From markus_kampkoetter@t-online.de Tue Apr 1 00:08:02 2003 From: markus_kampkoetter@t-online.de (markus_kampkoetter) Date: Mon Mar 31 23:08:02 2003 Subject: OT References: <200303301053.39038.engage@n0sq.net> Message-ID: <1906Wb-0DqUgjC@fwd02.sul.t-online.com> > I don't know if the gnupg.org website was hacked but I have to state that > such emotional political statements have no business on such a website. i would have liked to be told what you are talking about, its just easier this way (don t worry, i informed myself meanwhile). > Such statements have nothing to do with the GnuPG product. Let's keep things > professional. good idea! but unfortunately there are no NO WAR PROFESSIONALS (even not gandhi) but to be serious: some of the statements that refer to a NO WAR banner and a quotation of mr. gandhi (both of it timeless) reflect on anti-u.s.-feelings abroad and political correctness in the web very emotionally. we should take this seriously. this effect not only is due to its cause (the banner and the quote). if we engage in this discussion more emotionally than in a fundamental opposition to war then something very strange is happening. markus there are two kinds of good men: the dead and the unborn. chinese saying From markus_kampkoetter@t-online.de Tue Apr 1 00:33:01 2003 From: markus_kampkoetter@t-online.de (markus_kampkoetter) Date: Mon Mar 31 23:33:01 2003 Subject: OT References: <0D3BC21D7A74D411981400508B6C76F8A1580D@nne-nt-esweb> Message-ID: <1906ut-02Bq9wC@fwd07.sul.t-online.com> James R. Hendrick schrieb: > I hate to step in this one, because there are excellent points on both > sides. However, I must make a point where I make a distinction between > professionalism and indifference. I may or may not agree with what is posted > on the GnuPG site (or on an Oracle site, or on a Sun or Microsoft site). > Would you feel the same way if GnuPG had an American flag supporting our > troops, but also wishing for an end to the war? personally i am not very fond of flaggs (of course except the yellow-black of my favorite football team), there is a risk of nationalism in it that is different from patriotism. > In my opinion, these expressions have little to do with their > professionalism in the creation, distribution or support of a product. If > you feel your clients will be offended by your recommendation of GnuPG, I > hope you (and they) will understand that this expression is perhaps more > open and forward than some found on other sites, but should not reflect on > you or on the product. In fact it is these freedoms that America has (and > continues to) fight for. the problem seems to be what the u.s. are doing at the moment. hardly anybody in the entire world believes it is freedom they are fighting for. > Sincerely hoping that the War will end and all brave and innocent people > will be allowed to return to their families, and that those families will be > allowed to live in peace and freedom. i do not doubt your sincerety (does this word exist?) but what makes the discussion being confrontative sometimes and people feeling helpless is that we all know for sure that your wish will not come true (except for the end of the war). that makes me angry as hell (not about you). > Jim Hendrick respect markus > > -----Original Message----- > > From: BConley@checkfree.com [mailto:BConley@checkfree.com] > > Sent: Monday, March 31, 2003 12:27 PM > > To: gnupg-users@gnupg.org > > Subject: Re: OT > > Let's not forget, GnuPG is used commercially as well as > > privately. I work > > for a company that does business with a large number of other large > > companies and we recently began recommending GnuPG as an > > alternative to > > commercial PGP products. In our eyes as well as theirs, > > GnuPG is very > > much a product, just as PGP is a product, and I find it > > distasteful at > > best to direct clients of ours to gnupg.org to be confronted with an > > anti-war political statement. These clients are people, some > > of whom may > > have loved ones involved in the conflict in Iraq, and because > > we referred > > them to the site, it is a direct reflection on us. We should > > not have to > > provide a disclaimer to our clients that they may be exposed > > to political > > statements that may be offensive to them. Like it or not, > > the commercial > > use of this product does place a burden of professionalism on the > > developers of gnupg. Frankly, if I had known that this type of > > politicization would come with GnuPG, I never would have > > implemented it in > > our organization. > > Burns > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > - --- engage wrote: > > > I don't know if the gnupg.org website was hacked but I have to > > state that > > > such > > > emotional political statements have no business on such a > > website. Such > > > statements have nothing to do with the GnuPG product. Let's keep > > things > > > professional. > > > > > If it were a "product", that would be true. But, it's not a > > product. It's volunteer work done to preserve a source of good > > opensource software. I think that people who give away the results > > of their own hard work, don't need to apologize for using their > > soapbox for other things once in awhile. > > > > Randy > > -----BEGIN PGP SIGNATURE----- > > Comment: Randy Burns - 0x2CECAE1F > > > > iD8DBQE+h1BghNLaTSzsrh8RAuG7AJ0QCyhLWqKl9CYSt6dwH+d/afRuAACgxLQP > > YDiNxQp0Tekez942AArZIs4= > > -----END PGP SIGNATURE----- -- markus kampkoetter From jc@lysator.liu.se Tue Apr 1 00:34:01 2003 From: jc@lysator.liu.se (Jorgen Cederlof) Date: Mon Mar 31 23:34:01 2003 Subject: Announce: Web of trust statistics and pathfinder (Wotsap) In-Reply-To: References: <20030327173550.GA24399@pyret> Message-ID: <20030331213527.GA7801@ondska> --YiEDa0DAkWCtVeE4 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable (Sorry for the late reply. My main computer died from hardware failure last friday, so I had to secure another one.) On Sat, Mar 29, 2003 at 23:11:12 +0100, Michael Nahrath wrote: > Very nice!=20 Thank you! > Dont you have any reaction by a keyserver admin yet to give you a > feed of 500 kByte? Yes, actually, I just got an offer for a feed. > One little thing the pathfinder doesn't do right yet: It doesn't > notice if a UID is revoked. You are probably right. I'll look into this next week when I get my regular computer back. > Or is it this you mean by "No attempt is made to verify the > signatures."? No, that just means I trust the keyservers, and don't verify the signatures using gpg locally. People shouldn't need to trust me either, so it doesn't make much difference. :) J=F6rgen --YiEDa0DAkWCtVeE4 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+iLSfATxQg+jIDDQRAoP8AJ0ROMXpzvyQmur80gqM1uHticDQFwCgnUNZ MiwTaRcA7Cns+PXQPjbj3Fw= =nv2V -----END PGP SIGNATURE----- --YiEDa0DAkWCtVeE4-- From douglist@anize.org Tue Apr 1 00:56:01 2003 From: douglist@anize.org (Douglas F. Calvert) Date: Mon Mar 31 23:56:01 2003 Subject: on topic (was: OT) In-Reply-To: <20030331110103.GA4508@pit.ID-43118.user.dfncis.de> References: <200303301053.39038.engage@n0sq.net> <20030331110103.GA4508@pit.ID-43118.user.dfncis.de> Message-ID: <1049147803.20463.1440.camel@liberate.anize.org> On Mon, 2003-03-31 at 06:01, Gregor Zattler wrote: > GnuPG and "PGP: public encryption for the masses" projects clearly > state their motivation rooted in civil rights movement. So the > anti war statement on the GnuPG WebSite has much to do with the > GnuPG product. Let's keep things professional: Engage in anti war > movement. > Let's keep things rational: Engage in the human rights movement. War is a neccessary evil, this war might not be a neccessary war but there are times when politics must be carried out by other means. Blanket, unequivocal statements like no war are frivolous and do nothing to furthur the intellectual discourse... -- Douglas F. Calvert From k.raven@freenet.de Tue Apr 1 00:57:02 2003 From: k.raven@freenet.de (Kai Raven) Date: Mon Mar 31 23:57:02 2003 Subject: GPA problems In-Reply-To: <20030331180320.GA28685@mycroft> References: <20030331180116.72d9091d.k.raven@freenet.de> <20030331180320.GA28685@mycroft> Message-ID: <20030331235851.50d377c9.k.raven@freenet.de> Hello Miguel, On Mon, 31 Mar 2003 20:03:20 +0200 you wrote: > > i have tried to compile GPA 5.6.1 with Mandrake 9.1. > > That's 0.6.1 :-) Yes :) > GPA is trying to use GPGME 0.3.x. If you compiled 0.4.0 from source, > it'll be installed in /usr/local/, so you should pass configure > --with-gpgme-prefix=/usr/local I have compiled both versions from source, GPGME 0.3.X resides in /usr/local/, 0.4.0 in /usr/. configure with GPA: checking for gpgme-config... /usr/bin/gpgme-config checking for GPGME - version >= 0.4.0... yes Ciao Kai -- Gegen den US Angriffskrieg: http://kai.iks-jena.de/ GPG-Key: 0x60F3882F / 0x76C65282 ICQ:146714798 From agreene@pobox.com Tue Apr 1 01:43:01 2003 From: agreene@pobox.com (Anthony E. Greene) Date: Tue Apr 1 00:43:01 2003 Subject: OT In-Reply-To: <1906ut-02Bq9wC@fwd07.sul.t-online.com> References: <0D3BC21D7A74D411981400508B6C76F8A1580D@nne-nt-esweb> <1906ut-02Bq9wC@fwd07.sul.t-online.com> Message-ID: <3E88C52E.609@pobox.com> Discussions about world events that are not related to privacy and encryption should be taken off-list. Thank You, Tony -- Anthony E. Greene OpenPGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26 C484 A42A 60DD 6C94 239D AOL/Yahoo Chat: TonyG05 HomePage: Linux. The choice of a GNU generation. From BConley@checkfree.com Tue Apr 1 01:48:01 2003 From: BConley@checkfree.com (BConley@checkfree.com) Date: Tue Apr 1 00:48:01 2003 Subject: OT Message-ID: My point has nothing to do with my personal opinion on the Iraq war or any other war...I'm just trying to serve our clients without offending them. As quoted from the gnupg.org website itself, " ``Free software'' does not mean ``non-commercial''. A free program must be available for commercial use, commercial development, and commercial distribution." I'm not disputing anyone's right to say what they want to say, but the point is, GnuPG is being described as a commercial software, it's purported as being a "full replacement for PGP", that is compared to PGP in many ways on this site. That being said, in my opinion claiming the "hey this is free, it's open source, we can say whatever we want" argument seems a bit disingenuous. Maxine Brandt cc: Sent by: Subject: Re: OT gnupg-users-admin @gnupg.org 03/31/2003 03:01 PM -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Monday, March 31, 2003 12:27 PM BConley > In our eyes as well as theirs, GnuPG is verymuch a product, just as > PGP is a product, and I find it distasteful atbest to direct clients > of ours to gnupg.org to be confronted with an anti-war political > statement. These clients are people, some of whom may have loved > ones involved in the conflict in Iraq, and becausewe referred them to > the site, it is a direct reflection on us. > If I had loved ones involved in this dirty mess I would be praying that this war is stopped, not finding it distasteful that others feel the same. And a second point: "No War" - this one or any other - is not a political statement; it's an ethical statement. Peace Maxine Brandt - -- ========================================================= My PGP keys are at: http://www.torduninja.tk ========================================================= -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1-nr1 (Windows 2000) - GPGshell v2.70 Comment: My keys are at http://www.torduninja.tk iD8DBQE+iJ3AKBY/R6nbCcARAkN8AJ40+LXg1Cxvho0r/O5wMOD0O3gQwwCfcASc 0fNgqijsPwZ4DHKbf4e8ZaE= -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From ninjaforce@netcourrier.com Tue Apr 1 02:24:01 2003 From: ninjaforce@netcourrier.com (Maxine Brandt) Date: Tue Apr 1 01:24:01 2003 Subject: OT Message-ID: <3E88CDB1.1010600@netcourrier.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 wiggins@danconia.org wiggins@danconia.org wrote on Mon Mar 31 22:56:02 2003 > > > > If I had loved ones involved in this dirty mess I would be praying > > that this war is stopped, not finding it distasteful that others >> feel the same. > > > > But possibly if you had loved ones in Iraq living under the conditions > put in place by the current regime you might be praying the war > continued, or that it started sooner. > No. I would be praying for another solution. > > And a second point: "No War" - this one or any other - is not > > a political statement; it's an ethical statement. > > In its truest meaning you are correct, but the statement wasn't made > before the current events, and if the war was over, it would not be > there any longer (granted this is an assumption as well, but a fairly > safe one). There are plenty of ethical statements that could have > been made before the war started, or should be made all the time, but > the fact that they weren't being made (because that isn't what the > site is for) is an indication that now that this one is being made, it > is political rather than ethical. Where was the ethical statement > before the war about how the regime was treating the people of iraq? > OK let's be precise. Whether the "No war" message was meant as a political or an ethical statement, only the site owner can say. But the message as it is is an ethical statement. albeit in a highly-charged political context. But it's just such a context that pushes someone to make clear their ethical beliefs. You say these statements should have been made before the war started. They were, not on the GnuPG home page but in massive anti-war demonstrations around the world, and there was the hope that the issue could have been resolved in the UN Security Council. And let's be precise about the holy mission of the US to liberate these poor Irakis. It was never an issue put forward until there were massive anti-war demonstrations around the world, including the US and UK. The issue was disarming Irak of any remaining arms of mass destruction. Now we're at the hour of body counts and the losses among Iraki civilians are far higher than among the US and UK troops. Peace, Maxine Brandt - -- ========================================================= My PGP keys are at: http://www.torduninja.tk ========================================================= -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1-nr1 (Windows 2000) - GPGshell v2.70 Comment: My keys are at http://www.torduninja.tk iD8DBQE+iM2CKBY/R6nbCcARAopRAJ9E+7RBIsbzhnXIM1dFvhv2g+Rl2QCdFWZ4 zJKsQm18lEZssdQgK/BZWtU= =ChHA -----END PGP SIGNATURE----- From wiggins@danconia.org Tue Apr 1 03:10:01 2003 From: wiggins@danconia.org (Wiggins d'Anconia) Date: Tue Apr 1 02:10:01 2003 Subject: OT In-Reply-To: <3E88C52E.609@pobox.com> References: <0D3BC21D7A74D411981400508B6C76F8A1580D@nne-nt-esweb> <1906ut-02Bq9wC@fwd07.sul.t-online.com> <3E88C52E.609@pobox.com> Message-ID: <3E88D8BA.6010607@danconia.org> Anthony E. Greene wrote: > Discussions about world events that are not related to privacy and > encryption should be taken off-list. > That I think was the very point of the original post. The post was not about pro or anti war, it was about the inappropriateness of making such statements on a website about privacy and encryption. If the discussion doesn't belong on the list, then the same conclusion must be drawn about the image on the site right? As soon as the image was added, it became a reasonable topic for this list.......... http://danconia.org From mehdy@yecc.net Tue Apr 1 11:13:02 2003 From: mehdy@yecc.net (mehdy) Date: Tue Apr 1 10:13:02 2003 Subject: Unsubscribe me from this list. Message-ID: <3E8949E5.4080805@yecc.net> From FrankYip@octopuscards.com Tue Apr 1 12:31:01 2003 From: FrankYip@octopuscards.com (Frank Yip) Date: Tue Apr 1 11:31:01 2003 Subject: Unsubsribe me from this list Message-ID: From johanw@vulcan.xs4all.nl Tue Apr 1 13:11:01 2003 From: johanw@vulcan.xs4all.nl (Johan Wevers) Date: Tue Apr 1 12:11:01 2003 Subject: OT In-Reply-To: from "BConley@checkfree.com" at "Mar 31, 2003 05:48:56 pm" Message-ID: <200303312352.BAA01831@vulcan.xs4all.nl> BConley@checkfree.com wrote: > My point has nothing to do with my personal opinion on the Iraq war or any > other war...I'm just trying to serve our clients without offending them. The maintainer of the GnuPG site seems not to care about offending people who take offence by this. That is his choice. People who are _offended_ by this have very long toes. You can't make everybody happy. BTW, disagreeing with it is not the same as being offended by it. > As quoted from the gnupg.org website itself, " ``Free software'' does not > mean ``non-commercial''. A free program must be available for commercial > use, commercial development, and commercial distribution." So? Does a no war banner prevent this in any way? Maybe some people choose not to use GnuPG because of this, but that's their choice. But AFAIK GnuPG is still usable for any of these purposes. > That being said, in my opinion claiming the "hey this is free, it's open > source, we can say whatever we want" argument seems a bit disingenuous. If you're selling the software you can also say what you want. Perhaps it will cost you some customers, perhaps it wil gain some. But that's your choice. Anyway, since GnuPG is not sold it won't cost or gain the developers any money. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From agreene@pobox.com Tue Apr 1 14:56:02 2003 From: agreene@pobox.com (Anthony E. Greene) Date: Tue Apr 1 13:56:02 2003 Subject: OT In-Reply-To: <"from wiggins"@danconia.org> References: <0D3BC21D7A74D411981400508B6C76F8A1580D@nne-nt-esweb> <1906ut-02Bq9wC@fwd07.sul.t-online.com> <3E88C52E.609@pobox.com> <3E88D8BA.6010607@danconia.org> Message-ID: <20030401065559.B4300@cp5340.hyatsv01.md.comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 31-Mar-2003/19:09 -0500, Wiggins d'Anconia wrote: >Anthony E. Greene wrote: >> Discussions about world events that are not related to privacy and >> encryption should be taken off-list. >> > >That I think was the very point of the original post. > >The post was not about pro or anti war, it was about the >inappropriateness of making such statements on a website about privacy >and encryption. If the discussion doesn't belong on the list, then the >same conclusion must be drawn about the image on the site right? As >soon as the image was added, it became a reasonable topic for this >list.......... I disagree. It became a legitimate matter to discuss with the web site owner/maintainer. Now that the list members have been informed about the change to the site, they have the opportunity to contact the web site maintainer directly. I intend to do so. I recommend the same for anyone else who has comments to make. The list members cannot change the site, the site maintainer can. Tony - -- Anthony E. Greene OpenPGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26 C484 A42A 60DD 6C94 239D AOL/Yahoo Messenger: TonyG05 HomePage: Linux. The choice of a GNU generation -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Anthony E. Greene 0x6C94239D iD8DBQE+iX5CpCpg3WyUI50RAvy2AKDoSJgnovVjzLS2cNxMw82nrA59QQCeMRyt XFNi0MvwoVFkAjPoj7+TxnQ= =AXjW -----END PGP SIGNATURE----- From mcoca@gnu.org Tue Apr 1 20:54:01 2003 From: mcoca@gnu.org (Miguel Coca) Date: Tue Apr 1 19:54:01 2003 Subject: GPA problems In-Reply-To: <20030331235851.50d377c9.k.raven@freenet.de> References: <20030331180116.72d9091d.k.raven@freenet.de> <20030331180320.GA28685@mycroft> <20030331235851.50d377c9.k.raven@freenet.de> Message-ID: <20030401175515.GA16451@mycroft> --AqsLC8rIMeq19msA Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Mar 31, 2003 at 23:58:51 +0200, Kai Raven wrote: > Hello Miguel, Hi, > > GPA is trying to use GPGME 0.3.x. If you compiled 0.4.0 from source, > > it'll be installed in /usr/local/, so you should pass configure >=20 > I have compiled both versions from source, GPGME 0.3.X resides in > /usr/local/, 0.4.0 in /usr/. > configure with GPA: > checking for gpgme-config... /usr/bin/gpgme-config > checking for GPGME - version >=3D 0.4.0... yes =46rom the original error message, it looks like GPA is trying to use the hack I put in for GPGME 0.4.1 support. Is there any chance that your gpgme version string is not 0.4.0 precisely? You can run "/usr/bin/gpgme-config --version" to make sure. Anyway, it can be fixed by adding: #define GPGME_VERSION_0_4_0 1 Either in config.h or somewhere in verifydlg.c. That should fix it. Thanks, --=20 Miguel Coca (mcoca@gnu.org) http://zipi.fi.upm.es/~e970095/ OpenPGP: E60A CBF4 5C6F 914E B6C1 C402 8C4D C7B6 27FC 3CA8 --AqsLC8rIMeq19msA Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+idKDjE3Htif8PKgRAiBAAJ9sZ0enVmBZFsBI+sfSCjJK4ezF4gCfY6Z7 hD+uQKJlV1K3sP8+EZQ0hc8= =/rMr -----END PGP SIGNATURE----- --AqsLC8rIMeq19msA-- From bminton@efn.org Tue Apr 1 21:25:02 2003 From: bminton@efn.org (Brian Minton) Date: Tue Apr 1 20:25:02 2003 Subject: [william@meetup.com: OpenPGP Meetup Day is happening!] Message-ID: <20030401182557.GA16298@bminton.dyn.cheapnet.net> --qtZFehHsKgwS5rPz Content-Type: multipart/mixed; boundary="St7VIuEGZ6dlpu13" Content-Disposition: inline --St7VIuEGZ6dlpu13 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable This is a great opportunity to get together and have a keysigning party... --=20 Brian Minton | OpenPGP fingerprint: =20 brian@minton.name | 81BE 3A84 A502 ABDD B2CC http://brian.minton.name | 4BFD 7227 8820 5703 7472 =20 Live long, and prosper longer! KeyID: 0x57037472 --St7VIuEGZ6dlpu13 Content-Type: message/rfc822 Content-Disposition: inline Return-path: Envelope-to: minton@dawgchain.at Delivery-date: Tue, 01 Apr 2003 12:16:05 -0500 Received: from pcp02833706pcs.anaprd01.md.comcast.net ([68.84.14.121] helo=localhost ident=nullidentd) by bminton.dyn.cheapnet.net with esmtp (Exim 3.36 #1 (Debian)) id 190PMi-00049Q-01 for ; Tue, 01 Apr 2003 12:16:04 -0500 Delivered-To: minton@math.smsu.edu Received: from math.smsu.edu [146.7.45.198] by localhost with IMAP (fetchmail-6.2.1) for minton@dawgchain.at (single-drop); Tue, 01 Apr 2003 12:16:04 -0500 (EST) Received: (qmail 26544 invoked from network); 1 Apr 2003 16:36:06 -0000 Received: from clavin.efn.org (66.178.136.10) by math.smsu.edu with SMTP; 1 Apr 2003 16:36:06 -0000 Received: from mail.meetup.com (mail.meetup.com [209.61.191.196]) by clavin.efn.org (8.11.6/8.11.6) with ESMTP id h31GYrF10548 for ; Tue, 1 Apr 2003 08:34:54 -0800 (PST) Received: from will (46.mufm.nycm.n54ny06r18.dsl.att.net [12.103.204.46]) by mail.meetup.com (Postfix) with ESMTP id 9C6EC7700EF for ; Tue, 1 Apr 2003 11:34:52 -0500 (EST) Message-ID: <005701c2f86c$05de3400$a200a8c0@meetup.com> From: "William Finkel" To: Subject: OpenPGP Meetup Day is happening! Date: Tue, 1 Apr 2003 11:30:35 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 X-Bogosity: No, tests=bogofilter, spamicity=3.16e-11, version=0.11.1.5 Hi, This is William from Meetup. I wanted to let you know that your topic submission for an OpenPGP Meetup is now live. It may have been several weeks since you submitted this, and I need to apologize for the delay. We launched with six people and were immediately overwhelmed from all directions. We're trying our best, so thanks for your patience. The first OpenPGP Meetup is Saturday, April 26th at 4 pm (and the 4th Saturday of every month). For details, see: http://OpenPGP.meetup.com/ Let's get this off to a great start! In our experience with Meetups, we've found two things make for a successful Meetup. 1) Good Venues. We've tried to get the best possible venues, but we're not perfect (yet). If there are any problems with the venues slotted for any OpenPGP Meetup, email me and we'll make changes right away. 2) Bigger groups make better Meetups. Our users have told us meeting 3 other people is great, and meeting 6 is even better. If you have a site and would like to spread the word about OpenPGP Meetup Day, we've made some links you can find here: http://OpenPGP.meetup.com/link.jsp . If you know other OpenPGP Programmers, you can invite them along here: http://OpenPGP.meetup.com/tellafriend.jsp And finally, if you know of any sites, lists, groups, or discussion boards where we can help get the word out, please let me know and we'll do our best to make this a great thing. Please let me know of any questions, comments, or suggestions for us. Thanks for the suggestion! William ______________________ William Finkel Meetup www.meetup.com william@meetup.com --St7VIuEGZ6dlpu13-- --qtZFehHsKgwS5rPz Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+idm1cieIIFcDdHIRAm4KAKDC2qrJnNhuF2qvS0kGcvvCamqarACePAxF nkV3+bhrZzLKlzTnKRMHgng= =QQyJ -----END PGP SIGNATURE----- --qtZFehHsKgwS5rPz-- From fabian.rodriguez@toxik.com Tue Apr 1 22:23:01 2003 From: fabian.rodriguez@toxik.com (Toxik - Fabian Rodriguez) Date: Tue Apr 1 21:23:01 2003 Subject: [william@meetup.com: OpenPGP Meetup Day is happening!] In-Reply-To: <20030401182557.GA16298@bminton.dyn.cheapnet.net> Message-ID: On Tue, 01 Apr 2003 13:25:57 -0500 Brian Minton wrote: >This is a great opportunity to get together and have a >keysigning party... Hi Brian! I got the same message myself... we must have been a bunch to suggest that :) Glad to see there's now another way to expand the web of trust. Cheers, Fabián Rodríguez Toxik Technologies Inc. From k.raven@freenet.de Tue Apr 1 22:38:01 2003 From: k.raven@freenet.de (Kai Raven) Date: Tue Apr 1 21:38:01 2003 Subject: GPA problems In-Reply-To: <20030401175515.GA16451@mycroft> References: <20030331180116.72d9091d.k.raven@freenet.de> <20030331180320.GA28685@mycroft> <20030331235851.50d377c9.k.raven@freenet.de> <20030401175515.GA16451@mycroft> Message-ID: <20030401213903.09f129ee.k.raven@freenet.de> Hello Miguel, On Tue, 1 Apr 2003 19:55:15 +0200 you wrote: > From the original error message, it looks like GPA is trying to use > the hack I put in for GPGME 0.4.1 support. Is there any chance that > your gpgme version string is not 0.4.0 precisely? You can run > "/usr/bin/gpgme-config --version" to make sure. Output: $ /usr/bin/gpgme-config --version 0.4.0 > Anyway, it can be fixed by adding: > > #define GPGME_VERSION_0_4_0 1 > > Either in config.h or somewhere in verifydlg.c. That should fix it. In config.h it *is* #define GPGME_VERSION_0_4_0 1 I have added #define GPGME_VERSION_0_4_0 1 in verifydlg.c: #define GPGME_VERSION_0_4_0 1 /* Verify */ #if GPGME_VERSION_0_4_0 err = gpgme_op_verify (ctx, sig, signed_text, plain_text, &stat); #else err = gpgme_op_verify (ctx, sig, signed_text, plain_text); #endif error message: verifydlg.c: In function `verify_file': verifydlg.c:134: warning: passing arg 4 of `gpgme_op_verify' from incompatible pointer type verifydlg.c:134: too many arguments to function `gpgme_op_verify' make[2]: *** [verifydlg.o] Fehler 1 make[2]: Leaving directory `/home/hiro/tmp/gpa-0.6.1/src' make[1]: *** [all-recursive] Fehler 1 make[1]: Leaving directory `/home/hiro/tmp/gpa-0.6.1' make: *** [all] Fehler 2 Ciao Kai -- Gegen den US Angriffskrieg: http://kai.iks-jena.de/ GPG-Key: 0x60F3882F / 0x76C65282 ICQ:146714798 From Jim_Hendrick@KEANE-NNE.com Tue Apr 1 23:32:02 2003 From: Jim_Hendrick@KEANE-NNE.com (James R. Hendrick) Date: Tue Apr 1 22:32:02 2003 Subject: Securing Secret Keys Message-ID: <0D3BC21D7A74D411981400508B6C76F8A15818@nne-nt-esweb> You should be able to "wipe" the disk area with some tool. I also thought about using gnupg to encrypt the file (to yourself so no one else could access it), but I'm not sure if this correctly does a multi-pass wipe of the original disk area. PGP has the option to "wipe" a file that supposedly does something like what you ask for. Can anyone comment on whether gnupg can do this? otherwise you could hope for some disasterous accident to befall the disk prior to your leaving... oh, and all the backup tapes too... > -----Original Message----- > From: Brad Tilley [mailto:bradtilley@usa.net] > Sent: Thursday, March 27, 2003 8:02 AM > To: gnupg-users@gnupg.org > Subject: Securing Secret Keys > > > Hello, > > I'm changing jobs, and I'll be leaving my old Linux > workstation for a new one > at another company. What is the proper way to remove my keys > from the old > machine? I don't want my private key to become suspect... > I've had it for > several years now. > > Thanks, > Brad > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From mcoca@gnu.org Wed Apr 2 01:01:02 2003 From: mcoca@gnu.org (Miguel Coca) Date: Wed Apr 2 00:01:02 2003 Subject: GPA problems In-Reply-To: <20030401213903.09f129ee.k.raven@freenet.de> References: <20030331180116.72d9091d.k.raven@freenet.de> <20030331180320.GA28685@mycroft> <20030331235851.50d377c9.k.raven@freenet.de> <20030401175515.GA16451@mycroft> <20030401213903.09f129ee.k.raven@freenet.de> Message-ID: <20030401220210.GA17600@mycroft> --fUYQa+Pmc3FrFX/N Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Apr 01, 2003 at 21:39:03 +0200, Kai Raven wrote: >=20 > Hello Miguel, Hi, > On Tue, 1 Apr 2003 19:55:15 +0200 you wrote: >=20 > > From the original error message, it looks like GPA is trying to use > > the hack I put in for GPGME 0.4.1 support. Is there any chance that > > your gpgme version string is not 0.4.0 precisely? You can run > > "/usr/bin/gpgme-config --version" to make sure. >=20 > Output: > $ /usr/bin/gpgme-config --version > 0.4.0 Ok. > in verifydlg.c: >=20 > #define GPGME_VERSION_0_4_0 1 > /* Verify */ > #if GPGME_VERSION_0_4_0 > err =3D gpgme_op_verify (ctx, sig, signed_text, plain_text, &stat); > #else > err =3D gpgme_op_verify (ctx, sig, signed_text, plain_text); > #endif >=20 > error message: >=20 > verifydlg.c: In function `verify_file': > verifydlg.c:134: warning: passing arg 4 of `gpgme_op_verify' from > incompatible pointer type verifydlg.c:134: too many arguments to > function `gpgme_op_verify' make[2]: *** [verifydlg.o] Fehler 1 Sorry, I must be slow today. The gpgme_op_verify prototype has changed several times, and I forget which is which :-) The only option left is that gpgme is confusing the 0.3 and 0.4 headers. Probably in the include search order /usr/local/include comes before /usr/include, so you are getting the 0.3 gpgme.h no matter what. As a workaround, move away /usr/local/include/gpgme.h for compiling GPA, and everything should be allright (I hope) :-) Hope this helps, --=20 Miguel Coca (mcoca@gnu.org) http://zipi.fi.upm.es/~e970095/ OpenPGP: E60A CBF4 5C6F 914E B6C1 C402 8C4D C7B6 27FC 3CA8 --fUYQa+Pmc3FrFX/N Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+igxijE3Htif8PKgRAio7AJ94x0/dQfxFCZn03SIIcPR3X2598ACfYX2B a/S+lW1YW6PoWa+gE9qhBA8= =DFJI -----END PGP SIGNATURE----- --fUYQa+Pmc3FrFX/N-- From k.raven@freenet.de Wed Apr 2 02:22:01 2003 From: k.raven@freenet.de (Kai Raven) Date: Wed Apr 2 01:22:01 2003 Subject: GPA problems In-Reply-To: <20030401220210.GA17600@mycroft> References: <20030331180116.72d9091d.k.raven@freenet.de> <20030331180320.GA28685@mycroft> <20030331235851.50d377c9.k.raven@freenet.de> <20030401175515.GA16451@mycroft> <20030401213903.09f129ee.k.raven@freenet.de> <20030401220210.GA17600@mycroft> Message-ID: <20030402012304.65524754.k.raven@freenet.de> Hi Miguel, On Wed, 2 Apr 2003 00:02:10 +0200 you wrote: > Sorry, I must be slow today. The gpgme_op_verify prototype has changed > several times, and I forget which is which :-) no problem :) > The only option left is that gpgme is confusing the 0.3 and 0.4 > headers. Probably in the include search order /usr/local/include comes > before /usr/include, so you are getting the 0.3 gpgme.h no matter > what. it seems so > As a workaround, move away /usr/local/include/gpgme.h for compiling > GPA, and everything should be allright (I hope) :-) Thx very much for your help and hints, now GPA is working :o)) One question for further compilations: So it isn't necessary to modify the source but to move the GPME 0.3 header file? Ciao Kai -- Gegen den US Angriffskrieg: http://kai.iks-jena.de/ GPG-Key: 0x60F3882F / 0x76C65282 ICQ:146714798 From malte_gell@t-online.de Wed Apr 2 04:39:01 2003 From: malte_gell@t-online.de (Malte Gell) Date: Wed Apr 2 03:39:01 2003 Subject: simplifying the use of --throw-keyid option Message-ID: <200304020340.00256.malte_gell@t-online.de> --Boundary-02=_w9ji+4e08M2CyHF Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline Hi, if one gets a message encrypted with the --throw-keyid option the=20 receiver's GnuPG has to try all available secret keys and this can be a=20 bit annoying if one has several secret keys. So, wouldn't it be a nice idea to have a new option "--encrypted-with"=20 to simplify this ? I get a message from person X and I know, that he uses my key Y and if=20 there would be such an option I just had to type "gpg -d=20 =2D-encrypted-with Y" instead of GnuPG having to go through all keys.=20 Just and idea... Malte --Boundary-02=_w9ji+4e08M2CyHF Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iEYEABEDAAYFAj6KP3AACgkQGzg12gD8wBbiNQCgkvLj5UhECpAG/t/i5N0vG2dv +ysAnjAKiMnyZWfwxt16t5NLPioZcviQ =YrWw -----END PGP SIGNATURE----- --Boundary-02=_w9ji+4e08M2CyHF-- From wk@gnupg.org Wed Apr 2 11:10:02 2003 From: wk@gnupg.org (Werner Koch) Date: Wed Apr 2 10:10:02 2003 Subject: OT In-Reply-To: <20030401065559.B4300@cp5340.hyatsv01.md.comcast.net> ("Anthony E. Greene"'s message of "Tue, 01 Apr 2003 06:55:59 -0500") References: <0D3BC21D7A74D411981400508B6C76F8A1580D@nne-nt-esweb> <1906ut-02Bq9wC@fwd07.sul.t-online.com> <3E88C52E.609@pobox.com> <3E88D8BA.6010607@danconia.org> <20030401065559.B4300@cp5340.hyatsv01.md.comcast.net> Message-ID: <874r5h2ubc.fsf@alberti.g10code.de> On Tue, 01 Apr 2003 06:55:59 -0500, Anthony E Greene said: > they have the opportunity to contact the web site maintainer directly. I > intend to do so. I recommend the same for anyone else who has comments to > make. The list members cannot change the site, the site maintainer can. Please send only to the gpgweb-devel ML. I can't answer all personal mail. I don't indent to remove the banner or the quote. If I would do so, I would not only remove the banner but black out the entire web site (like www.gnu-darwin.org). Salam-Shalom, Werner -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From dshaw@jabberwocky.com Wed Apr 2 16:43:03 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Wed Apr 2 15:43:03 2003 Subject: simplifying the use of --throw-keyid option In-Reply-To: <200304020340.00256.malte_gell@t-online.de> References: <200304020340.00256.malte_gell@t-online.de> Message-ID: <20030402134356.GE2873@jabberwocky.com> --h31gzZEtNLTqOjlF Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Apr 02, 2003 at 03:39:35AM +0200, Malte Gell wrote: > if one gets a message encrypted with the --throw-keyid option the=20 > receiver's GnuPG has to try all available secret keys and this can be a= =20 > bit annoying if one has several secret keys. > So, wouldn't it be a nice idea to have a new option "--encrypted-with"=20 > to simplify this ? The development branch has better handling of such messages. Instead of prompting for each secret key, it prompts for a single passphrase and tries it against all keys. This will be in 1.4. David --h31gzZEtNLTqOjlF Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+iukc4mZch0nhy8kRApx0AKDZxtJk12q5Hv2sEf5vYSXvIyiBAQCggSzN AS+ZIVbnk6BIhXtXYzPL+Kc= =0dWx -----END PGP SIGNATURE----- --h31gzZEtNLTqOjlF-- From laramaelee@cox.net Wed Apr 2 22:55:02 2003 From: laramaelee@cox.net (laramaelee@cox.net) Date: Wed Apr 2 21:55:02 2003 Subject: default algorithms in gpg 1.0.6 Message-ID: <20030402195530.OCNW4514.lakemtao07.cox.net@smtp.central.cox.net> Hi, I've been trying to determine what the default cipher (symmetric key) and hash algorithm for version 1.0.6. I looked into the gpg man pages and the GNU Privacy Handbook and haven't been able to find anything yet. I'm researching for a school project and appreciate any input. Thanks! From markus_kampkoetter@t-online.de Wed Apr 2 23:25:12 2003 From: markus_kampkoetter@t-online.de (markus_kampkoetter) Date: Wed Apr 2 22:25:12 2003 Subject: OT References: <0D3BC21D7A74D411981400508B6C76F8A1580D@nne-nt-esweb> <1906ut-02Bq9wC@fwd07.sul.t-online.com> <3E88C52E.609@pobox.com> <3E88D8BA.6010607@danconia.org> <20030401065559.B4300@cp5340.hyatsv01.md.comcast.net> <874r5h2ubc.fsf@alberti.g10code.de> Message-ID: <190onw-1cYfsPC@fwd05.sul.t-online.com> hi list, i have been thinking about whether modern war is related to this lists theme or not. if gpg is software to ensure that the information you get is reliable (in many aspects and besides other functionality) and we assume that the information we get about modern wars through our mass media is NOT reliable then discussions about modern war are not off topic. Werner Koch schrieb: > On Tue, 01 Apr 2003 06:55:59 -0500, Anthony E Greene said: > > > they have the opportunity to contact the web site maintainer directly. I > > intend to do so. I recommend the same for anyone else who has comments to > > make. The list members cannot change the site, the site maintainer can. > > Please send only to the gpgweb-devel ML. I can't answer all personal > mail. > > I don't intent to remove the banner or the quote. If I would do so, I > would not only remove the banner but black out the entire web site > (like www.gnu-darwin.org). this would be another way of protesting. as far as i understood the discussion the point was NOT to protest on a project site if the protests objective is off topic the project. (to be true: personally i find this to be a hypercritic discussion) > Salam-Shalom, > > Werner keep your spirit werner > -- > Nonviolence is the greatest force at the disposal of > mankind. It is mightier than the mightiest weapon of > destruction devised by the ingenuity of man. -Gandhi just in case: cc me, i am not subscribed to gpgweb-devel ML -- markus kampkoetter praxis für chinesische medizin soesterstr. 42 d-48155 münster www.ChinesischeMedizin-online.de From mike.campbell@oracle.com Thu Apr 3 00:00:07 2003 From: mike.campbell@oracle.com (Mike Campbell) Date: Wed Apr 2 23:00:07 2003 Subject: adduid questions Message-ID: <3E8B4F43.9010202@oracle.com> I'm new to GnuPG and trying to setup my private/public key. I have 2 email addresses that I would like to add to the key. I used 'gpg --gen-key' to generate the first uid and that works fine. I then used 'gpg --edit-key' and 'adduid' to add a 2nd email address to the key. This also completed just fine. However, the problem is that I can't figure out how to select which email address to sign/encrypt outgoing email. In some cases I want to sign/encrypt with my work key and in others using my home key. How do I do this or am I just totally off base? -- ------------------------------------------------------------------------ Mike Campbell Technical Specialist Email: Mike.Campbell@oracle.com Oracle Corporation From dshaw@jabberwocky.com Thu Apr 3 01:15:01 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Thu Apr 3 00:15:01 2003 Subject: default algorithms in gpg 1.0.6 In-Reply-To: <20030402195530.OCNW4514.lakemtao07.cox.net@smtp.central.cox.net> References: <20030402195530.OCNW4514.lakemtao07.cox.net@smtp.central.cox.net> Message-ID: <20030402221549.GG2873@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Apr 02, 2003 at 02:55:32PM -0500, laramaelee@cox.net wrote: > Hi, I've been trying to determine what the default cipher (symmetric > key) and hash algorithm for version 1.0.6. I looked into the gpg > man pages and the GNU Privacy Handbook and haven't been able to find > anything yet. I'm researching for a school project and appreciate > any input. It's a difficult question since the cipher can change depending on the recipient. For example, if the recipient requests CAST5, it'll be CAST5. If there is a conflict between recipients, it'll be resolved as best as possible. If the conflict cannot be resolved, it'll be 3DES. The hash is a little easier: in 1.0.6, it's SHA-1 unless the signing key is a PGP 2.x key. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+i2EV4mZch0nhy8kRAsmuAKCfYknvPtCzZT74kYuYyCGcn+9aJwCfcXZ7 t4lkjS/F3eLr46lbiW9lWvY= =sZUs -----END PGP SIGNATURE----- From agreene@pobox.com Thu Apr 3 01:36:02 2003 From: agreene@pobox.com (Anthony E. Greene) Date: Thu Apr 3 00:36:02 2003 Subject: OT In-Reply-To: <190onw-1cYfsPC@fwd05.sul.t-online.com> References: <0D3BC21D7A74D411981400508B6C76F8A1580D@nne-nt-esweb> <1906ut-02Bq9wC@fwd07.sul.t-online.com> <3E88C52E.609@pobox.com> <3E88D8BA.6010607@danconia.org> <20030401065559.B4300@cp5340.hyatsv01.md.comcast.net> <874r5h2ubc.fsf@alberti.g10code.de> <190onw-1cYfsPC@fwd05.sul.t-online.com> Message-ID: <3E8B6686.3090700@pobox.com> markus_kampkoetter wrote: >i have been thinking about whether modern war is related to this lists >theme or not. if gpg is software to ensure that the information you get >is reliable (in many aspects and besides other functionality) I am going to respond on the assumption that you mean the gnupg-users list, since that is where this thread started (you put gnupg-users in the Cc header). Your comments support this assumption (you commented about the list, not the web site). Your first assumption is faulty. OpenPGP (and GnuPG) only help to provide a tamper-evident function for data. In other words, a clearsigned statement that "Up is the same as Down" will validate just as well as a clearsigned statement that "Up is the opposite of Down". The use of GnuPG only ensures that it is clear that the data has or has not been tampered with since the time that the signer signed it. It has no function in verifying the correctness or reliability of the information conveyed by that data. >and we assume that the information we get about modern wars through >our mass media is NOT reliable This assumption is at least unprovable. For one thing, the terms are not defined well enough (How much error is allowed before information is "unreliable"? How do you measure error?). Besides that, you are still talking about information, when GnuPG deals with data, not information. (To convert data into information, you must apply interpretation and derive meaning. Data can be accurate, but meaningless until it is turned into information. In this context, GnuPG can provide confidence that data is unchanged, but it has nothing to say about the information conveyed.) >then discussions about modern war are not off topic. A conclusion based on faulty assumptions. If you oppose the war, fine. Just please do not pretend that discussions of the war are on-topic for the gnupg-users mailing list. They're not. I have my own position on the war, and on many other issues. I express those opinions in forums where those opinions are relevant. In this forum, I express opinions about GnuPG, OpenPGP, and some related security and privacy issues. Those issues are "on-topic". My (sometimes very strong) opinions about other topics are expressed elsewhere. I respectfully request that you, and others who feel like you, respect the purpose of this particular forum, and stay on-topic. If you would like to debate the war, I will join you in some other forum, prefereably private email, but probably in any forum appropriate to discussions about the war. Whatever, you decide about issuing that invitation, this is really not the place for that debate, no matter how strongly people feel about it. Strong feelings do not convert an off-topic issue into an on-topic issue. Tony -- Anthony E. Greene OpenPGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26 C484 A42A 60DD 6C94 239D AOL/Yahoo Chat: TonyG05 HomePage: Linux. The choice of a GNU generation. ************************************************************************* Ordinarily I would clearsign a message like this, but my secret key is not immediately available. A clearsigned copy of this message will be posted at: http://www.pobox.com/~agreene/msg-gnupg-users-list-20030402T171000.txt ************************************************************************* From johanw@vulcan.xs4all.nl Thu Apr 3 02:30:01 2003 From: johanw@vulcan.xs4all.nl (Johan Wevers) Date: Thu Apr 3 01:30:01 2003 Subject: simplifying the use of --throw-keyid option In-Reply-To: <20030402134356.GE2873@jabberwocky.com> from David Shaw at "Apr 2, 2003 08:43:56 am" Message-ID: <200304022243.AAA00587@vulcan.xs4all.nl> David Shaw wrote: > The development branch has better handling of such messages. Instead > of prompting for each secret key, it prompts for a single passphrase > and tries it against all keys. This will be in 1.4. And what happens if you have 2 secret keys with the same passphrase and the first key that is tried with that passphrase is not the one the message is encrypted to? Are the other keys then still tried? -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From dshaw@jabberwocky.com Thu Apr 3 03:27:11 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Thu Apr 3 02:27:11 2003 Subject: adduid questions In-Reply-To: <3E8B4F43.9010202@oracle.com> References: <3E8B4F43.9010202@oracle.com> Message-ID: <20030403002759.GH2873@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Apr 02, 2003 at 02:59:47PM -0600, Mike Campbell wrote: > I'm new to GnuPG and trying to setup my private/public key. > > I have 2 email addresses that I would like to add to the key. I used > 'gpg --gen-key' to generate the first uid and that works fine. I then > used 'gpg --edit-key' and 'adduid' to add a 2nd email address to the > key. This also completed just fine. > > However, the problem is that I can't figure out how to select which > email address to sign/encrypt outgoing email. > > In some cases I want to sign/encrypt with my work key and in others > using my home key. > > How do I do this or am I just totally off base? If I understand your email properly, you have a single key with two email addresses (work and home). In this case, it doesn't matter which email address you use - they'll end up pointing to the same key. If you have two actual different keys, then you can select which key to use with the -u command line option. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+i4AP4mZch0nhy8kRAs7EAKDbm18DTnCMwUu47xHwJpLZovxrvwCeOROd j/zVvTex/Sgoyb4dThgO+Dw= =UZxX -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Thu Apr 3 03:31:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Thu Apr 3 02:31:02 2003 Subject: simplifying the use of --throw-keyid option In-Reply-To: <200304022243.AAA00587@vulcan.xs4all.nl> References: <20030402134356.GE2873@jabberwocky.com> <200304022243.AAA00587@vulcan.xs4all.nl> Message-ID: <20030403003119.GI2873@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, Apr 03, 2003 at 12:43:48AM +0200, Johan Wevers wrote: > David Shaw wrote: > > > The development branch has better handling of such messages. Instead > > of prompting for each secret key, it prompts for a single passphrase > > and tries it against all keys. This will be in 1.4. > > And what happens if you have 2 secret keys with the same passphrase and the > first key that is tried with that passphrase is not the one the message is > encrypted to? Are the other keys then still tried? All keys are tried until one successfully decrypts the message. In the example you give, even though an earlier secret key has the same passphrase, GnuPG will continue processing until it hits the right key. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+i4DW4mZch0nhy8kRApUBAJ4tMtO8IIQUyFPw398s4It7d0BZ3QCghjOb LJExnUV92yEkgHSQMeIgB9A= =fowb -----END PGP SIGNATURE----- From Todd Thu Apr 3 04:17:02 2003 From: Todd (Todd) Date: Thu Apr 3 03:17:02 2003 Subject: simplifying the use of --throw-keyid option In-Reply-To: <20030402134356.GE2873@jabberwocky.com> References: <200304020340.00256.malte_gell@t-online.de> <20030402134356.GE2873@jabberwocky.com> Message-ID: <20030403011740.GD11007@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw wrote: > On Wed, Apr 02, 2003 at 03:39:35AM +0200, Malte Gell wrote: > >> if one gets a message encrypted with the --throw-keyid option the >> receiver's GnuPG has to try all available secret keys and this can be a >> bit annoying if one has several secret keys. >> So, wouldn't it be a nice idea to have a new option "--encrypted-with" >> to simplify this ? > > The development branch has better handling of such messages. Instead > of prompting for each secret key, it prompts for a single passphrase > and tries it against all keys. This will be in 1.4. Pardon me for asking a question when I know very little about the subject, but why not display the key for which gpg is asking for a passphrase? I'm thinking of what ssh does, using key based authentication, it will prompt you something like: Enter passphrase for key '/home/user/.ssh/id_rsa': Could that be done for gpg when it's trying your various secret keys? Obviously, it would use either the keyid or some other identifier in place of the file path as ssh uses. - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ============================================================================ Why does a slight tax increase cost you two hundred dollars and a substantial tax cut save you thirty cents? -- Peg Bracken -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iD8DBQE+i4u0uv+09NZUB1oRAq04AKDaBNqgoz816e1ohRIecjxfgPFBEQCcDGBd 54P+mLwVU73kmtKWTIoml4w= =hpP1 -----END PGP SIGNATURE----- From dgc@uchicago.edu Thu Apr 3 07:17:01 2003 From: dgc@uchicago.edu (David Champion) Date: Thu Apr 3 06:17:01 2003 Subject: simplifying the use of --throw-keyid option In-Reply-To: <20030403003119.GI2873@jabberwocky.com> References: <20030402134356.GE2873@jabberwocky.com> <200304022243.AAA00587@vulcan.xs4all.nl> <20030403003119.GI2873@jabberwocky.com> Message-ID: <20030403041807.GP12963@dust.uchicago.edu> * On 2003.04.02, in <20030403003119.GI2873@jabberwocky.com>, * "David Shaw" wrote: > > All keys are tried until one successfully decrypts the message. In > the example you give, even though an earlier secret key has the same > passphrase, GnuPG will continue processing until it hits the right > key. Nonetheless, would it work out to make the -u option specify, say, the first key to try? It might make the operation faster, if nothing else, although I'm not sure how many people process messages with thrown key IDs in bulk. But the help text for -u suggests that this should work, so perhaps it's not out of scope. -- -D. dgc@uchicago.edu NSIT University of Chicago "The whole thrust of the text adventure was one picture was worth a thousand words and we would rather give you the thousand words." - Dave Lebling, Implementor From dshaw@jabberwocky.com Thu Apr 3 08:14:01 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Thu Apr 3 07:14:01 2003 Subject: simplifying the use of --throw-keyid option In-Reply-To: <20030403011740.GD11007@psilocybe.teonanacatl.org> References: <200304020340.00256.malte_gell@t-online.de> <20030402134356.GE2873@jabberwocky.com> <20030403011740.GD11007@psilocybe.teonanacatl.org> Message-ID: <20030403051510.GL2873@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Apr 02, 2003 at 08:17:41PM -0500, Todd wrote: > David Shaw wrote: > > On Wed, Apr 02, 2003 at 03:39:35AM +0200, Malte Gell wrote: > > > >> if one gets a message encrypted with the --throw-keyid option the > >> receiver's GnuPG has to try all available secret keys and this can be a > >> bit annoying if one has several secret keys. > >> So, wouldn't it be a nice idea to have a new option "--encrypted-with" > >> to simplify this ? > > > > The development branch has better handling of such messages. Instead > > of prompting for each secret key, it prompts for a single passphrase > > and tries it against all keys. This will be in 1.4. > > Pardon me for asking a question when I know very little about the subject, > but why not display the key for which gpg is asking for a passphrase? I'm > thinking of what ssh does, using key based authentication, it will prompt > you something like: > > Enter passphrase for key '/home/user/.ssh/id_rsa': > > Could that be done for gpg when it's trying your various secret keys? > Obviously, it would use either the keyid or some other identifier in place > of the file path as ssh uses. That is what GnuPG currently does. The problem with this method is that when decrypting a message with a thrown (hidden) keyid, the user must type the passphrase for every single key. For users with more then one secret key, this is annoying. The new system asks for a passphrase once, and then tries each secret key with that passphrase. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+i8Ne4mZch0nhy8kRAuEUAJ9sOXSxFE/YjOZYrI3FMe6/8zXV6wCcD6Wv 2WKWV2pOWkQ9gewIFlqymyE= =bANS -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Thu Apr 3 08:22:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Thu Apr 3 07:22:02 2003 Subject: simplifying the use of --throw-keyid option In-Reply-To: <20030403041807.GP12963@dust.uchicago.edu> References: <20030402134356.GE2873@jabberwocky.com> <200304022243.AAA00587@vulcan.xs4all.nl> <20030403003119.GI2873@jabberwocky.com> <20030403041807.GP12963@dust.uchicago.edu> Message-ID: <20030403052237.GM2873@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Apr 02, 2003 at 10:18:07PM -0600, David Champion wrote: > * On 2003.04.02, in <20030403003119.GI2873@jabberwocky.com>, > * "David Shaw" wrote: > > > > All keys are tried until one successfully decrypts the message. In > > the example you give, even though an earlier secret key has the same > > passphrase, GnuPG will continue processing until it hits the right > > key. > > Nonetheless, would it work out to make the -u option specify, say, the > first key to try? It might make the operation faster, if nothing else, > although I'm not sure how many people process messages with thrown key > IDs in bulk. But the help text for -u suggests that this should work, so > perhaps it's not out of scope. Part of the point of thrown keyids is that the local user can't know which secret key to decrypt with. They'd have to try every key manually, which defeats the point of using -u for a speed improvement. Even assuming the local user happens to know via whatever means which secret key to use, unless the user has a massive number of secret keys to try, there is no real advantage to this. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+i8Ud4mZch0nhy8kRAgS3AJ9ao1XXtrPePR0XxrtwhMi+NO1BYwCghZ3I nJQkVRA/T5ASJ6C3KfR5b2c= =Yc7e -----END PGP SIGNATURE----- From dgc@uchicago.edu Thu Apr 3 08:58:02 2003 From: dgc@uchicago.edu (David Champion) Date: Thu Apr 3 07:58:02 2003 Subject: simplifying the use of --throw-keyid option In-Reply-To: <20030403052237.GM2873@jabberwocky.com> References: <20030402134356.GE2873@jabberwocky.com> <200304022243.AAA00587@vulcan.xs4all.nl> <20030403003119.GI2873@jabberwocky.com> <20030403041807.GP12963@dust.uchicago.edu> <20030403052237.GM2873@jabberwocky.com> Message-ID: <20030403055853.GR12963@dust.uchicago.edu> * On 2003.04.02, in <20030403052237.GM2873@jabberwocky.com>, * "David Shaw" wrote: > > Part of the point of thrown keyids is that the local user can't know > which secret key to decrypt with. They'd have to try every key > manually, which defeats the point of using -u for a speed improvement. Yes, but the hypothesis in the initial post was that the recipient knew or suspected the key ID out-of-channel -- which is a wholly plausible hypothesis. > Even assuming the local user happens to know via whatever means which > secret key to use, unless the user has a massive number of secret keys > to try, there is no real advantage to this. I happen to have 9 secret keys on my current keyring. If I were to decrypt a lot of message with thrown key IDs, all in one shot -- say I'm searching for something in my mailbox, and I get a lot of messages from a particular person who throws IDs when sending to me -- that actually could be significant computational savings. I don't think this is useful in the common case, I only suggested it for the rather rarer case of bulk processing, because it seemed like a small change that was already suggested by the documentation. -- -D. dgc@uchicago.edu NSIT University of Chicago "The whole thrust of the text adventure was one picture was worth a thousand words and we would rather give you the thousand words." - Dave Lebling, Implementor From dshaw@jabberwocky.com Thu Apr 3 17:42:03 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Thu Apr 3 16:42:03 2003 Subject: simplifying the use of --throw-keyid option In-Reply-To: <20030403055853.GR12963@dust.uchicago.edu> References: <20030402134356.GE2873@jabberwocky.com> <200304022243.AAA00587@vulcan.xs4all.nl> <20030403003119.GI2873@jabberwocky.com> <20030403041807.GP12963@dust.uchicago.edu> <20030403052237.GM2873@jabberwocky.com> <20030403055853.GR12963@dust.uchicago.edu> Message-ID: <20030403144228.GN2873@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Apr 02, 2003 at 11:58:53PM -0600, David Champion wrote: > > Even assuming the local user happens to know via whatever means which > > secret key to use, unless the user has a massive number of secret keys > > to try, there is no real advantage to this. > > I happen to have 9 secret keys on my current keyring. If I were to > decrypt a lot of message with thrown key IDs, all in one shot -- say I'm > searching for something in my mailbox, and I get a lot of messages from > a particular person who throws IDs when sending to me -- that actually > could be significant computational savings. I have 63 secret keys on my current keyring, and that's the ring I used to test the feature ;) The check to see whether a given key is the right one is actually extremely quick. I'm not completely against the idea, but I am reluctant to add extra complexity for something this obscure. Nobody is saying "add this, because I'm having a problem without it". If it came to pass that this was an actual problem for people someday, it would be a different story. I'm also not sure that -u would be the appropriate option here, since - -u is designed and documented to work in an options file, which would make thrown keyid messages more or less unusable in those cases unless the -u value happened to match the key in use. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+jEhU4mZch0nhy8kRAiXBAJ4/toR0amOCX04SI3Pvid5xjY7UkwCdHcCA j99Phh2nSRv4TbWHiwXK84E= =hmX1 -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Thu Apr 3 19:11:03 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Thu Apr 3 18:11:03 2003 Subject: HKP and firewalls In-Reply-To: <200303292254.08491.linux@codehelp.co.uk> References: <200303292254.08491.linux@codehelp.co.uk> Message-ID: <20030403161156.GO2873@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, Mar 29, 2003 at 10:54:05PM +0000, Neil Williams wrote: > I've had recent problems with a new ISDN router that doesn't use a > particularly easy firewall setup. All other outgoing internet connections are > fine (HTTP,POP,SMTP,SSH,FTP,DNS etc) and the firewall appears to be dropping > other packets as expected - it's a basic deny-all firewall with no internet > services available. > > However, I cannot get a reply from any keyservers using --recv-keys. I can > send to keyservers fine (and I can test that the keyserver received the > update using an SSH connection to a remote server with GPG installed) and I > can receive all keys IF I use a dial-up modem connection instead of the > router, so I can't see that it is a problem with ~/.gnup/options. > > I've tried opening port 11371 but I get very confusing results. Once in a > while (and only once each time) I can get a single key through - as if it has > been cached somewhere - but the other 99 times gpg just waits and waits and > waits. e.g. output > $ gpg --verbose --verbose --keyserver pgp.mit.edu --recv-keys 0x28BCB3E3 > gpg: requesting key 28BCB3E3 from HKP keyserver pgp.mit.edu > gpg: armor: BEGIN PGP PUBLIC KEY BLOCK > gpg: armor header: Version: PGP Key Server 0.9.5 > > I also use keyserver.linux.it > > My basic problem is that the router doesn't use the familiar iptables format > and doesn't provide a full listing of the traffic. I can't tell where the > packets are being dropped. I've tried using IP addresses for the keyservers > and using hkp://pgp.mit.edu etc. > > Does HKP only use port 11371? (Could it be trying to send data back to a > different port?) > > The router is a D-Link DI-304 I'm not familiar with that particular router, but I can give you some general information that will hopefully help you. HKP is HTTP underneath it all. The only thing unusual about it is that it runs on port 11371. If there is a general "HTTP" configuration for your firewall, try that, and allow it on port 11371. If that isn't possible for whatever reason, you might look around for a HKP keyserver that runs on port 80 (for this exact reason - firewalls). Ask on the pgp-keyserver-folk @ flame.org list, and I'm sure someone there can suggest a server to use. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+jF1M4mZch0nhy8kRAuFIAJ4zK3eJ0A/7Ofjj5YvsG74unu6NQQCcCrmF mL6FO93TDtFbzTRVNxVaxtA= =ajfg -----END PGP SIGNATURE----- From dgc@uchicago.edu Thu Apr 3 21:19:01 2003 From: dgc@uchicago.edu (David Champion) Date: Thu Apr 3 20:19:01 2003 Subject: simplifying the use of --throw-keyid option In-Reply-To: <20030403144228.GN2873@jabberwocky.com> References: <20030402134356.GE2873@jabberwocky.com> <200304022243.AAA00587@vulcan.xs4all.nl> <20030403003119.GI2873@jabberwocky.com> <20030403041807.GP12963@dust.uchicago.edu> <20030403052237.GM2873@jabberwocky.com> <20030403055853.GR12963@dust.uchicago.edu> <20030403144228.GN2873@jabberwocky.com> Message-ID: <20030403181944.GS12963@dust.uchicago.edu> * On 2003.04.03, in <20030403144228.GN2873@jabberwocky.com>, * "David Shaw" wrote: > > I have 63 secret keys on my current keyring, and that's the ring I > used to test the feature ;) The check to see whether a given key is > the right one is actually extremely quick. Ah, ok -- unfamiliar with the specifics of 2440, I thought it must take as long as decrypting the whole message, and then some. But I can imagine that's not necessary. > I'm not completely against the idea, but I am reluctant to add extra > complexity for something this obscure. Nobody is saying "add this, > because I'm having a problem without it". If it came to pass that > this was an actual problem for people someday, it would be a different > story. Fair enough. > I'm also not sure that -u would be the appropriate option here, since > -u is designed and documented to work in an options file, which would > make thrown keyid messages more or less unusable in those cases unless > the -u value happened to match the key in use. I wondered whether that might be a problem. In this case, then, would it be appropriate to change the help text associated with -u? It currently says "use this user-id to sign or decrypt", but it sounds like that user-id is *never* used to decrypt. Or is there another case where a user can profitably specify the decryption key? -- -D. dgc@uchicago.edu NSIT University of Chicago "The whole thrust of the text adventure was one picture was worth a thousand words and we would rather give you the thousand words." - Dave Lebling, Implementor From gr@eclipsed.net Thu Apr 3 22:55:01 2003 From: gr@eclipsed.net (gabriel rosenkoetter) Date: Thu Apr 3 21:55:01 2003 Subject: False insecure memory warnings... Message-ID: <20030403195550.GB15782@uriel.eclipsed.net> --cmJC7u66zC7hs+87 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable After some discussion with David Shaw recently, I've broken down, admitted that my public keyring is really just huge and than having a cron job to maintain it is really pretty reasonable. So I've been blowing along happily with this in cron: 0 8 * * 1-5 zsh -c 'time gpg --no --batch --check-trustdb' (Yes, I really do want zsh's time output, thanks.) That was well and good till several days ago, when I started getting this: gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information gpg: checking at depth 0 signed=3D49 ot(-/q/n/m/f/u)=3D0/0/0/0/0/1 gpg: checking at depth 1 signed=3D82 ot(-/q/n/m/f/u)=3D0/0/0/19/30/0 gpg: checking at depth 2 signed=3D286 ot(-/q/n/m/f/u)=3D1/0/0/69/5/0 gpg: checking at depth 3 signed=3D178 ot(-/q/n/m/f/u)=3D1/74/0/21/0/0 gpg: next trustdb check due at 2003-04-16 gpg --no --batch --check-trustdb 14.57s user 11.03s system 60% cpu 42.328 = total Only but my gpg(1) really is suid, I promise: uriel:~% which gpg /usr/pkg/bin/gpg uriel:~% ls -l `!!` ls -l `which gpg` -r-sr-xr-x 1 root wheel 684660 Feb 27 07:27 /usr/pkg/bin/gpg* uriel:~% gpg --version gpg (GnuPG) 1.2.1 Copyright (C) 2002 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, TIGER192 Compress: Uncompressed, ZIP, ZLIB I believe that this warning started popping up without any change in gpg's version. It's *possible* that it coincided with my upgrading that system from NetBSD 1.5.3_ALPHA to 1.6.1_RC2. So perhaps relinking gpg would be enough? Is it *possible* to get the insecure memory warning not because your gpg binary lacks the suid bit but because the syscall mappings for locking memory have changed? (Seems logical, but not the kind of interface you go changing regularly... you know, unless you're Linux; and certainly seems like the kind of thing I'd have heard about since I *do* follow NetBSD mailing lists somewhat regularly.) If so, shouldn't there be a more descriptive error message? (I'd count "ioctl failed" as more descriptive, but maybe the average user wouldn't.) But if that were the case, shouldn't I *always* get this warning, rather than just out of cron? On the command line: uriel:~% gpg --check-trustdb gpg: checking at depth 0 signed=3D49 ot(-/q/n/m/f/u)=3D0/0/0/0/0/1 gpg: checking at depth 1 signed=3D82 ot(-/q/n/m/f/u)=3D0/0/0/19/30/0 gpg: checking at depth 2 signed=3D286 ot(-/q/n/m/f/u)=3D1/0/0/69/5/0 gpg: checking at depth 3 signed=3D178 ot(-/q/n/m/f/u)=3D1/74/0/21/0/0 gpg: next trustdb check due at 2003-04-16 So perhaps NetBSD went and broke using suid binaries out of cron? Doesn't seem reasonable... I could understand if I were doing an exec, since then it would be the same memory space whose privelege was re-elevated to uid 0, but that isn't what's going on here, unless I'm completely missing how euids and saved uids work... Is this phenomenon something that's been reported before? Should I go barking up the NetBSD code review tree? --=20 gabriel rosenkoetter gr@eclipsed.net --cmJC7u66zC7hs+87 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (NetBSD) iD8DBQE+jJHG9ehacAz5CRoRAqanAJ9fCYkUNIJD+tnJ9wnJWjwFf4ZY0QCgmDgD oXLbowhxAQemRyRRtYzzhpg= =Ya3j -----END PGP SIGNATURE----- --cmJC7u66zC7hs+87-- From dshaw@jabberwocky.com Fri Apr 4 00:40:01 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Thu Apr 3 23:40:01 2003 Subject: False insecure memory warnings... In-Reply-To: <20030403195550.GB15782@uriel.eclipsed.net> References: <20030403195550.GB15782@uriel.eclipsed.net> Message-ID: <20030403214052.GA765@jabberwocky.com> --Kj7319i9nmIyA2yE Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Apr 03, 2003 at 02:55:50PM -0500, gabriel rosenkoetter wrote: > After some discussion with David Shaw recently, I've broken down, > admitted that my public keyring is really just huge and than having > a cron job to maintain it is really pretty reasonable. So I've been > blowing along happily with this in cron: >=20 > 0 8 * * 1-5 zsh -c 'time gpg --no --batch --check-trustdb' >=20 > (Yes, I really do want zsh's time output, thanks.) >=20 > That was well and good till several days ago, when I started getting > this: >=20 > gpg: WARNING: using insecure memory! > gpg: please see http://www.gnupg.org/faq.html for more information > gpg: checking at depth 0 signed=3D49 ot(-/q/n/m/f/u)=3D0/0/0/0/0/1 > gpg: checking at depth 1 signed=3D82 ot(-/q/n/m/f/u)=3D0/0/0/19/30/0 > gpg: checking at depth 2 signed=3D286 ot(-/q/n/m/f/u)=3D1/0/0/69/5/0 > gpg: checking at depth 3 signed=3D178 ot(-/q/n/m/f/u)=3D1/74/0/21/0/0 > gpg: next trustdb check due at 2003-04-16 > gpg --no --batch --check-trustdb 14.57s user 11.03s system 60% cpu 42.32= 8 total >=20 > Only but my gpg(1) really is suid, I promise: >=20 > uriel:~% which gpg > /usr/pkg/bin/gpg > uriel:~% ls -l `!!` > ls -l `which gpg` > -r-sr-xr-x 1 root wheel 684660 Feb 27 07:27 /usr/pkg/bin/gpg* I've seen this a few times before. Check to make sure that there isn't another copy of gpg somewhere, and the gpg that cron is running is the same one that you're running from the shell. David --Kj7319i9nmIyA2yE Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+jKpk4mZch0nhy8kRAjX5AJ9/2sZyedeOMnjTPwj4wcMkif0gXQCg2PNs Cyhl910IaN4T3mgGYl7zvYo= =nywP -----END PGP SIGNATURE----- --Kj7319i9nmIyA2yE-- From jbruni@mac.com Fri Apr 4 06:03:02 2003 From: jbruni@mac.com (Joseph Bruni) Date: Fri Apr 4 05:03:02 2003 Subject: DNS problem Message-ID: The mail exchanger for gnupg.org is listed as "kerckhoffs.g10code.com" which does not appear to resolve from earthlink.net. It does appear to resolve from other places (mac.com), however. Therefore, some of my recent postings are bouncing. I will post a couple of my messages via this other account until the DNS issue clears up. If it appears that I'm posting duplicates, it's probably because my earlier messages are finally making it through, and I apologize in advance. From jbruni@mac.com Fri Apr 4 06:03:25 2003 From: jbruni@mac.com (Joseph Bruni) Date: Fri Apr 4 05:03:25 2003 Subject: "key expired" from PGP 6 Message-ID: I have created a key originally with an expiration date. Subsequently, I removed the expiration date on both the primary and sub keys. In GPG 1.2.1, this is working just fine. However, when I try to import the key into PGP 6, PGP is complaining that the key has expired even though in GPG the "expires" shows as "never". Can someone explain what is going on? I have tried to delete the old key from the PGP system an re-import but that does not seem to help. From jbruni@mac.com Fri Apr 4 06:04:02 2003 From: jbruni@mac.com (Joseph Bruni) Date: Fri Apr 4 05:04:02 2003 Subject: False insecure memory warnings... Message-ID: <3F5D14D0-664A-11D7-BD2D-003065B1243E@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David, You bring up an excellent point here that can be generalized. Basically, in any automated task, it's probably a good idea to fully qualify the paths of any executable. Merely changing the system default configuration of the PATH variable can subtly alter a system if more than one copy of a program exist. By fully qualifying the path to the intended executable, you prevent such future problems. Joe Bruni On Thursday, April 3, 2003, at 02:40 PM, David Shaw wrote: >I've seen this a few times before. Check to make sure that there >isn't another copy of gpg somewhere, and the gpg that cron is running >is the same one that you're running from the shell. > >David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (Darwin) iEYEARECAAYFAj6M9moACgkQ4rg/mXNDweNlzQCg3m8juhBIWIvAe6QG5LQtIlJX fywAn3e3ZEW0PxGMHCPMS440iE081Awy =0qXc -----END PGP SIGNATURE----- From malte_gell@t-online.de Fri Apr 4 06:21:01 2003 From: malte_gell@t-online.de (Malte Gell) Date: Fri Apr 4 05:21:01 2003 Subject: simplifying the use of --throw-keyid option In-Reply-To: <20030402134356.GE2873@jabberwocky.com> References: <200304020340.00256.malte_gell@t-online.de> <20030402134356.GE2873@jabberwocky.com> Message-ID: <200304040455.29094.malte_gell@t-online.de> Am Mittwoch, 2. April 2003 15:43 schrieb David Shaw: > On Wed, Apr 02, 2003 at 03:39:35AM +0200, Malte Gell wrote: > > if one gets a message encrypted with the --throw-keyid option the > > receiver's GnuPG has to try all available secret keys and this can > > be a bit annoying if one has several secret keys. > > So, wouldn't it be a nice idea to have a new option > > "--encrypted-with" to simplify this ? > > The development branch has better handling of such messages. Instead > of prompting for each secret key, it prompts for a single passphrase > and tries it against all keys. This will be in 1.4. This sounds like a good solution and if you have tested it with your 63 secret keys as you mentioned...;-) BTW, can the use of the --throw-keyid option cause any compatibility problems with older GnuPG (1.0.6/7) versions or PGP 6.x/7.x/8.x ? Or can all PGP derivatives handle data encrypted this way ? Regards, Malte From heiko.teichmeier@sw-meerane.de Fri Apr 4 08:14:01 2003 From: heiko.teichmeier@sw-meerane.de (Heiko Teichmeier) Date: Fri Apr 4 07:14:01 2003 Subject: HKP and firewalls References: <200303292254.08491.linux@codehelp.co.uk> <20030403161156.GO2873@jabberwocky.com> Message-ID: <3E8D144E.8080503@sw-meerane.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw schrieb: > On Sat, Mar 29, 2003 at 10:54:05PM +0000, Neil Williams wrote: > > >>I've had recent problems with a new ISDN router that doesn't use a >>particularly easy firewall setup. All other outgoing internet connections are >>fine (HTTP,POP,SMTP,SSH,FTP,DNS etc) and the firewall appears to be dropping >>other packets as expected - it's a basic deny-all firewall with no internet >>services available. >> I had same problems to get a connection to a keyserver over a http-proxy (Squid). One problem is, that the http-proxy connect to remote-port 80. How I can now it learn to use a other port??? The next problem in my mind is the DNS. In normal the user get only contact to the http-proxy in local network (security-reasons) and *no routing* trough the firewall. So makes the http-server the dns-request to the internet and get the IP to the asked name. This reasons make the - --auto-key-retrieve over a http-server difficult (or complete not working!?) I had test with our firewall: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D If I allow routing (NAT) for services dns, port:11371 and incoming highports the --auto-key-retrieve works fine. If I use secure restrictions (no routing, only proxy-connections [in this time not with user/password] to the internet) the key-retrieve works not. Now my questions: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D How works a http(port80)proxy with port of hkp? How get it (the http-proxy) the dns-information, if it think it can't contact the port 11371? Who has a working combination of only-proxy-allow firewall with http-proxy (Squid) and enigmail (on windows) for the communication? - What options make the squid-enigmail-gpg-key-retrieve-combination to a working suite. >>However, I cannot get a reply from any keyservers using --recv-keys. I can >>send to keyservers fine (and I can test that the keyserver received the >>update using an SSH connection to a remote server with GPG installed) and I >>can receive all keys IF I use a dial-up modem connection instead of the >>router, so I can't see that it is a problem with ~/.gnup/options. >> >>I've tried opening port 11371 but I get very confusing results. Once in= a >>while (and only once each time) I can get a single key through - as if it has >>been cached somewhere - but the other 99 times gpg just waits and waits and >>waits. e.g. output >>$ gpg --verbose --verbose --keyserver pgp.mit.edu --recv-keys 0x28BCB3E= 3 >>gpg: requesting key 28BCB3E3 from HKP keyserver pgp.mit.edu >>gpg: armor: BEGIN PGP PUBLIC KEY BLOCK >>gpg: armor header: Version: PGP Key Server 0.9.5 >> >>I also use keyserver.linux.it >> >>My basic problem is that the router doesn't use the familiar iptables format >>and doesn't provide a full listing of the traffic. I can't tell where t= he >>packets are being dropped. I've tried using IP addresses for the keyservers >>and using hkp://pgp.mit.edu etc. >> >>Does HKP only use port 11371? (Could it be trying to send data back to = a >>different port?) >> >>The router is a D-Link DI-304 > > > I'm not familiar with that particular router, but I can give you some > general information that will hopefully help you. > > HKP is HTTP underneath it all. The only thing unusual about it is > that it runs on port 11371. If there is a general "HTTP" > configuration for your firewall, try that, and allow it on port 11371. > > If that isn't possible for whatever reason, you might look around for > a HKP keyserver that runs on port 80 (for this exact reason - > firewalls). Ask on the pgp-keyserver-folk @ flame.org list, and I'm > sure someone there can suggest a server to use. > > David - -- Mit freundlichen Gr=FC=DFen Stadtwerke Meerane GmbH Teichmeier Netzmeister NB Elt ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ heiko.teichmeier@sw-meerane.de Tel: +49 3764 791720 Fax: +49 3764 791719 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.sw-meerane.de ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1-nr1 (Windows 98) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+jRRND371SiWcNJkRAp/xAJwKZXiORyerbkHIOkzGZV4vQBMvDACfYZ2o ZicwvWix9UaeMRVxZLsCBvs=3D =3DJDvU -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Fri Apr 4 18:53:01 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Fri Apr 4 17:53:01 2003 Subject: "key expired" from PGP 6 In-Reply-To: References: Message-ID: <20030404155320.GV2873@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, Apr 03, 2003 at 08:02:52PM -0700, Joseph Bruni wrote: > I have created a key originally with an expiration date. Subsequently, > I removed the expiration date on both the primary and sub keys. In GPG > 1.2.1, this is working just fine. However, when I try to import the key > into PGP 6, PGP is complaining that the key has expired even though in > GPG the "expires" shows as "never". Can someone explain what is going > on? I have tried to delete the old key from the PGP system an re-import > but that does not seem to help. Without seeing the key in question, I can't be completely sure but I suspect you have two expiration dates set. This is normal, and GnuPG is picking the one that was set most recently. It seems PGP is picking the other one.... What happens when you try the key in a more recent version of PGP? David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+japw4mZch0nhy8kRAgzvAJ9WXnYq1dPoT2RMEiW7TA7o9z+3lACfXN7U FQYB43In13IFlj3mSkfx3D4= =U9re -----END PGP SIGNATURE----- From gr@eclipsed.net Fri Apr 4 18:56:01 2003 From: gr@eclipsed.net (gabriel rosenkoetter) Date: Fri Apr 4 17:56:01 2003 Subject: False insecure memory warnings... In-Reply-To: <3F5D14D0-664A-11D7-BD2D-003065B1243E@mac.com> <20030403214052.GA765@jabberwocky.com> References: <3F5D14D0-664A-11D7-BD2D-003065B1243E@mac.com> <20030403195550.GB15782@uriel.eclipsed.net> <20030403214052.GA765@jabberwocky.com> Message-ID: <20030404155719.GG8435@uriel.eclipsed.net> --L+ofChggJdETEG3Y Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Apr 03, 2003 at 04:40:52PM -0500, David Shaw wrote: > I've seen this a few times before. Check to make sure that there > isn't another copy of gpg somewhere, and the gpg that cron is running > is the same one that you're running from the shell. I *knew* I forgot to tack some reporting onto that email. I'd run this in a separate screened session, forgot to grab it and dump it in the email: uriel:~# id uid=3D0(root) gid=3D0(wheel) groups=3D0(wheel),2(kmem),3(sys),4(tty),5(oper= ator),20(staff),30(web),31(guest),1000(pgsql) uriel:~# find / -name gpg /usr/pkg/bin/gpg /usr/pkgsrc/security/gnupg/work/gnupg-1.2.1/g10/gpg /home/gr/tmp/gpg uriel:~#=20 Neither of those alternates are likely places for PATH to catch... And, in any case, here's the full cron report, including exactly what PATH it was using: =46rom root@eclipsed.net Fri Apr 4 08:00:39 2003 Return-Path: Delivered-To: gr@eclipsed.net Received: by uriel.eclipsed.net (Postfix, from userid 0) id 1F1EA49702; Fri, 4 Apr 2003 08:00:38 -0500 (EST) From: root@eclipsed.net (Cron Daemon) To: gr@eclipsed.net Subject: Cron zsh -c 'time gpg --no --batch --check-trustdb' X-Cron-Env: X-Cron-Env: X-Cron-Env: X-Cron-Env: X-Cron-Env: Message-Id: <20030404130038.1F1EA49702@uriel.eclipsed.net> Date: Fri, 4 Apr 2003 08:00:38 -0500 (EST) X-Spam-Status: No, hits=3D-0.5 required=3D4.1 tests=3DCRON_ENV,SPAM_PHRASE_02_03 +version=3D2.44=20 X-Spam-Level:=20 gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information gpg: checking at depth 0 signed=3D49 ot(-/q/n/m/f/u)=3D0/0/0/0/0/1 gpg: checking at depth 1 signed=3D82 ot(-/q/n/m/f/u)=3D0/0/0/19/30/0 gpg: checking at depth 2 signed=3D287 ot(-/q/n/m/f/u)=3D1/0/0/69/5/0 gpg: checking at depth 3 signed=3D178 ot(-/q/n/m/f/u)=3D1/74/0/21/0/0 gpg: next trustdb check due at 2003-04-16 gpg --no --batch --check-trustdb 15.32s user 10.38s system 69% cpu 37.171 = total So I really am sure that it really is using exactly the same gpg I call from the command line. If there's really still doubt as to that, I'm glad to specify a full path, but I sincerely doubt that doing so will change this. But, hey, what the hell. Let's find out! Just tossed this in: 45 10 * * 1-5 zsh -c 'time /usr/pkg/bin/gpg --no --batch --check-trustdb' And here's the full output (without the full headers this time): From: root@eclipsed.net (Cron Daemon) Subject: Cron zsh -c 'time /usr/pkg/bin/gpg --no --batch --check= -trustdb' Date: Fri, 4 Apr 2003 10:45:03 -0500 (EST) To: gr@eclipsed.net Delivered-To: gr@eclipsed.net =20 X-Cron-Env: =20 X-Cron-Env: =20 X-Cron-Env: X-Cron-Env: X-Cron-Env: X-Spam-Status: No, hits=3D-0.5 required=3D4.1 tests=3DCRON_ENV,SPAM_PHRASE_= 02_03 version=3D2.44 X-Spam-Level: =20 gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information gpg: next trustdb check due at 2003-04-16 /usr/pkg/bin/gpg --no --batch --check-trustdb 0.10s user 0.23s system 10% = cpu 3.040 total And, just so it's totally crystal clear, here's this again: uriel:~# ls -lF /usr/pkg/bin/gpg -r-sr-xr-x 1 root wheel 684660 Feb 27 07:27 /usr/pkg/bin/gpg* As to not specifying full paths... I make a living as a Unix systems administrator. I really do know when it's okay, I promise. :^> So then. Is there *any* way that this is a problem with gpg, or is it time for me to go digging in just what the hell NetBSD's crond is doing with euids? --=20 gabriel rosenkoetter gr@eclipsed.net --L+ofChggJdETEG3Y Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (NetBSD) iD8DBQE+jatf9ehacAz5CRoRArSLAJ4nmkFypm13OBkZ+YXCuPmaDICbNgCcCa84 SaKy8s1f0ne0ALetMZmA+AQ= =1T8o -----END PGP SIGNATURE----- --L+ofChggJdETEG3Y-- From dshaw@jabberwocky.com Fri Apr 4 20:51:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Fri Apr 4 19:51:02 2003 Subject: False insecure memory warnings... In-Reply-To: <20030404155719.GG8435@uriel.eclipsed.net> References: <3F5D14D0-664A-11D7-BD2D-003065B1243E@mac.com> <20030403195550.GB15782@uriel.eclipsed.net> <20030403214052.GA765@jabberwocky.com> <20030404155719.GG8435@uriel.eclipsed.net> Message-ID: <20030404175142.GW2873@jabberwocky.com> --24zk1gE8NUlDmwG9 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Fri, Apr 04, 2003 at 10:57:19AM -0500, gabriel rosenkoetter wrote: > On Thu, Apr 03, 2003 at 04:40:52PM -0500, David Shaw wrote: > > I've seen this a few times before. Check to make sure that there > > isn't another copy of gpg somewhere, and the gpg that cron is running > > is the same one that you're running from the shell. [ that is not the problem ] > So then. Is there *any* way that this is a problem with gpg, or is > it time for me to go digging in just what the hell NetBSD's crond is > doing with euids? Very interesting. There are a few other reasons that GnuPG might be unable to get secure memory. Being not setuid root (on those platforms that need it) is only the most common. Let's dig a bit more. What happens if you run this program out of cron in the same way (zsh -c 'time testprog'). Make testprog setuid root. #include #include #include int main(int argc,char *argv[]) { printf("UID: %d\n",(int)getuid()); printf("EUID: %d\n",(int)geteuid()); return 0; } The other obvious thing to try is to rebuild GnuPG to see if something changed in the underlying libraries when you upgraded NetBSD (you may have done this already). David --24zk1gE8NUlDmwG9 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+jcYu4mZch0nhy8kRAs6VAKCgoqL+lNHjweU0teX04eDM43OaZACgnZkO dcPPQBfRSfn6mk7nr1yxXa4= =5Yni -----END PGP SIGNATURE----- --24zk1gE8NUlDmwG9-- From gr@eclipsed.net Fri Apr 4 21:59:01 2003 From: gr@eclipsed.net (gabriel rosenkoetter) Date: Fri Apr 4 20:59:01 2003 Subject: False insecure memory warnings... In-Reply-To: <20030404175142.GW2873@jabberwocky.com> References: <3F5D14D0-664A-11D7-BD2D-003065B1243E@mac.com> <20030403195550.GB15782@uriel.eclipsed.net> <20030403214052.GA765@jabberwocky.com> <20030404155719.GG8435@uriel.eclipsed.net> <20030404175142.GW2873@jabberwocky.com> Message-ID: <20030404185955.GK1109@uriel.eclipsed.net> --icsXL8FABjDeMLkQ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Apr 04, 2003 at 12:51:42PM -0500, David Shaw wrote: > Very interesting. There are a few other reasons that GnuPG might be > unable to get secure memory. Being not setuid root (on those > platforms that need it) is only the most common. What is GnuPG's definition of "secure memory"? Does it have to be wired kernel memory (to avoid being paged)? I really hope that NetBSD's sysctls for this didn't change between 1.5 and 1.6; it'll harm binary package compatibility. > What happens if you run this program out of cron in the same way > (zsh -c 'time testprog'). Results for all my test cases: > 52 13 * * * suidtest UID: 1000 EUID: 0 =20 > 52 13 * * * /usr/local/bin/suidtest UID: 1000 EUID: 0 =20 > 52 13 * * * time suidtest UID: 1000 EUID: 0 =20 1.10 real 0.00 user 0.06 sys > 52 13 * * * zsh -c 'time suidtest' UID: 1000 EUID: 0 =20 suidtest 0.00s user 0.06s system 2% cpu 2.046 total > 52 13 * * * zsh -c 'time /usr/local/bin/suidtest' UID: 1000 EUID: 0 =20 /usr/local/bin/suidtest 0.02s user 0.06s system 6% cpu 1.267 total So euid isn't the problem, then. Back to "what's GnuPG do to secure memory"? (Pointing me at the right source file would be plenty...) > The other obvious thing to try is to rebuild GnuPG to see if something > changed in the underlying libraries when you upgraded NetBSD (you may > have done this already). Yeah, I do wonder if it's that... but I'm a little reluctant just to blow away the problem version, since it'd make it hard to figure out exactly what's causing this. :^> I am building a new version of GnuPG in exactly the same way (NetBSD's pkgsrc/security/gnupg), I just won't install it (yet). (This is only a 300 MHz PowerPC G3 and a mere 20 MB/s SCSI disk, so I'll let you know when I get a chance to test that version. :^>) --=20 gabriel rosenkoetter gr@eclipsed.net --icsXL8FABjDeMLkQ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (NetBSD) iD8DBQE+jdYr9ehacAz5CRoRAnCDAJ9Tm3uFLtyTHEFUrgS6slPmfqT8ZgCfbh4N gayiLFBoqReFP4hcoy8BGmw= =fDJR -----END PGP SIGNATURE----- --icsXL8FABjDeMLkQ-- From gr@eclipsed.net Fri Apr 4 22:57:02 2003 From: gr@eclipsed.net (gabriel rosenkoetter) Date: Fri Apr 4 21:57:02 2003 Subject: False insecure memory warnings... In-Reply-To: <20030404185955.GK1109@uriel.eclipsed.net> References: <3F5D14D0-664A-11D7-BD2D-003065B1243E@mac.com> <20030403195550.GB15782@uriel.eclipsed.net> <20030403214052.GA765@jabberwocky.com> <20030404155719.GG8435@uriel.eclipsed.net> <20030404175142.GW2873@jabberwocky.com> <20030404185955.GK1109@uriel.eclipsed.net> Message-ID: <20030404195813.GI8435@uriel.eclipsed.net> --3U8TY7m7wOx7RL1F Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Apr 04, 2003 at 01:59:55PM -0500, gabriel rosenkoetter wrote: > I am building a new version of GnuPG in exactly the same way > (NetBSD's pkgsrc/security/gnupg), I just won't install it (yet). > (This is only a 300 MHz PowerPC G3 and a mere 20 MB/s SCSI disk, > so I'll let you know when I get a chance to test that version. :^>) After rebuilding GnuPG: 52 14 * * 1-5 zsh -c 'time /usr/pkgsrc/security/gnupg/work/gnupg-1.2.1/g10/= gpg --no --batch --check-trustdb' gets: [...] X-Cron-Env: X-Cron-Env: X-Cron-Env: X-Cron-Env: X-Cron-Env: [...] gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information gpg: next trustdb check due at 2003-04-16 /usr/pkgsrc/security/gnupg/work/gnupg-1.2.1/g10/gpg --no --batch 0.09s us= er 0.27s system 54% cpu 0.656 total So no change. --=20 gabriel rosenkoetter gr@eclipsed.net --3U8TY7m7wOx7RL1F Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (NetBSD) iD8DBQE+jePV9ehacAz5CRoRAr29AKCTdSCWg3tbPHa0sXYUNZUhbudbbgCfUYGK ArMfxG5aDInuWmjuQU2xLs8= =t3n5 -----END PGP SIGNATURE----- --3U8TY7m7wOx7RL1F-- From dshaw@jabberwocky.com Sat Apr 5 00:31:01 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Fri Apr 4 23:31:01 2003 Subject: False insecure memory warnings... In-Reply-To: <20030404185955.GK1109@uriel.eclipsed.net> References: <3F5D14D0-664A-11D7-BD2D-003065B1243E@mac.com> <20030403195550.GB15782@uriel.eclipsed.net> <20030403214052.GA765@jabberwocky.com> <20030404155719.GG8435@uriel.eclipsed.net> <20030404175142.GW2873@jabberwocky.com> <20030404185955.GK1109@uriel.eclipsed.net> Message-ID: <20030404213139.GA10965@jabberwocky.com> --0OAP2g/MAC+5xKAE Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Apr 04, 2003 at 01:59:55PM -0500, gabriel rosenkoetter wrote: > On Fri, Apr 04, 2003 at 12:51:42PM -0500, David Shaw wrote: > > Very interesting. There are a few other reasons that GnuPG might be > > unable to get secure memory. Being not setuid root (on those > > platforms that need it) is only the most common. >=20 > What is GnuPG's definition of "secure memory"? Does it have to be > wired kernel memory (to avoid being paged)? >=20 > I really hope that NetBSD's sysctls for this didn't change between > 1.5 and 1.6; it'll harm binary package compatibility. >=20 > > What happens if you run this program out of cron in the same way > > (zsh -c 'time testprog'). [ not that either ] > So euid isn't the problem, then. >=20 > Back to "what's GnuPG do to secure memory"? (Pointing me at the > right source file would be plenty...) util/secmem.c. In particular see lock_pool(). I wonder if the BSD login.conf rlimit stuff might be biting you here. If cron has a smaller "memorylocked" value than you do when running =66rom the shell, then the mlock call can fail and cause the symptoms you see. I do know there was a change to the NetBSD cron recently to have it start using login_cap, but I don't know what release that was in. David --0OAP2g/MAC+5xKAE Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+jfm74mZch0nhy8kRAjnCAJ4kvmnmus1WrPWTbDR9HHIwPv+EKQCaAmL1 ZJCv0eyt19WuKJhaKA9zgJo= =vPS7 -----END PGP SIGNATURE----- --0OAP2g/MAC+5xKAE-- From dshaw@jabberwocky.com Sat Apr 5 04:10:01 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Sat Apr 5 03:10:01 2003 Subject: simplifying the use of --throw-keyid option In-Reply-To: <20030403181944.GS12963@dust.uchicago.edu> References: <20030402134356.GE2873@jabberwocky.com> <200304022243.AAA00587@vulcan.xs4all.nl> <20030403003119.GI2873@jabberwocky.com> <20030403041807.GP12963@dust.uchicago.edu> <20030403052237.GM2873@jabberwocky.com> <20030403055853.GR12963@dust.uchicago.edu> <20030403144228.GN2873@jabberwocky.com> <20030403181944.GS12963@dust.uchicago.edu> Message-ID: <20030405011103.GB20332@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, Apr 03, 2003 at 12:19:44PM -0600, David Champion wrote: > * On 2003.04.03, in <20030403144228.GN2873@jabberwocky.com>, > * "David Shaw" wrote: > > > > I have 63 secret keys on my current keyring, and that's the ring I > > used to test the feature ;) The check to see whether a given key is > > the right one is actually extremely quick. > > Ah, ok -- unfamiliar with the specifics of 2440, I thought it must > take as long as decrypting the whole message, and then some. But I can > imagine that's not necessary. It's a pretty neat system - there are short checksums that are used to throw out clearly wrong decryptions so GnuPG doesn't need to continue. It also doesn't proceed to decrypt the message if the secret key can't be decrypted. > > I'm also not sure that -u would be the appropriate option here, since > > -u is designed and documented to work in an options file, which would > > make thrown keyid messages more or less unusable in those cases unless > > the -u value happened to match the key in use. > > I wondered whether that might be a problem. > > In this case, then, would it be appropriate to change the help text > associated with -u? It currently says "use this user-id to sign or > decrypt", but it sounds like that user-id is *never* used to decrypt. Or > is there another case where a user can profitably specify the decryption > key? Hmm. I don't know what the original intent was with that help text. I can't think of any place where -u can actually be used to specify a decryption key. Maybe something in an earlier version that was changed? It is unfortunately difficult to change the help text in 1.2.2 as it'll break all of the translations. :( David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+ji0n4mZch0nhy8kRAkUTAKCaoa2doApTO2yAK+59m55B9s9QEwCfde3z dLgjaAOO/CwEiR56eaVT/yc= =K1Qz -----END PGP SIGNATURE----- From gr@eclipsed.net Sat Apr 5 05:12:02 2003 From: gr@eclipsed.net (gabriel rosenkoetter) Date: Sat Apr 5 04:12:02 2003 Subject: False insecure memory warnings... In-Reply-To: <20030404213139.GA10965@jabberwocky.com> References: <3F5D14D0-664A-11D7-BD2D-003065B1243E@mac.com> <20030403195550.GB15782@uriel.eclipsed.net> <20030403214052.GA765@jabberwocky.com> <20030404155719.GG8435@uriel.eclipsed.net> <20030404175142.GW2873@jabberwocky.com> <20030404185955.GK1109@uriel.eclipsed.net> <20030404213139.GA10965@jabberwocky.com> Message-ID: <20030405021250.GM1109@uriel.eclipsed.net> --Y9FGoQKSF2AxjRbT Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Apr 04, 2003 at 04:31:39PM -0500, David Shaw wrote: > util/secmem.c. In particular see lock_pool(). I'll go dig. Some time other than when I'm about to go out dinner on a Friday night. :^> > I wonder if the BSD login.conf rlimit stuff might be biting you here. Plausible. Well, actually... not: default:\ [...] :memorylocked=3Dunlimited:\ Only other setting's for root... > If cron has a smaller "memorylocked" value than you do when running > from the shell, then the mlock call can fail and cause the symptoms > you see. Don't think that cron's environment would be smaller, especially since it's doing a seteuid to the user... > I do know there was a change to the NetBSD cron recently to > have it start using login_cap, but I don't know what release that was > in. True, and I *believe* that's part of the 1.6 release, but I'm not positive. --=20 gabriel rosenkoetter gr@eclipsed.net --Y9FGoQKSF2AxjRbT Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (NetBSD) iD8DBQE+jjui9ehacAz5CRoRAvFDAJ9tjJHjhwt7SkpuFd73dIqre5esFQCdEl3e l4mLmp1WQSm7i3TQQB4HMuk= =C2rl -----END PGP SIGNATURE----- --Y9FGoQKSF2AxjRbT-- From dshaw@jabberwocky.com Sat Apr 5 07:29:01 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Sat Apr 5 06:29:01 2003 Subject: False insecure memory warnings... In-Reply-To: <20030405021250.GM1109@uriel.eclipsed.net> References: <3F5D14D0-664A-11D7-BD2D-003065B1243E@mac.com> <20030403195550.GB15782@uriel.eclipsed.net> <20030403214052.GA765@jabberwocky.com> <20030404155719.GG8435@uriel.eclipsed.net> <20030404175142.GW2873@jabberwocky.com> <20030404185955.GK1109@uriel.eclipsed.net> <20030404213139.GA10965@jabberwocky.com> <20030405021250.GM1109@uriel.eclipsed.net> Message-ID: <20030405042958.GC20332@jabberwocky.com> --SUOF0GtieIMvvwua Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Apr 04, 2003 at 09:12:50PM -0500, gabriel rosenkoetter wrote: > On Fri, Apr 04, 2003 at 04:31:39PM -0500, David Shaw wrote: > > util/secmem.c. In particular see lock_pool(). >=20 > I'll go dig. Some time other than when I'm about to go out dinner on > a Friday night. :^> >=20 > > I wonder if the BSD login.conf rlimit stuff might be biting you here. >=20 > Plausible. Well, actually... not: >=20 > default:\ > [...] > :memorylocked=3Dunlimited:\ >=20 > Only other setting's for root... I assume root's isn't something really small like 32k? > > If cron has a smaller "memorylocked" value than you do when running > > from the shell, then the mlock call can fail and cause the symptoms > > you see. >=20 > Don't think that cron's environment would be smaller, especially > since it's doing a seteuid to the user... set(e)uid doesn't necessarily imply that the rlimit values match the values for uid in question... What happens if you have a cron entry for "zsh -c 'ulimit -a'" ? If that isn't it, perhaps something changed in mlock or mmap with the new NetBSD? David --SUOF0GtieIMvvwua Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+jlvG4mZch0nhy8kRAq6QAJ40MchsI8ZDP1aYJ+7OomSY1LTMzQCePkon O1UERtxs8/zTRPcF1sTLkfw= =ldGC -----END PGP SIGNATURE----- --SUOF0GtieIMvvwua-- From vedaal@hush.com Mon Apr 7 13:03:02 2003 From: vedaal@hush.com (vedaal@hush.com) Date: Mon Apr 7 12:03:02 2003 Subject: simplifying the use of --throw-keyid option Message-ID: <200304041632.h34GW0vP014108@mailserver2.hushmail.com> >Message: 12 >From: malte_gell@t-online.de (Malte Gell) >Organization: ACME >To: gnupg-users@gnupg.org >Subject: Re: simplifying the use of --throw-keyid option >Date: Fri, 4 Apr 2003 04:55:28 +0200 .. >BTW, can the use of the --throw-keyid option cause any compatibility >problems with older GnuPG (1.0.6/7) versions or PGP 6.x/7.x/8.x ? >Or >can all PGP derivatives handle data encrypted this way ? except for Disastry's versions of 2.6.3 no PGP version can either decrypt or generate a throw-keyid message {have tried to beg for an implementation of this, Disastry was the only one who listened} a pgp user, who for whatever reason, isn't using gnupg, might be able to work around it with a hex editor, and write a script to insert the id's of his own keys, and let pgp try each one ... but anyone capable of doing that, is probably already using gnupg ;-) hth, vedaal Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Big $$$ to be made with the HushMail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427 From vedaal@hush.com Mon Apr 7 13:06:02 2003 From: vedaal@hush.com (vedaal@hush.com) Date: Mon Apr 7 12:06:02 2003 Subject: simplifying the use of --throw-keyid option Message-ID: <200304031457.h33Evr71092720@mailserver3.hushmail.com> >Message: 2 >Date: Wed, 2 Apr 2003 08:43:56 -0500 >From: David Shaw >To: gnupg-users@gnupg.org >Subject: Re: simplifying the use of --throw-keyid option .. >The development branch has better handling of such messages. Instead >of prompting for each secret key, it prompts for a single passphrase >and tries it against all keys. This will be in 1.4. suggestions: {if not already implemented } [1] can the 16k space be increased, as people are importing 4k pgp dh and rsa v4 keys, if they have 5 secret keys, the 'try all secrets' shuts off [2] can there be an option where one can choose to have gnupg inform the user if the passphrase is entered incorrectly for that key, {especially useful for 'secure' passphrases, entered from the commandline, where mistyping may be common) [3] can there be selective anonymity, where if encrypting to multiple recipients, to specify the key-id for the throw keyid, and leave the others intact, (or, if easier to implement, an option for -ignore-throw-keyid for each key that one wants to not be anonymous Thanks, with Respect, vedaal Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Big $$$ to be made with the HushMail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427 From oliver@hankeln-online.de Mon Apr 7 14:01:02 2003 From: oliver@hankeln-online.de (Oliver Hankeln) Date: Mon Apr 7 13:01:02 2003 Subject: Double encryption ?? Message-ID: <3E8EC8A8.6010505@hankeln-online.de> Hello, a friend of mine and me were just starting using GPG. He encrypted a text for me an sent it to me. I was able to decrypt it. BUT: He was also able to decrypt the encrypted message with his own secret key. The only reason why this could happen as seen by us is that the text has been encrypted twice - with my and with his public key. We just want to be sure we didn´t make any mistakes. Is our assumption right? Thanks, Oliver From linux@codehelp.co.uk Mon Apr 7 14:27:02 2003 From: linux@codehelp.co.uk (Neil Williams) Date: Mon Apr 7 13:27:02 2003 Subject: HKP and firewalls In-Reply-To: <3E8D144E.8080503@sw-meerane.de> References: <200303292254.08491.linux@codehelp.co.uk> <20030403161156.GO2873@jabberwocky.com> <3E8D144E.8080503@sw-meerane.de> Message-ID: <200304042001.18300.linux@codehelp.co.uk> --Boundary-02=_+Zdj+ABA+mDAB9h Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Description: signed data Content-Disposition: inline On Friday 04 April 2003 6:12 am, Heiko Teichmeier wrote: > I had test with our firewall: > ============================= > If I allow routing (NAT) for services dns, port:11371 and incoming > highports the --auto-key-retrieve works fine. That was the solution - enabling higher ports - HKP doesn't just use 11371, it tries to connect at other higher ports too. Just enabling 11371 isn't enough. I've now got access to the HKP servers. Thanks Heiko. (It still doesn't work 100% of the time but at least it's working 90% instead of 1%!) That isn't good enough to use auto-key-retrieve though so I'll continue working on it using different distros and installations. > How works a http(port80)proxy with port of hkp? > How get it (the http-proxy) the dns-information, if it think it can't > contact the port 11371? HKP should work as HTTP in these areas. > > I'm not familiar with that particular router, but I can give you some > > general information that will hopefully help you. > > > > HKP is HTTP underneath it all. The only thing unusual about it is > > that it runs on port 11371. If there is a general "HTTP" > > configuration for your firewall, try that, and allow it on port 11371. > > > > If that isn't possible for whatever reason, you might look around for > > a HKP keyserver that runs on port 80 (for this exact reason - > > firewalls). Ask on the pgp-keyserver-folk @ flame.org list, and I'm > > sure someone there can suggest a server to use. > > > > David -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk http://www.wewantbroadband.co.uk/ --Boundary-02=_+Zdj+ABA+mDAB9h Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+jdZ+iAEJSii8s+MRAvWZAJ9ImjYIZMqFNJU1V1OGG4Otgi87/QCg2idG ncrBY7hJjQRR9TKbFFZ+4B0= =ae1J -----END PGP SIGNATURE----- --Boundary-02=_+Zdj+ABA+mDAB9h-- From avbidder@fortytwo.ch Mon Apr 7 15:29:01 2003 From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder) Date: Mon Apr 7 14:29:01 2003 Subject: Double encryption ?? In-Reply-To: <3E8EC8A8.6010505@hankeln-online.de> References: <3E8EC8A8.6010505@hankeln-online.de> Message-ID: <200304071430.07363@fortytwo.ch> --Boundary-02=_P9Wk+NjIfeXWrx9 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Saturday 05 April 2003 14:14, Oliver Hankeln wrote: > Hello, > > a friend of mine and me were just starting using GPG. > He encrypted a text for me an sent it to me. I was able to decrypt it. > BUT: He was also able to decrypt the encrypted message with his own > secret key. > The only reason why this could happen as seen by us is that the text has > been encrypted twice - with my and with his public key. > We just want to be sure we didn=B4t make any mistakes. Is our assumption > right? =46rom the manpage: --encrypt-to name Same as --recipient but this one is intended for use in = the options file and may be used with your own user-id as = an "encrypt-to-self". These keys are only used when there = are other recipients given either by use of --recipient or by = the asked user id. No trust checking is performed for these u= ser ids and even disabled keys can be used. So, I'd look in the config file if there is an --encrypt-to statement. Also= ,=20 many mailers have the option of automatically encrypting to the own key whe= n=20 sending encrypted mail. So, you (probably) didn't do anything wrong. The question is, of course, if= =20 you want mails to be encrypted to both keys. I think it makes sense - I oft= en=20 need to go back and look at what exactly I sent. Theoretically, it makes=20 encryption weaker - for one thing, there's now 2 possible keys, so a brute= =20 force attack might be somewhat faster (I say *might* - I'm absolutely not=20 sure if it can really be). And, probably more critical: having the same=20 plaintext encrypted with two different keys might just allow some specific= =20 attack (there is one if the same plaintext is enciphered to multiple RSA ke= ys=20 with the same exponent, to name just the classical example). =46or general use, I wouldn't worry.=20 greets =2D- vbi =2D-=20 OpenPGP encrypted mail welcome - my key: http://fortytwo.ch/gpg/92082481 --Boundary-02=_P9Wk+NjIfeXWrx9 Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iKcEABECAGcFAj6Rb09gGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjMmbWQ1c3VtPTE0Y2E2MTZmMTQ2ODJhODJj YjljYzI1YzliMzRhMTBkAAoJEIukMYvlp/fWJLEAnR5s3yXY/eFvnClJHZwAi//E Z2aZAKDTdFG9yoopq62mLq5DZWxTOH6mdw== =4QUt -----END PGP SIGNATURE----- Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.3&md5sum=14ca616f14682a82cb9cc25c9b34a10d --Boundary-02=_P9Wk+NjIfeXWrx9-- From ellement@sdd.hp.com Mon Apr 7 15:35:02 2003 From: ellement@sdd.hp.com (David Ellement) Date: Mon Apr 7 14:35:02 2003 Subject: message was not integrity protected In-Reply-To: <20021014140302.GB16768@akamai.com> References: <01C27069.B035FB80.heiko.teichmeier@sw-meerane.de> <20021014140302.GB16768@akamai.com> Message-ID: <20030407000756.GA5714@sdd.hp.com> On 2002-10-14, David Shaw wrote > On Thu, Oct 10, 2002 at 02:31:13PM +0200, Heiko Teichmeier wrote: > > "Warning: messsage was not integrity protected". > > How dangerous is this problem to trust the mail? What way exist to get a > > clean message - no failure? > > GnuPG supports integrity protected messages which adds a hash (sort of > a mini-signature) inside the encrypted message to alert the user if > the message was tampered with. > > That warning message means that the message you received did not have > integrity protection enabled. I see on messages I send between my work and home machines. I'm using GnuPG 1.2.1 at both ends. How is it that I've disabled integrity protection? -- David Ellement From jam@jamux.com Mon Apr 7 15:55:01 2003 From: jam@jamux.com (John A. Martin) Date: Mon Apr 7 14:55:01 2003 Subject: DNS problem In-Reply-To: (Joseph Bruni's message of "Thu, 3 Apr 2003 20:02:47 -0700") References: Message-ID: <87n0j6clit.fsf@athene.jamux.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >>>>> "Joseph" == Joseph Bruni >>>>> "DNS problem" >>>>> Thu, 3 Apr 2003 20:02:47 -0700 Joseph> The mail exchanger for gnupg.org is listed as Joseph> "kerckhoffs.g10code.com" which does not appear to resolve Joseph> from earthlink.net. It does appear to resolve from other Joseph> places (mac.com), however. Your observations are confirmed by Both "Mail Test" and "DNS Report" at . These or similar tools reduce the need to ask others for independent verification. They often also go a long way toward explaining such problems. Alas, this here message to the list will be queued until the problem(s) is (are) fixed. jam -----BEGIN PGP SIGNATURE----- iD8DBQE+jagnUEvv1b/iXy8RAhB8AKCYbQXRkT2JcZUJjGp+QCimgN/K+ACeIiqA L7vtUEgV9p0yultxQ+UaEkw= =YltX -----END PGP SIGNATURE----- From xantor@linux.be Mon Apr 7 15:58:01 2003 From: xantor@linux.be (Michael Anckaert) Date: Mon Apr 7 14:58:01 2003 Subject: keysign parties Message-ID: <1049555324.726.3.camel@carpathia> --=-QMP+fH7c/fwMtz1BBaKC Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Hello all, I wanted to know why there are so few keysigning parties. I once signed up for a keysigning mailinglist, but there wasn't almost any posts on that list.=20 Does anyone know of another list where people post announcements for keysigning parties and such? --=20 Greetings, Michael Anckaert aka The XanTor xantor@linux.be michael.anckaert@pi.be OpenPGP key: F7A6C3AB Fingerprint: A329 43FC 3953 A944 5DDC 2E05 8E5D AD60 F7A6 C3AB --=-QMP+fH7c/fwMtz1BBaKC Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+jvF8jl2tYPemw6sRAuSoAKCsH/rDiujB7y8UZC767yFvkvr2DACeM41U JmobU0wMyhphkxRDuPrU9G0= =sVsv -----END PGP SIGNATURE----- --=-QMP+fH7c/fwMtz1BBaKC-- From gnupg-users@nahrath.de Mon Apr 7 16:12:01 2003 From: gnupg-users@nahrath.de (Michael Nahrath) Date: Mon Apr 7 15:12:01 2003 Subject: Double encryption ?? In-Reply-To: <3E8EC8A8.6010505@hankeln-online.de> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Oliver Hankeln schrieb am 2003-04-05 14:14: > a friend of mine and me were just starting using GPG. > He encrypted a text for me an sent it to me. I was able to decrypt it. > BUT: He was also able to decrypt the encrypted message with his own > secret key. He should check his ~/.gnupg/gpg.conf file (or ~/.gnupg/options if he is running an older version of GPG) for the entries default-recipient-self or default-recipient $MY_KEY_ID Usually you _want_ to be able to decrypt messages you encypted to someone else's key yourself. To prevent this you may try the option '--no-default-recipient' on the command-line or uncomment the lines in the config file. > The only reason why this could happen as seen by us is that the text has > been encrypted twice - with my and with his public key. Probably it was encypted only once, but for the two keys. > We just want to be sure we didn=B4t make any mistakes. Is our assumption > right? I guess, the --default-recipient-self may be a default option in your GPG installation. So I don't see any mistakes on your side. Greeting, Michi -----BEGIN PGP SIGNATURE----- Comment: http://www.biglumber.com/x/web?qs=3D0x9A4C704C iEYEARECAAYFAj6Rd5sACgkQ19dRf5pMcEyQIQCbBQDRz2pzDx2QUt5d0n7lVsJD QVAAoLh6Yw/zHxINBW0fKZV95SninCsp =3DQk/W -----END PGP SIGNATURE----- From gr@eclipsed.net Mon Apr 7 16:16:02 2003 From: gr@eclipsed.net (gabriel rosenkoetter) Date: Mon Apr 7 15:16:02 2003 Subject: Double encryption ?? In-Reply-To: <3E8EC8A8.6010505@hankeln-online.de> References: <3E8EC8A8.6010505@hankeln-online.de> Message-ID: <20030407131715.GU1109@uriel.eclipsed.net> --UEgmpZn7Z/frN9Sq Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Apr 05, 2003 at 02:14:32PM +0200, Oliver Hankeln wrote: > The only reason why this could happen as seen by us is that the text has= =20 > been encrypted twice - with my and with his public key. > We just want to be sure we didn=B4t make any mistakes. Is our assumption= =20 > right? The assumption's correct and, unless you've used --throw-key, GnuPG should tell you exactly that (two "encrypted for...") lines. I'm guessing either that each of you followed a set of setup instructions that involved putting a "encrypt-to ..." line in your =2Egnupg/{options,gpg.conf} or that your MUAs do it by default after being told your default private key (for signing). --=20 gabriel rosenkoetter gr@eclipsed.net --UEgmpZn7Z/frN9Sq Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (NetBSD) iD8DBQE+kXpb9ehacAz5CRoRAmdoAJ4pxfA0eWTofqaSN+1zSsnCjUrapgCgjDiP 1fCddMwnPfkn3x3akbnK8Rc= =u+3j -----END PGP SIGNATURE----- --UEgmpZn7Z/frN9Sq-- From dshaw@jabberwocky.com Mon Apr 7 17:11:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Mon Apr 7 16:11:02 2003 Subject: message was not integrity protected In-Reply-To: <20030407000756.GA5714@sdd.hp.com> References: <01C27069.B035FB80.heiko.teichmeier@sw-meerane.de> <20021014140302.GB16768@akamai.com> <20030407000756.GA5714@sdd.hp.com> Message-ID: <20030407140918.GB4996@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sun, Apr 06, 2003 at 05:07:56PM -0700, David Ellement wrote: > On 2002-10-14, David Shaw wrote > > On Thu, Oct 10, 2002 at 02:31:13PM +0200, Heiko Teichmeier wrote: > > > "Warning: messsage was not integrity protected". > > > How dangerous is this problem to trust the mail? What way exist to get a > > > clean message - no failure? > > > > GnuPG supports integrity protected messages which adds a hash (sort of > > a mini-signature) inside the encrypted message to alert the user if > > the message was tampered with. > > > > That warning message means that the message you received did not have > > integrity protection enabled. > > I see on messages I send between my work and home machines. I'm using > GnuPG 1.2.1 at both ends. How is it that I've disabled integrity > protection? If the key does not have the MDC flag set, then MDC will not be used. GnuPG sets this flag, but PGP does not. Were the keys generated with PGP? There are also various options that disable MDC, either directly or as a side effect. Do you have any of these in your gpg.conf file? disable-mdc pgp2 pgp6 David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+kYaO4mZch0nhy8kRAnefAKDZkD+rmRlNUbu+AGaJ1aJOF+A7kQCg3wDo BwikzAmYCzcTUlbDa/A9sdU= =D+mB -----END PGP SIGNATURE----- From list@daniel-luebke.de Mon Apr 7 17:13:01 2003 From: list@daniel-luebke.de (Daniel Luebke) Date: Mon Apr 7 16:13:01 2003 Subject: keysign parties In-Reply-To: <1049555324.726.3.camel@carpathia> References: <1049555324.726.3.camel@carpathia> Message-ID: <3E9188AC.3070907@daniel-luebke.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi! Usually there are keysignings during most Linux and OSS Conferences like the LinuxTag this weekend. I don't know of any list, where all keysigning parties are announced. In Hannover (Germany) some simply searched BigLumber (www.biglumber.com) and set up our own mailinglist. If you visit an exhibition here, you should sign up and see, who has time. Otherwise you can email the people listed in BigLumber for your region and meet them. Regs ~ Daniel Michael Anckaert wrote: | Hello all, | | I wanted to know why there are so few keysigning parties. I once signed | up for a keysigning mailinglist, but there wasn't almost any posts on | that list. | | Does anyone know of another list where people post announcements for | keysigning parties and such? | -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+kYisEKRSJJognFARAv5tAJ0aF4BAeUy1oHitd53kJoxr2G3N4gCfcMQd Cavly9FyAMfdpy8GWquQSe8= =l9oN -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Mon Apr 7 17:15:01 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Mon Apr 7 16:15:01 2003 Subject: simplifying the use of --throw-keyid option In-Reply-To: <200304040455.29094.malte_gell@t-online.de> References: <200304020340.00256.malte_gell@t-online.de> <20030402134356.GE2873@jabberwocky.com> <200304040455.29094.malte_gell@t-online.de> Message-ID: <20030407141544.GC4996@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, Apr 04, 2003 at 04:55:28AM +0200, Malte Gell wrote: > Am Mittwoch, 2. April 2003 15:43 schrieb David Shaw: > > On Wed, Apr 02, 2003 at 03:39:35AM +0200, Malte Gell wrote: > > > if one gets a message encrypted with the --throw-keyid option the > > > receiver's GnuPG has to try all available secret keys and this can > > > be a bit annoying if one has several secret keys. > > > So, wouldn't it be a nice idea to have a new option > > > "--encrypted-with" to simplify this ? > > > > The development branch has better handling of such messages. Instead > > of prompting for each secret key, it prompts for a single passphrase > > and tries it against all keys. This will be in 1.4. > > This sounds like a good solution and if you have tested it with your 63 > secret keys as you mentioned...;-) > BTW, can the use of the --throw-keyid option cause any compatibility > problems with older GnuPG (1.0.6/7) versions or PGP 6.x/7.x/8.x ? Or > can all PGP derivatives handle data encrypted this way ? GnuPG can handle it. No version of official PGP can handle it, but Disastry's hacked 2.6.3 can. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+kYgQ4mZch0nhy8kRAju0AKCHspw5khKwDiLrowp5DTJh6MxpEQCeMe7N FwLrYrE/JBvkiPtKJCHeO00= =sOju -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Mon Apr 7 17:16:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Mon Apr 7 16:16:02 2003 Subject: simplifying the use of --throw-keyid option In-Reply-To: <200304031457.h33Evr71092720@mailserver3.hushmail.com> References: <200304031457.h33Evr71092720@mailserver3.hushmail.com> Message-ID: <20030407141714.GD4996@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, Apr 03, 2003 at 06:57:53AM -0800, vedaal@hush.com wrote: > >Message: 2 > >Date: Wed, 2 Apr 2003 08:43:56 -0500 > >From: David Shaw > >To: gnupg-users@gnupg.org > >Subject: Re: simplifying the use of --throw-keyid option > > .. > >The development branch has better handling of such messages. Instead > >of prompting for each secret key, it prompts for a single passphrase > >and tries it against all keys. This will be in 1.4. > > suggestions: {if not already implemented } > > [1] can the 16k space be increased, > as people are importing 4k pgp dh and rsa v4 keys, if they have 5 secret > keys, the 'try all secrets' shuts off Yes, this is raised to 32k in 1.2.2. > [2] can there be an option where one can choose to have gnupg inform > > the user if the passphrase is entered incorrectly for that key, > {especially useful for 'secure' passphrases, entered from the commandline, > where mistyping may be common) I don't understand this. GnuPG already reports that a passphrase is invalid. > [3] can there be selective anonymity, where if encrypting to multiple > recipients, to specify the key-id for the throw keyid, and leave the > others intact, > (or, if easier to implement, an option for -ignore-throw-keyid > for each key that one wants to not be anonymous This is in 1.3.x. See the --hidden-recipient option. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+kYhq4mZch0nhy8kRAh3kAKCtbaQqYDVTJ/R7zfzyZV0++x8ujQCgxXrc RWu6M8AfacpAXJnOxS9QEjQ= =b7ys -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Mon Apr 7 17:18:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Mon Apr 7 16:18:02 2003 Subject: keysign parties In-Reply-To: <1049555324.726.3.camel@carpathia> References: <1049555324.726.3.camel@carpathia> Message-ID: <20030407141844.GE4996@jabberwocky.com> --r5Pyd7+fXNt84Ff3 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Apr 05, 2003 at 05:08:44PM +0200, Michael Anckaert wrote: > Hello all, >=20 > I wanted to know why there are so few keysigning parties. I once signed > up for a keysigning mailinglist, but there wasn't almost any posts on > that list.=20 >=20 > Does anyone know of another list where people post announcements for > keysigning parties and such? Not exactly mailing lists, but see: http://OpenPGP.meetup.com http://www.biglumber.com David --r5Pyd7+fXNt84Ff3 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+kYjE4mZch0nhy8kRAr3XAJ9dk9xGwmbkQAAZZxO1BBoOpNzHvACfXYA/ QB6wmM0UKxM3ANiWYGVKrAI= =R1+z -----END PGP SIGNATURE----- --r5Pyd7+fXNt84Ff3-- From b.buerger@penguin.de Mon Apr 7 17:22:01 2003 From: b.buerger@penguin.de (Bjoern Buerger) Date: Mon Apr 7 16:22:01 2003 Subject: keysign parties In-Reply-To: <1049555324.726.3.camel@carpathia> References: <1049555324.726.3.camel@carpathia> Message-ID: <20030407142232.GF31705@susie.lk.etc.tu-bs.de> Am Sam, 05 Apr 2003 schrieb Michael Anckaert: > Does anyone know of another list where people post announcements for > keysigning parties and such? http://www.biglumber.com Web & Email=20 Ciao, Bj=F8rn --=20 What difference does it make to the dead, the orphans, and the homeless, whether the mad destruction is brought under the name=20 of totalitarianism or the holy name of liberty and democracy? =20 Gandhi From johanw@vulcan.xs4all.nl Mon Apr 7 17:45:01 2003 From: johanw@vulcan.xs4all.nl (Johan Wevers) Date: Mon Apr 7 16:45:01 2003 Subject: simplifying the use of --throw-keyid option In-Reply-To: <200304041632.h34GW0vP014108@mailserver2.hushmail.com> from "vedaal@hush.com" at "Apr 4, 2003 08:31:59 am" Message-ID: <200304071449.QAA02071@vulcan.xs4all.nl> vedaal@hush.com wrote: > except for Disastry's versions of 2.6.3 > no PGP version can either decrypt or generate a throw-keyid message With the new anti-privacy, I mean anti-terrorist, laws in the USA, I doubt pgp inc. wil implement this. Now that they're stupid enough to try to outlaw NAT because it can hide identities, they will certainly not like a throw-keyid option. Perhaps an idea to try to get it into the CKT versions of pgp? -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From ellement@sdd.hp.com Mon Apr 7 18:30:02 2003 From: ellement@sdd.hp.com (David Ellement) Date: Mon Apr 7 17:30:02 2003 Subject: message was not integrity protected In-Reply-To: <20030407140918.GB4996@jabberwocky.com> References: <20030407000756.GA5714@sdd.hp.com> <20030407140918.GB4996@jabberwocky.com> Message-ID: <20030407153130.GF1388@sdd.hp.com> On 2003-04-07, David Shaw wrote > > I see on messages I send between my work and home machines. I'm using > > GnuPG 1.2.1 at both ends. How is it that I've disabled integrity > > protection? > > If the key does not have the MDC flag set, then MDC will not be used. > GnuPG sets this flag, but PGP does not. Were the keys generated with > PGP? The key was originally generated with PGP5. I've now changed the preferences to include MDC. Thanks. -- David Ellement From th.falissard@etic.fr Mon Apr 7 18:35:02 2003 From: th.falissard@etic.fr (Falissard) Date: Mon Apr 7 17:35:02 2003 Subject: A GnuPG oddity (decompression) Message-ID: <003c01c2fd1b$63e08cc0$7a114251@sncb53000105> Here is a weird thing that I found when comparing PGP and GnuPG. You'll find below some conventionally encrypted data (the passphrase to decrypt is "test"). It is decrypted OK by PGP and GnuPG. BUT GnuPG generates garbled data. (I've tried GnuPG v1.0.6 and v1.2.1). This has something to do with decompression, because I get no problem with non-compressed data. Thanks for any suggestion. -----BEGIN PGP MESSAGE----- Version: PGPfreeware 7.0.3 for non-commercial use wwQEAwAByf8AABeiiyCJPTT9smRt0b/hpaOc90vsDDLDIdd5ltky2wC/G/7jbHU7 QWnOJgVAHz/9sJn6x1UJ6jBZRNhQ9V1++OL7hQ3r5vXF1I3wxulH3B5QW3fZ/OQ1 MAohPY5MFXh/pdMe5LSxGwHyW5r5R/fJ/N0EKfp/Sjx3t0R7Jn5A+KYR1W+vwO5T 3Zr9+FPFQxRXGbIT+I+9zviLm/DiWq7z6iDdInE9HZ8cZ2PTRYxfMf0X+xPBROoN LyTknhNSE08NGa4Y66PgcqwWt9fQrUxWrgizZtcVN3zAG2X/DoI7/bq+jqHYzq3J QtpPtq1NM5PP57sWV6ZjurHtCaUaWLVYgSaNqfJddPn9dyNUY2OW1T5SgXu6Rlze Rrn5XA5oHdmyamciCTY9BdQEy+/tPmAhZfTIdSU0qRcrM9l/u5HUZ1N0Fxq9IPME Fgqe+/nEzGaSZKV3xRcV+5MqYl6jkv8Ke2BBEKe6XbFgV+CUFaO5pxhk/aiH6WGL 4w+dAdj9nuH9l5aOh8hWffXlWTIru6Ahm/qbky4BzGwypRQknLGtN/rb0BcOeCRE lQ6H80rjkuiPrlq6udtqAGRPRsZTxh0MxqOdMmgVwvYFfnCKM9AHqZrE6lunNgu2 Bc636k9H6BqQksEOa6HGP4Ilg1B/P1SvCPpapG2O45P4lfvdpKKI10fK6JfKPxj1 MrnXwzhlUsWV6Uggg4k3rx9ZtHD1NX4i14XeZJR/+Q7hFWeQ7acR17oQh4EC7N0r 9MUK0uM0FVXRwWcY3h/ySiiFK3lRkE/B7qIZtDycZkwH9nTpKZj7e0RNWv/l8Zth SJn6etMOyE/alGYaN/63UQgq/lO3z6+Y87t+C43t6VY/Cx8rZvvW/3AVjTdYGEHf KQJ8afQzIks1VU4mvgu8Qm0aZUpk4l1HHpk9EInZiyGoOUcJ5/MZ478vqauy5tQo mbx/hSZrJ59ZbfRt0nIu9+y6OZBKJUk+XI8hn8jPZxYxUPprMDT3E/cjcu5Dw7Y/ rtBFLJE4EiUTzoK8m7oTeZrOEJj35gPvagFXooZlBmVDuX27mvJ03kNb82ppRBWA gA0/4UdP+ecJiPg8vyrnTjPE6m1CBNt0BIf+A+WMDeqZEjnw0W/umSupZYhPyXNy gUSdelYEZnpkd6dyR6jP3VIPnedj3oFg098g9qRxdhRv8V8JdTI3Bv04CYgu+IPG BLpt1B4A3vvfGDeonPcnsPe8UoNWlHFF0Gr0OHlUPWSMkWa1kIXJsJP31NIQNZfl TkWsfjqTuUfObgUIspYshpDFno8ZaIx64TM5RZKflfl+BzSNntQHdV1OPEdgRmrt 4V93x2zIwpVKNiKDps0XgDNUFAFvUmqkKSCKOu391tnpN2TubAd+vR2EFV8rbVEJ Q+0DLT1gxYQ+ofnuDddH5Xv0saTSBAeN2rP8wv3kqMtDuSWhzYOWLyFKbvYsKbm9 Nvt3FCg9cKyfC0wdmxyk10/qIakJVACcNnEvgiyqsDfNaHPTzoqnbbk6F8c2iSH7 7QRwsHL5xw4OBhcXDzSbaGBSSLABykkT0YMrCUtHZHALtwndervgs1bGixIEHj5y AZxo3UhSplrQs3+UsLg13734FnPbnU/KfR0W5jSDNDi/Q8TKdNkZSAK7YZMip80c 7NXyZXW9lS3e+OndkG5m7qujCeVMXQs0FzG+jiHbuZt9eo+9j06lWtdIG2sFhS2b v+qfMDS7kSSM3vTHaF9TjAaFUfatMA7XQA+/u5GEU1LAZU8DPWsrWLTQtU621vFR 0GD3pz9L+l6cVATI5fA+X8WmuUKna1OQS9eJX+ZjRBclKxcoLmlzqCVPLp5rwtI1 92iR43JZXq/NXuwDTPgXn8ioO1kyFy1X0qKuYp3ZYSgkNEZhA4e/XDrNGo1EozfT +UFMcUiE9CqrHHzCfAkJtky6nCOsAmf15x0lirXsJfC3RD3o74OztedD4A7zRLJB 57k4EHsMqlanpe2v0wBrtI73MyeOsOJNe5znIvGqmaQNFZ74nx2jn3Mwr1wdB8YH k+t0+iNIXbVMQ58pX86eoS5YuXtkWBrF+KIjtZznLglPj5/Ur93oA/agcftq8sLN nAQ/c9ZalzyCJN5WrYIbw1gnqorVPQIqy4O1/tGWNmadf8jHaV5Xn3p0ShoRHb38 3KQCx/DruQ07r7edNmpuDDFlwv68Wxj7eNzskNO9k6+fz/xpNbNgC+zKk54zzNL4 jLM1JVhN7+cZkNG85MFTqoKbJlViEnue7Lq9fHO60IETzy3BlTaxajKkTFpHWfJC n7BA9e+P0OUYEYCEfgI6Dhcxzc0eW4FzYxwK5MQuz0NSPMMpwzH9xJ7MYBP04Q+L RmQwvZeKz/DePfPOcYIJZrHSU+jIO4DO2Bp2JqM+7HMgODXELzkrGaf51v6HnVQF BoKGoc0SenCoSxSrkP6Jh7DdkfTmk9t8rx0Dnax2bggaV0WjkMwaJeMwYgGjAjtb j1mINQVMIBMpmA4F0T9xUN7G4SM4IrwwzmoK2eDB05xY68Sb9XCAVGj2fnqB9Zhr NqAYiX920V4eOrwf8gUrTpWxXR2jtkndLSrAOrViKpp/W9bxcQjnOxZTYk/l+7sn Ulmo3/RHC7F4c9/dv5fwohoQDQd4XD9Hz7YLZ6+xyVaS7qVwI0uXNLhB7le7C+Rr ci8Sp10Mr/GfHbl8R7UP99n6uPkVyLcUWS4okYusnPPhL4a4z+GJBUAvEMhKJIqt R22ml+EVbospe99xcVnWxU1FsTLH8jroNWFpvJmbkzM7Pzf3q6XkRbze7mCLAPiV 2Yk8lG1u01zRCy4fniHSF/o9sUWGrz+KuB87T6kb2jeYhv8EDpsAxkkjUR/2rsxI /AN1DS1fUvQaLvPpa8IFOkaZCUpGYwSqfaT9mvOcQ7bWeSJgBxUiGyuav167VeRx +7TZlGmRUSlZEBCjnCjcMPBponDMHM6EEMYiBvzmvOU7rj6Tr/wZ0uFlKk4H/KhP rPFSRXFG4VGrJs/ZIUyI0qTohOx5oy8TShQLP25Pbh7RNOIh8qix1ORf33STfv17 49ef60E9GEiAonkMQIoE4DGzY7U0elJW8VVGdIieFFi2pKQIi6NcE3tXduEScY09 7gp5ObQIvHZf3+kJfDbNPzFXOyWH6qq5+S+Hmzfk4pmYoH221+fHuBF846tu/Oa/ D0tW4gJN97EfKb6LvPrcTIH2Znb8QgLmL6+BvR+L01nuUWtxRIhrXc2QbmyG8pkD Ev0Ye/66IUNj29yWYgKS9gQOS1d23h6TiPP5UBTjQn3jd1KtiJq1+2Qg8IMaZpzt QvK2lSqQVoXGdUhxGJtbFl12E82TLOBePqV3WlWZ94rdwZXvb69f4XLCNzXF2OsW qkfsNbE/FpkvmawUwMFLQTYmKchggVcJdfrC/C/CZh1mrkmyAdlTMxFWapSNvgl6 eRNC/D3dzxwGTQrBIJulRWpYBx9mSTWPAf7cvFu7jD06q156kEC24D5mPaxkcVNc iyMQimird3FR6JwKZzP7QnwCP2I/0jWz2xOWb919UvEKSQU9ZuzFBm0cqqvGtOGy PZI3egVZZbxUnKg5Sn7bF72D0kP/j+oCn9bvKxWNlUtIFwyz3twydqFYFTzCNg/T XLaasNw8k+5GHxpIL0aL2IxJ2uYRGtNXU3+Vnf7CikncwKYMBUrxfnfGOjXaNKAH +pUeHXzkWl/5+eFWYGR2Bxtg1BkHljHFm7jz0eHFULq7sZEDi4oPpgQmqor7zyxr TLfUfoHaVEAmyBvrIrU9ktZ3IcudFhk7hQvOW1ZF4uw+VrCFzHxf6nk+vvh6exiT amcH9S2QuM7v+uW1HilPLyFf2ivfqjzSEapPIIG4RlKIMIKXJOCP7jVNCcjnyOxi aXRMjtcGhRoH0FJEK4j8lrMM9sykdxgqniKCrcjSQAJrQbqcJX83VCMXS3wgTtIQ 9wg5JiZCpaQlPqyYXS1jJIh7AdbUSM+nLc9h9rm6CrQgSP7LEh6iSaR3KZbggoIS Kkh57TRjXgn+lczVj0kJZfQS6WBhuZQ/vjuB4ye3f3Ki2Tl6H8wSdlRaXQ1nVIOI nQjTbkfdmFDrpOphVh3kdK/MdVMBA5e8IOvrNQt/cmHxGN342UeUn6czVdiVmZFS kHuH6r0AElAdjCa8LaIno5HAhfATVcYNvddZnHokVoIl0Ka3iEOslGQKUuMJu+oz qwDs6N7ymAcn6CKcGLkQ9HllSyhfZtAB+MZ5H/MhEnXZawmty4Vm7IYsN/UEqlzN LGRJq0p5Zp0TYemHw3XLKDl68Db8QlLNAk1vf3HTKLIouDieZxhEsG36m4S1GJcs 8MUW9iudUCAMQRsCJqXuF829T7vGxx3LF6JdT2+rh8nRsUEqSux68khZDxSwic2q 2dbUzNODxOaYwOBjJ6Y3lAVyAgZax6Pj9mWnjcL1P/gK3/Hg15iA4VAZbyUbtAM/ LpxLveSALwpl6naz0bC90Kf8U1UqWBXDBBnQAY6tJSan9U29fwRR/5Rya8UIZf5g v+XdSs/61X/s9ix77gZTn9RF7LNudWM0E2HVDNFe70OLH5D2G86YVO0TcD1s+qXa fmAnR0koNF1A1oWLNYsZls+aa9EGltRVb7Hqsh1SpqkjW2b+cpWaztkNTw21840d 40oNpVF621RQANqIc5t4VEazGawsWTpHgiTUO8ZUPAXxqmMJ80DyYehx5c9/ryqp 4afGV6pzZH7/+6TTmisThwMFdy4xn7pSblgidq8r624HTzJ8NUvzbtF8iIgqxIHB CgF43d6xaTDGot36DqU46bmE7OD2DJloAnHA0Pq0B9vOTv+p0rKAvU+FjqIAK3QZ 1RW0StI091NYUOgxoTQPujHzFYC4fUdeyzUJnEtFSIbnsEOXW+lheDk6u/cmA26N b88VBv6mWSVf+PP6cZB+Y5S8UkS7YZCAM4A0wsuqNYRmlgeVD7361O7VRokMHhx1 q3+rdthdSmbFvOu8nMxJBRhhy5nKPijRqCMYq38+5AGUqv2JZGgkS+Kc3q+7n6TM oFWWL9SspC62fwq6l9j/065kMEje9dpoSjFuhf685NTw+0+kXMKqUBWYebK84kdw gXyBk5myNC2AScv5ZhiYCA+ex4AscFPRPJJnOlpav3kkCwWRGqAJibiEFu6RvTSU 7zUgcsz78YTp7OlPPPNcL5+o0urtBMFvUyZDxwa8F6dJqO/ZrabW2f2fir1ETCTw l0us4OtPsz6By7esiFX/ByA8tpR0914Po7HKfk7eR3EyzeBtGmiIzdRghYk/Ha30 uThJjdzpcg51Y9Ey21hBUK8W0l3MBb+qYgSbY773hBxWRqzgXgdpqRA1IWewzCkS 1za90uiGsBMjQvp5HcHXON6Z8SLKDtmSNvM63S+BcC8YybXvRsMMndb/S8nImT6e ADD56KbKN2mmU82DHx2XmkOHMiFzc5Ksnkd7jDtl8fGw4ESt3mu3cIcXegNJ3b3Y dkSS0GCnl5JwYb1kIHHXjGtEKGspDXb6FT0/egbxiicGmqEnN9/p76K5+OY7rO3C IcETWoBTGv1ura6IxeoaLffV0OEb9vjaK/2zL8LzyMfOtMey4zVqa9pb+1oHgETd K/GSQJFQ2tgfAw4bzqzaYrw4ZGHlRCVu56rGwu5Gu6XqSoOa+uAq389hI8KeKH1N pIU/RS5289EnO77fFwAzwqJ9IP6awTr095oExI6mlD8/IwERdHugkBGwdwn5d7Zp wtuwiHLrGHOoKRxy1q4CUK/oFcZVL6iQoj+OUnV4/GNmyt/cW2JiX6mDjZ0XeWEw qG2wuxVzWAwVsBTm+l5SKlHKRU7aBM4htCPwlhDfNSA16nyE+ll1jGOF9UkaCSFf 86EfFfcRILfsbA4HWH8uTccIvYgRhTJzxHS80WAIFxEEK1EJgB091aBQlzpMeQt+ 19VIVoh0jw92Sw3WTp62Olwq5sHtSR7yVUzVI59SNHtP1WM9E+7ioOV6h8yyiskI +kEVhZtgdFOpb2sV+eEQ3bzc2ADajfNVnLc/RMZEY3cTZvy6azVVi+CTrp5nwcCZ 8dgiw4I5+dcuC19JZqC+A6mmwLtrNyqv5K3JGh9FTgA2OygcAIyp62J1gvJZNlFH cf+I85X5jWCsrdmB8UmVJtshQW01/EScT/w6xqaP64HZdOAxFJx5T4a/FkKKK7cT g303It6a+f/RjEOAvewBSp6LRZq9j7PNtCra8ipzme/z5XGUF/e6iJAmyTFGsWLU 0Vx41hORHreMO4ZD2vY0x96Vj2fbl9vkNZidDiz4dX4pxBu5C9YotOQTZt1td+x9 8K9ORrslT5Xjg1xoPcFd8+zLiJV0GZA6uhsXXFUIik9MMyXWMfgEED8ugk4ZGsM7 EKoUoC/xSh7EB2+SsFB8PREFWdBk2oKCOOo7KV4rrP/C5RMe+YsWgBv/U0cwKcZA L4xf4vPABZALGkPydDG+REaDijUqwCBA6rlrVpeKC0RDZk2nC9hwYZRbXiNjelW4 P4JhJuc1hYHo7pdiYykHOyXYm01CDElKh9qPvYjicQHFLHRWo9HV8m81QxCiPxF1 i0wwj9bLyKsR63VEo5NTdyJuU5hcGw4KlO/2cwVkoZmRwKKz2sCbZ2JFNIfnOnbU dLxEoCotbi7NGVrsVqRr9OfHINY9eZFIyTc/pR7fdJykePnP8dOT1uxcoat1b4JS 1Xj8AxnGff/W4wO1dxHP1X7RywrRHUG/qQ/BLBLTbHpolbJQkMqOyWNsiuXt26NH l804R4k4TGJWGQ6vkJwE87ubRPYbQno7M1UG7I59sJqCyJ/iC3SJlaRsHa/bSgcF 7EQ43dvMJhnpkA7mHx67IcWABT2y6tsXLL/mwFcI+AsOScEuk4wGxJlpiGvPhAVk Zkr0VaJDdwXooQ/Frvy+G2ZIxdw8QXZBHpaCskXLuJEmlJWfTN4mS8X0ncrsbDDZ BJ2yHJD8Qt3G5DV+4mT2qg96wNuC3So4udYIy7oL4vks6KP27ghdg7iV573yejPj iwKB1/ihDvv54fHhVEKkBlh2CG/EJ7XfPnGGBzSq3JtecCXOIrtvVV/k69zgLoiX EwBbSFpYBBHEMIX7ycs6KIEDoUjXvKCe8j7K1jtQwetZLs0diUkY3oPy12Wk1I2Y 5Uhx7AYCcOI/+7n7fVjBET42RisMMecO57Seyo5OWnrhWzFD7mBZscjrKiYvGY7+ VyMppS1TrrzXvcBEejkujNodqVqnVH7zEnQIzi7cpKJzDDfBGBj1gjiDOYL2Or7k gn2w8+ExaAHyPE8C8nbvz+NF6XlpKQpruyOesseI72L3+DqXfcAUkruBPOuaN2aS FwErQVC3T69a2P23Mqng8NzOlHyuEVlm3hkbtMjQhcXOPxtqn94VdIQ/nExoZlJq OSb6dTGHuB99yf+p7ZG7+DaulI5YzgQR3gDXLs2Of+XhLZP28tCDugOqSVAYvInT 13WkrVK7I2taHTKV79G1Bc8/5tIxikygzKEw3XDUoxdESHF3agAFxBNMGiEbuCZK aryKdayGYC6DiJ+XMvecwkrfM8fCaxi5t7aQCVWjIyr5ZIPFZappsq32WQYGfqLa EhSZL54xmq0F8+HLXF9YA+MOyDVt7BC2HPHlJ7MM7pDYxzIAIzbolQ4dSI8GjpTB LqEIqruhKneu1Cih+cveVJoVdHrHibysci2RAcuGCpffpkFejUCI8i0ON4qRW2qU 5PhJ89rdgTFk7eoqnFi0MM/8r213qA14RZ2fYxDwyx1foriHBg5XlIygA8dDQBN9 6PRD1mPuoXjtUHBtoD67aJaIqrnLlIpy3j1XpUbCIRDOrKJfhWOvJiXlUXZ0EKSV MXukKvG/aD3hKcekAM1LRVHfRofbRumdKL3DWiFzNWw1865CsdPsQTfXQbi+aJ94 pZS51mDahaOI/jIpBmXkEW1DZIUJeH2bWXB2v6o1RDkP52uiydbnzJ6o7q4br60v N171NQ94G75sfFFC/lGa2wU0LU/k/hLGeIqNsqNDjfpefXCEbio56A/lvTni7MeM J0M7UU5kidHP7ucPU1w= =L/3a -----END PGP MESSAGE----- From eugene@esmiley.net Mon Apr 7 19:27:01 2003 From: eugene@esmiley.net (Eugene Smiley) Date: Mon Apr 7 18:27:01 2003 Subject: A GnuPG oddity (decompression) In-Reply-To: <003c01c2fd1b$63e08cc0$7a114251@sncb53000105> Message-ID: --=_SSQa.1ffRjcCapqGDEGa6LwcYZ7pj3 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable gnupg-users-admin@gnupg.org wrote:=20 > > Here is a weird thing that I found when comparing PGP and GnuPG. > You'll find below some conventionally encrypted data (the=20 > passphrase to decrypt is "test"). > > It is decrypted OK by PGP and GnuPG. BUT GnuPG generates garbled=20 > data. (I've tried GnuPG v1.0.6 and v1.2.1). This has something=20 > to do with decompression, because I get no problem with non- > compressed data. > > Thanks for any suggestion. I get it to work fine with both PGP and GPGshell. Nothing comes out=20 garbled, but I do get this from GPGshell: gpg: CAST5 encrypted data gpg: WARNING: message was not integrity protected Time: 4/7/2003 12:18:33 PM (4:18:33 PM UTC) Here's what I am using: OS : Win XP PGP : 8.0.2 GPG : 1.2.1 GPGshell : 2.65 --=_SSQa.1ffRjcCapqGDEGa6LwcYZ7pj3 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (MingW32) - GPGrelay v0.92 iD8DBQA+kacc6QPtAqft/S8RAiI+AJ9g+CpuZZNyyA3cexerdHw2EEyo+gCg8qq1 5IyPPkH9qhWWLWIwIyDN2bk= =FJxR -----END PGP SIGNATURE----- --=_SSQa.1ffRjcCapqGDEGa6LwcYZ7pj3-- From th.falissard@etic.fr Mon Apr 7 19:41:02 2003 From: th.falissard@etic.fr (Falissard) Date: Mon Apr 7 18:41:02 2003 Subject: A GnuPG oddity (decompression) References: Message-ID: <002001c2fd24$973aac50$7a114251@sncb53000105> To be precise, only the end of the data is garbled... From sbhatt@installs.com Mon Apr 7 19:42:01 2003 From: sbhatt@installs.com (sbhatt) Date: Mon Apr 7 18:42:01 2003 Subject: gpg: [don't know]: invalid packet (ctb=4c) Message-ID: <3E91AA71.3010502@installs.com> Hi Group, I installed GPG a few weeks back and presently I am decrypting some symmetric cipher text. One of the errors that has shown up last night (for the first time) is gpg: [don't know]: invalid packet (ctb=4c) gpg: [don't know]: invalid packet (ctb=4e) gpg: [don't know]: invalid packet (ctb=47) I tried looking in the mail-lists but did not find anything (may be I skipped it) but can anybody please let me know why this error occurs and wats the workaround for it. I would really appreciate all help thanks much Sid From pt@radvis.nu Mon Apr 7 20:29:02 2003 From: pt@radvis.nu (Per Tunedal) Date: Mon Apr 7 19:29:02 2003 Subject: A GnuPG oddity (decompression) In-Reply-To: References: <003c01c2fd1b$63e08cc0$7a114251@sncb53000105> Message-ID: <5.1.0.14.2.20030407192828.00c4d648@localhost> At 12:28 2003-04-07 -0400, Eugene Smiley wrote: >gnupg-users-admin@gnupg.org >wrote: >> >> Here is a weird thing that I found when comparing PGP and GnuPG. >> You'll find below some conventionally encrypted data (the >> passphrase to decrypt is "test"). >> >> It is decrypted OK by PGP and GnuPG. BUT GnuPG generates garbled >> data. (I've tried GnuPG v1.0.6 and v1.2.1). This has something >> to do with decompression, because I get no problem with non- >> compressed data. >> >> Thanks for any suggestion. > >I get it to work fine with both PGP and GPGshell. Nothing comes out >garbled, but I do get this from GPGshell: > >gpg: CAST5 encrypted data >gpg: WARNING: message was not integrity protected > >Time: 4/7/2003 12:18:33 PM (4:18:33 PM UTC) > > >Here's what I am using: >OS : Win XP >PGP : 8.0.2 >GPG : 1.2.1 >GPGshell : 2.65 Hi, I get some extra letters in the message when decrypted with GPG: e.g. "Here's how it worksyfor authentication: Alice, ..." Maybe you didn't notice? Per Tunedal From vedaal@hush.com Mon Apr 7 20:51:01 2003 From: vedaal@hush.com (vedaal@hush.com) Date: Mon Apr 7 19:51:01 2003 Subject: simplifying the use of --throw-keyid option Message-ID: <200304071750.h37HoNsM018152@mailserver3.hushmail.com> >Message: 14 >Date: Mon, 7 Apr 2003 10:17:14 -0400 >From: David Shaw >To: gnupg-users@gnupg.org >Subject: Re: simplifying the use of --throw-keyid option .. >> [2] can there be an option where one can choose to have gnupg >inform >> >> the user if the passphrase is entered incorrectly for that key, >> >> {especially useful for 'secure' passphrases, entered from the commandline, >> >> where mistyping may be common) > >I don't understand this. GnuPG already reports that a passphrase >is >invalid. .. sorry for not articulating the request more clearly: as the throw-keyid switch implemented now,(1.2.2), gnupg gives only one chance per key to enter a passphrase gnupg does not distinguish whether it is the correct key with an incorrectly entered passphrase, or a correctly entered passphrase, but not for the key it was encrypted to, and after only one chance, without saying if the passphrase is incorrect or not, goes on to the next key so, if for example, i have three 'real' keys that i give out the public key for {one v3, one v4rsa, and one dh, } each with a different passphrase, then, i don't know if one my keys is the correct key, but i entered the passphrase incorrectly, or if it is a passphrase encypted to someone else's key and not mine at all my request is: can there be an option for gnupg to give an error message of 'incorrect passphrase' for each key that it is checking when it tries all secrets, and if incorrect, give addtional chances to enter it correctly, just as it does when asking for asking for the passphrase for signing or encrypting Thanks, with Respect, vedaal Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Big $$$ to be made with the HushMail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427 From markus_kampkoetter@t-online.de Mon Apr 7 21:02:01 2003 From: markus_kampkoetter@t-online.de (markus_kampkoetter) Date: Mon Apr 7 20:02:01 2003 Subject: A GnuPG oddity (decompression) References: <003c01c2fd1b$63e08cc0$7a114251@sncb53000105> Message-ID: <192ax1-1wJRi4C@fwd10.sul.t-online.com> Falissard schrieb: > Here is a weird thing that I found when comparing > PGP and GnuPG. > You'll find below some conventionally encrypted data > (the passphrase to decrypt is "test"). > It is decrypted OK by PGP and GnuPG. > BUT GnuPG generates garbled data. works fine for me (gnupg 1.0.6 & winPT) > (I've tried GnuPG v1.0.6 and v1.2.1). > This has something to do with decompression, > because I get no problem with non-compressed data. > Thanks for any suggestion. (snip) -- markus kampkoetter From dshaw@jabberwocky.com Mon Apr 7 21:50:01 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Mon Apr 7 20:50:01 2003 Subject: simplifying the use of --throw-keyid option In-Reply-To: <200304071750.h37HoNsM018152@mailserver3.hushmail.com> References: <200304071750.h37HoNsM018152@mailserver3.hushmail.com> Message-ID: <20030407185017.GG4996@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, Apr 07, 2003 at 10:50:22AM -0700, vedaal@hush.com wrote: > > > > >Message: 14 > >Date: Mon, 7 Apr 2003 10:17:14 -0400 > >From: David Shaw > >To: gnupg-users@gnupg.org > >Subject: Re: simplifying the use of --throw-keyid option > .. > >> [2] can there be an option where one can choose to have gnupg > >inform > >> > >> the user if the passphrase is entered incorrectly for that key, > >> > >> {especially useful for 'secure' passphrases, entered from the commandline, > > >> > >> where mistyping may be common) > > > >I don't understand this. GnuPG already reports that a passphrase > >is > >invalid. > .. > > sorry for not articulating the request more clearly: > > as the throw-keyid switch implemented now,(1.2.2), gnupg gives only one > chance per key to enter a passphrase > > gnupg does not distinguish whether it is the correct key with an incorrectly > entered passphrase, > or a correctly entered passphrase, but not for the key it was encrypted > to, > > and after only one chance, without saying if the passphrase is incorrect > or not, goes on to the next key This was also addressed in 1.3.x, as there is only one passphrase prompted for. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+kchp4mZch0nhy8kRAox7AKCMb2Df6mpBUfiVDzUMwyM0imJmjwCggyVJ dFLjm+y9j0080JxBQ7sEhmA= =UNE8 -----END PGP SIGNATURE----- From michael@silicontao.com Mon Apr 7 22:25:02 2003 From: michael@silicontao.com (Michael Weiss) Date: Mon Apr 7 21:25:02 2003 Subject: Invalid engine??? In-Reply-To: <0HCX0037PJGDU4@l-daemon> References: <0HCX0037PJGDU4@l-daemon> Message-ID: <0HCY002MT2IEMA@l-daemon> I figured out that I have an older version of gnupg installed. That is probably what was causing the error. I have installed gnupg-1-2-1 a whole bunch of times I get no errors, but it doesn't seem to overwrite version 1.0.6 On Sunday 06 April 2003 10:06 am, I wrote: > Hello all, > > I am developing a small automated data exchange program and I am trying to > get gpgme working. > > I have gnupg-1.2.1 and gpgme-0.3.15 on a Mandrake 8.2 system > > Everythings seems to work when I use gpg from the command line or gpa > but when I try gpgme I get errors. > > 'gpgme_get_engine_info' > returns: > > > OpenPGP > 1.0.6 > /usr/bin/gpg > > > > BUT: > 'gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP)' > returns: > Invalid Engine > > Can anyone tell me what I am doing wrong? > > Michael Weiss From gr@eclipsed.net Mon Apr 7 22:58:01 2003 From: gr@eclipsed.net (gabriel rosenkoetter) Date: Mon Apr 7 21:58:01 2003 Subject: Import a pubkey sans self-sig? Message-ID: <20030407195903.GA21667@uriel.eclipsed.net> --W/nzBZO5zC0uMSeA Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable I'd like to encipher things to keyid 75E4988D (seems to be on wwwkeys.pgp.net)... but GnuPG simply refuses to import it because it's lacking a self-signature. pgp 6.5.2 (yeah, I know, but this is a long-standing production process at work that I'm trying to update) has no trouble with this key. --expert doesn't help and we don't have a --force... If that's a truly malformed key, how'd it ever get on the keyservers? How does pgp6 manage to grok it? (The issue here is that some fool wrapped Perl's Expect module around pgp6 to solve a problem that's far better solved by GnuPG's --batch. And Expect falls flat on its face when, say, the ciphertext file already exists and pgp asks for permission to overwrite it.) --=20 gabriel rosenkoetter gr@eclipsed.net --W/nzBZO5zC0uMSeA Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (NetBSD) iD8DBQE+kdiH9ehacAz5CRoRAniQAJoD5lbORFdq4y11LYask0NLDUqovQCfSqM5 LjabG3/LbTQh3U933s/fOj8= =mTMJ -----END PGP SIGNATURE----- --W/nzBZO5zC0uMSeA-- From Todd Mon Apr 7 23:15:02 2003 From: Todd (Todd) Date: Mon Apr 7 22:15:02 2003 Subject: Invalid engine??? In-Reply-To: <0HCY002MT2IEMA@l-daemon> References: <0HCX0037PJGDU4@l-daemon> <0HCY002MT2IEMA@l-daemon> Message-ID: <20030407201605.GC25851@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Michael Weiss wrote: > I have installed gnupg-1-2-1 a whole bunch of times > I get no errors, but it doesn't seem to overwrite version 1.0.6 How did you install these versions? If you're using a stock Mandrake system, I'd guess that gnupg is installed via rpm and is in /usr/bin/gpg. If you installed 1.2.1 from source, it defaults to /usr/local/bin/gpg for the binary, and /usr/local/bin is probably in your path after /usr/bin. This would cause a call to gpg to find the old version first. Try uninstalling the gnupg rpm, if the above matches what you've done to install gnupg. - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ============================================================================ The trouble with most people is that they think with their hopes or fears or wishes rather than with their minds. -- Will Durant -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iD8DBQE+kdyEuv+09NZUB1oRAjk2AJ4/4ikgj6az0WialceFGidBeU5WvQCcDjZg R7nJWWBdVPo2gl/HcKHimWs= =hn3+ -----END PGP SIGNATURE----- From Thomas.Arend@t-online.de Mon Apr 7 23:26:01 2003 From: Thomas.Arend@t-online.de (Thomas Arend) Date: Mon Apr 7 22:26:01 2003 Subject: Double encryption ?? In-Reply-To: <3E8EC8A8.6010505@hankeln-online.de> References: <3E8EC8A8.6010505@hankeln-online.de> Message-ID: <200304072127.03653.thomas.arend@t-online.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Am Samstag, 5. April 2003 14:14 schrieb Oliver Hankeln: > Hello, > > a friend of mine and me were just starting using GPG. > He encrypted a text for me an sent it to me. I was able to decrypt it. > BUT: He was also able to decrypt the encrypted message with his own > secret key. > The only reason why this could happen as seen by us is that the text ha= s > been encrypted twice - with my and with his public key. > We just want to be sure we didn=B4t make any mistakes. Is our assumptio= n > right? You are partly right. AFAIK the encryption works as follows. A symetric key is generated to enc= rypt=20 the message. The symetric key is encrypted with each public key of the=20 recipients and included in the message. For decryption you will decrypt t= he=20 symetric key with your secret key and then decrypt the message. So not the text is encypted twice but the symetric key is encrypted twice= (or=20 one time for evry recipient). Otherwise a message would grow very fast. As others mentioned, the normal behaviour is not to include the senders i= n the=20 list. But most mail clients do it by default.=20 Thomas =20 > > Thanks, > Oliver > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+kdEF2TqsmTFMxwkRAhrsAKCLajDctOcR6BbRXJzrC0t9zDYN6QCfdtB9 HdfPGPr0m8mw4x2RdSDlHuI=3D =3D8/D3 -----END PGP SIGNATURE----- From ninjaforce@netcourrier.com Mon Apr 7 23:31:02 2003 From: ninjaforce@netcourrier.com (Maxine Brandt) Date: Mon Apr 7 22:31:02 2003 Subject: A GnuPG oddity (decompression) In-Reply-To: <003c01c2fd1b$63e08cc0$7a114251@sncb53000105> References: <003c01c2fd1b$63e08cc0$7a114251@sncb53000105> Message-ID: <3E91E00F.6070605@netcourrier.com> Falissard wrote: > Here is a weird thing that I found when comparing > PGP and GnuPG. > You'll find below some conventionally encrypted data > (the passphrase to decrypt is "test"). > It is decrypted OK by PGP and GnuPG. > BUT GnuPG generates garbled data. > (I've tried GnuPG v1.0.6 and v1.2.1). > This has something to do with decompression, > because I get no problem with non-compressed data. > Thanks for any suggestion. > > Decrypting with GPG 1.2.1-nrl and Enigmail in Mozilla I got three sections of corrupted text. When I open my mail window full width I see these three sections exceed the width of the rest of the text and the corruption begins at the point where these sections exceed other lines, so maybe there's a line-wrap problem. Hope that helps. Cheers Maxine -- ========================================================= My keys are at: http://www.torduninja.tk ========================================================= From Todd Mon Apr 7 23:36:03 2003 From: Todd (Todd) Date: Mon Apr 7 22:36:03 2003 Subject: simplifying the use of --throw-keyid option In-Reply-To: <20030403051510.GL2873@jabberwocky.com> References: <200304020340.00256.malte_gell@t-online.de> <20030402134356.GE2873@jabberwocky.com> <20030403011740.GD11007@psilocybe.teonanacatl.org> <20030403051510.GL2873@jabberwocky.com> Message-ID: <20030403190151.GC18236@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw wrote: > On Wed, Apr 02, 2003 at 08:17:41PM -0500, Todd wrote: >> Pardon me for asking a question when I know very little about the subject, >> but why not display the key for which gpg is asking for a passphrase? I'm >> thinking of what ssh does, using key based authentication, it will prompt >> you something like: >> >> Enter passphrase for key '/home/user/.ssh/id_rsa': >> >> Could that be done for gpg when it's trying your various secret keys? >> Obviously, it would use either the keyid or some other identifier in place >> of the file path as ssh uses. > > That is what GnuPG currently does. Oops. That's what I get for asking about something I haven't used. :) - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ============================================================================ I was brought up to believe that the only thing worth doing was to add to the sum of accurate information in the world. -- Margaret Mead -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iD8DBQE+jIUfuv+09NZUB1oRAq4MAJ4m6x2XXEp1RrmrDofbnXiO8EJh8QCZAWXk oa59RNODJEWLy2fJyd1VXps= =LO5Y -----END PGP SIGNATURE----- From michael@silicontao.com Mon Apr 7 23:44:02 2003 From: michael@silicontao.com (Michael Weiss) Date: Mon Apr 7 22:44:02 2003 Subject: Invalid engine??? Message-ID: <0HCX0037PJGDU4@l-daemon> Hello all, I am developing a small automated data exchange program and I am trying to get gpgme working. I have gnupg-1.2.1 and gpgme-0.3.15 on a Mandrake 8.2 system Everythings seems to work when I use gpg from the command line or gpa but when I try gpgme I get errors. 'gpgme_get_engine_info' returns: OpenPGP 1.0.6 /usr/bin/gpg BUT: 'gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP)' returns: Invalid Engine Can anyone tell me what I am doing wrong? Michael Weiss From Todd Mon Apr 7 23:45:03 2003 From: Todd (Todd) Date: Mon Apr 7 22:45:03 2003 Subject: Import a pubkey sans self-sig? In-Reply-To: <20030407195903.GA21667@uriel.eclipsed.net> References: <20030407195903.GA21667@uriel.eclipsed.net> Message-ID: <20030407204609.GD25851@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 gabriel rosenkoetter wrote: > I'd like to encipher things to keyid 75E4988D (seems to be on > wwwkeys.pgp.net)... but GnuPG simply refuses to import it because it's > lacking a self-signature. man gpg says this: --allow-non-selfsigned-uid Allow the import and use of keys with user IDs which are not self-signed. This is not recommended, as a non self-signed user ID is trivial to forge. HTH - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ============================================================================ When is the last time government admitted it might have made a mistake and canceled a program? -- Thomas Bray -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iD8DBQE+keORuv+09NZUB1oRAqrhAKDmDDh+P8pG8zrHE1U8ewlzzzT9vQCgk3tA 95V4tO/fRM4u3GBmZDBGT80= =n31e -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Tue Apr 8 00:14:01 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Mon Apr 7 23:14:01 2003 Subject: Import a pubkey sans self-sig? In-Reply-To: <20030407195903.GA21667@uriel.eclipsed.net> References: <20030407195903.GA21667@uriel.eclipsed.net> Message-ID: <20030407211421.GA22190@jabberwocky.com> --1yeeQ81UyVL57Vl7 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Apr 07, 2003 at 03:59:03PM -0400, gabriel rosenkoetter wrote: > I'd like to encipher things to keyid 75E4988D (seems to be on > wwwkeys.pgp.net)... but GnuPG simply refuses to import it because > it's lacking a self-signature. >=20 > pgp 6.5.2 (yeah, I know, but this is a long-standing production > process at work that I'm trying to update) has no trouble with this > key. >=20 > --expert doesn't help and we don't have a --force... --allow-non-selfsigned-uid David --1yeeQ81UyVL57Vl7 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+keot4mZch0nhy8kRAiIqAKDOVWtGGh8fjQOHk8dM/4JchfBNmACdGYRi H210SUkeqk+yOnS+x9ZNW9Q= =XhBi -----END PGP SIGNATURE----- --1yeeQ81UyVL57Vl7-- From j@erf.sh Tue Apr 8 00:52:01 2003 From: j@erf.sh (J Irving) Date: Mon Apr 7 23:52:01 2003 Subject: keysign parties In-Reply-To: <20030407142232.GF31705@susie.lk.etc.tu-bs.de> References: <1049555324.726.3.camel@carpathia> <20030407142232.GF31705@susie.lk.etc.tu-bs.de> Message-ID: <20030407215312.GA29150@joop> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Anyone going to be at RSA in San Francisco next week? How about a keysigning meetup there? cheers j * Bjoern Buerger [2003.04.07 16:22 +0200]: > Date: Mon, 7 Apr 2003 16:22:32 +0200 > From: Bjoern Buerger > To: Gnupg-Users > Subject: Re: keysign parties > X-Sieve: CMU Sieve 2.2 > User-Agent: Mutt/1.3.28i > X-Accept-Language: de,en > X-Accept-Content-Type: text/plain > X-Iceberg: Happy Penguins Online > X-URL: http://www.penguin.de/ > X-Contact-Info: http://iceberg.penguin.de/~bb/contact/ > X-Uptime: 16:19:32 up 407 days, 21:25, 1 user, load average: 0.14, 0.15, 0.18 > X-MIME-Autoconverted: from 8bit to quoted-printable by susie.lk.etc.tu-bs.de id h37EMX2h032125 > X-BeenThere: gnupg-users@gnupg.org > X-Mailman-Version: 2.0.11 > X-Original-Date: Mon, 7 Apr 2003 16:22:32 +0200 > > Am Sam, 05 Apr 2003 schrieb Michael Anckaert: > > Does anyone know of another list where people post announcements for > > keysigning parties and such? > > http://www.biglumber.com > > Web & Email > > Ciao, Bj?rn > > -- > What difference does it make to the dead, the orphans, and the > homeless, whether the mad destruction is brought under the name > of totalitarianism or the holy name of liberty and democracy? > Gandhi > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users - -- I must review my disbelief in angels. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+kfNIUMt2z+iZNdMRAvgkAJwMPwM/QRVU3wMDh7a6f+FXf7lUywCgyPjK 37GFkA0204DAqzAYTrVPZZE= =WO7j -----END PGP SIGNATURE----- From jharris@widomaker.com Tue Apr 8 02:52:01 2003 From: jharris@widomaker.com (Jason Harris) Date: Tue Apr 8 01:52:01 2003 Subject: intermediate (2003-04-06) keyanalyze results Message-ID: <20030407235248.GA951@pm1.ric-05.lft.widomaker.com> --WIyZ46R2i8wDzkSu Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable New intermediate keyanalyze results are available at: http://keyserver.kjsl.com/~jharris/ka/2003-04-06/ Earlier intermediate reports are also available, for comparison: http://keyserver.kjsl.com/~jharris/ka/ Even earlier monthly reports are at: http://dtype.org/keyanalyze/ --=20 Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com | web: http://jharris.cjb.net/ --WIyZ46R2i8wDzkSu Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+kg9PSypIl9OdoOMRAjVrAJ0TVkP7AJ5wwRBlQCDFfZFJ2pBz4gCg0Wa/ cjjEDmEuljVVzqm3zv+3fpc= =khTn -----END PGP SIGNATURE----- --WIyZ46R2i8wDzkSu-- From gustavo.hlv@gmx.net Tue Apr 8 04:12:01 2003 From: gustavo.hlv@gmx.net (Gustavo Vasconcelos) Date: Tue Apr 8 03:12:01 2003 Subject: Multiple "Comment:" in signature (was Re: OT) In-Reply-To: <20030407162149.GA18805@postfix.dyndns.org> References: <20030331020444.58826.qmail@web10501.mail.yahoo.com> <3E87B1EF.3090508@gmx.net> <20030407162149.GA18805@postfix.dyndns.org> Message-ID: <3E921FA0.6070400@gmx.net> If there is a way, I don't know. =) I added mannually the last comment mannually to make clear what I've done (Comments are not content, thus the signature is valid). However, I've seem many signatures with 2/3 lines, made IIRC with a PGP CKT. The only thing I changed was the version info, and after used it I deleted and restored the original binary from GnuPG.org. You know, I trust more in GnuPG.org than in myself... ;-D But maybe I'll stick to it permanently... []'s Gustavo Manuel Samper wrote on 07-04-2003 13:21: > Maybe I'm overlooking something obvious, but cannot find anything in > manuals or by seraching the list so, how I can split a comment in > several lines, like in your signature? Or you have hacked the sources? > > TIA, > Manuel Samper -- Gustavo Vasconcelos OpenPGP Key ID: 0xFF006747 From gnupg-users@nahrath.de Tue Apr 8 05:10:02 2003 From: gnupg-users@nahrath.de (Michael Nahrath) Date: Tue Apr 8 04:10:02 2003 Subject: export single UID of a key Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 For e-mail validation after keysignings there are basically two methods: 1. Send a challenge in an encrypted mail to each UIDs e-mail address and wait for the decrypted answers before you sign. 2. Sign only one UID and send it in an encrypted mail to this UID's mail address. Do this for every UID in a key seperately. Do _not_ keep these signatures in your normal keyring. If the key owner uploads the signatures to the keyservers he prooves that he owns the secret key. You get your signature back via '--refresh-keys'. The second is the way I want to go. Currently I use basically those steps: gpg --recv-key $KEYID # START loop: # repeat until only 1 UID left gpg --default-cert-check-level 3 --edit-key $KEYID uid 1 sign save gpg -a --export $KEYID \ | gpg -a -e -r $KEYID \ | mail -b $MY_MAIL -s "your signed key" `gpg --list-key $KEYID \ | grep "@" | cut -d "<" -f2 | cut -d ">" -f 1 | head -1` gpg --edit-key $KEYID uid 1 deluid save # END loop gpg --delete-key $KEYID gpg --recv-key $KEYID So the first UID is signed, the full key exported and sent, the first UID is deleted and now the prior second UID is the first and the game goes on (with the key getting shorter in each turn). Currently this only works correctly in GPG 1.2.2rc1 because in earlier versions '--list-key' and '--edit-key' have different sorting orders, if the primary UID is not the first. Of course this should be done on a temporary keyring and the mail sending could be enhanced. Both is already scripted - but that is not the point. I have the feeling: There must be a better way to do this! Something like 1. Sign the full key 2. Export only one UID of the key 3. Encrypt and send the exported one-UID-key 4. Back to 2. Is there a way to export only one UID? If not I'll have to stay with the destructive method. In this case: Is there a way to sign and delete only one UID of a key without using the interactive '--edit-key'? Greeting, Michi -----BEGIN PGP SIGNATURE----- Comment: http://www.biglumber.com/x/web?qs=0x9A4C704C iEYEARECAAYFAj6SL14ACgkQ19dRf5pMcEx0qwCfRO/Xjr73D+LuxpgZjkpkNbJa 1XAAn3HkgM2HkzwDHTAEdTh00VIBy9SX =vEZA -----END PGP SIGNATURE----- From hh@hackhawk.net Tue Apr 8 06:18:02 2003 From: hh@hackhawk.net (Hack Hawk) Date: Tue Apr 8 05:18:02 2003 Subject: Suppressing gpg messages from php exec command? Message-ID: <5.2.0.9.0.20030403182846.038cb2a0@mail.nightsource.com> Hello, I'm pulling my hair out over this one, can anyone assist? I've searched google for hours but to no avail. I'm trying to suppress gpg output from within a php script. Here's the important stuff. --------- PHP ----------------- $msg = $some_gpg_signed_clear_text $comd = "echo '$msg' | /usr/local/bin/gpg --decrypt"; exec($comd,$res,$errcd); ------- END PHP --------------- I get the unsigned text in $res without a problem. The problem is that the following output is sent to the terminal/browser/whatever. -------------------------------- gpg: Signature made Thu 03 Apr 2003 06:24:21 PM PST using DSA key ID AABBCCDD gpg: Good signature from "Blah Blah " gpg: aka "Blah Bleh " -------------------------------- I've tried adding ALL of the following to the $comd command line with no success. --logger-fd 1 --status-fd 1 --quiet --batch --no-tty 2>&1 Is there ANYWAY to suppress these messages? I'm assuming that if the signature is NOT validated, then the $res will NOT return the unsigned message, and that's how I'll verify validity or not. Please correct me if I'm wrong about this assumption. Thanks in advance for any replies - Rich From michael@silicontao.com Tue Apr 8 06:28:01 2003 From: michael@silicontao.com (Michael Weiss) Date: Tue Apr 8 05:28:01 2003 Subject: Invalid engine??? In-Reply-To: <20030407201605.GC25851@psilocybe.teonanacatl.org> References: <0HCX0037PJGDU4@l-daemon> <0HCY002MT2IEMA@l-daemon> <20030407201605.GC25851@psilocybe.teonanacatl.org> Message-ID: <0HD0009X49NIF2@l-daemon> Thanks Todd, I removed the version in /usr/bin and then it worked. On Monday 07 April 2003 04:16 pm, you wrote: > Michael Weiss wrote: > > I have installed gnupg-1-2-1 a whole bunch of times > > I get no errors, but it doesn't seem to overwrite version 1.0.6 > > How did you install these versions? If you're using a stock Mandrake > system, I'd guess that gnupg is installed via rpm and is in /usr/bin/gpg. > If you installed 1.2.1 from source, it defaults to /usr/local/bin/gpg for > the binary, and /usr/local/bin is probably in your path after /usr/bin. > This would cause a call to gpg to find the old version first. > > Try uninstalling the gnupg rpm, if the above matches what you've done to > install gnupg. From douglist@anize.org Tue Apr 8 09:24:01 2003 From: douglist@anize.org (Douglas F. Calvert) Date: Tue Apr 8 08:24:01 2003 Subject: export single UID of a key In-Reply-To: References: Message-ID: <1049783056.28440.406.camel@liberate.imissjerry.org> On Mon, 2003-04-07 at 22:11, Michael Nahrath wrote: > Do this for every UID in a key seperately. > Do _not_ keep these signatures in your normal keyring. > If the key owner uploads the signatures to the keyservers he prooves that > he owns the secret key. You get your signature back via '--refresh-keys'. He really only proves that he has the secret key on his disk and that he brute forced the password to the key. For most purposes this seems reasonable. However if you rely on an encrypted challenge and then sign the key you could improve it a little more by having a time limit. Three or four days does not seem like enough time to brute force a reasonable passphrase (~10 characters). But this is all napkin math... -- Douglas F. Calvert From avbidder@fortytwo.ch Tue Apr 8 10:49:02 2003 From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder) Date: Tue Apr 8 09:49:02 2003 Subject: SIGSEGV on gpg 1.2.1 (was: Re: A GnuPG oddity (decompression)) In-Reply-To: <003c01c2fd1b$63e08cc0$7a114251@sncb53000105> References: <003c01c2fd1b$63e08cc0$7a114251@sncb53000105> Message-ID: <200304080949.47513@fortytwo.ch> --Boundary-02=_b8nk+iytPfpgPGV Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Monday 07 April 2003 17:35, Falissard wrote: > Here is a weird thing that I found when comparing > PGP and GnuPG. > You'll find below some conventionally encrypted data > (the passphrase to decrypt is "test"). > It is decrypted OK by PGP and GnuPG. NOT > -----BEGIN PGP MESSAGE----- > Version: PGPfreeware 7.0.3 for non-commercial use > > wwQEAwAByf8AABeiiyCJPTT9smRt0b/hpaOc90vsDDLDIdd5ltky2wC/G/7jbHU7 > QWnOJgVAHz/9sJn6x1UJ6jBZRNhQ9V1++OL7hQ3r5vXF1I3wxulH3B5QW3fZ/OQ1 > MAohPY5MFXh/pdMe5LSxGwHyW5r5R/fJ/N0EKfp/Sjx3t0R7Jn5A+KYR1W+vwO5T =2E... begin console-log.txt vbi@altfrangg:~$ gpg < blah gpg: CAST5 encrypted data gpg: Segmentation fault caught ... exiting Segmentation fault vbi@altfrangg:~$ gpg --decrypt < blah gpg: CAST5 encrypted data gpg: Segmentation fault caught ... exiting Segmentation fault vbi@altfrangg:~$ end console-log.txt gnupg is 1.2.1-2 package from Debian. Are there interactions with gpg-agent= =20 (using gpgsm 0.9.4-0woody2 Debian packages done by Ralf Nolden)? Might be=20 some weird libc issue, too, since I guess the gpg package might have been=20 compiled with an older libc than I have installed on my system. So I guess = if=20 nobody else can verify this, I assume it's a library issue and will just sh= ut=20 up. gpg is working fine for what I use it normally (signing and verifying email= ).=20 cheers =2D- vbi =2D-=20 get my gpg key here: http://fortytwo.ch/gpg/92082481 --Boundary-02=_b8nk+iytPfpgPGV Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iKcEABECAGcFAj6SfxtgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjMmbWQ1c3VtPTE0Y2E2MTZmMTQ2ODJhODJj YjljYzI1YzliMzRhMTBkAAoJEIukMYvlp/fWgRIAn2QXL/pbLZooyIwvyPpDshSD a8nDAKCVAwCR3CzksR1pTOHjNS/4oSmkJA== =CQvk -----END PGP SIGNATURE----- Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.3&md5sum=14ca616f14682a82cb9cc25c9b34a10d --Boundary-02=_b8nk+iytPfpgPGV-- From dirk_haak@yahoo.com Tue Apr 8 12:34:02 2003 From: dirk_haak@yahoo.com (Dirk Haak) Date: Tue Apr 8 11:34:02 2003 Subject: windows and EGD In-Reply-To: <20030408042903.23678.58364.Mailman@trithemius.gnupg.org> Message-ID: <20030408093531.77432.qmail@web14909.mail.yahoo.com> Hello gnupg-users, Does it make any difference, if a key is generated with or without the EGD device on a Windows system. And if so what are these differences? With regards, Dirk Haak __________________________________________________ Do you Yahoo!? Yahoo! Tax Center - File online, calculators, forms, and more http://tax.yahoo.com From kl@vsen.dk Tue Apr 8 12:42:01 2003 From: kl@vsen.dk (Klavs Klavsen) Date: Tue Apr 8 11:42:01 2003 Subject: Problem importing S/MIME certificates into GPGSM Message-ID: <1049718240.1728.14.camel@amd.vsen.dk> --=-Tlj54h5uSTv+ojaZkjJv Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Dear gnupg-users, I'm not subscribed to the list (tried to send email to gnupg-users-subscrib= e - but that didn't work, I have yet to find info on how to subscribe (I'm = probably just blind). I found a howto on the gpa-devel list: http://lists.gnupg.org/pipermail/gpa-dev/2003-January/001148.html describing howto use gpgsm. The reason I wanted to try it - is that we in Denmark have gotten a digital= certifikate solution that is pkcs12 certifikates. I have backed up my certificate from Mozilla to a pkcs12 file and then when= I try to invoke it I get a weird response. when I envoke: gpgsm --call-protect-tool --p12-import --store certkey.p12 I get this output: gpg-protect-tool: gpg-agent is not available in this session gpg-protect-tool: error while asking for the passphrase I tried starting the gpg-agent both as server and as deamon. I've searched google and whatever I could find without finding an answer :( Also - once this is working, I'm going to try and see if I can make gpgsm work with evolution-1.2.3. If you have hints, please tell me. --=20 Regards, Klavs Klavsen, GSEC Open Source Server, Security and Network Consulting klavs@EnableIT.dk - http://www.EnableIT.dk Phone: +45 3284 4372 Mobile: +45 2342 4372 PGP: 7E063C62/2873 188C 968E 600D D8F8 B8DA 3D3A 0B79 7E06 3C62 "Open Source Software - Sometimes you get more than you paid for." --=20 Regards, Klavs Klavsen, GSEC - kl@vsen.dk - http://www.vsen.dk Working with Unix is like wrestling a worthy opponent.=20 Working with windows is like attacking a small whining child=20 who is carrying a .38. =09 --=-Tlj54h5uSTv+ojaZkjJv Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+kW3gPToLeX4GPGIRAg7fAJ4slxG6rrR8Uk6hMND/hb1XdN8TQQCeJxO6 QG+Qb1Z0V8jPxGPcYaU3hm4= =EOml -----END PGP SIGNATURE----- --=-Tlj54h5uSTv+ojaZkjJv-- From macgpg-users@nahrath.de Tue Apr 8 12:42:24 2003 From: macgpg-users@nahrath.de (Michael Nahrath) Date: Tue Apr 8 11:42:24 2003 Subject: Double encryption ?? In-Reply-To: <3E8EC8A8.6010505@hankeln-online.de> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Oliver Hankeln schrieb am 2003-04-05 14:14: > a friend of mine and me were just starting using GPG. > He encrypted a text for me an sent it to me. I was able to decrypt it. > BUT: He was also able to decrypt the encrypted message with his own > secret key. He should check his ~/.gnupg/gpg.conf file (or ~/.gnupg/options if he is running an older version of GPG) for the entries default-recipient-self or default-recipient $MY_KEY_ID Usually you _want_ to be able to decrypt messages you encypted to someone else's key yourself. To prevent this you may try the option '--no-default-recipient' on the command-line or uncomment the lines in the config file. > The only reason why this could happen as seen by us is that the text has > been encrypted twice - with my and with his public key. Probably it was encypted only once, but for the two keys. > We just want to be sure we didn=B4t make any mistakes. Is our assumption > right? I guess, the --default-recipient-self may be a default option in your GPG installation. So I don't see any mistakes on your side. Greeting, Michi -----BEGIN PGP SIGNATURE----- Comment: http://www.biglumber.com/x/web?qs=3D0x9A4C704C iEYEARECAAYFAj6Rd5sACgkQ19dRf5pMcEyQIQCbBQDRz2pzDx2QUt5d0n7lVsJD QVAAoLh6Yw/zHxINBW0fKZV95SninCsp =3DQk/W -----END PGP SIGNATURE----- From udo.fleckenstein@arcor.de Tue Apr 8 12:42:47 2003 From: udo.fleckenstein@arcor.de (udo 'mju' fleckenstein) Date: Tue Apr 8 11:42:47 2003 Subject: HKP and firewalls Message-ID: <3E8E87E7.3070708@arcor.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello Heiko, | How works a http(port80)proxy with port of hkp? use "keyserver-options honor-http-proxy" in your gpg.conf set the environmeny variable http_proxy accordingly, i.e. set http_proxy=http://proxy:3128 ~ ^^^^^ ^^^^^ ~ | + proxy port ~ + proxy host | How get it (the http-proxy) the dns-information, if it think it can't | contact the port 11371? it'll ask it's dns-server (independently to the port-question - dns and port do not depend on each other, at least not in your scenario) | Who has a working combination of only-proxy-allow firewall with | http-proxy (Squid) and enigmail (on windows) for the communication? - well, try the following: rem should fail, to be sure we're doing it right later on gpg --recv-keys 0x259C3499 set http_proxy=http://your.proxy.host:port rem to be sure the honor-http-proxy (and keyserver) option is set find "keyserver" c:/path/to/your/gpg.conf |>---------- c:/path/to/your/gpg.conf |>keyserver x-hkp://blackhole.pca.dfn.de |>keyserver-options auto-key-retrieve |>keyserver-options honor-http-proxy rem should work now, if you've access to the proxy-logs there should be rem a log entry like: rem [...] TCP_MISS/200 1745 GET http://blackhole.pca.dfn.de:11371/pks/lookup? [...] gpg --recv-keys 0x259C3499 if this works, set http_proxy in your systemproperties (for yourself or systemwide) and restart mozilla so the new environment variable is active (if unsure: reboot...) also the keyserver-entries should be active (esp. honory-http-proxy, the other ones are set by enigmail independently IIRC) | What options make the squid-enigmail-gpg-key-retrieve-combination to a | working suite. i hope those. if it doesn't work, contact me directly (i'm currently subscribed to the digest-list only) cu, - -udo -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+jofcWW6kzec0tFURAmUFAJ43HtjkAcT3m7hxqHbTSsKbfirV0QCfZC6o 2e9+60l4JPX27Fh9P6CtLqM= =dHq8 -----END PGP SIGNATURE----- From th.falissard@etic.fr Tue Apr 8 12:43:11 2003 From: th.falissard@etic.fr (Falissard) Date: Tue Apr 8 11:43:11 2003 Subject: A GnuPG oddity (decompression) Message-ID: <007801c2fd18$35850e30$7a114251@sncb53000105> Here is a weird thing that I found when comparing PGP and GnuPG. You'll find below some conventionally encrypted data (the passphrase to decrypt is "test"). It is decrypted OK by PGP and GnuPG. BUT GnuPG generates garbled data. (I've tried GnuPG v1.0.6 and v1.2.1). This has something to do with decompression, because I get no problem with non-compressed data. Thanks for any suggestion. -----BEGIN PGP MESSAGE----- Version: PGPfreeware 7.0.3 for non-commercial use wwQEAwAByf8AABeiiyCJPTT9smRt0b/hpaOc90vsDDLDIdd5ltky2wC/G/7jbHU7 QWnOJgVAHz/9sJn6x1UJ6jBZRNhQ9V1++OL7hQ3r5vXF1I3wxulH3B5QW3fZ/OQ1 MAohPY5MFXh/pdMe5LSxGwHyW5r5R/fJ/N0EKfp/Sjx3t0R7Jn5A+KYR1W+vwO5T 3Zr9+FPFQxRXGbIT+I+9zviLm/DiWq7z6iDdInE9HZ8cZ2PTRYxfMf0X+xPBROoN LyTknhNSE08NGa4Y66PgcqwWt9fQrUxWrgizZtcVN3zAG2X/DoI7/bq+jqHYzq3J QtpPtq1NM5PP57sWV6ZjurHtCaUaWLVYgSaNqfJddPn9dyNUY2OW1T5SgXu6Rlze Rrn5XA5oHdmyamciCTY9BdQEy+/tPmAhZfTIdSU0qRcrM9l/u5HUZ1N0Fxq9IPME Fgqe+/nEzGaSZKV3xRcV+5MqYl6jkv8Ke2BBEKe6XbFgV+CUFaO5pxhk/aiH6WGL 4w+dAdj9nuH9l5aOh8hWffXlWTIru6Ahm/qbky4BzGwypRQknLGtN/rb0BcOeCRE lQ6H80rjkuiPrlq6udtqAGRPRsZTxh0MxqOdMmgVwvYFfnCKM9AHqZrE6lunNgu2 Bc636k9H6BqQksEOa6HGP4Ilg1B/P1SvCPpapG2O45P4lfvdpKKI10fK6JfKPxj1 MrnXwzhlUsWV6Uggg4k3rx9ZtHD1NX4i14XeZJR/+Q7hFWeQ7acR17oQh4EC7N0r 9MUK0uM0FVXRwWcY3h/ySiiFK3lRkE/B7qIZtDycZkwH9nTpKZj7e0RNWv/l8Zth SJn6etMOyE/alGYaN/63UQgq/lO3z6+Y87t+C43t6VY/Cx8rZvvW/3AVjTdYGEHf KQJ8afQzIks1VU4mvgu8Qm0aZUpk4l1HHpk9EInZiyGoOUcJ5/MZ478vqauy5tQo mbx/hSZrJ59ZbfRt0nIu9+y6OZBKJUk+XI8hn8jPZxYxUPprMDT3E/cjcu5Dw7Y/ rtBFLJE4EiUTzoK8m7oTeZrOEJj35gPvagFXooZlBmVDuX27mvJ03kNb82ppRBWA gA0/4UdP+ecJiPg8vyrnTjPE6m1CBNt0BIf+A+WMDeqZEjnw0W/umSupZYhPyXNy gUSdelYEZnpkd6dyR6jP3VIPnedj3oFg098g9qRxdhRv8V8JdTI3Bv04CYgu+IPG BLpt1B4A3vvfGDeonPcnsPe8UoNWlHFF0Gr0OHlUPWSMkWa1kIXJsJP31NIQNZfl TkWsfjqTuUfObgUIspYshpDFno8ZaIx64TM5RZKflfl+BzSNntQHdV1OPEdgRmrt 4V93x2zIwpVKNiKDps0XgDNUFAFvUmqkKSCKOu391tnpN2TubAd+vR2EFV8rbVEJ Q+0DLT1gxYQ+ofnuDddH5Xv0saTSBAeN2rP8wv3kqMtDuSWhzYOWLyFKbvYsKbm9 Nvt3FCg9cKyfC0wdmxyk10/qIakJVACcNnEvgiyqsDfNaHPTzoqnbbk6F8c2iSH7 7QRwsHL5xw4OBhcXDzSbaGBSSLABykkT0YMrCUtHZHALtwndervgs1bGixIEHj5y AZxo3UhSplrQs3+UsLg13734FnPbnU/KfR0W5jSDNDi/Q8TKdNkZSAK7YZMip80c 7NXyZXW9lS3e+OndkG5m7qujCeVMXQs0FzG+jiHbuZt9eo+9j06lWtdIG2sFhS2b v+qfMDS7kSSM3vTHaF9TjAaFUfatMA7XQA+/u5GEU1LAZU8DPWsrWLTQtU621vFR 0GD3pz9L+l6cVATI5fA+X8WmuUKna1OQS9eJX+ZjRBclKxcoLmlzqCVPLp5rwtI1 92iR43JZXq/NXuwDTPgXn8ioO1kyFy1X0qKuYp3ZYSgkNEZhA4e/XDrNGo1EozfT +UFMcUiE9CqrHHzCfAkJtky6nCOsAmf15x0lirXsJfC3RD3o74OztedD4A7zRLJB 57k4EHsMqlanpe2v0wBrtI73MyeOsOJNe5znIvGqmaQNFZ74nx2jn3Mwr1wdB8YH k+t0+iNIXbVMQ58pX86eoS5YuXtkWBrF+KIjtZznLglPj5/Ur93oA/agcftq8sLN nAQ/c9ZalzyCJN5WrYIbw1gnqorVPQIqy4O1/tGWNmadf8jHaV5Xn3p0ShoRHb38 3KQCx/DruQ07r7edNmpuDDFlwv68Wxj7eNzskNO9k6+fz/xpNbNgC+zKk54zzNL4 jLM1JVhN7+cZkNG85MFTqoKbJlViEnue7Lq9fHO60IETzy3BlTaxajKkTFpHWfJC n7BA9e+P0OUYEYCEfgI6Dhcxzc0eW4FzYxwK5MQuz0NSPMMpwzH9xJ7MYBP04Q+L RmQwvZeKz/DePfPOcYIJZrHSU+jIO4DO2Bp2JqM+7HMgODXELzkrGaf51v6HnVQF BoKGoc0SenCoSxSrkP6Jh7DdkfTmk9t8rx0Dnax2bggaV0WjkMwaJeMwYgGjAjtb j1mINQVMIBMpmA4F0T9xUN7G4SM4IrwwzmoK2eDB05xY68Sb9XCAVGj2fnqB9Zhr NqAYiX920V4eOrwf8gUrTpWxXR2jtkndLSrAOrViKpp/W9bxcQjnOxZTYk/l+7sn Ulmo3/RHC7F4c9/dv5fwohoQDQd4XD9Hz7YLZ6+xyVaS7qVwI0uXNLhB7le7C+Rr ci8Sp10Mr/GfHbl8R7UP99n6uPkVyLcUWS4okYusnPPhL4a4z+GJBUAvEMhKJIqt R22ml+EVbospe99xcVnWxU1FsTLH8jroNWFpvJmbkzM7Pzf3q6XkRbze7mCLAPiV 2Yk8lG1u01zRCy4fniHSF/o9sUWGrz+KuB87T6kb2jeYhv8EDpsAxkkjUR/2rsxI /AN1DS1fUvQaLvPpa8IFOkaZCUpGYwSqfaT9mvOcQ7bWeSJgBxUiGyuav167VeRx +7TZlGmRUSlZEBCjnCjcMPBponDMHM6EEMYiBvzmvOU7rj6Tr/wZ0uFlKk4H/KhP rPFSRXFG4VGrJs/ZIUyI0qTohOx5oy8TShQLP25Pbh7RNOIh8qix1ORf33STfv17 49ef60E9GEiAonkMQIoE4DGzY7U0elJW8VVGdIieFFi2pKQIi6NcE3tXduEScY09 7gp5ObQIvHZf3+kJfDbNPzFXOyWH6qq5+S+Hmzfk4pmYoH221+fHuBF846tu/Oa/ D0tW4gJN97EfKb6LvPrcTIH2Znb8QgLmL6+BvR+L01nuUWtxRIhrXc2QbmyG8pkD Ev0Ye/66IUNj29yWYgKS9gQOS1d23h6TiPP5UBTjQn3jd1KtiJq1+2Qg8IMaZpzt QvK2lSqQVoXGdUhxGJtbFl12E82TLOBePqV3WlWZ94rdwZXvb69f4XLCNzXF2OsW qkfsNbE/FpkvmawUwMFLQTYmKchggVcJdfrC/C/CZh1mrkmyAdlTMxFWapSNvgl6 eRNC/D3dzxwGTQrBIJulRWpYBx9mSTWPAf7cvFu7jD06q156kEC24D5mPaxkcVNc iyMQimird3FR6JwKZzP7QnwCP2I/0jWz2xOWb919UvEKSQU9ZuzFBm0cqqvGtOGy PZI3egVZZbxUnKg5Sn7bF72D0kP/j+oCn9bvKxWNlUtIFwyz3twydqFYFTzCNg/T XLaasNw8k+5GHxpIL0aL2IxJ2uYRGtNXU3+Vnf7CikncwKYMBUrxfnfGOjXaNKAH +pUeHXzkWl/5+eFWYGR2Bxtg1BkHljHFm7jz0eHFULq7sZEDi4oPpgQmqor7zyxr TLfUfoHaVEAmyBvrIrU9ktZ3IcudFhk7hQvOW1ZF4uw+VrCFzHxf6nk+vvh6exiT amcH9S2QuM7v+uW1HilPLyFf2ivfqjzSEapPIIG4RlKIMIKXJOCP7jVNCcjnyOxi aXRMjtcGhRoH0FJEK4j8lrMM9sykdxgqniKCrcjSQAJrQbqcJX83VCMXS3wgTtIQ 9wg5JiZCpaQlPqyYXS1jJIh7AdbUSM+nLc9h9rm6CrQgSP7LEh6iSaR3KZbggoIS Kkh57TRjXgn+lczVj0kJZfQS6WBhuZQ/vjuB4ye3f3Ki2Tl6H8wSdlRaXQ1nVIOI nQjTbkfdmFDrpOphVh3kdK/MdVMBA5e8IOvrNQt/cmHxGN342UeUn6czVdiVmZFS kHuH6r0AElAdjCa8LaIno5HAhfATVcYNvddZnHokVoIl0Ka3iEOslGQKUuMJu+oz qwDs6N7ymAcn6CKcGLkQ9HllSyhfZtAB+MZ5H/MhEnXZawmty4Vm7IYsN/UEqlzN LGRJq0p5Zp0TYemHw3XLKDl68Db8QlLNAk1vf3HTKLIouDieZxhEsG36m4S1GJcs 8MUW9iudUCAMQRsCJqXuF829T7vGxx3LF6JdT2+rh8nRsUEqSux68khZDxSwic2q 2dbUzNODxOaYwOBjJ6Y3lAVyAgZax6Pj9mWnjcL1P/gK3/Hg15iA4VAZbyUbtAM/ LpxLveSALwpl6naz0bC90Kf8U1UqWBXDBBnQAY6tJSan9U29fwRR/5Rya8UIZf5g v+XdSs/61X/s9ix77gZTn9RF7LNudWM0E2HVDNFe70OLH5D2G86YVO0TcD1s+qXa fmAnR0koNF1A1oWLNYsZls+aa9EGltRVb7Hqsh1SpqkjW2b+cpWaztkNTw21840d 40oNpVF621RQANqIc5t4VEazGawsWTpHgiTUO8ZUPAXxqmMJ80DyYehx5c9/ryqp 4afGV6pzZH7/+6TTmisThwMFdy4xn7pSblgidq8r624HTzJ8NUvzbtF8iIgqxIHB CgF43d6xaTDGot36DqU46bmE7OD2DJloAnHA0Pq0B9vOTv+p0rKAvU+FjqIAK3QZ 1RW0StI091NYUOgxoTQPujHzFYC4fUdeyzUJnEtFSIbnsEOXW+lheDk6u/cmA26N b88VBv6mWSVf+PP6cZB+Y5S8UkS7YZCAM4A0wsuqNYRmlgeVD7361O7VRokMHhx1 q3+rdthdSmbFvOu8nMxJBRhhy5nKPijRqCMYq38+5AGUqv2JZGgkS+Kc3q+7n6TM oFWWL9SspC62fwq6l9j/065kMEje9dpoSjFuhf685NTw+0+kXMKqUBWYebK84kdw gXyBk5myNC2AScv5ZhiYCA+ex4AscFPRPJJnOlpav3kkCwWRGqAJibiEFu6RvTSU 7zUgcsz78YTp7OlPPPNcL5+o0urtBMFvUyZDxwa8F6dJqO/ZrabW2f2fir1ETCTw l0us4OtPsz6By7esiFX/ByA8tpR0914Po7HKfk7eR3EyzeBtGmiIzdRghYk/Ha30 uThJjdzpcg51Y9Ey21hBUK8W0l3MBb+qYgSbY773hBxWRqzgXgdpqRA1IWewzCkS 1za90uiGsBMjQvp5HcHXON6Z8SLKDtmSNvM63S+BcC8YybXvRsMMndb/S8nImT6e ADD56KbKN2mmU82DHx2XmkOHMiFzc5Ksnkd7jDtl8fGw4ESt3mu3cIcXegNJ3b3Y dkSS0GCnl5JwYb1kIHHXjGtEKGspDXb6FT0/egbxiicGmqEnN9/p76K5+OY7rO3C IcETWoBTGv1ura6IxeoaLffV0OEb9vjaK/2zL8LzyMfOtMey4zVqa9pb+1oHgETd K/GSQJFQ2tgfAw4bzqzaYrw4ZGHlRCVu56rGwu5Gu6XqSoOa+uAq389hI8KeKH1N pIU/RS5289EnO77fFwAzwqJ9IP6awTr095oExI6mlD8/IwERdHugkBGwdwn5d7Zp wtuwiHLrGHOoKRxy1q4CUK/oFcZVL6iQoj+OUnV4/GNmyt/cW2JiX6mDjZ0XeWEw qG2wuxVzWAwVsBTm+l5SKlHKRU7aBM4htCPwlhDfNSA16nyE+ll1jGOF9UkaCSFf 86EfFfcRILfsbA4HWH8uTccIvYgRhTJzxHS80WAIFxEEK1EJgB091aBQlzpMeQt+ 19VIVoh0jw92Sw3WTp62Olwq5sHtSR7yVUzVI59SNHtP1WM9E+7ioOV6h8yyiskI +kEVhZtgdFOpb2sV+eEQ3bzc2ADajfNVnLc/RMZEY3cTZvy6azVVi+CTrp5nwcCZ 8dgiw4I5+dcuC19JZqC+A6mmwLtrNyqv5K3JGh9FTgA2OygcAIyp62J1gvJZNlFH cf+I85X5jWCsrdmB8UmVJtshQW01/EScT/w6xqaP64HZdOAxFJx5T4a/FkKKK7cT g303It6a+f/RjEOAvewBSp6LRZq9j7PNtCra8ipzme/z5XGUF/e6iJAmyTFGsWLU 0Vx41hORHreMO4ZD2vY0x96Vj2fbl9vkNZidDiz4dX4pxBu5C9YotOQTZt1td+x9 8K9ORrslT5Xjg1xoPcFd8+zLiJV0GZA6uhsXXFUIik9MMyXWMfgEED8ugk4ZGsM7 EKoUoC/xSh7EB2+SsFB8PREFWdBk2oKCOOo7KV4rrP/C5RMe+YsWgBv/U0cwKcZA L4xf4vPABZALGkPydDG+REaDijUqwCBA6rlrVpeKC0RDZk2nC9hwYZRbXiNjelW4 P4JhJuc1hYHo7pdiYykHOyXYm01CDElKh9qPvYjicQHFLHRWo9HV8m81QxCiPxF1 i0wwj9bLyKsR63VEo5NTdyJuU5hcGw4KlO/2cwVkoZmRwKKz2sCbZ2JFNIfnOnbU dLxEoCotbi7NGVrsVqRr9OfHINY9eZFIyTc/pR7fdJykePnP8dOT1uxcoat1b4JS 1Xj8AxnGff/W4wO1dxHP1X7RywrRHUG/qQ/BLBLTbHpolbJQkMqOyWNsiuXt26NH l804R4k4TGJWGQ6vkJwE87ubRPYbQno7M1UG7I59sJqCyJ/iC3SJlaRsHa/bSgcF 7EQ43dvMJhnpkA7mHx67IcWABT2y6tsXLL/mwFcI+AsOScEuk4wGxJlpiGvPhAVk Zkr0VaJDdwXooQ/Frvy+G2ZIxdw8QXZBHpaCskXLuJEmlJWfTN4mS8X0ncrsbDDZ BJ2yHJD8Qt3G5DV+4mT2qg96wNuC3So4udYIy7oL4vks6KP27ghdg7iV573yejPj iwKB1/ihDvv54fHhVEKkBlh2CG/EJ7XfPnGGBzSq3JtecCXOIrtvVV/k69zgLoiX EwBbSFpYBBHEMIX7ycs6KIEDoUjXvKCe8j7K1jtQwetZLs0diUkY3oPy12Wk1I2Y 5Uhx7AYCcOI/+7n7fVjBET42RisMMecO57Seyo5OWnrhWzFD7mBZscjrKiYvGY7+ VyMppS1TrrzXvcBEejkujNodqVqnVH7zEnQIzi7cpKJzDDfBGBj1gjiDOYL2Or7k gn2w8+ExaAHyPE8C8nbvz+NF6XlpKQpruyOesseI72L3+DqXfcAUkruBPOuaN2aS FwErQVC3T69a2P23Mqng8NzOlHyuEVlm3hkbtMjQhcXOPxtqn94VdIQ/nExoZlJq OSb6dTGHuB99yf+p7ZG7+DaulI5YzgQR3gDXLs2Of+XhLZP28tCDugOqSVAYvInT 13WkrVK7I2taHTKV79G1Bc8/5tIxikygzKEw3XDUoxdESHF3agAFxBNMGiEbuCZK aryKdayGYC6DiJ+XMvecwkrfM8fCaxi5t7aQCVWjIyr5ZIPFZappsq32WQYGfqLa EhSZL54xmq0F8+HLXF9YA+MOyDVt7BC2HPHlJ7MM7pDYxzIAIzbolQ4dSI8GjpTB LqEIqruhKneu1Cih+cveVJoVdHrHibysci2RAcuGCpffpkFejUCI8i0ON4qRW2qU 5PhJ89rdgTFk7eoqnFi0MM/8r213qA14RZ2fYxDwyx1foriHBg5XlIygA8dDQBN9 6PRD1mPuoXjtUHBtoD67aJaIqrnLlIpy3j1XpUbCIRDOrKJfhWOvJiXlUXZ0EKSV MXukKvG/aD3hKcekAM1LRVHfRofbRumdKL3DWiFzNWw1865CsdPsQTfXQbi+aJ94 pZS51mDahaOI/jIpBmXkEW1DZIUJeH2bWXB2v6o1RDkP52uiydbnzJ6o7q4br60v N171NQ94G75sfFFC/lGa2wU0LU/k/hLGeIqNsqNDjfpefXCEbio56A/lvTni7MeM J0M7UU5kidHP7ucPU1w= =L/3a -----END PGP MESSAGE----- From fredrik.hellstrom@crossnet.net Tue Apr 8 12:43:44 2003 From: fredrik.hellstrom@crossnet.net (=?iso-8859-1?Q?Fredrik_Hellstr=F6m?=) Date: Tue Apr 8 11:43:44 2003 Subject: How to remove passphrase? Message-ID: <003001c2fab3$04553c20$191ea8c0@fredrik> Hi, How do I remove the passphrase for my secret key? I want do to scripting for automatically signing e-mails. Does anyone have suggestions? /Fredrik From udo.fleckenstein@arcor.de Tue Apr 8 12:44:08 2003 From: udo.fleckenstein@arcor.de (udo 'mju' fleckenstein) Date: Tue Apr 8 11:44:08 2003 Subject: [Fwd: Re: HKP and firewalls] In-Reply-To: <3E912567.9050104@sw-meerane.de> References: <3E8FFFD2.2040901@arcor.de> <3E912567.9050104@sw-meerane.de> Message-ID: <3E91AF88.9010300@arcor.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Heiko Teichmeier wrote: | My test with engimail and your key failed with folowing messages: | <--- snip ---> | Unable to receive public key | gpg: blackhole.pca.dfn.de: host not found: ec=3D10110 | gpg: Schl=FCssel ist beim Schl=FCsselserver nicht erh=E4ltlich: No such= file | or directory | gpg: Anzahl insgesamt bearbeiteter Schl=FCssel: 0 | <--- snip ---> | | Than I test it with your key from the commandline - it's working fine. | | Because the failure-message above say HOST NOT FOUND, I had think that | it exist a problem with the DNS-Lookup, but from commandline it's | working - now I think it is a *enigmail-problem !???* indeed - it's a documented one :-) i was just browsing enigmails site [while searching a changelog for the new version] and found: "7. Enigmail fails to access keyserver from behind a firewall? If you are using HTTP proxy behind a firewall, you need to use GPG with the "keyserver-options honor-http-proxy". It is essential to set not only the environment variable "http_proxy" to point to the proxy server but to also set the environment variable "ENIGMAIL_PASS_ENV=3Dhttp_proxy"= before starting Mozilla and using Enigmail. This ensures that Enigmail will pass the environment variable to GPG." http://enigmail.mozdev.org/troubles.html BTW: It's your key-id i used *smile* to the enigmail-folks: Why using another environment variable? If http_proxy is set, simply pass it - or do i miss some point? cu, - -udo -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+ka9+WW6kzec0tFURAiUOAJ9Dn1eUvvuFeCV9aN9vaZsjczdZoQCdHkWm Wh34aOldYZ1OXD5ltTZ6+Xo=3D =3DKNx9 -----END PGP SIGNATURE----- From andrew@cbsohiou.com Tue Apr 8 12:44:32 2003 From: andrew@cbsohiou.com (Andrew Stout) Date: Tue Apr 8 11:44:32 2003 Subject: invalid trustdb error Message-ID: <3E8DC5A6.23337877@cbsohiou.com> Help! My ISP's server went down recently, and now that it's 'back up', GnuPG will not execute for me. They are running version 1.07 now, and I do not know if this is a different version from before the 'crash'. Here's the error I get when trying to execute GPG: gpg: fatal: /home/username/.gnupg/trustdb.gpg: invalid trustdb Everything work fine before they went down. Now I get this error, and I have not changed ANYTHING from when it always worked fine. HOW DO I FIX THIS TRUSTDB.GPG file???? More info: I've tried editing my key (--edit-key) and I get the same error. I've tried using --always-trust and still get the same error. I've also tried creating a brand new key (--gen-key) and it fails with the same error after the random-data generation step. I've looked in my .gnupg directory and see the file named trustdb.gpg with a date on it AFTER the crash. It is an empty file, however (zero bytes). I also see a file named trustdb.gpg.lock with a date well before the date (a couple years ago, when I first started using GPG) When I look at this file with a text editor I see just a few blank spaces and some numbers (768 maybe?). Don't know if this second file has anything to do with it. Can someone help me??? Thanks, Andrew Stout From jean-francois.paris@insalien.org Tue Apr 8 12:44:56 2003 From: jean-francois.paris@insalien.org (Jean-francois PARIS) Date: Tue Apr 8 11:44:56 2003 Subject: keysign parties In-Reply-To: <1049555324.726.3.camel@carpathia> References: <1049555324.726.3.camel@carpathia> Message-ID: <28246.195.28.196.72.1049723493.squirrel@webmail.if.insa-lyon.fr> > Hello all, > > I wanted to know why there are so few keysigning parties. I once signed > up for a keysigning mailinglist, but there wasn't almost any posts on > that list. Keysigning parties occured generally during Big Free Software events like Fosdem or during smaller ones (we are trying to organise one for each events in Lyon). If you are assisting to such events sing in to their ML. Maybe a key signing party will be announced. If it is not announced, keep an eye on the debian team, and ask them if they are organizing something (they need it for beeing members of the debian team). Last but not the least, Do It Yourself. Bring your finger print the right day and make an announcement, or if you have time, collect fingerprints and organize something. jeff -- Paris jean-francois | CLE PUBLIQUE PGP&GPG jean-francois.paris@insalien.org | DH/DSS ID: 0xBF4B709E jean-francois.paris@insa-lyon.fr | http://mjediyoda.free.fr/ If you use envelopes, why not use encryption? From shavital@netbox.com Tue Apr 8 13:47:01 2003 From: shavital@netbox.com (Charly Avital) Date: Tue Apr 8 12:47:01 2003 Subject: A GnuPG oddity (decompression) In-Reply-To: <003c01c2fd1b$63e08cc0$7a114251@sncb53000105> References: <003c01c2fd1b$63e08cc0$7a114251@sncb53000105> Message-ID: At 5:35 PM +0200 4/7/03, Falissard wrote: >-----BEGIN GPG DECRYPTED MESSAGE----- >Archive-name: cryptography-faq/rsa/part1 > >Last-modified: 93/09/20 > >Version: 2.0 > >Distribution-agent: tmp@netcom.com > [...] Decrypted without any garbled text: - PGP 7.2 Corporate Mac OS 9/Eudora - double line feeds (see GPG OUTPUT hereunder) - GnuPG 1.2.1, Mac OS X 10.2.4/Eudora - double line feeds - PGP 8.0.2 Enterprise, Mac OS X 10.2.4/Eudora - Perfect. [...] >-----END GPG DECRYPTED MESSAGE ----- > >-----BEGIN GPG OUTPUT----- >gpg: armor header: Version: PGPfreeware 7.0.3 for non-commercial use > >gpg: CAST5 encrypted data >gpg: original file name='Myoutput.TXT' >gpg: WARNING: message was not integrity protected >-----END GPG OUTPUT----- From pt@radvis.nu Tue Apr 8 14:24:01 2003 From: pt@radvis.nu (Per Tunedal) Date: Tue Apr 8 13:24:01 2003 Subject: Understanding MDC (Modification Detection Code) In-Reply-To: <20021019124821.GA1247@jabberwocky.com> References: <20021018120534.GA30375@comcast.net> <20021018120534.GA30375@comcast.net> Message-ID: <5.1.0.14.2.20030408131747.00c4d788@localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 08:48 2002-10-19 -0400, you wrote: >On Fri, Oct 18, 2002 at 12:05:34PM +0000, MindFuq wrote: >> The faq states that having key preferences of TwoFish and AES implies >> the keyholder has the capability of using MDC encryption. This may be >> true, but my tests are showing that MDC is disjoint from those >> algorithms. PGP 6.5.1i can handle MDC, and it's limited to the IDEA, >> CAST, and 3DES ciphers. > >That is correct. As you saw, MDC is unrelated from any particular >cipher choice. However, given the general evolution of OpenPGP, it is >possible to infer from the presence of Twofish and AES that MDC >exists. Ideally, of course, the key would have an explicit MDC flag, >but PGP does not do this. > >> How exactly does MDC work? I know with MDC out of the picture, if >> someone changes the ciphertext, the receiver knows. Either the >> receiver will get garbage, or the receiver won't be able to decrypt >> the message at all. So what's the purpose of MDC? > >Among other things, read http://www.counterpane.com/pgp-attack.html > >> Also, I'm curious as to why PGP 6.5.8 (domestic) cannot handle MDC, >> but PGP 6.5.1i can. Was MDC capability removed, and then re-added in >> PGP7? > >6.5.8 != 6.5.1i. Two different programs. > >David > I have re-read the document above today and realised that compressed data e.g. zip-files might be a problem. The document tells that the attack succeeds in 100% of the times if compression isn't used. And GPG doesn't compress data if it already is compressed, right? And the mdc doesn't help against this vulnerability? BTW I found the switch --force-mdc that might be useful if not AES or Twofish are used. Any problems with that? (I am testing it right now!) Per Tunedal -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (MingW32) - GPGrelay v0.92 iD8DBQE+krFz2Jp9Z++ji2YRAilEAKCd1v0cmIYqUFpgbkBJrM19Vq5nZQCeJvYu dBITmNIBB29KFkO5WVNZstA= =M1mB -----END PGP SIGNATURE----- From Fabian.Rodriguez@Toxik.com Tue Apr 8 15:28:02 2003 From: Fabian.Rodriguez@Toxik.com (Toxik - Fabian Rodriguez) Date: Tue Apr 8 14:28:02 2003 Subject: Multiple "Comment:" in signature (was Re: OT) In-Reply-To: <20030407162149.GA18805@postfix.dyndns.org> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, The GnuPG options (or gnupg.conf) file can have multiple lines sepcifying a comment, but only the last one is used. Maybe this could be suggested as a new feature in upcoming GnuPG releases. Fabi=E1n Rodr=EDguez - Toxik Technologies, Inc. www.toxik.com - (514) 528-6945 @221 OpenPGP: 0x5AF2A4D5 >Gustavo Vasconcelos, on Monday, Mar 31 2003 at 05:11, wrote: >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v1.2.1 Anti-War (GNU/Linux) >> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org >> Comment: Rebuilt from source with new version information. > >Maybe I'm overlooking something obvious, but cannot find anything in >manuals or by seraching the list so, how I can split a comment in >several lines, like in your signature? Or you have hacked the sources? -----BEGIN PGP SIGNATURE----- iD8DBQE+kr4rfUcTXFrypNURArb6AJ0R37sNc4ygBkJCTfaAtpTfvH9A3ACfalh5 /UZGmcKVT6tm//ZciLrK00I=3D =3DZnkB -----END PGP SIGNATURE----- From Fabian.Rodriguez@Toxik.com Tue Apr 8 15:28:24 2003 From: Fabian.Rodriguez@Toxik.com (Toxik - Fabian Rodriguez) Date: Tue Apr 8 14:28:24 2003 Subject: OT: Suppressing gpg messages from php exec command? In-Reply-To: <5.2.0.9.0.20030403182846.038cb2a0@mail.nightsource.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Have you tried "@" before the exec command ?: >--------- PHP ----------------- >$msg = $some_gpg_signed_clear_text >$comd = "echo '$msg' | /usr/local/bin/gpg --decrypt"; > @exec($comd,$res,$errcd); >------- END PHP --------------- Fabian Rodriguez - Toxik Technologies, Inc. www.toxik.com - (514) 528-6945 @221 OpenPGP: 0x5AF2A4D5 -----BEGIN PGP SIGNATURE----- iD8DBQE+kr/0fUcTXFrypNURAvqWAJwJmxCWTijTtUB0qE39oUk5ZE9lkwCgi6BZ tG8+akg32jShfHkLiJHweos= =Rowg -----END PGP SIGNATURE----- From johanw@vulcan.xs4all.nl Tue Apr 8 16:07:01 2003 From: johanw@vulcan.xs4all.nl (Johan Wevers) Date: Tue Apr 8 15:07:01 2003 Subject: invalid trustdb error In-Reply-To: <3E8DC5A6.23337877@cbsohiou.com> from Andrew Stout at "Apr 4, 2003 12:49:26 pm" Message-ID: <200304081202.OAA03657@vulcan.xs4all.nl> Andrew Stout wrote: > My ISP's server went down recently, and now that it's 'back up', GnuPG > will not execute for me. They are running version 1.07 now, and I do > not know if this is a different version from before the 'crash'. If the old version was 1.0.6 or below, you have to rebuild the keydb because it's format has changed. Run gpg --rebuild-keydb-caches to fix it. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From pt@radvis.nu Tue Apr 8 16:45:02 2003 From: pt@radvis.nu (Per Tunedal) Date: Tue Apr 8 15:45:02 2003 Subject: BAD signature from Fabian was: Re: OT: Suppressing gpg messages from php exec command? In-Reply-To: References: <5.2.0.9.0.20030403182846.038cb2a0@mail.nightsource.com> Message-ID: <5.1.0.14.2.20030408154303.0241b8b0@localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I got BAD signature from Fabian on this mail. Some extra characters or what? Per Tunedal At 08:27 2003-04-08 -0400, you wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > > >Have you tried "@" before the exec command ?: > >>--------- PHP ----------------- >>$msg = $some_gpg_signed_clear_text >>$comd = "echo '$msg' | /usr/local/bin/gpg --decrypt"; >> @exec($comd,$res,$errcd); >>------- END PHP --------------- > >Fabian Rodriguez - Toxik Technologies, Inc. >www.toxik.com - (514) 528-6945 @221 >OpenPGP: 0x5AF2A4D5 > >-----BEGIN PGP SIGNATURE----- > >iD8DBQE+kr/0fUcTXFrypNURAvqWAJwJmxCWTijTtUB0qE39oUk5ZE9lkwCgi6BZ >tG8+akg32jShfHkLiJHweos= >=Rowg >-----END PGP SIGNATURE----- > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (MingW32) - GPGrelay v0.92 iD8DBQE+ktKR2Jp9Z++ji2YRAkDlAJ9ts7+BpRc9wMkz+rNAgNcrvXIJUACfay0F 0yZ9GziwWFCx/eUiTGXDJVw= =kyJp -----END PGP SIGNATURE----- From Fabian.Rodriguez@Toxik.com Tue Apr 8 17:37:01 2003 From: Fabian.Rodriguez@Toxik.com (Toxik - Fabian Rodriguez) Date: Tue Apr 8 16:37:01 2003 Subject: OT: Suppressing gpg messages from php exec command? (now ISO-8859-1 encoded) In-Reply-To: <5.2.0.9.0.20030403182846.038cb2a0@mail.nightsource.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Have you tried "@" before the exec command ?: >--------- PHP ----------------- >$msg =3D $some_gpg_signed_clear_text >$comd =3D "echo '$msg' | /usr/local/bin/gpg --decrypt"; > @exec($comd,$res,$errcd); >------- END PHP --------------- Fabi=E1n Rodr=EDguez - Toxik Technologies, Inc. www.toxik.com - (514) 528-6945 @221 OpenPGP: 0x5AF2A4D5 -----BEGIN PGP SIGNATURE----- iD8DBQE+kr/0fUcTXFrypNURAvqWAJwJmxCWTijTtUB0qE39oUk5ZE9lkwCgi6BZ tG8+akg32jShfHkLiJHweos=3D =3DRowg -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Tue Apr 8 18:06:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Tue Apr 8 17:06:02 2003 Subject: SIGSEGV on gpg 1.2.1 (was: Re: A GnuPG oddity (decompression)) In-Reply-To: <200304080949.47513@fortytwo.ch> References: <003c01c2fd1b$63e08cc0$7a114251@sncb53000105> <200304080949.47513@fortytwo.ch> Message-ID: <20030408150624.GC22190@jabberwocky.com> --rS8CxjVDS/+yyDmU Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Apr 08, 2003 at 09:49:44AM +0200, Adrian 'Dagurashibanipal' von Bid= der wrote: > begin console-log.txt > vbi@altfrangg:~$ gpg < blah > gpg: CAST5 encrypted data >=20 > gpg: Segmentation fault caught ... exiting > Segmentation fault > vbi@altfrangg:~$ gpg --decrypt < blah > gpg: CAST5 encrypted data >=20 > gpg: Segmentation fault caught ... exiting > Segmentation fault > vbi@altfrangg:~$ > end console-log.txt >=20 > gnupg is 1.2.1-2 package from Debian. Are there interactions with gpg-age= nt=20 > (using gpgsm 0.9.4-0woody2 Debian packages done by Ralf Nolden)? That is a known bug with 1.2.1, symmetrically encrypted data, and gpg-agent. It is fixed in 1.2.2. David --rS8CxjVDS/+yyDmU Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+kuVw4mZch0nhy8kRAjXTAJ9/3WJYMAcvLMLCxdLOb1r5gb4GmgCcC+v7 Oxb0Cs3cySH2Ck8LbykPqyo= =ahg8 -----END PGP SIGNATURE----- --rS8CxjVDS/+yyDmU-- From ellement@sdd.hp.com Tue Apr 8 18:09:01 2003 From: ellement@sdd.hp.com (David Ellement) Date: Tue Apr 8 17:09:01 2003 Subject: BAD signature from Fabian was: Re: OT: Suppressing gpg messages from php exec command? In-Reply-To: <5.1.0.14.2.20030408154303.0241b8b0@localhost> References: <5.2.0.9.0.20030403182846.038cb2a0@mail.nightsource.com> <5.1.0.14.2.20030408154303.0241b8b0@localhost> Message-ID: <20030408150938.GC11584@sdd.hp.com> On 2003-04-08, Per Tunedal wrote > I got BAD signature from Fabian on this mail. Some extra characters or what? > > At 08:27 2003-04-08 -0400, you wrote: > >-----BEGIN PGP SIGNED MESSAGE----- Inline PGP via e-mail. -- David Ellement From dshaw@jabberwocky.com Tue Apr 8 18:10:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Tue Apr 8 17:10:02 2003 Subject: Understanding MDC (Modification Detection Code) In-Reply-To: <5.1.0.14.2.20030408131747.00c4d788@localhost> References: <20021018120534.GA30375@comcast.net> <20021018120534.GA30375@comcast.net> <5.1.0.14.2.20030408131747.00c4d788@localhost> Message-ID: <20030408151106.GD22190@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, Apr 08, 2003 at 01:24:15PM +0200, Per Tunedal wrote: > At 08:48 2002-10-19 -0400, you wrote: > >On Fri, Oct 18, 2002 at 12:05:34PM +0000, MindFuq wrote: > >> The faq states that having key preferences of TwoFish and AES implies > >> the keyholder has the capability of using MDC encryption. This may be > >> true, but my tests are showing that MDC is disjoint from those > >> algorithms. PGP 6.5.1i can handle MDC, and it's limited to the IDEA, > >> CAST, and 3DES ciphers. > > > >That is correct. As you saw, MDC is unrelated from any particular > >cipher choice. However, given the general evolution of OpenPGP, it is > >possible to infer from the presence of Twofish and AES that MDC > >exists. Ideally, of course, the key would have an explicit MDC flag, > >but PGP does not do this. > > > >> How exactly does MDC work? I know with MDC out of the picture, if > >> someone changes the ciphertext, the receiver knows. Either the > >> receiver will get garbage, or the receiver won't be able to decrypt > >> the message at all. So what's the purpose of MDC? > > > >Among other things, read http://www.counterpane.com/pgp-attack.html > > > >> Also, I'm curious as to why PGP 6.5.8 (domestic) cannot handle MDC, > >> but PGP 6.5.1i can. Was MDC capability removed, and then re-added in > >> PGP7? > > > >6.5.8 != 6.5.1i. Two different programs. > > > >David > > > I have re-read the document above today and realised that compressed data > e.g. zip-files might be a problem. The document tells that the attack > succeeds in 100% of the times if compression isn't used. And GPG doesn't > compress data if it already is compressed, right? Correct. > And the mdc doesn't help against this vulnerability? Incorrect. The MDC stops this vulnerability. Note that the chosen ciphertext attack mentioned requires a lot more than an uncompressed file to succeed: the victim needs to cooperate (even unknowingly) and send back decrypted text. > BTW I found the switch --force-mdc that might be useful if not AES or > Twofish are used. Any problems with that? (I am testing it right now!) No problem, so long as your recipient can handle MDCs. That means PGP 7 or later, or GnuPG. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+kuaK4mZch0nhy8kRAq7sAKCjyO7yGnWsEAuCh9bdYqdO1hAu0gCfYArk ama2DJb0LP99d2cclia7h0Y= =2Dx+ -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Tue Apr 8 18:12:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Tue Apr 8 17:12:02 2003 Subject: How to remove passphrase? In-Reply-To: <003001c2fab3$04553c20$191ea8c0@fredrik> References: <003001c2fab3$04553c20$191ea8c0@fredrik> Message-ID: <20030408151237.GE22190@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, Apr 04, 2003 at 04:03:49PM +0200, Fredrik Hellstr=C3=B6m wrote: > How do I remove the passphrase for my secret key? I want do to scriptin= g > for automatically signing e-mails. Does anyone have suggestions? >> gpg --edit-key (thekey) >> passwd When GnuPG prompts for the new passphrase, just hit enter. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+kubl4mZch0nhy8kRAnxnAKDcTVny2YH5NJKJ4BRczhZnDEinXQCgtMAc Fh+oRWAVa6EOx2Z3tnWCZMI=3D =3DrKoS -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Tue Apr 8 18:13:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Tue Apr 8 17:13:02 2003 Subject: invalid trustdb error In-Reply-To: <3E8DC5A6.23337877@cbsohiou.com> References: <3E8DC5A6.23337877@cbsohiou.com> Message-ID: <20030408151352.GF22190@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, Apr 04, 2003 at 12:49:26PM -0500, Andrew Stout wrote: > I've looked in my .gnupg directory and see the file named > trustdb.gpg with a date on it AFTER the crash. It is an empty file, > however (zero bytes). I also see a file named trustdb.gpg.lock with > a date well before the date (a couple years ago, when I first > started using GPG) When I look at this file with a text editor I see > just a few blank spaces and some numbers (768 maybe?). Don't know > if this second file has anything to do with it. Delete both, and GnuPG will create a new, good, trustdb the next time it runs. A zero-length trustdb has no data in it you can save anyway. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+kucw4mZch0nhy8kRAjzFAJ94MkdobEc0u8jI0OXK4Os9d1YWCwCg3bTv pHzgMr5jOJB9xIVlpntJcbQ= =DgVt -----END PGP SIGNATURE----- From hh@hackhawk.net Tue Apr 8 18:58:01 2003 From: hh@hackhawk.net (Hack Hawk) Date: Tue Apr 8 17:58:01 2003 Subject: Suppressing gpg messages from php exec command? In-Reply-To: <5.2.0.9.0.20030403182846.038cb2a0@mail.nightsource.com> Message-ID: <5.1.0.14.0.20030408090016.045f1a10@mail.nightsource.com> Oh Darn, I thought since this message bounced back originally I'd be spared the embarrassment of yet another useless post on my part. I obviously needed to step away from the computer for the evening, because when I came back the next morning I immediately realized that I was modifying the WRONG friggin file!! Aaarrrgggh! The --status-fd 1 did indeed work just fine. - rich At 07:43 PM 04/03/2003, Hack Hawk wrote: >Hello, > >I'm pulling my hair out over this one, can anyone assist? I've searched >google for hours but to no avail. I'm trying to suppress gpg output from >within a php script. > >Here's the important stuff. > >--------- PHP ----------------- >$msg = $some_gpg_signed_clear_text >$comd = "echo '$msg' | /usr/local/bin/gpg --decrypt"; >exec($comd,$res,$errcd); >------- END PHP --------------- > >I get the unsigned text in $res without a problem. The problem is that >the following output is sent to the terminal/browser/whatever. > >-------------------------------- >gpg: Signature made Thu 03 Apr 2003 06:24:21 PM PST using DSA key ID AABBCCDD >gpg: Good signature from "Blah Blah " >gpg: aka "Blah Bleh " >-------------------------------- > >I've tried adding ALL of the following to the $comd command line with no >success. > >--logger-fd 1 >--status-fd 1 >--quiet >--batch >--no-tty >2>&1 > >Is there ANYWAY to suppress these messages? I'm assuming that if the >signature is NOT validated, then the $res will NOT return the unsigned >message, and that's how I'll verify validity or not. Please correct me if >I'm wrong about this assumption. > >Thanks in advance for any replies >- Rich From dshaw@jabberwocky.com Tue Apr 8 19:33:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Tue Apr 8 18:33:02 2003 Subject: A GnuPG oddity (decompression) In-Reply-To: <003c01c2fd1b$63e08cc0$7a114251@sncb53000105> References: <003c01c2fd1b$63e08cc0$7a114251@sncb53000105> Message-ID: <20030408163345.GA7072@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, Apr 07, 2003 at 05:35:59PM +0200, Falissard wrote: > Here is a weird thing that I found when comparing > PGP and GnuPG. > You'll find below some conventionally encrypted data > (the passphrase to decrypt is "test"). > It is decrypted OK by PGP and GnuPG. > BUT GnuPG generates garbled data. > (I've tried GnuPG v1.0.6 and v1.2.1). > This has something to do with decompression, > because I get no problem with non-compressed data. > Thanks for any suggestion. I believe this is has to do with a similar problem seen with CryptoEx compresssed messages. It is fixed in 1.2.2. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+kvnp4mZch0nhy8kRAut6AKCg41LuGzzklIdUNO2VI59+A8M4VgCdEpoy EgC6SNkB8EzOdPbCuJJTChc= =s6qh -----END PGP SIGNATURE----- From jharris@widomaker.com Tue Apr 8 20:48:02 2003 From: jharris@widomaker.com (Jason Harris) Date: Tue Apr 8 19:48:02 2003 Subject: export single UID of a key In-Reply-To: References: Message-ID: <20030408174914.GB951@pm1.ric-05.lft.widomaker.com> --rJwd6BRFiFCcLxzm Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Apr 08, 2003 at 04:11:28AM +0200, Michael Nahrath wrote: > The second is the way I want to go. Currently I use basically those steps: >=20 > gpg --recv-key $KEYID > # START loop:=20 > # repeat until only 1 UID left > gpg --default-cert-check-level 3 --edit-key $KEYID uid 1 sign save > gpg -a --export $KEYID \ > | gpg -a -e -r $KEYID \ > | mail -b $MY_MAIL -s "your signed key" `gpg --list-key $KEYID \ > | grep "@" | cut -d "<" -f2 | cut -d ">" -f 1 | head -1` > gpg --edit-key $KEYID uid 1 deluid save > # END loop > gpg --delete-key $KEYID > gpg --recv-key $KEYID I hope you are checking the fingerprints after each keyserver fetch. I would think it would be easier to sign all the userids at once=20 (one keyserver fetch, one fp check, one passphrase entry) and remove=20 all but one userid before sending the signed key to that address. Have you looked into running RobotCA manually to assist in this process? See key 0xC521097E and http://www.toehold.com/robotca/ . > I have the feeling: There must be a better way to do this! >=20 > Something like=20 >=20 > 1. Sign the full key > 2. Export only one UID of the key Deleting the userids will have to suffice since I don't believe you can selectively export userids. --=20 Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com | web: http://jharris.cjb.net/ --rJwd6BRFiFCcLxzm Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+kwuYSypIl9OdoOMRAtyYAKCMYFv2mHTZk1nLKNcAxRJFS9RThQCgkNS0 teaB6IpL2RZR+eM/+57lEVk= =D2Jy -----END PGP SIGNATURE----- --rJwd6BRFiFCcLxzm-- From rdmyers@pe.net Tue Apr 8 20:49:01 2003 From: rdmyers@pe.net (Rodney D. Myers) Date: Tue Apr 8 19:49:01 2003 Subject: SIGSEGV on gpg 1.2.1 (was: Re: A GnuPG oddity (decompression)) In-Reply-To: <20030408150624.GC22190@jabberwocky.com> References: <003c01c2fd1b$63e08cc0$7a114251@sncb53000105> <200304080949.47513@fortytwo.ch> <20030408150624.GC22190@jabberwocky.com> Message-ID: <20030408101302.5a0bbebe.rdmyers@pe.net> --=.qBXz2lmbRfaluS Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit On Tue, 8 Apr 2003 11:06:24 -0400 David Shaw wrote: > That is a known bug with 1.2.1, symmetrically encrypted data, and > gpg-agent. It is fixed in 1.2.2. > > David Where is 1.2.2? I went to the download page, but did not see it listed? -- Rodney D. Myers ICQ#: AIM#: YAHOO: 18002350 mailman452 mailman42_5 They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. Ben Franklin - 1759 --=.qBXz2lmbRfaluS Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+kwMhRzSENXJW+i8RAgUSAJ0blT41R1YPC4CjaZLgzEq1X45khQCfbhrI scv6fIVCGY6HJSSeSzcz6vk= =nd+O -----END PGP SIGNATURE----- --=.qBXz2lmbRfaluS-- From yenot@sec.to Tue Apr 8 21:25:01 2003 From: yenot@sec.to (Yenot) Date: Tue Apr 8 20:25:01 2003 Subject: Import a pubkey sans self-sig? In-Reply-To: <20030407211421.GA22190@jabberwocky.com> References: <20030407195903.GA21667@uriel.eclipsed.net> <20030407211421.GA22190@jabberwocky.com> Message-ID: <200304081611.00548.yenot@sec.to> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tuesday 08 April 2003 01:14 am, David Shaw wrote: > On Mon, Apr 07, 2003 at 03:59:03PM -0400, gabriel rosenkoetter wrote: > > I'd like to encipher things to keyid 75E4988D (seems to be on > > wwwkeys.pgp.net)... but GnuPG simply refuses to import it because > > it's lacking a self-signature. > > > > pgp 6.5.2 (yeah, I know, but this is a long-standing production > > process at work that I'm trying to update) has no trouble with this > > key. > > > > --expert doesn't help and we don't have a --force... > > --allow-non-selfsigned-uid I was shocked that non-self-signed UID's were allowed at all. The only reason I can think of for such a UID, would be to annotate a local key that you don't own. (Just as local signatures are used for localized key annotation.) I decided to run some tests. Others may be interested in the results: GnuPG 1.2.1 - ----------- gpg --import key.asc This command *silently* ignores unsigned UID's. gpg --import --allow-non-selfsigned-uid key.asc This command imports unsigned UID's, but warns the user about the unsigned UID's. gpg -o key.asc --export test@test.com This command exports *all* UID's. No warning is given about the unsigned UID's. PGP 8.02 - -------- Imports and exports unsigned UID's. Unsigned UID's are annotated as being *revoked*. ldap://keyserver.pgp.com also accepts unsigned UID's. This means one could [for example] add porn site advertisements and humorous but annoying photo UID's to an enemy's key. ... advertisements are probably only a matter of time if the problem isn't fixed. - Yenot -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+krxQP247TY29IxARAvuGAKCS0y1QXELN31uhmhzclmIEaLU+PgCgnLVK Ed0FhHSUadI2ALgXA+4Xrbg= =MM0r -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Tue Apr 8 21:41:01 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Tue Apr 8 20:41:01 2003 Subject: SIGSEGV on gpg 1.2.1 (was: Re: A GnuPG oddity (decompression)) In-Reply-To: <20030408101302.5a0bbebe.rdmyers@pe.net> References: <003c01c2fd1b$63e08cc0$7a114251@sncb53000105> <200304080949.47513@fortytwo.ch> <20030408150624.GC22190@jabberwocky.com> <20030408101302.5a0bbebe.rdmyers@pe.net> Message-ID: <20030408184141.GD7072@jabberwocky.com> --y0ulUmNC+osPPQO6 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Apr 08, 2003 at 10:13:02AM -0700, Rodney D. Myers wrote: > On Tue, 8 Apr 2003 11:06:24 -0400 > David Shaw wrote: > > That is a known bug with 1.2.1, symmetrically encrypted data, and > > gpg-agent. It is fixed in 1.2.2. > >=20 > > David >=20 > Where is 1.2.2? >=20 > I went to the download page, but did not see it listed? Sorry, I should have said "will be fixed in 1.2.2" ;) 1.2.2 is not released yet, though we hope to have the next release candidate (1.2.2rc2) out fairly soon. David --y0ulUmNC+osPPQO6 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD4DBQE+kxfl4mZch0nhy8kRAuXKAJiiKDVI3cWg0BEwh4Fis8GmPSIXAJ9Z0IW4 UONsJeidluIN4t4zH3yTbw== =LwAt -----END PGP SIGNATURE----- --y0ulUmNC+osPPQO6-- From dshaw@jabberwocky.com Tue Apr 8 21:45:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Tue Apr 8 20:45:02 2003 Subject: export single UID of a key In-Reply-To: References: Message-ID: <20030408184555.GE7072@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, Apr 08, 2003 at 04:11:28AM +0200, Michael Nahrath wrote: > For e-mail validation after keysignings there are basically two methods: > > 1. Send a challenge in an encrypted mail to each UIDs e-mail address and > wait for the decrypted answers before you sign. > > 2. Sign only one UID and send it in an encrypted mail to this UID's mail > address. > Do this for every UID in a key seperately. > Do _not_ keep these signatures in your normal keyring. > If the key owner uploads the signatures to the keyservers he prooves that > he owns the secret key. You get your signature back via '--refresh-keys'. Note that this doesn't really give you what you want in all cases. OpenPGP keys are usually made up of a primary signing key and a number of secondary encryption keys. There are other combinations, but that is by far the most common. Anyway, when you sign a key, you are actually signing the primary key plus the user ID. If you follow #2 above, you are actually sending the signed key to an entity that may or may not control the signing key - in effect, signing something without strong proof that the recipient actually "owns" that key. There are cases where this isn't a problem (a PGP 2.x key, or a sign+encrypt primary key), but the common case is a problem. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+kxjj4mZch0nhy8kRApsfAKCVpL38CtVPG+ykEzGzsMgVh9+e7wCfeOh+ WjipoAskAIvsHxFBi1pvEI4= =IXGz -----END PGP SIGNATURE----- From tgfurnish@herff-jones.com Tue Apr 8 22:43:01 2003 From: tgfurnish@herff-jones.com (Furnish, Trever) Date: Tue Apr 8 21:43:01 2003 Subject: Anyone have hpux11.11 gnupg working? Message-ID: <3E93277E.2030903@herff-jones.com> This is probably because I'm doing something patently stupid, but when I run configure on HPUX11.11 on an rp8400, I get the following errors, then configure dies: # ./configure --prefix=/opt/gnupg checking build system type... config.sub: too many arguments Try `config.sub --help' for more information. configure: error: /bin/sh scripts/config.sub hppa2.0w-hp-hpux11.11 failed Do I need a Gnu toolchain installed even just to run configure? Any pointers on where to start (what to check, what to update, what Gnu tools required, how to tell configure about them once they're installed, etc) would be greatly appreciated. This is for gnupg-1.2.1 taken from the web site just a couple of days ago. -- Trever Furnish, tgfurnish @ herff-jones d0t com From ninjaforce@netcourrier.com Tue Apr 8 23:00:01 2003 From: ninjaforce@netcourrier.com (Maxine Brandt) Date: Tue Apr 8 22:00:01 2003 Subject: DDOS attack Message-ID: <3E932A55.5010505@netcourrier.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 If any list members had problems accessing my keys recently at http://www.torduninja.tk this was because of a massive attack on the .tk root servers, and the .tk registry server. This was such a large attack that the FBI in the US is investigating it, IP address by IP address, since one of the root servers is on US soil. The Dutch Criminal Investigation Service is doing the same on the other servers. Things are running again but may still be slow for a few days yet. Sorry for any inconvenience. Maxine Brandt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1-nr1 (Windows 2000) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+kypRKBY/R6nbCcARAo4MAJ9nV+q2vTW9D0uvscci4Hx7r5jgRgCghhUk ErA9cGLEpYpNEcCeLRDv4Z8= =4F/b -----END PGP SIGNATURE----- From rlaager@wiktel.com Tue Apr 8 23:20:02 2003 From: rlaager@wiktel.com (Richard Laager) Date: Tue Apr 8 22:20:02 2003 Subject: export single UID of a key In-Reply-To: <20030408184555.GE7072@jabberwocky.com> Message-ID: <003701c2fe0c$69ad8f80$26a63992@umcrookston.edu> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, 8 Apr 2003 14:45:55 -0400, David Shaw wrote: > On Tue, Apr 08, 2003 at 04:11:28AM +0200, Michael Nahrath wrote: ... > > 2. Sign only one UID and send it in an encrypted mail to > this UID's mail > > address. > > Do this for every UID in a key seperately. > > Do _not_ keep these signatures in your normal keyring. > > If the key owner uploads the signatures to the keyservers > he prooves that > > he owns the secret key. You get your signature back via > '--refresh-keys'. > > Note that this doesn't really give you what you want in all cases. > OpenPGP keys are usually made up of a primary signing key and a > number of secondary encryption keys. There are other combinations, > but that is by far the most common. > > Anyway, when you sign a key, you are actually signing the primary > key plus the user ID. If you follow #2 above, you are actually > sending the signed key to an entity that may or may not control the > signing key - in effect, signing something without strong proof > that the > recipient actually "owns" that key. If I'm understanding you correctly, a key like the following would be a problem: pub Alice sig Alice uid Alice <> In this case, eve@example.com would get a signature for that user id. However, this would only be possible if the process implementing #2 above wasn't validating self-sigatures. What motive* would Alice have to add a fake userid to her key and add a self-signature to it? If she wanted to be associated with root@someotherdomain.com for example, this wouldn't work, unless she could intercept the e-mail message with the signature. And, if she can intercept mail at that address, then the signature is valid -- she can in fact read messages sent to the address. * I acknowledge the possibility that she might want to annoy someone with lots of signed uid messages. The other way I'm interpreting this is that the encryption key used for encrypting the e-mail might not be the one owned by the primary key owner. Here again, though, the binding signatures must be checked. This technique is what the Robot CA at toehold.com uses, as far as I can tell. The whole premise is that the signatures mean nothing at the time of singing. Only by virtue of the recipient decrypting them, importing them, and sending them to a keyserver do they have meaning. So yes, there isn't strong proof, but that seems to be a design choice. Am I anywhere on target here? Can you clarify what you meant by "If you follow #2 above..."? Thanks, Richard Laager -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBPpMvPW31OrleHxvOEQLGTACgrzFhZ1qZo+SyAYkZXAaXp5NIrKgAoNoF s1hB8Ldgb4UZLdtOmuXUB5lb =dfmj -----END PGP SIGNATURE----- From linux@codehelp.co.uk Tue Apr 8 23:25:02 2003 From: linux@codehelp.co.uk (Neil Williams) Date: Tue Apr 8 22:25:02 2003 Subject: [Fwd: Re: HKP and firewalls] In-Reply-To: <3E91AF88.9010300@arcor.de> References: <3E8FFFD2.2040901@arcor.de> <3E912567.9050104@sw-meerane.de> <3E91AF88.9010300@arcor.de> Message-ID: <200304082124.48212.linux@codehelp.co.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Monday 07 Apr 2003 6:04 pm, udo 'mju' fleckenstein wrote: > "7. Enigmail fails to access keyserver from behind a firewall? > If you are using HTTP proxy behind a firewall, you need to use GPG with > the "keyserver-options honor-http-proxy". It is essential to set not > only the environment variable "http_proxy" to point to the proxy server > but to also set the environment variable "ENIGMAIL_PASS_ENV=http_proxy" > before starting Mozilla and using Enigmail. This ensures that Enigmail > will pass the environment variable to GPG." > http://enigmail.mozdev.org/troubles.html To solve my original query, I've just changed keyserver x-hkp://keyserver.linux.it to keyserver x-broken-hkp://keyserver.linux.it and now auto-key-retrieve works fine and all keys (on public keyservers) can be retrieved. May work for others. > to the enigmail-folks: Why using another environment variable? If > http_proxy is set, simply pass it - or do i miss some point? More of Mozilla being just plain greedy for resources? - -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE+kzAPk7DVr6iX/QIRAonwAKCSq4Qy1w8+6EAhIPRnxLFoRRyqWgCbB0a7 EveKRIOwxXwcEnkI449+Fec= =PXOp -----END PGP SIGNATURE----- From cmt@rz.uni-karlsruhe.de Wed Apr 9 00:10:02 2003 From: cmt@rz.uni-karlsruhe.de (Christoph Moench-Tegeder) Date: Tue Apr 8 23:10:02 2003 Subject: Anyone have hpux11.11 gnupg working? In-Reply-To: <3E93277E.2030903@herff-jones.com> References: <3E93277E.2030903@herff-jones.com> Message-ID: <20030408211011.GA32402@rz-ewok.rz.uni-karlsruhe.de> ## Furnish, Trever (tgfurnish@herff-jones.com): > This is probably because I'm doing something patently stupid, but when I > run configure on HPUX11.11 on an rp8400, I get the following errors, > then configure dies: > > # ./configure --prefix=/opt/gnupg > checking build system type... config.sub: too many arguments > Try `config.sub --help' for more information. > configure: error: /bin/sh scripts/config.sub hppa2.0w-hp-hpux11.11 failed It seems as if your /bin/sh is acting strange. The error above should be observed if (and only if) config.sub is called with more than one argument (ll. 108 in config.sub). However, I can't reproduce your problem with hppa2.0w-hp-hpux11.00. > Do I need a Gnu toolchain installed even just to run configure? Any > pointers on where to start (what to check, what to update, what Gnu > tools required, how to tell configure about them once they're installed, > etc) would be greatly appreciated. I was not able to compile gnupg 1.2.1 with HP's cc, there were some issues with undefined symbols wich went away when switching to gcc. configure can be influenced by setting some environment variables, e.g. CC=gcc for using gcc as compiler. Regards, cmt -- Spare Space From gnupg-users@nahrath.de Wed Apr 9 00:12:01 2003 From: gnupg-users@nahrath.de (Michael Nahrath) Date: Tue Apr 8 23:12:01 2003 Subject: export single UID of a key In-Reply-To: <20030408184555.GE7072@jabberwocky.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw schrieb am 2003-04-08 20:45: >> 2. Sign only one UID and send it in an encrypted mail to this UID's mail >> address. >> Do this for every UID in a key seperately. >> Do _not_ keep these signatures in your normal keyring. >> If the key owner uploads the signatures to the keyservers he prooves that >> he owns the secret key. You get your signature back via '--refresh-keys'. > > Note that this doesn't really give you what you want in all cases. > OpenPGP keys are usually made up of a primary signing key and a number > of secondary encryption keys. There are other combinations, but that > is by far the most common. I am aware of the limitation to key with encryption-subkeys. Pure Certification keys or UIDs without e-mail address can't bechecked that way -- but they can't be checked with an encrypted chelange either. > Anyway, when you sign a key, you are actually signing the primary key > plus the user ID. AFAIKS the signatures are only detached to the UID parts, at least this is how GPG and the keyservers display it. Is there a difference in the end if I sign all UIDs in one turn or each by its own (except from differences in signing time)? > If you follow #2 above, you are actually sending > the signed key to an entity that may or may not control the signing > key - Is it possible that someone owns and uses only the decryption subkey but not the primary signing key to it? > in effect, signing something without strong proof that the > recipient actually "owns" that key. If the owner of the UID's e-mail doesn't controll the secret key to decrypt my message the signed key will stay unpacked forever. After signing and sending it doesn't even exist in my keyring any more. > There are cases where this isn't a problem (a PGP 2.x key, or a > sign+encrypt primary key), but the common case is a problem. Sorry, if there es a basical logical problem I still don't get the point. At least I don't see the advantage of the chellange method, for it depends on checking the ability to decrypt an encrypted message as well. Greeting, Michi -----BEGIN PGP SIGNATURE----- Comment: http://www.biglumber.com/x/web?qs=0x9A4C704C iEYEARECAAYFAj6TOzMACgkQ19dRf5pMcEyNnwCgr53/aoLs3O1yK4gQcvn3JnER RMwAoIbS4GqGzwR0x3p48sXl3ksxDALE =Xewn -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Wed Apr 9 00:15:01 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Tue Apr 8 23:15:01 2003 Subject: export single UID of a key In-Reply-To: <003701c2fe0c$69ad8f80$26a63992@umcrookston.edu> References: <20030408184555.GE7072@jabberwocky.com> <003701c2fe0c$69ad8f80$26a63992@umcrookston.edu> Message-ID: <20030408211519.GF7072@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, Apr 08, 2003 at 03:21:17PM -0500, Richard Laager wrote: > > On Tue, 8 Apr 2003 14:45:55 -0400, David Shaw wrote: > > > On Tue, Apr 08, 2003 at 04:11:28AM +0200, Michael Nahrath wrote: > ... > > > 2. Sign only one UID and send it in an encrypted mail to > > this UID's mail > > > address. > > > Do this for every UID in a key seperately. > > > Do _not_ keep these signatures in your normal keyring. > > > If the key owner uploads the signatures to the keyservers > > he prooves that > > > he owns the secret key. You get your signature back via > > '--refresh-keys'. > > > > Note that this doesn't really give you what you want in all cases. > > OpenPGP keys are usually made up of a primary signing key and a > > number of secondary encryption keys. There are other combinations, > > but that is by far the most common. > > > > Anyway, when you sign a key, you are actually signing the primary > > key plus the user ID. If you follow #2 above, you are actually > > sending the signed key to an entity that may or may not control the > > signing key - in effect, signing something without strong proof > > that the > > recipient actually "owns" that key. > > If I'm understanding you correctly, a key like the following would be > a problem: > pub Alice > sig Alice > uid Alice > <> > > In this case, eve@example.com would get a signature for that user id. > However, this would only be possible if the process implementing #2 > above wasn't validating self-sigatures. What motive* would Alice have > to add a fake userid to her key and add a self-signature to it? If > she wanted to be associated with root@someotherdomain.com for > example, this wouldn't work, unless she could intercept the e-mail > message with the signature. And, if she can intercept mail at that > address, then the signature is valid -- she can in fact read messages > sent to the address. > > * I acknowledge the possibility that she might want to annoy someone > with lots of signed uid messages. > > The other way I'm interpreting this is that the encryption key used > for encrypting the e-mail might not be the one owned by the primary > key owner. Here again, though, the binding signatures must be > checked. No, the binding signature is useless here. Think about it: would you sign my key based on the fact that I signed some random piece of data at some point in the past? Surely not, but that is what this system suggests. It is certainly true that in the huge majority of cases, the entity that controls the decryption key is the same one that controls the signing key. However, OpenPGP does not in any way require this. When you make a signature you are making it over {primarykey,uid}. The decryption key is of only incidental importance here. For example: let's say someone can read my mail, and manages to steal my key and passphrase. Big deal - they still didn't get my primary key, which is stored offline. I can just revoke the subkeys, and make some new ones. Until I realize what happened, the attacker has a pretty strong incentive to get more signatures on my key. If people sign using the suggested method above, then the attacker gets lots of signatures and doesn't "own" the key. If people require a signed challenge, the attacker is foiled. He cannot fulfil the challenge. Another place where the suggested system breaks down is in split key setups where there is one OpenPGP "key" broken into different subkeys for different employees with the employer controlling the primary. Finally, what happens with a sign-only key in this system? Who do you encrypt the message to? David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+kzvn4mZch0nhy8kRAlrAAJsGwxIW0gAhUIB0ip1RZiNQQ2KN/wCg4y4i fESplvQ36Q1hCL13MdE4jGk= =dgiv -----END PGP SIGNATURE----- From jharris@widomaker.com Wed Apr 9 00:17:01 2003 From: jharris@widomaker.com (Jason Harris) Date: Tue Apr 8 23:17:01 2003 Subject: DDOS attack In-Reply-To: <3E932A55.5010505@netcourrier.com> References: <3E932A55.5010505@netcourrier.com> Message-ID: <20030408211800.GB6160@pm1.ric-28.lft.widomaker.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, Apr 08, 2003 at 10:00:21AM -1000, Maxine Brandt wrote: > If any list members had problems accessing my keys recently at > http://www.torduninja.tk this was because of a massive attack on the > .tk root servers, and the .tk registry server. > Things are running again but may still be slow for a few days yet. > Sorry for any inconvenience. Many public keyservers have your key (filesize, partial URL): 3121 openpksd.org:11371/pks/lookup?op=get&search=0xA9DB09C0 2993 belgium.keyserver.net:11371/pks/lookup?op=get&search=0xA9DB09C0 2894 skylane.kjsl.com:11371/pks/lookup?op=get&search=0xA9DB09C0 2887 keyserver.bu.edu:11371/pks/lookup?op=get&search=0xA9DB09C0 2887 sks.dnsalias.net:11371/pks/lookup?op=get&search=0xA9DB09C0 2876 ldap_pgp.surfnet.nl:11370/pks/A9DB09C0 2869 ds.carnet.hr:11371/pks/lookup?op=get&search=0xA9DB09C0 2869 netcat.upb.de:11371/pks/lookup?op=get&search=0xA9DB09C0 2869 stinkfoot.org:11371/pks/lookup?op=get&search=0xA9DB09C0 2869 wwwkeys.uk.pgp.net:11371/pks/lookup?op=get&search=0xA9DB09C0 2865 pgp.rediris.es:11371/pks/lookup?op=get&search=0xA9DB09C0 2865 wwwkeys.de.pgp.net:11371/pks/lookup?op=get&search=0xA9DB09C0 2627 hell.on.earth.li:11371/pks/lookup?op=get&search=0xA9DB09C0 2624 wwwkeys.ch.pgp.net:11371/pks/lookup?op=get&search=0xA9DB09C0 2621 pgp.uk.demon.net:11371/pks/lookup?op=get&search=0xA9DB09C0 2609 keyserver.linux.it:11371/pks/lookup?op=get&search=0xA9DB09C0 2600 keys.iif.hu:11371/pks/lookup?op=get&search=0xA9DB09C0 2600 pgp.es.net:11371/pks/lookup?op=get&search=0xA9DB09C0 2600 pgp.nic.ad.jp:11371/pks/lookup?op=get&search=0xA9DB09C0 2600 wwwkeys.es.pgp.net:11371/pks/lookup?op=get&search=0xA9DB09C0 2593 pgp.zdv.uni-mainz.de:11371/pks/lookup?op=get&search=0xA9DB09C0 2587 pgp.ael.be:11371/pks/lookup?op=get&search=0xA9DB09C0 2584 pgp.escomposlinux.org:11371/pks/lookup?op=get&search=0xA9DB09C0 2584 pgp.eteo.mondragon.edu:11371/pks/lookup?op=get&search=0xA9DB09C0 2583 ldap_keyserver.pgp.com:389/pks/A9DB09C0 2580 pgp.mit.edu:11371/pks/lookup?op=get&search=0xA9DB09C0 2580 wwwkeys.1.us.pgp.net:11371/pks/lookup?op=get&search=0xA9DB09C0 2580 wwwkeys.nl.pgp.net:11371/pks/lookup?op=get&search=0xA9DB09C0 But these could use a copy: 284 www.keyserver.de:11371/pks/lookup?op=get&search=0xA9DB09C0 204 pgp.loxinfo.co.th:11371/pks/lookup?op=get&search=0xA9DB09C0 114 keyserver.mcbone.net:11371/pks/lookup?op=get&search=0xA9DB09C0 114 pgp.ndlug.nd.edu:11371/pks/lookup?op=get&search=0xA9DB09C0 114 pgpserv.indstate.edu:11371/pks/lookup?op=get&search=0xA9DB09C0 - -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com | web: http://jharris.cjb.net/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+kzxjSypIl9OdoOMRAn45AKCSFYqvUM1aqVK+tkkRMSyfReWINQCdExeQ Xp5oOzmdhORkwjg8wcD+fz8= =KKSP -----END PGP SIGNATURE----- From gnupg-users@nahrath.de Wed Apr 9 00:34:02 2003 From: gnupg-users@nahrath.de (Michael Nahrath) Date: Tue Apr 8 23:34:02 2003 Subject: export single UID of a key In-Reply-To: <20030408174914.GB951@pm1.ric-05.lft.widomaker.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jason Harris schrieb am 2003-04-08 19:49: > On Tue, Apr 08, 2003 at 04:11:28AM +0200, Michael Nahrath wrote: > >> The second is the way I want to go. Currently I use basically those steps: >> >> gpg --recv-key $KEYID > >> # START loop: >> # repeat until only 1 UID left >> gpg --default-cert-check-level 3 --edit-key $KEYID uid 1 sign save >> gpg -a --export $KEYID \ >> | gpg -a -e -r $KEYID \ >> | mail -b $MY_MAIL -s "your signed key" `gpg --list-key $KEYID \ >> | grep "@" | cut -d "<" -f2 | cut -d ">" -f 1 | head -1` >> gpg --edit-key $KEYID uid 1 deluid save >> # END loop > >> gpg --delete-key $KEYID >> gpg --recv-key $KEYID > > I hope you are checking the fingerprints after each keyserver fetch. There is only on keyserver fetch at the very beginning (and one after the end). No network fetching is included in the loop. Do you think it neccesary to check the fingerprint again if after a - --refresh-keys two days later I receive my own signature on a key? > I would think it would be easier to sign all the userids at once > (one keyserver fetch, Ther is only one keyserver fetch > one fp check, one passphrase entry) You are right. Giving 6 seperate signatures to a key with 6 UIDs results in having to check the fingerprint 6 times and to give in the passphrase 6 times. > and remove > all but one userid before sending the signed key to that address. Once sign the full key, back it up to a temporary location and then import it again for each UID. Would need a bit more scripting but it reduces the amount of manulal signing to a minimum. I should try this. > Have you looked into running RobotCA manually to assist in this process? > See key 0xC521097E and http://www.toehold.com/robotca/ . I'll have a look on it. Even if I personally don't like the idea of the signing-without-idendity-checking the robot does its code may be perfect _after_ a key signing party with full contact. Fine idea! >> 2. Export only one UID of the key > Deleting the userids will have to suffice since I don't believe you > can selectively export userids. Pitty! Is there at least a way of deleting certain userids without using the intractive '--edit-key' shell? Thanks, Michi -----BEGIN PGP SIGNATURE----- Comment: http://www.biglumber.com/x/web?qs=0x9A4C704C iEYEARECAAYFAj6TQH8ACgkQ19dRf5pMcExguwCeP8cjQ4WRfPgU7z0e05XpReLM vOQAnihRw0flUv1UPXCx7LBhvuNSdJLr =zLx8 -----END PGP SIGNATURE----- From johanw@vulcan.xs4all.nl Wed Apr 9 00:44:01 2003 From: johanw@vulcan.xs4all.nl (Johan Wevers) Date: Tue Apr 8 23:44:01 2003 Subject: SIGSEGV on gpg 1.2.1 (was: Re: A GnuPG oddity (decompression)) In-Reply-To: <20030408101302.5a0bbebe.rdmyers@pe.net> from "Rodney D. Myers" at "Apr 8, 2003 10:13:02 am" Message-ID: <200304082020.WAA01018@vulcan.xs4all.nl> Rodney D. Myers wrote: > Where is 1.2.2? > I went to the download page, but did not see it listed? He probably means 1.2.2rc1, which is in the alpha section of the ftp site. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From johanw@vulcan.xs4all.nl Wed Apr 9 00:44:25 2003 From: johanw@vulcan.xs4all.nl (Johan Wevers) Date: Tue Apr 8 23:44:25 2003 Subject: Import a pubkey sans self-sig? In-Reply-To: <200304081611.00548.yenot@sec.to> from Yenot at "Apr 8, 2003 04:10:49 pm" Message-ID: <200304082019.WAA00977@vulcan.xs4all.nl> Yenot wrote: >I was shocked that non-self-signed UID's were allowed at all. It is mostly done to work with old keys. Some very old pgp versions didn't default to selfsign keys. I don't remember which ones, but 2.6.3ia already does selfsign keys it creates. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From cmt@rz.uni-karlsruhe.de Wed Apr 9 00:55:02 2003 From: cmt@rz.uni-karlsruhe.de (Christoph Moench-Tegeder) Date: Tue Apr 8 23:55:02 2003 Subject: Some build reports (HP-UX, IRIX, Solaris, AIX, Linux) Message-ID: <20030408215549.GB32402@rz-ewok.rz.uni-karlsruhe.de> Some notes on building gnupg 1.2.1 on different platforms (all the stuff I couldn't find in the archives when I ran into first trouble): For all those needing idea: The check for bigendian platforms in idea.c line 73 covers only gcc. For other compilers, I needed the following patch: --- /home/ws/ry04/gnupg/idea.c Tue Mar 25 18:38:38 2003 +++ idea.c Tue Apr 8 23:19:24 2003 @@ -73,6 +73,10 @@ #if defined(__mc68000__) || defined (__sparc__) || defined (__PPC__) \ || (defined(__mips__) && (defined(MIPSEB) || defined (__MIPSEB__)) ) \ || defined(__powerpc__) || defined(__ppc__) \ + || defined(_IBMR2) /* IBM AIX xlc */ \ + || defined(__sparc) /* SUN WSpro cc */ \ + || defined(__hpux) /* HP-UX cc */ \ + || defined(_MIPS_SIM) /* SGI IRIX cc */ \ || defined(__hpux__) /* should be replaced by the Macro for the PA */ #define BIG_ENDIAN_HOST 1 #else Some little patching was required so I coud link tiger and idea got linked statically into gpg. This only affected cipher/Makefile.in and was rather trivial: --- gnupg-1.2.1.orig/cipher/Makefile.in Fri Oct 25 12:05:39 2002 +++ gnupg-1.2.1/cipher/Makefile.in Fri Mar 28 15:24:01 2003 @@ -431,9 +431,6 @@ mostlyclean-generic tags uninstall uninstall-am \ uninstall-info-am - -tiger.o: $(srcdir)/tiger.c - `echo $(COMPILE) -c $(srcdir)/tiger.c | sed -e 's/-O[2-9s]*/-O1/g' ` # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: Note that the sed script breaks the $CFLAGS for IRIX's cc (it uses -O -OPT:Olimit=2000), so it's a good idea too get rid of these lines anyway. Now for the compilers and $CFLAGS: AIX 4.1, 4.3, 5.1: Compiler was xlc (IBM) (called via cc) Environment: CFLAGS='-O3 -qstrict' CXXFLAGS='-O3 -qstrict' ./configure --enable-tiger --enable-static-rnd=unix --disable-asm HP-UX 9: HP-UX 9 does not know not know about RLIMIT_CORE. One can disable disable_core_dumps (g10/misc.c ll 85) or define RLIMIT_CORE as 4 (this comes frome the HP-UX FAQ). I did the latter, so I ended up with: Compiler: gcc 2.95.2 Environment: CFLAGS='-O3 -fomit-frame-pointer -DRLIMIT_CORE=4' PICFLAGS=+z CXXFLAGS='-O3 -fomit-frame-pointer' ./configure --enable-tiger --enable-static-rnd=unix HP-UX 10, 11: Compiler: gcc 2.95.2 Environment: CFLAGS='-O3 -fomit-frame-pointer -DRLIMIT_CORE=4' PICFLAGS=+z CXXFLAGS='-O3 -fomit-frame-pointer' ./configure --enable-tiger --enable-static-rnd=unix IRIX 6.5: Compiler: cc (SGI) Environment: CFLAGS='-O -OPT:Olimit=2000' CXXFLAGS='-O -OPT:Olimit=2000' ./configure --enable-tiger --enable-static-rnd=unix --disable-asm Linux (glibc 2.1 and 2.2): Works out of the box. Compiler: gcc 2.95.2 Environment: CFLAGS='-O3 -fomit-frame-pointer' CXXFLAGS='-O3 -fomit-frame-pointer' PICFLAGS=-fPIC ./configure --enable-tiger --enable-static-rnd=linux Solaris 7: Do not set CFLAGS=-xO3, you will get bus errors in some checks. Compiler: Sun WSpro 6 Environment: PICFLAGS=-Kpic ./configure --enable-tiger --enable-static-rnd=unix I could not get a Tru64 for testing, may be next time. Regards, cmt -- Spare Space From dshaw@jabberwocky.com Wed Apr 9 01:00:01 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Wed Apr 9 00:00:01 2003 Subject: export single UID of a key In-Reply-To: References: <20030408184555.GE7072@jabberwocky.com> Message-ID: <20030408220031.GH7072@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, Apr 08, 2003 at 11:12:44PM +0200, Michael Nahrath wrote: > David Shaw schrieb am 2003-04-08 20:45: > > >> 2. Sign only one UID and send it in an encrypted mail to this UID's mail > >> address. > >> Do this for every UID in a key seperately. > >> Do _not_ keep these signatures in your normal keyring. > >> If the key owner uploads the signatures to the keyservers he prooves that > >> he owns the secret key. You get your signature back via '--refresh-keys'. > > > > Note that this doesn't really give you what you want in all cases. > > OpenPGP keys are usually made up of a primary signing key and a number > > of secondary encryption keys. There are other combinations, but that > > is by far the most common. > > I am aware of the limitation to key with encryption-subkeys. > > Pure Certification keys or UIDs without e-mail address can't bechecked that > way -- but they can't be checked with an encrypted chelange either. So don't encrypt the challenge. Encrypting the challenge doesn't buy you any additional security. You don't need confidentiality here - you need identity confirmation. > > Anyway, when you sign a key, you are actually signing the primary key > > plus the user ID. > > AFAIKS the signatures are only detached to the UID parts, at least this is > how GPG and the keyservers display it. Nevertheless, you are signing the primary key plus the user ID. It doesn't matter how programs display it for human consumption. > Is there a difference in the end if I sign all UIDs in one turn or each by > its own (except from differences in signing time)? No. > > If you follow #2 above, you are actually sending > > the signed key to an entity that may or may not control the signing > > key - > > Is it possible that someone owns and uses only the decryption subkey but > not the primary signing key to it? Yes. That is why the method being discussed does not work in all cases. > If the owner of the UID's e-mail doesn't controll the secret key to decrypt > my message the signed key will stay unpacked forever. > After signing and sending it doesn't even exist in my keyring any more. You are signing the primary key... but giving someone with access to only the decryption key the ability to use your signature. Signing A, but giving B access to it. A and B are not necessarily the same person. By using a challenge, you are signing A, and requiring proof that the entity controls A. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+k0Z/4mZch0nhy8kRArtMAJwNM1rAvIpa3xGHhUr9t4oj39kdbQCgxG/d gajKgxO/0LX4CV9idKX+V4o= =0mRA -----END PGP SIGNATURE----- From ninjaforce@netcourrier.com Wed Apr 9 01:40:02 2003 From: ninjaforce@netcourrier.com (Maxine Brandt) Date: Wed Apr 9 00:40:02 2003 Subject: DDOS attack In-Reply-To: <20030408211800.GB6160@pm1.ric-28.lft.widomaker.com> References: <3E932A55.5010505@netcourrier.com> <20030408211800.GB6160@pm1.ric-28.lft.widomaker.com> Message-ID: <3E934FF5.8080107@netcourrier.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jason Harris wrote: | On Tue, Apr 08, 2003 at 10:00:21AM -1000, Maxine Brandt wrote: | | |>If any list members had problems accessing my keys recently at |>http://www.torduninja.tk this was because of a massive attack on the |>.tk root servers, and the .tk registry server. | | | |>Things are running again but may still be slow for a few days yet. |>Sorry for any inconvenience. | | | Many public keyservers have your key (filesize, partial URL): | So much for asking people NOT to send my keys to servers. And I even said PLEASE Maxine -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1-nr1 (Windows 2000) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+k0/0KBY/R6nbCcARAnTzAJsGWjU6G3aOgbkOSCXvbHOI/hYeNwCgh3MM WNVTvqJydMn19YSbrABBkeU= =twlb -----END PGP SIGNATURE----- From gnupg-users@nahrath.de Wed Apr 9 03:52:02 2003 From: gnupg-users@nahrath.de (Michael Nahrath) Date: Wed Apr 9 02:52:02 2003 Subject: export single UID of a key In-Reply-To: <20030408220031.GH7072@jabberwocky.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw schrieb am 2003-04-09 00:00: >>>> 2. Sign only one UID and send it in an encrypted mail to this UID's mail >>>> address. >>>> Do this for every UID in a key seperately. >>>> Do _not_ keep these signatures in your normal keyring. >>>> If the key owner uploads the signatures to the keyservers he prooves that >>>> he owns the secret key. You get your signature back via '--refresh-keys'. >>> >>> Note that this doesn't really give you what you want in all cases. >> Pure Certification keys or UIDs without e-mail address can't be checked that >> way -- but they can't be checked with an encrypted chelange either. > > So don't encrypt the challenge. Encrypting the challenge doesn't buy > you any additional security. You don't need confidentiality here - > you need identity confirmation. OK, that is the point! I guess I was not alone in the misunderstanding, that the main validation feature in the callange was the ability to _decrypt_ the callenge-cookie. Thank you for clearing this! >> AFAIKS the signatures are only detached to the UID parts, at least this is >> how GPG and the keyservers display it. > > Nevertheless, you are signing the primary key plus the user ID. It > doesn't matter how programs display it for human consumption. How does this fit to the fact that trust to a (primary-) key gets lost if a user ID is revoked? Is there any mechanism to sign somebody else's primary key without signing any of his UIDs? > You are signing the primary key... but giving someone with access to > only the decryption key the ability to use your signature. Signing A, > but giving B access to it. A and B are not necessarily the same > person. Maybe this a bit overparanoid two days after a keysigning party where each of the key owners presented his/her idendity and key-data in person. Many people find this alone enough to sign keys. E-mail validation is only be an extra-bonus. But I understand that technical security is not about probability but about (even theoretical) possibility ;-) > By using a challenge, you are signing A, and requiring proof that the > entity controls A. I underestimated again, that the signing key is "the key" and all encryption/decription is secondary (sub-*) to it. thanks for the advice, greeting, Michi P.S.: Anyway I am still interested if there is a way to sign, delet and export single UIDs without using the --edit-key shell. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (Darwin) Comment: http://www.biglumber.com/x/web?qs=0x9A4C704C iEYEARECAAYFAj6TbscACgkQ19dRf5pMcEwTQQCeIDQ82NyIU7X0zSW1YeABl3no b3sAn2BItgI75tH+4i7I0tYIxJqMjf7C =wYR3 -----END PGP SIGNATURE----- From jbruni@mac.com Wed Apr 9 04:38:22 2003 From: jbruni@mac.com (Joseph Bruni) Date: Wed Apr 9 03:38:22 2003 Subject: Anyone have hpux11.11 gnupg working? In-Reply-To: <3E93277E.2030903@herff-jones.com> Message-ID: <06A74ECC-6A2C-11D7-9BBA-003065B1243E@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have it working on HP/UX 11.11, but I did not receive the errors you indicate below. I was able to compile GPG with the HP ANSI C compiler (not the built-in) and did not need to install GCC. In fact, none of the Gnu tools are installed. On Tuesday, April 8, 2003, at 12:48 PM, Furnish, Trever wrote: > This is probably because I'm doing something patently stupid, but when > I run configure on HPUX11.11 on an rp8400, I get the following errors, > then configure dies: > > # ./configure --prefix=/opt/gnupg > checking build system type... config.sub: too many arguments > Try `config.sub --help' for more information. > configure: error: /bin/sh scripts/config.sub hppa2.0w-hp-hpux11.11 > failed > > Do I need a Gnu toolchain installed even just to run configure? Any > pointers on where to start (what to check, what to update, what Gnu > tools required, how to tell configure about them once they're > installed, etc) would be greatly appreciated. > > This is for gnupg-1.2.1 taken from the web site just a couple of days > ago. > > -- > Trever Furnish, tgfurnish @ herff-jones d0t com > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (Darwin) iEYEARECAAYFAj6TebUACgkQ4rg/mXNDweOXigCg/peuzJIGDqF1dQkrlwlbQ5+8 liMAn1HoAI+akCdMpVoQx4GN74q18Mjf =G2/t -----END PGP SIGNATURE----- From jbruni@mac.com Wed Apr 9 04:41:01 2003 From: jbruni@mac.com (Joseph Bruni) Date: Wed Apr 9 03:41:01 2003 Subject: DDOS attack In-Reply-To: <3E934FF5.8080107@netcourrier.com> Message-ID: <7FD8F79B-6A2C-11D7-9BBA-003065B1243E@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I really hope spammers are unable to reap email addresses from keyservers. At least not efficiently. Joe On Tuesday, April 8, 2003, at 03:40 PM, Maxine Brandt wrote: > So much for asking people NOT to send my keys to servers. And I even > said PLEASE > > Maxine -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (Darwin) iEYEARECAAYFAj6Ten8ACgkQ4rg/mXNDweMD8wCdHDz2C2je1VwIzw4B4tWK11N3 zF0AoJ7bYZFjze+Otz8WvHYqp51KThrC =bv7k -----END PGP SIGNATURE----- From gustavo.hlv@gmx.net Wed Apr 9 06:00:01 2003 From: gustavo.hlv@gmx.net (Gustavo Vasconcelos) Date: Wed Apr 9 05:00:01 2003 Subject: BAD signature from Fabian AND Per In-Reply-To: <5.1.0.14.2.20030408154303.0241b8b0@localhost> References: <5.2.0.9.0.20030403182846.038cb2a0@mail.nightsource.com> <5.1.0.14.2.20030408154303.0241b8b0@localhost> Message-ID: <3E93886A.6070406@gmx.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Well, His sig was good for me... Yours, by the way, was not! =) Some extra characters or what? ;-) []'s Gustavo Per Tunedal wrote on 08-04-2003 10:45: > Hi, > I got BAD signature from Fabian on this mail. Some extra characters or > what? > Per Tunedal - -- Gustavo Vasconcelos OpenPGP Key ID: 0xFF006747 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+k4hoGVGVi/8AZ0cRAkh1AKCNH3efVJxwOHHaAKKeWrMh3OAEUwCfYsNE AY+gxHX00Uq0VMmx32juSrw= =Jmml -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Wed Apr 9 06:43:01 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Wed Apr 9 05:43:01 2003 Subject: export single UID of a key In-Reply-To: References: <20030408220031.GH7072@jabberwocky.com> Message-ID: <20030409034311.GK7072@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Apr 09, 2003 at 02:52:48AM +0200, Michael Nahrath wrote: > David Shaw schrieb am 2003-04-09 00:00: > > >>>> 2. Sign only one UID and send it in an encrypted mail to this UID's mail > >>>> address. > >>>> Do this for every UID in a key seperately. > >>>> Do _not_ keep these signatures in your normal keyring. > >>>> If the key owner uploads the signatures to the keyservers he prooves that > >>>> he owns the secret key. You get your signature back via '--refresh-keys'. > >>> > >>> Note that this doesn't really give you what you want in all cases. > > >> Pure Certification keys or UIDs without e-mail address can't be checked that > >> way -- but they can't be checked with an encrypted chelange either. > > > > So don't encrypt the challenge. Encrypting the challenge doesn't buy > > you any additional security. You don't need confidentiality here - > > you need identity confirmation. > > OK, that is the point! > > I guess I was not alone in the misunderstanding, that the main validation > feature in the callange was the ability to _decrypt_ the callenge-cookie. > > Thank you for clearing this! > > >> AFAIKS the signatures are only detached to the UID parts, at least this is > >> how GPG and the keyservers display it. > > > > Nevertheless, you are signing the primary key plus the user ID. It > > doesn't matter how programs display it for human consumption. > > How does this fit to the fact that trust to a (primary-) key gets lost if a > user ID is revoked? This is actually a good thing. Since you are signing {primary,uid}, if the uid is no longer usable then your signature should certainly no longer be used. The uid being revoked breaks a part of the "contract" you have with the key owner. > Is there any mechanism to sign somebody else's primary key without signing > any of his UIDs? Well, yes, and no. OpenPGP defines a "direct key signature", which is a signature on the primary key only. However, GnuPG doesn't accept it as part of the web of trust. I'm actually not sure if PGP does, either. Both programs use it for special key features (like designated revokers). Neither program allows users to make direct key signatures on other people's keys. Using a direct key signature is a bit like giving unconditional trust ("I can't confirm who this person is, but I trust the key belongs to them anyway"). I think it could be useful in special cases where those somewhat weird semantics don't matter, but it just isn't that useful the rest of the time. > > You are signing the primary key... but giving someone with access to > > only the decryption key the ability to use your signature. Signing A, > > but giving B access to it. A and B are not necessarily the same > > person. > > Maybe this a bit overparanoid two days after a keysigning party where each > of the key owners presented his/her idendity and key-data in person. > Many people find this alone enough to sign keys. E-mail validation is only > be an extra-bonus. > > But I understand that technical security is not about probability but about > (even theoretical) possibility ;-) Exactly :) The stronger everyone is in making their own signatures, the better the web of trust is overall. People who only need weak checks can still use the strong links, but people who need strong links can't use weak checks. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+k5bP4mZch0nhy8kRAvQpAJ0dd1k9h4Hv1saVLET3e0cdc3x19QCgmhXT P5BvDexd9xQy9JdnjhAMbog= =2IC6 -----END PGP SIGNATURE----- From burns@runbox.com Wed Apr 9 07:35:02 2003 From: burns@runbox.com (Burns) Date: Wed Apr 9 06:35:02 2003 Subject: Spam (was: Re: DDOS attack) In-Reply-To: <7FD8F79B-6A2C-11D7-9BBA-003065B1243E@mac.com> Message-ID: <20030409043546.42210.qmail@web10502.mail.yahoo.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Speaking of spam... This article is from a PC point of view, but might be worth reading: Natural-Born Spam Killers Six top utilities promise relief from the junk-mail onslaught. Our tests reveal the best defenders for your in-box. Daniel Tynan - From the May 2003 issue of PC World magazine Posted Wednesday, April 02, 2003 http://www.pcworld.com/reviews/article/0,aid,109698,00.asp Randy - --- Joseph Bruni wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I really hope spammers are unable to reap email addresses from > keyservers. At least not efficiently. > > Joe > > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1-nr1 (Windows Me) - GPGshell v2.70 iD8DBQE+k6L+hNLaTSzsrh8RAjVRAJsH4g6pxqT/hqwCOENIUklRabvgjwCgsBC4 K3NiefMepamG4oriMLfbNxE= =QLIc -----END PGP SIGNATURE----- From avbidder@fortytwo.ch Wed Apr 9 10:10:02 2003 From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder) Date: Wed Apr 9 09:10:02 2003 Subject: BAD signature from Fabian was: Re: OT: Suppressing gpg messages from php exec command? In-Reply-To: <5.1.0.14.2.20030408154303.0241b8b0@localhost> References: <5.2.0.9.0.20030403182846.038cb2a0@mail.nightsource.com> <5.1.0.14.2.20030408154303.0241b8b0@localhost> Message-ID: <200304090911.27585@fortytwo.ch> --Boundary-02=_fe8k+j68FpZ4c8e Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Tuesday 08 April 2003 15:45, Per Tunedal wrote: > Hi, > I got BAD signature from Fabian on this mail. Some extra characters or > what? Per Tunedal Confirmed. Whitespace-at-end-of-line problem, most likely. cheers =2D- vbi =2D-=20 random link of the day: http://fortytwo.ch/sienapei/yeekoong --Boundary-02=_fe8k+j68FpZ4c8e Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iKcEABECAGcFAj6Tx59gGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjMmbWQ1c3VtPTE0Y2E2MTZmMTQ2ODJhODJj YjljYzI1YzliMzRhMTBkAAoJEIukMYvlp/fWGbIAoO282wLjoyLV1Ku6kiQX5IYE KHfLAJ9KI5N5uZ3l6rlodQIpEnjpMiw0OQ== =wEVN -----END PGP SIGNATURE----- Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.3&md5sum=14ca616f14682a82cb9cc25c9b34a10d --Boundary-02=_fe8k+j68FpZ4c8e-- From pt@radvis.nu Wed Apr 9 10:38:01 2003 From: pt@radvis.nu (Per Tunedal) Date: Wed Apr 9 09:38:01 2003 Subject: SPAM Re: DDOS attack In-Reply-To: <7FD8F79B-6A2C-11D7-9BBA-003065B1243E@mac.com> References: <3E934FF5.8080107@netcourrier.com> Message-ID: <5.1.0.14.2.20030409093033.00c4e4a8@localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 18:42 2003-04-08 -0700, you wrote: > >I really hope spammers are unable to reap email addresses from >keyservers. At least not efficiently. > >Joe Bad news Joe, according to a discussion on the WinPT users list it is possible to "harvest" e-mail addresses on a keyserver. Timo Scultz confirmed this, but it has not happend so far as I know. I can only think of one countermeasure: I will not include alla my e-mailaddresses in the userid:s I can anyhow tell people which key to use (and GPGrelay users can let GPGrelay create aliases by the option "learn from POP": if a valid signature is found I get a question if the from address should be a new alias for an e-mail address found in the user-id of the used signing key.) Per Tunedal -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (MingW32) - GPGrelay v0.92 iD8DBQE+k8342Jp9Z++ji2YRAjXGAJ9znkd1CdaC7MPJeg7leTMF6ZCcdgCeMfst lv3PNkXhq4IApqzpyeyhVxM= =8R20 -----END PGP SIGNATURE----- From wk@gnupg.org Wed Apr 9 18:35:02 2003 From: wk@gnupg.org (Werner Koch) Date: Wed Apr 9 17:35:02 2003 Subject: Problem importing S/MIME certificates into GPGSM In-Reply-To: <1049718240.1728.14.camel@amd.vsen.dk> (Klavs Klavsen's message of "07 Apr 2003 14:24:00 +0200") References: <1049718240.1728.14.camel@amd.vsen.dk> Message-ID: <87of3f65pb.fsf@alberti.g10code.de> On 07 Apr 2003 14:24:00 +0200, Klavs Klavsen said: > I'm not subscribed to the list (tried to send email to gnupg-users-subscribe - but that didn't work, I have yet to find info on how to subscribe (I'm probably just blind). See www.gnupg.org or send a message with subject "subscribe" to gnupg-users-request@gnupg.org. > The reason I wanted to try it - is that we in Denmark have gotten a digital certifikate solution that is pkcs12 certifikates. PKCS#12 is merely a transport format for all kind of stuff, usually used for the private key and the certificate. Look out for an option to export a certificate in binary (DER) format. > gpgsm --call-protect-tool --p12-import --store certkey.p12 > I get this output: > gpg-protect-tool: gpg-agent is not available in this session > gpg-protect-tool: error while asking for the passphrase You need to start the agent in the background first: $ eval `gpg-agent --daemon` the the import might work. PCKS#12 support is very basic. Salam-Shalom, Werner -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From jbruni@mac.com Wed Apr 9 19:31:02 2003 From: jbruni@mac.com (Joseph Bruni) Date: Wed Apr 9 18:31:02 2003 Subject: GPG agent for automated processing Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, I would like to solicit advice regarding automating decryption using GPG. Currently, the easiest method I've used is to simply have no pass-phrase on the private key, and just ensure that it is unreadable by any user other than the owner. I've looked at using the - --passphrase-fd option, but that simply transfers the weakness to another place. Instead, I would like to know if anyone uses or would suggest the use of the gpg-agent for automating decryption. Presumably, the passphrase would need to be known only once as the system is started by an operator. Since our system almost never needs to be cycled, I'm thinking this might be a good approach. Any suggestions, comments? Joe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (Darwin) iEYEARECAAYFAj6USu0ACgkQ4rg/mXNDwePu7wCfTJAoiKL3ci1vzXjt4IY4zXPk fxIAoL+mlSqBtfFnh/aHdls+CEhsFkKc =Msuq -----END PGP SIGNATURE----- From phuckauthority@maineindymedia.org Wed Apr 9 21:02:02 2003 From: phuckauthority@maineindymedia.org (Paul Madore) Date: Wed Apr 9 20:02:02 2003 Subject: GPG Message-ID: <3E946057.4030903@maineindymedia.org> Hi Everyone, I'm new to this and the archive is a royal pain in the ass. So heres what I need to know, what do I use it for? How do I use it and what do I do to get it working under XP Pro? Thanks for tolerating me, -The Kid That Everyone Thought Was Crazy http://www.CrimethInc.TK From priyar@infotechfl.com Wed Apr 9 22:05:04 2003 From: priyar@infotechfl.com (Priya Rudradas) Date: Wed Apr 9 21:05:04 2003 Subject: GPG create key in batch mode Message-ID: <4.2.0.58.20030409145745.0176d498@mail.infotechfl.com> Guys, I am new to GPG but was trying to automate certain gpg functions and guess I tripped on something and was wondering if anyone else was aware of this. When the --create-key is called in --batch mode and --homedir is specified to point to the keyring, gpg wipes the key ring and places the new key in there. Does anyone know of this issue? Example: This is my key data Key-Type: DSA Key-Length: 1024 Subkey-Type: ELG-E Subkey-Length: 1024 Name-Real: $KeyName Name-Comment: Generated by BERC %pubring c:/gnupg/pubring.gpg %secring c:/gnupg/secring.gpg Expire-Date: 3000d Passphrase: $PassPhrase This case my key ring is in c:/gnupg/. Any idea. Thanks Priya From avbidder@fortytwo.ch Wed Apr 9 22:26:03 2003 From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder) Date: Wed Apr 9 21:26:03 2003 Subject: GPG In-Reply-To: <3E946057.4030903@maineindymedia.org> References: <3E946057.4030903@maineindymedia.org> Message-ID: <200304092127.21590@fortytwo.ch> --Boundary-02=_ZQHl+76/1tl/VUm Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline [cc:ed off list - I don't know if you read the list. Please don't cc me on= =20 replies] On Wednesday 09 April 2003 20:03, Paul Madore wrote: > Hi Everyone, I'm new to this and the archive is a royal pain in the ass. There's google. > So heres what I need to know, what do I use it for? You can read? Good. You can operate a web browser? Good. You can point your web browser to http://www.gnupg.org and read the=20 documentation. Why did you download a software where you don't know what you can use it fo= r?=20 (Rethorical question, no answer needed). > How do I use it and there's good documentation. You guessed it, it's again on the gnupg website= =20 thingy. > what do I do to get it working under XP Pro? Use the web site. There are, iirc, binaries for windows available. > Thanks for tolerating me, =2D- vbi =2D-=20 NOTE: my email addresses in usenet postings change frequently! --Boundary-02=_ZQHl+76/1tl/VUm Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iKcEABECAGcFAj6UdBlgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjMmbWQ1c3VtPTE0Y2E2MTZmMTQ2ODJhODJj YjljYzI1YzliMzRhMTBkAAoJEIukMYvlp/fWk70An1TQsCRhU4W4HG5UJw4piSbj UJdqAJ4yRfp/2v/weXB0wjCtagb1lt+Lcw== =GlJT -----END PGP SIGNATURE----- Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.3&md5sum=14ca616f14682a82cb9cc25c9b34a10d --Boundary-02=_ZQHl+76/1tl/VUm-- From graham.todd@ntlworld.com Wed Apr 9 22:29:02 2003 From: graham.todd@ntlworld.com (Graham) Date: Wed Apr 9 21:29:02 2003 Subject: GPG In-Reply-To: <3E946057.4030903@maineindymedia.org> References: <3E946057.4030903@maineindymedia.org> Message-ID: <200304092035.05097.graham.todd@ntlworld.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wednesday 09 Apr 2003 7:03 pm, Paul Madore wrote: > Hi Everyone, I'm new to this and the archive is a royal pain in the > ass. > > So heres what I need to know, what do I use it for? How do I use it > and what do I do to get it working under XP Pro? You use GPG for encryption and signing of files and emails, just like=20 PGP. Unlike PGP, GPG is a commandline program (even under Windows) so=20 unless you are used to console commands in Windows, I suggest you get a=20 GUI front end as well. You can use the Windows version of GPG compiled on this site, or go to=20 http://www.nullify.org to get a different version compiled with a=20 different compiler which produces slightly more Windows-friendly code I=20 understand. The two GUI fron ends available in Windows are WinPT and GPGShell (the=20 latter is not OpenSource if that matters to you). You can get a link=20 to WinPT on this site and the nullify.org site has links to both=20 programs. Although being here can help you, as a newbie to GPG, I would suggest=20 you also join the PGP-Basics mailing list (which covers GPG for=20 Windows) where members can download HOWTO documents which are more=20 Windows-centric and also ask some basic questions. You can, of course=20 ask those questions here, as well. PGP-Basics can be found at: http://groups.yahoo.com/group/PGP-Basics And don't forget to READ the documentation and look at the gpg.conf file=20 in particular. Good luck! - --=20 Graham GPG Keys at encryption.keys@ntlworld.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: Please sign and encrypt for internet privacy iD8DBQE+lHXlIwtBZOk1250RAqV7AKDG4TlMN2lEXnMhiQqrvAy1pgg9SwCgmXfT h8xabzdQaBg5cbBUQRpdKIA=3D =3DEv8v -----END PGP SIGNATURE----- From qqhmc5x02@sneakemail.com Wed Apr 9 23:11:02 2003 From: qqhmc5x02@sneakemail.com (Michael) Date: Wed Apr 9 22:11:02 2003 Subject: java (little bit OT) Message-ID: <18791-13667@sneakemail.com> hi everybody! sorry for being a little OT. I'm looking for a java implementation to decrypt gnupg-encrypted files, by submitting the private-key, the passphrase and the encrypted data - without gnupg installed! (so to decrypt data on every platform with a java-vm installed) any hints? thx michi From bminton@efn.org Wed Apr 9 23:39:02 2003 From: bminton@efn.org (Brian Minton) Date: Wed Apr 9 22:39:02 2003 Subject: GPG agent for automated processing In-Reply-To: References: Message-ID: <20030409203733.GA21227@bminton.dyn.cheapnet.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Apr 09, 2003 at 09:31:35AM -0700, Joseph Bruni wrote: > I would like to solicit advice regarding automating decryption > using GPG. Currently, the easiest method I've used is to simply > have no pass-phrase on the private key, and just ensure that it > is unreadable by any user other than the owner. I've looked at > using the - --passphrase-fd option, but that simply transfers > the weakness to another place. > > Instead, I would like to know if anyone uses or would suggest > the use of the gpg-agent for automating decryption. Presumably, > the passphrase would need to be known only once as the system > is started by an operator. Since our system almost never needs > to be cycled, I'm thinking this might be a good approach. you might want to look into quintuple agent. It includes wrappers for gpg and stores passphrases securely. - -- Brian Minton | OpenPGP fingerprint: brian@minton.name | 81BE 3A84 A502 ABDD B2CC http://brian.minton.name | 4BFD 7227 8820 5703 7472 Live long, and prosper longer! KeyID: 0x57037472 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+lISMcieIIFcDdHIRAkkPAJsFVvVlZdXfCjM+IOU8zjCfVQXBUgCdE0ww NqI5ymJbAT6lzIBRit2CYZ0= =7UXc -----END PGP SIGNATURE----- From vedaal@hush.com Thu Apr 10 00:29:01 2003 From: vedaal@hush.com (vedaal@hush.com) Date: Wed Apr 9 23:29:01 2003 Subject: armored files Message-ID: <200304092128.h39LSqCn007638@mailserver2.hushmail.com> when gnupg armors a file using the '--enarmor' command, (gpg --enarmor filename) the output for the .asc file is always the same, no matter how many times the command is repeated {as expected, as there is no hashing} this is also so from command line pgp,(pgp -a filename) both in 2.x and 6.x but, when the '-a --store' command is used in gnupg, (gpg -a --store filename) the output is 'different' each time, resulting in a different armored block for the .asc file what is different about the '--store' command, and what is actually being 'changed' each time? tia, vedaal Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Big $$$ to be made with the HushMail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427 From ingo.kloecker@epost.de Thu Apr 10 01:13:02 2003 From: ingo.kloecker@epost.de (Ingo =?iso-8859-1?q?Kl=F6cker?=) Date: Thu Apr 10 00:13:02 2003 Subject: GPG agent for automated processing In-Reply-To: References: Message-ID: <200304092321.44255@erwin.ingo-kloecker.de> --Boundary-02=_o7Il+G/mXd8wZzR Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Wednesday 09 April 2003 18:31, Joseph Bruni wrote: > Instead, I would like to know if anyone uses or would suggest the use > of the gpg-agent for automating decryption. Presumably, the > passphrase would need to be known only once as the system is started > by an operator. Since our system almost never needs to be cycled, I'm > thinking this might be a good approach. > > Any suggestions, comments? Well, gpg-agent caches the passphrase for a defined amount of time. I'm=20 not sure if it's possible to cache the passphrase forever. But you=20 could try to start it with an extraordinary high value after the=20 =2D-default-cache-ttl option. The ttl is given in seconds. ttl is an=20 unsigned long. So unless your system is restarted less often then at=20 least once every 2^32 seconds then gpg-agent should suit your needs. Regards, Ingo --Boundary-02=_o7Il+G/mXd8wZzR Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+lI7oGnR+RTDgudgRAqufAJ9arqR8rIu7sQ7cgfxobmaCbQQXaQCfWMyz 92HincaVdtOC5xOznXE8DGo= =X63/ -----END PGP SIGNATURE----- --Boundary-02=_o7Il+G/mXd8wZzR-- From Fabian.Rodriguez@Toxik.com Thu Apr 10 01:17:02 2003 From: Fabian.Rodriguez@Toxik.com (Toxik - Fabian Rodriguez) Date: Thu Apr 10 00:17:02 2003 Subject: GPG In-Reply-To: <3E946057.4030903@maineindymedia.org> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Paul, >Hi Everyone, I'm new to this and the archive is a royal pain in the ass. What archive are you using ? THere are two, and the one at marc.theaimsgroup.com has a search engine: http://marc.theaimsgroup.com/?l=3Dgnupg-users&w=3D2 >So heres what I need to know, what do I use it for? I believe this was answered in another reply. > How do I use it and > what do I do to get it working under XP Pro? If you are looking for just GnuPG binaries (command line, no graphical interface), you can get them at gnupg.org. Otherwise I'd invite you to take a look at WinPT (see www.winpt.org or winpt.sf.net). WinPT uses GnuPG and provides a graphical interface to it. We have recently re-organized the whole project and lots of improvements have been done to the documentation and web site - an to the applicationS :) Regards, Fabi=E1n Rodr=EDguez - Toxik Technologies, Inc. www.toxik.com - (514) 528-6945 @221 OpenPGP: 0x5AF2A4D5 -----BEGIN PGP SIGNATURE----- iD8DBQE+lJvRfUcTXFrypNURAjxEAJ9taUeuYGutTInQ9h9NqMoCRLHAZwCghaby v0Xb/rvo9xjYmUV5lU4rPc0=3D =3DCc8i -----END PGP SIGNATURE----- From jbruni@mac.com Thu Apr 10 02:09:01 2003 From: jbruni@mac.com (Joseph Bruni) Date: Thu Apr 10 01:09:01 2003 Subject: GPG agent for automated processing In-Reply-To: <200304092321.44255@erwin.ingo-kloecker.de> Message-ID: <62E5CA45-6AE0-11D7-AFE7-003065B1243E@mac.com> Here's a dumb question: Where can I find gpg-agent, anyway? I've been=20 searching the GnuPG.org web-site and FTP server and can't seem to find=20= it. I've done google searches and only turned up discussions about it. Another question: Does gpg-agent cache the pass-phrase, or does it=20 cache the (unencrypted) private key the way ssh-agent does? Not that it=20= would make any operational difference -- I'm just curious. On Wednesday, April 9, 2003, at 02:21 PM, Ingo Kl=F6cker wrote: > Well, gpg-agent caches the passphrase for a defined amount of time. = I'm > not sure if it's possible to cache the passphrase forever. But you > could try to start it with an extraordinary high value after the > --default-cache-ttl option. The ttl is given in seconds. ttl is an > unsigned long. So unless your system is restarted less often then at > least once every 2^32 seconds then gpg-agent should suit your needs. > > Regards, > Ingo From wk@gnupg.org Thu Apr 10 13:15:02 2003 From: wk@gnupg.org (Werner Koch) Date: Thu Apr 10 12:15:02 2003 Subject: GPG agent for automated processing In-Reply-To: <62E5CA45-6AE0-11D7-AFE7-003065B1243E@mac.com> (Joseph Bruni's message of "Wed, 9 Apr 2003 16:09:59 -0700") References: <62E5CA45-6AE0-11D7-AFE7-003065B1243E@mac.com> Message-ID: <87el4a4pv4.fsf@alberti.g10code.de> On Wed, 9 Apr 2003 16:09:59 -0700, Joseph Bruni said: > Here's a dumb question: Where can I find gpg-agent, anyway? I've been > searching the GnuPG.org web-site and FTP server and can't seem to find > it. I've done google searches and only turned up discussions about it. You need to get the lates newpg package from ftp://ftp.gnupg.org/gcrypt/alpha/aegypten/ as well as the latest libgcrypt from ftp://ftp.gnupg.org/gcrypt/alpha/libgcrypt and the pinentry package ftp://ftp.gnupg.org/gcrypt/pinentry/ That should be sufficient to build the gpg-agent, gpgsm won't be build if you don't have libksba installed. I am working on a GnuPG 1.9 which will include gpg, gpgsm and gpg-agent in one package. > Another question: Does gpg-agent cache the pass-phrase, or does it > cache the (unencrypted) private key the way ssh-agent does? Not that > it would make any operational difference -- I'm just curious. When used with current gpg versions, gpg-agent does only cache the passphrase. The plan is to modify gpg to divert all secret key operations to the gpg-agent. This has already been done for gpgsm (the S/MIME cousin of gpg). Whether the use of gpg-agent to cache the passphrase on an unattended system is questionable. The only advantage I can see is that the passphrase is stored in ram and not in the file system; a ram disk might be configured for the same effect. BTW, the design of gpg-agent would allow to enhance it to run on another machine. Salam-Shalom, Werner -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From wk@gnupg.org Thu Apr 10 13:20:02 2003 From: wk@gnupg.org (Werner Koch) Date: Thu Apr 10 12:20:02 2003 Subject: armored files In-Reply-To: <200304092128.h39LSqCn007638@mailserver2.hushmail.com> ('s message of "Wed, 9 Apr 2003 14:28:51 -0700") References: <200304092128.h39LSqCn007638@mailserver2.hushmail.com> Message-ID: <87brze4prr.fsf@alberti.g10code.de> On Wed, 9 Apr 2003 14:28:51 -0700, said: > what is different about the '--store' command, and what is actually being > 'changed' each time? Store uses the OpenPGP Literal data packet to encapsulate the data. That format for this packet includes a time stamp ... -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From pt@radvis.nu Thu Apr 10 15:56:01 2003 From: pt@radvis.nu (Per Tunedal) Date: Thu Apr 10 14:56:01 2003 Subject: GPG In-Reply-To: <3E946057.4030903@maineindymedia.org> Message-ID: <5.1.0.14.2.20030410144348.02531038@localhost> Hi, You need a front-end and I suggest you take a look att GPGrelay: It does automatic signing and encryption. And automatically verifies signed mail and decrypts encrypted mail. http://sites.inka.de/tesla/gpgrelay.html You have to do the setup correct to get it working: it's a relay i.e. you have to pass the mail through the program. And you have to create groups of e-mailaddresses/keys with different signing/encryption policies. You may do some key management, key generation, signing and encryption etc with GPGrelay as well. When the setup is done anyone can use it. And it's quite stable nowdays ... v.0.92 And comes with an installer. Join the GPGrelay-users list: http://lists.sourceforge.net/lists/listinfo/gpgrelay-talk Per Tunedal At 14:03 2003-04-09 -0400, you wrote: >Hi Everyone, I'm new to this and the archive is a royal pain in the ass. > >So heres what I need to know, what do I use it for? How do I use it and >what do I do to get it working under XP Pro? > >Thanks for tolerating me, >-The Kid That Everyone Thought Was Crazy From dlc@users.sourceforge.net Thu Apr 10 16:08:02 2003 From: dlc@users.sourceforge.net (darren chamberlain) Date: Thu Apr 10 15:08:02 2003 Subject: GPG agent for automated processing In-Reply-To: <87el4a4pv4.fsf@alberti.g10code.de> References: <62E5CA45-6AE0-11D7-AFE7-003065B1243E@mac.com> <87el4a4pv4.fsf@alberti.g10code.de> Message-ID: <20030410-94ef1fc600846a8284e90cf4a0ccd13c@mail.boston.com> --y0ulUmNC+osPPQO6 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable * Werner Koch [2003-04-10 06:49]: > [...]The only advantage I can see is that the passphrase is stored in > ram and not in the file system[...] =2E..until it gets swapped out, of course. (darren) --=20 When correctly viewed, everything is lewd. -- Tom Lehrer --y0ulUmNC+osPPQO6 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (SunOS) iD8DBQE+lWxgzsinjrVhZaoRAl6YAJ9t0N0U3sopL1sVlFhsreE2SXfMogCeLUKC tbtkS9hR5NwWp8pQ3P9xXAg= =n7QK -----END PGP SIGNATURE----- --y0ulUmNC+osPPQO6-- From eroosenmaallen@cogeco.ca Thu Apr 10 16:26:02 2003 From: eroosenmaallen@cogeco.ca (Eddie Roosenmaallen) Date: Thu Apr 10 15:26:02 2003 Subject: GPG In-Reply-To: <5.1.0.14.2.20030410144348.02531038@localhost> References: <5.1.0.14.2.20030410144348.02531038@localhost> Message-ID: <3E95710C.40908@cogeco.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, Another alternative for an easy-to-use mail frontend is Mozilla with Enigmail. It's pretty painless to set up, and it does signing, encrypting, key pair generation, etc. right from the menus in Moz mail. Site is http://enigmail.mozdev.org/ if you want to take a look. Peace, Eddie Roosenmaallen Per Tunedal wrote: > Hi, > You need a front-end and I suggest you take a look att GPGrelay: It does > automatic signing and encryption. And automatically verifies signed mail > and decrypts encrypted mail. > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+lXELtGGqbMwazQURAjuPAKDBeaSe5pdJYKFbogv+fS19GncUawCgrqC0 A6sP/CN3s1dXGmBtiHrnKi8= =8D7Z -----END PGP SIGNATURE----- From Fabian.Rodriguez@Toxik.com Thu Apr 10 19:27:02 2003 From: Fabian.Rodriguez@Toxik.com (Toxik - Fabian Rodriguez) Date: Thu Apr 10 18:27:02 2003 Subject: GPG In-Reply-To: <5.1.0.14.2.20030410144348.02531038@localhost> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Paul, all, An important clarification: GPGRelay and Enigmail are email tools, but WinPT is for general use with all types of content: email, files, clipboard, etc. It may help us suggest the appropriate tools if you tell us what will be your primary use of GnuPG. Regards, Fabi=E1n Rodr=EDguez - Toxik Technologies, Inc. www.toxik.com - (514) 528-6945 @221 OpenPGP: 0x5AF2A4D5 >-----Original Message----- >From: gnupg-users-admin@gnupg.org [mailto:gnupg-users-admin@gnupg.org]On >Behalf Of Per Tunedal >Sent: Thursday, April 10, 2003 8:56 AM >To: gnupg-users@gnupg.org >Cc: Paul Madore >Subject: Re: GPG > > >Hi, >You need a front-end and I suggest you take a look att GPGrelay: It does >automatic signing and encryption. And automatically verifies signed mail >and decrypts encrypted mail. > >http://sites.inka.de/tesla/gpgrelay.html [...] -----BEGIN PGP SIGNATURE----- Comment: Using WinPT.org - Windows Privacy Tools iD8DBQE+lZtufUcTXFrypNURAtAnAKDrVgE0f/BYSNOKil0AopvfhvgItACfdUrx Fj80JyTS3K2piXEEB9JLRU8=3D =3DVwrm -----END PGP SIGNATURE----- From dgc@uchicago.edu Thu Apr 10 20:04:02 2003 From: dgc@uchicago.edu (David Champion) Date: Thu Apr 10 19:04:02 2003 Subject: GPG agent for automated processing In-Reply-To: <87el4a4pv4.fsf@alberti.g10code.de> References: <62E5CA45-6AE0-11D7-AFE7-003065B1243E@mac.com> <87el4a4pv4.fsf@alberti.g10code.de> Message-ID: <20030410170513.GB4496@dust.uchicago.edu> * On 2003.04.10, in <87el4a4pv4.fsf@alberti.g10code.de>, * "Werner Koch" wrote: > > When used with current gpg versions, gpg-agent does only cache the > passphrase. The plan is to modify gpg to divert all secret key > operations to the gpg-agent. This has already been done for gpgsm I'm not too familiar with gpg-agent. Does this mean that in the future, we'll have to use a long-running gpg-agent process to use OpenPGP with GnuPG? Or will some front-end be able to start whatever is required instantially, then close it off when it's done? -- -D. dgc@uchicago.edu NSIT University of Chicago "The whole thrust of the text adventure was one picture was worth a thousand words and we would rather give you the thousand words." - Dave Lebling, Implementor From jbloss@alltel.net Thu Apr 10 23:07:02 2003 From: jbloss@alltel.net (jbloss@alltel.net) Date: Thu Apr 10 22:07:02 2003 Subject: GPG In-Reply-To: References: <5.1.0.14.2.20030410144348.02531038@localhost> Message-ID: <3E959694.15448.EFDFCF@localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10 Apr 2003 at 12:27, Toxik - Fabian Rodriguez wrote: > An important clarification: GPGRelay and Enigmail are email tools, > but WinPT is for general use with all types of content: email, files, > clipboard, etc. Just curious, but I've scanned this list for a while now, and haven't seen much mention of GPGShell. I realize it's not open source, but I feel that it's more "powerful" and PGP-like. Am I missing something? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (MingW32) iD8DBQE+lc7VM2E0hebvkdERAvfWAKDU4QTwZk9NgsTQHPdJDgfEsKL/6ACfekiK yfQdwi/qxBf1FDXrqz7tDwk= =mGip -----END PGP SIGNATURE----- From floeff@arcor.de Thu Apr 10 23:24:02 2003 From: floeff@arcor.de (Florian Effenberger) Date: Thu Apr 10 22:24:02 2003 Subject: delete ID Message-ID: <000701c2ff9f$3fee25d0$0500a8c0@effenberger> Hi, I have a GnuPG key with three different user IDs. I wanted to delete two of them, so I deleted the self-signing and eventually the ID and submitted that to the keyserver (pgp.mit.edu). When creating a new GnuPG keyring on another computer and fetching my key, I see the correct uid. However, using the web interface of pgp.mit.edu all three uids are still shown? How can that happen? Thanks, Florian From dshaw@jabberwocky.com Thu Apr 10 23:35:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Thu Apr 10 22:35:02 2003 Subject: Import a pubkey sans self-sig? In-Reply-To: <200304081611.00548.yenot@sec.to> References: <20030407195903.GA21667@uriel.eclipsed.net> <20030407211421.GA22190@jabberwocky.com> <200304081611.00548.yenot@sec.to> Message-ID: <20030410203525.GC3086@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, Apr 08, 2003 at 04:10:49PM +0400, Yenot wrote: > On Tuesday 08 April 2003 01:14 am, David Shaw wrote: > > On Mon, Apr 07, 2003 at 03:59:03PM -0400, gabriel rosenkoetter wrote: > > > I'd like to encipher things to keyid 75E4988D (seems to be on > > > wwwkeys.pgp.net)... but GnuPG simply refuses to import it because > > > it's lacking a self-signature. > > > > > > pgp 6.5.2 (yeah, I know, but this is a long-standing production > > > process at work that I'm trying to update) has no trouble with this > > > key. > > > > > > --expert doesn't help and we don't have a --force... > > > > --allow-non-selfsigned-uid > > I was shocked that non-self-signed UID's were allowed at all. > The only reason I can think of for such a UID, would be to > annotate a local key that you don't own. (Just as local > signatures are used for localized key annotation.) It's historical. Early versions of PGP (2.x) did not automatically self-sign user IDs. RFC-2440 maintains that in not requiring a self-signature. Note that GnuPG will import and export non-self-signed user IDs, but will never actually use a key with no self-signed user IDs unless: 1) If --allow-non-selfsigned-uid is set. 2) If a user ID is signed (or lsigned) by an ultimately trusted key. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+ldWN4mZch0nhy8kRAlACAJsGUYMPWlry1uJKaRQs8Jvd0++SuACg1Nba 4MDazUPWMJccTDNkfxHyYEU= =dn6S -----END PGP SIGNATURE----- From bminton@efn.org Fri Apr 11 03:46:02 2003 From: bminton@efn.org (Brian Minton) Date: Fri Apr 11 02:46:02 2003 Subject: delete ID In-Reply-To: <000701c2ff9f$3fee25d0$0500a8c0@effenberger> References: <000701c2ff9f$3fee25d0$0500a8c0@effenberger> Message-ID: <20030411004547.GA18525@bminton.dyn.cheapnet.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, Apr 10, 2003 at 10:24:53PM +0200, Florian Effenberger wrote: > Hi, > > I have a GnuPG key with three different user IDs. I wanted to > delete two of them, so I deleted the self-signing and > eventually the ID and submitted that to the keyserver > (pgp.mit.edu). > > When creating a new GnuPG keyring on another computer and > fetching my key, I see the correct uid. However, using the web > interface of pgp.mit.edu all three uids are still shown? How > can that happen? > Florian, You can't just delete them, because the keyservers (almost) never delete anything, only add. What you need to do is revoke them, and gpg won't show them. To revoke the id, first edit the key: gpg --edit 0x12345678 (of course, use your own key id) Then select the id you wish to revoke. A * will show the userid currently being edited. Then, revoke your selfsig on that id: revsig gpg will ask if you are sure, etc. You may repeat this process for every userid you wish to revoke. Finally, save the key: save N.B. I am not sure if the RFC explicitly defines revoking userids, but certainly revoking the selfsig on a particular user achieves the same effect. - -- Brian Minton | OpenPGP fingerprint: brian@minton.name | 81BE 3A84 A502 ABDD B2CC http://brian.minton.name | 4BFD 7227 8820 5703 7472 Live long, and prosper longer! KeyID: 0x57037472 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+lhA6cieIIFcDdHIRAjQIAJ9qc63KPAL/dkSBENjiWcMG0bCC7wCfYYwQ Ce2vAWEBVmhDsVs4N4z0nNM= =aMZT -----END PGP SIGNATURE----- From avbidder@fortytwo.ch Fri Apr 11 11:43:02 2003 From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder) Date: Fri Apr 11 10:43:02 2003 Subject: delete ID In-Reply-To: <20030411004547.GA18525@bminton.dyn.cheapnet.net> References: <000701c2ff9f$3fee25d0$0500a8c0@effenberger> <20030411004547.GA18525@bminton.dyn.cheapnet.net> Message-ID: <200304111044.10132@fortytwo.ch> --Boundary-02=_aBol+KUq6RVpOyz Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Friday 11 April 2003 02:45, Brian Minton wrote: > N.B. I am not sure if the RFC explicitly defines revoking > userids, but certainly revoking the selfsig on a particular user > achieves the same effect. Revoking the binding signature (selfsig) on a userid is exactly the right w= ay.=20 gpg will take care of chosing the right signature class (userid revocation= =20 signature). cheers =2D- vbi =2D-=20 What's so funny? --Boundary-02=_aBol+KUq6RVpOyz Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iKcEABECAGcFAj6WgFpgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjMmbWQ1c3VtPTE0Y2E2MTZmMTQ2ODJhODJj YjljYzI1YzliMzRhMTBkAAoJEIukMYvlp/fWiKcAn3D6EB+QjR2dAC7242fQUTIV yJDOAKC/EUK6x6fSxG0omnxmK8iJKyqsUw== =uipd -----END PGP SIGNATURE----- Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.3&md5sum=14ca616f14682a82cb9cc25c9b34a10d --Boundary-02=_aBol+KUq6RVpOyz-- From pt@radvis.nu Fri Apr 11 11:46:02 2003 From: pt@radvis.nu (Per Tunedal) Date: Fri Apr 11 10:46:02 2003 Subject: GPG In-Reply-To: <3E95710C.40908@cogeco.ca> References: <5.1.0.14.2.20030410144348.02531038@localhost> <5.1.0.14.2.20030410144348.02531038@localhost> Message-ID: <5.1.0.14.2.20030411103349.02538848@localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I haven' tried the new Mozilla yet but my son likes it. Enigmail works OK he says. I will probably try it soon because of other nice features in Mozilla like easy editing of textfields on web sites. Might be useful if several persons maintain a site - e.g. the GnuPG site? Per Tunedal At 09:26 2003-04-10 -0400, you wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >Hi, > >Another alternative for an easy-to-use mail frontend is Mozilla with >Enigmail. It's pretty painless to set up, and it does signing, encrypting, >key pair generation, etc. right from the menus in Moz mail. > >Site is http://enigmail.mozdev.org/ if you want to take a look. > >Peace, > Eddie Roosenmaallen > >Per Tunedal wrote: > >> Hi, >> You need a front-end and I suggest you take a look att GPGrelay: It does >> automatic signing and encryption. And automatically verifies signed mail >> and decrypts encrypted mail. >> > >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.2.1 (MingW32) >Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > >iD8DBQE+lXELtGGqbMwazQURAjuPAKDBeaSe5pdJYKFbogv+fS19GncUawCgrqC0 >A6sP/CN3s1dXGmBtiHrnKi8= >=8D7Z >-----END PGP SIGNATURE----- > > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (MingW32) - GPGrelay v0.92 iD8DBQE+loD02Jp9Z++ji2YRAvEJAKCjlpZU4fBYFxn1cD78tseBwafZZQCcDXia RFmMjaWlBYpsT0uaFPpyoiM= =kFDX -----END PGP SIGNATURE----- From pt@radvis.nu Fri Apr 11 11:46:25 2003 From: pt@radvis.nu (Per Tunedal) Date: Fri Apr 11 10:46:25 2003 Subject: GPG In-Reply-To: <3E959694.15448.EFDFCF@localhost> References: <5.1.0.14.2.20030410144348.02531038@localhost> Message-ID: <5.1.0.14.2.20030411104049.025c51a8@localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, Well OPENSOURCE is extremely important to encryption software. The source must be available for review, otherwise you don't know if the software is secure. PGP is not opensorce but the source is available for "peer review" and is thus judged as secure. GPGShell has been more mature than WinPT for a long while and it's extremely similar to PGP and thus easy to use. But I will never use it as the source isn't available. Per Tunedal At 16:06 2003-04-10 -0400, you wrote: > >On 10 Apr 2003 at 12:27, Toxik - Fabian Rodriguez wrote: > >> An important clarification: GPGRelay and Enigmail are email tools, >> but WinPT is for general use with all types of content: email, files, >> clipboard, etc. > >Just curious, but I've scanned this list for a while now, and haven't >seen much mention of GPGShell. I realize it's not open source, but I >feel that it's more "powerful" and PGP-like. > >Am I missing something? > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (MingW32) - GPGrelay v0.92 iD8DBQE+loD12Jp9Z++ji2YRAoaCAJ4pLQXC0BKUVUensp5L4skJEuQN/wCcCbD/ dIAZ9pVfKQuCVl0gYgFm5n0= =CCIw -----END PGP SIGNATURE----- From floeff@arcor.de Fri Apr 11 11:49:01 2003 From: floeff@arcor.de (Florian Effenberger) Date: Fri Apr 11 10:49:01 2003 Subject: delete ID References: <000701c2ff9f$3fee25d0$0500a8c0@effenberger> <20030411004547.GA18525@bminton.dyn.cheapnet.net> Message-ID: <000501c30007$53555c20$0500a8c0@effenberger> Hi Brian, thanks a lot! Could you please do me a favor and check what your GnuPG tells you when you query for 'floeff@web.de' (the old address)? I guess I revsig'd it, and I want to check that from another PC. Thanks! Florian From Holger.Sesterhenn@aachen.utimaco.de Fri Apr 11 13:16:02 2003 From: Holger.Sesterhenn@aachen.utimaco.de (Holger Sesterhenn) Date: Fri Apr 11 12:16:02 2003 Subject: GPG create key in batch mode References: <4.2.0.58.20030409145745.0176d498@mail.infotechfl.com> Message-ID: <3E969474.1030706@aachen.utimaco.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, Priya Rudradas wrote: | I am new to GPG but was trying to automate certain gpg functions and | guess I tripped on something and was wondering if anyone else was aware | of this. When the --create-key is called in --batch mode and --homedir | is specified to point to the keyring, gpg wipes the key ring and places | the new key in there. Does anyone know of this issue? | Example: This is my key data Yes, you have to store the auto-generated keys in different files and then import them to the main keyrings. A few weeks ago I have posted a bash script for this purpose. Just search the list archive. HTH. Best Regards, Holger Sesterhenn - --- Internet http://www.utimaco.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+lpRu/L73KYxXRxARAlh+AKCXx4eHkVWfxeF+ceUcbN+WPDe10ACgwirb cakECuSlfhGySl2q/X4eO3g= =6FrT -----END PGP SIGNATURE----- From pt@radvis.nu Fri Apr 11 15:46:01 2003 From: pt@radvis.nu (Per Tunedal) Date: Fri Apr 11 14:46:01 2003 Subject: GPGrelay "hangs" when fetching mail Message-ID: <5.1.0.14.2.20030411144253.025ffe40@mail4.it-norr.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, GPGrelay "hangs" occasionally when fetching mail. It might have something to do with the option --outo-key-retreive ? What about a time-out for the keysearching? Is this a GPGrelay or a GPG issue? Per Tunedal -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (MingW32) - GPGrelay v0.92 iD8DBQE+lrkv2Jp9Z++ji2YRAksoAJ4kd//s8A0m7jMFj69fE7njkDsXKACgzf3t UwkfHB6IvDHjWLh/oRb98L0= =9NdR -----END PGP SIGNATURE----- From bminton@efn.org Fri Apr 11 16:11:03 2003 From: bminton@efn.org (Brian Minton) Date: Fri Apr 11 15:11:03 2003 Subject: delete ID In-Reply-To: <000501c30007$53555c20$0500a8c0@effenberger> References: <000701c2ff9f$3fee25d0$0500a8c0@effenberger> <20030411004547.GA18525@bminton.dyn.cheapnet.net> <000501c30007$53555c20$0500a8c0@effenberger> Message-ID: <20030411131025.GA29620@bminton.dyn.cheapnet.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, Apr 11, 2003 at 10:49:52AM +0200, Florian Effenberger wrote: > Hi Brian, > > thanks a lot! Could you please do me a favor and check what your GnuPG tells > you when you query for 'floeff@web.de' (the old address)? I guess I revsig'd > it, and I want to check that from another PC. gpg --list-public 74B3BD9B pub 1024D/74B3BD9B 2002-08-29 Florian Effenberger sub 2048g/C0EC65D8 2002-08-29 gpg --list-public floeff@web.de gpg: error reading key: public key not found - -- Brian Minton | OpenPGP fingerprint: brian@minton.name | 81BE 3A84 A502 ABDD B2CC http://brian.minton.name | 4BFD 7227 8820 5703 7472 Live long, and prosper longer! KeyID: 0x57037472 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+lr6/cieIIFcDdHIRAhdGAJ9hrS8pU3OYOFW1FnN3R/kfOy/vuQCgoats 46dhlrW37Qie34v1STX72GQ= =l1FZ -----END PGP SIGNATURE----- From eroosenmaallen@cogeco.ca Fri Apr 11 17:28:02 2003 From: eroosenmaallen@cogeco.ca (Eddie Roosenmaallen) Date: Fri Apr 11 16:28:02 2003 Subject: Compiling GnuPG on Windows Message-ID: <3E96D0B5.5090608@cogeco.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi all, This message may be better suited for the dev mailing list, but maybe someone here can help me. I'm trying to compile GnuPG on my windows box, just to see how it works (since I'm stuck with Windows, I may as well learn to hack in it). I've downloaded the GnuPG source from CVS (STABLE-BRANCH-1-2). I'm using MinGW 2.4 and MSYS 1.0.8. My Perl environment is ActiveState Perl 5.6.1. When I try to make GnuPG, it reports a line of errors - I need automake, autoconf and gettext. So, I downloaded them (automake-1.7, autoconf-2.57, and gettext-0.11.5). Trying to build automake, ./config and make both run OK, but make test fails most of the tests. Some of them mention autoconf, so I tried to build that first. Trying to build autoconf, ./config works, but make fails on general.pm. First I got an error along the lines of "uninitialised scalar in chomp on line 331", so I put a test around the chomp line to ensure the $tmp variable is initialised. Now I'm getting "WIFEXITED is not a valid POSIX macto at [bla bla bla] line 482". "perldoc POSIX" does list WIFEXITED as a macro in the POSIX module, and it is mentioned in C:\perl\lib\POSIX.pm... This is where I get lost - is there a safe and sane way to fix this or work around it? Thanks (and if this is better for the dev list, please let me know), Eddie Roosenmaallen -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+ltC0tGGqbMwazQURAla1AKC9czL8QttEgmAGfBkcRCjQI9PNfgCg0Pm1 lIv/ho/kgIV+A6k3VIRXWG8= =YLex -----END PGP SIGNATURE----- From mike.campbell@oracle.com Fri Apr 11 20:23:03 2003 From: mike.campbell@oracle.com (Mike Campbell) Date: Fri Apr 11 19:23:03 2003 Subject: Using GPG as a certificate autority Message-ID: <3E96F484.2070606@oracle.com> This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigEEAE93AA8738382EDDD0E509 Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: 7bit Just thinking out loud here.

Is it possible to use GPG as a certificate authority?

For example use Oracle's wallet manager to generate a certificate request can I then somehow use GPG to generate a user certificate and root certificate that can then be imported back into Oracle's wallet manager?

I don't readily see a way to do this but I'm not an expert.
--

___________________________________________________________________
Mike Campbell
Technical Specialist       Phone: 407.458.5688
Oracle Corporation         Email: Mike.Campbell@oracle.com

GPG Fingerprint 6C34 6C22 4760 A01F 7C83 11CE C117 CDF1 8241 7C64
--------------enigEEAE93AA8738382EDDD0E509 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (MingW32) Comment: http://webpages.charter.net/mcampbell17/publickey.asc iD8DBQE+lvSEwRfN8YJBfGQRAo3cAJ9nUn4Y7fgP3noV8SLvqxDtIRuMlwCfRf7I 6eo8fXhfqU6egGOfS4XEXrU= =FgRl -----END PGP SIGNATURE----- --------------enigEEAE93AA8738382EDDD0E509-- From DenisMcCauley@ifrance.com Fri Apr 11 21:22:03 2003 From: DenisMcCauley@ifrance.com (Denis McCauley) Date: Fri Apr 11 20:22:03 2003 Subject: GPG In-Reply-To: <5.1.0.14.2.20030411103349.02538848@localhost> References: <5.1.0.14.2.20030410144348.02531038@localhost> <5.1.0.14.2.20030410144348.02531038@localhost> <5.1.0.14.2.20030411103349.02538848@localhost> Message-ID: <3E97073C.8010900@ifrance.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > > Eddie Roosenmaallen wrote > Another alternative for an easy-to-use mail frontend is Mozilla with > Enigmail. It's pretty painless to set up, and it does signing, encrypting, > key pair generation, etc. right from the menus in Moz mail. > > Very easy to use but I see a problem with encrypting or signing mails with Enigmail because this is done on sending, which means private keys (and passphrase if cached) might be exposed when you go online. An option to encrypt/sign and queue would solve this problem though. Cheers DM -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1-nr1 (Windows 2000) - GPGshell v2.70 Comment: Key ID: 0x8353641A Comment: 1374 43A0 8F8D DB46 D752 0202 2514 2492 8353 641A iQEVAwUBPpcHCCUUJJKDU2QaAQK1IAgAlPsnqJlhhtMoS1VYtkZMwPtJvdDhlqfr Z11IPaZcYJ8gIU5OwChaE7jyvrxZ8mchVhn8tTdD5SVScgbuooklfCwJdPMZIisF UpFIQplIIT+Lo68psivCQX7IdE8snKSBALidqAb4Ku/tY2zvO7NXdnb31k5hazFX S1GS2n4LW5gfft+9qSGRuUDfCq2Uy09V4pPf9wyzpMd1oN+IEApdVkmGOi5qgfTx 3Usx/L4+Z0mpp6LGq+508/SQ66yHV/GBTZfjIPzOUUXqqKeQb8BRblH3mc+RRB0g iIAN648AtEPSQZNPhediqFIoWPVndfsS9GAMXjlH/KM62qT5POSUfg== =BB4/ -----END PGP SIGNATURE----- From linux@codehelp.co.uk Fri Apr 11 23:21:03 2003 From: linux@codehelp.co.uk (Neil Williams) Date: Fri Apr 11 22:21:03 2003 Subject: GPGrelay "hangs" when fetching mail In-Reply-To: <5.1.0.14.2.20030411144253.025ffe40@mail4.it-norr.com> References: <5.1.0.14.2.20030411144253.025ffe40@mail4.it-norr.com> Message-ID: <200304112122.41087.linux@codehelp.co.uk> --Boundary-02=_RQyl+9cqP1OYsDn Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Description: signed data Content-Disposition: inline On Friday 11 April 2003 1:45 pm, Per Tunedal wrote: > Hi, > GPGrelay "hangs" occasionally when fetching mail. It might have something > to do with the option --outo-key-retreive ? What about a time-out for the > keysearching? Is this a GPGrelay or a GPG issue? Keyserver issue. I had enormous problems with this until I changed GnuPG to use broken-http-proxy emulation. Now KMail does delay while retrieving new keys but if a key is not found, it doesn't wait overly long - the keyserver comes back with an error code the gnupg can understand and it simply tells KMail to continue without verifying the sig. I get a yellow alert that the public key cannot be found and the message cannot be verified. I often email the person concerned off-list to ask where they have a copy of their public key so that I can import it. The next time I view the message, it verifies as expected. Most keyservers I've used already have a timeout suitable for auto-key-retrieve and if you are getting v.v.long delays, like me, investigate your firewall and your HKP connection. Depending if you are still using an old gnupg it would be keyserver x-broken-hkp://keyserver.linux.it in ~/.gnupg/options or with a newer installation that will raise a warning to change to: keyserver-options broken-http-proxy in ~/.gnupg/gpg.conf -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk http://www.wewantbroadband.co.uk/ --Boundary-02=_RQyl+9cqP1OYsDn Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+lyQRiAEJSii8s+MRAi+gAKDc4kygU3YeJLP+ZcrJ9HXtnmFUOQCcC4Nn GwxfRglbMOT0tg/aCtlzQDM= =Rdc+ -----END PGP SIGNATURE----- --Boundary-02=_RQyl+9cqP1OYsDn-- From linux@codehelp.co.uk Fri Apr 11 23:23:02 2003 From: linux@codehelp.co.uk (Neil Williams) Date: Fri Apr 11 22:23:02 2003 Subject: GPG In-Reply-To: <3E97073C.8010900@ifrance.com> References: <5.1.0.14.2.20030410144348.02531038@localhost> <5.1.0.14.2.20030411103349.02538848@localhost> <3E97073C.8010900@ifrance.com> Message-ID: <200304112123.48845.linux@codehelp.co.uk> --Boundary-02=_URyl+MPOSSE4MAX Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Description: signed data Content-Disposition: inline On Friday 11 April 2003 7:19 pm, Denis McCauley wrote: > > Eddie Roosenmaallen wrote > > Another alternative for an easy-to-use mail frontend is Mozilla with > > Enigmail. It's pretty painless to set up, and it does signing, > > encrypting, > > key pair generation, etc. right from the menus in Moz mail. > > Very easy to use but I see a problem with encrypting or signing mails > with Enigmail because this is done on sending, which means private > keys (and passphrase if cached) might be exposed when you go online. > An option to encrypt/sign and queue would solve this problem though. But Mozilla can do that, like most email clients you can send now or send later. It's a simple configuration option. # To send messages in your Unsent Messages folder before going offline, check "Send Unsent Messages". The act of signing is done when the message is finalised ready for sending later - queued. This can therefore be done offline, leaving only the signed email in the outbox waiting for the connection and command to send. Besides, even without a queue, aren't you going to be using a firewall to protect your machine? Where is the perceived threat - from the internet or from the intranet or even from users on the same system? -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk http://www.wewantbroadband.co.uk/ --Boundary-02=_URyl+MPOSSE4MAX Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+lyRUiAEJSii8s+MRAgNRAKCGn7KU+yqpSBmM1juo71yeLigmHQCfXp8J MIb21fGsWwJA8tme4/UGAWw= =zUA2 -----END PGP SIGNATURE----- --Boundary-02=_URyl+MPOSSE4MAX-- From dshaw@jabberwocky.com Sat Apr 12 01:07:24 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Sat Apr 12 00:07:24 2003 Subject: delete ID In-Reply-To: <20030411004547.GA18525@bminton.dyn.cheapnet.net> References: <000701c2ff9f$3fee25d0$0500a8c0@effenberger> <20030411004547.GA18525@bminton.dyn.cheapnet.net> Message-ID: <20030411192835.GC1357@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, Apr 10, 2003 at 08:45:47PM -0400, Brian Minton wrote: > N.B. I am not sure if the RFC explicitly defines revoking > userids, but certainly revoking the selfsig on a particular user > achieves the same effect. The new draft OpenPGP RFC does define this meaning (as well as the notion of an expiring user ID, done via an expiring selfsig). 1.2.2 has a new "revuid" command to do this easily so there is no need to manually revoke the selfsig. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+lxdj4mZch0nhy8kRAiJdAJ4rwBsUnO4jBF9hqJi/0y5BdXkKIQCfWslJ f3ZPPT+88cCK+QCZDDS1+88= =dX4B -----END PGP SIGNATURE----- From DenisMcCauley@ifrance.com Sat Apr 12 03:53:02 2003 From: DenisMcCauley@ifrance.com (Denis McCauley) Date: Sat Apr 12 02:53:02 2003 Subject: GPG In-Reply-To: <200304112123.48845.linux@codehelp.co.uk> References: <5.1.0.14.2.20030410144348.02531038@localhost> <5.1.0.14.2.20030411103349.02538848@localhost> <3E97073C.8010900@ifrance.com> <200304112123.48845.linux@codehelp.co.uk> Message-ID: <3E976389.7070600@ifrance.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Neil Williams wrote: >On Friday 11 April 2003 7:19 pm, Denis McCauley wrote: > >> > Eddie Roosenmaallen wrote >> > Another alternative for an easy-to-use mail frontend is Mozilla with >> > Enigmail. It's pretty painless to set up, and it does signing, >> > encrypting, >> > key pair generation, etc. right from the menus in Moz mail. >> >>Very easy to use but I see a problem with encrypting or signing mails >>with Enigmail because this is done on sending, which means private >>keys (and passphrase if cached) might be exposed when you go online. >>An option to encrypt/sign and queue would solve this problem though. > > >But Mozilla can do that, like most email clients you can send now or send >later. It's a simple configuration option. ># To send messages in your Unsent Messages folder before going offline, check >"Send Unsent Messages". > Sure, but .... >The act of signing is done when the message is finalised ready for sending >later - queued. This can therefore be done offline, leaving only the signed >email in the outbox waiting for the connection and command to send. > Maybe I'm a bit thick, but I can't find an option to queue encrypted or signed messages on my version (Enigmail 0.71 on Mozilla 1.2.1 on w2k), though it can be done for unencrypted/unsigned messages. I have to encrypt or sign with gpg outside the mailer, copy to the composer and then queue the message. >Besides, even without a queue, aren't you going to be using a firewall to >protect your machine? Where is the perceived threat - from the internet or >from the intranet or even from users on the same system? > > I keep in mind a comment by Bruce Schneier: "Some firewalls are reasonably effective", and I've seen examples of sites reading my file structure through IE (not with Mozilla, but I'm careful all the same). Once the firewall is opened for the browser there's a potential problem. Cheers, DM -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1-nr1 (Windows 2000) - GPGshell v2.70 Comment: Key ID: 0x8353641A Comment: 1374 43A0 8F8D DB46 D752 0202 2514 2492 8353 641A iQEVAwUBPpdi3SUUJJKDU2QaAQIJaAgAlNBqIAY8EcFcL/l6frOZVBKE6G+R1ZzO UNDQ8xHFlRpoEvvLaF9BrTiHZfDHDf9ZudQYDFa1rbQ/Aw2rJ1Z37NHHmWBl9m7I Dfo3EtbqqamRU3fx2Mo4AigwQ7g3c9Jd58UbP6EgRoQxcE7uGu+3XDsQuc213zBB kuM/06pOKA2vgwn4oC8AdpvRkDJzFWdsAYBDPCLGdWzc7Usws567xRWUVBU28QsG h8VuvHyIqknakKYxPLWxc9yq+sBq11KYMHOhvnTKtTbwd4RuJ41XIjNgg2zhd9MZ 9GEgCw/OIK9qO/sv1Lyh6bPa0eL5ArgwVre4RGplVhherNno3ArF0g== =CLX+ -----END PGP SIGNATURE----- From avbidder@fortytwo.ch Sat Apr 12 16:33:02 2003 From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder) Date: Sat Apr 12 15:33:02 2003 Subject: Using GPG as a certificate autority In-Reply-To: <3E96F484.2070606@oracle.com> References: <3E96F484.2070606@oracle.com> Message-ID: <200304121534.41028@fortytwo.ch> --Boundary-02=_xXBm+hpWpnWpX4b Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Friday 11 April 2003 18:59, Mike Campbell wrote: > Please don't use HTML mail. > Is it possible to use GPG as a certificate authority?
In principle, yes. The OpenPGP does not require a certain trust model, so a= =20 centralized trust model with a CA (or with multiple CAs) can be implemented BUT >[...] Oracle's wallet manager [...] Without knowing the product, I think most commercial products that support= =20 cryptographical certificates and hierarchical trust models use X.509=20 certificates and not OpenPGP certificates. Standard gpg can't do anything=20 with X.509 certificates.=20 There's work being done to allow interoperation between the X.509 world and= =20 the OpenPGP world. I can't say how much of this already works and how it is= =20 supposed to work in the end. I think you should find some information in th= e=20 list archives (gpg-devel, probably) when you search about 'gpgsm' and=20 possibly '=E4gypten' or 'newpg'. cheers =2D- vbi =2D-=20 random link of the day: http://fortytwo.ch/sienapei/lohpaidi --Boundary-02=_xXBm+hpWpnWpX4b Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iKcEABECAGcFAj6YFfBgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjMmbWQ1c3VtPTE0Y2E2MTZmMTQ2ODJhODJj YjljYzI1YzliMzRhMTBkAAoJEIukMYvlp/fWSnUAoPNLobr4/46cYarLVcLpnKMi 2KcPAJ4urhxxlSjn0t42yXG4mvBgcCldRA== =yTOP -----END PGP SIGNATURE----- Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.3&md5sum=14ca616f14682a82cb9cc25c9b34a10d --Boundary-02=_xXBm+hpWpnWpX4b-- From linux@codehelp.co.uk Sat Apr 12 20:15:02 2003 From: linux@codehelp.co.uk (Neil Williams) Date: Sat Apr 12 19:15:02 2003 Subject: GPG In-Reply-To: <3E976389.7070600@ifrance.com> References: <5.1.0.14.2.20030410144348.02531038@localhost> <200304112123.48845.linux@codehelp.co.uk> <3E976389.7070600@ifrance.com> Message-ID: <200304121815.42044.linux@codehelp.co.uk> --Boundary-02=_+mEm+k87jyPrchD Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Description: signed data Content-Disposition: inline On Saturday 12 April 2003 1:53 am, Denis McCauley wrote: > Neil Williams wrote: > > Maybe I'm a bit thick, but I can't find an option to queue encrypted > or signed messages on my version (Enigmail 0.71 on Mozilla 1.2.1 on > w2k), though it can be done for unencrypted/unsigned messages. I have > to encrypt or sign with gpg outside the mailer, copy to the composer > and then queue the message. Doesn't Ctrl+Shift+Return work? Have you not got Enigmail set to sign by default? It might be worth setting up an identity where this can be used. If not, it just goes to show that Windows simply isn't up to the job. > I keep in mind a comment by Bruce Schneier: "Some firewalls are > reasonably effective", and I've seen examples of sites reading my file > structure through IE (not with Mozilla, but I'm careful all the same). That's IE's fault, not the firewall!!! Those exploits can be patched but new ones keep appearing. I switched to Linux instead. Mozilla doesn't provide holes like IE as it is not part of the operating system like explorer. On Linux, Mozilla behind a iptables deny-all firewall simply has no permission to even read the filesystem structure as it runs as a user. Unlike Windows, the user on Linux is NOT given permission to access the filesystem structure outside the home directory, that is reserved for the sys admin user. All attempts are simply refused. Your basic problem is that Windows runs as the system admin even when the user doesn't have a clue. Worse, it runs a scripted environment that can be modified by the not-a-clue user but which still runs as the super-user. On Linux/Unix, the system runs as super-user and no other user has any permission to access the system. Users have access to their own home directories (and not to each others) and have no permission to modify the system environment. That's how my machines keep running even when a user trashes their own environment. As the firewall is part of the system, there is no way for a user (or user program) to interfere with the port configuration directly. > Once the firewall is opened for the browser there's a potential > problem. Depends on the browser and the operating system. If a request is received on a port opened by the browser, the request doesn't have to completed - it's down to the security of the browser and the operating system behind it. > > Cheers, > > DM > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk http://www.wewantbroadband.co.uk/ --Boundary-02=_+mEm+k87jyPrchD Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+mEm+iAEJSii8s+MRAiCNAJwNO8I9J7Ysc7CmV80UEJ1Ogvx88QCfWdnO QNKk8OAd6i+/IHSd49bRmLs= =jsO5 -----END PGP SIGNATURE----- --Boundary-02=_+mEm+k87jyPrchD-- From ingo.kloecker@epost.de Sat Apr 12 21:29:01 2003 From: ingo.kloecker@epost.de (Ingo =?iso-8859-1?q?Kl=F6cker?=) Date: Sat Apr 12 20:29:01 2003 Subject: GPG agent for automated processing In-Reply-To: <20030410-94ef1fc600846a8284e90cf4a0ccd13c@mail.boston.com> References: <62E5CA45-6AE0-11D7-AFE7-003065B1243E@mac.com> <87el4a4pv4.fsf@alberti.g10code.de> <20030410-94ef1fc600846a8284e90cf4a0ccd13c@mail.boston.com> Message-ID: <200304122002.05037@erwin.ingo-kloecker.de> --Boundary-02=_dSFm+PYkkqiIyNm Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Thursday 10 April 2003 15:06, darren chamberlain wrote: > * Werner Koch [2003-04-10 06:49]: > > [...]The only advantage I can see is that the passphrase is stored > > in ram and not in the file system[...] > > ...until it gets swapped out, of course. AFAIK, it never gets swapped out if gpg-agent is allowed to lock memory=20 (e.g. if gpg-agent is setuid root). Regards, Ingo --Boundary-02=_dSFm+PYkkqiIyNm Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+mFScGnR+RTDgudgRAnVkAJ0YaDwvUKbeW61VfRJ5GKzHxaQ4JwCglIVl hpvix7NwpHudCSa1CIzaCrQ= =hAm5 -----END PGP SIGNATURE----- --Boundary-02=_dSFm+PYkkqiIyNm-- From ingo.kloecker@epost.de Sat Apr 12 21:29:25 2003 From: ingo.kloecker@epost.de (Ingo =?iso-8859-1?q?Kl=F6cker?=) Date: Sat Apr 12 20:29:25 2003 Subject: DDOS attack In-Reply-To: <20030408211800.GB6160@pm1.ric-28.lft.widomaker.com> References: <3E932A55.5010505@netcourrier.com> <20030408211800.GB6160@pm1.ric-28.lft.widomaker.com> Message-ID: <200304122007.57211@erwin.ingo-kloecker.de> --Boundary-02=_9XFm+n2xIUDyWeI Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Description: signed data Content-Disposition: inline On Tuesday 08 April 2003 23:18, Jason Harris wrote: > On Tue, Apr 08, 2003 at 10:00:21AM -1000, Maxine Brandt wrote: > > If any list members had problems accessing my keys recently at > > http://www.torduninja.tk this was because of a massive attack on > > the .tk root servers, and the .tk registry server. > > > > Things are running again but may still be slow for a few days yet. > > Sorry for any inconvenience. > > Many public keyservers have your key (filesize, partial URL): > > 3121 openpksd.org:11371/pks/lookup?op=get&search=0xA9DB09C0 [snip] Which script did you use to get this nice list, Jason? Regards, Ingo --Boundary-02=_9XFm+n2xIUDyWeI Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+mFX9GnR+RTDgudgRAueIAJ9MIA+QADYiF5/JmRWgi8jLPvGGBQCfXf9V 7CGafLNo9LGNq4mW8+JrgVg= =3Uqu -----END PGP SIGNATURE----- --Boundary-02=_9XFm+n2xIUDyWeI-- From linux@codehelp.co.uk Sun Apr 13 00:23:01 2003 From: linux@codehelp.co.uk (Neil Williams) Date: Sat Apr 12 23:23:01 2003 Subject: addkey edit option Message-ID: <200304122224.00676.linux@codehelp.co.uk> --Boundary-02=_wPIm+vAw013pvUX Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Description: signed data Content-Disposition: inline Before I do something I will later regret, I thought I'd ask. :-) I currently have just an ElGamal subkey on my main GnuPG key, 28BCB3E3. I've created a test key that isn't on any keyservers yet to which I've added other subkeys, RSA (1 sign + 1 encrypt) and DSA. Does this make this key 1: more, or less, secure? 2: more or less compatible with PGP? What does it add / subtract from the usefulness of the key? -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk http://www.wewantbroadband.co.uk/ --Boundary-02=_wPIm+vAw013pvUX Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+mIPwiAEJSii8s+MRAo/NAKDGZH2pD4nYwZT+r3dUTsUG8lWxgQCeOSIR OY9VQZvleOJfEC76rjs3N3o= =OhbB -----END PGP SIGNATURE----- --Boundary-02=_wPIm+vAw013pvUX-- From martin.bretschneider@gmx.de Sun Apr 13 01:56:01 2003 From: martin.bretschneider@gmx.de (Martin Bretschneider) Date: Sun Apr 13 00:56:01 2003 Subject: different way of enrcypted e-mails including signatures/ Sylpheed-Claws-bug Message-ID: --vn)egr=.XAbC_CYE Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Hi GnuPG-user and devs, I'm (still) investigating a bug of my favourite e-mail-client Sylpheed-Claws: Sylpheed-Claws does not recognize signatures of PGP/MIME-encrypted & signed e-mails sent by mutt or gpgrelay (I call them group X). But it does from Sylpheed-Claws, Mozilla, Evolution... (I call them group Y). Now I've found the big difference beetween X and Y: Y takes the e-mail-body, calculates the signature, adds a MIME-envelope and put the signature in that. X puts the signature in another way to the encrypted part. I guess it is a kind of combinded method described in chapted 6.2 in RFC 3156. If I decrypt a e-mail by X manually, gpg verifies it automatically. There is no MIMI-envelope including the signature left. Thus, Sylpheed-Claws cannot verify it. I want to be as exact as possible in reporting this bug to the Sylpheed-claws-devs. Can you pleas tell me, the method that Sylpheed-Claws does not support? BTW: Sylpheed-Claws uses GPGME in order to use GnuPG. TIA Martin -- www.bretschneidernet.de OpenPGP_0x4EA52583 JID_breti@jabber.org (o_ Albert Einstein: (o_ (o_ (o_ //\ Few are those who see with their (\)_(\)_(\)_V_/_ own eyes and feel with their own hearts. --vn)egr=.XAbC_CYE Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+mJlZGK1ebE6lJYMRAmwpAJ9QPCC/3CM5xijV8xiM2ojpLkGpvQCfRILZ Mijy60WAGvRXq9SKL+RLio8= =gg3j -----END PGP SIGNATURE----- --vn)egr=.XAbC_CYE-- From ingo.kloecker@epost.de Sun Apr 13 03:34:01 2003 From: ingo.kloecker@epost.de (Ingo =?iso-8859-1?q?Kl=F6cker?=) Date: Sun Apr 13 02:34:01 2003 Subject: different way of enrcypted e-mails including signatures/ Sylpheed-Claws-bug In-Reply-To: References: Message-ID: <200304130219.21557@erwin.ingo-kloecker.de> --Boundary-02=_J0Km+Cdhy/PcKId Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Sunday 13 April 2003 00:55, Martin Bretschneider wrote: > Sylpheed-Claws does not recognize signatures of PGP/MIME-encrypted & > signed e-mails sent by mutt or gpgrelay (I call them group X). But it > does from Sylpheed-Claws, Mozilla, Evolution... (I call them group > Y). > > Now I've found the big difference beetween X and Y: > Y takes the e-mail-body, calculates the signature, adds a > MIME-envelope and put the signature in that. > X puts the signature in another way to the encrypted part. I guess it > is a kind of combinded method described in chapted 6.2 in RFC 3156. Exactly. > If I decrypt a e-mail by X manually, gpg verifies it automatically. > There is no MIMI-envelope including the signature left. Thus, > Sylpheed-Claws cannot verify it. > > > I want to be as exact as possible in reporting this bug to the > Sylpheed-claws-devs. Can you pleas tell me, the method that > Sylpheed-Claws does not support? Well, you gave the answer already yourself. Apparently, Sylpheed-Claws=20 doesn't support the combined method. Regards, Ingo --Boundary-02=_J0Km+Cdhy/PcKId Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+mK0JGnR+RTDgudgRAoL+AKCL25dy3taIArkVfiz+9zJAWZXpeACffiv+ aPx49D9ZF3qvpLEOuc+Kkpg= =WYyY -----END PGP SIGNATURE----- --Boundary-02=_J0Km+Cdhy/PcKId-- From martin.bretschneider@gmx.de Sun Apr 13 10:57:02 2003 From: martin.bretschneider@gmx.de (Martin Bretschneider) Date: Sun Apr 13 09:57:02 2003 Subject: different way of enrcypted e-mails including signatures/ Sylpheed-Claws-bug In-Reply-To: <200304130219.21557@erwin.ingo-kloecker.de> References: <200304130219.21557@erwin.ingo-kloecker.de> Message-ID: --=.,?rn'QDAU?rB.s Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: base64 SW5nbyBLbPZja2VyIDxpbmdvLmtsb2Vja2VyQGVwb3N0LmRlPiB3cm90ZToNCg0KSGkgSW5nbywN Cg0KPiBXZWxsLCB5b3UgZ2F2ZSB0aGUgYW5zd2VyIGFscmVhZHkgeW91cnNlbGYuIEFwcGFyZW50 bHksDQo+IFN5bHBoZWVkLUNsYXdzIGRvZXNuJ3Qgc3VwcG9ydCB0aGUgY29tYmluZWQgbWV0aG9k Lg0KDQpUaGFua3M7KSBJJ3ZlIHdyb3RlIGEgZmVhdHVyZSByZXF1ZXN0IG5vdzogDQpodHRwOi8v c291cmNlZm9yZ2UubmV0L3RyYWNrZXIvaW5kZXgucGhwP2Z1bmM9ZGV0YWlsJmF0aWQ9Mzg0NjAx JmFpZD03MjA1NDQmZ3JvdXBfaWQ9MjU1MjgNCg0KTWFydGluDQotLSANCiAgIHd3dy5icmV0c2No bmVpZGVybmV0LmRlICAgT3BlblBHUF8weDRFQTUyNTgzICAgICAgIElDUV8xMTA1NDM4MjQNCiAg ICAgICAgICAgICAob18gICAgICAgICAgICAgICAgICAgRXJuZXN0IEhlbWluZ3dheToNCiAob18g KG9fIChvXyAvL1wgICAgIEkgbGlrZSB0byBsaXN0ZW4uIEkgaGF2ZSBsZWFybmVkIGEgZ3JlYXQg ZGVhbA0KIChcKV8oXClfKFwpX1ZfL18gZnJvbSBsaXN0ZW5pbmcgY2FyZWZ1bGx5LiBNb3N0IHBl b3BsZSBuZXZlciBsaXN0ZW4uDQo= --=.,?rn'QDAU?rB.s Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+mQzpGK1ebE6lJYMRArhSAKDc9vqIVVWk3YlW+xGd6SDIXGwA7ACgy9us aS05vxYubjHhRBzlbBQGirQ= =UeF2 -----END PGP SIGNATURE----- --=.,?rn'QDAU?rB.s-- From pknoob@noos.fr Sun Apr 13 18:46:02 2003 From: pknoob@noos.fr (Don Patou) Date: Sun Apr 13 17:46:02 2003 Subject: trying to export the sender key Message-ID: <200304131747.30510.pknoob@noos.fr> I've just created my keys from the gnupg tutorial on http://technocage.com/~caskey/gnupg/gpg-cmt.html. The problem is that when I try to export my sender key with this line: "joe@debian:~/keys/recipient$ gpg --homedir -a --export recipient" I get a: "gpg: keyblock resource `-a/secring.gpg': file open error gpg: keyblock resource `-a/pubring.gpg': file open error gpg: WARNING: nothing exported" any suggestions? Thanx in advance From richard@sheflug.co.uk Sun Apr 13 19:08:02 2003 From: richard@sheflug.co.uk (Richard Ibbotson) Date: Sun Apr 13 18:08:02 2003 Subject: Expiry Date Message-ID: <200304131706.32091.richard@sheflug.co.uk> Hi This one has probably been seen on this list before. Been through the manual and the docs. I can find what I am looking for but it doesn't work with my version of GnuPG 1.2.1. I'd like to update my subkey so that it never expires. At the moment it looks like this... pub 1024D/E233C898 created: 2002-08-01 expires: never trust:f/f sub 2048g/48F969EB created: 2002-08-01 expires: 2003-08-01 (1). Richard Ibbotson Can anyone suggest how to do this ? I've tried 'gpg --edit-key richard@sheflug.co.uk'. But, when I try to change the date on the subkey by selecting the subkey with 'expire' gpg just selects the primary key and not the subkey. If I try 'expire 2' it still doesn't work. Any suggestions ? I don't want to delete the subkey. I'm afraid that I might not be able to put it back again. -- Richard From twoaday@freakmail.de Sun Apr 13 20:31:02 2003 From: twoaday@freakmail.de (Timo Schulz) Date: Sun Apr 13 19:31:02 2003 Subject: trying to export the sender key In-Reply-To: <200304131747.30510.pknoob@noos.fr> References: <200304131747.30510.pknoob@noos.fr> Message-ID: <20030413173048.GA795@daredevil.joesixpack.net> On Sun Apr 13 2003; 17:47, Don Patou wrote: > "joe@debian:~/keys/recipient$ gpg --homedir -a --export recipient" > > I get a: > "gpg: keyblock resource `-a/secring.gpg': file open error > gpg: keyblock resource `-a/pubring.gpg': file open error > gpg: WARNING: nothing exported" > > any suggestions? Yes... homedir needs an argument. Now you set your home directory to '-a' which does not work. Try "gpg --homedir /home/joe/.gnupg -a --export recipient" (And replace the directory with the GPG dir on your machine!) Timo -- "Der Tugendhafte begnügt sich, von dem zu träumen, was der Böse im Leben verwirklicht." -- Platon From gnupg-users@nahrath.de Sun Apr 13 20:38:01 2003 From: gnupg-users@nahrath.de (Michael Nahrath) Date: Sun Apr 13 19:38:01 2003 Subject: Expiry Date In-Reply-To: <200304131706.32091.richard@sheflug.co.uk> References: <200304131706.32091.richard@sheflug.co.uk> Message-ID: <3E99A0D6.5080908@nahrath.de> This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig8300397EDF2CF58AFB187156 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Richard Ibbotson wrote: > I'd like to update my subkey so that it never expires. At the moment > it looks like this... > > pub 1024D/E233C898 created: 2002-08-01 expires: never trust:f/f > sub 2048g/48F969EB created: 2002-08-01 expires: 2003-08-01 > (1). Richard Ibbotson > Can anyone suggest how to do this ? Sorry that I can't realy answer your question. The usual thing people do in your situation is to crate a new, additional subkey and let the old one expire. If you do it now everybody has another 4 months time to receive your updated key, including the new subkey. I see another problem with your key. I just downloaded it from the keyserver 'sks.dnsalias.net'. It seems that the primary key is set to expire as well: | [michi@localhost]~$ gpg --edit E233C898 check q | | pub 1024D/E233C898 created: 2002-08-01 expires: 2003-08-01 trust: -/- | sub 2048g/48F969EB created: 2002-08-01 expires: 2003-08-01 | (1). Richard Ibbotson | | uid Richard Ibbotson | sig!3 E233C898 2002-08-01 [self-signature] | 2 signatures not checked due to missing keys Have you already changed the expity of your primary key locally (by an additional self-signature) and not exported it yet? Greeting, Michi --------------enig8300397EDF2CF58AFB187156 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (Darwin) Comment: http://www.biglumber.com/x/web?qs=0x9A4C704C iEYEARECAAYFAj6ZoNcACgkQ19dRf5pMcEzSuACgiSFyxqgEYA5Wg+TpU6ReY9MQ tjAAnjS4VLMTZIHqm1vaf83dy+a+BW0d =sNC9 -----END PGP SIGNATURE----- --------------enig8300397EDF2CF58AFB187156-- From manuel@samper.dyndns.org Sun Apr 13 20:42:02 2003 From: manuel@samper.dyndns.org (Manuel Samper) Date: Sun Apr 13 19:42:02 2003 Subject: Expiry Date In-Reply-To: <200304131706.32091.richard@sheflug.co.uk> References: <200304131706.32091.richard@sheflug.co.uk> Message-ID: <20030413174310.GB3531@postfix.dyndns.org> Richard Ibbotson, on Sunday, Apr 13 2003 at 18:06, wrote: > I've tried 'gpg --edit-key richard@sheflug.co.uk'. But, when I try to > change the date on the subkey by selecting the subkey with 'expire' > gpg just selects the primary key and not the subkey. If I try > 'expire 2' it still doesn't work. Edit the key, then select the subkey: Command> key 1 You will see your subkey marked with an asterisk. Now you can set the espiry date in it. MS From mitabrev@mochamail.com Sun Apr 13 20:46:02 2003 From: mitabrev@mochamail.com (Erik) Date: Sun Apr 13 19:46:02 2003 Subject: Expiry Date In-Reply-To: <200304131706.32091.richard@sheflug.co.uk> References: <200304131706.32091.richard@sheflug.co.uk> Message-ID: <20030413174647.GB7843@mochamail.com> --2fHTh5uZTiUOsy+g Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Apr 13, 2003 at 05:06:32PM +0100, Richard Ibbotson wrote: > I'd like to update my subkey so that it never expires. At the moment=20 > it looks like this... >=20 > pub 1024D/E233C898 created: 2002-08-01 expires: never trust:f/f > sub 2048g/48F969EB created: 2002-08-01 expires: 2003-08-01 > (1). Richard Ibbotson >=20 >=20 > Can anyone suggest how to do this ? Have you tried the following? gpg --edit-key your_keyid or uid key 1 expire follow prompts list save --=20 Erik --2fHTh5uZTiUOsy+g Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+maKHuvaiddBYam8RAwcCAJ96sHCL4SwUjhzUuduxdYRj5Q9g+ACgq12c kyfc3JY5BNN7Lqh3Q+BGDFc= =wwmI -----END PGP SIGNATURE----- --2fHTh5uZTiUOsy+g-- From manuel@samper.dyndns.org Sun Apr 13 20:47:02 2003 From: manuel@samper.dyndns.org (Manuel Samper) Date: Sun Apr 13 19:47:02 2003 Subject: trying to export the sender key In-Reply-To: <200304131747.30510.pknoob@noos.fr> References: <200304131747.30510.pknoob@noos.fr> Message-ID: <20030413174802.GC3531@postfix.dyndns.org> Don Patou, on Sunday, Apr 13 2003 at 17:47, wrote: > I've just created my keys from the gnupg tutorial on > http://technocage.com/~caskey/gnupg/gpg-cmt.html. The problem is that when I > try to export my sender key with this line: > "joe@debian:~/keys/recipient$ gpg --homedir -a --export recipient" ^^^^^^^^^^^^^ gpg are seeing homedir=-a > I get a: > "gpg: keyblock resource `-a/secring.gpg': file open error > gpg: keyblock resource `-a/pubring.gpg': file open error > gpg: WARNING: nothing exported" Don't set --homedir (by default in $HOME/.gnupg, on unix-like systems), or set it to where your gnupg files (keyrings, etc.) are. MS From jharris@widomaker.com Sun Apr 13 20:52:01 2003 From: jharris@widomaker.com (Jason Harris) Date: Sun Apr 13 19:52:01 2003 Subject: Expiry Date In-Reply-To: <200304131706.32091.richard@sheflug.co.uk> References: <200304131706.32091.richard@sheflug.co.uk> Message-ID: <20030413175311.GA44649@pm1.ric-37.lft.widomaker.com> --ibTvN161/egqYuK8 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Apr 13, 2003 at 05:06:32PM +0100, Richard Ibbotson wrote: =20 > I'd like to update my subkey so that it never expires. At the moment=20 > it looks like this... >=20 > pub 1024D/E233C898 created: 2002-08-01 expires: never trust:f/f > sub 2048g/48F969EB created: 2002-08-01 expires: 2003-08-01 =20 > I've tried 'gpg --edit-key richard@sheflug.co.uk'. But, when I try to=20 > change the date on the subkey by selecting the subkey with 'expire'=20 > gpg just selects the primary key and not the subkey. If I try=20 > 'expire 2' it still doesn't work. Type "key 1" to select (which puts a * by) the subkey, then proceed as usua= l. > Any suggestions ? I don't want to delete the subkey. I'm afraid that=20 > I might not be able to put it back again. You'd have to restore it from a backup to get it back, or all data encrypted to it would be unreadable. Revoking it or letting it expire (and adding a new (encryption) subkey via 'addkey') would still let you decrypt any data, however. Also, since the public subkey is already on the keyservers (and presumably otherwise in play), removing the private subkey from your keyring could mean you can't revoke the subkey, so you'd only be able to let it expire. (Will GPG revoke a subkey if the private portion isn't available? (Adding legitimacy (a popular word these days...) to a bogus subkey by revoking it would seem counterintuitive, so one may argue that a valid binding sig. is first required, but it would seem to be useful if a subkey is accidentally deleted.)) --=20 Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com | web: http://jharris.cjb.net/ --ibTvN161/egqYuK8 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+maQGSypIl9OdoOMRAgZhAJ0emTMTimAy9KLxv6kd7KdEdBKvQQCeNDu8 NmYKchDQpsAwKUr4Fmr+IKo= =RCN1 -----END PGP SIGNATURE----- --ibTvN161/egqYuK8-- From mitabrev@mochamail.com Sun Apr 13 20:54:01 2003 From: mitabrev@mochamail.com (Erik) Date: Sun Apr 13 19:54:01 2003 Subject: trying to export the sender key In-Reply-To: <200304131747.30510.pknoob@noos.fr> References: <200304131747.30510.pknoob@noos.fr> Message-ID: <20030413175459.GC7843@mochamail.com> --s/l3CgOIzMHHjg/5 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Apr 13, 2003 at 05:47:30PM +0200, Don Patou wrote: > I've just created my keys from the gnupg tutorial on > http://technocage.com/~caskey/gnupg/gpg-cmt.html. The problem is that > when I try to export my sender key with this line: > "joe@debian:~/keys/recipient$ gpg --homedir -a --export recipient" >=20 > I get a: "gpg: keyblock resource `-a/secring.gpg': file open error > gpg: keyblock resource `-a/pubring.gpg': file open error gpg: WARNING: > nothing exported" >=20 > any suggestions? You didn't specify a directory for "--homedir", so it is using -a as the directory. This may work: gpg --homedir some_directory -a --export keyid > some_filename From the gpg man page: --homedir directory Set the name of the home directory to directory If this option is not used it defaults to "~/.gnupg". It does not make sense to use this in a options file. This also overrides the environment variable "GNUPGHOME". --=20 Erik --s/l3CgOIzMHHjg/5 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+maRzuvaiddBYam8RA/MAAJ4hIK+HlNR1XbPAp6iksYTpOaeVrwCgh7NK mSnnz7CaK1KFkIJ2/MitIzo= =M6zY -----END PGP SIGNATURE----- --s/l3CgOIzMHHjg/5-- From richard@sheflug.co.uk Sun Apr 13 20:56:02 2003 From: richard@sheflug.co.uk (Richard Ibbotson) Date: Sun Apr 13 19:56:02 2003 Subject: Expiry Date In-Reply-To: <3E99A0D6.5080908@nahrath.de> References: <200304131706.32091.richard@sheflug.co.uk> <3E99A0D6.5080908@nahrath.de> Message-ID: <200304131855.00552.richard@sheflug.co.uk> Michael > Have you already changed the expity of your primary key locally (by > an additional self-signature) and not exported it yet? Yes. Exporting it doesn't result in an update on the server. Don't ask me why I don't know. -- Richard From jharris@widomaker.com Sun Apr 13 21:00:01 2003 From: jharris@widomaker.com (Jason Harris) Date: Sun Apr 13 20:00:01 2003 Subject: checking keys on multiple keyservers (was Re: DDOS attack) In-Reply-To: <200304122007.57211@erwin.ingo-kloecker.de> References: <3E932A55.5010505@netcourrier.com> <20030408211800.GB6160@pm1.ric-28.lft.widomaker.com> <200304122007.57211@erwin.ingo-kloecker.de> Message-ID: <20030413180042.GB44649@pm1.ric-37.lft.widomaker.com> --Y7xTucakfITjPcLV Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Apr 12, 2003 at 08:07:56PM +0200, Ingo Kl=F6cker wrote: > On Tuesday 08 April 2003 23:18, Jason Harris wrote: > > Many public keyservers have your key (filesize, partial URL): > > > > 3121 openpksd.org:11371/pks/lookup?op=3Dget&search=3D0xA9DB09C0 > Which script did you use to get this nice list, Jason? I used kserver-all (with wget -x) and lget (see "code" on my website) to fetch the key from multiple keyservers and just reported the sizes and filenames. --=20 Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com | web: http://jharris.cjb.net/ --Y7xTucakfITjPcLV Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+maXJSypIl9OdoOMRAvalAKDL0ORqFpC+Vrnvg01w6TYMpTg1kQCeOxZt lG66I2fKiiYZLxmy9Y4+c4I= =6S7W -----END PGP SIGNATURE----- --Y7xTucakfITjPcLV-- From linux@codehelp.co.uk Sun Apr 13 21:11:07 2003 From: linux@codehelp.co.uk (Neil Williams) Date: Sun Apr 13 20:11:07 2003 Subject: trying to export the sender key In-Reply-To: <200304131747.30510.pknoob@noos.fr> References: <200304131747.30510.pknoob@noos.fr> Message-ID: <200304131909.57529.linux@codehelp.co.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sunday 13 Apr 2003 4:47 pm, Don Patou wrote: > I've just created my keys from the gnupg tutorial on > http://technocage.com/~caskey/gnupg/gpg-cmt.html. The problem is that when > I try to export my sender key with this line: > "joe@debian:~/keys/recipient$ gpg --homedir -a --export recipient" If you use --homedir, you need to specify a directory for it to use. If you've followed the defaults, it'll be in ~/.gnupg/ and you won't need --homedir anyway. Use ls -a ~ to list the entire contents of your home directory and look for .gnupg/ Replace recipient with the keyid (or leave blank to get all keys). If you only have your key in place, use: gpg -a --export > export.asc This will create a text file called export.asc containing the public key. > I get a: > "gpg: keyblock resource `-a/secring.gpg': file open error > gpg: keyblock resource `-a/pubring.gpg': file open error Because of the --homedir setting, gpg is misreading the -a option as a directory. - -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE+maf0k7DVr6iX/QIRAgz7AJ0YkhL6EEOtHKmJPvjqoSWGtP2bDQCfS4UC 7UTQ32A2ZvzIKKj4/jitqxA= =8cu0 -----END PGP SIGNATURE----- From jbruni@mac.com Sun Apr 13 21:15:01 2003 From: jbruni@mac.com (Joseph Bruni) Date: Sun Apr 13 20:15:01 2003 Subject: Expiry Date In-Reply-To: <200304131706.32091.richard@sheflug.co.uk> Message-ID: % gpg --edit-key E233C898 At the Command> prompt, type "key 1". Then type "expire". On Sunday, April 13, 2003, at 09:06 AM, Richard Ibbotson wrote: > Hi > > This one has probably been seen on this list before. Been through the > manual and the docs. I can find what I am looking for but it doesn't > work with my version of GnuPG 1.2.1. > > I'd like to update my subkey so that it never expires. At the moment > it looks like this... > > pub 1024D/E233C898 created: 2002-08-01 expires: never trust:f/f > sub 2048g/48F969EB created: 2002-08-01 expires: 2003-08-01 > (1). Richard Ibbotson > > > Can anyone suggest how to do this ? > > I've tried 'gpg --edit-key richard@sheflug.co.uk'. But, when I try to > change the date on the subkey by selecting the subkey with 'expire' > gpg just selects the primary key and not the subkey. If I try > 'expire 2' it still doesn't work. > > Any suggestions ? I don't want to delete the subkey. I'm afraid that > I might not be able to put it back again. > > > -- > Richard > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From linux@codehelp.co.uk Sun Apr 13 21:16:02 2003 From: linux@codehelp.co.uk (Neil Williams) Date: Sun Apr 13 20:16:02 2003 Subject: Expiry Date In-Reply-To: <200304131706.32091.richard@sheflug.co.uk> References: <200304131706.32091.richard@sheflug.co.uk> Message-ID: <200304131915.30225.linux@codehelp.co.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sunday 13 Apr 2003 5:06 pm, Richard Ibbotson wrote: > Hi > > This one has probably been seen on this list before. Been through the > manual and the docs. I can find what I am looking for but it doesn't > work with my version of GnuPG 1.2.1. > I'd like to update my subkey so that it never expires. At the moment > it looks like this... > > pub 1024D/E233C898 created: 2002-08-01 expires: never trust:f/f > sub 2048g/48F969EB created: 2002-08-01 expires: 2003-08-01 > (1). Richard Ibbotson Edit the key and use key to select the correct one first. $ gpg --edit-key richard@sheflug.co.uk key 1 expire > I've tried 'gpg --edit-key richard@sheflug.co.uk'. But, when I try to > change the date on the subkey by selecting the subkey with 'expire' You can't select the subkey just from the expire command, you need the key command first. - -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE+malBk7DVr6iX/QIRAkNxAJ9+QuYRWY2w8piZlN93APfVcF0h3gCbB68P 29OuiRTVFHLekUHoqFIQ3Dk= =BLmb -----END PGP SIGNATURE----- From richard@sheflug.co.uk Sun Apr 13 21:33:01 2003 From: richard@sheflug.co.uk (Richard Ibbotson) Date: Sun Apr 13 20:33:01 2003 Subject: Expiry Date In-Reply-To: <20030413175311.GA44649@pm1.ric-37.lft.widomaker.com> References: <200304131706.32091.richard@sheflug.co.uk> <20030413175311.GA44649@pm1.ric-37.lft.widomaker.com> Message-ID: <200304131931.47029.richard@sheflug.co.uk> Jason > Type "key 1" to select (which puts a * by) the subkey, then proceed > as usual. That sorted it out :) Thanks very much. -- Richard From jharris@widomaker.com Sun Apr 13 22:43:01 2003 From: jharris@widomaker.com (Jason Harris) Date: Sun Apr 13 21:43:01 2003 Subject: Expiry Date In-Reply-To: <200304131931.47029.richard@sheflug.co.uk> References: <200304131706.32091.richard@sheflug.co.uk> <20030413175311.GA44649@pm1.ric-37.lft.widomaker.com> <200304131931.47029.richard@sheflug.co.uk> Message-ID: <20030413194410.GA52142@pm1.ric-37.lft.widomaker.com> --82I3+IH0IqGh5yIs Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Apr 13, 2003 at 07:31:47PM +0100, Richard Ibbotson wrote: > Jason >=20 > > Type "key 1" to select (which puts a * by) the subkey, then proceed > > as usual. > That sorted it out :) Thanks very much. You're welcome. (My reply was also CC'd to you and although I didn't see any others at the time, mine wasn't the first I later saw get through on the list.) [previous trouble exporting new sigs] They hit keyserver.kjsl.com OK (TZ=3DPST8PDT): Apr 13 11:37:00 skylane pksd[37838]: pksd: mail_req: request received from = PGP K ey Server Administrator : incremental Apr 13 11:37:00 skylane pksd[37838]: pksd: kd_add: flags=3D100000 Apr 13 11:37:00 skylane pksd[37838]: pksd: display_new_sig: new sig 1 by E2= 33C89 8 added to E233C898 Richard Ibbotson References: <200304131706.32091.richard@sheflug.co.uk> <3E99A0D6.5080908@nahrath.de> <200304131855.00552.richard@sheflug.co.uk> Message-ID: <3E99C5AE.3040304@nahrath.de> This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigF58AFB187156D7C4ADE27330 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Richard Ibbotson wrote: >>Have you already changed the expity of your primary key locally (by >>an additional self-signature) and not exported it yet? > Yes. Exporting it doesn't result in an update on the server. Don't > ask me why I don't know. Depends on which keyserver you are using. Try "gpg --keyserver keyserver.kjsl.com:11371 --export E233C898" or "gpg --keyserver sks.dnsalias.net --export E233C898" and see again if your changes have arived. The old software most keyservers still use is really bad when it comes to changes done by self-signatures and subkeys. Greeting, Michi --------------enigF58AFB187156D7C4ADE27330 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (Darwin) Comment: http://www.biglumber.com/x/web?qs=0x9A4C704C iEYEARECAAYFAj6ZxcQACgkQ19dRf5pMcExn2gCgqXvhWPZ8bxg1Hb9mkoMDuaPi LuwAoKCgWmJKkvLV/eFyK7l5mph3mQzd =SZTj -----END PGP SIGNATURE----- --------------enigF58AFB187156D7C4ADE27330-- From list@daniel-luebke.de Mon Apr 14 00:03:18 2003 From: list@daniel-luebke.de (Daniel Luebke) Date: Sun Apr 13 23:03:18 2003 Subject: Charset of gpg --with-colon Message-ID: <3E99D135.1060905@daniel-luebke.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi! I just needed the output of gpg --list-keys --with-colon I saw that some keynames are printed in UTF-8 and some with a local charset. I thought I somewhere read that --with-colon uses UTF-8, but maybe I'm wrong. What is the correct charset? And why are there keys that are somewhat different. And more importantly: How can I correclty get the names ;-) Thanks in advance Daniel -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+mdE0EKRSJJognFARAvDpAJ9IcBMJkDJPMPiYqx1m+kx8ksBn8QCgr1Jt zkZT7jnePYOAnDMd6G+7scc= =rXUT -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Mon Apr 14 01:49:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Mon Apr 14 00:49:02 2003 Subject: Charset of gpg --with-colon In-Reply-To: <3E99D135.1060905@daniel-luebke.de> References: <3E99D135.1060905@daniel-luebke.de> Message-ID: <20030413224925.GB1670@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sun, Apr 13, 2003 at 11:05:57PM +0200, Daniel Luebke wrote: > Hi! > > I just needed the output of > > gpg --list-keys --with-colon > > I saw that some keynames are printed in UTF-8 and some with a local > charset. I thought I somewhere read that --with-colon uses UTF-8, but > maybe I'm wrong. > What is the correct charset? And why are there keys that are somewhat > different. And more importantly: How can I correclty get the names ;-) The name field of --with-colons is the raw UTF-8 value of the user ID field, with some values \-escaped. So, to extract the user name you need to take the value from the field and replace every occurance of '\xQQ' with the byte QQ. This results in the UTF-8 name field. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+mel14mZch0nhy8kRAtvpAKDJFF/yY2v05jFTUVOCWejV4WK9hwCg4ygh eXQqM6JXWtpqKXe129pBb1U= =uZZQ -----END PGP SIGNATURE----- From ingo.kloecker@epost.de Mon Apr 14 02:41:02 2003 From: ingo.kloecker@epost.de (Ingo =?iso-8859-1?q?Kl=F6cker?=) Date: Mon Apr 14 01:41:02 2003 Subject: Charset of gpg --with-colon In-Reply-To: <3E99D135.1060905@daniel-luebke.de> References: <3E99D135.1060905@daniel-luebke.de> Message-ID: <200304140131.53736@erwin.ingo-kloecker.de> --Boundary-02=_pNfm+uG75flVft2 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Sunday 13 April 2003 23:05, Daniel Luebke wrote: > I just needed the output of > > gpg --list-keys --with-colon > > I saw that some keynames are printed in UTF-8 and some with a local > charset. I thought I somewhere read that --with-colon uses UTF-8, but > maybe I'm wrong. > > What is the correct charset? And why are there keys that are somewhat > different. And more importantly: How can I correclty get the names The user ids are output literally, i. e. exactly as they are stored in=20 the public key. According to the OpenPGP standard user ids must be=20 encoded in utf-8. But unfortunately keys created with older PGP version=20 (5 and 6, maybe also 7) encoded the user id in local encoding instead=20 of utf-8. AFAIK gpa has some heuristics to find out if utf-8 encoding=20 or another encoding was used. Regards, Ingo --Boundary-02=_pNfm+uG75flVft2 Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+mfNpGnR+RTDgudgRAng9AKCfJLgSRgnkSzXRcV2YJFuPFtheGwCdFz5c n8dXjHNZdCfYrrGCFtZv4kk= =ULHM -----END PGP SIGNATURE----- --Boundary-02=_pNfm+uG75flVft2-- From jacdej@aent.com Mon Apr 14 14:28:01 2003 From: jacdej@aent.com (Jacques Dejean) Date: Mon Apr 14 13:28:01 2003 Subject: gnupg on hpux 11.11 Message-ID: Hello, In building gnupg v1.2.1, I encounter the following error -- ---------------------------------------------------------------------------- ------------------------------------ # make make all-recursive make[1]: Entering directory `/u01/gnupg/gnupg-1.2.1' Making all in intl make[2]: Entering directory `/u01/gnupg/gnupg-1.2.1/intl' cc -c -DLOCALEDIR=\"/opt/gnupg/share/locale\" -DLOCALE_ALIAS_PATH=\"/opt/gnupg/share/locale\" -DLIBDIR=\"/opt/gnupg/lib\" -DHAVE_CONFIG_H -I.. -I. -I../intl -g -Ae -D_HPUX_SOURCE intl-compat.c cc: "gettextP.h", line 67: error 1000: Unexpected symbol: "SWAP". cc: panic 2017: Cannot recover from earlier errors, terminating. make[2]: *** [intl-compat.o] Error 1 make[2]: Leaving directory `/u01/gnupg/gnupg-1.2.1/intl' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/u01/gnupg/gnupg-1.2.1' make: *** [all] Error 2 # ---------------------------------------------------------------------------- ------------------------------------- I ran the compile with "-E" flag set, and I see the variables being set; however, I don't understand why it's complaining about SWAP #ifdef _LIBC # include # define SWAP(i) bswap_32 (i) #else static inline nls_uint32 SWAP (i) nls_uint32 i; { return (i << 24) | ((i & 0xff00) << 8) | ((i >> 8) & 0xff00) | (i >> 24); } #endif Any suggestions? I appreciate it. Regards, Jacques V. Dejean Lead Systems Administrator Alliance Entertainment (v) 954-255-4344 From A.Melon Mon Apr 14 14:28:28 2003 From: A.Melon (A.Melon) Date: Mon Apr 14 13:28:28 2003 Subject: Best GnuPG tool for the non-technical windows user Message-ID: <10ee3d35776613eba9c3a8cbeb389794@melontraffickers.com> Hello, I'm interested in helping some non-technical people get up and running with encryption; a good thing. Is GPA + WinPT (as read in an older post) still the best way to accomplish this? Or should I get them using plugins (in this case for either Mozilla Mail or Qualcomm's Eudora)? I want to make this as simple as possible for them. Thanks for any pertinent information. From subotnik@gmx.de Mon Apr 14 14:28:55 2003 From: subotnik@gmx.de (Michael Nahrath) Date: Mon Apr 14 13:28:55 2003 Subject: addkey edit option In-Reply-To: <200304122224.00676.linux@codehelp.co.uk> References: <200304122224.00676.linux@codehelp.co.uk> Message-ID: <3E989C98.7040106@gmx.de> This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig3D328300397EDF2CF58AFB18 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Neil Williams wrote: > Before I do something I will later regret, I thought I'd ask. > :-) Good Idea! > I currently have just an ElGamal subkey on my main GnuPG key, 28BCB3E3. > > I've created a test key that isn't on any keyservers yet to which I've added > other subkeys, RSA (1 sign + 1 encrypt) and DSA. > > Does this make this key > 1: more, or less, secure? There were additional possible weaknesses and attacks to vare for. > 2: more or less compatible with PGP? AFAIK the only PGP-Versions that don't understand eGamal subkeys not understand any subkeys at all. OTOH Keys with more than one subkey are still a problem, at least to the most existing keyservers. > What does it add / subtract from the usefulness of the key? Irritate people. Trigger esotheric bugs ... Greeting, Michi --------------enig3D328300397EDF2CF58AFB18 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (Darwin) Comment: http://www.biglumber.com/x/web?qs=0x9A4C704C iEYEARECAAYFAj6YnKQACgkQ19dRf5pMcEwu5QCffz8BG6dBXg3Gk0iBkBX9no1T UdIAn2oFE0NULpZZ/tdkhKc+oDTk85pv =diNx -----END PGP SIGNATURE----- --------------enig3D328300397EDF2CF58AFB18-- From neil@codehelp.co.uk Mon Apr 14 14:29:22 2003 From: neil@codehelp.co.uk (Neil Williams) Date: Mon Apr 14 13:29:22 2003 Subject: trying to export the sender key In-Reply-To: <200304131747.30510.pknoob@noos.fr> References: <200304131747.30510.pknoob@noos.fr> Message-ID: <200304131909.57529.linux@codehelp.co.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sunday 13 Apr 2003 4:47 pm, Don Patou wrote: > I've just created my keys from the gnupg tutorial on > http://technocage.com/~caskey/gnupg/gpg-cmt.html. The problem is that when > I try to export my sender key with this line: > "joe@debian:~/keys/recipient$ gpg --homedir -a --export recipient" If you use --homedir, you need to specify a directory for it to use. If you've followed the defaults, it'll be in ~/.gnupg/ and you won't need --homedir anyway. Use ls -a ~ to list the entire contents of your home directory and look for .gnupg/ Replace recipient with the keyid (or leave blank to get all keys). If you only have your key in place, use: gpg -a --export > export.asc This will create a text file called export.asc containing the public key. > I get a: > "gpg: keyblock resource `-a/secring.gpg': file open error > gpg: keyblock resource `-a/pubring.gpg': file open error Because of the --homedir setting, gpg is misreading the -a option as a directory. - -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE+maf0k7DVr6iX/QIRAgz7AJ0YkhL6EEOtHKmJPvjqoSWGtP2bDQCfS4UC 7UTQ32A2ZvzIKKj4/jitqxA= =8cu0 -----END PGP SIGNATURE----- From wk@gnupg.org Mon Apr 14 15:50:01 2003 From: wk@gnupg.org (Werner Koch) Date: Mon Apr 14 14:50:01 2003 Subject: Best GnuPG tool for the non-technical windows user In-Reply-To: <10ee3d35776613eba9c3a8cbeb389794@melontraffickers.com> (A.Melon's message of "Fri, 11 Apr 2003 07:46:58 -0700 (PDT)") References: <10ee3d35776613eba9c3a8cbeb389794@melontraffickers.com> Message-ID: <87n0itz1d0.fsf@alberti.g10code.de> On Fri, 11 Apr 2003 07:46:58 -0700 (PDT), A Melon said: > best way to accomplish this? Or should I get them using plugins (in this case > for either Mozilla Mail or Qualcomm's Eudora)? I want to make this as simple Moziall+Enigmail(+GnuPG) seems to be the best cross-platform email encryption tool. -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From thompsma@colorado.edu Mon Apr 14 17:24:02 2003 From: thompsma@colorado.edu (The Matt) Date: Mon Apr 14 16:24:02 2003 Subject: Removing photo from key? Message-ID: <1050330310.20715.2.camel@ixion.colorado.edu> --=-wAzRqAfUEH0Q4x3uIDAq Content-Type: text/plain Content-Transfer-Encoding: quoted-printable I recently learned (after years of using GPG :p) that photos can be embedded into a person's key. I thought, that's cool, and saw that using 'addphoto' under --edit-key was how you did it. But, I had a question before I did it: =20 Is there a way to remove the photo from the key? I can't see anything about it in the gpg man page, so I thought I'd ask this group. Thanks, Matt --=20 "And isn't sanity really just a one-trick pony, anyway? I mean, all you get is one trick, rational thinking, but when you're good and crazy, ooh ooh ooh, the sky's the limit!" -- The Tick The Matt -- http://ucsub.colorado.edu/~thompsma/ --=-wAzRqAfUEH0Q4x3uIDAq Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+msTF0XRaGMGO968RAmt/AKCw+77Jd3er9qtDcCd8yq6NLwAv1gCfTaVC K5g+ShoLs+loGWjy+Gwe164= =hHi1 -----END PGP SIGNATURE----- --=-wAzRqAfUEH0Q4x3uIDAq-- From graham.todd@ntlworld.com Mon Apr 14 18:04:02 2003 From: graham.todd@ntlworld.com (Graham) Date: Mon Apr 14 17:04:02 2003 Subject: Best GnuPG tool for the non-technical windows user In-Reply-To: <10ee3d35776613eba9c3a8cbeb389794@melontraffickers.com> References: <10ee3d35776613eba9c3a8cbeb389794@melontraffickers.com> Message-ID: <200304141609.48935.graham.todd@ntlworld.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Friday 11 Apr 2003 3:46 pm, A.Melon wrote: > I'm interested in helping some non-technical people get up and > running with encryption; a good thing. Is GPA + WinPT (as read in an > older post) still the best way to accomplish this? Or should I get > them using plugins (in this case for either Mozilla Mail or > Qualcomm's Eudora)? I want to make this as simple as possible for > them. Thanks for any pertinent information. First of all, get the latest version of GPG and look and set up the=20 gpg.cof file correctly: this will sort out 85% of all problems. I take=20 it you are using Windows, so get the version of GPG at=20 http://www.nullify.org because it seems to be compiled with a slightly=20 more Windows-friendly compiler. Unless you're familiar with the Dos box, I'd suggest that you get a GUI=20 front end. This will help you access the functions of GPG through a=20 graphical interface, and here you have two options; WinPT or GPGShell. =20 Although it is not open source, I would favour GPGShell as its more=20 like PGP's interface and a little more mature, and some of your users=20 might find it easier to use. Links to both programs are on the=20 nullify.org site. If you want an email program that is easy to use and integrates well=20 with GPG, I would go for Enigmail. This is a Mozilla project that=20 makes Mozilla Mail integrate with GPG and has PGP/MIME capabilities. =20 However, I would not use it with Mozilla, but with Beonex Communicator,=20 which is an end-user version of Mozilla, is much easier to use, and=20 more secure. You can get it at : http://www.beonex.com/communicator/ and you will find most Mozilla projects are compatible with it. However Enigmail is merely an extension of the inbuilt mailer: all the=20 shortcomings of the email program are still there, and Enigmail will=20 not carry out key management for you. That's why you ALSO require a=20 GUI front end. Finally, join the PGP-Basics mailing list at=20 http://groups.yahoo.com/group/PGP-Basics which is more Windows centric=20 and they have a number of downloadable howto documents and a wealth of=20 experienced users of GPG in Windows for you to ask even the basic=20 question. HTH - --=20 Graham GPG Keys at encryption.keys@ntlworld.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Please sign and encrypt for internet privacy iD8DBQE+ms83IwtBZOk1250RAqTpAJ4yn7rlpdp7jCJ6FQrTBnwaZ1oU5wCggQst 0SKbYKDTSoke+F8lcg8v42I=3D =3D+eiG -----END PGP SIGNATURE----- From faide@alphacent.com Mon Apr 14 18:35:01 2003 From: faide@alphacent.com (Aide Florent) Date: Mon Apr 14 17:35:01 2003 Subject: Removing photo from key? In-Reply-To: <1050330310.20715.2.camel@ixion.colorado.edu> References: <1050330310.20715.2.camel@ixion.colorado.edu> Message-ID: <200304141721.22188.faide@alphacent.com> =2D----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 yes, you just need to select it as the UID you want to work on: uid # where # is the number shown on the photo line, it should add a star "*" jus= t=20 after the number like that : (3)* [jpeg image of size 1798] and then issue a "deluid" command that's all.. =46lorent AIDE > Is there a way to remove the photo from the key? > > I can't see anything about it in the gpg man page, so I thought I'd ask > this group. =2D----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+mtHuQe8gCED8yYERAjknAKC2t7E5HUf9K2IXmJ5Zj9HqwOxgYQCgyawE 40m6D6ImzbCW/eJt09E6hZg=3D =3DNBt3 =2D----END PGP SIGNATURE----- From eugene@esmiley.net Mon Apr 14 19:12:02 2003 From: eugene@esmiley.net (Eugene Smiley) Date: Mon Apr 14 18:12:02 2003 Subject: Removing photo from key? In-Reply-To: <1050330310.20715.2.camel@ixion.colorado.edu> Message-ID: --=_ttjc.1SN9htH0jcC96uJUOoKkJ7x9p Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable gnupg-users-admin@gnupg.org wrote:=20 > I recently learned (after years of using GPG :p) that photos can > be embedded into a person's key. I thought, that's cool, and saw > that using 'addphoto' under --edit-key was how you did it. But, > I had a question before I did it:=20 >=20 > Is there a way to remove the photo from the key? >=20 > I can't see anything about it in the gpg man page, so I thought > I'd ask this group.=20 --edit-key help lists the commands to edit your key, but it doesn't list = a specific command to delete an image.=20 That might be irrelevant though. You can select it by typing its number, = then try 'deluid'. I haven't tried this though, therefore it's just a = guess. This is all moot if you or someone else sends your key to a keyserver as = you can't effectively delete sigs/uids/photos once they reach a = keyserver. You can only revoke at that point. Eugene --=_ttjc.1SN9htH0jcC96uJUOoKkJ7x9p Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (MingW32) - GPGrelay v0.92 iD8DBQA+mt336QPtAqft/S8RAkbhAJ9zvODJF04FfMaaq8l9HeJVEkk5wQCgjUYN Od6iLWLxGFp5ri2Zlr3ANK8= =k9HY -----END PGP SIGNATURE----- --=_ttjc.1SN9htH0jcC96uJUOoKkJ7x9p-- From jbruni@mac.com Tue Apr 15 00:20:02 2003 From: jbruni@mac.com (Joseph Bruni) Date: Mon Apr 14 23:20:02 2003 Subject: gnupg on hpux 11.11 Message-ID: <7874427.1050355283191.JavaMail.jbruni@mac.com> Hey! That's the same error I got. Go into the intl/gettextP.h file and add a line at the beginning: #define inline This will get you working. This is caused by a language parsing bug in HP's ANSI C compiler. Joe Bruni On Friday, April 11, 2003, at 07:38AM, Jacques Dejean wrote: >Hello, > >In building gnupg v1.2.1, I encounter the following error -- >---------------------------------------------------------------------------- >------------------------------------ ># make >make all-recursive >make[1]: Entering directory `/u01/gnupg/gnupg-1.2.1' >Making all in intl >make[2]: Entering directory `/u01/gnupg/gnupg-1.2.1/intl' >cc -c -DLOCALEDIR=\"/opt/gnupg/share/locale\" >-DLOCALE_ALIAS_PATH=\"/opt/gnupg/share/locale\" -DLIBDIR=\"/opt/gnupg/lib\" >-DHAVE_CONFIG_H -I.. -I. -I../intl -g -Ae -D_HPUX_SOURCE intl-compat.c >cc: "gettextP.h", line 67: error 1000: Unexpected symbol: "SWAP". >cc: panic 2017: Cannot recover from earlier errors, terminating. >make[2]: *** [intl-compat.o] Error 1 >make[2]: Leaving directory `/u01/gnupg/gnupg-1.2.1/intl' >make[1]: *** [all-recursive] Error 1 >make[1]: Leaving directory `/u01/gnupg/gnupg-1.2.1' >make: *** [all] Error 2 ># >---------------------------------------------------------------------------- >------------------------------------- > >I ran the compile with "-E" flag set, and I see the variables being set; >however, I don't understand why it's complaining about SWAP > >#ifdef _LIBC ># include ># define SWAP(i) bswap_32 (i) >#else >static inline nls_uint32 >SWAP (i) > nls_uint32 i; >{ > return (i << 24) | ((i & 0xff00) << 8) | ((i >> 8) & 0xff00) | (i >> 24); >} >#endif > >Any suggestions? I appreciate it. > >Regards, >Jacques V. Dejean >Lead Systems Administrator >Alliance Entertainment >(v) 954-255-4344 > > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -- PGP Fingerprint: 886F 6A8A 68A1 5E90 EF3F 8EFA E2B8 3F99 7343 C1E3 From Montgomery.Groff@echostar.com Tue Apr 15 03:53:01 2003 From: Montgomery.Groff@echostar.com (Groff, Montgomery) Date: Tue Apr 15 02:53:01 2003 Subject: gpg and ximian 1.2.2 for redhat9 Message-ID: <1050368076.28501.4.camel@linux59> I recently installed Red Hat 9 which comes with the Ximian evelution mail client. I like the interface, however I'm having trouble decrypting messages. Are there any special tricks I need to know to get it to work? Has anyone else experienced a similar problem? As a side note: If I use the kmail client I CAN decrypt the message so I know the keys are good. Thanks, -monty From chris@yonderway.com Tue Apr 15 04:04:01 2003 From: chris@yonderway.com (Chris Hedemark) Date: Tue Apr 15 03:04:01 2003 Subject: hardware acceleration? Message-ID: <3F474B1F-6EDE-11D7-8B15-0003939CC61E@yonderway.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I've been googling for this with no luck and hoping to get a firm answer on this. I'm building a web site for crypto advocacy, and a big chunk of the tool set I'm working on centers around GnuPG. Because the site is so crypto-intensive, and I'm working with my own limited out-of-pocket funds, I'm hoping to push off some of the GnuPG work to a PCI card. For example, with OpenBSD I can push IPSec and OpenSSH crypto work off to a Soekris card so the host processor isn't bogged down. Can I do something like this with GnuPG? Or is my only hope to have a really really fast host processor(s)? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (Darwin) iEYEARECAAYFAj6bWrIACgkQYPuF4Zq9lvbBmQCg2ZydGjXJwthlQtoYXP44ychA OtEAn3xm1JePTLI1gUk1Vorx+c9U2hCu =Ssww -----END PGP SIGNATURE----- From jharris@widomaker.com Tue Apr 15 06:01:01 2003 From: jharris@widomaker.com (Jason Harris) Date: Tue Apr 15 05:01:01 2003 Subject: hardware acceleration? In-Reply-To: <3F474B1F-6EDE-11D7-8B15-0003939CC61E@yonderway.com> References: <3F474B1F-6EDE-11D7-8B15-0003939CC61E@yonderway.com> Message-ID: <20030415030221.GF52142@pm1.ric-37.lft.widomaker.com> --b8GWCKCLzrXbuNet Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Apr 14, 2003 at 09:04:45PM -0400, Chris Hedemark wrote: > I've been googling for this with no luck and hoping to get a firm=20 > answer on this. Google? Just use the source. > I'm building a web site for crypto advocacy, and a big chunk of the=20 > tool set I'm working on centers around GnuPG. Because the site is so=20 > crypto-intensive, and I'm working with my own limited out-of-pocket=20 > funds, I'm hoping to push off some of the GnuPG work to a PCI card. =20 > For example, with OpenBSD I can push IPSec and OpenSSH crypto work off=20 > to a Soekris card so the host processor isn't bogged down. Can I do=20 > something like this with GnuPG? Or is my only hope to have a really=20 > really fast host processor(s)? The topic has come up (again?) recently, but the support isn't currently there. Have you looked at cryptolib or coding something that links to OpenSSL? Can you tell us more about the new website? --=20 Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com | web: http://jharris.cjb.net/ --b8GWCKCLzrXbuNet Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+m3Y8SypIl9OdoOMRAvt0AKCc5YloNrAzVsDRLmeVUQWbG9DeEgCgxXF1 a0diVZbV9y6uc1Tm2y5/H+c= =aTpI -----END PGP SIGNATURE----- --b8GWCKCLzrXbuNet-- From sascha-news-NOSPAM@sascha.silbe.org Tue Apr 15 12:30:02 2003 From: sascha-news-NOSPAM@sascha.silbe.org (Sascha Silbe) Date: Tue Apr 15 11:30:02 2003 Subject: Cannot sign key with expired signature Message-ID: One of my friends has prolonged his key, so I want to prolong my signature on it, but GnuPG refuses to sign that key again. His key and my expired sig on it: === Begin === sascha@cube:~$ gpg --list-sigs CE9DDE57 pub 1024D/CE9DDE57 2001-03-12 Caspar Bothmer sig 3 CE9DDE57 2001-03-12 Caspar Bothmer sig 6135C35B 2001-03-21 Old key - please use 74E5CF87 instead sig 3 X 74E5CF87 2002-06-13 Sascha Silbe sig 3 CE9DDE57 2003-03-13 Caspar Bothmer sub 2048g/A2366D02 2001-03-12 [expires: 2003-03-12] sig CE9DDE57 2001-03-12 Caspar Bothmer sub 2048G/3ECA1531 2002-09-09 [expires: 2004-09-08] sig CE9DDE57 2002-09-09 Caspar Bothmer === End === Trying to sign the key again: === Begin === sascha@cube:~$ gpg --sign-key CE9DDE57 pub 1024D/CE9DDE57 created: 2001-03-12 expires: 2005-03-12 trust: m/- sub 2048g/A2366D02 created: 2001-03-12 expires: 2003-03-12 sub 2048G/3ECA1531 created: 2002-09-09 expires: 2004-09-08 (1). Caspar Bothmer "Caspar Bothmer " was already signed by key 74E5CF87 Nothing to sign with key 74E5CF87 Key not changed so no update needed. === End === Is this a bug or am I just missing something? CU/Lnx Sascha -- Registered Linux User #77587 (http://counter.li.org/) bomb terrorist afghanistan PGP encrypt CIA FBI BND MAD StaSi anschlag strike sex pussy xxx kill bj hitler Gates MS Windows ZV ZDV From rodmur@maybe.org Tue Apr 15 12:30:29 2003 From: rodmur@maybe.org (Dale Harris) Date: Tue Apr 15 11:30:29 2003 Subject: gnupg on hpux 11.11 In-Reply-To: References: Message-ID: <20030414151334.GS26351@maybe.org> On Fri, Apr 11, 2003 at 09:38:38AM -0400, Jacques Dejean elucidated: > Hello, > > In building gnupg v1.2.1, I encounter the following error -- > ---------------------------------------------------------------------------- > ------------------------------------ > # make > make all-recursive > make[1]: Entering directory `/u01/gnupg/gnupg-1.2.1' > Making all in intl > make[2]: Entering directory `/u01/gnupg/gnupg-1.2.1/intl' > cc -c -DLOCALEDIR=\"/opt/gnupg/share/locale\" > -DLOCALE_ALIAS_PATH=\"/opt/gnupg/share/locale\" -DLIBDIR=\"/opt/gnupg/lib\" > -DHAVE_CONFIG_H -I.. -I. -I../intl -g -Ae -D_HPUX_SOURCE intl-compat.c > cc: "gettextP.h", line 67: error 1000: Unexpected symbol: "SWAP". You'll probably have better luck with gcc. So you might want to try compiling that up first. Especially since it does appear that you are using the optional, non-free HPUX ANSI C compiler. -- Dale Harris rodmur@maybe.org /.-) From gareth.woodhouse@pinnacle.co.uk Tue Apr 15 13:30:02 2003 From: gareth.woodhouse@pinnacle.co.uk (Gareth Woodhouse) Date: Tue Apr 15 12:30:02 2003 Subject: Possible Bug with WINGPGA? Message-ID: This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C30339.80E77EE0 Content-Type: text/plain; charset="iso-8859-1" I am using WINGPGA to allow batch decryption via gpg (GnuPG) 1.2.1 Home: C:/GnuPG Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160 Compress: Uncompressed, ZIP, ZLIB in a windows 2000 enviroment to avoid repetitive password requests. However after 3000-3300 decrypts the decrypt fails and I have to kill the agent - restart it and re-input the password for it to work again. Has anyone else found this problem or hads anyone a possible work around? Thanks. Gareth Woodhouse Analyst Programmer Email : gareth.woodhouse@pinnacle.co.uk Ext : 2431 Tel : (0208) 2079431 Fax : (0208) 9538629 http://www.pinnacle.co.uk *********************************************************************** CONFIDENTIALITY. This e-mail and any attachments are confidential and may also be privileged. If you are not the named recipient, please notify the sender immediately and do not disclose the contents to another person, use it for any purpose, or store or copy the information in any medium. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Pinnacle Insurance Plc. If you have received this e-mail in error please immediately notify our Helpdesk on +44 (0) 20 8207 9555. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.mimesweeper.com ********************************************************************** ------_=_NextPart_001_01C30339.80E77EE0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Possible Bug with WINGPGA?

I am using WINGPGA to allow batch decryption via gpg (Gnu= PG) 1.2.1
Home: C:/GnuPG
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOF= ISH
Hash: MD5, SHA1, RIPEMD160
Compress: Uncompressed, ZIP, ZLIB
in a windows 2000 enviroment to avoid repetitive passwor= d requests.

However after 3000-3300 decrypts the decrypt fails and I = have to kill the agent - restart it and re-input the password for it to wor= k again.

Has anyone else found this problem or hads anyone a possi= ble work around?

Thanks.


Gareth Woodhouse
Analyst Programmer
Email : gareth.woodhouse@pinnacle.co.uk
Ext : 2431
Tel  : (0208) 2079431
Fax : (0208) 9538629
= http://www.pinnacle.co.uk




***********************************************************************
CONFIDENTIALITY. This e-mail and any attachments are
confidential and may also be privileged. If you are not the
named recipient, please notify the sender immediately and
do not disclose the contents to another person, use it for any
purpose, or store or copy the information in any medium. Any
views expressed in this message are those of the individual
sender, except where the sender specifically states them to
be the views of Pinnacle Insurance Plc.

If you have received this e-mail in error please immediately
notify our Helpdesk on +44 (0) 20 8207 9555.

This footnote also confirms that this email message has been
swept by MIMEsweeper for the presence of computer viruses.

www.mimesweeper.com
**********************************************************************
 ------_=_NextPart_001_01C30339.80E77EE0-- From chris@yonderway.com Tue Apr 15 13:49:01 2003 From: chris@yonderway.com (Chris Hedemark) Date: Tue Apr 15 12:49:01 2003 Subject: hardware acceleration? In-Reply-To: <20030415030221.GF52142@pm1.ric-37.lft.widomaker.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Monday, April 14, 2003, at 11:02 PM, Jason Harris wrote: > Google? Just use the source. This is gnupg-users, not gnupg-devel. > The topic has come up (again?) recently, but the support isn't > currently there. > > Have you looked at cryptolib or coding something that links to OpenSSL? Again, see the TO: header. > Can you tell us more about the new website? cryptonly.{com,net,org} (don't bother looking, it's not there yet outside of my laptop) is intended to be a crypto-for-all advocacy site. When I say all I'm not talking about just little old ladies or the technophobic coworker, but also enough tech there to satisfy sysadmins and developers alike. I've been learning PHP to put some front end tools together for GnuPG, OpenSSL and other tools. I don't want to give too much away at this point but I am looking at some of the great work Darxus has done with the web of trust analysis and improving upon that for a web based user. I've also got a farm of oddball machines that are a little old but still current enough to be relevant for cross-platform development purposes (sparc, sparc64, alpha, vax, hp-parisc, etc). I've already talked a very little bit with one of the GnuPG developers to gauge interest in using this farm for GnuPG development and it looks like that might come to fruition in a few months. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (Darwin) iEYEARECAAYFAj6b49cACgkQYPuF4Zq9lvbpYACfRzkRkzAKl0Ev30oIT6bsV3kB i4UAoJwLk5IB9SKyBQvc3UQTM1eYe4I1 =K5q8 -----END PGP SIGNATURE----- From wk@gnupg.org Tue Apr 15 14:00:01 2003 From: wk@gnupg.org (Werner Koch) Date: Tue Apr 15 13:00:01 2003 Subject: hardware acceleration? In-Reply-To: <20030415030221.GF52142@pm1.ric-37.lft.widomaker.com> (Jason Harris's message of "Mon, 14 Apr 2003 23:02:21 -0400") References: <3F474B1F-6EDE-11D7-8B15-0003939CC61E@yonderway.com> <20030415030221.GF52142@pm1.ric-37.lft.widomaker.com> Message-ID: <877k9wxbwa.fsf@alberti.g10code.de> On Mon, 14 Apr 2003 23:02:21 -0400, Jason Harris said: > The topic has come up (again?) recently, but the support isn't > currently there. Well, this is mainly because I have no board or a project which allows me to buy one. -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From ams@kemisten.nu Tue Apr 15 14:59:02 2003 From: ams@kemisten.nu (Alfred M. Szmidt) Date: Tue Apr 15 13:59:02 2003 Subject: hardware acceleration? In-Reply-To: <877k9wxbwa.fsf@alberti.g10code.de> (message from Werner Koch on Tue, 15 Apr 2003 13:01:25 +0200) References: <3F474B1F-6EDE-11D7-8B15-0003939CC61E@yonderway.com> <20030415030221.GF52142@pm1.ric-37.lft.widomaker.com> <877k9wxbwa.fsf@alberti.g10code.de> Message-ID: Har ar delar av sidan. Urvalsresultat f=F6r 801204-6572 ALFRED M. SZMIDT H=E4r kan du se utfallet av det senaste urvalet f=F6r din del.=20 KURS INOM PROGRAM - 84547 KURS INOM PROGRAM Anm=E4lningsnummer 84547 Huvudkurs Alternativ Anm.kod Resultat Anm. Kurs 1 DATORSYSTEM DV1 10763 Kurs 2 ALGORITMER OCH DATASTRUKTURER DV2 10524 Kurs 3 DATAJURIDIK OCH HANDELSR=C4TT 21582 Kurs 4 ALGEBRA DV2 10484 Till=E4ggskurs Kurs 1 POLSKA I 53802 From szeder@ira.uka.de Tue Apr 15 16:14:01 2003 From: szeder@ira.uka.de (Szeder Gabor) Date: Tue Apr 15 15:14:01 2003 Subject: adduid questions In-Reply-To: <20030403002759.GH2873@jabberwocky.com> References: <3E8B4F43.9010202@oracle.com> <20030403002759.GH2873@jabberwocky.com> Message-ID: <20030415131456.GA2676@elysium.ira.uka.de> Hi! On Thu, Apr 03, 2003 at 01:27:11AM +0000, David Shaw wrote: > If I understand your email properly, you have a single key with two > email addresses (work and home). In this case, it doesn't matter > which email address you use - they'll end up pointing to the same key. If someone imports my pubkey with my two email addresses, than he can see both emails with gpg --editkey . If I don't want this, I must have two different keys, am I right? > If you have two actual different keys, then you can select which key > to use with the -u command line option. If I have two different keys, than have these keys a common web of trust or has each key its own web of trust? bye, Gábor Szeder -- sz From ams@kemisten.nu Tue Apr 15 16:15:01 2003 From: ams@kemisten.nu (Alfred M. Szmidt) Date: Tue Apr 15 15:15:01 2003 Subject: hardware acceleration? In-Reply-To: (ams@kemisten.nu) References: <3F474B1F-6EDE-11D7-8B15-0003939CC61E@yonderway.com> <20030415030221.GF52142@pm1.ric-37.lft.widomaker.com> <877k9wxbwa.fsf@alberti.g10code.de> Message-ID: Argh! This was the completly wrong email address. Sorry for that. And uhm, yeah forget whatever was written in the mail. :) If someone could, please remove it from the archives. From heiko.teichmeier@sw-meerane.de Tue Apr 15 16:56:02 2003 From: heiko.teichmeier@sw-meerane.de (Heiko Teichmeier) Date: Tue Apr 15 15:56:02 2003 Subject: enigmail, key-retrieve and http-proxy Message-ID: <3E9C0F12.3050905@sw-meerane.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi list, my "auto-key-retrieve" with enigmail 0.71.0 and gnupg 1.2.1 over a http-proxy (Squid) works now! I would give a help to users with nearly problem: - - first you must set following enviroment-variables (Win9x - 'autoexec.bat', WinNT/2000 - 'enviroment' or 'Umgebungsvariablen'): http_proxy=3Dhttp://your-local-net-proxy-adress:proxy-port (*:3128 if you use squid) ENIGMAIL_PASS_ENV=3Dhttp_proxy - - after this you must restart to activate the enivroment-variables! - - in 'gpg.conf' must set: keyserver x-hkp://blackhole.pca.dfn.de keyserver-options honor-http-proxy keyserver-options auto-key-retrieve - - in 'engimail->advanced' it must set: keyserver: x-hkp://blackhole.pca.dfn.de - - next you must configure your proxy to accept connections from your localnet *without authentication*! This whas my problem, because we use http-proxy with authentication. In 'squid.conf' you must set the destination-domain-names that can access without authentication *before* the authentication-allow-line: Accesslist: acl xhkp-server-1 dest_domain_regex blackhole.pca.dfn.de At the access-allow section it must follow: http_access allow xhkp-server-1 * * http_access allow authent-user If you would save your proxy against extern users you must add a acl that allow only user from your net: acl xhkp-server-1 dest_domain_regex blackhole.pca.dfn.de acl my_net src 192.168.0.0/255.255.255.0 # allow IP's from 192.168.0.0 - 192.168.0.255 than you combine the acls ('and' combination): http_access allow my_net xhkp-server-1 * * http_access allow authent-user I has test the access with enigmail and everytime I has looked with one eye to the squid-access-logfile. So I can see the 'TCP_DENIED'-message and I know, that my enigmail would have a connection to the proxy, but it get no access from http-proxy. At your firewall you *don't must allow the port 11371* to get access to the key-server - the www-port is enough. The request I see in the squid-access-logfile looks so: Get http://blackhole.pca.dfn.de:11371/pks/lookup? I hope that now more user can access with 'auto-key-retrieve' over a http-proxy to a keyserver. - -- Mit freundlichen Gr=FC=DFen Stadtwerke Meerane GmbH Teichmeier Netzmeister NB Elt ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ heiko.teichmeier@sw-meerane.de Tel: +49 3764 791720 Fax: +49 3764 791719 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.sw-meerane.de ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1-nr1 (Windows 98) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+nA8RD371SiWcNJkRAhL3AJ9AS1qGJ0bvxXbaRieokq98l2UbuwCeIviL zoCI7pyFZRGCIHlzDvsCGGo=3D =3DI3hl -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Tue Apr 15 18:27:03 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Tue Apr 15 17:27:03 2003 Subject: Cannot sign key with expired signature In-Reply-To: References: Message-ID: <20030415140443.GA4314@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, Apr 14, 2003 at 02:43:29PM +0200, Sascha Silbe wrote: > > One of my friends has prolonged his key, so I want to prolong my signature > on it, but GnuPG refuses to sign that key again. > > His key and my expired sig on it: > > === Begin === > sascha@cube:~$ gpg --list-sigs CE9DDE57 > pub 1024D/CE9DDE57 2001-03-12 Caspar Bothmer > sig 3 CE9DDE57 2001-03-12 Caspar Bothmer > sig 6135C35B 2001-03-21 Old key - please use 74E5CF87 instead > sig 3 X 74E5CF87 2002-06-13 Sascha Silbe > sig 3 CE9DDE57 2003-03-13 Caspar Bothmer > sub 2048g/A2366D02 2001-03-12 [expires: 2003-03-12] > sig CE9DDE57 2001-03-12 Caspar Bothmer > sub 2048G/3ECA1531 2002-09-09 [expires: 2004-09-08] > sig CE9DDE57 2002-09-09 Caspar Bothmer > === End === > > Trying to sign the key again: > > === Begin === > sascha@cube:~$ gpg --sign-key CE9DDE57 > > pub 1024D/CE9DDE57 created: 2001-03-12 expires: 2005-03-12 trust: m/- > sub 2048g/A2366D02 created: 2001-03-12 expires: 2003-03-12 > sub 2048G/3ECA1531 created: 2002-09-09 expires: 2004-09-08 > (1). Caspar Bothmer > > "Caspar Bothmer " was already signed by key 74E5CF87 > Nothing to sign with key 74E5CF87 > Key not changed so no update needed. > === End === > > Is this a bug or am I just missing something? No, this is a real problem. GnuPG should allow you to re-sign a uid when the new signature has a different expiration date than the original. I'll fix that. In the meantime, a workaround is to use "delsig" in the --edit-key menu to remove the old signature before re-signing. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+nBF74mZch0nhy8kRArYSAJ9MZisVErrPKcIw0EZW8M5y28pUyACfToJD q9ns+wS7sZIjUzyMTj6Q2es= =Me32 -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Tue Apr 15 18:29:23 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Tue Apr 15 17:29:23 2003 Subject: adduid questions In-Reply-To: <20030415131456.GA2676@elysium.ira.uka.de> References: <3E8B4F43.9010202@oracle.com> <20030403002759.GH2873@jabberwocky.com> <20030415131456.GA2676@elysium.ira.uka.de> Message-ID: <20030415152956.GC4314@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, Apr 15, 2003 at 03:14:56PM +0200, Szeder Gabor wrote: > Hi! > > On Thu, Apr 03, 2003 at 01:27:11AM +0000, David Shaw wrote: > > If I understand your email properly, you have a single key with two > > email addresses (work and home). In this case, it doesn't matter > > which email address you use - they'll end up pointing to the same key. > If someone imports my pubkey with my two email addresses, than he can > see both emails with gpg --editkey . If I don't want this, I > must have two different keys, am I right? Correct. > > If you have two actual different keys, then you can select which key > > to use with the -u command line option. > If I have two different keys, than have these keys a common web of > trust or has each key its own web of trust? Each has its own, but it is common in cases like this to sign each key with the other to join the webs. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+nCV04mZch0nhy8kRArGVAKDGx7rDISD+ZdWiFj8RFVXtq2UERgCgyxZJ I84WvPSx7IS97O+PYJeORQw= =Yv8o -----END PGP SIGNATURE----- From rmalayter@bai.org Tue Apr 15 18:44:02 2003 From: rmalayter@bai.org (Ryan Malayter) Date: Tue Apr 15 17:44:02 2003 Subject: hardware acceleration? Message-ID: <792DE28E91F6EA42B4663AE761C41C2A390C2F@cliff.bai.org> From: Chris Hedemark [mailto:chris@yonderway.com]=20 >Can I do something like this with GnuPG?=20 >Or is my only hope to have a really really=20 >fast host processor(s)? I believe you're going to need to modify the GnuPG codebase on your own to support whatever crypto acceleration hardware you'd like to use. I believe GnuPG in its current form it is designed to have as few hardware and OS dependencies as possible. CPU power is very cheap these days, and GnuPG uses a wide variety of algorithms. Most off-the-shelf acceleration hardware you can get will not accelerate GnuPG's widely used Diffie-Hellman, Blowfish, and CAST algorithms. It probably will accelerate RSA, AES, and 3DES, which are commonly used in SSL and Ipsec. Since 3 GHz CPUs can be had for under $500, I think speding money on some super-fast multiple CPU P4 hardware will probably offer more performance than (very selective) crypto hardware acceleration in your situation. -ryan- From ingo.kloecker@epost.de Tue Apr 15 23:55:02 2003 From: ingo.kloecker@epost.de (Ingo =?iso-8859-1?q?Kl=F6cker?=) Date: Tue Apr 15 22:55:02 2003 Subject: gpg and ximian 1.2.2 for redhat9 In-Reply-To: <1050368076.28501.4.camel@linux59> References: <1050368076.28501.4.camel@linux59> Message-ID: <200304152215.24180@erwin.ingo-kloecker.de> --Boundary-02=_bhGn+yjCLDXkXuC Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Tuesday 15 April 2003 02:54, Groff, Montgomery wrote: > I recently installed Red Hat 9 which comes with the Ximian evelution > mail client. I like the interface, however I'm having trouble > decrypting messages. Are there any special tricks I need to know to > get it to work? Has anyone else experienced a similar problem? > > As a side note: If I use the kmail client I CAN decrypt the message > so I know the keys are good. Most likely Evolution doesn't support either old-style inline encrypted=20 messages or new-style PGP/MIME messages. KMail 1.5+ supports both=20 formats. Regards, Ingo --Boundary-02=_bhGn+yjCLDXkXuC Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+nGhbGnR+RTDgudgRAu7KAKCYcX0sCY/7qIrxu7hqWQIRgnLoPACfUtmW 5P++aqfzU4WJYX7mCdBelRY= =IvFd -----END PGP SIGNATURE----- --Boundary-02=_bhGn+yjCLDXkXuC-- From twoaday@freakmail.de Wed Apr 16 00:37:01 2003 From: twoaday@freakmail.de (Timo Schulz) Date: Tue Apr 15 23:37:01 2003 Subject: Possible Bug with WINGPGA? In-Reply-To: References: Message-ID: <20030415213407.GA1476@daredevil.joesixpack.net> On Tue Apr 15 2003; 11:26, Gareth Woodhouse wrote: > However after 3000-3300 decrypts the decrypt fails and I have to kill the > agent - restart it and re-input the password for it to work again. The Windows version of the GPG-Agent is still beta. It's nice to hear it works for such an amount of files (data) but I guess there are a lot of problems I still not discovered. > Has anyone else found this problem or hads anyone a possible work around? Currently I've no idea how to fix it or if the server or the client part of the sorce is the problem. But I will try to find something and to provide a patch for this ASAP. Timo -- "Der Tugendhafte begnügt sich, von dem zu träumen, was der Böse im Leben verwirklicht." -- Platon From chris@yonderway.com Wed Apr 16 02:48:02 2003 From: chris@yonderway.com (Chris Hedemark) Date: Wed Apr 16 01:48:02 2003 Subject: hardware acceleration Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tuesday, April 15, 2003, at 11:44 AM, Ryan Malayter wrote: > I believe you're going to need to modify the GnuPG codebase on your own > to support whatever crypto acceleration hardware you'd like to use. Will never happen; I'm a BOFH not a codemonkey. :-/ > I > believe GnuPG in its current form it is designed to have as few > hardware > and OS dependencies as possible. I'm not suggesting any dependency by any means, but rather the option to use hardware if it is present (which is precisely how OpenBSD handles its crypto built into the kernel in /dev/crypto) > CPU power is very cheap these days, and GnuPG uses a wide variety of > algorithms. Most off-the-shelf acceleration hardware you can get will > not accelerate GnuPG's widely used Diffie-Hellman, Blowfish, and CAST > algorithms. It probably will accelerate RSA, AES, and 3DES, which are > commonly used in SSL and Ipsec. True. > Since 3 GHz CPUs can be had for under $500, I think speding money on > some super-fast multiple CPU P4 hardware will probably offer more > performance than (very selective) crypto hardware acceleration in your > situation. The idea for using hardware acceleration is for several reasons: 1) Older machines are perfectly good for serving up web pages & email, but choke on crypto. Crypto cards are cheaper than new machines. 2) The old machines that are out there don't support new CPU's. So the so-called cheap 3GHz CPU becomes a lot more expensive when you figure in the additional cost of a system board, memory and an ATX case. 3) Even if I had a 3GHz system for the cryptonly.org site, I don't want the heavy GnuPG operations to slow down apache and PHP considerably if I can help it. Anyway I guess I'm just being cheap. I'm building this site with no funding or commercial goals. I've got a bunch of old hardware to throw at it but not a lot of money for newer hardware (though if you have a box you want to kick into the project and it is reasonably fast, let me know *grin*) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (Darwin) iEYEARECAAYFAj6cmhkACgkQYPuF4Zq9lvZXlwCeNB+Dl/T5Pt+/72n/tVLeYiMz yd4AoLp24PNquLHJaNG48SlPXe70P6cC =xuL+ -----END PGP SIGNATURE----- From jacob@oztechsystems.com Wed Apr 16 06:19:02 2003 From: jacob@oztechsystems.com (Jacob Solomon) Date: Wed Apr 16 05:19:02 2003 Subject: entropy Message-ID: <010101c303c7$458ab7c0$0201a8c0@ibm> This is a multi-part message in MIME format. ------=_NextPart_000_00FE_01C3038C.98E8BC40 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit I have a problem with running out of entropy when using gpg. The system is Solaris 8, with /dev/random and /dev/urandom installed, and using gpg 1.2.1. When I am using a single script, which continually encrypt files every minute, all is working well. However, when I fire up three scripts to encrypt files, after a while I get the following error: gpg: note: random_seed file is empty Here is the actual command I am using to encrypt the files: # gpg --batch --armor --cipher-algo AES192 --passphrase-fd 0 --symmetric file_name < cipher_file Any ideas for workaround/solutions? ------=_NextPart_000_00FE_01C3038C.98E8BC40 Content-Type: text/x-vcard; name="Jacob Solomon.vcf" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="Jacob Solomon.vcf" BEGIN:VCARD VERSION:2.1 N:Solomon;Jacob FN:Jacob Solomon ORG:OZtech Systems, Inc. TITLE:President & CEO TEL;WORK;VOICE:(650) 344-4409 TEL;CELL;VOICE:(650) 533-8833 TEL;PAGER;VOICE:(800) 433-2132 TEL;WORK;FAX:(650) 344-4439 ADR;WORK:;;2888 Canyon Rd.;Burlingame;CA;94010-6015;USA LABEL;WORK;ENCODING=3DQUOTED-PRINTABLE:2888 Canyon = Rd.=3D0D=3D0ABurlingame, CA 94010-6015=3D0D=3D0AUSA URL;WORK:http://www.oztechsystems.com EMAIL;PREF;INTERNET:jacob@oztechsystems.com REV:20030416T032129Z END:VCARD ------=_NextPart_000_00FE_01C3038C.98E8BC40-- From jbruni@mac.com Wed Apr 16 08:10:02 2003 From: jbruni@mac.com (Joseph Bruni) Date: Wed Apr 16 07:10:02 2003 Subject: entropy In-Reply-To: <010101c303c7$458ab7c0$0201a8c0@ibm> Message-ID: Does anyone else here see a major conflict with Stephen Hawking's theories of entropy and the heat-death of the universe? Imagine, we could set up automated clients to consume entropy instead of merely doing things like RC5-72 or SETI or OGR. Wow! What a concept. Consuming mass quantities of entropy would immediately increase the amount of order in the Universe. I think I might put this together into an essay and see about winning a Nobel or something... ;) On Tuesday, April 15, 2003, at 08:21 PM, Jacob Solomon wrote: > I have a problem with running out of entropy when using gpg. From xantor@linux.be Wed Apr 16 10:06:01 2003 From: xantor@linux.be (Michael Anckaert) Date: Wed Apr 16 09:06:01 2003 Subject: gpg and ximian 1.2.2 for redhat9 In-Reply-To: <200304152215.24180@erwin.ingo-kloecker.de> References: <1050368076.28501.4.camel@linux59> <200304152215.24180@erwin.ingo-kloecker.de> Message-ID: <1050476864.660.1.camel@carpathia> --=-Gl3P6Za7x8Dbqiu6UnKs Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable On Tue, 2003-04-15 at 22:15, Ingo Kl=F6cker wrote: > On Tuesday 15 April 2003 02:54, Groff, Montgomery wrote: > > I recently installed Red Hat 9 which comes with the Ximian evelution > > mail client. I like the interface, however I'm having trouble > > decrypting messages. Are there any special tricks I need to know to > > get it to work? Has anyone else experienced a similar problem? > > > > As a side note: If I use the kmail client I CAN decrypt the message > > so I know the keys are good. >=20 > Most likely Evolution doesn't support either old-style inline encrypted=20 > messages or new-style PGP/MIME messages. KMail 1.5+ supports both=20 > formats. >=20 > Regards, > Ingo Indeed, Evolution can't handle inline signatures or encrypted messages.=20 As a matter of fact, I recently sent such a feature report to the evolution team at ximian. They told to look into it for the next version. --=20 Greetings, Michael Anckaert aka The XanTor xantor AT linux.be michael.anckaert AT pi.be OpenPGP key: F7A6C3AB Fingerprint: A329 43FC 3953 A944 5DDC 2E05 8E5D AD60 F7A6 C3AB --=-Gl3P6Za7x8Dbqiu6UnKs Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+nQFAjl2tYPemw6sRAmbgAKCH+Vtz7PH2uuBB53kiwj/8mZwkbwCgrdee lkaWfeTom3rdxj1wwZFRiiQ= =oxGr -----END PGP SIGNATURE----- --=-Gl3P6Za7x8Dbqiu6UnKs-- From wk@gnupg.org Wed Apr 16 12:00:02 2003 From: wk@gnupg.org (Werner Koch) Date: Wed Apr 16 11:00:02 2003 Subject: [Announce] 1.2.2 release candidate 2 Message-ID: <87istevmqa.fsf@alberti.g10code.de> Hello! We are pleased to announce the availability of a second release candidate for GnuPG 1.2.2: ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.2.2rc2.tar.gz (2.8M) ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.2.2rc2.tar.gz.sig or as a patch (quite large due to the translations) against the first release candidate: ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.2.1rc1-1.2.2rc2.diff.gz (753k) If you had problems in the past or suggested a new feature, we would appreciate if you can check out this release. In addition to some bug fixes the following stuff is new since 1.2.1: * A "convert-from-106" script has been added. This is a simple script that automates the conversion from a 1.0.6 or earlier version of GnuPG to a 1.0.7 or later version. * Notation names that do not contain a '@' are no longer allowed unless --expert is set. This is to help prevent pollution of the (as yet unused) IETF notation namespace. * A "--trust-model always" option has been added to smooth the transition to a future GnuPG that has multiple trust models. This is identical to the current "--always-trust" option. * Care is taken to prevent compiler optimization from removing memory wiping code. * New option --no-mangle-dos-filenames so that filenames are not truncated in the W32 version. * Disabled keys are now skipped when selecting keys for encryption. If you are using the --with-colons key listings to detect disabled keys, please see doc/DETAILS for a minor format change in this release. * Minor trustdb changes to make the trust calculations match common usage. * New translations: Finnish and Traditional Chinese. * New command "revuid" in the --edit-key menu to revoke a user ID. This is a simpler interface to the old method (which still works) of revoking the user ID self-signature. * Fixed a compatibility problem with CryptoEx by increasing the window size of the uncompressor. * Status VALIDSIG does now also print the primary key's fingerprint. * Add read-only support for the SHA-256 hash, and optional read-only support for the SHA-384 and SHA-512 hashes. * New option --enable-progress-filter for use with frontends. A binary for Windows is also available: ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.2.2rc2.zip (1.1M) ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.2.2rc2.zip.sig If you want to report bugs, please use the new bug tracker at http://bugs.gnupg.org and select the category "gnupg". Happy hacking, The GnuPG Team (David, Stefan, Timo, Werner) From informat@ptb.be Wed Apr 16 13:00:02 2003 From: informat@ptb.be (INFORMAT) Date: Wed Apr 16 12:00:02 2003 Subject: exporting private key created with GPG to PGP Message-ID: <3E9D29E2.9050203@ptb.be> I advised someone to use WinPT/GPG, he used it for some time, but finally decided to get back to PGP (version 6.0.2). I found some incompatibility issues then which are making me doubt if it is such a good idea to swith to GPG anyway (although I'm strongly in favor for GPG) . Export and import worked fine but: 1. First I got an error that the passphrase was not correct when I wanted to decrypt with PGP a document I had encrypted with GPG. 2. I did the following then: gpg --simple-sk-checksum --edit-key (changing the passphrase afterwards) and export the key then. 3. Messages encrypted with this key in GPG: PGP accepted the passphrase now but gave then an error "encryptes session key is bad". What can I do to make this work (so that I'm sure someone can always go back to PGP if in the future there should be a problem with GPG). Marc From wk@gnupg.org Wed Apr 16 15:10:02 2003 From: wk@gnupg.org (Werner Koch) Date: Wed Apr 16 14:10:02 2003 Subject: entropy In-Reply-To: <010101c303c7$458ab7c0$0201a8c0@ibm> ("Jacob Solomon"'s message of "Tue, 15 Apr 2003 20:21:29 -0700") References: <010101c303c7$458ab7c0$0201a8c0@ibm> Message-ID: <8765pevdul.fsf@alberti.g10code.de> On Tue, 15 Apr 2003 20:21:29 -0700, Jacob Solomon said: > minute, all is working well. However, when I fire up three scripts to > encrypt files, after a while I get the following error: > gpg: note: random_seed file is empty Which is not a real problem but a performance issue. The thing is that we update the random_seed file simply by writing out the current pool. Of course this is a race condition and a gpg process, trying to read the random_seen file might find it empty and requests more bytes from /dev/random. I'll see whether I can change this to an atomic update, so ayou will always get an intact random_seed file. A workaround is to use different home directories. -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From jacdej@aent.com Wed Apr 16 16:39:02 2003 From: jacdej@aent.com (Jacques Dejean) Date: Wed Apr 16 15:39:02 2003 Subject: gnupg v1.2.1 Message-ID: Hello, I followed the steps in the pgp2gnupg howto document; however, I receive the following error: # echo 'hello world' | pgpe -r | gpg --decrypt No files specified. Using stdin. 1024 bits, Key ID , Created 2001-09-11 "userid@domain.com>" You need a passphrase to unlock the secret key for user: "userid@domain.com" ................ gpg: public key decryption failed: bad passphrase gpg: decryption failed: secret key not available When I retry the steps and include the step to create a blank passphrase, I get a "bad passphrase" error. Any suggestions? I am running gnupg 1.2.1 on hpux 11.11 system. Thanks, Jacques V. Dejean Lead Systems Administrator Alliance Entertainment (v) 954-255-4344 From shavital@netbox.com Wed Apr 16 17:00:03 2003 From: shavital@netbox.com (Charly Avital) Date: Wed Apr 16 16:00:03 2003 Subject: [Announce] 1.2.2 release candidate 2 In-Reply-To: <87istevmqa.fsf@alberti.g10code.de> References: <87istevmqa.fsf@alberti.g10code.de> Message-ID: At 11:02 AM +0200 4/16/03, Werner Koch wrote: >Hello! > >We are pleased to announce the availability of a second release >candidate for GnuPG 1.2.2: Hi, built 1.2.2rc2 for Darwin on MacOS 10.2.5. man gpg does not display the manual, only a line with 'END'. OS X stand-along applications that display man, apropos files, when prompted for gpg, or gpg10, gnupg10, output "no man entry". When prompted for other items, the appropriate file is displayed This did not happen on another Mac where I have built 1.2.2rc1, now running OS X 10.2.5 too, and another with 1.3.1 also running 10.2.5 Whereto did man gpg go? TIA Charly From Todd Wed Apr 16 17:26:02 2003 From: Todd (Todd) Date: Wed Apr 16 16:26:02 2003 Subject: gpg and ximian 1.2.2 for redhat9 In-Reply-To: <1050476864.660.1.camel@carpathia> References: <1050368076.28501.4.camel@linux59> <200304152215.24180@erwin.ingo-kloecker.de> <1050476864.660.1.camel@carpathia> Message-ID: <20030416142638.GI2615@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Michael Anckaert wrote: > Indeed, Evolution can't handle inline signatures or encrypted messages. > As a matter of fact, I recently sent such a feature report to the > evolution team at ximian. They told to look into it for the next > version. Hmmm, so the 1.2 series went backward from the 1.0 series? I have 1.0.8. I've tested inline signed and encrypted messages and both work. - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ============================================================================ Patriotism is the willingness to kill and be killed for trivial reasons. -- Bertrand Russell -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iD8DBQE+nWgeuv+09NZUB1oRAk1uAJ4w8TbduJBkGgqHdtMRSt1ivp/G0QCcCgxZ dX2G5wwNkCrsy8RFFY0BysY= =oxyL -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Wed Apr 16 18:45:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Wed Apr 16 17:45:02 2003 Subject: exporting private key created with GPG to PGP In-Reply-To: <3E9D29E2.9050203@ptb.be> References: <3E9D29E2.9050203@ptb.be> Message-ID: <20030416141005.GD1184@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Apr 16, 2003 at 12:01:06PM +0200, INFORMAT wrote: > I advised someone to use WinPT/GPG, he used it for some time, but > finally decided to get back to PGP (version 6.0.2). > I found some incompatibility issues then which are making me doubt if it > is such a good idea to swith to GPG anyway (although I'm strongly in > favor for GPG) . > > Export and import worked fine but: > 1. First I got an error that the passphrase was not correct when I > wanted to decrypt with PGP a document I had encrypted with GPG. > 2. I did the following then: gpg --simple-sk-checksum --edit-key > (changing the passphrase afterwards) and export the key then. > 3. Messages encrypted with this key in GPG: PGP accepted the passphrase > now but gave then an error "encryptes session key is bad". This is a FAQ. See http://www.gnupg.org/faq.html for step-by-step instructions on how to do this. The issue is that PGP (particularly a version as old as 6) does not implement the newer OpenPGP features. GnuPG also implements more of the optional ciphers than PGP 6 does. The FAQ has instructions to alter the feature and cipher list to match what PGP 6 can handle. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+nWQ94mZch0nhy8kRAi6AAJ0Qg4F4VYzp+47z2QQOpdQ98axBdwCcCrEv VdsGXWSRSjR0j+viv10nGi8= =IRLI -----END PGP SIGNATURE----- From pknoob@noos.fr Thu Apr 17 00:09:03 2003 From: pknoob@noos.fr (Don Patou) Date: Wed Apr 16 23:09:03 2003 Subject: trying to export the sender key In-Reply-To: <200304131747.30510.pknoob@noos.fr> References: <200304131747.30510.pknoob@noos.fr> Message-ID: <200304162309.41547.pknoob@noos.fr> I tried this: joe@debian:~/keys/recipient$ ls pubring.gpg pubring.gpg~ random_seed secring.gpg trustdb.gpg joe@debian:~/keys/recipient$ gpg --homedir /home/joe/.gnupg -a --export pubring.gpg gpg: WARNING: nothing exported what am i doing wrong? thanx in advance From Fabian.Rodriguez@Toxik.com Thu Apr 17 00:24:03 2003 From: Fabian.Rodriguez@Toxik.com (Toxik - Fabian Rodriguez) Date: Wed Apr 16 23:24:03 2003 Subject: Corrupted trustdb Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, I am getting this messages as part of signatures = verifications... What is "type 110" ? "trustdb.gpg: invalid record type 110 at recnum XXX" Thanks for any information, I searched the FAQ and mailing list= without luck. Regards, Fabi=E1n A. Rodr=EDguez S. - www.Toxik.com OpenPGP Key ID: 0x5AF2A4D5 -----BEGIN PGP SIGNATURE----- Comment: PGP/Mime available upon request iD8DBQE+ncosfUcTXFrypNURAkdpAKC0ASF93vC3w+8qQrGCpmAAEG8V0gCfUTVw X1XF03R6l2O1fTlLVlDo3HM=3D =3DGEXO -----END PGP SIGNATURE----- From Todd Thu Apr 17 00:59:03 2003 From: Todd (Todd) Date: Wed Apr 16 23:59:03 2003 Subject: trying to export the sender key In-Reply-To: <200304162309.41547.pknoob@noos.fr> References: <200304131747.30510.pknoob@noos.fr> <200304162309.41547.pknoob@noos.fr> Message-ID: <20030416215921.GM2615@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Don Patou wrote: > joe@debian:~/keys/recipient$ ls > pubring.gpg pubring.gpg~ random_seed secring.gpg trustdb.gpg > joe@debian:~/keys/recipient$ gpg --homedir /home/joe/.gnupg -a --export > pubring.gpg > gpg: WARNING: nothing exported The Fine Manual says this about the export command: --export [names] Either export all keys from all keyrings (default keyrings and those registered via option --keyring), or if at least one name is given, those of the given name. The new keyring is written to stdout or to the file given with option "output". Use together with --armor to mail those keys. So if you're trying to export all the keys on your public keyring, just leave off the pubring.gpg part of the command. Otherwise, gpg is trying to find a key that matches pubring.gpg. See the section "How to specify a user ID" in the gpg man page for details on how to specify [names] as in the export command. - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ============================================================================ When you define liberty for someone else, it's no longer liberty. It's permission. -- R.L. Root -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iD8DBQE+ndI5uv+09NZUB1oRAoapAJ9OQGYKjVy1iJGmj4eKoxhVt/SvrQCeKdZs dBNqDH1gjr3qBLezj+mxYAc= =EXM1 -----END PGP SIGNATURE----- From jbruni@mac.com Thu Apr 17 01:23:02 2003 From: jbruni@mac.com (Joseph Bruni) Date: Thu Apr 17 00:23:02 2003 Subject: trying to export the sender key Message-ID: <7903205.1050531845848.JavaMail.jbruni@mac.com> the export command takes a key id (or someother identifier). You most likely do not have a key whose userid is "pubring.gpg". Try specifying the key or keys that you want to export. Those will be sent to standard output unless you specify the name of the output file with the --output command. Joe On Wednesday, April 16, 2003, at 03:09PM, Don Patou wrote: >I tried this: > >joe@debian:~/keys/recipient$ ls >pubring.gpg pubring.gpg~ random_seed secring.gpg trustdb.gpg >joe@debian:~/keys/recipient$ gpg --homedir /home/joe/.gnupg -a --export >pubring.gpg >gpg: WARNING: nothing exported > > >what am i doing wrong? > >thanx in advance > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -- PGP Fingerprint: 886F 6A8A 68A1 5E90 EF3F 8EFA E2B8 3F99 7343 C1E3 From jbruni@mac.com Thu Apr 17 05:20:02 2003 From: jbruni@mac.com (Joseph Bruni) Date: Thu Apr 17 04:20:02 2003 Subject: entropy In-Reply-To: <013c01c303e0$0c866dc0$0201a8c0@ibm> Message-ID: <436653FA-707B-11D7-8871-003065B1243E@mac.com> First of all, my comment was made with tongue planted firmly in my cheek. I was playing off the idea of "running out of entropy". Read "Hitchhikers' Guide to the Galaxy" by Douglas Adams for details on Brownian motion generators. :) To answer your question, RC5-72, SETI, and OGR are distributed computing projects. For details on RC5-72 and OGR go here: http://distributed.net/ Details on SETI can be found here. http://setiathome.ssl.berkeley.edu/ (Personally, I think SETI is a complete waste of effort but that's based on the logic of my world-view.) On Tuesday, April 15, 2003, at 11:18 PM, Jacob Solomon wrote: > Hi Joseph, > > Sounds like you have a better/simpler solution to my simple needs of > symmetric file encryption, without the need for gpg. Would you mind to > share > it with me? Pardon my ignorance, but what is RC5-72, SETI, or OGR? > > Thanks, > Jacob > > ----- Original Message ----- > From: "Joseph Bruni" > To: > Sent: Tuesday, April 15, 2003 10:11 PM > Subject: Re: entropy > > >> Does anyone else here see a major conflict with Stephen Hawking's >> theories of entropy and the heat-death of the universe? Imagine, we >> could set up automated clients to consume entropy instead of merely >> doing things like RC5-72 or SETI or OGR. Wow! What a concept. >> Consuming >> mass quantities of entropy would immediately increase the amount of >> order in the Universe. I think I might put this together into an essay >> and see about winning a Nobel or something... >> >> ;) >> >> >> On Tuesday, April 15, 2003, at 08:21 PM, Jacob Solomon wrote: >> >>> I have a problem with running out of entropy when using gpg. >> >> >> >> _______________________________________________ >> Gnupg-users mailing list >> Gnupg-users@gnupg.org >> http://lists.gnupg.org/mailman/listinfo/gnupg-users > From wk@gnupg.org Thu Apr 17 10:15:01 2003 From: wk@gnupg.org (Werner Koch) Date: Thu Apr 17 09:15:01 2003 Subject: Corrupted trustdb In-Reply-To: (Toxik - Fabian Rodriguez's message of "Wed, 16 Apr 2003 17:25:00 -0400") References: Message-ID: <877k9ttx0h.fsf@alberti.g10code.de> On Wed, 16 Apr 2003 17:25:00 -0400, Toxik said: > "trustdb.gpg: invalid record type 110 at recnum XXX" That is an internal error descriotion, we expected a different record type at this address of the trustdb instead we got an impossible record type. You need to rebuild the trustdb - I hope you got an backup of the ownertrust settings (gpg --export-owertrust). -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From Fabian.Rodriguez@Toxik.com Thu Apr 17 15:24:02 2003 From: Fabian.Rodriguez@Toxik.com (Toxik - Fabian Rodriguez) Date: Thu Apr 17 14:24:02 2003 Subject: Corrupted trustdb In-Reply-To: <877k9ttx0h.fsf@alberti.g10code.de> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >> "trustdb.gpg: invalid record type 110 at recnum XXX" >That is an internal error descriotion, we expected a different record >type at this address of the trustdb instead we got an impossible >record type. You need to rebuild the trustdb - I hope you got an >backup of the ownertrust settings (gpg --export-owertrust). Thanks Werner! How can this be prevented in the future ? I suspect this is the result of having this in my gpg.conf: keyserver-options auto-key-retrieve Is it possible that some public keys break the trust db integrity when imported ? Thank you, Fabian A. Rodriguez S. - www.Toxik.com OpenPGP Key ID: 0x5AF2A4D5 - -- This message is protected with OpenPGP digital security features. Visit WinPT.org and secure your data. -----BEGIN PGP SIGNATURE----- Comment: PGP/Mime available upon request iD8DBQE+npy4fUcTXFrypNURAqbGAKDtMqY7R7bkhfMHIaRcSKIriivEAgCeNMIJ VRRz3AnWlfTdVBj9FwcA/J0= =OLD+ -----END PGP SIGNATURE----- From ean@ishoejby.dk Thu Apr 17 18:12:02 2003 From: ean@ishoejby.dk (Egon Andersen) Date: Thu Apr 17 17:12:02 2003 Subject: 3DES key generation Message-ID: <3E9EC4A5.2090100@ishoejby.dk> Hi, I know that gpg can use 3DES cipher algorithm, but how do I generate the 128-bit key used for this? I can see that gpg can generate DSA and ElGamal, but I can find out how to generate keys for 3DES. Best regards Egon Andersen From gnupg-users@nahrath.de Thu Apr 17 21:30:12 2003 From: gnupg-users@nahrath.de (Michael Nahrath) Date: Thu Apr 17 20:30:12 2003 Subject: [Announce] 1.2.2 release candidate 2 In-Reply-To: <87istevmqa.fsf@alberti.g10code.de> References: <87istevmqa.fsf@alberti.g10code.de> Message-ID: <3E9E0805.7080704@nahrath.de> This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigA57A2B88214607345DD2A3A0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Werner Koch wrote: > We are pleased to announce the availability of a second release > candidate for GnuPG 1.2.2: > > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.2.2rc2.tar.gz (2.8M) > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.2.2rc2.tar.gz.sig Tried to compile it on MacOS 10.2.5. It still needes special parameters: After a "./configure --disable-asm" it compiles fine. But simply doing "./configure; make; sudo make install" quits in make with: --- 8< --- ... source='mpiutil.c' object='mpiutil.o' libtool=no \ depfile='.deps/mpiutil.Po' tmpdepfile='.deps/mpiutil.TPo' \ depmode=gcc /bin/sh ../scripts/depcomp \ gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../include -g -O2 -Wall -c `test -f 'mpiutil.c' || echo './'`mpiutil.c source='g10m.c' object='g10m.o' libtool=no \ depfile='.deps/g10m.Po' tmpdepfile='.deps/g10m.TPo' \ depmode=gcc /bin/sh ../scripts/depcomp \ gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../include -g -O2 -Wall -c `test -f 'g10m.c' || echo './'`g10m.c gcc -E -I.. -I../include -DHAVE_CONFIG_H mpih-mul1.S | grep -v '^#' > _mpih-mul1.s gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../include -g -O2 -Wall -c _mpih-mul1.s _mpih-mul1.s:2:Parameter syntax error (parameter 2) _mpih-mul1.s:4:Parameter syntax error (parameter 1) _mpih-mul1.s:5:Parameter syntax error (parameter 1) _mpih-mul1.s:6:Parameter syntax error (parameter 1) _mpih-mul1.s:7:Parameter syntax error (parameter 1) _mpih-mul1.s:8:Parameter syntax error (parameter 1) _mpih-mul1.s:11:Parameter syntax error (parameter 1) _mpih-mul1.s:12:Parameter syntax error (parameter 1) _mpih-mul1.s:13:Parameter syntax error (parameter 1) _mpih-mul1.s:14:Parameter syntax error (parameter 1) _mpih-mul1.s:15:Parameter syntax error (parameter 1) _mpih-mul1.s:18:Parameter syntax error (parameter 1) _mpih-mul1.s:19:Parameter syntax error (parameter 1) _mpih-mul1.s:21:Unknown pseudo-op: .size _mpih-mul1.s:21:Rest of line ignored. 1st junk character valued 109 (m). make[2]: *** [mpih-mul1.o] Error 1 make[1]: *** [all-recursive] Error 1 make: *** [all] Error 2 --- >8 --- I don't know what "asm" is but I do know that my system doesn't support it and that it had to be manually disabled to compile GPG at least since 1.0.7 Can't the build process know that it should be disabled on "powerpc-apple-darwin6.5" by default? Greeting, Michi --------------enigA57A2B88214607345DD2A3A0 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1 (Darwin) Comment: http://www.biglumber.com/x/web?qs=0x9A4C704C iEYEARECAAYFAj6eCAUACgkQ19dRf5pMcEyZpQCgjM04nlyx+Ep5SV6tTDW+SRjW V2QAmgN1LifCwdQ3nVdgSHCNf0OreseW =bRuZ -----END PGP SIGNATURE----- --------------enigA57A2B88214607345DD2A3A0-- From Tony_Mione@peoplesoft.com Thu Apr 17 22:03:26 2003 From: Tony_Mione@peoplesoft.com (Tony_Mione@peoplesoft.com) Date: Thu Apr 17 21:03:26 2003 Subject: C/C++ API for GnuPG Message-ID: I have been looking for an OpenPGP based library for C/C++. I noticed that GnuPG only generates executables (plus libraries for the underlying crypto and other utility routines.) The FAQ says that this project (of providing a full API) will not be taken on since there are some concerns about openning possible security holes. I have looked at Gpgme. I like it to some degree but I do not like the fact that it forks another process and calls gpg at the command line. I am trying to avoid that type of interface. I would use libgcrypt for my project but it ONLY implements the crypto and I can really use the packet processing features of the source code in g10. So, what are the security holes that may be openned if this is made into a library? Do people involved with Gpg believe that the same holes [may] exist in the PGP SDK marketed by PGP, Inc. then NAI, and soon PGP International? In my mind, a programmatic API would be better than spawning processes that may need to have a passphrase in the command line. Does this make sense or am I missing something here? Thanks for any help that people can give here. Take care. Antonino N. Mione PeopleTools Security and Infrastructure PeopleSoft, Inc., 4411 PeopleSoft Pkwy., Pleasanton, Ca. 94588 Antonino_Mione@peoplesoft.com +1-(925)-694-6118 got Crypto? From cbiacca@tiscalinet.it Fri Apr 18 03:09:02 2003 From: cbiacca@tiscalinet.it (Francesco Biacca) Date: Fri Apr 18 02:09:02 2003 Subject: decipher secret keyring Message-ID: <001d01c3053e$cf744280$0201a8c0@h4mwxp> Hi, I'm new to the list so first of all, I wanna excuse if I'm posting something known ... To be honest, I've read another thread some months ago in which you spoke about this theme, but I'd like to know more. I'm trying to develop a webmail, using java and jsp technology, which would be able to send ciphered mail without using gpg (The idea was born while I was outside without my notebook and I had to send a mail ciphered with my gpg key). So I need to know how (and if) is possible to decipher a secret keyring; otherwise it's impossibile to cipher/decipher mail for me. I know that you could be bored about this, so you can also give me some url or docs to solve this problem. As I've understood, first I have to decipher the secret keyring: to reach my aim I have to use the passphrase and the algorithm used to encode the secretring, don't I?? ... Then, when I have done it, I can use the methods which are contained in bouncycastle API to extract all the information I need to cipher mail. Is that all right?? Please help me ... thanks, Francesco Biacca ps: I'm sorry if my written english seems to be translation from italian ... From dshaw@jabberwocky.com Fri Apr 18 09:26:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Fri Apr 18 08:26:02 2003 Subject: decipher secret keyring In-Reply-To: <001d01c3053e$cf744280$0201a8c0@h4mwxp> References: <001d01c3053e$cf744280$0201a8c0@h4mwxp> Message-ID: <20030418061600.GD438@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, Apr 18, 2003 at 02:09:40AM +0200, Francesco Biacca wrote: > Hi, > I'm new to the list so first of all, I wanna excuse if I'm posting something > known ... To be honest, I've read another thread some months ago in which > you spoke about this theme, but I'd like to know more. > > I'm trying to develop a webmail, using java and jsp technology, which would > be able to send ciphered mail without using gpg (The idea was born while I > was outside without my notebook and I had to send a mail ciphered with my > gpg key). > > So I need to know how (and if) is possible to decipher a secret keyring; > otherwise it's impossibile to cipher/decipher mail for me. I know that you > could be bored about this, so you can also give me some url or docs to solve > this problem. Probably the best thing for you to read is RFC-2440. In particular, see the section for "Secret Key Encryption", as well as "Secret Key Packet". David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+n5gg4mZch0nhy8kRAsFZAJ9NMDmCdfky0JMb8XhqEF2U8tlG7ACgi88Y byDMvucexkOO9CNt8GZVpM8= =RCiJ -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Fri Apr 18 09:26:34 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Fri Apr 18 08:26:34 2003 Subject: 3DES key generation In-Reply-To: <3E9EC4A5.2090100@ishoejby.dk> References: <3E9EC4A5.2090100@ishoejby.dk> Message-ID: <20030418061434.GC438@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, Apr 17, 2003 at 05:13:41PM +0200, Egon Andersen wrote: > Hi, > > I know that gpg can use 3DES cipher algorithm, but how do I generate the > 128-bit key used for this? > > I can see that gpg can generate DSA and ElGamal, but I can find out how > to generate keys for 3DES. GnuPG uses 3DES for session keys, so you do not need to generate them. They are generated automatically as needed. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+n5fK4mZch0nhy8kRAkBKAJ9spgVCPl421q1fr+vvgN/VlECntACgvPVa 5/a6GV5stfg9stHuWfGdXcU= =lT+A -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Fri Apr 18 09:27:04 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Fri Apr 18 08:27:04 2003 Subject: [Announce] 1.2.2 release candidate 2 In-Reply-To: <3E9E0805.7080704@nahrath.de> References: <87istevmqa.fsf@alberti.g10code.de> <3E9E0805.7080704@nahrath.de> Message-ID: <20030418051256.GA438@jabberwocky.com> --k+w/mQv8wyuph6w0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Apr 17, 2003 at 03:48:53AM +0200, Michael Nahrath wrote: > Werner Koch wrote: >=20 > > We are pleased to announce the availability of a second release > > candidate for GnuPG 1.2.2: > >=20 > > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.2.2rc2.tar.gz (2.8M) > > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.2.2rc2.tar.gz.sig >=20 > Tried to compile it on MacOS 10.2.5. >=20 > It still needes special parameters: >=20 > After a "./configure --disable-asm" it compiles fine. >=20 > But simply doing "./configure; make; sudo make install" quits in make wit= h: > gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../include -g -O2 -Wall -c > _mpih-mul1.s > _mpih-mul1.s:2:Parameter syntax error (parameter 2) > _mpih-mul1.s:4:Parameter syntax error (parameter 1) > _mpih-mul1.s:5:Parameter syntax error (parameter 1) > _mpih-mul1.s:6:Parameter syntax error (parameter 1) > _mpih-mul1.s:7:Parameter syntax error (parameter 1) > _mpih-mul1.s:8:Parameter syntax error (parameter 1) > _mpih-mul1.s:11:Parameter syntax error (parameter 1) > _mpih-mul1.s:12:Parameter syntax error (parameter 1) > _mpih-mul1.s:13:Parameter syntax error (parameter 1) > _mpih-mul1.s:14:Parameter syntax error (parameter 1) > _mpih-mul1.s:15:Parameter syntax error (parameter 1) > _mpih-mul1.s:18:Parameter syntax error (parameter 1) > _mpih-mul1.s:19:Parameter syntax error (parameter 1) > _mpih-mul1.s:21:Unknown pseudo-op: .size > _mpih-mul1.s:21:Rest of line ignored. 1st junk character valued 109 (m). > make[2]: *** [mpih-mul1.o] Error 1 > make[1]: *** [all-recursive] Error 1 > make: *** [all] Error 2 > --- >8 --- >=20 > I don't know what "asm" is but I do know that my system doesn't support it > and that it had to be manually disabled to compile GPG at least since 1.0= =2E7 That's very odd. This was successfully tested on Darwin 6.2. I wonder what changed. Can you tell me the output of "uname -a" as well as the contents of your mpi/asm-syntax.h file? David --k+w/mQv8wyuph6w0 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+n4lY4mZch0nhy8kRAn0wAJ9fi30SH9is3Hsks8xDQSzECz41rQCfZxZ7 kZ87jTqFcMEmTLIuf0N1rns= =k7xV -----END PGP SIGNATURE----- --k+w/mQv8wyuph6w0-- From wk@gnupg.org Fri Apr 18 11:25:01 2003 From: wk@gnupg.org (Werner Koch) Date: Fri Apr 18 10:25:01 2003 Subject: Corrupted trustdb In-Reply-To: (Toxik - Fabian Rodriguez's message of "Thu, 17 Apr 2003 08:23:19 -0400") References: Message-ID: <87el40rz3j.fsf@alberti.g10code.de> On Thu, 17 Apr 2003 08:23:19 -0400, Toxik said: > I suspect this is the result of having this in my gpg.conf: > keyserver-options auto-key-retrieve > Is it possible that some public keys break the trust db integrity when imported ? No. Are you able to reproduce the problem? -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From ean@ishoejby.dk Fri Apr 18 12:13:02 2003 From: ean@ishoejby.dk (Egon Andersen) Date: Fri Apr 18 11:13:02 2003 Subject: 3DES key generation References: <3E9EC4A5.2090100@ishoejby.dk> <20030418061434.GC438@jabberwocky.com> Message-ID: <3E9FC1D4.3020702@ishoejby.dk> David Shaw wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Thu, Apr 17, 2003 at 05:13:41PM +0200, Egon Andersen wrote: > >>Hi, >> >>I know that gpg can use 3DES cipher algorithm, but how do I generate the >> 128-bit key used for this? >> >>I can see that gpg can generate DSA and ElGamal, but I can find out how >>to generate keys for 3DES. > > > GnuPG uses 3DES for session keys, so you do not need to generate > them. They are generated automatically as needed. > Well, this true when I use gpg in both ends. But my problem is that the opposite end only uses symmetric ciphers and I have to inform them about my 3DES key for this session (encrypted with another 3DES key). So therefore I need to generate 3DES keys, encrypt it with a given 3DES key, at send it to the receiver. (I haven't 'invented' this system, the receiver did.) So is there any way I can generate/get 3DES key? Perhaps using some library? Best regards Egon Andersen From johanw@vulcan.xs4all.nl Fri Apr 18 12:23:02 2003 From: johanw@vulcan.xs4all.nl (Johan Wevers) Date: Fri Apr 18 11:23:02 2003 Subject: C/C++ API for GnuPG In-Reply-To: from "Tony_Mione@peoplesoft.com" at "Apr 17, 2003 11:53:26 am" Message-ID: <200304181225.OAA02176@vulcan.xs4all.nl> Tony_Mione@peoplesoft.com wrote: > In my mind, a programmatic API would be better than spawning processes > that may need to have a passphrase in the command line. Does this make > sense or am I missing something here? Yes: you're missing the fact that gpg never takes passwords on the commandline (half the messages about implemnting gpg in websites deals about this), but uses a file descriptor to pass the password. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From johanw@vulcan.xs4all.nl Fri Apr 18 12:23:30 2003 From: johanw@vulcan.xs4all.nl (Johan Wevers) Date: Fri Apr 18 11:23:30 2003 Subject: 3DES key generation In-Reply-To: <3E9EC4A5.2090100@ishoejby.dk> from Egon Andersen at "Apr 17, 2003 05:13:41 pm" Message-ID: <200304181234.OAA02239@vulcan.xs4all.nl> You, Egon Andersen, wrote: > I know that gpg can use 3DES cipher algorithm, but how do I generate the > 128-bit key used for this? 3DES uses a 168 bit key (3*56). You don't need to generate this key, a random generator will do it for you. If you want to generate it yourself, for example for test purposes, I guess tou'll have to hack that into gpg yourself. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From ingo.kloecker@epost.de Fri Apr 18 14:14:01 2003 From: ingo.kloecker@epost.de (Ingo =?iso-8859-1?q?Kl=F6cker?=) Date: Fri Apr 18 13:14:01 2003 Subject: 3DES key generation In-Reply-To: <3E9FC1D4.3020702@ishoejby.dk> References: <3E9EC4A5.2090100@ishoejby.dk> <20030418061434.GC438@jabberwocky.com> <3E9FC1D4.3020702@ishoejby.dk> Message-ID: <200304181211.27377@erwin.ingo-kloecker.de> --Boundary-02=_O98n+QUehYc1zi+ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Friday 18 April 2003 11:13, Egon Andersen wrote: > David Shaw wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > On Thu, Apr 17, 2003 at 05:13:41PM +0200, Egon Andersen wrote: > >>Hi, > >> > >>I know that gpg can use 3DES cipher algorithm, but how do I > >> generate the 128-bit key used for this? > >> > >>I can see that gpg can generate DSA and ElGamal, but I can find out > >> how to generate keys for 3DES. > > > > GnuPG uses 3DES for session keys, so you do not need to generate > > them. They are generated automatically as needed. > > Well, this true when I use gpg in both ends. > But my problem is that the opposite end only uses symmetric ciphers > and I have to inform them about my 3DES key for this session > (encrypted with another 3DES key). > So therefore I need to generate 3DES keys, encrypt it with a given > 3DES key, at send it to the receiver. > (I haven't 'invented' this system, the receiver did.) > > So is there any way I can generate/get 3DES key? > Perhaps using some library? Try --show-session-key and --override-session-key . See 'man=20 gpg'. Regards, Ingo --Boundary-02=_O98n+QUehYc1zi+ Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+n89OGnR+RTDgudgRAkgyAJ9zWne4x7UtaLRenef1mRiehwcmZgCgwZS4 y794lzQgNE7pPJY9B4R5PjQ= =Smpn -----END PGP SIGNATURE----- --Boundary-02=_O98n+QUehYc1zi+-- From ean@ishoejby.dk Fri Apr 18 14:39:02 2003 From: ean@ishoejby.dk (Egon Andersen) Date: Fri Apr 18 13:39:02 2003 Subject: 3DES key generation References: <200304181234.OAA02239@vulcan.xs4all.nl> Message-ID: <3E9FE42C.6070207@ishoejby.dk> Johan Wevers wrote: > You, Egon Andersen, wrote: > > >>I know that gpg can use 3DES cipher algorithm, but how do I generate the >> 128-bit key used for this? > > > 3DES uses a 168 bit key (3*56). You don't need to generate this key, a > random generator will do it for you. If you want to generate it yourself, > for example for test purposes, I guess tou'll have to hack that into gpg > yourself. > I had a closer look at "The GNU Privacy Handbook" Chapter 2 under Symmetric ciphers, it says: "... 3DES, Blowfish, and IDEA all use 128-bit keys, ..." (I agree that is seems a little strange to call it 3DES then.) But now I came to think about it. Can I in principle use 'any' bit-string with the required number of bits as my key? If that is so, then I could use a high-quality random number generator to make my keys? Then that may well be the solution to my problem. Best regards Egon Andersen From gnupg-users@nahrath.de Fri Apr 18 15:53:02 2003 From: gnupg-users@nahrath.de (Michael Nahrath) Date: Fri Apr 18 14:53:02 2003 Subject: [Announce] 1.2.2 release candidate 2 In-Reply-To: <20030418051256.GA438@jabberwocky.com> References: <87istevmqa.fsf@alberti.g10code.de> <3E9E0805.7080704@nahrath.de> <20030418051256.GA438@jabberwocky.com> Message-ID: <3E9FF29C.9080502@nahrath.de> This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig47749D12E3E0995E3F0C556A Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit David Shaw wrote: >>> ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.2.2rc2.tar.gz (2.8M) >>Tried to compile it on MacOS 10.2.5. >> >>It still needes special parameters: >> >>After a "./configure --disable-asm" it compiles fine. >> >>But simply doing "./configure; make; sudo make install" quits in make with: >>_mpih-mul1.s:21:Unknown pseudo-op: .size >>_mpih-mul1.s:21:Rest of line ignored. 1st junk character valued 109 (m). >>make[2]: *** [mpih-mul1.o] Error 1 >>make[1]: *** [all-recursive] Error 1 >>make: *** [all] Error 2 >>--- >8 --- >> >>I don't know what "asm" is but I do know that my system doesn't support it >>and that it had to be manually disabled to compile GPG at least since 1.0.7 > That's very odd. This was successfully tested on Darwin 6.2. I > wonder what changed. In doubt it may be Apple's fault ;) May tht insatllation of the package management system 'fink' have changed something? > Can you tell me the output of "uname -a" [michi@localhost]~$ uname -a Darwin localhost 6.5 Darwin Kernel Version 6.5: Mon Apr 7 17:05:38 PDT 2003; root:xnu/xnu-344.32.obj~1/RELEASE_PPC Power Macintosh powerpc > as well > as the contents of your mpi/asm-syntax.h file? My running coppy was installed with "./configure --disable-asm" and thus the file ./gnupg-1.2.2rc2/mpi/asm-syntax.h just contains: /* created by config.links - do not edit */ /* Assembler modules disabled on request */ I just tried pure "./configure" and now is: =====> /* created by config.links - do not edit */ /* configured for OpenBSD/NetBSD/Darwin on powerpc */ #define ELF_SYNTAX /* gmp2-2.0.2-ppc/mpn/powerpc-linux/syntax.h Tue Oct 6 19:27:01 1998 */ /* From glibc's sysdeps/unix/sysv/linux/powerpc/sysdep.h */ /* Copyright (C) 1992, 1997, 1998 Free Software Foundation, Inc. [...] Boston, MA 02111-1307, USA. */ #define USE_PPC_PATCHES 1 /* This seems to always be the case on PPC. */ #define ALIGNARG(log2) log2 /* For ELF we need the `.type' directive to make shared libs work right. */ #define ASM_TYPE_DIRECTIVE(name,typearg) .type name,typearg; #define ASM_SIZE_DIRECTIVE(name) .size name,.-name #define ASM_GLOBAL_DIRECTIVE .globl #ifdef __STDC__ # define C_LABEL(name) C_SYMBOL_NAME(name)##: #else # define C_LABEL(name) C_SYMBOL_NAME(name)/**/: #endif #ifdef __STDC__ # define L(body) .L##body #else # define L(body) .L/**/body #endif /* No profiling of gmp's assembly for now... */ #define CALL_MCOUNT /* no profiling */ #define ENTRY(name) \ ASM_GLOBAL_DIRECTIVE C_SYMBOL_NAME(name); \ ASM_TYPE_DIRECTIVE (C_SYMBOL_NAME(name),@function) \ .align ALIGNARG(2); \ C_LABEL(name) \ CALL_MCOUNT #define EALIGN_W_0 /* No words to insert. */ #define EALIGN_W_1 nop #define EALIGN_W_2 nop;nop #define EALIGN_W_3 nop;nop;nop #define EALIGN_W_4 EALIGN_W_3;nop #define EALIGN_W_5 EALIGN_W_4;nop #define EALIGN_W_6 EALIGN_W_5;nop #define EALIGN_W_7 EALIGN_W_6;nop /* EALIGN is like ENTRY, but does alignment to 'words'*4 bytes past a 2^align boundary. */ #define EALIGN(name, alignt, words) \ ASM_GLOBAL_DIRECTIVE C_SYMBOL_NAME(name); \ ASM_TYPE_DIRECTIVE (C_SYMBOL_NAME(name),@function) \ .align ALIGNARG(alignt); \ EALIGN_W_##words; \ C_LABEL(name) #undef END #define END(name) \ ASM_SIZE_DIRECTIVE(name) <===== with that "make" fails like before. Greeting, Michi --------------enig47749D12E3E0995E3F0C556A Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (Darwin) Comment: http://www.biglumber.com/x/web?qs=0x9A4C704C iEYEARECAAYFAj6f8qcACgkQ19dRf5pMcEwA9ACgtDzuJRsQZ0I6zo30yeEdMVBG nYcAoLe7QTHxbNg1y7hJqOBhOXoyLApB =4CaR -----END PGP SIGNATURE----- --------------enig47749D12E3E0995E3F0C556A-- From ean@ishoejby.dk Fri Apr 18 16:11:02 2003 From: ean@ishoejby.dk (Egon Andersen) Date: Fri Apr 18 15:11:02 2003 Subject: 3DES key generation References: <3E9EC4A5.2090100@ishoejby.dk> <20030418061434.GC438@jabberwocky.com> <3E9FC1D4.3020702@ishoejby.dk> <200304181211.27377@erwin.ingo-kloecker.de> Message-ID: <3E9FF990.6090805@ishoejby.dk> Ingo Kl=F6cker wrote: > On Friday 18 April 2003 11:13, Egon Andersen wrote: >=20 [cut] >> >>So is there any way I can generate/get 3DES key? >>Perhaps using some library? >=20 >=20 > Try --show-session-key and --override-session-key . See 'man=20 > gpg'. >=20 This sounds reasonable to use --show-session-key But I don't get any keys shown :-( It might be because I use it in a wrong way, but the man-page isn't that = informative. I've tried to have the option both during encryption and decryption,=20 with no difference. I've tried the following: gpg --show-session-key --cipher-algo 3DES -c and was of course asked for a passphrase, which I gave. - but no session key was shown I tried hereafter: gpg --show-session-key .gpg gave the passphrase as before. - no session key was shown Any idea about what I do wrong, and perhaps an example of how I should do= ? Best regards Egon Andersen From johanw@vulcan.xs4all.nl Fri Apr 18 22:08:03 2003 From: johanw@vulcan.xs4all.nl (Johan Wevers) Date: Fri Apr 18 21:08:03 2003 Subject: 3DES key generation In-Reply-To: <3E9FE42C.6070207@ishoejby.dk> from Egon Andersen at "Apr 18, 2003 01:40:28 pm" Message-ID: <200304190232.EAA00500@vulcan.xs4all.nl> You, Egon Andersen, wrote: > I had a closer look at "The GNU Privacy Handbook" Chapter 2 under > Symmetric ciphers, it says: "... 3DES, Blowfish, and IDEA all use > 128-bit keys, ..." That's incorrect for 3DES. > But now I came to think about it. > Can I in principle use 'any' bit-string with the required number of bits > as my key? As another reply indicated, you can put them in manually (I completely forgot about putting them in, I knew about the show option), to use the --show-session-key and --override-session-key options. But I as far as I know this can't be combined with symetric encryption. When using conventional encryption, the symmetric key is the SHA1 hash of the passphrase. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From johanw@vulcan.xs4all.nl Fri Apr 18 22:08:38 2003 From: johanw@vulcan.xs4all.nl (Johan Wevers) Date: Fri Apr 18 21:08:38 2003 Subject: 3DES key generation In-Reply-To: <3E9FC8DA.4070403@ishoejby.dk> from Egon Andersen at "Apr 18, 2003 11:43:54 am" Message-ID: <200304190235.EAA00509@vulcan.xs4all.nl> Egon Andersen wrote: > And you are right 3DES uses 3*56 bit, but the receiver actually only > uses 2DES Hmmm. I remember there was some big weakness in 2DES, but I can't remember what it was exactly. Does someone here know that? > (2*56 bit = 112) packed into a hex-representation of 32 > characters - therefore I happened to write 128 (= 4 x 32). > (Actually 48 characters, but the 16 trailing bytes are spaces) Then the receiver uses it in a different mode than gpg does. Are you sure both ptograms are otherwise compatible? GnuPG doesn't just output encrypted data, it stores them in a file format that includes headers, checksums, etc. > If I could, I would of course like the receiver to use gpg, but they > don't, and I don't think I can make them change their system over night. > (If is a company making most of the bank-transactions in Denmark!!!) Perhaps the easiest solution would be if you used their cryptosystem? -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From johanw@vulcan.xs4all.nl Fri Apr 18 22:10:18 2003 From: johanw@vulcan.xs4all.nl (Johan Wevers) Date: Fri Apr 18 21:10:18 2003 Subject: 3DES key generation In-Reply-To: <3E9FF990.6090805@ishoejby.dk> from Egon Andersen at "Apr 18, 2003 03:11:44 pm" Message-ID: <200304190236.EAA00529@vulcan.xs4all.nl> Egon Andersen wrote: > This sounds reasonable to use --show-session-key > But I don't get any keys shown :-( These options don't combine with symmetric encryption. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From jbruni@mac.com Sat Apr 19 05:32:01 2003 From: jbruni@mac.com (Joseph Bruni) Date: Sat Apr 19 04:32:01 2003 Subject: C/C++ API for GnuPG In-Reply-To: Message-ID: <4D063DFE-720F-11D7-A12E-003065B1243E@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm not a GPG-specific programmer, but I'd like to weigh in on this since I am a Unix programmer. Please indulge me if I'm off base here. I like the idea of GPG running in its own protected, non-swapable address space with a strictly well-defined communication interface provided by the anonymous pipe of stdin and stdout, environment variables, and command-line arguments. If I were a library programmer, (especially a security library), I would want to make sure that nothing could accidentally step on the code that I've spent a lot of time making robust. A GPG co-process lives in its own protected address space which (if set up properly) cannot be paged because it is setuid-root on many systems. As an application programmer, I would not want some library creating weakness in my application either. A linkable library, on the other hand, would be completely at the mercy of the library user (application programmer), just as the application is at the mercy of the library. In Unix, just as userland applications are "quarantined" from (and by) the kernel in order to provide security and stability, and are only able to communicate with the kernel through well-defined and checked APIs, so would the application and GPG be protected from each other by acting as co-processes in a client-server model which provides a great deal of robustness. On Thursday, April 17, 2003, at 11:53 AM, Tony_Mione@peoplesoft.com wrote: > I have looked at Gpgme. I like it to some degree but I do not like the > fact that it forks another process and calls gpg at the command line. > I am > trying to avoid that type of interface. I would use libgcrypt for my > project but it ONLY implements the crypto and I can really use the > packet processing features of the source code in g10. > > So, what are the security holes that may be openned if this is made > into a library? Do people involved with Gpg believe that the same > holes [may] exist in the PGP SDK marketed by PGP, Inc. then NAI, and > soon > PGP International? > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (Darwin) iEYEARECAAYFAj6gtX0ACgkQ4rg/mXNDwePCSQCfe7NWYakSuZzYx6reuJ2/CB++ 4pkAoJggK6vorGt5JoPcX3nZ5v9LCcf/ =T5fU -----END PGP SIGNATURE----- From ean@ishoejby.dk Sat Apr 19 09:56:01 2003 From: ean@ishoejby.dk (Egon Andersen) Date: Sat Apr 19 08:56:01 2003 Subject: 3DES key generation References: <200304190235.EAA00509@vulcan.xs4all.nl> Message-ID: <3EA0F344.3020907@ishoejby.dk> Johan Wevers wrote: > Egon Andersen wrote: > > >>And you are right 3DES uses 3*56 bit, but the receiver actually only >>uses 2DES > > > Hmmm. I remember there was some big weakness in 2DES, but I can't remember > what it was exactly. Does someone here know that? > To be more correct, the receiver uses two-key Triple-DES C=E(ks1,D(ks2,E(ks1,M))) This form of Triple-DES is used by the RSAREF library. I think I've found the solution to my problems in the openssl libraries. Best regards Egon Andersen From jharris@widomaker.com Sun Apr 20 00:01:02 2003 From: jharris@widomaker.com (Jason Harris) Date: Sat Apr 19 23:01:02 2003 Subject: C/C++ API for GnuPG In-Reply-To: <4D063DFE-720F-11D7-A12E-003065B1243E@mac.com> References: <4D063DFE-720F-11D7-A12E-003065B1243E@mac.com> Message-ID: <20030419210227.GT52142@pm1.ric-37.lft.widomaker.com> --SvF6CGw9fzJC4Rcx Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Apr 18, 2003 at 07:33:27PM -0700, Joseph Bruni wrote: > I'm not a GPG-specific programmer, but I'd like to weigh in on this=20 > since I am a Unix programmer. Please indulge me if I'm off base here. OK. > I like the idea of GPG running in its own protected, non-swapable=20 > address space with a strictly well-defined communication interface=20 > provided by the anonymous pipe of stdin and stdout, environment=20 > variables, and command-line arguments. If I were a library programmer,=20 (It _sounds_ all warm and fuzzy...) > (especially a security library), I would want to make sure that nothing= =20 > could accidentally step on the code that I've spent a lot of time=20 > making robust. A GPG co-process lives in its own protected address=20 > space which (if set up properly) cannot be paged because it is=20 > setuid-root on many systems. As an application programmer, I would not=20 > want some library creating weakness in my application either. The library knows which page(s) to lock and should request that whether it runs inside GPG or another app. > A linkable library, on the other hand, would be completely at the mercy= =20 > of the library user (application programmer), just as the application=20 > is at the mercy of the library. >=20 > In Unix, just as userland applications are "quarantined" from (and by)=20 > the kernel in order to provide security and stability, and are only=20 > able to communicate with the kernel through well-defined and checked=20 > APIs, so would the application and GPG be protected from each other by=20 > acting as co-processes in a client-server model which provides a great=20 > deal of robustness. The application mentioned by the OP (at least on gnupg-devel) would store secret keys in a db and send passphrases to GPG on a pipe. If it isn't careful with these, it doesn't really matter if it isn't careful with the raw private keys. Also, the application will likely know/produce any plaintext to be encrypted and/or need acess to any decrypted messages. That pretty much leaves the application holding all the secrets. --=20 Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com | web: http://jharris.cjb.net/ --SvF6CGw9fzJC4Rcx Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+obliSypIl9OdoOMRApzGAKDVy4a+8GEVlzw3NJfYJ5mJ48/hmwCgnOQY ZJmBWKjMldWHiBKmjaYs4uk= =OzPw -----END PGP SIGNATURE----- --SvF6CGw9fzJC4Rcx-- From ingo.kloecker@epost.de Sun Apr 20 02:22:02 2003 From: ingo.kloecker@epost.de (Ingo =?iso-8859-15?q?Kl=F6cker?=) Date: Sun Apr 20 01:22:02 2003 Subject: Question about --rebuild-keydb-caches Message-ID: <200304200057.58745@erwin.ingo-kloecker.de> --Boundary-02=_2Rdo+4/V6DtIXUP Content-Type: text/plain; charset="iso-8859-15" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline Hi, I just refreshed my keyring (using GnuPG 1.2.1): gpg: Total number processed: 262 gpg: skipped new keys: 1 gpg: unchanged: 142 gpg: new user IDs: 34 gpg: new subkeys: 2 gpg: new signatures: 4333 Afterwards I ran gpg --check-trustdb: > time gpg --check-trustdb gpg: checking at depth 0 signed=3D67 ot(-/q/n/m/f/u)=3D0/0/0/0/0/5 gpg: checking at depth 1 signed=3D64 ot(-/q/n/m/f/u)=3D57/0/0/6/4/0 gpg: checking at depth 2 signed=3D11 ot(-/q/n/m/f/u)=3D37/0/0/0/1/0 gpg: checking at depth 3 signed=3D0 ot(-/q/n/m/f/u)=3D0/0/0/0/1/0 gpg: next trustdb check due at 2003-05-31 real 0m5.672s user 0m4.650s sys 0m0.560s A second run took the same amount of time. Before the refresh it wasn't=20 that slow IIRC. So I decided to try if rebuilding the signature caches=20 helps. Now I get: > time gpg --check-trustdb gpg: checking at depth 0 signed=3D67 ot(-/q/n/m/f/u)=3D0/0/0/0/0/5 gpg: checking at depth 1 signed=3D64 ot(-/q/n/m/f/u)=3D57/0/0/6/4/0 gpg: checking at depth 2 signed=3D11 ot(-/q/n/m/f/u)=3D37/0/0/0/1/0 gpg: checking at depth 3 signed=3D0 ot(-/q/n/m/f/u)=3D0/0/0/0/1/0 gpg: next trustdb check due at 2003-05-31 real 0m1.871s user 0m1.230s sys 0m0.420s So user time went down nearly 75%. My question is now whether there was a problem with my keyring (I have=20 rebuild the caches several times since the days of 1.0.6) or is it=20 always useful to run --rebuild-keydb-caches after larger changes in the=20 keyring. In the latter case the documentation needs to be improved.=20 Currently man gpg simply says: --rebuild-keydb-caches When updating from version 1.0.6 to 1.0.7 this command should be used to create signature caches in the keyring. It might be handy in other situ=ADations too. "other situations" could mean anything. Regards, Ingo --Boundary-02=_2Rdo+4/V6DtIXUP Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+odR2GnR+RTDgudgRAp1eAKCmlLeodJScElw03vuj+tscTk+nFwCfVNzu XkLzldyjc8w4ou9rsjYW+2Y= =rQCl -----END PGP SIGNATURE----- --Boundary-02=_2Rdo+4/V6DtIXUP-- From jharris@widomaker.com Sun Apr 20 03:18:12 2003 From: jharris@widomaker.com (Jason Harris) Date: Sun Apr 20 02:18:12 2003 Subject: --verify --always-trust --with-fingerprint broken? Message-ID: <20030420001839.GA2865@pm1.ric-31.lft.widomaker.com> --RnlQjJ0d97Da+TV1 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable %gpg --verify --always-trust --with-fingerprint seems to always report: Primary key fingerprint: 0E07 7F87 83C2 06C6 02FD 7EF7 9323 84EE BAB6 B3BC regardless of the signing key (GPG 1.2.1). --=20 Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com | web: http://jharris.cjb.net/ --RnlQjJ0d97Da+TV1 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+oedeSypIl9OdoOMRAqFxAJwPNHhiWNd+Bz6LCvizpxlm/yO2CwCfdVQM pk67e5fmjhRrp1BjqyQjTpA= =8Vjs -----END PGP SIGNATURE----- --RnlQjJ0d97Da+TV1-- From linux@codehelp.co.uk Sun Apr 20 15:19:02 2003 From: linux@codehelp.co.uk (Neil Williams) Date: Sun Apr 20 14:19:02 2003 Subject: --verify --always-trust --with-fingerprint broken? In-Reply-To: <20030420001839.GA2865@pm1.ric-31.lft.widomaker.com> References: <20030420001839.GA2865@pm1.ric-31.lft.widomaker.com> Message-ID: <200304201320.05714.linux@codehelp.co.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sunday 20 Apr 2003 1:18 am, Jason Harris wrote: > %gpg --verify --always-trust --with-fingerprint > > seems to always report: > > Primary key fingerprint: 0E07 7F87 83C2 06C6 02FD 7EF7 9323 84EE BAB6 B3BC > > regardless of the signing key (GPG 1.2.1). If you have a secret key available, rather than using --always-trust to drop the warnings, would it be better to locally sign the key used in the signature file? I've tested it on local systems and I agree, if no secret key is available, the only way to get an accurate fingerprint is to omit the --always-trust and just put up with the warning. $ gpg --with-fingerprint gpgme-0.3.15.tar.gz.sig gpg: Signature made Tue 18 Feb 2003 18:27:09 GMT using DSA key ID 87978569 gpg: Good signature from "Marcus Brinkmann " gpg: aka "Marcus Brinkmann" gpg: aka "Marcus Brinkmann " gpg: aka "Marcus Brinkmann " gpg: aka "Marcus Brinkmann " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Fingerprint: 1411 9889 4E27 D44F 7084 F098 C0A4 CBB9 8797 8569 $ gpg --always-trust --with-fingerprint gpgme-0.3.15.tar.gz.sig gpg: Signature made Tue 18 Feb 2003 18:27:09 GMT using DSA key ID 87978569 gpg: Good signature from "Marcus Brinkmann " gpg: aka "Marcus Brinkmann" gpg: aka "Marcus Brinkmann " gpg: aka "Marcus Brinkmann " gpg: aka "Marcus Brinkmann " gpg: WARNING: Using untrusted key! Fingerprint: 0E07 7F87 83C2 06C6 02FD 7EF7 9323 84EE BAB6 B3BC $ gpg --fingerprint 0x87978569 pub 1024D/87978569 1999-05-13 Marcus Brinkmann Key fingerprint = 1411 9889 4E27 D44F 7084 F098 C0A4 CBB9 8797 8569 uid Marcus Brinkmann uid Marcus Brinkmann uid Marcus Brinkmann uid Marcus Brinkmann sub 2048g/C3AF90C1 1999-05-13 So who's fingerprint is: Fingerprint: 0E07 7F87 83C2 06C6 02FD 7EF7 9323 84EE BAB6 B3BC It's not one of mine! 0xA897FD02: 744C 978D 7AB8 F27B 3BA6 C101 93B0 D5AF A897 FD02 0x28BCB3E3: 4CD4 6644 C105 48ED CA28 EC36 8801 094A 28BC B3E3 $ gpg --list-keys --with-fingerprint | grep "744C 978D 7AB8 F27B 3BA6 C101 93B0 D5AF A897 FD02" Key fingerprint = 744C 978D 7AB8 F27B 3BA6 C101 93B0 D5AF A897 FD02 gpg --list-keys --with-fingerprint | grep "0E07 7F87 83C2 06C6 02FD 7EF7 9323 84EE BAB6 B3BC" No output. (With 94 keys in the public ring including Marcus Brinkmann, Werner Koch etc. and most of those on this list who use signatures in email.) ??? - -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk http://www.wewantbroadband.co.uk/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE+opB0iAEJSii8s+MRAg/1AJ9dUiI7hgncMUBB9u0yKoYoiF0X/gCfVlLb fjTPe446zKXxbGdqnWNUMII= =H1mZ -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Sun Apr 20 17:06:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Sun Apr 20 16:06:02 2003 Subject: --verify --always-trust --with-fingerprint broken? In-Reply-To: <20030420001839.GA2865@pm1.ric-31.lft.widomaker.com> References: <20030420001839.GA2865@pm1.ric-31.lft.widomaker.com> Message-ID: <20030420140627.GA1186@jabberwocky.com> --X1bOJ3K7DJ5YkBrT Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Apr 19, 2003 at 08:18:39PM -0400, Jason Harris wrote: >=20 > %gpg --verify --always-trust --with-fingerprint >=20 > seems to always report: >=20 > Primary key fingerprint: 0E07 7F87 83C2 06C6 02FD 7EF7 9323 84EE BAB6 B3= BC >=20 > regardless of the signing key (GPG 1.2.1). Well, that's interesting... Anyway, I just fixed it 1.2.2. Thanks for the report! David --X1bOJ3K7DJ5YkBrT Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+oqlj4mZch0nhy8kRAqNUAKDTZojgXac92pKOVNmDiO6cTVQrPACg07VU EW2Ip26gcKp6YfR2HHz0NQ4= =Q/TV -----END PGP SIGNATURE----- --X1bOJ3K7DJ5YkBrT-- From dshaw@jabberwocky.com Sun Apr 20 17:07:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Sun Apr 20 16:07:02 2003 Subject: --verify --always-trust --with-fingerprint broken? In-Reply-To: <200304201320.05714.linux@codehelp.co.uk> References: <20030420001839.GA2865@pm1.ric-31.lft.widomaker.com> <200304201320.05714.linux@codehelp.co.uk> Message-ID: <20030420140741.GB1186@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sun, Apr 20, 2003 at 01:20:02PM +0100, Neil Williams wrote: > So who's fingerprint is: > Fingerprint: 0E07 7F87 83C2 06C6 02FD 7EF7 9323 84EE BAB6 B3BC That is the fingerprint of a null key (i.e. all zeroes). David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+oqmt4mZch0nhy8kRAhHvAKCmrWDghCueS25SycM3bWEGWGTBNQCePREn xDzlAUnFfcZ4cs0wUWcXYog= =DALh -----END PGP SIGNATURE----- From gnupg-users@nahrath.de Sun Apr 20 17:22:03 2003 From: gnupg-users@nahrath.de (Michael Nahrath) Date: Sun Apr 20 16:22:03 2003 Subject: Question about --rebuild-keydb-caches In-Reply-To: <200304200057.58745@erwin.ingo-kloecker.de> References: <200304200057.58745@erwin.ingo-kloecker.de> Message-ID: <3EA2AD2B.1020900@nahrath.de> This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigC8618647749D12E3E0995E3F Content-Type: multipart/mixed; boundary="------------050009080502090801080904" This is a multi-part message in MIME format. --------------050009080502090801080904 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Ingo KlĂścker wrote: >>time gpg --check-trustdb > > gpg: checking at depth 0 signed=67 ot(-/q/n/m/f/u)=0/0/0/0/0/5 > gpg: checking at depth 1 signed=64 ot(-/q/n/m/f/u)=57/0/0/6/4/0 > gpg: checking at depth 2 signed=11 ot(-/q/n/m/f/u)=37/0/0/0/1/0 > gpg: checking at depth 3 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/1/0 > gpg: next trustdb check due at 2003-05-31 > > real 0m1.871s > user 0m1.230s > sys 0m0.420s > > So user time went down nearly 75%. Did you try this a second time as well? Did you try "time gpg --check-trustdb" afterward? > My question is now whether there was a problem with my keyring (I have > rebuild the caches several times since the days of 1.0.6) Probably there are only one or two keys that cause the delay. Try "gpg --list-keys | egrep pub\ \ ....G" to check for ElGamal Primary keys. They are a real DOS attack to each keyring. > or is it > always useful to run --rebuild-keydb-caches after larger changes in the > keyring. AFAIHU: yes > In the latter case the documentation needs to be improved. ACK. Greeting, Michi --------------050009080502090801080904 Content-Type: application/pgp-signature; name="file:///tmp/nsmail.tmp" Content-Transfer-Encoding: base64 Content-Disposition: inline; filename="file:///tmp/nsmail.tmp" LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KVmVyc2lvbjogR251UEcgdjEuMi4ycmMy IChEYXJ3aW4pCkNvbW1lbnQ6IGh0dHA6Ly93d3cuYmlnbHVtYmVyLmNvbS94L3dlYj9xcz0w eDlBNEM3MDRDCgppRVlFQVJFQ0FBWUZBajZpZWtzQUNna1ExOWRSZjVwTWNFd28rUUNmVXQr SGNzOGdKWlNjZDBnZTJpME9TY0EwCk5CRUFvT3pzaTRJRlkzb3V4bW5HUzVsekxkYkVpV1Zj Cj1jUHFFCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQoK --------------050009080502090801080904-- --------------enigC8618647749D12E3E0995E3F Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (Darwin) Comment: http://www.biglumber.com/x/web?qs=0x9A4C704C iEYEARECAAYFAj6irTcACgkQ19dRf5pMcEyO2ACggPDns3WtCqoufjLgdlj30QMt B24AnR7ZZTqmNKlBOQ1CD2ZgYDv8tQgN =a1QF -----END PGP SIGNATURE----- --------------enigC8618647749D12E3E0995E3F-- From dshaw@jabberwocky.com Sun Apr 20 23:20:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Sun Apr 20 22:20:02 2003 Subject: Question about --rebuild-keydb-caches In-Reply-To: <200304200057.58745@erwin.ingo-kloecker.de> References: <200304200057.58745@erwin.ingo-kloecker.de> Message-ID: <20030420202102.GB1276@jabberwocky.com> --mojUlQ0s9EVzWg2t Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Apr 20, 2003 at 12:57:53AM +0200, Ingo Kl=F6cker wrote: [ rebuilding sig caches improves trustdb time by 75% ] > My question is now whether there was a problem with my keyring (I have=20 > rebuild the caches several times since the days of 1.0.6) or is it=20 > always useful to run --rebuild-keydb-caches after larger changes in the= =20 > keyring. In the latter case the documentation needs to be improved.=20 > Currently man gpg simply says: >=20 > --rebuild-keydb-caches > When updating from version 1.0.6 to 1.0.7 this command should be > used to create signature caches in the keyring. It might be handy > in other situ=ADations too. >=20 > "other situations" could mean anything. This is one of the little improvements that were rolled into 1.2.2. 1.2.2 is a lot more eager to cache signatures during --import so there is less of a need to rebuild the cache periodically. Still, there are some cases when signature caches are not created automatically. For example, say Alice has signed Baker's key. You import Baker's key, then Alice's. In this case, there is no cache created as when Baker's key is imported, Alice's key is not yet present to verify and cache the results of Alice's signature. GnuPG is opportunistic in these cases and can add the signature cache in the background the next time you --edit-key Baker's key. There are a few other ways to improve performance here, but this is unlikely to be in 1.2.3 (or any 1.2.x) as it would be a reasonably large change. David --mojUlQ0s9EVzWg2t Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+owEu4mZch0nhy8kRAohXAJ9QqmVXISRRWDnl+h0wb71agqJycQCghCBD SX9n5MfqCHQqZnnRrf6z1IU= =AfaR -----END PGP SIGNATURE----- --mojUlQ0s9EVzWg2t-- From ingo.kloecker@epost.de Sun Apr 20 23:23:02 2003 From: ingo.kloecker@epost.de (Ingo =?utf-8?q?Kl=C3=B6cker?=) Date: Sun Apr 20 22:23:02 2003 Subject: Question about --rebuild-keydb-caches In-Reply-To: <3EA2AD2B.1020900@nahrath.de> References: <200304200057.58745@erwin.ingo-kloecker.de> <3EA2AD2B.1020900@nahrath.de> Message-ID: <200304202218.51643@erwin.ingo-kloecker.de> --Boundary-02=_rCwo+t4Y677micY Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Sunday 20 April 2003 16:22, Michael Nahrath wrote: > Ingo Kl=C3=B6cker wrote: > >>time gpg --check-trustdb > > > > gpg: checking at depth 0 signed=3D67 ot(-/q/n/m/f/u)=3D0/0/0/0/0/5 > > gpg: checking at depth 1 signed=3D64 ot(-/q/n/m/f/u)=3D57/0/0/6/4/0 > > gpg: checking at depth 2 signed=3D11 ot(-/q/n/m/f/u)=3D37/0/0/0/1/0 > > gpg: checking at depth 3 signed=3D0 ot(-/q/n/m/f/u)=3D0/0/0/0/1/0 > > gpg: next trustdb check due at 2003-05-31 > > > > real 0m1.871s > > user 0m1.230s > > sys 0m0.420s > > > > So user time went down nearly 75%. > > Did you try this a second time as well? Yes, I ran "time gpg --check-trustdb" twice. Same result. > Did you try "time gpg --check-trustdb" afterward? After what? After the first run? Yes, see above. Since then? Yes, I just=20 tried it again: # time gpg --check-trustdb gpg: checking at depth 0 signed=3D67 ot(-/q/n/m/f/u)=3D0/0/0/0/0/5 gpg: checking at depth 1 signed=3D64 ot(-/q/n/m/f/u)=3D57/0/0/6/4/0 gpg: checking at depth 2 signed=3D11 ot(-/q/n/m/f/u)=3D37/0/0/0/1/0 gpg: checking at depth 3 signed=3D0 ot(-/q/n/m/f/u)=3D0/0/0/0/1/0 gpg: next trustdb check due at 2003-05-31 real 0m1.647s user 0m1.270s sys 0m0.360s > > My question is now whether there was a problem with my keyring (I > > have rebuild the caches several times since the days of 1.0.6) > > Probably there are only one or two keys that cause the delay. > > Try "gpg --list-keys | egrep pub\ \ ....G" to check for ElGamal > Primary keys. They are a real DOS attack to each keyring. # gpg --list-keys | egrep pub\ \ ....G pub 4096G/DEADBEEF So there is only one of those keys in my keyring. Let's make a small test (deleting the key and re-importing it): # gpg --export --armor DEADBEEF >DEADBEEF.asc # gpg --delete-key DEADBEEF pub 4096G/DEADBEEF Delete this key from the keyring? y # time gpg --check-trustdb gpg: checking at depth 0 signed=3D67 ot(-/q/n/m/f/u)=3D0/0/0/0/0/5 gpg: checking at depth 1 signed=3D64 ot(-/q/n/m/f/u)=3D57/0/0/6/4/0 gpg: checking at depth 2 signed=3D11 ot(-/q/n/m/f/u)=3D37/0/0/0/1/0 gpg: checking at depth 3 signed=3D0 ot(-/q/n/m/f/u)=3D0/0/0/0/1/0 gpg: next trustdb check due at 2003-05-31 real 0m1.731s user 0m1.280s sys 0m0.350s # time gpg --check-trustdb gpg: checking at depth 0 signed=3D67 ot(-/q/n/m/f/u)=3D0/0/0/0/0/5 gpg: checking at depth 1 signed=3D64 ot(-/q/n/m/f/u)=3D57/0/0/6/4/0 gpg: checking at depth 2 signed=3D11 ot(-/q/n/m/f/u)=3D37/0/0/0/1/0 gpg: checking at depth 3 signed=3D0 ot(-/q/n/m/f/u)=3D0/0/0/0/1/0 gpg: next trustdb check due at 2003-05-31 real 0m1.699s user 0m1.270s sys 0m0.320s # gpg --import DEADBEEF.asc gpg: key DEADBEEF: public key "xyz" imported gpg: Total number processed: 1 gpg: imported: 1 # time gpg --check-trustdb gpg: checking at depth 0 signed=3D67 ot(-/q/n/m/f/u)=3D0/0/0/0/0/5 gpg: checking at depth 1 signed=3D64 ot(-/q/n/m/f/u)=3D57/0/0/6/4/0 gpg: checking at depth 2 signed=3D11 ot(-/q/n/m/f/u)=3D37/0/0/0/1/0 gpg: checking at depth 3 signed=3D0 ot(-/q/n/m/f/u)=3D0/0/0/0/1/0 gpg: next trustdb check due at 2003-05-31 real 0m38.306s user 0m37.770s sys 0m0.400s # time gpg --check-trustdb gpg: checking at depth 0 signed=3D67 ot(-/q/n/m/f/u)=3D0/0/0/0/0/5 gpg: checking at depth 1 signed=3D64 ot(-/q/n/m/f/u)=3D57/0/0/6/4/0 gpg: checking at depth 2 signed=3D11 ot(-/q/n/m/f/u)=3D37/0/0/0/1/0 gpg: checking at depth 3 signed=3D0 ot(-/q/n/m/f/u)=3D0/0/0/0/1/0 gpg: next trustdb check due at 2003-05-31 real 0m40.260s user 0m37.890s sys 0m0.580s # gpg --rebuild-keydb-caches gpg: checking keyring `/home/ingo/.gnupg/pubring.gpg' gpg: public key FBBB8AB1 is 58138 seconds newer than the signature gpg: 50 keys so far checked (6070 signatures) gpg: 100 keys so far checked (9058 signatures) gpg: 150 keys so far checked (14018 signatures) gpg: 200 keys so far checked (17647 signatures) gpg: 250 keys so far checked (19479 signatures) gpg: 275 keys checked (19697 signatures) # time gpg --check-trustdb gpg: checking at depth 0 signed=3D67 ot(-/q/n/m/f/u)=3D0/0/0/0/0/5 gpg: checking at depth 1 signed=3D64 ot(-/q/n/m/f/u)=3D57/0/0/6/4/0 gpg: checking at depth 2 signed=3D11 ot(-/q/n/m/f/u)=3D37/0/0/0/1/0 gpg: checking at depth 3 signed=3D0 ot(-/q/n/m/f/u)=3D0/0/0/0/1/0 gpg: next trustdb check due at 2003-05-31 real 0m1.736s user 0m1.350s sys 0m0.300s Hmm, this doesn't look to good. It seems that after each import of a new=20 key (or at least after importing of expensive keys) rebuilding the=20 keydb caches might improve the speed of check-trustdb dramatically. Regards, Ingo --Boundary-02=_rCwo+t4Y677micY Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+owCrGnR+RTDgudgRAjBkAJ4l8YLIZoDyytn3q3ijT04uALgtBQCg4oI7 mD/iMWJMwwTv1wUUVJIvDSY= =crxF -----END PGP SIGNATURE----- --Boundary-02=_rCwo+t4Y677micY-- From jharris@widomaker.com Sun Apr 20 23:37:02 2003 From: jharris@widomaker.com (Jason Harris) Date: Sun Apr 20 22:37:02 2003 Subject: new (2003-04-20) keyanalyze results Message-ID: <20030420203815.GU52142@pm1.ric-37.lft.widomaker.com> --tpZe61tYkA9f+p/0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable New keyanalyze results are available at: http://keyserver.kjsl.com/~jharris/ka/2003-04-20/ Earlier reports are also available, for comparison: http://keyserver.kjsl.com/~jharris/ka/ Even earlier monthly reports are at: http://dtype.org/keyanalyze/ --=20 Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com | web: http://jharris.cjb.net/ --tpZe61tYkA9f+p/0 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+owU0SypIl9OdoOMRArU/AKDS+ctzd2rWKhOb37oyDC3MqhZE0wCeLb22 3iDNb6HsR0H3oL+NZoE1LSE= =EQLw -----END PGP SIGNATURE----- --tpZe61tYkA9f+p/0-- From jharris@widomaker.com Mon Apr 21 00:16:02 2003 From: jharris@widomaker.com (Jason Harris) Date: Sun Apr 20 23:16:02 2003 Subject: another 0xDEADBEEF key (was Re: Question about --rebuild-keydb-caches) In-Reply-To: <200304202218.51643@erwin.ingo-kloecker.de> References: <200304200057.58745@erwin.ingo-kloecker.de> <3EA2AD2B.1020900@nahrath.de> <200304202218.51643@erwin.ingo-kloecker.de> Message-ID: <20030420211648.GA5558@pm1.ric-24.lft.widomaker.com> --ibTvN161/egqYuK8 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Apr 20, 2003 at 10:18:44PM +0200, Ingo Kl=F6cker wrote: > # gpg --list-keys | egrep pub\ \ ....G > pub 4096G/DEADBEEF Cool, another one. Did you use Imad's tool to generate it? Care to send a copy to the keyservers? --=20 Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com | web: http://jharris.cjb.net/ --ibTvN161/egqYuK8 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+ow5ASypIl9OdoOMRAqf+AKDCZ8tIe7h52Y19T2gexiif8BIxUACgiS+u fFhVWFDjiftKo8nrqu5YBrI= =fNw7 -----END PGP SIGNATURE----- --ibTvN161/egqYuK8-- From ingo.kloecker@epost.de Mon Apr 21 00:57:04 2003 From: ingo.kloecker@epost.de (Ingo =?iso-8859-1?q?Kl=F6cker?=) Date: Sun Apr 20 23:57:04 2003 Subject: another 0xDEADBEEF key (was Re: Question about --rebuild-keydb-caches) In-Reply-To: <20030420211648.GA5558@pm1.ric-24.lft.widomaker.com> References: <200304200057.58745@erwin.ingo-kloecker.de> <200304202218.51643@erwin.ingo-kloecker.de> <20030420211648.GA5558@pm1.ric-24.lft.widomaker.com> Message-ID: <200304202354.31504@erwin.ingo-kloecker.de> --Boundary-02=_Xcxo+Zg3HmkE4mK Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Sunday 20 April 2003 23:16, Jason Harris wrote: > On Sun, Apr 20, 2003 at 10:18:44PM +0200, Ingo Kl=F6cker wrote: > > # gpg --list-keys | egrep pub\ \ ....G > > pub 4096G/DEADBEEF > > Cool, another one. Did you use Imad's tool to generate it? Care to > send a copy to the keyservers? I'm sorry to disappoint you. But I just wrote DEADBEEF instead of the=20 real key id to protect the privacy of the key owner. Regards, Ingo --Boundary-02=_Xcxo+Zg3HmkE4mK Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+oxcXGnR+RTDgudgRAmk4AJ9AkNMJK/rf4cyFZo4WIzAkzKGvgwCgntnz W2jcfmWboG6VW4XNR8feLE4= =mmBe -----END PGP SIGNATURE----- --Boundary-02=_Xcxo+Zg3HmkE4mK-- From dshaw@jabberwocky.com Mon Apr 21 01:42:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Mon Apr 21 00:42:02 2003 Subject: another 0xDEADBEEF key (was Re: Question about --rebuild-keydb-caches) In-Reply-To: <20030420211648.GA5558@pm1.ric-24.lft.widomaker.com> References: <200304200057.58745@erwin.ingo-kloecker.de> <3EA2AD2B.1020900@nahrath.de> <200304202218.51643@erwin.ingo-kloecker.de> <20030420211648.GA5558@pm1.ric-24.lft.widomaker.com> Message-ID: <20030420224237.GC1276@jabberwocky.com> --eHhjakXzOLJAF9wJ Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Apr 20, 2003 at 05:16:49PM -0400, Jason Harris wrote: > On Sun, Apr 20, 2003 at 10:18:44PM +0200, Ingo Kl=F6cker wrote: >=20 > > # gpg --list-keys | egrep pub\ \ ....G > > pub 4096G/DEADBEEF >=20 > Cool, another one. Did you use Imad's tool to generate it? Care to > send a copy to the keyservers? Why? If the key owner wanted a copy on the keyserver, they'd have sent it there themselves. Sending a key to the keyservers "against the will" of the key owner is not necessarily doing the owner any favors. David --eHhjakXzOLJAF9wJ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+oyJd4mZch0nhy8kRArDcAJ4pLZKnw7aN5ykwzg9TWMHheHGRAACgp1TB i+9zhrieIbU1cgd877T95tY= =rAXD -----END PGP SIGNATURE----- --eHhjakXzOLJAF9wJ-- From dshaw@jabberwocky.com Mon Apr 21 01:44:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Mon Apr 21 00:44:02 2003 Subject: Question about --rebuild-keydb-caches In-Reply-To: <200304202218.51643@erwin.ingo-kloecker.de> References: <200304200057.58745@erwin.ingo-kloecker.de> <3EA2AD2B.1020900@nahrath.de> <200304202218.51643@erwin.ingo-kloecker.de> Message-ID: <20030420224447.GD1276@jabberwocky.com> --+KJYzRxRHjYqLGl5 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Apr 20, 2003 at 10:18:44PM +0200, Ingo Kl=F6cker wrote: >=20 > Hmm, this doesn't look to good. It seems that after each import of a new= =20 > key (or at least after importing of expensive keys) rebuilding the=20 > keydb caches might improve the speed of check-trustdb dramatically. Yes. Upgrade to 1.2.2 when it comes out and you won't have to. David --+KJYzRxRHjYqLGl5 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+oyLf4mZch0nhy8kRAveYAJ93rjSnf/0L7PyfLiOBN6TLzGTfPQCgrcZG +74/0BxrQL1zEDX8CeLjQZw= =FRSG -----END PGP SIGNATURE----- --+KJYzRxRHjYqLGl5-- From jharris@widomaker.com Mon Apr 21 02:42:01 2003 From: jharris@widomaker.com (Jason Harris) Date: Mon Apr 21 01:42:01 2003 Subject: another 0xDEADBEEF key (was Re: Question about --rebuild-keydb-caches) In-Reply-To: <20030420224237.GC1276@jabberwocky.com> References: <200304200057.58745@erwin.ingo-kloecker.de> <3EA2AD2B.1020900@nahrath.de> <200304202218.51643@erwin.ingo-kloecker.de> <20030420211648.GA5558@pm1.ric-24.lft.widomaker.com> <20030420224237.GC1276@jabberwocky.com> Message-ID: <20030420234307.GA7474@pm1.ric-24.lft.widomaker.com> --C7zPtVaVf+AK4Oqc Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Apr 20, 2003 at 06:42:37PM -0400, David Shaw wrote: > On Sun, Apr 20, 2003 at 05:16:49PM -0400, Jason Harris wrote: > > Cool, another one. Did you use Imad's tool to generate it? Care to > > send a copy to the keyservers? >=20 > Why? If the key owner wanted a copy on the keyserver, they'd have > sent it there themselves. :) I assumed he created it himself, which is why I wrote: "Did _you_ (emphasis added) use Imad's tool to generate it?" --=20 Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com | web: http://jharris.cjb.net/ --C7zPtVaVf+AK4Oqc Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+ozCKSypIl9OdoOMRAsHgAJ92H9izJw38Ljh361NBXK+gky+qGACcCFuu GwudPpW3JpxPDOyFLKc1Dtk= =yf2s -----END PGP SIGNATURE----- --C7zPtVaVf+AK4Oqc-- From cyrus@codeperl.com Mon Apr 21 11:30:02 2003 From: cyrus@codeperl.com (Cyrus Dantes) Date: Mon Apr 21 10:30:02 2003 Subject: Generating a key using another algo Message-ID: <20030421033243.GA21187@codeperl.com> Hello All, I was wondering how one could go about generating a key in GnuPG which doesn't use the AES-128 bit algo that it does by Default. PGP 8.x let's us do this by selecting our preferred algo in which any key we generate after that will be using that algo, so is there anyway that we can do so in GnuPG. I found something in an FAQ, but when I followed the instructions, it still did not work and was wondering if anyone else had any tips. Thanks. From gnupg-users@nahrath.de Mon Apr 21 11:46:01 2003 From: gnupg-users@nahrath.de (Michael Nahrath) Date: Mon Apr 21 10:46:01 2003 Subject: Question about --rebuild-keydb-caches In-Reply-To: <200304202218.51643@erwin.ingo-kloecker.de> References: <200304200057.58745@erwin.ingo-kloecker.de> <3EA2AD2B.1020900@nahrath.de> <200304202218.51643@erwin.ingo-kloecker.de> Message-ID: <3EA3B015.2030203@nahrath.de> This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig58B1961704ED22B370E96E0F Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Ingo KlĂścker wrote: > On Sunday 20 April 2003 16:22, Michael Nahrath wrote: > >>Ingo KlĂścker wrote: >> >>>>time gpg --check-trustdb >>Did you try this a second time as well? > Yes, I ran "time gpg --check-trustdb" twice. Same result. Sorry, I quoted the wrong line. I meant "Did you run 'time gpg --rebuild-keydb-caches' for a second time?" But manwhile you have run all the extended tests that I intended to suggest :) > # gpg --list-keys | egrep pub\ \ ....G > pub 4096G/DEADBEEF > > So there is only one of those keys in my keyring. I guess "DEADBEAF" stands for 10F4B2AA. I had a problem with that key earlier and braught it to this list on 2002-12-04. David Shaw explained then: >> But before deleting them those 2 signatures seem to have corrupted my >> whole keyring. > > Not corrupted. David's key has several user ID revocations on it. > Elgamal is a very slow signing algorithm, and validating those > revocation self-signatures takes time. > > When you deleted one of them, you caused the signature cache to be > updated, so the sigs didn't need to be checked again. You could have > deleted anything from that key or run --rebuild-keydb-caches and > gotten the same result. > > When GnuPG imports a new key, it automatically caches signatures, but > does not cache user ID revocations. HTH, Greeting, Michi --------------enig58B1961704ED22B370E96E0F Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (Darwin) Comment: http://www.biglumber.com/x/web?qs=0x9A4C704C iEYEARECAAYFAj6jsCAACgkQ19dRf5pMcEydNwCg+sK5uUAxNLB+iOyVp+8plD1B yusAoKf/0O7yOK5M6MNNTjb6EUj5MXfL =lFgL -----END PGP SIGNATURE----- --------------enig58B1961704ED22B370E96E0F-- From jacdej@aent.com Mon Apr 21 17:12:02 2003 From: jacdej@aent.com (Jacques Dejean) Date: Mon Apr 21 16:12:02 2003 Subject: compiling pinentry-0.6.8 Message-ID: Hello, In compiling pinentry-0.6.8 on an hpux 11.11 system with HP ANSI/C compiler, the process fails with the following error -- checking for fopencookie... no configure: error: *** *** fopencookie(3) is needed to build this package. *** We will provide an replacement in a later release. *** I am running the following command -- > export CC=/usr/bin/cc > configure --prefix=/opt/gnu --with-libiconv-prefix=/opt/gnu/lib Is there an alternate version of glibc-2.3, containing "fopencookie", which is available for hpux 11.11? Thanks for you reply. Regards, Jacques V. Dejean Lead Systems Administrator Alliance Entertainment (v) 954-255-4344 From wk@gnupg.org Mon Apr 21 20:35:02 2003 From: wk@gnupg.org (Werner Koch) Date: Mon Apr 21 19:35:02 2003 Subject: C/C++ API for GnuPG In-Reply-To: <20030419210227.GT52142@pm1.ric-37.lft.widomaker.com> (Jason Harris's message of "Sat, 19 Apr 2003 17:02:27 -0400") References: <4D063DFE-720F-11D7-A12E-003065B1243E@mac.com> <20030419210227.GT52142@pm1.ric-37.lft.widomaker.com> Message-ID: <87he8rn460.fsf@alberti.g10code.de> On Sat, 19 Apr 2003 17:02:27 -0400, Jason Harris said: > The library knows which page(s) to lock and should request that whether > it runs inside GPG or another app. No, it can't. Under a lot of OSes it is not possible to protect against paging or you need to have root capabilities to do so. Noone would do this in a library. -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From wk@gnupg.org Mon Apr 21 20:55:02 2003 From: wk@gnupg.org (Werner Koch) Date: Mon Apr 21 19:55:02 2003 Subject: compiling pinentry-0.6.8 In-Reply-To: (Jacques Dejean's message of "Mon, 21 Apr 2003 10:11:46 -0400") References: Message-ID: <87el3vn32y.fsf@alberti.g10code.de> On Mon, 21 Apr 2003 10:11:46 -0400, Jacques Dejean said: > *** fopencookie(3) is needed to build this package. > *** We will provide an replacement in a later release. We do have a replacenment for BSD systems and are working on libgio which eventually should allow to use glib's stdio implementation with other libcs. However, this is work in progress and needs adjustments for most OSes. Afaik, there is a project to port glibc to a generic POSIX system which would instantly solve this problem. -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From jharris@widomaker.com Mon Apr 21 20:55:30 2003 From: jharris@widomaker.com (Jason Harris) Date: Mon Apr 21 19:55:30 2003 Subject: 4096G pubkeys (was Re: Question about --rebuild-keydb-caches) In-Reply-To: <3EA3B015.2030203@nahrath.de> References: <200304200057.58745@erwin.ingo-kloecker.de> <3EA2AD2B.1020900@nahrath.de> <200304202218.51643@erwin.ingo-kloecker.de> <3EA3B015.2030203@nahrath.de> Message-ID: <20030421175600.GX52142@pm1.ric-37.lft.widomaker.com> --bWJzwVwZrZVVyQvz Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Apr 21, 2003 at 10:47:17AM +0200, Michael Nahrath wrote: [4096G key] > I guess "DEADBEAF" stands for 10F4B2AA. >=20 > I had a problem with that key earlier and braught it to this list on 2002= -12-04. There are more 4096G pubkeys (or at least those where bits /^4/, in the latest kjsl.com keyanalyze dump, as reported by pgpring): (bits (y, NB: p is what everyone else uses.), algo., keyid) 4095 20 FD865009CEB1FA2B 4091 20 324D1E69F24F5932 4093 20 B703329E41C6517C 4094 20 5954AEAF7B473399 4095 20 1D461AB93BF55BD2 4095 20 8572E22610F4B2AA <- just 1 of 70 4096 20 AF934E83C4EB3EF2 4096 20 8D6DE5BDE522701D 4095 20 C21C1A952C52A219 4096 20 351336B2DCA1913A 4094 20 5198D0251C18E747 4092 20 744603EF67F4A86A 4096 20 7A0AE1F45FCACE03 4092 20 AA218FA8DEF57CCD 4095 20 7F0620CB9D628230 4093 20 516C78085CFA4E9F 4094 20 5DB1491D6FF0E3C1 4095 20 12E4B45067C1C854 4096 20 66DFEAF1A9719299 4095 20 E7E8359649072930 4094 20 809EA1BD0EE3D52E 4096 20 88121E149A0C65C8 4092 20 4499F4EBB24233CC 4094 20 5BC606F18C58F7B1 4096 20 2915D98D1D429DA6 4094 20 A2F4E26D59265171 4095 20 4F81B08F8090E86F 4095 20 6E97B1BA7EE102D4 4088 20 0898C0F58A3F8351 4093 20 2D3823F52D48A33A 4096 20 6CD1474DBE329B1B 4096 20 5CE34084BD64F025 4096 20 83F375C3DE093968 4096 20 B0822A4707BCEA3D 4095 20 A8C853F858F4D06D 4094 20 D27184F365A9A149 4096 20 58164E6B80C15776 4095 20 332B12751BEE2AA5 4095 20 19488F7A237F284B 4096 20 D66428BD3C2BC6FF 4091 20 F7541FB9E76CBAB8 4095 20 465B3B6643058814 4092 20 1766B97D110267D7 4093 20 7671134EA69B14E1 4095 20 338C811235FB5626 4096 20 8DEC5A185A753691 4096 20 CD65FC70B220A1EB 4094 20 A076D8329BCB810D 4093 20 DC1BAFD8A2C27CE5 4096 20 F3F2C0BA6CEE61DA 4095 20 1B8029E348C1E456 4094 20 F268E7627CC7047A 4093 20 96335AD5A16BE81D 4090 20 7B8BCC89DC1E0B9D 4095 20 AB8BD6AC81A11F8C 4095 20 78E47CE46928B48B 4095 20 7F8931EEEA8C9535 4096 20 1485CCEECA3BF6DA 4095 20 D982D0FFCEA42F4C 4096 20 1DCF396BD7487F55 4092 20 8197FDF320F683C4 4096 20 95647067859B6666 4095 20 E924035A93B53FED 4095 20 8D2FB8513F1DCAB2 4096 20 3195D9260D8D1A46 4094 20 6B11D380EF64D9D8 4095 20 C49FB57907D2A99C 4096 20 CF2B6AE358DCC2D2 4095 20 D9A4AC2407D347FE 4095 20 AF604E937E76FE8A --=20 Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com | web: http://jharris.cjb.net/ --bWJzwVwZrZVVyQvz Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+pDCrSypIl9OdoOMRApv1AJ9yVbWOYbhcmuwAFnSpJ7o8b3ktAwCeObVu 6Ro7PCjKQjxnb2cB10j568g= =Rk3U -----END PGP SIGNATURE----- --bWJzwVwZrZVVyQvz-- From DenisMcCauley@ifrance.com Mon Apr 21 21:56:04 2003 From: DenisMcCauley@ifrance.com (Denis McCauley) Date: Mon Apr 21 20:56:04 2003 Subject: Generating a key using another algo In-Reply-To: <20030421033243.GA21187@codeperl.com> References: <20030421033243.GA21187@codeperl.com> Message-ID: <3EA43EE0.8060901@ifrance.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cyrus Dantes wrote: > Hello All, > > I was wondering how one could go about generating a key in GnuPG which doesn't use the AES-128 bit > algo that it does by Default. PGP 8.x let's us do this by selecting our= preferred algo in which > any key we generate after that will be using that algo, so is there any= way that we can do so in > GnuPG. I found something in an FAQ, but when I followed the instruction= s, it still did not work > and was wondering if anyone else had any tips. Thanks. > With GPG you can change the algorithms you use after key creation by changing your preferences on the key. The command-line sequence (on a Windows OS) is: prompt> --edit-key "yourkeyid" (without the quotes) prompt> pref (this lists current preferences; aes128 is s7) prompt> setpref "string" (type the string shown above, without s7 in your= case=B0) prompt> updpref (which brings up an interactive dialogue) prompt> save Cheers, Denis - -- =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Denis McCauley GPG/PGP keys at http://www.djmccauley.tk =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1-nr1 (Windows 2000) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+pD7d3wn5k0VSiPERAoxIAJ0bc35SB9rG7RvYBbwqYDm6GqvHpgCfQWYM KR8WcEnNCq4TVYHBS2uuGeY=3D =3DFBCF -----END PGP SIGNATURE----- From DenisMcCauley@ifrance.com Mon Apr 21 22:05:04 2003 From: DenisMcCauley@ifrance.com (Denis McCauley) Date: Mon Apr 21 21:05:04 2003 Subject: Generating a key using another algo Message-ID: <3EA4410E.7090603@ifrance.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sorry, the first line of sequence in my previous message should read: prompt> gpg --edit-key "yourkeyid" (without the quotes) Cheers - -- ========================================== Denis McCauley GPG/PGP keys at http://www.djmccauley.tk ========================================== -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1-nr1 (Windows 2000) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+pEEL3wn5k0VSiPERAs1yAJ9hLB4picbIP3IzRU0S63gQeQ4G1ACeIfaO 1Q+vdx0hIyfNLBPm26cffU4= =LcRU -----END PGP SIGNATURE----- From jharris@widomaker.com Mon Apr 21 23:17:02 2003 From: jharris@widomaker.com (Jason Harris) Date: Mon Apr 21 22:17:02 2003 Subject: C/C++ API for GnuPG In-Reply-To: <87he8rn460.fsf@alberti.g10code.de> References: <4D063DFE-720F-11D7-A12E-003065B1243E@mac.com> <20030419210227.GT52142@pm1.ric-37.lft.widomaker.com> <87he8rn460.fsf@alberti.g10code.de> Message-ID: <20030421201806.GY52142@pm1.ric-37.lft.widomaker.com> --gz4FNQG/2iJjJcgR Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Apr 21, 2003 at 07:36:39PM +0200, Werner Koch wrote: > On Sat, 19 Apr 2003 17:02:27 -0400, Jason Harris said: >=20 > > The library knows which page(s) to lock and should request that whether > > it runs inside GPG or another app. >=20 > No, it can't. Under a lot of OSes it is not possible to protect > against paging or you need to have root capabilities to do so. Noone > would do this in a library. (Werner, is this from someone trying to make trouble for you? :) It can attempt it and report if it fails, no? lock_pool() (src/secmem.c) in libgcrypt (1.1.9) reports failed mlock()s... [sorry, but I had to make sure it was still there] Hey, what's this (cvs annotate output): 1.1 (wkoch 24-Jan-00): err =3D mlock( p, n ); 1.1 (wkoch 24-Jan-00): err =3D errno; Also, OpenBSD's and NetBSD's man pages for mlock(2) (on websites) don't say root privs are specifically required. (FreeBSD could use this feature, w/o the hassles of ACLs/capabilities/whatever.) --=20 Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com | web: http://jharris.cjb.net/ --gz4FNQG/2iJjJcgR Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+pFH8SypIl9OdoOMRAnmhAJ0dQNeofOY3LQbGSg+zf+Ak/UfBDACePLRB 0qzda0i4GdjGLZYdahw1hLE= =TDcY -----END PGP SIGNATURE----- --gz4FNQG/2iJjJcgR-- From canadienx@hotmail.com Tue Apr 22 00:21:02 2003 From: canadienx@hotmail.com (Michel Mansour) Date: Mon Apr 21 23:21:02 2003 Subject: Change install directory (1.2.1) Message-ID: Hi, I'm trying to compile and install gnupg-1.2.1 for Solaris 8. I want to change the install directory to something different than /usr/local/bin so that I don't need root access. I don't want to use the --prefix option because I want to keep the default directory structure; I just want to change where "make install" puts the binaries. Is there a way to do this? I've looked through the INSTALL and README files with no luck. Thanks! _________________________________________________________________ MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*. http://join.msn.com/?page=features/virus From jbruni@mac.com Tue Apr 22 01:04:04 2003 From: jbruni@mac.com (Joseph Bruni) Date: Tue Apr 22 00:04:04 2003 Subject: C/C++ API for GnuPG Message-ID: <7426774.1050962739611.JavaMail.jbruni@mac.com> Tru64 4.0, HP/UX 11i, FreeBSD 5.0, Linux 2.4, Solaris 5.8 all require root privs for mlock(). OS X 10.2 lets non-root processes call mlock() up to RLIMIT_MEMLOCK pages (whatever that is). On Monday, April 21, 2003, at 02:18PM, Jason Harris wrote: >On Mon, Apr 21, 2003 at 07:36:39PM +0200, Werner Koch wrote: >> On Sat, 19 Apr 2003 17:02:27 -0400, Jason Harris said: >> >> > The library knows which page(s) to lock and should request that whether >> > it runs inside GPG or another app. >> >> No, it can't. Under a lot of OSes it is not possible to protect >> against paging or you need to have root capabilities to do so. Noone >> would do this in a library. > >(Werner, is this from someone trying to make trouble for you? :) > >It can attempt it and report if it fails, no? lock_pool() >(src/secmem.c) in libgcrypt (1.1.9) reports failed mlock()s... > >[sorry, but I had to make sure it was still there] >Hey, what's this (cvs annotate output): > > 1.1 (wkoch 24-Jan-00): err = mlock( p, n ); > 1.1 (wkoch 24-Jan-00): err = errno; > > >Also, OpenBSD's and NetBSD's man pages for mlock(2) (on websites) don't >say root privs are specifically required. (FreeBSD could use this >feature, w/o the hassles of ACLs/capabilities/whatever.) > >-- >Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? >jharris@widomaker.com | web: http://jharris.cjb.net/ > > -- PGP Fingerprint: 886F 6A8A 68A1 5E90 EF3F 8EFA E2B8 3F99 7343 C1E3 From bminton@efn.org Tue Apr 22 02:25:02 2003 From: bminton@efn.org (Brian Minton) Date: Tue Apr 22 01:25:02 2003 Subject: Change install directory (1.2.1) In-Reply-To: References: Message-ID: <20030421231854.GC15378@bminton.dyn.cheapnet.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, Apr 21, 2003 at 05:21:43PM -0400, Michel Mansour wrote: > Hi, > > I'm trying to compile and install gnupg-1.2.1 for Solaris 8. I want to > change the install directory to something different than /usr/local/bin so > that I don't need root access. I don't want to use the --prefix option > because I want to keep the default directory structure; I just want to > change where "make install" puts the binaries. Is there a way to do this? > I've looked through the INSTALL and README files with no luck. > > Thanks! I think you need to be more specific with what you want, when you say you don't want to change directory structure. --prefix doesn't change the directory structure, it just relocates the entire hierarchy. For instance, if I run configure with --prefix=/foo/bar the binaries will be in /foo/bar/bin the man pages will be in /foo/bar/man etc. If you want everything to go to /usr/local (the default prefix) but want the binaries to go somewhere else, you can use the --bindir option For more info, call configure with --help - -- Brian Minton | OpenPGP fingerprint: brian@minton.name | 81BE 3A84 A502 ABDD B2CC http://brian.minton.name | 4BFD 7227 8820 5703 7472 Live long, and prosper longer! KeyID: 0x57037472 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+pHxdcieIIFcDdHIRAppxAJsFVXxrwczkNRU6ZtnlXEk93RdGLQCfX7nE NnD2Q3IoUn8x1XJ7v3VQvMM= =NiOm -----END PGP SIGNATURE----- From JPClizbe@attbi.com Tue Apr 22 02:45:03 2003 From: JPClizbe@attbi.com (John P. Clizbe) Date: Tue Apr 22 01:45:03 2003 Subject: Change install directory (1.2.1) In-Reply-To: References: Message-ID: <3EA482B6.7090002@attbi.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Michel Mansour wrote: > I'm trying to compile and install gnupg-1.2.1 for Solaris 8. I want to > change the install directory to something different than /usr/local/bin so > that I don't need root access. I don't want to use the --prefix option > because I want to keep the default directory structure; I just want to > change where "make install" puts the binaries. Is there a way to do this? > I've looked through the INSTALL and README files with no luck. I'm puzzled about not using --prefix to 'keep the default directory structure' since the default for --prefix is /usr/local. Those other "default" directories would also require root access for installation. Anyway FWIW,`./configure --help` gives the following info: Installation directories: --prefix=PREFIX install architecture-independent files in PREFIX [/usr/local] --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX [PREFIX] By default, `make install' will install all the files in `/usr/local/bin', `/usr/local/lib' etc. You can specify an installation prefix other than `/usr/local' using `--prefix', for instance `--prefix=$HOME'. For better control, use the options below. Fine tuning of the installation directories: --bindir=DIR user executables [EPREFIX/bin] --sbindir=DIR system admin executables [EPREFIX/sbin] --libexecdir=DIR program executables [EPREFIX/libexec] --datadir=DIR read-only architecture-independent data [PREFIX/share] --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] --infodir=DIR info documentation [PREFIX/info] --mandir=DIR man documentation [PREFIX/man] So, to only change the binary directory, specify --bindir= to the configure script, ie" `./configure --bindir=$HOME/bin`. Then the usual make commands..... - -- John P. Clizbe Inet: JPClizbe@EarthLink.net Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Most men take the straight and narrow. A few take the road less traveled. I chose to cut through the woods." "There is safety in Numbers... *VERY LARGE PRIME* Numbers 9:00PM Tonight on _REAL_IRONY_: Vegetarian Man Eaten by Cannibals -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1-nr1 (Windows 2000) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+pIK0HQSsSmCNKhARArl9AKCgvSONW7ZbTy2TcMKNmMU0EWOYngCg+v45 2heK5+sCoIxj/oZFsWcPVNc= =caI9 -----END PGP SIGNATURE----- From canadienx@hotmail.com Tue Apr 22 03:40:02 2003 From: canadienx@hotmail.com (Michel Mansour) Date: Tue Apr 22 02:40:02 2003 Subject: Change install directory (1.2.1) Message-ID: > > Hi, > > > > I'm trying to compile and install gnupg-1.2.1 for Solaris 8. I want to > > change the install directory to something different than /usr/local/bin >so > > that I don't need root access. I don't want to use the --prefix option > > because I want to keep the default directory structure; I just want to > > change where "make install" puts the binaries. Is there a way to do >this? > > I've looked through the INSTALL and README files with no luck. > > > > Thanks! > >I think you need to be more specific with what you want, when you say you >don't want to change directory structure. --prefix doesn't change the >directory structure, it just relocates the entire hierarchy. For instance, >if >I run configure with --prefix=/foo/bar the binaries will be in /foo/bar/bin >the man pages will be in /foo/bar/man etc. If you want everything to go >to /usr/local (the default prefix) but want the binaries to go somewhere >else, >you can use the --bindir option For more info, call configure with --help > Let me clarify what I was asking in my initial message (sorry about the confusion). What I'm looking for is to keep the default hierarchy (/usr/local/bin, /usr/local/lib, etc.), but I want the entire hierarchy to be installed in a directory that I specify, for example $HOME/gnupg. So, it would look like this after the install: $HOME/gnupg/usr/local/bin, $HOME/gnupg/usr/local/lib, and so on. I know this may not be an issue unique to gnupg, but this is the first I've encountered this problem, which is also why my first post was confusing. I hope my question is clear now. Thanks, Michel _________________________________________________________________ The new MSN 8: advanced junk mail protection and 2 months FREE* http://join.msn.com/?page=features/junkmail From jbruni@mac.com Tue Apr 22 04:33:02 2003 From: jbruni@mac.com (Joseph Bruni) Date: Tue Apr 22 03:33:02 2003 Subject: Change install directory (1.2.1) In-Reply-To: Message-ID: <72D7EDD0-7462-11D7-933E-003065B1243E@mac.com> ./configure --prefix $HOME/gnupg/usr/local That should do the trick. On Monday, April 21, 2003, at 05:40 PM, Michel Mansour wrote: > Let me clarify what I was asking in my initial message (sorry about > the confusion). What I'm looking for is to keep the default hierarchy > (/usr/local/bin, /usr/local/lib, etc.), but I want the entire > hierarchy to be installed in a directory that I specify, for example > $HOME/gnupg. So, it would look like this after the install: > $HOME/gnupg/usr/local/bin, $HOME/gnupg/usr/local/lib, and so on. > From jbruni@mac.com Tue Apr 22 04:36:02 2003 From: jbruni@mac.com (Joseph Bruni) Date: Tue Apr 22 03:36:02 2003 Subject: Change install directory (1.2.1) In-Reply-To: Message-ID: By the way, if you are doing this in order to build a tarball that you can transplant to another system, you might not get what you expect. Some utilities (like OpenSSH) use what you set in the PREFIX in order to rewrite man pages on the fly. They do this so that the location of files as specified in the man pages matches what the installer set during the build process. I'm not sure if GnuPG does this, however. On Monday, April 21, 2003, at 05:40 PM, Michel Mansour wrote: > Let me clarify what I was asking in my initial message (sorry about > the confusion). What I'm looking for is to keep the default hierarchy > (/usr/local/bin, /usr/local/lib, etc.), but I want the entire > hierarchy to be installed in a directory that I specify, for example > $HOME/gnupg. So, it would look like this after the install: > $HOME/gnupg/usr/local/bin, $HOME/gnupg/usr/local/lib, and so on. > From JPClizbe@attbi.com Tue Apr 22 04:44:08 2003 From: JPClizbe@attbi.com (John P. Clizbe) Date: Tue Apr 22 03:44:08 2003 Subject: Change install directory (1.2.1) In-Reply-To: References: Message-ID: <3EA49EA2.4030604@attbi.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Michel Mansour wrote: > > > Let me clarify what I was asking in my initial message (sorry about the > confusion). What I'm looking for is to keep the default hierarchy > (/usr/local/bin, /usr/local/lib, etc.), but I want the entire hierarchy to > be installed in a directory that I specify, for example $HOME/gnupg. So, it > would look like this after the install: $HOME/gnupg/usr/local/bin, > $HOME/gnupg/usr/local/lib, and so on. > > I know this may not be an issue unique to gnupg, but this is the first I've > encountered this problem, which is also why my first post was confusing. I > hope my question is clear now. > `./configure --prefix $HOME/gnupg` would yield $HOME/gnupg/bin, $HOME/gnupg/lib, $HOME/gnupg/man, etc For the directories specified in your email use --prefix $HOME/gnupg/usr/local HTH -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1-nr1 (Windows 2000) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+pJ6gHQSsSmCNKhARAqiQAKDNMPHHclV5wPGAdqx3yETDMCVyTgCfR/up sJyk/PmN2qL512y5+LXiX3Y= =9Dg/ -----END PGP SIGNATURE----- From Todd Tue Apr 22 05:15:03 2003 From: Todd (Todd) Date: Tue Apr 22 04:15:03 2003 Subject: Change install directory (1.2.1) In-Reply-To: References: Message-ID: <20030422021517.GB3924@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Joseph Bruni wrote: > By the way, if you are doing this in order to build a tarball that you > can transplant to another system, you might not get what you expect. > Some utilities (like OpenSSH) use what you set in the PREFIX in order > to rewrite man pages on the fly. They do this so that the location of > files as specified in the man pages matches what the installer set > during the build process. I'm not sure if GnuPG does this, however. If that's the case, I would think the OP would want to use DESTDIR. You'd use a normal ./configure and make and then use make DESTDIR=$HOME/gnupg install to have things installed into $HOME/gnupg yet ready to untar into /usr/local on the target system. Or something like that... :) - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ============================================================================ Sometimes the majority only means that all the fools are on the same side. -- Michael W. Smith -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iD8DBQE+pKW1uv+09NZUB1oRAr0LAJ9gPI4DNOtVyCb+GB7Z2Qqpn0MBEwCggwvu xq9P6/w9N7iPxtpUNlEn1PU= =aG94 -----END PGP SIGNATURE----- From jbruni@mac.com Tue Apr 22 05:57:02 2003 From: jbruni@mac.com (Joseph Bruni) Date: Tue Apr 22 04:57:02 2003 Subject: Change install directory (1.2.1) In-Reply-To: <20030422021517.GB3924@psilocybe.teonanacatl.org> Message-ID: <34E65836-746E-11D7-A760-003065B1243E@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Well, I was just in the process of researching how to do that, and bam! your reply answers that question just as I was reading through the autoconf man page. I love the open source community! Joe On Monday, April 21, 2003, at 07:15 PM, Todd wrote: > If that's the case, I would think the OP would want to use DESTDIR. > You'd > use a normal ./configure and make and then use > > make DESTDIR=$HOME/gnupg install > > to have things installed into $HOME/gnupg yet ready to untar into > /usr/local > on the target system. Or something like that... :) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (Darwin) iEYEARECAAYFAj6kr7QACgkQ4rg/mXNDweMqEACdH+llrhn5U9o9x2r+1eoaJxOo yzMAnAsGf9rAM5RdKdrqZsczYKALovFb =Sn/6 -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Tue Apr 22 07:53:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Tue Apr 22 06:53:02 2003 Subject: [Announce] 1.2.2 release candidate 2 In-Reply-To: References: <87istevmqa.fsf@alberti.g10code.de> Message-ID: <20030422045336.GC1250@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Apr 16, 2003 at 05:00:35PM +0300, Charly Avital wrote: > At 11:02 AM +0200 4/16/03, Werner Koch wrote: > >Hello! > > > >We are pleased to announce the availability of a second release > >candidate for GnuPG 1.2.2: > > Hi, > > built 1.2.2rc2 for Darwin on MacOS 10.2.5. > > man gpg does not display the manual, only a line with 'END'. > > OS X stand-along applications that display man, apropos files, when > prompted for gpg, or gpg10, gnupg10, output "no man entry". When prompted > for other items, the appropriate file is displayed > > > This did not happen on another Mac where I have built 1.2.2rc1, now running > OS X 10.2.5 too, and another with 1.3.1 also running 10.2.5 > > Whereto did man gpg go? That seems to be just an error in the rc2 tarball. Don't worry, the man page will be back for the real 1.2.2 release. By the way, you say you built it on MacOS 10.2.5. Did you use any options in ./configure, or did you build it straight? David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+pMrQ4mZch0nhy8kRAkFUAKDgq9gu1VO0kYg+YZtqJm7I3IVYggCg1usK pf6zl8f2MsULuIeUp0tIvfY= =0k+e -----END PGP SIGNATURE----- From jbwiebe@cnx.net Tue Apr 22 08:25:02 2003 From: jbwiebe@cnx.net (jbwiebe@cnx.net) Date: Tue Apr 22 07:25:02 2003 Subject: [Announce] 1.2.2 release candidate 2 In-Reply-To: <20030418051256.GA438@jabberwocky.com> References: <3E9E0805.7080704@nahrath.de> Message-ID: <3EA46C7A.14699.4B872@localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Verily, on April 16, 2003, a scroll of the prophet Werner Koch arrived, saying, > We are pleased to announce the availability of a second release > candidate for GnuPG 1.2.2: > > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.2.2rc2.tar.gz > (2.8M) > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.2.2rc2.tar.gz.sig Fairly new linux user here. I tried to compile 1.2.2rc2 on Mandrake Linux 6.0 (pgcc-2.91.66 19990314 egcs-1.1.2 release; glibc 2.1.1). I have had no problems installing 1.2.0 or 1.2.1 from source. Doing "./configure; make" quits in make with: gcc -DGNUPG_LIBEXECDIR="\"/usr/local/libexec/gnupg\"" -g -O2 -Wall - o gpg g10.o build-packet.o compress.o free-packet.o getkey.o keydb.o keyring.o seskey.o kbnode.o mainproc.o armor.o mdfilter.o textfilter.o progress.o misc.o openfile.o keyid.o parse-packet.o comment.o status.o plaintext.o sig-check.o keylist.o signal.o pkclist.o skclist.o pubkey-enc.o passphrase.o seckey-cert.o encr- data.o cipher.o encode.o sign.o verify.o revoke.o decrypt.o keyedit.o dearmor.o import.o export.o hkp.o trustdb.o tdbdump.o tdbio.o delkey.o keygen.o pipemode.o helptext.o keyserver.o photoid.o exec.o mkdtemp.o ../cipher/libcipher.a ../mpi/libmpi.a ../util/libutil.a - -ldl -lz passphrase.o: In function `agent_get_passphrase': /usr/local/src/gnupg-1.2.2rc2/g10/passphrase.c:648: undefined reference to `bind_textdomain_codeset' /usr/local/src/gnupg-1.2.2rc2/g10/passphrase.c:656: undefined reference to `bind_textdomain_codeset' /usr/local/src/gnupg-1.2.2rc2/g10/passphrase.c:861: undefined reference to `bind_textdomain_codeset' /usr/local/src/gnupg-1.2.2rc2/g10/passphrase.c:884: undefined reference to `bind_textdomain_codeset' collect2: ld returned 1 exit status make[2]: *** [gpg] Error 1 make[2]: Leaving directory `/usr/local/src/gnupg-1.2.2rc2/g10' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/usr/local/src/gnupg-1.2.2rc2' make: *** [all] Error 2 Being fairly new to linux I'm not sure what to do next but I thought I should notify the dev team. If you need any further information about my system to help trace this then just ask. Regards, Jonathan B. Wiebe Jonathan & Shandra Wiebe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.0 (MingW32) Comment: This is a digitally signed message. It can be verified for authenticity. iD8DBQE+pM7yHjG5JBuJlTURApGAAKDH10sn1VojHtBfncZ+/apbvS7oBwCg2q2P PO0gB32ROLEO0bTCWVtJotA= =WLKS -----END PGP SIGNATURE----- From wk@gnupg.org Tue Apr 22 12:15:08 2003 From: wk@gnupg.org (Werner Koch) Date: Tue Apr 22 11:15:08 2003 Subject: C/C++ API for GnuPG In-Reply-To: <7426774.1050962739611.JavaMail.jbruni@mac.com> (Joseph Bruni's message of "Mon, 21 Apr 2003 16:05:39 -0600") References: <7426774.1050962739611.JavaMail.jbruni@mac.com> Message-ID: <873ckalwkv.fsf@alberti.g10code.de> On Mon, 21 Apr 2003 16:05:39 -0600, Joseph Bruni said: >> Hey, what's this (cvs annotate output): >> >> 1.1 (wkoch 24-Jan-00): err = mlock( p, n ); >> 1.1 (wkoch 24-Jan-00): err = errno; That is bracketed with HAVE_BROKEN_MLOCK: # Check whether mlock is broken (hpux 10.20 raises a SIGBUS if mlock # is not called from uid 0 so in this case we only do an mlock if we are running under euid 0. -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From wk@gnupg.org Tue Apr 22 12:25:26 2003 From: wk@gnupg.org (Werner Koch) Date: Tue Apr 22 11:25:26 2003 Subject: [Announce] 1.2.2 release candidate 2 In-Reply-To: <3EA46C7A.14699.4B872@localhost> (jbwiebe@cnx.net's message of "Mon, 21 Apr 2003 22:11:06 -0700") References: <3E9E0805.7080704@nahrath.de> <3EA46C7A.14699.4B872@localhost> Message-ID: <87znmikhk0.fsf@alberti.g10code.de> On Mon, 21 Apr 2003 22:11:06 -0700, jbwiebe said: > /usr/local/src/gnupg-1.2.2rc2/g10/passphrase.c:648: undefined > reference to `bind_textdomain_codeset' I somehow expected to see such an error. The way to solve it is by using ./configure --with-included-gettext make Your system come with an old version of gettext which does not provide the codeset function of gettext. The solution to this is to write a autoconf test to check for it and auto-enbale the above configure option. However, the entire gettext stuff used in autoconf comes with gettext and I didn't found a test for the codeset function. Maintaining our own gettext tests would be a lot of work and thus I concluded that it is easier to use the --with-included-gettext option. BTW, the README file contains this paragraph: Installation Problems --------------------- If you get unresolved externals "gettext" you should run configure again with the option "--with-included-gettext"; this is version 0.10.35 which is available at alpha.gnu.org. I may need to reqord it to make if clearer. Shalom-Salam, Werner -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From post@talura.dk Tue Apr 22 12:39:01 2003 From: post@talura.dk (Egon Andersen, Talura) Date: Tue Apr 22 11:39:01 2003 Subject: 3DES key generation Message-ID: <3E9EC398.4010707@talura.dk> Hi, I know that gpg can use 3DES cipher algorithm, but how do I generate the 128-bit key used for this? I can see that gpg can generate DSA and ElGamal, but I can find out how to generate keys for 3DES. Best regards Egon Andersen From sascha-news-NOSPAM@sascha.silbe.org Tue Apr 22 12:39:26 2003 From: sascha-news-NOSPAM@sascha.silbe.org (Sascha Silbe) Date: Tue Apr 22 11:39:26 2003 Subject: Cannot sign key with expired signature References: <20030415140443.GA4314@jabberwocky.com> Message-ID: On Tue, 15 Apr 2003 10:04:43 -0400, David Shaw wrote: [Problem signing prolonged key] > I'll fix that. > In the meantime, a workaround is to use "delsig" in the --edit-key > menu to remove the old signature before re-signing. Works. Thanks! CU/Lnx Sascha -- Registered Linux User #77587 (http://counter.li.org/) bomb terrorist afghanistan PGP encrypt CIA FBI BND MAD StaSi anschlag strike sex pussy xxx kill bj hitler Gates MS Windows ZV ZDV From michael@nahrath.de Tue Apr 22 12:39:52 2003 From: michael@nahrath.de (Michael Nahrath) Date: Tue Apr 22 11:39:52 2003 Subject: Question about --rebuild-keydb-caches In-Reply-To: <200304200057.58745@erwin.ingo-kloecker.de> References: <200304200057.58745@erwin.ingo-kloecker.de> Message-ID: <3EA27A41.10201@nahrath.de> This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigA8C166A754FDF243C0F93E9F Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Ingo KlĂścker wrote: >>time gpg --check-trustdb > > gpg: checking at depth 0 signed=67 ot(-/q/n/m/f/u)=0/0/0/0/0/5 > gpg: checking at depth 1 signed=64 ot(-/q/n/m/f/u)=57/0/0/6/4/0 > gpg: checking at depth 2 signed=11 ot(-/q/n/m/f/u)=37/0/0/0/1/0 > gpg: checking at depth 3 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/1/0 > gpg: next trustdb check due at 2003-05-31 > > real 0m1.871s > user 0m1.230s > sys 0m0.420s > > So user time went down nearly 75%. Did you try this a second time as well? Did you try "time gpg --check-trustdb" afterward? > My question is now whether there was a problem with my keyring (I have > rebuild the caches several times since the days of 1.0.6) Probably there are only one or two keys that cause the delay. Try "gpg --list-keys | egrep pub\ \ ....G" to check for ElGamal Primary keys. They are a real DOS attack to each keyring. > or is it > always useful to run --rebuild-keydb-caches after larger changes in the > keyring. AFAIHU: yes > In the latter case the documentation needs to be improved. ACK. Greeting, Michi --------------enigA8C166A754FDF243C0F93E9F Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (Darwin) Comment: http://www.biglumber.com/x/web?qs=0x9A4C704C iEYEARECAAYFAj6ieksACgkQ19dRf5pMcEwo+QCfUt+Hcs8gJZScd0ge2i0OScA0 NBEAoOzsi4IFY3ouxmnGS5lzLdbEiWVc =cPqE -----END PGP SIGNATURE----- --------------enigA8C166A754FDF243C0F93E9F-- From engage@BLOCK.n0sq.net Tue Apr 22 12:40:16 2003 From: engage@BLOCK.n0sq.net (engage) Date: Tue Apr 22 11:40:16 2003 Subject: missing key during rpm --checksig Message-ID: <200304201701.50465.engage@n0sq.net> Even though I added the redhat key to my keyring, I keep getting an error message that the key is missing. I did a gpg --list-key redhat and it shows the key on the keyring. Anyone have a clue? GnuPG 1.2.1, RedHat 9. From Todd Tue Apr 22 15:32:02 2003 From: Todd (Todd) Date: Tue Apr 22 14:32:02 2003 Subject: missing key during rpm --checksig In-Reply-To: <200304201701.50465.engage@n0sq.net> References: <200304201701.50465.engage@n0sq.net> Message-ID: <20030422123330.GE3924@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 engage wrote: > Even though I added the redhat key to my keyring, I keep getting an error > message that the key is missing. I did a gpg --list-key redhat and it shows > the key on the keyring. Anyone have a clue? GnuPG 1.2.1, RedHat 9. That's because rpm now keeps the keys in its own database. It doesn't use your gpg keyring. I think the command to import a key is rpm --import keyfile.asc. Check the rpm manpage for details. - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ============================================================================ If a government were put in charge of the Sahara Desert, within five years they'd have a shortage of sand. -- Dr. Milton Friedman -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iD8DBQE+pTaZuv+09NZUB1oRAiwcAKCiz7GCssbxJfUy0VyVE5fnLh+slwCgrbhH gJcOn5ilKvfsbHuVZ/VgJWo= =7Duc -----END PGP SIGNATURE----- From jacdej@aent.com Tue Apr 22 18:05:01 2003 From: jacdej@aent.com (Jacques Dejean) Date: Tue Apr 22 17:05:01 2003 Subject: decryption failed: secret key not available Message-ID: Hello, In my attempts to decrypt a file generated from Win2000 GNU PGP on an HPUX 11.11 server running GNU PGP v1.2.1, I get the following error - ============================================================================ ====================== # echo '$PGPPASS' | gpg -v -v --passphrase-fd 0 --no-default-keyring -r Comme> Reading passphrase from file descriptor 0 :marker packet: 50 47 50 :pubkey enc packet: version 3, algo 16, keyid 58DF43AC123ABC4D data: [2047 bits] data: [2047 bits] gpg: public key is 123ABC4D gpg: using secondary key 123ABC4D instead of primary key D5E55555 You need a passphrase to unlock the secret key for user: "Jacques Victor Dejean " gpg: using secondary key 123ABC4D instead of primary key D5E55555 2048-bit ELG-E key, ID 123ABC4D, created 2001-09-11 (main key ID D5E55555) :encrypted data packet: length: 1135 gpg: encrypted with 2048-bit ELG-E key, ID 123ABC4D, created 2001-09-11 "Jacques Victor Dejean " gpg: public key decryption failed: bad passphrase gpg: decryption failed: secret key not available ============================================================================ ====================== >From perusing the mailing lists archives, I noticed that several have had this problem -- On a unix server, decrypting a file which was encrypted on an NT server running GNU PGP. However, I don't see any posted solution. I have exported, re-imported both public and secret keys; I have set 'trust' to ultimate; and 'lsign' the public key from the customer running GPG on NT. Thanks for your help, Jacques V. Dejean Lead Systems Administrator Alliance Entertainment (v) 954-255-4344 From wk@gnupg.org Tue Apr 22 20:25:02 2003 From: wk@gnupg.org (Werner Koch) Date: Tue Apr 22 19:25:02 2003 Subject: decryption failed: secret key not available In-Reply-To: (Jacques Dejean's message of "Tue, 22 Apr 2003 11:04:50 -0400") References: Message-ID: <87u1cqphmq.fsf@alberti.g10code.de> On Tue, 22 Apr 2003 11:04:50 -0400, Jacques Dejean said: > # echo '$PGPPASS' | gpg -v -v --passphrase-fd 0 --no-default-keyring -r You know that the passphrase is available to all users on most OSes? Better don't use a passphrase at all. > gpg: encrypted with 2048-bit ELG-E key, ID 123ABC4D, created 2001-09-11 > "Jacques Victor Dejean " > gpg: public key decryption failed: bad passphrase May it be that your passphrase has a character with the high bit set and that the codepages used on Windows and HP are different? -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From thijmen@xs4all.nl Tue Apr 22 20:43:01 2003 From: thijmen@xs4all.nl (5468696A6D656E) Date: Tue Apr 22 19:43:01 2003 Subject: decryption failed: secret key not available In-Reply-To: References: Message-ID: <20030422174410.GK24868@xs4all.nl> On Tue, Apr 22, 2003 at 11:04:50AM -0400, Jacques Dejean wrote: > In my attempts to decrypt a file generated from Win2000 GNU PGP on an HPUX > 11.11 server running GNU PGP v1.2.1, I get the following error - > ============================================================================ > ====================== > # echo '$PGPPASS' | gpg -v -v --passphrase-fd 0 --no-default-keyring -r try this: echo $PGPPASS| gpg -v -v --passphrase-fd 0 --no-default-keyring -r note that the pipe sign ("|") is directly behind the passphrase. Th. -- __Thijmen Klok________ From linux@codehelp.co.uk Tue Apr 22 22:11:03 2003 From: linux@codehelp.co.uk (Neil Williams) Date: Tue Apr 22 21:11:03 2003 Subject: gpg-agent Message-ID: <200304222011.18514.linux@codehelp.co.uk> --Boundary-02=_WPZp+bYmLQcfmPZ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Description: signed data Content-Disposition: inline Does anyone know how to solve problems with the environment variable for gpg-agent? ========= http://kmail.kde.org/kmail-pgpmime-howto.html Before using gpg, you need to start gpg-agent: eval "$(gpg-agent --daemon)" (gpg-agent outputs a little shell script that sets the environment variable GNUPG_AGENT_INFO). You may want to add this to your ~/.xsession or startkde so that all programs see the environment variable. ========== I've tried putting it in /home/neil/.xsession (a symlink to /home/neil/.xinitrc) and in /usr/local/kde/bin/startkde but all I get is two copies of the agent showing up in ps -ax in a root shell but nothing in a user shell. The gpg-agent-info environment variable is present in the root shell but not in the user shell. If I run the eval "$(gpg-agent --daemon)" command in a user terminal or in .bashrc, it still isn't visible to KMail unless I start KMail from the same terminal. I can't see why the environment variable isn't being passed on to users. Unless the gpg-agent-info environment variable is within scope of KMail, I can't send signed emails. -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk http://www.wewantbroadband.co.uk/ --Boundary-02=_WPZp+bYmLQcfmPZ Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+pZPWiAEJSii8s+MRAlfPAKDbuL1aSsQhnlhRgVZCOGM4tOzYfACgrDG2 1AQu6Xa6ER7kB3mLBLQKDVA= =iZM0 -----END PGP SIGNATURE----- --Boundary-02=_WPZp+bYmLQcfmPZ-- From dlc@users.sourceforge.net Tue Apr 22 22:50:03 2003 From: dlc@users.sourceforge.net (darren chamberlain) Date: Tue Apr 22 21:50:03 2003 Subject: gpg-agent In-Reply-To: <200304222011.18514.linux@codehelp.co.uk> References: <200304222011.18514.linux@codehelp.co.uk> Message-ID: <20030422194811.GB25882@boston.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 * Neil Williams [2003-04-22 15:43]: > Does anyone know how to solve problems with the environment variable > for gpg-agent? Make sure that the script that gpg-agent --daemon emits is exporting the variables, or export them yourself: eval `gpg-agent --daemon` export GNUPG_AGENT_INFO (darren) - -- The rebootings will continue until the configuration works. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (SunOS) iD8DBQE+pZx7zsinjrVhZaoRAof9AJ9P4np0kBRH/bkcwOgbb7FADw1KewCdHASU HxjdFvgFc8ySKwpcOrbAh+M= =ishf -----END PGP SIGNATURE----- From thijmen@xs4all.nl Tue Apr 22 23:01:02 2003 From: thijmen@xs4all.nl (5468696A6D656E) Date: Tue Apr 22 22:01:02 2003 Subject: decryption failed: secret key not available In-Reply-To: <20030422174410.GK24868@xs4all.nl> References: <20030422174410.GK24868@xs4all.nl> Message-ID: <20030422200221.GO24868@xs4all.nl> On Tue, Apr 22, 2003 at 07:44:10PM +0200, 5468696A6D656E wrote: > On Tue, Apr 22, 2003 at 11:04:50AM -0400, Jacques Dejean wrote: > > # echo '$PGPPASS' | gpg -v -v --passphrase-fd 0 --no-default-keyring -r > try this: > echo $PGPPASS| gpg -v -v --passphrase-fd 0 --no-default-keyring -r > > note that the pipe sign ("|") is directly behind the passphrase. To test this kind of output i made this tiny program: //stdincheck.c #include #include int main(int argc, char *argv[]) { char buffer[1024]; int size; fgets(buffer, 1024, stdin); size = strlen(buffer); if (size > 0 && buffer[size - 1] == '\n') { printf("stripping linefeed\r\n"); buffer[size - 1] = '\0'; } if (size > 1 && buffer[size - 2] == '\r') { printf("stripping carriage return\r\n"); buffer[size - 2] = '\0'; } printf("Passphrase (quoted): \"%s\"\r\n", buffer); } On windows 98 SE this is the output: T:\stdincheck\Debug>echo blaa|stdincheck.exe stripping linefeed Passphrase (quoted): "blaa" T:\stdincheck\Debug>echo blaa | stdincheck.exe stripping linefeed Passphrase (quoted): "blaa " T:\stdincheck\Debug>echo "blaa" | stdincheck.exe stripping linefeed Passphrase (quoted): ""blaa" " See the differences? As Gpg cannot know whether a quote character is part of the passphrase you need to send it unquoted, and without any space before the | pipesign. Th. -- __Thijmen Klok________ From gnupg-users@nahrath.de Tue Apr 22 23:54:02 2003 From: gnupg-users@nahrath.de (Michael Nahrath) Date: Tue Apr 22 22:54:02 2003 Subject: can't work on armoured keyring Message-ID: <3EA58CA3.7000706@nahrath.de> This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigFFCC152A1BB891F6F764CD82 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit I downloaded a community's keyring from a website. It is ASCII-armored and served via http: as 'application/pgpkeys' according to RFC 3156. Unfortunately I get errors whenever I try to work on this keyring without importing it. You may try on your own: $ gpg -a --export 5B0358A2 99242560 > test.gpgkey $ gpg --no-default-keyring --keyring ./test.gpgkey --list-keys gpg: [don't know]: invalid packet (ctb=2d) gpg: keydb_search_first failed: invalid packet $ gpg --no-default-keyring --keyring ./test.gpgkey --check-sigs gpg: [don't know]: invalid packet (ctb=2d) gpg: keydb_search_first failed: invalid packet Nevertheless $ gpg --list-packets ./test.gpgkey works fine. Seems like GPG (same behaviour in all versions from 1.06 through 1.2.2rc2) is unable to deal with a keyring if it is ASCII-armoured. Is this * a bug? * a known limitation? * technically neccesary? We still would like to provide this keyring in a form that was suitable to do WoT-annalysis etc. without further modifications. Do we have to provide it in binary form for this? What is the correct MIME-type for a binary keyring file? Greeting, Michi --------------enigFFCC152A1BB891F6F764CD82 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (Darwin) Comment: http://www.biglumber.com/x/web?qs=0x9A4C704C iEYEARECAAYFAj6ljLAACgkQ19dRf5pMcEwifgCgj7b6wc6suojxmuD1FXTjFjem dcoAoMA70m4uENmyJvOBC8G3981iuR2m =ES47 -----END PGP SIGNATURE----- --------------enigFFCC152A1BB891F6F764CD82-- From jharris@widomaker.com Wed Apr 23 01:04:03 2003 From: jharris@widomaker.com (Jason Harris) Date: Wed Apr 23 00:04:03 2003 Subject: can't work on armoured keyring In-Reply-To: <3EA58CA3.7000706@nahrath.de> References: <3EA58CA3.7000706@nahrath.de> Message-ID: <20030422220436.GD52142@pm1.ric-37.lft.widomaker.com> --cMwMn/tF35tO7kHm Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Apr 22, 2003 at 08:40:35PM +0200, Michael Nahrath wrote: > I downloaded a community's keyring from a website. It is ASCII-armored and > served via http: as 'application/pgpkeys' according to RFC 3156. >=20 > Unfortunately I get errors whenever I try to work on this keyring without > importing it. You may try on your own: > We still would like to provide this keyring in a form that was suitable to > do WoT-annalysis etc. without further modifications. Converting it to binary is easy: %gpg --dearmor =20 and will let GPG use it directly without an --import. To help detect modification, publish a signature for the binary form of the file. Also, advise people to make the keyring read-only to prevent modification. Keeping the file on the website in armored format may mean larger downloads, but if people keep the original file around but hose their binary copy then they can just reconstruct the binary file without doing another download. Or you can just make the files available via rsync, which works quite nicely for the Debian keyrings. --=20 Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com | web: http://jharris.cjb.net/ --cMwMn/tF35tO7kHm Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+pbxzSypIl9OdoOMRAnX9AJ99fTz7tGGPP9Clbpjtr7j7PnpyAACgi6xV y1VxaEQ0x4Taw6Lry4jeV4Y= =TKRa -----END PGP SIGNATURE----- --cMwMn/tF35tO7kHm-- From lists@kaseinet.de Wed Apr 23 01:36:02 2003 From: lists@kaseinet.de (Alexander Johannes) Date: Wed Apr 23 00:36:02 2003 Subject: can't work on armoured keyring In-Reply-To: <3EA58CA3.7000706@nahrath.de> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, Am Dienstag, 22.04.03 um 20:40 Uhr schrieb Michael Nahrath: > I downloaded a community's keyring from a website. It is ASCII-armored > and > served via http: as 'application/pgpkeys' according to RFC 3156. This morning i wrote a message about this problem, but it seems that it doesnt appeared to this list (i posted it through gmane.org). So i will do some annotations to your mail. > Unfortunately I get errors whenever I try to work on this keyring > without > importing it. You may try on your own: It seems that armored keyrings, created with PGP 8, cause the same problem. > Seems like GPG (same behaviour in all versions from 1.06 through > 1.2.2rc2) > is unable to deal with a keyring if it is ASCII-armoured. And, i don't know if it is worth mentioning, i could reproduce it on MacOS X, WinNT 4 and Linux. Alex -----BEGIN PGP SIGNATURE----- Comment: http://kaseinet.de/aboutme/contact/ iD8DBQE+pbzgNukaPmQYrJ8RAoerAKCP+Hn45oy9X19fn5RwvHWZToDdzACbBsj7 SCYgJ6QqGbNZrZWw+qXqsTc= =bqCF -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Wed Apr 23 05:36:03 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Wed Apr 23 04:36:03 2003 Subject: can't work on armoured keyring In-Reply-To: <3EA58CA3.7000706@nahrath.de> References: <3EA58CA3.7000706@nahrath.de> Message-ID: <20030423023704.GF4874@jabberwocky.com> --qMm9M+Fa2AknHoGS Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Apr 22, 2003 at 08:40:35PM +0200, Michael Nahrath wrote: > I downloaded a community's keyring from a website. It is ASCII-armored and > served via http: as 'application/pgpkeys' according to RFC 3156. >=20 > Unfortunately I get errors whenever I try to work on this keyring without > importing it. You may try on your own: >=20 > $ gpg -a --export 5B0358A2 99242560 > test.gpgkey > $ gpg --no-default-keyring --keyring ./test.gpgkey --list-keys > gpg: [don't know]: invalid packet (ctb=3D2d) > gpg: keydb_search_first failed: invalid packet > $ gpg --no-default-keyring --keyring ./test.gpgkey --check-sigs > gpg: [don't know]: invalid packet (ctb=3D2d) > gpg: keydb_search_first failed: invalid packet >=20 > Nevertheless > $ gpg --list-packets ./test.gpgkey > works fine. >=20 > Seems like GPG (same behaviour in all versions from 1.06 through 1.2.2rc2) > is unable to deal with a keyring if it is ASCII-armoured. >=20 > Is this * a bug? > * a known limitation? > * technically neccesary? A known limitation, and (weakly) necessary in that it makes a lot of keyring management easier. While everyone does it anyway, the keyring files aren't really intended to be used without using --import and --export. If you want to use an armored file as a keyring without --import-ing it first, use "gpg --dearmor" on it and then you can use it as a keyring. When you are done, just use "gpg --armor --export > allmykeys.asc" to return it to armored form. > We still would like to provide this keyring in a form that was suitable to > do WoT-annalysis etc. without further modifications. > Do we have to provide it in binary form for this? No. It depends on the program that does your analysis. Either way, it is easy to convert back and forth. > What is the correct MIME-type for a binary keyring file? application/octet-stream, but you could make up your own x-type, of course. The application/pgp-keys type is reserved for ascii armored data. David --qMm9M+Fa2AknHoGS Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+pfxP4mZch0nhy8kRAu2zAJ0ZIW1zJI1jbSoCbw4wB/SuEd7zIQCgwgDz TkrYnNAigyRnzjKdRtOTkeA= =+crS -----END PGP SIGNATURE----- --qMm9M+Fa2AknHoGS-- From Alexander Johannes Wed Apr 23 11:54:02 2003 From: Alexander Johannes (Alexander Johannes) Date: Wed Apr 23 10:54:02 2003 Subject: Problems with armored Keyrings Message-ID: Hi, it seems, that gpg is unable to work with ASCII-armored keyrings. Neither i could list the contained Keys nor i could import them to my keyring. Here is one Example of the error message: [nirgalvallis:~] alex% gpg --no-default-keyring --keyring ~/dsm.gpgkey.asc --list-keys gpg: [don't know]: invalid packet (ctb=2d) gpg: keydb_search_first failed: Ungültiges Paket I could reproduce this Error with gpg 1.2.1 on MacOS X and WinNT 4.0 and gpg 1.0.6 on Linux. I tested with 2 different Keyrings. One of them i created using gpg 1.2.1 on MacOS X. You could find it at (armored) The other Keyring someone created using PGP 8 at Windows. It's armored too and produces the same error. Both Keyrings only contain Public Keys. Is this a known bug? Alex -- __ __ ___ _ | - Newsticker - | 29.01.03 - Navigation überarbeitet From gnupg-users@nahrath.de Wed Apr 23 13:39:01 2003 From: gnupg-users@nahrath.de (Michael Nahrath) Date: Wed Apr 23 12:39:01 2003 Subject: can't work on armoured keyring In-Reply-To: <20030423023704.GF4874@jabberwocky.com> References: <3EA58CA3.7000706@nahrath.de> <20030423023704.GF4874@jabberwocky.com> Message-ID: <3EA66D79.9080308@nahrath.de> This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig5FAC750A7B98F1D657442D62 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit David Shaw wrote: >>$ gpg -a --export 5B0358A2 99242560 > test.gpgkey >>$ gpg --no-default-keyring --keyring ./test.gpgkey --list-keys >>gpg: [don't know]: invalid packet (ctb=2d) >>gpg: keydb_search_first failed: invalid packet >>Seems like GPG (same behaviour in all versions from 1.06 through 1.2.2rc2) >>is unable to deal with a keyring if it is ASCII-armoured. >> >>Is this * a bug? >> * a known limitation? >> * technically neccesary? > > > A known limitation, and (weakly) necessary in that it makes a lot of > keyring management easier. While everyone does it anyway, the keyring > files aren't really intended to be used without using --import and > --export. Is thre any difference betwheen a working keyring and a (binary) exported keyring? If I do $ gpg --no-default-keyring --keyring ./test.gpg --import ./bin-keyring.gpg shouldn't ./test.gpg and ./bin-keyring.gpg be identical (assuming ./bin-keyring.gpg doesn't contain errors)? > If you want to use an armored file as a keyring without --import-ing > it first, use "gpg --dearmor" on it and then you can use it as a > keyring. When you are done, just use "gpg --armor --export > > allmykeys.asc" to return it to armored form. Thanks for this clarification. So I guess you are right: We don't need to provide binary keyrings, but add this tip at the download site. Greeting, Michi --------------enig5FAC750A7B98F1D657442D62 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (Darwin) Comment: http://www.biglumber.com/x/web?qs=0x9A4C704C iEYEARECAAYFAj6mbYQACgkQ19dRf5pMcEx42QCguuP2jXtM82xoh6lE/Yy6ITLE 1RcAnj7Jx7YE98h8g3LOGBDvdazkp5J4 =W8NO -----END PGP SIGNATURE----- --------------enig5FAC750A7B98F1D657442D62-- From wk@gnupg.org Wed Apr 23 14:00:02 2003 From: wk@gnupg.org (Werner Koch) Date: Wed Apr 23 13:00:02 2003 Subject: Problems with armored Keyrings In-Reply-To: (Alexander Johannes's message of "Tue, 22 Apr 2003 12:29:02 +0200") References: Message-ID: <87he8po4og.fsf@alberti.g10code.de> On Tue, 22 Apr 2003 12:29:02 +0200, Alexander Johannes said: > it seems, that gpg is unable to work with ASCII-armored keyrings. keyrings are not defined in OpenPGP; it is up to an implementation to decide how to store keys and whether to store them at all. What OpenPGP indeed defines are transport formats for keys and GnuPG adheres to that. The published interfaces to handle keys in the transport format are the commands --import and --export. It is just coincidence that you are able to use a file in binary transport format as ~/.gnupg/pubring.gpg. > Is this a known bug? Definitely not. Salam-Shalom, Werner -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From lists@kaseinet.de Wed Apr 23 14:40:02 2003 From: lists@kaseinet.de (Alexander Johannes) Date: Wed Apr 23 13:40:02 2003 Subject: Problems with armored Keyrings In-Reply-To: <87he8po4og.fsf@alberti.g10code.de> Message-ID: <659D195A-7580-11D7-BA33-0003938ECA20@kaseinet.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Am Mittwoch, 23.04.03 um 13:04 Uhr schrieb Werner Koch: >> it seems, that gpg is unable to work with ASCII-armored keyrings. > > keyrings are not defined in OpenPGP; it is up to an implementation to > decide how to store keys and whether to store them at all. What > OpenPGP indeed defines are transport formats for keys and GnuPG > adheres to that. Understood. > The published interfaces to handle keys in the transport format are > the commands --import and --export. This is the way i do it. The main question (Michael Nahrath wrote about this yesterday) was, why you can't list the contents (keys and signatures) of an armored keyring. The explanation from David Shaw is acceptable: | A known limitation, and (weakly) necessary in that it makes a lot of keyring management easier. Alex -----BEGIN PGP SIGNATURE----- Comment: http://kaseinet.de/aboutme/contact/ iD8DBQE+pnvBNukaPmQYrJ8RAoUMAJ9Bhv+x/icfhg570p9oCs5fpKbmqgCfSJf7 EECULOvsJxS/gXHcXhTD5s0= =i1qH -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Wed Apr 23 17:21:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Wed Apr 23 16:21:02 2003 Subject: can't work on armoured keyring In-Reply-To: <3EA66D79.9080308@nahrath.de> References: <3EA58CA3.7000706@nahrath.de> <20030423023704.GF4874@jabberwocky.com> <3EA66D79.9080308@nahrath.de> Message-ID: <20030423142208.GK4874@jabberwocky.com> --/NkBOFFp2J2Af1nK Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Apr 23, 2003 at 12:39:53PM +0200, Michael Nahrath wrote: > David Shaw wrote: >=20 > >>$ gpg -a --export 5B0358A2 99242560 > test.gpgkey > >>$ gpg --no-default-keyring --keyring ./test.gpgkey --list-keys > >>gpg: [don't know]: invalid packet (ctb=3D2d) > >>gpg: keydb_search_first failed: invalid packet >=20 > >>Seems like GPG (same behaviour in all versions from 1.06 through 1.2.2r= c2) > >>is unable to deal with a keyring if it is ASCII-armoured. > >> > >>Is this * a bug? > >> * a known limitation? > >> * technically neccesary? > >=20 > >=20 > > A known limitation, and (weakly) necessary in that it makes a lot of > > keyring management easier. While everyone does it anyway, the keyring > > files aren't really intended to be used without using --import and > > --export. >=20 > Is thre any difference betwheen a working keyring and a (binary) exported > keyring? Yes and no. While it will work in the current version of GnuPG, this cannot be relied upon forever. The OpenPGP standard dictates how keys can be transported (i.e. via --export/--import), but there is no rule for how to store the keyrings. For example, there could be a version of GnuPG that uses a database as the "keyring". The truly safe way to take a file (binary or ascii) and make it into a new keyring is: gpg --no-default-keyring --keyring ./my-new-keyring.gpg --import the_file Do what you need to do to my-new-keyring.gpg, and then: gpg --no-default-keyring --keyring ./my-new-keyring.gpg --export the_file (you can add --armor here if you desire). > If I do > $ gpg --no-default-keyring --keyring ./test.gpg --import ./bin-keyring.gpg > shouldn't ./test.gpg and ./bin-keyring.gpg be identical (assuming > ./bin-keyring.gpg doesn't contain errors)? Not necessarily. There are things that won't be imported (local signatures, some special packets, etc). David --/NkBOFFp2J2Af1nK Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+pqGQ4mZch0nhy8kRAsWbAKC6Z3uEZ41VPLkfY7vW8WfDd3XtbACgzvhd qC+MelYLa8UfCJYYbl6XIJc= =kZ1E -----END PGP SIGNATURE----- --/NkBOFFp2J2Af1nK-- From Todd Wed Apr 23 18:17:02 2003 From: Todd (Todd) Date: Wed Apr 23 17:17:02 2003 Subject: querying multiple keyservers Message-ID: <20030423151741.GR3924@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi all, Is there any way to use multiple keyservers with gnupg? What I'm after is having gpg search one keyserver first and if there are no matches (or perhaps even if there are) then search another keyserver. I know that most of the public keyservers sync, but I'm looking at using a small, semi-private keyserver for a local linux user group as the first keyserver and then fall back on one of the public servers. The reason we're looking at setting up a small keyserver is that many of the new users will hopefully find it easier to rely on a keyserver that other members control. That way we can purge keys if someone loses a key or forgets a passphrase. But for those of us in the group who use gpg more regularly, we'd prefer not to have to switch our config settings to go back and forth between the public and private keyservers. I tried setting keyserver twice but it seems like only one of them gets used (and at this god-awful hour of the morning I can't recall if it was the first or the last). I know that we could also just maintain a group keyring, but I was looking to have some fun learning about running pks. - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ============================================================================ If a government were put in charge of the Sahara Desert, within five years they'd have a shortage of sand. -- Dr. Milton Friedman -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iD8DBQE+pq6Uuv+09NZUB1oRAmQYAKCu9NyKMeH1QTlQooSNlFDU5GyXBwCfUe1m Gqm3pwFzWV2fDxJBgXd3xVM= =nGJG -----END PGP SIGNATURE----- From dlc@users.sourceforge.net Wed Apr 23 19:17:02 2003 From: dlc@users.sourceforge.net (darren chamberlain) Date: Wed Apr 23 18:17:02 2003 Subject: querying multiple keyservers In-Reply-To: <20030423151741.GR3924@psilocybe.teonanacatl.org> References: <20030423151741.GR3924@psilocybe.teonanacatl.org> Message-ID: <20030423-aa4738cbbad26dfaee68b0af926b65d8@mail.boston.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 * Todd [2003-04-23 11:51]: > I know that we could also just maintain a group keyring, but I was > looking to have some fun learning about running pks. What about setting up a local keyserver that syncs against a remote keyserver, and then just simply use that one for everything? (darren) - -- You can't wake a person who is pretending to be asleep. -- Navajo Proverb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (SunOS) iD8DBQE+prwWzsinjrVhZaoRAvCKAJ9ikLUDtJLiL+KSMMiP4d25Q74B9wCfdKpY EgD66BRXf1hu9g4aLKrbv60= =ZbVd -----END PGP SIGNATURE----- From linux@codehelp.co.uk Wed Apr 23 21:35:02 2003 From: linux@codehelp.co.uk (Neil Williams) Date: Wed Apr 23 20:35:02 2003 Subject: querying multiple keyservers In-Reply-To: <20030423-aa4738cbbad26dfaee68b0af926b65d8@mail.boston.com> References: <20030423151741.GR3924@psilocybe.teonanacatl.org> <20030423-aa4738cbbad26dfaee68b0af926b65d8@mail.boston.com> Message-ID: <200304231934.16122.linux@codehelp.co.uk> --Boundary-02=_oytp+S7A3OPi7Tj Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Description: signed data Content-Disposition: inline On Wednesday 23 April 2003 5:15 pm, darren chamberlain wrote: > * Todd [2003-04-23 11:51]: > > I know that we could also just maintain a group keyring, but I was > > looking to have some fun learning about running pks. > > What about setting up a local keyserver that syncs against a remote > keyserver, and then just simply use that one for everything? > > (darren) I was thinking of the same thing for my own LUG. Darren, I looked at your idea myself but only if the sync was uni-directional. If the smaller keyserver sends keys to the main keyservers, the functionality of removing keys is lost. How does the keyserver protocol implement the sync? Can it be done so that the smaller keyserver only refreshes existing keys and doesn't ever send any keys to any other main keyserver. (Along the lines of limiting the small keyserver to a function akin to gpg --refresh-keys). Is a keyserver just a public ring with extra software added? -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk http://www.wewantbroadband.co.uk/ --Boundary-02=_oytp+S7A3OPi7Tj Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+ptyoiAEJSii8s+MRAl/UAKDnBgc3BGlkJHtbcfB1FY/SnkDmowCbBayw 44bzwrAYUKIasGgrI2YkYLM= =FjdI -----END PGP SIGNATURE----- --Boundary-02=_oytp+S7A3OPi7Tj-- From linux@codehelp.co.uk Wed Apr 23 21:36:02 2003 From: linux@codehelp.co.uk (Neil Williams) Date: Wed Apr 23 20:36:02 2003 Subject: gpg-agent In-Reply-To: <20030422194811.GB25882@boston.com> References: <200304222011.18514.linux@codehelp.co.uk> <20030422194811.GB25882@boston.com> Message-ID: <200304231936.09419.linux@codehelp.co.uk> --Boundary-02=_Z0tp+c6bWGnZak1 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Description: signed data Content-Disposition: inline On Tuesday 22 April 2003 8:48 pm, darren chamberlain wrote: > * Neil Williams [2003-04-22 15:43]: > > Does anyone know how to solve problems with the environment variable > > for gpg-agent? > > Make sure that the script that gpg-agent --daemon emits is exporting the > variables, or export them yourself: > > eval `gpg-agent --daemon` > export GNUPG_AGENT_INFO > > (darren) The variable is being emitted in the root environment space but not in the user space. Even when I run the command above, the variable doesn't remain set outside the terminal window. -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk http://www.wewantbroadband.co.uk/ --Boundary-02=_Z0tp+c6bWGnZak1 Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+pt0ZiAEJSii8s+MRAphdAKConbQHeBzZlx3ex+Jrb1d6zZ9TcQCgmXA/ Y4ZnCmIV29JyQ679pVJBohE= =O1h/ -----END PGP SIGNATURE----- --Boundary-02=_Z0tp+c6bWGnZak1-- From dshaw@jabberwocky.com Wed Apr 23 22:06:01 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Wed Apr 23 21:06:01 2003 Subject: querying multiple keyservers In-Reply-To: <20030423151741.GR3924@psilocybe.teonanacatl.org> References: <20030423151741.GR3924@psilocybe.teonanacatl.org> Message-ID: <20030423190625.GM4874@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Apr 23, 2003 at 11:17:41AM -0400, Todd wrote: > Is there any way to use multiple keyservers with gnupg? What I'm after is > having gpg search one keyserver first and if there are no matches (or > perhaps even if there are) then search another keyserver. I know that most > of the public keyservers sync, but I'm looking at using a small, > semi-private keyserver for a local linux user group as the first keyserver > and then fall back on one of the public servers. This is on the "to do" list, but is not currently an available feature. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+puQx4mZch0nhy8kRAmbOAKCxUcckqfJ2a7YkFxuNDaFwsehTlgCgniv8 zMAmSw8kv0pD5bD3mhCtHtA= =H/GM -----END PGP SIGNATURE----- From Bryan_Hunter@archway.com Wed Apr 23 22:08:01 2003 From: Bryan_Hunter@archway.com (Hunter, Bryan) Date: Wed Apr 23 21:08:01 2003 Subject: do_plaintext() error message Message-ID: <2E40FE65F46EEC40984776ED29756EE442013C@stargate1.mi.gage.com> Could some one please explain what the following error message means and in particular whether the output is corrupt in some way? gpg: do_plaintext(): wrote 46305280 bytes but expected 4096 bytes This was the result of entering a command like this. time tar -cvf - directory | gpg --output outfile --encrypt --recipient keyid - Here "directory" is a directory, "outfile" is the output file, and "keyid" is the recipient. This is GnuPG 1.0.6 running under RedHat 7.2. A decryption by PGP seemed to work. Thank you, Bryan Hunter From dlc@users.sourceforge.net Wed Apr 23 22:23:02 2003 From: dlc@users.sourceforge.net (darren chamberlain) Date: Wed Apr 23 21:23:02 2003 Subject: gpg-agent In-Reply-To: <200304231936.09419.linux@codehelp.co.uk> References: <200304222011.18514.linux@codehelp.co.uk> <20030422194811.GB25882@boston.com> <200304231936.09419.linux@codehelp.co.uk> Message-ID: <20030423-b3846bfd7586944db181758c1cdd0890@mail.boston.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 * Neil Williams [2003-04-23 15:07]: > The variable is being emitted in the root environment space but not in > the user space. Even when I run the command above, the variable > doesn't remain set outside the terminal window. I'm not sure that I understand what you mean by "outside the terminal window"; the variable will only propogated to the children of the process marks the variable as exported. If the shell invoking X has the variable set and exported, then all the children will inherit it. Similarly, if .xinitrc (or .xsession) has the variable set and exported, and then spawns a few xterms (e.g.) and then your window manager, the xterms and window manager (and _their_ children) will inherit the variable as well. (darren) - -- A lot of things wrong with society today are directly attributable to the fact that the people who make the laws are sexually maladjusted. -- Frank Zappa -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (SunOS) iD8DBQE+pufDzsinjrVhZaoRAjICAJ4xsjp+Ir1jmF3v+iolUfFX7CJ7qgCfb9Yq aAXzVxKWdvUR9DK0B68AjFY= =dWFO -----END PGP SIGNATURE----- From dlc@users.sourceforge.net Wed Apr 23 22:34:03 2003 From: dlc@users.sourceforge.net (darren chamberlain) Date: Wed Apr 23 21:34:03 2003 Subject: querying multiple keyservers In-Reply-To: <200304231934.16122.linux@codehelp.co.uk> References: <20030423151741.GR3924@psilocybe.teonanacatl.org> <20030423-aa4738cbbad26dfaee68b0af926b65d8@mail.boston.com> <200304231934.16122.linux@codehelp.co.uk> Message-ID: <20030423-f519191254a106c4033fa0c0103011b6@mail.boston.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 * Neil Williams [2003-04-23 15:07]: > I was thinking of the same thing for my own LUG. Darren, I looked at > your idea myself but only if the sync was uni-directional. If the > smaller keyserver sends keys to the main keyservers, the functionality > of removing keys is lost. Hm, good point. > Is a keyserver just a public ring with extra software added? This seems like a simple, straightforward way to implement it, but I've never looked at any keyserver code. A simple script that (basically) calls gpg --list-keys on it's input could qualify as a keyserver I suppose: #!/usr/bin/perl -w use strict; my $gpg = "/usr/local/bin/gpg"; use CGI; my $q = CGI->new; my $fpr = $q->param("fpr"); print $q->header("text/plain"); open KEY, "$gpg --list-keys --with-colons $fpr |"; while () { next unless /^pub/; my @Key = split /:/ => $_; print `$gpg --export --armor $Key[4]`; } (darren) - -- Your only obligation in any lifetime is to be true to yourself. Being true to anyone else or anything else is ... impossible. -- Richard Bach -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (SunOS) iD8DBQE+pupHzsinjrVhZaoRAtDtAKCg3IfvQiHlGY6Nt3bgKzwZUYekTgCfUQfg Pb2wc7kkEg8KgDFUxjUwZmE= =PhxC -----END PGP SIGNATURE----- From sbutler@fchn.com Wed Apr 23 23:43:03 2003 From: sbutler@fchn.com (Steve Butler) Date: Wed Apr 23 22:43:03 2003 Subject: do_plaintext() error message Message-ID: <9A86613AB85FF346BB1321840DB42B4B01EBFD10@jupiter.fchn.com> Perhaps I'm all wet, but wouldn't the output from both tar and time be sent via the pipe to gpg? Somehow I think there will be problems since tar is being told to send output via STDOUT and time writes by default to STDOUT. Try it without time. -----Original Message----- From: Hunter, Bryan [mailto:Bryan_Hunter@archway.com] Sent: Wednesday, April 23, 2003 12:12 PM To: 'gnupg-users@gnupg.org' Subject: do_plaintext() error message Could some one please explain what the following error message means and in particular whether the output is corrupt in some way? gpg: do_plaintext(): wrote 46305280 bytes but expected 4096 bytes This was the result of entering a command like this. time tar -cvf - directory | gpg --output outfile --encrypt --recipient keyid - Here "directory" is a directory, "outfile" is the output file, and "keyid" is the recipient. This is GnuPG 1.0.6 running under RedHat 7.2. A decryption by PGP seemed to work. Thank you, Bryan Hunter _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. From dshaw@jabberwocky.com Thu Apr 24 00:06:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Wed Apr 23 23:06:02 2003 Subject: querying multiple keyservers In-Reply-To: <200304231934.16122.linux@codehelp.co.uk> References: <20030423151741.GR3924@psilocybe.teonanacatl.org> <20030423-aa4738cbbad26dfaee68b0af926b65d8@mail.boston.com> <200304231934.16122.linux@codehelp.co.uk> Message-ID: <20030423210645.GO4874@jabberwocky.com> --3siQDZowHQqNOShm Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Apr 23, 2003 at 07:34:15PM +0100, Neil Williams wrote: Content-Description: signed data > On Wednesday 23 April 2003 5:15 pm, darren chamberlain wrote: > > * Todd [2003-04-23 11:51]: > > > I know that we could also just maintain a group keyring, but I was > > > looking to have some fun learning about running pks. > > > > What about setting up a local keyserver that syncs against a remote > > keyserver, and then just simply use that one for everything? > > > > (darren) >=20 > I was thinking of the same thing for my own LUG. Darren, I looked at > your idea myself but only if the sync was uni-directional. If the > smaller keyserver sends keys to the main keyservers, the > functionality of removing keys is lost. >=20 > How does the keyserver protocol implement the sync? Can it be done > so that the smaller keyserver only refreshes existing keys and > doesn't ever send any keys to any other main keyserver. (Along the > lines of limiting the small keyserver to a function akin to gpg > --refresh-keys). Believe it or not, the most common sync protocol is email - each keyserver emails a bunch of keys to the next. You can do it one-way if you want, but there is no current functionality that implements something akin to --refresh-keys. You might ask on the pgp-keyserver-folk@flame.org mailing list. > Is a keyserver just a public ring with extra software added? Something like that. See http://sks.sourceforge.net/ and http://pks.sourceforge.net/ David --3siQDZowHQqNOShm Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+pwBk4mZch0nhy8kRAnMEAKCjn/24Wrw38lCgqEtgxJ0HSthtQQCfWEMB mn1GbvL8mgW8W7W/yXW7WHs= =YmDM -----END PGP SIGNATURE----- --3siQDZowHQqNOShm-- From dshaw@jabberwocky.com Thu Apr 24 00:07:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Wed Apr 23 23:07:02 2003 Subject: querying multiple keyservers In-Reply-To: <20030423-f519191254a106c4033fa0c0103011b6@mail.boston.com> References: <20030423151741.GR3924@psilocybe.teonanacatl.org> <20030423-aa4738cbbad26dfaee68b0af926b65d8@mail.boston.com> <200304231934.16122.linux@codehelp.co.uk> <20030423-f519191254a106c4033fa0c0103011b6@mail.boston.com> Message-ID: <20030423210811.GP4874@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Apr 23, 2003 at 03:32:23PM -0400, darren chamberlain wrote: > * Neil Williams [2003-04-23 15:07]: > > I was thinking of the same thing for my own LUG. Darren, I looked at > > your idea myself but only if the sync was uni-directional. If the > > smaller keyserver sends keys to the main keyservers, the functionality > > of removing keys is lost. > > Hm, good point. > > > Is a keyserver just a public ring with extra software added? > > This seems like a simple, straightforward way to implement it, but I've > never looked at any keyserver code. A simple script that (basically) > calls gpg --list-keys on it's input could qualify as a keyserver I > suppose: > > #!/usr/bin/perl -w > > use strict; > my $gpg = "/usr/local/bin/gpg"; > > use CGI; > my $q = CGI->new; > my $fpr = $q->param("fpr"); > > print $q->header("text/plain"); > > open KEY, "$gpg --list-keys --with-colons $fpr |"; > > while () { > next unless /^pub/; > my @Key = split /:/ => $_; > > print `$gpg --export --armor $Key[4]`; > } See http://www.ietf.org/internet-drafts/draft-shaw-openpgp-hkp-00.txt for the spec that GnuPG follows when making keyserver requests. It is fairly easy to implement in a similar manner to the script you have here. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+pwC74mZch0nhy8kRAjoHAKDAEJyKzyJumzbZXwjJHwmpKv6lggCfYrqc bJrVGWrqQEN7aE4p42Msb48= =YK2i -----END PGP SIGNATURE----- From Bryan_Hunter@archway.com Thu Apr 24 00:38:02 2003 From: Bryan_Hunter@archway.com (Hunter, Bryan) Date: Wed Apr 23 23:38:02 2003 Subject: do_plaintext() error message Message-ID: <2E40FE65F46EEC40984776ED29756EE442013D@stargate1.mi.gage.com> I tried it without time and received the same error (same exact sizes). The time from the previous runs always showed properly at the end of the process. This has been repeatable using 2 different directories. Thanks for the idea. Bryan Hunter -----Original Message----- From: Steve Butler [mailto:sbutler@fchn.com] Sent: Wednesday, April 23, 2003 4:42 PM To: Hunter, Bryan; gnupg-users@gnupg.org Subject: RE: do_plaintext() error message Perhaps I'm all wet, but wouldn't the output from both tar and time be sent via the pipe to gpg? Somehow I think there will be problems since tar is being told to send output via STDOUT and time writes by default to STDOUT. Try it without time. -----Original Message----- From: Hunter, Bryan [mailto:Bryan_Hunter@archway.com] Sent: Wednesday, April 23, 2003 12:12 PM To: 'gnupg-users@gnupg.org' Subject: do_plaintext() error message Could some one please explain what the following error message means and in particular whether the output is corrupt in some way? gpg: do_plaintext(): wrote 46305280 bytes but expected 4096 bytes This was the result of entering a command like this. time tar -cvf - directory | gpg --output outfile --encrypt --recipient keyid - Here "directory" is a directory, "outfile" is the output file, and "keyid" is the recipient. This is GnuPG 1.0.6 running under RedHat 7.2. A decryption by PGP seemed to work. Thank you, Bryan Hunter _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. From matt@rangie.com Thu Apr 24 00:40:02 2003 From: matt@rangie.com (Matthew Reeve) Date: Wed Apr 23 23:40:02 2003 Subject: Blank encrypted messages Message-ID: <001a01c309e1$0aa912d0$0800a8c0@ANYA> Hi group, I have just implemented gnupg to encrypt the contents of a webform and = email it. It took a while to get the PHP script to work, but it finally is. I tried decrypting the block on my local machine (with the private key on) = and it comes up as an empty mail.=20 I have already checked that the string being executed contains the = message in the code below. Can anyone suggest what I can try to fix this? The PHP code is as follows... function _encrypt($msg)=20 {=20 $oldhome =3D getEnv("HOME");=20 putenv("HOME=3D/var/www");=20 $command =3D 'echo "$msg" | /usr/bin/gpg -e -a --always-trust --batch --no-secmem-warning -u matt@rangie.com -r matt@rangie.com'; exec($command, $encrypted, $errorcode);=20 putenv("HOME=3D$oldhome");=20 if ($errorcode)=20 {=20 die( "$errorCode"); } else { for ($index =3D 0; $index < ((count($encrypted))); $index++) { $message .=3D $encrypted[$index]; } return ($message); } }=20 Many thanks in advance, Matthew Reeve From Kyle Hasselbacher Thu Apr 24 01:02:01 2003 From: Kyle Hasselbacher (Kyle Hasselbacher) Date: Thu Apr 24 00:02:01 2003 Subject: do_plaintext() error message In-Reply-To: <9A86613AB85FF346BB1321840DB42B4B01EBFD10@jupiter.fchn.com> References: <9A86613AB85FF346BB1321840DB42B4B01EBFD10@jupiter.fchn.com> Message-ID: <20030423220227.GB14193@longshot.toehold.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Apr 23, 2003 at 01:42:09PM -0700, Steve Butler wrote: >Perhaps I'm all wet, but wouldn't the output from both tar and time be sent >via the pipe to gpg? Somehow I think there will be problems since tar is >being told to send output via STDOUT and time writes by default to STDOUT. > >Try it without time. Hmmm. Not on my system. kyle@longshot ~ $ time echo hello hello real 0m0.000s user 0m0.000s sys 0m0.000s kyle@longshot ~ $ time echo hello > /dev/null real 0m0.000s user 0m0.000s sys 0m0.000s kyle@longshot ~ $ uname -a Linux longshot 2.4.20 #1 Thu Nov 28 20:28:40 CST 2002 i686 unknown kyle@longshot ~ $ I'm not sure how time writes its output, but it's not stdout. It's a shell built-in, so maybe it writes straight to the terminal. - -- Kyle Hasselbacher kyle@toehold.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+pw1z10sofiqUxIQRArmmAJ4lmwL4ephN+dMZcvEry/zvBR6W/QCeMhSZ Luslr8eHaZRKSQc/bSf3SLE= =UF9P -----END PGP SIGNATURE----- From malte_gell@t-online.de Thu Apr 24 02:21:02 2003 From: malte_gell@t-online.de (Malte Gell) Date: Thu Apr 24 01:21:02 2003 Subject: gpg-agent In-Reply-To: <200304231936.09419.linux@codehelp.co.uk> References: <200304222011.18514.linux@codehelp.co.uk> <20030422194811.GB25882@boston.com> <200304231936.09419.linux@codehelp.co.uk> Message-ID: <200304240121.50034.malte_gell@t-online.de> =2D----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 > The variable is being emitted in the root environment space but not > in the user space. Even when I run the command above, the variable > doesn't remain set outside the terminal window. I start gpg-agent this way via ~/.xsession if test -e ~/.gpg_agent_info; then . ~/.gpg_agent_info else gpg-agent --daemon --sh >> ~/.gpg_agent_info =2E ~/.gpg_agent_info fi So, every time I log in, ~/.xsession will check, whether gpg-agent is up=20 and running and if not, it will be started. I have the right options for gpg-agent in ~/.gnupg/gpg-agent.conf which=20 looks like this: [malte_gell@eingang]~/.gnupg=B7 cat gpg-agent.conf pinentry-program /usr/local/bin/pinentry-qt no-grab default-cache-ttl 3600 This works fine for me. If I exit from KDE and log in later, ~/.xsession=20 sees that gpg-agent is already up and running. HTH Malte =2D----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iEYEAREDAAYFAj6nH+sACgkQGzg12gD8wBbOPQCgmfUgdT8lZzJZ7ON1vKldI4jI 30MAn0cUYSO2eR602xzc8isWDuJ1ctWE =3DI73V =2D----END PGP SIGNATURE----- From jbruni@mac.com Thu Apr 24 04:45:02 2003 From: jbruni@mac.com (Joseph Bruni) Date: Thu Apr 24 03:45:02 2003 Subject: Blank encrypted messages In-Reply-To: <001a01c309e1$0aa912d0$0800a8c0@ANYA> Message-ID: <77000B9C-75F6-11D7-B9CB-003065B1243E@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 You're trying to encrypt a file named "-a". On Wednesday, April 23, 2003, at 02:41 PM, Matthew Reeve wrote: > $command = 'echo "$msg" | /usr/bin/gpg -e -a --always-trust --batch > --no-secmem-warning -u matt@rangie.com -r matt@rangie.com'; > exec($command, $encrypted, $errorcode); -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (Darwin) iEYEARECAAYFAj6nQc0ACgkQ4rg/mXNDweMJ2QCfQOC0R+pL9c9O/VFgwxVyJk/r J60AnijnjTTyXhqceM7Pb39ZCxkb3bJx =41K4 -----END PGP SIGNATURE----- From jbruni@mac.com Thu Apr 24 05:49:02 2003 From: jbruni@mac.com (Joseph Bruni) Date: Thu Apr 24 04:49:02 2003 Subject: Blank encrypted messages In-Reply-To: <77000B9C-75F6-11D7-B9CB-003065B1243E@mac.com> Message-ID: <54914726-75FF-11D7-92D8-003065B1243E@mac.com> Strike that. It seems that sometimes -e takes a filename and sometimes it doesn't. On Wednesday, April 23, 2003, at 06:45 PM, Joseph Bruni wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > You're trying to encrypt a file named "-a". > > > On Wednesday, April 23, 2003, at 02:41 PM, Matthew Reeve wrote: > >> $command = 'echo "$msg" | /usr/bin/gpg -e -a --always-trust --batch >> --no-secmem-warning -u matt@rangie.com -r matt@rangie.com'; >> exec($command, $encrypted, $errorcode); > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.2.1 (Darwin) > > iEYEARECAAYFAj6nQc0ACgkQ4rg/mXNDweMJ2QCfQOC0R+pL9c9O/VFgwxVyJk/r > J60AnijnjTTyXhqceM7Pb39ZCxkb3bJx > =41K4 > -----END PGP SIGNATURE----- > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From dcmwai@amtb-m.org.my Thu Apr 24 07:06:02 2003 From: dcmwai@amtb-m.org.my (=?Big5?B?s6+7yrC2IENoYW4gTWluIFdhaQ==?=) Date: Thu Apr 24 06:06:02 2003 Subject: Adding Footer on MTA, where MUA using GPG Message-ID: <3EA76299.8070104@amtb-m.org.my> This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig8D92977C729C54DEB2A28AB5 Content-Type: text/plain; charset=Big5 Content-Transfer-Encoding: 8bit Hello all, Is there any way I can add footer from MTA (I'm using Sendmail) and didn't broken the GPG/PGP Signature. Thank You Chan Min Wai -- ------------------------------ °¨¨ÓŚč¨Č˛bŠvžÇˇ| Amitabha Buddhist Society (M) 16A, 1st Floor, Jalan Pahang, 53000, Kuala Lumpur, Malaysia. Tel:+603-40414101, 40452630 Fax:+603-40412172 --------------enig8D92977C729C54DEB2A28AB5 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+p2KZV0p9slMZLW4RAkt4AKDYNL7htqok9oT8N9RKVw1Zz9sl7gCgkDub +hl+poHaR8GkTRP5eQJ+zfY= =ph4e -----END PGP SIGNATURE----- --------------enig8D92977C729C54DEB2A28AB5-- From eleuteri@myrealbox.com Thu Apr 24 08:23:01 2003 From: eleuteri@myrealbox.com (David Picon Alvarez) Date: Thu Apr 24 07:23:01 2003 Subject: Adding Footer on MTA, where MUA using GPG References: <3EA76299.8070104@amtb-m.org.my> Message-ID: <001801c30a21$27359f50$f92489c3@enterprise> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > -- > ------------------------------ > ???????? > Amitabha Buddhist Society (M) > 16A, 1st Floor, Jalan Pahang, > 53000, Kuala Lumpur, > Malaysia. > > Tel:+603-40414101, 40452630 > Fax:+603-40412172 If that's what you mean by footer, it's not breaking the signature. The sig verifies alright from here. - --David. -----BEGIN PGP SIGNATURE----- Comment: This message is digitally signed and can be verified for authenticity. iQIVAwUBPqd0DqYOp7uFKb/EAQJaTQ//SYTxZIvzcMfqB47tdBjCJLF8vn8QmFS0 umLIpQwlceJVRHl7Mypmelp/6gLyZsWCEHYlxfVkaTy5GCRrvZLqfnExEsEJyyeo CXHG5nb37GZj3ROOvJkuapCwiQGhGn8QZC9pDff0njQWDRsyYEuRmHV8DbZMe214 +VS3rjJMAWmSfTIc2MsFPvoEnFJoM4Q4Qm1dRblwgBlMZRhSr/lzrl9Rnbedl3hM Q3u5S2aLqXH/RvpdHpQLzxZk82oYBvGrijZs3fgVSFVfAQtCEq5fG0B0KiS0X/8R LHO7elzR304/wGtLMuOLnKCqcOxIkms1X2ORM/7Bg5OP/juz6Y4+EI9ehx4lU1Kn /jROU5i49PHaX2jHaIxVlpo/2xC4mEDnWH8OOIPamEdbO6X6IXW1ZsmeXUEYaHhe bj7EQVCdP/mTtQF8cYbk3l7WypCbDEowR8QS9jefD1H4zmRakorQIis2wAJjwijY +w+RCllgnqzD9wcHlXVbD47cxs3a1dBwPMApRrM3+nqEbKLnt6LF0KW0uwcdurR2 Z9qsZKctRh7mCctSSa8Efv+Vhv6b/ktYH9KZjnzcP2mp2Cch5dgWKGIfA3or+NRq tn1nSbFKqOVtf+77v+jVbDHJmMrQfv3MbAi1v05+EzmAdhFc7VGoH6VOFTyeIBrm GvS0T8tC9fc= =XCeK -----END PGP SIGNATURE----- From avbidder@fortytwo.ch Thu Apr 24 09:13:02 2003 From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder) Date: Thu Apr 24 08:13:02 2003 Subject: Adding Footer on MTA, where MUA using GPG In-Reply-To: <3EA76299.8070104@amtb-m.org.my> References: <3EA76299.8070104@amtb-m.org.my> Message-ID: <200304240814.21240@fortytwo.ch> --Boundary-02=_9C4p+PCqx3AZHRn Content-Type: text/plain; charset="big5" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Thursday 24 April 2003 06:05, =B3=AF=BB=CA=B0=B6 Chan Min Wai wrote: (Wow! My set up seems to be not too bad if I can see your name properly :-) > Hello all, > > Is there any way I can add footer from MTA (I'm using Sendmail) and > didn't broken the GPG/PGP Signature. - non-MIME ('inline') signatures are obviously no problem at all - just adding a footer to a PGP/MIME (like mine) signed mail will not touc= h=20 the signature either, but the MUA won't display the footer as it is not in = a=20 MIME part (you probably also know this - this mailing list has such a foote= r) - the 'proper' way, I guess, would be to encapsulate the signed mail withi= n a=20 multipart/mixed mail, with first a message/rfc822 part containing the signe= d=20 email, and then a text/plain part with the footer. However, I'd object=20 violently if any mailing list would handle my mail in this way, and also I'= m=20 absolutely not sure how various MUA would display this - I guess you'd only= =20 have problems... In short: if you don't want to depend on people using inline signatures, yo= u=20 basically have a problem with no elegant solution. After all, preventing=20 undetected modification is one of the reasons why people sign email... greets =2D- vbi =2D-=20 featured product: the GNOME desktop - http://gnome.org --Boundary-02=_9C4p+PCqx3AZHRn Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iKcEABECAGcFAj6ngL1gGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjMmbWQ1c3VtPTE0Y2E2MTZmMTQ2ODJhODJj YjljYzI1YzliMzRhMTBkAAoJEIukMYvlp/fWheYAoNHtaqiwyHMMT5AUSlA5jAfV YI+GAJ4vH2nfCouGiFIyQvqb8zNImZtdQQ== =Y0p/ -----END PGP SIGNATURE----- Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.3&md5sum=14ca616f14682a82cb9cc25c9b34a10d --Boundary-02=_9C4p+PCqx3AZHRn-- From wk@gnupg.org Thu Apr 24 10:50:01 2003 From: wk@gnupg.org (Werner Koch) Date: Thu Apr 24 09:50:01 2003 Subject: Blank encrypted messages In-Reply-To: <001a01c309e1$0aa912d0$0800a8c0@ANYA> ("Matthew Reeve"'s message of "Wed, 23 Apr 2003 22:41:00 +0100") References: <001a01c309e1$0aa912d0$0800a8c0@ANYA> Message-ID: <87adegmivt.fsf@alberti.g10code.de> On Wed, 23 Apr 2003 22:41:00 +0100, Matthew Reeve said: > $command = 'echo "$msg" | /usr/bin/gpg -e -a --always-trust --batch > --no-secmem-warning -u matt@rangie.com -r matt@rangie.com'; > exec($command, $encrypted, $errorcode); Are you sure that exec runs a shell? -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From dcmwai@amtb-m.org.my Thu Apr 24 13:21:03 2003 From: dcmwai@amtb-m.org.my (=?Big5?B?s6+7yrC2IENoYW4gTWluIFdhaQ==?=) Date: Thu Apr 24 12:21:03 2003 Subject: Adding Footer on MTA, where MUA using GPG In-Reply-To: <200304240814.21240@fortytwo.ch> References: <3EA76299.8070104@amtb-m.org.my> <200304240814.21240@fortytwo.ch> Message-ID: <3EA7BA77.6070006@amtb-m.org.my> This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig5CA2BE7E266F035D30E411FD Content-Type: multipart/alternative; boundary="------------000205060203010102070005" --------------000205060203010102070005 Content-Type: text/plain; charset=Big5 Content-Transfer-Encoding: 8bit Hello Adrian, I don't think that is a "not too bad" setup. It is very good. ;) You can even reply with my name on it :) I see what you meant, I'm using Mozilla with Enigmail and the Gnupg Maillisting footer wasn't showup on my screen. So I suppose that adding footer is always possible but showing it will be not possible in the mean time. You are right, the main point to use GPG/PGP is to aviod People to changing or getting know of our mail. Does anyone think that there will be a way to improve the way this kind of stuff doing? (well, may be I'm just dreaming) Thank You Chan Min Wai Adrian 'Dagurashibanipal' von Bidder ´Ł¨ě: >On Thursday 24 April 2003 06:05, łŻťĘ°ś Chan Min Wai wrote: > >(Wow! My set up seems to be not too bad if I can see your name properly :-) > > > >>Hello all, >> >> Is there any way I can add footer from MTA (I'm using Sendmail) and >>didn't broken the GPG/PGP Signature. >> >> > > - non-MIME ('inline') signatures are obviously no problem at all > - just adding a footer to a PGP/MIME (like mine) signed mail will not touch >the signature either, but the MUA won't display the footer as it is not in a >MIME part (you probably also know this - this mailing list has such a footer) > - the 'proper' way, I guess, would be to encapsulate the signed mail within a >multipart/mixed mail, with first a message/rfc822 part containing the signed >email, and then a text/plain part with the footer. However, I'd object >violently if any mailing list would handle my mail in this way, and also I'm >absolutely not sure how various MUA would display this - I guess you'd only >have problems... > >In short: if you don't want to depend on people using inline signatures, you >basically have a problem with no elegant solution. After all, preventing >undetected modification is one of the reasons why people sign email... > >greets >-- vbi > > > > -- ------------------------------ °¨¨ÓŚč¨Č˛bŠvžÇˇ| Amitabha Buddhist Society (M) 16A, 1st Floor, Jalan Pahang, 53000, Kuala Lumpur, Malaysia. Tel:+603-40414101, 40452630 Fax:+603-40412172 --------------000205060203010102070005 Content-Type: text/html; charset=Big5 Content-Transfer-Encoding: 8bit Hello Adrian,

    I don't think that is a "not too bad" setup. It is very good. ;)
    You can even reply with my name on it :)

    I see what you meant, I'm using Mozilla with Enigmail and the Gnupg Maillisting footer wasn't showup on my screen. So I suppose that adding footer is always possible but showing it will be not possible in the mean time.

    You are right, the main point to use GPG/PGP is to aviod People to changing or getting know of our mail.

    Does anyone think that there will be a way to improve the way this kind of stuff doing? (well, may be I'm just dreaming)

Thank You
Chan Min Wai

Adrian 'Dagurashibanipal' von Bidder ´Ł¨ě:
On Thursday 24 April 2003 06:05, łŻťĘ°ś Chan Min Wai wrote:

(Wow! My set up seems to be not too bad if I can see your name properly :-)

  
Hello all,

	Is there any way I can add footer from MTA (I'm using Sendmail) and
didn't broken the GPG/PGP Signature.
    

 - non-MIME ('inline') signatures are obviously no problem at all
 - just adding a footer to a PGP/MIME (like mine) signed mail will not touch 
the signature either, but the MUA won't display the footer as it is not in a 
MIME part (you probably also know this - this mailing list has such a footer)
 - the 'proper' way, I guess, would be to encapsulate the signed mail within a 
multipart/mixed mail, with first a message/rfc822 part containing the signed 
email, and then a text/plain part with the footer. However, I'd object 
violently if any mailing list would handle my mail in this way, and also I'm 
absolutely not sure how various MUA would display this - I guess you'd only 
have problems...

In short: if you don't want to depend on people using inline signatures, you 
basically have a problem with no elegant solution. After all, preventing 
undetected modification is one of the reasons why people sign email...

greets
-- vbi


  


-- 
------------------------------
°¨¨ÓŚč¨Č˛bŠvžÇˇ|
Amitabha Buddhist Society (M)
16A, 1st Floor, Jalan Pahang,
53000, Kuala Lumpur,
Malaysia.

Tel:+603-40414101, 40452630
Fax:+603-40412172
--------------000205060203010102070005-- --------------enig5CA2BE7E266F035D30E411FD Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+p7p3V0p9slMZLW4RAvL9AKCRewtHNyrgaAwio+MeCiiMNO19mgCgsqnC TpDCHhKHIdUh/od8LzbCHPQ= =XM6Z -----END PGP SIGNATURE----- --------------enig5CA2BE7E266F035D30E411FD-- From eleuteri@myrealbox.com Thu Apr 24 15:57:02 2003 From: eleuteri@myrealbox.com (David Picon Alvarez) Date: Thu Apr 24 14:57:02 2003 Subject: Adding Footer on MTA, where MUA using GPG References: <3EA76299.8070104@amtb-m.org.my> <200304240814.21240@fortytwo.ch> <3EA7BA77.6070006@amtb-m.org.my> Message-ID: <007d01c30a60$8a09ebb0$f92489c3@enterprise> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > Does anyone think that there will be a way to improve the way this kind > of stuff doing? (well, may be I'm just dreaming) I am not sure of this, but you could do the encryption on a centralized level when the mail gets out, I think GEAM is supposed to do something like that. If you could do it that way, you could add the footer before the encryption/signing happens. I suppose there are some drawbacks, though. - --David. -----BEGIN PGP SIGNATURE----- Comment: This message is digitally signed and can be verified for authenticity. iQIVAwUBPqfeWKYOp7uFKb/EAQJr4g//fm2XyVTl+7r1F1n5ioeeBGYLrBC4ZD6F eg37jTJCqBiKPewBm8dHUZo4hDv26kRM76HU9lZtvuYNacvIArK6oSZvUQeDfeRB pGDjjFtycINm0gDbHDLL+Prd38MWGpgO5FlR5C92I2OpFRL4iOKByZmm79D9poOr fUHw/jo1o9ijH2xk+n5ekHWE31MA3vyMdQdVKcXry2hxOT75PQH5AVS+KqhhzV1a cABqGjUcrtk77Au9lP2I8iROvHhs0AOOB223j8CFudNWUcVJbT9/KGUSzBZgTY+s vdcKWUpg0DnQo9mQ/iVHEZsQ+XSB0ah2uEcGmbSxm4sYj4z+ZUmvQbKoociNJNZZ 3IW9f37UaM2Mf5Vyswf5E7Fe1cmNVb2RHK7lQ4H6R8AjrDr7vlcW89+eRs4aBeQ3 i5JQno/8Jl9LbIou6OyEq31lyjpV0yDPBCRFLGsc1o0hUyGeyqcKUhOSooh0EGpO ILGbs/fCXAoggiaJ8Xt5zt1iuQZ1O3BGi7FyDAFGex28Gg92zwzY++WFbKIq1hqd XSFHIXBHDX5XKsSD1fo4mzCg4y/wEFvdY21L0RDbH0V8DU9XZJFhP6jPnfIfS6Re U0tw84UNDW1RCqKLh92fuhpEh332oBpxDIdlNQ5AA+Bg/76Q7pjfORx+aVGzqQYL ObmQymoKFHE= =hL9d -----END PGP SIGNATURE----- From sbutler@fchn.com Thu Apr 24 18:38:02 2003 From: sbutler@fchn.com (Steve Butler) Date: Thu Apr 24 17:38:02 2003 Subject: do_plaintext() error message Message-ID: <9A86613AB85FF346BB1321840DB42B4B01EBFD15@jupiter.fchn.com> It does appear that time is a built-in and is not affected by any IO redirection on the command line. Testing on my box did not elicit the error. I did time tar -cf - [directory] | gpg --no-batch --always-trust --recipient [myself] --output web.pgp --encrypt File `web.pgp' exists. Overwrite (y/N)? y 2.99s real 0.94s user 0.02s system Note: --always-trust is needed solely due to the way we handle keys. -----Original Message----- From: Kyle Hasselbacher [mailto:kyle-list-gpguser@toehold.com] Sent: Wednesday, April 23, 2003 3:02 PM To: Steve Butler Cc: gnupg-users@gnupg.org Subject: Re: do_plaintext() error message -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Apr 23, 2003 at 01:42:09PM -0700, Steve Butler wrote: >Perhaps I'm all wet, but wouldn't the output from both tar and time be sent >via the pipe to gpg? Somehow I think there will be problems since tar is >being told to send output via STDOUT and time writes by default to STDOUT. > >Try it without time. Hmmm. Not on my system. kyle@longshot ~ $ time echo hello hello real 0m0.000s user 0m0.000s sys 0m0.000s kyle@longshot ~ $ time echo hello > /dev/null real 0m0.000s user 0m0.000s sys 0m0.000s kyle@longshot ~ $ uname -a Linux longshot 2.4.20 #1 Thu Nov 28 20:28:40 CST 2002 i686 unknown kyle@longshot ~ $ I'm not sure how time writes its output, but it's not stdout. It's a shell built-in, so maybe it writes straight to the terminal. - -- Kyle Hasselbacher kyle@toehold.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+pw1z10sofiqUxIQRArmmAJ4lmwL4ephN+dMZcvEry/zvBR6W/QCeMhSZ Luslr8eHaZRKSQc/bSf3SLE= =UF9P -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. From linux@codehelp.co.uk Thu Apr 24 20:12:02 2003 From: linux@codehelp.co.uk (Neil Williams) Date: Thu Apr 24 19:12:02 2003 Subject: gpg-agent In-Reply-To: <20030424-6aaa0a5d19b9f5364931911b30b43185@mail.boston.com> References: <200304222011.18514.linux@codehelp.co.uk> <200304240017.42416.linux@codehelp.co.uk> <20030424-6aaa0a5d19b9f5364931911b30b43185@mail.boston.com> Message-ID: <200304241812.52885.linux@codehelp.co.uk> --Boundary-02=_UsBq+RLUC2/lTuZ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Description: signed data Content-Disposition: inline On Thursday 24 April 2003 1:40 pm, darren chamberlain wrote: > Hi Neil, > > * Neil Williams [2003-04-23 19:15]: > > If I start kmail from the terminal window, it can find the agent. If > > I start kmail from the menu or a desktop link, it fails to find the > > agent. > > Hm, weird. I suspect that KDE is doing somethink wonky. Perhaps it's > launcher app (whatever it's called) intentionally scrubs the environment > before spawning new processes? I've had to write a bash script now - eval gpg-agent --daemon etc, then kmail. Guess what - it works BUT the KPanel complains that it can't execute the bash script (probably because it is set as chmod 700). Still, it's not really a bother, at least it works now. (I will experiment with not having the gpg-agent command in the bash script at all, just using .bashrc). > It's also possible that the variable isn't being propogated from the > main kde app to the program that manages the desktop or menu, I suppose. Very likely - kmail is seeing the variable now but that's because it is being started from bash which itself has the variable set in .bashrc - it sounds like the panel is cleansing the environment. > > Without a line in .bashrc, the terminal window can't see the variable > > either, despite lines in startkde and .xinitc. Yet when I su to root, > > it is there. (I'm currently using a different installation with an > > older version of kmail but I will look at it again tomorrow on the > > installation with KDE3.1). > > I definitely suspect KDE, then, because this sounds broken to me. Agreed. However, is this an opportunity to ask for a change in design? Wouldn't it be better to use a temporary file? It already uses a location in /tmp but the filename changes each session. If the filename was kept the same, the agent could detect existing instances and all programs would know where to find the information without using the environment at all. Would that be more reliable? If the file was a risk, would putting it in ~/tmp be any better? > If you have the wherewithal, try running X without KDE, and then launch > kmail, and see if it has the variable. The only distro that has KDE3.1 and therefore KMail 1.5 and S/MIME is an optimised one that doesn't include Gnome or anything else really. It seems a little longwinded to compile Gnome from source just to test this!!! > (darren) -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk http://www.wewantbroadband.co.uk/ --Boundary-02=_UsBq+RLUC2/lTuZ Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+qBsUiAEJSii8s+MRAi56AKCHB5NQ3LP1fKWBmvQ1XYki8ByZBQCggUS7 isRDJrkjLQvc5mSiLj09pUM= =7TZu -----END PGP SIGNATURE----- --Boundary-02=_UsBq+RLUC2/lTuZ-- From Bryan_Hunter@archway.com Thu Apr 24 20:14:02 2003 From: Bryan_Hunter@archway.com (Hunter, Bryan) Date: Thu Apr 24 19:14:02 2003 Subject: do_plaintext() error message Message-ID: <2E40FE65F46EEC40984776ED29756EE442013E@stargate1.mi.gage.com> Thank you Steve. It was the "-" at the end of the command line that caused the error message. Removing it also increased the size of the output file considerably (17KB) so I presume that there was some corruption. This error message was briefly mentioned 5 years ago by Werner Koch and Matthew Skala. Is there some place where this issue should be further addressed? Thanks for your help, Bryan Hunter -----Original Message----- From: Steve Butler [mailto:sbutler@fchn.com] Sent: Thursday, April 24, 2003 11:37 AM To: 'Kyle Hasselbacher' Cc: gnupg-users@gnupg.org Subject: RE: do_plaintext() error message It does appear that time is a built-in and is not affected by any IO redirection on the command line. Testing on my box did not elicit the error. I did time tar -cf - [directory] | gpg --no-batch --always-trust --recipient [myself] --output web.pgp --encrypt File `web.pgp' exists. Overwrite (y/N)? y 2.99s real 0.94s user 0.02s system Note: --always-trust is needed solely due to the way we handle keys. -----Original Message----- From: Kyle Hasselbacher [mailto:kyle-list-gpguser@toehold.com] Sent: Wednesday, April 23, 2003 3:02 PM To: Steve Butler Cc: gnupg-users@gnupg.org Subject: Re: do_plaintext() error message -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Apr 23, 2003 at 01:42:09PM -0700, Steve Butler wrote: >Perhaps I'm all wet, but wouldn't the output from both tar and time be sent >via the pipe to gpg? Somehow I think there will be problems since tar is >being told to send output via STDOUT and time writes by default to STDOUT. > >Try it without time. Hmmm. Not on my system. kyle@longshot ~ $ time echo hello hello real 0m0.000s user 0m0.000s sys 0m0.000s kyle@longshot ~ $ time echo hello > /dev/null real 0m0.000s user 0m0.000s sys 0m0.000s kyle@longshot ~ $ uname -a Linux longshot 2.4.20 #1 Thu Nov 28 20:28:40 CST 2002 i686 unknown kyle@longshot ~ $ I'm not sure how time writes its output, but it's not stdout. It's a shell built-in, so maybe it writes straight to the terminal. - -- Kyle Hasselbacher kyle@toehold.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+pw1z10sofiqUxIQRArmmAJ4lmwL4ephN+dMZcvEry/zvBR6W/QCeMhSZ Luslr8eHaZRKSQc/bSf3SLE= =UF9P -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From linux@codehelp.co.uk Thu Apr 24 20:43:01 2003 From: linux@codehelp.co.uk (Neil Williams) Date: Thu Apr 24 19:43:01 2003 Subject: gpg-agent In-Reply-To: <20030422194811.GB25882@boston.com> References: <200304222011.18514.linux@codehelp.co.uk> <20030422194811.GB25882@boston.com> Message-ID: <200304241841.41582.linux@codehelp.co.uk> --Boundary-02=_VHCq+UM0EAMchSh Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Description: signed data Content-Disposition: inline On Tuesday 22 April 2003 8:48 pm, darren chamberlain wrote: > * Neil Williams [2003-04-22 15:43]: > > Does anyone know how to solve problems with the environment variable > > for gpg-agent? The problem now is that in order to start KMail, I MUST issue the eval "$(gpg-agent --daemon)" command in a bash script and execute kmail from the same script - no other form (like the one you list below) will work and KMail never finds the agent unless yet another gpg-agent daemon is started each time I start KMail. What is the consequence (if any) of perhaps 10 or more gpg-agent --daemon listings in ps -ax? I've tried just exporting the variable (it shows in the output but is not passed to KMail), I've tried alternative formats of the eval command. I've tried setting the panel properties to execute in a terminal and I've tried executing the same file from the desktop and from the panel. The only method to work is: #!/bin/bash eval "$(gpg-agent --daemon)" kmail Even now I still get the complaint that KPanel cannot execute the script (but it goes ahead and does so anyway) despite the script now being chmod 755 and all directories in the path also being 755. > Make sure that the script that gpg-agent --daemon emits is exporting the > variables, or export them yourself: > > eval `gpg-agent --daemon` > export GNUPG_AGENT_INFO > > (darren) Doesn't work. There has to be a better way than using environment variables. -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk http://www.wewantbroadband.co.uk/ --Boundary-02=_VHCq+UM0EAMchSh Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+qCHViAEJSii8s+MRAuQWAKCdo6HIB/Fc47ea9RrmwlPIuANomQCeJ8TE 19GoJt6jePjqTNLzWToIloc= =hOvt -----END PGP SIGNATURE----- --Boundary-02=_VHCq+UM0EAMchSh-- From dlc@users.sourceforge.net Thu Apr 24 20:53:01 2003 From: dlc@users.sourceforge.net (darren chamberlain) Date: Thu Apr 24 19:53:01 2003 Subject: gpg-agent In-Reply-To: <200304241812.52885.linux@codehelp.co.uk> References: <200304222011.18514.linux@codehelp.co.uk> <200304240017.42416.linux@codehelp.co.uk> <20030424-6aaa0a5d19b9f5364931911b30b43185@mail.boston.com> <200304241812.52885.linux@codehelp.co.uk> Message-ID: <20030424-8a21d55eac3e7dd56c95c709343d21b4@mail.boston.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 * Neil Williams [2003-04-24 13:43]: > On Thursday 24 April 2003 1:40 pm, darren chamberlain wrote: > > If you have the wherewithal, try running X without KDE, and then > > launch kmail, and see if it has the variable. > > The only distro that has KDE3.1 and therefore KMail 1.5 and S/MIME is > an optimised one that doesn't include Gnome or anything else really. > It seems a little longwinded to compile Gnome from source just to test > this!!! "Without KDE" doesn't mean "with GNOME", it means, run startx from a console. You definitely have X, or KDE wouldn't run. Meanwhile, take a look at keychain (http://www.gentoo.org/proj/en/keychain.xml). keychain is designed to work with ssh-agent, but the idea is the same. You can probably steal some ideas from it. (darren) - -- What a strange illusion it is to suppose that beauty is goodness. -- Leo Tolstoy -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (SunOS) iD8DBQE+qCQOzsinjrVhZaoRAtzXAKCWlLOqYXM7raLxnlJwJ1D2gZ68igCeNECZ PVvy6sLnyt+nBs6X30UoCl0= =ud49 -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Thu Apr 24 23:19:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Thu Apr 24 22:19:02 2003 Subject: Adding Footer on MTA, where MUA using GPG In-Reply-To: <200304240814.21240@fortytwo.ch> References: <3EA76299.8070104@amtb-m.org.my> <200304240814.21240@fortytwo.ch> Message-ID: <20030424201933.GD28568@jabberwocky.com> --y0ulUmNC+osPPQO6 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Thu, Apr 24, 2003 at 08:14:17AM +0200, Adrian 'Dagurashibanipal' von Bidder wrote: > - the 'proper' way, I guess, would be to encapsulate the signed > mail within a multipart/mixed mail, with first a message/rfc822 part > containing the signed email, and then a text/plain part with the > footer. However, I'd object violently if any mailing list would > handle my mail in this way, and also I'm absolutely not sure how > various MUA would display this - I guess you'd only have problems... Mailman 2.1 keeps the original multipart/signed message and adds a text/plain footer. I can't speak for all MUAs, but mutt handles it fine. David --y0ulUmNC+osPPQO6 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+qEbV4mZch0nhy8kRAlQAAJ0do0Mc6lyeNL9L8iukc/VPxyrAEgCfYSRL 1Ex7kdoDGgZaSRVq4X52c5I= =/kU/ -----END PGP SIGNATURE----- --y0ulUmNC+osPPQO6-- From dshaw@jabberwocky.com Thu Apr 24 23:23:03 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Thu Apr 24 22:23:03 2003 Subject: [Announce] 1.2.2 release candidate 2 In-Reply-To: <3E9FF29C.9080502@nahrath.de> References: <87istevmqa.fsf@alberti.g10code.de> <3E9E0805.7080704@nahrath.de> <20030418051256.GA438@jabberwocky.com> <3E9FF29C.9080502@nahrath.de> Message-ID: <20030424202324.GE28568@jabberwocky.com> --H1spWtNR+x+ondvy Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Apr 18, 2003 at 02:42:04PM +0200, Michael Nahrath wrote: > David Shaw wrote: >=20 > >>> ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.2.2rc2.tar.gz (2.8M) >=20 > >>Tried to compile it on MacOS 10.2.5. > >> > >>It still needes special parameters: > >> > >>After a "./configure --disable-asm" it compiles fine. > >> > >>But simply doing "./configure; make; sudo make install" quits in make w= ith: >=20 > >>_mpih-mul1.s:21:Unknown pseudo-op: .size > >>_mpih-mul1.s:21:Rest of line ignored. 1st junk character valued 109 (m). > >>make[2]: *** [mpih-mul1.o] Error 1 > >>make[1]: *** [all-recursive] Error 1 > >>make: *** [all] Error 2 > >>--- >8 --- This is fixed in 1.2.2. Alas, the answer seems to be "no assembler for OS X". David --H1spWtNR+x+ondvy Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+qEe84mZch0nhy8kRAql6AKDRgM0XCzTehmTNxH4ceMor7uDdZACaAqjL TjxVDff4eFgsy9kZUPxt+sA= =jNoa -----END PGP SIGNATURE----- --H1spWtNR+x+ondvy-- From coder@ntlworld.com Fri Apr 25 00:15:02 2003 From: coder@ntlworld.com (John Watson) Date: Thu Apr 24 23:15:02 2003 Subject: Messed up my GnuPG settings....help needed. Message-ID: <200304242217.34075.coder@ntlworld.com> I mistakenly erased both my public and private keys (yes even after being warned 2 or 3 times). Anyway I did generate a revoke key. I have since re-generated a new set of keys although I haven't exported any nor have I sent an emails using them (except to myself for testing). I thought that I may be able to use the same passphrase to regenerate the same set of keys as before (!). However I believe this would be futile due to a random seed coming into play (right??). My questions are: 1. Can I rescue my original keys at all? 2. If not, how do I go about exporting my revoke key to cancel my previous public key? Thanks. John. (using kde3.1.0 and Mandake9.1) From linux@codehelp.co.uk Fri Apr 25 01:19:02 2003 From: linux@codehelp.co.uk (Neil Williams) Date: Fri Apr 25 00:19:02 2003 Subject: Messed up my GnuPG settings....help needed. In-Reply-To: <200304242217.34075.coder@ntlworld.com> References: <200304242217.34075.coder@ntlworld.com> Message-ID: <200304242320.34651.linux@codehelp.co.uk> --Boundary-02=_yMGq+zfXKle+Jrv Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Description: signed data Content-Disposition: inline On Thursday 24 April 2003 10:17 pm, John Watson wrote: > I mistakenly erased both my public and private keys (yes even after being > warned 2 or 3 times). Anyway I did generate a revoke key. > > I have since re-generated a new set of keys although I haven't exported any > nor have I sent an emails using them (except to myself for testing). I > thought that I may be able to use the same passphrase to regenerate the > same set of keys as before (!). However I believe this would be futile due > to a random seed coming into play (right??). The passphrase can be the same but the key will differ as will the keyid. > My questions are: > 1. Can I rescue my original keys at all? Not without a backup of your secret keyring. You can restore your public ring - all you need is a list of the KeyID's that you are most likely to need and a keyserver. Without the secret key you won't be able to decrypt messages that used your old key or sign your new key with your old to carry forward the trust from existing signatures on your old key. > 2. If not, how do I go about exporting my revoke key to cancel my > previous public key? You've done the bit at: http://webber.dewinter.com/gnupg_howto/english/GPGMiniHowto-3.html#ss3.4 So: http://www.gnupg.org/gph/en/manual.html#REVOCATION anybody can publish the revocation certificate and render the corresponding public key useless. (That's why the revocation certificate needs to be protected). In your newly blank ring, import your existing public key from a keyserver, import the revocation certificate and send the altered key back to the keyserver. -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk http://www.wewantbroadband.co.uk/ --Boundary-02=_yMGq+zfXKle+Jrv Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+qGMyiAEJSii8s+MRAn/RAJ9dH56/fh+itYSMRVGNYcv8DzYYzACgg08r 7JB2JbkthaRE8ebbv8v6UmM= =38kt -----END PGP SIGNATURE----- --Boundary-02=_yMGq+zfXKle+Jrv-- From dshaw@jabberwocky.com Fri Apr 25 01:25:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Fri Apr 25 00:25:02 2003 Subject: Messed up my GnuPG settings....help needed. In-Reply-To: <200304242217.34075.coder@ntlworld.com> References: <200304242217.34075.coder@ntlworld.com> Message-ID: <20030424222608.GF28568@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, Apr 24, 2003 at 10:17:34PM +0100, John Watson wrote: > I mistakenly erased both my public and private keys (yes even after being > warned 2 or 3 times). Anyway I did generate a revoke key. > > I have since re-generated a new set of keys although I haven't exported any > nor have I sent an emails using them (except to myself for testing). I > thought that I may be able to use the same passphrase to regenerate the > same set of keys as before (!). However I believe this would be futile due > to a random seed coming into play (right??). > > My questions are: > 1. Can I rescue my original keys at all? Alas, no. The passphrase is just used to encrypt a random key. You can't recreate a key by using the same passphrase. > 2. If not, how do I go about exporting my revoke key to cancel my > previous public key? If you generated a revocation for your previous key, then that's great. Just do "gpg --import the_revocation" and the key will be revoked. If you have your old key on a keyserver, then you might want to also do "gpg --send-key (thekeyid)" to propagate the revocation to the world. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+qGSA4mZch0nhy8kRAsmrAJ9AkmlIrP4h4Eq/1fjFATBMsjmgygCg3uV7 Lev8wKQ/x9dmgr5AQF7U6TU= =+lJb -----END PGP SIGNATURE----- From avbidder@fortytwo.ch Fri Apr 25 11:08:01 2003 From: avbidder@fortytwo.ch (avbidder@fortytwo.ch) Date: Fri Apr 25 10:08:01 2003 Subject: Adding Footer on MTA, where MUA using GPG In-Reply-To: <20030424201933.GD28568@jabberwocky.com> References: <20030424201933.GD28568@jabberwocky.com> Message-ID: <20030425075928.63F531864@altfrangg.fortytwo.ch> ---=-=-=-boundary-=-=-=- Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="--other boundary--" ----other boundary-- Content-Type: text/plain; charset=us-ascii Content-Disposition: inline David: > Mailman 2.1 keeps the original multipart/signed message and adds a > text/plain footer. I can't speak for all MUAs, but mutt handles it > fine. You mean something like this? (signature going to be bad, see User-Agent header, it's just too much trouble). -- vbi ----other boundary-- Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: keyboard v1.0 iKcEABECAGcFAj6ngL1gGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjMmbWQ1c3VtPTE0Y2E2MTZmMTQ2ODJhODJj YjljYzI1YzliMzRhMTBkAAoJEIukMYvlp/fWheYAoNHtaqiwyHMMT5AUSlA5jAfV YI+GAJ4vH2nfCouGiFIyQvqb8zNImZtdQQ== =Y0p/ -----END PGP SIGNATURE----- ----other boundary---- ---=-=-=-boundary-=-=-=- Content-Type: text/plain -- And this would be the footer... ---=-=-=-boundary-=-=-=--- Phew. I hope the errors aren't too bad... From d.fettke@peguform.de Fri Apr 25 11:12:02 2003 From: d.fettke@peguform.de (Dirk Fettke) Date: Fri Apr 25 10:12:02 2003 Subject: problems to sign emails Message-ID: <200304251011.44125.d.fettke@peguform.de> hello, my problem is, that i can't sign any emails i want to send. i'm using kmail with suse 8.2. if i klick on "send", i get an error-message called that i have given a wrong password. if i klick on "try again" the error comes again immediatelly. i can't type in any password. when i edit my gpg-key and type in no password, then the signing of emails works. only if i typeing a password in the gpg-key, then it won't working. what's the problem, or what i doing wrong? tanks for your help dirk fettke From wk@gnupg.org Fri Apr 25 11:40:02 2003 From: wk@gnupg.org (Werner Koch) Date: Fri Apr 25 10:40:02 2003 Subject: gpg-agent In-Reply-To: <200304241841.41582.linux@codehelp.co.uk> (Neil Williams's message of "Thu, 24 Apr 2003 18:41:37 +0100") References: <200304222011.18514.linux@codehelp.co.uk> <20030422194811.GB25882@boston.com> <200304241841.41582.linux@codehelp.co.uk> Message-ID: <8765p3km17.fsf@alberti.g10code.de> On Thu, 24 Apr 2003 18:41:37 +0100, Neil Williams said: >> eval `gpg-agent --daemon` >> export GNUPG_AGENT_INFO >> >> (darren) > Doesn't work. There has to be a better way than using environment variables. Most likely you also run ssh-agent. gpg-agent must be startet in excactly the same way. Note, that you can also let gpg-agent start an application: gpg-agent --daemon /bin/sh -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From avbidder@fortytwo.ch Fri Apr 25 12:37:02 2003 From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder) Date: Fri Apr 25 11:37:02 2003 Subject: problems to sign emails In-Reply-To: <200304251011.44125.d.fettke@peguform.de> References: <200304251011.44125.d.fettke@peguform.de> Message-ID: <200304251138.19331@fortytwo.ch> --Boundary-02=_LIQq+DoWR4AUSIS Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Friday 25 April 2003 10:11, Dirk Fettke wrote: > hello, > > my problem is, that i can't sign any emails i want to send. i'm using kma= il > with suse 8.2. if i klick on "send", i get an error-message called that i > have given a wrong password. if i klick on "try again" the error comes > again immediatelly. i can't type in any password. > when i edit my gpg-key and type in no password, then the signing of emails > works. only if i typeing a password in the gpg-key, then it won't working. > what's the problem, or what i doing wrong? Which kmail version? How are you trying to send mail - with the builtin gpg= =20 support of kmail or with the PGP/MIME plugin (Hint: there is a 'crypto=20 plugins' tab in the security settings dialog. Do you have anything there?). If the latter, it's probably a problem with the gpg-agent not working.=20 cheers =2D- vbi =2D-=20 You opted-in to receive these exciting offers by having an email address. Our spam cannot be considered spam because of this disclaimer. This is a one-time mailing. To be removed from future one-time mailings, don't receive email. --Boundary-02=_LIQq+DoWR4AUSIS Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iKcEABECAGcFAj6pAgtgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjMmbWQ1c3VtPTE0Y2E2MTZmMTQ2ODJhODJj YjljYzI1YzliMzRhMTBkAAoJEIukMYvlp/fWt9YAn1WEdKDinrdXcf3pEHkA/O5M ghkzAJ9Jxs66ga6CMY7QKJ1AAavVoPF2Mw== =IPIs -----END PGP SIGNATURE----- Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.3&md5sum=14ca616f14682a82cb9cc25c9b34a10d --Boundary-02=_LIQq+DoWR4AUSIS-- From d.fettke@peguform.de Fri Apr 25 13:52:02 2003 From: d.fettke@peguform.de (Dirk Fettke) Date: Fri Apr 25 12:52:02 2003 Subject: problems to sign emails In-Reply-To: <200304251138.19331@fortytwo.ch> References: <200304251138.19331@fortytwo.ch> Message-ID: <200304251252.18173.d.fettke@peguform.de> > Which kmail version? How are you trying to send mail - with the builtin > gpg > support of kmail or with the PGP/MIME plugin (Hint: there is a 'crypto > plugins' tab in the security settings dialog. Do you have anything > there?). > > If the latter, it's probably a problem with the gpg-agent not working. my kmal version is 1.5.1. i trying to send emails with the builtin gpg of kmail. in the security settings at the crypto plugin i haven't anything there. the couriosity is that all works without an gpg password. as soon as i given a password it don't works. i become to desperate... :-( greetings dirk From avbidder@fortytwo.ch Fri Apr 25 16:01:01 2003 From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder) Date: Fri Apr 25 15:01:01 2003 Subject: problems to sign emails In-Reply-To: <200304251252.18173.d.fettke@peguform.de> References: <200304251138.19331@fortytwo.ch> <200304251252.18173.d.fettke@peguform.de> Message-ID: <200304251502.16976@fortytwo.ch> --Boundary-02=_YHTq+WQHGFe6Fwo Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Friday 25 April 2003 12:52, Dirk Fettke wrote: > > Which kmail version? How are you trying to send mail - with the builtin > > gpg > > support of kmail or with the PGP/MIME plugin (Hint: there is a 'crypto > > plugins' tab in the security settings dialog. Do you have anything > > there?). > > > > If the latter, it's probably a problem with the gpg-agent not working. > > my kmal version is 1.5.1. > i trying to send emails with the builtin gpg of kmail. in the security > settings at the crypto plugin i haven't anything there. Ok. I have to say that I don't have any experience with the builtin facilit= y,=20 as I use the plugin myself (but it is somewhat experimental, so I'd have be= en=20 surprised if SuSE shipped it. But one never knows...) > the couriosity is > that all works without an gpg password. as soon as i given a password it > don't works. i become to desperate... :-( Have a look at your ~/.gnupg/gpg.conf (or 'options', in the same directory)= =20 file. Is there any 'use-agent' directive? (There shouldn't, just checking). If you create a new user with all the default settings, does it fail there,= =20 too? Perhaps it's just one of your config files borken. But I'm in the dark, really, perhaps you should ask in a KDE or SuSE mailin= g=20 list/support forum? When you can sign ordinary files with gpg, I guess the= =20 problem is not with gpg but with kmail. cheers =2D-- vbi =2D-=20 pub 1024D/92082481 2002-02-22 Adrian von Bidder Key fingerprint =3D EFE3 96F4 18F5 8D65 8494 28FC 1438 5168 9208 2481 --Boundary-02=_YHTq+WQHGFe6Fwo Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iKcEABECAGcFAj6pMdhgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjMmbWQ1c3VtPTE0Y2E2MTZmMTQ2ODJhODJj YjljYzI1YzliMzRhMTBkAAoJEIukMYvlp/fWygcAoPVpmTxxyFptNTq/EpLSyh6H 2T5oAKCt1yC/CyQw2MARpeUkeuHKPBpkFQ== =oFN1 -----END PGP SIGNATURE----- Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.3&md5sum=14ca616f14682a82cb9cc25c9b34a10d --Boundary-02=_YHTq+WQHGFe6Fwo-- From linux@codehelp.co.uk Fri Apr 25 20:07:03 2003 From: linux@codehelp.co.uk (Neil Williams) Date: Fri Apr 25 19:07:03 2003 Subject: Adding Footer on MTA, where MUA using GPG In-Reply-To: <20030425075928.63F531864@altfrangg.fortytwo.ch> References: <20030424201933.GD28568@jabberwocky.com> <20030425075928.63F531864@altfrangg.fortytwo.ch> Message-ID: <200304251808.25572.linux@codehelp.co.uk> --Boundary-02=_JuWq+95dY2GKfR4 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Description: signed data Content-Disposition: inline On Friday 25 April 2003 8:59 am, avbidder@fortytwo.ch wrote: Nowt. There was some text in the source but the mime boundaries didn't work so the whole message disappeared. >From the source: (boundary markers deleted to prevent more mime errors) ======================================= David: > Mailman 2.1 keeps the original multipart/signed message and adds a > text/plain footer. I can't speak for all MUAs, but mutt handles it > fine. You mean something like this? (signature going to be bad, see User-Agent header, it's just too much trouble). other boundary boundary Content-Type: text/plain And this would be the footer... boundary Phew. I hope the errors aren't too bad... ================================= :-)) -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk http://www.wewantbroadband.co.uk/ --Boundary-02=_JuWq+95dY2GKfR4 Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+qWuJiAEJSii8s+MRAl7kAKDqJ9hRg2XhHc6GadR7SpZKZN1JZgCfcG+A U69PoSe6QgFmgHv1uDrxkEI= =hAIX -----END PGP SIGNATURE----- --Boundary-02=_JuWq+95dY2GKfR4-- From linux@codehelp.co.uk Fri Apr 25 20:14:02 2003 From: linux@codehelp.co.uk (Neil Williams) Date: Fri Apr 25 19:14:02 2003 Subject: gpg-agent In-Reply-To: <8765p3km17.fsf@alberti.g10code.de> References: <200304222011.18514.linux@codehelp.co.uk> <200304241841.41582.linux@codehelp.co.uk> <8765p3km17.fsf@alberti.g10code.de> Message-ID: <200304251815.06341.linux@codehelp.co.uk> --Boundary-02=_a0Wq+2ozbzBLUoB Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Description: signed data Content-Disposition: inline On Friday 25 April 2003 9:40 am, Werner Koch wrote: > On Thu, 24 Apr 2003 18:41:37 +0100, Neil Williams said: > >> eval `gpg-agent --daemon` > >> export GNUPG_AGENT_INFO When it works, the variable that shows up is GPG_AGENT_INFO not GNUPG. > >> > >> (darren) > > > > Doesn't work. There has to be a better way than using environment > > variables. > > Most likely you also run ssh-agent. gpg-agent must be startet in Therein is the problem - this optimised distro has no servers at all so ssh-agent isn't installed. I can use ssh as a client (but it is very slow to authorise) but I have no ssh, telnet, ftp, mysql or httpd servers. I'm waiting to get hold of Mandrake 9.1 (can't download as I have no broadband) so that I can get better use out of KDE3.1 I have installed the same distro on two machines - on one I end up with three copies of gpg-agent but it works. On the other I need to start kmail from the bash script referred to before and end up with lots and lots of gpg-agents. -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk http://www.wewantbroadband.co.uk/ --Boundary-02=_a0Wq+2ozbzBLUoB Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+qW0aiAEJSii8s+MRAkkvAJ9CNUFbKjRHgEcYp1wmvsBsTdrSCwCgx9JC jWyLQ/nyi0u9Hm9eNuWOdtQ= =vDwh -----END PGP SIGNATURE----- --Boundary-02=_a0Wq+2ozbzBLUoB-- From linux@codehelp.co.uk Fri Apr 25 20:17:02 2003 From: linux@codehelp.co.uk (Neil Williams) Date: Fri Apr 25 19:17:02 2003 Subject: Messed up my GnuPG settings....help needed. In-Reply-To: <200304250129.44741.coder@ntlworld.com> References: <200304242217.34075.coder@ntlworld.com> <200304242320.34651.linux@codehelp.co.uk> <200304250129.44741.coder@ntlworld.com> Message-ID: <200304251818.36381.linux@codehelp.co.uk> --Boundary-02=_s3Wq+ekaYxcL6a5 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Description: signed data Content-Disposition: inline On Friday 25 April 2003 1:29 am, John Watson wrote: > I have imported my old public key and my revoked key now I have a key > listed as ([revoked]) in my list of keys. However this is what happens > ..... > > [john@localhost john]$ gpg --send-key D7553476 > gpg: error sending to `www.mandrakesecure.net': eof > Don't know where mandrakesecure comes from but anyway.... it appears as It's selected as a default by Mandrake. Edit the ~/.gnupg/gpg.conf and change the keyserver. To just get this one action done, use the --keyserver option: $ gpg --keyserver hkp://blackhole.pca.dfn.de --send-key D7553476 I use hkp://keyserver.linux.it -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk http://www.wewantbroadband.co.uk/ --Boundary-02=_s3Wq+ekaYxcL6a5 Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+qW3siAEJSii8s+MRAu87AJ94i/KSeA6x6VRFuUCJhL7QkFxuLgCgrngR JfzAjjBpvwB3pMiPNbmZIwk= =sHUh -----END PGP SIGNATURE----- --Boundary-02=_s3Wq+ekaYxcL6a5-- From ingo.kloecker@epost.de Fri Apr 25 22:02:03 2003 From: ingo.kloecker@epost.de (Ingo =?iso-8859-1?q?Kl=F6cker?=) Date: Fri Apr 25 21:02:03 2003 Subject: gpg-agent In-Reply-To: <200304251815.06341.linux@codehelp.co.uk> References: <200304222011.18514.linux@codehelp.co.uk> <8765p3km17.fsf@alberti.g10code.de> <200304251815.06341.linux@codehelp.co.uk> Message-ID: <200304252047.26065@erwin.ingo-kloecker.de> --Boundary-02=_9KYq+CRU5ypVIyM Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Friday 25 April 2003 19:15, Neil Williams wrote: > I have installed the same distro on two machines - on one I end up > with three copies of gpg-agent but it works. On the other I need to > start kmail from the bash script referred to before and end up with > lots and lots of gpg-agents. Simply add a 'killall gpg-agent' as first command to your script if you=20 don't want multiple gpg-agents. Regards, Ingo --Boundary-02=_9KYq+CRU5ypVIyM Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+qYK9GnR+RTDgudgRApDaAKDc3jGL/ZBNJn7oVdigakzBNzHzQACgjq5z EnWRPPx8sVUGui7yd2HiLVk= =eY/A -----END PGP SIGNATURE----- --Boundary-02=_9KYq+CRU5ypVIyM-- From ingo.kloecker@epost.de Fri Apr 25 22:02:42 2003 From: ingo.kloecker@epost.de (Ingo =?iso-8859-1?q?Kl=F6cker?=) Date: Fri Apr 25 21:02:42 2003 Subject: problems to sign emails In-Reply-To: <200304251011.44125.d.fettke@peguform.de> References: <200304251011.44125.d.fettke@peguform.de> Message-ID: <200304252051.20525@erwin.ingo-kloecker.de> --Boundary-02=_oOYq+9hNPR3buu4 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Friday 25 April 2003 10:11, Dirk Fettke wrote: > my problem is, that i can't sign any emails i want to send. i'm using > kmail with suse 8.2. if i klick on "send", i get an error-message > called that i have given a wrong password. if i klick on "try again" > the error comes again immediatelly. i can't type in any password. > when i edit my gpg-key and type in no password, then the signing of > emails works. only if i typeing a password in the gpg-key, then it > won't working. what's the problem, or what i doing wrong? Most likely you don't use gpg-agent but you have the line "use-agent" in=20 your ~/.gnupg/gpg.conf. Removing this line will fix your problem. With=20 KMail 1.5.2 this problem won't occur anymore. BTW, this bug is already documented in the SuSE support database=20 (www.suse.de, search for "kmail"). Regards, Ingo --Boundary-02=_oOYq+9hNPR3buu4 Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+qYOoGnR+RTDgudgRAs2PAKCWF2XxXqUVlFW0wwyDBx46Od/srQCeKys4 jrkUxw4zWJbMJB5kfgk8mp0= =rl49 -----END PGP SIGNATURE----- --Boundary-02=_oOYq+9hNPR3buu4-- From ingo.kloecker@epost.de Fri Apr 25 22:03:23 2003 From: ingo.kloecker@epost.de (Ingo =?iso-8859-1?q?Kl=F6cker?=) Date: Fri Apr 25 21:03:23 2003 Subject: problems to sign emails In-Reply-To: <200304251502.16976@fortytwo.ch> References: <200304251138.19331@fortytwo.ch> <200304251252.18173.d.fettke@peguform.de> <200304251502.16976@fortytwo.ch> Message-ID: <200304252059.06776@erwin.ingo-kloecker.de> --Boundary-02=_6VYq+IiADKOzh7o Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Friday 25 April 2003 15:02, Adrian 'Dagurashibanipal' von Bidder=20 wrote: > On Friday 25 April 2003 12:52, Dirk Fettke wrote: > > > Which kmail version? How are you trying to send mail - with the > > > builtin gpg > > > support of kmail or with the PGP/MIME plugin (Hint: there is a > > > 'crypto plugins' tab in the security settings dialog. Do you have > > > anything there?). > > > > > > If the latter, it's probably a problem with the gpg-agent not > > > working. > > > > my kmal version is 1.5.1. > > i trying to send emails with the builtin gpg of kmail. in the > > security settings at the crypto plugin i haven't anything there. > > Ok. I have to say that I don't have any experience with the builtin > facility, as I use the plugin myself (but it is somewhat > experimental, so I'd have been surprised if SuSE shipped it. But one > never knows...) SuSE 8.2 includes everything that's necessary for the crypto plugins.=20 It's just not installed by default. Search the SuSE support database=20 for "kmail". > > the couriosity is > > that all works without an gpg password. as soon as i given a > > password it don't works. i become to desperate... :-( > > Have a look at your ~/.gnupg/gpg.conf (or 'options', in the same > directory) file. Is there any 'use-agent' directive? (There > shouldn't, just checking). > > If you create a new user with all the default settings, does it fail > there, too? Perhaps it's just one of your config files borken. > > But I'm in the dark, really, perhaps you should ask in a KDE or SuSE > mailing list/support forum? When you can sign ordinary files with > gpg, I guess the problem is not with gpg but with kmail. Actually it's IMO a bug in gpg because KMail calls gpg with the=20 =2D-passphrase-fd option. This obviously means that kmail (or any other=20 application that calls gpg with this option) wants to tell the=20 passphrase to gpg. But gpg insists on using the gpg-agent if the=20 use-agent option is set. Of course this fails if gpg-agent isn't=20 running because falling back to the command line is impossible in batch=20 mode. KMail 1.5.2 will tell gpg explicitely via the undocumented (I had to=20 look into the source code) --no-use-agent option to not use the=20 gpg-agent. Regards, Ingo --Boundary-02=_6VYq+IiADKOzh7o Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+qYV6GnR+RTDgudgRAsvOAKCh1VnWxvaxJSThU1hwpfuRWqedBQCeJM6U IfJ805GMV6XQupPF+oizt4c= =E1oq -----END PGP SIGNATURE----- --Boundary-02=_6VYq+IiADKOzh7o-- From ebrandao@sonae.com.br Fri Apr 25 22:50:03 2003 From: ebrandao@sonae.com.br (Eduardo Scharnberg Brandao) Date: Fri Apr 25 21:50:03 2003 Subject: Unix AIX Message-ID: This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C30B63.D5A3B750 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Hi there, =20 I=B4m trying to run gpg.exe but I=B4m getting the following error = message: =20 exec(): 0509-036 Cannot load program gpg because of the following = errors: 0509-150 Dependent module libintl.a(libintl.so.1) could not = be loaded. 0509-022 Cannot load module libintl.a(libintl.so.1). 0509-026 System error: A file or directory in the path name = does not exist. =20 My UNIX version is AIX 4.3.3, and the gpg building I=B4m trying to use = is 5.1 =20 Can it be the reason of the problem? If true, is there an AIX 4.3.3 = version available somewhere? =20 Thanks in advance. =20 =20 Eduardo Scharnberg Brand=E3o Analista de Sistemas Pleno SONAE DISTRIBUI=C7=C2O BRASIL +55 51 3349-4718 =20 =20 ------_=_NextPart_001_01C30B63.D5A3B750 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Mensagem
Hi there,
 
I=B4m trying to run gpg.exe but I=B4m = getting the following=20 error message:
 
exec(): 0509-036 Cannot load program = gpg because of=20 the following errors:
       =20 0509-150   Dependent module libintl.a(libintl.so.1) could not = be=20 loaded.
        0509-022 Cannot = load=20 module = libintl.a(libintl.so.1).
       =20 0509-026 System error: A file or directory in the path name does not=20 exist.
 
My = UNIX version is=20 AIX 4.3.3, and the gpg building I=B4m trying to use is = 5.1
 
Can = it be the reason=20 of the problem? If true, is there an AIX 4.3.3 version = available=20 somewhere?
 
Thanks in=20 advance.
 
 

Eduardo Scharnberg Brand=E3o

Analista de Sistemas=20 Pleno

SONAE DISTRIBUI=C7=C2O=20 BRASIL

+55 = 51=20 3349-4718

 

 
------_=_NextPart_001_01C30B63.D5A3B750-- From plaven@bigpond.net.au Sat Apr 26 04:16:02 2003 From: plaven@bigpond.net.au (Peter Lavender) Date: Sat Apr 26 03:16:02 2003 Subject: Trust Message-ID: <20030426011702.GA19214@piglet2> Hi everyone I'm using 1.2.1, and noticed that it was taking ages when it imported a key. I have since resolved this, but I'm interested to understand the trust ouput in the output when a signed message is checked. I'm running a cron job that does some trustdb stuff and this is the output I would like to understand: gpg: checking at depth 0 signed=7 ot(-/q/n/m/f/u)=0/0/0/0/0/1 gpg: checking at depth 1 signed=10 ot(-/q/n/m/f/u)=4/0/0/2/1/0 Is there some documents/FAQ (I have looked here) that explains this in any detail? Thanks. Pete :wq From cwsiv_home1@juno.com Sat Apr 26 04:30:02 2003 From: cwsiv_home1@juno.com (carl w spitzer) Date: Sat Apr 26 03:30:02 2003 Subject: Keyserver list Message-ID: <20030425.182706.3239.7.cwsiv_home1@juno.com> Big Brother keyserver status page http://pgp.zdv.uni-mainz.de/keyserver/bigbrother/ o _______________________________ o _____ | CWSIV_HOME1@JUNO.COM | .][__n_n_|DD[ ====_____ | M A R K L I N T R A I N S | > (________|__|_[_________]_|___________________________| _/oo OOOOO oo` ooo ooo 'o!o!o o!o!o` ________________________________________________________________ The best thing to hit the internet in years - Juno SpeedBand! Surf the web up to FIVE TIMES FASTER! Only $14.95/ month - visit www.juno.com to sign up today! From cwsiv_home1@juno.com Sat Apr 26 04:30:32 2003 From: cwsiv_home1@juno.com (carl w spitzer) Date: Sat Apr 26 03:30:32 2003 Subject: something new Message-ID: <20030425.182705.3239.0.cwsiv_home1@juno.com> There is now a version of mandrake linux which runs from a USB drive. Has anyone tried to run GNUPG or PGP off one of these. o _______________________________ o _____ | CWSIV_HOME1@JUNO.COM | .][__n_n_|DD[ ====_____ | M A R K L I N T R A I N S | > (________|__|_[_________]_|___________________________| _/oo OOOOO oo` ooo ooo 'o!o!o o!o!o` ________________________________________________________________ The best thing to hit the internet in years - Juno SpeedBand! Surf the web up to FIVE TIMES FASTER! Only $14.95/ month - visit www.juno.com to sign up today! From eleuteri@myrealbox.com Sat Apr 26 05:17:02 2003 From: eleuteri@myrealbox.com (David Picon Alvarez) Date: Sat Apr 26 04:17:02 2003 Subject: Trust References: <20030426011702.GA19214@piglet2> Message-ID: <000701c30b99$8be5c960$f92489c3@enterprise> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > gpg: checking at depth 0 signed=7 ot(-/q/n/m/f/u)=0/0/0/0/0/1 > gpg: checking at depth 1 signed=10 ot(-/q/n/m/f/u)=4/0/0/2/1/0 It doesn't have too much science (wonder if that's legal in English). Depth is how far from the trust source the analysis is. For example, depth 0 applies to ultimately trusted keys, which are the primary sources of trust in gpg. Depth one applies to keys signed by ultimately trusted, depth two by those signed by depth 1, etc. Actually, this is a bit of a simplification, but you get the idea. The other kind of cryptic bit goes like this: ot(-/q/n/m/f/u)=0/0/0/0/0/1 This is a summary of the trust (not validity) levels assigned. In this particular case: Ultimate trust 1, full trust 0, marginal trust 0, "no trust" 0, don't know trust 0, uncalculated (IIRC the - means that) trust 0. Note that this is quite necessary filled with zeroes except for the last digit, since depth zero implies ultimate trust. From here, you can work it out, I hope. BTW, I haven't found this on the fine manual or on the fine source but just used my powers of induction which are quite fallible, so maybe I have misinterpreted the data. - --David. -----BEGIN PGP SIGNATURE----- Comment: This message is digitally signed and can be verified for authenticity. iQIVAwUBPqnri6YOp7uFKb/EAQIhVhAAhrgDd/bik6dJlSuVgtEGOEAeWxz6kaN9 2GEuv2jZgOFECSNjrj2paUQkr1zKKdQnXZKRchdynUtlZVRZ4atiKCEqkAaEeFPX ZQ9gIGB65cLNQKrc3PRfLfA+CwvR2DJhtxZOcEKAdzKss4Z6blxACWfKjs49wH3Z 2byyI/OxSAxF5v47ncSDageeoZoe4gOa08AF3js8BOMOwCsBDC0fibL9WH9w+cMp fQpRWtPG9uSaYg6WCARIIgtxMyDOH1zOr7Fvm6VUb8Z8PZGajqtuB/zdYdoMg+jI xAOVO1Q/lhpciSBYz2cXprFAUMZGy8yzXnAYVbkH25TTI9JrH7O0Nwk3rmc+fIgj Gl9LQYZ+bi3tkEiWyjmUDA34Nd/Rd7wFI1eKmY/hAwbI2OmSMvjVby/b5SfE9Zvg se7SO2CI7iiS+PiBmcirQ6Ef95SP3Wec8kLLqbuVUKKbFMt2RrwspFKTKC993vxn hBVoZx20IdQOcl0qacQfhtwlbppEem0WuYoZxSHiGjnF4t+Tgl3JQDfbHBYfw7If g56JlPtNBIIMOVFqaJh4MSo+wzMzQqPUMw24xEoXnI6sUjVFMt0Y/6w0Mcs9FN41 4TNFqNHTq/yOIASPLng0Dxutf+sRebaYjl5Y2n9AF6l0xwZbi3yCwc2Tnmr/dPCp pS7+0cHbxPE= =IbwW -----END PGP SIGNATURE----- From dcmwai@amtb-m.org.my Sat Apr 26 06:29:02 2003 From: dcmwai@amtb-m.org.my (=?Big5?B?s6+7yrC2IENoYW4gTWluIFdhaQ==?=) Date: Sat Apr 26 05:29:02 2003 Subject: Any Reason to build up an Keyserver for LAN? Message-ID: <3EA9FD2B.9050905@amtb-m.org.my> This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig1FC621229CA1C2F849A97BCE Content-Type: text/plain; charset=Big5 Content-Transfer-Encoding: 8bit Hello all, I'm wounder is there any reason to build a Keyserver for LAN? I'm using LDAP so is there any Schema for LDAP? Thank You Chan Min Wai -- ------------------------------ °¨¨ÓŚč¨Č˛bŠvžÇˇ| Amitabha Buddhist Society (M) 16A, 1st Floor, Jalan Pahang, 53000, Kuala Lumpur, Malaysia. Tel:+603-40414101, 40452630 Fax:+603-40412172 --------------enig1FC621229CA1C2F849A97BCE Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+qf0rV0p9slMZLW4RArOVAJ4tM7xS2mzftdEW3rZxyPEbIlQbEQCg2cCU p31pk1c7Gb9ReEUfpSRnhC4= =XckR -----END PGP SIGNATURE----- --------------enig1FC621229CA1C2F849A97BCE-- From pt@radvis.nu Sat Apr 26 22:14:02 2003 From: pt@radvis.nu (Per Tunedal) Date: Sat Apr 26 21:14:02 2003 Subject: Multiple sub-signingkeys Message-ID: <5.1.0.14.2.20030426205737.00c53970@mail4.it-norr.com> Hi, Finally I hope that I have understood what Adrian von Bidder tells on his page about using multiple subkeys: http://fortytwo.ch/gpg/subkeys/ It is possible to use a "crippled" key without the secret primary signing key if an other secret signing key is present. Only the public primary signing key is needed. When listing the secret keys the primary key with missing secret key is market with #. "your primary secret key should be marked with a '#': $ gpg --list-secret-key testuser sec# 1024D/971B7A70 2003-01-03 testuser ssb 1024g/ACDF80C4 2003-01-03 ssb 1024R/BE9CA308 2003-01-07" This crippled key can be used on an insecure computer, while your complete key can be used on a secure computer. When listing secret keys for the original key the primary key is shown without the #. You can thus easily see what secret keys are present in each keyring. (If I am right it might be a good idea to emphasize this on your page, Adrian!) I find Adrians advice very useful. Why isn't it easier to do it? (I have tried to do it with WinPT and it works OK. But I cannot see what secret keys are present neither with WinPT, nor with GPGrelay.) Have I missed something? Per Tunedal PS I have previous tried using multiple encryption keys in a similar manner without success ... From DenisMcCauley@ifrance.com Sun Apr 27 03:12:02 2003 From: DenisMcCauley@ifrance.com (Denis McCauley) Date: Sun Apr 27 02:12:02 2003 Subject: multiple sub-signingkeys Message-ID: <3EAB204B.1010003@ifrance.com> This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig5D3A38715B500322509CE571 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Per Tunedal wrote > > This crippled key can be used on an insecure computer, while your > complete key can be used on a secure computer. When listing secret > keys for the original key the primary key is shown without the #. > > (I have tried to do it with WinPT and it works OK. But I cannot see > what secret keys are present neither with WinPT, nor with GPGrelay.) > Nor with GPGshell. When I try "list-secret-keys" I get "Invalid command" and when I try "toggle" I get: sec 1024D/key ID date testuser (There's no "#" ) ssb 1024g/key ID date ssb 1024R/key ID date Cheers -- -- ========================================== Denis McCauley GPG/PGP keys at http://www.djmccauley.tk ========================================== --------------enig5D3A38715B500322509CE571 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1-nr1 (Windows 2000) Comment: Key ID: 0x578247B4 (using signature subkey 0x4980C4F7) iD8DBQE+qyBpJpZGKkmAxPcRAjNHAKCCDpF/CFliebFaaYAcqEv9pjpiBQCeIZHy lb53XL8RLlE50Vb/T9TnIgY= =8xVW -----END PGP SIGNATURE----- --------------enig5D3A38715B500322509CE571-- From wk@gnupg.org Sun Apr 27 13:20:02 2003 From: wk@gnupg.org (Werner Koch) Date: Sun Apr 27 12:20:02 2003 Subject: Trust In-Reply-To: <000701c30b99$8be5c960$f92489c3@enterprise> ("David Picon Alvarez"'s message of "Sat, 26 Apr 2003 03:14:14 +0100") References: <20030426011702.GA19214@piglet2> <000701c30b99$8be5c960$f92489c3@enterprise> Message-ID: <87r87oi6g7.fsf@alberti.g10code.de> On Sat, 26 Apr 2003 03:14:14 +0100, David Picon Alvarez said: > BTW, I haven't found this on the fine manual or on the fine source but just > used my powers of induction which are quite fallible, so maybe I have This is not documented on purpose: We don't want that this is used for some kind of automation. It is merely a progress indicator with some debugging output. Salam-Shalom, Werner -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From avbidder@fortytwo.ch Tue Apr 29 14:06:17 2003 From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder) Date: Tue Apr 29 13:06:17 2003 Subject: Multiple sub-signingkeys In-Reply-To: <5.1.0.14.2.20030426205737.00c53970@mail4.it-norr.com> References: <5.1.0.14.2.20030426205737.00c53970@mail4.it-norr.com> Message-ID: <200304280902.24614@fortytwo.ch> --Boundary-02=_AINr+9BhdadN62/ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline [reply on list please] On Saturday 26 April 2003 21:13, Per Tunedal wrote: > This crippled key can be used on an insecure computer, while your complete > key can be used on a secure computer. When listing secret keys for the > original key the primary key is shown without the #. > > You can thus easily see what secret keys are present in each keyring. > > (If I am right it might be a good idea to emphasize this on your page, > Adrian!) I guess you mean this part: +-- | To verify that you really don't have any secret keys you don't want, have= a=20 | look at the output of "gpg --list-secret-keys", your primary secret key=20 | should be marked with a '#':=20 +-- Hmm. I'm not entirely sure what exactly you feel I should clarify. Would=20 something like +-- | ...should be marked with a '#' (this means that the 'primary key' you're | seeing is really only a placeholder and does not contain the secret key | data.): +-- clarify it in the way you thought? cheers =2D- vbi =2D-=20 this email is protected by a digital signature: http://fortytwo.ch/gpg --Boundary-02=_AINr+9BhdadN62/ Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iKcEABECAGcFAj6s0gBgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjMmbWQ1c3VtPTE0Y2E2MTZmMTQ2ODJhODJj YjljYzI1YzliMzRhMTBkAAoJEIukMYvlp/fWiZQAoOdoybh9ZUx4V85Uh8+AqK8v sWlkAKC63J0ToFnWwUusAFFWM4i6Y7cw8g== =uJm8 -----END PGP SIGNATURE----- Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.3&md5sum=14ca616f14682a82cb9cc25c9b34a10d --Boundary-02=_AINr+9BhdadN62/-- From avbidder@fortytwo.ch Tue Apr 29 14:06:44 2003 From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder) Date: Tue Apr 29 13:06:44 2003 Subject: Adding Footer on MTA, where MUA using GPG In-Reply-To: <200304251808.25572.linux@codehelp.co.uk> References: <20030424201933.GD28568@jabberwocky.com> <20030425075928.63F531864@altfrangg.fortytwo.ch> <200304251808.25572.linux@codehelp.co.uk> Message-ID: <200304280905.59105@fortytwo.ch> --Boundary-02=_XLNr+Ko/gZP/XY0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Friday 25 April 2003 19:08, Neil Williams wrote: > On Friday 25 April 2003 8:59 am, avbidder@fortytwo.ch wrote: > > Nowt. > > There was some text in the source but the mime boundaries didn't work so > the whole message disappeared. Damn. You're right, didn't show up here, too. (But I guess you got the idea= =20 what I was trying to do). David, could you direct such a mailman 2.1 message in my direction, I'm=20 curious. cheers =2D- vbi =2D-=20 this email is protected by a digital signature: http://fortytwo.ch/gpg --Boundary-02=_XLNr+Ko/gZP/XY0 Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iKcEABECAGcFAj6s0tdgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjMmbWQ1c3VtPTE0Y2E2MTZmMTQ2ODJhODJj YjljYzI1YzliMzRhMTBkAAoJEIukMYvlp/fWTbYAoLc+17o5q2EwZWdBjZwetKtS LsOAAJwKGg4dlZiMidYFa0qOYqdgnvg/Zg== =tZ4n -----END PGP SIGNATURE----- Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.3&md5sum=14ca616f14682a82cb9cc25c9b34a10d --Boundary-02=_XLNr+Ko/gZP/XY0-- From Lukasz Stelmach Tue Apr 29 14:08:30 2003 From: Lukasz Stelmach (Lukasz Stelmach) Date: Tue Apr 29 13:08:30 2003 Subject: (ssh|gpg)-agent Message-ID: <20030425164714.GC47307@tygrys.klucz> --Pk6IbRAofICFmK5e Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Greetings All. Recently i have came accross gpg gpg-agent. It seems to be very usefull=3D20 but... Would it be possible to use (theoretically, after some coding)=3D20 ssh-agent to forward gpg keys. For example at my school there is=3D20 computer laboratory where all machines run w2k. There are also some=3D20 unix machines that i ssh to. I don't want to keep my secret key on unix=3D20 account because it is distributed via nfs, therefore is very insecure.=3D20 Since i use putty with pagent it could be great to use the same=3D20 software for gpg keys. What do you think about such integration? Bye --=20 |/ |_, _ .- --, |__ |_|. | \ |_|. ._' /_. --Pk6IbRAofICFmK5e Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+qWaSNdzY8sm9K9wRAjoAAJ4jnY0L6NNy0J8ssfGjxrZnXIAj+QCfRYEH Ip66/SCA0ElLOKn1VxY91To= =VVuO -----END PGP SIGNATURE----- --Pk6IbRAofICFmK5e-- From d.fettke@peguform.de Tue Apr 29 14:09:12 2003 From: d.fettke@peguform.de (Dirk Fettke) Date: Tue Apr 29 13:09:12 2003 Subject: problems to sign emails In-Reply-To: <200304252059.06776@erwin.ingo-kloecker.de> References: <200304252059.06776@erwin.ingo-kloecker.de> Message-ID: <200304281153.37418.d.fettke@peguform.de> =2D----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > KMail 1.5.2 will tell gpg explicitely via the undocumented (I had to > look into the source code) --no-use-agent option to not use the > gpg-agent. > > Regards, > Ingo thanks, it works now :-) but how can i use the same secret-key on two=20 different systems? on my workstation in my office i use suse 8.2 with kmail= =20 an vmware 4.0 with winxp and $ms-office. both i need for different things=20 because kmail doesn't work together with exchange2000 :( the key i use was genereting on my linux system, so now i would use it also= on=20 my windows-system. for ms-outlook i found on gnugpg.org a plugin which i've= =20 downloaded and installed. when i copy the ~/.gnupg/secring.gpg to the=20 windows-dirctory C:\Programme\GnuPGExch it won't work. so i can't use one=20 secret-key for both systems.=20 Did anybody have any idea or perhaps a solution? perhaps i'm doing somethin= g=20 wrong...?! greetings dirk fettke =2D----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux) iD8DBQE+rPoaAnl6resKVfYRAqL4AKCpbSpBjF9Ky2vBysF2ZFJ0WRnJbwCeO2tW MHbSXPp0NxEhlCSESDQ+axU=3D =3Dr/VL =2D----END PGP SIGNATURE----- From Fabian.Rodriguez@Toxik.com Tue Apr 29 14:09:47 2003 From: Fabian.Rodriguez@Toxik.com (Toxik - Fabian Rodriguez) Date: Tue Apr 29 13:09:47 2003 Subject: Subject tag in all list messages ? Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, Would it be possible to add a tag in the subject (like = [GnuPG-users]) to all messages sent by this list ? It would = make it easier to filter the messages, not only for me I guess = ;) Thank for considering this for gnupg-devel too. Cheers, Fabi=E1n. -----BEGIN PGP SIGNATURE----- Comment: PGP/Mime available upon request iD8DBQE+rRMqfUcTXFrypNURAn/cAKDwJt05VCFcc4B9KjaXohqI9ia92ACePP/j P4W88np2bkpnF0Eed+AW05w=3D =3D+heq -----END PGP SIGNATURE----- From jbruni@mac.com Tue Apr 29 14:22:57 2003 From: jbruni@mac.com (Joseph Bruni) Date: Tue Apr 29 13:22:57 2003 Subject: Fwd: GPG ON UNIX 11 Message-ID: <269CFA44-79E0-11D7-829F-003065B1243E@mac.com> Begin forwarded message: > From: Joseph Bruni > Date: Mon Apr 28, 2003 6:14:07 PM America/Phoenix > To: Pedro Velez > Subject: Re: GPG ON UNIX 11 > > Hello, > > I am happy to help. After extracting the gpg-1.2.1 software, I > modified the file ./intl/gettextP.h to include the line: > > #define inline > > After that, everything should compile and install just fine. > > -Joe > > > > On Monday, April 28, 2003, at 05:42 PM, Pedro Velez wrote: > >> Hi Joseph >> >> Can you describe me the procedure you do to install on HP11 please ? >> >> I am having compiling problems >> >> Or can you give one copy of the binary ? >> >> I wrote some e-mails to the users but do not have response >> >> > From matt@rangie.com Tue Apr 29 14:25:03 2003 From: matt@rangie.com (Matthew Reeve) Date: Tue Apr 29 13:25:03 2003 Subject: Blank encrypted messages In-Reply-To: <87adegmivt.fsf@alberti.g10code.de> Message-ID: <001301c30e22$551c2290$0800a8c0@ANYA> > > $command = 'echo "$msg" | /usr/bin/gpg -e -a --always-trust --batch > > --no-secmem-warning -u matt@rangie.com -r matt@rangie.com'; > > exec($command, $encrypted, $errorcode); > Are you sure that exec runs a shell? It must be running a shell, as I end up with an encrypted message - unfortunately it's just an encryption of nothing. I can log in as the same user (apache) and run the command from the shell and get an output which, when decrypted, contains the data. However when run from PHP the encrypted data, when decrypted, contains nothing. I've re-written to use files being passed in and out, and the command when exec'd or system'd returns an error code of 0 (zero). I'm absolutely stumped on this. Thanks for the suggestions so far, Matthew Reeve From agreene@pobox.com Tue Apr 29 15:02:02 2003 From: agreene@pobox.com (Anthony E. Greene) Date: Tue Apr 29 14:02:02 2003 Subject: Subject tag in all list messages ? In-Reply-To: References: Message-ID: <3EAE6AA0.8010900@pobox.com> Toxik - Fabian Rodriguez wrote: > Would it be possible to add a tag in the subject (like [GnuPG-users]) > to all messages sent by this list ? It would make it easier to filter > the messages, not only for me I guess ;) Setup a filter for "List-Id:" header contains "gnupg-users.gnupg.org". The devel list will be similar. If you have an older version of Outlook, you may not be able to specify the "List-Id:" header. You may have to setup a filter that looks for "gnupg-users.gnupg.org" anywhere in the header. Tony -- Anthony E. Greene OpenPGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26 C484 A42A 60DD 6C94 239D AOL/Yahoo Chat: TonyG05 HomePage: Linux. The choice of a GNU generation. From cmt@rz.uni-karlsruhe.de Tue Apr 29 15:31:03 2003 From: cmt@rz.uni-karlsruhe.de (Christoph Moench-Tegeder) Date: Tue Apr 29 14:31:03 2003 Subject: Subject tag in all list messages ? In-Reply-To: References: Message-ID: <20030429123221.GA25870@rz-ewok.rz.uni-karlsruhe.de> > Would it be possible to add a tag in the subject (like [GnuPG-users]) > to all messages sent by this list ? It would make it easier to filter > the messages, not only for me I guess ;) Why don't you use headers as List-Id or X-BeenThere? Regards, Christoph -- Spare Space From wk@gnupg.org Tue Apr 29 15:35:34 2003 From: wk@gnupg.org (Werner Koch) Date: Tue Apr 29 14:35:34 2003 Subject: Subject tag in all list messages ? In-Reply-To: (Toxik - Fabian Rodriguez's message of "Mon, 28 Apr 2003 07:40:26 -0400") References: Message-ID: <878ytteb01.fsf@alberti.g10code.de> On Mon, 28 Apr 2003 07:40:26 -0400, Toxik said: > Would it be possible to add a tag in the subject (like [GnuPG-users]) to all messages sent by this list ? It would make it easier to filter the messages, not only for me I guess ;) Frankly, I find this annoying as it forces me to reconfigure my MUA to strip them. Filtering is best done on the List-Id: header. -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From mwood@IUPUI.Edu Tue Apr 29 16:31:04 2003 From: mwood@IUPUI.Edu (Mark H. Wood) Date: Tue Apr 29 15:31:04 2003 Subject: Subject tag in all list messages ? In-Reply-To: Message-ID: On Mon, 28 Apr 2003, Toxik - Fabian Rodriguez wrote: > Would it be possible to add a tag in the subject (like [GnuPG-users]) > to all messages sent by this list ? It would make it easier to filter > the messages, not only for me I guess ;) I'm curious: what's wrong with this header: To: gnupg-users@gnupg.org or this one: Sender: gnupg-users-admin@gnupg.org or this one: X-BeenThere: gnupg-users@gnupg.org or this one: List-Id: Help and discussion among users of GnuPG in identifying the source of messages reflected by this list? -- Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu MS Windows *is* user-friendly, but only for certain values of "user". From dshaw@jabberwocky.com Tue Apr 29 16:59:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Tue Apr 29 15:59:02 2003 Subject: Adding Footer on MTA, where MUA using GPG In-Reply-To: <200304280905.59105@fortytwo.ch> References: <20030424201933.GD28568@jabberwocky.com> <20030425075928.63F531864@altfrangg.fortytwo.ch> <200304251808.25572.linux@codehelp.co.uk> <200304280905.59105@fortytwo.ch> Message-ID: <20030429135954.GC428@jabberwocky.com> --O5XBE6gyVG5Rl6Rj Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Mon, Apr 28, 2003 at 09:05:55AM +0200, Adrian 'Dagurashibanipal' von Bidder wrote: > On Friday 25 April 2003 19:08, Neil Williams wrote: > > On Friday 25 April 2003 8:59 am, avbidder@fortytwo.ch wrote: > > > > Nowt. > > > > There was some text in the source but the mime boundaries didn't work so > > the whole message disappeared. > > Damn. You're right, didn't show up here, too. (But I guess you got the idea > what I was trying to do). > > David, could you direct such a mailman 2.1 message in my direction, I'm > curious. I'll try attaching it here as a rfc822 item, and I'll send it to you directly as well. David --O5XBE6gyVG5Rl6Rj Content-Type: message/rfc822 Content-Disposition: inline Return-Path: Date: Tue, 29 Apr 2003 09:53:41 -0400 From: David Shaw To: mailman@example.com Message-ID: <20030429135341.GB428@example.com> Mime-Version: 1.0 X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560 X-Request-PGP: http://www.jabberwocky.com/david/keys.asc X-Phase-Of-Moon: The Moon is Waning Crescent (5% of Full) User-Agent: Mutt/1.5.4i Subject: [Mailman] Mailman mime test X-BeenThere: mailman@example.com X-Mailman-Version: 2.1.1 Precedence: list Content-Type: multipart/mixed; boundary="===============11721384260861134==" Sender: mailman-bounces@example.com --===============11721384260861134== Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="YZ5djTAD1cGYuMQK" Content-Disposition: inline --YZ5djTAD1cGYuMQK Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Hi there. This part of the message is signed. Notice that Mailman attaches a footer in such a way that doesn't mangle the signature, and doesn't become invisible. --YZ5djTAD1cGYuMQK Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+roPl4mZch0nhy8kRAgh7AJoDNmRXNsxPK5I5LTHKTWkMu4spgwCgkdq1 7BofAAgI/nOAZl692fkLxIY= =pVA5 -----END PGP SIGNATURE----- --YZ5djTAD1cGYuMQK-- --===============11721384260861134== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ This is the footer. See how Mailman attaches it in a MIME safe way. --===============11721384260861134==-- --O5XBE6gyVG5Rl6Rj-- From Fabian.Rodriguez@Toxik.com Tue Apr 29 17:31:05 2003 From: Fabian.Rodriguez@Toxik.com (Toxik - Fabian Rodriguez) Date: Tue Apr 29 16:31:05 2003 Subject: Subject tag in all list messages ? In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Outlook 2000 allows me to filter by "with specific words" in the headers. I prefer a tag in the subject since I filter messages from several lists in the same folder, but thanks for showing me this :) I don't examine headers frequently. From:, To: and Sender: are not ok *for me* because some messages to the list are posted via CC: (like Werner's reply to this) or are formed differently depending on mail clients. I also use those to filter other type of messages. Cheers, Fabian -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (MingW32) - GPGrelay v0.92 Comment: PGP/Mime available upon request iD8DBQE+royNfUcTXFrypNURAiC2AJ90VSAWOmVggLjxUZhwCC2ouBcDgwCg1zhK 7eTOUbrQjYiQHvF23d/kKTs= =IMFC -----END PGP SIGNATURE----- From sbutler@fchn.com Tue Apr 29 18:15:02 2003 From: sbutler@fchn.com (Steve Butler) Date: Tue Apr 29 17:15:02 2003 Subject: problems to sign emails Message-ID: <9A86613AB85FF346BB1321840DB42B4B01EBFD38@jupiter.fchn.com> I exported both the public and private keys from the Linux box and imported both the public and private keys to the Windows box. -----Original Message----- From: Dirk Fettke [mailto:d.fettke@peguform.de] Sent: Monday, April 28, 2003 2:53 AM To: gnupg-users@gnupg.org Subject: Re: problems to sign emails -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > KMail 1.5.2 will tell gpg explicitely via the undocumented (I had to > look into the source code) --no-use-agent option to not use the > gpg-agent. > > Regards, > Ingo thanks, it works now :-) but how can i use the same secret-key on two different systems? on my workstation in my office i use suse 8.2 with kmail an vmware 4.0 with winxp and $ms-office. both i need for different things because kmail doesn't work together with exchange2000 :( the key i use was genereting on my linux system, so now i would use it also on my windows-system. for ms-outlook i found on gnugpg.org a plugin which i've downloaded and installed. when i copy the ~/.gnupg/secring.gpg to the windows-dirctory C:\Programme\GnuPGExch it won't work. so i can't use one secret-key for both systems. Did anybody have any idea or perhaps a solution? perhaps i'm doing something wrong...?! greetings dirk fettke -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux) iD8DBQE+rPoaAnl6resKVfYRAqL4AKCpbSpBjF9Ky2vBysF2ZFJ0WRnJbwCeO2tW MHbSXPp0NxEhlCSESDQ+axU= =r/VL -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. From avbidder@fortytwo.ch Tue Apr 29 19:06:02 2003 From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder) Date: Tue Apr 29 18:06:02 2003 Subject: problems to sign emails In-Reply-To: <200304281153.37418.d.fettke@peguform.de> References: <200304252059.06776@erwin.ingo-kloecker.de> <200304281153.37418.d.fettke@peguform.de> Message-ID: <200304291807.04753@fortytwo.ch> --Boundary-02=_oMqr+wFJgN1Gbcp Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Monday 28 April 2003 11:53, Dirk Fettke wrote: > > KMail 1.5.2 will tell gpg explicitely via the undocumented (I had to > > look into the source code) --no-use-agent option to not use the > > gpg-agent. > > > > Regards, > > Ingo > > thanks, it works now :-) but how can i use the same secret-key on two > different systems? gpg -a --export-secret-key yourkeyname on the Linux machine, then you get t= he=20 secret key in ascii armored form and can easily import it on the other=20 machine. cheers =2D- vbi =2D-=20 (1) Alexander the Great was a great general. (2) Great generals are forewarned. (3) Forewarned is forearmed. (4) Four is an even number. (5) Four is certainly an odd number of arms for a man to have. (6) The only number that is both even and odd is infinity. Therefore, all horses are black. --Boundary-02=_oMqr+wFJgN1Gbcp Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iKcEABECAGcFAj6uoyhgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjMmbWQ1c3VtPTE0Y2E2MTZmMTQ2ODJhODJj YjljYzI1YzliMzRhMTBkAAoJEIukMYvlp/fWfgwAn0FU1dxxYMWsWxbRmOKZ8Lq7 xT7rAKCTdhy0RJlExY3xRmzfELZijCNSJQ== =HKdj -----END PGP SIGNATURE----- Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.3&md5sum=14ca616f14682a82cb9cc25c9b34a10d --Boundary-02=_oMqr+wFJgN1Gbcp-- From avbidder@fortytwo.ch Tue Apr 29 19:09:02 2003 From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder) Date: Tue Apr 29 18:09:02 2003 Subject: (ssh|gpg)-agent In-Reply-To: <20030425164714.GC47307@tygrys.klucz> References: <20030425164714.GC47307@tygrys.klucz> Message-ID: <200304291810.03557@fortytwo.ch> --Boundary-02=_bPqr+iSCzJrol2Q Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Friday 25 April 2003 18:47, Lukasz Stelmach wrote: > Greetings All. > > Recently i have came accross gpg gpg-agent. It seems to be very usefull= =3D20 > but... Would it be possible to use (theoretically, after some coding)=3D= 20 > ssh-agent to forward gpg keys. For example at my school there is=3D20 > computer laboratory where all machines run w2k. There are also some=3D20 > unix machines that i ssh to. I don't want to keep my secret key on unix= =3D20 > account because it is distributed via nfs, therefore is very insecure.=3D= 20 > Since i use putty with pagent it could be great to use the same=3D20 > software for gpg keys. > > What do you think about such integration? Hmmm. I think it is a great idea - though I would not do it by forwarding t= he=20 key itself, but by sending the to-be-encrypted data around, thus keeping th= e=20 secret key on the machine it was originally stored. IIRC there was someone around working on using gpg keys for ssh=20 authentication, so at least one person knows much about both gpg and ssh,=20 perhaps he would be interested? I certainly would like the idea as I use ss= h=20 a lot. cheers =2D- vbi =2D-=20 this email is protected by a digital signature: http://fortytwo.ch/gpg --Boundary-02=_bPqr+iSCzJrol2Q Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iKcEABECAGcFAj6uo9tgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjMmbWQ1c3VtPTE0Y2E2MTZmMTQ2ODJhODJj YjljYzI1YzliMzRhMTBkAAoJEIukMYvlp/fWOcsAoMjh5+NEey3y5gHZU7AuhgIv R2NMAKCHQJCaA+Ejis3igPmH0OAef7eQlw== =XPzN -----END PGP SIGNATURE----- Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.3&md5sum=14ca616f14682a82cb9cc25c9b34a10d --Boundary-02=_bPqr+iSCzJrol2Q-- From vedaal@hush.com Tue Apr 29 19:25:02 2003 From: vedaal@hush.com (vedaal@hush.com) Date: Tue Apr 29 18:25:02 2003 Subject: verification of clearsigned e-mails // question/request Message-ID: <200304291625.h3TGPfV8086335@mailserver3.hushmail.com> for verification of clearsigned messages, when there is a 'bad' signature, would it be possible/feasible to have an option of '--try-all-unwraps', (i.e, try 'unwrapping' the message, and re-attempt verification, assuming a wrap setting of 60 characters/line, if still bad, then try 61, etc... until a setting of 100 characters/line, (could be only from settings of 64 to 80, or whatever settings would be necessary to cover all the e-mail clients) and if a 'good' signature is found after unwrapping at a particular wrap setting, to list which wrap setting it was the gpg output might look something like this: gpg: bad signature from key ID (key signed with) gpg: try all unwraps? yes/no gpg: good signature from key id when unwrapped at setting of 80 characters/line or gpg: bad signature at all unwrap settings, 60-100 characters/line this wouldn't help with mangled headers or extra dashes or other characters that e-mail clients add, but would solve the false 'bad' signature commonly resulting from different wrap settings tia, with Respect, vedaal Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Big $$$ to be made with the HushMail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427 From chris@yonderway.com Tue Apr 29 19:52:03 2003 From: chris@yonderway.com (Chris Hedemark) Date: Tue Apr 29 18:52:03 2003 Subject: Subject tag in all list messages ? In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tuesday, April 29, 2003, at 10:30 AM, Toxik - Fabian Rodriguez wrote: > Outlook 2000 allows me to filter by "with specific words" in the > headers. That explains everything; you're using a broken MUA. > From:, To: and Sender: are not ok *for me* because some messages to > the list are posted via CC: (like Werner's reply to this) or are > formed differently depending on mail clients. I also use those to > filter other type of messages. This is a problem MS has had for years and has not addressed. The mailing list isn't broken; the mail client is. It makes more sense for the people with broken mail clients to change their clients to suit the list than it does for the list to change headers to suit a broken MUA. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (Darwin) iEYEARECAAYFAj6urdAACgkQYPuF4Zq9lvYgTwCeP+CiQebdJ0YblDaAa+chULyh 7GIAoLMOP+MTKXWlLI5YnJzANWBTXvGM =mJlv -----END PGP SIGNATURE----- From malsyned@cif.rochester.edu Tue Apr 29 20:14:02 2003 From: malsyned@cif.rochester.edu (Dennis Lambe Jr.) Date: Tue Apr 29 19:14:02 2003 Subject: Multiple encryption subkeys Message-ID: <1051636509.13754.31.camel@dennisx.cif.rochester.edu> --=-s0FvG/L2BLuDc0zENiLf Content-Type: text/plain Content-Transfer-Encoding: quoted-printable I've read through the archives, but I still have a question or two about subkeys. Most of the discussion has been about signing subkeys, or encrypting subkeys that are used in succession, with one only coming=20 into use after another expires. I haven't read anything about having=20 multiple active encrypting subkeys and the issues they present. What I'd like to do is have a public key with multiple ElGamel and RSA subkeys of different key lengths, 1024, 2048, and 4096, for example. My goal is to allow the sender more control over the encryption vs. speed tradeoff and the encryption algorithm, instead of requiring that she use the level of security that I deemed appropriate. My reasoning is that how secure a message needs to be may be more appropriately determined by the contents of the message, rather than the identity of the recipient. 1) Is this a worthwhile endeavor, cryptographically speaking? That is to say, am I justified in wanting to do this, or is there something I've overlooked that makes this a bad or useless application of subkeys? 2) Is there a way to specify a default encrypting subkey? I have read that GnuPG will encrypt to the most recently self-signed subkey unless the exclamation-point syntax is used. Can that be overridden by a flag in the key? I haven't read anything to suggest that it could, so this is just wishful thinking. 3) Apart from the awkward method of deciding a "default" encrypting subkey, I think I've figured out everything I need to know to use GnuPG with multiple encrypting subkeys. How is support in other OpenPGP programs, though? Will the commercial PGP be able to work with my key?=20 Does it have an equivilent to the exclamation-point syntax, or will it always use the default subkey? How about WinPT, GPA, and Seahorse? I know they'll at least work with my key, but do they provide a UI for encrypting to a specific subkey? 4) A lot of messages I read from 2002 and earlier this year suggest that many keyservers are still having difficulty with multiple subkeys. Is this still the case, or have there been recent positive developments in that area? What's the official gnupg-users party line on the use of keyservers with multiple subkeys? Is it still "use kjsl.com and pray"? GnuPG is a great piece of software. I'm very impressed with how well it implements the OpenPGP standard. It's pretty frutstrating, though, when the rest of the PGP community is lagging so far behind the open source guys. --Dennis Lambe --=-s0FvG/L2BLuDc0zENiLf Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: My public key is available at http://cif.rochester.edu/~malsyned/public_key.html iD8DBQA+rrMd+yh/ThbejSgRAlVIAJ495sPzT40pw6Pc5+2xf4vZVRbo6ACfdA1x IlYj/0maHrVDSSluC98Y30s= =9hjO -----END PGP SIGNATURE----- --=-s0FvG/L2BLuDc0zENiLf-- From JPClizbe@attbi.com Tue Apr 29 20:27:02 2003 From: JPClizbe@attbi.com (John P. Clizbe) Date: Tue Apr 29 19:27:02 2003 Subject: Subject tag in all list messages ? In-Reply-To: References: Message-ID: <3EAEB623.2090200@attbi.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Toxik - Fabian Rodriguez wrote: > > Outlook 2000 allows me to filter by "with specific words" in the headers. > > I prefer a tag in the subject since I filter messages from several > lists in the same folder, but thanks for showing me this :) I > don't examine headers frequently. > > From:, To: and Sender: are not ok *for me* because some messages > to the list are posted via CC: (like Werner's reply to this) or > are formed differently depending on mail clients. I also use those > to filter other type of messages. Hmmm, ( (Sender contains "gnupg-users") | (To contains "gnupg-users") | (CC contains "gnupg-users") ) Seems to do that just fine under Netscape & Mozilla Mail. For grins I checked LookOut! 2000... It's "Rules _Wizard_" seems rather limited. It can handle the Sender: and To: cases, but is brain dead for CC: and checking specific headers. Maybe some other Outlook users know how to extend the ruleset types. The "[]" construct in the Subject header is used for a lot of my own rules, but I really wish there was a "better" way -- the [...] consumes a fair amount of space at the beginning of the subject line and only serves to lower the s/n ratio. - -John - -- John P. Clizbe Inet: JPClizbe@EarthLink.net Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Most men take the straight and narrow. A few take the road less traveled. I chose to cut through the woods." "There is safety in Numbers... *VERY LARGE PRIME* Numbers 9:00PM Tonight on _REAL_IRONY_: Vegetarian Man Eaten by Cannibals -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc1-nr1 (Windows 2000) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+rrYiHQSsSmCNKhARAn1/AJ42BsPmJ7mlDPIEL6Mghxr7Z8BpYgCgkFKW 0MJEIYcWZDgytN87XhazEhk= =H3RM -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Tue Apr 29 21:19:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Tue Apr 29 20:19:02 2003 Subject: Multiple encryption subkeys In-Reply-To: <1051636509.13754.31.camel@dennisx.cif.rochester.edu> References: <1051636509.13754.31.camel@dennisx.cif.rochester.edu> Message-ID: <20030429181933.GE428@jabberwocky.com> --m51xatjYGsM+13rf Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Apr 29, 2003 at 01:15:10PM -0400, Dennis Lambe Jr. wrote: > I've read through the archives, but I still have a question or two about > subkeys. Most of the discussion has been about signing subkeys, or > encrypting subkeys that are used in succession, with one only coming=20 > into use after another expires. I haven't read anything about having=20 > multiple active encrypting subkeys and the issues they present. >=20 > What I'd like to do is have a public key with multiple ElGamel and RSA > subkeys of different key lengths, 1024, 2048, and 4096, for example. My > goal is to allow the sender more control over the encryption vs. speed > tradeoff and the encryption algorithm, instead of requiring that she use > the level of security that I deemed appropriate. My reasoning is that > how secure a message needs to be may be more appropriately determined by > the contents of the message, rather than the identity of the recipient. >=20 > 1) Is this a worthwhile endeavor, cryptographically speaking? That is > to say, am I justified in wanting to do this, or is there something I've > overlooked that makes this a bad or useless application of subkeys? It is not a *bad* application of subkeys, but perhaps not as useful as you'd like. Given the speed of (most) machines these days, and the common use of GnuPG for email and file encryption, there is little difference in the user visible speed differences between 1024, 2048, and 4096 bit encryption keys. I'm assuming that a few seconds here or there don't matter to you. If someone was encrypting many files to you every minute, or had a slow machine (like a PDA) then this would be more useful. Note, by the way, that this: My reasoning is that how secure a message needs to be may be more appropriately determined by the contents of the message, rather than the identity of the recipient. leaks some information to traffic analysis. The snoop may not be able to read a given message, but she does know that the message was "important" because it used the 4096-bit subkey. > 2) Is there a way to specify a default encrypting subkey? I have read > that GnuPG will encrypt to the most recently self-signed subkey unless > the exclamation-point syntax is used. Can that be overridden by a flag > in the key? I haven't read anything to suggest that it could, so this > is just wishful thinking. There was discussion at one point about a "primary subkey" flag which would suggest to a sender which subkey to use, but it didn't progress much beyond that. Currently it is completely up to the sender which subkey to use. As you noted, GnuPG uses the timestamps to choose. There is an argument that programs should use the subkey with the closest expiration date, in order to make perfect forward security easier. See http://www.cs.ucl.ac.uk/staff/I.Brown/draft-brown-pgp-pfs-03.txt > 3) Apart from the awkward method of deciding a "default" encrypting > subkey, I think I've figured out everything I need to know to use > GnuPG with multiple encrypting subkeys. How is support in other > OpenPGP programs, though? Will the commercial PGP be able to work > with my key? Does it have an equivilent to the exclamation-point > syntax, or will it always use the default subkey? It will work properly, but I don't know offhand what PGP uses to pick a subkey. > 4) A lot of messages I read from 2002 and earlier this year suggest that > many keyservers are still having difficulty with multiple subkeys. Is > this still the case, or have there been recent positive developments in > that area? What's the official gnupg-users party line on the use of > keyservers with multiple subkeys? Is it still "use kjsl.com and pray"? I submitted a fix for the worst of the key corruption bugs in pks, so as pks-based servers upgrade, they'll stop eating keys. This doesn't mean they handle multiple subkeys properly though, just that they don't mangle them. Servers that work properly include: ldap://keyserver.pgp.com (not pks-based) hkp://sks.dnsalias.net (not pks-based) hkp://keyserver.bu.edu (not pks-based) hkp://keyserver.kjsl.com (pks-based, but heavily patched) Synchronization between the pgp.com LDAP server and the rest of the world tends to be poor. David --m51xatjYGsM+13rf Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+rsI14mZch0nhy8kRAnP2AJ9mta+hhjkG1S7sXrn33YKjry08YgCgjSHq mQG1KNqLB8U0WezvRB/aFiQ= =VbEF -----END PGP SIGNATURE----- --m51xatjYGsM+13rf-- From avbidder@fortytwo.ch Tue Apr 29 22:01:01 2003 From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder) Date: Tue Apr 29 21:01:01 2003 Subject: verification of clearsigned e-mails // question/request In-Reply-To: <200304291625.h3TGPfV8086335@mailserver3.hushmail.com> References: <200304291625.h3TGPfV8086335@mailserver3.hushmail.com> Message-ID: <200304292102.33342@fortytwo.ch> --Boundary-02=_Jxsr+pYWEYdx9mn Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Tuesday 29 April 2003 18:25, vedaal@hush.com wrote: > for verification of clearsigned messages, when there is a 'bad' signature, > > would it be possible/feasible to have an option of '--try-all-unwraps', IMHO fixing a broken system of how clearsigned text is transported is not=20 something that belongs into gpg, but into the system which deals with the=20 (broken) transport of the text, i.e. the mail program. Even better: nag those who send broken signatures to fix their systems. I=20 guess in 90% of the cases the problem is at the sender's end.=20 cheers =2D- vbi =2D-=20 The prablem with Manoca is thot it's difficult ta tell the difference between o cauple af the letters. -- Jacob W. Haller on alt.religion.kibology --Boundary-02=_Jxsr+pYWEYdx9mn Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iKcEABECAGcFAj6uzElgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjMmbWQ1c3VtPTE0Y2E2MTZmMTQ2ODJhODJj YjljYzI1YzliMzRhMTBkAAoJEIukMYvlp/fWU6sAoLam/ItMVJd/A6RRjNAAfFBM BKL+AKCFzrRfl8n/HI987tKPcSi6EQPV1Q== =dztD -----END PGP SIGNATURE----- Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.3&md5sum=14ca616f14682a82cb9cc25c9b34a10d --Boundary-02=_Jxsr+pYWEYdx9mn-- From avbidder@fortytwo.ch Tue Apr 29 22:10:02 2003 From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder) Date: Tue Apr 29 21:10:02 2003 Subject: Multiple encryption subkeys In-Reply-To: <1051636509.13754.31.camel@dennisx.cif.rochester.edu> References: <1051636509.13754.31.camel@dennisx.cif.rochester.edu> Message-ID: <200304292111.23469@fortytwo.ch> --Boundary-02=_b5sr+IDfMxmeyQ+ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Tuesday 29 April 2003 19:15, Dennis Lambe Jr. wrote: [multiple subkeys with various strengths] > 1) Is this a worthwhile endeavor, cryptographically speaking? That is > to say, am I justified in wanting to do this, or is there something I've > overlooked that makes this a bad or useless application of subkeys? I guess the idea is not bad. However, you'd have to match the strength of t= he=20 public key encryption to the strength of the underlying block cipher - I=20 don't have data on this, but I when you use a 128bit block cipher with a 20= 48=20 public key, the block cipher is much easier to break, so with going to=20 4096bit public key you don't gain anything. If you want to do this really seriously, you'll need to read up on the curr= ent=20 best known attacks on the various block ciphers and the public key algorith= ms=20 and make sure that you really gain security by using a stronger public key. > 4) A lot of messages I read from 2002 and earlier this year suggest that > many keyservers are still having difficulty with multiple subkeys. Is > this still the case, or have there been recent positive developments in > that area? What's the official gnupg-users party line on the use of > keyservers with multiple subkeys? Is it still "use kjsl.com and pray"? Yes, this still is mostly the case. One or two of the pksd keyservers and t= he=20 keyservers running sks don't have the subkey problem, and gnupg 1.2.1 has=20 logic to recover as far as possible when it receives a broken key. Problem= =20 with the pksd keyservers is that Jason Harris still thinks that his patch i= s=20 not as perfect as it should be and therefore has not released it yet. cheers =2D- vbi =2D-=20 OpenPGP encrypted mail welcome - my key: http://fortytwo.ch/gpg/92082481 --Boundary-02=_b5sr+IDfMxmeyQ+ Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iKcEABECAGcFAj6uzltgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjMmbWQ1c3VtPTE0Y2E2MTZmMTQ2ODJhODJj YjljYzI1YzliMzRhMTBkAAoJEIukMYvlp/fWvDYAoPBxezE5OgM6CuhE5+sImT8P 4EIaAKCLS0ezgAoVWBIKNzG0JNhiNBh3pg== =6kad -----END PGP SIGNATURE----- Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.3&md5sum=14ca616f14682a82cb9cc25c9b34a10d --Boundary-02=_b5sr+IDfMxmeyQ+-- From avbidder@fortytwo.ch Tue Apr 29 22:16:01 2003 From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder) Date: Tue Apr 29 21:16:01 2003 Subject: Adding Footer on MTA, where MUA using GPG In-Reply-To: <20030429162959.GB30896@postfix.dyndns.org> References: <20030424201933.GD28568@jabberwocky.com> <20030429135954.GC428@jabberwocky.com> <20030429162959.GB30896@postfix.dyndns.org> Message-ID: <200304292116.45767@fortytwo.ch> --Boundary-02=_d+sr+B+kQAXd3wN Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline Damn semicolons. They're so small... On Tuesday 29 April 2003 18:29, Manuel Samper wrote: > David Shaw, on Tuesday, Apr 29 2003 at 15:59, wrote: > > Hi there. This part of the message is signed. Notice that Mailman > > attaches a footer in such a way that doesn't mangle the signature, and > > doesn't become invisible. > > > > _______________________________________________ > > This is the footer. See how Mailman attaches it in a MIME safe way. > > I hope never see this crap in mailing lists, as always strip their > footers (and any List-(subscribe|help|post|archive|...etc) header). No > need to store 100..1000..whatever number of copies of the same info. Seeing at least 2 or 3 'subscribe' and 'how do I unsubscribe' messages on t= he=20 debian lists I subscribe to makes me wonder how bad this would be without t= he=20 footer on every message. And tehy automatically are stripped in most cases= =20 because may people use a signature separator (and manually deleting it is n= ot=20 that much of a pain). > And yes, I hate also those mailman "membership reminders"; I throw away > everyone to a separate mailbox. =46ully agree here. I get at least 5 reminders every month (Yeah! Day after= =20 tomorrow is 1.5....) cheers =2D- vbi =2D-=20 featured link: http://fortytwo.ch/gpg/subkeys --Boundary-02=_d+sr+B+kQAXd3wN Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iKcEABECAGcFAj6uz51gGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjMmbWQ1c3VtPTE0Y2E2MTZmMTQ2ODJhODJj YjljYzI1YzliMzRhMTBkAAoJEIukMYvlp/fWkG0AoJ3g9xA9rKSwHPm3HewamgXk tragAJ0Z1nPW8u8GqJazbzKZeQpmINZfhQ== =BNeR -----END PGP SIGNATURE----- Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.3&md5sum=14ca616f14682a82cb9cc25c9b34a10d --Boundary-02=_d+sr+B+kQAXd3wN-- From wk@gnupg.org Tue Apr 29 22:25:02 2003 From: wk@gnupg.org (Werner Koch) Date: Tue Apr 29 21:25:02 2003 Subject: (ssh|gpg)-agent In-Reply-To: <200304291810.03557@fortytwo.ch> (Adrian 'Dagurashibanipal' von Bidder's message of "Tue, 29 Apr 2003 18:09:59 +0200") References: <20030425164714.GC47307@tygrys.klucz> <200304291810.03557@fortytwo.ch> Message-ID: <87wuhdcda9.fsf@alberti.g10code.de> On Tue, 29 Apr 2003 18:09:59 +0200, Adrian 'Dagurashibanipal' von Bidder said: > Hmmm. I think it is a great idea - though I would not do it by > forwarding the key itself, but by sending the to-be-encrypted data > around, thus keeping the secret key on the machine it was originally > stored. I had the same idea when designing the protocol used by gpg-agent. This is definitely possible and I would like to implement it as time permits. Either ssh-agent is modified to provide a new channel for gpg-agent communication or we implement the ssh-agent stuff in GnuPG. -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From cbaegert@europeanservers.net Wed Apr 30 00:34:03 2003 From: cbaegert@europeanservers.net (Christophe BAEGERT) Date: Tue Apr 29 23:34:03 2003 Subject: missing self-signature ? Message-ID: <200304292334.17390.cbaegert@europeanservers.net> Hello, I just upgrade to MDK 9.1 from MDK 9.0. My gpg worked fine before. When I try to import a key, it says : gpg: key XXXXXXXX has been created 3614 seconds in future (time warp or clock problem) gpg: key XXXXXXXX: invalid self-signature on user id "xxxxxx xxxxxxx " gpg: key XXXXXXXX has been created 3614 seconds in future (time warp or clock problem) gpg: key XXXXXXX: invalid subkey binding gpg: key XXXXXXX: no valid user IDs gpg: this may be caused by a missing self-signature gpg: Total number processed: 1 gpg: w/o user IDs: 1 Any idea ? The creation date of the key isn't in the future ... Thanks ! -- Christophe BAEGERT cbaegert@europeanservers.net >>>>>>>>>>>>>>> http://www.europeanservers.net <<<<<<<<<<<<<<<< -------------- Ultra fast internet servers ------------- From DenisMcCauley@ifrance.com Wed Apr 30 01:15:02 2003 From: DenisMcCauley@ifrance.com (Denis McCauley) Date: Wed Apr 30 00:15:02 2003 Subject: verification of clearsigned e-mails // question/request In-Reply-To: <200304292102.33342@fortytwo.ch> References: <200304291625.h3TGPfV8086335@mailserver3.hushmail.com> <200304292102.33342@fortytwo.ch> Message-ID: <3EAEF9A1.601@ifrance.com> This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig6C2A6020A4FBBBDF3BFF9AC7 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Adrian 'Dagurashibanipal' von Bidder wrote: > > Even better: nag those who send broken signatures to fix their systems. I > guess in 90% of the cases the problem is at the sender's end. > Hmmm. I'm not so sure about that as far as Windows mail programs are concerned. I spent more than two months trying to get reliable clear-signing on my w2k system before I found Enigmail, and more than 50% of the test messages I sent which did not verify at reception were good in my outbox. The worst offender is Eudora. Clear-signed messages which verify in Enigmail, Outlook, Outlook Express, and Pegasus rarely verify in Eudora. Outlook and OE also gave problems at the reception end until I installed PGP with the plugins for these (PGP 8x or 6.5.8ckt for Outlook, PGP 8x only for OE). Current-window or clipboard clear-signing with GPG now works fine on these with the PGP plugins there. Cheers -- ========================================== Denis McCauley GPG/PGP keys at http://www.djmccauley.tk ========================================== --------------enig6C2A6020A4FBBBDF3BFF9AC7 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1-nr1 (Windows 2000) Comment: Key ID: 0x578247B4 (using signature subkey 0x4980C4F7) iD8DBQE+rvmhJpZGKkmAxPcRAphiAKDSzN/bnw8eEk1GReOx6lZ+92UpggCgnfwL a6bgaBF+UGXyw0hhRrSdiFU= =sYce -----END PGP SIGNATURE----- --------------enig6C2A6020A4FBBBDF3BFF9AC7-- From dshaw@jabberwocky.com Wed Apr 30 01:43:01 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Wed Apr 30 00:43:01 2003 Subject: missing self-signature ? In-Reply-To: <200304292334.17390.cbaegert@europeanservers.net> References: <200304292334.17390.cbaegert@europeanservers.net> Message-ID: <20030429224404.GB12283@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, Apr 29, 2003 at 11:34:17PM +0200, Christophe BAEGERT wrote: > Hello, > > I just upgrade to MDK 9.1 from MDK 9.0. My gpg worked fine before. > > When I try to import a key, it says : > > gpg: key XXXXXXXX has been created 3614 seconds in future (time warp or clock > problem) > gpg: key XXXXXXXX: invalid self-signature on user id "xxxxxx xxxxxxx > " > gpg: key XXXXXXXX has been created 3614 seconds in future (time warp or clock > problem) > gpg: key XXXXXXX: invalid subkey binding > gpg: key XXXXXXX: no valid user IDs > gpg: this may be caused by a missing self-signature > gpg: Total number processed: 1 > gpg: w/o user IDs: 1 > > Any idea ? The creation date of the key isn't in the future ... 3614 seconds is a bit over an hour. The user visible "date" may be the same, but the internal date stamp used by GnuPG has a higher resolution. Check your clock. If you are sure it is correct, you can wait an hour or so, or use the --ignore-time-conflict option. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2rc2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+rwA04mZch0nhy8kRAkXfAJ9O35yWh7kPgGU2o0+EGB+T0LhvDQCfZGjq igIM8OhEVgpH5WhjCEKLJis= =e13g -----END PGP SIGNATURE----- From johanw@vulcan.xs4all.nl Wed Apr 30 03:06:02 2003 From: johanw@vulcan.xs4all.nl (Johan Wevers) Date: Wed Apr 30 02:06:02 2003 Subject: Multiple encryption subkeys In-Reply-To: <200304292111.23469@fortytwo.ch> from "Adrian 'Dagurashibanipal' von Bidder" at "Apr 29, 2003 09:11:19 pm" Message-ID: <200304292324.BAA05211@vulcan.xs4all.nl> Adrian 'Dagurashibanipal' von Bidder wrote: >I guess the idea is not bad. However, you'd have to match the strength of >the public key encryption to the strength of the underlying block cipher - I >don't have data on this, but I when you use a 128bit block cipher with a >2048 public key, the block cipher is much easier to break, so with going to >4096bit public key you don't gain anything. Not really. You need to know that symmetric-key ciphers are usually much stronger than public-key ciphers with the same keylength. A 128 bit RSA or DH key can be brute-forced easily. Elliptic curves seem to do better with short keylengths but they are at this moment much less studied than RSA or DH. 128 bit symmetric is roughly comparable to a 2048 bit RSA or DH key. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From jbruni@mac.com Wed Apr 30 04:06:03 2003 From: jbruni@mac.com (Joseph Bruni) Date: Wed Apr 30 03:06:03 2003 Subject: Blank encrypted messages In-Reply-To: <001301c30e22$551c2290$0800a8c0@ANYA> Message-ID: <028B7F78-7AA8-11D7-92D2-003065B1243E@mac.com> Does the variable "$msg" exist in the subshell? If it's not defined the you would be just echoing nothing into the left-hand side of the pipe. In Perl, enclosing the string in single quotes would turn off variable interpolation. I don't know if that would be true for your language though. But if $msg doesn't get interpolated, and if it doesn't exist as an environment variable in the subshell, you will not get anything. On Tuesday, April 29, 2003, at 12:38 AM, Matthew Reeve wrote: >>> $command = 'echo "$msg" | /usr/bin/gpg -e -a --always-trust --batch >>> --no-secmem-warning -u matt@rangie.com -r matt@rangie.com'; >>> exec($command, $encrypted, $errorcode); >> Are you sure that exec runs a shell? > > It must be running a shell, as I end up with an encrypted message - > unfortunately it's just an encryption of nothing. I can log in as the > same > user (apache) and run the command from the shell and get an output > which, > when decrypted, contains the data. However when run from PHP the > encrypted > data, when decrypted, contains nothing. > > I've re-written to use files being passed in and out, and the command > when > exec'd or system'd returns an error code of 0 (zero). > > I'm absolutely stumped on this. > > Thanks for the suggestions so far, > > Matthew Reeve > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From jbruni@mac.com Wed Apr 30 04:14:02 2003 From: jbruni@mac.com (Joseph Bruni) Date: Wed Apr 30 03:14:02 2003 Subject: (ssh|gpg)-agent In-Reply-To: <87wuhdcda9.fsf@alberti.g10code.de> Message-ID: <39B0FD03-7AA9-11D7-92D2-003065B1243E@mac.com> If you were to try to use the Agent Forwarding feature, wouldn't that be (potentially) a lot of data over the wire? Maybe you only need to pass the session keys around, instead? Agent forwarding would be really cool if you logged in to a remote host and were able to decrypt files using a private key that was stored on your local computer's USB keychain. I don't think you'd want to pass all the data in this scenario. On Tuesday, April 29, 2003, at 12:30 PM, Werner Koch wrote: > On Tue, 29 Apr 2003 18:09:59 +0200, Adrian 'Dagurashibanipal' von > Bidder said: > >> Hmmm. I think it is a great idea - though I would not do it by >> forwarding the key itself, but by sending the to-be-encrypted data >> around, thus keeping the secret key on the machine it was originally >> stored. > > I had the same idea when designing the protocol used by gpg-agent. > This is definitely possible and I would like to implement it as time > permits. Either ssh-agent is modified to provide a new channel for > gpg-agent communication or we implement the ssh-agent stuff in GnuPG. > > -- > Nonviolence is the greatest force at the disposal of > mankind. It is mightier than the mightiest weapon of > destruction devised by the ingenuity of man. -Gandhi > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From cbaegert@europeanservers.net Wed Apr 30 08:30:02 2003 From: cbaegert@europeanservers.net (Christophe BAEGERT) Date: Wed Apr 30 07:30:02 2003 Subject: missing self-signature ? In-Reply-To: <20030429224404.GB12283@jabberwocky.com> References: <200304292334.17390.cbaegert@europeanservers.net> <20030429224404.GB12283@jabberwocky.com> Message-ID: <200304300730.18318.cbaegert@europeanservers.net> Le Mercredi 30 Avril 2003 00:44, David Shaw a =E9crit : > > 3614 seconds is a bit over an hour. The user visible "date" may be > the same, but the internal date stamp used by GnuPG has a higher > resolution. > > Check your clock. If you are sure it is correct, you can wait an hour > or so, or use the --ignore-time-conflict option. My clock is correct. But you're right, it worked this morning. It's=20 strange... Thanks for your help. --=20 Christophe BAEGERT cbaegert@europeanservers.net >>>>>>>>>>>>>>> http://www.europeanservers.net <<<<<<<<<<<<<<<< -------------- Ultra fast internet servers ------------- From avbidder@fortytwo.ch Wed Apr 30 10:14:02 2003 From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder) Date: Wed Apr 30 09:14:02 2003 Subject: Multiple encryption subkeys In-Reply-To: <200304292324.BAA05211@vulcan.xs4all.nl> References: <200304292324.BAA05211@vulcan.xs4all.nl> Message-ID: <200304300915.42237@fortytwo.ch> --Boundary-02=_eg3r+hrN7nG1yOx Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Wednesday 30 April 2003 01:24, Johan Wevers wrote: > Adrian 'Dagurashibanipal' von Bidder wrote: > >I guess the idea is not bad. However, you'd have to match the strength of > >the public key encryption to the strength of the underlying block cipher= - > > I don't have data on this, but I when you use a 128bit block cipher with > > a 2048 public key, the block cipher is much easier to break, so with > > going to 4096bit public key you don't gain anything. > > Not really. You need to know that symmetric-key ciphers are usually much > stronger than public-key ciphers with the same keylength.=20 Yes, that's clear (it's even obvious, to me). > A 128 bit RSA > or DH key can be brute-forced easily. Elliptic curves seem to do better > with short keylengths but they are at this moment much less studied than > RSA or DH. > > 128 bit symmetric is roughly comparable to a 2048 bit RSA or DH key. I just wasn't sure where this point of (rough) comparability is. But still:= if=20 128 bit is comparable to a 2048 RSA key, you don't gain much going to a 409= 6=20 bit RSA key. cheers =2D- vbi =2D-=20 featured link: http://fortytwo.ch/gpg/subkeys --Boundary-02=_eg3r+hrN7nG1yOx Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iKcEABECAGcFAj6veB5gGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjMmbWQ1c3VtPTE0Y2E2MTZmMTQ2ODJhODJj YjljYzI1YzliMzRhMTBkAAoJEIukMYvlp/fWNjwAn2dmER7W9D0bwx9bjB0nhwsZ 4TQLAKC/a99m5nyQl+ke99NdYLqgMwdotQ== =I/0/ -----END PGP SIGNATURE----- Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.3&md5sum=14ca616f14682a82cb9cc25c9b34a10d --Boundary-02=_eg3r+hrN7nG1yOx-- From avbidder@fortytwo.ch Wed Apr 30 10:19:02 2003 From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder) Date: Wed Apr 30 09:19:02 2003 Subject: (ssh|gpg)-agent In-Reply-To: <39B0FD03-7AA9-11D7-92D2-003065B1243E@mac.com> References: <39B0FD03-7AA9-11D7-92D2-003065B1243E@mac.com> Message-ID: <200304300920.41754@fortytwo.ch> --Boundary-02=_Jl3r+C3nyO6uWGC Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Wednesday 30 April 2003 03:15, Joseph Bruni wrote: > If you were to try to use the Agent Forwarding feature, wouldn't that > be (potentially) a lot of data over the wire? Maybe you only need to > pass the session keys around, instead? Agent forwarding would be really > cool if you logged in to a remote host and were able to decrypt files > using a private key that was stored on your local computer's USB > keychain. I don't think you'd want to pass all the data in this > scenario. I think you get it right: when I said 'pass the data around' I thought abou= t=20 passing the data around which needs to be decrypted/signed with the actual= =20 secret key. And this, of course, is only the session key for the block ciph= er=20 and not the whole message. After all, the session key is only used once, and by decrypting things on a= =20 remote machine, you trust it to some degree, you only don't want the actual= =20 secret key leaving your machine (or, ideally, the operation would be done i= n=20 the USB dongle, so the secret key wouldn't even leave that). cheers =2D- vbi =2D-=20 The ants in France, stay mainly on the plants. --Boundary-02=_Jl3r+C3nyO6uWGC Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iKcEABECAGcFAj6veUlgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjMmbWQ1c3VtPTE0Y2E2MTZmMTQ2ODJhODJj YjljYzI1YzliMzRhMTBkAAoJEIukMYvlp/fW8iMAn2GGxvahl0WBiOlwXVUrVlN4 DXpqAKCPpfwnS3XNRdEuJ0h15/I0gXeWOw== =SKuT -----END PGP SIGNATURE----- Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.3&md5sum=14ca616f14682a82cb9cc25c9b34a10d --Boundary-02=_Jl3r+C3nyO6uWGC-- From matt@rangie.com Wed Apr 30 10:24:02 2003 From: matt@rangie.com (Matthew Reeve) Date: Wed Apr 30 09:24:02 2003 Subject: Blank encrypted messages In-Reply-To: <028B7F78-7AA8-11D7-92D2-003065B1243E@mac.com> Message-ID: <001b01c30ee9$b4f54e90$0800a8c0@ANYA> > Does the variable "$msg" exist in the subshell? If it's not=20 > defined the=20 > you would be just echoing nothing into the left-hand side of the pipe. It's an interesting thought - I rewrote the script to look like this, = also addressing Adam's concerns about the security of echoing $msg. The file called $plainTxt is created and contains the correct data. The = file called $crypted is also created and contains a PGP message. However, decrypting the contents of $crypted gives an empty string. The 'echo' shows the encryption command is the following. /usr/bin/gpg --encrypt -v -ao /var/www/tempFiles/1195e9ed7ad15a57907ff4b87bc4653aoutput --always-trust = -r matt@rangie.com /var/www/tempFiles/1195e9ed7ad15a57907ff4b87bc4653adata If I copy and paste the encryption command into a shell running as the apache user (instead of calling it from PHP), an encrypted file is = created containing a PGP message which contains the correct data when decrypted. Is there any way to see what is going on with gpg while it's running?=20 ********* function _encrypt($msg)=20 {=20 $oldhome =3D getEnv("HOME");=20 putenv("HOME=3D/var/www");=20 $tmpToken =3D md5(uniqid(rand())); $plainTxt =3D "/var/www/tempFiles/" . $tmpToken . "data"; $crypted =3D "/var/www/tempFiles/" . $tmpToken . "output"; $fp =3D fopen($plainTxt, "w+"); fputs($fp, $msg); echo "/usr/bin/gpg --encrypt -v -ao $crypted --always-trust -r matt@rangie.com $plainTxt"; passthru("/usr/bin/gpg --encrypt -v -ao $crypted --always-trust -r matt@rangie.com $plainTxt"); putenv("HOME=3D$oldhome");=20 $fd =3D fopen($crypted, "r"); $message =3D fread($fd, filesize($crypted)); fclose($fd); return $message; }=20 *************** Thanks for the help! Matthew Reeve From pt@radvis.nu Wed Apr 30 10:56:01 2003 From: pt@radvis.nu (Per Tunedal) Date: Wed Apr 30 09:56:01 2003 Subject: Multiple sub-signingkeys In-Reply-To: <200304280902.24614@fortytwo.ch> References: <5.1.0.14.2.20030426205737.00c53970@mail4.it-norr.com> <5.1.0.14.2.20030426205737.00c53970@mail4.it-norr.com> Message-ID: <5.1.0.14.2.20030430094829.02475318@localhost> At 09:02 2003-04-28 +0200, you wrote: >[reply on list please] >On Saturday 26 April 2003 21:13, Per Tunedal wrote: > >> This crippled key can be used on an insecure computer, while your complete >> key can be used on a secure computer. When listing secret keys for the >> original key the primary key is shown without the #. >> >> You can thus easily see what secret keys are present in each keyring. >> >> (If I am right it might be a good idea to emphasize this on your page, >> Adrian!) > >I guess you mean this part: >+-- >| To verify that you really don't have any secret keys you don't want, have a >| look at the output of "gpg --list-secret-keys", your primary secret key >| should be marked with a '#': >+-- > >Hmm. I'm not entirely sure what exactly you feel I should clarify. Would >something like > >+-- >| ...should be marked with a '#' (this means that the 'primary key' you're >| seeing is really only a placeholder and does not contain the secret key >| data.): >+-- > >clarify it in the way you thought? > >cheers >-- vbi > Hi Adrian, yes that's better. But the # is not so apparent and I missed the meaning though I read your page several times. Maybe you should mention the opposite too: e.g. "When listing secret keys for the original complete key the primary key is shown without the #." The presence/absence of the # is a very cryptical (!) way of supplying very important information! Thus this has to be explained very thoroughly. I would like to suggest some printout in plaintext from GPG in a future release! Per Tunedal From pdiaz@supercable.net.co Wed Apr 30 12:34:02 2003 From: pdiaz@supercable.net.co (Pedro Velez) Date: Wed Apr 30 11:34:02 2003 Subject: HP-UX 11 Compiler problems Message-ID: <3EADCBD9.1060604@supercable.net.co> Hi I compiled with cc , gcc, and try all switches but have compiler errors have any one a bynary to download? Thanks Pedro From wk@gnupg.org Wed Apr 30 21:59:24 2003 From: wk@gnupg.org (Werner Koch) Date: Wed Apr 30 20:59:24 2003 Subject: (ssh|gpg)-agent In-Reply-To: <39B0FD03-7AA9-11D7-92D2-003065B1243E@mac.com> (Joseph Bruni's message of "Tue, 29 Apr 2003 18:15:26 -0700") References: <39B0FD03-7AA9-11D7-92D2-003065B1243E@mac.com> Message-ID: <87k7dcijm0.fsf@alberti.g10code.de> On Tue, 29 Apr 2003 18:15:26 -0700, Joseph Bruni said: > If you were to try to use the Agent Forwarding feature, wouldn't that > be (potentially) a lot of data over the wire? Maybe you only need to > pass the session keys around, instead? Agent forwarding would be Sure. gpg-agent only manages public keys and is used to encrypt/decrypt sesson keys. There is not much point in handling random session keys more securly than the plaintext. -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi