From brian at minton.name Wed Apr 5 01:43:04 2023 From: brian at minton.name (Brian Minton) Date: Tue, 4 Apr 2023 19:43:04 -0400 Subject: Does the PGP public key at https://www.washingtonpost.com/anonymous-news-tips/ In-Reply-To: References: <42EA56C4-1FC4-42ED-893E-5B6DF5CDB678@andrewg.com> Message-ID: WaPo also does have SecureDrop, but I'm not sure how often that gets used either. On Tue, Aug 9, 2022 at 10:34?PM Jay Sulzberger via Gnupg-users wrote: > > > On Sun, 7 Aug 2022, Andrew Gallagher wrote: > > > > >> On 7 Aug 2022, at 17:28, Jay Sulzberger via Gnupg-users wrote: > >> > >> Andrew, do the sks keyservers work today? > >> > >> I was able to find the key by going to > >> > >> https://keyserver.ubuntu.com/ > >> > >> and putting > >> > >> EC6C2905F0F93C0373946CA10642427A5FF780BE > >> > >> into the search box. > > > > Do you mean SKS the software (i.e. github.com/sks-keyserver) or SKS > > the protocol/network? The answer in both cases is ?yes?, but for > > different values of ?yes?. ? > > In the past two days, I have come to understand how little I know > about the design, the practical use, and the statistics of usage, of > gnupg. I think that learning some more is worth the effort. > > > > > What doesn?t work any more is the sks-keyservers.net pool, which had > > become a nightmare to manage. This has been taken by many to mean > > that the SKS network itself is down, but this is absolutely not the > > case. > > Ah. > > > > > sks-keyserver still works, but is IMO not suitable for use in > > production unless you are an expert willing to roll your own load > > balancing pool and recompile the code to update blacklists (there > > are still a few such brave souls left). This may change in the > > future ? the software is maintained but hasn?t had a significant > > feature bump in some time. > > Ah, oi. > > > > > The SKS network also still works, and depending on your choice of > > metric is probably more stable today than it has ever been. The > > reasons are twofold: many operators have migrated from sks-keyserver > > to hockeypuck, and most of the rest have shut down. This means that > > although there are fewer keyservers now than five years ago, the > > ones that do exist (including keyserver.ubuntu.com) are generally > > much more reliable. > > Ah, OK. > > > > > Information about the SKS network can be found at https://spider.pgpkeys.eu > > > > A > > Andrew, thank you much for this useful short introduction to these > obscure things! > > oo--JS. > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > https://lists.gnupg.org/mailman/listinfo/gnupg-users From yengas07 at gmail.com Wed Apr 5 22:17:00 2023 From: yengas07 at gmail.com (=?UTF-8?B?WWnEn2l0Y2FuIFXDh1VN?=) Date: Wed, 5 Apr 2023 23:17:00 +0300 Subject: Seeking Assistance with GnuPG for Signing Arbitrary Data Using a Smart Card Message-ID: Hello, I am using a Yubikey 5C NFC with OpenPGP Version 3.4 Applet and an `ed25519` curve signing key. I'm attempting to create `EdDSA` Algorithm JWTs using GnuPG tooling, but I've encountered some difficulties. I've used `gpg-connect-agent` to interact with my Smart Card through a low-level API, as shown in the following commands: ``` RESET SCD READKEY OPENPGP.1 SCD SETDATA $MY_ARBITRARY_DATA SCD PKSIGN --hash=sha512 OPENPGP.1 ``` I can sign arbitrary data with some limitations, and the successful output looks like: ``` OK D (10:public-key(3:ecc(5:curve7:Ed25519)(5:flags5:eddsa)(1:q33:@?m?7;??5%0A?A?2v??o?s?????pE?g9))) OK OK D @???????;?\???T?t?%25???k? ?Ku?Q[??~???L??#V%0D;Gp/@?J? OK ``` I have a few questions about this process: 1. Is it feasible to use `gpg-connect-agent` and the `SCD *` operations for my goal? Are there any alternative approaches? 2. In the output, are the public key and signature encoded with S-Expression and MPI? How should I parse this output? 3. I receive an error when trying to `SCD PKSIGN` with data above 64 bytes: "ERR 100663351 Invalid value ". Is this a tooling limitation, or is there a way to sign arbitrary data? I can sign arbitrary data using `COMPUTE DIGITAL SIGNATURE` with direct APDU communication to the Smart Card. Thank you for your help! Kind regards, Yigitcan From vuori at notcom.org Thu Apr 6 11:09:27 2023 From: vuori at notcom.org (vuori) Date: Thu, 6 Apr 2023 12:09:27 +0300 Subject: Seeking Assistance with GnuPG for Signing Arbitrary Data Using a Smart Card In-Reply-To: References: Message-ID: On Wed, Apr 05, 2023 at 11:17:00PM +0300, Yi?itcan U?UM via Gnupg-users wrote: > 3. I receive an error when trying to `SCD PKSIGN` with data above 64 > bytes: "ERR 100663351 Invalid value ". Is this a tooling > limitation, or is there a way to sign arbitrary data? I can sign > arbitrary data using `COMPUTE DIGITAL SIGNATURE` with direct APDU > communication to the Smart Card. I'm not particularly familiar with the Assuan protocol so can't say about the other questions, but in general with generic token cards (such as OpenPGP cards) you'll sign precomputed hashes instead of having the card hash the data. So you should usually calculate the hash yourself and then sign the result. (Hash-on-card seems more useful for cases where the card application generates the message to be signed by itself, such as EMV.) In this kind of use case, you might also want to use PKAUTH (or INTERNAL AUTHENTICATE in APDU terms) instead? It seems to be intended for use with generic signing, while PKSIGN/COMPUTE DIGITAL SIGNATURE is documented in the context of OpenPGP message signing. scd/app-openpgp.c:{do_sign,do_auth} in GnuPG sources have some informative comments on the process and the code looks mostly straightforward too. -Valtteri From mark.christian at intel.com Fri Apr 7 01:20:07 2023 From: mark.christian at intel.com (Christian, Mark) Date: Thu, 6 Apr 2023 23:20:07 +0000 Subject: using gpg-agent from web server mod_wsgi script Message-ID: <106f55f68d234dc055ba70e7298ab2424e65c1aa.camel@intel.com> I was hoping to gpg-preset-passphrase a gpg-agent running under the apache WSGI service account, so that a python gpgme web wsgi/cgi application could access the gpg-agent's private key in order to run various gpg operations. It seems the python mod_wsgi script is not finding the gpg-agent. I'm wondering if this is possible? I'm using gpg2 2.2.27 and python gpgme_version 1.16.0 Thank you, Mark From jscott at posteo.net Sun Apr 9 04:35:18 2023 From: jscott at posteo.net (John Scott) Date: Sun, 09 Apr 2023 02:35:18 +0000 Subject: Application deadlock when using GnuPG, gpgsm, and Scute Message-ID: <4d0dfd906aac33599d58cb45af805dc5a865f35d.camel@posteo.net> Hi, I'm using Debian Bookworm (Testing) with GnuPG, gpgsm, and Scute. My motivation for using this trio of tools is a little elaborate, so allow me to explain. For just the technical stuff, skip to the end. I use OpenPGP for a variety of reasons, including for my own email security and because I'm a Debian contributor. I do believe it is the better cryptosystem for my day-to-day needs, and I've been using it for a handful of years. I also like using my OpenPGP smartcards and the fact that I can use them for SSH too; I'm a believer in the concept of Monkeysphere and that SSH could benefit from a more powerful cryptosystem. I also digitally sign all of my Git commits. I'm also a student at Indiana University, where we have S/MIME certificates. S/MIME is the predominant cryptosystem at IU, so it makes sense for me to use that instead there. I use it for signing and encrypting email, for digitally signing my homework PDFs, and if I need to make Git repos, might use my certificate for signing those too. Again, in the spirit of Monkeysphere, I might use my IU certificate's keypair to do SSH into IU machines; this has the benefit that IU administrators can verify the authenticity of my SSH key by noticing that it's the same raw public key as my certificate (whether anyone would appreciate that in practice, I doubt it). IU forced upon me an RSA 4096 certificate, which OpenSC refuses to put on to my (second) Gnuk (Nitrokey Start) because of the space squeeze. Here's what I've done. * I've imported the certificate with private key into gpgsm. * Then I went to edit my personal OpenPGP key and create a subkey that uses the same keypair as the certificate. * Lastly, I moved that subkey over to the smartcard. This has the benefit that, if you already trust my OpenPGP key, you can see that my certificate raw public key also happens to be an OpenPGP subkey, and thus you can consider it trustworthy. This looks like it's supposed to be doing the right thing. When I insert my Gnuk #2 into my machine and try to sign something with my IU certificate, gpgsm is smart enough to realize that the private key is on my Gnuk. However, when I try to use Firefox, Evolution, pdfsig from Poppler, and other applications that try talking to Scute, they hang when I have my Gnuk #2 inserted. An strace shows read(6, "4.17=#3437343035::%0Auid:e::::::"..., 999) = 999 read(6, "::%0Agrp:::::::::B5AE798D0A57B3B"..., 999) = 999 read(6, ".5.4.5=#5A5A5A5A5A5A4131,O=Sieme"..., 999) = 999 read(6, "03355375058::%0Auid:e:::::::: From dgouttegattat at incenp.org Sun Apr 9 13:09:17 2023 From: dgouttegattat at incenp.org (Damien Goutte-Gattat) Date: Sun, 09 Apr 2023 12:09:17 +0100 Subject: Application deadlock when using GnuPG, gpgsm, and Scute In-Reply-To: <4d0dfd906aac33599d58cb45af805dc5a865f35d.camel@posteo.net> References: <4d0dfd906aac33599d58cb45af805dc5a865f35d.camel@posteo.net> Message-ID: <2665257.vuYhMxLoTh@borealin.local.incenp.org> Hi, On Sunday, 9 April 2023 03:35:18 BST John Scott via Gnupg-users wrote: > Note that GnuPG 2.3 is not available in Debian, not even in Debian experimental yet, but as soon as the packagers provide it I will give it a try. Perhaps I'll install GnuPG 2.3 myself in /usr/local Note also that according to packages.debian.org [1], the latest version of Scute available in Debian, even in Sid, is still 1.5.0. That version is six years old. If you don?t mind compiling and installing GnuPG ? 2.3 yourself you should also try installing Scute 1.7.0. - Damien [1] https://packages.debian.org/source/sid/scute -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 228 bytes Desc: This is a digitally signed message part. URL: From jscott at posteo.net Sun Apr 9 21:13:46 2023 From: jscott at posteo.net (John Scott) Date: Sun, 09 Apr 2023 19:13:46 +0000 Subject: Application deadlock when using GnuPG, gpgsm, and Scute In-Reply-To: <2665257.vuYhMxLoTh@borealin.local.incenp.org> References: <4d0dfd906aac33599d58cb45af805dc5a865f35d.camel@posteo.net> <2665257.vuYhMxLoTh@borealin.local.incenp.org> Message-ID: On Sun, 2023-04-09 at 12:09 +0100, Damien Goutte-Gattat wrote: > If you don?t mind compiling and installing GnuPG ? 2.3 yourself you should also try installing Scute 1.7.0. You're a genius! I actually had a hard time getting Scute 1.7.0 to compile, so I built it from Git instead and everything worked flawlessly! I was even able to sign a PDF :) Issue resolved -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 228 bytes Desc: This is a digitally signed message part URL: From dgouttegattat at incenp.org Sun Apr 9 23:02:46 2023 From: dgouttegattat at incenp.org (Damien Goutte-Gattat) Date: Sun, 09 Apr 2023 22:02:46 +0100 Subject: Application deadlock when using GnuPG, gpgsm, and Scute In-Reply-To: References: <4d0dfd906aac33599d58cb45af805dc5a865f35d.camel@posteo.net> <2665257.vuYhMxLoTh@borealin.local.incenp.org> Message-ID: <4784903.OV4Wx5bFTl@borealin.local.incenp.org> On Sunday, 9 April 2023 20:13:46 BST John Scott via Gnupg-users wrote: > You're a genius! Hardly. :D > I actually had a hard time getting Scute 1.7.0 to compile, so I built it from Git instead If you have some time to spare I?d be interested to know which problem(s) you ran into when trying to compile Scute 1.7.0. Building from a release tarball is supposed to be easier than building from a Git checkout after all! > and everything worked flawlessly! I was even able to sign a PDF :) Glad to read that! Best, - Damien -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 228 bytes Desc: This is a digitally signed message part. URL: From wk at gnupg.org Tue Apr 11 08:54:58 2023 From: wk at gnupg.org (Werner Koch) Date: Tue, 11 Apr 2023 08:54:58 +0200 Subject: Application deadlock when using GnuPG, gpgsm, and Scute In-Reply-To: (John Scott via Gnupg-users's message of "Sun, 09 Apr 2023 19:13:46 +0000") References: <4d0dfd906aac33599d58cb45af805dc5a865f35d.camel@posteo.net> <2665257.vuYhMxLoTh@borealin.local.incenp.org> Message-ID: <87zg7e9ad9.fsf@wheatstone.g10code.de> On Sun, 9 Apr 2023 19:13, John Scott said: > You're a genius! I actually had a hard time getting Scute 1.7.0 to > compile, so I built it from Git instead and everything worked > flawlessly! I was even able to sign a PDF :) FWIW, we are even working on Poppler to integrate GnuPG without the need for Scute. This required a few updates to GnuPG and thus 2.4.1 will soon be released. I am sorry, for the Debian troubles - we actually had 2.3 in Sid already 2 years ago. AFAICS the problem is that the Debian maintainer seems to be in a conflict between being Sequoia contributor and maintainer, OpenPGP WG Chair and also long time GnuPG maintainer. Salam-Shalom, Werner -- The pioneers of a warless world are the youth that refuse military service. - A. Einstein -------------- next part -------------- A non-text attachment was scrubbed... Name: openpgp-digital-signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From simon at josefsson.org Tue Apr 11 10:50:39 2023 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 11 Apr 2023 10:50:39 +0200 Subject: Application deadlock when using GnuPG, gpgsm, and Scute In-Reply-To: <87zg7e9ad9.fsf@wheatstone.g10code.de> (Werner Koch via Gnupg-users's message of "Tue, 11 Apr 2023 08:54:58 +0200") References: <4d0dfd906aac33599d58cb45af805dc5a865f35d.camel@posteo.net> <2665257.vuYhMxLoTh@borealin.local.incenp.org> <87zg7e9ad9.fsf@wheatstone.g10code.de> Message-ID: <87jzyipzts.fsf@kaka.sjd.se> Werner Koch via Gnupg-users writes: > I am sorry, for the Debian troubles - we actually had 2.3 in Sid already > 2 years ago. AFAICS the problem is that the Debian maintainer seems to > be in a conflict between being Sequoia contributor and maintainer, > OpenPGP WG Chair and also long time GnuPG maintainer. Are there well-maintained debian packages for GnuPG 2.4 anywhere? I recently ran into yet another bug that has been fixed in later versions that Debian/Trisquel doesn't ship, so wondered this recently as well. I've seen some work here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022702#10 If nobody has done this, is there interest in providing such packages? /Simon -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 255 bytes Desc: not available URL: From vuori at notcom.org Tue Apr 11 12:27:31 2023 From: vuori at notcom.org (vuori) Date: Tue, 11 Apr 2023 13:27:31 +0300 Subject: Application deadlock when using GnuPG, gpgsm, and Scute In-Reply-To: <87jzyipzts.fsf@kaka.sjd.se> References: <4d0dfd906aac33599d58cb45af805dc5a865f35d.camel@posteo.net> <2665257.vuYhMxLoTh@borealin.local.incenp.org> <87zg7e9ad9.fsf@wheatstone.g10code.de> <87jzyipzts.fsf@kaka.sjd.se> Message-ID: <3bcxhjecqg7nw6okolbuj6hjn2u63jkea5szvpr55kvqkiuz5t@6k765gzkc4y4> On Tue, Apr 11, 2023 at 10:50:39AM +0200, Simon Josefsson via Gnupg-users wrote: > Are there well-maintained debian packages for GnuPG 2.4 anywhere? I > recently ran into yet another bug that has been fixed in later versions > that Debian/Trisquel doesn't ship, so wondered this recently as well. > > I've seen some work here: > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022702#10 > > If nobody has done this, is there interest in providing such packages? I was wondering about this a while ago. A PPA or similar external repo would be very convenient if the Debian situation can't be sorted out, since there are several post-2.2 features I'd like to use. I'm not a party to the ongoing standardization efforts and can't speak about the technical merits of the proposals, but from a user perspective, Debian seems to be in the wrong here: if putatively not fully following standards were a general reason for not providing updates to a package, there would be very few packages left in Debian. IMO the maintainer should provide updated packages with a default configuration that keeps to "safe" (same as 2.2?) data formats if they think the newer formats will be a problem in the future?not hold back the entire package. -Valtteri -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 228 bytes Desc: not available URL: From simon at josefsson.org Tue Apr 11 15:13:12 2023 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 11 Apr 2023 15:13:12 +0200 Subject: Application deadlock when using GnuPG, gpgsm, and Scute In-Reply-To: <3bcxhjecqg7nw6okolbuj6hjn2u63jkea5szvpr55kvqkiuz5t@6k765gzkc4y4> (vuori@notcom.org's message of "Tue, 11 Apr 2023 13:27:31 +0300") References: <4d0dfd906aac33599d58cb45af805dc5a865f35d.camel@posteo.net> <2665257.vuYhMxLoTh@borealin.local.incenp.org> <87zg7e9ad9.fsf@wheatstone.g10code.de> <87jzyipzts.fsf@kaka.sjd.se> <3bcxhjecqg7nw6okolbuj6hjn2u63jkea5szvpr55kvqkiuz5t@6k765gzkc4y4> Message-ID: <877cuipno7.fsf@kaka.sjd.se> vuori writes: > On Tue, Apr 11, 2023 at 10:50:39AM +0200, Simon Josefsson via Gnupg-users wrote: >> Are there well-maintained debian packages for GnuPG 2.4 anywhere? I >> recently ran into yet another bug that has been fixed in later versions >> that Debian/Trisquel doesn't ship, so wondered this recently as well. >> >> I've seen some work here: >> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022702#10 >> >> If nobody has done this, is there interest in providing such packages? > > I was wondering about this a while ago. A PPA or similar external repo > would be very convenient if the Debian situation can't be sorted out, > since there are several post-2.2 features I'd like to use. Thanks to the wonders of git packaging and gitlab shared runners, it only took an hour or so to build bullseye packages for 2.2.40 and 2.4.0 via gitlab. See how to test the packages below. This uses upstream gnupg2, libgcrypt, libksba, libgpg-error from salsa with no changes, built using the latest tag that is also in unstable+testing but on bullseye images. For v2.4, only the gnupg2 package was rebuilt on the tmp-ametzler-v2.4 branch suggesting that it works. Of course, this is work in progress... See https://gitlab.com/debdistutils/packages/cicd-config for background. I'm sure we could finalize this into stable URLs and sign the apt repository using a GnuPG key if people find this interesting. I would find packages for Trisquel aramo useful myself, I'm not sure the bullseye packages work directly. /Simon To install version 2.2.40 follow this: ``` podman run -it --rm debian:bullseye apt-get update apt-get dist-upgrade -u -y apt-get install -y ca-certificates echo "deb [trusted=yes] https://gitlab.com/debdistutils/packages/libgpg-error/-/jobs/4092717327/artifacts/raw/aptly bullseye main" > /etc/apt/sources.list.d/libgpg-error.list echo "deb [trusted=yes] https://gitlab.com/debdistutils/packages/gnupg2/-/jobs/4092793555/artifacts/raw/aptly bullseye main" > /etc/apt/sources.list.d/gnupg2.list apt-get update apt-get install -y gnupg2 gpg --version ``` The expected output after all the installation noise should be: ``` gpg (GnuPG) 2.2.40 libgcrypt 1.8.8 Copyright (C) 2022 g10 Code GmbH License GNU GPL-3.0-or-later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: /root/.gnupg Supported algorithms: Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 ``` To install version 2.4.0 follow this: ``` podman run -it --rm debian:bullseye apt-get update apt-get dist-upgrade -u -y apt-get install -y ca-certificates echo "deb [trusted=yes] https://gitlab.com/debdistutils/packages/libgpg-error/-/jobs/4092717327/artifacts/raw/aptly bullseye main" > /etc/apt/sources.list.d/libgpg-error.list echo "deb [trusted=yes] https://gitlab.com/debdistutils/packages/libgcrypt/-/jobs/4093099318/artifacts/raw/aptly bullseye main" > /etc/apt/sources.list.d/libgcrypt.list echo "deb [trusted=yes] https://gitlab.com/debdistutils/packages/libksba/-/jobs/4092985161/artifacts/raw/aptly bullseye main" > /etc/apt/sources.list.d/libksba.list echo "deb [trusted=yes] https://gitlab.com/debdistutils/packages/gnupg2/-/jobs/4093118295/artifacts/raw/aptly bullseye main" > /etc/apt/sources.list.d/gnupg2.list apt-get update apt-get install -y gnupg2 gpg --version ``` The expected output after all the installation noise should be: ``` gpg (GnuPG) 2.4.0 libgcrypt 1.10.1 Copyright (C) 2021 Free Software Foundation, Inc. License GNU GPL-3.0-or-later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: /root/.gnupg Supported algorithms: Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 ``` -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 255 bytes Desc: not available URL: From mike at mdsresource.net Sat Apr 15 18:17:31 2023 From: mike at mdsresource.net (Mike Schleif) Date: Sat, 15 Apr 2023 11:17:31 -0500 Subject: gpg: can't handle public key algorithm 18 Message-ID: On trying to decrypt a file, we get the subject error on failure. What does this mean? How ought we deal with this? Please, advise. Thank you. ~ Mike -------------- next part -------------- An HTML attachment was scrubbed... URL: From bwalzer at 59.ca Sat Apr 15 20:36:04 2023 From: bwalzer at 59.ca (Bruce Walzer) Date: Sat, 15 Apr 2023 13:36:04 -0500 Subject: gpg: can't handle public key algorithm 18 In-Reply-To: References: Message-ID: On Sat, Apr 15, 2023 at 11:17:31AM -0500, Mike Schleif wrote: > On trying to decrypt a file, we get the subject error on failure. What version of GnuPG are you using? Running on what platform? Bruce From mike at mdsresource.net Sat Apr 15 21:50:23 2023 From: mike at mdsresource.net (Mike Schleif) Date: Sat, 15 Apr 2023 14:50:23 -0500 Subject: gpg: can't handle public key algorithm 18 In-Reply-To: References: Message-ID: $ gpg --version gpg (GnuPG) 2.0.22 libgcrypt 1.5.3 $ cat /etc/system-release CentOS Linux release 7.9.2009 (Core) On Sat, Apr 15, 2023 at 1:36?PM Bruce Walzer wrote: > On Sat, Apr 15, 2023 at 11:17:31AM -0500, Mike Schleif wrote: > > On trying to decrypt a file, we get the subject error on failure. > > What version of GnuPG are you using? Running on what platform? > > Bruce > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > https://lists.gnupg.org/mailman/listinfo/gnupg-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From tmz at pobox.com Sat Apr 15 22:37:26 2023 From: tmz at pobox.com (Todd Zullinger) Date: Sat, 15 Apr 2023 16:37:26 -0400 Subject: gpg: can't handle public key algorithm 18 In-Reply-To: References: Message-ID: Mike Schleif wrote: > $ gpg --version > gpg (GnuPG) 2.0.22 > libgcrypt 1.5.3 > > $ cat /etc/system-release > CentOS Linux release 7.9.2009 (Core) Algorithm 18 is ECDH, which is not supported by gpg on CentOS 7. You can confirm this in the Pubkey line of the gpg --version output: $ gpg --version gpg (GnuPG) 2.0.22 libgcrypt 1.5.3 [...] Home: ~/.gnupg Supported algorithms: Pubkey: RSA, ?, ?, ELG, DSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 On a newer Fedora system, ECDH is present: $ gpg --version --no-copyright gpg (GnuPG) 2.4.0 libgcrypt 1.10.1-unknown [...] Home: /home/user/.gnupg Supported algorithms: Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 -- Todd -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: not available URL: From mike at mdsresource.net Sun Apr 16 17:12:24 2023 From: mike at mdsresource.net (Mike Schleif) Date: Sun, 16 Apr 2023 10:12:24 -0500 Subject: gpg: can't handle public key algorithm 18 In-Reply-To: References: Message-ID: Yes, I see that. However, our public key was generated by our GPG; and this file is encrypted with our public key, since there is NO missing "secret key" error. Why, then, the subject error message? On Sat, Apr 15, 2023 at 3:37?PM Todd Zullinger via Gnupg-users < gnupg-users at gnupg.org> wrote: > Mike Schleif wrote: > > $ gpg --version > > gpg (GnuPG) 2.0.22 > > libgcrypt 1.5.3 > > > > $ cat /etc/system-release > > CentOS Linux release 7.9.2009 (Core) > > Algorithm 18 is ECDH, which is not supported by gpg on > CentOS 7. You can confirm this in the Pubkey line of the > gpg --version output: > > $ gpg --version > gpg (GnuPG) 2.0.22 > libgcrypt 1.5.3 > [...] > > Home: ~/.gnupg > Supported algorithms: > Pubkey: RSA, ?, ?, ELG, DSA > Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, > CAMELLIA128, CAMELLIA192, CAMELLIA256 > Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 > Compression: Uncompressed, ZIP, ZLIB, BZIP2 > > On a newer Fedora system, ECDH is present: > > $ gpg --version --no-copyright > gpg (GnuPG) 2.4.0 > libgcrypt 1.10.1-unknown > [...] > > Home: /home/user/.gnupg > Supported algorithms: > Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA > Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, > CAMELLIA128, CAMELLIA192, CAMELLIA256 > Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 > Compression: Uncompressed, ZIP, ZLIB, BZIP2 > > -- > Todd > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > https://lists.gnupg.org/mailman/listinfo/gnupg-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From tmz at pobox.com Sun Apr 16 18:15:13 2023 From: tmz at pobox.com (Todd Zullinger) Date: Sun, 16 Apr 2023 12:15:13 -0400 Subject: gpg: can't handle public key algorithm 18 In-Reply-To: References:

Message-ID: Mike Schleif wrote: > Yes, I see that. > > However, our public key was generated by our GPG; and this file is > encrypted with our public key, since there is NO missing "secret key" error. > > Why, then, the subject error message? Perhaps the file is signed by an ECDH key? I can only guess. You might want to try the --list-packets option on the encrypted message. Adding -v (or -vv) when decrypting might help show the issue. -- Todd -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: not available URL: From wk at gnupg.org Mon Apr 17 15:22:42 2023 From: wk at gnupg.org (Werner Koch) Date: Mon, 17 Apr 2023 15:22:42 +0200 Subject: gpg: can't handle public key algorithm 18 In-Reply-To: (Mike Schleif's message of "Sun, 16 Apr 2023 10:12:24 -0500") References:

Message-ID: <87mt3663tp.fsf@wheatstone.g10code.de> On Sun, 16 Apr 2023 10:12, Mike Schleif said: >> > gpg (GnuPG) 2.0.22 That version reached end-of-life more than 5 years ago. Don't use it. >> $ gpg --version --no-copyright --no-copyright - There is no such option. What you meant was --no-greeting. Salam-Shalom, Werner -- The pioneers of a warless world are the youth that refuse military service. - A. Einstein -------------- next part -------------- A non-text attachment was scrubbed... Name: openpgp-digital-signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From konstantin at linuxfoundation.org Mon Apr 17 16:11:11 2023 From: konstantin at linuxfoundation.org (Konstantin Ryabitsev) Date: Mon, 17 Apr 2023 10:11:11 -0400 Subject: gpg: can't handle public key algorithm 18 In-Reply-To: <87mt3663tp.fsf@wheatstone.g10code.de> References:

<87mt3663tp.fsf@wheatstone.g10code.de> Message-ID: <20230417-tamper-gnarly-9a738d@meerkat> On Mon, Apr 17, 2023 at 03:22:42PM +0200, Werner Koch via Gnupg-users wrote: > >> > gpg (GnuPG) 2.0.22 > > That version reached end-of-life more than 5 years ago. Don't use it. If you need a newer version of GnuPG for RHEL7 systems, you can install gnupg24-static from this COPR: https://copr.fedorainfracloud.org/coprs/icon/lfit/packages/ -K From andrewg at andrewg.com Fri Apr 21 15:35:40 2023 From: andrewg at andrewg.com (Andrew Gallagher) Date: Fri, 21 Apr 2023 14:35:40 +0100 Subject: Flooding attack against synchronising keyservers In-Reply-To: <1560A136-39D1-4052-AF35-AEEE89BDCD3D@andrewg.com> References: <1560A136-39D1-4052-AF35-AEEE89BDCD3D@andrewg.com> Message-ID: <56BC8465-6A22-41ED-86F6-595C473253D8@andrewg.com> Hi, all. pgpkeys.eu is fully operational, is accepting key submissions and is syncing with two similarly recovered peers. The number of keys in the dataset is back to pre-flooding levels, and site reliability has been significantly improved. If you are an operator and need assistance recovering your system, please get in touch. Thanks, A > On 27 Mar 2023, at 18:47, Andrew Gallagher via Gnupg-users wrote: > > Signed PGP part > Hi, everyone. > > The synchronising keyserver network has been under an intermittent flooding attack for the past five days, resulting in the addition of approximately 3 million obviously-fake OpenPGP keys to the SKS dataset. The fake keys are currently being submitted multiple times per second via a large number of Tor exit relays, making them difficult to block using normal abuse mitigations. If unaddressed, this will eventually fill up the disk of all public synchronising servers. > > Effective immediately, pgpkeys.eu has been temporarily disconnected from all its peers, and is blocking all key submissions. It will remain available for key lookups but will not allow key updates while the flooding attack continues. > > I strongly recommend that other keyserver operators take similar measures, until a more permanent solution can be deployed. > > A -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: Message signed with OpenPGP URL: From bernhard at intevation.de Wed Apr 26 14:33:49 2023 From: bernhard at intevation.de (Bernhard Reiter) Date: Wed, 26 Apr 2023 14:33:49 +0200 Subject: Debian Packages for 2.4 (was: Application deadlock when using GnuPG, gpgsm, and Scute) In-Reply-To: <877cuipno7.fsf@kaka.sjd.se> References: <4d0dfd906aac33599d58cb45af805dc5a865f35d.camel@posteo.net> <3bcxhjecqg7nw6okolbuj6hjn2u63jkea5szvpr55kvqkiuz5t@6k765gzkc4y4> <877cuipno7.fsf@kaka.sjd.se> Message-ID: <202304261433.56356.bernhard@intevation.de> Hi Simon, Am Dienstag 11 April 2023 15:13:12 schrieb Simon Josefsson via Gnupg-users: > >> Are there well-maintained debian packages for GnuPG 2.4 anywhere? > >> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022702#10 > only took an hour or so to build bullseye packages for 2.2.40 and 2.4.0 > via gitlab. See how to test the packages below. [found the instructions in the link as well] > Of course, this is work in progress... See > https://gitlab.com/debdistutils/packages/cicd-config for background. > > I'm sure we could finalize this into stable URLs and sign the apt > repository using a GnuPG key if people find this interesting. Cool, thanks! Yes I am interested and I think others will be as well. > I would find packages for Trisquel aramo useful myself, > I'm not sure the bullseye packages work directly. If there is helpful input someone in this list has and is a Debian user, you can and should send it to the issue tracker. Regards Bernhard -- https://intevation.de/~bernhard ? +49 541 33 508 3-3 Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998 Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 659 bytes Desc: This is a digitally signed message part. URL: From bernhard at intevation.de Wed Apr 26 14:20:59 2023 From: bernhard at intevation.de (Bernhard Reiter) Date: Wed, 26 Apr 2023 14:20:59 +0200 Subject: using gpg-agent from web server mod_wsgi script In-Reply-To: <106f55f68d234dc055ba70e7298ab2424e65c1aa.camel@intel.com> References: <106f55f68d234dc055ba70e7298ab2424e65c1aa.camel@intel.com> Message-ID: <202304261421.08694.bernhard@intevation.de> Am Freitag 07 April 2023 01:20:07 schrieb Christian, Mark via Gnupg-users: > I was hoping to gpg-preset-passphrase a gpg-agent running under the apache > WSGI service account, so that a python gpgme web wsgi/cgi application could > access the gpg-agent's private key in order to run various gpg operations. > It seems the python mod_wsgi script is not finding the gpg-agent. I'm > wondering if this is possible? apache and mod_wsgi are most likely controlling the environment variables for the python process closely and running on a different user and thus directory than your gpg-agent. So the mod_wsgi process may not be able to access the agent's socket > I'm using gpg2 2.2.27 and python gpgme_version 1.16.0 Other solution approach: Use a private key without passphrase. Best, Bernhard [Answering an elder question where I haven't seen an answer to.] -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 659 bytes Desc: This is a digitally signed message part. URL: From wk at gnupg.org Fri Apr 28 15:47:52 2023 From: wk at gnupg.org (Werner Koch) Date: Fri, 28 Apr 2023 15:47:52 +0200 Subject: [Announce] GnuPG 2.4.1 released Message-ID: <87mt2s15kn.fsf@wheatstone.g10code.de> Hello! We are pleased to announce the availability of a new stable GnuPG release: version 2.4.1. This version fixes some minor regressions introduced with 2.4.0 and also adds a couple of new features. See below for details. What is GnuPG ============= The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation of the OpenPGP and S/MIME standards. GnuPG allows to encrypt and sign data and communication, features a versatile key management system as well as access modules for public key directories. GnuPG itself is a command line tool with features for easy integration with other applications. The separate library GPGME provides a uniform API to use the GnuPG engine by software written in common programming languages. A wealth of frontend applications and libraries making use of GnuPG are available. As an universal crypto engine GnuPG provides support for S/MIME and Secure Shell in addition to OpenPGP. GnuPG is Free Software (meaning that it respects your freedom). It can be freely used, modified and distributed under the terms of the GNU General Public License. Three different series of GnuPG are actively maintained: - Version 2.4 is the current stable version with a lot of new features compared to 2.2. This announcement is about the latest release of this series; the previous release was 2.3.8. - Version 2.2 is our LTS (long term support) version and guaranteed to be maintained at least until the end of 2024. Only a small subset of features from 2.4 has been back-ported to this series. See https://gnupg.org/download/index.html#end-of-life - Version 1.4 is only maintained to allow decryption of very old data which is, for security reasons, not anymore possible with other GnuPG versions. Please use 1.4 only for this purpose. Noteworthy changes in version 2.4.1 =================================== * If the ~/.gnupg directory does not exist, the keyboxd is now automagically enabled. [rGd9e7488b17] * gpg: New option --add-desig-revoker. [rG3d094e2bcf] * gpg: New option --assert-signer. [rGc9e95b8dee] * gpg: New command --quick-add-adsk and other ADSK features. [T6395, https://gnupg.org/blog/20230321-adsk.html] * gpg: New list-option "show-unusable-sigs". Also show "[self-signature]" instead of the user-id in key signature listings. [rG103acfe9ca] * gpg: For symmetric encryption the default S2K hash is now SHA256. [T6367] * gpg: Detect already compressed data also when using a pipe. Also detect JPEG and PNG file formats. [T6332] * gpg: New subcommand "openpgp" for --card-edit. [T6462] * gpgsm: Verification of detached signatures does now strip trailing zeroes from the input if --assume-binary is used. [rG2a13f7f9dc] * gpgsm: Non-armored detached signature are now created without using indefinite form length octets. This improves compatibility with some PDF signature verification software. [rG8996b0b655] * gpgtar: Emit progress status lines in create mode. [T6363] * dirmngr: The LDAP modifyTimestamp is now returned by some keyserver commands. [rG56d309133f] * ssh: Allow specification of the order keys are presented to ssh. See the man page entry for --enable-ssh-support. [T5996, T6212] * gpg: Make list-options "show-sig-subpackets" work again. Fixes regression in 2.4.0. [rG5a223303d7] * gpg: Fix the keytocard command for Yubikeys. [T6378] * gpg: Do not continue an export after a cancel for the primary key. [T6093] * gpg: Replace the --override-compliance-check hack by a real fix. [T5655] * gpgtar: Fix decryption with input taken from stdin. [T6355] Release-info: https://dev.gnupg.org/T6454 Getting the Software ==================== Please follow the instructions found at or read on: GnuPG may be downloaded from one of the GnuPG mirror sites or direct from its primary FTP server. The list of mirrors can be found at . Note that GnuPG is not available at ftp.gnu.org. The GnuPG source code compressed using BZIP2 and its OpenPGP signature are available here: https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2 (7169k) https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2.sig An installer for Windows without any graphical frontend except for a very minimal Pinentry tool is available here: https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.4.1_20230428.exe (5305k) https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.4.1_20230428.exe.sig The source used to build this Windows installer can be found in the same directory with a ".tar.xz" suffix. A new release of Gpg4win including this version of GnuPG will soon be announced. Checking the Integrity ====================== In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a version of GnuPG installed, you can simply verify the supplied signature. For example to verify the signature of the file gnupg-2.4.1.tar.bz2 you would use this command: gpg --verify gnupg-2.4.1.tar.bz2.sig gnupg-2.4.1.tar.bz2 This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by one or more of the release signing keys. Make sure that this is a valid key, either by matching the shown fingerprint against a trustworthy list of valid release signing keys or by checking that the key has been signed by trustworthy other keys. See the end of this mail for information on the signing keys. * If you are not able to use an existing version of GnuPG, you have to verify the SHA-1 checksum. On Unix systems the command to do this is either "sha1sum" or "shasum". Assuming you downloaded the file gnupg-2.4.1.tar.bz2, you run the command like this: sha1sum gnupg-2.4.1.tar.bz2 and check that the output matches the next line: d7d021101361a5e1166a6c0cc1731276e7134547 gnupg-2.4.1.tar.bz2 ddef13a3d099b72e4136d76918e9e11a27e58472 gnupg-w32-2.4.1_20230428.tar.xz 4fcd84cb78c84970bc874c123d223f6521c1e566 gnupg-w32-2.4.1_20230428.exe Internationalization ==================== This version of GnuPG has support for 26 languages with Chinese (traditional and simplified), Czech, French, German, Italian, Japanese, Norwegian, Polish, Russian, Turkish, and Ukrainian being almost completely translated. Documentation and Support ========================= The file gnupg.info has the complete reference manual of the system. Separate man pages are included as well but they miss some of the details available only in the manual. The manual is also available online at https://gnupg.org/documentation/manuals/gnupg/ or can be downloaded as PDF at https://gnupg.org/documentation/manuals/gnupg.pdf You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing list for advise on how to solve problems. Most of the new features are around for several years and thus enough public experience is available. https://wiki.gnupg.org has user contributed information around GnuPG and relate software. In case of build problems specific to this release please first check https://dev.gnupg.org/T6454 for updated information. Please consult the archive of the gnupg-users mailing list before reporting a bug: https://gnupg.org/documentation/mailing-lists.html. We suggest to send bug reports for a new release to this list in favor of filing a bug at https://bugs.gnupg.org. If you need commercial support go to https://gnupg.com or https://gnupg.org/service.html. If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion. Job Opportunity =============== We are looking for an experienced technical person for the g10 Code office in Erkrath. Your duties would be help with system administration and to extend our technical support team. Although we are running completely on free software, most of our customers are running Windows; thus experience with Windows management will be of advantage as well as a reasonable proficiency in German. If you are interested in a full time employment please contact us my mail. Thanks ====== Since 2001 maintenance and development of GnuPG is done by g10 Code GmbH and has mostly been financed by donations. Several full-time employed developers and contractors are working exclusively on GnuPG and closely related software like Libgcrypt, GPGME and Gpg4win. Fortunately, and this is still not common with free software, we have established a way of financing the development while keeping all our software free and freely available for everyone. Our model is similar to the way RedHat manages RHEL and Fedora: Except for the actual binary of the MSI installer for Windows and client specific configuration files, all the software is available under the GNU GPL and other Open Source licenses. Thus customers may even build and distribute their own version of the software as long as they do not use our trademarks GnuPG Desktop? or GnuPG VS-Desktop?. We like to thank all the nice people who are helping the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, answering questions on the mailing lists, or helped with donations. *Thank you all* Your GnuPG hackers p.s. This is an announcement only mailing list. Please send replies only to the gnupg-users at gnupg.org mailing list. List of Release Signing Keys: To guarantee that a downloaded GnuPG version has not been tampered by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these four keys: rsa3072 2017-03-17 [expires: 2027-03-15] 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28 Andre Heinecke (Release Signing Key) ed25519 2020-08-24 [expires: 2030-06-30] 6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA Werner Koch (dist signing 2020) ed25519 2021-05-19 [expires: 2027-04-04] AC8E 115B F73E 2D8D 47FA 9908 E98E 9B2D 19C6 C8BD Niibe Yutaka (GnuPG Release Key) brainpoolP256r1 2021-10-15 [expires: 2029-12-31] 02F3 8DFF 731F F97C B039 A1DA 549E 695E 905B A208 GnuPG.com (Release Signing Key 2021) The keys are available at https://gnupg.org/signature_key.html and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key. -- The pioneers of a warless world are the youth that refuse military service. - A. Einstein -------------- next part -------------- A non-text attachment was scrubbed... Name: openpgp-digital-signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: -------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From johanw at vulcan.xs4all.nl Fri Apr 28 16:57:11 2023 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Fri, 28 Apr 2023 16:57:11 +0200 Subject: ADK's (was: [Announce] GnuPG 2.4.1 released) In-Reply-To: <87mt2s15kn.fsf@wheatstone.g10code.de> References: <87mt2s15kn.fsf@wheatstone.g10code.de> Message-ID: <693912b3-7ef6-c201-65dc-942fdd265725@vulcan.xs4all.nl> On 2023-04-28 15:47, Werner Koch via Gnupg-users wrote: > * gpg: New command --quick-add-adsk and other ADSK features. > [T6395, https://gnupg.org/blog/20230321-adsk.html] So you finally caved in to the backdoor demands. What I'm missing (maybe I just didn't found it?) is an option in my config file to ignore adk requests and just don't encrypt to those keys as well when I send or reply a message. -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From tmz at pobox.com Fri Apr 28 17:21:54 2023 From: tmz at pobox.com (Todd Zullinger) Date: Fri, 28 Apr 2023 11:21:54 -0400 Subject: [Announce] GnuPG 2.4.1 released In-Reply-To: <87mt2s15kn.fsf@wheatstone.g10code.de> References: <87mt2s15kn.fsf@wheatstone.g10code.de> Message-ID: Hi, Werner Koch via Gnupg-users wrote: > Getting the Software > ==================== > > Please follow the instructions found at or > read on: > > GnuPG may be downloaded from one of the GnuPG mirror sites or direct > from its primary FTP server. The list of mirrors can be found at > . Note that GnuPG is not > available at ftp.gnu.org. > > The GnuPG source code compressed using BZIP2 and its OpenPGP signature > are available here: > > https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2 (7169k) > https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2.sig It seems neither of these files have not made it to the server yet: $ curl -I https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2 HTTP/1.1 404 Not Found Date: Fri, 28 Apr 2023 15:19:07 GMT Strict-Transport-Security: max-age=31536000 Accept-Ranges: bytes Connection: close Content-Type: text/html; charset=ISO-8859-1 $ curl -I https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2.sig HTTP/1.1 404 Not Found Date: Fri, 28 Apr 2023 15:19:07 GMT Strict-Transport-Security: max-age=31536000 Accept-Ranges: bytes Connection: close Content-Type: text/html; charset=ISO-8859-1 -- Todd -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: not available URL: From johanw at vulcan.xs4all.nl Fri Apr 28 16:34:41 2023 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Fri, 28 Apr 2023 16:34:41 +0200 Subject: [Announce] GnuPG 2.4.1 released In-Reply-To: <87mt2s15kn.fsf@wheatstone.g10code.de> References: <87mt2s15kn.fsf@wheatstone.g10code.de> Message-ID: <4252da96-b55e-c193-104f-a15091795ed3@vulcan.xs4all.nl> I get a 404 not found, the last version preesent on the server is 2.4.0. -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From bernhard at intevation.de Fri Apr 28 17:32:07 2023 From: bernhard at intevation.de (Bernhard Reiter) Date: Fri, 28 Apr 2023 17:32:07 +0200 Subject: [Announce] GnuPG 2.4.1 released In-Reply-To: <87mt2s15kn.fsf@wheatstone.g10code.de> References: <87mt2s15kn.fsf@wheatstone.g10code.de> Message-ID: <202304281732.08360.bernhard@intevation.de> Am Freitag 28 April 2023 15:47:52 schrieb Werner Koch via Gnupg-devel: > We are pleased to announce the availability of a new stable GnuPG > release: version 2.4.1. Congrats! > - Version 2.4 is the current stable version with a lot of new features > compared to 2.2. This announcement is about the latest release of > this series; the previous release was 2.3.8. This reads like "2.3.8" was a typo, maybe something to check for the next announcement. Best Regards Bernhard -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 659 bytes Desc: This is a digitally signed message part. URL: From bernhard at intevation.de Fri Apr 28 18:22:30 2023 From: bernhard at intevation.de (Bernhard Reiter) Date: Fri, 28 Apr 2023 18:22:30 +0200 Subject: files are there now (Re: [Announce] GnuPG 2.4.1 released) In-Reply-To: References: <87mt2s15kn.fsf@wheatstone.g10code.de> Message-ID: <202304281822.38147.bernhard@intevation.de> Am Freitag 28 April 2023 17:21:54 schrieb Todd Zullinger via Gnupg-users: > > https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2 (7169k) > > https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2.sig > > It seems neither of these files have not made it to the > server yet: They are now. (Though not visible on https://gnupg.org/ftp/gcrypt/gnupg/ yet ) curl --silent https://gnupg.org/ftp/gcrypt/gnupg/ | grep '2\.4\.1' | wc -l 0 ) Best Regards Bernhard -- https://intevation.de/~bernhard ? +49 541 33 508 3-3 Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998 Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 659 bytes Desc: This is a digitally signed message part. URL: From mlnl at mailbox.org Fri Apr 28 23:03:49 2023 From: mlnl at mailbox.org (mlnl) Date: Fri, 28 Apr 2023 23:03:49 +0200 Subject: ADK's (was: [Announce] GnuPG 2.4.1 released) In-Reply-To: <693912b3-7ef6-c201-65dc-942fdd265725@vulcan.xs4all.nl> References: <87mt2s15kn.fsf@wheatstone.g10code.de> <693912b3-7ef6-c201-65dc-942fdd265725@vulcan.xs4all.nl> Message-ID: <20230428230349.429d3d3a@localhost> Hi Johan, Johan Wevers via Gnupg-users wrote: >On 2023-04-28 15:47, Werner Koch via Gnupg-users wrote: > >> * gpg: New command --quick-add-adsk and other ADSK features. >> [T6395, https://gnupg.org/blog/20230321-adsk.html] > >So you finally caved in to the backdoor demands. If there is no option as you say, i would say yes. >What I'm missing (maybe I just didn't found it?) is an option in my >config file to ignore adk requests and just don't encrypt to those keys >as well when I send or reply a message. ACK, absolutely necessary. Otherwise GnuPG would no longer be a trustworthy encryption solution. -- mlnl GPG:1FC05426F87FA623 From steffen at sdaoden.eu Sat Apr 29 01:52:46 2023 From: steffen at sdaoden.eu (Steffen Nurpmeso) Date: Sat, 29 Apr 2023 01:52:46 +0200 Subject: ADK's (was: [Announce] GnuPG 2.4.1 released) In-Reply-To: <20230428230349.429d3d3a@localhost> References: <87mt2s15kn.fsf@wheatstone.g10code.de> <693912b3-7ef6-c201-65dc-942fdd265725@vulcan.xs4all.nl> <20230428230349.429d3d3a@localhost> Message-ID: <20230428235246.VS_pS%steffen@sdaoden.eu> gnupg-users at gnupg.org wrote in <20230428230349.429d3d3a at localhost>: |Johan Wevers via Gnupg-users wrote: |>On 2023-04-28 15:47, Werner Koch via Gnupg-users wrote: |> |>> * gpg: New command --quick-add-adsk and other ADSK features. |>> [T6395, https://gnupg.org/blog/20230321-adsk.html] |> |>So you finally caved in to the backdoor demands. | |If there is no option as you say, i would say yes. | |>What I'm missing (maybe I just didn't found it?) is an option in my |>config file to ignore adk requests and just don't encrypt to those keys |>as well when I send or reply a message. | |ACK, absolutely necessary. Otherwise GnuPG would no longer be a |trustworthy encryption solution. And Patrice Lumumba was thrown into a pit of slaked lime. (After being beaten to death with rifle butts on the flight from western to eastern Kongo, as far as i know. But wild times still under colonial money mighty. (Afaik.)) --steffen | |Der Kragenbaer, The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt) |~~ |..and in spring, hear David Leonard sing.. | |The black bear, The black bear, |blithely holds his own holds himself at leisure |beating it, up and down tossing over his ups and downs with pleasure |~~ |Farewell, dear collar bear From ralph at ml.seichter.de Sat Apr 29 07:36:48 2023 From: ralph at ml.seichter.de (Ralph Seichter) Date: Sat, 29 Apr 2023 07:36:48 +0200 Subject: [Announce] GnuPG for OS X 2.4.1 Message-ID: <87edo3w8pb.fsf@ra.horus-it.com> GnuPG for OS X / macOS release 2.4.1 is now available for download via https://sourceforge.net/p/gpgosx/docu/Download/ . The disk image signature key is available via public keyservers, and it can also be downloaded from https://www.seichter.de/pgp/gpgosx-signing.asc . pub ed25519/FD56297D9833FF7F 2022-07-07 [SC] [expires: 2027-07-06] Key fingerprint = EAB0 FE4F F793 D9E7 028E C8E2 FD56 297D 9833 FF7F uid [ultimate] Ralph Seichter (GnuPG for OS X signing key) GnuPG 2.4.x is installed in /usr/local/gnupg-2.4 instead of the formerly hardcoded directory /usr/local/gnupg-2.2. This enables installing both stable and LTS releases of GnuPG for OS X side by side, for advanced users' needs. The one caveat is that the latest installation will replace existing soft links in /usr/local/{bin,lib}. Please use absolute paths like /usr/local/gnupg-2.2/bin/gpg2 if necessary. Enjoy. -Ralph From ckeader at disroot.org Sun Apr 30 01:15:22 2023 From: ckeader at disroot.org (ckeader) Date: Sun, 30 Apr 2023 00:15:22 +0100 Subject: ADK's (was: [Announce] GnuPG 2.4.1 released) In-Reply-To: <693912b3-7ef6-c201-65dc-942fdd265725@vulcan.xs4all.nl> References: <87mt2s15kn.fsf@wheatstone.g10code.de> <693912b3-7ef6-c201-65dc-942fdd265725@vulcan.xs4all.nl> Message-ID: Johan Wevers via Gnupg-users writes: > On 2023-04-28 15:47, Werner Koch via Gnupg-users wrote: > > > * gpg: New command --quick-add-adsk and other ADSK features. > > [T6395, https://gnupg.org/blog/20230321-adsk.html] > > So you finally caved in to the backdoor demands. > > What I'm missing (maybe I just didn't found it?) is an option in my > config file to ignore adk requests and just don't encrypt to those keys > as well when I send or reply a message. Can't call it that as long as it's under user control (every long option of the software has an equivalent config file option. You don't add such a key via config or command line, no adsk will happen as it's not configured). If you're using gpg built by your org, you have no trustworthy environment anyway. And the feature needs to be supported by the client. In the face of email having been hijacked by the corporates/Micros~t+Exchange and intrinsically broken S/MIME, practical relevance: close to zero. From johanw at vulcan.xs4all.nl Sun Apr 30 12:30:29 2023 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Sun, 30 Apr 2023 12:30:29 +0200 Subject: ADK's (was: [Announce] GnuPG 2.4.1 released) In-Reply-To: References: <87mt2s15kn.fsf@wheatstone.g10code.de> <693912b3-7ef6-c201-65dc-942fdd265725@vulcan.xs4all.nl> Message-ID: <807ba2da-80d1-1dbc-a4e0-95e3e509cf07@vulcan.xs4all.nl> On 2023-04-30 1:15, ckeader via Gnupg-users wrote: > Can't call it that as long as it's under user control (every long option of the software has an equivalent config file option. You don't add such a key via config or command line, no adsk will happen as it's not configured). On my key, yes, I can choose to add an adk or not of course. But suppose I want to encrypt to a key that has an adk added, but I only want to encrypt to that key and not to the added adk? How do I do that? > If you're using gpg built by your org, you have no trustworthy environment anyway. Probably, but when I answer a mail from home with my own GnuPG I want to be able to ignore adk's. > And the feature needs to be supported by the client. You, currently I run gpg 2.2 so it's not of immediate concern. But when I eventually upgrade I want to be able to ignore adk's. -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From andrewg at andrewg.com Sun Apr 30 13:22:53 2023 From: andrewg at andrewg.com (Andrew Gallagher) Date: Sun, 30 Apr 2023 12:22:53 +0100 Subject: ADK's (was: [Announce] GnuPG 2.4.1 released) In-Reply-To: <807ba2da-80d1-1dbc-a4e0-95e3e509cf07@vulcan.xs4all.nl> References: <87mt2s15kn.fsf@wheatstone.g10code.de> <693912b3-7ef6-c201-65dc-942fdd265725@vulcan.xs4all.nl> <807ba2da-80d1-1dbc-a4e0-95e3e509cf07@vulcan.xs4all.nl> Message-ID: On 30 Apr 2023, at 11:30, Johan Wevers via Gnupg-users wrote: > > On 2023-04-30 1:15, ckeader via Gnupg-users wrote: > >> Can't call it that as long as it's under user control (every long option of the software has an equivalent config file option. You don't add such a key via config or command line, no adsk will happen as it's not configured). > > On my key, yes, I can choose to add an adk or not of course. But suppose > I want to encrypt to a key that has an adk added, but I only want to > encrypt to that key and not to the added adk? How do I do that? Just curious, what?s the threat scenario here? If you suspect that your correspondent?s key preferences have been tampered with by a third party then surely the entire key is supect and shouldn?t be used at all? If on the other hand you believe that it has not been tampered with, but your correspondent has been negligent in configuring it, then maybe you shouldn?t trust your correspondent? A -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: Message signed with OpenPGP URL: From wk at gnupg.org Sun Apr 30 14:05:42 2023 From: wk at gnupg.org (Werner Koch) Date: Sun, 30 Apr 2023 14:05:42 +0200 Subject: [Announce] GnuPG 2.4.1 released In-Reply-To: (Todd Zullinger's message of "Fri, 28 Apr 2023 11:21:54 -0400") References: <87mt2s15kn.fsf@wheatstone.g10code.de> Message-ID: <87o7n5ziax.fsf@wheatstone.g10code.de> On Fri, 28 Apr 2023 11:21, Todd Zullinger said: > It seems neither of these files have not made it to the > server yet: Sorry for that. I have used a new build machine and obviously forgot one of the last steps. Most of the release process is scripted but the final upload needs to be done manually (after signing, copying to the internal archive, updating the repo, writing announcement and updating the web page). Fixed after Bernhard called me at home. Shalom-Salam, Werner -- The pioneers of a warless world are the youth that refuse military service. - A. Einstein -------------- next part -------------- A non-text attachment was scrubbed... Name: openpgp-digital-signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From wk at gnupg.org Sun Apr 30 14:10:16 2023 From: wk at gnupg.org (Werner Koch) Date: Sun, 30 Apr 2023 14:10:16 +0200 Subject: ADK's In-Reply-To: <693912b3-7ef6-c201-65dc-942fdd265725@vulcan.xs4all.nl> (Johan Wevers via Gnupg-users's message of "Fri, 28 Apr 2023 16:57:11 +0200") References: <87mt2s15kn.fsf@wheatstone.g10code.de> <693912b3-7ef6-c201-65dc-942fdd265725@vulcan.xs4all.nl> Message-ID: <87jzxtzi3b.fsf@wheatstone.g10code.de> On Fri, 28 Apr 2023 16:57, Johan Wevers said: > So you finally caved in to the backdoor demands. In business it is quite common to share subkeys with others. Thus the ADSK makes it only more explicit and flexible. See the blog entry. > What I'm missing (maybe I just didn't found it?) is an option in my > config file to ignore adk requests and just don't encrypt to those keys It does not make any sense so have such an option. If a user wants to allow colleagues or an archive system to decrypt her mails that is her decision. Salam-Shalom, Werner -- The pioneers of a warless world are the youth that refuse military service. - A. Einstein -------------- next part -------------- A non-text attachment was scrubbed... Name: openpgp-digital-signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From johanw at vulcan.xs4all.nl Sun Apr 30 14:42:57 2023 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Sun, 30 Apr 2023 14:42:57 +0200 Subject: ADK's (was: [Announce] GnuPG 2.4.1 released) In-Reply-To: References: <87mt2s15kn.fsf@wheatstone.g10code.de> <693912b3-7ef6-c201-65dc-942fdd265725@vulcan.xs4all.nl> <807ba2da-80d1-1dbc-a4e0-95e3e509cf07@vulcan.xs4all.nl> Message-ID: <43693178-7263-7400-defe-58722d27ad5a@vulcan.xs4all.nl> On 2023-04-30 13:22, Andrew Gallagher via Gnupg-users wrote: > Just curious, what?s the threat scenario here? The HR department of the receiver. -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From johanw at vulcan.xs4all.nl Sun Apr 30 14:45:27 2023 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Sun, 30 Apr 2023 14:45:27 +0200 Subject: ADK's In-Reply-To: <87jzxtzi3b.fsf@wheatstone.g10code.de> References: <87mt2s15kn.fsf@wheatstone.g10code.de> <693912b3-7ef6-c201-65dc-942fdd265725@vulcan.xs4all.nl> <87jzxtzi3b.fsf@wheatstone.g10code.de> Message-ID: On 2023-04-30 14:10, Werner Koch via Gnupg-users wrote: > It does not make any sense so have such an option. If a user wants to > allow colleagues or an archive system to decrypt her mails that is her > decision. What I've had in practice in one company: you got a company key with a personal key and an adk added. Nothing to want from my part there. If I want to mail someone at such a company I may just want to ignore the adk. -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From andrewg at andrewg.com Sun Apr 30 14:58:17 2023 From: andrewg at andrewg.com (Andrew Gallagher) Date: Sun, 30 Apr 2023 13:58:17 +0100 Subject: ADK's In-Reply-To: References: Message-ID: <8409E3A7-DA83-4EAD-AD7B-E57CC24C5254@andrewg.com> On 30 Apr 2023, at 13:45, Johan Wevers via Gnupg-users wrote: > > ?On 2023-04-30 14:10, Werner Koch via Gnupg-users wrote: > >> It does not make any sense so have such an option. If a user wants to >> allow colleagues or an archive system to decrypt her mails that is her >> decision. > > What I've had in practice in one company: you got a company key with a > personal key and an adk added. Nothing to want from my part there. If I > want to mail someone at such a company I may just want to ignore the adk. E2E encryption can?t protect you from your correspondent disclosing your communication at the other end. Whether this is done voluntarily or under duress from their employer is an opsec issue, not a comsec one. If you don?t want your correspondent?s employer reading your emails, don?t send messages to their work email address. The danger of an ?ignore ADK? option is that it gives a false sense of security. It is already possible for an employer to require escrow of the decryption subkeys of their employees - ADK actually makes this process more transparent. A From johanw at vulcan.xs4all.nl Sun Apr 30 15:41:31 2023 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Sun, 30 Apr 2023 15:41:31 +0200 Subject: ADK's In-Reply-To: <8409E3A7-DA83-4EAD-AD7B-E57CC24C5254@andrewg.com> References: <8409E3A7-DA83-4EAD-AD7B-E57CC24C5254@andrewg.com> Message-ID: <2de12ab8-b0a0-5c15-5c7a-ea8f241b1ec7@vulcan.xs4all.nl> On 2023-04-30 14:58, Andrew Gallagher via Gnupg-users wrote: > E2E encryption can?t protect you from your correspondent disclosing your communication at the other end. That is obvious. > Whether this is done voluntarily or under duress from their employer is an opsec issue, not a comsec one. If it is an ex-employer that might be more compicated. > The danger of an ?ignore ADK? option is that it gives a false sense of security. It is already possible for an employer to require escrow of the decryption subkeys of their employees - ADK actually makes this process more transparent. That might be, but it is nowhere certain that this escrow will happen, especially if they roll out adk's. Not providing such an option might be a case where the perfect is the enemy of the good: it might not be a perfect solution but it can be better than the alternative. Besides, this is begging for GnuPG forks to arise, and if those forks are well implemented remains to be seen. -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From andrewg at andrewg.com Sun Apr 30 16:54:21 2023 From: andrewg at andrewg.com (Andrew Gallagher) Date: Sun, 30 Apr 2023 15:54:21 +0100 Subject: ADK's Message-ID: <2199A4D9-31B8-48FD-AD1B-A490E381CB2A@andrewg.com> ?On 30 Apr 2023, at 14:42, Johan Wevers via Gnupg-users wrote: > > ?On 2023-04-30 14:58, Andrew Gallagher via Gnupg-users wrote: >> Whether this is done voluntarily or under duress from their employer is an opsec issue, not a comsec one. > > If it is an ex-employer that might be more compicated. Indeed. If this is in your threat model then don?t use work email addresses for personal communication, because encryption cannot protect you. >> The danger of an ?ignore ADK? option is that it gives a false sense of security. It is already possible for an employer to require escrow of the decryption subkeys of their employees - ADK actually makes this process more transparent. > > That might be, but it is nowhere certain that this escrow will happen, > especially if they roll out adk's. You?re inverting the burden of proof here. The important consideration is that E2E can?t prove that a key *wasn?t* escrowed - so it?s much better for the software to make no claims about it than potentially misleading ones. A From johanw at vulcan.xs4all.nl Sun Apr 30 17:41:31 2023 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Sun, 30 Apr 2023 17:41:31 +0200 Subject: ADK's In-Reply-To: <2199A4D9-31B8-48FD-AD1B-A490E381CB2A@andrewg.com> References: <2199A4D9-31B8-48FD-AD1B-A490E381CB2A@andrewg.com> Message-ID: On 2023-04-30 16:54, Andrew Gallagher via Gnupg-users wrote: >> That might be, but it is nowhere certain that this escrow will happen, >> especially if they roll out adk's. > > You?re inverting the burden of proof here. The important consideration is that E2E can?t prove that a key *wasn?t* escrowed - so it?s much better for the software to make no claims about it than potentially misleading ones. There is also no strict proof that the employer doesn't have access to the personal key of the receiver. All I want is an option to ignore adk's - and it should not claim anything else than that. -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From ineiev at gnu.org Sun Apr 30 21:01:42 2023 From: ineiev at gnu.org (Ineiev) Date: Sun, 30 Apr 2023 19:01:42 +0000 Subject: ADK's In-Reply-To: References: <2199A4D9-31B8-48FD-AD1B-A490E381CB2A@andrewg.com> Message-ID: <20230430190142.GA155004@manas> On Sun, Apr 30, 2023 at 05:41:31PM +0200, Johan Wevers via Gnupg-users wrote: > > All I want is an option to ignore adk's - and it should not claim > anything else than that. Can't you remove ADK subkeys from your keyring? -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: not available URL: From vedaal at nym.hush.com Sun Apr 30 23:27:42 2023 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Sun, 30 Apr 2023 17:27:42 -0400 Subject: ADK's In-Reply-To: <20230430190142.GA155004@manas> References: <2199A4D9-31B8-48FD-AD1B-A490E381CB2A@andrewg.com> <20230430190142.GA155004@manas> Message-ID: <20230430212742.E3782803281@smtp.hushmail.com> There are 2 simple workarounds to employment ADK's : [ 1 ]. Send a symmetrically encrypted message to the key with the ADK(This will require an agreed upon symmetric passphrase communicated in person, phone, or another non-ADK manner) [ 2 ]. Generate a non-ADK key, not uploaded to any server and send and receive messages with a hidden-ID option, and keep this key on a separated keyring. This can be communicated symmetrically as in [ 1 ]. vedaal -------------- next part -------------- An HTML attachment was scrubbed... URL: