From jsogo at debian.org Sat May 1 12:50:35 2004 From: jsogo at debian.org (Jose Carlos Garcia Sogo) Date: Sat May 1 12:47:44 2004 Subject: 0.4.7 sig file has also .tar.gz Message-ID: <20040501105035.GH17752@jaimedelamo.eu.org> in ftp: -rw-r--r-- 1 1017 1017 822365 Apr 30 01:14 gpgme-0.4.7.tar.gz -rw-r--r-- 1 1017 1017 823762 Apr 30 01:24 gpgme-0.4.7.tar.gz.sig Cheers -- Jose Carlos Garcia Sogo jsogo@debian.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : /pipermail/attachments/20040501/ed76c80b/attachment.bin From jsogo at debian.org Sat May 1 14:26:59 2004 From: jsogo at debian.org (Jose Carlos Garcia Sogo) Date: Sat May 1 14:24:07 2004 Subject: 0.4.x versions not installing .a libraries Message-ID: <20040501122659.GA21416@jaimedelamo.eu.org> Hi, While packaging version 0.4.7 I have just realized that all 0.4 branch has not installed .a verson of the library. Looking around a bit I discovered that .a file is called libgpgme-real.a and it's not listed in gpgme/Makefile.am, so it's not being copied over on install. Is this intended or a bug? Thanks -- Jose Carlos Garcia Sogo jsogo@debian.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : /pipermail/attachments/20040501/bb0a87e4/attachment.bin From joe at spamfilter.de Sat May 1 17:16:12 2004 From: joe at spamfilter.de (Joe Schulz) Date: Sat May 1 18:17:47 2004 Subject: Is a .gnupg directory /w write access mandatory? Message-ID: Hello all, I am trying to use gnupg in a boot script for a high-security boot process. It only has to decrypt an ascii-armored symmetric ciphertext but at the moment it fails miserably because gnupg seems to ultimately demand write access to some .gnupg directory even if it is not needed for the task at all! At that point in the boot process there is no writable file system whatsoever because we still need to decrypt those keys for the file systems to mount! Talk about tail biting... I'd rather not mount a RAM-disk just for the purpose of getting around this, so is there some - maybe undocumented - way to make gnupg just decrypt my file and skip the ".gnupg" issue? Thanks in advance, Joe From dshaw at jabberwocky.com Sat May 1 19:21:30 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Sat May 1 19:18:51 2004 Subject: Is a .gnupg directory /w write access mandatory? In-Reply-To: References: Message-ID: <20040501172130.GA3204@jabberwocky.com> On Sat, May 01, 2004 at 05:16:12PM +0200, Joe Schulz wrote: > > Hello all, > > I am trying to use gnupg in a boot script for a high-security boot > process. It only has to decrypt an ascii-armored symmetric ciphertext > but at the moment it fails miserably because gnupg seems to ultimately > demand write access to some .gnupg directory even if it is not needed > for the task at all! > At that point in the boot process there is no writable file system > whatsoever because we still need to decrypt those keys for the file > systems to mount! Talk about tail biting... > I'd rather not mount a RAM-disk just for the purpose of getting around > this, so is there some - maybe undocumented - way to make gnupg just > decrypt my file and skip the ".gnupg" issue? It is documented. The problem is that GnuPG is trying to save the random number seed file. If you don't want this to happen, use --no-random-seed-file. David -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 330 bytes Desc: not available Url : /pipermail/attachments/20040501/46692a7a/attachment.bin From dshaw at jabberwocky.com Sun May 2 02:58:04 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Sun May 2 02:55:28 2004 Subject: Is a .gnupg directory /w write access mandatory? In-Reply-To: <20040501172130.GA3204@jabberwocky.com> References: <20040501172130.GA3204@jabberwocky.com> Message-ID: <20040502005804.GB3204@jabberwocky.com> On Sat, May 01, 2004 at 01:21:30PM -0400, David Shaw wrote: > On Sat, May 01, 2004 at 05:16:12PM +0200, Joe Schulz wrote: > > > > Hello all, > > > > I am trying to use gnupg in a boot script for a high-security boot > > process. It only has to decrypt an ascii-armored symmetric ciphertext > > but at the moment it fails miserably because gnupg seems to ultimately > > demand write access to some .gnupg directory even if it is not needed > > for the task at all! > > At that point in the boot process there is no writable file system > > whatsoever because we still need to decrypt those keys for the file > > systems to mount! Talk about tail biting... > > I'd rather not mount a RAM-disk just for the purpose of getting around > > this, so is there some - maybe undocumented - way to make gnupg just > > decrypt my file and skip the ".gnupg" issue? > > It is documented. The problem is that GnuPG is trying to save the > random number seed file. If you don't want this to happen, use > --no-random-seed-file. Oops. You'll need both --no-random-seed-file and --lock-never in this case. David -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 330 bytes Desc: not available Url : /pipermail/attachments/20040501/49c0a453/attachment.bin From atom at suspicious.org Mon May 3 05:55:50 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Mon May 3 05:53:21 2004 Subject: --comment Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 i'm not subscribed to the devel list, so please CC me on replies... from the man page (gpg 1.2.4): --comment string Use string as the comment string in clear text signatures. The default behavior is not to use a comment string. the man page says that the comment string will be used "in clear text signatures." the behavior that i've observed is that the comment is not only inserted into clear text signatures, but also inserted into ascii-armored cipher text. it doesn't matter if the comment is specified on the command line or config file. i'm not sure if this is a documentation bug or undesired behavior. ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "We will, in fact, be greeted as liberators." -- Dick Cheney, March 16th 2003 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) Comment: What is this gibberish? - http://atom.smasher.org/links/#digital_signatures iEYEARECAAYFAkCVwsoACgkQnCgLvz19QeOKKQCglNqjUTWRPammF+Mks/jPBDXN UY4AmwcA/oHU3t9XdYNJNxke9/kCLVvK =Vv5A -----END PGP SIGNATURE----- From rainer.perske at uni-muenster.de Mon May 3 15:14:12 2004 From: rainer.perske at uni-muenster.de (Rainer Perske) Date: Mon May 3 15:49:31 2004 Subject: GnuPG 1.2.4 bugs (see also BTS problem report 274) Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hello, first, many thanks to all GnuPG developers for their great work! Using AIX 5.1, I cannot compile GnuPG 1.2.4. Looking into the Bug Tracking System, I've found the very same problem reported as number 274; see further description there. Because the BTS does not offer me to append my remarks there, I'm using this mail address. Looking into the source of util/secmem.c line 171/172 ff, I see: [...] if ( err ) { if( errno != EPERM [...] (The same sequence occures in line 107/108) Surely the second cited line should read: if( err != EPERM because errno may have been changed (and is changed on AIX) during the geteuid() call in line 164. Some further lines (lines 109 ff, 173 ff) surely have to be changed accordingly. Another problem is caused by the "#ifdef _AIX" used in the same source file (and in some others). Though I am compiling on an AIX system without GCC, this macro is undefined, surely causing the compiler to create unwanted code. I can circumvent this problem by calling export CC='cc -D_AIX' prior to running ./configure. (I know, GnuPG requires GCC, thus please read this paragraph is only as a remark, not a bug report.) Best wishes - -- Rainer Perske, Zentrum f?r Informationsverarbeitung, Universit?t M?nster Lesetipp: -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (AIX) iQDVAwUBQJZFps9UbnbjB8C5AQEq0QX/XjhEGRa96a464Q9bEeagebDslGsYPMsw 2pMFUCQH/ciV03bmeWy8qIZfAWdA3edWVTrhmJxn8wcYQx88VFN1muA7H+tT3/md m8ogCRlsIGrIU9M7NInk9SWfF2k6kJAy9ds6dziS8vbqmiOpC/7utyoKzdaW/M0a V1c/vsMnPpqZ2+ZItGee5es+GGeNC8bHEs85T058kFsi4PQncpDAbICLEiLoistF ZmKSWby+bZJrPGbsh3SwJfDvUJHPG+PI =Dls6 -----END PGP SIGNATURE----- From JPClizbe at comcast.net Tue May 4 05:38:25 2004 From: JPClizbe at comcast.net (John Clizbe) Date: Wed May 5 15:25:40 2004 Subject: 1.3.5 build error Message-ID: <40971031.4050605@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I finally got a working openLDAP library to play with. Building 1.3.5 against it (after convincing configure it could be sanely done), I came across some small errors. 1) keyserver/gpgkeys_ldap.c refers to unsetenv util/unsetenv.c declares unsetenv2 2) Also in util/unsetenv.c, compilation produces error "undefined reference to `environ'. Defined as "external char **environ;". Next question: in the prebuilt win32 binaries, gpgkeys_ldap.exe is linked to wldap32.dll, but there is no mention of this dll in any of the source files. What's missing? Win2000 with mingw gcc 3.2.3. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Most men take the straight and narrow. A few take the road less traveled. I chose to cut through the woods." -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFAlxAvHQSsSmCNKhARAvhlAKDl0bMgmlWbMR9/0S+JdT8sWe6f/wCgrNiM LiCSqcW0TYBjgxycItMUrAY= =uwRf -----END PGP SIGNATURE----- From jcd at fct.unl.pt Mon May 3 17:07:58 2004 From: jcd at fct.unl.pt (Jose Carlos dos Santos Danado) Date: Wed May 5 16:25:12 2004 Subject: Problems envrypting and sending signed e-mail. Message-ID: <1083596878.4318.116.camel@ar-217-129-86-211.netvisao.pt> Hi, I am trying to use cryptplug, specially the smime plug-in, in the kmail. I am using KDE and KDE-PIM 3.1.1. gpg 1.2.2 gpgme 0.3.15 newpg 0.9.4 libgcrypt 1.1.12 libksba 0.4.6 cryptplug 0.3.15 pinentry 0.6.8 The packages used are similar to the ones used in SUSE 8.2. (Tell me if I am missing some package). I have started the gpg-agent with: eval `gpg-agent --daemon` in the startkde script. I have also added the following configuration to ~/.gnugp/gpg.conf: use-agent In the ~/.gnupg/gpgsm.conf, I have the following configuration: agent-program /usr/bin/gpg-agent dirmngr-program /usr/bin/dirmngr #disable-crl-checks # uncomment if you think it is appropriate #disable-policy-checks # uncomment if you think it is appropriate In the ~/.gnupg/gpg-agent.conf, I have the following configuration: no-grab pinentry-program /usr/bin/pinentry-qt default-cache-ttl 600 After doing all this, I have added CA and my own certificates with gpgsm as described in the aegypten project. I have used openssl has described. I have added smime plugin in the kmail. However, when I tried to sign an email, I always get an error saying that the e-mail in the certificate is not the same has the one in the message. I have checked this and the name that I am using in Kmail message and certificate are the same. But I tried to sign the email anyway and following that, I got another error from the kmail with #22 Invalid engine. Has anyone experienced this problem? Does anyone had the same experience? I have no clues how to solve this problem. I need to have kmail to sign and encrypt messages but I don't know how to solve this. If anyone of you guys know the answer to this problem, if possible send an answer to this mailing list with my e-mail in bcc. I really need the help. Thanks for your time. Best regards, Jose Carlos From npcole at yahoo.co.uk Wed May 5 18:10:56 2004 From: npcole at yahoo.co.uk (=?iso-8859-1?q?Nicholas=20Cole?=) Date: Wed May 5 18:08:32 2004 Subject: --with-colons key prefs Message-ID: <20040505161056.80239.qmail@web25002.mail.ukl.yahoo.com> doc/DETAILS says that field 13 of a 'uid' record can contain the algo preferences, yet I can't find an option to actually turn this output on. Does such an option actually exist? (would be v. useful if not). Best, N. ____________________________________________________________ Yahoo! Messenger - Communicate instantly..."Ping" your friends today! Download Messenger Now http://uk.messenger.yahoo.com/download/index.html From twoaday at freakmail.de Wed May 5 20:18:07 2004 From: twoaday at freakmail.de (Timo Schulz) Date: Wed May 5 20:17:20 2004 Subject: --with-colons key prefs In-Reply-To: <20040505161056.80239.qmail@web25002.mail.ukl.yahoo.com> References: <20040505161056.80239.qmail@web25002.mail.ukl.yahoo.com> Message-ID: <20040505181807.GC1123@daredevil.joesixpack.net> On Wed May 05 2004; 17:10, Nicholas Cole wrote: > contain the algo preferences, yet I can't find an > option to actually turn this output on. Does such an > option actually exist? (would be v. useful if not). gpg --with-colons --edit-key foo_bar this command produces output which contains a colon entry for the preferences. The ordinary key listing does not include this information. Timo -- Colt at Saber-Rider.CC keyid BF3DF9B4 (http://www.winpt.org) Windows Privacy Tools (http://winpt.sourceforge.net) WinPT (http://www.stud.uni-hannover.de/~twoaday/winpt.html) From dshaw at jabberwocky.com Wed May 5 20:27:13 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Wed May 5 20:24:34 2004 Subject: --comment In-Reply-To: References: Message-ID: <20040505182713.GB13657@jabberwocky.com> On Sun, May 02, 2004 at 11:55:50PM -0400, Atom 'Smasher' wrote: > i'm not subscribed to the devel list, so please CC me on replies... > > from the man page (gpg 1.2.4): > --comment string > Use string as the comment string in clear text signatures. > The default behavior is not to use a comment string. > > the man page says that the comment string will be used "in clear text > signatures." the behavior that i've observed is that the comment is not > only inserted into clear text signatures, but also inserted into > ascii-armored cipher text. it doesn't matter if the comment is specified > on the command line or config file. > > i'm not sure if this is a documentation bug or undesired behavior. Documentation bug. Thanks for the report. It's fixed now. David From wk at gnupg.org Wed May 5 20:42:23 2004 From: wk at gnupg.org (Werner Koch) Date: Wed May 5 20:25:33 2004 Subject: GnuPG 1.2.4 bugs (see also BTS problem report 274) In-Reply-To: (Rainer Perske's message of "Mon, 03 May 2004 15:14:12 +0200 (MES)") References: Message-ID: <87ad0mvhps.fsf@vigenere.g10code.de> On Mon, 03 May 2004 15:14:12 +0200 (MES), Rainer Perske said: > Using AIX 5.1, I cannot compile GnuPG 1.2.4. use 1.2.4rc1 from the alpha directory. > Surely the second cited line should read: if( err != EPERM > because errno may have been changed (and is changed on AIX) during No, the problem is that errno was no set above. This has been fixed in rc1. > Another problem is caused by the "#ifdef _AIX" used in the same source > file (and in some others). Though I am compiling on an AIX system without > GCC, this macro is undefined, surely causing the compiler to create So what is the OS indentifier on your AIX versions? > prior to running ./configure. (I know, GnuPG requires GCC, thus please > read this paragraph is only as a remark, not a bug report.) GnuPG does not require gcc - it should work with all c89 compliant compilers. Werner From dshaw at jabberwocky.com Wed May 5 21:03:20 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Wed May 5 21:00:34 2004 Subject: 1.3.5 build error In-Reply-To: <40971031.4050605@comcast.net> References: <40971031.4050605@comcast.net> Message-ID: <20040505190320.GC13657@jabberwocky.com> On Mon, May 03, 2004 at 10:38:25PM -0500, John Clizbe wrote: > I finally got a working openLDAP library to play with. Building 1.3.5 > against it (after convincing configure it could be sanely done), I came > across some small errors. > > 1) keyserver/gpgkeys_ldap.c refers to unsetenv > util/unsetenv.c declares unsetenv2 This is fixed in CVS. It'll be in 1.3.6. > 2) Also in util/unsetenv.c, compilation produces error "undefined > reference to `environ'. Defined as "external char **environ;". Interesting. I seem to recall reading about mingw and cygwin difficulties with environ. I have to look into this one a bit more - we might need a configure test to do this portably. > Next question: in the prebuilt win32 binaries, gpgkeys_ldap.exe is linked > to wldap32.dll, but there is no mention of this dll in any of the source > files. What's missing? wldap32.dll is part of Windows, so we don't ship the source for it ;) David From dshaw at jabberwocky.com Wed May 5 21:47:47 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Wed May 5 21:45:01 2004 Subject: 1.3.5 build error In-Reply-To: <40971031.4050605@comcast.net> References: <40971031.4050605@comcast.net> Message-ID: <20040505194747.GA16240@jabberwocky.com> On Mon, May 03, 2004 at 10:38:25PM -0500, John Clizbe wrote: > 2) Also in util/unsetenv.c, compilation produces error "undefined > reference to `environ'. Defined as "external char **environ;". Try this: 1) Add #include to the top of the file. 2) Delete the "extern char **environ;" line. Does that work for you? David From npcole at yahoo.co.uk Thu May 6 00:27:10 2004 From: npcole at yahoo.co.uk (=?iso-8859-1?q?Nicholas=20Cole?=) Date: Thu May 6 00:24:43 2004 Subject: error (?) in --with-colons --edit-key order Message-ID: <20040505222710.53525.qmail@web25009.mail.ukl.yahoo.com> If you do gpg --with-colons --list-key foo The output lists: The Primary Key User IDs Subkeys Which makes sense becuase the User IDs are bound to the primary key, and follows the general rule that each line (eg. a fingerprint when listing fingerprints) refers to the previous key or subkey. But if using gpg --with-colons --edit-key foo the listing is: The Primary Key Fingerprint Subkeys Fingerprint User IDs It is just a small inconsistency, but perhaps one worth fixing for the new version? Best, N. ____________________________________________________________ Yahoo! Messenger - Communicate instantly..."Ping" your friends today! Download Messenger Now http://uk.messenger.yahoo.com/download/index.html From wk at gnupg.org Fri May 7 17:39:31 2004 From: wk at gnupg.org (Werner Koch) Date: Fri May 7 17:20:29 2004 Subject: 1.3.5 build error In-Reply-To: <20040505190320.GC13657@jabberwocky.com> (David Shaw's message of "Wed, 5 May 2004 15:03:20 -0400") References: <40971031.4050605@comcast.net> <20040505190320.GC13657@jabberwocky.com> Message-ID: <878yg4qma4.fsf@vigenere.g10code.de> On Wed, 5 May 2004 15:03:20 -0400, David Shaw said: > Interesting. I seem to recall reading about mingw and cygwin > difficulties with environ. I have to look into this one a bit more - The current CVS version works fine under Windows; one just needs a correct environment. I have said it a hundred times before: The only supported Windows build is by using the cross compiler .-) Werner From albrecht.dress at arcor.de Sat May 8 13:17:41 2004 From: albrecht.dress at arcor.de (Albrecht =?iso-8859-1?Q?Dre=DF?=) Date: Sat May 8 13:42:45 2004 Subject: gpgsm/gpgme interaction error on listing key Message-ID: <20040508111741.GA8405@antares.localdomain> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20040508/bd819ea5/attachment-0001.bin From albrecht.dress at arcor.de Sat May 8 16:21:46 2004 From: albrecht.dress at arcor.de (Albrecht =?iso-8859-1?Q?Dre=DF?=) Date: Sat May 8 16:19:43 2004 Subject: More gpgsm+gpgme problems Message-ID: <20040508142146.GA2137@antares.localdomain> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20040508/82511b00/attachment.bin From wk at gnupg.org Sun May 9 10:15:23 2004 From: wk at gnupg.org (Werner Koch) Date: Sun May 9 10:00:12 2004 Subject: More gpgsm+gpgme problems In-Reply-To: <20040508142146.GA2137@antares.localdomain> (Albrecht =?iso-8859-1?q?Dre=DF's?= message of "Sat, 8 May 2004 16:21:46 +0200") References: <20040508142146.GA2137@antares.localdomain> Message-ID: <87ad0inhic.fsf@vigenere.g10code.de> On Sat, 8 May 2004 16:21:46 +0200, Albrecht Dre? said: > Again, the logs are attached below (gzipped, this time...). The setup is >From the logs I guess this is a segv in gpgsm. You should create a core file and use gdb to look at it. There is a minor problem that gpgsm inhibits the creation of core files: Look for may_coredump = disable_core_dumps (); in sm/gpgsm.c and replace it by may_coredump = 0; In gdb please do a "bt full". Thanks, Werner From albrecht.dress at arcor.de Sun May 9 13:30:12 2004 From: albrecht.dress at arcor.de (Albrecht =?iso-8859-1?Q?Dre=DF?=) Date: Sun May 9 13:27:22 2004 Subject: More gpgsm+gpgme problems In-Reply-To: <87ad0inhic.fsf@vigenere.g10code.de> (from wk@gnupg.org on Son, Mai 09, 2004 at 10:15:23 +0200) References: <20040508142146.GA2137@antares.localdomain> <87ad0inhic.fsf@vigenere.g10code.de> Message-ID: <20040509113012.GJ8633@antares.localdomain> Am 09.05.04 10:15 schrieb(en) Werner Koch: >From the logs I guess this is a segv in gpgsm. You should create a > core file and use gdb to look at it. There is a minor problem that > gpgsm inhibits the creation of core files: Look for Arrgh - I enabled the coredumps as you said, recompiled with "-g -O - fsigned-char" (the latter option is needed for PowerPC gcc) , and now it doesn't crash any more! IMHO, this might be an indication for a stack corruption or buffer overflow somewhere in the code... Not a very good situation, isn't it? I added some more warning options to CFLAGS (then using "-g -O -fsigned- char -Wall -Wcast-align -Wshadow -Wstrict-prototypes -Wunused - Wuninitialized -pedantic -Wmissing-declarations -Wmissing-prototypes"), and got besides tons of non-critical stuff (?, pointers w/ different signedness) the following ones which *might* be fishy: iso7816.c:106: warning: overflow in implicit constant conversion app-openpgp.c:1186: warning: overflow in implicit constant conversion app-nks.c:491: warning: overflow in implicit constant conversion app-dinsig.c:403: warning: overflow in implicit constant conversion Any ideas? Cheers, Albrecht. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Albrecht Dre? - Johanna-Kirchner-Stra?e 13 - D-53123 Bonn (Germany) Phone (+49) 228 6199571 - mailto:albrecht.dress@arcor.de _________________________________________________________________________ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20040509/3e6a6c1a/attachment.bin From wk at gnupg.org Sun May 9 16:42:09 2004 From: wk at gnupg.org (Werner Koch) Date: Sun May 9 16:25:14 2004 Subject: More gpgsm+gpgme problems In-Reply-To: <20040509113012.GJ8633@antares.localdomain> (Albrecht =?iso-8859-1?q?Dre=DF's?= message of "Sun, 9 May 2004 13:30:12 +0200") References: <20040508142146.GA2137@antares.localdomain> <87ad0inhic.fsf@vigenere.g10code.de> <20040509113012.GJ8633@antares.localdomain> Message-ID: <87pt9dmzlq.fsf@vigenere.g10code.de> On Sun, 9 May 2004 13:30:12 +0200, Albrecht Dre? said: > Arrgh - I enabled the coredumps as you said, recompiled with "-g -O - > fsigned-char" (the latter option is needed for PowerPC gcc) , and now it Why do you need to add this option? gcc should know about it. > doesn't crash any more! IMHO, this might be an indication for a stack > corruption or buffer overflow somewhere in the code... Not a very Last time I valgrinded I have seen no problems, though. > I added some more warning options to CFLAGS (then using "-g -O -fsigned- > char -Wall -Wcast-align -Wshadow -Wstrict-prototypes -Wunused - > Wuninitialized -pedantic -Wmissing-declarations -Wmissing-prototypes"), > and got besides tons of non-critical stuff (?, pointers w/ different signed/unsigned mismatches are normal. > iso7816.c:106: warning: overflow in implicit constant conversion I'll change these constantd to unsigned. But it is definitely not your problem, this stuff is only used wth smartcards. > Any ideas? Try to reproduce the problem ;-). If it does not occure anymore when core dumps are enables, you should write a wrapper for gpgsm: #!/bin/sh exec strace -o /tmp/mylog /path/to/real/gpgsm $* and see what the strace has to say. There is also the option to add debug-wait 10 to gpgsm.conf and attach gdb to the running process (gpgsm will wait right after option procssing for 10 seconds). Werner From albrecht.dress at arcor.de Mon May 10 22:02:51 2004 From: albrecht.dress at arcor.de (Albrecht =?iso-8859-1?Q?Dre=DF?=) Date: Mon May 10 22:00:01 2004 Subject: More gpgsm+gpgme problems In-Reply-To: <87pt9dmzlq.fsf@vigenere.g10code.de> (from wk@gnupg.org on Son, Mai 09, 2004 at 16:42:09 +0200) References: <20040508142146.GA2137@antares.localdomain> <87ad0inhic.fsf@vigenere.g10code.de> <20040509113012.GJ8633@antares.localdomain> <87pt9dmzlq.fsf@vigenere.g10code.de> Message-ID: <20040510200251.GK1124@antares.localdomain> Am 09.05.04 16:42 schrieb(en) Werner Koch: > Why do you need to add this option? gcc should know about it. That's common practice on Linux/PowerPC (and also MacOS X?) - char on this platform is always unsigned, and some software doesn't compile cleanly without. > Try to reproduce the problem ;-). If it does not occure anymore when > core dumps are enables, you should write a wrapper for gpgsm: > > #!/bin/sh > exec strace -o /tmp/mylog /path/to/real/gpgsm $* > > and see what the strace has to say. There is also the option to add Ok, added an my system, but (unfortunately?) no crash any more. Stay tuned... Thanks, Albrecht. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Albrecht Dre? - Johanna-Kirchner-Stra?e 13 - D-53123 Bonn (Germany) Phone (+49) 228 6199571 - mailto:albrecht.dress@arcor.de _________________________________________________________________________ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20040510/551b7525/attachment.bin From atom at suspicious.org Tue May 11 04:35:30 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Tue May 11 04:32:51 2004 Subject: --batch --gen-key Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 i'm not subscribed to devel, so please CC me on any responses. (i have tried twice to subscribe, maybe someone should look into that.) since the man page calls this an "experimental feature", i guess that means i should ask about it on the devel list. i'm using gpg 1.2.4 there are a few things about generating keys in batch mode that seem odd to me.... * the "%pubring" and "%secring" control statements both seem limited to creating files in the current directory. any directory paths as arguments are silently ignored. placing the argument inside of double or single quotes produces an error. * files are created with liberal permissions: $ ls -l seckey.sec -rw-r--r-- 1 alpha alpha 2475 May 10 22:24 seckey.sec * if a file (or STDIN) specifies making multiple keys, it seems that the file remains empty until the whole job is done. shouldn't gpg be writing the new keys to file(s) as keys are being created? ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "The unleashed power of the atom has changed everything save our modes of thinking and we thus drift toward unparalleled catastrophe." -- Albert Einstein -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) Comment: What is this gibberish? - http://atom.smasher.org/links/#digital_signatures iEYEARECAAYFAkCgO/cACgkQnCgLvz19QeN/kQCeN7DY1OnmDXVreeclOaAi4yoV pqIAniNYFSIw9MO6sYq49dLGysbZ39k+ =mRX3 -----END PGP SIGNATURE----- From wk at gnupg.org Tue May 11 09:20:33 2004 From: wk at gnupg.org (Werner Koch) Date: Tue May 11 09:05:08 2004 Subject: More gpgsm+gpgme problems In-Reply-To: <20040510200251.GK1124@antares.localdomain> (Albrecht =?iso-8859-1?q?Dre=DF's?= message of "Mon, 10 May 2004 22:02:51 +0200") References: <20040508142146.GA2137@antares.localdomain> <87ad0inhic.fsf@vigenere.g10code.de> <20040509113012.GJ8633@antares.localdomain> <87pt9dmzlq.fsf@vigenere.g10code.de> <20040510200251.GK1124@antares.localdomain> Message-ID: <87y8nzfn0e.fsf@vigenere.g10code.de> On Mon, 10 May 2004 22:02:51 +0200, Albrecht Dre? said: > That's common practice on Linux/PowerPC (and also MacOS X?) - char on this > platform is always unsigned, and some software doesn't compile cleanly I like unsigned char - it does not get you into trouble when using isfoo(*p). For GnuPG the signed option is not required; and if you use it, better make sure it is already known at configure time. > Ok, added an my system, but (unfortunately?) no crash any more. Stay > tuned... Bad. Frankly, I hope it will crash again so that we can fix it. Salam-Shalom, Werner From wk at gnupg.org Tue May 11 09:35:02 2004 From: wk at gnupg.org (Werner Koch) Date: Tue May 11 09:15:08 2004 Subject: --batch --gen-key In-Reply-To: (atom@suspicious.org's message of "Mon, 10 May 2004 22:35:30 -0400 (EDT)") References: Message-ID: <87u0ynfmc9.fsf@vigenere.g10code.de> On Mon, 10 May 2004 22:35:30 -0400 (EDT), Atom 'Smasher' said: > i'm not subscribed to devel, so please CC me on any responses. (i have > tried twice to subscribe, maybe someone should look into that.) You are now. > * the "%pubring" and "%secring" control statements both seem limited to > creating files in the current directory. any directory paths as arguments > are silently ignored. placing the argument inside of double or single Just looked at the code and there is no special handling of filenames; there are passed verbatim to the open function. Tilde expansion is also not done. > * files are created with liberal permissions: > $ ls -l seckey.sec > -rw-r--r-- 1 alpha alpha 2475 May 10 22:24 seckey.sec Quite possible. I'll change that. > * if a file (or STDIN) specifies making multiple keys, it seems that the > file remains empty until the whole job is done. shouldn't gpg be writing > the new keys to file(s) as keys are being created? Ah tyes. This is die to the internal close/open optimization. I'll change that. Werner From atom at suspicious.org Tue May 11 09:23:00 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Tue May 11 09:20:10 2004 Subject: --batch --gen-key In-Reply-To: <87u0ynfmc9.fsf@vigenere.g10code.de> References: <87u0ynfmc9.fsf@vigenere.g10code.de> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, 11 May 2004, Werner Koch wrote: > On Mon, 10 May 2004 22:35:30 -0400 (EDT), Atom 'Smasher' said: > > > i'm not subscribed to devel, so please CC me on any responses. (i have > > tried twice to subscribe, maybe someone should look into that.) > > You are now. ======================= thank you. > > * files are created with liberal permissions: > > $ ls -l seckey.sec > > -rw-r--r-- 1 alpha alpha 2475 May 10 22:24 seckey.sec > > Quite possible. I'll change that. ========================= thanks again! > > * if a file (or STDIN) specifies making multiple keys, it seems that the > > file remains empty until the whole job is done. shouldn't gpg be writing > > the new keys to file(s) as keys are being created? > > Ah tyes. This is die to the internal close/open optimization. I'll > change that. ========================== wow! thanks again!! ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "The law does not allow me to testify on any aspect of the National Security Agency, even to the Senate Intelligence Committee." -- General Allen, Director of the NSA, 1975 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) Comment: What is this gibberish? - http://atom.smasher.org/links/#digital_signatures iEYEARECAAYFAkCgf1kACgkQnCgLvz19QeN2qACdHC3apRJzvUUP1dOY+iUz1qfu p0QAnj5wIyOFJpePSsEGrH/bpwATHe4H =6Lr5 -----END PGP SIGNATURE----- From atom at suspicious.org Wed May 12 06:23:28 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Wed May 12 06:20:43 2004 Subject: edit-key weirdness (1.2.4) Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 i just edited the cipher preferences on a key with 2 UIDs. the public key records the changes properly, but the secret key only recorded the changes on the second UID... the first UID retained the original cipher preferences, on the secret key. after "setpref" and "updpref", "showpref" displays the new preferences for both UIDs. indeed, the changes ~are~ made to the public key. at first, i did not explicitly select a UID... which seems to imply that the action should involve both UIDs. on testing this out, i tried explicitly selecting both UIDs and the same thing happens. ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "The two most common elements in the universe are hydrogen and stupidity." -- Harlan Ellison -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) Comment: What is this gibberish? - http://atom.smasher.org/links/#digital_signatures iEUEARECAAYFAkChpsQACgkQnCgLvz19QeNEcACffLKhKL9yp5eBHNnPsLXT5DZm MxsAmKl7hO5yLJXMxE+/zykDu1ic1CI= =2PQk -----END PGP SIGNATURE----- From atom at suspicious.org Wed May 12 06:50:44 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Wed May 12 06:47:51 2004 Subject: edit-key weirdness (1.2.4) In-Reply-To: References: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 hhmm... edit-key also isn't updating the expire time of a secret subkey... it's working fine on the public subkey. ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "MEATLESS" - US government standards allow the use of the word "Meatless" to allow up to 2% animal product and/or meat content. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) Comment: What is this gibberish? - http://atom.smasher.org/links/#digital_signatures iEYEARECAAYFAkChrSgACgkQnCgLvz19QePgKACeJsVGO4pIJHlidz7p4agqiY7o YjsAoIudc75cMDoyk1BRg3luTqQr+3t7 =ZWiv -----END PGP SIGNATURE----- From wk at gnupg.org Wed May 12 08:55:29 2004 From: wk at gnupg.org (Werner Koch) Date: Wed May 12 08:57:17 2004 Subject: edit-key weirdness (1.2.4) In-Reply-To: (atom@suspicious.org's message of "Wed, 12 May 2004 00:23:28 -0400 (EDT)") References: Message-ID: <87ekpqcexq.fsf@vigenere.g10code.de> On Wed, 12 May 2004 00:23:28 -0400 (EDT), Atom 'Smasher' said: > i just edited the cipher preferences on a key with 2 UIDs. the public key > records the changes properly, but the secret key only recorded the changes > on the second UID... the first UID retained the original cipher Forget about the secret key. The signature on it are really used. Updating some of the properties is a relict from previous versions; modern versions don't care about it and secret key rings will anyway be removed. Creating a proper OpenPGP secret key will eventually be done at export time from the public key and the required secret key parameters. Werner From atom at suspicious.org Wed May 12 09:34:07 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Wed May 12 09:31:18 2004 Subject: edit-key weirdness (1.2.4) In-Reply-To: <87ekpqcexq.fsf@vigenere.g10code.de> References: <87ekpqcexq.fsf@vigenere.g10code.de> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > Forget about the secret key. The signature on it are really used. > Updating some of the properties is a relict from previous versions; > modern versions don't care about it and secret key rings will anyway > be removed. Creating a proper OpenPGP secret key will eventually be > done at export time from the public key and the required secret key > parameters. ====================== some secret key features, such as expiration date, could cause problems when using gpgsplit "secret-to-public" and the public key can't be imported... at least not the conventional way... ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "In a way, risking climate change is even more frightening than playing Russian roulette... but with the pistol pointed at the head of one's child..." -- Stephen J. Decanio, The Economics of Climate Change -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) Comment: What is this gibberish? - http://atom.smasher.org/links/#digital_signatures iEYEARECAAYFAkCh03QACgkQnCgLvz19QeOsIwCfdusQ6f8zCHmLCmX5sWj/ti4P 1+AAmgN8NGiKLnPaZSBOk7JWRhy/wMp0 =9T6P -----END PGP SIGNATURE----- From kraljaprvni at volny.cz Wed May 12 12:03:39 2004 From: kraljaprvni at volny.cz (Bolek) Date: Wed May 12 12:00:48 2004 Subject: Test Message-ID: <40A1F67B.8090904@volny.cz> Test From pgut001 at cs.auckland.ac.nz Fri May 14 01:01:46 2004 From: pgut001 at cs.auckland.ac.nz (pgut001@cs.auckland.ac.nz) Date: Fri May 14 01:01:48 2004 Subject: Hokki =) Message-ID: I don't bite, weah! ..btw, "04315" is a password for archive -------------- next part -------------- A non-text attachment was scrubbed... Name: MoreInfo.zip Type: application/octet-stream Size: 27366 bytes Desc: not available Url : /pipermail/attachments/20040513/d02aacaf/MoreInfo.exe From atom at suspicious.org Fri May 14 06:30:34 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Fri May 14 06:52:55 2004 Subject: cert-policy-url Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 two weird things about "cert-policy-url" (1.2.4).... 1) if a cert-policy-url is specified (in the config file), policy URLs are added even to keybinding signatures. this does not appear to be a violation of rfc2440, but it does seem weird. 2) if a subkey has it's expiration date updated (to generate a new keybinding signature) with no policy-url specified or a different policy-url, the old policy-url remains intact. there appears to be no simple way to either change or get rid of a bad policy-url from a keybinding signature. ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "They have computers, and they may have other weapons of mass destruction." -- Janet Reno, US Attorney General, 27 Feb 1998 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) Comment: What is this gibberish? - http://atom.smasher.org/links/#digital_signatures iEYEARECAAYFAkCkS3EACgkQnCgLvz19QeNuswCgj0LzONUMA8wnUhpamjxwOZgb w+QAmgOz7B4CnZsUgZibTFiaEAdOnZ2K =CojW -----END PGP SIGNATURE----- From stephane at sente.ch Fri May 14 11:11:29 2004 From: stephane at sente.ch (=?ISO-8859-1?Q?St=E9phane_Corth=E9sy?=) Date: Fri May 14 11:08:59 2004 Subject: Bad packaging of gpgme 0.4.7? Message-ID: Hi, I wanted to install gpgme 0.4.7, but it seems packages available on your ftp site are not correct: curl -O ftp://ftp.gnupg.org/gcrypt/alpha/gpgme/gpgme-0.4.7.tar.gz.sig returns a package of size 804kB, whereas gpgme-0.4.7.tar.gz weights 803kB. Quite a big signature! Anyway, verifying signature is OK: gpg --verify gpgme-0.4.7.tar.gz.sig gpg: Signature made Fri Apr 30 01:27:12 2004 CEST using DSA key ID 87978569 gpg: Good signature from "Marcus Brinkmann " gpg: aka "Marcus Brinkmann " gpg: aka "Marcus Brinkmann" gpg: aka "Marcus Brinkmann " gpg: aka "Marcus Brinkmann " Then, unarchiving gpgme-0.4.7.tar.gz logs some errors: gnutar xzf gpgme-0.4.7.tar.gz gnutar: ./PaxHeaders.13490/gpgme-0.4.7: Unknown file type 'x', extracted as normal file gnutar: gpgme-0.4.7/PaxHeaders.13490/gpgme: Unknown file type 'x', extracted as normal file ... Can you check and fix that? Thanks, St?phane From marcus.brinkmann at ruhr-uni-bochum.de Fri May 14 14:42:48 2004 From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Fri May 14 14:47:34 2004 Subject: Bad packaging of gpgme 0.4.7? In-Reply-To: References: Message-ID: <87sme318on.wl@ulysses.g10code.de> At Fri, 14 May 2004 11:11:29 +0200, St?phane Corth?sy wrote: > > Hi, > > I wanted to install gpgme 0.4.7, but it seems packages available on > your ftp site are not correct: > > curl -O ftp://ftp.gnupg.org/gcrypt/alpha/gpgme/gpgme-0.4.7.tar.gz.sig > > returns a package of size 804kB, whereas gpgme-0.4.7.tar.gz weights > 803kB. Quite a big signature! Ah well, I didn't make a detached signature. I moved the file to *.old and uploaded a new, proper detached signature. > Then, unarchiving gpgme-0.4.7.tar.gz logs some errors: > > gnutar xzf gpgme-0.4.7.tar.gz > gnutar: ./PaxHeaders.13490/gpgme-0.4.7: Unknown file type 'x', > extracted as normal file > gnutar: gpgme-0.4.7/PaxHeaders.13490/gpgme: Unknown file type 'x', > extracted as normal file > ... > > Can you check and fix that? Uh. I use a very recent version of tar (1.13.93), which adds extended attributes to the tar archive. This doesn't seem to be backwards compatible. Distress. Here comes the bummer: We just use make distcheck to create our archives. If tar creates archives that are not backward compatible, I'd consider this to be a major bug. But maybe automake passes some option that triggers this behaviour. We can not fix it - 0.4.7 is released and the damage is done. However, we are going to do another release pretty soon, and I will make sure to produce a backward compatible tar archive. Thanks, Living-on-the-cutting-edge-Marcus From marcus.brinkmann at ruhr-uni-bochum.de Fri May 14 14:55:23 2004 From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Fri May 14 15:00:32 2004 Subject: Bad packaging of gpgme 0.4.7? In-Reply-To: References: Message-ID: <87r7tn183o.wl@ulysses.g10code.de> At Fri, 14 May 2004 11:11:29 +0200, St?phane Corth?sy wrote: > gnutar: gpgme-0.4.7/PaxHeaders.13490/gpgme: Unknown file type 'x', > extracted as normal file Just found more info, automake is indeed using the --posix option to tar: /bin/sh /tmp/gpgme/missing --run tar chf - gpgme-0.4.7 --posix | GZIP=--best gzip -c >gpgme-0.4.7.tar.gz This is due to a Debian backport of a patch for automake 1.7. Uff. It seems that automake 1.9 will offer some flexibility to select the tar format to use. The Debian maintainer of automake unilaterally made a bogus decision. This is quite annoying. At least I know now where this is coming from, so I can prevent it from happening again. Thanks, Marcus From dshaw at jabberwocky.com Sat May 15 03:06:19 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Sat May 15 03:03:37 2004 Subject: cert-policy-url In-Reply-To: References: Message-ID: <20040515010619.GC22858@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, May 14, 2004 at 12:30:34AM -0400, Atom 'Smasher' wrote: > two weird things about "cert-policy-url" (1.2.4).... > > 1) if a cert-policy-url is specified (in the config file), policy URLs are > added even to keybinding signatures. this does not appear to be a > violation of rfc2440, but it does seem weird. This is intentional. Both notations and policy URLs can be attached to self-sigs. Notations clearly need to be applied to self-sigs, but the idea was that self-sigs may well have a policy they are issued under as well. I'm certainly open to discussing it. I'm somewhat allergic to adding yet-another-option, but it is true that the notations that people attach to self-sigs are not necessarily the same notations that people attach to sigs on other keys. > 2) if a subkey has it's expiration date updated (to generate a new > keybinding signature) with no policy-url specified or a different > policy-url, the old policy-url remains intact. there appears to be no > simple way to either change or get rid of a bad policy-url from a > keybinding signature. Currently you can't. Probably the policy URL should disappear when the sig is remade. I need to think about this some more. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.6-cvs (GNU/Linux) Comment: Key available at http://www.jabberwocky.com/david/keys.asc iHEEARECADEFAkClbQsqGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2Rhdmlk L2tleXMuYXNjAAoJEOJmXIdJ4cvJwVkAoNRGyUwbe+oiS/9uAG4mcXGAOhxFAJ9h dVBmcMEZd9AmLjgtpuF0sowTtw== =EzrU -----END PGP SIGNATURE----- From atom at suspicious.org Sat May 15 07:51:07 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Sat May 15 07:48:19 2004 Subject: cert-policy-url In-Reply-To: <20040515010619.GC22858@jabberwocky.com> References: <20040515010619.GC22858@jabberwocky.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, 14 May 2004, David Shaw wrote: > On Fri, May 14, 2004 at 12:30:34AM -0400, Atom 'Smasher' wrote: > > 1) if a cert-policy-url is specified (in the config file), policy URLs are > > added even to keybinding signatures. this does not appear to be a > > violation of rfc2440, but it does seem weird. > > This is intentional. Both notations and policy URLs can be attached > to self-sigs. Notations clearly need to be applied to self-sigs, but > the idea was that self-sigs may well have a policy they are issued > under as well. ========================= ok... that makes sense. > I'm certainly open to discussing it. I'm somewhat allergic to adding > yet-another-option, but it is true that the notations that people > attach to self-sigs are not necessarily the same notations that people > attach to sigs on other keys. ============================ i can understand your aversion to more adding features. this probably doesn't need (yet another) feature, just more documentation. your explanation (above) is reasonable; i just wasn't expecting the behavior... i was a surprised to find the policy in the subkeys. without the need to add new features, it can just be documented that one might desire to generate a primary key with one policy-url, and then edit the key to add a subkey with (or without) a different policy-url. > > 2) if a subkey has it's expiration date updated (to generate a new > > keybinding signature) with no policy-url specified or a different > > policy-url, the old policy-url remains intact. there appears to be no > > simple way to either change or get rid of a bad policy-url from a > > keybinding signature. > > Currently you can't. Probably the policy URL should disappear when > the sig is remade. I need to think about this some more. ================================ a policy URL could point to an dead domain, or be otherwise obsolete... there should be a (simple) way to update (or delete) a policy-url when regenerating a keybinding signature. i haven't played with notations in this regard, but i think the same logic applies... i don't know if the same problems apply. ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "I don't care what the facts are." -- President George Bush 1988 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) Comment: What is this gibberish? - http://atom.smasher.org/links/#digital_signatures iEYEARECAAYFAkClr9EACgkQnCgLvz19QePiHgCfeaAFPu1/VJgddCWduXUp7FXn 8AoAn0Jm18q8XVzfM/XyQgo9oCBd8ReZ =M64c -----END PGP SIGNATURE----- From torduninja at netcourrier.com Mon May 17 01:28:25 2004 From: torduninja at netcourrier.com (Maxine Brandt) Date: Mon May 17 02:25:28 2004 Subject: Hokki =) In-Reply-To: References: Message-ID: <40A7F919.8000000@netcourrier.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Thet sure looks like a Netsky D virus attached to the message I got in the saily digest Vol.8 Issue 12. Salut Maxine - -- GPG/PGP keys: http://www.torduninja.tk -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAp/kVKBY/R6nbCcARAjqEAJ9ozbBE2k759LzbaezQi30NT3pRNwCfZ/MN 852xxsBQyG/hAzjvYHOREe0= =jF04 -----END PGP SIGNATURE----- From wk at gnupg.org Tue May 18 13:38:25 2004 From: wk at gnupg.org (Werner Koch) Date: Tue May 18 13:37:17 2004 Subject: Hokki =) In-Reply-To: <40A7F919.8000000@netcourrier.com> (Maxine Brandt's message of "Sun, 16 May 2004 13:28:25 -1000") References: <40A7F919.8000000@netcourrier.com> Message-ID: <87hdue2cem.fsf@vigenere.g10code.de> On Sun, 16 May 2004 13:28:25 -1000, Maxine Brandt said: > Thet sure looks like a Netsky D virus attached to the message I got > in the saily digest Vol.8 Issue 12. We can't do anything about it. Authentication of the mailing lists relies on the Sender's address. Werner From jerry.windrel at verizon.net Tue May 18 16:41:04 2004 From: jerry.windrel at verizon.net (Jerry Windrel) Date: Tue May 18 16:36:19 2004 Subject: Hokki =) References: <40A7F919.8000000@netcourrier.com> <87hdue2cem.fsf@vigenere.g10code.de> Message-ID: <004001c43ce6$2655d340$6401a8c0@Windows> ----- Original Message ----- From: "Werner Koch" To: Sent: Tuesday, May 18, 2004 7:38 AM Subject: Re: Hokki =) > On Sun, 16 May 2004 13:28:25 -1000, Maxine Brandt said: > > > Thet sure looks like a Netsky D virus attached to the message I got > > in the saily digest Vol.8 Issue 12. > > We can't do anything about it. Authentication of the mailing lists > relies on the Sender's address. Has anyone added a signature verification feature to email list software? In other words, in order to send to the list, you would have to previously register your public key with the list software. It would then only let you send to the list if the message is signed by you. From wk at gnupg.org Tue May 18 17:03:33 2004 From: wk at gnupg.org (Werner Koch) Date: Tue May 18 17:01:57 2004 Subject: Hokki =) In-Reply-To: <004001c43ce6$2655d340$6401a8c0@Windows> (Jerry Windrel's message of "Tue, 18 May 2004 10:41:04 -0400") References: <40A7F919.8000000@netcourrier.com> <87hdue2cem.fsf@vigenere.g10code.de> <004001c43ce6$2655d340$6401a8c0@Windows> Message-ID: <871xlh3hh6.fsf@vigenere.g10code.de> On Tue, 18 May 2004 10:41:04 -0400, Jerry Windrel said: > Has anyone added a signature verification feature to email list software? > In other words, in order to send to the list, you would have to previously > register your public key with the list software. It would then only let you > send to the list if the message is signed by you. Not that I known of. Eventually we will need it, though. Werner From atom at suspicious.org Tue May 18 21:55:12 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Tue May 18 21:57:38 2004 Subject: OpenPGP SMTP headers Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 would it be within the scope of RFC 2440 to recommend SMTP headers related to pgp keys? such as: X-OpenPGP-KeyID: 0xB88D52E4D9F57808 (4096-RSA) X-OpenPGP-Fingerprint: 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 X-OpenPGP-URL: http://smasher.suspicious.org/pgp.txt etc... ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "We must learn to live together as brothers or perish together as fools." -- Martin Luther King, Jr. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) Comment: What is this gibberish? - http://atom.smasher.org/links/#digital_signatures iEYEARECAAYFAkCqaiQACgkQnCgLvz19QePURQCfWuXI3/JW1WzP6qYsJ1TMkHw4 Nx0Anibr8nfCPyGBSjDfhV1mSzv4kfi8 =Lm9Z -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Tue May 18 22:13:23 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Tue May 18 22:10:36 2004 Subject: OpenPGP SMTP headers In-Reply-To: References: Message-ID: <20040518201322.GA12247@jabberwocky.com> On Tue, May 18, 2004 at 03:55:12PM -0400, Atom 'Smasher' wrote: > would it be within the scope of RFC 2440 to recommend SMTP headers related > to pgp keys? such as: > > X-OpenPGP-KeyID: 0xB88D52E4D9F57808 (4096-RSA) > X-OpenPGP-Fingerprint: 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 > X-OpenPGP-URL: http://smasher.suspicious.org/pgp.txt This is really a question for the IETF OpenPGP list, but the answer (for me, anyway) is 'no'. 2440bis is mainly a data format document. That isn't to say that you can't make a RFC for such a thing. Just that 2440bis isn't the one to use. David From fejj at ximian.com Tue May 18 22:15:50 2004 From: fejj at ximian.com (Jeffrey Stedfast) Date: Tue May 18 22:15:08 2004 Subject: OpenPGP SMTP headers In-Reply-To: <20040518201322.GA12247@jabberwocky.com> References: <20040518201322.GA12247@jabberwocky.com> Message-ID: <1084911350.3097.0.camel@164-99-120-36.boston.ximian.com> You should be using PGP/MIME anyway. Death to "inline pgp" for MIME messages. Jeff On Tue, 2004-05-18 at 16:13 -0400, David Shaw wrote: > On Tue, May 18, 2004 at 03:55:12PM -0400, Atom 'Smasher' wrote: > > would it be within the scope of RFC 2440 to recommend SMTP headers related > > to pgp keys? such as: > > > > X-OpenPGP-KeyID: 0xB88D52E4D9F57808 (4096-RSA) > > X-OpenPGP-Fingerprint: 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 > > X-OpenPGP-URL: http://smasher.suspicious.org/pgp.txt > > This is really a question for the IETF OpenPGP list, but the answer > (for me, anyway) is 'no'. 2440bis is mainly a data format document. > > That isn't to say that you can't make a RFC for such a thing. Just > that 2440bis isn't the one to use. > > David > > _______________________________________________ > Gnupg-devel mailing list > Gnupg-devel@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-devel > -- Jeffrey Stedfast Evolution Hacker - Novell, Inc. fejj@ximian.com - www.novell.com From dshaw at jabberwocky.com Tue May 18 22:21:01 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Tue May 18 22:18:17 2004 Subject: OpenPGP SMTP headers In-Reply-To: <1084911350.3097.0.camel@164-99-120-36.boston.ximian.com> References: <20040518201322.GA12247@jabberwocky.com> <1084911350.3097.0.camel@164-99-120-36.boston.ximian.com> Message-ID: <20040518202101.GB12247@jabberwocky.com> > On Tue, 2004-05-18 at 16:13 -0400, David Shaw wrote: > > On Tue, May 18, 2004 at 03:55:12PM -0400, Atom 'Smasher' wrote: > > > would it be within the scope of RFC 2440 to recommend SMTP headers related > > > to pgp keys? such as: > > > > > > X-OpenPGP-KeyID: 0xB88D52E4D9F57808 (4096-RSA) > > > X-OpenPGP-Fingerprint: 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 > > > X-OpenPGP-URL: http://smasher.suspicious.org/pgp.txt > > > > This is really a question for the IETF OpenPGP list, but the answer > > (for me, anyway) is 'no'. 2440bis is mainly a data format document. > > > > That isn't to say that you can't make a RFC for such a thing. Just > > that 2440bis isn't the one to use. On Tue, May 18, 2004 at 04:15:50PM -0400, Jeffrey Stedfast wrote: > You should be using PGP/MIME anyway. Death to "inline pgp" for MIME > messages. ? The original post was in regards to headers to say "this is my key and here is how to get it". It has nothing to do with the use of PGP/MIME or not. David From atom at suspicious.org Tue May 18 22:30:01 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Tue May 18 22:27:16 2004 Subject: OpenPGP SMTP headers In-Reply-To: <20040518201322.GA12247@jabberwocky.com> References: <20040518201322.GA12247@jabberwocky.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, 18 May 2004, David Shaw wrote: > On Tue, May 18, 2004 at 03:55:12PM -0400, Atom 'Smasher' wrote: > > would it be within the scope of RFC 2440 to recommend SMTP headers related > > to pgp keys? such as: > > > > X-OpenPGP-KeyID: 0xB88D52E4D9F57808 (4096-RSA) > > X-OpenPGP-Fingerprint: 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 > > X-OpenPGP-URL: http://smasher.suspicious.org/pgp.txt > > This is really a question for the IETF OpenPGP list, but the answer > (for me, anyway) is 'no'. 2440bis is mainly a data format document. =========================== i was asking here because i didn't know where to ask, but i know that people on this list are involved with maintaining that RFC. > That isn't to say that you can't make a RFC for such a thing. Just > that 2440bis isn't the one to use. ============================ make my own RFC... that sounds intimidating... i have no idea where to start on a project like that... if anyone has any advice, please send it to me (off list, if it's off topic). thanks.... ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Like many big companies, Microsoft wins by dominating distribution channels, not by having better products. Having a technical edge over competitors is not critical to their business." -- Paul Graham -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) Comment: What is this gibberish? - http://atom.smasher.org/links/#digital_signatures iEYEARECAAYFAkCqck8ACgkQnCgLvz19QeOPVACdFXEaaVixpfwY5XUdNVC35sjl nqMAn1omFfu8JDkLbSUj23PDGf4E/brZ =P6QS -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Tue May 18 22:41:32 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Tue May 18 22:38:42 2004 Subject: OpenPGP SMTP headers In-Reply-To: <1084912283.3097.9.camel@164-99-120-36.boston.ximian.com> References: <20040518201322.GA12247@jabberwocky.com> <1084911350.3097.0.camel@164-99-120-36.boston.ximian.com> <20040518202101.GB12247@jabberwocky.com> <1084912283.3097.9.camel@164-99-120-36.boston.ximian.com> Message-ID: <20040518204132.GC12247@jabberwocky.com> On Tue, May 18, 2004 at 04:31:23PM -0400, Jeffrey Stedfast wrote: > On Tue, 2004-05-18 at 16:21 -0400, David Shaw wrote: > > > On Tue, 2004-05-18 at 16:13 -0400, David Shaw wrote: > > > > On Tue, May 18, 2004 at 03:55:12PM -0400, Atom 'Smasher' wrote: > > > > > would it be within the scope of RFC 2440 to recommend SMTP headers related > > > > > to pgp keys? such as: > > > > > > > > > > X-OpenPGP-KeyID: 0xB88D52E4D9F57808 (4096-RSA) > > > > > X-OpenPGP-Fingerprint: 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 > > > > > X-OpenPGP-URL: http://smasher.suspicious.org/pgp.txt > > > > > > > > This is really a question for the IETF OpenPGP list, but the answer > > > > (for me, anyway) is 'no'. 2440bis is mainly a data format document. > > > > > > > > That isn't to say that you can't make a RFC for such a thing. Just > > > > that 2440bis isn't the one to use. > > > > On Tue, May 18, 2004 at 04:15:50PM -0400, Jeffrey Stedfast wrote: > > > You should be using PGP/MIME anyway. Death to "inline pgp" for MIME > > > messages. > > > > ? > > > > The original post was in regards to headers to say "this is my key and > > here is how to get it". It has nothing to do with the use of PGP/MIME > > or not. > > why not just application/pgp-keys mime part attachment? Because again, that isn't what was being asked for. An application/pgp-keys attachment is the key itself. That's great if someone wants to include their entire key along with every message, but most people don't want to do that. A header says "you can download my key from here if you want it". application/pgp-keys says "here is my key. Take it." You could do the same thing in an attachment if someone wanted to define some new attachment type that was (for example) the URL of a key. In practice, most people use some variation of x-pgp-fingerprint or the like. David From fejj at ximian.com Tue May 18 22:31:23 2004 From: fejj at ximian.com (Jeffrey Stedfast) Date: Tue May 18 23:03:34 2004 Subject: OpenPGP SMTP headers In-Reply-To: <20040518202101.GB12247@jabberwocky.com> References: <20040518201322.GA12247@jabberwocky.com> <1084911350.3097.0.camel@164-99-120-36.boston.ximian.com> <20040518202101.GB12247@jabberwocky.com> Message-ID: <1084912283.3097.9.camel@164-99-120-36.boston.ximian.com> On Tue, 2004-05-18 at 16:21 -0400, David Shaw wrote: > > On Tue, 2004-05-18 at 16:13 -0400, David Shaw wrote: > > > On Tue, May 18, 2004 at 03:55:12PM -0400, Atom 'Smasher' wrote: > > > > would it be within the scope of RFC 2440 to recommend SMTP headers related > > > > to pgp keys? such as: > > > > > > > > X-OpenPGP-KeyID: 0xB88D52E4D9F57808 (4096-RSA) > > > > X-OpenPGP-Fingerprint: 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 > > > > X-OpenPGP-URL: http://smasher.suspicious.org/pgp.txt > > > > > > This is really a question for the IETF OpenPGP list, but the answer > > > (for me, anyway) is 'no'. 2440bis is mainly a data format document. > > > > > > That isn't to say that you can't make a RFC for such a thing. Just > > > that 2440bis isn't the one to use. > > On Tue, May 18, 2004 at 04:15:50PM -0400, Jeffrey Stedfast wrote: > > You should be using PGP/MIME anyway. Death to "inline pgp" for MIME > > messages. > > ? > > The original post was in regards to headers to say "this is my key and > here is how to get it". It has nothing to do with the use of PGP/MIME > or not. why not just application/pgp-keys mime part attachment? -- Jeffrey Stedfast Evolution Hacker - Novell, Inc. fejj@ximian.com - www.novell.com From greg at turnstep.com Wed May 19 01:36:20 2004 From: greg at turnstep.com (Greg Sabino Mullane) Date: Wed May 19 02:30:40 2004 Subject: Hokki =) In-Reply-To: <004001c43ce6$2655d340$6401a8c0@Windows> Message-ID: <71ffb42a718a0decd9e5e63be56d7d68@biglumber.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > Thet sure looks like a Netsky D virus attached to the message I got > in the saily digest Vol.8 Issue 12. > We can't do anything about it. Authentication of the mailing lists > relies on the Sender's address. Well, there are a couple of things one can do, namely limiting the size of the incoming messages: http://www.gtsm.com/mailmanspam.html > Has anyone added a signature verification feature to email list software? > In other words, in order to send to the list, you would have to previously > register your public key with the list software. It would then only let you > send to the list if the message is signed by you. I've heard that someone made a Mailman patch to do this. The problem is that nobody yet is willing (or has the need) for this high of a hoop to jump through for a mailing list. - -- Greg Sabino Mullane greg@turnstep.com PGP Key: 0x14964AC8 200405181932 -----BEGIN PGP SIGNATURE----- iD8DBQFAqp5TvJuQZxSWSsgRAtRbAKDYJlo+Q1WquoCICgIAGEYsx5n6aQCfYtBD +Nw3WnoSKcp1SnXUuUJnJao= =N3ug -----END PGP SIGNATURE----- From albrecht.dress at arcor.de Wed May 19 08:30:57 2004 From: albrecht.dress at arcor.de (=?ISO-8859-15?Q?Albrecht_Dre=DF?=) Date: Wed May 19 08:28:03 2004 Subject: Aw: Re: OpenPGP SMTP headers Message-ID: <24910791.1084948257835.JavaMail.ngmail@webmail06.arcor-online.net> > You should be using PGP/MIME anyway. Death to "inline pgp" for MIME > messages. While I would support this opinion in principle, the "real world" is unfortunately different - some mua's just don't support rfc3156 messages. Examples are pgp4pine and the GData plugin for [spit] Microsnot Outlook. IMHO, a *real* mua therefore must support both '2440 and '3156 (and also '2633, btw) - not so difficult using gpgme... Cheers, Albrecht. From albrecht.dress at arcor.de Wed May 19 08:41:36 2004 From: albrecht.dress at arcor.de (=?ISO-8859-15?Q?Albrecht_Dre=DF?=) Date: Wed May 19 08:38:41 2004 Subject: Aw: Re: OpenPGP SMTP headers Message-ID: <6865142.1084948896626.JavaMail.ngmail@webmail06.arcor-online.net> > A header says "you can download my key from here if you want it". > application/pgp-keys says "here is my key. Take it." I guess I didn't get your point here - why not configure gpg to retreive missing keys from a key server automagically, and then your're done? If you don't like this idea and want something special, you're free to add any header to the message envelope you like as long as it starts with "x-" and complies with rfc2822. Cheers, Albrecht. From atom at suspicious.org Wed May 19 08:52:26 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Wed May 19 08:49:45 2004 Subject: signing keys with expiration Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 when signing a key with an expiration date, a user is asked: Do you want your signature to expire at the same time? (Y/n) why is the default "yes"? i use an expiration on my keys as a sort of self-revocation... should the keys become neglected or abandoned, or if i lose the secret key, the keys will revoke themselves. if nothing bad happens to me or my secret keys, i plan to update the expiration on the keys indefinitely. my concern is that a user who signs my keys might just go with the default, which could cause me to have a bunch of expired signatures on my key. of course it may be desirable, in some circumstances, to expire a certification signature at the same time as the key expires, but i think the default should be set to "no". ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "I disapprove of what you say, but I will defend to the death your right to say it." -- widely attributed to Voltaire, but written by Evelyn Beatrice Hall under the pseudonym S[tephen] G. Tallentyre. The Friends of Voltaire, 1906 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) Comment: What is this gibberish? - http://atom.smasher.org/links/#digital_signatures iEYEARECAAYFAkCrBC8ACgkQnCgLvz19QeNwXgCeJEdqAPmtHmDhEq1fzroXO1xp 41YAnAwwsLD8/JHBPXggFTMHdR7zeasG =Li2Q -----END PGP SIGNATURE----- From avbidder at fortytwo.ch Wed May 19 09:55:23 2004 From: avbidder at fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder) Date: Wed May 19 09:52:29 2004 Subject: OpenPGP SMTP headers In-Reply-To: References: <20040518201322.GA12247@jabberwocky.com> Message-ID: <200405190955.23696@fortytwo.ch> On Tuesday 18 May 2004 22.30, Atom 'Smasher' wrote: > > > X-OpenPGP-KeyID: 0xB88D52E4D9F57808 (4096-RSA) > > > X-OpenPGP-Fingerprint: 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 > > > D9F5 7808 > > > X-OpenPGP-URL: http://smasher.suspicious.org/pgp.txt > make my own RFC... that sounds intimidating... i have no idea where > to start on a project like that... if anyone has any advice, please > send it to me (off list, if it's off topic). I suggest you first get the terminology right - these headers have nothing to do with SMTP if I understand you correctly. Then you may want to produce patches to some of the popular mailers, to demonstrate how you imagine it all should work (for those mailers that are scriptable, this probably isn't a big problem. A small hook for .forward files should be trivial, too) - if your idea is supported by more than one application, there's a bigger chance that people will consider it seriously. As for finding the right forum, this might be either the RFC822 people or the openpgp workgroup (but if you post it there, you should make it clear that you do not propose this for inclusion for rfc2440. It should probably go into an RFC of its own) greetings -- vbi -- featured product: SpamAssassin - http://spamassassin.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 331 bytes Desc: signature Url : /pipermail/attachments/20040519/c2d2058f/attachment.bin From avbidder at fortytwo.ch Wed May 19 09:58:43 2004 From: avbidder at fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder) Date: Wed May 19 09:55:48 2004 Subject: Aw: Re: OpenPGP SMTP headers In-Reply-To: <6865142.1084948896626.JavaMail.ngmail@webmail06.arcor-online.net> References: <6865142.1084948896626.JavaMail.ngmail@webmail06.arcor-online.net> Message-ID: <200405190958.43693@fortytwo.ch> On Wednesday 19 May 2004 08.41, Albrecht Dre? wrote: > > A header says "you can download my key from here if you want it". > > application/pgp-keys says "here is my key. Take it." > > I guess I didn't get your point here - why not configure gpg to > retreive missing keys from a key server automagically, and then > your're done? If you don't like this idea and want something special, > you're free to add any header to the message envelope you like as > long as it starts with "x-" and complies with rfc2822. Since many keyservers today are broken, I think a standard way to specify a canonic location for key retrieval in an mail header would be a good thing. cheers -- vbi (speaking of headers: your mailer breaks threading - it doesn't use In-Reply-To or References headers.) -- Das Leben hat keinen Sinn, au?er dem, den wir ihm geben. Es ermutigt den Menschen nicht, noch dem?tigt es ihn. -- Thornton Wilder -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 331 bytes Desc: signature Url : /pipermail/attachments/20040519/ad9d72c9/attachment.bin From wk at gnupg.org Wed May 19 10:49:46 2004 From: wk at gnupg.org (Werner Koch) Date: Wed May 19 10:46:55 2004 Subject: signing keys with expiration In-Reply-To: (atom@suspicious.org's message of "Wed, 19 May 2004 02:52:26 -0400 (EDT)") References: Message-ID: <87ekpg2445.fsf@vigenere.g10code.de> On Wed, 19 May 2004 02:52:26 -0400 (EDT), Atom 'Smasher' said: > why is the default "yes"? Because users asked for this and it is the most conservative option. I agree with your concerns, though. For reasons I don't really understand, people don't want to state that their certification "yes, this key belongs to the owner according to my own policy" lasts longer than the expiration time of the key in question at the time of certification. Salam-Shalom, Werner From cbiere at TechFak.Uni-Bielefeld.DE Wed May 19 14:47:00 2004 From: cbiere at TechFak.Uni-Bielefeld.DE (Christian Biere) Date: Wed May 19 14:44:10 2004 Subject: Hokki =) In-Reply-To: <004001c43ce6$2655d340$6401a8c0@Windows> References: <87hdue2cem.fsf@vigenere.g10code.de> <004001c43ce6$2655d340$6401a8c0@Windows> Message-ID: <20040519124700.GA25653@quetrupillan.TechFak.Uni-Bielefeld.DE> Jerry Windrel schrieb: > In other words, in order to send to the list, you would have to previously > register your public key with the list software. It would then only let you > send to the list if the message is signed by you. I guess, with "you" you refer to the spam bot? Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 303 bytes Desc: not available Url : /pipermail/attachments/20040519/ab70112e/attachment.bin From jerry.windrel at verizon.net Wed May 19 22:19:10 2004 From: jerry.windrel at verizon.net (Jerry Windrel) Date: Wed May 19 22:14:18 2004 Subject: Hokki =) References: <87hdue2cem.fsf@vigenere.g10code.de><004001c43ce6$2655d340$6401a8c0@Windows> <20040519124700.GA25653@quetrupillan.TechFak.Uni-Bielefeld.DE> Message-ID: <02ae01c43dde$8bc7d5e0$6401a8c0@Windows> No, I refer to legitimate subscribers to the list. Presumably, the list admin would not let spambots register, so the spambot wouldn't have a public key registered with the list server, and therefor the spambot could not sign messages that would be accepted. Thus, no spam. ----- Original Message ----- From: "Christian Biere" To: Sent: Wednesday, May 19, 2004 8:47 AM Subject: Re: Hokki =) Jerry Windrel schrieb: > In other words, in order to send to the list, you would have to previously > register your public key with the list software. It would then only let you > send to the list if the message is signed by you. I guess, with "you" you refer to the spam bot? Christian From albrecht.dress at arcor.de Thu May 20 17:24:00 2004 From: albrecht.dress at arcor.de (Albrecht =?iso-8859-1?Q?Dre=DF?=) Date: Thu May 20 17:21:27 2004 Subject: [BUG/Gpgme] checking message with a revoked key Message-ID: <20040520152400.GA15931@antares.localdomain> Hi, I ran into an odd behaviour of gpgme when checking a message which has been signed with a revoked key (actually this result comes from a message sent to this list recently, Message-ID: ). The results part of the gpgme (version 0.4.7, gpg 1.2.4) debug log looks like ~~~snip here~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ posix-io.c:374: select OK [ r33 ] posix-io.c:71: fd 33: about to read 1024 bytes posix-io.c:78: fd 33: got 66 bytes fd 33: got `[GNUPG:] SIG_ID hFXuvoA9V980KHYIpmzdzXhcbM4 2004-05-18 1084912207 ' posix-io.c:328: gpgme:select on [ r33 r37 ] posix-io.c:374: select OK [ r33 ] posix-io.c:71: fd 33: about to read 1024 bytes posix-io.c:78: fd 33: got 71 bytes fd 33: got `[GNUPG:] REVKEYSIG 9C280BBF3D7D41E3 Atom Smasher ' posix-io.c:328: gpgme:select on [ r33 r37 ] posix-io.c:374: select OK [ r33 ] posix-io.c:71: fd 33: about to read 1024 bytes posix-io.c:78: fd 33: got 136 bytes fd 33: got `[GNUPG:] VALIDSIG 3EBE281030AE601D54B24A909C280BBF3D7D41E3 2004-05-18 1084912207 0 4 0 17 2 01 3EBE281030AE601D54B24A909C280BBF3D7D41E3 ' posix-io.c:134: closing fd 33 wait.c:159: setting fd 33 (item=0x10d7fe08) done posix-io.c:134: closing fd 37 wait.c:159: setting fd 37 (item=0x10d7ff50) done ~~~snip here~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From this, gpgme returns 0x7000096 == source gpgme, error "invalid crypto engine". This is grossly misleading, the result should be something like "key revoked" (like key expired, see GPG_ERR_KEY_EXPIRED; IMHO such an error should be added to gpg-error). Furthermore, it would be great if I could still get the output stream (input was '2440 encoded) from gpgme to display the human-readable message content alongside with the more meaningful error message. Any ideas? Cheers, Albrecht. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Albrecht Dre? - Johanna-Kirchner-Stra?e 13 - D-53123 Bonn (Germany) Phone (+49) 228 6199571 - mailto:albrecht.dress@arcor.de _________________________________________________________________________ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20040520/6e81ab89/attachment.bin From cbiere at TechFak.Uni-Bielefeld.DE Fri May 21 01:01:26 2004 From: cbiere at TechFak.Uni-Bielefeld.DE (Christian Biere) Date: Fri May 21 00:58:29 2004 Subject: Hokki =) In-Reply-To: <02ae01c43dde$8bc7d5e0$6401a8c0@Windows> References: <20040519124700.GA25653@quetrupillan.TechFak.Uni-Bielefeld.DE> <02ae01c43dde$8bc7d5e0$6401a8c0@Windows> Message-ID: <20040520230126.GA5418@kilauea.TechFak.Uni-Bielefeld.DE> Jerry Windrel schrieb: > No, I refer to legitimate subscribers to the list. Presumably, the list > admin would not let spambots register, so the spambot wouldn't have a public > key registered with the list server, OK, how would you accomplish this? A tea party or a turing test? IMHO, any (spam) barrier works only as long as it's not in wide use (thus not interesting). Once it's state-of-the-start, spammers develop an automatic counter-measure and you end up with a highly complex system without really solving the problem. Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 303 bytes Desc: not available Url : /pipermail/attachments/20040521/e8a1618b/attachment.bin From marcus.brinkmann at ruhr-uni-bochum.de Fri May 21 01:05:51 2004 From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Fri May 21 01:02:58 2004 Subject: [BUG/Gpgme] checking message with a revoked key In-Reply-To: <20040520152400.GA15931@antares.localdomain> References: <20040520152400.GA15931@antares.localdomain> Message-ID: <87zn82puls.wl@ulysses.g10code.de> At Thu, 20 May 2004 17:24:00 +0200, Albrecht Dre? wrote: > fd 33: got `[GNUPG:] REVKEYSIG 9C280BBF3D7D41E3 Atom Smasher Yow, that one is not handled at all right now! > From this, gpgme returns 0x7000096 == source gpgme, error "invalid crypto > engine". This is grossly misleading, the result should be something like > "key revoked" (like key expired, see GPG_ERR_KEY_EXPIRED; IMHO such an > error should be added to gpg-error). The invalid engine is caused by a VALIDSIG without starting a signature (as REVKEYSIG was not recognized). Can you try the below patch if it helps? It's totally untested (didn't even try to compile it). BTW, the CERT_REVOKED error code in the patch is probably bogus. From a quick glance, I agree with you that a KEY_REVOKED error code is needed in gpg-error. > Furthermore, it would be great if I could still get the output stream > (input was '2440 encoded) from gpgme to display the human-readable message > content alongside with the more meaningful error message. That might be a side error of the invalid engine. Please first check the below patch, that might already be all you need. Thanks, Marcus 2004-05-21 Marcus Brinkmann * gpgme.h (gpgme_status_code_t): Add GPGME_STATUS_REVKEYSIG. * verify.c (_gpgme_verify_status_handler): Add handling of GPGME_STATUS_REVKEYSIG. (parse_trust): Likewise. Index: gpgme.h =================================================================== RCS file: /cvs/gnupg/gpgme/gpgme/gpgme.h,v retrieving revision 1.143 diff -u -r1.143 gpgme.h --- gpgme.h 29 Apr 2004 21:50:38 -0000 1.143 +++ gpgme.h 20 May 2004 23:00:48 -0000 @@ -388,7 +388,8 @@ GPGME_STATUS_EXPKEYSIG, GPGME_STATUS_TRUNCATED, GPGME_STATUS_ERROR, - GPGME_STATUS_NEWSIG + GPGME_STATUS_NEWSIG, + GPGME_STATUS_REVKEYSIG } gpgme_status_code_t; Index: verify.c =================================================================== RCS file: /cvs/gnupg/gpgme/gpgme/verify.c,v retrieving revision 1.65 diff -u -r1.65 verify.c --- verify.c 15 Apr 2004 15:58:08 -0000 1.65 +++ verify.c 20 May 2004 23:00:32 -0000 @@ -223,6 +223,10 @@ sig->status = gpg_error (GPG_ERR_BAD_SIGNATURE); break; + case GPGME_STATUS_REVKEYSIG: + sig->status = gpg_error (GPG_ERR_CERT_REVOKED); + break; + case GPGME_STATUS_ERRSIG: if (end) { @@ -531,6 +535,7 @@ case GPGME_STATUS_EXPKEYSIG: case GPGME_STATUS_BADSIG: case GPGME_STATUS_ERRSIG: + case GPGME_STATUS_REVKEYSIG: if (sig && !opd->did_prepare_new_sig) calc_sig_summary (sig); opd->only_newsig_seen = 0; From wk at gnupg.org Fri May 21 11:00:09 2004 From: wk at gnupg.org (Werner Koch) Date: Fri May 21 11:01:48 2004 Subject: [BUG/Gpgme] checking message with a revoked key In-Reply-To: <87zn82puls.wl@ulysses.g10code.de> (Marcus Brinkmann's message of "Fri, 21 May 2004 01:05:51 +0200") References: <20040520152400.GA15931@antares.localdomain> <87zn82puls.wl@ulysses.g10code.de> Message-ID: <87oeoixihy.fsf@vigenere.g10code.de> On Fri, 21 May 2004 01:05:51 +0200, Marcus Brinkmann said: > BTW, the CERT_REVOKED error code in the patch is probably bogus. From > a quick glance, I agree with you that a KEY_REVOKED error code is CERT_REVOKED is fine because you don't revoke a key (i.e. the numbers of which the key consists) but the certificate or the OpenPGP key along with its associated information (self-signatures). There is an ambiguity in the terms when it comes to OpenPGP. Werner From albrecht.dress at arcor.de Fri May 21 14:00:07 2004 From: albrecht.dress at arcor.de (Albrecht =?iso-8859-1?Q?Dre=DF?=) Date: Fri May 21 14:15:56 2004 Subject: [BUG/Gpgme] checking message with a revoked key In-Reply-To: <87zn82puls.wl@ulysses.g10code.de> (from marcus.brinkmann@ruhr-uni-bochum.de on Fre, Mai 21, 2004 at 01:05:51 +0200) References: <20040520152400.GA15931@antares.localdomain> <87zn82puls.wl@ulysses.g10code.de> Message-ID: <20040521120007.GA26068@antares.localdomain> Am 21.05.04 01:05 schrieb(en) Marcus Brinkmann: > The invalid engine is caused by a VALIDSIG without starting a > signature (as REVKEYSIG was not recognized). Can you try the below > patch if it helps? It's totally untested (didn't even try to compile > it). Wow - great patch!! Now op_verify correctly returns with no error, writes back the "decrypted" contents, and the signature status says "certificate revoked". Good work!! > BTW, the CERT_REVOKED error code in the patch is probably bogus. From > a quick glance, I agree with you that a KEY_REVOKED error code is > needed in gpg-error. Now I'm looking eagerly forward to a new gpgme/gpg-error tarball 2B released soon, so I can feed the fix and the new key status/error upstream into balsa... ;-)) Thanks, Albrecht. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Albrecht Dre? - Johanna-Kirchner-Stra?e 13 - D-53123 Bonn (Germany) Phone (+49) 228 6199571 - mailto:albrecht.dress@arcor.de _________________________________________________________________________ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20040521/bc70292d/attachment.bin From marcus.brinkmann at ruhr-uni-bochum.de Fri May 21 18:50:01 2004 From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Fri May 21 18:47:07 2004 Subject: 0.4.x versions not installing .a libraries In-Reply-To: <20040501122659.GA21416@jaimedelamo.eu.org> References: <20040501122659.GA21416@jaimedelamo.eu.org> Message-ID: <87n041pvwm.wl@ulysses.g10code.de> At Sat, 1 May 2004 14:26:59 +0200, Jose Carlos Garcia Sogo wrote: > > [1 ] > [1.1 ] > > Hi, > > While packaging version 0.4.7 I have just realized that all 0.4 branch > has not installed .a verson of the library. Looking around a bit I > discovered that .a file is called libgpgme-real.a and it's not listed > in gpgme/Makefile.am, so it's not being copied over on install. > > Is this intended or a bug? Have you used --enable-static at configure time? The default is "no". libgpgme-real.a is an intermediate library, only used to build the other ones. Thanks, Marcus From marcus.brinkmann at ruhr-uni-bochum.de Fri May 21 18:44:41 2004 From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Fri May 21 19:59:20 2004 Subject: [BUG/Gpgme] checking message with a revoked key In-Reply-To: <20040521120007.GA26068@antares.localdomain> References: <20040520152400.GA15931@antares.localdomain> <87zn82puls.wl@ulysses.g10code.de> <20040521120007.GA26068@antares.localdomain> Message-ID: <87oeohpw5i.wl@ulysses.g10code.de> At Fri, 21 May 2004 14:00:07 +0200, Albrecht Dre? wrote: > Wow - great patch!! Now op_verify correctly returns with no error, writes > back the "decrypted" contents, and the signature status says "certificate > revoked". Good work!! Ok, as Werner said CERT_REVOKED is ok, I added the patch to CVS. > > BTW, the CERT_REVOKED error code in the patch is probably bogus. From > > a quick glance, I agree with you that a KEY_REVOKED error code is > > needed in gpg-error. > > Now I'm looking eagerly forward to a new gpgme/gpg-error tarball 2B > released soon, so I can feed the fix and the new key status/error upstream > into balsa... ;-)) There is more that needs to be fixed and prepared, but a new release won't take too long, stay tuned ;) You can already add the code to handle it to balsa, as we use the existing GPG_ERR_CERT_REVOKED error code. Thanks, MArcus From dshaw at jabberwocky.com Sat May 22 06:19:52 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Sat May 22 06:17:02 2004 Subject: Aw: Re: OpenPGP SMTP headers In-Reply-To: <200405190958.43693@fortytwo.ch> References: <6865142.1084948896626.JavaMail.ngmail@webmail06.arcor-online.net> <200405190958.43693@fortytwo.ch> Message-ID: <20040522041951.GA13121@jabberwocky.com> On Wed, May 19, 2004 at 09:58:43AM +0200, Adrian 'Dagurashibanipal' von Bidder wrote: > On Wednesday 19 May 2004 08.41, Albrecht Dre? wrote: > > > A header says "you can download my key from here if you want it". > > > application/pgp-keys says "here is my key. Take it." > > > > I guess I didn't get your point here - why not configure gpg to > > retreive missing keys from a key server automagically, and then > > your're done? If you don't like this idea and want something special, > > you're free to add any header to the message envelope you like as > > long as it starts with "x-" and complies with rfc2822. > > Since many keyservers today are broken, I think a standard way to > specify a canonic location for key retrieval in an mail header would be > a good thing. Note that if you are signing a message, the development GnuPG can implant a URL to download the key from right in the signature. The recipient (using auto-key-retrieve) can get this key from whatever URL you specify. It doesn't even have to be on a keyserver. (The next development GnuPG should be out very soon). David -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 330 bytes Desc: not available Url : /pipermail/attachments/20040522/b1c0d60f/attachment.bin From dshaw at jabberwocky.com Sat May 22 15:45:40 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Sat May 22 16:20:26 2004 Subject: [Announce] GnuPG 1.3.6 released (development) Message-ID: <20040522134540.GB13121@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello! The latest release from the development branch of GnuPG is ready for public consumption. This is a branch to create what will eventually become GnuPG 1.4. It will change with greater frequency than the 1.2.x "stable" branch, which will mainly be updated for bug fix reasons. The more GnuPG-familiar user is encouraged try this release (and the ones that will follow in the 1.3.x branch), and report back any problems to gnupg-devel@gnupg.org. In return, you get the latest code with the latest features. This release brings development even closer to a good point for 1.4. If there is something that you do not like here, be it a missing feature, a UI choice, or, well, anything, now is the time to speak up. Once 1.3.x becomes the new stable, large changes will be unlikely. While we obviously cannot guarantee that every suggestion will be included, they will all be looked at. As always, note that while this code is stable enough for many uses, it is still the development branch. Mission-critical applications should use the 1.2.x stable branch. The files are available from: Gzipped: ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.6.tar.gz (1.9M) ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.6.tar.gz.sig Bzip2ed: ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.6.tar.bz2 (1.5M) ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.6.tar.bz2.sig or as a patch against the 1.3.5 source: ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.5-1.3.6.diff.gz (193k) MD5 checksums for the files are: 931f67b4c261349f613c531c00e8f068 gnupg-1.3.6.tar.gz 886764469a51845cb84cece3e8a6ccf1 gnupg-1.3.6.tar.gz.sig 36d1291322a277ec391fdc0950a56bb9 gnupg-1.3.6.tar.bz2 aa009ee54efec31ba1f4d304de3b3f06 gnupg-1.3.6.tar.bz2.sig a1fc4269789909ea17f2d6965ea7b4dd gnupg-1.3.5-1.3.6.diff.gz Noteworthy changes in version 1.3.6 (2004-05-22) - ------------------------------------------------ * New --keyid-format option that selects short (99242560), long (DB698D7199242560), 0xshort (0x99242560), or 0xlong (0xDB698D7199242560) keyid displays. This lets users tune the display to what they prefer. * The --list-options and --verify-options option "show-long-keyids" has been removed since --keyid-format obviates the need for them. * Support for the old quasi-1991 partial length encoding has been removed. * The --export-all and --export-options include-non-rfc options have been removed as superfluous since nonstandard V3 Elgamal sign+encrypt keys have been removed. * Preferred keyserver support has been added. Users may set a preferred keyserver via the --edit-key command "keyserver". If the --keyserver-option honor-keyserver-url is set (and it is by default), then the preferred keyserver is used when refreshing that key. * The --sig-keyserver-url option can be used to inform signature recipients where the signing key can be downloaded. When verifying the signature, if the signing key is not present, and the keyserver options honor-keyserver-url and auto-key-retrieve are set, this URL will be used to retrieve the key. * Support for fetching keys via HTTP has been added. This is mainly useful for setting a preferred keyserver URL like "http://www.jabberwocky.com/key.asc". * New --ask-cert-level/--no-ask-cert-level option to turn on and off the prompt for signature level when signing a key. Defaults to off. * New --gpgconf-list command for internal use by the gpgconf utility from gnupg 1.9.x. Enjoy! The GnuPG team (David, Stefan, Timo and Werner) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.6 (GNU/Linux) iGoEARECACoFAkCvWYQjGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2tleS5h c2MACgkQ4mZch0nhy8l+8wCdEpS1pqiCGf14bMRFjY5Wb6yDUyIAn39y539e0IN+ lOxuEOXLcTfhXfIu =HQBy -----END PGP SIGNATURE----- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From cbiere at TechFak.Uni-Bielefeld.DE Sat May 22 18:18:55 2004 From: cbiere at TechFak.Uni-Bielefeld.DE (Christian Biere) Date: Sat May 22 18:15:59 2004 Subject: Hokki =) In-Reply-To: <20040520230126.GA5418@kilauea.TechFak.Uni-Bielefeld.DE> References: <20040519124700.GA25653@quetrupillan.TechFak.Uni-Bielefeld.DE> <02ae01c43dde$8bc7d5e0$6401a8c0@Windows> <20040520230126.GA5418@kilauea.TechFak.Uni-Bielefeld.DE> Message-ID: <20040522161855.GA11731@kilauea.TechFak.Uni-Bielefeld.DE> Christian Biere wrote: > Jerry Windrel schrieb: > > No, I refer to legitimate subscribers to the list. Presumably, the list > > admin would not let spambots register, so the spambot wouldn't have a public > > key registered with the list server, > OK, how would you accomplish this? However, I like the idea of subscribing with a key *instead* of an email address so that I could easily post from diverse accounts without having to register different addresses. Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 303 bytes Desc: not available Url : /pipermail/attachments/20040522/bd31dba0/attachment.bin From thomas at northernsecurity.net Sat May 22 18:37:47 2004 From: thomas at northernsecurity.net (Thomas =?iso-8859-1?Q?Sj=F6gren?=) Date: Sat May 22 18:35:28 2004 Subject: Hokki =) In-Reply-To: <20040522161855.GA11731@kilauea.TechFak.Uni-Bielefeld.DE> References: <20040519124700.GA25653@quetrupillan.TechFak.Uni-Bielefeld.DE> <02ae01c43dde$8bc7d5e0$6401a8c0@Windows> <20040520230126.GA5418@kilauea.TechFak.Uni-Bielefeld.DE> <20040522161855.GA11731@kilauea.TechFak.Uni-Bielefeld.DE> Message-ID: <20040522163747.GF11833@northernsecurity.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, May 22, 2004 at 06:18:55PM +0200, Christian Biere wrote: > However, I like the idea of subscribing with a key *instead* of an email > address so that I could easily post from diverse accounts without having > to register different addresses. This would work on this list but what about gnupg-users or similar where people usually joins because they either havent start using gpg, dont know how to use it or its broken? /Thomas - -- == thomas@northernsecurity.net | thomas@se.linux.org == Encrypted e-mails preferred | GPG KeyID: 114AA85C - -- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iQEVAwUBQK+B2tXAsD67qPj1AQJ0OAf+J9h4rqixQeHUXJS/WghWkCwY1riSHxkH y6n/sCfstrwpDI3FxkPboQGTufYp/0fM6zKoFiUD09HbA+lG4Dre4Vn2Fg41qYyM zuL37xp9t6m5NmIllOn0UMGPMmhqdPvcjIuIN4vkVoJMfZ+5ei6QQ7aGFxjiwsN/ 5hEp9nmn8FEecezOwJLqUn+/z1OIlVE3FyNrIIcNnrrRiEb8IT92moIuelhLdeFN WgqKrtwgFDEdYLAvTDlBPf9jzOdWpx6T0ERiPatJ2lLf4jD74yQviVgv+BR1y0Kq Np5TjZT2gR7POzEBtlVF/E9EkZVBDkMIbnRlLyYUMoUMYt/+HqpCQA== =uf1h -----END PGP SIGNATURE----- From npcole at yahoo.co.uk Sat May 22 20:01:23 2004 From: npcole at yahoo.co.uk (=?iso-8859-1?q?Nicholas=20Cole?=) Date: Sat May 22 19:58:56 2004 Subject: multiple file signing oddness Message-ID: <20040522180123.82744.qmail@web25006.mail.ukl.yahoo.com> On version 1.2.4 and 1.3.5: gpg -o sig-file --detach-sign file1 file2 gives a signature which is BAD if you do gpg --verify sig-file file1 file2 but GOOD if you do gpg --verify sig-file file2 file1 (ie. if the files are specified in the reverse order from the one in which the signature was originally made). A bug or a feature? Best, N. ____________________________________________________________ Yahoo! Messenger - Communicate instantly..."Ping" your friends today! Download Messenger Now http://uk.messenger.yahoo.com/download/index.html From dshaw at jabberwocky.com Sun May 23 06:34:20 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Sun May 23 06:31:31 2004 Subject: multiple file signing oddness In-Reply-To: <20040522180123.82744.qmail@web25006.mail.ukl.yahoo.com> References: <20040522180123.82744.qmail@web25006.mail.ukl.yahoo.com> Message-ID: <20040523043420.GF22635@jabberwocky.com> On Sat, May 22, 2004 at 07:01:23PM +0100, Nicholas Cole wrote: > > On version 1.2.4 and 1.3.5: > > gpg -o sig-file --detach-sign file1 file2 > > gives a signature which is BAD if you do > > gpg --verify sig-file file1 file2 > > but GOOD if you do > > gpg --verify sig-file file2 file1 > > (ie. if the files are specified in the reverse order > from the one in which the signature was originally > made). Very interesting. That's not ideal since the syntax that is used to generate the sigfile should be usable to verify the sigfile. Changing it in 1.2.x is not a good idea as it may break some assumptions and/or scripts, but I'll fix it for 1.3.x. David Index: verify.c =================================================================== RCS file: /cvs/gnupg/gnupg/g10/verify.c,v retrieving revision 1.11 diff -u -r1.11 verify.c --- verify.c 15 Apr 2003 15:46:13 -0000 1.11 +++ verify.c 23 May 2004 04:27:27 -0000 @@ -101,7 +101,7 @@ iobuf_push_filter( fp, armor_filter, &afx ); sl = NULL; - for(i=1 ; i < nfiles; i++ ) + for(i=nfiles-1 ; i > 0 ; i-- ) add_to_strlist( &sl, files[i] ); rc = proc_signature_packets( NULL, fp, sl, sigfile ); free_strlist(sl); From atom at suspicious.org Sun May 23 09:38:22 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Sun May 23 09:35:36 2004 Subject: [Announce] GnuPG 1.3.6 released (development) In-Reply-To: <20040522134540.GB13121@jabberwocky.com> References: <20040522134540.GB13121@jabberwocky.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 FreeBSD 4.9-RELEASE #0 ./configure --program-suffix=_1.3.6 no problems. //// multiple comments are working!! soon, the comment in my signature will span 2 lines and be fully compliant with rfc 2822:2.1.1 //// i'm too tired now to test this myself, but i'm curious... i'm assuming that fetching keys will not work via https. if that's the case, and a key uses a preferred keyserver that specifies https (or some other unknown or unsupported protocol), does it fail gracefully or does it get ugly? has anyone tried this? //// generating keys in batch mode still doesn't write to keys to the keyrings as it goes... dave, you said the fix was in for this, i'm not sure if that means that it should be behaving differently in 1.3.6...? //// - --default-cert-level hhmmm... 1.2.4 will use the specified level as a default, but still ASK what level signature to issue... 1.3.6 does NOT ask, it just uses the supplied default. that means that the default isn't *really* a default, but rather the signature level is specified on the command line instead of interactively. - --sign-key and --edit-key both seem to behave the same on this. i like the old (interactive) way better. //// man page says: show-keyserver-urls Show any preferred keyserver URL in the signature being verified. Defaults to no. the default seems to be "yes". //// past my bedtime..... thanks!!! ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Nearly all men can stand adversity, but if you want to test a man's character, give him power." -- Abraham Lincoln -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) Comment: What is this gibberish? - http://atom.smasher.org/links/#digital_signatures iEYEARECAAYFAkCwVPMACgkQnCgLvz19QeNizwCfVOIGR444f8t1yhCGyyIIF4IT dJEAn3ZlIvNGVPatAmGot7+glI9a6mO9 =zxe7 -----END PGP SIGNATURE----- From ajgpgml at tesla.inka.de Sun May 23 13:53:41 2004 From: ajgpgml at tesla.inka.de (Andreas John) Date: Sun May 23 13:50:56 2004 Subject: --list-keys and --show-keyring Message-ID: <00ee01c440bc$bee31940$0c02a8c0@de> Hi! The manpage of GPG tells: --show-keyring Causes --list-keys, --list-public-keys, and --list-secret-keys to display the name of the keyring a given key resides on. This is only useful when you're listing a specific key or set of keys. It has no effect when listing all keys. Why is it not inactive when listing all keys? Is it because a key might be present in different keyrings at the same time and thus would be listed twice (and stupid programs would break)? Then, why not allow when using "--expert" or something. If some program is interessted in that information, why only reveal it the long and hard way? Bye! From ajgpgml at tesla.inka.de Sun May 23 13:42:33 2004 From: ajgpgml at tesla.inka.de (Andreas John) Date: Sun May 23 13:51:03 2004 Subject: Embedded filenames and --status-fd Message-ID: <00ed01c440bc$be860520$0c02a8c0@de> Hi! I've played around a bit with GPG and aim to integrate some file-decoding mechanism into my program using GPG. Well, to put it short: I'm interessted in the embedded filename of a decrypted file (possibly set with "--set-filename" to hide a real filename when sent as attachment "gpg.asc"), unfortunately the only way to get the embedded filename from an encrypted file seems to be "-v" and parse the verbose infostrings printed then (with the additional complexity of them being strings possibly be translated to different languages?). So I'd like to know if it's possible (say, if not already done, for 1.2.5?) to add a status-fd-message showing this information when decrypting? Maybe only show when "--use-embedded-filename" is specified at the command-line if you fear to break some programs relying on the --status-fd as it currently is. I've seen that even "--enable-progress-filter" won't show the embedded filename (and it even clips the filename after a fixed amount of chars (a bit too small I'd say)). I'd also like to see an special option "--list-embedded-filenames [files]", as I don't think that "--list-only --decrypt-files [files]" can serve this need). Bye! From dshaw at jabberwocky.com Sun May 23 16:35:12 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Sun May 23 16:32:20 2004 Subject: Embedded filenames and --status-fd In-Reply-To: <00ed01c440bc$be860520$0c02a8c0@de> References: <00ed01c440bc$be860520$0c02a8c0@de> Message-ID: <20040523143512.GA13598@jabberwocky.com> On Sun, May 23, 2004 at 01:42:33PM +0200, Andreas John wrote: > I've played around a bit with GPG and aim to integrate some > file-decoding mechanism into my program using GPG. > > Well, to put it short: I'm interessted in the embedded filename of a > decrypted file (possibly set with "--set-filename" to hide a real > filename when sent as attachment "gpg.asc"), unfortunately the only > way to get the embedded filename from an encrypted file seems to be > "-v" and parse the verbose infostrings printed then (with the > additional complexity of them being strings possibly be translated > to different languages?). > > So I'd like to know if it's possible (say, if not already done, for > 1.2.5?) to add a status-fd-message showing this information when > decrypting? Maybe only show when "--use-embedded-filename" is > specified at the command-line if you fear to break some programs > relying on the --status-fd as it currently is. As it happens, I have code to do this already. I haven't checked it in yet for 1.2.5 as there is some discussion about the details of embedded filenames and character set encoding going on for the updated OpenPGP draft. I'm reluctant to check it in and have people start using it before the standard is set (running the risk of being forced to change it later and break things). David -------------- next part -------------- Index: plaintext.c =================================================================== RCS file: /cvs/gnupg/gnupg/g10/plaintext.c,v retrieving revision 1.39.2.9 diff -u -r1.39.2.9 plaintext.c --- plaintext.c 1 Apr 2004 04:02:27 -0000 1.39.2.9 +++ plaintext.c 23 May 2004 14:30:48 -0000 @@ -58,6 +58,19 @@ int c; int convert = (pt->mode == 't' || pt->mode == 'u'); + /* While it might be nice to put this at the end so we could + include the number of bytes written, it's more important that + this status tag is output before any plaintext is written. + This allows the receiving program to try and so something + different based on the plaintext format code. */ + if(!nooutput && is_status_enabled()) + { + char status[14]; + sprintf(status,"%d %u ",pt->mode,pt->timestamp); + write_status_text_and_buffer(STATUS_PLAINTEXT, + status,pt->name,pt->namelen,0); + } + /* create the filename as C string */ if( nooutput ) ; Index: status.c =================================================================== RCS file: /cvs/gnupg/gnupg/g10/status.c,v retrieving revision 1.35.2.5 diff -u -r1.35.2.5 status.c --- status.c 1 Mar 2004 20:00:39 -0000 1.35.2.5 +++ status.c 23 May 2004 14:30:48 -0000 @@ -1,6 +1,6 @@ /* status.c - * Copyright (C) 1998, 1999, 2000, 2001, 2002, - * 2004 Free Software Foundation, Inc. + * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, + * 2004 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -151,6 +151,7 @@ case STATUS_EXPKEYSIG : s = "EXPKEYSIG"; break; case STATUS_REVKEYSIG : s = "REVKEYSIG"; break; case STATUS_ATTRIBUTE : s = "ATTRIBUTE"; break; + case STATUS_PLAINTEXT : s = "PLAINTEXT"; break; default: s = "?"; break; } return s; Index: status.h =================================================================== RCS file: /cvs/gnupg/gnupg/g10/status.h,v retrieving revision 1.23.2.2 diff -u -r1.23.2.2 status.h --- status.h 28 Jul 2003 00:49:20 -0000 1.23.2.2 +++ status.h 23 May 2004 14:30:49 -0000 @@ -1,5 +1,6 @@ /* status.h - * Copyright (C) 1998, 1999, 2000, 2001 Free Software Foundation, Inc. + * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, + * 2004 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -20,7 +21,6 @@ #ifndef G10_STATUS_H #define G10_STATUS_H - #define STATUS_ENTER 1 #define STATUS_LEAVE 2 #define STATUS_ABORT 3 @@ -29,7 +29,6 @@ #define STATUS_BADSIG 5 #define STATUS_ERRSIG 6 - #define STATUS_BADARMOR 7 #define STATUS_RSA_OR_IDEA 8 @@ -100,6 +99,7 @@ #define STATUS_IMPORT_OK 68 #define STATUS_IMPORT_CHECK 69 #define STATUS_REVKEYSIG 70 +#define STATUS_PLAINTEXT 71 /*-- status.c --*/ void set_status_fd ( int fd ); @@ -123,6 +123,5 @@ void cpr_kill_prompt(void); int cpr_get_answer_is_yes( const char *keyword, const char *prompt ); int cpr_get_answer_yes_no_quit( const char *keyword, const char *prompt ); - #endif /*G10_STATUS_H*/ From dshaw at jabberwocky.com Sun May 23 16:45:50 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Sun May 23 16:42:57 2004 Subject: Embedded filenames and --status-fd In-Reply-To: <20040523143512.GA13598@jabberwocky.com> References: <00ed01c440bc$be860520$0c02a8c0@de> <20040523143512.GA13598@jabberwocky.com> Message-ID: <20040523144550.GB13598@jabberwocky.com> On Sun, May 23, 2004 at 10:35:12AM -0400, David Shaw wrote: > Index: plaintext.c > =================================================================== > RCS file: /cvs/gnupg/gnupg/g10/plaintext.c,v > retrieving revision 1.39.2.9 > diff -u -r1.39.2.9 plaintext.c etc. I should add, by the way, that I haven't tested this code at all yet. It compiles, but that's it. Use at your own risk. The buffer may not even be big enough for the mode and timestamp. David From albrecht.dress at arcor.de Sun May 23 16:36:43 2004 From: albrecht.dress at arcor.de (Albrecht =?iso-8859-1?Q?Dre=DF?=) Date: Sun May 23 16:54:57 2004 Subject: [OT] pinentry 0.7.1 & Gtk+-2 Message-ID: <20040523143643.GA1078@antares.localdomain> Hi all, a while ago I hacked a patch to provide Gtk+-2 support for pinentry 0.7. Meanwhile pinentry 0.7.1 has been released as well as a new Gnome disto building on top of gtk+-2.4.x. I therefore hacked a new patch for this... If you are interested, please see http://home.arcor.de/dralbrecht.dress/GnuPG/Gtk2-Pinentry.html I use it for quite a while without problems, but I must admit that I would feel a lot better if some of you crypto gurus could have a look at it... As always, any feedback/comment is welcome! Cheers, Albrecht. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Albrecht Dre? - Johanna-Kirchner-Stra?e 13 - D-53123 Bonn (Germany) Phone (+49) 228 6199571 - mailto:albrecht.dress@arcor.de _________________________________________________________________________ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20040523/62bee333/attachment.bin From npcole at yahoo.co.uk Sun May 23 18:53:29 2004 From: npcole at yahoo.co.uk (=?iso-8859-1?q?Nicholas=20Cole?=) Date: Sun May 23 18:51:04 2004 Subject: multiple file signing oddness In-Reply-To: <20040523043420.GF22635@jabberwocky.com> Message-ID: <20040523165329.44494.qmail@web25006.mail.ukl.yahoo.com> --- David Shaw wrote: > Very interesting. That's not ideal since the syntax > that is used to > generate the sigfile should be usable to verify the > sigfile. > > Changing it in 1.2.x is not a good idea as it may > break some > assumptions and/or scripts, but I'll fix it for > 1.3.x. Dear David, Thanks for looking in to that. I am right that there is nothing in the signature itself to tell a recipient in which order the files were signed, am I? In that case should gpg 'search' for an order in which the files verify, or would that add too much overhead? Best, N. ____________________________________________________________ Yahoo! Messenger - Communicate instantly..."Ping" your friends today! Download Messenger Now http://uk.messenger.yahoo.com/download/index.html From dshaw at jabberwocky.com Sun May 23 20:15:35 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Mon May 24 00:07:58 2004 Subject: multiple file signing oddness In-Reply-To: <20040523165329.44494.qmail@web25006.mail.ukl.yahoo.com> References: <20040523043420.GF22635@jabberwocky.com> <20040523165329.44494.qmail@web25006.mail.ukl.yahoo.com> Message-ID: <20040523181535.GA16567@jabberwocky.com> On Sun, May 23, 2004 at 05:53:29PM +0100, Nicholas Cole wrote: > --- David Shaw wrote: > > Very interesting. That's not ideal since the syntax > > that is used to > > generate the sigfile should be usable to verify the > > sigfile. > > > > Changing it in 1.2.x is not a good idea as it may > > break some > > assumptions and/or scripts, but I'll fix it for > > 1.3.x. > > Dear David, > > Thanks for looking in to that. I am right that there > is nothing in the signature itself to tell a recipient > in which order the files were signed, am I? In that > case should gpg 'search' for an order in which the > files verify, or would that add too much overhead? It should definitely not search. When you sign multiple files that way, you are effectively signing the concatenation of the files. So if a.txt is "foo" and b.txt is "bar", and c.txt is "foobar": gpg --detach-sign a.txt b.txt is identical to: gpg --detach-sign c.txt If GnuPG searched for an answer, then checking the signature against b.txt & a.txt ("barfoo") would be valid, and it should not be. David From atom at suspicious.org Mon May 24 09:32:45 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Mon May 24 09:29:52 2004 Subject: feature request: --with-sigs Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 how about a '--with-sigs' option, of similar function to '--with-fingerprint'. thanks...! ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "The pride of dying rich raises the loudest laugh in hell." -- John W. Foster -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) Comment: What is this gibberish? - http://atom.smasher.org/links/#digital_signatures iEYEARECAAYFAkCxpSIACgkQnCgLvz19QeMiVwCfUlbKgzke0I3pL6WGue+xMosm tQAAoJO+jbS/n58tpp9RiwfuVDYpeNBn =x4E9 -----END PGP SIGNATURE----- From jerry.windrel at verizon.net Mon May 24 16:00:59 2004 From: jerry.windrel at verizon.net (Jerry Windrel) Date: Mon May 24 15:56:21 2004 Subject: Aw: Re: OpenPGP SMTP headers References: <6865142.1084948896626.JavaMail.ngmail@webmail06.arcor-online.net><200405190958.43693@fortytwo.ch> <20040522041951.GA13121@jabberwocky.com> Message-ID: <007c01c44197$8acf8720$6401a8c0@Windows> David, I saved the attachments from your email (ATT00109.dat and ATT00107.txt) and tried to verify the signature. This is what I got: C:\test>gpg -v ATT00109.dat gpg: armor header: Version: GnuPG v1.3.6-cvs (GNU/Linux) gpg: armor header: Comment: Key available at http://www.jabberwocky.com/david/ke ys.asc Detached signature. Please enter name of data file: ATT00107.txt gpg: Signature made 05/22/04 00:19:51 using DSA key ID 49E1CBC9 gpg: using secondary key 49E1CBC9 instead of primary key 99242560 gpg: BAD signature from "David M. Shaw " gpg: textmode signature, digest algorithm SHA1 From wk at gnupg.org Mon May 24 19:22:33 2004 From: wk at gnupg.org (Werner Koch) Date: Mon May 24 19:21:43 2004 Subject: Aw: Re: OpenPGP SMTP headers In-Reply-To: <007c01c44197$8acf8720$6401a8c0@Windows> (Jerry Windrel's message of "Mon, 24 May 2004 10:00:59 -0400") References: <6865142.1084948896626.JavaMail.ngmail@webmail06.arcor-online.net> <200405190958.43693@fortytwo.ch> <20040522041951.GA13121@jabberwocky.com> <007c01c44197$8acf8720$6401a8c0@Windows> Message-ID: <87d64tspt2.fsf@vigenere.g10code.de> On Mon, 24 May 2004 10:00:59 -0400, Jerry Windrel said: > I saved the attachments from your email (ATT00109.dat and ATT00107.txt) and > tried to verify the signature. This is what I got: When saving the attachment, make sure that you also save the header lines of the attachment, because they are part of the signed material. Werner From atom at suspicious.org Mon May 24 19:47:16 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Mon May 24 19:44:29 2004 Subject: signing a hash Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 are there any hacks to create a signature using the hash of a message, instead of feeding the message into gpg and letting gpg calculate the hash? in other words, if i want to sign the message: "test\n" can i just tell gpg to create a signature for a message that hashes to: 4e1243bd22c66e76c2ba9eddc1f91394e57f9f83 ??? would that be a difficult option to add? --sign-hash ?? ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "The Final Act of the Uruguay Round, marking the conclusion of the most ambitious trade negotiation of our century, will give birth - in Morocco - to the World Trade Organization, the third pillar of the New World Order, along with the United Nations and the International Monetary Fund." -- Part of full-page advertisement by the government of Morocco in The New York Times (April 1994) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) Comment: What is this gibberish? - http://atom.smasher.org/links/#digital_signatures iEYEARECAAYFAkCyNSoACgkQnCgLvz19QeMsyACdGoA0rJbjuJmWsL9qrLjUBAGo LHsAoKaV+aiFYYkU2VzH0XzQPoVt5sHp =jtjy -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Mon May 24 20:53:49 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Mon May 24 20:50:56 2004 Subject: signing a hash In-Reply-To: References: Message-ID: <20040524185349.GD26582@jabberwocky.com> On Mon, May 24, 2004 at 01:47:16PM -0400, Atom 'Smasher' wrote: > are there any hacks to create a signature using the hash of a message, > instead of feeding the message into gpg and letting gpg calculate the > hash? > > in other words, if i want to sign the message: "test\n" > can i just tell gpg to create a signature for a message that hashes to: > 4e1243bd22c66e76c2ba9eddc1f91394e57f9f83 > ??? > > would that be a difficult option to add? --sign-hash ?? Not terribly difficult. See the sign.c file. David From jerry.windrel at verizon.net Mon May 24 21:15:23 2004 From: jerry.windrel at verizon.net (Jerry Windrel) Date: Mon May 24 21:10:29 2004 Subject: Aw: Re: OpenPGP SMTP headers References: <6865142.1084948896626.JavaMail.ngmail@webmail06.arcor-online.net><200405190958.43693@fortytwo.ch><20040522041951.GA13121@jabberwocky.com><007c01c44197$8acf8720$6401a8c0@Windows> <87d64tspt2.fsf@vigenere.g10code.de> Message-ID: <004901c441c3$771c7b80$6401a8c0@Windows> Interesting... I finally did get it to verify but only by using the "Message Source" feature of OE (which is buried quite deeply in the UI). If I do a Ctrl-Shift-D on the whole message source (which actually contains a multipart/signed compound message inside a multipart/mixed compound message), it verifies properly. I experimented with selecting less and less of the message, and I found it would verify even if I just select from the beginning of the headers of the multipart/signed compound message to the "-----END PGP SIGNATURE-----" line. ----- Original Message ----- From: "Werner Koch" To: Sent: Monday, May 24, 2004 1:22 PM Subject: Re: Aw: Re: OpenPGP SMTP headers > On Mon, 24 May 2004 10:00:59 -0400, Jerry Windrel said: > > > I saved the attachments from your email (ATT00109.dat and ATT00107.txt) and > > tried to verify the signature. This is what I got: > > When saving the attachment, make sure that you also save the header > lines of the attachment, because they are part of the signed material. > > Werner > > > > _______________________________________________ > Gnupg-devel mailing list > Gnupg-devel@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-devel From Holger.Sesterhenn at smgwtest.aachen.utimaco.de Tue May 25 08:49:27 2004 From: Holger.Sesterhenn at smgwtest.aachen.utimaco.de (Holger Sesterhenn) Date: Fri May 28 10:01:53 2004 Subject: Aw: Re: OpenPGP SMTP headers In-Reply-To: <004901c441c3$771c7b80$6401a8c0@Windows> References: <6865142.1084948896626.JavaMail.ngmail@webmail06.arcor-online.net><200405190958.43693@fortytwo.ch><20040522041951.GA13121@jabberwocky.com><007c01c44197$8acf8720$6401a8c0@Windows> <87d64tspt2.fsf@vigenere.g10code.de> <004901c441c3$771c7b80$6401a8c0@Windows> Message-ID: <40B2EC77.8070407@smgwtest.aachen.utimaco.de> Hi, > I experimented with selecting less and less > of the message, and I found it would verify even if I just select from the > beginning of the headers of the multipart/signed compound message to the There are two things to mention: First, David uses PGP/MIME (RFC 3156) instead of the old (but most widespread) PGP/INLINE signatures (CLASSIC). All known OpenPGP plugins for OE just support the latter. Even the original PGP 8.x. Second, the mailing list software creates an envelope around the PGP/MIME message so it looks like "multipart/mixed" instead of "multipart/signed". There are some OpenPGP clients (like Enigmail) which try to detect this but its just experimental. I wouldn't call it a bug in the mailing list software ;-) -- Best Regards, Holger Sesterhenn --- http://www.utimaco.com From dshaw at jabberwocky.com Thu May 27 17:25:42 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Fri May 28 10:06:49 2004 Subject: 1.3.6 on SunOS 4 Message-ID: <20040527152542.GC26917@jabberwocky.com> If someone has a SunOS 4 box, I'd appreciate it if you could try and compile the new devel 1.3.6 release. It did not build cleanly on SunOS 4 (needing to add "ac_cv_sys_symbol_underscore=yes" in configure). I'd like to see if this release builds without the underscore command. David From albrecht.dress at arcor.de Sat May 29 19:27:40 2004 From: albrecht.dress at arcor.de (Albrecht =?iso-8859-1?Q?Dre=DF?=) Date: Sat Jun 5 11:13:40 2004 Subject: gpgme_op_edit?!? Message-ID: <20040529172740.GA1112@antares.localdomain> Hi all, I'm currently trying to port a Gnome keymanager app (seahorse) from gpgme 0.3 to gpgme 0.4.7, and I ran into the function gpgme_op_edit(). However, I can not find any documentation about it, although it's in the header file, and it's not marked as depracted. Now, where can I find the doc of the function? Tia, Albrecht. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Albrecht Dre? - Johanna-Kirchner-Stra?e 13 - D-53123 Bonn (Germany) Phone (+49) 228 6199571 - mailto:albrecht.dress@arcor.de _________________________________________________________________________ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20040529/e424f50b/attachment-0001.bin From jsogo at debian.org Sun May 30 14:42:45 2004 From: jsogo at debian.org (Jose Carlos Garcia Sogo) Date: Sat Jun 5 11:14:22 2004 Subject: gpgme_op_edit?!? In-Reply-To: <20040529172740.GA1112@antares.localdomain> References: <20040529172740.GA1112@antares.localdomain> Message-ID: <20040530124245.GE26468@jaimedelamo.eu.org> On Sat, May 29, 2004 at 07:27:40PM +0200, Albrecht Dre? wrote: > Hi all, > > I'm currently trying to port a Gnome keymanager app (seahorse) from gpgme > 0.3 to gpgme 0.4.7, and I ran into the function gpgme_op_edit(). However, > I can not find any documentation about it, although it's in the header > file, and it's not marked as depracted. I hope you're going to commit those changes to seahorse CVS. I haven't seen any message from you in seahorse-devel mailing list, though. -- Jose Carlos Garcia Sogo jsogo@debian.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : /pipermail/attachments/20040530/88767e6f/attachment-0001.bin From albrecht.dress at arcor.de Sun May 30 16:10:24 2004 From: albrecht.dress at arcor.de (Albrecht =?iso-8859-1?Q?Dre=DF?=) Date: Sat Jun 5 11:14:29 2004 Subject: gpgme_op_edit?!? In-Reply-To: <20040530124245.GE26468@jaimedelamo.eu.org> (from jsogo@debian.org on Son, Mai 30, 2004 at 14:42:45 +0200) References: <20040529172740.GA1112@antares.localdomain> <20040530124245.GE26468@jaimedelamo.eu.org> Message-ID: <20040530141024.GA1363@antares.localdomain> Am 30.05.04 14:42 schrieb(en) Jose Carlos Garcia Sogo: > I hope you're going to commit those changes to seahorse CVS. I haven't > seen any message from you in seahorse-devel mailing list, though. Sure I'll post the patch - this effort has been triggered by the note on the seahorse sf project page and a short exchange of messages with Jacob. I'll need some more days, though, although most of Seahorse already compiles even with "-Wall -Werror". Stay tuned... Cheers, Albrecht. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Albrecht Dre? - Johanna-Kirchner-Stra?e 13 - D-53123 Bonn (Germany) Phone (+49) 228 6199571 - mailto:albrecht.dress@arcor.de _________________________________________________________________________ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20040530/c9bc3226/attachment-0001.bin From dshaw at jabberwocky.com Mon May 31 03:38:02 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Jun 5 11:14:43 2004 Subject: How to use preferred keyservers Message-ID: <20040531013801.GA12978@jabberwocky.com> So now that 1.3.6 is out and people are playing with it, here's some info on preferred keyservers. There are actually two uses for preferred keyservers, but I'll cover the second use in a later mail. Remember that preferred keyservers is a new feature in 1.3.6. It does not exist in 1.2.x. The main idea behind preferred keyservers is that the key owner is often the best person to decide how their key is distributed. They thus set a preferred keyserver on the key, and anyone who wants to refresh the key can get it from there automatically. Obviously, since the preferred keyserver lives on the key itself, it doesn't help anyone get the key for the first time (it's a chicken-and-the-egg problem). To use it: gpg --edit-key (yourkey) keyserver (theurl) The preferred keyserver lives on the self-sig (along with the expiration time, preferences, etc), so you will need to type your passphrase so a new self-sig can be generated. Note that like the other data items that live on self-sigs, you can have a different preferred keyserver per user ID. The keyserver URL can point to a keyserver: hkp://subkeys.pgp.net ldap://keyserver.pgp.com or it can be a HTTP URL: http://www.jabberwocky.com/key.asc You can even point to CGIs on places like Biglumber: http://www.biglumber.com/x/web?pk=8B93F0C84A9E88B2CAB478DAA6112E1D14B0A058 It's fairly simple, but powerful. Once there is a preferred keyserver set, anyone who does --refresh-keys on your key will get it from the place you specified. There is a keyserver-option named "honor-keyserver-url" that turns this feature on and off. It is on by default. Caveats: * For various unfortunate reasons, some versions of PGP interpret "preferred keyserver" as "Yes, I understand PGP/MIME email". Not much we can do about that, but keep it in mind if you want a preferred keyserver and don't understand PGP/MIME mails. The PGP versions that do this are the "PGP Universal" product, so if your correspondents use regular PGP 8, there should be no problem. * There is a gotcha in that since the keyholder controls the keyserver URL, they can prevent people from revoking their signatures on the key by simply not updating their web page. Note also that a stolen key has a similar problem - the thief can try and prevent the real owner from revoking the key. There is no solution to this problem yet. David -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 250 bytes Desc: not available Url : /pipermail/attachments/20040530/23c6518d/attachment-0001.bin From jbglaw at lug-owl.de Mon May 31 10:53:26 2004 From: jbglaw at lug-owl.de (Jan-Benedict Glaw) Date: Sat Jun 5 11:14:46 2004 Subject: Public keyring gone... Message-ID: <20040531085326.GV20632@lug-owl.de> Hi! Maybe some of you remember that (quite some time ago) I reported something similar: I've seen my public keyring being deleted. In those days, I thought it was a locking problem (because I possibly had several gnupg instances running), but this time, I think it there was only one running, for sure. I assume the public keyring got deleted when I Ctrl-C'ed gpg (which I did at some time, when it took too long to verify an email, which may have been caused by the fact that my public keyring got quite hugh during the last months...). I haven't yet looked into sources, but I guess this happened during an aborted automatical import of a key. That's probably why I Ctrl-C'ed it at all... $ gpg --version gpg (GnuPG) 1.2.4 Copyright (C) 2003 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256 Compression: Uncompressed, ZIP, ZLIB, BZIP2 MfG, JBG -- Jan-Benedict Glaw jbglaw@lug-owl.de . +49-172-7608481 "Eine Freie Meinung in einem Freien Kopf | Gegen Zensur | Gegen Krieg fuer einen Freien Staat voll Freier B?rger" | im Internet! | im Irak! ret = do_actions((curr | FREE_SPEECH) & ~(NEW_COPYRIGHT_LAW | DRM | TCPA)); -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : /pipermail/attachments/20040531/78c02eb9/attachment-0001.bin From malte.gell at gmx.de Mon May 31 19:28:16 2004 From: malte.gell at gmx.de (Malte Gell) Date: Sat Jun 5 11:15:12 2004 Subject: How to use preferred keyservers In-Reply-To: <20040531013801.GA12978@jabberwocky.com> References: <20040531013801.GA12978@jabberwocky.com> Message-ID: <200405311927.14823.malte.gell@gmx.de> On Monday 31 May 2004 03:38, David Shaw wrote: > So now that 1.3.6 is out and people are playing with it, here's some > info on preferred keyservers. There are actually two uses for > preferred keyservers, but I'll cover the second use in a later mail. > Remember that preferred keyservers is a new feature in 1.3.6. It > does not exist in 1.2.x. > > The main idea behind preferred keyservers is that the key owner is > often the best person to decide how their key is distributed. They > thus set a preferred keyserver on the key, and anyone who wants to > refresh the key can get it from there automatically. Obviously, > since the preferred keyserver lives on the key itself, it doesn't > help anyone get the key for the first time (it's a > chicken-and-the-egg problem). This is really a nice feature, but can't it be expanded to fetching a key for the first time? With something like "gpg --keyserver http://homepage.foo/key.asc --recv-key 0x123456" ? I just saw that --list-options show-keyserver-urls works only together with --list-sigs, is this correct? Why not show such things as well with --list-key if someone only wants to see such information and not the whole list of signatures? IIRC the same applies as well to things like show-policy-url or notations which need --list-sigs and don't work with --list-key. Malte PS, gpg 1.3.6 really has some nice new features! From jack at netgate.net Wed May 26 05:36:52 2004 From: jack at netgate.net (Jack Repenning) Date: Sat Jun 5 11:15:45 2004 Subject: Bus Error on certain keys [Patch provided] Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 gpg --list-secret-keys --with-colons crashes (bus error). Seems to be related to one of my keys in particular. Maybe: if I do gpg --list-secret-keys --with-colons KeyID for every secret key ID, there's no problem. But if I let it walk the list of secret keys, it crashes at the same place every time. (Tried to check the archives first, but SF won't let me in ... perhaps because I just joined up because of this situation. Sorry if this has been discussed!) This is a big problem for me, because wrappers like GPGMail depend on the "--with-colons" feature. I have found a patch that makes it not crash. I found the patch by local inspection (the crashing line is using a pointer that's NULL; no other line in its block uses that pointer; I switched it to use the pointer everyone else does). But I don't follow the code well enough to understand the meaning of this change, and its effect on the output surprises me a bit (lines come out in different order, I only expected processing to not crash). Oddly, on my G4 TiBook with Panther (and the same keys), The problem does not occur. So I'm not real sure about this... Platform is OS 10.2.8 (iMac flat panel 833MHz, 1Gb RAM) gpg versions showing the problem: - - - 1.2.3 (latest download for Jaguar) - - - 1.2.4 (built it myself from ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.2.4.tar.gz) The patch: > diff -w -U10 g10/keylist.c~ g10/keylist.c - - --- g10/keylist.c~ Fri Oct 3 05:50:30 2003 +++ g10/keylist.c Mon May 24 21:17:49 2004 @@ -806,22 +806,22 @@ printf("%c", trustletter ); } printf(":%u:%d:%08lX%08lX:%s:%s:", nbits_from_pk( pk2 ), pk2->pubkey_algo, (ulong)keyid2[0],(ulong)keyid2[1], colon_datestr_from_pk( pk2 ), colon_strtime (pk2->expiredate) /* fixme: add LID and ownertrust here */ ); - - - if( pk->local_id ) /* use the local_id of the main key??? */ - - - printf("%lu", pk->local_id ); + if( pk2->local_id ) /* use the local_id of the main key??? */ + printf("%lu", pk2->local_id ); putchar(':'); putchar(':'); putchar(':'); putchar(':'); print_capabilities (pk2, NULL, NULL); putchar('\n'); if( fpr > 1 ) print_fingerprint( pk2, NULL, 0 ); if( opt.with_key_data ) print_key_data( pk2, keyid2 ); The symptoms: > g10/gpg --list-secret-keys --with-colons ... sec::1024:17:51F13EED3B82E870:1997-07-12::::Jack Repenning (Permanent DSS key) ::: uid:::::::::Jack Repenning : uid:::::::::Jack Repenning : uid:::::::::Jack Repenning : uid:::::::::At-work Jack: uid:::::::::Jack Repenning : uid:::::::::Thawte Freemail Member : uat:::::::::1 3321: uid:::::::::John Allan Repenning : uid:::::::::Jack Repenning (work DSS) : Bus error And yet: > g10/gpg --list-secret-keys --with-colons 51F13EED3B82E870 sec::1024:17:51F13EED3B82E870:1997-07-12::::Jack Repenning ::scSC: uid:::::::::Jack Repenning (work DSS) : uid:::::::::Jack Repenning (Permanent DSS key) : uid:::::::::Jack Repenning : uid:::::::::Jack Repenning : uid:::::::::Jack Repenning : uid:::::::::At-work Jack: uid:::::::::Jack Repenning : uat:::::::::1 3321: uid:::::::::John Allan Repenning : uid:::::::::Thawte Freemail Member : uid:::::::::Jack Repenning : After the patch: ... sec::1024:17:51F13EED3B82E870:1997-07-12::::Jack Repenning (Permanent DSS key) ::: uid:::::::::Jack Repenning : uid:::::::::Jack Repenning : uid:::::::::Jack Repenning : uid:::::::::At-work Jack: uid:::::::::Jack Repenning : uid:::::::::Thawte Freemail Member : uat:::::::::1 3321: uid:::::::::John Allan Repenning : uid:::::::::Jack Repenning (work DSS) : sub:i:2048:16:A5EF280B1A877C4F:1997-07-12::::::: sub:i:3072:16:D895FC426A299E29:2000-02-18::::::: ... What gdb has to say about the matter: ... sec::1024:17:51F13EED3B82E870:1997-07-12::::Jack Repenning (Permanent DSS key) ::: uid:::::::::Jack Repenning : uid:::::::::Jack Repenning : uid:::::::::Jack Repenning : uid:::::::::At-work Jack: uid:::::::::Jack Repenning : uid:::::::::Thawte Freemail Member : uat:::::::::1 3321: uid:::::::::John Allan Repenning : uid:::::::::Jack Repenning (work DSS) : Program received signal EXC_BAD_ACCESS, Could not access memory. list_keyblock_colon (keyblock=0x2280e0, secret=536643, fpr=0) at keylist.c:816 816 if( pk->local_id ) /* use the local_id of the main key??? */ (gdb) where #0 list_keyblock_colon (keyblock=0x2280e0, secret=536643, fpr=0) at keylist.c:816 #1 0x0002719c in list_all (secret=2259792) at keylist.c:225 #2 0x0002719c in list_all (secret=1) at keylist.c:225 #3 0x00006820 in main (argc=0, argv=0xbffffc54) at g10.c:2360 #4 0x00002078 in _start (argc=3, argv=0xbffffc48, envp=0xbffffc58) at /SourceCache/Csu/Csu-45/crt.c:267 #5 0x00001ef8 in start () <>< Jack Repenning And the next thing you know, you're sucking down Darjeeling with Marie Antoinette and her little sister! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (Darwin) Comment: GPG-encrypted email preferred iD8DBQFAtBDdfnZDrTsQK+gRAuPyAKCUuiWdcgyMyMy0MKxVcu8krGdeHACdFtDU Y4OWVfPCIpXTjzm8KZKjqbs= =5Vnr -----END PGP SIGNATURE----- From taylor at candd.org Mon May 31 07:16:19 2004 From: taylor at candd.org (David Taylor) Date: Sat Jun 5 11:15:55 2004 Subject: gpg --gen-key and empty passphrase Message-ID: <200405310516.BAA10940@houston.candd.org> I ran gpg --gen-key and took the defaults for questions that had defaults. When it asked for a pass phrase, I didn't have one pre-selected, so I figured what-they-heck, it's a laptop, no one has access but me, I'll make it empty and set it to something better in a day or two. So, I pressed twice. And everything appeared to be successful -- until I tried to change the passphrase few days later. All operations that I have tried that require the passphrase fail. I have tried control-j, control-m, and control-@ (null), and a couple of other possibilities. But, alas, none worked. So, when asked for a passphrase by gpg --gen-key if you press , what passphrase does it use? BTW, the problem is repeatable. Thanks. David -- David Taylor