From vallee.aurelien at gmail.com Wed Jun 1 10:56:35 2016 From: vallee.aurelien at gmail.com (=?UTF-8?B?QXVyw6lsaWVuIFZhbGzDqWU=?=) Date: Wed, 1 Jun 2016 10:56:35 +0200 Subject: Automating the generation of master keys Message-ID: Hello, I would like to automate the generation of GPG master keys (I have hundreds of smartcards to configure for employees). I'm using the default GPG from CentOS 7 (gnupg 2.0.22). Ideally, I would like to have: - 1 masterkey with only the "certify" usage, stored offline. - 1 subkey with only "encryption" usage, backuped offline, imported on the smartcard. - 1 subkey with only "authenticate" usage, generated on the smartcard. - 1 subkey with only "sign" usage, generated on the smartcard. I guess this is a rather regular setup. Now my users are not super tech-savvy, so ideally I would like to generate the initial keys and configure the smart card before giving them. I first tried to generate the master keys using the batch mode, but I can't find a way to generate master keys with only "certify" usage. Quoting the documentation: Key-Usage: usage-list Space or comma delimited list of key usages. Allowed values are ?encrypt?, > ?sign?, and ?auth?. This is used to generate the key flags. Please make sure that the algorithm > is capable of this usage. Note that OpenPGP requires that all primary keys > are capable of certification, so no matter what usage is given here, the > ?cert? flag will be on. If no ?Key-Usage? is specified and the ?Key-Type? > is not ?default?, all allowed usages for that particular algorithm are > used; if it is not given but ?default? is used the usage will be ?sign?. So "cert" is a default for primary-keys. If I do not provide any "Key-Usage", all usages will be set. If I do provide a "Key-Usage", then my master key is not "certify only" anymore. Is there something I missed here? Currently, I fallback to writing an expect script to automate the key generation. The handling of passphrases input with possibly different pinentry programs makes the expect script insane to read and fragile in practice. Any help or advice greatly appreciated! Cheers, Aurelien -------------- next part -------------- An HTML attachment was scrubbed... URL: From dashohoxha at gmail.com Wed Jun 1 12:47:31 2016 From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Wed, 1 Jun 2016 12:47:31 +0200 Subject: Automating the generation of master keys In-Reply-To: References: Message-ID: On Wed, Jun 1, 2016 at 10:56 AM, Aur?lien Vall?e wrote: > > So "cert" is a default for primary-keys. If I do not provide any > "Key-Usage", all usages will be set. If I do provide a "Key-Usage", then my > master key is not "certify only" anymore. > I think that certify and sign are very similar, so it doesn't hurt if the primary key is both "cert" and "sign". I do it in batch mode like this: - https://github.com/dashohoxha/egpg/blob/gnupg-2.0/src/cmd/key/gen.sh#L42 Anyway, I generate a sign-only subkey later, and gnupg-2.0 picks by default the latest sign subkey, when it comes to signing, so the primary key normally will not be used for signing (which is what you want). > Currently, I fallback to writing an expect script to automate the key > generation. The handling of passphrases input with possibly different > pinentry programs makes the expect script insane to read and fragile in > practice. > I use the script above for automatic (batch) key generation. If you don't mind, can you share your expect script? Regards, Dashamir -------------- next part -------------- An HTML attachment was scrubbed... URL: From 2014-667rhzu3dc-lists-groups at riseup.net Wed Jun 1 13:39:02 2016 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Wed, 1 Jun 2016 12:39:02 +0100 Subject: Keyserver lookup failure Message-ID: <78679581.20160601123902@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 I am running GnuPG 2.1.2 on Windows 10, using the pre-compiled binaries. Keyserver lookup keeps failing for me as follows:- >gpg -v --keyserver hkp://pool.sks-keyservers.net --recv-key 0x251BCCEB547B7194 gpg: using character set 'utf-8' gpg: keyserver receive failed: No keyserver available >gpg-connect-agent --dirmngr "keyserver --hosttable" /bye S # hosttable (idx, ipv6, ipv4, dead, name, time): S # 0 d pool.sks-keyservers.net (14m50s) OK I tried pinging pool.sks-keyservers.net:- >ping -6 pool.sks-keyservers.net Pinging pool.sks-keyservers.net [2001:67c:2e80:40:21e:67ff:fe14:69f4] with 32 bytes of data: Reply from 2001:67c:2e80:40:21e:67ff:fe14:69f4: time=22ms Reply from 2001:67c:2e80:40:21e:67ff:fe14:69f4: time=21ms Reply from 2001:67c:2e80:40:21e:67ff:fe14:69f4: time=22ms Reply from 2001:67c:2e80:40:21e:67ff:fe14:69f4: time=21ms Ping statistics for 2001:67c:2e80:40:21e:67ff:fe14:69f4: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 21ms, Maximum = 22ms, Average = 21ms >ping -4 pool.sks-keyservers.net Pinging pool.sks-keyservers.net [176.241.243.15] with 32 bytes of data: Reply from 176.241.243.15: bytes=32 time=45ms TTL=50 Reply from 176.241.243.15: bytes=32 time=45ms TTL=50 Reply from 176.241.243.15: bytes=32 time=44ms TTL=50 Reply from 176.241.243.15: bytes=32 time=44ms TTL=50 Ping statistics for 176.241.243.15: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 44ms, Maximum = 45ms, Average = 44ms Any ideas how to proceed? - -- Best regards MFPA Alcohol and Calculus don't mix. Never drink and derive. -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJXTsleXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwDewIAK9G+bxZL+dUu7fXJN0rih9d 7EISoZgrZ/ybxMPFciOXgHvC476EtZR4DYqowy+Z9bUtNTSGwZ5/LkmzSVm/TG3H gPiRRVloMJWAzCDPLPxRoi0xJ4tPpKt0xr9X8zqhuhMoYVsZkbMLz0/C8fp1/v+r jrd8G7lbmalL5yK7lw5y6Ioc7XY+kZJElbY0xW9Cs7OL6m4lJCMDn5PNhZMALWpi LyZPijBfSwl/YpCf8HhlnmzXzWdDzNT83j9EHQEkh/IwhjmbGpmTJG+QL++xR+KS N6RLwg9akJNk9LHTfznvamLVGQs32ZDTi5SgHNRVonc5Ziz1ivqQi7E8lRC2OhSI vgQBFgoAZgUCV07JbF8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45D5WAP42dMUW3jvaYAJaA7Zxy2m4j3yc I1ndF3yQG8JMBN9+QAD/bOyVITPDGA7tpC6NjSUaLLCsvJ78i4L9DYnJil85RgQ= =pZ5i -----END PGP SIGNATURE----- From brian at minton.name Wed Jun 1 14:34:15 2016 From: brian at minton.name (Brian Minton) Date: Wed, 01 Jun 2016 12:34:15 +0000 Subject: Keyserver lookup failure In-Reply-To: <78679581.20160601123902@riseup.net> References: <78679581.20160601123902@riseup.net> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 That was a known bug in that version. Try the most recent release, 2.1.12. -----BEGIN PGP SIGNATURE----- iIAEAREKACghHEJyaWFuIE1pbnRvbiA8YnJpYW5AbWludG9uLm5hbWU+BQJXTtYM AAoJEGuOs6Blz7qpUSEA/1eOzIohTnrAEA2RMIWbRpjeqYAuuoptzBK9zT2D8kNC AP9WO0ubiiHcMXa5sIGiYiHPGHI6DWPi8fj1Gq1uHyxUQQ== =o0DU -----END PGP SIGNATURE----- -------------- next part -------------- An HTML attachment was scrubbed... URL: From 2014-667rhzu3dc-lists-groups at riseup.net Wed Jun 1 16:38:04 2016 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Wed, 1 Jun 2016 15:38:04 +0100 Subject: Keyserver lookup failure In-Reply-To: References: <78679581.20160601123902@riseup.net> Message-ID: <415961366.20160601153804@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Wednesday 1 June 2016 at 1:34:15 PM, in , Brian Minton wrote: > That was a known bug in that version. > Try the most recent release, 2.1.12. Oops. That was a typo; I am using version 2.1.12. - -- Best regards MFPA All generalisations are dangerous, even this one. -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJXTvNfXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwiMoH/i5mR46MmmAItGQT9feLFKec IX1m8CUCyIeASRKk0gqRKSg1rz1HmPzQy064yO16Xa9UfJa1gXVZKPSdFz5aXh+m h9FUmSB250/K75MuTL7MHHH5eV2q+AIXkvCUxNysGJ655WCozXSXU1sZHXxketkZ fGtVQofZKs29j36jIIprOI7p7Iil/maWg5HMXJphnWkB9Gn2izx30Z/SNiQUQ4ez n4N6FNmbj0kSDlHwMfeMXRK+Dh3EnOI9lF1354tdWeoFXEzkO/VFHFsV9ffQ/llW Dzi8ZOLtmdXj8sqt1czU82BxgmzRSsAS9/STSEroZGirvONSrk6G1ggrADVp+GmI vgQBFgoAZgUCV07zaF8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45GeyAP9sHGMK+jXlH8MX230nNMoeViHZ oukw75A5E5zlgWsYTgEA9BVCWwA835WWxggAe54A1sXr+oKfpkye/2JtakljXA8= =yvB7 -----END PGP SIGNATURE----- From kristian.fiskerstrand at sumptuouscapital.com Wed Jun 1 18:31:30 2016 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Wed, 1 Jun 2016 18:31:30 +0200 Subject: Keyserver lookup failure In-Reply-To: <78679581.20160601123902@riseup.net> References: <78679581.20160601123902@riseup.net> Message-ID: <59e4f8b7-28b9-dddd-f0cf-a2a7ba4b479c@sumptuouscapital.com> On 06/01/2016 01:39 PM, MFPA wrote: > > I am running GnuPG 2.1.2 on Windows 10, using the pre-compiled > binaries. Keyserver lookup keeps failing for me as follows:- > >> gpg -v --keyserver hkp://pool.sks-keyservers.net --recv-key 0x251BCCEB547B7194 > gpg: using character set 'utf-8' > gpg: keyserver receive failed: No keyserver available what is the dig +trace output and any firewall blocking port 11371 anywhere? -- ---------------------------- Kristian Fiskerstrand Blog: https://blog.sumptuouscapital.com Twitter: @krifisk ---------------------------- Public OpenPGP certificate at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 ---------------------------- "Excellence is not a singular act but a habit. You are what you do repeatedly." (Shaquille O'Neal) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Wed Jun 1 19:46:36 2016 From: wk at gnupg.org (Werner Koch) Date: Wed, 01 Jun 2016 19:46:36 +0200 Subject: Automating the generation of master keys In-Reply-To: (Dashamir Hoxha's message of "Wed, 1 Jun 2016 12:47:31 +0200") References: Message-ID: <87mvn4u7ib.fsf@wheatstone.g10code.de> On Wed, 1 Jun 2016 12:47, dashohoxha at gmail.com said: > I do it in batch mode like this: > - https://github.com/dashohoxha/egpg/blob/gnupg-2.0/src/cmd/key/gen.sh#L42 Take care: --8<---------------cut here---------------start------------->8--- local commands="addkey|4|4096|1m|addkey|6|4096|1m|save" commands=$(echo "$commands" | tr '|' "\n") script -c "gpg --batch --command-fd=0 --edit-key $GPG_KEY <<< \"$commands\"" /dev/null >/dev/null while [[ -n $(ps ax | grep -e '--edit-key' | grep -v grep) ]]; do sleep 0.5; done --8<---------------cut here---------------end--------------->8--- You can't use gpg this way - it does only work with a certain version and build if GnuPG. Canned commands too fragile to use - you need to process the output of --status-fd and act accordingly. ps ax | grep -e '--edit-key' | grep -v grep does not work either because you assume that there is only one gpg command running (actually any process with a string '--edit-key'). BTW, Unix people use this trick to avoid the inverse grep: grep -e '--edit-ke[y]' Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. /* EFH in Erkrath: https://alt-hochdahl.de/haus */ From peter at digitalbrains.com Wed Jun 1 21:19:18 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Wed, 1 Jun 2016 21:19:18 +0200 Subject: Automating the generation of master keys In-Reply-To: <87mvn4u7ib.fsf@wheatstone.g10code.de> References: <87mvn4u7ib.fsf@wheatstone.g10code.de> Message-ID: <574F3536.6060700@digitalbrains.com> On 01/06/16 19:46, Werner Koch wrote: > ps ax | grep -e '--edit-key' | grep -v grep > > does not work either because you assume that there is only one gpg > command running (actually any process with a string '--edit-key'). ... from any user. That seems odd? Why's the 'a' part of the ps invocation? Do you perhaps have the same affliction as I, in that when my fingers type "ps " they invariably append "fax" and press Enter before I have a chance to think whether I want my processes only? :-) Anyway, apart from the in this case entirely useful BSD-style ps behaviour of by default listing only processes from the owner, pgrep seems to be the even more compact option here. The only thing is that pgrep does not provide an option to say "the owner" other than naming the user. Something like: while pgrep -cfxu "$USER" "gpg --batch --command-fd=0 --edit-key $GPG_KEY" >/dev/null; do sleep 0.5; done seems a more logical choice. I couldn't test it though, as I couldn't reproduce the gpg process outliving the invocation. By the time it gets to the wait loop, it has already finished. I did use GnuPG 2.1.11 for it, but it still puzzles me why 2.0 would outlive the invocation. Do note it is all academical because Werner just said "you can't use gpg this way", which kind of defeats the purpose of the pgrep altogether. Oh, when I say pgrep is more compact, that's because the equivalent of the ps ax | ... etcetera invocation seems to be: while pgrep -c -- --edit-key >/dev/null; do It is a pity pgrep doesn't provide an option for silence. > BTW, Unix people use this trick to avoid the inverse grep: > > grep -e '--edit-ke[y]' A very useful little trick, but pgrep does it automatically, so in the cases where pgrep is the more logical choice than grep, it is not needed. HTH, Peter. PS: Talking about never learning about command-line invocation of a tool... ps, sheesh... I think I just know three: $ ps fax $ ps fx $ ps -fp 1 `pgrep blah` (the latter has the init process in there because I don't like it erroring out when pgrep turns up empty-handed) -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From vallee.aurelien at gmail.com Wed Jun 1 21:20:26 2016 From: vallee.aurelien at gmail.com (=?UTF-8?B?QXVyw6lsaWVuIFZhbGzDqWU=?=) Date: Wed, 1 Jun 2016 21:20:26 +0200 Subject: Automating the generation of master keys In-Reply-To: <87mvn4u7ib.fsf@wheatstone.g10code.de> References: <87mvn4u7ib.fsf@wheatstone.g10code.de> Message-ID: Okay, so I did try to add the sign usage to the master-key. That works well and avoids the use of expect for generating the keys. But the problem of pinentry still kind of happens everywhere: --passphrase is now ignored when not in batch mode in gpg2, which means there is no way to provide a passphrase programmatically when using --edit-key ... On Wed, Jun 1, 2016 at 7:46 PM, Werner Koch wrote: > On Wed, 1 Jun 2016 12:47, dashohoxha at gmail.com said: > > > I do it in batch mode like this: > > - > https://github.com/dashohoxha/egpg/blob/gnupg-2.0/src/cmd/key/gen.sh#L42 > > Take care: > > --8<---------------cut here---------------start------------->8--- > local commands="addkey|4|4096|1m|addkey|6|4096|1m|save" > commands=$(echo "$commands" | tr '|' "\n") > script -c "gpg --batch --command-fd=0 --edit-key $GPG_KEY <<< > \"$commands\"" /dev/null >/dev/null > while [[ -n $(ps ax | grep -e '--edit-key' | grep -v grep) ]]; do sleep > 0.5; done > --8<---------------cut here---------------end--------------->8--- > > You can't use gpg this way - it does only work with a certain version > and build if GnuPG. Canned commands too fragile to use - you need to > process the output of --status-fd and act accordingly. > > ps ax | grep -e '--edit-key' | grep -v grep > > does not work either because you assume that there is only one gpg > command running (actually any process with a string '--edit-key'). > > BTW, Unix people use this trick to avoid the inverse grep: > > grep -e '--edit-ke[y]' > > > > Shalom-Salam, > > Werner > > -- > Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. > /* EFH in Erkrath: https://alt-hochdahl.de/haus */ > > -- Aur?lien Vall?e Phone +33 9 77 19 85 61 -------------- next part -------------- An HTML attachment was scrubbed... URL: From mls at bjoern-kahl.de Wed Jun 1 21:36:03 2016 From: mls at bjoern-kahl.de (Bjoern Kahl) Date: Wed, 1 Jun 2016 21:36:03 +0200 Subject: Configuration hints for using gnupg (2.0.x) interchangeably with graphical frontend and in the terminal Message-ID: Dear All, I am looking for hints or best practices to seamlessly mix use of GnuPG in the terminal and with frontends, in my case Enigmail in Thunderbird. I am on MacOS X (10.9.5 "Mavericks") with GnuPG installed through MacPorts as my main machine and also quite often logged into other Macs and other Linux boxes using SSH, coming from that main Mac. Problem: I quite often use gpg through Enigmail and also regularly use it in the terminal or when remotely logged into a box using ssh. Currently, whenever Enigmail needs a passphrase, it throws up a popup window (actually, it runs gpg, which runs the agent, which runs pinentry-mac, which throws up the window) _somewhere_: sometimes on the screen I am looking at, sometimes on another physical screen, sometimes hidden behind other windows, sometimes in the front. When using gpg in the terminal originally the same happened: Some random window popping up at some random spot on some random monitor. Even worse, when logging in through SSH, it throw up a pin entry window on the locked graphical session idling on the remote machine instead of in the terminal I am working in. Partial solution tried: I created a second gpg-agent.conf named "gpg-agent-term.conf" and configured the first to run pinentry-mac and the latter to run pinentry-curses. _Usually_ Enigmail/Thunderbird picks the first one and pops up its passphrase dialogue on one of my physical screens (I have no idea how it decides which one). If (and only if) I remember to explicitly start an agent with the second configuration, then gpg running in the terminal ask for my passphrase in that terminal. But *only* in that terminal. If I run gpg in another terminal, I either get the pinentry-mac (i.e. I forgot to set GPG_AGENT_INFO to the running "terminal-config" agent), or it asks me in that other terminal. On an average day, I have about 10 shell running in parallel, partly in terminal windows, partly in "screen" sessions in a single terminal window. Searching through all my shells where the passphrase dialogue appeared is annoying. However, when I start an agent with the second configuration, before starting Thunderbird, then Enigmail ask me for a passphrase in the terminal where I started that agent. Questions: How can I configure gpg and the agent such that: - Whenever I run gpg in a terminal, it will ask me for my passphrase in exactly that terminal where I am interacting with it and expect the prompt? I.e. on that TTY that is the controlling TTY of the gpg process I am interacting with? - Is there a way to have a single agent (with a single config file, so I can start it at first login and have it available in all terminals/shells and programs (e.g. Thunderbird) started from there) but still a graphical passphrase in programs which (no longer) have StdIn connected to a terminal or don't have a controlling TTY; and have a plain prompt in the terminal for programs that run in a terminal? I seriously doubt that there is any way to get back the just perfect behaviour of the old GnuPG 1.x where Enigmail would show a blocking dialogue attached to exactly that Thunderbird window where I was signing or decrypting a message. But I hope there is at least a way to get the terminal version to prompt for the passphrase in the one spot where it makes sense: the TTY it is running in. Sorry for the long mail, and thanks for reading all this. I tried to be precise on what my problem is and failed to be concise in the same time. Best regards Bj?rn -- | Bjoern Kahl +++ Siegburg +++ Germany | | "mls at -my-domain-" +++ www.bjoern-kahl.de | | Languages: German, English, Ancient Latin (a bit :-)) | From peter at digitalbrains.com Wed Jun 1 21:40:29 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Wed, 1 Jun 2016 21:40:29 +0200 Subject: Automating the generation of master keys In-Reply-To: References: <87mvn4u7ib.fsf@wheatstone.g10code.de> Message-ID: <574F3A2D.5040806@digitalbrains.com> On 01/06/16 21:20, Aur?lien Vall?e wrote: > Okay, so I did try to add the sign usage to the master-key. That works > well and avoids the use of expect for generating the keys. I think it's still an odd limitation of the Key-Usage: option that you cannot generate a master key without optional usages. Either "none" or "certify" would be a good option to have, where I regard "certify" definitely the prettier way to phrase it. Then Key-Usage: sign would do Sign, Certify for a primary key, implicitly adding certify. And Key-Usage: certify would do just Certify for a primary key. > But the problem of pinentry still kind of happens everywhere: > --passphrase is now ignored when not in batch mode in gpg2, which means > there is no way to provide a passphrase programmatically when using > --edit-key ... Disclaimer: I know very little of programmatic use of GnuPG. Is it an option to upgrade your GnuPG to 2.1? I think it provides for a less bumpy ride with the pinentry loopback. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From dashohoxha at gmail.com Wed Jun 1 21:48:15 2016 From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Wed, 1 Jun 2016 21:48:15 +0200 Subject: Automating the generation of master keys In-Reply-To: <87mvn4u7ib.fsf@wheatstone.g10code.de> References: <87mvn4u7ib.fsf@wheatstone.g10code.de> Message-ID: On Wed, Jun 1, 2016 at 7:46 PM, Werner Koch wrote: > > --8<---------------cut here---------------start------------->8--- > local commands="addkey|4|4096|1m|addkey|6|4096|1m|save" > commands=$(echo "$commands" | tr '|' "\n") > script -c "gpg --batch --command-fd=0 --edit-key $GPG_KEY <<< > \"$commands\"" /dev/null >/dev/null > while [[ -n $(ps ax | grep -e '--edit-key' | grep -v grep) ]]; do sleep > 0.5; done > --8<---------------cut here---------------end--------------->8--- > > You can't use gpg this way - it does only work with a certain version > You are right, it only works with gnupg-2.0. For gnupg-2.1.11 the tricks above do not work and I had to change the script: - https://github.com/dashohoxha/egpg/blob/gnupg-2.1/src/cmd/key/gen.sh I don't remember exactly why they didn't work, but I think that in gnupg-2.1 the pinentry is used more frequently and I couldn't find any way to send data to it from stdin. I wish that the batch mode was more pervasive in gpg2, so that my scripts could do the interaction with the user and then just use gpg2 in batch mode to get the job done. > and build if GnuPG. Canned commands too fragile to use - you need to > process the output of --status-fd and act accordingly. > I couldn't find out how to use --status-fd properly, and maybe using it would make the logic of the scripts more complex, because my script would have to take care of all the possible outputs of --status-fd, in all the possible cases. > ps ax | grep -e '--edit-key' | grep -v grep > > does not work either because you assume that there is only one gpg > command running (actually any process with a string '--edit-key'). > I agree, this is a stupid trick. Dashamir -------------- next part -------------- An HTML attachment was scrubbed... URL: From dashohoxha at gmail.com Wed Jun 1 21:53:36 2016 From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Wed, 1 Jun 2016 21:53:36 +0200 Subject: Automating the generation of master keys In-Reply-To: <574F3A2D.5040806@digitalbrains.com> References: <87mvn4u7ib.fsf@wheatstone.g10code.de> <574F3A2D.5040806@digitalbrains.com> Message-ID: On Wed, Jun 1, 2016 at 9:40 PM, Peter Lebbing wrote: > > Is it an option to upgrade your GnuPG to 2.1? I think it provides for a > less bumpy ride with the pinentry loopback. > I couldn't make "pinentry loopback" work in 2.1.11, so, to be sure, try to upgrade to 2.1.12 where it may work better. -------------- next part -------------- An HTML attachment was scrubbed... URL: From cs15d008 at smail.iitm.ac.in Wed Jun 1 17:44:16 2016 From: cs15d008 at smail.iitm.ac.in (DODDI ANTHONY BALARAJU cs15d008) Date: Wed, 1 Jun 2016 21:14:16 +0530 Subject: secret key not available Message-ID: hI, I'm new to this GPG usage. I dont need any internals. I am running a shell script in which following line causes error : gpg --yes --sign message.txt It shows the following error: gpg: no default secret key: secret key not available gpg: signing failed: secret key not available How can I solve this error, without modifying the command? (do I need to change any settings). I am using gpg version (GnuPG) 1.4.16 >which gpg is giving the output /usr/bin/gpg I Tried with --default-key Still it dint work!! Any suggestion to get past this error will be greatly helpful. Thank you -------------- next part -------------- An HTML attachment was scrubbed... URL: From dkg at fifthhorseman.net Wed Jun 1 22:36:42 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 01 Jun 2016 16:36:42 -0400 Subject: secret key not available In-Reply-To: References: Message-ID: <87r3cgsl2d.fsf@alice.fifthhorseman.net> On Wed 2016-06-01 11:44:16 -0400, DODDI ANTHONY BALARAJU cs15d008 wrote: > > I'm new to this GPG usage. I dont need any internals. I am running a shell > script in which following line causes error : > > gpg --yes --sign message.txt > > It shows the following error: > > gpg: no default secret key: secret key not available > gpg: signing failed: secret key not available > > How can I solve this error, without modifying the command? (do I need to > change any settings). I am using gpg version (GnuPG) 1.4.16 > >>which gpg > > is giving the output > > /usr/bin/gpg > > I Tried with --default-key > > Still it dint work!! > > Any suggestion to get past this error will be greatly helpful. You don't mention whether you have any secret keys available. What do you get by running: gpg --list-options show-usage --list-secret-keys Are there any signing-capable secret keys listed? --dkg From juanmi.3000 at gmail.com Wed Jun 1 22:24:16 2016 From: juanmi.3000 at gmail.com (=?UTF-8?Q?Juan_Miguel_Navarro_Mart=c3=adnez?=) Date: Wed, 1 Jun 2016 22:24:16 +0200 Subject: secret key not available In-Reply-To: References: Message-ID: <574F4470.50707@gmail.com> What's the output of `gpg -K`? El 01/06/16 a las 17:44, DODDI ANTHONY BALARAJU cs15d008 escribi?: > hI, > > > > I'm new to this GPG usage. I dont need any internals. I am running a > shell script in which following line causes error : > > |gpg --yes --sign message.txt | > > It shows the following error: > > |gpg: no default secret key: secret key not available gpg: signing > failed: secret key not available | > > How can I solve this error, without modifying the command? (do I need to > change any settings). I am using gpg version (GnuPG) 1.4.16 > > |>which gpg | > > is giving the output > > |/usr/bin/gpg > > | > > |I Tried with --default-key > | > > |Still it dint work!! > > | > > Any suggestion to get past this error will be greatly helpful. > > Thank you > > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -- Juan Miguel Navarro Mart?nez GPG Keyfingerprint: 5A91 90D4 CF27 9D52 D62A BC58 88E2 947F 9BC6 B3CF From jonas.hedman at fripost.org Wed Jun 1 22:19:10 2016 From: jonas.hedman at fripost.org (Jonas Hedman) Date: Wed, 1 Jun 2016 22:19:10 +0200 Subject: secret key not available In-Reply-To: References: Message-ID: <20160601201910.GB1540@bruce> On 16-06-01 21:14:16, DODDI ANTHONY BALARAJU cs15d008 wrote: > hI, > > > I'm new to this GPG usage. I dont need any internals. I am running a shell > script in which following line causes error : > > gpg --yes --sign message.txt > > It shows the following error: > > gpg: no default secret key: secret key not available > gpg: signing failed: secret key not available > > How can I solve this error, without modifying the command? (do I need to > change any settings). I am using gpg version (GnuPG) 1.4.16 > > >which gpg > > is giving the output > > /usr/bin/gpg > > I Tried with --default-key > > Still it dint work!! > > Any suggestion to get past this error will be greatly helpful. > > Thank you Did you generate a key? (gpg --gen-key) -- Jonas Hedman XMPP: nstr at nstr.se PGP Key: 0x5c3989e0616bb08c Fingerprint: 8F72 C5BE AAFA B4BA 8F46 9185 5C39 89E0 616B B08C -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: Digital signature URL: From 2014-667rhzu3dc-lists-groups at riseup.net Thu Jun 2 04:43:10 2016 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Thu, 2 Jun 2016 03:43:10 +0100 Subject: Keyserver lookup failure In-Reply-To: <59e4f8b7-28b9-dddd-f0cf-a2a7ba4b479c@sumptuouscapital.com> References: <78679581.20160601123902@riseup.net> <59e4f8b7-28b9-dddd-f0cf-a2a7ba4b479c@sumptuouscapital.com> Message-ID: <138546192.20160602034310@riseup.net> Hi On Wednesday 1 June 2016 at 5:31:30 PM, in , Kristian Fiskerstrand wrote: > what is the dig +trace output and any firewall > blocking port 11371 anywhere? Thanks for replying. Port 11371 is not blocked:- I can reach a keyserver's web interface in my browser at . I can connect to . The gpg --recv-key command works if I use GnuPG version 1.4.18, and one of the lines of output is "gpgkeys: HTTP URL is`http:/ /pool.sks-keyservers.net:11371/pks/lookup?op=get&options=mr& search=0x251BCCEB547B7194'". As for dig +trace, I am using Windows and don't have it. The dig web interface at gives me:- pool.sks-keyservers.net at 8.8.4.4 (Default): dig A +noadditional +noquestion +nocomments +nocmd +nostats +trace pool.sks-keyservers.net. @8.8.4.4 . 4154 IN NS a.root-servers.net. . 4154 IN NS b.root-servers.net. . 4154 IN NS c.root-servers.net. . 4154 IN NS d.root-servers.net. . 4154 IN NS e.root-servers.net. . 4154 IN NS f.root-servers.net. . 4154 IN NS g.root-servers.net. . 4154 IN NS h.root-servers.net. . 4154 IN NS i.root-servers.net. . 4154 IN NS j.root-servers.net. . 4154 IN NS k.root-servers.net. . 4154 IN NS l.root-servers.net. . 4154 IN NS m.root-servers.net. ;; Received 228 bytes from 8.8.4.4#53(8.8.4.4) in 37 ms net. 172800 IN NS a.gtld-servers.net. net. 172800 IN NS b.gtld-servers.net. net. 172800 IN NS c.gtld-servers.net. net. 172800 IN NS d.gtld-servers.net. net. 172800 IN NS e.gtld-servers.net. net. 172800 IN NS f.gtld-servers.net. net. 172800 IN NS g.gtld-servers.net. net. 172800 IN NS h.gtld-servers.net. net. 172800 IN NS i.gtld-servers.net. net. 172800 IN NS j.gtld-servers.net. net. 172800 IN NS k.gtld-servers.net. net. 172800 IN NS l.gtld-servers.net. net. 172800 IN NS m.gtld-servers.net. ;; Received 510 bytes from 199.7.83.42#53(199.7.83.42) in 25 ms sks-keyservers.net. 172800 IN NS ns2.kfwebs.net. sks-keyservers.net. 172800 IN NS ns2.sks-keyservers.net. sks-keyservers.net. 172800 IN NS ns6.sks-keyservers.net. sks-keyservers.net. 172800 IN NS ns9.sks-keyservers.net. sks-keyservers.net. 172800 IN NS ns13.sks-keyservers.net. ;; Received 359 bytes from 192.42.93.30#53(192.42.93.30) in 450 ms pool.sks-keyservers.net. 60 IN A 46.4.212.178 pool.sks-keyservers.net. 60 IN A 78.47.176.74 pool.sks-keyservers.net. 60 IN A 84.200.66.125 pool.sks-keyservers.net. 60 IN A 95.89.12.215 pool.sks-keyservers.net. 60 IN A 104.131.30.118 pool.sks-keyservers.net. 60 IN A 188.40.206.8 pool.sks-keyservers.net. 60 IN A 206.176.170.195 pool.sks-keyservers.net. 60 IN A 5.135.158.148 pool.sks-keyservers.net. 60 IN A 37.59.213.225 pool.sks-keyservers.net. 60 IN A 37.97.129.189 sks-keyservers.net. 60 IN NS ns13.sks-keyservers.net. sks-keyservers.net. 60 IN NS ns7.sks-keyservers.net. sks-keyservers.net. 60 IN NS ns2.sks-keyservers.net. sks-keyservers.net. 60 IN NS ns9.sks-keyservers.net. sks-keyservers.net. 60 IN NS ns6.sks-keyservers.net. sks-keyservers.net. 60 IN NS ns12.sks-keyservers.net. sks-keyservers.net. 60 IN NS ns1.kfwebs.net. sks-keyservers.net. 60 IN NS ns2.kfwebs.net. sks-keyservers.net. 60 IN NS ns10.sks-keyservers.net. ;; Received 493 bytes from 199.74.220.4#53(199.74.220.4) in 22 ms "nslookup pool.sks-keyservers.net" gives me:- Non-authoritative answer: Name: pool.sks-keyservers.net Addresses: 2a01:4f8:150:7142::2 87.106.9.235 2001:980:53c0:1:46a:efff:fecf:701b 2001:41d0:2:3979:4f56:862a:d056:11c9 2001:41d0:2:a8b4::10 2001:41d0:8:d894::1 2604:a880:800:10::163:b001 2a01:4a0:59:1000:223:9eff:fe00:100f 2a01:7a0:1::6 2a03:b0c0:1:d0::fc:e001 104.131.30.118 5.9.50.141 37.191.220.247 83.160.105.236 85.119.82.209 85.143.112.59 92.43.111.21 144.76.9.122 176.9.146.20 208.89.139.251 "tracert -4 pool.sks-keyservers.net" gives, for example:- Tracing route to pool.sks-keyservers.net [176.241.243.15] over a maximum of 30 hops: 1 1 ms <1 ms <1 ms dsldevice.lan [IP ADDRESS REDACTED] 2 9 ms 9 ms 8 ms a.gormless.thn.aa.net.uk [90.155.53.51] 3 9 ms 9 ms 9 ms a.needless.tch.aa.net.uk [90.155.53.11] 4 10 ms 10 ms 11 ms 82.112.115.177 5 10 ms 10 ms 10 ms ae-13.r02.londen03.uk.bb.gin.ntt.net [129.250.2.118] 6 16 ms 17 ms 16 ms be3028.ccr21.lon02.atlas.cogentco.com [130.117.14.101] 7 17 ms 16 ms 18 ms be2791.ccr41.lon13.atlas.cogentco.com [154.54.56.77] 8 23 ms 23 ms 22 ms be12194.ccr41.ams03.atlas.cogentco.com [154.54.56.94] 9 31 ms 32 ms 31 ms be2815.ccr41.ham01.atlas.cogentco.com [154.54.38.206] 10 45 ms 44 ms 46 ms be2252.ccr21.waw01.atlas.cogentco.com [154.54.60.254] 11 44 ms 44 ms 44 ms be2882.rcr21.b016833-0.waw01.atlas.cogentco.com [154.54.59.38] 12 78 ms 245 ms 207 ms 149.11.6.230 13 45 ms 44 ms 44 ms host-80-238-113-202.jmdi.pl [80.238.113.202] 14 45 ms 44 ms 44 ms hell.kolosowscy.pl [176.241.243.15] Trace complete. Tracing route to pool.sks-keyservers.net [37.59.213.225] over a maximum of 30 hops: 1 1 ms <1 ms 1 ms dsldevice.lan [IP ADDRESS REDACTED] 2 9 ms 8 ms 8 ms a.gormless.thn.aa.net.uk [90.155.53.51] 3 9 ms 9 ms 9 ms a.aimless.thn.aa.net.uk [90.155.53.41] 4 * * * Request timed out. 5 13 ms 13 ms 13 ms be11-1188.rbx-g2-a9.fr.eu [91.121.128.88] 6 103 ms 57 ms 14 ms po3.vss-2-6k.routers.ovh.net [91.121.131.89] 7 13 ms 13 ms 13 ms x1.f2tec.de [94.23.210.194] 8 13 ms 13 ms 13 ms web.okoyono.de [37.59.213.225] Trace complete. "tracert -6 pool.sks-keyservers.net" gives, for example:- Tracing route to pool.sks-keyservers.net [2001:6f8:1c3c:babe::62:1] over a maximum of 30 hops: 1 1 ms 1 ms 1 ms dsldevice.lan [IP ADDRESS REDACTED] 2 9 ms 9 ms 9 ms a.gormless.thn.aa.net.uk [2001:8b0:0:53::51] 3 9 ms 9 ms 9 ms 2001:7f8:4::50e8:1 4 15 ms 15 ms 12 ms pc3.gr10.telon.uk.easynet.net [2001:7f8:4::11ed:1] 5 29 ms 28 ms 29 ms 2001:6f8:1:1:87:86:76:34 6 26 ms 26 ms 26 ms tengige0-0-0-2-112.er0.kgham.nexinto.net [2001:6f8:801:1:0:1a03:c240:812] 7 25 ms 25 ms 25 ms 2001:6f8:891:1::c2e9:c721 8 26 ms 25 ms 25 ms 2001:6f8:891:1::c2e9:c721 9 26 ms 25 ms 25 ms gw-112.ham-02.de.sixxs.net [2001:6f8:1c00:6f::1] 10 35 ms 34 ms 34 ms gpg.spline.inf.fu-berlin.de [2001:6f8:1c3c:babe::62:1] Trace complete. Tracing route to pool.sks-keyservers.net [2001:41d0:2:a8b4::10] over a maximum of 30 hops: 1 <1 ms <1 ms <1 ms dsldevice.lan [IP ADDRESS REDACTED] 2 9 ms 9 ms 9 ms a.gormless.thn.aa.net.uk [2001:8b0:0:53::51] 3 9 ms 9 ms 9 ms 2001:7f8:4::50e8:1 4 * * * Request timed out. 5 13 ms 12 ms 12 ms be10-1194.gra-g2-a9.fr.eu [2001:41d0::292] 6 * * * Request timed out. 7 * * * Request timed out. 8 20 ms 20 ms 20 ms po6.vss-4-6k.routers.ovh.net [2001:41d0::522] 9 20 ms 20 ms 20 ms 2001:41d0:2:a8b4::10 Trace complete. -- Best regards MFPA My mind works like lightning... one brilliant flash and it's gone From wk at gnupg.org Thu Jun 2 07:50:08 2016 From: wk at gnupg.org (Werner Koch) Date: Thu, 02 Jun 2016 07:50:08 +0200 Subject: Automating the generation of master keys In-Reply-To: (Dashamir Hoxha's message of "Wed, 1 Jun 2016 21:48:15 +0200") References: <87mvn4u7ib.fsf@wheatstone.g10code.de> Message-ID: <874m9crvfz.fsf@wheatstone.g10code.de> On Wed, 1 Jun 2016 21:48, dashohoxha at gmail.com said: > I don't remember exactly why they didn't work, but I think that in gnupg-2.1 Because gpg inserts other prompts depending on version and options. > make the logic of the scripts more complex, because my script would have > to take care of all the possible outputs of --status-fd, in all the > possible cases. You need to write a FSM. See gpa/src/gpgmeedit.c for examples. Agreed, this is a bit complex. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. /* EFH in Erkrath: https://alt-hochdahl.de/haus */ From dashohoxha at gmail.com Thu Jun 2 09:19:34 2016 From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Thu, 2 Jun 2016 09:19:34 +0200 Subject: Automating the generation of master keys In-Reply-To: <874m9crvfz.fsf@wheatstone.g10code.de> References: <87mvn4u7ib.fsf@wheatstone.g10code.de> <874m9crvfz.fsf@wheatstone.g10code.de> Message-ID: On Thu, Jun 2, 2016 at 7:50 AM, Werner Koch wrote: > On Wed, 1 Jun 2016 21:48, dashohoxha at gmail.com said: > > > I don't remember exactly why they didn't work, but I think that in > gnupg-2.1 > > Because gpg inserts other prompts depending on version and options. > I tried to change the script to match the version of gnupg, but it didn't work well. I was getting password prompts from pinentry for each subkey that I was adding, and I couldn't manage to automate the interaction with the pinentry. Finally I decided that the interaction was more complex than what I wanted it to be, so I dropped the generation of additional subkeys. Now there is only one main key for cert/sign and a subkey for decryption (these two are generated in batch mode). > You need to write a FSM. See gpa/src/gpgmeedit.c for examples. Agreed, > this is a bit complex. > If I have to answer also the questions "Are you sure you want to do this?" and "This is a weak password, do you really want to use it?", I think that this is more complex than it should be. A simpler interaction would be: this is the action that I want to do and these are the options/parameters, please do it for me. No questions involved, especially no pinentry prompts, and no unneccessary output. A good example of this is the batch mode of key generation. But I know that this is not possible right now. Even if extended batch mode is planed to be implemented, it will not be there before version 2.2 or 3.0 For the time being I am satisfied with what we have. Shalom-Salam, Dashamir -------------- next part -------------- An HTML attachment was scrubbed... URL: From dashohoxha at gmail.com Thu Jun 2 09:51:09 2016 From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Thu, 2 Jun 2016 09:51:09 +0200 Subject: [Announcement] EasyGnuPG 2.1-0.9 Message-ID: Hi, There is a new version of egpg, based on GnuPG-2.1.11 - https://github.com/dashohoxha/egpg - http://dashohoxha.github.io/egpg/gnupg-2.1/man/ Why not based on GnuPG-2.1.12? Because this is not ready yet for Ubuntu (16.04). Maybe I could try to compile it, but I cannot expect the users to compile the latest version of GnuPG, in order to use EasyGnuPG. It makes more sense to use what is already available on Ubuntu out-of-the-box (and this is what users expect). The main changes are: - Adapting scripts to match the version 2.1.11. - Added the command key2dongle (besides key split). - Using a docker container to run the test scripts. Have a look at it if you are curious. If you want to help, can you build a docker container for testing it on CentOS? Cheers, Dashamir -------------- next part -------------- An HTML attachment was scrubbed... URL: From rjh at sixdemonbag.org Thu Jun 2 10:54:28 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 2 Jun 2016 04:54:28 -0400 Subject: [Announcement] EasyGnuPG 2.1-0.9 In-Reply-To: References: Message-ID: <6aa80219-ccf2-d0a8-0cb7-60cb70d0d9fa@sixdemonbag.org> > There is a new version of egpg, based on GnuPG-2.1.11 ... which apparently has not fixed the "it will nuke your hard drive if you have a certain environment variable set" problem I pointed out a month ago. I am not kidding. Use at your own risk. From dashohoxha at gmail.com Thu Jun 2 12:43:22 2016 From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Thu, 2 Jun 2016 12:43:22 +0200 Subject: Stable release of branch 2.1 Message-ID: Hi, How far is the branch 2.1 from a stable release? Is there any roadmap or timeschedule about making a stable release for 2.1? I aksed ubuntu about when they are going to upgrade from 2.1.11 to 2.1.12 and the answer is that they don't upgrade packages on LTS, unless there is a strong reason (which makes sense): https://answers.launchpad.net/ubuntu/+source/gnupg2/+question/294724 Can you help me to convince them that they should upgrade? Or rather they should wait for another release of gnupg, before they upgrade? Thanks, Dashamir -------------- next part -------------- An HTML attachment was scrubbed... URL: From jonas.hedman at fripost.org Thu Jun 2 12:48:17 2016 From: jonas.hedman at fripost.org (Jonas Hedman) Date: Thu, 2 Jun 2016 12:48:17 +0200 Subject: [Announcement] EasyGnuPG 2.1-0.9 In-Reply-To: References: Message-ID: <20160602104817.GA1364@noether> Is this really the right place for such announcements? -- Jonas Hedman XMPP: nstr at nstr.se PGP Key: 0x5c3989e0616bb08c Fingerprint: 8F72 C5BE AAFA B4BA 8F46 9185 5C39 89E0 616B B08C -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: Digital signature URL: From dashohoxha at gmail.com Thu Jun 2 12:48:34 2016 From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Thu, 2 Jun 2016 12:48:34 +0200 Subject: [Announcement] EasyGnuPG 2.1-0.9 In-Reply-To: <6aa80219-ccf2-d0a8-0cb7-60cb70d0d9fa@sixdemonbag.org> References: <6aa80219-ccf2-d0a8-0cb7-60cb70d0d9fa@sixdemonbag.org> Message-ID: On Thu, Jun 2, 2016 at 10:54 AM, Robert J. Hansen wrote: > > There is a new version of egpg, based on GnuPG-2.1.11 > > ... which apparently has not fixed the "it will nuke your hard drive if > you have a certain environment variable set" problem I pointed out a > month ago. > Apparently? I remember fixing that one. What is wrong with this: https://github.com/dashohoxha/egpg/blob/gnupg-2.1/src/egpg.sh#L26-L28 > I am not kidding. Use at your own risk. > Everything GPL-d is "use at your own risk", you know the disclaimer. So, I agree: test it at your own risk and use it at your own risk. -------------- next part -------------- An HTML attachment was scrubbed... URL: From wk at gnupg.org Thu Jun 2 21:47:11 2016 From: wk at gnupg.org (Werner Koch) Date: Thu, 02 Jun 2016 21:47:11 +0200 Subject: Stable release of branch 2.1 In-Reply-To: (Dashamir Hoxha's message of "Thu, 2 Jun 2016 12:43:22 +0200") References: Message-ID: <87fusvqsow.fsf@wheatstone.g10code.de> On Thu, 2 Jun 2016 12:43, dashohoxha at gmail.com said: > How far is the branch 2.1 from a stable release? it is not just stable, but modern! Go and use it. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. /* EFH in Erkrath: https://alt-hochdahl.de/haus */ From vallee.aurelien at gmail.com Thu Jun 2 23:47:54 2016 From: vallee.aurelien at gmail.com (=?UTF-8?B?QXVyw6lsaWVuIFZhbGzDqWU=?=) Date: Thu, 2 Jun 2016 23:47:54 +0200 Subject: Automating the generation of master keys In-Reply-To: References: <87mvn4u7ib.fsf@wheatstone.g10code.de> <874m9crvfz.fsf@wheatstone.g10code.de> Message-ID: So I switched to using GPGME instead of trying to automate GPG. Is there any way to force GPG to use expert mode? I'm having a hard time finding clear option documentation on gpgconf (homedir/gpgconf.conf) and gpg (homedir/gpg.conf) On Thu, Jun 2, 2016 at 9:19 AM, Dashamir Hoxha wrote: > On Thu, Jun 2, 2016 at 7:50 AM, Werner Koch wrote: > >> On Wed, 1 Jun 2016 21:48, dashohoxha at gmail.com said: >> >> > I don't remember exactly why they didn't work, but I think that in >> gnupg-2.1 >> >> Because gpg inserts other prompts depending on version and options. >> > > I tried to change the script to match the version of gnupg, but it didn't > work well. > I was getting password prompts from pinentry for each subkey that I was > adding, and I couldn't manage to automate the interaction with the > pinentry. > Finally I decided that the interaction was more complex than what I wanted > it to be, > so I dropped the generation of additional subkeys. Now there is only one > main key for cert/sign and a subkey for decryption (these two are generated > in batch mode). > > >> You need to write a FSM. See gpa/src/gpgmeedit.c for examples. Agreed, >> this is a bit complex. >> > > If I have to answer also the questions "Are you sure you want to do this?" > and "This is a weak password, do you really want to use it?", I think that > this is more complex than it should be. > A simpler interaction would be: this is the action that I want to do and > these > are the options/parameters, please do it for me. No questions involved, > especially no pinentry prompts, and no unneccessary output. > A good example of this is the batch mode of key generation. > > But I know that this is not possible right now. Even if extended batch mode > is planed to be implemented, it will not be there before version 2.2 or 3.0 > For the time being I am satisfied with what we have. > > Shalom-Salam, > Dashamir > -- Aur?lien Vall?e Phone +33 9 77 19 85 61 -------------- next part -------------- An HTML attachment was scrubbed... URL: From kristian.fiskerstrand at sumptuouscapital.com Fri Jun 3 09:33:54 2016 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Fri, 3 Jun 2016 09:33:54 +0200 Subject: Stable release of branch 2.1 In-Reply-To: References: Message-ID: <12d829ac-8a14-fdf5-a4f0-2a855f47c6f6@sumptuouscapital.com> On 06/02/2016 12:43 PM, Dashamir Hoxha wrote: > Hi, > > How far is the branch 2.1 from a stable release? > Is there any roadmap or timeschedule about making a stable release for 2.1? > > I aksed ubuntu about when they are going to upgrade from 2.1.11 to 2.1.12 > and the answer is that they don't upgrade packages on LTS, unless there is > a strong reason (which makes sense): > https://answers.launchpad.net/ubuntu/+source/gnupg2/+question/294724 Isn't that the standard versioning model? backporting security fixes and regressions only but not adding new features after LTS. It isn't something gnupg specific wrt modern, in particular not if they already include 2.1.11. > > Can you help me to convince them that they should upgrade? > Or rather they should wait for another release of gnupg, before they > upgrade? Are there any particular features you require in the new version that would be considered major? In any case, one issue to beware in the .12 release is at least the issue fixed by "* g10/sig-check.c (check_signature_over_key_or_uid): Fix call to walk_kbnode." that fixes a regression resulting in segfaults in several situations (incidentally is a a good example of why the versioning discussed above makes sense for LTS). -- ---------------------------- Kristian Fiskerstrand Blog: https://blog.sumptuouscapital.com Twitter: @krifisk ---------------------------- Public OpenPGP certificate at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 ---------------------------- "Action is the foundational key to all success" (Pablo Picasso) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From 2014-667rhzu3dc-lists-groups at riseup.net Fri Jun 3 13:33:17 2016 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Fri, 3 Jun 2016 12:33:17 +0100 Subject: Having issues with dirmngr in gpg 2.1 In-Reply-To: <1DC3C8C67280FB4C9A402CB6DB1358F51B8FF0BAC8@S2008SBS.intern.giepa.de> References: <1DC3C8C67280FB4C9A402CB6DB1358F51B8FF0BAC8@S2008SBS.intern.giepa.de> Message-ID: <211459920.20160603123317@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Friday 13 May 2016 at 10:38:28 AM, in , Daniel Ranft wrote: > Hi, > Since a few weeks I cannot search keys anymore. When > I use gpg > --keyserver --search-keys , > the commandline > freezes and the process explorer does not show me a > dirmngr.exe instance. My commandline freezes after telling me:- gpg: connection to the dirmngr established (at which point dirmngr.exe appears in task manager). After a couple of minutes two more lines appear and the task exits:- gpg: no keyserver known (use option --keyserver) gpg: keyserver search failed: No keyserver available Subsequent attempts to run gpg -v --keyserver hkp://pool.sks-keyservers.net --search-keys mfpa display the "no keyserver known" message with no freezing, barely a pause. If I try with GnuPG version 2.1.10 instead of 2.1.12, the only thing that changes is the error message. The first attempt gives:- gpg: error searching keyserver: System error w/o errno gpg: keyserver search failed: System error w/o errno Subsequent attempts give:- gpg: error searching keyserver: Input/output error gpg: keyserver search failed: Input/output error > I then tried to investigate this further by trying > to start the > dirmngr manually with following result: > C:\Program Files > (x86)\GNU\GnuPG\2.1.12\bin>dirmngr.exe --daemon > dirmngr[5020]: Error while opening > `C:\ProgramData\GNU\etc\gnupg\ldapservers.conf': No > such file or directory I get that, plus similar lines for "trusted-certs" and "extra-certs". (Windows Explorer also doesn't find "ldapservers.conf" at all, and only finds "trusted-certs" and "extra-certs" in left-over directories from old installations.) Then I get:- dirmngr[892]: failed to open cache dir file 'C:\Users\[Username]\AppData\Local\GNU\cache\gnupg\crls.d\DIR.txt': No such file or directory And it proceeds to create it. There is already a "crls.d\DIR.txt" under "C:\Users\[Username]\AppData\Roaming\gnupg". Then it seems to stop doing anything. > dirmngr[5020]: The socket cannot be bound to > `C:\Windows\S.dirmngr': Unknown error I don't get that error. And on searching, I find S.dirmngr is created at C:\Users\[Username]\AppData\Local\VirtualStore\Windows whereas the S.dirmngr created when GnuPG calls dirmngr.exe is at C:\Users\[Username]\AppData\Roaming\gnupg (which is "%appdata%\gnupg"). > I think, gpg should try to create the socket file under > %appdata%\gnupg instead of under C:\Windows. For me, it does. - -- Best regards MFPA Life is a holiday. In the same way that glass is a liquid. -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJXUWr9XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwYbAH+QHlfGp8kcMmHVVj6bl26dl5 o56VDr86wxAhj7woLIekIigM3kNdTrKS4jEzpp4jeGwRnTDM94m0QuweScwh25E7 bNukuO84iAQyAEBqu4HAHsLsYqDVzaPguqZXeDgyu4fk1H/osYBHuI2IVFxUE1p+ PpSChxsWcARKTmgX2Bd8DUpxom0oX9NP9Ss2Fm5fvqqEDMMWe9xX4bBZ3DIRqe1n g5NXaR5w0hyhdsj+FEJMopv0LgkkVFS+kDJ23ipvTAOYxd+RwblqvNKAOzqYefLr MeCYuE9jCJqLQ8gEwsizoJpMalliyR3XziD1oEmdaiEeoCgLSlZyMMcr9NidiAaI vgQBFgoAZgUCV1Fq/V8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45ImwAPwJsomaw4gsWb1897+4F++qQ1lI XKJh4q+rstvu5tK1TQD/XKZEqE4VQh+pdPhsR1iXpTXn1MeUObDwJ3gr9YrcHwE= =O1cz -----END PGP SIGNATURE----- From 2014-667rhzu3dc-lists-groups at riseup.net Sat Jun 4 12:10:25 2016 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Sat, 4 Jun 2016 11:10:25 +0100 Subject: Curve 25519 encryption subkey - problem encrypting Message-ID: <58279600.20160604111025@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 I recently created a new Curve 25519 encryption subkey. One of the other PGPNET members tells me GnuPG 2.1.12 reports the subkey size as 0 and will not encrypt to this subkey,instead giving the error:- gpg: pubkey_encrypt failed: Provided object is too short gpg: test: encryption failed: Provided object is too short I get that error using GnuPG 2.1.11 but not 2.1.12 (and I do not see a key size for an ECC key in my key listing). Any ideas why he cannot encrypt to this Curve 25519 encryption subkey? (Subkey 0xA11C7EE5DA49DC12 on main key 0x251BCCEB547B7194) He is running OpenSUSE 13.2, which does not provide GnuPG 2.1 in their standard repos so he installed it from an alternative repo [0]. This install also replaces a number of related packages to resolve dependencies. He has provided the following information about the GnuPG and Libgcrypt packages he has installed:- Information for package gpg2: - ----------------------------- Repository: openSUSE-13.2-Security-Privacy Name: gpg2 Version: 2.1.12-164.1 Arch: i586 Vendor: obs://build.opensuse.org/security:privacy Installed: Yes Status: up-to-date Installed Size: 5.5 MiB Summary: GnuPG 2 Description: GnuPG 2 is the successor of "GnuPG" or GPG. It provides: GPGSM, gpg-agent, and a keybox library. And since Ben mentioned libgcrypt: Information for package libgcrypt20: - ------------------------------------ Repository: openSUSE-13.2-Security-Privacy Name: libgcrypt20 Version: 1.6.5-112.1 Arch: i586 Vendor: obs://build.opensuse.org/security:privacy Installed: Yes Status: up-to-date Installed Size: 757.8 KiB Summary: The GNU Crypto Library Description: Libgcrypt is a general purpose crypto library based on the code used in GnuPG (alpha version). [0] - -- Best regards MFPA All generalisations are dangerous, even this one. -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJXUqkRXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXw4tQIAJwGjGtjqRjQBSCwAkWOeqtb cOlnkG6CQKgKqjozpbRQjtX69kpAHy3hej5Pd3UvWPrQI9adBb9+Pmqtp/Q7zHu3 41wjUCGA+1YxeVCWCTU7hCq28LFmeSjfa6eZWFCN1mN2WICbFA3lyOsaLyiyYLBy yf8Aznh4mOrp0Ug06k6h/eSAD5TDR11E+XneQRC4S4GYG5U4sCLZ5raQSI351doR HnbMmqwDiC+VJOh0BpEhQ68JNTLtr0D2PYiYtW3GBZEwIfcKeDIXWAmwOYgn4dmy g3VolEKi8i3a58d8z/HEqdU4evnzMh7ETexDqLpxCOjHLC33gXaLS7mZxVBzey+I vgQBFgoAZgUCV1KpEV8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45F7xAQCdtjGUsu6hyLaxntsi8paaD+Kg /qEFGFIbp706VcDM0wEAiSa37vIem4TELYYcMwVGa/xaFfgRIatTWI2n9glcUg8= =G6D/ -----END PGP SIGNATURE----- From kristian.fiskerstrand at sumptuouscapital.com Sat Jun 4 12:15:36 2016 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Sat, 4 Jun 2016 12:15:36 +0200 Subject: Curve 25519 encryption subkey - problem encrypting In-Reply-To: <58279600.20160604111025@riseup.net> References: <58279600.20160604111025@riseup.net> Message-ID: On 06/04/2016 12:10 PM, MFPA wrote: > > > I recently created a new Curve 25519 encryption subkey. One of the > other PGPNET members tells me GnuPG 2.1.12 reports the subkey size as > 0 and will not encrypt to this subkey,instead giving the error:- > > Information for package libgcrypt20: > ------------------------------------ > Repository: openSUSE-13.2-Security-Privacy > Name: libgcrypt20 > Version: 1.6.5-112.1 And if this is upgraded to 1.7 branch? -- ---------------------------- Kristian Fiskerstrand Blog: https://blog.sumptuouscapital.com Twitter: @krifisk ---------------------------- Public OpenPGP certificate at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 ---------------------------- Quidquid latine dictum sit, altum videtur. Anything said in Latin sounds profound -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From 2014-667rhzu3dc-lists-groups at riseup.net Sat Jun 4 16:26:37 2016 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Sat, 4 Jun 2016 15:26:37 +0100 Subject: Curve 25519 encryption subkey - problem encrypting In-Reply-To: References: <58279600.20160604111025@riseup.net> Message-ID: <1063286787.20160604152637@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Saturday 4 June 2016 at 11:15:36 AM, in , Kristian Fiskerstrand wrote: > On 06/04/2016 12:10 PM, MFPA wrote: >> I recently created a new Curve 25519 encryption >> subkey. One of the >> other PGPNET members tells me GnuPG 2.1.12 reports >> the subkey size as >> 0 and will not encrypt to this subkey,instead >> giving the error:- >> Information for package libgcrypt20: >> ------------------------------------ >> Repository: openSUSE-13.2-Security-Privacy >> Name: libgcrypt20 >> Version: 1.6.5-112.1 > And if this is upgraded to 1.7 branch? Thanks for the swift reply. He has now noted from the Libgcrypt 1.7.0 release's "Noteworthy changes" that Curve25519 is new in this version. He asks what distribution/repo are people using that has already been updated? - -- Best regards MFPA Ballerinas are always on their toes. We need taller ballerinas! -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJXUuUeXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwEb4H/0hKon1xmr55sNIGRAuAbqtb TeK8jyPyQjdVB4IM+/6tCuQGCcKTYgO+zzGMeVR1MSsr2EdN5/y4rPG/56prBSoV J4HLiWfaih51KkEW5i+pPIW4elvjn6rDwV+N8HrHWOtaiSA1KFpRvn3xl53aXSSr zl1Wieku0BGeF99bG04Xg/GLLDTjUeQOW2daY6F6NrJUFWFBKMfL2NzSmsOwh1H6 +9tzBACOkvdTbXoqRKioh/Nf3vFjS9cOvayPh1GIwnNczIIzaU76IcggZvyC8qsn NZHbEb7ciO6QKPI306mTodKlmMHMO9/6LkJZZGWAeTDzCwkusJ2/g3SkrYSCgL2I vgQBFgoAZgUCV1LlHl8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45BfAAQCu7rK4WZ8XZwGFpqJOjsE3lhcc d6Lm2GRVujKxlQZxuQD8DtHh1Q6uaPUCKoZgBthAd89YxHXnePEQ0rLIlaKtQgA= =2cH7 -----END PGP SIGNATURE----- From kristian.fiskerstrand at sumptuouscapital.com Sat Jun 4 16:37:40 2016 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Sat, 4 Jun 2016 16:37:40 +0200 Subject: Curve 25519 encryption subkey - problem encrypting In-Reply-To: <1063286787.20160604152637@riseup.net> References: <58279600.20160604111025@riseup.net> <1063286787.20160604152637@riseup.net> Message-ID: On 06/04/2016 04:26 PM, MFPA wrote: > > > On Saturday 4 June 2016 at 11:15:36 AM, in > , > Kristian Fiskerstrand wrote: > >> And if this is upgraded to 1.7 branch? > > > Thanks for the swift reply. He has now noted from the Libgcrypt 1.7.0 > release's "Noteworthy changes" that Curve25519 is new in this version. > He asks what distribution/repo are people using that has already been > updated? In Gentoo we have 1.7 of libgcrypt in unstable (~arch) which is same level as gnupg 2.1 is in, so most using 2.1 have the capability -- ---------------------------- Kristian Fiskerstrand Blog: https://blog.sumptuouscapital.com Twitter: @krifisk ---------------------------- Public OpenPGP certificate at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 ---------------------------- "If you cannot convince them, confuse them" (Harry S Truman) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From samir at samirnassar.com Sat Jun 4 22:40:18 2016 From: samir at samirnassar.com (Samir Nassar) Date: Sat, 4 Jun 2016 22:40:18 +0200 Subject: Curve 25519 encryption subkey - problem encrypting In-Reply-To: <1063286787.20160604152637@riseup.net> References: <58279600.20160604111025@riseup.net> <1063286787.20160604152637@riseup.net> Message-ID: On 06/04/2016 04:26 PM, MFPA wrote: > Thanks for the swift reply. He has now noted from the Libgcrypt 1.7.0 > release's "Noteworthy changes" that Curve25519 is new in this version. > He asks what distribution/repo are people using that has already been > updated? On up to date Arch linux: $ gpg --version gpg (GnuPG) 2.1.12 libgcrypt 1.7.0 Copyright (C) 2016 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 -- Samir Nassar web: samirnassar.com email: samir at samirnassar.com PGP: pgp.samirnassar.com -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: From brian at minton.name Sun Jun 5 18:47:06 2016 From: brian at minton.name (Brian Minton) Date: Sun, 05 Jun 2016 16:47:06 +0000 Subject: Curve 25519 encryption subkey - problem encrypting In-Reply-To: References: <58279600.20160604111025@riseup.net> <1063286787.20160604152637@riseup.net> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Debian has gnupg 2.1 in experimental. If you have the experimental repository added, it will automatically pull in all the dependencies including libgcrypt 1.7 -----BEGIN PGP SIGNATURE----- iIAEAREKACghHEJyaWFuIE1pbnRvbiA8YnJpYW5AbWludG9uLm5hbWU+BQJXVFdg AAoJEGuOs6Blz7qpk5YA/3pTQMG69YuGCmLAcwGysDcXCF8CceG7LjvI6o5AK3sZ AP9/he0PueGTpQm0GQUwYkbTuIz1aBrBDUA7N7sqmfDlhw== =J8Wn -----END PGP SIGNATURE----- -------------- next part -------------- An HTML attachment was scrubbed... URL: From 2014-667rhzu3dc-lists-groups at riseup.net Mon Jun 6 02:27:43 2016 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Mon, 6 Jun 2016 01:27:43 +0100 Subject: Curve 25519 encryption subkey - problem encrypting In-Reply-To: References: <58279600.20160604111025@riseup.net> <1063286787.20160604152637@riseup.net> Message-ID: <1559993053.20160606012743@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Saturday 4 June 2016 at 3:37:40 PM, in , Kristian Fiskerstrand wrote: > In Gentoo we have 1.7 of libgcrypt in unstable > (~arch) which is same > level as gnupg 2.1 is in, so most using 2.1 have the > capability Thank you. On Saturday 4 June 2016 at 9:40:18 PM, in , Samir Nassar wrote: > On up to date Arch linux: > $ gpg --version > gpg (GnuPG) 2.1.12 > libgcrypt 1.7.0 > Copyright (C) 2016 Free Software Foundation, Inc. > License GPLv3+: GNU GPL version 3 or later > > This is free software: you are free to change and > redistribute it. > There is NO WARRANTY, to the extent permitted by law. > Home: ~/.gnupg > Supported algorithms: > Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA > Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, > AES256, TWOFISH, > CAMELLIA128, CAMELLIA192, CAMELLIA256 > Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 > Compression: Uncompressed, ZIP, ZLIB, BZIP2 Thank you. I have passed on both replies. - -- Best regards MFPA It's better to feed one cat than many mice -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJXVMN/XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwnckH/2dw0EDkN8btfMG2t5zY9jow 5G1Zj3y2RI52ftU5R7tCvVm23b4anIzwth/3+INNB65MX4E78oQaemxwVp6jo9of lWXbRZpN3z1tyi4oa47O0QVNYVlo8rHOG+46OtW7DV9hx/3Hbh8vxQbSEuCFTWTg U0MUq0yjFZVl1Qnc/3rD5er3UDUxW5yQSTn4NRZkeyYmyQ4/lDfySKoCZ2SiF371 R+d0ZV2hW/8ObRSNlM6vS8urbUoH2/yT7xEqfFMuyuGzqcNLyWJJ0NdbApFgXl5G Nhz1QxZt74sqLfg37OnZGYic1KaQQU8tJgKtBJkXRRSyJfcnGdOSywnvShdIzImI vgQBFgoAZgUCV1TDf18UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45EtoAP4vMAcD8KabUTdZf9yqeSIBCCA+ ONadM/RXgigY1AVFZgEAiEtdD7uh98ciTmyAkmPqITqFexwLWFrxC69BCamQ/QQ= =9jJb -----END PGP SIGNATURE----- From loki at zapto.roth.ca Mon Jun 6 03:07:00 2016 From: loki at zapto.roth.ca (Oliver Briscbois) Date: Mon, 06 Jun 2016 08:07:00 +0700 Subject: keyserver and --recv-keys Message-ID: Hi all, I'm trying to import about 100 keys using the command: gpg2 --recv-keys A1234567 B2345678 C3456789 ...etc Is there a better/faster way or custom script for importing keys than the above? Is there a list of keyservers I can ping/test to find the fastest one for my location. I'm remote, with a very slow (56.6k) internet connection, that's if I'm lucky. Oliver From peter at digitalbrains.com Mon Jun 6 12:09:15 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Mon, 6 Jun 2016 12:09:15 +0200 Subject: Curve 25519 encryption subkey - problem encrypting In-Reply-To: References: <58279600.20160604111025@riseup.net> <1063286787.20160604152637@riseup.net> Message-ID: <57554BCB.9050602@digitalbrains.com> On 05/06/16 18:47, Brian Minton wrote: > Debian has gnupg 2.1 in experimental. 2.1 has already passed into unstable as well as stretch/testing. The version currently in experimental renames the binary from gpg2 to gpg, which is, I think, truly experimental for now. My gut feeling says that for now, you'd better stick to the versions in testing(/unstable) unless you're willing to help development by reporting bugs :-). HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From me at matthias-nick.de Mon Jun 6 20:09:52 2016 From: me at matthias-nick.de (Matthias Nick) Date: Mon, 6 Jun 2016 20:09:52 +0200 Subject: Older gpg version does not ask for passphrase Message-ID: Hello everyone, first off: I'm new at this list. I did not find a (working) search option for the archives nor any thread pertaining to my question during the past year. My issue seems to be the exact opposite of what other people experience. In short, when I copy my keyring to a machine using an older version of gpg, it decrypts (successfully) without asking for my passphrase. On my laptop, running Arch Linux with gpg (GnuPG) 2.1.12 and libgcrypt 1.7.0, I am always asked for the passphrase. Same thing happens on a Debian testing machine running gpg (GnuPG) 2.1.11 and libgcrypt 1.7.0-beta. On that same machine, when I use gpg instead of gpg2 (gpg (GnuPG) 1.4.20) with the exact same command, the file is decrypted without entering a passphrase. On a machine running Debian stable (gpg (GnuPG) 2.0.26 and libgcrypt 1.6.3), the file is also decrypted without a passphrase. Lastly, my Android phone running OpenKeychaingn 3.9.5 does not ask for a passphrase either. Am I doing anything wrong or maybe misunderstanding something? My understanding is that passphrases are meant for a situation where someone gets their hands on my private key and this behaviour seems to defy the purpose. Many thanks and best regards Matthias -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: From dashohoxha at gmail.com Mon Jun 6 22:50:57 2016 From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Mon, 6 Jun 2016 22:50:57 +0200 Subject: Older gpg version does not ask for passphrase In-Reply-To: References: Message-ID: On Mon, Jun 6, 2016 at 8:09 PM, Matthias Nick wrote: > > Am I doing anything wrong or maybe misunderstanding something? My > understanding is that passphrases are meant for a situation where > someone gets their hands on my private key and this behaviour seems to > defy the purpose. > If your environment is unsafe and you don't trust it, then you should authorize the private key each time that it is used. If you are in a safe environment and you trust it, you don't need to authorize the key each time you use it. I think that the latest versions of GnuPG are taking a more conservative approach, by not trusting the environment, so you have to give the passphrase more often. -------------- next part -------------- An HTML attachment was scrubbed... URL: From 2014-667rhzu3dc-lists-groups at riseup.net Mon Jun 6 22:53:12 2016 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Mon, 6 Jun 2016 21:53:12 +0100 Subject: Having issues with dirmngr in gpg 2.1 In-Reply-To: <211459920.20160603123317@riseup.net> References: <1DC3C8C67280FB4C9A402CB6DB1358F51B8FF0BAC8@S2008SBS.intern.giepa.de> <211459920.20160603123317@riseup.net> Message-ID: <1267731650.20160606215312@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Friday 3 June 2016 at 12:33:17 PM, in , MFPA wrote: > [snipped] Please ignore me. I've realised the version 2.1.12 release announcement tells me the Windows installer is missing HKPS support. - -- Best regards MFPA Did you hear? They took the word gullible out of the dictionary -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJXVeK7XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwkMAIAKKL8mlL3BW6GNDEkkGghAvS TQOuJN+QKaoaO1G2a5em8Ypvi3Ou4iuCQCAlH4zR1Ad3ShcYVP/ylAITYbuzM/vD GeXCqeCjZNeByTMF0dkjPHMTZz17mdwtNw+SvfQ1wbPYPEEgHm4bow47rTpBqVVl XsBZHwh3e/1HpunIVRp2KOP/fwCBKAKFCPTLGSb+5Pt6gmnUFG0G+GrIlFfzL/ZM KwGdpa/pIVB0mXXUnrynv6OCs/p/MPD/R1jgb4q5hfRK+bpPi3YdMb8MpQdKfv9f 2Oimm/L45x/HllyR7I8aa3rOrToCCOziVXDkY/qeRnf81FWoSs90QlfKj5JNns6I vgQBFgoAZgUCV1Xiz18UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45GcsAP0RZltqueO0WE320HQ7XYKDD8Qb CAzkAB9p5on/ktT/iwEAyyyayaEcFCj1kfyC5DGztwdmc0waZx46xYofs2SuPQc= =LXLG -----END PGP SIGNATURE----- From 2014-667rhzu3dc-lists-groups at riseup.net Mon Jun 6 22:54:02 2016 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Mon, 6 Jun 2016 21:54:02 +0100 Subject: Keyserver lookup failure In-Reply-To: <138546192.20160602034310@riseup.net> References: <78679581.20160601123902@riseup.net> <59e4f8b7-28b9-dddd-f0cf-a2a7ba4b479c@sumptuouscapital.com> <138546192.20160602034310@riseup.net> Message-ID: <311781291.20160606215402@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Thursday 2 June 2016 at 3:43:10 AM, in , MFPA wrote: > Thanks for replying. Port 11371 is not blocked:- [snipped] Sorry. I just spotted the reason in "[Announce] GnuPG 2.1.12 released":- "This Windows installer comes with [...] It is still missing HKPS support, though." ^^^^^^^^^^^^^^^^^^^^ - -- Best regards MFPA Something must be done. This is something. Therefore, we must do it. -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJXVeLrXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwHrcH/1q+DkbrwWaWM5yEaxaCvTD2 el7DPWOzWe4pGPSMlGnp4HSmXXV+9bede13y4djirfQ4CJpB32UQyU1WqvpgqOVb JyHfSGsW5JbA8UZtribBpnVHyqCkRKKHGeDqPLOZ/ER7It0Axq6jkZqSTAxqlcvC dC1YY+jvpheECnpgR/KXUE3U/i0vEADC04T/Yci6xKWF3Ufs/yUuzoSys+njYDgq ieodzRQzSie90/M6eX0tw60W+vKO8FBadp3L7n8iupyz0HyBtoszhw4VAqq3ILFX v08kCGj6VXi6wv/e5fnI/plv7r6/aBO3JWtkqDJiiYwIMbVS9iBWAnlyO8vxDhmI vgQBFgoAZgUCV1Xi618UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45Lj7AP4vn/f9NyuPbM9MI4Gi/TOTa1ux vzxLII56wxfLbOPTvgD+IsTmzwflfKDj9vKUrtz5LIl8fpDcYm1fITbxPHtWkg8= =KEFf -----END PGP SIGNATURE----- From me at matthias-nick.de Mon Jun 6 23:54:08 2016 From: me at matthias-nick.de (Matthias Nick) Date: Mon, 6 Jun 2016 23:54:08 +0200 Subject: Older gpg version does not ask for passphrase In-Reply-To: References: Message-ID: <5a556dd1-e5ff-35f2-3767-1444881f0c8e@matthias-nick.de> Am 06.06.2016 um 22:50 schrieb Dashamir Hoxha: > On Mon, Jun 6, 2016 at 8:09 PM, Matthias Nick wrote: >> >> Am I doing anything wrong or maybe misunderstanding something? My >> understanding is that passphrases are meant for a situation where >> someone gets their hands on my private key and this behaviour seems to >> defy the purpose. >> > > If your environment is unsafe and you don't trust it, then you should > authorize > the private key each time that it is used. If you are in a safe environment > and > you trust it, you don't need to authorize the key each time you use it. > I think that the latest versions of GnuPG are taking a more conservative > approach, by not trusting the environment, so you have to give the > passphrase > more often. > Authorization would be a gpg-agent issue though, from what I understand. However, at least on one of the Debian machines, gpg-agent isn't even running. Also, I would still have to enter my password at least once initially. But I just copy the keyring and don't need to authorize even once. From rjh at sixdemonbag.org Tue Jun 7 04:17:15 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 6 Jun 2016 22:17:15 -0400 Subject: Older gpg version does not ask for passphrase In-Reply-To: References: Message-ID: <81df358b-8898-49e0-798e-556fb8ff494a@sixdemonbag.org> > If your environment is unsafe and you don't trust it, then you should > authorize the private key each time that it is used. This is howlingly bad advice. If you don't trust your computer, do not use it for sensitive communications. It's that simple. From dashohoxha at gmail.com Tue Jun 7 12:03:55 2016 From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Tue, 7 Jun 2016 12:03:55 +0200 Subject: How to install GnuPG-2.1.12 in Ubuntu? Message-ID: Hi, Does anybody know how to temporarily install GnuPG-2.1.12 in Ubuntu or Debian, for testing? I also need help with testing egpg in CentOS: - https://github.com/dashohoxha/egpg/blob/gnupg-2.0/tests/dockerfile/centos-7 In Ubuntu and Debian testing works well: - https://github.com/dashohoxha/egpg/blob/gnupg-2.0/tests/dockerfile/ubuntu-14.04 - https://github.com/dashohoxha/egpg/blob/gnupg-2.0/tests/dockerfile/debian-8 Thanks, Dashamir -------------- next part -------------- An HTML attachment was scrubbed... URL: From dkg at fifthhorseman.net Tue Jun 7 19:22:34 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 07 Jun 2016 13:22:34 -0400 Subject: How to install GnuPG-2.1.12 in Ubuntu? In-Reply-To: References: Message-ID: <87a8iwhq1x.fsf@alice.fifthhorseman.net> On Tue 2016-06-07 06:03:55 -0400, Dashamir Hoxha wrote: > Does anybody know how to temporarily install GnuPG-2.1.12 in Ubuntu or > Debian, for testing? In debian testing or unstable, you should use the gnupg package from the experimental repository. regards, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 948 bytes Desc: not available URL: From dashohoxha at gmail.com Tue Jun 7 19:28:45 2016 From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Tue, 7 Jun 2016 19:28:45 +0200 Subject: How to install GnuPG-2.1.12 in Ubuntu? In-Reply-To: <87a8iwhq1x.fsf@alice.fifthhorseman.net> References: <87a8iwhq1x.fsf@alice.fifthhorseman.net> Message-ID: On Tue, Jun 7, 2016 at 7:22 PM, Daniel Kahn Gillmor wrote: > On Tue 2016-06-07 06:03:55 -0400, Dashamir Hoxha wrote: > > > Does anybody know how to temporarily install GnuPG-2.1.12 in Ubuntu or > > Debian, for testing? > > In debian testing or unstable, you should use the gnupg package from the > experimental repository. > Thanks, but how? Just download the .deb package with `wget` and use `dpkg -i package.deb`? Sorry, I am not a debian guru. -------------- next part -------------- An HTML attachment was scrubbed... URL: From brad at fineby.me.uk Tue Jun 7 19:54:55 2016 From: brad at fineby.me.uk (Brad Rogers) Date: Tue, 7 Jun 2016 18:54:55 +0100 Subject: How to install GnuPG-2.1.12 in Ubuntu? In-Reply-To: References: <87a8iwhq1x.fsf@alice.fifthhorseman.net> Message-ID: <20160607185455.01546eb8@abydos.stargate.org.uk> On Tue, 7 Jun 2016 19:28:45 +0200 Dashamir Hoxha wrote: Hello Dashamir, >Thanks, but how? Just download the .deb package with `wget` and use >`dpkg -i package.deb`? That may well work, but it's possibly ill-advised. I suggest reading https://wiki.debian.org/DebianExperimental, which has all the info you need. -- Regards _ / ) "The blindingly obvious is / _)rad never immediately apparent" Buy some love at the five and dime You Have Placed A Chill In My Heart - Eurythmics -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP digital signature URL: From dashohoxha at gmail.com Tue Jun 7 20:03:57 2016 From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Tue, 7 Jun 2016 20:03:57 +0200 Subject: How to install GnuPG-2.1.12 in Ubuntu? In-Reply-To: <20160607185455.01546eb8@abydos.stargate.org.uk> References: <87a8iwhq1x.fsf@alice.fifthhorseman.net> <20160607185455.01546eb8@abydos.stargate.org.uk> Message-ID: On Tue, Jun 7, 2016 at 7:54 PM, Brad Rogers wrote: > > That may well work, but it's possibly ill-advised. I suggest reading > https://wiki.debian.org/DebianExperimental, which has all the info you > need. > Thanks a lot. This page indeed has the answers I was looking for. Dashamir -------------- next part -------------- An HTML attachment was scrubbed... URL: From brad at fineby.me.uk Tue Jun 7 20:51:50 2016 From: brad at fineby.me.uk (Brad Rogers) Date: Tue, 7 Jun 2016 19:51:50 +0100 Subject: How to install GnuPG-2.1.12 in Ubuntu? In-Reply-To: References: <87a8iwhq1x.fsf@alice.fifthhorseman.net> <20160607185455.01546eb8@abydos.stargate.org.uk> Message-ID: <20160607195150.3fb77fd0@abydos.stargate.org.uk> On Tue, 7 Jun 2016 20:03:57 +0200 Dashamir Hoxha wrote: Hello Dashamir, >Thanks a lot. This page indeed has the answers I was looking for. Glad to have been of service. -- Regards _ / ) "The blindingly obvious is / _)rad never immediately apparent" Does she always shout at you, does she tell you what to do Family Life - Sham 69 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP digital signature URL: From me at matthias-nick.de Sat Jun 4 04:05:32 2016 From: me at matthias-nick.de (Matthias Nick) Date: Sat, 4 Jun 2016 04:05:32 +0200 Subject: Older gpg version does not ask for passphrase Message-ID: <422fde14-32c1-5c7a-6655-e0047825629b@matthias-nick.de> Hello everyone, first off: I'm new at this list. I did not find a (working) search option for the archives nor any thread pertaining to my question during the past year. My issue seems to be the exact opposite of what other people experience. In short, when I copy my keyring to a machine using an older version of gpg, it decrypts (successfully) without asking for my passphrase. On my laptop, running Arch Linux with gpg (GnuPG) 2.1.12 and libgcrypt 1.7.0, I am always asked for the passphrase. Same thing happens on a Debian testing machine running gpg (GnuPG) 2.1.11 and libgcrypt 1.7.0-beta. On that same machine, when I use gpg instead of gpg2 (gpg (GnuPG) 1.4.20) with the exact same command, the file is decrypted without entering a passphrase. On a machine running Debian stable (gpg (GnuPG) 2.0.26 and libgcrypt 1.6.3), the file is also decrypted without a passphrase. Lastly, my Android phone running OpenKeychaingn 3.9.5 does not ask for a passphrase either. Am I doing anything wrong or maybe misunderstanding something? My understanding is that passphrases are meant for a situation where someone gets their hands on my private key and this behaviour seems to defy the purpose. Many thanks and best regards Matthias -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: From cmorenot at mx1.ibm.com Mon Jun 6 19:34:04 2016 From: cmorenot at mx1.ibm.com (Carlos Alberto Moreno Torres) Date: Mon, 6 Jun 2016 12:34:04 -0500 Subject: Fw: GnuPG - Encryption process issues. In-Reply-To: References: Message-ID: <20160606173412.0E0356A03F@b03ledav003.gho.boulder.ibm.com> Hi Ankit, Below is the response from GnuPG support, please let us know if this can provide us the specific Root Cause. Please reply to all and direct email to GnuPG Team if you have any questions for them. Thanks in advance. Also, do not remove any of the participants of this email. Hi Carlos-- Please reply in the original thread, to make it easier for people to follow the discussion. I've added some References: headers back in here so some mailers might merge the threads, but this won't work for everyone. Also, when sharing terminal transcripts, sending mail without unnecessary line-wrapping will make them much easier for your readers to interpret. It looks like you're trying to sign the file (that's what the "-s" part of "-se" means). For whatever reason, the signature itself is likely to be what is failing, and not the encryption. If you drop the signatures in your test (using -e instead of -se) do they all complete cleanly? To be clear: I'm not saying you shouldn't sign at the same time as encrypting, i'm trying to help you narrow down the cause of the problem. I also see you fiddling with the ownership of ~/.gnupg/random_seed -- you really shouldn't need to do that, and ideally each user will control their own random_seed automatically -- you shouldn't be sharing a gnupg home directory between to different user accounts unless you absolutely need to. --dkg (See attached file: signature.asc) Carlos A. Moreno Torres Problem Management | CEMEX Global Technology Services | IBM Corporation Office:?(+52-81) 8328-5251 IBM E-mail:?cmorenot at mx1.ibm.com Av. Constituci?n No. 444 Pte. IBM @ CEMEX Collaboration HUB: ibm.biz/Bdx93b Monterrey, NL 64000 M?xico From: Ankit Bhardwaj5/India/IBM To: Carlos Alberto Moreno Torres/Mexico/Contr/IBM at IBMMX Cc: Ajay B Challa/India/IBM at IBMIN, Ivan Fernando Montes de Oca Tavera/Mexico/Contr/IBM at IBMMX, "Juan Carlos Garcia" , Samuel Ramos Javier/Mexico/IBM at IBMMX, "Samuel Mizrain Ramos Javier" , Srinivas Masetty/India/IBM at IBMIN Date: 05/31/2016 10:46 AM Subject: Re: Fw: GnuPG - Encryption process issues. Hello Carlos Please share below information with GPG team i think by seeing the results of test performed by us on system they will able to give us the solution We have tested below things in envirnoment -> Userd Details used in this test root ehpadm Permissions under user "root" -> Directory Permission of root drwx------ 2 root sapsys 4096 May 31 09:39 /home/root/.gnupg -> Files Under /home/root/.gnupg -rw------- 1 root sapsys 1280 Sep 13 2011 trustdb.gpg -rw------- 1 root sapsys 4805 Sep 13 2011 secring.gpg -r-------- 1 root sapsys 9088 Sep 13 2011 gpg.conf -rw------- 1 root sapsys 7438 May 21 2013 pubring.gpg~ -rw------- 1 root sapsys 8557 Nov 8 2013 pubring.gpg -rw------- 1 root sapsys 11 Apr 28 08:44 .#lk200104a8.mxoccsapehpn2.8716480 -rw------- 1 root sapsys 11 Apr 28 08:53 .#lk2000c2c8.mxoccsapehpn2.11141460 -rw------- 1 root sapsys 11 Apr 28 12:00 .#lk200104b8.mxoccsapehpn2.8978598 -rw------- 1 root sapsys 11 Apr 29 08:57 .#lk2000c2c8.mxoccsapehpn2.12911042 -rw------- 1 root sapsys 11 May 2 11:32 .#lk200104b8.mxoccsapehpn2.10748294 -rw------- 1 root sapsys 11 May 2 19:34 .#lk200104b8.mxoccsapehpn2.7471568 -rw------- 1 root sapsys 11 May 2 22:23 .#lk2000c328.mxoccsapehpn2.12058746 -rw------- 1 root sapsys 11 May 2 23:46 .#lk200104b8.mxoccsapehpn2.6750230 -rw------- 1 root sapsys 11 May 3 10:28 .#lk200104b8.mxoccsapehpn2.14221392 -rw------- 1 root sapsys 11 May 3 13:45 .#lk200104b8.mxoccsapehpn2.9240874 -rw------- 1 root sapsys 600 May 31 09:39 random_seed ->Permissions under user "ehpadm" drwx------ 2 ehpadm sapsys 4096 May 31 09:48 /home/ehpadm/.gnupg -> Files Under /home/ehpadm/.gnupg -rw------- 1 ehpadm sapsys 1200 May 3 21:54 trustdb.gpg -rw------- 1 ehpadm sapsys 7438 May 3 21:54 pubring.gpg~ -rw------- 1 ehpadm sapsys 8557 May 3 21:54 pubring.gpg -rw------- 1 ehpadm sapsys 4805 May 3 21:54 secring.gpg -rw------- 1 ehpadm sapsys 11 May 3 22:03 .#lk200104b8.mxoccsapehpn2.6488076 -rw------- 1 ehpadm sapsys 9029 May 4 11:18 gpg.conf -rw------- 1 ehpadm sapsys 11 May 4 13:43 .#lk2000c328.mxoccsapehpn2.6160766 -rw------- 1 ehpadm sapsys 11 May 4 13:55 .#lk2000c328.mxoccsapehpn2.8913004 -rw------- 1 ehpadm sapsys 11 May 4 15:55 .#lk2000c328.mxoccsapehpn2.12976528 -rw------- 1 ehpadm sapsys 11 May 4 17:58 .#lk2000c328.mxoccsapehpn2.10158578 -rw------- 1 ehpadm sapsys 11 May 4 18:06 .#lk2000c328.mxoccsapehpn2.5308674 -rw------- 1 ehpadm sapsys 0 May 31 10:00 random_seed #### Test 1 ##### -------Failed Test ->Created file name "testehpadm" in ehpadm home directory -rw-r--r-- 1 ehpadm sapsys 6 May 31 10:06 /home/ehpadm/testehpadm -> Invoke GPG progrma using below command /opt/freeware/gnupg/bin/gpg -v -u cxcxmxmt-py -se --armor --output /home/ehpadm/testehpadm.pgp -r HSBCnet******2020-07-20 --trust-model always /home/ehpadm/testehpadm -> Output of command gpg: using subkey B6BC9FE5 instead of primary key D8F5ECAE gpg: No trust check due to `--trust-model always' option gpg: writing to `/home/ehpadm/testehpadm.pgp' -> command is not exiting , we have to forecfully kill the command every time and file generated by PGP is zero bytes -rw-r--r-- 1 ehpadm sapsys 0 May 31 10:06 /home/ehpadm/testehpadm.pgp #### Test 2 ##### --------Successful Test ->Created file name "testroot" in root home directory -rw-r--r-- 1 root system 7 May 31 10:11 /home/root/testroot -> Invoke GPG progrma using below command /opt/freeware/gnupg/bin/gpg -v -u cxcxmxmt-py -se --armor --output /home/root/testroot.pgp -r HSBCnet******2020-07-20 --trust-model always /home/root/testroot -> Output of command gpg: using subkey B6BC9FE5 instead of primary key D8F5ECAE gpg: No trust check due to `--trust-model always' option gpg: writing to `/home/root/testroot.pgp' gpg: RSA/AES256 encrypted for: "B6BC9FE5 HSBCnet******2020-07-20" gpg: RSA/SHA1 signature from: "5FBFB2DF cxcxmxmt-py (exp:2026-07-22)" Test completed successfully with no errors -rw-r--r-- 1 root system 1649 May 31 10:12 /home/root/testroot.pgp #### Test 3 ##### ---------Test is successful but giving some error ->Created file name "testehpadm" in ehpadm home directory -rw-r--r-- 1 ehpadm sapsys 6 May 31 10:06 /home/ehpadm/testehpadm -> Changed the owner of "random seed" file to root so that ehpadm can not write to random_seed file -rw------- 1 root system 0 May 31 10:00 /home/ehpadm/.gnupg/random_seed -> Invoke GPG progrma using below command /opt/freeware/gnupg/bin/gpg -v -u cxcxmxmt-py -se --armor --output /home/ehpadm/testehpadm.pgp -r HSBCnet******2020-07-20 --trust-model always /home/ehpadm/testehpadm -> Output of command gpg: using subkey B6BC9FE5 instead of primary key D8F5ECAE gpg: No trust check due to `--trust-model always' option File `/home/ehpadm/testehpadm.pgp' exists. Overwrite? (y/N) y gpg: writing to `/home/ehpadm/testehpadm.pgp' gpg: can't open `/home/ehpadm/.gnupg/random_seed': Permission denied gpg: RSA/AES256 encrypted for: "B6BC9FE5 HSBCnet******2020-07-20" gpg: RSA/SHA1 signature from: "5FBFB2DF cxcxmxmt-py (exp:2026-07-22)" gpg: note: random_seed file not updated -> command is exiting successfully , but below errors are coming gpg: can't open `/home/ehpadm/.gnupg/random_seed': Permission denied gpg: note: random_seed file not updated Encrypted file is generated -rw-r--r-- 1 ehpadm sapsys 1654 May 31 10:25 /home/ehpadm/testehpadm.pgp So when we have original random seed file in home directory of ehpadm user, gpg encryption program is not working and when we change the owner of this file and make root as the owner gpg is bypassing this file and it generated the encypted file with below error as in TEST 3 gpg: can't open `/home/ehpadm/.gnupg/random_seed': Permission denied gpg: note: random_seed file not updated Regards, ANKIT BHARDWAJ SME - AIX Mobile: 91-9000-146341 IBM E-mail: ankit.bhardwaj3 at in.ibm.com From: Carlos Alberto Moreno Torres/Mexico/Contr/IBM To: Ankit Bhardwaj5/India/IBM at IBMIN Cc: "Juan Carlos Garcia" , Srinivas Masetty/India/IBM at IBMIN, Ajay B Challa/India/IBM at IBMIN, Samuel Ramos Javier/Mexico/IBM at IBMMX, "Samuel Mizrain Ramos Javier" , Ivan Fernando Montes de Oca Tavera/Mexico/Contr/IBM at IBMMX Date: 05/31/2016 07:11 PM Subject: Fw: GnuPG - Encryption process issues. Hi Ankit, Please confirm if information provided by GnuPG Support Team lead us to a specific Root Cause or if more details are required, since issue can occur again, generating another RCA with higher visibility. Thanks in advance. Carlos A. Moreno Torres Problem Management | CEMEX Global Technology Services | IBM Corporation Office:?(+52-81) 8328-5251 IBM E-mail:?cmorenot at mx1.ibm.com Av. Constituci?n No. 444 Pte. IBM @ CEMEX Collaboration HUB: ibm.biz/Bdx93b Monterrey, NL 64000 M?xico ----- Forwarded by Carlos Alberto Moreno Torres/Mexico/Contr/IBM on 05/31/2016 08:36 AM ----- From: Carlos Alberto Moreno Torres/Mexico/Contr/IBM To: "Juan Carlos Garcia" , Juan Carlos Garcia Dominguez/Mexico/Contr/IBM at IBMMX, Ankit Bhardwaj5/India/IBM at IBMIN Cc: Samuel Ramos Javier/Mexico/IBM at IBMMX, "Samuel Mizrain Ramos Javier" , Ivan Fernando Montes de Oca Tavera/Mexico/Contr/IBM at IBMMX Date: 05/27/2016 03:05 PM Subject: Fw: GnuPG - Encryption process issues. FYI Carlos A. Moreno Torres Problem Management | CEMEX Global Technology Services | IBM Corporation Office:?(+52-81) 8328-5251 IBM E-mail:?cmorenot at mx1.ibm.com Av. Constituci?n No. 444 Pte. IBM @ CEMEX Collaboration HUB: ibm.biz/Bdx93b Monterrey, NL 64000 M?xico ----- Forwarded by Carlos Alberto Moreno Torres/Mexico/Contr/IBM on 05/27/2016 03:04 PM ----- From: Daniel Kahn Gillmor To: Carlos Alberto Moreno Torres/Mexico/Contr/IBM at IBMMX, gnupg-users at gnupg.org Date: 05/27/2016 10:32 AM Subject: Re: GnuPG - Encryption process issues. On Tue 2016-05-24 16:09:21 -0400, Carlos Alberto Moreno Torres wrote: > In recent days, Human Resources Department had some issues while using the > Encryption Program GnuPG in payroll activities, this issue caused a delay > since files where encrypted but information was in blank (like if > encryption process did not finish.) > > As part of remediation process, we found out that it could only work with > Root Permissions but not with the current user. We want to confirm how does > the encryption process works and if you can share any thoughts of what > might could happen. If you require more information, please do not hesitate > to ask me. It sounds to me like the installation of gnupg that you are using is misconfigured. GnuPG depends heavily on a "keyring" -- a collection of public key material (and sometimes private key material, if decryption or signing is needed), which it maintains in the .gnupg directory within the running user's home directory (found by the environment variable $HOME). If you've started with a normal user account, but have then run gnupg as root (e.g. using "su") without resetting $HOME to root's actual homedir (usually /root on the systems i use), then it's possible that you've created ~/.gnupg with the wrong permissions. Or, it's possible that the .gnupg directory is *only* available within root's homedir. Does your non-privileged user have a ~/.gnupg directory? if so, does it have read and write access to it? What error messages do you get from invoking gpg directly? --dkg -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0F237791.gif Type: image/gif Size: 2022 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: graycol.gif Type: image/gif Size: 105 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/octet-stream Size: 966 bytes Desc: not available URL: From ben at adversary.org Tue Jun 7 07:30:05 2016 From: ben at adversary.org (Ben McGinnes) Date: Tue, 7 Jun 2016 15:30:05 +1000 Subject: GNUPG Issues. In-Reply-To: <06927470d34f44739fdd2393091b1a8e@PUNITPMBX33.ad.infosys.com> References: <06927470d34f44739fdd2393091b1a8e@PUNITPMBX33.ad.infosys.com> Message-ID: <20160607053005.GA81949@adversary.org> On Thu, May 05, 2016 at 04:39:30AM +0000, Mrityunjay Kumar03 wrote: > Hi Team, > > On my application server GPG 1.2.1 is being used. Recently the keys > expired on the server. [SNIP] > Could anyone please help. As Robert said, nope, but this made my day ... and here's why ... > Server version being used is Solaris 8. Uh-huh ... > ECSADMC - Telstra > AUTOCAT & INOSS Support So what you're actually saying is you've already tried calling the one part of Sun/Oracle which provides support even to EOL and EOSL software and hardware; the team which will literally bend over backwards for the third biggest hardware customer globally (or as we used to say, would bend over and shake Telstra by the fist). Yet you've managed to do something so completely and utterly against all recommendations and specifications that even that team has said, "nope, you're gonna have to upgrade, there is *nothing* that can be done." Yet some middle manager has thrown a tantrum and said "it must work the way it was when it was first deployed" (probably when Telstra was still called Telecom Australia). So you guys at Infosys thought, "hey, let's get the open source community to do for free what Sun won't do even at $10,000,000 per year (not counting actual hw and sw purchases)." You thought *that* would be a good idea? Let me guess, you also thought no one would realise what was really going on too, right? You mislabeled this thread, this isn't a GnuPG issue, it's not even a Sun/Oracle issue. No, this is entirely a *Telstra* issue and they've made it an InfoSys issue (probably because Frontline and IBM had better sense too). Regards, Ben -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 630 bytes Desc: not available URL: From peter at digitalbrains.com Wed Jun 8 13:08:02 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Wed, 8 Jun 2016 13:08:02 +0200 Subject: Older gpg version does not ask for passphrase In-Reply-To: References: Message-ID: <5757FC92.3020205@digitalbrains.com> Hello, On 06/06/16 20:09, Matthias Nick wrote: > On my laptop, running Arch Linux with gpg (GnuPG) 2.1.12 and libgcrypt > 1.7.0, I am always asked for the passphrase. > > Same thing happens on a Debian testing machine running gpg (GnuPG) > 2.1.11 and libgcrypt 1.7.0-beta. > > On that same machine, when I use gpg instead of gpg2 (gpg (GnuPG) > 1.4.20) with the exact same command, the file is decrypted without > entering a passphrase. > > On a machine running Debian stable (gpg (GnuPG) 2.0.26 and libgcrypt > 1.6.3), the file is also decrypted without a passphrase. > > Lastly, my Android phone running OpenKeychaingn 3.9.5 does not ask for a > passphrase either. GnuPG 2.1 uses a new storage mechanism for your private keys. And 1.4 and 2.0 use the same "old" mechanism. From the way you sum it up, here's what I suspect might be wrong: you simply have no passphrase set on those systems that use the "old" storage. You might have exported your private key without a passphrase once, and used this unprotected copy to import the key elsewhere. When the key is stored without a passphrase, you won't be asked for one, and anybody with access to the files where the key is stored can simply copy the file and use your key, without a passphrase. If this is the problem, a way to fix it is to invoke: $ gpg --edit-key YOURKEYID [...] > passwd [... prompted for the new passphrase ...] > save If after that you are once again prompted for the passphrase (at least once after starting the computer, since the agent might be caching it after you've entered it once), then this was probably the issue. You have solved it for the future on that computer. You can then repeat this process on the others. HOWEVER: keys stored without a passphrase are vulnerable to being copied. If you suspect someone, for instance, has access to a backup containing this key, you need to consider whether you should revoke the key. I can't make this assessment for you, it's your decision. If the key was stored without a passphrase, anybody with access to the files in your GnuPG homedir can take your key and use it as they wish. Somebody could have made a copy of it before you fixed the problem. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From cmorenot at mx1.ibm.com Wed Jun 8 18:34:03 2016 From: cmorenot at mx1.ibm.com (Carlos Alberto Moreno Torres) Date: Wed, 8 Jun 2016 11:34:03 -0500 Subject: Fw: GnuPG - Encryption process issues. In-Reply-To: References: Message-ID: Hi Ankit / Ajay, So far we have not received any response, please revert to GnuPG Support Team since client is asking for updates and "Reply to all" in this email. Thanks in advance. Carlos A. Moreno Torres Problem Management | CEMEX Global Technology Services | IBM Corporation Office:?(+52-81) 8328-5251 IBM E-mail:?cmorenot at mx1.ibm.com Av. Constituci?n No. 444 Pte. IBM @ CEMEX Collaboration HUB: ibm.biz/Bdx93b Monterrey, NL 64000 M?xico From: Carlos Alberto Moreno Torres/Mexico/Contr/IBM To: Ankit Bhardwaj5/India/IBM at IBMIN, Daniel Kahn Gillmor , gnupg-users at gnupg.org Cc: Ajay B Challa/India/IBM at IBMIN, Ivan Fernando Montes de Oca Tavera/Mexico/Contr/IBM at IBMMX, "Juan Carlos Garcia" , Samuel Ramos Javier/Mexico/IBM at IBMMX, "Samuel Mizrain Ramos Javier" , Srinivas Masetty/India/IBM at IBMIN Date: 06/06/2016 12:34 PM Subject: Re: Fw: GnuPG - Encryption process issues. Hi Ankit, Below is the response from GnuPG support, please let us know if this can provide us the specific Root Cause. Please reply to all and direct email to GnuPG Team if you have any questions for them. Thanks in advance. Also, do not remove any of the participants of this email. Hi Carlos-- Please reply in the original thread, to make it easier for people to follow the discussion. I've added some References: headers back in here so some mailers might merge the threads, but this won't work for everyone. Also, when sharing terminal transcripts, sending mail without unnecessary line-wrapping will make them much easier for your readers to interpret. It looks like you're trying to sign the file (that's what the "-s" part of "-se" means). For whatever reason, the signature itself is likely to be what is failing, and not the encryption. If you drop the signatures in your test (using -e instead of -se) do they all complete cleanly? To be clear: I'm not saying you shouldn't sign at the same time as encrypting, i'm trying to help you narrow down the cause of the problem. I also see you fiddling with the ownership of ~/.gnupg/random_seed -- you really shouldn't need to do that, and ideally each user will control their own random_seed automatically -- you shouldn't be sharing a gnupg home directory between to different user accounts unless you absolutely need to. --dkg (See attached file: signature.asc) Carlos A. Moreno Torres Problem Management | CEMEX Global Technology Services | IBM Corporation Office:?(+52-81) 8328-5251 IBM E-mail:?cmorenot at mx1.ibm.com Av. Constituci?n No. 444 Pte. IBM @ CEMEX Collaboration HUB: ibm.biz/Bdx93b Monterrey, NL 64000 M?xico From: Ankit Bhardwaj5/India/IBM To: Carlos Alberto Moreno Torres/Mexico/Contr/IBM at IBMMX Cc: Ajay B Challa/India/IBM at IBMIN, Ivan Fernando Montes de Oca Tavera/Mexico/Contr/IBM at IBMMX, "Juan Carlos Garcia" , Samuel Ramos Javier/Mexico/IBM at IBMMX, "Samuel Mizrain Ramos Javier" , Srinivas Masetty/India/IBM at IBMIN Date: 05/31/2016 10:46 AM Subject: Re: Fw: GnuPG - Encryption process issues. Hello Carlos Please share below information with GPG team i think by seeing the results of test performed by us on system they will able to give us the solution We have tested below things in envirnoment -> Userd Details used in this test root ehpadm Permissions under user "root" -> Directory Permission of root drwx------ 2 root sapsys 4096 May 31 09:39 /home/root/.gnupg -> Files Under /home/root/.gnupg -rw------- 1 root sapsys 1280 Sep 13 2011 trustdb.gpg -rw------- 1 root sapsys 4805 Sep 13 2011 secring.gpg -r-------- 1 root sapsys 9088 Sep 13 2011 gpg.conf -rw------- 1 root sapsys 7438 May 21 2013 pubring.gpg~ -rw------- 1 root sapsys 8557 Nov 8 2013 pubring.gpg -rw------- 1 root sapsys 11 Apr 28 08:44 .#lk200104a8.mxoccsapehpn2.8716480 -rw------- 1 root sapsys 11 Apr 28 08:53 .#lk2000c2c8.mxoccsapehpn2.11141460 -rw------- 1 root sapsys 11 Apr 28 12:00 .#lk200104b8.mxoccsapehpn2.8978598 -rw------- 1 root sapsys 11 Apr 29 08:57 .#lk2000c2c8.mxoccsapehpn2.12911042 -rw------- 1 root sapsys 11 May 2 11:32 .#lk200104b8.mxoccsapehpn2.10748294 -rw------- 1 root sapsys 11 May 2 19:34 .#lk200104b8.mxoccsapehpn2.7471568 -rw------- 1 root sapsys 11 May 2 22:23 .#lk2000c328.mxoccsapehpn2.12058746 -rw------- 1 root sapsys 11 May 2 23:46 .#lk200104b8.mxoccsapehpn2.6750230 -rw------- 1 root sapsys 11 May 3 10:28 .#lk200104b8.mxoccsapehpn2.14221392 -rw------- 1 root sapsys 11 May 3 13:45 .#lk200104b8.mxoccsapehpn2.9240874 -rw------- 1 root sapsys 600 May 31 09:39 random_seed ->Permissions under user "ehpadm" drwx------ 2 ehpadm sapsys 4096 May 31 09:48 /home/ehpadm/.gnupg -> Files Under /home/ehpadm/.gnupg -rw------- 1 ehpadm sapsys 1200 May 3 21:54 trustdb.gpg -rw------- 1 ehpadm sapsys 7438 May 3 21:54 pubring.gpg~ -rw------- 1 ehpadm sapsys 8557 May 3 21:54 pubring.gpg -rw------- 1 ehpadm sapsys 4805 May 3 21:54 secring.gpg -rw------- 1 ehpadm sapsys 11 May 3 22:03 .#lk200104b8.mxoccsapehpn2.6488076 -rw------- 1 ehpadm sapsys 9029 May 4 11:18 gpg.conf -rw------- 1 ehpadm sapsys 11 May 4 13:43 .#lk2000c328.mxoccsapehpn2.6160766 -rw------- 1 ehpadm sapsys 11 May 4 13:55 .#lk2000c328.mxoccsapehpn2.8913004 -rw------- 1 ehpadm sapsys 11 May 4 15:55 .#lk2000c328.mxoccsapehpn2.12976528 -rw------- 1 ehpadm sapsys 11 May 4 17:58 .#lk2000c328.mxoccsapehpn2.10158578 -rw------- 1 ehpadm sapsys 11 May 4 18:06 .#lk2000c328.mxoccsapehpn2.5308674 -rw------- 1 ehpadm sapsys 0 May 31 10:00 random_seed #### Test 1 ##### -------Failed Test ->Created file name "testehpadm" in ehpadm home directory -rw-r--r-- 1 ehpadm sapsys 6 May 31 10:06 /home/ehpadm/testehpadm -> Invoke GPG progrma using below command /opt/freeware/gnupg/bin/gpg -v -u cxcxmxmt-py -se --armor --output /home/ehpadm/testehpadm.pgp -r HSBCnet******2020-07-20 --trust-model always /home/ehpadm/testehpadm -> Output of command gpg: using subkey B6BC9FE5 instead of primary key D8F5ECAE gpg: No trust check due to `--trust-model always' option gpg: writing to `/home/ehpadm/testehpadm.pgp' -> command is not exiting , we have to forecfully kill the command every time and file generated by PGP is zero bytes -rw-r--r-- 1 ehpadm sapsys 0 May 31 10:06 /home/ehpadm/testehpadm.pgp #### Test 2 ##### --------Successful Test ->Created file name "testroot" in root home directory -rw-r--r-- 1 root system 7 May 31 10:11 /home/root/testroot -> Invoke GPG progrma using below command /opt/freeware/gnupg/bin/gpg -v -u cxcxmxmt-py -se --armor --output /home/root/testroot.pgp -r HSBCnet******2020-07-20 --trust-model always /home/root/testroot -> Output of command gpg: using subkey B6BC9FE5 instead of primary key D8F5ECAE gpg: No trust check due to `--trust-model always' option gpg: writing to `/home/root/testroot.pgp' gpg: RSA/AES256 encrypted for: "B6BC9FE5 HSBCnet******2020-07-20" gpg: RSA/SHA1 signature from: "5FBFB2DF cxcxmxmt-py (exp:2026-07-22)" Test completed successfully with no errors -rw-r--r-- 1 root system 1649 May 31 10:12 /home/root/testroot.pgp #### Test 3 ##### ---------Test is successful but giving some error ->Created file name "testehpadm" in ehpadm home directory -rw-r--r-- 1 ehpadm sapsys 6 May 31 10:06 /home/ehpadm/testehpadm -> Changed the owner of "random seed" file to root so that ehpadm can not write to random_seed file -rw------- 1 root system 0 May 31 10:00 /home/ehpadm/.gnupg/random_seed -> Invoke GPG progrma using below command /opt/freeware/gnupg/bin/gpg -v -u cxcxmxmt-py -se --armor --output /home/ehpadm/testehpadm.pgp -r HSBCnet******2020-07-20 --trust-model always /home/ehpadm/testehpadm -> Output of command gpg: using subkey B6BC9FE5 instead of primary key D8F5ECAE gpg: No trust check due to `--trust-model always' option File `/home/ehpadm/testehpadm.pgp' exists. Overwrite? (y/N) y gpg: writing to `/home/ehpadm/testehpadm.pgp' gpg: can't open `/home/ehpadm/.gnupg/random_seed': Permission denied gpg: RSA/AES256 encrypted for: "B6BC9FE5 HSBCnet******2020-07-20" gpg: RSA/SHA1 signature from: "5FBFB2DF cxcxmxmt-py (exp:2026-07-22)" gpg: note: random_seed file not updated -> command is exiting successfully , but below errors are coming gpg: can't open `/home/ehpadm/.gnupg/random_seed': Permission denied gpg: note: random_seed file not updated Encrypted file is generated -rw-r--r-- 1 ehpadm sapsys 1654 May 31 10:25 /home/ehpadm/testehpadm.pgp So when we have original random seed file in home directory of ehpadm user, gpg encryption program is not working and when we change the owner of this file and make root as the owner gpg is bypassing this file and it generated the encypted file with below error as in TEST 3 gpg: can't open `/home/ehpadm/.gnupg/random_seed': Permission denied gpg: note: random_seed file not updated Regards, ANKIT BHARDWAJ SME - AIX Mobile: 91-9000-146341 IBM E-mail: ankit.bhardwaj3 at in.ibm.com From: Carlos Alberto Moreno Torres/Mexico/Contr/IBM To: Ankit Bhardwaj5/India/IBM at IBMIN Cc: "Juan Carlos Garcia" , Srinivas Masetty/India/IBM at IBMIN, Ajay B Challa/India/IBM at IBMIN, Samuel Ramos Javier/Mexico/IBM at IBMMX, "Samuel Mizrain Ramos Javier" , Ivan Fernando Montes de Oca Tavera/Mexico/Contr/IBM at IBMMX Date: 05/31/2016 07:11 PM Subject: Fw: GnuPG - Encryption process issues. Hi Ankit, Please confirm if information provided by GnuPG Support Team lead us to a specific Root Cause or if more details are required, since issue can occur again, generating another RCA with higher visibility. Thanks in advance. Carlos A. Moreno Torres Problem Management | CEMEX Global Technology Services | IBM Corporation Office:?(+52-81) 8328-5251 IBM E-mail:?cmorenot at mx1.ibm.com Av. Constituci?n No. 444 Pte. IBM @ CEMEX Collaboration HUB: ibm.biz/Bdx93b Monterrey, NL 64000 M?xico ----- Forwarded by Carlos Alberto Moreno Torres/Mexico/Contr/IBM on 05/31/2016 08:36 AM ----- From: Carlos Alberto Moreno Torres/Mexico/Contr/IBM To: "Juan Carlos Garcia" , Juan Carlos Garcia Dominguez/Mexico/Contr/IBM at IBMMX, Ankit Bhardwaj5/India/IBM at IBMIN Cc: Samuel Ramos Javier/Mexico/IBM at IBMMX, "Samuel Mizrain Ramos Javier" , Ivan Fernando Montes de Oca Tavera/Mexico/Contr/IBM at IBMMX Date: 05/27/2016 03:05 PM Subject: Fw: GnuPG - Encryption process issues. FYI Carlos A. Moreno Torres Problem Management | CEMEX Global Technology Services | IBM Corporation Office:?(+52-81) 8328-5251 IBM E-mail:?cmorenot at mx1.ibm.com Av. Constituci?n No. 444 Pte. IBM @ CEMEX Collaboration HUB: ibm.biz/Bdx93b Monterrey, NL 64000 M?xico ----- Forwarded by Carlos Alberto Moreno Torres/Mexico/Contr/IBM on 05/27/2016 03:04 PM ----- From: Daniel Kahn Gillmor To: Carlos Alberto Moreno Torres/Mexico/Contr/IBM at IBMMX, gnupg-users at gnupg.org Date: 05/27/2016 10:32 AM Subject: Re: GnuPG - Encryption process issues. On Tue 2016-05-24 16:09:21 -0400, Carlos Alberto Moreno Torres wrote: > In recent days, Human Resources Department had some issues while using the > Encryption Program GnuPG in payroll activities, this issue caused a delay > since files where encrypted but information was in blank (like if > encryption process did not finish.) > > As part of remediation process, we found out that it could only work with > Root Permissions but not with the current user. We want to confirm how does > the encryption process works and if you can share any thoughts of what > might could happen. If you require more information, please do not hesitate > to ask me. It sounds to me like the installation of gnupg that you are using is misconfigured. GnuPG depends heavily on a "keyring" -- a collection of public key material (and sometimes private key material, if decryption or signing is needed), which it maintains in the .gnupg directory within the running user's home directory (found by the environment variable $HOME). If you've started with a normal user account, but have then run gnupg as root (e.g. using "su") without resetting $HOME to root's actual homedir (usually /root on the systems i use), then it's possible that you've created ~/.gnupg with the wrong permissions. Or, it's possible that the .gnupg directory is *only* available within root's homedir. Does your non-privileged user have a ~/.gnupg directory? if so, does it have read and write access to it? What error messages do you get from invoking gpg directly? --dkg -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0E326634.gif Type: image/gif Size: 2022 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: graycol.gif Type: image/gif Size: 105 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/octet-stream Size: 966 bytes Desc: not available URL: From ankit.bhardwaj3 at in.ibm.com Wed Jun 8 18:41:27 2016 From: ankit.bhardwaj3 at in.ibm.com (Ankit Bhardwaj5) Date: Wed, 8 Jun 2016 22:11:27 +0530 Subject: Fw: GnuPG - Encryption process issues. In-Reply-To: References: Message-ID: Hello Carlos As i m busy in completing DR checklist, i will try to finish this by today. Regards, ANKIT BHARDWAJ SME - AIX Mobile: 91-9000-146341 E-mail: ankit.bhardwaj3 at in.ibm.com From: Carlos Alberto Moreno Torres/Mexico/Contr/IBM To: Ankit Bhardwaj5/India/IBM at IBMIN, Rockey L Das/India/IBM at IBMIN Cc: Daniel Kahn Gillmor , gnupg-users at gnupg.org, Ajay B Challa/India/IBM at IBMIN, Ivan Fernando Montes de Oca Tavera/Mexico/Contr/IBM at IBMMX, "Juan Carlos Garcia" , Samuel Ramos Javier/Mexico/IBM at IBMMX, "Samuel Mizrain Ramos Javier" , Srinivas Masetty/India/IBM at IBMIN Date: 06/08/2016 10:04 PM Subject: Re: Fw: GnuPG - Encryption process issues. Hi Ankit / Ajay, So far we have not received any response, please revert to GnuPG Support Team since client is asking for updates and "Reply to all" in this email. Thanks in advance. Carlos A. Moreno Torres Problem Management | CEMEX Global Technology Services | IBM Corporation Office: (+52-81) 8328-5251 E-mail: cmorenot at mx1.ibm.com IBM @ CEMEX Collaboration HUB: ibm.biz/Bdx93b Av. Constituci?n No. 444 Pte. Monterrey, NL 64000 M?xico From: Carlos Alberto Moreno Torres/Mexico/Contr/IBM To: Ankit Bhardwaj5/India/IBM at IBMIN, Daniel Kahn Gillmor , gnupg-users at gnupg.org Cc: Ajay B Challa/India/IBM at IBMIN, Ivan Fernando Montes de Oca Tavera/Mexico/Contr/IBM at IBMMX, "Juan Carlos Garcia" , Samuel Ramos Javier/Mexico/IBM at IBMMX, "Samuel Mizrain Ramos Javier" , Srinivas Masetty/India/IBM at IBMIN Date: 06/06/2016 12:34 PM Subject: Re: Fw: GnuPG - Encryption process issues. Hi Ankit, Below is the response from GnuPG support, please let us know if this can provide us the specific Root Cause. Please reply to all and direct email to GnuPG Team if you have any questions for them. Thanks in advance. Also, do not remove any of the participants of this email. Hi Carlos-- Please reply in the original thread, to make it easier for people to follow the discussion. I've added some References: headers back in here so some mailers might merge the threads, but this won't work for everyone. Also, when sharing terminal transcripts, sending mail without unnecessary line-wrapping will make them much easier for your readers to interpret. It looks like you're trying to sign the file (that's what the "-s" part of "-se" means). For whatever reason, the signature itself is likely to be what is failing, and not the encryption. If you drop the signatures in your test (using -e instead of -se) do they all complete cleanly? To be clear: I'm not saying you shouldn't sign at the same time as encrypting, i'm trying to help you narrow down the cause of the problem. I also see you fiddling with the ownership of ~/.gnupg/random_seed -- you really shouldn't need to do that, and ideally each user will control their own random_seed automatically -- you shouldn't be sharing a gnupg home directory between to different user accounts unless you absolutely need to. --dkg [attachment "signature.asc" deleted by Ankit Bhardwaj5/India/IBM] Carlos A. Moreno Torres Problem Management | CEMEX Global Technology Services | IBM Corporation Office: (+52-81) 8328-5251 E-mail: cmorenot at mx1.ibm.com IBM @ CEMEX Collaboration HUB: ibm.biz/Bdx93b Av. Constituci?n No. 444 Pte. Monterrey, NL 64000 M?xico From: Ankit Bhardwaj5/India/IBM To: Carlos Alberto Moreno Torres/Mexico/Contr/IBM at IBMMX Cc: Ajay B Challa/India/IBM at IBMIN, Ivan Fernando Montes de Oca Tavera/Mexico/Contr/IBM at IBMMX, "Juan Carlos Garcia" , Samuel Ramos Javier/Mexico/IBM at IBMMX, "Samuel Mizrain Ramos Javier" , Srinivas Masetty/India/IBM at IBMIN Date: 05/31/2016 10:46 AM Subject: Re: Fw: GnuPG - Encryption process issues. Hello Carlos Please share below information with GPG team i think by seeing the results of test performed by us on system they will able to give us the solution We have tested below things in envirnoment -> Userd Details used in this test root ehpadm Permissions under user "root" -> Directory Permission of root drwx------ 2 root sapsys 4096 May 31 09:39 /home/root/.gnupg -> Files Under /home/root/.gnupg -rw------- 1 root sapsys 1280 Sep 13 2011 trustdb.gpg -rw------- 1 root sapsys 4805 Sep 13 2011 secring.gpg -r-------- 1 root sapsys 9088 Sep 13 2011 gpg.conf -rw------- 1 root sapsys 7438 May 21 2013 pubring.gpg~ -rw------- 1 root sapsys 8557 Nov 8 2013 pubring.gpg -rw------- 1 root sapsys 11 Apr 28 08:44 .#lk200104a8.mxoccsapehpn2.8716480 -rw------- 1 root sapsys 11 Apr 28 08:53 .#lk2000c2c8.mxoccsapehpn2.11141460 -rw------- 1 root sapsys 11 Apr 28 12:00 .#lk200104b8.mxoccsapehpn2.8978598 -rw------- 1 root sapsys 11 Apr 29 08:57 .#lk2000c2c8.mxoccsapehpn2.12911042 -rw------- 1 root sapsys 11 May 2 11:32 .#lk200104b8.mxoccsapehpn2.10748294 -rw------- 1 root sapsys 11 May 2 19:34 .#lk200104b8.mxoccsapehpn2.7471568 -rw------- 1 root sapsys 11 May 2 22:23 .#lk2000c328.mxoccsapehpn2.12058746 -rw------- 1 root sapsys 11 May 2 23:46 .#lk200104b8.mxoccsapehpn2.6750230 -rw------- 1 root sapsys 11 May 3 10:28 .#lk200104b8.mxoccsapehpn2.14221392 -rw------- 1 root sapsys 11 May 3 13:45 .#lk200104b8.mxoccsapehpn2.9240874 -rw------- 1 root sapsys 600 May 31 09:39 random_seed ->Permissions under user "ehpadm" drwx------ 2 ehpadm sapsys 4096 May 31 09:48 /home/ehpadm/.gnupg -> Files Under /home/ehpadm/.gnupg -rw------- 1 ehpadm sapsys 1200 May 3 21:54 trustdb.gpg -rw------- 1 ehpadm sapsys 7438 May 3 21:54 pubring.gpg~ -rw------- 1 ehpadm sapsys 8557 May 3 21:54 pubring.gpg -rw------- 1 ehpadm sapsys 4805 May 3 21:54 secring.gpg -rw------- 1 ehpadm sapsys 11 May 3 22:03 .#lk200104b8.mxoccsapehpn2.6488076 -rw------- 1 ehpadm sapsys 9029 May 4 11:18 gpg.conf -rw------- 1 ehpadm sapsys 11 May 4 13:43 .#lk2000c328.mxoccsapehpn2.6160766 -rw------- 1 ehpadm sapsys 11 May 4 13:55 .#lk2000c328.mxoccsapehpn2.8913004 -rw------- 1 ehpadm sapsys 11 May 4 15:55 .#lk2000c328.mxoccsapehpn2.12976528 -rw------- 1 ehpadm sapsys 11 May 4 17:58 .#lk2000c328.mxoccsapehpn2.10158578 -rw------- 1 ehpadm sapsys 11 May 4 18:06 .#lk2000c328.mxoccsapehpn2.5308674 -rw------- 1 ehpadm sapsys 0 May 31 10:00 random_seed #### Test 1 ##### -------Failed Test ->Created file name "testehpadm" in ehpadm home directory -rw-r--r-- 1 ehpadm sapsys 6 May 31 10:06 /home/ehpadm/testehpadm -> Invoke GPG progrma using below command /opt/freeware/gnupg/bin/gpg -v -u cxcxmxmt-py -se --armor --output /home/ehpadm/testehpadm.pgp -r HSBCnet******2020-07-20 --trust-model always /home/ehpadm/testehpadm -> Output of command gpg: using subkey B6BC9FE5 instead of primary key D8F5ECAE gpg: No trust check due to `--trust-model always' option gpg: writing to `/home/ehpadm/testehpadm.pgp' -> command is not exiting , we have to forecfully kill the command every time and file generated by PGP is zero bytes -rw-r--r-- 1 ehpadm sapsys 0 May 31 10:06 /home/ehpadm/testehpadm.pgp #### Test 2 ##### --------Successful Test ->Created file name "testroot" in root home directory -rw-r--r-- 1 root system 7 May 31 10:11 /home/root/testroot -> Invoke GPG progrma using below command /opt/freeware/gnupg/bin/gpg -v -u cxcxmxmt-py -se --armor --output /home/root/testroot.pgp -r HSBCnet******2020-07-20 --trust-model always /home/root/testroot -> Output of command gpg: using subkey B6BC9FE5 instead of primary key D8F5ECAE gpg: No trust check due to `--trust-model always' option gpg: writing to `/home/root/testroot.pgp' gpg: RSA/AES256 encrypted for: "B6BC9FE5 HSBCnet******2020-07-20" gpg: RSA/SHA1 signature from: "5FBFB2DF cxcxmxmt-py (exp:2026-07-22)" Test completed successfully with no errors -rw-r--r-- 1 root system 1649 May 31 10:12 /home/root/testroot.pgp #### Test 3 ##### ---------Test is successful but giving some error ->Created file name "testehpadm" in ehpadm home directory -rw-r--r-- 1 ehpadm sapsys 6 May 31 10:06 /home/ehpadm/testehpadm -> Changed the owner of "random seed" file to root so that ehpadm can not write to random_seed file -rw------- 1 root system 0 May 31 10:00 /home/ehpadm/.gnupg/random_seed -> Invoke GPG progrma using below command /opt/freeware/gnupg/bin/gpg -v -u cxcxmxmt-py -se --armor --output /home/ehpadm/testehpadm.pgp -r HSBCnet******2020-07-20 --trust-model always /home/ehpadm/testehpadm -> Output of command gpg: using subkey B6BC9FE5 instead of primary key D8F5ECAE gpg: No trust check due to `--trust-model always' option File `/home/ehpadm/testehpadm.pgp' exists. Overwrite? (y/N) y gpg: writing to `/home/ehpadm/testehpadm.pgp' gpg: can't open `/home/ehpadm/.gnupg/random_seed': Permission denied gpg: RSA/AES256 encrypted for: "B6BC9FE5 HSBCnet******2020-07-20" gpg: RSA/SHA1 signature from: "5FBFB2DF cxcxmxmt-py (exp:2026-07-22)" gpg: note: random_seed file not updated -> command is exiting successfully , but below errors are coming gpg: can't open `/home/ehpadm/.gnupg/random_seed': Permission denied gpg: note: random_seed file not updated Encrypted file is generated -rw-r--r-- 1 ehpadm sapsys 1654 May 31 10:25 /home/ehpadm/testehpadm.pgp So when we have original random seed file in home directory of ehpadm user, gpg encryption program is not working and when we change the owner of this file and make root as the owner gpg is bypassing this file and it generated the encypted file with below error as in TEST 3 gpg: can't open `/home/ehpadm/.gnupg/random_seed': Permission denied gpg: note: random_seed file not updated Regards, ANKIT BHARDWAJ SME - AIX Mobile: 91-9000-146341 E-mail: ankit.bhardwaj3 at in.ibm.com From: Carlos Alberto Moreno Torres/Mexico/Contr/IBM To: Ankit Bhardwaj5/India/IBM at IBMIN Cc: "Juan Carlos Garcia" , Srinivas Masetty/India/IBM at IBMIN, Ajay B Challa/India/IBM at IBMIN, Samuel Ramos Javier/Mexico/IBM at IBMMX, "Samuel Mizrain Ramos Javier" , Ivan Fernando Montes de Oca Tavera/Mexico/Contr/IBM at IBMMX Date: 05/31/2016 07:11 PM Subject: Fw: GnuPG - Encryption process issues. Hi Ankit, Please confirm if information provided by GnuPG Support Team lead us to a specific Root Cause or if more details are required, since issue can occur again, generating another RCA with higher visibility. Thanks in advance. Carlos A. Moreno Torres Problem Management | CEMEX Global Technology Services | IBM Corporation Office: (+52-81) 8328-5251 E-mail: cmorenot at mx1.ibm.com IBM @ CEMEX Collaboration HUB: ibm.biz/Bdx93b Av. Constituci?n No. 444 Pte. Monterrey, NL 64000 M?xico ----- Forwarded by Carlos Alberto Moreno Torres/Mexico/Contr/IBM on 05/31/2016 08:36 AM ----- From: Carlos Alberto Moreno Torres/Mexico/Contr/IBM To: "Juan Carlos Garcia" , Juan Carlos Garcia Dominguez/Mexico/Contr/IBM at IBMMX, Ankit Bhardwaj5/India/IBM at IBMIN Cc: Samuel Ramos Javier/Mexico/IBM at IBMMX, "Samuel Mizrain Ramos Javier" , Ivan Fernando Montes de Oca Tavera/Mexico/Contr/IBM at IBMMX Date: 05/27/2016 03:05 PM Subject: Fw: GnuPG - Encryption process issues. FYI Carlos A. Moreno Torres Problem Management | CEMEX Global Technology Services | IBM Corporation Office: (+52-81) 8328-5251 E-mail: cmorenot at mx1.ibm.com IBM @ CEMEX Collaboration HUB: ibm.biz/Bdx93b Av. Constituci?n No. 444 Pte. Monterrey, NL 64000 M?xico ----- Forwarded by Carlos Alberto Moreno Torres/Mexico/Contr/IBM on 05/27/2016 03:04 PM ----- From: Daniel Kahn Gillmor To: Carlos Alberto Moreno Torres/Mexico/Contr/IBM at IBMMX, gnupg-users at gnupg.org Date: 05/27/2016 10:32 AM Subject: Re: GnuPG - Encryption process issues. On Tue 2016-05-24 16:09:21 -0400, Carlos Alberto Moreno Torres wrote: > In recent days, Human Resources Department had some issues while using the > Encryption Program GnuPG in payroll activities, this issue caused a delay > since files where encrypted but information was in blank (like if > encryption process did not finish.) > > As part of remediation process, we found out that it could only work with > Root Permissions but not with the current user. We want to confirm how does > the encryption process works and if you can share any thoughts of what > might could happen. If you require more information, please do not hesitate > to ask me. It sounds to me like the installation of gnupg that you are using is misconfigured. GnuPG depends heavily on a "keyring" -- a collection of public key material (and sometimes private key material, if decryption or signing is needed), which it maintains in the .gnupg directory within the running user's home directory (found by the environment variable $HOME). If you've started with a normal user account, but have then run gnupg as root (e.g. using "su") without resetting $HOME to root's actual homedir (usually /root on the systems i use), then it's possible that you've created ~/.gnupg with the wrong permissions. Or, it's possible that the .gnupg directory is *only* available within root's homedir. Does your non-privileged user have a ~/.gnupg directory? if so, does it have read and write access to it? What error messages do you get from invoking gpg directly? --dkg -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/gif Size: 2022 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/gif Size: 2022 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/gif Size: 2022 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/gif Size: 2022 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/gif Size: 2022 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/gif Size: 2022 bytes Desc: not available URL: From alexandrefranklin1 at gmail.com Thu Jun 9 07:18:46 2016 From: alexandrefranklin1 at gmail.com (Alex Franklin) Date: Thu, 9 Jun 2016 12:18:46 +0700 Subject: Installing gnupg Message-ID: Hi I don't know how to install the pgp software. I have downloaded the tarball and signature from the website. I have OSX El Capitan. I have terminal open but it is not clear as to what I need to do, what I need to type in to Terminal. Please help? Alex -------------- next part -------------- An HTML attachment was scrubbed... URL: From samir at samirnassar.com Thu Jun 9 09:47:43 2016 From: samir at samirnassar.com (Samir Nassar) Date: Thu, 9 Jun 2016 09:47:43 +0200 Subject: Installing gnupg In-Reply-To: References: Message-ID: <2f8a52a0-6f18-961f-abef-f6e58b6f40ff@samirnassar.com> On 06/09/2016 07:18 AM, Alex Franklin wrote: > I don't know how to install the pgp software. I have downloaded the tarball > and signature from the website. I have OSX El Capitan. I have terminal open > but it is not clear as to what I need to do, what I need to type in to > Terminal. A small point of clarification. There is software called PGP, but this is the user mailing list for GnuPG also known as GPG, which implements PGP. There are several ways of gettings GnuPG for OS X: A comprehensive guide to install GnuPG and configuring Thunderbird and Enigmail is here: https://ssd.eff.org/en/module/how-use-pgp-mac-os-x If you look at the gnupg download page: https://www.gnupg.org/download/ note the section called binary downloads. This is most likely what you are looking for there are two options for getting GnuPG installed. If this information does not help you, please let share in more detail what you are trying to accomplish. -- Samir Nassar web: samirnassar.com email: samir at samirnassar.com PGP: pgp.samirnassar.com -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Thu Jun 9 09:14:33 2016 From: wk at gnupg.org (Werner Koch) Date: Thu, 09 Jun 2016 09:14:33 +0200 Subject: Fw: GnuPG - Encryption process issues. In-Reply-To: <20160606173412.0E0356A03F@b03ledav003.gho.boulder.ibm.com> (Carlos Alberto Moreno Torres's message of "Mon, 6 Jun 2016 12:34:04 -0500") References: <20160606173412.0E0356A03F@b03ledav003.gho.boulder.ibm.com> Message-ID: <877fdyx292.fsf@wheatstone.g10code.de> On Mon, 6 Jun 2016 19:34, cmorenot at mx1.ibm.com said: > Below is the response from GnuPG support, please let us know if this can > provide us the specific Root Cause. Please reply to all and direct email to > GnuPG Team if you have any questions for them. Thanks in advance. FWIW, what you call the ?GnuPG support? and ?GnuPG Team? is a public mailing list of GnuPG users: GnuPG user help mailing list. The topic of this is list is help and discussion among users of GnuPG. This includes questions on how to script GnuPG, how to create or sign keys and general discussion on encryption and digital signatures as long as it somehow pertains to GnuPG. The contents of all messages sent to this mailing list is assumed to be in the public domain. Please write only in English, avoid top posting and strip quotes to the necessary minimum. Postings by subscribers are not moderated; postings from non-subscribers are held for approval but there is no guarantee that the moderator can approve them in time; they may even be dropped. Some kinds of postings will not be accepted: e.g. large ones, mails without the list name in the To: or CC: header and HTML mails. Your mail client does have an option to send plain text only messages; try this if you don't get your posting through or notice it in the archive. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. /* EFH in Erkrath: https://alt-hochdahl.de/haus */ From pete at heypete.com Thu Jun 9 09:24:52 2016 From: pete at heypete.com (Pete Stephenson) Date: Thu, 9 Jun 2016 09:24:52 +0200 Subject: Installing gnupg In-Reply-To: References: Message-ID: On Jun 9, 2016 09:15, "Alex Franklin" wrote: > > Hi > > I don't know how to install the pgp software. I have downloaded the tarball and signature from the website. I have OSX El Capitan. I have terminal open but it is not clear as to what I need to do, what I need to type in to Terminal. > > Please help? Hi Alex, The tarball is for if you want to compile GnuPG from source. This is probably not what you want to do. The GPGtools project has a nice, easy-to-use installer for GPG on OS X. Their site is at https://gpgtools.org Cheers! -Pete -------------- next part -------------- An HTML attachment was scrubbed... URL: From pete at heypete.com Thu Jun 9 09:24:54 2016 From: pete at heypete.com (Pete Stephenson) Date: Thu, 9 Jun 2016 09:24:54 +0200 Subject: Installing gnupg In-Reply-To: References: Message-ID: On Jun 9, 2016 09:15, "Alex Franklin" wrote: > > Hi > > I don't know how to install the pgp software. I have downloaded the tarball and signature from the website. I have OSX El Capitan. I have terminal open but it is not clear as to what I need to do, what I need to type in to Terminal. > > Please help? Hi Alex, The tarball is for if you want to compile GnuPG from source. This is probably not what you want to do. The GPGtools project has a nice, easy-to-use installer for GPG on OS X. Their site is at https://gpgtools.org Cheers! -Pete -------------- next part -------------- An HTML attachment was scrubbed... URL: From ben at adversary.org Tue Jun 7 07:30:05 2016 From: ben at adversary.org (Ben McGinnes) Date: Tue, 7 Jun 2016 15:30:05 +1000 Subject: GNUPG Issues. In-Reply-To: <06927470d34f44739fdd2393091b1a8e@PUNITPMBX33.ad.infosys.com> References: <06927470d34f44739fdd2393091b1a8e@PUNITPMBX33.ad.infosys.com> Message-ID: <20160607053005.GA81949@adversary.org> On Thu, May 05, 2016 at 04:39:30AM +0000, Mrityunjay Kumar03 wrote: > Hi Team, > > On my application server GPG 1.2.1 is being used. Recently the keys > expired on the server. [SNIP] > Could anyone please help. As Robert said, nope, but this made my day ... and here's why ... > Server version being used is Solaris 8. Uh-huh ... > ECSADMC - Telstra > AUTOCAT & INOSS Support So what you're actually saying is you've already tried calling the one part of Sun/Oracle which provides support even to EOL and EOSL software and hardware; the team which will literally bend over backwards for the third biggest hardware customer globally (or as we used to say, would bend over and shake Telstra by the fist). Yet you've managed to do something so completely and utterly against all recommendations and specifications that even that team has said, "nope, you're gonna have to upgrade, there is *nothing* that can be done." Yet some middle manager has thrown a tantrum and said "it must work the way it was when it was first deployed" (probably when Telstra was still called Telecom Australia). So you guys at Infosys thought, "hey, let's get the open source community to do for free what Sun won't do even at $10,000,000 per year (not counting actual hw and sw purchases)." You thought *that* would be a good idea? Let me guess, you also thought no one would realise what was really going on too, right? You mislabeled this thread, this isn't a GnuPG issue, it's not even a Sun/Oracle issue. No, this is entirely a *Telstra* issue and they've made it an InfoSys issue (probably because Frontline and IBM had better sense too). Regards, Ben -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 630 bytes Desc: not available URL: From jonas.hedman at fripost.org Thu Jun 9 13:47:14 2016 From: jonas.hedman at fripost.org (Jonas Hedman) Date: Thu, 9 Jun 2016 13:47:14 +0200 Subject: Fw: GnuPG - Encryption process issues. In-Reply-To: References: Message-ID: <20160609114713.GA8253@bruce> On 16-06-08 22:11:27, Ankit Bhardwaj5 wrote: > Hello Carlos > > As i m busy in completing DR checklist, i will try to finish this by > today. You know this is a public mailing list, right? From michael at fladi.at Thu Jun 9 13:09:49 2016 From: michael at fladi.at (Michael Fladischer) Date: Thu, 9 Jun 2016 13:09:49 +0200 Subject: Forwarding scdaemon over SSH - is it possible? Message-ID: Hi, some months ago I bought a Yubikey Neo 4 to store my private key on. It works perfect with GnuPG on my local Laptop. Now I would like to sign some files with my key on a remote server (build machine). I'm logged in there over SSH and I tried forwarding the unix domain socket from scdaemon over the relatively new SSH-unix-domain-socket-forwaring feature like this: ssh my.server.com -R ~/.gnupg/S.scdaemon:~/.gnupg/S.scdaemon So far this works as it creates a socket on the server at ~/.gnupg/S.scdaemon. If I now try to test it this happens: $ gpg2 --card-status gpg: error getting version from 'scdaemon': No SmartCard daemon gpg: OpenPGP card not available: No SmartCard daemon It seems that just forwarding the socket is not enough and gpg2 wants an actually running scdaemon o the server. Does anyone have an idea how i could trick gpg2 into using my socket to talk to my local scdaemon? Cheers, -- Michael Fladischer Fladi.at -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP digital signature URL: From peter at digitalbrains.com Thu Jun 9 14:30:53 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 9 Jun 2016 14:30:53 +0200 Subject: Fw: GnuPG - Encryption process issues. In-Reply-To: <20160606173412.0E0356A03F@b03ledav003.gho.boulder.ibm.com> References: <20160606173412.0E0356A03F@b03ledav003.gho.boulder.ibm.com> Message-ID: <5759617D.2090503@digitalbrains.com> On 06/06/16 19:34, Carlos Alberto Moreno Torres wrote: > Please reply to all and direct email > to GnuPG Team if you have any questions for them. Thanks in advance. > > Also, do not remove any of the participants of this email. This turns out to be a problem. When including all recipients, the message to the mailing list is held for manual moderator approval: > The reason it is being held: > > Too many recipients to the message So I would suggest to solve the problem of including all intended recipients differently. A suggestion would be to have one person communicate on the gnupg-users mailing list, and keep the rest of the discourse internal to your company. Apart from the delay, moderator approval takes valuable time of the human moderator. Cheers, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From peter at digitalbrains.com Thu Jun 9 14:36:11 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 9 Jun 2016 14:36:11 +0200 Subject: Forwarding scdaemon over SSH - is it possible? In-Reply-To: References: Message-ID: <575962BB.8000801@digitalbrains.com> On 09/06/16 13:09, Michael Fladischer wrote: > Does anyone have an idea how i could trick gpg2 into using my socket to > talk to my local scdaemon? This sounds like a job for our new superhero the --extra-socket option that gpg-agent gained recently. It is meant for forwarding agent connections to remote hosts. The local agent will then create an scdaemon process to communicate to your smartcard. Think well on the security implications of letting the remote machine access your locally installed private keys. Do you fully trust the machine and anyone with access to the socket on the remote machine? HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From rjh at sixdemonbag.org Thu Jun 9 17:11:13 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 9 Jun 2016 11:11:13 -0400 Subject: Installing gnupg In-Reply-To: References: Message-ID: <5e80af19-c7f8-742d-2d32-787fb5d2e499@sixdemonbag.org> > I have OSX El Capitan. GPGOSX provides a newer version of GnuPG than GPGTools does: https://sourceforge.net/projects/gpgosx/ From junkemail at paulapplegate.com Thu Jun 9 16:20:47 2016 From: junkemail at paulapplegate.com (Paul Applegate) Date: Thu, 9 Jun 2016 14:20:47 +0000 (UTC) Subject: Installing gnupg In-Reply-To: References: Message-ID: <7741AE95D535261B.97E023E2-5809-455F-A9DE-6F7E964CD22A@mail.outlook.com> Your best bet is to use one of these two builds.?The first is using the Modern version. The second uses the older version. The second one also has more options such as a keychain and integration with mail.? https://sourceforge.net/projects/gpgosx/ https://gpgtools.org On Thu, Jun 9, 2016 at 3:14 AM -0400, "Alex Franklin" wrote: Hi I don't know how to install the pgp software. I have downloaded the tarball and signature from the website. I have OSX El Capitan. I have terminal open but it is not clear as to what I need to do, what I need to type in to Terminal. Please help? Alex -------------- next part -------------- An HTML attachment was scrubbed... URL: From peter at digitalbrains.com Thu Jun 9 19:50:25 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 9 Jun 2016 19:50:25 +0200 Subject: Configuration hints for using gnupg (2.0.x) interchangeably with graphical frontend and in the terminal In-Reply-To: References: Message-ID: <5759AC61.8000807@digitalbrains.com> On 01/06/16 21:36, Bjoern Kahl wrote: > Currently, whenever Enigmail needs a passphrase, it throws up a popup > window (actually, it runs gpg, which runs the agent, which runs > pinentry-mac, which throws up the window) _somewhere_: sometimes on > the screen I am looking at, sometimes on another physical screen, > sometimes hidden behind other windows, sometimes in the front. That's odd, I don't know pinentry-mac, but pinentry-gtk is always fully on top. It's so much on top that you can't use any other window while it's active. It would require the option "no-grab" to prevent it from fully taking over the screen. Do you perhaps have that option or something equivalent configured in gpg-agent.conf? As for which display it pops up on... on an X11 server, it will use the X display the request is coming from, but an X display may consist of several physical screens. Since my two screens are next to each other, I really can't tell you if it pops up on the same physical screen. I suspect it might not, since it probably only communicates the contents of the DISPLAY environment variable to the agent. > When using gpg in the terminal originally the same happened: Some > random window popping up at some random spot on some random monitor. > > Even worse, when logging in through SSH, it throw up a pin entry > window on the locked graphical session idling on the remote machine > instead of in the terminal I am working in. Now that is something that definitely should not be happening. That's odd. It's a pity I know nothing about Macs, so I can't directly help you. But this does not happen here on Linux. When you invoke gpg on a terminal and that gpg needs a pinentry, it tells the agent on which tty it is and what its DISPLAY environment variable is. When you use SSH, this will not set a DISPLAY variable by default, so you'll get a text pinentry on the text terminal you run SSH on. If you use X forwarding, it will do the correct thing and set an appropriate DISPLAY and set up access control, after which you'll get the pinentry on the system you're SSH'ing from. Only if you misconfigure SSH and force it to pass through the DISPLAY environment variable, would such a thing as you describe happen. In that case, your DISPLAY variable is probably ":0", and it will contact the first local X server, which will be the wrong one, as "local" is interpreted wrongly. > Partial solution tried: > > I created a second gpg-agent.conf named "gpg-agent-term.conf" and > configured the first to run pinentry-mac and the latter to run > pinentry-curses. This really shouldn't be necessary. The only thing where you normally need to watch out is with the SSH agent support, which has no means to communicate invoking tty and graphical display. But when you're just using gpg, it should do the correct thing out-of-the-box, and you need no configuration for using gnupg (2.0.x) interchangeably with graphical frontend and in the terminal (your title :). > Searching through > all my shells where the passphrase dialogue appeared is annoying. Yes, that is *very* annoying. > - Whenever I run gpg in a terminal, it will ask me for my passphrase > in exactly that terminal where I am interacting with it and expect > the prompt? I.e. on that TTY that is the controlling TTY of the > gpg process I am interacting with? That's exactly what should happen by default. Well, at least on the same graphical environment as the terminal emulator if you're using one. > - Is there a way to have a single agent (with a single config file, > so I can start it at first login and have it available in all > terminals/shells and programs (e.g. Thunderbird) started from there) > but still a graphical passphrase in programs which (no longer) have > StdIn connected to a terminal or don't have a controlling TTY; and > have a plain prompt in the terminal for programs that run in a > terminal? I think the priority is different: it will prefer graphical, and only when that is deemed not available, fall back to text on the controlling tty. If that is not available either, I think it will give up and error out. When I say it will prefer graphical, then I mean the graphical environment the terminal emulator is running in, not just any environment. Certainly not on a different system. Of course, if you multi-display a single "screen" terminal session, it might go haywire as any X application would, since it would pick the DISPLAY from the "screen" session that started it. Do you have any non-default configuration set? Again, it's a pity I know nothing of Macs. I don't even know how MacOS communicates the fact that there is a graphical display available. AFAIK, using X11 is just a compatibility feature thing, not the main method to talk to the graphical environment on OS X, so it's probably not through the DISPLAY environment variable? However, I haven't seen anyone with actual knowledge of the topic reply to you yet, so I thought I'd give you what I do know, HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From peter at digitalbrains.com Thu Jun 9 20:27:38 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 9 Jun 2016 20:27:38 +0200 Subject: Fw: GnuPG - Encryption process issues. In-Reply-To: <20160531155752.6F78512404E@b01ledav002.gho.pok.ibm.com> References: <20160531155752.6F78512404E@b01ledav002.gho.pok.ibm.com> Message-ID: <5759B51A.9050708@digitalbrains.com> > -> Files Under /home/ehpadm/.gnupg > > -rw------- 1 ehpadm sapsys 1200 May 3 21:54 trustdb.gpg > -rw------- 1 ehpadm sapsys 7438 May 3 21:54 pubring.gpg~ > -rw------- 1 ehpadm sapsys 8557 May 3 21:54 pubring.gpg > -rw------- 1 ehpadm sapsys 4805 May 3 21:54 secring.gpg > -rw------- 1 ehpadm sapsys 11 May 3 22:03 .#lk200104b8.mxoccsapehpn2.6488076 > -rw------- 1 ehpadm sapsys 9029 May 4 11:18 gpg.conf > -rw------- 1 ehpadm sapsys 11 May 4 13:43 .#lk2000c328.mxoccsapehpn2.6160766 > -rw------- 1 ehpadm sapsys 11 May 4 13:55 .#lk2000c328.mxoccsapehpn2.8913004 > -rw------- 1 ehpadm sapsys 11 May 4 15:55 > .#lk2000c328.mxoccsapehpn2.12976528 > -rw------- 1 ehpadm sapsys 11 May 4 17:58 > .#lk2000c328.mxoccsapehpn2.10158578 > -rw------- 1 ehpadm sapsys 11 May 4 18:06 .#lk2000c328.mxoccsapehpn2.5308674 > -rw------- 1 ehpadm sapsys 0 May 31 10:00 random_seed Note this last line. There is a file /named/ random_seed, but it's not doing its purpose. The file random_seed is used to store some randomness to carry it over from one invocation to the next. This file is empty; it contains no data, and hence no randomness. First of all, you can happily delete this file. It's useless in its current state, and GnuPG will generate a new one. I did a quick look at the code, and stopped looking when the code detecting an empty random_seed file was at least there in the year 2000 (commit 7438612 of libgcrypt). This case should be handled gracefully. But still, it seems to work for you when you block access to this file, right? Why not delete it. Although I suspect you may have tried it already. Coming to speak of moments something was introduced, I don't think you ever mentioned which version of GnuPG you're using. Could you please tell us? HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From dkg at fifthhorseman.net Thu Jun 9 21:59:27 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 09 Jun 2016 15:59:27 -0400 Subject: How to convert (ancient) key in "version 2" to more modern "version 4" format? In-Reply-To: <4bc3d15a-523e-03ce-c7b6-ed19de66551c@bjoern-kahl.de> References: <80d0245c-8dcf-af94-0682-4effcc10496e@bjoern-kahl.de> <87h9dormnj.fsf@wheatstone.g10code.de> <39be5242-d86e-b6a4-a24a-1e07a7475c54@hammernoch.net> <4bc3d15a-523e-03ce-c7b6-ed19de66551c@bjoern-kahl.de> Message-ID: <874m92dtgg.fsf@alice.fifthhorseman.net> Hi Bjoern-- On Sat 2016-05-28 18:04:13 -0400, Bjoern Kahl wrote: > Because I have *tons* of mails (and other archived data files) that > have been signed and / or encrypted with such keys and I (I have to > use such a strong word here) *insist* on being able to continue to > read these mails and files whenever the need arises. So there are two things you might want to do with these mails: verify their signatures and decrypt them. Right? Is it possible that signature verification for old (likely weak, and quite possibly compromised) keys isn't relevant? If so, then the problem space becomes focused on decryption. I think there are serious usability risks to providing live decryption capability for *new* material that is sent encrypted to known-weak keys, but i can understand the use case you describe. Perhaps the better approach is to have a one-time tool that can either (a) translate your encrypted messages into a newer encrypted form (e.g. replacing the PKESK packets with ones encrypted to a newer, stronger key), or (b) extracting the session key from the encrypted object and storing it in a separate lookup table, so that the old secret key isn't relevant any longer. Either of these approaches would also be useful to people who want to destroy their old secret key material without losing access to their data, while making it harder for people to start interacting with bad/old keys. --dkg From peter at digitalbrains.com Thu Jun 9 14:17:17 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 9 Jun 2016 14:17:17 +0200 Subject: Fw: GnuPG - Encryption process issues. In-Reply-To: References: Message-ID: <57595E4D.9020500@digitalbrains.com> Hello all, Since I'm afraid that the message written by Jonas might not be read, as it is posted solely on the mailing list, let me quote him here and expand on it: On 09/06/16 13:47, Jonas Hedman wrote: > On 16-06-08 22:11:27, Ankit Bhardwaj5 wrote: >> Hello Carlos >> >> As i m busy in completing DR checklist, i will try to finish this by >> today. > > > You know this is a public mailing list, right? My own addition to this is: a public mailing list with a few rules. Among them are: > Please write only in English, avoid top posting > and strip quotes to the necessary minimum. Could you please not top post and trim your quotes? Cheers, Peter. PS: Just to clear up any possible confusion, I am not affiliated with GnuPG nor part of any "Team". I'm just a private individual posting to a mailing list for GnuPG users. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From m.kaufmann at infotech.li Thu Jun 9 15:29:49 2016 From: m.kaufmann at infotech.li (Mike Kaufmann) Date: Thu, 9 Jun 2016 13:29:49 +0000 Subject: WINDOWS - Adding passphrase to gpg via command line Message-ID: <1B92CD52D917D24A8B33D05C14D1E91B6BA03ECE@it-serverV01.intern.infotech.li> Hi, Im am using GnuPG v2.1.11.59877 on Windows 10. The utility gpg-preset-passphrase.exe is not available on my system. Is there a location I can download this tool and install on my machine? I would like to use the tool, to set the password on gpg-agent. Regards Mike From gniibe at fsij.org Fri Jun 10 01:03:30 2016 From: gniibe at fsij.org (NIIBE Yutaka) Date: Fri, 10 Jun 2016 08:03:30 +0900 Subject: Forwarding scdaemon over SSH - is it possible? In-Reply-To: References: Message-ID: <5759F5C2.1050600@fsij.org> On 06/09/2016 08:09 PM, Michael Fladischer wrote: > some months ago I bought a Yubikey Neo 4 to store my private key on. It > works perfect with GnuPG on my local Laptop. > > Now I would like to sign some files with my key on a remote server > (build machine). I'm logged in there over SSH and I tried forwarding the > unix domain socket from scdaemon over the relatively new > SSH-unix-domain-socket-forwaring feature like this: > > ssh my.server.com -R ~/.gnupg/S.scdaemon:~/.gnupg/S.scdaemon You don't need to do that. Instead, you need to use forwarding of gpg-agent's socket. Note that it is gpg-agent which gpg frontend connects to, and it is gpg-agent which connects to scdaemon. Once gpg-agent' socket is forwarded, you can access your local scdaemon, like: gpg frontend --> [by forwarded socket] --> [by normal socket] remote your server local gpg-agent local scdaemon It works for me with Gnuk Token, and I don't think it's hardware specific. -- -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 213 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Fri Jun 10 09:51:07 2016 From: wk at gnupg.org (Werner Koch) Date: Fri, 10 Jun 2016 09:51:07 +0200 Subject: WINDOWS - Adding passphrase to gpg via command line In-Reply-To: <1B92CD52D917D24A8B33D05C14D1E91B6BA03ECE@it-serverV01.intern.infotech.li> (Mike Kaufmann's message of "Thu, 9 Jun 2016 13:29:49 +0000") References: <1B92CD52D917D24A8B33D05C14D1E91B6BA03ECE@it-serverV01.intern.infotech.li> Message-ID: <87y46dbhxv.fsf@wheatstone.g10code.de> Hi! On Thu, 9 Jun 2016 15:29, m.kaufmann at infotech.li said: > Im am using GnuPG v2.1.11.59877 on Windows 10. The utility > gpg-preset-passphrase.exe is not available on my system. Is there a > location I can download this tool and install on my machine? I would > like to use the tool, to set the password on gpg-agent. I think that gpg-preset-passpharse is not the right tool and you either should not set a passphrase for the key or use the gpg option --pinentry-mode=loopback. However, I can distribute gpg-preset-passpharse with the next Windows installer (2.1.13) - hopefully next week. There is a workaround, though: gpg-connect-agent 'PRESET_PASSPHRASE -1 ' /bye The is what you would also use with gpg-preset-passphrase. The is, well, you passphrase which needs to be percent-escaped (e.g. "foo far" -> "foo%20bar"). If you do not want to type the passphrase, gpg-connect-agent has a simple script language which can help here. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. /* EFH in Erkrath: https://alt-hochdahl.de/haus */ From fulanoperez at cryptolab.net Fri Jun 10 08:54:25 2016 From: fulanoperez at cryptolab.net (Fulano Diego Perez) Date: Fri, 10 Jun 2016 16:54:25 +1000 Subject: RSA pub-sec pri key pair + ELG enc + RSA sign subkeys + EDDSA/ECDH subkeys -> e-mail familiar RSA/ELG key recipient Message-ID: sender: RSA pub-sec pri key pair + ELG enc + RSA sign subkeys + EDDSA/ECDH subkeys recipient: RSA and/or ELG key recipient sender e-mails recipient sender has in addition to older _non expired_ RSA/ELG subkeys, newer EDDSA/ECDH enc/sign subkeys recipient has familiar RSA pri key and _may_ have newer RSA/ELG enc/sign subkeys recipient has no software support for EDDSA/ECDH will gnupg 2.1.x automatically select the senders' older _non expired_ RSA/ELG subkeys so the recipient can decrypt/verify signed/encrypted email ? is the converse true for the sender for whatever software implementation they use (is this wishful thinking?) - in that their software will not fail after detecting newer incompatible subkeys, and then proceed to select the recipients' older but valid, compatible subkeys ? in other words at this time can gnupg 2.1.x automatically, compatibly operate with both RSA and EDDSA/ECDH keys/subkeys ? is manual subkey override necessary per-recipient ? is there a global default option to allow this scenario with mixed keys without manual intervention ? i did a few tests but not sure about this - the sender gnupg 2.1.12 libgcrypt 1.7.0-beta didnt use its older _non expired_ RSA/ELG subkeys to sign/enc to the recipient with the familiar RSA keypair From ben at adversary.org Fri Jun 10 11:38:04 2016 From: ben at adversary.org (Ben McGinnes) Date: Fri, 10 Jun 2016 19:38:04 +1000 Subject: Installing gnupg In-Reply-To: <5e80af19-c7f8-742d-2d32-787fb5d2e499@sixdemonbag.org> References: <5e80af19-c7f8-742d-2d32-787fb5d2e499@sixdemonbag.org> Message-ID: <20160610093804.GB81133@adversary.org> On Thu, Jun 09, 2016 at 11:11:13AM -0400, Robert J. Hansen wrote: > > I have OSX El Capitan. > > GPGOSX provides a newer version of GnuPG than GPGTools does: > > https://sourceforge.net/projects/gpgosx/ MacPorts usually stays reasonably up to date: bash-4.3$ port search gnupg2 gnupg2 @2.0.29 (mail, security) GNU pretty-good-privacy package gnupg21 @2.1.12 (mail, security) GNU pretty-good-privacy package Found 2 ports. bash-4.3$ Although getting the modern branch (gnupg21) to play nicely with gpgme (and thus gmime as well) requires editing the portfiles for the latter packages to change the dependencies from gnupg2 to gnupg21. Regards, Ben -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 630 bytes Desc: not available URL: From wk at gnupg.org Fri Jun 10 13:45:57 2016 From: wk at gnupg.org (Werner Koch) Date: Fri, 10 Jun 2016 13:45:57 +0200 Subject: AW: WINDOWS - Adding passphrase to gpg via command line In-Reply-To: <1B92CD52D917D24A8B33D05C14D1E91B6BA05A20@it-serverV01.intern.infotech.li> (Mike Kaufmann's message of "Fri, 10 Jun 2016 08:23:38 +0000") References: <1B92CD52D917D24A8B33D05C14D1E91B6BA03ECE@it-serverV01.intern.infotech.li> <87y46dbhxv.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA05A20@it-serverV01.intern.infotech.li> Message-ID: <87ziqt9si2.fsf@wheatstone.g10code.de> On Fri, 10 Jun 2016 10:23, m.kaufmann at infotech.li said: > Gibt es eine M?glichkeit, den KeyGrip aus dem KeyRing z.B. via > --homedir zu ermitteln? Example: $ gpg --with-keygrip --with-fingerprint --with-colons -k 1e42b367 tru:o:1:1465230074:1:3:1:5 pub:f:2048:17:F2AD85AC1E42B367:1199118275:1546232400::f:::scESC::::::: fpr:::::::::80615870F5BAD690333686D0F2AD85AC1E42B367: grp:::::::::44B9E7E287B11C0E033A1A93ECCFDBC6AF7CCFAE: > Oder noch besser den KeyGrip gleich dynamisch im dem von Ihnen > vorgeschlagenen Befehl zu verwenden? No, that is not possible becuase gpg-agent does not know about the OpenPGP protocol. Salam-Shalom, Werner p.s Please stick to English in this list ;-) -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. /* EFH in Erkrath: https://alt-hochdahl.de/haus */ From wk at gnupg.org Fri Jun 10 14:44:49 2016 From: wk at gnupg.org (Werner Koch) Date: Fri, 10 Jun 2016 14:44:49 +0200 Subject: Installing gnupg In-Reply-To: <20160610093804.GB81133@adversary.org> (Ben McGinnes's message of "Fri, 10 Jun 2016 19:38:04 +1000") References: <5e80af19-c7f8-742d-2d32-787fb5d2e499@sixdemonbag.org> <20160610093804.GB81133@adversary.org> Message-ID: <87vb1h9pry.fsf@wheatstone.g10code.de> On Fri, 10 Jun 2016 11:38, ben at adversary.org said: > bash-4.3$ port search gnupg2 > gnupg2 @2.0.29 (mail, security) > GNU pretty-good-privacy package I am a bit disapointed to read this name. GnuPG is the GNU Privacy Guard and not a GNU PGP. PGP and GnuPG implement the same protocol as do several other software does. Tsss, strange Mac world. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. /* EFH in Erkrath: https://alt-hochdahl.de/haus */ From brian at minton.name Fri Jun 10 15:11:30 2016 From: brian at minton.name (Brian Minton) Date: Fri, 10 Jun 2016 09:11:30 -0400 Subject: RSA pub-sec pri key pair + ELG enc + RSA sign subkeys + EDDSA/ECDH subkeys -> e-mail familiar RSA/ELG key recipient In-Reply-To: References: Message-ID: On Fri, Jun 10, 2016, 3:58 AM Fulano Diego Perez > wrote: will gnupg 2.1.x automatically select the senders' older _non expired_ RSA/ELG subkeys so the recipient can decrypt/verify signed/encrypted email ? is the converse true for the sender for whatever software implementation they use (is this wishful thinking?) - in that their software will not fail after detecting newer incompatible subkeys, and then proceed to select the recipients' older but valid, compatible subkeys ? in other words at this time can gnupg 2.1.x automatically, compatibly operate with both RSA and EDDSA/ECDH keys/subkeys ? This is exactly the situation I'm in with my public key, 0424DC19B678A1A9. Here's what gpg2 -K shows: sec rsa4096/0424DC19B678A1A9 2014-10-08 [C] [expires: 2016-10-07] uid [ultimate] Brian Minton > uid [ultimate] Brian Minton > uid [ultimate] Brian Minton > uid [ultimate] [jpeg image of size 5202] uid [ultimate] Brian Minton > uid [ultimate] keybase.io/bjmgeek > ssb nistp384/EA49CFDB55D113E9 2014-10-12 [E] [expires: 2016-10-11] ssb ed25519/37B9507ACFF2016E 2014-10-12 [S] [expires: 2016-10-11] ssb elg3200/28FA8B9659A70692 2016-03-07 [E] [expires: 2016-10-10] ssb elg2048/25353D56E26A744C 2014-10-09 [E] [expires: 2016-10-08] ssb elg2048/32483BAF5EA82613 2014-10-10 [E] [expires: 2016-10-09] ssb dsa2048/6B8EB3A065CFBAA9 2014-10-10 [S] [expires: 2016-10-09] For encryption, people encrypting to you will use whatever key their software can use. If the ECC key is newer, then senders that can use it will by default, while senders that can't will use your ELG key. So, keep both secret keys available and you'll be fine. Note that I have a few extra ELG keys which I keep around just in case I need to decrypt a file that I encrypted with them. There's nothing wrong with them, so I haven't revoked them. However, gpg (and probably other PGP clients will use the newest usable key, so people encrypting to me with gpg2.1 will use EA49CFDB55D113E9 to encrypt, and people using gpg 2.0 and earlier will use 28FA8B9659A70692. For signing, I like to put both key IDs (in my case, ed25519 and DSA) in my gnupg conf file, so signing automatically uses both keys. The trick is to use the key IDs of each subkey with an exclamation point so gnupg takes that specific key. For instance, here are the relevant lines from my ~/.gnupg/gpg.conf-2 file (side note: if you use both gpg 1 and 2 you can use that kind of config file name to have different config files for each version): *local-user 37B9507ACFF2016E! local-user 6B8EB3A065CFBAA9!* The nice thing about this setup is that I don't need to have any sender- or recipient-specific rules. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 343 bytes Desc: OpenPGP digital signature URL: From ben at adversary.org Fri Jun 10 16:30:03 2016 From: ben at adversary.org (Ben McGinnes) Date: Sat, 11 Jun 2016 00:30:03 +1000 Subject: Installing gnupg In-Reply-To: <87vb1h9pry.fsf@wheatstone.g10code.de> References: <5e80af19-c7f8-742d-2d32-787fb5d2e499@sixdemonbag.org> <20160610093804.GB81133@adversary.org> <87vb1h9pry.fsf@wheatstone.g10code.de> Message-ID: <20160610143003.GC81133@adversary.org> On Fri, Jun 10, 2016 at 02:44:49PM +0200, Werner Koch wrote: > On Fri, 10 Jun 2016 11:38, ben at adversary.org said: > >> bash-4.3$ port search gnupg2 >> gnupg2 @2.0.29 (mail, security) >> GNU pretty-good-privacy package > > I am a bit disapointed to read this name. GnuPG is the GNU Privacy > Guard and not a GNU PGP. PGP and GnuPG implement the same protocol as > do several other software does. Tsss, strange Mac world. I have a few gripes with them, including the default config that results in things like: 1. Because GPG 2.0 and 2.1 conflict, GPGME and anything that subsequently depends on it cannot be installed without modification. 2. The incorrect names you mentioned. 3. While there are a couple of variations of config that can be chosen, the variation options do not include enabling support for increased secmem or larger RSA key sizes. OTOH the packages are all sourced from the original projects, so the source code is the tarball from gnupg.org. Unlike, for instance, Homebrew, which uses github as an ad-hoc package management repository and while their GPG sources might not be modified in some dodgy way, there is absolutely no way of knowing without comparing each file line by line with the originals. Since macports does let you modify the configuration parameters by editing the portfile and compile from source, all those issues can be fixed manually, but it's still a little irritating. The obvious "solution" is to skip it and compile GPG from source, but if macports doesn't know about that it gets in the way of things like GMIME (which then gets in the way of running Mutt and so on). I think I might have to wander over to the bug tracker and raise a bug on the names anyway. As for the conflicts between 2.0 and 2.1, that ought to get sorted out once 2.0 goes away, or at least gets EOL'd. Regards, Ben -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 630 bytes Desc: not available URL: From fulanoperez at cryptolab.net Fri Jun 10 17:19:26 2016 From: fulanoperez at cryptolab.net (Fulano Diego Perez) Date: Sat, 11 Jun 2016 01:19:26 +1000 Subject: RSA pub-sec pri key pair + ELG enc + RSA sign subkeys + EDDSA/ECDH subkeys -> e-mail familiar RSA/ELG key recipient In-Reply-To: References: Message-ID: <1219a35c-049c-a3f6-9f3a-c411b31570e6@cryptolab.net> > On Fri, Jun 10, 2016, 3:58 AM Fulano Diego Perez > <fulanoperez at cryptolab.net> wrote: > > will gnupg 2.1.x automatically select the senders' older _non > expired_ RSA/ELG subkeys so the recipient can decrypt/verify > signed/encrypted email ? > > is the converse true for the sender for whatever software > implementation they use (is this wishful thinking?) - in that their > software will not fail after detecting newer incompatible subkeys, > and then proceed to select the recipients' older but valid, > compatible subkeys ? > > in other words at this time can gnupg 2.1.x automatically, > compatibly operate with both RSA and EDDSA/ECDH keys/subkeys ? > > > This is exactly the situation I'm in with my public key, > 0424DC19B678A1A9. > > Here's what gpg2 -K shows: > > sec rsa4096/0424DC19B678A1A9 2014-10-08 [C] [expires: 2016-10-07] > uid [ultimate] Brian Minton > <brian at minton.name> uid > [ultimate] Brian Minton > <bjmgeek at gmail.com> uid > [ultimate] Brian Minton > <bminton at blinkenshell.org> uid > [ultimate] [jpeg image of size 5202] uid [ultimate] > Brian Minton <bminton at freeshell.de> uid > [ultimate] keybase.io/bjmgeek > > ssb > nistp384/EA49CFDB55D113E9 2014-10-12 [E] [expires: 2016-10-11] ssb > ed25519/37B9507ACFF2016E 2014-10-12 [S] [expires: 2016-10-11] ssb > elg3200/28FA8B9659A70692 2016-03-07 [E] [expires: 2016-10-10] ssb > elg2048/25353D56E26A744C 2014-10-09 [E] [expires: 2016-10-08] ssb > elg2048/32483BAF5EA82613 2014-10-10 [E] [expires: 2016-10-09] ssb > dsa2048/6B8EB3A065CFBAA9 2014-10-10 [S] [expires: 2016-10-09] > > For encryption, people encrypting to you will use whatever key their > software can use. If the ECC key is newer, then senders that can use > it will by default, while senders that can't will use your ELG key. > So, keep both secret keys available and you'll be fine. Note that I > have a few extra ELG keys which I keep around just in case I need to > decrypt a file that I encrypted with them. There's nothing wrong > with them, so I haven't revoked them. However, gpg (and probably > other PGP clients will use the newest usable key, so people > encrypting to me with gpg2.1 will use EA49CFDB55D113E9 to encrypt, > and people using gpg 2.0 and earlier will use 28FA8B9659A70692. > > For signing, I like to put both key IDs (in my case, ed25519 and DSA) > in my gnupg conf file, so signing automatically uses both keys. The > trick is to use the key IDs of each subkey with an exclamation point > so gnupg takes that specific key. thanks so much for that tip in the manual of course i missed it > For instance, here are the relevant lines from my > ~/.gnupg/gpg.conf-2 file (side note: if you use both gpg 1 and 2 you > can use that kind of config file name to have different config files > for each version): > > *local-user 37B9507ACFF2016E! local-user 6B8EB3A065CFBAA9!* good call > > The nice thing about this setup is that I don't need to have any > sender- or recipient-specific rules. less headache than per-recipient i agree trade-off for larger signature for me worth it From brian at minton.name Fri Jun 10 21:44:54 2016 From: brian at minton.name (Brian Minton) Date: Fri, 10 Jun 2016 15:44:54 -0400 Subject: RSA pub-sec pri key pair + ELG enc + RSA sign subkeys + EDDSA/ECDH subkeys -> e-mail familiar RSA/ELG key recipient In-Reply-To: <1219a35c-049c-a3f6-9f3a-c411b31570e6@cryptolab.net> References: <1219a35c-049c-a3f6-9f3a-c411b31570e6@cryptolab.net> Message-ID: On Fri, Jun 10, 2016 at 11:19 AM, Fulano Diego Perez < fulanoperez at cryptolab.net> wrote: > > trade-off for larger signature for me worth it > -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Ed25519 and DSA signatures are both small. The resulting ascii signature block with 2 keys is still smaller than most RSA ones seen today. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iF4EARYIAAYFAldbF/sACgkQN7lQes/yAW612wD9FpCk+5cwez9Ewr7G/CRd40Dd OSiG+xOOkkQcNeTCC20A/1d1s9Sj+MkAsIIlxS1pT8hAca9Vg/2ExzTf9t7vKKAK iF4EAREIAAYFAldbF/wACgkQa46zoGXPuqmsEwD/Q5z1Sf9xu/3iObpUIHPHMfKj y45jPQE1du41Hcxr+04A/0b+IMlcWkCzAPBBo38rhJ+leTdGKzh99pt6CdeAjhdr =Ty0P -----END PGP SIGNATURE----- -------------- next part -------------- An HTML attachment was scrubbed... URL: From wk at gnupg.org Fri Jun 10 21:47:52 2016 From: wk at gnupg.org (Werner Koch) Date: Fri, 10 Jun 2016 21:47:52 +0200 Subject: AW: AW: WINDOWS - Adding passphrase to gpg via command line In-Reply-To: <1B92CD52D917D24A8B33D05C14D1E91B6BA06197@it-serverV01.intern.infotech.li> (Mike Kaufmann's message of "Fri, 10 Jun 2016 12:18:33 +0000") References: <1B92CD52D917D24A8B33D05C14D1E91B6BA03ECE@it-serverV01.intern.infotech.li> <87y46dbhxv.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA05A20@it-serverV01.intern.infotech.li> <87ziqt9si2.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA06197@it-serverV01.intern.infotech.li> Message-ID: <87a8isakrb.fsf@wheatstone.g10code.de> On Fri, 10 Jun 2016 14:18, m.kaufmann at infotech.li said: > There are also many articles on the net that describe to add --allow-preset-passphrase to the file gpg-agent.conf. > On my Windows 10 system I can't find such a file. Can I create an You need to create it in the homedir. gpg --versions shows the homedir, or use gpgconf --list-dirs which also has a homedir line. Then go to that directory, and put a the lines verbose allow-preset-passphrase into a file named gpg-agent.conf. (verbose is not really needed but might be helpful). Then kill gpg-agent : gpgconf --kill gpg-agent and things should work. > You've mentioned the --pinentry-mode-lookback. > Could you give me some advice howto to use this option? I leave that to others ;-) Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. /* EFH in Erkrath: https://alt-hochdahl.de/haus */ From m.kaufmann at infotech.li Fri Jun 10 10:23:38 2016 From: m.kaufmann at infotech.li (Mike Kaufmann) Date: Fri, 10 Jun 2016 08:23:38 +0000 Subject: AW: WINDOWS - Adding passphrase to gpg via command line In-Reply-To: <87y46dbhxv.fsf@wheatstone.g10code.de> References: <1B92CD52D917D24A8B33D05C14D1E91B6BA03ECE@it-serverV01.intern.infotech.li> <87y46dbhxv.fsf@wheatstone.g10code.de> Message-ID: <1B92CD52D917D24A8B33D05C14D1E91B6BA05A20@it-serverV01.intern.infotech.li> Hallo Herr Koch (Ich nehme jetzt mal an, dass sie deutsch sprechen...) Besten Dank f?r Ihre Antwort! Ich benutze GnuGP das erste Mal und kenne mich deshalb nicht so gut aus ;) Frage: Gibt es eine M?glichkeit, den KeyGrip aus dem KeyRing z.B. via --homedir zu ermitteln? Oder noch besser den KeyGrip gleich dynamisch im dem von Ihnen vorgeschlagenen Befehl zu verwenden? Unsere Anforderung ist es, Files aus einer .NET Applikation auf einem Windows Server zu signieren und zu verschl?sseln. Da dies auf dem Server geschieht, darf es keine User Interaktion geben. Deshalb kein Passphrase Abfragedialog ;) Herzlichen Dank f?r Ihre Hilfe! Freundliche Gr?sse Mike Kaufmann -----Urspr?ngliche Nachricht----- Von: Werner Koch [mailto:wk at gnupg.org] Gesendet: Freitag, 10. Juni 2016 09:51 An: Mike Kaufmann Cc: gnupg-users at gnupg.org Betreff: Re: WINDOWS - Adding passphrase to gpg via command line Hi! On Thu, 9 Jun 2016 15:29, m.kaufmann at infotech.li said: > Im am using GnuPG v2.1.11.59877 on Windows 10. The utility > gpg-preset-passphrase.exe is not available on my system. Is there a > location I can download this tool and install on my machine? I would > like to use the tool, to set the password on gpg-agent. I think that gpg-preset-passpharse is not the right tool and you either should not set a passphrase for the key or use the gpg option --pinentry-mode=loopback. However, I can distribute gpg-preset-passpharse with the next Windows installer (2.1.13) - hopefully next week. There is a workaround, though: gpg-connect-agent 'PRESET_PASSPHRASE -1 ' /bye The is what you would also use with gpg-preset-passphrase. The is, well, you passphrase which needs to be percent-escaped (e.g. "foo far" -> "foo%20bar"). If you do not want to type the passphrase, gpg-connect-agent has a simple script language which can help here. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. /* EFH in Erkrath: https://alt-hochdahl.de/haus */ From m.kaufmann at infotech.li Fri Jun 10 14:18:33 2016 From: m.kaufmann at infotech.li (Mike Kaufmann) Date: Fri, 10 Jun 2016 12:18:33 +0000 Subject: AW: AW: WINDOWS - Adding passphrase to gpg via command line In-Reply-To: <87ziqt9si2.fsf@wheatstone.g10code.de> References: <1B92CD52D917D24A8B33D05C14D1E91B6BA03ECE@it-serverV01.intern.infotech.li> <87y46dbhxv.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA05A20@it-serverV01.intern.infotech.li> <87ziqt9si2.fsf@wheatstone.g10code.de> Message-ID: <1B92CD52D917D24A8B33D05C14D1E91B6BA06197@it-serverV01.intern.infotech.li> Hi, I'll try it in english again :) To me as a beginner it's not very handy to use GnuPG. It's very complicated. I've tried to use the following commands in Windows Command Line to set passphrase in gpg-agent. gpg-agent --allow-preset-passphrase gpg-connect-agent PRESET_PASSPHRASE "MyKeyGrip" -1 "MyPassphrase" I always receive the error message: ERR 67108924 Not supported - no --allow-preset-passphrase There are also many articles on the net that describe to add --allow-preset-passphrase to the file gpg-agent.conf. On my Windows 10 system I can't find such a file. Can I create an empty text file, change it's extension, add --allow-preset-passphrase to it and save it to the same location as the gpg.exe file? You've mentioned the --pinentry-mode-lookback. Could you give me some advice howto to use this option? Whitch options do I have to set in gpg-agent? Whitch commands do I have to execute in Windows Command Line to sign a file without pinentry dialog? At the moment I use the following command: gpg --homedir c:\PreProd\MyKeyRing --output C:\SignedFiles\temp.asc --armor -u info at info.com --digest-algo SHA512 --sign c:\UnSignedFiles\temp.csv What modifications do I have to made on my command to sign the file without passphrase dialog? Kind Regards, Mike -----Urspr?ngliche Nachricht----- Von: Werner Koch [mailto:wk at gnupg.org] Gesendet: Freitag, 10. Juni 2016 13:46 An: Mike Kaufmann Cc: gnupg-users at gnupg.org Betreff: Re: AW: WINDOWS - Adding passphrase to gpg via command line On Fri, 10 Jun 2016 10:23, m.kaufmann at infotech.li said: > Gibt es eine M?glichkeit, den KeyGrip aus dem KeyRing z.B. via > --homedir zu ermitteln? Example: $ gpg --with-keygrip --with-fingerprint --with-colons -k 1e42b367 tru:o:1:1465230074:1:3:1:5 pub:f:2048:17:F2AD85AC1E42B367:1199118275:1546232400::f:::scESC::::::: fpr:::::::::80615870F5BAD690333686D0F2AD85AC1E42B367: grp:::::::::44B9E7E287B11C0E033A1A93ECCFDBC6AF7CCFAE: > Oder noch besser den KeyGrip gleich dynamisch im dem von Ihnen > vorgeschlagenen Befehl zu verwenden? No, that is not possible becuase gpg-agent does not know about the OpenPGP protocol. Salam-Shalom, Werner p.s Please stick to English in this list ;-) -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. /* EFH in Erkrath: https://alt-hochdahl.de/haus */ From 2014-667rhzu3dc-lists-groups at riseup.net Fri Jun 10 23:43:14 2016 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Fri, 10 Jun 2016 22:43:14 +0100 Subject: RSA pub-sec pri key pair + ELG enc + RSA sign subkeys + EDDSA/ECDH subkeys -> e-mail familiar RSA/ELG key recipient In-Reply-To: References: Message-ID: <555803960.20160610224314@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Friday 10 June 2016 at 2:11:30 PM, in , Brian Minton wrote: > For signing, I like to put both key IDs (in my case, > ed25519 and DSA) in > my gnupg conf file, so signing automatically uses > both keys. I do that, and have had feedback from Enigmail users that they only saw the verification report of one of the two signatures. Switching the order of the "local-user" lines in my gpg.conf file toggled whether Enigmail reported the signature to the recipient as Good, or not. This was before Christmas, so maybe the Enigmail people fixed it in the meantime. - -- Best regards MFPA Roses smell better than onions but don't make such good soup -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJXWzRyXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwBN0H/ioFMGS1lvM/575G6wOkWG9o Ry6180FO3cHuJnIOzyphgZFp1AsWkK7T57wk7BzalOKmzqShiCBEeAHO5kYdPSrl 7hVfmRuO2Tmgr4XAIwhv9goalFeAQUvbHun3k0PxvYMfDelYTIlNYJqW+8djZCDZ j46mj19aZUcOFR7gkz/HHZfXocA2a+ILNW6sQplFeDt1lExeufX3pzUYZ+ct3qgC /8L6gji8dYgXeVeOOKr5aRiQ2cvWVG0SlTZW9E1PHo+eeFlnHHiCPWkAzinSU6UJ d/cUprpKdcxIApeQC6I68UETLlJTybKvc5wDssAwl3WKhBJTZlyLpLzDvk3rLqiI vgQBFgoAZgUCV1s0cl8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45PpOAP47oOdnUoVUu5j9wVPhe88z41yK m4HkTVcKPIXW3Fu7vQEAkPhTMpiBhKNarmNyUaM+e/9VsNbweIR4zOknevp8EQs= =KDzz -----END PGP SIGNATURE----- From peter at digitalbrains.com Sat Jun 11 11:08:22 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Sat, 11 Jun 2016 11:08:22 +0200 Subject: Configuration hints for using gnupg (2.0.x) interchangeably with graphical frontend and in the terminal In-Reply-To: <5759AC61.8000807@digitalbrains.com> References: <5759AC61.8000807@digitalbrains.com> Message-ID: <575BD506.80603@digitalbrains.com> On 09/06/16 19:50, Peter Lebbing wrote: > Of course, if you > multi-display a single "screen" terminal session, it might go haywire as > any X application would, since it would pick the DISPLAY from the > "screen" session that started it. I just realised this even happens with "regular" screen sessions, without the multi-display functionality. If you start a screen session locally, then detach it and attach it remotely, it will still have the DISPLAY environment variable from when you started it locally. So yes, in those circumstances any X program you start from that session will display on the original graphical display, and so will a pinentry prompt. In a sense, you could say the DISPLAY environment variable is incorrect then. Unsetting it will mean the pinentry will pop up on your "screen" display, as a text program. Perhaps this is in part an explanation for what you're seeing? It still doesn't explain why the pinentry isn't on top; that might be a non-default configuration? HTH, Peter. PS: I'm assuming OS X communicates the graphical display through an enironment variable as well. And I base this assumption on absolutely nothing, so I should probably shout angrily, as one is wont to do with poorly founded opinions. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From daniel at pocock.pro Sat Jun 11 17:37:01 2016 From: daniel at pocock.pro (Daniel Pocock) Date: Sat, 11 Jun 2016 17:37:01 +0200 Subject: storing private key on multiple SD cards / SD card RAID Message-ID: <575C301D.5030402@pocock.pro> Has anybody seen any MicroSD card readers that take multiple cards for use with btrfs, md RAID or other software RAID/replication solutions? I listed a few here: https://wiki.debian.org/OpenPGP/CleanRoomLiveEnvironment#Multiple_flash_card_readers This would be useful for storing private keys offline Regards, Daniel From kenny.evitt at gmail.com Sun Jun 12 16:16:35 2016 From: kenny.evitt at gmail.com (Kenny Evitt) Date: Sun, 12 Jun 2016 10:16:35 -0400 Subject: Follow-up about querying gpg-agent configuration options Message-ID: Back in April there was a thread with the subject "Querying gpg-agent configuration options". One of the last posts in that thread was as follows: >On Wed, 27 Apr 2016 18:02, eric.pruitt [at] gmail said: > >> query the information from gpg-agent, it parses the configuration files >> which is not what I need. Am I missing something? If it matters, the > >It parses the configuration files and also consults gpg-agent to test >which are options are enabled for use by gpgconf and what are the >current values. To do this gpgconf uses the special gpg-agent option >'--gpgconf-list'. This usuallay returns the correct values, unless >gpg-agent has not ben restarted after a gpg-agent.cof chnage or command >line options are used. > >> version of gpgconf / GPG I'm using is 2.0.14. > >If really required we could add an Assuan command to return certain >values similar to "gpg-connect-agent 'help getinfo' /bye". But before >adding such an option I would like to learn why you need this. I can't speak for Eric, but I was interested in querying the cache setting because I was working on shell scripts to implement a 'time-limited' decryption, using a symmetric key and I decided to implement the 'limit' aspect by running a shell script to re-encrypt the relevant item before the gpg-agent cache that includes the symmetric key passphrase expires. The larger project involves mimicking the manner in which a lot of 'password managers' work by allowing users to 'unlock' (decrypt) a password database for a limited amount of time and then automatically 'locking' (encrypting) the database after the limited period has elapsed (and thus preventing the decrypted data from remaining on the system). I'm using Pass for storing password entries but I also want to encrypt the entire 'password store' directory to, e.g. securely share different password stores among many computers. I discovered tho that a background process doesn't have access to gpg-agent or its cache, which upon reflection is wonderful. So instead I modified the 'decrypt' shell script to prompt for the passphrase and then pass it to both the `gpg2` decrypt command and the `gpg2` encrypt background command. [I'd separately appreciate any feedback about whether this is a secure or otherwise sensible way to do this.] So in my case I wanted to access this option setting so as to fit within the cache window. Given the current implementation, retrieving the actual setting in gpg-agent as its running is less important. But it would still be nice to match its cache setting were the value retrieved by `gpgconf` to differ. It would also be nice were there some way that `gpg2` and `gpg-agent` could provide a 'time-limited' decryption feature themselves. Or maybe some way commands could be 'hooked' into the expiration of cache entries, i.e. to cleanup decrypted info and re-encrypt items. Also, with respect to the example code for retrieving the option setting with `gpgconf` and `awk`, the output I saw did not include a value for the `$10` variable. I guessed that the `$8` was a default setting and that `$10` represented an explicit setting that overrides the default. If I'm wrong, please let me know. Thanks, Kenny -------------- next part -------------- An HTML attachment was scrubbed... URL: From kwadronaut at aktivix.org Mon Jun 13 09:28:22 2016 From: kwadronaut at aktivix.org (kwadronaut) Date: Mon, 13 Jun 2016 09:28:22 +0200 Subject: How to convert (ancient) key in "version 2" to more modern "version 4" format? In-Reply-To: <874m92dtgg.fsf@alice.fifthhorseman.net> References: <80d0245c-8dcf-af94-0682-4effcc10496e@bjoern-kahl.de> <87h9dormnj.fsf@wheatstone.g10code.de> <39be5242-d86e-b6a4-a24a-1e07a7475c54@hammernoch.net> <4bc3d15a-523e-03ce-c7b6-ed19de66551c@bjoern-kahl.de> <874m92dtgg.fsf@alice.fifthhorseman.net> Message-ID: <575E6096.2000900@aktivix.org> On 06/09/2016 09:59 PM, Daniel Kahn Gillmor wrote: > Perhaps the better approach is to have a one-time tool that can either > (a) translate your encrypted messages into a newer encrypted form > (e.g. replacing the PKESK packets with ones encrypted to a newer, > stronger key), or (b) extracting the session key from the encrypted > object and storing it in a separate lookup table, so that the old secret > key isn't relevant any longer. > > Either of these approaches would also be useful to people who want to > destroy their old secret key material without losing access to their > data, while making it harder for people to start interacting with > bad/old keys. Such a tool would indeed be nice. Have you come across one or know of one? It's probably not straightforward, giving the many formats this data comes in (inline in e-mails, textfiles, PGP/MIME, ?) kwadronaut -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: From m.kaufmann at infotech.li Mon Jun 13 08:12:01 2016 From: m.kaufmann at infotech.li (Mike Kaufmann) Date: Mon, 13 Jun 2016 06:12:01 +0000 Subject: AW: AW: AW: WINDOWS - Adding passphrase to gpg via command line In-Reply-To: <87a8isakrb.fsf@wheatstone.g10code.de> References: <1B92CD52D917D24A8B33D05C14D1E91B6BA03ECE@it-serverV01.intern.infotech.li> <87y46dbhxv.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA05A20@it-serverV01.intern.infotech.li> <87ziqt9si2.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA06197@it-serverV01.intern.infotech.li> <87a8isakrb.fsf@wheatstone.g10code.de> Message-ID: <1B92CD52D917D24A8B33D05C14D1E91B6BA1D9E8@it-serverV01.intern.infotech.li> Good morning Thank you very much for the response! Now that I've done all the things you've written, I no longer receive the error "ERR 67108924 Not supported - no --allow-preset-passphrase" when I start the gpg-agent with gpg-connect-agent PRESET_PASSPHRASE. Unfortunately when I start gpg-agent with the following command on Windows Command Line gpg-connect-agent PRESET_PASSPHRASE "74EC3FAA93CD49446EC6825C3EBEB2C336CCBE2A" -1 "MyPassphrase" I receive the following errors: ERR 67108992 Missing value ERR 67109139 Unknown IPC command I've also attached an image to this e-mail where you can see the commands and errors. Do you have any further ideas? Regads, Mike -----Urspr?ngliche Nachricht----- Von: Werner Koch [mailto:wk at gnupg.org] Gesendet: Freitag, 10. Juni 2016 21:48 An: Mike Kaufmann Cc: gnupg-users at gnupg.org Betreff: Re: AW: AW: WINDOWS - Adding passphrase to gpg via command line On Fri, 10 Jun 2016 14:18, m.kaufmann at infotech.li said: > There are also many articles on the net that describe to add --allow-preset-passphrase to the file gpg-agent.conf. > On my Windows 10 system I can't find such a file. Can I create an You need to create it in the homedir. gpg --versions shows the homedir, or use gpgconf --list-dirs which also has a homedir line. Then go to that directory, and put a the lines verbose allow-preset-passphrase into a file named gpg-agent.conf. (verbose is not really needed but might be helpful). Then kill gpg-agent : gpgconf --kill gpg-agent and things should work. > You've mentioned the --pinentry-mode-lookback. > Could you give me some advice howto to use this option? I leave that to others ;-) Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. /* EFH in Erkrath: https://alt-hochdahl.de/haus */ -------------- next part -------------- A non-text attachment was scrubbed... Name: MissingValueGPGAgent.png Type: image/png Size: 20390 bytes Desc: MissingValueGPGAgent.png URL: From peter at digitalbrains.com Mon Jun 13 20:15:02 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Mon, 13 Jun 2016 20:15:02 +0200 Subject: WINDOWS - Adding passphrase to gpg via command line In-Reply-To: <1B92CD52D917D24A8B33D05C14D1E91B6BA1D9E8@it-serverV01.intern.infotech.li> References: <1B92CD52D917D24A8B33D05C14D1E91B6BA03ECE@it-serverV01.intern.infotech.li> <87y46dbhxv.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA05A20@it-serverV01.intern.infotech.li> <87ziqt9si2.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA06197@it-serverV01.intern.infotech.li> <87a8isakrb.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA1D9E8@it-serverV01.intern.infotech.li> Message-ID: <575EF826.2010205@digitalbrains.com> On 13/06/16 08:12, Mike Kaufmann wrote: > Unfortunately when I start gpg-agent with the following command on Windows Command Line > gpg-connect-agent PRESET_PASSPHRASE "74EC3FAA93CD49446EC6825C3EBEB2C336CCBE2A" -1 "MyPassphrase" > > I receive the following errors: > ERR 67108992 Missing value > ERR 67109139 Unknown IPC command I think it's possible Werner was mistaken about the correct format of the command. Here, on Debian GNU/Linux with GnuPG 2.1.11 (Debian packages version 2.1.11-7), the correct invocation appears to be different. However, so is the error message, oddly enough. This is the help text for PRESET_PASSPHRASE: > $ gpg-connect-agent > > help preset_passphrase > # PRESET_PASSPHRASE [--inquire] [] > # > # Set the cached passphrase/PIN for the key identified by the keygrip > # to passwd for the given time, where -1 means infinite and 0 means > # the default (currently only a timeout of -1 is allowed, which means > # to never expire it). If passwd is not provided, ask for it via the > # pinentry module unless --inquire is passed in which case the passphrase > # is retrieved from the client via a server inquire. > OK So it appears to take a hexstring, not a percent-escaped string. Indeed this is what happens (the passphrase is indeed "test", this is a test key, not my real key :-): > > preset_passphrase 2F677680CA15F6F7B963AF35822E8EC01FBF840A -1 "test" > ERR 67109144 IPC parameter error - invalid hexstring > > preset_passphrase 2F677680CA15F6F7B963AF35822E8EC01FBF840A -1 test > ERR 67109144 IPC parameter error - invalid hexstring Note it explicitly complains about the format, where on your invocation it's more ambiguous. This is a bit odd, if you ask me. Now let's write "test" as hexadecimal ASCII: > > preset_passphrase 2F677680CA15F6F7B963AF35822E8EC01FBF840A -1 74657374 > OK And indeed the key is unlocked for use and could be used to sign some data. So you could try this. I don't know what utility you'd use on Windows to easily get the hexadecimal. But to get the exact required input on a system like Linux, this will do so: > $ echo -n "MyPassphrase" | hexdump -v -e '/1 "%02X"'; echo > 4D7950617373706872617365 HTH, Peter. PS: On your replies, could you edit the Subject:-line to remove all the repeated strings of Re: or AW:? PPS: I've never understood, by the way, why the people who write e-mail clients that translate those headers (Reply -> Antwort) don't implement some functionality to automatically prevent the madness of repeated headers in different languages. Your system even seems to repeat when it's in the same language? Here in The Netherlands, I also see stuff like "Re: Aw: Re: Aw: Re: the subject" come by. Really annoying, IMO. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From wk at gnupg.org Tue Jun 14 07:34:42 2016 From: wk at gnupg.org (Werner Koch) Date: Tue, 14 Jun 2016 07:34:42 +0200 Subject: WINDOWS - Adding passphrase to gpg via command line In-Reply-To: <575EF826.2010205@digitalbrains.com> (Peter Lebbing's message of "Mon, 13 Jun 2016 20:15:02 +0200") References: <1B92CD52D917D24A8B33D05C14D1E91B6BA03ECE@it-serverV01.intern.infotech.li> <87y46dbhxv.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA05A20@it-serverV01.intern.infotech.li> <87ziqt9si2.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA06197@it-serverV01.intern.infotech.li> <87a8isakrb.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA1D9E8@it-serverV01.intern.infotech.li> <575EF826.2010205@digitalbrains.com> Message-ID: <871t401ggd.fsf@wheatstone.g10code.de> On Mon, 13 Jun 2016 20:15, peter at digitalbrains.com said: > So it appears to take a hexstring, not a percent-escaped string. Indeed > this is what happens (the passphrase is indeed "test", this is a test Ooops. Sorry for the false claim that it needs to be percent encoded. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. /* EFH in Erkrath: https://alt-hochdahl.de/haus */ From dirk at koeppen.name Tue Jun 14 13:40:14 2016 From: dirk at koeppen.name (=?utf-8?Q?Dirk_K=C3=B6ppen?=) Date: Tue, 14 Jun 2016 13:40:14 +0200 Subject: Can I replace a main key by a sub key? Message-ID: <3D9344C8-B540-455D-AAF3-1CC3666A0EE3@koeppen.name> Dear friends of GNUPG, I do have a main key which is DSA and subkeys for RSA and ELG-E. Now I would like to use the sign-service at https://pgp.governikus-eid.de/pgp/ which unfortunately does not support DSA. Is there a way to make my main DSA key a subkey and the sub RSA key my main key ? Thanks for your help and best regards, Dirk -- Dirk K?ppen PGP: D66A AF85 5DD9 EBE3 4539 90EF B815 3E77 7E40 5904 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 195 bytes Desc: Message signed with OpenPGP using GPGMail URL: From wk at gnupg.org Tue Jun 14 17:26:12 2016 From: wk at gnupg.org (Werner Koch) Date: Tue, 14 Jun 2016 17:26:12 +0200 Subject: Can I replace a main key by a sub key? In-Reply-To: <3D9344C8-B540-455D-AAF3-1CC3666A0EE3@koeppen.name> ("Dirk =?utf-8?Q?K=C3=B6ppen=22's?= message of "Tue, 14 Jun 2016 13:40:14 +0200") References: <3D9344C8-B540-455D-AAF3-1CC3666A0EE3@koeppen.name> Message-ID: <877fdrvlkb.fsf@wheatstone.g10code.de> On Tue, 14 Jun 2016 13:40, dirk at koeppen.name said: > Now I would like to use the sign-service at https://pgp.governikus-eid.de/pgp/ which unfortunately does not support DSA. Which means they do not support OpenPGP - DSA is a required (MUST) algorithm in OpenPGP. > Is there a way to make my main DSA key a subkey and the sub RSA key my > main key ? This is in theory possible but it does not help you because the fingerprint of the primary (main) key will change. It is better to create a new key and, if your really need it, add your old keys to that new key as subkeys. Can be done with 2.1 without too much problems. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. /* EFH in Erkrath: https://alt-hochdahl.de/haus */ From mantorix at vollbio.de Tue Jun 14 14:11:53 2016 From: mantorix at vollbio.de (mantorix at vollbio.de) Date: Tue, 14 Jun 2016 14:11:53 +0200 Subject: With colons: Where is my curve? (rsa+ecc mixed key) Message-ID: An HTML attachment was scrubbed... URL: From wk at gnupg.org Tue Jun 14 23:17:59 2016 From: wk at gnupg.org (Werner Koch) Date: Tue, 14 Jun 2016 23:17:59 +0200 Subject: With colons: Where is my curve? (rsa+ecc mixed key) In-Reply-To: (mantorix@vollbio.de's message of "Tue, 14 Jun 2016 14:11:53 +0200") References: Message-ID: <87lh27sc54.fsf@wheatstone.g10code.de> On Tue, 14 Jun 2016 14:11, mantorix at vollbio.de said: > This key has been created as a more or less default 3k RSA key, and I added an > ECC encryption subkey with curve25519 after creation. > What I am missing is the curve field filled for the subkey. Ooops. Here is the fix I just pushed to the repo: diff --git a/g10/keylist.c b/g10/keylist.c index d77c86b..0ac763d 100644 --- a/g10/keylist.c +++ b/g10/keylist.c @@ -1542,11 +1542,11 @@ list_keyblock_colon (ctrl_t ctrl, kbnode_t keyblock, } es_putc (':', es_stdout); /* End of field 15. */ es_putc (':', es_stdout); /* End of field 16. */ - if (pk->pubkey_algo == PUBKEY_ALGO_ECDSA - || pk->pubkey_algo == PUBKEY_ALGO_EDDSA - || pk->pubkey_algo == PUBKEY_ALGO_ECDH) + if (pk2->pubkey_algo == PUBKEY_ALGO_ECDSA + || pk2->pubkey_algo == PUBKEY_ALGO_EDDSA + || pk2->pubkey_algo == PUBKEY_ALGO_ECDH) { - char *curve = openpgp_oid_to_str (pk->pkey[0]); + char *curve = openpgp_oid_to_str (pk2->pkey[0]); const char *name = openpgp_oid_to_curve (curve, 0); if (!name) name = curve; > Perhaps I should mention, that I'm using the windows version of gpg 2.1.12 I hope to get 2.1.13 out this week, so please have some patience if you need a new installer. Thanks for reporting. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. /* EFH in Erkrath: https://alt-hochdahl.de/haus */ From m.kaufmann at infotech.li Wed Jun 15 08:33:20 2016 From: m.kaufmann at infotech.li (Mike Kaufmann) Date: Wed, 15 Jun 2016 06:33:20 +0000 Subject: AW: WINDOWS - Adding passphrase to gpg via command line In-Reply-To: <575EF826.2010205@digitalbrains.com> References: <1B92CD52D917D24A8B33D05C14D1E91B6BA03ECE@it-serverV01.intern.infotech.li> <87y46dbhxv.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA05A20@it-serverV01.intern.infotech.li> <87ziqt9si2.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA06197@it-serverV01.intern.infotech.li> <87a8isakrb.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA1D9E8@it-serverV01.intern.infotech.li> <575EF826.2010205@digitalbrains.com> Message-ID: <1B92CD52D917D24A8B33D05C14D1E91B6BA23861@it-serverV01.intern.infotech.li> Hi Peter Thanks for your answer! Unfortunately I still receive the same errors when I set the passphrase param as hexstring in Windows Command Line: ERR 67108992 Missing value ERR 67109139 Unknown IPC command See also the attached screenshot. Do you habe any other ideas? This tool seems not to be made for Windows OS :( Regards Mike -----Urspr?ngliche Nachricht----- Von: Peter Lebbing [mailto:peter at digitalbrains.com] Gesendet: Montag, 13. Juni 2016 20:15 An: Mike Kaufmann Cc: gnupg-users at gnupg.org Betreff: Re: WINDOWS - Adding passphrase to gpg via command line On 13/06/16 08:12, Mike Kaufmann wrote: > Unfortunately when I start gpg-agent with the following command on > Windows Command Line gpg-connect-agent PRESET_PASSPHRASE "74EC3FAA93CD49446EC6825C3EBEB2C336CCBE2A" -1 "MyPassphrase" > > I receive the following errors: > ERR 67108992 Missing value ERR 67109139 Unknown IPC > command I think it's possible Werner was mistaken about the correct format of the command. Here, on Debian GNU/Linux with GnuPG 2.1.11 (Debian packages version 2.1.11-7), the correct invocation appears to be different. However, so is the error message, oddly enough. This is the help text for PRESET_PASSPHRASE: > $ gpg-connect-agent > > help preset_passphrase > # PRESET_PASSPHRASE [--inquire] > [] # # Set the cached passphrase/PIN for the key identified > by the keygrip # to passwd for the given time, where -1 means infinite > and 0 means # the default (currently only a timeout of -1 is allowed, > which means # to never expire it). If passwd is not provided, ask for > it via the # pinentry module unless --inquire is passed in which case > the passphrase # is retrieved from the client via a server inquire. > OK So it appears to take a hexstring, not a percent-escaped string. Indeed this is what happens (the passphrase is indeed "test", this is a test key, not my real key :-): > > preset_passphrase 2F677680CA15F6F7B963AF35822E8EC01FBF840A -1 "test" > ERR 67109144 IPC parameter error - invalid hexstring > > preset_passphrase 2F677680CA15F6F7B963AF35822E8EC01FBF840A -1 test > ERR 67109144 IPC parameter error - invalid hexstring Note it explicitly complains about the format, where on your invocation it's more ambiguous. This is a bit odd, if you ask me. Now let's write "test" as hexadecimal ASCII: > > preset_passphrase 2F677680CA15F6F7B963AF35822E8EC01FBF840A -1 > > 74657374 > OK And indeed the key is unlocked for use and could be used to sign some data. So you could try this. I don't know what utility you'd use on Windows to easily get the hexadecimal. But to get the exact required input on a system like Linux, this will do so: > $ echo -n "MyPassphrase" | hexdump -v -e '/1 "%02X"'; echo > 4D7950617373706872617365 HTH, Peter. PS: On your replies, could you edit the Subject:-line to remove all the repeated strings of Re: or AW:? PPS: I've never understood, by the way, why the people who write e-mail clients that translate those headers (Reply -> Antwort) don't implement some functionality to automatically prevent the madness of repeated headers in different languages. Your system even seems to repeat when it's in the same language? Here in The Netherlands, I also see stuff like "Re: Aw: Re: Aw: Re: the subject" come by. Really annoying, IMO. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at -------------- next part -------------- A non-text attachment was scrubbed... Name: PresetPassphraseMissingValueGPGAgent.png Type: image/png Size: 20273 bytes Desc: PresetPassphraseMissingValueGPGAgent.png URL: From brenda.hales at btinternet.com Wed Jun 15 12:22:47 2016 From: brenda.hales at btinternet.com (Brenda Hales) Date: Wed, 15 Jun 2016 11:22:47 +0100 Subject: help - Libkcmutils.dll Message-ID: Newbie here ? managed to set up my own key pair but can import other persons public key ? get 3 fault messages all similar to title one. And utils.dll scanregw.errors Newbie totally lost ? Help most appreciated Sent from Mail for Windows 10 -------------- next part -------------- An HTML attachment was scrubbed... URL: From peter at digitalbrains.com Wed Jun 15 13:17:01 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Wed, 15 Jun 2016 13:17:01 +0200 Subject: WINDOWS - Adding passphrase to gpg via command line In-Reply-To: <1B92CD52D917D24A8B33D05C14D1E91B6BA23861@it-serverV01.intern.infotech.li> References: <1B92CD52D917D24A8B33D05C14D1E91B6BA03ECE@it-serverV01.intern.infotech.li> <87y46dbhxv.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA05A20@it-serverV01.intern.infotech.li> <87ziqt9si2.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA06197@it-serverV01.intern.infotech.li> <87a8isakrb.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA1D9E8@it-serverV01.intern.infotech.li> <575EF826.2010205@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA23861@it-serverV01.intern.infotech.li> Message-ID: <5761392D.3030608@digitalbrains.com> On 15/06/16 08:33, Mike Kaufmann wrote: > See also the attached screenshot. Do you habe any other ideas? You're missing some necessary quoting. Right now, you're sending four separate commands instead of a single command with three options! gpg-connect-agent 'preset_passphrase 74EC3FAA93CD49446EC6825C3EBEB2C336CCBE2A -1 4D7950617373706872617365' /bye should do the trick. Or if the Windows command line doesn't like quoting with apostrophes, you could do gpg-connect-agent "preset_passphrase 74EC3FAA93CD49446EC6825C3EBEB2C336CCBE2A -1 4D7950617373706872617365" /bye HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From guilhem at fripost.org Wed Jun 15 12:13:36 2016 From: guilhem at fripost.org (Guilhem Moulin) Date: Wed, 15 Jun 2016 12:13:36 +0200 Subject: With colons: Where is my curve? (rsa+ecc mixed key) In-Reply-To: <87lh27sc54.fsf@wheatstone.g10code.de> References: <87lh27sc54.fsf@wheatstone.g10code.de> Message-ID: <20160615101336.GA6698@localhost.localdomain> On Tue, 14 Jun 2016 at 23:17:59 +0200, Werner Koch wrote: > On Tue, 14 Jun 2016 14:11, mantorix at vollbio.de said: >> This key has been created as a more or less default 3k RSA key, and I added an >> ECC encryption subkey with curve25519 after creation. >> What I am missing is the curve field filled for the subkey. > > Ooops. Here is the fix I just pushed to the repo: FWIW, the exact same fix I proposed on February 2nd in <1454434791-31608-1-git-send-email-guilhem at fripost.org> was overlooked :-( Good that it now landed to master, though. -- Guilhem. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: not available URL: From peter at digitalbrains.com Wed Jun 15 14:35:11 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Wed, 15 Jun 2016 14:35:11 +0200 Subject: AW: WINDOWS - Adding passphrase to gpg via command line In-Reply-To: <1B92CD52D917D24A8B33D05C14D1E91B6BA2484B@it-serverV01.intern.infotech.li> References: <1B92CD52D917D24A8B33D05C14D1E91B6BA03ECE@it-serverV01.intern.infotech.li> <87y46dbhxv.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA05A20@it-serverV01.intern.infotech.li> <87ziqt9si2.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA06197@it-serverV01.intern.infotech.li> <87a8isakrb.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA1D9E8@it-serverV01.intern.infotech.li> <575EF826.2010205@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA23861@it-serverV01.intern.infotech.li> <5761392D.3030608@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA2484B@it-serverV01.intern.infotech.li> Message-ID: <57614B7F.2020301@digitalbrains.com> Hi, > Any further ideas? I am despairing slowly but surely... When I purposely enter the wrong passphrase, the PRESET_PASSPHRASE command succeeds, but subsequently the pinentry will pop up to prompt for the correct passphrase when I try to do anything with the key. So you might have a mistake in the passphrase? You could create a test key and set its passphrase to be test, and explicitly use the hexified version of the word test to try if it works then, since we obviously can't tell you if you've made a mistake with hexifying your real passphrase :-). By the way, depending on your situation, it might not be worse to use your key without a passphrase. Your key is encrypted when stored on disk so that an attacker getting hold of the file doesn't yet have your key. However, when you use gpg-preset-passphrase in a way that stores the passphrase argument plainly on disk as well, the attacker can simply read that file as well and decrypt your key. In such situations, the encryption serves no purpose (other than to make you despair slowly but surely). But in other situations, it can be more secure to use a passphrase, so it all depends. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From wk at gnupg.org Wed Jun 15 16:41:13 2016 From: wk at gnupg.org (Werner Koch) Date: Wed, 15 Jun 2016 16:41:13 +0200 Subject: [Announce] Libgcrypt 1.7.1 released Message-ID: <87poripl9y.fsf@wheatstone.g10code.de> Hello! The GnuPG Project is pleased to announce the availability of Libgcrypt version 1.7.1. This is a maintenace release. Libgcrypt is a general purpose library of cryptographic building blocks. It is originally based on code used by GnuPG. It does not provide any implementation of OpenPGP or other protocols. Thorough understanding of applied cryptography is required to use Libgcrypt. Noteworthy changes in version 1.7.1 =================================== * Bug fixes: - Fix ecc_verify for cofactor support. - Fix portability bug when using gcc with Solaris 9 SPARC. - Build fix for OpenBSD/amd64 - Add OIDs to the Serpent ciphers. * Internal changes: - Use getrandom system call on Linux if available. - Blinding is now also used for RSA signature creation. - Changed names of debug envvars Download ======== Source code is hosted at the GnuPG FTP server and its mirrors as listed at https://gnupg.org/download/mirrors.html . On the primary server the source tarball and its digital signature are: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.7.1.tar.bz2 (2776k) ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.7.1.tar.bz2.sig That file is bzip2 compressed. A gzip compressed version is here: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.7.1.tar.gz (3314k) ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.7.1.tar.gz.sig The same files are also available via HTTP: https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.7.1.tar.bz2 https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.7.1.tar.bz2.sig https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.7.1.tar.gz https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.7.1.tar.gz.sig In order to check that the version of Libgcrypt you downloaded is an original and unmodified file please follow the instructions found at . In short, you may use one of the following methods: - Check the supplied OpenPGP signature. For example to check the signature of the file libgcrypt-1.7.1.tar.bz2 you would use this command: gpg --verify libgcrypt-1.7.1.tar.bz2.sig libgcrypt-1.7.1.tar.bz2 This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by one or more of the release signing keys. - If you are not able to use GnuPG, you have to verify the SHA-1 checksum: sha1sum libgcrypt-1.7.1.tar.bz2 and check that the output matches the first line from the this list: b688add52b622bb96bbd823ba21aa05a116d442f libgcrypt-1.7.1.tar.bz2 7310ed270c3a98b74acb58bcc95a2b4f596417cb libgcrypt-1.7.1.tar.gz You should also verify that the checksums above are authentic by matching them with copies of this announcement. Those copies can be found at other mailing lists, web sites, and search engines. Copying ======= Libgcrypt is distributed under the terms of the GNU Lesser General Public License (LGPLv2.1+). The helper programs as well as the documentation are distributed under the terms of the GNU General Public License (GPLv2+). The file LICENSES has notices about contributions that require that these additional notices are distributed. Support ======= For help on developing with Libgcrypt you should read the included manual and optional ask on the gcrypt-devel mailing list [1]. A listing with commercial support offers for Libgcrypt and related software is available at the GnuPG web site [2]. If you are a developer and you may need a certain feature for your project, please do not hesitate to bring it to the gcrypt-devel mailing list for discussion. Maintenance and development of Libgcrypt is mostly financed by donations; see . We currently employ 3 full-time developers, one part-timer, and one contractor to work on GnuPG and closely related software like Libgcrypt. Thanks ====== We like to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, and answering questions on the mailing lists. Also many thanks to all our donors [3]. For the GnuPG hackers, Werner p.s. This is an announcement only mailing list. Please send replies only to the gcrypt-devel 'at' gnupg.org mailing list. [1] https://lists.gnupg.org/mailman/listinfo/gcrypt-devel [2] https://www.gnupg.org/service.html [3] https://gnupg.org/donate/kudos.html -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. /* EFH in Erkrath: https://alt-hochdahl.de/haus */ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 180 bytes Desc: not available URL: -------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From joshterrill.dev at gmail.com Wed Jun 15 22:55:38 2016 From: joshterrill.dev at gmail.com (Joshua Terrill) Date: Wed, 15 Jun 2016 13:55:38 -0700 Subject: Issue with PIVKey C910 PKI Smart Card In-Reply-To: References: Message-ID: Ah nevermind, looks like that card doesn't support PGP. I have a g10 card coming in a few days. Hopefully that will work. On Wed, Jun 15, 2016 at 1:48 PM, Joshua Terrill wrote: > I just bought a SCM reader ( > https://www.amazon.com/gp/product/B002N3MM6W/ref=oh_aui_detailpage_o00_s00?ie=UTF8&psc=1) > and PIVKey C910 PKI Smart Card ( > https://www.amazon.com/gp/product/B00SJV2CNK/ref=oh_aui_detailpage_o00_s00?ie=UTF8&psc=1 > ) > > I'm running Windows 10, and installed GPG from GPG4Win ( > https://www.gpg4win.org/) > > I'm looking at all these articles online that say you should be able to > edit the card by typing in gpg --card-edit, but when I type that in, I get > this: > > gpg: detected reader `SCM Microsystems Inc. SCR33x USB Smart Card Reader 0' > Please insert the card and hit return or enter 'c' to cancel: > > So I've tried taking out the card, putting it back in, restarting the > windows service in task manager, unplugging the reader, plugging it back > in, etc. Nothing changes. > > When I try gpg2 --card-edit, I get gpg: OpenPGP card not available: Not > supported. > > I am typing this in, in a windows command prompt running as administrator. > > Any suggestions? I'm trying to get some pgp keys onto the card and use it > for decrypting, signing, etc. > > -- > Josh Terrill // developer > 209-676-7334 > > -- Josh Terrill // developer 209-676-7334 -------------- next part -------------- An HTML attachment was scrubbed... URL: From joshterrill.dev at gmail.com Wed Jun 15 22:48:39 2016 From: joshterrill.dev at gmail.com (Joshua Terrill) Date: Wed, 15 Jun 2016 13:48:39 -0700 Subject: Issue with PIVKey C910 PKI Smart Card Message-ID: I just bought a SCM reader ( https://www.amazon.com/gp/product/B002N3MM6W/ref=oh_aui_detailpage_o00_s00?ie=UTF8&psc=1) and PIVKey C910 PKI Smart Card ( https://www.amazon.com/gp/product/B00SJV2CNK/ref=oh_aui_detailpage_o00_s00?ie=UTF8&psc=1 ) I'm running Windows 10, and installed GPG from GPG4Win ( https://www.gpg4win.org/) I'm looking at all these articles online that say you should be able to edit the card by typing in gpg --card-edit, but when I type that in, I get this: gpg: detected reader `SCM Microsystems Inc. SCR33x USB Smart Card Reader 0' Please insert the card and hit return or enter 'c' to cancel: So I've tried taking out the card, putting it back in, restarting the windows service in task manager, unplugging the reader, plugging it back in, etc. Nothing changes. When I try gpg2 --card-edit, I get gpg: OpenPGP card not available: Not supported. I am typing this in, in a windows command prompt running as administrator. Any suggestions? I'm trying to get some pgp keys onto the card and use it for decrypting, signing, etc. -- Josh Terrill // developer 209-676-7334 -------------- next part -------------- An HTML attachment was scrubbed... URL: From yajo.sk8 at gmail.com Wed Jun 15 12:34:41 2016 From: yajo.sk8 at gmail.com (Yajo) Date: Wed, 15 Jun 2016 12:34:41 +0200 Subject: How to sign a PDF using a DNIe Message-ID: Hello everyone. I'm just trying to sign a PDF document using my DNIe . For those who don't know, DNIe is the Spanish ID card, that holds a certificate inside. I'm able to use this card with my card reader under Linux, and combined with Firefox, to access some Spanish goverment's pages that require it. All the packages I installed for that (in Fedora 23) are: opensc pcsc-tools pcsc-lite-ccid firefox I tried then to use both gpg and gpg2 to sign PDFs with no luck. I, being a complete dumb in tems of digital signing, submitted a bug report against OpenSC project , which holds in their core distribution the patches to work with DNIe natively. They obviously said to me that I should ask gpg developers. So, I created a bug for GnuPG , but they told me it should be added to scdaemon, and they closed the bug so I asked where to submit against scdaemon and they told me it's exactly here (so I don't understand why they closed it instead of marking it as improvement, but nevermind). Then werner told me to ask in the list and here I am. So the question is: *how do I sign a PDF with DNIe and GPG?* and if this is not currently possible, *where should I report that in the hope that somebody with interest, knowledge and resources can implement it (or at least future users know there's a bug for that)?* I hope some good soul wants to answer those simple questions to me. Regards. -------------- next part -------------- An HTML attachment was scrubbed... URL: From m.kaufmann at infotech.li Wed Jun 15 14:06:30 2016 From: m.kaufmann at infotech.li (Mike Kaufmann) Date: Wed, 15 Jun 2016 12:06:30 +0000 Subject: AW: WINDOWS - Adding passphrase to gpg via command line In-Reply-To: <5761392D.3030608@digitalbrains.com> References: <1B92CD52D917D24A8B33D05C14D1E91B6BA03ECE@it-serverV01.intern.infotech.li> <87y46dbhxv.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA05A20@it-serverV01.intern.infotech.li> <87ziqt9si2.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA06197@it-serverV01.intern.infotech.li> <87a8isakrb.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA1D9E8@it-serverV01.intern.infotech.li> <575EF826.2010205@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA23861@it-serverV01.intern.infotech.li> <5761392D.3030608@digitalbrains.com> Message-ID: <1B92CD52D917D24A8B33D05C14D1E91B6BA2484B@it-serverV01.intern.infotech.li> Hi Peter Thank you very mutch, that did the trick for the Windows command line! The commands are now executed successfully. But unfortenately when I try to sign the file the pinentry dialog still appears :( I've also tried to put all the commands in one single command combined with the &-operator. Also this command runs successfully, but the pinenetry dialog is shown always. gpgconf --kill gpg-agent & gpg-connect-agent "preset_passphrase C9FE2B0938FC146E088A9D563AED4892A6ACB6FB -1 74657374" /bye & gpg --homedir c:\ESA\EIOPA\PreProd\DCCR --output "C:\ESA\EIOPA\Export\LI001_DATPPP_EIOPA_000001_16.asc" --armor -u vve at fma-li.li --digest-algo SHA512 --sign "c:\ESA\EIOPA\LI001_DATPPP_EIOPA_000001_16.csv" In the attachement you can see the executed commands (Passphrase 74657374 is the hex equivalent of "test" and is replaced, when I run the command). Any further ideas? I am despairing slowly but surely... Regards, Mike -----Urspr?ngliche Nachricht----- Von: Peter Lebbing [mailto:peter at digitalbrains.com] Gesendet: Mittwoch, 15. Juni 2016 13:17 An: Mike Kaufmann Cc: gnupg-users at gnupg.org Betreff: Re: WINDOWS - Adding passphrase to gpg via command line On 15/06/16 08:33, Mike Kaufmann wrote: > See also the attached screenshot. Do you habe any other ideas? You're missing some necessary quoting. Right now, you're sending four separate commands instead of a single command with three options! gpg-connect-agent 'preset_passphrase 74EC3FAA93CD49446EC6825C3EBEB2C336CCBE2A -1 4D7950617373706872617365' /bye should do the trick. Or if the Windows command line doesn't like quoting with apostrophes, you could do gpg-connect-agent "preset_passphrase 74EC3FAA93CD49446EC6825C3EBEB2C336CCBE2A -1 4D7950617373706872617365" /bye HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at -------------- next part -------------- A non-text attachment was scrubbed... Name: GnuPGpressetpassphraseWinCmd.png Type: image/png Size: 19247 bytes Desc: GnuPGpressetpassphraseWinCmd.png URL: From m.kaufmann at infotech.li Thu Jun 16 08:46:09 2016 From: m.kaufmann at infotech.li (Mike Kaufmann) Date: Thu, 16 Jun 2016 06:46:09 +0000 Subject: AW: AW: WINDOWS - Adding passphrase to gpg via command line In-Reply-To: <57614B7F.2020301@digitalbrains.com> References: <1B92CD52D917D24A8B33D05C14D1E91B6BA03ECE@it-serverV01.intern.infotech.li> <87y46dbhxv.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA05A20@it-serverV01.intern.infotech.li> <87ziqt9si2.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA06197@it-serverV01.intern.infotech.li> <87a8isakrb.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA1D9E8@it-serverV01.intern.infotech.li> <575EF826.2010205@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA23861@it-serverV01.intern.infotech.li> <5761392D.3030608@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA2484B@it-serverV01.intern.infotech.li> <57614B7F.2020301@digitalbrains.com> Message-ID: <1B92CD52D917D24A8B33D05C14D1E91B6BA26D19@it-serverV01.intern.infotech.li> Hi I've used http://www.asciitohex.com/ to convert my passphrase in hexstring. Therefore I think, that's not the reason. What I'm not sure: Is the value I use for the first parameter correct? In gpg-help the parameter is described as . In https://lists.gnupg.org/pipermail/gnupg-users/2010-January/037876.html I've seen, that the fingerprint should be used instead of keygrip. What is correct: keygrip or fingerprint? Is there a way with gpg commands to find out the value for this parameter? We have planed to save the passphrase in a database on Server A. On Server B a Webservice can be called from our client app, that reads the passphrase out of database on Server A and calls the gpg-commands on Server B with the passphrase parameter. So the passphrase is not stored plainly on disc on the same server as the key. Or does gpg-agent do this, when using preset-passphrase? Regards, Mike -----Urspr?ngliche Nachricht----- Von: Peter Lebbing [mailto:peter at digitalbrains.com] Gesendet: Mittwoch, 15. Juni 2016 14:35 An: Mike Kaufmann Cc: gnupg-users at gnupg.org Betreff: Re: AW: WINDOWS - Adding passphrase to gpg via command line Hi, > Any further ideas? I am despairing slowly but surely... When I purposely enter the wrong passphrase, the PRESET_PASSPHRASE command succeeds, but subsequently the pinentry will pop up to prompt for the correct passphrase when I try to do anything with the key. So you might have a mistake in the passphrase? You could create a test key and set its passphrase to be test, and explicitly use the hexified version of the word test to try if it works then, since we obviously can't tell you if you've made a mistake with hexifying your real passphrase :-). By the way, depending on your situation, it might not be worse to use your key without a passphrase. Your key is encrypted when stored on disk so that an attacker getting hold of the file doesn't yet have your key. However, when you use gpg-preset-passphrase in a way that stores the passphrase argument plainly on disk as well, the attacker can simply read that file as well and decrypt your key. In such situations, the encryption serves no purpose (other than to make you despair slowly but surely). But in other situations, it can be more secure to use a passphrase, so it all depends. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From yuriping at sohu.com Thu Jun 16 12:17:44 2016 From: yuriping at sohu.com (yuriping at sohu.com) Date: Thu, 16 Jun 2016 18:17:44 +0800 Subject: keytyping never end when gen-key, and importing key warning Message-ID: <1466072264.a9aa88a6d1e344718ae5fb99e486219d.yuriping@sohu.com> Hi, allWe're using gpg 1.4.20 on an arm target board;Problem 1.When I run "gpg --gen-key", everything done well, except the last step, type on the keyboard to gain enough entropy for the random number generator, the process seemingly will never end.Ref. to the attatchment, pls. download and check.I want to know what cause it and how to solve?So I generate one key on PC running Ubuntu, export the key, and then import the key into the target board.Now I can signature files with the key, but when I verify the signature successfully, one Warning emerged as belowProblem 2.    gpg: Signature made Thu Jun 16 10:56:45 2016 CST using RSA key ID 86111D4F    gpg: Good signature from "yuriping (0002) <yuriping at sohu.com>"    gpg: WARNING: This key is not certified with a trusted signature!    gpg:          There is no indication that the signature belongs to the owner.    Primary key fingerprint: 826B 7296 F49E AED4 F45B  443C 1907 1CAC 8611 1D4FHow can I solve this problem?    Best Regards! ------------------------------------------ ???????????????????~ -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: gpg--gen-key_passphrase_noresponse_20160616_1736.txt URL: From gnupg at soondae.co.uk Thu Jun 16 13:38:14 2016 From: gnupg at soondae.co.uk (keith) Date: Thu, 16 Jun 2016 12:38:14 +0100 Subject: keytyping never end when gen-key, and importing key warning In-Reply-To: <1466072264.a9aa88a6d1e344718ae5fb99e486219d.yuriping@sohu.com> References: <1466072264.a9aa88a6d1e344718ae5fb99e486219d.yuriping@sohu.com> Message-ID: <1466077094.2763.19.camel@keith> Hi, I'll take a probable incorrect guess at the first part. GPG relies not only on your activity to create the entropy but also other processes running on the target system. It is however your input that provides the push over the edge. Whilst Ubuntu will be running numerous other processes both in background and foreground your Arm board is likely to be doing much less. The result is that the Ubuntu system gains the required entropy much more quickly and with less input from yourself. Perhaps you can get your Arm board to perform more tasks whilst the keys are being generated. I have found that compressing/decompressing a bunch of files whilst the keys are being generated helps things along immensely. I also remember someone on the list mentioning a process or piece of software that performed a similar task but unfortunately I do not remember the name of it. HTH Keith On Thu, 2016-06-16 at 18:17 +0800, yuriping at sohu.com wrote: > Hi, all > We're using gpg 1.4.20 on an arm target board; > > Problem 1. > When I run "gpg --gen-key", everything done well, except the last > step, type on the keyboard to gain enough entropy for the random > number generator, the process seemingly will never end. > Ref. to the attatchment, pls. download and check. > > I want to know what cause it and how to solve? From peter at digitalbrains.com Thu Jun 16 13:41:11 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 16 Jun 2016 13:41:11 +0200 Subject: WINDOWS - Adding passphrase to gpg via command line In-Reply-To: <1B92CD52D917D24A8B33D05C14D1E91B6BA26D19@it-serverV01.intern.infotech.li> References: <1B92CD52D917D24A8B33D05C14D1E91B6BA03ECE@it-serverV01.intern.infotech.li> <87y46dbhxv.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA05A20@it-serverV01.intern.infotech.li> <87ziqt9si2.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA06197@it-serverV01.intern.infotech.li> <87a8isakrb.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA1D9E8@it-serverV01.intern.infotech.li> <575EF826.2010205@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA23861@it-serverV01.intern.infotech.li> <5761392D.3030608@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA2484B@it-serverV01.intern.infotech.li> <57614B7F.2020301@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA26D19@it-serverV01.intern.infotech.li> Message-ID: <57629057.6040009@digitalbrains.com> Hello, On 16/06/16 08:46, Mike Kaufmann wrote: > I've used http://www.asciitohex.com/ to convert my passphrase in > hexstring. Therefore I think, that's not the reason. Does it end in bytes 0D or 0A? Those are CR/LF ASCII bytes, and should not be included. > What I'm not sure: Is the value I use for the first parameter > correct? By the looks of it, you could check this through: > $ gpg-connect-agent > > havekey 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63 > OK > > havekey 44696420796F7520736565206D79206B6579733F > ERR 67108881 No secret key preset_passphrase will take anything thrown at it without complaint, as long as it's syntactically valid. Whether the information was useful will only become apparent when it is needed. Also, are you unlocking the correct (sub)key? Let's take a look at a test key: > $ gpg2 --with-keygrip -K DCDFDFA4 sec rsa1024/DCDFDFA4 2012-03-17 > [SC] [expires: 2016-06-17] Keygrip = > 2F677680CA15F6F7B963AF35822E8EC01FBF840A uid err Test > Teststra uid err Test Teststra (Koning > van Wezel) ssb rsa1024/77A3395A 2012-03-17 > [E] Keygrip = 15CB764B81D542CF921978CA89910C69D53F4E2D ssb > rsa2048/38EF7410 2016-01-12 [A] Keygrip = > 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63 If I wanted to unlock the key for signatures or certifying, I would unlock the first keygrip. Note that if you have a separate signing subkey, you'd most likely use that for signatures. If I wanted to decrypt stuff, I would unlock the second keygrip. Finally, if I wanted to use the key for SSH authentication, I would unlock the third and final keygrip. If I wanted to unlock the whole private key, I'd unlock all three. > What is correct: keygrip or fingerprint? Keygrips work, so I'd stick to that. > Is there a way with gpg commands to find out the value for this parameter? You mean, like, what the program gpg-preset-passphrase uses? It might, but before I spend time on that, please see if you've already figured it out with the previous part of this message. > We have planed to save the passphrase in a database on Server A. On > Server B a Webservice can be called from our client app, that reads > the passphrase out of database on Server A and calls the gpg-commands > on Server B with the passphrase parameter. So the passphrase is not > stored plainly on disc on the same server as the key. I don't feel qualified to comment on the usefulness of this arrangement, so I won't. This says something about me, not about your setup. > Or does gpg-agent do this, when using preset-passphrase? No, gpg-agent will not write to disk, and tries to prevent the operating system from doing so, if it is supported on your OS. HTH, Peter. PS: Could you perhaps use inline-quoting and strip your quotes? Alternatively, sometimes it's not unreasonable to just remove all the quoted text. But the dangling original message below your reply is an unwanted style here at gnupg-users. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From dashohoxha at gmail.com Thu Jun 16 13:41:58 2016 From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Thu, 16 Jun 2016 13:41:58 +0200 Subject: keytyping never end when gen-key, and importing key warning In-Reply-To: <1466072264.a9aa88a6d1e344718ae5fb99e486219d.yuriping@sohu.com> References: <1466072264.a9aa88a6d1e344718ae5fb99e486219d.yuriping@sohu.com> Message-ID: On Thu, Jun 16, 2016 at 12:17 PM, wrote: > > Problem 1. > When I run "gpg --gen-key", everything done well, except the last step, > type on the keyboard to gain enough entropy for the random number > generator, the process seemingly will never end. > Ref. to the attatchment, pls. download and check. > > I want to know what cause it and how to solve? > This is a well known issue. If you install haveged: `apt-get install haveged` it will improve greatly the time of key generation. What is entropy and why it is slow? This is beyond my understanding. > So I generate one key on PC running Ubuntu, export the key, and then > import the key into the target board. > Now I can signature files with the key, but when I verify the signature > successfully, one Warning emerged as below > > Problem 2. > > gpg: Signature made Thu Jun 16 10:56:45 2016 CST using RSA key ID > 86111D4F > gpg: Good signature from "yuriping (0002) " > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the > owner. > Primary key fingerprint: 826B 7296 F49E AED4 F45B 443C 1907 1CAC 8611 > 1D4F > > How can I solve this problem? > After importing your key, you also need to sign it as "ultimately trusted", which is a geeky way of telling gpg that this is your personal key. This can be done with `gpg --edit-key` and then either `sign` or `trust` (try each of them). -------------- next part -------------- An HTML attachment was scrubbed... URL: From peter at digitalbrains.com Thu Jun 16 16:51:28 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 16 Jun 2016 16:51:28 +0200 Subject: WINDOWS - Adding passphrase to gpg via command line In-Reply-To: <1B92CD52D917D24A8B33D05C14D1E91B6BA4AE60@it-serverV01.intern.infotech.li> References: <1B92CD52D917D24A8B33D05C14D1E91B6BA03ECE@it-serverV01.intern.infotech.li> <87y46dbhxv.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA05A20@it-serverV01.intern.infotech.li> <87ziqt9si2.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA06197@it-serverV01.intern.infotech.li> <87a8isakrb.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA1D9E8@it-serverV01.intern.infotech.li> <575EF826.2010205@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA23861@it-serverV01.intern.infotech.li> <5761392D.3030608@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA2484B@it-serverV01.intern.infotech.li> <57614B7F.2020301@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA26D19@it-serverV01.intern.infotech.li> <57629057.6040009@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA4AE60@it-serverV01.intern.infotech.li> Message-ID: <5762BCF0.8090200@digitalbrains.com> On 16/06/16 16:13, Mike Kaufmann wrote: > I've tried this commands with all the KeyGrips that are listed with a command similar to > gpg2 --with-keygrip -K DCDFDFA4 sec rsa1024/DCDFDFA4 2012-03-17. That part got accidentally mangled when I asked my mailer to reflow the message. It was supposed to be: > $ gpg2 --with-keygrip -K DCDFDFA4 > sec rsa1024/DCDFDFA4 2012-03-17 [SC] [expires: 2016-06-17] > Keygrip = 2F677680CA15F6F7B963AF35822E8EC01FBF840A > uid err Test Teststra > uid err Test Teststra (Koning van Wezel) > ssb rsa1024/77A3395A 2012-03-17 [E] > Keygrip = 15CB764B81D542CF921978CA89910C69D53F4E2D > ssb rsa2048/38EF7410 2016-01-12 [A] > Keygrip = 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63 > I always receive the message > ERR 67108881 No secret key I'm at a loss, frankly. I don't understand. You're using GnuPG v2.1.11, you can use the key itself, but the agent isn't aware of having it! That does not compute. I can only think of one thing. Are you really using GnuPG v2.1.11, or do you have GnuPG 1.4 co-installed and are you using that? If the latter, that's not going to work with keygrips. If the name of the binary you're invoking is "gpg", what does "gpg --version" say? Could you show the invocation and output of using gpg to sign or decrypt something? Please add "-v" to the command line to make it more verbose. And could you show command and output for determining the keygrip you're intending to use? HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From fsantiago at garbage-juice.com Thu Jun 16 19:30:42 2016 From: fsantiago at garbage-juice.com (Fabian Santiago) Date: Thu, 16 Jun 2016 13:30:42 -0400 Subject: key signing parties in NJ Message-ID: Anyone? NJ PGP key signing parties...? - Fabian S. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Thu Jun 16 20:27:52 2016 From: wk at gnupg.org (Werner Koch) Date: Thu, 16 Jun 2016 20:27:52 +0200 Subject: [Announce] GnuPG 2.1.13 released Message-ID: <87fusdkmzb.fsf@wheatstone.g10code.de> Hello! The GnuPG team is pleased to announce the availability of a new release of GnuPG modern: Version 2.1.13. See below for new features and bug fixes. The GNU Privacy Guard (GnuPG) is a complete and free implementation of the OpenPGP standard which is commonly abbreviated as PGP. GnuPG allows to encrypt and sign data and communication, features a versatile key management system as well as access modules for public key directories. GnuPG itself is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries making use of GnuPG are available. Since version 2 GnuPG provides support for S/MIME and Secure Shell in addition to OpenPGP. GnuPG is Free Software (meaning that it respects your freedom). It can be freely used, modified and distributed under the terms of the GNU General Public License. Three different branches of GnuPG are actively maintained: - GnuPG "modern" (2.1) is the latest development with a lot of new features. This announcement is about this branch. - GnuPG "stable" (2.0) is the current stable version for general use. This is what most users are still using. - GnuPG "classic" (1.4) is the old standalone version which is most suitable for older or embedded platforms. You may not install "modern" (2.1) and "stable" (2.0) at the same time. However, it is possible to install "classic" (1.4) along with any of the other versions. Noteworthy changes in version 2.1.13 ==================================== * gpg: New command --quick-addkey. Extend the --quick-gen-key command. * gpg: New --keyid-format "none" which is now also the default. * gpg: New option --with-subkey-fingerprint. * gpg: Include Signer's UID subpacket in signatures if the secret key has been specified using a mail address and the new option --disable-signer-uid is not used. * gpg: Allow unattended deletion of a secret key. * gpg: Allow export of non-passphrase protected secret keys. * gpg: New status lines KEY_CONSIDERED and NOTATION_FLAGS. * gpg: Change status line TOFU_STATS_LONG to use '~' as a non-breaking-space character. * gpg: Speedup key listings in Tofu mode. * gpg: Make sure that the current and total values of a PROGRESS status line are small enough. * gpgsm: Allow the use of AES192 and SERPENT ciphers. * dirmngr: Adjust WKD lookup to current specs. * dirmngr: Fallback to LDAP v3 if v2 is is not supported. * gpgconf: New commands --create-socketdir and --remove-socketdir, new option --homedir. * If a /run/user/$UID directory exists, that directory is now used for IPC sockets instead of the GNUPGHOME directory. This fixes problems with NFS and too long socket names and thus avoids the need for redirection files. * The Speedo build systems now uses the new versions.gnupg.org server to retrieve the default package versions. * Fix detection of libusb on FreeBSD. * Speedup fd closing after a fork. A detailed description of the changes found in the 2.1 branch can be found at . Please be aware that there are still known bugs which we are working on. Check https://bugs.gnupg.org, https://wiki.gnupg.org, and the mailing list archives for known problems and workarounds. Getting the Software ==================== Please follow the instructions found at or read on: GnuPG 2.1.13 may be downloaded from one of the GnuPG mirror sites or direct from its primary FTP server. The list of mirrors can be found at . Note that GnuPG is not available at ftp.gnu.org. The GnuPG source code compressed using BZIP2 and its OpenPGP signature are available here: ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.13.tar.bz2 (5415k) ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.13.tar.bz2.sig or here: https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.1.13.tar.bz2 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.1.13.tar.bz2.sig Please kill running gpg-agent and dirmngr processes before using this release. An installer for Windows without any graphical frontend except for a basic Pinentry tool is available here: ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.13_20160616.exe (3527k) ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.13_20160616.exe.sig or here https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.1.13_20160616.exe https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.1.13_20160616.exe.sig The source used to build the Windows installer can be found in the same directory with a ".tar.xz" suffix. This Windows installer comes with Tofu support, translations, and support for Tor and the Tor browser. It is still missing HKPS support, though. Checking the Integrity ====================== In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a version of GnuPG installed, you can simply verify the supplied signature. For example to verify the signature of the file gnupg-2.1.13.tar.bz2 you would use this command: gpg --verify gnupg-2.1.13.tar.bz2.sig gnupg-2.1.13.tar.bz2 This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by one or more of the release signing keys. Make sure that this is a valid key, either by matching the shown fingerprint against a trustworthy list of valid release signing keys or by checking that the key has been signed by trustworthy other keys. See below for information on the signing keys. * If you are not able to use an existing version of GnuPG, you have to verify the SHA-1 checksum. On Unix systems the command to do this is either "sha1sum" or "shasum". Assuming you downloaded the file gnupg-2.1.13.tar.bz2, you run the command like this: sha1sum gnupg-2.1.13.tar.bz2 and check that the output matches the next line: 6ec1ae6db7815fdbd4151fb6b0b7197b65b05d1f gnupg-2.1.13.tar.bz2 2debd757534d777bb9c69c18f9492e9a9e5a3a72 gnupg-w32-2.1.13_20160616.exe 44b473d355de8546351c4f737f807b40220715ff gnupg-w32-2.1.13_20160616.tar.xz Release Signing Keys ==================== To guarantee that a downloaded GnuPG version has not been tampered by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these four keys: 2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31] Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 Werner Koch (dist sig) rsa2048/E0856959 2014-10-29 [expires: 2019-12-31] Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959 David Shaw (GnuPG Release Signing Key) rsa2048/33BD3F06 2014-10-29 [expires: 2016-10-28] Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06 NIIBE Yutaka (GnuPG Release Key) rsa2048/7EFD60D9 2014-10-19 [expires: 2020-12-31] Key fingerprint = D238 EA65 D64C 67ED 4C30 73F2 8A86 1B1C 7EFD 60D9 Werner Koch (Release Signing Key) You may retrieve these keys from a keyserver using this command gpg --keyserver hkp://keys.gnupg.net --recv-keys \ 249B39D24F25E3B6 04376F3EE0856959 \ 2071B08A33BD3F06 8A861B1C7EFD60D9 The keys are also available at https://gnupg.org/signature_key.html and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key. Internationalization ==================== This version of GnuPG has support for 26 languages with Chinese, Czech, French, German, Japanese, Russian, and Ukrainian being almost completely translated (2168 different strings). Documentation ============= If you used GnuPG in the past you should read the description of changes and new features at doc/whats-new-in-2.1.txt or online at https://gnupg.org/faq/whats-new-in-2.1.html The file gnupg.info has the complete user manual of the system. Separate man pages are included as well but they have not all the details available as are the manual. It is also possible to read the complete manual online in HTML format at https://gnupg.org/documentation/manuals/gnupg/ or in Portable Document Format at https://gnupg.org/documentation/manuals/gnupg.pdf . The chapters on gpg-agent, gpg and gpgsm include information on how to set up the whole thing. You may also want search the GnuPG mailing list archives or ask on the gnupg-users mailing lists for advise on how to solve problems. Many of the new features are around for several years and thus enough public knowledge is already available. You may also want to follow our postings at and . Support ======== Please consult the archive of the gnupg-users mailing list before reporting a bug . We suggest to send bug reports for a new release to this list in favor of filing a bug at . If you need commercial support check out . If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion. Maintenance and development of GnuPG is mostly financed by donations. As of today we employ 3 full-time developers, one part-timer, and one contractor. They all work on GnuPG and closely related software like Libgcrypt and GPA. Please consider to donate via: https://gnupg.org/donate/ Thanks ====== We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, answering questions on the mailing lists, and donating money. See you at OpenPGP.conf . For the GnuPG hackers, Werner p.s. This is an announcement only mailing list. Please send replies only to the gnupg-users'at'gnupg.org mailing list. -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. /* EFH in Erkrath: https://alt-hochdahl.de/haus */ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 180 bytes Desc: not available URL: -------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From m.kaufmann at infotech.li Thu Jun 16 16:13:02 2016 From: m.kaufmann at infotech.li (Mike Kaufmann) Date: Thu, 16 Jun 2016 14:13:02 +0000 Subject: AW: WINDOWS - Adding passphrase to gpg via command line In-Reply-To: <57629057.6040009@digitalbrains.com> References: <1B92CD52D917D24A8B33D05C14D1E91B6BA03ECE@it-serverV01.intern.infotech.li> <87y46dbhxv.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA05A20@it-serverV01.intern.infotech.li> <87ziqt9si2.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA06197@it-serverV01.intern.infotech.li> <87a8isakrb.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA1D9E8@it-serverV01.intern.infotech.li> <575EF826.2010205@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA23861@it-serverV01.intern.infotech.li> <5761392D.3030608@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA2484B@it-serverV01.intern.infotech.li> <57614B7F.2020301@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA26D19@it-serverV01.intern.infotech.li> <57629057.6040009@digitalbrains.com> Message-ID: <1B92CD52D917D24A8B33D05C14D1E91B6BA4AE60@it-serverV01.intern.infotech.li> > Does it end in bytes 0D or 0A? Those are CR/LF ASCII bytes, and should not be included. No, it does not end in one of these bytes. > $ gpg-connect-agent > > havekey 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63 > OK > > havekey 44696420796F7520736565206D79206B6579733F > ERR 67108881 No secret key I've tried this commands with all the KeyGrips that are listed with a command similar to gpg2 --with-keygrip -K DCDFDFA4 sec rsa1024/DCDFDFA4 2012-03-17. I always receive the message ERR 67108881 No secret key Regards, Mike From lenharo at gmail.com Fri Jun 17 03:25:25 2016 From: lenharo at gmail.com (Marcos Aurelio Lenharo) Date: Thu, 16 Jun 2016 22:25:25 -0300 Subject: WINDOWS - Adding passphrase to gpg via command line In-Reply-To: <5762BCF0.8090200@digitalbrains.com> References: <1B92CD52D917D24A8B33D05C14D1E91B6BA03ECE@it-serverV01.intern.infotech.li> <87y46dbhxv.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA05A20@it-serverV01.intern.infotech.li> <87ziqt9si2.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA06197@it-serverV01.intern.infotech.li> <87a8isakrb.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA1D9E8@it-serverV01.intern.infotech.li> <575EF826.2010205@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA23861@it-serverV01.intern.infotech.li> <5761392D.3030608@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA2484B@it-serverV01.intern.infotech.li> <57614B7F.2020301@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA26D19@it-serverV01.intern.infotech.li> <57629057.6040009@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA4AE60@it-serverV01.intern.infotech.li> <5762BCF0.8090200@digitalbrains.com> Message-ID: <8e998e3d-fb2d-d1cf-f025-5da7c6839d78@gmail.com> Em 16-06-2016 11:51, Peter Lebbing escreveu: > On 16/06/16 16:13, Mike Kaufmann wrote: >> I've tried this commands with all the KeyGrips that are listed with a command similar to >> gpg2 --with-keygrip -K DCDFDFA4 sec rsa1024/DCDFDFA4 2012-03-17. > That part got accidentally mangled when I asked my mailer to reflow the > message. It was supposed to be: > >> $ gpg2 --with-keygrip -K DCDFDFA4 >> sec rsa1024/DCDFDFA4 2012-03-17 [SC] [expires: 2016-06-17] >> Keygrip = 2F677680CA15F6F7B963AF35822E8EC01FBF840A >> uid err Test Teststra >> uid err Test Teststra (Koning van Wezel) >> ssb rsa1024/77A3395A 2012-03-17 [E] >> Keygrip = 15CB764B81D542CF921978CA89910C69D53F4E2D >> ssb rsa2048/38EF7410 2016-01-12 [A] >> Keygrip = 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63 > > >> I always receive the message >> ERR 67108881 No secret key > I'm at a loss, frankly. I don't understand. You're using GnuPG v2.1.11, > you can use the key itself, but the agent isn't aware of having it! That > does not compute. I can only think of one thing. Are you really using > GnuPG v2.1.11, or do you have GnuPG 1.4 co-installed and are you using > that? If the latter, that's not going to work with keygrips. If the name > of the binary you're invoking is "gpg", what does > "gpg --version" say? > > Could you show the invocation and output of using gpg to sign or decrypt > something? Please add "-v" to the command line to make it more verbose. > And could you show command and output for determining the keygrip you're > intending to use? > > HTH, > > Peter. > Hello guys, I think this is related to the following issue I opened last year: https://bugs.gnupg.org/gnupg/issue2015 Best Regards, Marcos A. Lenharo From gniibe at fsij.org Fri Jun 17 06:17:42 2016 From: gniibe at fsij.org (NIIBE Yutaka) Date: Fri, 17 Jun 2016 13:17:42 +0900 Subject: How to sign a PDF using a DNIe In-Reply-To: References: Message-ID: <576379E6.4030404@fsij.org> On 06/15/2016 07:34 PM, Yajo wrote: > I tried then to use both gpg and gpg2 to sign PDFs with no luck. > > I, being a complete dumb in tems of digital signing, submitted a bug > report against OpenSC project > , which holds in their core > distribution the patches to work with DNIe natively. They obviously said > to me that I should ask gpg developers. > > So, I created a bug for GnuPG , > but they told me it should be added to scdaemon, and they closed the bug > so I asked where to submit against scdaemon and they told me it's > exactly here (so I don't understand why they closed it instead of > marking it as improvement, but nevermind). > > Then werner told me to ask in the list and here I am. > > So the question is: *how do I sign a PDF with DNIe and GPG?* and if this > is not currently possible, *where should I report that in the hope that > somebody with interest, knowledge and resources can implement it (or at > least future users know there's a bug for that)?* > > I hope some good soul wants to answer those simple questions to me. I'd recommend to seek other software instead. Simply, general smartcard is not supported. It seems that you have an illusion that GnuPG and its scdaemon can support any smartcard in general. No, we can't. Fundamentally, while OpenPGPcard can be under control of its user, general smartcard is designed in the situation that it is under control by its issuer ( card is usually not a user's property ). The scdaemon basically supports OpenPGPcard and its compatible only. For X.509, we have gpgsm and we have drivers for DINSIG German Geldkarte Telesec NKS some specific pkcs#15 cards SmartCard-HSM however, other than SmartCard-HSM, it's outdated. Technically speaking, following the way of SmartCard-HSM, it would be possible to support some smartcard for X.509. -- From peter at digitalbrains.com Fri Jun 17 10:19:40 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Fri, 17 Jun 2016 10:19:40 +0200 Subject: WINDOWS - Adding passphrase to gpg via command line In-Reply-To: <1B92CD52D917D24A8B33D05C14D1E91B6BA4CDF0@it-serverV01.intern.infotech.li> References: <1B92CD52D917D24A8B33D05C14D1E91B6BA03ECE@it-serverV01.intern.infotech.li> <87y46dbhxv.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA05A20@it-serverV01.intern.infotech.li> <87ziqt9si2.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA06197@it-serverV01.intern.infotech.li> <87a8isakrb.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA1D9E8@it-serverV01.intern.infotech.li> <575EF826.2010205@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA23861@it-serverV01.intern.infotech.li> <5761392D.3030608@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA2484B@it-serverV01.intern.infotech.li> <57614B7F.2020301@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA26D19@it-serverV01.intern.infotech.li> <57629057.6040009@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA4AE60@it-serverV01.intern.infotech.li> <5762BCF0.8090200@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA4CDF0@it-serverV01.intern.infotech.li> Message-ID: <5763B29C.1000305@digitalbrains.com> Well, at least it seems to make more sense now. On 17/06/16 07:24, Mike Kaufmann wrote: > gpg --homedir C:\ESA\EIOPA\PreProd\DCCR -k > [...] > > gpg --homedir C:\ESA\EIOPA\PreProd\DCCR -K > [...] > > gpg --homedir c:\ESA\EIOPA\PreProd\DCCR --with-keygrip -K 29FDE3FE sec rsa2048/29FDE3FE 2016-03-21 > [...] > > gpg-connect-agent >> havekey C9FE2B0938FC146E088A9D563AED4892A6ACB6FB > ERR 67108881 Kein geheimer Schl?ssel (First of all, the third should just end "--with-keygrip -K", or possibly with 29FDE3FE to select to list just that secret key. The rest was in my example because I accidentally screwed up the formatting; it is actually the start of the output on the next line) The --homedir option has a lot of influence. You cannot use a "gpg" in one homedir with an agent running in another. So you should also supply the "--homedir " argument to gpg-connect-agent to get a connection for an agent with the correct homedir. You either need to supply the --homedir option to all commands you invoke, or set it through the Windows registry (HKCU\Software\GNU\GnuPG:HomeDir), or just keep it at its default. Also note that running "gpg" as one user and the agent as another will most likely lead to trouble. In fact, since you're continually running into trouble with preset_passphrase, it might make sense to first get it working using just the default homedir, and only when that works, move on to a different homedir. That is, if you do need that different homedir. > gpg --version > gpg (GnuPG) 2.1.12 > libgcrypt 1.7.0 Good. > Home: C:/Users/mika.INTERN/AppData/Roaming/gnupg This is its default homedir. > I use the following command to sign a file: > gpg --homedir c:\ESA\EIOPA\PreProd\DCCR --output C:\ESA\EIOPA\Export\LI001_DATPPP_EIOPA_000001_16.asc --armor -u sender at sendercompany.com --digest-algo SHA512 --sign c:\ESA\EIOPA\LI001_DATPPP_EIOPA_000001_16.csv Could you show its output as well? HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From peter at digitalbrains.com Fri Jun 17 10:25:59 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Fri, 17 Jun 2016 10:25:59 +0200 Subject: WINDOWS - Adding passphrase to gpg via command line In-Reply-To: <8e998e3d-fb2d-d1cf-f025-5da7c6839d78@gmail.com> References: <1B92CD52D917D24A8B33D05C14D1E91B6BA03ECE@it-serverV01.intern.infotech.li> <87y46dbhxv.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA05A20@it-serverV01.intern.infotech.li> <87ziqt9si2.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA06197@it-serverV01.intern.infotech.li> <87a8isakrb.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA1D9E8@it-serverV01.intern.infotech.li> <575EF826.2010205@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA23861@it-serverV01.intern.infotech.li> <5761392D.3030608@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA2484B@it-serverV01.intern.infotech.li> <57614B7F.2020301@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA26D19@it-serverV01.intern.infotech.li> <57629057.6040009@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA4AE60@it-serverV01.intern.infotech.li> <5762BCF0.8090200@digitalbrains.com> <8e998e3d-fb2d-d1cf-f025-5da7c6839d78@gmail.com> Message-ID: <5763B417.3050203@digitalbrains.com> On 17/06/16 03:25, Marcos Aurelio Lenharo wrote: > I think this is related to the following issue I opened last year: > > https://bugs.gnupg.org/gnupg/issue2015 Thanks for the pointer! While I'm not sure, I think this isn't the problem in this specific case. I think that bug affects stuff that uses the GET_PASSPHRASE command only. In GnuPG v2.1, the private key is actually inside the agent, and the agent no longer just caches passphrases. So the GET_PASSPHRASE command is no longer used to do private key operations. Instead, the commands PKSIGN and PKDECRYPT are used (if I'm not mistaken). I myself got the PRESET_PASSPHRASE command to work for me, with GnuPG v2.1.11. Cheers, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From peter at digitalbrains.com Fri Jun 17 10:29:32 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Fri, 17 Jun 2016 10:29:32 +0200 Subject: WINDOWS - Adding passphrase to gpg via command line In-Reply-To: <5763B29C.1000305@digitalbrains.com> References: <1B92CD52D917D24A8B33D05C14D1E91B6BA03ECE@it-serverV01.intern.infotech.li> <1B92CD52D917D24A8B33D05C14D1E91B6BA05A20@it-serverV01.intern.infotech.li> <87ziqt9si2.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA06197@it-serverV01.intern.infotech.li> <87a8isakrb.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA1D9E8@it-serverV01.intern.infotech.li> <575EF826.2010205@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA23861@it-serverV01.intern.infotech.li> <5761392D.3030608@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA2484B@it-serverV01.intern.infotech.li> <57614B7F.2020301@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA26D19@it-serverV01.intern.infotech.li> <57629057.6040009@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA4AE60@it-serverV01.intern.infotech.li> <5762BCF0.8090200@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA4CDF0@it-serverV01.intern.infotech.li> <5763B29C.1000305@digitalbrains.com> Message-ID: <5763B4EC.8020309@digitalbrains.com> On 17/06/16 10:19, Peter Lebbing wrote: >> I use the following command to sign a file: >> gpg --homedir c:\ESA\EIOPA\PreProd\DCCR --output C:\ESA\EIOPA\Export\LI001_DATPPP_EIOPA_000001_16.asc --armor -u sender at sendercompany.com --digest-algo SHA512 --sign c:\ESA\EIOPA\LI001_DATPPP_EIOPA_000001_16.csv > > Could you show its output as well? With a -v somewhere there for some added verbosity! Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From peter at digitalbrains.com Fri Jun 17 11:33:19 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Fri, 17 Jun 2016 11:33:19 +0200 Subject: AW: WINDOWS - Adding passphrase to gpg via command line In-Reply-To: <1B92CD52D917D24A8B33D05C14D1E91B6BA4E533@it-serverV01.intern.infotech.li> References: <1B92CD52D917D24A8B33D05C14D1E91B6BA03ECE@it-serverV01.intern.infotech.li> <87ziqt9si2.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA06197@it-serverV01.intern.infotech.li> <87a8isakrb.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA1D9E8@it-serverV01.intern.infotech.li> <575EF826.2010205@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA23861@it-serverV01.intern.infotech.li> <5761392D.3030608@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA2484B@it-serverV01.intern.infotech.li> <57614B7F.2020301@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA26D19@it-serverV01.intern.infotech.li> <57629057.6040009@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA4AE60@it-serverV01.intern.infotech.li> <5762BCF0.8090200@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA4CDF0@it-serverV01.intern.infotech.li> <5763B29C.1000305@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA4E533@it-serverV01.intern.infotech.li> Message-ID: <5763C3DF.1060307@digitalbrains.com> Hi, On 17/06/16 11:25, Mike Kaufmann wrote: > The hint with the homedir did the trick - you are my hero! Ah that's really great! > gpgconf --kill gpg-agent I read that in v2.1.13, gpgconf gains an option "--homedir" as well. So starting with that release, I'd advise to include the --homedir for gpgconf invocations. In fact, I'm unsure whether the version before v2.1.13 actually does what you want it to do now... it might only kill an agent pertaining to the default homedir, I don't know. > gpg --homedir C:\ESA\EIOPA\PreProd\DCCR -v --output C:\ESA\EIOPA\Export\LI001_DATPPP_EIOPA_000001_16.asc --armor -u sender at sendercompany.com --digest-algo SHA512 --sign c:\ESA\EIOPA\LI001_DATPPP_EIOPA_000001_16.csv You don't need the "-v" on every invocation. It just makes it more chatty about what it does, and that is helpful when trying to root out the cause of a problem. It's less useful in production. > Thank you very much for all your advises help! You're welcome! I'm happy we found the problem. Cheers, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From wk at gnupg.org Fri Jun 17 12:12:11 2016 From: wk at gnupg.org (Werner Koch) Date: Fri, 17 Jun 2016 12:12:11 +0200 Subject: How to sign a PDF using a DNIe In-Reply-To: <576379E6.4030404@fsij.org> (NIIBE Yutaka's message of "Fri, 17 Jun 2016 13:17:42 +0900") References: <576379E6.4030404@fsij.org> Message-ID: <87ziqkf7k4.fsf@wheatstone.g10code.de> On Fri, 17 Jun 2016 06:17, gniibe at fsij.org said: > Telesec NKS > some specific pkcs#15 cards > SmartCard-HSM > > however, other than SmartCard-HSM, it's outdated. The Telesec NetKey 3.0 card should still work. We plan to use this card for the Gpg4VSNfd project (for S/MIME) and thus it is likely that problems will be solved soon. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. /* EFH in Erkrath: https://alt-hochdahl.de/haus */ From m.kaufmann at infotech.li Fri Jun 17 07:24:02 2016 From: m.kaufmann at infotech.li (Mike Kaufmann) Date: Fri, 17 Jun 2016 05:24:02 +0000 Subject: AW: WINDOWS - Adding passphrase to gpg via command line In-Reply-To: <5762BCF0.8090200@digitalbrains.com> References: <1B92CD52D917D24A8B33D05C14D1E91B6BA03ECE@it-serverV01.intern.infotech.li> <87y46dbhxv.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA05A20@it-serverV01.intern.infotech.li> <87ziqt9si2.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA06197@it-serverV01.intern.infotech.li> <87a8isakrb.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA1D9E8@it-serverV01.intern.infotech.li> <575EF826.2010205@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA23861@it-serverV01.intern.infotech.li> <5761392D.3030608@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA2484B@it-serverV01.intern.infotech.li> <57614B7F.2020301@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA26D19@it-serverV01.intern.infotech.li> <57629057.6040009@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA4AE60@it-serverV01.intern.infotech.li> <5762BCF0.8090200@digitalbrains.com> Message-ID: <1B92CD52D917D24A8B33D05C14D1E91B6BA4CDF0@it-serverV01.intern.infotech.li> Hi >I'm at a loss, frankly. I don't understand. You're using GnuPG v2.1.11, you can use the key itself, but the agent isn't aware of having it! That does not compute. I can only think of one thing. Are you really using GnuPG v2.1.11, or do you have GnuPG 1.4 co-installed and are you using that? If the latter, that's >not going to work with keygrips. If the name of the binary you're invoking is "gpg", what does "gpg --version" say? In the following lines you can see the results of all the commands, that you have mentioned in the mails before: gpg --homedir C:\ESA\EIOPA\PreProd\DCCR -k C:/ESA/EIOPA/PreProd/DCCR/pubring.kbx ------------------------------------- pub rsa2048/29FDE3FE 2016-03-21 [SC] [verf?llt: 2017-04-30] uid [ ultimativ] LI001_DCCR_PreProd (Sender Company) sub rsa2048/ADA7F402 2016-03-23 [E] [verf?llt: 2017-04-30] pub rsa2048/0B46586F 2016-01-28 [SC] [verf?llt: 2017-04-30] uid [ unbekannt] Registers_PP (Register test environment 2016) sub rsa2048/32D2EF29 2016-01-28 [E] [verf?llt: 2017-04-30] gpg --homedir C:\ESA\EIOPA\PreProd\DCCR -K C:/ESA/EIOPA/PreProd/DCCR/pubring.kbx ------------------------------------- sec rsa2048/29FDE3FE 2016-03-21 [SC] [verf?llt: 2017-04-30] uid [ ultimativ] LI001_DCCR_PreProd (Sender Company) ssb rsa2048/ADA7F402 2016-03-23 [E] [verf?llt: 2017-04-30] gpg --homedir c:\ESA\EIOPA\PreProd\DCCR --with-keygrip -K 29FDE3FE sec rsa2048/29FDE3FE 2016-03-21 sec rsa2048/29FDE3FE 2016-03-21 [SC] [verf?llt: 2017-04-30] Keygrip = C9FE2B0938FC146E088A9D563AED4892A6ACB6FB uid [ ultimativ] LI001_DCCR_PreProd (Sender Company) ssb rsa2048/ADA7F402 2016-03-23 [E] [verf?llt: 2017-04-30] Keygrip = 74EC3FAA93CD49446EC6825C3EBEB2C336CCBE2A gpg-connect-agent > havekey C9FE2B0938FC146E088A9D563AED4892A6ACB6FB ERR 67108881 Kein geheimer Schl?ssel > havekey 74EC3FAA93CD49446EC6825C3EBEB2C336CCBE2A ERR 67108881 Kein geheimer Schl?ssel gpg --version gpg (GnuPG) 2.1.12 libgcrypt 1.7.0 Copyright (C) 2016 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: C:/Users/mika.INTERN/AppData/Roaming/gnupg Unterst?tzte Verfahren: ?ff. Schl?ssel: RSA, ELG, DSA, ECDH, ECDSA, EDDSA Verschl?.: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Komprimierung: nicht komprimiert, ZIP, ZLIB, BZIP2 I use the following command to sign a file: gpg --homedir c:\ESA\EIOPA\PreProd\DCCR --output C:\ESA\EIOPA\Export\LI001_DATPPP_EIOPA_000001_16.asc --armor -u sender at sendercompany.com --digest-algo SHA512 --sign c:\ESA\EIOPA\LI001_DATPPP_EIOPA_000001_16.csv Regards Mike From m.kaufmann at infotech.li Fri Jun 17 11:25:53 2016 From: m.kaufmann at infotech.li (Mike Kaufmann) Date: Fri, 17 Jun 2016 09:25:53 +0000 Subject: AW: WINDOWS - Adding passphrase to gpg via command line In-Reply-To: <5763B29C.1000305@digitalbrains.com> References: <1B92CD52D917D24A8B33D05C14D1E91B6BA03ECE@it-serverV01.intern.infotech.li> <87y46dbhxv.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA05A20@it-serverV01.intern.infotech.li> <87ziqt9si2.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA06197@it-serverV01.intern.infotech.li> <87a8isakrb.fsf@wheatstone.g10code.de> <1B92CD52D917D24A8B33D05C14D1E91B6BA1D9E8@it-serverV01.intern.infotech.li> <575EF826.2010205@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA23861@it-serverV01.intern.infotech.li> <5761392D.3030608@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA2484B@it-serverV01.intern.infotech.li> <57614B7F.2020301@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA26D19@it-serverV01.intern.infotech.li> <57629057.6040009@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA4AE60@it-serverV01.intern.infotech.li> <5762BCF0.8090200@digitalbrains.com> <1B92CD52D917D24A8B33D05C14D1E91B6BA4CDF0@it-serverV01.intern.infotech.li> <5763B29C.1000305@digitalbrains.com> Message-ID: <1B92CD52D917D24A8B33D05C14D1E91B6BA4E533@it-serverV01.intern.infotech.li> Hi Peter The hint with the homedir did the trick - you are my hero! > The --homedir option has a lot of influence. You cannot use a "gpg" in one homedir with an agent running in another. So you should also supply the "--homedir " argument to gpg-connect-agent to get a connection for an agent with the correct homedir. > You either need to supply the --homedir option to all commands you invoke, or set it through the Windows registry (HKCU\Software\GNU\GnuPG:HomeDir), or just keep it at its default. Also note that running "gpg" as one user and the agent as another will most likely lead to trouble. I was able to sign a file with a passphrase protected private key in Windows Command Line with a different homedir without pinentry dialog with the following commands (74657374 is the hexstring for "test"): gpgconf --kill gpg-agent gpg-connect-agent --homedir c:\ESA\EIOPA\PreProd\DCCR "preset_passphrase C9FE2B0938FC146E088A9D563AED4892A6ACB6FB -1 74657374" /bye gpg --homedir C:\ESA\EIOPA\PreProd\DCCR -v --output C:\ESA\EIOPA\Export\LI001_DATPPP_EIOPA_000001_16.asc --armor -u sender at sendercompany.com --digest-algo SHA512 --sign c:\ESA\EIOPA\LI001_DATPPP_EIOPA_000001_16.csv Thank you very much for all your advises help! Regards Mike From ck+gnupgusers at bl4ckb0x.de Sat Jun 18 15:51:16 2016 From: ck+gnupgusers at bl4ckb0x.de (Conrad Kostecki) Date: Sat, 18 Jun 2016 13:51:16 +0000 Subject: OpenGPG Smart Card v2.1 - unable to create key - card error Message-ID: Hi! I've bought an OpenGPG Smart Card v2.1 and trying now to generate a 4096 bit key for me. Using it with my ThinkPad X260 and a Alcor Smart Card Reader. $ gpg --version gpg (GnuPG) 2.1.13 libgcrypt 1.7.1 Supported algorithms: Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 Before creating a key, the card is found: $ gpg --card-edit Reader ...........: 058F:9540:X:0 Application ID ...: DXXXXXXXXXXXXXXXXXXXXXXXXXXX Version ..........: 2.1 Manufacturer .....: ZeitControl Serial number ....: 0000XXXX Name of cardholder: [not set] Language prefs ...: de Sex ..............: [not set] URL of public key : [not set] Login data .......: [not set] Signature PIN ....: not forced Key attributes ...: rsa4096 rsa4096 rsa4096 Max. PIN lengths .: 32 32 32 PIN retry counter : 3 0 3 Signature counter : 0 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none] Now, when I do start the creation of the key, it fails with a card error at the end: gpg/card> generate Make off-card backup of encryption key? (Y/n) Y What keysize do you want for the Signature key? (4096) What keysize do you want for the Encryption key? (4096) What keysize do you want for the Authentication key? (4096) Please specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0) Key does not expire at all Is this correct? (y/N) Y GnuPG needs to construct a user ID to identify your key. Real name: John Doe Email address: john at doe.com Comment: JD You selected this USER-ID: "John Doe (JD) " Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O gpg: key generation failed: Card error Key generation failed: Card error What does card error means? The card is now not anymore accassible. I am only able to access the card again, when I do restart the laptop completly. Cheers Conrad From mschoch at gmail.com Sat Jun 18 20:10:36 2016 From: mschoch at gmail.com (Martin S.) Date: Sat, 18 Jun 2016 20:10:36 +0200 Subject: GnuPG 2.0.30 console output charset Message-ID: <331072930.20160618201036@gmail.com> Hi list How to set GnuPG 2.0.30 configuration that the console output has the correct charset on Windows 7. The language is set to German in registry - but Umlauts are not displayed correctly. Thanks. m.s. From wk at gnupg.org Sun Jun 19 21:02:27 2016 From: wk at gnupg.org (Werner Koch) Date: Sun, 19 Jun 2016 21:02:27 +0200 Subject: OpenGPG Smart Card v2.1 - unable to create key - card error In-Reply-To: (Conrad Kostecki's message of "Sat, 18 Jun 2016 13:51:16 +0000") References: Message-ID: <87y46180jg.fsf@wheatstone.g10code.de> On Sat, 18 Jun 2016 15:51, ck+gnupgusers at bl4ckb0x.de said: > I've bought an OpenGPG Smart Card v2.1 and trying now to generate a > 4096 bit key for me. > Using it with my ThinkPad X260 and a Alcor Smart Card Reader. I guess that AU9540 Smartcard Reader does not work probably. I have never seen one of their readers to work with modern smartcards. But Gniibe has more experience, maybe he can help. As a test try to create a 1024 bit key. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. /* EFH in Erkrath: https://alt-hochdahl.de/haus */ From Hauke_Westemeier at web.de Sat Jun 18 13:42:51 2016 From: Hauke_Westemeier at web.de (Hauke Westemeier) Date: Sat, 18 Jun 2016 13:42:51 +0200 Subject: Old gnupg version by gpg4win is not overwritten Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I just downloaded and installed GnuPG 2.1.13 using the Windows installer provided at ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.13_20160616.exe . Before I had gnupg 2.0.30 installed by the gpg4win-vanilla-2.3.1 installer. The GnuPG 2.1.13 installer told me that there was already a GnuPG version installed (interestingly it stated the version number as 2.3.1) and I choose that this version should be replaced. But after the installation the old gnupg version was still there. I'm not sure but maybe it is because GnuPG 2.1.13 uses C:\Program Files\GnuPG\bin for the executable but the ones of the gpg4win installer were placed in C:\Program Files\GnuPG\ (I would consider a bin subfolder in windows not common). After uninstalling the gpg4win and reinstalling gnupg-w32-2.1.13_20160616.exe it works. As not everybody might check gpg --version it might be worth making the installer more robust by really checking where the old exe files are located or (if one does not want to overwrite/remove gnupg installed by an other installer) print a warning. Kind regards, Hauke -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iF8EARECAB8FAldlM6wYHGhhdWtlX3dlc3RlbWVpZXJAd2ViLmRlAAoJEI8/I36K vfPXDdMAn0XM7RGLeFG9tpThguj/4Kfv3cpHAJ0eIWTo2/F2p+SSvBgDcBk0UfAB Tg== =zySu -----END PGP SIGNATURE----- From Hauke_Westemeier at web.de Sat Jun 18 14:46:06 2016 From: Hauke_Westemeier at web.de (Hauke Westemeier) Date: Sat, 18 Jun 2016 14:46:06 +0200 Subject: Pinetry: window to small + make arrow keys cancel dialog + change number of allowed wrong passphrases Message-ID: <5fa56e4e-d332-be93-fe9b-238cea64d893@web.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I'm using gnupg 2.1.13 under Windows 8.1. The pinetry window does not display the complete text, see here http://pasteboard.co/1M2I56mG.png for a screenshot where you can only see the top pixels of the missing last text line. Before I was using the pinetry that came with gnupg 2.0.30 and there I didn't had this issue (but I'm not sure if the window content was the same). Would it be possible to make the arrow keys (left, right, top, bottom) cancel the pinetry dialog? I use these keys to navigate through my Thunderbird mails and every time I come across an encrypted e-mail the pinetry dialog pops up, even if I'm not interested in this particular e-mail and as Thunderbird is not longer in focus I can not just navigate to the next mail. Of course I could cash the passphrases ore disable that Enigmail automatically tries to decrypt the message or get out of the pinetry dialoge by tab, tab enter... but just pressing the arrow key again to close the pinetry window and get back to Thunderbird would really be convenient. As the arrow keys can not be used in a passphrase I don't see any negative side effects. By default pinetry quits after the passphrase is entered wrongly 3 times. Is there a way to change this number (by gpg-agent.conf)? I searched in the manual for "3", "bad" and "wrong" but didn't find something useful and I don't know how such a parameter could be called. Kind regards, Hauke -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iF8EARECAB8FAldlQn4YHGhhdWtlX3dlc3RlbWVpZXJAd2ViLmRlAAoJEI8/I36K vfPXqpsAn20tjWYiR8gTRL/CSx0He8P5zfNwAJ97cyomnYBp/R/Rujwd0e5aOe/Z Yw== =Xr9u -----END PGP SIGNATURE----- From scd at lst.de Sat Jun 18 20:20:18 2016 From: scd at lst.de (Stefan Dalibor) Date: Sat, 18 Jun 2016 20:20:18 +0200 Subject: gpgsm 2.1.13 / libksba-1.3.4 fail to verify certificate chain Message-ID: <20160618182018.GB25353@lst.de> Hi, trying to set up S/MIME protectecd communication via mutt, but gpgsm 2.1.13 / libksba 1.3.4 (built under Fedora 21) are unable to verify the certificate chain: $ gpgsm --debug-level guru --debug-all --dirmngr-program ./bin/dirmngr.sh --verify smime.p7s ~/gnupg-2.1.13:0 gpgsm: reading options from '/home/scd/.gnupg/gpgsm.conf' gpgsm: enabled debug flags: x509 mpi crypto memory cache memstat hashing ipc gpgsm: detached signature gpgsm: DBG: enabling hash algorithm 2 (1.3.14.3.2.26) gpgsm: detached signature w/o data - assuming certs-only gpgsm: DBG: signer 0 - issuer: gpgsm: DBG: signer 0 - serial: gpgsm: DBG: signer 0 - digest algo: 2 gpgsm: DBG: signer 0 - content-type attribute: 1.2.840.113549.1.7.1 gpgsm: DBG: signer 0 - signature available (sigval hash=0) gpgsm: Signature made 2016-06-14 15:39:52 using certificate ID 0x gpgsm: invalid signature: message digest attribute does not match computed one gpgsm: DBG: message: 9B BB CE DF 97 53 23 1A 8A 2D 82 16 D7 32 74 D0 C7 4D A5 B3 gpgsm: DBG: computed: DA 39 A3 EE 5E 6B 4B 0D 32 55 BF EF 95 60 18 90 AF D8 07 09 Tried to get more information by letting gnupg parse the mail, but got only "Not implmented" messages for CRL checking / invalid certification chain (see end of output below). Is there anything I can do configuration-wise, or is verificating this chain just not -- hopefully yet :)? -- supported by gpgsm? Thanks, Stefan $ ./tools/gpgparsemail --verbose --crypto mailmsg.txt gpgparsemail: non canonical ended line detected (line 2) . h media: multipart signed h signed.protocol: application/x-pkcs7-signature b down b part :------ c begin_hash .Content-Type: multipart/related; . boundary="_004_3D4F30E57ECFD443966400DFA1FDC090787B3C04S1001gagde_"; . type="multipart/alternative" h media: multipart related b down b part :--_004__ .Content-Type: multipart/alternative; . boundary="_000_3D4F30E57ECFD443966400DFA1FDC090787B3C04S1001gagde_" h media: multipart alternative b down b part :--_000__ .Content-Type: text/plain; charset="utf-8" .Content-Transfer-Encoding: base64 h media: text plain b part :--_000__ .Content-Type: text/html; charset="utf-8" .Content-Transfer-Encoding: base64 h media: text html b last b up :--_000__ b part :--_004__ . h media: image gif b last b up :--_004__ b part c end_hash :------F461B893FB2CA2F661FD798058E2475B .Content-Type: application/x-pkcs7-signature; name="smime.p7s" .Content-Transfer-Encoding: base64 .Content-Disposition: attachment; filename="smime.p7s" h media: application x-pkcs7-signature c begin_signature b last c end_signature b up c [GNUPG:] NEWSIG # gpgsm: Signature made 2016-06-14 15:39:52 using certificate ID 0x # gpgsm: Note: non-critical certificate policy not allowed # gpgsm: certificate # # gpgsm: checking the CRL failed: Not implemented c [GNUPG:] GOODSIG c [GNUPG:] VALIDSIG # gpgsm: invalid certification chain: Not implemented c [GNUPG:] TRUST_UNDEFINED 69 :------F461B893FB2CA2F661FD798058E2475B-- From gniibe at fsij.org Mon Jun 20 01:31:00 2016 From: gniibe at fsij.org (NIIBE Yutaka) Date: Mon, 20 Jun 2016 08:31:00 +0900 Subject: OpenGPG Smart Card v2.1 - unable to create key - card error In-Reply-To: <87y46180jg.fsf@wheatstone.g10code.de> References: <87y46180jg.fsf@wheatstone.g10code.de> Message-ID: <57672B34.5000307@fsij.org> On 06/20/2016 04:02 AM, Werner Koch wrote: > I guess that AU9540 Smartcard Reader does not work probably. I have > never seen one of their readers to work with modern smartcards. But > Gniibe has more experience, maybe he can help. I fixed a problem of internal ccid-reader fo this specific reader. The problem was that decryption didn't work (for RSA-2048 key, I guess). FYI, please see: https://bugs.g10code.com/gnupg/issue1947 > As a test try to create a 1024 bit key. I think that it should work with RSA-1024 and RSA-2048. I'm afraid the reader doesn't work for RSA-4096. I suggest try using with PC/SC service. It's pcscd and libccid on GNU/Linux. There is a little possibility it works fine. If it works, please let us know. Let me explain the situation. The problem is the buffer size of the card reader. The descriptor says: dwFeatures 000404BE Auto configuration based on ATR Auto activation on insert Auto voltage selection Auto clock change Auto baud rate change Auto PPS made by CCID Auto IFSD exchange Short and extended APDU level exchange dwMaxCCIDMsgLen 272 It supports extended APDU level exchange, good. However, the size of message is limited by dwMaxCCIDMsgLen=272. So, larger message has to be divided into multiple packets. GnuPG/scdaemon will use larger message for receiving decrypted result, and/or sending private key to card. Please note that sending private key to card occurs for decryption key when "generate" command. The internal CCID-reader didn't support that multiple packets until last year. It was implemented when I handled the issue1947. I think that it works now for RSA-2048. I don't know for RSA-4096. Please note that I only fixed the driver part. Still, there is a fundamental (the card reader's) firmware limitation of the buffer size of APDU. In the original CCID class specification, there is no way to know the buffer size of APDU of the card reader. So, all that a user can do is try if it works or not. It is likely that the supported APDU size is not so large. Well, RSA-4096 is considered "huge" from the view point of smartcard. -- From mantorix at vollbio.de Mon Jun 20 08:47:34 2016 From: mantorix at vollbio.de (mantorix at vollbio.de) Date: Mon, 20 Jun 2016 08:47:34 +0200 Subject: Aw: Re: With colons: Where is my curve? (rsa+ecc mixed key) In-Reply-To: <87lh27sc54.fsf@wheatstone.g10code.de> References: , <87lh27sc54.fsf@wheatstone.g10code.de> Message-ID: > I hope to get 2.1.13 out this week, so please have some patience if you > need a new installer. > > Thanks for reporting. ? Many Thanks, I can confirm that is works not as intended. From mantorix at vollbio.de Mon Jun 20 09:37:03 2016 From: mantorix at vollbio.de (mantorix at vollbio.de) Date: Mon, 20 Jun 2016 09:37:03 +0200 Subject: Aw: Re: With colons: Where is my curve? (rsa+ecc mixed key) In-Reply-To: References: , <87lh27sc54.fsf@wheatstone.g10code.de>, Message-ID: > Many Thanks, I can confirm that is works not as intended. Oops, now, not not From kloecker at kde.org Mon Jun 20 19:46:10 2016 From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=) Date: Mon, 20 Jun 2016 19:46:10 +0200 Subject: Pinetry: window to small + make arrow keys cancel dialog + change number of allowed wrong passphrases In-Reply-To: <5fa56e4e-d332-be93-fe9b-238cea64d893@web.de> References: <5fa56e4e-d332-be93-fe9b-238cea64d893@web.de> Message-ID: <2106016.Ml01ps8Ept@thufir> On Saturday 18 June 2016 14:46:06 Hauke Westemeier wrote: > Would it be possible to make the arrow keys (left, right, > top, bottom) cancel the pinetry dialog? Did you try pressing Esc to cancel the dialog? Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 181 bytes Desc: This is a digitally signed message part. URL: From Hauke_Westemeier at web.de Mon Jun 20 21:46:27 2016 From: Hauke_Westemeier at web.de (Hauke Westemeier) Date: Mon, 20 Jun 2016 21:46:27 +0200 Subject: Pinetry: window to small + make arrow keys cancel dialog + change number of allowed wrong passphrases In-Reply-To: <2106016.Ml01ps8Ept@thufir> References: <2106016.Ml01ps8Ept@thufir> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >> Would it be possible to make the arrow keys (left, right, top, >> bottom) cancel the pinetry dialog? > > Did you try pressing Esc to cancel the dialog? OK, Esc also closes the dialog but it is quite on the opposite side of the keyboard so I still would prefer to just use an arrow key but of course I can also live with the current setup. The main reason for my post was to tell about the too small Pinetry window and to know if there is an easy way to change the number of allowed wrong passphrases. Regards, Hauke -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iF8EARECAB8FAldoR/8YHGhhdWtlX3dlc3RlbWVpZXJAd2ViLmRlAAoJEI8/I36K vfPXYtMAniqqQ9AA8q6xAAr9u+vIXjpRYAmCAJ40K4EifdHYq7i4FgSyPeCWtXvC 9A== =6OhK -----END PGP SIGNATURE----- From wk at gnupg.org Tue Jun 21 11:55:20 2016 From: wk at gnupg.org (Werner Koch) Date: Tue, 21 Jun 2016 11:55:20 +0200 Subject: Pinetry: window to small + make arrow keys cancel dialog + change number of allowed wrong passphrases In-Reply-To: (Hauke Westemeier's message of "Mon, 20 Jun 2016 21:46:27 +0200") References: <2106016.Ml01ps8Ept@thufir> Message-ID: <87r3bqzx13.fsf@wheatstone.g10code.de> On Mon, 20 Jun 2016 21:46, Hauke_Westemeier at web.de said: > The main reason for my post was to tell about the too small Pinetry > window and to know if there is an easy way to change the number of May it be that you are using that very basic Pinentry which is the fallback pinentry installed by the gnupg 2.1 installer? >From the README: This is the core part of the GnuPG system as used by several other frontend programs. This installer does not provide any graphical frontend and thus almost everything needs to be done on the command line. However, a small native Windows GUI tool is included which is used by GnuPG to ask for passphrases. It provides only the basic functionality and is installed under the name "pinentry-basic.exe". Other software using this core component may install a different version of such a tool under the name "pinentry.exe" or configure the gpg-agent to use that version. For example, gpg4win comes with a better Pinentry. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. /* EFH in Erkrath: https://alt-hochdahl.de/haus */ From Hauke_Westemeier at web.de Wed Jun 22 22:09:04 2016 From: Hauke_Westemeier at web.de (Hauke Westemeier) Date: Wed, 22 Jun 2016 22:09:04 +0200 Subject: Pinetry: window to small + make arrow keys cancel dialog + change number of allowed wrong passphrases In-Reply-To: <87r3bqzx13.fsf@wheatstone.g10code.de> References: <87r3bqzx13.fsf@wheatstone.g10code.de> Message-ID: <70351a75-e8db-6543-feb6-5bc2e7d12c41@web.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > May it be that you are using that very basic Pinentry which is the > fallback pinentry installed by the gnupg 2.1 installer? Yes, I'm. I didn't assume that having a window large enough to show its complete content is already considered as above the "basic functionality" (OK, it works, maybe it is still worth to change it as I assume I'm not the only one just using the gnupg 2.1 installer. Maybe the difference is due to the extra line telling how often I entered the passphrase wrongly, this is not there in the gpg4win pinetry). Kind regards, Hauke -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iF8EARECAB8FAldq8FAYHGhhdWtlX3dlc3RlbWVpZXJAd2ViLmRlAAoJEI8/I36K vfPX1x4An3Xau4+5vMez7j3cIjSr/u/RJ2ZmAJ9lfhGQ/3+BtGhOnMEyvDwYhltx DQ== =8I4q -----END PGP SIGNATURE----- From riber at calico-jack.dk Thu Jun 23 11:20:06 2016 From: riber at calico-jack.dk (Mikkel Riber) Date: Thu, 23 Jun 2016 11:20:06 +0200 Subject: Unable to batch decrypt messages on Windows Message-ID: <000001d1cd30$6f1a1680$4d4e4380$@calico-jack.dk> Hello, I've tried to setup so I can decrypt without typing in my password - since this is needed for unattended machines. However I can't seem to get it to work. To ensure it had nothing to do with my keyfiles I started from a new keyring. I am running latest GnuPG v 2.1.13 and have also tested with v2.1.9 same results. C:\Users\mr>gpg --version gpg (GnuPG) 2.1.13 libgcrypt 1.7.1 # Generation of my new key: C:\Users\mr>gpg --gen-key gpg (GnuPG) 2.1.13; Copyright (C) 2016 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. gpg: keybox 'C:/Users/mr/AppData/Roaming/gnupg/pubring.kbx' created Note: Use "gpg --full-gen-key" for a full featured key generation dialog. GnuPG needs to construct a user ID to identify your key. Real name: John Doe Email address: john at doe.com You selected this USER-ID: "John Doe " Change (N)ame, (E)mail, or (O)kay/(Q)uit? o ... gpg: C:/Users/mr/AppData/Roaming/gnupg/trustdb.gpg: trustdb created gpg: key 21EA293DB2F03772 marked as ultimately trusted gpg: directory 'C:/Users/mr/AppData/Roaming/gnupg/openpgp-revocs.d' created gpg: revocation certificate stored as 'C:/Users/mr/AppData/Roaming/gnupg/openpgp-revocs.d\62AAA010AB8C52DC44EC04CE 21EA293DB2F03772.rev' public and secret key created and signed. gpg: checking the trustdb gpg: marginals needed: 3 completes needed: 1 trust model: pgp gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u pub rsa2048 2016-06-23 [S] 62AAA010AB8C52DC44EC04CE21EA293DB2F03772 uid [ultimate] John Doe sub rsa2048 2016-06-23 [] # Encrypting my file plaintext.txt C:\Users\mr>gpg --verbose --encrypt --armor -r john at doe.com plaintext.txt gpg: using pgp trust model gpg: using subkey 60C4F0C050369A62 instead of primary key 21EA293DB2F03772 gpg: This key belongs to us gpg: reading from 'plaintext.txt' gpg: writing to 'plaintext.txt.asc' gpg: RSA/AES256 encrypted for: "60C4F0C050369A62 John Doe " # Verify it is possible to decrypt using normal interactive mode C:\Users\mr>gpg --decrypt plaintext.txt.asc gpg: encrypted with 2048-bit RSA key, ID 60C4F0C050369A62, created 2016-06-23 "John Doe " This is my secret! # When trying any of below commands I'm still getting the prompt for password. C:\Users\mr>gpg --batch --passphrase-file password.txt --decrypt plaintext.txt.asc C:\Users\mr>gpg --batch --passphrase-fd 0 --decrypt plaintext.txt.asc 1234 C:\Users\mr>echo 1234| gpg --batch --passphrase-fd 0 --decrypt plaintext.txt.asc C:\Users\mr>gpg --batch --decrypt --passphrase-fd 0 --output output.csv plaintext.txt.asc gpg --batch --passphrase 1234 --decrypt plaintext.txt.asc Any advice how to get this to work? Any input is welcome, thank you. Kind regards Mikkel R. From afenkart at gmail.com Fri Jun 24 11:21:15 2016 From: afenkart at gmail.com (Andreas Fenkart) Date: Fri, 24 Jun 2016 11:21:15 +0200 Subject: Tamper Resistance of SmartCards -- NitroKey Pro/ KernelConcepts Message-ID: Hi, I'm comparing NitroKey Pro and KernelConcepts OpenPGP card. https://shop.nitrokey.com/shop/product/nitrokey-pro-3 http://shop.kernelconcepts.de/#openpgp I'm only interested in creating signatures for FW releases. What confuses me is the claim made by NitroKey that it is "tamper resistant". I guess kernelconcepts card being a BasicCard[1] should be "tamper resistant" as well. I did a bit of googling: https://github.com/Nitrokey/nitrokey-pro-hardware - uses STM32F103TB - the chip supports JTAG - no special counter measures, or security section in the specification https://secure.zeitcontrol.de/shop/BasicCard_1 - http://www.basiccard.com/ - didn't find the exact BOM, but probably it's there Probably either cards resist hardware attacks, "side-channel", etc... - http://www.wrankl.de/SCH/Attacks.pdf https://www.yubico.com/2016/05/secure-hardware-vs-open-source/ - "What is the attack scenario you?re most worried about ? a backdoor or bug, accessible via the standard interface over the network, someone owning your computer while extracting sensitive information from your security token, or that someone in possession of your key could retrieve such information?" I'm okay with number one. I don't want anybody to extract the key while it's connected to a computer that I don't trust. I'm not so much concerned about the smartcard being stolen and the key extracted, by observing heat ouput or JTAG. But I have to make sure the key never leaves the hands of people I fully trust, that means: - don't send it via postal service - if it's lost/found key must be revoked Nonetheless, what are the low hanging fruit, to improve its tamper resistance? - kernelconcepts / NitroKey are they equivalent? - of course change admin/user pin - what is the card manager key mentionned in the yubic link? Do I need to change something? /Andreas [1] Manufacturer: ZeitControl reported by gpg2 --card-status https://wiki.debian.org/Smartcards#Some_common_cards [2] discussion discussing internals of various vendors https://plus.google.com/+KonstantinRyabitsev/posts/4a7RNxtt7vy From flapflap at riseup.net Fri Jun 24 13:51:49 2016 From: flapflap at riseup.net (flapflap) Date: Fri, 24 Jun 2016 11:51:49 +0000 Subject: Tamper Resistance of SmartCards -- NitroKey Pro/ KernelConcepts In-Reply-To: References: Message-ID: <0917c79e-d563-0936-1b58-24dc1e3325ee@riseup.net> Hi, Andreas Fenkart: > I'm comparing NitroKey Pro and KernelConcepts OpenPGP card. > > https://shop.nitrokey.com/shop/product/nitrokey-pro-3 > http://shop.kernelconcepts.de/#openpgp > > I'm only interested in creating signatures for FW releases. What > confuses me is the claim made by NitroKey that it is "tamper > resistant". I guess kernelconcepts card being a BasicCard[1] should be > "tamper resistant" as well. I think you are a bit mistaken: In the Nitrokey Pro, the STM32 processor is not doing any crypto. Indeed, the STM32 has no hardware protection at all for such purpose. The processor is used to implement the smartcard /reader/ protocol (and a few other functions) and itself forwards all crypto tasks to an on-board OpenPGP smartcard (can be exchanged via slot). As far as I know, there are no known side channels or (easy) attacks to the OpenPGP smartcard. As a normal user you almost have no way to find implementation details for smartcards because they are all protected by patents and NDAs (it would not be possible to make the design free). It is not (at least it should not be) possible to extract secret keys from a smartcard: you send your plain text to the reader, to the card, and get back the cipher text (or vice versa). The Nitrokey people had to decide to do the crypto on the STM32 where they can influence the PCB layout but not the processor (with known attacks) itself, or to do it on an OpenPGP smartcard and have to trust the manufacturer. Since the Nitrokey software and hardware design is free (as in freedom), you can at least inspect these bits (e.g. you can look at the layout using the free software KiCad) and modify the firmware run on the STM32 (maybe you want to add some other additional function that is not security critical). If you only buy a smartcard, you still have to trust the smartcard reader you use then because it can read/copy/modify/transmit via HF all communication and, dependent on your level of paranoia, you also have to carry the reader always with you. Since you need to trust both the reader and the smartcard, Nitrokey put both in the same package and labeled it Nitrokey Pro so you can carry it around. Cheers, ~flapflap From wk at gnupg.org Fri Jun 24 14:25:35 2016 From: wk at gnupg.org (Werner Koch) Date: Fri, 24 Jun 2016 14:25:35 +0200 Subject: Tamper Resistance of SmartCards -- NitroKey Pro/ KernelConcepts In-Reply-To: (Andreas Fenkart's message of "Fri, 24 Jun 2016 11:21:15 +0200") References: Message-ID: <87wplekc3k.fsf@wheatstone.g10code.de> On Fri, 24 Jun 2016 11:21, afenkart at gmail.com said: > confuses me is the claim made by NitroKey that it is "tamper > resistant". I guess kernelconcepts card being a BasicCard[1] should be > "tamper resistant" as well. NitroKey uses the very same card inside. IIRC, their basic version does not use a smartcard but Gniibe's gnuk software on their microcontroller. Another option is to purchase an USB stick sized reader and an ID-000 sized ZeitControl card. That is what I use for my release signing key. The ZeitControl card uses a standard tamper resistant smartcard chip and an OS which has been developed and evaluated for the German Health Card. On top of this the OpenPGP smartcard spec has been implemented. If you can do without hardware tamper resistance, consider to use a gnuk token. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. /* EFH in Erkrath: https://alt-hochdahl.de/haus */ From 2014-667rhzu3dc-lists-groups at riseup.net Fri Jun 24 20:17:38 2016 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Fri, 24 Jun 2016 19:17:38 +0100 Subject: Unable to batch decrypt messages on Windows In-Reply-To: <000001d1cd30$6f1a1680$4d4e4380$@calico-jack.dk> References: <000001d1cd30$6f1a1680$4d4e4380$@calico-jack.dk> Message-ID: <331517645.20160624191738@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Thursday 23 June 2016 at 10:20:06 AM, in , Mikkel Riber wrote: > Any input is welcome, thank you. Does it work if you simply use a key for which you have set an empty password? - -- Best regards MFPA You can't build a reputation on what you are going to do -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJXbXlLXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwbNkH/19khCFnXCmwDW0NX4bnfaPe QTW78fKxCNdSWoknzVpQOa496LZwVUIt5PwPACm8a1+6/MPNB5XUwgjUazX797Wd n+6mM+G74iLawjQrPiXjjwDbEy4cGIkzjz5+To/jptNTNFSDWYKfVhWAe9TOw0Md tMWoqnmFfsd3UrbaCEryBgaNyu7EUhAzm6RU5hPwTrmLzQFgrI3pFR30GNWNQmcb QDqMJ7rihM7nrk4F+XgdwgKk/Hs61CQB3ZTgd4KAr90VNn+hbeoqQ7CUTZCiJs1M I6IdcuwX4i/Q9qKHGHbce/jsqk6Xsj+hkkcnvmQ/dTNLupmnch2TXy8Kmv7kPP6I vgQBFgoAZgUCV215WV8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45OJFAQCiBzXyZOAjdZ14iaH97UOCppwy pbg6E/sBZK32d1BC+QEAvL0ofIhKrZcHtcBPb36Nlqs2Qij18F6dpY0VY8rYygg= =GJPe -----END PGP SIGNATURE----- From saehym at chol.com Fri Jun 24 14:27:40 2016 From: saehym at chol.com (=?EUC-KR?B?c2FlaHlt?=) Date: Fri, 24 Jun 2016 21:27:40 +0900 (KST) Subject: =?EUC-KR?B?SSBoYXZlIEluc3RhbGwgUHJvYmxlbXMsIGhlbHAgbWV+fg==?= Message-ID: <0.08141900_1466771260@chol.com> An HTML attachment was scrubbed... URL: From wurzelsepp1337 at web.de Sun Jun 26 19:57:00 2016 From: wurzelsepp1337 at web.de (wurzelsepp1337 at web.de) Date: Sun, 26 Jun 2016 19:57:00 +0200 Subject: Very slow symmetric encryption/decryption with GnuPG 2.X References: Message-ID: Hello ? I use a Bashscript for Cloud-Encryption-Purposes under Debian Testing. It uses GnuPG for symmetrically encryption of many files with a for loop. With GnuPG 1.4.20, the encryption/decryption runs always very fast on my machine, but with GnuPG 2.X the speed is many many times slower. This process is really slow, I see the slow encryption/decryption of every (even small) single file. ? Versions: GnuPG 1.4.20 GnuPG 2.1.11 (even very slow with 2.0.X) ? Commandline: tar -cf - "$file" | gpg2 -z 0 --yes --batch --no-tty --symmetric --cipher-algo twofish --digest-algo sha512 --passphrase-file FILE -o /PATH/FILE ? I've tested out that the RNG is not the problem. But even with "ln -s /dev/urandom /dev/random", the speed remains very slow. Is there any way to analyse these performance differences? I've no idea. But I think its better to use newer versions, when GnuPG 2.X represents the future. ? Nick From wurzelsepp1337 at web.de Sun Jun 26 19:50:03 2016 From: wurzelsepp1337 at web.de (wurzelsepp1337 at web.de) Date: Sun, 26 Jun 2016 19:50:03 +0200 Subject: Very slow symmetric encryption/decryption with GnuPG 2.X Message-ID: An HTML attachment was scrubbed... URL: From wk at gnupg.org Mon Jun 27 07:59:20 2016 From: wk at gnupg.org (Werner Koch) Date: Mon, 27 Jun 2016 07:59:20 +0200 Subject: Very slow symmetric encryption/decryption with GnuPG 2.X In-Reply-To: (wurzelsepp's message of "Sun, 26 Jun 2016 19:50:03 +0200") References: Message-ID: <87lh1rdvev.fsf@wheatstone.g10code.de> On Sun, 26 Jun 2016 19:50, wurzelsepp1337 at web.de said: > I use a Bashscript for Cloud-Encryption-Purposes under Debian Testing. It uses > GnuPG for symmetrically encryption of many files with a for loop. With GnuPG > 1.4.20, the encryption/decryption runs always very fast on my machine, > GnuPG 2.X the speed is many many times slower. This process is really slow, I For small files most time is spend on the KDF function to convert a passphrase into a key. With 1.4. you may be using an low iteration count but since 2.x we set the iteration count to a value which results in about 100ms for the KDF. We have an open bug that it is not possible to modify that iteration count (--s2k-count) for 2.1. It might be possible to allow --multifile with --symmetric so that the KDF is run only once. However, you would use the very same key for all files which might not be what you want. If you have a high entropy passphrase for symmetric encryption, there is no need for a KDF function and you could use --s2k-mode 0 to use that key directly. Given that you need to store such a key anyway in a file, I would suggest to use regular public key encryption instead and store the secret key on the receiving machine. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. /* EFH in Erkrath: https://alt-hochdahl.de/haus */ From gniibe at fsij.org Mon Jun 27 10:47:28 2016 From: gniibe at fsij.org (NIIBE Yutaka) Date: Mon, 27 Jun 2016 17:47:28 +0900 Subject: Tamper Resistance of SmartCards -- NitroKey Pro/ KernelConcepts In-Reply-To: References: Message-ID: On 06/24/2016 06:21 PM, Andreas Fenkart wrote: > I'm only interested in creating signatures for FW releases. What > confuses me is the claim made by NitroKey that it is "tamper > resistant". I guess kernelconcepts card being a BasicCard[1] should be > "tamper resistant" as well. IIUC, NitroKey Pro uses ZeitControl smartcard for crypto computation. So, it is same as a chip. I think that the term "tamper resistance" is usually used for a chip, if it has some counter measure against some sort of physical attacks. Please note that it doesn't directly mean it can be safe device as a whole. I think that we also need some "tamper resistance" in different level(s). Well, the combination of smatcard chip + USB MCU (which works as a card reader) is a kind of practice for a token. And people discuss it is good as it's has "tamper resistance" feature (in the chip level). I think that the combo is generally good thing, but we also know that this could have a different type of attack vector. Suppose that an attacker has enough time&budget to manufacture similar looking device, and it is possible for the attacker to access to my device multiple times (say, at nights). Then, there is a scenario like: (1) he steals my device when I sleep. (2) he extracts the smartcard chip from my device. Then, using the chip, he makes a token replacing MCU or MCU's firmware. The card reader part will have a special malicious feature recording PIN of mine in the communication. And he puts back the device to me, before I wake. (3) I just keep using my device. I don't notice the change because "it just works". (4) he again steals my device, at another night. (5) Since PIN is recorded in the MCU, my private keys are under control by him now (even if the chip itself is "secure"). I usually recommend implementing some counter measure as a device by customizing your own device. Here are examples: http://www.fsij.org/gnuk/craftwork-fst-01.html http://www.fsij.org/gnuk/customizing-gnuk-token.html http://www.fsij.org/gnuk/mono-the-eraser-case.html I don't know if it's an effective counter measure or not. Anyway, I enjoyed. If it's an effective counter measure, do we need chip level counter measure? That's my question. Already, I know that an effective counter measure is never sleeping. Please don't suggest this method. :-) -- From peter at digitalbrains.com Mon Jun 27 11:43:16 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Mon, 27 Jun 2016 11:43:16 +0200 Subject: (OT) Tamper Resistance of SmartCards -- NitroKey Pro/ KernelConcepts In-Reply-To: References: Message-ID: <47718923-5c32-ffdf-15bd-9cec2ed8d4a2@digitalbrains.com> On 27/06/16 10:47, NIIBE Yutaka wrote: > Already, I know that an effective counter measure is never sleeping. > Please don't suggest this method. :-) You should integrate the crypto token and PIN pad under your skin. Subdermal keypad on the back of the hand, or one sensor per finger [1]. Nobody can take either your crypto token or your means of entering PINs without cutting you while you sleep, which you would notice. The only problem I see ;-P is that you would need to rely on contactless interfaces which are harder to secure than electrical-contact-meets-electrical-contact. But at least you can go to sleep feeling safe. Just kidding, Peter. [1] Flexing your left thumb is "0", flexing your right middle finger is "8", something like that. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From mandar.mhatre at crs-iimotion.com Mon Jun 27 14:44:14 2016 From: mandar.mhatre at crs-iimotion.com (Mandar Mhatre) Date: Mon, 27 Jun 2016 14:44:14 +0200 Subject: gpgme tutorial t-decrypt.c -> Bad passphrase Message-ID: <91d9b5b693cf54130f1d7e7676318c41@mail.gmail.com> Hello List, I am a noob to Cryptography world and few weeks ago started into this subject. Till now I could use linux console freely and perform all the described operations. Right now I am trying to understand GPGME and going through the provided tutorial codes. I am getting an error while running t-decrypt.c (and t-sign.c as well) as stated in the subject line. The passphrase_cb has been implemented in ?t-support.h? but somehow the code doesn?t retrieve the required password. I tried to implement my own callback function on the same lines and came to know that this function is never being called. Search on internet didn?t provide me any alternative working code nor any solution for this problem (Apart from John Morris, Sep 7, 2012) . So I am mailing GnuPG/GPGME profis. My goal is to pass a hardcoded password for decryption and signing for automatic decryption and signing . Any suggestions/modifications in the code or tutorial codes are appreciated. Attaching my (tutorial code from GPGME with some debug specific printf?s) code and other info below. Thank you in advance. Mandar Mhatre System info? Raspberry pi 3 with installed gpg, gpg2 and GPGME with dependencies Code----- /* t-decrypt.c - Regression test. Copyright (C) 2000 Werner Koch (dd9jn) Copyright (C) 2001, 2003, 2004 g10 Code GmbH This file is part of GPGME. GPGME is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. GPGME is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /* We need to include config.h so that we know whether we are building with large file system (LFS) support. */ #define _FILE_OFFSET_BITS 64 #ifdef HAVE_CONFIG_H #include #endif #include #include #include #include #include #include #include "t-support.h" gpgme_error_t passphrase_cb1 (void *hook, const char *uid_hint, const char *passphrase_info, int last_was_bad, int fd) { #ifdef HAVE_W32_system DWORD written; WriteFile ((HANDLE) fd, "abc\n", 4, &written, 0); #else printf("in passphrase cb"); int res; const char *pass = "abc\n"; int passlen = strlen (pass); int off = 0; do { res = write (fd, &pass[off], passlen - off); printf("passphrase is %s", pass); if ( res > 0) off += res; } while(res > 0 && off != passlen); return off == passlen ? 0 : gpgme_error_from_errno (errno); #endif return 0; } int main (int argc, char *argv[]) { gpgme_ctx_t ctx; gpgme_error_t err; gpgme_data_t in, out; gpgme_decrypt_result_t result; const char *cipher_1_asc = make_filename ("cipher-1.asc"); char *agent_info; init_gpgme (GPGME_PROTOCOL_OpenPGP); err = gpgme_new (&ctx); fail_if_err (err); err = gpgme_ctx_set_engine_info (ctx, GPGME_PROTOCOL_OpenPGP, NULL,"/home/pi/.gnupg"); agent_info = getenv("GPG_AGENT_INFO"); if (!(agent_info && strchr (agent_info, ':'))) { printf("in if loop\n"); gpgme_set_passphrase_cb (ctx, passphrase_cb1, NULL); } err = gpgme_data_new_from_file (&in, cipher_1_asc, 1); fail_if_err (err); err = gpgme_data_new (&out); fail_if_err (err); printf("data ready \n"); err = gpgme_op_decrypt (ctx, in, out); fprintf (stderr,"Encrypt error: %s\n", gpgme_strerror (err)); fail_if_err (err); result = gpgme_op_decrypt_result (ctx); if (result->unsupported_algorithm) { fprintf (stderr, "%s:%i: unsupported algorithm: %s\n", __FILE__, __LINE__, result->unsupported_algorithm); exit (1); } print_data (out); gpgme_data_release (in); gpgme_data_release (out); gpgme_release (ctx); return 0; } Output? In if loop Data ready Encrypt error: Bad passphrase t-decrypt.c:101: GPGME: Bad passphrase -------------- next part -------------- An HTML attachment was scrubbed... URL: From gniibe at fsij.org Tue Jun 28 04:16:03 2016 From: gniibe at fsij.org (NIIBE Yutaka) Date: Tue, 28 Jun 2016 11:16:03 +0900 Subject: How to sign a PDF using a DNIe In-Reply-To: <576379E6.4030404@fsij.org> References: <576379E6.4030404@fsij.org> Message-ID: <749faf7d-ed46-2c8c-02fe-c65459b86864@fsij.org> On 06/17/2016 01:17 PM, NIIBE Yutaka wrote: > I'd recommend to seek other software instead. > > Simply, general smartcard is not supported. It seems that you have an > illusion that GnuPG and its scdaemon can support any smartcard in > general. No, we can't. > > Fundamentally, while OpenPGPcard can be under control of its user, > general smartcard is designed in the situation that it is under > control by its issuer ( card is usually not a user's property ). Last week, I was asked in person, about the possibility of using a smartcard issued by Japanese government, with GnuPG for OpenPGP and SSH. So, I add my comment more. In my opinion, it's not relevant to use such a card in order to protect our privacy, even if the technology of the device were great, even if the availability were good and cost were cheap. For the specific card, for example, it is issued at a public office for citizen and we need to enter PIN with a computer in the office when a key is generated (I don't know if it is really generated there or not, but they claim so). Even if the device were great, I don't want to use such a private key generated by those environment, for myself, for use of GnuPG to protect my own privacy. That's because the environment is not controlled by me at all. Thus, it is impossible for me to ensure the private key is only available in the card securely, or my PIN is not recorded. On the other hand, I happened to know that the computer has full of proprietary software (as usual), which no one (at least, no one at the public office) can control. The structure is: It's not my device, but someone's; They let me use the card. It would be considered healthy for me to think about the likelihood of honey-pot/trap or other kinds of attack vectors, when I try to use the card for other purpose. I think that I only use such a card only when it is mandatory by the government. I think that it is opposite way what we should make it possible. Let a government accept signature which is generated by our own smartcard/token with free software. Or let a governor certify our own public key, where the private key is in our own smartcard/token. -- From dashohoxha at gmail.com Tue Jun 28 09:20:52 2016 From: dashohoxha at gmail.com (Dashamir Hoxha) Date: Tue, 28 Jun 2016 09:20:52 +0200 Subject: How to sign a PDF using a DNIe In-Reply-To: <749faf7d-ed46-2c8c-02fe-c65459b86864@fsij.org> References: <576379E6.4030404@fsij.org> <749faf7d-ed46-2c8c-02fe-c65459b86864@fsij.org> Message-ID: On Tue, Jun 28, 2016 at 4:16 AM, NIIBE Yutaka wrote: > > Or let a governor certify our own > public key, where the private key is in our own smartcard/token. > This is really a good idea. If authorized government officials certify our public keys, then our signatures can have full legal values, as far as the government is concerned. -------------- next part -------------- An HTML attachment was scrubbed... URL: From saehym at chol.com Tue Jun 28 11:24:38 2016 From: saehym at chol.com (=?EUC-KR?B?c2FlaHlt?=) Date: Tue, 28 Jun 2016 18:24:38 +0900 (KST) Subject: =?EUC-KR?B?bGliZ2NyeXB0IGluc3RhbGwgcHJvYmxlbX5+aGVscCBtZQ==?= Message-ID: <0.55573300_1467105878@chol.com> An HTML attachment was scrubbed... URL: From ndk.clanbo at gmail.com Tue Jun 28 10:42:48 2016 From: ndk.clanbo at gmail.com (NdK) Date: Tue, 28 Jun 2016 10:42:48 +0200 Subject: How to sign a PDF using a DNIe In-Reply-To: <749faf7d-ed46-2c8c-02fe-c65459b86864@fsij.org> References: <576379E6.4030404@fsij.org> <749faf7d-ed46-2c8c-02fe-c65459b86864@fsij.org> Message-ID: <57723888.6060005@gmail.com> Il 28/06/2016 04:16, NIIBE Yutaka ha scritto: > I think that it is opposite way what we should make it possible. Let > a government accept signature which is generated by our own > smartcard/token with free software. Or let a governor certify our own > public key, where the private key is in our own smartcard/token. That would be great, but I think it's an orthogonal issue. When you get to use a smartcard, you are already giving up a lot of control on your key, trusting something you can't control and hoping certifiers did their work correctly and the units being sold are completely like the tested ones. The support for generic cards could be useful for other reasons. Say I have a smartcard that could host 15 keys. I'd like to use one for web auth, another for NFC auth, another for signing documents, another as my primary GPG identity (certification), one for GPG auth, one for GPG signing and the others for GPG decryption (just not to lose access to older mails). Currently it's not possible, unless I use quite a lot of different cards. IMO the "ideal" solution would be a FIDO-like system, where keys are kept, encrypted, on disk and uploaded as "blobs" to the card that decrypts 'em and only then become useable. That would remove the limit on the number of keys that could be kept on a card. But it's not feasible with Java cards, I think (at least I couldn't make it work w/o writing to the flash memory). That would be completely feasible with FST-01... BYtE, Diego From mandar.mhatre at crs-iimotion.com Tue Jun 28 11:16:34 2016 From: mandar.mhatre at crs-iimotion.com (Mandar Mhatre) Date: Tue, 28 Jun 2016 11:16:34 +0200 Subject: gpgme tutorial t-decrypt.c -> Bad passphrase In-Reply-To: <87k2haabmf.fsf@thinkbox.jade-hamburg.de> References: <91d9b5b693cf54130f1d7e7676318c41@mail.gmail.com> <87k2haabmf.fsf@thinkbox.jade-hamburg.de> Message-ID: <20c5b5f3130f452620dc25bb372c8b13@mail.gmail.com> Hello List, @Justus thanks for the kind reply! I found some more related issues on the internet forums and tried the listed solutions/workarounds. 1. As Justus suggested, I tried that but its only applicable to gnupg 2.13+, I am having 1.4 and 2.0.30 installed on my Debian. 2. Tried to achieve this solution in the code. Gpgme_set_pinentry_mode(ctx, GPGME_PINENTRY_MODE_LOOPBACK) I expected no change in the output, considering the above point. But interestingly now the error changes to "No data". A bit strange ! 3. On May 28, 2015 in reply to Folkert van Heusdens query, Werner Koch replied saying 'no-use-agent' should be used in gpg.conf. Does not affect the output and passphrase_cb still isn't being executed. 4. in gpg.conf uncommenting 'Passphrase agent' results in error "No data". As a result, the problem persists and I couldn't set my password. I hope I have been enough descriptive in stating my problem. Thank you in advance for your time and help. With kind regards, Mandar Mhatre -----Original Message----- From: Justus Winter [mailto:teythoon at avior.uberspace.de] Sent: Montag, 27. Juni 2016 17:35 To: Mandar Mhatre; gnupg-users at gnupg.org Subject: Re: gpgme tutorial t-decrypt.c -> Bad passphrase Hi, Mandar Mhatre writes: > I am getting an error while running t-decrypt.c (and t-sign.c as well) > as stated in the subject line. The passphrase_cb has been implemented > in ?t-support.h? but somehow the code doesn?t retrieve the required > password. I tried to implement my own callback function on the same > lines and came to know that this function is never being called. GnuPG is getting the passphrase using the pinentry mechanism. If you want to supply it using a callback, you have to set the pinentry mode to loopback. Furthermore, if you are using GnuPG < 2.12, you need to allow that using --allow-loopback-pinentry. Cheers, Justus From gniibe at fsij.org Wed Jun 29 01:42:48 2016 From: gniibe at fsij.org (NIIBE Yutaka) Date: Wed, 29 Jun 2016 08:42:48 +0900 Subject: libgcrypt install problem~~help me In-Reply-To: <0.55573300_1467105878@chol.com> References: <0.55573300_1467105878@chol.com> Message-ID: <4ba96482-96df-7dbe-6e8f-a5fc10eff4b9@fsij.org> Hello, On 06/28/2016 06:24 PM, saehym wrote: > $ ./configure ==> ok > > Libgcrypt v1.7.0 has been configured as follows: > > Platform: GNU/Linux (x86_64-pc-linux-gnu) > Hardware detection module: hwf-x86 > Enabled cipher algorithms: arcfour blowfish cast5 des aes twofish > serpent rfc2268 seed camellia idea > salsa20 > gost28147 chacha20 > Enabled digest algorithms: crc gostr3411-94 md4 md5 rmd160 sha1 > sha256 sha512 sha3 tiger whirlpool > stribog > > Enabled kdf algorithms: s2k pkdf2 scrypt > Enabled pubkey algorithms: dsa elgamal rsa ecc > Random number generator: default > Using linux capabilities: no > Try using Padlock crypto: yes > Try using AES-NI crypto: yes > Try using Intel PCLMUL: yes > Try using DRNG (RDRAND): yes > Try using Intel AVX: yes > Try using Intel AVX2: no (unsupported by compiler) > Try using ARM NEON: n/a [...] > `_gcry_sha1_transform_amd64_avx' I think that it is same bug which is reported at: https://bugs.gnupg.org/gnupg/issue2396 Thanks for your description, I think that I found a bug in libgcrypt. If possible, could you try following patch? diff --git a/cipher/sha1-avx-amd64.S b/cipher/sha1-avx-amd64.S index 062a45b..70efe95 100644 --- a/cipher/sha1-avx-amd64.S +++ b/cipher/sha1-avx-amd64.S @@ -31,8 +31,8 @@ #if (defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS) || \ defined(HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS)) && \ - defined(HAVE_GCC_INLINE_ASM_BMI2) && \ - defined(HAVE_GCC_INLINE_ASM_AVX2) && defined(USE_SHA1) + defined(HAVE_INTEL_SYNTAX_PLATFORM_AS) && \ + defined(HAVE_GCC_INLINE_ASM_AVX) && defined(USE_SHA1) #ifdef __PIC__ # define RIP (%rip) --