From gnupg-users at aschoettler.com Sun Jan 1 03:54:21 2023
From: gnupg-users at aschoettler.com (gnupg-users at aschoettler.com)
Date: Sun, 01 Jan 2023 03:54:21 +0100
Subject: Expiration date of subkeys (retroactive)
Message-ID: <20230101035421.Horde.6eCy0F8Q8TyYC_u77bipyic@webmail.your-server.de>

I have several GnuPG keys which I edited with KGpg.
https://apps.kde.org/de/kgpg/

Unfortunately, the subkeys were not taken into account when setting
the expiry date.
How can I retroactively edit my expired keys and expire the subkeys?

Important: I don't want to change the existing expiration date! So
renewing the keys is not an option.

From gnupg-users at aschoettler.com Sun Jan 1 03:53:08 2023
From: gnupg-users at aschoettler.com (gnupg-users at aschoettler.com)
Date: Sun, 01 Jan 2023 03:53:08 +0100
Subject: Creation and Expiration timestamp
Message-ID: <20230101035308.Horde.sF_Z4VY4dSKF3TyfykXhPZG@webmail.your-server.de>

Where can I see the internal creation and expiration timestamp of my keys?
In the command line and in various frontends I only see the date
without the time.

From kloecker at kde.org Sun Jan 1 15:51:18 2023
From: kloecker at kde.org (Ingo Klöcker)
Date: Sun, 01 Jan 2023 15:51:18 +0100
Subject: Creation and Expiration timestamp
In-Reply-To: <20230101035308.Horde.sF_Z4VY4dSKF3TyfykXhPZG@webmail.your-server.de>
References: <20230101035308.Horde.sF_Z4VY4dSKF3TyfykXhPZG@webmail.your-server.de>
Message-ID: <13176668.uLZWGnKmhe@daneel>

On Sunday, 1 January 2023 03:53:08 CET gnupg-users at aschoettler.com wrote:
> Where can I see the internal creation and expiration timestamp of my keys?
> In the command line and in various frontends I only see the date
> without the time.

If you really must know the exact second then use the option --with-colons
when listing the keys. The timestamps are given as seconds since Unix epoch.
You can use the `date` command to convert this number to your local time.
Regards,
Ingo

From kloecker at kde.org Sun Jan 1 15:57:11 2023
From: kloecker at kde.org (Ingo Klöcker)
Date: Sun, 01 Jan 2023 15:57:11 +0100
Subject: Expiration date of subkeys (retroactive)
In-Reply-To: <20230101035421.Horde.6eCy0F8Q8TyYC_u77bipyic@webmail.your-server.de>
References: <20230101035421.Horde.6eCy0F8Q8TyYC_u77bipyic@webmail.your-server.de>
Message-ID: <10205399.nUPlyArG6x@daneel>

On Sunday, 1 January 2023 03:54:21 CET gnupg-users at aschoettler.com wrote:
> I have several GnuPG keys which I edited with KGpg.
> https://apps.kde.org/de/kgpg/
>
> Unfortunately, the subkeys were not taken into account when setting
> the expiry date.
> How can I retroactively edit my expired keys and expire the subkeys?

With the expire command of `gpg --edit-key`. You may have to use the
--faked-system-time option (or change the system time of your computer)
because, if I remember correctly, gpg doesn't allow setting an expiration
date in the past.

Regards,
Ingo

From andrewg at andrewg.com Sun Jan 1 19:17:41 2023
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Sun, 1 Jan 2023 18:17:41 +0000
Subject: Expiration date of subkeys (retroactive)
In-Reply-To: <20230101035421.Horde.6eCy0F8Q8TyYC_u77bipyic@webmail.your-server.de>
References: <20230101035421.Horde.6eCy0F8Q8TyYC_u77bipyic@webmail.your-server.de>
Message-ID: <939A9732-84BB-4EF3-8E30-C6276404C5F9@andrewg.com>

On 1 Jan 2023, at 03:49, gnupg-users at aschoettler.com wrote:
>
> I have several GnuPG keys which I edited with KGpg.
> https://apps.kde.org/de/kgpg/
>
> Unfortunately, the subkeys were not taken into account when setting the expiry date.
> How can I retroactively edit my expired keys and expire the subkeys?

If your primary key is already expired, there's not much advantage to be
gained by explicitly expiring the subkeys. It's conceptually tidier, but a
subkey of an expired primary key is just as (in)valid either way.

The expiry date of a subkey is meant to expire the subkey earlier than its
primary; the inverse case (subkey expiring later than its primary) is
meaningless - once the primary is expired the entire key should be
considered expired, subkeys and all.

The only exception might be if you are interacting with client software
that doesn't calculate validity correctly, and needs the extra hint.

A

From wk at gnupg.org Mon Jan 2 11:42:21 2023
From: wk at gnupg.org (Werner Koch)
Date: Mon, 02 Jan 2023 11:42:21 +0100
Subject: location of pubring.db
In-Reply-To: <9519b9e6-f176-9afe-2dfc-e2b6a45763c0@gmail.com> (Kosuke Kaizuka via Gnupg-users's message of "Fri, 30 Dec 2022 19:48:27 +0900")
References: <9519b9e6-f176-9afe-2dfc-e2b6a45763c0@gmail.com>
Message-ID: <87h6x9i5f6.fsf@wheatstone.g10code.de>

On Fri, 30 Dec 2022 19:48, Kosuke Kaizuka said:

> keyring /path/to/pubring.db (does not work)
>
> "keyring" does not work any more with "use-keyboxd"?

That is correct. The keyboxd uses a fixed location for its database and
there may only be one. keyring has no effect as long as use-keyboxd is
active - if that option is disabled the keyring option is used again.

Shalom-Salam,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

From wk at gnupg.org Mon Jan 2 11:44:39 2023
From: wk at gnupg.org (Werner Koch)
Date: Mon, 02 Jan 2023 11:44:39 +0100
Subject: Creation and Expiration timestamp
In-Reply-To: <13176668.uLZWGnKmhe@daneel> ("Ingo Klöcker"'s message of "Sun, 01 Jan 2023 15:51:18 +0100")
References: <20230101035308.Horde.sF_Z4VY4dSKF3TyfykXhPZG@webmail.your-server.de> <13176668.uLZWGnKmhe@daneel>
Message-ID: <87cz7xi5bc.fsf@wheatstone.g10code.de>

On Sun, 1 Jan 2023 15:51, Ingo Klöcker said:

> If you really must know the exact second then use the option --with-colons
> when listing the keys. The timestamps are given as seconds since Unix epoch.
> You can use the `date` command to convert this number to your local time.

Or use

  --full-timestrings
      Change the format of printed creation and expiration times from
      just the date to the date and time. This is in general not useful
      and the same information is anyway available in --with-colons
      mode. These longer strings are also not well aligned with other
      printed data.

(since 2.3.0)

Salam-Shalom,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
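
The following is an added example, not part of any list message and not GnuPG's own code. It reads the creation and expiration fields of `--with-colons` output with second resolution, as described in the timestamp thread above, and applies the rule from the subkey-expiry thread that a subkey is never valid longer than its primary. Assumptions: the colon layout from GnuPG's doc/DETAILS (field 5 key ID, field 6 creation, field 7 expiration, given as epoch seconds or as an ISO string containing "T"); the key listing and all function names are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Constructed listing (not real keys): a primary key that expired on
# 2023-01-01 and three subkeys with no, an earlier, and a later expiry.
SAMPLE = """\
pub:e:255:22:AAAAAAAAAAAAAAAA:1609473261:1672531200::-:::sc:::::ed25519:::0:
uid:e::::1609473261::::Example User <user@example.org>::::::::::0:
sub:e:255:18:BBBBBBBBBBBBBBBB:1609473261::::::e:::::cv25519::
sub:e:255:22:CCCCCCCCCCCCCCCC:1609473261:1640995200:::::s:::::ed25519::
sub:e:255:22:DDDDDDDDDDDDDDDD:1609473261:1704067200:::::s:::::ed25519::
"""

# Constructed reference time used by the demo output below.
NOW = datetime(2023, 1, 1, 3, 54, 21, tzinfo=timezone.utc)


@dataclass
class Key:
    kind: str                      # pub/sec for primaries, sub/ssb for subkeys
    keyid: str
    created: Optional[datetime]
    expires: Optional[datetime]    # None means "does not expire"
    subkeys: List["Key"] = field(default_factory=list)


def parse_ts(value: str) -> Optional[datetime]:
    """Convert a colon-listing timestamp field to an aware UTC datetime."""
    if not value:
        return None
    if "T" in value:               # ISO form, e.g. 19660205T091500
        parsed = datetime.strptime(value, "%Y%m%dT%H%M%S")
        return parsed.replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def parse_keys(listing: str) -> List[Key]:
    """Group sub/ssb records under the preceding pub/sec record."""
    primaries: List[Key] = []
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 7 or f[0] not in ("pub", "sec", "sub", "ssb"):
            continue               # uid, fpr, grp, ... carry no key expiry
        key = Key(f[0], f[4], parse_ts(f[5]), parse_ts(f[6]))
        if key.kind in ("pub", "sec"):
            primaries.append(key)
        elif primaries:
            primaries[-1].subkeys.append(key)
    return primaries


def effective_expiry(primary: Key, key: Key) -> Optional[datetime]:
    """Earlier of the key's own expiry and its primary's expiry."""
    dates = [d for d in (primary.expires, key.expires) if d is not None]
    return min(dates) if dates else None


def iso(ts: Optional[datetime]) -> Optional[str]:
    return ts.isoformat() if ts is not None else None


def report(listing: str, now: datetime) -> List[dict]:
    """One row per key with full timestamps and the effective expiry."""
    rows = []
    for pub in parse_keys(listing):
        for key in [pub] + pub.subkeys:
            eff = effective_expiry(pub, key)
            rows.append({
                "kind": key.kind,
                "keyid": key.keyid,
                "created": iso(key.created),
                "own_expiry": iso(key.expires),
                "effective_expiry": iso(eff),
                "expired": eff is not None and eff <= now,
                # Subkey whose own expiry is missing or later than the
                # primary's: the case the original poster wants to tidy up.
                "outlives_primary": key is not pub
                and pub.expires is not None
                and (key.expires is None or key.expires > pub.expires),
            })
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE, NOW):
        print(row)
```

On a real keyring the listing would come from `gpg --list-keys --with-colons` instead of the constructed `SAMPLE` string.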
From cai.0407 at gmail.com Tue Jan 3 01:06:16 2023
From: cai.0407 at gmail.com (Kosuke Kaizuka)
Date: Tue, 3 Jan 2023 09:06:16 +0900
Subject: location of pubring.db
In-Reply-To: <87h6x9i5f6.fsf@wheatstone.g10code.de>
References: <9519b9e6-f176-9afe-2dfc-e2b6a45763c0@gmail.com> <87h6x9i5f6.fsf@wheatstone.g10code.de>
Message-ID: <18bb16cc-9239-6b9a-d2f8-666c34e9dc14@gmail.com>

On Mon, 02 Jan 2023 11:42:21 +0100, Werner Koch wrote:
> On Fri, 30 Dec 2022 19:48, Kosuke Kaizuka said:
>
>> keyring /path/to/pubring.db (does not work)
>>
>> "keyring" does not work any more with "use-keyboxd"?
>
> That is correct. The keyboxd uses a fixed location for its database and
> there may only be one. keyring has no effect as long as use-keyboxd is
> active - if that option is disabled the keyring option is used again.

I understood. Thanks for clarification.

--
Kosuke Kaizuka

From lawisking at gmail.com Tue Jan 3 23:25:58 2023
From: lawisking at gmail.com (K S)
Date: Tue, 3 Jan 2023 16:25:58 -0600
Subject: Difference between versions--Question
In-Reply-To: <5623161.DvuYhMxLoT@daneel>
References: <202211111406.42092.bernhard@intevation.de> <5623161.DvuYhMxLoT@daneel>
Message-ID:

It would be helpful to know why I can't get compression in my build. I've
tried to build from source three times now.

There are so many packages in Ubuntu with zip, zlib, and bzip2 in the name
I can't begin to try them all. I've looked at config.log and it doesn't
give much help.

Cheers

On Fri, Nov 11, 2022 at 8:38 AM Ingo Klöcker wrote:

> On Friday, 11 November 2022 14:06:34 CET Bernhard Reiter wrote:
> > On Friday 04 November 2022 13:55:58, K S via Gnupg-users wrote:
> > > How do I run configure to get the compression routines?
> >
> > check out the "config.log" or the output of your configure command run
> > to see if there are messages concerning compression libraries.
>
> It depends on your distribution what packages you need to install to get
> support for compression. Typically, those packages would be called
> something like zlib-devel, zip-devel, bzip2-devel, or similar.
>
> configure will very likely have told you that it didn't find zlib, zip and
> bzip2. Just running configure without looking at its output will allow you
> to build an application, but you may miss optional features like, in the
> case of gnupg, support for different types of compression.
>
> Regards,
> Ingo

From mortimer.hobart at gmail.com Wed Jan 4 01:19:33 2023
From: mortimer.hobart at gmail.com (mortimer.hobart at gmail.com)
Date: Tue, 3 Jan 2023 17:19:33 -0700
Subject: Outlook addon for gpg4win
In-Reply-To: <87h6x9i5f6.fsf@wheatstone.g10code.de>
References: <9519b9e6-f176-9afe-2dfc-e2b6a45763c0@gmail.com> <87h6x9i5f6.fsf@wheatstone.g10code.de>
Message-ID: <08a201d91fd2$5154de90$f3fe9bb0$@gmail.com>

Is it possible to install the GpG3Win addon for Outlook without
re-installing the whole Gpg4Win system?

From rjh at sixdemonbag.org Wed Jan 4 02:08:12 2023
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 3 Jan 2023 20:08:12 -0500
Subject: Difference between versions--Question
In-Reply-To:
References: <202211111406.42092.bernhard@intevation.de> <5623161.DvuYhMxLoT@daneel>
Message-ID:

> It would be helpful to know why I can't get compression in my build.
> I've tried to build from source three times now.

The answer is very simple: because you are building it incorrectly.

We can provide you with the answers, but we can't give you the software
development skills needed to correctly use the answers.

> There are so many packages in Ubuntu with zip, zlib, and bzip2 in the
> name I can't begin to try them all. I've looked at config.log and it
> doesn't give much help.

If you're unable to recognize which packages provide development headers
for common system libraries, that would be a sign your skill level is not
up to this task.

This isn't to say you shouldn't learn. Learning is good, even essential!
It's only to say the problem isn't with GnuPG.

From tmz at pobox.com Wed Jan 4 03:09:24 2023
From: tmz at pobox.com (Todd Zullinger)
Date: Tue, 3 Jan 2023 21:09:24 -0500
Subject: Difference between versions--Question
In-Reply-To:
References: <202211111406.42092.bernhard@intevation.de> <5623161.DvuYhMxLoT@daneel>
Message-ID:

K S via Gnupg-users wrote:
> It would be helpful to know why I can't get compression in my build. I've
> tried to build from source three times now.
>
> There are so many packages in Ubuntu with zip, zlib, and bzip2 in the name
> I can't begin to try them all. I've looked at config.log and it doesn't
> give much help.

The config.log should show some information about the
compression algorithms, likely found searching for "zip" in
the output.

Building from source does require a bit of familiarity with
the system on which you are building. While you shouldn't
need to randomly try all the packages, knowing where to look
for ideas will help.

I don't use Ubuntu or Debian, but if I were trying to build
gnupg from source I'd start by looking at what build
dependencies are required by the system packages.

In the case of gnupg, you can see that in the debian/control
file:

    https://salsa.debian.org/debian/gnupg2/-/blob/7f5e9b1b/debian/control#L9-43
    https://git.launchpad.net/ubuntu/+source/gnupg2/tree/debian/control#n10

You can install those build dependencies via something like:

    apt-get build-dep gnupg2

The debian/rules file is usually also interesting; seeing
what configure and make options are used can be helpful.

Some of the dependencies for the current gnupg may be newer
than what is required by the gnupg2 package in Ubuntu and/or
provided by the OS. You may first need to build those newer
dependencies.

If so, you need to be careful not to interfere with the OS
libraries which are used by other packages on the system.
It can get "interesting" trying to update something which is
quite a core dependency of the operating system.

--
Todd

From lawisking at gmail.com Wed Jan 4 04:38:52 2023
From: lawisking at gmail.com (K S)
Date: Tue, 3 Jan 2023 21:38:52 -0600
Subject: Difference between versions--Question
In-Reply-To:
References: <202211111406.42092.bernhard@intevation.de> <5623161.DvuYhMxLoT@daneel>
Message-ID:

Thank you!

kcs

On Tue, Jan 3, 2023 at 9:05 PM Todd Zullinger via Gnupg-users <gnupg-users at gnupg.org> wrote:

> K S via Gnupg-users wrote:
> > It would be helpful to know why I can't get compression in my build. I've
> > tried to build from source three times now.
> >
> > There are so many packages in Ubuntu with zip, zlib, and bzip2 in the name
> > I can't begin to try them all. I've looked at config.log and it doesn't
> > give much help.
>
> The config.log should show some information about the
> compression algorithms, likely found searching for "zip" in
> the output.
>
> Building from source does require a bit of familiarity with
> the system on which you are building. While you shouldn't
> need to randomly try all the packages, knowing where to look
> for ideas will help.
>
> I don't use Ubuntu or Debian, but if I were trying to build
> gnupg from source I'd start by looking at what build
> dependencies are required by the system packages.
>
> In the case of gnupg, you can see that in the debian/control
> file:
>
>     https://salsa.debian.org/debian/gnupg2/-/blob/7f5e9b1b/debian/control#L9-43
>     https://git.launchpad.net/ubuntu/+source/gnupg2/tree/debian/control#n10
>
> You can install those build dependencies via something like:
>
>     apt-get build-dep gnupg2
>
> The debian/rules file is usually also interesting; seeing
> what configure and make options are used can be helpful.
>
> Some of the dependencies for the current gnupg may be newer
> than what is required by the gnupg2 package in Ubuntu and/or
> provided by the OS. You may first need to build those newer
> dependencies.
>
> If so, you need to be careful not to interfere with the OS
> libraries which are used by other packages on the system.
> It can get "interesting" trying to update something which is
> quite a core dependency of the operating system.
>
> --
> Todd

From wk at gnupg.org Wed Jan 4 11:59:25 2023
From: wk at gnupg.org (Werner Koch)
Date: Wed, 04 Jan 2023 11:59:25 +0100
Subject: Outlook addon for gpg4win
In-Reply-To: <08a201d91fd2$5154de90$f3fe9bb0$@gmail.com> (mortimer hobart's message of "Tue, 3 Jan 2023 17:19:33 -0700")
References: <9519b9e6-f176-9afe-2dfc-e2b6a45763c0@gmail.com> <87h6x9i5f6.fsf@wheatstone.g10code.de> <08a201d91fd2$5154de90$f3fe9bb0$@gmail.com>
Message-ID: <87o7reftv6.fsf@wheatstone.g10code.de>

On Tue, 3 Jan 2023 17:19, mortimer.hobart at gmail.com said:
> Is it possible to install the GpG3Win addon for Outlook without
> re-installing the whole Gpg4Win system?

You need to update the entire Gpg4win. For security reasons you should
do this asap.

Salam-Shalom,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

From jackson at jacksonchen666.com Thu Jan 5 02:50:25 2023
From: jackson at jacksonchen666.com (Jackson Chen)
Date: Thu, 05 Jan 2023 01:50:25 +0000
Subject: Question about secret service integration and saved passphrases
Message-ID: <09348E78-8C18-4A64-9278-7FA6BA2DB075@jacksonchen666.com>

hi,

i had enabled KeePassXC secret service integration (some free desktop
standard). when i use my secret GPG/PGP keys, i get prompted by KeePassXC
to unlock the database (if locked). after unlocking the database, GPG goes
back to asking for the passphrase through pinentry.

the problem i have is that the pinentry program (pinentry-qt) does not have
a checkbox to save the passphrase, which is what i need to save the
passphrase into KeePassXC. is there a way to either save an entry for the
key's passphrase directly in KeePassXC, or indirectly through some pinentry
program or other way?

currently, pinentry-gtk2 is broken because of a missing library (namely
libgtk-x11).
my linux system runs the KDE desktop environment, so i guess it
makes sense why pinentry-gtk2 wouldn't work, but i'm not sure what package
to install (arch linux ARM).

thanks!

From kloecker at kde.org Thu Jan 5 13:51:33 2023
From: kloecker at kde.org (Ingo Klöcker)
Date: Thu, 05 Jan 2023 13:51:33 +0100
Subject: Question about secret service integration and saved passphrases
In-Reply-To: <09348E78-8C18-4A64-9278-7FA6BA2DB075@jacksonchen666.com>
References: <09348E78-8C18-4A64-9278-7FA6BA2DB075@jacksonchen666.com>
Message-ID: <3233697.aeNJFYEL58@daneel>

On Thursday, 5 January 2023 02:50:25 CET Jackson Chen via Gnupg-users wrote:
> i had enabled KeePassXC secret service integration (some free desktop
> standard). when i use my secret GPG/PGP keys, i get prompted by KeePassXC
> to unlock the database (if locked). after unlocking the database, GPG goes
> back to asking for the passphrase through pinentry.
>
> the problem i have is that the pinentry program (pinentry-qt) does not have
> a checkbox to save the passphrase, which is what i need to save the
> passphrase into KeePassXC. is there a way to either save an entry for the
> key's passphrase directly in KeePassXC, or indirectly through some pinentry
> program or other way?

I think there's a pinentry-gnome3 which supports saving passwords via the
secret service integration. It should work fine in KDE Plasma.

Searching the internet I found this link which might be helpful:
https://wiki.archlinux.org/title/GNOME/Keyring

Regards,
Ingo

From kloecker at kde.org Thu Jan 5 14:42:16 2023
From: kloecker at kde.org (Ingo Klöcker)
Date: Thu, 05 Jan 2023 14:42:16 +0100
Subject: Subkeys renewing/expiring strategy
In-Reply-To: <8171810.NyiUUSuA9g@daneel>
References: <8171810.NyiUUSuA9g@daneel>
Message-ID: <9071707.CDJkKcVGEf@daneel>

On Tuesday, 11 October 2022 19:44:19 CET Ingo Klöcker wrote:
> I'm going to experiment with 1-year-validity of the signing subkeys of my
> commit signing key. Since I use this key exclusively for commit signing, I
> can simply replace it with a completely different key if I change my mind.

Update: After the signing subkey expired, I have added a new subkey and
signed two commits with the new subkey.

In GitLab, I had to remove the old copy of the key before adding the new
copy. GitLab keeps the verification state if a key is removed, but I added
the updated key including the expired subkey. That was a bad idea because
GitLab invalidated all commits signed with the expired subkey.

To fix this I decided to extend the life time of the expired subkey and
forget about the new subkey. I uploaded an export of the updated key
*without* the new subkey to GitLab. After a day or so, GitLab has again
marked all my old signed commits as verified. And the two new commits are
still marked as verified (as GitLab promised).

Conclusion: Rotating signing subkeys isn't the best idea because you have
to take extra care when you update the keys in GitLab (and probably also in
GitHub, etc.). Simply generating completely new (signing) keys is easier.
Or you simply keep using your existing signing key (as I'm doing for now).

Regards,
Ingo

From tech at eden.one Thu Jan 5 15:42:29 2023
From: tech at eden.one (Jan Eden)
Date: Thu, 5 Jan 2023 15:42:29 +0100
Subject: Question about secret service integration and saved passphrases
In-Reply-To: <3233697.aeNJFYEL58@daneel>
References: <09348E78-8C18-4A64-9278-7FA6BA2DB075@jacksonchen666.com> <3233697.aeNJFYEL58@daneel>
Message-ID:

On 2023-01-05 13:51, Ingo Klöcker wrote:
> On Thursday, 5 January 2023 02:50:25 CET Jackson Chen via Gnupg-users wrote:
> > i had enabled KeePassXC secret service integration (some free desktop
> > standard). when i use my secret GPG/PGP keys, i get prompted by KeePassXC
> > to unlock the database (if locked). after unlocking the database, GPG goes
> > back to asking for the passphrase through pinentry.
> >
> > the problem i have is that the pinentry program (pinentry-qt) does not have
> > a checkbox to save the passphrase, which is what i need to save the
> > passphrase into KeePassXC. is there a way to either save an entry for the
> > key's passphrase directly in KeePassXC, or indirectly through some pinentry
> > program or other way?
>
> I think there's a pinentry-gnome3 which supports saving passwords via the
> secret service integration. It should work fine in KDE Plasma.
>
> Searching the internet I found this link which might be helpful:
> https://wiki.archlinux.org/title/GNOME/Keyring

I can confirm that pinentry-gnome3 works well with seahorse in Ubuntu
22.04.

- Jan

From bernhard at intevation.de Fri Jan 6 14:42:23 2023
From: bernhard at intevation.de (Bernhard Reiter)
Date: Fri, 6 Jan 2023 14:42:23 +0100
Subject: Reminder: use plaintext mails only on ML
In-Reply-To:
References:
Message-ID: <202301061442.31481.bernhard@intevation.de>

Friends of GnuPG,
a happy new year to all of you!

Now I am taking Andrew (hi) as an example to send a reminder
why using text/plain format only mails is a good idea
on this (and other mailing lists).

On Saturday 17 December 2022 19:54:39, Andrew Gallagher via Gnupg-users wrote:
> I've been

Because HTML can have a lot of active contents, a number of people I know
sanitize emails that have text/html parts. Some ignore such emails
completely. In the past I know that Werner ignored (most) emails with
text/html.

There are more advantages to text/plain mails:
* people can better choose how their email client is displaying
  the contents, for instance the font size and color.
* it saves energy because of less bytes transmitted and backed up
  (and indexed, archived and searched).

Best Regards,
Bernhard

ps. On a general remark, I believe there is a productivity gap between
people that use full fledged and customised email clients to those with
only web and mobile clients. As email is one of the working decentralised
communication solutions, I think we should value it more and thus help
people to learn about the productivity of an email client that they can
fully control (on their hardware) and customize to have one unified
interface to several communities.

--
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter

From andrewg at andrewg.com Fri Jan 6 16:13:28 2023
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Fri, 6 Jan 2023 15:13:28 +0000
Subject: Reminder: use plaintext mails only on ML
In-Reply-To: <202301061442.31481.bernhard@intevation.de>
References: <202301061442.31481.bernhard@intevation.de>
Message-ID: <26bdbcb5-4a4f-c5f3-dcd1-dc639cd32274@andrewg.com>

On 06/01/2023 13:42, Bernhard Reiter wrote:
> Friends of GnuPG,
> a happy new year to all of you!

Happy New Year!

> Now I am taking Andrew (hi) as an example

Oh dear...!

> to send a reminder
> why using text/plain format only mails is a good idea
> on this (and other mailing lists).
>
> On Saturday 17 December 2022 19:54:39, Andrew Gallagher via Gnupg-users wrote:
>> I've been

Argh, that will teach me not to reply to list emails from my phone.

Sorry, everyone. :-(

A

From andrewg at andrewg.com Fri Jan 6 16:47:57 2023
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Fri, 6 Jan 2023 15:47:57 +0000
Subject: Subkeys renewing/expiring strategy
In-Reply-To: <9071707.CDJkKcVGEf@daneel>
References: <8171810.NyiUUSuA9g@daneel> <9071707.CDJkKcVGEf@daneel>
Message-ID:

On 5 Jan 2023, at 13:42, Ingo Klöcker wrote:
>
> GitLab keeps the verification state if a
> key is removed, but I added the updated key including the expired subkey. That
> was a bad idea because GitLab invalidated all commits signed with the expired
> subkey.

It is disappointing to see that major projects still have trouble
implementing signature verification correctly. The rules are not trivial,
but they are important to accurately convey the intent of the signer.

Is there an implementers guide anywhere for how to calculate sig validity?
There are plenty for users but none for developers that I can see.
The details are distributed across various parts of the RFCs (expiry,
revocation, etc.), so perhaps a wiki page to consolidate them (and other
relevant arcane knowledge) would be helpful, so that we could point
implementers at it and tap the sign.

A

From ralph at ml.seichter.de Tue Jan 10 00:47:08 2023
From: ralph at ml.seichter.de (Ralph Seichter)
Date: Tue, 10 Jan 2023 00:47:08 +0100
Subject: [Announce] GnuPG for OS X 2.4.0 released
Message-ID: <87fscjuv7n.fsf@ra.horus-it.com>

GnuPG for OS X / macOS release 2.4.0 is now available for download via
https://sourceforge.net/p/gpgosx/docu/Download/ . It took me longer than
usual to provide this release, because I ran into build problems. I also
spent several weeks in hospitals over the last couple of months, and I
am still not well today, so I hope you can forgive the delay. ;-)

The disk image signature key is available via public keyservers, and it
can also be downloaded from https://www.seichter.de/pgp/gpgosx-signing.asc .

  pub   ed25519/FD56297D9833FF7F 2022-07-07 [SC] [expires: 2027-07-06]
        Key fingerprint = EAB0 FE4F F793 D9E7 028E C8E2 FD56 297D 9833 FF7F
  uid   [ultimate] Ralph Seichter (GnuPG for OS X signing key)

GnuPG 2.4.x is installed in /usr/local/gnupg-2.4 instead of the formerly
hardcoded directory /usr/local/gnupg-2.2. This enables installing both
stable and LTS releases of GnuPG for OS X side by side, for advanced
users' needs. The one caveat is that the latest installation will replace
existing soft links in /usr/local/{bin,lib}. Please use absolute paths
like /usr/local/gnupg-2.2/bin/gpg2 if necessary.

Enjoy.

-Ralph

From bernhard at intevation.de Wed Jan 11 09:14:03 2023
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 11 Jan 2023 09:14:03 +0100
Subject: [Announce] GnuPG for OS X 2.4.0 released
In-Reply-To: <87fscjuv7n.fsf@ra.horus-it.com>
References: <87fscjuv7n.fsf@ra.horus-it.com>
Message-ID: <202301110914.04039.bernhard@intevation.de>

On Tuesday 10 January 2023 00:47:08, Ralph Seichter via Gnupg-users wrote:
> GnuPG for OS X / macOS release 2.4.0 is now available for download via
> https://sourceforge.net/p/gpgosx/docu/Download/ .

Cool, Ralph!

> It took me longer than
> usual to provide this release, because I ran into build problems. I also
> spent several weeks in hospitals over the last couple of months, and I
> am still not well today, so I hope you can forgive the delay. ;-)

All the best wishes for your health in the new year!

Bernhard

--
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter

From christoph.klassen at intevation.de Sun Jan 15 10:52:23 2023
From: christoph.klassen at intevation.de (Christoph Klassen)
Date: Sun, 15 Jan 2023 10:52:23 +0100
Subject: En-/Decryption speed for large files (GnuPG and Gpg4win)
Message-ID: <48c68b4f-398b-3f35-1ea1-f8663f993434@intevation.de>

Hello,

I was testing the encryption and decryption with "pure" GnuPG and Gpg4win
to compare the speed of them. What I also wanted to find out is how long it
takes to en-/decrypt larger files.

Some details of the environment for the test:
* Windows 10
* Gpg4win 4.0.3
* CPU: Intel i5-6500 @3,20 GHz
* RAM: 16 GB
* Storage: SSD

To test the speed I created files of different sizes with a Python script
where I used the method os.urandom() to fill the files.
GnuPG was running in the PowerShell and I measured the time by using the
command "Measure-Command". To measure the time that Gpg4win needed I used a
stopwatch.

First part of the test was the encryption of the files. To test GnuPG I
used the command "gpg -r test --encrypt ./test_file". To encrypt with
Gpg4win I used the entry "Encrypt" of the GpgEX context menu in the file
explorer.

Results of encryption:

Size  | GnuPG           | Gpg4win
1GB   | 38 sec.         | 1 min. 8 sec.
1GB   | 37 sec.         | 1 min. 7 sec.
2GB   | 1 min. 14 sec.  | 2 min. 15 sec.
2GB   | 1 min. 14 sec.  | 2 min. 14 sec.
5GB   | 3 min. 10 sec.  | 6 min. 10 sec.
5GB   | 3 min. 6 sec.   | 5 min. 34 sec.
10GB  | 6 min. 28 sec.  | 11 min. 21 sec.
10GB  | 6 min. 21 sec.  | 11 min. 6 sec.

To decrypt the files I used the entry "Decrypt" of the GpgEX context menu
in the file explorer for Gpg4win and for GnuPG I used the command
"gpg --output test_file --decrypt test_file.gpg".

Results of decryption:

Size  | GnuPG          | Gpg4win
1GB   | 3 sec.         | 36 sec.
1GB   | 3 sec.         | 34 sec.
2GB   | 10 sec.        | 1 min. 13 sec.
2GB   | 7 sec.         | 1 min. 12 sec.
5GB   | 22 sec.        | 3 min. 1 sec.
5GB   | 19 sec.        | 3 min. 2 sec.
10GB  | 1 min. 3 sec.  | 5 min. 52 sec.
10GB  | 1 min. 7 sec.  | 6 min. 5 sec.

One insight of this test is that Gpg4win needs around two times longer for
encryption. For decryption the difference is much bigger.

When I was testing the decryption I also tried "gpg --decrypt
test_file.gpg" (without output file) with the 10 GB file and it took 8
minutes and 47 seconds. I was wondering why it took longer when GnuPG
didn't need to create an output file.

Did someone of you also try to en-/decrypt larger files? Maybe even files
that are larger than 1 TB? It would be really nice to know how long GnuPG
and Gpg4win are busy with such large files.
With regards,

Christoph

-- 
Christoph Klassen | https://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HRB 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter

From ming at imkuang.com  Sun Jan 15 16:14:09 2023
From: ming at imkuang.com (Ming Kuang)
Date: Sun, 15 Jan 2023 23:14:09 +0800
Subject: En-/Decryption speed for large files (GnuPG and Gpg4win)
In-Reply-To: <48c68b4f-398b-3f35-1ea1-f8663f993434@intevation.de>
References: <48c68b4f-398b-3f35-1ea1-f8663f993434@intevation.de>
Message-ID: <000b01d928f4$0669f980$133dec80$@imkuang.com>

On Sunday, January 15, 2023 5:52 PM, Christoph Klassen wrote:
> When I was testing the decryption I also tried "gpg --decrypt
> test_file.gpg" (without output file) with the 10 GB file and it took 8
> minutes and 47 seconds. I was wondering why it took longer when GnuPG
> didn't need to create an output file.

As far as I know, outputting text to the screen (like printf) is a very time consuming operation, it will block you until all printing is complete.

gpg --decrypt test_file.gpg without output file will print all the decrypted contents on the screen, which may be the reason why it takes so long.

From angel at pgp.16bits.net  Mon Jan 16 02:01:39 2023
From: angel at pgp.16bits.net (Ángel)
Date: Mon, 16 Jan 2023 02:01:39 +0100
Subject: En-/Decryption speed for large files (GnuPG and Gpg4win)
In-Reply-To: <000b01d928f4$0669f980$133dec80$@imkuang.com>
References: <48c68b4f-398b-3f35-1ea1-f8663f993434@intevation.de> <000b01d928f4$0669f980$133dec80$@imkuang.com>
Message-ID: <977ee36911aa151ee8d14c48fb5b91adafb6334c.camel@16bits.net>

On 2023-01-15 at 23:14 +0800, Ming Kuang via Gnupg-users wrote:
> On Sunday, January 15, 2023 5:52 PM, Christoph Klassen wrote:
> > When I was testing the decryption I also tried "gpg --decrypt
> > test_file.gpg" (without output file) with the 10 GB file and it took 8
> > minutes and 47 seconds. I was wondering why it took longer when GnuPG
> > didn't need to create an output file.
>
> As far as I know, outputting text to the screen (like printf) is a very time
> consuming operation, it will block you until all printing is complete.
>
> gpg --decrypt test_file.gpg without output file will print all the decrypted
> contents on the screen, which may be the reason why it takes so long.

Generally speaking, I wouldn't consider printing to the screen "very expensive" (i.e. print if you need to), but if you need to output a lot of text, the other side (the terminal) will need to process and draw it into the screen (think on it as a pipe), which will be slow with lots of text or extremely long lines. Moreover, in Windows it will be processed to convert LF into CRLF, and then moved into the Terminal subsystem.

For any test like this where you are not going to process the output (e.g. to compare it) I would recommend writing into the null device (/dev/null in *nix, nul in Windows).

Also, when measuring encryption make sure it is not trying to use compression (based on the preferences of your test key).
The time spent by the compressor on your uncompressible files would be just an unneeded source of variation.

Regards

From wk at gnupg.org  Sun Jan 15 17:03:38 2023
From: wk at gnupg.org (Werner Koch)
Date: Sun, 15 Jan 2023 17:03:38 +0100
Subject: En-/Decryption speed for large files (GnuPG and Gpg4win)
In-Reply-To: <48c68b4f-398b-3f35-1ea1-f8663f993434@intevation.de> (Christoph Klassen's message of "Sun, 15 Jan 2023 10:52:23 +0100")
References: <48c68b4f-398b-3f35-1ea1-f8663f993434@intevation.de>
Message-ID: <87a62jaip1.fsf@wheatstone.g10code.de>

On Sun, 15 Jan 2023 10:52, Christoph Klassen said:

> When I was testing the decryption I also tried "gpg --decrypt
> test_file.gpg" (without output file) with the 10 GB file and it took 8
> minutes and 47 seconds. I was wondering why it took longer when GnuPG
> didn't need to create an output file.

Because you sent the output to the console. This is of course slow.

BTW, Do not use gpg4win 4.0.3 - it has a known vulnerability. Use gpg4win 4.1.0. This will also change the numbers because we improved some things in gpg.

Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that refuse military service. - A. Einstein

From vollkorn at cryptobitch.de  Mon Jan 16 07:55:08 2023
From: vollkorn at cryptobitch.de (Jan Girlich)
Date: Mon, 16 Jan 2023 07:55:08 +0100
Subject: Multithreading with GPGME Python Bindings
Message-ID: <4d11a4445a334463d67a08f96b1dc4a6cb879914.camel@cryptobitch.de>

Hi,

I want to use the GPGME Python bindings in a concurrent way.

In the documentation of the Python bindings at http://files.au.adversary.org/crypto/gpgme-python-howto.html I find no mention of multithreading.
In the GPGME documentation at https://www.gnupg.org/documentation/manuals/gpgme/Multi_002dThreading.html#Multi_002dThreading I find the note, that I need to call "gpgme_check_version" before doing any multithreaded operations.

Then again I find only this section about version checking in the Python binding's documentation: http://files.au.adversary.org/crypto/gpgme-python-howto.html#gpgme-version-check
In this section the version check is done via a subprocess call to "gpgme-config --version".

Is the call to "gpgme_check_version" maybe done implicitly by the Python bindings?

Do I have to call "gpgme-config --version" before to safely do multithreaded operations with the Python bindings?

Thank you for any insights,
Jan

From ming at imkuang.com  Mon Jan 16 15:09:27 2023
From: ming at imkuang.com (Ming Kuang)
Date: Mon, 16 Jan 2023 22:09:27 +0800
Subject: En-/Decryption speed for large files (GnuPG and Gpg4win)
In-Reply-To: <977ee36911aa151ee8d14c48fb5b91adafb6334c.camel@16bits.net>
References: <48c68b4f-398b-3f35-1ea1-f8663f993434@intevation.de> <000b01d928f4$0669f980$133dec80$@imkuang.com> <977ee36911aa151ee8d14c48fb5b91adafb6334c.camel@16bits.net>
Message-ID: <001c01d929b4$2704ac10$750e0430$@imkuang.com>

On Monday, January 16, 2023 9:02 AM, Ángel wrote:
> On 2023-01-15 at 23:14 +0800, Ming Kuang via Gnupg-users wrote:
> > On Sunday, January 15, 2023 5:52 PM, Christoph Klassen wrote:
> > > When I was testing the decryption I also tried "gpg --decrypt
> > > test_file.gpg" (without output file) with the 10 GB file and it took 8
> > > minutes and 47 seconds. I was wondering why it took longer when GnuPG
> > > didn't need to create an output file.
> >
> > As far as I know, outputting text to the screen (like printf) is a very time
> > consuming operation, it will block you until all printing is complete.
> >
> > gpg --decrypt test_file.gpg without output file will print all the decrypted
> > contents on the screen, which may be the reason why it takes so long.
>
> Generally speaking, I wouldn't consider printing to the screen "very
> expensive" (i.e. print if you need to), but if you need to output a lot
> of text, the other side (the terminal) will need to process and draw it
> into the screen (think on it as a pipe), which will be slow with lots
> of text or extremely long lines. Moreover, in Windows it will be
> processed to convert LF into CRLF, and then moved into the Terminal
> subsystem.

You are right, my reply might be a bit misleading, what really takes time is the operation of drawing content to the terminal, if the application tries to print but you don't let it display on the screen (e.g. redirecting output to a file or /dev/null), the time consumption will not be a problem.

From christoph.klassen at intevation.de  Mon Jan 16 16:47:54 2023
From: christoph.klassen at intevation.de (Christoph Klassen)
Date: Mon, 16 Jan 2023 16:47:54 +0100
Subject: En-/Decryption speed for large files (GnuPG and Gpg4win)
In-Reply-To: <000b01d928f4$0669f980$133dec80$@imkuang.com>
References: <48c68b4f-398b-3f35-1ea1-f8663f993434@intevation.de> <000b01d928f4$0669f980$133dec80$@imkuang.com>
Message-ID: <2a9e7405-ac55-9414-2afb-ed83d493ca99@intevation.de>

Thanks for your replies!

On 15.01.23 16:14, Ming Kuang wrote:
> gpg --decrypt test_file.gpg without output file will print all the decrypted
> contents on the screen, which may be the reason why it takes so long.

For some reason in that test gpg didn't output anything or at least the PowerShell didn't show anything.

On 15.01.23 17:03, Werner Koch wrote:
> BTW, Do not use gpg4win 4.0.3 - it has a known vulnerability. Use
> gpg4win 4.1.0. This will also change the numbers because we improved
> some things in gpg.

Don't worry, the system is mostly offline ;-) When I will give it access to the internet again I will update Gpg4win. Anyway, great to hear that the current version is faster than 4.0.3.

On 16.01.23 02:01, Ángel wrote:
> For any test like this where you are not going to process the output
> (e.g. to compare it) I would recommend writing into the null device
> (/dev/null in *nix, nul in Windows).

I wanted to create an output file because I wanted to see how GnuPG would behave in a real scenario :)

> Also, when measuring encryption make sure it is not trying to use
> compression (based on the preferences of your test key). The time spent
> by the compressor on your uncompressible files would be just an
> unneeded source of variation.

Thanks for the hint! I will try it with disabled compression.

With regards,

Christoph

-- 
Christoph Klassen | https://intevation.de
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter

From list-gnupg at reml.org  Mon Jan 16 16:56:58 2023
From: list-gnupg at reml.org (Troy)
Date: Mon, 16 Jan 2023 07:56:58 -0800
Subject: How to make remote gpg talk to specific Unix socket (for forwarded local gpg-agent)
Message-ID: 

Hi, I was wondering if you could give me a pointer. I'm ssh'ing to a machine where I'm trying to run gpg, which I hope to talk to the gpg-agent that's running on my local laptop, forwarded through ssh. I'm following the instructions at https://wiki.gnupg.org/AgentForwarding but I don't know how to make gpg use a specific Unix socket to communicate with my forwarded gpg-agent.

The problem is that there's already a gpg-agent running at the remote (I think started by systemd or the X server), which I don't want to disturb.
For my ssh connection, I try to create a new Unix domain socket by using

    ssh -R /run/user/1000/gnupg/S.gpg-agent.remote:/Users/troy/.gnupg/S.gpg-agent.extra -o StreamLocalBindUnlink=yes -o ExitOnForwardFailure=yes

But then how do I make gpg use /run/user/1000/gnupg/S.gpg-agent.remote ? It seems that gpg uses gpgconf to figure out that path. And there's no flag or envvar that I can use to override that (anymore).

The only thing I can think of is to specify a new --homedir so that the socket is created elsewhere, and then I'd have to change the port forwarding to reflect the dynamically-generated path which will look something like /run/user/1000/gnupg/d.xhmoxiusfxtwuy8s69hkyxtc . So either I have to do two separate ssh calls or I have to use an expect script to automate the addition of port forwarding on an existing session. Plus, now the homedir is different and all my files are in the wrong place.

I hope I'm missing something obvious. Thanks for any ideas.

I'm using:
- Ubuntu 22.04.1 LTS
- gpg (GnuPG) 2.2.27
- OpenSSH_8.9p1 Ubuntu-3ubuntu0.1, OpenSSL 3.0.2 15 Mar 2022

Troy

From rjh at sixdemonbag.org  Mon Jan 16 17:53:38 2023
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 16 Jan 2023 11:53:38 -0500
Subject: Multithreading with GPGME Python Bindings
In-Reply-To: <4d11a4445a334463d67a08f96b1dc4a6cb879914.camel@cryptobitch.de>
Message-ID: <37cce2ec-308e-4382-b99b-c707d0ad03ba@email.android.com>

An HTML attachment was scrubbed...

From vollkorn at cryptobitch.de  Mon Jan 16 20:13:07 2023
From: vollkorn at cryptobitch.de (Jan Girlich)
Date: Mon, 16 Jan 2023 20:13:07 +0100
Subject: Multithreading with GPGME Python Bindings
In-Reply-To: <37cce2ec-308e-4382-b99b-c707d0ad03ba@email.android.com>
References: <37cce2ec-308e-4382-b99b-c707d0ad03ba@email.android.com>
Message-ID: <3a24203ce05dcd2f5d57edf3c62b4149d0cc9ffe.camel@cryptobitch.de>

Hi Robert,

On Mon, 2023-01-16 at 11:53 -0500, Robert J. Hansen wrote:
> I don't have an immediate answer for you I'd suggest starting by
> learning how Python's multi-threading support is more smoke and
> mirrors than reality. That may lead you to an answer to your
> question.

you seem to be quite new to the topic of Python and multi-threading, so let me give you the relevant basics relating to my question.

Yes, the GIL is making cPython thread-safe and thus blocking threads. But only when processing Python bytecode. When an external operation runs, like gnupg encrypting something or I/O operations, the GIL is released and another thread can run. So multi-threading computationally intensive gnupg operations can have performance improvements.

Also, the GIL is no issue with multi-processing, which is the constructive answer I prefer to "GIL is a problem", instead of "smoke and mirrors". I can recommend https://superfastpython.com/multiprocessing-pool-gil/ on this topic.

Thank you,
Jan

>
> On Jan 16, 2023 1:55 AM, Jan Girlich wrote:
> > Hi,
> >
> > I want to use the GPGME Python bindings in a concurrent way.
> >
> > In the documentation of the Python bindings at
> > http://files.au.adversary.org/crypto/gpgme-python-howto.html I find
> > no
> > mention of multithreading.
> >
> > In the GPGME documentation at
> > https://www.gnupg.org/documentation/manuals/gpgme/Multi_002dThreading.html#Multi_002dThreading
> > I find the note, that I need to call "gpgme_check_version" before
> > doing
> > any multithreaded operations.
> >
> > Then again I find only this section about version checking in the
> > Python binding's documentation:
> > http://files.au.adversary.org/crypto/gpgme-python-howto.html#gpgme-version-check
> > In this section the version check is done via a subprocess call to
> > "gpgme-config --version".
> >
> > Is the call to "gpgme_check_version" maybe done implicitly by the
> > Python bindings?
> >
> > Do I have to call "gpgme-config --version" before to safely do
> > multithreaded operations with the Python bindings?
> >
> > Thank you for any insights,
> > Jan
> >
> > _______________________________________________
> > Gnupg-users mailing list
> > Gnupg-users at gnupg.org
> > https://lists.gnupg.org/mailman/listinfo/gnupg-users
> >
>
> (Please forgive the HTML email, sending from my phone)
>
> Given Python is effectively single-threaded through the global
> interpreter lock, this may turn out to be a total non-issue. Although
> I don't have an immediate answer for you I'd suggest starting by
> learning how Python's multi-threading support is more smoke and
> mirrors than reality. That may lead you to an answer to your
> question.
>
> On Jan 16, 2023 1:55 AM, Jan Girlich wrote:
> > Hi,
> >
> > I want to use the GPGME Python bindings in a concurrent way.
> >
> > In the documentation of the Python bindings at
> > http://files.au.adversary.org/crypto/gpgme-python-howto.html I find
> > no
> > mention of multithreading.
> >
> > In the GPGME documentation at
> > https://www.gnupg.org/documentation/manuals/gpgme/Multi_002dThreading.html#Multi_002dThreading
> > I find the note, that I need to call "gpgme_check_version" before
> > doing
> > any multithreaded operations.
> >
> > Then again I find only this section about version checking in the
> > Python binding's documentation:
> > http://files.au.adversary.org/crypto/gpgme-python-howto.html#gpgme-version-check
> > In this section the version check is done via a subprocess call to
> > "gpgme-config --version".
> >
> > Is the call to "gpgme_check_version" maybe done implicitly by the
> > Python bindings?
> >
> > Do I have to call "gpgme-config --version" before to safely do
> > multithreaded operations with the Python bindings?
> >
> > Thank you for any insights,
> > Jan
> >
> > _______________________________________________
> > Gnupg-users mailing list
> > Gnupg-users at gnupg.org
> > https://lists.gnupg.org/mailman/listinfo/gnupg-users
> >
>

From wk at gnupg.org  Tue Jan 17 10:54:28 2023
From: wk at gnupg.org (Werner Koch)
Date: Tue, 17 Jan 2023 10:54:28 +0100
Subject: Multithreading with GPGME Python Bindings
In-Reply-To: <4d11a4445a334463d67a08f96b1dc4a6cb879914.camel@cryptobitch.de> (Jan Girlich's message of "Mon, 16 Jan 2023 07:55:08 +0100")
References: <4d11a4445a334463d67a08f96b1dc4a6cb879914.camel@cryptobitch.de>
Message-ID: <8735898p0r.fsf@wheatstone.g10code.de>

On Mon, 16 Jan 2023 07:55, Jan Girlich said:

> Is the call to "gpgme_check_version" maybe done implicitly by the
> Python bindings?

Yes. See gpgme/lang/python/src/core.py

  # check_version also makes sure that several subsystems are properly
  # initialized, and it must be run at least once before invoking any
  # other function. We do it here so that the user does not have to do
  # it unless she really wants to check for a certain version.
  check_version()

> Do I have to call "gpgme-config --version" before to safely do

No, this is a helper to compile against gpgme - it returns suggested compiler and linker flags.

Make sure that one context object is only used by one thread at a time.

Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
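
Added example (not part of the thread and not code from GPGME or its Python bindings): one way to follow the rule in the reply above, that a context object is used by only one thread at a time, is to give every worker thread its own gpg.Context. The helper names and the worker-pool layout are assumptions made for this illustration; the gpg module is imported lazily, which is also when the bindings run check_version().

```python
import threading
from concurrent.futures import ThreadPoolExecutor

# Attributes stored on a threading.local are private to the thread that set them.
thread_state = threading.local()


def new_gpgme_context():
    """Create a fresh GPGME context for the calling thread."""
    import gpg  # lazy import: this module loads even without the bindings
    return gpg.Context(armor=True)


def thread_context(factory=new_gpgme_context):
    """Return the calling thread's own context, creating it on first use."""
    ctx = getattr(thread_state, "ctx", None)
    if ctx is None:
        ctx = factory()
        thread_state.ctx = ctx
    return ctx


def encrypt_one(plaintext, recipient, factory=new_gpgme_context):
    """Encrypt bytes to `recipient` using only this thread's context."""
    ctx = thread_context(factory)
    keys = list(ctx.keylist(pattern=recipient))
    if not keys:
        raise LookupError(f"no public key matches {recipient!r}")
    ciphertext, _result, _sign_result = ctx.encrypt(
        plaintext, recipients=keys, sign=False)
    return ciphertext


def encrypt_many(plaintexts, recipient, workers=4, factory=new_gpgme_context):
    """Encrypt several messages in parallel; no context crosses a thread."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        # pool.map keeps the input order in its results.
        return list(pool.map(
            lambda data: encrypt_one(data, recipient, factory), plaintexts))


if __name__ == "__main__":
    # Needs the gpg bindings and a public key matching "test" in the keyring.
    for blob in encrypt_many([b"one", b"two", b"three"], "test"):
        print(blob.decode("ascii").splitlines()[0])
```

The `factory` parameter exists so the thread-ownership logic can be exercised with a stand-in context class on a machine that has no keyring.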

From wk at gnupg.org  Tue Jan 17 10:56:51 2023
From: wk at gnupg.org (Werner Koch)
Date: Tue, 17 Jan 2023 10:56:51 +0100
Subject: En-/Decryption speed for large files (GnuPG and Gpg4win)
In-Reply-To: <2a9e7405-ac55-9414-2afb-ed83d493ca99@intevation.de> (Christoph Klassen's message of "Mon, 16 Jan 2023 16:47:54 +0100")
References: <48c68b4f-398b-3f35-1ea1-f8663f993434@intevation.de> <000b01d928f4$0669f980$133dec80$@imkuang.com> <2a9e7405-ac55-9414-2afb-ed83d493ca99@intevation.de>
Message-ID: <87y1q17acc.fsf@wheatstone.g10code.de>

On Mon, 16 Jan 2023 16:47, Christoph Klassen said:

> For some reason in that test gpg didn't output anything or at least
> the PowerShell didn't show anything.

Powershell and stdout and stderr are a bit problematic. I can't remember the details so I usually stick to cmd.exe or run tools directly via ssh from a Unix shell.

Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that refuse military service. - A. Einstein

From wk at gnupg.org  Tue Jan 17 11:10:12 2023
From: wk at gnupg.org (Werner Koch)
Date: Tue, 17 Jan 2023 11:10:12 +0100
Subject: How to make remote gpg talk to specific Unix socket (for forwarded local gpg-agent)
In-Reply-To: (Troy's message of "Mon, 16 Jan 2023 07:56:58 -0800")
References: 
Message-ID: <87tu0p79q3.fsf@wheatstone.g10code.de>

On Mon, 16 Jan 2023 07:56, Troy said:

> The problem is that there's already a gpg-agent running at the remote
> (I think started by systemd or the X server), which I don't want to
> disturb. For my ssh connection, I try to create a new Unix domain

Don't run the gpg-agent for your account.
I put

  no-autostart

into ~/.gnupg/common.conf to avoid that any tools on the remote start the gpg-agent. Of course you need to disable the systemd stuff to autostart gpg-agent - using systemd for autostart is deprecated because it creates races.

iirc, the wiki says that you should put

  StreamLocalBindUnlink yes

into the sshd_config. I prefer to manually delete the socket using

  ssh remote "rm $(gpgconf -L agent-socket)"

if the connection does not work. I have this in ~/.ssh/config

  Host remote
  RemoteForward /run/user/1042/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent.extra

(1042 is my uid on remote). Then you just need to "ssh remote"

> - gpg (GnuPG) 2.2.27

Well, the single common option no-autostart is only available in stable (since 2.3.8)

Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that refuse military service. - A. Einstein

From aheinecke at gnupg.org  Tue Jan 17 13:08:18 2023
From: aheinecke at gnupg.org (Andre Heinecke)
Date: Tue, 17 Jan 2023 13:08:18 +0100
Subject: En-/Decryption speed for large files (GnuPG and Gpg4win)
In-Reply-To: <48c68b4f-398b-3f35-1ea1-f8663f993434@intevation.de>
References: <48c68b4f-398b-3f35-1ea1-f8663f993434@intevation.de>
Message-ID: <3481012.iIbC2pHGDl@teutates>

Hi,

On Sunday 15 January 2023 10:52:23 CET Christoph Klassen wrote:
> When I was testing the decryption I also tried "gpg --decrypt
> test_file.gpg" (without output file) with the 10 GB file and it took 8
> minutes and 47 seconds. I was wondering why it took longer when GnuPG
> didn't need to create an output file.

Yes that is expected. Gpg encrypt and decrypt with AES should be mostly IO Bound as with AES-NI instructions it is really fast in the CPU. So not writing the output to disk will result in faster operations.
And one of the biggest differences you get is when you encrypt / decrypt on a faster disk.

Another big difference what you will see in the performance of GnuPG is if you use -z 0 which disables compression. Currently GnuPG on the command line disables compression when the input file name already looks compressed depending on the file name. We want to improve that, especially since Kleopatra hands the filename only in a way that is not used in that compression calculation. E.g. Adding Media data formats there might already help in a lot of use cases. For incompressible output, like random data, this will make the largest difference. You can put "compress-level 0" into your gpg.conf to cause Kleopatra to also use that.

That issue is: https://dev.gnupg.org/T6332 If you could do a run of your tests and comment in that issue with the results that would be helpful.

It does not surprise me that Kleopatra is much slower. Due to our Architecture Kleopatra passes Data, through GPGME directly to GnuPG. This results in additional overhead but gives us more flexibility what kind of data we encrypt / decrypt. E.g. a mail or something that is not even written on the File system.

For some parts we want to change that. Most notably Ingo is currently working on Gpgtar. Gpgtar can nowadays directly encrypt / decrypt so there is no need to pipe the input / output of GnuPG to or from GpgTar. Using GpgTar directly should help a lot when working with larger Archives. https://dev.gnupg.org/T5478

We also already increased the buffer size in GPGME to reduce the number of callbacks we do internally but there can be more optimization there.

Currently our recommendation for Large Data is to use the command line directly, which will always be fastest as there is no overhead.

> Did someone of you also try to en-/decrypt larger files? Maybe even
> files that are larger than 1 TB? It would be really nice to know how
> long GnuPG and Gpg4win are busy with such large files.

I think my largest tests were around 40GB. But I don't have the numbers anymore, the testing I did there was mostly because there were reports that Kleopatra crashes on such large files.

Maybe you can open a ticket for this with a reference to https://dev.gnupg.org/T5478 about performance problems when decrypting / encrypting large files (In contrast to archives.)

Best Regards,
Andre

P.S. we are currently also looking at the startup / initial keycache building time of Kleopatra. This might also be interesting for those looking at Kleo performance. https://dev.gnupg.org/T6259

-- 
GnuPG.com - a brand of g10 Code, the GnuPG experts.

g10 Code GmbH, Erkrath/Germany, AG Wuppertal HRB14459
GF Werner Koch, USt-Id DE215605608, www.g10code.com.

GnuPG e.V., Rochusstr. 44, D-40479 Düsseldorf. VR 11482 Düsseldorf
Vorstand: W.Koch, B.Reiter, A.Heinecke Mail: board at gnupg.org
Finanzamt D-Altstadt, St-Nr: 103/5923/1779. Tel: +49-211-28010702

From bernhard at intevation.de  Tue Jan 17 14:40:12 2023
From: bernhard at intevation.de (Bernhard Reiter)
Date: Tue, 17 Jan 2023 14:40:12 +0100
Subject: switching off compression (was: En-/Decryption speed for large files (GnuPG and Gpg4win))
In-Reply-To: <3481012.iIbC2pHGDl@teutates>
References: <48c68b4f-398b-3f35-1ea1-f8663f993434@intevation.de> <3481012.iIbC2pHGDl@teutates>
Message-ID: <202301171440.21232.bernhard@intevation.de>

On Tuesday 17 January 2023 13:08:18, Andre Heinecke via Gnupg-users wrote:
> Another big difference what you will see in the performance of GnuPG is if
> you use -z 0 which disables compression.

According to the GnuPG documentation (2.4.0)
https://gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html#index-compress_002dlevel
'-z 0' is equivalent to the following long options '--compress-level 0 --bzip2-compress-level 0' yes, both have to be given.

> You can put "compress-level 0" into
> your gpg.conf to cause Kleopatra to also use that.

Would not be enough to disable bzip2 encryption (according to the documentation). Looking at
https://gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html#index-compress_002dalgo
what shall work with just one option is `compress-algo uncompressed`

Best,
Bernhard

-- 
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter

From christoph.klassen at intevation.de  Tue Jan 17 17:14:35 2023
From: christoph.klassen at intevation.de (Christoph Klassen)
Date: Tue, 17 Jan 2023 17:14:35 +0100
Subject: En-/Decryption speed for large files (GnuPG and Gpg4win)
In-Reply-To: <3481012.iIbC2pHGDl@teutates>
References: <48c68b4f-398b-3f35-1ea1-f8663f993434@intevation.de> <3481012.iIbC2pHGDl@teutates>
Message-ID: <2e72f210-b453-e7cc-3d77-42595a7fa647@intevation.de>

Thanks a lot for your reply Andre!

On 17.01.23 13:08, Andre Heinecke wrote:
> Another big difference what you will see in the performance of GnuPG is if you
> use -z 0 which disables compression.

I tried that with the 10GB file and, indeed, it was much faster. The encryption took only 51 seconds (with compression it was: 6 min. 21 sec.).

-- 
Christoph Klassen | https://intevation.de
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter

From dentaldiva2378 at yahoo.com  Wed Jan 18 02:57:59 2023
From: dentaldiva2378 at yahoo.com (Shannon Mess)
Date: Wed, 18 Jan 2023 01:57:59 +0000 (UTC)
Subject: En-/Decryption speed for large files (GnuPG and Gpg4win)
In-Reply-To: <3481012.iIbC2pHGDl@teutates>
References: <48c68b4f-398b-3f35-1ea1-f8663f993434@intevation.de> <3481012.iIbC2pHGDl@teutates>
Message-ID: <2100269235.2858673.1674007079208@mail.yahoo.com>

Can someone please remove my email address from this group! This has nothing to do with me!

Sent from Yahoo Mail for iPhone

On Tuesday, January 17, 2023, 5:10 AM, Andre Heinecke via Gnupg-users wrote:

Hi,

On Sunday 15 January 2023 10:52:23 CET Christoph Klassen wrote:
> When I was testing the decryption I also tried "gpg --decrypt
> test_file.gpg" (without output file) with the 10 GB file and it took 8
> minutes and 47 seconds. I was wondering why it took longer when GnuPG
> didn't need to create an output file.

Yes that is expected. Gpg encrypt and decrypt with AES should be mostly IO Bound as with AES-NI instructions it is really fast in the CPU. So not writing the output to disk will result in faster operations. And one of the biggest differences you get is when you encrypt / decrypt on a faster disk.

Another big difference what you will see in the performance of GnuPG is if you use -z 0 which disables compression. Currently GnuPG on the command line disables compression when the input file name already looks compressed depending on the file name. We want to improve that, especially since Kleopatra hands the filename only in a way that is not used in that compression calculation. E.g.
Adding Media data formats there might already help in a lot of use cases. For incompressible output, like random data, this will make the largest difference. You can put "compress-level 0" into your gpg.conf to cause Kleopatra to also use that.

That issue is: https://dev.gnupg.org/T6332 If you could do a run of your tests and comment in that issue with the results that would be helpful.

It does not surprise me that Kleopatra is much slower. Due to our Architecture Kleopatra passes Data, through GPGME directly to GnuPG. This results in additional overhead but gives us more flexibility what kind of data we encrypt / decrypt. E.g. a mail or something that is not even written on the File system.

For some parts we want to change that. Most notably Ingo is currently working on Gpgtar. Gpgtar can nowadays directly encrypt / decrypt so there is no need to pipe the input / output of GnuPG to or from GpgTar. Using GpgTar directly should help a lot when working with larger Archives. https://dev.gnupg.org/T5478

We also already increased the buffer size in GPGME to reduce the number of callbacks we do internally but there can be more optimization there.

Currently our recommendation for Large Data is to use the command line directly, which will always be fastest as there is no overhead.

> Did someone of you also try to en-/decrypt larger files? Maybe even
> files that are larger than 1 TB? It would be really nice to know how
> long GnuPG and Gpg4win are busy with such large files.

I think my largest tests were around 40GB. But I don't have the numbers anymore, the testing I did there was mostly because there were reports that Kleopatra crashes on such large files.

Maybe you can open a ticket for this with a reference to https://dev.gnupg.org/T5478 about performance problems when decrypting / encrypting large files (In contrast to archives.)

Best Regards,
Andre

P.S. we are currently also looking at the startup / initial keycache building time of Kleopatra.
This might also be interesting for those looking at Kleo performance. https://dev.gnupg.org/T6259

-- 
GnuPG.com - a brand of g10 Code, the GnuPG experts.

g10 Code GmbH, Erkrath/Germany, AG Wuppertal HRB14459
GF Werner Koch, USt-Id DE215605608, www.g10code.com.

GnuPG e.V., Rochusstr. 44, D-40479 Düsseldorf. VR 11482 Düsseldorf
Vorstand: W.Koch, B.Reiter, A.Heinecke Mail: board at gnupg.org
Finanzamt D-Altstadt, St-Nr: 103/5923/1779. Tel: +49-211-28010702
_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

From alex at blueselene.com  Wed Jan 18 12:33:35 2023
From: alex at blueselene.com (Alex)
Date: Wed, 18 Jan 2023 12:33:35 +0100
Subject: En-/Decryption speed for large files (GnuPG and Gpg4win)
In-Reply-To: <2100269235.2858673.1674007079208@mail.yahoo.com>
References: <48c68b4f-398b-3f35-1ea1-f8663f993434@intevation.de> <3481012.iIbC2pHGDl@teutates> <2100269235.2858673.1674007079208@mail.yahoo.com>
Message-ID: <20230118123335.63d57127@blueselene.com>

On Wed, 18 Jan 2023 01:57:59 +0000 (UTC) Shannon Mess via Gnupg-users wrote:

> Can someone please remove my email address from this group! This has
> nothing to do with me!

Send an email to gnupg-users-request at gnupg.org?subject=unsubscribe if you're not interested in emails from this mailing list.

-- 
Current PGP KeyID: 11ADE4393600C1BDFFCBC0A598DE15942B08CA00
https://blueselene.com/pgp-archive/11ADE4393600C1BDFFCBC0A598DE15942B08CA00/key.pub
For up-to-date information on my crypto keys, see https://blueselene.com/crypto.html
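
Added example (not part of the thread and not a GnuPG project tool): a small harness for the measurement advice given earlier in this thread, which keeps gpg's output away from the console and times encryption once with the key's default compression and once with `--compress-algo uncompressed`. It assumes gpg on PATH and an existing test key for the recipient; the function names, file names and the default 256 MiB size are choices made for this illustration.

```python
import os
import shutil
import subprocess
import sys
import tempfile
import time

CHUNK = 1024 * 1024  # write random data 1 MiB at a time


def make_random_file(path, size_bytes):
    """Fill `path` with os.urandom() data; return the resulting file size."""
    remaining = size_bytes
    with open(path, "wb") as fh:
        while remaining > 0:
            block = os.urandom(min(CHUNK, remaining))
            fh.write(block)
            remaining -= len(block)
    return os.path.getsize(path)


def encrypt_cmd(recipient, infile, outfile, compress):
    """gpg argv for public-key encryption, optionally with compression off."""
    cmd = ["gpg", "--batch", "--yes"]
    if not compress:
        # A single option that leaves the data uncompressed.
        cmd += ["--compress-algo", "uncompressed"]
    return cmd + ["--output", outfile, "-r", recipient, "--encrypt", infile]


def decrypt_cmd(infile, outfile=None):
    """gpg argv for decryption; without `outfile` gpg writes to stdout."""
    cmd = ["gpg", "--batch", "--yes"]
    if outfile is not None:
        cmd += ["--output", outfile]
    return cmd + ["--decrypt", infile]


def timed_run(cmd):
    """Run cmd with stdout on the null device; return elapsed seconds."""
    start = time.perf_counter()
    subprocess.run(cmd, stdout=subprocess.DEVNULL, check=True)
    return time.perf_counter() - start


def benchmark(recipient, size_bytes, workdir, runs=2, run=timed_run):
    """Time encrypt/decrypt with default and with disabled compression.

    Returns {variant: {operation: (best_seconds, MiB_per_second)}}.
    """
    plain = os.path.join(workdir, "test_file")
    make_random_file(plain, size_bytes)
    mib = size_bytes / (1024 * 1024)
    results = {}
    for variant, compress in (("key-default", True), ("uncompressed", False)):
        enc = f"{plain}.{variant}.gpg"
        steps = {
            "encrypt": encrypt_cmd(recipient, plain, enc, compress),
            "decrypt-to-file": decrypt_cmd(enc, plain + ".out"),
            "decrypt-to-null": decrypt_cmd(enc),
        }
        results[variant] = {}
        for name, cmd in steps.items():
            best = min(run(cmd) for _ in range(runs))
            rate = mib / best if best else float("inf")
            results[variant][name] = (best, rate)
    return results


if __name__ == "__main__":
    # Usage: python bench.py RECIPIENT [SIZE_MIB]
    if len(sys.argv) < 2 or shutil.which("gpg") is None:
        sys.exit("usage: bench.py RECIPIENT [SIZE_MIB] (needs gpg on PATH)")
    size_mib = int(sys.argv[2]) if len(sys.argv) > 2 else 256
    with tempfile.TemporaryDirectory() as tmp:
        report = benchmark(sys.argv[1], size_mib * 1024 * 1024, tmp)
    for variant, ops in report.items():
        for name, (secs, rate) in ops.items():
            print(f"{variant:13} {name:16} {secs:8.2f} s {rate:8.1f} MiB/s")
```

Taking the best of several runs reduces the effect of disk caching and background load on the comparison.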
Name: not available Type: application/pgp-signature Size: 228 bytes Desc: OpenPGP digital signature URL: From yorickvanpelt at gmail.com Fri Jan 20 15:07:37 2023 From: yorickvanpelt at gmail.com (Yorick van Pelt) Date: Fri, 20 Jan 2023 15:07:37 +0100 Subject: gpg-agent ssh key order in version 2.3.7 Message-ID: Hello, I have a question regarding the gpg-agent changes in 2.3.7. I have the following setup: - gpg-agent configured as ssh-agent, with - 1 auth subkey, protected by a passphrase - 1 auth subkey stored on a yubikey. Prior to upgrading to gnupg 2.3.7, gpg would prompt me for the yubikey pincode and use it if it was inserted, and for the passphrase otherwise. Starting with 2.3.8, it always asks for the passphrase. Hitting 'cancel' makes it try the yubikey, but this happens again on the next invocation. Looking at the code changes, it looks like the ordering from the sshcontrol file is no longer used. I see that I can use "Prompt: no" to ignore the yubikey if it is not inserted, but can't figure out how to make it try the yubikey before the password-protected key. How can I best restore the old behavior? Thanks! Yorick -------------- next part -------------- An HTML attachment was scrubbed... URL: From wk at gnupg.org Tue Jan 24 10:05:26 2023 From: wk at gnupg.org (Werner Koch) Date: Tue, 24 Jan 2023 10:05:26 +0100 Subject: gpg-agent ssh key order in version 2.3.7 In-Reply-To: (Yorick van Pelt via Gnupg-users's message of "Fri, 20 Jan 2023 15:07:37 +0100") References: Message-ID: <878rhs4815.fsf@wheatstone.g10code.de> On Fri, 20 Jan 2023 15:07, Yorick van Pelt said: > yubikey if it is not inserted, but can't figure out how to make it try the > yubikey before the password-protected key. > > How can I best restore the old behavior? Unfortunately there is no way to do this right now. The tentative plan is to assign a priority based on the line number to the sshcontrol listed keys. Also we can set a priority to Use-for-ssh: flagged key files. 
See https://dev.gnupg.org/T6212

I guess it can make it into 2.4.1

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein

From sharon at web-iq.nl Thu Jan 26 11:26:06 2023
From: sharon at web-iq.nl (Sharon Oosterhuis)
Date: Thu, 26 Jan 2023 11:26:06 +0100
Subject: Ecrypt group email addresses
Message-ID:

Hi,

How to encrypt group email addresses on brand laptops (for example: Linux) not macbook? Is there a description for?

For MacBook I used the attached explanation, this works! Only this so unfortunately does not work on linux laptop for example. So we linked each employee's personal key to a group email address.

Kind Regards,
Sharon

Winner of Dutch Innovation award within Law Enforcement
Active in 30+ countries

Sharon Oosterhuis
Headquarters Manager
phone: +31 (0)50 21 11 622
site: web-iq.com
pgp: 0153 79C8 1DDB 11D9 FA3C 7F0D 52A0 8844 CC28 5CE0

The content of this email is confidential and intended for the recipient(s) specified in this message only. It is strictly forbidden to share any part of this message with any third party, without a written consent of the sender. If you received this message by mistake, please reply to this message and follow with its deletion, so that we can ensure such a mistake does not occur in the future.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Encrypt to group emails.pdf
Type: application/pdf
Size: 67816 bytes
Desc: not available

From alex at blueselene.com Thu Jan 26 20:45:03 2023
From: alex at blueselene.com (Alex)
Date: Thu, 26 Jan 2023 20:45:03 +0100
Subject: Ecrypt group email addresses
In-Reply-To:
References:
Message-ID: <20230126204503.3fc4c37c@blueselene.com>

On Thu, 26 Jan 2023 11:26:06 +0100 Sharon Oosterhuis via Gnupg-users wrote:

> Hi,
>
> How to encrypt group email addresses on brand laptops (for example:
> Linux) not macbook? Is there a description for?

What do you mean with "group email addresses"? Is it an email address shared between multiple people?

> For MacBook I used the attached explanation, this works! Only this so
> unfortunately does not work on linux laptop for example. So we linked
> each employee's personal key to a group email address.

You didn't attach any explanation.

--
Current PGP KeyID: 11ADE4393600C1BDFFCBC0A598DE15942B08CA00
https://blueselene.com/pgp-archive/11ADE4393600C1BDFFCBC0A598DE15942B08CA00/key.pub
For up-to-date information on my crypto keys, see https://blueselene.com/crypto.html

From alex at blueselene.com Thu Jan 26 23:40:23 2023
From: alex at blueselene.com (Alex)
Date: Thu, 26 Jan 2023 23:40:23 +0100
Subject: Ecrypt group email addresses
In-Reply-To: <20230126204503.3fc4c37c@blueselene.com>
References: <20230126204503.3fc4c37c@blueselene.com>
Message-ID: <20230126234023.4e53be6c@blueselene.com>

I just saw the PDF in your attachments, sorry, thanks to another user for letting me know.

GnuPG in Linux also supports the groups feature, however, whether or not GnuPG gets used depends on what email client you're using. I've never used groups, but it will likely work with clients like Claws Mail, who interact with GnuPG directly.
Clients that have their own OpenPGP implementation, like Mozilla Thunderbird, likely don't support groups.

--
Current PGP KeyID: 11ADE4393600C1BDFFCBC0A598DE15942B08CA00
https://blueselene.com/pgp-archive/11ADE4393600C1BDFFCBC0A598DE15942B08CA00/key.pub
For up-to-date information on my crypto keys, see https://blueselene.com/crypto.html

From andrewg at andrewg.com Mon Jan 30 11:57:40 2023
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Mon, 30 Jan 2023 10:57:40 +0000
Subject: Ecrypt group email addresses
In-Reply-To: <20230126234023.4e53be6c@blueselene.com>
References: <20230126204503.3fc4c37c@blueselene.com> <20230126234023.4e53be6c@blueselene.com>
Message-ID: <72DC5CF9-8579-4A31-93D4-D960D3C42BF8@andrewg.com>

On 26 Jan 2023, at 22:40, Alex wrote:

>
> Clients that have their own OpenPGP implementation, like Mozilla
> Thunderbird, likely don't support groups.

Thunderbird does support encryption to groups, but you have to manually edit a JSON configuration file:

https://support.mozilla.org/en-US/kb/openpgp-recipient-alias-configuration

A

From joellidin at gmail.com Tue Jan 31 20:52:24 2023
From: joellidin at gmail.com (Joel)
Date: Tue, 31 Jan 2023 20:52:24 +0100
Subject: Unable to sign public key
Message-ID:

Hello!

I am trying to sign a public key, but I get an error saying, `gpg: signing failed: No secret key`. However, a normal signing on a file works perfectly fine. I suspect it could be something because I have a yubikey and it might not work as I initially expected.
Has anyone had similar problems and knows how to fix it when you use a yubikey?

Best regards,
Joel Lidin