnupg.org (Werner Koch)
Date: Fri, 04 Jan 2013 16:13:03 +0100
Subject: Paperkey 1.3
In-Reply-To: <50E6E6EB.2040801@vulcan.xs4all.nl> (Johan Wevers's message of "Fri, 04 Jan 2013 15:27:55 +0100")
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com> <50E6E6EB.2040801@vulcan.xs4all.nl>
Message-ID: <87hamxc77k.fsf@vigenere.g10code.de>

On Fri, 4 Jan 2013 15:27, johanw at vulcan.xs4all.nl said:

> CD/DVD-ROMs are going the way of the floppy disc; flash memory is much
> more reliable than either. Future support of USB ports or memory card

FWIW: Some time ago I copied a bunch of ~25 years old 5.25 floppies to a disk. I had only problems with some of the very cheap or the dusted, wet and oiled ones stored for too many years in my non-heated garage. Nobody has experience with flash for more than a decade.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From dshaw at jabberwocky.com Fri Jan 4 17:31:16 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 4 Jan 2013 11:31:16 -0500
Subject: "New" packet headers and gpg
In-Reply-To: <20130104143922.GA1818@singpolyma-svelti>
References: <20130104025322.GA26567@singpolyma.net> <09D45477-7DB2-4B34-A0F8-C0A3B5650329@jabberwocky.com> <20130104143922.GA1818@singpolyma-svelti>
Message-ID: <24A495D2-B601-4188-B322-46CB7B8748ED@jabberwocky.com>

On Jan 4, 2013, at 9:39 AM, Stephen Paul Weber wrote:

> Somebody claiming to be David Shaw wrote:
>> On Jan 3, 2013, at 9:53 PM, Stephen Paul Weber wrote:
>>> tell gpg or gpg2 to produce "new" packet length headers for output?
>>
>> No. GPG automatically uses the old packet headers for those packets that can be described that way
>
> Hmm, ok. I was hoping that with all the "advanced mode, you probably don't care about this" features, there would be one for this.

You could patch the code (look in build-packet.c) fairly easily if you need this.
Out of curiosity, why do you want to use only new packet headers?

David

From singpolyma at singpolyma.net Fri Jan 4 17:34:51 2013
From: singpolyma at singpolyma.net (Stephen Paul Weber)
Date: Fri, 4 Jan 2013 11:34:51 -0500
Subject: "New" packet headers and gpg
In-Reply-To: <24A495D2-B601-4188-B322-46CB7B8748ED@jabberwocky.com>
References: <20130104025322.GA26567@singpolyma.net> <09D45477-7DB2-4B34-A0F8-C0A3B5650329@jabberwocky.com> <20130104143922.GA1818@singpolyma-svelti> <24A495D2-B601-4188-B322-46CB7B8748ED@jabberwocky.com>
Message-ID: <20130104163451.GA1869@singpolyma-svelti>

Somebody claiming to be David Shaw wrote:
>On Jan 4, 2013, at 9:39 AM, Stephen Paul Weber wrote:
>> Somebody claiming to be David Shaw wrote:
>>> On Jan 3, 2013, at 9:53 PM, Stephen Paul Weber wrote:
>>>> tell gpg or gpg2 to produce "new" packet length headers for output?
>>> No.
>> I was hoping that with all the "advanced mode, you probably don't care
>> about this" features, there would be one for this.
>
>You could patch the code (look in build-packet.c) fairly easily if you need
>this. Out of curiosity, why do you want to use only new packet headers?

I might do that if I get further along. I want to be able to have partial OpenPGP implementations that only bother with new-style headers. Such implementations' output can be read by gpg, but there's currently no way to convince gpg to talk to them :)

My own implementations currently do support both kinds of headers, so it's not a pressing need.

--
Stephen Paul Weber, @singpolyma
See for how I prefer to be contacted
edition right joseph

From harningt at gmail.com Fri Jan 4 16:35:30 2013
From: harningt at gmail.com (Thomas Harning Jr.)
Date: Fri, 4 Jan 2013 10:35:30 -0500
Subject: Paperkey 1.3
In-Reply-To: <20130104100100.42b8e405@zetkin.int.primekey.se>
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com> <20130104100100.42b8e405@zetkin.int.primekey.se>
Message-ID:

You may want to check out my blog post about key backup[1].

In it I mention two bar-code style backup solutions:
* PaperBack [2]
* Twibright Optar [3]

I also investigated QR codes and other 2D bar codes.. however they did not seem to scale well to large amounts of data...

I found that PaperBack, while being a Win32 app (runs fine in Wine) works beautifully for storing quite a bit of data with redundancy and handling for user-level printers. Quoting the page "If you have a good laser printer with the 600 dpi resolution, you can save up to 500,000 bytes of uncompressed data on the single A4/Letter sheet." ... quite a bit to store your entire secret keyring ... though you could use paperkey + this to permit bumping up redundancy / dot-size quite a bit.

Twibright Optar has quite a bit of promise, but requires quite a bit of pre-processing and noise removal (not to mention source-code edit to change dot-size to work nicely with non-super printers).

1: http://blog.eharning.us/2011/04/key-backup-for-paranoid.html
2: http://ollydbg.de/Paperbak/
3: http://ronja.twibright.com/optar/

On Fri, Jan 4, 2013 at 4:01 AM, Branko Majic wrote:

> On Thu, 3 Jan 2013 23:42:07 -0500
> David Shaw wrote:
>
>> Paperkey 1.3 is released. This adds ECC key support (both ECDH and
>> ECDSA) as well as a few more minor tweaks.
>>
>> Source and Win32 binaries are available at:
>> http://www.jabberwocky.com/software/paperkey/
>
> Curious piece of software. Certainly not something that comes to mind
> right away for making backups.
>
> I wonder if you could back-up even more by using 2D bar code for an
> output?
>
> Best regards
>
> --
> Branko Majic
> Jabber: branko at majic.rs
> Please use only Free formats when sending attachments to me.
>

--
Thomas Harning Jr. (http://about.me/harningt)

From dshaw at jabberwocky.com Fri Jan 4 18:31:14 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 4 Jan 2013 12:31:14 -0500
Subject: Paperkey 1.3
In-Reply-To: <20130104100100.42b8e405@zetkin.int.primekey.se>
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com> <20130104100100.42b8e405@zetkin.int.primekey.se>
Message-ID: <94C97912-C377-4414-881F-0617AA85577D@jabberwocky.com>

On Jan 4, 2013, at 4:01 AM, Branko Majic wrote:

> On Thu, 3 Jan 2013 23:42:07 -0500
> David Shaw wrote:
>
>> Paperkey 1.3 is released. This adds ECC key support (both ECDH and
>> ECDSA) as well as a few more minor tweaks.
>>
>> Source and Win32 binaries are available at:
>> http://www.jabberwocky.com/software/paperkey/
>
> Curious piece of software. Certainly not something that comes to mind
> right away for making backups.
>
> I wonder if you could back-up even more by using 2D bar code for an
> output?

Sure, paperkey supports piping the output into whatever code generator you like:

  gpg --export-secret-key mykey | paperkey --output-format raw | your-bar-code-generator

However, 2D bar codes have some of the problems that paperkey is intended to address. You need a 'thing' (a process, a device, etc) to read them, and part of the point of paperkey is that it's supposed to be the backup of last resort, and thus readable by a human without any special hardware involved.

You could also back up your whole key via a 2D bar code (without using paperkey at all) but then you're backing up a lot of redundant data, giving you a larger image. Of course, this may not be a big deal if the intent is to scan it back in again rather than type it back in again.
David

From vedaal at nym.hush.com Fri Jan 4 19:06:11 2013
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Fri, 04 Jan 2013 13:06:11 -0500
Subject: paperkey // recommended OCR font ?
In-Reply-To: <16793717.1631@walmart.com>
Message-ID: <20130104180611.515B3E6726@smtp.hushmail.com>

My scanner is broken (lamp problem) and the multifunction printer hasn't arrived yet ;-( so I can't test this myself.

Has anyone tested Paperkey by scanning it in, having the OCR recognize it without error, and then successfully import it into a keyring ?

If so, what is the recommended font and size to be used for accurate OCR ?

OCR-A, OCR-B, Ordinary Courier 10, other ?

(I know that the purpose of Paperkey is to be able to type it in by hand, if all else fails ;-) but if OCR works, it would make things much easier ... )

TIA

vedaal

From cogsci.k at gmail.com Fri Jan 4 18:39:08 2013
From: cogsci.k at gmail.com (Klaus Neumann)
Date: Fri, 04 Jan 2013 09:39:08 -0800
Subject: Paperkey 1.3
In-Reply-To: <50E6E6EB.2040801@vulcan.xs4all.nl>
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com> <50E6E6EB.2040801@vulcan.xs4all.nl>
Message-ID: <50E713BC.4030102@gmail.com>

On 01/04/2013 06:27 AM, Johan Wevers wrote:
> On 04-01-2013 5:42, David Shaw wrote:
>
>> Paperkey 1.3 is released.
>
> You might want to update the website, it reads a bit outdated.
> CD/DVD-ROMs are going the way of the floppy disc; flash memory is much
> more reliable than either. Future support of USB ports or memory card
> readers seems the biggest concern for me.
>

Support for USB ports or card readers will not disappear over night. Whenever the next better medium becomes common, you simply transfer your back-ups. No reason to be concerned, IMHO.

--
Best regards,
Klaus
--------------
PGP/GPG public keys at http://pgp.mit.edu
_____________________________________________
"Political language ... is designed to make lies sound truthful and murder respectable."
George Orwell

From dshaw at jabberwocky.com Fri Jan 4 20:30:43 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 4 Jan 2013 14:30:43 -0500
Subject: Paperkey 1.3
In-Reply-To: <50E6E6EB.2040801@vulcan.xs4all.nl>
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com> <50E6E6EB.2040801@vulcan.xs4all.nl>
Message-ID:

On Jan 4, 2013, at 9:27 AM, Johan Wevers wrote:

> On 04-01-2013 5:42, David Shaw wrote:
>
>> Paperkey 1.3 is released.
>
> You might want to update the website, it reads a bit outdated.
> CD/DVD-ROMs are going the way of the floppy disc; flash memory is much
> more reliable than either. Future support of USB ports or memory card
> readers seems the biggest concern for me.

That's a very good point. Do you know of any studies on the projected life of flash when used as backup? I've read anecdotal numbers as low as 5 years, and marketing claims are always huge (100 years!), but most of what I see is about the lifespan is when the flash is actively used (so running out of read/write cycles), rather than the on-the-shelf lifespan of already written data.

The few numbers I've seen at manufacturers websites about retention specifically, suggest it's around 10 years (depending on how well the flash is stored - heat makes it die quicker, etc).

David

From apadmaraju at prounlimited.com Fri Jan 4 18:34:37 2013
From: apadmaraju at prounlimited.com (Anilkumar Padmaraju)
Date: Fri, 4 Jan 2013 09:34:37 -0800
Subject: gnupg not working with RHEL 4
In-Reply-To: <60BC2FBA-0E5D-4145-B180-78DC8278169B@jabberwocky.com>
References: <60BC2FBA-0E5D-4145-B180-78DC8278169B@jabberwocky.com>
Message-ID:

Thank you very much, David.

Our other server is having 1.4.5 and to be consistent want to go from 1.2.6 to 1.4.5.

Can I go ahead and update gnupg from 1.2.6 to 1.4.5 on "Red Hat Enterprise Linux AS release 4 (Nahant Update 5)"? Is 1.4.5 compatible with this Linux version? I did not find any information regarding this compatibility.

Thank you,

Anil.

On Fri, Jan 4, 2013 at 5:54 AM, David Shaw wrote:

> On Jan 3, 2013, at 2:37 PM, Anilkumar Padmaraju <apadmaraju at prounlimited.com> wrote:
>
> > Hi,
> >
> > This is an important issue for me. I would really appreciate, if any one can help.
> >
> > Server 1:
> > I have a server with Red Hat Enterprise Linux AS release 4 (Nahant Update 5) and having gnupg version 1.2.6.
> >
> >
> > When I am trying to import a key, I am getting below problem and the key is not getting imported. The key is 2048 bits.
> >
> >
> >
> > # gpg --import /key.asc
> > gpg: DSA requires the use of a 160 bit hash algorithm
>
> This means that you are trying to import a key with a version of GnuPG
> that is too old to understand it. That key uses a feature (called DSA2)
> that didn't exist in version 1.2.6 of GnuPG.
>
> > Unfortunately, I cannot upgrade Linux on Server 1. What I have to do to solve the problem with gpg import on Server 1?
>
> While you don't have to upgrade Linux on server 1, you do need to at least
> upgrade GnuPG.
>
> Go to http://www.gnupg.org/download/ and grab the latest 1.4 version of
> GnuPG (at the moment, it's 1.4.13). That is the easiest replacement for
> 1.2.6, and will handle that DSA2 key just fine.
>
> David
>

--
Anilkumar Padmaraju | Sr. Linux System Administrator
*PRO Unlimited, Inc.*
1350 Old Bayshore Highway, Suite 350, Burlingame, CA 94010
(o) 650-373-2484 | (m) 408-835-7599 | (e) apadmaraju at prounlimited.com
www.prounlimited.com

From ivfrost2-mail at yahoo.com Fri Jan 4 18:16:16 2013
From: ivfrost2-mail at yahoo.com (I.V. Frost)
Date: Fri, 04 Jan 2013 11:16:16 -0600
Subject: Paperkey 1.3
Message-ID: <50E70E60.6000903@yahoo.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Am I the only having trouble both the key for this message and the one with the binaries?
My installation tells me it is not Key ID: 0x99242560 but key 0xA1BC4FA4 which is not found on any server that I use.

David Shaw made the following observation on 1/3/2013 10:42 PM:
> Hi folks,
>
> Paperkey 1.3 is released. This adds ECC key support (both ECDH and
> ECDSA) as well as a few more minor tweaks.
>
> Source and Win32 binaries are available at:
> http://www.jabberwocky.com/software/paperkey/

-----BEGIN PGP SIGNATURE-----
Comment: what is essential is invisible to the eye
Comment: - Antoine de Saint Exupery

iEYEAREIAAYFAlDm96wACgkQsMrrDTRrXem+cQCgpf9rv9Zj7KHr9CMezbN0YjV6
f/gAn174BhbDynOMYspBeKFztlK//xd/
=ZjMc
-----END PGP SIGNATURE-----

From dshaw at jabberwocky.com Fri Jan 4 21:18:17 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 4 Jan 2013 15:18:17 -0500
Subject: Paperkey 1.3
In-Reply-To: <50E70E60.6000903@yahoo.com>
References: <50E70E60.6000903@yahoo.com>
Message-ID: <546CFFD3-A7E2-49E8-A953-DCF7D20D0F4D@jabberwocky.com>

On Jan 4, 2013, at 12:16 PM, "I.V. Frost" wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Am I the only having trouble both the key for this message and the one with the binaries? My installation tells me it is not Key ID: 0x99242560 but key 0xA1BC4FA4 which is not found on any server that I use.

0xA1BC4FA4 is a subkey on 0x99242560. It should be available on the keyserver network.
David

From wk at gnupg.org Fri Jan 4 21:23:45 2013
From: wk at gnupg.org (Werner Koch)
Date: Fri, 04 Jan 2013 21:23:45 +0100
Subject: "New" packet headers and gpg
In-Reply-To: <20130104163451.GA1869@singpolyma-svelti> (Stephen Paul Weber's message of "Fri, 4 Jan 2013 11:34:51 -0500")
References: <20130104025322.GA26567@singpolyma.net> <09D45477-7DB2-4B34-A0F8-C0A3B5650329@jabberwocky.com> <20130104143922.GA1818@singpolyma-svelti> <24A495D2-B601-4188-B322-46CB7B8748ED@jabberwocky.com> <20130104163451.GA1869@singpolyma-svelti>
Message-ID: <87sj6gbstq.fsf@vigenere.g10code.de>

On Fri, 4 Jan 2013 17:34, singpolyma at singpolyma.net said:

> headers. Such implementations' output can be read by gpg, but there's
> currently no way to convince gpg to talk to them :)

I just checked the RFC and it says:

  If interoperability [with PGP 2] is not an issue, the new packet format is RECOMMENDED.

Thus there is nothing in the standard which would speak against using the new headers. This can either be done using a new option or by using for example the existing compliance option --rfc4880.

I don't assume that PGP 2 is still in use. With the recent addition of IDEA even decryption of old data can now be done with vanilla GPG.

Shall we give this a test by using one of the compliance options and make the new headers the default in one or two years? Less code is always better.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From dshaw at jabberwocky.com Fri Jan 4 21:36:32 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 4 Jan 2013 15:36:32 -0500
Subject: gnupg not working with RHEL 4
In-Reply-To:
References: <60BC2FBA-0E5D-4145-B180-78DC8278169B@jabberwocky.com>
Message-ID: <39121838-D366-4898-9052-C81685FCDEA0@jabberwocky.com>

On Jan 4, 2013, at 12:34 PM, Anilkumar Padmaraju wrote:

> Thank you very much, David.
>
> Our other server is having 1.4.5 and to be consistent want to go from 1.2.6 to 1.4.5.
>
> Can I go ahead and update gnupg from 1.2.6 to 1.4.5 on "Red Hat Enterprise Linux AS release 4 (Nahant Update 5)"? Is 1.4.5 compatible with this Linux version? I did not find any information regarding this compatibility.

You could upgrade to 1.4.5, but this is not recommended. There have been a number of bug fixes between 1.4.5 and 1.4.13, and using the most recent version is usually the best course of action.

David

From wk at gnupg.org Fri Jan 4 21:45:42 2013
From: wk at gnupg.org (Werner Koch)
Date: Fri, 04 Jan 2013 21:45:42 +0100
Subject: gnupg not working with RHEL 4
In-Reply-To: (Anilkumar Padmaraju's message of "Fri, 4 Jan 2013 09:34:37 -0800")
References: <60BC2FBA-0E5D-4145-B180-78DC8278169B@jabberwocky.com>
Message-ID: <87obh4brt5.fsf@vigenere.g10code.de>

On Fri, 4 Jan 2013 18:34, apadmaraju at prounlimited.com said:

> Can I go ahead and update gnupg from 1.2.6 to 1.4.5 on "Red Hat Enterprise
> Linux AS release 4 (Nahant Update 5)"? Is 1.4.5 compatible with this Linux
> version? I did not find any information regarding this compatibility.

GnuPG is compatible with all Unix style operating systems including Linux and RHEL [1]. You just need to build it yourself. And please use the latest versions (1.4.13).

Shalom-Salam,

Werner

[1] And with VMS and Windows. However, you better get a prebuilt version for these OSes.

--
Thoughts are free. Exceptions are regulated by a federal law.

From apadmaraju at prounlimited.com Fri Jan 4 22:09:11 2013
From: apadmaraju at prounlimited.com (Anilkumar Padmaraju)
Date: Fri, 4 Jan 2013 13:09:11 -0800
Subject: gnupg not working with RHEL 4
In-Reply-To: <87obh4brt5.fsf@vigenere.g10code.de>
References: <60BC2FBA-0E5D-4145-B180-78DC8278169B@jabberwocky.com> <87obh4brt5.fsf@vigenere.g10code.de>
Message-ID:

Thank you, David and Werner.

This is first time I am upgrading gnupg. Are there any steps or document to download source, compile, and upgrade? I did some search in google, but could not find detailed one.

After upgrading do I have to do gpg --gen-key or it is only needed when we install for the first time?

Thank you,

Anil.

On Fri, Jan 4, 2013 at 12:45 PM, Werner Koch wrote:

> On Fri, 4 Jan 2013 18:34, apadmaraju at prounlimited.com said:
>
> > Can I go ahead and update gnupg from 1.2.6 to 1.4.5 on "Red Hat Enterprise
> > Linux AS release 4 (Nahant Update 5)"? Is 1.4.5 compatible with this Linux
> > version? I did not find any information regarding this compatibility.
>
> GnuPG is compatible with all Unix style operating systems including
> Linux and RHEL [1]. You just need to build it yourself. And please use
> the latest versions (1.4.13).
>
>
> Shalom-Salam,
>
> Werner
>
>
>
> [1] And with VMS and Windows. However, you better get a prebuilt
> version for these OSes.
>
> --
> Thoughts are free. Exceptions are regulated by a federal law.
>

--
Anilkumar Padmaraju | Sr. Linux System Administrator
*PRO Unlimited, Inc.*
1350 Old Bayshore Highway, Suite 350, Burlingame, CA 94010
(o) 650-373-2484 | (m) 408-835-7599 | (e) apadmaraju at prounlimited.com
www.prounlimited.com

From singpolyma at singpolyma.net Fri Jan 4 22:37:14 2013
From: singpolyma at singpolyma.net (Stephen Paul Weber)
Date: Fri, 4 Jan 2013 16:37:14 -0500
Subject: simple-sk-checksum
Message-ID: <20130104213714.GC1838@singpolyma-svelti>

The manpage for gpg sez:

> Secret keys are integrity protected by using a SHA-1 checksum. This
> method is part of the upcoming enhanced OpenPGP specification but GnuPG
> already uses it as a countermeasure against certain attacks. Old
> applications don't understand this new format, so this
> option may be used to switch back to the old behaviour. Using this option
> bears a security risk.

Does anyone know what the actual security risk is? Using a weaker checksum obviously makes it easier to forge data, but in this case the data being forged is just the secret parts of a secret key.
What are the attack vectors there?

--
Stephen Paul Weber, @singpolyma
See for how I prefer to be contacted
edition right joseph

From dshaw at jabberwocky.com Fri Jan 4 22:53:44 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 4 Jan 2013 16:53:44 -0500
Subject: simple-sk-checksum
In-Reply-To: <20130104213714.GC1838@singpolyma-svelti>
References: <20130104213714.GC1838@singpolyma-svelti>
Message-ID: <33BBCE6A-5E00-419E-83D4-D6F61B11B28E@jabberwocky.com>

On Jan 4, 2013, at 4:37 PM, Stephen Paul Weber wrote:

> The manpage for gpg sez:
>
>> Secret keys are integrity protected by using a SHA-1 checksum. This method is part of the upcoming enhanced OpenPGP specification but GnuPG already uses it as a countermeasure against certain attacks. Old applications don't understand this new format, so this
>> option may be used to switch back to the old behaviour. Using this option bears a security risk.
>
> Does anyone know what the actual security risk is? Using a weaker checksum obviously makes it easier to forge data, but in this case the data being forged is just the secret parts of a secret key. What are the attack vectors there?

http://eprint.iacr.org/2002/076.pdf

David

From singpolyma at singpolyma.net Fri Jan 4 23:08:09 2013
From: singpolyma at singpolyma.net (Stephen Paul Weber)
Date: Fri, 4 Jan 2013 17:08:09 -0500
Subject: simple-sk-checksum
In-Reply-To: <33BBCE6A-5E00-419E-83D4-D6F61B11B28E@jabberwocky.com>
References: <20130104213714.GC1838@singpolyma-svelti> <33BBCE6A-5E00-419E-83D4-D6F61B11B28E@jabberwocky.com>
Message-ID: <20130104220809.GD1838@singpolyma-svelti>

Somebody claiming to be David Shaw wrote:
>On Jan 4, 2013, at 4:37 PM, Stephen Paul Weber wrote:
>> Does anyone know what the actual security risk is?
Using a weaker
>> checksum obviously makes it easier to forge data, but in this case the
>> data being forged is just the secret parts of a secret key. What are the
>> attack vectors there?
>
>http://eprint.iacr.org/2002/076.pdf

Thanks! That paper implies that both the public *and* private elements must be integrity protected to defeat the attack (depending on algorithm), however it seems that only the private elements are protected by the SHA1 under RFC4880. Was the need to protect the public elements discovered to be unnecessary?

--
Stephen Paul Weber, @singpolyma
See for how I prefer to be contacted
edition right joseph

From apadmaraju at prounlimited.com Fri Jan 4 23:49:09 2013
From: apadmaraju at prounlimited.com (Anilkumar Padmaraju)
Date: Fri, 4 Jan 2013 14:49:09 -0800
Subject: gnupg not working with RHEL 4
In-Reply-To:
References: <60BC2FBA-0E5D-4145-B180-78DC8278169B@jabberwocky.com> <87obh4brt5.fsf@vigenere.g10code.de>
Message-ID:

I am using http://www.faqs.org/docs/securing/chap19sec152.html to do the upgrade. Please let me know, if I have to do any additional steps.

Since I am already using gpg on this server, do I have to do "gpg --gen-key" after the upgrade?

Thank you,

Anil.

On Fri, Jan 4, 2013 at 1:09 PM, Anilkumar Padmaraju <apadmaraju at prounlimited.com> wrote:

> Thank you, David and Werner.
>
> This is first time I am upgrading gnupg. Are there any steps or document
> to download source, compile, and upgrade? I did some search in google, but
> could not find detailed one.
>
> After upgrading do I have to do gpg --gen-key or it is only needed when we
> install for the first time?
>
> Thank you,
>
> Anil.
>
> On Fri, Jan 4, 2013 at 12:45 PM, Werner Koch wrote:
>
>> On Fri, 4 Jan 2013 18:34, apadmaraju at prounlimited.com said:
>>
>> > Can I go ahead and update gnupg from 1.2.6 to 1.4.5 on "Red Hat Enterprise
>> > Linux AS release 4 (Nahant Update 5)"? Is 1.4.5 compatible with this Linux
>> > version? I did not find any information regarding this compatibility.
>>
>> GnuPG is compatible with all Unix style operating systems including
>> Linux and RHEL [1]. You just need to build it yourself. And please use
>> the latest versions (1.4.13).
>>
>>
>> Shalom-Salam,
>>
>> Werner
>>
>>
>>
>> [1] And with VMS and Windows. However, you better get a prebuilt
>> version for these OSes.
>>
>> --
>> Thoughts are free. Exceptions are regulated by a federal law.
>>
>

From dshaw at jabberwocky.com Sat Jan 5 01:17:13 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 4 Jan 2013 19:17:13 -0500
Subject: paperkey // recommended OCR font ?
In-Reply-To: <20130104180611.515B3E6726@smtp.hushmail.com>
References: <20130104180611.515B3E6726@smtp.hushmail.com>
Message-ID: <7172B295-A418-4746-BD9A-3B44A99EF8F7@jabberwocky.com>

On Jan 4, 2013, at 1:06 PM, vedaal at nym.hush.com wrote:

> My scanner is broken (lamp problem) and the multifunction printer hasn't arrived yet ;-( so I can't test this myself.
>
>
> Has anyone tested Paperkey by scanning it in, having the OCR recognize it without error, and then successfully import it into a keyring ?
>
> If so, what is the recommended font and size to be used for accurate OCR ?
>
> OCR-A, OCR-B, Ordinary Courier 10, other ?

I've done this, with regular old Courier. It basically worked, with a few glitches that I had to correct by hand. Paperkey has a checksum on each line so you can easily tell which line got the glitch. I suspect an OCR font would have done better.
David

From rjh at sixdemonbag.org Sat Jan 5 04:23:53 2013
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 04 Jan 2013 22:23:53 -0500
Subject: paperkey // recommended OCR font ?
In-Reply-To: <7172B295-A418-4746-BD9A-3B44A99EF8F7@jabberwocky.com>
References: <20130104180611.515B3E6726@smtp.hushmail.com> <7172B295-A418-4746-BD9A-3B44A99EF8F7@jabberwocky.com>
Message-ID: <50E79CC9.3000107@sixdemonbag.org>

On 1/4/2013 7:17 PM, David Shaw wrote:
> I've done this, with regular old Courier.

My experiences are similar. One additional thing: the larger the font the easier it is for OCR to recognize it (up to a point: I doubt there's much difference between 48- and 72-point recognition). So try using 12- or 14-point if possible.

From johanw at vulcan.xs4all.nl Sat Jan 5 13:55:26 2013
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Sat, 05 Jan 2013 13:55:26 +0100
Subject: Paperkey 1.3
In-Reply-To:
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com> <50E6E6EB.2040801@vulcan.xs4all.nl>
Message-ID: <50E822BE.2020409@vulcan.xs4all.nl>

On 04-01-2013 20:30, David Shaw wrote:

> That's a very good point. Do you know of any studies on the projected life of flash
> when used as backup?

That depends strongly on the type of flash. NOR-flash, which is not used any more in new devices gave problems after not many rewrites. NAND flash is much more durable.

However, when you buy a new device and use it for long term backup purposes (no/very few rewrites) AFAIK it can last very long. The main thing that could damage it when it's just stored is radioactive radiation like cosmic rays.

Personally I'm a heavy user of USB flash, also for backups, and the only problems I ever had were software related (e.g. a 64-bit windows 7 computer that had the tendency to corrupt Truecrypt images). Of course this is anecdotical and I seem to be lucky about it; my oldest CD-ROM backups from 1998 are also still readable.

> The few numbers I've seen at manufacturers websites about retention specifically,
> suggest it's around 10 years (depending on how well the flash is stored - heat
> makes it die quicker, etc).

My oldest flash drive is still readable but it's not 10 years old yet. But I am keeping it and will test it every now and then.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From dkg at fifthhorseman.net Sat Jan 5 20:26:59 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Sat, 05 Jan 2013 14:26:59 -0500
Subject: gnupg not working with RHEL 4
In-Reply-To:
References: <60BC2FBA-0E5D-4145-B180-78DC8278169B@jabberwocky.com> <87obh4brt5.fsf@vigenere.g10code.de>
Message-ID: <50E87E83.5080208@fifthhorseman.net>

On 01/04/2013 04:09 PM, Anilkumar Padmaraju wrote:
> This is first time I am upgrading gnupg. Are there any steps or document
> to download source, compile, and upgrade? I did some search in google, but
> could not find detailed one.
>
> After upgrading do I have to do gpg --gen-key or it is only needed when we
> install for the first time?

GnuPG is software for working with OpenPGP material (keys, signatures, and encrypted messages). Newer versions of GnuPG will continue to work with pre-existing OpenPGP material.

This means that you should not need to generate another OpenPGP key just because your version of GnuPG was upgraded. Your existing OpenPGP key should continue to work.

hth,

--dkg

From kwadronaut at aktivix.org Sun Jan 6 00:39:05 2013
From: kwadronaut at aktivix.org (kwadronaut)
Date: Sun, 06 Jan 2013 00:39:05 +0100
Subject: key revocation reasons in frontends/gnupg
Message-ID: <50E8B999.1010701@aktivix.org>

Hi,

I was thinking/discussing rfc2440 5.2.3.22. Reason for Revocation.
I'd love to hear opinions why it would or wouldn't make sense to have this information easy (easier) available with gnupg or some frontends. I personally find it very convenient to point people to that packet to say that I for example have a new key that superseded the old one. But maybe you have other opinions?

For sake of easiness I'll paste here the relevant RFC section:

   (1 octet of revocation code, N octets of reason string)

   This subpacket is used only in key revocation and certification
   revocation signatures. It describes the reason why the key or
   certificate was revoked.

   The first octet contains a machine-readable code that denotes the
   reason for the revocation:

       0x00 - No reason specified (key revocations or cert revocations)
       0x01 - Key is superceded (key revocations)
       0x02 - Key material has been compromised (key revocations)
       0x03 - Key is no longer used (key revocations)
       0x20 - User id information is no longer valid (cert revocations)

   Following the revocation code is a string of octets which gives
   information about the reason for revocation in human-readable form
   (UTF-8). The string may be null, that is, of zero length. The length
   of the subpacket is the length of the reason string plus one.

Ciao,
Kwadronaut

From cloos at jhcloos.com Sun Jan 6 02:02:47 2013
From: cloos at jhcloos.com (James Cloos)
Date: Sat, 05 Jan 2013 20:02:47 -0500
Subject: paperkey // recommended OCR font ?
In-Reply-To: <20130104180611.515B3E6726@smtp.hushmail.com> (vedaal at nym.hush.com's message of "Fri, 04 Jan 2013 13:06:11 -0500")
References: <20130104180611.515B3E6726@smtp.hushmail.com>
Message-ID:

>>>>> "v" == vedaal writes:

v> If so, what is the recommended font and size to be used for accurate OCR ?
v> OCR-A, OCR-B, Ordinary Courier 10, other ?

I've tried it once. I used ocr-a since it was available and seemed likely to be easiest to scan. And, although some might disagree, I also find it easy to read.

I just gave it a try w/o paper, using mpage to generate postscript, OCRA for the font, gs to render the ps to pbm, and gocr to extract the text.

I needed to run >>tr \;_ ::<< on the extracted text, but with that paperkey was able to generate a new secring.

So be aware that you may need to massage the ocr'ed data to recover paperkey's format, but it should mostly work.

Using OCRB or Courier, gocr wasn't able to recover the text well enough. Tesseract did better with Courier-Bold, but needed >>tr Ol 01<<. But tesseract *badly* fails to grok OCRA!

I suspect that actual printing and scanning won't be *too* much worse.

-JimC
--
James Cloos OpenPGP: 1024D/ED7DAEA6

From mwood at IUPUI.Edu Mon Jan 7 16:39:12 2013
From: mwood at IUPUI.Edu (Mark H. Wood)
Date: Mon, 7 Jan 2013 10:39:12 -0500
Subject: Paperkey 1.3
In-Reply-To:
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com> <50E6E6EB.2040801@vulcan.xs4all.nl>
Message-ID: <20130107153911.GB23569@IUPUI.Edu>

On Fri, Jan 04, 2013 at 02:30:43PM -0500, David Shaw wrote:
> On Jan 4, 2013, at 9:27 AM, Johan Wevers wrote:
>
> > On 04-01-2013 5:42, David Shaw wrote:
> >
> >> Paperkey 1.3 is released.
> >
> > You might want to update the website, it reads a bit outdated.
> > CD/DVD-ROMs are going the way of the floppy disc; flash memory is much
> > more reliable than either. Future support of USB ports or memory card
> > readers seems the biggest concern for me.
>
> That's a very good point. Do you know of any studies on the projected life of flash when used as backup? I've read anecdotal numbers as low as 5 years, and marketing claims are always huge (100 years!), but most of what I see is about the lifespan is when the flash is actively used (so running out of read/write cycles), rather than the on-the-shelf lifespan of already written data.

I'd suggest assuming some periodic read-only use, since we *should* be testing our backups regularly to discover decay *before* it makes something irretrievable.

--
Mark H.
Wood, Lead System Programmer mwood at IUPUI.Edu
There's an app for that: your browser

From peter at digitalbrains.com Mon Jan 7 17:54:15 2013
From: peter at digitalbrains.com (Peter Lebbing)
Date: Mon, 07 Jan 2013 17:54:15 +0100
Subject: Paperkey 1.3
In-Reply-To: <20130107153911.GB23569@IUPUI.Edu>
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com> <50E6E6EB.2040801@vulcan.xs4all.nl> <20130107153911.GB23569@IUPUI.Edu>
Message-ID: <50EAFDB7.5060003@digitalbrains.com>

On 07/01/13 16:39, Mark H. Wood wrote:
> I'd suggest assuming some periodic read-only use, since we *should* be
> testing our backups regularly to discover decay *before* it makes
> something irretrievable.

I would assume the decay to make it irretrievable the moment you discover it. Hoping the bit flips in a non-vital piece of (meta)data seems like a risky backup strategy.

Flash memory stores its data as an electrical charge, which can leak away. It does so very slowly, but it still does[1]. We are talking about years. And reading a cell does not "refresh" it, so read-only use will in principle not do anything to extend the storage time.

Peter.

[1] Johan Wevers mentioned radioactive radiation. Sounds plausible to me, that should be capable of knocking electrons away, I'd think as a layman.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt

From Dave.Smith at st.com Mon Jan 7 17:05:32 2013
From: Dave.Smith at st.com (David Smith)
Date: Mon, 7 Jan 2013 16:05:32 +0000
Subject: Paperkey 1.3
In-Reply-To: <94C97912-C377-4414-881F-0617AA85577D@jabberwocky.com>
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com> <20130104100100.42b8e405@zetkin.int.primekey.se> <94C97912-C377-4414-881F-0617AA85577D@jabberwocky.com>
Message-ID: <50EAF24C.6000606@st.com>

On 01/04/13 17:31, David Shaw wrote:
> Sure, paperkey supports piping the output into whatever code generator you like:
>
> gpg --export-secret-key mykey | paperkey --output-format raw | your-bar-code-generator
>
> However, 2D bar codes have some of the problems that paperkey is intended to address. You need a 'thing' (a process, a device, etc) to read them, and part of the point of paperkey is that it's supposed to be the backup of last resort, and thus readable by a human without any special hardware involved.

True, but OTOH, whilst hardware devices do tend to become obsolete relatively quickly, the algorithms tend to have more longevity. For example, you might struggle to find one of the earlier 1d bar code reader pens that I remember from the 1980s around now, and even the software used for reading and interpreting them will probably have disappeared, but the overall mechanism is still widely used.

I would suggest that we are going to have "devices for scanning paper to a digital image" for quite a few years yet (whether they are SCSI-based ones from years ago, through USB-connected multi-function printers, to digital cameras and beyond. 2d bar codes (and the algorithms needed to process them) are well-specified, so even if the existing software becomes unusable, it could be re-written for a new platform.

I'm not saying that there isn't a place for printing the key out in ASCII; just that it might be a good idea to print it out as a 2d barcode as well, so that if recovery were necessary and the appropriate HW and SW were available, that could be used to recover substantially more data (since the whole key record could be encoded in a relatively small space), and then fall back on the ASCII version if the barcode is unrecoverable.

From apadmaraju at prounlimited.com Mon Jan 7 19:32:16 2013
From: apadmaraju at prounlimited.com (Anilkumar Padmaraju)
Date: Mon, 7 Jan 2013 10:32:16 -0800
Subject: gnupg not working with RHEL 4
In-Reply-To: <50E87E83.5080208@fifthhorseman.net>
References: <60BC2FBA-0E5D-4145-B180-78DC8278169B@jabberwocky.com> <87obh4brt5.fsf@vigenere.g10code.de> <50E87E83.5080208@fifthhorseman.net>
Message-ID:

Thank you, Daniel.

Anil.

On Sat, Jan 5, 2013 at 11:26 AM, Daniel Kahn Gillmor wrote:

> On 01/04/2013 04:09 PM, Anilkumar Padmaraju wrote:
> > This is first time I am upgrading gnupg. Are there any steps or document
> > to download source, compile, and upgrade? I did some search in google,
> but
> > could not find detailed one.
> >
> > After upgrading do I have to do gpg --gen-key or it is only needed when
> we
> > install for the first time?
>
> GnuPG is software for working with OpenPGP material (keys, signatures,
> and encrypted messages). Newer versions of GnuPG will continue to work
> with pre-existing OpenPGP material.
>
> This means that you should not need to generate another OpenPGP key just
> because your version of GnuPG was upgraded. Your existing OpenPGP key
> should continue to work.
>
> hth,
>
> --dkg
>
>

--
Anilkumar Padmaraju | Sr. Linux System Administrator
*PRO Unlimited, Inc.*
1350 Old Bayshore Highway, Suite 350, Burlingame, CA 94010
(o) 650-373-2484 | (m) 408-835-7599 | (e) apadmaraju at prounlimited.com
www.prounlimited.com

From bd9439 at att.com Mon Jan 7 22:14:16 2013
From: bd9439 at att.com (DUELL, BOB)
Date: Mon, 7 Jan 2013 21:14:16 +0000
Subject: Invalid packet error message
Message-ID:

Hi,

When trying to decrypt a file, we are getting this error message:

gpg: [don't know]: invalid packet (ctb=70)

Does anyone know what this means? I tried several Google searches but can't find anything relevant.

FWIW, here is the command (all one line):

gpg --homedir /opt/app/apps/dbmprod/gpg --local-user "mykeyID" --output imdm_extract_20121221.dat --decrypt imdm_extract_20121221.dat.pgp

Thanks,

Bob

From josef at netpage.dk Mon Jan 7 21:49:05 2013
From: josef at netpage.dk (Josef Schneider)
Date: Mon, 7 Jan 2013 21:49:05 +0100
Subject: Paperkey 1.3
In-Reply-To: <50EAFDB7.5060003@digitalbrains.com>
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com> <50E6E6EB.2040801@vulcan.xs4all.nl> <20130107153911.GB23569@IUPUI.Edu> <50EAFDB7.5060003@digitalbrains.com>
Message-ID:

On Mon, Jan 7, 2013 at 5:54 PM, Peter Lebbing wrote:
> Flash memory stores its data as an electrical charge, which can leak away.
> It does so very slowly, but it still does[1]. We are talking about years.
> And reading a cell does not "refresh" it, so read-only use will in principle
> not do anything to extend the storage time.

Still you can't be sure that the controller or flash cells won't just stop working. Yesterday, a new MicroSD card of mine just stopped working. At first one folder was unreadable and fsck didn't work, then after unplugging and re-plugging it all file names were gibberish, the card got hot and I unplugged it. Since then it's detected as unformatted and no write access is possible. This is the second MicroSD card where this happens for me. While yesterday this was after less than a day, the other one broke after about a month of heavy usage in my smart phone.

And while with a CD or DVD you probably still can read parts of the data (especially if you have e.g.
PAR2 files to recover it) if a flash storage of any kind stops working, realistically you can't do anything to rescue even parts of the data. And while most hard disks that broke showed some signs of that (via SMART or increased sound level) all flash memory devices more or less stopped working from one moment to the other. (but then, I don't have very much data)

So I wouldn't trust any flash memory for long time storage.

From bd9439 at att.com Tue Jan 8 00:31:20 2013
From: bd9439 at att.com (DUELL, BOB)
Date: Mon, 7 Jan 2013 23:31:20 +0000
Subject: Invalid packet error message
In-Reply-To:
References:
Message-ID:

-----Original Message-----
>From: breaka at srv1.adept-hosting.net [mailto:breaka at srv1.adept-hosting.net] On Behalf Of Anonymous
>Sent: Monday, January 07, 2013 3:14 PM
>To: DUELL, BOB
>Subject: Re: Invalid packet error message
>
>> gpg
>> --homedir /opt/app/apps/dbmprod/gpg
>> --local-user "mykeyID"
>> --imdm_extract_20121221.dat
>> --decrypt imdm_extract_20121221.dat.pgp
>>
>
>
>make --output imdm_extract_20121221.dat
>last in command line
>
>[reply to list]

Unfortunately, that's not it; I get:

gpg: WARNING: unsafe permissions on homedir `/opt/app/apps/dbmprod/gpg'
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
usage: gpg [options] --decrypt [filename]

Also, here is my setup:

bd9439 at dspsas01 $ gpg --homedir /opt/app/apps/dbmprod/gpg --version
gpg: WARNING: unsafe permissions on homedir `/opt/app/apps/dbmprod/gpg'
gpg (GnuPG) 1.4.11
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /opt/app/apps/dbmprod/gpg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

And yes, I know it's an old version. I just have not had a reason to upgrade; what we have has worked fine (until now). And yes, the "unsafe permissions" is understood. I have this installed in a "public" directory so all users can decrypt files (we have a common key to receive files from outside sources).

This is the first time I've seen such a message. We will ask the outside source to re-encrypt and re-send the file (perhaps it was corrupted during FTP), but I'm curious what this error message means.

Thanks!

Bob

From wk at gnupg.org Tue Jan 8 09:17:45 2013
From: wk at gnupg.org (Werner Koch)
Date: Tue, 08 Jan 2013 09:17:45 +0100
Subject: Invalid packet error message
In-Reply-To: (BOB DUELL's message of "Mon, 7 Jan 2013 21:14:16 +0000")
References:
Message-ID: <871udw6qc6.fsf@vigenere.g10code.de>

On Mon, 7 Jan 2013 22:14, bd9439 at att.com said:

> gpg: [don't know]: invalid packet (ctb=70)
>
> Does anyone know what this means? I tried several Google searches but

Your input data is corrupted. OpenPGP messages are constructed from several packets, each packet starts with a tag byte commonly called CTB indicating the type of the packet and how the length of the packet is specified. 0x70 is not a valid CTB, thus you see this message.

A common cause for a corrupted message is the use of a non binary clean channel (e.g. using ftp without switching to binary mode). Mail software may also corrupt the message. Ask the sender of the message to encapsulate it in a ZIP or tar file and then unzip it before decrypting. If this works or you can't unzip it your transport channel is non 8 bit clean. A quick work around would be the use of the --armor or -a option.

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From John at enigmail.net Tue Jan 8 10:26:00 2013
From: John at enigmail.net (John Clizbe)
Date: Tue, 08 Jan 2013 03:26:00 -0600
Subject: Paperkey 1.3
In-Reply-To: <50E70E60.6000903@yahoo.com>
References: <50E70E60.6000903@yahoo.com>
Message-ID: <50EBE628.8010106@enigmail.net>

I.V. Frost wrote:
>
> Am I the only having trouble both the key for this message and the one
> with the binaries? My installation tells me it is not Key ID:
> 0x99242560 but key 0xA1BC4FA4 which is not found on any server that I use.
>

Something sounds odd about the search criteria or keyserver selection.

Searching for the subkey 0xA1BC4FA4:

http://keyserver.gingerbear.net:11371/pks/lookup?search=0xA1BC4FA4&fingerprint=on&op=index

returns the key:

Search results for '0xa1bc4fa4'

Type bits/keyID     Date       User ID

pub  4096R/99242560 2002-01-28 David M. Shaw
     Fingerprint=7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560

This should be true of any of the SKS keyservers out there. (I'm syncing with 75 other servers)

--
John P. Clizbe Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797 hkp://keyserver.gingerbear.net or
mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From bd9439 at att.com Tue Jan 8 16:10:25 2013
From: bd9439 at att.com (DUELL, BOB)
Date: Tue, 8 Jan 2013 15:10:25 +0000
Subject: Invalid packet error message
In-Reply-To: <871udw6qc6.fsf@vigenere.g10code.de>
References: <871udw6qc6.fsf@vigenere.g10code.de>
Message-ID:

Thanks for the excellent explanation!

Before I ask for the file to be retransmitted, one quick question (perhaps obvious but bear with me):

If I ask the sender to use the -a option, the resulting file will be ASCII and as such, I would download it as "text" from our FTP server, not "binary", correct?

It just occurred to me that the problem was on the sender's side; perhaps they uploaded the file as "text" when they placed it on our FTP server (we use an intermediary FTP site).

At any rate, I think I understand now. Thanks very much!

Bob

-----Original Message-----
From: Werner Koch [mailto:wk at gnupg.org]
Sent: Tuesday, January 08, 2013 12:18 AM
To: DUELL, BOB
Cc: gnupg-users at gnupg.org
Subject: Re: Invalid packet error message

On Mon, 7 Jan 2013 22:14, bd9439 at att.com said:

> gpg: [don't know]: invalid packet (ctb=70)
>
> Does anyone know what this means? I tried several Google searches but

Your input data is corrupted. OpenPGP messages are constructed from several packets, each packet starts with a tag byte commonly called CTB indicating the type of the packet and how the length of the packet is specified. 0x70 is not a valid CTB, thus you see this message.

A common cause for a corrupted message is the use of a non binary clean channel (e.g. using ftp without switching to binary mode). Mail software may also corrupt the message. Ask the sender of the message to encapsulate it in a ZIP or tar file and then unzip it before decrypting. If this works or you can't unzip it your transport channel is non 8 bit clean. A quick work around would be the use of the --armor or -a option.

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From mwood at IUPUI.Edu Tue Jan 8 16:25:39 2013
From: mwood at IUPUI.Edu (Mark H.
Wood)
Date: Tue, 8 Jan 2013 10:25:39 -0500
Subject: Paperkey 1.3
In-Reply-To: <50EAFDB7.5060003@digitalbrains.com>
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com> <50E6E6EB.2040801@vulcan.xs4all.nl> <20130107153911.GB23569@IUPUI.Edu> <50EAFDB7.5060003@digitalbrains.com>
Message-ID: <20130108152539.GB3657@IUPUI.Edu>

On Mon, Jan 07, 2013 at 05:54:15PM +0100, Peter Lebbing wrote:
> On 07/01/13 16:39, Mark H. Wood wrote:
> > I'd suggest assuming some periodic read-only use, since we *should* be
> > testing our backups regularly to discover decay *before* it makes
> > something irretrievable.
>
> I would assume the decay to make it irretrievable the moment you discover
> it. Hoping the bit flips in a non-vital piece of (meta)data seems like a
> risky backup strategy.

[Hmmm, we are diverging a bit from Paperkey.]

This is why backup formats typically have internal redundancy. (Printing the data as characters on paper adds a *lot* of redundancy.) Depending on the medium, you might include error-correcting codes that can recover from single-bit errors. If you catch it at that stage, you can copy it out and discard the failing medium. Some codes will also detect errors that can't be corrected, so that you know *now* to throw this medium away and make a new copy of your other backup. (You *do* have another backup?) If you wait, they may both turn out to be corrupt.

Every backup medium decays. Long-term backups should be:

o armored against bit-level decay;
o tested regularly to detect degradation in progress;
o replicated (and the replicas housed separately);
o periodically refreshed or copied to new media.

I realize that most of us don't do any of that which didn't come with the software, but we should. :-/

Of course, if an active device (like a flash stick) just stops working and starts smoking, nothing can be recovered from it. That's one of the reasons you keep two of them.

--
Mark H.
Wood, Lead System Programmer mwood at IUPUI.Edu
There's an app for that: your browser

From vedaal at nym.hush.com Tue Jan 8 18:49:07 2013
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Tue, 08 Jan 2013 12:49:07 -0500
Subject: Paperkey 1.3 // very durable but often overlooked backup medium
Message-ID: <20130108174907.E9E35E6726@smtp.hushmail.com>

Back in the shrouded mists of time, in the last millennium, before digital media were widely accessible, many libraries and archives used to back up data on microfiche.

Many of them had built in printers, so that 'text' data could be retrieved, printed out, (and then, as the technology became widely available), scanned into digital format.

http://www.wisegeek.org/what-is-microfiche.htm

The above article gives the following interesting (?overly optimistic?) durability estimate:

=====[ begin quote ]=====
The polyester material on which the images are printed is also very stable and, if kept in a temperature controlled environment, is estimated to last as long as 500 years. CD-ROMs are estimated to last for about 75 - 100 years, depending on the materials they are made of and how they are stored.
=====[ end quote ]=====

(as an old darkroom B&W hobbyist, I remember specific instructions on how to prepare prints for 'Archival Quality' [adjust development time so that the print could tolerate 2 minutes in a fixer tray without overly darkening], this produced an estimate then of 75 year durability.)

Preserving only monochrome text probably has much greater durability.

Anyone come across specific recommendations for paper, printer, and storage recommendations for 'Archival Paper Backup' ?

TIA

vedaal

From avi.wiki at gmail.com Tue Jan 8 19:00:59 2013
From: avi.wiki at gmail.com (Avi)
Date: Tue, 8 Jan 2013 13:00:59 -0500
Subject: Paperkey 1.3 // very durable but often overlooked backup medium
In-Reply-To: <20130108174907.E9E35E6726@smtp.hushmail.com>
References: <20130108174907.E9E35E6726@smtp.hushmail.com>
Message-ID:

These sites may prove interesting:

< http://www.familyarchives.com/pages/documents-how-to-preserve-your-documents.html >

This book, perhaps:

--Avi

----
User:Avraham

pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key)
Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E 29F9

On Tue, Jan 8, 2013 at 12:49 PM, wrote:

> Archival Paper Backup

From vedaal at nym.hush.com Tue Jan 8 20:37:41 2013
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Tue, 08 Jan 2013 14:37:41 -0500
Subject: Paperkey 1.3 // very durable but often overlooked backup medium
In-Reply-To:
References: <20130108174907.E9E35E6726@smtp.hushmail.com>
Message-ID: <20130108193741.8BABBE6718@smtp.hushmail.com>

On Tuesday, January 08, 2013 at 2:13 PM, "Avi" wrote:
>
>These sites may prove interesting:
>
><
>http://www.familyarchives.com/pages/documents-how-to-preserve-your-
>documents.html
>>
>maintenance/index.html>
>

Excellent !
Thanks!

vedaal

From oub at mat.ucm.es Tue Jan 8 23:02:51 2013
From: oub at mat.ucm.es (Uwe Brauer)
Date: Tue, 08 Jan 2013 23:02:51 +0100
Subject: embedded public key in signature as in smime.
Message-ID: <87lic3fi44.fsf@mat.ucm.es>

Hello

Are there any plans to modify the signature (backward compatible?) such that it contains the public key embedded as in smime?

thanks

Uwe Brauer

From dkg at fifthhorseman.net Tue Jan 8 23:21:58 2013
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 08 Jan 2013 17:21:58 -0500
Subject: embedded public key in signature as in smime.
In-Reply-To: <87lic3fi44.fsf@mat.ucm.es>
References: <87lic3fi44.fsf@mat.ucm.es>
Message-ID: <50EC9C06.9020205@fifthhorseman.net>

On 01/08/2013 05:02 PM, Uwe Brauer wrote:
> Are there any plans to modify the signature (backward compatible?) such
> that it contains the public key embedded as in smime?

Not that i know of. Why do you think this would be useful?

You could do all of this within the existing OpenPGP specification, but to make it actually useful (and not just bloat your signatures in ways that no one else bothers to take advantage of) you might want to modify GnuPG a bit.

Here are some thoughts on how you might approach it if you think this is a worthwhile goal.

OpenPGP notations: https://tools.ietf.org/html/rfc4880#section-5.2.3.16

To send this sort of thing, you'd just need to pick a standard name for the notation, and use gpg's --sig-notation argument in some reasonable way. Reading gpg(1), it seems like you might want to extend the %-escaping to make some code (e.g. %X) include the full key in some format.

That's just the sending side. then you'd have to take care of the receiving side. If you wanted gpg to interpret something like this automatically, you'd need to consider the concern that now the previously read-only activity of evaluating a signature has side effects that might modify your keyring. This has some of the same issues (except for the "web bug" concern) as gpg's "--keyserver-options auto-key-retrieve" option, as well as "--verify-options pka-lookups" though, so it has some precedent in the existing codebase.

So to extend gpg, you might add some other --verify-options directive like import-embedded-key-notation.

make sense?

--dkg

From oub at mat.ucm.es Wed Jan 9 15:35:54 2013
From: oub at mat.ucm.es (Uwe Brauer)
Date: Wed, 09 Jan 2013 15:35:54 +0100
Subject: embedded public key in signature as in smime.
References: <87lic3fi44.fsf@mat.ucm.es> <50EC9C06.9020205__1946.69991401515$1357683802$gmane$org@fifthhorseman.net>
Message-ID: <87vcb6whit.fsf@gilgamesch.quim.ucm.es>

>> "Daniel" == Daniel Kahn Gillmor writes:

> On 01/08/2013 05:02 PM, Uwe Brauer wrote:
>> Are there any plans to modify the signature (backward compatible?) such
>> that it contains the public key embedded as in smime?

> Not that i know of. Why do you think this would be useful?

I think it would make it easier to interchange public keys. I have tried over many years to encourage my friends to use pgp, one of the obstacles was the extraction and interchange of the public keys.

I started to use smime recently and besides its flaws I have to admit that the key interchange is easier (most likely be more insecure)

> You could do all of this within the existing OpenPGP specification, but
> to make it actually useful (and not just bloat your signatures in ways
> that no one else bothers to take advantage of) you might want to modify
> GnuPG a bit.

> Here are some thoughts on how you might approach it if you think this is
> a worthwhile goal.

> OpenPGP notations: https://tools.ietf.org/html/rfc4880#section-5.2.3.16

thanks

[snip]

> So to extend gpg, you might add some other --verify-options directive
> like import-embedded-key-notation.

> make sense?

I think it does, but it sounds like a project for the (far) future.

regards

Uwe

From wk at gnupg.org Wed Jan 9 16:32:20 2013
From: wk at gnupg.org (Werner Koch)
Date: Wed, 09 Jan 2013 16:32:20 +0100
Subject: embedded public key in signature as in smime.
In-Reply-To: <87vcb6whit.fsf@gilgamesch.quim.ucm.es> (Uwe Brauer's message of "Wed, 09 Jan 2013 15:35:54 +0100")
References: <87lic3fi44.fsf@mat.ucm.es> <50EC9C06.9020205__1946.69991401515$1357683802$gmane$org@fifthhorseman.net> <87vcb6whit.fsf@gilgamesch.quim.ucm.es>
Message-ID: <87d2xe4bjv.fsf@vigenere.g10code.de>

On Wed, 9 Jan 2013 15:35, oub at mat.ucm.es said:

> I started to use smime recently and besides its flaws I have to admit
> that the key interchange is easier (most likely be more insecure)

With S/MIME you can send the keys because it is a centralized system and all trust comes from the root certificate which has already been installed on the system. Actually sending the certificate with the mail is required because there is no easy other way to retrieve a certificate.

With OpenPGP we have it much easier and do not need to resort to that silliness of sending several K of certificates for a one liner. Sending the certificate is even bad because it implies that you never need to look out for revocations. The funny thing is that S/MIME looks online for revocations, but can't do so for certificates. Thus the argument of using a more secure offline connections is a bit flawed.

BTW, if you are able to put the keyblock/certificate into the DNS, users have an easy way to get it. You may also configure your mail client to always attach the OpenPGP key, that makes it pretty clear and easy to send you (or Mallory) an encrypted reply.

Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
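
[Added example, not part of any message in this archive and not GnuPG's code: a minimal Python check of the packet header byte (CTB) that Werner Koch describes in the "Invalid packet error message" thread above, following RFC 4880 section 4.2. The sample message is constructed, the LF-to-CRLF rewrite is an assumed stand-in for a text-mode FTP transfer, and the base64 step is a simplified stand-in for --armor output (no armor headers or CRC).]

```python
import base64


class InvalidPacket(ValueError):
    """The byte stream cannot be parsed as OpenPGP packets."""


def parse_header(data, pos=0):
    """Parse one packet header at data[pos] (RFC 4880 section 4.2).

    Returns (tag, body_length, header_size). body_length is None when the
    packet has no single definite length (old-format indeterminate length,
    new-format partial body length).
    """
    def need(n):
        if pos + n > len(data):
            raise InvalidPacket("truncated packet header")

    need(1)
    ctb = data[pos]
    if not ctb & 0x80:                       # bit 7 is set in every valid CTB
        raise InvalidPacket(f"invalid packet (ctb={ctb:02x})")
    if ctb & 0x40:                           # new format: tag in bits 5-0
        tag = ctb & 0x3F
        need(2)
        first = data[pos + 1]
        if first < 192:                      # one-octet length
            length, size = first, 2
        elif first < 224:                    # two-octet length
            need(3)
            length, size = ((first - 192) << 8) + data[pos + 2] + 192, 3
        elif first == 255:                   # five-octet length
            need(6)
            length, size = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
        else:                                # partial body length
            length, size = None, 2
    else:                                    # old format: tag in bits 5-2
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:                       # indeterminate length
            length, size = None, 1
        else:                                # 1, 2 or 4 length octets
            n = 1 << ltype
            need(1 + n)
            length, size = int.from_bytes(data[pos + 1:pos + 1 + n], "big"), 1 + n
    if tag == 0:                             # tag 0 is reserved
        raise InvalidPacket(f"invalid packet (ctb={ctb:02x})")
    return tag, length, size


def walk_packets(data):
    """Return [(tag, body_length), ...] for a stream of packets."""
    packets, pos = [], 0
    while pos < len(data):
        tag, length, size = parse_header(data, pos)
        packets.append((tag, length))
        if length is None:                   # body runs on; stop walking here
            break
        pos += size + length
        if pos > len(data):
            raise InvalidPacket("truncated packet body")
    return packets


def diagnose(data):
    """Return the packet list, or the parse error as a string."""
    try:
        return walk_packets(data)
    except InvalidPacket as exc:
        return str(exc)


def text_mode_transfer(data):
    """Simulate a text-mode transfer that rewrites LF as CRLF (assumption)."""
    return data.replace(b"\n", b"\r\n")


def armored_survives(data):
    """True if base64 text (simplified armor) survives the same rewrite."""
    return base64.decodebytes(text_mode_transfer(base64.encodebytes(data))) == data


# Constructed sample: an old-format Literal Data packet (tag 11, 18-byte body)
# followed by a new-format Marker packet (tag 10, body "PGP").
LITERAL_BODY = b"b\x00" + b"\x00\x00\x00\x00" + b"line1\nline2\n"
SAMPLE = b"\xac" + bytes([len(LITERAL_BODY)]) + LITERAL_BODY + b"\xca\x03PGP"

if __name__ == "__main__":
    print(diagnose(SAMPLE))                      # clean binary transfer
    print(diagnose(text_mode_transfer(SAMPLE)))  # body grew, next CTB misread
    print(diagnose(b"\x70"))                     # the byte from the report
    print(armored_survives(SAMPLE))
```

[After the simulated text-mode transfer the first packet's declared length no longer matches its body, so the parser lands on a stray byte where the next CTB should be; the base64 form decodes unchanged because line-ending bytes are ignored on decode.]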

From sbsubram at in.ibm.com Thu Jan 10 13:38:58 2013
From: sbsubram at in.ibm.com (Suresh B Subramanyam)
Date: Thu, 10 Jan 2013 18:08:58 +0530
Subject: Clarification sought on GnuPG v1.4.12
Message-ID:

Hi GPG user group,

I am trying to use Gnu PG v1.4.12 in one of my projects. I have downloaded the source gnupg-1.4.12-1.aix5.1.ppc.rpm from

http://www.linuxfromscratch.org/blfs/view/svn/postlfs/gnupg.html

as I could not find any download link for this version in Gnu PG website.

However, I am facing some issues in compiling the source. Is there a link from where I can get the binary of 1.4.12 version, from where I can download and readily use.

I intend to use this on AIX 5.3 platform

Any help will be appreciated.

Thanks and Regards,
Suresh B Subramanyam
SA3 2F 015, Bangalore, India
Ph: +91 80 41772421

From wk at gnupg.org Fri Jan 11 14:20:21 2013
From: wk at gnupg.org (Werner Koch)
Date: Fri, 11 Jan 2013 14:20:21 +0100
Subject: Clarification sought on GnuPG v1.4.12
In-Reply-To: (Suresh B. Subramanyam's message of "Thu, 10 Jan 2013 18:08:58 +0530")
References:
Message-ID: <877gnjx3e2.fsf@vigenere.g10code.de>

On Thu, 10 Jan 2013 13:38, sbsubram at in.ibm.com said:

> the source gnupg-1.4.12-1.aix5.1.ppc.rpm from
>
> http://www.linuxfromscratch.org/blfs/view/svn/postlfs/gnupg.html

I don't know that but it sounds like a Linux distribution which may have been patched and thus might not anymore work on other Unix platforms

> as I could not find any download link for this version in Gnu PG website.

We are not distributing binaries and binaries for Linux won't work on AIX.

>
> I intend to use this on AIX 5.3 platform

ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.13.tar.gz

is the latest version and should build fine on any Unix platform. Please use 1.4.13 and not the old 1.4.12, we recently found and fixed a DoS bug.

Note: There is a report that the new IDEA code doesn't work on PPC, thus you may want to use the --disable-idea option:

./configure --disable-idea
make

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From dshaw at jabberwocky.com Mon Jan 14 05:39:59 2013
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 13 Jan 2013 23:39:59 -0500
Subject: Paperkey 1.3
In-Reply-To: <50EAF24C.6000606@st.com>
References: <06E61075-A0FB-4C7A-A3A4-DFD0DF6C5BEB@jabberwocky.com> <20130104100100.42b8e405@zetkin.int.primekey.se> <94C97912-C377-4414-881F-0617AA85577D@jabberwocky.com> <50EAF24C.6000606@st.com>
Message-ID: <1B257E37-9059-4981-9458-FDE2D166A34A@jabberwocky.com>

On Jan 7, 2013, at 11:05 AM, David Smith wrote:

> On 01/04/13 17:31, David Shaw wrote:
>> Sure, paperkey supports piping the output into whatever code generator you like:
>>
>> gpg --export-secret-key mykey | paperkey --output-format raw | your-bar-code-generator
>>
>> However, 2D bar codes have some of the problems that paperkey is intended to address. You need a 'thing' (a process, a device, etc) to read them, and part of the point of paperkey is that it's supposed to be the backup of last resort, and thus readable by a human without any special hardware involved.
>
> True, but OTOH, whilst hardware devices do tend to become obsolete
> relatively quickly, the algorithms tend to have more longevity. For
> example, you might struggle to find one of the earlier 1d bar code
> reader pens that I remember from the 1980s around now, and even the
> software used for reading and interpreting them will probably have
> disappeared, but the overall mechanism is still widely used.
>
> I would suggest that we are going to have "devices for scanning paper to
> a digital image" for quite a few years yet (whether they are SCSI-based
> ones from years ago, through USB-connected multi-function printers, to
> digital cameras and beyond.
2d bar codes (and the algorithms needed to > process them) are well-specified, so even if the existing software > becomes unusable, it could be re-written for a new platform. This is exactly the point. Algorithms may stay around, but if you have to reconstruct printed data given only knowledge of the encoding algorithm (without the hardware intended to read it, or the software intended to reconstruct the data), well, it's possible, but sure as heck won't be quick or cheap for someone with image processing experience, or even possible for the majority of people without that knowledge. Paperkey often spawns this discussion about how we could use scannable paper images using x, y, or z encoding, or favorite brands of burnable CDs that will last, etc. No doubt, favorite flash brands will be discussed in the future. These are all interesting discussions, but it's sort of missing the point. Paperkey is a way to store your key in a way that needs nothing more than eyes and a keyboard to restore, and uses a medium that can last for many times the greatest human lifespan. The disadvantage is that it's potentially annoying to recover a key from paper (i.e. typing in several hundred hex bytes without error). There are per-line checksums to make this easier, so you know where a mistake is, and you can use OCR to save on typing, but still, you have to get the bytes from paper into a computer somehow. All that is fine, as paperkey does not, and is not intended to, replace a backup of your secret keys. It's not where you should be going if your primary storage goes poof. > I'm not saying that there isn't a place for printing the key out in > ASCII; just that it might be a good idea to print it out as a 2d barcode > as well Exactly. Keep proper backups! Paperkey is for when that backup fails, for when your CD stops working, for when the driver for your scanning pen isn't maintained on your new computer, or for when cosmic rays have rendered your flash corrupt.
It's the backup of last resort, and as such should need nothing other than the ability to read numbers and type them in again to restore, hence my comment about not favoring a 2D barcode paperkey. David From sini.ruohomaa at cs.helsinki.fi Sun Jan 13 22:50:59 2013 From: sini.ruohomaa at cs.helsinki.fi (sini.ruohomaa at cs.helsinki.fi) Date: Sun, 13 Jan 2013 23:50:59 +0200 Subject: [Enigmail] Problem with automated decryption of encrypted drafts? (Key unlocking popup nightmares) In-Reply-To: <877gnvfl6k.fsf@vigenere.g10code.de> References: <50E4042D.2090907@enigmail.net> <50E48162.50502@fifthhorseman.net> <877gnvfl6k.fsf@vigenere.g10code.de> Message-ID: <50F32C43.3010001@cs.helsinki.fi> Hi, Sorry, I was hoping I could find a solution for this so I could report it but only got to a state where I've minimized the effects by avoidance behaviour. :/ One "solution" to work around this would be to let my email program always cache my key until the end of the session and only have this problem once per session (I have multihour sessions, it wouldn't help a whole lot to just cache for a couple of hours), but a) my heart bleeds over the thought that I have to accept the ever so slightly reduced security just to not be harassed repeatedly for decryption I have not requested. (Why ask the user in the first place if this is the only way to go, etc.) Also, b) it still means that just having Enigmail installed gives me random key unlock requests, apparently even on sessions where I'm not handling encrypted mail. As long as this stands I've chosen not to install the plugin in one of my TB setups where I don't have time for playing around, just because the hassle is too big; I'd rather have to cutpaste the mails manually out of TB for decryption if I need them than take the popup windows. So this bothers me. This is what I've managed to do.
I'd appreciate if someone could eliminate that some of these actions are not necessary/useful for peace from popups: - I turned off all automatic decryption I could find (have to manually press the 'decrypt' button now - and have started to wish it would be an "Other Actions" in the message preview pane too ;)) - I also turned off all other TB features that sound even remotely like they're trying to read messages. This includes search indexing and spam filtering. - I changed my drafts saving to be local instead of on the IMAP server, just in case that would spare me from key unlocking popups (this too causes minor inconvenience so I may have to revert it, I'm hoping it doesn't make a difference). - I have a per-recipient rule to encrypt mail, so to those recipients I don't type in the recipient before I'm about to send. - I don't click on the encryption key to indicate I want to encrypt the message before I'm about to send either. (It'd be really great if this wasn't a problem, too, because it increases the probability of forgetting.) This session I got an unwarranted popup asking for a key unlock: - while I was editing my message filters (I don't *think* I had any encryption-related mails open at the time, it just came as a surprise and got me to start this mail; it's not easily reproduceable) - expectedly when I tried to save as draft a mail that was marked to be encrypted (to test the window grab one more time), - after I deleted an encrypted test draft mail from my Drafts folder and the preview pane moved on to an unencrypted mail (this one, actually), - after I first turned _off_ encrypting on the open draft message from the yellow key icon in the bottom right corner, and made sure it was deleted from the Drafts folder, and THEN tried to save it as draft (this seems to be a bug, shouldn't it start saving the draft as cleartext at that point?) 
- after autosave wanted to save said test mail a couple of minutes later; after that I didn't change it so it's been peaceful. For the most part, I seem to get through my sessions with little harrassment currently as long as I don't do anything unusual or handle encrypted mails, but I still have problems replying to encrypted mails (that is, besides decrypting them to be read and to be replied to, which I find completely reasonable). Because the replies are by default encrypted, the draft autosaving keeps wanting to decrypt the result even though the message is open in front of me. (This also occasionally leads to a strange effect that my draft folder starts to fill up with copies of the draft message over time, but I'm not able to reproduce it with my test message.) [Pinentry grabs X session] > On Wed, 2 Jan 2013 19:50, dkg at fifthhorseman.net said: >>> GnuPG 2.x, and there is nothing Enigmail could do about it. AFAIR >>> there is an option in gpg-agent.conf to disable blocking the X session. > > It is called --no-grab. I may be dense since gpg-agent always seems to defeat me whenever I get close to it. But I added this option to a new file, ~/.gnupg/gpg-agent.conf. It now contains the line "no-grab" and nothing else. I also made sure the Preferences > Advanced > "Use gpg-agent for passphrases" option was set. The resulting command in the console is "gpg --charset utf-8 --display-charset utf-8 --batch --no-tty --status-fd 2 --decrypt --use-agent". This has no effect on the blocking effect of the popup windows asking for my key passphrase. I can change window focus out of the popup by moving my mouse around, but I cannot do anything in the other windows. I'm not sure what I'm doing wrong. >> Do any gnupg contributors have suggestions about the "fails to cache my >> 'cancels'" concern Sini raised above? I'm not sure how the pieces could > > I am not sure what he means. 
However, recent GnuPG's and pinentries > have a cancel-all feature: Either the pinentry features an appropriate > button or you use the close-window button of the pinentry which also > sends the cancel-all message. > > This is useful if gpg starts looking for --throw-keyid keys and you know > that you don't have the key. This feature may also theoretically exist, but unfortunately it makes no difference for me if I hit 'cancel' or close the window from the upper right button; I'll still get the dialogue repeatedly if it's coming repeatedly. I suspect it's just because gpg-agent is immediately being asked a second time after I cancel, as my Enigmail console seems to suggest. I've been unable to start an Enigmail log file. Sorry about the length, too high threshold to complain on mailing lists, don't want to do it multiple times. X-) Best regards, --Sini From jussi.kivilinna at mbnet.fi Mon Jan 14 08:34:09 2013 From: jussi.kivilinna at mbnet.fi (Jussi Kivilinna) Date: Mon, 14 Jan 2013 09:34:09 +0200 Subject: Gpg Aes-ni In-Reply-To: References: Message-ID: <20130114093409.12381kpklsgkt5gg@www.dalek.fi> Hello, gpg 1.4.13 does not have AES-NI acceleration. You'd need to use gpg 2.0.x with libgcrypt version that has AES-NI support (libgcrypt 1.5.0 or newer). If you have more questions with regards to GnuPG, please use GnuPG mailing list (gnupg-users at gnupg.org) instead. -Jussi Quoting Ertunga Arsal : > Hi Jussi, > > Does the latest cli, gpg 1.4.13 support AES-NI? > > Does a command like gpg -r abc at esnc.de --cipher-algo AES256 > --compress-algo none --encrypt xyz.bin use the accelerated routines? > > I'm currently receiving 30MB throughput, it should be actually close > to 500MB. Is there a way to make it work? > > Kind regards, > Ertunga > > ___________ > Ertunga Arsal, CISSP, ISSAP > ESNC GmbH > Bliesstr. 
16 66538 Neunkirchen > Tel : +49-6821-920-6852 > Fax : +49-6821-912-7354 > ertunga.arsal at esnc.de > http://www.esnc.de > HRB 18216 Saarbr?cken > > From leotreasure at gmail.com Tue Jan 15 08:49:43 2013 From: leotreasure at gmail.com (Leo Treasure) Date: Tue, 15 Jan 2013 18:49:43 +1100 Subject: Problem with keys Message-ID: <50F50A17.1070107@gmail.com> Hello, I'm relatively new to GPG but I'm having this problem I need some advice on. When I clear sign a message using a newly created key pair it always chooses the sub key instead of the main key. This happens even when using --default-key . In my settings, GPGPreferences I have the correct key in default key selected. Also in ~/.gnupg/gpg.conf the default-key has the main key's ID. I am running OS X Mountain Lion and the latest version of GPG (GnuPG/MacGPG2) 2.0.19 I did not put an email address when creating the key is about the only unusual thing I have done. Any suggestions? From mailinglisten at hauke-laging.de Tue Jan 15 17:10:06 2013 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Tue, 15 Jan 2013 17:10:06 +0100 Subject: Problem with keys In-Reply-To: <50F50A17.1070107@gmail.com> References: <50F50A17.1070107@gmail.com> Message-ID: <2016360.QT2BuaKC7L@inno> Am Di 15.01.2013, 18:49:43 schrieb Leo Treasure: > When I clear sign a message using a newly created key pair it always > chooses the sub key instead of the main key. This happens even when > using --default-key . This is the expected behaviour. Why don't you want to use your subkey? You can force the usage of the mainkey: --local-user 0x1a571df5\! --default-key 0x1a571df5\! (the \ is for the shell and not always necessary) The main key should not be available for normal usage. The keyword is: offline mainkey. Hauke -- ? PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (seit 2012-11-04) http://www.openpgp-schulungen.de/ -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 572 bytes Desc: This is a digitally signed message part. URL: From leotreasure at gmail.com Wed Jan 16 07:42:38 2013 From: leotreasure at gmail.com (Leo Treasure) Date: Wed, 16 Jan 2013 17:42:38 +1100 Subject: Problem with keys In-Reply-To: <50F6160F.4010802@gmail.com> References: <50F50A17.1070107@gmail.com> <2016360.QT2BuaKC7L@inno> <50F6160F.4010802@gmail.com> Message-ID: <50F64BDE.5060406@gmail.com> On 16/01/13 3:10 AM, Hauke Laging wrote: Am Di 15.01.2013, 18:49:43 schrieb Leo Treasure: > When I clear sign a message using a newly created key pair it always > chooses the sub key instead of the main key. This happens even when > using --default-key . This is the expected behaviour. Why don't you want to use your subkey? You can force the usage of the mainkey: --local-user 0x1a571df5\! --default-key 0x1a571df5\! (the \ is for the shell and not always necessary) The main key should not be available for normal usage. The keyword is: offline mainkey. Hauke -- ? PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (seit 2012-11-04) http://www.openpgp-schulungen.de/ Thanks Hauke! I needed to use the main key to interface with a Bitcoin exchange mpex.co. I first exported my ascii armoured public key and sent it. For subsequent orders the exchange operator needs me to sign with the same main key. I'm not sure if this is a normal use or not. Do you mean that the main key is offline so it is the private key? Sorry if this is a silly question I'm still coming to grips with GPG. Much appreciate your help! 
Leo From dkg at fifthhorseman.net Wed Jan 16 17:54:33 2013 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 16 Jan 2013 11:54:33 -0500 Subject: Problem with keys In-Reply-To: <50F64BDE.5060406@gmail.com> References: <50F50A17.1070107@gmail.com> <2016360.QT2BuaKC7L@inno> <50F6160F.4010802@gmail.com> <50F64BDE.5060406@gmail.com> Message-ID: <50F6DB49.6040106@fifthhorseman.net> On 01/16/2013 01:42 AM, Leo Treasure wrote: > Thanks Hauke! I needed to use the main key to interface with a Bitcoin > exchange mpex.co. I first exported my ascii armoured public key and sent > it. For subsequent orders the exchange operator needs me to sign with > the same main key. I note that your key 0x46EEEA4C06CD1637 is a bit unusual in that its subkey is marked as signing-capable. with the default gpg --gen-key creation, the primary key is usually marked as capable for signing and certification, and the subkey is marked as just encryption-capable. how did you create this key? Despite it being unusual, it's entirely reasonable and within the OpenPGP spec to have a signing-capable subkey. You should tell mpex.co that their system needs to support signing-capable subkeys. Feel free to point them to this discussion, and to encourage them to ask here if they're unclear about what that means or how they might do so. > I'm not sure if this is a normal use or not. Do you mean that the main > key is offline so it is the private key? no, your primary key is not offline unless you've taken steps to put it offline (you would know if you had done so). Hauke was making a suggestion of something else you could do. --dkg -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 1027 bytes Desc: OpenPGP digital signature URL: From dkg at fifthhorseman.net Thu Jan 17 03:48:44 2013 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 16 Jan 2013 21:48:44 -0500 Subject: Problem with keys In-Reply-To: <50F7648C.9060306@gmail.com> References: <50F50A17.1070107@gmail.com> <2016360.QT2BuaKC7L@inno> <50F6160F.4010802@gmail.com> <50F64BDE.5060406@gmail.com> <50F6DB49.6040106@fifthhorseman.net> <50F7648C.9060306@gmail.com> Message-ID: <50F7668C.70908@fifthhorseman.net> On 01/16/2013 09:40 PM, Leo Treasure wrote: > Thanks dkg. I created the key under normal circumstances using version: > gpg (GnuPG/MacGPG2) 2.0.19 > libgcrypt 1.5.0 i'm afraid i don't know what "the normal circumstances" are for MacGPG -- maybe there's better forum for MacGPG someplace? > When setting up the keypair I did not provide an email address. that's OK, the e-mail address is part of the User ID, and the choice of User ID(s) is orthogonal to the settings on your primary key or any of your subkeys. > Could it be that I am using the Mac version that I got this unusual > keypair setup? Maybe -- i have never tried it. Perhaps someone else else on this list has more experience with it, though. If MacGPG is setting up default keys with such unusual usage flags, it'd be good to know about it. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1027 bytes Desc: OpenPGP digital signature URL: From leotreasure at gmail.com Thu Jan 17 03:40:12 2013 From: leotreasure at gmail.com (Leo Treasure) Date: Thu, 17 Jan 2013 13:40:12 +1100 Subject: Problem with keys In-Reply-To: <50F6DB49.6040106@fifthhorseman.net> References: <50F50A17.1070107@gmail.com> <2016360.QT2BuaKC7L@inno> <50F6160F.4010802@gmail.com> <50F64BDE.5060406@gmail.com> <50F6DB49.6040106@fifthhorseman.net> Message-ID: <50F7648C.9060306@gmail.com> Thanks dkg. 
I created the key under normal circumstances using version: gpg (GnuPG/MacGPG2) 2.0.19 libgcrypt 1.5.0 When setting up the keypair I did not provide an email address. Could it be that I am using the Mac version that I got this unusual keypair setup? Regards, Leo On 17/01/13 3:54 AM, Daniel Kahn Gillmor wrote: > On 01/16/2013 01:42 AM, Leo Treasure wrote: >> Thanks Hauke! I needed to use the main key to interface with a Bitcoin >> exchange mpex.co. I first exported my ascii armoured public key and sent >> it. For subsequent orders the exchange operator needs me to sign with >> the same main key. > > I note that your key 0x46EEEA4C06CD1637 is a bit unusual in that its > subkey is marked as signing-capable. with the default gpg --gen-key > creation, the primary key is usually marked as capable for signing and > certification, and the subkey is marked as just encryption-capable. > > how did you create this key? > > Despite it being unusual, it's entirely reasonable and within the > OpenPGP spec to have a signing-capable subkey. > > You should tell mpex.co that their system needs to support > signing-capable subkeys. > > Feel free to point them to this discussion, and to encourage them to ask > here if they're unclear about what that means or how they might do so. > >> I'm not sure if this is a normal use or not. Do you mean that the main >> key is offline so it is the private key? > > no, your primary key is not offline unless you've taken steps to put it > offline (you would know if you had done so). Hauke was making a > suggestion of something else you could do. 
> > --dkg > > From anychem at tormail.org Sat Jan 19 00:57:24 2013 From: anychem at tormail.org (anychem at tormail.org) Date: Fri, 18 Jan 2013 23:57:24 -0000 Subject: No subject Message-ID: <1TwLoK-000IKU-Rr@internal.tormail.org>
hi, need help to cantact peaceandlove From expires2013 at ymail.com Sun Jan 20 01:25:37 2013 From: expires2013 at ymail.com (MFPA) Date: Sun, 20 Jan 2013 00:25:37 +0000 Subject: In-Reply-To: <1TwLoK-000IKU-Rr@internal.tormail.org> References: <1TwLoK-000IKU-Rr@internal.tormail.org>
Message-ID: <1679636413.20130120002537@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Friday 18 January 2013 at 11:57:24 PM, in , anychem at tormail.org wrote: > hi, need help to cantact peaceandlove If you give a little more info, people are more likely to be able to help. I suggest you try posting again addressing some of the questions below, and giving your message a descriptive subject line. What help do you need? What are you trying to achieve? What is going wrong? Which operating system are you using? And which GnuPG version? And what email software? - -- Best regards MFPA mailto:expires2013 at ymail.com Why is the universe here? Well, where else would it be? -----BEGIN PGP SIGNATURE----- iQCVAwUBUPs5mKipC46tDG5pAQpagwP/WO4+FZLyF13N4t0W025hvBYZmM8IyYMw cWiDa6LCaDht1ojE18E+pEzr30bXg9o70NlBS6BJ/3Poz6d/DQoq5Ly064FNvWz6 vlmmLRt86951+Ex2xRF0x/h8dtVOaN3/6j2wCtbT22K89QQiBvlmcMLeJLA7+EX9 aGsAnmDKXzE= =qttw -----END PGP SIGNATURE----- From sradithya at gmail.com Sun Jan 20 04:17:37 2013 From: sradithya at gmail.com (raja aditya) Date: Sat, 19 Jan 2013 21:17:37 -0600 Subject: gpg: out of memory while allocating 8192 bytes - HELP NEEDED Message-ID: Hi All, We are receiving the below error message when trying to encrypt or decrypt a file on AIX server : *gpg: out of memory while allocating 8192 bytes* gpg process was working for years on the server until the day we started to see this. This same gpg encryption is working on an other AIX server in the same environment. Many options were tried including copying the gpg from the server that's working on, recycling the server etc. But the error is persisting. This is not a problem with any one specific id or a group of id's. Any id trying to encrypt/decrypt is getting this error. Hence this is observed at a server level and not at a user or id level. We have an other server with identical settings where it is working normally. Even restoring the file system from this server didn't help. 
The server memory is just fine and is well within limits. Even trying to encrypt / decrypt an empty or a 3 record file is facing a problem, hence its irrespective of the file size or who is trying to encrypt/decrypt it. Sample Error : /home>touch simple1 /home >chmod 777 simple1 /home >/opt/TWWfsw/gnupg12/bin/gpg --encrypt-file simple1 You did not specify a user ID. (you may use "-r") Enter the user ID. End with an empty line: sradithya *gpg: out of memory while allocating 8192 bytes* /home > The issue that surprises is that it also worked for a day after the crash recovery. Its only the next day that it stopped working. No visible changes happened in that one day nor any new file systems were restored. The fact that it worked for a day after crash and then lost is perplexing. Any help or suggestions on this or any clues to look out for would be of a invaluable help to me. Please post any suggestions that you may have. Best Regards, Aditya -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmorgan466 at gmail.com Mon Jan 21 17:56:58 2013 From: rmorgan466 at gmail.com (Rita) Date: Mon, 21 Jan 2013 11:56:58 -0500 Subject: passing information among several users Message-ID: Hello, Here is what I am trying to do in my environment. I have 6 users: maseruser and user{A,B,C,D,E} Masteruser will be generating data and I would like userA and userC be able to decypt the data and others not to. However, in the future I would like to add userE to decrypt the data and remove userA (any old data she has is fine). I was wondering how I can achieve this using gpg -- --- Get your facts first, then you can distort them as you please.-- -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From johanw at vulcan.xs4all.nl Mon Jan 21 21:19:43 2013 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Mon, 21 Jan 2013 21:19:43 +0100 Subject: passing information among several users In-Reply-To: References: Message-ID: <50FDA2DF.7040201@vulcan.xs4all.nl> On 21-01-2013 17:56, Rita wrote: > I have 6 users: masteruser and user{A,B,C,D,E} Make also 6 keypairs for each user. > Masteruser will be generating data and I would like userA and userC be > able to decrypt the data and others not to. Encrypt it to the public key of users A and C. > However, in the future I > would like to add userE to decrypt the data and remove userA (any old > data she has is fine). Encrypt the new messages only to the keys of C and E. > I was wondering how I can achieve this using gpg The easiest way is to define a group in gpg.conf: group receivers=01234567 ABCDEF89 where 01234567 and ABCDEF89 are the key IDs of the receivers. -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From jeandavid8 at verizon.net Mon Jan 21 20:43:35 2013 From: jeandavid8 at verizon.net (Jean-David Beyer) Date: Mon, 21 Jan 2013 14:43:35 -0500 Subject: passing information among several users In-Reply-To: References: Message-ID: <50FD9A67.7070305@verizon.net> On 01/21/2013 11:56 AM, Rita wrote: > Hello, > > > Here is what I am trying to do in my environment. > > > I have 6 users: masteruser and user{A,B,C,D,E} > > Masteruser will be generating data and I would like userA and userC be > able to decrypt the data and others not to. However, in the future I > would like to add userE to decrypt the data and remove userA (any old > data she has is fine). I was wondering how I can achieve this using gpg > Sure you can do this. Or do you want to know how? 1.) get gnupg software. http://gnupg.org/ Install it, generate your keys and your revocation certificate (you never know when you will need one). 2.) Upload your public key to a keyserver. 3.) Have A and C do the same. 3a.)
If you want to anytime, have B and D do it too. 4.) When you want to send data get the public keys for A and C. 5.) Encrypt these data with the public keys of A and C. Am I missing something? From david at systemoverlord.com Wed Jan 23 00:33:01 2013 From: david at systemoverlord.com (David Tomaschik) Date: Tue, 22 Jan 2013 15:33:01 -0800 Subject: Rugged ID-000 form factor card reader? Message-ID: Does anyone know of a more rugged ID-000 (SIM card size) smart card reader than the Gemalto? I'm thinking of something with a metal case perhaps? The reason I ask is that I've had 2 Gemalto readers have the plastic part that attaches to a keyring break off. I would hate to lose my smart card in this way. Even better would be a new smart card with a form factor similar to the Yubikey Nano (https://www.yubico.com/products/yubikey-hardware/yubikey-nano/) but that might be a pipe dream. -- David Tomaschik OpenPGP: 0x5DEA789B http://systemoverlord.com david at systemoverlord.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From aokunlola at gmail.com Wed Jan 23 02:59:35 2013 From: aokunlola at gmail.com (Akinola Okunlola) Date: Tue, 22 Jan 2013 20:59:35 -0500 Subject: Patch for using GPG on 64 bit Matching Message-ID: Hi fellow gnupg-users, I am new to gpg arena though I have used PGP in the past. We have 64-bit servers and I was wondering if there is a Patch to apply to gpg so it could run successfully on 64 bit. Please let me know. Currently, my command line scripts do not run when automated but I can run them manually. Please help. AO -------------- next part -------------- An HTML attachment was scrubbed...
URL: From js at vinci-info.com Wed Jan 23 12:40:06 2013 From: js at vinci-info.com (Johannes Scholz) Date: Wed, 23 Jan 2013 12:40:06 +0100 Subject: gpg on windows 2008 running from task scheduler as NT AUTHORITY\SYSTEM fails with exit code 255 Message-ID: Hello, I am trying to run some gpg operations from a script on windows. Said script works perfectly fine when I run it as a "normal" user account. When launched from the task scheduler (which launches the script as NT AUTHORITY\SYSTEM) it just exits, the exit code is being set to 255. Nothing on stderr or stdout. One example command that fails: "C:\Program Files\Some App\Update\gpg\gpg2.exe" --list-public-keys --with-colons --homedir "C:\Program Files\Some App\Update" XXXXXXXX The home directory I specified with ?homedir exists and the System user has full access to that directory and its contents. I added gpg2.exe to windows 2008's data execution prevention (DEP) exception list. At this point I am out of ideas. Other binaries uses by the script (wget, 7zip) work just fine, even when run as System user. gpg (GnuPG) 2.0.17 (Gpg4win 2.1.0) libgcrypt 1.4.6 Thoughts? Regards, Johannes Scholz -------------- next part -------------- An HTML attachment was scrubbed... URL: From wk at gnupg.org Wed Jan 23 19:33:53 2013 From: wk at gnupg.org (Werner Koch) Date: Wed, 23 Jan 2013 19:33:53 +0100 Subject: Patch for using GPG on 64 bit Matching In-Reply-To: (Akinola Okunlola's message of "Tue, 22 Jan 2013 20:59:35 -0500") References: Message-ID: <87zjzzn3zi.fsf@vigenere.g10code.de> On Wed, 23 Jan 2013 02:59, aokunlola at gmail.com said: > We have 64-bit servers and I was wondering if there is a Patch to apply to > gpg so it could run successfully on 64 bit. GnuPG definitely runs on 64 bit boxes. There is only a glitch for big-endian boxes. If nobody complains I plan to do a 1.4.15 soon. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. 
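Returning to the "passing information among several users" thread above: the following is an added example, not code from any poster or from GnuPG. It reads the recipient key IDs out of a binary (non-armored) OpenPGP message, the same IDs `gpg --list-packets` reports, and shows that dropping userA from new messages leaves older messages still addressed to her. The key IDs, sample messages and helper names are constructed for illustration.

```python
"""List which key IDs an OpenPGP-encrypted message is addressed to (RFC 4880)."""
import struct

PKESK, SKESK = 1, 3       # public-key / symmetric-key encrypted session key
HIDDEN = "0" * 16         # all-zero key ID: recipient hidden (--throw-keyids)

# Constructed 64-bit key IDs. In a real message these are the IDs of the
# recipients' encryption subkeys, not of their primary keys.
USER_A, USER_C, USER_E = "A1" * 8, "C3" * 8, "E5" * 8


def read_header(buf, pos):
    """Return (tag, body_start, body_len); body_len is None if not definite."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet (is the input still armored?)")
    if first & 0x40:                                   # new-format header
        tag, o1 = first & 0x3F, buf[pos + 1]
        if o1 < 192:
            return tag, pos + 2, o1
        if o1 < 224:
            return tag, pos + 3, ((o1 - 192) << 8) + buf[pos + 2] + 192
        if o1 == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        return tag, pos + 2, None                      # partial body length
    tag, ltype = (first >> 2) & 0x0F, first & 0x03     # old-format header
    if ltype == 3:
        return tag, pos + 1, None                      # indeterminate length
    width = (1, 2, 4)[ltype]
    start = pos + 1 + width
    return tag, start, int.from_bytes(buf[pos + 1:start], "big")


def recipients(message):
    """Key IDs (upper-case hex) of every PKESK packet, in packet order."""
    ids, pos = [], 0
    while pos < len(message):
        try:
            tag, start, length = read_header(message, pos)
        except (IndexError, struct.error):
            raise ValueError("truncated packet header") from None
        if tag not in (PKESK, SKESK):
            break      # session-key packets precede the encrypted data packet
        if length is None or start + length > len(message):
            raise ValueError("malformed session-key packet")
        if tag == PKESK:
            body = message[start:start + length]
            if length < 10 or body[0] != 3:
                raise ValueError("unsupported PKESK packet")
            ids.append(body[1:9].hex().upper())   # octets 1..8 are the key ID
        pos = start + length
    return ids


def unexpected_recipients(message, allowed):
    """Recipients outside `allowed`; hidden ones count, as they cannot be checked."""
    return [k for k in recipients(message) if k == HIDDEN or k not in allowed]


def make_pkesk(key_id_hex, new_format=True):
    """Constructed PKESK packet: version 3, key ID, algorithm 1, one dummy MPI."""
    body = bytes([3]) + bytes.fromhex(key_id_hex) + bytes([1]) + b"\x00\x08\xAA"
    first = 0xC0 | PKESK if new_format else 0x80 | (PKESK << 2)
    return bytes([first, len(body)]) + body


# Constructed stand-in for the encrypted data packet (tag 18, dummy body).
DATA = bytes([0xC0 | 18, 5]) + b"\x01\xde\xad\xbe\xef"

OLD_MSG = make_pkesk(USER_A, False) + make_pkesk(USER_C, False) + DATA
NEW_MSG = make_pkesk(USER_C) + make_pkesk(USER_E) + DATA
HIDDEN_MSG = make_pkesk(HIDDEN) + DATA

if __name__ == "__main__":
    current = {USER_C, USER_E}        # the recipient set after the change
    for name, msg in (("old", OLD_MSG), ("new", NEW_MSG), ("hidden", HIDDEN_MSG)):
        print(name, recipients(msg), "unexpected:", unexpected_recipients(msg, current))
```

Each recipient gets their own copy of the session key, so changing the recipient list only affects messages encrypted afterwards.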
From david at systemoverlord.com Wed Jan 23 19:39:30 2013 From: david at systemoverlord.com (David Tomaschik) Date: Wed, 23 Jan 2013 10:39:30 -0800 Subject: Patch for using GPG on 64 bit Matching In-Reply-To: References: Message-ID: I regularly use GnuPG on 64 bit servers with no patches or changes. What OS is on your servers? What version of GPG are you running? On Tue, Jan 22, 2013 at 5:59 PM, Akinola Okunlola wrote: > Hi fellow gnupg-users, > > I am new to gpg arena though I have used PGP in the past. > We have 64-bit servers and I was wondering if there is a Patch to apply to > gpg so it could run successfully on 64 bit. > Please let me know. > Currently, my command line scripts does not run when automated but I can > run them manually. > > Please help. > > AO > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -- David Tomaschik OpenPGP: 0x5DEA789B http://systemoverlord.com david at systemoverlord.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From aokunlola at gmail.com Thu Jan 24 05:47:58 2013 From: aokunlola at gmail.com (Akinola Okunlola) Date: Wed, 23 Jan 2013 23:47:58 -0500 Subject: Patch for using GPG on 64 bit Matching In-Reply-To: References: Message-ID: Hi David, OS is: Windows 2008 R2 Enterprise (64-bit). We are running Gpg4win version 2.1.0 (2011-03-15) which contains GnuPG 2.0.17. Thanks, -Akin On Wednesday, January 23, 2013, David Tomaschik wrote: > I regularly use GnuPG on 64 bit servers with no patches or changes. What > OS is on your servers? What version of GPG are you running? > > > On Tue, Jan 22, 2013 at 5:59 PM, Akinola Okunlola > > wrote: > >> Hi fellow gnupg-users, >> >> I am new to gpg arena though I have used PGP in the past. >> We have 64-bit servers and I was wondering if there is a Patch to apply >> to gpg so it could run successfully on 64 bit. >> Please let me know. 
>> Currently, my command line scripts does not run when automated but I can >> run them manually. >> >> Please help. >> >> AO >> >> _______________________________________________ >> Gnupg-users mailing list >> Gnupg-users at gnupg.org >> http://lists.gnupg.org/mailman/listinfo/gnupg-users >> >> > > > -- > David Tomaschik > OpenPGP: 0x5DEA789B > http://systemoverlord.com > david at systemoverlord.com > -------------- next part -------------- An HTML attachment was scrubbed... URL: From js at vinci-info.com Thu Jan 24 08:55:29 2013 From: js at vinci-info.com (Johannes Scholz) Date: Thu, 24 Jan 2013 08:55:29 +0100 Subject: Patch for using GPG on 64 bit Matching In-Reply-To: Message-ID: By "does not run when automated" you mean it does not run when you run it from the task scheduler? If so, maybe you are having the same issue that I seem to have (2008 AMD64) http://lists.gnupg.org/pipermail/gnupg-users/2013-January/045960.html + Johannes Scholz + js at vinci-info.com From: Akinola Okunlola > Date: Donnerstag, 24. Januar 2013 05:47 To: David Tomaschik > Cc: GnuPG Users List > Subject: Re: Patch for using GPG on 64 bit Matching Hi David, OS is: Windows 2008 R2 Enterprise (64-bit). We are running Gpg4win version 2.1.0 (2011-03-15) which contains GnuPG 2.0.17. Thanks, -Akin On Wednesday, January 23, 2013, David Tomaschik wrote: I regularly use GnuPG on 64 bit servers with no patches or changes. What OS is on your servers? What version of GPG are you running? On Tue, Jan 22, 2013 at 5:59 PM, Akinola Okunlola > wrote: Hi fellow gnupg-users, I am new to gpg arena though I have used PGP in the past. We have 64-bit servers and I was wondering if there is a Patch to apply to gpg so it could run successfully on 64 bit. Please let me know. Currently, my command line scripts does not run when automated but I can run them manually. Please help. 
AO _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users -- David Tomaschik OpenPGP: 0x5DEA789B http://systemoverlord.com david at systemoverlord.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From johanw at vulcan.xs4all.nl Thu Jan 24 13:05:58 2013 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Thu, 24 Jan 2013 13:05:58 +0100 Subject: Patch for using GPG on 64 bit Matching In-Reply-To: <87zjzzn3zi.fsf@vigenere.g10code.de> References: <87zjzzn3zi.fsf@vigenere.g10code.de> Message-ID: <510123A6.10204@vulcan.xs4all.nl> On 23-01-2013 19:33, Werner Koch wrote: > GnuPG definitely runs on 64 bit boxes. There is only a glitch for > big-endian boxes. If nobody complains I plan to do a 1.4.15 soon. Did I miss 1.4.14? -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From aokunlola at gmail.com Thu Jan 24 16:36:37 2013 From: aokunlola at gmail.com (Akinola Okunlola) Date: Thu, 24 Jan 2013 10:36:37 -0500 Subject: Patch for using GPG on 64 bit Matching In-Reply-To: References: Message-ID: I agreed with you David, these are very similar issues. I am exploring the possibility of using Rational robot to run the script. On Thu, Jan 24, 2013 at 2:55 AM, Johannes Scholz wrote: > By "does not run when automated" you mean it does not run when you run it > from the task scheduler? If so, maybe you are having the same issue that I > seem to have (2008 AMD64) > http://lists.gnupg.org/pipermail/gnupg-users/2013-January/045960.html > > + Johannes Scholz > + js at vinci-info.com > > From: Akinola Okunlola > Date: Donnerstag, 24. Januar 2013 05:47 > To: David Tomaschik > Cc: GnuPG Users List > Subject: Re: Patch for using GPG on 64 bit Matching > > Hi David, > > OS is: Windows 2008 R2 Enterprise (64-bit). We are running Gpg4win version > 2.1.0 (2011-03-15) which contains GnuPG 2.0.17. 
> > Thanks, > > -Akin > > On Wednesday, January 23, 2013, David Tomaschik wrote: > >> I regularly use GnuPG on 64 bit servers with no patches or changes. What >> OS is on your servers? What version of GPG are you running? >> >> >> On Tue, Jan 22, 2013 at 5:59 PM, Akinola Okunlola wrote: >> >>> Hi fellow gnupg-users, >>> >>> I am new to gpg arena though I have used PGP in the past. >>> We have 64-bit servers and I was wondering if there is a Patch to apply >>> to gpg so it could run successfully on 64 bit. >>> Please let me know. >>> Currently, my command line scripts does not run when automated but I can >>> run them manually. >>> >>> Please help. >>> >>> AO >>> >>> _______________________________________________ >>> Gnupg-users mailing list >>> Gnupg-users at gnupg.org >>> http://lists.gnupg.org/mailman/listinfo/gnupg-users >>> >>> >> >> >> -- >> David Tomaschik >> OpenPGP: 0x5DEA789B >> http://systemoverlord.com >> david at systemoverlord.com >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From wk at gnupg.org Fri Jan 25 09:51:03 2013 From: wk at gnupg.org (Werner Koch) Date: Fri, 25 Jan 2013 09:51:03 +0100 Subject: Patch for using GPG on 64 bit Matching In-Reply-To: <510123A6.10204@vulcan.xs4all.nl> (Johan Wevers's message of "Thu, 24 Jan 2013 13:05:58 +0100") References: <87zjzzn3zi.fsf@vigenere.g10code.de> <510123A6.10204@vulcan.xs4all.nl> Message-ID: <87txq5lk7c.fsf@vigenere.g10code.de> On Thu, 24 Jan 2013 13:05, johanw at vulcan.xs4all.nl said: > Did I miss 1.4.14? You are right, the next version will be 1.4.14. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wuttkej at gmail.com Fri Jan 25 12:16:47 2013 From: wuttkej at gmail.com (Jochen Wuttke) Date: Fri, 25 Jan 2013 12:16:47 +0100 Subject: No rule to make target `audit-events.h', needed by `all' Message-ID: Hi all, I just tried to compile gpg 2.0.19 on Mac OSX. 
After resolving an odd issue with libiconv, I got a little further, but get the following make error: Making all in common make[2]: *** No rule to make target `audit-events.h', needed by `all'. Stop. make[1]: *** [all-recursive] Error 1 make: *** [all] Error 2 I found this question asked as far back as 2010 on various forums an user groups, but I could never find an answer to what causes this and how to resolve it. Any hints? Thanks, Jochen -------------- next part -------------- An HTML attachment was scrubbed... URL: From mlisten at hammernoch.net Fri Jan 25 20:21:38 2013 From: mlisten at hammernoch.net (=?ISO-8859-1?Q?Ludwig_H=FCgelsch=E4fer?=) Date: Fri, 25 Jan 2013 20:21:38 +0100 Subject: No rule to make target `audit-events.h', needed by `all' In-Reply-To: References: Message-ID: <5102DB42.2020607@hammernoch.net> Hi, On 25.01.13 12:16, Jochen Wuttke wrote: > I found this question asked as far back as 2010 on various forums > an user groups, but I could never find an answer to what causes > this and how to resolve it. Any hints? You may want to look into buildscripts and patches used by the gpgtools project. The dev-tree builds fine here. https://github.com/GPGTools/MacGPG2/tree/dev Ludwig From rjh at sixdemonbag.org Mon Jan 28 06:56:25 2013 From: rjh at sixdemonbag.org (Robert J. 
Hansen) Date: Mon, 28 Jan 2013 00:56:25 -0500 Subject: Fedora 18: still broken for OpenPGP cards Message-ID: <51061309.6020604@sixdemonbag.org> My prior bug report detailing Fedora 17's problems with OpenPGP cards is still current for Fedora 18. Would it be possible for one of the GnuPG maintainers to shake the tree of the gnupg2-smime maintainer (the RPM just lists the Fedora Project as the maintainer) and ask why in God's name they insist on releasing a gnupg2-smime package that does not work, clearly hasn't been checked against the most common smartcard hardware in use for GnuPG, and which has been broken for two major releases? The original thread, BTW: http://www.gossamer-threads.com/lists/gnupg/users/58041 From rjh at sixdemonbag.org Mon Jan 28 07:07:48 2013 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 28 Jan 2013 01:07:48 -0500 Subject: Fedora 18: still broken for OpenPGP cards In-Reply-To: <51061309.6020604@sixdemonbag.org> References: <51061309.6020604@sixdemonbag.org> Message-ID: <510615B4.60206@sixdemonbag.org> On 01/28/2013 12:56 AM, Robert J. Hansen wrote: > My prior bug report detailing Fedora 17's problems with OpenPGP cards is > still current for Fedora 18. Addendum: GnuPG 1.4.13 works fine with smart cards. It's only GnuPG 2.0.19 that's screwed up. [rjh at localhost ~]$ gpg --version gpg (GnuPG) 1.4.13 ... snip ... [rjh at localhost ~]$ gpg2 --version gpg (GnuPG) 2.0.19 libgcrypt 1.5.0 ... snip ... [rjh at localhost ~]$ gpg2 --card-status gpg: selecting openpgp failed: Unsupported certificate gpg: OpenPGP card not available: Unsupported certificate [rjh at localhost ~]$ gpg --card-status gpg: detected reader `SCM Microsystems Inc. SCR 3310 [CCID Interface] 00 00' Application ID ...: D276000124010200000500000D180000 Version ..........: 2.0 Manufacturer .....: ZeitControl Serial number ....: 00000D18 Name of cardholder: Robert Hansen ... snip... 
From vedaal at nym.hush.com Tue Jan 29 18:49:10 2013 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Tue, 29 Jan 2013 12:49:10 -0500 Subject: RSA // OAEP // SHA-1 Message-ID: <20130129174910.81CD710E2C8@smtp.hushmail.com> As the padding scheme in RSA, (OAEP) uses SHA-1, then , *eventually*, as people move away from using SHA-1, and toward a V5 key where SHA-1 is not used, will it also be necessary to re-do the RSA padding to not use SHA-1, and if so, would this fall under the open-pgp RFC, or would it have to go through an RSA standard first? just curious, vedaal From JPClizbe at tx.rr.com Wed Jan 30 01:36:25 2013 From: JPClizbe at tx.rr.com (John Clizbe) Date: Tue, 29 Jan 2013 18:36:25 -0600 Subject: RSA // OAEP // SHA-1 In-Reply-To: <20130129174910.81CD710E2C8@smtp.hushmail.com> References: <20130129174910.81CD710E2C8@smtp.hushmail.com> Message-ID: <51086B09.1090803@tx.rr.com> vedaal at nym.hush.com wrote: > As the padding scheme in RSA, (OAEP) uses SHA-1, then , *eventually*, as > people move away from using SHA-1, and toward a V5 key where SHA-1 is not used, > will it also be necessary to re-do the RSA padding to not use SHA-1, and > if so, would this fall under the open-pgp RFC, or would it have to go through an > RSA standard first? This is probably more on topic for the IETF-OpenPGP list, but anyway... RFC 4880 makes no mention of OAEP. RFC 4880 references RFC 3447 for details of RSA implementation. So, from what I can tell, RSA standard first, then OpenPGP by incorporating the new RSA standard. THEN, Gnupg. [RFC4880] J. Callas, L. Donnerhacke, H. Finney, D. Shaw, R. Thayer. "OpenPGP Message Format", RFC 4880, November 2007. https://tools.ietf.org/html/rfc4880 [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1", RFC 3447, February 2003. https://tools.ietf.org/html/rfc3447 -- John P. 
Clizbe Inet: John (a) Gingerbear DAWT net SKS/Enigmail/PGP-EKP or: John ( @ ) Enigmail DAWT net FSF Assoc #995 / FSFE Fellow #1797 hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 863 bytes Desc: OpenPGP digital signature URL: From lists at michel-messerschmidt.de Wed Jan 30 20:40:25 2013 From: lists at michel-messerschmidt.de (Michel Messerschmidt) Date: Wed, 30 Jan 2013 20:40:25 +0100 Subject: RSA // OAEP // SHA-1 In-Reply-To: <51086B09.1090803@tx.rr.com> References: <20130129174910.81CD710E2C8@smtp.hushmail.com> <51086B09.1090803@tx.rr.com> Message-ID: <20130130194025.GA5039@ryu.matrix> On Tue, Jan 29, 2013 at 06:36:25PM -0600, John Clizbe wrote: > vedaal at nym.hush.com wrote: > > if so, would this fall under the open-pgp RFC, or would it have to go through an > > RSA standard first? > > RFC 4880 makes no mention of OAEP. RFC 4880 references RFC 3447 for details of > RSA implementation. > > So, from what I can tell, RSA standard first, then OpenPGP by incorporating > the new RSA standard. THEN, Gnupg. Although it is the default, RFC 3447 is not restricted to SHA-1. Appendix B actually states: "For the RSAES-OAEP encryption scheme and EMSA-PSS encoding method, only SHA-1 and SHA-256/384/512 are recommended." 
From vedaal at nym.hush.com Wed Jan 30 21:50:14 2013 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Wed, 30 Jan 2013 15:50:14 -0500 Subject: RSA // OAEP // SHA-1 In-Reply-To: <20130130194025.GA5039@ryu.matrix> References: <20130129174910.81CD710E2C8@smtp.hushmail.com> <51086B09.1090803@tx.rr.com> <20130130194025.GA5039@ryu.matrix> Message-ID: <20130130205014.A968E6F443@smtp.hushmail.com> On Wednesday, January 30, 2013 at 3:28 PM, "Michel Messerschmidt" wrote: > >Although it is the default, RFC 3447 is not restricted to SHA-1. >Appendix B actually states: >"For the RSAES-OAEP encryption scheme and EMSA-PSS encoding >method, >only SHA-1 and SHA-256/384/512 are recommended." Which would mean that GnuPG wouldn't need any overhaul of standards to move from a default of SHA-1 to SHA-256, (although it might involve making changes to the crypto library that GnuPG uses for RSA). After thinking about it some more, though, it doesn't seem like much of a threat to continue SHA-1, (or at least, less important for GnuPG to concern itself, than with the SHA-1 involved in the fingerprint.) GnuPg uses RSA padding only to encrypt and decrypt the random session key. All other encryption is done by symmetric algorithms and doesn't involve RSA and its padding. As the session key is random, it isn't vulnerable to a plain-text attack, and might not need any padding at all, and so, the hash function used for the padding isn't such an issue... Sorry to take up the time needlessly. vedaal From avi.wiki at gmail.com Wed Jan 30 21:35:03 2013 From: avi.wiki at gmail.com (Avi) Date: Wed, 30 Jan 2013 15:35:03 -0500 Subject: RSA // OAEP // SHA-1 In-Reply-To: <20130130194025.GA5039@ryu.matrix> References: <20130129174910.81CD710E2C8@smtp.hushmail.com> <51086B09.1090803@tx.rr.com> <20130130194025.GA5039@ryu.matrix> Message-ID: Would it make sense to amend that to add SHA-3? 
--Avi On 1/30/13, Michel Messerschmidt wrote: > On Tue, Jan 29, 2013 at 06:36:25PM -0600, John Clizbe wrote: >> vedaal at nym.hush.com wrote: >> > if so, would this fall under the open-pgp RFC, or would it have to go >> > through an >> > RSA standard first? >> >> RFC 4880 makes no mention of OAEP. RFC 4880 references RFC 3447 for >> details of >> RSA implementation. >> >> So, from what I can tell, RSA standard first, then OpenPGP by >> incorporating >> the new RSA standard. THEN, Gnupg. > > Although it is the default, RFC 3447 is not restricted to SHA-1. > Appendix B actually states: > "For the RSAES-OAEP encryption scheme and EMSA-PSS encoding method, > only SHA-1 and SHA-256/384/512 are recommended." > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -- Sent from my mobile device ---- User:Avraham pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key) Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E 29F9 From jw72253 at verizon.net Thu Jan 31 19:10:07 2013 From: jw72253 at verizon.net (John A. Wallace) Date: Thu, 31 Jan 2013 12:10:07 -0600 Subject: using gpg with http proxy Message-ID: <000501cdffde$33f06eb0$9bd14c10$@net> When I looked here: http://www.gnupg.org/documentation/manpage.en.html, I see it mentioned that the option "--honor-http-proxy" is available and would work if there is an environment variable setting for "http_proxy". Would this work in Windows, and would it simply be ignored if no environment variable were set ahead of time? Finally, in general can an option like this be put either in an options file or in "gpg.conf"? Thanks. John A. Wallace The pen is mightier than the sword, but only if you get in the first stroke. -------------- next part -------------- An HTML attachment was scrubbed... URL: From jw72253 at verizon.net Thu Jan 31 18:24:19 2013 From: jw72253 at verizon.net (John A. 
Wallace) Date: Thu, 31 Jan 2013 11:24:19 -0600 Subject: path defaults for gpg.conf Message-ID: <000001cdffd7$cdb20560$69161020$@net> I have two instances of GnuPG installed on a Windows 7 OS. I also use an application that appears to have installed an instance of it for its own use and put it into one of its separate folders along with some of the files needed with it, including "gpg.exe" and a unique "gpg.conf" file, among others. However, when I go to that folder, in which this third instance of gpg was placed, with a command prompt in Windows and type ".\gpg.exe -h", the initial output from this command includes these lines: Home: %APPDATA%/gnupg Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA What puzzles me is the line with "Home". I have two questions about it. First, where is it getting that environment variable(?) called "Home" since I do not show it listed among the environment variables I can see in Windows when I issue the "set" command to show me all of them? Secondly, why does "Home" point to the path it does instead of pointing to the current directory path for which I issued the command ".\gpg.exe -h". If there is a unique "gpg.conf" in this folder designed to work with this third instance of "gpg.exe", shouldn't "Home" also be this current directory? Otherwise, it would not see the commands and options I included in its special "gpg.conf". Is that not so? Thanks. John A. Wallace The pen is mightier than the sword, but only if you get in the first stroke. -------------- next part -------------- An HTML attachment was scrubbed... URL: From per.hopstadius at logica.com Thu Jan 31 14:29:50 2013 From: per.hopstadius at logica.com (perhop) Date: Thu, 31 Jan 2013 05:29:50 -0800 (PST) Subject: gpg: WARNING: message was not integrity protected - MDC Message-ID: <1359638990136-29533.post@n7.nabble.com> Hi This has been discussed before and I have an question referring to this. 
Short summary: A customer encrypts data with our public key, we receive the file and we attempt to decrypt it. The decrypt step seems to work but we get a warning message while validating the file (gpg: WARNING: message was not integrity protected). The question is how to avoid the warning message. After reading the forum I believe this has to do with mdc, that mdc is not forced in this case and that is causing the warning message. I would like to know how you enable mdc. Do I tell the customer to force mdc or is that controlled from my side, automatic controlled depending on what cipher method I use? We run GPG version 1.4.9 and customer PGP 7.1 Please advise a noob Regards, Dan -- View this message in context: http://gnupg.10057.n7.nabble.com/gpg-WARNING-message-was-not-integrity-protected-MDC-tp29533.html Sent from the GnuPG - User mailing list archive at Nabble.com. From vivarto at gmail.com Thu Jan 31 18:26:38 2013 From: vivarto at gmail.com (Veet Vivarto) Date: Thu, 31 Jan 2013 07:26:38 -1000 Subject: 1.4.12 beta installer for Windows In-Reply-To: <87y5syd8ah.fsf@vigenere.g10code.de> References: <87y5syd8ah.fsf@vigenere.g10code.de> Message-ID: Hello Werner, My friend and I, are working on an easy to use front-end for GPG for Windows and Mac. On Windows we are using the 1.4.11 because it only requires two files (.exe, .dll) I have not been able to find a small Mac command line program that would correspond to GnuPG 1.4. I only found the huge package called GPGTools. Thank you in advance for your help. Vivarto -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From dshaw at jabberwocky.com Thu Jan 31 21:41:06 2013 From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 31 Jan 2013 15:41:06 -0500 Subject: gpg: WARNING: message was not integrity protected - MDC In-Reply-To: <1359638990136-29533.post@n7.nabble.com> References: <1359638990136-29533.post@n7.nabble.com> Message-ID: On Jan 31, 2013, at 8:29 AM, perhop wrote: > Hi > > This has been discussed before and I have an question referring to this. > Short summary: > > A customer encrypts data with our public key, we receive the file and we > attempt to decrypt it. The decrypt step seems to work but we get a warning > message while validating the file (gpg: WARNING: message was not integrity > protected). The question is how to avoid the warning message. > > After reading the forum I believe this has to do with mdc, that mdc is not > forced in this case and that is causing the warning message. > > I would like to know how you enable mdc. Do I tell the customer to force mdc > or is that controlled from my side, automatic controlled depending on what > cipher method I use? > We run GPG version 1.4.9 and customer PGP 7.1 Note that the message you see is just a warning. It does not affect decryption - it's just telling you that the sender didn't protect the message. There are several ways to enable MDC. The most common way is a flag on your key that instructs the customer's PGP to enable MDC (i.e. "I can handle MDC, so you're free to use it"). So the first thing you should do is check your key to see if it has the MDC flag on it. To do this, run: gpg --edit-key (yourkey) and enter "showpref" at the prompt. The final line is "Features". If "MDC" is on that line, then you have the MDC flag, and anyone communicating with you should use a MDC if they support it. That said, I see that your customer is using PGP 7.1, which is incredibly old at this point. 
I don't recall offhand if it supports MDC or not (I have a vague recollection that PGP only started supporting it in PGP 8 - which is itself very old at this point). If your key has the MDC flag, then the problem is most likely that the customer's PGP doesn't support MDC. Since you probably can't upgrade the customer, you can use the --no-mdc-warning on your side. This doesn't change the fact that the message you got isn't protected, but does prevent the warning from being printed. David
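
The warning discussed in the message above is tied to the packet type of the encrypted body: RFC 4880 defines tag 9 (Symmetrically Encrypted Data, no MDC) and tag 18 (Symmetrically Encrypted Integrity Protected Data, which ends in an MDC). The following Python code is an added example, not part of the original thread or of GnuPG; it walks the top-level packet headers of a binary OpenPGP message (RFC 4880 section 4.2) and reports which of the two a sender used. The sample messages are constructed placeholders with zero-filled bodies, not real ciphertext.

```python
"""Report whether a binary OpenPGP message carries an MDC (RFC 4880 tags)."""

TAG_PKESK = 1    # Public-Key Encrypted Session Key
TAG_SED = 9      # Symmetrically Encrypted Data: no integrity protection
TAG_SEIPD = 18   # Sym. Encrypted Integrity Protected Data: ends in an MDC


def _new_format_length(data, pos):
    """Decode one new-format length; return (length, next_pos, is_partial)."""
    first = data[pos]
    if first < 192:                                  # one-octet length
        return first, pos + 1, False
    if first < 224:                                  # two-octet length
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if first == 255:                                 # four-octet length
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True        # partial body chunk


def packet_tags(data):
    """Return the tags of the top-level packets in a binary OpenPGP message."""
    tags, pos = [], 0
    try:
        while pos < len(data):
            ctb = data[pos]
            if not ctb & 0x80:
                raise ValueError("offset %d is not a packet header "
                                 "(ASCII-armored input?)" % pos)
            pos += 1
            if ctb & 0x40:                           # new-format header
                tag = ctb & 0x3F
                partial = True
                while partial:                       # skip every partial chunk
                    length, pos, partial = _new_format_length(data, pos)
                    pos += length
            else:                                    # old-format header
                tag = (ctb >> 2) & 0x0F
                length_type = ctb & 0x03
                if length_type == 3:                 # indeterminate: to end of input
                    pos = len(data)
                else:
                    size = 1 << length_type          # 1, 2 or 4 length octets
                    pos += size + int.from_bytes(data[pos:pos + size], "big")
            if pos > len(data):
                raise ValueError("truncated packet with tag %d" % tag)
            tags.append(tag)
    except IndexError:
        raise ValueError("truncated packet header") from None
    return tags


def integrity_status(data):
    """Classify a message by the encrypted-data packet it contains."""
    tags = packet_tags(data)
    if TAG_SEIPD in tags:
        return "integrity protected (tag 18, MDC present)"
    if TAG_SED in tags:
        return "not integrity protected (tag 9, no MDC)"
    return "no encrypted data packet found"


# Constructed samples: a 4-octet placeholder session-key packet, then the body.
_PKESK = bytes([0x85, 0x00, 0x04]) + bytes(4)             # old format, tag 1
LEGACY_SAMPLE = _PKESK + bytes([0xA4, 0x05]) + bytes(5)   # old format, tag 9
MODERN_SAMPLE = _PKESK + bytes([0xD2, 0x06, 0x01]) + bytes(5)  # tag 18, version 1
# Tag 18 body sent as a 512-octet partial chunk followed by a final 3 octets.
PARTIAL_SAMPLE = bytes([0xD2, 0xE9]) + bytes(512) + bytes([0x03]) + bytes(3)

if __name__ == "__main__":
    for name in ("LEGACY_SAMPLE", "MODERN_SAMPLE", "PARTIAL_SAMPLE"):
        print(name, "->", integrity_status(globals()[name]))
```

ASCII-armored input has to be converted to binary first (for example with `gpg --dearmor`); `gpg --list-packets` shows the same packet types for a real message.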